npm - @moxxy/cli - Versions diffs - 0.0.11 → 0.1.0 - Mend

@moxxy/cli 0.0.11 → 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (141) hide show

package/README.md +278 -112
package/bin/moxxy +10 -0
package/package.json +36 -53
package/src/api-client.js +286 -0
package/src/cli.js +341 -0
package/src/commands/agent.js +413 -0
package/src/commands/auth.js +326 -0
package/src/commands/channel.js +285 -0
package/src/commands/doctor.js +261 -0
package/src/commands/events.js +80 -0
package/src/commands/gateway.js +428 -0
package/src/commands/heartbeat.js +145 -0
package/src/commands/init.js +767 -0
package/src/commands/mcp.js +278 -0
package/src/commands/plugin.js +583 -0
package/src/commands/provider.js +1934 -0
package/src/commands/skill.js +125 -0
package/src/commands/template.js +237 -0
package/src/commands/uninstall.js +196 -0
package/src/commands/update.js +406 -0
package/src/commands/vault.js +219 -0
package/src/help.js +368 -0
package/src/lib/plugin-registry.js +98 -0
package/src/platform.js +40 -0
package/src/sse-client.js +79 -0
package/src/tui/action-wizards.js +130 -0
package/src/tui/app.jsx +859 -0
package/src/tui/components/action-picker.jsx +86 -0
package/src/tui/components/chat-panel.jsx +120 -0
package/src/tui/components/footer.jsx +13 -0
package/src/tui/components/header.jsx +45 -0
package/src/tui/components/input-area.jsx +384 -0
package/src/tui/components/messages/ask-message.jsx +13 -0
package/src/tui/components/messages/assistant-message.jsx +165 -0
package/src/tui/components/messages/channel-message.jsx +18 -0
package/src/tui/components/messages/event-message.jsx +22 -0
package/src/tui/components/messages/hive-status.jsx +34 -0
package/src/tui/components/messages/skill-message.jsx +31 -0
package/src/tui/components/messages/system-message.jsx +12 -0
package/src/tui/components/messages/thinking.jsx +25 -0
package/src/tui/components/messages/tool-group.jsx +62 -0
package/src/tui/components/messages/tool-message.jsx +66 -0
package/src/tui/components/messages/user-message.jsx +12 -0
package/src/tui/components/model-picker.jsx +138 -0
package/src/tui/components/multiline-input.jsx +72 -0
package/src/tui/events-handler.js +730 -0
package/src/tui/helpers.js +59 -0
package/src/tui/hooks/use-command-handler.js +451 -0
package/src/tui/index.jsx +55 -0
package/src/tui/input-utils.js +26 -0
package/src/tui/markdown-renderer.js +66 -0
package/src/tui/mcp-wizard.js +136 -0
package/src/tui/model-picker.js +174 -0
package/src/tui/slash-commands.js +26 -0
package/src/tui/store.js +12 -0
package/src/tui/theme.js +17 -0
package/src/ui.js +109 -0
package/bin/moxxy.js +0 -2
package/dist/chunk-23LZYKQ6.mjs +0 -1131
package/dist/chunk-2FZEA3NG.mjs +0 -457
package/dist/chunk-3KDPLS22.mjs +0 -1131
package/dist/chunk-3QRJTRBT.mjs +0 -1102
package/dist/chunk-6DZX6EAA.mjs +0 -37
package/dist/chunk-A4WRDUNY.mjs +0 -1242
package/dist/chunk-C46NSEKG.mjs +0 -211
package/dist/chunk-CAUXONEF.mjs +0 -1131
package/dist/chunk-CPL5V56X.mjs +0 -1131
package/dist/chunk-CTBVTTBG.mjs +0 -440
package/dist/chunk-FHHLXTEZ.mjs +0 -1121
package/dist/chunk-FXY3GPVA.mjs +0 -1126
package/dist/chunk-GSNMMI3H.mjs +0 -530
package/dist/chunk-HHOAOGUS.mjs +0 -1242
package/dist/chunk-N5JTPB6U.mjs +0 -820
package/dist/chunk-NGVL4Q5C.mjs +0 -1102
package/dist/chunk-Q2OCMNYI.mjs +0 -1131
package/dist/chunk-QDVRLN6D.mjs +0 -1121
package/dist/chunk-QO2JONHP.mjs +0 -1131
package/dist/chunk-RVAPILHA.mjs +0 -1242
package/dist/chunk-S7YBOV7E.mjs +0 -1131
package/dist/chunk-SHIG6Y5L.mjs +0 -1074
package/dist/chunk-SOFST2PV.mjs +0 -1242
package/dist/chunk-TMZWETMH.mjs +0 -1242
package/dist/chunk-TYD7NMMI.mjs +0 -581
package/dist/chunk-TYQ3YS42.mjs +0 -1068
package/dist/chunk-UALWCJ7F.mjs +0 -1131
package/dist/chunk-UQZKODNW.mjs +0 -1124
package/dist/chunk-USC6R2ON.mjs +0 -1242
package/dist/chunk-W32EQCVC.mjs +0 -823
package/dist/chunk-WMB5ENMC.mjs +0 -1242
package/dist/chunk-WNHA5JAP.mjs +0 -1242
package/dist/cli-2AIWTL6F.mjs +0 -8
package/dist/cli-2QKJ5UUL.mjs +0 -8
package/dist/cli-4RIS6DQX.mjs +0 -8
package/dist/cli-5RH4VBBL.mjs +0 -7
package/dist/cli-7MK4YGOP.mjs +0 -7
package/dist/cli-B4KH6MZI.mjs +0 -8
package/dist/cli-CGO2LZ6Z.mjs +0 -8
package/dist/cli-CVP26EL2.mjs +0 -8
package/dist/cli-DDRVVNAV.mjs +0 -8
package/dist/cli-E7U56QVQ.mjs +0 -8
package/dist/cli-EQNRMLL3.mjs +0 -8
package/dist/cli-F5RUHHH4.mjs +0 -8
package/dist/cli-LX6FFSEF.mjs +0 -8
package/dist/cli-LY74GWKR.mjs +0 -6
package/dist/cli-MAT3ZJHI.mjs +0 -8
package/dist/cli-NJXXTQYF.mjs +0 -8
package/dist/cli-O4ZGFAZG.mjs +0 -8
package/dist/cli-ORVLI3UQ.mjs +0 -8
package/dist/cli-PV43ZVKA.mjs +0 -8
package/dist/cli-REVD6ISM.mjs +0 -8
package/dist/cli-TBX76KQX.mjs +0 -8
package/dist/cli-TLX5ENVM.mjs +0 -8
package/dist/cli-TNJHCBQA.mjs +0 -6
package/dist/cli-TUX22CZP.mjs +0 -8
package/dist/cli-XJVH7EEP.mjs +0 -8
package/dist/cli-XXOW4VXJ.mjs +0 -8
package/dist/cli-XZ5RESNB.mjs +0 -6
package/dist/cli-YCBYZ76Q.mjs +0 -8
package/dist/cli-ZLMQCU7X.mjs +0 -8
package/dist/dist-2VGKJRBH.mjs +0 -6820
package/dist/dist-37BNX4QG.mjs +0 -7081
package/dist/dist-7LTHRYKA.mjs +0 -11569
package/dist/dist-7XJPQW5C.mjs +0 -6950
package/dist/dist-AYMVOW7T.mjs +0 -7123
package/dist/dist-FAXRJMEN.mjs +0 -6812
package/dist/dist-HQGANM3P.mjs +0 -6976
package/dist/dist-KATLOZQV.mjs +0 -7054
package/dist/dist-KLSB6YHV.mjs +0 -6964
package/dist/dist-LKIOZQ42.mjs +0 -17
package/dist/dist-UYA4RJUH.mjs +0 -2792
package/dist/dist-ZYHCBILM.mjs +0 -6993
package/dist/index.d.mts +0 -23
package/dist/index.d.ts +0 -23
package/dist/index.js +0 -25512
package/dist/index.mjs +0 -18
package/dist/src-APP5P3UD.mjs +0 -1386
package/dist/src-D5HMDDVE.mjs +0 -1324
package/dist/src-EK3WD4AU.mjs +0 -1327
package/dist/src-LSZFLMFN.mjs +0 -1400
package/dist/src-WIOCZRAC.mjs +0 -1397
package/dist/src-YK6CHCMW.mjs +0 -1400

package/src/commands/update.js ADDED Viewed

@@ -0,0 +1,406 @@
+import { p } from '../ui.js';
+import { startGateway, stopGateway, findBinary, paths } from './gateway.js';
+import { execSync } from 'node:child_process';
+import {
+  existsSync, copyFileSync, renameSync, chmodSync, unlinkSync,
+  createReadStream, createWriteStream, readFileSync,
+} from 'node:fs';
+import { pipeline } from 'node:stream/promises';
+import { createHash } from 'node:crypto';
+import { platform, arch } from 'node:os';
+import { fileURLToPath } from 'node:url';
+import { dirname, join } from 'node:path';
+const GITHUB_REPO = process.env.MOXXY_GITHUB_REPO || 'moxxy-ai/moxxy';
+const GITHUB_API = 'https://api.github.com';
+// --- Pure functions (exported for testing) ---
+export function detectPlatform() {
+  const osMap = { darwin: 'darwin', linux: 'linux' };
+  const archMap = { arm64: 'arm64', x64: 'x86_64' };
+  const os = osMap[platform()] || platform();
+  const cpuArch = archMap[arch()] || arch();
+  const binaryName = `moxxy-gateway-${os}-${cpuArch}`;
+  return { os, arch: cpuArch, binaryName };
+}
+export function parseUpdateFlags(args) {
+  const flags = { check: false, rollback: false, force: false, json: false };
+  for (const arg of args) {
+    if (arg === '--check') flags.check = true;
+    else if (arg === '--rollback') flags.rollback = true;
+    else if (arg === '--force') flags.force = true;
+    else if (arg === '--json') flags.json = true;
+  }
+  return flags;
+}
+export function compareVersions(current, latest) {
+  const normalize = (v) => v.replace(/^v/, '').split('.').map(Number);
+  const c = normalize(current);
+  const l = normalize(latest);
+  // Pad to equal length
+  while (c.length < 3) c.push(0);
+  while (l.length < 3) l.push(0);
+  for (let i = 0; i < 3; i++) {
+    if (l[i] > c[i]) return 'update-available';
+    if (l[i] < c[i]) return 'newer';
+  }
+  return 'up-to-date';
+}
+export function parseChecksumFile(content) {
+  const result = {};
+  if (!content) return result;
+  for (const line of content.split('\n')) {
+    const trimmed = line.trim();
+    if (!trimmed) continue;
+    // Format: <64-hex-hash>  <filename> (two spaces between)
+    const match = trimmed.match(/^([a-f0-9]{64})\s+(.+)$/);
+    if (match) {
+      result[match[2]] = match[1];
+    }
+  }
+  return result;
+}
+export function findAssetUrl(assets, binaryName) {
+  const asset = assets.find(a => a.name === binaryName);
+  return asset ? asset.browser_download_url : null;
+}
+export function findChecksumUrl(assets) {
+  const asset = assets.find(a => a.name === 'checksums.sha256');
+  return asset ? asset.browser_download_url : null;
+}
+// --- Internal helpers ---
+async function getCurrentGatewayVersion(binPath) {
+  // Try health endpoint first
+  const apiUrl = process.env.MOXXY_API_URL || 'http://localhost:3000';
+  try {
+    const resp = await fetch(`${apiUrl}/v1/health`, { signal: AbortSignal.timeout(2000) });
+    if (resp.ok) {
+      const data = await resp.json();
+      if (data.version) return data.version;
+    }
+  } catch { /* gateway not running, fallback */ }
+  // Fallback to binary --version
+  if (binPath && existsSync(binPath)) {
+    try {
+      const out = execSync(`"${binPath}" --version`, { encoding: 'utf-8', timeout: 5000 });
+      const match = out.trim().match(/moxxy-gateway\s+(.+)/);
+      if (match) return match[1];
+    } catch { /* binary not executable or other error */ }
+  }
+  return null;
+}
+function getCurrentCliVersion() {
+  try {
+    const __filename = fileURLToPath(import.meta.url);
+    const __dirname = dirname(__filename);
+    const pkgPath = join(__dirname, '..', '..', 'package.json');
+    const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
+    return pkg.version;
+  } catch {
+    return null;
+  }
+}
+async function fetchLatestRelease() {
+  const token = process.env.GITHUB_TOKEN || process.env.GH_TOKEN;
+  const headers = { 'Accept': 'application/vnd.github+json', 'User-Agent': 'moxxy-cli' };
+  if (token) headers['Authorization'] = `Bearer ${token}`;
+  const url = `${GITHUB_API}/repos/${GITHUB_REPO}/releases/latest`;
+  const resp = await fetch(url, { headers, signal: AbortSignal.timeout(10000) });
+  if (resp.status === 403) {
+    const remaining = resp.headers.get('x-ratelimit-remaining');
+    if (remaining === '0') {
+      throw new Error('GitHub API rate limit exceeded. Set GITHUB_TOKEN env var to increase the limit.');
+    }
+    throw new Error(`GitHub API returned 403: ${resp.statusText}`);
+  }
+  if (resp.status === 404) {
+    throw new Error('No releases found. The project may not have published any releases yet.');
+  }
+  if (!resp.ok) {
+    throw new Error(`GitHub API error: ${resp.status} ${resp.statusText}`);
+  }
+  return resp.json();
+}
+async function downloadFile(url, destPath) {
+  const token = process.env.GITHUB_TOKEN || process.env.GH_TOKEN;
+  const headers = { 'User-Agent': 'moxxy-cli', 'Accept': 'application/octet-stream' };
+  if (token) headers['Authorization'] = `Bearer ${token}`;
+  const resp = await fetch(url, { headers, signal: AbortSignal.timeout(120000) });
+  if (!resp.ok) throw new Error(`Download failed: ${resp.status} ${resp.statusText}`);
+  const fileStream = createWriteStream(destPath);
+  await pipeline(resp.body, fileStream);
+}
+async function downloadText(url) {
+  const token = process.env.GITHUB_TOKEN || process.env.GH_TOKEN;
+  const headers = { 'User-Agent': 'moxxy-cli', 'Accept': 'application/octet-stream' };
+  if (token) headers['Authorization'] = `Bearer ${token}`;
+  const resp = await fetch(url, { headers, signal: AbortSignal.timeout(10000) });
+  if (!resp.ok) throw new Error(`Download failed: ${resp.status} ${resp.statusText}`);
+  return resp.text();
+}
+async function verifyChecksum(filePath, expectedHash) {
+  return new Promise((resolve, reject) => {
+    const hash = createHash('sha256');
+    const stream = createReadStream(filePath);
+    stream.on('data', (chunk) => hash.update(chunk));
+    stream.on('end', () => {
+      const actual = hash.digest('hex');
+      resolve(actual === expectedHash);
+    });
+    stream.on('error', reject);
+  });
+}
+async function healthCheckAfterUpdate() {
+  const apiUrl = process.env.MOXXY_API_URL || 'http://localhost:3000';
+  for (let i = 0; i < 10; i++) {
+    await new Promise(r => setTimeout(r, 500));
+    try {
+      const resp = await fetch(`${apiUrl}/v1/health`, { signal: AbortSignal.timeout(1000) });
+      if (resp.ok) {
+        const data = await resp.json();
+        return { healthy: true, version: data.version || null };
+      }
+    } catch { /* retry */ }
+  }
+  return { healthy: false, version: null };
+}
+async function isGatewayRunning() {
+  const apiUrl = process.env.MOXXY_API_URL || 'http://localhost:3000';
+  try {
+    const resp = await fetch(`${apiUrl}/v1/health`, { signal: AbortSignal.timeout(2000) });
+    return resp.ok;
+  } catch {
+    return false;
+  }
+}
+// --- Rollback ---
+async function runRollback(flags) {
+  const { bin: binPath } = paths();
+  const bakPath = binPath + '.bak';
+  if (!existsSync(bakPath)) {
+    p.log.error('No backup found. Cannot rollback (no .bak file exists).');
+    process.exitCode = 1;
+    return;
+  }
+  const wasRunning = await isGatewayRunning();
+  if (wasRunning) {
+    p.log.step('Stopping gateway...');
+    try { await stopGateway(); } catch (e) { p.log.warn(`Failed to stop gateway: ${e.message}`); }
+    await new Promise(r => setTimeout(r, 1000));
+  }
+  copyFileSync(bakPath, binPath);
+  chmodSync(binPath, 0o755);
+  p.log.success('Restored gateway binary from backup.');
+  if (wasRunning) {
+    p.log.step('Starting gateway...');
+    try { await startGateway(); } catch (e) { p.log.warn(`Failed to start gateway: ${e.message}`); }
+  }
+  const health = await healthCheckAfterUpdate();
+  if (health.healthy) {
+    p.log.success(`Gateway healthy${health.version ? ` (v${health.version})` : ''}.`);
+  } else if (wasRunning) {
+    p.log.warn('Gateway health check failed after rollback.');
+  }
+  if (flags.json) {
+    console.log(JSON.stringify({ rolled_back: true, healthy: health.healthy, version: health.version }));
+  }
+}
+// --- Main update flow ---
+export async function runUpdate(client, args) {
+  const flags = parseUpdateFlags(args);
+  if (flags.rollback) {
+    await runRollback(flags);
+    return;
+  }
+  const { binaryName } = detectPlatform();
+  const binPath = findBinary();
+  // Current versions
+  const currentGateway = await getCurrentGatewayVersion(binPath);
+  const currentCli = getCurrentCliVersion();
+  // Fetch latest release
+  let release;
+  try {
+    release = await fetchLatestRelease();
+  } catch (err) {
+    p.log.error(err.message);
+    process.exitCode = 1;
+    return;
+  }
+  const latestVersion = release.tag_name.replace(/^v/, '');
+  // Compare
+  const gatewayComparison = currentGateway
+    ? compareVersions(currentGateway, latestVersion)
+    : 'update-available';
+  const cliComparison = currentCli
+    ? compareVersions(currentCli, latestVersion)
+    : 'update-available';
+  // --check: just report
+  if (flags.check) {
+    if (flags.json) {
+      console.log(JSON.stringify({
+        current: { gateway: currentGateway, cli: currentCli },
+        latest: latestVersion,
+        gateway_status: gatewayComparison,
+        cli_status: cliComparison,
+      }));
+    } else {
+      p.log.info(`Current gateway: ${currentGateway || 'unknown'}`);
+      p.log.info(`Current CLI:     ${currentCli || 'unknown'}`);
+      p.log.info(`Latest release:  ${latestVersion}`);
+      if (gatewayComparison === 'update-available' || cliComparison === 'update-available') {
+        p.log.info('Update available! Run `moxxy update` to install.');
+      } else {
+        p.log.success('Everything is up to date.');
+      }
+    }
+    return;
+  }
+  // Up-to-date check
+  if (gatewayComparison === 'up-to-date' && cliComparison === 'up-to-date' && !flags.force) {
+    p.log.success(`Already up to date (v${latestVersion}).`);
+    return;
+  }
+  // --- Update gateway binary ---
+  if (gatewayComparison === 'update-available' || flags.force) {
+    const assetUrl = findAssetUrl(release.assets, binaryName);
+    if (!assetUrl) {
+      p.log.error(`No binary found for platform: ${binaryName}`);
+      p.log.info('Available assets: ' + release.assets.map(a => a.name).join(', '));
+      process.exitCode = 1;
+      return;
+    }
+    // Checksum
+    const checksumUrl = findChecksumUrl(release.assets);
+    let expectedHash = null;
+    if (checksumUrl) {
+      try {
+        const checksumContent = await downloadText(checksumUrl);
+        const checksums = parseChecksumFile(checksumContent);
+        expectedHash = checksums[binaryName] || null;
+      } catch (e) {
+        p.log.warn(`Could not download checksums: ${e.message}`);
+      }
+    } else {
+      p.log.warn('No checksum file found in release. Skipping verification.');
+    }
+    const { bin: installPath } = paths();
+    const tmpPath = installPath + '.download';
+    // Download
+    p.log.step(`Downloading ${binaryName}...`);
+    try {
+      await downloadFile(assetUrl, tmpPath);
+    } catch (err) {
+      try { unlinkSync(tmpPath); } catch { /* cleanup */ }
+      p.log.error(`Download failed: ${err.message}`);
+      process.exitCode = 1;
+      return;
+    }
+    // Verify checksum
+    if (expectedHash) {
+      const valid = await verifyChecksum(tmpPath, expectedHash);
+      if (!valid) {
+        try { unlinkSync(tmpPath); } catch { /* cleanup */ }
+        p.log.error('Checksum verification failed. The download may be corrupted.');
+        process.exitCode = 1;
+        return;
+      }
+      p.log.success('Checksum verified.');
+    }
+    // Stop gateway if running
+    const wasRunning = await isGatewayRunning();
+    if (wasRunning) {
+      p.log.step('Stopping gateway...');
+      try { await stopGateway(); } catch (e) { p.log.warn(`Failed to stop gateway: ${e.message}`); }
+      await new Promise(r => setTimeout(r, 1000));
+    }
+    // Backup + install
+    if (existsSync(installPath)) {
+      copyFileSync(installPath, installPath + '.bak');
+    }
+    renameSync(tmpPath, installPath);
+    chmodSync(installPath, 0o755);
+    p.log.success(`Gateway updated to v${latestVersion}.`);
+    // Restart if it was running
+    if (wasRunning) {
+      p.log.step('Starting gateway...');
+      try { await startGateway(); } catch (e) { p.log.warn(`Failed to start gateway: ${e.message}`); }
+      const health = await healthCheckAfterUpdate();
+      if (health.healthy) {
+        p.log.success('Gateway is healthy.');
+      } else {
+        p.log.warn('Gateway health check failed. Run `moxxy update --rollback` to restore the previous version.');
+      }
+    }
+  } else if (gatewayComparison !== 'update-available') {
+    p.log.info(`Gateway already at v${currentGateway}.`);
+  }
+  // --- Update CLI ---
+  if (cliComparison === 'update-available' || flags.force) {
+    p.log.step('Updating CLI...');
+    try {
+      execSync(`npm install -g @moxxy/cli@${latestVersion}`, { stdio: 'pipe', timeout: 60000 });
+      p.log.success(`CLI updated to v${latestVersion}.`);
+    } catch (err) {
+      p.log.warn(`CLI update failed. Install manually: npm install -g @moxxy/cli@${latestVersion}`);
+    }
+  } else if (cliComparison !== 'update-available') {
+    p.log.info(`CLI already at v${currentCli}.`);
+  }
+  p.log.success('Update complete.');
+}

package/src/commands/vault.js ADDED Viewed

@@ -0,0 +1,219 @@
+/**
+ * Vault commands: add/grant/revoke/list.
+ */
+import { parseFlags } from './auth.js';
+import { isInteractive, handleCancel, withSpinner, showResult, pickAgent, p } from '../ui.js';
+export async function runVault(client, args) {
+  let [action, ...rest] = args;
+  const flags = parseFlags(rest);
+  // Interactive sub-menu when no valid action
+  if (!['add', 'remove', 'grant', 'revoke', 'list'].includes(action) && isInteractive()) {
+    action = await p.select({
+      message: 'Vault action',
+      options: [
+        { value: 'add',    label: 'Add secret',    hint: 'register a new secret' },
+        { value: 'remove', label: 'Remove secret',  hint: 'delete a secret from the vault' },
+        { value: 'grant',  label: 'Grant access',  hint: 'grant agent access to a secret' },
+        { value: 'revoke', label: 'Revoke access', hint: 'revoke agent secret access' },
+        { value: 'list',   label: 'List secrets',  hint: 'show all secrets' },
+      ],
+    });
+    handleCancel(action);
+  }
+  switch (action) {
+    case 'add': {
+      // Interactive wizard when missing required fields
+      if ((!flags.key && !flags.name) && isInteractive()) {
+        const keyName = handleCancel(await p.text({
+          message: 'Secret key name',
+          placeholder: 'OPENAI_API_KEY',
+          validate: (val) => { if (!val) return 'Key name is required'; },
+        }));
+        const backendKey = handleCancel(await p.text({
+          message: 'Backend key reference',
+          placeholder: 'env:OPENAI_API_KEY',
+          validate: (val) => { if (!val) return 'Backend key is required'; },
+        }));
+        const policyLabel = handleCancel(await p.text({
+          message: 'Policy label',
+          placeholder: 'optional',
+        }));
+        const body = {
+          key_name: keyName,
+          backend_key: backendKey,
+        };
+        if (policyLabel) body.policy_label = policyLabel;
+        const result = await withSpinner('Adding secret...', () =>
+          client.request('/v1/vault/secrets', 'POST', body), 'Secret added.');
+        showResult('Secret Added', {
+          ID: result.id || result.secret_ref_id,
+          Key: keyName,
+          Backend: backendKey,
+        });
+        const grantNow = await p.confirm({
+          message: 'Grant to an agent?',
+          initialValue: false,
+        });
+        handleCancel(grantNow);
+        if (grantNow) {
+          const agentId = await pickAgent(client, 'Select agent to grant');
+          const secretId = result.id || result.secret_ref_id;
+          if (secretId) {
+            await withSpinner('Granting access...', () =>
+              client.request('/v1/vault/grants', 'POST', {
+                agent_id: agentId,
+                secret_ref_id: secretId,
+              }), 'Access granted.');
+          } else {
+            p.log.warn('Could not determine secret ID for grant.');
+          }
+        }
+        return result;
+      }
+      const body = {
+        key_name: flags.key || flags.name,
+        backend_key: flags.backend,
+      };
+      if (flags.label) body.policy_label = flags.label;
+      if (!body.key_name || !body.backend_key) {
+        throw new Error('Required: --key, --backend');
+      }
+      const result = await client.request('/v1/vault/secrets', 'POST', body);
+      console.log(JSON.stringify(result, null, 2));
+      return result;
+    }
+    case 'remove': {
+      let secretId = flags.id || flags.secret;
+      if (!secretId && isInteractive()) {
+        const secrets = await withSpinner('Fetching secrets...', () =>
+          client.listSecrets(), 'Secrets loaded.');
+        if (!Array.isArray(secrets) || secrets.length === 0) {
+          p.log.warn('No secrets to remove.');
+          return;
+        }
+        secretId = handleCancel(await p.select({
+          message: 'Select secret to remove',
+          options: secrets.map(s => ({
+            value: s.id,
+            label: s.key_name,
+            hint: `${s.id.slice(0, 12)}  backend=${s.backend_key}`,
+          })),
+        }));
+      }
+      if (!secretId) throw new Error('Required: --id');
+      if (isInteractive()) {
+        await withSpinner('Removing secret...', () =>
+          client.deleteSecret(secretId), 'Secret removed.');
+      } else {
+        await client.deleteSecret(secretId);
+        console.log(`Secret ${secretId} removed.`);
+      }
+      break;
+    }
+    case 'grant': {
+      if (!flags.agent || !flags.secret) {
+        throw new Error('Required: --agent, --secret');
+      }
+      const body = {
+        agent_id: flags.agent,
+        secret_ref_id: flags.secret,
+      };
+      const result = await client.request('/v1/vault/grants', 'POST', body);
+      console.log(`Grant created for agent ${flags.agent}.`);
+      return result;
+    }
+    case 'list': {
+      if (isInteractive()) {
+        const secrets = await withSpinner('Fetching secrets...', () =>
+          client.listSecrets(), 'Secrets loaded.');
+        const grants = await withSpinner('Fetching grants...', () =>
+          client.listGrants(), 'Grants loaded.');
+        if (Array.isArray(secrets) && secrets.length > 0) {
+          p.log.info('\u2500\u2500 Secrets \u2500\u2500');
+          for (const s of secrets) {
+            p.log.info(`  ${s.key_name}  (${s.id.slice(0, 12)})  backend=${s.backend_key}`);
+          }
+        } else {
+          p.log.warn('No secrets found.');
+        }
+        if (Array.isArray(grants) && grants.length > 0) {
+          p.log.info('\u2500\u2500 Grants \u2500\u2500');
+          for (const g of grants) {
+            const status = g.revoked_at ? 'revoked' : 'active';
+            p.log.info(`  agent=${g.agent_id.slice(0, 12)} secret=${g.secret_ref_id.slice(0, 12)}  [${status}]`);
+          }
+        } else {
+          p.log.info('No grants found.');
+        }
+      } else {
+        const secrets = await client.listSecrets();
+        const grants = await client.listGrants();
+        console.log(JSON.stringify({ secrets, grants }, null, 2));
+      }
+      break;
+    }
+    case 'revoke': {
+      let grantId = flags.id || flags.grant;
+      if (!grantId && isInteractive()) {
+        const grants = await withSpinner('Fetching grants...', () =>
+          client.listGrants(), 'Grants loaded.');
+        const active = (grants || []).filter(g => !g.revoked_at);
+        if (active.length === 0) {
+          p.log.warn('No active grants to revoke.');
+          return;
+        }
+        grantId = handleCancel(await p.select({
+          message: 'Select grant to revoke',
+          options: active.map(g => ({
+            value: g.id,
+            label: `agent=${g.agent_id.slice(0, 12)} secret=${g.secret_ref_id.slice(0, 12)}`,
+            hint: g.id.slice(0, 12),
+          })),
+        }));
+      }
+      if (!grantId) throw new Error('Required: --id');
+      if (isInteractive()) {
+        await withSpinner('Revoking grant...', () =>
+          client.revokeGrant(grantId), 'Grant revoked.');
+      } else {
+        await client.revokeGrant(grantId);
+        console.log(`Grant ${grantId} revoked.`);
+      }
+      break;
+    }
+    default: {
+      const { showHelp } = await import('../help.js');
+      showHelp('vault', p);
+      break;
+    }
+  }
+}