feat(cli): add execution engine with project, auth, and execute commands

[pyramation]

feat(cli): add execution engine with project, auth, and execute commands

Summary

This PR adds an execution engine to the cnc CLI that enables agents and users to make GraphQL requests against Constructive APIs. The implementation includes:

Config Management (src/config/):

• Uses appstash for standardized config storage at ~/.cnc/
• Project configs store domain, subdomain, and endpoints for all 5 APIs (public, admin, auth, private, app)
• Credentials stored separately with 0o600 file permissions

New Commands:

• cnc project init|list|use|info|delete - Manage project configurations
• cnc auth set-token|status|logout - Manage API tokens per project
• cnc execute - Execute JSON protocol operations with auto-routing to correct API

Lightweight SDK Client (src/sdk/):

• GraphQL client that mirrors the SDK patterns
• Operation builders for queries/mutations (findMany, findFirst, create, update, delete)
• JSON Protocol executor with model-to-API routing (e.g., database → public, membership → admin, user → auth)

Updates since last revision

• Password masking for token input: The cnc auth set-token command now uses type: 'password' instead of type: 'text', so tokens are masked with asterisks while typing. This requires the new password input type from inquirerer (see dev-utils PR #58).

Review & Testing Checklist for Human

• Verify inquirerer password type is available - This PR depends on the password input type from dev-utils PR modules #58. Ensure that PR is merged and inquirerer is updated before this can work correctly.
• Verify model-to-API routing in src/sdk/executor.ts - The MODEL_API_MAP makes assumptions about which models belong to which API. Confirm these mappings match the actual Constructive API structure.
• Verify endpoint URL generation in src/config/types.ts - The generateEndpoints() function assumes URL patterns like https://public-{subdomain}.{domain}/graphql. Confirm this matches production.
• Test credential storage security - Verify that ~/.cnc/config/credentials.json is created with mode 0o600 (owner read/write only).
• Manual test the commands - Run through the basic flow:

  cnc project init my-app --domain constructive.io
  cnc auth set-token  # Should now mask input with asterisks
  cnc execute --model database --action findMany --first 5

Recommended Test Plan:

1. Install the CLI locally and run cnc project init to create a project
2. Set a real API token with cnc auth set-token and verify input is masked
3. Try cnc execute against a real Constructive API to verify the GraphQL client works
4. Check ~/.cnc/config/ to verify file structure and permissions

Notes

• No automated tests are included for the new functionality - manual testing is required
• The lockfile has formatting changes due to pnpm version differences (not functional changes)
• OAuth login flow is not implemented - only manual token setting via cnc auth set-token
• Password masking depends on inquirerer password type from dev-utils PR modules #58

Link to Devin run: https://app.devin.ai/sessions/041b1d6074a549febda2c95195f1e758
Requested by: Dan Lynch (@pyramation)

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring