@ao_zorin/zocket 1.0.0 → 1.2.0

package/dist/zocket.js

@@ -0,0 +1,2313 @@
+#!/usr/bin/env node
+
+// src/cli.ts
+import { Command } from "commander";
+import { createServer } from "http";
+import { mkdirSync as mkdirSync5 } from "fs";
+import { randomUUID } from "crypto";
+import { serve } from "@hono/node-server";
+import { SSEServerTransport } from "@modelcontextprotocol/sdk/server/sse.js";
+import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
+import { isInitializeRequest } from "@modelcontextprotocol/sdk/types.js";
+
+// src/vault.ts
+import { readFileSync, writeFileSync, mkdirSync, existsSync } from "fs";
+import { dirname } from "path";
+import { lock } from "proper-lockfile";
+
+// src/crypto.ts
+import { randomBytes, createCipheriv, createDecipheriv } from "crypto";
+var VERSION = 1;
+var ALGORITHM = "aes-256-gcm";
+var IV_BYTES = 12;
+var TAG_BYTES = 16;
+function encrypt(plaintext, key) {
+  const iv = randomBytes(IV_BYTES);
+  const cipher = createCipheriv(ALGORITHM, key, iv);
+  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  const version = Buffer.allocUnsafe(4);
+  version.writeUInt32BE(VERSION, 0);
+  return Buffer.concat([version, iv, tag, ciphertext]);
+}
+function decrypt(data, key) {
+  const version = data.readUInt32BE(0);
+  if (version !== VERSION) throw new Error(`Unsupported vault version: ${version}`);
+  const iv = data.subarray(4, 4 + IV_BYTES);
+  const tag = data.subarray(4 + IV_BYTES, 4 + IV_BYTES + TAG_BYTES);
+  const ciphertext = data.subarray(4 + IV_BYTES + TAG_BYTES);
+  const decipher = createDecipheriv(ALGORITHM, key, iv);
+  decipher.setAuthTag(tag);
+  return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+}
+
+// src/vault.ts
+var PROJECT_RE = /^[a-zA-Z0-9._-]+$/;
+var SECRET_RE = /^[A-Z_][A-Z0-9_]*$/;
+var VaultService = class {
+  constructor(vaultPath2, lockFile, key) {
+    this.vaultPath = vaultPath2;
+    this.lockFile = lockFile;
+    this.key = key;
+  }
+  load() {
+    if (!existsSync(this.vaultPath)) return { version: 1, projects: {} };
+    const raw = readFileSync(this.vaultPath);
+    return JSON.parse(decrypt(raw, this.key).toString("utf8"));
+  }
+  save(data) {
+    mkdirSync(dirname(this.vaultPath), { recursive: true });
+    writeFileSync(this.vaultPath, encrypt(Buffer.from(JSON.stringify(data)), this.key));
+  }
+  ensureExists() {
+    if (!existsSync(this.vaultPath)) {
+      this.save({ version: 1, projects: {} });
+    }
+  }
+  async withLock(fn) {
+    mkdirSync(dirname(this.lockFile), { recursive: true });
+    if (!existsSync(this.lockFile)) writeFileSync(this.lockFile, "");
+    const release = await lock(this.lockFile, { retries: { retries: 5, minTimeout: 50 } });
+    try {
+      const data = this.load();
+      const result = fn(data);
+      this.save(data);
+      return result;
+    } finally {
+      await release();
+    }
+  }
+  async createProject(name, description) {
+    if (!PROJECT_RE.test(name)) throw new Error(`Invalid project name: ${name}`);
+    await this.withLock((data) => {
+      if (data.projects[name]) throw new Error(`Project already exists: ${name}`);
+      const now = (/* @__PURE__ */ new Date()).toISOString();
+      data.projects[name] = { description, created_at: now, updated_at: now, secrets: {} };
+    });
+  }
+  async deleteProject(name) {
+    await this.withLock((data) => {
+      if (!data.projects[name]) throw new Error(`Project not found: ${name}`);
+      delete data.projects[name];
+    });
+  }
+  async listProjects() {
+    const data = this.load();
+    return Object.entries(data.projects).map(([name, p]) => ({
+      name,
+      description: p.description,
+      created_at: p.created_at,
+      folder_path: p.folder_path,
+      secret_count: Object.keys(p.secrets).length,
+      allowed_domains: p.allowed_domains
+    }));
+  }
+  async setAllowedDomains(project, domains) {
+    await this.withLock((data) => {
+      if (!data.projects[project]) throw new Error(`Project not found: ${project}`);
+      data.projects[project].allowed_domains = domains;
+      data.projects[project].updated_at = (/* @__PURE__ */ new Date()).toISOString();
+    });
+  }
+  async getAllowedDomains(project) {
+    const data = this.load();
+    if (!data.projects[project]) throw new Error(`Project not found: ${project}`);
+    return data.projects[project].allowed_domains ?? null;
+  }
+  async setSecret(project, key, value, description) {
+    if (!SECRET_RE.test(key)) throw new Error(`Invalid secret key: ${key}`);
+    await this.withLock((data) => {
+      if (!data.projects[project]) throw new Error(`Project not found: ${project}`);
+      data.projects[project].secrets[key] = { value, description, updated_at: (/* @__PURE__ */ new Date()).toISOString() };
+      data.projects[project].updated_at = (/* @__PURE__ */ new Date()).toISOString();
+    });
+  }
+  async deleteSecret(project, key) {
+    await this.withLock((data) => {
+      if (!data.projects[project]) throw new Error(`Project not found: ${project}`);
+      delete data.projects[project].secrets[key];
+      data.projects[project].updated_at = (/* @__PURE__ */ new Date()).toISOString();
+    });
+  }
+  async listKeys(project) {
+    const data = this.load();
+    if (!data.projects[project]) throw new Error(`Project not found: ${project}`);
+    return Object.keys(data.projects[project].secrets);
+  }
+  async listSecrets(project) {
+    const data = this.load();
+    if (!data.projects[project]) throw new Error(`Project not found: ${project}`);
+    return Object.entries(data.projects[project].secrets).map(([key, s]) => ({
+      key,
+      description: s.description,
+      updated_at: s.updated_at
+    }));
+  }
+  async getEnv(project) {
+    const data = this.load();
+    if (!data.projects[project]) throw new Error(`Project not found: ${project}`);
+    return Object.fromEntries(Object.entries(data.projects[project].secrets).map(([k, v]) => [k, v.value]));
+  }
+  async setFolder(project, folderPath) {
+    await this.withLock((data) => {
+      if (!data.projects[project]) throw new Error(`Project not found: ${project}`);
+      data.projects[project].folder_path = folderPath;
+      data.projects[project].updated_at = (/* @__PURE__ */ new Date()).toISOString();
+    });
+  }
+  async findByPath(path) {
+    const data = this.load();
+    let best = null;
+    let bestLen = 0;
+    for (const [name, proj] of Object.entries(data.projects)) {
+      if (proj.folder_path && path.startsWith(proj.folder_path) && proj.folder_path.length > bestLen) {
+        best = name;
+        bestLen = proj.folder_path.length;
+      }
+    }
+    return best;
+  }
+  async getSecretValue(project, key) {
+    const data = this.load();
+    const secret = data.projects[project]?.secrets[key];
+    if (!secret) throw new Error(`Secret not found: ${project}/${key}`);
+    return secret.value;
+  }
+  async reEncrypt(newKey) {
+    mkdirSync(dirname(this.lockFile), { recursive: true });
+    if (!existsSync(this.lockFile)) writeFileSync(this.lockFile, "");
+    const release = await lock(this.lockFile, { retries: { retries: 5, minTimeout: 50 } });
+    try {
+      const data = this.load();
+      this.key = newKey;
+      this.save(data);
+    } finally {
+      await release();
+    }
+  }
+};
+
+// src/config.ts
+import { readFileSync as readFileSync2, writeFileSync as writeFileSync2, mkdirSync as mkdirSync2 } from "fs";
+import { dirname as dirname2 } from "path";
+import { randomBytes as randomBytes2 } from "crypto";
+var DEFAULTS = {
+  language: "en",
+  key_storage: "file",
+  web_auth_enabled: false,
+  web_password_hash: "",
+  web_password_salt: "",
+  theme: "standard",
+  theme_variant: "light",
+  session_secret: "",
+  folder_picker_roots: ["/home", "/srv", "/opt", "/var/www", "/var/lib"],
+  exec_allow_list: null,
+  exec_max_output: 500,
+  exec_allow_substitution: true,
+  exec_allow_full_output: false,
+  exec_redact_secrets: true,
+  security_mode: "enforce",
+  security_block_threshold: "high",
+  mcp_loading: "eager"
+};
+var ConfigStore = class {
+  constructor(path) {
+    this.path = path;
+  }
+  load() {
+    try {
+      const raw = JSON.parse(readFileSync2(this.path, "utf8"));
+      return { ...DEFAULTS, ...raw };
+    } catch {
+      return { ...DEFAULTS };
+    }
+  }
+  save(cfg) {
+    mkdirSync2(dirname2(this.path), { recursive: true });
+    writeFileSync2(this.path, JSON.stringify(cfg, null, 2));
+  }
+  set(key, value) {
+    const cfg = this.load();
+    cfg[key] = value;
+    this.save(cfg);
+  }
+  ensureExists() {
+    const cfg = this.load();
+    if (!cfg.session_secret) {
+      cfg.session_secret = randomBytes2(32).toString("hex");
+      this.save(cfg);
+    }
+    return cfg;
+  }
+};
+
+// src/audit.ts
+import { appendFileSync, readFileSync as readFileSync3, existsSync as existsSync2, mkdirSync as mkdirSync3 } from "fs";
+import { dirname as dirname3 } from "path";
+var AuditLogger = class {
+  constructor(path) {
+    this.path = path;
+  }
+  log(action, actor, details, status) {
+    mkdirSync3(dirname3(this.path), { recursive: true });
+    const entry = { timestamp: (/* @__PURE__ */ new Date()).toISOString(), action, actor, details, status };
+    appendFileSync(this.path, JSON.stringify(entry) + "\n");
+  }
+  tail(n) {
+    if (!existsSync2(this.path)) return [];
+    const lines = readFileSync3(this.path, "utf8").trim().split("\n").filter(Boolean);
+    return lines.slice(-n).map((l) => JSON.parse(l));
+  }
+  failedLogins(withinMinutes) {
+    if (!existsSync2(this.path)) return 0;
+    const since = new Date(Date.now() - withinMinutes * 6e4);
+    const lines = readFileSync3(this.path, "utf8").trim().split("\n").filter(Boolean);
+    return lines.map((l) => JSON.parse(l)).filter((e) => e.action === "login" && e.status === "fail" && new Date(e.timestamp) >= since).length;
+  }
+};
+
+// src/mcp.ts
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { z } from "zod";
+import { spawnSync as spawnSync2 } from "child_process";
+
+// src/runner.ts
+import { spawnSync } from "child_process";
+import { writeFileSync as writeFileSync3, unlinkSync } from "fs";
+import { tmpdir } from "os";
+import { join } from "path";
+import { randomBytes as randomBytes3 } from "crypto";
+function substituteEnv(args, env) {
+  return args.map(
+    (arg) => arg.replace(/\$\{([A-Z_][A-Z0-9_]*)\}|\$([A-Z_][A-Z0-9_]*)/g, (_, a, b) => env[a ?? b] ?? "")
+  );
+}
+function trimResult(stdout, stderr, maxChars) {
+  const truncated = stdout.length > maxChars || stderr.length > maxChars;
+  const result = {
+    exit_code: 0,
+    stdout: stdout.slice(0, maxChars),
+    truncated
+  };
+  if (stderr.trim()) result.stderr = stderr.slice(0, maxChars);
+  return result;
+}
+function runCommand(command, env, policy, maxChars = 500) {
+  const [bin, ...rawArgs] = command;
+  if (!bin) throw new Error("Command is empty");
+  if (policy.allow_list !== null && !policy.allow_list.includes(bin)) {
+    throw new Error(`Command is not allowed: ${bin}`);
+  }
+  const args = policy.allow_substitution ? substituteEnv(rawArgs, env) : rawArgs;
+  const proc = spawnSync(bin, args, {
+    env: { ...process.env, ...env },
+    encoding: "utf8",
+    maxBuffer: 10 * 1024 * 1024
+  });
+  const r = trimResult(proc.stdout ?? "", proc.stderr ?? "", maxChars);
+  r.exit_code = proc.status ?? 1;
+  return r;
+}
+function runScript(_lang, code, env, maxChars = 500) {
+  const ext = ".mjs";
+  const tmpFile = join(tmpdir(), `zkt-${randomBytes3(8).toString("hex")}${ext}`);
+  try {
+    writeFileSync3(tmpFile, code, "utf8");
+    const bin = "node";
+    const proc = spawnSync(bin, [tmpFile], {
+      env: { ...process.env, ...env },
+      encoding: "utf8",
+      maxBuffer: 10 * 1024 * 1024
+    });
+    const r = trimResult(proc.stdout ?? "", proc.stderr ?? "", maxChars);
+    r.exit_code = proc.status ?? 1;
+    return r;
+  } finally {
+    try {
+      unlinkSync(tmpFile);
+    } catch {
+    }
+  }
+}
+
+// src/env-file.ts
+import { readFileSync as readFileSync4, writeFileSync as writeFileSync4, existsSync as existsSync3 } from "fs";
+function listEnvKeys(filePath) {
+  if (!existsSync3(filePath)) return [];
+  return readFileSync4(filePath, "utf8").split("\n").map((l) => l.trim()).filter((l) => l && !l.startsWith("#")).map((l) => l.split("=")[0].trim()).filter(Boolean);
+}
+function setEnvKey(filePath, key, value) {
+  const existing = existsSync3(filePath) ? readFileSync4(filePath, "utf8") : "";
+  const lines = existing ? existing.split("\n") : [];
+  const re = new RegExp(`^\\s*${key}\\s*=.*$`);
+  const idx = lines.findIndex((l) => re.test(l));
+  const entry = `${key}=${value}`;
+  if (idx !== -1) {
+    lines[idx] = entry;
+  } else {
+    if (lines.length > 0 && lines[lines.length - 1] !== "") lines.push("");
+    lines.push(entry);
+  }
+  writeFileSync4(filePath, lines.join("\n"));
+}
+
+// src/api-registry.ts
+var API_REGISTRY = [
+  // ── Stock / Media ──────────────────────────────────────────────────────────
+  { name: "Pexels", keywords: ["pexels"], domains: ["api.pexels.com"] },
+  { name: "Unsplash", keywords: ["unsplash"], domains: ["api.unsplash.com", "unsplash.com"] },
+  { name: "Pixabay", keywords: ["pixabay"], domains: ["pixabay.com"] },
+  { name: "Shutterstock", keywords: ["shutterstock"], domains: ["api.shutterstock.com"] },
+  { name: "Getty Images", keywords: ["getty"], domains: ["api.gettyimages.com"] },
+  { name: "Cloudinary", keywords: ["cloudinary"], domains: ["api.cloudinary.com", "res.cloudinary.com"] },
+  // ── AI / LLM ───────────────────────────────────────────────────────────────
+  { name: "OpenAI", keywords: ["openai", "gpt", "chatgpt"], domains: ["api.openai.com"] },
+  { name: "Anthropic", keywords: ["anthropic", "claude"], domains: ["api.anthropic.com"] },
+  { name: "Gemini/Google", keywords: ["gemini", "bard"], domains: ["generativelanguage.googleapis.com"] },
+  { name: "Mistral", keywords: ["mistral"], domains: ["api.mistral.ai"] },
+  { name: "Cohere", keywords: ["cohere"], domains: ["api.cohere.ai", "api.cohere.com"] },
+  { name: "Hugging Face", keywords: ["huggingface", "hf_"], domains: ["huggingface.co", "api-inference.huggingface.co"] },
+  { name: "Together AI", keywords: ["together"], domains: ["api.together.xyz"] },
+  { name: "Groq", keywords: ["groq"], domains: ["api.groq.com"] },
+  { name: "Replicate", keywords: ["replicate"], domains: ["api.replicate.com"] },
+  { name: "ElevenLabs", keywords: ["elevenlabs", "eleven_labs"], domains: ["api.elevenlabs.io"] },
+  { name: "Stability AI", keywords: ["stability", "stablediffusion"], domains: ["api.stability.ai"] },
+  // ── Payment ────────────────────────────────────────────────────────────────
+  { name: "Stripe", keywords: ["stripe"], domains: ["api.stripe.com", "checkout.stripe.com", "connect.stripe.com"] },
+  { name: "PayPal", keywords: ["paypal"], domains: ["api.paypal.com", "api.sandbox.paypal.com"] },
+  { name: "Braintree", keywords: ["braintree"], domains: ["api.braintreegateway.com", "sandbox.braintreegateway.com"] },
+  { name: "Adyen", keywords: ["adyen"], domains: ["checkout-test.adyen.com", "checkout-live.adyenpayments.com"] },
+  { name: "Square", keywords: ["square"], domains: ["connect.squareupsandbox.com", "connect.squareup.com"] },
+  { name: "Paddle", keywords: ["paddle"], domains: ["api.paddle.com", "sandbox-api.paddle.com"] },
+  { name: "LemonSqueezy", keywords: ["lemonsqueezy", "lemon_squeezy"], domains: ["api.lemonsqueezy.com"] },
+  { name: "Coinbase", keywords: ["coinbase"], domains: ["api.coinbase.com", "api.commerce.coinbase.com"] },
+  // ── Cloud / Infrastructure ─────────────────────────────────────────────────
+  { name: "AWS", keywords: ["aws", "amazon", "amazonaws"], domains: ["amazonaws.com", "s3.amazonaws.com", "ec2.amazonaws.com", "sts.amazonaws.com"] },
+  { name: "Google Cloud", keywords: ["gcp", "google_cloud", "gcloud"], domains: ["googleapis.com", "storage.googleapis.com"] },
+  { name: "Azure", keywords: ["azure"], domains: ["azure.com", "management.azure.com", "login.microsoftonline.com"] },
+  { name: "Cloudflare", keywords: ["cloudflare", "cf_"], domains: ["api.cloudflare.com"] },
+  { name: "DigitalOcean", keywords: ["digitalocean", "do_"], domains: ["api.digitalocean.com"] },
+  { name: "Vercel", keywords: ["vercel"], domains: ["api.vercel.com"] },
+  { name: "Netlify", keywords: ["netlify"], domains: ["api.netlify.com"] },
+  { name: "Railway", keywords: ["railway"], domains: ["backboard.railway.app"] },
+  { name: "Fly.io", keywords: ["fly", "flyio"], domains: ["api.machines.dev", "fly.io"] },
+  // ── Communication ──────────────────────────────────────────────────────────
+  { name: "Twilio", keywords: ["twilio"], domains: ["api.twilio.com", "verify.twilio.com"] },
+  { name: "SendGrid", keywords: ["sendgrid"], domains: ["api.sendgrid.com"] },
+  { name: "Mailgun", keywords: ["mailgun"], domains: ["api.mailgun.net", "api.eu.mailgun.net"] },
+  { name: "Postmark", keywords: ["postmark"], domains: ["api.postmarkapp.com"] },
+  { name: "Resend", keywords: ["resend"], domains: ["api.resend.com"] },
+  { name: "Slack", keywords: ["slack"], domains: ["slack.com", "hooks.slack.com"] },
+  { name: "Discord", keywords: ["discord"], domains: ["discord.com", "discordapp.com"] },
+  { name: "Telegram", keywords: ["telegram", "tg_bot"], domains: ["api.telegram.org"] },
+  { name: "WhatsApp", keywords: ["whatsapp"], domains: ["graph.facebook.com"] },
+  { name: "Vonage/Nexmo", keywords: ["vonage", "nexmo"], domains: ["rest.nexmo.com", "api.nexmo.com"] },
+  // ── Auth / Identity ────────────────────────────────────────────────────────
+  { name: "Auth0", keywords: ["auth0"], domains: ["auth0.com"] },
+  { name: "Clerk", keywords: ["clerk"], domains: ["api.clerk.dev", "clerk.com"] },
+  { name: "Supabase", keywords: ["supabase"], domains: ["supabase.co", "supabase.io"] },
+  { name: "Firebase", keywords: ["firebase", "firestore"], domains: ["firebase.googleapis.com", "firebaseio.com", "identitytoolkit.googleapis.com"] },
+  { name: "Okta", keywords: ["okta"], domains: ["okta.com", "okta-emea.com"] },
+  // ── Dev Tools ──────────────────────────────────────────────────────────────
+  { name: "GitHub", keywords: ["github", "gh_"], domains: ["api.github.com", "github.com"] },
+  { name: "GitLab", keywords: ["gitlab"], domains: ["gitlab.com"] },
+  { name: "Bitbucket", keywords: ["bitbucket"], domains: ["api.bitbucket.org"] },
+  { name: "Linear", keywords: ["linear"], domains: ["api.linear.app"] },
+  { name: "Jira/Atlassian", keywords: ["jira", "atlassian", "confluence"], domains: ["atlassian.net", "atlassian.com"] },
+  { name: "Sentry", keywords: ["sentry"], domains: ["sentry.io"] },
+  { name: "Datadog", keywords: ["datadog", "dd_"], domains: ["api.datadoghq.com", "api.datadoghq.eu"] },
+  { name: "PagerDuty", keywords: ["pagerduty"], domains: ["api.pagerduty.com"] },
+  // ── Data / Analytics ──────────────────────────────────────────────────────
+  { name: "Airtable", keywords: ["airtable"], domains: ["api.airtable.com"] },
+  { name: "Notion", keywords: ["notion"], domains: ["api.notion.com"] },
+  { name: "Supabase", keywords: ["supabase"], domains: ["supabase.co"] },
+  { name: "PlanetScale", keywords: ["planetscale"], domains: ["api.planetscale.com"] },
+  { name: "MongoDB Atlas", keywords: ["mongodb", "atlas"], domains: ["cloud.mongodb.com", "data.mongodb-api.com"] },
+  { name: "Pinecone", keywords: ["pinecone"], domains: ["api.pinecone.io"] },
+  { name: "Algolia", keywords: ["algolia"], domains: ["algolia.net", "algolianet.com"] },
+  { name: "Elastic", keywords: ["elastic", "elasticsearch"], domains: ["cloud.elastic.co"] },
+  { name: "Mixpanel", keywords: ["mixpanel"], domains: ["api.mixpanel.com"] },
+  { name: "Amplitude", keywords: ["amplitude"], domains: ["api.amplitude.com", "api2.amplitude.com"] },
+  // ── Maps / Location ────────────────────────────────────────────────────────
+  { name: "Google Maps", keywords: ["googlemaps", "google_maps", "gmaps"], domains: ["maps.googleapis.com"] },
+  { name: "Mapbox", keywords: ["mapbox"], domains: ["api.mapbox.com"] },
+  { name: "HERE Maps", keywords: ["here_maps", "heremaps"], domains: ["geocoder.ls.hereapi.com", "router.hereapi.com"] },
+  { name: "OpenWeather", keywords: ["openweather", "owm"], domains: ["api.openweathermap.org"] },
+  // ── E-commerce ────────────────────────────────────────────────────────────
+  { name: "Shopify", keywords: ["shopify"], domains: ["myshopify.com", "admin.shopify.com"] },
+  { name: "WooCommerce", keywords: ["woocommerce", "woo"], domains: ["woocommerce.com"] },
+  { name: "Amazon MWS/SP", keywords: ["amazon_seller", "mws"], domains: ["sellingpartnerapi-na.amazon.com", "mws.amazonservices.com"] }
+];
+function extractHints(projectName, keyNames) {
+  return [projectName, ...keyNames].join(" ").toLowerCase().split(/[\s_\-./]+/).filter((s) => s.length >= 3);
+}
+function checkDomainMatch(hints, destinationDomain) {
+  const dest = destinationDomain.toLowerCase();
+  for (const entry of API_REGISTRY) {
+    const matched = entry.keywords.some((kw) => hints.some((h) => h.includes(kw) || kw.includes(h)));
+    if (!matched) continue;
+    const ok2 = entry.domains.some((d) => dest === d || dest.endsWith("." + d) || d.endsWith("." + dest));
+    return { matched: entry, expected: entry.domains, actual: dest, ok: ok2 };
+  }
+  return null;
+}
+
+// src/security.ts
+var W = { CRITICAL: 20, HIGH: 10, MEDIUM: 5, LOW: 2 };
+var RISK_THRESHOLDS = [
+  [20, "critical"],
+  [10, "high"],
+  [5, "medium"],
+  [1, "low"],
+  [0, "none"]
+];
+var BLOCK_SCORE = {
+  none: Infinity,
+  low: 1,
+  medium: 5,
+  high: 10,
+  critical: 20
+};
+function scoreToRisk(score) {
+  for (const [threshold, level] of RISK_THRESHOLDS) {
+    if (score >= threshold) return level;
+  }
+  return "none";
+}
+function extractDomains(text) {
+  const matches = [...text.matchAll(/https?:\/\/([a-zA-Z0-9.-]+\.[a-zA-Z]{2,})/g)];
+  return [...new Set(matches.map((m) => m[1].toLowerCase()))];
+}
+function domainAllowed(domain, allowedDomains) {
+  return allowedDomains.some((allowed) => {
+    const a = allowed.toLowerCase();
+    return domain === a || domain.endsWith("." + a);
+  });
+}
+var NETWORK_RE = /\b(curl|wget|nc\b|ncat|socat|netcat|fetch|axios|requests?\.|urllib|http\.client|httpx|aiohttp|XMLHttpRequest|require\(['"]https?['"]\)|require\(["']node:https?["']\))\b/;
+function envRefsIn(text) {
+  const matches = [...text.matchAll(/\$\{?([A-Z_][A-Z0-9_]*)\}?/g)].map((m) => m[1]);
+  return [...new Set(matches)];
+}
+function buildCtx(text) {
+  return { text, envRefs: envRefsIn(text), hasNetwork: NETWORK_RE.test(text) };
+}
+var RULES = [
+  // ── Critical ────────────────────────────────────────────────────────────
+  {
+    id: "ENV_DUMP_PIPE_NETWORK",
+    description: "printenv or env piped directly to a network tool (classic exfiltration)",
+    severity: "critical",
+    weight: W.CRITICAL,
+    supersedes: ["BARE_ENV_DUMP", "SINGLE_ENV_NETWORK"],
+    test: (c) => /\b(printenv|env)\b[^|]*\|[^|]*(curl|wget|nc\b|ncat|socat|netcat)\b/.test(c.text)
+  },
+  {
+    id: "PROC_ENVIRON_READ",
+    description: "Reading another process environment via /proc/<pid>/environ",
+    severity: "critical",
+    weight: W.CRITICAL,
+    test: (c) => /\/proc\/[0-9*]+\/environ/.test(c.text)
+  },
+  {
+    id: "LOOP_ENV_EXFIL",
+    description: "Loop iterating over environment variables combined with network call",
+    severity: "critical",
+    weight: W.CRITICAL,
+    supersedes: ["MULTIPLE_SECRETS_ARGS", "SINGLE_ENV_NETWORK"],
+    test: (c) => /\bfor\b[\s\S]{0,120}(printenv|os\.environ|process\.env)[\s\S]{0,300}(curl|wget|fetch|requests?\.|urllib|http\.client)\b/.test(c.text) || /for\s+\w+\s+in\s+(os\.environ|os\.environ\.items\(\)|os\.environ\.keys\(\))[\s\S]{0,300}(requests?|urllib|http\.client|curl|wget)\b/.test(c.text)
+  },
+  {
+    id: "MULTI_SECRET_IN_URL",
+    description: "Two or more distinct secrets referenced in a single outbound URL or query string",
+    severity: "critical",
+    weight: W.CRITICAL,
+    supersedes: ["MULTIPLE_SECRETS_ARGS", "SINGLE_ENV_NETWORK"],
+    test: (c) => {
+      if (c.envRefs.length < 2 || !c.hasNetwork) return false;
+      if (/https?:\/\/[^\s]*\$\{?[A-Z_][A-Z0-9_]*\}?[^\s]*\$\{?[A-Z_][A-Z0-9_]*\}?/.test(c.text)) return true;
+      if (/[?&]\w+=\$\{?[A-Z_][A-Z0-9_]*\}?(&\w+=\$\{?[A-Z_][A-Z0-9_]*\}?)+/.test(c.text)) return true;
+      return false;
+    }
+  },
+  // ── High ────────────────────────────────────────────────────────────────
+  {
+    id: "ENCODE_PIPE_NETWORK",
+    description: "Base64/hex encoding of data combined with network transmission (obfuscated exfiltration)",
+    severity: "high",
+    weight: W.HIGH,
+    supersedes: ["SINGLE_ENV_NETWORK"],
+    test: (c) => /(base64|xxd\b|od\b|hexdump|btoa\(|\.toString\(['"]base64['"]\)|b64encode|binascii\.hexlify)[\s\S]{0,400}(curl|wget|nc\b|fetch|requests?\.|urllib)/.test(c.text)
+  },
+  {
+    id: "SENSITIVE_FILE_EXFIL",
+    description: "Reading sensitive system files (/etc/shadow, ~/.ssh/) combined with network call",
+    severity: "high",
+    weight: W.HIGH,
+    test: (c) => /(\/etc\/shadow|\/etc\/passwd|\/root\/\.ssh|~\/\.ssh\/|\/home\/[^/\s]+\/\.ssh\/)[\s\S]{0,400}(curl|wget|nc\b|fetch|requests?\.|urllib|http\.client)/.test(c.text) || /(curl|wget|nc\b|fetch|requests?\.|urllib)[\s\S]{0,400}(\/etc\/shadow|\/etc\/passwd|\/root\/\.ssh|~\/\.ssh\/|\/home\/[^/\s]+\/\.ssh\/)/.test(c.text)
+  },
+  {
+    id: "ENV_DUMP_SUBSHELL",
+    description: "printenv/env used inside a subshell substitution",
+    severity: "high",
+    weight: W.HIGH,
+    supersedes: ["BARE_ENV_DUMP"],
+    test: (c) => /\$\(\s*(printenv|env)\s*\)/.test(c.text)
+  },
+  // ── Medium ───────────────────────────────────────────────────────────────
+  {
+    id: "BARE_ENV_DUMP",
+    description: "Bare printenv/env call with no output destination \u2014 dumps all environment variables to stdout",
+    severity: "medium",
+    weight: W.MEDIUM,
+    test: (c) => /^\s*(printenv|env)\s*$/.test(c.text.trim())
+  },
+  {
+    id: "MULTIPLE_SECRETS_ARGS",
+    description: "Two or more distinct secrets referenced alongside a network operation",
+    severity: "medium",
+    weight: W.MEDIUM,
+    test: (c) => c.envRefs.length >= 2 && c.hasNetwork
+  },
+  {
+    id: "SCRIPT_ENUMERATE_ALL_ENV",
+    description: "Script bulk-reads all environment keys (Object.keys/entries or os.environ.items) with network present",
+    severity: "medium",
+    weight: W.MEDIUM,
+    test: (c) => c.hasNetwork && /(Object\.(keys|entries|values)\(process\.env\)|for\s*\(\s*(const\s+)?\[?\w+\]?\s+(?:in|of)\s+(?:Object\.\w+\()?process\.env|dict\(os\.environ\)|os\.environ\.items\(\)|os\.environ\.keys\(\))/.test(c.text)
+  },
+  {
+    id: "REDIRECT_ENV_TO_FILE",
+    description: "Environment dump redirected to a file (data persistence risk)",
+    severity: "medium",
+    weight: W.MEDIUM,
+    test: (c) => /\b(printenv|env)\b[^|]*>/.test(c.text)
+  },
+  // ── Low ──────────────────────────────────────────────────────────────────
+  {
+    id: "SINGLE_ENV_NETWORK",
+    description: "A single secret is referenced alongside a network call (may be legitimate API auth)",
+    severity: "low",
+    weight: W.LOW,
+    test: (c) => c.envRefs.length >= 1 && c.hasNetwork
+  },
+  {
+    id: "PROC_SELF_ENVIRON",
+    description: "Reading /proc/self/environ (own process environment)",
+    severity: "low",
+    weight: W.LOW,
+    test: (c) => /\/proc\/self\/environ/.test(c.text)
+  },
+  // This rule is only registered when allowed_domains is configured — see analyze()
+  {
+    id: "UNKNOWN_DOMAIN",
+    description: "Secret sent to a domain not in exec_allowed_domains allowlist",
+    severity: "high",
+    weight: W.HIGH,
+    test: (_) => false
+    // replaced dynamically in analyze()
+  },
+  // This rule is only active when hints are configured — see analyze()
+  {
+    id: "SUSPICIOUS_DOMAIN",
+    description: "Secret sent to a domain that does not match the known API for this project (semantic mismatch)",
+    severity: "medium",
+    weight: W.MEDIUM,
+    supersedes: ["SINGLE_ENV_NETWORK"],
+    test: (_) => false
+    // replaced dynamically in analyze()
+  }
+];
+var ALLOWANCES = [
+  {
+    name: "AUTH_HEADER_SINGLE_KEY",
+    score_delta: -3,
+    // curl -H "Authorization: Bearer $API_KEY" https://api.example.com
+    test: (c) => c.envRefs.length === 1 && /-H\s+['"]?Authorization:\s*(Bearer|Basic|Token)\s+\$\{?[A-Z_][A-Z0-9_]*\}?['"]?/.test(c.text)
+  },
+  {
+    name: "STATIC_HTTPS_TARGET",
+    score_delta: -1,
+    // URL target is a static domain, not $VAR-based host
+    test: (c) => /https:\/\/[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/.test(c.text) && !/https?:\/\/\$\{?[A-Z_]/.test(c.text)
+  },
+  {
+    name: "SINGLE_ENV_VAR_ONLY",
+    score_delta: -1,
+    test: (c) => c.envRefs.length === 1
+  }
+];
+var SecurityAnalyzer = class {
+  constructor(cfg) {
+    this.cfg = cfg;
+  }
+  analyzeCommand(command) {
+    if (this.cfg.mode === "off") return allow();
+    const isBashC = command.length >= 3 && /^(ba?sh|sh|dash|zsh|ksh)$/.test(command[0]) && command[1] === "-c";
+    const text = isBashC ? command[2] : command.join(" ");
+    return this.analyze(buildCtx(text));
+  }
+  analyzeScript(_lang, code) {
+    if (this.cfg.mode === "off") return allow();
+    const ctx = buildCtx(code);
+    return this.analyze(ctx);
+  }
+  analyze(ctx) {
+    const fired = /* @__PURE__ */ new Set();
+    const findings = [];
+    const allowedDomains = this.cfg.allowed_domains;
+    const unknownDomainRule = RULES.find((r) => r.id === "UNKNOWN_DOMAIN");
+    if (allowedDomains && allowedDomains.length > 0) {
+      unknownDomainRule.test = (c) => {
+        if (!c.hasNetwork || c.envRefs.length === 0) return false;
+        const domains = extractDomains(c.text);
+        if (domains.length === 0) return false;
+        return domains.some((d) => !domainAllowed(d, allowedDomains));
+      };
+    } else {
+      unknownDomainRule.test = () => false;
+    }
+    const hints = this.cfg.hints ?? null;
+    const suspiciousDomainRule = RULES.find((r) => r.id === "SUSPICIOUS_DOMAIN");
+    if (hints && hints.length > 0) {
+      suspiciousDomainRule.test = (c) => {
+        if (!c.hasNetwork || c.envRefs.length === 0) return false;
+        const domains = extractDomains(c.text);
+        if (domains.length === 0) return false;
+        return domains.some((d) => {
+          const result = checkDomainMatch(hints, d);
+          return result !== null && !result.ok;
+        });
+      };
+    } else {
+      suspiciousDomainRule.test = () => false;
+    }
+    const sorted = [...RULES].sort((a, b) => b.weight - a.weight);
+    for (const rule of sorted) {
+      if (fired.has(rule.id)) continue;
+      if (rule.test(ctx)) {
+        findings.push({ pattern: rule.id, description: rule.description, severity: rule.severity });
+        fired.add(rule.id);
+        rule.supersedes?.forEach((id) => fired.add(id));
+      }
+    }
+    let score = findings.reduce((s, f) => {
+      const rule = RULES.find((r) => r.id === f.pattern);
+      return s + rule.weight;
+    }, 0);
+    const hasSuspiciousDomain = findings.some((f) => f.pattern === "SUSPICIOUS_DOMAIN");
+    if (score < W.HIGH && !hasSuspiciousDomain) {
+      for (const allowance of ALLOWANCES) {
+        if (allowance.test(ctx)) score += allowance.score_delta;
+      }
+      score = Math.max(0, score);
+    }
+    const risk = scoreToRisk(score);
+    const blocked = this.cfg.mode === "enforce" && score >= BLOCK_SCORE[this.cfg.block_threshold];
+    const allowed = !blocked;
+    return {
+      allowed,
+      risk,
+      score,
+      findings,
+      reason: blocked ? `[${risk.toUpperCase()}] ${findings.map((f) => f.pattern).join(", ")}` : void 0
+    };
+  }
+};
+function createAnalyzer(cfg, allowedDomains = null, hints = null) {
+  return new SecurityAnalyzer({
+    mode: cfg.security_mode,
+    block_threshold: cfg.security_block_threshold,
+    allowed_domains: allowedDomains,
+    hints
+  });
+}
+function allow() {
+  return { allowed: true, risk: "none", score: 0, findings: [] };
+}
+
+// src/mcp.ts
+var SYSTEM_INSTRUCTIONS = `
+Zocket MCP \u2014 encrypted local vault + safe command runner.
+
+Rules:
+- Secret VALUES are never returned by any tool. Use run_with_project_env or run_script to consume them.
+- Filesystem is NOT shared between tool calls. Do not save intermediate data to /tmp.
+- Prefer run_script for multi-step data processing instead of many sequential run_with_project_env calls.
+- Use max_chars: 200 for status-only checks; only request more when you actually need the full output.
+- Use output_filter (jq expression) to extract only the field you need from JSON responses.
+- $VAR and \${VAR} placeholders in command args are substituted server-side with project secrets.
+- In lazy mode: call list_tools_summary to see available tools, then activate_tool(name) before first use.
+`.trim();
+function applyJq(json, expr) {
+  const proc = spawnSync2("jq", ["-r", expr], {
+    input: json,
+    encoding: "utf8",
+    timeout: 3e3
+  });
+  if (proc.status === 0 && proc.stdout) return proc.stdout.trimEnd();
+  return json;
+}
+function ok(data) {
+  return { content: [{ type: "text", text: JSON.stringify(data) }] };
+}
+function err(message) {
+  return { content: [{ type: "text", text: JSON.stringify({ error: message }) }], isError: true };
+}
+function buildCatalog(services) {
+  const { vault, config, audit } = services;
+  return [
+    {
+      name: "list_projects",
+      summary: "List all projects (name, description, secret_count, folder_path). No secret values.",
+      register: (server) => {
+        server.tool(
+          "list_projects",
+          "List all projects. Returns name, description, secret_count, folder_path. No secret values.",
+          async () => {
+            try {
+              return ok({ projects: await vault.listProjects() });
+            } catch (e) {
+              return err(String(e));
+            }
+          }
+        );
+      }
+    },
+    {
+      name: "list_project_keys",
+      summary: "List secret key names for a project. Values are never returned.",
+      register: (server) => {
+        server.tool(
+          "list_project_keys",
+          "List secret key names for a project. Values are never returned.",
+          { project: z.string().describe("Project name") },
+          async ({ project }) => {
+            try {
+              return ok({ project, keys: await vault.listKeys(project) });
+            } catch (e) {
+              return err(String(e));
+            }
+          }
+        );
+      }
+    },
+    {
+      name: "get_exec_policy",
+      summary: "Get current command execution policy (allowed commands, output limits).",
+      register: (server) => {
+        server.tool(
+          "get_exec_policy",
+          "Get the current command execution policy (allowed commands, output limits).",
+          async () => {
+            const cfg = config.load();
+            return ok({
+              allow_list: cfg.exec_allow_list,
+              max_output: cfg.exec_max_output,
+              allow_substitution: cfg.exec_allow_substitution
+            });
+          }
+        );
+      }
+    },
+    {
+      name: "run_with_project_env",
+      summary: "Run a command with project secrets injected as $VAR env placeholders.",
+      register: (server) => {
+        server.tool(
+          "run_with_project_env",
+          [
+            "Run a command with project secrets injected as environment variables.",
+            "Use $VAR or ${VAR} placeholders in args \u2014 substituted server-side.",
+            "Tip: use output_filter (jq expression) to extract only the field you need.",
+            "Tip: use max_chars: 200 for status-only checks."
+          ].join(" "),
+          {
+            project: z.string().describe("Project name"),
+            command: z.array(z.string()).min(1).describe('Command and args, e.g. ["curl", "-H", "Authorization: $API_KEY", "https://..."]'),
+            max_chars: z.number().int().min(1).max(32e3).optional().describe("Max output chars (default ~500)"),
+            output_filter: z.string().optional().describe('jq expression to filter JSON stdout, e.g. ".items[0].url"'),
+            confirm: z.boolean().optional().describe("Set to true to confirm execution of a medium-risk command after reviewing the warning")
+          },
+          async ({ project, command, max_chars, output_filter, confirm }) => {
+            try {
+              const cfg = config.load();
+              const allowedDomains = await vault.getAllowedDomains(project);
+              const keyNames = await vault.listKeys(project);
+              const hints = extractHints(project, keyNames);
+              const sec = createAnalyzer(cfg, allowedDomains, hints).analyzeCommand(command);
+              audit.log("security_check", "mcp", { project, command: command[0], risk: sec.risk, findings: sec.findings.map((f) => f.pattern) }, sec.allowed ? "ok" : "blocked");
+              if (!sec.allowed) return err(`Security check blocked command: ${sec.reason}`);
+              if (sec.risk === "medium" && !confirm) {
+                return ok({
+                  requires_confirmation: true,
+                  risk: sec.risk,
+                  warning: `Command flagged as ${sec.risk.toUpperCase()} risk. Review findings and re-call with confirm: true to proceed.`,
+                  findings: sec.findings.map((f) => ({ pattern: f.pattern, description: f.description }))
+                });
+              }
+              const policy = {
+                allow_list: cfg.exec_allow_list,
+                max_output: cfg.exec_max_output,
+                allow_substitution: cfg.exec_allow_substitution
+              };
+              const env = await vault.getEnv(project);
+              const result = runCommand(command, env, policy, max_chars ?? cfg.exec_max_output);
+              if (output_filter && result.stdout) result.stdout = applyJq(result.stdout, output_filter);
+              audit.log("run_command", "mcp", { project, command: command[0] }, result.exit_code === 0 ? "ok" : "fail");
+              const res = { exit_code: result.exit_code, stdout: result.stdout };
+              if (result.stderr) res.stderr = result.stderr;
+              if (result.truncated) res.truncated = true;
+              return ok(res);
+            } catch (e) {
+              audit.log("run_command", "mcp", { project, command: command[0] }, "denied");
+              return err(String(e));
+            }
+          }
+        );
+      }
+    },
+    {
+      name: "run_script",
+      summary: "Run an inline node script with project secrets injected as env vars. Prefer over multiple run_with_project_env calls.",
+      register: (server) => {
+        server.tool(
+          "run_script",
+          [
+            "Run an inline node script with project secrets available as environment variables.",
+            "Use this instead of multiple run_with_project_env calls \u2014 write the full logic in one script.",
+            "Filesystem is NOT shared between calls. Secret values never appear in this conversation."
+          ].join(" "),
+          {
+            project: z.string().describe("Project name"),
+            lang: z.enum(["node"]).describe("Script language"),
+            code: z.string().min(1).describe("Full script source code"),
+            max_chars: z.number().int().min(1).max(32e3).optional().describe("Max output chars (default ~500)"),
+            confirm: z.boolean().optional().describe("Set to true to confirm execution of a medium-risk script after reviewing the warning")
+          },
+          async ({ project, lang, code, max_chars, confirm }) => {
+            try {
+              const cfg = config.load();
+              const allowedDomains = await vault.getAllowedDomains(project);
+              const keyNames = await vault.listKeys(project);
+              const hints = extractHints(project, keyNames);
+              const sec = createAnalyzer(cfg, allowedDomains, hints).analyzeScript(lang, code);
+              audit.log("security_check", "mcp", { project, lang, risk: sec.risk, findings: sec.findings.map((f) => f.pattern) }, sec.allowed ? "ok" : "blocked");
+              if (!sec.allowed) return err(`Security check blocked script: ${sec.reason}`);
+              if (sec.risk === "medium" && !confirm) {
+                return ok({
+                  requires_confirmation: true,
+                  risk: sec.risk,
+                  warning: `Script flagged as ${sec.risk.toUpperCase()} risk. Review findings and re-call with confirm: true to proceed.`,
+                  findings: sec.findings.map((f) => ({ pattern: f.pattern, description: f.description }))
+                });
+              }
+              const env = await vault.getEnv(project);
+              const result = runScript(lang, code, env, max_chars ?? cfg.exec_max_output);
+              audit.log("run_script", "mcp", { project, lang }, result.exit_code === 0 ? "ok" : "fail");
+              const res = { exit_code: result.exit_code, stdout: result.stdout };
+              if (result.stderr) res.stderr = result.stderr;
+              if (result.truncated) res.truncated = true;
+              return ok(res);
+            } catch (e) {
+              audit.log("run_script", "mcp", { project }, "denied");
+              return err(String(e));
+            }
+          }
+        );
+      }
+    },
+    {
+      name: "env_keys",
+      summary: "List key names in a .env file. Values are never returned.",
+      register: (server) => {
+        server.tool(
+          "env_keys",
+          "List key names in a .env file. Values are never returned.",
+          { path: z.string().describe("Absolute path to the .env file") },
+          ({ path }) => {
+            try {
+              return ok({ path, keys: listEnvKeys(path) });
+            } catch (e) {
+              return err(String(e));
+            }
+          }
+        );
+      }
+    },
+    {
+      name: "env_set",
+      summary: "Insert or update a key=value pair in a .env file.",
+      register: (server) => {
+        server.tool(
+          "env_set",
+          "Insert or update a key=value pair in a .env file. Creates the file if it does not exist.",
+          {
+            path: z.string().describe("Absolute path to the .env file"),
+            key: z.string().describe("Variable name, e.g. API_KEY"),
+            value: z.string().describe("Value to set")
+          },
+          ({ path, key, value }) => {
+            try {
+              setEnvKey(path, key, value);
+              audit.log("env_set", "mcp", { path, key }, "ok");
+              return ok({ path, key, updated: true });
+            } catch (e) {
+              return err(String(e));
+            }
+          }
+        );
+      }
+    },
+    {
+      name: "set_project_folder",
+      summary: "Set (or clear) the local folder path associated with a project.",
+      register: (server) => {
+        server.tool(
+          "set_project_folder",
+          "Associate a local folder path with a project. Pass null to remove the association.",
+          {
+            project: z.string().describe("Project name"),
+            folder_path: z.string().nullable().describe("Absolute folder path, or null to clear")
+          },
+          async ({ project, folder_path }) => {
+            try {
+              await vault.setFolder(project, folder_path ?? void 0);
+              audit.log("set_project_folder", "mcp", { project, folder_path }, "ok");
+              return ok({ project, folder_path });
+            } catch (e) {
+              return err(String(e));
+            }
+          }
+        );
+      }
+    },
+    {
+      name: "set_project_domains",
+      summary: "Set allowed outbound domains for a project. Requests to other domains will be blocked.",
+      register: (server) => {
+        server.tool(
+          "set_project_domains",
+          [
+            "Set the list of domains this project's secrets are allowed to be sent to.",
+            'Pass null to remove restrictions. Example: ["api.stripe.com", "zorin.pw"]',
+            "After setting, run_with_project_env and run_script will block requests to any other domain."
+          ].join(" "),
+          {
+            project: z.string().describe("Project name"),
+            domains: z.array(z.string()).nullable().describe("Domain list (no protocol), or null to remove restriction")
+          },
+          async ({ project, domains }) => {
+            try {
+              await vault.setAllowedDomains(project, domains);
+              audit.log("set_project_domains", "mcp", { project, domains }, "ok");
+              return ok({ project, allowed_domains: domains });
+            } catch (e) {
+              return err(String(e));
+            }
+          }
+        );
+      }
+    },
+    {
+      name: "get_settings",
+      summary: "Show current Zocket settings: security mode, loading mode, execution policy.",
+      register: (server) => {
+        server.tool(
+          "get_settings",
+          "Show current Zocket settings: security mode, loading mode, execution policy.",
+          async () => {
+            const cfg = config.load();
+            return ok({
+              security_mode: cfg.security_mode,
+              security_block_threshold: cfg.security_block_threshold,
+              mcp_loading: cfg.mcp_loading,
+              exec_allow_list: cfg.exec_allow_list,
+              exec_max_output: cfg.exec_max_output,
+              exec_allow_substitution: cfg.exec_allow_substitution
+            });
+          }
+        );
+      }
+    },
+    {
+      name: "configure",
+      summary: "Update Zocket settings: security mode (off/audit/enforce), loading mode (eager/lazy), block threshold.",
+      register: (server) => {
+        server.tool(
+          "configure",
+          [
+            "Update Zocket settings. All parameters are optional \u2014 only provided fields are changed.",
+            "security_mode: off (disabled), audit (log only), enforce (block threats).",
+            "mcp_loading: eager (all tools at connect), lazy (on-demand via activate_tool). Takes effect on next server restart.",
+            "security_block_threshold: minimum risk level that triggers a block (low/medium/high/critical)."
+          ].join(" "),
+          {
+            security_mode: z.enum(["off", "audit", "enforce"]).optional().describe("Security analysis mode"),
+            security_block_threshold: z.enum(["low", "medium", "high", "critical"]).optional().describe("Block commands at this risk level and above"),
+            mcp_loading: z.enum(["eager", "lazy"]).optional().describe("Tool registration strategy (takes effect on restart)")
+          },
+          async ({ security_mode, security_block_threshold, mcp_loading }) => {
+            try {
+              const cfg = config.load();
+              if (security_mode !== void 0) cfg.security_mode = security_mode;
+              if (security_block_threshold !== void 0) cfg.security_block_threshold = security_block_threshold;
+              if (mcp_loading !== void 0) cfg.mcp_loading = mcp_loading;
+              config.save(cfg);
+              audit.log("configure", "mcp", { security_mode, security_block_threshold, mcp_loading }, "ok");
+              return ok({
+                security_mode: cfg.security_mode,
+                security_block_threshold: cfg.security_block_threshold,
+                mcp_loading: cfg.mcp_loading,
+                note: mcp_loading !== void 0 ? "mcp_loading takes effect on next server restart" : void 0
+              });
+            } catch (e) {
+              return err(String(e));
+            }
+          }
+        );
+      }
+    }
+  ];
+}
+function createMcpServer(services, options = {}) {
+  const { loading = services.config.load().mcp_loading } = options;
+  const server = new McpServer(
+    { name: "zocket", version: "1.0.0" },
+    { instructions: SYSTEM_INSTRUCTIONS }
+  );
+  const catalog = buildCatalog(services);
+  if (loading === "eager") {
+    for (const entry of catalog) entry.register(server, services);
+    return server;
+  }
+  const activated = /* @__PURE__ */ new Set();
+  server.tool(
+    "list_tools_summary",
+    "List available tools with short descriptions. Call activate_tool(name) to unlock one before use.",
+    {
+      query: z.string().optional().describe("Optional filter \u2014 returns tools whose name or summary contains this string")
+    },
+    ({ query }) => {
+      const q = query?.toLowerCase();
+      const tools = catalog.filter((e) => !q || e.name.includes(q) || e.summary.toLowerCase().includes(q)).map((e) => ({ name: e.name, summary: e.summary, active: activated.has(e.name) }));
+      return ok({ tools });
+    }
+  );
+  server.tool(
+    "activate_tool",
+    "Register a tool by name so it becomes available. Call list_tools_summary first to see options.",
+    { name: z.string().describe("Tool name to activate") },
+    async ({ name }) => {
+      const entry = catalog.find((e) => e.name === name);
+      if (!entry) return err(`Unknown tool: ${name}. Call list_tools_summary to see available tools.`);
+      if (activated.has(name)) return ok({ name, status: "already_active" });
+      entry.register(server, services);
+      activated.add(name);
+      try {
+        await server.server.notification({ method: "notifications/tools/list_changed" });
+      } catch {
+      }
+      return ok({ name, status: "activated" });
+    }
+  );
+  return server;
+}
+
+// src/web.ts
+import { Hono } from "hono";
+import { getCookie, setCookie, deleteCookie } from "hono/cookie";
+import { createHmac, randomBytes as randomBytes5 } from "crypto";
+import { readdirSync, statSync, existsSync as existsSync4 } from "fs";
+import { join as join2, resolve as resolvePath, dirname as dirname4 } from "path";
+
+// src/auth.ts
+import { randomBytes as randomBytes4, pbkdf2Sync, timingSafeEqual } from "crypto";
+var ITERATIONS = 6e5;
+var KEY_LEN = 32;
+var DIGEST = "sha256";
+function hashPassword(password) {
+  const salt = randomBytes4(16).toString("hex");
+  const hash = pbkdf2Sync(password, salt, ITERATIONS, KEY_LEN, DIGEST).toString("hex");
+  return { hash, salt };
+}
+function verifyPassword(password, hash, salt) {
+  const derived = pbkdf2Sync(password, salt, ITERATIONS, KEY_LEN, DIGEST);
+  const expected = Buffer.from(hash, "hex");
+  if (derived.length !== expected.length) return false;
+  return timingSafeEqual(derived, expected);
+}
+
+// src/i18n.ts
+var messages = {
+  en: {
+    "app.tagline": "Local encrypted vault for MCP/CLI workflows.",
+    "ui.projects": "Projects",
+    "ui.name": "Name",
+    "ui.keys_count": "Keys",
+    "ui.new_project": "New project",
+    "ui.optional_desc": "Description (optional)",
+    "ui.optional_folder": "Project folder path (optional)",
+    "ui.project_folder": "Project folder",
+    "ui.not_set": "Not set",
+    "ui.choose_folder": "Choose folder",
+    "ui.save_folder": "Save folder",
+    "ui.clear_folder": "Clear folder",
+    "ui.folder_picker": "Folder picker",
+    "ui.current_path": "Current path",
+    "ui.parent_folder": "Up",
+    "ui.roots": "Roots",
+    "ui.select_folder": "Select this folder",
+    "ui.close": "Close",
+    "ui.loading": "Loading...",
+    "ui.no_subfolders": "No subfolders",
+    "ui.folder_picker_failed": "Failed to load folders",
+    "ui.create": "Create",
+    "ui.real_values_visible": "Real values are visible.",
+    "ui.hide_values": "Hide values",
+    "ui.masked_values_visible": "Masked values are visible.",
+    "ui.show_values": "Show values",
+    "ui.delete_project": "Delete project",
+    "ui.secrets": "Secrets",
+    "ui.description": "Description",
+    "ui.updated_at": "Updated",
+    "ui.value": "Value",
+    "ui.delete": "Delete",
+    "ui.edit_secret": "Edit secret",
+    "ui.add_or_update_secret": "Add or update secret",
+    "ui.secret_preset": "Secret preset",
+    "ui.choose_preset": "Choose preset",
+    "ui.friendly_name": "Friendly name (optional)",
+    "ui.key": "Key",
+    "ui.folder_search": "Search folders",
+    "ui.no_matching_folders": "No matching folders",
+    "ui.save": "Save",
+    "ui.no_projects": "No projects yet",
+    "ui.create_left": "Create a project in the left panel.",
+    "ui.lang": "Language",
+    "ui.lang_en": "English",
+    "ui.lang_ru": "Russian",
+    "ui.theme": "Theme",
+    "ui.theme_standard": "Standard",
+    "ui.theme_zorin": "Zorin Pretty",
+    "ui.variant_light": "Light view",
+    "ui.variant_dark": "Dark glow",
+    "ui.sign_in": "Sign in",
+    "ui.password": "Password",
+    "ui.password_repeat": "Repeat password",
+    "ui.login": "Login",
+    "ui.logout": "Logout",
+    "ui.invalid_login": "Invalid password",
+    "ui.auth_required": "Authentication is required",
+    "ui.first_time_set_password": "Set admin password first via CLI: zocket auth set-password",
+    "ui.first_setup_title": "First launch setup",
+    "ui.first_setup_subtitle": "Choose how to protect your local panel.",
+    "ui.set_password": "Set your password",
+    "ui.save_and_enter": "Save and open panel",
+    "ui.generate_password": "Generate strong password",
+    "ui.generate_password_hint": "A secure random password will be generated and shown once.",
+    "ui.generate_and_enter": "Generate and open panel",
+    "ui.continue_without_password": "Continue without password",
+    "ui.insecure_warning": "This is less secure. Anyone with local access may open the panel.",
+    "ui.i_understand_risk": "I understand the risk",
+    "ui.continue_anyway": "Continue without password",
+    "ui.insecure_confirm_dialog": "Continue without password? This is less secure.",
+    "ui.confirm_insecure_required": "Please confirm that you understand the security risk.",
+    "ui.invalid_setup_option": "Invalid setup option.",
+    "ui.password_required": "Password is required.",
+    "ui.passwords_do_not_match": "Passwords do not match.",
+    "ui.generated_password_notice": "Generated admin password (shown once):",
+    "ui.generated_password_save_now": "Save it now. You can change it later via CLI.",
+    "msg.key_file": "Key file: {path}",
+    "msg.vault_file": "Vault file: {path}",
+    "msg.init_complete": "Initialization complete.",
+    "msg.project_created": "Project created: {name}",
+    "msg.project_deleted": "Project deleted: {name}",
+    "msg.project_folder_set": "Project folder saved: {name}",
+    "msg.project_folder_cleared": "Project folder cleared: {name}",
+    "msg.secret_saved": "Secret {key} saved for project {project}",
+    "msg.secret_deleted": "Secret {key} deleted from project {project}",
+    "msg.password_set": "Web admin password was updated.",
+    "msg.language_set": "Language set to {lang}.",
+    "err.usage_use": "Usage: zocket use <project> -- <command> [args...]",
+    "err.need_login": "Error: password login required."
+  },
+  ru: {
+    "app.tagline": "\u041B\u043E\u043A\u0430\u043B\u044C\u043D\u043E\u0435 \u0448\u0438\u0444\u0440\u043E\u0432\u0430\u043D\u043D\u043E\u0435 \u0445\u0440\u0430\u043D\u0438\u043B\u0438\u0449\u0435 \u0434\u043B\u044F MCP/CLI.",
+    "ui.projects": "\u041F\u0440\u043E\u0435\u043A\u0442\u044B",
+    "ui.name": "\u0418\u043C\u044F",
+    "ui.keys_count": "\u041A\u043B\u044E\u0447\u0435\u0439",
+    "ui.new_project": "\u041D\u043E\u0432\u044B\u0439 \u043F\u0440\u043E\u0435\u043A\u0442",
+    "ui.optional_desc": "\u041E\u043F\u0438\u0441\u0430\u043D\u0438\u0435 (\u043E\u043F\u0446\u0438\u043E\u043D\u0430\u043B\u044C\u043D\u043E)",
+    "ui.optional_folder": "\u041F\u0430\u043F\u043A\u0430 \u043F\u0440\u043E\u0435\u043A\u0442\u0430 (\u043E\u043F\u0446\u0438\u043E\u043D\u0430\u043B\u044C\u043D\u043E)",
+    "ui.project_folder": "\u041F\u0430\u043F\u043A\u0430 \u043F\u0440\u043E\u0435\u043A\u0442\u0430",
+    "ui.not_set": "\u041D\u0435 \u0437\u0430\u0434\u0430\u043D\u043E",
+    "ui.choose_folder": "\u0412\u044B\u0431\u0440\u0430\u0442\u044C \u043F\u0430\u043F\u043A\u0443",
+    "ui.save_folder": "\u0421\u043E\u0445\u0440\u0430\u043D\u0438\u0442\u044C \u043F\u0430\u043F\u043A\u0443",
+    "ui.clear_folder": "\u041E\u0447\u0438\u0441\u0442\u0438\u0442\u044C \u043F\u0430\u043F\u043A\u0443",
+    "ui.folder_picker": "\u0412\u044B\u0431\u043E\u0440 \u043F\u0430\u043F\u043A\u0438",
+    "ui.current_path": "\u0422\u0435\u043A\u0443\u0449\u0438\u0439 \u043F\u0443\u0442\u044C",
+    "ui.parent_folder": "\u0412\u0432\u0435\u0440\u0445",
+    "ui.roots": "\u041A\u043E\u0440\u043D\u0438",
+    "ui.select_folder": "\u0412\u044B\u0431\u0440\u0430\u0442\u044C \u044D\u0442\u0443 \u043F\u0430\u043F\u043A\u0443",
+    "ui.close": "\u0417\u0430\u043A\u0440\u044B\u0442\u044C",
+    "ui.loading": "\u0417\u0430\u0433\u0440\u0443\u0437\u043A\u0430...",
+    "ui.no_subfolders": "\u041F\u043E\u0434\u043F\u0430\u043F\u043E\u043A \u043D\u0435\u0442",
+    "ui.folder_picker_failed": "\u041D\u0435 \u0443\u0434\u0430\u043B\u043E\u0441\u044C \u0437\u0430\u0433\u0440\u0443\u0437\u0438\u0442\u044C \u043F\u0430\u043F\u043A\u0438",
+    "ui.create": "\u0421\u043E\u0437\u0434\u0430\u0442\u044C",
+    "ui.real_values_visible": "\u041F\u043E\u043A\u0430\u0437\u0430\u043D\u044B \u0440\u0435\u0430\u043B\u044C\u043D\u044B\u0435 \u0437\u043D\u0430\u0447\u0435\u043D\u0438\u044F.",
+    "ui.hide_values": "\u0421\u043A\u0440\u044B\u0442\u044C \u0437\u043D\u0430\u0447\u0435\u043D\u0438\u044F",
+    "ui.masked_values_visible": "\u041F\u043E\u043A\u0430\u0437\u0430\u043D\u044B \u0437\u0430\u043C\u0430\u0441\u043A\u0438\u0440\u043E\u0432\u0430\u043D\u043D\u044B\u0435 \u0437\u043D\u0430\u0447\u0435\u043D\u0438\u044F.",
+    "ui.show_values": "\u041F\u043E\u043A\u0430\u0437\u0430\u0442\u044C \u0437\u043D\u0430\u0447\u0435\u043D\u0438\u044F",
+    "ui.delete_project": "\u0423\u0434\u0430\u043B\u0438\u0442\u044C \u043F\u0440\u043E\u0435\u043A\u0442",
+    "ui.secrets": "\u0421\u0435\u043A\u0440\u0435\u0442\u044B",
+    "ui.description": "\u041E\u043F\u0438\u0441\u0430\u043D\u0438\u0435",
+    "ui.updated_at": "\u041E\u0431\u043D\u043E\u0432\u043B\u0451\u043D",
+    "ui.value": "\u0417\u043D\u0430\u0447\u0435\u043D\u0438\u0435",
+    "ui.delete": "\u0423\u0434\u0430\u043B\u0438\u0442\u044C",
+    "ui.edit_secret": "\u0420\u0435\u0434\u0430\u043A\u0442\u0438\u0440\u043E\u0432\u0430\u0442\u044C",
+    "ui.add_or_update_secret": "\u0414\u043E\u0431\u0430\u0432\u0438\u0442\u044C \u0438\u043B\u0438 \u043E\u0431\u043D\u043E\u0432\u0438\u0442\u044C \u0441\u0435\u043A\u0440\u0435\u0442",
+    "ui.secret_preset": "\u041F\u0440\u0435\u0441\u0435\u0442 \u0441\u0435\u043A\u0440\u0435\u0442\u0430",
+    "ui.choose_preset": "\u0412\u044B\u0431\u0440\u0430\u0442\u044C \u043F\u0440\u0435\u0441\u0435\u0442",
+    "ui.friendly_name": "\u0427\u0438\u0442\u0430\u0431\u0435\u043B\u044C\u043D\u043E\u0435 \u0438\u043C\u044F (\u043E\u043F\u0446\u0438\u043E\u043D\u0430\u043B\u044C\u043D\u043E)",
+    "ui.key": "\u041A\u043B\u044E\u0447",
+    "ui.folder_search": "\u041F\u043E\u0438\u0441\u043A \u043F\u0430\u043F\u043E\u043A",
+    "ui.no_matching_folders": "\u0421\u043E\u0432\u043F\u0430\u0434\u0435\u043D\u0438\u0439 \u043D\u0435 \u043D\u0430\u0439\u0434\u0435\u043D\u043E",
+    "ui.save": "\u0421\u043E\u0445\u0440\u0430\u043D\u0438\u0442\u044C",
+    "ui.no_projects": "\u041F\u0440\u043E\u0435\u043A\u0442\u043E\u0432 \u043F\u043E\u043A\u0430 \u043D\u0435\u0442",
+    "ui.create_left": "\u0421\u043E\u0437\u0434\u0430\u0439\u0442\u0435 \u043F\u0440\u043E\u0435\u043A\u0442 \u0441\u043B\u0435\u0432\u0430.",
+    "ui.lang": "\u042F\u0437\u044B\u043A",
+    "ui.lang_en": "\u0410\u043D\u0433\u043B\u0438\u0439\u0441\u043A\u0438\u0439",
+    "ui.lang_ru": "\u0420\u0443\u0441\u0441\u043A\u0438\u0439",
+    "ui.theme": "\u0422\u0435\u043C\u0430",
+    "ui.theme_standard": "\u0421\u0442\u0430\u043D\u0434\u0430\u0440\u0442\u043D\u0430\u044F",
+    "ui.theme_zorin": "Zorin Pretty",
+    "ui.variant_light": "\u0421\u0432\u0435\u0442\u043B\u0430\u044F",
+    "ui.variant_dark": "\u0422\u0451\u043C\u043D\u0430\u044F",
+    "ui.sign_in": "\u0412\u0445\u043E\u0434",
+    "ui.password": "\u041F\u0430\u0440\u043E\u043B\u044C",
+    "ui.password_repeat": "\u041F\u043E\u0432\u0442\u043E\u0440\u0438\u0442\u0435 \u043F\u0430\u0440\u043E\u043B\u044C",
+    "ui.login": "\u0412\u043E\u0439\u0442\u0438",
+    "ui.logout": "\u0412\u044B\u0439\u0442\u0438",
+    "ui.invalid_login": "\u041D\u0435\u0432\u0435\u0440\u043D\u044B\u0439 \u043F\u0430\u0440\u043E\u043B\u044C",
+    "ui.auth_required": "\u0422\u0440\u0435\u0431\u0443\u0435\u0442\u0441\u044F \u0430\u0443\u0442\u0435\u043D\u0442\u0438\u0444\u0438\u043A\u0430\u0446\u0438\u044F",
+    "ui.first_time_set_password": "\u0421\u043D\u0430\u0447\u0430\u043B\u0430 \u0437\u0430\u0434\u0430\u0439\u0442\u0435 \u043F\u0430\u0440\u043E\u043B\u044C \u0447\u0435\u0440\u0435\u0437 CLI: zocket auth set-password",
+    "ui.first_setup_title": "\u041F\u0435\u0440\u0432\u0438\u0447\u043D\u0430\u044F \u043D\u0430\u0441\u0442\u0440\u043E\u0439\u043A\u0430",
+    "ui.first_setup_subtitle": "\u0412\u044B\u0431\u0435\u0440\u0438\u0442\u0435 \u0441\u043F\u043E\u0441\u043E\u0431 \u0437\u0430\u0449\u0438\u0442\u044B \u043B\u043E\u043A\u0430\u043B\u044C\u043D\u043E\u0439 \u043F\u0430\u043D\u0435\u043B\u0438.",
+    "ui.set_password": "\u0417\u0430\u0434\u0430\u0442\u044C \u0441\u0432\u043E\u0439 \u043F\u0430\u0440\u043E\u043B\u044C",
+    "ui.save_and_enter": "\u0421\u043E\u0445\u0440\u0430\u043D\u0438\u0442\u044C \u0438 \u043E\u0442\u043A\u0440\u044B\u0442\u044C \u043F\u0430\u043D\u0435\u043B\u044C",
+    "ui.generate_password": "\u0421\u0433\u0435\u043D\u0435\u0440\u0438\u0440\u043E\u0432\u0430\u0442\u044C \u043D\u0430\u0434\u0451\u0436\u043D\u044B\u0439 \u043F\u0430\u0440\u043E\u043B\u044C",
+    "ui.generate_password_hint": "\u0411\u0443\u0434\u0435\u0442 \u0441\u0433\u0435\u043D\u0435\u0440\u0438\u0440\u043E\u0432\u0430\u043D \u0441\u043B\u0443\u0447\u0430\u0439\u043D\u044B\u0439 \u043F\u0430\u0440\u043E\u043B\u044C \u0438 \u043F\u043E\u043A\u0430\u0437\u0430\u043D \u043E\u0434\u0438\u043D \u0440\u0430\u0437.",
+    "ui.generate_and_enter": "\u0421\u0433\u0435\u043D\u0435\u0440\u0438\u0440\u043E\u0432\u0430\u0442\u044C \u0438 \u043E\u0442\u043A\u0440\u044B\u0442\u044C \u043F\u0430\u043D\u0435\u043B\u044C",
+    "ui.continue_without_password": "\u041F\u0440\u043E\u0434\u043E\u043B\u0436\u0438\u0442\u044C \u0431\u0435\u0437 \u043F\u0430\u0440\u043E\u043B\u044F",
+    "ui.insecure_warning": "\u042D\u0442\u043E \u043C\u0435\u043D\u0435\u0435 \u0431\u0435\u0437\u043E\u043F\u0430\u0441\u043D\u043E. \u041B\u044E\u0431\u043E\u0439 \u0441 \u043B\u043E\u043A\u0430\u043B\u044C\u043D\u044B\u043C \u0434\u043E\u0441\u0442\u0443\u043F\u043E\u043C \u0441\u043C\u043E\u0436\u0435\u0442 \u043E\u0442\u043A\u0440\u044B\u0442\u044C \u043F\u0430\u043D\u0435\u043B\u044C.",
+    "ui.i_understand_risk": "\u042F \u043F\u043E\u043D\u0438\u043C\u0430\u044E \u0440\u0438\u0441\u043A",
+    "ui.continue_anyway": "\u041F\u0440\u043E\u0434\u043E\u043B\u0436\u0438\u0442\u044C \u0431\u0435\u0437 \u043F\u0430\u0440\u043E\u043B\u044F",
+    "ui.insecure_confirm_dialog": "\u041F\u0440\u043E\u0434\u043E\u043B\u0436\u0438\u0442\u044C \u0431\u0435\u0437 \u043F\u0430\u0440\u043E\u043B\u044F? \u042D\u0442\u043E \u043C\u0435\u043D\u0435\u0435 \u0431\u0435\u0437\u043E\u043F\u0430\u0441\u043D\u043E.",
+    "ui.confirm_insecure_required": "\u041F\u043E\u0434\u0442\u0432\u0435\u0440\u0434\u0438\u0442\u0435, \u0447\u0442\u043E \u0432\u044B \u043F\u043E\u043D\u0438\u043C\u0430\u0435\u0442\u0435 \u0440\u0438\u0441\u043A \u0431\u0435\u0437\u043E\u043F\u0430\u0441\u043D\u043E\u0441\u0442\u0438.",
+    "ui.invalid_setup_option": "\u041D\u0435\u043A\u043E\u0440\u0440\u0435\u043A\u0442\u043D\u044B\u0439 \u0432\u0430\u0440\u0438\u0430\u043D\u0442 \u043D\u0430\u0441\u0442\u0440\u043E\u0439\u043A\u0438.",
+    "ui.password_required": "\u041D\u0443\u0436\u043D\u043E \u0432\u0432\u0435\u0441\u0442\u0438 \u043F\u0430\u0440\u043E\u043B\u044C.",
+    "ui.passwords_do_not_match": "\u041F\u0430\u0440\u043E\u043B\u0438 \u043D\u0435 \u0441\u043E\u0432\u043F\u0430\u0434\u0430\u044E\u0442.",
+    "ui.generated_password_notice": "\u0421\u0433\u0435\u043D\u0435\u0440\u0438\u0440\u043E\u0432\u0430\u043D\u043D\u044B\u0439 \u043F\u0430\u0440\u043E\u043B\u044C \u0430\u0434\u043C\u0438\u043D\u0438\u0441\u0442\u0440\u0430\u0442\u043E\u0440\u0430 (\u043F\u043E\u043A\u0430\u0437\u0430\u043D \u043E\u0434\u0438\u043D \u0440\u0430\u0437):",
+    "ui.generated_password_save_now": "\u0421\u043E\u0445\u0440\u0430\u043D\u0438\u0442\u0435 \u0435\u0433\u043E \u0441\u0435\u0439\u0447\u0430\u0441. \u041F\u043E\u0437\u0436\u0435 \u043C\u043E\u0436\u043D\u043E \u0441\u043C\u0435\u043D\u0438\u0442\u044C \u0447\u0435\u0440\u0435\u0437 CLI.",
+    "msg.key_file": "\u0424\u0430\u0439\u043B \u043A\u043B\u044E\u0447\u0430: {path}",
+    "msg.vault_file": "\u0424\u0430\u0439\u043B vault: {path}",
+    "msg.init_complete": "\u0418\u043D\u0438\u0446\u0438\u0430\u043B\u0438\u0437\u0430\u0446\u0438\u044F \u0437\u0430\u0432\u0435\u0440\u0448\u0435\u043D\u0430.",
+    "msg.project_created": "\u041F\u0440\u043E\u0435\u043A\u0442 \u0441\u043E\u0437\u0434\u0430\u043D: {name}",
+    "msg.project_deleted": "\u041F\u0440\u043E\u0435\u043A\u0442 \u0443\u0434\u0430\u043B\u0451\u043D: {name}",
+    "msg.project_folder_set": "\u041F\u0430\u043F\u043A\u0430 \u043F\u0440\u043E\u0435\u043A\u0442\u0430 \u0441\u043E\u0445\u0440\u0430\u043D\u0435\u043D\u0430: {name}",
+    "msg.project_folder_cleared": "\u041F\u0430\u043F\u043A\u0430 \u043F\u0440\u043E\u0435\u043A\u0442\u0430 \u043E\u0447\u0438\u0449\u0435\u043D\u0430: {name}",
+    "msg.secret_saved": "\u0421\u0435\u043A\u0440\u0435\u0442 {key} \u0441\u043E\u0445\u0440\u0430\u043D\u0451\u043D \u0434\u043B\u044F \u043F\u0440\u043E\u0435\u043A\u0442\u0430 {project}",
+    "msg.secret_deleted": "\u0421\u0435\u043A\u0440\u0435\u0442 {key} \u0443\u0434\u0430\u043B\u0451\u043D \u0438\u0437 \u043F\u0440\u043E\u0435\u043A\u0442\u0430 {project}",
+    "msg.password_set": "\u041F\u0430\u0440\u043E\u043B\u044C \u0432\u0435\u0431-\u0430\u0434\u043C\u0438\u043D\u0430 \u043E\u0431\u043D\u043E\u0432\u043B\u0451\u043D.",
+    "msg.language_set": "\u042F\u0437\u044B\u043A \u043F\u0435\u0440\u0435\u043A\u043B\u044E\u0447\u0435\u043D \u043D\u0430 {lang}.",
+    "err.usage_use": "\u0418\u0441\u043F\u043E\u043B\u044C\u0437\u043E\u0432\u0430\u043D\u0438\u0435: zocket use <project> -- <command> [args...]",
+    "err.need_login": "\u041E\u0448\u0438\u0431\u043A\u0430: \u043D\u0443\u0436\u0435\u043D \u043F\u0430\u0440\u043E\u043B\u044C\u043D\u044B\u0439 \u0432\u0445\u043E\u0434."
+  }
+};
+function t(key, lang = "en", vars = {}) {
+  const msg = messages[lang]?.[key] ?? messages["en"]?.[key] ?? key;
+  return msg.replace(/\{(\w+)\}/g, (_, k) => vars[k] ?? `{${k}}`);
+}
+function normalizeLang(lang) {
+  return lang?.toLowerCase().startsWith("ru") ? "ru" : "en";
+}
+
+// src/web.ts
+var COOKIE = "zs";
+function signSession(data, secret) {
+  const payload = Buffer.from(JSON.stringify(data)).toString("base64url");
+  const sig = createHmac("sha256", secret).update(payload).digest("hex").slice(0, 20);
+  return `${payload}.${sig}`;
+}
+function parseSession(value, secret) {
+  const dot = value.lastIndexOf(".");
+  if (dot === -1) return null;
+  const payload = value.slice(0, dot);
+  const sig = value.slice(dot + 1);
+  const expected = createHmac("sha256", secret).update(payload).digest("hex").slice(0, 20);
+  if (sig !== expected) return null;
+  try {
+    return JSON.parse(Buffer.from(payload, "base64url").toString());
+  } catch {
+    return null;
+  }
+}
+function safeResolve(p) {
+  return resolvePath(p.replace(/^~/, process.env.HOME ?? ""));
+}
+function isSubPath(child, parent) {
+  return child === parent || child.startsWith(parent + "/");
+}
+var CSS_COMMON = `
+@import url("https://fonts.googleapis.com/css2?family=Manrope:wght@400;600;700;800&display=swap");
+:root{--p:#0088cc;--pd:#006699;--bg:#f4faff;--bga:#eaf4fb;--card:rgba(255,255,255,.92);--text:#1b2b37;--muted:#607889;--bdr:rgba(0,136,204,.23);--danger:#be123c;--ok:#0f766e}
+*{box-sizing:border-box}
+body{margin:0;font-family:"Manrope","Segoe UI",sans-serif;color:var(--text)}
+input,button,textarea{width:100%;border-radius:11px;padding:9px 10px;font:inherit;margin-bottom:8px}
+input,textarea{border:1px solid var(--bdr);background:rgba(255,255,255,.95)}
+input:focus,textarea:focus{outline:2px solid rgba(0,136,204,.28);border-color:var(--p)}
+button{border:0;cursor:pointer;color:#fff;font-weight:800;background:linear-gradient(95deg,var(--p),#00a7ff);box-shadow:0 10px 22px rgba(0,136,204,.23)}
+button:hover{transform:translateY(-1px)}
+.danger{background:linear-gradient(95deg,var(--danger),#e11d48)!important;box-shadow:0 10px 22px rgba(190,18,60,.25)!important}
+.mono{font-family:"JetBrains Mono","Fira Code",monospace;font-size:13px;word-break:break-word}
+.inline{display:flex;gap:8px;align-items:center;flex-wrap:wrap}
+.inline form{margin:0}
+.btn-sm{width:auto;margin-bottom:0;padding:7px 11px}
+.error{margin-bottom:12px;padding:10px 12px;border:1px solid #fecdd3;background:#fff1f2;color:#9f1239;border-radius:12px}
+.notice{margin-bottom:12px;padding:10px 12px;border:1px solid #99f6e4;background:#f0fdfa;color:#115e59;border-radius:12px}
+`;
+function pageShell(lang, title, body) {
+  return `<!doctype html>
+<html lang="${lang}"><head>
+<meta charset="utf-8"/><meta name="viewport" content="width=device-width,initial-scale=1"/>
+<title>${title}</title>
+<style>${CSS_COMMON}
+body{background:radial-gradient(40vw 40vw at 6% 0%,rgba(0,136,204,.20),transparent 55%),radial-gradient(45vw 45vw at 95% 100%,rgba(0,136,204,.17),transparent 60%),linear-gradient(140deg,var(--bg) 0%,var(--bga) 100%);min-height:100vh;padding:16px}
+.app{max-width:1320px;margin:0 auto}
+.top{border:1px solid var(--bdr);border-radius:20px;background:var(--card);box-shadow:0 18px 55px rgba(0,63,94,.17);backdrop-filter:blur(8px);padding:16px;display:flex;justify-content:space-between;align-items:center;gap:14px;margin-bottom:14px}
+.brand{font-size:clamp(22px,3vw,32px);font-weight:800;letter-spacing:-.03em}
+.brand span{background:linear-gradient(95deg,var(--p),#00a7ff);-webkit-background-clip:text;background-clip:text;color:transparent}
+.meta{display:flex;gap:12px;align-items:center;flex-wrap:wrap}
+.meta a{text-decoration:none;color:var(--pd);font-weight:700}
+.layout{display:grid;grid-template-columns:360px 1fr;gap:14px}
+.card{border:1px solid var(--bdr);border-radius:20px;background:var(--card);box-shadow:0 16px 42px rgba(0,70,110,.14);backdrop-filter:blur(8px);padding:14px}
+h2,h3{margin:0 0 10px;letter-spacing:-.015em}
+p{margin:0 0 10px;color:var(--muted)}
+table{width:100%;border-collapse:collapse}
+th,td{text-align:left;border-bottom:1px solid rgba(0,136,204,.15);padding:8px 7px;vertical-align:top}
+th{font-size:13px;color:var(--muted)}
+.folder-field{display:flex;gap:8px;align-items:center}
+.folder-field input{margin-bottom:0}
+.modal[hidden]{display:none}
+.modal{position:fixed;inset:0;background:rgba(17,31,41,.62);display:flex;align-items:center;justify-content:center;padding:16px}
+.modal-card{width:min(820px,96vw);max-height:90vh;overflow:auto;border:1px solid var(--bdr);border-radius:18px;background:#fff;padding:14px}
+.modal-head{display:flex;align-items:center;justify-content:space-between;gap:8px}
+.chip{display:inline-flex;align-items:center;gap:6px;border:1px solid var(--bdr);border-radius:999px;padding:6px 10px;background:rgba(255,255,255,.8);color:var(--muted);font-size:13px}
+.folder-list{max-height:280px;overflow:auto;border:1px solid var(--bdr);border-radius:10px;padding:8px}
+.folder-list button{width:100%;text-align:left;margin-bottom:6px}
+.folder-list button:last-child{margin-bottom:0}
+hr{border:none;border-top:1px solid var(--bdr);margin:12px 0}
+@media(max-width:1040px){.layout{grid-template-columns:1fr}}
+@media(max-width:700px){.top{flex-direction:column;align-items:flex-start}}
+</style></head>
+<body><div class="app">${body}</div></body></html>`;
+}
+function loginPage(lang, error, missingPassword) {
+  const body = `
+<style>
+body{display:grid;place-items:center;min-height:100vh;padding:20px}
+.shell{width:min(680px,100%);border-radius:22px;border:1px solid var(--bdr);background:linear-gradient(180deg,rgba(255,255,255,.96),rgba(255,255,255,.93));box-shadow:0 24px 70px rgba(0,62,95,.20);backdrop-filter:blur(7px);padding:22px}
+.head{display:flex;justify-content:space-between;align-items:center;gap:10px;margin-bottom:14px}
+.logo{font-size:24px;font-weight:800;letter-spacing:-.02em}
+.logo span{background:linear-gradient(95deg,var(--p),#00a9ff);-webkit-background-clip:text;background-clip:text;color:transparent}
+.lang a{color:var(--pd);text-decoration:none;font-weight:700;margin-left:10px}
+h1{margin:4px 0 6px;font-size:clamp(22px,4.6vw,32px);line-height:1.1;letter-spacing:-.02em}
+h2{margin:0 0 8px;font-size:17px;letter-spacing:-.01em}
+.section{border:1px solid var(--bdr);border-radius:14px;background:rgba(255,255,255,.82);padding:12px;margin-bottom:10px}
+.section.warn{border-color:rgba(190,18,60,.30);background:#fff7f9}
+.checkline{display:flex;gap:8px;align-items:flex-start;margin-bottom:8px;color:#374151}
+.checkline input{width:auto;margin:4px 0 0;padding:0}
+</style>
+<div class="shell">
+  <div class="head">
+    <div class="logo">zocket <span>pretty</span></div>
+    <div class="lang"><a href="/login?lang=en">EN</a><a href="/login?lang=ru">RU</a></div>
+  </div>
+  ${error ? `<div class="error">${error}</div>` : ""}
+  ${missingPassword ? `
+    <h1>${t("ui.first_setup_title", lang)}</h1>
+    <p>${t("ui.first_setup_subtitle", lang)}</p>
+    <div class="section">
+      <h2>${t("ui.set_password", lang)}</h2>
+      <form method="post" action="/setup/first-run">
+        <input type="hidden" name="mode" value="set_password"/>
+        <input type="password" name="password" placeholder="${t("ui.password", lang)}" required/>
+        <input type="password" name="password_repeat" placeholder="${t("ui.password_repeat", lang)}" required/>
+        <button type="submit">${t("ui.save_and_enter", lang)}</button>
+      </form>
+    </div>
+    <div class="section">
+      <h2>${t("ui.generate_password", lang)}</h2>
+      <p>${t("ui.generate_password_hint", lang)}</p>
+      <form method="post" action="/setup/first-run">
+        <input type="hidden" name="mode" value="generate_password"/>
+        <button type="submit">${t("ui.generate_and_enter", lang)}</button>
+      </form>
+    </div>
+    <div class="section warn">
+      <h2>${t("ui.continue_without_password", lang)}</h2>
+      <p>${t("ui.insecure_warning", lang)}</p>
+      <form method="post" action="/setup/first-run" onsubmit="return confirm('${t("ui.insecure_confirm_dialog", lang)}')">
+        <input type="hidden" name="mode" value="no_password"/>
+        <label class="checkline">
+          <input type="checkbox" name="confirm_no_password" value="1" required/>
+          <span>${t("ui.i_understand_risk", lang)}</span>
+        </label>
+        <button class="danger" type="submit">${t("ui.continue_anyway", lang)}</button>
+      </form>
+    </div>
+  ` : `
+    <h1>${t("ui.sign_in", lang)}</h1>
+    <form method="post" action="/login">
+      <input type="password" name="password" placeholder="${t("ui.password", lang)}" required/>
+      <button type="submit">${t("ui.login", lang)}</button>
+    </form>
+  `}
+</div>`;
+  return `<!doctype html><html lang="${lang}"><head>
+<meta charset="utf-8"/><meta name="viewport" content="width=device-width,initial-scale=1"/>
+<title>zocket</title><style>${CSS_COMMON}</style></head><body>${body}</body></html>`;
+}
+function mainPage(opts) {
+  const { lang, projects, selected, secrets, showValues, secretValues, error, notice } = opts;
+  const selInfo = projects.find((p) => p.name === selected);
+  const sidebar = `
+<aside class="card">
+  <h2>${t("ui.projects", lang)}</h2>
+  <table>
+    <thead><tr><th>${t("ui.name", lang)}</th><th>${t("ui.keys_count", lang)}</th></tr></thead>
+    <tbody>
+      ${projects.map((p) => `<tr><td><a href="/?project=${enc(p.name)}">${esc(p.name)}</a></td><td>${p.secret_count}</td></tr>`).join("")}
+    </tbody>
+  </table>
+  <hr/>
+  <h3>${t("ui.new_project", lang)}</h3>
+  <form method="post" action="/projects/create">
+    <input name="name" placeholder="project-name" required/>
+    <input name="description" placeholder="${t("ui.optional_desc", lang)}"/>
+    <div class="folder-field">
+      <input id="cf" name="folder_path" placeholder="${t("ui.optional_folder", lang)}" readonly/>
+      <button class="btn-sm" type="button" onclick="openPicker('cf')">${t("ui.choose_folder", lang)}</button>
+    </div>
+    <button type="submit">${t("ui.create", lang)}</button>
+  </form>
+</aside>`;
+  let main = `<main class="card">`;
+  if (!selected) {
+    main += `<h2>${t("ui.no_projects", lang)}</h2><p>${t("ui.create_left", lang)}</p>`;
+  } else {
+    const domains = selInfo?.allowed_domains;
+    const domainsStr = domains ? domains.join(", ") : "";
+    main += `
+<h2>${esc(selected)}</h2>
+<p>${t("ui.project_folder", lang)}: ${selInfo?.folder_path ? `<span class="mono">${esc(selInfo.folder_path)}</span>` : t("ui.not_set", lang)}</p>
+
+<form method="post" action="/projects/${enc(selected)}/folder">
+  <div class="folder-field">
+    <input id="ef" name="folder_path" placeholder="${t("ui.optional_folder", lang)}" value="${esc(selInfo?.folder_path ?? "")}" readonly/>
+    <button class="btn-sm" type="button" onclick="openPicker('ef')">${t("ui.choose_folder", lang)}</button>
+  </div>
+  <button type="submit">${t("ui.save_folder", lang)}</button>
+</form>
+${selInfo?.folder_path ? `
+<form method="post" action="/projects/${enc(selected)}/folder" onsubmit="return confirm('${t("ui.clear_folder", lang)}?')">
+  <input type="hidden" name="clear" value="1"/>
+  <button class="danger btn-sm" type="submit">${t("ui.clear_folder", lang)}</button>
+</form>` : ""}
+
+<p>Domains: ${domains ? `<span class="mono">${esc(domainsStr)}</span>` : t("ui.not_set", lang)}</p>
+<form method="post" action="/projects/${enc(selected)}/domains">
+  <input name="domains" placeholder="api.example.com, api2.example.com (empty to remove)" value="${esc(domainsStr)}"/>
+  <button type="submit" class="btn-sm">Save domains</button>
+</form>
+
+<p>
+  ${showValues ? `${t("ui.real_values_visible", lang)} <a href="/?project=${enc(selected)}">${t("ui.hide_values", lang)}</a>` : `${t("ui.masked_values_visible", lang)} <a href="/?project=${enc(selected)}&show_values=1">${t("ui.show_values", lang)}</a>`}
+</p>
+<div class="inline">
+  <form method="post" action="/projects/${enc(selected)}/delete" onsubmit="return confirm('${t("ui.delete_project", lang)}?')">
+    <button class="danger btn-sm" type="submit">${t("ui.delete_project", lang)}</button>
+  </form>
+</div>
+
+<h3>${t("ui.secrets", lang)}</h3>
+<table>
+  <thead><tr><th>KEY</th><th>${t("ui.value", lang)}</th><th>${t("ui.description", lang)}</th><th>${t("ui.updated_at", lang)}</th><th></th></tr></thead>
+  <tbody>
+    ${secrets.map((s) => `<tr>
+      <td class="mono">${esc(s.key)}</td>
+      <td class="mono">${showValues ? esc(secretValues[s.key] ?? "") : "***"}</td>
+      <td>${esc(s.description)}</td>
+      <td>${esc(s.updated_at.slice(0, 16).replace("T", " "))}</td>
+      <td>
+        <form method="post" action="/projects/${enc(selected)}/secrets/${enc(s.key)}/delete" onsubmit="return confirm('Delete ${esc(s.key)}?')">
+          <button class="danger btn-sm" type="submit">${t("ui.delete", lang)}</button>
+        </form>
+      </td>
+    </tr>`).join("")}
+  </tbody>
+</table>
+
+<h3>${t("ui.add_or_update_secret", lang)}</h3>
+<form method="post" action="/projects/${enc(selected)}/secrets/upsert">
+  <input name="key" placeholder="API_KEY" required/>
+  <input name="value" placeholder="${t("ui.value", lang)}" required/>
+  <input name="description" placeholder="${t("ui.optional_desc", lang)}"/>
+  <button type="submit">${t("ui.save", lang)}</button>
+</form>`;
+  }
+  main += `</main>`;
+  const folderScript = `
+<script>
+const ps={targetId:null,current:null,parent:null};
+const pm=document.getElementById('fp-modal');
+const pc=document.getElementById('fp-cur');
+const pl=document.getElementById('fp-list');
+const pe=document.getElementById('fp-err');
+const pu=document.getElementById('fp-up');
+const psel=document.getElementById('fp-sel');
+function _setErr(m){if(!m){pe.style.display='none';pe.textContent='';return}pe.style.display='block';pe.textContent=m}
+function _renderBtns(rows){pl.innerHTML='';if(!rows||!rows.length){pl.innerHTML='<p>${t("ui.no_subfolders", lang)}</p>';return}for(const r of rows){const b=document.createElement('button');b.type='button';b.textContent=r.name;b.addEventListener('click',()=>_load(r.path));pl.appendChild(b)}}
+async function _load(path){_setErr('');pl.innerHTML='<p>${t("ui.loading", lang)}</p>';const q=path?'?path='+encodeURIComponent(path):'';const r=await fetch('/api/folders'+q,{credentials:'same-origin'});const d=await r.json();if(!r.ok||!d.ok){_setErr(d&&d.error?d.error:'${t("ui.folder_picker_failed", lang)}');pl.innerHTML='';return}ps.current=d.current;ps.parent=d.parent;pc.textContent=d.current||'${t("ui.roots", lang)}';pu.disabled=!d.parent;psel.disabled=!d.current;_renderBtns(d.directories||[])}
+function openPicker(id){ps.targetId=id;pm.hidden=false;const inp=document.getElementById(id);_load(inp&&inp.value?inp.value:'')}
+function closePicker(){pm.hidden=true;ps.targetId=null;ps.current=null;ps.parent=null}
+function pickerUp(){if(ps.parent)_load(ps.parent)}
+function pickerRoots(){_load('')}
+function pickerSelect(){if(!ps.targetId||!ps.current)return;const inp=document.getElementById(ps.targetId);if(inp)inp.value=ps.current;closePicker()}
+</script>`;
+  const topBar = `
+<div class="top">
+  <div>
+    <div class="brand">zocket <span>pretty</span></div>
+    <p style="margin:0;color:var(--muted)">${t("app.tagline", lang)}</p>
+  </div>
+  <div class="meta">
+    <span>${t("ui.lang", lang)}:</span>
+    <a href="/?lang=en${selected ? `&project=${enc(selected)}` : ""}">EN</a>
+    <a href="/?lang=ru${selected ? `&project=${enc(selected)}` : ""}">RU</a>
+    <form method="post" action="/logout"><button class="btn-sm" type="submit">${t("ui.logout", lang)}</button></form>
+  </div>
+</div>`;
+  const folderModal = `
+<div id="fp-modal" class="modal" hidden>
+  <div class="modal-card">
+    <div class="modal-head">
+      <h3>${t("ui.folder_picker", lang)}</h3>
+      <button class="btn-sm danger" type="button" onclick="closePicker()">${t("ui.close", lang)}</button>
+    </div>
+    <p>${t("ui.current_path", lang)}: <span class="mono" id="fp-cur">-</span></p>
+    <div class="inline">
+      <button class="btn-sm" type="button" id="fp-up" onclick="pickerUp()">${t("ui.parent_folder", lang)}</button>
+      <button class="btn-sm" type="button" onclick="pickerRoots()">${t("ui.roots", lang)}</button>
+      <button class="btn-sm" type="button" id="fp-sel" onclick="pickerSelect()">${t("ui.select_folder", lang)}</button>
+    </div>
+    <div id="fp-err" class="error" style="display:none"></div>
+    <div id="fp-list" class="folder-list"></div>
+  </div>
+</div>`;
+  const content = `
+${topBar}
+${error ? `<div class="error">${esc(error)}</div>` : ""}
+${notice ? `<div class="notice">${esc(notice)}</div>` : ""}
+<div class="layout">${sidebar}${main}</div>
+${folderModal}
+${folderScript}`;
+  return pageShell(lang, "zocket", content);
+}
+function esc(s) {
+  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
+}
+function enc(s) {
+  return encodeURIComponent(s);
+}
+function createWebApp(services) {
+  const { vault, config, audit } = services;
+  const app = new Hono();
+  function getLang(cookieLang, queryLang) {
+    const raw = queryLang ?? cookieLang ?? config.load().language;
+    return normalizeLang(raw);
+  }
+  function isAuthenticated(sessionCookie, secret) {
+    if (!config.load().web_auth_enabled) return true;
+    if (!sessionCookie) return false;
+    const sess = parseSession(sessionCookie, secret);
+    return sess?.auth === true;
+  }
+  function hasPassword() {
+    const cfg = config.load();
+    return !!(cfg.web_password_hash && cfg.web_password_salt);
+  }
+  function requireAuth(next) {
+    return async (c) => {
+      const cfg = config.load();
+      const lang = getLang(getCookie(c, "lang"), c.req.query("lang"));
+      if (c.req.query("lang")) setCookie(c, "lang", lang, { path: "/", sameSite: "Lax" });
+      const sess = getCookie(c, COOKIE);
+      if (!isAuthenticated(sess, cfg.session_secret)) {
+        const dest = c.req.path;
+        return c.redirect(`/login${dest !== "/" ? `?next=${enc(dest)}` : ""}`);
+      }
+      return next(cfg);
+    };
+  }
+  app.get("/login", (c) => {
+    const cfg = config.load();
+    const lang = getLang(getCookie(c, "lang"), c.req.query("lang"));
+    if (c.req.query("lang")) setCookie(c, "lang", lang, { path: "/", sameSite: "Lax" });
+    if (!cfg.web_auth_enabled) return c.redirect("/");
+    const sess = getCookie(c, COOKIE);
+    if (isAuthenticated(sess, cfg.session_secret)) return c.redirect("/");
+    return c.html(loginPage(lang, c.req.query("error"), !hasPassword()));
+  });
+  app.post("/login", async (c) => {
+    const cfg = config.load();
+    const lang = getLang(getCookie(c, "lang"), void 0);
+    const body = await c.req.parseBody();
+    const password = String(body.password ?? "");
+    const ok2 = verifyPassword(password, String(cfg.web_password_hash), String(cfg.web_password_salt));
+    if (!ok2) {
+      audit.log("web.login", "web", { remote: c.req.header("x-forwarded-for") ?? "local" }, "fail");
+      return c.redirect(`/login?error=${enc(t("ui.invalid_login", lang))}`);
+    }
+    setCookie(c, COOKIE, signSession({ auth: true }, cfg.session_secret), { path: "/", httpOnly: true, sameSite: "Lax" });
+    audit.log("web.login", "web", {}, "ok");
+    const next = c.req.query("next") ?? "/";
+    return c.redirect(next);
+  });
+  app.post("/setup/first-run", async (c) => {
+    const cfg = config.load();
+    const lang = getLang(getCookie(c, "lang"), void 0);
+    if (hasPassword()) return c.redirect("/login");
+    const body = await c.req.parseBody();
+    const mode = String(body.mode ?? "");
+    if (mode === "set_password") {
+      const pw = String(body.password ?? ""), pw2 = String(body.password_repeat ?? "");
+      if (!pw) return c.redirect(`/login?error=${enc(t("ui.password_required", lang))}`);
+      if (pw !== pw2) return c.redirect(`/login?error=${enc(t("ui.passwords_do_not_match", lang))}`);
+      const { salt, hash } = hashPassword(pw);
+      cfg.web_password_salt = salt;
+      cfg.web_password_hash = hash;
+      cfg.web_auth_enabled = true;
+      config.save(cfg);
+      setCookie(c, COOKIE, signSession({ auth: true }, cfg.session_secret), { path: "/", httpOnly: true, sameSite: "Lax" });
+      audit.log("web.setup", "web", { mode: "set_password" }, "ok");
+      return c.redirect("/");
+    }
+    if (mode === "generate_password") {
+      const generated = randomBytes5(18).toString("base64url");
+      const { salt, hash } = hashPassword(generated);
+      cfg.web_password_salt = salt;
+      cfg.web_password_hash = hash;
+      cfg.web_auth_enabled = true;
+      config.save(cfg);
+      setCookie(c, COOKIE, signSession({ auth: true }, cfg.session_secret), { path: "/", httpOnly: true, sameSite: "Lax" });
+      setCookie(c, "genpw", generated, { path: "/", httpOnly: true, sameSite: "Lax", maxAge: 60 });
+      audit.log("web.setup", "web", { mode: "generate_password" }, "ok");
+      return c.redirect("/");
+    }
+    if (mode === "no_password") {
+      if (String(body.confirm_no_password) !== "1")
+        return c.redirect(`/login?error=${enc(t("ui.confirm_insecure_required", lang))}`);
+      cfg.web_auth_enabled = false;
+      cfg.web_password_hash = "";
+      cfg.web_password_salt = "";
+      config.save(cfg);
+      setCookie(c, COOKIE, signSession({ auth: true }, cfg.session_secret), { path: "/", httpOnly: true, sameSite: "Lax" });
+      audit.log("web.setup", "web", { mode: "no_password" }, "ok");
+      return c.redirect("/");
+    }
+    return c.redirect(`/login?error=${enc(t("ui.invalid_setup_option", lang))}`);
+  });
+  app.post("/logout", (c) => {
+    deleteCookie(c, COOKIE, { path: "/" });
+    return c.redirect("/login");
+  });
+  app.get("/api/folders", (c) => {
+    const cfg = config.load();
+    const sess = getCookie(c, COOKIE);
+    if (!isAuthenticated(sess, cfg.session_secret)) return c.json({ ok: false, error: "Unauthorized" }, 401);
+    const roots = (cfg.folder_picker_roots ?? ["/home", "/srv", "/opt", "/var/www"]).filter((r) => {
+      try {
+        return existsSync4(r) && statSync(r).isDirectory();
+      } catch {
+        return false;
+      }
+    });
+    if (!roots.length) return c.json({ ok: false, error: "No folder picker roots configured" }, 500);
+    const requested = c.req.query("path")?.trim() ?? "";
+    if (!requested) {
+      const rows = roots.map((r) => ({ name: r, path: r }));
+      return c.json({ ok: true, current: null, parent: null, roots: rows, directories: rows });
+    }
+    const current = safeResolve(requested);
+    if (!roots.some((r) => isSubPath(current, r)))
+      return c.json({ ok: false, error: "Folder is outside allowed roots." }, 403);
+    if (!existsSync4(current) || !statSync(current).isDirectory())
+      return c.json({ ok: false, error: "Folder not found." }, 404);
+    let dirs = [];
+    try {
+      dirs = readdirSync(current, { withFileTypes: true }).filter((e) => e.isDirectory() && !e.name.startsWith(".")).map((e) => ({ name: e.name, path: join2(current, e.name) })).filter((d) => roots.some((r) => isSubPath(d.path, r))).sort((a, b) => a.name.localeCompare(b.name));
+    } catch {
+      dirs = [];
+    }
+    const parent_ = dirname4(current);
+    const parent = parent_ !== current && roots.some((r) => isSubPath(parent_, r)) ? parent_ : null;
+    return c.json({ ok: true, current, parent, roots: roots.map((r) => ({ name: r, path: r })), directories: dirs });
+  });
+  app.get("/", async (c) => {
+    const cfg = config.load();
+    const lang = getLang(getCookie(c, "lang"), c.req.query("lang"));
+    if (c.req.query("lang")) setCookie(c, "lang", lang, { path: "/", sameSite: "Lax" });
+    const sess = getCookie(c, COOKIE);
+    if (!isAuthenticated(sess, cfg.session_secret)) return c.redirect("/login");
+    const projects = await vault.listProjects();
+    const reqProject = c.req.query("project");
+    const selected = reqProject ?? (projects[0]?.name ?? null);
+    const showValues = c.req.query("show_values") === "1";
+    const notice_raw = getCookie(c, "genpw");
+    if (notice_raw) deleteCookie(c, "genpw", { path: "/" });
+    let secrets = [];
+    let secretValues = {};
+    if (selected) {
+      try {
+        secrets = await vault.listSecrets(selected);
+        if (showValues) secretValues = await vault.getEnv(selected);
+      } catch {
+        secrets = [];
+      }
+    }
+    return c.html(mainPage({
+      lang,
+      projects,
+      selected,
+      secrets,
+      showValues,
+      secretValues,
+      error: c.req.query("error"),
+      notice: notice_raw ? `${t("ui.generated_password_notice", lang)}
+${notice_raw}
+${t("ui.generated_password_save_now", lang)}` : void 0
+    }));
+  });
+  app.post("/projects/create", async (c) => {
+    const cfg = config.load();
+    const lang = getLang(getCookie(c, "lang"), void 0);
+    const sess = getCookie(c, COOKIE);
+    if (!isAuthenticated(sess, cfg.session_secret)) return c.redirect("/login");
+    const body = await c.req.parseBody();
+    const name = String(body.name ?? "").trim();
+    const description = String(body.description ?? "");
+    const folder_path = String(body.folder_path ?? "").trim() || void 0;
+    try {
+      await vault.createProject(name, description);
+      if (folder_path) await vault.setFolder(name, folder_path);
+      audit.log("web.project.create", "web", { name, folder_path }, "ok");
+    } catch (e) {
+      audit.log("web.project.create", "web", { name }, "fail");
+      return c.redirect(`/?error=${enc(String(e))}`);
+    }
+    return c.redirect(`/?project=${enc(name)}`);
+  });
+  app.post("/projects/:project/delete", async (c) => {
+    const cfg = config.load();
+    const sess = getCookie(c, COOKIE);
+    if (!isAuthenticated(sess, cfg.session_secret)) return c.redirect("/login");
+    const project = c.req.param("project");
+    try {
+      await vault.deleteProject(project);
+      audit.log("web.project.delete", "web", { project }, "ok");
+    } catch (e) {
+      return c.redirect(`/?error=${enc(String(e))}`);
+    }
+    return c.redirect("/");
+  });
+  app.post("/projects/:project/folder", async (c) => {
+    const cfg = config.load();
+    const sess = getCookie(c, COOKIE);
+    if (!isAuthenticated(sess, cfg.session_secret)) return c.redirect("/login");
+    const project = c.req.param("project");
+    const body = await c.req.parseBody();
+    const clear = body.clear === "1";
+    const folder_path = clear ? void 0 : String(body.folder_path ?? "").trim() || void 0;
+    try {
+      await vault.setFolder(project, folder_path);
+      audit.log("web.project.folder", "web", { project, folder_path }, "ok");
+    } catch (e) {
+      return c.redirect(`/?project=${enc(project)}&error=${enc(String(e))}`);
+    }
+    return c.redirect(`/?project=${enc(project)}`);
+  });
+  app.post("/projects/:project/domains", async (c) => {
+    const cfg = config.load();
+    const sess = getCookie(c, COOKIE);
+    if (!isAuthenticated(sess, cfg.session_secret)) return c.redirect("/login");
+    const project = c.req.param("project");
+    const body = await c.req.parseBody();
+    const raw = String(body.domains ?? "").trim();
+    const domains = raw ? raw.split(/[\s,]+/).map((d) => d.trim()).filter(Boolean) : null;
+    try {
+      await vault.setAllowedDomains(project, domains);
+      audit.log("web.project.domains", "web", { project, domains }, "ok");
+    } catch (e) {
+      return c.redirect(`/?project=${enc(project)}&error=${enc(String(e))}`);
+    }
+    return c.redirect(`/?project=${enc(project)}`);
+  });
+  app.post("/projects/:project/secrets/upsert", async (c) => {
+    const cfg = config.load();
+    const sess = getCookie(c, COOKIE);
+    if (!isAuthenticated(sess, cfg.session_secret)) return c.redirect("/login");
+    const project = c.req.param("project");
+    const body = await c.req.parseBody();
+    const key = String(body.key ?? "").trim();
+    const value = String(body.value ?? "");
+    const description = String(body.description ?? "");
+    try {
+      await vault.setSecret(project, key, value, description);
+      audit.log("web.secret.upsert", "web", { project, key }, "ok");
+    } catch (e) {
+      audit.log("web.secret.upsert", "web", { project, key }, "fail");
+      return c.redirect(`/?project=${enc(project)}&error=${enc(String(e))}`);
+    }
+    return c.redirect(`/?project=${enc(project)}`);
+  });
+  app.post("/projects/:project/secrets/:key/delete", async (c) => {
+    const cfg = config.load();
+    const sess = getCookie(c, COOKIE);
+    if (!isAuthenticated(sess, cfg.session_secret)) return c.redirect("/login");
+    const project = c.req.param("project");
+    const key = c.req.param("key");
+    try {
+      await vault.deleteSecret(project, key);
+      audit.log("web.secret.delete", "web", { project, key }, "ok");
+    } catch (e) {
+      return c.redirect(`/?project=${enc(project)}&error=${enc(String(e))}`);
+    }
+    return c.redirect(`/?project=${enc(project)}`);
+  });
+  return app;
+}
+
+// src/paths.ts
+import { homedir } from "os";
+import { join as join3 } from "path";
+function zocketHome() {
+  return process.env.ZOCKET_HOME ?? join3(homedir(), ".zocket");
+}
+function vaultPath(home = zocketHome()) {
+  return join3(home, "vault.enc");
+}
+function keyPath(home = zocketHome()) {
+  return join3(home, "master.key");
+}
+function configPath(home = zocketHome()) {
+  return join3(home, "config.json");
+}
+function auditPath(home = zocketHome()) {
+  return join3(home, "audit.log");
+}
+function lockPath(home = zocketHome()) {
+  return join3(home, "vault.lock");
+}
+
+// src/keys.ts
+import { readFileSync as readFileSync5, writeFileSync as writeFileSync5, mkdirSync as mkdirSync4, existsSync as existsSync5 } from "fs";
+import { dirname as dirname5 } from "path";
+import { randomBytes as randomBytes6 } from "crypto";
+function loadOrCreateKey(keyFile) {
+  if (existsSync5(keyFile)) {
+    const raw = readFileSync5(keyFile, "utf8").trim();
+    return Buffer.from(raw, "hex");
+  }
+  mkdirSync4(dirname5(keyFile), { recursive: true });
+  const key = randomBytes6(32);
+  writeFileSync5(keyFile, key.toString("hex"), { mode: 384 });
+  return key;
+}
+
+// src/tui.ts
+import readline from "readline/promises";
+import { stdin as input, stdout as output } from "process";
+async function promptMenu(rl, title, options) {
+  output.write(`
+${title}
+`);
+  options.forEach((opt, i) => output.write(`  ${i + 1}) ${opt}
+`));
+  const answer = await rl.question("> ");
+  const idx = Number(answer.trim()) - 1;
+  return Number.isFinite(idx) && idx >= 0 && idx < options.length ? idx : -1;
+}
+async function promptInput(rl, label, fallback = "") {
+  const ans = await rl.question(`${label}${fallback ? ` (${fallback})` : ""}: `);
+  return ans.trim() || fallback;
+}
+async function promptConfirm(rl, label) {
+  const ans = await rl.question(`${label} [y/N]: `);
+  return ans.trim().toLowerCase() === "y";
+}
+async function pickProject(rl, vault) {
+  const rows = await vault.listProjects();
+  if (!rows.length) {
+    output.write("No projects\n");
+    return null;
+  }
+  const idx = await promptMenu(rl, "Select project", rows.map((r) => `${r.name} (${r.secret_count})`));
+  if (idx < 0) return null;
+  return rows[idx].name;
+}
+async function showProjects(vault) {
+  const rows = await vault.listProjects();
+  if (!rows.length) {
+    output.write("No projects\n");
+    return;
+  }
+  rows.forEach((r) => {
+    output.write(`${r.name}	${r.secret_count}	${r.folder_path ?? ""}
+`);
+  });
+}
+async function showSecrets(vault, project, showValues) {
+  const rows = await vault.listSecrets(project);
+  if (!rows.length) {
+    output.write("No secrets\n");
+    return;
+  }
+  for (const r of rows) {
+    if (showValues) {
+      const v = await vault.getSecretValue(project, r.key);
+      output.write(`${r.key}	${v}	${r.description ?? ""}
+`);
+    } else {
+      output.write(`${r.key}	${r.description ?? ""}
+`);
+    }
+  }
+}
+async function runTui(services) {
+  const rl = readline.createInterface({ input, output });
+  const { vault } = services;
+  try {
+    while (true) {
+      const main = await promptMenu(rl, "Zocket TUI", [
+        "Projects",
+        "Secrets",
+        "Exit"
+      ]);
+      if (main === 2) break;
+      if (main === 0) {
+        const idx = await promptMenu(rl, "Projects", [
+          "List",
+          "Create",
+          "Delete",
+          "Set folder path",
+          "Set allowed domains",
+          "Back"
+        ]);
+        if (idx === 5) continue;
+        if (idx === 0) await showProjects(vault);
+        if (idx === 1) {
+          const name = await promptInput(rl, "Project name");
+          const desc = await promptInput(rl, "Description", "");
+          const folder = await promptInput(rl, "Folder path", "");
+          await vault.createProject(name, desc);
+          if (folder) await vault.setFolder(name, folder);
+          output.write("Project created\n");
+        }
+        if (idx === 2) {
+          const name = await pickProject(rl, vault);
+          if (!name) continue;
+          if (await promptConfirm(rl, `Delete ${name}?`)) {
+            await vault.deleteProject(name);
+            output.write("Project deleted\n");
+          }
+        }
+        if (idx === 3) {
+          const name = await pickProject(rl, vault);
+          if (!name) continue;
+          const path = await promptInput(rl, "Folder path (empty to clear)", "");
+          await vault.setFolder(name, path || void 0);
+          output.write("Folder updated\n");
+        }
+        if (idx === 4) {
+          const name = await pickProject(rl, vault);
+          if (!name) continue;
+          const domains = await promptInput(rl, "Allowed domains (comma-separated, empty to clear)", "");
+          const value = domains ? domains.split(",").map((s) => s.trim()).filter(Boolean) : null;
+          await vault.setAllowedDomains(name, value);
+          output.write("Allowed domains updated\n");
+        }
+      }
+      if (main === 1) {
+        const project = await pickProject(rl, vault);
+        if (!project) continue;
+        const idx = await promptMenu(rl, `Secrets for ${project}`, [
+          "List (no values)",
+          "List (with values)",
+          "Add or update",
+          "Get value",
+          "Delete",
+          "Back"
+        ]);
+        if (idx === 5) continue;
+        if (idx === 0) await showSecrets(vault, project, false);
+        if (idx === 1) await showSecrets(vault, project, true);
+        if (idx === 2) {
+          const key = await promptInput(rl, "Key (UPPERCASE)", "");
+          const value = await promptInput(rl, "Value", "");
+          const desc = await promptInput(rl, "Description", "");
+          await vault.setSecret(project, key, value, desc);
+          output.write("Secret saved\n");
+        }
+        if (idx === 3) {
+          const key = await promptInput(rl, "Key", "");
+          const value = await vault.getSecretValue(project, key);
+          output.write(`${value}
+`);
+        }
+        if (idx === 4) {
+          const key = await promptInput(rl, "Key", "");
+          if (await promptConfirm(rl, `Delete ${key}?`)) {
+            await vault.deleteSecret(project, key);
+            output.write("Secret deleted\n");
+          }
+        }
+      }
+    }
+  } finally {
+    rl.close();
+  }
+}
+
+// src/cli.ts
+function createServices() {
+  const home = zocketHome();
+  mkdirSync5(home, { recursive: true });
+  const key = loadOrCreateKey(keyPath());
+  const vault = new VaultService(vaultPath(), lockPath(), key);
+  vault.ensureExists();
+  const config = new ConfigStore(configPath());
+  const audit = new AuditLogger(auditPath());
+  config.ensureExists();
+  return { vault, config, audit };
+}
+async function cmdStart(opts) {
+  const { vault, config, audit } = createServices();
+  const cfg = config.ensureExists();
+  const mode = opts.mode === "admin" ? "admin" : "metadata";
+  const services = { vault, config, audit, mode };
+  const webApp = createWebApp({ vault, config, audit });
+  serve({ fetch: webApp.fetch, hostname: opts.host, port: opts.webPort }, () => {
+    console.log(`[zocket] web    http://${opts.host}:${opts.webPort}`);
+  });
+  const sessions = /* @__PURE__ */ new Map();
+  const mcpHttp = createServer((req, res) => {
+    const url = new URL(req.url ?? "/", `http://${req.headers.host}`);
+    if (req.method === "GET" && url.pathname === "/sse") {
+      const transport = new SSEServerTransport("/messages", res);
+      sessions.set(transport.sessionId, transport);
+      res.on("close", () => sessions.delete(transport.sessionId));
+      const mcpServer = createMcpServer(services, { loading: cfg.mcp_loading });
+      mcpServer.connect(transport).catch((e) => {
+        console.error("[zocket] MCP connect error:", e);
+      });
+      return;
+    }
+    if (req.method === "POST" && url.pathname === "/messages") {
+      const sessionId = url.searchParams.get("sessionId") ?? "";
+      const transport = sessions.get(sessionId);
+      if (!transport) {
+        res.writeHead(404).end("Session not found");
+        return;
+      }
+      transport.handlePostMessage(req, res).catch((e) => {
+        console.error("[zocket] MCP message error:", e);
+      });
+      return;
+    }
+    res.writeHead(404).end("Not found");
+  });
+  mcpHttp.listen(opts.mcpPort, opts.host, () => {
+    console.log(`[zocket] mcp    http://${opts.host}:${opts.mcpPort}/sse  (mode: ${mode}, loading: ${cfg.mcp_loading})`);
+  });
+  const streamableSessions = /* @__PURE__ */ new Map();
+  const streamableHttp = createServer(async (req, res) => {
+    const url = new URL(req.url ?? "/", `http://${req.headers.host}`);
+    if (url.pathname !== "/mcp") {
+      res.writeHead(404).end("Not found");
+      return;
+    }
+    const method = (req.method ?? "GET").toUpperCase();
+    let parsedBody = void 0;
+    if (method === "POST") {
+      let raw = "";
+      for await (const chunk of req) {
+        raw += chunk;
+      }
+      if (raw.trim().length > 0) {
+        try {
+          parsedBody = JSON.parse(raw);
+        } catch {
+          res.writeHead(400, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({
+            jsonrpc: "2.0",
+            error: { code: -32700, message: "Parse error" },
+            id: null
+          }));
+          return;
+        }
+      }
+    }
+    const header = req.headers["mcp-session-id"];
+    const sessionId = Array.isArray(header) ? header[0] : header;
+    let transport;
+    if (sessionId && streamableSessions.has(sessionId)) {
+      transport = streamableSessions.get(sessionId);
+    } else if (!sessionId && method === "POST" && parsedBody && isInitializeRequest(parsedBody)) {
+      transport = new StreamableHTTPServerTransport({
+        sessionIdGenerator: () => randomUUID(),
+        onsessioninitialized: (sid) => {
+          if (transport) streamableSessions.set(sid, transport);
+        }
+      });
+      transport.onclose = () => {
+        const sid = transport?.sessionId;
+        if (sid && streamableSessions.has(sid)) streamableSessions.delete(sid);
+      };
+      const mcpServer = createMcpServer(services, { loading: cfg.mcp_loading });
+      mcpServer.connect(transport).catch((e) => {
+        console.error("[zocket] MCP streamable connect error:", e);
+      });
+    } else {
+      res.writeHead(400, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({
+        jsonrpc: "2.0",
+        error: { code: -32e3, message: "Bad Request: No valid session ID provided" },
+        id: null
+      }));
+      return;
+    }
+    try {
+      await transport.handleRequest(req, res, parsedBody);
+    } catch (e) {
+      console.error("[zocket] MCP streamable request error:", e);
+      if (!res.headersSent) {
+        res.writeHead(500, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({
+          jsonrpc: "2.0",
+          error: { code: -32603, message: "Internal server error" },
+          id: null
+        }));
+      }
+    }
+  });
+  streamableHttp.listen(opts.mcpStreamPort, opts.host, () => {
+    console.log(`[zocket] mcp    http://${opts.host}:${opts.mcpStreamPort}/mcp  (streamable-http)`);
+    console.log(`[zocket] ready  \u2014 vault: ${vaultPath()}`);
+  });
+}
+function buildCli() {
+  const program = new Command("zocket").description("Local encrypted vault + MCP server for AI agent workflows").version("1.0.0");
+  program.command("init").description("Initialize vault and config").action(async () => {
+    createServices();
+    console.log(`[zocket] initialized \u2014 vault: ${vaultPath()}`);
+  });
+  program.command("start").description("Start web panel + MCP SSE + MCP Streamable HTTP servers").option("--host <host>", "Bind host", "127.0.0.1").option("--web-port <port>", "Web panel port", "18001").option("--mcp-port <port>", "MCP SSE port", "18002").option("--mcp-stream-port <port>", "MCP Streamable HTTP port", "18003").option("--mode <mode>", "MCP mode (metadata|admin)", "admin").action(async (opts) => {
+    await cmdStart({
+      host: opts.host,
+      webPort: parseInt(opts.webPort, 10),
+      mcpPort: parseInt(opts.mcpPort, 10),
+      mcpStreamPort: parseInt(opts.mcpStreamPort, 10),
+      mode: opts.mode
+    });
+  });
+  const projects = program.command("projects").description("Manage projects");
+  projects.command("list").action(async () => {
+    const { vault } = createServices();
+    const rows = await vault.listProjects();
+    if (!rows.length) {
+      console.log("No projects");
+      return;
+    }
+    for (const r of rows) {
+      console.log(`${r.name}	${r.secret_count}	${r.folder_path ?? ""}`);
+    }
+  });
+  projects.command("create <name>").option("--description <text>", "Description", "").option("--folder <path>", "Folder path", "").action(async (name, opts) => {
+    const { vault } = createServices();
+    await vault.createProject(name, opts.description ?? "");
+    if (opts.folder) await vault.setFolder(name, opts.folder);
+    console.log("Project created:", name);
+  });
+  projects.command("delete <name>").action(async (name) => {
+    const { vault } = createServices();
+    await vault.deleteProject(name);
+    console.log("Project deleted:", name);
+  });
+  projects.command("set-folder <name> [path]").description('Set or clear folder path (use "-" to clear)').action(async (name, path) => {
+    const { vault } = createServices();
+    const value = path && path !== "-" ? path : void 0;
+    await vault.setFolder(name, value);
+    console.log("Folder updated:", name);
+  });
+  projects.command("set-domains <name> [domains]").description('Set or clear allowed domains (comma-separated, use "-" to clear)').action(async (name, domains) => {
+    const { vault } = createServices();
+    const value = domains && domains !== "-" ? domains.split(",").map((s) => s.trim()).filter(Boolean) : null;
+    await vault.setAllowedDomains(name, value);
+    console.log("Domains updated:", name);
+  });
+  const secrets = program.command("secrets").description("Manage secrets");
+  secrets.command("list <project>").option("--show-values", "Include secret values", false).action(async (project, opts) => {
+    const { vault } = createServices();
+    const rows = await vault.listSecrets(project);
+    if (!rows.length) {
+      console.log("No secrets");
+      return;
+    }
+    for (const r of rows) {
+      if (opts.showValues) {
+        const v = await vault.getSecretValue(project, r.key);
+        console.log(`${r.key}	${v}	${r.description ?? ""}`);
+      } else {
+        console.log(`${r.key}	${r.description ?? ""}`);
+      }
+    }
+  });
+  secrets.command("get <project> <key>").action(async (project, key) => {
+    const { vault } = createServices();
+    const v = await vault.getSecretValue(project, key);
+    console.log(v);
+  });
+  secrets.command("set <project> <key> <value>").option("--description <text>", "Description", "").action(async (project, key, value, opts) => {
+    const { vault } = createServices();
+    await vault.setSecret(project, key, value, opts.description ?? "");
+    console.log("Secret saved:", key);
+  });
+  secrets.command("delete <project> <key>").action(async (project, key) => {
+    const { vault } = createServices();
+    await vault.deleteSecret(project, key);
+    console.log("Secret deleted:", key);
+  });
+  program.command("tui").description("Interactive terminal UI for full management").action(async () => {
+    const { vault, config, audit } = createServices();
+    await runTui({ vault, config, audit });
+  });
+  return program;
+}
+
+// src/index.ts
+buildCli().parseAsync(process.argv).catch((e) => {
+  console.error(e);
+  process.exit(1);
+});