@troxy/cli 0.1.0

package/.github/workflows/ci.yml

@@ -0,0 +1,63 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+    tags: ['v*']
+  pull_request:
+    branches: [main]
+
+jobs:
+  # ─────────────────────────────────────────────
+  # TEST — runs on every push and PR
+  # ─────────────────────────────────────────────
+  test:
+    name: Test (Node ${{ matrix.node }})
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        node: ['18', '20', '22']
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Node.js ${{ matrix.node }}
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ matrix.node }}
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run tests
+        run: npm test
+
+  # ─────────────────────────────────────────────
+  # PUBLISH — runs only on version tags (v*)
+  # Requires NPM_TOKEN secret in repo settings
+  # ─────────────────────────────────────────────
+  publish:
+    name: Publish to npm
+    runs-on: ubuntu-latest
+    needs: test
+    if: startsWith(github.ref, 'refs/tags/v')
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          registry-url: 'https://registry.npmjs.org'
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Publish
+        run: npm publish --access public
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

package/bin/troxy.js

@@ -0,0 +1,99 @@
+#!/usr/bin/env node
+import { runInit }     from '../src/init.js';
+import { runMcp }      from '../src/mcp-server.js';
+import { runLogin, clearSession } from '../src/auth.js';
+import { runCards }    from '../src/cards.js';
+import { runPolicies } from '../src/policies.js';
+import { runActivity } from '../src/activity.js';
+import { api }         from '../src/api.js';
+import { requireJwt }  from '../src/auth.js';
+import { table }       from '../src/print.js';
+
+const [,, command, sub, ...rest] = process.argv;
+const allArgs = [sub, ...rest].filter(Boolean);
+
+// Parse --flag value pairs
+const flags = {};
+const positional = [];
+for (let i = 0; i < allArgs.length; i++) {
+  if (allArgs[i].startsWith('--')) {
+    const key  = allArgs[i].slice(2);
+    const next = allArgs[i + 1];
+    flags[key] = next && !next.startsWith('--') ? allArgs[++i] : true;
+  } else {
+    positional.push(allArgs[i]);
+  }
+}
+
+switch (command) {
+  // ── Setup ─────────────────────────────────────────────────────
+  case 'init':
+    await runInit(flags);
+    break;
+
+  // ── Auth ──────────────────────────────────────────────────────
+  case 'login':
+    await runLogin(flags);
+    break;
+
+  case 'logout':
+    clearSession();
+    console.log('\n  Logged out ✓\n');
+    break;
+
+  // ── MCP server (started by MCP clients) ───────────────────────
+  case 'mcp':
+    await runMcp();
+    break;
+
+  // ── Resources ─────────────────────────────────────────────────
+  case 'cards':
+    await runCards(positional, flags);
+    break;
+
+  case 'policies':
+    await runPolicies(positional, flags);
+    break;
+
+  case 'activity':
+    await runActivity(flags);
+    break;
+
+  // ── Status ────────────────────────────────────────────────────
+  case 'status': {
+    const health = await api.health();
+    console.log(`\n  API:  ${health.status === 'ok' ? '✓ online' : '✗ ' + health.status}`);
+    console.log(`  DB:   ${health.db}`);
+    console.log(`  Env:  ${health.env}\n`);
+    break;
+  }
+
+  // ── Help / default ────────────────────────────────────────────
+  default:
+    if (command) console.error(`  Unknown command: ${command}\n`);
+    console.log(`
+  Troxy — AI payment control
+
+  Setup
+    npx troxy init --key <api-key>      Initialize and patch MCP clients
+    npx troxy login                     Log in to your dashboard account
+    npx troxy logout                    Clear local session
+    npx troxy status                    Check API health
+
+  Cards
+    npx troxy cards list
+    npx troxy cards create --name "Personal" [--budget 500] [--provider stripe]
+    npx troxy cards delete --name "Personal"
+
+  Policies
+    npx troxy policies list
+    npx troxy policies create --name "Block high" --action BLOCK --field amount --operator gte --value 100
+    npx troxy policies enable  --name "Block high"
+    npx troxy policies disable --name "Block high"
+    npx troxy policies delete  --name "Block high"
+
+  Activity
+    npx troxy activity [--limit 50]
+`);
+    process.exit(command ? 1 : 0);
+}

package/package.json

@@ -0,0 +1,20 @@
+{
+  "name": "@troxy/cli",
+  "version": "0.1.0",
+  "description": "AI payment control — protect your agent's payments with policies",
+  "type": "module",
+  "bin": {
+    "troxy": "./bin/troxy.js"
+  },
+  "scripts": {
+    "test": "node --test src/tests/*.test.js"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.10.2"
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "keywords": ["mcp", "ai", "payments", "policy", "agents"],
+  "license": "MIT"
+}

package/src/activity.js

@@ -0,0 +1,26 @@
+import { api }        from './api.js';
+import { requireJwt } from './auth.js';
+import { table }      from './print.js';
+
+const DECISION_ICON = { ALLOW: '✓', BLOCK: '✗', ESCALATE: '⏳', NOTIFY: '~' };
+
+export async function runActivity(flags) {
+  const jwt   = requireJwt();
+  const limit = Number(flags.limit || 20);
+  const rows  = await api.activity(jwt, limit);
+
+  if (!rows.length) { console.log('\n  No activity yet.\n'); return; }
+
+  console.log();
+  table(
+    ['Decision', 'Agent', 'Merchant', 'Amount', 'Policy', 'Time'],
+    rows.map(r => [
+      `${DECISION_ICON[r.decision] || ' '} ${r.decision}`,
+      r.agent_name || 'unknown',
+      r.merchant_name || '—',
+      r.amount ? `$${Number(r.amount).toFixed(2)}` : '—',
+      r.policy_name || '—',
+      new Date(r.created_at).toLocaleString(),
+    ]),
+  );
+}

package/src/api.js

@@ -0,0 +1,50 @@
+export const BASE_URL =
+  process.env.TROXY_API_URL ||
+  'https://wuxyx33bka.execute-api.us-east-1.amazonaws.com';
+
+async function request(method, path, { apiKey, jwt, body } = {}) {
+  const headers = { 'Content-Type': 'application/json' };
+  if (apiKey) headers['X-Troxy-Key'] = apiKey;
+  if (jwt)    headers['Authorization'] = `Bearer ${jwt}`;
+
+  const res = await fetch(`${BASE_URL}${path}`, {
+    method,
+    headers,
+    body: body ? JSON.stringify(body) : undefined,
+  });
+
+  const data = await res.json();
+  if (!res.ok) throw new Error(data?.error || `HTTP ${res.status}`);
+  return data;
+}
+
+export const api = {
+  // Auth
+  health:     ()          => request('GET',    '/health'),
+  magicLink:  (email)     => request('POST',   '/auth/magic-link', { body: { email } }),
+  verify:     (token)     => request('POST',   '/auth/verify',     { body: { token } }),
+
+  // Cards
+  listCards:   (jwt)      => request('GET',    '/cards',    { jwt }),
+  createCard:  (jwt, b)   => request('POST',   '/cards',    { jwt, body: b }),
+  updateCard:  (jwt, id, b) => request('PUT',  `/cards/${id}`, { jwt, body: b }),
+  deleteCard:  (jwt, id)  => request('DELETE', `/cards/${id}`, { jwt }),
+
+  // Policies
+  listPolicies:  (jwt)       => request('GET',    '/dashboard/policies',        { jwt }),
+  createPolicy:  (jwt, b)    => request('POST',   '/dashboard/policies',        { jwt, body: b }),
+  updatePolicy:  (jwt, id, b) => request('PATCH', `/dashboard/policies/${id}`,  { jwt, body: b }),
+  deletePolicy:  (jwt, id)   => request('DELETE', `/dashboard/policies/${id}`,  { jwt }),
+
+  // Activity + insights
+  activity:   (jwt, limit) => request('GET', `/dashboard/activity?limit=${limit || 20}`, { jwt }),
+  insights:   (jwt)        => request('GET', '/dashboard/insights', { jwt }),
+
+  // Tokens
+  listTokens:   (jwt)     => request('GET',    '/tokens',        { jwt }),
+  createToken:  (jwt, b)  => request('POST',   '/tokens',        { jwt, body: b }),
+  revokeToken:  (jwt, id) => request('DELETE', `/tokens/${id}`,  { jwt }),
+
+  // Evaluate (agent API key)
+  evaluate: (body, apiKey) => request('POST', '/evaluate', { apiKey, body }),
+};

package/src/auth.js

@@ -0,0 +1,69 @@
+import fs       from 'fs';
+import os       from 'os';
+import path     from 'path';
+import readline from 'readline';
+import { api }  from './api.js';
+
+const SESSION_FILE = path.join(os.homedir(), '.troxy', 'session.json');
+
+export function loadSession() {
+  try {
+    return JSON.parse(fs.readFileSync(SESSION_FILE, 'utf8'));
+  } catch {
+    return null;
+  }
+}
+
+export function saveSession(data) {
+  fs.mkdirSync(path.dirname(SESSION_FILE), { recursive: true });
+  fs.writeFileSync(SESSION_FILE, JSON.stringify(data, null, 2));
+}
+
+export function clearSession() {
+  try { fs.unlinkSync(SESSION_FILE); } catch {}
+}
+
+/** Require a valid JWT session or exit with a helpful message. */
+export function requireJwt() {
+  const session = loadSession();
+  if (!session?.jwt) {
+    console.error('\n  Not logged in. Run: npx troxy login\n');
+    process.exit(1);
+  }
+  return session.jwt;
+}
+
+/** Interactive magic-link login flow. */
+export async function runLogin({ email } = {}) {
+  if (!email) {
+    const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+    email = await new Promise(resolve => rl.question('  Email: ', ans => { rl.close(); resolve(ans.trim()); }));
+  }
+
+  process.stdout.write(`\n  Sending magic link to ${email}... `);
+  try {
+    await api.magicLink(email);
+    console.log('✓');
+  } catch (err) {
+    console.log('✗');
+    console.error(`  Error: ${err.message}\n`);
+    process.exit(1);
+  }
+
+  const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+  const token = await new Promise(resolve =>
+    rl.question('  Paste the code from the email: ', ans => { rl.close(); resolve(ans.trim()); })
+  );
+
+  process.stdout.write('  Verifying... ');
+  try {
+    const result = await api.verify(token);
+    saveSession({ jwt: result.token, email });
+    console.log('✓');
+    console.log(`\n  Logged in as ${email}\n`);
+  } catch (err) {
+    console.log('✗');
+    console.error(`  Error: ${err.message}\n`);
+    process.exit(1);
+  }
+}

package/src/cards.js

@@ -0,0 +1,58 @@
+import { api }        from './api.js';
+import { requireJwt } from './auth.js';
+import { table, fmt } from './print.js';
+
+export async function runCards([sub, ...args], flags) {
+  const jwt = requireJwt();
+
+  switch (sub) {
+    case 'list':
+    case undefined: {
+      const cards = await api.listCards(jwt);
+      if (!cards.length) { console.log('\n  No cards yet.\n'); return; }
+      console.log();
+      table(
+        ['Name', 'Status', 'Budget', 'Used', 'Provider'],
+        cards.map(c => [
+          c.alias_name,
+          c.status,
+          c.monthly_budget ? `$${c.monthly_budget}` : '—',
+          c.budget_used    ? `$${Number(c.budget_used).toFixed(2)}` : '$0.00',
+          c.provider || '—',
+        ]),
+      );
+      break;
+    }
+
+    case 'create': {
+      const name = flags.name;
+      if (!name) { console.error('  --name is required\n'); process.exit(1); }
+      const body = {
+        alias_name:     name,
+        monthly_budget: flags.budget ? Number(flags.budget) : null,
+        provider:       flags.provider || null,
+        card_number:    flags['card-number'] || null,
+        status:         'active',
+      };
+      const card = await api.createCard(jwt, body);
+      console.log(`\n  Card "${card.alias_name}" created ✓\n`);
+      break;
+    }
+
+    case 'delete': {
+      const name = flags.name;
+      if (!name) { console.error('  --name is required\n'); process.exit(1); }
+      const cards = await api.listCards(jwt);
+      const card  = cards.find(c => c.alias_name === name);
+      if (!card) { console.error(`  Card "${name}" not found\n`); process.exit(1); }
+      await api.deleteCard(jwt, card.id);
+      console.log(`\n  Card "${name}" deleted ✓\n`);
+      break;
+    }
+
+    default:
+      console.error(`  Unknown subcommand: ${sub}`);
+      console.error('  Usage: npx troxy cards [list|create|delete]\n');
+      process.exit(1);
+  }
+}

package/src/config.js

@@ -0,0 +1,19 @@
+import fs   from 'fs';
+import os   from 'os';
+import path from 'path';
+
+const CONFIG_DIR  = path.join(os.homedir(), '.troxy');
+const CONFIG_FILE = path.join(CONFIG_DIR, 'config.json');
+
+export function loadConfig() {
+  try {
+    return JSON.parse(fs.readFileSync(CONFIG_FILE, 'utf8'));
+  } catch {
+    return null;
+  }
+}
+
+export function saveConfig(data) {
+  fs.mkdirSync(CONFIG_DIR, { recursive: true });
+  fs.writeFileSync(CONFIG_FILE, JSON.stringify(data, null, 2));
+}

package/src/init.js

@@ -0,0 +1,119 @@
+import fs   from 'fs';
+import os   from 'os';
+import path from 'path';
+import { saveConfig }       from './config.js';
+import { evaluatePayment }  from './api.js';
+
+// MCP config locations per client and platform
+const MCP_CLIENTS = [
+  {
+    name: 'Claude Desktop',
+    path: {
+      darwin: path.join(os.homedir(), 'Library/Application Support/Claude/claude_desktop_config.json'),
+      win32:  path.join(process.env.APPDATA || os.homedir(), 'Claude/claude_desktop_config.json'),
+      linux:  path.join(os.homedir(), '.config/claude/claude_desktop_config.json'),
+    },
+  },
+  {
+    name: 'Cursor',
+    path: {
+      darwin: path.join(os.homedir(), '.cursor/mcp.json'),
+      win32:  path.join(os.homedir(), '.cursor/mcp.json'),
+      linux:  path.join(os.homedir(), '.cursor/mcp.json'),
+    },
+  },
+  {
+    name: 'Windsurf',
+    path: {
+      darwin: path.join(os.homedir(), '.codeium/windsurf/mcp_config.json'),
+      win32:  path.join(os.homedir(), '.codeium/windsurf/mcp_config.json'),
+      linux:  path.join(os.homedir(), '.codeium/windsurf/mcp_config.json'),
+    },
+  },
+];
+
+export async function runInit({ key } = {}) {
+  if (!key || !key.startsWith('txy-')) {
+    console.error('\n  Error: --key is required and must start with txy-');
+    console.error('  Usage: npx troxy init --key txy-...\n');
+    process.exit(1);
+  }
+
+  console.log('\n  Troxy — AI payment control\n');
+
+  // Validate the key by hitting /evaluate (404 card = key is valid)
+  process.stdout.write('  Validating API key...  ');
+  try {
+    const result = await evaluatePayment(
+      { agent: 'troxy-init', card_alias: '__ping__', amount: 0 },
+      key,
+    );
+    if (result.error === 'invalid or revoked API key') {
+      console.log('✗');
+      console.error('\n  Error: Invalid or revoked API key.\n');
+      process.exit(1);
+    }
+    console.log('✓');
+  } catch {
+    console.log('✗');
+    console.error('\n  Error: Could not reach Troxy API. Check your internet connection.\n');
+    process.exit(1);
+  }
+
+  // Save config
+  saveConfig({ apiKey: key });
+  console.log('  Config saved (~/.troxy/config.json)  ✓');
+
+  // Detect and patch MCP clients
+  const platform = process.platform;
+  const detected = MCP_CLIENTS.filter(c => {
+    const p = c.path[platform] ?? c.path.linux;
+    return fs.existsSync(p);
+  });
+
+  if (detected.length === 0) {
+    console.log('\n  No MCP clients detected (Claude Desktop, Cursor, Windsurf).');
+    console.log('  Troxy MCP server config:\n');
+    console.log(JSON.stringify(mcpEntry(key), null, 4));
+    console.log('\n  Add the above to your MCP client\'s config under "mcpServers".\n');
+  } else {
+    console.log('\n  MCP clients found:');
+    for (const client of detected) {
+      const configPath = client.path[platform] ?? client.path.linux;
+      try {
+        patchMcpConfig(configPath, key);
+        console.log(`    • ${client.name}  ✓`);
+      } catch (err) {
+        console.log(`    • ${client.name}  ✗  (${err.message})`);
+      }
+    }
+    console.log('\n  Restart your MCP client to activate Troxy.');
+  }
+
+  console.log('\n  Your payments are now protected.');
+  console.log('  Dashboard → https://dashboard.troxy.ai\n');
+}
+
+function mcpEntry(apiKey) {
+  return {
+    troxy: {
+      command: 'npx',
+      args:    ['troxy', 'mcp'],
+      env:     { TROXY_API_KEY: apiKey },
+    },
+  };
+}
+
+function patchMcpConfig(configPath, apiKey) {
+  let config = {};
+  try {
+    config = JSON.parse(fs.readFileSync(configPath, 'utf8'));
+  } catch {
+    // file exists but is empty or malformed — start fresh
+  }
+
+  if (!config.mcpServers) config.mcpServers = {};
+  config.mcpServers.troxy = mcpEntry(apiKey).troxy;
+
+  fs.writeFileSync(configPath, JSON.stringify(config, null, 2) + '\n');
+}

package/src/mcp-server.js

@@ -0,0 +1,110 @@
+import { Server }              from '@modelcontextprotocol/sdk/server/index.js';
+import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
+import {
+  CallToolRequestSchema,
+  ListToolsRequestSchema,
+} from '@modelcontextprotocol/sdk/types.js';
+import { loadConfig }      from './config.js';
+import { evaluatePayment } from './api.js';
+
+export async function runMcp() {
+  const config = loadConfig();
+  const apiKey = process.env.TROXY_API_KEY || config?.apiKey;
+
+  if (!apiKey) {
+    process.stderr.write(
+      'Troxy: no API key found. Run: npx troxy init --key txy-...\n',
+    );
+    process.exit(1);
+  }
+
+  const server = new Server(
+    { name: 'troxy', version: '0.1.0' },
+    { capabilities: { tools: {} } },
+  );
+
+  server.setRequestHandler(ListToolsRequestSchema, async () => ({
+    tools: [
+      {
+        name: 'evaluate_payment',
+        description:
+          'Evaluate whether a payment should be allowed, blocked, or escalated ' +
+          'based on your Troxy policies. Call this before initiating any payment.',
+        inputSchema: {
+          type: 'object',
+          required: ['card_alias', 'merchant_name', 'amount'],
+          properties: {
+            card_alias: {
+              type: 'string',
+              description: 'Card alias to charge (e.g. "Personal", "Business")',
+            },
+            merchant_name: {
+              type: 'string',
+              description: 'Name of the merchant or service',
+            },
+            amount: {
+              type: 'number',
+              description: 'Payment amount',
+            },
+            agent: {
+              type: 'string',
+              description: 'Name of the agent making the payment (optional)',
+            },
+            merchant_category: {
+              type: 'string',
+              description: 'Merchant category, e.g. "software", "travel" (optional)',
+            },
+            currency: {
+              type: 'string',
+              description: 'Currency code, defaults to USD (optional)',
+            },
+          },
+        },
+      },
+    ],
+  }));
+
+  server.setRequestHandler(CallToolRequestSchema, async (request) => {
+    if (request.params.name !== 'evaluate_payment') {
+      throw new Error(`Unknown tool: ${request.params.name}`);
+    }
+
+    const args   = request.params.arguments ?? {};
+    const result = await evaluatePayment(args, apiKey);
+
+    if (result.error) {
+      return {
+        content: [{ type: 'text', text: `Troxy error: ${result.error}` }],
+        isError: true,
+      };
+    }
+
+    const { decision, policy, audit_id } = result;
+    let text;
+
+    switch (decision) {
+      case 'ALLOW':
+        text = `✓ Payment approved.${policy ? ` Policy matched: "${policy}".` : ''} (audit: ${audit_id})`;
+        break;
+      case 'BLOCK':
+        text = `✗ Payment blocked by policy "${policy}". Do not proceed with this payment. (audit: ${audit_id})`;
+        break;
+      case 'ESCALATE':
+        text = `⏳ Payment requires human approval — a request has been sent to the account owner. Do not proceed until approved. (audit: ${audit_id})`;
+        break;
+      case 'NOTIFY':
+        text = `✓ Payment approved with notification. Policy matched: "${policy}". (audit: ${audit_id})`;
+        break;
+      default:
+        text = JSON.stringify(result);
+    }
+
+    return {
+      content: [{ type: 'text', text }],
+      isError: decision === 'BLOCK',
+    };
+  });
+
+  const transport = new StdioServerTransport();
+  await server.connect(transport);
+}

package/src/policies.js

@@ -0,0 +1,88 @@
+import { api }        from './api.js';
+import { requireJwt } from './auth.js';
+import { table }      from './print.js';
+
+export async function runPolicies([sub, ...args], flags) {
+  const jwt = requireJwt();
+
+  switch (sub) {
+    case 'list':
+    case undefined: {
+      const policies = await api.listPolicies(jwt);
+      if (!policies.length) { console.log('\n  No policies yet.\n'); return; }
+      console.log();
+      table(
+        ['Name', 'Action', 'Priority', 'Status', 'Conditions'],
+        policies.map(p => [
+          p.name,
+          p.action,
+          p.priority,
+          p.enabled ? 'enabled' : 'disabled',
+          Array.isArray(p.conditions) ? `${p.conditions.length} condition(s)` : '—',
+        ]),
+      );
+      break;
+    }
+
+    case 'create': {
+      const name   = flags.name;
+      const action = (flags.action || '').toUpperCase();
+      if (!name)   { console.error('  --name is required\n');   process.exit(1); }
+      if (!action) { console.error('  --action is required\n'); process.exit(1); }
+      if (!['ALLOW','BLOCK','ESCALATE','NOTIFY'].includes(action)) {
+        console.error('  --action must be ALLOW, BLOCK, ESCALATE, or NOTIFY\n');
+        process.exit(1);
+      }
+
+      // Build a single condition if --field/--operator/--value are provided
+      const conditions = [];
+      if (flags.field) {
+        if (!flags.operator) { console.error('  --operator is required with --field\n'); process.exit(1); }
+        const cond = { field: flags.field, operator: flags.operator };
+        if (flags.value)  cond.value  = flags.value;
+        if (flags.value2) cond.value2 = flags.value2;
+        conditions.push(cond);
+      }
+
+      const body = {
+        name,
+        action,
+        conditions,
+        conditions_logic: (flags.logic || 'AND').toUpperCase(),
+        enabled: true,
+      };
+
+      const policy = await api.createPolicy(jwt, body);
+      console.log(`\n  Policy "${policy.name}" created ✓  (priority: ${policy.priority})\n`);
+      break;
+    }
+
+    case 'delete': {
+      const name = flags.name;
+      if (!name) { console.error('  --name is required\n'); process.exit(1); }
+      const policies = await api.listPolicies(jwt);
+      const policy   = policies.find(p => p.name === name);
+      if (!policy) { console.error(`  Policy "${name}" not found\n`); process.exit(1); }
+      await api.deletePolicy(jwt, policy.id);
+      console.log(`\n  Policy "${name}" deleted ✓\n`);
+      break;
+    }
+
+    case 'enable':
+    case 'disable': {
+      const name    = flags.name;
+      if (!name) { console.error('  --name is required\n'); process.exit(1); }
+      const policies = await api.listPolicies(jwt);
+      const policy   = policies.find(p => p.name === name);
+      if (!policy) { console.error(`  Policy "${name}" not found\n`); process.exit(1); }
+      await api.updatePolicy(jwt, policy.id, { enabled: sub === 'enable' });
+      console.log(`\n  Policy "${name}" ${sub}d ✓\n`);
+      break;
+    }
+
+    default:
+      console.error(`  Unknown subcommand: ${sub}`);
+      console.error('  Usage: npx troxy policies [list|create|delete|enable|disable]\n');
+      process.exit(1);
+  }
+}

package/src/print.js

@@ -0,0 +1,16 @@
+/** Print a simple ASCII table. */
+export function table(headers, rows) {
+  const cols = headers.length;
+  const widths = headers.map((h, i) =>
+    Math.max(String(h).length, ...rows.map(r => String(r[i] ?? '').length))
+  );
+
+  const line = () => '  ' + widths.map(w => '─'.repeat(w + 2)).join('┼') + '';
+  const row  = (cells, pad = ' ') =>
+    '  ' + cells.map((c, i) => ` ${String(c ?? '').padEnd(widths[i], pad)} `).join('│');
+
+  console.log(row(headers));
+  console.log('  ' + widths.map(w => '─'.repeat(w + 2)).join('┼'));
+  rows.forEach(r => console.log(row(r)));
+  console.log();
+}

package/src/tests/config.test.js

@@ -0,0 +1,25 @@
+import { describe, it, before, after } from 'node:test';
+import assert from 'node:assert/strict';
+import fs   from 'node:fs';
+import os   from 'node:os';
+import path from 'node:path';
+
+// Point config at a temp dir so tests don't touch ~/.troxy
+const TMP = fs.mkdtempSync(path.join(os.tmpdir(), 'troxy-test-'));
+process.env.HOME = TMP;
+
+const { loadConfig, saveConfig } = await import('../config.js');
+
+describe('config', () => {
+  after(() => fs.rmSync(TMP, { recursive: true, force: true }));
+
+  it('returns null when no config exists', () => {
+    assert.equal(loadConfig(), null);
+  });
+
+  it('saves and loads config', () => {
+    saveConfig({ apiKey: 'txy-test123' });
+    const cfg = loadConfig();
+    assert.equal(cfg.apiKey, 'txy-test123');
+  });
+});

package/src/tests/init.test.js

@@ -0,0 +1,22 @@
+import { describe, it } from 'node:test';
+import assert from 'node:assert/strict';
+
+describe('flag validation', () => {
+  it('rejects missing key', async () => {
+    // Dynamically import and test the validation logic
+    // We test the guard condition directly rather than calling runInit
+    // (which would make real network calls)
+    const key = undefined;
+    assert.ok(!key || !String(key).startsWith('txy-'));
+  });
+
+  it('rejects key without txy- prefix', () => {
+    const key = 'sk-notavalid';
+    assert.ok(!key.startsWith('txy-'));
+  });
+
+  it('accepts valid key format', () => {
+    const key = 'txy-abc123xyz';
+    assert.ok(key.startsWith('txy-'));
+  });
+});