@ao_zorin/zocket 1.1.0 → 1.3.0

package/dist/zocket.js

@@ -3,11 +3,12 @@
 // src/cli.ts
 import { Command } from "commander";
 import { createServer } from "http";
-import { readFileSync as readFileSync5, writeFileSync as writeFileSync5, mkdirSync as mkdirSync4, existsSync as existsSync5 } from "fs";
-import { dirname as dirname5 } from "path";
-import { randomBytes as randomBytes6 } from "crypto";
+import { mkdirSync as mkdirSync5 } from "fs";
+import { randomUUID } from "crypto";
 import { serve } from "@hono/node-server";
 import { SSEServerTransport } from "@modelcontextprotocol/sdk/server/sse.js";
+import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
+import { isInitializeRequest } from "@modelcontextprotocol/sdk/types.js";
 
 // src/vault.ts
 import { readFileSync, writeFileSync, mkdirSync, existsSync } from "fs";
@@ -15,11 +16,26 @@ import { dirname } from "path";
 import { lock } from "proper-lockfile";
 
 // src/crypto.ts
-import { randomBytes, createCipheriv, createDecipheriv } from "crypto";
+import { randomBytes, createCipheriv, createDecipheriv, createHmac, timingSafeEqual } from "crypto";
 var VERSION = 1;
 var ALGORITHM = "aes-256-gcm";
 var IV_BYTES = 12;
 var TAG_BYTES = 16;
+var FERNET_VERSION = 128;
+function base64UrlToBuffer(raw) {
+  const normalized = raw.replace(/-/g, "+").replace(/_/g, "/");
+  const pad = normalized.length % 4 === 0 ? "" : "=".repeat(4 - normalized.length % 4);
+  return Buffer.from(normalized + pad, "base64");
+}
+function pkcs7Unpad(buf) {
+  if (!buf.length) throw new Error("Invalid PKCS7 padding");
+  const pad = buf[buf.length - 1];
+  if (pad < 1 || pad > 16) throw new Error("Invalid PKCS7 padding");
+  for (let i = buf.length - pad; i < buf.length; i += 1) {
+    if (buf[i] !== pad) throw new Error("Invalid PKCS7 padding");
+  }
+  return buf.subarray(0, buf.length - pad);
+}
 function encrypt(plaintext, key) {
   const iv = randomBytes(IV_BYTES);
   const cipher = createCipheriv(ALGORITHM, key, iv);
@@ -39,25 +55,86 @@ function decrypt(data, key) {
   decipher.setAuthTag(tag);
   return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
 }
+function decryptLegacyFernet(tokenData, keyBase64) {
+  const token = tokenData.toString("utf8").trim();
+  const raw = base64UrlToBuffer(token);
+  if (raw.length < 1 + 8 + 16 + 32) throw new Error("Invalid legacy token length");
+  if (raw[0] !== FERNET_VERSION) throw new Error("Invalid legacy token version");
+  const key = base64UrlToBuffer(keyBase64);
+  if (key.length !== 32) throw new Error("Invalid legacy key length");
+  const signingKey = key.subarray(0, 16);
+  const encryptionKey = key.subarray(16, 32);
+  const hmacStart = raw.length - 32;
+  const msg = raw.subarray(0, hmacStart);
+  const sig = raw.subarray(hmacStart);
+  const mac = createHmac("sha256", signingKey).update(msg).digest();
+  if (mac.length !== sig.length || !timingSafeEqual(mac, sig)) {
+    throw new Error("Legacy token HMAC verification failed");
+  }
+  const iv = raw.subarray(1 + 8, 1 + 8 + 16);
+  const ciphertext = raw.subarray(1 + 8 + 16, hmacStart);
+  const decipher = createDecipheriv("aes-128-cbc", encryptionKey, iv);
+  decipher.setAutoPadding(false);
+  const padded = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+  return pkcs7Unpad(padded);
+}
 
 // src/vault.ts
 var PROJECT_RE = /^[a-zA-Z0-9._-]+$/;
 var SECRET_RE = /^[A-Z_][A-Z0-9_]*$/;
 var VaultService = class {
-  constructor(vaultPath2, lockFile, key) {
+  constructor(vaultPath2, lockFile, key, legacyKeyBase64, keyFilePath) {
     this.vaultPath = vaultPath2;
     this.lockFile = lockFile;
     this.key = key;
+    this.legacyKeyBase64 = legacyKeyBase64;
+    this.keyFilePath = keyFilePath;
   }
   load() {
     if (!existsSync(this.vaultPath)) return { version: 1, projects: {} };
     const raw = readFileSync(this.vaultPath);
-    return JSON.parse(decrypt(raw, this.key).toString("utf8"));
+    try {
+      return JSON.parse(decrypt(raw, this.key).toString("utf8"));
+    } catch (err2) {
+      const message = String(err2);
+      if (this.legacyKeyBase64 && message.includes("Unsupported vault version")) {
+        return this.migrateLegacy(raw);
+      }
+      throw err2;
+    }
   }
   save(data) {
     mkdirSync(dirname(this.vaultPath), { recursive: true });
     writeFileSync(this.vaultPath, encrypt(Buffer.from(JSON.stringify(data)), this.key));
   }
+  ensureExists() {
+    if (!existsSync(this.vaultPath)) {
+      this.save({ version: 1, projects: {} });
+    }
+  }
+  migrateLegacy(raw) {
+    const plaintext = decryptLegacyFernet(raw, this.legacyKeyBase64);
+    let parsed;
+    try {
+      parsed = JSON.parse(plaintext.toString("utf8"));
+    } catch {
+      throw new Error("Legacy vault JSON parse failed");
+    }
+    const data = {
+      version: typeof parsed.version === "number" ? parsed.version : 1,
+      projects: parsed.projects && typeof parsed.projects === "object" ? parsed.projects : {}
+    };
+    if (!data.version || data.version !== 1) data.version = 1;
+    if (!data.projects) data.projects = {};
+    this.save(data);
+    if (this.keyFilePath) {
+      try {
+        writeFileSync(this.keyFilePath, this.key.toString("hex"), { mode: 384 });
+      } catch {
+      }
+    }
+    return data;
+  }
   async withLock(fn) {
     mkdirSync(dirname(this.lockFile), { recursive: true });
     if (!existsSync(this.lockFile)) writeFileSync(this.lockFile, "");
@@ -302,12 +379,12 @@ function runCommand(command, env, policy, maxChars = 500) {
   r.exit_code = proc.status ?? 1;
   return r;
 }
-function runScript(lang, code, env, maxChars = 500) {
-  const ext = lang === "node" ? ".mjs" : ".py";
+function runScript(_lang, code, env, maxChars = 500) {
+  const ext = ".mjs";
   const tmpFile = join(tmpdir(), `zkt-${randomBytes3(8).toString("hex")}${ext}`);
   try {
     writeFileSync3(tmpFile, code, "utf8");
-    const bin = lang === "node" ? "node" : "python3";
+    const bin = "node";
     const proc = spawnSync(bin, [tmpFile], {
       env: { ...process.env, ...env },
       encoding: "utf8",
@@ -483,8 +560,8 @@ function envRefsIn(text) {
   const matches = [...text.matchAll(/\$\{?([A-Z_][A-Z0-9_]*)\}?/g)].map((m) => m[1]);
   return [...new Set(matches)];
 }
-function buildCtx(text, lang) {
-  return { text, envRefs: envRefsIn(text), hasNetwork: NETWORK_RE.test(text), lang };
+function buildCtx(text) {
+  return { text, envRefs: envRefsIn(text), hasNetwork: NETWORK_RE.test(text) };
 }
 var RULES = [
   // ── Critical ────────────────────────────────────────────────────────────
@@ -577,13 +654,6 @@ var RULES = [
     weight: W.MEDIUM,
     test: (c) => /\b(printenv|env)\b[^|]*>/.test(c.text)
   },
-  {
-    id: "PYTHON_SUBPROCESS_EXFIL",
-    description: "Python subprocess call invoking network tool (curl/wget/nc)",
-    severity: "medium",
-    weight: W.MEDIUM,
-    test: (c) => c.lang === "python" && /subprocess\.(run|Popen|call|check_output)\([^)]*\b(curl|wget|nc\b|netcat)\b/.test(c.text)
-  },
   // ── Low ──────────────────────────────────────────────────────────────────
   {
     id: "SINGLE_ENV_NETWORK",
@@ -648,9 +718,9 @@ var SecurityAnalyzer = class {
     const text = isBashC ? command[2] : command.join(" ");
     return this.analyze(buildCtx(text));
   }
-  analyzeScript(lang, code) {
+  analyzeScript(_lang, code) {
     if (this.cfg.mode === "off") return allow();
-    const ctx = buildCtx(code, lang);
+    const ctx = buildCtx(code);
     return this.analyze(ctx);
   }
   analyze(ctx) {
@@ -870,18 +940,18 @@ function buildCatalog(services) {
     },
     {
       name: "run_script",
-      summary: "Run an inline node/python script with project secrets injected as env vars. Prefer over multiple run_with_project_env calls.",
+      summary: "Run an inline node script with project secrets injected as env vars. Prefer over multiple run_with_project_env calls.",
       register: (server) => {
         server.tool(
           "run_script",
           [
-            "Run an inline script with project secrets available as environment variables.",
+            "Run an inline node script with project secrets available as environment variables.",
             "Use this instead of multiple run_with_project_env calls \u2014 write the full logic in one script.",
             "Filesystem is NOT shared between calls. Secret values never appear in this conversation."
           ].join(" "),
           {
             project: z.string().describe("Project name"),
-            lang: z.enum(["node", "python"]).describe("Script language"),
+            lang: z.enum(["node"]).describe("Script language"),
             code: z.string().min(1).describe("Full script source code"),
             max_chars: z.number().int().min(1).max(32e3).optional().describe("Max output chars (default ~500)"),
             confirm: z.boolean().optional().describe("Set to true to confirm execution of a medium-risk script after reviewing the warning")
@@ -1118,12 +1188,12 @@ function createMcpServer(services, options = {}) {
 // src/web.ts
 import { Hono } from "hono";
 import { getCookie, setCookie, deleteCookie } from "hono/cookie";
-import { createHmac, randomBytes as randomBytes5 } from "crypto";
+import { createHmac as createHmac2, randomBytes as randomBytes5 } from "crypto";
 import { readdirSync, statSync, existsSync as existsSync4 } from "fs";
 import { join as join2, resolve as resolvePath, dirname as dirname4 } from "path";
 
 // src/auth.ts
-import { randomBytes as randomBytes4, pbkdf2Sync, timingSafeEqual } from "crypto";
+import { randomBytes as randomBytes4, pbkdf2Sync, timingSafeEqual as timingSafeEqual2 } from "crypto";
 var ITERATIONS = 6e5;
 var KEY_LEN = 32;
 var DIGEST = "sha256";
@@ -1136,7 +1206,7 @@ function verifyPassword(password, hash, salt) {
   const derived = pbkdf2Sync(password, salt, ITERATIONS, KEY_LEN, DIGEST);
   const expected = Buffer.from(hash, "hex");
   if (derived.length !== expected.length) return false;
-  return timingSafeEqual(derived, expected);
+  return timingSafeEqual2(derived, expected);
 }
 
 // src/i18n.ts
@@ -1338,7 +1408,7 @@ function normalizeLang(lang) {
 var COOKIE = "zs";
 function signSession(data, secret) {
   const payload = Buffer.from(JSON.stringify(data)).toString("base64url");
-  const sig = createHmac("sha256", secret).update(payload).digest("hex").slice(0, 20);
+  const sig = createHmac2("sha256", secret).update(payload).digest("hex").slice(0, 20);
   return `${payload}.${sig}`;
 }
 function parseSession(value, secret) {
@@ -1346,7 +1416,7 @@ function parseSession(value, secret) {
   if (dot === -1) return null;
   const payload = value.slice(0, dot);
   const sig = value.slice(dot + 1);
-  const expected = createHmac("sha256", secret).update(payload).digest("hex").slice(0, 20);
+  const expected = createHmac2("sha256", secret).update(payload).digest("hex").slice(0, 20);
   if (sig !== expected) return null;
   try {
     return JSON.parse(Buffer.from(payload, "base64url").toString());
@@ -1922,31 +1992,383 @@ function lockPath(home = zocketHome()) {
   return join3(home, "vault.lock");
 }
 
-// src/cli.ts
+// src/keys.ts
+import { readFileSync as readFileSync5, writeFileSync as writeFileSync5, mkdirSync as mkdirSync4, existsSync as existsSync5 } from "fs";
+import { dirname as dirname5 } from "path";
+import { randomBytes as randomBytes6 } from "crypto";
+function isHexKey(raw) {
+  return /^[0-9a-fA-F]{64}$/.test(raw);
+}
+function isBase64UrlKey(raw) {
+  return /^[A-Za-z0-9_-]{43,44}=?$/.test(raw);
+}
+function base64UrlToBuffer2(raw) {
+  const normalized = raw.replace(/-/g, "+").replace(/_/g, "/");
+  const pad = normalized.length % 4 === 0 ? "" : "=".repeat(4 - normalized.length % 4);
+  return Buffer.from(normalized + pad, "base64");
+}
 function loadOrCreateKey(keyFile) {
   if (existsSync5(keyFile)) {
     const raw = readFileSync5(keyFile, "utf8").trim();
-    return Buffer.from(raw, "hex");
+    if (isHexKey(raw)) {
+      return { key: Buffer.from(raw, "hex"), source: "hex" };
+    }
+    if (isBase64UrlKey(raw)) {
+      const key2 = base64UrlToBuffer2(raw);
+      if (key2.length !== 32) {
+        throw new Error("Legacy base64 key is invalid length");
+      }
+      return { key: key2, source: "base64", legacyBase64: raw };
+    }
+    throw new Error("Unsupported key format: expected 64-char hex or base64url");
   }
   mkdirSync4(dirname5(keyFile), { recursive: true });
   const key = randomBytes6(32);
   writeFileSync5(keyFile, key.toString("hex"), { mode: 384 });
-  return key;
+  return { key, source: "generated" };
 }
-async function cmdStart(opts) {
+
+// src/tui.ts
+import blessed from "blessed";
+function safeText(value) {
+  if (!value) return "";
+  return String(value);
+}
+function buildProjectLabel(row) {
+  const count = row.secret_count ?? 0;
+  return `${row.name} (${count})`;
+}
+async function runTui(services) {
+  const { vault } = services;
+  const screen = blessed.screen({
+    smartCSR: true,
+    title: "zocket"
+  });
+  const header = blessed.box({
+    parent: screen,
+    top: 0,
+    height: 1,
+    width: "100%",
+    style: { fg: "white", bg: "blue" },
+    content: " zocket \u2022 TUI  |  q:quit  tab:switch  r:refresh  v:values  n:new project  d:delete  s:set secret  e:edit  x:delete"
+  });
+  const footer = blessed.box({
+    parent: screen,
+    bottom: 0,
+    height: 1,
+    width: "100%",
+    style: { fg: "black", bg: "white" },
+    content: " Ready"
+  });
+  const projectList = blessed.list({
+    parent: screen,
+    label: " Projects ",
+    top: 1,
+    left: 0,
+    bottom: 1,
+    width: "30%",
+    border: "line",
+    keys: true,
+    mouse: true,
+    style: {
+      selected: { bg: "blue", fg: "white" },
+      border: { fg: "cyan" }
+    },
+    scrollbar: {
+      ch: " ",
+      inverse: true
+    }
+  });
+  const secretTable = blessed.listtable({
+    parent: screen,
+    label: " Secrets ",
+    top: 1,
+    left: "30%",
+    bottom: 1,
+    width: "70%",
+    border: "line",
+    keys: true,
+    mouse: true,
+    align: "left",
+    noCellBorders: true,
+    style: {
+      header: { fg: "yellow", bold: true },
+      cell: { fg: "white" },
+      selected: { bg: "blue", fg: "white" },
+      border: { fg: "cyan" }
+    }
+  });
+  const prompt = blessed.prompt({
+    parent: screen,
+    border: "line",
+    height: 9,
+    width: "60%",
+    top: "center",
+    left: "center",
+    label: " Input ",
+    keys: true,
+    vi: true
+  });
+  const confirm = blessed.question({
+    parent: screen,
+    border: "line",
+    height: 7,
+    width: "60%",
+    top: "center",
+    left: "center",
+    label: " Confirm ",
+    keys: true,
+    vi: true
+  });
+  let projects = [];
+  let secrets = [];
+  let currentProject = null;
+  let showValues = false;
+  function setStatus(message) {
+    footer.setContent(` ${message}`);
+    screen.render();
+  }
+  function setFocusPane(pane) {
+    if (pane === "projects") {
+      projectList.style.border.fg = "green";
+      secretTable.style.border.fg = "cyan";
+      projectList.setLabel(" Projects ");
+      secretTable.setLabel(" Secrets ");
+      projectList.focus();
+    } else {
+      projectList.style.border.fg = "cyan";
+      secretTable.style.border.fg = "green";
+      projectList.setLabel(" Projects ");
+      secretTable.setLabel(" Secrets ");
+      secretTable.focus();
+    }
+    screen.render();
+  }
+  async function askInput(label, initial = "") {
+    return await new Promise((resolve) => {
+      prompt.input(label, initial, (err2, value) => {
+        if (err2) return resolve(null);
+        resolve(value ?? "");
+      });
+    });
+  }
+  async function askConfirm(label) {
+    return await new Promise((resolve) => {
+      confirm.ask(label, (err2, answer) => {
+        if (err2) return resolve(false);
+        resolve(Boolean(answer));
+      });
+    });
+  }
+  async function refreshProjects(selectName) {
+    projects = await vault.listProjects();
+    if (!projects.length) {
+      projectList.setItems(["(no projects)"]);
+      projectList.select(0);
+      currentProject = null;
+      return;
+    }
+    const labels = projects.map(buildProjectLabel);
+    projectList.setItems(labels);
+    let idx = 0;
+    if (selectName) {
+      const found = projects.findIndex((p) => p.name === selectName);
+      if (found >= 0) idx = found;
+    } else if (currentProject) {
+      const found = projects.findIndex((p) => p.name === currentProject?.name);
+      if (found >= 0) idx = found;
+    }
+    projectList.select(idx);
+    currentProject = projects[idx];
+  }
+  async function refreshSecrets() {
+    if (!currentProject) {
+      secretTable.setData([["Key", "Value", "Description", "Updated"]]);
+      return;
+    }
+    secrets = await vault.listSecrets(currentProject.name);
+    let rows;
+    if (!secrets.length) {
+      rows = [[showValues ? "Key" : "Key", showValues ? "Value" : "Description", "Updated"]];
+    } else {
+      if (showValues) {
+        const values = await Promise.all(secrets.map((s) => vault.getSecretValue(currentProject.name, s.key)));
+        rows = [
+          ["Key", "Value", "Description", "Updated"],
+          ...secrets.map((s, i) => [
+            s.key,
+            safeText(values[i]),
+            safeText(s.description),
+            safeText(s.updated_at)
+          ])
+        ];
+      } else {
+        rows = [
+          ["Key", "Description", "Updated"],
+          ...secrets.map((s) => [s.key, safeText(s.description), safeText(s.updated_at)])
+        ];
+      }
+    }
+    secretTable.setData(rows);
+  }
+  async function refreshAll() {
+    await refreshProjects();
+    await refreshSecrets();
+    screen.render();
+  }
+  async function createProject() {
+    const name = await askInput("Project name");
+    if (!name) return;
+    const desc = await askInput("Description (optional)", "");
+    const folder = await askInput("Folder path (optional)", "");
+    await vault.createProject(name, desc ?? "");
+    if (folder) await vault.setFolder(name, folder);
+    setStatus(`Project created: ${name}`);
+    await refreshProjects(name);
+    await refreshSecrets();
+  }
+  async function deleteProject() {
+    if (!currentProject) return;
+    const ok2 = await askConfirm(`Delete project ${currentProject.name}?`);
+    if (!ok2) return;
+    await vault.deleteProject(currentProject.name);
+    setStatus(`Project deleted: ${currentProject.name}`);
+    await refreshProjects();
+    await refreshSecrets();
+  }
+  async function setProjectFolder() {
+    if (!currentProject) return;
+    const path = await askInput("Folder path (empty to clear)", currentProject.folder_path ?? "");
+    if (path === null) return;
+    await vault.setFolder(currentProject.name, path.trim() || void 0);
+    setStatus("Folder updated");
+    await refreshProjects(currentProject.name);
+  }
+  async function setAllowedDomains() {
+    if (!currentProject) return;
+    const initial = (await vault.getAllowedDomains(currentProject.name))?.join(", ") ?? "";
+    const domains = await askInput("Allowed domains (comma-separated)", initial);
+    if (domains === null) return;
+    const value = domains.split(",").map((s) => s.trim()).filter(Boolean);
+    await vault.setAllowedDomains(currentProject.name, value.length ? value : null);
+    setStatus("Allowed domains updated");
+  }
+  function selectedSecretKey() {
+    if (!secrets.length) return null;
+    const idx = secretTable.selected - 1;
+    if (idx < 0 || idx >= secrets.length) return null;
+    return secrets[idx].key;
+  }
+  async function upsertSecret(edit = false) {
+    if (!currentProject) return;
+    let key = "";
+    let value = "";
+    let desc = "";
+    if (edit) {
+      const selectedKey = selectedSecretKey();
+      if (!selectedKey) return;
+      key = selectedKey;
+      desc = secrets.find((s) => s.key === selectedKey)?.description ?? "";
+      value = showValues ? await vault.getSecretValue(currentProject.name, selectedKey) : "";
+    }
+    const keyInput = await askInput("Key (UPPERCASE)", key);
+    if (!keyInput) return;
+    const valueInput = await askInput("Value", value);
+    if (valueInput === null) return;
+    const descInput = await askInput("Description (optional)", desc);
+    await vault.setSecret(currentProject.name, keyInput, valueInput, descInput ?? "");
+    setStatus("Secret saved");
+    await refreshSecrets();
+  }
+  async function deleteSecret() {
+    if (!currentProject) return;
+    const key = selectedSecretKey();
+    if (!key) return;
+    const ok2 = await askConfirm(`Delete secret ${key}?`);
+    if (!ok2) return;
+    await vault.deleteSecret(currentProject.name, key);
+    setStatus(`Secret deleted: ${key}`);
+    await refreshSecrets();
+  }
+  projectList.on("select", async (_, idx) => {
+    currentProject = projects[idx] ?? null;
+    await refreshSecrets();
+    screen.render();
+  });
+  screen.key(["q", "C-c"], () => process.exit(0));
+  screen.key(["tab"], () => {
+    if (screen.focused === projectList) setFocusPane("secrets");
+    else setFocusPane("projects");
+  });
+  screen.key(["r"], async () => {
+    setStatus("Refreshing...");
+    await refreshAll();
+    setStatus("Ready");
+  });
+  screen.key(["v"], async () => {
+    showValues = !showValues;
+    setStatus(showValues ? "Values: visible" : "Values: hidden");
+    await refreshSecrets();
+    screen.render();
+  });
+  screen.key(["n"], async () => {
+    await createProject();
+    screen.render();
+  });
+  screen.key(["d"], async () => {
+    await deleteProject();
+    screen.render();
+  });
+  screen.key(["f"], async () => {
+    await setProjectFolder();
+    screen.render();
+  });
+  screen.key(["a"], async () => {
+    await setAllowedDomains();
+    screen.render();
+  });
+  screen.key(["s"], async () => {
+    await upsertSecret(false);
+    screen.render();
+  });
+  screen.key(["e"], async () => {
+    await upsertSecret(true);
+    screen.render();
+  });
+  screen.key(["x"], async () => {
+    await deleteSecret();
+    screen.render();
+  });
+  await refreshAll();
+  setFocusPane("projects");
+  screen.render();
+}
+
+// src/cli.ts
+function createServices() {
   const home = zocketHome();
-  mkdirSync4(home, { recursive: true });
-  const key = loadOrCreateKey(keyPath());
-  const vault = new VaultService(vaultPath(), lockPath(), key);
+  mkdirSync5(home, { recursive: true });
+  const keyMaterial = loadOrCreateKey(keyPath());
+  const vault = new VaultService(vaultPath(), lockPath(), keyMaterial.key, keyMaterial.legacyBase64, keyPath());
+  vault.ensureExists();
   const config = new ConfigStore(configPath());
   const audit = new AuditLogger(auditPath());
+  config.ensureExists();
+  return { vault, config, audit };
+}
+async function cmdStart(opts) {
+  const { vault, config, audit } = createServices();
   const cfg = config.ensureExists();
   const mode = opts.mode === "admin" ? "admin" : "metadata";
   const services = { vault, config, audit, mode };
-  const webApp = createWebApp({ vault, config, audit });
-  serve({ fetch: webApp.fetch, hostname: opts.host, port: opts.webPort }, () => {
-    console.log(`[zocket] web    http://${opts.host}:${opts.webPort}`);
-  });
+  if (opts.webEnabled) {
+    const webApp = createWebApp({ vault, config, audit });
+    serve({ fetch: webApp.fetch, hostname: opts.host, port: opts.webPort }, () => {
+      console.log(`[zocket] web    http://${opts.host}:${opts.webPort}`);
+    });
+  } else {
+    console.log("[zocket] web    disabled");
+  }
   const sessions = /* @__PURE__ */ new Map();
   const mcpHttp = createServer((req, res) => {
     const url = new URL(req.url ?? "/", `http://${req.headers.host}`);
@@ -1976,19 +2398,180 @@ async function cmdStart(opts) {
   });
   mcpHttp.listen(opts.mcpPort, opts.host, () => {
     console.log(`[zocket] mcp    http://${opts.host}:${opts.mcpPort}/sse  (mode: ${mode}, loading: ${cfg.mcp_loading})`);
+  });
+  const streamableSessions = /* @__PURE__ */ new Map();
+  const streamableHttp = createServer(async (req, res) => {
+    const url = new URL(req.url ?? "/", `http://${req.headers.host}`);
+    if (url.pathname !== "/mcp") {
+      res.writeHead(404).end("Not found");
+      return;
+    }
+    const method = (req.method ?? "GET").toUpperCase();
+    let parsedBody = void 0;
+    if (method === "POST") {
+      let raw = "";
+      for await (const chunk of req) {
+        raw += chunk;
+      }
+      if (raw.trim().length > 0) {
+        try {
+          parsedBody = JSON.parse(raw);
+        } catch {
+          res.writeHead(400, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({
+            jsonrpc: "2.0",
+            error: { code: -32700, message: "Parse error" },
+            id: null
+          }));
+          return;
+        }
+      }
+    }
+    const header = req.headers["mcp-session-id"];
+    const sessionId = Array.isArray(header) ? header[0] : header;
+    let transport;
+    if (sessionId && streamableSessions.has(sessionId)) {
+      transport = streamableSessions.get(sessionId);
+    } else if (!sessionId && method === "POST" && parsedBody && isInitializeRequest(parsedBody)) {
+      transport = new StreamableHTTPServerTransport({
+        sessionIdGenerator: () => randomUUID(),
+        onsessioninitialized: (sid) => {
+          if (transport) streamableSessions.set(sid, transport);
+        }
+      });
+      transport.onclose = () => {
+        const sid = transport?.sessionId;
+        if (sid && streamableSessions.has(sid)) streamableSessions.delete(sid);
+      };
+      const mcpServer = createMcpServer(services, { loading: cfg.mcp_loading });
+      mcpServer.connect(transport).catch((e) => {
+        console.error("[zocket] MCP streamable connect error:", e);
+      });
+    } else {
+      res.writeHead(400, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({
+        jsonrpc: "2.0",
+        error: { code: -32e3, message: "Bad Request: No valid session ID provided" },
+        id: null
+      }));
+      return;
+    }
+    try {
+      await transport.handleRequest(req, res, parsedBody);
+    } catch (e) {
+      console.error("[zocket] MCP streamable request error:", e);
+      if (!res.headersSent) {
+        res.writeHead(500, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({
+          jsonrpc: "2.0",
+          error: { code: -32603, message: "Internal server error" },
+          id: null
+        }));
+      }
+    }
+  });
+  streamableHttp.listen(opts.mcpStreamPort, opts.host, () => {
+    console.log(`[zocket] mcp    http://${opts.host}:${opts.mcpStreamPort}/mcp  (streamable-http)`);
     console.log(`[zocket] ready  \u2014 vault: ${vaultPath()}`);
   });
 }
 function buildCli() {
   const program = new Command("zocket").description("Local encrypted vault + MCP server for AI agent workflows").version("1.0.0");
-  program.command("start").description("Start web panel and MCP SSE server").option("--host <host>", "Bind host", "127.0.0.1").option("--web-port <port>", "Web panel port", "18001").option("--mcp-port <port>", "MCP SSE port", "18002").option("--mode <mode>", "MCP mode (metadata|admin)", "admin").action(async (opts) => {
+  program.command("init").description("Initialize vault and config").action(async () => {
+    createServices();
+    console.log(`[zocket] initialized \u2014 vault: ${vaultPath()}`);
+  });
+  program.command("start").description("Start web panel + MCP SSE + MCP Streamable HTTP servers (use --no-web for MCP-only)").option("--host <host>", "Bind host", "127.0.0.1").option("--web-port <port>", "Web panel port", "18001").option("--mcp-port <port>", "MCP SSE port", "18002").option("--mcp-stream-port <port>", "MCP Streamable HTTP port", "18003").option("--mode <mode>", "MCP mode (metadata|admin)", "admin").option("--no-web", "Disable web panel").action(async (opts) => {
     await cmdStart({
       host: opts.host,
       webPort: parseInt(opts.webPort, 10),
       mcpPort: parseInt(opts.mcpPort, 10),
-      mode: opts.mode
+      mcpStreamPort: parseInt(opts.mcpStreamPort, 10),
+      mode: opts.mode,
+      webEnabled: opts.web
+    });
+  });
+  program.command("server").description("Start MCP servers without web panel").option("--host <host>", "Bind host", "127.0.0.1").option("--mcp-port <port>", "MCP SSE port", "18002").option("--mcp-stream-port <port>", "MCP Streamable HTTP port", "18003").option("--mode <mode>", "MCP mode (metadata|admin)", "admin").action(async (opts) => {
+    await cmdStart({
+      host: opts.host,
+      webPort: 18001,
+      mcpPort: parseInt(opts.mcpPort, 10),
+      mcpStreamPort: parseInt(opts.mcpStreamPort, 10),
+      mode: opts.mode,
+      webEnabled: false
     });
   });
+  const projects = program.command("projects").description("Manage projects");
+  projects.command("list").action(async () => {
+    const { vault } = createServices();
+    const rows = await vault.listProjects();
+    if (!rows.length) {
+      console.log("No projects");
+      return;
+    }
+    for (const r of rows) {
+      console.log(`${r.name}	${r.secret_count}	${r.folder_path ?? ""}`);
+    }
+  });
+  projects.command("create <name>").option("--description <text>", "Description", "").option("--folder <path>", "Folder path", "").action(async (name, opts) => {
+    const { vault } = createServices();
+    await vault.createProject(name, opts.description ?? "");
+    if (opts.folder) await vault.setFolder(name, opts.folder);
+    console.log("Project created:", name);
+  });
+  projects.command("delete <name>").action(async (name) => {
+    const { vault } = createServices();
+    await vault.deleteProject(name);
+    console.log("Project deleted:", name);
+  });
+  projects.command("set-folder <name> [path]").description('Set or clear folder path (use "-" to clear)').action(async (name, path) => {
+    const { vault } = createServices();
+    const value = path && path !== "-" ? path : void 0;
+    await vault.setFolder(name, value);
+    console.log("Folder updated:", name);
+  });
+  projects.command("set-domains <name> [domains]").description('Set or clear allowed domains (comma-separated, use "-" to clear)').action(async (name, domains) => {
+    const { vault } = createServices();
+    const value = domains && domains !== "-" ? domains.split(",").map((s) => s.trim()).filter(Boolean) : null;
+    await vault.setAllowedDomains(name, value);
+    console.log("Domains updated:", name);
+  });
+  const secrets = program.command("secrets").description("Manage secrets");
+  secrets.command("list <project>").option("--show-values", "Include secret values", false).action(async (project, opts) => {
+    const { vault } = createServices();
+    const rows = await vault.listSecrets(project);
+    if (!rows.length) {
+      console.log("No secrets");
+      return;
+    }
+    for (const r of rows) {
+      if (opts.showValues) {
+        const v = await vault.getSecretValue(project, r.key);
+        console.log(`${r.key}	${v}	${r.description ?? ""}`);
+      } else {
+        console.log(`${r.key}	${r.description ?? ""}`);
+      }
+    }
+  });
+  secrets.command("get <project> <key>").action(async (project, key) => {
+    const { vault } = createServices();
+    const v = await vault.getSecretValue(project, key);
+    console.log(v);
+  });
+  secrets.command("set <project> <key> <value>").option("--description <text>", "Description", "").action(async (project, key, value, opts) => {
+    const { vault } = createServices();
+    await vault.setSecret(project, key, value, opts.description ?? "");
+    console.log("Secret saved:", key);
+  });
+  secrets.command("delete <project> <key>").action(async (project, key) => {
+    const { vault } = createServices();
+    await vault.deleteSecret(project, key);
+    console.log("Secret deleted:", key);
+  });
+  program.command("tui").description("Interactive terminal UI for full management").action(async () => {
+    const { vault, config, audit } = createServices();
+    await runTui({ vault, config, audit });
+  });
   return program;
 }