@modelstatus/cli 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 LLM Status
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,124 @@
+# @modelstatus/cli
+
+**Track which AI models you use, where, and never get surprised by a retirement.**
+
+The free CLI + TUI for [LLM Status](https://llmstatus.ai) — scans your repo for AI model usage (OpenAI, Anthropic, Google, Mistral, DeepSeek, xAI, Moonshot, Cohere, and dozens more) and joins it to a constantly-updated lifecycle registry so you find out *before* `gpt-4` retires, not after.
+
+```bash
+npx @modelstatus/cli status
+```
+
+That's it. No sign-in, no account, no telemetry — just a snapshot of every model in your repo plus health badges and replacement suggestions.
+
+## Install
+
+Pick whichever fits your stack:
+
+```bash
+# Self-contained binary, no Node required:
+curl -fsSL https://llmstatus.ai/install.sh | bash
+
+# Via npm (needs Node ≥18):
+npm i -g @modelstatus/cli
+```
+
+Or skip install entirely and one-shot it: `npx @modelstatus/cli status`.
+
+## Quick start
+
+### Free: offline health check
+
+```bash
+mm status [dir]                       # if installed
+npx @modelstatus/cli status [dir]     # zero install (needs Node)
+```
+
+Pulls the **signed** registry snapshot from `cdn.llmstatus.ai` (Ed25519-signed, anti-rollback, ~225 kB), scans the directory, resolves every model id, and prints what you use along with its health:
+
+```
+LLM Status — registry 20260528T013239Z (today), 380 models
+Scanned ./apps/web: 12 reference(s) → 6 model(s), 1 custom
+
+Models in use:
+  🔴 retired     openai/gpt-4-0314          retires 2024-06-13   → openai/gpt-4-1  (2)
+  🟠 retiring    anthropic/claude-opus-4    retires 2026-06-15   → anthropic/claude-opus-4-7  (1)
+  🟢 ok          openai/gpt-5                                                       (3)
+
+⚠ 2 model(s) need attention before they retire.
+```
+
+Works **fully offline** after the first run (cached snapshot at `~/.config/llmstatus/registry-cache.json`).
+
+### Sign in for cloud features
+
+```bash
+mm login           # browser sign-in, polls for completion
+mm scan            # scans + uploads to your account's inventory
+mm                 # launches the TUI: inventory, scan, what's-new, alerts
+mm upgrade         # Stripe checkout for Pro (alerting)
+```
+
+You get two binaries — `mm` (short) and `llmstatus` (descriptive). Same binary, take your pick.
+
+## Commands
+
+| Command | What it does |
+|---|---|
+| `mm status [dir]` | Free offline model-health check — no account |
+| `mm` | Launch the TUI (inventory, scan, what's-new, alerts, account) |
+| `mm login [api_key]` | Browser sign-in with polling (or paste a key) |
+| `mm signup` | Create an account in the browser |
+| `mm scan [dir]` | Scan for model usage; interactive TUI, or `--ci`/`--json` for pipelines |
+| `mm sources` | List detection sources and whether each can run here |
+| `mm upgrade` | Open Stripe checkout, poll until Pro is active |
+| `mm logout` | Forget the saved API key |
+
+**Scan sources** (`--sources`, default `filesystem`; `all` for everything):
+
+| Source | Reads from |
+|---|---|
+| `filesystem` | repo files |
+| `env` | live process env vars (`OPENAI_API_KEY`, …) |
+| `aws-secrets` | AWS Secrets Manager + SSM |
+| `k8s` | kubectl secrets + configmaps |
+| `helm` | helm release values |
+| `sql` | psql, via `--db <dsn>` |
+
+Secret sources shell out to your already-authenticated CLIs, run **read-only**, REDACT every snippet, and only ever upload model ids — secret *values* never leave your machine. Use `--dry-run` to preview.
+
+**Common flags:** `--api <url>` · `--key <key>` · `--project <id|name>` · `--yes` · `--json` · `--ci` · `--dry-run` · `--sources <list>` · `--region <r>` · `--namespace <ns>` · `--kube-context <c>` · `--db <dsn>` · `--sql-table <t>`
+
+## Free vs paid
+
+| | Free (this CLI) | Pro (signed in) |
+|---|---|---|
+| `mm status` on any repo | ✓ unlimited | ✓ |
+| Signed registry snapshot, offline cache | ✓ | ✓ |
+| Resolve + health locally, on-device | ✓ | ✓ |
+| Secret-source aware (`env`, `aws-secrets`, `k8s`, `helm`, `sql`) | ✓ | ✓ |
+| Cloud inventory across projects/teams | — | ✓ |
+| Alerts on deprecations/retirements (email/Slack/SMS) | — | ✓ |
+| CI integrations + web dashboard | — | ✓ |
+
+## How the registry distribution works
+
+The registry is published as a **date-versioned, signed snapshot** on Cloudflare R2 at `cdn.llmstatus.ai`, with a mini-TUF trust chain:
+
+```
+pinned root key (in the CLI binary)
+   → root-signs ─→ keys.json (names the current signing key)
+                       → signing-key-signs ─→ latest.json (pointer, with sha256)
+                                                  → blob: <version>.json (immutable)
+```
+
+The CLI verifies every byte before trusting the snapshot, refuses any rollback to an older version, and falls back to its local cache when the network's down. The signing key can be rotated without shipping a new CLI release.
+
+## Links
+
+- Website: [llmstatus.ai](https://llmstatus.ai)
+- Pricing: [llmstatus.ai/pricing](https://llmstatus.ai/pricing)
+- Contact / bugs: [it@llmstatus.ai](mailto:it@llmstatus.ai)
+
+## License
+
+[MIT](LICENSE) © LLM Status

package/package.json

@@ -0,0 +1,55 @@
+{
+  "name": "@modelstatus/cli",
+  "version": "0.1.0",
+  "description": "Track which AI models you use, where, and never get surprised by a retirement. Free offline model-health for any repo (mm status), browser sign-in for cloud inventory + alerts.",
+  "keywords": [
+    "llm",
+    "ai",
+    "models",
+    "deprecation",
+    "retirement",
+    "registry",
+    "openai",
+    "anthropic",
+    "claude",
+    "gpt",
+    "gemini",
+    "mistral",
+    "cli",
+    "tui",
+    "monitoring",
+    "lifecycle"
+  ],
+  "homepage": "https://llmstatus.ai",
+  "bugs": {
+    "email": "it@llmstatus.ai"
+  },
+  "author": "LLM Status <it@llmstatus.ai>",
+  "license": "MIT",
+  "type": "module",
+  "bin": {
+    "mm": "src/index.js",
+    "llmstatus": "src/index.js"
+  },
+  "files": [
+    "src",
+    "README.md",
+    "LICENSE"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "scripts": {
+    "test": "node --test"
+  },
+  "dependencies": {
+    "ink": "^5.0.1",
+    "react": "^18.3.1"
+  },
+  "devDependencies": {
+    "ink-testing-library": "^4.0.0"
+  }
+}

package/src/api.js

@@ -0,0 +1,85 @@
+/** Thin client for the LLM Status / Model Manager public API (/api/v1). */
+export function createClient({ apiBase, apiKey }) {
+  async function req(method, pathname, body) {
+    const res = await fetch(`${apiBase}/api/v1${pathname}`, {
+      method,
+      headers: {
+        ...(apiKey ? { authorization: `Bearer ${apiKey}` } : {}),
+        ...(body ? { "content-type": "application/json" } : {}),
+      },
+      body: body ? JSON.stringify(body) : undefined,
+    });
+    const text = await res.text();
+    let data;
+    try {
+      data = text ? JSON.parse(text) : {};
+    } catch {
+      data = { raw: text };
+    }
+    if (!res.ok) {
+      const msg = data?.error?.message || data?.message || `HTTP ${res.status}`;
+      const err = new Error(`${method} ${pathname} → ${msg}`);
+      err.status = res.status;
+      err.code = data?.error?.code;
+      err.body = data;
+      throw err;
+    }
+    return data;
+  }
+
+  const qs = (params = {}) => {
+    const u = new URLSearchParams();
+    for (const [k, v] of Object.entries(params)) if (v != null && v !== "") u.set(k, String(v));
+    const s = u.toString();
+    return s ? `?${s}` : "";
+  };
+
+  return {
+    raw: req,
+
+    // account / auth
+    me: () => req("GET", "/me"),
+
+    // device auth (no key required)
+    authStart: (body) => req("POST", "/cli-auth/start", body),
+    authPoll: (deviceCode) => req("POST", "/cli-auth/poll", { device_code: deviceCode }),
+
+    // registry (shared, read-only)
+    detectionPatterns: () => req("GET", "/registry/detection-patterns"),
+    resolve: (strings) => req("POST", "/registry/resolve", { strings }),
+    registryEvents: (since) => req("GET", `/registry/events${qs({ since })}`),
+    registryModels: (params) => req("GET", `/registry/models${qs(params)}`),
+
+    // projects
+    listProjects: () => req("GET", "/projects"),
+    createProject: (name) => req("POST", "/projects", { name }),
+    patchProject: (id, body) => req("PATCH", `/projects/${id}`, body),
+
+    // usages
+    listUsages: (params) => req("GET", `/usages${qs(params)}`),
+    getUsage: (id) => req("GET", `/usages/${id}`),
+    createUsage: (body) => req("POST", "/usages", body),
+    patchUsage: (id, body) => req("PATCH", `/usages/${id}`, body),
+    deleteUsage: (id) => req("DELETE", `/usages/${id}`),
+    linkUsage: (id, modelId) => req("POST", `/usages/${id}/link`, { model_id: modelId }),
+    bulkUpload: (projectId, usages) => req("POST", "/usages/bulk", { project_id: projectId, usages }),
+
+    // notification rules
+    listRules: () => req("GET", "/notification-rules"),
+    createRule: (body) => req("POST", "/notification-rules", body),
+    patchRule: (id, body) => req("PATCH", `/notification-rules/${id}`, body),
+    deleteRule: (id) => req("DELETE", `/notification-rules/${id}`),
+
+    // channels
+    listChannels: () => req("GET", "/channels"),
+    createChannel: (body) => req("POST", "/channels", { action: "connect", ...body }),
+    testChannel: (body) => req("POST", "/channels", { action: "test", ...body }),
+
+    // notifications feed
+    listNotifications: (params) => req("GET", `/notifications${qs(params)}`),
+    readNotification: (id) => req("POST", `/notifications/${id}/read`),
+
+    // billing
+    checkout: () => req("POST", "/billing/checkout"),
+  };
+}

package/src/auth.js

@@ -0,0 +1,44 @@
+import { createClient } from "./api.js";
+import { loadConfig, saveConfig, configFilePath } from "./config.js";
+import { openUrl } from "./openUrl.js";
+
+const sleep = (ms) => new Promise((r) => setTimeout(r, ms));
+
+/** Browser login with polling, à la Claude Code: start a device request, open
+ * the browser, then poll until the user authorizes (or signs up). Returns
+ * { apiKey, account } and saves it to the config file. */
+export async function loginViaBrowser({ apiBase, signup = false, log = console.error }) {
+  const client = createClient({ apiBase });
+  const start = await client.authStart({ client_name: "mm CLI", signup });
+
+  log(`\n  Opening your browser to authorize this device…`);
+  log(`  If it doesn't open, visit:\n    ${start.verification_url}`);
+  log(`  Verification code: ${start.user_code}\n`);
+  openUrl(start.verification_url);
+
+  const interval = Math.max(1, start.interval || 3) * 1000;
+  const deadline = Date.now() + (start.expires_in || 600) * 1000;
+
+  log(`  Waiting for authorization`);
+  while (Date.now() < deadline) {
+    await sleep(interval);
+    let res;
+    try {
+      res = await client.authPoll(start.device_code);
+    } catch {
+      continue; // transient network error — keep polling
+    }
+    if (res.status === "approved") {
+      const cfg = loadConfig();
+      cfg.apiKey = res.api_key;
+      cfg.apiBase = apiBase;
+      saveConfig(cfg);
+      log(`\n  ✓ Authorized${res.account?.name ? ` as "${res.account.name}"` : ""}. Saved to ${configFilePath}\n`);
+      return { apiKey: res.api_key, account: res.account ?? null };
+    }
+    if (res.status === "denied") throw new Error("Authorization was denied.");
+    if (res.status === "expired") throw new Error("The login request expired. Run `mm login` again.");
+    process.stderr.write(".");
+  }
+  throw new Error("Timed out waiting for authorization. Run `mm login` again.");
+}

package/src/config.js

@@ -0,0 +1,63 @@
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+
+const dir = path.join(os.homedir(), ".config", "llmstatus");
+const file = path.join(dir, "config.json");
+// Legacy location (pre-rebrand) — read as a fallback so existing logins keep working.
+const legacyFile = path.join(os.homedir(), ".config", "modelmanager", "config.json");
+
+export function loadConfig() {
+  for (const f of [file, legacyFile]) {
+    try {
+      return JSON.parse(fs.readFileSync(f, "utf8"));
+    } catch {
+      /* try next */
+    }
+  }
+  return {};
+}
+
+export function saveConfig(next) {
+  // The API key lives here in plaintext, so keep it owner-only (like gh/aws creds)
+  // — other local users must not be able to read it. chmod after write also fixes
+  // a pre-existing loose-perm file (writeFileSync's mode only applies on create).
+  fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
+  fs.writeFileSync(file, JSON.stringify(next, null, 2), { mode: 0o600 });
+  try {
+    fs.chmodSync(file, 0o600);
+  } catch {
+    /* best-effort (e.g. Windows) */
+  }
+  return file;
+}
+
+/** Resolve {apiBase, apiKey} from flags > env > config file. Defaults to prod. */
+export function resolveAuth(flags = {}) {
+  const cfg = loadConfig();
+  const apiBase =
+    flags.api ||
+    process.env.LLMSTATUS_API_BASE ||
+    process.env.MM_API_BASE ||
+    cfg.apiBase ||
+    "https://llmstatus.ai";
+  const apiKey =
+    flags.key || process.env.LLMSTATUS_API_KEY || process.env.MM_API_KEY || cfg.apiKey || "";
+  return { apiBase: apiBase.replace(/\/$/, ""), apiKey };
+}
+
+/** Forget the saved API key (keeps apiBase). */
+export function clearAuth() {
+  const cfg = loadConfig();
+  delete cfg.apiKey;
+  saveConfig(cfg);
+}
+
+/** Persist a single key (e.g. lastEventsSeenAt for the "what's new" feed). */
+export function setConfigValue(key, value) {
+  const cfg = loadConfig();
+  cfg[key] = value;
+  saveConfig(cfg);
+}
+
+export const configFilePath = file;

package/src/detect/core.js

@@ -0,0 +1,58 @@
+/** Pure model-string detector shared by every scan source (filesystem now,
+ * secrets/k8s/helm/sql later). Given text + the registry's detection patterns,
+ * returns the model strings found per line. No I/O. */
+
+// File extensions / TLDs the family globs accidentally swallow
+// (e.g. "command-2.0.0.tgz", "grok-free.app"). Used to reject generic matches.
+const BANNED_TAIL =
+  /\.(tgz|tar|gz|zip|js|ts|tsx|jsx|mjs|py|go|rb|json|md|lock|sh|css|html|txt|log|yaml|yml|toml|ini|conf|cfg|env|pem|crt|key|csv|xml|pdf|sql|app|com|net|io|dev|org|ai|co)\b/;
+
+/** Trim leading/trailing separators a greedy family glob can capture. */
+function cleanGeneric(s) {
+  return s.replace(/^[.\-_]+/, "").replace(/[.\-_]+$/, "");
+}
+
+/** Family globs catch brand-NEW versioned models before they're in the
+ * registry, so a real hit virtually always carries a version digit. Requiring
+ * one (and rejecting filename/domain tails) kills the bulk of false positives. */
+function looksLikeModel(s) {
+  return s.length >= 5 && /[0-9]/.test(s) && !BANNED_TAIL.test(s);
+}
+
+/** Compile detection patterns into reusable matchers (do this once per scan). */
+export function compilePatterns(patterns) {
+  const exact = [];
+  for (const ms of patterns.model_strings || []) {
+    if (ms.match && ms.match.length >= 4) exact.push(ms.match.toLowerCase());
+  }
+  const generic = (patterns.generic_model_regexes || []).map((r) => new RegExp(r, "gi"));
+  return { exact, generic };
+}
+
+/** Find model strings on a single line. Returns a Set of lowercased strings. */
+export function detectInLine(line, compiled) {
+  const lower = line.toLowerCase();
+  const found = new Set();
+  for (const s of compiled.exact) if (lower.includes(s)) found.add(s);
+  for (const re of compiled.generic) {
+    re.lastIndex = 0;
+    let m;
+    while ((m = re.exec(line))) {
+      const cand = cleanGeneric(m[0].toLowerCase());
+      if (looksLikeModel(cand)) found.add(cand);
+      if (re.lastIndex === m.index) re.lastIndex++;
+    }
+  }
+  return found;
+}
+
+/** Detect across multi-line text → [{ model_string, line, snippet }]. */
+export function detectInText(text, compiled) {
+  const out = [];
+  text.split(/\r?\n/).forEach((line, idx) => {
+    for (const modelStr of detectInLine(line, compiled)) {
+      out.push({ model_string: modelStr, line: idx + 1, snippet: line.trim().slice(0, 160) });
+    }
+  });
+  return out;
+}