@ao_zorin/zocket 1.2.0 → 1.3.0

package/README.md

@@ -41,6 +41,11 @@ zocket start --host 127.0.0.1 --web-port 18001 --mcp-port 18002 --mcp-stream-por
 
 Open `http://127.0.0.1:18001`.
 
+MCP-only (no web panel):
+```bash
+zocket server --host 127.0.0.1 --mcp-port 18002 --mcp-stream-port 18003 --mode admin
+```
+
 ## CLI / TUI
 
 Full CLI management:

package/dist/zocket.js

@@ -16,11 +16,26 @@ import { dirname } from "path";
 import { lock } from "proper-lockfile";
 
 // src/crypto.ts
-import { randomBytes, createCipheriv, createDecipheriv } from "crypto";
+import { randomBytes, createCipheriv, createDecipheriv, createHmac, timingSafeEqual } from "crypto";
 var VERSION = 1;
 var ALGORITHM = "aes-256-gcm";
 var IV_BYTES = 12;
 var TAG_BYTES = 16;
+var FERNET_VERSION = 128;
+function base64UrlToBuffer(raw) {
+  const normalized = raw.replace(/-/g, "+").replace(/_/g, "/");
+  const pad = normalized.length % 4 === 0 ? "" : "=".repeat(4 - normalized.length % 4);
+  return Buffer.from(normalized + pad, "base64");
+}
+function pkcs7Unpad(buf) {
+  if (!buf.length) throw new Error("Invalid PKCS7 padding");
+  const pad = buf[buf.length - 1];
+  if (pad < 1 || pad > 16) throw new Error("Invalid PKCS7 padding");
+  for (let i = buf.length - pad; i < buf.length; i += 1) {
+    if (buf[i] !== pad) throw new Error("Invalid PKCS7 padding");
+  }
+  return buf.subarray(0, buf.length - pad);
+}
 function encrypt(plaintext, key) {
   const iv = randomBytes(IV_BYTES);
   const cipher = createCipheriv(ALGORITHM, key, iv);
@@ -40,20 +55,53 @@ function decrypt(data, key) {
   decipher.setAuthTag(tag);
   return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
 }
+function decryptLegacyFernet(tokenData, keyBase64) {
+  const token = tokenData.toString("utf8").trim();
+  const raw = base64UrlToBuffer(token);
+  if (raw.length < 1 + 8 + 16 + 32) throw new Error("Invalid legacy token length");
+  if (raw[0] !== FERNET_VERSION) throw new Error("Invalid legacy token version");
+  const key = base64UrlToBuffer(keyBase64);
+  if (key.length !== 32) throw new Error("Invalid legacy key length");
+  const signingKey = key.subarray(0, 16);
+  const encryptionKey = key.subarray(16, 32);
+  const hmacStart = raw.length - 32;
+  const msg = raw.subarray(0, hmacStart);
+  const sig = raw.subarray(hmacStart);
+  const mac = createHmac("sha256", signingKey).update(msg).digest();
+  if (mac.length !== sig.length || !timingSafeEqual(mac, sig)) {
+    throw new Error("Legacy token HMAC verification failed");
+  }
+  const iv = raw.subarray(1 + 8, 1 + 8 + 16);
+  const ciphertext = raw.subarray(1 + 8 + 16, hmacStart);
+  const decipher = createDecipheriv("aes-128-cbc", encryptionKey, iv);
+  decipher.setAutoPadding(false);
+  const padded = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+  return pkcs7Unpad(padded);
+}
 
 // src/vault.ts
 var PROJECT_RE = /^[a-zA-Z0-9._-]+$/;
 var SECRET_RE = /^[A-Z_][A-Z0-9_]*$/;
 var VaultService = class {
-  constructor(vaultPath2, lockFile, key) {
+  constructor(vaultPath2, lockFile, key, legacyKeyBase64, keyFilePath) {
     this.vaultPath = vaultPath2;
     this.lockFile = lockFile;
     this.key = key;
+    this.legacyKeyBase64 = legacyKeyBase64;
+    this.keyFilePath = keyFilePath;
   }
   load() {
     if (!existsSync(this.vaultPath)) return { version: 1, projects: {} };
     const raw = readFileSync(this.vaultPath);
-    return JSON.parse(decrypt(raw, this.key).toString("utf8"));
+    try {
+      return JSON.parse(decrypt(raw, this.key).toString("utf8"));
+    } catch (err2) {
+      const message = String(err2);
+      if (this.legacyKeyBase64 && message.includes("Unsupported vault version")) {
+        return this.migrateLegacy(raw);
+      }
+      throw err2;
+    }
   }
   save(data) {
     mkdirSync(dirname(this.vaultPath), { recursive: true });
@@ -64,6 +112,29 @@ var VaultService = class {
       this.save({ version: 1, projects: {} });
     }
   }
+  migrateLegacy(raw) {
+    const plaintext = decryptLegacyFernet(raw, this.legacyKeyBase64);
+    let parsed;
+    try {
+      parsed = JSON.parse(plaintext.toString("utf8"));
+    } catch {
+      throw new Error("Legacy vault JSON parse failed");
+    }
+    const data = {
+      version: typeof parsed.version === "number" ? parsed.version : 1,
+      projects: parsed.projects && typeof parsed.projects === "object" ? parsed.projects : {}
+    };
+    if (!data.version || data.version !== 1) data.version = 1;
+    if (!data.projects) data.projects = {};
+    this.save(data);
+    if (this.keyFilePath) {
+      try {
+        writeFileSync(this.keyFilePath, this.key.toString("hex"), { mode: 384 });
+      } catch {
+      }
+    }
+    return data;
+  }
   async withLock(fn) {
     mkdirSync(dirname(this.lockFile), { recursive: true });
     if (!existsSync(this.lockFile)) writeFileSync(this.lockFile, "");
@@ -1117,12 +1188,12 @@ function createMcpServer(services, options = {}) {
 // src/web.ts
 import { Hono } from "hono";
 import { getCookie, setCookie, deleteCookie } from "hono/cookie";
-import { createHmac, randomBytes as randomBytes5 } from "crypto";
+import { createHmac as createHmac2, randomBytes as randomBytes5 } from "crypto";
 import { readdirSync, statSync, existsSync as existsSync4 } from "fs";
 import { join as join2, resolve as resolvePath, dirname as dirname4 } from "path";
 
 // src/auth.ts
-import { randomBytes as randomBytes4, pbkdf2Sync, timingSafeEqual } from "crypto";
+import { randomBytes as randomBytes4, pbkdf2Sync, timingSafeEqual as timingSafeEqual2 } from "crypto";
 var ITERATIONS = 6e5;
 var KEY_LEN = 32;
 var DIGEST = "sha256";
@@ -1135,7 +1206,7 @@ function verifyPassword(password, hash, salt) {
   const derived = pbkdf2Sync(password, salt, ITERATIONS, KEY_LEN, DIGEST);
   const expected = Buffer.from(hash, "hex");
   if (derived.length !== expected.length) return false;
-  return timingSafeEqual(derived, expected);
+  return timingSafeEqual2(derived, expected);
 }
 
 // src/i18n.ts
@@ -1337,7 +1408,7 @@ function normalizeLang(lang) {
 var COOKIE = "zs";
 function signSession(data, secret) {
   const payload = Buffer.from(JSON.stringify(data)).toString("base64url");
-  const sig = createHmac("sha256", secret).update(payload).digest("hex").slice(0, 20);
+  const sig = createHmac2("sha256", secret).update(payload).digest("hex").slice(0, 20);
   return `${payload}.${sig}`;
 }
 function parseSession(value, secret) {
@@ -1345,7 +1416,7 @@ function parseSession(value, secret) {
   if (dot === -1) return null;
   const payload = value.slice(0, dot);
   const sig = value.slice(dot + 1);
-  const expected = createHmac("sha256", secret).update(payload).digest("hex").slice(0, 20);
+  const expected = createHmac2("sha256", secret).update(payload).digest("hex").slice(0, 20);
   if (sig !== expected) return null;
   try {
     return JSON.parse(Buffer.from(payload, "base64url").toString());
@@ -1925,177 +1996,360 @@ function lockPath(home = zocketHome()) {
 import { readFileSync as readFileSync5, writeFileSync as writeFileSync5, mkdirSync as mkdirSync4, existsSync as existsSync5 } from "fs";
 import { dirname as dirname5 } from "path";
 import { randomBytes as randomBytes6 } from "crypto";
+function isHexKey(raw) {
+  return /^[0-9a-fA-F]{64}$/.test(raw);
+}
+function isBase64UrlKey(raw) {
+  return /^[A-Za-z0-9_-]{43,44}=?$/.test(raw);
+}
+function base64UrlToBuffer2(raw) {
+  const normalized = raw.replace(/-/g, "+").replace(/_/g, "/");
+  const pad = normalized.length % 4 === 0 ? "" : "=".repeat(4 - normalized.length % 4);
+  return Buffer.from(normalized + pad, "base64");
+}
 function loadOrCreateKey(keyFile) {
   if (existsSync5(keyFile)) {
     const raw = readFileSync5(keyFile, "utf8").trim();
-    return Buffer.from(raw, "hex");
+    if (isHexKey(raw)) {
+      return { key: Buffer.from(raw, "hex"), source: "hex" };
+    }
+    if (isBase64UrlKey(raw)) {
+      const key2 = base64UrlToBuffer2(raw);
+      if (key2.length !== 32) {
+        throw new Error("Legacy base64 key is invalid length");
+      }
+      return { key: key2, source: "base64", legacyBase64: raw };
+    }
+    throw new Error("Unsupported key format: expected 64-char hex or base64url");
   }
   mkdirSync4(dirname5(keyFile), { recursive: true });
   const key = randomBytes6(32);
   writeFileSync5(keyFile, key.toString("hex"), { mode: 384 });
-  return key;
+  return { key, source: "generated" };
 }
 
 // src/tui.ts
-import readline from "readline/promises";
-import { stdin as input, stdout as output } from "process";
-async function promptMenu(rl, title, options) {
-  output.write(`
-${title}
-`);
-  options.forEach((opt, i) => output.write(`  ${i + 1}) ${opt}
-`));
-  const answer = await rl.question("> ");
-  const idx = Number(answer.trim()) - 1;
-  return Number.isFinite(idx) && idx >= 0 && idx < options.length ? idx : -1;
-}
-async function promptInput(rl, label, fallback = "") {
-  const ans = await rl.question(`${label}${fallback ? ` (${fallback})` : ""}: `);
-  return ans.trim() || fallback;
-}
-async function promptConfirm(rl, label) {
-  const ans = await rl.question(`${label} [y/N]: `);
-  return ans.trim().toLowerCase() === "y";
+import blessed from "blessed";
+function safeText(value) {
+  if (!value) return "";
+  return String(value);
 }
-async function pickProject(rl, vault) {
-  const rows = await vault.listProjects();
-  if (!rows.length) {
-    output.write("No projects\n");
-    return null;
-  }
-  const idx = await promptMenu(rl, "Select project", rows.map((r) => `${r.name} (${r.secret_count})`));
-  if (idx < 0) return null;
-  return rows[idx].name;
+function buildProjectLabel(row) {
+  const count = row.secret_count ?? 0;
+  return `${row.name} (${count})`;
 }
-async function showProjects(vault) {
-  const rows = await vault.listProjects();
-  if (!rows.length) {
-    output.write("No projects\n");
-    return;
-  }
-  rows.forEach((r) => {
-    output.write(`${r.name}	${r.secret_count}	${r.folder_path ?? ""}
-`);
+async function runTui(services) {
+  const { vault } = services;
+  const screen = blessed.screen({
+    smartCSR: true,
+    title: "zocket"
   });
-}
-async function showSecrets(vault, project, showValues) {
-  const rows = await vault.listSecrets(project);
-  if (!rows.length) {
-    output.write("No secrets\n");
-    return;
-  }
-  for (const r of rows) {
-    if (showValues) {
-      const v = await vault.getSecretValue(project, r.key);
-      output.write(`${r.key}	${v}	${r.description ?? ""}
-`);
+  const header = blessed.box({
+    parent: screen,
+    top: 0,
+    height: 1,
+    width: "100%",
+    style: { fg: "white", bg: "blue" },
+    content: " zocket \u2022 TUI  |  q:quit  tab:switch  r:refresh  v:values  n:new project  d:delete  s:set secret  e:edit  x:delete"
+  });
+  const footer = blessed.box({
+    parent: screen,
+    bottom: 0,
+    height: 1,
+    width: "100%",
+    style: { fg: "black", bg: "white" },
+    content: " Ready"
+  });
+  const projectList = blessed.list({
+    parent: screen,
+    label: " Projects ",
+    top: 1,
+    left: 0,
+    bottom: 1,
+    width: "30%",
+    border: "line",
+    keys: true,
+    mouse: true,
+    style: {
+      selected: { bg: "blue", fg: "white" },
+      border: { fg: "cyan" }
+    },
+    scrollbar: {
+      ch: " ",
+      inverse: true
+    }
+  });
+  const secretTable = blessed.listtable({
+    parent: screen,
+    label: " Secrets ",
+    top: 1,
+    left: "30%",
+    bottom: 1,
+    width: "70%",
+    border: "line",
+    keys: true,
+    mouse: true,
+    align: "left",
+    noCellBorders: true,
+    style: {
+      header: { fg: "yellow", bold: true },
+      cell: { fg: "white" },
+      selected: { bg: "blue", fg: "white" },
+      border: { fg: "cyan" }
+    }
+  });
+  const prompt = blessed.prompt({
+    parent: screen,
+    border: "line",
+    height: 9,
+    width: "60%",
+    top: "center",
+    left: "center",
+    label: " Input ",
+    keys: true,
+    vi: true
+  });
+  const confirm = blessed.question({
+    parent: screen,
+    border: "line",
+    height: 7,
+    width: "60%",
+    top: "center",
+    left: "center",
+    label: " Confirm ",
+    keys: true,
+    vi: true
+  });
+  let projects = [];
+  let secrets = [];
+  let currentProject = null;
+  let showValues = false;
+  function setStatus(message) {
+    footer.setContent(` ${message}`);
+    screen.render();
+  }
+  function setFocusPane(pane) {
+    if (pane === "projects") {
+      projectList.style.border.fg = "green";
+      secretTable.style.border.fg = "cyan";
+      projectList.setLabel(" Projects ");
+      secretTable.setLabel(" Secrets ");
+      projectList.focus();
     } else {
-      output.write(`${r.key}	${r.description ?? ""}
-`);
+      projectList.style.border.fg = "cyan";
+      secretTable.style.border.fg = "green";
+      projectList.setLabel(" Projects ");
+      secretTable.setLabel(" Secrets ");
+      secretTable.focus();
     }
+    screen.render();
   }
-}
-async function runTui(services) {
-  const rl = readline.createInterface({ input, output });
-  const { vault } = services;
-  try {
-    while (true) {
-      const main = await promptMenu(rl, "Zocket TUI", [
-        "Projects",
-        "Secrets",
-        "Exit"
-      ]);
-      if (main === 2) break;
-      if (main === 0) {
-        const idx = await promptMenu(rl, "Projects", [
-          "List",
-          "Create",
-          "Delete",
-          "Set folder path",
-          "Set allowed domains",
-          "Back"
-        ]);
-        if (idx === 5) continue;
-        if (idx === 0) await showProjects(vault);
-        if (idx === 1) {
-          const name = await promptInput(rl, "Project name");
-          const desc = await promptInput(rl, "Description", "");
-          const folder = await promptInput(rl, "Folder path", "");
-          await vault.createProject(name, desc);
-          if (folder) await vault.setFolder(name, folder);
-          output.write("Project created\n");
-        }
-        if (idx === 2) {
-          const name = await pickProject(rl, vault);
-          if (!name) continue;
-          if (await promptConfirm(rl, `Delete ${name}?`)) {
-            await vault.deleteProject(name);
-            output.write("Project deleted\n");
-          }
-        }
-        if (idx === 3) {
-          const name = await pickProject(rl, vault);
-          if (!name) continue;
-          const path = await promptInput(rl, "Folder path (empty to clear)", "");
-          await vault.setFolder(name, path || void 0);
-          output.write("Folder updated\n");
-        }
-        if (idx === 4) {
-          const name = await pickProject(rl, vault);
-          if (!name) continue;
-          const domains = await promptInput(rl, "Allowed domains (comma-separated, empty to clear)", "");
-          const value = domains ? domains.split(",").map((s) => s.trim()).filter(Boolean) : null;
-          await vault.setAllowedDomains(name, value);
-          output.write("Allowed domains updated\n");
-        }
-      }
-      if (main === 1) {
-        const project = await pickProject(rl, vault);
-        if (!project) continue;
-        const idx = await promptMenu(rl, `Secrets for ${project}`, [
-          "List (no values)",
-          "List (with values)",
-          "Add or update",
-          "Get value",
-          "Delete",
-          "Back"
-        ]);
-        if (idx === 5) continue;
-        if (idx === 0) await showSecrets(vault, project, false);
-        if (idx === 1) await showSecrets(vault, project, true);
-        if (idx === 2) {
-          const key = await promptInput(rl, "Key (UPPERCASE)", "");
-          const value = await promptInput(rl, "Value", "");
-          const desc = await promptInput(rl, "Description", "");
-          await vault.setSecret(project, key, value, desc);
-          output.write("Secret saved\n");
-        }
-        if (idx === 3) {
-          const key = await promptInput(rl, "Key", "");
-          const value = await vault.getSecretValue(project, key);
-          output.write(`${value}
-`);
-        }
-        if (idx === 4) {
-          const key = await promptInput(rl, "Key", "");
-          if (await promptConfirm(rl, `Delete ${key}?`)) {
-            await vault.deleteSecret(project, key);
-            output.write("Secret deleted\n");
-          }
-        }
+  async function askInput(label, initial = "") {
+    return await new Promise((resolve) => {
+      prompt.input(label, initial, (err2, value) => {
+        if (err2) return resolve(null);
+        resolve(value ?? "");
+      });
+    });
+  }
+  async function askConfirm(label) {
+    return await new Promise((resolve) => {
+      confirm.ask(label, (err2, answer) => {
+        if (err2) return resolve(false);
+        resolve(Boolean(answer));
+      });
+    });
+  }
+  async function refreshProjects(selectName) {
+    projects = await vault.listProjects();
+    if (!projects.length) {
+      projectList.setItems(["(no projects)"]);
+      projectList.select(0);
+      currentProject = null;
+      return;
+    }
+    const labels = projects.map(buildProjectLabel);
+    projectList.setItems(labels);
+    let idx = 0;
+    if (selectName) {
+      const found = projects.findIndex((p) => p.name === selectName);
+      if (found >= 0) idx = found;
+    } else if (currentProject) {
+      const found = projects.findIndex((p) => p.name === currentProject?.name);
+      if (found >= 0) idx = found;
+    }
+    projectList.select(idx);
+    currentProject = projects[idx];
+  }
+  async function refreshSecrets() {
+    if (!currentProject) {
+      secretTable.setData([["Key", "Value", "Description", "Updated"]]);
+      return;
+    }
+    secrets = await vault.listSecrets(currentProject.name);
+    let rows;
+    if (!secrets.length) {
+      rows = [[showValues ? "Key" : "Key", showValues ? "Value" : "Description", "Updated"]];
+    } else {
+      if (showValues) {
+        const values = await Promise.all(secrets.map((s) => vault.getSecretValue(currentProject.name, s.key)));
+        rows = [
+          ["Key", "Value", "Description", "Updated"],
+          ...secrets.map((s, i) => [
+            s.key,
+            safeText(values[i]),
+            safeText(s.description),
+            safeText(s.updated_at)
+          ])
+        ];
+      } else {
+        rows = [
+          ["Key", "Description", "Updated"],
+          ...secrets.map((s) => [s.key, safeText(s.description), safeText(s.updated_at)])
+        ];
       }
     }
-  } finally {
-    rl.close();
+    secretTable.setData(rows);
+  }
+  async function refreshAll() {
+    await refreshProjects();
+    await refreshSecrets();
+    screen.render();
+  }
+  async function createProject() {
+    const name = await askInput("Project name");
+    if (!name) return;
+    const desc = await askInput("Description (optional)", "");
+    const folder = await askInput("Folder path (optional)", "");
+    await vault.createProject(name, desc ?? "");
+    if (folder) await vault.setFolder(name, folder);
+    setStatus(`Project created: ${name}`);
+    await refreshProjects(name);
+    await refreshSecrets();
+  }
+  async function deleteProject() {
+    if (!currentProject) return;
+    const ok2 = await askConfirm(`Delete project ${currentProject.name}?`);
+    if (!ok2) return;
+    await vault.deleteProject(currentProject.name);
+    setStatus(`Project deleted: ${currentProject.name}`);
+    await refreshProjects();
+    await refreshSecrets();
+  }
+  async function setProjectFolder() {
+    if (!currentProject) return;
+    const path = await askInput("Folder path (empty to clear)", currentProject.folder_path ?? "");
+    if (path === null) return;
+    await vault.setFolder(currentProject.name, path.trim() || void 0);
+    setStatus("Folder updated");
+    await refreshProjects(currentProject.name);
+  }
+  async function setAllowedDomains() {
+    if (!currentProject) return;
+    const initial = (await vault.getAllowedDomains(currentProject.name))?.join(", ") ?? "";
+    const domains = await askInput("Allowed domains (comma-separated)", initial);
+    if (domains === null) return;
+    const value = domains.split(",").map((s) => s.trim()).filter(Boolean);
+    await vault.setAllowedDomains(currentProject.name, value.length ? value : null);
+    setStatus("Allowed domains updated");
+  }
+  function selectedSecretKey() {
+    if (!secrets.length) return null;
+    const idx = secretTable.selected - 1;
+    if (idx < 0 || idx >= secrets.length) return null;
+    return secrets[idx].key;
   }
+  async function upsertSecret(edit = false) {
+    if (!currentProject) return;
+    let key = "";
+    let value = "";
+    let desc = "";
+    if (edit) {
+      const selectedKey = selectedSecretKey();
+      if (!selectedKey) return;
+      key = selectedKey;
+      desc = secrets.find((s) => s.key === selectedKey)?.description ?? "";
+      value = showValues ? await vault.getSecretValue(currentProject.name, selectedKey) : "";
+    }
+    const keyInput = await askInput("Key (UPPERCASE)", key);
+    if (!keyInput) return;
+    const valueInput = await askInput("Value", value);
+    if (valueInput === null) return;
+    const descInput = await askInput("Description (optional)", desc);
+    await vault.setSecret(currentProject.name, keyInput, valueInput, descInput ?? "");
+    setStatus("Secret saved");
+    await refreshSecrets();
+  }
+  async function deleteSecret() {
+    if (!currentProject) return;
+    const key = selectedSecretKey();
+    if (!key) return;
+    const ok2 = await askConfirm(`Delete secret ${key}?`);
+    if (!ok2) return;
+    await vault.deleteSecret(currentProject.name, key);
+    setStatus(`Secret deleted: ${key}`);
+    await refreshSecrets();
+  }
+  projectList.on("select", async (_, idx) => {
+    currentProject = projects[idx] ?? null;
+    await refreshSecrets();
+    screen.render();
+  });
+  screen.key(["q", "C-c"], () => process.exit(0));
+  screen.key(["tab"], () => {
+    if (screen.focused === projectList) setFocusPane("secrets");
+    else setFocusPane("projects");
+  });
+  screen.key(["r"], async () => {
+    setStatus("Refreshing...");
+    await refreshAll();
+    setStatus("Ready");
+  });
+  screen.key(["v"], async () => {
+    showValues = !showValues;
+    setStatus(showValues ? "Values: visible" : "Values: hidden");
+    await refreshSecrets();
+    screen.render();
+  });
+  screen.key(["n"], async () => {
+    await createProject();
+    screen.render();
+  });
+  screen.key(["d"], async () => {
+    await deleteProject();
+    screen.render();
+  });
+  screen.key(["f"], async () => {
+    await setProjectFolder();
+    screen.render();
+  });
+  screen.key(["a"], async () => {
+    await setAllowedDomains();
+    screen.render();
+  });
+  screen.key(["s"], async () => {
+    await upsertSecret(false);
+    screen.render();
+  });
+  screen.key(["e"], async () => {
+    await upsertSecret(true);
+    screen.render();
+  });
+  screen.key(["x"], async () => {
+    await deleteSecret();
+    screen.render();
+  });
+  await refreshAll();
+  setFocusPane("projects");
+  screen.render();
 }
 
 // src/cli.ts
 function createServices() {
   const home = zocketHome();
   mkdirSync5(home, { recursive: true });
-  const key = loadOrCreateKey(keyPath());
-  const vault = new VaultService(vaultPath(), lockPath(), key);
+  const keyMaterial = loadOrCreateKey(keyPath());
+  const vault = new VaultService(vaultPath(), lockPath(), keyMaterial.key, keyMaterial.legacyBase64, keyPath());
   vault.ensureExists();
   const config = new ConfigStore(configPath());
   const audit = new AuditLogger(auditPath());
@@ -2107,10 +2361,14 @@ async function cmdStart(opts) {
   const cfg = config.ensureExists();
   const mode = opts.mode === "admin" ? "admin" : "metadata";
   const services = { vault, config, audit, mode };
-  const webApp = createWebApp({ vault, config, audit });
-  serve({ fetch: webApp.fetch, hostname: opts.host, port: opts.webPort }, () => {
-    console.log(`[zocket] web    http://${opts.host}:${opts.webPort}`);
-  });
+  if (opts.webEnabled) {
+    const webApp = createWebApp({ vault, config, audit });
+    serve({ fetch: webApp.fetch, hostname: opts.host, port: opts.webPort }, () => {
+      console.log(`[zocket] web    http://${opts.host}:${opts.webPort}`);
+    });
+  } else {
+    console.log("[zocket] web    disabled");
+  }
   const sessions = /* @__PURE__ */ new Map();
   const mcpHttp = createServer((req, res) => {
     const url = new URL(req.url ?? "/", `http://${req.headers.host}`);
@@ -2223,13 +2481,24 @@ function buildCli() {
     createServices();
     console.log(`[zocket] initialized \u2014 vault: ${vaultPath()}`);
   });
-  program.command("start").description("Start web panel + MCP SSE + MCP Streamable HTTP servers").option("--host <host>", "Bind host", "127.0.0.1").option("--web-port <port>", "Web panel port", "18001").option("--mcp-port <port>", "MCP SSE port", "18002").option("--mcp-stream-port <port>", "MCP Streamable HTTP port", "18003").option("--mode <mode>", "MCP mode (metadata|admin)", "admin").action(async (opts) => {
+  program.command("start").description("Start web panel + MCP SSE + MCP Streamable HTTP servers (use --no-web for MCP-only)").option("--host <host>", "Bind host", "127.0.0.1").option("--web-port <port>", "Web panel port", "18001").option("--mcp-port <port>", "MCP SSE port", "18002").option("--mcp-stream-port <port>", "MCP Streamable HTTP port", "18003").option("--mode <mode>", "MCP mode (metadata|admin)", "admin").option("--no-web", "Disable web panel").action(async (opts) => {
     await cmdStart({
       host: opts.host,
       webPort: parseInt(opts.webPort, 10),
       mcpPort: parseInt(opts.mcpPort, 10),
       mcpStreamPort: parseInt(opts.mcpStreamPort, 10),
-      mode: opts.mode
+      mode: opts.mode,
+      webEnabled: opts.web
+    });
+  });
+  program.command("server").description("Start MCP servers without web panel").option("--host <host>", "Bind host", "127.0.0.1").option("--mcp-port <port>", "MCP SSE port", "18002").option("--mcp-stream-port <port>", "MCP Streamable HTTP port", "18003").option("--mode <mode>", "MCP mode (metadata|admin)", "admin").action(async (opts) => {
+    await cmdStart({
+      host: opts.host,
+      webPort: 18001,
+      mcpPort: parseInt(opts.mcpPort, 10),
+      mcpStreamPort: parseInt(opts.mcpStreamPort, 10),
+      mode: opts.mode,
+      webEnabled: false
     });
   });
   const projects = program.command("projects").description("Manage projects");

package/docs/INSTALL.md

@@ -12,6 +12,11 @@ This guide installs **zocket** (Node.js) as:
 curl -fsSL https://raw.githubusercontent.com/aozorin/zocket/main/scripts/install-zocket.sh | bash
 ```
 
+MCP-only (no web panel):
+```bash
+curl -fsSL https://raw.githubusercontent.com/aozorin/zocket/main/scripts/install-zocket.sh | bash -s -- --no-web
+```
+
 If you run from a local clone:
 ```bash
 bash scripts/install-zocket.sh --source local
@@ -22,6 +27,13 @@ bash scripts/install-zocket.sh --source local
 irm https://raw.githubusercontent.com/aozorin/zocket/main/scripts/install-zocket.ps1 | iex
 ```
 
+MCP-only (no web panel):
+```powershell
+$tmp = "$env:TEMP\\install-zocket.ps1"
+irm https://raw.githubusercontent.com/aozorin/zocket/main/scripts/install-zocket.ps1 -OutFile $tmp
+powershell -ExecutionPolicy Bypass -File $tmp -NoWeb
+```
+
 If you run from a local clone:
 ```powershell
 powershell -ExecutionPolicy Bypass -File .\scripts\install-zocket.ps1 -Source Local
@@ -93,6 +105,11 @@ zocket init
 zocket start --host 127.0.0.1 --web-port 18001 --mcp-port 18002 --mcp-stream-port 18003 --mode admin
 ```
 
+MCP-only (no web panel):
+```bash
+zocket server --host 127.0.0.1 --mcp-port 18002 --mcp-stream-port 18003 --mode admin
+```
+
 ## 6) Systemd hardening on Linux (production)
 
 If you install with `--autostart system`, the installer creates and enables:
@@ -155,6 +172,7 @@ Or create manually:
 - task `Zocket` on logon
 - action:
   - `zocket start --host 127.0.0.1 --web-port 18001 --mcp-port 18002 --mcp-stream-port 18003 --mode admin`
+  - add `--no-web` for MCP-only
 
 ## 7) First web open
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ao_zorin/zocket",
-  "version": "1.2.0",
+  "version": "1.3.0",
   "description": "Local encrypted vault + web panel + MCP server for AI agent workflows",
   "type": "module",
   "bin": {
@@ -18,6 +18,7 @@
     "@anthropic-ai/sdk": "^0.78.0",
     "@hono/node-server": "^1.13.0",
     "@modelcontextprotocol/sdk": "^1.0.0",
+    "blessed": "^0.1.81",
     "commander": "^12.0.0",
     "hono": "^4.0.0",
     "proper-lockfile": "^4.1.2",
@@ -33,6 +34,7 @@
   },
   "devDependencies": {
     "@anthropic-ai/tokenizer": "^0.0.4",
+    "@types/blessed": "^0.1.24",
     "@types/node": "^20.0.0",
     "@types/proper-lockfile": "^4.1.4",
     "js-tiktoken": "^1.0.21",

package/scripts/install-zocket.ps1

@@ -11,7 +11,8 @@ Param(
   [int]$McpStreamPort = 18003,
   [ValidateSet("metadata", "admin")]
   [string]$McpMode = "admin",
-  [bool]$EnableAutostart = $true
+  [bool]$EnableAutostart = $true,
+  [switch]$NoWeb
 )
 
 $ErrorActionPreference = "Stop"
@@ -63,12 +64,17 @@ $env:ZOCKET_HOME = $ZocketHome
 if ($EnableAutostart) {
   $taskName = "Zocket"
   $cmd = "\"$zocketBin\" start --host 127.0.0.1 --web-port $WebPort --mcp-port $McpPort --mcp-stream-port $McpStreamPort --mode $McpMode"
+  if ($NoWeb) { $cmd = "$cmd --no-web" }
   schtasks /Create /F /SC ONLOGON /RL LIMITED /TN $taskName /TR $cmd | Out-Null
 }
 
 Write-Output "zocket installed successfully."
 Write-Output "zocket: $zocketBin"
 Write-Output "ZOCKET_HOME=$ZocketHome"
-Write-Output "web panel: http://127.0.0.1:$WebPort"
+if ($NoWeb) {
+  Write-Output "web panel: disabled"
+} else {
+  Write-Output "web panel: http://127.0.0.1:$WebPort"
+}
 Write-Output "mcp sse:   http://127.0.0.1:$McpPort/sse"
 Write-Output "mcp http:  http://127.0.0.1:$McpStreamPort/mcp"

package/scripts/install-zocket.sh

@@ -15,6 +15,7 @@ MCP_STREAM_PORT="${MCP_STREAM_PORT:-18003}"
 MCP_MODE="${MCP_MODE:-admin}"              # metadata|admin
 AUTOSTART="${AUTOSTART:-user}"             # user|system|none
 SERVICE_USER="${SERVICE_USER:-zocketd}"
+WEB_ENABLED="${WEB_ENABLED:-true}"
 
 usage() {
   cat <<EOF
@@ -30,6 +31,7 @@ Options:
   --mcp-port <port>
   --mcp-stream-port <port>
   --mcp-mode <metadata|admin>
+  --no-web
   --autostart <user|system|none>
   --service-user <name>
   -h, --help
@@ -49,6 +51,7 @@ while [[ $# -gt 0 ]]; do
     --mcp-port) MCP_PORT="$2"; shift 2 ;;
     --mcp-stream-port) MCP_STREAM_PORT="$2"; shift 2 ;;
     --mcp-mode) MCP_MODE="$2"; shift 2 ;;
+    --no-web) WEB_ENABLED="false"; shift 1 ;;
     --autostart) AUTOSTART="$2"; shift 2 ;;
     --service-user) SERVICE_USER="$2"; shift 2 ;;
     -h|--help) usage; exit 0 ;;
@@ -242,6 +245,9 @@ EOF
 }
 
 EXEC_START="${ZOCKET_BIN} start --host 127.0.0.1 --web-port ${WEB_PORT} --mcp-port ${MCP_PORT} --mcp-stream-port ${MCP_STREAM_PORT} --mode ${MCP_MODE}"
+if [[ "$WEB_ENABLED" == "false" ]]; then
+  EXEC_START="${EXEC_START} --no-web"
+fi
 
 if [[ "$AUTOSTART" == "user" && "$OS" == linux* ]]; then
   USER_UNIT_DIR="$HOME/.config/systemd/user"
@@ -270,7 +276,7 @@ zocket:    ${ZOCKET_BIN}
 ZOCKET_HOME=${ZOCKET_HOME_DIR}
 
 Default ports:
-  web panel: http://127.0.0.1:${WEB_PORT}
+  web panel: http://127.0.0.1:${WEB_PORT}$( [[ "$WEB_ENABLED" == "false" ]] && printf ' (disabled)' )
   MCP SSE:   http://127.0.0.1:${MCP_PORT}/sse
   MCP HTTP:  http://127.0.0.1:${MCP_STREAM_PORT}/mcp