@askance/cli 0.1.0 → 0.2.1

package/LICENSE

@@ -1,21 +1,21 @@
-MIT License
-
-Copyright (c) 2025 Advancer Limited
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+MIT License
+
+Copyright (c) 2025 Advancer Limited
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -1,79 +1,79 @@
-# @askance/cli
-
-Tool call interception & approval management for AI coding agents.
-
-Askance hooks into your coding agent (Claude Code, Cursor, GitHub Copilot) and routes tool calls through policy rules and a cloud dashboard for approval — so agents can work while you review from any device.
-
-## Quick Start
-
-```bash
-npm install --save-dev @askance/cli
-npx askance init
-npx askance login
-# Restart your agent session
-```
-
-## What it does
-
-- **Hook handler** — intercepts tool calls before execution and evaluates them against your `.askance.yml` policy rules
-- **MCP server** — provides tools for the agent to wait for approvals and check for instructions
-- **CLI** — sets up config files and authenticates with the Askance cloud
-
-## Commands
-
-| Command | Description |
-|---------|-------------|
-| `npx askance init` | Set up hooks, MCP server, policy rules, and CLAUDE.md |
-| `npx askance login` | Authenticate via browser (GitHub, Google, or Microsoft) |
-| `npx askance template <name>` | Apply a policy template (`conservative`, `moderate`, `permissive`, `ci-safe`) |
-| `npx askance help` | Show usage information |
-
-### Init options
-
-```bash
-npx askance init            # Claude Code (default)
-npx askance init --cursor   # Cursor IDE
-npx askance init --copilot  # GitHub Copilot
-npx askance init --all      # All agents
-```
-
-## Policy rules
-
-Policy rules in `.askance.yml` control what happens when the agent uses a tool:
-
-- **allow** — tool call proceeds immediately
-- **gate** — queued for approval in the dashboard
-- **deny** — blocked automatically
-
-```yaml
-rules:
-  - name: "Allow read-only tools"
-    match:
-      tool: "^(Read|Glob|Grep|WebSearch)$"
-    action: allow
-
-  - name: "Gate file writes"
-    match:
-      tool: "^(Edit|Write)$"
-    action: gate
-    risk: medium
-
-  - name: "Deny destructive commands"
-    match:
-      tool: "^Bash$"
-      command: "(rm -rf|chmod 777)"
-    action: deny
-    risk: high
-```
-
-## Dashboard
-
-Manage approvals at [app.askance.app](https://app.askance.app) — approve, deny, or send instructions to your agent from any device.
-
-## Documentation
-
-Full docs at [askance.app/docs](https://askance.app/docs)
-
-## License
-
-MIT
+# @askance/cli
+
+Tool call interception & approval management for AI coding agents.
+
+Askance hooks into your coding agent (Claude Code, Cursor, GitHub Copilot) and routes tool calls through policy rules and a cloud dashboard for approval — so agents can work while you review from any device.
+
+## Quick Start
+
+```bash
+npm install --save-dev @askance/cli
+npx askance init
+npx askance login
+# Restart your agent session
+```
+
+## What it does
+
+- **Hook handler** — intercepts tool calls before execution and evaluates them against your `.askance.yml` policy rules
+- **MCP server** — provides tools for the agent to wait for approvals and check for instructions
+- **CLI** — sets up config files and authenticates with the Askance cloud
+
+## Commands
+
+| Command | Description |
+|---------|-------------|
+| `npx askance init` | Set up hooks, MCP server, policy rules, and CLAUDE.md |
+| `npx askance login` | Authenticate via browser (GitHub, Google, or Microsoft) |
+| `npx askance template <name>` | Apply a policy template (`conservative`, `moderate`, `permissive`, `ci-safe`) |
+| `npx askance help` | Show usage information |
+
+### Init options
+
+```bash
+npx askance init            # Claude Code (default)
+npx askance init --cursor   # Cursor IDE
+npx askance init --copilot  # GitHub Copilot
+npx askance init --all      # All agents
+```
+
+## Policy rules
+
+Policy rules in `.askance.yml` control what happens when the agent uses a tool:
+
+- **allow** — tool call proceeds immediately
+- **gate** — queued for approval in the dashboard
+- **deny** — blocked automatically
+
+```yaml
+rules:
+  - name: "Allow read-only tools"
+    match:
+      tool: "^(Read|Glob|Grep|WebSearch)$"
+    action: allow
+
+  - name: "Gate file writes"
+    match:
+      tool: "^(Edit|Write)$"
+    action: gate
+    risk: medium
+
+  - name: "Deny destructive commands"
+    match:
+      tool: "^Bash$"
+      command: "(rm -rf|chmod 777)"
+    action: deny
+    risk: high
+```
+
+## Dashboard
+
+Manage approvals at [app.askance.app](https://app.askance.app) — approve, deny, or send instructions to your agent from any device.
+
+## Documentation
+
+Full docs at [askance.app/docs](https://askance.app/docs)
+
+## License
+
+MIT

package/dist/cli/index.js

@@ -39,6 +39,8 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 const fs_1 = __importDefault(require("fs"));
 const path_1 = __importDefault(require("path"));
+const child_process_1 = require("child_process");
+const readline_1 = __importDefault(require("readline"));
 const api_client_1 = require("../common/api-client");
 const COMMANDS = ["init", "login", "template", "help"];
 const command = (process.argv[2] ?? "help");
@@ -53,76 +55,42 @@ const pkgRoot = path_1.default.resolve(__dirname, "..", "..");
 // ---------------------------------------------------------------------------
 // Shared helpers
 // ---------------------------------------------------------------------------
-function ensurePolicy() {
-    const policyPath = path_1.default.join(projectDir, ".askance.yml");
-    if (!fs_1.default.existsSync(policyPath)) {
-        const defaultPolicy = `version: 1
-
-api_url: https://api.askance.app
-project_id: ""
-
-keep_alive:
-  enabled: true
-  duration: 3600        # total seconds to stay alive polling (default: 1 hour)
-  poll_interval: 30     # seconds per poll cycle (default: 30s)
-
-rules:
-  - name: "Allow read-only tools"
-    match:
-      tool: "^(Read|Glob|Grep|WebSearch|WebFetch)$"
-    action: allow
-
-  - name: "Allow safe bash commands"
-    match:
-      tool: "^Bash$"
-      command: "^(npm test|npm run lint|npm run build|git status|git diff|git log|ls)"
-    action: allow
-
-  - name: "Gate file writes"
-    match:
-      tool: "^(Edit|Write|NotebookEdit)$"
-    action: gate
-    risk: medium
-
-  - name: "Gate package installs"
-    match:
-      tool: "^Bash$"
-      command: "(npm install|pip install|dotnet add)"
-    action: gate
-    risk: medium
-
-  - name: "Deny destructive commands"
-    match:
-      tool: "^Bash$"
-      command: "(rm -rf|chmod 777|curl.*\\\\|.*bash)"
-    action: deny
-    risk: high
-
-  - name: "Default - gate everything else"
-    match:
-      tool: ".*"
-    action: gate
-    risk: low
-`;
-        fs_1.default.writeFileSync(policyPath, defaultPolicy);
-        console.log("[askance] Created .askance.yml");
+function ensureConfig() {
+    const askanceDir = path_1.default.join(projectDir, ".askance");
+    if (!fs_1.default.existsSync(askanceDir)) {
+        fs_1.default.mkdirSync(askanceDir, { recursive: true });
+    }
+    const configPath = path_1.default.join(askanceDir, "config.json");
+    if (!fs_1.default.existsSync(configPath)) {
+        const defaultConfig = {
+            apiUrl: "https://api.askance.app",
+            projectId: "",
+            keepAlive: {
+                enabled: true,
+                duration: 3600,
+                pollInterval: 30,
+            },
+        };
+        fs_1.default.writeFileSync(configPath, JSON.stringify(defaultConfig, null, 2) + "\n");
+        console.log("[askance] Created .askance/config.json");
     }
     else {
-        console.log("[askance] .askance.yml already exists, skipping");
+        console.log("[askance] .askance/config.json already exists, skipping");
     }
 }
 function ensureGitignore() {
     const gitignorePath = path_1.default.join(projectDir, ".gitignore");
+    const ignoreEntry = ".askance/credentials";
     if (fs_1.default.existsSync(gitignorePath)) {
         const content = fs_1.default.readFileSync(gitignorePath, "utf-8");
-        if (!content.includes(".askance/")) {
-            fs_1.default.appendFileSync(gitignorePath, "\n# Askance session data\n.askance/\n");
-            console.log("[askance] Added .askance/ to .gitignore");
+        if (!content.includes(ignoreEntry)) {
+            fs_1.default.appendFileSync(gitignorePath, "\n# Askance credentials (do not commit)\n.askance/credentials\n");
+            console.log("[askance] Added .askance/credentials to .gitignore");
         }
     }
     else {
-        fs_1.default.writeFileSync(gitignorePath, "# Askance session data\n.askance/\n");
-        console.log("[askance] Created .gitignore with .askance/");
+        fs_1.default.writeFileSync(gitignorePath, "# Askance credentials (do not commit)\n.askance/credentials\n");
+        console.log("[askance] Created .gitignore with .askance/credentials");
     }
 }
 // ---------------------------------------------------------------------------
@@ -137,9 +105,13 @@ function initClaude() {
     const hookHandlerPath = path_1.default.join(pkgRoot, "dist", "hook-handler", "index.js").replace(/\\/g, "/");
     const stopHookPath = path_1.default.join(pkgRoot, "dist", "hook-handler", "stop-hook.js").replace(/\\/g, "/");
     const mcpServerPath = path_1.default.join(pkgRoot, "dist", "mcp-server", "index.js").replace(/\\/g, "/");
-    const settings = fs_1.default.existsSync(settingsPath)
-        ? JSON.parse(fs_1.default.readFileSync(settingsPath, "utf-8"))
-        : {};
+    let settings = {};
+    if (fs_1.default.existsSync(settingsPath)) {
+        try {
+            settings = JSON.parse(fs_1.default.readFileSync(settingsPath, "utf-8"));
+        }
+        catch { }
+    }
     // Set hooks
     const hooks = (settings.hooks ?? {});
     hooks.PreToolUse = [
@@ -188,9 +160,13 @@ function initCursor() {
     const settingsPath = path_1.default.join(cursorDir, "settings.json");
     const hookHandlerPath = path_1.default.join(pkgRoot, "dist", "hook-handler", "index.js").replace(/\\/g, "/");
     const mcpServerPath = path_1.default.join(pkgRoot, "dist", "mcp-server", "index.js").replace(/\\/g, "/");
-    const settings = fs_1.default.existsSync(settingsPath)
-        ? JSON.parse(fs_1.default.readFileSync(settingsPath, "utf-8"))
-        : {};
+    let settings = {};
+    if (fs_1.default.existsSync(settingsPath)) {
+        try {
+            settings = JSON.parse(fs_1.default.readFileSync(settingsPath, "utf-8"));
+        }
+        catch { }
+    }
     // Set Cursor hooks
     const cursorHooks = (settings["cursor.hooks"] ?? {});
     cursorHooks.preToolUse = {
@@ -222,9 +198,13 @@ function initCopilot() {
     }
     const configPath = path_1.default.join(githubDir, "copilot-config.json");
     const hookHandlerPath = path_1.default.join(pkgRoot, "dist", "hook-handler", "index.js").replace(/\\/g, "/");
-    const config = fs_1.default.existsSync(configPath)
-        ? JSON.parse(fs_1.default.readFileSync(configPath, "utf-8"))
-        : {};
+    let config = {};
+    if (fs_1.default.existsSync(configPath)) {
+        try {
+            config = JSON.parse(fs_1.default.readFileSync(configPath, "utf-8"));
+        }
+        catch { }
+    }
     // Set Copilot agent hooks
     const copilotAgent = (config["copilot.agent"] ?? {});
     const hooks = (copilotAgent.hooks ?? {});
@@ -247,7 +227,7 @@ const CLAUDE_MD_SECTION = `
 This project uses [Askance](https://askance.app) for AI tool call interception and approval management.
 
 **How it works:**
-- All tool calls are intercepted by Askance hooks and evaluated against policy rules in \`.askance.yml\`
+- All tool calls are intercepted by Askance hooks and evaluated against policy rules managed via the dashboard
 - Safe operations (reads, searches) are auto-approved; risky operations require human approval
 - When a tool call is gated for approval, use \`mcp__askance__wait\` to wait for the decision
 - Use \`mcp__askance__check_instructions\` periodically to check for operator instructions
@@ -275,8 +255,8 @@ function ensureClaudeMd() {
 }
 function init() {
     console.log("[askance] Initializing Askance in", projectDir);
-    // 1. Always write .askance.yml + .gitignore
-    ensurePolicy();
+    // 1. Always create .askance/config.json + update .gitignore
+    ensureConfig();
     ensureGitignore();
     // 2. Determine which IDE configs to set up
     const setupClaude = flagAll || (!flagCursor && !flagCopilot);
@@ -305,7 +285,139 @@ function init() {
         console.log("  2. Copilot agent hooks are configured in .github/copilot-config.json");
     }
     console.log("  3. Open the dashboard: https://app.askance.app");
-    console.log("  4. Edit .askance.yml to customize your policy rules");
+    console.log("  4. Manage policy rules via the dashboard");
+}
+// ---------------------------------------------------------------------------
+// Project setup helpers
+// ---------------------------------------------------------------------------
+function detectGitInfo() {
+    let repoUrl = "";
+    let branch = "main";
+    let repoName = path_1.default.basename(projectDir);
+    try {
+        repoUrl = (0, child_process_1.execSync)("git remote get-url origin", {
+            cwd: projectDir,
+            encoding: "utf-8",
+            stdio: ["pipe", "pipe", "pipe"],
+        }).trim();
+    }
+    catch { }
+    try {
+        branch = (0, child_process_1.execSync)("git branch --show-current", {
+            cwd: projectDir,
+            encoding: "utf-8",
+            stdio: ["pipe", "pipe", "pipe"],
+        }).trim() || "main";
+    }
+    catch { }
+    // Extract repo name from URL (e.g. git@github.com:user/my-repo.git → my-repo)
+    if (repoUrl) {
+        const match = repoUrl.match(/\/([^/]+?)(?:\.git)?$/) ?? repoUrl.match(/:([^/]+?)(?:\.git)?$/);
+        if (match)
+            repoName = match[1];
+    }
+    return { repoUrl, branch, repoName };
+}
+function promptSelection(message, max) {
+    const rl = readline_1.default.createInterface({ input: process.stdin, output: process.stdout });
+    return new Promise((resolve) => {
+        rl.question(message, (answer) => {
+            rl.close();
+            const num = parseInt(answer.trim(), 10);
+            if (isNaN(num) || num < 1 || num > max) {
+                resolve(-1);
+            }
+            else {
+                resolve(num);
+            }
+        });
+    });
+}
+async function setupProject() {
+    console.log("\n[askance] Setting up project...");
+    // Fetch existing projects
+    const projectsResult = await (0, api_client_1.apiGet)("/api/projects");
+    if (!projectsResult.ok || !projectsResult.data) {
+        console.log("  Could not fetch projects. You can link a project later via the dashboard.");
+        return;
+    }
+    const projects = projectsResult.data;
+    let selectedId = "";
+    let selectedName = "";
+    if (projects.length === 1) {
+        // Auto-select the only project
+        selectedId = projects[0].id;
+        selectedName = projects[0].name;
+        console.log(`  Found 1 existing project: ${selectedName}`);
+        console.log(`  Using project: ${selectedName} (${selectedId})`);
+    }
+    else if (projects.length > 1) {
+        // Prompt the user to select
+        console.log(`  Found ${projects.length} projects:`);
+        for (let i = 0; i < projects.length; i++) {
+            console.log(`    ${i + 1}. ${projects[i].name}`);
+        }
+        const choice = await promptSelection(`  Select a project (1-${projects.length}): `, projects.length);
+        if (choice < 1) {
+            console.log("  Invalid selection. You can link a project later via the dashboard.");
+            return;
+        }
+        selectedId = projects[choice - 1].id;
+        selectedName = projects[choice - 1].name;
+        console.log(`  Using project: ${selectedName} (${selectedId})`);
+    }
+    else {
+        // No projects — auto-create one
+        const git = detectGitInfo();
+        console.log(`  No projects found. Creating "${git.repoName}" from ${git.repoUrl ? "git remote" : "directory name"}...`);
+        const createResult = await (0, api_client_1.apiPost)("/api/projects", {
+            Name: git.repoName,
+            RepoUrl: git.repoUrl,
+            Branch: git.branch,
+        });
+        if (!createResult.ok) {
+            if (createResult.status === 402) {
+                console.log("\n  Your plan allows 1 project and you've reached the limit.");
+                console.log("  Upgrade at https://app.askance.app/settings");
+                console.log("  You're still logged in — link a project manually or upgrade first.");
+            }
+            else {
+                console.log(`  Failed to create project: ${createResult.error}`);
+                console.log("  You can create a project later via the dashboard.");
+            }
+            return;
+        }
+        if (!createResult.data) {
+            console.log("  Failed to create project. You can create one later via the dashboard.");
+            return;
+        }
+        selectedId = createResult.data.id;
+        selectedName = createResult.data.name;
+        console.log(`  Created project "${selectedName}"`);
+        console.log(`  Project ID: ${selectedId}`);
+    }
+    // Save project ID to .askance/config.json
+    const configPath = path_1.default.join(projectDir, ".askance", "config.json");
+    if (fs_1.default.existsSync(configPath)) {
+        try {
+            const cfg = JSON.parse(fs_1.default.readFileSync(configPath, "utf-8"));
+            cfg.projectId = selectedId;
+            fs_1.default.writeFileSync(configPath, JSON.stringify(cfg, null, 2) + "\n");
+        }
+        catch { }
+    }
+    // Also save to credentials for backward compatibility
+    const credPath = path_1.default.join(projectDir, ".askance", "credentials");
+    if (fs_1.default.existsSync(credPath)) {
+        try {
+            const creds = JSON.parse(fs_1.default.readFileSync(credPath, "utf-8"));
+            creds.project_id = selectedId;
+            fs_1.default.writeFileSync(credPath, JSON.stringify(creds, null, 2) + "\n", { mode: 0o600 });
+        }
+        catch { }
+    }
+    (0, api_client_1.clearConfigCache)();
+    console.log("  Project linked successfully.");
 }
 // ---------------------------------------------------------------------------
 // Login — opens browser for auth, saves JWT to .askance/credentials
@@ -382,13 +494,16 @@ async function login() {
                     project_id: pollResult.data.projectId ?? "",
                 };
                 fs_1.default.writeFileSync(path_1.default.join(askanceDir, "credentials"), JSON.stringify(credentials, null, 2) + "\n", { mode: 0o600 });
-                // Update .askance.yml project_id if we got one
+                // Update .askance/config.json project_id if we got one
                 if (pollResult.data.projectId) {
-                    const policyPath = path_1.default.join(projectDir, ".askance.yml");
-                    if (fs_1.default.existsSync(policyPath)) {
-                        let content = fs_1.default.readFileSync(policyPath, "utf-8");
-                        content = content.replace(/^project_id:\s*"?"?.*"?"?\s*$/m, `project_id: "${pollResult.data.projectId}"`);
-                        fs_1.default.writeFileSync(policyPath, content);
+                    const configPath = path_1.default.join(projectDir, ".askance", "config.json");
+                    if (fs_1.default.existsSync(configPath)) {
+                        try {
+                            const cfg = JSON.parse(fs_1.default.readFileSync(configPath, "utf-8"));
+                            cfg.projectId = pollResult.data.projectId;
+                            fs_1.default.writeFileSync(configPath, JSON.stringify(cfg, null, 2) + "\n");
+                        }
+                        catch { }
                     }
                 }
                 (0, api_client_1.clearConfigCache)();
@@ -397,6 +512,10 @@ async function login() {
                     console.log(`  Logged in as: ${pollResult.data.email}`);
                 }
                 console.log("  Credentials saved to .askance/credentials");
+                // If the server didn't provide a project_id, run interactive setup
+                if (!pollResult.data.projectId) {
+                    await setupProject();
+                }
                 return;
             }
             if (pollResult.data.status === "expired") {
@@ -408,8 +527,35 @@ async function login() {
     console.error("\n[askance] Login timed out. Please try again.");
     process.exit(1);
 }
-function template() {
-    const TEMPLATES = ["conservative", "moderate", "permissive", "ci-safe"];
+const TEMPLATE_RULES = {
+    conservative: [
+        { Name: "Allow read-only tools", ToolPattern: "^(Read|Glob|Grep|WebSearch|WebFetch)$", Action: "Allow", Risk: "Low" },
+        { Name: "Gate file writes", ToolPattern: "^(Edit|Write|NotebookEdit)$", Action: "Gate", Risk: "Medium" },
+        { Name: "Gate all bash commands", ToolPattern: "^Bash$", Action: "Gate", Risk: "Medium" },
+        { Name: "Deny destructive commands", ToolPattern: "^Bash$", CommandPattern: "(rm -rf|chmod 777|curl.*\\\\|.*bash)", Action: "Deny", Risk: "High" },
+        { Name: "Default — gate everything else", ToolPattern: ".*", Action: "Gate", Risk: "Low" },
+    ],
+    moderate: [
+        { Name: "Allow read-only tools", ToolPattern: "^(Read|Glob|Grep|WebSearch|WebFetch)$", Action: "Allow", Risk: "Low" },
+        { Name: "Allow safe bash commands", ToolPattern: "^Bash$", CommandPattern: "^(npm test|npm run lint|npm run build|git status|git diff|git log|ls)", Action: "Allow", Risk: "Low" },
+        { Name: "Gate file writes", ToolPattern: "^(Edit|Write|NotebookEdit)$", Action: "Gate", Risk: "Medium" },
+        { Name: "Gate package installs", ToolPattern: "^Bash$", CommandPattern: "(npm install|pip install|dotnet add)", Action: "Gate", Risk: "Medium" },
+        { Name: "Deny destructive commands", ToolPattern: "^Bash$", CommandPattern: "(rm -rf|chmod 777|curl.*\\\\|.*bash)", Action: "Deny", Risk: "High" },
+        { Name: "Default — gate everything else", ToolPattern: ".*", Action: "Gate", Risk: "Low" },
+    ],
+    permissive: [
+        { Name: "Deny destructive commands", ToolPattern: "^Bash$", CommandPattern: "(rm -rf|chmod 777|curl.*\\\\|.*bash)", Action: "Deny", Risk: "High" },
+        { Name: "Default — allow everything else", ToolPattern: ".*", Action: "Allow", Risk: "Low" },
+    ],
+    "ci-safe": [
+        { Name: "Allow read-only tools", ToolPattern: "^(Read|Glob|Grep)$", Action: "Allow", Risk: "Low" },
+        { Name: "Allow test and build commands", ToolPattern: "^Bash$", CommandPattern: "^(npm test|npm run lint|npm run build)", Action: "Allow", Risk: "Low" },
+        { Name: "Deny all bash", ToolPattern: "^Bash$", Action: "Deny", Risk: "High" },
+        { Name: "Default — deny everything else", ToolPattern: ".*", Action: "Deny", Risk: "Medium" },
+    ],
+};
+async function template() {
+    const TEMPLATES = Object.keys(TEMPLATE_RULES);
     const templateName = process.argv[3];
     if (!templateName) {
         console.log(`
@@ -417,7 +563,7 @@ function template() {
 
 Available templates:
   conservative   Gate writes and bash, deny destructive commands
-  moderate       Allow safe writes and bash, gate the rest
+  moderate       Allow safe writes and bash, gate the rest (default)
   permissive     Allow everything, deny only destructive commands
   ci-safe        Minimal permissions for CI/CD environments
 
@@ -434,26 +580,21 @@ Example:
         console.error(`[askance] Available templates: ${TEMPLATES.join(", ")}`);
         process.exit(1);
     }
-    // Templates are bundled alongside the compiled output
-    // In source: src/templates/<name>.yml
-    // In dist:   dist/templates/<name>.yml (copied by build)
-    // Also try source path for development
-    const distTemplatePath = path_1.default.join(pkgRoot, "dist", "templates", `${templateName}.yml`);
-    const srcTemplatePath = path_1.default.join(pkgRoot, "src", "templates", `${templateName}.yml`);
-    const templatePath = fs_1.default.existsSync(distTemplatePath) ? distTemplatePath : srcTemplatePath;
-    if (!fs_1.default.existsSync(templatePath)) {
-        console.error(`[askance] Template file not found at ${templatePath}`);
-        console.error("[askance] Try rebuilding: npm run build");
+    const config = (0, api_client_1.readConfig)();
+    if (!config.token || !config.projectId) {
+        console.error("[askance] You must be logged in and have a project linked.");
+        console.error("  Run: npx askance login");
         process.exit(1);
     }
-    const destPath = path_1.default.join(projectDir, ".askance.yml");
-    const templateContent = fs_1.default.readFileSync(templatePath, "utf-8");
-    if (fs_1.default.existsSync(destPath)) {
-        console.log(`[askance] Overwriting existing .askance.yml with "${templateName}" template`);
+    const rules = TEMPLATE_RULES[templateName];
+    console.log(`[askance] Applying "${templateName}" template (${rules.length} rules)...`);
+    const result = await (0, api_client_1.apiPost)(`/api/projects/${config.projectId}/rules`, rules);
+    if (!result.ok) {
+        console.error(`[askance] Failed to apply template: ${result.error}`);
+        process.exit(1);
     }
-    fs_1.default.writeFileSync(destPath, templateContent);
-    console.log(`[askance] Applied "${templateName}" template to .askance.yml`);
-    console.log("[askance] Restart your agent session to apply the new policy");
+    console.log(`[askance] Applied "${templateName}" template to project rules`);
+    console.log("[askance] Rules are active immediately — no restart needed");
 }
 function help() {
     console.log(`
@@ -464,7 +605,7 @@ Usage:
 
 Commands:
   init     Set up Askance in the current project
-           - Creates .askance.yml (policy rules)
+           - Creates .askance/config.json (settings)
            - Configures agent hooks and MCP servers
 
            Options:
@@ -477,7 +618,8 @@ Commands:
            - Opens browser for OAuth sign-in
            - Saves access token to .askance/credentials
 
-  template Apply a pre-built policy template
+  template Apply a pre-built policy template to your project
+           - Pushes rules to the Askance API (requires login)
            - Available: conservative, moderate, permissive, ci-safe
            - Usage: npx askance template <name>
 
@@ -497,19 +639,25 @@ Dashboard: https://app.askance.app
 Docs:      https://askance.app
 `);
 }
-switch (command) {
-    case "init":
-        init();
-        break;
-    case "login":
-        login();
-        break;
-    case "template":
-        template();
-        break;
-    case "help":
-    default:
-        help();
-        break;
+async function main() {
+    switch (command) {
+        case "init":
+            init();
+            break;
+        case "login":
+            await login();
+            break;
+        case "template":
+            await template();
+            break;
+        case "help":
+        default:
+            help();
+            break;
+    }
 }
+main().catch((err) => {
+    console.error("[askance] Error:", err.message);
+    process.exit(1);
+});
 //# sourceMappingURL=index.js.map

package/dist/common/api-client.js

@@ -15,23 +15,22 @@ const node_https_1 = __importDefault(require("node:https"));
 const node_http_1 = __importDefault(require("node:http"));
 const node_fs_1 = __importDefault(require("node:fs"));
 const node_path_1 = __importDefault(require("node:path"));
-const yaml_1 = require("yaml");
 let cachedConfig = null;
 function readConfig() {
     if (cachedConfig)
         return cachedConfig;
     const projectDir = process.env.ASKANCE_PROJECT_DIR ?? process.cwd();
-    // Read API URL from .askance.yml or env
+    // Read from .askance/config.json (primary) or env
     let apiUrl = process.env.ASKANCE_API_URL ?? "";
     let projectId = process.env.ASKANCE_PROJECT_ID ?? "";
-    const policyPath = node_path_1.default.join(projectDir, ".askance.yml");
-    if (node_fs_1.default.existsSync(policyPath)) {
+    const configPath = node_path_1.default.join(projectDir, ".askance", "config.json");
+    if (node_fs_1.default.existsSync(configPath)) {
         try {
-            const yml = (0, yaml_1.parse)(node_fs_1.default.readFileSync(policyPath, "utf-8"));
-            if (yml?.api_url && !apiUrl)
-                apiUrl = yml.api_url;
-            if (yml?.project_id && !projectId)
-                projectId = yml.project_id;
+            const cfg = JSON.parse(node_fs_1.default.readFileSync(configPath, "utf-8"));
+            if (cfg.apiUrl && !apiUrl)
+                apiUrl = cfg.apiUrl;
+            if (cfg.projectId && !projectId)
+                projectId = cfg.projectId;
         }
         catch { }
     }
@@ -170,13 +169,13 @@ function waitForInstruction(projectId, timeoutMs) {
 }
 function readKeepAliveConfig() {
     const projectDir = process.env.ASKANCE_PROJECT_DIR ?? process.cwd();
-    const policyPath = node_path_1.default.join(projectDir, ".askance.yml");
+    const configPath = node_path_1.default.join(projectDir, ".askance", "config.json");
     try {
-        const yml = (0, yaml_1.parse)(node_fs_1.default.readFileSync(policyPath, "utf-8"));
+        const cfg = JSON.parse(node_fs_1.default.readFileSync(configPath, "utf-8"));
         return {
-            enabled: yml?.keep_alive?.enabled ?? true,
-            duration: yml?.keep_alive?.duration ?? 3600,
-            poll_interval: yml?.keep_alive?.poll_interval ?? 30,
+            enabled: cfg.keepAlive?.enabled ?? true,
+            duration: cfg.keepAlive?.duration ?? 3600,
+            poll_interval: cfg.keepAlive?.pollInterval ?? 30,
         };
     }
     catch {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@askance/cli",
-  "version": "0.1.0",
+  "version": "0.2.1",
   "description": "Askance CLI — Tool call interception & approval management for AI coding agents",
   "license": "MIT",
   "homepage": "https://askance.app",
@@ -29,19 +29,17 @@
   },
   "files": [
     "dist/**/*.js",
-    "dist/templates/**",
     "!dist/daemon/**",
     "!dist/dashboard/**",
     "LICENSE",
     "README.md"
   ],
   "scripts": {
-    "build": "tsc && node -e \"const fs=require('fs');const path=require('path');function cpDir(s,d){fs.mkdirSync(d,{recursive:true});for(const f of fs.readdirSync(s)){const sp=path.join(s,f),dp=path.join(d,f);fs.statSync(sp).isDirectory()?cpDir(sp,dp):fs.copyFileSync(sp,dp)}}cpDir('src/templates','dist/templates')\""
+    "build": "tsc"
   },
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.26.0",
-    "uuid": "^11.1.0",
-    "yaml": "^2.6.1"
+    "uuid": "^11.1.0"
   },
   "devDependencies": {
     "@types/uuid": "^10.0.0",

package/dist/templates/ci-safe.yml

@@ -1,22 +0,0 @@
-version: 1
-
-api_url: https://api.askance.app
-project_id: ""
-
-keep_alive:
-  enabled: false
-  duration: 0
-  poll_interval: 0
-rules:
-  - name: "Allow read-only tools"
-    match: { tool: "^(Read|Glob|Grep)$" }
-    action: allow
-    risk: low
-  - name: "Allow test commands"
-    match: { tool: "^Bash$", command: "^(npm test|pytest|dotnet test|go test|cargo test)" }
-    action: allow
-    risk: low
-  - name: "Deny everything else"
-    match: { tool: ".*" }
-    action: deny
-    risk: high

package/dist/templates/conservative.yml

@@ -1,30 +0,0 @@
-version: 1
-
-api_url: https://api.askance.app
-project_id: ""
-
-keep_alive:
-  enabled: true
-  duration: 3600
-  poll_interval: 30
-rules:
-  - name: "Allow read-only tools"
-    match: { tool: "^(Read|Glob|Grep|WebSearch|WebFetch)$" }
-    action: allow
-    risk: low
-  - name: "Gate all writes"
-    match: { tool: "^(Write|Edit|NotebookEdit)$" }
-    action: gate
-    risk: medium
-  - name: "Gate bash commands"
-    match: { tool: "^Bash$" }
-    action: gate
-    risk: high
-  - name: "Deny destructive commands"
-    match: { tool: "^Bash$", command: "(rm -rf|drop table|format |shutdown|reboot)" }
-    action: deny
-    risk: high
-  - name: "Default - gate everything"
-    match: { tool: ".*" }
-    action: gate
-    risk: medium

package/dist/templates/copilot-config.json

@@ -1,11 +0,0 @@
-{
-  "copilot.agent": {
-    "hooks": {
-      "preToolUse": {
-        "command": "node",
-        "args": ["node_modules/@askance/cli/dist/hook-handler/index.js"],
-        "matchTools": [".*"]
-      }
-    }
-  }
-}

package/dist/templates/cursor-config.json

@@ -1,18 +0,0 @@
-{
-  "cursor.hooks": {
-    "preToolUse": {
-      "command": "node",
-      "args": ["node_modules/@askance/cli/dist/hook-handler/index.js"],
-      "matchTools": [".*"],
-      "excludeTools": ["mcp__askance__.*"]
-    }
-  },
-  "cursor.mcp": {
-    "servers": {
-      "askance": {
-        "command": "node",
-        "args": ["node_modules/@askance/cli/dist/mcp-server/index.js"]
-      }
-    }
-  }
-}

package/dist/templates/moderate.yml

@@ -1,34 +0,0 @@
-version: 1
-
-api_url: https://api.askance.app
-project_id: ""
-
-keep_alive:
-  enabled: true
-  duration: 3600
-  poll_interval: 30
-rules:
-  - name: "Allow read-only tools"
-    match: { tool: "^(Read|Glob|Grep|WebSearch|WebFetch)$" }
-    action: allow
-    risk: low
-  - name: "Allow safe writes"
-    match: { tool: "^(Write|Edit|NotebookEdit)$" }
-    action: allow
-    risk: low
-  - name: "Allow safe bash commands"
-    match: { tool: "^Bash$", command: "^(npm test|npm run |npx tsc|git status|git log|git diff|ls |cat |echo |pwd)" }
-    action: allow
-    risk: low
-  - name: "Gate other bash commands"
-    match: { tool: "^Bash$" }
-    action: gate
-    risk: medium
-  - name: "Deny destructive commands"
-    match: { tool: "^Bash$", command: "(rm -rf|drop table|format |shutdown|reboot|git push --force)" }
-    action: deny
-    risk: high
-  - name: "Default - gate everything"
-    match: { tool: ".*" }
-    action: gate
-    risk: low

package/dist/templates/permissive.yml

@@ -1,18 +0,0 @@
-version: 1
-
-api_url: https://api.askance.app
-project_id: ""
-
-keep_alive:
-  enabled: true
-  duration: 3600
-  poll_interval: 30
-rules:
-  - name: "Allow all tools"
-    match: { tool: ".*" }
-    action: allow
-    risk: low
-  - name: "Deny destructive commands"
-    match: { tool: "^Bash$", command: "(rm -rf /|drop database|format c:|shutdown|reboot|git push --force.*main)" }
-    action: deny
-    risk: high