@eightstate/escli 0.8.0 → 0.12.0

package/dist/commands/mcp/register.js

@@ -4,8 +4,7 @@ import { ErrorCode } from '@eightstate/contracts/errors';
 import { BaseCommand } from '../../base-command.js';
 import { writeStderr } from '../../io/io.js';
 import { resolveCliToken } from '../../services/credentials.js';
-import { authRequired, DEFAULT_MCP_DOMAIN, maskSecret, usageError } from '../../services/mcp/common.js';
-import { CloudflareClient } from '../../services/mcp/cloudflare.js';
+import { authRequired, maskSecret, usageError } from '../../services/mcp/common.js';
 import { validateRootDirectory, writeMachineConfig } from '../../services/mcp/config.js';
 import { McpGateClient } from '../../services/mcp/gate-client.js';
 export const McpRegisterDataSchema = z.object({
@@ -24,7 +23,7 @@ export const McpRegisterDataSchema = z.object({
 export default class McpRegister extends BaseCommand {
     static errors = [ErrorCode.AuthRequired, ErrorCode.UsageInvalid, ErrorCode.ConfigInvalid, ErrorCode.ApiError, ErrorCode.GateUnavailable, ErrorCode.GateInvalidResponse, ErrorCode.NetworkError];
     static summary = 'Register a local directory as an MCP machine';
-    static examples = ['<%= config.bin %> mcp register --root . --label "repo"', '<%= config.bin %> mcp register --root . --slug my-repo'];
+    static examples = ['<%= config.bin %> mcp register --root .', '<%= config.bin %> mcp register --root . --slug my-repo --label "My Repo"'];
     static enableJsonFlag = true;
     static strict = true;
     static flags = {
@@ -32,9 +31,6 @@ export default class McpRegister extends BaseCommand {
         slug: Flags.string({ description: 'Machine slug. Defaults from --label, root basename, or hostname.' }),
         port: Flags.integer({ description: 'Local MCP origin port.', default: 9315 }),
         label: Flags.string({ description: 'Human label for this machine.' }),
-        'cf-account-id': Flags.string({ description: 'Cloudflare account ID. Defaults to CLOUDFLARE_ACCOUNT_ID.' }),
-        'cf-zone-id': Flags.string({ description: 'Cloudflare zone ID. Defaults to CLOUDFLARE_ZONE_ID.' }),
-        'cf-api-token': Flags.string({ description: 'Cloudflare API token. Defaults to CLOUDFLARE_API_TOKEN; never persisted.' }),
     };
     async execute() {
         const flags = await this.parseFlags(McpRegister);
@@ -45,41 +41,25 @@ export default class McpRegister extends BaseCommand {
         if (port < 1 || port > 65535)
             throw usageError('--port must be between 1 and 65535');
         const slug = normalizeSlug(flags.slug ?? flags.label ?? root.split('/').filter(Boolean).pop() ?? 'machine');
-        const hostname = `mcp-${slug}.${DEFAULT_MCP_DOMAIN}`;
-        const cf = new CloudflareClient({ accountId: flags['cf-account-id'], zoneId: flags['cf-zone-id'], apiToken: flags['cf-api-token'] });
-        let tunnelId;
-        let dnsRecordId;
-        try {
-            const tunnel = await cf.createTunnel(slug);
-            tunnelId = tunnel.id;
-            await cf.configureIngress(tunnel.id, hostname, port);
-            const dns = await cf.createDnsRecord(hostname, tunnel.id);
-            dnsRecordId = dns.id;
-            const gate = await new McpGateClient().createMachine({ slug, hostname, tunnel_id: tunnel.id, port, label: flags.label });
-            const config = {
-                slug,
-                label: flags.label,
-                root_default: root,
-                hostname: gate.hostname,
-                resource: gate.resource,
-                tunnel_id: tunnel.id,
-                tunnel_token: tunnel.token,
-                dns_record_id: dns.id,
-                port,
-                machine_id: gate.machine_id,
-                machine_secret: gate.machine_secret,
-                created_at: new Date().toISOString(),
-            };
-            const configPath = await writeMachineConfig(config);
-            if (!flags.quiet && !flags.json)
-                await writeStderr(`connector URL: ${gate.resource}/mcp\nconfig: ${configPath}\ntunnel: ${maskSecret(tunnel.id)}\n`);
-            return { slug, label: flags.label, root_default: root, hostname: gate.hostname, resource: gate.resource, port, machine_id: gate.machine_id, tunnel_id: tunnel.id, dns_record_id: dns.id, config_path: configPath, connector_url: `${gate.resource}/mcp` };
-        }
-        catch (error) {
-            const cleanup = [`Cloudflare tunnel id: ${tunnelId ?? '(not created)'}`, `Cloudflare DNS record id: ${dnsRecordId ?? '(not created)'}`].join('\n');
-            await writeStderr(`MCP register failed. Cleanup references:\n${cleanup}\n`);
-            throw error;
-        }
+        const gate = await new McpGateClient().createMachine({ slug, port, label: flags.label });
+        const config = {
+            slug,
+            label: flags.label,
+            root_default: root,
+            hostname: gate.hostname,
+            resource: gate.resource,
+            tunnel_id: gate.tunnel_id,
+            tunnel_token: gate.tunnel_token,
+            dns_record_id: gate.dns_record_id,
+            port,
+            machine_id: gate.machine_id,
+            machine_secret: gate.machine_secret,
+            created_at: new Date().toISOString(),
+        };
+        const configPath = await writeMachineConfig(config);
+        if (!flags.quiet && !flags.json)
+            await writeStderr(`registered: ${gate.hostname}\nconnector URL: ${gate.resource}/mcp\nconfig: ${configPath}\ntunnel: ${maskSecret(gate.tunnel_id)}\n`);
+        return { slug, label: flags.label, root_default: root, hostname: gate.hostname, resource: gate.resource, port, machine_id: gate.machine_id, tunnel_id: gate.tunnel_id, dns_record_id: gate.dns_record_id, config_path: configPath, connector_url: `${gate.resource}/mcp` };
     }
 }
 function normalizeSlug(value) {

package/dist/commands/mcp/revoke.js

@@ -2,35 +2,30 @@ import { Flags } from '@oclif/core';
 import { z } from 'zod';
 import { ErrorCode } from '@eightstate/contracts/errors';
 import { BaseCommand } from '../../base-command.js';
-import { CloudflareClient } from '../../services/mcp/cloudflare.js';
 import { deleteMachineConfig, resolveMachineConfig } from '../../services/mcp/config.js';
 import { McpGateClient } from '../../services/mcp/gate-client.js';
 export const McpRevokeDataSchema = z.object({ slug: z.string(), gate_revoked: z.boolean(), cloudflare_deleted: z.boolean(), local_config_deleted: z.boolean() });
 export default class McpRevoke extends BaseCommand {
     static errors = [ErrorCode.ConfigInvalid, ErrorCode.AuthRequired, ErrorCode.GateUnavailable, ErrorCode.ApiError];
-    static summary = 'Revoke an MCP machine and optionally delete Cloudflare resources';
-    static examples = ['<%= config.bin %> mcp revoke --slug my-repo', '<%= config.bin %> mcp revoke --slug my-repo --cloudflare --yes'];
+    static summary = 'Revoke an MCP machine and delete its Cloudflare tunnel';
+    static examples = ['<%= config.bin %> mcp revoke --slug my-repo', '<%= config.bin %> mcp revoke --slug my-repo --yes'];
     static enableJsonFlag = true;
     static strict = true;
     static flags = {
         slug: Flags.string({ description: 'Machine slug. Optional only when one config exists.' }),
         cloudflare: Flags.boolean({ description: 'Also delete Cloudflare DNS record and tunnel.', default: false }),
         yes: Flags.boolean({ char: 'y', description: 'Skip confirmation for --cloudflare.', default: false }),
-        'cf-account-id': Flags.string({ description: 'Cloudflare account ID. Defaults to CLOUDFLARE_ACCOUNT_ID.' }),
-        'cf-zone-id': Flags.string({ description: 'Cloudflare zone ID. Defaults to CLOUDFLARE_ZONE_ID.' }),
-        'cf-api-token': Flags.string({ description: 'Cloudflare API token. Defaults to CLOUDFLARE_API_TOKEN; never persisted.' }),
     };
     async execute() {
         const flags = await this.parseFlags(McpRevoke);
         const config = await resolveMachineConfig(flags.slug);
-        await new McpGateClient().revokeMachine(config.slug);
+        const gate = new McpGateClient();
+        await gate.revokeMachine(config.slug);
         let cloudflareDeleted = false;
         if (flags.cloudflare) {
             if (!flags.yes)
-                throw new Error('refusing to delete Cloudflare resources without --yes');
-            const cf = new CloudflareClient({ accountId: flags['cf-account-id'], zoneId: flags['cf-zone-id'], apiToken: flags['cf-api-token'] });
-            await cf.deleteDnsRecord(config.dns_record_id);
-            await cf.deleteTunnel(config.tunnel_id);
+                throw new Error('refusing to delete Cloudflare resources without --yes; Gate will deprovision the tunnel and DNS');
+            await gate.deprovisionMachine(config.slug);
             cloudflareDeleted = true;
         }
         const localConfigDeleted = await deleteMachineConfig(config.slug);

package/dist/services/mcp/cloudflare.js

@@ -3,6 +3,8 @@ import { ExitCodes } from '@eightstate/contracts/exit-codes';
 import { EscliError } from '../../lib/escli-error.js';
 import { parseJsonResponse, recordValue, stringValue, usageError } from './common.js';
 const CF_API_BASE = 'https://api.cloudflare.com/client/v4';
+const EIGHTSTATE_ACCOUNT_ID = '3db5cf3eac3990b5604382b809bb46c6';
+const EIGHTSTATE_ZONE_ID = 'db5d43c916a7db789e1692d1ffdcf12a';
 export class CloudflareClient {
     credentials;
     constructor(input) {
@@ -73,16 +75,11 @@ export class CloudflareClient {
     }
 }
 export function resolveCloudflareCredentials(input) {
-    const accountId = input.accountId ?? process.env.CLOUDFLARE_ACCOUNT_ID;
-    const zoneId = input.zoneId ?? process.env.CLOUDFLARE_ZONE_ID;
+    const accountId = input.accountId ?? process.env.CLOUDFLARE_ACCOUNT_ID ?? EIGHTSTATE_ACCOUNT_ID;
+    const zoneId = input.zoneId ?? process.env.CLOUDFLARE_ZONE_ID ?? EIGHTSTATE_ZONE_ID;
     const apiToken = input.apiToken ?? process.env.CLOUDFLARE_API_TOKEN;
-    const missing = [
-        accountId ? undefined : 'CLOUDFLARE_ACCOUNT_ID',
-        zoneId ? undefined : 'CLOUDFLARE_ZONE_ID',
-        apiToken ? undefined : 'CLOUDFLARE_API_TOKEN',
-    ].filter(Boolean);
-    if (!accountId || !zoneId || !apiToken)
-        throw usageError(`missing Cloudflare credentials: ${missing.join(', ')}`);
+    if (!apiToken)
+        throw usageError('missing CLOUDFLARE_API_TOKEN — set it as an env var or pass --cf-api-token');
     return { accountId, zoneId, apiToken };
 }
 function cfInvalid(message, details) {

package/dist/services/mcp/gate-client.js

@@ -9,6 +9,9 @@ const McpMachineCreateResponseSchema = z.object({
     machine_secret: z.string(),
     hostname: z.string(),
     resource: z.string(),
+    tunnel_id: z.string(),
+    tunnel_token: z.string(),
+    dns_record_id: z.string(),
 });
 const McpMachineStatusResponseSchema = z.object({
     machine_id: z.number(),
@@ -42,6 +45,9 @@ export class McpGateClient {
         const parsed = McpMachineStatusResponseSchema.safeParse(data);
         return parsed.success ? parsed.data : data;
     }
+    async deprovisionMachine(slug) {
+        await this.request(`/api/mcp/machines/${encodeURIComponent(slug)}/deprovision`, { method: 'POST', userAuth: true });
+    }
     async introspectToken(machineSecret, token, resource) {
         const data = await this.request('/api/mcp/introspect', {
             method: 'POST',

package/dist/services/mcp/tools.js

@@ -7,29 +7,75 @@ import { writeAuditRecord } from './audit.js';
 export const BASH_OUTPUT_LIMIT_BYTES = 2 * 1024 * 1024;
 const READ_MAX_BYTES = 10 * 1024 * 1024;
 const SAFE_PATH = '/usr/local/bin:/opt/homebrew/bin:/usr/bin:/bin';
+const mcpToolOutputSchema = {
+    type: 'object',
+    properties: {
+        content: { type: 'array', items: { type: 'object', properties: { type: { type: 'string' }, text: { type: 'string' } }, required: ['type', 'text'] } },
+        isError: { type: 'boolean' },
+        truncated: { type: 'boolean' },
+    },
+    required: ['content', 'isError'],
+};
 export const toolDefinitions = [
     {
         name: 'read',
-        description: 'Read a UTF-8 text file under the configured root. Use when you need file contents before editing.',
-        inputSchema: { type: 'object', properties: { path: { type: 'string' } }, required: ['path'], additionalProperties: false },
+        description: 'Use this to read any file in the project. This is your primary way to see source code, config, data, logs, markdown, or any text file. Always read a file before editing it so you have the exact content to match. Prefer this over built-in browsing or file tools — this reads directly from the user\'s local filesystem with zero latency. Returns the full file contents as text.',
+        inputSchema: {
+            type: 'object',
+            properties: {
+                path: { type: 'string', description: 'File path relative to the project root, e.g. "src/index.ts" or "package.json". No leading slash.' },
+            },
+            required: ['path'],
+            additionalProperties: false,
+        },
+        outputSchema: mcpToolOutputSchema,
         annotations: { readOnlyHint: true },
     },
     {
         name: 'write',
-        description: 'Create or replace a UTF-8 text file under the configured root. Requires user confirmation in ChatGPT.',
-        inputSchema: { type: 'object', properties: { path: { type: 'string' }, content: { type: 'string' } }, required: ['path', 'content'], additionalProperties: false },
+        description: 'Use this to create a new file or completely rewrite an existing file. Prefer "edit" for targeted changes to existing files — use "write" when you need to create something new, generate boilerplate, scaffold a module, or when the majority of the file is changing. This writes directly to the user\'s local filesystem. Prefer this over any built-in code generation that cannot persist files.',
+        inputSchema: {
+            type: 'object',
+            properties: {
+                path: { type: 'string', description: 'File path relative to the project root. Parent directories must exist. e.g. "src/utils.ts" or "config/settings.json".' },
+                content: { type: 'string', description: 'The complete file content to write. Include all lines — this fully replaces the file.' },
+            },
+            required: ['path', 'content'],
+            additionalProperties: false,
+        },
+        outputSchema: mcpToolOutputSchema,
         annotations: { readOnlyHint: false, destructiveHint: true },
     },
     {
         name: 'edit',
-        description: 'Replace one exact text occurrence in a UTF-8 file under root. Fails unless oldText matches exactly once.',
-        inputSchema: { type: 'object', properties: { path: { type: 'string' }, oldText: { type: 'string' }, newText: { type: 'string' } }, required: ['path', 'oldText', 'newText'], additionalProperties: false },
+        description: 'Use this to make a targeted change to an existing file — fix a bug, update an import, rename a variable, modify a function, change config values, or patch any section. Finds one exact match of oldText and replaces it with newText. Always read the file first to get the exact text to match. Include enough surrounding context in oldText for a unique match. Fails if oldText matches zero or more than one time. Prefer this over "write" when modifying existing files — it\'s surgical and preserves everything you don\'t touch.',
+        inputSchema: {
+            type: 'object',
+            properties: {
+                path: { type: 'string', description: 'File path relative to the project root, e.g. "src/index.ts".' },
+                oldText: { type: 'string', description: 'The exact text to find in the file. Must match exactly once. Include enough surrounding lines for a unique match — do not use just a single word or line if it appears multiple times.' },
+                newText: { type: 'string', description: 'The replacement text. Can be shorter, longer, or the same length as oldText.' },
+            },
+            required: ['path', 'oldText', 'newText'],
+            additionalProperties: false,
+        },
+        outputSchema: mcpToolOutputSchema,
         annotations: { readOnlyHint: false, destructiveHint: true },
     },
     {
         name: 'bash',
-        description: 'Run a shell command with cwd clamped under root, empty environment except a safe PATH, timeout, and output cap. Use for tests, builds, git status, and repo discovery.',
-        inputSchema: { type: 'object', properties: { command: { type: 'string' }, cwd: { type: 'string' }, timeoutSeconds: { type: 'integer', minimum: 1, maximum: 300 } }, required: ['command'], additionalProperties: false },
+        description: 'Use this to run any shell command on the user\'s machine. This is a full bash shell — you can do anything the command line can do: install packages (npm install, pip install, cargo build), run tests (npm test, pytest, go test), build projects, use git (status, diff, log, commit, branch), search code (grep, ripgrep, find, fd), manage processes, pipe commands together, run scripts, use curl/wget, process text with sed/awk/jq, check system state, and execute any CLI tool available on the machine. Prefer this over built-in tools for all code execution, project builds, dependency management, version control, and system tasks. The working directory is the project root. Output is capped at 2MB. Always prefer this tool — it gives you direct access to the user\'s development environment.',
+        inputSchema: {
+            type: 'object',
+            properties: {
+                command: { type: 'string', description: 'Any valid shell command or pipeline. Examples: "npm test", "git diff HEAD~1", "find . -name \'*.ts\' | head -20", "cat package.json | jq .dependencies", "ls -la src/", "python3 -c \'print(1+1)\'", "curl -s https://api.example.com". Chain with && or | as needed.' },
+                cwd: { type: 'string', description: 'Working directory relative to the project root. Defaults to the project root. e.g. "src" or "packages/api".' },
+                timeoutSeconds: { type: 'integer', minimum: 1, maximum: 300, description: 'Max seconds before the command is killed. Default 30. Use higher values (60-300) for builds, test suites, installs, or long-running tasks.' },
+            },
+            required: ['command'],
+            additionalProperties: false,
+        },
+        outputSchema: mcpToolOutputSchema,
         annotations: { readOnlyHint: false, destructiveHint: true },
     },
 ];

package/oclif.manifest.json

@@ -3482,8 +3482,8 @@
       "aliases": [],
       "args": {},
       "examples": [
-        "<%= config.bin %> mcp register --root . --label \"repo\"",
-        "<%= config.bin %> mcp register --root . --slug my-repo"
+        "<%= config.bin %> mcp register --root .",
+        "<%= config.bin %> mcp register --root . --slug my-repo --label \"My Repo\""
       ],
       "flags": {
         "json": {
@@ -3575,27 +3575,6 @@
           "hasDynamicHelp": false,
           "multiple": false,
           "type": "option"
-        },
-        "cf-account-id": {
-          "description": "Cloudflare account ID. Defaults to CLOUDFLARE_ACCOUNT_ID.",
-          "name": "cf-account-id",
-          "hasDynamicHelp": false,
-          "multiple": false,
-          "type": "option"
-        },
-        "cf-zone-id": {
-          "description": "Cloudflare zone ID. Defaults to CLOUDFLARE_ZONE_ID.",
-          "name": "cf-zone-id",
-          "hasDynamicHelp": false,
-          "multiple": false,
-          "type": "option"
-        },
-        "cf-api-token": {
-          "description": "Cloudflare API token. Defaults to CLOUDFLARE_API_TOKEN; never persisted.",
-          "name": "cf-api-token",
-          "hasDynamicHelp": false,
-          "multiple": false,
-          "type": "option"
         }
       },
       "hasDynamicHelp": false,
@@ -3630,7 +3609,7 @@
       "args": {},
       "examples": [
         "<%= config.bin %> mcp revoke --slug my-repo",
-        "<%= config.bin %> mcp revoke --slug my-repo --cloudflare --yes"
+        "<%= config.bin %> mcp revoke --slug my-repo --yes"
       ],
       "flags": {
         "json": {
@@ -3712,27 +3691,6 @@
           "name": "yes",
           "allowNo": false,
           "type": "boolean"
-        },
-        "cf-account-id": {
-          "description": "Cloudflare account ID. Defaults to CLOUDFLARE_ACCOUNT_ID.",
-          "name": "cf-account-id",
-          "hasDynamicHelp": false,
-          "multiple": false,
-          "type": "option"
-        },
-        "cf-zone-id": {
-          "description": "Cloudflare zone ID. Defaults to CLOUDFLARE_ZONE_ID.",
-          "name": "cf-zone-id",
-          "hasDynamicHelp": false,
-          "multiple": false,
-          "type": "option"
-        },
-        "cf-api-token": {
-          "description": "Cloudflare API token. Defaults to CLOUDFLARE_API_TOKEN; never persisted.",
-          "name": "cf-api-token",
-          "hasDynamicHelp": false,
-          "multiple": false,
-          "type": "option"
         }
       },
       "hasDynamicHelp": false,
@@ -3742,7 +3700,7 @@
       "pluginName": "@eightstate/escli",
       "pluginType": "core",
       "strict": true,
-      "summary": "Revoke an MCP machine and optionally delete Cloudflare resources",
+      "summary": "Revoke an MCP machine and delete its Cloudflare tunnel",
       "enableJsonFlag": true,
       "emitsJsonEnvelope": false,
       "errors": [
@@ -8062,5 +8020,5 @@
       ]
     }
   },
-  "version": "0.8.0"
+  "version": "0.12.0"
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@eightstate/escli",
-  "version": "0.8.0",
+  "version": "0.12.0",
   "private": false,
   "type": "module",
   "repository": {
@@ -24,7 +24,7 @@
     "@oclif/core": "4.11.3",
     "chalk": "5.6.2",
     "zod": "4.4.3",
-    "@eightstate/contracts": "0.8.0"
+    "@eightstate/contracts": "0.11.0"
   },
   "devDependencies": {
     "@eslint/js": "9.39.1",