@suronai/cli 0.1.36 → 0.1.37

package/package.json

@@ -1,23 +1,23 @@
-{
-  "name": "@suronai/cli",
-  "version": "0.1.36",
-  "description": "CLI for Suron — suron login, init, whoami, recover",
-  "type": "module",
-  "bin": {
-    "suron": "./src/index.js"
-  },
-  "files": [
-    "src"
-  ],
-  "scripts": {
-    "build": "node --check src/index.js src/commands/login.js src/commands/init.js src/commands/whoami.js src/commands/recover.js src/utils/config.js src/utils/dotenvx.js src/utils/colors.js",
-    "lint": "node --check src/index.js src/commands/login.js src/commands/init.js src/commands/whoami.js src/commands/recover.js src/utils/config.js src/utils/dotenvx.js src/utils/colors.js"
-  },
-  "dependencies": {
-    "@dotenvx/dotenvx": "latest",
-    "commander": "latest"
-  },
-  "engines": {
-    "node": ">=18.0.0"
-  }
-}
+{
+  "name": "@suronai/cli",
+  "version": "0.1.37",
+  "description": "Suron CLI — secrets delivery",
+  "type": "module",
+  "bin": {
+    "suron": "./src/index.js"
+  },
+  "files": [
+    "src"
+  ],
+  "scripts": {
+    "start": "bun src/index.js",
+    "dev": "bun --watch src/index.js"
+  },
+  "dependencies": {
+    "@clack/prompts": "^1.3.0",
+    "commander": "^14.0.3"
+  },
+  "engines": {
+    "bun": ">=1.0.0"
+  }
+}

package/src/commands.js

@@ -0,0 +1,237 @@
+import { Command } from "commander";
+import { intro, outro, spinner, select, text, isCancel } from "@clack/prompts";
+import { existsSync, readFileSync, writeFileSync } from "fs";
+import { join } from "path";
+import { exec } from "child_process";
+import ui from "./utils/colors.js";
+import { getToken, requireToken, saveConfig, clearToken } from "./utils/config.js";
+import { api, BASE_URL } from "./utils/api.js";
+
+function cancel(msg) {
+  console.log(ui.blank());
+  console.log(ui.errBlock(msg));
+  console.log(ui.blank());
+  process.exit(1);
+}
+
+export const loginCommand = new Command("login")
+  .description("Authenticate via browser")
+  .option("--force", "Re-authenticate even if already logged in")
+  .action(async (opts) => {
+    const existing = getToken();
+    if (existing && !opts.force) {
+      console.log(ui.blank());
+      console.log(ui.errBlock("already logged in", "use --force to re-authenticate"));
+      console.log(ui.blank());
+      process.exit(1);
+    }
+
+    console.log(ui.logo());
+    console.log(ui.blank());
+    console.log(ui.hr());
+    console.log(ui.blank());
+
+    const chars = "abcdefghijklmnopqrstuvwxyz0123456789";
+    let code = "";
+    for (let i = 0; i < 6; i++) code += chars[Math.floor(Math.random() * chars.length)];
+
+    await api("/cli/auth-code", {
+      method: "POST",
+      body: JSON.stringify({ code }),
+    });
+
+    const loginUrl = `${BASE_URL}/clilogin?code=${code}`;
+
+    console.log(ui.infoBlock("Opening browser to complete login..."));
+    console.log(ui.blank());
+    console.log(ui.kv("URL", loginUrl, 6));
+    console.log(ui.blank());
+
+    exec(`open "${loginUrl}" 2>/dev/null || xdg-open "${loginUrl}" 2>/dev/null || cmd /c start "" "${loginUrl}" 2>/dev/null`);
+
+    const s = spinner();
+    s.start("Waiting for approval");
+
+    const deadline = Date.now() + 300_000;
+    let token = null;
+
+    while (Date.now() < deadline) {
+      await new Promise(r => setTimeout(r, 2000));
+      try {
+        const result = await api(`/cli/auth-code/status?code=${code}`);
+        if (result.status === "approved" && result.token) {
+          token = result.token;
+          break;
+        }
+      } catch {}
+    }
+
+    s.stop(token ? "Approved" : "Timed out");
+
+    if (!token) {
+      console.log(ui.blank());
+      console.log(ui.errBlock("login timed out", "try again"));
+      process.exit(1);
+    }
+
+    saveConfig({ token });
+
+    console.log(ui.blank());
+    console.log(ui.step("done", "logged in"));
+    console.log(ui.step("done", "saved  ~/.suron-config"));
+    console.log(ui.blank());
+    console.log(ui.hr());
+    console.log(ui.blank());
+    console.log(ui.infoBlock("next  ›  cd your-project  &&  " + ui.code("suron init")));
+    console.log(ui.blank());
+  });
+
+export const logoutCommand = new Command("logout")
+  .description("Clear local session token")
+  .action(async () => {
+    clearToken();
+    try {
+      await api("/auth/logout", { method: "POST" });
+    } catch {}
+    console.log(ui.blank());
+    console.log(ui.okBlock("logged out"));
+    console.log(ui.blank());
+  });
+
+export const initCommand = new Command("init")
+  .description("Initialize Suron in this project")
+  .action(async () => {
+    const token = requireToken();
+
+    if (existsSync(".suron.json")) {
+      console.log(ui.blank());
+      console.log(ui.errBlock(".suron.json already exists", "use suron up to push a new version"));
+      console.log(ui.blank());
+      process.exit(1);
+    }
+
+    if (!existsSync(".env")) {
+      console.log(ui.blank());
+      console.log(ui.errBlock(".env not found", "create a .env file first"));
+      console.log(ui.blank());
+      process.exit(1);
+    }
+
+    console.log(ui.logo());
+    console.log(ui.blank());
+    console.log(ui.hr());
+    console.log(ui.blank());
+
+    const mode = await select({
+      message: "How do you want to link this project?",
+      options: [
+        { value: "new", label: "Create new app" },
+        { value: "existing", label: "Link to existing app" },
+      ],
+    });
+
+    if (isCancel(mode)) cancel("cancelled");
+
+    let app_id, app_name;
+
+    if (mode === "new") {
+      const name = await text({
+        message: "App name (alphanumeric)",
+        validate: v => /^[a-zA-Z0-9]+$/.test(v) ? undefined : "Alphanumeric only",
+      });
+      if (isCancel(name)) cancel("cancelled");
+
+      const result = await api("/apps", {
+        method: "POST",
+        body: JSON.stringify({ name }),
+      }).catch(err => cancel(err.message));
+
+      app_id = result.app_id;
+      app_name = result.name;
+    } else {
+      const apps = await api("/apps").catch(err => cancel(err.message));
+
+      if (!apps.length) {
+        console.log(ui.blank());
+        console.log(ui.errBlock("no apps found", "use 'Create new app' instead"));
+        process.exit(1);
+      }
+
+      const chosen = await select({
+        message: "Select an app",
+        options: apps.map(a => ({ value: a.app_id, label: a.name })),
+      });
+      if (isCancel(chosen)) cancel("cancelled");
+
+      const found = apps.find(a => a.app_id === chosen);
+      app_id = found.app_id;
+      app_name = found.name;
+    }
+
+    const env_plaintext = readFileSync(".env", "utf-8");
+
+    const s = spinner();
+    s.start("Pushing v1");
+
+    const result = await api(`/apps/${app_id}/versions`, {
+      method: "POST",
+      body: JSON.stringify({ env_plaintext }),
+    }).catch(err => { s.stop("failed"); cancel(err.message); });
+
+    s.stop("Done");
+
+    const suronJson = { app_name, app_id, version: result.version };
+    writeFileSync(".suron.json", JSON.stringify(suronJson, null, 2) + "\n");
+
+    console.log(ui.blank());
+    console.log(ui.step("done", "encrypted and uploaded .env"));
+    console.log(ui.step("done", `version  ${result.version}`));
+    console.log(ui.step("done", "wrote  .suron.json"));
+    console.log(ui.blank());
+    console.log(ui.hr());
+    console.log(ui.blank());
+    console.log(ui.infoBlock("add .suron.json to git  ·  add .env to .gitignore"));
+    console.log(ui.blank());
+  });
+
+export const upCommand = new Command("up")
+  .description("Push a new version of .env")
+  .action(async () => {
+    requireToken();
+
+    if (!existsSync(".suron.json")) {
+      console.log(ui.blank());
+      console.log(ui.errBlock(".suron.json not found", "run: suron init"));
+      console.log(ui.blank());
+      process.exit(1);
+    }
+
+    if (!existsSync(".env")) {
+      console.log(ui.blank());
+      console.log(ui.errBlock(".env not found"));
+      console.log(ui.blank());
+      process.exit(1);
+    }
+
+    const suronJson = JSON.parse(readFileSync(".suron.json", "utf-8"));
+    const { app_id, app_name } = suronJson;
+
+    const env_plaintext = readFileSync(".env", "utf-8");
+
+    const s = spinner();
+    s.start("Pushing new version");
+
+    const result = await api(`/apps/${app_id}/versions`, {
+      method: "POST",
+      body: JSON.stringify({ env_plaintext }),
+    }).catch(err => { s.stop("failed"); cancel(err.message); });
+
+    s.stop("Done");
+
+    suronJson.version = result.version;
+    writeFileSync(".suron.json", JSON.stringify(suronJson, null, 2) + "\n");
+
+    console.log(ui.blank());
+    console.log(ui.step("done", `version  ${result.version}  pushed`));
+    console.log(ui.blank());
+  });

package/src/index.js

@@ -2,13 +2,9 @@
 
 import { Command } from "commander";
 import { createRequire } from "module";
-import { loginCommand }   from "./commands/login.js";
-import { initCommand }    from "./commands/init.js";
-import { encryptCommand } from "./commands/encrypt.js";
-import { whoamiCommand }  from "./commands/whoami.js";
-import { recoverCommand } from "./commands/recover.js";
+import { loginCommand, logoutCommand, initCommand, upCommand } from "./commands.js";
 
-const require  = createRequire(import.meta.url);
+const require = createRequire(import.meta.url);
 const { version } = require("../package.json");
 
 const program = new Command();
@@ -19,9 +15,8 @@ program
   .version(version);
 
 program.addCommand(loginCommand);
+program.addCommand(logoutCommand);
 program.addCommand(initCommand);
-program.addCommand(encryptCommand);
-program.addCommand(whoamiCommand);
-program.addCommand(recoverCommand);
+program.addCommand(upCommand);
 
 program.parse(process.argv);

package/src/utils/api.js

@@ -0,0 +1,20 @@
+import { getToken } from "./config.js";
+
+const BASE_URL = "https://suronai.com";
+
+export async function api(path, options = {}) {
+  const token = getToken();
+  const headers = { "Content-Type": "application/json", ...options.headers };
+  if (token) headers["Authorization"] = `Bearer ${token}`;
+
+  const res = await fetch(`${BASE_URL}${path}`, { ...options, headers });
+
+  if (!res.ok) {
+    const data = await res.json().catch(() => ({}));
+    throw new Error(data.error ?? `HTTP ${res.status}`);
+  }
+
+  return res.json();
+}
+
+export { BASE_URL };

package/src/utils/config.js

@@ -1,14 +1,10 @@
 import { homedir } from "os";
 import { join } from "path";
 import { readFileSync, writeFileSync, existsSync } from "fs";
-import readline from "readline";
 import ui from "./colors.js";
 
 const CONFIG_PATH = join(homedir(), ".suron-config");
 
-/**
- * @returns {{ apiUrl?: string }}
- */
 export function readConfig() {
   if (!existsSync(CONFIG_PATH)) return {};
   try {
@@ -19,7 +15,7 @@ export function readConfig() {
       const key = line.slice(0, eq).trim();
       const val = line.slice(eq + 1).trim();
       if (!val) continue;
-      if (key === "SURON_API_URL") config.apiUrl = val;
+      if (key === "SURON_TOKEN") config.token = val;
     }
     return config;
   } catch {
@@ -27,46 +23,28 @@ export function readConfig() {
   }
 }
 
-/**
- * @param {{ apiUrl?: string }} values
- */
 export function saveConfig(values) {
   const merged = { ...readConfig(), ...values };
   const lines = [];
-  if (merged.apiUrl) lines.push(`SURON_API_URL=${merged.apiUrl}`);
+  if (merged.token) lines.push(`SURON_TOKEN=${merged.token}`);
   writeFileSync(CONFIG_PATH, lines.join("\n") + "\n", { mode: 0o600 });
 }
 
-/** @returns {string | null} */
-export function getApiUrl() {
-  // Strip trailing slash from both sources so callers always get a clean URL.
-  const fromEnv    = process.env.SURON_API_URL?.replace(/\/$/, "");
-  const fromConfig = readConfig().apiUrl?.replace(/\/$/, "");
-  return fromEnv ?? fromConfig ?? null;
+export function getToken() {
+  return readConfig().token ?? null;
 }
 
-/** @returns {string} */
-export function requireApiUrl() {
-  const url = getApiUrl();
-  if (!url) {
+export function requireToken() {
+  const token = getToken();
+  if (!token) {
     console.error(ui.blank());
-    console.error(ui.errBlock("not configured", "run: suron login"));
+    console.error(ui.errBlock("not logged in", "run: suron login"));
     console.error(ui.blank());
     process.exit(1);
   }
-  return url;
+  return token;
 }
 
-/**
- * @param {string} question
- * @returns {Promise<string>}
- */
-export function prompt(question) {
-  const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
-  return new Promise((resolve) => {
-    rl.question(question, (answer) => {
-      rl.close();
-      resolve(answer.trim());
-    });
-  });
+export function clearToken() {
+  writeFileSync(CONFIG_PATH, "", { mode: 0o600 });
 }

package/src/utils/crypto.js

@@ -0,0 +1,7 @@
+export function encryptEnv(plaintext) {
+  return plaintext;
+}
+
+export function decryptEnv(plaintext) {
+  return plaintext;
+}

package/README.md

@@ -1,134 +0,0 @@
-# @suronai/cli
-
-CLI for [Suron](https://suronai.com) — encrypt your `.env`, register your app, and manage secret delivery gated by Telegram approval.
-
-## Install
-
-```bash
-npm install -g @suronai/cli
-```
-
-Requires Node.js 18+.
-
----
-
-## Quick start
-
-```bash
-suron login       # point the CLI at your Suron deployment
-cd my-project
-suron init        # encrypt .env, register app, patch entry point
-```
-
-After `suron init`, both `.env` and `.suron.json` are safe to commit.
-
----
-
-## Commands
-
-### `suron login`
-
-Saves your Convex deployment URL to `~/.suron-config`. Run this once per machine.
-
-```bash
-suron login
-```
-
-You can also set it via environment variable instead:
-
-```bash
-export SURON_API_URL=https://your-deployment.convex.site
-```
-
----
-
-### `suron init`
-
-Run inside your project directory. Does the full setup in one command:
-
-1. Encrypts `.env` in-place with [dotenvx](https://dotenvx.com)
-2. Registers your app with Suron (uploads the encrypted private key)
-3. Installs `@suronai/sdk` into your project
-4. Writes `.suron.json` with your app name and ID
-5. Deletes `.env.keys`
-6. Detects `dotenv` in your entry point and offers to replace it with `@suronai/sdk`
-
-```bash
-cd my-project
-suron init
-
-# set a custom app name without the interactive prompt
-suron init --name my-app
-```
-
-**Entry point patching**
-
-If `index.js` (or `src/index.js`) contains a `dotenv` bootstrap, `suron init` shows you exactly what will change and asks before touching anything:
-
-```
-▶  Found dotenv in index.js
-
-  Will replace:
-    - import { config } from 'dotenv'
-    - config()
-  With:
-    + import { config } from '@suronai/sdk'
-    + await config()
-
-  Replace? [Y/n] ›
-```
-
-If dotenv isn't found, the snippet is printed for you to add manually.
-
-**Files after `suron init`**
-
-| File | Commit? | Notes |
-|---|---|---|
-| `.env` | ✅ yes | encrypted by dotenvx, no plaintext secrets |
-| `.suron.json` | ✅ yes | app name, id, api_url — no secrets |
-| `.env.keys` | ⛔ no | keep safe, add to `.gitignore` |
-| `~/.suron-config` | ⛔ no | machine-local CLI config |
-
----
-
-### `suron whoami`
-
-Prints the configured Suron API URL.
-
-```bash
-suron whoami
-```
-
----
-
-### `suron rotate`
-
-Re-encrypts `.env` with a new private key, sends the updated key to Suron, and deletes `.env.keys`. Use this for routine key rotation or if a key may have been exposed.
-
-```bash
-suron rotate
-```
-
----
-
-## How it works
-
-```
-suron init
-  └─ dotenvx encrypt .env          # encrypts secrets in-place
-  └─ POST /cli/register-app        # sends encrypted private key to Convex
-  └─ writes .suron.json            # stores app_id locally
-  └─ deletes .env.keys             # private key lives in Convex only
-
-app boot (via @suronai/sdk)
-  └─ POST /request-access          # sends boot request, triggers Telegram message
-  └─ GET  /status (polling)        # waits for Approve / Deny tap
-  └─ POST /fetch-key               # retrieves private key (single-use)
-  └─ dotenvx.parse(.env, key)      # decrypts secrets into process.env
-```
-
----
-
-## Related
-
-- [`@suronai/sdk`](https://www.npmjs.com/package/@suronai/sdk) — the runtime SDK your app imports

package/src/commands/encrypt.js

@@ -1,88 +0,0 @@
-import { Command } from "commander";
-import { existsSync, readFileSync } from "fs";
-import { join } from "path";
-import { encryptDotenv } from "../utils/dotenvx.js";
-import ui from "../utils/colors.js";
-
-export const encryptCommand = new Command("encrypt")
-  .description("Encrypt new plaintext values added to .env (safe to run any time after init)")
-  .action(async () => {
-    const cwd = process.cwd();
-
-    console.log(ui.blank());
-    console.log(ui.hr());
-    console.log(ui.blank());
-
-    if (!existsSync(join(cwd, ".suron.json"))) {
-      console.error(ui.errBlock(
-        ".suron.json not found",
-        "run suron init first"
-      ));
-      console.log(ui.blank());
-      process.exit(1);
-    }
-
-    if (!existsSync(join(cwd, ".env"))) {
-      console.error(ui.errBlock(".env not found"));
-      console.log(ui.blank());
-      process.exit(1);
-    }
-
-    // ── Scan for plaintext values ─────────────────────────────────────────────
-    const envLines = readFileSync(join(cwd, ".env"), "utf-8").split("\n");
-
-    const plaintextKeys = envLines
-      .filter(line => {
-        const t = line.trim();
-        if (!t || t.startsWith("#") || t.startsWith("#/")) return false;
-        const eq = t.indexOf("=");
-        if (eq === -1) return false;
-        const val = t.slice(eq + 1).trim().replace(/^["']|["']$/g, "");
-        return val.length > 0 && !val.startsWith("encrypted:");
-      })
-      .map(line => line.slice(0, line.indexOf("=")).trim());
-
-    if (plaintextKeys.length === 0) {
-      console.log(ui.step("skip", "all values already encrypted"));
-      console.log(ui.blank());
-      console.log(ui.hr());
-      console.log(ui.blank());
-      console.log(ui.infoBlock("to add secrets  ›  edit .env then run  " + ui.code("suron encrypt")));
-      console.log(ui.blank());
-      process.exit(0);
-    }
-
-    console.log(ui.kv("PENDING", String(plaintextKeys.length) + " value" + (plaintextKeys.length === 1 ? "" : "s")));
-    console.log(ui.blank());
-    for (const k of plaintextKeys) {
-      console.log(ui.INDENT + "   " + ui.slate("·  ") + ui.amber(k));
-    }
-    console.log(ui.blank());
-    console.log(ui.hr());
-    console.log(ui.blank());
-
-    // ── Encrypt ───────────────────────────────────────────────────────────────
-    process.stdout.write(ui.INDENT + ui.slate("encrypting ···"));
-
-    try {
-      encryptDotenv(cwd);
-    } catch (err) {
-      process.stdout.write("\r" + " ".repeat(40) + "\r");
-      console.error(ui.errBlock(err.message));
-      console.log(ui.blank());
-      process.exit(1);
-    }
-
-    process.stdout.write("\r" + " ".repeat(40) + "\r");
-
-    console.log(ui.step("done", "encrypted  .env"));
-    console.log(ui.step("done", "cleaned    .env  +  .env.keys"));
-    console.log(ui.blank());
-    console.log(ui.hr());
-    console.log(ui.blank());
-    console.log(ui.readyBlock([
-      { label: ".env",      note: "encrypted  ·  safe to commit" },
-      { label: ".env.keys", note: "keep safe  ·  never commit" },
-    ]));
-    console.log(ui.blank());
-  });

package/src/commands/init.js

@@ -1,397 +0,0 @@
-import { Command } from "commander";
-import { existsSync, writeFileSync, readFileSync } from "fs";
-import { join, basename, relative } from "path";
-import { execSync } from "child_process";
-import { requireApiUrl, prompt } from "../utils/config.js";
-import { encryptDotenv, readPrivateKey } from "../utils/dotenvx.js";
-import ui from "../utils/colors.js";
-
-export const initCommand = new Command("init")
-  .description("Encrypt .env and register this app with Suron")
-  .option("--name <n>", "App name (skips interactive prompt)")
-  .action(async (opts) => {
-    const cwd    = process.cwd();
-    const apiUrl = requireApiUrl();
-
-    console.log(ui.logo());
-    console.log(ui.blank());
-    console.log(ui.hr());
-    console.log(ui.blank());
-
-    if (existsSync(join(cwd, ".suron.json"))) {
-      console.error(ui.errBlock(
-        "already initialised",
-        "to restore a lost config  ›  suron recover"
-      ));
-      console.log(ui.blank());
-      process.exit(1);
-    }
-
-    if (!existsSync(join(cwd, ".env"))) {
-      console.error(ui.errBlock(
-        ".env not found",
-        "create a .env file with your secrets, then run: suron init"
-      ));
-      console.log(ui.blank());
-      process.exit(1);
-    }
-
-    // ── App name ──────────────────────────────────────────────────────────────
-    const suggested = sanitiseName(basename(cwd) || "myapp");
-    let appName;
-
-    if (opts.name) {
-      appName = sanitiseName(opts.name);
-    } else {
-      process.stdout.write(ui.promptLine("app name  [" + suggested + "]"));
-      const raw = await prompt("");
-      appName = sanitiseName(raw || suggested);
-    }
-
-    if (!appName) {
-      console.log(ui.blank());
-      console.error(ui.errBlock(
-        "app name required",
-        "example  ›  suron init --name MyApp"
-      ));
-      console.log(ui.blank());
-      process.exit(1);
-    }
-
-    console.log(ui.blank());
-    console.log(ui.kv("APP", appName));
-    console.log(ui.kv("DIR", ui.slate(cwd)));
-    console.log(ui.blank());
-    console.log(ui.hr());
-    console.log(ui.blank());
-
-    // ── Steps ─────────────────────────────────────────────────────────────────
-    const steps = {
-      encrypt:   { label: "encrypt   .env",         status: "pending" },
-      keys:      { label: "key       .env.keys",     status: "pending" },
-      gitignore: { label: "gitignore .gitignore",    status: "pending" },
-      register:  { label: "register  " + appName,   status: "pending" },
-      sdk:       { label: "sdk       @suronai/sdk",  status: "pending" },
-    };
-
-    const printSteps = () => {
-      for (const s of Object.values(steps)) {
-        console.log(ui.step(s.status, s.label, s.note));
-      }
-    };
-
-    // ── Encrypt ───────────────────────────────────────────────────────────────
-    steps.encrypt.status  = "run";
-    steps.keys.status     = "run";
-    try {
-      encryptDotenv(cwd);
-      steps.encrypt.status = "done";
-      steps.keys.status    = "done";
-    } catch (err) {
-      steps.encrypt.status = "fail";
-      steps.keys.status    = "fail";
-      printSteps();
-      console.log(ui.blank());
-      console.log(ui.hr());
-      console.log(ui.blank());
-      console.error(ui.errBlock(err.message));
-      console.log(ui.blank());
-      process.exit(1);
-    }
-
-    let privateKey;
-    try {
-      privateKey = readPrivateKey(cwd);
-    } catch (err) {
-      steps.keys.status = "fail";
-      printSteps();
-      console.log(ui.blank());
-      console.log(ui.hr());
-      console.log(ui.blank());
-      console.error(ui.errBlock(err.message));
-      console.log(ui.blank());
-      process.exit(1);
-    }
-
-    // ── .gitignore ────────────────────────────────────────────────────────────
-    steps.gitignore.status = "run";
-    const gitignoreResult = ensureGitignore(cwd);
-    steps.gitignore.status = "done";
-    steps.gitignore.note   = gitignoreResult;
-
-    // ── Register ──────────────────────────────────────────────────────────────
-    steps.register.status = "run";
-    let res;
-    try {
-      res = await fetch(`${apiUrl}/cli/register-app`, {
-        method: "POST",
-        headers: { "Content-Type": "application/json" },
-        body: JSON.stringify({ name: appName, private_key: privateKey }),
-      });
-    } catch (err) {
-      steps.register.status = "fail";
-      printSteps();
-      console.log(ui.blank());
-      console.log(ui.hr());
-      console.log(ui.blank());
-      console.error(ui.errBlock(`cannot reach API`, err.message));
-      console.log(ui.blank());
-      process.exit(1);
-    }
-
-    if (!res.ok) {
-      let body = {};
-      try { body = await res.json(); } catch { /* ignore */ }
-      steps.register.status = "fail";
-      printSteps();
-      console.log(ui.blank());
-      console.log(ui.hr());
-      console.log(ui.blank());
-      if (res.status === 409) {
-        const canonical = body?.existing_name ?? appName;
-        console.error(ui.errBlock(
-          `"${canonical}" already registered`,
-          `to restore a lost config  ›  suron recover --name ${canonical}`
-        ));
-      } else {
-        console.error(ui.errBlock(body?.error ?? `register failed (${res.status})`));
-      }
-      console.log(ui.blank());
-      process.exit(1);
-    }
-
-    const { app_id } = await res.json();
-    steps.register.status = "done";
-
-    // ── Write .suron.json ─────────────────────────────────────────────────────
-    writeFileSync(
-      join(cwd, ".suron.json"),
-      JSON.stringify({ app: appName, id: app_id, api_url: apiUrl }, null, 2) + "\n",
-      "utf-8"
-    );
-
-    // ── Install SDK ───────────────────────────────────────────────────────────
-    const pkgJsonPath = join(cwd, "package.json");
-    let isEsm = false;
-    steps.sdk.status = "run";
-
-    if (existsSync(pkgJsonPath)) {
-      let alreadyInstalled = false;
-      try {
-        const pkg = JSON.parse(readFileSync(pkgJsonPath, "utf-8"));
-        alreadyInstalled = !!(pkg.dependencies?.["@suronai/sdk"] || pkg.devDependencies?.["@suronai/sdk"]);
-        isEsm = pkg.type === "module";
-      } catch { /* ignore */ }
-
-      if (!alreadyInstalled) {
-        const pm = detectPackageManager(cwd);
-        try {
-          execSync(`${pm} ${pmAddCmd(pm)} @suronai/sdk`, { cwd, stdio: "pipe" });
-          steps.sdk.status = "done";
-        } catch {
-          steps.sdk.status = "fail";
-          steps.sdk.note   = "run: npm install @suronai/sdk";
-        }
-      } else {
-        steps.sdk.status = "skip";
-        steps.sdk.note   = "already installed";
-      }
-    } else {
-      steps.sdk.status = "skip";
-      steps.sdk.note   = "no package.json";
-    }
-
-    printSteps();
-    console.log(ui.blank());
-    console.log(ui.hr());
-    console.log(ui.blank());
-
-    // ── Patch entry point ─────────────────────────────────────────────────────
-    await patchEntryPoint(cwd, isEsm);
-
-    // ── Done ──────────────────────────────────────────────────────────────────
-    console.log(ui.readyBlock([
-      { label: ".env",        note: "encrypted  ·  safe to commit" },
-      { label: ".env.keys",   note: "gitignored  ·  keep safe" },
-      { label: ".suron.json", note: "safe to commit" },
-    ]));
-    console.log(ui.blank());
-  });
-
-// ── Helpers ──────────────────────────────────────────────────────────────────
-
-const GITIGNORE_ENTRIES = ["node_modules/", "package-lock.json", ".env.keys"];
-
-function ensureGitignore(cwd) {
-  const gitignorePath = join(cwd, ".gitignore");
-  if (!existsSync(gitignorePath)) {
-    writeFileSync(gitignorePath, GITIGNORE_ENTRIES.join("\n") + "\n", "utf-8");
-    return "created";
-  }
-  const content  = readFileSync(gitignorePath, "utf-8");
-  const existing = new Set(content.split("\n").map(l => l.trim()));
-  const missing  = GITIGNORE_ENTRIES.filter(e => !existing.has(e));
-  if (missing.length === 0) return "ok";
-  const sep = content.endsWith("\n") ? "" : "\n";
-  writeFileSync(gitignorePath, content + sep + missing.join("\n") + "\n", "utf-8");
-  return "updated";
-}
-
-function detectPackageManager(cwd) {
-  if (existsSync(join(cwd, "pnpm-lock.yaml"))) return "pnpm";
-  if (existsSync(join(cwd, "yarn.lock")))       return "yarn";
-  if (existsSync(join(cwd, "bun.lockb")))        return "bun";
-  return "npm";
-}
-
-function pmAddCmd(pm) {
-  return pm === "npm" ? "install" : "add";
-}
-
-/**
- * Strips everything except letters and digits while preserving case.
- * @param {string} name
- * @returns {string}
- */
-function sanitiseName(name) {
-  return name.replace(/[^a-zA-Z0-9]/g, "");
-}
-
-/**
- * @param {string} cwd
- * @param {boolean} isEsm
- */
-async function patchEntryPoint(cwd, isEsm) {
-  const candidates = isEsm
-    ? ["index.js", "index.mjs", "src/index.js", "src/index.mjs"]
-    : ["index.js", "index.cjs", "src/index.js", "src/index.cjs"];
-
-  let entryPath = null;
-  for (const rel of candidates) {
-    const abs = join(cwd, rel);
-    if (existsSync(abs)) { entryPath = abs; break; }
-  }
-
-  if (!entryPath) {
-    printSnippet(isEsm);
-    return;
-  }
-
-  let src;
-  try { src = readFileSync(entryPath, "utf-8"); } catch { return; }
-
-  const lines = src.split("\n");
-  const toReplace   = [];
-  const seenIndices = new Set();
-
-  for (let i = 0; i < lines.length; i++) {
-    const trimmed = lines[i].trim();
-    const indent  = lines[i].match(/^(\s*)/)[1];
-
-    if (lines[i].includes("dotenv")) {
-      seenIndices.add(i);
-      let replacement = null;
-      if (isEsm) {
-        if (trimmed.startsWith("import")) {
-          replacement = indent + trimmed.replace(/(from\s+)['"]dotenv(?:\/config)?['"]/, '$1"@suronai/sdk"');
-        }
-      } else {
-        if (trimmed.includes("require")) {
-          replacement = indent + "const { config } = require(\"@suronai/sdk\");\n" + indent + "await config();";
-        }
-      }
-      toReplace.push({ index: i, content: lines[i], replacement });
-    }
-  }
-
-  if (isEsm) {
-    for (let i = 0; i < lines.length; i++) {
-      if (seenIndices.has(i)) continue;
-      const trimmed = lines[i].trim();
-      const indent  = lines[i].match(/^(\s*)/)[1];
-      if (/^config\s*\(.*\);?$/.test(trimmed) && !trimmed.startsWith("//")) {
-        toReplace.push({
-          index: i,
-          content: lines[i],
-          replacement: indent + trimmed.replace(/^config\s*\(/, "await config("),
-        });
-      }
-    }
-    toReplace.sort((a, b) => a.index - b.index);
-  }
-
-  if (toReplace.length === 0) {
-    printSnippet(isEsm);
-    return;
-  }
-
-  const relEntry = relative(cwd, entryPath);
-
-  // ── Diff preview ───────────────────────────────────────────────────────────
-  console.log(ui.kv("ENTRY", relEntry, 8));
-  console.log(ui.blank());
-
-  for (const { content, replacement } of toReplace) {
-    console.log(ui.diff("remove", content.trim()));
-    if (replacement !== null) {
-      for (const l of replacement.split("\n")) {
-        console.log(ui.diff("add", l.trim()));
-      }
-    } else {
-      console.log(ui.diff("unknown", ""));
-    }
-    console.log(ui.blank());
-  }
-
-  process.stdout.write(ui.promptLine("apply patch?  [Y/n]"));
-  const answer = await prompt("");
-  const confirmed = answer === "" || /^y(es)?$/i.test(answer);
-  console.log(ui.blank());
-  console.log(ui.hr());
-  console.log(ui.blank());
-
-  if (!confirmed) {
-    printSnippet(isEsm);
-    return;
-  }
-
-  const indexMap = new Map(toReplace.map(r => [r.index, r]));
-  const outLines = lines.map((line, i) => {
-    const r = indexMap.get(i);
-    return (r && r.replacement !== null) ? r.replacement : line;
-  });
-
-  if (isEsm) {
-    const callLineIndex   = outLines.findIndex(l => /^\s*await config\s*\(/.test(l));
-    const lastImportIndex = outLines.reduce((last, l, i) => l.trimStart().startsWith("import ") ? i : last, -1);
-    if (callLineIndex !== -1 && callLineIndex > lastImportIndex + 2) {
-      const callLine = outLines[callLineIndex];
-      outLines.splice(callLineIndex, 1);
-      if (outLines[callLineIndex]?.trim() === "") outLines.splice(callLineIndex, 1);
-      const newLastImport = outLines.reduce((last, l, i) => l.trimStart().startsWith("import ") ? i : last, -1);
-      outLines.splice(newLastImport + 1, 0, "", callLine, "");
-    }
-  }
-
-  try {
-    writeFileSync(entryPath, outLines.join("\n"), "utf-8");
-  } catch (err) {
-    console.error(ui.errBlock("could not write " + relEntry, err.message));
-    printSnippet(isEsm);
-  }
-}
-
-function printSnippet(isEsm) {
-  console.log(ui.infoBlock("add to your entry point:"));
-  console.log(ui.blank());
-  if (isEsm) {
-    console.log(ui.INDENT + "   " + ui.amber('import { config } from "@suronai/sdk"'));
-    console.log(ui.INDENT + "   " + ui.amber("await config()"));
-  } else {
-    console.log(ui.INDENT + "   " + ui.amber('const { config } = require("@suronai/sdk")'));
-    console.log(ui.INDENT + "   " + ui.amber("await config()"));
-  }
-  console.log(ui.blank());
-  console.log(ui.hr());
-  console.log(ui.blank());
-}

package/src/commands/login.js

@@ -1,83 +0,0 @@
-import { Command } from "commander";
-import { getApiUrl, saveConfig, prompt } from "../utils/config.js";
-import ui from "../utils/colors.js";
-
-export const loginCommand = new Command("login")
-  .description("Configure the Suron API URL")
-  .action(async () => {
-    console.log(ui.logo());
-    console.log(ui.blank());
-    console.log(ui.hr());
-    console.log(ui.blank());
-
-    let apiUrl = getApiUrl();
-
-    if (apiUrl) {
-      console.log(ui.kv("ENDPOINT", apiUrl));
-      console.log(ui.blank());
-      process.stdout.write(ui.promptLine("replace?  [y/N]"));
-      const change = await prompt("");
-      if (change.toLowerCase() !== "y") {
-        console.log(ui.blank());
-        console.log(ui.okBlock("no changes"));
-        console.log(ui.blank());
-        return;
-      }
-      console.log(ui.blank());
-    }
-
-    process.stdout.write(ui.promptLine("convex deployment URL"));
-    const input = await prompt("");
-
-    if (!input) {
-      console.log(ui.blank());
-      console.error(ui.errBlock("URL required"));
-      console.log(ui.blank());
-      process.exit(1);
-    }
-
-    apiUrl = input.trim().replace(/\/$/, "");
-    console.log(ui.blank());
-    console.log(ui.hr());
-    console.log(ui.blank());
-
-    // Verify
-    process.stdout.write(ui.INDENT + ui.slate("verifying ···"));
-
-    let verified = false;
-    try {
-      const res = await fetch(`${apiUrl}/cli/verify`, {
-        method: "POST",
-        headers: { "Content-Type": "application/json" },
-        body: JSON.stringify({}),
-      });
-      verified = res.ok;
-      if (!res.ok) {
-        const text = await res.text().catch(() => "");
-        process.stdout.write("\r" + " ".repeat(40) + "\r");
-        console.error(ui.errBlock(`backend returned ${res.status}`, text || undefined));
-        console.log(ui.blank());
-        process.exit(1);
-      }
-    } catch {
-      process.stdout.write("\r" + " ".repeat(40) + "\r");
-      console.error(ui.errBlock(
-        `cannot reach ${apiUrl}`,
-        "is the convex deployment running?"
-      ));
-      console.log(ui.blank());
-      process.exit(1);
-    }
-
-    process.stdout.write("\r" + " ".repeat(40) + "\r");
-
-    saveConfig({ apiUrl });
-
-    console.log(ui.step("done",  "connection verified"));
-    console.log(ui.step("done",  "saved  ~/.suron-config"));
-    console.log(ui.blank());
-    console.log(ui.hr());
-    console.log(ui.blank());
-    console.log(ui.infoBlock("next  ›  cd your-project  &&  " + ui.code("suron init")));
-    console.log(ui.blank());
-  });

package/src/commands/recover.js

@@ -1,112 +0,0 @@
-import { Command } from "commander";
-import { existsSync, writeFileSync } from "fs";
-import { join, basename } from "path";
-import { requireApiUrl, prompt } from "../utils/config.js";
-import ui from "../utils/colors.js";
-
-export const recoverCommand = new Command("recover")
-  .description("Restore a lost .suron.json by looking up your app name")
-  .option("--name <n>", "App name to recover (skips interactive prompt)")
-  .action(async (opts) => {
-    const cwd    = process.cwd();
-    const apiUrl = requireApiUrl();
-
-    console.log(ui.blank());
-    console.log(ui.hr());
-    console.log(ui.blank());
-    console.log(ui.kv("DIR", ui.slate(cwd)));
-    console.log(ui.blank());
-
-    if (existsSync(join(cwd, ".suron.json"))) {
-      console.log(ui.infoBlock(".suron.json already exists here"));
-      console.log(ui.blank());
-      process.stdout.write(ui.promptLine("overwrite?  [y/N]"));
-      const answer = await prompt("");
-      if (!/^y(es)?$/i.test(answer)) {
-        console.log(ui.blank());
-        console.log(ui.infoBlock("cancelled"));
-        console.log(ui.blank());
-        process.exit(0);
-      }
-      console.log(ui.blank());
-    }
-
-    // ── App name ──────────────────────────────────────────────────────────────
-    let appName;
-    if (opts.name) {
-      appName = opts.name.replace(/[^a-zA-Z0-9]/g, "");
-    } else {
-      const suggested = sanitiseName(basename(cwd) || "myapp");
-      process.stdout.write(ui.promptLine("app name  [" + suggested + "]"));
-      const raw = await prompt("");
-      appName = sanitiseName(raw || suggested);
-    }
-
-    if (!appName) {
-      console.log(ui.blank());
-      console.error(ui.errBlock("app name required"));
-      console.log(ui.blank());
-      process.exit(1);
-    }
-
-    console.log(ui.blank());
-    console.log(ui.kv("LOOKUP", appName));
-    console.log(ui.blank());
-    console.log(ui.hr());
-    console.log(ui.blank());
-
-    // ── Look up app ───────────────────────────────────────────────────────────
-    process.stdout.write(ui.INDENT + ui.slate("querying ···"));
-
-    let res;
-    try {
-      res = await fetch(`${apiUrl}/cli/recover-app`, {
-        method: "POST",
-        headers: { "Content-Type": "application/json" },
-        body: JSON.stringify({ name: appName }),
-      });
-    } catch (err) {
-      process.stdout.write("\r" + " ".repeat(40) + "\r");
-      console.error(ui.errBlock(`cannot reach API`, err.message));
-      console.log(ui.blank());
-      process.exit(1);
-    }
-
-    process.stdout.write("\r" + " ".repeat(40) + "\r");
-
-    if (!res.ok) {
-      let body = {};
-      try { body = await res.json(); } catch { /* ignore */ }
-      if (res.status === 404) {
-        console.error(ui.errBlock(
-          `"${appName}" not found`,
-          "lookup is case-insensitive — check spelling"
-        ));
-      } else {
-        console.error(ui.errBlock(body?.error ?? `recover failed (${res.status})`));
-      }
-      console.log(ui.blank());
-      process.exit(1);
-    }
-
-    const { app_id, name } = await res.json();
-
-    // ── Write .suron.json ─────────────────────────────────────────────────────
-    writeFileSync(
-      join(cwd, ".suron.json"),
-      JSON.stringify({ app: name, id: app_id, api_url: apiUrl }, null, 2) + "\n",
-      "utf-8"
-    );
-
-    console.log(ui.step("done", ".suron.json written"));
-    console.log(ui.blank());
-    console.log(ui.kv("APP", name));
-    console.log(ui.kv("ID",  app_id));
-    console.log(ui.blank());
-    console.log(ui.hr());
-    console.log(ui.blank());
-  });
-
-function sanitiseName(name) {
-  return name.replace(/[^a-zA-Z0-9]/g, "");
-}

package/src/commands/whoami.js

@@ -1,17 +0,0 @@
-import { Command } from "commander";
-import { requireApiUrl } from "../utils/config.js";
-import ui from "../utils/colors.js";
-
-export const whoamiCommand = new Command("whoami")
-  .description("Show configured Suron API URL")
-  .action(() => {
-    const apiUrl = requireApiUrl();
-    console.log(ui.blank());
-    console.log(ui.hr());
-    console.log(ui.blank());
-    console.log(ui.kv("ENDPOINT",   apiUrl));
-    console.log(ui.kv("CONFIG",     "~/.suron-config"));
-    console.log(ui.blank());
-    console.log(ui.hr());
-    console.log(ui.blank());
-  });

package/src/utils/dotenvx.js

@@ -1,110 +0,0 @@
-import { execSync } from "child_process";
-import { existsSync, readFileSync, writeFileSync } from "fs";
-import { join } from "path";
-
-/**
- * Strips the dotenvx banner comment block from a string of file content.
- *
- * dotenvx injects a block like this into both .env and .env.keys on every
- * encrypt call:
- *
- *   #/------------------!DOTENV_PRIVATE_KEYS!---...
- *   #/ private decryption keys. DO NOT commit ...
- *   #/     [how it works](https://dotenvx.com/encryption)
- *   #/           backup with: `dotenvx ops backup`
- *   #/----------------------------------------------------------/
- *
- * These lines all start with "#/" which regular user comments never do
- * (user comments use a plain "#" prefix), so this is a safe, targeted strip.
- *
- * @param {string} content  Raw file content
- * @returns {string}        Content with all #/ banner lines removed
- */
-export function stripDotenvxComments(content) {
-  return content
-    .split("\n")
-    .filter(line => !line.startsWith("#/"))
-    .join("\n")
-    .replace(/\n{3,}/g, "\n\n")  // collapse excess blank lines left behind
-    .trimStart();
-}
-
-/**
- * Strips dotenvx banner comments from .env and .env.keys in-place.
- * Called automatically by encryptDotenv() after every encrypt run,
- * but exported so callers can run it standalone if needed.
- * @param {string} cwd
- */
-export function cleanDotenvComments(cwd) {
-  for (const filename of [".env", ".env.keys"]) {
-    const filePath = join(cwd, filename);
-    if (!existsSync(filePath)) continue;
-    const raw = readFileSync(filePath, "utf-8");
-    const cleaned = stripDotenvxComments(raw);
-    if (cleaned !== raw) writeFileSync(filePath, cleaned, "utf-8");
-  }
-}
-
-/**
- * Encrypts .env in-place using dotenvx, then strips the injected banner
- * comments from both .env and .env.keys automatically.
- *
- * Idempotent — dotenvx only encrypts new plaintext values and leaves
- * already-encrypted values untouched, reusing the existing keypair.
- * Safe to call on first init AND any time new values are added to .env.
- *
- * @param {string} cwd
- */
-export function encryptDotenv(cwd) {
-  if (!existsSync(join(cwd, ".env"))) {
-    throw new Error(`.env not found in ${cwd}`);
-  }
-
-  // Strip all dotenvx keypair vars from the child environment.
-  // If dotenvx sees DOTENV_PRIVATE_KEY or DOTENV_PUBLIC_KEY already set
-  // it may skip writing .env.keys, breaking readPrivateKey() on first run.
-  const env = { ...process.env };
-  for (const k of Object.keys(env)) {
-    if (k.startsWith("DOTENV_PRIVATE_KEY") || k.startsWith("DOTENV_PUBLIC_KEY")) {
-      delete env[k];
-    }
-  }
-
-  try {
-    const output = execSync("npx @dotenvx/dotenvx encrypt", {
-      cwd,
-      env,
-      stdio: ["inherit", "pipe", "pipe"],
-    }).toString();
-    if (output) process.stdout.write(output);
-  } catch (err) {
-    const stderr = err.stderr?.toString() ?? "";
-    const stdout = err.stdout?.toString() ?? "";
-    if (stdout) process.stdout.write(stdout);
-    throw new Error(`dotenvx encrypt failed: ${stderr || err}`);
-  }
-
-  // Always strip the banner dotenvx injects on every encrypt call.
-  cleanDotenvComments(cwd);
-}
-
-/**
- * Reads the private key out of .env.keys after encryption.
- * @param {string} cwd
- * @returns {string}
- */
-export function readPrivateKey(cwd) {
-  const keysPath = join(cwd, ".env.keys");
-  if (!existsSync(keysPath)) {
-    throw new Error(
-      ".env.keys not found after encryption.\n" +
-      "  Your .env may already be encrypted — restore plaintext values and run: suron init"
-    );
-  }
-  const content = readFileSync(keysPath, "utf-8");
-  const match = content.match(/DOTENV_PRIVATE_KEY(?:_\w+)?="?([^"\n]+)"?/);
-  if (!match?.[1]) {
-    throw new Error("Could not parse DOTENV_PRIVATE_KEY from .env.keys");
-  }
-  return match[1].trim();
-}