ctxbin 0.1.0

package/dist/cli.js

@@ -0,0 +1,1066 @@
+#!/usr/bin/env node
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+
+// src/cli.ts
+var import_node_util2 = require("util");
+var import_node_process2 = __toESM(require("process"));
+var import_node_path8 = __toESM(require("path"));
+var import_promises9 = __toESM(require("fs/promises"));
+var import_node_fs3 = require("fs");
+
+// src/errors.ts
+var CtxbinError = class extends Error {
+  code;
+  constructor(code, message) {
+    super(message);
+    this.code = code;
+  }
+};
+function fail(code, message) {
+  throw new CtxbinError(code, message);
+}
+function formatError(err) {
+  if (err instanceof CtxbinError) {
+    return `CTXBIN_ERR ${err.code}: ${err.message}`;
+  }
+  const message = err instanceof Error ? err.message : String(err);
+  return `CTXBIN_ERR IO: ${message}`;
+}
+
+// src/config.ts
+var import_promises = __toESM(require("fs/promises"));
+var import_node_path = __toESM(require("path"));
+var import_node_os = __toESM(require("os"));
+var ENV_URL = "CTXBIN_STORE_URL";
+var ENV_TOKEN = "CTXBIN_STORE_TOKEN";
+async function loadConfig() {
+  const envUrl = process.env[ENV_URL];
+  const envToken = process.env[ENV_TOKEN];
+  if (envUrl || envToken) {
+    if (!envUrl || !envToken) {
+      return fail("INVALID_INPUT", "both CTXBIN_STORE_URL and CTXBIN_STORE_TOKEN must be set");
+    }
+    return { url: envUrl, token: envToken };
+  }
+  const configPath = import_node_path.default.join(import_node_os.default.homedir(), ".ctxbin", "config.json");
+  let raw;
+  try {
+    raw = await import_promises.default.readFile(configPath, "utf8");
+  } catch {
+    return fail("INVALID_INPUT", "missing CTXBIN_STORE_URL/CTXBIN_STORE_TOKEN and no ~/.ctxbin/config.json");
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    return fail("INVALID_INPUT", "invalid JSON in ~/.ctxbin/config.json");
+  }
+  const url = parsed.store_url || parsed.storeUrl || parsed.url;
+  const token = parsed.store_token || parsed.storeToken || parsed.token;
+  if (!url || !token) {
+    return fail("INVALID_INPUT", "config.json must include store_url and store_token");
+  }
+  return { url, token };
+}
+async function writeConfig(config) {
+  const dir = import_node_path.default.join(import_node_os.default.homedir(), ".ctxbin");
+  const configPath = import_node_path.default.join(dir, "config.json");
+  await import_promises.default.mkdir(dir, { recursive: true, mode: 448 });
+  const payload = {
+    store_url: config.url,
+    store_token: config.token
+  };
+  await import_promises.default.writeFile(configPath, JSON.stringify(payload, null, 2), "utf8");
+}
+
+// src/store.ts
+function createStore(url, token) {
+  const baseUrl = url.replace(/\/$/, "");
+  async function command(cmd, ...args) {
+    let res;
+    try {
+      res = await fetch(baseUrl, {
+        method: "POST",
+        headers: {
+          Authorization: `Bearer ${token}`,
+          "Content-Type": "application/json"
+        },
+        body: JSON.stringify([cmd, ...args])
+      });
+    } catch (err) {
+      return fail("NETWORK", `store request failed: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    if (!res.ok) {
+      const text = await res.text();
+      return fail("NETWORK", `store request failed (${res.status}): ${text}`);
+    }
+    let data;
+    try {
+      data = await res.json();
+    } catch {
+      return fail("NETWORK", "store response was not valid JSON");
+    }
+    if (data.error) {
+      return fail("NETWORK", data.error);
+    }
+    return data.result;
+  }
+  return {
+    async get(hash, field) {
+      const result = await command("HGET", hash, field);
+      return result ?? null;
+    },
+    async set(hash, field, value) {
+      await command("HSET", hash, field, value);
+    },
+    async delete(hash, field) {
+      await command("HDEL", hash, field);
+    },
+    async list(hash) {
+      const result = await command("HGETALL", hash);
+      if (!result) return [];
+      if (!Array.isArray(result)) {
+        return fail("NETWORK", "store response for HGETALL was not an array");
+      }
+      const pairs = [];
+      for (let i = 0; i < result.length; i += 2) {
+        const field = result[i];
+        const value = result[i + 1];
+        if (typeof field !== "string" || typeof value !== "string") {
+          return fail("NETWORK", "store response for HGETALL contained invalid entries");
+        }
+        pairs.push({ field, value });
+      }
+      pairs.sort((a, b) => a.field.localeCompare(b.field));
+      return pairs;
+    }
+  };
+}
+
+// src/git.ts
+var import_node_child_process = require("child_process");
+var import_node_path2 = __toESM(require("path"));
+var import_node_util = require("util");
+var execFileAsync = (0, import_node_util.promisify)(import_node_child_process.execFile);
+async function git(args) {
+  try {
+    const { stdout } = await execFileAsync("git", args, { encoding: "utf8" });
+    return stdout.trim();
+  } catch {
+    return fail("NOT_IN_GIT", "not inside a git repository");
+  }
+}
+async function inferCtxKey() {
+  const root = await git(["rev-parse", "--show-toplevel"]);
+  const branch = await git(["rev-parse", "--abbrev-ref", "HEAD"]);
+  const project = import_node_path2.default.basename(root);
+  if (!project || !branch) {
+    return fail("NOT_IN_GIT", "unable to infer ctx key from git repository");
+  }
+  return `${project}/${branch}`;
+}
+
+// src/skillpack.ts
+var import_promises5 = __toESM(require("fs/promises"));
+var import_node_fs = require("fs");
+var import_node_path6 = __toESM(require("path"));
+var import_node_os2 = __toESM(require("os"));
+var import_node_zlib = __toESM(require("zlib"));
+var import_promises6 = require("stream/promises");
+var import_tar2 = __toESM(require("tar"));
+
+// src/constants.ts
+var SKILLPACK_HEADER = "ctxbin-skillpack@1\n";
+var SKILLREF_HEADER = "ctxbin-skillref@1\n";
+var MAX_SKILLPACK_BYTES = 7 * 1024 * 1024;
+var MAX_SKILLREF_DOWNLOAD_BYTES = 20 * 1024 * 1024;
+var MAX_SKILLREF_EXTRACT_BYTES = 100 * 1024 * 1024;
+var MAX_SKILLREF_FILES = 5e3;
+var SKILLREF_CONNECT_TIMEOUT_MS = 5e3;
+var SKILLREF_DOWNLOAD_TIMEOUT_MS = 3e4;
+var DEFAULT_EXCLUDES = [".git", "node_modules", ".DS_Store"];
+
+// src/fs-ops.ts
+var import_promises3 = __toESM(require("fs/promises"));
+var import_node_path3 = __toESM(require("path"));
+
+// src/chmod.ts
+var import_promises2 = __toESM(require("fs/promises"));
+async function safeChmod(path9, mode) {
+  try {
+    await import_promises2.default.chmod(path9, mode);
+  } catch (err) {
+    if (process.platform === "win32") {
+      return;
+    }
+    throw err;
+  }
+}
+
+// src/fs-ops.ts
+async function ensureDir(dir) {
+  await import_promises3.default.mkdir(dir, { recursive: true });
+}
+function toPosix(p) {
+  return p.split(import_node_path3.default.sep).join("/");
+}
+async function copyDirContents(src, dest) {
+  await ensureDir(dest);
+  const entries = await import_promises3.default.readdir(src, { withFileTypes: true });
+  for (const entry of entries) {
+    const srcPath = import_node_path3.default.join(src, entry.name);
+    const destPath = import_node_path3.default.join(dest, entry.name);
+    if (entry.isDirectory()) {
+      await copyDirContents(srcPath, destPath);
+      const stat = await import_promises3.default.stat(srcPath);
+      await safeChmod(destPath, stat.mode & 511);
+      continue;
+    }
+    if (entry.isFile()) {
+      await ensureDir(import_node_path3.default.dirname(destPath));
+      await import_promises3.default.copyFile(srcPath, destPath);
+      const stat = await import_promises3.default.stat(srcPath);
+      await safeChmod(destPath, stat.mode & 511);
+      continue;
+    }
+    return fail("IO", `unsupported file type during copy: ${srcPath}`);
+  }
+}
+
+// src/perm.ts
+var import_promises4 = __toESM(require("fs/promises"));
+var import_node_path4 = __toESM(require("path"));
+async function applyNormalizedPermissions(root, execSet) {
+  async function walk(absDir) {
+    const entries = await import_promises4.default.readdir(absDir, { withFileTypes: true });
+    for (const entry of entries) {
+      const absPath = import_node_path4.default.join(absDir, entry.name);
+      if (entry.isDirectory()) {
+        await safeChmod(absPath, 493);
+        await walk(absPath);
+        continue;
+      }
+      if (entry.isFile()) {
+        const rel = toPosix(import_node_path4.default.relative(root, absPath));
+        const mode = execSet.has(rel) ? 493 : 420;
+        await safeChmod(absPath, mode);
+        continue;
+      }
+      return fail("IO", `unsupported file type after extract: ${absPath}`);
+    }
+  }
+  await walk(root);
+}
+
+// src/validators.ts
+var import_node_path5 = __toESM(require("path"));
+function normalizeGithubUrl(input) {
+  let url;
+  try {
+    url = new URL(input);
+  } catch {
+    return fail("INVALID_URL", "invalid URL");
+  }
+  if (url.protocol !== "https:") {
+    return fail("INVALID_URL", "URL must use https");
+  }
+  if (url.hostname !== "github.com") {
+    return fail("INVALID_URL", "only github.com is supported");
+  }
+  if (url.search || url.hash) {
+    return fail("INVALID_URL", "URL must not include query or hash");
+  }
+  const parts = url.pathname.split("/").filter(Boolean);
+  if (parts.length !== 2) {
+    return fail("INVALID_URL", "URL must be https://github.com/<owner>/<repo>");
+  }
+  const owner = parts[0];
+  let repo = parts[1];
+  if (repo.endsWith(".git")) {
+    repo = repo.slice(0, -4);
+  }
+  if (!owner || !repo) {
+    return fail("INVALID_URL", "URL must be https://github.com/<owner>/<repo>");
+  }
+  return `https://github.com/${owner}/${repo}`;
+}
+function validateCommitSha(ref) {
+  if (!/^[0-9a-f]{40}$/.test(ref)) {
+    return fail("INVALID_REF", "ref must be a 40-hex commit SHA");
+  }
+  return ref;
+}
+function normalizeSkillPath(input) {
+  const trimmed = input.trim();
+  if (!trimmed) {
+    return fail("INVALID_PATH", "path must be a non-empty directory path");
+  }
+  const cleaned = trimmed.replace(/\\/g, "/");
+  if (cleaned.startsWith("/")) {
+    return fail("INVALID_PATH", "path must be relative, not absolute");
+  }
+  const normalized = import_node_path5.default.posix.normalize(cleaned).replace(/^\.\//, "");
+  if (normalized === "." || normalized === "") {
+    return fail("INVALID_PATH", "path must be a non-empty directory path");
+  }
+  if (normalized.startsWith("../") || normalized.includes("/../") || normalized === "..") {
+    return fail("INVALID_PATH", "path must not include .. segments");
+  }
+  if (normalized.endsWith("/")) {
+    return normalized.slice(0, -1);
+  }
+  return normalized;
+}
+function assertSafeTarPath(entryPath) {
+  const cleaned = entryPath.replace(/\\/g, "/");
+  if (cleaned.startsWith("/")) {
+    return fail("INVALID_PATH", `tar entry path must be relative: ${entryPath}`);
+  }
+  const normalized = import_node_path5.default.posix.normalize(cleaned);
+  if (normalized.startsWith("../") || normalized === ".." || normalized.includes("/../")) {
+    return fail("INVALID_PATH", `tar entry path contains traversal: ${entryPath}`);
+  }
+}
+
+// src/tar-utils.ts
+var import_tar = __toESM(require("tar"));
+async function listTarEntries(file) {
+  const entries = [];
+  await import_tar.default.t({
+    file,
+    onentry(entry) {
+      entries.push({
+        path: entry.path,
+        type: entry.type,
+        size: entry.size ?? 0,
+        mode: entry.mode ?? 0
+      });
+    }
+  });
+  return entries;
+}
+
+// src/skillpack.ts
+var ALLOWED_TYPES = /* @__PURE__ */ new Set(["File", "Directory"]);
+async function createSkillpackFromDir(dirPath) {
+  const stats = await import_promises5.default.stat(dirPath).catch(() => null);
+  if (!stats || !stats.isDirectory()) {
+    return fail("INVALID_INPUT", `--dir is not a directory: ${dirPath}`);
+  }
+  const entries = await collectEntries(dirPath);
+  const tmpDir = await import_promises5.default.mkdtemp(import_node_path6.default.join(import_node_os2.default.tmpdir(), "ctxbin-skillpack-"));
+  const tarPath = import_node_path6.default.join(tmpDir, "skillpack.tar.gz");
+  try {
+    const tarStream = import_tar2.default.c(
+      {
+        cwd: dirPath,
+        portable: true,
+        mtime: /* @__PURE__ */ new Date(0)
+      },
+      entries
+    );
+    const gzip = import_node_zlib.default.createGzip({ mtime: 0 });
+    await (0, import_promises6.pipeline)(tarStream, gzip, (0, import_node_fs.createWriteStream)(tarPath));
+    const stat = await import_promises5.default.stat(tarPath);
+    if (stat.size > MAX_SKILLPACK_BYTES) {
+      return fail(
+        "SIZE_LIMIT",
+        `skillpack tar.gz size ${stat.size} bytes exceeds ${MAX_SKILLPACK_BYTES} bytes`
+      );
+    }
+    const data = await import_promises5.default.readFile(tarPath);
+    const b64 = data.toString("base64");
+    return SKILLPACK_HEADER + b64;
+  } finally {
+    await import_promises5.default.rm(tmpDir, { recursive: true, force: true });
+  }
+}
+async function extractSkillpackToDir(value, targetDir) {
+  const base64 = value.slice(SKILLPACK_HEADER.length);
+  let buffer;
+  try {
+    buffer = Buffer.from(base64, "base64");
+  } catch {
+    return fail("IO", "invalid skillpack base64 data");
+  }
+  const tmpRoot = await import_promises5.default.mkdtemp(import_node_path6.default.join(import_node_os2.default.tmpdir(), "ctxbin-skillpack-"));
+  const tarPath = import_node_path6.default.join(tmpRoot, "skillpack.tar.gz");
+  await import_promises5.default.writeFile(tarPath, buffer);
+  try {
+    const entries = await listTarEntries(tarPath);
+    const execSet = validateTarEntries(entries);
+    const extractDir = import_node_path6.default.join(tmpRoot, "extract");
+    await ensureDir(extractDir);
+    await import_tar2.default.x({
+      file: tarPath,
+      cwd: extractDir,
+      preserveOwner: false,
+      noMtime: true
+    });
+    await applyNormalizedPermissions(extractDir, execSet);
+    await ensureDir(targetDir);
+    await copyDirContents(extractDir, targetDir);
+  } finally {
+    await import_promises5.default.rm(tmpRoot, { recursive: true, force: true });
+  }
+}
+async function collectEntries(root) {
+  const results = [];
+  async function walk(absDir, relDir) {
+    const entries = await import_promises5.default.readdir(absDir, { withFileTypes: true });
+    entries.sort((a, b) => a.name.localeCompare(b.name));
+    for (const entry of entries) {
+      if (DEFAULT_EXCLUDES.includes(entry.name)) {
+        if (entry.isDirectory()) {
+          continue;
+        }
+        if (entry.isFile() && entry.name === ".DS_Store") {
+          continue;
+        }
+      }
+      const absPath = import_node_path6.default.join(absDir, entry.name);
+      const relPath = relDir ? import_node_path6.default.posix.join(relDir, entry.name) : entry.name;
+      const stat = await import_promises5.default.lstat(absPath);
+      if (stat.isSymbolicLink()) {
+        return fail("IO", `symlink not allowed in skillpack: ${absPath}`);
+      }
+      if (entry.isDirectory()) {
+        results.push(relPath);
+        await walk(absPath, relPath);
+        continue;
+      }
+      if (entry.isFile()) {
+        if (entry.name === ".DS_Store") {
+          continue;
+        }
+        results.push(relPath);
+        continue;
+      }
+      return fail("IO", `unsupported file type in skillpack: ${absPath}`);
+    }
+  }
+  await walk(root, "");
+  results.sort();
+  return results;
+}
+function validateTarEntries(entries) {
+  const execSet = /* @__PURE__ */ new Set();
+  for (const entry of entries) {
+    assertSafeTarPath(entry.path);
+    if (!ALLOWED_TYPES.has(entry.type)) {
+      return fail("IO", `unsupported entry type in skillpack: ${entry.path}`);
+    }
+    if (entry.type === "File" && entry.mode & 73) {
+      execSet.add(entry.path);
+    }
+  }
+  return execSet;
+}
+
+// src/skillref.ts
+var import_promises7 = __toESM(require("fs/promises"));
+var import_node_path7 = __toESM(require("path"));
+var import_node_os3 = __toESM(require("os"));
+var import_node_fs2 = require("fs");
+var import_tar3 = __toESM(require("tar"));
+var ALLOWED_TYPES2 = /* @__PURE__ */ new Set(["File", "Directory"]);
+function createSkillrefValue(url, skillPath, ref) {
+  const normalizedUrl = normalizeGithubUrl(url);
+  const normalizedPath = normalizeSkillPath(skillPath);
+  const payload = ref ? JSON.stringify({ url: normalizedUrl, path: normalizedPath, ref: validateCommitSha(ref) }) : JSON.stringify({ url: normalizedUrl, path: normalizedPath, track: "default" });
+  return SKILLREF_HEADER + payload;
+}
+function parseSkillrefValue(value) {
+  if (!value.startsWith(SKILLREF_HEADER)) {
+    return fail("TYPE_MISMATCH", "value is not a skillref");
+  }
+  const raw = value.slice(SKILLREF_HEADER.length);
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    return fail("IO", "invalid skillref payload JSON");
+  }
+  if (!parsed || typeof parsed.url !== "string" || typeof parsed.path !== "string") {
+    return fail("IO", "invalid skillref payload fields");
+  }
+  const normalized = {
+    url: normalizeGithubUrl(parsed.url),
+    path: normalizeSkillPath(parsed.path)
+  };
+  if (typeof parsed.ref === "string") {
+    return { ...normalized, ref: validateCommitSha(parsed.ref) };
+  }
+  if (parsed.track === "default") {
+    return { ...normalized, track: "default" };
+  }
+  return fail("IO", "invalid skillref payload fields");
+}
+async function loadSkillrefToDir(value, targetDir) {
+  const skillref = parseSkillrefValue(value);
+  const resolvedRef = skillref.ref ?? await fetchDefaultBranch(skillref.url);
+  const tmpRoot = await import_promises7.default.mkdtemp(import_node_path7.default.join(import_node_os3.default.tmpdir(), "ctxbin-skillref-"));
+  const tarPath = import_node_path7.default.join(tmpRoot, "skillref.tar.gz");
+  try {
+    await downloadArchive(skillref.url, resolvedRef, tarPath);
+    const entries = await listTarEntries(tarPath).catch(() => fail("IO", "failed to parse tar archive"));
+    const analysis = analyzeEntries(entries, skillref.path);
+    const extractDir = import_node_path7.default.join(tmpRoot, "extract");
+    await ensureDir(extractDir);
+    const stripCount = 1 + skillref.path.split("/").length;
+    await import_tar3.default.x({
+      file: tarPath,
+      cwd: extractDir,
+      preserveOwner: false,
+      noMtime: true,
+      strip: stripCount,
+      filter: (p, entry) => {
+        const entryPath = entry?.path ?? p;
+        return isUnderPath(entryPath, analysis.prefix, skillref.path);
+      }
+    });
+    await applyNormalizedPermissions(extractDir, analysis.execSet);
+    await ensureDir(targetDir);
+    await copyDirContents(extractDir, targetDir);
+  } finally {
+    await import_promises7.default.rm(tmpRoot, { recursive: true, force: true });
+  }
+}
+async function downloadArchive(repoUrl, ref, outPath) {
+  const { owner, repo } = splitGithubUrl(repoUrl);
+  const url = `https://codeload.github.com/${owner}/${repo}/tar.gz/${ref}`;
+  const controller = new AbortController();
+  const totalTimer = setTimeout(() => controller.abort(), SKILLREF_DOWNLOAD_TIMEOUT_MS);
+  let res;
+  try {
+    res = await fetchWithRedirect(url, 1, controller, ["github.com", "codeload.github.com"]);
+  } catch (err) {
+    clearTimeout(totalTimer);
+    return fail("NETWORK", `download failed: ${err instanceof Error ? err.message : String(err)}`);
+  }
+  if (!res.ok) {
+    clearTimeout(totalTimer);
+    const text = await res.text();
+    return fail("NETWORK", `download failed (${res.status}): ${text}`);
+  }
+  if (!res.body) {
+    clearTimeout(totalTimer);
+    return fail("NETWORK", "download failed: empty response body");
+  }
+  const fileStream = (0, import_node_fs2.createWriteStream)(outPath);
+  let total = 0;
+  let magic = Buffer.alloc(0);
+  try {
+    for await (const chunk of res.body) {
+      if (magic.length < 2) {
+        const needed = 2 - magic.length;
+        magic = Buffer.concat([magic, chunk.subarray(0, needed)]);
+        if (magic.length === 2) {
+          if (magic[0] !== 31 || magic[1] !== 139) {
+            fileStream.close();
+            controller.abort();
+            return fail("IO", "downloaded file is not gzip data");
+          }
+        }
+      }
+      total += chunk.length;
+      if (total > MAX_SKILLREF_DOWNLOAD_BYTES) {
+        fileStream.close();
+        controller.abort();
+        return fail(
+          "SIZE_LIMIT",
+          `downloaded archive size ${total} exceeds ${MAX_SKILLREF_DOWNLOAD_BYTES} bytes`
+        );
+      }
+      fileStream.write(chunk);
+    }
+  } catch (err) {
+    fileStream.close();
+    clearTimeout(totalTimer);
+    if (err instanceof CtxbinError) {
+      throw err;
+    }
+    return fail("NETWORK", `download failed: ${err instanceof Error ? err.message : String(err)}`);
+  } finally {
+    clearTimeout(totalTimer);
+  }
+  if (magic.length < 2) {
+    fileStream.close();
+    return fail("IO", "downloaded file is incomplete");
+  }
+  await new Promise((resolve, reject) => {
+    fileStream.end(() => resolve());
+    fileStream.on("error", reject);
+  });
+}
+async function fetchWithRedirect(url, redirectsLeft, controller, allowedHosts, init) {
+  const connectTimer = setTimeout(() => controller.abort(), SKILLREF_CONNECT_TIMEOUT_MS);
+  const res = await fetch(url, {
+    ...init,
+    signal: controller.signal,
+    redirect: "manual"
+  });
+  clearTimeout(connectTimer);
+  if (isRedirect(res.status)) {
+    if (redirectsLeft <= 0) {
+      return fail("NETWORK", "too many redirects");
+    }
+    const location = res.headers.get("location");
+    if (!location) {
+      return fail("NETWORK", "redirect without location header");
+    }
+    const nextUrl = new URL(location, url).toString();
+    const host = new URL(nextUrl).hostname;
+    if (!allowedHosts.includes(host)) {
+      return fail("NETWORK", `redirected to unsupported host: ${host}`);
+    }
+    return fetchWithRedirect(nextUrl, redirectsLeft - 1, controller, allowedHosts, init);
+  }
+  return res;
+}
+function isRedirect(status) {
+  return [301, 302, 303, 307, 308].includes(status);
+}
+function splitGithubUrl(repoUrl) {
+  const url = new URL(repoUrl);
+  const parts = url.pathname.split("/").filter(Boolean);
+  if (parts.length !== 2) {
+    return fail("INVALID_URL", "URL must be https://github.com/<owner>/<repo>");
+  }
+  return { owner: parts[0], repo: parts[1] };
+}
+async function fetchDefaultBranch(repoUrl) {
+  const { owner, repo } = splitGithubUrl(repoUrl);
+  const url = `https://api.github.com/repos/${owner}/${repo}`;
+  const controller = new AbortController();
+  const totalTimer = setTimeout(() => controller.abort(), SKILLREF_DOWNLOAD_TIMEOUT_MS);
+  let res;
+  try {
+    res = await fetchWithRedirect(url, 1, controller, ["github.com", "api.github.com"], {
+      headers: {
+        "User-Agent": "ctxbin",
+        Accept: "application/vnd.github+json"
+      }
+    });
+  } catch (err) {
+    clearTimeout(totalTimer);
+    return fail("NETWORK", `default branch lookup failed: ${err instanceof Error ? err.message : String(err)}`);
+  }
+  if (!res.ok) {
+    clearTimeout(totalTimer);
+    const text = await res.text();
+    return fail("NETWORK", `default branch lookup failed (${res.status}): ${text}`);
+  }
+  let data;
+  try {
+    data = await res.json();
+  } catch {
+    clearTimeout(totalTimer);
+    return fail("NETWORK", "default branch lookup returned invalid JSON");
+  }
+  clearTimeout(totalTimer);
+  if (!data || typeof data.default_branch !== "string" || data.default_branch.length === 0) {
+    return fail("NETWORK", "default branch lookup returned no default_branch");
+  }
+  return data.default_branch;
+}
+function analyzeEntries(entries, requestedPath) {
+  if (entries.length === 0) {
+    return fail("NOT_FOUND", "archive contained no entries");
+  }
+  const prefix = entries[0].path.split("/")[0];
+  if (!prefix) {
+    return fail("IO", "unable to determine archive prefix");
+  }
+  const execSet = /* @__PURE__ */ new Set();
+  let entryCount = 0;
+  let totalSize = 0;
+  let matched = false;
+  for (const entry of entries) {
+    assertSafeTarPath(entry.path);
+    if (!ALLOWED_TYPES2.has(entry.type)) {
+      return fail("IO", `unsupported entry type in archive: ${entry.path}`);
+    }
+    if (entry.path === prefix) {
+      continue;
+    }
+    if (!entry.path.startsWith(`${prefix}/`)) {
+      return fail("IO", "archive has unexpected top-level layout");
+    }
+    const rel = entry.path.slice(prefix.length + 1);
+    if (!rel) {
+      continue;
+    }
+    const relToReq = stripRequestedPath(rel, requestedPath);
+    if (relToReq === null) {
+      continue;
+    }
+    matched = true;
+    entryCount += 1;
+    if (rel === requestedPath && entry.type === "File") {
+      return fail("INVALID_PATH", "requested path is not a directory");
+    }
+    if (entry.type === "File") {
+      totalSize += entry.size ?? 0;
+      if (entry.mode & 73) {
+        execSet.add(relToReq);
+      }
+    }
+  }
+  if (!matched) {
+    return fail("NOT_FOUND", "requested path not found in archive");
+  }
+  if (entryCount > MAX_SKILLREF_FILES) {
+    return fail("SIZE_LIMIT", `extracted entry count ${entryCount} exceeds ${MAX_SKILLREF_FILES}`);
+  }
+  if (totalSize > MAX_SKILLREF_EXTRACT_BYTES) {
+    return fail("SIZE_LIMIT", `extracted size ${totalSize} exceeds ${MAX_SKILLREF_EXTRACT_BYTES}`);
+  }
+  return { prefix, execSet };
+}
+function stripRequestedPath(rel, requestedPath) {
+  if (rel === requestedPath) {
+    return "";
+  }
+  const prefix = requestedPath + "/";
+  if (rel.startsWith(prefix)) {
+    return rel.slice(prefix.length);
+  }
+  return null;
+}
+function isUnderPath(entryPath, prefix, requestedPath) {
+  if (entryPath === prefix) {
+    return false;
+  }
+  if (!entryPath.startsWith(`${prefix}/`)) {
+    return false;
+  }
+  const rel = entryPath.slice(prefix.length + 1);
+  if (!rel) {
+    return false;
+  }
+  if (rel === requestedPath || rel.startsWith(requestedPath + "/")) {
+    return true;
+  }
+  return false;
+}
+
+// src/value.ts
+function detectSkillValueType(value) {
+  if (value.startsWith(SKILLPACK_HEADER)) return "skillpack";
+  if (value.startsWith(SKILLREF_HEADER)) return "skillref";
+  return "string";
+}
+
+// src/input.ts
+var import_promises8 = __toESM(require("fs/promises"));
+var import_node_process = __toESM(require("process"));
+async function resolveSaveInput(resource, opts, stdinIsTTY = Boolean(import_node_process.default.stdin.isTTY)) {
+  const hasFile = typeof opts.file === "string";
+  const hasValue = typeof opts.value === "string";
+  const hasDir = typeof opts.dir === "string";
+  const urlFlagsUsed = Boolean(opts.url || opts.ref || opts.path);
+  const hasUrl = Boolean(opts.url && opts.path);
+  const explicitCount = [hasFile, hasValue, hasDir, hasUrl].filter(Boolean).length;
+  const hasStdin = !stdinIsTTY && explicitCount === 0;
+  if (urlFlagsUsed && !hasUrl) {
+    return fail("INVALID_INPUT", "--url and --path must be provided together");
+  }
+  const methods = explicitCount + (hasStdin ? 1 : 0);
+  if (methods !== 1) {
+    return fail("INVALID_INPUT", "exactly one input method must be used");
+  }
+  if (hasDir && resource !== "skill") {
+    return fail("INVALID_INPUT", "--dir is only valid for skill save");
+  }
+  if (hasUrl && resource !== "skill") {
+    return fail("INVALID_INPUT", "--url/--ref/--path are only valid for skill save");
+  }
+  if (opts.append && (hasDir || hasUrl)) {
+    return fail("INVALID_INPUT", "--append cannot be used with --dir or --url");
+  }
+  if (hasDir) {
+    const value = await createSkillpackFromDir(opts.dir);
+    return { kind: "skillpack", value };
+  }
+  if (hasUrl) {
+    const value = createSkillrefValue(opts.url, opts.path, opts.ref);
+    return { kind: "skillref", value };
+  }
+  if (hasFile) {
+    const content = await import_promises8.default.readFile(opts.file, "utf8");
+    return { kind: "string", value: content };
+  }
+  if (hasValue) {
+    return { kind: "string", value: opts.value };
+  }
+  const stdin = await readStdin();
+  return { kind: "string", value: stdin };
+}
+async function readStdin() {
+  return new Promise((resolve, reject) => {
+    let data = "";
+    import_node_process.default.stdin.setEncoding("utf8");
+    import_node_process.default.stdin.on("data", (chunk) => {
+      data += chunk;
+    });
+    import_node_process.default.stdin.on("end", () => resolve(data));
+    import_node_process.default.stdin.on("error", reject);
+  });
+}
+
+// src/cli.ts
+async function main() {
+  let positionals;
+  let values;
+  try {
+    ({ positionals, values } = (0, import_node_util2.parseArgs)({
+      args: import_node_process2.default.argv.slice(2),
+      options: {
+        append: { type: "boolean" },
+        version: { type: "boolean", short: "v" },
+        file: { type: "string" },
+        value: { type: "string" },
+        dir: { type: "string" },
+        url: { type: "string" },
+        ref: { type: "string" },
+        path: { type: "string" }
+      },
+      allowPositionals: true
+    }));
+  } catch (err) {
+    return fail("INVALID_INPUT", err instanceof Error ? err.message : "invalid arguments");
+  }
+  const [resource, command, keyArg, ...extra] = positionals;
+  if (values.version) {
+    import_node_process2.default.stdout.write(getVersion() + "\n");
+    return;
+  }
+  if (!resource) {
+    return fail("INVALID_INPUT", "missing resource");
+  }
+  if (resource === "init") {
+    if (command || keyArg || extra.length) {
+      return fail("INVALID_INPUT", "init does not accept additional arguments");
+    }
+    await runInit();
+    return;
+  }
+  if (!command) {
+    return fail("INVALID_INPUT", "missing command");
+  }
+  if (extra.length > 0) {
+    return fail("INVALID_INPUT", "too many positional arguments");
+  }
+  const opts = {
+    append: Boolean(values.append),
+    file: values.file,
+    value: values.value,
+    dir: values.dir,
+    url: values.url,
+    ref: values.ref,
+    path: values.path
+  };
+  let store;
+  try {
+    const storeConfig = await loadConfig();
+    store = createStore(storeConfig.url, storeConfig.token);
+  } catch (err) {
+    if (resource === "skill" && command === "load" && keyArg === "ctxbin") {
+      const fallback = await loadBundledSkill();
+      if (fallback) {
+        import_node_process2.default.stdout.write(fallback);
+        return;
+      }
+    }
+    throw err;
+  }
+  const hash = resolveHash(resource);
+  if (command === "list") {
+    if (keyArg) {
+      return fail("INVALID_INPUT", "list does not accept a key");
+    }
+    ensureNoListFlags(opts);
+    await handleList(store, resource, hash);
+    return;
+  }
+  const key = await resolveKey(resource, keyArg);
+  switch (command) {
+    case "load":
+      await handleLoad(store, resource, hash, key, opts);
+      return;
+    case "save":
+      await handleSave(store, resource, hash, key, opts);
+      return;
+    case "delete":
+      await handleDelete(store, resource, hash, key, opts);
+      return;
+    default:
+      return fail("INVALID_INPUT", `unknown command: ${command}`);
+  }
+}
+async function runInit() {
+  const readline = await import("readline/promises");
+  const rl = readline.createInterface({ input: import_node_process2.default.stdin, output: import_node_process2.default.stdout });
+  const url = (await rl.question("CTXBIN_STORE_URL: ")).trim();
+  const token = (await rl.question("CTXBIN_STORE_TOKEN: ")).trim();
+  await rl.close();
+  if (!url || !token) {
+    return fail("INVALID_INPUT", "both URL and token are required");
+  }
+  await writeConfig({ url, token });
+}
+function resolveHash(resource) {
+  if (resource === "ctx" || resource === "agent" || resource === "skill") {
+    return resource;
+  }
+  return fail("INVALID_INPUT", `unknown resource: ${resource}`);
+}
+async function resolveKey(resource, keyArg) {
+  if (resource === "ctx") {
+    if (keyArg) return keyArg;
+    return inferCtxKey();
+  }
+  if (!keyArg) {
+    return fail("MISSING_KEY", "key is required");
+  }
+  return keyArg;
+}
+async function handleLoad(store, resource, hash, key, opts) {
+  ensureNoSaveInput(opts, "load");
+  const value = await store.get(hash, key);
+  if (value === null) {
+    if (resource === "skill" && key === "ctxbin") {
+      const fallback = await loadBundledSkill();
+      if (fallback) {
+        import_node_process2.default.stdout.write(fallback);
+        return;
+      }
+    }
+    return fail("NOT_FOUND", `no value for ${hash}:${key}`);
+  }
+  if (resource === "skill") {
+    const kind = detectSkillValueType(value);
+    if (kind === "string") {
+      if (opts.dir) {
+        return fail("TYPE_MISMATCH", "--dir cannot be used with string values");
+      }
+      import_node_process2.default.stdout.write(value);
+      return;
+    }
+    if (!opts.dir) {
+      return fail("TYPE_MISMATCH", "--dir is required for skillpack/skillref load");
+    }
+    if (kind === "skillpack") {
+      await extractSkillpackToDir(value, opts.dir);
+      return;
+    }
+    if (kind === "skillref") {
+      await loadSkillrefToDir(value, opts.dir);
+      return;
+    }
+  }
+  if (opts.dir) {
+    return fail("TYPE_MISMATCH", "--dir is only valid for skill values");
+  }
+  import_node_process2.default.stdout.write(value);
+}
+async function handleSave(store, resource, hash, key, opts) {
+  const input = await resolveSaveInput(resource, opts);
+  if (opts.append) {
+    if (input.kind !== "string") {
+      return fail("INVALID_INPUT", "--append only applies to string inputs");
+    }
+    const existing = await store.get(hash, key);
+    if (resource === "skill" && existing && detectSkillValueType(existing) !== "string") {
+      return fail("TYPE_MISMATCH", "cannot append to skillpack/skillref values");
+    }
+    const merged = existing ? `${existing}
+
+${input.value}` : input.value;
+    await store.set(hash, key, merged);
+    return;
+  }
+  if (input.kind !== "string" && resource !== "skill") {
+    return fail("TYPE_MISMATCH", "non-string inputs are only valid for skill");
+  }
+  await store.set(hash, key, input.value);
+}
+async function handleDelete(store, resource, hash, key, opts) {
+  ensureNoSaveInput(opts, "delete");
+  if (opts.dir) {
+    return fail("INVALID_INPUT", "--dir is not valid for delete");
+  }
+  await store.delete(hash, key);
+}
+async function handleList(store, resource, hash) {
+  const entries = await store.list(hash);
+  if (entries.length === 0) return;
+  const lines = entries.map(({ field, value }) => {
+    let type = "--value";
+    if (resource === "skill") {
+      const kind = detectSkillValueType(value);
+      if (kind === "skillpack") type = "--dir";
+      if (kind === "skillref") type = "--url";
+    }
+    return `${field}	${type}`;
+  });
+  import_node_process2.default.stdout.write(lines.join("\n"));
+}
+function ensureNoSaveInput(opts, command) {
+  if (opts.append || opts.file || opts.value || opts.url || opts.ref || opts.path) {
+    return fail("INVALID_INPUT", `${command} does not accept input flags`);
+  }
+}
+function ensureNoListFlags(opts) {
+  if (opts.append || opts.file || opts.value || opts.dir || opts.url || opts.ref || opts.path) {
+    return fail("INVALID_INPUT", "list does not accept input flags");
+  }
+}
+main().catch((err) => {
+  import_node_process2.default.stderr.write(formatError(err) + "\n");
+  import_node_process2.default.exit(1);
+});
+async function loadBundledSkill() {
+  try {
+    const bundled = import_node_path8.default.resolve(__dirname, "skills", "ctxbin", "SKILL.md");
+    return await import_promises9.default.readFile(bundled, "utf8");
+  } catch {
+    return null;
+  }
+}
+function getVersion() {
+  try {
+    const pkgPath = import_node_path8.default.resolve(__dirname, "..", "package.json");
+    const raw = (0, import_node_fs3.readFileSync)(pkgPath, "utf8");
+    const data = JSON.parse(raw);
+    if (data && typeof data.version === "string") {
+      return data.version;
+    }
+  } catch {
+  }
+  return "0.0.0";
+}
+//# sourceMappingURL=cli.js.map