@oodarun/cli 0.1.13 → 0.1.15

package/dist/cli.js

@@ -298,7 +298,7 @@ createRoot(document.getElementById("root")!).render(
 });
 
 // src/cli/index.ts
-import path9 from "path";
+import path11 from "path";
 import readline2 from "readline";
 import { select as select3, confirm, Separator as Separator3 } from "@inquirer/prompts";
 
@@ -460,6 +460,7 @@ function parseConfig(jsonString) {
   }
   return {
     name: userConfig.name,
+    slug: userConfig.slug,
     description: userConfig.description,
     tools: mergedTools,
     claude: userConfig.claude || DEFAULT_CONFIG.claude
@@ -845,6 +846,31 @@ async function loginWithPassword(email, password) {
     return null;
   }
 }
+async function requestLoginCode(email) {
+  try {
+    const res = await fetch(`${ORG_API_BASE}/auth/request-code`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ email })
+    });
+    return res.ok;
+  } catch {
+    return false;
+  }
+}
+async function verifyLoginCode(email, code) {
+  try {
+    const res = await fetch(`${ORG_API_BASE}/auth/verify-code`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ email, code })
+    });
+    if (!res.ok) return null;
+    return await res.json();
+  } catch {
+    return null;
+  }
+}
 async function signupWithPassword(email, password, name) {
   try {
     const res = await fetch(`${ORG_API_BASE}/auth/signup`, {
@@ -1128,58 +1154,49 @@ function patchFetchForOrg(orgId) {
   });
 }
 async function handleEmailPasswordAuth() {
-  const action = await select2({
-    message: "Do you have an account?",
+  const method = await select2({
+    message: "How would you like to sign in?",
     choices: [
-      { name: "Yes, log me in", value: "login" },
-      { name: "No, I need to sign up (requires invite)", value: "signup" }
+      { name: "Email me a login code (recommended)", value: "code" },
+      { name: "Use my password", value: "password" },
+      { name: "Sign up (requires invite)", value: "signup" }
     ]
   });
   console.log("");
-  if (action === "signup") {
-    const email2 = await prompt(`  ${c.blue}${c.bold}Email:${c.reset} `);
-    if (!email2) process.exit(1);
-    const name = await prompt(`  ${c.blue}${c.bold}Your name:${c.reset} `);
-    if (!name) process.exit(1);
-    for (let attempt = 0; attempt < 3; attempt++) {
-      const password = await promptPassword(`  ${c.blue}${c.bold}Password:${c.reset} `);
-      if (!password) process.exit(1);
-      const result = await signupWithPassword(email2, password, name);
-      if (!result) {
-        console.log(`  ${c.red}Could not reach the server. Check your connection.${c.reset}`);
-        process.exit(1);
-      }
-      if (result.ok) {
-        const loginResult = await loginWithPassword(email2, password);
-        if (!loginResult) {
-          console.log(`  ${c.red}Account created but login failed. Try again.${c.reset}`);
-          process.exit(1);
-        }
-        return completeJwtLogin(loginResult);
-      }
-      const remaining = 2 - attempt;
-      console.log(`  ${c.red}${result.error || "Signup failed"}${c.reset}`);
-      if (result.errors?.length) {
-        for (const err of result.errors) {
-          console.log(`    ${c.gray}\u2022 ${err}${c.reset}`);
-        }
-      }
-      if (remaining > 0) {
-        console.log(`  ${c.gray}${remaining} attempt${remaining > 1 ? "s" : ""} remaining${c.reset}`);
-      }
-    }
-    console.log(`  ${c.red}Too many failed attempts.${c.reset}`);
+  if (method === "code") return emailCodeLoginInteractive();
+  if (method === "signup") return signupInteractive();
+  return passwordLoginInteractive();
+}
+async function emailCodeLoginInteractive(prefillEmail) {
+  const email = prefillEmail || await prompt(`  ${c.blue}${c.bold}Email:${c.reset} `);
+  if (!email) process.exit(1);
+  if (!await requestLoginCode(email)) {
+    console.log(`  ${c.red}Couldn't send a login code. Check the email address and try again.${c.reset}`);
     process.exit(1);
   }
+  console.log(`  ${c.gray}We emailed a 6-digit code to ${email} (expires in 10 minutes).${c.reset}`);
+  console.log("");
+  for (let attempt = 0; attempt < 3; attempt++) {
+    const code = await promptToken(`  ${c.blue}${c.bold}Code:${c.reset} `);
+    if (!code) process.exit(1);
+    const result = await verifyLoginCode(email, code);
+    if (result) return completeJwtLogin(result);
+    const remaining = 2 - attempt;
+    if (remaining > 0) {
+      console.log(`  ${c.red}Invalid or expired code.${c.reset} ${c.gray}${remaining} attempt${remaining > 1 ? "s" : ""} remaining${c.reset}`);
+    }
+  }
+  console.log(`  ${c.red}Too many failed attempts.${c.reset}`);
+  process.exit(1);
+}
+async function passwordLoginInteractive() {
   const email = await prompt(`  ${c.blue}${c.bold}Email:${c.reset} `);
   if (!email) process.exit(1);
   for (let attempt = 0; attempt < 3; attempt++) {
     const password = await promptPassword(`  ${c.blue}${c.bold}Password:${c.reset} `);
     if (!password) process.exit(1);
     const result = await loginWithPassword(email, password);
-    if (result) {
-      return completeJwtLogin(result);
-    }
+    if (result) return completeJwtLogin(result);
     const remaining = 2 - attempt;
     if (remaining > 0) {
       console.log(`  ${c.red}Invalid password.${c.reset} ${c.gray}${remaining} attempt${remaining > 1 ? "s" : ""} remaining${c.reset}`);
@@ -1188,6 +1205,126 @@ async function handleEmailPasswordAuth() {
   console.log(`  ${c.red}Too many failed attempts.${c.reset}`);
   process.exit(1);
 }
+async function signupInteractive() {
+  const email = await prompt(`  ${c.blue}${c.bold}Email:${c.reset} `);
+  if (!email) process.exit(1);
+  const name = await prompt(`  ${c.blue}${c.bold}Your name:${c.reset} `);
+  if (!name) process.exit(1);
+  for (let attempt = 0; attempt < 3; attempt++) {
+    const password = await promptPassword(`  ${c.blue}${c.bold}Password:${c.reset} `);
+    if (!password) process.exit(1);
+    const result = await signupWithPassword(email, password, name);
+    if (!result) {
+      console.log(`  ${c.red}Could not reach the server. Check your connection.${c.reset}`);
+      process.exit(1);
+    }
+    if (result.ok) {
+      const loginResult = await loginWithPassword(email, password);
+      if (!loginResult) {
+        console.log(`  ${c.red}Account created but login failed. Try again.${c.reset}`);
+        process.exit(1);
+      }
+      return completeJwtLogin(loginResult);
+    }
+    const remaining = 2 - attempt;
+    console.log(`  ${c.red}${result.error || "Signup failed"}${c.reset}`);
+    if (result.errors?.length) {
+      for (const err of result.errors) {
+        console.log(`    ${c.gray}\u2022 ${err}${c.reset}`);
+      }
+    }
+    if (remaining > 0) {
+      console.log(`  ${c.gray}${remaining} attempt${remaining > 1 ? "s" : ""} remaining${c.reset}`);
+    }
+  }
+  console.log(`  ${c.red}Too many failed attempts.${c.reset}`);
+  process.exit(1);
+}
+async function loginCmd(opts) {
+  if (opts.email && opts.code) {
+    const result = await verifyLoginCode(opts.email, opts.code);
+    if (!result) return failLogin(opts.json, "Invalid or expired code.");
+    finalizeLogin(result, opts.org, opts.json);
+    return;
+  }
+  if (opts.email) {
+    if (!await requestLoginCode(opts.email)) return failLogin(opts.json, "Couldn't send a login code.");
+    if (opts.json) {
+      console.log(JSON.stringify({ ok: true, sent: true, email: opts.email }));
+    } else {
+      console.log(`
+  ${c.green}${c.bold}\u2713${c.reset} Code sent to ${c.bold}${opts.email}${c.reset}`);
+      console.log(`  ${c.gray}Check your email, then run:${c.reset}`);
+      console.log(`  ${c.cyan}ooda login --email ${opts.email} --code <code>${c.reset}
+`);
+    }
+    return;
+  }
+  await emailCodeLoginInteractive();
+}
+function finalizeLogin(result, orgFlag, json) {
+  if (result.orgs.length === 0) return failLogin(json, "No organizations for this account.");
+  let orgId;
+  let orgName;
+  if (orgFlag) {
+    const match = result.orgs.find((o) => o.orgId === orgFlag);
+    if (!match) return failLogin(json, `You're not a member of org "${orgFlag}".`);
+    orgId = match.orgId;
+    orgName = match.orgName;
+  } else if (result.orgs.length === 1) {
+    orgId = result.orgs[0].orgId;
+    orgName = result.orgs[0].orgName;
+  } else {
+    return failLogin(json, `Multiple organizations \u2014 pass --org <id>. Options: ${result.orgs.map((o) => o.orgId).join(", ")}`);
+  }
+  saveJwtTokens(result.accessToken, result.refreshToken, result.user.id, orgId);
+  const selected = result.orgs.find((o) => o.orgId === orgId);
+  setOrgMode(orgId, result.user.email, result.user.name, orgName, selected?.claudeConfig ?? void 0);
+  patchFetchForOrg(orgId);
+  if (json) {
+    console.log(JSON.stringify({ ok: true, email: result.user.email, orgId, orgName }));
+  } else {
+    console.log(`
+  ${c.green}${c.bold}\u2713${c.reset} Logged in as ${c.bold}${result.user.name}${c.reset} (${orgName})
+`);
+  }
+}
+function failLogin(json, message) {
+  if (json) {
+    console.log(JSON.stringify({ ok: false, error: message }));
+  } else {
+    console.log(`
+  ${c.red}${message}${c.reset}
+`);
+  }
+  process.exitCode = 1;
+}
+function whoamiCmd(opts) {
+  const orgId = getOrgId();
+  const token = getAccessToken();
+  if (!orgId || !token) {
+    if (opts.json) {
+      console.log(JSON.stringify({ ok: false, authenticated: false }));
+    } else {
+      console.log(`
+  ${c.yellow}Not signed in.${c.reset} ${c.gray}Run ${c.bold}ooda login${c.reset}${c.gray} to authenticate.${c.reset}
+`);
+    }
+    process.exitCode = 1;
+    return;
+  }
+  const orgName = getOrgName() || orgId;
+  const email = getOrgEmail();
+  const name = getOrgDisplayName();
+  if (opts.json) {
+    console.log(JSON.stringify({ ok: true, authenticated: true, orgId, orgName, email: email ?? null, name: name ?? null }));
+  } else {
+    const who = name || email;
+    console.log(`
+  ${c.green}${c.bold}\u2713${c.reset} Signed in${who ? ` as ${c.bold}${who}${c.reset}` : ""} ${c.gray}(${orgName})${c.reset}
+`);
+  }
+}
 async function completeJwtLogin(result) {
   let orgId;
   let orgName;
@@ -1216,7 +1353,8 @@ async function completeJwtLogin(result) {
   console.log("");
   return "org";
 }
-async function ensureAuth() {
+async function ensureAuth(opts = {}) {
+  const requireClaudeToken = opts.requireClaudeToken !== false;
   let apiToken = null;
   const orgClaude = isOrgMode() ? getOrgClaudeConfig() : null;
   let claudeToken = getClaudeToken(orgClaude?.apiKeyHelper || void 0);
@@ -1235,6 +1373,9 @@ async function ensureAuth() {
 `);
     apiToken = await handleEmailPasswordAuth();
   }
+  if (!requireClaudeToken) {
+    return { apiToken, claudeToken: "", claudeSource: "" };
+  }
   async function promptForClaudeToken() {
     const tokenType = await select2({
       message: "Claude token type:",
@@ -1928,19 +2069,27 @@ import path from 'path';
 
 const MAX_FILE_SIZE = 10 * 1024 * 1024;
 
-// Resolve publish URL and auth \u2014 org mode uses JWT via org proxy
-let PUBLISH_URL = 'https://ooda.run/api/publish';
-let publishToken = process.env.PUBLISH_TOKEN || '';
+// Resolve publish URL and auth. Publishing goes exclusively through the
+// authenticated org proxy (POST /org/{orgId}/publish), which records the site
+// in D1 and materializes its access-control policy. The old unauthenticated
+// loader endpoint is retired, so org credentials are REQUIRED.
+let PUBLISH_URL = '';
+let publishToken = '';
 let orgProjectName = '';
 try {
   const orgCreds = JSON.parse(fs.readFileSync('/tmp/ooda-org.json', 'utf-8'));
+  const apiBase = orgCreds.apiBase || 'https://api.ooda.run';
   if (orgCreds.orgId && orgCreds.jwt) {
-    PUBLISH_URL = 'https://api.ooda.run/org/' + orgCreds.orgId + '/publish';
+    PUBLISH_URL = apiBase + '/org/' + orgCreds.orgId + '/publish';
     publishToken = orgCreds.jwt;
   }
   if (orgCreds.projectName) orgProjectName = orgCreds.projectName;
 } catch {
-  // No org credentials \u2014 use default publish endpoint
+  // handled below
+}
+if (!PUBLISH_URL || !publishToken) {
+  console.error('ERROR: Missing ooda org credentials (/tmp/ooda-org.json). Reconnect the project with the ooda CLI to refresh credentials, then publish again.');
+  process.exit(1);
 }
 
 const projectDir = process.argv[2] || process.cwd();
@@ -2640,103 +2789,6 @@ export default function designBrowserSource() {
   };
 }
 `.trim();
-var PUBLISH_SCRIPT2 = `
-import fs from 'fs';
-import path from 'path';
-import { execSync } from 'child_process';
-
-const PUBLISH_URL = 'https://ooda.run/api/publish';
-const publishToken = process.env.PUBLISH_TOKEN || '';
-const MAX_FILE_SIZE = 10 * 1024 * 1024;
-
-// Find the project directory (first arg or cwd)
-const projectDir = process.argv[2] || process.cwd();
-
-// Detect build output directory
-const candidates = ['dist', 'build', 'out', '.output/public', '.next/static'];
-let outputDir = null;
-for (const c of candidates) {
-  const p = path.join(projectDir, c);
-  if (fs.existsSync(p) && fs.statSync(p).isDirectory()) {
-    outputDir = p;
-    break;
-  }
-}
-
-if (!outputDir) {
-  console.error('ERROR: No build output directory found. Run your build command first.');
-  console.error('Looked for: ' + candidates.join(', '));
-  process.exit(1);
-}
-
-console.log('Found build output: ' + outputDir);
-
-// Derive slug from project name (hostname)
-let slug;
-try {
-  slug = execSync('hostname', { encoding: 'utf-8' }).trim();
-} catch {
-  slug = path.basename(projectDir);
-}
-// Clean slug to match requirements
-slug = slug.toLowerCase().replace(/[^a-z0-9-]/g, '-').replace(/-+/g, '-').replace(/^-|-$/g, '');
-if (slug.length < 3) slug = slug + '-site';
-if (slug.length > 64) slug = slug.slice(0, 64);
-
-console.log('Publishing as: ' + slug);
-
-// Collect all files recursively
-function collectFiles(dir, base) {
-  const results = [];
-  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
-    const full = path.join(dir, entry.name);
-    if (entry.isDirectory()) {
-      results.push(...collectFiles(full, base));
-    } else if (entry.isFile()) {
-      const stat = fs.statSync(full);
-      if (stat.size <= MAX_FILE_SIZE) {
-        const rel = path.relative(base, full);
-        const content = fs.readFileSync(full).toString('base64');
-        results.push({ path: rel, content });
-      } else {
-        console.log('Skipping large file: ' + path.relative(base, full));
-      }
-    }
-  }
-  return results;
-}
-
-const files = collectFiles(outputDir, outputDir);
-console.log('Collected ' + files.length + ' files');
-
-if (files.length === 0) {
-  console.error('ERROR: No files found in ' + outputDir);
-  process.exit(1);
-}
-
-// Upload
-const body = JSON.stringify({ slug, files });
-console.log('Uploading (' + (body.length / 1024 / 1024).toFixed(1) + 'MB)...');
-
-const res = await fetch(PUBLISH_URL, {
-  method: 'POST',
-  headers: { 'Content-Type': 'application/json', ...(publishToken ? { 'Authorization': 'Bearer ' + publishToken } : {}) },
-  body,
-});
-
-const result = await res.json();
-if (result.ok) {
-  console.log('');
-  console.log('Published successfully!');
-  console.log('URL: ' + result.url);
-  console.log('Version: ' + result.version);
-  console.log('Files: ' + result.fileCount);
-  console.log('Size: ' + (result.totalSize / 1024).toFixed(1) + 'KB');
-} else {
-  console.error('Publish failed: ' + (result.error || JSON.stringify(result)));
-  process.exit(1);
-}
-`.trim();
 var CONFIG_PATCH_SCRIPT = `
 import fs from 'fs';
 import path from 'path';
@@ -3010,7 +3062,7 @@ async function provisionFromFolder(localPath, projectName, token, onProgress, br
       await setupClaudeAuth(projectName, token, effectiveClaudeToken, progress, claudeEnv);
     }
     await deployClaudeConfig(projectName, token, projectRoot, project.framework, progress, gitInfo || null, branchName || null);
-    await writeRemoteFile("/home/user/.ooda/publish.mjs", PUBLISH_SCRIPT2);
+    await writeRemoteFile("/home/user/.ooda/publish.mjs", PUBLISH_SCRIPT);
     await patchServerConfig(projectName, token, projectRoot, progress);
     await installSourcePlugin(projectName, token, projectRoot, project.framework, progress);
     try {
@@ -3258,7 +3310,7 @@ async function provisionFromGitHub(parsed, projectName, token, onProgress, githu
       gitWorkflowPatch.trim() + "\n"
     );
     await writeRemoteFile(`${projectRoot}/CLAUDE.md`, updatedClaudeMd);
-    await writeRemoteFile(`${homeDir}/.ooda/publish.mjs`, PUBLISH_SCRIPT2);
+    await writeRemoteFile(`${homeDir}/.ooda/publish.mjs`, PUBLISH_SCRIPT);
     await patchServerConfig(projectName, token, projectRoot, progress);
     await installSourcePlugin(projectName, token, projectRoot, project.framework, progress);
     try {
@@ -3361,7 +3413,7 @@ async function provisionFromTemplate(projectName, templateId, token, onProgress,
       await setupClaudeAuth(projectName, token, effectiveClaudeToken, progress, claudeEnv);
     }
     await deployClaudeConfig(projectName, token, projectRoot, "vite", progress);
-    await writeFile("/home/user/.ooda/publish.mjs", PUBLISH_SCRIPT2);
+    await writeFile("/home/user/.ooda/publish.mjs", PUBLISH_SCRIPT);
     try {
       await deployToolsViaRest(projectName, token, projectRoot, (msg) => {
         progress({ step: msg });
@@ -3701,14 +3753,14 @@ async function pullChangesFromProject(projectName, token, projectRoot, localProj
     }
     execSync3(`git checkout -b "${localBranch}"`, localOpts);
     try {
-      const fs7 = await import("fs");
+      const fs9 = await import("fs");
       const os2 = await import("os");
-      const path10 = await import("path");
-      const patchFile = path10.join(os2.tmpdir(), `ooda-patch-${Date.now()}.patch`);
-      fs7.writeFileSync(patchFile, patchContent, "utf-8");
+      const path12 = await import("path");
+      const patchFile = path12.join(os2.tmpdir(), `ooda-patch-${Date.now()}.patch`);
+      fs9.writeFileSync(patchFile, patchContent, "utf-8");
       execSync3(`git am "${patchFile}"`, localOpts);
       try {
-        fs7.unlinkSync(patchFile);
+        fs9.unlinkSync(patchFile);
       } catch {
       }
     } catch (amError) {
@@ -4073,6 +4125,65 @@ function startServer(opts) {
 function buildSitesUrl(apiBase, orgId) {
   return `${apiBase}/org/${encodeURIComponent(orgId)}/dashboard/sites`;
 }
+function buildSiteUrl(apiBase, orgId, slug, sub) {
+  const base = `${buildSitesUrl(apiBase, orgId)}/${encodeURIComponent(slug)}`;
+  return sub ? `${base}/${sub}` : base;
+}
+var SitesApiError = class extends Error {
+  constructor(status, message) {
+    super(message);
+    this.status = status;
+    this.name = "SitesApiError";
+  }
+};
+async function readJson(res) {
+  const text = await res.text();
+  let data;
+  try {
+    data = text ? JSON.parse(text) : {};
+  } catch {
+    data = {};
+  }
+  if (!res.ok) {
+    const msg = data?.error || `Request failed (${res.status})`;
+    throw new SitesApiError(res.status, msg);
+  }
+  return data;
+}
+function authHeaders(jwt, json = false) {
+  return {
+    Authorization: `Bearer ${jwt}`,
+    ...json ? { "Content-Type": "application/json" } : {}
+  };
+}
+async function listSites(auth) {
+  const res = await fetch(buildSitesUrl(auth.apiBase, auth.orgId), {
+    headers: authHeaders(auth.jwt)
+  });
+  const data = await readJson(res);
+  return data.sites ?? [];
+}
+async function updateSiteAccess(auth, slug, body) {
+  const res = await fetch(buildSiteUrl(auth.apiBase, auth.orgId, slug), {
+    method: "PATCH",
+    headers: authHeaders(auth.jwt, true),
+    body: JSON.stringify(body)
+  });
+  return readJson(res);
+}
+async function revealSitePassword(auth, slug) {
+  const res = await fetch(buildSiteUrl(auth.apiBase, auth.orgId, slug, "password"), {
+    headers: authHeaders(auth.jwt)
+  });
+  return readJson(res);
+}
+async function deleteSite(auth, slug) {
+  const res = await fetch(buildSiteUrl(auth.apiBase, auth.orgId, slug), {
+    method: "DELETE",
+    headers: authHeaders(auth.jwt)
+  });
+  return readJson(res);
+}
 async function fetchPublishedSiteUrl(opts) {
   try {
     const res = await fetch(buildSitesUrl(opts.apiBase, opts.orgId), {
@@ -4807,7 +4918,11 @@ async function connectAndRunClaude(projectName, apiToken, claudeToken, projectUr
     const orgId = getOrgId();
     const jwt = getAccessToken();
     if (orgId && jwt) {
-      await client.writeFile("/tmp/ooda-org.json", JSON.stringify({ orgId, jwt, projectName }));
+      const apiBase = process.env.OODA_API_BASE;
+      await client.writeFile(
+        "/tmp/ooda-org.json",
+        JSON.stringify({ orgId, jwt, projectName, ...apiBase ? { apiBase } : {} })
+      );
     }
   }
   const tokenType = getClaudeTokenType(claudeToken);
@@ -5459,8 +5574,392 @@ async function deployFromGitHubFlow(target, apiToken, claudeToken) {
   }
 }
 
+// src/cli/publish.ts
+import fs8 from "fs";
+import path10 from "path";
+
+// src/publish-core.ts
+import fs7 from "fs";
+import path9 from "path";
+var MAX_FILE_SIZE2 = 10 * 1024 * 1024;
+var BUILD_DIR_CANDIDATES = [
+  "dist",
+  "build",
+  "out",
+  ".output/public",
+  ".next/static"
+];
+function detectBuildDir(projectDir) {
+  for (const candidate of BUILD_DIR_CANDIDATES) {
+    const full = path9.join(projectDir, candidate);
+    try {
+      if (fs7.existsSync(full) && fs7.statSync(full).isDirectory()) {
+        return full;
+      }
+    } catch {
+    }
+  }
+  return null;
+}
+function deriveSlug(rawName) {
+  let slug = rawName.toLowerCase().replace(/[^a-z0-9-]/g, "-").replace(/-+/g, "-").replace(/^-|-$/g, "");
+  if (slug.length < 3) slug = `${slug}-site`;
+  if (slug.length > 64) slug = slug.slice(0, 64);
+  return slug;
+}
+function collectFiles2(dir, onSkip) {
+  const results = [];
+  const walk = (current) => {
+    for (const entry of fs7.readdirSync(current, { withFileTypes: true })) {
+      const full = path9.join(current, entry.name);
+      if (entry.isDirectory()) {
+        walk(full);
+      } else if (entry.isFile()) {
+        const rel = path9.relative(dir, full);
+        if (fs7.statSync(full).size > MAX_FILE_SIZE2) {
+          onSkip?.(rel);
+          continue;
+        }
+        results.push({ path: rel, content: fs7.readFileSync(full).toString("base64") });
+      }
+    }
+  };
+  walk(dir);
+  return results;
+}
+function appendSuffix(base, suffix) {
+  const maxBase = 64 - suffix.length - 1;
+  const trimmed = base.length > maxBase ? base.slice(0, maxBase).replace(/-+$/, "") : base;
+  return `${trimmed}-${suffix}`;
+}
+function randomSlugSuffix() {
+  let s = "";
+  const bytes = crypto.getRandomValues(new Uint8Array(4));
+  for (const b of bytes) s += (b % 36).toString(36);
+  return s;
+}
+function buildPublishBody(opts) {
+  return {
+    slug: opts.slug,
+    ...opts.projectName ? { projectName: opts.projectName } : {},
+    files: opts.files
+  };
+}
+
+// src/cli/publish.ts
+var MAX_SLUG_ATTEMPTS = 5;
+async function publishLocalDir(opts) {
+  const { projectDir, slugOverride, json } = opts;
+  if (!isOrgMode()) {
+    fail(json, "Publishing requires an organisation login. Run `ooda` and log in first.");
+    return;
+  }
+  const orgId = getOrgId();
+  const jwt = getAccessToken();
+  if (!orgId || !jwt) {
+    fail(json, "No active org session. Run `ooda` and log in first.");
+    return;
+  }
+  const apiBase = process.env.OODA_API_BASE || "https://api.ooda.run";
+  const auth = { apiBase, orgId, jwt };
+  const outputDir = detectBuildDir(projectDir);
+  if (!outputDir) {
+    fail(
+      json,
+      `No build output found in ${projectDir}. Run your build command first.
+  Looked for: ${BUILD_DIR_CANDIDATES.join(", ")}`
+    );
+    return;
+  }
+  const config = loadConfig(projectDir);
+  const explicit = Boolean(slugOverride && slugOverride.trim());
+  const persisted = !explicit && Boolean(config.slug);
+  const base = deriveSlug(
+    explicit ? slugOverride : config.slug || config.name || path10.basename(projectDir)
+  );
+  const allowSuffix = !explicit && !persisted;
+  const skipped = [];
+  const files = collectFiles2(outputDir, (rel) => skipped.push(rel));
+  if (files.length === 0) {
+    fail(json, `No files found in ${outputDir}.`);
+    return;
+  }
+  let candidate = base;
+  if (allowSuffix) {
+    try {
+      const taken = new Set((await listSites(auth)).map((s) => s.slug));
+      if (taken.has(candidate)) candidate = appendSuffix(base, randomSlugSuffix());
+    } catch {
+    }
+  }
+  if (!json) {
+    console.log(`  ${c.gray}Build output: ${outputDir}${c.reset}`);
+    for (const rel of skipped) console.log(`  ${c.yellow}!${c.reset} ${c.gray}Skipped large file: ${rel}${c.reset}`);
+  }
+  let result = null;
+  let finalSlug = candidate;
+  let lastClashError = "";
+  for (let attempt = 0; attempt < (allowSuffix ? MAX_SLUG_ATTEMPTS : 1); attempt++) {
+    if (!json) console.log(`  ${c.gray}Publishing ${files.length} files as ${c.reset}${c.bold}${candidate}${c.reset}${c.gray}...${c.reset}`);
+    const { status, data } = await postPublish(apiBase, orgId, jwt, candidate, files);
+    if (status >= 200 && status < 300 && data.ok) {
+      result = data;
+      finalSlug = candidate;
+      break;
+    }
+    if (status === 403 && allowSuffix) {
+      lastClashError = data.error || "slug taken";
+      candidate = appendSuffix(base, randomSlugSuffix());
+      continue;
+    }
+    if (status === 403) {
+      fail(json, `Slug "${candidate}" is taken by another organisation. Choose another with --slug.`);
+      return;
+    }
+    fail(json, data.error || `Publish failed (${status})`);
+    return;
+  }
+  if (!result) {
+    fail(json, `Couldn't find a free slug after ${MAX_SLUG_ATTEMPTS} attempts (last: ${lastClashError}).`);
+    return;
+  }
+  const wrote = persistSlug(projectDir, finalSlug);
+  const suffixed = finalSlug !== base;
+  const publicUrl = result.url ? toPublicUrl(result.url) : "";
+  if (json) {
+    console.log(JSON.stringify({ ...result, slug: finalSlug, url: publicUrl || result.url, savedToConfig: wrote }, null, 2));
+    return;
+  }
+  console.log(`
+  ${c.green}${c.bold}\u2713${c.reset} Published`);
+  console.log(`  ${c.cyan}${publicUrl}${c.reset}`);
+  if (result.version !== void 0) console.log(`  ${c.gray}Version ${result.version} \xB7 ${result.fileCount} files \xB7 ${((result.totalSize ?? 0) / 1024).toFixed(1)}KB${c.reset}`);
+  if (suffixed) console.log(`  ${c.gray}Slug auto-suffixed to avoid a collision.${c.reset}`);
+  if (wrote) console.log(`  ${c.gray}Saved slug to ooda.json so re-publishes reuse this URL.${c.reset}`);
+  console.log("");
+}
+async function postPublish(apiBase, orgId, jwt, slug, files) {
+  try {
+    const res = await fetch(`${apiBase}/org/${encodeURIComponent(orgId)}/publish`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json", Authorization: `Bearer ${jwt}` },
+      body: JSON.stringify(buildPublishBody({ slug, files }))
+    });
+    const data = await res.json().catch(() => ({}));
+    return { status: res.status, data };
+  } catch (err) {
+    return { status: 0, data: { error: `Could not reach the server: ${err instanceof Error ? err.message : String(err)}` } };
+  }
+}
+function persistSlug(projectDir, slug) {
+  const p = path10.join(projectDir, "ooda.json");
+  let obj = {};
+  if (fs8.existsSync(p)) {
+    try {
+      const parsed = JSON.parse(fs8.readFileSync(p, "utf-8"));
+      if (parsed && typeof parsed === "object") obj = parsed;
+      else return false;
+    } catch {
+      return false;
+    }
+  }
+  if (obj.slug === slug) return false;
+  obj.slug = slug;
+  fs8.writeFileSync(p, JSON.stringify(obj, null, 2) + "\n");
+  return true;
+}
+function fail(json, message) {
+  if (json) {
+    console.log(JSON.stringify({ ok: false, error: message }));
+  } else {
+    console.log(`
+  ${c.red}${message}${c.reset}
+`);
+  }
+  process.exitCode = 1;
+}
+
+// src/cli/sites.ts
+var ACCESS_MODES = ["public", "password", "login"];
+async function runSitesCommand(args) {
+  if (!isOrgMode()) return fail2(args.json, "Managing sites requires an organisation login. Run `ooda` and log in first.");
+  const orgId = getOrgId();
+  const jwt = getAccessToken();
+  if (!orgId || !jwt) return fail2(args.json, "No active org session. Run `ooda` and log in first.");
+  const apiBase = process.env.OODA_API_BASE || "https://api.ooda.run";
+  const auth = { apiBase, orgId, jwt };
+  const sub = args.subcommand || "list";
+  try {
+    switch (sub) {
+      case "list":
+        return await listCmd(auth, args.json);
+      case "access":
+        return await accessCmd(auth, args);
+      case "password":
+        return await passwordCmd(auth, args);
+      case "delete":
+      case "unpublish":
+        return await deleteCmd(auth, args);
+      default:
+        return fail2(args.json, `Unknown sites subcommand: ${sub}. Use list | access | password | delete.`);
+    }
+  } catch (err) {
+    if (err instanceof SitesApiError) return fail2(args.json, err.message);
+    return fail2(args.json, err instanceof Error ? err.message : String(err));
+  }
+}
+async function listCmd(auth, json) {
+  const sites = await listSites(auth);
+  if (json) {
+    console.log(JSON.stringify(sites.map((s) => ({ ...s, url: toPublicUrl(s.url) })), null, 2));
+    return;
+  }
+  if (sites.length === 0) {
+    console.log(`  ${c.gray}No published sites.${c.reset}
+`);
+    return;
+  }
+  console.log("");
+  for (const s of sites) {
+    const own = s.isOwn ? `${c.green}*${c.reset}` : " ";
+    console.log(`  ${own} ${c.bold}${s.slug}${c.reset}  ${c.gray}${s.effectiveMode}${c.reset}`);
+    console.log(`    ${c.cyan}${toPublicUrl(s.url)}${c.reset}  ${c.gray}${s.publishedByName}${c.reset}`);
+  }
+  console.log("");
+}
+async function accessCmd(auth, args) {
+  if (!args.slug) return fail2(args.json, "Usage: ooda sites access <slug> --mode <public|password|login>");
+  const body = {};
+  if (args.clearMode) {
+    body.accessMode = null;
+  } else if (args.mode !== void 0) {
+    if (!ACCESS_MODES.includes(args.mode)) {
+      return fail2(args.json, `Invalid --mode. Must be one of: ${ACCESS_MODES.join(", ")}`);
+    }
+    body.accessMode = args.mode;
+  }
+  if (args.clearPassword) {
+    body.password = null;
+  } else if (args.password !== void 0) {
+    body.password = args.password;
+  }
+  if (Object.keys(body).length === 0) {
+    return fail2(args.json, "Nothing to change. Pass --mode, --password, --clear-password, or --clear-mode.");
+  }
+  const result = await updateSiteAccess(auth, args.slug, body);
+  if (args.json) {
+    console.log(JSON.stringify(result, null, 2));
+    return;
+  }
+  console.log(`
+  ${c.green}${c.bold}\u2713${c.reset} ${c.bold}${args.slug}${c.reset} \u2192 ${c.cyan}${result.effectiveMode}${c.reset}${c.gray}${result.accessMode === null ? " (inherits org default)" : ""}${c.reset}
+`);
+}
+async function passwordCmd(auth, args) {
+  if (!args.slug) return fail2(args.json, "Usage: ooda sites password <slug>");
+  const result = await revealSitePassword(auth, args.slug);
+  if (args.json) {
+    console.log(JSON.stringify(result, null, 2));
+    return;
+  }
+  if (!result.password) {
+    console.log(`
+  ${c.gray}No password set for ${args.slug} (not password-protected).${c.reset}
+`);
+    return;
+  }
+  console.log(`
+  ${c.bold}${args.slug}${c.reset} password: ${c.cyan}${result.password}${c.reset} ${c.gray}(source: ${result.source})${c.reset}
+`);
+}
+async function deleteCmd(auth, args) {
+  if (!args.slug) return fail2(args.json, "Usage: ooda sites delete <slug>");
+  await deleteSite(auth, args.slug);
+  if (args.json) {
+    console.log(JSON.stringify({ ok: true, slug: args.slug }));
+    return;
+  }
+  console.log(`
+  ${c.green}${c.bold}\u2713${c.reset} Unpublished ${c.bold}${args.slug}${c.reset}
+`);
+}
+function fail2(json, message) {
+  if (json) {
+    console.log(JSON.stringify({ ok: false, error: message }));
+  } else {
+    console.log(`
+  ${c.red}${message}${c.reset}
+`);
+  }
+  process.exitCode = 1;
+}
+
+// src/cli/help.ts
+function buildHelpText(version) {
+  return `ooda v${version} \u2014 Cloud dev environments for Claude Code
+
+Usage:
+  ooda [command] [options]
+
+Commands:
+  (no command)                 Open the interactive project menu
+  login                        Sign in with an email code (password fallback)
+  whoami                       Show the current session (exits non-zero if none)
+  list, ls                     List your projects
+  connect <project>            Connect to a project and run Claude (interactive)
+  deploy [path|github-url]     Deploy a local folder or GitHub repo as a project
+  publish [path]               Publish a built static site to {slug}-p.ooda.run
+  sites [list]                 List your org's published sites
+  sites access <slug>          Change a published site's access policy
+  sites password <slug>        Reveal a site's effective password
+  sites delete <slug>          Unpublish a site
+  help, --help, -h             Show this help
+
+login
+  Passwordless sign-in via a 6-digit email code. No flags \u2192 interactive (with a
+  password fallback). Flag mode (for agents/CI):
+    --email <e>                Send a login code to this email
+    --email <e> --code <c>     Verify the code and save the session
+    --org <id>                 Choose the org when the account has several
+    --json                     Machine-readable JSON output
+
+publish [path]
+  Publishes an already-built static site (no build is run). Looks for a build
+  output dir (dist, build, out, .output/public, .next/static) in [path] (default:
+  current dir). Requires an org login.
+    --slug <slug>              Override the slug (default: ooda.json name, else folder name)
+    --json                     Machine-readable JSON output
+
+sites access <slug>
+    --mode <public|password|login>  Set the access mode
+    --password <pw>            Set a per-site password (use with --mode password)
+    --clear-password           Remove the per-site password
+    --clear-mode               Clear the override (inherit the org default)
+    --json                     Machine-readable JSON output
+
+sites list | password | delete
+    --json                     Machine-readable JSON output
+
+Global:
+    --port <n>                 Dashboard port for the interactive menu (default 4444)
+
+Headless auth (for agents/CI):
+  Set OODA_ACCESS_TOKEN and OODA_ORG_ID to skip interactive login. publish and
+  sites then run fully non-interactively and exit 0 on success, non-zero on error.
+
+Local dev:
+  Set OODA_API_BASE (server) and OODA_LOADER_BASE (loader) to target a local
+  stack instead of production.
+
+Examples:
+  ooda publish ./dist --slug my-app
+  ooda sites list --json
+  ooda sites access my-app --mode password --password hunter2
+  ooda sites delete my-app --json`;
+}
+
 // src/cli/index.ts
-var CLI_VERSION = "0.1.13";
+var CLI_VERSION = "0.1.15";
 function formatMutationError(result) {
   const parts = [];
   if (result.status !== void 0) parts.push(String(result.status));
@@ -5498,27 +5997,77 @@ function waitForEventOrCancel(emitter, event) {
 }
 var DEFAULT_PORT = 4444;
 function parseArgs(argv) {
-  let port = DEFAULT_PORT;
+  const rest = argv.slice(2);
+  const first = rest[0];
   let command = "menu";
-  let connectTarget;
-  let deployTarget;
-  const firstArg = argv[2];
-  if (firstArg === "connect") {
-    command = "connect";
-    connectTarget = argv[3];
-  } else if (firstArg === "list" || firstArg === "ls") {
-    command = "list";
-  } else if (firstArg === "deploy") {
-    command = "deploy";
-    deployTarget = argv[3];
-  }
-  for (let i = 2; i < argv.length; i++) {
-    if (argv[i] === "--port" && argv[i + 1]) {
-      port = parseInt(argv[i + 1], 10) || DEFAULT_PORT;
+  if (first === "connect") command = "connect";
+  else if (first === "list" || first === "ls") command = "list";
+  else if (first === "deploy") command = "deploy";
+  else if (first === "publish") command = "publish";
+  else if (first === "sites") command = "sites";
+  else if (first === "login") command = "login";
+  else if (first === "whoami") command = "whoami";
+  else if (first === "help") command = "help";
+  if (rest.includes("--help") || rest.includes("-h")) command = "help";
+  const positionals = [];
+  const flags = {};
+  let port = DEFAULT_PORT;
+  const startIdx = command === "menu" ? 0 : 1;
+  for (let i = startIdx; i < rest.length; i++) {
+    const arg = rest[i];
+    if (arg === "--port" && rest[i + 1]) {
+      port = parseInt(rest[i + 1], 10) || DEFAULT_PORT;
       i++;
-    }
+    } else if (arg === "--slug" && rest[i + 1]) {
+      flags.slug = rest[i + 1];
+      i++;
+    } else if (arg === "--email" && rest[i + 1]) {
+      flags.email = rest[i + 1];
+      i++;
+    } else if (arg === "--code" && rest[i + 1]) {
+      flags.code = rest[i + 1];
+      i++;
+    } else if (arg === "--org" && rest[i + 1]) {
+      flags.org = rest[i + 1];
+      i++;
+    } else if (arg === "--mode" && rest[i + 1]) {
+      flags.mode = rest[i + 1];
+      i++;
+    } else if (arg === "--password" && rest[i + 1] !== void 0) {
+      flags.password = rest[i + 1];
+      i++;
+    } else if (arg === "--clear-password") flags.clearPassword = true;
+    else if (arg === "--clear-mode") flags.clearMode = true;
+    else if (arg === "--json") flags.json = true;
+    else if (!arg.startsWith("--")) positionals.push(arg);
+  }
+  const args = { port, command, json: Boolean(flags.json) };
+  if (command === "connect") {
+    args.connectTarget = positionals[0];
+  } else if (command === "deploy") {
+    args.deployTarget = positionals[0];
+  } else if (command === "publish") {
+    args.publishTarget = positionals[0];
+    args.publishSlug = flags.slug;
+  } else if (command === "sites") {
+    args.sites = {
+      subcommand: positionals[0],
+      slug: positionals[1],
+      mode: flags.mode,
+      password: flags.password,
+      clearPassword: Boolean(flags.clearPassword),
+      clearMode: Boolean(flags.clearMode),
+      json: Boolean(flags.json)
+    };
+  } else if (command === "login") {
+    args.login = {
+      email: flags.email,
+      code: flags.code,
+      org: flags.org,
+      json: Boolean(flags.json)
+    };
   }
-  return { port, command, connectTarget, deployTarget };
+  return args;
 }
 function eraseRenderedPrompt(visibleLines) {
   const total = visibleLines + 2;
@@ -5938,6 +6487,10 @@ async function main() {
   const args = parseArgs(process.argv);
   const cwd = process.cwd();
   printLogo(CLI_VERSION);
+  if (args.command === "help") {
+    console.log(buildHelpText(CLI_VERSION));
+    process.exit(0);
+  }
   if (args.command === "list") {
     await listProjectsCmd();
     process.exit(0);
@@ -5948,11 +6501,30 @@ async function main() {
     if (target && isGitHubTarget(target)) {
       await deployFromGitHubFlow(target, apiToken, claudeToken);
     } else {
-      const deployPath = target ? path9.resolve(target) : cwd;
+      const deployPath = target ? path11.resolve(target) : cwd;
       await deployCurrentDir(deployPath, apiToken, claudeToken);
     }
     process.exit(0);
   }
+  if (args.command === "publish") {
+    await ensureAuth({ requireClaudeToken: false });
+    const dir = args.publishTarget ? path11.resolve(args.publishTarget) : cwd;
+    await publishLocalDir({ projectDir: dir, slugOverride: args.publishSlug, json: args.json });
+    process.exit(process.exitCode ?? 0);
+  }
+  if (args.command === "sites") {
+    await ensureAuth({ requireClaudeToken: false });
+    await runSitesCommand(args.sites ?? {});
+    process.exit(process.exitCode ?? 0);
+  }
+  if (args.command === "login") {
+    await loginCmd(args.login ?? {});
+    process.exit(process.exitCode ?? 0);
+  }
+  if (args.command === "whoami") {
+    whoamiCmd({ json: args.json });
+    process.exit(process.exitCode ?? 0);
+  }
   if (args.command === "connect") {
     if (!args.connectTarget) {
       console.log(`  ${c.red}Usage: ooda connect <project-name>${c.reset}`);