@suronai/cli 0.1.23 → 0.1.24

package/README.md

@@ -1,6 +1,6 @@
 # @suronai/cli
 
-CLI for Suron — configure your deployment and manage apps.
+CLI for [Suron](https://suronai.com) — encrypt your `.env`, register your app, and manage secret delivery gated by Telegram approval.
 
 ## Install
 
@@ -8,87 +8,127 @@ CLI for Suron — configure your deployment and manage apps.
 npm install -g @suronai/cli
 ```
 
+Requires Node.js 18+.
+
+---
+
+## Quick start
+
+```bash
+suron login       # point the CLI at your Suron deployment
+cd my-project
+suron init        # encrypt .env, register app, patch entry point
+```
+
+After `suron init`, both `.env` and `.suron.json` are safe to commit.
+
+---
+
 ## Commands
 
 ### `suron login`
 
-Prompts for your Convex deployment URL, verifies the backend is reachable, and saves the URL to `~/.suron-config`.
+Saves your Convex deployment URL to `~/.suron-config`. Run this once per machine.
 
 ```bash
 suron login
 ```
 
+You can also set it via environment variable instead:
+
+```bash
+export SURON_API_URL=https://your-deployment.convex.site
+```
+
+---
+
 ### `suron init`
 
-Run inside your project directory. Does everything needed to protect your app with Suron:
+Run inside your project directory. Does the full setup in one command:
 
-1. Encrypts `.env` in-place with dotenvx
-2. Registers your app in Convex (stores the encrypted private key)
-3. Installs `@suronai/sdk` into your project (detects npm / pnpm / yarn / bun)
+1. Encrypts `.env` in-place with [dotenvx](https://dotenvx.com)
+2. Registers your app with Suron (uploads the encrypted private key)
+3. Installs `@suronai/sdk` into your project
 4. Writes `.suron.json` with your app name and ID
 5. Deletes `.env.keys`
-6. Patches your entry point — replaces `dotenv` with `@suronai/sdk` (interactive, asks before changing)
+6. Detects `dotenv` in your entry point and offers to replace it with `@suronai/sdk`
 
 ```bash
 cd my-project
 suron init
 
-# optional: set a custom app name
+# set a custom app name without the interactive prompt
 suron init --name my-app
 ```
 
-After `suron init`, both `.env` and `.suron.json` are safe to commit.
+**Entry point patching**
+
+If `index.js` (or `src/index.js`) contains a `dotenv` bootstrap, `suron init` shows you exactly what will change and asks before touching anything:
 
-**What the patched entry point looks like:**
+```
+▶  Found dotenv in index.js
 
-```js
-// before
-import { config } from 'dotenv'
-config()
+  Will replace:
+    - import { config } from 'dotenv'
+    - config()
+  With:
+    + import { config } from '@suronai/sdk'
+    + await config()
 
-// after
-import { config } from '@suronai/sdk'
-await config()
+  Replace? [Y/n] ›
 ```
 
-If dotenv isn't detected, `suron init` prints the snippet to add manually.
+If dotenv isn't found, the snippet is printed for you to add manually.
+
+**Files after `suron init`**
+
+| File | Commit? | Notes |
+|---|---|---|
+| `.env` | ✅ yes | encrypted by dotenvx, no plaintext secrets |
+| `.suron.json` | ✅ yes | app name, id, api_url — no secrets |
+| `.env.keys` | ⛔ no | keep safe, add to `.gitignore` |
+| `~/.suron-config` | ⛔ no | machine-local CLI config |
+
+---
 
 ### `suron whoami`
 
-Prints the configured Convex API URL.
+Prints the configured Suron API URL.
 
 ```bash
 suron whoami
 ```
 
+---
+
 ### `suron rotate`
 
-Re-encrypts `.env` with a new private key, sends the new key to Convex, deletes `.env.keys`.
+Re-encrypts `.env` with a new private key, sends the updated key to Suron, and deletes `.env.keys`. Use this for routine key rotation or if a key may have been exposed.
 
 ```bash
 suron rotate
 ```
 
-Use this if your private key may have been compromised, or as a routine rotation.
-
 ---
 
-## Configuration
-
-The CLI reads `SURON_API_URL` from the environment first, then falls back to `~/.suron-config`.
+## How it works
 
-```bash
-# Override without running suron login:
-export SURON_API_URL=https://your-deployment.convex.site
+```
+suron init
+  └─ dotenvx encrypt .env          # encrypts secrets in-place
+  └─ POST /cli/register-app        # sends encrypted private key to Convex
+  └─ writes .suron.json            # stores app_id locally
+  └─ deletes .env.keys             # private key lives in Convex only
+
+app boot (via @suronai/sdk)
+  └─ POST /request-access          # sends boot request, triggers Telegram message
+  └─ GET  /status (polling)        # waits for Approve / Deny tap
+  └─ POST /fetch-key               # retrieves private key (single-use)
+  └─ dotenvx.parse(.env, key)      # decrypts secrets into process.env
 ```
 
 ---
 
-## Files
+## Related
 
-| File | Commit? | Notes |
-|---|---|---|
-| `.suron.json` | ✅ yes | app name + id + api_url, no secrets |
-| `.env` | ✅ yes | encrypted by dotenvx |
-| `.env.keys` | ⛔ no | deleted automatically by `suron init` |
-| `~/.suron-config` | ⛔ no | CLI config — lives on developer machine only |
+- [`@suronai/sdk`](https://www.npmjs.com/package/@suronai/sdk) — the runtime SDK your app imports

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@suronai/cli",
-  "version": "0.1.23",
+  "version": "0.1.24",
   "description": "CLI for Suron — suron login, init, whoami, rotate",
   "type": "module",
   "bin": {

package/src/commands/init.js

@@ -3,7 +3,7 @@ import { existsSync, writeFileSync, readFileSync } from "fs";
 import { join, basename } from "path";
 import { execSync } from "child_process";
 import { requireApiUrl, prompt } from "../utils/config.js";
-import { encryptDotenv, readPrivateKey, deleteKeysFile } from "../utils/dotenvx.js";
+import { encryptDotenv, readPrivateKey } from "../utils/dotenvx.js";
 import c from "../utils/colors.js";
 
 export const initCommand = new Command("init")
@@ -78,9 +78,7 @@ export const initCommand = new Command("init")
 
     const { app_id } = await res.json();
 
-    // ── Write .suron.json + clean up ──────────────────────────────────────────
-    deleteKeysFile(cwd);
-
+    // ── Write .suron.json ─────────────────────────────────────────────────────
     writeFileSync(
       join(cwd, ".suron.json"),
       JSON.stringify({ app: appName, id: app_id, api_url: apiUrl }, null, 2) + "\n",
@@ -110,13 +108,13 @@ export const initCommand = new Command("init")
       }
     }
 
-    // ── Auto-patch entry point ────────────────────────────────────────────────
+    // ── Patch entry point ─────────────────────────────────────────────────────
     await patchEntryPoint(cwd, isEsm);
 
     // ── Done ──────────────────────────────────────────────────────────────────
     console.log();
     console.log("  " + c.green("✓") + "  .env encrypted          " + c.dim("(safe to commit)"));
-    console.log("  " + c.green("✓") + "  .env.keys deleted");
+    console.log("  " + c.green("✓") + "  .env.keys kept           " + c.dim("(add to .gitignore)"));
     console.log("  " + c.green("✓") + "  .suron.json written      " + c.dim("(safe to commit)"));
     console.log("  " + c.green("✓") + "  @suronai/sdk installed");
     console.log();
@@ -146,22 +144,17 @@ function sanitiseName(name) {
 }
 
 /**
- * Looks for a dotenv bootstrap in the project entry point and offers
- * to replace it with the Suron equivalent.
- *
- * Detects both ESM and CJS patterns:
- *   ESM: import { config } from "dotenv"; config();
- *   CJS: require("dotenv").config();
+ * Scans the entry point line-by-line for any lines that reference "dotenv".
+ * Shows the user exactly what was found and what it will be replaced with,
+ * then asks for confirmation before writing.
  *
- * Replaces with the correct form based on the project type:
- *   ESM: import { config } from "@suronai/sdk"; await config();
- *   CJS: const { config } = require("@suronai/sdk"); await config();
+ * Works for any import/require pattern because it does a literal line search
+ * rather than trying to anticipate every possible dotenv usage style.
  *
  * @param {string} cwd
  * @param {boolean} isEsm
  */
 async function patchEntryPoint(cwd, isEsm) {
-  // Candidates in priority order
   const candidates = isEsm
     ? ["index.js", "index.mjs", "src/index.js", "src/index.mjs"]
     : ["index.js", "index.cjs", "src/index.js", "src/index.cjs"];
@@ -173,8 +166,7 @@ async function patchEntryPoint(cwd, isEsm) {
   }
 
   if (!entryPath) {
-    // No entry point found — just print the manual snippet
-    console.log("  Add to your app entry point:\n");
+    console.log("\n  Add to your app entry point:\n");
     printSnippet(isEsm);
     return;
   }
@@ -182,38 +174,72 @@ async function patchEntryPoint(cwd, isEsm) {
   let src;
   try { src = readFileSync(entryPath, "utf-8"); } catch { return; }
 
-  // Build regex patterns for both dotenv styles
-  const esmPattern = /^import\s+\{\s*config\s*\}\s+from\s+["']dotenv["'];?[ \t]*(?:\r?\n[ \t]*)*config\(\);?/m;
-  const cjsPattern = /^(?:const\s+)?require\(["']dotenv["']\)\.config\(\);?/m;
-  const pattern = isEsm ? esmPattern : cjsPattern;
+  const lines = src.split("\n");
 
-  const match = src.match(pattern);
+  // Find every line that references dotenv (import or require, any style)
+  const dotenvLines = [];
+  for (let i = 0; i < lines.length; i++) {
+    if (lines[i].includes("dotenv")) {
+      dotenvLines.push({ index: i, content: lines[i] });
+    }
+  }
 
-  if (!match) {
-    // dotenv not found — print manual snippet
+  if (dotenvLines.length === 0) {
     console.log("\n  Add to your app entry point:\n");
     printSnippet(isEsm);
     return;
   }
 
-  // dotenv detected — ask user
   const relEntry = entryPath.replace(cwd + "\\", "").replace(cwd + "/", "");
   console.log();
-  console.log("  " + c.yellow("▶") + "  Found " + c.cyan("dotenv") + " in " + c.dim(relEntry));
+  console.log("  " + c.yellow("▶") + "  Found dotenv in " + c.dim(relEntry) + ":");
   console.log();
-  console.log("  " + c.dim("Will replace:"));
-  console.log("    " + c.red("-") + " " + c.dim(match[0].replace(/\n/g, "\n    - ")));
-  console.log("  " + c.dim("With:"));
-  if (isEsm) {
-    console.log("    " + c.green("+") + " " + c.cyan("import") + " { config } from " + c.green("'@suronai/sdk'"));
-    console.log("    " + c.green("+") + " " + c.cyan("await") + " config()");
-  } else {
-    console.log("    " + c.green("+") + " const { config } = " + c.cyan("require") + "(" + c.green("'@suronai/sdk'") + ")");
-    console.log("    " + c.green("+") + " " + c.cyan("await") + " config()");
+
+  // For each dotenv line, compute its replacement.
+  // We preserve the original line's leading whitespace (indent) and only
+  // swap out the dotenv-specific part — nothing else on the line is touched.
+  const replacements = dotenvLines.map(({ index, content }) => {
+    const trimmed = content.trim();
+    const indent  = content.match(/^(\s*)/)[1];
+    let replacement = null;
+
+    if (isEsm) {
+      // import { config } from "dotenv"  →  import { config } from "@suronai/sdk"
+      // Preserves the quote style and anything else on the line.
+      if (trimmed.startsWith("import") && trimmed.includes("dotenv")) {
+        replacement = indent + trimmed.replace(/(from\s+)['"]dotenv['"]/, '$1"@suronai/sdk"');
+      }
+      // config();  →  await config();
+      // Only matches lines that are purely a config() call, nothing else.
+      else if (/^config\s*\(\s*\);?$/.test(trimmed)) {
+        replacement = indent + trimmed.replace(/^config\s*\(/, "await config(");
+      }
+    } else {
+      // require("dotenv").config()  →  const { config } = require("@suronai/sdk"); await config();
+      if (trimmed.includes("require") && trimmed.includes("dotenv")) {
+        replacement = indent + "const { config } = require(\"@suronai/sdk\");\n" + indent + "await config();";
+      }
+    }
+
+    // If we found a dotenv line but don't know how to replace it, show it
+    // with a warning so the user knows to handle it manually.
+    return { index, content, replacement };
+  });
+
+  // Show the diff preview
+  for (const { content, replacement } of replacements) {
+    console.log("    " + c.red("-") + "  " + c.dim(content.trim()));
+    if (replacement !== null) {
+      for (const l of replacement.split("\n")) {
+        console.log("    " + c.green("+") + "  " + c.cyan(l.trim()));
+      }
+    } else {
+      console.log("    " + c.yellow("?") + "  " + c.dim("(no automatic replacement — update manually)"));
+    }
+    console.log();
   }
-  console.log();
 
-  const answer = await prompt("  Replace? [" + c.green("Y") + "/n] › ");
+  const answer = await prompt("  Apply replacements? [" + c.green("Y") + "/n] › ");
   const confirmed = answer === "" || /^y(es)?$/i.test(answer);
 
   if (!confirmed) {
@@ -222,15 +248,35 @@ async function patchEntryPoint(cwd, isEsm) {
     return;
   }
 
-  // Perform the replacement
-  const replacement = isEsm
-    ? `import { config } from '@suronai/sdk';\nawait config();`
-    : `const { config } = require('@suronai/sdk');\nawait config();`;
+  // Apply — walk lines, replace only the matched dotenv lines, touch nothing else
+  const indexMap = new Map(replacements.map(r => [r.index, r]));
+  const outLines = lines.map((line, i) => {
+    const r = indexMap.get(i);
+    return (r && r.replacement !== null) ? r.replacement : line;
+  });
+
+  // For ESM: if await config() isn't already right after the imports, move it there
+  // automatically as part of the same patch — no second prompt needed.
+  if (isEsm) {
+    const callLineIndex = outLines.findIndex(l => /^\s*await config\s*\(\s*\);?\s*$/.test(l));
+    const lastImportIndex = outLines.reduce((last, l, i) => l.trimStart().startsWith("import ") ? i : last, -1);
+
+    if (callLineIndex !== -1 && callLineIndex !== lastImportIndex + 1 && callLineIndex !== lastImportIndex + 2) {
+      const callLine = outLines[callLineIndex];
+      // Remove from current position (and any adjacent blank line below it)
+      outLines.splice(callLineIndex, 1);
+      if (outLines[callLineIndex]?.trim() === "") outLines.splice(callLineIndex, 1);
 
-  const patched = src.replace(pattern, replacement);
+      // Re-find last import index after splice (indices shifted)
+      const newLastImport = outLines.reduce((last, l, i) => l.trimStart().startsWith("import ") ? i : last, -1);
+
+      // Insert: blank line + await config() + blank line, after last import
+      outLines.splice(newLastImport + 1, 0, "", callLine, "");
+    }
+  }
 
   try {
-    writeFileSync(entryPath, patched, "utf-8");
+    writeFileSync(entryPath, outLines.join("\n"), "utf-8");
     console.log("  " + c.green("✓") + "  " + c.dim(relEntry) + " patched");
   } catch (err) {
     console.error("  " + c.red("✗") + "  Could not write " + relEntry + ": " + err.message);

package/src/utils/dotenvx.js

@@ -1,5 +1,5 @@
 import { execSync } from "child_process";
-import { existsSync, readFileSync, unlinkSync } from "fs";
+import { existsSync, readFileSync } from "fs";
 import { join } from "path";
 
 /**
@@ -23,7 +23,7 @@ export function encryptDotenv(cwd) {
   }
 
   try {
-    const output = execSync("npx @dotenvx/dotenvx encrypt", {
+    const output = execSync("npx @dotenvx/dotenvx encrypt --force", {
       cwd,
       env,
       stdio: ["inherit", "pipe", "pipe"],
@@ -58,11 +58,4 @@ export function readPrivateKey(cwd) {
   return match[1].trim();
 }
 
-/**
- * Deletes .env.keys after the private key has been stored in Convex.
- * @param {string} cwd
- */
-export function deleteKeysFile(cwd) {
-  const keysPath = join(cwd, ".env.keys");
-  if (existsSync(keysPath)) unlinkSync(keysPath);
-}
+