@modelstatus/cli 0.1.34 → 0.1.35

package/src/sources/index.js

@@ -5,22 +5,43 @@ import { awsSecretsSource } from "./aws.js";
 import { k8sSource } from "./k8s.js";
 import { helmSource } from "./helm.js";
 import { sqlSource } from "./sql.js";
+import { awsLambdaSource } from "./aws-lambda.js";
+import { vercelSource } from "./vercel.js";
+import { supabaseEdgeSource } from "./supabase.js";
+import { githubActionsSource } from "./github-actions.js";
+import { enabledIds, getEnvTag } from "../integrations.js";
 
 /**
  * A Source discovers AI-model usage from one place and emits normalized Candidates:
  *   { model_string, source_type, location_label, source_path, source_line?, environment, snippet }
  *
- * Interface:
+ * Interface (only id/label/available/collect are REQUIRED — the rest are OPTIONAL
+ * and read via ?? / ?., so the 6 original sources keep working untouched):
  *   id: string
  *   label: string
- *   available(opts): Promise<boolean>          // is the backing tool/creds present?
+ *   available(opts): Promise<boolean>          // is the backing tool/creds present? (cheap PATH check — no spawn)
  *   collect(opts, compiled): Promise<Candidate[]>
+ *   kind?: "local" | "cli" | "mcp" | "api"     // descriptive grouping only; NEVER gates execution (default "local")
+ *   authState?(opts): Promise<{ connected, mode, account?, reason? }>
+ *                                              // OPTIONAL richer read-only identity probe (MAY spawn); used by the
+ *                                              // TUI "test" key + verbose `mm sources`, NOT by the hot collect path
+ *   envTag?: "prod"|"staging"|"dev"|"unknown"  // a declared default env fallback (the authoritative per-source
+ *                                              // envTag comes from integrations.json and is folded into opts.env)
+ *   integration?: true                          // marks a LIVE integration subject to the enabled-gate (the 6
+ *                                              // original sources omit it → unaffected)
  *
- * The secrets/config sources (env, aws-secrets, k8s, helm, sql) each shell out to
- * an ALREADY-AUTHENTICATED CLI, run read-only, scan locally, and REDACT every
- * snippet — only non-sensitive model ids ever leave the machine, never secrets.
+ * The secrets/config sources (env, aws-secrets, k8s, helm, sql) and the 4 live
+ * integrations each shell out to an ALREADY-AUTHENTICATED CLI, run read-only, scan
+ * locally, and REDACT every snippet — only non-sensitive model ids ever leave the
+ * machine, never secrets. Secret-NAME-only surfaces (gh/supabase secret lists,
+ * vercel env names) pass the NAME with an EMPTY value so no value can leak.
  */
-const SOURCES = [filesystemSource, envSource, awsSecretsSource, k8sSource, helmSource, sqlSource];
+const SOURCES = [
+  filesystemSource, envSource, awsSecretsSource, k8sSource, helmSource, sqlSource,
+  // Live integrations (integration:true) — only run when toggled on in
+  // integrations.json OR named explicitly in --sources (see the gate below).
+  awsLambdaSource, vercelSource, supabaseEdgeSource, githubActionsSource,
+];
 
 export const ALL_SOURCE_IDS = SOURCES.map((s) => s.id);
 
@@ -32,27 +53,63 @@ export function getSource(id) {
   return SOURCES.find((s) => s.id === id) ?? null;
 }
 
-/** Which of the requested sources are usable right now (tool/creds present). */
-export async function availability(sourceIds, opts = {}) {
+/** A live integration runs only when enabled in integrations.json OR explicitly
+ * named (so a one-off `--sources vercel` works without toggling it on first).
+ * The 6 original sources omit `integration` → this never gates them. */
+function integrationAllowed(src, id, explicit) {
+  if (!src?.integration) return true; // not an integration → always allowed
+  return enabledIds().has(id) || explicit.has(id);
+}
+
+/** Which of the requested sources are usable right now (tool/creds present).
+ * For a live integration, `available` is reported as `enabled && hasCmd` UNLESS
+ * it was explicitly requested by name (then just hasCmd). Each row also carries
+ * `enabled` + `integration` so cmdSources / the TUI can render the toggle.
+ * `explicit` is the set of ids the caller named verbatim. */
+export async function availability(sourceIds, opts = {}, explicit = new Set()) {
   const ids = sourceIds && sourceIds.length ? sourceIds : ["filesystem"];
+  const enabled = enabledIds();
   const report = [];
   for (const id of ids) {
     const src = getSource(id);
-    report.push({ id, label: src?.label ?? id, available: src ? await src.available(opts) : false, known: !!src });
+    const hasTool = src ? await src.available(opts) : false;
+    const isIntegration = !!src?.integration;
+    const isEnabled = enabled.has(id);
+    // Integrations only count as "available" when enabled (unless explicitly asked).
+    const available = isIntegration && !explicit.has(id) ? hasTool && isEnabled : hasTool;
+    report.push({
+      id,
+      label: src?.label ?? id,
+      kind: src?.kind ?? "local",
+      available,
+      known: !!src,
+      integration: isIntegration,
+      enabled: isEnabled,
+    });
   }
   return report;
 }
 
-/** Run a set of sources, returning a flat, de-duplicated Candidate[]. */
-export async function collectFrom(sourceIds, opts, patterns) {
+/** Run a set of sources, returning a flat, de-duplicated Candidate[]. Stays on
+ * the cheap path: uses available() (PATH check), never authState() (spawn).
+ * `explicit` is the set of ids the caller named verbatim — naming a live
+ * integration there overrides the enabled-gate. */
+export async function collectFrom(sourceIds, opts, patterns, explicit = new Set()) {
   const compiled = compilePatterns(patterns);
   const ids = sourceIds && sourceIds.length ? sourceIds : ["filesystem"];
   const seen = new Set();
   const out = [];
   for (const id of ids) {
     const src = getSource(id);
-    if (!src || !(await src.available(opts))) continue;
-    for (const c of await src.collect(opts, compiled)) {
+    if (!src) continue;
+    // Live-integration gate: skip a disabled integration unless explicitly named.
+    if (!integrationAllowed(src, id, explicit)) continue;
+    if (!(await src.available(opts))) continue;
+    // Fold the per-source declared envTag into opts.env so the integration's env
+    // overrides guessEnvFrom — but an explicit --env flag (opts.env) still wins,
+    // and Vercel's authoritative deploy target still wins inside its own collect.
+    const srcOpts = src.integration ? { ...opts, env: opts.env || getEnvTag(id) } : opts;
+    for (const c of await src.collect(srcOpts, compiled)) {
       const key = `${c.model_string}|${c.location_label}`;
       if (seen.has(key)) continue;
       seen.add(key);

package/src/sources/scan-runner.js

@@ -0,0 +1,127 @@
+/* Background-scan RUNNER: a thin, React-free seam over the cooperative
+ * streaming filesystem scan. It owns the AbortController + paused flag, runs
+ * scanFilesystemStreaming on the main event loop (the walk yields via
+ * setImmediate on a time + count budget, so a foreground frame loop and the
+ * input handler keep ticking in the gaps), and re-emits the engine's raw
+ * onEvent protocol onto a NAMED handlers object so callers never touch
+ * event-type strings.
+ *
+ * Why no worker_threads: the shipped artifact is a single Bun-compiled binary
+ * built from ONE entry (`bun build src/index.js --compile`). A `new Worker(new
+ * URL('./scan-worker.js', …))` would resolve to a loose .js path that doesn't
+ * exist inside the self-contained binary — it'd work under `node src/index.js`
+ * (npm) but break on the CDN binary. The scan is already background-capable on
+ * the single thread, so a worker buys nothing here. The returned handle shape
+ * ({ abort, pause, resume, paused }) is DELIBERATELY identical to what a
+ * worker-backed impl would expose, so a future worker swap (with build-script
+ * support + an in-process fallback) is mechanical, not a rewrite. */
+import { scanFilesystemStreaming } from "./filesystem.js";
+
+/**
+ * Start a background filesystem scan.
+ *
+ * @param {object} opts
+ * @param {string} opts.root              dir to walk (required)
+ * @param {object} opts.compiled          compiled detection patterns (compilePatterns(snapshot.detection))
+ * @param {string[]} [opts.exclude]       extra ignore patterns (forwarded verbatim)
+ * @param {object} [opts.env]             env override (MM_MAX_PER_FILE etc.), forwarded verbatim
+ * @param {number} [opts.yieldBudgetMs=8] elapsed-time yield budget (the core responsiveness enhancement)
+ * @param {number} [opts.maxFilesPerSlice=40] file-count yield ceiling (legacy YIELD_EVERY backstop)
+ *
+ * @param {object} [handlers]
+ * @param {(candidate:object)=>void}  [handlers.onCandidate] per detected usage — the firehose, NOT batched here
+ * @param {(p:object)=>void}          [handlers.onProgress]  { filesScanned, dirsSeen, catalogsSkipped, currentDir }
+ * @param {(d:object)=>void}          [handlers.onDir]       { path, dirsSeen }
+ * @param {(s:object)=>void}          [handlers.onSkip]      { path, distinct, catalogsSkipped } (catalog files)
+ * @param {(r:object)=>void}          [handlers.onDone]      { candidates, filesScanned, dirsSeen, catalogsSkipped, scannedAt } — suppressed after abort()
+ * @param {(err:Error)=>void}         [handlers.onError]     walk threw
+ *
+ * @returns {{ abort:()=>void, pause:()=>void, resume:()=>void, paused:boolean }}
+ *   abort()  idempotent; aborts the walk + suppresses onDone (so a torn-down
+ *            consumer never setState-after-unmount). resume from partial is N/A.
+ *   pause()  idempotent; engine stops reading files but the async fn stays alive
+ *            (event loop free → a foreground loop keeps ticking).
+ *   resume() idempotent.
+ *   paused   getter mirroring the internal flag (for UI).
+ *
+ * Coalescing (the 120ms render flush) stays in the CONSUMER — the runner is a
+ * synchronous re-emitter so its semantics are identical whether backed by
+ * cooperative async (direct calls, today) or a future worker (message-port
+ * events). It does NOT touch React, registry fetch, disk cache, or upload.
+ */
+export function startScan(opts, handlers = {}) {
+  const { root, compiled, exclude, env, yieldBudgetMs = 8, maxFilesPerSlice = 40 } = opts || {};
+  const {
+    onCandidate = () => {},
+    onProgress = () => {},
+    onDir = () => {},
+    onSkip = () => {},
+    onDone = () => {},
+    onError = () => {},
+  } = handlers;
+
+  const ac = new AbortController();
+  let paused = false;
+  let aborted = false;
+  // Track the latest progress counters so onDone can report a complete summary
+  // even when the final event before completion was a `candidate` (no counts).
+  let filesScanned = 0;
+  let dirsSeen = 0;
+  let catalogsSkipped = 0;
+
+  scanFilesystemStreaming(
+    { root, signal: ac.signal, exclude, env, isPaused: () => paused, yieldBudgetMs, maxFilesPerSlice },
+    compiled,
+    (ev) => {
+      // Re-dispatch the raw engine event onto named handlers. No batching here.
+      switch (ev.type) {
+        case "dir":
+          dirsSeen = ev.dirsSeen;
+          onDir({ path: ev.path, dirsSeen: ev.dirsSeen });
+          break;
+        case "candidate":
+          onCandidate(ev.candidate);
+          break;
+        case "skip":
+          catalogsSkipped = ev.catalogsSkipped;
+          onSkip({ path: ev.path, distinct: ev.distinct, catalogsSkipped: ev.catalogsSkipped });
+          break;
+        case "progress":
+          filesScanned = ev.filesScanned;
+          dirsSeen = ev.dirsSeen;
+          catalogsSkipped = ev.catalogsSkipped;
+          onProgress({ filesScanned: ev.filesScanned, dirsSeen: ev.dirsSeen, catalogsSkipped: ev.catalogsSkipped, currentDir: ev.currentDir });
+          break;
+        default:
+          break;
+      }
+    },
+  ).then(
+    (candidates) => {
+      // Suppress onDone after abort: the engine returns its partial set on a
+      // detected abort, but a torn-down caller must not be re-notified.
+      if (aborted) return;
+      onDone({ candidates, filesScanned, dirsSeen, catalogsSkipped, scannedAt: Date.now() });
+    },
+    (err) => {
+      if (aborted) return;
+      onError(err instanceof Error ? err : new Error(String(err)));
+    },
+  );
+
+  return {
+    abort() {
+      aborted = true;
+      ac.abort();
+    },
+    pause() {
+      paused = true;
+    },
+    resume() {
+      paused = false;
+    },
+    get paused() {
+      return paused;
+    },
+  };
+}

package/src/sources/supabase-edge.js

@@ -0,0 +1,183 @@
+import fs from "node:fs";
+import path from "node:path";
+import { hasCmd, run } from "./shell.js";
+import { detectInLine } from "../detect/core.js";
+import { redactValue } from "../redact.js";
+import { scanConfigEntries, entriesFromKV } from "./configscan.js";
+
+/* Pure parsers (unit-tested). All command-output shape knowledge lives here so
+ * the source body stays a thin orchestration layer that's easy to reason about. */
+
+/** `supabase secrets list` → secret NAMES only. Handles both the table output
+ * (NAME | DIGEST) and `--output json` ([{name}]). We NEVER fetch secret values:
+ * a secret VALUE could never be a useful model id, and pulling it would be a
+ * needless exfiltration risk. NAMES alone let `detectInLine` flag a name like
+ * OPENAI_MODEL_OVERRIDE without ever touching a value. */
+export function parseSupabaseSecrets(stdout) {
+  const s = String(stdout || "").trim();
+  // JSON form first (`--output json`).
+  try {
+    const j = JSON.parse(s);
+    if (Array.isArray(j)) return j.map((x) => x.name || x.NAME).filter(Boolean);
+  } catch {
+    /* fall through to table parse */
+  }
+  const names = [];
+  for (const raw of s.split(/\r?\n/)) {
+    const line = raw.trim();
+    if (!line) continue;
+    if (/^name\b/i.test(line)) continue; // header row
+    if (/^[-\s|]+$/.test(line)) continue; // separator rule
+    const name = line
+      .split(/\s{2,}|\t|\s\|\s|\|/)
+      .map((c) => c.trim())
+      .filter(Boolean)[0];
+    if (name && /^[A-Za-z_][A-Za-z0-9_]*$/.test(name)) names.push(name);
+  }
+  return names;
+}
+
+/** `supabase functions list` → edge-function slugs. Handles `--output json`
+ * ([{ name|slug }]) and the table output (header SLUG/NAME, then one per row). */
+export function parseFunctionList(stdout) {
+  const s = String(stdout || "").trim();
+  if (!s) return [];
+  try {
+    const j = JSON.parse(s);
+    if (Array.isArray(j)) return j.map((x) => x.slug || x.name || x.SLUG || x.NAME).filter(Boolean);
+  } catch {
+    /* fall through to table parse */
+  }
+  const slugs = [];
+  for (const raw of s.split(/\r?\n/)) {
+    const line = raw.trim();
+    if (!line) continue;
+    if (/^(slug|name|id)\b/i.test(line)) continue; // header row
+    if (/^[-\s|]+$/.test(line)) continue; // separator rule
+    const first = line
+      .split(/\s{2,}|\t|\s\|\s|\|/)
+      .map((c) => c.trim())
+      .filter(Boolean)[0];
+    // Edge-function slugs are url-safe: letters, digits, hyphens, underscores.
+    if (first && /^[A-Za-z0-9][A-Za-z0-9_-]*$/.test(first)) slugs.push(first);
+  }
+  return slugs;
+}
+
+/** Line-scan one edge-function source body → Candidates. Pure: takes text +
+ * locatorBase + compiled (+ optional env override), returns candidates with a
+ * #L<n> locator and a redacted, 160-capped snippet. detectInLine returns a Set,
+ * iterated with for…of (not .length). The snippet is redactValue'd FIRST then
+ * sliced so a secret straddling the 160-char boundary can't leak a half-token. */
+export function scanFunctionBody(text, locatorBase, compiled, env) {
+  const out = [];
+  const seen = new Set();
+  String(text || "")
+    .split(/\r?\n/)
+    .forEach((line, i) => {
+      for (const model_string of detectInLine(line, compiled)) {
+        const locator = `${locatorBase}#L${i + 1}`;
+        const key = `${model_string}|${locator}`;
+        if (seen.has(key)) continue;
+        seen.add(key);
+        out.push({
+          model_string,
+          source_type: "supabase-edge",
+          location_label: locator,
+          source_path: locator,
+          source_line: i + 1,
+          environment: env || "unknown",
+          snippet: redactValue(line.trim()).slice(0, 160),
+        });
+      }
+    });
+  return out;
+}
+
+/** Supabase Edge Functions + secrets. LIVE integration: gated on the enabled
+ * toggle AND the `supabase` CLI (see sources/index.js's gate). Two surfaces, both
+ * through the redaction funnel:
+ *   (a) `supabase secrets list` → secret NAME-only entries (empty value, so no
+ *       value can ever leak) → scanConfigEntries.
+ *   (b) LOCAL edge-function source under <root>/supabase/functions, line-scanned
+ *       via detectInLine. We read the LOCAL repo (the same model as the
+ *       filesystem source) — we never `supabase functions download`, so no fetched
+ *       code is written to disk and the scan stays fully testable.
+ *
+ * available() is satisfied by the `supabase` CLI on PATH OR a SUPABASE_ACCESS_TOKEN
+ * in the environment (the token authenticates the CLI / Management API; the local
+ * function-body scan needs neither). opts: { root, supabaseProjectRef, env }. */
+export const supabaseEdgeSource = {
+  id: "supabase-edge",
+  label: "Supabase Edge Functions + secrets",
+  kind: "cli",
+  integration: true,
+  envTag: "unknown",
+  async available() {
+    return hasCmd("supabase") || !!process.env.SUPABASE_ACCESS_TOKEN;
+  },
+  /** Read-only identity probe (MAY spawn). Used by the TUI "test" key + verbose
+   * `mm sources`, NOT by the hot collect path. */
+  async authState() {
+    if (!hasCmd("supabase")) {
+      return {
+        connected: !!process.env.SUPABASE_ACCESS_TOKEN,
+        mode: "token",
+        reason: process.env.SUPABASE_ACCESS_TOKEN ? undefined : "supabase CLI not installed",
+      };
+    }
+    const r = await run("supabase", ["projects", "list"]);
+    if (!r.ok) return { connected: false, mode: "projects-list", reason: (r.stderr || "not authenticated").split("\n")[0] };
+    return { connected: true, mode: "projects-list" };
+  },
+  async collect(opts, compiled) {
+    const ref = opts?.supabaseProjectRef || "local";
+    const out = [];
+
+    // (a) Secret NAMES only (never values). Requires the CLI; skipped gracefully
+    // when only a token is present (no shell to list through).
+    if (hasCmd("supabase")) {
+      const refArg = opts?.supabaseProjectRef ? ["--project-ref", opts.supabaseProjectRef] : [];
+      const secrets = await run("supabase", ["secrets", "list", ...refArg]);
+      if (secrets.ok) {
+        for (const name of parseSupabaseSecrets(secrets.stdout)) {
+          // NAME as the entry key, EMPTY value → detectInLine runs on the name
+          // only; there is no value to leak.
+          const entries = entriesFromKV(name, "", `supabase-edge://${ref}/secrets#${name}`, ref);
+          out.push(...scanConfigEntries(entries, compiled, { sourceType: "supabase-edge", env: opts?.env }));
+        }
+      }
+    }
+
+    // (b) LOCAL edge-function source bodies (no network download → testable, no
+    // disk-write of fetched code). Walk <root>/supabase/functions one level deep.
+    const fnDir = path.join(opts?.root || ".", "supabase", "functions");
+    let slugs = [];
+    try {
+      slugs = fs
+        .readdirSync(fnDir, { withFileTypes: true })
+        .filter((d) => d.isDirectory())
+        .map((d) => d.name);
+    } catch {
+      /* no local functions dir — secrets-only is fine */
+    }
+    for (const slug of slugs) {
+      let files = [];
+      try {
+        files = fs.readdirSync(path.join(fnDir, slug)).filter((f) => /\.(ts|js|tsx|jsx|mjs)$/.test(f));
+      } catch {
+        continue;
+      }
+      for (const f of files) {
+        let text;
+        try {
+          text = fs.readFileSync(path.join(fnDir, slug, f), "utf8");
+        } catch {
+          continue;
+        }
+        out.push(...scanFunctionBody(text, `supabase-edge://${ref}/${slug}/${f}`, compiled, opts?.env));
+      }
+    }
+    return out;
+  },
+};

package/src/sources/supabase.js

@@ -0,0 +1,5 @@
+/** Compatibility shim. The canonical implementation now lives in
+ * sources/supabase-edge.js (matching the source id and the integration design).
+ * This file re-exports it so the registration in sources/index.js and existing
+ * imports keep resolving to ONE implementation with no behavior change. */
+export { supabaseEdgeSource, parseSupabaseSecrets, parseFunctionList, scanFunctionBody } from "./supabase-edge.js";

package/src/sources/vercel.js

@@ -0,0 +1,74 @@
+import { hasCmd, run } from "./shell.js";
+import { scanConfigEntries, entriesFromKV } from "./configscan.js";
+
+/** Deployment TARGET → environment. The target is AUTHORITATIVE (Vercel tells us
+ * exactly where an env var deploys), so it's mapped straight through and passed as
+ * the explicit env to scanConfigEntries — never guessed, and it overrides both the
+ * integration's declared envTag AND any global --env. */
+const TARGET_ENV = { production: "prod", preview: "staging", development: "dev" };
+
+/* Pure parser (unit-tested). Parses the `vercel env ls` table into NAME + target
+ * rows. We pull NAMES ONLY (never values) so no secret can leak — a model id in a
+ * Vercel env var lives in the NAME (e.g. OPENAI_MODEL), and the value of a model
+ * env var is rarely a registry id and never worth a secret-on-disk risk. */
+export function parseVercelEnvLs(stdout) {
+  const rows = [];
+  const lines = String(stdout || "").split(/\r?\n/);
+  for (const raw of lines) {
+    const line = raw.trim();
+    if (!line) continue;
+    // Skip the header + any framing/prefix lines (no env-var name there).
+    if (/^(name\b|vercel cli|>|environment variables|retrieving)/i.test(line)) continue;
+    // Columns are whitespace-separated: NAME  VALUE(encrypted)  ENVIRONMENTS  …
+    const cols = line.split(/\s{2,}|\t/).map((c) => c.trim()).filter(Boolean);
+    if (!cols.length) continue;
+    const name = cols[0];
+    if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(name)) continue; // looks like an env-var name
+    // The environments column names one of production/preview/development.
+    const joined = cols.join(" ").toLowerCase();
+    const target = ["production", "preview", "development"].find((t) => joined.includes(t)) || "";
+    rows.push({ name, target });
+  }
+  return rows;
+}
+
+/** Vercel project env. LIVE integration: gated on the enabled toggle AND the
+ * `vercel` CLI being present (or a VERCEL_TOKEN in the env — the CLI auto-picks
+ * it up for non-interactive auth). Lists env-var NAMES only via `vercel env ls`
+ * (NEVER `vercel env pull` — that would write plaintext secrets to disk).
+ * opts: { vercelProject, vercelTeam }. */
+export const vercelSource = {
+  id: "vercel",
+  label: "Vercel project env",
+  kind: "cli",
+  integration: true,
+  envTag: "unknown",
+  async available() {
+    return hasCmd("vercel") || !!process.env.VERCEL_TOKEN;
+  },
+  async authState() {
+    const r = await run("vercel", ["whoami"]);
+    if (!r.ok) return { connected: false, mode: "whoami", reason: (r.stderr || "not logged in").split("\n")[0] };
+    return { connected: true, mode: "whoami", account: r.stdout.trim().split("\n").pop() };
+  },
+  async collect(opts, compiled) {
+    const scope = opts?.vercelTeam ? ["--scope", opts.vercelTeam] : [];
+    const project = opts?.vercelProject || "default";
+    const out = [];
+    // One pull per target so the env is authoritative + per-row correct. We ask
+    // for NAMES only; `vercel env ls <target>` prints the table without values.
+    for (const target of ["production", "preview", "development"]) {
+      const r = await run("vercel", ["env", "ls", target, ...scope]);
+      if (!r.ok) continue;
+      for (const { name } of parseVercelEnvLs(r.stdout)) {
+        // NAME-only entry: empty value → detectInLine runs on the name only, no
+        // value to leak. The TARGET is the authoritative env (overrides everything).
+        const entries = entriesFromKV(name, "", `vercel://${project}/${target}#${name}`, target);
+        out.push(...scanConfigEntries(entries, compiled, { sourceType: "vercel", env: TARGET_ENV[target] }));
+      }
+    }
+    return out;
+  },
+};
+
+export { TARGET_ENV };

package/src/tui/app.js

@@ -15,6 +15,7 @@ import { WhatsNewView, meta as whatsnewMeta } from "./views/whatsnew.js";
 import { AddView, meta as addMeta } from "./views/add.js";
 import { AlertsView, meta as alertsMeta } from "./views/alerts.js";
 import { AccountView, meta as accountMeta } from "./views/account.js";
+import { IntegrationsView, meta as integrationsMeta } from "./views/integrations.js";
 import { SignIn } from "./signin.js";
 
 // `needsAuth: true` views show a sign-in card when there's no apiKey; Local +
@@ -27,9 +28,12 @@ const VIEWS = [
   { key: "add", label: "Add", title: "add", Comp: AddView, meta: addMeta, needsAuth: true },
   { key: "alerts", label: "Alerts", title: "alerts", Comp: AlertsView, meta: alertsMeta, needsAuth: true },
   { key: "account", label: "Account", title: "account", Comp: AccountView, meta: accountMeta, needsAuth: false },
+  // Sources toggle — local-first (needsAuth:false): the enabled set persists in
+  // integrations.json and drives `mm scan`; the web mirror is best-effort.
+  { key: "integrations", label: "Sources", title: "sources", Comp: IntegrationsView, meta: integrationsMeta, needsAuth: false },
 ];
 
-const GATE_KEYS = [{ k: "1-7", label: "switch" }, { k: "7", label: "sign in" }];
+const GATE_KEYS = [{ k: "1-8", label: "switch" }, { k: "7", label: "sign in" }];
 
 // Lines of chrome around the body (topRule, lights, tabs, blank, prompt, blank,
 // toast, status, keybar, bottomRule) — the body fills whatever rows remain.