@nkmc/cli 0.2.5 → 0.3.3

package/dist/{chunk-5ZYHHSZI.js → chunk-HXHGF76V.js}

@@ -2,7 +2,7 @@
 import {
   getToken,
   saveToken
-} from "./chunk-MPXYSTOK.js";
+} from "./chunk-TDMTBOMD.js";
 
 // src/commands/register.ts
 import { readFile } from "fs/promises";

package/dist/{chunk-MPXYSTOK.js → chunk-TDMTBOMD.js}

@@ -72,11 +72,43 @@ async function getToken(domain) {
   }
   return entry.publishToken;
 }
+async function saveCredentials(creds) {
+  const dir = nkmcDir();
+  await mkdir(dir, { recursive: true });
+  const filePath = credentialsPath();
+  await writeFile(filePath, JSON.stringify(creds, null, 2) + "\n");
+  await chmod(filePath, 384);
+}
+async function saveKey(domain, auth) {
+  const creds = await loadCredentials();
+  if (!creds.keys) creds.keys = {};
+  creds.keys[domain] = { auth, updatedAt: (/* @__PURE__ */ new Date()).toISOString() };
+  await saveCredentials(creds);
+}
+async function getKey(domain) {
+  const creds = await loadCredentials();
+  return creds.keys?.[domain] ?? null;
+}
+async function listKeys() {
+  const creds = await loadCredentials();
+  return creds.keys ?? {};
+}
+async function deleteKey(domain) {
+  const creds = await loadCredentials();
+  if (!creds.keys?.[domain]) return false;
+  delete creds.keys[domain];
+  await saveCredentials(creds);
+  return true;
+}
 
 export {
   loadCredentials,
   saveToken,
   saveAgentToken,
   getAgentToken,
-  getToken
+  getToken,
+  saveKey,
+  getKey,
+  listKeys,
+  deleteKey
 };

package/dist/chunk-ZFNDBUPR.js

@@ -0,0 +1,83 @@
+#!/usr/bin/env node
+
+// src/gateway/client.ts
+var GatewayClient = class {
+  constructor(gatewayUrl, token) {
+    this.gatewayUrl = gatewayUrl;
+    this.token = token;
+  }
+  baseUrl() {
+    return this.gatewayUrl.replace(/\/$/, "");
+  }
+  async execute(command) {
+    const url = `${this.baseUrl()}/execute`;
+    const res = await fetch(url, {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${this.token}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({ command })
+    });
+    if (!res.ok) {
+      const body = await res.text();
+      throw new Error(`Gateway error ${res.status}: ${body}`);
+    }
+    return res.json();
+  }
+  // --- BYOK methods ---
+  async uploadByok(domain, auth) {
+    const url = `${this.baseUrl()}/byok/${domain}`;
+    const res = await fetch(url, {
+      method: "PUT",
+      headers: {
+        Authorization: `Bearer ${this.token}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({ auth })
+    });
+    if (!res.ok) {
+      const body = await res.text();
+      throw new Error(`BYOK upload failed ${res.status}: ${body}`);
+    }
+  }
+  async listByok() {
+    const url = `${this.baseUrl()}/byok`;
+    const res = await fetch(url, {
+      headers: { Authorization: `Bearer ${this.token}` }
+    });
+    if (!res.ok) {
+      const body = await res.text();
+      throw new Error(`BYOK list failed ${res.status}: ${body}`);
+    }
+    return res.json();
+  }
+  async deleteByok(domain) {
+    const url = `${this.baseUrl()}/byok/${domain}`;
+    const res = await fetch(url, {
+      method: "DELETE",
+      headers: { Authorization: `Bearer ${this.token}` }
+    });
+    if (!res.ok) {
+      const body = await res.text();
+      throw new Error(`BYOK delete failed ${res.status}: ${body}`);
+    }
+  }
+};
+async function createClient() {
+  const { getAgentToken } = await import("./credentials-O3WAXKAV.js");
+  const stored = await getAgentToken();
+  const gatewayUrl = process.env.NKMC_GATEWAY_URL ?? stored?.gatewayUrl ?? "https://api.nkmc.ai";
+  const token = process.env.NKMC_TOKEN ?? stored?.token ?? null;
+  if (!token) {
+    throw new Error(
+      "No token found. Run 'nkmc auth' first, or set NKMC_TOKEN."
+    );
+  }
+  return new GatewayClient(gatewayUrl, token);
+}
+
+export {
+  GatewayClient,
+  createClient
+};

package/dist/client-GXGVRLEH.js

@@ -0,0 +1,9 @@
+#!/usr/bin/env node
+import {
+  GatewayClient,
+  createClient
+} from "./chunk-ZFNDBUPR.js";
+export {
+  GatewayClient,
+  createClient
+};

package/dist/{credentials-42DL3WPT.js → credentials-O3WAXKAV.js}

@@ -1,15 +1,23 @@
 #!/usr/bin/env node
 import {
+  deleteKey,
   getAgentToken,
+  getKey,
   getToken,
+  listKeys,
   loadCredentials,
   saveAgentToken,
+  saveKey,
   saveToken
-} from "./chunk-MPXYSTOK.js";
+} from "./chunk-TDMTBOMD.js";
 export {
+  deleteKey,
   getAgentToken,
+  getKey,
   getToken,
+  listKeys,
   loadCredentials,
   saveAgentToken,
+  saveKey,
   saveToken
 };

package/dist/index.js

@@ -1,13 +1,20 @@
 #!/usr/bin/env node
 import {
   runRegister
-} from "./chunk-5ZYHHSZI.js";
+} from "./chunk-HXHGF76V.js";
 import {
+  deleteKey,
+  listKeys,
   saveAgentToken,
+  saveKey,
   saveToken
-} from "./chunk-MPXYSTOK.js";
+} from "./chunk-TDMTBOMD.js";
+import {
+  createClient
+} from "./chunk-ZFNDBUPR.js";
 
 // src/index.ts
+import { createRequire } from "module";
 import { Command } from "commander";
 
 // src/scanner/detect.ts
@@ -55,14 +62,14 @@ async function detectFramework(projectDir) {
 import { readFile as readFile2, writeFile } from "fs/promises";
 import { join as join2 } from "path";
 function generateConfig(options) {
-  const { name, version, roles, detected } = options;
+  const { name, version: version2, roles, detected } = options;
   const rolesStr = roles.map((r) => `"${r}"`).join(", ");
   const lines = [
     `import { defineConfig } from "@nkmc/core";`,
     ``,
     `export default defineConfig({`,
     `  name: "${name}",`,
-    `  version: "${version}",`,
+    `  version: "${version2}",`,
     `  roles: [${rolesStr}],`,
     `  framework: "${detected.framework}",`
   ];
@@ -444,7 +451,7 @@ async function runGenerate(projectDir, options) {
   await writeFile2(outputPath, md);
   console.log(`Generated ${outputPath}`);
   if (options?.register) {
-    const { registerService, resolveToken } = await import("./register-7SUETZ7U.js");
+    const { registerService, resolveToken } = await import("./register-UBRUY256.js");
     const gatewayUrl = options.gatewayUrl ?? process.env.NKMC_GATEWAY_URL;
     const domain = options.domain ?? process.env.NKMC_DOMAIN;
     if (!gatewayUrl || !domain) {
@@ -560,40 +567,160 @@ async function runAuth(opts) {
   console.log(`  Gateway: ${gatewayUrl}`);
 }
 
-// src/gateway/client.ts
-var GatewayClient = class {
-  constructor(gatewayUrl, token) {
-    this.gatewayUrl = gatewayUrl;
-    this.token = token;
-  }
-  async execute(command) {
-    const url = `${this.gatewayUrl.replace(/\/$/, "")}/execute`;
-    const res = await fetch(url, {
-      method: "POST",
-      headers: {
-        Authorization: `Bearer ${this.token}`,
-        "Content-Type": "application/json"
-      },
-      body: JSON.stringify({ command })
-    });
-    if (!res.ok) {
-      const body = await res.text();
-      throw new Error(`Gateway error ${res.status}: ${body}`);
-    }
-    return res.json();
+// src/keys/provider-map.ts
+var DOMAIN_AUTH_HINTS = {
+  // --- AI ---
+  "api.openai.com": {
+    envVar: "OPENAI_API_KEY",
+    authType: "bearer",
+    guideUrl: "https://platform.openai.com/api-keys"
+  },
+  "api.anthropic.com": {
+    envVar: "ANTHROPIC_API_KEY",
+    authType: "api-key",
+    headerName: "x-api-key",
+    guideUrl: "https://console.anthropic.com/settings/keys"
+  },
+  "generativelanguage.googleapis.com": {
+    envVar: "GEMINI_API_KEY",
+    authType: "api-key",
+    headerName: "x-goog-api-key",
+    guideUrl: "https://aistudio.google.com/apikey"
+  },
+  "openrouter.ai": {
+    envVar: "OPENROUTER_API_KEY",
+    authType: "bearer",
+    guideUrl: "https://openrouter.ai/keys"
+  },
+  "api.replicate.com": {
+    envVar: "REPLICATE_API_TOKEN",
+    authType: "bearer",
+    guideUrl: "https://replicate.com/account/api-tokens"
+  },
+  // --- DevOps ---
+  "api.github.com": {
+    envVar: "GITHUB_TOKEN",
+    authType: "bearer",
+    guideUrl: "https://github.com/settings/tokens"
+  },
+  "gitlab.com": {
+    envVar: "GITLAB_TOKEN",
+    authType: "bearer",
+    guideUrl: "https://gitlab.com/-/user_settings/personal_access_tokens"
+  },
+  "api.cloudflare.com": {
+    envVar: "CLOUDFLARE_API_TOKEN",
+    authType: "bearer",
+    guideUrl: "https://dash.cloudflare.com/profile/api-tokens"
+  },
+  "api.vercel.com": {
+    envVar: "VERCEL_TOKEN",
+    authType: "bearer",
+    guideUrl: "https://vercel.com/account/tokens"
+  },
+  "fly.io": {
+    envVar: "FLY_API_TOKEN",
+    authType: "bearer",
+    guideUrl: "https://fly.io/user/personal_access_tokens"
+  },
+  "api.render.com": {
+    envVar: "RENDER_API_KEY",
+    authType: "bearer",
+    guideUrl: "https://render.com/docs/api#authentication"
+  },
+  // --- Collaboration ---
+  "api.notion.com": {
+    envVar: "NOTION_API_KEY",
+    authType: "bearer",
+    guideUrl: "https://www.notion.so/my-integrations"
+  },
+  "app.asana.com": {
+    envVar: "ASANA_TOKEN",
+    authType: "bearer",
+    guideUrl: "https://app.asana.com/0/developer-console"
+  },
+  "jira.atlassian.com": {
+    envVar: "JIRA_API_TOKEN",
+    authType: "bearer",
+    guideUrl: "https://id.atlassian.com/manage-profile/security/api-tokens"
+  },
+  "slack.com": {
+    envVar: "SLACK_TOKEN",
+    authType: "bearer",
+    guideUrl: "https://api.slack.com/apps"
+  },
+  "discord.com": {
+    envVar: "DISCORD_TOKEN",
+    authType: "bearer",
+    guideUrl: "https://discord.com/developers/applications"
+  },
+  // --- Databases ---
+  "api.supabase.com": {
+    envVar: "SUPABASE_SERVICE_ROLE_KEY",
+    authType: "bearer",
+    guideUrl: "https://supabase.com/dashboard/project/_/settings/api"
+  },
+  "api.turso.tech": {
+    envVar: "TURSO_AUTH_TOKEN",
+    authType: "bearer",
+    guideUrl: "https://turso.tech/app"
+  },
+  "console.neon.tech": {
+    envVar: "NEON_API_KEY",
+    authType: "bearer",
+    guideUrl: "https://console.neon.tech"
+  },
+  // --- Communication ---
+  "api.twilio.com": {
+    envVar: "TWILIO_AUTH_TOKEN",
+    authType: "bearer",
+    guideUrl: "https://console.twilio.com"
+  },
+  "api.resend.com": {
+    envVar: "RESEND_API_KEY",
+    authType: "bearer",
+    guideUrl: "https://resend.com/api-keys"
+  },
+  // --- Payments ---
+  "api.stripe.com": {
+    envVar: "STRIPE_SECRET_KEY",
+    authType: "bearer",
+    guideUrl: "https://dashboard.stripe.com/apikeys"
+  },
+  // --- Monitoring ---
+  "sentry.io": {
+    envVar: "SENTRY_AUTH_TOKEN",
+    authType: "bearer",
+    guideUrl: "https://sentry.io/settings/account/api/auth-tokens/"
+  },
+  "api.datadoghq.com": {
+    envVar: "DD_API_KEY",
+    authType: "api-key",
+    headerName: "DD-API-KEY",
+    guideUrl: "https://app.datadoghq.com/account/settings#api"
+  },
+  // --- Music ---
+  "api.spotify.com": {
+    envVar: "SPOTIFY_TOKEN",
+    authType: "bearer",
+    guideUrl: "https://developer.spotify.com/dashboard"
+  },
+  // --- CI/CD ---
+  "circleci.com": {
+    envVar: "CIRCLECI_TOKEN",
+    authType: "bearer",
+    guideUrl: "https://app.circleci.com/settings/user/tokens"
+  },
+  // --- API Tools ---
+  "api.getpostman.com": {
+    envVar: "POSTMAN_API_KEY",
+    authType: "api-key",
+    headerName: "X-Api-Key",
+    guideUrl: "https://web.postman.co/settings/me/api-keys"
   }
 };
-async function createClient() {
-  const { getAgentToken } = await import("./credentials-42DL3WPT.js");
-  const stored = await getAgentToken();
-  const gatewayUrl = process.env.NKMC_GATEWAY_URL ?? stored?.gatewayUrl ?? "https://api.nkmc.ai";
-  const token = process.env.NKMC_TOKEN ?? stored?.token ?? null;
-  if (!token) {
-    throw new Error(
-      "No token found. Run 'nkmc auth' first, or set NKMC_TOKEN."
-    );
-  }
-  return new GatewayClient(gatewayUrl, token);
+function getAuthHint(domain) {
+  return DOMAIN_AUTH_HINTS[domain] ?? null;
 }
 
 // src/commands/fs.ts
@@ -628,8 +755,33 @@ ${endpoints}`;
   }
   return JSON.stringify(data);
 }
-function handleError(err) {
+function extractDomain(path) {
+  const segments = path.replace(/^\/+/, "").split("/");
+  const first = segments[0];
+  if (!first) return null;
+  const domain = first.includes("@") ? first.slice(0, first.indexOf("@")) : first;
+  return domain.includes(".") ? domain : null;
+}
+function isAuthError(message) {
+  if (/Gateway error (401|403):/.test(message)) return true;
+  if (/Gateway error 500:/.test(message) && /\b(Unauthorized|Unauthenticated|authenticate|API key|api[_-]?key)\b/i.test(message)) return true;
+  return false;
+}
+function handleError(err, cmdPath) {
   const message = err instanceof Error ? err.message : String(err);
+  if (isAuthError(message)) {
+    const domain = cmdPath && extractDomain(cmdPath) || message.match(/([a-z0-9-]+(?:\.[a-z0-9-]+){1,})/i)?.[1] || null;
+    if (domain) {
+      const hint = getAuthHint(domain);
+      console.error(`Error: Authentication required for ${domain}`);
+      if (hint?.guideUrl) {
+        console.error(`  Get your key:  ${hint.guideUrl}`);
+      }
+      console.error(`  Set your key:  nkmc keys set ${domain} --token <YOUR_KEY> --sync`);
+      console.error(`  Then retry your command.`);
+      process.exit(1);
+    }
+  }
   console.error(JSON.stringify({ error: message }));
   process.exit(1);
 }
@@ -640,7 +792,7 @@ function registerFsCommands(program2) {
       const result = await client.execute(`ls ${path}`);
       output(result);
     } catch (err) {
-      handleError(err);
+      handleError(err, path);
     }
   });
   program2.command("cat").description("Read file contents").argument("<path>", "File path").action(async (path) => {
@@ -649,7 +801,7 @@ function registerFsCommands(program2) {
       const result = await client.execute(`cat ${path}`);
       output(result);
     } catch (err) {
-      handleError(err);
+      handleError(err, path);
     }
   });
   program2.command("write").description("Write data to a file").argument("<path>", "File path").argument("<data>", "Data to write").action(async (path, data) => {
@@ -658,7 +810,7 @@ function registerFsCommands(program2) {
       const result = await client.execute(`write ${path} ${data}`);
       output(result);
     } catch (err) {
-      handleError(err);
+      handleError(err, path);
     }
   });
   program2.command("rm").description("Remove a file").argument("<path>", "File path").action(async (path) => {
@@ -667,7 +819,7 @@ function registerFsCommands(program2) {
       const result = await client.execute(`rm ${path}`);
       output(result);
     } catch (err) {
-      handleError(err);
+      handleError(err, path);
     }
   });
   program2.command("grep").description("Search file contents").argument("<pattern>", "Search pattern").argument("<path>", "File or directory path").action(async (pattern, path) => {
@@ -676,7 +828,7 @@ function registerFsCommands(program2) {
       const result = await client.execute(`grep ${pattern} ${path}`);
       console.log(formatGrepResults(result));
     } catch (err) {
-      handleError(err);
+      handleError(err, path);
     }
   });
   program2.command("pipe").description("Pipe commands: cat <path> | write <path>").argument("<expression...>", "Pipe expression").action(async (expression) => {
@@ -686,8 +838,8 @@ function registerFsCommands(program2) {
       if (parts.length !== 2) {
         throw new Error("Pipe expression must have exactly two stages separated by '|'");
       }
-      const [source, target] = parts;
-      if (!source.startsWith("cat ")) {
+      const [source2, target] = parts;
+      if (!source2.startsWith("cat ")) {
         throw new Error("Pipe step 1 must be a 'cat' command");
       }
       if (!target.startsWith("write ")) {
@@ -696,7 +848,7 @@ function registerFsCommands(program2) {
       const client = await createClient();
       let data;
       try {
-        data = await client.execute(source);
+        data = await client.execute(source2);
       } catch (err) {
         const msg = err instanceof Error ? err.message : String(err);
         throw new Error(`Pipe step 1 failed: ${msg}`);
@@ -711,14 +863,130 @@ function registerFsCommands(program2) {
       }
       output(result);
     } catch (err) {
-      handleError(err);
+      handleError(err, source.slice("cat ".length).trim());
+    }
+  });
+}
+
+// src/commands/keys.ts
+function registerKeysCommand(program2) {
+  const keys = program2.command("keys").description("Manage API keys for authenticated services (BYOK)");
+  keys.command("set <domain>").description("Set an API key for a domain").option("--token <value>", "API key / token value").option("--sync", "Also upload to gateway (BYOK)").action(async (domain, opts) => {
+    try {
+      const hint = getAuthHint(domain);
+      let tokenValue = opts.token;
+      if (!tokenValue) {
+        const envHint = hint ? `(${hint.envVar})` : "";
+        console.error(
+          `Usage: nkmc keys set ${domain} --token <value> ${envHint}`
+        );
+        if (hint?.guideUrl) {
+          console.error(`  Get your key: ${hint.guideUrl}`);
+        }
+        process.exit(1);
+      }
+      const auth = buildAuth(domain, tokenValue, hint);
+      await saveKey(domain, auth);
+      console.log(`Key saved for ${domain}`);
+      if (opts.sync) {
+        await syncToGateway(domain, auth);
+      }
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      console.error(`Error: ${msg}`);
+      process.exit(1);
+    }
+  });
+  keys.command("list").description("List all saved API keys").option("--remote", "Also list keys stored on gateway").action(async (opts) => {
+    try {
+      const localKeys = await listKeys();
+      const domains = Object.keys(localKeys);
+      if (domains.length === 0 && !opts.remote) {
+        console.log("No keys stored. Use 'nkmc keys set <domain>' to add one.");
+        return;
+      }
+      if (domains.length > 0) {
+        console.log("Local keys:");
+        for (const domain of domains) {
+          const entry = localKeys[domain];
+          const maskedAuth = maskAuth(entry.auth);
+          console.log(`  ${domain}  ${maskedAuth}  (${entry.updatedAt})`);
+        }
+      }
+      if (opts.remote) {
+        try {
+          const { createClient: createClient2 } = await import("./client-GXGVRLEH.js");
+          const client = await createClient2();
+          const { domains: remoteDomains } = await client.listByok();
+          console.log("\nGateway BYOK keys:");
+          if (remoteDomains.length === 0) {
+            console.log("  (none)");
+          } else {
+            for (const d of remoteDomains) {
+              console.log(`  ${d}`);
+            }
+          }
+        } catch (err) {
+          const msg = err instanceof Error ? err.message : String(err);
+          console.error(`
+Could not fetch remote keys: ${msg}`);
+        }
+      }
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      console.error(`Error: ${msg}`);
+      process.exit(1);
+    }
+  });
+  keys.command("remove <domain>").description("Remove an API key for a domain").option("--remote", "Also remove from gateway").action(async (domain, opts) => {
+    try {
+      const removed = await deleteKey(domain);
+      if (removed) {
+        console.log(`Key removed for ${domain}`);
+      } else {
+        console.log(`No key found for ${domain}`);
+      }
+      if (opts.remote) {
+        try {
+          const { createClient: createClient2 } = await import("./client-GXGVRLEH.js");
+          const client = await createClient2();
+          await client.deleteByok(domain);
+          console.log(`Gateway BYOK key removed for ${domain}`);
+        } catch (err) {
+          const msg = err instanceof Error ? err.message : String(err);
+          console.error(`Could not remove remote key: ${msg}`);
+        }
+      }
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      console.error(`Error: ${msg}`);
+      process.exit(1);
     }
   });
 }
+function buildAuth(domain, token, hint) {
+  if (hint?.authType === "api-key" && hint.headerName) {
+    return { type: "api-key", header: hint.headerName, key: token };
+  }
+  return { type: "bearer", token };
+}
+function maskAuth(auth) {
+  const value = auth.token ?? auth.key ?? "";
+  if (value.length <= 8) return `${auth.type}:****`;
+  return `${auth.type}:${value.slice(0, 4)}...${value.slice(-4)}`;
+}
+async function syncToGateway(domain, auth) {
+  const { createClient: createClient2 } = await import("./client-GXGVRLEH.js");
+  const client = await createClient2();
+  await client.uploadByok(domain, auth);
+  console.log(`Key synced to gateway for ${domain}`);
+}
 
 // src/index.ts
+var require2 = createRequire(import.meta.url);
+var { version } = require2("../../package.json");
 var program = new Command();
-program.name("nkmc").description("nkmc SDK CLI").version("0.1.0");
+program.name("nkmc").description("nkmc SDK CLI").version(version);
 program.command("init").description("Initialize nkmc in the current project").argument("[dir]", "Project directory", ".").action(async (dir) => {
   const projectDir = dir === "." ? process.cwd() : dir;
   await runInit(projectDir);
@@ -754,4 +1022,5 @@ program.command("auth").description("Authenticate with the nkmc gateway").option
   await runAuth({ gatewayUrl: opts.gatewayUrl });
 });
 registerFsCommands(program);
+registerKeysCommand(program);
 program.parse();

package/dist/{register-7SUETZ7U.js → register-UBRUY256.js}

@@ -3,8 +3,8 @@ import {
   registerService,
   resolveToken,
   runRegister
-} from "./chunk-5ZYHHSZI.js";
-import "./chunk-MPXYSTOK.js";
+} from "./chunk-HXHGF76V.js";
+import "./chunk-TDMTBOMD.js";
 export {
   registerService,
   resolveToken,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nkmc/cli",
-  "version": "0.2.5",
+  "version": "0.3.3",
   "description": "CLI for scanning and registering APIs with the nkmc gateway",
   "license": "MIT",
   "type": "module",
@@ -13,7 +13,7 @@
   },
   "dependencies": {
     "@mrleebo/prisma-ast": "^0.13.1",
-    "@nkmc/core": "^0.1.0",
+    "@nkmc/core": "^0.1.1",
     "commander": "^13.0.0",
     "ts-morph": "^27.0.2"
   },