Skip to main content

aristo_cli/
lib.rs

1//! Library form of the Aristo CLI. The `aristo` binary (`src/main.rs`) is
2//! a thin wrapper that calls [`run`] and exits with its return code.
3//!
4//! Splitting the CLI into a lib + tiny bin lets integration tests exercise
5//! `dispatch` directly without spawning a child process for every case
6//! (the `binary_smoke` test still spawns one, on purpose, as the canary
7//! for the binary's own glue).
8
9mod commands;
10mod data_plane;
11mod error;
12mod filter;
13/// The nudge/progress engine (Phase 18 #9). Public so the as-yet-unwired
14/// scorer is part of the lib API surface; the `aristo nudge` emitter (S0d)
15/// is its in-crate consumer.
16pub mod nudge;
17mod pipeline;
18mod session;
19mod skills;
20mod update_notify;
21mod workspace;
22
23pub use error::{CliError, CliResult};
24pub use filter::{Filter, FilterParseError};
25pub use workspace::{Workspace, WorkspaceError};
26
27use clap::{Parser, Subcommand};
28use std::path::PathBuf;
29use std::process::ExitCode;
30
31/// Aristo annotation SDK CLI.
32///
33/// Each subcommand handles one stage of the annotation lifecycle:
34/// authoring (`init`, `lang`, `install-skills`), indexing and stamping
35/// (`index`, `stamp`, `rename`), inspection (`show`, `list`, `status`,
36/// `graph`, `doc`, `badge`), quality gates (`lint`, `verify`,
37/// `critique`), review-session management (`session`), and canon
38/// binding against the Aretta server (`auth`, `canon`).
39#[derive(Parser, Debug)]
40#[command(
41    name = "aristo",
42    version,
43    about = "Aristo annotation SDK — write, verify, and document intent.",
44    long_about = None,
45)]
46struct Cli {
47    #[command(subcommand)]
48    command: Commands,
49}
50
51#[derive(Subcommand, Debug)]
52enum Commands {
53    /// Set up Aristo in this repo (creates `aristo.toml`, `.aristo/`,
54    /// pre-commit hook). Pass `--ci` / `--ci-verify` to also add CI workflows.
55    Init {
56        /// Modify Cargo.toml to add `aristo` as a dependency. Default
57        /// behavior just prints the dep line for the user to paste in.
58        #[arg(short, long)]
59        force: bool,
60
61        /// Also write a lite PR-gate workflow (`.github/workflows/aristo.yml`)
62        /// that runs audit/lint/doc via the shared aristo-action. No token needed.
63        #[arg(long)]
64        ci: bool,
65
66        /// Also write the nightly/manual verify workflow
67        /// (`.github/workflows/aristo-verify.yml`). Needs an `ARETTA_TOKEN` repo
68        /// secret (paid tier). Implies `--ci`.
69        #[arg(long)]
70        ci_verify: bool,
71
72        /// Install a local pre-commit hook (DEPRECATED). Off by default and no
73        /// longer auto-installed: the index is a gitignored cache, so CI
74        /// (`aristo verify --audit`) is the enforcement point. The hook only
75        /// runs `aristo doc` + `lint` locally as a convenience.
76        #[arg(long)]
77        hook: bool,
78    },
79
80    /// Print a syntax cheat sheet for the detected language.
81    Lang {
82        /// Detect language for a specific file. Currently only Rust
83        /// (`.rs`) is supported; other extensions error out.
84        #[arg(long)]
85        file: Option<PathBuf>,
86    },
87
88    /// Install Aristo skills for a coding agent (claude-code, cursor, codex, opencode, antigravity).
89    InstallSkills {
90        /// Target agent. Required unless `--list-agents` is used.
91        #[arg(long, value_name = "name")]
92        agent: Option<String>,
93        /// List supported agents and exit.
94        #[arg(long)]
95        list_agents: bool,
96        /// Install at user-level (e.g. ~/.claude/skills/) instead of project-level.
97        #[arg(long)]
98        user: bool,
99        /// Re-pin installed skills to this binary's version. With `--agent`,
100        /// re-installs that agent; without it, heals every already-installed
101        /// agent in place (both scopes, or just `--user`).
102        #[arg(long)]
103        update: bool,
104        /// Report whether installed skills are stale relative to this binary
105        /// (read-only). Exits non-zero if any are out of date.
106        #[arg(long)]
107        check: bool,
108        /// Internal: emit a SessionStart hook `additionalContext` block when
109        /// installed skills are stale (used by the hook this command installs).
110        #[arg(long, hide = true)]
111        hook_format: bool,
112    },
113
114    /// Reverse `install-skills`: remove SDK-bundled skills.
115    UninstallSkills {
116        /// Target agent. Required.
117        #[arg(long, value_name = "name")]
118        agent: String,
119        /// Uninstall from user-level instead of project-level.
120        #[arg(long)]
121        user: bool,
122        /// Override the "skip locally-modified" safety check.
123        #[arg(long)]
124        force: bool,
125    },
126
127    /// Scan source for annotations and write the index (`.aristo/index.toml`).
128    Index {
129        /// Force a full re-walk, ignoring the per-file mtime cache.
130        #[arg(long)]
131        all: bool,
132    },
133
134    /// Refresh the annotation index — pick up new annotations, detect
135    /// drift, and (when signed in) match against the Aretta canon.
136    Stamp {
137        /// CI mode: report whether `stamp` would change the index,
138        /// without writing. Exits non-zero if it would. Skips the
139        /// canon-match step too (no outbound network calls in this
140        /// mode).
141        #[arg(long)]
142        check: bool,
143        /// Skip the canon-match step for this run. Doesn't disable
144        /// canon globally — set `[canon] enabled = false` in
145        /// `aristo.toml` for that. Useful when you're offline or want
146        /// a fast local stamp.
147        #[arg(long = "skip-canon")]
148        skip_canon: bool,
149        /// Invalidate the local canon-match cache and re-query every
150        /// annotation on this run. Equivalent to
151        /// `aristo canon refresh && aristo stamp`.
152        #[arg(long = "refresh-canon", conflicts_with = "skip_canon")]
153        refresh_canon: bool,
154        /// Garbage-collect archived orphan proofs after stamping. Removed
155        /// annotations' `.proof` files are normally *archived* (moved to
156        /// `.aristo/archive/proofs/`) so a stray stamp never loses a verdict;
157        /// `--gc` is the only path that hard-deletes them. No-op under
158        /// `--check` (CI must not mutate the workspace).
159        #[arg(long = "gc")]
160        gc: bool,
161    },
162
163    /// Look up an annotation by id, fn / mod / struct name, or file:line.
164    Show {
165        /// Selector: bare id, `fn <name>`, `mod <name>`, `struct <name>`,
166        /// `enum <name>`, `trait <name>`, or `<file>:<line>`.
167        selector: String,
168        /// Emit the entry as JSON instead of human-readable text.
169        #[arg(long, conflicts_with = "toml_out")]
170        json: bool,
171        /// Emit the entry as TOML (mirrors the on-disk index schema).
172        #[arg(long = "toml", conflicts_with = "json")]
173        toml_out: bool,
174    },
175
176    /// List every annotation in the index.
177    List {
178        /// Unified filter clause (`id=<id>`, `file=<path>`,
179        /// `parent=<id>`, `status=<state>`). Repeatable; multiple
180        /// `--filter` flags AND together.
181        #[arg(long = "filter", value_name = "key=value")]
182        filters: Vec<String>,
183        /// Emit a JSON array of records instead of human-readable text.
184        #[arg(long)]
185        json: bool,
186    },
187
188    /// Project-level summary (tier, counts, freshness).
189    Status,
190
191    /// Machine-readable project metrics (counts, unverified backlog, tier).
192    /// The same `Metrics` value the nudge engine computes internally.
193    Metrics {
194        /// Emit the metrics as a JSON object instead of a human summary.
195        #[arg(long)]
196        json: bool,
197    },
198
199    /// The nudge/progress engine. With no `--event`, prints what the engine
200    /// would surface right now (human introspection). With `--event`, runs as
201    /// a Claude Code hook emitter (`post-tool-use` / `user-prompt-submit` /
202    /// `session-start`) — always exits 0 so a nudge can never break the
203    /// agent's workflow. Agent-facing output uses `additionalContext` (the
204    /// only channel that reaches the model); `Stop` is intentionally not
205    /// served (its output never reaches the agent).
206    Nudge {
207        /// Hook event to serve (omit for the human readout).
208        #[arg(long)]
209        event: Option<String>,
210    },
211
212    /// Ambient one-line status segment for the Claude Code `statusLine`
213    /// (e.g. `aristo  3 review · 2 unverified · Apprentice`). Read-only;
214    /// prints nothing when there's no workspace or nudges are off.
215    Statusline,
216
217    /// Review newly-authored intents (#7). With no flags, lists what awaits
218    /// review (split into new-this-session vs backlog when a baseline exists).
219    /// `--mark <id>` records intents as reviewed once you've looked at them.
220    Review {
221        /// Mark these authored intents reviewed (repeatable; comma-lists OK).
222        /// The whole batch is validated before anything is written.
223        #[arg(long = "mark", value_name = "ID")]
224        mark: Vec<String>,
225        /// Emit the review snapshot (or mark result) as JSON instead of a
226        /// human summary.
227        #[arg(long)]
228        json: bool,
229    },
230
231    /// Check annotation prose for quality issues (rule-based; no LLM).
232    Lint {
233        /// Read-only mode: exit non-zero on `error` findings (or
234        /// `warn` with `--strict`); never modifies source.
235        #[arg(long)]
236        check: bool,
237        /// Apply auto-fixable lint rules (whitespace only) to source
238        /// files in place.
239        #[arg(long, conflicts_with = "check")]
240        fix: bool,
241        /// Treat `warn` severity as failure too (only meaningful with `--check`).
242        #[arg(long)]
243        strict: bool,
244    },
245
246    /// Run verification for every annotation that opted in.
247    Verify {
248        /// Unified filter clause (`id=<id>`, `file=<path>`,
249        /// `parent=<id>`, `status=<state>`). Repeatable; multiple
250        /// `--filter` flags AND together.
251        #[arg(long = "filter", value_name = "key=value")]
252        filters: Vec<String>,
253        /// Re-verify entries that are already in a clean verified
254        /// state. By default they're skipped; pass `--rerun` to force
255        /// a re-check.
256        #[arg(long)]
257        rerun: bool,
258        /// CI mode: report whether any status would change, without
259        /// writing the index. Exits non-zero if any change is needed.
260        #[arg(long)]
261        check: bool,
262        /// Treat warn-severity verification outcomes as failure too.
263        #[arg(long)]
264        strict: bool,
265        /// Audit mode: regenerate the index in memory and validate every
266        /// `.aristo/proofs/<id>.proof` against current source. Reports
267        /// fresh / stale / refuted / orphan counts; with `--strict`, exits
268        /// non-zero on any stale, counterexample, or orphan proof. The CI
269        /// freshness gate (replaces `aristo stamp --check`) — no dispatch,
270        /// no network, no token.
271        #[arg(long = "audit")]
272        audit: bool,
273        /// Apply pending verdict files in `.aristo/proofs/` to the
274        /// index. Reads every `<id>.proof`, runs the mechanical
275        /// validator, and (if it passes) flips the entry's status.
276        /// Skips dispatch of new verifications when set.
277        #[arg(long = "apply-verdicts", conflicts_with = "submit_verdict")]
278        apply_verdicts: bool,
279        /// Migration only: ignore any agent-stamped ground hashes in
280        /// the `.proof` files and recompute them from the cited file
281        /// ranges and index entries. Use this once when migrating
282        /// from older proof files that recorded hashes the SDK now
283        /// fills in itself. Without this flag, a stamped hash that
284        /// mismatches the current source is reported as staleness
285        /// and the proof is rejected. Only meaningful with
286        /// `--apply-verdicts`.
287        #[arg(long = "rewrite-hashes", requires = "apply_verdicts")]
288        rewrite_hashes: bool,
289        /// **Internal — invoked by the verification skill.** Submit
290        /// a single verdict: parse the JSON payload, validate it,
291        /// and (on pass) atomically write `.aristo/proofs/<id>.proof`.
292        /// Prints `accepted: sha256:<hex>` on success; structured
293        /// errors on reject. Agents never write `.proof` files
294        /// directly — the SDK is the sole writer.
295        #[arg(long = "submit-verdict", requires = "id", requires = "json")]
296        submit_verdict: bool,
297        /// Annotation id this verdict is about. Required with
298        /// `--submit-verdict`. The `.proof` file lands at
299        /// `.aristo/proofs/<id>.proof` (with `:` rewritten to `__`).
300        #[arg(long = "id", requires = "submit_verdict")]
301        id: Option<String>,
302        /// JSON-serialized ProofFile body. Required with
303        /// `--submit-verdict`. Pass as a single-quoted shell string;
304        /// the SDK parses it into a ProofFile and rejects anything
305        /// the validator would reject. Same schema as the TOML body
306        /// written on accept.
307        #[arg(long = "json", requires = "submit_verdict")]
308        json: Option<String>,
309        /// **Internal — invoked by the verification skill.**
310        /// Atomically claim one task from the pending queue and
311        /// print its TOML body to stdout. Empty stdout means the
312        /// queue is drained (exit 0 either way). Verify workers are
313        /// single-shot — call once, process the task, exit — so
314        /// context doesn't carry between verifications. The
315        /// orchestrator runs N workers in parallel and uses
316        /// `--queue-status` to decide when to spawn the next wave.
317        #[arg(long = "pop-next", conflicts_with_all = ["apply_verdicts", "submit_verdict", "queue_status"])]
318        pop_next: bool,
319        /// Peek at queue state without claiming. Prints `pending: N`,
320        /// `claimed: M` to stdout, exit 0. Used by the orchestrator
321        /// to decide whether to dispatch another wave of workers.
322        /// Safe to call concurrently.
323        #[arg(long = "queue-status", conflicts_with_all = ["apply_verdicts", "submit_verdict"])]
324        queue_status: bool,
325        /// Block until the canon-verify session reaches a terminal
326        /// state, rendering a snapshot at each long-poll return and
327        /// emitting a `still running…` heartbeat every 60s. Exit code
328        /// is derived from the final summary: `0` iff every
329        /// annotation is `verified` or `no_coverage`. Without
330        /// `--wait` the SDK detaches after dispatch (prints session
331        /// id and exits 0). Combine with `--view <id>` to attach to
332        /// a session another invocation started.
333        #[arg(long = "wait")]
334        wait: bool,
335        /// Re-attach to a previously-dispatched canon-verify session
336        /// by id. Skips the source eligibility scan, push-first
337        /// precheck, and POST — just GETs the session state and
338        /// renders. Combine with `--wait` to block until terminal.
339        #[arg(long = "view", value_name = "SESSION_ID")]
340        view: Option<String>,
341        /// Subset the canon-verify dispatch to the listed annotation
342        /// ids. Comma-separated; each id must be a canon-bound entry
343        /// (`aristos:foo` or `kanon:bar`) in the workspace's index.
344        /// Bare canon-id suffixes (e.g. `foo`) are accepted as a
345        /// shorthand. `arta_*` (server-side opaque) ids are rejected
346        /// — those are not user-facing.
347        #[arg(long = "tags", value_name = "id1,id2,...", value_delimiter = ',')]
348        tags: Vec<String>,
349        /// Phase 16 (c): record a user-side known-failure waiver for a
350        /// canon-bound property your code currently violates. Write-only
351        /// — does NOT dispatch a verification. Requires `--because`. The
352        /// gap lands in `.aristo/expectations.toml` (commit it); at
353        /// verify time it renders as a "known gap (accepted)" instead of
354        /// a failure, and the strict ratchet flips it back to red if the
355        /// property ever starts passing — so stale waivers can't rot.
356        /// Accepts a bare canon-id suffix (e.g. `foo`) as shorthand.
357        #[arg(
358            long = "accept",
359            value_name = "CANON_ID",
360            requires = "because",
361            conflicts_with_all = [
362                "view", "wait", "tags", "rerun", "check", "strict", "filters",
363                "apply_verdicts", "rewrite_hashes", "submit_verdict", "id",
364                "json", "pop_next", "queue_status"
365            ]
366        )]
367        accept: Option<String>,
368        /// Reason the gap is accepted (mandatory with `--accept`).
369        /// Recorded verbatim and shown on the verify card. A reasonless
370        /// waiver is how baselines rot, so it is required.
371        #[arg(long = "because", value_name = "REASON", requires = "accept")]
372        because: Option<String>,
373        /// Optional tracking reference (issue URL, ticket id) for the
374        /// accepted gap. Only meaningful with `--accept`.
375        #[arg(long = "tracking", value_name = "REF", requires = "accept")]
376        tracking: Option<String>,
377    },
378
379    /// Run the critique skill against annotation prose — opinionated
380    /// suggestions, severity-tagged findings.
381    Critique {
382        /// Unified filter clause (`id=<id>[,<id>,...]`,
383        /// `file=<path>`, `parent=<id>`, `status=<state>`). Repeatable;
384        /// multiple `--filter` flags AND together; values may be
385        /// comma-separated. **REQUIRED** — `aristo critique` with no
386        /// filter errors with usage. To sweep every annotation in the
387        /// index, opt in explicitly with `--all --yes`.
388        #[arg(long = "filter", value_name = "key=value")]
389        filters: Vec<String>,
390        /// Apply pending critique files in `.aristo/critiques/` —
391        /// re-validate every `<id>.critique` and print a summary
392        /// grouped by id. Defaults to listing only findings whose
393        /// `disposition` is `None` (open / not yet reviewed); pass
394        /// `--include-closed` for the full view including findings
395        /// already triaged via `aristo session decide`.
396        #[arg(long = "apply-findings", conflicts_with_all = ["submit_findings", "pop_next", "queue_status"])]
397        apply_findings: bool,
398        /// Include findings whose `disposition` has been set (Accepted /
399        /// Rejected / Deferred) in the `--apply-findings` summary.
400        /// By default only open findings are listed — closed ones
401        /// stop re-surfacing on every apply, which is how a review
402        /// closes the loop. Only meaningful with `--apply-findings`.
403        #[arg(long = "include-closed", requires = "apply_findings")]
404        include_closed: bool,
405        /// Force re-enqueue of every matched annotation, bypassing the
406        /// `last_critiqued_at_text_hash` cache. Default behavior skips
407        /// annotations whose text hasn't drifted since the cached
408        /// critique was produced (so re-runs of `aristo critique
409        /// --filter id=X` are free when X is unchanged).
410        #[arg(long = "rerun")]
411        rerun: bool,
412        /// Restrict scope to annotations in files git-staged for the
413        /// next commit (`git diff --cached --name-only`). Useful for
414        /// pre-commit hook integration. Satisfies the filter-required
415        /// guard on its own; composes with explicit `--filter`
416        /// clauses via intersection (annotations must match BOTH
417        /// `--filter` and appear in the staged set).
418        #[arg(long = "staged")]
419        staged: bool,
420        /// Sweep every intent annotation that has a real `verify`
421        /// method (skips documentation-only `verify = false`). Loud
422        /// on purpose: prints `(this will enqueue N annotations;
423        /// ~$X cost — proceed with --all --yes?)` and exits 2 unless
424        /// you also pass `--yes`. Without the confirmation, an agent
425        /// could accidentally fire hundreds of LLM calls in one go.
426        #[arg(long = "all", conflicts_with_all = ["filters", "staged"])]
427        all: bool,
428        /// Skip the confirmation prompt for `--all`. Required
429        /// alongside `--all` to actually enqueue the sweep; without
430        /// it `--all` just prints the cost estimate and exits 2.
431        #[arg(long = "yes", requires = "all")]
432        yes: bool,
433        /// **Internal — invoked by the critique skill.** Atomically
434        /// claim one task from the critique queue and print its TOML
435        /// body to stdout. Empty stdout means the queue is drained
436        /// (exit 0 either way). Unlike verify, critique workers loop
437        /// on this call — the tasks are shallow and vocabulary stays
438        /// consistent when one worker handles several.
439        #[arg(long = "pop-next", conflicts_with_all = ["apply_findings", "submit_findings", "queue_status"])]
440        pop_next: bool,
441        /// Peek at queue state without claiming. Prints `pending: N`
442        /// + `claimed: M` to stdout, exit 0.
443        #[arg(long = "queue-status", conflicts_with_all = ["apply_findings", "submit_findings"])]
444        queue_status: bool,
445        /// **Internal — invoked by the critique skill.** Submit a
446        /// single critique: parse the JSON payload, validate it, and
447        /// (on accept) atomically write
448        /// `.aristo/critiques/<id>.critique`. Prints
449        /// `accepted: sha256:<hex>` on success.
450        #[arg(long = "submit-findings", requires = "id", requires = "json")]
451        submit_findings: bool,
452        /// Annotation id this submission is about. Required with
453        /// `--submit-findings`.
454        #[arg(long = "id", requires = "submit_findings")]
455        id: Option<String>,
456        /// JSON-serialized CritiqueFile body. Required with
457        /// `--submit-findings`.
458        #[arg(long = "json", requires = "submit_findings")]
459        json: Option<String>,
460    },
461
462    /// Generate per-annotation markdown to .aristo/doc/.
463    Doc {
464        /// Write only the crate-root summary (`_summary.md`); skip the
465        /// per-annotation pass.
466        #[arg(long)]
467        summary: bool,
468        /// Include each annotation's current verification status in
469        /// the rendered markdown. Status is a build-time snapshot
470        /// that drifts as code evolves; the default omits it so doc
471        /// artifacts stay reproducible on a clean checkout.
472        #[arg(long = "include-status")]
473        include_status: bool,
474        /// CI mode: recompute expected per-annotation MD from the index,
475        /// compare against `.aristo/doc/`, exit non-zero on drift. Never
476        /// writes.
477        #[arg(long)]
478        check: bool,
479        /// Composite: also generate the annotation graph (Mermaid)
480        /// and embed it inline in `_summary.md`. Implies `--summary`.
481        /// Conflicts with `--check` (read-only mode can't write the
482        /// graph block).
483        #[arg(long = "include-graph", conflicts_with = "check")]
484        include_graph: bool,
485    },
486
487    /// Generate the annotation graph (Mermaid / DOT / SVG).
488    Graph {
489        /// Output format. `mermaid` (default) emits a fenced
490        /// flowchart TD block; `dot` emits Graphviz DOT; `svg`
491        /// requires `dot` on PATH and shells out to render.
492        #[arg(long, default_value = "mermaid")]
493        format: String,
494        /// Write to this path instead of stdout. Atomic via
495        /// temp-file + rename. Relative paths resolve against the
496        /// invoking directory.
497        #[arg(long)]
498        out: Option<PathBuf>,
499        /// Unified filter clause (`id=<id>`, `file=<path>[:<LO>-<HI>]`,
500        /// `parent=<id>`, `status=<state>`). Repeatable; multiple
501        /// `--filter` flags AND together. With no filter, the scope
502        /// is the whole index.
503        #[arg(long = "filter", value_name = "key=value")]
504        filters: Vec<String>,
505        /// Drop `assume` nodes from the rendered graph. They're
506        /// included by default because assumes describe the
507        /// background facts your intents rely on — dropping them by
508        /// default would hide those.
509        #[arg(long = "exclude-assumes")]
510        exclude_assumes: bool,
511        /// Walk N hops from each filter-matched node in both
512        /// directions (ancestors + descendants) and include them in
513        /// the rendered graph. Useful for "show me this annotation
514        /// plus some context". Only meaningful with `--filter`;
515        /// without a filter, the scope is already the whole index.
516        #[arg(long, value_name = "N")]
517        depth: Option<u32>,
518        /// Include intent nodes that have no parent and no children.
519        /// They're omitted by default — usually they're standalone
520        /// claims that don't add structure to the rendered graph.
521        /// Assumes are always included (see `--exclude-assumes` for
522        /// that opt-out).
523        #[arg(long = "include-orphans")]
524        include_orphans: bool,
525        /// Color nodes by their current verification status instead
526        /// of by `verify` level (verified=green / tested=blue /
527        /// neural=yellow / stale=orange / orphan=purple /
528        /// forged=red+border / unknown=gray /
529        /// counterexample=red+border / inconclusive=red+border /
530        /// pending-deepen=gray). The `verify` level moves to the
531        /// in-node label. Use when you want to see what's still
532        /// unverified.
533        #[arg(long = "include-status")]
534        include_status: bool,
535    },
536
537    /// Generate a shareable SVG verification badge for README / docs.
538    Badge {
539        /// Write SVG to this path (relative to workspace root, or absolute).
540        /// Default: stdout.
541        #[arg(long)]
542        out: Option<PathBuf>,
543        /// Badge style: `flat-square` (default), `flat`, or `plastic`.
544        #[arg(long, default_value = "flat-square")]
545        style: String,
546        /// Which metric the SVG value half displays. `tier` (default,
547        /// the locked D7 score → D8 tier) is the headline signal;
548        /// `count` and `rate` preserve the slice-31 surfaces for
549        /// projects that prefer the simpler counters.
550        #[arg(long, default_value = "tier")]
551        metric: String,
552    },
553
554    /// Rename an annotation id everywhere it appears — source files,
555    /// index, and doc artifacts. Either every change lands or none do.
556    ///
557    /// Supported renames: bare → bare, and stamp-assigned opaque
558    /// (`aret_*`) → bare. Canon-bound prefixes (`aristos:` / `kanon:`)
559    /// are rejected in either direction — those prefixes are applied
560    /// by `aristo canon accept` and removed by `aristo canon unbind`.
561    /// The new id cannot itself be an opaque `aret_*` id (those are
562    /// stamp-assigned only).
563    Rename {
564        /// Annotation id to rename FROM. Must exist in the current
565        /// `.aristo/index.toml`.
566        old_id: String,
567        /// Annotation id to rename TO. Must not already exist and must
568        /// not use the reserved `aret_*` / `aristos:` / `kanon:`
569        /// prefixes.
570        new_id: String,
571        /// Compute and print the rename plan (source edits + per-id
572        /// artifact moves + index updates) without writing anything.
573        #[arg(long = "dry-run")]
574        dry_run: bool,
575    },
576
577    /// Run a review session over a pipeline's open artifacts —
578    /// critique findings, proof verdicts, and so on. Start it,
579    /// inspect bucket counts, record decisions, and close out.
580    Session {
581        #[command(subcommand)]
582        action: SessionAction,
583    },
584
585    /// Sign in to the Aretta canon API. Required for `aristo stamp`
586    /// and `aristo critique` to see canon matches on the Pro /
587    /// Enterprise tiers.
588    Auth {
589        #[command(subcommand)]
590        action: AuthAction,
591    },
592
593    /// Manage canon bindings: accept or reject pending matches,
594    /// inspect or refresh the local cache, unbind bound ids, and
595    /// request a verifier for a canon entry.
596    Canon {
597        #[command(subcommand)]
598        action: CanonAction,
599    },
600}
601
602/// Subcommands under `aristo auth`. Each operates on the persistent
603/// credentials store under `$XDG_CONFIG_HOME/aristo/credentials`
604/// (or the platform default per `aristo_core::auth`).
605#[derive(clap::Subcommand, Debug)]
606pub(crate) enum AuthAction {
607    /// Authenticate against the Aretta proxy.
608    ///
609    /// **Default mode (GitHub OAuth):** the CLI fetches the GitHub
610    /// authorization URL from the proxy, tries to open it in your
611    /// browser, and prompts you to paste the code shown on the
612    /// proxy's callback page. The proxy then mints an `arta_*`
613    /// token scoped to your `(user, repo)` pair.
614    ///
615    /// **Bypass modes (for CI / scripting):**
616    ///
617    /// - **`--stdin`** — read the raw token from stdin
618    ///   (`echo "$TOKEN" | aristo auth login --stdin`).
619    /// - **`--token=<T>`** — use the literal token value.
620    ///
621    /// The token is persisted to `$XDG_CONFIG_HOME/aristo/credentials`
622    /// with `0600` Unix permissions.
623    Login {
624        /// Read the token from stdin (consumes entire stdin). Skips
625        /// the OAuth flow.
626        #[arg(long, conflicts_with = "token")]
627        stdin: bool,
628        /// Use this token directly. Skips the OAuth flow.
629        #[arg(long, value_name = "TOKEN")]
630        token: Option<String>,
631        /// Aretta server to authenticate against. Accepts:
632        /// `prod` / `production` (= https://code.aretta.ai, default),
633        /// `dev` / `development` / `staging` (= https://dev.aretta.ai),
634        /// or a full URL for self-hosted deployments
635        /// (`https://aretta.example.com`).
636        #[arg(long, default_value = "prod")]
637        server: String,
638        /// Repo to scope the OAuth-minted token to (`owner/repo`).
639        /// Defaults to auto-deriving from `<cwd>/.git/config`'s
640        /// `remote.origin.url`. Required for non-git directories or
641        /// when the remote isn't a GitHub URL. Ignored in `--stdin` /
642        /// `--token` bypass modes (where the token is supplied
643        /// directly with its server-side scope already set).
644        #[arg(long, value_name = "OWNER/REPO")]
645        repo: Option<String>,
646    },
647    /// Show the current authentication state. Never prints the token
648    /// itself — only its source (env var, credentials file, or none).
649    /// Handy for sanity-checking before running `aristo stamp`.
650    Status,
651    /// Print the resolved `arta_*` token to stdout — the `ARETTA_TOKEN`
652    /// env var if set, else the on-disk credentials file. Nothing else is
653    /// printed, so it pipes cleanly to your clipboard, e.g.
654    /// `aristo auth token | pbcopy` (macOS) or
655    /// `aristo auth token | xclip -selection clipboard` (Linux). Handy for
656    /// setting the `ARETTA_TOKEN` CI secret. Errors if not authenticated.
657    Token,
658    /// Remove the stored credentials file. Idempotent — running
659    /// `logout` when not logged in is not an error.
660    Logout,
661}
662
663/// Subcommands under `aristo canon`.
664#[derive(clap::Subcommand, Debug)]
665pub(crate) enum CanonAction {
666    /// Accept a pending canon match: rewrite source to use the
667    /// canonical text + apply the `aristos:` / `kanon:` prefix to
668    /// the annotation id, update the index entry's binding state
669    /// to `Bound`, and move the cache entry from `pending_matches`
670    /// to `accepted_matches`.
671    ///
672    /// Both arguments are required: the bare annotation id as it
673    /// appears in `.aristo/index.toml` (NOT prefixed; the prefix
674    /// is applied by accept) and the bare canon id from the
675    /// pending match (e.g. `cell_written_exactly_once_per_page_edit`).
676    Accept {
677        /// Annotation id whose pending match you're accepting. Use
678        /// the bare form (no `aristos:` / `kanon:` prefix); the
679        /// prefix is applied by the accept itself based on the
680        /// pending match's `prefix_tier`.
681        annotation_id: String,
682        /// Canon id from the pending match (also bare — no
683        /// prefix). The pair `(annotation_id, canon_id)` locates
684        /// the exact pending match in `.aristo/canon-matches.toml`.
685        canon_id: String,
686    },
687
688    /// Reject a pending canon match: move the entry from
689    /// `pending_matches` to `rejected_matches`, pinned to the
690    /// current annotation `text_hash`. The rejection keeps the same
691    /// `(canon_id, text_hash)` pair from re-surfacing on future
692    /// `aristo stamp` runs; once the annotation text changes, the
693    /// rejection no longer applies and the match is re-evaluated.
694    /// Source and index are not touched — rejection is a cache-only
695    /// operation.
696    Reject {
697        /// Annotation id whose pending match you're rejecting.
698        annotation_id: String,
699        /// Canon id from the pending match.
700        canon_id: String,
701        /// Optional note recorded with the rejection. Useful for
702        /// capturing the *why* (e.g. "this canon entry is too broad",
703        /// "wrong category") for whoever revisits it later.
704        #[arg(long = "reason")]
705        reason: Option<String>,
706    },
707
708    /// List the current canon match state: one line per annotation
709    /// with pending / accepted / rejected counts, plus per-bucket
710    /// detail lines for each match. Reads `.aristo/canon-matches.toml`;
711    /// does not call the canon API.
712    List,
713
714    /// Fetch the canon entry detail for `<canon_id>` via the canon
715    /// API and render the longer description + example + references.
716    /// For the full trust card (server description + local binding
717    /// state combined), use `aristo show <bound_id>` instead.
718    Show {
719        /// Bare canon id (no `aristos:` / `kanon:` prefix). The
720        /// server's `GET /canon/entry/<canon_id>` endpoint returns
721        /// the same entry regardless of which tier you'd bind into;
722        /// the prefix is a per-user, per-scope attribute.
723        canon_id: String,
724        /// Optional explicit version (`v<minor>.<patch>`). Omit to
725        /// get the catalog's currently active version.
726        #[arg(long = "version")]
727        version: Option<String>,
728    },
729
730    /// Re-query the canon API for every annotation in the index,
731    /// bypassing the local match cache. Equivalent to
732    /// `aristo stamp --refresh-canon` without the rest of the stamp
733    /// pipeline — no source walk, no drift check, no index rewrite.
734    /// Useful when you know a new catalog version has shipped and
735    /// want fresh matches without a full stamp.
736    Refresh,
737
738    /// Reverse of `aristo canon accept`: strip the `aristos:` /
739    /// `kanon:` prefix from a canon-bound annotation, revert its
740    /// binding to `Local`, and drop the accepted_matches cache
741    /// entry. Source is rewritten in place (only the `id =` value
742    /// changes; canonical text + verify + parent are preserved).
743    /// The next `aristo stamp` may re-pull a fresh pending match
744    /// against the same annotation text.
745    Unbind {
746        /// Canon-bound annotation id including the prefix (e.g.
747        /// `aristos:cell_written_exactly_once_per_page_edit`).
748        prefixed_id: String,
749    },
750
751    /// Record a verification-demand signal against a canon entry.
752    /// Idempotent on `(canon_id, repo, user)` — repeated calls don't
753    /// pile up. Use when an annotation is bound at the `kanon:` tier
754    /// and you'd like Aretta to invest in a verifier for that canon
755    /// entry.
756    RequestVerify {
757        /// Canon id (no prefix). The same id the trust card shows,
758        /// or that `aristo canon list` reports.
759        canon_id: String,
760        /// Optional note to attach to the demand signal (e.g.
761        /// "critical for our financial-tx audit"). A repeat call
762        /// with a new note replaces the previous one server-side.
763        #[arg(long = "notes")]
764        notes: Option<String>,
765    },
766
767    /// Report per-binding version drift between the local cache and
768    /// the canon API. Reports three classes: `current` (no change),
769    /// `patch-bump` (same canon_id, newer version — recommended
770    /// action: `aristo canon refresh`), and `minor-bump` (canon_id
771    /// retired — recommended action: `aristo canon unbind <id>` then
772    /// re-stamp). Currently diagnostic-only; automatic patch-bump
773    /// application is planned.
774    Migrate,
775
776    /// List or inspect queued §17 proof-tree suggestions (the related
777    /// canon entries dragged in alongside a primary match). Read-only:
778    /// it does not open a review session or mutate the queue. To review
779    /// and adopt suggestions, run `aristo session start intent-review`.
780    ///
781    /// With no argument, lists every queued cluster. With an
782    /// `<objective>` (the cluster's objective canon_id, or the seeding
783    /// primary id for siblings-only clusters), shows that cluster's
784    /// detail. With `--counts`, emits a machine-readable JSON summary
785    /// `{matches:{new,pending}, suggestions:{new,pending}}` for the
786    /// menu / skill entry Q&A.
787    Suggestions {
788        /// Objective canon_id (or seeding primary id) of the cluster to
789        /// show. Omit to list all queued clusters.
790        objective: Option<String>,
791        /// Emit counts only (`{matches:{...}, suggestions:{...}}`) as
792        /// JSON; no per-cluster detail. Mutually exclusive with
793        /// passing an `<objective>`.
794        #[arg(long = "counts", conflicts_with = "objective")]
795        counts: bool,
796        /// Scope the listing with the shared `--filter` grammar
797        /// (`id=`, `file=[:LO-HI]`, `parent=`, `status=`). The
798        /// `cluster <objective>` mode (§6B) is `--filter
799        /// parent=<kanon:objective>` — it scopes the list to one proof
800        /// cluster (leaves carry `parent=`). Multiple `--filter` flags
801        /// AND together. No new grammar — reuses `filter.rs` verbatim.
802        #[arg(
803            long = "filter",
804            value_name = "KEY=VALUE",
805            conflicts_with = "objective"
806        )]
807        filter: Vec<Filter>,
808    },
809}
810
811/// Subcommands under `aristo session`. Each maps to one substrate
812/// operation; per-kind side effects (e.g. mutating a `.critique`
813/// file on accept) plug in via the `SessionKind` trait wired in
814/// step 5.
815#[derive(clap::Subcommand, Debug)]
816pub(crate) enum SessionAction {
817    /// Begin a new review session of the given kind. Fails if a
818    /// session is already active — pass `--allow-nesting` to override
819    /// (currently no kind allows nesting).
820    Start {
821        /// Session kind (`critique-review`, `proof-review`).
822        kind: String,
823        /// Display label for the artifact under review (e.g.
824        /// `src/critique/pending.rs` or
825        /// `proof:balance_no_duplicate_cells`).
826        #[arg(long = "subject")]
827        subject: String,
828        /// Override the kind's default nesting policy. Currently only
829        /// `Disallow` is implemented; the flag is reserved for future
830        /// per-kind opt-ins.
831        #[arg(long = "allow-nesting", default_value_t = false)]
832        allow_nesting: bool,
833    },
834    /// Print the active session id (or empty stdout if none).
835    /// Exit 0 either way.
836    Active {
837        /// Emit the full `<system-reminder>` block instead of just
838        /// the id — for the `UserPromptSubmit` hook installed by
839        /// `aristo install-skills`. Empty stdout when no session
840        /// is active (the hook then injects nothing).
841        #[arg(long = "hook-format", default_value_t = false)]
842        hook_format: bool,
843    },
844    /// Print bucket counts + open items for the active session.
845    /// Exit 0; errors out if no session is active.
846    Status,
847    /// Record a decision on one item in the active session.
848    Decide {
849        /// Item reference (`<id>#<index>` for indexed items, or any
850        /// opaque per-kind string).
851        #[arg(long = "item")]
852        item: String,
853        /// Which bucket the item lands in.
854        #[arg(long = "bucket", value_enum)]
855        bucket: BucketArg,
856        /// Optional note recorded with the decision.
857        #[arg(long = "note")]
858        note: Option<String>,
859    },
860    /// Close the active session. Strict by default — errors out if
861    /// any items are still in the open bucket.
862    Exit {
863        /// Move open items to the per-kind backlog instead of
864        /// erroring. Items are never silently dropped; the next
865        /// session of this kind surfaces them via the backlog menu.
866        #[arg(long = "defer-undecided", default_value_t = false)]
867        defer_undecided: bool,
868    },
869    /// Cancel the session and discard every decision recorded so far.
870    /// Requires `--yes` to skip the confirmation prompt.
871    Abort {
872        /// Skip the confirmation prompt.
873        #[arg(long = "yes", default_value_t = false)]
874        yes: bool,
875    },
876    /// List the active session and the most recent N closed sessions.
877    List {
878        /// Maximum number of closed-session rows to include.
879        #[arg(long = "limit", default_value_t = 10)]
880        limit: usize,
881    },
882}
883
884/// User-facing bucket choices for `aristo session decide`. Maps to
885/// the substrate's [`session::types::ItemStatus`] (minus `Open`,
886/// which is the implicit pre-decision state).
887#[derive(Debug, Clone, Copy, PartialEq, Eq, clap::ValueEnum)]
888pub(crate) enum BucketArg {
889    Accepted,
890    Rejected,
891    Pending,
892}
893
894/// Process entry point. Parses `argv`, dispatches to the chosen subcommand,
895/// and returns the exit code. Prints `error: <msg>` to stderr on any
896/// `CliError`.
897pub fn run() -> ExitCode {
898    let cli = Cli::parse();
899    let code = match dispatch(cli.command) {
900        Ok(()) => ExitCode::SUCCESS,
901        Err(e) => {
902            if !e.is_silent() {
903                eprintln!("error: {e}");
904            }
905            ExitCode::from(e.exit_code())
906        }
907    };
908    // Best-effort "newer aristo available" notice, printed after the
909    // command's own output and never affecting its exit code. Silent in
910    // CI / pipes / on opt-out (see `update_notify`).
911    update_notify::maybe_notify();
912    code
913}
914
915/// Maps a parsed `Commands` variant to its handler.
916fn dispatch(cmd: Commands) -> CliResult<()> {
917    match cmd {
918        Commands::Init {
919            force,
920            ci,
921            ci_verify,
922            hook,
923        } => commands::init::run(force, ci, ci_verify, hook),
924        Commands::Lang { file } => commands::lang::run(file),
925        Commands::InstallSkills {
926            agent,
927            list_agents,
928            user,
929            update,
930            check,
931            hook_format,
932        } => {
933            commands::install_skills::install(agent, list_agents, user, update, check, hook_format)
934        }
935        Commands::UninstallSkills { agent, user, force } => {
936            commands::install_skills::uninstall(agent, user, force)
937        }
938        Commands::Index { all } => commands::index::run(all),
939        Commands::Stamp {
940            check,
941            skip_canon,
942            refresh_canon,
943            gc,
944        } => commands::stamp::run(check, skip_canon, refresh_canon, gc),
945        Commands::Show {
946            selector,
947            json,
948            toml_out,
949        } => commands::show::run(&selector, output_mode(json, toml_out)),
950        Commands::List { filters, json } => commands::list::run(&filters, json),
951        Commands::Status => commands::status::run(),
952        Commands::Metrics { json } => commands::metrics::run(json),
953        Commands::Nudge { event } => commands::nudge::run(event),
954        Commands::Statusline => commands::statusline::run(),
955        Commands::Review { mark, json } => commands::review::run(json, mark),
956        Commands::Lint { check, fix, strict } => commands::lint::run(check, fix, strict),
957        Commands::Verify {
958            filters,
959            rerun,
960            check,
961            strict,
962            audit,
963            apply_verdicts,
964            rewrite_hashes,
965            submit_verdict,
966            id,
967            json,
968            pop_next,
969            queue_status,
970            wait,
971            view,
972            tags,
973            accept,
974            because,
975            tracking,
976        } => commands::verify::run(
977            &filters,
978            rerun,
979            check,
980            strict,
981            audit,
982            apply_verdicts,
983            rewrite_hashes,
984            submit_verdict,
985            pop_next,
986            queue_status,
987            id,
988            json,
989            wait,
990            view,
991            &tags,
992            accept,
993            because,
994            tracking,
995        ),
996        Commands::Critique {
997            filters,
998            apply_findings,
999            include_closed,
1000            rerun,
1001            staged,
1002            all,
1003            yes,
1004            pop_next,
1005            queue_status,
1006            submit_findings,
1007            id,
1008            json,
1009        } => commands::critique::run(
1010            &filters,
1011            submit_findings,
1012            pop_next,
1013            queue_status,
1014            apply_findings,
1015            include_closed,
1016            rerun,
1017            staged,
1018            all,
1019            yes,
1020            id,
1021            json,
1022        ),
1023        Commands::Doc {
1024            summary,
1025            include_status,
1026            check,
1027            include_graph,
1028        } => commands::doc::run(summary, include_status, check, include_graph),
1029        Commands::Graph {
1030            format,
1031            out,
1032            filters,
1033            exclude_assumes,
1034            depth,
1035            include_orphans,
1036            include_status,
1037        } => commands::graph::run(
1038            &format,
1039            out,
1040            &filters,
1041            exclude_assumes,
1042            depth,
1043            include_orphans,
1044            include_status,
1045        ),
1046        Commands::Badge { out, style, metric } => {
1047            let style =
1048                commands::badge::Style::parse(&style).map_err(|message| CliError::Other {
1049                    message,
1050                    exit_code: 2,
1051                })?;
1052            let metric =
1053                commands::badge::Metric::parse(&metric).map_err(|message| CliError::Other {
1054                    message,
1055                    exit_code: 2,
1056                })?;
1057            commands::badge::run(out, style, metric)
1058        }
1059        Commands::Rename {
1060            old_id,
1061            new_id,
1062            dry_run,
1063        } => commands::rename::run(&old_id, &new_id, dry_run),
1064        Commands::Session { action } => commands::session::run(action),
1065        Commands::Auth { action } => commands::auth::run(action),
1066        Commands::Canon { action } => match action {
1067            CanonAction::Accept {
1068                annotation_id,
1069                canon_id,
1070            } => commands::canon::accept::run(&annotation_id, &canon_id),
1071            CanonAction::Reject {
1072                annotation_id,
1073                canon_id,
1074                reason,
1075            } => commands::canon::reject::run(&annotation_id, &canon_id, reason),
1076            CanonAction::List => commands::canon::list::run(),
1077            CanonAction::Show { canon_id, version } => {
1078                commands::canon::show::run(&canon_id, version)
1079            }
1080            CanonAction::Refresh => commands::canon::refresh::run(),
1081            CanonAction::Unbind { prefixed_id } => commands::canon::unbind::run(&prefixed_id),
1082            CanonAction::RequestVerify { canon_id, notes } => {
1083                commands::canon::request_verify::run(&canon_id, notes)
1084            }
1085            CanonAction::Migrate => commands::canon::migrate::run(),
1086            CanonAction::Suggestions {
1087                objective,
1088                counts,
1089                filter,
1090            } => commands::canon::suggestions::run(objective, counts, filter),
1091        },
1092    }
1093}
1094
1095fn output_mode(json: bool, toml_out: bool) -> commands::show::OutputMode {
1096    if json {
1097        commands::show::OutputMode::Json
1098    } else if toml_out {
1099        commands::show::OutputMode::Toml
1100    } else {
1101        commands::show::OutputMode::Text
1102    }
1103}
1104
1105#[cfg(test)]
1106mod tests {
1107    use super::*;
1108    use clap::CommandFactory;
1109
1110    #[test]
1111    fn cli_parser_construction_is_valid() {
1112        // clap performs a structural sanity check (e.g. no duplicate
1113        // subcommand names) when CommandFactory::command() runs. We assert
1114        // it succeeds rather than panicking at runtime when a user types
1115        // `--help`. Cheap canary against future enum-shape mistakes.
1116        Cli::command().debug_assert();
1117    }
1118
1119    // Note: slice 32 removed the last `not_yet(...)` stub (Rename now
1120    // has a real implementation). The `CliError::NotImplemented` variant
1121    // is kept for future stubs but is no longer reachable from dispatch.
1122}