@modelstatus/cli 0.1.0

package/src/sources/aws.js

@@ -0,0 +1,63 @@
+import { hasCmd, run } from "./shell.js";
+import { scanConfigEntries, entriesFromKV } from "./configscan.js";
+
+/* Pure parsers (unit-tested) — keep all JSON shape knowledge here. */
+export function parseSecretList(stdout) {
+  try {
+    return (JSON.parse(stdout).SecretList || []).map((s) => s.Name).filter(Boolean);
+  } catch {
+    return [];
+  }
+}
+export function parseSecretValue(stdout) {
+  try {
+    return JSON.parse(stdout).SecretString ?? null;
+  } catch {
+    return null;
+  }
+}
+export function parseSsm(stdout) {
+  try {
+    return (JSON.parse(stdout).Parameters || []).map((p) => ({ name: p.Name, value: p.Value }));
+  } catch {
+    return [];
+  }
+}
+
+/** AWS Secrets Manager + SSM Parameter Store. Shells out to your already-
+ * authenticated `aws` CLI, read-only. Secret VALUES are scanned locally for
+ * model ids and never uploaded. opts: { region }. */
+export const awsSecretsSource = {
+  id: "aws-secrets",
+  label: "AWS Secrets Manager + SSM",
+  async available() {
+    return hasCmd("aws");
+  },
+  async collect(opts, compiled) {
+    const region = opts?.region ? ["--region", opts.region] : [];
+    const tag = opts?.region || "default";
+    const out = [];
+
+    const list = await run("aws", ["secretsmanager", "list-secrets", "--output", "json", ...region]);
+    if (list.ok) {
+      for (const name of parseSecretList(list.stdout)) {
+        const v = await run("aws", ["secretsmanager", "get-secret-value", "--secret-id", name, "--output", "json", ...region]);
+        const val = v.ok ? parseSecretValue(v.stdout) : null;
+        if (val == null) continue;
+        const entries = entriesFromKV(name.split("/").pop(), val, `aws-secrets://${tag}/${name}`, name);
+        out.push(...scanConfigEntries(entries, compiled, { sourceType: "aws-secrets" }));
+      }
+    }
+
+    const ssm = await run("aws", [
+      "ssm", "get-parameters-by-path", "--path", "/", "--recursive", "--with-decryption", "--output", "json", ...region,
+    ]);
+    if (ssm.ok) {
+      for (const p of parseSsm(ssm.stdout)) {
+        const entries = entriesFromKV(p.name.split("/").pop(), p.value, `aws-ssm://${tag}${p.name}`, p.name);
+        out.push(...scanConfigEntries(entries, compiled, { sourceType: "aws-ssm" }));
+      }
+    }
+    return out;
+  },
+};

package/src/sources/configscan.js

@@ -0,0 +1,88 @@
+/** Shared config/secret scanning for the non-file sources (env, aws, k8s, helm,
+ * sql). Turns key/value config — including JSON-stringified and nested values —
+ * into normalized model Candidates, running the registry detector over each
+ * leaf and REDACTING every snippet so secret values never leave the machine.
+ *
+ * We only ever emit model-id strings (non-sensitive identifiers like "gpt-4o");
+ * provider API keys and other secrets are detected-around but never extracted. */
+import { detectInLine } from "../detect/core.js";
+import { redactValue } from "../redact.js";
+
+const isPlainObject = (v) => v !== null && typeof v === "object" && !Array.isArray(v);
+
+/** Guess an environment label from any contextual hints (namespace, key, path). */
+export function guessEnvFrom(...hints) {
+  const s = hints.filter(Boolean).join(" ").toLowerCase();
+  if (/(^|[^a-z])(dev|development|sandbox|local)([^a-z]|$)/.test(s)) return "dev";
+  if (/(^|[^a-z])(stag|staging|stg|qa|uat|test)([^a-z]|$)/.test(s)) return "staging";
+  return "prod";
+}
+
+/** Flatten a nested object/array into leaf entries with dotted locator paths. */
+export function flattenConfig(obj, baseLocator, envHint, depth = 0) {
+  const out = [];
+  const join = (loc, seg) => (loc.includes("#") ? `${loc}.${seg}` : `${loc}#${seg}`);
+  const walk = (node, locator, d) => {
+    if (node == null) return;
+    if (d > 10) return;
+    if (Array.isArray(node)) {
+      node.forEach((x, i) => walk(x, `${locator}[${i}]`, d + 1));
+      return;
+    }
+    if (typeof node === "object") {
+      for (const [k, v] of Object.entries(node)) walk(v, locator.includes("#") ? `${locator}.${k}` : `${locator}#${k}`, d + 1);
+      return;
+    }
+    out.push({ key: locator.split(/[#.]/).pop(), value: String(node), locator, envHint });
+  };
+  // Seed: object/array at the base.
+  if (Array.isArray(obj)) obj.forEach((x, i) => walk(x, `${baseLocator}#[${i}]`, depth + 1));
+  else if (isPlainObject(obj)) for (const [k, v] of Object.entries(obj)) walk(v, join(baseLocator, k), depth + 1);
+  return out;
+}
+
+/** Expand a single key/value into entries, JSON-decoding stringified objects. */
+export function entriesFromKV(key, value, locator, envHint) {
+  let v = value;
+  if (typeof v === "string") {
+    const t = v.trim();
+    if ((t.startsWith("{") && t.endsWith("}")) || (t.startsWith("[") && t.endsWith("]"))) {
+      try {
+        v = JSON.parse(t);
+      } catch {
+        /* not JSON — treat as scalar */
+      }
+    }
+  }
+  if (isPlainObject(v) || Array.isArray(v)) return flattenConfig(v, locator, envHint);
+  return [{ key, value: v == null ? "" : String(v), locator, envHint }];
+}
+
+/** Run the detector over config entries → model Candidates (redacted snippets).
+ * entries: [{ key, value, locator, envHint }] */
+export function scanConfigEntries(entries, compiled, { sourceType, env }) {
+  const out = [];
+  const seen = new Set();
+  for (const e of entries) {
+    const value = e.value == null ? "" : String(e.value);
+    const line = `${e.key ?? ""}=${value}`;
+    const found = detectInLine(line, compiled);
+    if (!found.size) continue;
+    const environment = env || guessEnvFrom(e.envHint, e.key, e.locator);
+    for (const model_string of found) {
+      const key = `${model_string}|${e.locator}`;
+      if (seen.has(key)) continue;
+      seen.add(key);
+      out.push({
+        model_string,
+        source_type: sourceType,
+        location_label: e.locator,
+        source_path: e.locator,
+        source_line: null,
+        environment,
+        snippet: redactValue(`${e.key ?? ""}=${value}`).slice(0, 160),
+      });
+    }
+  }
+  return out;
+}

package/src/sources/env.js

@@ -0,0 +1,21 @@
+import { scanConfigEntries } from "./configscan.js";
+
+/** Live process environment — the "env vars not on disk" case. Catches model
+ * ids set at runtime (OPENAI_MODEL=gpt-4o, MODEL=claude-3-5-sonnet, …) that a
+ * filesystem scan can't see. Run it inside the deployed context to inventory it. */
+export const envSource = {
+  id: "env",
+  label: "Environment variables (live process)",
+  async available() {
+    return true;
+  },
+  async collect(_opts, compiled) {
+    const entries = Object.entries(process.env).map(([key, value]) => ({
+      key,
+      value,
+      locator: `env://process/${key}`,
+      envHint: process.env.NODE_ENV || process.env.APP_ENV || "",
+    }));
+    return scanConfigEntries(entries, compiled, { sourceType: "env" });
+  },
+};

package/src/sources/filesystem.js

@@ -0,0 +1,95 @@
+import fs from "node:fs";
+import path from "node:path";
+import { compilePatterns, detectInLine } from "../detect/core.js";
+import { redactValue } from "../redact.js";
+
+const SKIP_DIRS = new Set([
+  "node_modules", ".git", ".next", "dist", "build", "out", "vendor", ".turbo",
+  "coverage", ".pglite", ".venv", "venv", "__pycache__", ".idea", ".vscode",
+]);
+const TEXT_EXT = new Set([
+  ".ts", ".tsx", ".js", ".jsx", ".mjs", ".cjs", ".py", ".go", ".rb", ".java",
+  ".rs", ".php", ".cs", ".yaml", ".yml", ".json", ".toml", ".ipynb", ".env",
+]);
+
+function guessEnv(file) {
+  const f = file.toLowerCase();
+  if (/(test|spec|experimental|sandbox|scratch|\/dev\/|\.dev\.)/.test(f)) return "dev";
+  if (/stag/.test(f)) return "staging";
+  return "prod";
+}
+
+/** Recursively collect candidate source files, skipping noise dirs. */
+function walk(root) {
+  const files = [];
+  (function rec(dir) {
+    let entries;
+    try {
+      entries = fs.readdirSync(dir, { withFileTypes: true });
+    } catch {
+      return;
+    }
+    for (const e of entries) {
+      const full = path.join(dir, e.name);
+      if (e.isDirectory()) {
+        if (!SKIP_DIRS.has(e.name) && !e.name.startsWith(".")) rec(full);
+      } else {
+        const ext = path.extname(e.name);
+        if (TEXT_EXT.has(ext) || e.name.startsWith(".env")) files.push(full);
+      }
+    }
+  })(root);
+  return files;
+}
+
+/** The filesystem source: walk a directory tree and emit normalized Candidates. */
+export const filesystemSource = {
+  id: "filesystem",
+  label: "Filesystem",
+  async available() {
+    return true;
+  },
+  /** opts: { root } → Candidate[] */
+  async collect({ root }, compiled) {
+    const files = walk(root);
+    const seen = new Set();
+    const out = [];
+    for (const file of files) {
+      let content;
+      try {
+        content = fs.readFileSync(file, "utf8");
+      } catch {
+        continue;
+      }
+      if (content.length > 2_000_000) continue;
+      const rel = path.relative(root, file);
+      content.split(/\r?\n/).forEach((line, idx) => {
+        for (const modelStr of detectInLine(line, compiled)) {
+          const key = `${rel}:${idx + 1}:${modelStr}`;
+          if (seen.has(key)) return;
+          seen.add(key);
+          out.push({
+            model_string: modelStr,
+            source_type: "file",
+            file: rel,
+            line: idx + 1,
+            location_label: `${rel}:${idx + 1}`,
+            source_path: rel,
+            source_line: idx + 1,
+            environment: guessEnv(rel),
+            snippet: redactValue(line.trim().slice(0, 160)),
+          });
+        }
+      });
+    }
+    return out;
+  },
+};
+
+/** Convenience: compile patterns + run the filesystem source. */
+export async function scanFilesystem(root, patterns) {
+  const compiled = compilePatterns(patterns);
+  return filesystemSource.collect({ root }, compiled);
+}
+
+export { guessEnv };

package/src/sources/helm.js

@@ -0,0 +1,42 @@
+import { hasCmd, run } from "./shell.js";
+import { scanConfigEntries, flattenConfig } from "./configscan.js";
+
+/** Pure parser: `helm list -A -o json` → [{ name, namespace }]. */
+export function parseHelmList(stdout) {
+  try {
+    const j = JSON.parse(stdout);
+    return (Array.isArray(j) ? j : []).map((r) => ({ name: r.name, namespace: r.namespace })).filter((r) => r.name);
+  } catch {
+    return [];
+  }
+}
+
+/** Helm release values via your authenticated `helm`, read-only. Reads the
+ * merged values of each release (`helm get values -o json`) and scans them for
+ * model ids. On-disk chart values.yaml/templates are already covered by the
+ * filesystem source when you scan the chart directory. */
+export const helmSource = {
+  id: "helm",
+  label: "Helm release values",
+  async available() {
+    return hasCmd("helm");
+  },
+  async collect(_opts, compiled) {
+    const out = [];
+    const list = await run("helm", ["list", "-A", "-o", "json"]);
+    for (const r of parseHelmList(list.ok ? list.stdout : "[]")) {
+      const v = await run("helm", ["get", "values", r.name, "-n", r.namespace, "-o", "json"]);
+      if (!v.ok) continue;
+      let vals;
+      try {
+        vals = JSON.parse(v.stdout);
+      } catch {
+        continue;
+      }
+      if (!vals || typeof vals !== "object") continue;
+      const entries = flattenConfig(vals, `helm://${r.namespace}/${r.name}`, r.namespace);
+      out.push(...scanConfigEntries(entries, compiled, { sourceType: "helm" }));
+    }
+    return out;
+  },
+};

package/src/sources/index.js

@@ -0,0 +1,63 @@
+import { compilePatterns } from "../detect/core.js";
+import { filesystemSource } from "./filesystem.js";
+import { envSource } from "./env.js";
+import { awsSecretsSource } from "./aws.js";
+import { k8sSource } from "./k8s.js";
+import { helmSource } from "./helm.js";
+import { sqlSource } from "./sql.js";
+
+/**
+ * A Source discovers AI-model usage from one place and emits normalized Candidates:
+ *   { model_string, source_type, location_label, source_path, source_line?, environment, snippet }
+ *
+ * Interface:
+ *   id: string
+ *   label: string
+ *   available(opts): Promise<boolean>          // is the backing tool/creds present?
+ *   collect(opts, compiled): Promise<Candidate[]>
+ *
+ * The secrets/config sources (env, aws-secrets, k8s, helm, sql) each shell out to
+ * an ALREADY-AUTHENTICATED CLI, run read-only, scan locally, and REDACT every
+ * snippet — only non-sensitive model ids ever leave the machine, never secrets.
+ */
+const SOURCES = [filesystemSource, envSource, awsSecretsSource, k8sSource, helmSource, sqlSource];
+
+export const ALL_SOURCE_IDS = SOURCES.map((s) => s.id);
+
+export function listSources() {
+  return SOURCES;
+}
+
+export function getSource(id) {
+  return SOURCES.find((s) => s.id === id) ?? null;
+}
+
+/** Which of the requested sources are usable right now (tool/creds present). */
+export async function availability(sourceIds, opts = {}) {
+  const ids = sourceIds && sourceIds.length ? sourceIds : ["filesystem"];
+  const report = [];
+  for (const id of ids) {
+    const src = getSource(id);
+    report.push({ id, label: src?.label ?? id, available: src ? await src.available(opts) : false, known: !!src });
+  }
+  return report;
+}
+
+/** Run a set of sources, returning a flat, de-duplicated Candidate[]. */
+export async function collectFrom(sourceIds, opts, patterns) {
+  const compiled = compilePatterns(patterns);
+  const ids = sourceIds && sourceIds.length ? sourceIds : ["filesystem"];
+  const seen = new Set();
+  const out = [];
+  for (const id of ids) {
+    const src = getSource(id);
+    if (!src || !(await src.available(opts))) continue;
+    for (const c of await src.collect(opts, compiled)) {
+      const key = `${c.model_string}|${c.location_label}`;
+      if (seen.has(key)) continue;
+      seen.add(key);
+      out.push(c);
+    }
+  }
+  return out;
+}

package/src/sources/k8s.js

@@ -0,0 +1,51 @@
+import { hasCmd, run } from "./shell.js";
+import { scanConfigEntries, entriesFromKV } from "./configscan.js";
+
+const b64decode = (s) => {
+  try {
+    return Buffer.from(s, "base64").toString("utf8");
+  } catch {
+    return s;
+  }
+};
+
+/** Pure parser: a `kubectl get … -o json` List → config entries.
+ * Secret `data` is base64; ConfigMap `data` is plaintext. */
+export function extractK8sEntries(json) {
+  let obj;
+  try {
+    obj = typeof json === "string" ? JSON.parse(json) : json;
+  } catch {
+    return [];
+  }
+  const entries = [];
+  for (const it of obj?.items || []) {
+    const kind = (it.kind || "").toLowerCase();
+    const ns = it.metadata?.namespace || "default";
+    const name = it.metadata?.name || "";
+    const isSecret = /secret/.test(kind);
+    const data = { ...(it.data || {}), ...(it.stringData || {}) };
+    for (const [k, raw] of Object.entries(data)) {
+      const value = isSecret ? b64decode(raw) : raw;
+      entries.push(...entriesFromKV(k, value, `k8s://${ns}/${kind || "obj"}/${name}#${k}`, ns));
+    }
+  }
+  return entries;
+}
+
+/** Kubernetes Secrets + ConfigMaps via your authenticated `kubectl`, read-only.
+ * opts: { namespace, kubeContext }. Defaults to all namespaces. */
+export const k8sSource = {
+  id: "k8s",
+  label: "Kubernetes secrets + configmaps",
+  async available() {
+    return hasCmd("kubectl");
+  },
+  async collect(opts, compiled) {
+    const ctx = opts?.kubeContext ? ["--context", opts.kubeContext] : [];
+    const nsArgs = opts?.namespace ? ["-n", opts.namespace] : ["-A"];
+    const res = await run("kubectl", ["get", "secrets,configmaps", ...nsArgs, "-o", "json", ...ctx]);
+    if (!res.ok) return [];
+    return scanConfigEntries(extractK8sEntries(res.stdout), compiled, { sourceType: "k8s" });
+  },
+};

package/src/sources/shell.js

@@ -0,0 +1,35 @@
+import { execFile } from "node:child_process";
+import fs from "node:fs";
+import path from "node:path";
+
+/** Is `name` an executable on PATH? Pure PATH scan — no shell, no spawn. */
+export function hasCmd(name) {
+  const PATH = process.env.PATH || "";
+  for (const dir of PATH.split(path.delimiter)) {
+    if (!dir) continue;
+    try {
+      fs.accessSync(path.join(dir, name), fs.constants.X_OK);
+      return true;
+    } catch {
+      /* keep looking */
+    }
+  }
+  return false;
+}
+
+/** Run a command WITHOUT a shell (execFile → no injection). Read-only by
+ * convention. Never throws; resolves { ok, stdout, stderr, code }. */
+export function run(cmd, args, { timeout = 25000, input, maxBuffer = 48 * 1024 * 1024 } = {}) {
+  return new Promise((resolve) => {
+    const child = execFile(cmd, args, { timeout, maxBuffer }, (err, stdout, stderr) => {
+      resolve({ ok: !err, stdout: stdout || "", stderr: stderr || "", code: err?.code ?? 0 });
+    });
+    if (input != null) {
+      try {
+        child.stdin.end(input);
+      } catch {
+        /* ignore */
+      }
+    }
+  });
+}

package/src/sources/sql.js

@@ -0,0 +1,47 @@
+import { hasCmd, run } from "./shell.js";
+import { detectInLine } from "../detect/core.js";
+import { redactValue } from "../redact.js";
+
+const isPg = (dsn) => /^postgres(ql)?:\/\//.test(dsn || "");
+const safeIdent = (s) => String(s || "").replace(/[^A-Za-z0-9_.]/g, "");
+
+/** Opt-in SQL/DB config scan. Requires --db <postgres-dsn> and the `psql` client.
+ * Runs a READ-ONLY SELECT over a config/settings table and scans the textual
+ * output for model ids. opts: { db, sqlTable, env }. */
+export const sqlSource = {
+  id: "sql",
+  label: "SQL / DB config",
+  async available(opts) {
+    return !!(opts && opts.db && isPg(opts.db)) && hasCmd("psql");
+  },
+  async collect(opts, compiled) {
+    if (!opts?.db || !isPg(opts.db)) return [];
+    const table = safeIdent(opts.sqlTable || "settings");
+    if (!table) return [];
+    // Force read-only so a bad table/DSN can never mutate anything.
+    const sql = `SET default_transaction_read_only=on; SELECT * FROM ${table};`;
+    const res = await run("psql", [opts.db, "-A", "-t", "-c", sql]);
+    if (!res.ok) return [];
+
+    const out = [];
+    const seen = new Set();
+    res.stdout.split(/\r?\n/).forEach((line, i) => {
+      for (const model_string of detectInLine(line, compiled)) {
+        const locator = `sql://${table}#row${i + 1}`;
+        const key = `${model_string}|${locator}`;
+        if (seen.has(key)) return;
+        seen.add(key);
+        out.push({
+          model_string,
+          source_type: "sql",
+          location_label: locator,
+          source_path: locator,
+          source_line: i + 1,
+          environment: opts.env || "prod",
+          snippet: redactValue(line.trim()).slice(0, 160),
+        });
+      }
+    });
+    return out;
+  },
+};

package/src/tui/app.js

@@ -0,0 +1,139 @@
+import React from "react";
+import { render, Box, Text, useInput, useApp } from "ink";
+import { createClient } from "../api.js";
+import { h, useAsync } from "./ui.js";
+import { InventoryView } from "./views/inventory.js";
+import { ScanView } from "./views/scan.js";
+import { WhatsNewView } from "./views/whatsnew.js";
+import { AddView } from "./views/add.js";
+import { AlertsView } from "./views/alerts.js";
+import { AccountView } from "./views/account.js";
+
+const VIEWS = [
+  { key: "inventory", label: "Inventory", Comp: InventoryView },
+  { key: "scan", label: "Scan", Comp: ScanView },
+  { key: "whatsnew", label: "What's New", Comp: WhatsNewView },
+  { key: "add", label: "Add", Comp: AddView },
+  { key: "alerts", label: "Alerts", Comp: AlertsView },
+  { key: "account", label: "Account", Comp: AccountView },
+];
+
+function Header({ idx, accountName, plan }) {
+  return h(
+    Box,
+    { flexDirection: "column" },
+    h(
+      Box,
+      { justifyContent: "space-between" },
+      h(Text, { color: "cyan", bold: true }, " LLM Status "),
+      h(
+        Text,
+        { color: "gray" },
+        `${accountName ?? "…"}${plan ? `  ·  ${plan}` : ""} `,
+      ),
+    ),
+    h(
+      Box,
+      {},
+      ...VIEWS.map((v, i) =>
+        h(
+          Text,
+          { key: v.key, color: i === idx ? "black" : "gray", backgroundColor: i === idx ? "cyan" : undefined },
+          ` ${i + 1} ${v.label} `,
+        ),
+      ),
+    ),
+  );
+}
+
+function PromptBar({ prompt }) {
+  if (!prompt) return null;
+  return h(
+    Box,
+    { borderStyle: "round", borderColor: "yellow", paddingX: 1 },
+    h(Text, { color: "yellow" }, `${prompt.label}: `),
+    h(Text, {}, prompt.value),
+    h(Text, { color: "gray" }, "▏"),
+  );
+}
+
+export function App({ apiBase, apiKey, dir, initialView }) {
+  const { exit } = useApp();
+  const client = React.useMemo(() => createClient({ apiBase, apiKey }), [apiBase, apiKey]);
+  const startIdx = Math.max(0, VIEWS.findIndex((v) => v.key === initialView));
+  const [idx, setIdx] = React.useState(startIdx);
+  const [toast, setToast] = React.useState(null);
+  const [prompt, setPrompt] = React.useState(null);
+  const me = useAsync(() => client.me(), []);
+
+  const showToast = React.useCallback((msg, color = "green") => {
+    setToast({ msg, color });
+    setTimeout(() => setToast(null), 2500);
+  }, []);
+
+  const askPrompt = React.useCallback(
+    (label, { initial = "", onSubmit, onCancel } = {}) =>
+      setPrompt({ label, value: initial, onSubmit, onCancel }),
+    [],
+  );
+
+  // Global keys — paused while a prompt is capturing text.
+  useInput(
+    (input, key) => {
+      if (key.ctrl && input === "c") return exit();
+      if (/[1-6]/.test(input)) return setIdx(Number(input) - 1);
+      if (key.tab) return setIdx((i) => (i + 1) % VIEWS.length);
+      if (input === "q") return exit();
+    },
+    { isActive: !prompt },
+  );
+
+  // Prompt capture.
+  useInput(
+    (input, key) => {
+      if (key.escape) {
+        const cb = prompt.onCancel;
+        setPrompt(null);
+        cb?.();
+        return;
+      }
+      if (key.return) {
+        const { onSubmit, value } = prompt;
+        setPrompt(null);
+        onSubmit?.(value);
+        return;
+      }
+      if (key.backspace || key.delete) return setPrompt((p) => ({ ...p, value: p.value.slice(0, -1) }));
+      if (input && !key.ctrl && !key.meta) setPrompt((p) => ({ ...p, value: p.value + input }));
+    },
+    { isActive: !!prompt },
+  );
+
+  const ui = { showToast, askPrompt, switchTo: (key) => setIdx(VIEWS.findIndex((v) => v.key === key)) };
+  const View = VIEWS[idx].Comp;
+  const account = me.data?.account ?? null;
+
+  return h(
+    Box,
+    { flexDirection: "column", paddingX: 1 },
+    h(Header, { idx, accountName: account?.name, plan: account?.plan }),
+    h(
+      Box,
+      { flexDirection: "column", marginTop: 1, minHeight: 14 },
+      h(View, { client, me: account, refreshMe: me.reload, dir, apiBase, ui, active: !prompt }),
+    ),
+    h(PromptBar, { prompt }),
+    h(
+      Box,
+      { marginTop: 0 },
+      toast
+        ? h(Text, { color: toast.color }, ` ${toast.msg}`)
+        : h(Text, { color: "gray" }, " 1-6/Tab switch · q quit · keys per view shown above"),
+    ),
+  );
+}
+
+export function runApp(opts) {
+  const app = render(h(App, opts));
+  return app.waitUntilExit();
+}