humanenv 0.1.0

package/packages/client/dist/cli.js

@@ -0,0 +1,1041 @@
+#!/usr/bin/env node
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/shared/errors.ts
+var ErrorCode, ErrorMessages, HumanEnvError;
+var init_errors = __esm({
+  "src/shared/errors.ts"() {
+    "use strict";
+    ErrorCode = /* @__PURE__ */ ((ErrorCode2) => {
+      ErrorCode2["SERVER_PK_NOT_AVAILABLE"] = "SERVER_PK_NOT_AVAILABLE";
+      ErrorCode2["CLIENT_AUTH_INVALID_PROJECT_NAME"] = "CLIENT_AUTH_INVALID_PROJECT_NAME";
+      ErrorCode2["CLIENT_AUTH_NOT_WHITELISTED"] = "CLIENT_AUTH_NOT_WHITELISTED";
+      ErrorCode2["CLIENT_AUTH_INVALID_API_KEY"] = "CLIENT_AUTH_INVALID_API_KEY";
+      ErrorCode2["CLIENT_CONN_MAX_RETRIES_EXCEEDED"] = "CLIENT_CONN_MAX_RETRIES_EXCEEDED";
+      ErrorCode2["ENV_API_MODE_ONLY"] = "ENV_API_MODE_ONLY";
+      ErrorCode2["SERVER_INTERNAL_ERROR"] = "SERVER_INTERNAL_ERROR";
+      ErrorCode2["WS_CONNECTION_FAILED"] = "WS_CONNECTION_FAILED";
+      ErrorCode2["DB_OPERATION_FAILED"] = "DB_OPERATION_FAILED";
+      return ErrorCode2;
+    })(ErrorCode || {});
+    ErrorMessages = {
+      SERVER_PK_NOT_AVAILABLE: "Server private key is not available. Restart pending.",
+      CLIENT_AUTH_INVALID_PROJECT_NAME: "Invalid or unknown project name.",
+      CLIENT_AUTH_NOT_WHITELISTED: "Client fingerprint is not whitelisted for this project.",
+      CLIENT_AUTH_INVALID_API_KEY: "Invalid or expired API key.",
+      CLIENT_CONN_MAX_RETRIES_EXCEEDED: "Maximum WS connection retries exceeded.",
+      ENV_API_MODE_ONLY: "This env is API-mode only and cannot be accessed via CLI.",
+      SERVER_INTERNAL_ERROR: "An internal server error occurred.",
+      WS_CONNECTION_FAILED: "Failed to establish WebSocket connection.",
+      DB_OPERATION_FAILED: "Database operation failed."
+    };
+    HumanEnvError = class extends Error {
+      code;
+      constructor(code, message) {
+        super(message ?? ErrorMessages[code]);
+        this.name = "HumanEnvError";
+        this.code = code;
+      }
+    };
+  }
+});
+
+// src/shared/types.ts
+var SKILL_CONTENT;
+var init_types = __esm({
+  "src/shared/types.ts"() {
+    "use strict";
+    SKILL_CONTENT = `---
+name: humanenv-usage
+description: Use humanenv to retrieve sensitives/envs. Never log/read sensitives from humanenv. They are envs for humans only.
+---
+
+## How to retrieve sensitives
+
+### JavaScript API
+Use \`humanenv.get('key')\` inside your application. The returned value must be used immediately and then set to \`null\` to prevent memory leaks.
+
+### CLI (non-TTY mode)
+Only non-API-mode envs are accessible. Do not attempt to use this to log or dump all envs.
+
+## Rules
+1. NEVER log env values retrieved from humanenv
+2. NEVER dump or export multiple values at once
+3. ALWAYS null variables after use
+4. NEVER write sensitives to files
+5. Do not generate scripts that use humanenv in loops or to exfiltrate data`;
+  }
+});
+
+// src/shared/crypto.ts
+function generateMnemonic() {
+  const entropy = crypto.randomBytes(16);
+  const words = [];
+  for (let i = 0; i < 32; i++) {
+    words.push(BIP39_WORDLIST[entropy[i] % BIP39_WORDLIST.length]);
+  }
+  return words.slice(0, 12).join(" ");
+}
+function validateMnemonic(mnemonic) {
+  const words = mnemonic.trim().toLowerCase().split(/\s+/);
+  if (words.length !== 12) return false;
+  return words.every((w) => BIP39_WORDLIST.includes(w));
+}
+function derivePkFromMnemonic(mnemonic) {
+  return crypto.pbkdf2Sync(
+    mnemonic.toLowerCase().trim(),
+    "humanenv-server-v1",
+    PBKDF2_ITERATIONS,
+    PK_KEY_LENGTH,
+    "sha256"
+  );
+}
+function hashPkForVerification(pk) {
+  return crypto.createHash("sha256").update(pk).digest("hex");
+}
+function encryptWithPk(value, pk, aad) {
+  const iv = crypto.randomBytes(12);
+  const cipher = crypto.createCipheriv("aes-256-gcm", pk, iv);
+  cipher.setAAD(crypto.createHash("sha256").update(aad).digest());
+  const encrypted = Buffer.concat([cipher.update(value, "utf8"), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return Buffer.concat([iv, tag, encrypted]).toString("base64");
+}
+function decryptWithPk(encryptedBase64, pk, aad) {
+  const buf = Buffer.from(encryptedBase64, "base64");
+  const iv = buf.subarray(0, 12);
+  const tag = buf.subarray(12, 28);
+  const ciphertext = buf.subarray(28);
+  const decipher = crypto.createDecipheriv("aes-256-gcm", pk, iv);
+  decipher.setAAD(crypto.createHash("sha256").update(aad).digest());
+  decipher.setAuthTag(tag);
+  const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+  return decrypted.toString("utf8");
+}
+function generateFingerprint() {
+  const components = [
+    process.env.HOSTNAME || "unknown-host",
+    process.platform,
+    process.arch,
+    process.version
+  ];
+  return crypto.createHash("sha256").update(components.join("|")).digest("hex").slice(0, 16);
+}
+var crypto, PBKDF2_ITERATIONS, PK_KEY_LENGTH, BIP39_WORDLIST;
+var init_crypto = __esm({
+  "src/shared/crypto.ts"() {
+    "use strict";
+    crypto = __toESM(require("node:crypto"));
+    PBKDF2_ITERATIONS = 1e5;
+    PK_KEY_LENGTH = 32;
+    BIP39_WORDLIST = [
+      "abandon",
+      "ability",
+      "able",
+      "about",
+      "above",
+      "absent",
+      "absorb",
+      "abstract",
+      "absurd",
+      "abuse",
+      "access",
+      "accident",
+      "account",
+      "accuse",
+      "achieve",
+      "acid",
+      "acoustic",
+      "acquire",
+      "across",
+      "act",
+      "action",
+      "actor",
+      "actress",
+      "actual",
+      "adapt",
+      "add",
+      "addict",
+      "address",
+      "adjust",
+      "admit",
+      "adult",
+      "advance",
+      "advice",
+      "aerobic",
+      "affair",
+      "afford",
+      "afraid",
+      "again",
+      "age",
+      "agent",
+      "agree",
+      "ahead",
+      "aim",
+      "air",
+      "airport",
+      "aisle",
+      "alarm",
+      "album",
+      "alcohol",
+      "alert",
+      "alien",
+      "all",
+      "alley",
+      "allow",
+      "almost",
+      "alone",
+      "alpha",
+      "already",
+      "also",
+      "alter",
+      "always",
+      "amateur",
+      "amazing",
+      "among",
+      "amount",
+      "amused",
+      "analyst",
+      "anchor",
+      "ancient",
+      "anger",
+      "angle",
+      "angry",
+      "animal",
+      "ankle",
+      "announce",
+      "annual",
+      "another",
+      "answer",
+      "antenna",
+      "antique",
+      "anxiety",
+      "any",
+      "apart",
+      "apology",
+      "appear",
+      "apple",
+      "approve",
+      "april",
+      "arch",
+      "arctic",
+      "area",
+      "arena",
+      "argue",
+      "arm",
+      "armed",
+      "armor",
+      "army",
+      "around",
+      "arrest",
+      "arrive",
+      "arrow",
+      "art",
+      "artist",
+      "artwork",
+      "ask",
+      "aspect",
+      "assault",
+      "asset",
+      "assist",
+      "assume",
+      "asthma",
+      "athlete",
+      "atom",
+      "attack",
+      "attend",
+      "attitude",
+      "attract",
+      "auction",
+      "audit",
+      "august",
+      "aunt",
+      "author",
+      "auto",
+      "autumn",
+      "average",
+      "avocado",
+      "avoid",
+      "awake",
+      "aware",
+      "awesome",
+      "awful",
+      "awkward",
+      "axis",
+      "baby",
+      "bachelor",
+      "bacon",
+      "badge",
+      "bag",
+      "balance",
+      "balcony",
+      "ball",
+      "bamboo",
+      "banana",
+      "banner",
+      "bar",
+      "barely",
+      "bargain",
+      "barrel",
+      "base",
+      "basic",
+      "basket",
+      "battle",
+      "beach",
+      "bean",
+      "beauty",
+      "because",
+      "become",
+      "beef",
+      "before",
+      "begin",
+      "behave",
+      "behind",
+      "believe",
+      "below",
+      "bench",
+      "benefit",
+      "best",
+      "betray",
+      "better",
+      "between",
+      "beyond",
+      "bicycle",
+      "bid",
+      "bike",
+      "bind",
+      "biology",
+      "bird",
+      "birth",
+      "bitter",
+      "black",
+      "blade",
+      "blame",
+      "blanket",
+      "blast"
+    ];
+  }
+});
+
+// src/shared/index.ts
+var shared_exports = {};
+__export(shared_exports, {
+  ErrorCode: () => ErrorCode,
+  ErrorMessages: () => ErrorMessages,
+  HumanEnvError: () => HumanEnvError,
+  SKILL_CONTENT: () => SKILL_CONTENT,
+  decryptWithPk: () => decryptWithPk,
+  derivePkFromMnemonic: () => derivePkFromMnemonic,
+  encryptWithPk: () => encryptWithPk,
+  generateFingerprint: () => generateFingerprint,
+  generateMnemonic: () => generateMnemonic,
+  hashPkForVerification: () => hashPkForVerification,
+  validateMnemonic: () => validateMnemonic
+});
+var init_shared = __esm({
+  "src/shared/index.ts"() {
+    "use strict";
+    init_errors();
+    init_types();
+    init_crypto();
+  }
+});
+
+// src/ws-manager.ts
+var ws_manager_exports = {};
+__export(ws_manager_exports, {
+  HumanEnvClient: () => HumanEnvClient
+});
+var import_ws, HumanEnvClient;
+var init_ws_manager = __esm({
+  "src/ws-manager.ts"() {
+    "use strict";
+    init_shared();
+    import_ws = __toESM(require("ws"));
+    HumanEnvClient = class {
+      ws = null;
+      connected = false;
+      authenticated = false;
+      _whitelistStatus = null;
+      attempts = 0;
+      pending = /* @__PURE__ */ new Map();
+      config;
+      retryTimer = null;
+      pingTimer = null;
+      reconnecting = false;
+      disconnecting = false;
+      _authResolve = null;
+      _authReject = null;
+      get whitelistStatus() {
+        return this._whitelistStatus;
+      }
+      constructor(config) {
+        this.config = {
+          serverUrl: config.serverUrl,
+          projectName: config.projectName,
+          projectApiKey: config.projectApiKey || "",
+          maxRetries: config.maxRetries ?? 10
+        };
+      }
+      getFingerprint() {
+        return generateFingerprint();
+      }
+      async connect() {
+        return new Promise((resolve, reject) => {
+          this.doConnect(resolve, reject);
+        });
+      }
+      doConnect(resolve, reject) {
+        const proto = this.config.serverUrl.startsWith("https") ? "wss" : "ws";
+        const host = this.config.serverUrl.replace(/^https?:\/\//, "").replace(/\/+$/, "");
+        const url = `${proto}://${host}/ws`;
+        this.ws = new import_ws.default(url);
+        this.ws.on("open", () => {
+          this.connected = true;
+          this.attempts = 0;
+          this.reconnecting = false;
+          this.startPing();
+          this.sendAuth(resolve, reject);
+        });
+        this.ws.on("message", (raw) => {
+          try {
+            const msg = JSON.parse(raw.toString());
+            this.handleMessage(msg);
+          } catch {
+          }
+        });
+        this.ws.on("close", () => {
+          this.connected = false;
+          this.authenticated = false;
+          this.stopPing();
+          if (!this.disconnecting && !this.reconnecting) this.scheduleReconnect(reject);
+        });
+        this.ws.on("error", () => {
+        });
+      }
+      sendAuth(resolve, reject) {
+        this._authResolve = resolve;
+        this._authReject = reject;
+        this.ws?.send(JSON.stringify({
+          type: "auth",
+          payload: {
+            projectName: this.config.projectName,
+            apiKey: this.config.projectApiKey,
+            fingerprint: this.getFingerprint()
+          }
+        }));
+      }
+      handleMessage(msg) {
+        if (msg.type === "auth_response") {
+          if (msg.payload.success) {
+            this.authenticated = true;
+            this._whitelistStatus = msg.payload.status || (msg.payload.whitelisted ? "approved" : "pending");
+            this._authResolve?.();
+          } else {
+            this._authReject?.(new HumanEnvError(msg.payload.code, msg.payload.error));
+          }
+          this._authResolve = null;
+          this._authReject = null;
+          return;
+        }
+        if (msg.type === "get_response") {
+          this._resolvePending("get", msg.payload);
+          return;
+        }
+        if (msg.type === "set_response") {
+          this._resolvePending("set", msg.payload);
+          return;
+        }
+        if (msg.type === "pong") {
+        }
+      }
+      _resolvePending(kind, payload) {
+        for (const [id, op] of this.pending) {
+          clearTimeout(op.timeout);
+          this.pending.delete(id);
+          if (payload.error) {
+            op.reject(new HumanEnvError(payload.code, payload.error));
+          } else {
+            op.resolve(payload);
+          }
+          return;
+        }
+      }
+      async get(keyOrKeys) {
+        if (!this.connected || !this.authenticated) throw new HumanEnvError("CLIENT_AUTH_INVALID_API_KEY" /* CLIENT_AUTH_INVALID_API_KEY */);
+        if (Array.isArray(keyOrKeys)) {
+          const result = {};
+          await Promise.all(keyOrKeys.map(async (key) => {
+            result[key] = await this._getSingle(key);
+          }));
+          return result;
+        }
+        return this._getSingle(keyOrKeys);
+      }
+      _getSingle(key) {
+        return new Promise((resolve, reject) => {
+          const msgId = `${key}-${Date.now()}`;
+          const timeout = setTimeout(() => {
+            this.pending.delete(msgId);
+            reject(new Error(`Timeout getting env: ${key}`));
+          }, 8e3);
+          this.pending.set(msgId, { resolve: (v) => resolve(v.value), reject, timeout });
+          this.ws?.send(JSON.stringify({ type: "get", payload: { key } }));
+        });
+      }
+      async set(key, value) {
+        if (!this.connected || !this.authenticated) throw new HumanEnvError("CLIENT_AUTH_INVALID_API_KEY" /* CLIENT_AUTH_INVALID_API_KEY */);
+        const msgId = `set-${Date.now()}`;
+        return new Promise((resolve, reject) => {
+          const timeout = setTimeout(() => {
+            this.pending.delete(msgId);
+            reject(new Error(`Timeout setting env: ${key}`));
+          }, 8e3);
+          this.pending.set(msgId, { resolve, reject, timeout });
+          this.ws?.send(JSON.stringify({ type: "set", payload: { key, value } }));
+        });
+      }
+      scheduleReconnect(reject) {
+        if (this.attempts >= this.config.maxRetries) {
+          reject(new HumanEnvError("CLIENT_CONN_MAX_RETRIES_EXCEEDED" /* CLIENT_CONN_MAX_RETRIES_EXCEEDED */));
+          return;
+        }
+        this.reconnecting = true;
+        this.attempts++;
+        const delay = Math.min(1e3 * Math.pow(2, this.attempts - 1), 3e4);
+        if (process.stdout.isTTY) {
+          console.error(`[humanenv] Reconnecting in ${delay}ms (attempt ${this.attempts}/${this.config.maxRetries})...`);
+        }
+        this.retryTimer = setTimeout(() => {
+          this.doConnect(() => {
+          }, reject);
+        }, delay);
+      }
+      startPing() {
+        this.stopPing();
+        this.pingTimer = setInterval(() => {
+          if (this.ws?.readyState === import_ws.default.OPEN) {
+            this.ws.send(JSON.stringify({ type: "ping" }));
+          }
+        }, 3e4);
+      }
+      stopPing() {
+        if (this.pingTimer) {
+          clearInterval(this.pingTimer);
+          this.pingTimer = null;
+        }
+      }
+      /** Send a generate_api_key request to the server */
+      async generateApiKey() {
+        if (!this.connected || !this.authenticated) throw new Error("Client not authenticated");
+        return new Promise((resolve, reject) => {
+          const msgId = `genkey-${Date.now()}`;
+          const timeout = setTimeout(() => {
+            this.pending.delete(msgId);
+            reject(new Error("Timeout waiting for API key generation"));
+          }, 6e4);
+          this.pending.set(msgId, { resolve: (v) => resolve(v.apiKey), reject, timeout });
+          this.ws?.send(JSON.stringify({ type: "generate_api_key", payload: { projectName: this.config.projectName } }));
+        });
+      }
+      /** Connect (creates fresh WS) and waits for auth response up to `timeoutMs`. Resolves silently on timeout. */
+      async connectAndWaitForAuth(timeoutMs) {
+        return new Promise((resolve) => {
+          if (this.connected && this.authenticated) {
+            resolve();
+            return;
+          }
+          const deadline = Date.now() + timeoutMs;
+          const checkInterval = setInterval(() => {
+            if (this.connected && this.authenticated) {
+              clearInterval(checkInterval);
+              resolve();
+              return;
+            }
+            if (Date.now() >= deadline) {
+              clearInterval(checkInterval);
+              resolve();
+              return;
+            }
+          }, 200);
+          if (!this.connected) {
+            this.attempts = 0;
+            this.doConnect(() => {
+            }, () => {
+              clearInterval(checkInterval);
+              resolve();
+            });
+          }
+        });
+      }
+      disconnect() {
+        this.stopPing();
+        if (this.retryTimer) {
+          clearTimeout(this.retryTimer);
+          this.retryTimer = null;
+        }
+        this.disconnecting = true;
+        this.reconnecting = false;
+        this.ws?.close();
+      }
+    };
+  }
+});
+
+// src/cli/entry.js
+var { Command } = require("commander");
+var fs = require("fs");
+var path = require("path");
+var os = require("os");
+var { execSync } = require("child_process");
+var { generateFingerprint: generateFingerprint2, SKILL_CONTENT: SKILL_CONTENT2 } = (init_shared(), __toCommonJS(shared_exports));
+var { HumanEnvClient: HumanEnvClient2 } = (init_ws_manager(), __toCommonJS(ws_manager_exports));
+var CREDENTIALS_DIR = path.join(os.homedir(), ".humanenv");
+var isJson = process.argv.includes("--json") || process.argv.includes("-j");
+var cleanArgs = process.argv.slice(2).filter((a) => a !== "--json" && a !== "-j");
+var hasCmd = ["auth", "get", "set", "server"].some((c) => cleanArgs.includes(c));
+var wantsHelp = cleanArgs.includes("--help") || cleanArgs.includes("-h");
+if (wantsHelp && isJson) {
+  const commandName = cleanArgs.find((a) => ["auth", "get", "set", "server"].includes(a));
+  const commandsConfig = {
+    "auth": {
+      command: "auth",
+      description: "Authenticate with a HumanEnv server",
+      usage: "humanenv auth [options]",
+      options: [
+        { flags: "--project-name <name>", description: "Project name", required: false, optional: true, shorthand: "pn" },
+        { flags: "--pn <name>", description: "Project name (shorthand)", required: false, optional: true, shorthand: null },
+        { flags: "--server-url <url>", description: "Server URL", required: false, optional: true, shorthand: "su" },
+        { flags: "--su <url>", description: "Server URL (shorthand)", required: false, optional: true, shorthand: null },
+        { flags: "--api-key <key>", description: "API key (optional)", required: false, optional: true, shorthand: null },
+        { flags: "--generate-api-key", description: "Request a new API key from the server", required: false, optional: false, shorthand: null },
+        { flags: "-h, --help", description: "Display help", required: false, optional: false, shorthand: "h" }
+      ],
+      arguments: []
+    },
+    "get": {
+      command: "get",
+      description: "Retrieve an environment variable",
+      usage: "humanenv get <key>",
+      options: [
+        { flags: "-h, --help", description: "Display help", required: false, optional: false, shorthand: "h" }
+      ],
+      arguments: [{ name: "key", required: true, description: "Environment variable key" }]
+    },
+    "set": {
+      command: "set",
+      description: "Set an environment variable",
+      usage: "humanenv set <key> <value>",
+      options: [
+        { flags: "-h, --help", description: "Display help", required: false, optional: false, shorthand: "h" }
+      ],
+      arguments: [
+        { name: "key", required: true, description: "Environment variable key" },
+        { name: "value", required: true, description: "Environment variable value" }
+      ]
+    },
+    "server": {
+      command: "server",
+      description: "Start the HumanEnv admin server",
+      usage: "humanenv server [options]",
+      options: [
+        { flags: "--port <port>", description: "Port to listen on (default: 3056)", required: false, optional: true, shorthand: null },
+        { flags: "--basicAuth", description: "Enable basic auth for admin UI", required: false, optional: false, shorthand: null },
+        { flags: "-h, --help", description: "Display help", required: false, optional: false, shorthand: "h" }
+      ],
+      arguments: []
+    }
+  };
+  if (commandName && commandsConfig[commandName]) {
+    console.log(JSON.stringify(commandsConfig[commandName], null, 2));
+  } else {
+    console.log(JSON.stringify({
+      command: "humanenv",
+      description: "Secure environment variable injection",
+      usage: "humanenv [command] [options]",
+      commands: ["auth", "get", "set", "server"],
+      options: [
+        { flags: "--json", description: "Output in JSON format" },
+        { flags: "-j", description: "Shorthand for --json" },
+        { flags: "-h, --help", description: "Display help" }
+      ]
+    }, null, 2));
+  }
+  process.exit(0);
+}
+function errJson(code, msg, hint, extras) {
+  return JSON.stringify(Object.assign(
+    { success: false, code, error: msg },
+    hint ? { hint } : {},
+    extras || {}
+  ), null, 2);
+}
+function failJson(code, msg, hint, extras) {
+  if (isJson) {
+    console.error(errJson(code, msg, hint, extras));
+  } else {
+    console.error("Error:", msg);
+    if (hint) console.error("Hint:", hint);
+  }
+  process.exit(1);
+}
+if (!hasCmd && !wantsHelp) {
+  ensureSkillFile();
+  const sp = path.join(process.cwd(), ".agents", "skills", "humanenv-usage", "SKILL.md");
+  const creds = readCredentials();
+  const fp = generateFingerprint2();
+  if (!process.stdout.isTTY || isJson) {
+    if (fs.existsSync(sp)) console.log(fs.readFileSync(sp, "utf8"));
+    console.log("");
+    if (creds.projectName && creds.serverUrl) {
+      console.error(JSON.stringify({
+        code: "AUTH_STATUS",
+        status: "credentials_found",
+        fingerprint: fp,
+        projectName: creds.projectName,
+        serverUrl: creds.serverUrl,
+        step: "Run humanenv auth to connect, then ask the admin to whitelist your fingerprint in the dashboard."
+      }));
+    } else {
+      console.error(JSON.stringify({
+        code: "NOT_AUTHENTICATED",
+        fingerprint: fp,
+        step: "Run: humanenv auth --project-name <name> --server-url <url>  (shorthand: --pn / --su)"
+      }));
+    }
+  } else {
+    console.log("HumanEnv - Secure environment variable injection");
+    console.log("");
+    console.log("Your fingerprint:", fp);
+    console.log("Share this with the project admin to whitelist.");
+    if (creds.serverUrl) console.log("Admin UI:", creds.serverUrl);
+    console.log("");
+    if (creds.projectName && creds.serverUrl) {
+      console.log("Credentials configured:");
+      console.log("  projectName:", creds.projectName);
+      console.log("  serverUrl:", creds.serverUrl);
+      console.log("");
+      console.log("Next steps:");
+      console.log("  1. Run:  humanenv auth");
+      console.log("  2. Admin whitelists your fingerprint in the dashboard at", creds.serverUrl);
+      console.log("  3. Start using:  humanenv get <key>");
+    } else {
+      console.log("Usage:");
+      console.log("  humanenv auth  --project-name <name> --server-url <url> [--api-key <key>]");
+      console.log("  humanenv get   <key>");
+      console.log("  humanenv set   <key> <value>");
+      console.log("  humanenv server [--port 3056] [--basicAuth]");
+    }
+    console.log("");
+    console.log("Aliases:");
+    console.log("  --pn  short for --project-name");
+    console.log("  --su  short for --server-url");
+    console.log("  --json  structured JSON output (agent-friendly)");
+    console.log("");
+  }
+  process.exit(0);
+}
+function ensureSkillFile() {
+  const sp = path.join(process.cwd(), ".agents", "skills", "humanenv-usage", "SKILL.md");
+  if (!fs.existsSync(sp)) {
+    fs.mkdirSync(path.dirname(sp), { recursive: true });
+    fs.writeFileSync(sp, SKILL_CONTENT2, "utf8");
+  }
+  return sp;
+}
+function readCredentials() {
+  const p = path.join(CREDENTIALS_DIR, "credentials.json");
+  if (!fs.existsSync(p)) return {};
+  try {
+    return JSON.parse(fs.readFileSync(p, "utf8"));
+  } catch {
+    return {};
+  }
+}
+function writeCredentials(d) {
+  if (!fs.existsSync(CREDENTIALS_DIR)) fs.mkdirSync(CREDENTIALS_DIR, { recursive: true });
+  fs.writeFileSync(path.join(CREDENTIALS_DIR, "credentials.json"), JSON.stringify(d, null, 2), "utf8");
+}
+function sleep(ms) {
+  return new Promise((r) => setTimeout(r, ms));
+}
+var pName = (o) => o.projectName || o.pn;
+var pUrl = (o) => o.serverUrl || o.su;
+var nameOpt = ["--project-name <name>", "Project name"];
+var urlOpt = ["--server-url <url>", "Server URL"];
+var pnOpt = ["--pn <name>", "Project name (shorthand)"];
+var suOpt = ["--su <url>", "Server URL (shorthand)"];
+async function runAuth(opts) {
+  ensureSkillFile();
+  const projectName = pName(opts);
+  const serverUrl = pUrl(opts);
+  if (!projectName || !serverUrl) {
+    failJson(
+      "MISSING_ARGS",
+      "--project-name and --server-url are required",
+      "Run: humanenv auth --project-name <name> --server-url <url>  (shorthand: --pn / --su)"
+    );
+    return;
+  }
+  writeCredentials({ projectName, serverUrl, apiKey: opts.apiKey || void 0 });
+  if (opts.generateApiKey) {
+    const client2 = new HumanEnvClient2({ serverUrl, projectName, projectApiKey: opts.apiKey || "", maxRetries: 1 });
+    try {
+      await client2.connect();
+      const key = await client2.generateApiKey();
+      if (isJson) console.error(errJson("API_KEY_GENERATED", "API key generated.", null, { success: true, apiKey: key }));
+      else console.log("API key generated:", key);
+    } catch (e) {
+      const fingerprint2 = generateFingerprint2();
+      failJson(
+        "GENERATE_API_KEY_FAILED",
+        `API key generation failed: ${e.message}`,
+        "Ensure the server is running, the project exists, and an admin is online to approve.",
+        { fingerprint: fingerprint2, projectName, serverUrl }
+      );
+    } finally {
+      client2.disconnect();
+    }
+    return;
+  }
+  let client = new HumanEnvClient2({ serverUrl, projectName, projectApiKey: opts.apiKey || "", maxRetries: 1 });
+  try {
+    await client.connect();
+  } catch (e) {
+    const fingerprint2 = generateFingerprint2();
+    let hint = "Re-run auth to retry.";
+    if (/ECONNREFUSED|ENOTFOUND/i.test(e.message)) {
+      hint = `Start the server first:  humanenv server   (or check --server-url)`;
+    } else if (/project.*not.*found/i.test(e.message)) {
+      hint = `Create the project first via the admin UI at ${serverUrl}`;
+    } else if (/api.*key.*invalid/i.test(e.message)) {
+      hint = "Re-run auth with --generate-api-key to request a new key from the admin.";
+    }
+    failJson(
+      "AUTH_FAILED",
+      `Auth failed: ${e.message}`,
+      hint,
+      { fingerprint: fingerprint2, projectName, serverUrl }
+    );
+  }
+  if (client.whitelistStatus === "approved") {
+    if (isJson) {
+      console.error(errJson("AUTH_OK", "Authentication successful.", null, { success: true, whitelisted: true }));
+    } else {
+      console.log("Authentication successful.");
+    }
+    if (client) client.disconnect();
+    return;
+  }
+  const fingerprint = generateFingerprint2();
+  if (process.stdout.isTTY && !isJson) {
+    console.log("Auth OK, not whitelisted yet.");
+    console.log("Fingerprint:", fingerprint);
+    console.log("Waiting for admin approval... (120s timeout, Ctrl+C to abort)");
+    let attempts = 0;
+    while (attempts < 120) {
+      attempts++;
+      await sleep(1e3);
+      try {
+        if (client) client.disconnect();
+        await sleep(100);
+        client = new HumanEnvClient2({ serverUrl, projectName, projectApiKey: opts.apiKey || "", maxRetries: 1 });
+        await client.connect();
+        if (client.whitelistStatus === "approved") {
+          console.log("\nApproved. You can now use humanenv get/set.");
+          return;
+        }
+      } catch {
+      }
+    }
+    console.log("\nTimed out waiting for approval.");
+    console.log("To approve manually: open the admin UI at " + serverUrl);
+    console.log("Then go to the Whitelist tab and approve fingerprint:", fingerprint);
+    return;
+  }
+  if (isJson) {
+    console.error(errJson(
+      "AUTH_PENDING",
+      "Auth OK but not whitelisted yet.",
+      `Share this fingerprint with the admin to approve it.`,
+      {
+        success: true,
+        whitelisted: false,
+        fingerprint,
+        projectName,
+        serverUrl,
+        step: "admin_must_approve_whitelist"
+      }
+    ));
+  } else {
+    console.log("Auth OK, not whitelisted yet.");
+    console.log("Fingerprint:", fingerprint);
+    console.log("Share this with the admin to approve it.");
+  }
+  if (client) client.disconnect();
+}
+function resolveCreds(opts) {
+  const st = readCredentials();
+  const projectName = pName(opts) || st.projectName;
+  const serverUrl = pUrl(opts) || st.serverUrl;
+  if (!projectName || !serverUrl) {
+    failJson(
+      "NOT_AUTHENTICATED",
+      "No credentials found.",
+      "Run: humanenv auth --project-name <name> --server-url <url>  (or pass --pn / --su per-command)",
+      { tip: "You can also set HUMANENV_PROJECT_NAME and HUMANENV_SERVER_URL env vars." }
+    );
+  }
+  return {
+    projectName,
+    serverUrl,
+    apiKey: opts.apiKey || st.apiKey || "",
+    fingerprint: generateFingerprint2()
+  };
+}
+var program = new Command();
+program.command("auth").description("Authenticate with a HumanEnv server").option(...nameOpt).option(...pnOpt).option(...urlOpt).option(...suOpt).option("--api-key <key>", "API key (optional)").option("--generate-api-key", "Request a new API key from the server").action(async (o) => {
+  await runAuth(o);
+});
+program.command("get").description("Retrieve an environment variable").argument("<key>", "Environment variable key").option(...nameOpt).option(...pnOpt).option(...urlOpt).option(...suOpt).action(async (key, opts) => {
+  const c = resolveCreds(opts);
+  const cli = new HumanEnvClient2({
+    serverUrl: c.serverUrl,
+    projectName: c.projectName,
+    projectApiKey: c.apiKey || "",
+    maxRetries: 3
+  });
+  try {
+    await cli.connect();
+    const value = await cli.get(key);
+    if (isJson) {
+      console.error(JSON.stringify({ success: true, code: "ENV_RETRIEVED", key, hasValue: !!value }, null, 2));
+      process.stdout.write(value);
+    } else if (!process.stdout.isTTY) {
+      process.stdout.write(value);
+    } else {
+      console.log(value);
+    }
+  } catch (e) {
+    const fingerprint = c.fingerprint;
+    let hint = null;
+    let code = "GET_FAILED";
+    if (/whitelist/i.test(e.message) || /not.*approved/i.test(e.message)) {
+      code = "CLIENT_NOT_WHITELISTED";
+      hint = `Run humanenv auth to submit your fingerprint. Then ask the admin to approve it at ${c.serverUrl}`;
+    } else if (/api.?mode/i.test(e.message)) {
+      code = "ENV_API_MODE_ONLY";
+      hint = "This env flag is API-mode only: use the SDK (await humanenv.get()) instead of CLI.";
+    } else if (/not.*found|key.*not.*exist/i.test(e.message)) {
+      code = "ENV_KEY_NOT_FOUND";
+      hint = `Key "${key}" does not exist. Create it via humanenv set or the admin UI.`;
+    } else if (/ECONNREFUSED|ENOTFOUND/i.test(e.message)) {
+      hint = `Start the server first: humanenv server  (or verify ${c.serverUrl})`;
+    } else if (/timeout/i.test(e.message)) {
+      hint = "Server took too long to respond. Check network connectivity.";
+    } else if (/invalid.*api.*key/i.test(e.message)) {
+      hint = "Your API key may have expired. Run humanenv auth --generate-api-key for a new one.";
+    }
+    failJson(
+      code,
+      `Failed to get env: ${e.message}`,
+      hint,
+      { key, fingerprint, projectName: c.projectName, serverUrl: c.serverUrl }
+    );
+  } finally {
+    cli.disconnect();
+  }
+});
+program.command("set").description("Set an environment variable").argument("<key>", "Environment variable key").argument("<value>", "Environment variable value").option(...nameOpt).option(...pnOpt).option(...urlOpt).option(...suOpt).action(async (key, value, opts) => {
+  const c = resolveCreds(opts);
+  const cli = new HumanEnvClient2({
+    serverUrl: c.serverUrl,
+    projectName: c.projectName,
+    projectApiKey: c.apiKey || "",
+    maxRetries: 3
+  });
+  try {
+    await cli.connect();
+    await cli.set(key, value);
+    if (isJson) {
+      console.error(JSON.stringify({ success: true, code: "ENV_SET", key }, null, 2));
+    } else {
+      console.log("Set", key);
+    }
+  } catch (e) {
+    const fingerprint = c.fingerprint;
+    let hint = null;
+    let code = "SET_FAILED";
+    if (/whitelist/i.test(e.message) || /not.*approved/i.test(e.message)) {
+      code = "CLIENT_NOT_WHITELISTED";
+      hint = `Run humanenv auth to submit your fingerprint. Then ask the admin to approve it at ${c.serverUrl}`;
+    } else if (/ECONNREFUSED|ENOTFOUND/i.test(e.message)) {
+      hint = `Start the server first: humanenv server  (or verify ${c.serverUrl})`;
+    } else if (/timeout/i.test(e.message)) {
+      hint = "Server took too long to respond. Check network connectivity.";
+    }
+    failJson(
+      code,
+      `Failed to set env: ${e.message}`,
+      hint,
+      { key, fingerprint, projectName: c.projectName, serverUrl: c.serverUrl }
+    );
+  } finally {
+    cli.disconnect();
+  }
+});
+program.command("server").description("Start the HumanEnv admin server").option("--port <port>", "Port to listen on (default: 3056)").option("--basicAuth", "Enable basic auth for admin UI").action((opts) => {
+  const args = [];
+  if (opts.port) args.push("--port", opts.port);
+  if (opts.basicAuth) args.push("--basicAuth");
+  try {
+    execSync(
+      `npx tsx ${path.join(__dirname, "..", "..", "server", "src", "index.ts")} ${args.join(" ")}`,
+      { stdio: "inherit" }
+    );
+  } catch {
+    try {
+      execSync(
+        `node ${path.join(__dirname, "..", "..", "server", "dist", "index.js")} ${args.join(" ")}`,
+        { stdio: "inherit" }
+      );
+    } catch {
+      failJson(
+        "SERVER_NOT_FOUND",
+        "Server binary not found.",
+        "Install humanenv-server or run from the monorepo."
+      );
+    }
+  }
+});
+program.parse(["node", "humanenv", ...cleanArgs]);