npm - gipity - Versions diffs - 1.0.395 → 1.0.397 - Mend

gipity 1.0.395 → 1.0.397

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/auth.js CHANGED Viewed

@@ -1,4 +1,4 @@
-import { readFileSync, writeFileSync, mkdirSync, existsSync, unlinkSync, chmodSync } from 'fs';
+import { readFileSync, writeFileSync, mkdirSync, existsSync, unlinkSync, chmodSync, openSync, closeSync } from 'fs';
 import { join } from 'path';
 import { homedir } from 'os';
 import { decodeJwtExp } from './utils.js';
@@ -8,6 +8,7 @@ import { decodeJwtExp } from './utils.js';
 // so the `claude` subprocess and git/npm still use the real home.
 const AUTH_DIR = process.env.GIPITY_DIR || join(homedir(), '.gipity');
 const AUTH_FILE = join(AUTH_DIR, 'auth.json');
+const AUTH_LOCK_FILE = join(AUTH_DIR, 'auth.lock');
 let cached = null;
 export function getAuth() {
     if (cached)
@@ -70,16 +71,65 @@ export function sessionExpired() {
     return Date.now() > exp * 1000;
 }
 const delay = (ms) => new Promise(r => setTimeout(r, ms));
+// ─── Cross-process refresh lock ────────────────────────────────
+// Serializes token refreshes across every `gipity` process that shares this
+// ~/.gipity/auth.json (foreground commands, the file-sync hook, the relay
+// daemon). Without it, siblings race to refresh the SINGLE-USE refresh token:
+// the first wins and rotates it, the rest submit the now-dead token and 401.
+// Retry-and-re-read alone left a window (a sibling could 401 before the winner
+// finished writing the file). Holding the lock closes that window — siblings
+// wait, then re-read and ADOPT the freshly-rotated token instead of refreshing.
+const LOCK_WAIT_MS = 10_000; // refresh is one quick round-trip; cap the wait
+const LOCK_POLL_MS = 100;
+/** Acquire the global auth-refresh lock. Returns a release fn, or null if we
+ *  couldn't get it within the wait window (caller then proceeds best-effort —
+ *  refresh must never block a command indefinitely). Mirrors sync.ts's advisory
+ *  lock: O_EXCL create, PID payload, stale-holder reclaim. Exported for tests. */
+export async function acquireRefreshLock() {
+    mkdirSync(AUTH_DIR, { recursive: true, mode: 0o700 });
+    const start = Date.now();
+    while (true) {
+        try {
+            const fd = openSync(AUTH_LOCK_FILE, 'wx'); // fails if the file exists
+            writeFileSync(fd, String(process.pid));
+            closeSync(fd);
+            return () => { try {
+                unlinkSync(AUTH_LOCK_FILE);
+            }
+            catch { /* already gone */ } };
+        }
+        catch {
+            // Lock held (or a transient create error). Reclaim it if the holder PID is dead.
+            try {
+                const pid = parseInt(readFileSync(AUTH_LOCK_FILE, 'utf-8').trim(), 10);
+                if (pid && !isNaN(pid)) {
+                    try {
+                        process.kill(pid, 0);
+                    }
+                    catch {
+                        try {
+                            unlinkSync(AUTH_LOCK_FILE);
+                        }
+                        catch { /* race */ }
+                        continue;
+                    }
+                }
+            }
+            catch { /* unreadable - retry */ }
+            if (Date.now() - start > LOCK_WAIT_MS)
+                return null; // give up waiting, proceed best-effort
+            await delay(LOCK_POLL_MS);
+        }
+    }
+}
 /** Renew the access token (5-min buffer) before an authenticated call, surviving
  *  the case that broke overnight fix-mode runs: MANY concurrent `gipity` processes
  *  (relay daemon, file-sync hook, parallel commands) sharing one ~/.gipity/auth.json.
  *  Refresh tokens are SINGLE-USE — the server rotates them, so when several siblings
- *  race to refresh the same token, the first wins and the rest get a 401. The old
- *  code trusted a stale in-process cache and, on that race, let the 401 reach the
- *  caller, whose handler called clearAuth() and DELETED the shared file — locking
- *  every sibling out mid-run ("Not logged in"). Fix: always read the file fresh, and
- *  retry the race/transient failures, re-reading each attempt so we ADOPT whatever
- *  token a sibling just rotated in rather than resubmitting the rotated-away one.
+ *  race to refresh the same token, the first wins and the rest get a 401. We guard
+ *  the refresh with a cross-process lock so only one sibling refreshes at a time; the
+ *  others wait, re-read the file, and ADOPT the freshly-rotated token. If the lock
+ *  can't be had in time we still try (re-reading first), so this never hangs a command.
  *  Stays void / never throws / never clears auth: a genuine dead token still flows to
  *  the caller's existing 401 path (which messages "run: gipity login"). */
 export async function refreshTokenIfNeeded() {
@@ -90,57 +140,71 @@ export async function refreshTokenIfNeeded() {
     const buffer = 5 * 60 * 1000; // refresh 5 min before the access token lapses
     const fresh = (a) => Date.now() <= new Date(a.expiresAt).getTime() - buffer;
     if (fresh(auth))
-        return;
+        return; // fast path: token still good, no lock needed
     // If the refresh token itself has expired, re-login is genuinely required; leave the
     // expired auth in place so the caller's existing 401 path prompts `gipity login`.
     const refreshExp = decodeJwtExp(auth.refreshToken);
     if (refreshExp && Date.now() > refreshExp * 1000)
         return;
-    const { resolveApiBase } = await import('./config.js');
-    const apiBase = resolveApiBase();
-    for (let attempt = 1; attempt <= 3; attempt++) {
-        const cur = readAuthFresh(); // a sibling may have just refreshed for us
-        if (cur && fresh(cur)) {
-            cached = cur;
+    // Serialize with sibling processes so we don't race the single-use refresh token.
+    const release = await acquireRefreshLock();
+    try {
+        // Re-check under the lock: a sibling may have refreshed while we waited.
+        const held = readAuthFresh();
+        if (held && fresh(held)) {
+            cached = held;
             return;
         }
-        const refreshToken = cur?.refreshToken ?? auth.refreshToken;
-        let res;
-        try {
-            res = await fetch(`${apiBase}/auth/refresh`, {
-                method: 'POST',
-                headers: { 'Content-Type': 'application/json' },
-                body: JSON.stringify({ refreshToken }),
-            });
-        }
-        catch {
-            await delay(attempt * 300);
-            continue; // network blip - retry
-        }
-        if (res.ok) {
-            const json = await res.json().catch(() => null);
-            const exp = json && decodeJwtExp(json.accessToken);
-            if (!json || !exp) {
+        const { resolveApiBase } = await import('./config.js');
+        const apiBase = resolveApiBase();
+        for (let attempt = 1; attempt <= 3; attempt++) {
+            const cur = readAuthFresh(); // a sibling may have just refreshed for us
+            if (cur && fresh(cur)) {
+                cached = cur;
+                return;
+            }
+            const refreshToken = cur?.refreshToken ?? auth.refreshToken;
+            let res;
+            try {
+                res = await fetch(`${apiBase}/auth/refresh`, {
+                    method: 'POST',
+                    headers: { 'Content-Type': 'application/json' },
+                    body: JSON.stringify({ refreshToken }),
+                });
+            }
+            catch {
                 await delay(attempt * 300);
-                continue;
+                continue; // network blip - retry
             }
-            saveAuth({ accessToken: json.accessToken, refreshToken: json.refreshToken, email: auth.email, expiresAt: new Date(exp * 1000).toISOString() });
-            return;
-        }
-        // 401/403 → the refresh token was rejected outright (it was rotated away by a
-        // sibling, or genuinely expired). Re-read once more in case a sibling's fresh
-        // token just landed; otherwise stop and let the caller's 401 path re-login.
-        if (res.status === 401 || res.status === 403) {
-            const after = readAuthFresh();
-            if (after && fresh(after)) {
-                cached = after;
+            if (res.ok) {
+                const json = await res.json().catch(() => null);
+                const exp = json && decodeJwtExp(json.accessToken);
+                if (!json || !exp) {
+                    await delay(attempt * 300);
+                    continue;
+                }
+                saveAuth({ accessToken: json.accessToken, refreshToken: json.refreshToken, email: auth.email, expiresAt: new Date(exp * 1000).toISOString() });
                 return;
             }
-            return;
+            // 401/403 → the refresh token was rejected outright (rotated away by a sibling
+            // that beat us to the lock, or genuinely expired). Re-read once more in case a
+            // sibling's fresh token just landed; otherwise stop and let the caller re-login.
+            if (res.status === 401 || res.status === 403) {
+                const after = readAuthFresh();
+                if (after && fresh(after)) {
+                    cached = after;
+                    return;
+                }
+                return;
+            }
+            await delay(attempt * 300); // 5xx / unexpected → transient, retry
         }
-        await delay(attempt * 300); // 5xx / unexpected → transient, retry
+        // Retries exhausted: leave the existing token. The caller's request will 401 and the
+        // existing handler messages the user — we never delete the shared auth.json here.
+    }
+    finally {
+        if (release)
+            release();
     }
-    // Retries exhausted: leave the existing token. The caller's request will 401 and the
-    // existing handler messages the user — we never delete the shared auth.json here.
 }
 //# sourceMappingURL=auth.js.map

package/dist/commands/claude.js CHANGED Viewed

@@ -17,7 +17,7 @@ function resolveCommand(cmd) {
         return `${cmd}.cmd`;
     }
 }
-import { getAuth, saveAuth, clearAuth } from '../auth.js';
+import { getAuth, saveAuth } from '../auth.js';
 import { get, post, publicPost, ApiError, getAccountSlug } from '../api.js';
 import { getConfig, saveConfigAt, clearConfigCache, getApiBaseOverride, DEFAULT_API_BASE, getConfigPath } from '../config.js';
 import { sync } from '../sync.js';
@@ -339,7 +339,9 @@ export const claudeCommand = new Command('claude')
             }
             catch (err) {
                 if (err instanceof ApiError && err.statusCode === 401) {
-                    clearAuth();
+                    // Don't clearAuth() — the file is shared with concurrent gipity
+                    // processes (sync hook, relay); deleting it logs them all out. A
+                    // re-login overwrites it anyway. Leave it and just point the user.
                     console.error(`  ${clrError('Your session expired.')} ${muted('Run: gipity login')}`);
                 }
                 else {
@@ -480,7 +482,9 @@ export const claudeCommand = new Command('claude')
                         process.exit(1);
                     }
                     if (err instanceof ApiError && err.statusCode === 401 && !reauthed && !nonInteractive) {
-                        clearAuth();
+                        // No clearAuth(): interactiveLogin() saves fresh tokens over the
+                        // file. Deleting it first would log out any sibling process (sync
+                        // hook, relay) sharing this ~/.gipity/auth.json mid-run.
                         console.log(`  ${muted('Your session expired. Let\'s sign you back in.')}\n`);
                         auth = await interactiveLogin();
                         console.log('');
@@ -488,7 +492,7 @@ export const claudeCommand = new Command('claude')
                         continue;
                     }
                     if (err instanceof ApiError && err.statusCode === 401) {
-                        clearAuth();
+                        // Leave the shared auth.json in place (see above) — just message.
                         console.error(`  ${clrError('Your session expired.')}`);
                         console.error(`  ${muted('Run: gipity login')}`);
                         process.exit(1);

package/dist/commands/sync.js CHANGED Viewed

@@ -1,17 +1,18 @@
 import { Command } from 'commander';
 import { sync } from '../sync.js';
 import { createProgressReporter } from '../progress.js';
-import { error as clrError } from '../colors.js';
+import { error as clrError, muted } from '../colors.js';
 export const syncCommand = new Command('sync')
     .description('Sync files (a .gipityignore at the project root excludes paths, gitignore-style)')
     .option('--plan', 'Print the plan without applying any changes')
     .option('--force', 'Bypass the bulk-deletion guard')
+    .option('--prune', 'Remove files that exist on Gipity but not locally (applies the bulk deletes the guard defers)')
     .option('--json', 'Output as JSON')
     .action(async (opts) => {
     try {
         // JSON mode stays machine-clean; otherwise show live progress on a TTY.
         const progress = opts.json ? undefined : createProgressReporter();
-        const result = await sync({ plan: opts.plan, force: opts.force, progress });
+        const result = await sync({ plan: opts.plan, force: opts.force, prune: opts.prune, progress });
         if (opts.json) {
             console.log(JSON.stringify(result));
         }
@@ -20,8 +21,14 @@ export const syncCommand = new Command('sync')
             if (!opts.plan && result.applied > 0) {
                 console.log(`\n${result.applied} action${result.applied > 1 ? 's' : ''} applied.`);
             }
-            if (result.skipped > 0) {
-                console.error(clrError(`${result.skipped} action${result.skipped > 1 ? 's' : ''} skipped by guard.`));
+            // The guard defers bulk server-side deletes (files on Gipity but not
+            // local). Surface that here as a helpful hint - not a red error - with
+            // the one command that resolves it. Only `gipity sync` shows this;
+            // deploy/test/sandbox stay silent (their internal sync defers quietly).
+            if (result.deferredDeletes > 0) {
+                console.log(muted(`\n${result.deferredDeletes} file${result.deferredDeletes > 1 ? 's' : ''} on Gipity ` +
+                    `${result.deferredDeletes > 1 ? 'are' : 'is'} not present locally and ${result.deferredDeletes > 1 ? 'were' : 'was'} left untouched. ` +
+                    `Run 'gipity sync --prune' to remove ${result.deferredDeletes > 1 ? 'them' : 'it'}.`));
             }
             for (const e of result.errors)
                 console.error(clrError(e));

package/dist/knowledge.js CHANGED Viewed

@@ -45,7 +45,7 @@ Gipity is the cloud platform your project runs on - hosting, databases, deployme
 Prefer the cheapest option that works - CLI and sandbox are instant and free, app services are runtime HTTP calls, \`gipity chat\` burns LLM tokens:
-1. CLI commands (fast, no agent overhead). The \`gipity\` CLI covers add, deploy, db, fn, logs, browser, sync, memory, skill, and more. All commands support \`--json\`.
+1. CLI commands (fast, no agent overhead). The \`gipity\` CLI covers add, deploy, db, fn, logs, browser, sync, memory, skill, email, and more. All commands support \`--json\`. You can send email yourself - \`gipity email send\` goes out as the agent from \`gipity@gipity.ai\` with no setup or API keys (\`gipity skill read email\`); don't build a \`mailto:\` workaround or reach for an SMTP library.
 2. Cloud sandbox via \`gipity sandbox run\` - Docker container with pre-installed tools for media (ffmpeg, ImageMagick, sox), documents (pandoc, LibreOffice), and data (pandas, matplotlib, sqlite3). Run \`gipity skill read sandbox-tools\` for the full toolkit. No network from inside the sandbox - fetch what you need before sending it in.
 3. App services - runtime HTTP endpoints your deployed app calls directly at \`https://a.gipity.ai/api/<PROJECT_GUID>/services/*\`. Available: LLM, TTS, image, sound, music, transcribe, video, file upload, realtime, location. Load the matching skill (\`app-llm\`, \`app-tts\`, etc.) before writing service code - they have the schemas, auth pattern, and common-mistake guards. For one-off generation during development, prefer \`gipity generate <image|video|speech|music>\` or \`gipity chat\`. \`gipity generate\` saves to a generic file in the current directory by default (e.g. \`./generated.png\`) - pass \`-o <path>\` to write it straight into your source tree so it deploys (e.g. \`gipity generate image "hero banner" -o src/assets/images/hero.png\`) instead of generating at cwd and moving it.
 4. Delegate to Gip (\`gipity chat "<task>"\`) - only when the work genuinely needs agent reasoning or a tool not in the CLI, sandbox, or app services. Required for: Twitter/X search, Gmail, calendar, push notifications, video understanding, audio source isolation, cross-model second opinions, multi-step orchestration. Don't use \`gipity chat\` for anything the sandbox can do - it's slower and burns tokens.
@@ -54,7 +54,7 @@ You are the developer. Write files in this directory - the Gipity Claude Code pl
 ## Use first-party services before reaching outside
-Gipity ships first-party services for what apps usually pull from third parties - auth, location/geocoding, LLM, image/audio/video generation, transcription, file uploads, realtime. Before calling an external API or adding an npm package for one of these, check \`gipity skill list\` for a match. First-party services need no API keys, cost less, and keep data in-house. Reach outside only when the catalog has no equivalent - and say so when you do.
+Gipity ships first-party services for what apps usually pull from third parties - auth, location/geocoding, LLM, image/audio/video generation, transcription, file uploads, realtime, and email (send as the agent via \`gipity email send\`, or from a deployed app via a workflow \`notify\` step - no SMTP/SendGrid/Nodemailer). Before calling an external API or adding an npm package for one of these, check \`gipity skill list\` for a match. First-party services need no API keys, cost less, and keep data in-house. Reach outside only when the catalog has no equivalent - and say so when you do.
 ## Don't guess Gipity facts - look them up
@@ -98,7 +98,7 @@ mkdir -p ~/GipityProjects/<slug> && cd ~/GipityProjects/<slug> && gipity init <s
 ## CLI quick reference
-Key commands: \`gipity add <template|kit>\`, \`gipity deploy dev\`, \`gipity sandbox run\`, \`gipity page inspect <url>\`, \`gipity page screenshot <url>\`, \`gipity db query "SQL"\`, \`gipity fn call <name>\`, \`gipity logs fn <name>\`, \`gipity skill read <name>\`.
+Key commands: \`gipity add <template|kit>\`, \`gipity deploy dev\`, \`gipity sandbox run\`, \`gipity page inspect <url>\`, \`gipity page screenshot <url>\`, \`gipity db query "SQL"\`, \`gipity fn call <name>\`, \`gipity logs fn <name>\`, \`gipity email send --to <addr> --subject <s> --body <b>\` (sends as \`gipity@gipity.ai\`; omit \`--to\` to self-send), \`gipity skill read <name>\`.
 Pull an existing remote project local (given its URL/slug): \`mkdir -p ~/GipityProjects/<slug> && cd ~/GipityProjects/<slug> && gipity init <slug>\` (adopts the matching project and syncs files down - this is the "clone").
 For deterministic text questions (letter/word counts, substring occurrences, nth word/char, anagrams), use \`gipity text analyze "<text>"\` - local and instant, no sandbox or LLM needed.
 Run \`gipity --help\` for the full list. Use \`--help\` on any command for details.
@@ -149,6 +149,7 @@ Kit skills (reusable building blocks - \`gipity add <kit>\`):
 - \`chatbot\` - the chatbot kit: persona + scope guardrails + static knowledge, bubble widget or headless engine
 Other key skills:
+- \`email\` - sending email as the agent from gipity@gipity.ai (no setup/keys) — plus Gmail-thread replies, HTML formatting, images
 - \`sandbox-tools\` - cloud sandbox capabilities and pre-installed tools
 - \`tts\` - agent-side speech tools (different from the \`app-tts\` HTTP service)`;
 export const DEFINITION_OF_DONE = `## Definition of done (build tasks)

package/dist/sync.js CHANGED Viewed

@@ -481,16 +481,20 @@ async function bulkDeleteGuard(p, knownFiles, opts) {
     const totalDeletes = p.deletesLocal + p.deletesRemote;
     if (totalDeletes === 0)
         return true;
-    if (opts.force)
+    if (opts.force || opts.prune)
         return true;
     const denom = Math.max(knownFiles, 1);
     const fraction = totalDeletes / denom;
     if (totalDeletes < BULK_DELETE_COUNT || fraction < BULK_DELETE_FRACTION)
         return true;
     if (!opts.interactive || getAutoConfirm()) {
-        console.error(`Refusing to delete ${totalDeletes} file${totalDeletes > 1 ? 's' : ''} ` +
-            `(${Math.round(fraction * 100)}% of tree) non-interactively. ` +
-            `Re-run with --force or interactively to confirm.`);
+        // Non-interactive (deploy/test/sandbox auto-mirror): there's no human to
+        // confirm, so defer the bulk deletes SILENTLY and carry them forward. This
+        // is the safe default - uploads/downloads still apply, nothing is deleted -
+        // and it avoids spamming a "Refusing to delete N files" error on every
+        // command when a project legitimately has server-only files (e.g. runtime
+        // uploads, or sandbox outputs not kept locally). The deferred count rides
+        // out in SyncResult.deferredDeletes; `gipity sync --prune` applies them.
         return false;
     }
     const answer = await prompt(`\nPlan deletes ${totalDeletes} files (${Math.round(fraction * 100)}% of the tree). Type "delete" to confirm: `);
@@ -572,6 +576,7 @@ async function syncInner(projectGuid, root, ignore, opts, interactive) {
         return {
             plan: planned, applied: 0, skipped: 0, errors: [],
             summary: formatPlan(planned),
+            deferredDeletes: 0,
         };
     }
     // Bulk-delete guard over the *planned* deletes.
@@ -983,6 +988,7 @@ async function syncInner(projectGuid, root, ignore, opts, interactive) {
         skipped: skippedByGuard,
         errors,
         summary: formatPlan(planned),
+        deferredDeletes: skippedByGuard,
     };
 }
 function cleanupEmptyDirs(root, ignorePatterns) {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "gipity",
-  "version": "1.0.395",
+  "version": "1.0.397",
   "description": "The full-stack platform tuned for AI agents. Database, storage, auth, functions, deploy, and drop-in kits - all agent-tuned. Pair with Claude Code or use standalone.",
   "bin": {
     "gipity": "dist/updater/shim.js",
@@ -12,7 +12,7 @@
     "build": "tsc && chmod +x dist/index.js dist/gipcc.js dist/gipccd.js dist/updater/shim.js dist/updater/check.js",
     "dev": "tsc --watch",
     "test": "npm run test:smoke",
-    "test:smoke": "tsc && node --test dist/__tests__/utils.test.js dist/__tests__/colors.test.js dist/__tests__/config.test.js dist/__tests__/sync.test.js dist/__tests__/sync-apply.test.js dist/__tests__/sync-lock.test.js dist/__tests__/push-cas.test.js dist/__tests__/upload.test.js dist/__tests__/progress.test.js dist/__tests__/updater.test.js dist/__tests__/cli-smoke.test.js dist/__tests__/claude-noninteractive.test.js dist/__tests__/claude-trust.test.js dist/__tests__/relay-state.test.js dist/__tests__/relay-daemon.test.js dist/__tests__/relay-installers.test.js dist/__tests__/relay-bridge-abort.test.js dist/__tests__/relay-redact.test.js dist/__tests__/relay-machine-id.test.js dist/__tests__/stream-json.test.js dist/__tests__/relay-ingest-contract.test.js dist/__tests__/prompts.test.js dist/__tests__/capture-transcript.test.js dist/__tests__/flag-aliases.test.js dist/__tests__/adopt-cwd.test.js dist/__tests__/cli-cmd-agent.test.js dist/__tests__/cli-cmd-approval.test.js dist/__tests__/cli-cmd-audit.test.js dist/__tests__/cli-cmd-chat.test.js dist/__tests__/cli-cmd-credits.test.js dist/__tests__/cli-cmd-db.test.js dist/__tests__/cli-cmd-deploy.test.js dist/__tests__/cli-cmd-domain.test.js dist/__tests__/cli-cmd-email.test.js dist/__tests__/cli-cmd-file.test.js dist/__tests__/cli-cmd-fn.test.js dist/__tests__/cli-cmd-service.test.js dist/__tests__/cli-cmd-job.test.js dist/__tests__/cli-cmd-generate.test.js dist/__tests__/cli-cmd-gmail.test.js dist/__tests__/cli-cmd-info.test.js dist/__tests__/cli-cmd-init.test.js dist/__tests__/cli-cmd-location.test.js dist/__tests__/cli-cmd-text.test.js dist/__tests__/cli-cmd-login.test.js dist/__tests__/cli-cmd-logout.test.js dist/__tests__/cli-cmd-token.test.js dist/__tests__/cli-cmd-logs.test.js dist/__tests__/cli-cmd-memory.test.js dist/__tests__/cli-cmd-page.test.js dist/__tests__/cli-cmd-plan.test.js dist/__tests__/cli-cmd-project.test.js dist/__tests__/cli-cmd-rbac.test.js dist/__tests__/cli-cmd-realtime.test.js dist/__tests__/cli-cmd-records.test.js dist/__tests__/cli-cmd-relay.test.js dist/__tests__/cli-cmd-sandbox.test.js dist/__tests__/cli-cmd-add.test.js dist/__tests__/cli-cmd-remove.test.js dist/__tests__/cli-cmd-skill.test.js dist/__tests__/cli-cmd-test.test.js dist/__tests__/cli-cmd-workflow.test.js dist/__tests__/setup-skills-block.test.js dist/__tests__/setup-hooks.test.js",
+    "test:smoke": "tsc && node --test dist/__tests__/utils.test.js dist/__tests__/colors.test.js dist/__tests__/config.test.js dist/__tests__/sync.test.js dist/__tests__/sync-apply.test.js dist/__tests__/sync-lock.test.js dist/__tests__/auth-lock.test.js dist/__tests__/push-cas.test.js dist/__tests__/upload.test.js dist/__tests__/progress.test.js dist/__tests__/updater.test.js dist/__tests__/cli-smoke.test.js dist/__tests__/claude-noninteractive.test.js dist/__tests__/claude-trust.test.js dist/__tests__/relay-state.test.js dist/__tests__/relay-daemon.test.js dist/__tests__/relay-installers.test.js dist/__tests__/relay-bridge-abort.test.js dist/__tests__/relay-redact.test.js dist/__tests__/relay-machine-id.test.js dist/__tests__/stream-json.test.js dist/__tests__/relay-ingest-contract.test.js dist/__tests__/prompts.test.js dist/__tests__/capture-transcript.test.js dist/__tests__/flag-aliases.test.js dist/__tests__/adopt-cwd.test.js dist/__tests__/cli-cmd-agent.test.js dist/__tests__/cli-cmd-approval.test.js dist/__tests__/cli-cmd-audit.test.js dist/__tests__/cli-cmd-chat.test.js dist/__tests__/cli-cmd-credits.test.js dist/__tests__/cli-cmd-db.test.js dist/__tests__/cli-cmd-deploy.test.js dist/__tests__/cli-cmd-domain.test.js dist/__tests__/cli-cmd-email.test.js dist/__tests__/cli-cmd-file.test.js dist/__tests__/cli-cmd-fn.test.js dist/__tests__/cli-cmd-service.test.js dist/__tests__/cli-cmd-job.test.js dist/__tests__/cli-cmd-generate.test.js dist/__tests__/cli-cmd-gmail.test.js dist/__tests__/cli-cmd-info.test.js dist/__tests__/cli-cmd-init.test.js dist/__tests__/cli-cmd-location.test.js dist/__tests__/cli-cmd-text.test.js dist/__tests__/cli-cmd-login.test.js dist/__tests__/cli-cmd-logout.test.js dist/__tests__/cli-cmd-token.test.js dist/__tests__/cli-cmd-logs.test.js dist/__tests__/cli-cmd-memory.test.js dist/__tests__/cli-cmd-page.test.js dist/__tests__/cli-cmd-plan.test.js dist/__tests__/cli-cmd-project.test.js dist/__tests__/cli-cmd-rbac.test.js dist/__tests__/cli-cmd-realtime.test.js dist/__tests__/cli-cmd-records.test.js dist/__tests__/cli-cmd-relay.test.js dist/__tests__/cli-cmd-sandbox.test.js dist/__tests__/cli-cmd-add.test.js dist/__tests__/cli-cmd-remove.test.js dist/__tests__/cli-cmd-skill.test.js dist/__tests__/cli-cmd-test.test.js dist/__tests__/cli-cmd-workflow.test.js dist/__tests__/setup-skills-block.test.js dist/__tests__/setup-hooks.test.js",
     "test:e2e": "tsc && GIPITY_E2E=1 node --test --test-timeout=180000 dist/__tests__/cli-e2e-live.test.js dist/__tests__/cli-e2e-services-media-live.test.js dist/__tests__/cli-e2e-workflow-live.test.js dist/__tests__/cli-e2e-sandbox-live.test.js dist/__tests__/cli-e2e-page-fetch-live.test.js dist/__tests__/cli-e2e-page-test-live.test.js",
     "test:e2e:sandbox": "tsc && GIPITY_E2E=1 node --test --test-timeout=180000 dist/__tests__/cli-e2e-sandbox-live.test.js"
   },