incremnt 0.6.0 → 0.7.0

package/src/remote.js

@@ -110,17 +110,17 @@ function endpointForCommand(baseUrl, normalizedCommand, options) {
       return sessionsUrl;
     }
     case 'session-show':
-      return resolveServiceUrl(baseUrl, `/cli/sessions/${options.id}`);
+      return resolveServiceUrl(baseUrl, `/cli/sessions/${encodeURIComponent(options.id)}`);
     case 'planned-vs-actual':
-      return resolveServiceUrl(baseUrl, `/cli/sessions/${options['session-id']}/compare`);
+      return resolveServiceUrl(baseUrl, `/cli/sessions/${encodeURIComponent(options['session-id'])}/compare`);
     case 'why-did-this-change':
-      return resolveServiceUrl(baseUrl, `/cli/sessions/${options['session-id']}/explain`);
+      return resolveServiceUrl(baseUrl, `/cli/sessions/${encodeURIComponent(options['session-id'])}/explain`);
     case 'program-list':
       return resolveServiceUrl(baseUrl, '/cli/programs');
     case 'program-summary':
       return resolveServiceUrl(baseUrl, '/cli/programs/current');
     case 'program-detail':
-      return resolveServiceUrl(baseUrl, options.id ? `/cli/programs/${options.id}` : '/cli/programs/active');
+      return resolveServiceUrl(baseUrl, options.id ? `/cli/programs/${encodeURIComponent(options.id)}` : '/cli/programs/active');
     case 'cycle-summary-list': {
       const cyclesUrl = resolveServiceUrl(baseUrl, '/cli/cycles');
       if (options['program-id']) {
@@ -129,7 +129,7 @@ function endpointForCommand(baseUrl, normalizedCommand, options) {
       return cyclesUrl;
     }
     case 'cycle-summary-show':
-      return resolveServiceUrl(baseUrl, `/cli/cycles/${options.id}`);
+      return resolveServiceUrl(baseUrl, `/cli/cycles/${encodeURIComponent(options.id)}`);
     case 'exercise-history': {
       const historyUrl = resolveServiceUrl(baseUrl, '/cli/exercises/history');
       historyUrl.searchParams.set('name', options.name ?? options.exercise);
@@ -140,7 +140,7 @@ function endpointForCommand(baseUrl, normalizedCommand, options) {
     case 'goals-list':
       return resolveServiceUrl(baseUrl, '/cli/goals');
     case 'goals-show':
-      return resolveServiceUrl(baseUrl, options.id ? `/cli/goals/${options.id}` : '/cli/goals');
+      return resolveServiceUrl(baseUrl, options.id ? `/cli/goals/${encodeURIComponent(options.id)}` : '/cli/goals');
     case 'health-summary': {
       const healthUrl = resolveServiceUrl(baseUrl, '/cli/health/summary');
       if (options.days) {
@@ -160,9 +160,9 @@ function endpointForCommand(baseUrl, normalizedCommand, options) {
       return askUrl;
     }
     case 'ask-show':
-      return resolveServiceUrl(baseUrl, `/cli/ask/history/${options.id}`);
+      return resolveServiceUrl(baseUrl, `/cli/ask/history/${encodeURIComponent(options.id)}`);
     case 'program-share-fetch':
-      return resolveServiceUrl(baseUrl, `/program-share/${options.token}`);
+      return resolveServiceUrl(baseUrl, `/program-share/${encodeURIComponent(options.token)}`);
     case 'increment-score-current': {
       const url = resolveServiceUrl(baseUrl, '/cli/increment-score/current');
       if (options.historyDays) url.searchParams.set('historyDays', options.historyDays);
@@ -238,6 +238,97 @@ async function executeRemoteCoachReadTool(toolName, input, sessionState) {
   return executeLocalCoachReadTool(snapshot, toolName, input);
 }
 
+// Build the shape of a write request without executing it.
+// Returns { method, url, body }. body is a parsed JS object or null.
+// Used by the --dry-run path. Keep endpoint and body changes in sync with the
+// real write handlers below; the drift test in dry-run.test.js asserts both
+// paths emit the same { method, url, body }.
+export async function buildWriteRequest(commandId, options, sessionState) {
+  const baseUrl = sessionState.session?.transport?.baseUrl;
+  if (!baseUrl) {
+    const error = new Error('--dry-run requires a remote session. Run `incremnt login` first.');
+    error.code = 'REMOTE_NOT_IMPLEMENTED';
+    throw error;
+  }
+
+  switch (commandId) {
+    case 'programs-propose': {
+      if (!options.file) {
+        const error = new Error('--file is required for programs propose.');
+        error.code = 'MISSING_OPTION';
+        throw error;
+      }
+      const raw = await fs.readFile(options.file, 'utf8');
+      const proposal = JSON.parse(raw);
+      return {
+        method: 'POST',
+        url: resolveServiceUrl(baseUrl, '/cli/programs/proposals').toString(),
+        body: proposal
+      };
+    }
+    case 'proposal-dismiss': {
+      if (!options.id) {
+        const error = new Error('--id is required for proposal dismiss.');
+        error.code = 'MISSING_OPTION';
+        throw error;
+      }
+      return {
+        method: 'PATCH',
+        url: resolveServiceUrl(baseUrl, `/cli/programs/proposals/${encodeURIComponent(options.id)}`).toString(),
+        body: { status: 'dismissed' }
+      };
+    }
+    case 'program-share-create': {
+      if (!options['program-id']) {
+        const error = new Error('--program-id is required for programs share create.');
+        error.code = 'MISSING_OPTION';
+        throw error;
+      }
+      return {
+        method: 'POST',
+        url: resolveServiceUrl(baseUrl, `/cli/programs/${encodeURIComponent(options['program-id'])}/share`).toString(),
+        body: null
+      };
+    }
+    case 'program-share-revoke': {
+      if (!options['share-id']) {
+        const error = new Error('--share-id is required for programs share revoke.');
+        error.code = 'MISSING_OPTION';
+        throw error;
+      }
+      return {
+        method: 'POST',
+        url: resolveServiceUrl(baseUrl, `/cli/program-share/${encodeURIComponent(options['share-id'])}/revoke`).toString(),
+        body: null
+      };
+    }
+    case 'increment-score-upload': {
+      if (!options.file) {
+        const error = new Error('--file is required for increment-score upload.');
+        error.code = 'MISSING_OPTION';
+        throw error;
+      }
+      const raw = await fs.readFile(options.file, 'utf8');
+      const body = JSON.parse(raw);
+      if (!body || !Array.isArray(body.snapshots)) {
+        const error = new Error('Invalid file: expected an object with a snapshots array.');
+        error.code = 'INVALID_PAYLOAD';
+        throw error;
+      }
+      return {
+        method: 'POST',
+        url: resolveServiceUrl(baseUrl, '/mobile/score-snapshots').toString(),
+        body
+      };
+    }
+    default: {
+      const error = new Error(`Command ${commandId} does not support --dry-run.`);
+      error.code = 'UNSUPPORTED_DRY_RUN';
+      throw error;
+    }
+  }
+}
+
 const remoteWriteCommandHandlers = {
   'programs-propose': async (options, sessionState) => {
     const baseUrl = sessionState.session?.transport?.baseUrl;
@@ -310,7 +401,7 @@ const remoteWriteCommandHandlers = {
       throw error;
     }
 
-    const endpoint = resolveServiceUrl(baseUrl, `/cli/programs/proposals/${options.id}`);
+    const endpoint = resolveServiceUrl(baseUrl, `/cli/programs/proposals/${encodeURIComponent(options.id)}`);
     const response = await fetch(endpoint, {
       method: 'PATCH',
       headers: {
@@ -345,7 +436,7 @@ const remoteWriteCommandHandlers = {
       throw error;
     }
 
-    const endpoint = resolveServiceUrl(baseUrl, `/cli/programs/${options['program-id']}/share`);
+    const endpoint = resolveServiceUrl(baseUrl, `/cli/programs/${encodeURIComponent(options['program-id'])}/share`);
     const response = await fetch(endpoint, {
       method: 'POST',
       headers: {
@@ -377,7 +468,7 @@ const remoteWriteCommandHandlers = {
       throw error;
     }
 
-    const endpoint = resolveServiceUrl(baseUrl, `/cli/programs/${options['program-id']}/shares`);
+    const endpoint = resolveServiceUrl(baseUrl, `/cli/programs/${encodeURIComponent(options['program-id'])}/shares`);
     const response = await fetch(endpoint, {
       headers: {
         Authorization: `Bearer ${sessionState.session?.auth?.accessToken ?? ''}`
@@ -441,7 +532,7 @@ const remoteWriteCommandHandlers = {
       throw error;
     }
 
-    const endpoint = resolveServiceUrl(baseUrl, `/cli/program-share/${options['share-id']}/revoke`);
+    const endpoint = resolveServiceUrl(baseUrl, `/cli/program-share/${encodeURIComponent(options['share-id'])}/revoke`);
     const response = await fetch(endpoint, {
       method: 'POST',
       headers: {

package/src/summary-evals.js

@@ -733,6 +733,45 @@ function hasFatigueLanguage(output) {
   return /\b(fatigue|fatigued|underrecovered|recovery debt|fatigue ceiling|limited by recovery|limited by fatigue|accumulated fatigue)\b/i.test(output);
 }
 
+function hasAskFatigueRecoveryLanguage(output) {
+  return hasFatigueLanguage(output)
+    || /\b(?:poor|low|bad|incomplete)\s+recovery\b/i.test(output)
+    || /\bunder[-\s]?recovery\b/i.test(output)
+    || /\brecovery\s+(?:limited|held back|caused|explains|drove|deficit|issue|problem)\b/i.test(output);
+}
+
+function hasAskFatigueRecoveryUncertaintyLanguage(output) {
+  const missingRecoveryData = /\b(?:no|not enough|without|missing|lack(?:ing)?|insufficient)\s+(?:\w+\s+){0,4}?(?:recovery|readiness|vitals?|sleep|hrv|heart rate|data|info|signals?|metrics?)\b/i.test(output);
+  const refusesInference = /\b(?:cannot|can't|do not|don't|does not|doesn't|would not|wouldn't|not enough|isn't enough|is not enough|no basis to|hard to)\s+(?:\w+\s+){0,12}?(?:infer|tie|connect|attribute|blame|claim|say|show|prove|know|call)\s+(?:\w+\s+){0,12}?(?:fatigue|recovery|readiness|why)\b/i.test(output);
+  const recoveryDoesNotExplain = /\b(?:fatigue|recovery|readiness)\b\s+(?:\w+\s+){0,10}?(?:cannot|can't|does not|doesn't|would not|wouldn't|isn't|is not)\s+(?:\w+\s+){0,10}?(?:explain|prove|show|tell|account for)\b/i.test(output);
+  return missingRecoveryData || refusesInference || recoveryDoesNotExplain;
+}
+
+function hasAskPositiveFatigueRecoveryAttribution(output) {
+  const concept = String.raw`(?:fatigue|fatigued|under[-\s]?recovered|under[-\s]?recovery|poor recovery|low recovery|incomplete recovery|recovery debt|fatigue ceiling|accumulated fatigue)`;
+  const causeVerb = String.raw`(?:because|due to|caused by|from|reflects?|suggests?|indicates?|points? to|explains?|limited|held back|drove|contributed to|tied to|tie\s+\w+\s+to)`;
+  const patterns = [
+    new RegExp(String.raw`\b${causeVerb}\b.{0,80}\b${concept}\b`, 'gi'),
+    new RegExp(String.raw`\b${concept}\b.{0,80}\b(?:caused|limited|held back|explains?|drove|led to|contributed to|accounts? for)\b`, 'gi')
+  ];
+  for (const pattern of patterns) {
+    for (const match of output.matchAll(pattern)) {
+      const start = Math.max(0, (match.index ?? 0) - 40);
+      const window = output.slice(start, (match.index ?? 0) + match[0].length);
+      if (!/\b(?:not|no|cannot|can't|doesn't|does not|would not|wouldn't|isn't|is not)\b/i.test(window)) {
+        return true;
+      }
+    }
+  }
+  return false;
+}
+
+function hasUnsupportedAskFatigueRecoveryClaim(output) {
+  if (!hasAskFatigueRecoveryLanguage(output)) return false;
+  if (hasAskPositiveFatigueRecoveryAttribution(output)) return true;
+  return !hasAskFatigueRecoveryUncertaintyLanguage(output);
+}
+
 function matchesHistoricalFamilyName(claimName, actualName) {
   const claimVariants = new Set(historicalExerciseVariants(claimName));
   const actualVariants = new Set(historicalExerciseVariants(actualName));
@@ -1182,7 +1221,7 @@ function evaluateAskClaims(output, snapshot, testCase) {
     }
   }
 
-  if (hasFatigueLanguage(normalized) && !hasAskFatigueSupport(snapshot)) {
+  if (hasUnsupportedAskFatigueRecoveryClaim(normalized) && !hasAskFatigueSupport(snapshot)) {
     failures.push('Ask answer uses fatigue/recovery language but the snapshot has no recent vitals, sleep, or rep-dropoff signals to support it.');
   }
 

package/src/sync-service.js

@@ -21,6 +21,7 @@ const DEFAULT_RATE_LIMIT_RULES = {
   'weekly-checkin-current': 30,
   'weekly-checkin-ack': 30,
   'weekly-checkin-start': 10,
+  'weekly-digest-current': 30,
   'dev-login': 10,
   'device-start': 20,
   'device-poll': 300,
@@ -1050,6 +1051,10 @@ function routeRequest(url, method) {
     return { command: 'weekly-checkin-start', options: {} };
   }
 
+  if (pathname === '/cli/weekly-digest/current') {
+    return { command: 'weekly-digest-current', options: {} };
+  }
+
   if (pathname === '/cli/health/ai') {
     return {
       command: 'health-ai',
@@ -1434,41 +1439,6 @@ function routeRequest(url, method) {
   return null;
 }
 
-/// Formats a `ProgramPhaseWindowContext` (sent by iOS in the request body) as
-/// a short text prelude prepended to the AI context. Without this the model
-/// would have to infer "is this a deload week / was last week deload?" from
-/// session prose; with it the structured phase facts are explicit.
-function formatProgramPhasePrelude(programPhase) {
-  if (!programPhase || typeof programPhase !== 'object') return null;
-  const current = programPhase.current;
-  const previous = programPhase.previousWeek;
-  const next = programPhase.nextWeek;
-  if (!current?.phase || typeof current.displayWeek !== 'number') return null;
-  const describe = (phase) => {
-    if (!phase?.phase) return null;
-    const week = typeof phase.displayWeek === 'number' ? `week ${phase.displayWeek}` : 'week ?';
-    return `${week} (${phase.phase})${phase.isDeload ? ' · deload week' : ''}`;
-  };
-  const describeList = (phases) => {
-    if (!Array.isArray(phases) || phases.length === 0) return null;
-    return phases.map(describe).filter(Boolean).join(', ');
-  };
-  const lines = [
-    '[Program phase]',
-    `- Current: ${describe(current)}`
-  ];
-  if (previous?.phase) lines.push(`- Previous: ${describe(previous)}`);
-  if (next?.phase) lines.push(`- Next: ${describe(next)}`);
-  if (programPhase.isPostDeloadReturn === true) {
-    lines.push('- Post-deload return: yes (last week was deload, this week is build)');
-  }
-  const range = describeList(programPhase.phasesInRange);
-  if (range) lines.push(`- Range phases: ${range}`);
-  const previousRange = describeList(programPhase.previousRangePhases);
-  if (previousRange) lines.push(`- Previous range phases: ${previousRange}`);
-  return lines.join('\n');
-}
-
 export function formatIncrementScorePrelude(snapshots) {
   if (!Array.isArray(snapshots) || snapshots.length === 0) return null;
   const latest = snapshots[0];
@@ -2021,6 +1991,7 @@ export function createSyncServiceRequestHandler({
   pushMobileSyncChangesForAccount = null,
   insertScoreSnapshotsForAccount = null,
   listScoreSnapshotsForAccount = null,
+  getCurrentWeeklyScoreDigestForAccount = null,
   // Social
   social = null,
   onError = null
@@ -3488,6 +3459,43 @@ export function createSyncServiceRequestHandler({
         return;
       }
 
+      if (route.command === 'weekly-digest-current') {
+        if (request.method !== 'GET') {
+          methodNotAllowed(response, 'Use GET for /cli/weekly-digest/current.');
+          return;
+        }
+        if (!getCurrentWeeklyScoreDigestForAccount) {
+          json(response, 503, { error: 'Weekly digest not available' });
+          return;
+        }
+        try {
+          const row = await getCurrentWeeklyScoreDigestForAccount(account);
+          if (!row) {
+            response.writeHead(204);
+            response.end();
+            return;
+          }
+          json(response, 200, {
+            id: row.id,
+            weekStartDate: row.weekStartDate,
+            status: row.status,
+            score: row.score,
+            scoreDelta: row.scoreDelta,
+            components: row.components,
+            componentsDelta: row.componentsDelta,
+            signals: row.signals,
+            observation: row.observation,
+            formulaVersion: row.formulaVersion,
+            generatedAt: row.generatedAt,
+            seenAt: row.seenAt,
+          });
+        } catch (err) {
+          console.error('Weekly digest read error:', err.message);
+          json(response, 500, { error: 'Failed to read weekly digest' });
+        }
+        return;
+      }
+
       let snapshot;
       try {
         snapshot = loadSnapshotForAccount
@@ -3707,7 +3715,10 @@ export function createSyncServiceRequestHandler({
             if (openrouterKey && generateWeeklyCheckinRecapImpl && generateCheckinQuestionsImpl) {
               try {
                 const { weeklyCheckinContext } = await import('./queries.js');
-                const ctx = weeklyCheckinContext(snapshot, account.id, {});
+                // Anchor to row.weekStartDate so lazy-gen describes the
+                // canonical week, matching cron behaviour (onemore-8oc5).
+                const referenceNow = new Date(`${row.weekStartDate}T23:59:59.999Z`);
+                const ctx = weeklyCheckinContext(snapshot, account.id, { now: referenceNow });
                 if (ctx) {
                   let priorCommitmentRow = null;
                   if (listActiveCoachCommitmentsForAccount) {
@@ -4160,13 +4171,9 @@ export function createSyncServiceRequestHandler({
           ? queries.askRoutedContext(snapshot, question, { exclude, coachFacts })
           : { context: queries.askContext(snapshot, { exclude }), metadata: { route: 'legacy' } };
         const persistedKind = persistedConversation?.kind ?? (conversationId?.startsWith('weekly-checkin:') ? 'weekly-checkin' : 'ask');
-        const serverProgramPhase = persistedKind === 'weekly-checkin'
-          ? queries.weeklyCheckinContext?.(snapshot, account.id)?.programPhase
-          : null;
-        const programPhasePrelude = formatProgramPhasePrelude(body?.programPhase ?? serverProgramPhase);
         const incrementScorePrelude = formatIncrementScorePrelude(scoreSnapshots);
 
-        const preludes = [programPhasePrelude, incrementScorePrelude].filter(Boolean);
+        const preludes = [incrementScorePrelude].filter(Boolean);
         const ctx = preludes.length > 0
           ? `${preludes.join('\n\n')}\n\n${routedContext.context}`
           : routedContext.context;

package/src/validate.js

@@ -0,0 +1,152 @@
+// Per-option input validation. Defends against agent-hallucinated values
+// (path traversals, embedded query params in IDs, control characters).
+//
+// Formats:
+//   'id'   — ^[A-Za-z0-9_-]+$  (no ?, &, #, %, /, whitespace, control chars)
+//   'path' — no .. segments, no NUL, no control chars, no URL schemes
+//   'url'  — must parse as http(s) URL
+//   'enum' — must be one of opt.enum
+//   'text' — reject ASCII <0x20 except \t \n; length cap (default 4 KB)
+//   undefined → 'text'
+
+const ID_RE = /^[A-Za-z0-9_-]+$/;
+// Any RFC-3986-style scheme: letter followed by letters/digits/+/-/. then ://.
+// Matches http://, https://, file://, ftp://, FILE://, custom://, etc.
+const URL_SCHEME_RE = /^[a-z][a-z0-9+.-]*:\/\//i;
+// eslint-disable-next-line no-control-regex
+const CONTROL_RE = /[\x00-\x08\x0B\x0C\x0E-\x1F]/;
+// eslint-disable-next-line no-control-regex
+const ANY_CONTROL_RE = /[\x00-\x1F]/;
+const DEFAULT_TEXT_CAP = 4096;
+const FIELDS_OPTION = {
+  name: 'fields',
+  type: 'string',
+  format: 'text',
+  maxLength: 1024
+};
+
+export class ValidationError extends Error {
+  constructor(message, { option, format, code = 'INVALID_OPTION' } = {}) {
+    super(message);
+    this.name = 'ValidationError';
+    this.code = code;
+    this.option = option;
+    this.format = format;
+  }
+}
+
+export function validateOption(opt, rawValue) {
+  if (rawValue === undefined) return rawValue;
+
+  const format = opt.format ?? (opt.type === 'number' ? 'number' : 'text');
+
+  if (rawValue === null) {
+    throw new ValidationError(`--${opt.name} must not be null`, { option: opt.name, format, code: 'MISSING_OPTION' });
+  }
+
+  if (opt.type === 'number' || format === 'number') {
+    if (typeof rawValue !== 'string' && typeof rawValue !== 'number') {
+      throw new ValidationError(`--${opt.name} must be a number (got ${JSON.stringify(rawValue)})`, { option: opt.name, format });
+    }
+    if (typeof rawValue === 'string' && rawValue.trim() === '') {
+      throw new ValidationError(`--${opt.name} must be a number (got ${JSON.stringify(rawValue)})`, { option: opt.name, format });
+    }
+    const num = typeof rawValue === 'number' ? rawValue : Number(rawValue);
+    if (!Number.isFinite(num)) {
+      throw new ValidationError(`--${opt.name} must be a number (got ${JSON.stringify(rawValue)})`, { option: opt.name, format });
+    }
+    return num;
+  }
+
+  if (typeof rawValue !== 'string') {
+    throw new ValidationError(`--${opt.name} must be a string`, { option: opt.name, format });
+  }
+
+  if (format === 'id') {
+    if (!ID_RE.test(rawValue)) {
+      throw new ValidationError(
+        `--${opt.name} contains disallowed characters (allowed: letters, digits, '-', '_')`,
+        { option: opt.name, format }
+      );
+    }
+    return rawValue;
+  }
+
+  if (format === 'path') {
+    if (ANY_CONTROL_RE.test(rawValue)) {
+      throw new ValidationError(`--${opt.name} contains control characters`, { option: opt.name, format });
+    }
+    if (URL_SCHEME_RE.test(rawValue)) {
+      throw new ValidationError(`--${opt.name} must be a filesystem path, not a URL`, { option: opt.name, format });
+    }
+    const segments = rawValue.split(/[\\/]/);
+    if (segments.some((seg) => seg === '..')) {
+      throw new ValidationError(`--${opt.name} must not contain '..' path segments`, { option: opt.name, format });
+    }
+    return rawValue;
+  }
+
+  if (format === 'url') {
+    if (ANY_CONTROL_RE.test(rawValue)) {
+      throw new ValidationError(`--${opt.name} contains control characters`, { option: opt.name, format });
+    }
+    let parsed;
+    try {
+      parsed = new URL(rawValue);
+    } catch {
+      throw new ValidationError(`--${opt.name} is not a valid URL`, { option: opt.name, format });
+    }
+    if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
+      throw new ValidationError(`--${opt.name} must be http(s)`, { option: opt.name, format });
+    }
+    return rawValue;
+  }
+
+  if (format === 'enum') {
+    const allowed = opt.enum ?? [];
+    if (!allowed.includes(rawValue)) {
+      throw new ValidationError(
+        `--${opt.name} must be one of: ${allowed.join(', ')}`,
+        { option: opt.name, format }
+      );
+    }
+    return rawValue;
+  }
+
+  // 'text' (default)
+  if (CONTROL_RE.test(rawValue)) {
+    throw new ValidationError(`--${opt.name} contains control characters`, { option: opt.name, format });
+  }
+  const cap = opt.maxLength ?? DEFAULT_TEXT_CAP;
+  if (rawValue.length > cap) {
+    throw new ValidationError(`--${opt.name} exceeds max length (${cap})`, { option: opt.name, format });
+  }
+  return rawValue;
+}
+
+export function validateOptions(commandEntry, options) {
+  if (!commandEntry?.options) return options;
+  const out = { ...options };
+  for (const opt of commandEntry.options) {
+    if (out[opt.name] === undefined) continue;
+    if (out[opt.name] === true) {
+      const format = opt.format ?? (opt.type === 'number' ? 'number' : 'text');
+      throw new ValidationError(`--${opt.name} requires a value`, { option: opt.name, format, code: 'MISSING_OPTION' });
+    }
+    out[opt.name] = validateOption(opt, out[opt.name]);
+  }
+  if (commandEntry.supportsFields && out.fields !== undefined) {
+    if (out.fields === true) {
+      throw new ValidationError('--fields requires a value', { option: 'fields', format: 'text', code: 'MISSING_OPTION' });
+    }
+    out.fields = validateOption(FIELDS_OPTION, out.fields);
+    const keys = out.fields
+      .split(',')
+      .map((s) => s.trim())
+      .filter((s) => s.length > 0);
+    if (keys.length === 0) {
+      throw new ValidationError('--fields requires at least one field name', { option: 'fields', format: 'text' });
+    }
+  }
+  return out;
+}