npm - @suronai/cli - Versions diffs - 2.0.1 → 2.0.3 - Mend

@suronai/cli 2.0.1 → 2.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/cli.js CHANGED Viewed

@@ -46,8 +46,8 @@ const c = {
 // ── Logo ──────────────────────────────────────────────────────────────────────
 const logo = `
-  ${c.orange("▄▀  █ █ █▀▄ █▀█ █▄ █")}
-  ${c.orange("▀▄█ ▀▄█ █▀▄ █▄█ █ ▀█")}  ${c.gray("secrets manager · v2")}
+  ${c.orange("▄▀▀ █ █ █▀▄ █▀█ █▄ █")}
+  ${c.orange("▀▀▄ ▀▄█ █▀▄ █▄█ █ ▀█")}  ${c.gray("secrets manager · v2")}
 `;
 // ── Config ────────────────────────────────────────────────────────────────────
@@ -75,7 +75,7 @@ function getConfig() {
 function requireConfig() {
   const cfg = getConfig();
   if (!cfg.url) {
-    console.error(c.red("✗ SURON_URL not set — run: suron init"));
+    console.error(c.red("✗ SURON_URL not set — run: suron login"));
     process.exit(1);
   }
   return cfg;
@@ -154,10 +154,10 @@ function printHelp() {
   console.log(logo);
   const sections = [
     { heading: "Setup", cmds: [
-      ["suron init",                "",                               "Interactive setup wizard — saves ~/.suron/config"],
-      ["suron login",               "",                               "Authenticate CLI via browser (opens dashboard)"],
+      ["suron login",               "",                               "Authenticate CLI — asks for URLs + opens approval page in browser"],
       ["suron logout",              "",                               "Remove saved credentials"],
       ["suron whoami",              "",                               "Show current auth status"],
+      ["suron init",                "",                               "(legacy) — just runs: suron login"],
     ]},
     { heading: "Scaffold", cmds: [
       ["suron new <directory>",     "",                               "Scaffold a new Node.js project with SURON pre-wired"],
@@ -196,57 +196,65 @@ function printHelp() {
   const cfg = getConfig();
   console.log(`  ${c.gray("Config:")} ${cfg.url ? c.cyan(cfg.url) : c.red("not set — run: suron init")}`);
   console.log(`  ${c.gray("Version:")} ${c.gray(VERSION)}`);
-  console.log(`  ${c.gray("Docs:  ")} ${c.cyan("https://github.com/your-org/suron")}\n`);
+  console.log(`  ${c.gray("Docs:  ")} ${c.cyan("https://github.com/Cryptoistaken/Suron")}\n`);
 }
 // ── INIT ──────────────────────────────────────────────────────────────────────
 async function cmdInit() {
   console.log(logo);
-  console.log(`${c.bold("Setup Wizard")} — saves config to ${c.cyan(CONFIG_FILE)}\n`);
-  const ex = loadConfig();
-  const url     = await prompt(`Convex URL       ${ex.SURON_URL           ? c.gray("("+ex.SURON_URL+")") : c.gray("e.g. https://xxx.convex.cloud")}: `);
-  const dashUrl = await prompt(`Dashboard URL    ${ex.SURON_DASHBOARD_URL ? c.gray("("+ex.SURON_DASHBOARD_URL+")") : c.gray("e.g. https://suron.vercel.app")}: `);
-  const cfg = {
-    ...ex,
-    ...(url     ? { SURON_URL:           url     } : {}),
-    ...(dashUrl ? { SURON_DASHBOARD_URL: dashUrl } : {}),
-  };
-  saveConfig(cfg);
-  console.log(c.green(`\n✓ Config saved`));
-  console.log(c.gray(`  SURON_URL           = ${cfg.SURON_URL}`));
-  if (cfg.SURON_DASHBOARD_URL) console.log(c.gray(`  SURON_DASHBOARD_URL = ${cfg.SURON_DASHBOARD_URL}`));
-  console.log(`\n${c.dim("  Next: suron login   or   suron apps create --name my-app")}\n`);
+  console.log(`${c.bold("Setup Wizard")}\n`);
+  console.log(c.gray("  suron init is no longer needed for URL setup."));
+  console.log(c.gray("  Run ") + c.cyan("suron login") + c.gray(" — it will ask for your Convex URL and Dashboard URL automatically.\n"));
+  console.log(c.dim("  Or run: suron whoami   to check current status\n"));
 }
 // ── LOGIN ─────────────────────────────────────────────────────────────────────
 async function cmdLogin() {
-  const { url } = requireConfig();
-  const client = getClient();
   console.log(logo);
   console.log(`${c.bold("CLI Authentication")}\n`);
+  // ── Step 1: ensure Convex URL is set
+  let cfg = loadConfig();
+  let convexUrl = process.env.SURON_URL ?? cfg.SURON_URL;
+  if (!convexUrl) {
+    console.log(c.gray("  No Convex URL found. Let's set it up.\n"));
+    convexUrl = await prompt(`  Convex URL ${c.gray("(e.g. https://xxx.eu-west-1.convex.cloud)")}: `);
+    if (!convexUrl) { console.error(c.red("✗ Convex URL is required")); await new Promise(r => setTimeout(r, 50)); process.exit(1); }
+    cfg = { ...cfg, SURON_URL: convexUrl };
+    saveConfig(cfg);
+    console.log(c.green("  ✓ Convex URL saved\n"));
+  }
+  // ── Step 2: ensure Dashboard URL is set
+  let dashUrl = process.env.SURON_DASHBOARD_URL ?? cfg.SURON_DASHBOARD_URL;
+  if (!dashUrl) {
+    console.log(c.gray("  No Dashboard URL found. Where is your SURON dashboard deployed?\n"));
+    dashUrl = await prompt(`  Dashboard URL ${c.gray("(e.g. https://suron.vercel.app)")}: `);
+    if (!dashUrl) { console.error(c.red("✗ Dashboard URL is required")); await new Promise(r => setTimeout(r, 50)); process.exit(1); }
+    cfg = { ...cfg, SURON_DASHBOARD_URL: dashUrl };
+    saveConfig(cfg);
+    console.log(c.green("  ✓ Dashboard URL saved\n"));
+  }
+  // ── Step 3: create session and open browser
+  const client = new ConvexHttpClient(convexUrl);
   let sessionId, code;
   try {
     const r = await client.mutation("auth:createCliSession", {});
     sessionId = r.sessionId; code = r.code;
-  } catch(e) { console.error(c.red(`✗ ${e.message}`)); process.exit(1); }
+  } catch(e) { console.error(c.red(`✗ ${e.message}`)); await new Promise(r => setTimeout(r, 50)); process.exit(1); }
-  const dashUrl = process.env.SURON_DASHBOARD_URL ?? loadConfig().SURON_DASHBOARD_URL;
-  if (!dashUrl) {
-    console.error(c.red("✗ SURON_DASHBOARD_URL not set — run: suron init"));
-    process.exit(1);
-  }
+  const approvalUrl = `${dashUrl.replace(/\/$/, "")}/approve?code=${code}`;
-  const approvalUrl = `${dashUrl}/cli-auth?code=${code}`;
-  console.log(`  ${c.bold("Login code")}:  ${c.orange(c.bold(code))}\n`);
-  console.log(`  ${c.gray("Approval URL")}: ${c.cyan(approvalUrl)}\n`);
-  console.log(c.dim("  Press Enter to open in browser…"));
+  console.log(`  ${c.bold("Your code")}: ${c.orange(c.bold(code))}\n`);
+  console.log(`  ${c.gray("Opening approval page in browser…")}`);
+  console.log(`  ${c.dim(approvalUrl)}\n`);
+  console.log(c.dim("  Press Enter to open in browser, or visit the URL above manually."));
   await prompt("");
   openBrowser(approvalUrl);
-  console.log(c.gray("\n  Waiting for dashboard approval…  (Ctrl+C to cancel)\n"));
+  console.log(c.gray("\n  Waiting for approval…  (Ctrl+C to cancel)\n"));
+  // ── Step 4: poll
   const deadline = Date.now() + 10 * 60 * 1000;
   let dots = 0;
   while (Date.now() < deadline) {
@@ -257,20 +265,23 @@ async function cmdLogin() {
     process.stdout.write(`\r  ${c.gray("Waiting" + ".".repeat(dots).padEnd(3))}`);
     if (result.status === "approved" && result.adminToken) {
       process.stdout.write("\n");
-      const cfg = loadConfig();
       cfg.SURON_ADMIN_TOKEN = result.adminToken;
       saveConfig(cfg);
       console.log(`\n${c.green("✓ Authenticated!")} Token saved to ${c.cyan(CONFIG_FILE)}\n`);
+      await new Promise(r => setTimeout(r, 50));
       process.exit(0);
     }
     if (result.status === "denied") {
-      console.log("\n" + c.red("✗ Denied by dashboard.")); process.exit(1);
+      process.stdout.write("\n"); console.log(c.red("✗ Denied."));
+      await new Promise(r => setTimeout(r, 50)); process.exit(1);
     }
     if (["expired","not_found"].includes(result.status)) {
-      console.log("\n" + c.red("✗ Session expired. Run: suron login")); process.exit(1);
+      process.stdout.write("\n"); console.log(c.red("✗ Session expired. Run: suron login"));
+      await new Promise(r => setTimeout(r, 50)); process.exit(1);
     }
   }
-  console.log("\n" + c.red("✗ Timed out.")); process.exit(1);
+  process.stdout.write("\n"); console.log(c.red("✗ Timed out."));
+  await new Promise(r => setTimeout(r, 50)); process.exit(1);
 }
 // ── WHOAMI ────────────────────────────────────────────────────────────────────
@@ -731,7 +742,7 @@ try {
     case "--help":
     case "-h":        printHelp();              break;
     case "version":   console.log(`suron v${VERSION}`); break;
-    case "init":      await cmdInit();          break;
+    case "init":      await cmdLogin();          break;  // init now just runs login
     case "login":     await cmdLogin();         break;
     case "logout":    cmdLogout();              break;
     case "whoami":    await cmdWhoami();        break;

package/package.json CHANGED Viewed

@@ -1,11 +1,11 @@
 {
   "name": "@suronai/cli",
-  "version": "2.0.1",
+  "version": "2.0.3",
   "description": "SURON CLI — manage secrets, push .env files, scaffold Node.js projects with Telegram approval",
   "main": "cli.js",
   "type": "module",
   "bin": {
-    "suron": "./cli.js"
+    "suron": "suron"
   },
   "engines": {
     "node": ">=18.0.0"
@@ -26,16 +26,17 @@
   ],
   "license": "MIT",
   "author": "SuronAI",
-  "homepage": "https://github.com/your-org/suron",
+  "homepage": "https://github.com/Cryptoistaken/Suron",
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/your-org/suron.git",
+    "url": "git+https://github.com/Cryptoistaken/Suron.git",
     "directory": "SDK/CLI"
   },
   "bugs": {
-    "url": "https://github.com/your-org/suron/issues"
+    "url": "https://github.com/Cryptoistaken/Suron/issues"
   },
   "files": [
+    "suron",
     "cli.js",
     "README.md",
     "LICENSE"

package/suron ADDED Viewed

@@ -0,0 +1,776 @@
+#!/usr/bin/env node
+/**
+ * SURON CLI v2
+ *
+ * suron help                          Full command reference
+ * suron init                          Interactive setup wizard
+ * suron login                         Browser-based auth
+ * suron logout                        Remove credentials
+ * suron whoami                        Show auth status
+ * suron new <dir>                      Scaffold a new Node.js project with SURON
+ * suron push --app <n> [--env .env]   Push .env to SURON
+ * suron apps                          List all apps
+ * suron apps create --name <n>        Register app, get token
+ * suron secrets [list] --app <n>      List secrets (key + masked preview)
+ * suron secrets reveal --app <n>      Show key=value table (cleartext)
+ * suron secrets set --app <n> -k K   Set a secret (prompted securely)
+ * suron secrets delete --app <n> -k K Delete a secret
+ * suron requests                      List pending approval requests
+ * suron approve --id <id>             Approve a request
+ * suron deny --id <id>                Deny a request
+ */
+import { ConvexHttpClient } from "convex/browser";
+import {
+  readFileSync, writeFileSync, existsSync,
+  mkdirSync, readdirSync
+} from "fs";
+import { resolve, join, basename } from "path";
+import { homedir } from "os";
+import { createInterface } from "readline";
+import { parse } from "dotenv";
+import { exec } from "child_process";
+// ── Terminal colors ───────────────────────────────────────────────────────────
+const c = {
+  orange: s => `\x1b[38;5;208m${s}\x1b[0m`,
+  green:  s => `\x1b[32m${s}\x1b[0m`,
+  red:    s => `\x1b[31m${s}\x1b[0m`,
+  gray:   s => `\x1b[90m${s}\x1b[0m`,
+  bold:   s => `\x1b[1m${s}\x1b[0m`,
+  cyan:   s => `\x1b[36m${s}\x1b[0m`,
+  dim:    s => `\x1b[2m${s}\x1b[0m`,
+  yellow: s => `\x1b[33m${s}\x1b[0m`,
+  white:  s => `\x1b[97m${s}\x1b[0m`,
+};
+// ── Logo ──────────────────────────────────────────────────────────────────────
+const logo = `
+  ${c.orange("▄▀  █ █ █▀▄ █▀█ █▄ █")}
+  ${c.orange("▀▄█ ▀▄█ █▀▄ █▄█ █ ▀█")}  ${c.gray("secrets manager · v2")}
+`;
+// ── Config ────────────────────────────────────────────────────────────────────
+const CONFIG_DIR  = join(homedir(), ".suron");
+const CONFIG_FILE = join(CONFIG_DIR, "config");
+function loadConfig() {
+  if (!existsSync(CONFIG_FILE)) return {};
+  try {
+    return Object.fromEntries(
+      readFileSync(CONFIG_FILE, "utf8")
+        .split("\n").filter(Boolean)
+        .map(l => { const i = l.indexOf("="); return [l.slice(0,i).trim(), l.slice(i+1).trim()]; })
+    );
+  } catch { return {}; }
+}
+function saveConfig(obj) {
+  if (!existsSync(CONFIG_DIR)) mkdirSync(CONFIG_DIR, { recursive: true });
+  writeFileSync(CONFIG_FILE, Object.entries(obj).map(([k,v]) => `${k}=${v}`).join("\n"), "utf8");
+}
+function getConfig() {
+  const f = loadConfig();
+  return { url: process.env.SURON_URL ?? f.SURON_URL, token: process.env.SURON_TOKEN ?? f.SURON_TOKEN };
+}
+function requireConfig() {
+  const cfg = getConfig();
+  if (!cfg.url) {
+    console.error(c.red("✗ SURON_URL not set — run: suron init"));
+    process.exit(1);
+  }
+  return cfg;
+}
+function getClient() {
+  const { url } = requireConfig();
+  return new ConvexHttpClient(url);
+}
+// ── Prompt helpers ────────────────────────────────────────────────────────────
+function prompt(q) {
+  return new Promise(res => {
+    const rl = createInterface({ input: process.stdin, output: process.stdout });
+    rl.question(q, a => { rl.close(); res(a.trim()); });
+  });
+}
+function promptSecret(q) {
+  return new Promise(res => {
+    process.stdout.write(q);
+    const restore = () => { try { process.stdin.setRawMode(false); } catch {} };
+    try { process.stdin.setRawMode(true); } catch {}
+    process.stdin.resume(); process.stdin.setEncoding("utf8");
+    let val = "";
+    process.stdin.on("data", function handler(ch) {
+      if (ch === "\r" || ch === "\n") {
+        restore(); process.stdin.pause(); process.stdin.removeListener("data", handler);
+        process.stdout.write("\n"); res(val);
+      } else if (ch === "\u0003") { restore(); process.exit(); }
+      else if (ch === "\u007f") { if (val.length) { val = val.slice(0,-1); process.stdout.write("\b \b"); } }
+      else { val += ch; process.stdout.write("*"); }
+    });
+  });
+}
+// ── Version ───────────────────────────────────────────────────────────────────
+const VERSION = "2.0.0";
+// ── Arg helpers ───────────────────────────────────────────────────────────────
+const arg    = i => process.argv[i + 2];
+const flag   = n => { const i = process.argv.findIndex(a => a === `--${n}` || a === `-${n[0]}`); return i !== -1 ? process.argv[i+1] : undefined; };
+const hasFlag = n => process.argv.includes(`--${n}`) || process.argv.includes(`-${n[0]}`);
+// ── Table printer ─────────────────────────────────────────────────────────────
+function printTable(rows, cols, opts = {}) {
+  if (!rows.length) { console.log(c.gray("  (empty)")); return; }
+  // strip ANSI for width calculation
+  const strip = s => String(s ?? "").replace(/\x1b\[[0-9;]*m/g, "");
+  const widths = cols.map(col =>
+    Math.max(col.label?.length ?? col.length, ...rows.map(r => strip(r[col.key ?? col] ?? "").length))
+  );
+  const labels = cols.map((col, i) => (col.label ?? col).toUpperCase().padEnd(widths[i]));
+  console.log(c.gray("  " + labels.join("  ")));
+  console.log(c.gray("  " + widths.map(w => "─".repeat(w)).join("  ")));
+  rows.forEach(row => {
+    const cells = cols.map((col, i) => {
+      const key = col.key ?? col;
+      const val = String(row[key] ?? "");
+      const raw = strip(val);
+      return val + " ".repeat(Math.max(0, widths[i] - raw.length));
+    });
+    console.log("  " + cells.join("  "));
+  });
+  if (opts.footer) console.log(c.gray("\n  " + opts.footer));
+}
+// ── Browser opener ─────────────────────────────────────────────────────────────
+function openBrowser(url) {
+  const cmd = process.platform === "win32" ? `start "" "${url}"`
+            : process.platform === "darwin" ? `open "${url}"`
+            : `xdg-open "${url}"`;
+  exec(cmd, () => {});
+}
+// ── HELP ──────────────────────────────────────────────────────────────────────
+function printHelp() {
+  console.log(logo);
+  const sections = [
+    { heading: "Setup", cmds: [
+      ["suron init",                "",                               "Interactive setup wizard — saves ~/.suron/config"],
+      ["suron login",               "",                               "Authenticate CLI via browser (opens dashboard)"],
+      ["suron logout",              "",                               "Remove saved credentials"],
+      ["suron whoami",              "",                               "Show current auth status"],
+    ]},
+    { heading: "Scaffold", cmds: [
+      ["suron new <directory>",     "",                               "Scaffold a new Node.js project with SURON pre-wired"],
+    ]},
+    { heading: "Apps", cmds: [
+      ["suron apps",                "",                               "List all registered apps"],
+      ["suron apps create",         "--name <n>",                     "Register a new app and get its token"],
+    ]},
+    { heading: "Secrets", cmds: [
+      ["suron secrets",             "--app <n>",                      "List secrets (key + masked preview, no values)"],
+      ["suron secrets reveal",      "--app <n>",                      "Show full key=value table in terminal"],
+      ["suron secrets set",         "--app <n> --key K",              "Set a secret (prompted securely, no shell history)"],
+      ["suron secrets delete",      "--app <n> --key K",              "Delete a secret"],
+      ["suron push",                "--app <n> [--env .env]",         "Bulk-push .env file (skips SURON_* vars)"],
+    ]},
+    { heading: "Requests", cmds: [
+      ["suron requests",            "",                               "List pending access-approval requests"],
+      ["suron approve",             "--id <id>",                      "Approve a request"],
+      ["suron deny",                "--id <id>",                      "Deny a request"],
+    ]},
+    { heading: "Info", cmds: [
+      ["suron version",             "",                               "Show CLI version"],
+      ["suron help",                "",                               "Show this help message"],
+    ]},
+  ];
+  for (const { heading, cmds } of sections) {
+    console.log(`  ${c.gray("── " + heading)}`);
+    for (const [cmd, opts, desc] of cmds) {
+      const cmdPad = (c.orange(cmd) + " " + c.dim(opts)).padEnd(70);
+      console.log(`    ${cmdPad} ${c.gray(desc)}`);
+    }
+    console.log();
+  }
+  const cfg = getConfig();
+  console.log(`  ${c.gray("Config:")} ${cfg.url ? c.cyan(cfg.url) : c.red("not set — run: suron init")}`);
+  console.log(`  ${c.gray("Version:")} ${c.gray(VERSION)}`);
+  console.log(`  ${c.gray("Docs:  ")} ${c.cyan("https://github.com/your-org/suron")}\n`);
+}
+// ── INIT ──────────────────────────────────────────────────────────────────────
+async function cmdInit() {
+  console.log(logo);
+  console.log(`${c.bold("Setup Wizard")} — saves config to ${c.cyan(CONFIG_FILE)}\n`);
+  console.log(c.dim("  Tip: suron login will also ask for these URLs if not set.\n"));
+  const ex = loadConfig();
+  const url = await prompt(`Convex URL  ${ex.SURON_URL ? c.gray("("+ex.SURON_URL+")") : c.gray("e.g. https://xxx.convex.cloud")}: `);
+  const cfg = {
+    ...ex,
+    ...(url ? { SURON_URL: url } : {}),
+  };
+  saveConfig(cfg);
+  console.log(c.green(`\n✓ Config saved`));
+  console.log(c.gray(`  SURON_URL = ${cfg.SURON_URL ?? c.red("(not set)")}`));
+  console.log(`\n${c.dim("  Next: suron login")}\n`);
+}
+// ── LOGIN ─────────────────────────────────────────────────────────────────────
+async function cmdLogin() {
+  console.log(logo);
+  console.log(`${c.bold("CLI Authentication")}\n`);
+  // ── Step 1: ensure Convex URL is set ────────────────────────────────────────
+  let cfg = loadConfig();
+  let convexUrl = process.env.SURON_URL ?? cfg.SURON_URL;
+  if (!convexUrl) {
+    console.log(c.gray("  No Convex URL found. Let's set it up.\n"));
+    convexUrl = await prompt(`  Convex URL ${c.gray("(e.g. https://xxx.eu-west-1.convex.cloud)")}: `);
+    if (!convexUrl) { console.error(c.red("✗ Convex URL is required")); await new Promise(r => setTimeout(r, 50)); process.exit(1); }
+    cfg = { ...cfg, SURON_URL: convexUrl };
+    saveConfig(cfg);
+    console.log(c.green("  ✓ Convex URL saved\n"));
+  }
+  // ── Step 2: ensure Dashboard URL is set ─────────────────────────────────────
+  let dashUrl = process.env.SURON_DASHBOARD_URL ?? cfg.SURON_DASHBOARD_URL;
+  if (!dashUrl) {
+    console.log(c.gray("  No Dashboard URL found. Where is your SURON dashboard deployed?\n"));
+    dashUrl = await prompt(`  Dashboard URL ${c.gray("(e.g. https://suron.vercel.app)")}: `);
+    if (!dashUrl) { console.error(c.red("✗ Dashboard URL is required")); await new Promise(r => setTimeout(r, 50)); process.exit(1); }
+    cfg = { ...cfg, SURON_DASHBOARD_URL: dashUrl };
+    saveConfig(cfg);
+    console.log(c.green("  ✓ Dashboard URL saved\n"));
+  }
+  // ── Step 3: create session and open browser ──────────────────────────────────
+  const client = new ConvexHttpClient(convexUrl);
+  let sessionId, code;
+  try {
+    const r = await client.mutation("auth:createCliSession", {});
+    sessionId = r.sessionId; code = r.code;
+  } catch(e) { console.error(c.red(`✗ ${e.message}`)); await new Promise(r => setTimeout(r, 50)); process.exit(1); }
+  // Open a clean standalone approval page (not the full dashboard)
+  const approvalUrl = `${dashUrl.replace(/\/$/, "")}/approve?code=${code}`;
+  console.log(`  ${c.bold("Your code")}: ${c.orange(c.bold(code))}\n`);
+  console.log(`  ${c.gray("Opening approval page in browser…")}`);
+  console.log(`  ${c.dim(approvalUrl)}\n`);
+  console.log(c.dim("  Press Enter to open in browser, or visit the URL above manually."));
+  await prompt("");
+  openBrowser(approvalUrl);
+  console.log(c.gray("\n  Waiting for approval…  (Ctrl+C to cancel)\n"));
+  // ── Step 4: poll until approved/denied/expired ───────────────────────────────
+  const deadline = Date.now() + 10 * 60 * 1000;
+  let dots = 0;
+  while (Date.now() < deadline) {
+    await new Promise(r => setTimeout(r, 1500));
+    let result;
+    try { result = await client.query("auth:pollCliSession", { sessionId }); } catch { continue; }
+    dots = (dots + 1) % 4;
+    process.stdout.write(`\r  ${c.gray("Waiting" + ".".repeat(dots).padEnd(3))}`);
+    if (result.status === "approved" && result.adminToken) {
+      process.stdout.write("\n");
+      cfg.SURON_ADMIN_TOKEN = result.adminToken;
+      saveConfig(cfg);
+      console.log(`\n${c.green("✓ Authenticated!")} Token saved to ${c.cyan(CONFIG_FILE)}\n`);
+      await new Promise(r => setTimeout(r, 50));
+      process.exit(0);
+    }
+    if (result.status === "denied") {
+      process.stdout.write("\n");
+      console.log(c.red("✗ Denied."));
+      await new Promise(r => setTimeout(r, 50)); process.exit(1);
+    }
+    if (["expired","not_found"].includes(result.status)) {
+      process.stdout.write("\n");
+      console.log(c.red("✗ Session expired. Run: suron login"));
+      await new Promise(r => setTimeout(r, 50)); process.exit(1);
+    }
+  }
+  process.stdout.write("\n");
+  console.log(c.red("✗ Timed out."));
+  await new Promise(r => setTimeout(r, 50)); process.exit(1);
+}
+// ── WHOAMI ────────────────────────────────────────────────────────────────────
+async function cmdWhoami() {
+  const cfg = loadConfig();
+  console.log(logo);
+  if (cfg.SURON_ADMIN_TOKEN) {
+    console.log(c.green("✓ Authenticated"));
+    console.log(`  ${c.gray("Token:")}     ${c.cyan("cli_..."+cfg.SURON_ADMIN_TOKEN.slice(-8))}`);
+    console.log(`  ${c.gray("Server:")}    ${cfg.SURON_URL ?? c.red("not set")}`);
+    if (cfg.SURON_DASHBOARD_URL) console.log(`  ${c.gray("Dashboard:")} ${cfg.SURON_DASHBOARD_URL}`);
+  } else {
+    console.log(c.red("✗ Not authenticated"));
+    console.log(`  ${c.gray("Run: suron login")}`);
+  }
+}
+// ── LOGOUT ────────────────────────────────────────────────────────────────────
+function cmdLogout() {
+  const cfg = loadConfig();
+  if (!cfg.SURON_ADMIN_TOKEN) { console.log(c.gray("Not logged in.")); return; }
+  delete cfg.SURON_ADMIN_TOKEN;
+  saveConfig(cfg);
+  console.log(c.green("✓ Logged out"));
+}
+// ── APPS ──────────────────────────────────────────────────────────────────────
+async function cmdApps() {
+  const sub = arg(1);
+  const client = getClient();
+  if (sub === "create") {
+    const name = flag("name") ?? flag("n");
+    if (!name) { console.error(c.red("✗ --name required")); process.exit(1); }
+    const { token } = await client.mutation("apps:createApp", {
+      name, displayName: flag("display") ?? name, ownerId: flag("owner") ?? "admin"
+    });
+    console.log(logo);
+    console.log(c.green(`✓ App '${name}' created\n`));
+    console.log(`  ${c.bold("Token:")} ${c.orange(token)}\n`);
+    console.log(c.gray("  Add to your project .env:"));
+    console.log(c.cyan(`  SURON_URL=${requireConfig().url}`));
+    console.log(c.cyan(`  SURON_TOKEN=${token}\n`));
+    console.log(c.dim("  This token is not shown again in the dashboard."));
+    return;
+  }
+  const apps = await client.query("apps:listApps");
+  console.log(logo); console.log(`${c.bold("Apps")}\n`);
+  if (!apps.length) { console.log(c.gray("  No apps. Run: suron apps create --name my-app\n")); return; }
+  printTable(
+    apps.map(a => ({
+      name:   c.white(a.name),
+      status: a.isActive ? c.green("● active") : c.gray("○ offline"),
+      host:   c.gray(a.hostname ?? "—"),
+      pid:    c.gray(String(a.pid ?? "—")),
+      seen:   c.gray(a.lastSeen ? new Date(a.lastSeen).toLocaleTimeString() : "never"),
+    })),
+    ["name","status","host","pid","seen"]
+  );
+  console.log();
+}
+// ── PUSH ──────────────────────────────────────────────────────────────────────
+async function cmdPush() {
+  const envFile = flag("env") ?? flag("f") ?? ".env";
+  const appName = flag("app") ?? flag("a");
+  if (!appName) { console.error(c.red("✗ --app required")); process.exit(1); }
+  const envPath = resolve(process.cwd(), envFile);
+  if (!existsSync(envPath)) { console.error(c.red(`✗ Not found: ${envPath}`)); process.exit(1); }
+  const parsed = parse(readFileSync(envPath, "utf8"));
+  const SKIP = new Set(["SURON_URL","SURON_TOKEN"]);
+  const entries = Object.entries(parsed).filter(([k]) => !SKIP.has(k));
+  console.log(logo);
+  console.log(`${c.bold("Push")} ${c.orange(envFile)} → ${c.bold(appName)}`);
+  console.log(c.gray(`  ${entries.length} secrets to push\n`));
+  const client = getClient();
+  let ok = 0;
+  for (const [key, value] of entries) {
+    try {
+      await client.mutation("secrets:upsertSecret", { appName, key, value });
+      console.log(`  ${c.green("✓")} ${c.white(key)}`);
+      ok++;
+    } catch(e) { console.log(`  ${c.red("✗")} ${key}: ${c.gray(e.message)}`); }
+  }
+  console.log(`\n${c.green(`✓ ${ok}/${entries.length} secrets pushed to '${appName}'`)}\n`);
+}
+// ── SECRETS ───────────────────────────────────────────────────────────────────
+async function cmdSecrets() {
+  const sub     = arg(1);
+  const appName = flag("app") ?? flag("a");
+  if (!appName) { console.error(c.red("✗ --app required  (--app my-app)")); process.exit(1); }
+  const client  = getClient();
+  // ── LIST (masked)
+  if (!sub || sub === "list") {
+    const secrets = await client.query("secrets:listSecrets", { appName });
+    console.log(logo);
+    console.log(`${c.bold("Secrets")} · ${c.orange(appName)}\n`);
+    if (!secrets.length) {
+      console.log(c.gray(`  No secrets. Run: suron secrets set --app ${appName} --key KEY\n`));
+      return;
+    }
+    printTable(
+      secrets.map(s => ({
+        key:     c.white(s.key),
+        value:   c.gray("••••••••"),
+        updated: c.gray(new Date(s.updatedAt).toLocaleString()),
+      })),
+      ["key","value","updated"],
+      { footer: `To reveal values: suron secrets reveal --app ${appName}` }
+    );
+    console.log();
+    return;
+  }
+  // ── REVEAL (cleartext table — for debugging)
+  if (sub === "reveal") {
+    const secrets = await client.query("secrets:listSecrets", { appName });
+    console.log(logo);
+    console.log(`${c.yellow("⚠  CLEARTEXT")} · ${c.orange(appName)}\n`);
+    if (!secrets.length) { console.log(c.gray("  No secrets.\n")); return; }
+    // Box-style output — easier for AI to parse
+    console.log(c.gray("  ┌─ ENV TABLE " + "─".repeat(Math.max(0, 60 - 12)) + "┐"));
+    secrets.forEach(s => {
+      const val = s.value ?? "(encrypted)";
+      const line = `  ${c.orange(s.key.padEnd(28))}= ${c.cyan(val)}`;
+      console.log(line);
+    });
+    console.log(c.gray("  └" + "─".repeat(62) + "┘"));
+    console.log(c.gray(`\n  ${secrets.length} secrets · ${appName}\n`));
+    return;
+  }
+  // ── SET
+  if (sub === "set") {
+    const key = flag("key") ?? flag("k");
+    if (!key) { console.error(c.red("✗ --key required")); process.exit(1); }
+    const value = await promptSecret(`Value for ${c.orange(key)}: `);
+    if (!value) { console.error(c.red("✗ Empty value — aborted")); process.exit(1); }
+    await client.mutation("secrets:upsertSecret", { appName, key, value });
+    console.log(c.green(`✓ '${key}' saved for '${appName}'`));
+    return;
+  }
+  // ── DELETE
+  if (sub === "delete") {
+    const key = flag("key") ?? flag("k");
+    if (!key) { console.error(c.red("✗ --key required")); process.exit(1); }
+    const confirm = await prompt(`Delete '${key}' from '${appName}'? ${c.gray("[y/N]")} `);
+    if (confirm.toLowerCase() !== "y") { console.log(c.gray("Aborted.")); return; }
+    await client.mutation("secrets:deleteSecret", { appName, key });
+    console.log(c.green(`✓ Deleted '${key}' from '${appName}'`));
+    return;
+  }
+  console.error(c.red(`✗ Unknown subcommand: ${sub}`));
+  console.log(c.gray("  Usage: suron secrets [list|reveal|set|delete] --app <name>"));
+}
+// ── REQUESTS ──────────────────────────────────────────────────────────────────
+async function cmdRequests() {
+  const client = getClient();
+  const reqs   = await client.query("secrets:listPendingRequests");
+  console.log(logo); console.log(`${c.bold("Pending Requests")}\n`);
+  if (!reqs.length) { console.log(c.green("  ✓ No pending requests\n")); return; }
+  printTable(
+    reqs.map(r => ({
+      id:        c.gray(r._id),
+      app:       c.white(r.appName),
+      key:       c.orange(r.secretKey),
+      requested: c.gray(new Date(r.requestedAt).toLocaleString()),
+    })),
+    ["id","app","key","requested"],
+    { footer: "suron approve --id <id>   or   suron deny --id <id>" }
+  );
+  console.log();
+}
+// ── APPROVE / DENY ────────────────────────────────────────────────────────────
+async function cmdResolve(deny = false) {
+  const id = flag("id");
+  if (!id) { console.error(c.red("✗ --id required")); process.exit(1); }
+  const client = getClient();
+  await client.mutation("secrets:resolveRequest", {
+    requestId: id, status: deny ? "denied" : "approved", resolvedBy: "cli"
+  });
+  console.log(deny ? c.red(`✗ Denied  ${id}`) : c.green(`✓ Approved ${id}`));
+}
+// ── SURON NEW — scaffold a complete Node.js project ───────────────────────────
+async function cmdNew() {
+  const dirName = arg(1);
+  if (!dirName) {
+    console.error(c.red("✗ Directory name required  (e.g. suron new my-project)"));
+    process.exit(1);
+  }
+  const projectDir = resolve(process.cwd(), dirName);
+  const projectName = basename(projectDir);
+  console.log(logo);
+  console.log(`${c.bold("Scaffold")} → ${c.orange(projectDir)}\n`);
+  if (existsSync(projectDir)) {
+    const ans = await prompt(c.yellow(`  '${dirName}' already exists. Continue? [y/N] `));
+    if (ans.toLowerCase() !== "y") { console.log(c.gray("  Aborted.")); return; }
+  } else {
+    mkdirSync(projectDir, { recursive: true });
+  }
+  // Prompt for app name
+  const appName = await prompt(`  App name in SURON ${c.gray(`(${projectName})`)}: `) || projectName;
+  const cfg = loadConfig();
+  const suronUrl   = cfg.SURON_URL   ?? "https://your-deployment.convex.cloud";
+  const suronDash  = cfg.SURON_DASHBOARD_URL ?? "https://your-dashboard.vercel.app";
+  // ── Files to create ───────────────────────────────────────────────────────
+  const files = {
+    // package.json
+    "package.json": JSON.stringify({
+      name: projectName,
+      version: "1.0.0",
+      type: "module",
+      description: "Node.js app powered by SURON secrets manager",
+      main: "src/index.js",
+      scripts: {
+        start:   "node src/index.js",
+        dev:     "node --watch src/index.js",
+        "secrets:list":   `suron secrets --app ${appName}`,
+        "secrets:reveal": `suron secrets reveal --app ${appName}`,
+        "secrets:push":   `suron push --app ${appName} --env .env.secrets`,
+      },
+      dependencies: {
+        "@suronai/sdk":  "^2.0.0",
+        "dotenv":      "^16.0.0",
+      },
+      engines: { node: ">=18.0.0" },
+      author: "",
+      license: "MIT",
+    }, null, 2),
+    // src/index.js — the entry point
+    "src/index.js": `/**
+ * ${projectName}
+ *
+ * Entry point — SURON handles all secrets.
+ * Run: npm start
+ * For dev (auto-restart): npm run dev
+ */
+import "dotenv/config";              // loads SURON_URL + SURON_TOKEN
+import { SURON } from "@suronai/sdk";
+// ── Bootstrap ─────────────────────────────────────────────────────────────────
+const env = await SURON.connect();
+// ── Load secrets (triggers Telegram approval on first run) ─────────────────────
+// Add your own keys here:
+const secrets = await env.getAll([
+  "EXAMPLE_API_KEY",
+  // "DATABASE_URL",
+  // "OPENAI_API_KEY",
+]);
+// ── Your app code starts here ──────────────────────────────────────────────────
+console.log("✓ Secrets loaded:", Object.keys(secrets).join(", "));
+console.log("  Example key:", secrets.EXAMPLE_API_KEY);
+// TODO: replace with your actual app logic
+`,
+    // .env — SURON credentials only
+    ".env": `# SURON connection — the ONLY vars needed here.
+# Your actual secrets (API keys, DB URLs) live on the SURON server.
+SURON_URL=${suronUrl}
+SURON_TOKEN=sk_YOUR_APP_TOKEN_HERE
+`,
+    // .env.example — safe to commit
+    ".env.example": `# SURON credentials — copy to .env and fill in your values.
+# Get your token: suron apps create --name ${appName}
+SURON_URL=${suronUrl}
+SURON_TOKEN=sk_...
+`,
+    // .env.secrets — for first-time push, then delete this file
+    ".env.secrets": `# Put your ACTUAL secrets here for the initial push.
+# Run: npm run secrets:push
+# Then DELETE this file — it is NOT committed.
+EXAMPLE_API_KEY=replace_me_with_your_api_key
+# DATABASE_URL=postgres://...
+# OPENAI_API_KEY=sk-...
+`,
+    // .gitignore
+    ".gitignore": `.env
+.env.secrets
+node_modules/
+dist/
+*.log
+.DS_Store
+`,
+    // README.md
+    "README.md": `# ${projectName}
+Node.js application using [SURON](${suronDash}) for secrets management.
+## Quick Start
+\`\`\`bash
+# 1. Install dependencies
+npm install
+# 2. Set your SURON token in .env
+#    Get one: suron apps create --name ${appName}
+nano .env
+# 3. Push initial secrets (edit .env.secrets first)
+npm run secrets:push
+# 4. Delete .env.secrets (never commit it)
+rm .env.secrets
+# 5. Run the app (will prompt Telegram approval on first secret access)
+npm start
+\`\`\`
+## Secrets Management
+\`\`\`bash
+# List secrets (masked)
+npm run secrets:list
+# Reveal secrets in terminal (for debugging)
+npm run secrets:reveal
+# Set a single secret
+suron secrets set --app ${appName} --key MY_KEY
+# Push entire .env file
+npm run secrets:push
+\`\`\`
+## How SURON Works
+1. App calls \`env.get('MY_KEY')\` at runtime
+2. SURON checks if already approved for this session → returns cached value
+3. If not → Telegram notification sent to owner
+4. Owner approves → secret returned and cached until app restarts
+See [llm.md](${suronDash}/llm.md) for AI integration guide.
+`,
+    // llm.md — AI integration hints specific to this project
+    "llm.md": `# AI Integration Notes — ${projectName}
+> This file is for AI assistants (Claude, Cursor, Copilot, etc.)
+> Read this before touching any secrets, .env files, or startup code.
+## Project Type
+Node.js ESM app using SURON for secrets management.
+## Key Rules
+1. **Never hardcode secrets** — they live on the SURON server.
+2. **Never use process.env.* for actual secrets** — use \`await env.get('KEY')\`.
+3. **SURON_URL and SURON_TOKEN** are the only vars in .env — they are not secrets.
+4. **.env.secrets** is for one-time push only — delete after use, never commit.
+## Adding a New Secret
+\`\`\`bash
+# Terminal — adds secret to SURON server
+suron secrets set --app ${appName} --key NEW_KEY
+# Then in code:
+const value = await env.get('NEW_KEY')
+\`\`\`
+## Revealing All Secrets (for debugging)
+\`\`\`bash
+suron secrets reveal --app ${appName}
+\`\`\`
+This shows a full key=value table for inspection.
+## Startup Pattern
+Always follow this pattern at the top of entry files:
+\`\`\`javascript
+import "dotenv/config";              // loads SURON_URL + SURON_TOKEN
+import { SURON } from "@suronai/sdk";
+const env = await SURON.connect();  // connects and registers app
+// Bulk-load all secrets at startup (one Telegram prompt per key)
+const secrets = await env.getAll(["KEY_A", "KEY_B", "KEY_C"]);
+\`\`\`
+## App Info
+- **App name in SURON**: \`${appName}\`
+- **Dashboard**: ${suronDash}
+- **Convex URL**: ${suronUrl}
+`,
+  };
+  // ── Write files ────────────────────────────────────────────────────────────
+  mkdirSync(join(projectDir, "src"), { recursive: true });
+  let written = 0;
+  for (const [filePath, content] of Object.entries(files)) {
+    const full = join(projectDir, filePath);
+    const exists = existsSync(full);
+    writeFileSync(full, content, "utf8");
+    console.log(`  ${c.green("✓")} ${c.white(filePath)} ${exists ? c.gray("(overwritten)") : ""}`);
+    written++;
+  }
+  console.log(`\n${c.green(`✓ ${written} files created in '${dirName}'`)}\n`);
+  // ── Next steps ─────────────────────────────────────────────────────────────
+  const nextSteps = [
+    [`cd ${dirName}`,                                  "Enter project directory"],
+    ["npm install",                                    "Install dependencies"],
+    [`suron apps create --name ${appName}`,            "Register app in SURON, get token"],
+    ["nano .env",                                      "Set SURON_TOKEN from above"],
+    ["nano .env.secrets",                              "Add your actual secrets"],
+    ["npm run secrets:push",                           "Upload secrets to SURON"],
+    ["rm .env.secrets",                                "Delete secrets file (never commit it)"],
+    ["npm start",                                      "Run the app"],
+  ];
+  console.log(c.gray("  Next steps:"));
+  nextSteps.forEach(([cmd, desc], i) => {
+    console.log(`  ${c.gray(String(i+1)+".")} ${c.cyan(cmd.padEnd(42))} ${c.dim(desc)}`);
+  });
+  console.log();
+}
+// ── ROUTER ────────────────────────────────────────────────────────────────────
+const cmd = arg(0);
+// Handle --version / -v flag at any position
+if (process.argv.includes("--version") || process.argv.includes("-v")) {
+  console.log(`suron v${VERSION}`);
+  process.exit(0);
+}
+try {
+  switch (cmd) {
+    case "help":
+    case "--help":
+    case "-h":        printHelp();              break;
+    case "version":   console.log(`suron v${VERSION}`); break;
+    case "init":      await cmdInit();          break;
+    case "login":     await cmdLogin();         break;
+    case "logout":    cmdLogout();              break;
+    case "whoami":    await cmdWhoami();        break;
+    case "new":       await cmdNew();           break;
+    case "push":      await cmdPush();          break;
+    case "apps":      await cmdApps();          break;
+    case "secrets":   await cmdSecrets();       break;
+    case "requests":  await cmdRequests();      break;
+    case "approve":   await cmdResolve(false);  break;
+    case "deny":      await cmdResolve(true);   break;
+    default:          printHelp();
+  }
+} catch(err) {
+  console.error(c.red(`\n✗ ${err.message}`));
+  if (hasFlag("debug")) console.error(err.stack);
+  process.exit(1);
+}