@nkmc/cli 0.2.5 → 0.3.4

package/dist/{chunk-5ZYHHSZI.js → chunk-HXHGF76V.js}

@@ -2,7 +2,7 @@
 import {
   getToken,
   saveToken
-} from "./chunk-MPXYSTOK.js";
+} from "./chunk-TDMTBOMD.js";
 
 // src/commands/register.ts
 import { readFile } from "fs/promises";

package/dist/{chunk-MPXYSTOK.js → chunk-TDMTBOMD.js}

@@ -72,11 +72,43 @@ async function getToken(domain) {
   }
   return entry.publishToken;
 }
+async function saveCredentials(creds) {
+  const dir = nkmcDir();
+  await mkdir(dir, { recursive: true });
+  const filePath = credentialsPath();
+  await writeFile(filePath, JSON.stringify(creds, null, 2) + "\n");
+  await chmod(filePath, 384);
+}
+async function saveKey(domain, auth) {
+  const creds = await loadCredentials();
+  if (!creds.keys) creds.keys = {};
+  creds.keys[domain] = { auth, updatedAt: (/* @__PURE__ */ new Date()).toISOString() };
+  await saveCredentials(creds);
+}
+async function getKey(domain) {
+  const creds = await loadCredentials();
+  return creds.keys?.[domain] ?? null;
+}
+async function listKeys() {
+  const creds = await loadCredentials();
+  return creds.keys ?? {};
+}
+async function deleteKey(domain) {
+  const creds = await loadCredentials();
+  if (!creds.keys?.[domain]) return false;
+  delete creds.keys[domain];
+  await saveCredentials(creds);
+  return true;
+}
 
 export {
   loadCredentials,
   saveToken,
   saveAgentToken,
   getAgentToken,
-  getToken
+  getToken,
+  saveKey,
+  getKey,
+  listKeys,
+  deleteKey
 };

package/dist/chunk-ZFNDBUPR.js

@@ -0,0 +1,83 @@
+#!/usr/bin/env node
+
+// src/gateway/client.ts
+var GatewayClient = class {
+  constructor(gatewayUrl, token) {
+    this.gatewayUrl = gatewayUrl;
+    this.token = token;
+  }
+  baseUrl() {
+    return this.gatewayUrl.replace(/\/$/, "");
+  }
+  async execute(command) {
+    const url = `${this.baseUrl()}/execute`;
+    const res = await fetch(url, {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${this.token}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({ command })
+    });
+    if (!res.ok) {
+      const body = await res.text();
+      throw new Error(`Gateway error ${res.status}: ${body}`);
+    }
+    return res.json();
+  }
+  // --- BYOK methods ---
+  async uploadByok(domain, auth) {
+    const url = `${this.baseUrl()}/byok/${domain}`;
+    const res = await fetch(url, {
+      method: "PUT",
+      headers: {
+        Authorization: `Bearer ${this.token}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({ auth })
+    });
+    if (!res.ok) {
+      const body = await res.text();
+      throw new Error(`BYOK upload failed ${res.status}: ${body}`);
+    }
+  }
+  async listByok() {
+    const url = `${this.baseUrl()}/byok`;
+    const res = await fetch(url, {
+      headers: { Authorization: `Bearer ${this.token}` }
+    });
+    if (!res.ok) {
+      const body = await res.text();
+      throw new Error(`BYOK list failed ${res.status}: ${body}`);
+    }
+    return res.json();
+  }
+  async deleteByok(domain) {
+    const url = `${this.baseUrl()}/byok/${domain}`;
+    const res = await fetch(url, {
+      method: "DELETE",
+      headers: { Authorization: `Bearer ${this.token}` }
+    });
+    if (!res.ok) {
+      const body = await res.text();
+      throw new Error(`BYOK delete failed ${res.status}: ${body}`);
+    }
+  }
+};
+async function createClient() {
+  const { getAgentToken } = await import("./credentials-O3WAXKAV.js");
+  const stored = await getAgentToken();
+  const gatewayUrl = process.env.NKMC_GATEWAY_URL ?? stored?.gatewayUrl ?? "https://api.nkmc.ai";
+  const token = process.env.NKMC_TOKEN ?? stored?.token ?? null;
+  if (!token) {
+    throw new Error(
+      "No token found. Run 'nkmc auth' first, or set NKMC_TOKEN."
+    );
+  }
+  return new GatewayClient(gatewayUrl, token);
+}
+
+export {
+  GatewayClient,
+  createClient
+};

package/dist/client-GXGVRLEH.js

@@ -0,0 +1,9 @@
+#!/usr/bin/env node
+import {
+  GatewayClient,
+  createClient
+} from "./chunk-ZFNDBUPR.js";
+export {
+  GatewayClient,
+  createClient
+};

package/dist/{credentials-42DL3WPT.js → credentials-O3WAXKAV.js}

@@ -1,15 +1,23 @@
 #!/usr/bin/env node
 import {
+  deleteKey,
   getAgentToken,
+  getKey,
   getToken,
+  listKeys,
   loadCredentials,
   saveAgentToken,
+  saveKey,
   saveToken
-} from "./chunk-MPXYSTOK.js";
+} from "./chunk-TDMTBOMD.js";
 export {
+  deleteKey,
   getAgentToken,
+  getKey,
   getToken,
+  listKeys,
   loadCredentials,
   saveAgentToken,
+  saveKey,
   saveToken
 };

package/dist/dist-NYTRZS3R.js

@@ -0,0 +1,625 @@
+#!/usr/bin/env node
+
+// ../../node_modules/.pnpm/@shipkey+core@0.1.0/node_modules/@shipkey/core/dist/index.js
+import { execFile } from "child_process";
+function exec(cmd, args, env) {
+  return new Promise((resolve, reject) => {
+    execFile(
+      cmd,
+      args,
+      { maxBuffer: 10 * 1024 * 1024, env: env ?? process.env },
+      (err, stdout, stderr) => {
+        if (err)
+          reject(new Error(`${cmd} failed: ${stderr?.trim() || err.message}`));
+        else resolve(stdout.trim());
+      }
+    );
+  });
+}
+async function exec2(args) {
+  return exec("op", args, {
+    ...process.env,
+    OP_BIOMETRIC_UNLOCK_ENABLED: "true"
+  });
+}
+var OnePasswordBackend = class {
+  name = "1Password";
+  sectionName(project, env) {
+    return `${project}-${env}`;
+  }
+  buildRef(ref) {
+    const section = this.sectionName(ref.project, ref.env);
+    return `op://${ref.vault}/${ref.provider}/${section}/${ref.field}`;
+  }
+  buildInlineRef(ref) {
+    return this.buildRef(ref);
+  }
+  buildWriteArgs(entry) {
+    const { ref, value } = entry;
+    const section = this.sectionName(ref.project, ref.env);
+    const fieldKey = `${section}.${ref.field}`;
+    return [
+      "item",
+      "edit",
+      ref.provider,
+      "--vault",
+      ref.vault,
+      `${fieldKey}[password]=${value}`
+    ];
+  }
+  async isAvailable() {
+    const status = await this.checkStatus();
+    return status === "ready";
+  }
+  async checkStatus() {
+    try {
+      await exec2(["--version"]);
+    } catch {
+      return "not_installed";
+    }
+    try {
+      const output = await exec2(["account", "list", "--format=json"]);
+      const accounts = JSON.parse(output);
+      if (!Array.isArray(accounts) || accounts.length === 0) {
+        return "not_logged_in";
+      }
+      return "ready";
+    } catch {
+      return "not_logged_in";
+    }
+  }
+  async read(ref) {
+    return exec2(["read", this.buildRef(ref)]);
+  }
+  async readRaw(opUri) {
+    return exec2(["read", opUri]);
+  }
+  async listVaultItems(vault) {
+    try {
+      const raw = await exec2([
+        "item",
+        "list",
+        "--vault",
+        vault,
+        "--format",
+        "json"
+      ]);
+      return JSON.parse(raw);
+    } catch {
+      return [];
+    }
+  }
+  async getItemFields(provider, vault) {
+    try {
+      const raw = await exec2([
+        "item",
+        "get",
+        provider,
+        "--vault",
+        vault,
+        "--format",
+        "json"
+      ]);
+      const item = JSON.parse(raw);
+      if (!item.fields) return [];
+      return item.fields.filter((f) => f.section?.label && f.label).map((f) => ({
+        section: f.section.label,
+        label: f.label
+      }));
+    } catch {
+      return [];
+    }
+  }
+  async ensureVault(vault) {
+    try {
+      await exec2(["vault", "get", vault]);
+    } catch {
+      await exec2(["vault", "create", vault, "--icon", "vault-door"]);
+    }
+  }
+  async write(entry) {
+    const { ref, value } = entry;
+    const section = this.sectionName(ref.project, ref.env);
+    const fieldKey = `${section}.${ref.field}`;
+    await this.ensureVault(ref.vault);
+    try {
+      await exec2([
+        "item",
+        "edit",
+        ref.provider,
+        "--vault",
+        ref.vault,
+        `${fieldKey}[password]=${value}`
+      ]);
+    } catch {
+      await exec2([
+        "item",
+        "create",
+        "--vault",
+        ref.vault,
+        "--category",
+        "API Credential",
+        "--title",
+        ref.provider,
+        `${fieldKey}[password]=${value}`
+      ]);
+    }
+  }
+  async list(project, env, vault = "shipkey") {
+    const raw = await exec2([
+      "item",
+      "list",
+      "--vault",
+      vault,
+      "--format",
+      "json"
+    ]);
+    const items = JSON.parse(raw);
+    const refs = [];
+    for (const item of items) {
+      const detail = await exec2([
+        "item",
+        "get",
+        item.id,
+        "--format",
+        "json"
+      ]);
+      const parsed = JSON.parse(detail);
+      if (!parsed.fields) continue;
+      for (const field of parsed.fields) {
+        if (!field.section?.label) continue;
+        const sectionLabel = field.section.label;
+        const dashIndex = sectionLabel.lastIndexOf("-");
+        if (dashIndex === -1) continue;
+        const proj = sectionLabel.slice(0, dashIndex);
+        const e = sectionLabel.slice(dashIndex + 1);
+        if (project && proj !== project) continue;
+        if (env && e !== env) continue;
+        refs.push({
+          vault,
+          provider: item.title,
+          project: proj,
+          env: e,
+          field: field.label
+        });
+      }
+    }
+    return refs;
+  }
+};
+async function exec3(args) {
+  return exec("bw", args);
+}
+var FIELD_TYPE_HIDDEN = 1;
+var BitwardenBackend = class _BitwardenBackend {
+  name = "Bitwarden";
+  sectionName(project, env) {
+    return `${project}-${env}`;
+  }
+  /** Encode a field name for storage as a custom field: "project-env.FIELD_NAME" */
+  buildFieldName(ref) {
+    const section = this.sectionName(ref.project, ref.env);
+    return `${section}.${ref.field}`;
+  }
+  /** Parse a custom field name back into project, env, field */
+  static parseFieldName(fieldName) {
+    const dotIndex = fieldName.indexOf(".");
+    if (dotIndex === -1) return null;
+    const section = fieldName.slice(0, dotIndex);
+    const field = fieldName.slice(dotIndex + 1);
+    const dashIndex = section.lastIndexOf("-");
+    if (dashIndex === -1) return null;
+    return {
+      project: section.slice(0, dashIndex),
+      env: section.slice(dashIndex + 1),
+      field
+    };
+  }
+  buildInlineRef() {
+    return null;
+  }
+  async isAvailable() {
+    const status = await this.checkStatus();
+    return status === "ready";
+  }
+  async checkStatus() {
+    try {
+      await exec3(["--version"]);
+    } catch {
+      return "not_installed";
+    }
+    try {
+      const output = await exec3(["status"]);
+      const status = JSON.parse(output);
+      if (status.status === "unauthenticated") {
+        return "not_logged_in";
+      }
+      if (status.status === "locked") {
+        return "not_logged_in";
+      }
+      return "ready";
+    } catch {
+      return "not_logged_in";
+    }
+  }
+  async ensureUnlocked() {
+    const output = await exec3(["status"]);
+    const status = JSON.parse(output);
+    if (status.status === "locked") {
+      throw new Error("Bitwarden vault is locked. Run: bw unlock");
+    }
+    if (status.status === "unauthenticated") {
+      throw new Error("Bitwarden CLI not logged in. Run: bw login");
+    }
+  }
+  async findOrCreateFolder(name) {
+    const foldersRaw = await exec3(["list", "folders"]);
+    const folders = JSON.parse(foldersRaw);
+    const existing = folders.find((f) => f.name === name);
+    if (existing) return existing.id;
+    const templateRaw = await exec3(["get", "template", "folder"]);
+    const template = JSON.parse(templateRaw);
+    template.name = name;
+    const encodedFolder = Buffer.from(JSON.stringify(template)).toString(
+      "base64"
+    );
+    const created = await exec3(["create", "folder", encodedFolder]);
+    const folder = JSON.parse(created);
+    return folder.id;
+  }
+  async findItem(provider, folderId) {
+    try {
+      const raw = await exec3([
+        "list",
+        "items",
+        "--folderid",
+        folderId,
+        "--search",
+        provider
+      ]);
+      const items = JSON.parse(raw);
+      return items.find((i) => i.name === provider) || null;
+    } catch {
+      return null;
+    }
+  }
+  async read(ref) {
+    await this.ensureUnlocked();
+    const folderId = await this.findOrCreateFolder(ref.vault);
+    const item = await this.findItem(ref.provider, folderId);
+    if (!item) {
+      throw new Error(
+        `Item "${ref.provider}" not found in folder "${ref.vault}"`
+      );
+    }
+    const fieldName = this.buildFieldName(ref);
+    const field = item.fields?.find((f) => f.name === fieldName);
+    if (!field) {
+      throw new Error(
+        `Field "${fieldName}" not found in item "${ref.provider}"`
+      );
+    }
+    return field.value;
+  }
+  async write(entry) {
+    await this.ensureUnlocked();
+    const { ref, value } = entry;
+    const folderId = await this.findOrCreateFolder(ref.vault);
+    const fieldName = this.buildFieldName(ref);
+    const existingItem = await this.findItem(ref.provider, folderId);
+    if (existingItem) {
+      const fields = existingItem.fields || [];
+      const existingFieldIndex = fields.findIndex(
+        (f) => f.name === fieldName
+      );
+      if (existingFieldIndex !== -1) {
+        fields[existingFieldIndex].value = value;
+      } else {
+        fields.push({
+          name: fieldName,
+          value,
+          type: FIELD_TYPE_HIDDEN
+        });
+      }
+      existingItem.fields = fields;
+      const encoded = Buffer.from(JSON.stringify(existingItem)).toString(
+        "base64"
+      );
+      await exec3(["edit", "item", existingItem.id, encoded]);
+    } else {
+      const templateRaw = await exec3(["get", "template", "item"]);
+      const template = JSON.parse(templateRaw);
+      template.type = 2;
+      template.secureNote = { type: 0 };
+      template.name = ref.provider;
+      template.folderId = folderId;
+      template.fields = [
+        {
+          name: fieldName,
+          value,
+          type: FIELD_TYPE_HIDDEN
+        }
+      ];
+      const encoded = Buffer.from(JSON.stringify(template)).toString("base64");
+      await exec3(["create", "item", encoded]);
+    }
+  }
+  async list(project, env, vault = "shipkey") {
+    await this.ensureUnlocked();
+    const foldersRaw = await exec3(["list", "folders"]);
+    const folders = JSON.parse(foldersRaw);
+    const folder = folders.find((f) => f.name === vault);
+    if (!folder) return [];
+    const itemsRaw = await exec3([
+      "list",
+      "items",
+      "--folderid",
+      folder.id
+    ]);
+    const items = JSON.parse(itemsRaw);
+    const refs = [];
+    for (const item of items) {
+      if (!item.fields) continue;
+      for (const field of item.fields) {
+        const parsed = _BitwardenBackend.parseFieldName(field.name);
+        if (!parsed) continue;
+        if (project && parsed.project !== project) continue;
+        if (env && parsed.env !== env) continue;
+        refs.push({
+          vault,
+          provider: item.name,
+          project: parsed.project,
+          env: parsed.env,
+          field: parsed.field
+        });
+      }
+    }
+    return refs;
+  }
+};
+var BACKENDS = {
+  "1password": () => new OnePasswordBackend(),
+  bitwarden: () => new BitwardenBackend()
+};
+function getBackend(name = "1password") {
+  const factory = BACKENDS[name];
+  if (!factory) {
+    throw new Error(
+      `Unknown backend: ${name}. Available: ${Object.keys(BACKENDS).join(", ")}`
+    );
+  }
+  return factory();
+}
+function listBackends() {
+  return Object.keys(BACKENDS);
+}
+var PROVIDERS = [
+  // --- AI ---
+  {
+    name: "OpenRouter",
+    patterns: [/OPENROUTER/i],
+    guide_url: "https://openrouter.ai/keys",
+    guide: "OpenRouter \u2192 Keys \u2192 Create Key"
+  },
+  {
+    name: "OpenAI",
+    patterns: [/OPENAI/i],
+    guide_url: "https://platform.openai.com/api-keys",
+    guide: "OpenAI Platform \u2192 API Keys \u2192 Create new secret key"
+  },
+  {
+    name: "Anthropic",
+    patterns: [/ANTHROPIC/i, /CLAUDE_API/i],
+    guide_url: "https://console.anthropic.com/settings/keys",
+    guide: "Anthropic Console \u2192 Settings \u2192 API Keys \u2192 Create Key"
+  },
+  {
+    name: "Google AI",
+    patterns: [/GEMINI/i, /GOOGLE_AI/i, /GOOGLE_GENERATIVE/i],
+    guide_url: "https://aistudio.google.com/apikey",
+    guide: "Google AI Studio \u2192 Get API key \u2192 Create API key"
+  },
+  {
+    name: "Replicate",
+    patterns: [/REPLICATE/i],
+    guide_url: "https://replicate.com/account/api-tokens",
+    guide: "Replicate \u2192 Account \u2192 API Tokens"
+  },
+  {
+    name: "Hugging Face",
+    patterns: [/HUGGING_?FACE/i, /^HF_/i],
+    guide_url: "https://huggingface.co/settings/tokens",
+    guide: "Hugging Face \u2192 Settings \u2192 Access Tokens \u2192 New token"
+  },
+  {
+    name: "fal.ai",
+    patterns: [/FAL/i],
+    guide_url: "https://fal.ai/dashboard/keys",
+    guide: "fal.ai \u2192 Dashboard \u2192 Keys"
+  },
+  // --- Payments ---
+  {
+    name: "Stripe",
+    patterns: [/STRIPE/i],
+    guide_url: "https://dashboard.stripe.com/apikeys",
+    guide: "Stripe Dashboard \u2192 Developers \u2192 API Keys"
+  },
+  // --- Social / OAuth ---
+  {
+    name: "GitHub OAuth",
+    patterns: [/GITHUB/i],
+    guide_url: "https://github.com/settings/developers",
+    guide: "GitHub \u2192 Settings \u2192 Developer settings \u2192 OAuth Apps"
+  },
+  {
+    name: "Reddit",
+    patterns: [/REDDIT/i],
+    guide_url: "https://www.reddit.com/prefs/apps",
+    guide: "Reddit \u2192 Preferences \u2192 Apps \u2192 Create app"
+  },
+  {
+    name: "Product Hunt",
+    patterns: [/PRODUCTHUNT/i, /PRODUCT_HUNT/i, /^PH_/i],
+    guide_url: "https://www.producthunt.com/v2/oauth/applications",
+    guide: "Product Hunt \u2192 API Dashboard \u2192 Add an Application"
+  },
+  {
+    name: "Discord",
+    patterns: [/DISCORD/i],
+    guide_url: "https://discord.com/developers/applications",
+    guide: "Discord Developer Portal \u2192 Applications \u2192 Bot \u2192 Token"
+  },
+  {
+    name: "Slack",
+    patterns: [/SLACK/i],
+    guide_url: "https://api.slack.com/apps",
+    guide: "Slack API \u2192 Your Apps \u2192 Create New App \u2192 OAuth Tokens"
+  },
+  {
+    name: "Google",
+    patterns: [/GOOGLE/i, /^GCP_/i, /^GCLOUD_/i],
+    guide_url: "https://console.cloud.google.com/apis/credentials",
+    guide: "Google Cloud Console \u2192 APIs & Services \u2192 Credentials"
+  },
+  // --- Auth ---
+  {
+    name: "Clerk",
+    patterns: [/CLERK/i],
+    guide_url: "https://dashboard.clerk.com",
+    guide: "Clerk Dashboard \u2192 API Keys"
+  },
+  {
+    name: "Auth0",
+    patterns: [/AUTH0/i],
+    guide_url: "https://manage.auth0.com/dashboard",
+    guide: "Auth0 Dashboard \u2192 Applications \u2192 Settings"
+  },
+  // --- Communication ---
+  {
+    name: "Twilio",
+    patterns: [/TWILIO/i],
+    guide_url: "https://console.twilio.com",
+    guide: "Twilio Console \u2192 Account \u2192 API keys & tokens"
+  },
+  {
+    name: "SendGrid",
+    patterns: [/SENDGRID/i],
+    guide_url: "https://app.sendgrid.com/settings/api_keys",
+    guide: "SendGrid \u2192 Settings \u2192 API Keys \u2192 Create API Key"
+  },
+  {
+    name: "Resend",
+    patterns: [/RESEND/i],
+    guide_url: "https://resend.com/api-keys",
+    guide: "Resend \u2192 API Keys \u2192 Create API Key"
+  },
+  // --- Databases ---
+  {
+    name: "Supabase",
+    patterns: [/SUPABASE/i],
+    guide_url: "https://supabase.com/dashboard/project/_/settings/api",
+    guide: "Supabase \u2192 Project Settings \u2192 API"
+  },
+  {
+    name: "Turso",
+    patterns: [/TURSO/i],
+    guide_url: "https://turso.tech/app",
+    guide: "Turso \u2192 Dashboard \u2192 Database \u2192 Create Token"
+  },
+  {
+    name: "Upstash",
+    patterns: [/UPSTASH/i],
+    guide_url: "https://console.upstash.com",
+    guide: "Upstash Console \u2192 Database \u2192 REST API credentials"
+  },
+  {
+    name: "Neon",
+    patterns: [/NEON/i],
+    guide_url: "https://console.neon.tech",
+    guide: "Neon Console \u2192 Project \u2192 Connection Details"
+  },
+  {
+    name: "Database",
+    patterns: [/DATABASE/i, /^DB_/i]
+  },
+  {
+    name: "Redis",
+    patterns: [/REDIS/i]
+  },
+  // --- Infrastructure ---
+  {
+    name: "Cloudflare",
+    patterns: [/CLOUDFLARE/i],
+    guide_url: "https://dash.cloudflare.com/profile/api-tokens",
+    guide: "Cloudflare Dashboard \u2192 Profile \u2192 API Tokens \u2192 Create Token"
+  },
+  {
+    name: "npm",
+    patterns: [/^NPM/i],
+    guide_url: "https://www.npmjs.com/settings/~/tokens",
+    guide: "npmjs.com \u2192 Access Tokens \u2192 Generate New Token (Classic) \u2192 Publish"
+  },
+  {
+    name: "AWS",
+    patterns: [/^AWS/i],
+    guide_url: "https://console.aws.amazon.com/iam/",
+    guide: "AWS Console \u2192 IAM \u2192 Users \u2192 Security credentials"
+  },
+  {
+    name: "Vercel",
+    patterns: [/VERCEL/i],
+    guide_url: "https://vercel.com/account/tokens",
+    guide: "Vercel \u2192 Account Settings \u2192 Tokens"
+  },
+  {
+    name: "Fly",
+    patterns: [/FLY/i],
+    guide_url: "https://fly.io/user/personal_access_tokens",
+    guide: "Fly.io \u2192 Account \u2192 Access Tokens"
+  },
+  {
+    name: "Sentry",
+    patterns: [/SENTRY/i],
+    guide_url: "https://sentry.io/settings/account/api/auth-tokens/",
+    guide: "Sentry \u2192 Settings \u2192 Auth Tokens \u2192 Create New Token"
+  },
+  // --- Misc ---
+  {
+    name: "Session",
+    patterns: [/SESSION/i]
+  }
+];
+function guessProvider(key) {
+  for (const provider of PROVIDERS) {
+    if (provider.patterns.some((p) => p.test(key))) {
+      return provider.name;
+    }
+  }
+  return "General";
+}
+function groupByProvider(envKeys) {
+  const result = {};
+  for (const key of envKeys) {
+    const providerName = guessProvider(key);
+    if (!result[providerName]) {
+      const def = PROVIDERS.find((p) => p.name === providerName);
+      result[providerName] = {
+        fields: [],
+        ...def?.guide_url && { guide_url: def.guide_url },
+        ...def?.guide && { guide: def.guide }
+      };
+    }
+    result[providerName].fields.push(key);
+  }
+  return result;
+}
+export {
+  BitwardenBackend,
+  OnePasswordBackend,
+  PROVIDERS,
+  exec,
+  getBackend,
+  groupByProvider,
+  guessProvider,
+  listBackends
+};

package/dist/index.js

@@ -1,13 +1,22 @@
 #!/usr/bin/env node
 import {
   runRegister
-} from "./chunk-5ZYHHSZI.js";
+} from "./chunk-HXHGF76V.js";
 import {
+  deleteKey,
+  listKeys,
   saveAgentToken,
+  saveKey,
   saveToken
-} from "./chunk-MPXYSTOK.js";
+} from "./chunk-TDMTBOMD.js";
+import {
+  createClient
+} from "./chunk-ZFNDBUPR.js";
 
 // src/index.ts
+import { readFileSync } from "fs";
+import { fileURLToPath } from "url";
+import { dirname as dirname2, resolve } from "path";
 import { Command } from "commander";
 
 // src/scanner/detect.ts
@@ -55,14 +64,14 @@ async function detectFramework(projectDir) {
 import { readFile as readFile2, writeFile } from "fs/promises";
 import { join as join2 } from "path";
 function generateConfig(options) {
-  const { name, version, roles, detected } = options;
+  const { name, version: version2, roles, detected } = options;
   const rolesStr = roles.map((r) => `"${r}"`).join(", ");
   const lines = [
     `import { defineConfig } from "@nkmc/core";`,
     ``,
     `export default defineConfig({`,
     `  name: "${name}",`,
-    `  version: "${version}",`,
+    `  version: "${version2}",`,
     `  roles: [${rolesStr}],`,
     `  framework: "${detected.framework}",`
   ];
@@ -444,7 +453,7 @@ async function runGenerate(projectDir, options) {
   await writeFile2(outputPath, md);
   console.log(`Generated ${outputPath}`);
   if (options?.register) {
-    const { registerService, resolveToken } = await import("./register-7SUETZ7U.js");
+    const { registerService, resolveToken } = await import("./register-UBRUY256.js");
     const gatewayUrl = options.gatewayUrl ?? process.env.NKMC_GATEWAY_URL;
     const domain = options.domain ?? process.env.NKMC_DOMAIN;
     if (!gatewayUrl || !domain) {
@@ -560,40 +569,160 @@ async function runAuth(opts) {
   console.log(`  Gateway: ${gatewayUrl}`);
 }
 
-// src/gateway/client.ts
-var GatewayClient = class {
-  constructor(gatewayUrl, token) {
-    this.gatewayUrl = gatewayUrl;
-    this.token = token;
-  }
-  async execute(command) {
-    const url = `${this.gatewayUrl.replace(/\/$/, "")}/execute`;
-    const res = await fetch(url, {
-      method: "POST",
-      headers: {
-        Authorization: `Bearer ${this.token}`,
-        "Content-Type": "application/json"
-      },
-      body: JSON.stringify({ command })
-    });
-    if (!res.ok) {
-      const body = await res.text();
-      throw new Error(`Gateway error ${res.status}: ${body}`);
-    }
-    return res.json();
+// src/keys/provider-map.ts
+var DOMAIN_AUTH_HINTS = {
+  // --- AI ---
+  "api.openai.com": {
+    envVar: "OPENAI_API_KEY",
+    authType: "bearer",
+    guideUrl: "https://platform.openai.com/api-keys"
+  },
+  "api.anthropic.com": {
+    envVar: "ANTHROPIC_API_KEY",
+    authType: "api-key",
+    headerName: "x-api-key",
+    guideUrl: "https://console.anthropic.com/settings/keys"
+  },
+  "generativelanguage.googleapis.com": {
+    envVar: "GEMINI_API_KEY",
+    authType: "api-key",
+    headerName: "x-goog-api-key",
+    guideUrl: "https://aistudio.google.com/apikey"
+  },
+  "openrouter.ai": {
+    envVar: "OPENROUTER_API_KEY",
+    authType: "bearer",
+    guideUrl: "https://openrouter.ai/keys"
+  },
+  "api.replicate.com": {
+    envVar: "REPLICATE_API_TOKEN",
+    authType: "bearer",
+    guideUrl: "https://replicate.com/account/api-tokens"
+  },
+  // --- DevOps ---
+  "api.github.com": {
+    envVar: "GITHUB_TOKEN",
+    authType: "bearer",
+    guideUrl: "https://github.com/settings/tokens"
+  },
+  "gitlab.com": {
+    envVar: "GITLAB_TOKEN",
+    authType: "bearer",
+    guideUrl: "https://gitlab.com/-/user_settings/personal_access_tokens"
+  },
+  "api.cloudflare.com": {
+    envVar: "CLOUDFLARE_API_TOKEN",
+    authType: "bearer",
+    guideUrl: "https://dash.cloudflare.com/profile/api-tokens"
+  },
+  "api.vercel.com": {
+    envVar: "VERCEL_TOKEN",
+    authType: "bearer",
+    guideUrl: "https://vercel.com/account/tokens"
+  },
+  "fly.io": {
+    envVar: "FLY_API_TOKEN",
+    authType: "bearer",
+    guideUrl: "https://fly.io/user/personal_access_tokens"
+  },
+  "api.render.com": {
+    envVar: "RENDER_API_KEY",
+    authType: "bearer",
+    guideUrl: "https://render.com/docs/api#authentication"
+  },
+  // --- Collaboration ---
+  "api.notion.com": {
+    envVar: "NOTION_API_KEY",
+    authType: "bearer",
+    guideUrl: "https://www.notion.so/my-integrations"
+  },
+  "app.asana.com": {
+    envVar: "ASANA_TOKEN",
+    authType: "bearer",
+    guideUrl: "https://app.asana.com/0/developer-console"
+  },
+  "jira.atlassian.com": {
+    envVar: "JIRA_API_TOKEN",
+    authType: "bearer",
+    guideUrl: "https://id.atlassian.com/manage-profile/security/api-tokens"
+  },
+  "slack.com": {
+    envVar: "SLACK_TOKEN",
+    authType: "bearer",
+    guideUrl: "https://api.slack.com/apps"
+  },
+  "discord.com": {
+    envVar: "DISCORD_TOKEN",
+    authType: "bearer",
+    guideUrl: "https://discord.com/developers/applications"
+  },
+  // --- Databases ---
+  "api.supabase.com": {
+    envVar: "SUPABASE_SERVICE_ROLE_KEY",
+    authType: "bearer",
+    guideUrl: "https://supabase.com/dashboard/project/_/settings/api"
+  },
+  "api.turso.tech": {
+    envVar: "TURSO_AUTH_TOKEN",
+    authType: "bearer",
+    guideUrl: "https://turso.tech/app"
+  },
+  "console.neon.tech": {
+    envVar: "NEON_API_KEY",
+    authType: "bearer",
+    guideUrl: "https://console.neon.tech"
+  },
+  // --- Communication ---
+  "api.twilio.com": {
+    envVar: "TWILIO_AUTH_TOKEN",
+    authType: "bearer",
+    guideUrl: "https://console.twilio.com"
+  },
+  "api.resend.com": {
+    envVar: "RESEND_API_KEY",
+    authType: "bearer",
+    guideUrl: "https://resend.com/api-keys"
+  },
+  // --- Payments ---
+  "api.stripe.com": {
+    envVar: "STRIPE_SECRET_KEY",
+    authType: "bearer",
+    guideUrl: "https://dashboard.stripe.com/apikeys"
+  },
+  // --- Monitoring ---
+  "sentry.io": {
+    envVar: "SENTRY_AUTH_TOKEN",
+    authType: "bearer",
+    guideUrl: "https://sentry.io/settings/account/api/auth-tokens/"
+  },
+  "api.datadoghq.com": {
+    envVar: "DD_API_KEY",
+    authType: "api-key",
+    headerName: "DD-API-KEY",
+    guideUrl: "https://app.datadoghq.com/account/settings#api"
+  },
+  // --- Music ---
+  "api.spotify.com": {
+    envVar: "SPOTIFY_TOKEN",
+    authType: "bearer",
+    guideUrl: "https://developer.spotify.com/dashboard"
+  },
+  // --- CI/CD ---
+  "circleci.com": {
+    envVar: "CIRCLECI_TOKEN",
+    authType: "bearer",
+    guideUrl: "https://app.circleci.com/settings/user/tokens"
+  },
+  // --- API Tools ---
+  "api.getpostman.com": {
+    envVar: "POSTMAN_API_KEY",
+    authType: "api-key",
+    headerName: "X-Api-Key",
+    guideUrl: "https://web.postman.co/settings/me/api-keys"
   }
 };
-async function createClient() {
-  const { getAgentToken } = await import("./credentials-42DL3WPT.js");
-  const stored = await getAgentToken();
-  const gatewayUrl = process.env.NKMC_GATEWAY_URL ?? stored?.gatewayUrl ?? "https://api.nkmc.ai";
-  const token = process.env.NKMC_TOKEN ?? stored?.token ?? null;
-  if (!token) {
-    throw new Error(
-      "No token found. Run 'nkmc auth' first, or set NKMC_TOKEN."
-    );
-  }
-  return new GatewayClient(gatewayUrl, token);
+function getAuthHint(domain) {
+  return DOMAIN_AUTH_HINTS[domain] ?? null;
 }
 
 // src/commands/fs.ts
@@ -628,8 +757,33 @@ ${endpoints}`;
   }
   return JSON.stringify(data);
 }
-function handleError(err) {
+function extractDomain(path) {
+  const segments = path.replace(/^\/+/, "").split("/");
+  const first = segments[0];
+  if (!first) return null;
+  const domain = first.includes("@") ? first.slice(0, first.indexOf("@")) : first;
+  return domain.includes(".") ? domain : null;
+}
+function isAuthError(message) {
+  if (/Gateway error (401|403):/.test(message)) return true;
+  if (/Gateway error 500:/.test(message) && /\b(Unauthorized|Unauthenticated|authenticate|API key|api[_-]?key)\b/i.test(message)) return true;
+  return false;
+}
+function handleError(err, cmdPath) {
   const message = err instanceof Error ? err.message : String(err);
+  if (isAuthError(message)) {
+    const domain = cmdPath && extractDomain(cmdPath) || message.match(/([a-z0-9-]+(?:\.[a-z0-9-]+){1,})/i)?.[1] || null;
+    if (domain) {
+      const hint = getAuthHint(domain);
+      console.error(`Error: Authentication required for ${domain}`);
+      if (hint?.guideUrl) {
+        console.error(`  Get your key:  ${hint.guideUrl}`);
+      }
+      console.error(`  Set your key:  nkmc keys set ${domain} --token <YOUR_KEY> --sync`);
+      console.error(`  Then retry your command.`);
+      process.exit(1);
+    }
+  }
   console.error(JSON.stringify({ error: message }));
   process.exit(1);
 }
@@ -640,7 +794,7 @@ function registerFsCommands(program2) {
       const result = await client.execute(`ls ${path}`);
       output(result);
     } catch (err) {
-      handleError(err);
+      handleError(err, path);
     }
   });
   program2.command("cat").description("Read file contents").argument("<path>", "File path").action(async (path) => {
@@ -649,7 +803,7 @@ function registerFsCommands(program2) {
       const result = await client.execute(`cat ${path}`);
       output(result);
     } catch (err) {
-      handleError(err);
+      handleError(err, path);
     }
   });
   program2.command("write").description("Write data to a file").argument("<path>", "File path").argument("<data>", "Data to write").action(async (path, data) => {
@@ -658,7 +812,7 @@ function registerFsCommands(program2) {
       const result = await client.execute(`write ${path} ${data}`);
       output(result);
     } catch (err) {
-      handleError(err);
+      handleError(err, path);
     }
   });
   program2.command("rm").description("Remove a file").argument("<path>", "File path").action(async (path) => {
@@ -667,7 +821,7 @@ function registerFsCommands(program2) {
       const result = await client.execute(`rm ${path}`);
       output(result);
     } catch (err) {
-      handleError(err);
+      handleError(err, path);
     }
   });
   program2.command("grep").description("Search file contents").argument("<pattern>", "Search pattern").argument("<path>", "File or directory path").action(async (pattern, path) => {
@@ -676,7 +830,7 @@ function registerFsCommands(program2) {
       const result = await client.execute(`grep ${pattern} ${path}`);
       console.log(formatGrepResults(result));
     } catch (err) {
-      handleError(err);
+      handleError(err, path);
     }
   });
   program2.command("pipe").description("Pipe commands: cat <path> | write <path>").argument("<expression...>", "Pipe expression").action(async (expression) => {
@@ -686,8 +840,8 @@ function registerFsCommands(program2) {
       if (parts.length !== 2) {
         throw new Error("Pipe expression must have exactly two stages separated by '|'");
       }
-      const [source, target] = parts;
-      if (!source.startsWith("cat ")) {
+      const [source2, target] = parts;
+      if (!source2.startsWith("cat ")) {
         throw new Error("Pipe step 1 must be a 'cat' command");
       }
       if (!target.startsWith("write ")) {
@@ -696,7 +850,7 @@ function registerFsCommands(program2) {
       const client = await createClient();
       let data;
       try {
-        data = await client.execute(source);
+        data = await client.execute(source2);
       } catch (err) {
         const msg = err instanceof Error ? err.message : String(err);
         throw new Error(`Pipe step 1 failed: ${msg}`);
@@ -711,14 +865,130 @@ function registerFsCommands(program2) {
       }
       output(result);
     } catch (err) {
-      handleError(err);
+      handleError(err, source.slice("cat ".length).trim());
+    }
+  });
+}
+
+// src/commands/keys.ts
+function registerKeysCommand(program2) {
+  const keys = program2.command("keys").description("Manage API keys for authenticated services (BYOK)");
+  keys.command("set <domain>").description("Set an API key for a domain").option("--token <value>", "API key / token value").option("--sync", "Also upload to gateway (BYOK)").action(async (domain, opts) => {
+    try {
+      const hint = getAuthHint(domain);
+      let tokenValue = opts.token;
+      if (!tokenValue) {
+        const envHint = hint ? `(${hint.envVar})` : "";
+        console.error(
+          `Usage: nkmc keys set ${domain} --token <value> ${envHint}`
+        );
+        if (hint?.guideUrl) {
+          console.error(`  Get your key: ${hint.guideUrl}`);
+        }
+        process.exit(1);
+      }
+      const auth = buildAuth(domain, tokenValue, hint);
+      await saveKey(domain, auth);
+      console.log(`Key saved for ${domain}`);
+      if (opts.sync) {
+        await syncToGateway(domain, auth);
+      }
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      console.error(`Error: ${msg}`);
+      process.exit(1);
+    }
+  });
+  keys.command("list").description("List all saved API keys").option("--remote", "Also list keys stored on gateway").action(async (opts) => {
+    try {
+      const localKeys = await listKeys();
+      const domains = Object.keys(localKeys);
+      if (domains.length === 0 && !opts.remote) {
+        console.log("No keys stored. Use 'nkmc keys set <domain>' to add one.");
+        return;
+      }
+      if (domains.length > 0) {
+        console.log("Local keys:");
+        for (const domain of domains) {
+          const entry = localKeys[domain];
+          const maskedAuth = maskAuth(entry.auth);
+          console.log(`  ${domain}  ${maskedAuth}  (${entry.updatedAt})`);
+        }
+      }
+      if (opts.remote) {
+        try {
+          const { createClient: createClient2 } = await import("./client-GXGVRLEH.js");
+          const client = await createClient2();
+          const { domains: remoteDomains } = await client.listByok();
+          console.log("\nGateway BYOK keys:");
+          if (remoteDomains.length === 0) {
+            console.log("  (none)");
+          } else {
+            for (const d of remoteDomains) {
+              console.log(`  ${d}`);
+            }
+          }
+        } catch (err) {
+          const msg = err instanceof Error ? err.message : String(err);
+          console.error(`
+Could not fetch remote keys: ${msg}`);
+        }
+      }
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      console.error(`Error: ${msg}`);
+      process.exit(1);
+    }
+  });
+  keys.command("remove <domain>").description("Remove an API key for a domain").option("--remote", "Also remove from gateway").action(async (domain, opts) => {
+    try {
+      const removed = await deleteKey(domain);
+      if (removed) {
+        console.log(`Key removed for ${domain}`);
+      } else {
+        console.log(`No key found for ${domain}`);
+      }
+      if (opts.remote) {
+        try {
+          const { createClient: createClient2 } = await import("./client-GXGVRLEH.js");
+          const client = await createClient2();
+          await client.deleteByok(domain);
+          console.log(`Gateway BYOK key removed for ${domain}`);
+        } catch (err) {
+          const msg = err instanceof Error ? err.message : String(err);
+          console.error(`Could not remove remote key: ${msg}`);
+        }
+      }
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      console.error(`Error: ${msg}`);
+      process.exit(1);
     }
   });
 }
+function buildAuth(domain, token, hint) {
+  if (hint?.authType === "api-key" && hint.headerName) {
+    return { type: "api-key", header: hint.headerName, key: token };
+  }
+  return { type: "bearer", token };
+}
+function maskAuth(auth) {
+  const value = auth.token ?? auth.key ?? "";
+  if (value.length <= 8) return `${auth.type}:****`;
+  return `${auth.type}:${value.slice(0, 4)}...${value.slice(-4)}`;
+}
+async function syncToGateway(domain, auth) {
+  const { createClient: createClient2 } = await import("./client-GXGVRLEH.js");
+  const client = await createClient2();
+  await client.uploadByok(domain, auth);
+  console.log(`Key synced to gateway for ${domain}`);
+}
 
 // src/index.ts
+var __dirname = dirname2(fileURLToPath(import.meta.url));
+var { version } = JSON.parse(readFileSync(resolve(__dirname, "../package.json"), "utf-8"));
 var program = new Command();
-program.name("nkmc").description("nkmc SDK CLI").version("0.1.0");
+program.name("nkmc").description("nkmc SDK CLI").version(version);
 program.command("init").description("Initialize nkmc in the current project").argument("[dir]", "Project directory", ".").action(async (dir) => {
   const projectDir = dir === "." ? process.cwd() : dir;
   await runInit(projectDir);
@@ -754,4 +1024,5 @@ program.command("auth").description("Authenticate with the nkmc gateway").option
   await runAuth({ gatewayUrl: opts.gatewayUrl });
 });
 registerFsCommands(program);
+registerKeysCommand(program);
 program.parse();

package/dist/{register-7SUETZ7U.js → register-UBRUY256.js}

@@ -3,8 +3,8 @@ import {
   registerService,
   resolveToken,
   runRegister
-} from "./chunk-5ZYHHSZI.js";
-import "./chunk-MPXYSTOK.js";
+} from "./chunk-HXHGF76V.js";
+import "./chunk-TDMTBOMD.js";
 export {
   registerService,
   resolveToken,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nkmc/cli",
-  "version": "0.2.5",
+  "version": "0.3.4",
   "description": "CLI for scanning and registering APIs with the nkmc gateway",
   "license": "MIT",
   "type": "module",
@@ -13,10 +13,13 @@
   },
   "dependencies": {
     "@mrleebo/prisma-ast": "^0.13.1",
-    "@nkmc/core": "^0.1.0",
+    "@nkmc/core": "^0.1.1",
     "commander": "^13.0.0",
     "ts-morph": "^27.0.2"
   },
+  "optionalDependencies": {
+    "@shipkey/core": "^0.1.0"
+  },
   "repository": {
     "type": "git",
     "url": "https://github.com/chekusu/nkmc-sdk.git",