@chainpatrol/cli 0.6.0 → 0.8.0

package/CHANGELOG.md

@@ -1,5 +1,34 @@
 # @chainpatrol/cli
 
+## 0.8.0
+
+### Minor Changes
+
+- 11d074f: Support non-interactive authentication via the `CHAINPATROL_API_KEY` env
+  var. When set, the CLI sends it as the `x-api-key` header on API calls and
+  skips the device-code login flow entirely. `chainpatrol login` reports
+  "already authenticated via env var" instead of polling, and
+  `chainpatrol logout` refuses to no-op (it tells you to unset the env var).
+  Stored Better Auth bearer credentials are still used as a fallback when
+  the env var is unset. Headless service accounts (e.g. agent42) should mint
+  a USER-type API key via `/staff/api-keys` and set
+  `CHAINPATROL_API_KEY=cp_live_…` in their deployment env.
+
+## 0.7.0
+
+### Minor Changes
+
+- c170343: Add `chainpatrol setup --cloud` flag that also installs a Claude Code
+  SessionStart hook at `~/.claude/hooks/chainpatrol-login.sh` and registers
+  it in `~/.claude/settings.json`. When the user has no chainpatrol
+  credentials, the hook emits SessionStart `additionalContext` so Claude
+  surfaces the device-code login URL on the first user turn — useful for
+  cloud Claude Code environments that can't run the interactive login from
+  a container startup script. The hook is a silent no-op once the user is
+  authenticated. Local installs (without `--cloud`) leave Claude Code
+  hooks untouched. `chainpatrol uninstall` always removes the hook if
+  present, without disturbing unrelated hooks or settings.
+
 ## 0.6.0
 
 ### Minor Changes

package/dist/{breakdown-AX6QNTQH.js → breakdown-DXSN7KUF.js}

@@ -4,8 +4,8 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-LLWKCA3H.js";
-import "./chunk-EEG7T6WT.js";
+} from "./chunk-F6D645LF.js";
+import "./chunk-EGWK6SRQ.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";
 

package/dist/{chunk-EEG7T6WT.js → chunk-EGWK6SRQ.js}

@@ -139,6 +139,7 @@ function clearCredentials() {
   }
 }
 function isLoggedIn() {
+  if (hasApiKeyEnv()) return true;
   try {
     getValidCredentials();
     return true;
@@ -146,6 +147,9 @@ function isLoggedIn() {
     return false;
   }
 }
+function hasApiKeyEnv() {
+  return Boolean(process.env.CHAINPATROL_API_KEY?.trim());
+}
 function getValidCredentials() {
   const creds = getCredentials();
   const expiresMs = new Date(creds.expiresAt).getTime();
@@ -280,6 +284,7 @@ export {
   storeCredentials,
   clearCredentials,
   isLoggedIn,
+  hasApiKeyEnv,
   getValidCredentials,
   fetchUserEmail,
   requestDeviceCode,

package/dist/{chunk-LLWKCA3H.js → chunk-F6D645LF.js}

@@ -1,6 +1,6 @@
 import {
   getValidCredentials
-} from "./chunk-EEG7T6WT.js";
+} from "./chunk-EGWK6SRQ.js";
 import {
   DateTime
 } from "./chunk-TFCNKBRC.js";
@@ -18,20 +18,32 @@ function parseIsoDate(value) {
   return dt.toJSDate();
 }
 var REQUEST_TIMEOUT_MS = 3e4;
+function defaultGetCredential() {
+  const envKey = process.env.CHAINPATROL_API_KEY;
+  if (envKey && envKey.trim().length > 0) {
+    return { kind: "api-key", value: envKey.trim() };
+  }
+  return { kind: "bearer", value: getValidCredentials().accessToken };
+}
 function createApiClient(options) {
   const config = getConfig();
   const apiUrl = options?.apiUrl ?? config.apiUrl;
-  const getToken = options?.getToken ?? (() => getValidCredentials().accessToken);
+  const getCredential = options?.getCredential ?? (options?.getToken ? () => ({ kind: "bearer", value: options.getToken() }) : defaultGetCredential);
   async function request(path, body) {
-    const token = getToken();
+    const credential = getCredential();
+    const headers = {
+      "Content-Type": "application/json"
+    };
+    if (credential.kind === "api-key") {
+      headers["x-api-key"] = credential.value;
+    } else {
+      headers["Authorization"] = `Bearer ${credential.value}`;
+    }
     let res;
     try {
       res = await fetch(`${apiUrl}/api/v2${path}`, {
         method: "POST",
-        headers: {
-          "Content-Type": "application/json",
-          Authorization: `Bearer ${token}`
-        },
+        headers,
         body: JSON.stringify(body),
         signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS)
       });

package/dist/{chunk-EBJMOX3Q.js → chunk-PZV55KAR.js}

@@ -1,17 +1,22 @@
 import {
   fetchUserEmail,
   getCredentials,
+  hasApiKeyEnv,
   isLoggedIn,
   pollForToken,
   requestDeviceCode,
   storeCredentials
-} from "./chunk-EEG7T6WT.js";
+} from "./chunk-EGWK6SRQ.js";
 import {
   DateTime
 } from "./chunk-TFCNKBRC.js";
 
 // src/lib/login-flow.ts
 async function runLoginFlow(emit) {
+  if (hasApiKeyEnv()) {
+    emit({ type: "already_logged_in", email: null });
+    return true;
+  }
   if (isLoggedIn()) {
     const creds = getCredentials();
     emit({ type: "already_logged_in", email: creds.email ?? null });

package/dist/{chunk-AGXMZFUU.js → chunk-XIHOCIYM.js}

@@ -8,7 +8,7 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-LLWKCA3H.js";
+} from "./chunk-F6D645LF.js";
 import {
   DateTime
 } from "./chunk-TFCNKBRC.js";

package/dist/{chunk-XOXQPUR6.js → chunk-ZN3VMRWG.js}

@@ -4,13 +4,125 @@ import {
 } from "./chunk-IUZB3DQW.js";
 
 // src/commands/setup-skill.ts
-import { mkdirSync, writeFileSync, existsSync, readFileSync as readFileSync2, rmSync } from "fs";
-import { join } from "path";
+import { mkdirSync as mkdirSync2, writeFileSync as writeFileSync2, existsSync as existsSync2, readFileSync as readFileSync3, rmSync } from "fs";
+import { join as join2 } from "path";
+import { homedir as homedir2 } from "os";
+
+// src/commands/login-hook.ts
+import { mkdirSync, writeFileSync, readFileSync, existsSync, unlinkSync } from "fs";
 import { homedir } from "os";
+import { join, dirname } from "path";
+var CLAUDE_DIR = join(homedir(), ".claude");
+var HOOK_DIR = join(CLAUDE_DIR, "hooks");
+var HOOK_FILE = join(HOOK_DIR, "chainpatrol-login.sh");
+var SETTINGS_FILE = join(CLAUDE_DIR, "settings.json");
+var HOOK_SCRIPT = `#!/bin/bash
+# chainpatrol auto-login hook \u2014 installed by \`chainpatrol setup\`.
+# On Claude Code session start, if the user has no chainpatrol credentials,
+# emit additionalContext so Claude surfaces the device-code login URL on
+# the first user turn. Safe to run repeatedly: no-ops once authenticated.
+set -uo pipefail
+
+CONFIG_DIR="\${CHAINPATROL_CONFIG_DIR:-$HOME/.chainpatrol}"
+if [ -s "$CONFIG_DIR/credentials.json" ]; then
+  exit 0
+fi
+
+# Only nudge when the CLI is reachable \u2014 otherwise we'd ask Claude to run
+# a command that isn't installed.
+if ! command -v chainpatrol >/dev/null 2>&1 \\
+   && [ ! -x /usr/local/bin/chainpatrol ] \\
+   && ! ls /opt/node*/bin/chainpatrol >/dev/null 2>&1; then
+  exit 0
+fi
+
+cat <<'JSON'
+{"hookSpecificOutput":{"hookEventName":"SessionStart","additionalContext":"chainpatrol auto-login: the user is not authenticated with ChainPatrol (no credentials.json found). If the user's task involves ChainPatrol or the chainpatrol CLI, start \`chainpatrol login\` in the background per the /chainpatrol skill's headless runbook (background + tail /tmp/cp-login.out) and surface the verification URL before doing anything else. If the user's task is unrelated, ignore this notice."}}
+JSON
+exit 0
+`;
+function installLoginHook() {
+  mkdirSync(HOOK_DIR, { recursive: true });
+  const hookWritten = !existsSync(HOOK_FILE) || readFileSync(HOOK_FILE, "utf-8") !== HOOK_SCRIPT;
+  if (hookWritten) {
+    writeFileSync(HOOK_FILE, HOOK_SCRIPT, { mode: 493 });
+  }
+  const settingsUpdated = registerHookInSettings();
+  return {
+    hookPath: HOOK_FILE,
+    hookWritten,
+    settingsPath: SETTINGS_FILE,
+    settingsUpdated
+  };
+}
+function uninstallLoginHook() {
+  let hookRemoved = false;
+  if (existsSync(HOOK_FILE)) {
+    unlinkSync(HOOK_FILE);
+    hookRemoved = true;
+  }
+  const settingsUpdated = unregisterHookFromSettings();
+  return { hookRemoved, settingsUpdated };
+}
+function readSettings() {
+  if (!existsSync(SETTINGS_FILE)) return {};
+  const raw = readFileSync(SETTINGS_FILE, "utf-8");
+  if (raw.trim() === "") return {};
+  return JSON.parse(raw);
+}
+function writeSettings(settings) {
+  mkdirSync(dirname(SETTINGS_FILE), { recursive: true });
+  writeFileSync(SETTINGS_FILE, JSON.stringify(settings, null, 2) + "\n", {
+    mode: 420
+  });
+}
+function hasHookEntry(settings) {
+  const matchers = settings.hooks?.SessionStart;
+  if (!Array.isArray(matchers)) return false;
+  return matchers.some(
+    (matcher) => Array.isArray(matcher?.hooks) && matcher.hooks.some((h) => h?.command === HOOK_FILE)
+  );
+}
+function registerHookInSettings() {
+  const settings = readSettings();
+  if (hasHookEntry(settings)) return false;
+  const hooks = settings.hooks ??= {};
+  const sessionStart = hooks.SessionStart ??= [];
+  sessionStart.push({
+    hooks: [{ type: "command", command: HOOK_FILE }]
+  });
+  writeSettings(settings);
+  return true;
+}
+function unregisterHookFromSettings() {
+  if (!existsSync(SETTINGS_FILE)) return false;
+  const settings = readSettings();
+  const sessionStart = settings.hooks?.SessionStart;
+  if (!Array.isArray(sessionStart)) return false;
+  let changed = false;
+  const filtered = sessionStart.map((matcher) => {
+    if (!Array.isArray(matcher?.hooks)) return matcher;
+    const remaining = matcher.hooks.filter((h) => h?.command !== HOOK_FILE);
+    if (remaining.length === matcher.hooks.length) return matcher;
+    changed = true;
+    return remaining.length > 0 ? { ...matcher, hooks: remaining } : null;
+  }).filter((m) => m !== null);
+  if (!changed) return false;
+  if (filtered.length === 0) {
+    delete settings.hooks.SessionStart;
+    if (Object.keys(settings.hooks).length === 0) {
+      delete settings.hooks;
+    }
+  } else {
+    settings.hooks.SessionStart = filtered;
+  }
+  writeSettings(settings);
+  return true;
+}
 
 // src/lib/version.ts
-import { readFileSync } from "fs";
-import { dirname, resolve } from "path";
+import { readFileSync as readFileSync2 } from "fs";
+import { dirname as dirname2, resolve } from "path";
 import { fileURLToPath } from "url";
 var PACKAGE_NAME = "@chainpatrol/cli";
 var cached;
@@ -21,7 +133,7 @@ function getCliVersion() {
 }
 function resolveCliVersion() {
   try {
-    const here = dirname(fileURLToPath(import.meta.url));
+    const here = dirname2(fileURLToPath(import.meta.url));
     const candidates = [
       resolve(here, "..", "package.json"),
       resolve(here, "..", "..", "package.json")
@@ -36,7 +148,7 @@ function resolveCliVersion() {
 }
 function tryReadVersion(path) {
   try {
-    const raw = readFileSync(path, "utf-8");
+    const raw = readFileSync2(path, "utf-8");
     const pkg = JSON.parse(raw);
     if (pkg.name === PACKAGE_NAME && typeof pkg.version === "string") {
       return pkg.version;
@@ -66,8 +178,8 @@ function compareVersions(a, b) {
 }
 
 // src/commands/setup-skill.ts
-var SKILL_DIR = join(homedir(), ".claude", "skills", "chainpatrol");
-var SKILL_FILE = join(SKILL_DIR, "SKILL.md");
+var SKILL_DIR = join2(homedir2(), ".claude", "skills", "chainpatrol");
+var SKILL_FILE = join2(SKILL_DIR, "SKILL.md");
 function buildSkillContent(version) {
   return `---
 name: chainpatrol
@@ -971,16 +1083,16 @@ function getBundledSkillContent() {
   return buildSkillContent(getCliVersion());
 }
 function readInstalledSkillVersion() {
-  if (!existsSync(SKILL_FILE)) return void 0;
+  if (!existsSync2(SKILL_FILE)) return void 0;
   try {
-    const raw = readFileSync2(SKILL_FILE, "utf-8");
+    const raw = readFileSync3(SKILL_FILE, "utf-8");
     return parseSkillVersion(raw);
   } catch {
     return void 0;
   }
 }
 function isSkillInstalled() {
-  return existsSync(SKILL_FILE);
+  return existsSync2(SKILL_FILE);
 }
 function parseSkillVersion(content) {
   const fmMatch = content.match(/^---\r?\n([\s\S]*?)\r?\n---/);
@@ -1001,66 +1113,94 @@ var LOGO = `
 `;
 function setupSkill(options) {
   const skillContent = buildSkillContent(getCliVersion());
-  const alreadyExists = existsSync(SKILL_FILE);
-  if (alreadyExists) {
-    const existing = readFileSync2(SKILL_FILE, "utf-8");
-    if (existing === skillContent) {
-      if (options.json) {
-        console.log(JSON.stringify({ status: "up-to-date", path: SKILL_FILE }));
-      } else {
-        console.log("Claude Code skill is already up to date.");
-      }
-      return;
-    }
+  const skillAlreadyExists = existsSync2(SKILL_FILE);
+  const skillUpToDate = skillAlreadyExists && readFileSync3(SKILL_FILE, "utf-8") === skillContent;
+  let skillStatus;
+  if (!skillAlreadyExists) {
+    mkdirSync2(SKILL_DIR, { recursive: true });
+    writeFileSync2(SKILL_FILE, skillContent, { mode: 420 });
+    skillStatus = "installed";
+  } else if (!skillUpToDate) {
+    writeFileSync2(SKILL_FILE, skillContent, { mode: 420 });
+    skillStatus = "updated";
+  } else {
+    skillStatus = "up-to-date";
   }
-  mkdirSync(SKILL_DIR, { recursive: true });
-  writeFileSync(SKILL_FILE, skillContent, { mode: 420 });
   const completionResult = installCompletions();
+  const loginHookResult = options.cloud ? installLoginHook() : null;
+  const completionsChanged = completionResult.installed || completionResult.configuredShellRc;
+  const loginHookChanged = loginHookResult != null && (loginHookResult.hookWritten || loginHookResult.settingsUpdated);
+  const overallStatus = skillStatus !== "up-to-date" ? skillStatus : completionsChanged || loginHookChanged ? "updated" : "up-to-date";
   if (options.json) {
     console.log(
       JSON.stringify({
-        status: alreadyExists ? "updated" : "installed",
+        status: overallStatus,
         path: SKILL_FILE,
-        completions: completionResult
+        skill: { status: skillStatus, path: SKILL_FILE },
+        completions: completionResult,
+        loginHook: loginHookResult
       })
     );
-  } else {
-    console.log(LOGO);
+    return;
+  }
+  if (overallStatus === "up-to-date") {
+    console.log("Claude Code skill, completions, and login hook are already up to date.");
+    return;
+  }
+  console.log(LOGO);
+  if (skillStatus === "installed") {
+    console.log(`Installed Claude Code skill at ${SKILL_FILE}`);
+  } else if (skillStatus === "updated") {
+    console.log(`Updated Claude Code skill at ${SKILL_FILE}`);
+  }
+  console.log("You can now use /chainpatrol in Claude Code from any project.");
+  if (loginHookChanged && loginHookResult) {
+    console.log(`Installed auto-login hook at ${loginHookResult.hookPath}`);
+    if (loginHookResult.settingsUpdated) {
+      console.log(`Registered SessionStart hook in ${loginHookResult.settingsPath}`);
+    }
+  }
+  if (completionResult.installed) {
     console.log(
-      alreadyExists ? `Updated Claude Code skill at ${SKILL_FILE}` : `Installed Claude Code skill at ${SKILL_FILE}`
+      `Installed ${completionResult.shell} completions at ${completionResult.path}`
     );
-    console.log("You can now use /chainpatrol in Claude Code from any project.");
-    if (completionResult.installed) {
-      console.log(
-        `Installed ${completionResult.shell} completions at ${completionResult.path}`
-      );
-      if (completionResult.configuredShellRc) {
-        console.log("Added completion config to ~/.zshrc");
-      }
-      console.log('Run "exec zsh" or open a new terminal to enable tab completion.');
+    if (completionResult.configuredShellRc) {
+      console.log("Added completion config to ~/.zshrc");
     }
+    console.log('Run "exec zsh" or open a new terminal to enable tab completion.');
   }
 }
 function uninstallSkill(options) {
-  if (!existsSync(SKILL_FILE)) {
-    if (options.json) {
-      console.log(JSON.stringify({ status: "not-installed" }));
-    } else {
-      console.log("Claude Code skill is not installed.");
-    }
-    return;
+  const skillInstalled = existsSync2(SKILL_FILE);
+  if (skillInstalled) {
+    rmSync(SKILL_DIR, { recursive: true });
   }
-  rmSync(SKILL_DIR, { recursive: true });
   const removedCompletions = uninstallCompletions();
+  const loginHookResult = uninstallLoginHook();
+  const removedAnything = skillInstalled || removedCompletions || loginHookResult.hookRemoved || loginHookResult.settingsUpdated;
   if (options.json) {
     console.log(
-      JSON.stringify({ status: "uninstalled", path: SKILL_FILE, removedCompletions })
+      JSON.stringify({
+        status: removedAnything ? "uninstalled" : "not-installed",
+        path: SKILL_FILE,
+        removedCompletions,
+        loginHook: loginHookResult
+      })
     );
-  } else {
+    return;
+  }
+  if (!removedAnything) {
+    console.log("Claude Code skill is not installed.");
+    return;
+  }
+  if (skillInstalled) {
     console.log("Removed Claude Code skill from " + SKILL_DIR);
-    if (removedCompletions) {
-      console.log("Removed shell completions.");
-    }
+  }
+  if (loginHookResult.hookRemoved || loginHookResult.settingsUpdated) {
+    console.log("Removed chainpatrol auto-login hook.");
+  }
+  if (removedCompletions) {
+    console.log("Removed shell completions.");
   }
 }
 

package/dist/cli.js

@@ -13,7 +13,7 @@ import {
   getCliVersion,
   isSkillInstalled,
   readInstalledSkillVersion
-} from "./chunk-XOXQPUR6.js";
+} from "./chunk-ZN3VMRWG.js";
 import "./chunk-IUZB3DQW.js";
 import {
   DateTime
@@ -354,7 +354,10 @@ var HELP = {
   },
   setup: {
     description: "Install Claude Code skill and shell completions.",
-    usage: "chainpatrol setup"
+    usage: "chainpatrol setup [--cloud]",
+    options: [
+      "--cloud              Also install a SessionStart hook that surfaces the device-code login URL when the user is not authenticated. Intended for Claude Code cloud / headless environments; omit for local installs."
+    ]
   },
   uninstall: {
     description: "Remove Claude Code skill and shell completions.",
@@ -651,7 +654,8 @@ ${getTopLevelHelp()}
     version: { type: "boolean", shortFlag: "V" },
     quiet: { type: "boolean", default: false, shortFlag: "q" },
     noInput: { type: "boolean", default: false },
-    noColor: { type: "boolean", default: false }
+    noColor: { type: "boolean", default: false },
+    cloud: { type: "boolean", default: false }
   }
 });
 var [command, subcommand, action] = cli.input;
@@ -750,12 +754,12 @@ function parseAttachmentUrls() {
 }
 async function handleConfigsList(org) {
   if (jsonMode) {
-    const { listConfigsJson } = await import("./list-json-LEKCCWQU.js");
+    const { listConfigsJson } = await import("./list-json-DWHMAA6S.js");
     await listConfigsJson({ org });
     return;
   }
   const { render } = await import("ink");
-  const { default: ConfigsList } = await import("./list-5ENZAOFL.js");
+  const { default: ConfigsList } = await import("./list-6ELSECNR.js");
   const { default: React } = await import("react");
   render(React.createElement(ConfigsList, { org }));
 }
@@ -810,14 +814,14 @@ async function main() {
         );
       }
       if (jsonMode) {
-        const { loginJson } = await import("./login-json-XGMXT5VJ.js");
+        const { loginJson } = await import("./login-json-MPLXCSP4.js");
         await loginJson();
       } else if (!process.stdout.isTTY) {
-        const { loginPlain } = await import("./login-plain-CWKOUZKE.js");
+        const { loginPlain } = await import("./login-plain-NIJDS3D2.js");
         await loginPlain();
       } else {
         const { render } = await import("ink");
-        const { default: Login } = await import("./login-C66GRR3Y.js");
+        const { default: Login } = await import("./login-AMEXCOGT.js");
         const { default: React } = await import("react");
         render(React.createElement(Login));
       }
@@ -825,11 +829,11 @@ async function main() {
     }
     case "logout": {
       if (jsonMode) {
-        const { logoutJson } = await import("./logout-json-4GIJZJ46.js");
+        const { logoutJson } = await import("./logout-json-ACXBI6PN.js");
         await logoutJson();
       } else {
         const { render } = await import("ink");
-        const { default: Logout } = await import("./logout-LA7VEKON.js");
+        const { default: Logout } = await import("./logout-T6Q4IVPU.js");
         const { default: React } = await import("react");
         render(React.createElement(Logout));
       }
@@ -853,7 +857,7 @@ async function main() {
     case "detections": {
       const org = await resolveOrg();
       if (subcommand === "healthcheck") {
-        const { runDetectionsHealthcheck } = await import("./healthcheck-AQUXVKAO.js");
+        const { runDetectionsHealthcheck } = await import("./healthcheck-XTQN64DB.js");
         await runDetectionsHealthcheck({
           org,
           source: cli.flags.source,
@@ -868,7 +872,7 @@ async function main() {
         break;
       }
       if (subcommand === "validate") {
-        const { runDetectionsValidate } = await import("./validate-27RUCN7R.js");
+        const { runDetectionsValidate } = await import("./validate-RI7YKHKH.js");
         await runDetectionsValidate({
           org,
           source: cli.flags.source,
@@ -883,7 +887,7 @@ async function main() {
         break;
       }
       if (subcommand === "drift") {
-        const { runDetectionsDrift } = await import("./drift-VOKQJ36G.js");
+        const { runDetectionsDrift } = await import("./drift-WJD2Z5ZB.js");
         await runDetectionsDrift({
           org,
           source: cli.flags.source,
@@ -897,7 +901,7 @@ async function main() {
         break;
       }
       if (subcommand === "run") {
-        const { runDetectionsRun } = await import("./run-OT2X46GT.js");
+        const { runDetectionsRun } = await import("./run-4S244KUM.js");
         await runDetectionsRun({
           org,
           configId: cli.flags.configId,
@@ -916,7 +920,7 @@ async function main() {
           break;
         }
         if (action === "run") {
-          const { runDetectionsRun } = await import("./run-OT2X46GT.js");
+          const { runDetectionsRun } = await import("./run-4S244KUM.js");
           await runDetectionsRun({
             org,
             configId: cli.flags.configId,
@@ -934,7 +938,7 @@ async function main() {
             throw new Error("detections configs update requires --config-id");
           }
           const configPatch = getConfigPatchFromSetFlags();
-          const { runDetectionsConfigsUpdate } = await import("./configs-update-VROBC2HI.js");
+          const { runDetectionsConfigsUpdate } = await import("./configs-update-BBENU2PG.js");
           await runDetectionsConfigsUpdate({
             org,
             configId: cli.flags.configId,
@@ -961,7 +965,7 @@ async function main() {
     case "metrics": {
       const org = await resolveOrg();
       if (subcommand === "summary") {
-        const { runMetricsSummary } = await import("./summary-JOCABBCO.js");
+        const { runMetricsSummary } = await import("./summary-JYDAPBYX.js");
         await runMetricsSummary({
           org,
           from: cli.flags.from,
@@ -973,7 +977,7 @@ async function main() {
         break;
       }
       if (subcommand === "found") {
-        const { runMetricsFound } = await import("./found-A5HRTJCJ.js");
+        const { runMetricsFound } = await import("./found-4UY3IC5T.js");
         await runMetricsFound({
           org,
           from: cli.flags.from,
@@ -990,7 +994,7 @@ async function main() {
         if (!by || !["day", "type", "brand"].includes(by)) {
           throw new Error("metrics breakdown requires --by <day|type|brand>");
         }
-        const { runMetricsBreakdown } = await import("./breakdown-AX6QNTQH.js");
+        const { runMetricsBreakdown } = await import("./breakdown-DXSN7KUF.js");
         await runMetricsBreakdown({
           org,
           by,
@@ -1010,7 +1014,7 @@ async function main() {
     case "reports": {
       if (subcommand === "list") {
         const org = await resolveOrg();
-        const { runReportsList } = await import("./list-CVFXTKNX.js");
+        const { runReportsList } = await import("./list-BVUG6RUF.js");
         await runReportsList({
           org,
           limit: cli.flags.limit,
@@ -1026,7 +1030,7 @@ async function main() {
       }
       if (subcommand === "create") {
         const org = await tryResolveOrg();
-        const { runReportsCreate } = await import("./create-XTCUNT2C.js");
+        const { runReportsCreate } = await import("./create-SXPAFMPT.js");
         await runReportsCreate({
           org,
           title: cli.flags.title,
@@ -1050,7 +1054,7 @@ async function main() {
     }
     case "queues": {
       if (subcommand === "snapshot") {
-        const { runQueuesSnapshot } = await import("./snapshot-4QR4I67P.js");
+        const { runQueuesSnapshot } = await import("./snapshot-MEOOARL3.js");
         await runQueuesSnapshot({
           org: cli.flags.org,
           all: cli.flags.all,
@@ -1068,7 +1072,7 @@ async function main() {
     }
     case "orgs": {
       if (subcommand === "list") {
-        const { runOrgsList } = await import("./list-CGRHTFAS.js");
+        const { runOrgsList } = await import("./list-IJS66PYW.js");
         await runOrgsList({
           query: cli.flags.query,
           subscriptionStatus: cli.flags.subscriptionStatus,
@@ -1088,7 +1092,7 @@ async function main() {
     }
     case "healthchecks": {
       if (subcommand === "list") {
-        const { runHealthchecksList } = await import("./list-PLZ67PNY.js");
+        const { runHealthchecksList } = await import("./list-2PBVBN5K.js");
         await runHealthchecksList({
           json: jsonMode,
           outputFormat: cliContext.outputFormat
@@ -1102,7 +1106,7 @@ async function main() {
           thresholds.minResults = cli.flags.minResults;
         if (cli.flags.lookbackHours !== void 0)
           thresholds.lookbackHours = cli.flags.lookbackHours;
-        const { runHealthchecksRun } = await import("./run-MS5SA5YL.js");
+        const { runHealthchecksRun } = await import("./run-M25F7TWI.js");
         await runHealthchecksRun({
           org,
           id: action,
@@ -1120,7 +1124,7 @@ async function main() {
     }
     case "presets": {
       if (subcommand === "list") {
-        const { runPresetsList } = await import("./list-EYRN5JYC.js");
+        const { runPresetsList } = await import("./list-BGI7IZ55.js");
         await runPresetsList({ outputFormat: cliContext.outputFormat });
         break;
       }
@@ -1131,7 +1135,7 @@ async function main() {
           );
         }
         const org = await resolveOrg();
-        const { runPresetsRun } = await import("./run-YHDUUP66.js");
+        const { runPresetsRun } = await import("./run-3W7LSPX2.js");
         await runPresetsRun({
           presetId: action,
           org,
@@ -1148,12 +1152,12 @@ async function main() {
     case "setup":
     case "install":
     case "i": {
-      const { setupSkill } = await import("./setup-skill-BTR2IZ4E.js");
-      setupSkill({ json: jsonMode });
+      const { setupSkill } = await import("./setup-skill-J7PZYVCE.js");
+      setupSkill({ json: jsonMode, cloud: cli.flags.cloud });
       break;
     }
     case "uninstall": {
-      const { uninstallSkill } = await import("./setup-skill-BTR2IZ4E.js");
+      const { uninstallSkill } = await import("./setup-skill-J7PZYVCE.js");
       uninstallSkill({ json: jsonMode });
       break;
     }

package/dist/{configs-update-VROBC2HI.js → configs-update-BBENU2PG.js}

@@ -7,8 +7,8 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-LLWKCA3H.js";
-import "./chunk-EEG7T6WT.js";
+} from "./chunk-F6D645LF.js";
+import "./chunk-EGWK6SRQ.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";
 

package/dist/{create-XTCUNT2C.js → create-SXPAFMPT.js}

@@ -8,8 +8,8 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-LLWKCA3H.js";
-import "./chunk-EEG7T6WT.js";
+} from "./chunk-F6D645LF.js";
+import "./chunk-EGWK6SRQ.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";
 

package/dist/{drift-VOKQJ36G.js → drift-WJD2Z5ZB.js}

@@ -8,8 +8,8 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-LLWKCA3H.js";
-import "./chunk-EEG7T6WT.js";
+} from "./chunk-F6D645LF.js";
+import "./chunk-EGWK6SRQ.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";
 

package/dist/{found-A5HRTJCJ.js → found-4UY3IC5T.js}

@@ -4,8 +4,8 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-LLWKCA3H.js";
-import "./chunk-EEG7T6WT.js";
+} from "./chunk-F6D645LF.js";
+import "./chunk-EGWK6SRQ.js";
 import {
   DateTime
 } from "./chunk-TFCNKBRC.js";

package/dist/{healthcheck-AQUXVKAO.js → healthcheck-XTQN64DB.js}

@@ -8,8 +8,8 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-LLWKCA3H.js";
-import "./chunk-EEG7T6WT.js";
+} from "./chunk-F6D645LF.js";
+import "./chunk-EGWK6SRQ.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";
 

package/dist/{list-PLZ67PNY.js → list-2PBVBN5K.js}

@@ -4,8 +4,8 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-LLWKCA3H.js";
-import "./chunk-EEG7T6WT.js";
+} from "./chunk-F6D645LF.js";
+import "./chunk-EGWK6SRQ.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";
 

package/dist/{list-5ENZAOFL.js → list-6ELSECNR.js}

@@ -4,12 +4,12 @@ import {
 } from "./chunk-JCMWDZYY.js";
 import {
   createApiClient
-} from "./chunk-LLWKCA3H.js";
+} from "./chunk-F6D645LF.js";
 import {
   AuthCorruptedError,
   AuthExpiredError,
   AuthNotLoggedInError
-} from "./chunk-EEG7T6WT.js";
+} from "./chunk-EGWK6SRQ.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";
 

package/dist/{list-EYRN5JYC.js → list-BGI7IZ55.js}

@@ -1,13 +1,13 @@
 import {
   PRESETS
-} from "./chunk-AGXMZFUU.js";
+} from "./chunk-XIHOCIYM.js";
 import "./chunk-E2LAMILJ.js";
 import {
   printOutput,
   toCsvRows
 } from "./chunk-VFT3TD3E.js";
-import "./chunk-LLWKCA3H.js";
-import "./chunk-EEG7T6WT.js";
+import "./chunk-F6D645LF.js";
+import "./chunk-EGWK6SRQ.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";
 

package/dist/{list-CVFXTKNX.js → list-BVUG6RUF.js}

@@ -8,8 +8,8 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-LLWKCA3H.js";
-import "./chunk-EEG7T6WT.js";
+} from "./chunk-F6D645LF.js";
+import "./chunk-EGWK6SRQ.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";
 

package/dist/{list-CGRHTFAS.js → list-IJS66PYW.js}

@@ -8,8 +8,8 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-LLWKCA3H.js";
-import "./chunk-EEG7T6WT.js";
+} from "./chunk-F6D645LF.js";
+import "./chunk-EGWK6SRQ.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";
 

package/dist/{list-json-LEKCCWQU.js → list-json-DWHMAA6S.js}

@@ -1,7 +1,7 @@
 import {
   createApiClient
-} from "./chunk-LLWKCA3H.js";
-import "./chunk-EEG7T6WT.js";
+} from "./chunk-F6D645LF.js";
+import "./chunk-EGWK6SRQ.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";
 

package/dist/{login-C66GRR3Y.js → login-AMEXCOGT.js}

@@ -5,15 +5,16 @@ import {
 import {
   formatUserCode,
   isHeadlessEnv
-} from "./chunk-EBJMOX3Q.js";
+} from "./chunk-PZV55KAR.js";
 import {
   fetchUserEmail,
   getCredentials,
+  hasApiKeyEnv,
   isLoggedIn,
   pollForToken,
   requestDeviceCode,
   storeCredentials
-} from "./chunk-EEG7T6WT.js";
+} from "./chunk-EGWK6SRQ.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";
 
@@ -26,6 +27,14 @@ function Login() {
   const { exit } = useApp();
   const [state, setState] = useState({ phase: "checking" });
   useEffect(() => {
+    if (hasApiKeyEnv()) {
+      setState({
+        phase: "already-logged-in",
+        email: "(authenticated via CHAINPATROL_API_KEY)"
+      });
+      setTimeout(() => exit(), 100);
+      return;
+    }
     if (isLoggedIn()) {
       const creds = getCredentials();
       if (creds.email) {

package/dist/{login-json-XGMXT5VJ.js → login-json-MPLXCSP4.js}

@@ -1,8 +1,8 @@
 import {
   isHeadlessEnv,
   runLoginFlow
-} from "./chunk-EBJMOX3Q.js";
-import "./chunk-EEG7T6WT.js";
+} from "./chunk-PZV55KAR.js";
+import "./chunk-EGWK6SRQ.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";
 

package/dist/{login-plain-CWKOUZKE.js → login-plain-NIJDS3D2.js}

@@ -2,8 +2,8 @@ import {
   formatUserCode,
   isHeadlessEnv,
   runLoginFlow
-} from "./chunk-EBJMOX3Q.js";
-import "./chunk-EEG7T6WT.js";
+} from "./chunk-PZV55KAR.js";
+import "./chunk-EGWK6SRQ.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";
 

package/dist/{logout-LA7VEKON.js → logout-T6Q4IVPU.js}

@@ -1,7 +1,8 @@
 import {
   clearCredentials,
+  hasApiKeyEnv,
   isLoggedIn
-} from "./chunk-EEG7T6WT.js";
+} from "./chunk-EGWK6SRQ.js";
 import "./chunk-U73SABXK.js";
 
 // src/commands/logout.tsx
@@ -9,6 +10,14 @@ import { Text, useApp } from "ink";
 import { jsx, jsxs } from "react/jsx-runtime";
 function Logout() {
   const { exit } = useApp();
+  if (hasApiKeyEnv()) {
+    setTimeout(() => exit(), 100);
+    return /* @__PURE__ */ jsxs(Text, { children: [
+      "Authenticated via ",
+      /* @__PURE__ */ jsx(Text, { bold: true, children: "CHAINPATROL_API_KEY" }),
+      "; unset the env var to log out."
+    ] });
+  }
   if (!isLoggedIn()) {
     setTimeout(() => exit(), 100);
     return /* @__PURE__ */ jsx(Text, { children: "Not currently logged in." });

package/dist/{logout-json-4GIJZJ46.js → logout-json-ACXBI6PN.js}

@@ -1,11 +1,21 @@
 import {
   clearCredentials,
+  hasApiKeyEnv,
   isLoggedIn
-} from "./chunk-EEG7T6WT.js";
+} from "./chunk-EGWK6SRQ.js";
 import "./chunk-U73SABXK.js";
 
 // src/commands/logout-json.ts
 async function logoutJson() {
+  if (hasApiKeyEnv()) {
+    console.log(
+      JSON.stringify({
+        status: "api_key_env_active",
+        message: "Authenticated via CHAINPATROL_API_KEY; unset the env var to log out."
+      })
+    );
+    return;
+  }
   if (!isLoggedIn()) {
     console.log(JSON.stringify({ status: "not_logged_in" }));
     return;

package/dist/{run-YHDUUP66.js → run-3W7LSPX2.js}

@@ -1,14 +1,14 @@
 import {
   getPresetDefinition,
   runPreset
-} from "./chunk-AGXMZFUU.js";
+} from "./chunk-XIHOCIYM.js";
 import {
   CliExitError,
   ExitCode
 } from "./chunk-E2LAMILJ.js";
 import "./chunk-VFT3TD3E.js";
-import "./chunk-LLWKCA3H.js";
-import "./chunk-EEG7T6WT.js";
+import "./chunk-F6D645LF.js";
+import "./chunk-EGWK6SRQ.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";
 

package/dist/{run-OT2X46GT.js → run-4S244KUM.js}

@@ -8,8 +8,8 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-LLWKCA3H.js";
-import "./chunk-EEG7T6WT.js";
+} from "./chunk-F6D645LF.js";
+import "./chunk-EGWK6SRQ.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";
 

package/dist/{run-MS5SA5YL.js → run-M25F7TWI.js}

@@ -8,8 +8,8 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-LLWKCA3H.js";
-import "./chunk-EEG7T6WT.js";
+} from "./chunk-F6D645LF.js";
+import "./chunk-EGWK6SRQ.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";
 

package/dist/{setup-skill-BTR2IZ4E.js → setup-skill-J7PZYVCE.js}

@@ -6,7 +6,7 @@ import {
   readInstalledSkillVersion,
   setupSkill,
   uninstallSkill
-} from "./chunk-XOXQPUR6.js";
+} from "./chunk-ZN3VMRWG.js";
 import "./chunk-IUZB3DQW.js";
 export {
   getBundledSkillContent,

package/dist/{snapshot-4QR4I67P.js → snapshot-MEOOARL3.js}

@@ -8,8 +8,8 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-LLWKCA3H.js";
-import "./chunk-EEG7T6WT.js";
+} from "./chunk-F6D645LF.js";
+import "./chunk-EGWK6SRQ.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";
 

package/dist/{summary-JOCABBCO.js → summary-JYDAPBYX.js}

@@ -4,8 +4,8 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-LLWKCA3H.js";
-import "./chunk-EEG7T6WT.js";
+} from "./chunk-F6D645LF.js";
+import "./chunk-EGWK6SRQ.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";
 

package/dist/{validate-27RUCN7R.js → validate-RI7YKHKH.js}

@@ -8,8 +8,8 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-LLWKCA3H.js";
-import "./chunk-EEG7T6WT.js";
+} from "./chunk-F6D645LF.js";
+import "./chunk-EGWK6SRQ.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";
 

package/package.json

@@ -2,7 +2,7 @@
   "name": "@chainpatrol/cli",
   "description": "The official ChainPatrol CLI — terminal interface for threat detection",
   "author": "Umar Ahmed <umar@chainpatrol.io>",
-  "version": "0.6.0",
+  "version": "0.8.0",
   "license": "UNLICENSED",
   "homepage": "https://chainpatrol.com/docs/cli",
   "keywords": [