wyrm-mcp 7.2.0 → 7.2.2

package/dist/cloud/cli.js

@@ -1,135 +1,4 @@
-/**
- * `wyrm cloud …` subcommand dispatcher.
- *
- *   wyrm cloud login                authenticate via Google/GitHub OAuth
- *   wyrm cloud logout               revoke this session
- *   wyrm cloud status               account + tier + storage + devices
- *   wyrm cloud devices              list registered devices
- *   wyrm cloud devices revoke <id>  revoke a device
- *   wyrm cloud sync [--dry-run]     push local changes + pull peer deltas
- *   wyrm cloud export <path>        download full account dump (encrypted blobs included)
- *   wyrm cloud delete --confirm     permanently delete the account on Wyrm Cloud
- *
- * @copyright 2026 Ghost Protocol (Pvt) Ltd.
- */
-import { randomBytes } from 'node:crypto';
-import { writeFileSync } from 'node:fs';
-import { hostname } from 'node:os';
-import { resolve } from 'node:path';
-import { createInterface } from 'node:readline';
-import { CloudClient, CloudError, DEFAULT_BASE, SESSION_FILE, loadSession, saveSession, clearSession } from './client.js';
-import { getMasterKey, keyExists, keyFilePath } from './crypto.js';
-import { computeMachineFp, classifySession } from './machine-id.js';
-import { runSync, CopiedSessionError } from './sync-engine.js';
-import { initializeLicense, hasFeature, getTier } from '../license.js';
-/**
- * Gate the data-movement cloud commands behind a Pro+ license.
- *
- * Cloud sync is a paid feature (the `cloud_backup` flag, granted at pro
- * tier and above). The MCP tools already enforce this; without the same
- * check here, the CLI was a free bypass of the paid tier. Setup/visibility
- * commands (login, logout, status, devices, recovery, delete) stay free so
- * users can authenticate, see the upsell, and always retain the right to
- * delete their own data.
- */
-function requireCloudLicense() {
-    initializeLicense(); // loads ~/.wyrm/license.json (no-op → free tier)
-    if (!hasFeature('cloud_backup')) {
-        console.error('󱅝 Wyrm Cloud sync requires a Pro license or higher.');
-        console.error(`   Current tier: ${getTier()}`);
-        console.error('   Upgrade:      https://ghosts.lk/wyrm');
-        console.error('   Already paid? Activate your license (wyrm_license tool, or place');
-        console.error('   the signed JSON at ~/.wyrm/license.json) and retry.');
-        process.exit(1);
-    }
-}
-function fmtBytes(n) {
-    if (n < 1024)
-        return `${n} B`;
-    if (n < 1024 * 1024)
-        return `${(n / 1024).toFixed(1)} KiB`;
-    if (n < 1024 * 1024 * 1024)
-        return `${(n / (1024 * 1024)).toFixed(1)} MiB`;
-    return `${(n / (1024 * 1024 * 1024)).toFixed(2)} GiB`;
-}
-function fmtTime(unixMs) {
-    if (!unixMs)
-        return '—';
-    return new Date(unixMs).toISOString().replace('T', ' ').slice(0, 16) + ' UTC';
-}
-export async function cmdCloud(args) {
-    const sub = args[0];
-    const rest = args.slice(1);
-    try {
-        switch (sub) {
-            case undefined:
-            case 'help':
-            case '--help':
-            case '-h':
-                return cmdHelp();
-            case 'login': return await cmdLogin(rest);
-            case 'logout': return await cmdLogout();
-            case 'status': return await cmdStatus();
-            case 'doctor': return cmdDoctor();
-            case 'devices': return await cmdDevices(rest);
-            case 'sync': return await cmdSync(rest);
-            case 'export': return await cmdExport(rest);
-            case 'delete': return await cmdDelete(rest);
-            case 'recovery': return await cmdRecovery(rest);
-            default:
-                console.error(`Unknown subcommand: wyrm cloud ${sub}`);
-                console.error(`Try \`wyrm cloud help\``);
-                process.exit(1);
-        }
-    }
-    catch (err) {
-        // Translate common errors to friendly CLI output. Falls through
-        // to a generic message for unexpected exceptions.
-        if (err instanceof CopiedSessionError) {
-            // The detailed loud guidance was already written to stderr by the
-            // sync engine. Just exit non-zero without burying it under a
-            // generic message.
-            process.exit(1);
-        }
-        if (err instanceof CloudError) {
-            if (err.status === 401) {
-                console.error('✘ Not authenticated. Run `wyrm cloud login`.');
-            }
-            else if (err.status === 403) {
-                console.error(`✘ Forbidden: ${err.message}`);
-            }
-            else if (err.status === 0) {
-                // Network / timeout error from fetch.
-                console.error(`✘ ${err.message}`);
-                console.error('   Check your internet connection. If wyrm.ghosts.lk is unreachable, see status at https://www.cloudflarestatus.com');
-            }
-            else if (err.status === 501) {
-                console.error(`✘ Service not configured: ${err.message}`);
-            }
-            else {
-                console.error(`✘ ${err.message} (HTTP ${err.status})`);
-            }
-        }
-        else if (err instanceof Error) {
-            const msg = err.message;
-            if (msg.includes('Not logged in')) {
-                console.error('✘ Not logged in. Run `wyrm cloud login`.');
-            }
-            else if (msg.includes('Wyrm Cloud key')) {
-                console.error(`✘ Encryption-key error: ${msg}`);
-            }
-            else {
-                console.error(`✘ ${msg}`);
-            }
-        }
-        else {
-            console.error('✘ Unexpected error:', err);
-        }
-        process.exit(1);
-    }
-}
-function cmdHelp() {
-    console.log(`󱅝 wyrm cloud — sync your Wyrm memory across devices
+import{randomBytes as D}from"node:crypto";import{writeFileSync as I}from"node:fs";import{hostname as N}from"node:os";import{resolve as P}from"node:path";import{createInterface as A}from"node:readline";import{CloudClient as a,CloudError as k,DEFAULT_BASE as p,SESSION_FILE as f,loadSession as d,saveSession as S,clearSession as b}from"./client.js";import{getMasterKey as R,keyExists as h,keyFilePath as g}from"./crypto.js";import{computeMachineFp as E,classifySession as O}from"./machine-id.js";import{runSync as L,CopiedSessionError as W}from"./sync-engine.js";import{initializeLicense as F,hasFeature as M,getTier as B}from"../license.js";function T(){F(),M("cloud_backup")||(console.error("\u{F115D} Wyrm Cloud sync requires a Pro license or higher."),console.error(`   Current tier: ${B()}`),console.error("   Upgrade:      https://ghosts.lk/wyrm"),console.error("   Already paid? Activate your license (wyrm_license tool, or place"),console.error("   the signed JSON at ~/.wyrm/license.json) and retry."),process.exit(1))}function w(e){return e<1024?`${e} B`:e<1024*1024?`${(e/1024).toFixed(1)} KiB`:e<1024*1024*1024?`${(e/(1024*1024)).toFixed(1)} MiB`:`${(e/(1024*1024*1024)).toFixed(2)} GiB`}function G(e){return e?new Date(e).toISOString().replace("T"," ").slice(0,16)+" UTC":"\u2014"}async function ie(e){const n=e[0],s=e.slice(1);try{switch(n){case void 0:case"help":case"--help":case"-h":return U();case"login":return await j(s);case"logout":return await K();case"status":return await H();case"doctor":return Y();case"devices":return await q(s);case"sync":return await z(s);case"export":return await J(s);case"delete":return await Q(s);case"recovery":return await V(s);default:console.error(`Unknown subcommand: wyrm cloud ${n}`),console.error("Try `wyrm cloud help`"),process.exit(1)}}catch(o){if(o instanceof W&&process.exit(1),o instanceof k)o.status===401?console.error("\u2718 Not authenticated. Run `wyrm cloud login`."):o.status===403?console.error(`\u2718 Forbidden: ${o.message}`):o.status===0?(console.error(`\u2718 ${o.message}`),console.error("   Check your internet connection. If wyrm.ghosts.lk is unreachable, see status at https://www.cloudflarestatus.com")):o.status===501?console.error(`\u2718 Service not configured: ${o.message}`):console.error(`\u2718 ${o.message} (HTTP ${o.status})`);else if(o instanceof Error){const r=o.message;r.includes("Not logged in")?console.error("\u2718 Not logged in. Run `wyrm cloud login`."):r.includes("Wyrm Cloud key")?console.error(`\u2718 Encryption-key error: ${r}`):console.error(`\u2718 ${r}`)}else console.error("\u2718 Unexpected error:",o);process.exit(1)}}function U(){console.log(`\u{F115D} wyrm cloud \u2014 sync your Wyrm memory across devices
 
 USAGE:
   wyrm cloud <subcommand> [args]
@@ -155,7 +24,7 @@ SUBCOMMANDS:
 
 CONFIG:
   Session file: ~/.wyrm/cloud.json  (0600)
-  Master key:   ~/.wyrm/cloud.key   (0600)  ← never sent to server
+  Master key:   ~/.wyrm/cloud.key   (0600)  \u2190 never sent to server
 
 CONSTITUTION:
   All sync payloads AES-256-GCM encrypted client-side before upload.
@@ -163,411 +32,6 @@ CONSTITUTION:
 
 DOMAIN:
   https://wyrm.ghosts.lk
-`);
-}
-// ── login ───────────────────────────────────────────────────────────────────
-async function cmdLogin(_args) {
-    if (loadSession()) {
-        console.error('Already logged in. Run `wyrm cloud logout` first to switch accounts.');
-        process.exit(1);
-    }
-    const client = new CloudClient(DEFAULT_BASE);
-    const pollToken = randomBytes(32).toString('hex'); // 64 chars
-    let init;
-    try {
-        init = await client.cliInit(pollToken);
-    }
-    catch (err) {
-        console.error(`✘ Could not start login: ${err instanceof Error ? err.message : err}`);
-        process.exit(1);
-    }
-    console.log('');
-    console.log('󱅝 Sign in to Wyrm Cloud');
-    console.log('');
-    console.log(`   1. Open this URL on any device:`);
-    console.log(`        ${init.browser_url}`);
-    console.log('');
-    console.log(`   2. Type this code when prompted:`);
-    console.log(`        ${init.code}`);
-    console.log('');
-    console.log(`   3. Sign in with Google or GitHub.`);
-    console.log('');
-    console.log(`   Waiting (expires in ${Math.round(init.expires_in_sec / 60)} min)…`);
-    // Poll up to expires_in_sec, every 3s.
-    const start = Date.now();
-    const deadline = start + init.expires_in_sec * 1000;
-    let session;
-    let accountId;
-    while (Date.now() < deadline) {
-        await new Promise((r) => { setTimeout(r, 3000); });
-        try {
-            const poll = await client.cliPoll(pollToken);
-            if (poll.ready && poll.session) {
-                session = poll.session;
-                accountId = poll.account_id;
-                break;
-            }
-        }
-        catch (err) {
-            // The pending state is a 200 with ready:false (handled above). A
-            // 404 here means the poll_token isn't in the DB — link expired or
-            // server lost state. Fail loud; don't spin until deadline.
-            console.error(`\n✘ Login failed: ${err instanceof Error ? err.message : err}`);
-            process.exit(1);
-        }
-    }
-    if (!session || !accountId) {
-        console.error('\n✘ Login timed out. Run `wyrm cloud login` again.');
-        process.exit(1);
-    }
-    // Save session, fetch account info for the welcome message.
-    saveSession({
-        base: DEFAULT_BASE,
-        session,
-        account_id: accountId,
-        created_at: Date.now(),
-    });
-    const authed = new CloudClient(DEFAULT_BASE, session);
-    let email = '';
-    try {
-        const me = await authed.me();
-        email = me.account.email;
-    }
-    catch { /* whatever, login still succeeded */ }
-    // Register this machine as a device (idempotent: every fresh login creates one).
-    const deviceName = `${hostname()} (${process.platform})`;
-    let deviceId;
-    try {
-        const reg = await authed.registerDevice(deviceName);
-        deviceId = reg.device.id;
-        // Update session file with device info + this machine's fingerprint.
-        // The fp binds the session to THIS machine so a later copy of
-        // cloud.json to a second box is detected at sync (failure #40).
-        const s = loadSession();
-        if (s)
-            saveSession({ ...s, email, device_id: deviceId, device_name: deviceName, machine_fp: computeMachineFp() });
-    }
-    catch (err) {
-        console.error(`\n⚠ Logged in but could not register device: ${err instanceof Error ? err.message : err}`);
-        console.error('  Re-run `wyrm cloud login` to retry.');
-        return;
-    }
-    console.log('');
-    console.log(`✓ Signed in as ${email}`);
-    console.log(`✓ Device registered: ${deviceName}`);
-    console.log(`✓ Session saved to ${SESSION_FILE}`);
-    // Eagerly materialise the master key so `wyrm cloud recovery show`
-    // works immediately after login. Without this, the key only gets
-    // created lazily on the first encrypt(), and the post-login UX of
-    // "save your recovery phrase right now" doesn't actually work.
-    const keyWasFresh = !keyExists();
-    getMasterKey(); // creates the file if missing
-    if (keyWasFresh) {
-        console.log(`✓ Encryption key generated at ${keyFilePath()} (0600)`);
-        console.log('');
-        console.log('  ⚠ Back up the key file. Losing it means losing access to your synced data.');
-        console.log('    The Wyrm Cloud server CANNOT recover it — that\'s the operator-owns-data');
-        console.log('    guarantee. Run `wyrm cloud recovery show` now to get a 24-word phrase,');
-        console.log('    or copy the key file to a password manager / encrypted backup.');
-    }
-    else {
-        console.log(`✓ Encryption key reused from ${keyFilePath()}`);
-    }
-    console.log('');
-    console.log(`Next: \`wyrm cloud sync\` to push your memory.`);
-}
-// ── logout ──────────────────────────────────────────────────────────────────
-async function cmdLogout() {
-    const s = loadSession();
-    if (!s) {
-        console.log('Not logged in.');
-        return;
-    }
-    try {
-        const client = new CloudClient(s.base, s.session);
-        await client.logout();
-        console.log('✓ Session revoked server-side.');
-    }
-    catch (err) {
-        console.error(`⚠ Could not revoke server-side: ${err instanceof Error ? err.message : err}`);
-        console.error('  Local session cleared anyway.');
-    }
-    clearSession();
-    console.log(`✓ Local session removed (${SESSION_FILE}).`);
-    console.log('  Note: ~/.wyrm/cloud.key kept. Delete manually if you want a clean slate.');
-}
-// ── status ──────────────────────────────────────────────────────────────────
-async function cmdStatus() {
-    const s = loadSession();
-    if (!s) {
-        console.log('Not logged in. Run `wyrm cloud login`.');
-        return;
-    }
-    const client = new CloudClient(s.base, s.session);
-    try {
-        const me = await client.me();
-        const st = await client.syncStatus();
-        console.log('');
-        console.log(`󱅝 Wyrm Cloud — ${me.account.email}`);
-        console.log('');
-        console.log(`  Tier:     ${st.tier}`);
-        console.log(`  Storage:  ${fmtBytes(st.storage.used_bytes)} / ${fmtBytes(st.storage.limit_bytes)} (${st.storage.percent}%)`);
-        console.log(`  Deltas:   ${st.deltas}`);
-        console.log(`  Devices:  ${st.devices}`);
-        console.log(`  Providers:${me.identities.map((i) => ' ' + i.provider).join(',')}`);
-        console.log('');
-        console.log(`  This machine: ${s.device_name ?? '(not registered)'}`);
-        console.log(`  Device ID:    ${s.device_id ? s.device_id.slice(0, 8) + '…' : '(none)'}`);
-        console.log(`  Session age:  ${Math.round((Date.now() - s.created_at) / (24 * 60 * 60 * 1000))} day(s)`);
-        printIdentityHealth(s);
-        console.log('');
-        // Encryption-key health. The whole operator-owns-data guarantee rests
-        // on this file existing — if it's gone, no pulled blob can be decrypted.
-        if (!keyExists()) {
-            console.log('  ⚠ ENCRYPTION KEY MISSING');
-            console.log(`    Expected at: ${keyFilePath()}`);
-            console.log(`    Without this file, deltas already pushed cannot be decrypted.`);
-            console.log(`    If you have a backup, restore it before running sync.`);
-            console.log('');
-        }
-        else if (st.deltas > 0) {
-            console.log(`  Key:      ${keyFilePath()} (0600)`);
-            console.log(`            ⚠ Back this file up. Losing it = losing access to your ${st.deltas} deltas.`);
-            console.log('');
-        }
-    }
-    catch (err) {
-        if (err instanceof CloudError && err.status === 401) {
-            console.error('Session expired or invalid. Run `wyrm cloud login` again.');
-            process.exit(1);
-        }
-        throw err;
-    }
-}
-/**
- * Print the device-identity health line(s) for a session: whether the
- * stored machine fingerprint matches THIS machine. A mismatch is the
- * copied-session / device_id-collision symptom (failure #40). Shared by
- * `status` and `doctor`.
- */
-function printIdentityHealth(s) {
-    const verdict = classifySession(s.machine_fp);
-    if (verdict.state === 'match') {
-        console.log('  Identity:     ✓ machine fingerprint matches (not a copied session)');
-    }
-    else if (verdict.state === 'adopt') {
-        console.log('  Identity:     — no fingerprint yet (pre-7.0.3 session; adopted on next sync)');
-    }
-    else {
-        console.log('  Identity:     ⚠ FINGERPRINT MISMATCH — this session looks COPIED');
-        console.log(`                  stored ${verdict.stored.slice(0, 12)}… vs this machine ${verdict.current.slice(0, 12)}…`);
-        console.log('                  device_id collision → cross-device pull returns 0 silently.');
-        console.log('                  Fix: rm ~/.wyrm/cloud.json ~/.wyrm/cloud-cursor.json (KEEP cloud.key),');
-        console.log('                       then `wyrm cloud login`.  (Or `wyrm cloud sync --force` if intended.)');
-    }
-}
-// ── doctor ────────────────────────────────────────────────────────────────────
-function cmdDoctor() {
-    const s = loadSession();
-    console.log('');
-    console.log('󱅝 Wyrm Cloud — device identity doctor');
-    console.log('');
-    if (!s) {
-        console.log('  Not logged in. Run `wyrm cloud login`.');
-        console.log('');
-        return;
-    }
-    console.log(`  Account:      ${s.email ?? s.account_id.slice(0, 8) + '…'}`);
-    console.log(`  Device ID:    ${s.device_id ? s.device_id.slice(0, 8) + '…' : '(none — re-run `wyrm cloud login`)'}`);
-    console.log(`  Server:       ${s.base}`);
-    console.log(`  Stored fp:    ${s.machine_fp ? s.machine_fp.slice(0, 12) + '…' : '(none — pre-7.0.3 session)'}`);
-    console.log(`  This box fp:  ${computeMachineFp().slice(0, 12)}…`);
-    printIdentityHealth(s);
-    console.log('');
-    console.log('  Only ~/.wyrm/cloud.key is meant to be shared across your machines.');
-    console.log('  cloud.json + cloud-cursor.json + machine-id are per-device.');
-    console.log('');
-}
-// ── devices ─────────────────────────────────────────────────────────────────
-async function cmdDevices(args) {
-    const action = args[0];
-    const client = CloudClient.fromSession();
-    if (action === 'revoke') {
-        const id = args[1];
-        if (!id) {
-            console.error('Usage: wyrm cloud devices revoke <device-id>');
-            process.exit(1);
-        }
-        await client.revokeDevice(id);
-        console.log(`✓ Device ${id.slice(0, 8)}… revoked.`);
-        return;
-    }
-    const { devices } = await client.listDevices();
-    const session = loadSession();
-    const thisId = session?.device_id;
-    console.log('');
-    console.log(`󱅝 Devices (${devices.length})`);
-    console.log('');
-    for (const d of devices) {
-        const marker = d.id === thisId ? '★' : ' ';
-        const status = d.revoked ? '(revoked)' : '';
-        console.log(`  ${marker} ${d.id.slice(0, 8)}…  ${d.name.padEnd(30)}  last_seen=${fmtTime(d.last_seen_at)}  ${status}`);
-    }
-    console.log('');
-    console.log('  ★ = this machine');
-    console.log('  Revoke: wyrm cloud devices revoke <device-id>');
-    console.log('');
-}
-// ── sync ────────────────────────────────────────────────────────────────────
-async function cmdSync(args) {
-    requireCloudLicense();
-    const dryRun = args.includes('--dry-run');
-    const all = args.includes('--all');
-    const force = args.includes('--force');
-    if (!keyExists()) {
-        console.error('⚠ Encryption key not found at', keyFilePath());
-        console.error('  A new key will be generated, but it will NOT decrypt deltas');
-        console.error('  pushed by other devices using a different key. If you have a backup,');
-        console.error('  restore it to ~/.wyrm/cloud.key (0600) before running sync.');
-        console.error('  Continuing in 5 seconds — press Ctrl+C to abort.');
-        await new Promise((r) => { setTimeout(r, 5000); });
-    }
-    if (all) {
-        console.log('🌐 --all mode: syncing every semantic table (ignoring visibility flags).');
-        console.log('   Skipped: per-device logs, FTS shadows, sync internals.');
-        console.log('');
-    }
-    const result = await runSync({ dryRun, all, force });
-    console.log('');
-    console.log('󱅝 Sync complete');
-    console.log('');
-    console.log(`  Pushed:  ${result.pushed} row(s)${dryRun ? ' (dry run)' : ''}`);
-    console.log(`  Pulled:  ${result.pulled} row(s)`);
-    console.log(`  Deleted: ${result.deleted_local} row(s) (peer tombstones)`);
-    if (result.errors.length > 0) {
-        console.log('');
-        console.log('  Errors:');
-        for (const e of result.errors)
-            console.log(`    - ${e}`);
-    }
-    console.log('');
-}
-// ── export ──────────────────────────────────────────────────────────────────
-async function cmdExport(args) {
-    requireCloudLicense();
-    const client = CloudClient.fromSession();
-    const targetArg = args.find((a) => !a.startsWith('-'));
-    const target = resolve(targetArg ?? `wyrm-cloud-export-${new Date().toISOString().slice(0, 10)}.json`);
-    console.log('  Fetching account export…');
-    const dump = await client.accountExport();
-    const body = JSON.stringify(dump, null, 2);
-    writeFileSync(target, body, { mode: 0o600 });
-    console.log('');
-    console.log(`✓ Exported to ${target}`);
-    console.log('');
-    console.log(`  Account:    ${dump.account.email} (${dump.account.id.slice(0, 8)}…)`);
-    console.log(`  Devices:    ${dump.devices.length}`);
-    console.log(`  Identities: ${dump.identities.length}`);
-    console.log(`  Orgs:       ${dump.orgs.length}`);
-    console.log(`  Deltas:     ${dump.deltas.length}`);
-    console.log(`  Size:       ${fmtBytes(body.length)}`);
-    console.log('');
-    console.log('  Deltas are still AES-256-GCM ciphertext. To decrypt them you');
-    console.log(`  need the key at ${keyFilePath()}. Back that up alongside this file.`);
-    console.log('');
-}
-// ── delete ──────────────────────────────────────────────────────────────────
-async function cmdDelete(args) {
-    const confirmed = args.includes('--confirm');
-    if (!confirmed) {
-        console.error('✘ This permanently deletes your Wyrm Cloud account.');
-        console.error('  Re-run with --confirm to proceed:');
-        console.error('    wyrm cloud delete --confirm');
-        process.exit(1);
-    }
-    const s = loadSession();
-    if (!s) {
-        console.error('✘ Not logged in. Nothing to delete.');
-        process.exit(1);
-    }
-    console.log('');
-    console.log('⚠ You are about to PERMANENTLY DELETE your Wyrm Cloud account.');
-    console.log('');
-    console.log(`  Account: ${s.email ?? s.account_id}`);
-    console.log(`  Server:  ${s.base}`);
-    console.log('');
-    console.log('  This wipes all encrypted blobs, devices, identities, and org');
-    console.log('  memberships you own. The local ~/.wyrm/cloud.key is kept so');
-    console.log('  any backups remain decryptable. This action CANNOT be undone.');
-    console.log('');
-    const phrase = await prompt('  Type "DELETE my account" to confirm: ');
-    if (phrase.trim() !== 'DELETE my account') {
-        console.error('✘ Confirmation phrase did not match. Aborting.');
-        process.exit(1);
-    }
-    const client = new CloudClient(s.base, s.session);
-    await client.accountDelete();
-    clearSession();
-    console.log('');
-    console.log('✓ Account deleted on server.');
-    console.log(`✓ Local session removed (${SESSION_FILE}).`);
-    console.log(`  Kept: ${keyFilePath()} (in case you need to decrypt an old export).`);
-    console.log('');
-}
-function prompt(question) {
-    return new Promise((resolveP) => {
-        const rl = createInterface({ input: process.stdin, output: process.stdout });
-        rl.question(question, (answer) => { rl.close(); resolveP(answer); });
-    });
-}
-// ── recovery ────────────────────────────────────────────────────────────────
-async function cmdRecovery(args) {
-    const action = args[0];
-    if (action === 'show') {
-        const { keyToMnemonic } = await import('./recovery.js');
-        const phrase = keyToMnemonic();
-        const words = phrase.split(' ');
-        console.log('');
-        console.log('🔑 Wyrm Cloud recovery phrase (BIP39, 24 words)');
-        console.log('');
-        // 4 rows × 6 columns — easier to write down without losing place.
-        for (let row = 0; row < 4; row++) {
-            const line = words
-                .slice(row * 6, row * 6 + 6)
-                .map((w, i) => `${String(row * 6 + i + 1).padStart(2)}. ${w.padEnd(10)}`)
-                .join(' ');
-            console.log(`  ${line}`);
-        }
-        console.log('');
-        console.log('  Write these down on PAPER and keep them somewhere safe.');
-        console.log('  Anyone with this phrase can decrypt your synced Wyrm memory.');
-        console.log('  Wyrm Cloud has NO COPY of this. Lose it = lose your data.');
-        console.log('');
-        return;
-    }
-    if (action === 'restore') {
-        const overwrite = args.includes('--overwrite');
-        console.log('');
-        console.log('🔑 Restore master key from BIP39 recovery phrase');
-        console.log('');
-        console.log('  Enter your 24 words separated by spaces (case-insensitive).');
-        console.log('  Press Enter when done.');
-        console.log('');
-        const phrase = await prompt('  > ');
-        const { mnemonicToKey } = await import('./recovery.js');
-        const { path, overwrote } = mnemonicToKey(phrase, { overwrite });
-        console.log('');
-        console.log(`✓ Master key restored to ${path} (0600)`);
-        if (overwrote) {
-            console.log('  Replaced existing key (you passed --overwrite).');
-        }
-        console.log('  Run `wyrm cloud sync` to pull deltas with the restored key.');
-        console.log('');
-        return;
-    }
-    console.error('Usage:');
-    console.error('  wyrm cloud recovery show');
-    console.error('  wyrm cloud recovery restore [--overwrite]');
-    process.exit(1);
-}
-//# sourceMappingURL=cli.js.map
+`)}async function j(e){d()&&(console.error("Already logged in. Run `wyrm cloud logout` first to switch accounts."),process.exit(1));const n=new a(p),s=D(32).toString("hex");let o;try{o=await n.cliInit(s)}catch(t){console.error(`\u2718 Could not start login: ${t instanceof Error?t.message:t}`),process.exit(1)}console.log(""),console.log("\u{F115D} Sign in to Wyrm Cloud"),console.log(""),console.log("   1. Open this URL on any device:"),console.log(`        ${o.browser_url}`),console.log(""),console.log("   2. Type this code when prompted:"),console.log(`        ${o.code}`),console.log(""),console.log("   3. Sign in with Google or GitHub."),console.log(""),console.log(`   Waiting (expires in ${Math.round(o.expires_in_sec/60)} min)\u2026`);const l=Date.now()+o.expires_in_sec*1e3;let c,i;for(;Date.now()<l;){await new Promise(t=>{setTimeout(t,3e3)});try{const t=await n.cliPoll(s);if(t.ready&&t.session){c=t.session,i=t.account_id;break}}catch(t){console.error(`
+\u2718 Login failed: ${t instanceof Error?t.message:t}`),process.exit(1)}}(!c||!i)&&(console.error("\n\u2718 Login timed out. Run `wyrm cloud login` again."),process.exit(1)),S({base:p,session:c,account_id:i,created_at:Date.now()});const u=new a(p,c);let y="";try{y=(await u.me()).account.email}catch{}const m=`${N()} (${process.platform})`;let v;try{v=(await u.registerDevice(m)).device.id;const $=d();$&&S({...$,email:y,device_id:v,device_name:m,machine_fp:E()})}catch(t){console.error(`
+\u26A0 Logged in but could not register device: ${t instanceof Error?t.message:t}`),console.error("  Re-run `wyrm cloud login` to retry.");return}console.log(""),console.log(`\u2713 Signed in as ${y}`),console.log(`\u2713 Device registered: ${m}`),console.log(`\u2713 Session saved to ${f}`);const C=!h();R(),C?(console.log(`\u2713 Encryption key generated at ${g()} (0600)`),console.log(""),console.log("  \u26A0 Back up the key file. Losing it means losing access to your synced data."),console.log("    The Wyrm Cloud server CANNOT recover it \u2014 that's the operator-owns-data"),console.log("    guarantee. Run `wyrm cloud recovery show` now to get a 24-word phrase,"),console.log("    or copy the key file to a password manager / encrypted backup.")):console.log(`\u2713 Encryption key reused from ${g()}`),console.log(""),console.log("Next: `wyrm cloud sync` to push your memory.")}async function K(){const e=d();if(!e){console.log("Not logged in.");return}try{await new a(e.base,e.session).logout(),console.log("\u2713 Session revoked server-side.")}catch(n){console.error(`\u26A0 Could not revoke server-side: ${n instanceof Error?n.message:n}`),console.error("  Local session cleared anyway.")}b(),console.log(`\u2713 Local session removed (${f}).`),console.log("  Note: ~/.wyrm/cloud.key kept. Delete manually if you want a clean slate.")}async function H(){const e=d();if(!e){console.log("Not logged in. Run `wyrm cloud login`.");return}const n=new a(e.base,e.session);try{const s=await n.me(),o=await n.syncStatus();console.log(""),console.log(`\u{F115D} Wyrm Cloud \u2014 ${s.account.email}`),console.log(""),console.log(`  Tier:     ${o.tier}`),console.log(`  Storage:  ${w(o.storage.used_bytes)} / ${w(o.storage.limit_bytes)} (${o.storage.percent}%)`),console.log(`  Deltas:   ${o.deltas}`),console.log(`  Devices:  ${o.devices}`),console.log(`  Providers:${s.identities.map(r=>" "+r.provider).join(",")}`),console.log(""),console.log(`  This machine: ${e.device_name??"(not registered)"}`),console.log(`  Device ID:    ${e.device_id?e.device_id.slice(0,8)+"\u2026":"(none)"}`),console.log(`  Session age:  ${Math.round((Date.now()-e.created_at)/(1440*60*1e3))} day(s)`),x(e),console.log(""),h()?o.deltas>0&&(console.log(`  Key:      ${g()} (0600)`),console.log(`            \u26A0 Back this file up. Losing it = losing access to your ${o.deltas} deltas.`),console.log("")):(console.log("  \u26A0 ENCRYPTION KEY MISSING"),console.log(`    Expected at: ${g()}`),console.log("    Without this file, deltas already pushed cannot be decrypted."),console.log("    If you have a backup, restore it before running sync."),console.log(""))}catch(s){throw s instanceof k&&s.status===401&&(console.error("Session expired or invalid. Run `wyrm cloud login` again."),process.exit(1)),s}}function x(e){const n=O(e.machine_fp);n.state==="match"?console.log("  Identity:     \u2713 machine fingerprint matches (not a copied session)"):n.state==="adopt"?console.log("  Identity:     \u2014 no fingerprint yet (pre-7.0.3 session; adopted on next sync)"):(console.log("  Identity:     \u26A0 FINGERPRINT MISMATCH \u2014 this session looks COPIED"),console.log(`                  stored ${n.stored.slice(0,12)}\u2026 vs this machine ${n.current.slice(0,12)}\u2026`),console.log("                  device_id collision \u2192 cross-device pull returns 0 silently."),console.log("                  Fix: rm ~/.wyrm/cloud.json ~/.wyrm/cloud-cursor.json (KEEP cloud.key),"),console.log("                       then `wyrm cloud login`.  (Or `wyrm cloud sync --force` if intended.)"))}function Y(){const e=d();if(console.log(""),console.log("\u{F115D} Wyrm Cloud \u2014 device identity doctor"),console.log(""),!e){console.log("  Not logged in. Run `wyrm cloud login`."),console.log("");return}console.log(`  Account:      ${e.email??e.account_id.slice(0,8)+"\u2026"}`),console.log(`  Device ID:    ${e.device_id?e.device_id.slice(0,8)+"\u2026":"(none \u2014 re-run `wyrm cloud login`)"}`),console.log(`  Server:       ${e.base}`),console.log(`  Stored fp:    ${e.machine_fp?e.machine_fp.slice(0,12)+"\u2026":"(none \u2014 pre-7.0.3 session)"}`),console.log(`  This box fp:  ${E().slice(0,12)}\u2026`),x(e),console.log(""),console.log("  Only ~/.wyrm/cloud.key is meant to be shared across your machines."),console.log("  cloud.json + cloud-cursor.json + machine-id are per-device."),console.log("")}async function q(e){const n=e[0],s=a.fromSession();if(n==="revoke"){const c=e[1];c||(console.error("Usage: wyrm cloud devices revoke <device-id>"),process.exit(1)),await s.revokeDevice(c),console.log(`\u2713 Device ${c.slice(0,8)}\u2026 revoked.`);return}const{devices:o}=await s.listDevices(),l=d()?.device_id;console.log(""),console.log(`\u{F115D} Devices (${o.length})`),console.log("");for(const c of o){const i=c.id===l?"\u2605":" ",u=c.revoked?"(revoked)":"";console.log(`  ${i} ${c.id.slice(0,8)}\u2026  ${c.name.padEnd(30)}  last_seen=${G(c.last_seen_at)}  ${u}`)}console.log(""),console.log("  \u2605 = this machine"),console.log("  Revoke: wyrm cloud devices revoke <device-id>"),console.log("")}async function z(e){T();const n=e.includes("--dry-run"),s=e.includes("--all"),o=e.includes("--force");h()||(console.error("\u26A0 Encryption key not found at",g()),console.error("  A new key will be generated, but it will NOT decrypt deltas"),console.error("  pushed by other devices using a different key. If you have a backup,"),console.error("  restore it to ~/.wyrm/cloud.key (0600) before running sync."),console.error("  Continuing in 5 seconds \u2014 press Ctrl+C to abort."),await new Promise(l=>{setTimeout(l,5e3)})),s&&(console.log("\u{1F310} --all mode: syncing every semantic table (ignoring visibility flags)."),console.log("   Skipped: per-device logs, FTS shadows, sync internals."),console.log(""));const r=await L({dryRun:n,all:s,force:o});if(console.log(""),console.log("\u{F115D} Sync complete"),console.log(""),console.log(`  Pushed:  ${r.pushed} row(s)${n?" (dry run)":""}`),console.log(`  Pulled:  ${r.pulled} row(s)`),console.log(`  Deleted: ${r.deleted_local} row(s) (peer tombstones)`),r.errors.length>0){console.log(""),console.log("  Errors:");for(const l of r.errors)console.log(`    - ${l}`)}console.log("")}async function J(e){T();const n=a.fromSession(),s=e.find(c=>!c.startsWith("-")),o=P(s??`wyrm-cloud-export-${new Date().toISOString().slice(0,10)}.json`);console.log("  Fetching account export\u2026");const r=await n.accountExport(),l=JSON.stringify(r,null,2);I(o,l,{mode:384}),console.log(""),console.log(`\u2713 Exported to ${o}`),console.log(""),console.log(`  Account:    ${r.account.email} (${r.account.id.slice(0,8)}\u2026)`),console.log(`  Devices:    ${r.devices.length}`),console.log(`  Identities: ${r.identities.length}`),console.log(`  Orgs:       ${r.orgs.length}`),console.log(`  Deltas:     ${r.deltas.length}`),console.log(`  Size:       ${w(l.length)}`),console.log(""),console.log("  Deltas are still AES-256-GCM ciphertext. To decrypt them you"),console.log(`  need the key at ${g()}. Back that up alongside this file.`),console.log("")}async function Q(e){e.includes("--confirm")||(console.error("\u2718 This permanently deletes your Wyrm Cloud account."),console.error("  Re-run with --confirm to proceed:"),console.error("    wyrm cloud delete --confirm"),process.exit(1));const s=d();s||(console.error("\u2718 Not logged in. Nothing to delete."),process.exit(1)),console.log(""),console.log("\u26A0 You are about to PERMANENTLY DELETE your Wyrm Cloud account."),console.log(""),console.log(`  Account: ${s.email??s.account_id}`),console.log(`  Server:  ${s.base}`),console.log(""),console.log("  This wipes all encrypted blobs, devices, identities, and org"),console.log("  memberships you own. The local ~/.wyrm/cloud.key is kept so"),console.log("  any backups remain decryptable. This action CANNOT be undone."),console.log(""),(await _('  Type "DELETE my account" to confirm: ')).trim()!=="DELETE my account"&&(console.error("\u2718 Confirmation phrase did not match. Aborting."),process.exit(1)),await new a(s.base,s.session).accountDelete(),b(),console.log(""),console.log("\u2713 Account deleted on server."),console.log(`\u2713 Local session removed (${f}).`),console.log(`  Kept: ${g()} (in case you need to decrypt an old export).`),console.log("")}function _(e){return new Promise(n=>{const s=A({input:process.stdin,output:process.stdout});s.question(e,o=>{s.close(),n(o)})})}async function V(e){const n=e[0];if(n==="show"){const{keyToMnemonic:s}=await import("./recovery.js"),r=s().split(" ");console.log(""),console.log("\u{1F511} Wyrm Cloud recovery phrase (BIP39, 24 words)"),console.log("");for(let l=0;l<4;l++){const c=r.slice(l*6,l*6+6).map((i,u)=>`${String(l*6+u+1).padStart(2)}. ${i.padEnd(10)}`).join(" ");console.log(`  ${c}`)}console.log(""),console.log("  Write these down on PAPER and keep them somewhere safe."),console.log("  Anyone with this phrase can decrypt your synced Wyrm memory."),console.log("  Wyrm Cloud has NO COPY of this. Lose it = lose your data."),console.log("");return}if(n==="restore"){const s=e.includes("--overwrite");console.log(""),console.log("\u{1F511} Restore master key from BIP39 recovery phrase"),console.log(""),console.log("  Enter your 24 words separated by spaces (case-insensitive)."),console.log("  Press Enter when done."),console.log("");const o=await _("  > "),{mnemonicToKey:r}=await import("./recovery.js"),{path:l,overwrote:c}=r(o,{overwrite:s});console.log(""),console.log(`\u2713 Master key restored to ${l} (0600)`),c&&console.log("  Replaced existing key (you passed --overwrite)."),console.log("  Run `wyrm cloud sync` to pull deltas with the restored key."),console.log("");return}console.error("Usage:"),console.error("  wyrm cloud recovery show"),console.error("  wyrm cloud recovery restore [--overwrite]"),process.exit(1)}export{ie as cmdCloud};