@haystackeditor/cli 0.7.2 → 0.8.0

package/dist/commands/init.d.ts

@@ -4,7 +4,7 @@
  * Creates .haystack.json with auto-detected settings.
  */
 interface InitOptions {
-    yes?: boolean;
+    force?: boolean;
 }
 export declare function initCommand(options: InitOptions): Promise<void>;
 export {};

package/dist/commands/init.js

@@ -3,7 +3,6 @@
  *
  * Creates .haystack.json with auto-detected settings.
  */
-import inquirer from 'inquirer';
 import chalk from 'chalk';
 import * as path from 'path';
 import { detectProject } from '../utils/detect.js';
@@ -11,27 +10,11 @@ import { saveConfig, configExists } from '../utils/config.js';
 import { createSkillFile, createClaudeCommand } from '../utils/skill.js';
 import { validateConfigSecurity, formatSecurityReport } from '../utils/secrets.js';
 export async function initCommand(options) {
-    // Auto-use defaults when not in interactive terminal (e.g., when run by AI agents)
-    const isInteractive = process.stdin.isTTY && process.stdout.isTTY;
-    if (!isInteractive && !options.yes) {
-        console.log(chalk.dim('Non-interactive mode detected. Using --yes defaults.\n'));
-        options.yes = true;
-    }
-    console.log(chalk.cyan('\n🌾 Haystack Setup Wizard\n'));
+    console.log(chalk.cyan('\n🌾 Haystack Setup\n'));
     // Check if config already exists
-    if (await configExists()) {
-        const { overwrite } = await inquirer.prompt([
-            {
-                type: 'confirm',
-                name: 'overwrite',
-                message: '.haystack.json already exists. Overwrite?',
-                default: false,
-            },
-        ]);
-        if (!overwrite) {
-            console.log(chalk.yellow('Setup cancelled.'));
-            return;
-        }
+    if (await configExists() && !options.force) {
+        console.log(chalk.yellow('.haystack.json already exists. Use --force to overwrite.\n'));
+        return;
     }
     // Detect project
     console.log(chalk.dim('Detecting project configuration...\n'));
@@ -45,107 +28,31 @@ export async function initCommand(options) {
     if (detected.isMonorepo) {
         console.log(`  Monorepo: ${chalk.bold(detected.monorepoTool || 'yes')}`);
         if (detected.services?.length) {
-            console.log(`  Services: ${chalk.bold(detected.services.map((s) => s.name).join(', '))}`);
+            console.log(`  Services: ${chalk.bold(detected.services.length)} packages detected`);
         }
     }
     console.log('');
-    // If --yes flag, use all defaults
-    if (options.yes) {
-        const config = buildConfigFromDetection(detected);
-        const configPath = await saveConfig(config);
-        console.log(chalk.green(`✓ Created ${configPath}`));
-        // Create skill file for agent discovery
-        const skillPath = await createSkillFile();
-        console.log(chalk.green(`✓ Created ${skillPath}`));
-        // Create Claude Code slash command
-        const commandPath = await createClaudeCommand();
-        console.log(chalk.green(`✓ Created ${commandPath} (use /haystack in Claude Code)\n`));
-        // Security validation
-        await runSecurityCheck(configPath);
-        // Print the prompt for the AI agent to follow
-        console.log(chalk.cyan('━'.repeat(70)));
-        console.log(chalk.cyan.bold('\n📋 NEXT STEP: Add verification flows\n'));
-        console.log(chalk.white('The config has dev server settings. Now add flows to tell Haystack'));
-        console.log(chalk.white('what to verify when PRs are opened.\n'));
-        console.log(chalk.yellow.bold('Give this prompt to your AI coding agent:\n'));
-        console.log(chalk.cyan('━'.repeat(70)));
-        console.log(`
-${chalk.white('Add Haystack verification flows to .haystack.json')}
-
-${chalk.bold('STEP 1: Understand the app')}
-- Read src/App.tsx and the main components
-- Write 2 sentences: What does this app do? What's the core feature?
-
-${chalk.bold('STEP 2: Identify what PRs would touch')}
-- List the 5 most important UI areas that PRs change
-- These need the most thorough flows
-
-${chalk.bold('STEP 3: Add flows')}
-- Read .agents/skills/haystack.md for the flow format
-- Add flows for the 5 core areas first, then secondary pages
-
-${chalk.bold('STEP 4: Validate')}
-- Confirm the core feature from Step 1 has flows
-- Verify selectors are specific (not generic like "#root")
-`);
-        console.log(chalk.cyan('━'.repeat(70)));
-        return;
-    }
-    // Interactive prompts
-    const answers = await inquirer.prompt([
-        {
-            type: 'input',
-            name: 'name',
-            message: 'Project name:',
-            default: path.basename(process.cwd()),
-        },
-        {
-            type: 'confirm',
-            name: 'isMonorepo',
-            message: 'Is this a monorepo with multiple services?',
-            default: detected.isMonorepo,
-        },
-    ]);
-    let config;
-    if (answers.isMonorepo) {
-        config = await configureMonorepo(detected, answers.name);
-    }
-    else {
-        config = await configureSingleService(detected, answers.name);
-    }
-    // Verification commands
-    const { commands } = await inquirer.prompt([
-        {
-            type: 'input',
-            name: 'commands',
-            message: 'Verification commands (comma-separated):',
-            default: `${detected.packageManager} build, ${detected.packageManager} lint, ${detected.packageManager} tsc --noEmit`,
-        },
-    ]);
-    config.verification = {
-        commands: commands
-            .split(',')
-            .map((cmd) => cmd.trim())
-            .filter(Boolean)
-            .map((cmd) => {
-            const name = cmd.split(' ').pop() || cmd;
-            return { name, run: cmd };
-        }),
-    };
-    // Save config
+    // Build config from detection (no interactive prompts)
+    const config = buildConfigFromDetection(detected);
     const configPath = await saveConfig(config);
     console.log(chalk.green(`✓ Created ${configPath}`));
     // Create skill file for agent discovery
     const skillPath = await createSkillFile();
-    console.log(chalk.green(`✓ Created ${skillPath}\n`));
-    // Show the generated config
-    console.log(chalk.dim('Generated configuration:'));
-    console.log(chalk.dim('─'.repeat(40)));
-    console.log(JSON.stringify(config, null, 2));
-    console.log(chalk.dim('─'.repeat(40)));
+    console.log(chalk.green(`✓ Created ${skillPath}`));
+    // Create Claude Code slash command
+    const commandPath = await createClaudeCommand();
+    console.log(chalk.green(`✓ Created ${commandPath}`));
     // Security validation
     await runSecurityCheck(configPath);
-    printNextSteps();
+    // Print next steps - direct to skill
+    console.log(chalk.cyan('\n━'.repeat(60)));
+    console.log(chalk.cyan.bold('\n📋 NEXT: Add verification flows\n'));
+    console.log(chalk.white('Base config created. Now an AI agent needs to add flows.\n'));
+    console.log(chalk.bold('Option 1: Claude Code'));
+    console.log(chalk.dim('  Run /setup-haystack in Claude Code\n'));
+    console.log(chalk.bold('Option 2: Other AI agents'));
+    console.log(chalk.dim('  Give your agent: "Read .agents/skills/setup-haystack.md and follow it"\n'));
+    console.log(chalk.cyan('━'.repeat(60) + '\n'));
 }
 /**
  * Run security check on config file
@@ -161,125 +68,6 @@ async function runSecurityCheck(configPath) {
         console.log(chalk.dim('\n' + formatSecurityReport(findings)));
     }
 }
-async function configureSingleService(detected, name) {
-    const answers = await inquirer.prompt([
-        {
-            type: 'input',
-            name: 'command',
-            message: 'Dev server command:',
-            default: detected.suggestedDevCommand,
-        },
-        {
-            type: 'number',
-            name: 'port',
-            message: 'Dev server port:',
-            default: detected.suggestedPort,
-        },
-        {
-            type: 'input',
-            name: 'readyPattern',
-            message: 'Ready pattern (stdout text when server is ready):',
-            default: detected.suggestedReadyPattern,
-        },
-        {
-            type: 'input',
-            name: 'authBypass',
-            message: 'Auth bypass env var (leave blank if no auth):',
-            default: detected.suggestedAuthBypass,
-        },
-    ]);
-    const env = {};
-    if (answers.authBypass) {
-        const [key, value] = answers.authBypass.split('=');
-        env[key] = value || 'true';
-    }
-    return {
-        version: '1',
-        name,
-        dev_server: {
-            command: answers.command,
-            port: answers.port,
-            ready_pattern: answers.readyPattern,
-            ...(Object.keys(env).length > 0 ? { env } : {}),
-        },
-    };
-}
-async function configureMonorepo(detected, name) {
-    // Get list of services
-    const detectedServices = detected.services || [];
-    const serviceNames = detectedServices.map((s) => s.name);
-    const { selectedServices } = await inquirer.prompt([
-        {
-            type: 'checkbox',
-            name: 'selectedServices',
-            message: 'Which services should the sandbox run?',
-            choices: serviceNames.length > 0 ? serviceNames : ['frontend', 'api'],
-            default: serviceNames,
-        },
-    ]);
-    // Ask about auth bypass
-    const { authBypass } = await inquirer.prompt([
-        {
-            type: 'input',
-            name: 'authBypass',
-            message: 'Auth bypass env var (applied to all services):',
-            default: detected.suggestedAuthBypass,
-        },
-    ]);
-    const services = {};
-    for (const serviceName of selectedServices) {
-        const detectedService = detectedServices.find((s) => s.name === serviceName);
-        console.log(chalk.dim(`\nConfiguring ${serviceName}...`));
-        const answers = await inquirer.prompt([
-            {
-                type: 'input',
-                name: 'root',
-                message: `  Directory:`,
-                default: detectedService?.root || './',
-            },
-            {
-                type: 'input',
-                name: 'command',
-                message: `  Command:`,
-                default: detectedService?.suggestedCommand || `${detected.packageManager} dev`,
-            },
-            {
-                type: 'list',
-                name: 'type',
-                message: `  Type:`,
-                choices: ['server', 'batch'],
-                default: detectedService?.type || 'server',
-            },
-            {
-                type: 'number',
-                name: 'port',
-                message: `  Port:`,
-                default: detectedService?.suggestedPort || 3000,
-                when: (ans) => ans.type === 'server',
-            },
-        ]);
-        const env = {};
-        if (authBypass) {
-            const [key, value] = authBypass.split('=');
-            env[key] = value || 'true';
-        }
-        // Check if this service has detected dependencies
-        const dependsOn = detectedService?.suggestedDependsOn?.filter((dep) => selectedServices.includes(dep));
-        services[serviceName] = {
-            ...(answers.root !== './' ? { root: answers.root } : {}),
-            command: answers.command,
-            ...(answers.type === 'server' ? { port: answers.port } : { type: 'batch' }),
-            ready_pattern: 'ready|started|listening|Local:',
-            ...(Object.keys(env).length > 0 ? { env } : {}),
-            ...(dependsOn?.length ? { depends_on: dependsOn } : {}),
-        };
-    }
-    return {
-        version: '1',
-        name,
-        services,
-    };
-}
 function buildConfigFromDetection(detected) {
     const env = {};
     if (detected.suggestedAuthBypass) {
@@ -328,10 +116,3 @@ function buildConfigFromDetection(detected) {
         },
     };
 }
-function printNextSteps() {
-    console.log(chalk.cyan('Next steps:'));
-    console.log(`  1. Review .haystack.json and adjust as needed`);
-    console.log(`  2. Add auth bypass env var if your app requires login`);
-    console.log(`  3. Add flows to describe key user journeys to verify`);
-    console.log(`  4. Commit: ${chalk.green('git add .haystack.json .agents/ && git commit -m "Add Haystack"')}\n`);
-}

package/dist/commands/secrets.d.ts

@@ -12,6 +12,21 @@ export declare function setSecret(key: string, value: string, options: {
     scope?: string;
     scopeId?: string;
 }): Promise<void>;
+/**
+ * Get a secret value (for programmatic use)
+ * Returns the value to stdout for piping to other commands.
+ * Use --quiet to suppress all output except the value.
+ */
+export declare function getSecret(key: string, options: {
+    quiet?: boolean;
+}): Promise<void>;
+/**
+ * Get multiple secrets needed by a repo's .haystack.json
+ * Returns JSON object with key-value pairs.
+ */
+export declare function getSecretsForRepo(keys: string[], options: {
+    json?: boolean;
+}): Promise<void>;
 /**
  * Delete a secret
  */

package/dist/commands/secrets.js

@@ -101,6 +101,89 @@ export async function setSecret(key, value, options) {
         process.exit(1);
     }
 }
+/**
+ * Get a secret value (for programmatic use)
+ * Returns the value to stdout for piping to other commands.
+ * Use --quiet to suppress all output except the value.
+ */
+export async function getSecret(key, options) {
+    const token = await requireAuth();
+    if (!key) {
+        console.error(chalk.red('\nUsage: haystack secrets get KEY\n'));
+        process.exit(1);
+    }
+    try {
+        const response = await apiRequest('GET', `/${encodeURIComponent(key)}`, token);
+        if (!response.ok) {
+            if (response.status === 401) {
+                if (!options.quiet) {
+                    console.error(chalk.red('Session expired. Run `haystack login` again.\n'));
+                }
+                process.exit(1);
+            }
+            if (response.status === 404) {
+                if (!options.quiet) {
+                    console.error(chalk.yellow(`\nSecret ${key} not found.\n`));
+                }
+                process.exit(1);
+            }
+            throw new Error(`Failed to get secret: ${response.status}`);
+        }
+        const data = await response.json();
+        // Output just the value (no newline if quiet, for piping)
+        if (options.quiet) {
+            process.stdout.write(data.value);
+        }
+        else {
+            console.log(data.value);
+        }
+    }
+    catch (error) {
+        if (!options.quiet) {
+            console.error(chalk.red(`\nError: ${error.message}\n`));
+        }
+        process.exit(1);
+    }
+}
+/**
+ * Get multiple secrets needed by a repo's .haystack.json
+ * Returns JSON object with key-value pairs.
+ */
+export async function getSecretsForRepo(keys, options) {
+    const token = await requireAuth();
+    if (keys.length === 0) {
+        console.error(chalk.red('\nUsage: haystack secrets get-for-repo KEY1 KEY2 ...\n'));
+        process.exit(1);
+    }
+    try {
+        const response = await apiRequest('POST', '/batch', token, { keys });
+        if (!response.ok) {
+            if (response.status === 401) {
+                console.error(chalk.red('Session expired. Run `haystack login` again.\n'));
+                process.exit(1);
+            }
+            throw new Error(`Failed to get secrets: ${response.status}`);
+        }
+        const data = await response.json();
+        if (options.json) {
+            console.log(JSON.stringify(data.secrets));
+        }
+        else {
+            if (data.missing.length > 0) {
+                console.log(chalk.yellow(`\nMissing secrets: ${data.missing.join(', ')}\n`));
+            }
+            console.log(chalk.bold('\nSecrets loaded:\n'));
+            for (const [k, v] of Object.entries(data.secrets)) {
+                console.log(`  ${chalk.cyan(k)}: ${chalk.dim('***' + v.slice(-4))}`);
+            }
+            console.log();
+        }
+    }
+    catch (error) {
+        console.error(chalk.red(`\nError: ${error.message}\n`));
+        process.exit(1);
+    }
+}
 /**
  * Delete a secret
  */

package/dist/index.js

@@ -15,7 +15,7 @@ import { Command } from 'commander';
 import { statusCommand } from './commands/status.js';
 import { initCommand } from './commands/init.js';
 import { loginCommand, logoutCommand } from './commands/login.js';
-import { listSecrets, setSecret, deleteSecret } from './commands/secrets.js';
+import { listSecrets, setSecret, getSecret, getSecretsForRepo, deleteSecret } from './commands/secrets.js';
 import { handleSandbox } from './commands/config.js';
 const program = new Command();
 program
@@ -25,14 +25,15 @@ program
 program
     .command('init')
     .description('Create .haystack.json configuration')
-    .option('-y, --yes', 'Use auto-detected defaults without prompting')
+    .option('-f, --force', 'Overwrite existing .haystack.json')
     .addHelpText('after', `
-This creates a .haystack.json file that configures:
-  • How to start your dev server
-  • Verification commands (build, lint, typecheck)
+This creates a .haystack.json file with auto-detected settings:
+  • Dev server command and port
+  • Services (for monorepos)
   • Auth bypass for sandbox environments
 
-Once set up, AI agents can automatically spin up and test your app.
+After running, use /setup-haystack in Claude Code (or give your AI agent
+.agents/skills/setup-haystack.md) to add verification flows.
 `)
     .action(initCommand);
 program
@@ -63,6 +64,20 @@ secrets
     .action((key, value, options) => {
     setSecret(key, value, options);
 });
+secrets
+    .command('get <key>')
+    .description('Get a secret value')
+    .option('-q, --quiet', 'Output only the value (for piping)')
+    .action((key, options) => {
+    getSecret(key, options);
+});
+secrets
+    .command('get-for-repo <keys...>')
+    .description('Get multiple secrets needed by a repo')
+    .option('--json', 'Output as JSON')
+    .action((keys, options) => {
+    getSecretsForRepo(keys, options);
+});
 secrets
     .command('delete <key>')
     .description('Delete a secret')

package/dist/types.d.ts

@@ -34,19 +34,43 @@ export interface HaystackConfig {
      */
     network?: NetworkConfig;
     /**
-     * Secrets for fixture fetching and other operations.
-     * These are injected as environment variables in the sandbox.
-     * Supports tokens for staging APIs, S3 credentials, etc.
+     * Secrets required by this project.
+     * Values are stored securely on the Haystack platform via `haystack secrets set`.
+     * At runtime, secrets are fetched and injected as environment variables.
      *
-     * ⚠️ SECURITY: Never commit real secrets to git!
-     * Use environment variable references: $ENV_VAR or ${ENV_VAR}
+     * This field declares WHAT secrets are needed, not their values.
+     * Use `haystack secrets set KEY VALUE` to store the actual values.
      *
      * @example
      * secrets:
-     *   STAGING_TOKEN: "$STAGING_API_TOKEN"    # Read from local env
-     *   AWS_ACCESS_KEY_ID: "${AWS_ACCESS_KEY_ID}"
+     *   OPENAI_API_KEY:
+     *     description: "OpenAI API key for LLM calls"
+     *     required: true
+     *   STAGING_TOKEN:
+     *     description: "Token for staging API access"
+     *     required: false
      */
-    secrets?: Record<string, string>;
+    secrets?: Record<string, SecretDeclaration>;
+}
+/**
+ * Secret declaration - describes what a secret is for, not its value
+ */
+export interface SecretDeclaration {
+    /** Human-readable description of what this secret is used for */
+    description?: string;
+    /**
+     * Whether this secret is required for verification to run.
+     * If true and the secret is not set, verification will fail with an error.
+     * If false, verification will continue with a warning.
+     * @default false
+     */
+    required?: boolean;
+    /**
+     * Services that use this secret.
+     * If specified, the secret is only injected into these services' environments.
+     * If omitted, the secret is available to all services.
+     */
+    services?: string[];
 }
 /**
  * Dev server configuration (simple mode)

package/dist/utils/skill.js

@@ -104,17 +104,32 @@ grep '"name":' .haystack.json
 }
 \`\`\`
 
-### Finding Golden Inputs
+---
 
-For analysis/processing pipelines:
-- Pick a **small, stable PR** that won't change
-- Document what the expected output should be
-- Add it as a comment in the flow description
+## STOP - Confirm Golden URLs and Golden Data
 
-\`\`\`bash
-# Find a good golden PR (small, merged, stable)
-gh pr list --state merged --limit 10 --json number,title,changedFiles | jq '.[] | select(.changedFiles < 5)'
-\`\`\`
+**If you identified backend services that need verification, you MUST ask the user with a proposed example:**
+
+First, explore the codebase to find:
+- Example inputs used in tests, scripts, or documentation
+- Default/demo values in config files or environment variables
+- IDs or URLs referenced in comments or READMEs
+
+Then propose a specific example:
+
+> I found these backend services that need verification:
+> - **[service name]**: [what it does]
+>
+> For backend verification, I need **golden test data** - stable inputs that produce predictable output.
+>
+> **Based on what I found in the codebase, here's my suggestion:**
+> - **Golden URL/Input**: \`[specific example you found, e.g., a test ID, demo endpoint, or sample file]\`
+> - **Command**: \`[the command to run with this input]\`
+> - **Expected Output**: \`[what success looks like based on the code]\`
+>
+> Does this look right? Or should I use different test data?
+
+**Wait for the user to confirm or provide alternatives before adding backend flows.**
 
 ---
 
@@ -596,6 +611,49 @@ The verification Planner needs to find UI elements by selectors. Generic selecto
 
 ---
 
+## ⚠️ CRITICAL RULE: Every Button MUST Have \`data-testid\` and \`aria-label\`
+
+**This is non-negotiable.** Every \`<button>\` element in the codebase MUST have:
+1. \`data-testid="descriptive-name"\` - For automated testing/verification
+2. \`aria-label="Action description"\` - For accessibility AND verification
+
+**Why?** The verification system clicks buttons by their \`data-testid\` or \`aria-label\`. Without these, buttons are invisible to automation. We learned this the hard way - a theme toggle button without these attributes broke our entire verification pipeline.
+
+\`\`\`tsx
+// ❌ WRONG - No identifiers, verification cannot click this
+<button onClick={toggleTheme}>
+  <SunIcon />
+</button>
+
+// ✅ CORRECT - Both data-testid AND aria-label
+<button
+  onClick={toggleTheme}
+  data-testid="theme-toggle"
+  aria-label="Toggle dark mode"
+>
+  <SunIcon />
+</button>
+\`\`\`
+
+**For button wrapper components**, pass through these props:
+\`\`\`tsx
+interface ButtonProps {
+  'data-testid'?: string;
+  'aria-label'?: string;
+  // ...other props
+}
+
+function IconButton({ 'data-testid': testId, 'aria-label': ariaLabel, ...props }: ButtonProps) {
+  return (
+    <button data-testid={testId} aria-label={ariaLabel} {...props}>
+      {props.children}
+    </button>
+  );
+}
+\`\`\`
+
+---
+
 ## What to Add
 
 ### 1. \`aria-label\` on Interactive Elements
@@ -727,13 +785,21 @@ Forms should have proper labels and descriptions:
 
 ## Step 1: Scan for Missing Identifiers
 
+**Start with buttons - these are the most critical:**
+
 \`\`\`bash
-# Find buttons without aria-label
-grep -rn "<button" src/ --include="*.tsx" | grep -v "aria-label" | head -20
+# CRITICAL: Find ALL buttons missing data-testid (fix ALL of these!)
+grep -rn "<button" src/ --include="*.tsx" | grep -v "data-testid" | head -30
+
+# CRITICAL: Find ALL buttons missing aria-label (fix ALL of these!)
+grep -rn "<button" src/ --include="*.tsx" | grep -v "aria-label" | head -30
 
-# Find icon-only buttons (likely missing labels)
+# Find icon-only buttons (MUST have aria-label since no visible text)
 grep -rn "<button.*Icon\\|<button.*>.*</.*Icon>" src/ --include="*.tsx" | head -20
 
+# Find button wrapper components that need to pass through data-testid/aria-label
+grep -rn "function.*Button\\|const.*Button.*=" src/ --include="*.tsx" | head -10
+
 # Find modals/dialogs without role
 grep -rn "modal\\|dialog\\|Modal\\|Dialog" src/ --include="*.tsx" | grep -v "role=" | head -20
 
@@ -744,6 +810,8 @@ grep -rn "<input\\|<select\\|<textarea" src/ --include="*.tsx" | grep -v "aria-l
 ls src/components/ src/pages/ 2>/dev/null
 \`\`\`
 
+**Every button found without \`data-testid\` or \`aria-label\` MUST be fixed.**
+
 ---
 
 ## Step 2: Prioritize by Impact

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@haystackeditor/cli",
-  "version": "0.7.2",
+  "version": "0.8.0",
   "description": "Set up Haystack verification for your project",
   "type": "module",
   "bin": {