studiograph 1.3.3 → 1.3.4

package/dist/cli/commands/sync.js

@@ -2,25 +2,33 @@
  * studiograph pull / push commands
  *
  * Pull and push changes across the workspace:
- *   - the .studiograph config repo
- *   - each entity repo that has a github_url and is cloned locally
+ *   - the .studiograph config repo (if it has a git remote)
+ *   - each entity collection that is a git repo with a remote
+ *
+ * Works with both GitHub remotes and the embedded git server.
  */
 import { Command } from 'commander';
-import { log, outro } from '@clack/prompts';
-import { existsSync } from 'fs';
+import { log, outro, text, password as passwordPrompt } from '@clack/prompts';
+import { existsSync, mkdirSync, readdirSync, readFileSync, writeFileSync } from 'fs';
 import { join } from 'path';
 import { Workspace } from '../../core/workspace.js';
-import { gitPull, gitPush, gitStashPop } from '../../utils/git.js';
-import { resolveConflicts } from '../../utils/merge-resolver.js';
+import { AuthService } from '../../services/auth-service.js';
+import { ConnectorManager } from '../../mcp/connector-manager.js';
+import { gitPull, gitPush, gitPushWithCredentials, gitSetRemote, gitHasRemote } from '../../utils/git.js';
 async function getRepoEntries(workspace, workspaceRoot) {
     const entries = [];
     // The .studiograph config directory is itself a git repo (when GitHub-provisioned)
-    entries.push({ name: '.studiograph', path: join(workspaceRoot, '.studiograph') });
+    const configPath = join(workspaceRoot, '.studiograph');
+    if (isGitRepo(configPath) && gitHasRemote(configPath)) {
+        entries.push({ name: '.studiograph', path: configPath });
+    }
     const config = await workspace.loadConfig();
     for (const repo of config.repos) {
-        if (!repo.github_url)
-            continue; // no remote configured — skip
+        if (repo.private)
+            continue; // private repos are local-only
         const repoPath = join(workspaceRoot, repo.path);
+        if (!isGitRepo(repoPath) || !gitHasRemote(repoPath))
+            continue;
         entries.push({ name: repo.name, path: repoPath });
     }
     return entries;
@@ -29,47 +37,148 @@ function isGitRepo(path) {
     return existsSync(path) && existsSync(join(path, '.git'));
 }
 /**
- * Print per-file resolution summaries after conflict resolution.
+ * Print manual resolution guidance when pull has diverged.
  */
-function logResolutions(entryName, resolution) {
-    if (resolution.resolutions.length === 0)
+function logManualGuidance(entryPath) {
+    log.info(`     cd ${entryPath} && git pull --rebase`);
+}
+async function pullRemoteConfig(remoteUrl) {
+    const workspace = new Workspace();
+    if (!workspace.isWorkspace()) {
+        console.error('❌ Not a Studiograph workspace. Run `studiograph init` first.');
+        process.exit(1);
         return;
-    const resolvedCount = resolution.resolutions.filter(r => r.resolved).length;
-    if (resolution.success) {
-        log.success(`${entryName}: updated (${resolvedCount} conflict${resolvedCount === 1 ? '' : 's'} resolved)`);
-        for (const r of resolution.resolutions) {
-            if (r.resolved) {
-                log.info(`     ${r.file} — ${r.summary}`);
-            }
+    }
+    const base = remoteUrl.replace(/\/+$/, '');
+    // Prompt for admin credentials
+    const email = await text({ message: 'Admin email:', validate: (v) => v.includes('@') ? undefined : 'Enter a valid email' });
+    if (typeof email === 'symbol') {
+        outro('Cancelled');
+        process.exit(0);
+        return;
+    }
+    const password = await passwordPrompt({ message: 'Password:' });
+    if (typeof password === 'symbol') {
+        outro('Cancelled');
+        process.exit(0);
+        return;
+    }
+    // Login to get session token
+    log.info('Authenticating...');
+    let token;
+    try {
+        const loginRes = await fetch(`${base}/api/auth/login`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ email, password }),
+        });
+        if (!loginRes.ok) {
+            const body = await loginRes.json().catch(() => ({}));
+            outro(`Login failed: ${body.error || loginRes.statusText}`);
+            process.exit(1);
+            return;
         }
+        const cookies = loginRes.headers.getSetCookie?.() ?? [];
+        const tokenCookie = cookies.find(c => c.startsWith('__sg_token='));
+        if (!tokenCookie) {
+            outro('Login succeeded but no session cookie was returned');
+            process.exit(1);
+            return;
+        }
+        token = tokenCookie.split(';')[0];
+    }
+    catch (err) {
+        outro(`Could not connect to ${base}: ${err.message}`);
+        process.exit(1);
+        return;
     }
-    else {
-        const failed = resolution.resolutions.filter(r => !r.resolved);
-        log.warn(`${entryName}: ${failed.length} conflict${failed.length === 1 ? '' : 's'} could not be resolved`);
-        for (const r of resolution.resolutions) {
-            if (!r.resolved) {
-                log.info(`     ${r.file} — ${r.summary ?? 'unresolved'}`);
+    // Fetch config bundle (fall back to auth seed for older servers)
+    log.info('Fetching workspace config...');
+    const workspaceRoot = workspace.getWorkspacePath();
+    const sgDir = join(workspaceRoot, '.studiograph');
+    try {
+        const bundleRes = await fetch(`${base}/api/config/bundle`, {
+            headers: { 'Cookie': token },
+        });
+        if (bundleRes.ok) {
+            const bundle = await bundleRes.json();
+            // 1. Auth seed
+            writeFileSync(join(sgDir, 'auth-seed.json'), JSON.stringify(bundle.authSeed, null, 2), 'utf-8');
+            const authService = new AuthService(sgDir);
+            authService.applySeed();
+            authService.close();
+            log.success(`Team: ${bundle.authSeed.users.length} user${bundle.authSeed.users.length === 1 ? '' : 's'}`);
+            // 2. Workspace config — merge: keep local-only fields (server_url), update shared fields
+            if (bundle.workspace) {
+                const local = await workspace.loadConfig().catch(() => ({}));
+                const merged = { ...local, ...bundle.workspace };
+                if (local.server_url)
+                    merged.server_url = local.server_url;
+                writeFileSync(join(sgDir, 'workspace.json'), JSON.stringify(merged, null, 2), 'utf-8');
+                log.success(`Workspace config: ${bundle.workspace.repos?.length ?? 0} collection${(bundle.workspace.repos?.length ?? 0) === 1 ? '' : 's'}`);
             }
-            else {
-                log.info(`     ${r.file} — ${r.summary} (resolved, but rebase aborted)`);
+            // 3. ABOUT.md
+            if (bundle.about !== null && bundle.about !== undefined) {
+                writeFileSync(join(sgDir, 'ABOUT.md'), bundle.about, 'utf-8');
+                log.success('Workspace identity (ABOUT.md)');
+            }
+            // 4. Sources
+            const sourceNames = Object.keys(bundle.sources ?? {});
+            if (sourceNames.length > 0) {
+                const sourcesDir = join(sgDir, 'sources');
+                mkdirSync(sourcesDir, { recursive: true });
+                for (const [name, def] of Object.entries(bundle.sources)) {
+                    writeFileSync(join(sourcesDir, `${name}.json`), JSON.stringify(def, null, 2), 'utf-8');
+                }
+                log.success(`Sources: ${sourceNames.join(', ')}`);
+            }
+            // 5. Connectors (sanitized — no secrets)
+            if (bundle.connectors && bundle.connectors.length > 0) {
+                const connectorsDir = join(sgDir, 'connectors');
+                mkdirSync(connectorsDir, { recursive: true });
+                for (const conn of bundle.connectors) {
+                    writeFileSync(join(connectorsDir, `${conn.name}.json`), JSON.stringify(conn, null, 2), 'utf-8');
+                }
+                log.success(`Connectors: ${bundle.connectors.map(c => c.name).join(', ')}`);
+            }
+            outro(`Pulled config from ${base}`);
+        }
+        else if (bundleRes.status === 404) {
+            // Older server — fall back to auth seed only
+            log.info('Server does not support config bundle, falling back to auth seed...');
+            const seedRes = await fetch(`${base}/api/auth/seed`, { headers: { 'Cookie': token } });
+            if (!seedRes.ok) {
+                const body = await seedRes.json().catch(() => ({}));
+                outro(`Failed to fetch seed: ${body.error || seedRes.statusText}`);
+                process.exit(1);
+                return;
             }
+            const seed = await seedRes.json();
+            writeFileSync(join(sgDir, 'auth-seed.json'), JSON.stringify(seed, null, 2), 'utf-8');
+            const authService = new AuthService(sgDir);
+            authService.applySeed();
+            authService.close();
+            outro(`Pulled ${seed.users.length} user${seed.users.length === 1 ? '' : 's'} from ${base}`);
+        }
+        else {
+            const body = await bundleRes.json().catch(() => ({}));
+            outro(`Failed: ${body.error || bundleRes.statusText}`);
+            process.exit(1);
         }
     }
-}
-/**
- * Print manual resolution guidance for a failed conflict.
- */
-function logManualGuidance(entryPath) {
-    log.info('');
-    log.info('   To resolve manually:');
-    log.info(`     cd ${entryPath}`);
-    log.info('     git status');
-    log.info('     # edit conflicted files, then: git add <file> && git rebase --continue');
+    catch (err) {
+        outro(`Failed: ${err.message}`);
+        process.exit(1);
+    }
 }
 // ─── pull ─────────────────────────────────────────────────────────────────────
 export const pullCommand = new Command('pull')
     .description('Pull latest changes from remote across the workspace')
-    .action(async () => {
+    .option('--remote <url>', 'Pull config from a remote Studiograph server')
+    .action(async (opts) => {
+    if (opts.remote) {
+        return pullRemoteConfig(opts.remote);
+    }
     const workspace = new Workspace();
     if (!workspace.isWorkspace()) {
         console.error('❌ Not a Studiograph workspace. Run `studiograph init` first.');
@@ -77,50 +186,132 @@ export const pullCommand = new Command('pull')
         return;
     }
     const workspaceRoot = workspace.getWorkspacePath();
-    const entries = await getRepoEntries(workspace, workspaceRoot);
     let hasConflict = false;
     let hasError = false;
-    for (const entry of entries) {
-        if (!existsSync(entry.path)) {
-            log.info(`${entry.name}: skipped (not cloned locally)`);
-            continue;
+    // Preserve server_url before pulling — it's local-only and gets overwritten
+    // when git pull brings down the config repo's workspace.json (which never has it).
+    const prePullConfig = await workspace.loadConfig().catch(() => ({}));
+    const savedServerUrl = prePullConfig.server_url;
+    // ── Step 1: pull .studiograph first so workspace.json is up to date ──────
+    const configPath = join(workspaceRoot, '.studiograph');
+    if (isGitRepo(configPath) && gitHasRemote(configPath)) {
+        try {
+            const result = gitPull(configPath);
+            if (result === 'updated') {
+                log.success('.studiograph: updated');
+            }
+            else if (result === 'up-to-date') {
+                log.info('.studiograph: already up to date');
+            }
         }
-        if (!isGitRepo(entry.path)) {
-            log.info(`${entry.name}: skipped (not a git collection)`);
+        catch (error) {
+            log.error(`.studiograph: ${error instanceof Error ? error.message : 'Unknown error'}`);
+            hasError = true;
+        }
+    }
+    // ── Step 2: reload config — picks up any new collections added server-side ─
+    // Must use a fresh Workspace instance — loadConfig() caches this.config on
+    // first call, so the original instance would return stale data after the pull.
+    const freshWorkspace = new Workspace(workspaceRoot);
+    const config = await freshWorkspace.loadConfig();
+    // Re-apply server_url if the pull overwrote it (config repo never stores it).
+    if (savedServerUrl && !config.server_url) {
+        config.server_url = savedServerUrl;
+        freshWorkspace.writeConfig(config);
+    }
+    const serverUrl = (config.server_url ?? savedServerUrl)?.replace(/\/+$/, '');
+    // ── Step 3: pull or clone each collection ────────────────────────────────
+    // Resolve git credentials for the embedded server:
+    //   1. Stored JWT from `studiograph join` — per-user access control (preferred)
+    //   2. API key from auth-seed.json — admin access (fallback for workspace owners)
+    let serverGitCredentials;
+    if (serverUrl) {
+        // Try stored JWT first (saved by studiograph join)
+        const serverAuthPath = join(workspaceRoot, '.studiograph', 'server-auth.json');
+        if (existsSync(serverAuthPath)) {
+            try {
+                const serverAuth = JSON.parse(readFileSync(serverAuthPath, 'utf-8'));
+                if (serverAuth.email && serverAuth.jwtToken) {
+                    serverGitCredentials = { username: serverAuth.email, password: serverAuth.jwtToken };
+                }
+            }
+            catch { /* non-fatal */ }
+        }
+        // Fall back to API key (used by workspace owners who set up with `studiograph serve`)
+        if (!serverGitCredentials) {
+            try {
+                const seedPath = join(workspaceRoot, '.studiograph', 'auth-seed.json');
+                if (existsSync(seedPath)) {
+                    const seed = JSON.parse(readFileSync(seedPath, 'utf-8'));
+                    const apiKey = seed.apiKey;
+                    if (apiKey)
+                        serverGitCredentials = { username: '_apikey_', password: apiKey };
+                }
+            }
+            catch { /* non-fatal */ }
+        }
+    }
+    for (const repo of config.repos) {
+        if (repo.private)
+            continue;
+        const repoPath = join(workspaceRoot, repo.path);
+        // New collection — directory missing or exists but isn't a git repo (e.g. failed clone)
+        if (!isGitRepo(repoPath)) {
+            const cloneUrl = serverUrl ? `${serverUrl}/git/${repo.name}` : null;
+            if (!cloneUrl) {
+                log.warn(`${repo.name}: new collection has no remote — skipping`);
+                continue;
+            }
+            try {
+                const { gitClone } = await import('../../utils/git.js');
+                const { rmSync } = await import('fs');
+                // Remove any leftover empty/partial directory from a previous failed clone
+                if (existsSync(repoPath))
+                    rmSync(repoPath, { recursive: true, force: true });
+                mkdirSync(repoPath, { recursive: true });
+                gitClone(cloneUrl, repoPath, { silent: true, credentials: serverGitCredentials });
+                log.success(`${repo.name}: cloned`);
+            }
+            catch (error) {
+                log.error(`${repo.name}: clone failed — ${error instanceof Error ? error.message : 'Unknown error'}`);
+                hasError = true;
+            }
             continue;
         }
+        // Existing collection — pull if it has a remote
+        if (!isGitRepo(repoPath) || !gitHasRemote(repoPath))
+            continue;
         try {
-            const result = gitPull(entry.path, { abortOnConflict: false });
+            const result = gitPull(repoPath, { credentials: serverGitCredentials });
             if (result === 'updated') {
-                log.success(`${entry.name}: updated`);
+                log.success(`${repo.name}: updated`);
             }
             else if (result === 'up-to-date') {
-                log.info(`${entry.name}: already up to date`);
+                log.info(`${repo.name}: already up to date`);
             }
             else {
-                // Conflict — attempt resolution
-                const resolution = await resolveConflicts(entry.path, (msg) => log.info(msg));
-                gitStashPop(entry.path); // restore any auto-stashed local changes
-                if (resolution.success) {
-                    logResolutions(entry.name, resolution);
-                }
-                else if (resolution.resolutions.length > 0) {
-                    logResolutions(entry.name, resolution);
-                    logManualGuidance(entry.path);
-                    hasConflict = true;
-                }
-                else {
-                    log.warn(`${entry.name}: conflict — resolve manually in ${entry.path}`);
-                    logManualGuidance(entry.path);
-                    hasConflict = true;
-                }
+                log.warn(`${repo.name}: diverged — has local commits not on the server`);
+                logManualGuidance(repoPath);
+                hasConflict = true;
             }
         }
         catch (error) {
-            log.error(`${entry.name}: ${error instanceof Error ? error.message : 'Unknown error'}`);
+            log.error(`${repo.name}: ${error instanceof Error ? error.message : 'Unknown error'}`);
             hasError = true;
         }
     }
+    // Apply auth seed if it was updated by pulling .studiograph
+    const seedPath = join(workspaceRoot, '.studiograph', 'auth-seed.json');
+    if (existsSync(seedPath)) {
+        try {
+            const authService = new AuthService(join(workspaceRoot, '.studiograph'));
+            authService.applySeed();
+            authService.close();
+        }
+        catch {
+            // Non-fatal — seed apply can fail if DB is locked by running server
+        }
+    }
     if (hasConflict) {
         outro('⚠️  Pull complete with conflicts. Resolve them, then run `studiograph push`.');
         process.exit(1);
@@ -130,10 +321,156 @@ export const pullCommand = new Command('pull')
         process.exit(1);
     }
 });
+// ─── Remote config push ─────────────────────────────────────────────────────
+async function pushRemoteConfig(remoteUrl) {
+    const workspace = new Workspace();
+    if (!workspace.isWorkspace()) {
+        console.error('❌ Not a Studiograph workspace. Run `studiograph init` first.');
+        process.exit(1);
+        return;
+    }
+    const base = remoteUrl.replace(/\/+$/, '');
+    const workspaceRoot = workspace.getWorkspacePath();
+    const sgDir = join(workspaceRoot, '.studiograph');
+    // Prompt for admin credentials
+    const email = await text({ message: 'Admin email:', validate: (v) => v.includes('@') ? undefined : 'Enter a valid email' });
+    if (typeof email === 'symbol') {
+        outro('Cancelled');
+        process.exit(0);
+        return;
+    }
+    const password = await passwordPrompt({ message: 'Password:' });
+    if (typeof password === 'symbol') {
+        outro('Cancelled');
+        process.exit(0);
+        return;
+    }
+    // Login
+    log.info('Authenticating...');
+    let token;
+    try {
+        const loginRes = await fetch(`${base}/api/auth/login`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ email, password }),
+        });
+        if (!loginRes.ok) {
+            const body = await loginRes.json().catch(() => ({}));
+            outro(`Login failed: ${body.error || loginRes.statusText}`);
+            process.exit(1);
+            return;
+        }
+        const cookies = loginRes.headers.getSetCookie?.() ?? [];
+        const tokenCookie = cookies.find(c => c.startsWith('__sg_token='));
+        if (!tokenCookie) {
+            outro('Login succeeded but no session cookie was returned');
+            process.exit(1);
+            return;
+        }
+        token = tokenCookie.split(';')[0];
+    }
+    catch (err) {
+        outro(`Could not connect to ${base}: ${err.message}`);
+        process.exit(1);
+        return;
+    }
+    // Build config bundle from local workspace
+    log.info('Building config bundle...');
+    const config = await workspace.loadConfig();
+    const about = workspace.loadAbout();
+    // Auth seed
+    let authSeed;
+    const seedPath = join(sgDir, 'auth-seed.json');
+    if (existsSync(seedPath)) {
+        try {
+            authSeed = JSON.parse(readFileSync(seedPath, 'utf-8'));
+        }
+        catch { /* skip */ }
+    }
+    // Sources
+    const sources = {};
+    const sourcesDir = join(sgDir, 'sources');
+    if (existsSync(sourcesDir)) {
+        for (const entry of readdirSync(sourcesDir)) {
+            if (!entry.endsWith('.json'))
+                continue;
+            try {
+                sources[entry.replace('.json', '')] = JSON.parse(readFileSync(join(sourcesDir, entry), 'utf-8'));
+            }
+            catch { /* skip */ }
+        }
+    }
+    // Connectors (workspace-level, already sanitized)
+    const connectors = ConnectorManager.loadWorkspaceConfigs(workspaceRoot);
+    const bundle = { workspace: config, about, authSeed, sources, connectors };
+    // Push to remote
+    log.info('Pushing config...');
+    try {
+        const res = await fetch(`${base}/api/config/bundle`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json', 'Cookie': token },
+            body: JSON.stringify(bundle),
+        });
+        if (!res.ok) {
+            const body = await res.json().catch(() => ({}));
+            outro(`Failed: ${body.error || res.statusText}`);
+            process.exit(1);
+            return;
+        }
+        const result = await res.json();
+        if (result.applied?.length) {
+            for (const item of result.applied) {
+                log.success(item);
+            }
+        }
+        outro(`Pushed config to ${base}`);
+    }
+    catch (err) {
+        outro(`Failed: ${err.message}`);
+        process.exit(1);
+    }
+}
+// ─── Server-aware push helpers ───────────────────────────────────────────────
+function makeBasicAuth(username, password) {
+    return 'Basic ' + Buffer.from(`${username}:${password}`).toString('base64');
+}
+async function serverFetch(serverUrl, path, authHeader) {
+    const res = await fetch(`${serverUrl}${path}`, {
+        headers: {
+            'Authorization': authHeader,
+            'Accept': 'application/json',
+        },
+    });
+    if (!res.ok) {
+        if (res.status === 401)
+            throw new Error('Invalid credentials');
+        const body = await res.json().catch(() => ({}));
+        throw new Error(body.error || `Server returned ${res.status}`);
+    }
+    return res.json();
+}
+async function ensureServerCollection(serverUrl, repoName, isPrivate, authHeader) {
+    const res = await fetch(`${serverUrl}/api/repos`, {
+        method: 'POST',
+        headers: { 'Authorization': authHeader, 'Content-Type': 'application/json' },
+        body: JSON.stringify({ name: repoName, ...(isPrivate ? { private: true } : {}) }),
+    });
+    if (res.ok)
+        return 'created';
+    if (res.status === 409)
+        return 'exists'; // already exists
+    const body = await res.json().catch(() => ({}));
+    throw new Error(body.error || `Failed to create collection "${repoName}": ${res.statusText}`);
+}
 // ─── push ─────────────────────────────────────────────────────────────────────
 export const pushCommand = new Command('push')
     .description('Push local commits to remote across the workspace')
-    .action(async () => {
+    .argument('[collection]', 'Push a specific collection (default: all)')
+    .option('--remote <url>', 'Push config to a remote Studiograph server')
+    .action(async (collection, opts) => {
+    if (opts.remote) {
+        return pushRemoteConfig(opts.remote);
+    }
     const workspace = new Workspace();
     if (!workspace.isWorkspace()) {
         console.error('❌ Not a Studiograph workspace. Run `studiograph init` first.');
@@ -141,41 +478,139 @@ export const pushCommand = new Command('push')
         return;
     }
     const workspaceRoot = workspace.getWorkspacePath();
-    const entries = await getRepoEntries(workspace, workspaceRoot);
-    let hasError = false;
-    for (const entry of entries) {
-        if (!existsSync(entry.path)) {
-            log.info(`${entry.name}: skipped (not cloned locally)`);
-            continue;
-        }
-        if (!isGitRepo(entry.path)) {
-            log.info(`${entry.name}: skipped (not a git collection)`);
-            continue;
+    const config = await workspace.loadConfig();
+    const serverUrl = config.server_url?.replace(/\/+$/, '');
+    // Build list of repos to push
+    let repos = config.repos.filter(r => !r.private || serverUrl); // include private only when pushing to server
+    if (collection) {
+        const match = repos.find(r => r.name === collection);
+        if (!match) {
+            log.error(`Collection "${collection}" not found in workspace.`);
+            process.exit(1);
+            return;
         }
+        repos = [match];
+    }
+    // Server-aware push: workspace has a server_url (set by `studiograph join`)
+    if (serverUrl) {
+        // Resolve credentials: JWT (per-user) → API key (admin) → prompt
+        let authHeader;
+        let gitCredentials;
+        // 1. Stored JWT from `studiograph join` (per-user access control)
+        const pushServerAuthPath = join(workspaceRoot, '.studiograph', 'server-auth.json');
         try {
-            let result = gitPush(entry.path);
-            // Auto pull-rebase and retry if remote has newer commits
-            if (result === 'rejected') {
-                log.info(`${entry.name}: remote has newer commits, pulling...`);
-                const pullResult = gitPull(entry.path, { abortOnConflict: false });
-                if (pullResult === 'conflict') {
-                    const resolution = await resolveConflicts(entry.path, (msg) => log.info(msg));
-                    gitStashPop(entry.path); // restore any auto-stashed local changes
-                    if (!resolution.success) {
-                        logResolutions(entry.name, resolution);
-                        logManualGuidance(entry.path);
-                        hasError = true;
-                        continue;
+            if (existsSync(pushServerAuthPath)) {
+                const sa = JSON.parse(readFileSync(pushServerAuthPath, 'utf-8'));
+                if (sa.email && sa.jwtToken) {
+                    authHeader = makeBasicAuth(sa.email, sa.jwtToken);
+                    gitCredentials = { username: sa.email, password: sa.jwtToken };
+                }
+            }
+        }
+        catch { /* non-fatal */ }
+        // 2. API key fallback (workspace owners who set up with `studiograph serve`)
+        if (!authHeader) {
+            try {
+                const seedPathPush = join(workspaceRoot, '.studiograph', 'auth-seed.json');
+                if (existsSync(seedPathPush)) {
+                    const seed = JSON.parse(readFileSync(seedPathPush, 'utf-8'));
+                    const pushApiKey = seed.apiKey;
+                    if (pushApiKey) {
+                        authHeader = makeBasicAuth('_apikey_', pushApiKey);
+                        gitCredentials = { username: '_apikey_', password: pushApiKey };
                     }
-                    logResolutions(entry.name, resolution);
                 }
-                // Retry push after successful pull
-                result = gitPush(entry.path);
+            }
+            catch { /* non-fatal */ }
+        }
+        // 3. Interactive credential prompt as last resort
+        if (!authHeader) {
+            const email = await text({ message: 'Email:', validate: (v) => v.includes('@') ? undefined : 'Enter a valid email' });
+            if (typeof email === 'symbol') {
+                outro('Cancelled');
+                process.exit(0);
+                return;
+            }
+            const pass = await passwordPrompt({ message: 'Password:' });
+            if (typeof pass === 'symbol') {
+                outro('Cancelled');
+                process.exit(0);
+                return;
+            }
+            authHeader = makeBasicAuth(String(email), String(pass));
+            gitCredentials = { username: String(email), password: String(pass) };
+        }
+        // All three branches above either set credentials or exit — this is a safety guard
+        if (!authHeader || !gitCredentials) {
+            outro('Could not resolve credentials');
+            process.exit(1);
+            return;
+        }
+        // Validate credentials
+        try {
+            await serverFetch(serverUrl, '/api/workspace', authHeader);
+        }
+        catch (err) {
+            outro(`Authentication failed: ${err.message}`);
+            process.exit(1);
+            return;
+        }
+        let hasError = false;
+        for (const repo of repos) {
+            const repoPath = join(workspaceRoot, repo.path);
+            if (!isGitRepo(repoPath)) {
+                log.warn(`${repo.name}: not a git repo, skipping`);
+                continue;
+            }
+            try {
+                // Ensure collection exists on server
+                const status = await ensureServerCollection(serverUrl, repo.name, !!repo.private, authHeader);
+                if (status === 'created') {
+                    log.info(`${repo.name}: created on server`);
+                }
+                // Set origin to server git URL
+                gitSetRemote(repoPath, `${serverUrl}/git/${repo.name}`);
+                // Push with credentials
+                let result = gitPushWithCredentials(repoPath, gitCredentials);
                 if (result === 'rejected') {
-                    log.warn(`${entry.name}: push still rejected after pull`);
+                    log.warn(`${repo.name}: push rejected — run \`studiograph pull\` first`);
                     hasError = true;
                     continue;
                 }
+                if (result === 'pushed') {
+                    log.success(`${repo.name}: pushed`);
+                }
+                else {
+                    log.info(`${repo.name}: nothing to push`);
+                }
+            }
+            catch (error) {
+                log.error(`${repo.name}: ${error instanceof Error ? error.message : 'Unknown error'}`);
+                hasError = true;
+            }
+        }
+        if (hasError) {
+            outro('Push completed with errors.');
+            process.exit(1);
+        }
+        return;
+    }
+    // Fallback: plain git push for repos that already have remotes
+    const entries = await getRepoEntries(workspace, workspaceRoot);
+    if (entries.length === 0) {
+        log.info('No collections with remotes to push to. Use `studiograph join` to connect to a server.');
+        return;
+    }
+    let hasError = false;
+    for (const entry of entries) {
+        if (collection && entry.name !== collection)
+            continue;
+        try {
+            let result = gitPush(entry.path);
+            if (result === 'rejected') {
+                log.warn(`${entry.name}: push rejected — run \`studiograph pull\` first`);
+                hasError = true;
+                continue;
             }
             if (result === 'pushed') {
                 log.success(`${entry.name}: pushed`);
@@ -190,7 +625,7 @@ export const pushCommand = new Command('push')
         }
     }
     if (hasError) {
-        outro('❌ Push failed for one or more collections.');
+        outro('Push failed for one or more collections.');
         process.exit(1);
     }
 });