@0dai-dev/cli 4.1.0 → 4.2.0

package/lib/commands/ssh.js

@@ -0,0 +1,416 @@
+"use strict";
+
+const shared = require("../shared");
+const { https, http, fs, path, os, API_URL, AUTH_FILE, log } = shared;
+const { cmdAuthLogin } = require("./auth");
+
+const BEGIN_MARKER = "# BEGIN 0dai managed";
+const END_MARKER = "# END 0dai managed";
+
+function _apiRequest(method, endpoint, payload, extraHeaders = {}) {
+  return new Promise((resolve, reject) => {
+    const url = new URL(endpoint, API_URL);
+    const mod = url.protocol === "https:" ? https : http;
+    const body = payload === undefined ? null : JSON.stringify(payload);
+    const headers = {
+      Accept: "application/json",
+      "User-Agent": "0dai-cli/ssh",
+      ...extraHeaders,
+    };
+    if (body !== null) {
+      headers["Content-Type"] = "application/json";
+      headers["Content-Length"] = Buffer.byteLength(body);
+    }
+    try {
+      const auth = JSON.parse(fs.readFileSync(AUTH_FILE, "utf8"));
+      const token = auth.api_key || auth.access_token || auth.token;
+      if (token && !headers.Authorization) headers.Authorization = `Bearer ${token}`;
+    } catch {}
+
+    const req = mod.request(
+      {
+        hostname: url.hostname,
+        port: url.port || (url.protocol === "https:" ? 443 : 80),
+        path: url.pathname,
+        method,
+        headers,
+        timeout: 60000,
+      },
+      (res) => {
+        const chunks = [];
+        res.on("data", (chunk) => chunks.push(chunk));
+        res.on("end", () => {
+          const raw = Buffer.concat(chunks).toString("utf8");
+          let parsed = {};
+          try {
+            parsed = raw ? JSON.parse(raw) : {};
+          } catch {
+            parsed = { error: raw || `HTTP ${res.statusCode}` };
+          }
+          if (res.statusCode >= 200 && res.statusCode < 300) {
+            resolve(parsed);
+            return;
+          }
+          reject(new Error(parsed.error || parsed.message || `HTTP ${res.statusCode}`));
+        });
+      }
+    );
+    req.on("error", (err) => reject(err));
+    req.on("timeout", () => {
+      req.destroy();
+      reject(new Error("request timed out after 60s"));
+    });
+    if (body !== null) req.write(body);
+    req.end();
+  });
+}
+
+async function _ensureAuthenticated() {
+  let authed = false;
+  try {
+    const auth = JSON.parse(fs.readFileSync(AUTH_FILE, "utf8"));
+    authed = Boolean(auth?.api_key || auth?.access_token || auth?.token);
+  } catch {}
+  if (!authed) {
+    if (process.stdout.isTTY && process.stdin.isTTY) {
+      await cmdAuthLogin();
+      return;
+    }
+    throw new Error("authentication required — run '0dai auth login' first");
+  }
+}
+
+function _parseArgs(args) {
+  const options = {
+    name: "",
+    file: "",
+    publicKey: "",
+    keyId: "",
+    grantId: "",
+    hostId: "",
+    environment: "",
+    userEmail: "",
+    unixUser: "",
+    tokenEnv: "ODAI_SSH_SYNC_TOKEN",
+    homeRoot: "",
+    json: false,
+    apply: false,
+  };
+  for (let i = 0; i < args.length; i += 1) {
+    const arg = args[i];
+    if (arg === "--name" && args[i + 1]) {
+      options.name = args[++i];
+    } else if (arg === "--file" && args[i + 1]) {
+      options.file = args[++i];
+    } else if (arg === "--public-key" && args[i + 1]) {
+      options.publicKey = args[++i];
+    } else if (arg === "--key-id" && args[i + 1]) {
+      options.keyId = args[++i];
+    } else if (arg === "--grant-id" && args[i + 1]) {
+      options.grantId = args[++i];
+    } else if (arg === "--host-id" && args[i + 1]) {
+      options.hostId = args[++i];
+    } else if (arg === "--env" && args[i + 1]) {
+      options.environment = args[++i];
+    } else if (arg === "--user-email" && args[i + 1]) {
+      options.userEmail = args[++i];
+    } else if (arg === "--unix-user" && args[i + 1]) {
+      options.unixUser = args[++i];
+    } else if (arg === "--token-env" && args[i + 1]) {
+      options.tokenEnv = args[++i];
+    } else if (arg === "--home-root" && args[i + 1]) {
+      options.homeRoot = args[++i];
+    } else if (arg === "--json") {
+      options.json = true;
+    } else if (arg === "--apply") {
+      options.apply = true;
+    }
+  }
+  return options;
+}
+
+function _require(value, label) {
+  if (!value) throw new Error(`${label} required`);
+}
+
+function _readPublicKey(options) {
+  if (options.publicKey) return options.publicKey.trim();
+  if (options.file) return fs.readFileSync(options.file, "utf8").trim();
+  throw new Error("--file or --public-key required");
+}
+
+function _printJson(payload) {
+  console.log(JSON.stringify(payload, null, 2));
+}
+
+function _printKeys(keys) {
+  if (!Array.isArray(keys) || keys.length === 0) {
+    console.log("No SSH keys yet. Add one with: 0dai ssh key add --name laptop --file ~/.ssh/id_ed25519.pub");
+    return;
+  }
+  console.log(`SSH Keys (${keys.length})`);
+  console.log("ID                Name            Algorithm                  Status    Fingerprint");
+  console.log("-".repeat(96));
+  for (const key of keys) {
+    console.log(
+      `${String(key.key_id || "").slice(0, 16).padEnd(16)} ` +
+      `${String(key.name || "").slice(0, 14).padEnd(14)} ` +
+      `${String(key.algorithm || "").slice(0, 25).padEnd(25)} ` +
+      `${String(key.status || "").padEnd(8)} ` +
+      `${key.fingerprint_sha256 || ""}`
+    );
+  }
+}
+
+function _printHosts(ownedHosts, accessibleHosts) {
+  console.log(`Owned Hosts (${ownedHosts.length})`);
+  if (!ownedHosts.length) {
+    console.log("  none");
+  } else {
+    for (const host of ownedHosts) {
+      console.log(`  ${host.host_id}  ${host.name}  [${host.environment}]  token:${host.token_hint || "—"}  last-sync:${host.last_sync_at || "never"}`);
+    }
+  }
+  console.log("");
+  console.log(`Accessible Hosts (${accessibleHosts.length})`);
+  if (!accessibleHosts.length) {
+    console.log("  none");
+  } else {
+    for (const host of accessibleHosts) {
+      console.log(`  ${host.name}  unix:${host.unix_user}  owner:${host.owner_email || "—"}`);
+    }
+  }
+}
+
+function _printGrants(grants) {
+  if (!Array.isArray(grants) || grants.length === 0) {
+    console.log("No grants yet.");
+    return;
+  }
+  console.log(`SSH Grants (${grants.length})`);
+  for (const grant of grants) {
+    console.log(`  ${grant.grant_id}  host:${grant.host_name || grant.host_id}  user:${grant.user_email}  unix:${grant.unix_user}  ${grant.state}`);
+  }
+}
+
+function _printAudit(audit) {
+  if (!Array.isArray(audit) || audit.length === 0) {
+    console.log("No SSH audit events yet.");
+    return;
+  }
+  console.log(`SSH Audit (${audit.length})`);
+  for (const entry of audit.slice(-20).reverse()) {
+    console.log(`  ${entry.created_at}  ${entry.kind}  ${entry.subject_id}`);
+  }
+}
+
+function _resolveAuthorizedKeysPath(unixUser, homeRoot) {
+  const currentUser = process.env.USER || process.env.LOGNAME || "";
+  if (unixUser === currentUser) {
+    return path.join(os.homedir(), ".ssh", "authorized_keys");
+  }
+  const base = homeRoot || "/home";
+  return path.join(base, unixUser, ".ssh", "authorized_keys");
+}
+
+function _mergeManagedBlock(existingText, managedText) {
+  const lines = String(existingText || "").split(/\r?\n/);
+  const kept = [];
+  let insideManaged = false;
+  for (const line of lines) {
+    if (line.trim() === BEGIN_MARKER) {
+      insideManaged = true;
+      continue;
+    }
+    if (line.trim() === END_MARKER) {
+      insideManaged = false;
+      continue;
+    }
+    if (!insideManaged) kept.push(line);
+  }
+  const unmanaged = kept.join("\n").trim();
+  return unmanaged ? `${unmanaged}\n\n${managedText}\n` : `${managedText}\n`;
+}
+
+function _buildManagedBlock(hostId, unixUser, authorizedKeys) {
+  const lines = [
+    BEGIN_MARKER,
+    `# host_id=${hostId} unix_user=${unixUser}`,
+    ...authorizedKeys,
+    END_MARKER,
+  ];
+  return lines.join("\n");
+}
+
+function _applySyncState(state, options) {
+  const results = [];
+  for (const entry of state.unix_users || []) {
+    const unixUser = entry.unix_user;
+    const filePath = _resolveAuthorizedKeysPath(unixUser, options.homeRoot);
+    const dirPath = path.dirname(filePath);
+    fs.mkdirSync(dirPath, { recursive: true, mode: 0o700 });
+    let existing = "";
+    if (fs.existsSync(filePath)) {
+      existing = fs.readFileSync(filePath, "utf8");
+      const backupPath = `${filePath}.bak.${Date.now()}`;
+      fs.copyFileSync(filePath, backupPath);
+    }
+    const nextContent = _mergeManagedBlock(
+      existing,
+      _buildManagedBlock(state.host.host_id, unixUser, entry.authorized_keys || [])
+    );
+    const tmpPath = `${filePath}.tmp`;
+    fs.writeFileSync(tmpPath, nextContent, { mode: 0o600 });
+    fs.renameSync(tmpPath, filePath);
+    results.push({ unix_user: unixUser, path: filePath, key_count: (entry.authorized_keys || []).length });
+  }
+  return results;
+}
+
+async function cmdSsh(_target, sub, args) {
+  const entity = sub || "help";
+  const action = args[2] || "";
+  const options = _parseArgs(args);
+
+  try {
+    if (entity === "sync") {
+      _require(options.hostId, "--host-id");
+      const syncToken = String(process.env[options.tokenEnv] || "").trim();
+      if (!syncToken) throw new Error(`${options.tokenEnv} is empty`);
+      const state = await _apiRequest("POST", "/v1/ssh/sync", { host_id: options.hostId }, { "X-SSH-Sync-Token": syncToken });
+      if (options.json) {
+        _printJson(state);
+        return;
+      }
+      console.log(`SSH sync state ${state.state_version} for ${state.host.name}`);
+      for (const entry of state.unix_users || []) {
+        console.log(`  ${entry.unix_user}: ${(entry.authorized_keys || []).length} keys`);
+      }
+      if (!options.apply) {
+        console.log("");
+        console.log("Dry run only. Re-run with --apply to update authorized_keys.");
+        return;
+      }
+      const results = _applySyncState(state, options);
+      console.log("");
+      console.log("Applied managed authorized_keys blocks:");
+      for (const item of results) {
+        console.log(`  ${item.unix_user} → ${item.path} (${item.key_count} keys)`);
+      }
+      return;
+    }
+
+    await _ensureAuthenticated();
+
+    if (entity === "key") {
+      if (action === "add") {
+        const payload = { name: options.name, public_key: _readPublicKey(options) };
+        const result = await _apiRequest("POST", "/v1/ssh/keys/add", payload);
+        if (options.json) return _printJson(result);
+        console.log(`Added SSH key ${result.key.key_id}`);
+        console.log(`  ${result.key.fingerprint_sha256}`);
+        return;
+      }
+      if (action === "revoke") {
+        _require(options.keyId, "--key-id");
+        const result = await _apiRequest("POST", "/v1/ssh/keys/revoke", { key_id: options.keyId });
+        if (options.json) return _printJson(result);
+        console.log(`Revoked SSH key ${result.key.key_id}`);
+        return;
+      }
+      const result = await _apiRequest("POST", "/v1/ssh/keys/list", {});
+      if (options.json) return _printJson(result);
+      _printKeys(result.keys || []);
+      return;
+    }
+
+    if (entity === "host") {
+      if (action === "register") {
+        _require(options.name, "--name");
+        const result = await _apiRequest("POST", "/v1/ssh/hosts/register", { name: options.name, environment: options.environment });
+        if (options.json) return _printJson(result);
+        console.log(`Registered host ${result.host.host_id} (${result.host.name})`);
+        console.log(`  export ODAI_SSH_SYNC_TOKEN=${result.sync_token}`);
+        console.log(`  0dai ssh sync --host-id ${result.host.host_id} --apply`);
+        return;
+      }
+      if (action === "rotate-token") {
+        _require(options.hostId, "--host-id");
+        const result = await _apiRequest("POST", "/v1/ssh/hosts/rotate-token", { host_id: options.hostId });
+        if (options.json) return _printJson(result);
+        console.log(`Rotated sync token for ${result.host.name}`);
+        console.log(`  export ODAI_SSH_SYNC_TOKEN=${result.sync_token}`);
+        return;
+      }
+      const result = await _apiRequest("POST", "/v1/ssh/hosts/list", {});
+      if (options.json) return _printJson(result);
+      _printHosts(result.owned_hosts || [], result.accessible_hosts || []);
+      return;
+    }
+
+    if (entity === "grant") {
+      if (action === "add") {
+        _require(options.hostId, "--host-id");
+        _require(options.userEmail, "--user-email");
+        _require(options.unixUser, "--unix-user");
+        const result = await _apiRequest("POST", "/v1/ssh/grants/add", {
+          host_id: options.hostId,
+          user_email: options.userEmail,
+          unix_user: options.unixUser,
+        });
+        if (options.json) return _printJson(result);
+        console.log(`Added SSH grant ${result.grant.grant_id}`);
+        return;
+      }
+      if (action === "revoke") {
+        const grantId = options.grantId || args[3];
+        _require(grantId, "--grant-id");
+        const result = await _apiRequest("POST", "/v1/ssh/grants/revoke", { grant_id: grantId });
+        if (options.json) return _printJson(result);
+        console.log(`Revoked SSH grant ${result.grant.grant_id}`);
+        return;
+      }
+      const result = await _apiRequest("POST", "/v1/ssh/overview", {});
+      if (options.json) return _printJson(result);
+      _printGrants(result.grants || []);
+      return;
+    }
+
+    if (entity === "audit") {
+      const result = await _apiRequest("POST", "/v1/ssh/overview", {});
+      if (options.json) return _printJson(result);
+      _printAudit(result.audit || []);
+      return;
+    }
+
+    if (entity === "status" || entity === "overview") {
+      const result = await _apiRequest("POST", "/v1/ssh/overview", {});
+      if (options.json) return _printJson(result);
+      _printKeys(result.keys || []);
+      console.log("");
+      _printHosts(result.owned_hosts || [], result.accessible_hosts || []);
+      console.log("");
+      _printGrants(result.grants || []);
+      console.log("");
+      _printAudit(result.audit || []);
+      return;
+    }
+
+    console.log("Usage:");
+    console.log("  0dai ssh key add --name laptop --file ~/.ssh/id_ed25519.pub");
+    console.log("  0dai ssh key list");
+    console.log("  0dai ssh key revoke --key-id <sshk_...>");
+    console.log("  0dai ssh host register --name prod-api --env production");
+    console.log("  0dai ssh host list");
+    console.log("  0dai ssh host rotate-token --host-id <sshh_...>");
+    console.log("  0dai ssh grant add --host-id <sshh_...> --user-email dev@example.com --unix-user deploy");
+    console.log("  0dai ssh grant revoke --grant-id <sshg_...>");
+    console.log("  0dai ssh audit");
+    console.log("  0dai ssh sync --host-id <sshh_...> --token-env ODAI_SSH_SYNC_TOKEN [--apply] [--home-root /home]");
+  } catch (err) {
+    log(`error: ${err.message}`);
+    process.exit(1);
+  }
+}
+
+module.exports = { cmdSsh };

package/lib/commands/status.js

@@ -1,43 +1,40 @@
 "use strict";
 const shared = require("../shared");
-const { log, T, R, D, fs, path, spawnSync, findRepoScript, getSwarmQuotaLocal, _detectPlanLocal, PLAN_LEVELS } = shared;
+const {
+  log, T, R, D, fs, path, spawnSync, findRepoScript,
+  getSwarmQuotaLocal, _detectPlanLocal, PLAN_LEVELS, loadAuthState,
+} = shared;
 
-function cmdStatus(target) {
+function countJson(dir) {
+  try { return fs.readdirSync(dir).filter(f => f.endsWith(".json")).length; } catch { return 0; }
+}
+
+function loadJson(file) {
+  try { return JSON.parse(fs.readFileSync(file, "utf8")); } catch { return null; }
+}
+
+function collectStatusPayload(target) {
   const ai = path.join(target, "ai");
   let v = "?", stack = "?";
   try { v = fs.readFileSync(path.join(ai, "VERSION"), "utf8").trim(); } catch {}
   try { stack = JSON.parse(fs.readFileSync(path.join(ai, "manifest", "discovery.json"), "utf8")).stack || "?"; } catch {}
-  log(`v${v} | stack: ${stack}`);
 
-  const count = (dir) => { try { return fs.readdirSync(dir).filter(f => f.endsWith(".json")).length; } catch { return 0; } };
-  const q = count(path.join(ai, "swarm", "queue"));
-  const a = count(path.join(ai, "swarm", "active"));
-  const d = count(path.join(ai, "swarm", "done"));
-  if (q || a || d) console.log(`  swarm: ${q} queued, ${a} active, ${d} done`);
+  const q = countJson(path.join(ai, "swarm", "queue"));
+  const a = countJson(path.join(ai, "swarm", "active"));
+  const d = countJson(path.join(ai, "swarm", "done"));
 
-  // Swarm quota
   const quota = getSwarmQuotaLocal(target);
-  if (quota.plan === "free") {
-    console.log(`  swarm quota: ${D}locked (Free) — upgrade for ${quota.daily_limit} tasks/day${R}`);
-  } else {
-    console.log(`  swarm quota: ${quota.used_today}/${quota.daily_limit} tasks today (${quota.plan})`);
-  }
-
-  // Session roaming status
   const sessPlan = _detectPlanLocal(target);
   const sessLocked = PLAN_LEVELS[sessPlan] < PLAN_LEVELS["pro"];
-  if (sessLocked) {
-    console.log(`  session roaming: ${D}locked (Free) — upgrade to save/resume sessions${R}`);
-  } else {
-    console.log(`  session roaming: ${T}available (${sessPlan})${R}`);
-  }
 
-  try {
-    const s = JSON.parse(fs.readFileSync(path.join(ai, "sessions", "active.json"), "utf8"));
-    console.log(`  session: ${(s.task || {}).goal || "?"} (agent: ${s.current_agent || "?"})`);
-  } catch {}
+  const session = loadJson(path.join(ai, "sessions", "active.json"));
+  const auth = loadAuthState() || {};
+  const budget = loadJson(path.join(ai, "swarm", "budget.json")) || {};
+  const today = new Date().toISOString().slice(0, 10);
+  const budgetDaily = budget.daily && typeof budget.daily === "object" ? budget.daily : {};
 
-  // Anti-pattern warnings count
+  let driftDetected = false;
+  let warningCount = 0;
   try {
     const ds = findRepoScript(target, "anti_pattern_detector.py");
     if (ds) {
@@ -45,25 +42,98 @@ function cmdStatus(target) {
                            { stdio: ["ignore", "pipe", "ignore"], encoding: "utf8", timeout: 5000 });
       if (wr.status === 0 && wr.stdout) {
         const wc = JSON.parse(wr.stdout.trim());
-        if (wc.count > 0) console.log(`  warnings: ${wc.count} active — run: 0dai experience warnings`);
+        warningCount = Number(wc.count || 0);
       }
     }
   } catch {}
 
-  // First-status tip (shows once after init)
-  try { require("../onboarding").showFirstStatusTip(target); } catch {}
-
-  // Drift warning (lightweight)
   try {
     const ds = findRepoScript(target, "drift_detector.py");
     if (ds) {
       const dr = spawnSync("python3", [ds, "report", "--target", target],
                            { stdio: ["ignore", "pipe", "ignore"], encoding: "utf8", timeout: 5000 });
-      if (dr.stdout && (dr.stdout.includes("MODIFIED") || dr.stdout.includes("CONTRADICTS"))) {
-        console.log(`  drift: config changes detected — run: 0dai doctor --drift`);
-      }
+      driftDetected = !!(dr.stdout && (dr.stdout.includes("MODIFIED") || dr.stdout.includes("CONTRADICTS")));
     }
   } catch {}
+
+  return {
+    version: v,
+    stack,
+    swarm: {
+      queued: q,
+      active: a,
+      done: d,
+      quota_state: quota.plan === "free" ? "locked" : "available",
+      quota_plan: quota.plan,
+      used_today: Number(quota.used_today || 0),
+      daily_limit: Number(quota.daily_limit || 0),
+    },
+    session: {
+      id: session ? (session.id || null) : null,
+      name: session ? ((session.task || {}).goal || null) : null,
+      agent: session ? (session.current_agent || null) : null,
+      archive_count: countJson(path.join(ai, "sessions", "archive")),
+      roaming_state: sessLocked ? "locked" : "available",
+      roaming_plan: sessPlan,
+    },
+    auth: {
+      logged_in: !!(auth.api_key || auth.access_token || auth.token),
+      email: auth.email || auth.user || null,
+      tier: auth.plan || sessPlan || "free",
+      activation: ((auth.license || {}).status) || "inactive",
+      activation_id: ((auth.license || {}).activation_id) || null,
+    },
+    budget: {
+      today: Number(budgetDaily[today] || 0),
+      total_spent: Number(budget.total_spent || 0),
+    },
+    drift: {
+      detected: driftDetected,
+    },
+    warnings: warningCount,
+  };
+}
+
+function cmdStatus(target, options = {}) {
+  const payload = collectStatusPayload(target);
+  if (options.json) {
+    console.log(JSON.stringify(payload, null, 2));
+    return payload;
+  }
+
+  log(`v${payload.version} | stack: ${payload.stack}`);
+
+  if (payload.swarm.queued || payload.swarm.active || payload.swarm.done) {
+    console.log(`  swarm: ${payload.swarm.queued} queued, ${payload.swarm.active} active, ${payload.swarm.done} done`);
+  }
+
+  if (payload.swarm.quota_state === "locked") {
+    console.log(`  swarm quota: ${D}locked (Free) — upgrade for ${payload.swarm.daily_limit} tasks/day${R}`);
+  } else {
+    console.log(`  swarm quota: ${payload.swarm.used_today}/${payload.swarm.daily_limit} tasks today (${payload.swarm.quota_plan})`);
+  }
+
+  if (payload.session.roaming_state === "locked") {
+    console.log(`  session roaming: ${D}locked (Free) — upgrade to save/resume sessions${R}`);
+  } else {
+    console.log(`  session roaming: ${T}available (${payload.session.roaming_plan})${R}`);
+  }
+
+  if (payload.session.name) {
+    console.log(`  session: ${payload.session.name} (agent: ${payload.session.agent || "?"})`);
+  }
+
+  if (payload.warnings > 0) {
+    console.log(`  warnings: ${payload.warnings} active — run: 0dai experience warnings`);
+  }
+
+  try { require("../onboarding").showFirstStatusTip(target); } catch {}
+
+  if (payload.drift.detected) {
+    console.log(`  drift: config changes detected — run: 0dai doctor --drift`);
+  }
+
+  return payload;
 }
 
-module.exports = { cmdStatus };
+module.exports = { cmdStatus, collectStatusPayload };

package/lib/commands/tui.js

@@ -0,0 +1,49 @@
+"use strict";
+const path = require("path");
+const shared = require("../shared");
+const { log, D, R, VERSION } = shared;
+
+/**
+ * `0dai tui` — read-only dashboard (issue #373).
+ *
+ * Lazy-loads lib/tui/index.js (pre-built by scripts/build-tui.js at prepack
+ * time). Degrades gracefully if the bundle / peer deps aren't available so
+ * non-TUI users on minimal installs still get a useful message.
+ */
+async function cmdTui(target, args = []) {
+  if (!process.stdout.isTTY) {
+    console.error("0dai tui requires an interactive TTY. Try: 0dai status");
+    process.exit(2);
+  }
+
+  // Ink 5.x is ESM; bundle is .mjs so we load it via dynamic import
+  // from this CJS entry.
+  const bundlePath = path.join(__dirname, "..", "tui", "index.mjs");
+  let tui;
+  try {
+    // Use the file:// URL form so Windows paths with drive letters load too.
+    const url = require("url").pathToFileURL(bundlePath).href;
+    tui = await import(url);
+  } catch (err) {
+    const code = err && err.code;
+    const msg = String(err && err.message || "");
+    if (code === "ERR_MODULE_NOT_FOUND" || msg.includes("Cannot find module")) {
+      log("TUI bundle missing. Rebuild with:");
+      console.log(`  ${D}cd $(npm root -g)/@0dai-dev/cli && node scripts/build-tui.js${R}`);
+      process.exit(1);
+    }
+    throw err;
+  }
+
+  let plan = "free";
+  try {
+    const auth = shared.loadAuthState();
+    if (auth && auth.plan) plan = auth.plan;
+  } catch {
+    // keep default plan
+  }
+
+  await tui.run({ target, version: VERSION, plan });
+}
+
+module.exports = { cmdTui };

package/lib/commands/workspace.js

@@ -108,6 +108,7 @@ function detectSessions(target) {
 function cmdWorkspaceInit(target, args) {
   const globalFlag = args.includes("--global");
 
+  const sessions = detectSessions(target);
   if (sessions.length === 0) {
     log("no services detected. Create workspace config manually with: 0dai workspace add");
     return;