becki 0.5.0

package/dist/screens/git.js

@@ -0,0 +1,211 @@
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+/**
+ * git.tsx — manage a GitHub personal access token for cloud git ingest.
+ *
+ * Stores the PAT at ${BECKI_HOME}/secrets.json (mode 0600). The token is
+ * never sent to the Becki backend from this CLI — that's Core v1.3 (#193).
+ * For now the local becki-mcp can use it for direct GitHub API calls when
+ * a watch folder is also a github.com origin.
+ *
+ * Light validation: HEAD https://api.github.com/user with the token; expect
+ * 200. No-op on failure (we don't have offline-clean validation).
+ */
+import { useState } from 'react';
+import { Box, Text, useInput } from 'ink';
+import { existsSync, mkdirSync, readFileSync, writeFileSync, chmodSync } from 'node:fs';
+import { join } from 'node:path';
+import { PATHS } from '../client.js';
+import { ScreenHeader, Kv, BackFooter, OkLine, ErrorLine, Loading } from './_shared.js';
+import { theme } from '../theme.js';
+const PROVIDERS = {
+    github: {
+        id: 'github',
+        label: 'GitHub',
+        validateUrl: 'https://api.github.com/user',
+        authHeaders: (t) => ({
+            Authorization: `Bearer ${t}`,
+            'User-Agent': 'becki-shell',
+            Accept: 'application/vnd.github+json',
+        }),
+        extractUser: (j) => j?.login,
+        helpUrl: 'github.com → Settings → Developer settings → Personal access tokens',
+    },
+    gitlab: {
+        id: 'gitlab',
+        label: 'GitLab',
+        validateUrl: 'https://gitlab.com/api/v4/user',
+        authHeaders: (t) => ({ 'PRIVATE-TOKEN': t, 'User-Agent': 'becki-shell' }),
+        extractUser: (j) => j?.username,
+        helpUrl: 'gitlab.com → Edit profile → Access tokens',
+    },
+    bitbucket: {
+        id: 'bitbucket',
+        label: 'Bitbucket',
+        validateUrl: 'https://api.bitbucket.org/2.0/user',
+        // Bitbucket API tokens use Basic with username:app_password OR Bearer for
+        // workspace access tokens. We treat the input as a Bearer token here —
+        // workspace access tokens are the recommended flow per Atlassian docs.
+        authHeaders: (t) => ({ Authorization: `Bearer ${t}`, 'User-Agent': 'becki-shell' }),
+        extractUser: (j) => j?.username
+            ?? j?.nickname,
+        helpUrl: 'bitbucket.org → Personal settings → App passwords (or Workspace access tokens)',
+    },
+};
+const PROVIDER_ORDER = ['github', 'gitlab', 'bitbucket'];
+const SECRETS_PATH = join(PATHS.beckiHome, 'secrets.json');
+function loadSecrets() {
+    try {
+        if (!existsSync(SECRETS_PATH))
+            return {};
+        const raw = JSON.parse(readFileSync(SECRETS_PATH, 'utf8'));
+        // Auto-migrate legacy github_pat → git_tokens.github so the UI is
+        // consistent. We don't write back until the user does something — the
+        // legacy fields stay readable in the file for one minor version.
+        if (raw.github_pat && !raw.git_tokens?.github) {
+            raw.git_tokens = { ...(raw.git_tokens ?? {}) };
+            raw.git_tokens.github = {
+                token: raw.github_pat,
+                login: raw.github_login,
+                validated_at: raw.github_pat_validated_at ?? Date.now(),
+            };
+        }
+        return raw;
+    }
+    catch {
+        return {};
+    }
+}
+function saveSecrets(s) {
+    mkdirSync(PATHS.beckiHome, { recursive: true });
+    writeFileSync(SECRETS_PATH, JSON.stringify(s, null, 2) + '\n', { mode: 0o600 });
+    try {
+        chmodSync(SECRETS_PATH, 0o600);
+    }
+    catch { /* best effort */ }
+}
+async function validatePat(provider, token) {
+    const spec = PROVIDERS[provider];
+    try {
+        const r = await fetch(spec.validateUrl, { headers: spec.authHeaders(token) });
+        if (r.status === 401)
+            return { ok: false, reason: 'token invalid (401)' };
+        if (r.status === 403)
+            return { ok: false, reason: 'token forbidden (403) — check scopes' };
+        if (!r.ok)
+            return { ok: false, reason: `${spec.label} ${r.status}` };
+        const j = await r.json();
+        return { ok: true, login: spec.extractUser(j) };
+    }
+    catch (err) {
+        return { ok: false, reason: err.message };
+    }
+}
+function mask(t) {
+    if (t.length <= 12)
+        return t;
+    return `${t.slice(0, 6)}…${t.slice(-4)}`;
+}
+export function GitScreen({ onBack }) {
+    const [secrets, setSecrets] = useState(loadSecrets());
+    const [mode, setMode] = useState('view');
+    const [provider, setProvider] = useState('github');
+    const [input, setInput] = useState('');
+    const [msg, setMsg] = useState(null);
+    const [cursor, setCursor] = useState(0); // selects which provider row in view mode
+    const tokenFor = (p) => secrets.git_tokens?.[p];
+    const handleSave = async (token) => {
+        setMode('validating');
+        const result = await validatePat(provider, token);
+        if (!result.ok) {
+            setMsg({ kind: 'err', text: result.reason ?? 'validation failed' });
+            setMode('edit');
+            return;
+        }
+        const next = {
+            ...secrets,
+            git_tokens: {
+                ...(secrets.git_tokens ?? {}),
+                [provider]: {
+                    token,
+                    login: result.login,
+                    validated_at: Date.now(),
+                },
+            },
+        };
+        try {
+            saveSecrets(next);
+            setSecrets(next);
+            setMsg({ kind: 'ok', text: `${PROVIDERS[provider].label} saved · validated as ${result.login ?? 'unknown'}` });
+            setMode('view');
+        }
+        catch (err) {
+            setMsg({ kind: 'err', text: `save failed: ${err.message}` });
+            setMode('edit');
+        }
+    };
+    const handleDelete = (p) => {
+        if (!secrets.git_tokens?.[p])
+            return;
+        const nextTokens = { ...(secrets.git_tokens ?? {}) };
+        delete nextTokens[p];
+        const next = { ...secrets, git_tokens: nextTokens };
+        saveSecrets(next);
+        setSecrets(next);
+        setMsg({ kind: 'ok', text: `${PROVIDERS[p].label} token removed` });
+    };
+    useInput((typed, key) => {
+        if (mode === 'validating')
+            return;
+        if (mode === 'edit') {
+            if (key.escape) {
+                setMode('view');
+                setInput('');
+                return;
+            }
+            if (key.return) {
+                if (input.trim())
+                    handleSave(input.trim());
+                return;
+            }
+            if (key.backspace || key.delete) {
+                setInput((s) => s.slice(0, -1));
+                return;
+            }
+            if (typed && !key.ctrl && !key.meta)
+                setInput((s) => s + typed);
+            return;
+        }
+        // view mode — cursor moves between provider rows
+        if (key.escape || key.leftArrow) {
+            onBack();
+            return;
+        }
+        if (key.upArrow || typed === 'k')
+            setCursor((c) => Math.max(0, c - 1));
+        else if (key.downArrow || typed === 'j')
+            setCursor((c) => Math.min(PROVIDER_ORDER.length - 1, c + 1));
+        else if (typed === 'e' || key.return) {
+            const target = PROVIDER_ORDER[cursor];
+            setProvider(target);
+            setMode('edit');
+            setInput('');
+            setMsg(null);
+        }
+        else if (typed === 'd') {
+            const target = PROVIDER_ORDER[cursor];
+            if (tokenFor(target))
+                handleDelete(target);
+        }
+    });
+    if (mode === 'edit') {
+        const spec = PROVIDERS[provider];
+        return (_jsxs(Box, { flexDirection: "column", paddingX: 1, paddingY: 1, children: [_jsx(ScreenHeader, { title: `Paste ${spec.label} token`, subtitle: spec.helpUrl }), _jsxs(Box, { children: [_jsx(Text, { color: theme.gold, children: "\u25B8 " }), _jsx(Text, { color: theme.text, children: '*'.repeat(input.length) }), _jsx(Text, { color: theme.gold, children: "_" })] }), _jsx(Box, { marginTop: 1, children: _jsx(Text, { color: theme.gray, dimColor: true, children: "enter validate+save \u00B7 esc cancel" }) })] }));
+    }
+    return (_jsxs(Box, { flexDirection: "column", paddingX: 1, paddingY: 1, children: [_jsx(ScreenHeader, { title: "Git", subtitle: "provider tokens (cloud ingest \u2014 wired in Core v1.3)" }), _jsx(Kv, { k: "Stored at", v: SECRETS_PATH }), _jsx(Box, { marginTop: 1, flexDirection: "column", children: PROVIDER_ORDER.map((p, i) => {
+                    const sel = i === cursor;
+                    const entry = tokenFor(p);
+                    return (_jsxs(Box, { children: [_jsx(Box, { width: 3, children: _jsx(Text, { color: sel ? theme.gold : theme.gray, children: sel ? '▸ ' : '  ' }) }), _jsx(Box, { width: 12, children: _jsx(Text, { color: sel ? theme.gold : theme.text, bold: sel, children: PROVIDERS[p].label }) }), _jsx(Box, { width: 16, children: _jsx(Text, { color: entry ? theme.text : 'yellow', children: entry ? mask(entry.token) : 'not set' }) }), _jsx(Box, { width: 20, children: _jsx(Text, { color: theme.gray, children: entry?.login ? `@${entry.login}` : '—' }) }), _jsx(Text, { color: theme.gray, dimColor: true, children: entry?.validated_at
+                                    ? new Date(entry.validated_at).toLocaleDateString()
+                                    : '' })] }, p));
+                }) }), mode === 'validating' && (_jsx(Box, { marginTop: 1, children: _jsx(Loading, { label: `validating against ${PROVIDERS[provider].validateUrl}…` }) })), _jsx(Box, { marginTop: 1, children: msg && (msg.kind === 'ok' ? _jsx(OkLine, { message: msg.text }) : _jsx(ErrorLine, { message: msg.text })) }), _jsx(BackFooter, { extra: "\u2191/\u2193 pick provider \u00B7 e/enter add or replace \u00B7 d delete" })] }));
+}

package/dist/screens/install-token.js

@@ -0,0 +1,65 @@
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+/**
+ * install-token.tsx — show, regenerate, copy the local install token.
+ *
+ * Token lives at ${BECKI_HOME}/mcp-ingest-token (0600). Regenerating issues
+ * a fresh token via the register-mcp-install edge function — requires user
+ * JWT, which the local CLI doesn't hold. So "regenerate" defers to the web
+ * portal; this screen shows + masks + copies what's on disk.
+ */
+import { useState } from 'react';
+import { Box, Text, useInput } from 'ink';
+import { spawn } from 'node:child_process';
+import { platform } from 'node:os';
+import { resolveAuth, PATHS } from '../client.js';
+import { ScreenHeader, Kv, BackFooter, OkLine } from './_shared.js';
+import { theme } from '../theme.js';
+function copyToClipboard(text) {
+    try {
+        const cmd = platform() === 'darwin' ? 'pbcopy' :
+            platform() === 'win32' ? 'clip' :
+                'xclip';
+        const args = platform() === 'linux' ? ['-selection', 'clipboard'] : [];
+        const proc = spawn(cmd, args, { stdio: ['pipe', 'ignore', 'ignore'] });
+        proc.stdin?.write(text);
+        proc.stdin?.end();
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+function openInBrowser(url) {
+    const cmd = platform() === 'darwin' ? 'open' : platform() === 'win32' ? 'cmd' : 'xdg-open';
+    const args = platform() === 'win32' ? ['/c', 'start', '', url] : [url];
+    spawn(cmd, args, { detached: true, stdio: 'ignore' }).unref();
+}
+function mask(token) {
+    if (token.length <= 12)
+        return token;
+    return `${token.slice(0, 6)}…${token.slice(-4)}`;
+}
+export function InstallTokenScreen({ onBack }) {
+    const auth = resolveAuth();
+    const [revealed, setRevealed] = useState(false);
+    const [copied, setCopied] = useState(false);
+    const [opened, setOpened] = useState(false);
+    const tokenPresent = !!auth.ingestToken;
+    const tokenRaw = auth.ingestToken ?? '';
+    useInput((input, key) => {
+        if (key.escape || key.leftArrow)
+            onBack();
+        else if (input === 's')
+            setRevealed((r) => !r);
+        else if (input === 'c' && tokenPresent) {
+            const ok = copyToClipboard(tokenRaw);
+            if (ok)
+                setCopied(true);
+        }
+        else if (input === 'r') {
+            openInBrowser('https://www.becki.io/account');
+            setOpened(true);
+        }
+    });
+    return (_jsxs(Box, { flexDirection: "column", paddingX: 1, paddingY: 1, children: [_jsx(ScreenHeader, { title: "Install Token", subtitle: "authenticates becki-mcp to the Becki backend" }), _jsx(Kv, { k: "Path", v: PATHS.ingestToken }), _jsx(Kv, { k: "Status", v: tokenPresent ? 'present' : 'missing', color: tokenPresent ? 'green' : 'yellow' }), tokenPresent && (_jsx(Kv, { k: "Token", v: revealed ? tokenRaw : mask(tokenRaw) })), !tokenPresent && (_jsx(Box, { marginTop: 1, children: _jsx(Text, { color: "yellow", children: "No token. Generate one at becki.io/account, then paste into:" }) })), !tokenPresent && (_jsx(Box, { marginLeft: 2, children: _jsx(Text, { color: theme.gray, children: PATHS.ingestToken }) })), _jsxs(Box, { marginTop: 1, flexDirection: "column", children: [copied && _jsx(OkLine, { message: "copied to clipboard" }), opened && _jsx(OkLine, { message: "opened becki.io/account in your browser" })] }), _jsx(BackFooter, { extra: tokenPresent ? 's show/hide · c copy · r regenerate (browser)' : 'r regenerate (browser)' })] }));
+}

package/dist/screens/logs.js

@@ -0,0 +1,74 @@
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+/**
+ * logs.tsx — show the tail of becki-mcp's log file.
+ *
+ * becki-mcp doesn't currently write a structured log file (it writes to
+ * stderr, which AI clients capture). When it does (planned in Core v0.7),
+ * this screen tails ${BECKI_HOME}/logs/becki-mcp.log. Until then, the
+ * screen surfaces that and offers a one-key "open log dir" handoff.
+ */
+import { useState } from 'react';
+import { Box, Text, useInput } from 'ink';
+import { existsSync, mkdirSync, statSync } from 'node:fs';
+import { join } from 'node:path';
+import { spawn } from 'node:child_process';
+import { platform } from 'node:os';
+import { PATHS } from '../client.js';
+import { ScreenHeader, Kv, BackFooter, OkLine } from './_shared.js';
+import { theme } from '../theme.js';
+const LOG_DIR = join(PATHS.beckiHome, 'logs');
+const LOG_PATH = join(LOG_DIR, 'becki-mcp.log');
+const TAIL_LINES = 30;
+function readTail() {
+    if (!existsSync(LOG_PATH))
+        return { lines: [], mtime: null, size: 0 };
+    const stat = statSync(LOG_PATH);
+    // Read last ~64KB to extract tail without loading huge files.
+    const slice = Math.min(stat.size, 64 * 1024);
+    const buf = Buffer.alloc(slice);
+    // eslint-disable-next-line @typescript-eslint/no-require-imports
+    const fs = require('node:fs');
+    const fd = fs.openSync(LOG_PATH, 'r');
+    try {
+        fs.readSync(fd, buf, 0, slice, stat.size - slice);
+    }
+    finally {
+        fs.closeSync(fd);
+    }
+    const lines = buf.toString('utf8').split('\n').filter((l) => l.length > 0);
+    return { lines: lines.slice(-TAIL_LINES), mtime: stat.mtimeMs, size: stat.size };
+}
+function openDir(dir) {
+    try {
+        mkdirSync(dir, { recursive: true });
+    }
+    catch { /* ignore */ }
+    const cmd = platform() === 'darwin' ? 'open' : platform() === 'win32' ? 'explorer' : 'xdg-open';
+    spawn(cmd, [dir], { detached: true, stdio: 'ignore' }).unref();
+}
+function fmtSize(bytes) {
+    if (bytes < 1024)
+        return `${bytes} B`;
+    if (bytes < 1024 * 1024)
+        return `${(bytes / 1024).toFixed(1)} KB`;
+    return `${(bytes / 1024 / 1024).toFixed(1)} MB`;
+}
+export function LogsScreen({ onBack }) {
+    const [data, setData] = useState(readTail());
+    const [opened, setOpened] = useState(false);
+    useInput((input, key) => {
+        if (key.escape || key.leftArrow) {
+            onBack();
+            return;
+        }
+        if (input === 'r')
+            setData(readTail());
+        else if (input === 'o') {
+            openDir(LOG_DIR);
+            setOpened(true);
+        }
+    });
+    return (_jsxs(Box, { flexDirection: "column", paddingX: 1, paddingY: 1, children: [_jsx(ScreenHeader, { title: "Logs", subtitle: `tail of ${LOG_PATH}` }), _jsx(Kv, { k: "Path", v: LOG_PATH }), _jsx(Kv, { k: "Size", v: data.size > 0 ? fmtSize(data.size) : 'absent', color: data.size > 0 ? theme.text : theme.gray }), _jsx(Kv, { k: "Modified", v: data.mtime ? new Date(data.mtime).toLocaleString() : '—' }), _jsx(Box, { marginTop: 1, flexDirection: "column", borderStyle: "single", borderColor: theme.gray, paddingX: 1, children: data.lines.length === 0
+                    ? _jsx(Text, { color: theme.gray, dimColor: true, children: "(no log file \u2014 becki-mcp writes to stderr today; structured logging ships v0.7)" })
+                    : data.lines.map((l, i) => _jsx(Text, { color: theme.text, children: l }, i)) }), _jsx(Box, { marginTop: 1, children: opened && _jsx(OkLine, { message: "opened log directory" }) }), _jsx(BackFooter, { extra: "r refresh \u00B7 o open log dir" })] }));
+}

package/dist/screens/status.js

@@ -0,0 +1,77 @@
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+import { Box, Text, useInput } from 'ink';
+import { existsSync, statSync, readdirSync } from 'node:fs';
+import { join } from 'node:path';
+import { homedir, platform } from 'node:os';
+import { resolveAuth, PATHS, listProjects } from '../client.js';
+import { ScreenHeader, Kv, BackFooter, Loading, ErrorLine, useAsync } from './_shared.js';
+import { theme } from '../theme.js';
+async function loadStatus() {
+    const auth = resolveAuth();
+    const cachePath = join(PATHS.beckiHome, 'cache.db');
+    const cacheExists = existsSync(cachePath);
+    const cacheSize = cacheExists ? statSync(cachePath).size : 0;
+    // Vault count via the SECURITY DEFINER project-rollup RPC (anon + explicit
+    // user_id bypasses RLS properly; the previous anon SELECT on
+    // vault_embeddings returned 0 because RLS evaluated auth.uid()=null).
+    let vaultCount = null;
+    let projectCount = 0;
+    if (auth.userId) {
+        try {
+            const projects = await listProjects(auth.userId);
+            projectCount = projects.length;
+            vaultCount = projects.reduce((sum, p) => sum + (p.atomic_count ?? 0), 0);
+        }
+        catch {
+            vaultCount = null;
+        }
+    }
+    // Detect the Mac.app's presence — true iff resolveBeckiHome() landed on
+    // the legacy Mac path (which only happens when that path actually exists).
+    const legacyMacPath = join(homedir(), 'Library', 'Application Support', 'Becki');
+    const studioDetected = platform() === 'darwin' && PATHS.beckiHome === legacyMacPath;
+    let studioDbs = [];
+    if (studioDetected) {
+        try {
+            studioDbs = readdirSync(PATHS.beckiHome)
+                .filter((f) => /\.(db|sqlite|sqlite3)$/i.test(f) && f !== 'cache.db')
+                .sort();
+        }
+        catch {
+            studioDbs = [];
+        }
+    }
+    return {
+        installTokenSet: !!auth.ingestToken,
+        userId: auth.userId,
+        beckiHome: PATHS.beckiHome,
+        cacheDbExists: cacheExists,
+        cacheDbSize: cacheSize,
+        lastDigestAt: null, // wired via becki-mcp cache.db read in a follow-up
+        vaultCount,
+        projectCount,
+        tokensToday: 0,
+        tokensTodayLimit: 80_000,
+        studioDetected,
+        studioDbs,
+    };
+}
+function fmtSize(bytes) {
+    if (bytes < 1024)
+        return `${bytes} B`;
+    if (bytes < 1024 * 1024)
+        return `${(bytes / 1024).toFixed(1)} KB`;
+    return `${(bytes / 1024 / 1024).toFixed(1)} MB`;
+}
+export function StatusScreen({ onBack }) {
+    const { loading, data, error, refresh } = useAsync(loadStatus);
+    useInput((input, key) => {
+        if (key.escape || key.leftArrow)
+            onBack();
+        else if (input === 'r')
+            refresh();
+    });
+    return (_jsxs(Box, { flexDirection: "column", paddingX: 1, paddingY: 1, children: [_jsx(ScreenHeader, { title: "Status", subtitle: "becki-mcp + vault snapshot" }), loading && _jsx(Loading, {}), error && _jsx(ErrorLine, { message: error }), data && (_jsxs(Box, { flexDirection: "column", children: [_jsx(Kv, { k: "Becki home", v: data.beckiHome }), _jsx(Kv, { k: "Install token", v: data.installTokenSet ? 'set' : 'missing — run becki-mcp init or generate at /account', color: data.installTokenSet ? theme.text : 'yellow' }), _jsx(Kv, { k: "User ID", v: data.userId ?? 'not set', color: data.userId ? theme.text : 'yellow' }), _jsx(Kv, { k: "Core cache DB", v: data.cacheDbExists ? `present · ${fmtSize(data.cacheDbSize)}` : 'not yet created', color: data.cacheDbExists ? theme.text : theme.gray }), _jsx(Kv, { k: "Vault entries", v: data.vaultCount === null ? '— (auth required)' : `~${data.vaultCount.toLocaleString()} across ${data.projectCount} project${data.projectCount === 1 ? '' : 's'}`, color: data.vaultCount === null ? theme.gray : theme.text }), _jsx(Kv, { k: "Last digest", v: data.lastDigestAt ?? 'never (or not tracked yet — wired in v0.6)', color: data.lastDigestAt ? theme.text : theme.gray }), _jsx(Kv, { k: "Session-ingest budget", v: `${data.tokensToday.toLocaleString()} / ${data.tokensTodayLimit.toLocaleString()} Haiku tokens today` }), data.studioDetected && (_jsxs(Box, { flexDirection: "column", marginTop: 1, children: [_jsx(Text, { color: theme.gold, children: "\u25C6 Studio (Mac app) detected" }), _jsxs(Box, { marginLeft: 2, flexDirection: "column", children: [_jsx(Text, { color: theme.gray, children: "Becki shares the same Becki home dir, but Studio keeps" }), _jsx(Text, { color: theme.gray, children: "its own SQLite stores. Visible here (not managed by `becki`):" }), data.studioDbs.length === 0
+                                        ? _jsxs(Text, { color: theme.gray, dimColor: true, children: ["  (no other .db files in ", data.beckiHome, ")"] })
+                                        : data.studioDbs.map((f) => (_jsxs(Text, { color: theme.gray, dimColor: true, children: ["  \u00B7 ", f] }, f))), _jsx(Text, { color: theme.gray, dimColor: true, children: "Vault entries above counts what's in NeuraVault cloud (shared)." })] })] }))] })), _jsx(BackFooter, { extra: "r refresh" })] }));
+}

package/dist/screens/subscription.js

@@ -0,0 +1,60 @@
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+/**
+ * subscription.tsx — display tier + status, open Stripe Customer Portal.
+ *
+ * Reads becki.subscriptions via the anon API scoped to auth.userId.
+ * Stripe Portal session is created server-side via the existing
+ * create-portal-session edge function; user JWT required for that call,
+ * so this screen instead deep-links to /account where the JWT lives.
+ */
+import React from 'react';
+import { Box, Text, useInput } from 'ink';
+import { spawn } from 'node:child_process';
+import { platform } from 'node:os';
+import { resolveAuth, SUPABASE_URL, SUPABASE_ANON_KEY } from '../client.js';
+import { ScreenHeader, Kv, BackFooter, Loading, ErrorLine, OkLine, useAsync } from './_shared.js';
+import { theme } from '../theme.js';
+async function loadSubscription(userId) {
+    if (!userId)
+        return null;
+    const r = await fetch(`${SUPABASE_URL}/rest/v1/subscriptions?select=plan,status,current_period_end,cancel_at_period_end,is_comped&user_id=eq.${userId}`, {
+        headers: {
+            apikey: SUPABASE_ANON_KEY,
+            Authorization: `Bearer ${SUPABASE_ANON_KEY}`,
+            'Accept-Profile': 'becki',
+        },
+    });
+    if (!r.ok)
+        throw new Error(`subscriptions ${r.status}`);
+    const rows = (await r.json());
+    return rows[0] ?? null;
+}
+function openInBrowser(url) {
+    const cmd = platform() === 'darwin' ? 'open' : platform() === 'win32' ? 'cmd' : 'xdg-open';
+    const args = platform() === 'win32' ? ['/c', 'start', '', url] : [url];
+    spawn(cmd, args, { detached: true, stdio: 'ignore' }).unref();
+}
+export function SubscriptionScreen({ onBack }) {
+    const auth = resolveAuth();
+    const { loading, data, error } = useAsync(() => loadSubscription(auth.userId), [auth.userId]);
+    const [opened, setOpened] = React.useState(false);
+    useInput((input, key) => {
+        if (key.escape || key.leftArrow)
+            onBack();
+        else if (input === 'p') {
+            openInBrowser('https://www.becki.io/account');
+            setOpened(true);
+        }
+    });
+    const planLabel = (p) => p === 'core' ? 'Core' : p === 'pro' ? 'Studio' : p === 'team' ? 'Team' : 'none';
+    const statusColor = (s) => {
+        if (s === 'active' || s === 'trialing')
+            return 'green';
+        if (s === 'past_due')
+            return 'yellow';
+        if (s === 'canceled' || s === 'unpaid')
+            return 'red';
+        return theme.gray;
+    };
+    return (_jsxs(Box, { flexDirection: "column", paddingX: 1, paddingY: 1, children: [_jsx(ScreenHeader, { title: "Subscription", subtitle: "becki.io/account hosts the full billing portal" }), loading && _jsx(Loading, {}), error && _jsx(ErrorLine, { message: error }), !loading && !auth.userId && (_jsx(Text, { color: "yellow", children: "not signed in \u2014 open /account to sign in" })), data && (_jsxs(Box, { flexDirection: "column", children: [_jsx(Kv, { k: "Plan", v: planLabel(data.plan) }), _jsx(Kv, { k: "Status", v: data.is_comped ? 'comped' : (data.status ?? 'none'), color: data.is_comped ? 'green' : statusColor(data.status) }), _jsx(Kv, { k: "Renews", v: data.current_period_end ? new Date(data.current_period_end).toLocaleDateString() : '—' }), _jsx(Kv, { k: "Cancel at period end", v: data.cancel_at_period_end ? 'yes' : 'no' })] })), data === null && !loading && auth.userId && (_jsx(Text, { color: "yellow", children: "no subscription yet \u2014 visit /account to pick a plan" })), _jsx(Box, { marginTop: 1, children: opened && _jsx(OkLine, { message: "opened becki.io/account in your browser" }) }), _jsx(BackFooter, { extra: "p open billing portal" })] }));
+}

package/dist/screens/vault.js

@@ -0,0 +1,155 @@
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+/**
+ * vault.tsx — high-level vault stats + JSON export.
+ *
+ * Counts vault entries via the anon API (scoped to auth.userId), exports the
+ * full vault as a JSON file in the user's home directory. The "delete-by-
+ * source" and "purge cache" actions are scaffolded but defer to /account
+ * (which has the user JWT needed for destructive RPCs).
+ */
+import { useState } from 'react';
+import { Box, Text, useInput } from 'ink';
+import { existsSync, writeFileSync, statSync, unlinkSync } from 'node:fs';
+import { join } from 'node:path';
+import { homedir } from 'node:os';
+import { resolveAuth, SUPABASE_URL, SUPABASE_ANON_KEY, PATHS, listProjects } from '../client.js';
+import { ScreenHeader, Kv, BackFooter, Loading, ErrorLine, OkLine, useAsync } from './_shared.js';
+import { theme } from '../theme.js';
+async function loadVault(userId) {
+    // becki-mcp Core's cache (only present if user has run `becki-mcp init`
+    // from npm — Studio's bundled mcp uses mcp-runtime/ instead).
+    const cachePath = join(PATHS.beckiHome, 'cache.db');
+    const coreCacheSize = existsSync(cachePath) ? statSync(cachePath).size : 0;
+    // Studio Mac.app's actual data store. When present this is by far the
+    // largest local artifact and represents real user data — separate from
+    // anything becki-mcp Core does. Show it so users don't think their data
+    // is "absent" when it's sitting in becki.sqlite.
+    const studioSqlitePath = join(PATHS.beckiHome, 'becki.sqlite');
+    const studioSqliteSize = existsSync(studioSqlitePath) ? statSync(studioSqlitePath).size : 0;
+    if (!userId)
+        return { count: null, projectCount: 0, coreCacheSize, studioSqliteSize };
+    try {
+        // Same SECURITY DEFINER RPC the Status screen now uses — bypasses RLS
+        // properly via explicit pp_user_id. Previously this hit
+        // /rest/v1/vault_embeddings directly with the anon key and got 0
+        // because RLS evaluated auth.uid()=null before the WHERE clause.
+        const projects = await listProjects(userId);
+        const count = projects.reduce((sum, p) => sum + (p.atomic_count ?? 0), 0);
+        return { count, projectCount: projects.length, coreCacheSize, studioSqliteSize };
+    }
+    catch {
+        return { count: null, projectCount: 0, coreCacheSize, studioSqliteSize };
+    }
+}
+/**
+ * Export every vault row the user owns to a JSON file.
+ *
+ * Iterates known source types and calls list_vault_rows (SECURITY DEFINER,
+ * takes pp_user_id) per type — the direct /rest/v1/vault_embeddings query
+ * the previous implementation used returned 0 rows under anon auth because
+ * RLS evaluated auth.uid()=null before the user_id filter ran.
+ *
+ * 5000-row cap per type is a soft safety against runaway responses; if any
+ * single type hits the cap we record it in the result so the UI can warn.
+ */
+async function exportVault(userId) {
+    const SOURCE_TYPES = [
+        'decision', 'dead_end', 'commitment', 'open_loop', 'note', 'ask', 'code', 'meeting',
+    ];
+    const PER_TYPE_CAP = 5000;
+    const all = [];
+    const truncatedTypes = [];
+    for (const type of SOURCE_TYPES) {
+        const r = await fetch(`${SUPABASE_URL}/rest/v1/rpc/list_vault_rows`, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                apikey: SUPABASE_ANON_KEY,
+                Authorization: `Bearer ${SUPABASE_ANON_KEY}`,
+                'Content-Profile': 'becki',
+            },
+            body: JSON.stringify({
+                p_project_id: null,
+                p_since: null,
+                p_until: null,
+                p_types: [type],
+                p_limit: PER_TYPE_CAP,
+                p_user_id: userId,
+            }),
+        });
+        if (!r.ok)
+            throw new Error(`list_vault_rows[${type}] ${r.status}: ${(await r.text()).slice(0, 200)}`);
+        const rows = (await r.json());
+        all.push(...rows);
+        if (rows.length >= PER_TYPE_CAP)
+            truncatedTypes.push(type);
+    }
+    const stamp = new Date().toISOString().replace(/[:.]/g, '-').slice(0, 19);
+    const path = join(homedir(), `becki-vault-${stamp}.json`);
+    writeFileSync(path, JSON.stringify(all, null, 2), 'utf8');
+    return { path, rows: all.length, truncatedTypes };
+}
+function fmtSize(bytes) {
+    if (bytes < 1024)
+        return `${bytes} B`;
+    if (bytes < 1024 * 1024)
+        return `${(bytes / 1024).toFixed(1)} KB`;
+    return `${(bytes / 1024 / 1024).toFixed(1)} MB`;
+}
+export function VaultScreen({ onBack }) {
+    const auth = resolveAuth();
+    const { loading, data, error, refresh } = useAsync(() => loadVault(auth.userId), [auth.userId]);
+    const [exportState, setExportState] = useState({ kind: 'idle' });
+    const runExport = async () => {
+        if (!auth.userId) {
+            setExportState({ kind: 'err', msg: 'need to be signed in (visit /account)' });
+            return;
+        }
+        setExportState({ kind: 'running' });
+        try {
+            const { path, rows, truncatedTypes } = await exportVault(auth.userId);
+            const note = truncatedTypes.length > 0
+                ? ` (capped at 5000 for: ${truncatedTypes.join(', ')} — older rows omitted)`
+                : '';
+            setExportState({ kind: 'done', msg: `${rows} rows → ${path}${note}` });
+        }
+        catch (err) {
+            setExportState({ kind: 'err', msg: err.message });
+        }
+    };
+    const purgeCache = () => {
+        const cachePath = join(PATHS.beckiHome, 'cache.db');
+        try {
+            if (existsSync(cachePath)) {
+                unlinkSync(cachePath);
+                setExportState({ kind: 'done', msg: `purged ${cachePath}` });
+                refresh();
+            }
+            else {
+                setExportState({ kind: 'err', msg: 'cache.db already absent' });
+            }
+        }
+        catch (err) {
+            setExportState({ kind: 'err', msg: err.message });
+        }
+    };
+    useInput((input, key) => {
+        if (exportState.kind === 'running')
+            return;
+        if (key.escape || key.leftArrow) {
+            onBack();
+            return;
+        }
+        if (input === 'e')
+            void runExport();
+        else if (input === 'p')
+            purgeCache();
+        else if (input === 'r')
+            refresh();
+    });
+    return (_jsxs(Box, { flexDirection: "column", paddingX: 1, paddingY: 1, children: [_jsx(ScreenHeader, { title: "Vault", subtitle: "cloud-side entries + local cache" }), loading && _jsx(Loading, {}), error && _jsx(ErrorLine, { message: error }), data && (_jsxs(Box, { flexDirection: "column", children: [_jsx(Kv, { k: "Entries (cloud)", v: data.count === null
+                            ? '— (auth required)'
+                            : `~${data.count.toLocaleString()} across ${data.projectCount} project${data.projectCount === 1 ? '' : 's'}` }), data.studioSqliteSize > 0 && (_jsx(Kv, { k: "Studio local DB", v: `${fmtSize(data.studioSqliteSize)} · becki.sqlite (Mac app, GRDB)`, color: theme.text })), _jsx(Kv, { k: "Core daemon cache", v: data.coreCacheSize > 0
+                            ? `${fmtSize(data.coreCacheSize)} · cache.db`
+                            : 'absent (becki-mcp from npm not initialized — Studio uses its own runtime)', color: data.coreCacheSize > 0 ? theme.text : theme.gray }), _jsx(Kv, { k: "Becki home", v: PATHS.beckiHome }), _jsx(Box, { marginTop: 1, children: _jsxs(Text, { color: theme.gray, dimColor: true, children: ["~count derives from viz substrate atomic_count; consolidation can fold ", '<', "5% into aggregates. Exact count via a dedicated RPC ships in v0.6 (#195)."] }) }), data.studioSqliteSize > 0 && (_jsx(Box, { marginTop: 1, children: _jsx(Text, { color: theme.gray, dimColor: true, children: "Studio's becki.sqlite is the Mac app's primary store (meetings, transcripts, project state). Cloud entries above are the shared NeuraVault, written by both Studio and Core." }) }))] })), _jsxs(Box, { marginTop: 1, flexDirection: "column", children: [exportState.kind === 'running' && _jsx(Loading, { label: "exporting\u2026" }), exportState.kind === 'done' && _jsx(OkLine, { message: exportState.msg }), exportState.kind === 'err' && _jsx(ErrorLine, { message: exportState.msg })] }), _jsx(Box, { marginTop: 1, children: _jsx(Text, { color: theme.gray, dimColor: true, children: "delete-by-source needs user JWT \u2014 manage at becki.io/account" }) }), _jsx(BackFooter, { extra: "e export json \u00B7 p purge cache \u00B7 r refresh" })] }));
+}