githolon 0.1.2

package/LICENSE.md

@@ -0,0 +1,36 @@
+# Nomos Pre-Release License (v1)
+
+Copyright © 2026 Captain App Ltd. All rights reserved.
+
+This is a pre-release of Nomos. This license gives you what you need to BUILD
+with it; we keep the rest for now.
+
+## You may
+
+- install and use these packages to author Nomos domains, compile them, and
+  deploy them to Nomos Cloud or any Nomos instance Captain App operates or
+  authorizes;
+- build, run, and ship applications on top of them — including commercial ones;
+- keep everything that's yours: code you write, and everything these tools
+  generate FOR you (scaffolds from `create-githolon` / `githolon generate`, generated
+  clients, compiled domain packages) carries NO restriction from us — it is
+  yours outright.
+
+## You may not
+
+- redistribute these packages or their source, in whole or in part, outside
+  your team;
+- modify them or build derivative tools, SDKs, or runtimes from their source;
+- offer the Nomos runtime, or anything materially similar, as a hosted service;
+- reverse-engineer the holon wasm runtime.
+
+## The rest
+
+Provided **as is**, with no warranty of any kind; to the maximum extent
+permitted by law, Captain App Ltd accepts no liability arising from your use.
+This license terminates automatically if you breach it.
+
+Want the kernel source, broader rights, or to do something this doesn't cover?
+**Ask: jack@captainapp.co.uk.** The plan is to open Nomos up gradually, with
+the people actually using it — telling us what you're building is how that
+happens faster.

package/dist/cli.mjs

@@ -0,0 +1,1149 @@
+#!/usr/bin/env node
+
+// src/cli.ts
+import { spawnSync as spawnSync3 } from "node:child_process";
+import { createRequire } from "node:module";
+import { dirname as dirname2, join as join4 } from "node:path";
+import { pathToFileURL } from "node:url";
+
+// src/generate.ts
+import { mkdirSync, existsSync, writeFileSync } from "node:fs";
+import { join } from "node:path";
+
+// src/naming.ts
+function words(raw) {
+  return raw.replace(/([a-z0-9])([A-Z])/g, "$1 $2").replace(/[_\-\s]+/g, " ").trim().toLowerCase().split(" ").filter((w) => w.length > 0);
+}
+var cap = (w) => w.length === 0 ? w : w[0].toUpperCase() + w.slice(1);
+function pascalCase(raw) {
+  return words(raw).map(cap).join("");
+}
+function camelCase(raw) {
+  return words(raw).map((w, i) => i === 0 ? w : cap(w)).join("");
+}
+function snakeCase(raw) {
+  return words(raw).join("_");
+}
+function screamingSnakeCase(raw) {
+  return words(raw).join("_").toUpperCase();
+}
+function assertValidName(raw) {
+  const ws = words(raw);
+  if (ws.length === 0) {
+    throw new Error(`Invalid name: '${raw}' \u2014 give at least one word, e.g. 'work_order'.`);
+  }
+  for (const w of ws) {
+    if (!/^[a-z][a-z0-9]*$/.test(w)) {
+      throw new Error(
+        `Invalid name token '${w}' in '${raw}' \u2014 words must be alphanumeric and start with a letter (got after normalisation: ${ws.join(", ")}).`
+      );
+    }
+  }
+  return ws;
+}
+
+// src/templates.ts
+function namesFor(raw) {
+  return {
+    raw,
+    pascal: pascalCase(raw),
+    camel: camelCase(raw),
+    statusesConst: `${screamingSnakeCase(raw)}_STATUSES`
+  };
+}
+var HEADER = (raw, kind) => `/**
+ * The \`${raw}\` ${kind} \u2014 scaffolded by \`githolon generate\`.
+ *
+ * Authoring rules (see @githolon/dsl): write ONLY aggregates (typed fields, each
+ * tagged with a merge Driver) and directives (Zod payload + declarative plan).
+ * You never write apply/fold/merge \u2014 the kernel owns the merge algebra.
+ *
+ * Convention: the fail-closed \`Conflict\` driver is the default for scalars.
+ * Relax only what differs: \`.merge(Lww)\`, \`.merge(AddWins)\`, \`.merge(MapOf(Lww))\`.
+ */`;
+function aggregateBlock(n) {
+  return `export const ${n.statusesConst} = ["active", "retired"] as const;
+
+export const ${n.pascal} = aggregate("${n.pascal}", {
+  // Default driver is the fail-closed \`Conflict\`: concurrent edits surface
+  // as a conflict rather than silently coalescing. Declare only what differs.
+  label: t.string().merge(Conflict),
+  // Overrides \u2014 last-write-wins / set-union / per-key map:
+  pos: t.int().merge(Lww),
+  status: t.enum(${n.statusesConst}).merge(Lww),
+  tags: t.set(t.string()).merge(AddWins),
+  customFields: t.map(t.string()).merge(MapOf(Lww)),
+});`;
+}
+function domainTemplate(raw) {
+  const n = namesFor(raw);
+  return `${HEADER(raw, "domain")}
+import { z } from "zod";
+import {
+  aggregate,
+  directive,
+  t,
+  Conflict,
+  Lww,
+  AddWins,
+  MapOf,
+  set,
+  addToSet,
+  setEntry,
+} from "@githolon/dsl";
+
+${aggregateBlock(n)}
+
+/** create${n.pascal} \u2014 .creates the aggregate; seeds label/pos/status. */
+export const create${n.pascal} = directive("create${n.pascal}")
+  .creates(${n.pascal})
+  .payload(
+    z.object({
+      label: z.string(),
+      pos: z.number().int(),
+      status: z.enum(${n.statusesConst}),
+    }),
+  )
+  .plan((p) => [
+    set(${n.pascal}, "label", p.label),
+    set(${n.pascal}, "pos", p.pos),
+    set(${n.pascal}, "status", p.status),
+  ]);
+
+/** move${n.pascal} \u2014 .mutates pos. */
+export const move${n.pascal} = directive("move${n.pascal}")
+  .mutates(${n.pascal})
+  .payload(z.object({ pos: z.number().int() }))
+  .plan((p) => [set(${n.pascal}, "pos", p.pos)]);
+
+/** tag${n.pascal} \u2014 .mutates tags (add-wins union). */
+export const tag${n.pascal} = directive("tag${n.pascal}")
+  .mutates(${n.pascal})
+  .payload(z.object({ tags: z.array(z.string()) }))
+  .plan((p) => [addToSet(${n.pascal}, "tags", p.tags)]);
+
+/** setCustomFieldOn${n.pascal} \u2014 .mutates customFields (a map entry). */
+export const setCustomFieldOn${n.pascal} = directive("setCustomFieldOn${n.pascal}")
+  .mutates(${n.pascal})
+  .payload(z.object({ key: z.string(), value: z.string() }))
+  .plan((p) => [setEntry(${n.pascal}, "customFields", p.key, p.value)]);
+`;
+}
+function aggregateTemplate(raw) {
+  const n = namesFor(raw);
+  return `${HEADER(raw, "aggregate")}
+import { aggregate, t, Conflict, Lww, AddWins, MapOf } from "@githolon/dsl";
+
+${aggregateBlock(n)}
+`;
+}
+function intentTemplate(raw) {
+  const n = namesFor(raw);
+  return `${HEADER(raw, "intent (directive)")}
+import { z } from "zod";
+import { aggregate, directive, t, Conflict, set } from "@githolon/dsl";
+
+// Stub target \u2014 in a real domain, import the existing aggregate handle instead.
+export const ${n.pascal} = aggregate("${n.pascal}", {
+  label: t.string().merge(Conflict),
+});
+
+/** ${n.camel} \u2014 .mutates the target aggregate. */
+export const ${n.camel} = directive("${n.camel}")
+  .mutates(${n.pascal})
+  .payload(z.object({ label: z.string() }))
+  .plan((p) => [set(${n.pascal}, "label", p.label)]);
+`;
+}
+
+// src/generate.ts
+var RENDERERS = {
+  domain: domainTemplate,
+  aggregate: aggregateTemplate,
+  intent: intentTemplate
+};
+function renderScaffold(kind, name) {
+  assertValidName(name);
+  const render = RENDERERS[kind];
+  if (!render) {
+    throw new Error(`Unknown generator kind '${kind}'. Use: domain | aggregate | intent.`);
+  }
+  return render(name);
+}
+function generate(opts) {
+  const contents = renderScaffold(opts.kind, opts.name);
+  const fileName = `${snakeCase(opts.name)}.ts`;
+  const path = join(opts.outDir, fileName);
+  if (existsSync(path) && !opts.force) {
+    throw new Error(
+      `Refusing to overwrite existing file: ${path}
+Re-run with --force to replace it.`
+    );
+  }
+  mkdirSync(opts.outDir, { recursive: true });
+  writeFileSync(path, contents, "utf8");
+  return { path, contents };
+}
+
+// src/cloud.ts
+import { chmodSync, existsSync as existsSync2, mkdirSync as mkdirSync2, readdirSync, readFileSync, writeFileSync as writeFileSync2 } from "node:fs";
+import { join as join2 } from "node:path";
+import { homedir } from "node:os";
+var DEFAULT_CLOUD = "https://nomos.captainapp.co.uk";
+var DEFAULT_AUTH_URL = "https://kjbcjkihxskuwwfdqklt.supabase.co";
+var DEFAULT_AUTH_ANON_KEY = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImtqYmNqa2loeHNrdXd3ZmRxa2x0Iiwicm9sZSI6ImFub24iLCJpYXQiOjE3NTA3MDU2OTAsImV4cCI6MjA2NjI4MTY5MH0.V9e7XsuTlTOLqefOIedTqlBiTxUSn4O5FZSPWwAxiSI";
+function cloudBase(flag) {
+  return (flag ?? process.env["NOMOS_CLOUD"] ?? DEFAULT_CLOUD).replace(/\/+$/, "");
+}
+function authUrl() {
+  return (process.env["HOLON_AUTH_URL"] ?? DEFAULT_AUTH_URL).replace(/\/+$/, "");
+}
+function authAnonKey() {
+  return process.env["HOLON_AUTH_ANON_KEY"] ?? DEFAULT_AUTH_ANON_KEY;
+}
+function configDir() {
+  return process.env["HOLON_CONFIG_DIR"] ?? join2(homedir(), ".holon");
+}
+function credsPath() {
+  return join2(configDir(), "credentials.json");
+}
+function loadCreds() {
+  if (!existsSync2(credsPath())) return { version: 1, secrets: {} };
+  return JSON.parse(readFileSync(credsPath(), "utf8"));
+}
+function saveCreds(c) {
+  mkdirSync2(configDir(), { recursive: true });
+  writeFileSync2(credsPath(), JSON.stringify(c, null, 2) + "\n", "utf8");
+  chmodSync(credsPath(), 384);
+}
+var secretKey = (cloud, ws) => `${cloud} ${ws}`;
+function getSecret(cloud, ws) {
+  return loadCreds().secrets[secretKey(cloud, ws)];
+}
+function setSecret(cloud, ws, secret) {
+  const c = loadCreds();
+  c.secrets[secretKey(cloud, ws)] = secret;
+  saveCreds(c);
+}
+function setPrincipal(principal) {
+  const c = loadCreds();
+  c.principal = principal;
+  saveCreds(c);
+}
+function principalHeaders(principal) {
+  return /^[\w-]+\.[\w-]+\.[\w-]+$/.test(principal) ? { "x-nomos-auth": principal } : { "x-nomos-principal": principal };
+}
+function sessionFromGotrue(d) {
+  if (typeof d.access_token !== "string" || typeof d.refresh_token !== "string") return void 0;
+  return {
+    url: authUrl(),
+    uid: d.user?.id ?? "",
+    anonymous: d.user?.is_anonymous === true,
+    accessToken: d.access_token,
+    refreshToken: d.refresh_token,
+    expiresAt: d.expires_at ?? Math.floor(Date.now() / 1e3) + (d.expires_in ?? 3600)
+  };
+}
+async function gotrue(path, body) {
+  const r = await fetch(`${authUrl()}${path}`, {
+    method: "POST",
+    headers: { apikey: authAnonKey(), "content-type": "application/json" },
+    body
+  });
+  return await r.json().catch(() => ({ error: `auth provider returned ${r.status} with no body` }));
+}
+function saveSession(s) {
+  const c = loadCreds();
+  c.session = s;
+  saveCreds(c);
+}
+async function sessionToken() {
+  const c = loadCreds();
+  if (c.session === void 0) return void 0;
+  if (c.session.expiresAt - 60 > Math.floor(Date.now() / 1e3)) return c.session.accessToken;
+  const d = await gotrue("/auth/v1/token?grant_type=refresh_token", JSON.stringify({ refresh_token: c.session.refreshToken }));
+  const s = sessionFromGotrue(d);
+  if (s === void 0) {
+    throw new Error(
+      `session refresh failed (${d.error_description ?? d.error ?? d.msg ?? "unknown"}) \u2014 githolon login --agent (or --token) again`
+    );
+  }
+  saveSession(s);
+  return s.accessToken;
+}
+function discoverDeployJson(cwd, explicit) {
+  if (explicit !== void 0) {
+    if (!existsSync2(explicit)) throw new Error(`deploy body not found: ${explicit}`);
+    return explicit;
+  }
+  const buildDir = join2(cwd, "build");
+  if (!existsSync2(buildDir)) {
+    throw new Error("no build/ directory \u2014 run `githolon compile` first (or pass --file <path>)");
+  }
+  const bodies = readdirSync(buildDir).filter((f) => f.endsWith(".deploy.json"));
+  if (bodies.length === 0) {
+    throw new Error("no build/*.deploy.json \u2014 run `githolon compile` first (or pass --file <path>)");
+  }
+  if (bodies.length > 1) {
+    throw new Error(`multiple deploy bodies in build/ (${bodies.join(", ")}) \u2014 pass --file <path>`);
+  }
+  return join2(buildDir, bodies[0]);
+}
+var out = (s) => void process.stdout.write(s + "\n");
+var err = (s) => void process.stderr.write("error: " + s + "\n");
+async function login(opts) {
+  if (opts.agent !== true && opts.token === void 0) {
+    err(
+      "browser login is not wired up yet \u2014 use one of:\n  githolon login --agent             anonymous sign-in (verified identity, linkable later)\n  githolon login --token <refresh>   adopt an existing captain app session"
+    );
+    return 1;
+  }
+  const d = opts.agent === true ? await gotrue("/auth/v1/signup", "{}") : await gotrue("/auth/v1/token?grant_type=refresh_token", JSON.stringify({ refresh_token: opts.token }));
+  const s = sessionFromGotrue(d);
+  if (s === void 0) {
+    err(`login failed: ${d.error_description ?? d.error ?? d.msg ?? JSON.stringify(d)}`);
+    return 1;
+  }
+  saveSession(s);
+  out(`\u2713 logged in${s.anonymous ? " (anonymous agent identity \u2014 linkable to a full account later)" : ""}`);
+  out(`  principal uid ${s.uid}`);
+  out(`  session saved \u2192 ${credsPath()} (auto-refreshed; births now ride x-nomos-auth)`);
+  return 0;
+}
+async function whoami() {
+  const c = loadCreds();
+  if (c.session !== void 0) {
+    out(`session: ${c.session.anonymous ? "anonymous agent" : "account"} uid ${c.session.uid} (auth ${c.session.url})`);
+    return 0;
+  }
+  if (c.principal !== void 0) {
+    out(`bare principal (transitional, unverified): ${c.principal}`);
+    return 0;
+  }
+  out("not logged in \u2014 githolon login --agent, or pass --principal <uid> per birth");
+  return 0;
+}
+async function logout() {
+  const c = loadCreds();
+  delete c.session;
+  saveCreds(c);
+  out("\u2713 session cleared (stored workspace secrets kept)");
+  return 0;
+}
+async function wsCreate(name, opts) {
+  const cloud = cloudBase(opts.cloud);
+  const principal = opts.principal ?? await sessionToken().catch((e) => (err(e.message), void 0)) ?? loadCreds().principal;
+  if (principal === void 0) {
+    err(
+      "a birth needs a principal \u2014 githolon login --agent (self-onboarding),\nor pass --principal <your-auth-uid or access token> (saved as the default)"
+    );
+    return 1;
+  }
+  const r = await fetch(`${cloud}/v1/workspaces/${name}`, {
+    method: "POST",
+    headers: principalHeaders(principal)
+  });
+  const d = await r.json().catch(() => void 0);
+  if (!r.ok || d?.ok !== true) {
+    err(`create '${name}' refused (${r.status}): ${d ? JSON.stringify(d) : "no body"}`);
+    return 1;
+  }
+  if (opts.principal !== void 0) setPrincipal(opts.principal);
+  if (typeof d.workspaceSecret === "string") {
+    setSecret(cloud, name, d.workspaceSecret);
+    out(`\u2713 workspace ${name} created on ${cloud}`);
+    out(`\u2713 workspaceSecret saved \u2192 ${credsPath()} (githolon deploy uses it automatically)`);
+  } else {
+    out(`\u2713 workspace ${name} already exists on ${cloud} (no new secret issued)`);
+    if (getSecret(cloud, name) === void 0) {
+      out(`  no stored secret for it here \u2014 if you own it: githolon secret set ${name} <secret>`);
+    }
+  }
+  return 0;
+}
+async function wsStatus(name, opts) {
+  const cloud = cloudBase(opts.cloud);
+  const r = await fetch(`${cloud}/v1/workspaces/${name}`);
+  const text = await r.text();
+  if (!r.ok) {
+    err(`status '${name}' (${r.status}): ${text}`);
+    return 1;
+  }
+  out(text);
+  return 0;
+}
+async function deploy(ws, opts) {
+  const cloud = cloudBase(opts.cloud);
+  let file;
+  try {
+    file = discoverDeployJson(process.cwd(), opts.file);
+  } catch (e) {
+    err(e.message);
+    return 1;
+  }
+  const secret = getSecret(cloud, ws);
+  if (secret === void 0) {
+    err(
+      `no stored secret for ${ws} on ${cloud}
+  githolon ws create ${ws}            (a fresh workspace saves its secret here)
+  githolon secret set ${ws} <secret>  (import one you already hold)`
+    );
+    return 1;
+  }
+  const r = await fetch(`${cloud}/v1/workspaces/${ws}/domains`, {
+    method: "POST",
+    headers: { "content-type": "application/json", authorization: `Bearer ${secret}` },
+    body: readFileSync(file, "utf8")
+  });
+  const d = await r.json().catch(() => void 0);
+  if (r.status === 401) {
+    err(`deploy refused (401) \u2014 the stored secret for ${ws} is not the workspace's. githolon secret set ${ws} <secret>`);
+    return 1;
+  }
+  if (!r.ok || d?.ok !== true) {
+    err(`deploy '${ws}' failed (${r.status}): ${d ? JSON.stringify(d) : "no body"}`);
+    return 1;
+  }
+  const phase = d.installation?.[0]?.data?.["status.phase"];
+  out(`\u2713 deployed ${file.split("/").pop()} \u2192 ${ws}${typeof phase === "string" ? ` (${phase})` : ""}`);
+  if (typeof d.domainHash === "string") out(`  law hash ${d.domainHash}`);
+  return 0;
+}
+async function secretSet(ws, secret, opts) {
+  setSecret(cloudBase(opts.cloud), ws, secret);
+  out(`\u2713 secret for ${ws} saved \u2192 ${credsPath()}`);
+  return 0;
+}
+async function secretRotate(ws, opts) {
+  const cloud = cloudBase(opts.cloud);
+  const current = getSecret(cloud, ws);
+  if (current === void 0) {
+    err(`no stored secret for ${ws} on ${cloud} \u2014 githolon secret set ${ws} <secret> first`);
+    return 1;
+  }
+  const r = await fetch(`${cloud}/v1/workspaces/${ws}/rotate-secret`, {
+    method: "POST",
+    headers: { authorization: `Bearer ${current}` }
+  });
+  const d = await r.json().catch(() => void 0);
+  if (!r.ok || d?.ok !== true || typeof d.workspaceSecret !== "string") {
+    err(`rotate '${ws}' failed (${r.status}): ${d ? JSON.stringify(d) : "no body"}`);
+    return 1;
+  }
+  setSecret(cloud, ws, d.workspaceSecret);
+  out(`\u2713 secret for ${ws} rotated and saved \u2192 ${credsPath()}`);
+  return 0;
+}
+
+// src/git.ts
+import { spawnSync } from "node:child_process";
+import { randomBytes } from "node:crypto";
+import { readFileSync as readFileSync2 } from "node:fs";
+var out2 = (s) => void process.stdout.write(s + "\n");
+var err2 = (s) => void process.stderr.write("error: " + s + "\n");
+function git(args, opts = {}) {
+  const r = spawnSync("git", args, { stdio: opts.quiet === true ? "ignore" : "inherit" });
+  return r.status ?? 1;
+}
+function ensureSecret(cloud, ws) {
+  const existing = getSecret(cloud, ws);
+  if (existing !== void 0) return existing;
+  const minted = `holon_v1_${randomBytes(24).toString("hex")}`;
+  setSecret(cloud, ws, minted);
+  return minted;
+}
+function parseCredentialInput(input) {
+  const kv = {};
+  for (const line of input.split("\n")) {
+    if (line === "") break;
+    const i = line.indexOf("=");
+    if (i > 0) kv[line.slice(0, i)] = line.slice(i + 1);
+  }
+  return kv;
+}
+function workspaceFromPath(path) {
+  const m = (path ?? "").match(/^v1\/workspaces\/([^/]+)\/git(\/|$)/);
+  return m?.[1];
+}
+async function gitCredential(action) {
+  if (action !== "get") return 0;
+  const kv = parseCredentialInput(readFileSync2(0, "utf8"));
+  const ws = workspaceFromPath(kv["path"]);
+  if (kv["protocol"] !== "https" || ws === void 0) return 0;
+  const cloud = `https://${kv["host"]}`;
+  const token = await sessionToken().catch(() => void 0);
+  out2(`username=${token ?? "nomos"}`);
+  out2(`password=${ensureSecret(cloud, ws)}`);
+  out2("");
+  return 0;
+}
+async function gitSetup(opts) {
+  const cloud = cloudBase(opts.cloud);
+  const self = process.argv[1];
+  if (self === void 0) {
+    err2("cannot locate the githolon CLI entry to install as a credential helper");
+    return 1;
+  }
+  const helper = `!"${process.execPath}" "${self}" git-credential`;
+  if (git(["config", "--global", `credential.${cloud}.helper`, helper]) !== 0 || git(["config", "--global", `credential.${cloud}.useHttpPath`, "true"]) !== 0) {
+    err2("git config failed \u2014 is git installed?");
+    return 1;
+  }
+  out2(`\u2713 git credential helper installed for ${cloud} (global gitconfig)`);
+  out2(`  pushes/clones of ${cloud}/v1/workspaces/<ws>/git now authenticate from ~/.holon`);
+  return 0;
+}
+async function gitRemote(ws, name, opts) {
+  const cloud = cloudBase(opts.cloud);
+  if (git(["rev-parse", "--git-dir"], { quiet: true }) !== 0) {
+    err2("not a git repository \u2014 run inside your repo (git init first)");
+    return 1;
+  }
+  const setupRc = await gitSetup(opts);
+  if (setupRc !== 0) return setupRc;
+  ensureSecret(cloud, ws);
+  const url = `${cloud}/v1/workspaces/${ws}/git`;
+  if (git(["remote", "add", name, url], { quiet: true }) !== 0) {
+    if (git(["remote", "set-url", name, url], { quiet: true }) !== 0) {
+      err2(`could not add or update remote '${name}'`);
+      return 1;
+    }
+  }
+  const token = await sessionToken().catch(() => void 0);
+  if (token === void 0) {
+    const principal = loadCreds().principal;
+    if (principal === void 0) {
+      err2(
+        `remote '${name}' \u2192 ${url} is wired, but a BIRTH push needs a principal:
+  githolon login --agent   (then just push)
+  \u2014 or re-run after githolon ws create/login so a principal is on file`
+      );
+      return 1;
+    }
+    if (git(["config", `http.${url}.extraHeader`, `x-nomos-principal: ${principal}`]) !== 0) {
+      err2("git config failed setting the principal header");
+      return 1;
+    }
+  }
+  out2(`\u2713 remote '${name}' \u2192 ${url}`);
+  out2(`  workspace secret on file; ${token !== void 0 ? "births ride your session (verified)" : "births ride x-nomos-principal (bare uid)"}`);
+  out2(`  birth/deploy by push:  git push ${name} main`);
+  return 0;
+}
+
+// src/ledger.ts
+import { spawnSync as spawnSync2 } from "node:child_process";
+import { randomBytes as randomBytes2 } from "node:crypto";
+import { existsSync as existsSync3, mkdirSync as mkdirSync3, readdirSync as readdirSync2, readFileSync as readFileSync3, statSync, writeFileSync as writeFileSync3 } from "node:fs";
+import { dirname, join as join3 } from "node:path";
+import { File as File2, Directory as Directory2 } from "@bjorn3/browser_wasi_shim";
+
+// vendor/engine/engine.mjs
+import { WASI, File, Directory, OpenFile, ConsoleStdout, PreopenDirectory } from "@bjorn3/browser_wasi_shim";
+import git2 from "isomorphic-git";
+import http from "isomorphic-git/http/web";
+
+// vendor/engine/git-fs.mjs
+function fsErr(code, p) {
+  const e = new Error(`${code}: ${p}`);
+  e.code = code;
+  return e;
+}
+function makeGitFs(preopen, mount, { File: File3, Directory: Directory3 }) {
+  const root = preopen.dir;
+  const isDir = (n) => n && n.contents instanceof Map;
+  function parts(p) {
+    if (p === mount) return [];
+    if (!p.startsWith(mount + "/")) throw fsErr("ENOENT", p);
+    const rel = p.slice(mount.length + 1).replace(/\/+$/, "");
+    return rel === "" ? [] : rel.split("/");
+  }
+  function resolve(ps) {
+    let cur = root;
+    for (const part of ps) {
+      if (!isDir(cur)) return null;
+      const next = cur.contents.get(part);
+      if (next === void 0) return null;
+      cur = next;
+    }
+    return cur;
+  }
+  const parent = (ps) => resolve(ps.slice(0, -1));
+  const leaf = (ps) => ps[ps.length - 1];
+  const promises = {
+    async readFile(p, opts) {
+      const n = resolve(parts(p));
+      if (n === null) throw fsErr("ENOENT", p);
+      if (isDir(n)) throw fsErr("EISDIR", p);
+      const data = n.data ?? new Uint8Array(0);
+      const encoding = typeof opts === "string" ? opts : opts && opts.encoding;
+      return encoding ? new TextDecoder().decode(data) : new Uint8Array(data);
+    },
+    async writeFile(p, data) {
+      const ps = parts(p);
+      const par = parent(ps);
+      if (!isDir(par)) throw fsErr("ENOENT", p);
+      const bytes = typeof data === "string" ? new TextEncoder().encode(data) : new Uint8Array(data);
+      par.contents.set(leaf(ps), new File3(bytes));
+    },
+    async unlink(p) {
+      const ps = parts(p), par = parent(ps);
+      if (!isDir(par) || !par.contents.delete(leaf(ps))) throw fsErr("ENOENT", p);
+    },
+    async readdir(p) {
+      const n = resolve(parts(p));
+      if (n === null) throw fsErr("ENOENT", p);
+      if (!isDir(n)) throw fsErr("ENOTDIR", p);
+      return [...n.contents.keys()];
+    },
+    async mkdir(p) {
+      const ps = parts(p), par = parent(ps);
+      if (!isDir(par)) throw fsErr("ENOENT", p);
+      if (par.contents.has(leaf(ps))) throw fsErr("EEXIST", p);
+      par.contents.set(leaf(ps), new Directory3(/* @__PURE__ */ new Map()));
+    },
+    async rmdir(p) {
+      const ps = parts(p), par = parent(ps);
+      if (!isDir(par)) throw fsErr("ENOENT", p);
+      par.contents.delete(leaf(ps));
+    },
+    async stat(p) {
+      return promises.lstat(p);
+    },
+    async lstat(p) {
+      const n = resolve(parts(p));
+      if (n === null) throw fsErr("ENOENT", p);
+      const dir = isDir(n);
+      return {
+        type: dir ? "dir" : "file",
+        mode: dir ? 16384 : 33188,
+        size: dir ? 0 : n.data ? n.data.length : 0,
+        ino: 0,
+        mtimeMs: 0,
+        ctimeMs: 0,
+        uid: 1,
+        gid: 1,
+        dev: 1,
+        isFile: () => !dir,
+        isDirectory: () => dir,
+        isSymbolicLink: () => false
+      };
+    },
+    async readlink(p) {
+      throw fsErr("EINVAL", p);
+    },
+    async symlink() {
+      throw fsErr("EPERM", "symlink unsupported");
+    },
+    async chmod() {
+    }
+  };
+  return { promises };
+}
+
+// vendor/engine/tree.mjs
+var enc = new TextEncoder();
+var dec = new TextDecoder();
+
+// vendor/engine/engine.mjs
+var enc2 = new TextEncoder();
+var dec2 = new TextDecoder();
+var BRANCH = "main";
+var repoArgOf = (ws) => `/work/ws/${ws}`;
+var gitdirOf = (ws) => `/work/ws/${ws}/nomos.git`;
+var unpack = (p) => {
+  const v = typeof p === "bigint" ? p : BigInt(p);
+  return { ptr: Number(v >> 32n), len: Number(v & 0xffffffffn) };
+};
+async function sha256hex(t) {
+  const b = await crypto.subtle.digest("SHA-256", enc2.encode(t));
+  return [...new Uint8Array(b)].map((x) => x.toString(16).padStart(2, "0")).join("");
+}
+function osEntropyBuffer(n) {
+  const bytes = new Uint8Array(n * 8);
+  crypto.getRandomValues(bytes);
+  const out4 = new Array(n), T = 2 ** 53;
+  for (let i = 0; i < n; i++) {
+    let z = 0n;
+    for (let b = 7; b >= 0; b--) z = z << 8n | BigInt(bytes[i * 8 + b]);
+    out4[i] = Number(z >> 11n) / T;
+  }
+  return out4;
+}
+function stringifyBig(o) {
+  return JSON.stringify(o, (_k, v) => typeof v === "bigint" ? `@@B:${v}@@` : v).replace(/"@@B:(\d+)@@"/g, "$1");
+}
+function call(ex, mode, fields, STDERR) {
+  const req = enc2.encode(JSON.stringify({ mode, ...fields }));
+  const reqPtr = ex.git_holon_alloc(req.length);
+  try {
+    new Uint8Array(ex.memory.buffer, reqPtr, req.length).set(req);
+    const { ptr, len } = unpack(ex.git_holon_call(reqPtr, req.length));
+    try {
+      const e = JSON.parse(dec2.decode(new Uint8Array(ex.memory.buffer, ptr, len).slice()));
+      if (!e.ok) throw new Error((e.error || "holon error") + (STDERR.length ? ` | ${STDERR.slice(-4).join(" / ")}` : ""));
+      return e.result;
+    } finally {
+      ex.git_holon_dealloc(ptr, len);
+    }
+  } finally {
+    ex.git_holon_dealloc(reqPtr, req.length);
+  }
+}
+function seedManifests(m, strings) {
+  m.set("domain_manifests.json", new File(enc2.encode(strings.read)));
+  m.set("identity-manifests.json", new File(enc2.encode(strings.identity)));
+}
+var installPayload = (hash, usda, installedBy) => ({ domainHash: hash, packageUsda: usda, installedBy, authorityScope: "workspace/root", dependencies: [], finalizers: [] });
+async function createEngine({ wasmModule, bootstrapPkg, nomosPkg, manifestStrings, replica, installedBy = "nomos-cloud" }) {
+  const hashes = { bootstrap: await sha256hex(bootstrapPkg), nomos: await sha256hex(nomosPkg) };
+  const root = /* @__PURE__ */ new Map();
+  seedManifests(root, manifestStrings);
+  root.set("domain.package.usda", new File(enc2.encode(bootstrapPkg)));
+  root.set("ws", new Directory(/* @__PURE__ */ new Map()));
+  const preopen = new PreopenDirectory("/work", root);
+  const STDERR = [];
+  const fds = [new OpenFile(new File([])), ConsoleStdout.lineBuffered(() => {
+  }), ConsoleStdout.lineBuffered((l) => STDERR.push(l)), preopen];
+  const wasi = new WASI(["wasm_git_holon", "reactor"], [], fds, { debug: false });
+  const inst = await WebAssembly.instantiate(wasmModule, { wasi_snapshot_preview1: wasi.wasiImport });
+  const code = wasi.start(inst);
+  if (code !== 0) throw new Error(`reactor init exited ${code}; stderr=${STDERR.join("\n")}`);
+  for (const n of ["memory", "git_holon_alloc", "git_holon_dealloc", "git_holon_call"]) if (!inst.exports[n]) throw new Error(`missing export ${n}`);
+  const eng = {
+    ex: inst.exports,
+    preopen,
+    STDERR,
+    seq: 0,
+    replica,
+    hashes,
+    bootstrapPkg,
+    nomosPkg,
+    manifestStrings,
+    installedBy,
+    fs: makeGitFs(preopen, "/work", { File, Directory }),
+    mounted: /* @__PURE__ */ new Map(),
+    // ws -> { restored, remoteMain, restoreError }
+    mainIntents: /* @__PURE__ */ new Map(),
+    // ws -> { head, ids:Set, oids:Set } (admission idempotence)
+    knownDomainsCache: null
+  };
+  return eng;
+}
+async function mountWorkspace(eng, ws, ledger) {
+  if (eng.mounted.has(ws)) return eng.mounted.get(ws);
+  const wsContents = /* @__PURE__ */ new Map();
+  seedManifests(wsContents, eng.manifestStrings);
+  eng.preopen.dir.contents.get("ws").contents.set(ws, new Directory(wsContents));
+  const gitdir = gitdirOf(ws);
+  let restored = false, remoteMain = null, restoreError = null;
+  try {
+    const info = await git2.getRemoteInfo({ http, url: ledger.remote, headers: ledger.headers });
+    remoteMain = info.refs && info.refs.heads && info.refs.heads.main || null;
+    if (remoteMain) {
+      await git2.init({ fs: eng.fs, gitdir, bare: true, defaultBranch: "main" });
+      await git2.addRemote({ fs: eng.fs, gitdir, remote: "origin", url: ledger.remote, force: true });
+      await git2.fetch({ fs: eng.fs, http, gitdir, remote: "origin", ref: "main", singleBranch: true, headers: ledger.headers });
+      await git2.writeRef({ fs: eng.fs, gitdir, ref: "refs/heads/main", value: remoteMain, force: true });
+      await git2.writeRef({ fs: eng.fs, gitdir, ref: "HEAD", value: "ref: refs/heads/main", force: true, symbolic: true });
+      restored = true;
+    }
+  } catch (e) {
+    restoreError = String(e && e.stack || e).split("\n").slice(0, 5).join(" | ");
+  }
+  const m = { restored, remoteMain, restoreError };
+  eng.mounted.set(ws, m);
+  return m;
+}
+function writeWork(eng, name, bytes) {
+  eng.preopen.dir.contents.set(name, new File(bytes));
+}
+function author(eng, ws, domain, directiveId, payload, controllerHash) {
+  const seq = eng.seq++;
+  const envelope = { payload: { domain, directiveId, payload }, captured_ports: { clock: { physical: Date.now(), logical: 0, replica: eng.replica }, rng: osEntropyBuffer(64) }, policy_version: 1, policy_domain: "Nomos", policy_gas: 0, policy_memory: 0 };
+  writeWork(eng, `payload-${seq}.json`, enc2.encode(JSON.stringify(payload)));
+  writeWork(eng, `envelope-${seq}.json`, enc2.encode(stringifyBig(envelope)));
+  const genesis = !controllerHash;
+  return JSON.parse(call(eng.ex, "author", { repoArg: repoArgOf(ws), workspace: ws, domain, directiveId, payloadFile: `/work/payload-${seq}.json`, envelopeFile: `/work/envelope-${seq}.json`, seq, actor: "", domainFile: genesis ? "/work/domain.package.usda" : "", domainHash: genesis ? "" : controllerHash, branch: BRANCH }, eng.STDERR));
+}
+function verifyChainLocal(eng, ws) {
+  return JSON.parse(call(eng.ex, "verify_chain", { repoArg: repoArgOf(ws), workspace: ws, branch: BRANCH }, eng.STDERR));
+}
+
+// src/ledger.ts
+var out3 = (s) => void process.stdout.write(s + "\n");
+var err3 = (s) => void process.stderr.write("error: " + s + "\n");
+var WS = "local";
+async function fetchJsonCached(url, cacheFile) {
+  try {
+    const r = await fetch(url);
+    if (!r.ok) throw new Error(`${url} \u2192 ${r.status}`);
+    const text = await r.text();
+    mkdirSync3(dirname(cacheFile), { recursive: true });
+    writeFileSync3(cacheFile, text, "utf8");
+    return JSON.parse(text);
+  } catch (e) {
+    if (existsSync3(cacheFile)) return JSON.parse(readFileSync3(cacheFile, "utf8"));
+    throw e;
+  }
+}
+async function fetchRuntime(cloud) {
+  const cache = join3(configDir(), "runtime");
+  let wasmBytes;
+  const wasmCache = join3(cache, "holon.wasm");
+  try {
+    const r = await fetch(`${cloud}/v1/runtime/holon.wasm`);
+    if (!r.ok) throw new Error(`runtime wasm \u2192 ${r.status}`);
+    wasmBytes = new Uint8Array(await r.arrayBuffer());
+    mkdirSync3(cache, { recursive: true });
+    writeFileSync3(wasmCache, wasmBytes);
+  } catch (e) {
+    if (!existsSync3(wasmCache)) throw e;
+    wasmBytes = readFileSync3(wasmCache);
+  }
+  const manifests = await fetchJsonCached(`${cloud}/v1/runtime/manifests`, join3(cache, "manifests.json"));
+  const packages = await fetchJsonCached(`${cloud}/v1/runtime/packages`, join3(cache, "packages.json"));
+  return { wasmBytes, manifests, packages };
+}
+function mergeManifests(baked, overlay) {
+  const read = JSON.parse(baked.domainManifests);
+  const identity = JSON.parse(baked.identityManifests);
+  for (const [k, v] of Object.entries(overlay.identityManifests ?? {})) identity[k] = v;
+  const r = overlay.readManifest;
+  if (r !== void 0) {
+    for (const [t, schema] of Object.entries(r["aggregateFieldKinds"] ?? {})) read["aggregateFieldKinds"][t] = schema;
+    for (const key of ["queries", "counts", "spatials", "deriveds", "combineds"]) {
+      for (const d of r[key] ?? []) {
+        const list = read[key] = read[key] ?? [];
+        if (!list.some((x) => JSON.stringify(x) === JSON.stringify(d))) list.push(d);
+      }
+    }
+  }
+  return { read: JSON.stringify(read), identity: JSON.stringify(identity) };
+}
+function writeTreeToDisk(dir, diskPath) {
+  mkdirSync3(diskPath, { recursive: true });
+  for (const [name, inode] of dir.contents) {
+    const p = join3(diskPath, name);
+    if (inode.contents instanceof Map) writeTreeToDisk(inode, p);
+    else writeFileSync3(p, inode.data ?? new Uint8Array(0));
+  }
+}
+function readTreeFromDisk(diskPath) {
+  const contents = /* @__PURE__ */ new Map();
+  for (const name of readdirSync2(diskPath)) {
+    const p = join3(diskPath, name);
+    if (statSync(p).isDirectory()) contents.set(name, readTreeFromDisk(p));
+    else contents.set(name, new File2(readFileSync3(p)));
+  }
+  return new Directory2(contents);
+}
+async function engineFor(cloud, overlay, installedBy) {
+  const runtime = await fetchRuntime(cloud);
+  const manifestStrings = overlay === void 0 ? { read: runtime.manifests.domainManifests, identity: runtime.manifests.identityManifests } : mergeManifests(runtime.manifests, overlay);
+  const replica = BigInt(`0x${randomBytes2(8).toString("hex")}`) & (1n << 63n) - 1n;
+  const eng = await createEngine({
+    wasmModule: await WebAssembly.compile(runtime.wasmBytes),
+    bootstrapPkg: runtime.packages.bootstrap,
+    nomosPkg: runtime.packages.nomos,
+    manifestStrings,
+    replica,
+    installedBy
+  });
+  await mountWorkspace(eng, WS, { remote: "https://unborn.invalid/", headers: {} });
+  return { eng, runtime };
+}
+function printVerdict(v) {
+  if (v["valid"] === true) {
+    out3(`\u2713 chain VALID \u2014 head ${String(v["head"]).slice(0, 12)}\u2026, ${v["intents"]} intent(s), ${v["plansRerun"]} plan(s) re-run`);
+    out3(`  controller ${String(v["controllerHash"]).slice(0, 12)}\u2026 | installed: ${v["installedDomains"]?.map((h) => h.slice(0, 12) + "\u2026").join(", ") ?? "\u2014"}`);
+    return true;
+  }
+  err3(`chain INVALID at ${v["check"]}${v["atIndex"] !== void 0 ? ` (intent ${v["atIndex"]})` : ""}: ${v["error"]}`);
+  return false;
+}
+async function ledgerInit(dir, opts) {
+  const cloud = cloudBase(opts.cloud);
+  if (existsSync3(dir) && readdirSync2(dir).length > 0) {
+    err3(`refusing to mint into non-empty directory: ${dir}`);
+    return 1;
+  }
+  let deployFile;
+  try {
+    deployFile = discoverDeployJson(process.cwd(), opts.file);
+  } catch (e) {
+    err3(e.message);
+    return 1;
+  }
+  const deployBody = JSON.parse(readFileSync3(deployFile, "utf8"));
+  const domainHash = await sha256hex(deployBody.packageUsda);
+  const c = loadCreds();
+  const principal = await sessionToken().catch(() => void 0) !== void 0 ? c.session.uid : c.principal;
+  if (principal === void 0) {
+    err3("a holon is born OF someone \u2014 githolon login --agent first (or githolon ws create --principal <uid> once)");
+    return 1;
+  }
+  out3(`minting a holon locally (law ${domainHash.slice(0, 12)}\u2026, installedBy ${principal})`);
+  const { eng } = await engineFor(cloud, deployBody, principal);
+  author(eng, WS, "bootstrap", "installDomain", installPayload(eng.hashes.nomos, eng.nomosPkg, principal), "");
+  author(eng, WS, "nomos", "installDomain", installPayload(domainHash, deployBody.packageUsda, principal), eng.hashes.nomos);
+  const verdict = verifyChainLocal(eng, WS);
+  if (!printVerdict(verdict)) return 1;
+  const gitTree = eng.preopen.dir.contents.get("ws").contents.get(WS).contents.get("nomos.git");
+  const gitDir = join3(dir, ".git");
+  writeTreeToDisk(gitTree, gitDir);
+  const cfgPath = join3(gitDir, "config");
+  writeFileSync3(cfgPath, readFileSync3(cfgPath, "utf8").replace(/bare = true/, "bare = false"), "utf8");
+  spawnSync2("git", ["-C", dir, "reset", "--hard", "main"], { stdio: "ignore" });
+  out3(`\u2713 holon written \u2192 ${dir} (a normal git repo; git log IS the audit trail)`);
+  out3(`
+Birth it on Nomos Cloud (the cloud re-derives this exact verdict):`);
+  out3(`  cd ${dir} && npx githolon git remote <ws> && git push nomos main`);
+  return 0;
+}
+async function ledgerVerify(dir, opts) {
+  const gitDir = existsSync3(join3(dir, ".git")) ? join3(dir, ".git") : dir;
+  if (!existsSync3(join3(gitDir, "HEAD"))) {
+    err3(`${dir} is not a git repo (no HEAD)`);
+    return 1;
+  }
+  const { eng } = await engineFor(cloudBase(opts.cloud), void 0, "verify");
+  const wsDir = eng.preopen.dir.contents.get("ws").contents.get(WS);
+  wsDir.contents.set("nomos.git", readTreeFromDisk(gitDir));
+  return printVerdict(verifyChainLocal(eng, WS)) ? 0 : 1;
+}
+
+// src/cli.ts
+var KINDS = ["domain", "aggregate", "intent"];
+var DEFAULT_OUT = "src/domains";
+var USAGE = `githolon \u2014 the Nomos developer CLI
+
+Authoring:
+  githolon compile  [compiler args]                       compile the package by ./nomos.package.mjs
+  githolon generate <domain|aggregate|intent> <name> [options]
+  githolon g        <domain|aggregate|intent> <name> [options]
+
+Identity (~/.holon/credentials.json \u2014 sessions auto-refresh):
+  githolon login --agent                                  anonymous sign-in: a verified self-onboarded identity
+  githolon login --token <refresh_token>                  adopt an existing captain app session
+  githolon whoami                                         show the principal births will ride
+  githolon logout                                         clear the session (workspace secrets kept)
+
+Nomos Cloud (secrets live in ~/.holon/credentials.json \u2014 never copy one by hand):
+  githolon ws create <name> [--principal <uid|token>]     birth a workspace; SAVES its one-time secret
+  githolon ws status <name>                               workspace status (lineage, phase, verdicts)
+  githolon deploy <ws> [--file <deploy.json>]             POST build/*.deploy.json with the stored secret
+  githolon secret set <ws> <secret>                       import a secret you already hold
+  githolon secret rotate <ws>                             rotate (and re-save) the workspace secret
+
+Git lane (stock git push as deploy/birth \u2014 see also: push-to-create):
+  githolon git setup                                      install the credential helper for the cloud host
+  githolon git remote <ws> [<remoteName>]                 wire this repo to a workspace (default name: nomos)
+                                                       then: git push nomos main
+
+The local-first lane (mint + assert a holon on YOUR machine, under YOUR identity):
+  githolon ledger init <dir>                              genesis + your compiled law, verified by the SAME
+                                                       wasm gate the cloud runs, written as a git repo
+  githolon ledger verify <dir>                            re-run the chain's self-verification from disk
+
+Options:
+  --cloud <url>    target cloud (default: $NOMOS_CLOUD or https://nomos.captainapp.co.uk)
+  --out <dir>      generate: target directory (default: ${DEFAULT_OUT})
+  --force          generate: overwrite an existing file
+  --dry-run        generate: print to stdout, write nothing
+  -h, --help       show this help
+`;
+function cloudArgs(rest) {
+  const pos = [];
+  const opts = {};
+  for (let i = 0; i < rest.length; i++) {
+    const a = rest[i];
+    if (a === "--cloud" || a === "--principal" || a === "--file") {
+      const v = rest[++i];
+      if (v === void 0) return { pos, opts, bad: `${a} requires a value` };
+      if (a === "--cloud") opts.cloud = v;
+      else if (a === "--principal") opts.principal = v;
+      else opts.file = v;
+    } else if (a.startsWith("--")) {
+      return { pos, opts, bad: `unknown flag '${a}'` };
+    } else {
+      pos.push(a);
+    }
+  }
+  return { pos, opts };
+}
+async function runCloud(argv) {
+  const [command, ...rest] = argv;
+  const { pos, opts, bad } = cloudArgs(rest);
+  const usageFail = (m) => {
+    process.stderr.write(`error: ${m}
+
+${USAGE}`);
+    return 1;
+  };
+  if (bad !== void 0) return usageFail(bad);
+  if (command === "ws") {
+    const [sub2, name] = pos;
+    if (sub2 === "create" && name !== void 0) return wsCreate(name, opts);
+    if (sub2 === "status" && name !== void 0) return wsStatus(name, opts);
+    return usageFail("expected: githolon ws <create|status> <name>");
+  }
+  if (command === "deploy") {
+    const [ws2] = pos;
+    if (ws2 === void 0) return usageFail("expected: githolon deploy <ws>");
+    return deploy(ws2, opts);
+  }
+  const [sub, ws, secret] = pos;
+  if (sub === "set" && ws !== void 0 && secret !== void 0) return secretSet(ws, secret, opts);
+  if (sub === "rotate" && ws !== void 0) return secretRotate(ws, opts);
+  return usageFail("expected: githolon secret <set <ws> <secret> | rotate <ws>>");
+}
+function isKind(s) {
+  return s !== void 0 && KINDS.includes(s);
+}
+function runCompile(args) {
+  const resolveDslPkg = (fromDir) => {
+    try {
+      const req = fromDir === void 0 ? createRequire(import.meta.url) : createRequire(pathToFileURL(join4(fromDir, "noop.js")));
+      return req.resolve("@githolon/dsl/package.json");
+    } catch {
+      return void 0;
+    }
+  };
+  const dslPkg = resolveDslPkg(process.cwd()) ?? resolveDslPkg(void 0);
+  if (dslPkg === void 0) {
+    process.stderr.write("error: @githolon/dsl not found \u2014 add it to your project's dependencies\n");
+    return 1;
+  }
+  const launcher = join4(dirname2(dslPkg), "compile_package.mjs");
+  const r = spawnSync3(process.execPath, [launcher, ...args], { stdio: "inherit", cwd: process.cwd() });
+  return r.status ?? 1;
+}
+function parseArgs(argv) {
+  const [command, ...rest] = argv;
+  if (command !== "generate" && command !== "g") {
+    throw new Error(
+      `Unknown command '${command ?? "(none)"}'. Expected compile | generate | ws | deploy | secret.`
+    );
+  }
+  let outDir = DEFAULT_OUT;
+  let force = false;
+  let dryRun = false;
+  const positionals = [];
+  for (let i = 0; i < rest.length; i++) {
+    const arg = rest[i];
+    switch (arg) {
+      case "--out": {
+        const next = rest[++i];
+        if (next === void 0) throw new Error("--out requires a directory argument.");
+        outDir = next;
+        break;
+      }
+      case "--force":
+        force = true;
+        break;
+      case "--dry-run":
+        dryRun = true;
+        break;
+      default:
+        if (arg.startsWith("--")) throw new Error(`Unknown flag '${arg}'.`);
+        positionals.push(arg);
+    }
+  }
+  const [kind, name] = positionals;
+  if (!isKind(kind)) {
+    throw new Error(
+      `Expected a generator kind (${KINDS.join(" | ")}), got '${kind ?? "(none)"}'.`
+    );
+  }
+  if (name === void 0) {
+    throw new Error(`Expected a <name> after '${kind}', e.g. \`githolon generate ${kind} work_order\`.`);
+  }
+  return { kind, name, outDir, force, dryRun };
+}
+async function main(argv) {
+  if (argv.length === 0 || argv[0] === "-h" || argv[0] === "--help") {
+    process.stdout.write(USAGE);
+    return 0;
+  }
+  if (argv[0] === "compile") {
+    return runCompile(argv.slice(1));
+  }
+  if (argv[0] === "ws" || argv[0] === "deploy" || argv[0] === "secret") {
+    return runCloud(argv);
+  }
+  if (argv[0] === "login") {
+    const agent = argv.includes("--agent");
+    const tokenAt = argv.indexOf("--token");
+    const token = tokenAt >= 0 ? argv[tokenAt + 1] : void 0;
+    if (tokenAt >= 0 && token === void 0) {
+      process.stderr.write("error: --token requires a value\n");
+      return 1;
+    }
+    return login({ agent, ...token !== void 0 ? { token } : {} });
+  }
+  if (argv[0] === "whoami") return whoami();
+  if (argv[0] === "logout") return logout();
+  if (argv[0] === "ledger") {
+    const { pos, opts, bad } = cloudArgs(argv.slice(1));
+    if (bad !== void 0) {
+      process.stderr.write(`error: ${bad}
+
+${USAGE}`);
+      return 1;
+    }
+    const [sub, dir] = pos;
+    if (sub === "init" && dir !== void 0) return ledgerInit(dir, opts);
+    if (sub === "verify" && dir !== void 0) return ledgerVerify(dir, opts);
+    process.stderr.write(`error: expected: githolon ledger <init|verify> <dir>
+
+${USAGE}`);
+    return 1;
+  }
+  if (argv[0] === "git-credential") return gitCredential(argv[1]);
+  if (argv[0] === "git") {
+    const { pos, opts, bad } = cloudArgs(argv.slice(1));
+    if (bad !== void 0) {
+      process.stderr.write(`error: ${bad}
+
+${USAGE}`);
+      return 1;
+    }
+    const [sub, ws, remoteName] = pos;
+    if (sub === "setup") return gitSetup(opts);
+    if (sub === "remote" && ws !== void 0) return gitRemote(ws, remoteName ?? "nomos", opts);
+    process.stderr.write(`error: expected: githolon git <setup | remote <ws> [name]>
+
+${USAGE}`);
+    return 1;
+  }
+  let parsed;
+  try {
+    parsed = parseArgs(argv);
+  } catch (err4) {
+    process.stderr.write(`error: ${err4.message}
+
+${USAGE}`);
+    return 1;
+  }
+  try {
+    if (parsed.dryRun) {
+      process.stdout.write(renderScaffold(parsed.kind, parsed.name));
+      return 0;
+    }
+    const { path } = generate({
+      kind: parsed.kind,
+      name: parsed.name,
+      outDir: parsed.outDir,
+      force: parsed.force
+    });
+    process.stdout.write(`created ${path}
+`);
+    return 0;
+  } catch (err4) {
+    process.stderr.write(`error: ${err4.message}
+`);
+    return 1;
+  }
+}
+process.exit(await main(process.argv.slice(2)));

package/package.json

@@ -0,0 +1,39 @@
+{
+  "name": "githolon",
+  "version": "0.1.2",
+  "type": "module",
+  "description": "githolon — the Nomos developer CLI: Rails-style generators for @githolon/dsl domains + the package compiler. Kernel-independent.",
+  "license": "SEE LICENSE IN LICENSE.md",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/Captain-App/nomos2.git",
+    "directory": "cli"
+  },
+  "bin": {
+    "githolon": "./dist/cli.mjs"
+  },
+  "files": [
+    "dist"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "build": "node build.mjs",
+    "prepare": "npm run build",
+    "holon": "tsx src/cli.ts",
+    "test": "vitest run",
+    "typecheck": "tsc --noEmit"
+  },
+  "dependencies": {
+    "@bjorn3/browser_wasi_shim": "0.4.2",
+    "@githolon/dsl": "^0.1.2",
+    "isomorphic-git": "^1.38.4"
+  },
+  "devDependencies": {
+    "esbuild": "0.24.2",
+    "tsx": "^4.19.2",
+    "typescript": "^5.6.3",
+    "vitest": "^2.1.8"
+  }
+}