@aigne/afs-cli 1.11.0-beta.11 → 1.11.0-beta.13

package/dist/providers/vault/dist/key-resolver.mjs

@@ -0,0 +1,180 @@
+import { deriveKeyFromPassphrase, readVaultSalt } from "./encrypted-file.mjs";
+import { randomBytes } from "node:crypto";
+import { execFile } from "node:child_process";
+import { platform } from "node:os";
+import { promisify } from "node:util";
+
+//#region ../../providers/vault/dist/key-resolver.mjs
+/**
+* Master key resolution chain.
+*
+* Priority (first available wins):
+* 1. AFS_VAULT_KEY environment variable (hex-encoded) — explicit override for CI/automation
+* 2. OS Keychain (macOS Keychain / Linux Secret Service) — desktop default
+* 3. Passphrase prompt (key derived via crypto.scrypt, cached in memory)
+*
+* No native dependencies — uses system CLIs for keychain access.
+*/
+const execFileAsync = promisify(execFile);
+const SERVICE_NAME = "afs-vault";
+const ACCOUNT_NAME = "master-key";
+const KEY_LENGTH = 32;
+/** Cached key for the process lifetime (avoids repeated prompts). */
+let cachedKey = null;
+/**
+* Resolve master key using the priority chain.
+*
+* @param interactive - If true, allows passphrase prompt. Default true.
+* @param vaultPath - Path to vault file (used for per-file salt in passphrase mode).
+* @returns 32-byte master key buffer.
+*/
+async function resolveMasterKey(interactive = true, vaultPath) {
+	if (cachedKey) return cachedKey;
+	const envKey = process.env.AFS_VAULT_KEY;
+	if (envKey) {
+		const buf = Buffer.from(envKey, "hex");
+		if (buf.length !== KEY_LENGTH) throw new Error("AFS_VAULT_KEY must be a 64-character hex string (32 bytes)");
+		cachedKey = buf;
+		return buf;
+	}
+	const keychainKey = await readKeychain();
+	if (keychainKey) {
+		cachedKey = keychainKey;
+		return keychainKey;
+	}
+	if (!interactive) throw new Error("No vault master key found. Set AFS_VAULT_KEY environment variable (64-char hex),\nor run in interactive mode to enter a passphrase.");
+	const key = deriveKeyFromPassphrase(await promptPassphrase(), (vaultPath ? await readVaultSalt(vaultPath) : null) ?? await readPassphraseSalt());
+	cachedKey = key;
+	return key;
+}
+/**
+* Store a master key in the OS keychain.
+* Returns true on success, false if keychain is unavailable.
+*/
+async function storeKeychain(masterKey) {
+	const hexKey = masterKey.toString("hex");
+	const os = platform();
+	try {
+		if (os === "darwin") {
+			await execFileAsync("security", [
+				"add-generic-password",
+				"-s",
+				SERVICE_NAME,
+				"-a",
+				ACCOUNT_NAME,
+				"-w",
+				hexKey,
+				"-U"
+			]);
+			return true;
+		}
+		if (os === "linux") {
+			const { spawn: spawn$1 } = await import("node:child_process");
+			return new Promise((resolve) => {
+				const proc = spawn$1("secret-tool", [
+					"store",
+					"--label",
+					"AFS Vault Master Key",
+					"service",
+					SERVICE_NAME,
+					"account",
+					ACCOUNT_NAME
+				]);
+				proc.stdin.write(hexKey);
+				proc.stdin.end();
+				proc.on("close", (code) => resolve(code === 0));
+				proc.on("error", () => resolve(false));
+			});
+		}
+		return false;
+	} catch {
+		return false;
+	}
+}
+/**
+* Read master key from OS keychain.
+* Returns null if not found or keychain unavailable.
+*/
+async function readKeychain() {
+	const os = platform();
+	try {
+		if (os === "darwin") {
+			const { stdout } = await execFileAsync("security", [
+				"find-generic-password",
+				"-s",
+				SERVICE_NAME,
+				"-a",
+				ACCOUNT_NAME,
+				"-w"
+			]);
+			const hex = stdout.trim();
+			if (hex.length === KEY_LENGTH * 2) return Buffer.from(hex, "hex");
+			return null;
+		}
+		if (os === "linux") {
+			const { stdout } = await execFileAsync("secret-tool", [
+				"lookup",
+				"service",
+				SERVICE_NAME,
+				"account",
+				ACCOUNT_NAME
+			]);
+			const hex = stdout.trim();
+			if (hex.length === KEY_LENGTH * 2) return Buffer.from(hex, "hex");
+			return null;
+		}
+		return null;
+	} catch {
+		return null;
+	}
+}
+/**
+* Prompt user for passphrase via stdin (no echo).
+*/
+async function promptPassphrase() {
+	const { createInterface } = await import("node:readline");
+	return new Promise((resolve, reject) => {
+		const rl = createInterface({
+			input: process.stdin,
+			output: process.stderr,
+			terminal: true
+		});
+		if (process.stdin.isTTY) {
+			process.stderr.write("Vault passphrase: ");
+			rl._writeToOutput = () => {};
+		}
+		rl.question("", (answer) => {
+			rl.close();
+			if (process.stdin.isTTY) process.stderr.write("\n");
+			if (!answer || answer.trim() === "") {
+				reject(/* @__PURE__ */ new Error("Passphrase cannot be empty"));
+				return;
+			}
+			resolve(answer);
+		});
+	});
+}
+/**
+* Read or create the passphrase salt file.
+*
+* The salt is stored alongside the vault file to enable consistent
+* key derivation from the same passphrase.
+*/
+async function readPassphraseSalt() {
+	const { homedir: homedir$1 } = await import("node:os");
+	const { join } = await import("node:path");
+	const { readFile, writeFile, mkdir } = await import("node:fs/promises");
+	const saltPath = join(homedir$1(), ".afs-config", "vault-salt");
+	try {
+		const data = await readFile(saltPath);
+		if (data.length === 32) return data;
+	} catch {}
+	const salt = randomBytes(32);
+	await mkdir(join(homedir$1(), ".afs-config"), { recursive: true });
+	await writeFile(saltPath, salt, { mode: 384 });
+	return salt;
+}
+
+//#endregion
+export { resolveMasterKey, storeKeychain };
+//# sourceMappingURL=key-resolver.mjs.map

package/dist/providers/vault/dist/key-resolver.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"key-resolver.mjs","names":["spawn","homedir"],"sources":["../../../../../../providers/vault/dist/key-resolver.mjs"],"sourcesContent":["import { deriveKeyFromPassphrase, readVaultSalt } from \"./encrypted-file.mjs\";\nimport { randomBytes } from \"node:crypto\";\nimport { execFile } from \"node:child_process\";\nimport { platform } from \"node:os\";\nimport { promisify } from \"node:util\";\n\n//#region src/key-resolver.ts\n/**\n* Master key resolution chain.\n*\n* Priority (first available wins):\n* 1. AFS_VAULT_KEY environment variable (hex-encoded) — explicit override for CI/automation\n* 2. OS Keychain (macOS Keychain / Linux Secret Service) — desktop default\n* 3. Passphrase prompt (key derived via crypto.scrypt, cached in memory)\n*\n* No native dependencies — uses system CLIs for keychain access.\n*/\nconst execFileAsync = promisify(execFile);\nconst SERVICE_NAME = \"afs-vault\";\nconst ACCOUNT_NAME = \"master-key\";\nconst KEY_LENGTH = 32;\n/** Cached key for the process lifetime (avoids repeated prompts). */\nlet cachedKey = null;\n/**\n* Resolve master key using the priority chain.\n*\n* @param interactive - If true, allows passphrase prompt. Default true.\n* @param vaultPath - Path to vault file (used for per-file salt in passphrase mode).\n* @returns 32-byte master key buffer.\n*/\nasync function resolveMasterKey(interactive = true, vaultPath) {\n\tif (cachedKey) return cachedKey;\n\tconst envKey = process.env.AFS_VAULT_KEY;\n\tif (envKey) {\n\t\tconst buf = Buffer.from(envKey, \"hex\");\n\t\tif (buf.length !== KEY_LENGTH) throw new Error(\"AFS_VAULT_KEY must be a 64-character hex string (32 bytes)\");\n\t\tcachedKey = buf;\n\t\treturn buf;\n\t}\n\tconst keychainKey = await readKeychain();\n\tif (keychainKey) {\n\t\tcachedKey = keychainKey;\n\t\treturn keychainKey;\n\t}\n\tif (!interactive) throw new Error(\"No vault master key found. Set AFS_VAULT_KEY environment variable (64-char hex),\\nor run in interactive mode to enter a passphrase.\");\n\tconst key = deriveKeyFromPassphrase(await promptPassphrase(), (vaultPath ? await readVaultSalt(vaultPath) : null) ?? await readPassphraseSalt());\n\tcachedKey = key;\n\treturn key;\n}\n/**\n* Store a master key in the OS keychain.\n* Returns true on success, false if keychain is unavailable.\n*/\nasync function storeKeychain(masterKey) {\n\tconst hexKey = masterKey.toString(\"hex\");\n\tconst os = platform();\n\ttry {\n\t\tif (os === \"darwin\") {\n\t\t\tawait execFileAsync(\"security\", [\n\t\t\t\t\"add-generic-password\",\n\t\t\t\t\"-s\",\n\t\t\t\tSERVICE_NAME,\n\t\t\t\t\"-a\",\n\t\t\t\tACCOUNT_NAME,\n\t\t\t\t\"-w\",\n\t\t\t\thexKey,\n\t\t\t\t\"-U\"\n\t\t\t]);\n\t\t\treturn true;\n\t\t}\n\t\tif (os === \"linux\") {\n\t\t\tconst { spawn } = await import(\"node:child_process\");\n\t\t\treturn new Promise((resolve) => {\n\t\t\t\tconst proc = spawn(\"secret-tool\", [\n\t\t\t\t\t\"store\",\n\t\t\t\t\t\"--label\",\n\t\t\t\t\t\"AFS Vault Master Key\",\n\t\t\t\t\t\"service\",\n\t\t\t\t\tSERVICE_NAME,\n\t\t\t\t\t\"account\",\n\t\t\t\t\tACCOUNT_NAME\n\t\t\t\t]);\n\t\t\t\tproc.stdin.write(hexKey);\n\t\t\t\tproc.stdin.end();\n\t\t\t\tproc.on(\"close\", (code) => resolve(code === 0));\n\t\t\t\tproc.on(\"error\", () => resolve(false));\n\t\t\t});\n\t\t}\n\t\treturn false;\n\t} catch {\n\t\treturn false;\n\t}\n}\n/**\n* Read master key from OS keychain.\n* Returns null if not found or keychain unavailable.\n*/\nasync function readKeychain() {\n\tconst os = platform();\n\ttry {\n\t\tif (os === \"darwin\") {\n\t\t\tconst { stdout } = await execFileAsync(\"security\", [\n\t\t\t\t\"find-generic-password\",\n\t\t\t\t\"-s\",\n\t\t\t\tSERVICE_NAME,\n\t\t\t\t\"-a\",\n\t\t\t\tACCOUNT_NAME,\n\t\t\t\t\"-w\"\n\t\t\t]);\n\t\t\tconst hex = stdout.trim();\n\t\t\tif (hex.length === KEY_LENGTH * 2) return Buffer.from(hex, \"hex\");\n\t\t\treturn null;\n\t\t}\n\t\tif (os === \"linux\") {\n\t\t\tconst { stdout } = await execFileAsync(\"secret-tool\", [\n\t\t\t\t\"lookup\",\n\t\t\t\t\"service\",\n\t\t\t\tSERVICE_NAME,\n\t\t\t\t\"account\",\n\t\t\t\tACCOUNT_NAME\n\t\t\t]);\n\t\t\tconst hex = stdout.trim();\n\t\t\tif (hex.length === KEY_LENGTH * 2) return Buffer.from(hex, \"hex\");\n\t\t\treturn null;\n\t\t}\n\t\treturn null;\n\t} catch {\n\t\treturn null;\n\t}\n}\n/**\n* Delete master key from OS keychain.\n*/\nasync function deleteKeychain() {\n\tconst os = platform();\n\ttry {\n\t\tif (os === \"darwin\") {\n\t\t\tawait execFileAsync(\"security\", [\n\t\t\t\t\"delete-generic-password\",\n\t\t\t\t\"-s\",\n\t\t\t\tSERVICE_NAME,\n\t\t\t\t\"-a\",\n\t\t\t\tACCOUNT_NAME\n\t\t\t]);\n\t\t\treturn true;\n\t\t}\n\t\tif (os === \"linux\") {\n\t\t\tawait execFileAsync(\"secret-tool\", [\n\t\t\t\t\"clear\",\n\t\t\t\t\"service\",\n\t\t\t\tSERVICE_NAME,\n\t\t\t\t\"account\",\n\t\t\t\tACCOUNT_NAME\n\t\t\t]);\n\t\t\treturn true;\n\t\t}\n\t\treturn false;\n\t} catch {\n\t\treturn false;\n\t}\n}\n/**\n* Prompt user for passphrase via stdin (no echo).\n*/\nasync function promptPassphrase() {\n\tconst { createInterface } = await import(\"node:readline\");\n\treturn new Promise((resolve, reject) => {\n\t\tconst rl = createInterface({\n\t\t\tinput: process.stdin,\n\t\t\toutput: process.stderr,\n\t\t\tterminal: true\n\t\t});\n\t\tif (process.stdin.isTTY) {\n\t\t\tprocess.stderr.write(\"Vault passphrase: \");\n\t\t\trl._writeToOutput = () => {};\n\t\t}\n\t\trl.question(\"\", (answer) => {\n\t\t\trl.close();\n\t\t\tif (process.stdin.isTTY) process.stderr.write(\"\\n\");\n\t\t\tif (!answer || answer.trim() === \"\") {\n\t\t\t\treject(/* @__PURE__ */ new Error(\"Passphrase cannot be empty\"));\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tresolve(answer);\n\t\t});\n\t});\n}\n/**\n* Read or create the passphrase salt file.\n*\n* The salt is stored alongside the vault file to enable consistent\n* key derivation from the same passphrase.\n*/\nasync function readPassphraseSalt() {\n\tconst { homedir } = await import(\"node:os\");\n\tconst { join } = await import(\"node:path\");\n\tconst { readFile, writeFile, mkdir } = await import(\"node:fs/promises\");\n\tconst saltPath = join(homedir(), \".afs-config\", \"vault-salt\");\n\ttry {\n\t\tconst data = await readFile(saltPath);\n\t\tif (data.length === 32) return data;\n\t} catch {}\n\tconst salt = randomBytes(32);\n\tawait mkdir(join(homedir(), \".afs-config\"), { recursive: true });\n\tawait writeFile(saltPath, salt, { mode: 384 });\n\treturn salt;\n}\n/**\n* Reset cached key (for testing).\n*/\nfunction _resetCachedKeyForTesting() {\n\tcachedKey = null;\n}\n\n//#endregion\nexport { _resetCachedKeyForTesting, deleteKeychain, resolveMasterKey, storeKeychain };\n//# sourceMappingURL=key-resolver.mjs.map"],"mappings":";;;;;;;;;;;;;;;;;AAiBA,MAAM,gBAAgB,UAAU,SAAS;AACzC,MAAM,eAAe;AACrB,MAAM,eAAe;AACrB,MAAM,aAAa;;AAEnB,IAAI,YAAY;;;;;;;;AAQhB,eAAe,iBAAiB,cAAc,MAAM,WAAW;AAC9D,KAAI,UAAW,QAAO;CACtB,MAAM,SAAS,QAAQ,IAAI;AAC3B,KAAI,QAAQ;EACX,MAAM,MAAM,OAAO,KAAK,QAAQ,MAAM;AACtC,MAAI,IAAI,WAAW,WAAY,OAAM,IAAI,MAAM,6DAA6D;AAC5G,cAAY;AACZ,SAAO;;CAER,MAAM,cAAc,MAAM,cAAc;AACxC,KAAI,aAAa;AAChB,cAAY;AACZ,SAAO;;AAER,KAAI,CAAC,YAAa,OAAM,IAAI,MAAM,sIAAsI;CACxK,MAAM,MAAM,wBAAwB,MAAM,kBAAkB,GAAG,YAAY,MAAM,cAAc,UAAU,GAAG,SAAS,MAAM,oBAAoB,CAAC;AAChJ,aAAY;AACZ,QAAO;;;;;;AAMR,eAAe,cAAc,WAAW;CACvC,MAAM,SAAS,UAAU,SAAS,MAAM;CACxC,MAAM,KAAK,UAAU;AACrB,KAAI;AACH,MAAI,OAAO,UAAU;AACpB,SAAM,cAAc,YAAY;IAC/B;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA,CAAC;AACF,UAAO;;AAER,MAAI,OAAO,SAAS;GACnB,MAAM,EAAE,mBAAU,MAAM,OAAO;AAC/B,UAAO,IAAI,SAAS,YAAY;IAC/B,MAAM,OAAOA,QAAM,eAAe;KACjC;KACA;KACA;KACA;KACA;KACA;KACA;KACA,CAAC;AACF,SAAK,MAAM,MAAM,OAAO;AACxB,SAAK,MAAM,KAAK;AAChB,SAAK,GAAG,UAAU,SAAS,QAAQ,SAAS,EAAE,CAAC;AAC/C,SAAK,GAAG,eAAe,QAAQ,MAAM,CAAC;KACrC;;AAEH,SAAO;SACA;AACP,SAAO;;;;;;;AAOT,eAAe,eAAe;CAC7B,MAAM,KAAK,UAAU;AACrB,KAAI;AACH,MAAI,OAAO,UAAU;GACpB,MAAM,EAAE,WAAW,MAAM,cAAc,YAAY;IAClD;IACA;IACA;IACA;IACA;IACA;IACA,CAAC;GACF,MAAM,MAAM,OAAO,MAAM;AACzB,OAAI,IAAI,WAAW,aAAa,EAAG,QAAO,OAAO,KAAK,KAAK,MAAM;AACjE,UAAO;;AAER,MAAI,OAAO,SAAS;GACnB,MAAM,EAAE,WAAW,MAAM,cAAc,eAAe;IACrD;IACA;IACA;IACA;IACA;IACA,CAAC;GACF,MAAM,MAAM,OAAO,MAAM;AACzB,OAAI,IAAI,WAAW,aAAa,EAAG,QAAO,OAAO,KAAK,KAAK,MAAM;AACjE,UAAO;;AAER,SAAO;SACA;AACP,SAAO;;;;;;AAqCT,eAAe,mBAAmB;CACjC,MAAM,EAAE,oBAAoB,MAAM,OAAO;AACzC,QAAO,IAAI,SAAS,SAAS,WAAW;EACvC,MAAM,KAAK,gBAAgB;GAC1B,OAAO,QAAQ;GACf,QAAQ,QAAQ;GAChB,UAAU;GACV,CAAC;AACF,MAAI,QAAQ,MAAM,OAAO;AACxB,WAAQ,OAAO,MAAM,qBAAqB;AAC1C,MAAG,uBAAuB;;AAE3B,KAAG,SAAS,KAAK,WAAW;AAC3B,MAAG,OAAO;AACV,OAAI,QAAQ,MAAM,MAAO,SAAQ,OAAO,MAAM,KAAK;AACnD,OAAI,CAAC,UAAU,OAAO,MAAM,KAAK,IAAI;AACpC,2BAAuB,IAAI,MAAM,6BAA6B,CAAC;AAC/D;;AAED,WAAQ,OAAO;IACd;GACD;;;;;;;;AAQH,eAAe,qBAAqB;CACnC,MAAM,EAAE,uBAAY,MAAM,OAAO;CACjC,MAAM,EAAE,SAAS,MAAM,OAAO;CAC9B,MAAM,EAAE,UAAU,WAAW,UAAU,MAAM,OAAO;CACpD,MAAM,WAAW,KAAKC,WAAS,EAAE,eAAe,aAAa;AAC7D,KAAI;EACH,MAAM,OAAO,MAAM,SAAS,SAAS;AACrC,MAAI,KAAK,WAAW,GAAI,QAAO;SACxB;CACR,MAAM,OAAO,YAAY,GAAG;AAC5B,OAAM,MAAM,KAAKA,WAAS,EAAE,cAAc,EAAE,EAAE,WAAW,MAAM,CAAC;AAChE,OAAM,UAAU,UAAU,MAAM,EAAE,MAAM,KAAK,CAAC;AAC9C,QAAO"}

package/dist/repl.cjs

@@ -30,7 +30,11 @@ const ALL_COMMANDS = [
 	"stat",
 	"exec",
 	"explain",
+	"search",
 	"mount",
+	"program",
+	"vault",
+	"service",
 	"explore",
 	"cd",
 	"pwd",
@@ -84,7 +88,11 @@ function formatHelp() {
 		"    stat [path]             Get file or directory info (default: current node)",
 		"    exec <action>           Execute an action",
 		"    explain [topic]         Explain AFS concepts or paths (default: current path)",
-		"    mount                   Mount management",
+		"    search <path> <query>   Search content in a path",
+		"    mount                   Mount management (add, list, remove)",
+		"    program                 Program management (install, list, uninstall)",
+		"    vault                   Credential vault management",
+		"    service                 Daemon service management",
 		"    explore [path]          Interactive TUI explorer (default: current dir)",
 		"",
 		"  REPL Commands:",
@@ -227,18 +235,29 @@ function isExploreCommand(cmd) {
 	const normalized = cmd.replace(/^afs\s+/, "").trim();
 	return normalized === "explore" || normalized.startsWith("explore ");
 }
-function parseExplorePath(cmd, ctx) {
-	const path = cmd.replace(/^afs\s+/, "").trim().split(/\s+/)[1];
-	if (!path) {
-		if (ctx.currentNamespace) return `$afs:${ctx.currentNamespace}${ctx.currentPath}`;
-		return ctx.currentPath;
+function parseExploreArgs(cmd, ctx) {
+	const parts = cmd.replace(/^afs\s+/, "").trim().split(/\s+/).slice(1);
+	let web = false;
+	let port = 0;
+	const pathParts = [];
+	for (let i = 0; i < parts.length; i++) {
+		const part = parts[i];
+		if (part === "--web") web = true;
+		else if (part === "--port" && i + 1 < parts.length) port = Number(parts[++i]) || 0;
+		else if (part.startsWith("--port=")) port = Number(part.slice(7)) || 0;
+		else if (!part.startsWith("-")) pathParts.push(part);
 	}
-	if (!path.startsWith("/") && !path.startsWith("@") && !path.startsWith("$afs")) {
+	let path = pathParts[0];
+	if (!path) path = ctx.currentNamespace ? `$afs:${ctx.currentNamespace}${ctx.currentPath}` : ctx.currentPath;
+	else if (!path.startsWith("/") && !path.startsWith("@") && !path.startsWith("$afs")) {
 		const resolved = normalizePath((0, ufo.joinURL)(ctx.currentPath, path));
-		if (ctx.currentNamespace) return `$afs:${ctx.currentNamespace}${resolved}`;
-		return resolved;
+		path = ctx.currentNamespace ? `$afs:${ctx.currentNamespace}${resolved}` : resolved;
 	}
-	return path;
+	return {
+		path,
+		web,
+		port
+	};
 }
 function createCompleter(ctx) {
 	return function completer(line, callback) {
@@ -375,6 +394,41 @@ async function startRepl(options) {
 		console.warn(`⚠ ${failures.length} ${noun} failed:`);
 		for (const f of failures) console.warn(`  - ${f.path}: ${f.reason}`);
 	}
+	let programManager;
+	try {
+		const { ProgramManager } = await Promise.resolve().then(() => require("./program/program-manager.cjs"));
+		const { scanProgramTriggers } = await Promise.resolve().then(() => require("./program/trigger-scanner.cjs"));
+		const { listInstalledPrograms, getUserConfigDir } = await Promise.resolve().then(() => require("./config/program-install.cjs"));
+		const userConfigDir = getUserConfigDir();
+		programManager = new ProgramManager({
+			globalAFS: afs,
+			createProvider: afs.createProviderFromMount,
+			listPrograms: async () => {
+				return (await listInstalledPrograms({ userConfigDir })).map((p) => ({
+					id: p.id,
+					installPath: p.installPath,
+					mountPath: p.mountPath
+				}));
+			},
+			scanTriggers: async (programDir) => {
+				let compile = null;
+				try {
+					compile = (await import("@aigne/ash")).compileSource;
+				} catch {}
+				return scanProgramTriggers(programDir, compile);
+			},
+			dataDir: (programId) => `/.data/${programId}`,
+			readMountOverrides: async (programId) => {
+				const { readProgramMountOverrides } = await Promise.resolve().then(() => require("./config/program-install.cjs"));
+				return readProgramMountOverrides(programId, { userConfigDir });
+			}
+		});
+		await programManager.activateAll();
+		const activated = programManager.getActivatedPrograms();
+		if (activated.length > 0) console.log(`Activated ${activated.length} program(s): ${activated.join(", ")}`);
+	} catch (err) {
+		console.error(`[PM] Program activation error:`, err instanceof Error ? err.message : err);
+	}
 	const executor = new require_index.AFSCommandExecutor(afs, {
 		cwd,
 		tty: true,
@@ -389,6 +443,7 @@ async function startRepl(options) {
 	let closed = false;
 	let rl;
 	let originalDataHandler = null;
+	let activeWebExplorer = null;
 	function startReplLoop() {
 		const stdin = process.stdin;
 		if (stdin._readableState) {
@@ -448,22 +503,30 @@ async function startRepl(options) {
 		rl.on("close", () => {
 			if (!closed) {
 				closed = true;
+				if (activeWebExplorer) {
+					activeWebExplorer.stop();
+					activeWebExplorer = null;
+				}
 				console.log("\nBye!");
 			}
 		});
 		rl.prompt();
 	}
 	async function handleExplore(trimmed, ctx$1) {
+		const args = parseExploreArgs(trimmed, ctx$1);
+		if (args.web) {
+			await handleExploreWeb(args, ctx$1);
+			return;
+		}
 		rl.removeAllListeners("line");
 		rl.removeAllListeners("close");
 		rl.close();
 		cleanupStdinAfterBlessed();
 		try {
 			const { createExplorerScreen } = await Promise.resolve().then(() => require("./explorer/screen.cjs"));
-			const startPath = parseExplorePath(trimmed, ctx$1);
 			await createExplorerScreen({
 				afs: ctx$1.afs,
-				startPath,
+				startPath: args.path,
 				version: ctx$1.version,
 				onExit: () => {}
 			});
@@ -475,13 +538,45 @@ async function startRepl(options) {
 		console.log("");
 		if (!closed) startReplLoop();
 	}
+	async function handleExploreWeb(args, ctx$1) {
+		if (activeWebExplorer) {
+			activeWebExplorer.stop();
+			console.log("Stopped previous web explorer.");
+			activeWebExplorer = null;
+		}
+		try {
+			const { resolve } = await import("node:path");
+			const { startExplorer } = await import("@aigne/afs-explorer");
+			let webRoot;
+			try {
+				const { createRequire } = await import("node:module");
+				webRoot = resolve(createRequire(require("url").pathToFileURL(__filename).href).resolve("@aigne/afs-explorer/package.json"), "..", "web");
+			} catch {}
+			const info = await startExplorer(ctx$1.afs, {
+				port: args.port,
+				host: "localhost",
+				webRoot,
+				open: true
+			});
+			activeWebExplorer = info;
+			console.log(`Web explorer running at ${info.url}`);
+			console.log("Type \"explore --web\" again to restart, or continue using REPL.");
+		} catch (e) {
+			const msg = e instanceof Error ? e.message : String(e);
+			console.error(`Failed to start web explorer: ${msg}`);
+		}
+		if (!closed) rl.prompt();
+	}
 	startReplLoop();
 	return new Promise((resolve) => {
 		const checkClosed = setInterval(() => {
 			if (closed) {
 				clearInterval(checkClosed);
-				if (onExit) onExit().catch(() => {}).then(resolve);
-				else resolve();
+				const cleanup = async () => {
+					if (programManager) await programManager.deactivateAll().catch(() => {});
+					if (onExit) await onExit().catch(() => {});
+				};
+				cleanup().then(resolve);
 			}
 		}, 100);
 	});

package/dist/repl.d.cts.map

@@ -1 +1 @@
-{"version":3,"file":"repl.d.cts","names":[],"sources":["../src/repl.ts"],"mappings":";;;iBAiiBsB,SAAA,CAAU,OAAA;EAC9B,GAAA;EACA,OAAA;EACA,MAAA,SAAe,OAAA;EAEf,cAAA,GAAiB,KAAA;IAAQ,QAAA,EAAU,SAAA;IAAW,SAAA;EAAA;AAAA,IAC5C,OAAA"}
+{"version":3,"file":"repl.d.cts","names":[],"sources":["../src/repl.ts"],"mappings":";;;iBA2jBsB,SAAA,CAAU,OAAA;EAC9B,GAAA;EACA,OAAA;EACA,MAAA,SAAe,OAAA;EAEf,cAAA,GAAiB,KAAA;IAAQ,QAAA,EAAU,SAAA;IAAW,SAAA;EAAA;AAAA,IAC5C,OAAA"}

package/dist/repl.d.mts.map

@@ -1 +1 @@
-{"version":3,"file":"repl.d.mts","names":[],"sources":["../src/repl.ts"],"mappings":";;;;iBAiiBsB,SAAA,CAAU,OAAA;EAC9B,GAAA;EACA,OAAA;EACA,MAAA,SAAe,OAAA;EAEf,cAAA,GAAiB,KAAA;IAAQ,QAAA,EAAU,SAAA;IAAW,SAAA;EAAA;AAAA,IAC5C,OAAA"}
+{"version":3,"file":"repl.d.mts","names":[],"sources":["../src/repl.ts"],"mappings":";;;;iBA2jBsB,SAAA,CAAU,OAAA;EAC9B,GAAA;EACA,OAAA;EACA,MAAA,SAAe,OAAA;EAEf,cAAA,GAAiB,KAAA;IAAQ,QAAA,EAAU,SAAA;IAAW,SAAA;EAAA;AAAA,IAC5C,OAAA"}

package/dist/repl.mjs

@@ -29,7 +29,11 @@ const ALL_COMMANDS = [
 	"stat",
 	"exec",
 	"explain",
+	"search",
 	"mount",
+	"program",
+	"vault",
+	"service",
 	"explore",
 	"cd",
 	"pwd",
@@ -83,7 +87,11 @@ function formatHelp() {
 		"    stat [path]             Get file or directory info (default: current node)",
 		"    exec <action>           Execute an action",
 		"    explain [topic]         Explain AFS concepts or paths (default: current path)",
-		"    mount                   Mount management",
+		"    search <path> <query>   Search content in a path",
+		"    mount                   Mount management (add, list, remove)",
+		"    program                 Program management (install, list, uninstall)",
+		"    vault                   Credential vault management",
+		"    service                 Daemon service management",
 		"    explore [path]          Interactive TUI explorer (default: current dir)",
 		"",
 		"  REPL Commands:",
@@ -226,18 +234,29 @@ function isExploreCommand(cmd) {
 	const normalized = cmd.replace(/^afs\s+/, "").trim();
 	return normalized === "explore" || normalized.startsWith("explore ");
 }
-function parseExplorePath(cmd, ctx) {
-	const path = cmd.replace(/^afs\s+/, "").trim().split(/\s+/)[1];
-	if (!path) {
-		if (ctx.currentNamespace) return `$afs:${ctx.currentNamespace}${ctx.currentPath}`;
-		return ctx.currentPath;
+function parseExploreArgs(cmd, ctx) {
+	const parts = cmd.replace(/^afs\s+/, "").trim().split(/\s+/).slice(1);
+	let web = false;
+	let port = 0;
+	const pathParts = [];
+	for (let i = 0; i < parts.length; i++) {
+		const part = parts[i];
+		if (part === "--web") web = true;
+		else if (part === "--port" && i + 1 < parts.length) port = Number(parts[++i]) || 0;
+		else if (part.startsWith("--port=")) port = Number(part.slice(7)) || 0;
+		else if (!part.startsWith("-")) pathParts.push(part);
 	}
-	if (!path.startsWith("/") && !path.startsWith("@") && !path.startsWith("$afs")) {
+	let path = pathParts[0];
+	if (!path) path = ctx.currentNamespace ? `$afs:${ctx.currentNamespace}${ctx.currentPath}` : ctx.currentPath;
+	else if (!path.startsWith("/") && !path.startsWith("@") && !path.startsWith("$afs")) {
 		const resolved = normalizePath(joinURL(ctx.currentPath, path));
-		if (ctx.currentNamespace) return `$afs:${ctx.currentNamespace}${resolved}`;
-		return resolved;
+		path = ctx.currentNamespace ? `$afs:${ctx.currentNamespace}${resolved}` : resolved;
 	}
-	return path;
+	return {
+		path,
+		web,
+		port
+	};
 }
 function createCompleter(ctx) {
 	return function completer(line, callback) {
@@ -374,6 +393,41 @@ async function startRepl(options) {
 		console.warn(`⚠ ${failures.length} ${noun} failed:`);
 		for (const f of failures) console.warn(`  - ${f.path}: ${f.reason}`);
 	}
+	let programManager;
+	try {
+		const { ProgramManager } = await import("./program/program-manager.mjs");
+		const { scanProgramTriggers } = await import("./program/trigger-scanner.mjs");
+		const { listInstalledPrograms, getUserConfigDir } = await import("./config/program-install.mjs");
+		const userConfigDir = getUserConfigDir();
+		programManager = new ProgramManager({
+			globalAFS: afs,
+			createProvider: afs.createProviderFromMount,
+			listPrograms: async () => {
+				return (await listInstalledPrograms({ userConfigDir })).map((p) => ({
+					id: p.id,
+					installPath: p.installPath,
+					mountPath: p.mountPath
+				}));
+			},
+			scanTriggers: async (programDir) => {
+				let compile = null;
+				try {
+					compile = (await import("@aigne/ash")).compileSource;
+				} catch {}
+				return scanProgramTriggers(programDir, compile);
+			},
+			dataDir: (programId) => `/.data/${programId}`,
+			readMountOverrides: async (programId) => {
+				const { readProgramMountOverrides } = await import("./config/program-install.mjs");
+				return readProgramMountOverrides(programId, { userConfigDir });
+			}
+		});
+		await programManager.activateAll();
+		const activated = programManager.getActivatedPrograms();
+		if (activated.length > 0) console.log(`Activated ${activated.length} program(s): ${activated.join(", ")}`);
+	} catch (err) {
+		console.error(`[PM] Program activation error:`, err instanceof Error ? err.message : err);
+	}
 	const executor = new AFSCommandExecutor(afs, {
 		cwd,
 		tty: true,
@@ -388,6 +442,7 @@ async function startRepl(options) {
 	let closed = false;
 	let rl;
 	let originalDataHandler = null;
+	let activeWebExplorer = null;
 	function startReplLoop() {
 		const stdin = process.stdin;
 		if (stdin._readableState) {
@@ -447,22 +502,30 @@ async function startRepl(options) {
 		rl.on("close", () => {
 			if (!closed) {
 				closed = true;
+				if (activeWebExplorer) {
+					activeWebExplorer.stop();
+					activeWebExplorer = null;
+				}
 				console.log("\nBye!");
 			}
 		});
 		rl.prompt();
 	}
 	async function handleExplore(trimmed, ctx$1) {
+		const args = parseExploreArgs(trimmed, ctx$1);
+		if (args.web) {
+			await handleExploreWeb(args, ctx$1);
+			return;
+		}
 		rl.removeAllListeners("line");
 		rl.removeAllListeners("close");
 		rl.close();
 		cleanupStdinAfterBlessed();
 		try {
 			const { createExplorerScreen } = await import("./explorer/screen.mjs");
-			const startPath = parseExplorePath(trimmed, ctx$1);
 			await createExplorerScreen({
 				afs: ctx$1.afs,
-				startPath,
+				startPath: args.path,
 				version: ctx$1.version,
 				onExit: () => {}
 			});
@@ -474,13 +537,45 @@ async function startRepl(options) {
 		console.log("");
 		if (!closed) startReplLoop();
 	}
+	async function handleExploreWeb(args, ctx$1) {
+		if (activeWebExplorer) {
+			activeWebExplorer.stop();
+			console.log("Stopped previous web explorer.");
+			activeWebExplorer = null;
+		}
+		try {
+			const { resolve: resolve$1 } = await import("node:path");
+			const { startExplorer } = await import("@aigne/afs-explorer");
+			let webRoot;
+			try {
+				const { createRequire } = await import("node:module");
+				webRoot = resolve$1(createRequire(import.meta.url).resolve("@aigne/afs-explorer/package.json"), "..", "web");
+			} catch {}
+			const info = await startExplorer(ctx$1.afs, {
+				port: args.port,
+				host: "localhost",
+				webRoot,
+				open: true
+			});
+			activeWebExplorer = info;
+			console.log(`Web explorer running at ${info.url}`);
+			console.log("Type \"explore --web\" again to restart, or continue using REPL.");
+		} catch (e) {
+			const msg = e instanceof Error ? e.message : String(e);
+			console.error(`Failed to start web explorer: ${msg}`);
+		}
+		if (!closed) rl.prompt();
+	}
 	startReplLoop();
 	return new Promise((resolve$1) => {
 		const checkClosed = setInterval(() => {
 			if (closed) {
 				clearInterval(checkClosed);
-				if (onExit) onExit().catch(() => {}).then(resolve$1);
-				else resolve$1();
+				const cleanup = async () => {
+					if (programManager) await programManager.deactivateAll().catch(() => {});
+					if (onExit) await onExit().catch(() => {});
+				};
+				cleanup().then(resolve$1);
 			}
 		}, 100);
 	});