gipity 1.0.386 → 1.0.388

package/README.md

@@ -8,27 +8,33 @@ This CLI connects [Claude Code](https://claude.ai/claude-code) to Gipity's cloud
 
 ## Getting Started
 
-You need **Node.js 18+** (which includes npm) and **Claude Code**.
+One line installs everything. It sets up Node 18+ (if you don't already have it) and the Gipity CLI, with no sudo required:
 
 ```bash
-# 1. Install Node.js (if you don't have it)
+# macOS / Linux / WSL
+curl -fsSL https://gipity.ai/install.sh | bash
 
-# macOS
-brew install node
+# Windows (PowerShell)
+irm https://gipity.ai/install.ps1 | iex
+```
+
+Then launch your coding agent wired into Gipity:
+
+```bash
+gipity claude
+```
 
-# Windows - download the installer from https://nodejs.org
+`gipity claude` walks you through login, project setup, and launches Claude Code. Using Codex, Gemini, or Cursor instead? Run `gipity init`.
 
-# Linux (Ubuntu/Debian)
-curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash - && sudo apt install -y nodejs
+### Prefer npm
 
-# 2. Install Gipity CLI and Claude Code
-npm install -g gipity @anthropic-ai/claude-code
+If you already have **Node.js 18+** you can install directly:
 
-# 3. Go
-gipity claude
+```bash
+npm install -g gipity
 ```
 
-That's it. `claude` walks you through login, project setup, and launches Claude Code.
+If that fails with `EACCES`, your npm global prefix is root-owned. Don't reach for `sudo`: point npm at a user-owned prefix instead (`npm config set prefix ~/.npm-global` and add `~/.npm-global/bin` to your `PATH`), or just use the one-line installer above, which does this for you. See https://docs.npmjs.com/resolving-eacces-permissions-errors.
 
 ## Updates
 

package/dist/api.js

@@ -1,7 +1,7 @@
 import { Readable } from 'stream';
 import * as tar from 'tar-stream';
 import { getAuth, refreshTokenIfNeeded } from './auth.js';
-import { getConfig, getApiBaseOverride, requireConfig, saveConfig } from './config.js';
+import { resolveApiBase, requireConfig, saveConfig } from './config.js';
 export class ApiError extends Error {
     statusCode;
     code;
@@ -27,7 +27,7 @@ async function getHeaders() {
     };
 }
 function baseUrl() {
-    return getApiBaseOverride() || getConfig()?.apiBase || 'https://a.gipity.ai';
+    return resolveApiBase();
 }
 /** Exposed so streaming consumers (SSE) can build URLs without re-implementing
  *  the override / config resolution. */
@@ -101,6 +101,9 @@ export async function postForTarEntries(path, body) {
 export function put(path, body) {
     return request('PUT', path, body);
 }
+export function patch(path, body) {
+    return request('PATCH', path, body);
+}
 export function del(path, body) {
     return request('DELETE', path, body);
 }

package/dist/auth.js

@@ -1,4 +1,4 @@
-import { readFileSync, writeFileSync, mkdirSync, existsSync, unlinkSync } from 'fs';
+import { readFileSync, writeFileSync, mkdirSync, existsSync, unlinkSync, chmodSync } from 'fs';
 import { join } from 'path';
 import { homedir } from 'os';
 import { decodeJwtExp } from './utils.js';
@@ -33,8 +33,16 @@ export function readAuthFresh() {
     }
 }
 export function saveAuth(data) {
-    mkdirSync(AUTH_DIR, { recursive: true });
-    writeFileSync(AUTH_FILE, JSON.stringify(data, null, 2));
+    // Lock down to owner-only: this file holds the account access + 7-day refresh
+    // tokens, so a default 0644/0755 would let any other local user read them.
+    // (The relay state file already does this; auth.json is the more sensitive of
+    // the two.) chmod after write to also tighten any pre-existing loose file.
+    mkdirSync(AUTH_DIR, { recursive: true, mode: 0o700 });
+    writeFileSync(AUTH_FILE, JSON.stringify(data, null, 2), { mode: 0o600 });
+    try {
+        chmodSync(AUTH_FILE, 0o600);
+    }
+    catch { /* best-effort on platforms without chmod */ }
     cached = data;
 }
 export function clearAuth() {
@@ -73,7 +81,7 @@ export async function refreshTokenIfNeeded() {
         return; // not logged in, caller will handle
     try {
         const config = await import('./config.js');
-        const apiBase = config.getApiBaseOverride() || config.getConfig()?.apiBase || 'https://a.gipity.ai';
+        const apiBase = config.resolveApiBase();
         const res = await fetch(`${apiBase}/auth/refresh`, {
             method: 'POST',
             headers: { 'Content-Type': 'application/json' },

package/dist/banner.js

@@ -1,6 +1,6 @@
 // ── Gipity CLI Startup Banner ──────────────────────────────────────────
 // Two-panel box showing all AI models, platform tools, and sandbox capabilities.
-import { brand, bold, faint, muted } from './colors.js';
+import { brand, bold, faint, muted, fg } from './colors.js';
 // ── Static content ─────────────────────────────────────────────────────
 // ── Feature groups ────────────────────────────────────────────────────
 const AI_MODELS = [
@@ -38,11 +38,13 @@ const INFRASTRUCTURE = [
     'Deploy', 'Uploads', 'Rollback',
 ];
 // ── Egg color palette (shared) - gradient built around #FEA60E ───────
-const _hi = (s) => `\x1b[38;2;255;215;80m${s}\x1b[39m`; // golden highlight
-const _lt = (s) => `\x1b[38;2;254;190;45m${s}\x1b[39m`; // light
-const _br = (s) => `\x1b[38;2;254;166;14m${s}\x1b[39m`; // base - #FEA60E
-const _md = (s) => `\x1b[38;2;218;112;8m${s}\x1b[39m`; // medium-dark
-const _sh = (s) => `\x1b[38;2;170;68;4m${s}\x1b[39m`; // shadow
+// Colors route through fg() so they downgrade (256 / 16 / none) on terminals
+// without truecolor support instead of rendering as misparsed garbage.
+const _hi = fg(255, 215, 80); // golden highlight
+const _lt = fg(254, 190, 45); // light
+const _br = fg(254, 166, 14); // base - #FEA60E
+const _md = fg(218, 112, 8); // medium-dark
+const _sh = fg(170, 68, 4); // shadow
 // Wobbly egg - asymmetric left/right, organic feel (8 rows)
 // Widths: 6 → 8 → 10 → 12 → 14 → 12 → 10 → 8  |  Widest at row 5/8 (62%)
 function eggWobbly() {
@@ -76,8 +78,8 @@ function eggSym() {
 // Edge pairs: ▗/▖ cap → ▟/▙ expand → ▐/▌ straight → ▜/▛ contract → ▝/▘ cap
 function eggTall() {
     // Extra intermediate tones for a smoother gradient
-    const _m1 = (s) => `\x1b[38;2;238;138;10m${s}\x1b[39m`; // base → medium
-    const _dk = (s) => `\x1b[38;2;195;88;6m${s}\x1b[39m`; // medium → shadow
+    const _m1 = fg(238, 138, 10); // base to medium
+    const _dk = fg(195, 88, 6); // medium to shadow
     return [
         _lt('▗▄') + _br('██') + _md('▄▖'), //  6 - top cap
         _lt('▟') + _hi('█') + _br('████') + _m1('█▙'), //  8 - expanding, highlight
@@ -161,7 +163,7 @@ function buildLeftPanel(opts, panelW) {
     const nameDisplay = opts.email
         ? opts.email.split('@')[0].replace(/^./, c => c.toUpperCase())
         : null;
-    const white = (s) => `\x1b[38;2;255;255;255m${s}\x1b[39m`;
+    const white = fg(255, 255, 255);
     const welcome = nameDisplay
         ? white(bold(`Welcome back ${nameDisplay}!`))
         : white(bold('Welcome to Gipity'));

package/dist/colors.js

@@ -1,27 +1,127 @@
 // ── Gipity CLI Color System ─────────────────────────────────────────────
 // Centralized color definitions matching the Gipity platform palette.
 // All command files should import from here - no inline ANSI codes.
+//
+// Color depth is detected once at load. RGB colors automatically downgrade:
+//   level 3 → 24-bit truecolor   \x1b[38;2;R;G;Bm
+//   level 2 → 256-color          \x1b[38;5;Nm
+//   level 1 → 16-color           \x1b[3Xm / \x1b[9Xm
+//   level 0 → no color (plain text)
+// This avoids the failure mode where a terminal that does not understand the
+// 24-bit escape misparses it and renders garbage (e.g. the orange egg coming
+// out purple on consoles without truecolor support).
 const ESC = '\x1b';
-// Detect whether colors should be suppressed
-const noColor = !!process.env['NO_COLOR'] || !process.stdout.isTTY;
+// ── Color-depth detection ───────────────────────────────────────────────
+// 0 = none, 1 = 16-color, 2 = 256-color, 3 = truecolor. Mirrors the common
+// supports-color / chalk heuristics, biased toward NOT emitting truecolor
+// unless the terminal advertises it, so unknown terminals get a safe 256 or
+// 16-color approximation instead of a misparsed 24-bit sequence.
+function detectColorLevel() {
+    if (process.env['NO_COLOR'])
+        return 0;
+    // FORCE_COLOR overrides detection (matches Node / chalk semantics).
+    const force = process.env['FORCE_COLOR'];
+    if (force !== undefined) {
+        if (force === '0' || force === 'false')
+            return 0;
+        if (force === '3')
+            return 3;
+        if (force === '2')
+            return 2;
+        // '1', 'true', '' → at least basic color
+        if (force === '1' || force === 'true' || force === '')
+            return 1;
+    }
+    if (!process.stdout.isTTY)
+        return 0;
+    const term = (process.env['TERM'] || '').toLowerCase();
+    if (term === 'dumb')
+        return 0;
+    const colorterm = (process.env['COLORTERM'] || '').toLowerCase();
+    if (colorterm === 'truecolor' || colorterm === '24bit')
+        return 3;
+    const termProgram = process.env['TERM_PROGRAM'] || '';
+    if (termProgram === 'iTerm.app' || termProgram === 'vscode')
+        return 3;
+    if (termProgram === 'Apple_Terminal')
+        return 2;
+    if (/-256(color)?$/.test(term) || term.includes('256'))
+        return 2;
+    // Modern Windows consoles set COLORTERM (caught above). Older cmd.exe /
+    // conhost only do 16-color reliably.
+    if (process.platform === 'win32')
+        return 1;
+    if (term)
+        return 1;
+    return 0;
+}
+const COLOR_LEVEL = detectColorLevel();
 // Identity function for when colors are disabled
 const identity = (s) => s;
+// ── RGB downgrade helpers ───────────────────────────────────────────────
+// RGB → nearest xterm-256 palette index (6x6x6 cube + grayscale ramp).
+function rgbTo256(r, g, b) {
+    if (r === g && g === b) {
+        if (r < 8)
+            return 16;
+        if (r > 248)
+            return 231;
+        return Math.round(((r - 8) / 247) * 24) + 232;
+    }
+    return (16 +
+        36 * Math.round((r / 255) * 5) +
+        6 * Math.round((g / 255) * 5) +
+        Math.round((b / 255) * 5));
+}
+// RGB → nearest 16-color SGR foreground code (30-37 / 90-97).
+function rgbTo16(r, g, b) {
+    const value = Math.round((Math.max(r, g, b) / 255) * 3);
+    if (value === 0)
+        return 30;
+    let code = 30 +
+        ((Math.round(b / 255) << 2) |
+            (Math.round(g / 255) << 1) |
+            Math.round(r / 255));
+    if (value === 3)
+        code += 60; // bright variant
+    return code;
+}
 // ── Low-level builders ──────────────────────────────────────────────────
-function makeFg(r, g, b) {
-    if (noColor)
+export function makeFg(r, g, b) {
+    if (COLOR_LEVEL === 0)
         return identity;
-    return (s) => `${ESC}[38;2;${r};${g};${b}m${s}${ESC}[39m`;
+    if (COLOR_LEVEL === 3) {
+        return (s) => `${ESC}[38;2;${r};${g};${b}m${s}${ESC}[39m`;
+    }
+    if (COLOR_LEVEL === 2) {
+        const n = rgbTo256(r, g, b);
+        return (s) => `${ESC}[38;5;${n}m${s}${ESC}[39m`;
+    }
+    const code = rgbTo16(r, g, b);
+    return (s) => `${ESC}[${code}m${s}${ESC}[39m`;
 }
-function makeBg(r, g, b) {
-    if (noColor)
+export function makeBg(r, g, b) {
+    if (COLOR_LEVEL === 0)
         return identity;
-    return (s) => `${ESC}[48;2;${r};${g};${b}m${s}${ESC}[49m`;
+    if (COLOR_LEVEL === 3) {
+        return (s) => `${ESC}[48;2;${r};${g};${b}m${s}${ESC}[49m`;
+    }
+    if (COLOR_LEVEL === 2) {
+        const n = rgbTo256(r, g, b);
+        return (s) => `${ESC}[48;5;${n}m${s}${ESC}[49m`;
+    }
+    const code = rgbTo16(r, g, b) + 10; // fg 30-97 → bg 40-107
+    return (s) => `${ESC}[${code}m${s}${ESC}[49m`;
 }
 function makeStyle(open, close) {
-    if (noColor)
+    if (COLOR_LEVEL === 0)
         return identity;
     return (s) => `${ESC}[${open}m${s}${ESC}[${close}m`;
 }
+// Convenience alias for callers that just want an RGB foreground (e.g. banner).
+export const fg = makeFg;
+// The detected level, exported for callers that want to branch on it.
+export const colorLevel = COLOR_LEVEL;
 // ── Text style helpers ──────────────────────────────────────────────────
 export const bold = makeStyle(1, 22);
 export const dim = makeStyle(2, 22);

package/dist/commands/add.js

@@ -179,7 +179,8 @@ export const addCommand = new Command('add')
         }
         const { name: labelName, files } = buildLocalPayload(resolved);
         const kind = sniffPayloadKind(files);
-        console.log(muted(`Uploading ${files.length} file(s) from ${resolved} (${kind}) ...`));
+        // Progress goes to stderr so `gipity add … --json` keeps stdout pure JSON.
+        console.error(muted(`Uploading ${files.length} file(s) from ${resolved} (${kind}) ...`));
         body = {
             name: labelName,
             title: opts.title,

package/dist/commands/approval.js

@@ -58,11 +58,21 @@ approvalCommand
 approvalCommand
     .command('answer <guid> [selection...]')
     .description('Answer an approval: a = approve, b = deny, c = ignore, or free text for text-type')
+    .option('--deny', 'Resolve as denied; any trailing text is sent as feedback (e.g. requested edits)')
     .option('--json', 'Output as JSON')
     .action((guid, selectionParts, opts) => run('Answer', async () => {
     if (!guid.startsWith('ap_')) {
         throw new Error('Expected approval guid like ap_xxxxxxxx');
     }
+    // Deny with optional free-text feedback works for every response type -
+    // it's how a workflow gate's revision loop gets the user's edits
+    // ({{gate.action}} == rejected + {{gate.human_response}}).
+    if (opts.deny) {
+        const feedback = selectionParts.join(' ').trim();
+        await post(`/approvals/${guid}/resolve`, { status: 'denied', response: feedback || undefined });
+        printResult(`Denied${feedback ? `: ${feedback}` : '.'}`, opts, { guid, status: 'denied' });
+        return;
+    }
     const detailRes = await get(`/approvals/${guid}`);
     const detail = detailRes.data;
     const first = selectionParts[0];

package/dist/commands/claude.js

@@ -19,7 +19,7 @@ function resolveCommand(cmd) {
 }
 import { getAuth, saveAuth, clearAuth } from '../auth.js';
 import { get, post, publicPost, ApiError, getAccountSlug } from '../api.js';
-import { getConfig, saveConfigAt, clearConfigCache, getApiBaseOverride, getConfigPath } from '../config.js';
+import { getConfig, saveConfigAt, clearConfigCache, getApiBaseOverride, DEFAULT_API_BASE, getConfigPath } from '../config.js';
 import { sync } from '../sync.js';
 import { slugify, setupClaudeHooks, setupClaudeMd, setupAgentsMd, setupGitignore, DEFAULT_SYNC_IGNORE, isSyncIgnored } from '../setup.js';
 import { buildProjectContextBlock as buildProjectContextBlockText, buildNewProjectPrompt, buildResumeWrap, buildFreshWrap, } from '../prompts.js';
@@ -219,6 +219,10 @@ export const claudeCommand = new Command('claude')
     .option('--project <slug>', 'Open an existing project by slug or id')
     .option('--here', 'Use the current directory instead of ~/GipityProjects/<slug>/')
     .option('--quiet', "Suppress Claude's live progress output (headless --new-project/--project runs)")
+    // Forwarded to `claude` via the unknown-arg passthrough below (NOT in the
+    // gipity strip lists). Declared here only so it shows up in --help — without
+    // this, callers can't discover that the session model is selectable.
+    .option('--model <model>', 'Model for the Claude session, forwarded to claude (e.g. sonnet, opus, or a full id like claude-sonnet-4-6)')
     .allowUnknownOption(true)
     .allowExcessArguments(true)
     .action(async (opts) => {
@@ -384,7 +388,7 @@ export const claudeCommand = new Command('claude')
                 accountSlug,
                 agentGuid,
                 conversationGuid: null,
-                apiBase: getApiBaseOverride() || 'https://a.gipity.ai',
+                apiBase: getApiBaseOverride() || DEFAULT_API_BASE,
                 ignore: DEFAULT_SYNC_IGNORE,
             });
             console.log(`\n  Using ${projectDir}`);
@@ -470,7 +474,7 @@ export const claudeCommand = new Command('claude')
                         err?.code === 'ETIMEDOUT' || err?.cause?.code === 'ECONNREFUSED' ||
                         err?.cause?.code === 'ENOTFOUND' || err?.cause?.code === 'ETIMEDOUT';
                     if (isConnectionError) {
-                        const apiBase = getApiBaseOverride() || 'https://a.gipity.ai';
+                        const apiBase = getApiBaseOverride() || DEFAULT_API_BASE;
                         console.error(`  ${clrError(`Could not connect to ${apiBase}`)}`);
                         console.error(`  ${muted('Check your connection and try again.')}`);
                         process.exit(1);
@@ -554,7 +558,7 @@ export const claudeCommand = new Command('claude')
                     accountSlug,
                     agentGuid,
                     conversationGuid: null,
-                    apiBase: getApiBaseOverride() || 'https://a.gipity.ai',
+                    apiBase: getApiBaseOverride() || DEFAULT_API_BASE,
                     ignore: DEFAULT_SYNC_IGNORE,
                 });
                 console.log(`\n  Using ${projectDir}`);

package/dist/commands/deploy.js

@@ -20,7 +20,7 @@ export const deployCommand = new Command('deploy')
     .argument('[target]', 'dev or prod', 'dev')
     .option('--source-dir <dir>', 'Source directory to deploy from')
     .option('--only <phases>', 'Run only specific phases (comma-separated)')
-    .option('--force', 'Re-run all phases, ignore checksums')
+    .option('--force', 'Re-run all phases (ignore checksums) and bypass the sync bulk-deletion guard')
     .option('--no-sync', 'Skip sync-up before deploy')
     .option('--optimize', 'Run build optimization')
     .option('--json', 'Output as JSON')

package/dist/commands/fn.js

@@ -1,8 +1,9 @@
 import { Command } from 'commander';
-import { get, post } from '../api.js';
+import { get, post, del } from '../api.js';
 import { requireConfig } from '../config.js';
 import { error as clrError, bold, muted, success } from '../colors.js';
 import { run, printList } from '../helpers/index.js';
+import { confirm } from '../utils.js';
 export const fnCommand = new Command('fn')
     .description('Manage functions');
 fnCommand
@@ -45,4 +46,24 @@ fnCommand
     const res = await post(`/api/${config.projectGuid}/fn/${encodeURIComponent(name)}`, body);
     console.log(opts.json ? JSON.stringify(res.data) : JSON.stringify(res.data, null, 2));
 }));
+fnCommand
+    .command('delete <name>')
+    .alias('rm')
+    .description('Delete a function')
+    .option('--yes', 'Skip confirmation')
+    .option('--json', 'Output as JSON')
+    .action((name, opts) => run('Delete', async () => {
+    const config = requireConfig();
+    if (!await confirm(`Delete function '${name}'? This cannot be undone.`, { skip: opts.yes })) {
+        console.log('Cancelled.');
+        return;
+    }
+    await del(`/projects/${config.projectGuid}/functions/${encodeURIComponent(name)}`);
+    if (opts.json) {
+        console.log(JSON.stringify({ name, deleted: true }));
+    }
+    else {
+        console.log(success(`Deleted function '${name}'.`));
+    }
+}));
 //# sourceMappingURL=fn.js.map

package/dist/commands/page-eval.js

@@ -3,6 +3,8 @@ import { Command } from 'commander';
 import { post, get, ApiError } from '../api.js';
 import { brand, bold, muted, warning } from '../colors.js';
 import { run } from '../helpers/index.js';
+import { resolveProjectContext } from '../config.js';
+import { uploadPublicFixture, deleteFixture } from '../page-fixtures.js';
 // Shown when an eval runs cleanly but returns nothing serializable. Turns a
 // bare/opaque `null` into a deterministic, actionable nudge so the agent shapes
 // a returnable value instead of guessing and retrying.
@@ -135,6 +137,7 @@ export const pageEvalCommand = new Command('eval')
     .argument('<url>', 'URL to load')
     .argument('[expr]', 'JavaScript to evaluate in page context (inline expression or statement body with return/await; result is JSON-serialized). Omit when using --file.')
     .option('--file <path>', 'Read the script body from a file instead of the inline <expr> arg (mutually exclusive). Runs as an async function body, so top-level return/await work.')
+    .option('--fixture <path>', 'Host a local file and expose it to the eval as `fixtureUrl` (and under `fixtures` by basename) to fetch in-page. For verifying a render/parse path against a real binary (an MP3, an image) - no size limit, auto-deleted after the run. Repeat for several files (single-value so it never swallows the inline <expr>).', (val, prev) => [...prev, val], [])
     .option('--wait <ms>', 'Sleep this many ms after DOMContentLoaded before evaluating (lets late async work settle; max 30000)', '500')
     .option('--wait-for <selector>', 'Wait until this CSS selector appears before evaluating (deterministic; replaces --wait)')
     .option('--wait-timeout <ms>', 'Max ms to wait for --wait-for before giving up', '5000')
@@ -161,30 +164,66 @@ export const pageEvalCommand = new Command('eval')
     const waitMs = capWaitMs(opts.wait, url);
     const parsedTimeout = parseInt(opts.waitTimeout, 10);
     const waitForTimeoutMs = Number.isFinite(parsedTimeout) && parsedTimeout >= 0 ? parsedTimeout : 5000;
-    const kickoff = await post('/tools/browser/eval', {
-        url, expr, waitMs,
-        waitForSelector: opts.waitFor || undefined,
-        waitForTimeoutMs: opts.waitFor ? waitForTimeoutMs : undefined,
-    });
-    const d = await pollEvalResult(kickoff.data.evalJobId, waitMs);
-    const { result, noValue } = normalizeEvalResult(d.result);
-    const execTimeout = evalExecTimeoutMessage(d.result);
-    if (execTimeout)
-        throw new Error(execTimeout);
-    if (opts.json) {
-        console.log(JSON.stringify(noValue ? { ...d, result, hint: EVAL_NO_VALUE_HINT } : { ...d, result }));
-        return;
+    // --fixture: host each file publicly, then splice `fixtures` / `fixtureUrl`
+    // into the eval scope so the page can fetch the bytes. The prelude makes the
+    // body a statement (const/return), so the server's expression form fails to
+    // parse and it falls back to the function-body form - which runs both inline
+    // exprs (wrapped in `return (...)`) and --file scripts. Cleanup in `finally`.
+    const fixturePaths = opts.fixture ?? [];
+    const hosted = [];
+    let projectGuid;
+    let sentExpr = expr;
+    try {
+        if (fixturePaths.length) {
+            const { config } = await resolveProjectContext({});
+            projectGuid = config.projectGuid;
+            for (const p of fixturePaths) {
+                console.log(muted(`Hosting fixture ${p}…`));
+                hosted.push(await uploadPublicFixture(projectGuid, p));
+            }
+            const map = {};
+            for (const h of hosted)
+                map[h.name] = h.url;
+            const prelude = `const fixtures=${JSON.stringify(map)};const fixtureUrl=${JSON.stringify(hosted[0].url)};`;
+            sentExpr = opts.file ? `${prelude}\n${expr}` : `${prelude}\nreturn (${expr});`;
+        }
+        const kickoff = await post('/tools/browser/eval', {
+            url, expr: sentExpr, waitMs,
+            waitForSelector: opts.waitFor || undefined,
+            waitForTimeoutMs: opts.waitFor ? waitForTimeoutMs : undefined,
+        });
+        const d = await pollEvalResult(kickoff.data.evalJobId, waitMs);
+        const { result, noValue } = normalizeEvalResult(d.result);
+        const execTimeout = evalExecTimeoutMessage(d.result);
+        if (execTimeout)
+            throw new Error(execTimeout);
+        if (opts.json) {
+            console.log(JSON.stringify(noValue ? { ...d, result, hint: EVAL_NO_VALUE_HINT } : { ...d, result }));
+            return;
+        }
+        console.log(`${brand('Eval')} ${bold(d.url || url)}`);
+        if (d.navigationIncomplete) {
+            console.log(`${warning('⚠ Navigation incomplete:')} ${d.note || 'page did not reach full load'}`);
+        }
+        if (hosted.length)
+            console.log(`${muted('Fixtures:')} ${hosted.map((h) => h.name).join(', ')}`);
+        console.log(opts.file ? `${muted('Script:')} ${opts.file}` : `${muted('Expression:')} ${expr}`);
+        console.log(`\n${result.trim() ? result : muted('(empty result)')}`);
+        if (noValue)
+            console.log(muted(`\n${EVAL_NO_VALUE_HINT}`));
+        if (d.truncated)
+            console.log(muted('\n(result truncated to fit context - narrow the expression for the full value)'));
     }
-    console.log(`${brand('Eval')} ${bold(d.url || url)}`);
-    if (d.navigationIncomplete) {
-        console.log(`${warning('⚠ Navigation incomplete:')} ${d.note || 'page did not reach full load'}`);
+    finally {
+        for (const h of hosted) {
+            try {
+                await deleteFixture(projectGuid, h.guid);
+            }
+            catch (err) {
+                console.error(warning(`⚠ Could not auto-delete fixture "${h.name}" (${h.guid}) — still hosted at ${h.url}: ${err.message}`));
+            }
+        }
     }
-    console.log(opts.file ? `${muted('Script:')} ${opts.file}` : `${muted('Expression:')} ${expr}`);
-    console.log(`\n${result.trim() ? result : muted('(empty result)')}`);
-    if (noValue)
-        console.log(muted(`\n${EVAL_NO_VALUE_HINT}`));
-    if (d.truncated)
-        console.log(muted('\n(result truncated to fit context - narrow the expression for the full value)'));
 }));
 // Each `page eval` call runs to completion before the next starts, so two evals
 // fired back-to-back never coexist in time - they CANNOT test whether two live
@@ -197,6 +236,10 @@ Examples:
   # Functionally test a page's own code paths: save a script that drives the UI
   # and returns a JSON-serializable result, then run it (no /tmp + shell quoting):
   gipity page eval "https://dev.gipity.ai/me/app/" --file ./tests/draw-flow.js --json
+  # Verify a render/parse path against a REAL file: --fixture hosts it, injects a
+  # fetch-able 'fixtureUrl', runs the eval, then deletes the hosted copy:
+  gipity page eval "https://dev.gipity.ai/me/app/" --fixture ./sample.mp3 \\
+    "(async()=>{ const b = await fetch(fixtureUrl).then(r=>r.arrayBuffer()); return window.App.parseId3(b); })()"
 
 The eval body runs under a ~20s in-page execution budget (its own await/setTimeout
 pauses count; --wait only sleeps BEFORE the eval and does not extend it). For a long

package/dist/commands/records.js

@@ -1,9 +1,13 @@
 import { Command } from 'commander';
-import { get, post, put, del } from '../api.js';
+import { get, post, put, patch, del } from '../api.js';
 import { requireConfig } from '../config.js';
 import { bold, muted } from '../colors.js';
 import { run, printList, printResult } from '../helpers/index.js';
 import { confirm } from '../utils.js';
+// All commands hit the app API (https://a.gipity.ai/api/<guid>/records/...),
+// which authorizes the logged-in owner via their Bearer token. (The native
+// Records API is the only records surface that exists server-side; there is no
+// /projects/<guid>/records mirror.)
 export const recordsCommand = new Command('records')
     .description('Manage records');
 recordsCommand
@@ -12,8 +16,38 @@ recordsCommand
     .option('--json', 'Output as JSON')
     .action((opts) => run('List', async () => {
     const config = requireConfig();
-    const res = await get(`/projects/${config.projectGuid}/records-config`);
-    printList(res.data, opts, 'No tables configured for Records API.', t => `${bold(t.table_name)}  ${muted(t.auth_level)}  ${muted(`pk=${t.primary_key_column}`)}  ${muted(`db=${t.database_name}`)}`);
+    const res = await get(`/api/${config.projectGuid}/records-config`);
+    printList(res.data, opts, 'No tables configured for Records API. Configure one with `gipity records config <table> --auth <level>`.', t => `${bold(t.table_name)}  ${muted(t.auth_level)}  ${muted(`pk=${t.primary_key_column}`)}  ${muted(`db=${t.database_name}`)}`);
+}));
+recordsCommand
+    .command('config <table>')
+    .description('Show or set a table\'s Records API config (auth level, search, etc.)')
+    .option('--auth <level>', 'Auth level: public (anonymous writes), member (sign-in), or user')
+    .option('--searchable <bool>', 'Enable full-text search (true/false)')
+    .option('--primary-key <col>', 'Primary key column (default: id)')
+    .option('--soft-delete <col>', 'Soft-delete column (pass "none" to clear)')
+    .option('--json', 'Output as JSON')
+    .action((table, opts) => run('Config', async () => {
+    const config = requireConfig();
+    const base = `/api/${config.projectGuid}/records/${table}/config`;
+    // No setter flags → just show the current config.
+    const setting = opts.auth || opts.searchable !== undefined || opts.primaryKey || opts.softDelete;
+    if (!setting) {
+        const res = await get(base);
+        printResult(JSON.stringify(res.data, null, 2), opts, res.data);
+        return;
+    }
+    const body = {};
+    if (opts.auth)
+        body.auth_level = opts.auth;
+    if (opts.searchable !== undefined)
+        body.searchable = /^(true|1|on|yes)$/i.test(String(opts.searchable));
+    if (opts.primaryKey)
+        body.primary_key_column = opts.primaryKey;
+    if (opts.softDelete)
+        body.soft_delete_column = opts.softDelete === 'none' ? null : opts.softDelete;
+    const res = await patch(base, body);
+    printResult(`Configured "${table}": auth=${res.data.auth_level}, searchable=${res.data.searchable}, pk=${res.data.primary_key_column}`, opts, res.data);
 }));
 recordsCommand
     .command('query <table>')
@@ -35,7 +69,7 @@ recordsCommand
     params.set('offset', opts.offset);
     if (opts.fields)
         params.set('fields', opts.fields);
-    const res = await get(`/projects/${config.projectGuid}/records/${table}?${params}`);
+    const res = await get(`/api/${config.projectGuid}/records/${table}?${params}`);
     if (opts.json) {
         console.log(JSON.stringify(res));
     }
@@ -54,7 +88,7 @@ recordsCommand
     .option('--json', 'Output as JSON')
     .action((table, id, opts) => run('Get', async () => {
     const config = requireConfig();
-    const res = await get(`/projects/${config.projectGuid}/records/${table}/${id}`);
+    const res = await get(`/api/${config.projectGuid}/records/${table}/${id}`);
     console.log(opts.json ? JSON.stringify(res.data) : JSON.stringify(res.data, null, 2));
 }));
 recordsCommand
@@ -65,7 +99,7 @@ recordsCommand
     .action((table, opts) => run('Create', async () => {
     const config = requireConfig();
     const data = JSON.parse(opts.data);
-    const res = await post(`/projects/${config.projectGuid}/records/${table}`, data);
+    const res = await post(`/api/${config.projectGuid}/records/${table}`, data);
     printResult(`Created: ${JSON.stringify(res.data)}`, opts, res.data);
 }));
 recordsCommand
@@ -76,7 +110,7 @@ recordsCommand
     .action((table, id, opts) => run('Update', async () => {
     const config = requireConfig();
     const data = JSON.parse(opts.data);
-    const res = await put(`/projects/${config.projectGuid}/records/${table}/${id}`, data);
+    const res = await put(`/api/${config.projectGuid}/records/${table}/${id}`, data);
     printResult(`Updated: ${JSON.stringify(res.data)}`, opts, res.data);
 }));
 recordsCommand
@@ -88,7 +122,7 @@ recordsCommand
         return;
     }
     const config = requireConfig();
-    await del(`/projects/${config.projectGuid}/records/${table}/${id}`);
+    await del(`/api/${config.projectGuid}/records/${table}/${id}`);
     printResult('Deleted.', { json: false });
 }));
 //# sourceMappingURL=records.js.map