@agentuity/cli 0.1.13 → 0.1.15

package/src/cmd/build/webanalytics-generator.ts

@@ -114,6 +114,9 @@ import type { AnalyticsConfig } from './analytics-config';
 // Inject analytics config and script into HTML
 // Note: Only static config is injected (org, project, devmode, tracking options)
 // Session and thread IDs are read from cookies by the beacon script
+//
+// In production: beacon is served from CDN as a hashed asset (injected by Vite build)
+// In development: beacon is served from /_agentuity/webanalytics/analytics.js route
 export function injectAnalytics(html: string, analyticsConfig: AnalyticsConfig): string {
 	if (!analyticsConfig.enabled) return html;
 
@@ -132,7 +135,17 @@ export function injectAnalytics(html: string, analyticsConfig: AnalyticsConfig):
 	const configScript = \`<script>window.__AGENTUITY_ANALYTICS__=\${JSON.stringify(pageConfig)};</script>\`;
 	// Session script sets cookies and window.__AGENTUITY_SESSION__ (dynamic, not cached)
 	const sessionScript = '<script src="/_agentuity/webanalytics/session.js" async></script>';
-	// Beacon script - must be sync (not async/defer) to patch history API before the router loads
+
+	// In production, the beacon is already in HTML as a CDN asset (data-agentuity-beacon marker)
+	// Inject config/session BEFORE the beacon marker so config exists when beacon runs
+	const beaconMarker = '<script data-agentuity-beacon';
+	if (html.includes(beaconMarker)) {
+		// Production: inject config/session right before the beacon script
+		const injection = configScript + sessionScript;
+		return html.replace(beaconMarker, injection + beaconMarker);
+	}
+
+	// Development: beacon served from local route, inject all three scripts
 	const beaconScript = '<script src="/_agentuity/webanalytics/analytics.js"></script>';
 	const injection = configScript + sessionScript + beaconScript;
 
@@ -167,15 +180,18 @@ export function registerAnalyticsRoutes(app: ReturnType<typeof createRouter>): v
 		});
 	});
 
-	// Static beacon script - can be cached
-	app.get('/_agentuity/webanalytics/analytics.js', async (c: Context) => {
-		return new Response(BEACON_SCRIPT, {
-			headers: {
-				'Content-Type': 'application/javascript; charset=utf-8',
-				'Cache-Control': 'public, max-age=3600',
-			},
+	// Dev mode only: serve beacon script from local route
+	// In production, the beacon is served from CDN as a hashed asset
+	if (runtimeIsDevMode()) {
+		app.get('/_agentuity/webanalytics/analytics.js', async (c: Context) => {
+			return new Response(BEACON_SCRIPT, {
+				headers: {
+					'Content-Type': 'application/javascript; charset=utf-8',
+					'Cache-Control': 'no-store, no-cache, must-revalidate',
+				},
+			});
 		});
-	});
+	}
 }
 `;
 }

package/src/cmd/cloud/db/get.ts

@@ -12,6 +12,8 @@ const DBGetResponseSchema = z
 		name: z.string().describe('Database name'),
 		description: z.string().optional().describe('Database description'),
 		url: z.string().optional().describe('Database connection URL'),
+		org_id: z.string().optional().describe('Organization ID that owns this database'),
+		org_name: z.string().optional().describe('Organization name that owns this database'),
 	})
 	.or(
 		z.object({
@@ -175,6 +177,9 @@ export const getSubcommand = createSubcommand({
 			const tableData: Record<string, string> = {
 				Name: tui.bold(db.name),
 			};
+			if (db.org_name || db.org_id) {
+				tableData['Organization'] = db.org_name || db.org_id;
+			}
 			if (db.description) {
 				tableData['Description'] = db.description;
 			}
@@ -192,6 +197,8 @@ export const getSubcommand = createSubcommand({
 			name: db.name,
 			description: db.description ?? undefined,
 			url: db.url ?? undefined,
+			org_id: db.org_id,
+			org_name: db.org_name,
 		};
 	},
 });

package/src/cmd/cloud/db/list.ts

@@ -13,6 +13,8 @@ const DBListResponseSchema = z.object({
 				description: z.string().optional().describe('Database description'),
 				url: z.string().optional().describe('Database connection URL'),
 				cloud_region: z.string().optional().describe('Cloud region where database is hosted'),
+				org_id: z.string().optional().describe('Organization ID that owns this database'),
+				org_name: z.string().optional().describe('Organization name that owns this database'),
 			})
 		)
 		.describe('List of database resources'),
@@ -65,6 +67,10 @@ export const listSubcommand = createSubcommand({
 		const shouldShowCredentials = opts.showCredentials === true;
 		const shouldMask = !options.json && !shouldShowCredentials;
 
+		// Check if resources span multiple orgs
+		const uniqueOrgIds = new Set(resources.db.map((db) => db.org_id));
+		const showOrgColumn = uniqueOrgIds.size > 1;
+
 		if (!options.json) {
 			if (resources.db.length === 0) {
 				tui.info('No databases found');
@@ -73,12 +79,18 @@ export const listSubcommand = createSubcommand({
 					console.log(db.name);
 				}
 			} else {
-				const tableData = resources.db.map((db) => ({
-					Name: db.name,
-					Description: db.description ?? '',
-					Region: db.cloud_region,
-					URL: db.url ? (shouldMask ? tui.maskSecret(db.url) : db.url) : '',
-				}));
+				const tableData = resources.db.map((db) => {
+					const row: Record<string, string> = {
+						Name: db.name,
+					};
+					if (showOrgColumn) {
+						row.Organization = db.org_name || db.org_id;
+					}
+					row.Description = db.description ?? '';
+					row.Region = db.cloud_region;
+					row.URL = db.url ? (shouldMask ? tui.maskSecret(db.url) : db.url) : '';
+					return row;
+				});
 				tui.table(tableData);
 			}
 		}
@@ -89,6 +101,8 @@ export const listSubcommand = createSubcommand({
 				description: db.description ?? undefined,
 				url: db.url ?? undefined,
 				cloud_region: db.cloud_region,
+				org_id: db.org_id,
+				org_name: db.org_name,
 			})),
 		};
 	},

package/src/cmd/cloud/deploy.ts

@@ -121,7 +121,38 @@ export const deploySubcommand = createSubcommand({
 	},
 
 	async handler(ctx) {
-		const { project, apiClient, projectDir, config, options, logger, opts } = ctx;
+		let { project } = ctx;
+		const { apiClient, projectDir, config, options, logger, opts, auth } = ctx;
+
+		// Verify project access and offer import if needed
+		const { reconcileProject } = await import('../project/reconcile');
+		const { isTTY } = await import('../../auth');
+
+		const reconcileResult = await reconcileProject({
+			dir: projectDir,
+			auth,
+			apiClient,
+			config: config!,
+			logger,
+			interactive: isTTY(),
+		});
+
+		if (reconcileResult.status === 'error') {
+			tui.fatal(reconcileResult.message!, ErrorCode.PROJECT_NOT_FOUND);
+		}
+
+		if (reconcileResult.status === 'skipped') {
+			tui.fatal(
+				'Project must be registered with Agentuity Cloud to deploy.',
+				ErrorCode.PROJECT_NOT_FOUND
+			);
+		}
+
+		if (reconcileResult.status === 'imported' && reconcileResult.project) {
+			// Project was imported - use the new project config
+			project = reconcileResult.project;
+			tui.newline();
+		}
 
 		// Initialize build report collector if reportFile is specified
 		const collector = new BuildReportCollector();

package/src/cmd/cloud/deployment/show.ts

@@ -19,6 +19,7 @@ const DeploymentShowResponseSchema = z.object({
 	resourceStorage: z.string().nullable().optional().describe('the storage name'),
 	deploymentLogsURL: z.string().nullable().optional().describe('the url to the deployment logs'),
 	buildLogsURL: z.string().nullable().optional().describe('the url to the build logs'),
+	dnsRecords: z.array(z.string()).optional().describe('DNS records for custom domains'),
 	metadata: z
 		.object({
 			git: z
@@ -124,6 +125,9 @@ export const showSubcommand = createSubcommand({
 				if (deployment.buildLogsURL) {
 					tableData['Build Logs'] = tui.link(deployment.buildLogsURL);
 				}
+				if (deployment.dnsRecords && deployment.dnsRecords.length > 0) {
+					tableData['DNS Records'] = deployment.dnsRecords.join(', ');
+				}
 
 				tui.table([tableData], Object.keys(tableData), { layout: 'vertical', padStart: '  ' });
 
@@ -190,6 +194,7 @@ export const showSubcommand = createSubcommand({
 				resourceStorage: deployment.resourceStorage ?? undefined,
 				deploymentLogsURL: deployment.deploymentLogsURL ?? undefined,
 				buildLogsURL: deployment.buildLogsURL ?? undefined,
+				dnsRecords: deployment.dnsRecords ?? undefined,
 			};
 		} catch (ex) {
 			tui.fatal(`Failed to show deployment: ${ex}`);

package/src/cmd/cloud/index.ts

@@ -15,6 +15,7 @@ import apikeyCommand from './apikey';
 import streamCommand from './stream';
 import vectorCommand from './vector';
 import sandboxCommand from './sandbox';
+import { regionSubcommand } from './region';
 import { getCommand } from '../../command-prefix';
 
 export const command = createCommand({
@@ -24,6 +25,7 @@ export const command = createCommand({
 	examples: [
 		{ command: getCommand('cloud deploy'), description: 'Deploy your agent to the cloud' },
 		{ command: getCommand('cloud deployment list'), description: 'List all deployments' },
+		{ command: getCommand('cloud region select'), description: 'Set default region' },
 	],
 	subcommands: [
 		apikeyCommand,
@@ -42,5 +44,6 @@ export const command = createCommand({
 		sshSubcommand,
 		scpSubcommand,
 		deploymentCommand,
+		regionSubcommand,
 	],
 });

package/src/cmd/cloud/region/index.ts

@@ -0,0 +1,157 @@
+import { z } from 'zod';
+import { createSubcommand, createCommand } from '../../../types';
+import { getCommand } from '../../../command-prefix';
+import { saveRegion, clearRegion } from '../../../config';
+import * as tui from '../../../tui';
+
+const selectCommand = createSubcommand({
+	name: 'select',
+	description: 'Set the default cloud region for all commands',
+	tags: ['fast', 'requires-auth'],
+	requires: { auth: true, regions: true },
+	examples: [
+		{ command: getCommand('cloud region select'), description: 'Select default region' },
+		{
+			command: getCommand('cloud region select usc'),
+			description: 'Set specific region as default',
+		},
+	],
+	schema: {
+		args: z.object({
+			region: z.string().optional().describe('Region code to set as default'),
+		}),
+		response: z.object({
+			region: z.string().describe('The selected region code'),
+			description: z.string().describe('The region description'),
+		}),
+	},
+
+	async handler(ctx) {
+		const { regions, args, options } = ctx;
+
+		let selectedRegion = args.region;
+
+		if (selectedRegion) {
+			const region = regions.find((r) => r.region === selectedRegion);
+			if (!region) {
+				const available = regions.map((r) => r.region).join(', ');
+				tui.fatal(`Region '${selectedRegion}' not found. Available regions: ${available}`);
+			}
+		} else {
+			if (!process.stdin.isTTY) {
+				tui.fatal(
+					'Region code required in non-interactive mode. Usage: ' +
+						getCommand('cloud region select <region>')
+				);
+			}
+
+			if (regions.length === 1) {
+				selectedRegion = regions[0].region;
+			} else {
+				const response = await tui.createPrompt().select<string>({
+					message: 'Select a default region',
+					options: regions.map((r) => ({
+						value: r.region,
+						label: `${r.description} ${tui.muted(`(${r.region})`)}`,
+					})),
+				});
+				selectedRegion = response;
+			}
+		}
+
+		await saveRegion(selectedRegion);
+
+		const selectedRegionInfo = regions.find((r) => r.region === selectedRegion)!;
+
+		if (!options.json) {
+			tui.success(
+				`Default region set to ${tui.bold(selectedRegionInfo.description)} (${selectedRegion})`
+			);
+		}
+
+		return { region: selectedRegion, description: selectedRegionInfo.description };
+	},
+});
+
+const unselectCommand = createSubcommand({
+	name: 'unselect',
+	description: 'Clear the default region preference',
+	tags: ['fast'],
+	examples: [
+		{ command: getCommand('cloud region unselect'), description: 'Clear default region' },
+	],
+	schema: {
+		response: z.object({
+			cleared: z.boolean().describe('Whether the preference was cleared'),
+		}),
+	},
+
+	async handler(ctx) {
+		const { options, config } = ctx;
+
+		const hadRegion = !!config?.preferences?.region;
+
+		if (hadRegion && process.stdin.isTTY) {
+			const confirmed = await tui.confirm('Clear default region preference?', true);
+			if (!confirmed) {
+				if (!options.json) {
+					tui.info('Cancelled');
+				}
+				return { cleared: false };
+			}
+		}
+
+		await clearRegion();
+
+		if (!options.json) {
+			if (hadRegion) {
+				tui.success('Default region cleared');
+			} else {
+				tui.info('No default region was set');
+			}
+		}
+
+		return { cleared: hadRegion };
+	},
+});
+
+const currentCommand = createSubcommand({
+	name: 'current',
+	description: 'Show the current default region',
+	tags: ['read-only', 'fast'],
+	idempotent: true,
+	examples: [
+		{ command: getCommand('cloud region current'), description: 'Show default region' },
+		{
+			command: getCommand('cloud region current --json'),
+			description: 'Show output in JSON format',
+		},
+	],
+	schema: {
+		response: z.string().nullable().describe('The current region code or null if not set'),
+	},
+
+	async handler(ctx) {
+		const { options, config } = ctx;
+		const region = config?.preferences?.region || null;
+
+		if (!options.json) {
+			if (region) {
+				console.log(region);
+			}
+		}
+
+		return region;
+	},
+});
+
+export const regionSubcommand = createCommand({
+	name: 'region',
+	description: 'Manage default cloud region preference',
+	tags: ['fast'],
+	examples: [
+		{ command: getCommand('cloud region select'), description: 'Set default region' },
+		{ command: getCommand('cloud region current'), description: 'Show current default' },
+	],
+	subcommands: [selectCommand, unselectCommand, currentCommand],
+});

package/src/cmd/cloud/sandbox/snapshot/build.ts

@@ -1,6 +1,6 @@
 import { z } from 'zod';
 import { resolve, join, extname } from 'node:path';
-import { existsSync, statSync } from 'node:fs';
+import { existsSync, statSync, createReadStream, createWriteStream } from 'node:fs';
 import { YAML } from 'bun';
 import * as tar from 'tar';
 import { createCommand } from '../../../../types';
@@ -14,8 +14,9 @@ import {
 import type { SnapshotFileInfo } from '@agentuity/server';
 import { getCatalystAPIClient } from '../../../../config';
 import { validateAptDependencies } from '../../../../utils/apt-validator';
+import { encryptFIPSKEMDEMStream } from '../../../../crypto/box';
 import { tmpdir } from 'node:os';
-import { randomUUID, createHash } from 'node:crypto';
+import { randomUUID, createHash, createPublicKey } from 'node:crypto';
 import { rm } from 'node:fs/promises';
 
 export const SNAPSHOT_TAG_REGEX = /^[a-zA-Z0-9][a-zA-Z0-9._-]*$/;
@@ -575,6 +576,7 @@ export const buildSubcommand = createCommand({
 						description: finalDescription,
 						contentHash,
 						force: opts.force,
+						encrypt: true,
 						orgId,
 					});
 				},
@@ -609,19 +611,54 @@ export const buildSubcommand = createCommand({
 				};
 			}
 
+			// Encrypt the archive if public key is provided
+			let uploadPath = archivePath;
+			let uploadSize = archiveSize;
+
+			if (initResult.publicKey) {
+				const encryptedPath = join(tempDir, 'snapshot.tar.gz.enc');
+
+				await tui.spinner({
+					message: 'Encrypting snapshot...',
+					type: 'simple',
+					clearOnSuccess: true,
+					callback: async () => {
+						const publicKey = createPublicKey({
+							key: initResult.publicKey!,
+							format: 'pem',
+							type: 'spki',
+						});
+
+						const src = createReadStream(archivePath);
+						const dst = createWriteStream(encryptedPath);
+
+						await encryptFIPSKEMDEMStream(publicKey, src, dst);
+
+						await new Promise<void>((resolve, reject) => {
+							dst.once('finish', resolve);
+							dst.once('error', reject);
+							dst.end();
+						});
+					},
+				});
+
+				uploadPath = encryptedPath;
+				uploadSize = Bun.file(encryptedPath).size;
+			}
+
 			await tui.spinner({
 				message: 'Uploading snapshot...',
 				type: 'progress',
 				clearOnSuccess: true,
 				callback: async (updateProgress) => {
-					const archiveBuffer = await archiveFile.arrayBuffer();
+					const uploadFile = Bun.file(uploadPath);
 					const response = await fetch(initResult.uploadUrl!, {
 						method: 'PUT',
 						headers: {
 							'Content-Type': 'application/gzip',
-							'Content-Length': String(archiveSize),
+							'Content-Length': String(uploadSize),
 						},
-						body: archiveBuffer,
+						body: uploadFile,
 					});
 
 					if (!response.ok) {

package/src/cmd/cloud/scp/download.ts

@@ -52,7 +52,7 @@ export const downloadCommand = createSubcommand({
 	},
 
 	async handler(ctx) {
-		const { apiClient, args, opts, project, projectDir, config, logger, auth, orgId } = ctx;
+		const { apiClient, args, opts, project, projectDir, config, logger, auth } = ctx;
 
 		let identifier = opts?.identifier ?? project?.projectId;
 
@@ -60,8 +60,12 @@ export const downloadCommand = createSubcommand({
 			identifier = await tui.showProjectList(apiClient, true);
 		}
 
-		// Look up region from identifier (project/deployment)
+		// Look up region from identifier (project/deployment/sandbox)
 		const profileName = config?.name;
+
+		// For sandbox identifiers, use saved org preference (no prompting)
+		const orgId = identifier.startsWith('sbx_') ? config?.preferences?.orgId : undefined;
+
 		const region = await getIdentifierRegion(
 			logger,
 			auth,

package/src/cmd/cloud/scp/upload.ts

@@ -55,7 +55,7 @@ export const uploadCommand = createSubcommand({
 	prerequisites: ['cloud deploy'],
 
 	async handler(ctx) {
-		const { apiClient, args, opts, project, projectDir, config, logger, auth, orgId } = ctx;
+		const { apiClient, args, opts, project, projectDir, config, logger, auth } = ctx;
 
 		let identifier = opts?.identifier ?? project?.projectId;
 
@@ -63,8 +63,12 @@ export const uploadCommand = createSubcommand({
 			identifier = await tui.showProjectList(apiClient, true);
 		}
 
-		// Look up region from identifier (project/deployment)
+		// Look up region from identifier (project/deployment/sandbox)
 		const profileName = config?.name;
+
+		// For sandbox identifiers, use saved org preference (no prompting)
+		const orgId = identifier.startsWith('sbx_') ? config?.preferences?.orgId : undefined;
+
 		const region = await getIdentifierRegion(
 			logger,
 			auth,

package/src/cmd/cloud/ssh.ts

@@ -46,7 +46,7 @@ export const sshSubcommand = createSubcommand({
 	schema: { args, options },
 
 	async handler(ctx) {
-		const { apiClient, project, projectDir, args, config, opts, logger, auth, orgId } = ctx;
+		const { apiClient, project, projectDir, args, config, opts, logger, auth } = ctx;
 
 		let projectId = project?.projectId;
 		let identifier = args?.identifier;
@@ -70,6 +70,10 @@ export const sshSubcommand = createSubcommand({
 		// Look up region from identifier (project/deployment/sandbox)
 		const profileName = config?.name;
 		const targetIdentifier = identifier ?? projectId!;
+
+		// For sandbox identifiers, use saved org preference (no prompting)
+		const orgId = targetIdentifier.startsWith('sbx_') ? config?.preferences?.orgId : undefined;
+
 		const region = await getIdentifierRegion(
 			logger,
 			auth,

package/src/cmd/cloud/storage/get.ts

@@ -13,6 +13,8 @@ const StorageGetResponseSchema = z.object({
 	secret_key: z.string().optional().describe('S3 secret key'),
 	region: z.string().optional().describe('S3 region'),
 	endpoint: z.string().optional().describe('S3 endpoint URL'),
+	org_id: z.string().optional().describe('Organization ID that owns this bucket'),
+	org_name: z.string().optional().describe('Organization name that owns this bucket'),
 });
 
 export const getSubcommand = createSubcommand({
@@ -100,24 +102,27 @@ export const getSubcommand = createSubcommand({
 		const shouldMask = !options.json && !shouldShowCredentials;
 
 		if (!options.json) {
-			console.log(tui.bold('Bucket Name: ') + bucket.bucket_name);
+			console.log(tui.bold('Bucket Name:  ') + bucket.bucket_name);
+			if (bucket.org_name || bucket.org_id) {
+				console.log(tui.bold('Organization: ') + (bucket.org_name || bucket.org_id));
+			}
 			if (bucket.access_key) {
 				const displayAccessKey = shouldMask
 					? tui.maskSecret(bucket.access_key)
 					: bucket.access_key;
-				console.log(tui.bold('Access Key:  ') + displayAccessKey);
+				console.log(tui.bold('Access Key:   ') + displayAccessKey);
 			}
 			if (bucket.secret_key) {
 				const displaySecretKey = shouldMask
 					? tui.maskSecret(bucket.secret_key)
 					: bucket.secret_key;
-				console.log(tui.bold('Secret Key:  ') + displaySecretKey);
+				console.log(tui.bold('Secret Key:   ') + displaySecretKey);
 			}
 			if (bucket.region) {
-				console.log(tui.bold('Region:      ') + bucket.region);
+				console.log(tui.bold('Region:       ') + bucket.region);
 			}
 			if (bucket.endpoint) {
-				console.log(tui.bold('Endpoint:    ') + bucket.endpoint);
+				console.log(tui.bold('Endpoint:     ') + bucket.endpoint);
 			}
 		}
 
@@ -127,6 +132,8 @@ export const getSubcommand = createSubcommand({
 			secret_key: bucket.secret_key ?? undefined,
 			region: bucket.region ?? undefined,
 			endpoint: bucket.endpoint ?? undefined,
+			org_id: bucket.org_id,
+			org_name: bucket.org_name,
 		};
 	},
 });

package/src/cmd/cloud/storage/list.ts

@@ -18,6 +18,8 @@ const StorageListResponseSchema = z.object({
 				region: z.string().optional().describe('S3 region'),
 				endpoint: z.string().optional().describe('S3 endpoint URL'),
 				cloud_region: z.string().optional().describe('Cloud region where bucket is hosted'),
+				org_id: z.string().optional().describe('Organization ID that owns this bucket'),
+				org_name: z.string().optional().describe('Organization name that owns this bucket'),
 			})
 		)
 		.optional()
@@ -189,6 +191,10 @@ export const listSubcommand = createSubcommand({
 		const shouldShowCredentials = opts.showCredentials === true;
 		const shouldMask = !options.json && !shouldShowCredentials;
 
+		// Check if resources span multiple orgs
+		const uniqueOrgIds = new Set(resources.s3.map((s3) => s3.org_id));
+		const showOrgColumn = uniqueOrgIds.size > 1;
+
 		if (!options.json) {
 			if (resources.s3.length === 0) {
 				tui.info('No storage buckets found');
@@ -203,6 +209,9 @@ export const listSubcommand = createSubcommand({
 						continue;
 					}
 					console.log(tui.bold(s3.bucket_name));
+					if (showOrgColumn) {
+						console.log(` Organization: ${tui.muted(s3.org_name || s3.org_id)}`);
+					}
 					if (s3.access_key) {
 						const displayAccessKey = shouldMask
 							? tui.maskSecret(s3.access_key)
@@ -230,6 +239,8 @@ export const listSubcommand = createSubcommand({
 				region: s3.region ?? undefined,
 				endpoint: s3.endpoint ?? undefined,
 				cloud_region: s3.cloud_region,
+				org_id: s3.org_id,
+				org_name: s3.org_name,
 			})),
 		};
 	},