@tanagram/cli 0.3.1 → 0.4.0

package/commands/list.go

@@ -3,10 +3,11 @@ package commands
 import (
 	"fmt"
 
+	gitpkg "github.com/tanagram/cli/git"
 	"github.com/tanagram/cli/storage"
 )
 
-// List displays all cached policies
+// List displays all cached policies (both local and cloud)
 func List() error {
 	// Find git root
 	gitRoot, err := storage.FindGitRoot()
@@ -14,42 +15,97 @@ func List() error {
 		return err
 	}
 
-	// Load cache
+	// Load local cache
 	cache, err := storage.LoadCache(gitRoot)
 	if err != nil {
 		return fmt.Errorf("failed to load cache: %w", err)
 	}
 
-	if len(cache.Policies) == 0 {
-		fmt.Println("No cached policies found. Run 'tanagram sync' first.")
+	// Load local policies from cache
+	localPolicies, err := cache.GetAllPolicies()
+	if err != nil {
+		return fmt.Errorf("failed to load local policies: %w", err)
+	}
+
+	// Try to load cloud policies for current repo
+	cloudPolicies := []storage.SimplifiedPolicy{}
+	var repoInfo *gitpkg.RepoInfo
+
+	cloudStorage := storage.NewCloudPolicyStorage(gitRoot)
+	repoInfo, err = gitpkg.GetCurrentRepo()
+	if err == nil {
+		// Successfully detected repo, try to load cloud policies
+		repoFile, err := cloudStorage.LoadPoliciesForRepo(repoInfo.Owner, repoInfo.Name)
+		if err == nil && repoFile != nil {
+			cloudPolicies = repoFile.Policies
+		}
+	}
+
+	// Check if we have any policies to display
+	if len(localPolicies) == 0 && len(cloudPolicies) == 0 {
+		fmt.Println("No policies found.")
+		fmt.Println("\nTo get started:")
+		fmt.Println("  • Local policies: Run 'tanagram sync' to extract from AGENTS.md, POLICIES.md, etc.")
+		fmt.Println("  • Cloud policies: Run 'tanagram sync-policies' to fetch from Tanagram")
 		return nil
 	}
 
-	totalPolicies := 0
+	// Display local policies
+	if len(localPolicies) > 0 {
+		fmt.Println("═══════════════════════════════════════════════════════════════")
+		fmt.Printf("LOCAL POLICIES (%d policies)\n", len(localPolicies))
+		fmt.Println("═══════════════════════════════════════════════════════════════")
+		fmt.Println("Source: Local instruction files (AGENTS.md, POLICIES.md, etc.)")
+		fmt.Println()
 
-	fmt.Println("Cached Policies (All enforced via LLM):")
+		// Group by file
+		fileGroups := make(map[string][]storage.SerializablePolicy)
+		for filepath, serializablePolicies := range cache.Policies {
+			if len(serializablePolicies) > 0 {
+				fileGroups[filepath] = serializablePolicies
+			}
+		}
 
-	// Display policies grouped by file
-	for filepath, serializablePolicies := range cache.Policies {
-		if len(serializablePolicies) == 0 {
-			continue
+		for filepath, serializablePolicies := range fileGroups {
+			fmt.Printf("📄 %s (%d policies)\n", filepath, len(serializablePolicies))
+			fmt.Println("───────────────────────────────────────────────────────────────")
+			for _, sp := range serializablePolicies {
+				fmt.Printf("  • %s: %s\n", sp.Name, sp.Message)
+			}
+			fmt.Println()
 		}
+	}
 
-		fmt.Printf("📄 %s (%d policies)\n", filepath, len(serializablePolicies))
-		fmt.Println("─────────────────────────────────────────────────────────────")
+	// Display cloud policies
+	if len(cloudPolicies) > 0 {
+		fmt.Println("═══════════════════════════════════════════════════════════════")
+		fmt.Printf("CLOUD POLICIES (%d policies)\n", len(cloudPolicies))
+		fmt.Println("═══════════════════════════════════════════════════════════════")
+		fmt.Printf("Source: Tanagram (repository: %s/%s)\n", repoInfo.Owner, repoInfo.Name)
+		fmt.Println()
 
-		for _, sp := range serializablePolicies {
-			totalPolicies++
-			fmt.Printf("  • %s: %s\n", sp.Name, sp.Message)
+		for _, cp := range cloudPolicies {
+			status := "✓ enabled"
+			if !cp.Enabled {
+				status = "✗ disabled"
+			}
+			fmt.Printf("  • %s [%s]\n", cp.Name, status)
+			if cp.Message != "" {
+				fmt.Printf("    Message: %s\n", cp.Message)
+			}
 		}
 		fmt.Println()
 	}
 
 	// Summary
-	fmt.Println("═════════════════════════════════════════════════════════════")
-	fmt.Printf("Total: %d policies\n", totalPolicies)
-	fmt.Printf("Files: %d\n", len(cache.Policies))
-	fmt.Println("\nAll policies are enforced using LLM-based semantic analysis")
+	fmt.Println("═══════════════════════════════════════════════════════════════")
+	fmt.Printf("SUMMARY\n")
+	fmt.Println("═══════════════════════════════════════════════════════════════")
+	fmt.Printf("Local policies:  %d\n", len(localPolicies))
+	fmt.Printf("Cloud policies:  %d\n", len(cloudPolicies))
+	fmt.Printf("Total enforced:  %d\n", len(localPolicies)+len(cloudPolicies))
+	fmt.Println("\nNote: Cloud policies take precedence over local policies with the same name")
+	fmt.Println("All policies are enforced using LLM-based semantic analysis")
 
 	return nil
 }

package/commands/login.go

@@ -0,0 +1,159 @@
+package commands
+
+import (
+	"context"
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/base64"
+	"fmt"
+	"net"
+	"net/http"
+	"net/url"
+	"os"
+	"time"
+
+	"github.com/pkg/browser"
+	"github.com/tanagram/cli/auth"
+)
+
+// getWebAppURL returns the web app URL based on environment
+func getWebAppURL() string {
+	// Check environment variable first
+	if url := os.Getenv("TANAGRAM_WEB_URL"); url != "" {
+		return url
+	}
+
+	// Default to production
+	return "https://web.tanagram.ai"
+}
+
+// generateCodeVerifier generates a random code verifier for PKCE
+func generateCodeVerifier() (string, error) {
+	// Generate 32 random bytes (256 bits)
+	b := make([]byte, 32)
+	if _, err := rand.Read(b); err != nil {
+		return "", err
+	}
+	// Base64 URL encode without padding
+	return base64.RawURLEncoding.EncodeToString(b), nil
+}
+
+// generateCodeChallenge generates the code challenge from the verifier
+func generateCodeChallenge(verifier string) string {
+	hash := sha256.Sum256([]byte(verifier))
+	return base64.RawURLEncoding.EncodeToString(hash[:])
+}
+
+// Login implements the OAuth PKCE flow for CLI authentication
+func Login() error {
+	// Generate PKCE parameters
+	codeVerifier, err := generateCodeVerifier()
+	if err != nil {
+		return fmt.Errorf("failed to generate code verifier: %w", err)
+	}
+	codeChallenge := generateCodeChallenge(codeVerifier)
+
+	// Create a channel to receive the authorization code
+	codeChan := make(chan string, 1)
+	errChan := make(chan error, 1)
+
+	// Start local HTTP server for callback on a dynamic port
+	listener, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		return fmt.Errorf("failed to start callback server: %w", err)
+	}
+
+	// Get the actual port assigned
+	port := listener.Addr().(*net.TCPAddr).Port
+	redirectURI := fmt.Sprintf("http://127.0.0.1:%d/callback", port)
+
+	// Setup callback handler
+	mux := http.NewServeMux()
+	mux.HandleFunc("/callback", func(w http.ResponseWriter, r *http.Request) {
+		code := r.URL.Query().Get("code")
+		if code == "" {
+			errChan <- fmt.Errorf("no authorization code received")
+			http.Error(w, "Authorization failed", http.StatusBadRequest)
+			return
+		}
+
+		// Send success message to browser
+		w.Header().Set("Content-Type", "text/html")
+		fmt.Fprintf(w, `
+			<!DOCTYPE html>
+			<html>
+			<head><title>Tanagram Login</title></head>
+			<body style="font-family: system-ui; text-align: center; padding: 50px;">
+				<h1>✓ Login Successful</h1>
+				<p>You can close this window and return to your terminal.</p>
+			</body>
+			</html>
+		`)
+
+		codeChan <- code
+	})
+
+	// Start the HTTP server
+	server := &http.Server{Handler: mux}
+	go func() {
+		if err := server.Serve(listener); err != nil && err != http.ErrServerClosed {
+			errChan <- fmt.Errorf("callback server error: %w", err)
+		}
+	}()
+
+	// Construct authorization URL pointing to web app's CLI authorization page
+	authURL := fmt.Sprintf("%s/cli-authorize?%s", getWebAppURL(), url.Values{
+		"redirect_uri":          {redirectURI},
+		"code_challenge":        {codeChallenge},
+		"code_challenge_method": {"S256"},
+	}.Encode())
+
+	fmt.Println("Opening browser for authentication...")
+	fmt.Printf("If the browser doesn't open automatically, visit:\n%s\n\n", authURL)
+
+	// Open browser
+	if err := browser.OpenURL(authURL); err != nil {
+		fmt.Printf("Warning: Could not open browser automatically: %v\n", err)
+	}
+
+	fmt.Println("Waiting for authentication...")
+
+	// Wait for callback or timeout
+	var authCode string
+	select {
+	case authCode = <-codeChan:
+		// Success
+	case err := <-errChan:
+		return err
+	case <-time.After(5 * time.Minute):
+		return fmt.Errorf("authentication timeout - please try again")
+	}
+
+	// Shutdown the callback server
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+	server.Shutdown(ctx)
+
+	// The authorization code is actually the session JWT from the web app
+	// No need to exchange - we can use it directly
+	sessionJWT := authCode
+
+	// Verify token is valid
+	if sessionJWT == "" {
+		return fmt.Errorf("received empty session token")
+	}
+
+	// Store session JWT in OS keyring
+	fmt.Println("Storing session token securely...")
+
+	if err := auth.SetAccessToken(sessionJWT); err != nil {
+		return fmt.Errorf("failed to store session token: %w", err)
+	}
+
+	fmt.Println("\n✓ Successfully logged in to Tanagram")
+	fmt.Printf("Session token stored securely in OS keyring\n")
+
+	return nil
+}
+
+// Removed exchangeCodeForTokens - we receive the session JWT directly from the web app

package/commands/run.go

@@ -11,7 +11,7 @@ import (
 	"github.com/tanagram/cli/checker"
 	"github.com/tanagram/cli/config"
 	"github.com/tanagram/cli/extractor"
-	"github.com/tanagram/cli/git"
+	gitpkg "github.com/tanagram/cli/git"
 	"github.com/tanagram/cli/metrics"
 	"github.com/tanagram/cli/parser"
 	"github.com/tanagram/cli/snapshot"
@@ -186,21 +186,50 @@ func Run() error {
 		})
 	}
 
-	// Load all policies from cache
-	policies, err := cache.GetAllPolicies()
+	// Load local policies from cache
+	localPolicies, err := cache.GetAllPolicies()
 	if err != nil {
 		return fmt.Errorf("failed to load policies from cache: %w", err)
 	}
 
+	// Try to load cloud policies for current repo
+	cloudPolicies := []parser.Policy{}
+	cloudStorage := storage.NewCloudPolicyStorage(gitRoot)
+
+	repoInfo, err := gitpkg.GetCurrentRepo()
+	if err == nil {
+		// Successfully detected repo, try to load cloud policies
+		cloudPolicies, err = cloudStorage.LoadCloudPoliciesAsParserFormat(repoInfo.Owner, repoInfo.Name)
+		if err != nil {
+			// Cloud policies exist but failed to load - warn but continue
+			fmt.Printf("Warning: Failed to load cloud policies: %v\n", err)
+			cloudPolicies = []parser.Policy{}
+		} else if len(cloudPolicies) > 0 {
+			fmt.Printf("Loaded %d cloud policies for %s/%s\n", len(cloudPolicies), repoInfo.Owner, repoInfo.Name)
+		}
+	}
+	// If repo detection failed, silently continue with local-only policies
+
+	// Merge local and cloud policies (cloud takes precedence)
+	policies := storage.MergePolicies(localPolicies, cloudPolicies)
+
 	if len(policies) == 0 {
 		fmt.Println("No enforceable policies found")
 		return nil
 	}
 
-	fmt.Printf("Loaded %d policies\n", len(policies))
+	totalLocal := len(localPolicies)
+	totalCloud := len(cloudPolicies)
+	totalMerged := len(policies)
+
+	if totalCloud > 0 {
+		fmt.Printf("Total policies: %d (%d local, %d cloud, %d after merge)\n", totalMerged, totalLocal, totalCloud, totalMerged)
+	} else {
+		fmt.Printf("Loaded %d local policies\n", totalLocal)
+	}
 
 	// Check if a snapshot exists (from PreToolUse hook)
-	var changesToCheck []git.ChangedLine
+	var changesToCheck []gitpkg.ChangedLine
 	useSnapshot := false
 
 	if snapshot.Exists(gitRoot) {
@@ -226,7 +255,7 @@ func Run() error {
 
 		// Convert snapshot.ChangedLine to git.ChangedLine
 		for _, sc := range snapshotChanges {
-			changesToCheck = append(changesToCheck, git.ChangedLine{
+			changesToCheck = append(changesToCheck, gitpkg.ChangedLine{
 				File:       sc.File,
 				LineNumber: sc.LineNumber,
 				Content:    sc.Content,
@@ -243,7 +272,7 @@ func Run() error {
 	} else {
 		// No snapshot - fall back to checking all git changes
 		fmt.Println("Checking all changes (unstaged + staged)...")
-		diffResult, err := git.GetAllChanges()
+		diffResult, err := gitpkg.GetAllChanges()
 		if err != nil {
 			return fmt.Errorf("error getting git diff: %w", err)
 		}

package/commands/sync_policies.go

@@ -0,0 +1,88 @@
+package commands
+
+import (
+	"fmt"
+
+	"github.com/tanagram/cli/api"
+	"github.com/tanagram/cli/storage"
+)
+
+// SyncPolicies fetches policies from Tanagram API and saves them locally
+func SyncPolicies() error {
+	// Find git root
+	gitRoot, err := storage.FindGitRoot()
+	if err != nil {
+		return fmt.Errorf("not in a git repository: %w", err)
+	}
+
+	fmt.Println("Syncing policies from Tanagram...")
+
+	// Create API client
+	client, err := api.NewAPIClient()
+	if err != nil {
+		return err
+	}
+
+	// Fetch policies from API
+	fmt.Println("Fetching policies from API...")
+	response, err := client.GetPolicies()
+	if err != nil {
+		return err
+	}
+
+	if len(response.Policies) == 0 {
+		fmt.Println("No policies found for your organization")
+		return nil
+	}
+
+	fmt.Printf("Found %d policies\n", response.Total)
+
+	// Group policies by repository
+	repoMap := make(map[string][]api.Policy)
+	for _, policy := range response.Policies {
+		for _, repo := range policy.PolicyRepositories {
+			key := repo.Owner + "/" + repo.Name
+			repoMap[key] = append(repoMap[key], policy)
+		}
+	}
+
+	fmt.Printf("Policies apply to %d repositories\n", len(repoMap))
+
+	// Save policies for each repository
+	cloudStorage := storage.NewCloudPolicyStorage(gitRoot)
+	savedCount := 0
+
+	for repoKey, policies := range repoMap {
+		// Extract owner and repo name
+		owner := policies[0].PolicyRepositories[0].Owner
+		repo := policies[0].PolicyRepositories[0].Name
+
+		err := cloudStorage.SavePoliciesForRepo(owner, repo, policies)
+		if err != nil {
+			fmt.Printf("Warning: Failed to save policies for %s: %v\n", repoKey, err)
+			continue
+		}
+
+		savedCount++
+		fmt.Printf("  ✓ Saved %d policies for %s\n", len(policies), repoKey)
+	}
+
+	// Save metadata
+	orgID := ""
+	orgName := ""
+	if len(response.Policies) > 0 {
+		orgID = response.Policies[0].OrganizationID
+		// Organization name not in API response, use ID for now
+		orgName = orgID
+	}
+
+	err = cloudStorage.SaveMetadata(orgID, orgName, response.Total, len(repoMap))
+	if err != nil {
+		return fmt.Errorf("failed to save metadata: %w", err)
+	}
+
+	fmt.Printf("\n✓ Successfully synced %d policies across %d repositories\n", response.Total, savedCount)
+	fmt.Printf("Policies saved to: %s\n", cloudStorage.GetPoliciesDir())
+
+	return nil
+}

package/git/repo.go

@@ -0,0 +1,54 @@
+package git
+
+import (
+	"fmt"
+	"os/exec"
+	"regexp"
+	"strings"
+)
+
+// RepoInfo contains repository identification
+type RepoInfo struct {
+	Owner string
+	Name  string
+}
+
+// GetCurrentRepo detects the current repository from git remote
+func GetCurrentRepo() (*RepoInfo, error) {
+	// Get git remote URL
+	cmd := exec.Command("git", "remote", "get-url", "origin")
+	output, err := cmd.Output()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get git remote: %w (not in a git repository?)", err)
+	}
+
+	remoteURL := strings.TrimSpace(string(output))
+
+	// Parse owner and repo name from various URL formats
+	// Examples:
+	// - git@github.com:owner/repo.git
+	// - https://github.com/owner/repo.git
+	// - https://github.com/owner/repo
+	// - https://username@github.com/owner/repo.git
+	// - https://username:password@github.com/owner/repo.git
+
+	// Try SSH format first
+	sshRegex := regexp.MustCompile(`git@[\w.-]+:([\w-]+)/([\w.-]+?)(\.git)?$`)
+	if matches := sshRegex.FindStringSubmatch(remoteURL); matches != nil {
+		return &RepoInfo{
+			Owner: matches[1],
+			Name:  strings.TrimSuffix(matches[2], ".git"),
+		}, nil
+	}
+
+	// Try HTTPS format (with optional username:password@ prefix)
+	httpsRegex := regexp.MustCompile(`https?://(?:[\w.-]+@)?[\w.-]+/([\w-]+)/([\w.-]+?)(\.git)?$`)
+	if matches := httpsRegex.FindStringSubmatch(remoteURL); matches != nil {
+		return &RepoInfo{
+			Owner: matches[1],
+			Name:  strings.TrimSuffix(matches[2], ".git"),
+		}, nil
+	}
+
+	return nil, fmt.Errorf("could not parse git remote URL: %s", remoteURL)
+}

package/go.mod

@@ -11,13 +11,16 @@ require (
 )
 
 require (
+	al.essio.dev/pkg/shellescape v1.5.1 // indirect
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
 	github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc // indirect
 	github.com/charmbracelet/x/ansi v0.10.1 // indirect
 	github.com/charmbracelet/x/cellbuf v0.0.13-0.20250311204145-2c3ea96c31dd // indirect
 	github.com/charmbracelet/x/term v0.2.1 // indirect
+	github.com/danieljoos/wincred v1.2.2 // indirect
 	github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f // indirect
 	github.com/go-ole/go-ole v1.2.6 // indirect
+	github.com/godbus/dbus/v5 v5.1.0 // indirect
 	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
 	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
@@ -27,6 +30,7 @@ require (
 	github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 // indirect
 	github.com/muesli/cancelreader v0.2.2 // indirect
 	github.com/muesli/termenv v0.16.0 // indirect
+	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/shoenig/go-m1cpu v0.1.6 // indirect
@@ -38,6 +42,7 @@ require (
 	github.com/tklauser/numcpus v0.6.1 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
+	github.com/zalando/go-keyring v0.2.6 // indirect
 	golang.org/x/sys v0.36.0 // indirect
 	golang.org/x/text v0.27.0 // indirect
 )

package/go.sum

@@ -1,3 +1,5 @@
+al.essio.dev/pkg/shellescape v1.5.1 h1:86HrALUujYS/h+GtqoB26SBEdkWfmMI6FubjXlsXyho=
+al.essio.dev/pkg/shellescape v1.5.1/go.mod h1:6sIqp7X2P6mThCQ7twERpZTuigpr6KbZWtls1U8I890=
 github.com/anthropics/anthropic-sdk-go v1.17.0 h1:BwK8ApcmaAUkvZTiQE0yi3R9XneEFskDIjLTmOAFZxQ=
 github.com/anthropics/anthropic-sdk-go v1.17.0/go.mod h1:WTz31rIUHUHqai2UslPpw5CwXrQP3geYBioRV4WOLvE=
 github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiErDT4WkJ2k=
@@ -14,12 +16,16 @@ github.com/charmbracelet/x/cellbuf v0.0.13-0.20250311204145-2c3ea96c31dd h1:vy0G
 github.com/charmbracelet/x/cellbuf v0.0.13-0.20250311204145-2c3ea96c31dd/go.mod h1:xe0nKWGd3eJgtqZRaN9RjMtK7xUYchjzPr7q6kcvCCs=
 github.com/charmbracelet/x/term v0.2.1 h1:AQeHeLZ1OqSXhrAWpYUtZyX1T3zVxfpZuEQMIQaGIAQ=
 github.com/charmbracelet/x/term v0.2.1/go.mod h1:oQ4enTYFV7QN4m0i9mzHrViD7TQKvNEEkHUMCmsxdUg=
+github.com/danieljoos/wincred v1.2.2 h1:774zMFJrqaeYCK2W57BgAem/MLi6mtSE47MB6BOJ0i0=
+github.com/danieljoos/wincred v1.2.2/go.mod h1:w7w4Utbrz8lqeMbDAK0lkNJUv5sAOkFi7nd/ogr0Uh8=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f h1:Y/CXytFA4m6baUTXGLOoWe4PQhGxaX0KpnayAqC48p4=
 github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f/go.mod h1:vw97MGsxSvLiUE2X8qFplwetxpGLQrlU1Q9AUEIzCaM=
 github.com/go-ole/go-ole v1.2.6 h1:/Fpf6oFPoeFik9ty7siob0G6Ke8QvQEuVcuChpwXzpY=
 github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
+github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
+github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
@@ -41,6 +47,8 @@ github.com/muesli/cancelreader v0.2.2 h1:3I4Kt4BQjOR54NavqnDogx/MIoWBFa0StPA8ELU
 github.com/muesli/cancelreader v0.2.2/go.mod h1:3XuTXfFS2VjM+HTLZY9Ak0l6eUKfijIfMUZ4EgX0QYo=
 github.com/muesli/termenv v0.16.0 h1:S5AlUN9dENB57rsbnkPyfdGuWIlkmzJjbFf0Tf5FWUc=
 github.com/muesli/termenv v0.16.0/go.mod h1:ZRfOIKPFDYQoDFF4Olj7/QJbW60Ol/kL1pU3VfY/Cnk=
+github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ=
+github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/posthog/posthog-go v1.6.12 h1:rsOBL/YdMfLJtOVjKJLgdzYmvaL3aIW6IVbAteSe+aI=
@@ -76,11 +84,14 @@ github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavM
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
 github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0=
 github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
+github.com/zalando/go-keyring v0.2.6 h1:r7Yc3+H+Ux0+M72zacZoItR3UDxeWfKTcabvkI8ua9s=
+github.com/zalando/go-keyring v0.2.6/go.mod h1:2TCrxYrbUNYfNS/Kgy/LSrkSQzZ5UPVH85RwfczwvcI=
 golang.org/x/exp v0.0.0-20220909182711-5c715a9e8561 h1:MDc5xs78ZrZr3HMQugiXOAkSZtfTpbJLDr/lwfgO53E=
 golang.org/x/exp v0.0.0-20220909182711-5c715a9e8561/go.mod h1:cyybsKvd6eL0RnXn6p/Grxp8F5bW7iYuBgsNCOHpMYE=
 golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

package/main.go

@@ -125,6 +125,16 @@ func main() {
 			fmt.Println("\nNo selection made")
 		}
 		return
+	case "login":
+		metrics.Track("cli.command.execute", map[string]interface{}{
+			"command": "login",
+		})
+		err = commands.Login()
+	case "sync-policies":
+		metrics.Track("cli.command.execute", map[string]interface{}{
+			"command": "sync-policies",
+		})
+		err = commands.SyncPolicies()
 	case "puzzle":
 		metrics.Track("cli.command.execute", map[string]interface{}{
 			"command": "puzzle",
@@ -168,6 +178,11 @@ USAGE:
 
 COMMANDS:
   run            Check git changes against policies (default)
+  login          Authenticate with Tanagram using Stytch B2B
+<<<<<<< HEAD
+  sync-policies  Sync cloud policies from Tanagram
+=======
+>>>>>>> origin/main
   snapshot       Create a snapshot of current file state (used by PreToolUse hook)
   sync           Manually sync instruction files to cache
   list           Show all cached policies
@@ -179,8 +194,13 @@ COMMANDS:
 EXAMPLES:
   tanagram               # Check changes (auto-syncs if files changed)
   tanagram run           # Same as above
+  tanagram login         # Authenticate with Tanagram
+<<<<<<< HEAD
+  tanagram sync-policies # Sync cloud policies from Tanagram
+=======
+>>>>>>> origin/main
   tanagram snapshot      # Create snapshot before making changes
-  tanagram sync          # Manually sync policies
+  tanagram sync          # Manually sync local instruction files
   tanagram list          # View all cached policies
   tanagram config claude # Setup Claude Code hooks in ~/.claude/settings.json
   tanagram config list   # Show where hooks are installed

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@tanagram/cli",
-  "version": "0.3.1",
+  "version": "0.4.0",
   "description": "Tanagram - Catch sloppy code before it ships",
   "main": "index.js",
   "bin": {

package/storage/cloud_policies.go

@@ -0,0 +1,258 @@
+package storage
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+	"time"
+
+	"github.com/tanagram/cli/api"
+	"github.com/tanagram/cli/parser"
+)
+
+// RepoPolicyFile represents policies for a specific repository
+type RepoPolicyFile struct {
+	Repository struct {
+		ID        string `json:"id"`
+		Name      string `json:"name"`
+		Owner     string `json:"owner"`
+		IsPrivate bool   `json:"is_private"`
+	} `json:"repository"`
+	Policies []SimplifiedPolicy `json:"policies"`
+	LastSync time.Time          `json:"last_sync"`
+}
+
+// SimplifiedPolicy is a policy optimized for CLI storage
+type SimplifiedPolicy struct {
+	ID                  string    `json:"id"`
+	Name                string    `json:"name"`
+	Substrate           string    `json:"substrate"`
+	Description         string    `json:"description"`
+	OriginalDescription string    `json:"original_description"`
+	Enabled             bool      `json:"enabled"`
+	Message             string    `json:"message"`
+	SyncedAt            time.Time `json:"synced_at"`
+}
+
+// PolicyMetadata tracks overall sync state
+type PolicyMetadata struct {
+	OrganizationID   string    `json:"organization_id"`
+	OrganizationName string    `json:"organization_name"`
+	LastSync         time.Time `json:"last_sync"`
+	TotalPolicies    int       `json:"total_policies"`
+	TotalRepos       int       `json:"total_repos"`
+	SyncMode         string    `json:"sync_mode"` // "auto" or "manual"
+}
+
+// CloudPolicyStorage handles cloud policy storage
+type CloudPolicyStorage struct {
+	gitRoot string // Not used for path, kept for compatibility
+}
+
+// NewCloudPolicyStorage creates a new cloud policy storage instance
+func NewCloudPolicyStorage(gitRoot string) *CloudPolicyStorage {
+	return &CloudPolicyStorage{gitRoot: gitRoot}
+}
+
+// GetPoliciesDir returns the cloud policies directory path (global, in user's home directory)
+func (s *CloudPolicyStorage) GetPoliciesDir() string {
+	homeDir, err := os.UserHomeDir()
+	if err != nil {
+		// Fallback to current directory if home dir can't be determined
+		return filepath.Join(".tanagram", "policies")
+	}
+	return filepath.Join(homeDir, ".tanagram", "policies")
+}
+
+// SavePoliciesForRepo saves policies for a specific repository
+func (s *CloudPolicyStorage) SavePoliciesForRepo(owner, repo string, policies []api.Policy) error {
+	// Create directory structure
+	repoDir := filepath.Join(s.GetPoliciesDir(), owner)
+	if err := os.MkdirAll(repoDir, 0755); err != nil {
+		return fmt.Errorf("failed to create directory: %w", err)
+	}
+
+	// Filter policies for this repo and convert to simplified format
+	var repoPolicies []SimplifiedPolicy
+	var repoInfo api.Repository
+
+	for _, policy := range policies {
+		// Check if this policy applies to this repo
+		for _, policyRepo := range policy.PolicyRepositories {
+			if policyRepo.Owner == owner && policyRepo.Name == repo {
+				repoInfo = policyRepo
+				repoPolicies = append(repoPolicies, SimplifiedPolicy{
+					ID:                  policy.ID,
+					Name:                policy.Name,
+					Substrate:           policy.Substrate,
+					Description:         policy.DescriptionRewrittenByLLM,
+					OriginalDescription: policy.DescriptionFromUser,
+					Enabled:             policy.EnabledStatus == "enabled",
+					Message:             policy.CustomMessage,
+					SyncedAt:            time.Now(),
+				})
+				break
+			}
+		}
+	}
+
+	// Create repo policy file
+	repoFile := RepoPolicyFile{
+		Policies: repoPolicies,
+		LastSync: time.Now(),
+	}
+	repoFile.Repository.ID = repoInfo.ID
+	repoFile.Repository.Name = repo
+	repoFile.Repository.Owner = owner
+	repoFile.Repository.IsPrivate = repoInfo.IsPrivate
+
+	// Save to file
+	filePath := filepath.Join(repoDir, repo+".json")
+	data, err := json.MarshalIndent(repoFile, "", "  ")
+	if err != nil {
+		return fmt.Errorf("failed to marshal policies: %w", err)
+	}
+
+	if err := os.WriteFile(filePath, data, 0644); err != nil {
+		return fmt.Errorf("failed to write policy file: %w", err)
+	}
+
+	return nil
+}
+
+// SaveMetadata saves sync metadata
+func (s *CloudPolicyStorage) SaveMetadata(orgID, orgName string, totalPolicies, totalRepos int) error {
+	metadata := PolicyMetadata{
+		OrganizationID:   orgID,
+		OrganizationName: orgName,
+		LastSync:         time.Now(),
+		TotalPolicies:    totalPolicies,
+		TotalRepos:       totalRepos,
+		SyncMode:         "manual",
+	}
+
+	metadataPath := filepath.Join(s.GetPoliciesDir(), "metadata.json")
+	data, err := json.MarshalIndent(metadata, "", "  ")
+	if err != nil {
+		return fmt.Errorf("failed to marshal metadata: %w", err)
+	}
+
+	// Ensure directory exists
+	if err := os.MkdirAll(s.GetPoliciesDir(), 0755); err != nil {
+		return fmt.Errorf("failed to create policies directory: %w", err)
+	}
+
+	if err := os.WriteFile(metadataPath, data, 0644); err != nil {
+		return fmt.Errorf("failed to write metadata: %w", err)
+	}
+
+	return nil
+}
+
+// LoadPoliciesForRepo loads policies for a specific repository
+func (s *CloudPolicyStorage) LoadPoliciesForRepo(owner, repo string) (*RepoPolicyFile, error) {
+	filePath := filepath.Join(s.GetPoliciesDir(), owner, repo+".json")
+
+	data, err := os.ReadFile(filePath)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil, nil // No cloud policies for this repo
+		}
+		return nil, fmt.Errorf("failed to read policy file: %w", err)
+	}
+
+	var repoFile RepoPolicyFile
+	if err := json.Unmarshal(data, &repoFile); err != nil {
+		return nil, fmt.Errorf("failed to parse policy file: %w", err)
+	}
+
+	return &repoFile, nil
+}
+
+// LoadMetadata loads sync metadata
+func (s *CloudPolicyStorage) LoadMetadata() (*PolicyMetadata, error) {
+	metadataPath := filepath.Join(s.GetPoliciesDir(), "metadata.json")
+
+	data, err := os.ReadFile(metadataPath)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil, nil
+		}
+		return nil, fmt.Errorf("failed to read metadata: %w", err)
+	}
+
+	var metadata PolicyMetadata
+	if err := json.Unmarshal(data, &metadata); err != nil {
+		return nil, fmt.Errorf("failed to parse metadata: %w", err)
+	}
+
+	return &metadata, nil
+}
+
+// GetCacheAge returns how old the cache is
+func (s *CloudPolicyStorage) GetCacheAge() (time.Duration, error) {
+	metadata, err := s.LoadMetadata()
+	if err != nil || metadata == nil {
+		return 0, fmt.Errorf("no cache found")
+	}
+
+	return time.Since(metadata.LastSync), nil
+}
+
+// LoadCloudPoliciesAsParserFormat loads cloud policies for a repo in parser.Policy format
+func (s *CloudPolicyStorage) LoadCloudPoliciesAsParserFormat(owner, repo string) ([]parser.Policy, error) {
+	repoFile, err := s.LoadPoliciesForRepo(owner, repo)
+	if err != nil {
+		return nil, err
+	}
+
+	if repoFile == nil {
+		// No cloud policies for this repo
+		return []parser.Policy{}, nil
+	}
+
+	// Convert SimplifiedPolicy to parser.Policy
+	var policies []parser.Policy
+	for _, cloudPolicy := range repoFile.Policies {
+		if !cloudPolicy.Enabled {
+			continue // Skip disabled policies
+		}
+
+		// Use the rewritten description as OriginalText (it's more detailed)
+		originalText := cloudPolicy.Description
+		if originalText == "" {
+			originalText = cloudPolicy.OriginalDescription
+		}
+
+		policies = append(policies, parser.Policy{
+			Name:         cloudPolicy.Name,
+			Message:      cloudPolicy.Message,
+			OriginalText: originalText,
+		})
+	}
+
+	return policies, nil
+}
+
+// MergePolicies merges local and cloud policies, with cloud taking precedence
+func MergePolicies(local, cloud []parser.Policy) []parser.Policy {
+	// Create map of cloud policy names for quick lookup
+	cloudNames := make(map[string]bool)
+	for _, p := range cloud {
+		cloudNames[p.Name] = true
+	}
+
+	// Start with all cloud policies
+	merged := make([]parser.Policy, len(cloud))
+	copy(merged, cloud)
+
+	// Add local policies that don't conflict with cloud
+	for _, localPolicy := range local {
+		if !cloudNames[localPolicy.Name] {
+			merged = append(merged, localPolicy)
+		}
+	}
+
+	return merged
+}