@suronai/cli 2.0.1 → 2.0.2

package/package.json

@@ -1,11 +1,11 @@
 {
   "name": "@suronai/cli",
-  "version": "2.0.1",
+  "version": "2.0.2",
   "description": "SURON CLI — manage secrets, push .env files, scaffold Node.js projects with Telegram approval",
   "main": "cli.js",
   "type": "module",
   "bin": {
-    "suron": "./cli.js"
+    "suron": "suron"
   },
   "engines": {
     "node": ">=18.0.0"
@@ -36,6 +36,7 @@
     "url": "https://github.com/your-org/suron/issues"
   },
   "files": [
+    "suron",
     "cli.js",
     "README.md",
     "LICENSE"

package/suron

@@ -0,0 +1,751 @@
+#!/usr/bin/env node
+/**
+ * SURON CLI v2
+ *
+ * suron help                          Full command reference
+ * suron init                          Interactive setup wizard
+ * suron login                         Browser-based auth
+ * suron logout                        Remove credentials
+ * suron whoami                        Show auth status
+ * suron new <dir>                      Scaffold a new Node.js project with SURON
+ * suron push --app <n> [--env .env]   Push .env to SURON
+ * suron apps                          List all apps
+ * suron apps create --name <n>        Register app, get token
+ * suron secrets [list] --app <n>      List secrets (key + masked preview)
+ * suron secrets reveal --app <n>      Show key=value table (cleartext)
+ * suron secrets set --app <n> -k K   Set a secret (prompted securely)
+ * suron secrets delete --app <n> -k K Delete a secret
+ * suron requests                      List pending approval requests
+ * suron approve --id <id>             Approve a request
+ * suron deny --id <id>                Deny a request
+ */
+
+import { ConvexHttpClient } from "convex/browser";
+import {
+  readFileSync, writeFileSync, existsSync,
+  mkdirSync, readdirSync
+} from "fs";
+import { resolve, join, basename } from "path";
+import { homedir } from "os";
+import { createInterface } from "readline";
+import { parse } from "dotenv";
+import { exec } from "child_process";
+
+// ── Terminal colors ───────────────────────────────────────────────────────────
+const c = {
+  orange: s => `\x1b[38;5;208m${s}\x1b[0m`,
+  green:  s => `\x1b[32m${s}\x1b[0m`,
+  red:    s => `\x1b[31m${s}\x1b[0m`,
+  gray:   s => `\x1b[90m${s}\x1b[0m`,
+  bold:   s => `\x1b[1m${s}\x1b[0m`,
+  cyan:   s => `\x1b[36m${s}\x1b[0m`,
+  dim:    s => `\x1b[2m${s}\x1b[0m`,
+  yellow: s => `\x1b[33m${s}\x1b[0m`,
+  white:  s => `\x1b[97m${s}\x1b[0m`,
+};
+
+// ── Logo ──────────────────────────────────────────────────────────────────────
+const logo = `
+  ${c.orange("▄▀  █ █ █▀▄ █▀█ █▄ █")}
+  ${c.orange("▀▄█ ▀▄█ █▀▄ █▄█ █ ▀█")}  ${c.gray("secrets manager · v2")}
+`;
+
+// ── Config ────────────────────────────────────────────────────────────────────
+const CONFIG_DIR  = join(homedir(), ".suron");
+const CONFIG_FILE = join(CONFIG_DIR, "config");
+
+function loadConfig() {
+  if (!existsSync(CONFIG_FILE)) return {};
+  try {
+    return Object.fromEntries(
+      readFileSync(CONFIG_FILE, "utf8")
+        .split("\n").filter(Boolean)
+        .map(l => { const i = l.indexOf("="); return [l.slice(0,i).trim(), l.slice(i+1).trim()]; })
+    );
+  } catch { return {}; }
+}
+function saveConfig(obj) {
+  if (!existsSync(CONFIG_DIR)) mkdirSync(CONFIG_DIR, { recursive: true });
+  writeFileSync(CONFIG_FILE, Object.entries(obj).map(([k,v]) => `${k}=${v}`).join("\n"), "utf8");
+}
+function getConfig() {
+  const f = loadConfig();
+  return { url: process.env.SURON_URL ?? f.SURON_URL, token: process.env.SURON_TOKEN ?? f.SURON_TOKEN };
+}
+function requireConfig() {
+  const cfg = getConfig();
+  if (!cfg.url) {
+    console.error(c.red("✗ SURON_URL not set — run: suron init"));
+    process.exit(1);
+  }
+  return cfg;
+}
+function getClient() {
+  const { url } = requireConfig();
+  return new ConvexHttpClient(url);
+}
+
+// ── Prompt helpers ────────────────────────────────────────────────────────────
+function prompt(q) {
+  return new Promise(res => {
+    const rl = createInterface({ input: process.stdin, output: process.stdout });
+    rl.question(q, a => { rl.close(); res(a.trim()); });
+  });
+}
+function promptSecret(q) {
+  return new Promise(res => {
+    process.stdout.write(q);
+    const restore = () => { try { process.stdin.setRawMode(false); } catch {} };
+    try { process.stdin.setRawMode(true); } catch {}
+    process.stdin.resume(); process.stdin.setEncoding("utf8");
+    let val = "";
+    process.stdin.on("data", function handler(ch) {
+      if (ch === "\r" || ch === "\n") {
+        restore(); process.stdin.pause(); process.stdin.removeListener("data", handler);
+        process.stdout.write("\n"); res(val);
+      } else if (ch === "\u0003") { restore(); process.exit(); }
+      else if (ch === "\u007f") { if (val.length) { val = val.slice(0,-1); process.stdout.write("\b \b"); } }
+      else { val += ch; process.stdout.write("*"); }
+    });
+  });
+}
+
+// ── Version ───────────────────────────────────────────────────────────────────
+const VERSION = "2.0.0";
+
+// ── Arg helpers ───────────────────────────────────────────────────────────────
+const arg    = i => process.argv[i + 2];
+const flag   = n => { const i = process.argv.findIndex(a => a === `--${n}` || a === `-${n[0]}`); return i !== -1 ? process.argv[i+1] : undefined; };
+const hasFlag = n => process.argv.includes(`--${n}`) || process.argv.includes(`-${n[0]}`);
+
+// ── Table printer ─────────────────────────────────────────────────────────────
+function printTable(rows, cols, opts = {}) {
+  if (!rows.length) { console.log(c.gray("  (empty)")); return; }
+  // strip ANSI for width calculation
+  const strip = s => String(s ?? "").replace(/\x1b\[[0-9;]*m/g, "");
+  const widths = cols.map(col =>
+    Math.max(col.label?.length ?? col.length, ...rows.map(r => strip(r[col.key ?? col] ?? "").length))
+  );
+  const labels = cols.map((col, i) => (col.label ?? col).toUpperCase().padEnd(widths[i]));
+  console.log(c.gray("  " + labels.join("  ")));
+  console.log(c.gray("  " + widths.map(w => "─".repeat(w)).join("  ")));
+  rows.forEach(row => {
+    const cells = cols.map((col, i) => {
+      const key = col.key ?? col;
+      const val = String(row[key] ?? "");
+      const raw = strip(val);
+      return val + " ".repeat(Math.max(0, widths[i] - raw.length));
+    });
+    console.log("  " + cells.join("  "));
+  });
+  if (opts.footer) console.log(c.gray("\n  " + opts.footer));
+}
+
+// ── Browser opener ─────────────────────────────────────────────────────────────
+function openBrowser(url) {
+  const cmd = process.platform === "win32" ? `start "" "${url}"`
+            : process.platform === "darwin" ? `open "${url}"`
+            : `xdg-open "${url}"`;
+  exec(cmd, () => {});
+}
+
+// ── HELP ──────────────────────────────────────────────────────────────────────
+function printHelp() {
+  console.log(logo);
+  const sections = [
+    { heading: "Setup", cmds: [
+      ["suron init",                "",                               "Interactive setup wizard — saves ~/.suron/config"],
+      ["suron login",               "",                               "Authenticate CLI via browser (opens dashboard)"],
+      ["suron logout",              "",                               "Remove saved credentials"],
+      ["suron whoami",              "",                               "Show current auth status"],
+    ]},
+    { heading: "Scaffold", cmds: [
+      ["suron new <directory>",     "",                               "Scaffold a new Node.js project with SURON pre-wired"],
+    ]},
+    { heading: "Apps", cmds: [
+      ["suron apps",                "",                               "List all registered apps"],
+      ["suron apps create",         "--name <n>",                     "Register a new app and get its token"],
+    ]},
+    { heading: "Secrets", cmds: [
+      ["suron secrets",             "--app <n>",                      "List secrets (key + masked preview, no values)"],
+      ["suron secrets reveal",      "--app <n>",                      "Show full key=value table in terminal"],
+      ["suron secrets set",         "--app <n> --key K",              "Set a secret (prompted securely, no shell history)"],
+      ["suron secrets delete",      "--app <n> --key K",              "Delete a secret"],
+      ["suron push",                "--app <n> [--env .env]",         "Bulk-push .env file (skips SURON_* vars)"],
+    ]},
+    { heading: "Requests", cmds: [
+      ["suron requests",            "",                               "List pending access-approval requests"],
+      ["suron approve",             "--id <id>",                      "Approve a request"],
+      ["suron deny",                "--id <id>",                      "Deny a request"],
+    ]},
+    { heading: "Info", cmds: [
+      ["suron version",             "",                               "Show CLI version"],
+      ["suron help",                "",                               "Show this help message"],
+    ]},
+  ];
+
+  for (const { heading, cmds } of sections) {
+    console.log(`  ${c.gray("── " + heading)}`);
+    for (const [cmd, opts, desc] of cmds) {
+      const cmdPad = (c.orange(cmd) + " " + c.dim(opts)).padEnd(70);
+      console.log(`    ${cmdPad} ${c.gray(desc)}`);
+    }
+    console.log();
+  }
+
+  const cfg = getConfig();
+  console.log(`  ${c.gray("Config:")} ${cfg.url ? c.cyan(cfg.url) : c.red("not set — run: suron init")}`);
+  console.log(`  ${c.gray("Version:")} ${c.gray(VERSION)}`);
+  console.log(`  ${c.gray("Docs:  ")} ${c.cyan("https://github.com/your-org/suron")}\n`);
+}
+
+// ── INIT ──────────────────────────────────────────────────────────────────────
+async function cmdInit() {
+  console.log(logo);
+  console.log(`${c.bold("Setup Wizard")} — saves config to ${c.cyan(CONFIG_FILE)}\n`);
+  const ex = loadConfig();
+
+  const url     = await prompt(`Convex URL       ${ex.SURON_URL           ? c.gray("("+ex.SURON_URL+")") : c.gray("e.g. https://xxx.convex.cloud")}: `);
+  const dashUrl = await prompt(`Dashboard URL    ${ex.SURON_DASHBOARD_URL ? c.gray("("+ex.SURON_DASHBOARD_URL+")") : c.gray("e.g. https://suron.vercel.app")}: `);
+
+  const cfg = {
+    ...ex,
+    ...(url     ? { SURON_URL:           url     } : {}),
+    ...(dashUrl ? { SURON_DASHBOARD_URL: dashUrl } : {}),
+  };
+  saveConfig(cfg);
+  console.log(c.green(`\n✓ Config saved`));
+  console.log(c.gray(`  SURON_URL           = ${cfg.SURON_URL}`));
+  if (cfg.SURON_DASHBOARD_URL) console.log(c.gray(`  SURON_DASHBOARD_URL = ${cfg.SURON_DASHBOARD_URL}`));
+  console.log(`\n${c.dim("  Next: suron login   or   suron apps create --name my-app")}\n`);
+}
+
+// ── LOGIN ─────────────────────────────────────────────────────────────────────
+async function cmdLogin() {
+  const { url } = requireConfig();
+  const client = getClient();
+  console.log(logo);
+  console.log(`${c.bold("CLI Authentication")}\n`);
+
+  let sessionId, code;
+  try {
+    const r = await client.mutation("auth:createCliSession", {});
+    sessionId = r.sessionId; code = r.code;
+  } catch(e) { console.error(c.red(`✗ ${e.message}`)); process.exit(1); }
+
+  const dashUrl = process.env.SURON_DASHBOARD_URL ?? loadConfig().SURON_DASHBOARD_URL;
+  if (!dashUrl) {
+    console.error(c.red("✗ SURON_DASHBOARD_URL not set — run: suron init"));
+    process.exit(1);
+  }
+
+  const approvalUrl = `${dashUrl}/cli-auth?code=${code}`;
+  console.log(`  ${c.bold("Login code")}:  ${c.orange(c.bold(code))}\n`);
+  console.log(`  ${c.gray("Approval URL")}: ${c.cyan(approvalUrl)}\n`);
+  console.log(c.dim("  Press Enter to open in browser…"));
+  await prompt("");
+  openBrowser(approvalUrl);
+  console.log(c.gray("\n  Waiting for dashboard approval…  (Ctrl+C to cancel)\n"));
+
+  const deadline = Date.now() + 10 * 60 * 1000;
+  let dots = 0;
+  while (Date.now() < deadline) {
+    await new Promise(r => setTimeout(r, 1500));
+    let result;
+    try { result = await client.query("auth:pollCliSession", { sessionId }); } catch { continue; }
+    dots = (dots + 1) % 4;
+    process.stdout.write(`\r  ${c.gray("Waiting" + ".".repeat(dots).padEnd(3))}`);
+    if (result.status === "approved" && result.adminToken) {
+      process.stdout.write("\n");
+      const cfg = loadConfig();
+      cfg.SURON_ADMIN_TOKEN = result.adminToken;
+      saveConfig(cfg);
+      console.log(`\n${c.green("✓ Authenticated!")} Token saved to ${c.cyan(CONFIG_FILE)}\n`);
+      process.exit(0);
+    }
+    if (result.status === "denied") {
+      console.log("\n" + c.red("✗ Denied by dashboard.")); process.exit(1);
+    }
+    if (["expired","not_found"].includes(result.status)) {
+      console.log("\n" + c.red("✗ Session expired. Run: suron login")); process.exit(1);
+    }
+  }
+  console.log("\n" + c.red("✗ Timed out.")); process.exit(1);
+}
+
+// ── WHOAMI ────────────────────────────────────────────────────────────────────
+async function cmdWhoami() {
+  const cfg = loadConfig();
+  console.log(logo);
+  if (cfg.SURON_ADMIN_TOKEN) {
+    console.log(c.green("✓ Authenticated"));
+    console.log(`  ${c.gray("Token:")}     ${c.cyan("cli_..."+cfg.SURON_ADMIN_TOKEN.slice(-8))}`);
+    console.log(`  ${c.gray("Server:")}    ${cfg.SURON_URL ?? c.red("not set")}`);
+    if (cfg.SURON_DASHBOARD_URL) console.log(`  ${c.gray("Dashboard:")} ${cfg.SURON_DASHBOARD_URL}`);
+  } else {
+    console.log(c.red("✗ Not authenticated"));
+    console.log(`  ${c.gray("Run: suron login")}`);
+  }
+}
+
+// ── LOGOUT ────────────────────────────────────────────────────────────────────
+function cmdLogout() {
+  const cfg = loadConfig();
+  if (!cfg.SURON_ADMIN_TOKEN) { console.log(c.gray("Not logged in.")); return; }
+  delete cfg.SURON_ADMIN_TOKEN;
+  saveConfig(cfg);
+  console.log(c.green("✓ Logged out"));
+}
+
+// ── APPS ──────────────────────────────────────────────────────────────────────
+async function cmdApps() {
+  const sub = arg(1);
+  const client = getClient();
+
+  if (sub === "create") {
+    const name = flag("name") ?? flag("n");
+    if (!name) { console.error(c.red("✗ --name required")); process.exit(1); }
+    const { token } = await client.mutation("apps:createApp", {
+      name, displayName: flag("display") ?? name, ownerId: flag("owner") ?? "admin"
+    });
+    console.log(logo);
+    console.log(c.green(`✓ App '${name}' created\n`));
+    console.log(`  ${c.bold("Token:")} ${c.orange(token)}\n`);
+    console.log(c.gray("  Add to your project .env:"));
+    console.log(c.cyan(`  SURON_URL=${requireConfig().url}`));
+    console.log(c.cyan(`  SURON_TOKEN=${token}\n`));
+    console.log(c.dim("  This token is not shown again in the dashboard."));
+    return;
+  }
+
+  const apps = await client.query("apps:listApps");
+  console.log(logo); console.log(`${c.bold("Apps")}\n`);
+  if (!apps.length) { console.log(c.gray("  No apps. Run: suron apps create --name my-app\n")); return; }
+  printTable(
+    apps.map(a => ({
+      name:   c.white(a.name),
+      status: a.isActive ? c.green("● active") : c.gray("○ offline"),
+      host:   c.gray(a.hostname ?? "—"),
+      pid:    c.gray(String(a.pid ?? "—")),
+      seen:   c.gray(a.lastSeen ? new Date(a.lastSeen).toLocaleTimeString() : "never"),
+    })),
+    ["name","status","host","pid","seen"]
+  );
+  console.log();
+}
+
+// ── PUSH ──────────────────────────────────────────────────────────────────────
+async function cmdPush() {
+  const envFile = flag("env") ?? flag("f") ?? ".env";
+  const appName = flag("app") ?? flag("a");
+  if (!appName) { console.error(c.red("✗ --app required")); process.exit(1); }
+  const envPath = resolve(process.cwd(), envFile);
+  if (!existsSync(envPath)) { console.error(c.red(`✗ Not found: ${envPath}`)); process.exit(1); }
+  const parsed = parse(readFileSync(envPath, "utf8"));
+  const SKIP = new Set(["SURON_URL","SURON_TOKEN"]);
+  const entries = Object.entries(parsed).filter(([k]) => !SKIP.has(k));
+  console.log(logo);
+  console.log(`${c.bold("Push")} ${c.orange(envFile)} → ${c.bold(appName)}`);
+  console.log(c.gray(`  ${entries.length} secrets to push\n`));
+  const client = getClient();
+  let ok = 0;
+  for (const [key, value] of entries) {
+    try {
+      await client.mutation("secrets:upsertSecret", { appName, key, value });
+      console.log(`  ${c.green("✓")} ${c.white(key)}`);
+      ok++;
+    } catch(e) { console.log(`  ${c.red("✗")} ${key}: ${c.gray(e.message)}`); }
+  }
+  console.log(`\n${c.green(`✓ ${ok}/${entries.length} secrets pushed to '${appName}'`)}\n`);
+}
+
+// ── SECRETS ───────────────────────────────────────────────────────────────────
+async function cmdSecrets() {
+  const sub     = arg(1);
+  const appName = flag("app") ?? flag("a");
+  if (!appName) { console.error(c.red("✗ --app required  (--app my-app)")); process.exit(1); }
+  const client  = getClient();
+
+  // ── LIST (masked)
+  if (!sub || sub === "list") {
+    const secrets = await client.query("secrets:listSecrets", { appName });
+    console.log(logo);
+    console.log(`${c.bold("Secrets")} · ${c.orange(appName)}\n`);
+    if (!secrets.length) {
+      console.log(c.gray(`  No secrets. Run: suron secrets set --app ${appName} --key KEY\n`));
+      return;
+    }
+    printTable(
+      secrets.map(s => ({
+        key:     c.white(s.key),
+        value:   c.gray("••••••••"),
+        updated: c.gray(new Date(s.updatedAt).toLocaleString()),
+      })),
+      ["key","value","updated"],
+      { footer: `To reveal values: suron secrets reveal --app ${appName}` }
+    );
+    console.log();
+    return;
+  }
+
+  // ── REVEAL (cleartext table — for debugging)
+  if (sub === "reveal") {
+    const secrets = await client.query("secrets:listSecrets", { appName });
+    console.log(logo);
+    console.log(`${c.yellow("⚠  CLEARTEXT")} · ${c.orange(appName)}\n`);
+    if (!secrets.length) { console.log(c.gray("  No secrets.\n")); return; }
+    // Box-style output — easier for AI to parse
+    console.log(c.gray("  ┌─ ENV TABLE " + "─".repeat(Math.max(0, 60 - 12)) + "┐"));
+    secrets.forEach(s => {
+      const val = s.value ?? "(encrypted)";
+      const line = `  ${c.orange(s.key.padEnd(28))}= ${c.cyan(val)}`;
+      console.log(line);
+    });
+    console.log(c.gray("  └" + "─".repeat(62) + "┘"));
+    console.log(c.gray(`\n  ${secrets.length} secrets · ${appName}\n`));
+    return;
+  }
+
+  // ── SET
+  if (sub === "set") {
+    const key = flag("key") ?? flag("k");
+    if (!key) { console.error(c.red("✗ --key required")); process.exit(1); }
+    const value = await promptSecret(`Value for ${c.orange(key)}: `);
+    if (!value) { console.error(c.red("✗ Empty value — aborted")); process.exit(1); }
+    await client.mutation("secrets:upsertSecret", { appName, key, value });
+    console.log(c.green(`✓ '${key}' saved for '${appName}'`));
+    return;
+  }
+
+  // ── DELETE
+  if (sub === "delete") {
+    const key = flag("key") ?? flag("k");
+    if (!key) { console.error(c.red("✗ --key required")); process.exit(1); }
+    const confirm = await prompt(`Delete '${key}' from '${appName}'? ${c.gray("[y/N]")} `);
+    if (confirm.toLowerCase() !== "y") { console.log(c.gray("Aborted.")); return; }
+    await client.mutation("secrets:deleteSecret", { appName, key });
+    console.log(c.green(`✓ Deleted '${key}' from '${appName}'`));
+    return;
+  }
+
+  console.error(c.red(`✗ Unknown subcommand: ${sub}`));
+  console.log(c.gray("  Usage: suron secrets [list|reveal|set|delete] --app <name>"));
+}
+
+// ── REQUESTS ──────────────────────────────────────────────────────────────────
+async function cmdRequests() {
+  const client = getClient();
+  const reqs   = await client.query("secrets:listPendingRequests");
+  console.log(logo); console.log(`${c.bold("Pending Requests")}\n`);
+  if (!reqs.length) { console.log(c.green("  ✓ No pending requests\n")); return; }
+  printTable(
+    reqs.map(r => ({
+      id:        c.gray(r._id),
+      app:       c.white(r.appName),
+      key:       c.orange(r.secretKey),
+      requested: c.gray(new Date(r.requestedAt).toLocaleString()),
+    })),
+    ["id","app","key","requested"],
+    { footer: "suron approve --id <id>   or   suron deny --id <id>" }
+  );
+  console.log();
+}
+
+// ── APPROVE / DENY ────────────────────────────────────────────────────────────
+async function cmdResolve(deny = false) {
+  const id = flag("id");
+  if (!id) { console.error(c.red("✗ --id required")); process.exit(1); }
+  const client = getClient();
+  await client.mutation("secrets:resolveRequest", {
+    requestId: id, status: deny ? "denied" : "approved", resolvedBy: "cli"
+  });
+  console.log(deny ? c.red(`✗ Denied  ${id}`) : c.green(`✓ Approved ${id}`));
+}
+
+// ── SURON NEW — scaffold a complete Node.js project ───────────────────────────
+async function cmdNew() {
+  const dirName = arg(1);
+  if (!dirName) {
+    console.error(c.red("✗ Directory name required  (e.g. suron new my-project)"));
+    process.exit(1);
+  }
+
+  const projectDir = resolve(process.cwd(), dirName);
+  const projectName = basename(projectDir);
+
+  console.log(logo);
+  console.log(`${c.bold("Scaffold")} → ${c.orange(projectDir)}\n`);
+
+  if (existsSync(projectDir)) {
+    const ans = await prompt(c.yellow(`  '${dirName}' already exists. Continue? [y/N] `));
+    if (ans.toLowerCase() !== "y") { console.log(c.gray("  Aborted.")); return; }
+  } else {
+    mkdirSync(projectDir, { recursive: true });
+  }
+
+  // Prompt for app name
+  const appName = await prompt(`  App name in SURON ${c.gray(`(${projectName})`)}: `) || projectName;
+
+  const cfg = loadConfig();
+  const suronUrl   = cfg.SURON_URL   ?? "https://your-deployment.convex.cloud";
+  const suronDash  = cfg.SURON_DASHBOARD_URL ?? "https://your-dashboard.vercel.app";
+
+  // ── Files to create ───────────────────────────────────────────────────────
+  const files = {
+
+    // package.json
+    "package.json": JSON.stringify({
+      name: projectName,
+      version: "1.0.0",
+      type: "module",
+      description: "Node.js app powered by SURON secrets manager",
+      main: "src/index.js",
+      scripts: {
+        start:   "node src/index.js",
+        dev:     "node --watch src/index.js",
+        "secrets:list":   `suron secrets --app ${appName}`,
+        "secrets:reveal": `suron secrets reveal --app ${appName}`,
+        "secrets:push":   `suron push --app ${appName} --env .env.secrets`,
+      },
+      dependencies: {
+        "@suronai/sdk":  "^2.0.0",
+        "dotenv":      "^16.0.0",
+      },
+      engines: { node: ">=18.0.0" },
+      author: "",
+      license: "MIT",
+    }, null, 2),
+
+    // src/index.js — the entry point
+    "src/index.js": `/**
+ * ${projectName}
+ *
+ * Entry point — SURON handles all secrets.
+ * Run: npm start
+ * For dev (auto-restart): npm run dev
+ */
+
+import "dotenv/config";              // loads SURON_URL + SURON_TOKEN
+import { SURON } from "@suronai/sdk";
+
+// ── Bootstrap ─────────────────────────────────────────────────────────────────
+const env = await SURON.connect();
+
+// ── Load secrets (triggers Telegram approval on first run) ─────────────────────
+// Add your own keys here:
+const secrets = await env.getAll([
+  "EXAMPLE_API_KEY",
+  // "DATABASE_URL",
+  // "OPENAI_API_KEY",
+]);
+
+// ── Your app code starts here ──────────────────────────────────────────────────
+console.log("✓ Secrets loaded:", Object.keys(secrets).join(", "));
+console.log("  Example key:", secrets.EXAMPLE_API_KEY);
+
+// TODO: replace with your actual app logic
+`,
+
+    // .env — SURON credentials only
+    ".env": `# SURON connection — the ONLY vars needed here.
+# Your actual secrets (API keys, DB URLs) live on the SURON server.
+SURON_URL=${suronUrl}
+SURON_TOKEN=sk_YOUR_APP_TOKEN_HERE
+`,
+
+    // .env.example — safe to commit
+    ".env.example": `# SURON credentials — copy to .env and fill in your values.
+# Get your token: suron apps create --name ${appName}
+SURON_URL=${suronUrl}
+SURON_TOKEN=sk_...
+`,
+
+    // .env.secrets — for first-time push, then delete this file
+    ".env.secrets": `# Put your ACTUAL secrets here for the initial push.
+# Run: npm run secrets:push
+# Then DELETE this file — it is NOT committed.
+EXAMPLE_API_KEY=replace_me_with_your_api_key
+# DATABASE_URL=postgres://...
+# OPENAI_API_KEY=sk-...
+`,
+
+    // .gitignore
+    ".gitignore": `.env
+.env.secrets
+node_modules/
+dist/
+*.log
+.DS_Store
+`,
+
+    // README.md
+    "README.md": `# ${projectName}
+
+Node.js application using [SURON](${suronDash}) for secrets management.
+
+## Quick Start
+
+\`\`\`bash
+# 1. Install dependencies
+npm install
+
+# 2. Set your SURON token in .env
+#    Get one: suron apps create --name ${appName}
+nano .env
+
+# 3. Push initial secrets (edit .env.secrets first)
+npm run secrets:push
+
+# 4. Delete .env.secrets (never commit it)
+rm .env.secrets
+
+# 5. Run the app (will prompt Telegram approval on first secret access)
+npm start
+\`\`\`
+
+## Secrets Management
+
+\`\`\`bash
+# List secrets (masked)
+npm run secrets:list
+
+# Reveal secrets in terminal (for debugging)
+npm run secrets:reveal
+
+# Set a single secret
+suron secrets set --app ${appName} --key MY_KEY
+
+# Push entire .env file
+npm run secrets:push
+\`\`\`
+
+## How SURON Works
+
+1. App calls \`env.get('MY_KEY')\` at runtime
+2. SURON checks if already approved for this session → returns cached value
+3. If not → Telegram notification sent to owner
+4. Owner approves → secret returned and cached until app restarts
+
+See [llm.md](${suronDash}/llm.md) for AI integration guide.
+`,
+
+    // llm.md — AI integration hints specific to this project
+    "llm.md": `# AI Integration Notes — ${projectName}
+
+> This file is for AI assistants (Claude, Cursor, Copilot, etc.)
+> Read this before touching any secrets, .env files, or startup code.
+
+## Project Type
+Node.js ESM app using SURON for secrets management.
+
+## Key Rules
+
+1. **Never hardcode secrets** — they live on the SURON server.
+2. **Never use process.env.* for actual secrets** — use \`await env.get('KEY')\`.
+3. **SURON_URL and SURON_TOKEN** are the only vars in .env — they are not secrets.
+4. **.env.secrets** is for one-time push only — delete after use, never commit.
+
+## Adding a New Secret
+
+\`\`\`bash
+# Terminal — adds secret to SURON server
+suron secrets set --app ${appName} --key NEW_KEY
+
+# Then in code:
+const value = await env.get('NEW_KEY')
+\`\`\`
+
+## Revealing All Secrets (for debugging)
+
+\`\`\`bash
+suron secrets reveal --app ${appName}
+\`\`\`
+
+This shows a full key=value table for inspection.
+
+## Startup Pattern
+
+Always follow this pattern at the top of entry files:
+
+\`\`\`javascript
+import "dotenv/config";              // loads SURON_URL + SURON_TOKEN
+import { SURON } from "@suronai/sdk";
+
+const env = await SURON.connect();  // connects and registers app
+
+// Bulk-load all secrets at startup (one Telegram prompt per key)
+const secrets = await env.getAll(["KEY_A", "KEY_B", "KEY_C"]);
+\`\`\`
+
+## App Info
+
+- **App name in SURON**: \`${appName}\`
+- **Dashboard**: ${suronDash}
+- **Convex URL**: ${suronUrl}
+`,
+  };
+
+  // ── Write files ────────────────────────────────────────────────────────────
+  mkdirSync(join(projectDir, "src"), { recursive: true });
+  let written = 0;
+  for (const [filePath, content] of Object.entries(files)) {
+    const full = join(projectDir, filePath);
+    const exists = existsSync(full);
+    writeFileSync(full, content, "utf8");
+    console.log(`  ${c.green("✓")} ${c.white(filePath)} ${exists ? c.gray("(overwritten)") : ""}`);
+    written++;
+  }
+
+  console.log(`\n${c.green(`✓ ${written} files created in '${dirName}'`)}\n`);
+
+  // ── Next steps ─────────────────────────────────────────────────────────────
+  const nextSteps = [
+    [`cd ${dirName}`,                                  "Enter project directory"],
+    ["npm install",                                    "Install dependencies"],
+    [`suron apps create --name ${appName}`,            "Register app in SURON, get token"],
+    ["nano .env",                                      "Set SURON_TOKEN from above"],
+    ["nano .env.secrets",                              "Add your actual secrets"],
+    ["npm run secrets:push",                           "Upload secrets to SURON"],
+    ["rm .env.secrets",                                "Delete secrets file (never commit it)"],
+    ["npm start",                                      "Run the app"],
+  ];
+  console.log(c.gray("  Next steps:"));
+  nextSteps.forEach(([cmd, desc], i) => {
+    console.log(`  ${c.gray(String(i+1)+".")} ${c.cyan(cmd.padEnd(42))} ${c.dim(desc)}`);
+  });
+  console.log();
+}
+
+// ── ROUTER ────────────────────────────────────────────────────────────────────
+const cmd = arg(0);
+
+// Handle --version / -v flag at any position
+if (process.argv.includes("--version") || process.argv.includes("-v")) {
+  console.log(`suron v${VERSION}`);
+  process.exit(0);
+}
+
+try {
+  switch (cmd) {
+    case "help":
+    case "--help":
+    case "-h":        printHelp();              break;
+    case "version":   console.log(`suron v${VERSION}`); break;
+    case "init":      await cmdInit();          break;
+    case "login":     await cmdLogin();         break;
+    case "logout":    cmdLogout();              break;
+    case "whoami":    await cmdWhoami();        break;
+    case "new":       await cmdNew();           break;
+    case "push":      await cmdPush();          break;
+    case "apps":      await cmdApps();          break;
+    case "secrets":   await cmdSecrets();       break;
+    case "requests":  await cmdRequests();      break;
+    case "approve":   await cmdResolve(false);  break;
+    case "deny":      await cmdResolve(true);   break;
+    default:          printHelp();
+  }
+} catch(err) {
+  console.error(c.red(`\n✗ ${err.message}`));
+  if (hasFlag("debug")) console.error(err.stack);
+  process.exit(1);
+}