@vtriv/cli 0.1.0 → 0.1.2

package/index.ts

@@ -2,13 +2,17 @@
 /**
  * vtriv-cli - Command-line interface for vtriv services
  *
- * Gateway-first: single baseUrl with service routing by path prefix
- * Auto-mints JWTs for non-auth services using root key
+ * Configuration hierarchy:
+ * 1. Account key (vtriv_ak_*) - set via `vtriv config`
+ * 2. Project profiles - created via `vtriv init <name>`
+ *
+ * The CLI auto-creates projects prefixed with account slug,
+ * and translates short names to full names transparently.
  */
 
-import { existsSync, readFileSync, writeFileSync } from "node:fs";
+import { existsSync, readFileSync, writeFileSync, mkdirSync, chmodSync } from "node:fs";
 import { homedir } from "node:os";
-import { join } from "node:path";
+import { join, dirname } from "node:path";
 import { Command } from "commander";
 import chalk from "chalk";
 
@@ -17,14 +21,15 @@ import chalk from "chalk";
 // =============================================================================
 
 interface Profile {
-	baseUrl: string;
-	rootKey: string;
+	apiKey: string; // vtriv_sk_*
 }
 
 interface Config {
-	default: string;
+	baseUrl: string;
+	accountKey?: string; // vtriv_ak_*
+	accountSlug?: string;
+	default?: string;
 	profiles: Record<string, Profile>;
-	apiKeys?: Record<string, string>;
 }
 
 interface GlobalOptions {
@@ -37,34 +42,55 @@ interface GlobalOptions {
 // Configuration
 // =============================================================================
 
-const CONFIG_PATH = join(homedir(), ".vtrivrc");
+function getConfigPath(): string {
+	const xdgConfig = process.env.XDG_CONFIG_HOME || join(homedir(), ".config");
+	return join(xdgConfig, "vtriv", "config.json");
+}
 
 function loadConfig(): Config | null {
-	if (!existsSync(CONFIG_PATH)) return null;
+	const configPath = getConfigPath();
+	if (!existsSync(configPath)) return null;
 	try {
-		return JSON.parse(readFileSync(CONFIG_PATH, "utf-8"));
+		return JSON.parse(readFileSync(configPath, "utf-8"));
 	} catch {
 		return null;
 	}
 }
 
 function saveConfig(config: Config): void {
-	writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2));
+	const configPath = getConfigPath();
+	const configDir = dirname(configPath);
+	if (!existsSync(configDir)) {
+		mkdirSync(configDir, { recursive: true, mode: 0o700 });
+	}
+	writeFileSync(configPath, JSON.stringify(config, null, 2), { mode: 0o600 });
+	chmodSync(configPath, 0o600);
 }
 
-function getProfile(profileName?: string): Profile {
+function getConfig(): Config {
 	const config = loadConfig();
 	if (!config) {
-		console.error(chalk.red("No config found. Run 'vtriv init' first."));
+		console.error(chalk.red("No config found. Run 'vtriv config' first."));
+		process.exit(1);
+	}
+	return config;
+}
+
+function getProfile(profileName?: string): { config: Config; profile: Profile; fullProjectName: string; shortName: string } {
+	const config = getConfig();
+	const shortName = profileName || config.default;
+	if (!shortName) {
+		console.error(chalk.red("No default profile. Run 'vtriv init <name>' to create one."));
 		process.exit(1);
 	}
-	const name = profileName || config.default;
-	const profile = config.profiles[name];
+	const profile = config.profiles[shortName];
 	if (!profile) {
-		console.error(chalk.red(`Profile '${name}' not found.`));
+		console.error(chalk.red(`Profile '${shortName}' not found. Run 'vtriv init ${shortName}' to create it.`));
 		process.exit(1);
 	}
-	return profile;
+	// Expand short name to full project name
+	const fullProjectName = config.accountSlug ? `${config.accountSlug}-${shortName}` : shortName;
+	return { config, profile, fullProjectName, shortName };
 }
 
 // =============================================================================
@@ -107,7 +133,7 @@ function printTable(rows: Record<string, unknown>[]): void {
 	}
 }
 
-function error(msg: string, opts: GlobalOptions): void {
+function error(msg: string, opts: GlobalOptions): never {
 	if (opts.json) {
 		console.error(JSON.stringify({ error: msg }));
 	} else {
@@ -117,45 +143,86 @@ function error(msg: string, opts: GlobalOptions): void {
 }
 
 // =============================================================================
-// HTTP Request Helper
+// Token Management
 // =============================================================================
 
-// Cache for minted tokens per project
+// In-memory cache for minted tokens (per profile)
 const tokenCache = new Map<string, { token: string; expires: number }>();
 
+async function getToken(opts: GlobalOptions, template?: string): Promise<string> {
+	const { config, profile, fullProjectName } = getProfile(opts.profile);
+	
+	// Cache key includes template
+	const cacheKey = template ? `${fullProjectName}:${template}` : fullProjectName;
+	const cached = tokenCache.get(cacheKey);
+	if (cached && cached.expires > Date.now()) {
+		return cached.token;
+	}
+
+	// Mint a new token using the API key
+	const body: Record<string, unknown> = { expires_in: 3600 };
+	if (template) {
+		body.template = template;
+	}
+
+	const mintRes = await fetch(`${config.baseUrl}/auth/${fullProjectName}/token`, {
+		method: "POST",
+		headers: {
+			Authorization: `Bearer ${profile.apiKey}`,
+			"Content-Type": "application/json",
+		},
+		body: JSON.stringify(body),
+	});
+
+	if (!mintRes.ok) {
+		const err = await mintRes.text();
+		let msg: string;
+		try {
+			msg = JSON.parse(err).error || err;
+		} catch {
+			msg = err;
+		}
+		error(`Failed to mint token: ${msg}`, opts);
+	}
+
+	const tokenData = (await mintRes.json()) as { token: string };
+	const token = tokenData.token;
+
+	// Cache for 55 minutes (token valid for 60)
+	tokenCache.set(cacheKey, { token, expires: Date.now() + 55 * 60 * 1000 });
+
+	return token;
+}
+
+// =============================================================================
+// HTTP Request Helper
+// =============================================================================
+
 async function request(
 	service: string,
 	path: string,
 	options: {
 		method?: string;
 		body?: unknown;
-		project?: string;
+		template?: string;
 	},
 	opts: GlobalOptions
 ): Promise<unknown> {
-	const profile = getProfile(opts.profile);
-	const url = `${profile.baseUrl}/${service}${path}`;
+	const { config, fullProjectName } = getProfile(opts.profile);
+	const url = `${config.baseUrl}/${service}/${fullProjectName}${path}`;
 	const method = options.method || "GET";
 
 	const headers: Record<string, string> = {
 		"Content-Type": "application/json",
 	};
 
-	// Auth service uses root key via Bearer header
-	if (service === "auth") {
-		headers["Authorization"] = `Bearer ${profile.rootKey}`;
-	} else if (options.project) {
-		// Other services need a JWT minted via auth
-		const token = await getProjectToken(options.project, opts);
-		headers["Authorization"] = `Bearer ${token}`;
-	}
+	// Get a JWT token for the request
+	const token = await getToken(opts, options.template);
+	headers.Authorization = `Bearer ${token}`;
 
 	if (opts.debug) {
 		const bodyArg = options.body ? `-d '${JSON.stringify(options.body)}'` : "";
-		const authArg = headers["Authorization"]
-			? `-H "Authorization: ${headers["Authorization"]}"`
-			: "";
-		console.error(chalk.dim(`curl -X ${method} "${url}" ${authArg} ${bodyArg}`));
+		console.error(chalk.dim(`curl -X ${method} "${url}" -H "Authorization: Bearer <token>" ${bodyArg}`));
 	}
 
 	const res = await fetch(url, {
@@ -173,95 +240,16 @@ async function request(
 	}
 
 	if (!res.ok) {
-		const errMsg = typeof data === "object" && data !== null && "error" in data
-			? (data as { error: string }).error
-			: text;
+		const errMsg =
+			typeof data === "object" && data !== null && "error" in data
+				? (data as { error: string }).error
+				: text;
 		error(errMsg, opts);
 	}
 
 	return data;
 }
 
-async function getProjectToken(project: string, opts: GlobalOptions): Promise<string> {
-	const cached = tokenCache.get(project);
-	if (cached && cached.expires > Date.now()) {
-		return cached.token;
-	}
-
-	const profile = getProfile(opts.profile);
-	
-	// Get or create a CLI API key
-	let cliApiKey = getCachedApiKey(project);
-	
-	if (!cliApiKey) {
-		// Create a new API key for CLI use
-		const createKeyRes = await fetch(`${profile.baseUrl}/auth/${project}/api-keys`, {
-			method: "POST",
-			headers: {
-				"Authorization": `Bearer ${profile.rootKey}`,
-				"Content-Type": "application/json",
-			},
-			body: JSON.stringify({ name: "vtriv-cli" }),
-		});
-		
-		if (!createKeyRes.ok) {
-			const err = await createKeyRes.text();
-			error(`Failed to create CLI API key: ${err}`, opts);
-		}
-		
-		const keyData = (await createKeyRes.json()) as { api_key: string };
-		cliApiKey = keyData.api_key;
-		cacheApiKey(project, cliApiKey);
-	}
-	
-	// Now mint a token using the API key
-	const mintRes = await fetch(`${profile.baseUrl}/auth/${project}/token`, {
-		method: "POST",
-		headers: {
-			"Authorization": `Bearer ${cliApiKey}`,
-			"Content-Type": "application/json",
-		},
-		body: JSON.stringify({ expires_in: 3600 }),
-	});
-	
-	if (!mintRes.ok) {
-		// API key might be invalid/deleted, clear cache and retry
-		clearCachedApiKey(project);
-		error(`Failed to mint token. Try again.`, opts);
-	}
-	
-	const tokenData = (await mintRes.json()) as { token: string };
-	const token = tokenData.token;
-	
-	// Cache for 55 minutes (token valid for 60)
-	tokenCache.set(project, { token, expires: Date.now() + 55 * 60 * 1000 });
-	
-	return token;
-}
-
-// API key cache (stored in config)
-function getCachedApiKey(project: string): string | null {
-	const config = loadConfig();
-	return config?.apiKeys?.[project] || null;
-}
-
-function cacheApiKey(project: string, apiKey: string): void {
-	const config = loadConfig();
-	if (!config) return;
-	config.apiKeys = config.apiKeys || {};
-	config.apiKeys[project] = apiKey;
-	saveConfig(config);
-}
-
-function clearCachedApiKey(project: string): void {
-	const config = loadConfig();
-	if (!config) return;
-	if (config.apiKeys) {
-		delete config.apiKeys[project];
-		saveConfig(config);
-	}
-}
-
 // =============================================================================
 // Program
 // =============================================================================
@@ -277,189 +265,304 @@ program
 	.option("--debug", "Show HTTP requests");
 
 // =============================================================================
-// Init Command
+// Config Command
 // =============================================================================
 
 program
-	.command("init")
-	.description("Initialize CLI configuration")
+	.command("config")
+	.description("Configure account key and base URL")
 	.action(async () => {
 		const existing = loadConfig();
-		
-		console.log(chalk.bold("vtriv CLI Setup\n"));
-		
+
+		console.log(chalk.bold("vtriv Account Configuration\n"));
+
 		const readline = await import("node:readline");
 		const rl = readline.createInterface({
 			input: process.stdin,
 			output: process.stdout,
 		});
-		
+
 		const question = (q: string): Promise<string> =>
 			new Promise((resolve) => rl.question(q, resolve));
-		
-		const baseUrl = await question(
-			`Base URL [${existing?.profiles?.prod?.baseUrl || "https://api.vtriv.com"}]: `
-		) || existing?.profiles?.prod?.baseUrl || "https://api.vtriv.com";
-		
-		const rootKey = await question("Root Key (vtriv_rk_...): ");
-		
-		if (!rootKey) {
-			console.error(chalk.red("Root key is required."));
+
+		const baseUrl =
+			(await question(`Base URL [${existing?.baseUrl || "http://localhost:3000"}]: `)) ||
+			existing?.baseUrl ||
+			"http://localhost:3000";
+
+		const accountKey = await question("Account Key (vtriv_ak_...): ");
+		if (!accountKey) {
+			console.error(chalk.red("Account key is required."));
 			rl.close();
 			process.exit(1);
 		}
-		
-		if (!rootKey.startsWith("vtriv_rk_")) {
-			console.error(chalk.red("Root key must start with 'vtriv_rk_'."));
+
+		if (!accountKey.startsWith("vtriv_ak_")) {
+			console.error(chalk.red("Account key must start with 'vtriv_ak_'."));
 			rl.close();
 			process.exit(1);
 		}
-		
+
+		rl.close();
+
+		// Fetch account info to get slug
+		console.log(chalk.dim("\nVerifying account key..."));
+		const res = await fetch(`${baseUrl}/auth/accounts/me`, {
+			headers: { Authorization: `Bearer ${accountKey}` },
+		});
+
+		if (!res.ok) {
+			const err = await res.text();
+			let msg: string;
+			try {
+				msg = JSON.parse(err).error || err;
+			} catch {
+				msg = err;
+			}
+			console.error(chalk.red(`Failed to verify account: ${msg}`));
+			process.exit(1);
+		}
+
+		const accountInfo = (await res.json()) as { id: string; slug: string; name: string | null };
+
 		const config: Config = {
-			default: "prod",
-			profiles: {
-				prod: { baseUrl, rootKey },
-			},
+			baseUrl,
+			accountKey,
+			accountSlug: accountInfo.slug,
+			default: existing?.default,
+			profiles: existing?.profiles || {},
 		};
-		
+
 		saveConfig(config);
-		console.log(chalk.green(`\nConfig saved to ${CONFIG_PATH}`));
-		rl.close();
+		console.log(chalk.green(`\nAccount configured!`));
+		console.log(chalk.dim(`  Slug: ${accountInfo.slug}`));
+		console.log(chalk.dim(`  Name: ${accountInfo.name || "(none)"}`));
+		console.log(chalk.dim(`  Config: ${getConfigPath()}`));
 	});
 
 // =============================================================================
-// Auth Commands
+// Init Command
 // =============================================================================
 
-const auth = program.command("auth").description("Auth service commands");
+program
+	.command("init")
+	.description("Create a project and configure profile")
+	.argument("<name>", "Project name (short name, will be prefixed with account slug)")
+	.option("--default", "Set as default profile")
+	.action(async (name: string, cmdOpts: { default?: boolean }) => {
+		const config = loadConfig();
+		
+		if (!config?.accountKey || !config?.accountSlug) {
+			console.error(chalk.red("No account configured. Run 'vtriv config' first."));
+			process.exit(1);
+		}
 
-// Account commands (root key only)
-auth
-	.command("account:list")
-	.description("List all accounts")
-	.action(async () => {
-		const opts = program.opts<GlobalOptions>();
-		const data = (await request("auth", "/accounts", {}, opts)) as { accounts: unknown[] };
-		output(data.accounts, opts);
-	});
+		// Validate project name
+		if (!/^[a-zA-Z0-9_-]+$/.test(name)) {
+			console.error(chalk.red("Invalid project name. Use alphanumeric, dash, or underscore only."));
+			process.exit(1);
+		}
 
-auth
-	.command("account:create")
-	.description("Create a new account")
-	.option("--name <name>", "Account name")
-	.action(async (cmdOpts: { name?: string }) => {
-		const opts = program.opts<GlobalOptions>();
-		const body: Record<string, unknown> = {};
-		if (cmdOpts.name) body.name = cmdOpts.name;
-		const data = await request("auth", "/accounts", { method: "POST", body }, opts);
-		output(data, opts);
-		if (!opts.json) {
-			console.log(chalk.yellow("\nIMPORTANT: Save the account_key above - it cannot be retrieved later!"));
+		const fullProjectName = `${config.accountSlug}-${name}`;
+
+		// Try to create project
+		console.log(chalk.dim(`Creating project ${fullProjectName}...`));
+		const createRes = await fetch(`${config.baseUrl}/auth/projects`, {
+			method: "POST",
+			headers: {
+				Authorization: `Bearer ${config.accountKey}`,
+				"Content-Type": "application/json",
+			},
+			body: JSON.stringify({ name }),
+		});
+
+		let projectExists = false;
+		if (!createRes.ok) {
+			const err = (await createRes.json()) as { error?: string };
+			if (err.error === "Project already exists") {
+				projectExists = true;
+				console.log(chalk.yellow(`Project ${fullProjectName} already exists.`));
+			} else {
+				console.error(chalk.red(`Failed to create project: ${err.error}`));
+				process.exit(1);
+			}
+		} else {
+			console.log(chalk.green(`Created project ${fullProjectName}`));
 		}
-	});
 
-auth
-	.command("account:get")
-	.description("Get account details")
-	.argument("<id>", "Account ID")
-	.action(async (id: string) => {
-		const opts = program.opts<GlobalOptions>();
-		const data = await request("auth", `/accounts/${id}`, {}, opts);
-		output(data, opts);
+		// Create or fetch API key
+		console.log(chalk.dim("Creating API key..."));
+		const keyRes = await fetch(`${config.baseUrl}/auth/${fullProjectName}/api-keys`, {
+			method: "POST",
+			headers: {
+				Authorization: `Bearer ${config.accountKey}`,
+				"Content-Type": "application/json",
+			},
+			body: JSON.stringify({ name: "CLI" }),
+		});
+
+		if (!keyRes.ok) {
+			const err = (await keyRes.json()) as { error?: string };
+			console.error(chalk.red(`Failed to create API key: ${err.error}`));
+			process.exit(1);
+		}
+
+		const keyData = (await keyRes.json()) as { api_key: string };
+
+		// Save profile
+		config.profiles[name] = { apiKey: keyData.api_key };
+		if (cmdOpts.default || !config.default) {
+			config.default = name;
+		}
+
+		saveConfig(config);
+		console.log(chalk.green(`\nProfile '${name}' saved.`));
+		if (config.default === name) {
+			console.log(chalk.dim("Set as default profile."));
+		}
+		if (projectExists) {
+			console.log(chalk.dim("Note: A new API key was created for the existing project."));
+		}
 	});
 
-auth
-	.command("account:delete")
-	.description("Delete an account")
-	.argument("<id>", "Account ID")
-	.action(async (id: string) => {
+// =============================================================================
+// Status Command
+// =============================================================================
+
+program
+	.command("status")
+	.description("Show configuration and profiles")
+	.action(() => {
 		const opts = program.opts<GlobalOptions>();
-		const data = await request("auth", `/accounts/${id}`, { method: "DELETE" }, opts);
-		output(data, opts);
+		const config = loadConfig();
+		if (!config) {
+			console.log(chalk.dim("No config found. Run 'vtriv config' first."));
+			return;
+		}
+
+		if (opts.json) {
+			// Don't expose the actual keys
+			const safeConfig = {
+				baseUrl: config.baseUrl,
+				accountSlug: config.accountSlug,
+				hasAccountKey: !!config.accountKey,
+				default: config.default,
+				profiles: Object.keys(config.profiles),
+			};
+			console.log(JSON.stringify(safeConfig, null, 2));
+			return;
+		}
+
+		console.log(chalk.bold("Configuration"));
+		console.log(`  Base URL: ${config.baseUrl}`);
+		console.log(`  Account: ${config.accountSlug || chalk.dim("(not configured)")}`);
+		console.log(`  Default: ${config.default || chalk.dim("(none)")}`);
+		console.log();
+
+		if (Object.keys(config.profiles).length === 0) {
+			console.log(chalk.dim("No profiles. Run 'vtriv init <name>' to create one."));
+			return;
+		}
+
+		console.log(chalk.bold("Profiles"));
+		for (const [name] of Object.entries(config.profiles)) {
+			const fullName = config.accountSlug ? `${config.accountSlug}-${name}` : name;
+			const isDefault = name === config.default ? chalk.green(" (default)") : "";
+			console.log(`  ${name}${isDefault}`);
+			console.log(chalk.dim(`    → ${fullName}`));
+		}
 	});
 
-// Project commands
-auth
-	.command("project:list")
-	.description("List all projects")
+// =============================================================================
+// Project Commands
+// =============================================================================
+
+const project = program.command("project").description("Project management");
+
+project
+	.command("ls")
+	.description("List projects")
 	.action(async () => {
 		const opts = program.opts<GlobalOptions>();
-		const data = (await request("auth", "/projects", {}, opts)) as { projects: unknown[] };
-		output(data.projects, opts);
-	});
+		const config = getConfig();
 
-auth
-	.command("project:create")
-	.description("Create a new project")
-	.argument("<name>", "Project name")
-	.action(async (name: string) => {
-		const opts = program.opts<GlobalOptions>();
-		const data = await request("auth", "/projects", { method: "POST", body: { name } }, opts);
-		output(data, opts);
-	});
+		if (!config.accountKey) {
+			console.error(chalk.red("No account configured. Run 'vtriv config' first."));
+			process.exit(1);
+		}
 
-auth
-	.command("project:get")
-	.description("Get project details")
-	.argument("<name>", "Project name")
-	.action(async (name: string) => {
-		const opts = program.opts<GlobalOptions>();
-		const data = await request("auth", `/projects/${name}`, {}, opts);
-		output(data, opts);
+		const res = await fetch(`${config.baseUrl}/auth/projects`, {
+			headers: { Authorization: `Bearer ${config.accountKey}` },
+		});
+
+		if (!res.ok) {
+			const err = (await res.json()) as { error?: string };
+			error(err.error || "Failed to list projects", opts);
+		}
+
+		const data = (await res.json()) as { projects: Array<{ name: string; short_name: string; created_at: string }> };
+
+		if (opts.json) {
+			console.log(JSON.stringify(data.projects, null, 2));
+		} else {
+			const rows = data.projects.map((p) => ({
+				name: p.short_name,
+				full_name: p.name,
+				created: p.created_at.split("T")[0],
+				profile: config.profiles[p.short_name] ? "✓" : "",
+			}));
+			printTable(rows);
+		}
 	});
 
-auth
-	.command("project:delete")
+project
+	.command("rm")
 	.description("Delete a project")
-	.argument("<name>", "Project name")
+	.argument("<name>", "Project name (short name)")
 	.action(async (name: string) => {
 		const opts = program.opts<GlobalOptions>();
-		const data = await request("auth", `/projects/${name}`, { method: "DELETE" }, opts);
-		output(data, opts);
-	});
+		const config = getConfig();
 
-auth
-	.command("user:list")
-	.description("List users in a project")
-	.argument("<project>", "Project name")
-	.action(async (project: string) => {
-		const opts = program.opts<GlobalOptions>();
-		const data = (await request("auth", `/${project}/users`, {}, opts)) as { users: unknown[] };
-		output(data.users, opts);
-	});
+		if (!config.accountKey || !config.accountSlug) {
+			console.error(chalk.red("No account configured. Run 'vtriv config' first."));
+			process.exit(1);
+		}
 
-auth
-	.command("user:create")
-	.description("Create a user")
-	.argument("<project>", "Project name")
-	.argument("<email>", "User email")
-	.argument("[password]", "User password")
-	.action(async (project: string, email: string, password?: string) => {
-		const opts = program.opts<GlobalOptions>();
-		const body: Record<string, unknown> = { email };
-		if (password) body.password = password;
-		const data = await request("auth", `/${project}/users`, { method: "POST", body }, opts);
-		output(data, opts);
-	});
+		const fullName = `${config.accountSlug}-${name}`;
 
-auth
-	.command("user:delete")
-	.description("Delete a user")
-	.argument("<project>", "Project name")
-	.argument("<id>", "User ID")
-	.action(async (project: string, id: string) => {
-		const opts = program.opts<GlobalOptions>();
-		const data = await request("auth", `/${project}/users/${id}`, { method: "DELETE" }, opts);
-		output(data, opts);
+		const res = await fetch(`${config.baseUrl}/auth/projects/${fullName}`, {
+			method: "DELETE",
+			headers: { Authorization: `Bearer ${config.accountKey}` },
+		});
+
+		if (!res.ok) {
+			const err = (await res.json()) as { error?: string };
+			error(err.error || "Failed to delete project", opts);
+		}
+
+		// Remove from local profiles
+		if (config.profiles[name]) {
+			delete config.profiles[name];
+			if (config.default === name) {
+				config.default = Object.keys(config.profiles)[0];
+			}
+			saveConfig(config);
+		}
+
+		console.log(chalk.green(`Deleted project ${fullName}`));
 	});
 
-auth
-	.command("token:mint")
-	.description("Mint a JWT token for a project")
-	.argument("<project>", "Project name")
-	.action(async (project: string) => {
+// =============================================================================
+// Token Command
+// =============================================================================
+
+program
+	.command("token")
+	.description("Mint and display a JWT token")
+	.option("-t, --template <name>", "Use a specific template")
+	.action(async (cmdOpts: { template?: string }) => {
 		const opts = program.opts<GlobalOptions>();
-		const token = await getProjectToken(project, opts);
+		const token = await getToken(opts, cmdOpts.template);
 		if (opts.json) {
 			console.log(JSON.stringify({ token }));
 		} else {
@@ -467,38 +570,128 @@ auth
 		}
 	});
 
-auth
-	.command("apikey:list")
-	.description("List API keys for a project")
-	.argument("<project>", "Project name")
-	.action(async (project: string) => {
+// =============================================================================
+// Template Commands
+// =============================================================================
+
+const template = program.command("template").description("Token template management");
+
+template
+	.command("ls")
+	.description("List all templates")
+	.action(async () => {
 		const opts = program.opts<GlobalOptions>();
-		const data = (await request("auth", `/${project}/api-keys`, {}, opts)) as { api_keys: unknown[] };
-		output(data.api_keys, opts);
+		const { config, profile, fullProjectName } = getProfile(opts.profile);
+
+		const res = await fetch(`${config.baseUrl}/auth/${fullProjectName}/templates`, {
+			headers: { Authorization: `Bearer ${profile.apiKey}` },
+		});
+
+		if (!res.ok) {
+			const data = await res.json();
+			error((data as { error?: string }).error || "Failed to list templates", opts);
+		}
+
+		const data = (await res.json()) as { templates: Record<string, { claims: Record<string, unknown> }> };
+
+		if (opts.json) {
+			console.log(JSON.stringify(data.templates, null, 2));
+		} else {
+			const rows = Object.entries(data.templates).map(([name, tmpl]) => ({
+				name,
+				claims: JSON.stringify(tmpl.claims),
+			}));
+			printTable(rows);
+		}
 	});
 
-auth
-	.command("apikey:create")
-	.description("Create an API key")
-	.argument("<project>", "Project name")
-	.option("--name <name>", "Key name")
-	.action(async (project: string, cmdOpts: { name?: string }) => {
+template
+	.command("get")
+	.description("Get a specific template")
+	.argument("<name>", "Template name")
+	.action(async (name: string) => {
 		const opts = program.opts<GlobalOptions>();
-		const body: Record<string, unknown> = {};
-		if (cmdOpts.name) body.name = cmdOpts.name;
-		const data = await request("auth", `/${project}/api-keys`, { method: "POST", body }, opts);
+		const { config, profile, fullProjectName } = getProfile(opts.profile);
+
+		const res = await fetch(`${config.baseUrl}/auth/${fullProjectName}/templates/${name}`, {
+			headers: { Authorization: `Bearer ${profile.apiKey}` },
+		});
+
+		if (!res.ok) {
+			const data = await res.json();
+			error((data as { error?: string }).error || "Failed to get template", opts);
+		}
+
+		const data = await res.json();
 		output(data, opts);
 	});
 
-auth
-	.command("apikey:delete")
-	.description("Delete an API key")
-	.argument("<project>", "Project name")
-	.argument("<id>", "API key ID")
-	.action(async (project: string, id: string) => {
+template
+	.command("set")
+	.description("Create or update a template (reads JSON from stdin)")
+	.argument("<name>", "Template name")
+	.action(async (name: string) => {
 		const opts = program.opts<GlobalOptions>();
-		const data = await request("auth", `/${project}/api-keys/${id}`, { method: "DELETE" }, opts);
-		output(data, opts);
+		const { config, profile, fullProjectName } = getProfile(opts.profile);
+
+		// Read claims JSON from stdin
+		const chunks: Buffer[] = [];
+		for await (const chunk of Bun.stdin.stream()) {
+			chunks.push(Buffer.from(chunk));
+		}
+		const input = Buffer.concat(chunks).toString("utf-8").trim();
+
+		if (!input) {
+			error("No JSON provided on stdin. Provide claims object, e.g. {\"x-ai\": true}", opts);
+		}
+
+		let claims: Record<string, unknown>;
+		try {
+			claims = JSON.parse(input);
+		} catch {
+			error("Invalid JSON on stdin", opts);
+		}
+
+		const res = await fetch(`${config.baseUrl}/auth/${fullProjectName}/templates/${name}`, {
+			method: "PUT",
+			headers: {
+				Authorization: `Bearer ${profile.apiKey}`,
+				"Content-Type": "application/json",
+			},
+			body: JSON.stringify({ claims }),
+		});
+
+		if (!res.ok) {
+			const data = await res.json();
+			error((data as { error?: string }).error || "Failed to set template", opts);
+		}
+
+		console.log(chalk.green(`Template '${name}' saved.`));
+	});
+
+template
+	.command("rm")
+	.description("Delete a template")
+	.argument("<name>", "Template name")
+	.action(async (name: string) => {
+		const opts = program.opts<GlobalOptions>();
+		const { config, profile, fullProjectName } = getProfile(opts.profile);
+
+		if (name === "default") {
+			error("Cannot delete the default template", opts);
+		}
+
+		const res = await fetch(`${config.baseUrl}/auth/${fullProjectName}/templates/${name}`, {
+			method: "DELETE",
+			headers: { Authorization: `Bearer ${profile.apiKey}` },
+		});
+
+		if (!res.ok) {
+			const data = await res.json();
+			error((data as { error?: string }).error || "Failed to delete template", opts);
+		}
+
+		console.log(chalk.green(`Template '${name}' deleted.`));
 	});
 
 // =============================================================================
@@ -507,15 +700,13 @@ auth
 
 const db = program.command("db").description("Database service commands");
 
-db
-	.command("ls")
+db.command("ls")
 	.description("List documents")
-	.argument("<project>", "Project name")
 	.argument("<collection>", "Collection name")
 	.option("-f, --filter <json>", "Filter criteria (JSON)")
 	.option("-l, --limit <n>", "Limit results")
 	.option("-s, --sort <field>", "Sort field (prefix with - for desc)")
-	.action(async (project: string, collection: string, cmdOpts: { filter?: string; limit?: string; sort?: string }) => {
+	.action(async (collection: string, cmdOpts: { filter?: string; limit?: string; sort?: string }) => {
 		const opts = program.opts<GlobalOptions>();
 		const params = new URLSearchParams();
 		if (cmdOpts.filter) {
@@ -527,81 +718,71 @@ db
 		if (cmdOpts.limit) params.set("_limit", cmdOpts.limit);
 		if (cmdOpts.sort) params.set("_sort", cmdOpts.sort);
 		const query = params.toString() ? `?${params.toString()}` : "";
-		const data = (await request("db", `/${project}/${collection}${query}`, { project }, opts)) as { data: unknown[] };
+		const data = (await request("db", `/${collection}${query}`, {}, opts)) as { data: unknown[] };
 		output(data.data, opts);
 	});
 
-db
-	.command("get")
+db.command("get")
 	.description("Get a document")
-	.argument("<project>", "Project name")
 	.argument("<collection>", "Collection name")
 	.argument("<id>", "Document ID")
-	.action(async (project: string, collection: string, id: string) => {
+	.action(async (collection: string, id: string) => {
 		const opts = program.opts<GlobalOptions>();
-		const data = await request("db", `/${project}/${collection}/${id}`, { project }, opts);
+		const data = await request("db", `/${collection}/${id}`, {}, opts);
 		output(data, opts);
 	});
 
-db
-	.command("put")
+db.command("put")
 	.description("Create or update a document (reads JSON from stdin)")
-	.argument("<project>", "Project name")
 	.argument("<collection>", "Collection name")
 	.argument("[id]", "Document ID (for update)")
-	.action(async (project: string, collection: string, id?: string) => {
+	.action(async (collection: string, id?: string) => {
 		const opts = program.opts<GlobalOptions>();
-		
+
 		// Read from stdin
 		const chunks: Buffer[] = [];
 		for await (const chunk of Bun.stdin.stream()) {
 			chunks.push(Buffer.from(chunk));
 		}
 		const input = Buffer.concat(chunks).toString("utf-8").trim();
-		
+
 		if (!input) {
 			error("No JSON provided on stdin", opts);
 		}
-		
+
 		let body: unknown;
 		try {
 			body = JSON.parse(input);
 		} catch {
 			error("Invalid JSON on stdin", opts);
 		}
-		
+
 		if (id) {
-			// Update (PUT)
-			const data = await request("db", `/${project}/${collection}/${id}`, { method: "PUT", body, project }, opts);
+			const data = await request("db", `/${collection}/${id}`, { method: "PUT", body }, opts);
 			output(data, opts);
 		} else {
-			// Create (POST)
-			const data = await request("db", `/${project}/${collection}`, { method: "POST", body, project }, opts);
+			const data = await request("db", `/${collection}`, { method: "POST", body }, opts);
 			output(data, opts);
 		}
 	});
 
-db
-	.command("rm")
+db.command("rm")
 	.description("Delete a document")
-	.argument("<project>", "Project name")
 	.argument("<collection>", "Collection name")
 	.argument("<id>", "Document ID")
-	.action(async (project: string, collection: string, id: string) => {
+	.action(async (collection: string, id: string) => {
 		const opts = program.opts<GlobalOptions>();
-		const data = await request("db", `/${project}/${collection}/${id}`, { method: "DELETE", project }, opts);
+		const data = await request("db", `/${collection}/${id}`, { method: "DELETE" }, opts);
 		output(data, opts);
 	});
 
-db
-	.command("schema")
+db.command("schema")
 	.description("Get or set collection schema")
-	.argument("<project>", "Project name")
 	.argument("<collection>", "Collection name")
 	.option("--set", "Set schema (reads JSON from stdin)")
-	.action(async (project: string, collection: string, cmdOpts: { set?: boolean }) => {
+	.action(async (collection: string, cmdOpts: { set?: boolean }) => {
 		const opts = program.opts<GlobalOptions>();
-		
+
 		if (cmdOpts.set) {
 			const chunks: Buffer[] = [];
 			for await (const chunk of Bun.stdin.stream()) {
@@ -609,10 +790,10 @@ db
 			}
 			const input = Buffer.concat(chunks).toString("utf-8").trim();
 			const body = JSON.parse(input);
-			const data = await request("db", `/${project}/${collection}/_schema`, { method: "PUT", body, project }, opts);
+			const data = await request("db", `/${collection}/_schema`, { method: "PUT", body }, opts);
 			output(data, opts);
 		} else {
-			const data = await request("db", `/${project}/${collection}/_schema`, { project }, opts);
+			const data = await request("db", `/${collection}/_schema`, {}, opts);
 			output(data, opts);
 		}
 	});
@@ -626,34 +807,33 @@ const blob = program.command("blob").description("Blob storage commands");
 blob
 	.command("put")
 	.description("Upload a file")
-	.argument("<project>", "Project name")
 	.argument("<path>", "Remote path")
 	.argument("<file>", "Local file path")
-	.action(async (project: string, remotePath: string, localFile: string) => {
+	.action(async (remotePath: string, localFile: string) => {
 		const opts = program.opts<GlobalOptions>();
-		const profile = getProfile(opts.profile);
-		const token = await getProjectToken(project, opts);
-		
+		const { config, fullProjectName } = getProfile(opts.profile);
+		const token = await getToken(opts);
+
 		const file = Bun.file(localFile);
 		if (!(await file.exists())) {
 			error(`File not found: ${localFile}`, opts);
 		}
-		
-		const url = `${profile.baseUrl}/blob/${project}/${remotePath}`;
-		
+
+		const url = `${config.baseUrl}/blob/${fullProjectName}/${remotePath}`;
+
 		if (opts.debug) {
 			console.error(chalk.dim(`curl -X PUT "${url}" -T "${localFile}"`));
 		}
-		
+
 		const res = await fetch(url, {
 			method: "PUT",
 			headers: {
-				"Authorization": `Bearer ${token}`,
+				Authorization: `Bearer ${token}`,
 				"Content-Type": file.type || "application/octet-stream",
 			},
 			body: file,
 		});
-		
+
 		const data = await res.json();
 		if (!res.ok) {
 			error((data as { error?: string }).error || "Upload failed", opts);
@@ -664,28 +844,27 @@ blob
 blob
 	.command("get")
 	.description("Download a file (outputs to stdout)")
-	.argument("<project>", "Project name")
 	.argument("<path>", "Remote path")
-	.action(async (project: string, remotePath: string) => {
+	.action(async (remotePath: string) => {
 		const opts = program.opts<GlobalOptions>();
-		const profile = getProfile(opts.profile);
-		const token = await getProjectToken(project, opts);
-		
-		const url = `${profile.baseUrl}/blob/${project}/${remotePath}`;
-		
+		const { config, fullProjectName } = getProfile(opts.profile);
+		const token = await getToken(opts);
+
+		const url = `${config.baseUrl}/blob/${fullProjectName}/${remotePath}`;
+
 		if (opts.debug) {
 			console.error(chalk.dim(`curl "${url}"`));
 		}
-		
+
 		const res = await fetch(url, {
-			headers: { "Authorization": `Bearer ${token}` },
+			headers: { Authorization: `Bearer ${token}` },
 		});
-		
+
 		if (!res.ok) {
 			const data = await res.json();
 			error((data as { error?: string }).error || "Download failed", opts);
 		}
-		
+
 		// Stream to stdout
 		const writer = Bun.stdout.writer();
 		const reader = res.body?.getReader();
@@ -702,20 +881,19 @@ blob
 blob
 	.command("rm")
 	.description("Delete a file")
-	.argument("<project>", "Project name")
 	.argument("<path>", "Remote path")
-	.action(async (project: string, remotePath: string) => {
+	.action(async (remotePath: string) => {
 		const opts = program.opts<GlobalOptions>();
-		const profile = getProfile(opts.profile);
-		const token = await getProjectToken(project, opts);
-		
-		const url = `${profile.baseUrl}/blob/${project}/${remotePath}`;
-		
+		const { config, fullProjectName } = getProfile(opts.profile);
+		const token = await getToken(opts);
+
+		const url = `${config.baseUrl}/blob/${fullProjectName}/${remotePath}`;
+
 		const res = await fetch(url, {
 			method: "DELETE",
-			headers: { "Authorization": `Bearer ${token}` },
+			headers: { Authorization: `Bearer ${token}` },
 		});
-		
+
 		const data = await res.json();
 		if (!res.ok) {
 			error((data as { error?: string }).error || "Delete failed", opts);
@@ -732,58 +910,54 @@ const cron = program.command("cron").description("Cron service commands");
 cron
 	.command("ls")
 	.description("List jobs")
-	.argument("<project>", "Project name")
-	.action(async (project: string) => {
+	.action(async () => {
 		const opts = program.opts<GlobalOptions>();
-		const data = (await request("cron", `/${project}/jobs`, { project }, opts)) as { jobs: unknown[] };
+		const data = (await request("cron", "/jobs", {}, opts)) as { jobs: unknown[] };
 		output(data.jobs, opts);
 	});
 
 cron
 	.command("runs")
 	.description("List run history")
-	.argument("<project>", "Project name")
 	.option("-l, --limit <n>", "Limit results", "100")
 	.option("--job <id>", "Filter by job ID")
-	.action(async (project: string, cmdOpts: { limit: string; job?: string }) => {
+	.action(async (cmdOpts: { limit: string; job?: string }) => {
 		const opts = program.opts<GlobalOptions>();
 		const params = new URLSearchParams({ limit: cmdOpts.limit });
 		if (cmdOpts.job) params.set("job_id", cmdOpts.job);
-		const data = (await request("cron", `/${project}/runs?${params}`, { project }, opts)) as { runs: unknown[] };
+		const data = (await request("cron", `/runs?${params}`, {}, opts)) as { runs: unknown[] };
 		output(data.runs, opts);
 	});
 
 cron
 	.command("trigger")
 	.description("Manually trigger a job")
-	.argument("<project>", "Project name")
 	.argument("<job_id>", "Job ID")
-	.action(async (project: string, jobId: string) => {
+	.action(async (jobId: string) => {
 		const opts = program.opts<GlobalOptions>();
-		const data = await request("cron", `/${project}/jobs/${jobId}/trigger`, { method: "POST", project }, opts);
+		const data = await request("cron", `/jobs/${jobId}/trigger`, { method: "POST" }, opts);
 		output(data, opts);
 	});
 
 cron
 	.command("script:cat")
 	.description("Output script content")
-	.argument("<project>", "Project name")
 	.argument("<script>", "Script name")
-	.action(async (project: string, script: string) => {
+	.action(async (script: string) => {
 		const opts = program.opts<GlobalOptions>();
-		const profile = getProfile(opts.profile);
-		const token = await getProjectToken(project, opts);
-		
-		const url = `${profile.baseUrl}/cron/${project}/scripts/${script}`;
+		const { config, fullProjectName } = getProfile(opts.profile);
+		const token = await getToken(opts);
+
+		const url = `${config.baseUrl}/cron/${fullProjectName}/scripts/${script}`;
 		const res = await fetch(url, {
-			headers: { "Authorization": `Bearer ${token}` },
+			headers: { Authorization: `Bearer ${token}` },
 		});
-		
+
 		if (!res.ok) {
 			const data = await res.json();
 			error((data as { error?: string }).error || "Failed to get script", opts);
 		}
-		
+
 		console.log(await res.text());
 	});
 
@@ -793,52 +967,60 @@ cron
 
 const ai = program.command("ai").description("AI service commands");
 
-ai
-	.command("stats")
+ai.command("stats")
 	.description("View usage statistics")
-	.argument("<project>", "Project name")
 	.option("-p, --period <days>", "Period in days", "30")
-	.action(async (project: string, cmdOpts: { period: string }) => {
+	.action(async (cmdOpts: { period: string }) => {
 		const opts = program.opts<GlobalOptions>();
-		const data = await request("ai", `/usage/stats?period=${cmdOpts.period}d`, { project }, opts);
-		output(data, opts);
+		const { config } = getProfile(opts.profile);
+		const token = await getToken(opts);
+
+		const url = `${config.baseUrl}/ai/usage/stats?period=${cmdOpts.period}d`;
+		const res = await fetch(url, {
+			headers: { Authorization: `Bearer ${token}` },
+		});
+
+		if (!res.ok) {
+			const data = await res.json();
+			error((data as { error?: string }).error || "Failed to get stats", opts);
+		}
+
+		output(await res.json(), opts);
 	});
 
-ai
-	.command("chat")
+ai.command("chat")
 	.description("Send a chat completion request")
-	.argument("<project>", "Project name")
 	.argument("<prompt>", "Chat prompt")
 	.option("-m, --model <model>", "Model to use (defaults to project config)")
-	.action(async (project: string, prompt: string, cmdOpts: { model?: string }) => {
+	.action(async (prompt: string, cmdOpts: { model?: string }) => {
 		const opts = program.opts<GlobalOptions>();
-		const profile = getProfile(opts.profile);
-		const token = await getProjectToken(project, opts);
-		
+		const { config } = getProfile(opts.profile);
+		const token = await getToken(opts);
+
 		// Get default model from project config if not specified
 		let model = cmdOpts.model;
 		if (!model) {
-			const configRes = await fetch(`${profile.baseUrl}/ai/config`, {
-				headers: { "Authorization": `Bearer ${token}` },
+			const configRes = await fetch(`${config.baseUrl}/ai/config`, {
+				headers: { Authorization: `Bearer ${token}` },
 			});
 			if (configRes.ok) {
-				const config = await configRes.json() as { default_model?: string };
-				model = config.default_model || "openai/gpt-4o-mini";
+				const aiConfig = (await configRes.json()) as { default_model?: string };
+				model = aiConfig.default_model || "openai/gpt-4o-mini";
 			} else {
 				model = "openai/gpt-4o-mini";
 			}
 		}
-		
-		const url = `${profile.baseUrl}/ai/v1/chat/completions`;
-		
+
+		const url = `${config.baseUrl}/ai/v1/chat/completions`;
+
 		if (opts.debug) {
 			console.error(chalk.dim(`curl -X POST "${url}" ...`));
 		}
-		
+
 		const res = await fetch(url, {
 			method: "POST",
 			headers: {
-				"Authorization": `Bearer ${token}`,
+				Authorization: `Bearer ${token}`,
 				"Content-Type": "application/json",
 			},
 			body: JSON.stringify({
@@ -846,44 +1028,60 @@ ai
 				messages: [{ role: "user", content: prompt }],
 			}),
 		});
-		
+
 		const data = await res.json();
 		if (!res.ok) {
 			error((data as { error?: string }).error || "Chat failed", opts);
 		}
-		
+
 		if (opts.json) {
 			console.log(JSON.stringify(data, null, 2));
 		} else {
-			const content = (data as { choices: Array<{ message: { content: string } }> }).choices?.[0]?.message?.content;
+			const content = (data as { choices: Array<{ message: { content: string } }> }).choices?.[0]
+				?.message?.content;
 			console.log(content || "(no response)");
 		}
 	});
 
-ai
-	.command("config")
-	.description("Get or set AI config for a project")
-	.argument("<project>", "Project name")
+ai.command("config")
+	.description("Get or set AI config")
 	.option("--model <model>", "Set default model")
 	.option("--rate-limit <usd>", "Set rate limit in USD")
 	.option("--key <key>", "Set custom OpenRouter API key")
-	.action(async (project: string, cmdOpts: { model?: string; rateLimit?: string; key?: string }) => {
+	.action(async (cmdOpts: { model?: string; rateLimit?: string; key?: string }) => {
 		const opts = program.opts<GlobalOptions>();
-		
+		const { config } = getProfile(opts.profile);
+		const token = await getToken(opts);
+
 		// If any options provided, update config
 		if (cmdOpts.model || cmdOpts.rateLimit || cmdOpts.key) {
 			const body: Record<string, unknown> = {};
 			if (cmdOpts.model) body.default_model = cmdOpts.model;
 			if (cmdOpts.rateLimit) body.rate_limit_usd = Number.parseFloat(cmdOpts.rateLimit);
 			if (cmdOpts.key) body.key = cmdOpts.key;
-			
-			await request("ai", "/config", { method: "PUT", body, project }, opts);
+
+			const updateRes = await fetch(`${config.baseUrl}/ai/config`, {
+				method: "PUT",
+				headers: {
+					Authorization: `Bearer ${token}`,
+					"Content-Type": "application/json",
+				},
+				body: JSON.stringify(body),
+			});
+
+			if (!updateRes.ok) {
+				const data = await updateRes.json();
+				error((data as { error?: string }).error || "Failed to update config", opts);
+			}
+
 			console.log("Config updated");
 		}
-		
+
 		// Always show current config
-		const data = await request("ai", "/config", { project }, opts);
-		output(data, opts);
+		const res = await fetch(`${config.baseUrl}/ai/config`, {
+			headers: { Authorization: `Bearer ${token}` },
+		});
+		output(await res.json(), opts);
 	});
 
 // =============================================================================
@@ -895,12 +1093,11 @@ const search = program.command("search").description("Search service commands");
 search
 	.command("config")
 	.description("Get or set index configuration")
-	.argument("<project>", "Project name")
 	.argument("<index>", "Index name")
 	.option("--set", "Set config (reads JSON from stdin)")
-	.action(async (project: string, index: string, cmdOpts: { set?: boolean }) => {
+	.action(async (index: string, cmdOpts: { set?: boolean }) => {
 		const opts = program.opts<GlobalOptions>();
-		
+
 		if (cmdOpts.set) {
 			const chunks: Buffer[] = [];
 			for await (const chunk of Bun.stdin.stream()) {
@@ -908,10 +1105,10 @@ search
 			}
 			const input = Buffer.concat(chunks).toString("utf-8").trim();
 			const body = JSON.parse(input);
-			const data = await request("search", `/${project}/${index}/_config`, { method: "PUT", body, project }, opts);
+			const data = await request("search", `/${index}/_config`, { method: "PUT", body }, opts);
 			output(data, opts);
 		} else {
-			const data = await request("search", `/${project}/${index}/_config`, { project }, opts);
+			const data = await request("search", `/${index}/_config`, {}, opts);
 			output(data, opts);
 		}
 	});
@@ -919,14 +1116,15 @@ search
 search
 	.command("query")
 	.description("Search an index")
-	.argument("<project>", "Project name")
 	.argument("<index>", "Index name")
 	.argument("<q>", "Search query")
 	.option("-l, --limit <n>", "Limit results", "10")
-	.action(async (project: string, index: string, q: string, cmdOpts: { limit: string }) => {
+	.action(async (index: string, q: string, cmdOpts: { limit: string }) => {
 		const opts = program.opts<GlobalOptions>();
 		const params = new URLSearchParams({ q, limit: cmdOpts.limit });
-		const data = (await request("search", `/${project}/${index}/search?${params}`, { project }, opts)) as { results: unknown[] };
+		const data = (await request("search", `/${index}/search?${params}`, {}, opts)) as {
+			results: unknown[];
+		};
 		output(data.results, opts);
 	});