@startanaicompany/cli 1.4.21 → 1.6.0

package/.claude/settings.local.json

@@ -0,0 +1,10 @@
+{
+  "permissions": {
+    "allow": [
+      "mcp__hive__send_direct_message",
+      "mcp__hive__hive"
+    ],
+    "deny": [],
+    "ask": []
+  }
+}

package/CLAUDE.md

@@ -146,16 +146,28 @@ Uses Commander.js to define:
 5. All subsequent API requests include X-Session-Token header
 6. Token expires after 1 year → user must login again
 
-**API Key Flow (CI/CD & Scripts):**
-1. User logs in with email + API key → API returns session token
-2. Environment variable `SAAC_API_KEY` can override stored credentials
-3. Useful for automation, scripts, and CI/CD pipelines
+**Auto-Login Flow (CI/CD & Automation):**
+1. User sets `SAAC_USER_API_KEY` and `SAAC_USER_EMAIL` environment variables
+2. Any command checks `ensureAuthenticated()` instead of `isAuthenticated()`
+3. If not logged in, `ensureAuthenticated()` checks for env vars
+4. If both present, automatically calls login API
+5. Session token saved to config, cached for subsequent commands
+6. Subsequent commands use cached session (fast path, no API call)
 
 **Authentication Priority:**
 ```javascript
-// In api.js createClient()
+// In commands (e.g., deploy.js, list.js, etc.)
+if (!(await ensureAuthenticated())) {
+  // Not logged in and auto-login failed
+  logger.error('Not logged in');
+  logger.info('Run: saac login -e <email> -k <api-key>');
+  logger.info('Or set: SAAC_USER_API_KEY and SAAC_USER_EMAIL');
+  process.exit(1);
+}
+
+// In api.js createClient() - Header priority:
 if (process.env.SAAC_API_KEY) {
-  headers['X-API-Key'] = SAAC_API_KEY;  // 1st priority
+  headers['X-API-Key'] = SAAC_API_KEY;  // 1st priority (legacy)
 } else if (user.sessionToken) {
   headers['X-Session-Token'] = sessionToken;  // 2nd priority
 } else if (user.apiKey) {
@@ -163,6 +175,11 @@ if (process.env.SAAC_API_KEY) {
 }
 ```
 
+**Environment Variables:**
+- `SAAC_USER_API_KEY` - API key for auto-login (NEW)
+- `SAAC_USER_EMAIL` - Email for auto-login (NEW)
+- `SAAC_API_KEY` - Legacy API key (used directly in API headers, bypasses login)
+
 ### Application Lifecycle
 
 1. **Create/Init** → applicationUuid saved to `.saac/config.json`
@@ -205,10 +222,53 @@ The CLI now uses session tokens instead of storing permanent API keys:
 ```
 
 **Token Validation Functions** (in `config.js`):
-- `isAuthenticated()` - Checks if user has valid, non-expired token
+- `isAuthenticated()` - Checks if user has valid, non-expired token (synchronous)
+- `ensureAuthenticated()` - **NEW**: Checks authentication + auto-login via env vars (async)
 - `isTokenExpired()` - Checks if session token has expired
 - `isTokenExpiringSoon()` - Checks if token expires within 7 days
 
+**ensureAuthenticated() Function:**
+```javascript
+async function ensureAuthenticated() {
+  // Step 1: Check if already authenticated (fast path)
+  if (isAuthenticated()) {
+    return true;
+  }
+
+  // Step 2: Check for environment variables
+  const apiKey = process.env.SAAC_USER_API_KEY;
+  const email = process.env.SAAC_USER_EMAIL;
+
+  if (!apiKey || !email) {
+    return false; // No env vars - cannot auto-login
+  }
+
+  // Step 3: Attempt auto-login via API
+  try {
+    const api = require('./api');
+    const result = await api.login(email, apiKey);
+
+    // Step 4: Save session token to config
+    saveUser({
+      email: result.user.email,
+      userId: result.user.id,
+      sessionToken: result.session_token,
+      expiresAt: result.expires_at,
+      verified: result.user.verified,
+    });
+
+    return true; // Auto-login successful
+  } catch (error) {
+    return false; // Auto-login failed
+  }
+}
+```
+
+**When to use:**
+- Use `ensureAuthenticated()` in ALL non-auth commands (deploy, list, create, etc.)
+- Use `isAuthenticated()` only when you don't want auto-login behavior
+- Commands that should NOT use `ensureAuthenticated()`: login, logout, register, verify
+
 **Backend Requirements:**
 - `POST /auth/login` - Accepts `X-API-Key` + email, returns session token
 - Middleware must accept both `X-Session-Token` and `X-API-Key` headers

package/README.md

@@ -272,6 +272,259 @@ saac whoami
 
 ---
 
+## Environment Variables for CI/CD
+
+The SAAC CLI supports **automatic authentication** via environment variables, perfect for CI/CD pipelines, Docker containers, and automation scripts.
+
+### How It Works
+
+When you run any SAAC command:
+1. CLI checks if you're already logged in (session token exists)
+2. If not logged in, checks for `SAAC_USER_API_KEY` and `SAAC_USER_EMAIL` environment variables
+3. If both are present, **automatically logs in** via API
+4. Session token is cached for subsequent commands (same performance as manual login)
+
+### Required Environment Variables
+
+- `SAAC_USER_API_KEY` - Your API key (format: `cw_...`)
+- `SAAC_USER_EMAIL` - Your email address
+
+**Both variables must be set** for auto-login to work.
+
+### Usage Examples
+
+#### GitHub Actions
+
+```yaml
+name: Deploy to SAAC
+on:
+  push:
+    branches: [main]
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Install SAAC CLI
+        run: npm install -g @startanaicompany/cli
+
+      - name: Deploy Application
+        env:
+          SAAC_USER_API_KEY: ${{ secrets.SAAC_API_KEY }}
+          SAAC_USER_EMAIL: ${{ secrets.SAAC_EMAIL }}
+        run: |
+          saac deploy
+          saac logs --deployment
+```
+
+**Setup:**
+1. Go to your repo → Settings → Secrets → Actions
+2. Add `SAAC_API_KEY` with your API key
+3. Add `SAAC_EMAIL` with your email address
+
+#### GitLab CI/CD
+
+```yaml
+deploy:
+  stage: deploy
+  image: node:18
+  variables:
+    SAAC_USER_API_KEY: $CI_SAAC_API_KEY
+    SAAC_USER_EMAIL: $CI_SAAC_EMAIL
+  script:
+    - npm install -g @startanaicompany/cli
+    - saac deploy
+    - saac logs --deployment
+  only:
+    - main
+```
+
+**Setup:**
+1. Go to your project → Settings → CI/CD → Variables
+2. Add `CI_SAAC_API_KEY` (protected, masked)
+3. Add `CI_SAAC_EMAIL`
+
+#### Docker
+
+```dockerfile
+FROM node:18
+
+# Install SAAC CLI
+RUN npm install -g @startanaicompany/cli
+
+# Set environment variables (use build args for security)
+ARG SAAC_API_KEY
+ARG SAAC_EMAIL
+ENV SAAC_USER_API_KEY=$SAAC_API_KEY
+ENV SAAC_USER_EMAIL=$SAAC_EMAIL
+
+# Your application code
+WORKDIR /app
+COPY . .
+
+# Deploy on container startup
+CMD ["sh", "-c", "saac deploy && npm start"]
+```
+
+**Build with secrets:**
+```bash
+docker build \
+  --build-arg SAAC_API_KEY=cw_your_key \
+  --build-arg SAAC_EMAIL=your@email.com \
+  -t my-app .
+```
+
+#### Local Shell Script
+
+```bash
+#!/bin/bash
+set -e
+
+# Set environment variables
+export SAAC_USER_API_KEY=cw_your_api_key_here
+export SAAC_USER_EMAIL=your@email.com
+
+# Run SAAC commands
+saac deploy
+saac logs --deployment
+saac status
+
+echo "Deployment complete!"
+```
+
+#### With .env File (Local Development)
+
+Create `.env` file (**add to `.gitignore`!**):
+```bash
+SAAC_USER_API_KEY=cw_your_api_key_here
+SAAC_USER_EMAIL=your@email.com
+```
+
+Use with a script:
+```bash
+#!/bin/bash
+# Load .env file
+set -a
+source .env
+set +a
+
+# Run SAAC commands
+saac list
+saac status
+```
+
+### Security Best Practices
+
+✅ **DO:**
+- Store API keys in secrets management (GitHub Secrets, GitLab Variables, AWS Secrets Manager, etc.)
+- Use environment variables for automation
+- Add `.env` files to `.gitignore`
+- Rotate API keys periodically with `saac keys regenerate`
+- Use different API keys for different environments (dev, staging, prod)
+- Set secrets as "protected" and "masked" in CI/CD systems
+
+❌ **DON'T:**
+- Commit API keys to version control
+- Share API keys in plain text (Slack, email, etc.)
+- Hardcode API keys in scripts or Dockerfiles
+- Use the same API key across multiple teams/projects
+- Log API keys in CI/CD output
+
+### How It Differs from Manual Login
+
+| Feature | Manual Login | Auto-Login (Env Vars) |
+|---------|--------------|----------------------|
+| Session token created | ✅ Yes | ✅ Yes |
+| Session cached locally | ✅ Yes | ✅ Yes |
+| Session expires | ✅ 1 year | ✅ 1 year |
+| Requires user interaction | ❌ No (after first login) | ✅ Fully automated |
+| Perfect for CI/CD | ⚠️ Requires manual setup | ✅ Native support |
+| Performance | ⚡ Fast (cached) | ⚡ Fast (cached after first auto-login) |
+
+### Troubleshooting
+
+**"Not logged in" despite setting environment variables:**
+- Verify both `SAAC_USER_API_KEY` and `SAAC_USER_EMAIL` are set:
+  ```bash
+  echo $SAAC_USER_API_KEY
+  echo $SAAC_USER_EMAIL
+  ```
+- Ensure API key is valid (not revoked or expired)
+- Check API key format starts with `cw_`
+- Try logging in manually to verify credentials work:
+  ```bash
+  saac login -e $SAAC_USER_EMAIL -k $SAAC_USER_API_KEY
+  ```
+
+**Environment variables not being read:**
+- Make sure variables are exported: `export SAAC_USER_API_KEY=...`
+- Check for typos in variable names (must be exact)
+- In Docker, ensure ENV is set or use build args correctly
+- In CI/CD, verify secrets are configured correctly
+
+**Security concerns:**
+- Never print environment variables in logs: `echo $SAAC_USER_API_KEY` ❌
+- Use masked/protected secrets in CI/CD systems
+- Regenerate API key if accidentally exposed: `saac keys regenerate`
+- Monitor active sessions: `saac sessions`
+
+### Example: Complete CI/CD Workflow
+
+```yaml
+name: Full Deployment Workflow
+on:
+  push:
+    branches: [main, staging]
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v3
+        with:
+          node-version: '18'
+
+      - name: Install Dependencies
+        run: npm install
+
+      - name: Run Tests
+        run: npm test
+
+      - name: Install SAAC CLI
+        run: npm install -g @startanaicompany/cli
+
+      - name: Deploy to SAAC
+        env:
+          SAAC_USER_API_KEY: ${{ secrets.SAAC_API_KEY }}
+          SAAC_USER_EMAIL: ${{ secrets.SAAC_EMAIL }}
+        run: |
+          # Auto-login happens automatically!
+          saac deploy
+
+          # Wait for deployment to complete (built-in timeout)
+          echo "Deployment finished!"
+
+      - name: Check Application Status
+        env:
+          SAAC_USER_API_KEY: ${{ secrets.SAAC_API_KEY }}
+          SAAC_USER_EMAIL: ${{ secrets.SAAC_EMAIL }}
+        run: |
+          saac status
+          saac logs --deployment | tail -20
+
+      - name: Notify on Failure
+        if: failure()
+        run: |
+          echo "Deployment failed! Check logs with: saac logs --deployment"
+```
+
+---
+
 ## Git OAuth
 
 SAAC CLI uses **OAuth-only authentication** for Git access. You must connect your Git account before creating applications.
@@ -374,6 +627,141 @@ saac git disconnect git.startanaicompany.com
 - Existing applications continue to work
 - New applications will require reconnection
 
+### `saac git repos <host>`
+
+List repositories from a connected Git host.
+
+```bash
+# Basic usage
+saac git repos git.startanaicompany.com
+saac git repos github.com
+
+# Include latest commit information
+saac git repos github.com --commits
+
+# Filter by visibility
+saac git repos github.com --visibility private
+saac git repos github.com --visibility public
+
+# With pagination
+saac git repos github.com --page 2 --per-page 10
+
+# Sort repositories
+saac git repos github.com --sort created
+saac git repos github.com --sort name
+
+# JSON output for scripting
+saac git repos github.com --json
+
+# Combine options
+saac git repos github.com --commits --visibility private --per-page 20
+```
+
+**Options:**
+- `-p, --page <number>` - Page number for pagination (default: 1)
+- `-n, --per-page <number>` - Results per page, max 100 (default: 20)
+- `-s, --sort <type>` - Sort order: `updated`, `created`, `name` (default: `updated`)
+- `-v, --visibility <type>` - Filter: `all`, `public`, `private` (default: `all`)
+- `-c, --commits` - Include latest commit info for each repository
+- `--json` - Output as JSON for scripting
+
+**Shows:**
+- Repository name
+- Visibility (public/private)
+- Last updated timestamp
+- Default branch
+- Primary language
+- Latest commit (with `--commits` flag)
+
+**Example output (without commits):**
+```
+Repositories on git.startanaicompany.com (ryan.gogo)
+────────────────────────────────────────────────────
+
+NAME                VISIBILITY   UPDATED                BRANCH  LANGUAGE
+mysimpleflowershop  private      1/27/2026, 12:52:18 AM master  JavaScript
+api-server          private      1/26/2026, 8:30:00 PM  main    TypeScript
+landing-page        public       1/25/2026, 3:15:00 PM  master  HTML
+
+Showing 3 repositories (page 1)
+```
+
+**Example output (with `--commits`):**
+```
+Repositories on git.startanaicompany.com (ryan.gogo)
+────────────────────────────────────────────────────
+
+NAME                VISIBILITY   LAST COMMIT
+mysimpleflowershop  private      4b2c63f Initial commit - Simple Flower (3d ago)
+api-server          private      a90373d Add user authentication (1d ago)
+landing-page        public       f1e2d3c Update homepage design (5h ago)
+
+Showing 3 repositories (page 1)
+```
+
+**JSON output:**
+```bash
+$ saac git repos github.com --json
+
+{
+  "success": true,
+  "git_host": "github.com",
+  "username": "johndoe",
+  "provider_type": "github",
+  "repositories": [
+    {
+      "name": "my-app",
+      "fullName": "johndoe/my-app",
+      "description": "A cool application",
+      "private": false,
+      "sshUrl": "git@github.com:johndoe/my-app.git",
+      "cloneUrl": "https://github.com/johndoe/my-app.git",
+      "htmlUrl": "https://github.com/johndoe/my-app",
+      "defaultBranch": "main",
+      "updatedAt": "2026-01-30T12:00:00Z",
+      "language": "JavaScript",
+      "latestCommit": {
+        "sha": "abc1234",
+        "message": "Fix authentication bug",
+        "author": "John Doe",
+        "date": "2026-01-30T11:30:00Z"
+      }
+    }
+  ],
+  "count": 1,
+  "page": 1,
+  "per_page": 100
+}
+```
+
+**Use Cases:**
+- Browse available repositories before creating an application
+- Find repository SSH URLs for `saac create` command
+- Check latest commits without visiting Git provider
+- Script repository discovery and automation
+- Filter personal vs organization repositories
+
+**Performance Notes:**
+- Without `--commits`: Fast (single API call)
+- With `--commits`: Slower (fetches commit info for each repo in parallel)
+- Use `--commits` only when you need commit information
+
+**Example Workflow:**
+```bash
+# 1. Connect to Git host
+saac git connect github.com
+
+# 2. List your repositories
+saac git repos github.com
+
+# 3. Find the repository you want to deploy
+saac git repos github.com --visibility private
+
+# 4. Copy the SSH URL from the output
+# 5. Create application with that repository
+saac create my-app -s myapp -r git@github.com:username/my-app.git
+```
+
 ---
 
 ## Application Management
@@ -392,31 +780,78 @@ saac init
 - Have an existing project
 - Want to manage an application from a different directory
 
-**What it does:**
-1. Fetches all your SAAC applications
-2. Shows interactive list to select from
-3. Saves selected application info to `.saac/config.json`
-4. Now you can use `saac deploy`, `saac logs`, etc.
+**Smart Auto-Detection (NEW!):**
+
+If you're in a Git repository, `saac init` automatically detects the remote URL and matches it to your applications:
 
-**Example:**
 ```bash
+$ cd mysimpleflowershop
 $ saac init
 
-Select Application
-──────────────────
+Initialize SAAC Project
+───────────────────────
 
-? Which application do you want to link to this directory?
-  ❯ mysimpleflowershop (mysimpleflowershop.startanaicompany.com)
-    api-server (api.startanaicompany.com)
-    landing-page (landing.startanaicompany.com)
+✓ Found 3 application(s)
+
+ℹ Auto-detected Git repository: git@git.startanaicompany.com:ryan.gogo/mysimpleflowershop.git
+
+  Matched Application: mysimpleflowershop
+  Domain: mysimpleflowershop.startanaicompany.com
+  Status: running:healthy
+
+? Link this application to the current directory? (Y/n) Yes
+
+✓ Project initialized!
+
+  Application: mysimpleflowershop
+  UUID: abc123-def456...
+  Domain: mysimpleflowershop.startanaicompany.com
+  Status: running:healthy
+
+You can now use:
+  saac deploy              Deploy your application
+  saac logs --follow       View deployment logs
+  saac status              Check application status
+  saac update --port 8080  Update configuration
+```
 
-✓ Application linked successfully!
+**How Auto-Detection Works:**
+1. Reads Git remote URL from `.git/config`
+2. Normalizes both Git remote and application repositories
+3. Matches against your applications automatically
+4. Asks for confirmation (defaults to Yes)
+5. Falls back to manual selection if no match found or if you decline
 
-ℹ Configuration saved to .saac/config.json
-ℹ You can now use:
-  saac deploy    - Deploy application
-  saac logs      - View logs
-  saac status    - Check status
+**Supports:**
+- SSH URLs: `git@github.com:user/repo.git`
+- HTTPS URLs: `https://github.com/user/repo.git`
+- With or without `.git` suffix
+- Case-insensitive matching
+
+**Manual Selection (fallback):**
+
+If not in a Git repository or no match found, shows interactive list:
+
+```bash
+$ saac init
+
+? Select application to link to this directory:
+  ❯ mysimpleflowershop - mysimpleflowershop.startanaicompany.com (running:healthy)
+    api-server - api.startanaicompany.com (running:healthy)
+    landing-page - landing.startanaicompany.com (stopped)
+```
+
+**What it saves:**
+
+Creates `.saac/config.json` in current directory:
+```json
+{
+  "applicationUuid": "abc123-def456...",
+  "applicationName": "mysimpleflowershop",
+  "subdomain": "mysimpleflowershop",
+  "domainSuffix": "startanaicompany.com",
+  "gitRepository": "git@git.startanaicompany.com:ryan.gogo/mysimpleflowershop.git"
+}
 ```
 
 ### `saac create <name>`

package/bin/saac.js

@@ -96,12 +96,6 @@ keysCommand
   .description('Generate a new API key (invalidates old one)')
   .action(keys.regenerate);
 
-keysCommand
-  .command('show')
-  .alias('info')
-  .description('Show API key information')
-  .action(keys.show);
-
 // Git OAuth commands
 const gitCommand = program
   .command('git')
@@ -150,6 +144,7 @@ program
   // Required options
   .option('-s, --subdomain <subdomain>', 'Subdomain')
   .option('-r, --repository <url>', 'Git repository URL (SSH format)')
+  .option('--org <organization_id>', 'Organization ID (required)')
   // Basic options
   .option('-b, --branch <branch>', 'Git branch', 'master')
   .option('-d, --domain-suffix <suffix>', 'Domain suffix', 'startanaicompany.com')
@@ -231,6 +226,7 @@ program
   .option('-t, --tail <lines>', 'Number of lines to show (runtime logs only)', '100')
   .option('-f, --follow', 'Follow log output (runtime logs only)')
   .option('--since <time>', 'Show logs since timestamp (runtime logs only)')
+  .option('--type <type>', 'Filter by log type: build, runtime, access (runtime logs only)')
   .action(logs);
 
 // Local development commands

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@startanaicompany/cli",
-  "version": "1.4.21",
+  "version": "1.6.0",
   "description": "Official CLI for StartAnAiCompany.com - Deploy AI recruitment sites with ease",
   "main": "src/index.js",
   "bin": {