@tuskydp/cli 0.2.1 → 0.4.0

package/src/commands/mcp.ts

@@ -9,7 +9,7 @@ import { existsSync, readFileSync, writeFileSync, mkdirSync } from 'fs';
 import { join, dirname, resolve } from 'path';
 import { homedir } from 'os';
 import chalk from 'chalk';
-import { getApiUrl, getApiKey, cliConfig } from '../config.js';
+import { getApiUrl, getApiKey, cliConfig, getSuiPrivateKey } from '../config.js';
 import { startMcpServer } from '../mcp/server.js';
 
 // ---------------------------------------------------------------------------
@@ -93,15 +93,16 @@ function getTuskyBinaryCommand(): { command: string; args: string[] } {
   return { command: 'npx', args: ['-y', '@tuskydp/cli', 'mcp', 'serve'] };
 }
 
-function buildMcpServerEntry(apiKey?: string, apiUrl?: string) {
+function buildMcpServerEntry(apiKey?: string, apiUrl?: string, suiPrivKey?: string) {
   const { command, args } = getTuskyBinaryCommand();
 
   const env: Record<string, string> = {};
   if (apiKey) env.TUSKYDP_API_KEY = apiKey;
   if (apiUrl) env.TUSKYDP_API_URL = apiUrl;
 
-  // Placeholder for password — user fills in
-  env.TUSKYDP_PASSWORD = '';
+  // Include Sui private key if provided or stored in config
+  const resolvedSuiKey = suiPrivKey || getSuiPrivateKey() || '';
+  env.TUSKYDP_SUI_PRIVATE_KEY = resolvedSuiKey;
 
   const entry: Record<string, unknown> = {
     command,
@@ -158,7 +159,8 @@ export function registerMcpCommands(program: Command) {
     .option('--target <target>', 'Target client: claude-code, claude-desktop, cursor', 'claude-code')
     .option('--api-key <key>', 'API key to embed (defaults to stored key)')
     .option('--api-url <url>', 'API URL override')
-    .action(async (options: { target: string; apiKey?: string; apiUrl?: string }) => {
+    .option('--sui-priv-key <key>', 'Sui Ed25519 private key for shared vault access (defaults to stored key)')
+    .action(async (options: { target: string; apiKey?: string; apiUrl?: string; suiPrivKey?: string }) => {
       const targets = getTargets();
       const target = targets.find((t) => t.name === options.target);
 
@@ -177,8 +179,8 @@ export function registerMcpCommands(program: Command) {
       // Only include non-default values
       const resolvedApiUrl = apiUrl && apiUrl !== 'https://api.tusky.ai' ? apiUrl : undefined;
 
-      // Build the server entry
-      const serverEntry = buildMcpServerEntry(apiKey, resolvedApiUrl);
+      // Build the server entry (SUI key: flag > config)
+      const serverEntry = buildMcpServerEntry(apiKey, resolvedApiUrl, options.suiPrivKey);
 
       // Read existing config
       const config = readJsonFile(target.configPath);
@@ -205,9 +207,13 @@ export function registerMcpCommands(program: Command) {
         console.log('');
       }
 
-      console.log(chalk.yellow('  Remember to set TUSKYDP_PASSWORD in the config for private vault encryption:'));
-      console.log(chalk.dim(`  Edit the env block in ${target.configPath}`));
-      console.log('');
+      const suiKey = options.suiPrivKey || getSuiPrivateKey();
+      if (!suiKey) {
+        console.log(chalk.yellow('  Note: No Sui key found. Set it up for shared vault access:'));
+        console.log(chalk.dim('  Run: tusky sui setup <suiprivkey1...>'));
+        console.log(chalk.dim('  Then re-run: tusky mcp install-config'));
+        console.log('');
+      }
 
       if (options.target === 'claude-desktop') {
         console.log(chalk.dim('  Restart Claude Desktop to pick up the changes.'));

package/src/commands/rehydrate.ts

@@ -1,14 +1,17 @@
 import type { Command } from 'commander';
 import { writeFileSync } from 'fs';
 import { join } from 'path';
+import ora from 'ora';
 import { resolveWalrusConfig } from '@tuskydp/shared/walrus-networks.js';
 import { formatBytes } from '../lib/output.js';
-import { createSpinner } from '../lib/progress.js';
 
 export async function rehydrateCommand(blobId: string, options: {
   output?: string;
+  stdout?: boolean;
 }, _program: Command) {
-  const spinner = createSpinner('Fetching blob from Walrus...');
+  // When piping to stdout, send spinner to stderr to avoid polluting the binary stream
+  const spinnerStream = options.stdout ? process.stderr : process.stdout;
+  const spinner = ora({ text: 'Fetching blob from Walrus...', stream: spinnerStream as NodeJS.WritableStream });
   spinner.start();
 
   try {
@@ -24,12 +27,16 @@ export async function rehydrateCommand(blobId: string, options: {
     const arrayBuf = await response.arrayBuffer();
     const fileBuffer = Buffer.from(new Uint8Array(arrayBuf));
 
-    // Sanitize blob ID for use as filename (replace non-filesystem-safe characters)
-    const safeBlobId = blobId.replace(/[^a-zA-Z0-9_-]/g, '_');
-    const outputPath = options.output || join(process.cwd(), `blob-${safeBlobId}`);
-    writeFileSync(outputPath, fileBuffer);
-
-    spinner.succeed(`Downloaded -> ${outputPath} (${formatBytes(fileBuffer.length)})`);
+    if (options.stdout) {
+      spinner.stop();
+      process.stdout.write(fileBuffer);
+    } else {
+      // Sanitize blob ID for use as filename (replace non-filesystem-safe characters)
+      const safeBlobId = blobId.replace(/[^a-zA-Z0-9_-]/g, '_');
+      const outputPath = options.output || join(process.cwd(), `blob-${safeBlobId}`);
+      writeFileSync(outputPath, fileBuffer);
+      spinner.succeed(`Downloaded -> ${outputPath} (${formatBytes(fileBuffer.length)})`);
+    }
   } catch (err: any) {
     spinner.fail(`Rehydrate failed: ${err.message}`);
     process.exit(1);

package/src/commands/sui.ts

@@ -0,0 +1,69 @@
+import type { Command } from 'commander';
+import chalk from 'chalk';
+import { cliConfig } from '../config.js';
+import { Ed25519Keypair } from '@mysten/sui/keypairs/ed25519';
+
+export function registerSuiCommands(program: Command) {
+  const sui = program
+    .command('sui')
+    .description('Manage Sui wallet key for shared vault access');
+
+  // ── tusky sui setup ──────────────────────────────────────────────────
+  sui
+    .command('setup <private-key>')
+    .description('Save a Sui Ed25519 private key to config for shared vault operations')
+    .action((privateKey: string) => {
+      let address: string;
+      try {
+        const keypair = Ed25519Keypair.fromSecretKey(privateKey);
+        address = keypair.toSuiAddress();
+      } catch {
+        console.error(chalk.red('Invalid Sui private key. Expected suiprivkey1... format.'));
+        process.exit(1);
+      }
+
+      cliConfig.set('suiPrivateKey', privateKey);
+      console.log(chalk.green('Sui private key saved to config.'));
+      console.log(chalk.dim(`  Sui address: ${address}`));
+      console.log('');
+      console.log(chalk.yellow('  Security note: The key is stored in your local config file.'));
+      console.log(chalk.dim(`  Location: ${cliConfig.path}`));
+      console.log(chalk.dim('  Run `tusky sui clear` to remove it.'));
+    });
+
+  // ── tusky sui show ───────────────────────────────────────────────────
+  sui
+    .command('show')
+    .description('Show the configured Sui address (does not reveal the private key)')
+    .action(() => {
+      const envKey = process.env.TUSKYDP_SUI_PRIVATE_KEY;
+      const configKey = cliConfig.get('suiPrivateKey');
+      const key = envKey || configKey;
+      const source = envKey ? 'env var (TUSKYDP_SUI_PRIVATE_KEY)' : 'config';
+
+      if (!key) {
+        console.log(chalk.dim('No Sui private key configured.'));
+        console.log(chalk.dim('Run: tusky sui setup <private-key>'));
+        return;
+      }
+
+      try {
+        const keypair = Ed25519Keypair.fromSecretKey(key);
+        const address = keypair.toSuiAddress();
+        console.log(`Sui address: ${address}`);
+        console.log(chalk.dim(`Source:      ${source}`));
+      } catch {
+        console.error(chalk.red('Stored Sui key is invalid. Run: tusky sui setup <private-key>'));
+        process.exit(1);
+      }
+    });
+
+  // ── tusky sui clear ──────────────────────────────────────────────────
+  sui
+    .command('clear')
+    .description('Remove the stored Sui private key from config')
+    .action(() => {
+      cliConfig.delete('suiPrivateKey');
+      console.log(chalk.green('Sui private key removed from config.'));
+    });
+}

package/src/commands/trash.ts

@@ -0,0 +1,121 @@
+import type { Command } from 'commander';
+import chalk from 'chalk';
+import inquirer from 'inquirer';
+import { cliConfig } from '../config.js';
+import { getSDKClientFromParent } from '../sdk.js';
+import { createTable, formatBytes, formatDate, shortId } from '../lib/output.js';
+
+export function registerTrashCommands(program: Command) {
+  const trash = program.command('trash').description('Manage trashed items');
+
+  // ── list ────────────────────────────────────────────────────────────
+  trash.command('list')
+    .description('List trashed files and vaults')
+    .action(async () => {
+      const sdk = getSDKClientFromParent(trash);
+      const root = trash.parent || trash;
+      const format = root.opts().format || cliConfig.get('outputFormat');
+      const trashed = await sdk.trash.list();
+
+      if (format === 'json') {
+        console.log(JSON.stringify(trashed, null, 2));
+        return;
+      }
+
+      const totalItems = trashed.files.length + trashed.vaults.length;
+      if (totalItems === 0) {
+        console.log(chalk.dim('Trash is empty.'));
+        return;
+      }
+
+      if (trashed.vaults.length > 0) {
+        console.log(chalk.bold('Trashed Vaults:'));
+        const table = createTable(['Name', 'Visibility', 'Files', 'Size', 'Deleted', 'ID']);
+        for (const v of trashed.vaults) {
+          table.push([
+            v.name,
+            v.visibility,
+            String(v.fileCount),
+            formatBytes(v.totalSizeBytes),
+            v.deletedAt ? formatDate(v.deletedAt) : 'N/A',
+            chalk.dim(shortId(v.id)),
+          ]);
+        }
+        console.log(table.toString());
+      }
+
+      if (trashed.files.length > 0) {
+        if (trashed.vaults.length > 0) console.log('');
+        console.log(chalk.bold('Trashed Files:'));
+        const table = createTable(['Name', 'Size', 'Status', 'Deleted', 'ID']);
+        for (const f of trashed.files) {
+          table.push([
+            f.name,
+            formatBytes(f.sizeBytes),
+            f.status,
+            f.deletedAt ? formatDate(f.deletedAt) : 'N/A',
+            chalk.dim(shortId(f.id)),
+          ]);
+        }
+        console.log(table.toString());
+      }
+
+      console.log(chalk.dim(`\n${totalItems} item(s) in trash. Items are permanently deleted after 7 days.`));
+    });
+
+  // ── restore ─────────────────────────────────────────────────────────
+  trash.command('restore <id>')
+    .description('Restore a trashed item (file or vault)')
+    .action(async (id: string) => {
+      const sdk = getSDKClientFromParent(trash);
+      const result = await sdk.trash.restore(id);
+      console.log(chalk.green(`Restored ${result.type || 'item'}: ${id}`));
+    });
+
+  // ── delete ──────────────────────────────────────────────────────────
+  trash.command('delete <id>')
+    .description('Permanently delete a single trashed item')
+    .option('--force', 'Skip confirmation prompt')
+    .action(async (id: string, options) => {
+      const sdk = getSDKClientFromParent(trash);
+
+      if (!options.force) {
+        const answers = await inquirer.prompt([{
+          type: 'confirm',
+          name: 'confirm',
+          message: 'Permanently delete this item? This cannot be undone.',
+          default: false,
+        }]);
+        if (!answers.confirm) return;
+      }
+
+      await sdk.trash.delete(id);
+      console.log(chalk.green(`Permanently deleted: ${id}`));
+    });
+
+  // ── empty ───────────────────────────────────────────────────────────
+  trash.command('empty')
+    .description('Permanently delete ALL trashed items')
+    .option('--force', 'Skip confirmation prompt')
+    .action(async (options) => {
+      const sdk = getSDKClientFromParent(trash);
+
+      if (!options.force) {
+        const answers = await inquirer.prompt([{
+          type: 'confirm',
+          name: 'confirm',
+          message: 'Permanently delete ALL trashed items? This cannot be undone.',
+          default: false,
+        }]);
+        if (!answers.confirm) return;
+      }
+
+      await sdk.trash.empty();
+      console.log(chalk.green('Trash emptied.'));
+    });
+
+  // Default action for `tusky trash` with no subcommand → run list
+  trash.action(async () => {
+    await trash.commands.find(c => c.name() === 'list')?.parseAsync([], { from: 'user' });
+  });
+}

package/src/commands/upload.ts

@@ -9,9 +9,16 @@ import { createSDKClient } from '../sdk.js';
 import { resolveVault } from '../lib/resolve.js';
 import { formatBytes } from '../lib/output.js';
 import { createSpinner } from '../lib/progress.js';
-import { encryptBuffer } from '../crypto.js';
-import { loadMasterKey } from '../lib/keyring.js';
-import { isSealConfigured, sealEncrypt, getSuiKeypair } from '../seal.js';
+import { isSealConfigured, sealEncrypt, sealEncryptMetadata, getSuiKeypair } from '../seal.js';
+
+async function readStdin(): Promise<Buffer> {
+  return new Promise((resolve, reject) => {
+    const chunks: Buffer[] = [];
+    process.stdin.on('data', (chunk) => chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk)));
+    process.stdin.on('end', () => resolve(Buffer.concat(chunks)));
+    process.stdin.on('error', reject);
+  });
+}
 
 async function expandPaths(paths: string[], recursive?: boolean): Promise<string[]> {
   const result: string[] = [];
@@ -44,25 +51,97 @@ async function expandPaths(paths: string[], recursive?: boolean): Promise<string
 export async function uploadCommand(paths: string[], options: {
   vault?: string;
   recursive?: boolean;
+  folder?: string;
+  content?: string;
+  stdin?: boolean;
+  name?: string;
 }, program: Command) {
   const apiUrl = getApiUrl(program.opts().apiUrl);
   const apiKey = getApiKey(program.opts().apiKey);
   const sdk = createSDKClient(apiUrl, apiKey);
 
-  const vaultId = await resolveVault(sdk, options.vault);
-  const vault = await sdk.vaults.get(vaultId);
-  const isPrivate = vault.visibility === 'private';
-  const isShared = vault.visibility === 'shared' && isSealConfigured(vault);
-
-  let masterKey: Buffer | null = null;
-  if (isPrivate) {
-    masterKey = loadMasterKey();
-    if (!masterKey) {
-      console.error(chalk.red('Encryption session not unlocked. Run: tusky encryption unlock'));
+  // ── Inline content / stdin mode ──────────────────────────────────
+  if (options.content !== undefined || options.stdin) {
+    if (!options.name) {
+      console.error(chalk.red('--name <filename> is required when using --content or --stdin'));
       process.exit(1);
     }
+
+    const fileName = options.name;
+    let fileBuffer: Buffer;
+    if (options.stdin) {
+      fileBuffer = await readStdin();
+    } else {
+      fileBuffer = Buffer.from(options.content as string, 'utf8');
+    }
+
+    const vaultId = await resolveVault(sdk, options.vault);
+    const vault = await sdk.vaults.get(vaultId);
+    const isShared = vault.visibility === 'shared' && isSealConfigured(vault);
+
+    const spinner = createSpinner(`Uploading ${fileName}`);
+    spinner.start();
+
+    try {
+      const mimeType = lookup(fileName) || 'application/octet-stream';
+      let uploadBody: Buffer;
+      let encryptionMeta: {
+        sealIdentity?: string;
+        sealEncryptedObject?: string;
+        encryptedMetadata?: string;
+      } = {};
+
+      if (isShared) {
+        spinner.text = `SEAL encrypting ${fileName}...`;
+        const fileNonce = randomUUID();
+        const sealResult = await sealEncrypt(new Uint8Array(fileBuffer), vault, fileNonce);
+        uploadBody = Buffer.from(sealResult.encryptedData);
+        encryptionMeta = {
+          sealIdentity: sealResult.sealIdentity,
+          sealEncryptedObject: sealResult.sealEncryptedObject,
+          encryptedMetadata: await sealEncryptMetadata(fileName, mimeType, vault, fileNonce),
+        };
+      } else {
+        uploadBody = fileBuffer;
+      }
+
+      spinner.text = `Requesting upload URL for ${fileName}...`;
+      const { fileId, uploadUrl } = await sdk.files.requestUpload({
+        name: fileName,
+        mimeType,
+        sizeBytes: uploadBody.length,
+        vaultId,
+        ...(options.folder ? { folderId: options.folder } : {}),
+        ...encryptionMeta,
+      });
+
+      spinner.text = `Uploading ${fileName} (${formatBytes(uploadBody.length)})...`;
+      const uploadResponse = await fetch(uploadUrl, {
+        method: 'PUT',
+        headers: { 'Content-Type': 'application/octet-stream' },
+        body: new Uint8Array(uploadBody),
+      });
+      if (!uploadResponse.ok) throw new Error(`Upload failed: ${uploadResponse.status}`);
+
+      spinner.text = `Confirming ${fileName}...`;
+      await sdk.files.confirmUpload(fileId);
+
+      spinner.succeed(`${fileName} -> ${fileId} (${formatBytes(uploadBody.length)})`);
+    } catch (err: any) {
+      spinner.fail(`Failed: ${fileName} — ${err.message}`);
+      if (err.statusCode === 402) {
+        console.error(chalk.yellow('  This may require topping up your wallet balance.'));
+        console.error(chalk.dim('  Check your wallet: tusky wallet info'));
+      }
+    }
+    return;
   }
 
+  // ── File path mode (original behavior) ───────────────────────────
+  const vaultId = await resolveVault(sdk, options.vault);
+  const vault = await sdk.vaults.get(vaultId);
+  const isShared = vault.visibility === 'shared' && isSealConfigured(vault);
+
   if (isShared) {
     const keypair = getSuiKeypair();
     if (!keypair) {
@@ -91,25 +170,12 @@ export async function uploadCommand(paths: string[], options: {
 
       let uploadBody: Buffer;
       let encryptionMeta: {
-        wrappedKey?: string;
-        encryptionIv?: string;
-        plaintextSizeBytes?: number;
-        plaintextChecksumSha256?: string;
         sealIdentity?: string;
         sealEncryptedObject?: string;
+        encryptedMetadata?: string;
       } = {};
 
-      if (isPrivate && masterKey) {
-        spinner.text = `Encrypting ${basename(filePath)}...`;
-        const { ciphertext, wrappedKey, iv, plaintextChecksum } = encryptBuffer(fileBuffer, masterKey);
-        uploadBody = ciphertext;
-        encryptionMeta = {
-          wrappedKey,
-          encryptionIv: iv,
-          plaintextSizeBytes: stat.size,
-          plaintextChecksumSha256: plaintextChecksum,
-        };
-      } else if (isShared) {
+      if (isShared) {
         spinner.text = `SEAL encrypting ${basename(filePath)}...`;
         const fileNonce = randomUUID();
         const sealResult = await sealEncrypt(new Uint8Array(fileBuffer), vault, fileNonce);
@@ -117,7 +183,7 @@ export async function uploadCommand(paths: string[], options: {
         encryptionMeta = {
           sealIdentity: sealResult.sealIdentity,
           sealEncryptedObject: sealResult.sealEncryptedObject,
-          plaintextSizeBytes: stat.size,
+          encryptedMetadata: await sealEncryptMetadata(basename(filePath), mimeType, vault, fileNonce),
         };
       } else {
         uploadBody = fileBuffer;
@@ -130,6 +196,7 @@ export async function uploadCommand(paths: string[], options: {
         mimeType,
         sizeBytes: uploadBody.length,
         vaultId,
+        ...(options.folder ? { folderId: options.folder } : {}),
         ...encryptionMeta,
       });
 
@@ -154,13 +221,13 @@ export async function uploadCommand(paths: string[], options: {
       // Surface PPU payment details if present (402 errors)
       if (err.statusCode === 402) {
         console.error(chalk.yellow('  This may require topping up your wallet balance.'));
-        console.error(chalk.dim('  Check your wallet: tusky account usage'));
+        console.error(chalk.dim('  Check your wallet: tusky wallet info'));
       }
     }
   }
 
   if (filePaths.length > 1) {
-    const label = isPrivate ? 'private' : isShared ? 'shared' : 'public';
+    const label = isShared ? 'shared' : 'public';
     console.log(`\nUploaded ${successCount} file(s) (${formatBytes(totalSize)}) to vault "${vault.name}" [${label}]`);
   }
 }

package/src/commands/vault.ts

@@ -8,7 +8,6 @@ import { resolveVault } from '../lib/resolve.js';
 
 /** Map vault visibility to a display label. */
 function visibilityLabel(v: string): string {
-  if (v === 'private') return 'private';
   if (v === 'shared') return 'shared';
   return 'public';
 }
@@ -18,34 +17,14 @@ export function registerVaultCommands(program: Command) {
 
   // ── create ──────────────────────────────────────────────────────────
   vault.command('create <name>')
-    .description('Create a new vault (private/encrypted by default)')
-    .option('--public', 'Create as public vault (unencrypted, shareable via URL)')
+    .description('Create a new vault (public by default)')
     .option('--shared', 'Create as shared vault (SEAL-encrypted, requires linked Sui address)')
     .option('--description <text>', 'Vault description')
     .action(async (name: string, options) => {
       const sdk = getSDKClientFromParent(vault);
-      let visibility: 'public' | 'private' | 'shared' = 'private';
-      if (options.public) visibility = 'public';
+      let visibility: 'public' | 'shared' = 'public';
       if (options.shared) visibility = 'shared';
 
-      if (options.public && options.shared) {
-        console.error(chalk.red('Cannot use both --public and --shared.'));
-        return;
-      }
-
-      if (visibility === 'private') {
-        try {
-          const { setupComplete } = await sdk.account.getEncryptionParams();
-          if (!setupComplete) {
-            console.log(chalk.red('Encryption must be set up before creating private vaults.'));
-            console.log(chalk.dim('  Run: tusky encryption setup'));
-            return;
-          }
-        } catch {
-          // If endpoint fails, proceed anyway
-        }
-      }
-
       if (visibility === 'shared') {
         try {
           const acct = await sdk.account.get();