wyrm-mcp 7.2.0 → 7.2.2

package/dist/wyrm-cli.js

@@ -1,1724 +1,115 @@
 #!/usr/bin/env node
-/**
- * Wyrm CLI — Terminal interface for browsing and capturing AI memory
- *
- * Usage: wyrm <command> [options]
- *
- * @copyright 2026 Ghost Protocol (Pvt) Ltd.
- * @license AGPL-3.0-or-later — dual-licensed; commercial terms: ghosts.lk@proton.me. See LICENSE.
- */
-import { join, dirname } from 'path';
-import { homedir } from 'os';
-import { existsSync, readFileSync } from 'fs';
-import { fileURLToPath } from 'url';
-import { spawnSync } from 'child_process';
-import { createInterface } from 'readline';
-import { WyrmDB } from './database.js';
-import { MemoryArtifacts } from './memory-artifacts.js';
-import { GroundTruths } from './intelligence.js';
-import { Rehydration } from './rehydration.js';
-import { makeRenderDeps, buildRenderPlan, renderToDisk, renderForClient, } from './render-target.js';
-import { classifyCapture } from './capture.js';
-import { c, colors, formatTable, printSection, printSuccess, printError, icons } from './cli.js';
-import { readActor } from './attribution.js';
-// ==================== VERSION ====================
-/**
- * Read name+version from the package.json shipped alongside dist/, so the CLI
- * banner and `--version` always match what npm published — no hard-coded
- * constant to drift on each release. Falls back gracefully if unreadable.
- */
-function readPkg() {
-    try {
-        const here = dirname(fileURLToPath(import.meta.url));
-        // dist/ sits one level below the package root.
-        return JSON.parse(readFileSync(join(here, '..', 'package.json'), 'utf-8'));
-    }
-    catch {
-        return {};
-    }
-}
-// ==================== FLAG HELPERS ====================
-/** Parse an int flag, falling back to a default for missing/invalid values
- *  (a bare `--limit` with no number would otherwise coerce to NaN). */
-function intFlag(v, def) {
-    const n = typeof v === 'string' ? parseInt(v, 10) : NaN;
-    return Number.isFinite(n) ? n : def;
-}
-/** Parse a float flag, falling back to a default for missing/invalid values. */
-function floatFlag(v, def) {
-    const n = typeof v === 'string' ? parseFloat(v) : NaN;
-    return Number.isFinite(n) ? n : def;
-}
-// ==================== DB INITIALIZATION ====================
-function getDbPath() {
-    return process.env.WYRM_DB_PATH ?? join(homedir(), '.wyrm', 'wyrm.db');
-}
-function openDb() {
-    return new WyrmDB(getDbPath());
-}
-function parseArgs(args) {
-    const positional = [];
-    const flags = {};
-    let i = 0;
-    while (i < args.length) {
-        const arg = args[i];
-        if (arg.startsWith('--')) {
-            const key = arg.slice(2);
-            const next = args[i + 1];
-            if (next && !next.startsWith('--')) {
-                flags[key] = next;
-                i += 2;
-            }
-            else {
-                flags[key] = true;
-                i++;
-            }
-        }
-        else {
-            positional.push(arg);
-            i++;
-        }
-    }
-    return { positional, flags };
-}
-// ==================== PROJECT RESOLUTION ====================
-function resolveProject(db, projectName) {
-    if (!projectName)
-        return null;
-    const rawDb = db.getDatabase();
-    const proj = rawDb.prepare('SELECT * FROM projects WHERE LOWER(name) LIKE LOWER(?) LIMIT 1').get(`%${projectName}%`);
-    return proj ?? null;
-}
-// ==================== COMMANDS ====================
-async function cmdSearch(args) {
-    const { positional, flags } = parseArgs(args);
-    const query = positional[0];
-    if (!query) {
-        printError('Usage: wyrm search <query> [--project <name>] [--type all|memories|truths|quests|data]');
-        process.exit(1);
-    }
-    const db = openDb();
-    const rawDb = db.getDatabase();
-    const searchType = flags['type'] ?? 'all';
-    const projectName = flags['project'];
-    const proj = projectName ? resolveProject(db, projectName) : null;
-    const projectId = proj?.id;
-    printSection(`Search: "${query}"`);
-    const rows = [];
-    // FTS search memories
-    if (searchType === 'all' || searchType === 'memories') {
-        try {
-            const projectClause = projectId ? `AND m.project_id = ${projectId}` : '';
-            const mems = rawDb.prepare(`
+import{join as oe,dirname as ae}from"path";import{homedir as Ee}from"os";import{existsSync as ce,readFileSync as V}from"fs";import{fileURLToPath as le}from"url";import{spawnSync as B}from"child_process";import{createInterface as K}from"readline";import{WyrmDB as xe}from"./database.js";import{MemoryArtifacts as G}from"./memory-artifacts.js";import{GroundTruths as de}from"./intelligence.js";import{Rehydration as Ce}from"./rehydration.js";import{makeRenderDeps as pe,buildRenderPlan as se,renderToDisk as Re,renderForClient as ue}from"./render-target.js";import{classifyCapture as Pe}from"./capture.js";import{c as d,colors as J,formatTable as M,printSection as j,printSuccess as v,printError as p,icons as L}from"./cli.js";import{readActor as Te}from"./attribution.js";function O(){try{const l=ae(le(import.meta.url));return JSON.parse(V(oe(l,"..","package.json"),"utf-8"))}catch{return{}}}function R(l,i){const e=typeof l=="string"?parseInt(l,10):NaN;return Number.isFinite(e)?e:i}function z(l,i){const e=typeof l=="string"?parseFloat(l):NaN;return Number.isFinite(e)?e:i}function De(){return process.env.WYRM_DB_PATH??oe(Ee(),".wyrm","wyrm.db")}function E(){return new xe(De())}function x(l){const i=[],e={};let s=0;for(;s<l.length;){const r=l[s];if(r.startsWith("--")){const t=r.slice(2),n=l[s+1];n&&!n.startsWith("--")?(e[t]=n,s+=2):(e[t]=!0,s++)}else i.push(r),s++}return{positional:i,flags:e}}function P(l,i){return i?l.getDatabase().prepare("SELECT * FROM projects WHERE LOWER(name) LIKE LOWER(?) LIMIT 1").get(`%${i}%`)??null:null}async function Me(l){const{positional:i,flags:e}=x(l),s=i[0];s||(p("Usage: wyrm search <query> [--project <name>] [--type all|memories|truths|quests|data]"),process.exit(1));const r=E(),t=r.getDatabase(),n=e.type??"all",a=e.project,u=(a?P(r,a):null)?.id;j(`Search: "${s}"`);const c=[];if(n==="all"||n==="memories")try{const m=u?`AND m.project_id = ${u}`:"",y=t.prepare(`
         SELECT m.id, m.kind, m.problem, m.project_id FROM memory_artifacts m
         JOIN memory_artifacts_fts fts ON m.id = fts.rowid
-        WHERE memory_artifacts_fts MATCH ? ${projectClause}
+        WHERE memory_artifacts_fts MATCH ? ${m}
         LIMIT 20
-      `).all(query);
-            for (const m of mems) {
-                rows.push([`mem:${m.id}`, 'memory', m.kind, m.problem.slice(0, 80)]);
-            }
-        }
-        catch { /* FTS not available or empty */ }
-    }
-    // FTS search sessions
-    if (searchType === 'all' || searchType === 'sessions') {
-        try {
-            const projectClause = projectId ? `AND s.project_id = ${projectId}` : '';
-            const sessions = rawDb.prepare(`
+      `).all(s);for(const f of y)c.push([`mem:${f.id}`,"memory",f.kind,f.problem.slice(0,80)])}catch{}if(n==="all"||n==="sessions")try{const m=u?`AND s.project_id = ${u}`:"",y=t.prepare(`
         SELECT s.id, s.objectives, s.project_id FROM sessions s
         JOIN sessions_fts fts ON s.id = fts.rowid
-        WHERE sessions_fts MATCH ? ${projectClause}
+        WHERE sessions_fts MATCH ? ${m}
         LIMIT 10
-      `).all(query);
-            for (const s of sessions) {
-                rows.push([`session:${s.id}`, 'session', '', s.objectives.slice(0, 80)]);
-            }
-        }
-        catch { /* ignore */ }
-    }
-    // FTS search quests
-    if (searchType === 'all' || searchType === 'quests') {
-        try {
-            const projectClause = projectId ? `AND q.project_id = ${projectId}` : '';
-            const quests = rawDb.prepare(`
+      `).all(s);for(const f of y)c.push([`session:${f.id}`,"session","",f.objectives.slice(0,80)])}catch{}if(n==="all"||n==="quests")try{const m=u?`AND q.project_id = ${u}`:"",y=t.prepare(`
         SELECT q.id, q.title, q.priority, q.project_id FROM quests q
         JOIN quests_fts fts ON q.id = fts.rowid
-        WHERE quests_fts MATCH ? ${projectClause}
+        WHERE quests_fts MATCH ? ${m}
         LIMIT 10
-      `).all(query);
-            for (const q of quests) {
-                rows.push([`quest:${q.id}`, 'quest', q.priority, q.title.slice(0, 80)]);
-            }
-        }
-        catch { /* ignore */ }
-    }
-    // FTS search data lake
-    if (searchType === 'all' || searchType === 'data') {
-        try {
-            const projectClause = projectId ? `AND d.project_id = ${projectId}` : '';
-            const data = rawDb.prepare(`
+      `).all(s);for(const f of y)c.push([`quest:${f.id}`,"quest",f.priority,f.title.slice(0,80)])}catch{}if(n==="all"||n==="data")try{const m=u?`AND d.project_id = ${u}`:"",y=t.prepare(`
         SELECT d.id, d.category, d.key, d.value FROM data_lake d
         JOIN data_lake_fts fts ON d.id = fts.rowid
-        WHERE data_lake_fts MATCH ? ${projectClause}
+        WHERE data_lake_fts MATCH ? ${m}
         LIMIT 10
-      `).all(query);
-            for (const d of data) {
-                rows.push([`data:${d.id}`, 'data', d.category, d.value.slice(0, 80)]);
-            }
-        }
-        catch { /* ignore */ }
-    }
-    db.close();
-    if (rows.length === 0) {
-        console.log(c.dim(`  No results found for "${query}"`));
-        return;
-    }
-    console.log(formatTable(['ID', 'Type', 'Subtype', 'Preview'], rows));
-    console.log(c.dim(`\n  ${rows.length} result${rows.length !== 1 ? 's' : ''}`));
-}
-async function cmdLs(args) {
-    const { flags } = parseArgs(args);
-    const type = flags['type'] ?? 'all';
-    const limit = intFlag(flags['limit'], 20);
-    const projectName = flags['project'];
-    const db = openDb();
-    const rawDb = db.getDatabase();
-    const proj = projectName ? resolveProject(db, projectName) : null;
-    const projectId = proj?.id;
-    const projectClause = projectId ? `WHERE project_id = ${projectId}` : '';
-    const projectClauseAnd = projectId ? `AND project_id = ${projectId}` : '';
-    printSection('Wyrm Memory');
-    if (type === 'all' || type === 'memories') {
-        printSection('Memories');
-        const mems = rawDb.prepare(`
+      `).all(s);for(const f of y)c.push([`data:${f.id}`,"data",f.category,f.value.slice(0,80)])}catch{}if(r.close(),c.length===0){console.log(d.dim(`  No results found for "${s}"`));return}console.log(M(["ID","Type","Subtype","Preview"],c)),console.log(d.dim(`
+  ${c.length} result${c.length!==1?"s":""}`))}async function Ie(l){const{flags:i}=x(l),e=i.type??"all",s=R(i.limit,20),r=i.project,t=E(),n=t.getDatabase(),o=(r?P(t,r):null)?.id,u=o?`WHERE project_id = ${o}`:"",c=o?`AND project_id = ${o}`:"";if(j("Wyrm Memory"),e==="all"||e==="memories"){j("Memories");const m=n.prepare(`
       SELECT id, kind, confidence, problem, tags FROM memory_artifacts
-      ${projectClause}
+      ${u}
       ORDER BY created_at DESC LIMIT ?
-    `).all(limit);
-        if (mems.length > 0) {
-            const rows = mems.map(m => [
-                `mem:${m.id}`,
-                m.kind,
-                `${Math.round(m.confidence * 100)}%`,
-                m.problem.slice(0, 60),
-                m.tags?.slice(0, 30) ?? '',
-            ]);
-            console.log(formatTable(['ID', 'Kind', 'Conf', 'Preview', 'Tags'], rows));
-        }
-        else {
-            console.log(c.dim('  No memories yet.'));
-        }
-    }
-    if (type === 'all' || type === 'truths') {
-        printSection('Ground Truths');
-        const truths = rawDb.prepare(`
+    `).all(s);if(m.length>0){const y=m.map(f=>[`mem:${f.id}`,f.kind,`${Math.round(f.confidence*100)}%`,f.problem.slice(0,60),f.tags?.slice(0,30)??""]);console.log(M(["ID","Kind","Conf","Preview","Tags"],y))}else console.log(d.dim("  No memories yet."))}if(e==="all"||e==="truths"){j("Ground Truths");const m=n.prepare(`
       SELECT id, category, key, value FROM ground_truths
-      WHERE is_current = 1 ${projectClauseAnd}
+      WHERE is_current = 1 ${c}
       ORDER BY created_at DESC LIMIT ?
-    `).all(limit);
-        if (truths.length > 0) {
-            const rows = truths.map(t => [
-                `truth:${t.id}`,
-                t.category,
-                t.key.slice(0, 30),
-                t.value.slice(0, 60),
-            ]);
-            console.log(formatTable(['ID', 'Category', 'Key', 'Value'], rows));
-        }
-        else {
-            console.log(c.dim('  No ground truths yet.'));
-        }
-    }
-    if (type === 'all' || type === 'quests') {
-        printSection('Quests');
-        const quests = rawDb.prepare(`
+    `).all(s);if(m.length>0){const y=m.map(f=>[`truth:${f.id}`,f.category,f.key.slice(0,30),f.value.slice(0,60)]);console.log(M(["ID","Category","Key","Value"],y))}else console.log(d.dim("  No ground truths yet."))}if(e==="all"||e==="quests"){j("Quests");const m=n.prepare(`
       SELECT id, priority, title, status FROM quests
-      ${projectClause}
+      ${u}
       ORDER BY created_at DESC LIMIT ?
-    `).all(limit);
-        if (quests.length > 0) {
-            const rows = quests.map(q => [
-                `quest:${q.id}`,
-                q.priority,
-                q.title.slice(0, 60),
-                q.status,
-            ]);
-            console.log(formatTable(['ID', 'Priority', 'Title', 'Status'], rows));
-        }
-        else {
-            console.log(c.dim('  No quests yet.'));
-        }
-    }
-    db.close();
-}
-async function cmdShow(args) {
-    const { positional } = parseArgs(args);
-    const typedId = positional[0];
-    if (!typedId) {
-        printError('Usage: wyrm show <typed-id>  (e.g. mem:41, quest:12, truth:7, data:5, session:3)');
-        process.exit(1);
-    }
-    const [typePrefix, idStr] = typedId.split(':');
-    const id = parseInt(idStr ?? '', 10);
-    if (!typePrefix || isNaN(id)) {
-        printError(`Invalid typed ID: ${typedId}. Format: type:number (e.g. mem:41)`);
-        process.exit(1);
-    }
-    const db = openDb();
-    const rawDb = db.getDatabase();
-    printSection(`${typedId}`);
-    switch (typePrefix) {
-        case 'mem': {
-            const row = rawDb.prepare('SELECT * FROM memory_artifacts WHERE id = ?').get(id);
-            if (!row) {
-                printError(`Memory artifact ${id} not found`);
-                break;
-            }
-            console.log(c.bold('Kind:      ') + row['kind']);
-            console.log(c.bold('Confidence:') + ` ${Math.round(row['confidence'] * 100)}%`);
-            console.log(c.bold('Problem:   ') + '\n' + row['problem']);
-            if (row['validated_fix'])
-                console.log(c.bold('Solution:  ') + '\n' + row['validated_fix']);
-            if (row['why_it_worked'])
-                console.log(c.bold('Why:       ') + '\n' + row['why_it_worked']);
-            if (row['tags'])
-                console.log(c.bold('Tags:      ') + row['tags']);
-            console.log(c.bold('Created:   ') + row['created_at']);
-            break;
-        }
-        case 'quest': {
-            const row = rawDb.prepare('SELECT * FROM quests WHERE id = ?').get(id);
-            if (!row) {
-                printError(`Quest ${id} not found`);
-                break;
-            }
-            console.log(c.bold('Title:    ') + row['title']);
-            console.log(c.bold('Priority: ') + row['priority']);
-            console.log(c.bold('Status:   ') + row['status']);
-            if (row['description'])
-                console.log(c.bold('Desc:     ') + '\n' + row['description']);
-            if (row['tags'])
-                console.log(c.bold('Tags:     ') + row['tags']);
-            console.log(c.bold('Created:  ') + row['created_at']);
-            break;
-        }
-        case 'truth': {
-            const row = rawDb.prepare('SELECT * FROM ground_truths WHERE id = ?').get(id);
-            if (!row) {
-                printError(`Ground truth ${id} not found`);
-                break;
-            }
-            console.log(c.bold('Category: ') + row['category']);
-            console.log(c.bold('Key:      ') + row['key']);
-            console.log(c.bold('Value:    ') + '\n' + row['value']);
-            if (row['rationale'])
-                console.log(c.bold('Rationale:') + '\n' + row['rationale']);
-            console.log(c.bold('Active:   ') + (row['is_current'] ? 'Yes' : 'No (superseded)'));
-            console.log(c.bold('Created:  ') + row['created_at']);
-            break;
-        }
-        case 'data': {
-            const row = rawDb.prepare('SELECT * FROM data_lake WHERE id = ?').get(id);
-            if (!row) {
-                printError(`Data point ${id} not found`);
-                break;
-            }
-            console.log(c.bold('Category: ') + row['category']);
-            console.log(c.bold('Key:      ') + row['key']);
-            console.log(c.bold('Value:    ') + '\n' + String(row['value']).slice(0, 500));
-            console.log(c.bold('Created:  ') + row['created_at']);
-            break;
-        }
-        case 'session': {
-            const row = rawDb.prepare('SELECT * FROM sessions WHERE id = ?').get(id);
-            if (!row) {
-                printError(`Session ${id} not found`);
-                break;
-            }
-            console.log(c.bold('Date:       ') + row['date']);
-            console.log(c.bold('Objectives: ') + '\n' + row['objectives']);
-            if (row['completed'])
-                console.log(c.bold('Completed:  ') + '\n' + row['completed']);
-            if (row['notes'])
-                console.log(c.bold('Notes:      ') + '\n' + row['notes']);
-            break;
-        }
-        default:
-            printError(`Unknown type prefix: ${typePrefix}. Use mem|quest|truth|data|session`);
-    }
-    db.close();
-}
-async function cmdCapture(args) {
-    const { positional, flags } = parseArgs(args);
-    const content = positional[0];
-    if (!content) {
-        printError('Usage: wyrm capture "<content>" [--project <name>] [--mode auto|quest|truth|memory]');
-        process.exit(1);
-    }
-    const projectName = flags['project'];
-    const mode = flags['mode'];
-    const db = openDb();
-    const rawDb = db.getDatabase();
-    let projectId = null;
-    if (projectName) {
-        const proj = resolveProject(db, projectName);
-        if (!proj) {
-            printError(`Project not found: ${projectName}`);
-            db.close();
-            process.exit(1);
-        }
-        projectId = proj.id;
-    }
-    // Classify
-    let classified = classifyCapture(content);
-    if (mode && mode !== 'auto') {
-        const subtypeMap = { quest: 'quest', truth: 'decision', memory: 'pattern' };
-        classified = {
-            type: mode,
-            subtype: subtypeMap[mode] ?? mode,
-            confidence: 100,
-            reasoning: `Mode override: ${mode}`,
-        };
-    }
-    const { type, subtype, confidence, reasoning } = classified;
-    if ((type === 'quest' || type === 'truth' || type === 'memory') && projectId === null) {
-        printError('A --project is required to capture. Use: wyrm capture "<text>" --project <name>');
-        db.close();
-        process.exit(1);
-    }
-    let storedId = 0;
-    let typeShort = '';
-    let needsReview = false;
-    const memory = new MemoryArtifacts(rawDb);
-    const groundTruths = new GroundTruths(rawDb);
-    if (type === 'quest') {
-        const quest = db.addQuest(projectId, content.slice(0, 200), '', 'medium');
-        storedId = quest.id;
-        typeShort = 'quest';
-    }
-    else if (type === 'truth') {
-        if (mode !== 'truth' && confidence < 100) {
-            const artifact = memory.add(projectId, { kind: 'pattern', problem: content, confidence: confidence / 100, needsReview: 1 });
-            storedId = artifact.id;
-            typeShort = 'mem';
-            needsReview = true;
-        }
-        else {
-            const truth = groundTruths.set(projectId, { category: 'decision', key: content.slice(0, 60), value: content });
-            storedId = truth.id;
-            typeShort = 'truth';
-        }
-    }
-    else {
-        const shouldAutoCreate = confidence >= 75;
-        const artifact = memory.add(projectId, {
-            kind: subtype,
-            problem: content, confidence: confidence / 100, needsReview: shouldAutoCreate ? 0 : 1,
-        });
-        storedId = artifact.id;
-        typeShort = 'mem';
-        if (!shouldAutoCreate)
-            needsReview = true;
-    }
-    db.close();
-    printSuccess(`Captured as ${type}: ${subtype}`);
-    console.log(`${c.dim('Confidence:')} ${confidence}%  |  ${c.dim(reasoning)}`);
-    console.log(`${c.dim('ID:')} ${typeShort}:${storedId}`);
-    if (needsReview)
-        console.log(`${icons.warning} Stored for review — run ${c.cyan('wyrm review')} to activate`);
-}
-/**
- * Print a session rehydration brief: the cross-session continuity briefing
- * (objectives, completed work, ground truths, open quests, validated patterns,
- * unresolved failures) drawn from a project's most recent session.
- *
- * Resolution order: --session <id> → --path <dir> (exact project path) →
- * --project <name> → the current working directory. This is the command the
- * SessionStart hook shells to, so a fresh agent inherits prior state without a
- * manual tool call. It is READ-ONLY and never exits non-zero (a load hook must
- * not break a session): on any miss it writes a short note to stderr and exits 0.
- */
-async function cmdRehydrate(args) {
-    const { flags } = parseArgs(args);
-    const explicitSession = intFlag(flags['session'], 0);
-    const pathFlag = flags['path'];
-    const projectName = flags['project'];
-    const maxChars = intFlag(flags['max-chars'], 6000);
-    const quiet = flags['quiet'] === true; // suppress the "nothing found" stderr note (for hooks)
-    // Silence the DB layer's own info logging (migrations / WAL checkpoint / close)
-    // so this command's stdout is a clean, machine-consumable brief: it is piped
-    // straight into the SessionStart hook. The brief itself and the not-found
-    // notes go through process.stdout/stderr directly, so they are unaffected.
-    const realConsoleLog = console.log;
-    console.log = () => { };
-    const db = openDb();
-    try {
-        const rehydration = new Rehydration(db.getDatabase());
-        // 1. Resolve which session to rehydrate.
-        let sessionId = explicitSession;
-        if (sessionId <= 0) {
-            // Resolve the project: explicit --path (exact), then --project (name match), then cwd.
-            let project = pathFlag ? db.getProject(pathFlag) : undefined;
-            if (!project && projectName)
-                project = resolveProject(db, projectName) ?? undefined;
-            if (!project)
-                project = db.getProject(process.cwd());
-            if (!project) {
-                if (!quiet)
-                    process.stderr.write('wyrm rehydrate: no Wyrm project for this directory, nothing to restore.\n');
-                return;
-            }
-            const recent = db.getRecentSessions(project.id, 1);
-            if (recent.length === 0) {
-                if (!quiet)
-                    process.stderr.write(`wyrm rehydrate: project "${project.name}" has no prior sessions yet.\n`);
-                return;
-            }
-            sessionId = recent[0].id;
-        }
-        // 2. Build the brief and print it (truncating very long briefs so a
-        //    SessionStart injection never bloats a fresh context window).
-        const brief = rehydration.rehydrate(sessionId);
-        if (!brief) {
-            if (!quiet)
-                process.stderr.write(`wyrm rehydrate: session ${sessionId} not found.\n`);
-            return;
-        }
-        let md = brief.briefing_markdown;
-        if (maxChars > 0 && md.length > maxChars) {
-            md = md.slice(0, maxChars) +
-                `\n\n_... brief truncated at ${maxChars} chars, run \`wyrm show session:${brief.session_id}\` for the full record._`;
-        }
-        process.stdout.write(md + '\n');
-    }
-    finally {
-        db.close();
-        console.log = realConsoleLog;
-    }
-}
-/**
- * `wyrm render` — compile the project's memory to MEMORY.md + topic files (+
- * optional client adapters). The zero-MCP-token path for casual sessions: a
- * deterministic digest of ground truths / failures / quests / patterns written
- * straight into the harness-native memory slot. Safe (never escapes the target
- * dir, never clobbers operator prose outside the wyrm:render markers).
- *
- * Flags:
- *   --path <dir>        project to render (defaults to cwd's project)
- *   --project <name>    project by name
- *   --out <dir>         where to write (defaults to the project path)
- *   --client <list>     comma-separated: claude,cursor,copilot,agents
- *   --brief             print the SessionStart brief to stdout instead of writing files
- *   --force             append into non-Wyrm-managed files (never overwrites prose)
- *   --quiet             suppress the per-file write log
- */
-async function cmdRender(args) {
-    const { flags } = parseArgs(args);
-    const pathFlag = flags['path'];
-    const projectName = flags['project'];
-    const outDir = flags['out'];
-    const briefOnly = flags['brief'] === true;
-    const force = flags['force'] === true;
-    const quiet = flags['quiet'] === true;
-    const clientList = (typeof flags['client'] === 'string' ? flags['client'] : '')
-        .split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
-    const VALID_CLIENTS = ['claude', 'cursor', 'copilot', 'agents'];
-    const clients = clientList.filter((c) => VALID_CLIENTS.includes(c));
-    const badClients = clientList.filter((c) => !VALID_CLIENTS.includes(c));
-    if (badClients.length > 0) {
-        printError(`Unknown --client value(s): ${badClients.join(', ')} (valid: ${VALID_CLIENTS.join('|')})`);
-        process.exit(1);
-    }
-    // Silence the DB layer's own info logging so --brief stdout stays clean.
-    const realConsoleLog = console.log;
-    if (briefOnly)
-        console.log = () => { };
-    const db = openDb();
-    try {
-        let project = pathFlag ? db.getProject(pathFlag) : undefined;
-        if (!project && projectName)
-            project = resolveProject(db, projectName) ?? undefined;
-        if (!project)
-            project = db.getProject(process.cwd());
-        if (!project) {
-            console.log = realConsoleLog;
-            printError('wyrm render: no Wyrm project for this directory (use --path or --project).');
-            process.exit(1);
-        }
-        const deps = makeRenderDeps(db.getDatabase());
-        const stamp = { wyrm_version: readPkg().version ?? 'unknown', compiled_at: new Date().toISOString() };
-        if (briefOnly) {
-            const plan = buildRenderPlan(deps, project, stamp);
-            console.log = realConsoleLog;
-            process.stdout.write(plan.sessionBrief + '\n');
-            return;
-        }
-        const root = outDir ?? project.path;
-        // T039 silent-overwrite guard (security pass #2, critical): an explicit
-        // `wyrm render` OVERWRITES the Wyrm-managed region, so it MUST harvest any
-        // human edit to that region into the review queue FIRST — UNCONDITIONALLY.
-        // The opt-in WYRM_REVERSE_BRIDGE/WYRM_RENDER_WATCH env gates the CONTINUOUS
-        // WATCHER (the daemon loop), NOT this one-shot data-loss guard on a direct
-        // overwrite. Gating the sweep behind reverseBridgeEnabled() (the default
-        // OFF) meant an operator who hand-edited a truth inside the wyrm:render
-        // region and re-ran `wyrm render` lost that edit with no review candidate —
-        // the cardinal sin the provenance header (render-target.ts) promises against.
-        // The edit is never lost: it becomes a review candidate; the render then
-        // proceeds (the operator vets the candidate). Fail-safe: a sweep error never
-        // blocks the render, but the sweep always RUNS.
-        {
-            const bridge = await import('./reverse-bridge.js');
-            const preBrief = buildRenderPlan(deps, project, stamp);
-            const lastBlocks = { 'MEMORY.md': preBrief.memoryMd };
-            for (const client of clients) {
-                const t = renderForClient(client, preBrief.model, stamp);
-                lastBlocks[t.relPath] = t.block;
-            }
-            try {
-                const bridgeDeps = bridge.makeBridgeDeps(db.getDatabase());
-                const swept = await bridge.sweepProject(bridgeDeps, { id: project.id, path: project.path }, lastBlocks, { rootDir: root });
-                if (swept.added > 0 && !quiet) {
-                    console.log(`  ${icons.warning} harvested ${swept.added} human edit(s) → review queue before overwrite`);
-                }
-            }
-            catch { /* fail-safe: guard never blocks a render */ }
-        }
-        const { plan, writes } = renderToDisk(deps, project, stamp, { rootDir: root, clients, force });
-        if (!quiet) {
-            printSuccess(`Rendered ${project.name} memory ` +
-                `(${plan.model.truths.length} truths, ${plan.model.failures.length} failures, ` +
-                `${plan.model.quests.length} quests, ${plan.model.artifacts.length} patterns) to ${root}`);
-            for (const w of writes) {
-                const mark = w.action === 'created' ? icons.success
-                    : w.action === 'updated' ? icons.info : icons.warning;
-                console.log(`  ${mark} ${w.action.padEnd(7)} ${w.path}${w.reason ? `  (${w.reason})` : ''}`);
-            }
-        }
-    }
-    finally {
-        db.close();
-        console.log = realConsoleLog;
-    }
-}
-/**
- * `wyrm reverse-bridge` (v7 F4 — T039) — watch native memory files for human/
- * agent edits, diff them against what `wyrm render` last wrote, and queue the
- * edits as review candidates. Read-only on the watched files; never silently
- * ingests (everything lands needs_review=1) and never overwrites an edit. The
- * last-rendered blocks are reconstructed deterministically from the DB (the same
- * blocks `wyrm render` would emit), so the diff has no separate state to drift.
- */
-async function cmdReverseBridge(args) {
-    const { flags } = parseArgs(args);
-    const pathFlag = flags['path'];
-    const projectName = flags['project'];
-    const rootDir = flags['root'];
-    const dryRun = flags['dry-run'] === true || flags.dry === true;
-    const clientList = (typeof flags['client'] === 'string' ? flags['client'] : '')
-        .split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
-    const VALID_CLIENTS = ['claude', 'cursor', 'copilot', 'agents'];
-    const clients = clientList.filter((c) => VALID_CLIENTS.includes(c));
-    const bridge = await import('./reverse-bridge.js');
-    const db = openDb();
-    try {
-        let project = pathFlag ? db.getProject(pathFlag) : undefined;
-        if (!project && projectName)
-            project = resolveProject(db, projectName) ?? undefined;
-        if (!project)
-            project = db.getProject(process.cwd());
-        if (!project) {
-            printError('wyrm reverse-bridge: no Wyrm project for this directory (use --path or --project).');
-            process.exitCode = 1;
-            return;
-        }
-        // Reconstruct the blocks Wyrm last rendered into each watched file, so the
-        // diff knows what is Wyrm-owned (overwritable) vs a human edit.
-        const deps = makeRenderDeps(db.getDatabase());
-        const stamp = { wyrm_version: readPkg().version ?? 'unknown', compiled_at: new Date().toISOString() };
-        const plan = buildRenderPlan(deps, project, stamp);
-        const lastBlocks = {
-            'MEMORY.md': plan.memoryMd,
-        };
-        for (const client of clients) {
-            const t = renderForClient(client, plan.model, stamp);
-            lastBlocks[t.relPath] = t.block;
-        }
-        // For any watched file we did NOT render this run, last block is null → the
-        // bridge treats its region as operator-edited (harvest before any overwrite).
-        const bridgeDeps = bridge.makeBridgeDeps(db.getDatabase());
-        const report = await bridge.sweepProject(bridgeDeps, { id: project.id, path: project.path }, lastBlocks, { dryRun, rootDir });
-        printSection(`Reverse bridge ${dryRun ? '(dry run) ' : ''}— ${report.added} candidate(s) queued, ` +
-            `${report.skipped} already present (${report.filesWithEdits}/${report.filesScanned} file(s) with edits)`);
-        for (const s of report.sample)
-            console.log(`  ${icons.bullet} ${s}`);
-        if (!dryRun && report.added > 0)
-            printSuccess('Review with: wyrm review');
-    }
-    finally {
-        db.close();
-    }
-}
-async function cmdImport(args) {
-    const { positional, flags } = parseArgs(args.slice(1));
-    const subCmd = args[0];
-    const projectName = flags['project'];
-    if (subCmd === 'git') {
-        const n = intFlag(flags['last'], 20);
-        const db = openDb();
-        const rawDb = db.getDatabase();
-        let projectId = null;
-        if (projectName) {
-            const proj = resolveProject(db, projectName);
-            if (!proj) {
-                printError(`Project not found: ${projectName}`);
-                db.close();
-                process.exit(1);
-            }
-            projectId = proj.id;
-        }
-        else {
-            // Use most recent project
-            const recent = rawDb.prepare('SELECT p.* FROM projects p JOIN sessions s ON s.project_id = p.id ORDER BY s.created_at DESC LIMIT 1').get();
-            if (recent)
-                projectId = recent.id;
-        }
-        if (!projectId) {
-            printError('No project found. Use --project <name>');
-            db.close();
-            process.exit(1);
-        }
-        // Run git log
-        // Use the unit-separator control byte (%x1f) as the field delimiter — commit
-        // subjects/authors can contain '|'. Drop %b (body): it's unused here and its
-        // embedded newlines would break the per-line parse below.
-        const gitResult = spawnSync('git', ['log', `--pretty=format:%H%x1f%s%x1f%an%x1f%ai`, `-${n}`], {
-            cwd: process.cwd(), encoding: 'utf-8', timeout: 10000, shell: false,
-        });
-        if (gitResult.error || gitResult.status !== 0) {
-            printError('git log failed. Make sure you are in a git repository.');
-            db.close();
-            process.exit(1);
-        }
-        const lines = gitResult.stdout.split('\n').filter((l) => l.trim());
-        const memory = new MemoryArtifacts(rawDb);
-        let captured = 0, skipped = 0;
-        for (const line of lines) {
-            const [, message, author, date] = line.split('\x1f');
-            const msg = message ?? '';
-            if (/^Merge /i.test(msg) || /^(chore|bump|release|version)/i.test(msg)) {
-                skipped++;
-                continue;
-            }
-            let kind = 'pattern';
-            if (/^fix(\(.+\))?:/i.test(msg))
-                kind = 'lesson';
-            else if (/^refactor(\(.+\))?:/i.test(msg))
-                kind = 'heuristic';
-            const typePrefix = msg.split(':')[0] ?? 'commit';
-            memory.add(projectId, {
-                kind, problem: msg,
-                whyItWorked: `Committed by ${author ?? 'unknown'} on ${date ?? 'unknown'}`,
-                tags: ['git', 'commit', typePrefix.toLowerCase()],
-                confidence: 0.6, needsReview: 1,
-            });
-            captured++;
-        }
-        db.close();
-        printSuccess(`Imported ${captured} commits (${skipped} skipped). Run ${c.cyan('wyrm review')} to activate.`);
-    }
-    else if (subCmd === 'rules') {
-        const filePath = positional[0];
-        const fmt = flags['format'] ?? 'plain';
-        if (!filePath) {
-            printError('Usage: wyrm import rules <path> [--project <name>] [--format cursorrules|copilot|plain]');
-            process.exit(1);
-        }
-        if (!existsSync(filePath)) {
-            printError(`File not found: ${filePath}`);
-            process.exit(1);
-        }
-        const content = readFileSync(filePath, 'utf-8');
-        const db = openDb();
-        const rawDb = db.getDatabase();
-        let projectId = null;
-        if (projectName) {
-            const proj = resolveProject(db, projectName);
-            if (!proj) {
-                printError(`Project not found: ${projectName}`);
-                db.close();
-                process.exit(1);
-            }
-            projectId = proj.id;
-        }
-        else {
-            const recent = rawDb.prepare('SELECT p.* FROM projects p JOIN sessions s ON s.project_id = p.id ORDER BY s.created_at DESC LIMIT 1').get();
-            if (recent)
-                projectId = recent.id;
-        }
-        if (!projectId) {
-            printError('No project found. Use --project <name>');
-            db.close();
-            process.exit(1);
-        }
-        const src = filePath.split('/').pop() ?? 'rules';
-        const baseTags = ['imported', fmt, src];
-        const byHeadings = content.split(/\n(?=#)/);
-        const byParagraphs = content.split(/\n\n+/);
-        const chunks = (byHeadings.length >= byParagraphs.length ? byHeadings : byParagraphs)
-            .map(ch => ch.trim()).filter(ch => ch.length >= 15);
-        const memory = new MemoryArtifacts(rawDb);
-        const groundTruths = new GroundTruths(rawDb);
-        let truthsCreated = 0, artifactsCreated = 0;
-        for (const chunk of chunks) {
-            if (/\b(always|never|must|use|don't|avoid|prefer)\b/i.test(chunk)) {
-                groundTruths.set(projectId, { category: 'constraint', key: chunk.slice(0, 50).replace(/\n/g, ' '), value: chunk, source: src });
-                truthsCreated++;
-            }
-            else {
-                memory.add(projectId, { kind: 'heuristic', problem: chunk, tags: baseTags, confidence: 0.7, needsReview: 1 });
-                artifactsCreated++;
-            }
-        }
-        db.close();
-        printSuccess(`Imported ${truthsCreated} ground truths + ${artifactsCreated} artifacts (pending review).`);
-    }
-    else {
-        printError('Usage: wyrm import git [--project <name>] [--last N]');
-        printError('       wyrm import rules <path> [--project <name>] [--format cursorrules|copilot|plain]');
-        process.exit(1);
-    }
-}
-async function cmdStats(args) {
-    const { flags } = parseArgs(args);
-    const projectName = flags['project'];
-    const db = openDb();
-    const rawDb = db.getDatabase();
-    printSection('Wyrm Statistics');
-    if (projectName) {
-        const proj = resolveProject(db, projectName);
-        if (!proj) {
-            printError(`Project not found: ${projectName}`);
-            db.close();
-            process.exit(1);
-        }
-        const stats = db.getProjectStats(proj.id);
-        const rows = [
-            ['Sessions', String(stats.sessions)],
-            ['Quests (pending)', String(stats.quests.pending)],
-            ['Quests (completed)', String(stats.quests.completed)],
-            ['Data Points', String(stats.dataPoints)],
-        ];
-        console.log(formatTable(['Metric', 'Value'], rows));
-    }
-    else {
-        const stats = db.getStats();
-        const rows = [
-            ['Projects', String(stats.projects)],
-            ['Sessions', String(stats.sessions)],
-            ['Quests', String(stats.quests)],
-            ['Data Points', String(stats.dataPoints)],
-            ['DB Size', stats.dbSize],
-        ];
-        // Also show memory/truths counts
-        const memCount = rawDb.prepare('SELECT COUNT(*) as n FROM memory_artifacts').get().n;
-        const truthCount = rawDb.prepare('SELECT COUNT(*) as n FROM ground_truths WHERE is_current = 1').get().n;
-        rows.push(['Memories', String(memCount)], ['Ground Truths', String(truthCount)]);
-        console.log(formatTable(['Metric', 'Value'], rows));
-    }
-    db.close();
-}
-async function cmdReview(args) {
-    const { flags } = parseArgs(args);
-    const projectName = flags['project'];
-    const db = openDb();
-    const rawDb = db.getDatabase();
-    let projectId = null;
-    if (projectName) {
-        const proj = resolveProject(db, projectName);
-        if (!proj) {
-            printError(`Project not found: ${projectName}`);
-            db.close();
-            process.exit(1);
-        }
-        projectId = proj.id;
-    }
-    const projectClause = projectId ? `AND project_id = ${projectId}` : '';
-    const pending = rawDb.prepare(`
+    `).all(s);if(m.length>0){const y=m.map(f=>[`quest:${f.id}`,f.priority,f.title.slice(0,60),f.status]);console.log(M(["ID","Priority","Title","Status"],y))}else console.log(d.dim("  No quests yet."))}t.close()}async function Ae(l){const{positional:i}=x(l),e=i[0];e||(p("Usage: wyrm show <typed-id>  (e.g. mem:41, quest:12, truth:7, data:5, session:3)"),process.exit(1));const[s,r]=e.split(":"),t=parseInt(r??"",10);(!s||isNaN(t))&&(p(`Invalid typed ID: ${e}. Format: type:number (e.g. mem:41)`),process.exit(1));const n=E(),a=n.getDatabase();switch(j(`${e}`),s){case"mem":{const o=a.prepare("SELECT * FROM memory_artifacts WHERE id = ?").get(t);if(!o){p(`Memory artifact ${t} not found`);break}console.log(d.bold("Kind:      ")+o.kind),console.log(d.bold("Confidence:")+` ${Math.round(o.confidence*100)}%`),console.log(d.bold("Problem:   ")+`
+`+o.problem),o.validated_fix&&console.log(d.bold("Solution:  ")+`
+`+o.validated_fix),o.why_it_worked&&console.log(d.bold("Why:       ")+`
+`+o.why_it_worked),o.tags&&console.log(d.bold("Tags:      ")+o.tags),console.log(d.bold("Created:   ")+o.created_at);break}case"quest":{const o=a.prepare("SELECT * FROM quests WHERE id = ?").get(t);if(!o){p(`Quest ${t} not found`);break}console.log(d.bold("Title:    ")+o.title),console.log(d.bold("Priority: ")+o.priority),console.log(d.bold("Status:   ")+o.status),o.description&&console.log(d.bold("Desc:     ")+`
+`+o.description),o.tags&&console.log(d.bold("Tags:     ")+o.tags),console.log(d.bold("Created:  ")+o.created_at);break}case"truth":{const o=a.prepare("SELECT * FROM ground_truths WHERE id = ?").get(t);if(!o){p(`Ground truth ${t} not found`);break}console.log(d.bold("Category: ")+o.category),console.log(d.bold("Key:      ")+o.key),console.log(d.bold("Value:    ")+`
+`+o.value),o.rationale&&console.log(d.bold("Rationale:")+`
+`+o.rationale),console.log(d.bold("Active:   ")+(o.is_current?"Yes":"No (superseded)")),console.log(d.bold("Created:  ")+o.created_at);break}case"data":{const o=a.prepare("SELECT * FROM data_lake WHERE id = ?").get(t);if(!o){p(`Data point ${t} not found`);break}console.log(d.bold("Category: ")+o.category),console.log(d.bold("Key:      ")+o.key),console.log(d.bold("Value:    ")+`
+`+String(o.value).slice(0,500)),console.log(d.bold("Created:  ")+o.created_at);break}case"session":{const o=a.prepare("SELECT * FROM sessions WHERE id = ?").get(t);if(!o){p(`Session ${t} not found`);break}console.log(d.bold("Date:       ")+o.date),console.log(d.bold("Objectives: ")+`
+`+o.objectives),o.completed&&console.log(d.bold("Completed:  ")+`
+`+o.completed),o.notes&&console.log(d.bold("Notes:      ")+`
+`+o.notes);break}default:p(`Unknown type prefix: ${s}. Use mem|quest|truth|data|session`)}n.close()}async function Ne(l){const{positional:i,flags:e}=x(l),s=i[0];s||(p('Usage: wyrm capture "<content>" [--project <name>] [--mode auto|quest|truth|memory]'),process.exit(1));const r=e.project,t=e.mode,n=E(),a=n.getDatabase();let o=null;if(r){const S=P(n,r);S||(p(`Project not found: ${r}`),n.close(),process.exit(1)),o=S.id}let u=Pe(s);t&&t!=="auto"&&(u={type:t,subtype:{quest:"quest",truth:"decision",memory:"pattern"}[t]??t,confidence:100,reasoning:`Mode override: ${t}`});const{type:c,subtype:m,confidence:y,reasoning:f}=u;(c==="quest"||c==="truth"||c==="memory")&&o===null&&(p('A --project is required to capture. Use: wyrm capture "<text>" --project <name>'),n.close(),process.exit(1));let g=0,w="",h=!1;const b=new G(a),_=new de(a);if(c==="quest")g=n.addQuest(o,s.slice(0,200),"","medium").id,w="quest";else if(c==="truth")t!=="truth"&&y<100?(g=b.add(o,{kind:"pattern",problem:s,confidence:y/100,needsReview:1}).id,w="mem",h=!0):(g=_.set(o,{category:"decision",key:s.slice(0,60),value:s}).id,w="truth");else{const S=y>=75;g=b.add(o,{kind:m,problem:s,confidence:y/100,needsReview:S?0:1}).id,w="mem",S||(h=!0)}n.close(),v(`Captured as ${c}: ${m}`),console.log(`${d.dim("Confidence:")} ${y}%  |  ${d.dim(f)}`),console.log(`${d.dim("ID:")} ${w}:${g}`),h&&console.log(`${L.warning} Stored for review \u2014 run ${d.cyan("wyrm review")} to activate`)}async function Le(l){const{flags:i}=x(l),e=R(i.session,0),s=i.path,r=i.project,t=R(i["max-chars"],6e3),n=i.quiet===!0,a=console.log;console.log=()=>{};const o=E();try{const u=new Ce(o.getDatabase());let c=e;if(c<=0){let f=s?o.getProject(s):void 0;if(!f&&r&&(f=P(o,r)??void 0),f||(f=o.getProject(process.cwd())),!f){n||process.stderr.write(`wyrm rehydrate: no Wyrm project for this directory, nothing to restore.
+`);return}const g=o.getRecentSessions(f.id,1);if(g.length===0){n||process.stderr.write(`wyrm rehydrate: project "${f.name}" has no prior sessions yet.
+`);return}c=g[0].id}const m=u.rehydrate(c);if(!m){n||process.stderr.write(`wyrm rehydrate: session ${c} not found.
+`);return}let y=m.briefing_markdown;t>0&&y.length>t&&(y=y.slice(0,t)+`
+
+_... brief truncated at ${t} chars, run \`wyrm show session:${m.session_id}\` for the full record._`),process.stdout.write(y+`
+`)}finally{o.close(),console.log=a}}async function Oe(l){const{flags:i}=x(l),e=i.path,s=i.project,r=i.out,t=i.brief===!0,n=i.force===!0,a=i.quiet===!0,o=(typeof i.client=="string"?i.client:"").split(",").map(g=>g.trim().toLowerCase()).filter(Boolean),u=["claude","cursor","copilot","agents"],c=o.filter(g=>u.includes(g)),m=o.filter(g=>!u.includes(g));m.length>0&&(p(`Unknown --client value(s): ${m.join(", ")} (valid: ${u.join("|")})`),process.exit(1));const y=console.log;t&&(console.log=()=>{});const f=E();try{let g=e?f.getProject(e):void 0;!g&&s&&(g=P(f,s)??void 0),g||(g=f.getProject(process.cwd())),g||(console.log=y,p("wyrm render: no Wyrm project for this directory (use --path or --project)."),process.exit(1));const w=pe(f.getDatabase()),h={wyrm_version:O().version??"unknown",compiled_at:new Date().toISOString()};if(t){const $=se(w,g,h);console.log=y,process.stdout.write($.sessionBrief+`
+`);return}const b=r??g.path;{const $=await import("./reverse-bridge.js"),T=se(w,g,h),Y={"MEMORY.md":T.memoryMd};for(const q of c){const A=ue(q,T.model,h);Y[A.relPath]=A.block}try{const q=$.makeBridgeDeps(f.getDatabase()),A=await $.sweepProject(q,{id:g.id,path:g.path},Y,{rootDir:b});A.added>0&&!a&&console.log(`  ${L.warning} harvested ${A.added} human edit(s) \u2192 review queue before overwrite`)}catch{}}const{plan:_,writes:S}=Re(w,g,h,{rootDir:b,clients:c,force:n});if(!a){v(`Rendered ${g.name} memory (${_.model.truths.length} truths, ${_.model.failures.length} failures, ${_.model.quests.length} quests, ${_.model.artifacts.length} patterns) to ${b}`);for(const $ of S){const T=$.action==="created"?L.success:$.action==="updated"?L.info:L.warning;console.log(`  ${T} ${$.action.padEnd(7)} ${$.path}${$.reason?`  (${$.reason})`:""}`)}}}finally{f.close(),console.log=y}}async function We(l){const{flags:i}=x(l),e=i.path,s=i.project,r=i.root,t=i["dry-run"]===!0||i.dry===!0,n=(typeof i.client=="string"?i.client:"").split(",").map(m=>m.trim().toLowerCase()).filter(Boolean),a=["claude","cursor","copilot","agents"],o=n.filter(m=>a.includes(m)),u=await import("./reverse-bridge.js"),c=E();try{let m=e?c.getProject(e):void 0;if(!m&&s&&(m=P(c,s)??void 0),m||(m=c.getProject(process.cwd())),!m){p("wyrm reverse-bridge: no Wyrm project for this directory (use --path or --project)."),process.exitCode=1;return}const y=pe(c.getDatabase()),f={wyrm_version:O().version??"unknown",compiled_at:new Date().toISOString()},g=se(y,m,f),w={"MEMORY.md":g.memoryMd};for(const _ of o){const S=ue(_,g.model,f);w[S.relPath]=S.block}const h=u.makeBridgeDeps(c.getDatabase()),b=await u.sweepProject(h,{id:m.id,path:m.path},w,{dryRun:t,rootDir:r});j(`Reverse bridge ${t?"(dry run) ":""}\u2014 ${b.added} candidate(s) queued, ${b.skipped} already present (${b.filesWithEdits}/${b.filesScanned} file(s) with edits)`);for(const _ of b.sample)console.log(`  ${L.bullet} ${_}`);!t&&b.added>0&&v("Review with: wyrm review")}finally{c.close()}}async function Ye(l){const{positional:i,flags:e}=x(l.slice(1)),s=l[0],r=e.project;if(s==="git"){const t=R(e.last,20),n=E(),a=n.getDatabase();let o=null;if(r){const g=P(n,r);g||(p(`Project not found: ${r}`),n.close(),process.exit(1)),o=g.id}else{const g=a.prepare("SELECT p.* FROM projects p JOIN sessions s ON s.project_id = p.id ORDER BY s.created_at DESC LIMIT 1").get();g&&(o=g.id)}o||(p("No project found. Use --project <name>"),n.close(),process.exit(1));const u=B("git",["log","--pretty=format:%H%x1f%s%x1f%an%x1f%ai",`-${t}`],{cwd:process.cwd(),encoding:"utf-8",timeout:1e4,shell:!1});(u.error||u.status!==0)&&(p("git log failed. Make sure you are in a git repository."),n.close(),process.exit(1));const c=u.stdout.split(`
+`).filter(g=>g.trim()),m=new G(a);let y=0,f=0;for(const g of c){const[,w,h,b]=g.split(""),_=w??"";if(/^Merge /i.test(_)||/^(chore|bump|release|version)/i.test(_)){f++;continue}let S="pattern";/^fix(\(.+\))?:/i.test(_)?S="lesson":/^refactor(\(.+\))?:/i.test(_)&&(S="heuristic");const $=_.split(":")[0]??"commit";m.add(o,{kind:S,problem:_,whyItWorked:`Committed by ${h??"unknown"} on ${b??"unknown"}`,tags:["git","commit",$.toLowerCase()],confidence:.6,needsReview:1}),y++}n.close(),v(`Imported ${y} commits (${f} skipped). Run ${d.cyan("wyrm review")} to activate.`)}else if(s==="rules"){const t=i[0],n=e.format??"plain";t||(p("Usage: wyrm import rules <path> [--project <name>] [--format cursorrules|copilot|plain]"),process.exit(1)),ce(t)||(p(`File not found: ${t}`),process.exit(1));const a=V(t,"utf-8"),o=E(),u=o.getDatabase();let c=null;if(r){const $=P(o,r);$||(p(`Project not found: ${r}`),o.close(),process.exit(1)),c=$.id}else{const $=u.prepare("SELECT p.* FROM projects p JOIN sessions s ON s.project_id = p.id ORDER BY s.created_at DESC LIMIT 1").get();$&&(c=$.id)}c||(p("No project found. Use --project <name>"),o.close(),process.exit(1));const m=t.split("/").pop()??"rules",y=["imported",n,m],f=a.split(/\n(?=#)/),g=a.split(/\n\n+/),w=(f.length>=g.length?f:g).map($=>$.trim()).filter($=>$.length>=15),h=new G(u),b=new de(u);let _=0,S=0;for(const $ of w)/\b(always|never|must|use|don't|avoid|prefer)\b/i.test($)?(b.set(c,{category:"constraint",key:$.slice(0,50).replace(/\n/g," "),value:$,source:m}),_++):(h.add(c,{kind:"heuristic",problem:$,tags:y,confidence:.7,needsReview:1}),S++);o.close(),v(`Imported ${_} ground truths + ${S} artifacts (pending review).`)}else p("Usage: wyrm import git [--project <name>] [--last N]"),p("       wyrm import rules <path> [--project <name>] [--format cursorrules|copilot|plain]"),process.exit(1)}async function qe(l){const{flags:i}=x(l),e=i.project,s=E(),r=s.getDatabase();if(j("Wyrm Statistics"),e){const t=P(s,e);t||(p(`Project not found: ${e}`),s.close(),process.exit(1));const n=s.getProjectStats(t.id),a=[["Sessions",String(n.sessions)],["Quests (pending)",String(n.quests.pending)],["Quests (completed)",String(n.quests.completed)],["Data Points",String(n.dataPoints)]];console.log(M(["Metric","Value"],a))}else{const t=s.getStats(),n=[["Projects",String(t.projects)],["Sessions",String(t.sessions)],["Quests",String(t.quests)],["Data Points",String(t.dataPoints)],["DB Size",t.dbSize]],a=r.prepare("SELECT COUNT(*) as n FROM memory_artifacts").get().n,o=r.prepare("SELECT COUNT(*) as n FROM ground_truths WHERE is_current = 1").get().n;n.push(["Memories",String(a)],["Ground Truths",String(o)]),console.log(M(["Metric","Value"],n))}s.close()}async function Fe(l){const{flags:i}=x(l),e=i.project,s=E(),r=s.getDatabase();let t=null;if(e){const c=P(s,e);c||(p(`Project not found: ${e}`),s.close(),process.exit(1)),t=c.id}const n=t?`AND project_id = ${t}`:"",a=r.prepare(`
     SELECT id, kind, problem FROM memory_artifacts
-    WHERE needs_review = 1 ${projectClause}
+    WHERE needs_review = 1 ${n}
     ORDER BY created_at ASC
-  `).all();
-    if (pending.length === 0) {
-        console.log(c.dim(`  No artifacts pending review${projectName ? ` for ${projectName}` : ''}.`));
-        db.close();
-        return;
-    }
-    printSection(`Review Queue (${pending.length} items)`);
-    const rl = createInterface({ input: process.stdin, output: process.stdout });
-    const ask = (question) => new Promise(resolve => { rl.question(question, resolve); });
-    for (const item of pending) {
-        console.log(`\n${c.bold(`[${item.kind}] #${item.id}`)}`);
-        console.log(c.dim('─'.repeat(60)));
-        console.log(item.problem.slice(0, 300));
-        console.log(c.dim('─'.repeat(60)));
-        const answer = await ask(`${c.cyan('[a]')}pprove / ${c.red('[r]')}eject / ${c.yellow('[s]')}kip? `);
-        const choice = answer.trim().toLowerCase();
-        if (choice === 'a') {
-            rawDb.prepare('UPDATE memory_artifacts SET needs_review = 0, updated_at = datetime(\'now\') WHERE id = ?').run(item.id);
-            printSuccess(`Approved #${item.id}`);
-        }
-        else if (choice === 'r') {
-            rawDb.prepare('DELETE FROM memory_artifacts WHERE id = ?').run(item.id);
-            console.log(`${icons.cross} Rejected #${item.id}`);
-        }
-        else {
-            console.log(c.dim(`  Skipped #${item.id}`));
-        }
-    }
-    rl.close();
-    db.close();
-    console.log('\nReview complete.');
-}
-async function cmdSync(args) {
-    const { positional, flags } = parseArgs(args);
-    const subcommand = positional[0]; // 'export' | 'import' | 'preview'
-    if (!subcommand || !['export', 'import', 'preview'].includes(subcommand)) {
-        printError('Usage: wyrm sync export --out <path> | wyrm sync import --from <path> | wyrm sync preview --from <path>');
-        process.exit(1);
-    }
-    const { randomBytes, pbkdf2Sync, createCipheriv, createDecipheriv } = await import('crypto');
-    const { readFileSync, writeFileSync, copyFileSync, unlinkSync, existsSync, chmodSync } = await import('fs');
-    const { homedir: homedirCli } = await import('os');
-    const { join: joinCli } = await import('path');
-    const BetterSQLite = (await import('better-sqlite3')).default;
-    // Get passphrase from env or prompt interactively
-    let passphrase = process.env.WYRM_SYNC_PASSPHRASE ?? '';
-    if (!passphrase) {
-        const rlSync = createInterface({ input: process.stdin, output: process.stdout });
-        passphrase = await new Promise(resolve => {
-            process.stdout.write('Passphrase: ');
-            // Hide input
-            if (process.stdin.isTTY)
-                process.stdin.setRawMode?.(true);
-            rlSync.question('', ans => {
-                if (process.stdin.isTTY)
-                    process.stdin.setRawMode?.(false);
-                console.log('');
-                rlSync.close();
-                resolve(ans);
-            });
-        });
-    }
-    if (!passphrase) {
-        printError('Passphrase is required. Set WYRM_SYNC_PASSPHRASE or enter interactively.');
-        process.exit(1);
-    }
-    const wyrmDirCli = joinCli(homedirCli(), '.wyrm');
-    const db = openDb();
-    if (subcommand === 'export') {
-        const outputPath = flags['out'];
-        if (!outputPath) {
-            printError('--out <path> is required');
-            process.exit(1);
-        }
-        const tempPath = joinCli(wyrmDirCli, 'wyrm_cli_export_temp.db');
-        try {
-            const rawDb = db.getDatabase();
-            if (existsSync(tempPath))
-                unlinkSync(tempPath);
-            rawDb.prepare('VACUUM INTO ?').run(tempPath);
-            const plaintext = readFileSync(tempPath);
-            const salt = randomBytes(32);
-            const iv = randomBytes(16);
-            const key = pbkdf2Sync(passphrase, salt, 600000, 32, 'sha256');
-            const cipher = createCipheriv('aes-256-gcm', key, iv);
-            const encrypted = Buffer.concat([cipher.update(plaintext), cipher.final()]);
-            const authTag = cipher.getAuthTag();
-            const magic = Buffer.from('WYRM');
-            const version = Buffer.alloc(1);
-            version.writeUInt8(1, 0);
-            const output = Buffer.concat([magic, version, salt, iv, authTag, encrypted]);
-            writeFileSync(outputPath, output);
-            try {
-                chmodSync(outputPath, 0o600);
-            }
-            catch { /* non-fatal */ }
-            try {
-                unlinkSync(tempPath);
-            }
-            catch { /* non-fatal */ }
-            const sizeMb = (output.length / (1024 * 1024)).toFixed(2);
-            printSuccess(`Exported to ${outputPath} (${sizeMb} MB)`);
-        }
-        catch (err) {
-            try {
-                if (existsSync(tempPath))
-                    unlinkSync(tempPath);
-            }
-            catch { /* clean up */ }
-            printError(`Export failed: ${err}`);
-        }
-        db.close();
-        return;
-    }
-    const inputPath = flags['from'];
-    if (!inputPath) {
-        printError('--from <path> is required');
-        process.exit(1);
-    }
-    const fileData = readFileSync(inputPath);
-    if (fileData.subarray(0, 4).toString('ascii') !== 'WYRM') {
-        printError('Invalid Wyrm snapshot file.');
-        process.exit(1);
-    }
-    const version = fileData.readUInt8(4);
-    if (version !== 1) {
-        printError(`Unsupported snapshot version: ${version}`);
-        process.exit(1);
-    }
-    const salt = fileData.subarray(5, 37);
-    const iv = fileData.subarray(37, 53);
-    const authTag = fileData.subarray(53, 69);
-    const encrypted = fileData.subarray(69);
-    const key = pbkdf2Sync(passphrase, salt, 600000, 32, 'sha256');
-    const decipher = createDecipheriv('aes-256-gcm', key, iv);
-    decipher.setAuthTag(authTag);
-    let decrypted;
-    try {
-        decrypted = Buffer.concat([decipher.update(encrypted), decipher.final()]);
-    }
-    catch {
-        printError('Decryption failed — wrong passphrase or corrupted file.');
-        process.exit(1);
-    }
-    if (subcommand === 'preview') {
-        const tempPreview = joinCli(wyrmDirCli, 'wyrm_cli_preview_temp.db');
-        if (existsSync(tempPreview))
-            unlinkSync(tempPreview);
-        writeFileSync(tempPreview, decrypted);
-        try {
-            const previewDb = new BetterSQLite(tempPreview, { readonly: true });
-            const tables = ['projects', 'sessions', 'ground_truths', 'memory_artifacts', 'quests'];
-            printSection('Snapshot Preview');
-            const rows = [];
-            for (const t of tables) {
-                try {
-                    const row = previewDb.prepare(`SELECT COUNT(*) as n FROM ${t}`).get();
-                    rows.push([t, String(row.n)]);
-                }
-                catch {
-                    rows.push([t, '?']);
-                }
-            }
-            console.log(formatTable(['Table', 'Count'], rows));
-            previewDb.close();
-        }
-        catch (err) {
-            printError(`Preview failed: ${err}`);
-        }
-        try {
-            if (existsSync(tempPreview))
-                unlinkSync(tempPreview);
-        }
-        catch { /* clean up */ }
-        db.close();
-        return;
-    }
-    // restore
-    const dbPath = db.getDatabasePath();
-    const rlConfirm = createInterface({ input: process.stdin, output: process.stdout });
-    const answer = await new Promise(resolve => {
-        rlConfirm.question('This will REPLACE your current database. Type CONFIRM to proceed: ', resolve);
-    });
-    rlConfirm.close();
-    if (answer.trim() !== 'CONFIRM') {
-        console.log(c.dim('Aborted.'));
-        db.close();
-        return;
-    }
-    const timestamp = new Date().toISOString().replace(/[:.]/g, '-');
-    const backupPath = `${dbPath}.backup.${timestamp}`;
-    copyFileSync(dbPath, backupPath);
-    printSuccess(`Backed up to ${backupPath}`);
-    const tempRestore = joinCli(wyrmDirCli, 'wyrm_cli_restore_temp.db');
-    writeFileSync(tempRestore, decrypted);
-    db.getDatabase().close();
-    copyFileSync(tempRestore, dbPath);
-    // Drop stale WAL/SHM sidecars from the OLD database — leaving them lets
-    // SQLite replay an unrelated WAL over the freshly restored file and corrupt
-    // it (Wyrm runs in WAL mode).
-    for (const suffix of ['-wal', '-shm']) {
-        try {
-            if (existsSync(dbPath + suffix))
-                unlinkSync(dbPath + suffix);
-        }
-        catch { /* non-fatal */ }
-    }
-    try {
-        unlinkSync(tempRestore);
-    }
-    catch { /* clean up */ }
-    printSuccess(`Restored from ${inputPath}. Backup at ${backupPath}`);
-}
-async function cmdPrune(args) {
-    const { flags } = parseArgs(args);
-    const projectName = flags['project'];
-    const pathFlag = flags['path'];
-    const minConf = floatFlag(flags['min-confidence'], 0.3);
-    const olderThanDays = intFlag(flags['older-than'], 90);
-    const noDryRun = flags['no-dry-run'] === true;
-    const assumeYes = flags['yes'] === true; // skip the interactive CONFIRM (for the SessionEnd auto-prune hook)
-    const db = openDb();
-    const rawDb = db.getDatabase();
-    // Scope resolution: exact --path first (what the auto-prune hook passes), then
-    // --project name. Exact-path scoping prevents a loose name LIKE match from
-    // deleting a *different* project's artifacts. No flag → global prune.
-    let projectId = null;
-    if (pathFlag || projectName) {
-        const proj = pathFlag ? db.getProject(pathFlag) : resolveProject(db, projectName);
-        if (!proj) {
-            printError(`Project not found: ${pathFlag ?? projectName}`);
-            db.close();
-            process.exit(1);
-        }
-        projectId = proj.id;
-    }
-    // Candidate selection + deletion live in MemoryArtifacts.pruneStale (unit
-    // tested for exact project scoping). The CLI keeps the table render + confirm.
-    const memory = new MemoryArtifacts(rawDb);
-    const { candidates } = memory.pruneStale({ projectId, minConfidence: minConf, olderThanDays, dryRun: true });
-    printSection(`Prune Candidates${noDryRun ? ' (LIVE DELETE)' : ' (dry-run)'}`);
-    if (candidates.length === 0) {
-        console.log(c.dim('  No artifacts match prune criteria.'));
-        db.close();
-        return;
-    }
-    const rows = candidates.map(r => [
-        String(r.id), r.kind, r.problem.slice(0, 60),
-        (r.confidence * 100).toFixed(0) + '%',
-        r.last_accessed_at ?? 'never',
-    ]);
-    console.log(formatTable(['ID', 'Kind', 'Problem', 'Conf', 'Last Accessed'], rows));
-    console.log(`\nTotal: ${candidates.length} candidate(s)`);
-    if (!noDryRun) {
-        console.log(c.dim('\nThis is a dry run. Use --no-dry-run to delete (confirm each ID).'));
-        db.close();
-        return;
-    }
-    // --yes bypasses the prompt for non-interactive callers (the SessionEnd
-    // auto-prune hook). Still bounded by the same conservative filters above:
-    // low confidence, stale, already-reviewed, non-superseding artifacts only.
-    if (!assumeYes) {
-        const rlPrune = createInterface({ input: process.stdin, output: process.stdout });
-        const answer = await new Promise(resolve => {
-            rlPrune.question(`\nDelete these ${candidates.length} artifact(s)? Type CONFIRM to proceed: `, resolve);
-        });
-        rlPrune.close();
-        if (answer.trim() !== 'CONFIRM') {
-            console.log(c.dim('Aborted.'));
-            db.close();
-            return;
-        }
-    }
-    // Delete exactly the candidate set we showed (and confirmed), not a fresh
-    // re-select, so the deleted set always matches the displayed set.
-    const deleted = memory.deleteArtifacts(candidates.map(c => c.id));
-    printSuccess(`Deleted ${deleted} artifact(s).`);
-    db.close();
-}
-// ==================== v7 F3 (T023) — CLI-EXILE SUBCOMMANDS ====================
-// The 22 CLI-exiled MCP names (src/deprecations.ts CLI_EXILE_TOOLS) redirect
-// to `wyrm` subcommands in 7.0. `setup|embed|sync|cloud|vault|harvest|review|
-// grove` already existed; the commands below ship the genuinely missing ones.
-// Every command WRAPS the existing src module the MCP case ran — never a
-// reimplementation (license.ts, hours.ts, agent-daemon.ts, version-check.ts,
-// autoconfig.ts, migrate-prompt.ts, maintenance.ts, reindex.ts, vectors.ts).
-/** Read all of stdin (for `wyrm activate` / piped license JSON). */
-function readStdin() {
-    return readFileSync(0, 'utf-8').trim();
-}
-/** `wyrm license` — show the current license status (wraps license.ts). */
-async function cmdLicense() {
-    const { initializeLicense, getLicenseInfo, getTier } = await import('./license.js');
-    initializeLicense();
-    const info = getLicenseInfo();
-    printSection('Wyrm License');
-    const rows = [
-        ['Tier', getTier()],
-        ['Status', info.valid ? 'valid' : 'free tier (no license key)'],
-    ];
-    if (info.valid && info.key) {
-        rows.push(['Key', info.key]);
-        rows.push(['Issued to', info.issuedTo ?? 'unknown']);
-        rows.push(['Expires', info.expiresAt ? new Date(info.expiresAt).toLocaleDateString() : 'never']);
-    }
-    rows.push(['Features', info.features.join(', ') || '(free)']);
-    console.log(formatTable(['Field', 'Value'], rows));
-    if (!info.valid) {
-        console.log(c.dim('\n  Activate with: wyrm activate <license.json | key>   ·   buy at https://ghosts.lk/wyrm'));
-    }
-}
-/** `wyrm activate <key|path>` — activate a license (wraps license.ts). */
-async function cmdLogin() {
-    // Device-authorization flow against the identity hub → a free, account-bound,
-    // short-lived signed license saved to ~/.wyrm/license.json. This is what
-    // satisfies the activation gate on account-required (official) builds.
-    const base = (process.env.WYRM_ACCOUNT_URL ?? 'https://account.ghosts.lk').replace(/\/$/, '');
-    let start;
-    try {
-        const r = await fetch(`${base}/api/v1/cli/auth/start`, { method: 'POST' });
-        if (!r.ok)
-            throw new Error(`HTTP ${r.status}`);
-        start = await r.json();
-    }
-    catch (e) {
-        printError(`Couldn't reach ${base} (${e instanceof Error ? e.message : 'network error'}).`);
-        process.exitCode = 1;
-        return;
-    }
-    const url = start.verification_uri_complete || start.verification_uri || `${base}/cli`;
-    console.log(`\n  ${c.cyan('Sign in to activate Wyrm (free):')}`);
-    console.log(`  1. Open  ${c.cyan(url)}`);
-    console.log(`  2. Approve the code  ${c.cyan(start.user_code)}`);
-    console.log(c.dim('\n  Waiting for approval… (Ctrl-C to cancel)'));
-    const interval = (start.interval ?? 3) * 1000;
-    const deadline = Date.now() + (start.expires_in ?? 600) * 1000;
-    let token = '';
-    while (Date.now() < deadline) {
-        await new Promise((res) => setTimeout(res, interval));
-        try {
-            const pr = await fetch(`${base}/api/v1/cli/auth/poll`, {
-                method: 'POST', headers: { 'content-type': 'application/json' },
-                body: JSON.stringify({ device_code: start.device_code }),
-            });
-            const pj = await pr.json();
-            if (pj.status === 'approved' && pj.token) {
-                token = pj.token;
-                break;
-            }
-            if (pj.status === 'denied' || pj.error === 'expired') {
-                printError('Login was denied or the code expired. Run `wyrm login` again.');
-                process.exitCode = 1;
-                return;
-            }
-        }
-        catch { /* transient — keep polling */ }
-    }
-    if (!token) {
-        printError('Login timed out. Run `wyrm login` again.');
-        process.exitCode = 1;
-        return;
-    }
-    let signedStr;
-    try {
-        const lr = await fetch(`${base}/api/v1/license/free`, { method: 'POST', headers: { authorization: `Bearer ${token}` } });
-        if (!lr.ok) {
-            const ej = await lr.json().catch(() => ({}));
-            printError(`Activation failed (${lr.status}): ${ej.hint || ej.error || 'unknown error'}`);
-            process.exitCode = 1;
-            return;
-        }
-        signedStr = JSON.stringify(await lr.json());
-    }
-    catch (e) {
-        printError(`Activation request failed (${e instanceof Error ? e.message : 'network error'}).`);
-        process.exitCode = 1;
-        return;
-    }
-    const { activateLicense } = await import('./license.js');
-    const result = activateLicense(signedStr);
-    if (result.valid) {
-        printSuccess(`Signed in & activated — ${result.tier} tier (expires ${result.expiresAt ?? 'never'}).`);
-        console.log(c.dim('  Restart the Wyrm MCP server / daemon to apply.'));
-    }
-    else {
-        printError(`Activation failed: ${result.error ?? 'unknown error'}`);
-        process.exitCode = 1;
-    }
-}
-async function cmdActivate(args) {
-    const { positional } = parseArgs(args);
-    const input = positional[0];
-    let licenseStr;
-    if (input && existsSync(input)) {
-        licenseStr = readFileSync(input, 'utf-8');
-    }
-    else if (input) {
-        licenseStr = input;
-    }
-    else if (!process.stdin.isTTY) {
-        licenseStr = readStdin();
-    }
-    else {
-        printError('Usage: wyrm activate <license.json path | license JSON>   (or pipe the JSON on stdin)');
-        process.exit(1);
-    }
-    const { activateLicense } = await import('./license.js');
-    try {
-        const result = activateLicense(licenseStr);
-        if (result.valid) {
-            printSuccess(`License activated — ${result.tier} tier (${result.features.join(', ')})`);
-            console.log(c.dim('  Restart Wyrm (MCP server / daemon) to apply all features.'));
-        }
-        else {
-            printError(`License activation failed: ${result.error ?? 'unknown error'}`);
-            process.exitCode = 1;
-        }
-    }
-    catch {
-        printError('Invalid license format. Please verify your license key.');
-        process.exitCode = 1;
-    }
-}
-/** `wyrm maintenance [--vacuum] [--archive-days N]` — wraps maintenance.ts
- * (the SAME runMaintenance the wyrm_maintenance MCP tool runs). */
-async function cmdMaintenance(args) {
-    const { flags } = parseArgs(args);
-    const { runMaintenance } = await import('./maintenance.js');
-    const { FailurePatterns } = await import('./failure-patterns.js');
-    const { SessionSeen } = await import('./session-seen.js');
-    const { AgentPresence } = await import('./presence.js');
-    const db = openDb();
-    try {
-        const raw = db.getDatabase();
-        const archiveDays = intFlag(flags['archive-days'], 0);
-        const report = runMaintenance(
-        // v7 F3 (T029): + presence — stale-claim eviction rides maintenance.
-        { db, sessionSeen: new SessionSeen(raw), failures: new FailurePatterns(raw), presence: new AgentPresence(raw) }, { vacuum: flags.vacuum === true, archiveDays: archiveDays > 0 ? archiveDays : undefined });
-        printSection('Maintenance complete');
-        for (const line of report.lines)
-            console.log(`  - ${line}`);
-        console.log(c.dim(`\n  Database size: ${report.dbSize}`));
-    }
-    finally {
-        db.close();
-    }
-}
-/** `wyrm index <setup|rebuild|status>` — vector search ops (wraps vectors.ts +
- * reindex.ts — the SAME loop the wyrm_reindex MCP tool runs). */
-async function cmdIndexVectors(args) {
-    const { positional, flags } = parseArgs(args);
-    const sub = positional[0] ?? 'status';
-    const { createVectorStore } = await import('./vectors.js');
-    const providerName = flags.provider
-        ?? process.env.WYRM_VECTOR_PROVIDER ?? 'auto';
-    const providerConfig = {
-        provider: providerName,
-        model: flags.model,
-        apiKey: flags['api-key'] ?? process.env.OPENAI_API_KEY,
-        ollamaUrl: flags['ollama-url'],
-    };
-    if (sub === 'setup') {
-        const { createProvider } = await import('./providers/embedding-provider.js');
-        const provider = createProvider(providerConfig);
-        const ready = await provider.isReady();
-        if (!ready && providerConfig.provider !== 'none') {
-            printError(`Provider not ready: ${provider.name}. Check the configuration and try again.`);
-            process.exitCode = 1;
-            return;
-        }
-        printSuccess(`Vector provider verified: ${provider.name} (model ${provider.model}, ${provider.dimensions}d)`);
-        console.log(c.dim('  The MCP server reads WYRM_VECTOR_PROVIDER (and provider-specific env) at boot —'));
-        console.log(c.dim(`  set WYRM_VECTOR_PROVIDER=${provider.name === 'none' ? 'none' : providerConfig.provider} in the server env, then: wyrm index rebuild`));
-        return;
-    }
-    const db = openDb();
-    try {
-        const raw = db.getDatabase();
-        const store = createVectorStore(providerConfig, raw);
-        if (sub === 'status') {
-            const stats = store.getStats();
-            printSection('Vector index');
-            const rows = [
-                ['Provider', stats.provider],
-                ['Model', stats.model],
-                ['Vectors', String(stats.total)],
-                ...Object.entries(stats.byType).map(([t, n]) => [`  ${t}`, String(n)]),
-            ];
-            console.log(formatTable(['Field', 'Value'], rows));
-            return;
-        }
-        if (sub === 'rebuild') {
-            const { reindexProjects } = await import('./reindex.js');
-            const dryRun = flags['dry-run'] === true;
-            const projRef = flags.project;
-            let projectIds;
-            if (projRef) {
-                const proj = db.getProject(projRef) ?? resolveProject(db, projRef);
-                if (!proj) {
-                    printError(`Project not found: ${projRef}`);
-                    process.exitCode = 1;
-                    return;
-                }
-                projectIds = [proj.id];
-            }
-            else {
-                projectIds = db.getAllProjects(1000).map((p) => p.id);
-            }
-            const { indexed, skipped } = await reindexProjects(raw, store, projectIds, {
-                dryRun,
-                onError: (message, context) => printError(`${message}: ${JSON.stringify(context)}`),
-            });
-            printSuccess(`Reindex ${dryRun ? '(dry run) ' : ''}— ${projectIds.length} project(s), ${indexed} indexed, ${skipped} skipped`);
-            return;
-        }
-        printError('Usage: wyrm index <setup|rebuild|status> [--provider auto|local|ollama|openai|none] [--model M] [--project P] [--dry-run]');
-        process.exitCode = 1;
-    }
-    finally {
-        db.close();
-    }
-}
-/** `wyrm update [--check] [--force]` — wraps version-check.ts; the update
- * itself is the same `npm install -g wyrm-mcp@latest` wyrm_self_update ran. */
-async function cmdUpdate(args) {
-    const { flags } = parseArgs(args);
-    const { getUpdateStatus } = await import('./version-check.js');
-    const current = readPkg().version ?? '0.0.0';
-    const db = openDb();
-    let status;
-    try {
-        status = await getUpdateStatus(db.getDatabase(), current, { force: flags.force === true || flags.check === true });
-    }
-    finally {
-        db.close();
-    }
-    printSection('Wyrm update');
-    console.log(formatTable(['Field', 'Value'], [
-        ['Current', status.current],
-        ['Latest', status.latest ?? 'unknown (offline?)'],
-        ['Update available', status.updateAvailable ? 'yes' : 'no'],
-        ['Checked', `${status.checkedAt} (${status.source})`],
-    ]));
-    if (flags.check === true)
-        return;
-    if (!status.updateAvailable && flags.force !== true) {
-        console.log(c.dim('\n  Already up to date. (Use --force to reinstall anyway.)'));
-        return;
-    }
-    console.log(c.dim('\n  Running: npm install -g wyrm-mcp@latest\n'));
-    const r = spawnSync('npm', ['install', '-g', 'wyrm-mcp@latest'], { stdio: 'inherit', shell: false });
-    if (r.status === 0)
-        printSuccess('Updated. Restart your MCP clients to pick up the new binary.');
-    else {
-        printError(`npm install exited with ${r.status ?? 'unknown'}`);
-        process.exitCode = r.status ?? 1;
-    }
-}
-/** `wyrm prompt <inject|migrate>` — wraps autoconfig.ts / migrate-prompt.ts. */
-async function cmdPrompt(args) {
-    const { positional, flags } = parseArgs(args);
-    const sub = positional[0];
-    const projectPath = flags.project ?? process.cwd();
-    if (sub === 'inject') {
-        const { injectSystemPrompt } = await import('./autoconfig.js');
-        const clients = typeof flags.clients === 'string' ? flags.clients.split(',').map((s) => s.trim()).filter(Boolean) : [];
-        const result = injectSystemPrompt(projectPath, clients);
-        printSection('System prompt injection');
-        for (const f of result.injected)
-            console.log(`  + ${f}`);
-        for (const s of result.skipped)
-            console.log(c.dim(`  o skipped (unknown client): ${s}`));
-        for (const e of result.errors)
-            printError(e);
-        if (result.injected.length > 0) {
-            printSuccess('AI clients in this project will now call wyrm_session_prime at conversation start.');
-        }
-        if (result.errors.length > 0)
-            process.exitCode = 1;
-        return;
-    }
-    if (sub === 'migrate') {
-        const { migrateProject, renderMigrationReport } = await import('./migrate-prompt.js');
-        const { WYRM_INJECT_BLOCK } = await import('./autoconfig.js');
-        const apply = flags.apply === true;
-        const results = migrateProject({ projectPath, newBlock: WYRM_INJECT_BLOCK, apply });
-        console.log(renderMigrationReport(results, apply));
-        return;
-    }
-    printError('Usage: wyrm prompt inject [--project <path>] [--clients copilot,cursor] | wyrm prompt migrate [--project <path>] [--apply]');
-    process.exitCode = 1;
-}
-/** `wyrm hours report --from <date> --to <date>` — wraps hours.ts HourLedger. */
-async function cmdHours(args) {
-    const { positional, flags } = parseArgs(args);
-    const sub = positional[0] ?? 'report';
-    if (sub !== 'report') {
-        printError('Usage: wyrm hours report --from YYYY-MM-DD --to YYYY-MM-DD [--project <name>] [--session-hours H] [--json]');
-        process.exit(1);
-    }
-    const from = flags.from;
-    const to = flags.to;
-    if (!from || !to) {
-        printError('--from and --to are required (YYYY-MM-DD)');
-        process.exit(1);
-    }
-    const { HourLedger } = await import('./hours.js');
-    const db = openDb();
-    try {
-        const projectName = flags.project;
-        const proj = projectName ? resolveProject(db, projectName) : null;
-        if (projectName && !proj) {
-            printError(`Project not found: ${projectName}`);
-            process.exitCode = 1;
-            return;
-        }
-        const report = new HourLedger(db.getDatabase()).report({
-            range_start: from,
-            range_end: to,
-            project_id: proj?.id,
-            default_session_hours: floatFlag(flags['session-hours'], 1.0),
-        });
-        if (flags.json === true) {
-            console.log(JSON.stringify(report, null, 2));
-            return;
-        }
-        printSection(`Hours ${report.range.start} → ${report.range.end}`);
-        if (report.by_project.length === 0) {
-            console.log(c.dim('  No sessions in range.'));
-            return;
-        }
-        console.log(formatTable(['Project', 'Sessions', 'Hours'], report.by_project.map((p) => [p.project_name, String(p.session_count), p.hours.toFixed(2)])));
-        console.log(`\n  Total: ${report.total_hours.toFixed(2)}h across ${report.entries.length} session(s)` +
-            (report.estimated_sessions > 0 ? c.dim(` (${report.estimated_sessions} estimated)`) : ''));
-    }
-    finally {
-        db.close();
-    }
-}
-/** `wyrm invoice generate --client <name> --rate <usd/h> --from --to` —
- * wraps hours.ts HourLedger.invoice (markdown to stdout or --out file). */
-async function cmdInvoice(args) {
-    const { positional, flags } = parseArgs(args);
-    const sub = positional[0] ?? 'generate';
-    const client = flags.client;
-    const rate = floatFlag(flags.rate, NaN);
-    const from = flags.from;
-    const to = flags.to;
-    if (sub !== 'generate' || !client || !Number.isFinite(rate) || !from || !to) {
-        printError('Usage: wyrm invoice generate --client <name> --rate <usd/hour> --from YYYY-MM-DD --to YYYY-MM-DD' +
-            ' [--project <name>] [--number INV-X] [--currency USD] [--notes "…"] [--out <path>]');
-        process.exit(1);
-    }
-    const { HourLedger } = await import('./hours.js');
-    const db = openDb();
-    try {
-        const projectName = flags.project;
-        const proj = projectName ? resolveProject(db, projectName) : null;
-        if (projectName && !proj) {
-            printError(`Project not found: ${projectName}`);
-            process.exitCode = 1;
-            return;
-        }
-        const md = new HourLedger(db.getDatabase()).invoice({
-            client_name: client,
-            hourly_rate_usd: rate,
-            range_start: from,
-            range_end: to,
-            project_id: proj?.id,
-            invoice_number: flags.number,
-            currency: flags.currency,
-            notes: flags.notes,
-            business_name: flags['business-name'],
-            business_address: flags['business-address'],
-            business_contact: flags['business-contact'],
-            client_address: flags['client-address'],
-            default_session_hours: floatFlag(flags['session-hours'], 1.0),
-        });
-        const out = flags.out;
-        if (out) {
-            const { writeFileSync } = await import('node:fs');
-            writeFileSync(out, md + '\n', 'utf-8');
-            printSuccess(`Invoice written to ${out}`);
-        }
-        else {
-            process.stdout.write(md + '\n');
-        }
-    }
-    finally {
-        db.close();
-    }
-}
-/** `wyrm agent <init|status|stop|restart>` — wraps agent-daemon.ts. */
-async function cmdAgent(args) {
-    const { positional, flags } = parseArgs(args);
-    const sub = positional[0] ?? 'status';
-    const { AgentDaemon } = await import('./agent-daemon.js');
-    const db = openDb();
-    try {
-        const daemon = new AgentDaemon(db.getDatabase());
-        switch (sub) {
-            case 'init':
-            case 'start': {
-                const interval = Math.max(10, Math.min(intFlag(flags.interval, 600), 86400));
-                const r = daemon.start({
-                    interval_seconds: interval,
-                    max_steps: flags['max-steps'] !== undefined ? intFlag(flags['max-steps'], 0) || undefined : undefined,
-                    project_path: flags.project,
-                    verbose: flags.verbose === true,
-                });
-                if (!r.ok) {
-                    printError(`Agent init failed: ${r.error}`);
-                    process.exitCode = 1;
-                    return;
-                }
-                const s = r.status;
-                printSuccess(`Agent ${s.pid != null && s.pid !== r.pid ? 'already running' : 'started'} — pid ${s.pid}`);
-                console.log(`  Interval: ${interval}s · Active goals: ${s.active_goals} · Total iterations: ${s.total_iterations}`);
-                console.log(c.dim(`  Log: ${s.log_file}`));
-                return;
-            }
-            case 'status': {
-                const s = daemon.status();
-                printSection('Wyrm agent');
-                console.log(s.running
-                    ? `  RUNNING — pid ${s.pid}${s.started_at ? ` (since ${s.started_at})` : ''}`
-                    : '  NOT RUNNING. Start it with: wyrm agent init');
-                console.log(`  Active goals: ${s.active_goals} · Total iterations: ${s.total_iterations}`);
-                if (s.last_action) {
-                    console.log(`  Last action (${s.last_action.ran_at}): ${s.last_action.summary} [${s.last_action.result_status ?? '?'}]`);
-                }
-                if (flags.log === true) {
-                    console.log('\n=== Recent log ===');
-                    console.log(daemon.recentLog(40));
-                }
-                return;
-            }
-            case 'stop': {
-                const r = await daemon.stop({ grace_ms: flags.grace !== undefined ? intFlag(flags.grace, 3000) : undefined });
-                if (!r.ok) {
-                    printError(`Stop failed: ${r.error}`);
-                    process.exitCode = 1;
-                    return;
-                }
-                printSuccess(r.was_running
-                    ? `Agent stopped (was pid ${r.pid}). Goals remain in DB — wyrm agent init resumes.`
-                    : 'Agent was not running. (No-op.)');
-                return;
-            }
-            case 'restart': {
-                const r = await daemon.restart({
-                    interval_seconds: flags.interval !== undefined ? intFlag(flags.interval, 600) : undefined,
-                    max_steps: flags['max-steps'] !== undefined ? intFlag(flags['max-steps'], 0) || undefined : undefined,
-                    project_path: flags.project,
-                    verbose: flags.verbose === true,
-                });
-                if (!r.ok) {
-                    printError(`Restart failed: ${r.error}`);
-                    process.exitCode = 1;
-                    return;
-                }
-                printSuccess(`Agent restarted — pid ${r.status.pid}. Active goals: ${r.status.active_goals}.`);
-                return;
-            }
-            default:
-                printError('Usage: wyrm agent <init|status|stop|restart> [--interval N] [--max-steps N] [--project <path>] [--verbose] [--log]');
-                process.exitCode = 1;
-        }
-    }
-    finally {
-        db.close();
-    }
-}
-/** `wyrm setup [...]` — delegate to the existing wyrm-setup bin (dist/setup.js
- * parses argv itself); `--encrypt` wraps crypto.ts (the wyrm_encrypt_setup
- * exile target: `wyrm setup --encrypt [--enable|--test]`). */
-async function cmdSetup(args) {
-    if (args.includes('--encrypt')) {
-        const { initializeLicense, hasFeature } = await import('./license.js');
-        initializeLicense();
-        if (!hasFeature('encryption')) {
-            printError('Encryption setup requires a Pro license or higher. See: wyrm license');
-            process.exitCode = 1;
-            return;
-        }
-        const { getCrypto, initializeCrypto } = await import('./crypto.js');
-        const wantEnable = args.includes('--enable');
-        const wantTest = args.includes('--test');
-        if (wantEnable) {
-            // password from env or stdin pipe — never argv (shell-history safety,
-            // same posture as `wyrm vault set`).
-            const password = process.env.WYRM_ENCRYPTION_KEY ?? (!process.stdin.isTTY ? readStdin() : '');
-            if (!password || password.length < 8) {
-                printError('Password must be at least 8 characters. Set WYRM_ENCRYPTION_KEY or pipe it:  printf %s "$PW" | wyrm setup --encrypt --enable');
-                process.exitCode = 1;
-                return;
-            }
-            initializeCrypto(password);
-            printSuccess('Encryption enabled (AES-256-GCM, key derived via PBKDF2). Store your password safely — it cannot be recovered.');
-            return;
-        }
-        const crypto = getCrypto();
-        if (wantTest) {
-            if (!crypto.isEnabled()) {
-                printError('Encryption not enabled. Run: wyrm setup --encrypt --enable');
-                process.exitCode = 1;
-                return;
-            }
-            const testData = 'Wyrm encryption test ' + Date.now();
-            const ok = crypto.decrypt(crypto.encrypt(testData)) === testData;
-            if (ok)
-                printSuccess('Encryption test PASSED (encrypt → decrypt roundtrip).');
-            else {
-                printError('Encryption test FAILED.');
-                process.exitCode = 1;
-            }
-            return;
-        }
-        printSection('Encryption status');
-        console.log(`  Enabled:   ${crypto.isEnabled() ? 'yes — new data is encrypted at rest' : 'no'}`);
-        console.log('  Algorithm: AES-256-GCM');
-        if (!crypto.isEnabled())
-            console.log(c.dim('  Enable with: wyrm setup --encrypt --enable  (password via WYRM_ENCRYPTION_KEY or stdin)'));
-        return;
-    }
-    // Plain `wyrm setup [...flags]` == the wyrm-setup bin: spawn the sibling
-    // script so its own argv parsing (argv.slice(2)) sees the flags directly.
-    const here = dirname(fileURLToPath(import.meta.url));
-    const r = spawnSync(process.execPath, [join(here, 'setup.js'), ...args], { stdio: 'inherit', shell: false });
-    process.exitCode = r.status ?? 0;
-}
-function printHelp() {
-    console.log(`
-${colors.brightMagenta}󱅝 Wyrm CLI v${readPkg().version ?? 'unknown'}${colors.reset}
-${colors.dim}Persistent AI Memory System${colors.reset}
+  `).all();if(a.length===0){console.log(d.dim(`  No artifacts pending review${e?` for ${e}`:""}.`)),s.close();return}j(`Review Queue (${a.length} items)`);const o=K({input:process.stdin,output:process.stdout}),u=c=>new Promise(m=>{o.question(c,m)});for(const c of a){console.log(`
+${d.bold(`[${c.kind}] #${c.id}`)}`),console.log(d.dim("\u2500".repeat(60))),console.log(c.problem.slice(0,300)),console.log(d.dim("\u2500".repeat(60)));const y=(await u(`${d.cyan("[a]")}pprove / ${d.red("[r]")}eject / ${d.yellow("[s]")}kip? `)).trim().toLowerCase();y==="a"?(r.prepare("UPDATE memory_artifacts SET needs_review = 0, updated_at = datetime('now') WHERE id = ?").run(c.id),v(`Approved #${c.id}`)):y==="r"?(r.prepare("DELETE FROM memory_artifacts WHERE id = ?").run(c.id),console.log(`${L.cross} Rejected #${c.id}`)):console.log(d.dim(`  Skipped #${c.id}`))}o.close(),s.close(),console.log(`
+Review complete.`)}async function Ue(l){const{positional:i,flags:e}=x(l),s=i[0];(!s||!["export","import","preview"].includes(s))&&(p("Usage: wyrm sync export --out <path> | wyrm sync import --from <path> | wyrm sync preview --from <path>"),process.exit(1));const{randomBytes:r,pbkdf2Sync:t,createCipheriv:n,createDecipheriv:a}=await import("crypto"),{readFileSync:o,writeFileSync:u,copyFileSync:c,unlinkSync:m,existsSync:y,chmodSync:f}=await import("fs"),{homedir:g}=await import("os"),{join:w}=await import("path"),h=(await import("better-sqlite3")).default;let b=process.env.WYRM_SYNC_PASSPHRASE??"";if(!b){const C=K({input:process.stdin,output:process.stdout});b=await new Promise(D=>{process.stdout.write("Passphrase: "),process.stdin.isTTY&&process.stdin.setRawMode?.(!0),C.question("",N=>{process.stdin.isTTY&&process.stdin.setRawMode?.(!1),console.log(""),C.close(),D(N)})})}b||(p("Passphrase is required. Set WYRM_SYNC_PASSPHRASE or enter interactively."),process.exit(1));const _=w(g(),".wyrm"),S=E();if(s==="export"){const C=e.out;C||(p("--out <path> is required"),process.exit(1));const D=w(_,"wyrm_cli_export_temp.db");try{const N=S.getDatabase();y(D)&&m(D),N.prepare("VACUUM INTO ?").run(D);const U=o(D),W=r(32),H=r(16),$e=t(b,W,6e5,32,"sha256"),te=n("aes-256-gcm",$e,H),ke=Buffer.concat([te.update(U),te.final()]),Se=te.getAuthTag(),je=Buffer.from("WYRM"),ne=Buffer.alloc(1);ne.writeUInt8(1,0);const ie=Buffer.concat([je,ne,W,H,Se,ke]);u(C,ie);try{f(C,384)}catch{}try{m(D)}catch{}const _e=(ie.length/(1024*1024)).toFixed(2);v(`Exported to ${C} (${_e} MB)`)}catch(N){try{y(D)&&m(D)}catch{}p(`Export failed: ${N}`)}S.close();return}const $=e.from;$||(p("--from <path> is required"),process.exit(1));const T=o($);T.subarray(0,4).toString("ascii")!=="WYRM"&&(p("Invalid Wyrm snapshot file."),process.exit(1));const Y=T.readUInt8(4);Y!==1&&(p(`Unsupported snapshot version: ${Y}`),process.exit(1));const q=T.subarray(5,37),A=T.subarray(37,53),ge=T.subarray(53,69),he=T.subarray(69),we=t(b,q,6e5,32,"sha256"),Q=a("aes-256-gcm",we,A);Q.setAuthTag(ge);let X;try{X=Buffer.concat([Q.update(he),Q.final()])}catch{p("Decryption failed \u2014 wrong passphrase or corrupted file."),process.exit(1)}if(s==="preview"){const C=w(_,"wyrm_cli_preview_temp.db");y(C)&&m(C),u(C,X);try{const D=new h(C,{readonly:!0}),N=["projects","sessions","ground_truths","memory_artifacts","quests"];j("Snapshot Preview");const U=[];for(const W of N)try{const H=D.prepare(`SELECT COUNT(*) as n FROM ${W}`).get();U.push([W,String(H.n)])}catch{U.push([W,"?"])}console.log(M(["Table","Count"],U)),D.close()}catch(D){p(`Preview failed: ${D}`)}try{y(C)&&m(C)}catch{}S.close();return}const F=S.getDatabasePath(),re=K({input:process.stdin,output:process.stdout}),be=await new Promise(C=>{re.question("This will REPLACE your current database. Type CONFIRM to proceed: ",C)});if(re.close(),be.trim()!=="CONFIRM"){console.log(d.dim("Aborted.")),S.close();return}const ve=new Date().toISOString().replace(/[:.]/g,"-"),Z=`${F}.backup.${ve}`;c(F,Z),v(`Backed up to ${Z}`);const ee=w(_,"wyrm_cli_restore_temp.db");u(ee,X),S.getDatabase().close(),c(ee,F);for(const C of["-wal","-shm"])try{y(F+C)&&m(F+C)}catch{}try{m(ee)}catch{}v(`Restored from ${$}. Backup at ${Z}`)}async function He(l){const{flags:i}=x(l),e=i.project,s=i.path,r=z(i["min-confidence"],.3),t=R(i["older-than"],90),n=i["no-dry-run"]===!0,a=i.yes===!0,o=E(),u=o.getDatabase();let c=null;if(s||e){const w=s?o.getProject(s):P(o,e);w||(p(`Project not found: ${s??e}`),o.close(),process.exit(1)),c=w.id}const m=new G(u),{candidates:y}=m.pruneStale({projectId:c,minConfidence:r,olderThanDays:t,dryRun:!0});if(j(`Prune Candidates${n?" (LIVE DELETE)":" (dry-run)"}`),y.length===0){console.log(d.dim("  No artifacts match prune criteria.")),o.close();return}const f=y.map(w=>[String(w.id),w.kind,w.problem.slice(0,60),(w.confidence*100).toFixed(0)+"%",w.last_accessed_at??"never"]);if(console.log(M(["ID","Kind","Problem","Conf","Last Accessed"],f)),console.log(`
+Total: ${y.length} candidate(s)`),!n){console.log(d.dim(`
+This is a dry run. Use --no-dry-run to delete (confirm each ID).`)),o.close();return}if(!a){const w=K({input:process.stdin,output:process.stdout}),h=await new Promise(b=>{w.question(`
+Delete these ${y.length} artifact(s)? Type CONFIRM to proceed: `,b)});if(w.close(),h.trim()!=="CONFIRM"){console.log(d.dim("Aborted.")),o.close();return}}const g=m.deleteArtifacts(y.map(w=>w.id));v(`Deleted ${g} artifact(s).`),o.close()}function me(){return V(0,"utf-8").trim()}async function Ve(){const{initializeLicense:l,getLicenseInfo:i,getTier:e}=await import("./license.js");l();const s=i();j("Wyrm License");const r=[["Tier",e()],["Status",s.valid?"valid":"free tier (no license key)"]];s.valid&&s.key&&(r.push(["Key",s.key]),r.push(["Issued to",s.issuedTo??"unknown"]),r.push(["Expires",s.expiresAt?new Date(s.expiresAt).toLocaleDateString():"never"])),r.push(["Features",s.features.join(", ")||"(free)"]),console.log(M(["Field","Value"],r)),s.valid||console.log(d.dim(`
+  Activate with: wyrm login   (free)   \xB7   or: wyrm activate <license.json | key>`)),console.log(d.dim(`
+  Source (AGPL-3.0-or-later): https://github.com/Ghosts-Protocol-Pvt-Ltd/Wyrm`)),console.log(d.dim("  Per AGPL \xA713, operators of a MODIFIED Wyrm network service must offer their modified source to users."))}async function Be(){const l=(process.env.WYRM_ACCOUNT_URL??"https://account.ghosts.lk").replace(/\/$/,""),i=(()=>{try{return O().version??"unknown"}catch{return"unknown"}})();let e;try{const c=await fetch(`${l}/api/v1/cli/auth/start`,{method:"POST",headers:{"x-wyrm-version":i}});if(!c.ok)throw new Error(`HTTP ${c.status}`);e=await c.json()}catch(c){p(`Couldn't reach ${l} (${c instanceof Error?c.message:"network error"}).`),process.exitCode=1;return}const s=e.verification_uri_complete||e.verification_uri||`${l}/cli`;console.log(`
+  ${d.cyan("Sign in to activate Wyrm (free):")}`),console.log(`  1. Open  ${d.cyan(s)}`),console.log(`  2. Approve the code  ${d.cyan(e.user_code)}`),console.log(d.dim(`
+  Waiting for approval\u2026 (Ctrl-C to cancel)`));const r=(e.interval??3)*1e3,t=Date.now()+(e.expires_in??600)*1e3;let n="";for(;Date.now()<t;){await new Promise(c=>setTimeout(c,r));try{const m=await(await fetch(`${l}/api/v1/cli/auth/poll`,{method:"POST",headers:{"content-type":"application/json"},body:JSON.stringify({device_code:e.device_code})})).json();if(m.status==="approved"&&m.token){n=m.token;break}if(m.status==="denied"||m.error==="expired"){p("Login was denied or the code expired. Run `wyrm login` again."),process.exitCode=1;return}}catch{}}if(!n){p("Login timed out. Run `wyrm login` again."),process.exitCode=1;return}let a;try{const c=await fetch(`${l}/api/v1/license/free`,{method:"POST",headers:{authorization:`Bearer ${n}`,"x-wyrm-version":i}});if(!c.ok){const m=await c.json().catch(()=>({}));p(`Activation failed (${c.status}): ${m.hint||m.error||"unknown error"}`),process.exitCode=1;return}a=JSON.stringify(await c.json())}catch(c){p(`Activation request failed (${c instanceof Error?c.message:"network error"}).`),process.exitCode=1;return}const{activateLicense:o}=await import("./license.js"),u=o(a);u.valid?(v(`Signed in & activated \u2014 ${u.tier} tier (expires ${u.expiresAt??"never"}).`),console.log(d.dim("  Restart the Wyrm MCP server / daemon to apply."))):(p(`Activation failed: ${u.error??"unknown error"}`),process.exitCode=1)}async function Ke(l){const{positional:i}=x(l),e=i[0];let s;e&&ce(e)?s=V(e,"utf-8"):e?s=e:process.stdin.isTTY?(p("Usage: wyrm activate <license.json path | license JSON>   (or pipe the JSON on stdin)"),process.exit(1)):s=me();const{activateLicense:r}=await import("./license.js");try{const t=r(s);t.valid?(v(`License activated \u2014 ${t.tier} tier (${t.features.join(", ")})`),console.log(d.dim("  Restart Wyrm (MCP server / daemon) to apply all features."))):(p(`License activation failed: ${t.error??"unknown error"}`),process.exitCode=1)}catch{p("Invalid license format. Please verify your license key."),process.exitCode=1}}async function Ge(l){const{flags:i}=x(l),{runMaintenance:e}=await import("./maintenance.js"),{FailurePatterns:s}=await import("./failure-patterns.js"),{SessionSeen:r}=await import("./session-seen.js"),{AgentPresence:t}=await import("./presence.js"),n=E();try{const a=n.getDatabase(),o=R(i["archive-days"],0),u=e({db:n,sessionSeen:new r(a),failures:new s(a),presence:new t(a)},{vacuum:i.vacuum===!0,archiveDays:o>0?o:void 0});j("Maintenance complete");for(const c of u.lines)console.log(`  - ${c}`);console.log(d.dim(`
+  Database size: ${u.dbSize}`))}finally{n.close()}}async function Je(l){const{positional:i,flags:e}=x(l),s=i[0]??"status",{createVectorStore:r}=await import("./vectors.js"),n={provider:e.provider??process.env.WYRM_VECTOR_PROVIDER??"auto",model:e.model,apiKey:e["api-key"]??process.env.OPENAI_API_KEY,ollamaUrl:e["ollama-url"]};if(s==="setup"){const{createProvider:o}=await import("./providers/embedding-provider.js"),u=o(n);if(!await u.isReady()&&n.provider!=="none"){p(`Provider not ready: ${u.name}. Check the configuration and try again.`),process.exitCode=1;return}v(`Vector provider verified: ${u.name} (model ${u.model}, ${u.dimensions}d)`),console.log(d.dim("  The MCP server reads WYRM_VECTOR_PROVIDER (and provider-specific env) at boot \u2014")),console.log(d.dim(`  set WYRM_VECTOR_PROVIDER=${u.name==="none"?"none":n.provider} in the server env, then: wyrm index rebuild`));return}const a=E();try{const o=a.getDatabase(),u=r(n,o);if(s==="status"){const c=u.getStats();j("Vector index");const m=[["Provider",c.provider],["Model",c.model],["Vectors",String(c.total)],...Object.entries(c.byType).map(([y,f])=>[`  ${y}`,String(f)])];console.log(M(["Field","Value"],m));return}if(s==="rebuild"){const{reindexProjects:c}=await import("./reindex.js"),m=e["dry-run"]===!0,y=e.project;let f;if(y){const h=a.getProject(y)??P(a,y);if(!h){p(`Project not found: ${y}`),process.exitCode=1;return}f=[h.id]}else f=a.getAllProjects(1e3).map(h=>h.id);const{indexed:g,skipped:w}=await c(o,u,f,{dryRun:m,onError:(h,b)=>p(`${h}: ${JSON.stringify(b)}`)});v(`Reindex ${m?"(dry run) ":""}\u2014 ${f.length} project(s), ${g} indexed, ${w} skipped`);return}p("Usage: wyrm index <setup|rebuild|status> [--provider auto|local|ollama|openai|none] [--model M] [--project P] [--dry-run]"),process.exitCode=1}finally{a.close()}}async function ze(l){const{flags:i}=x(l),{getUpdateStatus:e}=await import("./version-check.js"),s=O().version??"0.0.0",r=E();let t;try{t=await e(r.getDatabase(),s,{force:i.force===!0||i.check===!0})}finally{r.close()}if(j("Wyrm update"),console.log(M(["Field","Value"],[["Current",t.current],["Latest",t.latest??"unknown (offline?)"],["Update available",t.updateAvailable?"yes":"no"],["Checked",`${t.checkedAt} (${t.source})`]])),i.check===!0)return;if(!t.updateAvailable&&i.force!==!0){console.log(d.dim(`
+  Already up to date. (Use --force to reinstall anyway.)`));return}console.log(d.dim(`
+  Running: npm install -g wyrm-mcp@latest
+`));const n=B("npm",["install","-g","wyrm-mcp@latest"],{stdio:"inherit",shell:!1});n.status===0?v("Updated. Restart your MCP clients to pick up the new binary."):(p(`npm install exited with ${n.status??"unknown"}`),process.exitCode=n.status??1)}async function Qe(l){const{positional:i,flags:e}=x(l),s=i[0],r=e.project??process.cwd();if(s==="inject"){const{injectSystemPrompt:t}=await import("./autoconfig.js"),n=typeof e.clients=="string"?e.clients.split(",").map(o=>o.trim()).filter(Boolean):[],a=t(r,n);j("System prompt injection");for(const o of a.injected)console.log(`  + ${o}`);for(const o of a.skipped)console.log(d.dim(`  o skipped (unknown client): ${o}`));for(const o of a.errors)p(o);a.injected.length>0&&v("AI clients in this project will now call wyrm_session_prime at conversation start."),a.errors.length>0&&(process.exitCode=1);return}if(s==="migrate"){const{migrateProject:t,renderMigrationReport:n}=await import("./migrate-prompt.js"),{WYRM_INJECT_BLOCK:a}=await import("./autoconfig.js"),o=e.apply===!0,u=t({projectPath:r,newBlock:a,apply:o});console.log(n(u,o));return}p("Usage: wyrm prompt inject [--project <path>] [--clients copilot,cursor] | wyrm prompt migrate [--project <path>] [--apply]"),process.exitCode=1}async function Xe(l){const{positional:i,flags:e}=x(l);(i[0]??"report")!=="report"&&(p("Usage: wyrm hours report --from YYYY-MM-DD --to YYYY-MM-DD [--project <name>] [--session-hours H] [--json]"),process.exit(1));const r=e.from,t=e.to;(!r||!t)&&(p("--from and --to are required (YYYY-MM-DD)"),process.exit(1));const{HourLedger:n}=await import("./hours.js"),a=E();try{const o=e.project,u=o?P(a,o):null;if(o&&!u){p(`Project not found: ${o}`),process.exitCode=1;return}const c=new n(a.getDatabase()).report({range_start:r,range_end:t,project_id:u?.id,default_session_hours:z(e["session-hours"],1)});if(e.json===!0){console.log(JSON.stringify(c,null,2));return}if(j(`Hours ${c.range.start} \u2192 ${c.range.end}`),c.by_project.length===0){console.log(d.dim("  No sessions in range."));return}console.log(M(["Project","Sessions","Hours"],c.by_project.map(m=>[m.project_name,String(m.session_count),m.hours.toFixed(2)]))),console.log(`
+  Total: ${c.total_hours.toFixed(2)}h across ${c.entries.length} session(s)`+(c.estimated_sessions>0?d.dim(` (${c.estimated_sessions} estimated)`):""))}finally{a.close()}}async function Ze(l){const{positional:i,flags:e}=x(l),s=i[0]??"generate",r=e.client,t=z(e.rate,NaN),n=e.from,a=e.to;(s!=="generate"||!r||!Number.isFinite(t)||!n||!a)&&(p('Usage: wyrm invoice generate --client <name> --rate <usd/hour> --from YYYY-MM-DD --to YYYY-MM-DD [--project <name>] [--number INV-X] [--currency USD] [--notes "\u2026"] [--out <path>]'),process.exit(1));const{HourLedger:o}=await import("./hours.js"),u=E();try{const c=e.project,m=c?P(u,c):null;if(c&&!m){p(`Project not found: ${c}`),process.exitCode=1;return}const y=new o(u.getDatabase()).invoice({client_name:r,hourly_rate_usd:t,range_start:n,range_end:a,project_id:m?.id,invoice_number:e.number,currency:e.currency,notes:e.notes,business_name:e["business-name"],business_address:e["business-address"],business_contact:e["business-contact"],client_address:e["client-address"],default_session_hours:z(e["session-hours"],1)}),f=e.out;if(f){const{writeFileSync:g}=await import("node:fs");g(f,y+`
+`,"utf-8"),v(`Invoice written to ${f}`)}else process.stdout.write(y+`
+`)}finally{u.close()}}async function et(l){const{positional:i,flags:e}=x(l),s=i[0]??"status",{AgentDaemon:r}=await import("./agent-daemon.js"),t=E();try{const n=new r(t.getDatabase());switch(s){case"init":case"start":{const a=Math.max(10,Math.min(R(e.interval,600),86400)),o=n.start({interval_seconds:a,max_steps:e["max-steps"]!==void 0&&R(e["max-steps"],0)||void 0,project_path:e.project,verbose:e.verbose===!0});if(!o.ok){p(`Agent init failed: ${o.error}`),process.exitCode=1;return}const u=o.status;v(`Agent ${u.pid!=null&&u.pid!==o.pid?"already running":"started"} \u2014 pid ${u.pid}`),console.log(`  Interval: ${a}s \xB7 Active goals: ${u.active_goals} \xB7 Total iterations: ${u.total_iterations}`),console.log(d.dim(`  Log: ${u.log_file}`));return}case"status":{const a=n.status();j("Wyrm agent"),console.log(a.running?`  RUNNING \u2014 pid ${a.pid}${a.started_at?` (since ${a.started_at})`:""}`:"  NOT RUNNING. Start it with: wyrm agent init"),console.log(`  Active goals: ${a.active_goals} \xB7 Total iterations: ${a.total_iterations}`),a.last_action&&console.log(`  Last action (${a.last_action.ran_at}): ${a.last_action.summary} [${a.last_action.result_status??"?"}]`),e.log===!0&&(console.log(`
+=== Recent log ===`),console.log(n.recentLog(40)));return}case"stop":{const a=await n.stop({grace_ms:e.grace!==void 0?R(e.grace,3e3):void 0});if(!a.ok){p(`Stop failed: ${a.error}`),process.exitCode=1;return}v(a.was_running?`Agent stopped (was pid ${a.pid}). Goals remain in DB \u2014 wyrm agent init resumes.`:"Agent was not running. (No-op.)");return}case"restart":{const a=await n.restart({interval_seconds:e.interval!==void 0?R(e.interval,600):void 0,max_steps:e["max-steps"]!==void 0&&R(e["max-steps"],0)||void 0,project_path:e.project,verbose:e.verbose===!0});if(!a.ok){p(`Restart failed: ${a.error}`),process.exitCode=1;return}v(`Agent restarted \u2014 pid ${a.status.pid}. Active goals: ${a.status.active_goals}.`);return}default:p("Usage: wyrm agent <init|status|stop|restart> [--interval N] [--max-steps N] [--project <path>] [--verbose] [--log]"),process.exitCode=1}}finally{t.close()}}async function tt(l){if(l.includes("--encrypt")){const{initializeLicense:s,hasFeature:r}=await import("./license.js");if(s(),!r("encryption")){p("Encryption setup requires a Pro license or higher. See: wyrm license"),process.exitCode=1;return}const{getCrypto:t,initializeCrypto:n}=await import("./crypto.js"),a=l.includes("--enable"),o=l.includes("--test");if(a){const c=process.env.WYRM_ENCRYPTION_KEY??(process.stdin.isTTY?"":me());if(!c||c.length<8){p('Password must be at least 8 characters. Set WYRM_ENCRYPTION_KEY or pipe it:  printf %s "$PW" | wyrm setup --encrypt --enable'),process.exitCode=1;return}n(c),v("Encryption enabled (AES-256-GCM, key derived via PBKDF2). Store your password safely \u2014 it cannot be recovered.");return}const u=t();if(o){if(!u.isEnabled()){p("Encryption not enabled. Run: wyrm setup --encrypt --enable"),process.exitCode=1;return}const c="Wyrm encryption test "+Date.now();u.decrypt(u.encrypt(c))===c?v("Encryption test PASSED (encrypt \u2192 decrypt roundtrip)."):(p("Encryption test FAILED."),process.exitCode=1);return}j("Encryption status"),console.log(`  Enabled:   ${u.isEnabled()?"yes \u2014 new data is encrypted at rest":"no"}`),console.log("  Algorithm: AES-256-GCM"),u.isEnabled()||console.log(d.dim("  Enable with: wyrm setup --encrypt --enable  (password via WYRM_ENCRYPTION_KEY or stdin)"));return}const i=ae(le(import.meta.url)),e=B(process.execPath,[oe(i,"setup.js"),...l],{stdio:"inherit",shell:!1});process.exitCode=e.status??0}function fe(){console.log(`
+${J.brightMagenta}\u{F115D} Wyrm CLI v${O().version??"unknown"}${J.reset}
+${J.dim}Persistent AI Memory System${J.reset}
 
-${c.bold('Usage:')} wyrm <command> [options]
+${d.bold("Usage:")} wyrm <command> [options]
 
-${c.bold('Commands:')}
-  ${c.cyan('search')} <query>                    Search across memories, truths, quests, and data
-  ${c.cyan('ls')}                                List stored items
-  ${c.cyan('show')} <typed-id>                   Show full detail (mem:N, quest:N, truth:N, data:N, session:N)
-  ${c.cyan('capture')} "<content>"               Classify and capture a thought, task, or lesson
-  ${c.cyan('rehydrate')} [--project <name>]      Print the latest session's continuity brief (for SessionStart)
-  ${c.cyan('render')} [--client <list>] [--brief] Compile DB → MEMORY.md + topic files (zero-MCP-token memory)
-  ${c.cyan('import git')}                        Import git log history to review queue
-  ${c.cyan('import rules')} <path>               Import .cursorrules / copilot-instructions file
-  ${c.cyan('stats')}                             Show database statistics
-  ${c.cyan('review')}                            Interactively review pending artifacts
-  ${c.cyan('sync export')} --out <path>          Export encrypted DB snapshot
-  ${c.cyan('sync import')} --from <path>         Restore from encrypted snapshot (backs up first)
-  ${c.cyan('sync preview')} --from <path>        Preview snapshot stats without restoring
-  ${c.cyan('prune')} [--project <name>]          Prune stale low-confidence artifacts (dry-run by default)
-  ${c.cyan('cloud')} <login|sync|export|…>       Cloud backup & multi-device sync (Pro license)
-  ${c.cyan('grove')} <status|policy>              Per-project sync lanes (private|cloud|team) + leak audit
-  ${c.cyan('skill')} <backfill-content|export|share>  Portable skills: store SKILL.md content + sync/export
-  ${c.cyan('serve')} [--ui]                       Start the Wyrm HTTP server (optionally open the dashboard)
-  ${c.cyan('setup')} [--check|--encrypt|…]        Auto-configure AI clients (wyrm-setup); --encrypt for at-rest crypto
-  ${c.cyan('intro')}                              What Wyrm is and how to use it
-  ${c.cyan('license')}                            Show license status & features
-  ${c.cyan('login')}                              Sign in (free account) and activate — required on official builds
-  ${c.cyan('activate')} <key|path>                Activate a license (JSON arg, file path, or stdin)
-  ${c.cyan('maintenance')} [--vacuum]             Archive/prune/sweep/checkpoint the database
-  ${c.cyan('index')} <setup|rebuild|status>       Vector search: verify provider, reindex, stats
-  ${c.cyan('update')} [--check]                   Check for / install the latest wyrm-mcp
-  ${c.cyan('prompt')} <inject|migrate>            Inject/refresh the session-prime block in client files
-  ${c.cyan('hours')} report --from --to           Hours report derived from session history
-  ${c.cyan('invoice')} generate --client …        Markdown invoice from the hours ledger
-  ${c.cyan('agent')} <init|status|stop|restart>   Background agent daemon (goal loop)
+${d.bold("Commands:")}
+  ${d.cyan("search")} <query>                    Search across memories, truths, quests, and data
+  ${d.cyan("ls")}                                List stored items
+  ${d.cyan("show")} <typed-id>                   Show full detail (mem:N, quest:N, truth:N, data:N, session:N)
+  ${d.cyan("capture")} "<content>"               Classify and capture a thought, task, or lesson
+  ${d.cyan("rehydrate")} [--project <name>]      Print the latest session's continuity brief (for SessionStart)
+  ${d.cyan("render")} [--client <list>] [--brief] Compile DB \u2192 MEMORY.md + topic files (zero-MCP-token memory)
+  ${d.cyan("import git")}                        Import git log history to review queue
+  ${d.cyan("import rules")} <path>               Import .cursorrules / copilot-instructions file
+  ${d.cyan("stats")}                             Show database statistics
+  ${d.cyan("review")}                            Interactively review pending artifacts
+  ${d.cyan("sync export")} --out <path>          Export encrypted DB snapshot
+  ${d.cyan("sync import")} --from <path>         Restore from encrypted snapshot (backs up first)
+  ${d.cyan("sync preview")} --from <path>        Preview snapshot stats without restoring
+  ${d.cyan("prune")} [--project <name>]          Prune stale low-confidence artifacts (dry-run by default)
+  ${d.cyan("cloud")} <login|sync|export|\u2026>       Cloud backup & multi-device sync (Pro license)
+  ${d.cyan("grove")} <status|policy>              Per-project sync lanes (private|cloud|team) + leak audit
+  ${d.cyan("skill")} <backfill-content|export|share>  Portable skills: store SKILL.md content + sync/export
+  ${d.cyan("serve")} [--ui]                       Start the Wyrm HTTP server (optionally open the dashboard)
+  ${d.cyan("setup")} [--check|--encrypt|\u2026]        Auto-configure AI clients (wyrm-setup); --encrypt for at-rest crypto
+  ${d.cyan("intro")}                              What Wyrm is and how to use it
+  ${d.cyan("license")}                            Show license status & features
+  ${d.cyan("login")}                              Sign in (free account) and activate \u2014 required on official builds
+  ${d.cyan("activate")} <key|path>                Activate a license (JSON arg, file path, or stdin)
+  ${d.cyan("maintenance")} [--vacuum]             Archive/prune/sweep/checkpoint the database
+  ${d.cyan("index")} <setup|rebuild|status>       Vector search: verify provider, reindex, stats
+  ${d.cyan("update")} [--check]                   Check for / install the latest wyrm-mcp
+  ${d.cyan("prompt")} <inject|migrate>            Inject/refresh the session-prime block in client files
+  ${d.cyan("hours")} report --from --to           Hours report derived from session history
+  ${d.cyan("invoice")} generate --client \u2026        Markdown invoice from the hours ledger
+  ${d.cyan("agent")} <init|status|stop|restart>   Background agent daemon (goal loop)
 
-${c.bold('Options:')}
+${d.bold("Options:")}
   --project <name>           Filter or associate with a specific project
   --type <type>              Filter type (memories|truths|quests|data|all)
   --limit <N>                Limit number of results (default: 20)
@@ -1735,766 +126,22 @@ ${c.bold('Options:')}
   --help, -h                 Show this help
   --version, -v              Print the installed version
 
-${c.bold('Environment:')}
+${d.bold("Environment:")}
   WYRM_DB_PATH               Override database path (default: ~/.wyrm/wyrm.db)
   WYRM_SYNC_PASSPHRASE       Passphrase for encrypted sync (or prompted interactively)
 
-${c.bold('Examples:')}
+${d.bold("Examples:")}
   wyrm search "authentication bug"
   wyrm ls --type memories --project MyApp
   wyrm capture "TODO: refactor the auth module" --project MyApp
   wyrm sync export --out ~/wyrm-backup.wyrm
   wyrm sync preview --from ~/wyrm-backup.wyrm
   wyrm prune --project MyApp --min-confidence 0.2 --older-than 30
-`);
-}
-// ==================== MAIN ====================
-const [, , command, ...restArgs] = process.argv;
-function fmtEvent(e) {
-    const ref = e.ref_table ? `${e.ref_table}${e.ref_id ? '#' + e.ref_id : ''}` : '';
-    const when = new Date(e.created_at).toLocaleTimeString();
-    // v7 (T008): NULL attribution reads as actor='legacy' at display read sites.
-    return `#${e.cursor}  ${e.kind.padEnd(15)} ${ref.padEnd(16)} ${readActor(e.actor)}  ${when}`;
-}
-/** `wyrm events publish <kind> --project <p>` and `wyrm events since --project <p>`. */
-async function cmdEvents(args) {
-    const { positional, flags } = parseArgs(args);
-    const sub = positional[0] || 'since';
-    const db = openDb();
-    try {
-        if (!db.liveMemoryEnabled()) {
-            printError('Live Memory is disabled (set WYRM_LIVE_MEMORY=1).');
-            process.exitCode = 1;
-            return;
-        }
-        const projRef = (typeof flags.project === 'string' ? flags.project : '') || process.cwd();
-        // Exact resolution only (path then name) — matches the HTTP surface; a fuzzy
-        // LIKE match could silently attach the stream to the WRONG project.
-        const project = db.getProject(projRef) ?? db.getProjectByName(projRef);
-        if (!project) {
-            printError(`Project not found: ${projRef}`);
-            process.exitCode = 1;
-            return;
-        }
-        if (sub === 'publish') {
-            const kind = positional[1] || (typeof flags.kind === 'string' ? flags.kind : '');
-            if (!kind) {
-                printError('usage: wyrm events publish <kind> --project <p> [--actor A] [--ref-table T --ref-id ID]');
-                process.exitCode = 1;
-                return;
-            }
-            db.publishEvent({
-                projectId: project.id,
-                kind: kind,
-                refTable: typeof flags['ref-table'] === 'string' ? flags['ref-table'] : undefined,
-                refId: typeof flags['ref-id'] === 'string' ? flags['ref-id'] : undefined,
-                actor: typeof flags.actor === 'string' ? flags.actor : undefined,
-            });
-            printSuccess(`Event published (${kind}) to ${project.name}`);
-            return;
-        }
-        if (sub === 'since') {
-            const cursor = intFlag(flags.cursor, 0);
-            const limit = intFlag(flags.limit, 50);
-            const events = db.eventsSince(project.id, cursor, limit);
-            for (const e of events)
-                console.log(fmtEvent(e));
-            printSection(`${events.length} event(s) for '${project.name}' since cursor ${cursor}`);
-            return;
-        }
-        printError(`usage: wyrm events <publish|since> ...`);
-        process.exitCode = 1;
-    }
-    finally {
-        db.close();
-    }
-}
-/** `wyrm watch [--project <p>] [--interval ms]` — tail a project's event stream to stdout. */
-async function cmdWatch(args) {
-    const { flags } = parseArgs(args);
-    const db = openDb();
-    if (!db.liveMemoryEnabled()) {
-        printError('Live Memory is disabled (set WYRM_LIVE_MEMORY=1).');
-        db.close();
-        process.exitCode = 1;
-        return;
-    }
-    const projRef = (typeof flags.project === 'string' ? flags.project : '') || process.cwd();
-    const project = db.getProject(projRef) ?? resolveProject(db, projRef);
-    if (!project) {
-        printError(`Project not found: ${projRef}`);
-        db.close();
-        process.exitCode = 1;
-        return;
-    }
-    const intervalMs = Math.max(250, intFlag(flags.interval, 1000));
-    // Default: tail only NEW events (start at current head). `--since N` to replay.
-    let cursor = intFlag(flags.since, db.subscribeEvents(project.id, 1).cursor);
-    printSection(`Watching '${project.name}' (cursor ${cursor}, every ${intervalMs}ms) — Ctrl-C to stop`);
-    const tick = () => {
-        try {
-            for (const e of db.eventsSince(project.id, cursor, 200)) {
-                cursor = e.cursor;
-                console.log(fmtEvent(e));
-            }
-        }
-        catch { /* transient — keep watching */ }
-    };
-    tick();
-    const timer = setInterval(tick, intervalMs);
-    const stop = () => { clearInterval(timer); try {
-        db.close();
-    }
-    catch { /* */ } process.exit(0); };
-    process.on('SIGINT', stop);
-    process.on('SIGTERM', stop);
-}
-/** `wyrm embed [--remove|--status] [--project <dir>] [--all]` — make Wyrm first-priority memory. */
-async function cmdEmbed(args) {
-    const { flags } = parseArgs(args);
-    const { embedAll, removeAll, statusAll } = await import('./priority-embed.js');
-    const opts = {
-        projectDir: typeof flags.project === 'string' ? flags.project : undefined,
-        allClients: flags.all === true,
-    };
-    const line = (r) => console.log(`  ${String(r.result ?? r.status).padEnd(9)} [${r.scope}] ${r.file}`);
-    if (flags.status) {
-        printSection('Wyrm priority embedding — status');
-        statusAll(opts).forEach(line);
-        return;
-    }
-    if (flags.remove) {
-        printSection('Wyrm priority embedding — removed');
-        removeAll(opts).forEach(line);
-        return;
-    }
-    printSection('Wyrm is now FIRST-PRIORITY memory');
-    embedAll(opts).forEach(line);
-    // Install the proactive hooks + persistent buddy statusline too (best-effort).
-    try {
-        const { installClaudeCodeHooks, installClaudeStatusline } = await import('./autoconfig.js');
-        const hooks = installClaudeCodeHooks();
-        if (hooks)
-            printSuccess('Proactive hooks installed (SessionStart rehydrate + capture + tool-trace).');
-        else
-            console.log('  (Claude Code not detected — skipped hook install.)');
-        const sl = installClaudeStatusline();
-        if (sl)
-            printSuccess(`Buddy statusline: ${sl.message}`);
-    }
-    catch { /* best-effort */ }
-    printSuccess('Wyrm will now be read first, primed proactively, and shown in the TUI at all times.');
-}
-/** `wyrm harvest [--project <p>] [--dry-run] [--limit N]` — auto-populate memory from docs + git into the review queue. */
-async function cmdHarvest(args) {
-    const { flags } = parseArgs(args);
-    const { harvestProjects } = await import('./harvest.js');
-    const { MemoryArtifacts } = await import('./memory-artifacts.js');
-    const { escapeLikePattern } = await import('./auto-capture.js');
-    const db = openDb();
-    try {
-        const raw = db.getDatabase();
-        const memory = new MemoryArtifacts(raw);
-        const deps = {
-            // Security pass #1: harvest sigs are doc/git-text-derived — %/_ must be
-            // LITERAL in the dedup probe (same escapeLikePattern rule as the MCP
-            // harvest/auto_capture/debrief probes).
-            existsBySig: (pid, sig) => !!raw.prepare("SELECT 1 FROM memory_artifacts WHERE project_id = ? AND tags LIKE ? ESCAPE '\\' LIMIT 1").get(pid, '%' + escapeLikePattern(sig) + '%'),
-            addCandidate: (pid, item) => memory.add(pid, { kind: item.kind, problem: item.text, tags: [...item.tags, item.sig], confidence: item.confidence, needsReview: 1, createdBy: 'harvest' }),
-        };
-        const projRef = typeof flags.project === 'string' ? flags.project : undefined;
-        let projects;
-        if (projRef) {
-            const p = db.getProject(projRef) ?? db.getProjectByName(projRef);
-            if (!p) {
-                printError(`Project not found: ${projRef}`);
-                process.exitCode = 1;
-                return;
-            }
-            projects = [{ id: p.id, name: p.name, path: p.path }];
-        }
-        else {
-            projects = db.getAllProjects(500).map((p) => ({ id: p.id, name: p.name, path: p.path }));
-        }
-        const dryRun = flags['dry-run'] === true || flags.dry === true;
-        const includeCode = flags.code === true || flags['include-code'] === true;
-        const { reports, totalAdded, totalSkipped } = harvestProjects(deps, projects, { dryRun, gitLimit: intFlag(flags.limit, 30), includeCode });
-        printSection(`Harvest ${dryRun ? '(dry run) ' : ''}— ${totalAdded} candidate(s), ${totalSkipped} already present (${projects.length} project(s))`);
-        for (const r of reports.filter((r) => r.added > 0).sort((a, b) => b.added - a.added).slice(0, 25)) {
-            console.log(`  +${String(r.added).padStart(3)} (skip ${r.skipped})  ${r.project}`);
-        }
-        if (includeCode && !dryRun) {
-            const { SymbolGraph } = await import('./symbols.js');
-            const sg = new SymbolGraph(raw);
-            let syms = 0, files = 0;
-            for (const p of projects) {
-                try {
-                    const r = sg.indexProject(p.id, p.path);
-                    syms += r.symbols;
-                    files += r.files;
-                }
-                catch { /* skip */ }
-            }
-            console.log(`  📐 Indexed ${syms} code symbols (${files} files) → searchable via 'wyrm search'`);
-        }
-        if (!dryRun && totalAdded > 0)
-            printSuccess('Review with: wyrm review');
-    }
-    finally {
-        db.close();
-    }
-}
-/** `wyrm vault <set|get|list|rm|exec|import-npm|info>` — local encrypted secret store. */
-async function cmdVault(args) {
-    const v = await import('./vault.js');
-    const [sub, ...rest] = args;
-    try {
-        switch (sub) {
-            case 'set': {
-                const name = rest[0];
-                if (!name) {
-                    printError('usage: wyrm vault set <name>   (the secret is read from STDIN, never argv)');
-                    process.exitCode = 1;
-                    return;
-                }
-                if (process.stdin.isTTY) {
-                    printError(`pipe the secret in, e.g.:  printf %s "$TOKEN" | wyrm vault set ${name}`);
-                    process.exitCode = 1;
-                    return;
-                }
-                const fs = await import('node:fs');
-                const value = fs.readFileSync(0, 'utf8').replace(/\r?\n$/, '');
-                if (!value) {
-                    printError('empty secret on stdin');
-                    process.exitCode = 1;
-                    return;
-                }
-                v.vaultSet(name, value);
-                printSuccess(`Stored "${name}" (AES-256-GCM). Use it without exposing it:  wyrm vault exec ${name} -- <command>`);
-                break;
-            }
-            case 'get': {
-                const name = rest[0];
-                if (!name) {
-                    printError('usage: wyrm vault get <name>');
-                    process.exitCode = 1;
-                    return;
-                }
-                const val = v.vaultGet(name);
-                if (val === undefined) {
-                    printError(`no secret named "${name}"`);
-                    process.exitCode = 1;
-                    return;
-                }
-                process.stdout.write(val); // no trailing newline — clean for $(...) / pipes
-                break;
-            }
-            case 'list':
-            case 'ls': {
-                const names = v.vaultList();
-                if (!names.length) {
-                    console.log('(vault is empty)');
-                    break;
-                }
-                printSection(`Vault — ${names.length} secret(s)`);
-                for (const n of names)
-                    console.log('  • ' + n);
-                break;
-            }
-            case 'rm':
-            case 'remove':
-            case 'delete': {
-                const name = rest[0];
-                if (!name) {
-                    printError('usage: wyrm vault rm <name>');
-                    process.exitCode = 1;
-                    return;
-                }
-                printSuccess(v.vaultRemove(name) ? `Removed "${name}"` : `(no secret named "${name}")`);
-                break;
-            }
-            case 'exec': {
-                // wyrm vault exec <name> [--as ENVVAR] -- <command...>
-                const name = rest[0];
-                const sep = rest.indexOf('--');
-                if (!name || sep === -1 || sep + 1 >= rest.length) {
-                    printError('usage: wyrm vault exec <name> [--as ENVVAR] -- <command...>');
-                    process.exitCode = 1;
-                    return;
-                }
-                const opts = rest.slice(1, sep);
-                const asIdx = opts.indexOf('--as');
-                const envVar = asIdx >= 0 ? opts[asIdx + 1] : name.toUpperCase().replace(/[^A-Z0-9]+/g, '_');
-                const cmd = rest.slice(sep + 1);
-                const secret = v.vaultGet(name);
-                if (secret === undefined) {
-                    printError(`no secret named "${name}"`);
-                    process.exitCode = 1;
-                    return;
-                }
-                const r = spawnSync(cmd[0], cmd.slice(1), { stdio: 'inherit', env: { ...process.env, [envVar]: secret } });
-                process.exitCode = r.status ?? 1;
-                break;
-            }
-            case 'import-npm': {
-                const fs = await import('node:fs');
-                const os = await import('node:os');
-                const path = await import('node:path');
-                const npmrc = path.join(os.homedir(), '.npmrc');
-                if (!fs.existsSync(npmrc)) {
-                    printError('~/.npmrc not found');
-                    process.exitCode = 1;
-                    return;
-                }
-                const m = fs.readFileSync(npmrc, 'utf8').match(/\/\/registry\.npmjs\.org\/:_authToken=(.+)/);
-                if (!m) {
-                    printError('no npm authToken found in ~/.npmrc');
-                    process.exitCode = 1;
-                    return;
-                }
-                v.vaultSet('npm-token', m[1].trim());
-                printSuccess('Imported npm token → vault as "npm-token". You can now scrub the plaintext from ~/.npmrc and use:  wyrm vault exec npm-token --as NODE_AUTH_TOKEN -- npm publish');
-                break;
-            }
-            case 'setup': {
-                // Idempotent "set it up professionally" entry point — the action a client AI
-                // runs after seeing the session-prime advisory. Secures an insecure vault using
-                // the best available backend, then teaches the safe store/use workflow.
-                const p = v.vaultPaths();
-                if (p.secure) {
-                    printSuccess(`Vault is already secure (backend: ${p.backend}, ${p.count} secret(s)).`);
-                }
-                else {
-                    const backend = p.keychainAvailable ? 'keychain' : 'passphrase';
-                    if (backend === 'passphrase' && !process.env.WYRM_VAULT_PASSPHRASE) {
-                        printError('No OS keychain on this host. Set WYRM_VAULT_PASSPHRASE, then re-run:  wyrm vault setup');
-                        process.exitCode = 1;
-                        return;
-                    }
-                    const r = v.vaultSecure({ backend });
-                    printSuccess(`Vault secured: ${r.from} → ${r.to}${r.rotated ? ' (key rotated)' : ''}.`);
-                    if (r.keyfileShredded)
-                        console.log('  plaintext vault.key:  shredded ✔');
-                    if (r.backup)
-                        console.log(`  ciphertext backup:    ${r.backup} (delete once confirmed)`);
-                }
-                printSection('Store & use credentials safely');
-                console.log('  store:  printf %s "$TOKEN" | wyrm vault set <name>     # reads STDIN — never argv/shell history');
-                console.log('  use:    wyrm vault exec <name> --as ENV_VAR -- <cmd>   # injected as env var, never printed');
-                console.log('  list:   wyrm vault list        inspect: wyrm vault info');
-                break;
-            }
-            case 'secure': {
-                // wyrm vault secure [--backend keychain|passphrase] [--no-rotate]
-                const bIdx = rest.indexOf('--backend');
-                const backend = (bIdx >= 0 ? rest[bIdx + 1] : 'keychain');
-                if (backend !== 'keychain' && backend !== 'passphrase') {
-                    printError('usage: wyrm vault secure [--backend keychain|passphrase] [--no-rotate]');
-                    process.exitCode = 1;
-                    return;
-                }
-                if (backend === 'passphrase' && !process.env.WYRM_VAULT_PASSPHRASE) {
-                    printError('set WYRM_VAULT_PASSPHRASE before:  wyrm vault secure --backend passphrase');
-                    process.exitCode = 1;
-                    return;
-                }
-                const rotate = !rest.includes('--no-rotate');
-                const r = v.vaultSecure({ backend, rotate });
-                printSuccess(`Vault secured: ${r.from} → ${r.to}${r.rotated ? ' (key rotated)' : ''}.`);
-                console.log(`  secrets re-encrypted: ${r.secrets}`);
-                if (r.keyfileShredded)
-                    console.log('  plaintext vault.key:  shredded ✔');
-                if (r.backup)
-                    console.log(`  ciphertext backup:    ${r.backup} (delete once you've confirmed)`);
-                console.log(backend === 'keychain'
-                    ? '  master key now lives in the OS keychain — not on disk.'
-                    : '  master key now derived from WYRM_VAULT_PASSPHRASE — keep that set for future use.');
-                break;
-            }
-            case 'info': {
-                const p = v.vaultPaths();
-                printSection('Vault');
-                console.log(`  backend: ${p.backend}`);
-                console.log(`  secrets: ${p.count}`);
-                console.log(`  store:   ${p.vault} (0600)`);
-                console.log(`  key:     ${p.backend === 'keyfile'
-                    ? p.key + ' (0600)'
-                    : p.backend === 'keychain' ? '(OS keychain — no key on disk)' : '(derived from WYRM_VAULT_PASSPHRASE — no key on disk)'}`);
-                console.log(`  secure:  ${p.secure ? 'yes — key is not a plaintext file beside the ciphertext' : 'NO — key sits beside ciphertext'}`);
-                if (!p.secure) {
-                    console.log(p.keychainAvailable
-                        ? '  ⚠ run `wyrm vault secure` to move the key into the OS keychain.'
-                        : '  ⚠ no OS keychain found — set WYRM_VAULT_PASSPHRASE and run `wyrm vault secure --backend passphrase`.');
-                }
-                break;
-            }
-            default:
-                printError('usage: wyrm vault <setup|set|get|list|rm|exec|import-npm|secure|info>');
-                process.exitCode = 1;
-        }
-    }
-    catch (e) {
-        printError(`vault: ${e.message}`);
-        process.exitCode = 1;
-    }
-}
-// ==================== GROVE (sync policy lanes) ====================
-/**
- * `wyrm skill`: portability ops for the skill registry (migration 25).
- *   wyrm skill backfill-content              read every skill's SKILL.md into the registry (idempotent)
- *   wyrm skill export <targetDir> [--all]    materialize SKILL.md files from stored content
- *   wyrm skill share <name|--all|--tier T> [--public|--private] [--include-inactive]  set cloud-sync visibility (single or bulk)
- *
- * Storing the SKILL.md body in the registry makes skills portable across
- * machines: backfill on the source box, sync the DB, then `export` on the
- * target to reconstitute the files. Egress is private-by-default — a skill
- * only leaves the machine once `share`d (cross_project_visibility org/public).
- */
-async function cmdSkill(args) {
-    const sub = args[0];
-    if (!sub || sub === 'help' || sub === '--help') {
-        console.log('Usage:\n'
-            + '  wyrm skill backfill-content              read every skill\'s SKILL.md into the registry (idempotent)\n'
-            + '  wyrm skill export <targetDir> [--all]    materialize SKILL.md files from stored content\n'
-            + '  wyrm skill share <name|--all|--tier T> [--public|--private] [--include-inactive]  set cloud-sync visibility (single or bulk)');
-        return;
-    }
-    const db = openDb();
-    try {
-        if (sub === 'backfill-content' || sub === 'backfill') {
-            printSection('Backfill SKILL.md content into the registry');
-            const r = db.backfillSkillContent();
-            printSuccess(`${r.filled} filled  .  ${r.unchanged} unchanged  .  ${r.missing} missing-file  (of ${r.total} registered)`);
-            if (r.missing > 0)
-                console.log(c.yellow(`  ${r.missing} skill(s) had no readable SKILL.md — re-run after restoring their files.`));
-            return;
-        }
-        if (sub === 'export') {
-            const targetDir = args[1];
-            if (!targetDir) {
-                printError('Usage: wyrm skill export <targetDir> [--all]');
-                db.close();
-                process.exit(1);
-            }
-            const includeInactive = args.includes('--all');
-            printSection(`Export skills → ${targetDir}`);
-            const r = db.exportSkillContent(targetDir, { includeInactive });
-            printSuccess(`${r.written} SKILL.md written  .  ${r.skipped_no_content} skipped (no stored content)  (of ${r.total} ${includeInactive ? 'total' : 'active'})`);
-            if (r.skipped_no_content > 0)
-                console.log(c.yellow('  Run `wyrm skill backfill-content` on the source machine to populate content first.'));
-            if (r.collisions > 0)
-                console.log(c.yellow(`  ${r.collisions} slug collision(s) disambiguated with a name-hash suffix (distinct skills, same slug) — no content lost.`));
-            return;
-        }
-        if (sub === 'share') {
-            const vis = args.includes('--private') ? 'within' : args.includes('--public') ? 'public' : 'org';
-            const includeInactive = args.includes('--include-inactive');
-            const tierIdx = args.indexOf('--tier');
-            const tier = tierIdx >= 0 ? args[tierIdx + 1] : undefined;
-            if (tierIdx >= 0 && (!tier || tier.startsWith('--'))) {
-                printError('Usage: wyrm skill share --tier <god|mega|atomic> [--public|--private] [--include-inactive]');
-                db.close();
-                process.exit(1);
-            }
-            const bulk = args.includes('--all') || !!tier;
-            if (bulk) {
-                const n = db.setAllSkillsVisibility(vis, { tier, includeInactive });
-                const scope = tier ? `tier '${tier}'` : includeInactive ? 'all skills' : 'all active skills';
-                printSuccess(`${n} skill(s) (${scope}) visibility → '${vis}'.`);
-                if (vis === 'within')
-                    console.log('  These skills will NOT egress on cloud sync (private).');
-                else
-                    console.log(`  ${n} skills are now cloud-sync-eligible (they leave on the next \`wyrm cloud sync\`).`);
-                return;
-            }
-            const name = args[1];
-            if (!name) {
-                printError('Usage: wyrm skill share <name|--all|--tier <tier>> [--public|--private] [--include-inactive]');
-                db.close();
-                process.exit(1);
-            }
-            const row = db.setSkillVisibility(name, vis);
-            if (!row) {
-                printError(`Skill not found: ${name}`);
-                db.close();
-                process.exit(1);
-            }
-            printSuccess(`Skill "${name}" visibility → '${vis}'.`);
-            if (vis === 'within')
-                console.log('  This skill will NOT egress on cloud sync (private).');
-            else
-                console.log('  This skill is now cloud-sync-eligible (it leaves on the next `wyrm cloud sync`).');
-            return;
-        }
-        printError(`Unknown skill subcommand: ${sub}`);
-        process.exit(1);
-    }
-    finally {
-        db.close();
-    }
-}
-/**
- * `wyrm grove`: manage and audit per-project replication lanes (sync_policy).
- *   wyrm grove status                                      list groves + leak audit
- *   wyrm grove policy <project|id> <private|cloud|team>     set a grove's lane
- *
- * private = never replicates. cloud = the operator's own cloud backup.
- * team = also federates to a team Wyrm. Per-row visibility / is_shared flags
- * still apply on top; the grove is the outer gate.
- */
-async function cmdGrove(args) {
-    const sub = args[0] ?? 'status';
-    const db = openDb();
-    const raw = db.getDatabase();
-    const hasPolicy = raw.prepare('PRAGMA table_info(projects)').all()
-        .some((col) => col.name === 'sync_policy');
-    if (!hasPolicy) {
-        printError('Grove sync policy is not on this database yet (upgrade Wyrm so migrations apply).');
-        db.close();
-        process.exit(1);
-    }
-    if (sub === 'status' || sub === 'ls' || sub === 'list') {
-        printSection('Grove sync policy + leak audit');
-        const projects = raw.prepare('SELECT id, name, sync_policy FROM projects ORDER BY id').all();
-        const visTables = ['ground_truths', 'memory_artifacts', 'quests', 'design_tokens', 'design_references'];
-        const sharedTables = ['ground_truths', 'memory_artifacts', 'quests', 'sessions', 'decision_edges'];
-        const countWhere = (tables, pid, where) => {
-            let n = 0;
-            for (const t of tables) {
-                try {
-                    n += raw.prepare(`SELECT COUNT(*) AS n FROM ${t} WHERE project_id = ? AND ${where}`).get(pid).n;
-                }
-                catch { /* table/col may be absent */ }
-            }
-            return n;
-        };
-        const rows = [];
-        let leaks = 0;
-        for (const p of projects) {
-            const promoted = countWhere(visTables, p.id, "cross_project_visibility IN ('org','public')");
-            const shared = countWhere(sharedTables, p.id, 'is_shared = 1');
-            const isLeak = p.sync_policy === 'private' && (promoted + shared) > 0;
-            if (isLeak)
-                leaks++;
-            const audit = isLeak
-                ? c.red(`LEAK: ${promoted} promoted + ${shared} shared in a PRIVATE grove`)
-                : `${promoted} promoted / ${shared} shared`;
-            rows.push([String(p.id), p.name, p.sync_policy, audit]);
-        }
-        console.log(formatTable(['#', 'Grove', 'sync_policy', 'rows eligible to leave'], rows));
-        console.log('\nprivate = never replicates  .  cloud = your own cloud backup  .  team = federates to a team Wyrm');
-        if (leaks > 0)
-            console.log(c.red(`\n! ${leaks} private grove(s) hold rows marked to leave. Re-private those rows or change the grove lane.`));
-        db.close();
-        return;
-    }
-    if (sub === 'policy' || sub === 'set') {
-        const ref = args[1];
-        const policy = args[2];
-        if (!ref || !['private', 'cloud', 'team'].includes(policy)) {
-            printError('Usage: wyrm grove policy <project|id> <private|cloud|team>');
-            db.close();
-            process.exit(1);
-        }
-        let proj = resolveProject(db, ref);
-        if (!proj && /^\d+$/.test(ref)) {
-            proj = raw.prepare('SELECT id, name FROM projects WHERE id = ?').get(Number(ref));
-        }
-        if (!proj) {
-            printError(`Grove not found: ${ref}`);
-            db.close();
-            process.exit(1);
-        }
-        raw.prepare('UPDATE projects SET sync_policy = ? WHERE id = ?').run(policy, proj.id);
-        printSuccess(`Grove "${proj.name}" set to '${policy}'.`);
-        if (policy !== 'private') {
-            console.log(`  Rows still only leave when also marked ${policy === 'team' ? 'is_shared (team)' : 'org/public (cloud)'}. The grove is the outer gate.`);
-        }
-        db.close();
-        return;
-    }
-    printError(`Unknown grove subcommand: ${sub}`);
-    console.log('Usage:\n  wyrm grove status\n  wyrm grove policy <project|id> <private|cloud|team>');
-    db.close();
-    process.exit(1);
-}
-if (command === '--version' || command === '-v' || command === 'version') {
-    // Single source of truth (package.json), shared with the help banner.
-    const pkg = readPkg();
-    console.log(`${pkg.name ?? 'wyrm-mcp'} v${pkg.version ?? 'unknown'}`);
-}
-else if (!command || command === '--help' || command === '-h' || command === 'help') {
-    printHelp();
-}
-else {
-    (async () => {
-        try {
-            switch (command) {
-                case 'search':
-                    await cmdSearch(restArgs);
-                    break;
-                case 'ls':
-                    await cmdLs(restArgs);
-                    break;
-                case 'show':
-                    await cmdShow(restArgs);
-                    break;
-                case 'capture':
-                    await cmdCapture(restArgs);
-                    break;
-                case 'rehydrate':
-                    await cmdRehydrate(restArgs);
-                    break;
-                case 'render':
-                    await cmdRender(restArgs);
-                    break;
-                case 'reverse-bridge':
-                    await cmdReverseBridge(restArgs);
-                    break;
-                case 'import':
-                    await cmdImport(restArgs);
-                    break;
-                case 'stats':
-                    await cmdStats(restArgs);
-                    break;
-                case 'review':
-                    await cmdReview(restArgs);
-                    break;
-                case 'sync':
-                    await cmdSync(restArgs);
-                    break;
-                case 'cloud': {
-                    const { cmdCloud } = await import('./cloud/cli.js');
-                    await cmdCloud(restArgs);
-                    break;
-                }
-                case 'grove':
-                    await cmdGrove(restArgs);
-                    break;
-                case 'skill':
-                    await cmdSkill(restArgs);
-                    break;
-                case 'prune':
-                    await cmdPrune(restArgs);
-                    break;
-                // v7 F3 (T023): CLI-exile subcommands — the `wyrm` replacements the
-                // 22 exiled MCP names redirect to (src/deprecations.ts CLI_EXILE_TOOLS).
-                case 'license':
-                    await cmdLicense();
-                    break;
-                case 'login':
-                    await cmdLogin();
-                    break;
-                case 'activate':
-                    await cmdActivate(restArgs);
-                    break;
-                case 'maintenance':
-                    await cmdMaintenance(restArgs);
-                    break;
-                case 'index':
-                    await cmdIndexVectors(restArgs);
-                    break;
-                case 'update':
-                    await cmdUpdate(restArgs);
-                    break;
-                case 'prompt':
-                    await cmdPrompt(restArgs);
-                    break;
-                case 'hours':
-                    await cmdHours(restArgs);
-                    break;
-                case 'invoice':
-                    await cmdInvoice(restArgs);
-                    break;
-                case 'agent':
-                    await cmdAgent(restArgs);
-                    break;
-                case 'setup':
-                    await cmdSetup(restArgs);
-                    break;
-                case 'intro': {
-                    const { renderIntro } = await import('./visibility.js');
-                    console.log(renderIntro(readPkg().version ?? 'unknown'));
-                    break;
-                }
-                case 'events':
-                    await cmdEvents(restArgs);
-                    break;
-                case 'watch':
-                    await cmdWatch(restArgs);
-                    break;
-                case 'embed':
-                    await cmdEmbed(restArgs);
-                    break;
-                case 'harvest':
-                    await cmdHarvest(restArgs);
-                    break;
-                case 'vault':
-                    await cmdVault(restArgs);
-                    break;
-                case 'statusline': {
-                    const { installClaudeStatusline, removeClaudeStatusline } = await import('./autoconfig.js');
-                    const res = restArgs.includes('--remove') ? removeClaudeStatusline() : installClaudeStatusline();
-                    if (!res)
-                        printError('Claude Code not detected (~/.claude missing).');
-                    else
-                        printSuccess(res.message);
-                    break;
-                }
-                // Easy dashboard access: `wyrm ui` / `wyrm dashboard` == `wyrm serve --ui`
-                // (starts the HTTP server and opens the /ui dashboard in the browser).
-                case 'ui':
-                case 'dashboard':
-                    if (!restArgs.includes('--ui'))
-                        restArgs.push('--ui');
-                // falls through to `serve`
-                case 'serve': {
-                    const hasUiFlag = restArgs.includes('--ui');
-                    if (hasUiFlag) {
-                        const { enableDevMode } = await import('./http-auth.js');
-                        enableDevMode();
-                    }
-                    // Start HTTP server inline
-                    const { server } = await import('./http-fast.js');
-                    const port = parseInt(process.env.WYRM_PORT ?? process.env.PORT ?? '3333', 10);
-                    const bindHost = process.env.WYRM_BIND_HOST || '127.0.0.1';
-                    server.listen(port, bindHost, () => {
-                        printSuccess(`Wyrm HTTP server running on ${bindHost}:${port}`);
-                        if (process.env.WYRM_UI_READONLY === '1') {
-                            console.log('🔒 READ-ONLY mode: writes + off-box egress are blocked; safe to expose.');
-                        }
-                        if (hasUiFlag) {
-                            const url = `http://localhost:${port}/ui`;
-                            console.log(`🖥️  Dashboard: ${url}`);
-                            // Best-effort browser launch; never crash the server if the
-                            // OS opener isn't available (CI, headless box, missing PATH).
-                            import('child_process').then(({ spawn }) => {
-                                const plt = process.platform;
-                                try {
-                                    const child = plt === 'darwin'
-                                        ? spawn('open', [url], { stdio: 'ignore', detached: true })
-                                        : plt === 'win32'
-                                            ? spawn('cmd', ['/c', 'start', '', url], { stdio: 'ignore', detached: true })
-                                            : spawn('xdg-open', [url], { stdio: 'ignore', detached: true });
-                                    child.on('error', () => { });
-                                    child.unref();
-                                }
-                                catch { /* spawn threw synchronously — also fine */ }
-                            }).catch(() => { });
-                        }
-                    });
-                    break;
-                }
-                default:
-                    printError(`Unknown command: ${command}`);
-                    printHelp();
-                    process.exit(1);
-            }
-        }
-        catch (err) {
-            printError(String(err));
-            process.exit(1);
-        }
-    })();
-}
-//# sourceMappingURL=wyrm-cli.js.map
+`)}const[,,I,...k]=process.argv;function ye(l){const i=l.ref_table?`${l.ref_table}${l.ref_id?"#"+l.ref_id:""}`:"",e=new Date(l.created_at).toLocaleTimeString();return`#${l.cursor}  ${l.kind.padEnd(15)} ${i.padEnd(16)} ${Te(l.actor)}  ${e}`}async function ot(l){const{positional:i,flags:e}=x(l),s=i[0]||"since",r=E();try{if(!r.liveMemoryEnabled()){p("Live Memory is disabled (set WYRM_LIVE_MEMORY=1)."),process.exitCode=1;return}const t=(typeof e.project=="string"?e.project:"")||process.cwd(),n=r.getProject(t)??r.getProjectByName(t);if(!n){p(`Project not found: ${t}`),process.exitCode=1;return}if(s==="publish"){const a=i[1]||(typeof e.kind=="string"?e.kind:"");if(!a){p("usage: wyrm events publish <kind> --project <p> [--actor A] [--ref-table T --ref-id ID]"),process.exitCode=1;return}r.publishEvent({projectId:n.id,kind:a,refTable:typeof e["ref-table"]=="string"?e["ref-table"]:void 0,refId:typeof e["ref-id"]=="string"?e["ref-id"]:void 0,actor:typeof e.actor=="string"?e.actor:void 0}),v(`Event published (${a}) to ${n.name}`);return}if(s==="since"){const a=R(e.cursor,0),o=R(e.limit,50),u=r.eventsSince(n.id,a,o);for(const c of u)console.log(ye(c));j(`${u.length} event(s) for '${n.name}' since cursor ${a}`);return}p("usage: wyrm events <publish|since> ..."),process.exitCode=1}finally{r.close()}}async function st(l){const{flags:i}=x(l),e=E();if(!e.liveMemoryEnabled()){p("Live Memory is disabled (set WYRM_LIVE_MEMORY=1)."),e.close(),process.exitCode=1;return}const s=(typeof i.project=="string"?i.project:"")||process.cwd(),r=e.getProject(s)??P(e,s);if(!r){p(`Project not found: ${s}`),e.close(),process.exitCode=1;return}const t=Math.max(250,R(i.interval,1e3));let n=R(i.since,e.subscribeEvents(r.id,1).cursor);j(`Watching '${r.name}' (cursor ${n}, every ${t}ms) \u2014 Ctrl-C to stop`);const a=()=>{try{for(const c of e.eventsSince(r.id,n,200))n=c.cursor,console.log(ye(c))}catch{}};a();const o=setInterval(a,t),u=()=>{clearInterval(o);try{e.close()}catch{}process.exit(0)};process.on("SIGINT",u),process.on("SIGTERM",u)}async function rt(l){const{flags:i}=x(l),{embedAll:e,removeAll:s,statusAll:r}=await import("./priority-embed.js"),t={projectDir:typeof i.project=="string"?i.project:void 0,allClients:i.all===!0},n=a=>console.log(`  ${String(a.result??a.status).padEnd(9)} [${a.scope}] ${a.file}`);if(i.status){j("Wyrm priority embedding \u2014 status"),r(t).forEach(n);return}if(i.remove){j("Wyrm priority embedding \u2014 removed"),s(t).forEach(n);return}j("Wyrm is now FIRST-PRIORITY memory"),e(t).forEach(n);try{const{installClaudeCodeHooks:a,installClaudeStatusline:o}=await import("./autoconfig.js");a()?v("Proactive hooks installed (SessionStart rehydrate + capture + tool-trace)."):console.log("  (Claude Code not detected \u2014 skipped hook install.)");const c=o();c&&v(`Buddy statusline: ${c.message}`)}catch{}v("Wyrm will now be read first, primed proactively, and shown in the TUI at all times.")}async function nt(l){const{flags:i}=x(l),{harvestProjects:e}=await import("./harvest.js"),{MemoryArtifacts:s}=await import("./memory-artifacts.js"),{escapeLikePattern:r}=await import("./auto-capture.js"),t=E();try{const n=t.getDatabase(),a=new s(n),o={existsBySig:(h,b)=>!!n.prepare("SELECT 1 FROM memory_artifacts WHERE project_id = ? AND tags LIKE ? ESCAPE '\\' LIMIT 1").get(h,"%"+r(b)+"%"),addCandidate:(h,b)=>a.add(h,{kind:b.kind,problem:b.text,tags:[...b.tags,b.sig],confidence:b.confidence,needsReview:1,createdBy:"harvest"})},u=typeof i.project=="string"?i.project:void 0;let c;if(u){const h=t.getProject(u)??t.getProjectByName(u);if(!h){p(`Project not found: ${u}`),process.exitCode=1;return}c=[{id:h.id,name:h.name,path:h.path}]}else c=t.getAllProjects(500).map(h=>({id:h.id,name:h.name,path:h.path}));const m=i["dry-run"]===!0||i.dry===!0,y=i.code===!0||i["include-code"]===!0,{reports:f,totalAdded:g,totalSkipped:w}=e(o,c,{dryRun:m,gitLimit:R(i.limit,30),includeCode:y});j(`Harvest ${m?"(dry run) ":""}\u2014 ${g} candidate(s), ${w} already present (${c.length} project(s))`);for(const h of f.filter(b=>b.added>0).sort((b,_)=>_.added-b.added).slice(0,25))console.log(`  +${String(h.added).padStart(3)} (skip ${h.skipped})  ${h.project}`);if(y&&!m){const{SymbolGraph:h}=await import("./symbols.js"),b=new h(n);let _=0,S=0;for(const $ of c)try{const T=b.indexProject($.id,$.path);_+=T.symbols,S+=T.files}catch{}console.log(`  \u{1F4D0} Indexed ${_} code symbols (${S} files) \u2192 searchable via 'wyrm search'`)}!m&&g>0&&v("Review with: wyrm review")}finally{t.close()}}async function it(l){const i=await import("./vault.js"),[e,...s]=l;try{switch(e){case"set":{const r=s[0];if(!r){p("usage: wyrm vault set <name>   (the secret is read from STDIN, never argv)"),process.exitCode=1;return}if(process.stdin.isTTY){p(`pipe the secret in, e.g.:  printf %s "$TOKEN" | wyrm vault set ${r}`),process.exitCode=1;return}const n=(await import("node:fs")).readFileSync(0,"utf8").replace(/\r?\n$/,"");if(!n){p("empty secret on stdin"),process.exitCode=1;return}i.vaultSet(r,n),v(`Stored "${r}" (AES-256-GCM). Use it without exposing it:  wyrm vault exec ${r} -- <command>`);break}case"get":{const r=s[0];if(!r){p("usage: wyrm vault get <name>"),process.exitCode=1;return}const t=i.vaultGet(r);if(t===void 0){p(`no secret named "${r}"`),process.exitCode=1;return}process.stdout.write(t);break}case"list":case"ls":{const r=i.vaultList();if(!r.length){console.log("(vault is empty)");break}j(`Vault \u2014 ${r.length} secret(s)`);for(const t of r)console.log("  \u2022 "+t);break}case"rm":case"remove":case"delete":{const r=s[0];if(!r){p("usage: wyrm vault rm <name>"),process.exitCode=1;return}v(i.vaultRemove(r)?`Removed "${r}"`:`(no secret named "${r}")`);break}case"exec":{const r=s[0],t=s.indexOf("--");if(!r||t===-1||t+1>=s.length){p("usage: wyrm vault exec <name> [--as ENVVAR] -- <command...>"),process.exitCode=1;return}const n=s.slice(1,t),a=n.indexOf("--as"),o=a>=0?n[a+1]:r.toUpperCase().replace(/[^A-Z0-9]+/g,"_"),u=s.slice(t+1),c=i.vaultGet(r);if(c===void 0){p(`no secret named "${r}"`),process.exitCode=1;return}const m=B(u[0],u.slice(1),{stdio:"inherit",env:{...process.env,[o]:c}});process.exitCode=m.status??1;break}case"import-npm":{const r=await import("node:fs"),t=await import("node:os"),a=(await import("node:path")).join(t.homedir(),".npmrc");if(!r.existsSync(a)){p("~/.npmrc not found"),process.exitCode=1;return}const o=r.readFileSync(a,"utf8").match(/\/\/registry\.npmjs\.org\/:_authToken=(.+)/);if(!o){p("no npm authToken found in ~/.npmrc"),process.exitCode=1;return}i.vaultSet("npm-token",o[1].trim()),v('Imported npm token \u2192 vault as "npm-token". You can now scrub the plaintext from ~/.npmrc and use:  wyrm vault exec npm-token --as NODE_AUTH_TOKEN -- npm publish');break}case"setup":{const r=i.vaultPaths();if(r.secure)v(`Vault is already secure (backend: ${r.backend}, ${r.count} secret(s)).`);else{const t=r.keychainAvailable?"keychain":"passphrase";if(t==="passphrase"&&!process.env.WYRM_VAULT_PASSPHRASE){p("No OS keychain on this host. Set WYRM_VAULT_PASSPHRASE, then re-run:  wyrm vault setup"),process.exitCode=1;return}const n=i.vaultSecure({backend:t});v(`Vault secured: ${n.from} \u2192 ${n.to}${n.rotated?" (key rotated)":""}.`),n.keyfileShredded&&console.log("  plaintext vault.key:  shredded \u2714"),n.backup&&console.log(`  ciphertext backup:    ${n.backup} (delete once confirmed)`)}j("Store & use credentials safely"),console.log('  store:  printf %s "$TOKEN" | wyrm vault set <name>     # reads STDIN \u2014 never argv/shell history'),console.log("  use:    wyrm vault exec <name> --as ENV_VAR -- <cmd>   # injected as env var, never printed"),console.log("  list:   wyrm vault list        inspect: wyrm vault info");break}case"secure":{const r=s.indexOf("--backend"),t=r>=0?s[r+1]:"keychain";if(t!=="keychain"&&t!=="passphrase"){p("usage: wyrm vault secure [--backend keychain|passphrase] [--no-rotate]"),process.exitCode=1;return}if(t==="passphrase"&&!process.env.WYRM_VAULT_PASSPHRASE){p("set WYRM_VAULT_PASSPHRASE before:  wyrm vault secure --backend passphrase"),process.exitCode=1;return}const n=!s.includes("--no-rotate"),a=i.vaultSecure({backend:t,rotate:n});v(`Vault secured: ${a.from} \u2192 ${a.to}${a.rotated?" (key rotated)":""}.`),console.log(`  secrets re-encrypted: ${a.secrets}`),a.keyfileShredded&&console.log("  plaintext vault.key:  shredded \u2714"),a.backup&&console.log(`  ciphertext backup:    ${a.backup} (delete once you've confirmed)`),console.log(t==="keychain"?"  master key now lives in the OS keychain \u2014 not on disk.":"  master key now derived from WYRM_VAULT_PASSPHRASE \u2014 keep that set for future use.");break}case"info":{const r=i.vaultPaths();j("Vault"),console.log(`  backend: ${r.backend}`),console.log(`  secrets: ${r.count}`),console.log(`  store:   ${r.vault} (0600)`),console.log(`  key:     ${r.backend==="keyfile"?r.key+" (0600)":r.backend==="keychain"?"(OS keychain \u2014 no key on disk)":"(derived from WYRM_VAULT_PASSPHRASE \u2014 no key on disk)"}`),console.log(`  secure:  ${r.secure?"yes \u2014 key is not a plaintext file beside the ciphertext":"NO \u2014 key sits beside ciphertext"}`),r.secure||console.log(r.keychainAvailable?"  \u26A0 run `wyrm vault secure` to move the key into the OS keychain.":"  \u26A0 no OS keychain found \u2014 set WYRM_VAULT_PASSPHRASE and run `wyrm vault secure --backend passphrase`.");break}default:p("usage: wyrm vault <setup|set|get|list|rm|exec|import-npm|secure|info>"),process.exitCode=1}}catch(r){p(`vault: ${r.message}`),process.exitCode=1}}async function at(l){const i=l[0];if(!i||i==="help"||i==="--help"){console.log(`Usage:
+  wyrm skill backfill-content              read every skill's SKILL.md into the registry (idempotent)
+  wyrm skill export <targetDir> [--all]    materialize SKILL.md files from stored content
+  wyrm skill share <name|--all|--tier T> [--public|--private] [--include-inactive]  set cloud-sync visibility (single or bulk)`);return}const e=E();try{if(i==="backfill-content"||i==="backfill"){j("Backfill SKILL.md content into the registry");const s=e.backfillSkillContent();v(`${s.filled} filled  .  ${s.unchanged} unchanged  .  ${s.missing} missing-file  (of ${s.total} registered)`),s.missing>0&&console.log(d.yellow(`  ${s.missing} skill(s) had no readable SKILL.md \u2014 re-run after restoring their files.`));return}if(i==="export"){const s=l[1];s||(p("Usage: wyrm skill export <targetDir> [--all]"),e.close(),process.exit(1));const r=l.includes("--all");j(`Export skills \u2192 ${s}`);const t=e.exportSkillContent(s,{includeInactive:r});v(`${t.written} SKILL.md written  .  ${t.skipped_no_content} skipped (no stored content)  (of ${t.total} ${r?"total":"active"})`),t.skipped_no_content>0&&console.log(d.yellow("  Run `wyrm skill backfill-content` on the source machine to populate content first.")),t.collisions>0&&console.log(d.yellow(`  ${t.collisions} slug collision(s) disambiguated with a name-hash suffix (distinct skills, same slug) \u2014 no content lost.`));return}if(i==="share"){const s=l.includes("--private")?"within":l.includes("--public")?"public":"org",r=l.includes("--include-inactive"),t=l.indexOf("--tier"),n=t>=0?l[t+1]:void 0;if(t>=0&&(!n||n.startsWith("--"))&&(p("Usage: wyrm skill share --tier <god|mega|atomic> [--public|--private] [--include-inactive]"),e.close(),process.exit(1)),l.includes("--all")||!!n){const c=e.setAllSkillsVisibility(s,{tier:n,includeInactive:r}),m=n?`tier '${n}'`:r?"all skills":"all active skills";v(`${c} skill(s) (${m}) visibility \u2192 '${s}'.`),console.log(s==="within"?"  These skills will NOT egress on cloud sync (private).":`  ${c} skills are now cloud-sync-eligible (they leave on the next \`wyrm cloud sync\`).`);return}const o=l[1];o||(p("Usage: wyrm skill share <name|--all|--tier <tier>> [--public|--private] [--include-inactive]"),e.close(),process.exit(1)),e.setSkillVisibility(o,s)||(p(`Skill not found: ${o}`),e.close(),process.exit(1)),v(`Skill "${o}" visibility \u2192 '${s}'.`),console.log(s==="within"?"  This skill will NOT egress on cloud sync (private).":"  This skill is now cloud-sync-eligible (it leaves on the next `wyrm cloud sync`).");return}p(`Unknown skill subcommand: ${i}`),process.exit(1)}finally{e.close()}}async function ct(l){const i=l[0]??"status",e=E(),s=e.getDatabase();if(s.prepare("PRAGMA table_info(projects)").all().some(t=>t.name==="sync_policy")||(p("Grove sync policy is not on this database yet (upgrade Wyrm so migrations apply)."),e.close(),process.exit(1)),i==="status"||i==="ls"||i==="list"){j("Grove sync policy + leak audit");const t=s.prepare("SELECT id, name, sync_policy FROM projects ORDER BY id").all(),n=["ground_truths","memory_artifacts","quests","design_tokens","design_references"],a=["ground_truths","memory_artifacts","quests","sessions","decision_edges"],o=(m,y,f)=>{let g=0;for(const w of m)try{g+=s.prepare(`SELECT COUNT(*) AS n FROM ${w} WHERE project_id = ? AND ${f}`).get(y).n}catch{}return g},u=[];let c=0;for(const m of t){const y=o(n,m.id,"cross_project_visibility IN ('org','public')"),f=o(a,m.id,"is_shared = 1"),g=m.sync_policy==="private"&&y+f>0;g&&c++;const w=g?d.red(`LEAK: ${y} promoted + ${f} shared in a PRIVATE grove`):`${y} promoted / ${f} shared`;u.push([String(m.id),m.name,m.sync_policy,w])}console.log(M(["#","Grove","sync_policy","rows eligible to leave"],u)),console.log(`
+private = never replicates  .  cloud = your own cloud backup  .  team = federates to a team Wyrm`),c>0&&console.log(d.red(`
+! ${c} private grove(s) hold rows marked to leave. Re-private those rows or change the grove lane.`)),e.close();return}if(i==="policy"||i==="set"){const t=l[1],n=l[2];(!t||!["private","cloud","team"].includes(n))&&(p("Usage: wyrm grove policy <project|id> <private|cloud|team>"),e.close(),process.exit(1));let a=P(e,t);!a&&/^\d+$/.test(t)&&(a=s.prepare("SELECT id, name FROM projects WHERE id = ?").get(Number(t))),a||(p(`Grove not found: ${t}`),e.close(),process.exit(1)),s.prepare("UPDATE projects SET sync_policy = ? WHERE id = ?").run(n,a.id),v(`Grove "${a.name}" set to '${n}'.`),n!=="private"&&console.log(`  Rows still only leave when also marked ${n==="team"?"is_shared (team)":"org/public (cloud)"}. The grove is the outer gate.`),e.close();return}p(`Unknown grove subcommand: ${i}`),console.log(`Usage:
+  wyrm grove status
+  wyrm grove policy <project|id> <private|cloud|team>`),e.close(),process.exit(1)}if(I==="--version"||I==="-v"||I==="version"){const l=O();console.log(`${l.name??"wyrm-mcp"} v${l.version??"unknown"}`)}else!I||I==="--help"||I==="-h"||I==="help"?fe():(async()=>{try{switch(I){case"search":await Me(k);break;case"ls":await Ie(k);break;case"show":await Ae(k);break;case"capture":await Ne(k);break;case"rehydrate":await Le(k);break;case"render":await Oe(k);break;case"reverse-bridge":await We(k);break;case"import":await Ye(k);break;case"stats":await qe(k);break;case"review":await Fe(k);break;case"sync":await Ue(k);break;case"cloud":{const{cmdCloud:l}=await import("./cloud/cli.js");await l(k);break}case"grove":await ct(k);break;case"skill":await at(k);break;case"prune":await He(k);break;case"license":await Ve();break;case"login":await Be();break;case"activate":await Ke(k);break;case"maintenance":await Ge(k);break;case"index":await Je(k);break;case"update":await ze(k);break;case"prompt":await Qe(k);break;case"hours":await Xe(k);break;case"invoice":await Ze(k);break;case"agent":await et(k);break;case"setup":await tt(k);break;case"intro":{const{renderIntro:l}=await import("./visibility.js");console.log(l(O().version??"unknown"));break}case"events":await ot(k);break;case"watch":await st(k);break;case"embed":await rt(k);break;case"harvest":await nt(k);break;case"vault":await it(k);break;case"statusline":{const{installClaudeStatusline:l,removeClaudeStatusline:i}=await import("./autoconfig.js"),e=k.includes("--remove")?i():l();e?v(e.message):p("Claude Code not detected (~/.claude missing).");break}case"ui":case"dashboard":k.includes("--ui")||k.push("--ui");case"serve":{const l=k.includes("--ui");if(l){const{enableDevMode:r}=await import("./http-auth.js");r()}const{server:i}=await import("./http-fast.js"),e=parseInt(process.env.WYRM_PORT??process.env.PORT??"3333",10),s=process.env.WYRM_BIND_HOST||"127.0.0.1";i.listen(e,s,()=>{if(v(`Wyrm HTTP server running on ${s}:${e}`),process.env.WYRM_UI_READONLY==="1"&&console.log("\u{1F512} READ-ONLY mode: writes + off-box egress are blocked; safe to expose."),l){const r=`http://localhost:${e}/ui`;console.log(`\u{1F5A5}\uFE0F  Dashboard: ${r}`),import("child_process").then(({spawn:t})=>{const n=process.platform;try{const a=n==="darwin"?t("open",[r],{stdio:"ignore",detached:!0}):n==="win32"?t("cmd",["/c","start","",r],{stdio:"ignore",detached:!0}):t("xdg-open",[r],{stdio:"ignore",detached:!0});a.on("error",()=>{}),a.unref()}catch{}}).catch(()=>{})}});break}default:p(`Unknown command: ${I}`),fe(),process.exit(1)}}catch(l){p(String(l)),process.exit(1)}})();