npm - @perceo/perceo - Versions diffs - 0.2.0 → 0.3.2 - Mend

@perceo/perceo 0.2.0 → 0.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/index.js CHANGED Viewed

@@ -1,14 +1,27 @@
 #!/usr/bin/env node
+import {
+  clearStoredAuth,
+  getEffectiveAuth,
+  getStoredAuth,
+  isLoggedIn,
+  loginCommand
+} from "./chunk-Y65GRRTT.js";
 // src/index.ts
-import { Command as Command4 } from "commander";
+import { Command as Command6 } from "commander";
 // src/commands/init.ts
 import { Command } from "commander";
-import chalk from "chalk";
-import ora from "ora";
+import chalk3 from "chalk";
+import ora2 from "ora";
 import fs2 from "fs/promises";
+import path3 from "path";
+import { execSync as execSync2 } from "child_process";
+// src/projectAccess.ts
 import path2 from "path";
+import chalk from "chalk";
+import { PerceoDataClient, getSupabaseAnonKey } from "@perceo/supabase";
 // src/config.ts
 import fs from "fs/promises";
@@ -20,18 +33,31 @@ async function loadConfig(options = {}) {
   const projectDir = path.resolve(options.projectDir ?? process.cwd());
   const envPath = process.env.PERCEO_CONFIG_PATH;
   const baseConfigPath = envPath ? resolveMaybeRelativePath(envPath, projectDir) : path.join(projectDir, CONFIG_DIR, BASE_CONFIG_FILE);
-  const baseConfig = await readJsonFile(baseConfigPath);
+  let baseConfig = await readJsonFile(baseConfigPath);
   const isLocalEnv = (process.env.PERCEO_ENV || "").toLowerCase() === "local" || process.env.NODE_ENV === "development";
-  if (!isLocalEnv) {
-    return baseConfig;
+  if (isLocalEnv) {
+    const localConfigPath = path.join(projectDir, CONFIG_DIR, LOCAL_CONFIG_FILE);
+    const localExists = await fileExists(localConfigPath);
+    if (localExists) {
+      const localConfig = await readJsonFile(localConfigPath);
+      baseConfig = deepMerge(baseConfig, localConfig);
+    }
   }
-  const localConfigPath = path.join(projectDir, CONFIG_DIR, LOCAL_CONFIG_FILE);
-  const localExists = await fileExists(localConfigPath);
-  if (!localExists) {
-    return baseConfig;
+  if (process.env.PERCEO_TEMPORAL_ENABLED === "true") {
+    baseConfig.temporal = {
+      enabled: true,
+      address: process.env.PERCEO_TEMPORAL_ADDRESS || "localhost:7233",
+      namespace: process.env.PERCEO_TEMPORAL_NAMESPACE || "perceo",
+      taskQueue: process.env.PERCEO_TEMPORAL_TASK_QUEUE || "observer-engine"
+    };
+    if (process.env.PERCEO_TEMPORAL_TLS_CERT_PATH) {
+      baseConfig.temporal.tls = {
+        certPath: process.env.PERCEO_TEMPORAL_TLS_CERT_PATH,
+        keyPath: process.env.PERCEO_TEMPORAL_TLS_KEY_PATH || ""
+      };
+    }
   }
-  const localConfig = await readJsonFile(localConfigPath);
-  return deepMerge(baseConfig, localConfig);
+  return baseConfig;
 }
 async function readJsonFile(filePath) {
   const raw = await fs.readFile(filePath, "utf8");
@@ -70,74 +96,894 @@ function isPlainObject(value) {
   return typeof value === "object" && value !== null && (Object.getPrototypeOf(value) === Object.prototype || Object.getPrototypeOf(value) === null);
 }
+// src/projectAccess.ts
+var ADMIN_ROLES = ["owner", "admin"];
+async function ensureProjectAccess(options = {}) {
+  const projectDir = path2.resolve(options.projectDir ?? process.cwd());
+  const requireAdmin = options.requireAdmin ?? false;
+  const auth = await getEffectiveAuth(projectDir);
+  if (!auth?.access_token) {
+    console.error(chalk.red("You must log in first. Run ") + chalk.cyan("perceo login"));
+    process.exit(1);
+  }
+  const config = await loadConfig({ projectDir });
+  const projectId = config?.project?.id;
+  const projectName = config?.project?.name ?? path2.basename(projectDir);
+  if (!projectId) {
+    console.error(chalk.red("No project linked. Run ") + chalk.cyan("perceo init") + chalk.red(" in this directory first."));
+    process.exit(1);
+  }
+  const supabaseUrl = auth.supabaseUrl;
+  const supabaseKey = getSupabaseAnonKey();
+  const client = await PerceoDataClient.fromUserSession({
+    supabaseUrl,
+    supabaseKey,
+    accessToken: auth.access_token,
+    refreshToken: auth.refresh_token,
+    projectId
+  });
+  const role = await client.getProjectMemberRole(projectId);
+  if (!role) {
+    console.error(chalk.red("You don't have access to this project."));
+    console.error(chalk.gray("Only users added to the project can view or change it. Ask a project owner or admin to add you."));
+    process.exit(1);
+  }
+  if (requireAdmin && !ADMIN_ROLES.includes(role)) {
+    console.error(chalk.red("This action requires project owner or admin role."));
+    console.error(chalk.gray(`Your role: ${role}. Ask a project owner or admin to perform this action or change your role.`));
+    process.exit(1);
+  }
+  return { client, projectId, projectName, role, config };
+}
+async function checkProjectAccess(client, projectId, options = {}) {
+  const role = await client.getProjectMemberRole(projectId);
+  if (!role) return null;
+  if (options.requireAdmin && !ADMIN_ROLES.includes(role)) return null;
+  return role;
+}
+// src/commands/init.ts
+import { PerceoDataClient as PerceoDataClient2, getSupabaseAnonKey as getSupabaseAnonKey2 } from "@perceo/supabase";
+// src/github.ts
+import { execSync } from "child_process";
+import chalk2 from "chalk";
+import ora from "ora";
+var GITHUB_CLIENT_ID = process.env.PERCEO_GITHUB_CLIENT_ID || "";
+async function authorizeGitHub() {
+  if (!GITHUB_CLIENT_ID) {
+    throw new Error("GitHub OAuth client ID not configured. Set PERCEO_GITHUB_CLIENT_ID environment variable.");
+  }
+  const spinner = ora("Requesting device authorization...").start();
+  let deviceResponse;
+  try {
+    deviceResponse = await fetch("https://github.com/login/device/code", {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Accept: "application/json"
+      },
+      body: JSON.stringify({
+        client_id: GITHUB_CLIENT_ID,
+        scope: "repo"
+      })
+    });
+  } catch (fetchError) {
+    spinner.fail("Failed to connect to GitHub");
+    throw new Error(`Network error connecting to GitHub: ${fetchError instanceof Error ? fetchError.message : String(fetchError)}`);
+  }
+  if (!deviceResponse.ok) {
+    spinner.fail("Failed to request device code");
+    throw new Error(`GitHub API error: ${deviceResponse.statusText}`);
+  }
+  const deviceData = await deviceResponse.json();
+  const { device_code, user_code, verification_uri, expires_in, interval = 5 } = deviceData;
+  spinner.succeed("Device code received");
+  console.log("\n" + chalk2.bold.yellow("GitHub Authorization Required"));
+  console.log(chalk2.gray("\u2500".repeat(50)));
+  console.log("\n  1. Visit: " + chalk2.cyan.underline(verification_uri));
+  console.log("  2. Enter code: " + chalk2.bold.green(user_code));
+  console.log("\n" + chalk2.gray("  Waiting for you to authorize in your browser..."));
+  console.log(chalk2.gray("\u2500".repeat(50)) + "\n");
+  const startTime = Date.now();
+  const expiresAt = startTime + expires_in * 1e3;
+  while (Date.now() < expiresAt) {
+    await new Promise((resolve) => setTimeout(resolve, interval * 1e3));
+    let tokenResponse;
+    try {
+      tokenResponse = await fetch("https://github.com/login/oauth/access_token", {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Accept: "application/json"
+        },
+        body: JSON.stringify({
+          client_id: GITHUB_CLIENT_ID,
+          device_code,
+          grant_type: "urn:ietf:params:oauth:grant-type:device_code"
+        })
+      });
+    } catch (fetchError) {
+      console.log(chalk2.yellow(`
+  Warning: Network error polling GitHub, retrying...`));
+      continue;
+    }
+    const tokenData = await tokenResponse.json();
+    if (tokenData.access_token) {
+      console.log(chalk2.green("\u2713 GitHub authorization successful!\n"));
+      return {
+        accessToken: tokenData.access_token,
+        tokenType: tokenData.token_type || "bearer"
+      };
+    }
+    if (tokenData.error === "authorization_pending") {
+      continue;
+    }
+    if (tokenData.error === "slow_down") {
+      await new Promise((resolve) => setTimeout(resolve, 5e3));
+      continue;
+    }
+    if (tokenData.error) {
+      throw new Error(`GitHub authorization failed: ${tokenData.error_description || tokenData.error}`);
+    }
+  }
+  throw new Error("GitHub authorization timed out. Please try again.");
+}
+async function createRepositorySecret(token, owner, repo, secretName, secretValue) {
+  let keyResponse;
+  try {
+    keyResponse = await fetch(`https://api.github.com/repos/${owner}/${repo}/actions/secrets/public-key`, {
+      headers: {
+        Authorization: `Bearer ${token}`,
+        Accept: "application/vnd.github+json",
+        "X-GitHub-Api-Version": "2022-11-28"
+      }
+    });
+  } catch (fetchError) {
+    throw new Error(`Network error connecting to GitHub API: ${fetchError instanceof Error ? fetchError.message : String(fetchError)}`);
+  }
+  if (!keyResponse.ok) {
+    const error = await keyResponse.text();
+    throw new Error(`Failed to get repository public key: ${error}`);
+  }
+  const { key: publicKey, key_id: keyId } = await keyResponse.json();
+  const encryptedValue = await encryptSecret(secretValue, publicKey);
+  let secretResponse;
+  try {
+    secretResponse = await fetch(`https://api.github.com/repos/${owner}/${repo}/actions/secrets/${secretName}`, {
+      method: "PUT",
+      headers: {
+        Authorization: `Bearer ${token}`,
+        Accept: "application/vnd.github+json",
+        "X-GitHub-Api-Version": "2022-11-28",
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        encrypted_value: encryptedValue,
+        key_id: keyId
+      })
+    });
+  } catch (fetchError) {
+    throw new Error(`Network error creating repository secret: ${fetchError instanceof Error ? fetchError.message : String(fetchError)}`);
+  }
+  if (!secretResponse.ok) {
+    const error = await secretResponse.text();
+    throw new Error(`Failed to create repository secret: ${error}`);
+  }
+}
+async function encryptSecret(secretValue, publicKeyBase64) {
+  try {
+    const publicKeyBuffer = Buffer.from(publicKeyBase64, "base64");
+    const sodium = await import("tweetnacl");
+    const { box, randomBytes } = sodium.default;
+    const messageBytes = new TextEncoder().encode(secretValue);
+    const publicKeyBytes = new Uint8Array(publicKeyBuffer);
+    const ephemeralKeyPair = box.keyPair();
+    const nonce = randomBytes(box.nonceLength);
+    const encrypted = box(messageBytes, nonce, publicKeyBytes, ephemeralKeyPair.secretKey);
+    const combined = new Uint8Array(ephemeralKeyPair.publicKey.length + nonce.length + encrypted.length);
+    combined.set(ephemeralKeyPair.publicKey);
+    combined.set(nonce, ephemeralKeyPair.publicKey.length);
+    combined.set(encrypted, ephemeralKeyPair.publicKey.length + nonce.length);
+    return Buffer.from(combined).toString("base64");
+  } catch (error) {
+    throw new Error(`Failed to encrypt secret. Install tweetnacl: npm install tweetnacl
+Error: ${error instanceof Error ? error.message : String(error)}`);
+  }
+}
+function isGitRepository(projectDir) {
+  try {
+    execSync("git rev-parse --is-inside-work-tree", {
+      cwd: projectDir,
+      encoding: "utf8",
+      stdio: ["pipe", "pipe", "ignore"]
+    });
+    return true;
+  } catch {
+    return false;
+  }
+}
+function parseGitHubRemoteUrl(url) {
+  const trimmed = url.trim();
+  let match = trimmed.match(/github\.com[/:]([\w-]+)\/([\w.-]+?)(\.git)?$/);
+  if (match && match[1] && match[2]) {
+    return { owner: match[1], repo: match[2] };
+  }
+  match = trimmed.match(/^git@([^:]+):([\w-]+)\/([\w.-]+?)(\.git)?$/);
+  if (match && match[1] && match[2] && match[3] && /github/i.test(match[1])) {
+    return { owner: match[2], repo: match[3] };
+  }
+  return null;
+}
+function detectGitHubRemote(projectDir) {
+  if (!isGitRepository(projectDir)) {
+    return null;
+  }
+  try {
+    const origin = execSync("git remote get-url origin", {
+      cwd: projectDir,
+      encoding: "utf8",
+      stdio: ["pipe", "pipe", "ignore"]
+    }).trim();
+    const parsed = parseGitHubRemoteUrl(origin);
+    if (parsed) return parsed;
+  } catch {
+  }
+  try {
+    const out = execSync("git remote -v", {
+      cwd: projectDir,
+      encoding: "utf8",
+      stdio: ["pipe", "pipe", "ignore"]
+    });
+    for (const line of out.split("\n")) {
+      const tab = line.indexOf("	");
+      if (tab === -1) continue;
+      const url = line.slice(tab + 1).replace(/\s*\((?:fetch|push)\)\s*$/, "").trim();
+      const parsed = parseGitHubRemoteUrl(url);
+      if (parsed) return parsed;
+    }
+  } catch {
+  }
+  return null;
+}
+async function checkRepositoryPermissions(token, owner, repo) {
+  try {
+    const response = await fetch(`https://api.github.com/repos/${owner}/${repo}`, {
+      headers: {
+        Authorization: `Bearer ${token}`,
+        Accept: "application/vnd.github+json",
+        "X-GitHub-Api-Version": "2022-11-28"
+      }
+    });
+    if (!response.ok) {
+      console.log(chalk2.yellow(`  Warning: Failed to check repository permissions (HTTP ${response.status})`));
+      return false;
+    }
+    const data = await response.json();
+    return data.permissions?.admin || data.permissions?.push || false;
+  } catch (fetchError) {
+    console.log(chalk2.yellow(`  Warning: Network error checking repository permissions: ${fetchError instanceof Error ? fetchError.message : String(fetchError)}`));
+    return false;
+  }
+}
 // src/commands/init.ts
-import { ObserverEngine } from "@perceo/observer-engine";
+import { createInterface } from "readline";
+import os from "os";
 var CONFIG_DIR2 = ".perceo";
 var CONFIG_FILE = "config.json";
-var initCommand = new Command("init").description("Initialize Perceo in your project").option("-d, --dir <directory>", "Project directory", process.cwd()).action(async (options) => {
-  const projectDir = path2.resolve(options.dir || process.cwd());
-  const spinner = ora(`Initializing Perceo in ${chalk.cyan(projectDir)}...`).start();
+var SUPPORTED_FRAMEWORKS = ["nextjs", "react", "remix"];
+function formatDbError(err) {
+  if (err instanceof Error) return err.message;
+  const o = err;
+  if (o && typeof o.message === "string") {
+    const parts = [o.message];
+    if (typeof o.code === "string") parts.push(`(code: ${o.code})`);
+    if (typeof o.details === "string") parts.push(o.details);
+    return parts.join(" ");
+  }
+  return String(err);
+}
+var initCommand = new Command("init").description("Initialize Perceo in your project and discover flows").option("-d, --dir <directory>", "Project directory", process.cwd()).option("--skip-github", "Skip GitHub Actions setup", false).option("-y, --yes", "Skip confirmation prompt (e.g. for CI)", false).option("-b, --branch <branch>", "Main branch name (default: auto-detect)").option("--configure-personas", "Configure custom user personas instead of auto-generating them", false).action(async (options) => {
+  const projectDir = path3.resolve(options.dir || process.cwd());
+  const loggedIn = await isLoggedIn(projectDir);
+  if (!loggedIn) {
+    console.error(chalk3.red("You must log in first. Run ") + chalk3.cyan("perceo login") + chalk3.red(", then run ") + chalk3.cyan("perceo init") + chalk3.red(" again."));
+    process.exit(1);
+  }
+  if (!options.yes) {
+    const isGit = isGitRepository(projectDir);
+    const remote = detectGitHubRemote(projectDir);
+    const isHomeDir = projectDir === os.homedir();
+    console.log(chalk3.bold("Initialize Perceo in this directory?"));
+    console.log(chalk3.gray("  Directory:   ") + chalk3.cyan(projectDir));
+    if (remote) {
+      console.log(chalk3.gray("  Repository:  ") + chalk3.cyan(`${remote.owner}/${remote.repo}`));
+    } else if (isGit) {
+      console.log(chalk3.gray("  Repository:  ") + chalk3.yellow("Git repository (no GitHub remote)"));
+    } else {
+      console.log(chalk3.gray("  Repository:  ") + chalk3.yellow("Not a git repository"));
+    }
+    if (isHomeDir) {
+      console.log(chalk3.yellow("  Warning: This is your home directory. Prefer running from a project directory."));
+    }
+    const rl = createInterface({ input: process.stdin, output: process.stdout });
+    const answer = await new Promise((resolve) => {
+      rl.question(chalk3.bold("Continue? [y/N]: "), (ans) => {
+        rl.close();
+        resolve((ans || "n").trim().toLowerCase());
+      });
+    });
+    if (answer !== "y" && answer !== "yes") {
+      console.log(chalk3.gray("Init cancelled."));
+      process.exit(0);
+    }
+  }
+  const spinner = ora2(`Initializing Perceo in ${chalk3.cyan(projectDir)}...`).start();
   try {
     const pkg = await readPackageJson(projectDir);
-    const projectName = pkg?.name || path2.basename(projectDir);
+    const projectName = pkg?.name || path3.basename(projectDir);
     const framework = await detectFramework(projectDir, pkg);
-    const perceoDir = path2.join(projectDir, CONFIG_DIR2);
-    const perceoConfigPath = path2.join(perceoDir, CONFIG_FILE);
+    let branch = options.branch;
+    if (!branch) {
+      branch = detectDefaultBranch(projectDir);
+      console.log(chalk3.gray(`  Auto-detected default branch: ${branch}`));
+    } else {
+      console.log(chalk3.gray(`  Using specified branch: ${branch}`));
+    }
+    if (!SUPPORTED_FRAMEWORKS.includes(framework)) {
+      spinner.fail("Unsupported project type");
+      const detected = framework === "unknown" ? "No React/Next.js/Remix project detected" : `Detected: ${framework}`;
+      console.error(chalk3.red(detected + "."));
+      console.error(chalk3.yellow("Perceo currently supports React, Next.js, and Remix projects. Support for more frameworks is coming soon."));
+      process.exit(1);
+    }
+    const perceoDir = path3.join(projectDir, CONFIG_DIR2);
+    const perceoConfigPath = path3.join(perceoDir, CONFIG_FILE);
     await fs2.mkdir(perceoDir, { recursive: true });
+    spinner.text = "Bootstrapping project via Perceo Observer...";
+    const storedAuth = await getEffectiveAuth(projectDir);
+    if (!storedAuth) {
+      spinner.fail("Authentication required");
+      throw new Error("Please run 'perceo login' first");
+    }
+    const supabaseUrl = storedAuth.supabaseUrl;
+    const supabaseKey = getSupabaseAnonKey2();
+    let tempClient;
+    try {
+      console.log(chalk3.gray(`
+  Connecting to Perceo Cloud: ${supabaseUrl}`));
+      tempClient = await PerceoDataClient2.fromUserSession({
+        supabaseUrl: storedAuth.supabaseUrl,
+        supabaseKey,
+        accessToken: storedAuth.access_token,
+        refreshToken: storedAuth.refresh_token
+      });
+    } catch (authError) {
+      spinner.fail("Failed to connect to Perceo Cloud");
+      console.error(chalk3.red("\nAuthentication error details:"));
+      console.error(chalk3.gray(`  Supabase URL: ${supabaseUrl}`));
+      console.error(chalk3.gray(`  Error: ${authError instanceof Error ? authError.message : String(authError)}`));
+      if (authError instanceof Error && authError.stack) {
+        console.error(chalk3.gray(`  Stack: ${authError.stack}`));
+      }
+      throw new Error(`Failed to authenticate with Perceo Cloud. Try running 'perceo logout' followed by 'perceo login'.`);
+    }
+    let tempProject;
+    const remote = detectGitHubRemote(projectDir);
+    const gitRemoteUrl = remote ? `https://github.com/${remote.owner}/${remote.repo}` : null;
+    try {
+      spinner.text = "Looking up project...";
+      tempProject = await tempClient.getProjectByName(projectName);
+    } catch (dbError) {
+      spinner.fail("Failed to query project");
+      console.error(chalk3.red("\nDatabase error details:"));
+      console.error(chalk3.gray(`  ${formatDbError(dbError)}`));
+      throw new Error("Failed to query project from database");
+    }
+    if (!tempProject) {
+      try {
+        spinner.text = "Creating project...";
+        tempProject = await tempClient.createProject({
+          name: projectName,
+          framework,
+          config: { source: "cli-init" },
+          git_remote_url: gitRemoteUrl
+        });
+      } catch (createError) {
+        spinner.fail("Failed to create project");
+        console.error(chalk3.red("\nDatabase error details:"));
+        console.error(chalk3.gray(`  ${formatDbError(createError)}`));
+        throw new Error("Failed to create project in database");
+      }
+    } else {
+      const role = await checkProjectAccess(tempClient, tempProject.id);
+      if (!role) {
+        spinner.fail("Access denied");
+        console.error(chalk3.red(`
+You don't have access to the project "${tempProject.name}".`));
+        console.error(chalk3.gray("Only users added to the project can run init. Ask a project owner or admin to add you."));
+        process.exit(1);
+      }
+    }
+    spinner.text = "Generating workflow authorization key...";
+    let workflowApiKey;
+    try {
+      const {
+        data: { user }
+      } = await tempClient.getSupabaseClient().auth.getUser();
+      const userId = user?.id;
+      try {
+        const existingKeys = await tempClient.getApiKeys(tempProject.id);
+        const existingWorkflowKey = existingKeys.find((k) => k.name === "temporal-workflow-auth");
+        if (existingWorkflowKey) {
+          console.log(chalk3.gray("\n  \u2713 Found existing workflow key, deleting it"));
+          await tempClient.deleteApiKey(existingWorkflowKey.id);
+        }
+      } catch (cleanupError) {
+        console.log(chalk3.gray(`  Note: Could not check for existing keys: ${cleanupError instanceof Error ? cleanupError.message : String(cleanupError)}`));
+      }
+      const { key } = await tempClient.createApiKey(tempProject.id, {
+        name: "temporal-workflow-auth",
+        scopes: ["workflows:start"],
+        createdBy: userId
+      });
+      workflowApiKey = key;
+      console.log(chalk3.gray("\n  \u2713 Workflow authorization key generated"));
+      console.log(chalk3.gray(`    Key prefix: ${key.substring(0, 12)}...`));
+    } catch (keyError) {
+      spinner.fail("Database key generation failed");
+      console.error(chalk3.red("\n  \u2717 CRITICAL: Cannot generate workflow authorization key in database"));
+      if (keyError && typeof keyError === "object") {
+        const err = keyError;
+        console.error(chalk3.gray(`    Error code: ${err.code || "N/A"}`));
+        console.error(chalk3.gray(`    Error message: ${err.message || "Unknown error"}`));
+        if (err.details) {
+          console.error(chalk3.gray(`    Details: ${err.details}`));
+        }
+        if (err.hint) {
+          console.error(chalk3.gray(`    Hint: ${err.hint}`));
+        }
+      } else if (keyError instanceof Error) {
+        console.error(chalk3.gray(`    Error: ${keyError.message}`));
+        if (keyError.stack) {
+          console.error(chalk3.gray(`    Stack: ${keyError.stack}`));
+        }
+      } else {
+        console.error(chalk3.gray(`    Error: ${String(keyError)}`));
+      }
+      const crypto = await import("crypto");
+      const keyBytes = crypto.randomBytes(32);
+      workflowApiKey = `prc_${keyBytes.toString("base64url")}`;
+      console.log(chalk3.yellow("\n  \u26A0 Using temporary local key as fallback"));
+      console.log(chalk3.gray(`    Key prefix: ${workflowApiKey.substring(0, 12)}...`));
+      console.log(chalk3.red("  \u2717 WARNING: Temporal workflows will NOT work with this key"));
+      console.log(chalk3.red("  \u2717 You must fix the database issue before workflows can run"));
+      throw new Error("Failed to generate workflow authorization key in database");
+    }
+    const workerApiUrl = process.env.PERCEO_WORKER_API_URL || "https://perceo-temporal-worker-331577200018.us-west1.run.app/";
+    const workerApiKey = process.env.PERCEO_WORKER_API_KEY;
+    const headers = {
+      "Content-Type": "application/json"
+    };
+    if (workerApiKey) {
+      headers["x-api-key"] = workerApiKey;
+    }
+    spinner.stop();
+    console.log(chalk3.gray("\n  \u2139\uFE0F  LLM API key will be fetched from secure storage during bootstrap"));
+    console.log(chalk3.gray("     (configured by admin in Supabase project_secrets table)"));
+    let userConfiguredPersonas = [];
+    let useCustomPersonas = false;
+    if (options.configurePersonas) {
+      spinner.stop();
+      console.log(chalk3.bold("\n\u{1F3AD} Configure User Personas"));
+      console.log(chalk3.gray("Define custom user personas for your application, or let Perceo auto-generate them from your codebase."));
+      const rl = createInterface({ input: process.stdin, output: process.stdout });
+      const configurePersonasAnswer = await new Promise((resolve) => {
+        rl.question(chalk3.cyan("Do you want to configure custom personas? [y/N]: "), (ans) => {
+          resolve((ans || "n").trim().toLowerCase());
+        });
+      });
+      if (configurePersonasAnswer === "y" || configurePersonasAnswer === "yes") {
+        useCustomPersonas = true;
+        console.log(chalk3.green("\n\u2713 Configuring custom personas"));
+        console.log(chalk3.gray("Enter persona details (press Enter with empty name to finish):"));
+        let personaIndex = 1;
+        while (true) {
+          console.log(chalk3.bold(`
+Persona ${personaIndex}:`));
+          const name = await new Promise((resolve) => {
+            rl.question(chalk3.cyan("  Name: "), resolve);
+          });
+          if (!name.trim()) {
+            break;
+          }
+          const description = await new Promise((resolve) => {
+            rl.question(chalk3.cyan("  Description: "), resolve);
+          });
+          const behaviors = await new Promise((resolve) => {
+            rl.question(chalk3.cyan("  Key behaviors (comma-separated): "), resolve);
+          });
+          const behaviorList = behaviors.split(",").map((b) => b.trim()).filter((b) => b.length > 0);
+          const behaviorObj = {};
+          behaviorList.forEach((behavior, idx) => {
+            behaviorObj[`behavior_${idx + 1}`] = behavior;
+          });
+          userConfiguredPersonas.push({
+            name: name.trim(),
+            description: description.trim() || null,
+            behaviors: behaviorObj
+          });
+          console.log(chalk3.green(`  \u2713 Added persona: ${name}`));
+          personaIndex++;
+        }
+        if (userConfiguredPersonas.length === 0) {
+          console.log(chalk3.yellow("  No personas configured, will use auto-generation"));
+          useCustomPersonas = false;
+        } else {
+          console.log(chalk3.green(`
+\u2713 Configured ${userConfiguredPersonas.length} custom personas`));
+          try {
+            console.log(chalk3.gray("  Saving personas to database..."));
+            await tempClient.createUserConfiguredPersonas(userConfiguredPersonas, tempProject.id);
+            console.log(chalk3.green("  \u2713 Personas saved successfully"));
+          } catch (personaError) {
+            console.error(chalk3.red("  \u2717 Failed to save personas:"), personaError);
+            throw new Error("Failed to save custom personas to database");
+          }
+        }
+      }
+      rl.close();
+      spinner.start("Starting bootstrap workflow...");
+    } else {
+      spinner.start("Starting bootstrap workflow...");
+    }
+    let bootstrapResponse;
+    try {
+      console.log(chalk3.gray(`
+  Connecting to worker API: ${workerApiUrl}`));
+      console.log(chalk3.gray(`  Project ID: ${tempProject.id}`));
+      console.log(chalk3.gray(`  Git Remote URL: ${gitRemoteUrl || "Not detected"}`));
+      console.log(chalk3.gray(`  Workflow API Key: ${workflowApiKey.substring(0, 12)}...`));
+      if (!gitRemoteUrl) {
+        spinner.fail("Cannot start bootstrap workflow");
+        throw new Error("Git remote URL not detected. Please ensure this is a Git repository with a GitHub remote configured.");
+      }
+      bootstrapResponse = await fetch(`${workerApiUrl}/api/workflows/bootstrap`, {
+        method: "POST",
+        headers,
+        body: JSON.stringify({
+          projectId: tempProject.id,
+          gitRemoteUrl,
+          projectName,
+          framework,
+          branch,
+          workflowApiKey,
+          useCustomPersonas
+        })
+      });
+    } catch (fetchError) {
+      spinner.fail("Failed to connect to worker API");
+      console.error(chalk3.red("\nNetwork error details:"));
+      console.error(chalk3.gray(`  URL: ${workerApiUrl}/api/workflows/bootstrap`));
+      console.error(chalk3.gray(`  Error: ${fetchError instanceof Error ? fetchError.message : String(fetchError)}`));
+      if (fetchError instanceof Error && fetchError.cause) {
+        console.error(chalk3.gray(`  Cause: ${JSON.stringify(fetchError.cause, null, 2)}`));
+      }
+      throw new Error(`Failed to connect to worker API at ${workerApiUrl}. Check that PERCEO_WORKER_API_URL is correct and the service is running.`);
+    }
+    if (!bootstrapResponse.ok) {
+      const errorData = await bootstrapResponse.json().catch(() => ({}));
+      spinner.fail("Failed to start bootstrap workflow");
+      console.error(chalk3.red(`  HTTP ${bootstrapResponse.status}: ${bootstrapResponse.statusText}`));
+      throw new Error(`Bootstrap start failed: ${errorData.error || bootstrapResponse.statusText}`);
+    }
+    const { workflowId } = await bootstrapResponse.json();
+    console.log(chalk3.gray(`
+  Workflow ID: ${workflowId}`));
+    spinner.text = "Initializing workflow...";
+    let temporalResult;
+    for (; ; ) {
+      let queryResponse;
+      try {
+        queryResponse = await fetch(`${workerApiUrl}/api/workflows/${workflowId}`, {
+          headers
+        });
+      } catch (fetchError) {
+        console.log(chalk3.yellow("\n  Warning: Failed to query workflow progress (network error), retrying..."));
+        console.log(chalk3.gray(`    Error: ${fetchError instanceof Error ? fetchError.message : String(fetchError)}`));
+        await sleep(2e3);
+        continue;
+      }
+      if (!queryResponse.ok) {
+        console.log(chalk3.yellow(`
+  Warning: Failed to query workflow progress (HTTP ${queryResponse.status}), retrying...`));
+        await sleep(2e3);
+        continue;
+      }
+      const queryResult = await queryResponse.json();
+      if (queryResult.progress?.message) {
+        spinner.prefixText = chalk3.gray(`[${queryResult.progress.stage}]`);
+        spinner.text = `${queryResult.progress.message} (${queryResult.progress.percentage}%)`;
+      }
+      if (queryResult.completed) {
+        if (queryResult.error) {
+          spinner.fail("Bootstrap workflow failed");
+          throw new Error(queryResult.error);
+        }
+        if (!queryResult.result) {
+          spinner.fail("Bootstrap workflow completed but no result returned");
+          throw new Error("No result from workflow");
+        }
+        temporalResult = queryResult.result;
+        break;
+      }
+      if (queryResult.progress?.stage === "error") {
+        spinner.fail("Bootstrap workflow failed");
+        throw new Error(queryResult.progress.error || "Unknown workflow error");
+      }
+      await sleep(1e3);
+    }
+    spinner.succeed("Bootstrap complete!");
+    console.log(chalk3.green("\n\u2713 Bootstrap successful:"));
+    console.log(chalk3.gray(`  Personas: ${temporalResult.personasExtracted}`));
+    console.log(chalk3.gray(`  Flows: ${temporalResult.flowsExtracted}`));
+    console.log(chalk3.gray(`  Steps: ${temporalResult.stepsExtracted}`));
+    console.log(chalk3.gray(`  Commits: ${temporalResult.totalCommitsProcessed}`));
+    console.log();
+    spinner.start("Finishing initialization...");
+    spinner.text = "Connecting to Perceo Cloud...";
+    let client;
+    if (storedAuth) {
+      try {
+        client = await PerceoDataClient2.fromUserSession({
+          supabaseUrl: storedAuth.supabaseUrl,
+          supabaseKey,
+          accessToken: storedAuth.access_token,
+          refreshToken: storedAuth.refresh_token
+        });
+      } catch (authError) {
+        spinner.warn("Failed to attach user session, falling back to anonymous access");
+        console.log(chalk3.gray(`  ${authError instanceof Error ? authError.message : typeof authError === "string" ? authError : "Unknown error while restoring session"}`));
+        spinner.start("Connecting to Perceo Cloud...");
+        client = new PerceoDataClient2({ supabaseUrl, supabaseKey });
+      }
+    } else {
+      client = new PerceoDataClient2({ supabaseUrl, supabaseKey });
+    }
+    let project;
+    try {
+      spinner.text = "Syncing project...";
+      project = await client.getProjectByName(projectName);
+    } catch (dbError) {
+      spinner.fail("Failed to query project");
+      console.error(chalk3.red("\nDatabase error details:"));
+      console.error(chalk3.gray(`  ${formatDbError(dbError)}`));
+      throw new Error("Failed to query project from database");
+    }
+    if (!project) {
+      try {
+        spinner.text = "Creating project...";
+        project = await client.createProject({
+          name: projectName,
+          framework,
+          config: { source: "cli-init" },
+          git_remote_url: gitRemoteUrl
+        });
+      } catch (createError) {
+        spinner.fail("Failed to create project");
+        console.error(chalk3.red("\nDatabase error details:"));
+        console.error(chalk3.gray(`  ${formatDbError(createError)}`));
+        throw new Error("Failed to create project in database");
+      }
+    } else if (gitRemoteUrl && project.git_remote_url !== gitRemoteUrl) {
+      try {
+        await client.updateProject(project.id, { git_remote_url: gitRemoteUrl });
+      } catch (updateError) {
+        console.log(chalk3.yellow(`  Warning: Failed to update git remote URL: ${updateError instanceof Error ? updateError.message : String(updateError)}`));
+      }
+    }
+    const projectId = project.id;
+    const flowsDiscovered = temporalResult.flowsExtracted;
+    const flowsNew = temporalResult.flowsExtracted;
+    let apiKey = null;
+    let workflowCreated = false;
+    let githubAutoConfigured = false;
+    if (projectId && !options.skipGithub) {
+      spinner.text = "Generating CI API key...";
+      const scopes = ["ci:analyze", "ci:test", "flows:read", "insights:read", "events:publish"];
+      try {
+        const {
+          data: { user }
+        } = await client.getSupabaseClient().auth.getUser();
+        const userId = user?.id;
+        try {
+          const existingKeys = await client.getApiKeys(projectId);
+          const existingGhKey = existingKeys.find((k) => k.name === "github-actions");
+          if (existingGhKey) {
+            console.log(chalk3.gray("\n  \u2713 Found existing GitHub Actions key, deleting it"));
+            await client.deleteApiKey(existingGhKey.id);
+          }
+        } catch (cleanupError) {
+          console.log(chalk3.gray(`  Note: Could not check for existing keys: ${cleanupError instanceof Error ? cleanupError.message : String(cleanupError)}`));
+        }
+        const { key } = await client.createApiKey(projectId, {
+          name: "github-actions",
+          scopes,
+          createdBy: userId
+        });
+        apiKey = key;
+        const remote2 = detectGitHubRemote(projectDir);
+        if (remote2) {
+          spinner.stop();
+          console.log(chalk3.cyan(`
+\u{1F4E6} Detected GitHub repository: ${remote2.owner}/${remote2.repo}`));
+          const rl = createInterface({ input: process.stdin, output: process.stdout });
+          const answer = await new Promise((resolve) => {
+            rl.question(chalk3.bold("Auto-configure GitHub Actions? (Y/n): "), (ans) => {
+              rl.close();
+              resolve((ans || "y").toLowerCase());
+            });
+          });
+          if (answer === "y" || answer === "yes" || answer === "") {
+            try {
+              spinner.start("Authorizing with GitHub...");
+              const ghAuth = await authorizeGitHub();
+              spinner.text = "Checking repository permissions...";
+              const hasPermission = await checkRepositoryPermissions(ghAuth.accessToken, remote2.owner, remote2.repo);
+              if (!hasPermission) {
+                spinner.warn("Insufficient permissions to write to repository");
+                console.log(chalk3.yellow("  You need admin or push access to configure secrets automatically."));
+              } else {
+                spinner.text = "Creating PERCEO_API_KEY secret...";
+                if (!apiKey) {
+                  throw new Error("API key not found after creation");
+                }
+                await createRepositorySecret(ghAuth.accessToken, remote2.owner, remote2.repo, "PERCEO_API_KEY", apiKey);
+                githubAutoConfigured = true;
+                spinner.text = "Creating GitHub Actions workflow...";
+              }
+            } catch (error) {
+              spinner.warn("GitHub authorization failed");
+              console.log(chalk3.yellow(`  ${error instanceof Error ? error.message : "Unknown error"}`));
+              console.log(chalk3.gray("  Continuing with manual setup instructions..."));
+            }
+          }
+          if (!githubAutoConfigured) {
+            spinner.start("Creating GitHub Actions workflow...");
+          }
+        } else {
+          spinner.text = "Creating GitHub Actions workflow...";
+        }
+        const workflowDir = path3.join(projectDir, ".github", "workflows");
+        const workflowPath = path3.join(workflowDir, "perceo.yml");
+        await fs2.mkdir(workflowDir, { recursive: true });
+        if (!await fileExists2(workflowPath)) {
+          const workflowContent = generateGitHubWorkflow(branch);
+          await fs2.writeFile(workflowPath, workflowContent, "utf8");
+          workflowCreated = true;
+        }
+      } catch (error) {
+        console.log(chalk3.yellow("\n  \u26A0 Database key generation failed, using local fallback"));
+        if (error && typeof error === "object") {
+          const err = error;
+          console.error(chalk3.gray(`    Error code: ${err.code || "N/A"}`));
+          console.error(chalk3.gray(`    Error message: ${err.message || "Unknown error"}`));
+          if (err.details) {
+            console.error(chalk3.gray(`    Details: ${err.details}`));
+          }
+          if (err.hint) {
+            console.error(chalk3.gray(`    Hint: ${err.hint}`));
+          }
+        } else if (error instanceof Error) {
+          console.error(chalk3.gray(`    Error: ${error.message}`));
+        } else {
+          console.error(chalk3.gray(`    Error: ${String(error)}`));
+        }
+        const crypto = await import("crypto");
+        const keyBytes = crypto.randomBytes(32);
+        apiKey = `prc_${keyBytes.toString("base64url")}`;
+        console.log(chalk3.gray("  \u2713 Local CI API key generated"));
+        console.log(chalk3.gray(`    Key prefix: ${apiKey.substring(0, 12)}...`));
+        console.log(chalk3.yellow("  \u26A0 This key is not stored in the database and is local-only"));
+        try {
+          const workflowDir = path3.join(projectDir, ".github", "workflows");
+          const workflowPath = path3.join(workflowDir, "perceo.yml");
+          await fs2.mkdir(workflowDir, { recursive: true });
+          if (!await fileExists2(workflowPath)) {
+            const workflowContent = generateGitHubWorkflow(branch);
+            await fs2.writeFile(workflowPath, workflowContent, "utf8");
+            workflowCreated = true;
+          }
+        } catch (workflowError) {
+          console.log(chalk3.yellow("  \u26A0 Could not create workflow file"));
+          console.log(chalk3.gray(`    ${workflowError instanceof Error ? workflowError.message : "Unknown error"}`));
+        }
+      }
+    }
     if (await fileExists2(perceoConfigPath)) {
       spinner.stop();
-      console.log(chalk.yellow(`
+      console.log(chalk3.yellow(`
 .perceo/${CONFIG_FILE} already exists. Skipping config generation.`));
     } else {
-      const config = createDefaultConfig(projectName, framework);
+      const config = createDefaultConfig(projectName, framework, projectId, branch);
       await fs2.writeFile(perceoConfigPath, JSON.stringify(config, null, 2) + "\n", "utf8");
     }
-    const readmePath = path2.join(perceoDir, "README.md");
+    const readmePath = path3.join(perceoDir, "README.md");
     if (!await fileExists2(readmePath)) {
       await fs2.writeFile(readmePath, createPerceoReadme(projectName), "utf8");
     }
-    let bootstrapSummary = null;
-    try {
-      spinner.text = "Initializing flows and personas with Perceo Observer Engine...";
-      const config = await loadConfig({ projectDir });
-      const observerConfig = {
-        observer: config.observer,
-        flowGraph: config.flowGraph,
-        eventBus: config.eventBus
-      };
-      const engine = new ObserverEngine(observerConfig);
-      const result = await engine.bootstrapProject({
-        projectDir,
-        projectName,
-        framework
-      });
-      const warnings = result.warnings && result.warnings.length > 0 ? ` (${result.warnings.length} warning${result.warnings.length > 1 ? "s" : ""})` : "";
-      bootstrapSummary = `Initialized ${result.flowsInitialized} flow(s) and ${result.personasInitialized} persona(s)${warnings}.`;
-    } catch (error) {
-      const message = error instanceof Error ? error.message : "Unknown error";
-      console.log(chalk.yellow(`
-\u26A0\uFE0F  Skipped automatic Observer bootstrap. You can configure managed services later. Details: ${message}`));
-    }
     spinner.succeed("Perceo initialized successfully!");
-    console.log("\n" + chalk.bold("Project: ") + projectName);
-    console.log(chalk.bold("Detected framework: ") + framework);
-    console.log(chalk.bold("Config: ") + path2.relative(projectDir, perceoConfigPath));
-    if (bootstrapSummary) {
-      console.log(chalk.bold("Observer bootstrap: ") + bootstrapSummary);
-    }
-    console.log("\n" + chalk.bold("Next steps:"));
-    console.log("  1. Review and customize " + chalk.cyan(`.perceo/${CONFIG_FILE}`) + " for your project.");
-    console.log("  2. Set up local managed services (Neo4j, Supabase) as described in " + chalk.cyan(".perceo/README.md") + ".");
-    console.log("  3. Start the watcher with: " + chalk.cyan("perceo watch --dev --analyze"));
-    console.log("\n" + chalk.gray("For full architecture and managed services guides, see docs/cli_architecture.md."));
+    console.log("\n" + chalk3.bold("Project: ") + projectName);
+    console.log(chalk3.bold("Framework: ") + framework);
+    console.log(chalk3.bold("Branch: ") + branch);
+    console.log(chalk3.bold("Config: ") + path3.relative(projectDir, perceoConfigPath));
+    console.log(chalk3.bold("Project ID: ") + projectId);
+    console.log(chalk3.bold("Flows discovered: ") + `${flowsDiscovered} (${flowsNew} new)`);
+    if (githubAutoConfigured && workflowCreated) {
+      console.log("\n" + chalk3.bold.green("\u2713 GitHub Actions configured automatically!"));
+      console.log(chalk3.gray("\u2500".repeat(50)));
+      console.log("\n  Workflow: " + chalk3.cyan(".github/workflows/perceo.yml"));
+      console.log("  Secret: " + chalk3.green("PERCEO_API_KEY") + " " + chalk3.gray("(already added)"));
+      console.log("\n" + chalk3.gray("  CI will run on pull requests automatically."));
+      console.log(chalk3.gray("\u2500".repeat(50)));
+    } else if (apiKey && workflowCreated) {
+      console.log("\n" + chalk3.bold.yellow("GitHub Actions Setup (Manual):"));
+      console.log(chalk3.gray("\u2500".repeat(50)));
+      console.log("\n  Workflow created at: " + chalk3.cyan(".github/workflows/perceo.yml"));
+      console.log("\n  " + chalk3.bold("Add this secret to your repository:"));
+      console.log("  " + chalk3.gray("Settings \u2192 Secrets and variables \u2192 Actions \u2192 New repository secret"));
+      console.log("\n  Name:  " + chalk3.yellow("PERCEO_API_KEY"));
+      console.log("  Value: " + chalk3.green(apiKey));
+      console.log("\n" + chalk3.gray("  \u26A0\uFE0F  This key is shown only once. Store it securely."));
+      console.log(chalk3.gray("  \u26A0\uFE0F  Manage keys with: perceo keys list"));
+      console.log(chalk3.gray("\u2500".repeat(50)));
+    } else if (apiKey && !workflowCreated) {
+      console.log("\n" + chalk3.bold.green("CI API Key Generated:"));
+      console.log(chalk3.gray("\u2500".repeat(50)));
+      console.log("\n  " + chalk3.bold("Add this secret to your CI:"));
+      console.log("\n  Name:  " + chalk3.yellow("PERCEO_API_KEY"));
+      console.log("  Value: " + chalk3.green(apiKey));
+      console.log("\n  Workflow already exists at .github/workflows/perceo.yml");
+      console.log(chalk3.gray("\u2500".repeat(50)));
+    } else if (!options.skipGithub && projectId) {
+      console.log("\n" + chalk3.yellow("\u26A0\uFE0F  GitHub Actions setup skipped."));
+    }
+    console.log("\n" + chalk3.bold("Next steps:"));
+    if (githubAutoConfigured) {
+      console.log("  1. Review flows: " + chalk3.cyan("perceo flows list"));
+      console.log("  2. Commit and push: " + chalk3.cyan("git add . && git commit -m 'Add Perceo' && git push"));
+      console.log("  3. Open a PR to see Perceo analyze your changes!");
+    } else if (apiKey) {
+      console.log("  1. " + chalk3.bold("Add the PERCEO_API_KEY secret to GitHub") + " (see above)");
+      console.log("  2. Review flows: " + chalk3.cyan("perceo flows list"));
+      console.log("  3. Commit and push to trigger CI: " + chalk3.cyan("git add . && git commit -m 'Add Perceo'"));
+    } else {
+      console.log("  1. Review flows: " + chalk3.cyan("perceo flows list"));
+      console.log("  2. Analyze PR changes: " + chalk3.cyan(`perceo analyze --base ${branch}`));
+    }
+    console.log("\n" + chalk3.gray("Run `perceo logout` to sign out if needed."));
   } catch (error) {
     spinner.fail("Failed to initialize Perceo");
-    console.error(chalk.red(error instanceof Error ? error.message : "Unknown error"));
+    if (error instanceof Error) {
+      console.error(chalk3.red(error.message));
+      if (process.env.PERCEO_DEBUG === "1" || process.env.NODE_ENV === "development") {
+        if (error.stack) {
+          console.error(chalk3.gray(error.stack));
+        }
+      }
+    } else {
+      try {
+        console.error(chalk3.red(`Unexpected error: ${JSON.stringify(error, null, 2)}`));
+      } catch {
+        console.error(chalk3.red(`Unexpected error: ${String(error)}`));
+      }
+    }
     process.exit(1);
   }
 });
 async function readPackageJson(projectDir) {
-  const pkgPath = path2.join(projectDir, "package.json");
+  const pkgPath = path3.join(projectDir, "package.json");
   if (!await fileExists2(pkgPath)) return null;
   try {
     const raw = await fs2.readFile(pkgPath, "utf8");
@@ -147,10 +993,10 @@ async function readPackageJson(projectDir) {
   }
 }
 async function detectFramework(projectDir, pkg) {
-  const nextConfig = await fileExists2(path2.join(projectDir, "next.config.js"));
-  const nextConfigTs = await fileExists2(path2.join(projectDir, "next.config.ts"));
+  const nextConfig = await fileExists2(path3.join(projectDir, "next.config.js"));
+  const nextConfigTs = await fileExists2(path3.join(projectDir, "next.config.ts"));
   if (nextConfig || nextConfigTs) return "nextjs";
-  const remixConfig = await fileExists2(path2.join(projectDir, "remix.config.js"));
+  const remixConfig = await fileExists2(path3.join(projectDir, "remix.config.js"));
   if (remixConfig) return "remix";
   const deps = {
     ...pkg?.dependencies || {},
@@ -171,74 +1017,57 @@ async function fileExists2(p) {
     return false;
   }
 }
-function createDefaultConfig(projectName, framework) {
+function detectDefaultBranch(projectDir) {
+  try {
+    const result = execSync2("git symbolic-ref refs/remotes/origin/HEAD 2>/dev/null | sed 's@^refs/remotes/origin/@@'", {
+      cwd: projectDir,
+      encoding: "utf-8"
+    }).trim();
+    if (result) return result;
+  } catch {
+  }
+  try {
+    const currentBranch = execSync2("git branch --show-current", {
+      cwd: projectDir,
+      encoding: "utf-8"
+    }).trim();
+    if (currentBranch) return currentBranch;
+  } catch {
+  }
+  try {
+    execSync2("git rev-parse --verify main", {
+      cwd: projectDir,
+      encoding: "utf-8",
+      stdio: "pipe"
+    });
+    return "main";
+  } catch {
+  }
+  try {
+    execSync2("git rev-parse --verify master", {
+      cwd: projectDir,
+      encoding: "utf-8",
+      stdio: "pipe"
+    });
+    return "master";
+  } catch {
+  }
+  return "main";
+}
+function createDefaultConfig(projectName, framework, projectId, branch) {
   return {
     version: "1.0",
     project: {
+      id: projectId,
       name: projectName,
-      framework
+      framework,
+      branch
     },
     observer: {
       watch: {
         paths: inferDefaultWatchPaths(framework),
         ignore: ["node_modules/", ".next/", "dist/", "build/"],
-        debounceMs: 500,
-        autoTest: true
-      },
-      ci: {
-        strategy: "affected-flows",
-        parallelism: 5
-      },
-      analysis: {
-        useLLM: true,
-        llmThreshold: 0.7
-      }
-    },
-    analyzer: {
-      insights: {
-        enabled: true,
-        updateInterval: 3600,
-        minSeverity: "medium"
-      },
-      predictions: {
-        enabled: true,
-        model: "ml",
-        confidenceThreshold: 0.6
-      },
-      coverage: {
-        minCoverageScore: 0.7,
-        alertOnGaps: true
-      }
-    },
-    analytics: {
-      provider: "ga4",
-      credentials: "${ANALYTICS_CREDENTIALS}",
-      syncInterval: 300,
-      correlation: {
-        algorithm: "smith-waterman",
-        minSimilarity: 0.7
-      },
-      revenueTracking: {
-        enabled: true,
-        avgOrderValueSource: "analytics"
-      }
-    },
-    flowGraph: {
-      endpoint: "bolt://localhost:7687",
-      database: "Perceo"
-    },
-    eventBus: {
-      type: "in-memory",
-      redisUrl: "redis://localhost:6379"
-    },
-    notifications: {
-      slack: {
-        enabled: false,
-        webhook: ""
-      },
-      email: {
-        enabled: false,
-        recipients: []
+        debounceMs: 500
       }
     }
   };
@@ -259,132 +1088,719 @@ function inferDefaultWatchPaths(framework) {
       return ["src/"];
   }
 }
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
 function createPerceoReadme(projectName) {
   return `# Perceo configuration for ${projectName}
-This folder was generated by \`perceo init\` and contains configuration for the Perceo CLI.
+This folder was generated by \`perceo init\`.
 ## Files
-- \`.perceo/config.json\` \u2014 main configuration file for the Perceo CLI.
+- \`.perceo/config.json\` \u2014 project configuration (project id, name, branch). Access to this project is controlled in Perceo Cloud; only users added as members can view or change project data.
-## What this config does
+## Commands
-- Tells the Perceo backend which project and framework you are using.
-- Configures how the Observer, Analyzer, and Analytics features should behave for this project.
-- Stores connection settings that the Perceo backend and packages use to talk to managed services.
+- \`perceo analyze --base <branch>\` \u2014 analyze PR changes and find affected flows
+- \`perceo flows list\` \u2014 list all discovered flows
-The actual connection logic and authentication to Perceo-managed services (including any databases, event buses, or analytics backends) is handled by Perceo\u2019s backend packages and platform \u2014 not by this CLI config.
+## Environment Variables
-In most cases you should only need to:
-1. Review \`.perceo/config.json\` and adjust paths (for example, \`src/\` vs \`app/\`).
-2. Commit \`.perceo/config.json\` to your repository (if you want it shared with your team).
-3. Run:
+Set these to enable Supabase sync:
 \`\`\`bash
-perceo watch --dev --analyze
+PERCEO_SUPABASE_URL=https://your-project.supabase.co
+PERCEO_SUPABASE_ANON_KEY=your-anon-key
 \`\`\`
+`;
+}
+function generateGitHubWorkflow(branch) {
+  const branches = Array.from(/* @__PURE__ */ new Set([branch, "main", "master"])).join(", ");
+  return `# Perceo CI - Automated regression impact analysis
+# Generated by perceo init
+# Docs: https://perceo.dev/docs/ci
+name: Perceo CI
+on:
+  pull_request:
+    branches: [${branches}]
+  push:
+    branches: [${branches}]
-to start Perceo in your local development workflow.
+permissions:
+  contents: read
+  pull-requests: write  # For PR comments
+jobs:
+  analyze:
+    name: Analyze Changes
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Full history for accurate diff
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+      - name: Install Perceo CLI
+        run: npm install -g @perceo/perceo
+      - name: Analyze PR Changes
+        if: github.event_name == 'pull_request'
+        env:
+          PERCEO_API_KEY: \${{ secrets.PERCEO_API_KEY }}
+        run: |
+          perceo ci analyze \\
+            --base \${{ github.event.pull_request.base.sha }} \\
+            --head \${{ github.sha }} \\
+            --pr \${{ github.event.pull_request.number }}
+      - name: Analyze Push Changes
+        if: github.event_name == 'push'
+        env:
+          PERCEO_API_KEY: \${{ secrets.PERCEO_API_KEY }}
+        run: |
+          perceo ci analyze \\
+            --base \${{ github.event.before }} \\
+            --head \${{ github.sha }}
 `;
 }
-// src/commands/watch.ts
+// src/commands/logout.ts
 import { Command as Command2 } from "commander";
-import chalk2 from "chalk";
-import ora2 from "ora";
-import { ObserverEngine as ObserverEngine2 } from "@perceo/observer-engine";
-var watchCommand = new Command2("watch").description("Watch for code changes and run tests").option("--dev", "Run against local development server").option("--port <port>", "Development server port", "3000").action(async (options) => {
-  const spinner = ora2("Starting Perceo observer...").start();
+import chalk4 from "chalk";
+import path4 from "path";
+var logoutCommand = new Command2("logout").description("Log out from Perceo (remove stored auth for the given scope)").option("-s, --scope <scope>", "Which login to remove: 'project' or 'global'", "global").option("-d, --dir <directory>", "Project directory (for project scope)", process.cwd()).action(async (options) => {
+  const scope = options.scope?.toLowerCase() === "project" ? "project" : "global";
+  const projectDir = path4.resolve(options.dir || process.cwd());
+  const existing = await getStoredAuth(scope, scope === "project" ? projectDir : void 0);
+  if (!existing?.access_token) {
+    console.log(chalk4.yellow(`Not logged in (${scope} scope). Nothing to do.`));
+    return;
+  }
+  await clearStoredAuth(scope, scope === "project" ? projectDir : void 0);
+  console.log(chalk4.green(`Logged out successfully (${scope} scope).`));
+});
+// src/commands/del.ts
+import { Command as Command3 } from "commander";
+import chalk5 from "chalk";
+import fs3 from "fs/promises";
+import path5 from "path";
+import { createInterface as createInterface2 } from "readline";
+var CONFIG_DIR3 = ".perceo";
+var CONFIG_FILE2 = "config.json";
+var GITHUB_WORKFLOW_PATH = ".github/workflows/perceo.yml";
+async function fileExists3(p) {
   try {
-    const config = await loadConfig();
-    const observerConfig = {
-      observer: config.observer,
-      flowGraph: config.flowGraph,
-      eventBus: config.eventBus
+    await fs3.access(p);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function readProjectFromConfig(projectDir) {
+  const configPath = path5.join(projectDir, CONFIG_DIR3, CONFIG_FILE2);
+  if (!await fileExists3(configPath)) return { id: null, name: null };
+  try {
+    const raw = await fs3.readFile(configPath, "utf8");
+    const config = JSON.parse(raw);
+    const project = config?.project;
+    return {
+      id: project?.id ?? null,
+      name: project?.name ?? null
+    };
+  } catch {
+    return { id: null, name: null };
+  }
+}
+async function fetchProjectData(client, projectId) {
+  try {
+    const project = await client.getProject(projectId);
+    if (!project) return null;
+    const [flows, personas, apiKeys, recentTestRuns, insights] = await Promise.all([
+      client.getFlows(projectId).catch(() => []),
+      client.getPersonas(projectId).catch(() => []),
+      client.getApiKeys(projectId).catch(() => []),
+      client.getRecentTestRuns(projectId, 1e3).catch(() => []),
+      client.getInsights(projectId).catch(() => [])
+    ]);
+    return {
+      id: project.id,
+      name: project.name,
+      flows: flows.map((f) => ({ id: f.id, name: f.name })),
+      personas: personas.map((p) => ({ id: p.id, name: p.name })),
+      apiKeys: apiKeys.map((k) => ({ id: k.id, name: k.name, key_prefix: k.key_prefix })),
+      testRunsCount: recentTestRuns.length,
+      insightsCount: insights.length
     };
-    const engine = new ObserverEngine2(observerConfig);
-    spinner.succeed("Observer started");
-    console.log(chalk2.blue("\n\u{1F440} Watching for changes..."));
-    console.log(chalk2.gray("Press Ctrl+C to stop\n"));
-    const envLabel = (process.env.PERCEO_ENV || "").toLowerCase() === "local" ? chalk2.yellow("local (using .perceo/config.local.json overrides when present)") : chalk2.green("default");
-    console.log(chalk2.bold("Environment: "), envLabel);
-    if (config?.flowGraph?.endpoint) {
-      console.log(chalk2.bold("Flow graph endpoint: "), config.flowGraph.endpoint);
-    }
-    if (config?.eventBus?.type) {
-      console.log(chalk2.bold("Event bus: "), config.eventBus.type);
-    }
-    if (options.dev) {
-      console.log(chalk2.green(`\u2713 Connected to localhost:${options.port}`));
-    }
-    process.stdin.resume();
   } catch (error) {
-    spinner.fail("Failed to start observer");
-    console.error(chalk2.red(error instanceof Error ? error.message : "Unknown error"));
-    process.exit(1);
+    console.warn(chalk5.yellow(`Warning: Could not fetch complete project data: ${error instanceof Error ? error.message : String(error)}`));
+    return null;
+  }
+}
+async function requireReauth(projectDir) {
+  console.log(chalk5.yellow.bold("\n\u{1F512} Re-authentication Required"));
+  console.log(chalk5.gray("For security, you must re-authenticate before deleting project data."));
+  console.log(chalk5.gray("Your current session will be cleared and you'll need to log in again.\n"));
+  const rl = createInterface2({ input: process.stdin, output: process.stdout });
+  const answer = await new Promise((resolve) => {
+    rl.question(chalk5.bold("Continue with re-authentication? [y/N]: "), (ans) => {
+      rl.close();
+      resolve((ans || "n").trim().toLowerCase());
+    });
+  });
+  if (answer !== "y" && answer !== "yes") {
+    console.log(chalk5.gray("Cancelled."));
+    return false;
+  }
+  try {
+    await clearStoredAuth("project", projectDir);
+    await clearStoredAuth("global");
+    console.log(chalk5.gray("Existing authentication cleared."));
+  } catch (error) {
+    console.warn(chalk5.yellow(`Warning: Could not clear existing auth: ${error instanceof Error ? error.message : String(error)}`));
+  }
+  console.log(chalk5.cyan("\nPlease log in again:"));
+  try {
+    const { loginCommand: loginCommand2 } = await import("./login-47R62VE3.js");
+    await loginCommand2.parseAsync(["login", "--scope", "global"], { from: "user" });
+    return true;
+  } catch (error) {
+    console.error(chalk5.red(`Re-authentication failed: ${error instanceof Error ? error.message : String(error)}`));
+    return false;
+  }
+}
+var delCommand = new Command3("del").description("Remove Perceo from this project - PERMANENTLY deletes ALL project data including flows, personas, test runs, and API keys").alias("rm").option("-d, --dir <directory>", "Project directory", process.cwd()).option("-y, --yes", "Skip confirmation prompt (NOT recommended)", false).option("--skip-server", "Only remove local files; do not delete the project on the server", false).option("--keep-github", "Do not remove .github/workflows/perceo.yml", false).option("--skip-reauth", "Skip re-authentication requirement (DANGEROUS - for development only)", false).action(async (options) => {
+  const projectDir = path5.resolve(options.dir || process.cwd());
+  const perceoDir = path5.join(projectDir, CONFIG_DIR3);
+  const workflowPath = path5.join(projectDir, GITHUB_WORKFLOW_PATH);
+  const hasPerceoDir = await fileExists3(perceoDir);
+  const hasWorkflow = await fileExists3(workflowPath);
+  const { id: projectId, name: projectName } = await readProjectFromConfig(projectDir);
+  const willDeleteServer = !options["skip-server"] && projectId;
+  if (!hasPerceoDir && !hasWorkflow && !willDeleteServer) {
+    console.log(chalk5.yellow("No Perceo setup found in this directory. Nothing to remove."));
+    return;
+  }
+  if (willDeleteServer && !options["skip-reauth"]) {
+    const reauthSuccess = await requireReauth(projectDir);
+    if (!reauthSuccess) {
+      console.log(chalk5.red("Re-authentication failed. Deletion cancelled for security."));
+      process.exit(1);
+    }
+  }
+  let projectData = null;
+  let deleteClient = null;
+  let resolvedProjectId = projectId;
+  if (willDeleteServer && (projectId || projectName)) {
+    try {
+      if (projectId) {
+        const access = await ensureProjectAccess({ projectDir, requireAdmin: true });
+        deleteClient = access.client;
+        resolvedProjectId = access.projectId;
+        projectData = await fetchProjectData(deleteClient, access.projectId);
+      } else {
+        const access = await ensureProjectAccess({ projectDir, requireAdmin: false });
+        const project = await access.client.getProjectByName(projectName);
+        if (!project) {
+          console.error(chalk5.red("Project not found or you don't have access."));
+          process.exit(1);
+        }
+        const role = await checkProjectAccess(access.client, project.id, { requireAdmin: true });
+        if (!role) {
+          console.error(chalk5.red("Deleting the project requires owner or admin role."));
+          process.exit(1);
+        }
+        deleteClient = access.client;
+        resolvedProjectId = project.id;
+        projectData = await fetchProjectData(deleteClient, project.id);
+      }
+    } catch (err) {
+      console.warn(chalk5.yellow(`Warning: Could not fetch project data for confirmation: ${err instanceof Error ? err.message : String(err)}`));
+    }
+  }
+  if (!options.yes) {
+    console.log(chalk5.red.bold("\n\u26A0\uFE0F  DESTRUCTIVE OPERATION - PERMANENT DATA DELETION"));
+    console.log(chalk5.red("This will permanently delete ALL Perceo data for this project."));
+    console.log(chalk5.red("This action CANNOT be undone.\n"));
+    console.log(chalk5.bold("\u{1F4C1} Local files to be removed:"));
+    console.log(chalk5.gray("  Directory: ") + chalk5.cyan(projectDir));
+    if (hasPerceoDir) console.log(chalk5.gray("  \u2022 ") + chalk5.cyan(".perceo/ (config, auth, etc.)"));
+    if (hasWorkflow && !options["keep-github"]) console.log(chalk5.gray("  \u2022 ") + chalk5.cyan(GITHUB_WORKFLOW_PATH));
+    if (willDeleteServer) {
+      console.log(chalk5.bold("\n\u{1F5C4}\uFE0F  Server data to be PERMANENTLY DELETED:"));
+      if (projectData) {
+        console.log(chalk5.gray("  Project: ") + chalk5.cyan(`${projectData.name} (${projectData.id})`));
+        console.log(chalk5.gray("  \u2022 ") + chalk5.red(`${projectData.flows.length} flows`) + chalk5.gray(" (including all steps)"));
+        if (projectData.flows.length > 0) {
+          projectData.flows.slice(0, 5).forEach((flow) => {
+            console.log(chalk5.gray("    - ") + chalk5.cyan(flow.name));
+          });
+          if (projectData.flows.length > 5) {
+            console.log(chalk5.gray(`    ... and ${projectData.flows.length - 5} more`));
+          }
+        }
+        console.log(chalk5.gray("  \u2022 ") + chalk5.red(`${projectData.personas.length} personas`));
+        if (projectData.personas.length > 0) {
+          projectData.personas.slice(0, 3).forEach((persona) => {
+            console.log(chalk5.gray("    - ") + chalk5.cyan(persona.name));
+          });
+          if (projectData.personas.length > 3) {
+            console.log(chalk5.gray(`    ... and ${projectData.personas.length - 3} more`));
+          }
+        }
+        console.log(chalk5.gray("  \u2022 ") + chalk5.red(`${projectData.apiKeys.length} API keys`));
+        if (projectData.apiKeys.length > 0) {
+          projectData.apiKeys.forEach((key) => {
+            console.log(chalk5.gray("    - ") + chalk5.cyan(`${key.name} (${key.key_prefix}...)`));
+          });
+        }
+        console.log(chalk5.gray("  \u2022 ") + chalk5.red(`${projectData.testRunsCount} test runs`));
+        console.log(chalk5.gray("  \u2022 ") + chalk5.red(`${projectData.insightsCount} insights`));
+        console.log(chalk5.gray("  \u2022 ") + chalk5.red("All project secrets"));
+      } else {
+        console.log(chalk5.gray("  Project: ") + chalk5.cyan(projectId ?? projectName ?? "Unknown"));
+        console.log(chalk5.gray("  \u2022 ") + chalk5.red("All flows, personas, and related data"));
+        console.log(chalk5.gray("  \u2022 ") + chalk5.red("All API keys and project secrets"));
+        console.log(chalk5.gray("  \u2022 ") + chalk5.red("All test runs and insights"));
+      }
+    }
+    console.log(chalk5.red.bold("\n\u{1F480} This deletion is PERMANENT and IRREVERSIBLE."));
+    console.log(chalk5.gray("Type the project name to confirm deletion:"));
+    const rl = createInterface2({ input: process.stdin, output: process.stdout });
+    const expectedName = projectData?.name ?? projectName ?? "CONFIRM";
+    const answer = await new Promise((resolve) => {
+      rl.question(chalk5.bold(`Enter "${expectedName}" to confirm: `), (ans) => {
+        rl.close();
+        resolve((ans || "").trim());
+      });
+    });
+    if (answer !== expectedName) {
+      console.log(chalk5.gray("Project name does not match. Deletion cancelled."));
+      process.exit(0);
+    }
+    const finalAnswer = await new Promise((resolve) => {
+      const rl2 = createInterface2({ input: process.stdin, output: process.stdout });
+      rl2.question(chalk5.red.bold("Are you absolutely sure? This cannot be undone. [type 'DELETE']: "), (ans) => {
+        rl2.close();
+        resolve((ans || "").trim());
+      });
+    });
+    if (finalAnswer !== "DELETE") {
+      console.log(chalk5.gray("Final confirmation failed. Deletion cancelled."));
+      process.exit(0);
+    }
+  }
+  console.log(chalk5.yellow("\n\u{1F5D1}\uFE0F  Starting deletion process..."));
+  const deletionSummary = {
+    localFiles: [],
+    serverData: {
+      project: null,
+      flows: 0,
+      personas: 0,
+      apiKeys: 0,
+      testRuns: 0,
+      insights: 0,
+      secrets: 0
+    }
+  };
+  if (willDeleteServer && deleteClient && resolvedProjectId) {
+    try {
+      if (projectData) {
+        deletionSummary.serverData = {
+          project: { id: projectData.id, name: projectData.name },
+          flows: projectData.flows.length,
+          personas: projectData.personas.length,
+          apiKeys: projectData.apiKeys.length,
+          testRuns: projectData.testRunsCount,
+          insights: projectData.insightsCount,
+          secrets: 0
+          // We can't easily count secrets, but they'll be deleted by cascade
+        };
+      }
+      await deleteClient.deleteProject(resolvedProjectId);
+      console.log(chalk5.green("\u2705 Deleted project and all related data on server"));
+    } catch (err) {
+      console.error(chalk5.red("\u274C Failed to delete project on server: " + (err instanceof Error ? err.message : String(err))));
+      process.exit(1);
+    }
+  }
+  if (hasWorkflow && !options["keep-github"]) {
+    await fs3.rm(workflowPath, { force: true });
+    deletionSummary.localFiles.push(GITHUB_WORKFLOW_PATH);
+    console.log(chalk5.green("\u2705 Removed ") + chalk5.cyan(GITHUB_WORKFLOW_PATH));
+  }
+  if (hasPerceoDir) {
+    await fs3.rm(perceoDir, { recursive: true, force: true });
+    deletionSummary.localFiles.push(".perceo/");
+    console.log(chalk5.green("\u2705 Removed ") + chalk5.cyan(".perceo/"));
+  }
+  console.log(chalk5.bold.green("\n\u{1F389} Perceo successfully removed from this project"));
+  console.log(chalk5.bold("\u{1F4CA} Deletion Summary:"));
+  if (deletionSummary.localFiles.length > 0) {
+    console.log(chalk5.gray("  Local files removed:"));
+    deletionSummary.localFiles.forEach((file) => {
+      console.log(chalk5.gray("    \u2022 ") + chalk5.cyan(file));
+    });
   }
+  if (deletionSummary.serverData.project) {
+    console.log(chalk5.gray("  Server data deleted:"));
+    console.log(chalk5.gray("    \u2022 Project: ") + chalk5.cyan(deletionSummary.serverData.project.name));
+    console.log(chalk5.gray("    \u2022 Flows: ") + chalk5.red(deletionSummary.serverData.flows.toString()));
+    console.log(chalk5.gray("    \u2022 Personas: ") + chalk5.red(deletionSummary.serverData.personas.toString()));
+    console.log(chalk5.gray("    \u2022 API Keys: ") + chalk5.red(deletionSummary.serverData.apiKeys.toString()));
+    console.log(chalk5.gray("    \u2022 Test Runs: ") + chalk5.red(deletionSummary.serverData.testRuns.toString()));
+    console.log(chalk5.gray("    \u2022 Insights: ") + chalk5.red(deletionSummary.serverData.insights.toString()));
+    console.log(chalk5.gray("    \u2022 Project secrets and all related data"));
+  }
+  console.log(chalk5.gray("\nTo set up Perceo again, run: ") + chalk5.cyan("perceo init"));
 });
-// src/commands/ci.ts
-import { Command as Command3 } from "commander";
-import chalk3 from "chalk";
+// src/commands/analyze.ts
+import { Command as Command4 } from "commander";
+import chalk6 from "chalk";
 import ora3 from "ora";
-import { ObserverEngine as ObserverEngine3 } from "@perceo/observer-engine";
-var ci = new Command3("ci").description("CI / PR analysis and testing");
-ci.command("analyze").description("Analyze changes between two Git refs and report affected flows").requiredOption("--base <sha>", "Base Git ref / SHA").requiredOption("--head <sha>", "Head Git ref / SHA").option("--project-dir <dir>", "Project directory (defaults to process.cwd())").option("--json", "Print machine-readable JSON output", false).action(async (options) => {
-  const projectRoot = options.projectDir ? options.projectDir : process.cwd();
-  const spinner = ora3("Analyzing changes with Perceo Observer Engine...").start();
+import path6 from "path";
+import { computeChangeAnalysis } from "@perceo/observer-engine";
+var analyzeCommand = new Command4("analyze").description("Analyze git diff to find affected flows").requiredOption("--base <sha>", "Base Git ref (e.g., main, origin/main, commit SHA)").option("--head <sha>", "Head Git ref (default: HEAD)", "HEAD").option("--project-dir <dir>", "Project directory", process.cwd()).option("--json", "Output JSON for CI integration", false).action(async (options) => {
+  const projectRoot = path6.resolve(options.projectDir ?? process.cwd());
+  const spinner = ora3("Analyzing changes...").start();
   try {
-    const rawConfig = await loadConfig({ projectDir: projectRoot });
-    const observerConfig = {
-      observer: rawConfig.observer,
-      flowGraph: rawConfig.flowGraph,
-      eventBus: rawConfig.eventBus
-    };
-    const engine = new ObserverEngine3(observerConfig);
-    const report = await engine.analyzeChanges({
-      baseSha: options.base,
-      headSha: options.head,
-      projectRoot
+    const { client, projectId, projectName } = await ensureProjectAccess({ projectDir: projectRoot });
+    spinner.text = "Computing git diff...";
+    const baseSha = options.base;
+    const headSha = options.head ?? "HEAD";
+    const analysis = await computeChangeAnalysis(projectRoot, baseSha, headSha);
+    if (analysis.files.length === 0) {
+      spinner.succeed("No changes found");
+      if (options.json) {
+        console.log(JSON.stringify({ flows: [], changes: [], riskLevel: "low", riskScore: 0 }, null, 2));
+      } else {
+        console.log(chalk6.green("\n\u2713 No files changed between the commits"));
+      }
+      return;
+    }
+    spinner.text = "Matching against flows...";
+    const flows = await client.getFlows(projectId);
+    if (flows.length === 0) {
+      spinner.warn("No flows found");
+      console.log(chalk6.yellow("\nNo flows have been discovered yet. Run `perceo init` to discover flows."));
+      return;
+    }
+    const affectedFlows = matchAffectedFlows(flows, analysis.files);
+    spinner.text = "Storing analysis...";
+    const codeChange = await client.createCodeChange({
+      project_id: projectId,
+      base_sha: baseSha,
+      head_sha: headSha,
+      files: analysis.files.map((f) => ({
+        path: f.path,
+        status: f.status
+      }))
+    });
+    const riskScore = calculateOverallRisk(affectedFlows);
+    const riskLevel = getRiskLevel(riskScore);
+    await client.updateCodeChangeAnalysis(codeChange.id, {
+      risk_level: riskLevel,
+      risk_score: riskScore,
+      affected_flow_ids: affectedFlows.map((f) => f.flow.id)
     });
+    if (affectedFlows.length > 0) {
+      await client.markFlowsAffected(
+        affectedFlows.map((f) => f.flow.id),
+        codeChange.id,
+        riskScore * 0.2
+      );
+    }
     spinner.succeed("Analysis complete");
+    const result = {
+      projectId,
+      projectName,
+      baseSha,
+      headSha,
+      flows: affectedFlows.map((f) => ({
+        id: f.flow.id,
+        name: f.flow.name,
+        priority: f.flow.priority,
+        riskScore: f.riskScore,
+        confidence: f.confidence,
+        matchedFiles: f.matchedFiles
+      })),
+      changes: analysis.files,
+      riskLevel,
+      riskScore,
+      createdAt: Date.now()
+    };
     if (options.json) {
-      process.stdout.write(JSON.stringify(report, null, 2) + "\n");
-      return;
+      console.log(JSON.stringify(result, null, 2));
+    } else {
+      printResults(result);
     }
-    console.log();
-    console.log(chalk3.bold("Change: ") + `${report.baseSha}...${report.headSha}`);
-    console.log(chalk3.bold("Flows affected: ") + report.flows.length);
-    if (report.flows.length > 0) {
-      console.log();
-      for (const flow of report.flows) {
-        const risk = flow.riskScore.toFixed(2);
-        const confidence = (flow.confidence * 100).toFixed(0) + "%";
-        const priority = flow.priority ? ` [${flow.priority}]` : "";
-        console.log(`- ${chalk3.cyan(flow.name)}${priority} (risk=${risk}, confidence=${confidence})`);
+  } catch (error) {
+    spinner.fail("Analysis failed");
+    console.error(chalk6.red(error instanceof Error ? error.message : "Unknown error"));
+    process.exit(1);
+  }
+});
+function matchAffectedFlows(flows, changedFiles) {
+  const affected = [];
+  for (const flow of flows) {
+    const matchedFiles = [];
+    let maxConfidence = 0;
+    for (const file of changedFiles) {
+      const confidence = calculateMatchConfidence(flow, file.path);
+      if (confidence > 0.3) {
+        matchedFiles.push(file.path);
+        maxConfidence = Math.max(maxConfidence, confidence);
       }
     }
-    if (report.changes.length > 0) {
-      console.log();
-      console.log(chalk3.bold("Files changed:"));
-      for (const file of report.changes) {
-        console.log(`- [${file.status}] ${file.path}`);
+    if (matchedFiles.length > 0) {
+      affected.push({
+        flow,
+        riskScore: calculateFlowRisk(flow, matchedFiles, changedFiles),
+        confidence: maxConfidence,
+        matchedFiles
+      });
+    }
+  }
+  return affected.sort((a, b) => b.riskScore - a.riskScore);
+}
+function calculateMatchConfidence(flow, filePath) {
+  const normalizedPath = filePath.toLowerCase();
+  const flowName = flow.name.toLowerCase();
+  if (flow.entry_point) {
+    const entryNormalized = flow.entry_point.toLowerCase().replace(/\//g, "");
+    if (normalizedPath.includes(entryNormalized)) {
+      return 0.9;
+    }
+  }
+  const keywords = flowName.split(/[\s-_]+/).filter((k) => k.length > 2);
+  for (const keyword of keywords) {
+    if (normalizedPath.includes(keyword)) {
+      return 0.7;
+    }
+  }
+  const graphData = flow.graph_data;
+  if (graphData) {
+    const allRefs = [...graphData.components ?? [], ...graphData.pages ?? []];
+    for (const ref of allRefs) {
+      if (normalizedPath.includes(ref.toLowerCase())) {
+        return 0.8;
       }
     }
+  }
+  return 0;
+}
+function calculateFlowRisk(flow, matchedFiles, allChanges) {
+  const priorityWeight = {
+    critical: 1,
+    high: 0.75,
+    medium: 0.5,
+    low: 0.25
+  };
+  const baseRisk = priorityWeight[flow.priority] ?? 0.5;
+  const fileRatio = matchedFiles.length / Math.max(allChanges.length, 1);
+  return Math.min(1, baseRisk + fileRatio * 0.3);
+}
+function calculateOverallRisk(affected) {
+  if (affected.length === 0) return 0;
+  let totalWeight = 0;
+  let weightedRisk = 0;
+  for (const a of affected) {
+    const weight = a.flow.priority === "critical" ? 2 : a.flow.priority === "high" ? 1.5 : 1;
+    totalWeight += weight;
+    weightedRisk += a.riskScore * weight;
+  }
+  return Math.min(1, weightedRisk / totalWeight);
+}
+function getRiskLevel(score) {
+  if (score >= 0.8) return "critical";
+  if (score >= 0.6) return "high";
+  if (score >= 0.3) return "medium";
+  return "low";
+}
+function printResults(result) {
+  console.log();
+  console.log(chalk6.bold("Project: ") + result.projectName);
+  console.log(chalk6.bold("Diff: ") + `${result.baseSha}...${result.headSha}`);
+  console.log();
+  const riskColor = result.riskLevel === "critical" ? chalk6.red : result.riskLevel === "high" ? chalk6.yellow : result.riskLevel === "medium" ? chalk6.blue : chalk6.green;
+  console.log(chalk6.bold("Overall Risk: ") + riskColor(`${result.riskLevel.toUpperCase()} (${(result.riskScore * 100).toFixed(0)}%)`));
+  console.log();
+  if (result.flows.length === 0) {
+    console.log(chalk6.green("\u2713 No flows affected by these changes"));
+  } else {
+    console.log(chalk6.bold(`${result.flows.length} flow(s) affected:`));
+    console.log();
+    for (const flow of result.flows) {
+      const riskColor2 = flow.riskScore > 0.7 ? chalk6.red : flow.riskScore > 0.4 ? chalk6.yellow : chalk6.green;
+      const priorityColor = flow.priority === "critical" ? chalk6.red : flow.priority === "high" ? chalk6.yellow : chalk6.gray;
+      const risk = (flow.riskScore * 100).toFixed(0);
+      const confidence = (flow.confidence * 100).toFixed(0);
+      console.log(`  ${chalk6.cyan(flow.name)} ${priorityColor(`[${flow.priority}]`)}`);
+      console.log(`     Risk: ${riskColor2(`${risk}%`)}  Confidence: ${confidence}%`);
+      console.log(`     Matched: ${chalk6.gray(flow.matchedFiles.slice(0, 3).join(", "))}${flow.matchedFiles.length > 3 ? ` (+${flow.matchedFiles.length - 3})` : ""}`);
+    }
+  }
+  console.log();
+  console.log(chalk6.bold(`${result.changes.length} file(s) changed:`));
+  const maxShow = 10;
+  for (const file of result.changes.slice(0, maxShow)) {
+    const icon = file.status === "added" ? chalk6.green("+") : file.status === "deleted" ? chalk6.red("-") : chalk6.yellow("~");
+    console.log(`  ${icon} ${file.path}`);
+  }
+  if (result.changes.length > maxShow) {
+    console.log(chalk6.gray(`  ... and ${result.changes.length - maxShow} more`));
+  }
+  console.log();
+  if (result.riskLevel === "critical" || result.riskLevel === "high") {
+    console.log(chalk6.red(`\u26A0\uFE0F  High-risk changes detected. Recommend running tests for affected flows.`));
+  } else if (result.flows.length > 0) {
+    console.log(chalk6.yellow(`\u2139\uFE0F  ${result.flows.length} flow(s) may be affected. Consider testing them.`));
+  } else {
+    console.log(chalk6.green(`\u2713 Low risk - no critical flows affected.`));
+  }
+}
+// src/commands/keys.ts
+import { Command as Command5 } from "commander";
+import chalk7 from "chalk";
+import ora4 from "ora";
+var keysCommand = new Command5("keys").description("Manage project API keys for CI/CD authentication");
+keysCommand.command("list").description("List all API keys for the current project").option("-a, --all", "Include revoked and expired keys", false).action(async (options) => {
+  const spinner = ora4("Loading API keys...").start();
+  try {
+    const { client, projectId } = await ensureProjectAccess();
+    const keys = options.all ? await client.getApiKeys(projectId) : await client.getActiveApiKeys(projectId);
+    spinner.stop();
+    if (keys.length === 0) {
+      console.log(chalk7.yellow("No API keys found."));
+      console.log(chalk7.gray("Create one with: perceo keys create --name <name>"));
+      return;
+    }
+    console.log(chalk7.bold("\nAPI Keys:\n"));
+    console.log(chalk7.gray("\u2500".repeat(80)));
+    for (const key of keys) {
+      const status = getKeyStatus(key);
+      const statusColor = status === "active" ? chalk7.green : status === "expired" ? chalk7.yellow : chalk7.red;
+      console.log(`  ${chalk7.bold(key.name)}`);
+      console.log(`    Prefix: ${chalk7.cyan(key.key_prefix)}...`);
+      console.log(`    Status: ${statusColor(status)}`);
+      console.log(`    Scopes: ${chalk7.gray(key.scopes.join(", "))}`);
+      console.log(`    Created: ${chalk7.gray(formatDate(key.created_at))}`);
+      if (key.last_used_at) {
+        console.log(`    Last used: ${chalk7.gray(formatDate(key.last_used_at))}`);
+      }
+      if (key.expires_at) {
+        console.log(`    Expires: ${chalk7.gray(formatDate(key.expires_at))}`);
+      }
+      console.log(chalk7.gray("\u2500".repeat(80)));
+    }
+    console.log(chalk7.gray(`
+Total: ${keys.length} key(s)`));
   } catch (error) {
-    spinner.fail("Analysis failed");
-    console.error(chalk3.red(error instanceof Error ? error.message : "Unknown error"));
+    spinner.fail("Failed to load API keys");
+    console.error(chalk7.red(error instanceof Error ? error.message : "Unknown error"));
+    process.exit(1);
+  }
+});
+keysCommand.command("create").description("Create a new API key").requiredOption("-n, --name <name>", "Name for the API key (e.g., 'github-actions', 'jenkins')").option("-s, --scopes <scopes>", "Comma-separated list of scopes", "ci:analyze,ci:test,flows:read,insights:read,events:publish").option("-e, --expires <days>", "Number of days until expiration (default: never)").action(async (options) => {
+  const spinner = ora4("Creating API key...").start();
+  try {
+    const { client, projectId } = await ensureProjectAccess({ requireAdmin: true });
+    const scopes = options.scopes.split(",").map((s) => s.trim());
+    const expiresAt = options.expires ? new Date(Date.now() + parseInt(options.expires, 10) * 24 * 60 * 60 * 1e3) : void 0;
+    const { key, keyRecord } = await client.createApiKey(projectId, {
+      name: options.name,
+      scopes,
+      expiresAt
+    });
+    spinner.succeed("API key created successfully!");
+    console.log("\n" + chalk7.bold.green("New API Key:"));
+    console.log(chalk7.gray("\u2500".repeat(60)));
+    console.log(`  Name:    ${chalk7.bold(keyRecord.name)}`);
+    console.log(`  Prefix:  ${chalk7.cyan(keyRecord.key_prefix)}...`);
+    console.log(`  Scopes:  ${chalk7.gray(scopes.join(", "))}`);
+    if (expiresAt) {
+      console.log(`  Expires: ${chalk7.gray(formatDate(expiresAt.toISOString()))}`);
+    }
+    console.log(chalk7.gray("\u2500".repeat(60)));
+    console.log("\n" + chalk7.bold.yellow("  API Key (copy this now - shown only once):"));
+    console.log("\n  " + chalk7.green(key));
+    console.log("\n" + chalk7.gray("\u2500".repeat(60)));
+    console.log(chalk7.gray("\n  Add this as a secret in your CI environment:"));
+    console.log(chalk7.gray("  - GitHub: Settings \u2192 Secrets \u2192 PERCEO_API_KEY"));
+    console.log(chalk7.gray("  - GitLab: Settings \u2192 CI/CD \u2192 Variables"));
+    console.log(chalk7.gray("  - Other: Set PERCEO_API_KEY environment variable\n"));
+  } catch (error) {
+    spinner.fail("Failed to create API key");
+    console.error(chalk7.red(error instanceof Error ? error.message : "Unknown error"));
+    process.exit(1);
+  }
+});
+keysCommand.command("revoke").description("Revoke an API key").argument("<prefix>", "Key prefix to revoke (e.g., prc_abc12345)").option("-r, --reason <reason>", "Reason for revocation").action(async (prefix, options) => {
+  const spinner = ora4("Revoking API key...").start();
+  try {
+    const { client, projectId } = await ensureProjectAccess({ requireAdmin: true });
+    const keys = await client.getApiKeys(projectId);
+    const keyToRevoke = keys.find((k) => k.key_prefix === prefix || k.key_prefix.startsWith(prefix));
+    if (!keyToRevoke) {
+      spinner.fail(`No key found with prefix: ${prefix}`);
+      console.log(chalk7.gray("Run 'perceo keys list' to see available keys."));
+      process.exit(1);
+    }
+    if (keyToRevoke.revoked_at) {
+      spinner.fail(`Key ${keyToRevoke.name} is already revoked.`);
+      process.exit(1);
+    }
+    await client.revokeApiKey(keyToRevoke.id, { reason: options.reason });
+    spinner.succeed(`API key "${keyToRevoke.name}" revoked successfully!`);
+    console.log(chalk7.gray("\nThe key can no longer be used for authentication."));
+  } catch (error) {
+    spinner.fail("Failed to revoke API key");
+    console.error(chalk7.red(error instanceof Error ? error.message : "Unknown error"));
     process.exit(1);
   }
 });
-var ciCommand = ci;
+function getKeyStatus(key) {
+  if (key.revoked_at) return "revoked";
+  if (key.expires_at && new Date(key.expires_at) < /* @__PURE__ */ new Date()) return "expired";
+  return "active";
+}
+function formatDate(dateStr) {
+  const date = new Date(dateStr);
+  return date.toLocaleDateString("en-US", {
+    year: "numeric",
+    month: "short",
+    day: "numeric",
+    hour: "2-digit",
+    minute: "2-digit"
+  });
+}
 // src/index.ts
-var program = new Command4();
+var originalEmit = process.emit.bind(process);
+process.emit = function(event, ...args) {
+  const warning = args[0];
+  if (event === "warning" && warning && typeof warning === "object" && "name" in warning && warning.name === "DeprecationWarning" && "message" in warning && typeof warning.message === "string" && (warning.message.includes("url.parse()") || warning.code === "DEP0169")) {
+    return true;
+  }
+  return originalEmit.apply(process, [event, ...args]);
+};
+var program = new Command6();
 program.name("perceo").description("Intelligent regression testing through multi-agent simulation").version("0.1.0");
+program.addCommand(loginCommand);
+program.addCommand(logoutCommand);
 program.addCommand(initCommand);
-program.addCommand(watchCommand);
-program.addCommand(ciCommand);
+program.addCommand(delCommand);
+program.addCommand(analyzeCommand);
+program.addCommand(keysCommand);
 program.parse();