@dinoxx/dinox-cli 1.0.0 → 1.0.2

package/README.md

@@ -115,6 +115,8 @@ dino auth status
 dino note search "AI"
 dino note search "AI" --days 7
 dino note search "AI" --from 2026-02-01 --to 2026-02-28
+dino note search "AI" --box "Inbox"
+dino note search --sql 'type = "crawl" AND zettel_boxes IN ("Inbox","Project")'
 ```
 
 创建笔记：
@@ -207,11 +209,6 @@ dino config set sync.timeoutMs 20000
 1. macOS: `~/Library/Application Support/dinox/config.json`
 2. Windows: `%APPDATA%\dinox\config.json`
 
-本地数据库：
-
-1. macOS: `~/Library/Application Support/dinox/powersync.sqlite`
-2. Windows: `%LOCALAPPDATA%\dinox\powersync.sqlite`
-
 ## 6.2 多行命令写法不同
 
 macOS / Linux（bash/zsh）用 `\` 续行：
@@ -267,16 +264,238 @@ dino tag add "你的标签"
 dino box add "你的卡片盒"
 ```
 
-## Q3：我设置了 `powersync.endpoint` 但没生效
+---
+
+## 8. 完整命令参数参考
+
+## 8.1 全局参数（适用于 CLI）
+
+以下参数可放在命令前后使用，例如：`dino --json auth status`。
+
+| 参数 | 类型 | 说明 |
+| --- | --- | --- |
+| `--json` | flag | 输出 machine-readable YAML（仅被支持该参数的命令读取）。 |
+| `--offline` | flag | 跳过 connect/sync，仅用本地缓存（仅被支持该参数的命令读取）。 |
+| `--sync-timeout <ms>` | integer | 覆盖连接/同步超时毫秒，必须是正整数。 |
+| `--verbose` | flag | 预留 verbose 开关。 |
+
+## 8.2 `auth` 命令
+
+### `dino auth login <authorization>`
+
+保存授权信息并验证连接。
+
+| 参数 | 必填 | 说明 |
+| --- | --- | --- |
+| `<authorization>` | 是 | 完整 Authorization 头值，例如：`"Bearer <token>"` |
+
+| 选项 | 必填 | 说明 |
+| --- | --- | --- |
+| `--no-verify` | 否 | 只保存登录信息，不做凭证交换与初始同步验证。 |
+
+支持全局参数：`--json`、`--sync-timeout`
+
+### `dino auth logout`
+
+清理已保存登录信息。
+
+| 选项 | 必填 | 说明 |
+| --- | --- | --- |
+| `--clear-local-db` | 否 | 同时删除本地 SQLite 数据库。 |
+
+### `dino auth status`
+
+查看当前登录与同步状态。
+
+支持全局参数：`--json`、`--offline`、`--sync-timeout`
+
+## 8.3 `sync` 命令
+
+### `dino sync`
+
+连接并执行同步。
+
+支持全局参数：`--json`、`--sync-timeout`
+
+## 8.4 `note` 命令
+
+### `dino note search [query]`
+
+按关键词/标签/创建时间搜索笔记。
+
+| 参数 | 必填 | 说明 |
+| --- | --- | --- |
+| `[query]` | 否 | 搜索关键词。可为空。 |
+
+| 选项 | 必填 | 说明 |
+| --- | --- | --- |
+| `--tags <expr>` | 否 | 标签表达式，支持 `AND` / `OR` / `NOT` 与括号。 |
+| `--from <date>` | 否 | 创建时间起点，支持 `YYYY-MM-DD` 或 ISO datetime。 |
+| `--to <date>` | 否 | 创建时间终点，支持 `YYYY-MM-DD` 或 ISO datetime。 |
+| `--days <n>` | 否 | 最近 N 天（按 `created_at`），不能与 `--from/--to` 同时使用。 |
+| `--box <string\|@file>` | 否 | 按卡片盒名称筛选（支持 JSON 数组或逗号/换行分隔）；会自动解析为 box id 查询。 |
+| `--sql <expr>` | 否 | SQL 风格条件表达式；仅支持字段 `id/content_md/summary/tags/zettel_boxes/created_at/type`，其中 `zettel_boxes` 按名称自动转 id。只支持只读 WHERE 条件（禁止 `INSERT/UPDATE/DELETE`、注释和多语句）。 |
+| `--include-deleted` | 否 | 包含软删除笔记。 |
+
+支持全局参数：`--offline`、`--sync-timeout`
+
+### `dino note get <id>`
+
+按 ID 获取笔记基础信息。
+
+| 参数 | 必填 | 说明 |
+| --- | --- | --- |
+| `<id>` | 是 | 笔记 ID。 |
+
+支持全局参数：`--json`、`--offline`、`--sync-timeout`
+
+### `dino note detail <id>`
+
+按 ID 获取笔记完整详情。
+
+| 参数 | 必填 | 说明 |
+| --- | --- | --- |
+| `<id>` | 是 | 笔记 ID。 |
+
+支持全局参数：`--offline`、`--sync-timeout`
+
+### `dino note create --title <string> --content <string|@file> [options]`
+
+创建笔记。
+
+| 选项 | 必填 | 说明 |
+| --- | --- | --- |
+| `--title <string>` | 是 | 笔记标题。 |
+| `--content <string|@file>` | 是 | Markdown 内容，可传 `@文件路径`。 |
+| `--type <note\|crawl>` | 否 | 笔记类型，默认 `crawl`。 |
+| `--tags <string\|@file>` | 否 | 标签列表（JSON 数组或逗号/换行分隔）。 |
+| `--zettel_boxes <string\|@file>` | 否 | 卡片盒名称列表（JSON 数组或逗号/换行分隔）。 |
+
+支持全局参数：`--json`、`--offline`、`--sync-timeout`
+
+### `dino note delete <id>`
+
+软删除笔记（`is_del=1`）。
+
+| 参数 | 必填 | 说明 |
+| --- | --- | --- |
+| `<id>` | 是 | 笔记 ID。 |
+
+支持全局参数：`--json`、`--offline`、`--sync-timeout`
+
+## 8.5 `tag` 命令
+
+### `dino tag list`
+
+列出标签。
+
+| 选项 | 必填 | 说明 |
+| --- | --- | --- |
+| `--json` | 否 | 输出 machine-readable YAML。 |
+| `--offline` | 否 | 跳过 connect/sync，仅用本地缓存。 |
+| `--sync-timeout <ms>` | 否 | 覆盖连接/同步超时毫秒。 |
+
+### `dino tag add [name] [options]`
+
+新增标签。
+
+| 参数 | 必填 | 说明 |
+| --- | --- | --- |
+| `[name]` | 否 | 标签名/路径（支持斜杠层级）。 |
+
+| 选项 | 必填 | 说明 |
+| --- | --- | --- |
+| `--name <string>` | 否 | 标签名/路径，可替代位置参数 `[name]`。 |
+| `--emoji <string>` | 否 | 标签 emoji。 |
+| `--json` | 否 | 输出 machine-readable YAML。 |
+| `--offline` | 否 | 跳过 connect/sync，仅用本地缓存。 |
+| `--sync-timeout <ms>` | 否 | 覆盖连接/同步超时毫秒。 |
+
+说明：`[name]` 与 `--name` 至少提供一个；若两者都提供且值不同会报错。
+
+## 8.6 `box` 命令
+
+### `dino box list`
+
+列出卡片盒。
+
+| 选项 | 必填 | 说明 |
+| --- | --- | --- |
+| `--offline` | 否 | 跳过 connect/sync，仅用本地缓存。 |
+| `--sync-timeout <ms>` | 否 | 覆盖连接/同步超时毫秒。 |
+
+### `dino box add [name] [options]`
+
+新增卡片盒。
+
+| 参数 | 必填 | 说明 |
+| --- | --- | --- |
+| `[name]` | 否 | 卡片盒名称。 |
+
+| 选项 | 必填 | 说明 |
+| --- | --- | --- |
+| `--name <string>` | 否 | 卡片盒名称，可替代位置参数 `[name]`。 |
+| `--description <string>` | 否 | 用途说明（可帮助 AI 路由笔记）。 |
+| `--color <string>` | 否 | 卡片盒颜色。 |
+| `--json` | 否 | 输出 machine-readable YAML。 |
+| `--offline` | 否 | 跳过 connect/sync，仅用本地缓存。 |
+| `--sync-timeout <ms>` | 否 | 覆盖连接/同步超时毫秒。 |
+
+说明：`[name]` 与 `--name` 至少提供一个；若两者都提供且值不同会报错。
+
+## 8.7 `prompt` 命令
+
+### `dino prompt list`
+
+列出 Prompt（`name` 与 `cmd`）。
+
+| 选项 | 必填 | 说明 |
+| --- | --- | --- |
+| `--offline` | 否 | 跳过 connect/sync，仅用本地缓存。 |
+| `--sync-timeout <ms>` | 否 | 覆盖连接/同步超时毫秒。 |
+
+## 8.8 `config` 命令
+
+### `dino config get [key]`
+
+读取配置（输出 YAML）。
+
+| 参数 | 必填 | 说明 |
+| --- | --- | --- |
+| `[key]` | 否 | 配置键（点路径）；不传则返回全部配置。 |
+
+可读 key：
+
+```text
+sync.timeoutMs
+```
+
+### `dino config set <key> <value>`
+
+写入配置。
+
+| 参数 | 必填 | 说明 |
+| --- | --- | --- |
+| `<key>` | 是 | 配置键（点路径）。 |
+| `<value>` | 是 | 配置值。 |
+
+可写 key：
+
+```text
+sync.timeoutMs    (必须为正整数)
+```
+
+## 8.9 `info` 命令
+
+### `dino info`
 
-这两个配置是固定的，不允许修改：
+显示 CLI 版本信息。
 
-1. `powersync.endpoint = https://powersync.dinoai.fun`
-2. `powersync.uploadBaseUrl = https://dinoai.chatgo.pro`
+支持全局参数：`--json`
 
 ---
 
-## 8. 查看帮助
+## 9. 查看帮助
 
 随时可以看帮助：
 

package/dist/commands/auth/index.js

@@ -18,6 +18,12 @@ function parseSyncTimeoutMs(value) {
     }
     return Math.trunc(parsed);
 }
+async function removeSqliteArtifacts(dbPath) {
+    const artifacts = ['', '-wal', '-shm'];
+    for (const suffix of artifacts) {
+        await fs.rm(`${dbPath}${suffix}`, { force: true }).catch(() => undefined);
+    }
+}
 export function registerAuthCommands(program) {
     const auth = program
         .command('auth')
@@ -110,7 +116,7 @@ export function registerAuthCommands(program) {
         await saveConfig(config);
         if (options.clearLocalDb) {
             const dbPath = getPowerSyncDbPath();
-            await fs.rm(dbPath, { force: true }).catch(() => undefined);
+            await removeSqliteArtifacts(dbPath);
         }
     });
     auth

package/dist/commands/config/index.d.ts

@@ -1,2 +1,3 @@
 import { Command } from 'commander';
+export declare function sanitizeConfigForDisplay(config: unknown): unknown;
 export declare function registerConfigCommands(program: Command): void;

package/dist/commands/config/index.js

@@ -1,10 +1,9 @@
 import { isConfigKey, isFixedConfigKey, isReadableConfigKey } from '../../config/keys.js';
-import { getConfigValue, loadConfig, setConfigValue } from '../../config/store.js';
-import { resolveConfig } from '../../config/resolve.js';
+import { getConfigValue, setConfigValue } from '../../config/store.js';
 import { redactAuthorization } from '../../utils/redact.js';
 import { DinoxError } from '../../utils/errors.js';
 import { printYaml } from '../../utils/output.js';
-function redactConfigForDisplay(config) {
+export function sanitizeConfigForDisplay(config) {
     if (!config || typeof config !== 'object' || Array.isArray(config)) {
         return config;
     }
@@ -13,16 +12,9 @@ function redactConfigForDisplay(config) {
     if (auth && typeof auth === 'object') {
         auth.authorization = redactAuthorization(auth.authorization);
     }
+    delete clone.powersync;
     return clone;
 }
-function getByPath(value, keyPath) {
-    return keyPath.split('.').reduce((current, segment) => {
-        if (!current || typeof current !== 'object') {
-            return undefined;
-        }
-        return current[segment];
-    }, value);
-}
 export function registerConfigCommands(program) {
     const configCmd = program.command('config').description('Read and write Dinox configuration');
     configCmd
@@ -33,13 +25,8 @@ export function registerConfigCommands(program) {
         if (key && !isReadableConfigKey(key)) {
             throw new DinoxError(`Unknown config key: ${key}`);
         }
-        if (key && isFixedConfigKey(key)) {
-            const resolved = resolveConfig(await loadConfig());
-            printYaml(getByPath(resolved, key));
-            return;
-        }
         const value = await getConfigValue(key);
-        const redacted = key ? value : redactConfigForDisplay(value);
+        const redacted = key ? value : sanitizeConfigForDisplay(value);
         printYaml(redacted);
     });
     configCmd

package/dist/commands/notes/index.js

@@ -8,7 +8,7 @@ import { printYaml } from '../../utils/output.js';
 import { resolveAuthIdentity } from '../../auth/userInfo.js';
 import { connectPowerSync, waitForIdleDataFlow } from '../../powersync/runtime.js';
 import { syncNoteTokenIndex } from '../../powersync/tokenIndex.js';
-import { createNote, getNote, getNoteDetail, resolveZettelBoxIdsForCreate, searchNotes, softDeleteNote, validateTagsForCreate, } from './repo.js';
+import { createNote, getNote, getNoteDetail, resolveZettelBoxIdsForCreate, resolveZettelBoxIdsForSearch, searchNotes, softDeleteNote, validateTagsForCreate, } from './repo.js';
 import { parseCreatedAtRange } from './searchTime.js';
 function parseSyncTimeoutMs(value) {
     if (typeof value !== 'string') {
@@ -78,6 +78,8 @@ export function registerNoteCommands(program) {
         .option('--from <date>', 'created_at start (YYYY-MM-DD or ISO datetime)')
         .option('--to <date>', 'created_at end (YYYY-MM-DD or ISO datetime)')
         .option('--days <n>', 'recent N days by created_at (cannot be used with --from/--to)')
+        .option('--box <string|@file>', 'zettel box names (JSON array or comma/newline-separated)')
+        .option('--sql <expr>', 'SQL-like expression over id/content_md/summary/tags/zettel_boxes/created_at/type')
         .option('--include-deleted', 'include soft-deleted notes')
         .action(async (query, options, command) => {
         const globals = command.optsWithGlobals?.() ?? {};
@@ -94,11 +96,17 @@ export function registerNoteCommands(program) {
                 to: options.to,
                 days: options.days,
             });
+            const boxInput = typeof options.box === 'string' ? options.box : '';
+            const zettelBoxNames = boxInput ? await parseStringListInput(boxInput, '--box') : [];
+            const zettelBoxIds = await resolveZettelBoxIdsForSearch(db, zettelBoxNames);
+            const sqlExpression = typeof options.sql === 'string' ? options.sql.trim() : '';
             const rows = await searchNotes(db, keyword, {
                 includeDeleted: Boolean(options.includeDeleted),
                 tagsExpression: tagsExpression || undefined,
                 createdAtFrom,
                 createdAtTo,
+                zettelBoxIds,
+                sqlExpression: sqlExpression || undefined,
             });
             printYaml(rows);
         }

package/dist/commands/notes/repo.d.ts

@@ -18,6 +18,8 @@ type SearchNotesOptions = {
     tagsExpression?: string;
     createdAtFrom?: string;
     createdAtTo?: string;
+    zettelBoxIds?: string[];
+    sqlExpression?: string;
 };
 export type SearchedNote = {
     id: string;
@@ -66,5 +68,6 @@ export declare function createNote(db: AbstractPowerSyncDatabase, input: {
 }>;
 export declare function validateTagsForCreate(db: AbstractPowerSyncDatabase, requestedTags: string[]): Promise<string[]>;
 export declare function resolveZettelBoxIdsForCreate(db: AbstractPowerSyncDatabase, requestedNames: string[]): Promise<string[]>;
+export declare function resolveZettelBoxIdsForSearch(db: AbstractPowerSyncDatabase, requestedNames: string[]): Promise<string[]>;
 export declare function softDeleteNote(db: AbstractPowerSyncDatabase, id: string): Promise<void>;
 export {};

package/dist/commands/notes/repo.js

@@ -3,16 +3,23 @@ import { nowIsoUtc } from '../../utils/time.js';
 import { tokenizeWithJieba } from '../../utils/tokenize.js';
 import { listBoxes } from '../boxes/repo.js';
 import { listTags } from '../tags/repo.js';
+import { buildNoteSearchSqlFilter } from './searchSql.js';
 export async function searchNotes(db, query, options) {
     const normalizedQuery = query.trim();
     const tagFilter = buildTagFilter(options.tagsExpression, 'n');
     const createdAtFilter = buildCreatedAtFilter(options.createdAtFrom, options.createdAtTo, 'n');
+    const zettelBoxFilter = buildZettelBoxFilter(options.zettelBoxIds, 'n');
+    const sqlFilter = await buildNoteSearchSqlFilter({
+        expression: options.sqlExpression,
+        noteAlias: 'n',
+        resolveZettelBoxNames: (names) => resolveZettelBoxIdsForSearch(db, names),
+    });
     let rows = [];
     if (!options.includeDeleted) {
         const ftsMatch = buildFtsMatchQuery(normalizedQuery);
         if (ftsMatch) {
             try {
-                rows = await searchNotesWithFts(db, ftsMatch, tagFilter, createdAtFilter);
+                rows = await searchNotesWithFts(db, ftsMatch, tagFilter, createdAtFilter, zettelBoxFilter, sqlFilter);
                 return enrichSearchRows(db, rows);
             }
             catch (error) {
@@ -53,6 +60,14 @@ export async function searchNotes(db, query, options) {
         whereClauses.push(createdAtFilter.sql);
         params.push(...createdAtFilter.params);
     }
+    if (zettelBoxFilter) {
+        whereClauses.push(zettelBoxFilter.sql);
+        params.push(...zettelBoxFilter.params);
+    }
+    if (sqlFilter) {
+        whereClauses.push(sqlFilter.sql);
+        params.push(...sqlFilter.params);
+    }
     rows = await db.getAll(`
     SELECT
       n.id,
@@ -69,7 +84,7 @@ export async function searchNotes(db, query, options) {
     `, params);
     return enrichSearchRows(db, rows);
 }
-async function searchNotesWithFts(db, matchQuery, tagFilter, createdAtFilter) {
+async function searchNotesWithFts(db, matchQuery, tagFilter, createdAtFilter, zettelBoxFilter, sqlFilter) {
     const whereClauses = ['(n.is_del IS NULL OR n.is_del = 0)', 'note_local_fts MATCH ?'];
     const params = [matchQuery];
     if (tagFilter) {
@@ -80,6 +95,14 @@ async function searchNotesWithFts(db, matchQuery, tagFilter, createdAtFilter) {
         whereClauses.push(createdAtFilter.sql);
         params.push(...createdAtFilter.params);
     }
+    if (zettelBoxFilter) {
+        whereClauses.push(zettelBoxFilter.sql);
+        params.push(...zettelBoxFilter.params);
+    }
+    if (sqlFilter) {
+        whereClauses.push(sqlFilter.sql);
+        params.push(...sqlFilter.params);
+    }
     return db.getAll(`
     SELECT
       n.id,
@@ -214,6 +237,30 @@ function buildCreatedAtFilter(createdAtFrom, createdAtTo, noteAlias) {
         params,
     };
 }
+function buildZettelBoxFilter(zettelBoxIds, noteAlias) {
+    const normalizedIds = Array.from(new Set((zettelBoxIds ?? [])
+        .map((id) => id.trim())
+        .filter((id) => id.length > 0)));
+    if (normalizedIds.length === 0) {
+        return null;
+    }
+    const placeholders = normalizedIds.map(() => '?').join(', ');
+    return {
+        sql: `
+      EXISTS (
+        SELECT 1
+        FROM json_each(
+          CASE
+            WHEN json_valid(COALESCE(${noteAlias}.zettel_boxes, '')) THEN ${noteAlias}.zettel_boxes
+            ELSE '[]'
+          END
+        ) box_item
+        WHERE TRIM(CAST(box_item.value AS TEXT)) IN (${placeholders})
+      )
+    `,
+        params: normalizedIds,
+    };
+}
 function parseTagExpression(expression) {
     const tokens = tokenizeTagExpression(expression);
     if (tokens.length === 0) {
@@ -537,6 +584,13 @@ export async function createNote(db, input) {
 function normalizeLookupKey(value) {
     return value.trim().toLowerCase();
 }
+function buildZettelBoxRetryQuestion(intent, type) {
+    const command = intent === 'search' ? 'dino note search' : 'dino note create';
+    if (type === 'ambiguous') {
+        return `Do you want to specify unique box names (or IDs) and retry \`${command}\`?`;
+    }
+    return `Do you want to add these missing boxes and retry \`${command}\`?`;
+}
 export async function validateTagsForCreate(db, requestedTags) {
     if (requestedTags.length === 0) {
         return [];
@@ -580,6 +634,12 @@ export async function validateTagsForCreate(db, requestedTags) {
     return resolved;
 }
 export async function resolveZettelBoxIdsForCreate(db, requestedNames) {
+    return resolveZettelBoxIdsByName(db, requestedNames, 'create');
+}
+export async function resolveZettelBoxIdsForSearch(db, requestedNames) {
+    return resolveZettelBoxIdsByName(db, requestedNames, 'search');
+}
+async function resolveZettelBoxIdsByName(db, requestedNames, intent) {
     if (requestedNames.length === 0) {
         return [];
     }
@@ -642,7 +702,7 @@ export async function resolveZettelBoxIdsForCreate(db, requestedNames) {
                 type: 'ambiguous_zettel_boxes',
                 ambiguous,
                 availableNamesSample: availableNames.slice(0, 20),
-                question: 'Do you want to specify unique box names (or IDs) and retry `dino note create`?',
+                question: buildZettelBoxRetryQuestion(intent, 'ambiguous'),
             },
         });
     }
@@ -653,7 +713,7 @@ export async function resolveZettelBoxIdsForCreate(db, requestedNames) {
                 missing,
                 availableCount: availableNames.length,
                 availableNamesSample: availableNames.slice(0, 20),
-                question: 'Do you want to add these missing boxes and retry `dino note create`?',
+                question: buildZettelBoxRetryQuestion(intent, 'missing'),
             },
         });
     }

package/dist/commands/notes/searchSql.d.ts

@@ -0,0 +1,11 @@
+export type SqlFilter = {
+    sql: string;
+    params: string[];
+};
+type BuildNoteSearchSqlFilterOptions = {
+    expression?: string;
+    noteAlias: string;
+    resolveZettelBoxNames: (names: string[]) => Promise<string[]>;
+};
+export declare function buildNoteSearchSqlFilter(options: BuildNoteSearchSqlFilterOptions): Promise<SqlFilter | null>;
+export {};

package/dist/commands/notes/searchSql.js

@@ -0,0 +1,599 @@
+import { DinoxError } from '../../utils/errors.js';
+const SEARCH_FIELDS = new Set([
+    'id',
+    'content_md',
+    'summary',
+    'tags',
+    'zettel_boxes',
+    'created_at',
+    'type',
+]);
+const FORBIDDEN_SQL_KEYWORDS = [
+    'insert',
+    'update',
+    'delete',
+    'drop',
+    'alter',
+    'create',
+    'replace',
+    'truncate',
+    'attach',
+    'detach',
+    'pragma',
+    'vacuum',
+    'begin',
+    'commit',
+    'rollback',
+];
+const SCALAR_FIELD_COLUMNS = {
+    id: 'id',
+    content_md: 'content_md',
+    summary: 'summary',
+    created_at: 'created_at',
+    type: 'type',
+};
+export async function buildNoteSearchSqlFilter(options) {
+    const expression = options.expression?.trim() ?? '';
+    if (!expression) {
+        return null;
+    }
+    try {
+        assertReadOnlySearchExpression(expression);
+        const ast = parseSearchSqlExpression(expression);
+        const zettelBoxIdByName = await buildZettelBoxIdLookup(ast, options.resolveZettelBoxNames);
+        const params = [];
+        const sql = compileNode(ast, options.noteAlias, params, zettelBoxIdByName);
+        return {
+            sql: `(${sql})`,
+            params,
+        };
+    }
+    catch (error) {
+        if (error instanceof DinoxError) {
+            throw error;
+        }
+        const message = error instanceof Error ? error.message : String(error);
+        throw new DinoxError(`Invalid --sql expression: ${message}`);
+    }
+}
+function assertReadOnlySearchExpression(expression) {
+    const unquoted = maskQuotedSegments(expression).toLowerCase();
+    if (unquoted.includes(';')) {
+        throw new DinoxError('Invalid --sql expression: only read-only WHERE-style conditions are allowed (semicolon is not permitted)');
+    }
+    if (unquoted.includes('--') || unquoted.includes('/*') || unquoted.includes('*/')) {
+        throw new DinoxError('Invalid --sql expression: SQL comments are not allowed; only read-only WHERE-style conditions are supported');
+    }
+    for (const keyword of FORBIDDEN_SQL_KEYWORDS) {
+        const pattern = new RegExp(`\\b${keyword}\\b`, 'i');
+        if (pattern.test(unquoted)) {
+            throw new DinoxError(`Invalid --sql expression: keyword '${keyword.toUpperCase()}' is not allowed (read-only search only)`);
+        }
+    }
+}
+function maskQuotedSegments(expression) {
+    let result = '';
+    let quote = null;
+    for (let i = 0; i < expression.length; i += 1) {
+        const ch = expression[i];
+        if (!quote) {
+            if (ch === '"' || ch === "'") {
+                quote = ch;
+                result += ' ';
+            }
+            else {
+                result += ch;
+            }
+            continue;
+        }
+        result += ' ';
+        if (ch === '\\') {
+            if (i + 1 < expression.length) {
+                result += ' ';
+                i += 1;
+            }
+            continue;
+        }
+        if (ch !== quote) {
+            continue;
+        }
+        if (expression[i + 1] === quote) {
+            result += ' ';
+            i += 1;
+            continue;
+        }
+        quote = null;
+    }
+    return result;
+}
+function parseSearchSqlExpression(expression) {
+    const tokens = tokenizeSearchSqlExpression(expression);
+    if (tokens.length === 0) {
+        throw new Error('Expression is empty');
+    }
+    let index = 0;
+    const peek = () => tokens[index] ?? null;
+    const consume = (expected) => {
+        const token = peek();
+        if (!token) {
+            throw new Error('Unexpected end of expression');
+        }
+        if (expected && token.type !== expected) {
+            throw new Error(`Expected ${expected} at position ${token.position + 1}`);
+        }
+        index += 1;
+        return token;
+    };
+    const match = (type) => {
+        const token = peek();
+        if (!token || token.type !== type) {
+            return false;
+        }
+        index += 1;
+        return true;
+    };
+    const parseValue = () => {
+        const token = peek();
+        if (!token) {
+            throw new Error('Unexpected end of expression while reading a value');
+        }
+        if (token.type !== 'WORD' && token.type !== 'STRING') {
+            throw new Error(`Expected value at position ${token.position + 1}`);
+        }
+        consume(token.type);
+        const value = token.value.trim();
+        if (!value) {
+            throw new Error(`Empty value at position ${token.position + 1}`);
+        }
+        return value;
+    };
+    const parseValueList = () => {
+        const open = consume('LPAREN');
+        const values = [];
+        while (true) {
+            values.push(parseValue());
+            if (match('COMMA')) {
+                continue;
+            }
+            if (match('RPAREN')) {
+                break;
+            }
+            const next = peek();
+            const nextPos = next ? next.position + 1 : open.position + 1;
+            throw new Error(`Expected ',' or ')' at position ${nextPos}`);
+        }
+        if (values.length === 0) {
+            throw new Error(`IN list cannot be empty at position ${open.position + 1}`);
+        }
+        return values;
+    };
+    const parseCondition = () => {
+        const fieldToken = peek();
+        if (!fieldToken) {
+            throw new Error('Unexpected end of expression');
+        }
+        if (fieldToken.type !== 'WORD') {
+            throw new Error(`Expected field name at position ${fieldToken.position + 1}`);
+        }
+        consume('WORD');
+        const field = normalizeSearchField(fieldToken.value);
+        if (!field) {
+            throw new Error(`Unsupported field '${fieldToken.value}' at position ${fieldToken.position + 1}`);
+        }
+        if (match('NOT')) {
+            if (match('IN')) {
+                return {
+                    kind: 'in',
+                    field,
+                    not: true,
+                    values: parseValueList(),
+                };
+            }
+            if (match('LIKE')) {
+                return {
+                    kind: 'comparison',
+                    field,
+                    operator: 'NOT LIKE',
+                    value: parseValue(),
+                };
+            }
+            const token = peek();
+            const pos = token ? token.position + 1 : fieldToken.position + 1;
+            throw new Error(`Expected IN or LIKE after NOT at position ${pos}`);
+        }
+        if (match('IN')) {
+            return {
+                kind: 'in',
+                field,
+                not: false,
+                values: parseValueList(),
+            };
+        }
+        if (match('LIKE')) {
+            return {
+                kind: 'comparison',
+                field,
+                operator: 'LIKE',
+                value: parseValue(),
+            };
+        }
+        const operatorToken = peek();
+        if (!operatorToken || operatorToken.type !== 'OP') {
+            const pos = operatorToken ? operatorToken.position + 1 : fieldToken.position + 1;
+            throw new Error(`Expected comparison operator at position ${pos}`);
+        }
+        consume('OP');
+        return {
+            kind: 'comparison',
+            field,
+            operator: normalizeComparisonOperator(operatorToken.value, operatorToken.position),
+            value: parseValue(),
+        };
+    };
+    const parsePrimary = () => {
+        const token = peek();
+        if (!token) {
+            throw new Error('Unexpected end of expression');
+        }
+        if (token.type === 'LPAREN') {
+            consume('LPAREN');
+            const node = parseOr();
+            const close = peek();
+            if (!close || close.type !== 'RPAREN') {
+                throw new Error(`Missing ')' for '(' at position ${token.position + 1}`);
+            }
+            consume('RPAREN');
+            return node;
+        }
+        return parseCondition();
+    };
+    const parseUnary = () => {
+        if (match('NOT')) {
+            return { kind: 'not', child: parseUnary() };
+        }
+        return parsePrimary();
+    };
+    const parseAnd = () => {
+        let node = parseUnary();
+        while (match('AND')) {
+            node = { kind: 'and', left: node, right: parseUnary() };
+        }
+        return node;
+    };
+    const parseOr = () => {
+        let node = parseAnd();
+        while (match('OR')) {
+            node = { kind: 'or', left: node, right: parseAnd() };
+        }
+        return node;
+    };
+    const ast = parseOr();
+    const extra = peek();
+    if (extra) {
+        throw new Error(`Unexpected token '${extra.value}' at position ${extra.position + 1}`);
+    }
+    return ast;
+}
+function tokenizeSearchSqlExpression(expression) {
+    const tokens = [];
+    let i = 0;
+    while (i < expression.length) {
+        const ch = expression[i];
+        if (/\s/.test(ch)) {
+            i += 1;
+            continue;
+        }
+        if (ch === '(') {
+            tokens.push({ type: 'LPAREN', value: ch, position: i });
+            i += 1;
+            continue;
+        }
+        if (ch === ')') {
+            tokens.push({ type: 'RPAREN', value: ch, position: i });
+            i += 1;
+            continue;
+        }
+        if (ch === ',') {
+            tokens.push({ type: 'COMMA', value: ch, position: i });
+            i += 1;
+            continue;
+        }
+        if (ch === '\'' || ch === '"') {
+            const quoted = readQuotedValue(expression, i);
+            tokens.push({ type: 'STRING', value: quoted.value, position: i });
+            i = quoted.next;
+            continue;
+        }
+        const op = readOperator(expression, i);
+        if (op) {
+            tokens.push({ type: 'OP', value: op.value, position: i });
+            i = op.next;
+            continue;
+        }
+        let j = i;
+        while (j < expression.length) {
+            const next = expression[j];
+            if (/\s/.test(next) || next === '(' || next === ')' || next === ',' || /[<>=!]/.test(next)) {
+                break;
+            }
+            j += 1;
+        }
+        const raw = expression.slice(i, j);
+        if (!raw) {
+            throw new Error(`Unsupported token '${ch}' at position ${i + 1}`);
+        }
+        const upper = raw.toUpperCase();
+        if (upper === 'AND' || upper === 'OR' || upper === 'NOT' || upper === 'IN' || upper === 'LIKE') {
+            tokens.push({ type: upper, value: raw, position: i });
+        }
+        else {
+            tokens.push({ type: 'WORD', value: raw, position: i });
+        }
+        i = j;
+    }
+    return tokens;
+}
+function readOperator(expression, start) {
+    const twoChars = expression.slice(start, start + 2);
+    if (twoChars === '<=' || twoChars === '>=' || twoChars === '<>' || twoChars === '!=') {
+        return {
+            value: twoChars,
+            next: start + 2,
+        };
+    }
+    const oneChar = expression[start];
+    if (oneChar === '=' || oneChar === '<' || oneChar === '>') {
+        return {
+            value: oneChar,
+            next: start + 1,
+        };
+    }
+    return null;
+}
+function readQuotedValue(expression, start) {
+    const quote = expression[start];
+    let i = start + 1;
+    let value = '';
+    while (i < expression.length) {
+        const ch = expression[i];
+        if (ch === '\\') {
+            if (i + 1 >= expression.length) {
+                throw new Error(`Invalid escape at position ${i + 1}`);
+            }
+            value += expression[i + 1];
+            i += 2;
+            continue;
+        }
+        if (ch === quote) {
+            if (expression[i + 1] === quote) {
+                value += quote;
+                i += 2;
+                continue;
+            }
+            return {
+                value,
+                next: i + 1,
+            };
+        }
+        value += ch;
+        i += 1;
+    }
+    throw new Error(`Unclosed quote at position ${start + 1}`);
+}
+function normalizeSearchField(value) {
+    const normalized = value.trim().toLowerCase();
+    if (SEARCH_FIELDS.has(normalized)) {
+        return normalized;
+    }
+    return null;
+}
+function normalizeComparisonOperator(raw, position) {
+    if (raw === '=') {
+        return '=';
+    }
+    if (raw === '!=' || raw === '<>') {
+        return '!=';
+    }
+    if (raw === '>') {
+        return '>';
+    }
+    if (raw === '>=') {
+        return '>=';
+    }
+    if (raw === '<') {
+        return '<';
+    }
+    if (raw === '<=') {
+        return '<=';
+    }
+    throw new Error(`Unsupported operator '${raw}' at position ${position + 1}`);
+}
+function normalizeLookupKey(value) {
+    return value.trim().toLowerCase();
+}
+async function buildZettelBoxIdLookup(ast, resolveZettelBoxNames) {
+    const rawValues = collectZettelBoxValues(ast)
+        .map((value) => value.trim())
+        .filter((value) => value.length > 0);
+    if (rawValues.length === 0) {
+        return new Map();
+    }
+    const uniqueNames = [];
+    const seen = new Set();
+    for (const raw of rawValues) {
+        const key = normalizeLookupKey(raw);
+        if (seen.has(key)) {
+            continue;
+        }
+        seen.add(key);
+        uniqueNames.push(raw);
+    }
+    const ids = await resolveZettelBoxNames(uniqueNames);
+    if (ids.length !== uniqueNames.length) {
+        throw new DinoxError('Failed to resolve zettel box names in --sql expression');
+    }
+    const lookup = new Map();
+    for (let i = 0; i < uniqueNames.length; i += 1) {
+        lookup.set(normalizeLookupKey(uniqueNames[i]), ids[i]);
+    }
+    return lookup;
+}
+function collectZettelBoxValues(node) {
+    if (node.kind === 'comparison') {
+        if (node.field === 'zettel_boxes') {
+            return [node.value];
+        }
+        return [];
+    }
+    if (node.kind === 'in') {
+        if (node.field === 'zettel_boxes') {
+            return node.values;
+        }
+        return [];
+    }
+    if (node.kind === 'not') {
+        return collectZettelBoxValues(node.child);
+    }
+    return [...collectZettelBoxValues(node.left), ...collectZettelBoxValues(node.right)];
+}
+function compileNode(node, noteAlias, params, zettelBoxIdByName) {
+    if (node.kind === 'comparison') {
+        return compileComparison(node, noteAlias, params, zettelBoxIdByName);
+    }
+    if (node.kind === 'in') {
+        return compileInCondition(node, noteAlias, params, zettelBoxIdByName);
+    }
+    if (node.kind === 'not') {
+        return `NOT (${compileNode(node.child, noteAlias, params, zettelBoxIdByName)})`;
+    }
+    if (node.kind === 'and') {
+        return `(${compileNode(node.left, noteAlias, params, zettelBoxIdByName)}) AND (${compileNode(node.right, noteAlias, params, zettelBoxIdByName)})`;
+    }
+    return `(${compileNode(node.left, noteAlias, params, zettelBoxIdByName)}) OR (${compileNode(node.right, noteAlias, params, zettelBoxIdByName)})`;
+}
+function compileComparison(node, noteAlias, params, zettelBoxIdByName) {
+    if (node.field === 'tags') {
+        if (node.operator !== '=' && node.operator !== '!=') {
+            throw new Error(`Operator '${node.operator}' is not supported for field 'tags'`);
+        }
+        const value = normalizeLookupKey(node.value);
+        if (!value) {
+            throw new Error('tags condition value cannot be empty');
+        }
+        params.push(value);
+        const existsSql = `
+      EXISTS (
+        SELECT 1
+        FROM json_each(
+          CASE
+            WHEN json_valid(COALESCE(${noteAlias}.tags, '')) THEN ${noteAlias}.tags
+            ELSE '[]'
+          END
+        ) tag_item
+        WHERE LOWER(TRIM(CAST(tag_item.value AS TEXT))) = ?
+      )
+    `;
+        return node.operator === '!=' ? `NOT (${existsSql})` : existsSql;
+    }
+    if (node.field === 'zettel_boxes') {
+        if (node.operator !== '=' && node.operator !== '!=') {
+            throw new Error(`Operator '${node.operator}' is not supported for field 'zettel_boxes'`);
+        }
+        const resolvedId = zettelBoxIdByName.get(normalizeLookupKey(node.value));
+        if (!resolvedId) {
+            throw new DinoxError(`Unknown zettel box name in --sql expression: ${node.value}`);
+        }
+        params.push(resolvedId);
+        const existsSql = `
+      EXISTS (
+        SELECT 1
+        FROM json_each(
+          CASE
+            WHEN json_valid(COALESCE(${noteAlias}.zettel_boxes, '')) THEN ${noteAlias}.zettel_boxes
+            ELSE '[]'
+          END
+        ) box_item
+        WHERE TRIM(CAST(box_item.value AS TEXT)) = ?
+      )
+    `;
+        return node.operator === '!=' ? `NOT (${existsSql})` : existsSql;
+    }
+    const column = `${noteAlias}.${SCALAR_FIELD_COLUMNS[node.field]}`;
+    params.push(node.value);
+    if (node.operator === 'LIKE' || node.operator === 'NOT LIKE') {
+        return `(${column} IS NOT NULL AND ${column} ${node.operator} ?)`;
+    }
+    return `(${column} ${node.operator} ?)`;
+}
+function compileInCondition(node, noteAlias, params, zettelBoxIdByName) {
+    if (node.values.length === 0) {
+        throw new Error('IN list cannot be empty');
+    }
+    if (node.field === 'tags') {
+        const normalized = uniqueNonEmptyValues(node.values.map((value) => normalizeLookupKey(value)));
+        if (normalized.length === 0) {
+            throw new Error('tags IN list cannot be empty');
+        }
+        const placeholders = normalized.map(() => '?').join(', ');
+        params.push(...normalized);
+        const existsSql = `
+      EXISTS (
+        SELECT 1
+        FROM json_each(
+          CASE
+            WHEN json_valid(COALESCE(${noteAlias}.tags, '')) THEN ${noteAlias}.tags
+            ELSE '[]'
+          END
+        ) tag_item
+        WHERE LOWER(TRIM(CAST(tag_item.value AS TEXT))) IN (${placeholders})
+      )
+    `;
+        return node.not ? `NOT (${existsSql})` : existsSql;
+    }
+    if (node.field === 'zettel_boxes') {
+        const ids = uniqueNonEmptyValues(node.values
+            .map((value) => zettelBoxIdByName.get(normalizeLookupKey(value)) ?? '')
+            .filter((value) => value.length > 0));
+        if (ids.length === 0) {
+            throw new Error('zettel_boxes IN list cannot be empty');
+        }
+        const placeholders = ids.map(() => '?').join(', ');
+        params.push(...ids);
+        const existsSql = `
+      EXISTS (
+        SELECT 1
+        FROM json_each(
+          CASE
+            WHEN json_valid(COALESCE(${noteAlias}.zettel_boxes, '')) THEN ${noteAlias}.zettel_boxes
+            ELSE '[]'
+          END
+        ) box_item
+        WHERE TRIM(CAST(box_item.value AS TEXT)) IN (${placeholders})
+      )
+    `;
+        return node.not ? `NOT (${existsSql})` : existsSql;
+    }
+    const values = uniqueNonEmptyValues(node.values.map((value) => value.trim()));
+    if (values.length === 0) {
+        throw new Error('IN list cannot be empty');
+    }
+    const column = `${noteAlias}.${SCALAR_FIELD_COLUMNS[node.field]}`;
+    const placeholders = values.map(() => '?').join(', ');
+    params.push(...values);
+    if (node.not) {
+        return `(${column} NOT IN (${placeholders}))`;
+    }
+    return `(${column} IN (${placeholders}))`;
+}
+function uniqueNonEmptyValues(values) {
+    const result = [];
+    const seen = new Set();
+    for (const value of values) {
+        if (!value || seen.has(value)) {
+            continue;
+        }
+        seen.add(value);
+        result.push(value);
+    }
+    return result;
+}

package/dist/config/keys.d.ts

@@ -1,6 +1,6 @@
-export declare const CONFIG_KEYS: readonly ["powersync.tokenEndpoint", "powersync.uploadV4Path", "powersync.uploadV2Path", "sync.timeoutMs"];
-export declare const FIXED_CONFIG_KEYS: readonly ["powersync.endpoint", "powersync.uploadBaseUrl"];
-export declare const READABLE_CONFIG_KEYS: readonly ["powersync.tokenEndpoint", "powersync.uploadV4Path", "powersync.uploadV2Path", "sync.timeoutMs", "powersync.endpoint", "powersync.uploadBaseUrl"];
+export declare const CONFIG_KEYS: readonly ["sync.timeoutMs"];
+export declare const FIXED_CONFIG_KEYS: readonly [];
+export declare const READABLE_CONFIG_KEYS: readonly ["sync.timeoutMs"];
 export type ConfigKey = (typeof CONFIG_KEYS)[number];
 export type FixedConfigKey = (typeof FIXED_CONFIG_KEYS)[number];
 export type ReadableConfigKey = (typeof READABLE_CONFIG_KEYS)[number];

package/dist/config/keys.js

@@ -1,10 +1,7 @@
 export const CONFIG_KEYS = [
-    'powersync.tokenEndpoint',
-    'powersync.uploadV4Path',
-    'powersync.uploadV2Path',
     'sync.timeoutMs',
 ];
-export const FIXED_CONFIG_KEYS = ['powersync.endpoint', 'powersync.uploadBaseUrl'];
+export const FIXED_CONFIG_KEYS = [];
 export const READABLE_CONFIG_KEYS = [...CONFIG_KEYS, ...FIXED_CONFIG_KEYS];
 export function isConfigKey(value) {
     return CONFIG_KEYS.includes(value);

package/dist/config/paths.js

@@ -1,5 +1,6 @@
 import os from 'node:os';
 import path from 'node:path';
+const POWERSYNC_DB_FILENAME = 'dinox-cli.sqlite';
 function resolveConfigHome() {
     if (process.env.DINOX_CONFIG_DIR) {
         return process.env.DINOX_CONFIG_DIR;
@@ -35,5 +36,5 @@ export function getDataDir() {
     return path.join(resolveDataHome(), 'dinox');
 }
 export function getPowerSyncDbPath() {
-    return path.join(getDataDir(), 'powersync.sqlite');
+    return path.join(getDataDir(), POWERSYNC_DB_FILENAME);
 }

package/package.json

@@ -1,12 +1,14 @@
 {
   "name": "@dinoxx/dinox-cli",
-  "version": "1.0.0",
+  "version": "1.0.2",
   "description": "Dinox CLI",
   "main": "dist/dinox.js",
   "scripts": {
     "build": "tsc -p tsconfig.json && node scripts/add-shebang.mjs",
     "dev": "tsx src/dinox.ts",
     "prepublishOnly": "npm run build",
+    "publish:npm": "sh scripts/publish-npm.sh",
+    "publish:npm:dry-run": "sh scripts/publish-npm.sh --dry-run",
     "start": "node dist/dinox.js",
     "test": "node --test --import tsx test/**/*.test.ts"
   },