@agentuity/cli 0.1.9 → 0.1.11

package/src/cmd/cloud/env/push.ts

@@ -2,18 +2,26 @@ import { z } from 'zod';
 import { createSubcommand } from '../../../types';
 import * as tui from '../../../tui';
 import { projectEnvUpdate } from '@agentuity/server';
-import { findExistingEnvFile, readEnvFile, filterAgentuitySdkKeys } from '../../../env-util';
+import {
+	findExistingEnvFile,
+	readEnvFile,
+	filterAgentuitySdkKeys,
+	splitEnvAndSecrets,
+	validateNoPublicSecrets,
+} from '../../../env-util';
 import { getCommand } from '../../../command-prefix';
 
 const EnvPushResponseSchema = z.object({
 	success: z.boolean().describe('Whether push succeeded'),
 	pushed: z.number().describe('Number of items pushed'),
+	envCount: z.number().describe('Number of env vars pushed'),
+	secretCount: z.number().describe('Number of secrets pushed'),
 	source: z.string().describe('Source file path'),
 });
 
 export const pushSubcommand = createSubcommand({
 	name: 'push',
-	description: 'Push environment variables from local .env file to cloud',
+	description: 'Push environment variables and secrets from local .env file to cloud',
 	tags: [
 		'mutating',
 		'updates-resource',
@@ -23,7 +31,7 @@ export const pushSubcommand = createSubcommand({
 		'requires-project',
 	],
 	idempotent: true,
-	examples: [{ command: getCommand('env push'), description: 'Run push command' }],
+	examples: [{ command: getCommand('env push'), description: 'Push all variables to cloud' }],
 	requires: { auth: true, project: true, apiClient: true },
 	prerequisites: ['env set'],
 	schema: {
@@ -33,36 +41,61 @@ export const pushSubcommand = createSubcommand({
 	async handler(ctx) {
 		const { apiClient, project, projectDir } = ctx;
 
-		// Read local env file (prefer .env)
+		// Read local env file
 		const envFilePath = await findExistingEnvFile(projectDir);
 		const localEnv = await readEnvFile(envFilePath);
 
-		// Filter out AGENTUITY_ prefixed keys (don't push SDK keys)
+		// Filter out reserved AGENTUITY_ prefixed keys
 		const filteredEnv = filterAgentuitySdkKeys(localEnv);
 
 		if (Object.keys(filteredEnv).length === 0) {
-			tui.warning('No environment variables to push');
+			tui.warning('No variables to push');
 			return {
 				success: false,
 				pushed: 0,
+				envCount: 0,
+				secretCount: 0,
 				source: envFilePath,
 			};
 		}
 
+		// Split into env and secrets based on key naming conventions
+		const { env, secrets } = splitEnvAndSecrets(filteredEnv);
+
+		// Check for any public vars that would have been treated as secrets
+		const publicSecretKeys = validateNoPublicSecrets(secrets);
+		if (publicSecretKeys.length > 0) {
+			tui.warning(
+				`Moving public variables to env: ${publicSecretKeys.join(', ')} (these are exposed to the frontend)`
+			);
+			for (const key of publicSecretKeys) {
+				delete secrets[key];
+				env[key] = filteredEnv[key];
+			}
+		}
+
 		// Push to cloud
-		await tui.spinner('Pushing environment variables to cloud', () => {
+		await tui.spinner('Pushing variables to cloud', () => {
 			return projectEnvUpdate(apiClient, {
 				id: project.projectId,
-				env: filteredEnv,
+				env,
+				secrets,
 			});
 		});
 
-		const count = Object.keys(filteredEnv).length;
-		tui.success(`Pushed ${count} environment variable${count !== 1 ? 's' : ''} to cloud`);
+		const envCount = Object.keys(env).length;
+		const secretCount = Object.keys(secrets).length;
+		const totalCount = envCount + secretCount;
+
+		tui.success(
+			`Pushed ${totalCount} variable${totalCount !== 1 ? 's' : ''} to cloud (${envCount} env, ${secretCount} secret${secretCount !== 1 ? 's' : ''})`
+		);
 
 		return {
 			success: true,
-			pushed: count,
+			pushed: totalCount,
+			envCount,
+			secretCount,
 			source: envFilePath,
 		};
 	},

package/src/cmd/cloud/env/set.ts

@@ -8,6 +8,9 @@ import {
 	writeEnvFile,
 	filterAgentuitySdkKeys,
 	looksLikeSecret,
+	isReservedAgentuityKey,
+	isPublicVarKey,
+	PUBLIC_VAR_PREFIXES,
 } from '../../../env-util';
 import { getCommand } from '../../../command-prefix';
 
@@ -15,64 +18,77 @@ const EnvSetResponseSchema = z.object({
 	success: z.boolean().describe('Whether the operation succeeded'),
 	key: z.string().describe('Environment variable key'),
 	path: z.string().describe('Local file path where env var was saved'),
+	secret: z.boolean().describe('Whether the value was stored as a secret'),
 });
 
 export const setSubcommand = createSubcommand({
 	name: 'set',
-	description: 'Set an environment variable',
+	description: 'Set an environment variable or secret',
 	tags: ['mutating', 'updates-resource', 'slow', 'requires-auth', 'requires-project'],
 	idempotent: true,
 	requires: { auth: true, project: true, apiClient: true },
 	examples: [
-		{ command: getCommand('env set NODE_ENV production'), description: 'Run production command' },
-		{ command: getCommand('env set PORT 3000'), description: 'Run 3000 command' },
-		{ command: getCommand('env set LOG_LEVEL debug'), description: 'Run debug command' },
+		{
+			command: getCommand('env set NODE_ENV production'),
+			description: 'Set environment variable',
+		},
+		{ command: getCommand('env set PORT 3000'), description: 'Set port number' },
+		{
+			command: getCommand('env set API_KEY "sk_..." --secret'),
+			description: 'Set a secret value',
+		},
 	],
 	schema: {
 		args: z.object({
 			key: z.string().describe('the environment variable key'),
 			value: z.string().describe('the environment variable value'),
 		}),
+		options: z.object({
+			secret: z
+				.boolean()
+				.default(false)
+				.describe('store as a secret (encrypted and masked in UI)'),
+		}),
 		response: EnvSetResponseSchema,
 	},
 
 	async handler(ctx) {
-		const { args, apiClient, project, projectDir } = ctx;
+		const { args, opts, apiClient, project, projectDir } = ctx;
+		let isSecret = opts?.secret ?? false;
+		const isPublic = isPublicVarKey(args.key);
 
-		// Validate key doesn't start with AGENTUITY_
-		if (args.key.startsWith('AGENTUITY_')) {
+		// Validate key doesn't start with reserved AGENTUITY_ prefix (except AGENTUITY_PUBLIC_)
+		if (isReservedAgentuityKey(args.key)) {
 			tui.fatal('Cannot set AGENTUITY_ prefixed variables. These are reserved for system use.');
 		}
 
-		// Detect if this looks like a secret
-		if (looksLikeSecret(args.key, args.value)) {
+		// Validate public vars cannot be secrets
+		if (isSecret && isPublic) {
+			tui.fatal(
+				`Cannot set public variables as secrets. Keys with prefixes (${PUBLIC_VAR_PREFIXES.join(', ')}) are exposed to the frontend.`
+			);
+		}
+
+		// Auto-detect if this looks like a secret and offer to store as secret
+		// Skip auto-detect for public vars since they can never be secrets
+		if (!isSecret && !isPublic && looksLikeSecret(args.key, args.value)) {
 			tui.warning(`The variable '${args.key}' looks like it should be a secret.`);
-			tui.info(`Secrets should be stored using: ${getCommand('secret set <key> <value>')}`);
-			tui.info('This keeps them more secure and properly masked in the cloud.');
 
-			const response = await tui.confirm(
-				'Do you still want to store this as a regular environment variable?',
-				false
-			);
+			const storeAsSecret = await tui.confirm('Store as a secret instead?', true);
 
-			if (!response) {
-				tui.info(
-					`Cancelled. Use "${getCommand('secret set')}" to store this as a secret instead.`
-				);
-				return {
-					success: false,
-					key: args.key,
-					path: '',
-				};
+			if (storeAsSecret) {
+				isSecret = true;
 			}
 		}
 
 		// Set in cloud
-		await tui.spinner('Setting environment variable in cloud', () => {
-			return projectEnvUpdate(apiClient, {
-				id: project.projectId,
-				env: { [args.key]: args.value },
-			});
+		const updatePayload = isSecret
+			? { id: project.projectId, secrets: { [args.key]: args.value } }
+			: { id: project.projectId, env: { [args.key]: args.value } };
+
+		const label = isSecret ? 'secret' : 'environment variable';
+		await tui.spinner(`Setting ${label} in cloud`, () => {
+			return projectEnvUpdate(apiClient, updatePayload);
 		});
 
 		// Update local .env file
@@ -84,12 +100,15 @@ export const setSubcommand = createSubcommand({
 		const filteredEnv = filterAgentuitySdkKeys(currentEnv);
 		await writeEnvFile(envFilePath, filteredEnv);
 
-		tui.success(`Environment variable '${args.key}' set successfully (cloud + ${envFilePath})`);
+		tui.success(
+			`${isSecret ? 'Secret' : 'Environment variable'} '${args.key}' set successfully (cloud + ${envFilePath})`
+		);
 
 		return {
 			success: true,
 			key: args.key,
 			path: envFilePath,
+			secret: isSecret,
 		};
 	},
 });

package/src/cmd/cloud/index.ts

@@ -11,7 +11,6 @@ import { deploymentCommand } from './deployment';
 import keyvalueCommand from './keyvalue';
 import { agentCommand } from './agent';
 import envCommand from './env';
-import secretCommand from './secret';
 import apikeyCommand from './apikey';
 import streamCommand from './stream';
 import vectorCommand from './vector';
@@ -34,7 +33,6 @@ export const command = createCommand({
 		vectorCommand,
 		sandboxCommand,
 		envCommand,
-		secretCommand,
 		deploySubcommand,
 		dbCommand,
 		redisCommand,

package/src/cmd/cloud/region-lookup.ts

@@ -0,0 +1,89 @@
+import type { Logger } from '@agentuity/core';
+import { projectGet, sandboxGet, deploymentGet, type APIClient } from '@agentuity/server';
+import { getResourceRegion, setResourceRegion } from '../../cache';
+import { getGlobalCatalystAPIClient } from '../../config';
+import type { AuthData } from '../../types';
+import * as tui from '../../tui';
+import { ErrorCode } from '../../errors';
+
+export type IdentifierType = 'project' | 'deployment' | 'sandbox';
+
+/**
+ * Determine the type of identifier based on its prefix
+ */
+export function getIdentifierType(identifier: string): IdentifierType {
+	if (identifier.startsWith('proj_')) {
+		return 'project';
+	}
+	if (identifier.startsWith('deploy_')) {
+		return 'deployment';
+	}
+	if (identifier.startsWith('sbx_')) {
+		return 'sandbox';
+	}
+	// Default to project for unknown prefixes
+	return 'project';
+}
+
+/**
+ * Look up the region for a project, deployment, or sandbox identifier.
+ * Uses cache-first strategy with API fallback.
+ */
+export async function getIdentifierRegion(
+	logger: Logger,
+	auth: AuthData,
+	apiClient: APIClient,
+	profileName = 'production',
+	identifier: string,
+	orgId?: string
+): Promise<string> {
+	const identifierType = getIdentifierType(identifier);
+
+	// For project, deployment, and sandbox, check cache first
+	const cachedRegion = await getResourceRegion(identifierType, profileName, identifier);
+	if (cachedRegion) {
+		logger.trace(`[region-lookup] Found cached region for ${identifier}: ${cachedRegion}`);
+		return cachedRegion;
+	}
+
+	logger.trace(`[region-lookup] Cache miss for ${identifier}, fetching from API`);
+
+	let region: string | null = null;
+
+	if (identifierType === 'project') {
+		const project = await projectGet(apiClient, { id: identifier, mask: true, keys: false });
+		region = project.cloudRegion ?? null;
+	} else if (identifierType === 'deployment') {
+		const deployment = await deploymentGet(apiClient, identifier);
+		region = deployment.cloudRegion ?? null;
+	} else {
+		// sandbox
+		const globalClient = await getGlobalCatalystAPIClient(logger, auth, profileName);
+		const sandbox = await sandboxGet(globalClient, { sandboxId: identifier, orgId });
+		region = sandbox.region ?? null;
+	}
+
+	if (!region) {
+		tui.fatal(
+			`Could not determine region for ${identifierType} '${identifier}'. Use --region flag to specify.`,
+			ErrorCode.RESOURCE_NOT_FOUND
+		);
+	}
+
+	// Cache the result
+	await setResourceRegion(identifierType, profileName, identifier, region);
+	logger.trace(`[region-lookup] Cached region for ${identifier}: ${region}`);
+
+	return region;
+}
+
+/**
+ * Cache the region for a project after creation
+ */
+export async function cacheProjectRegion(
+	profileName = 'production',
+	projectId: string,
+	region: string
+): Promise<void> {
+	await setResourceRegion('project', profileName, projectId, region);
+}

package/src/cmd/cloud/sandbox/cp.ts

@@ -3,7 +3,7 @@ import { readFileSync, writeFileSync, mkdirSync, statSync, readdirSync } from 'n
 import { dirname, resolve, basename, join, relative } from 'node:path';
 import { createCommand } from '../../../types';
 import * as tui from '../../../tui';
-import { createSandboxClient } from './util';
+import { getSandboxRegion, createSandboxClient } from './util';
 import { getCommand } from '../../../command-prefix';
 import {
 	sandboxWriteFiles,
@@ -47,7 +47,7 @@ export const cpSubcommand = createCommand({
 	aliases: ['copy'],
 	description: 'Copy files or directories to or from a sandbox',
 	tags: ['slow', 'requires-auth'],
-	requires: { auth: true, region: true, org: true },
+	requires: { auth: true, org: true },
 	examples: [
 		{
 			command: getCommand('cloud sandbox cp ./local-file.txt snbx_abc123:/path/to/file.txt'),
@@ -84,7 +84,7 @@ export const cpSubcommand = createCommand({
 	},
 
 	async handler(ctx) {
-		const { args, opts, options, auth, region, logger, orgId } = ctx;
+		const { args, opts, options, auth, logger, orgId, config } = ctx;
 
 		const source = parsePath(args.source);
 		const destination = parsePath(args.destination);
@@ -101,6 +101,8 @@ export const cpSubcommand = createCommand({
 			);
 		}
 
+		const sandboxId = source.sandboxId ?? destination.sandboxId!;
+		const region = await getSandboxRegion(logger, auth, config?.name, sandboxId, orgId);
 		const client = createSandboxClient(logger, auth, region);
 		const recursive = opts.recursive ?? false;
 

package/src/cmd/cloud/sandbox/create.ts

@@ -1,10 +1,12 @@
 import { z } from 'zod';
 import { createCommand } from '../../../types';
 import * as tui from '../../../tui';
-import { createSandboxClient, parseFileArgs } from './util';
+import { createSandboxClient, parseFileArgs, cacheSandboxRegion } from './util';
 import { getCommand } from '../../../command-prefix';
 import { sandboxCreate } from '@agentuity/server';
 import { StructuredError } from '@agentuity/core';
+import { validateAptDependencies } from '../../../utils/apt-validator';
+import { ErrorCode } from '../../../errors';
 
 const InvalidMetadataError = StructuredError(
 	'InvalidMetadataError',
@@ -47,10 +49,7 @@ export const createSubcommand = createCommand({
 	],
 	schema: {
 		options: z.object({
-			runtime: z
-				.string()
-				.optional()
-				.describe('Runtime name (e.g., "bun:1", "python:3.14")'),
+			runtime: z.string().optional().describe('Runtime name (e.g., "bun:1", "python:3.14")'),
 			runtimeId: z.string().optional().describe('Runtime ID (e.g., "srt_xxx")'),
 			name: z.string().optional().describe('Sandbox name'),
 			description: z.string().optional().describe('Sandbox description'),
@@ -78,10 +77,52 @@ export const createSubcommand = createCommand({
 	},
 
 	async handler(ctx) {
-		const { opts, options, auth, region, logger, orgId } = ctx;
+		const { opts, options, auth, region, config, logger, orgId } = ctx;
 		const client = createSandboxClient(logger, auth, region);
 		const started = Date.now();
 
+		// Validate apt dependencies before creating sandbox
+		if (opts.dependency && opts.dependency.length > 0) {
+			const aptValidation = await tui.spinner({
+				message: 'Validating apt dependencies...',
+				type: 'simple',
+				callback: async () => {
+					return await validateAptDependencies(opts.dependency!, region, config, logger);
+				},
+			});
+
+			if (aptValidation.invalid.length > 0) {
+				if (options.json) {
+					return {
+						sandboxId: '',
+						status: 'failed',
+						errors: aptValidation.invalid.map((pkg) => ({
+							type: 'invalid-apt-dependency',
+							package: pkg.package,
+							error: pkg.error,
+							searchUrl: pkg.searchUrl,
+							availableVersions: pkg.availableVersions,
+						})),
+					} as never;
+				}
+
+				tui.error('Invalid apt dependencies:');
+				tui.newline();
+				for (const pkg of aptValidation.invalid) {
+					tui.bullet(`${tui.bold(pkg.package)}: ${pkg.error}`);
+					if (pkg.availableVersions && pkg.availableVersions.length > 0) {
+						tui.muted(`    Available versions: ${pkg.availableVersions.join(', ')}`);
+					}
+					tui.muted(`    Search: ${tui.link(pkg.searchUrl)}`);
+				}
+				tui.newline();
+				tui.fatal(
+					'Fix the apt dependencies and try again. Search for valid packages at: https://packages.debian.org/stable/',
+					ErrorCode.CONFIG_INVALID
+				);
+			}
+		}
+
 		const envMap: Record<string, string> = {};
 		if (opts.env) {
 			for (const e of opts.env) {
@@ -134,6 +175,9 @@ export const createSubcommand = createCommand({
 			orgId,
 		});
 
+		// Cache the region for future lookups
+		await cacheSandboxRegion(config?.name, result.sandboxId, region);
+
 		if (!options.json) {
 			const duration = Date.now() - started;
 			tui.success(`created sandbox ${tui.bold(result.sandboxId)} in ${duration}ms`);

package/src/cmd/cloud/sandbox/delete.ts

@@ -1,7 +1,7 @@
 import { z } from 'zod';
 import { createCommand } from '../../../types';
 import * as tui from '../../../tui';
-import { createSandboxClient } from './util';
+import { getSandboxRegion, createSandboxClient, clearSandboxRegionCache } from './util';
 import { getCommand } from '../../../command-prefix';
 import { sandboxDestroy } from '@agentuity/server';
 
@@ -17,7 +17,7 @@ export const deleteSubcommand = createCommand({
 	aliases: ['del', 'remove', 'destroy'],
 	description: 'Delete a sandbox',
 	tags: ['destructive', 'deletes-resource', 'slow', 'requires-auth'],
-	requires: { auth: true, region: true, org: true },
+	requires: { auth: true, org: true },
 	idempotent: true,
 	examples: [
 		{
@@ -40,7 +40,7 @@ export const deleteSubcommand = createCommand({
 	},
 
 	async handler(ctx) {
-		const { args, options, opts, auth, region, logger, orgId } = ctx;
+		const { args, options, opts, auth, config, logger, orgId } = ctx;
 
 		if (!opts.confirm) {
 			const confirmed = await tui.confirm(`Delete sandbox "${args.sandboxId}"?`, false);
@@ -56,11 +56,14 @@ export const deleteSubcommand = createCommand({
 		}
 
 		const started = Date.now();
+		const region = await getSandboxRegion(logger, auth, config?.name, args.sandboxId, orgId);
 		const client = createSandboxClient(logger, auth, region);
 
 		await sandboxDestroy(client, { sandboxId: args.sandboxId, orgId });
 		const durationMs = Date.now() - started;
 
+		await clearSandboxRegionCache(config?.name, args.sandboxId);
+
 		if (!options.json) {
 			tui.success(`deleted sandbox ${tui.bold(args.sandboxId)} in ${durationMs}ms`);
 		}

package/src/cmd/cloud/sandbox/download.ts

@@ -2,7 +2,7 @@ import { z } from 'zod';
 import { writeFileSync } from 'node:fs';
 import { createCommand } from '../../../types';
 import * as tui from '../../../tui';
-import { createSandboxClient } from './util';
+import { createSandboxClient, getSandboxRegion } from './util';
 import { getCommand } from '../../../command-prefix';
 import { sandboxDownloadArchive } from '@agentuity/server';
 
@@ -11,7 +11,7 @@ export const downloadSubcommand = createCommand({
 	aliases: ['dl'],
 	description: 'Download files from a sandbox as a compressed archive',
 	tags: ['slow', 'requires-auth'],
-	requires: { auth: true, region: true, org: true },
+	requires: { auth: true, org: true },
 	examples: [
 		{
 			command: getCommand('cloud sandbox download sbx_abc123 ./backup.tar.gz'),
@@ -47,8 +47,9 @@ export const downloadSubcommand = createCommand({
 	},
 
 	async handler(ctx) {
-		const { args, opts, options, auth, region, logger, orgId } = ctx;
+		const { args, opts, options, auth, logger, orgId, config } = ctx;
 
+		const region = await getSandboxRegion(logger, auth, config?.name, args.sandboxId, orgId);
 		const client = createSandboxClient(logger, auth, region);
 		const format = opts.format || 'tar.gz';
 

package/src/cmd/cloud/sandbox/env.ts

@@ -1,7 +1,7 @@
 import { z } from 'zod';
 import { createCommand } from '../../../types';
 import * as tui from '../../../tui';
-import { createSandboxClient } from './util';
+import { getSandboxRegion, createSandboxClient } from './util';
 import { getCommand } from '../../../command-prefix';
 import { sandboxSetEnv } from '@agentuity/server';
 
@@ -9,7 +9,7 @@ export const envSubcommand = createCommand({
 	name: 'env',
 	description: 'Set or delete environment variables on a sandbox',
 	tags: ['slow', 'requires-auth'],
-	requires: { auth: true, region: true, org: true },
+	requires: { auth: true, org: true },
 	examples: [
 		{
 			command: getCommand('cloud sandbox env sbx_abc123 MY_VAR=value'),
@@ -42,8 +42,9 @@ export const envSubcommand = createCommand({
 	},
 
 	async handler(ctx) {
-		const { args, opts, options, auth, region, logger, orgId } = ctx;
+		const { args, opts, options, auth, config, logger, orgId } = ctx;
 
+		const region = await getSandboxRegion(logger, auth, config?.name, args.sandboxId, orgId);
 		const client = createSandboxClient(logger, auth, region);
 
 		const envMap: Record<string, string | null> = {};

package/src/cmd/cloud/sandbox/exec.ts

@@ -2,7 +2,7 @@ import { z } from 'zod';
 import { Writable } from 'node:stream';
 import { createCommand } from '../../../types';
 import * as tui from '../../../tui';
-import { createSandboxClient } from './util';
+import { getSandboxRegion, createSandboxClient } from './util';
 import { getCommand } from '../../../command-prefix';
 import { sandboxExecute, executionGet, writeAndDrain } from '@agentuity/server';
 import type { Logger } from '@agentuity/core';
@@ -23,7 +23,7 @@ export const execSubcommand = createCommand({
 	aliases: ['execute'],
 	description: 'Execute a command in a running sandbox',
 	tags: ['slow', 'requires-auth'],
-	requires: { auth: true, region: true, org: true },
+	requires: { auth: true, org: true },
 	examples: [
 		{
 			command: getCommand('cloud sandbox exec abc123 -- echo "hello"'),
@@ -51,7 +51,8 @@ export const execSubcommand = createCommand({
 	},
 
 	async handler(ctx) {
-		const { args, opts, options, auth, region, logger, orgId } = ctx;
+		const { args, opts, options, auth, config, logger, orgId } = ctx;
+		const region = await getSandboxRegion(logger, auth, config?.name, args.sandboxId, orgId);
 		const client = createSandboxClient(logger, auth, region);
 		const started = Date.now();
 

package/src/cmd/cloud/sandbox/execution/get.ts

@@ -1,9 +1,9 @@
 import { z } from 'zod';
 import { createCommand } from '../../../../types';
 import * as tui from '../../../../tui';
-import { createSandboxClient } from '../util';
 import { getCommand } from '../../../../command-prefix';
 import { executionGet } from '@agentuity/server';
+import { getGlobalCatalystAPIClient } from '../../../../config';
 
 const ExecutionGetResponseSchema = z.object({
 	executionId: z.string().describe('Execution ID'),
@@ -24,7 +24,7 @@ export const getSubcommand = createCommand({
 	aliases: ['info', 'show'],
 	description: 'Get information about a specific execution',
 	tags: ['read-only', 'fast', 'requires-auth'],
-	requires: { auth: true, region: true, org: true },
+	requires: { auth: true, org: true },
 	idempotent: true,
 	examples: [
 		{
@@ -40,8 +40,8 @@ export const getSubcommand = createCommand({
 	},
 
 	async handler(ctx) {
-		const { args, options, auth, region, logger, orgId } = ctx;
-		const client = createSandboxClient(logger, auth, region);
+		const { args, options, auth, logger, orgId, config } = ctx;
+		const client = await getGlobalCatalystAPIClient(logger, auth, config?.name);
 
 		const result = await executionGet(client, { executionId: args.executionId, orgId });
 

package/src/cmd/cloud/sandbox/execution/index.ts

@@ -19,7 +19,7 @@ export const command = createCommand({
 		},
 	],
 	subcommands: [getSubcommand, listSubcommand],
-	requires: { auth: true, region: true, org: true },
+	requires: { auth: true, org: true },
 });
 
 export default command;

package/src/cmd/cloud/sandbox/execution/list.ts

@@ -1,7 +1,7 @@
 import { z } from 'zod';
 import { createCommand } from '../../../../types';
 import * as tui from '../../../../tui';
-import { createSandboxClient } from '../util';
+import { getSandboxRegion, createSandboxClient } from '../util';
 import { getCommand } from '../../../../command-prefix';
 import { executionList } from '@agentuity/server';
 
@@ -25,7 +25,7 @@ export const listSubcommand = createCommand({
 	aliases: ['ls'],
 	description: 'List executions for a sandbox',
 	tags: ['read-only', 'fast', 'requires-auth'],
-	requires: { auth: true, region: true, org: true },
+	requires: { auth: true, org: true },
 	idempotent: true,
 	examples: [
 		{
@@ -48,7 +48,8 @@ export const listSubcommand = createCommand({
 	},
 
 	async handler(ctx) {
-		const { args, opts, options, auth, region, logger, orgId } = ctx;
+		const { args, opts, options, auth, logger, orgId, config } = ctx;
+		const region = await getSandboxRegion(logger, auth, config?.name, args.sandboxId, orgId);
 		const client = createSandboxClient(logger, auth, region);
 
 		const result = await executionList(client, {