@brewnet/cli 0.0.1 → 0.0.2

package/dist/{chunk-SIXBB6JU.js → chunk-Q6UUZR2V.js}

@@ -1,26 +1,38 @@
 #!/usr/bin/env node
+import {
+  createApp,
+  deployApp,
+  detectBasePath,
+  getAppBranches,
+  getAppDir,
+  getAppGitInfo,
+  getDeployHistory,
+  getDeploySettings,
+  getJobStatus,
+  listApps,
+  listGiteaRepos,
+  removeApp,
+  rollbackApp,
+  startApp,
+  stopApp,
+  updateDeploySettings
+} from "./chunk-FZZ3HP2G.js";
 import {
   DomainManager,
-  addApp,
   addService,
-  appendDeployHistory,
   createBackup,
   getLogStats,
   listBackups,
   queryLogs,
-  readApps,
-  readDeployHistory,
-  removeApp,
-  removeService,
-  updateApp
-} from "./chunk-2VWMDHGI.js";
+  removeService
+} from "./chunk-YAYXULLO.js";
 import {
   verifyToken
-} from "./chunk-JFPHGZ6Z.js";
+} from "./chunk-YXFDB5YX.js";
 import {
   SERVICE_REGISTRY,
   getServiceDefinition
-} from "./chunk-4TJMJZMO.js";
+} from "./chunk-AXSHZEB3.js";
 import {
   getLastProject,
   loadState,
@@ -33,1099 +45,13 @@ import {
 // src/services/admin-server.ts
 import { createServer } from "http";
 import { createConnection } from "net";
-import { join as join2, resolve, extname } from "path";
-import { existsSync as existsSync3, readFileSync as readFileSync3, writeFileSync as writeFileSync3, statSync, createReadStream } from "fs";
+import { join, resolve, extname } from "path";
+import { existsSync, readFileSync, writeFileSync, statSync, createReadStream } from "fs";
 import { fileURLToPath } from "url";
-import { homedir as homedir2 } from "os";
-import Dockerode from "dockerode";
-
-// src/services/app-manager.ts
-import { existsSync as existsSync2, readFileSync as readFileSync2, writeFileSync as writeFileSync2, readdirSync } from "fs";
-import { join } from "path";
 import { homedir } from "os";
-import { randomBytes } from "crypto";
-import { execa } from "execa";
-
-// src/services/gitea-client.ts
-import { existsSync, readFileSync, writeFileSync, chmodSync, mkdirSync, unlinkSync } from "fs";
-import { dirname } from "path";
-import { execSync } from "child_process";
-var GiteaClient = class {
-  config;
-  constructor(config) {
-    this.config = config;
-  }
-  // ---------------------------------------------------------------------------
-  // Token management
-  // ---------------------------------------------------------------------------
-  /**
-   * Create a Gitea API token via Basic Auth.
-   * If the admin account has mustChangePassword=true (403), auto-fixes via docker exec and retries.
-   * Saves the token to tokenPath on success.
-   */
-  async _createToken() {
-    const { tokenPath, baseUrl, username, password } = this.config;
-    const basic = Buffer.from(`${username}:${password}`).toString("base64");
-    const makeRequest = () => fetch(`${baseUrl}/api/v1/users/${username}/tokens`, {
-      method: "POST",
-      headers: { Authorization: `Basic ${basic}`, "Content-Type": "application/json" },
-      body: JSON.stringify({
-        name: `brewnet-${Date.now()}`,
-        scopes: ["write:repository", "read:repository", "write:user", "read:user"]
-      }),
-      signal: AbortSignal.timeout(8e3)
-    });
-    let res = await makeRequest();
-    let wasFixed = false;
-    if (!res.ok) {
-      const body = await res.text();
-      if (res.status === 403 && body.includes("must change")) {
-        try {
-          execSync(
-            `docker exec -u git brewnet-gitea gitea admin user change-password --username ${username} --password ${password} --must-change-password=false`,
-            { stdio: "pipe" }
-          );
-        } catch (e) {
-          const stderr = e.stderr?.toString().trim() ?? String(e);
-          throw new Error(
-            `Gitea admin requires password change \u2014 auto-fix failed:
-  ${stderr}
-  Manual fix: docker exec -u git brewnet-gitea gitea admin user change-password --username ${username} --password <password> --must-change-password=false`
-          );
-        }
-        wasFixed = true;
-        res = await makeRequest();
-        if (!res.ok) {
-          throw new Error(
-            `Gitea token creation failed after auto-fix: ${res.status} ${await res.text()}`
-          );
-        }
-      } else {
-        throw new Error(`Gitea token creation failed: ${res.status} ${body}`);
-      }
-    }
-    const data = await res.json();
-    mkdirSync(dirname(tokenPath), { recursive: true });
-    writeFileSync(tokenPath, data.sha1, "utf-8");
-    chmodSync(tokenPath, 384);
-    return { wasFixed };
-  }
-  /**
-   * Explicit setup step — call once before any API operations.
-   * Validates any cached token; deletes and re-creates if stale (401).
-   * Returns what happened so the caller can surface it in job step logs.
-   */
-  async prepare() {
-    const { tokenPath, baseUrl } = this.config;
-    if (existsSync(tokenPath)) {
-      const token = readFileSync(tokenPath, "utf-8").trim();
-      try {
-        const check = await fetch(`${baseUrl}/api/v1/user`, {
-          headers: { Authorization: `token ${token}` },
-          signal: AbortSignal.timeout(8e3)
-        });
-        if (check.status !== 401) {
-          return { autoFixed: false, message: "token cached" };
-        }
-        unlinkSync(tokenPath);
-      } catch {
-        return { autoFixed: false, message: "token cached (network check skipped)" };
-      }
-    }
-    const { wasFixed } = await this._createToken();
-    return {
-      autoFixed: wasFixed,
-      message: wasFixed ? "mustChangePassword was set \u2014 auto-fixed via docker exec; token created" : "token created"
-    };
-  }
-  async ensureToken() {
-    const { tokenPath } = this.config;
-    if (existsSync(tokenPath)) {
-      return readFileSync(tokenPath, "utf-8").trim();
-    }
-    await this._createToken();
-    return readFileSync(tokenPath, "utf-8").trim();
-  }
-  async authHeaders() {
-    return {
-      Authorization: `token ${await this.ensureToken()}`,
-      "Content-Type": "application/json"
-    };
-  }
-  // ---------------------------------------------------------------------------
-  // Repository operations
-  // ---------------------------------------------------------------------------
-  async repoExists(name) {
-    const { baseUrl, username } = this.config;
-    const res = await fetch(
-      `${baseUrl}/api/v1/repos/${username}/${name}`,
-      { headers: await this.authHeaders() }
-    );
-    return res.status === 200;
-  }
-  /** Returns true if the repo exists but has no commits (empty: true from Gitea API). */
-  async repoIsEmpty(name) {
-    const { baseUrl, username } = this.config;
-    const res = await fetch(
-      `${baseUrl}/api/v1/repos/${username}/${name}`,
-      { headers: await this.authHeaders() }
-    );
-    if (res.status !== 200) return false;
-    const data = await res.json();
-    return data.empty === true;
-  }
-  /** Creates a private repo and returns the clone URL. */
-  async createRepo(name, description = "") {
-    const { baseUrl } = this.config;
-    const res = await fetch(`${baseUrl}/api/v1/user/repos`, {
-      method: "POST",
-      headers: await this.authHeaders(),
-      body: JSON.stringify({ name, description, private: false, auto_init: false })
-    });
-    if (!res.ok) {
-      const body = await res.text();
-      if (res.status === 409) {
-        const existing = await fetch(`${baseUrl}/api/v1/repos/${this.config.username}/${name}`, {
-          headers: await this.authHeaders()
-        });
-        if (existing.ok) {
-          const data2 = await existing.json();
-          return data2.clone_url;
-        }
-      }
-      if (res.status === 500 && body.includes("files already exist")) {
-        await this.deleteRepo(name).catch(() => {
-        });
-        const retry = await fetch(`${baseUrl}/api/v1/user/repos`, {
-          method: "POST",
-          headers: await this.authHeaders(),
-          body: JSON.stringify({ name, description, private: false, auto_init: false })
-        });
-        if (!retry.ok) {
-          throw new Error(`Gitea createRepo retry failed: ${retry.status} ${await retry.text()}`);
-        }
-        const retryData = await retry.json();
-        return retryData.clone_url;
-      }
-      throw new Error(`Gitea createRepo failed: ${res.status} ${body}`);
-    }
-    const data = await res.json();
-    return data.clone_url;
-  }
-  /** Patch a repo from private to public visibility. No-op if already public. */
-  async makeRepoPublic(name) {
-    const { baseUrl, username } = this.config;
-    const res = await fetch(`${baseUrl}/api/v1/repos/${username}/${name}`, {
-      method: "PATCH",
-      headers: await this.authHeaders(),
-      body: JSON.stringify({ private: false })
-    });
-    if (!res.ok) throw new Error(`Gitea makeRepoPublic failed: ${res.status} ${await res.text()}`);
-  }
-  async deleteRepo(name) {
-    const { baseUrl, username } = this.config;
-    await fetch(`${baseUrl}/api/v1/repos/${username}/${name}`, {
-      method: "DELETE",
-      headers: await this.authHeaders()
-    });
-  }
-  /** Returns all repos accessible to the authenticated user. */
-  async listRepos() {
-    const { baseUrl } = this.config;
-    const res = await fetch(`${baseUrl}/api/v1/user/repos`, {
-      headers: await this.authHeaders(),
-      signal: AbortSignal.timeout(8e3)
-    });
-    if (!res.ok) {
-      throw new Error(`Gitea listRepos failed: ${res.status} ${await res.text()}`);
-    }
-    return await res.json();
-  }
-  /** Fetch a single repo's detail (includes default_branch, ssh_url). */
-  async getRepo(name) {
-    const { baseUrl, username } = this.config;
-    const res = await fetch(`${baseUrl}/api/v1/repos/${username}/${name}`, {
-      headers: await this.authHeaders()
-    });
-    if (!res.ok) throw new Error(`Gitea getRepo failed: ${res.status} ${await res.text()}`);
-    return res.json();
-  }
-  /** Get the latest commit on a branch. Returns null for empty repos. */
-  async getLatestCommit(repoName, branch) {
-    const { baseUrl, username } = this.config;
-    const res = await fetch(
-      `${baseUrl}/api/v1/repos/${username}/${repoName}/commits?sha=${encodeURIComponent(branch)}&limit=1`,
-      { headers: await this.authHeaders() }
-    );
-    if (!res.ok) return null;
-    const commits = await res.json();
-    if (!commits.length) return null;
-    const c = commits[0];
-    return {
-      hash: c.sha,
-      shortHash: c.sha.slice(0, 7),
-      message: c.commit.message.split("\n")[0],
-      date: c.commit.committer.date
-    };
-  }
-  /** Register a push webhook on the repo. */
-  async createWebhook(repoName, webhookUrl, secret) {
-    const { baseUrl, username } = this.config;
-    const res = await fetch(`${baseUrl}/api/v1/repos/${username}/${repoName}/hooks`, {
-      method: "POST",
-      headers: await this.authHeaders(),
-      body: JSON.stringify({
-        type: "gitea",
-        config: { url: webhookUrl, content_type: "json", secret },
-        events: ["push"],
-        active: true
-      })
-    });
-    if (!res.ok) throw new Error(`Gitea createWebhook failed: ${res.status} ${await res.text()}`);
-  }
-  /** Returns branch names for a repo. Falls back to empty array on error. */
-  async listBranches(repoName) {
-    const { baseUrl, username } = this.config;
-    const res = await fetch(
-      `${baseUrl}/api/v1/repos/${username}/${repoName}/branches?limit=50`,
-      { headers: await this.authHeaders(), signal: AbortSignal.timeout(8e3) }
-    );
-    if (!res.ok) return [];
-    const data = await res.json();
-    return data.map((b) => b.name);
-  }
-  /** URL suitable for git remote add — includes credentials in URL (stored in .git/config which is chmod 600). */
-  authedCloneUrl(cloneUrl) {
-    const { username, password } = this.config;
-    const encUser = encodeURIComponent(username);
-    const encPass = encodeURIComponent(password);
-    return cloneUrl.replace("http://", `http://${encUser}:${encPass}@`);
-  }
-};
-
-// src/services/app-manager.ts
-var BREWNET_DIR = join(homedir(), ".brewnet");
-var GITEA_TOKEN_PATH = join(BREWNET_DIR, "gitea-token");
-var DEPLOY_HISTORY_PATH = join(BREWNET_DIR, "deploy-history.json");
-var jobs = /* @__PURE__ */ new Map();
-function resolveAppsJsonPath() {
-  return join(BREWNET_DIR, "apps.json");
-}
-function readDotEnvValue(envPath, key) {
-  if (!existsSync2(envPath)) return "";
-  const lines = readFileSync2(envPath, "utf-8").split("\n");
-  for (const line of lines) {
-    const trimmed = line.trim();
-    if (trimmed.startsWith(`${key}=`)) {
-      return trimmed.slice(key.length + 1).trim();
-    }
-  }
-  return "";
-}
-var _boilerplateRegistered = false;
-async function listApps() {
-  const appsJson = resolveAppsJsonPath();
-  const apps = readApps(appsJson);
-  if (_boilerplateRegistered) return apps;
-  _boilerplateRegistered = true;
-  try {
-    const ctx = resolveContext();
-    const bpPath = join(ctx.projectPath, ".brewnet-boilerplate.json");
-    if (existsSync2(bpPath)) {
-      const raw = JSON.parse(readFileSync2(bpPath, "utf-8"));
-      const bpMetas = Array.isArray(raw) ? raw : [raw];
-      let changed = false;
-      for (const bp of bpMetas) {
-        if (!bp.stackId || !bp.appDir) continue;
-        const exists = apps.some((a) => a.appDir === bp.appDir || a.stackId === bp.stackId);
-        if (!exists) {
-          const port = bp.backendUrl ? parseInt(new URL(bp.backendUrl).port || "8080", 10) : 8080;
-          const entry = {
-            name: bp.stackId,
-            mode: "boilerplate",
-            stackId: bp.stackId,
-            appDir: bp.appDir,
-            lang: bp.lang,
-            framework: bp.frameworkId,
-            port,
-            status: bp.status || "running",
-            createdAt: (/* @__PURE__ */ new Date()).toISOString()
-          };
-          apps.push(entry);
-          changed = true;
-        }
-      }
-      if (changed) {
-        writeFileSync2(appsJson, JSON.stringify(apps, null, 2), "utf-8");
-      }
-    }
-  } catch {
-  }
-  return apps;
-}
-function getDeployHistory(appName) {
-  const entries = readDeployHistory(DEPLOY_HISTORY_PATH);
-  if (!appName) return entries;
-  return entries.filter((e) => e.appName === appName);
-}
-async function listGiteaRepos() {
-  const ctx = resolveContext();
-  const gitea = new GiteaClient({
-    baseUrl: ctx.giteaBaseUrl,
-    username: ctx.giteaUser,
-    password: ctx.giteaPassword,
-    tokenPath: GITEA_TOKEN_PATH
-  });
-  await gitea.prepare();
-  return gitea.listRepos();
-}
-function getDeploySettings(appName) {
-  const apps = readApps(resolveAppsJsonPath());
-  const app = apps.find((a) => a.name === appName);
-  const settings = app?.deploySettings;
-  return settings ?? { autoDeploy: false, deployBranch: "main" };
-}
-function updateDeploySettings(appName, settings) {
-  const appsJson = resolveAppsJsonPath();
-  const apps = readApps(appsJson);
-  const app = apps.find((a) => a.name === appName);
-  if (!app) throw new Error(`App "${appName}" not found`);
-  const existing = app.deploySettings ?? { autoDeploy: false, deployBranch: "main" };
-  app.deploySettings = { ...existing, ...settings };
-  updateApp(appsJson, appName, app);
-}
-async function getAppGitInfo(appName) {
-  const ctx = resolveContext();
-  const apps = readApps(resolveAppsJsonPath());
-  const app = apps.find((a) => a.name === appName);
-  if (!app) throw new Error(`App "${appName}" not found`);
-  const gitea = new GiteaClient({
-    baseUrl: ctx.giteaBaseUrl,
-    username: ctx.giteaUser,
-    password: ctx.giteaPassword,
-    tokenPath: GITEA_TOKEN_PATH
-  });
-  let branch = "main";
-  let latestCommit = null;
-  let cloneUrlSsh = `ssh://git@localhost:2222/${ctx.giteaUser}/${appName}.git`;
-  try {
-    const repo = await gitea.getRepo(appName);
-    branch = repo.default_branch || "main";
-    cloneUrlSsh = repo.ssh_url || cloneUrlSsh;
-    if (repo.private) {
-      await gitea.makeRepoPublic(appName).catch((e) => {
-        console.warn(`[app-manager] makeRepoPublic failed for ${appName}: ${e instanceof Error ? e.message : String(e)}`);
-      });
-    }
-    latestCommit = await gitea.getLatestCommit(appName, branch);
-  } catch (e) {
-    console.warn(`[app-manager] getAppGitInfo Gitea call failed (${appName}): ${e instanceof Error ? e.message : String(e)}`);
-  }
-  return {
-    giteaUrl: `${ctx.giteaBaseUrl}/${ctx.giteaUser}/${appName}`,
-    cloneUrlHttp: `${ctx.giteaBaseUrl}/${ctx.giteaUser}/${appName}.git`,
-    cloneUrlSsh,
-    localPath: app.appDir,
-    branch,
-    latestCommit
-  };
-}
-async function rollbackApp(appName, commitHash) {
-  const job = newJob(appName, ["Checkout", "Build & Start", "Health check"]);
-  jobs.set(job.jobId, job);
-  setImmediate(() => void _runRollback(job, appName, commitHash));
-  return job.jobId;
-}
-async function _runRollback(job, appName, commitHash) {
-  try {
-    const apps = readApps(resolveAppsJsonPath());
-    const app = apps.find((a) => a.name === appName);
-    if (!app) throw new Error(`App "${appName}" not found`);
-    const target = commitHash || "HEAD~1";
-    setStep(job, 0, "running", `git checkout ${target.slice(0, 7)}`);
-    await execa("git", ["checkout", target], { cwd: app.appDir });
-    setStep(job, 0, "done");
-    await _injectQuickTunnelIfNeeded(app.appDir, appName, app.port);
-    setStep(job, 1, "running", "docker compose up --build");
-    await _dockerComposeUp(app.appDir, job);
-    setStep(job, 1, "done", "containers started");
-    setStep(job, 2, "running");
-    const healthUrl = _buildHealthUrl(app.appDir, app.port);
-    setStep(job, 2, "running", `polling ${healthUrl}`);
-    await _pollHealth(healthUrl, 12e4, job);
-    setStep(job, 2, "done");
-    updateApp(resolveAppsJsonPath(), appName, { status: "running" });
-    appendDeployHistory(DEPLOY_HISTORY_PATH, {
-      appName,
-      commitHash,
-      commitMessage: `Rollback to ${commitHash.slice(0, 7)}`,
-      status: "success",
-      deployedAt: (/* @__PURE__ */ new Date()).toISOString()
-    });
-    job.status = "done";
-  } catch (err) {
-    job.status = "failed";
-    job.error = err instanceof Error ? err.message : String(err);
-    for (const step of job.steps) {
-      if (step.status === "running" || step.status === "pending") step.status = "failed";
-    }
-    appendDeployHistory(DEPLOY_HISTORY_PATH, {
-      appName,
-      commitHash,
-      commitMessage: `Rollback to ${commitHash.slice(0, 7)}`,
-      status: "failed",
-      deployedAt: (/* @__PURE__ */ new Date()).toISOString()
-    });
-  }
-}
-async function getAppBranches(appName) {
-  const ctx = resolveContext();
-  const gitea = new GiteaClient({
-    baseUrl: ctx.giteaBaseUrl,
-    username: ctx.giteaUser,
-    password: ctx.giteaPassword,
-    tokenPath: GITEA_TOKEN_PATH
-  });
-  return gitea.listBranches(appName);
-}
-async function setupWebhook(appName, webhookUrl) {
-  const ctx = resolveContext();
-  const settings = getDeploySettings(appName);
-  const secret = settings.webhookSecret ?? randomBytes(16).toString("hex");
-  const gitea = new GiteaClient({
-    baseUrl: ctx.giteaBaseUrl,
-    username: ctx.giteaUser,
-    password: ctx.giteaPassword,
-    tokenPath: GITEA_TOKEN_PATH
-  });
-  await gitea.createWebhook(appName, webhookUrl, secret);
-  updateDeploySettings(appName, { webhookSecret: secret });
-}
-async function deployApp(appName) {
-  const job = newJob(appName, ["Pull", "Build & Start", "Health check"]);
-  jobs.set(job.jobId, job);
-  setImmediate(() => void _runDeploy(job, appName));
-  return job.jobId;
-}
-async function _runDeploy(job, appName) {
-  const apps = readApps(resolveAppsJsonPath());
-  const app = apps.find((a) => a.name === appName);
-  if (!app) {
-    job.status = "failed";
-    job.error = `App "${appName}" not found`;
-    return;
-  }
-  try {
-    const settings = getDeploySettings(appName);
-    setStep(job, 0, "running");
-    try {
-      const ctx = resolveContext();
-      const gitea = new GiteaClient({
-        baseUrl: ctx.giteaBaseUrl,
-        username: ctx.giteaUser,
-        password: ctx.giteaPassword,
-        tokenPath: GITEA_TOKEN_PATH
-      });
-      await gitea.prepare();
-      const repoExists = await gitea.repoExists(appName);
-      if (!repoExists) {
-        appendLog(job, "[pull] Gitea repo not found \u2014 recreating and pushing local code");
-        const cloneUrl = await gitea.createRepo(appName, `Brewnet app: ${appName}`);
-        const authedUrl = gitea.authedCloneUrl(cloneUrl);
-        await execa("git", ["remote", "add", "brewnet", authedUrl], { cwd: app.appDir }).catch(
-          () => execa("git", ["remote", "set-url", "brewnet", authedUrl], { cwd: app.appDir })
-        );
-        await execa("git", ["push", "brewnet", "HEAD:main", "--force"], { cwd: app.appDir });
-        appendLog(job, "[pull] Gitea repo recreated and code pushed \u2713");
-      } else if (!existsSync2(app.appDir)) {
-        appendLog(job, "[pull] appDir missing \u2014 cloning from Gitea");
-        const authedUrl = gitea.authedCloneUrl(`${ctx.giteaBaseUrl}/${ctx.giteaUser}/${appName}.git`);
-        await execa("git", ["clone", authedUrl, app.appDir]);
-        appendLog(job, "[pull] re-cloned from Gitea \u2713");
-      } else if (await gitea.repoIsEmpty(appName)) {
-        appendLog(job, "[pull] Gitea repo is empty \u2014 pushing local code");
-        const isShallow = await execa("git", ["rev-parse", "--is-shallow-repository"], { cwd: app.appDir }).then((r) => r.stdout.trim() === "true").catch(() => false);
-        if (isShallow) {
-          appendLog(job, "[pull] shallow clone detected \u2014 unshallowing");
-          await execa("git", ["fetch", "--unshallow", "origin"], { cwd: app.appDir }).catch(async () => {
-            const { reinitGit } = await import("./boilerplate-manager-P6QYUU7Q.js");
-            await reinitGit(app.appDir);
-          });
-        }
-        const authedUrl = gitea.authedCloneUrl(`${ctx.giteaBaseUrl}/${ctx.giteaUser}/${appName}.git`);
-        await execa("git", ["remote", "add", "brewnet", authedUrl], { cwd: app.appDir }).catch(
-          () => execa("git", ["remote", "set-url", "brewnet", authedUrl], { cwd: app.appDir })
-        );
-        await execa("git", ["push", "brewnet", "HEAD:main", "--force"], { cwd: app.appDir });
-        appendLog(job, "[pull] code pushed to Gitea \u2713");
-      } else {
-        await execa("git", ["pull", "brewnet", settings.deployBranch], { cwd: app.appDir }).catch((e) => {
-          appendLog(job, `[pull] git pull failed (non-critical): ${e instanceof Error ? e.message : String(e)}`);
-        });
-      }
-    } catch (e) {
-      appendLog(job, `[pull] Gitea sync failed (non-critical): ${e instanceof Error ? e.message : String(e)}`);
-    }
-    setStep(job, 0, "done");
-    const hasCompose = existsSync2(join(app.appDir, "docker-compose.yml")) || existsSync2(join(app.appDir, "compose.yml"));
-    if (!hasCompose) {
-      const projectType = _detectProjectType(app.appDir);
-      if (projectType) {
-        appendLog(job, `[scaffold] Detected ${projectType} project \u2014 generating Docker config`);
-        _scaffoldDockerConfig(app.appDir, appName, app.port, job, projectType);
-      } else {
-        throw new Error(
-          "This project has no docker-compose.yml or Dockerfile. Add a Dockerfile and docker-compose.yml to deploy, or use a Brewnet boilerplate."
-        );
-      }
-    }
-    await _injectQuickTunnelIfNeeded(app.appDir, appName, app.port);
-    setStep(job, 1, "running", "docker compose up --build");
-    await _dockerComposeUp(app.appDir, job);
-    setStep(job, 1, "done", "containers started");
-    setStep(job, 2, "running");
-    const healthUrlDeploy = _buildHealthUrl(app.appDir, app.port);
-    setStep(job, 2, "running", `polling ${healthUrlDeploy}`);
-    await _pollHealth(healthUrlDeploy, 12e4, job);
-    setStep(job, 2, "done");
-    updateApp(resolveAppsJsonPath(), appName, { status: "running" });
-    const headHash = await execa("git", ["rev-parse", "HEAD"], { cwd: app.appDir }).then((r) => r.stdout.trim()).catch(() => "");
-    const headMsg = await execa("git", ["log", "-1", "--format=%s"], { cwd: app.appDir }).then((r) => r.stdout.trim()).catch(() => "Manual deploy");
-    appendDeployHistory(DEPLOY_HISTORY_PATH, {
-      appName,
-      commitHash: headHash,
-      commitMessage: headMsg,
-      status: "success",
-      deployedAt: (/* @__PURE__ */ new Date()).toISOString()
-    });
-    job.status = "done";
-  } catch (err) {
-    job.status = "failed";
-    job.error = err instanceof Error ? err.message : String(err);
-    for (const step of job.steps) {
-      if (step.status === "running" || step.status === "pending") step.status = "failed";
-    }
-    const headHashFail = await execa("git", ["rev-parse", "HEAD"], { cwd: app.appDir }).then((r) => r.stdout.trim()).catch(() => "");
-    appendDeployHistory(DEPLOY_HISTORY_PATH, {
-      appName,
-      commitHash: headHashFail,
-      commitMessage: "Manual deploy",
-      status: "failed",
-      deployedAt: (/* @__PURE__ */ new Date()).toISOString()
-    });
-  }
-}
-function getAppDir(appName) {
-  const apps = readApps(resolveAppsJsonPath());
-  return apps.find((a) => a.name === appName)?.appDir;
-}
-function getJobStatus(jobId) {
-  return jobs.get(jobId);
-}
-function newJob(appName, stepLabels) {
-  return {
-    jobId: randomBytes(8).toString("hex"),
-    appName,
-    status: "running",
-    steps: stepLabels.map((label) => ({ label, status: "pending" }))
-  };
-}
-function setStep(job, index, status, message) {
-  const step = job.steps[index];
-  if (step) {
-    step.status = status;
-    if (message) step.message = message;
-  }
-}
-function appendLog(job, line) {
-  if (!job.logs) job.logs = [];
-  job.logs.push(line);
-  if (job.logs.length > 200) job.logs.splice(0, job.logs.length - 200);
-}
-function readBoilerplateMeta(projectPath) {
-  const p = join(projectPath, ".brewnet-boilerplate.json");
-  if (!existsSync2(p)) return [];
-  try {
-    const raw = JSON.parse(readFileSync2(p, "utf-8"));
-    return Array.isArray(raw) ? raw : [raw];
-  } catch {
-    return [];
-  }
-}
-function resolveContext() {
-  const last = getLastProject();
-  const state = loadState(last ?? "");
-  const raw = state?.projectPath ?? process.cwd();
-  const projectPath = raw.startsWith("~") ? join(homedir(), raw.slice(1)) : raw;
-  const envPath = join(projectPath, ".env");
-  const giteaUser = readDotEnvValue(envPath, "GITEA_ADMIN_USER") || state?.admin?.username || "admin";
-  const secretsPath = join(projectPath, "secrets", "admin_password");
-  const secretsPassword = existsSync2(secretsPath) ? readFileSync2(secretsPath, "utf-8").trim() : "";
-  const giteaPassword = secretsPassword || readDotEnvValue(envPath, "GITEA_ADMIN_PASSWORD") || state?.admin?.password || "";
-  const tunnelMode = state?.domain?.cloudflare?.tunnelMode ?? "";
-  const gitPort = state?.servers?.gitServer?.port ?? 3e3;
-  const giteaBaseUrl = tunnelMode === "quick" ? "http://localhost/git" : `http://localhost:${gitPort}`;
-  return { projectPath, giteaBaseUrl, giteaUser, giteaPassword };
-}
-async function _injectQuickTunnelIfNeeded(appDir, appName, port) {
-  try {
-    const last = getLastProject();
-    const state = loadState(last ?? "");
-    if (state?.domain?.cloudflare?.tunnelMode !== "quick") return;
-    const { injectTraefikForQuickTunnel } = await import("./boilerplate-manager-P6QYUU7Q.js");
-    injectTraefikForQuickTunnel(appDir, appName, port);
-  } catch (err) {
-    console.error(`[Quick Tunnel] Failed to inject Traefik labels for ${appName}: ${err instanceof Error ? err.message : String(err)}`);
-  }
-}
-function _detectProjectType(dir) {
-  try {
-    if (existsSync2(join(dir, "next.config.ts")) || existsSync2(join(dir, "next.config.mjs")) || existsSync2(join(dir, "next.config.js"))) return "nextjs";
-    if (existsSync2(join(dir, "package.json"))) return "nodejs";
-    if (existsSync2(join(dir, "requirements.txt")) || existsSync2(join(dir, "pyproject.toml"))) return "python";
-    if (existsSync2(join(dir, "go.mod"))) return "go";
-    if (existsSync2(join(dir, "Cargo.toml"))) return "rust";
-    if (existsSync2(join(dir, "pom.xml")) || existsSync2(join(dir, "build.gradle")) || existsSync2(join(dir, "build.gradle.kts"))) return "java";
-    if (existsSync2(join(dir, "index.html"))) return "static";
-    if (readdirSync(dir).some((f) => f.endsWith(".html"))) return "static";
-  } catch {
-  }
-  return null;
-}
-function _scaffoldDockerConfig(dir, _appName, port, job, detectedType) {
-  const type = detectedType || _detectProjectType(dir);
-  if (!type) throw new Error(`Cannot auto-detect project type in ${dir}. Add a Dockerfile and docker-compose.yml manually.`);
-  if (job && !detectedType) appendLog(job, `[scaffold] Detected ${type} project \u2014 generating Docker config`);
-  let dockerfile = "";
-  switch (type) {
-    case "nextjs":
-      dockerfile = [
-        "FROM node:22-alpine",
-        "WORKDIR /app",
-        "COPY package.json package-lock.json* pnpm-lock.yaml* yarn.lock* ./",
-        "RUN npm install --legacy-peer-deps 2>/dev/null || yarn install 2>/dev/null || true",
-        "COPY . .",
-        "RUN npm run build",
-        "ENV PORT=3000 HOSTNAME=0.0.0.0",
-        "EXPOSE 3000",
-        'CMD ["npm", "start"]'
-      ].join("\n");
-      break;
-    case "nodejs":
-      dockerfile = [
-        "FROM node:22-alpine",
-        "WORKDIR /app",
-        "COPY package.json package-lock.json* pnpm-lock.yaml* yarn.lock* ./",
-        "RUN npm install --legacy-peer-deps || true",
-        "COPY . .",
-        "RUN npm run build 2>/dev/null || true",
-        "EXPOSE " + port,
-        'CMD ["npm", "start"]'
-      ].join("\n");
-      break;
-    case "python":
-      dockerfile = [
-        "FROM python:3.13-slim",
-        "WORKDIR /app",
-        "COPY requirements.txt* pyproject.toml* ./",
-        "RUN pip install --no-cache-dir -r requirements.txt 2>/dev/null || pip install --no-cache-dir . 2>/dev/null || true",
-        "COPY . .",
-        "EXPOSE " + port,
-        'CMD ["python", "-m", "uvicorn", "main:app", "--host", "0.0.0.0", "--port", "' + port + '"]'
-      ].join("\n");
-      break;
-    case "go":
-      dockerfile = [
-        "FROM golang:1.22-alpine AS builder",
-        "WORKDIR /app",
-        "COPY go.mod go.sum* ./",
-        "RUN go mod download",
-        "COPY . .",
-        "RUN CGO_ENABLED=0 go build -o server .",
-        "",
-        "FROM alpine",
-        "WORKDIR /app",
-        "COPY --from=builder /app/server .",
-        "EXPOSE " + port,
-        'CMD ["./server"]'
-      ].join("\n");
-      break;
-    case "rust":
-      dockerfile = [
-        "FROM rust:1.88 AS builder",
-        "WORKDIR /app",
-        "COPY . .",
-        "RUN cargo build --release",
-        "",
-        "FROM debian:bookworm-slim",
-        "WORKDIR /app",
-        "COPY --from=builder /app/target/release/* /app/ 2>/dev/null || true",
-        "EXPOSE " + port,
-        'CMD ["./app"]'
-      ].join("\n");
-      break;
-    case "java":
-      dockerfile = [
-        "FROM gradle:8.12-jdk21 AS builder",
-        "WORKDIR /app",
-        "COPY . .",
-        "RUN gradle build -x test 2>/dev/null || ./gradlew build -x test 2>/dev/null || mvn package -DskipTests 2>/dev/null || true",
-        "",
-        "FROM eclipse-temurin:21-jre-alpine",
-        "WORKDIR /app",
-        "COPY --from=builder /app/build/libs/*.jar app.jar 2>/dev/null || true",
-        "COPY --from=builder /app/target/*.jar app.jar 2>/dev/null || true",
-        "EXPOSE " + port,
-        'CMD ["java", "-jar", "app.jar"]'
-      ].join("\n");
-      break;
-    case "static":
-      dockerfile = [
-        "FROM nginx:1.27-alpine",
-        "COPY . /usr/share/nginx/html/",
-        "EXPOSE 80"
-      ].join("\n");
-      break;
-  }
-  const internalPort = type === "nextjs" ? 3e3 : type === "static" ? 80 : port;
-  const compose = [
-    "services:",
-    "  backend:",
-    "    build: .",
-    "    ports:",
-    `      - "${port}:${internalPort}"`,
-    "    restart: unless-stopped",
-    "    healthcheck:",
-    `      test: ["CMD", "wget", "-q", "-O", "/dev/null", "http://127.0.0.1:${internalPort}/"]`,
-    "      interval: 10s",
-    "      timeout: 5s",
-    "      retries: 5"
-  ].join("\n");
-  if (!existsSync2(join(dir, "Dockerfile"))) {
-    writeFileSync2(join(dir, "Dockerfile"), dockerfile, "utf-8");
-    if (job) appendLog(job, "[scaffold] Generated Dockerfile");
-  }
-  writeFileSync2(join(dir, "docker-compose.yml"), compose, "utf-8");
-  if (job) appendLog(job, "[scaffold] Generated docker-compose.yml");
-  if (!existsSync2(join(dir, ".dockerignore"))) {
-    writeFileSync2(join(dir, ".dockerignore"), "node_modules\n.next\n.git\n*.md\n", "utf-8");
-  }
-}
-function ensureComposeFile(dir, appName, port, job) {
-  if (existsSync2(join(dir, "docker-compose.yml")) || existsSync2(join(dir, "compose.yml"))) return;
-  _scaffoldDockerConfig(dir, appName, port, job);
-}
-function _resolveBackendPort(appDir, fallbackPort) {
-  const envPath = join(appDir, ".env");
-  const val = readDotEnvValue(envPath, "BACKEND_PORT");
-  const parsed = val ? parseInt(val, 10) : NaN;
-  return isNaN(parsed) ? fallbackPort : parsed;
-}
-function detectBasePath(appDir) {
-  for (const name of ["next.config.ts", "next.config.mjs", "next.config.js"]) {
-    const p = join(appDir, name);
-    if (existsSync2(p)) {
-      const content = readFileSync2(p, "utf-8");
-      const match = content.match(/basePath\s*:\s*['"`]([^'"`]+)['"`]/);
-      if (match) return match[1];
-    }
-  }
-  return "";
-}
-function _buildHealthUrl(appDir, fallbackPort) {
-  const healthPort = _resolveBackendPort(appDir, fallbackPort);
-  const basePath = detectBasePath(appDir);
-  const isBoilerplate = existsSync2(join(appDir, ".env.example")) && readFileSync2(join(appDir, ".env.example"), "utf-8").includes("STACK_LANG");
-  const hasHealthRoute = existsSync2(join(appDir, "src", "app", "health")) || existsSync2(join(appDir, "backend", "src"));
-  const healthPath = isBoilerplate || hasHealthRoute ? "/health" : "/";
-  return `http://127.0.0.1:${healthPort}${basePath}${healthPath}`;
-}
-async function _pollHealth(url, maxMs = 12e4, job) {
-  const deadline = Date.now() + maxMs;
-  let attempt = 0;
-  while (Date.now() < deadline) {
-    attempt++;
-    try {
-      const res = await fetch(url, { signal: AbortSignal.timeout(5e3) });
-      if (res.ok) {
-        if (job) appendLog(job, `[health] \u2713 ${url} \u2192 ${res.status} (attempt ${attempt})`);
-        return;
-      }
-      if (job) appendLog(job, `[health] ${url} \u2192 ${res.status} (attempt ${attempt})`);
-    } catch {
-      if (job && attempt % 3 === 1) appendLog(job, `[health] waiting... ${url} (attempt ${attempt})`);
-    }
-    await new Promise((r) => setTimeout(r, 3e3));
-  }
-  if (job) appendLog(job, `[health] \u2717 timeout after ${maxMs / 1e3}s`);
-  throw new Error(`Health check timed out after ${maxMs / 1e3}s: ${url}`);
-}
-async function _dockerComposeUp(cwd, job) {
-  appendLog(job, `[docker] $ docker compose up -d --build`);
-  appendLog(job, `[docker] cwd: ${cwd}`);
-  const proc = execa("docker", ["compose", "up", "-d", "--build"], { cwd, reject: false });
-  proc.stdout?.on("data", (chunk) => {
-    for (const line of chunk.toString().split("\n").filter(Boolean)) {
-      appendLog(job, `[docker] ${line}`);
-    }
-  });
-  proc.stderr?.on("data", (chunk) => {
-    for (const line of chunk.toString().split("\n").filter(Boolean)) {
-      appendLog(job, `[docker] ${line}`);
-    }
-  });
-  const result = await proc;
-  if (result.exitCode !== 0) {
-    appendLog(job, `[docker] \u2717 exit code ${result.exitCode}`);
-    throw new Error(`Command failed with exit code ${result.exitCode}: docker compose up -d --build
-${result.stderr}`);
-  }
-  appendLog(job, `[docker] \u2713 containers started`);
-}
-async function createApp(opts) {
-  const job = newJob(opts.appName, ["Validating", "Gitea setup", "Gitea repo", "Git push", "Docker up", "Health check"]);
-  jobs.set(job.jobId, job);
-  setImmediate(() => void _runCreateApp(job, opts));
-  return job.jobId;
-}
-async function _runCreateApp(job, opts) {
-  try {
-    const ctx = resolveContext();
-    const appsJson = resolveAppsJsonPath();
-    setStep(job, 0, "running");
-    if (opts.mode === "boilerplate") {
-      if (!opts.stackId) throw new Error("stackId is required for boilerplate mode");
-      const metas = readBoilerplateMeta(ctx.projectPath);
-      const meta = metas.find((m) => m.stackId === opts.stackId);
-      if (meta) {
-        opts._meta = meta;
-      } else {
-        appendLog(job, `[info] Stack "${opts.stackId}" not installed locally \u2014 cloning fresh from catalog`);
-        opts._resolvedStackId = opts.stackId;
-      }
-    } else if (opts.mode === "git-clone") {
-      if (!opts.gitUrl) throw new Error("gitUrl is required for Git Clone mode");
-    } else if (opts.mode === "new-project") {
-      const { resolveStackId } = await import("./frameworks-Z7VXDGP4.js");
-      const stackId = resolveStackId(opts.language ?? "nodejs", opts.frameworkId ?? "express");
-      if (!stackId) throw new Error(`Unknown stack: ${opts.language}/${opts.frameworkId}`);
-      opts._resolvedStackId = stackId;
-    }
-    setStep(job, 0, "done");
-    setStep(job, 1, "running");
-    const gitea = new GiteaClient({
-      baseUrl: ctx.giteaBaseUrl,
-      username: ctx.giteaUser,
-      password: ctx.giteaPassword,
-      tokenPath: GITEA_TOKEN_PATH
-    });
-    const giteaPrep = await gitea.prepare();
-    setStep(job, 1, "done", giteaPrep.message);
-    if (opts.mode === "boilerplate" && opts._meta) {
-      await _createModeA(job, opts, ctx, gitea, appsJson);
-    } else if (opts.mode === "git-clone") {
-      await _createModeB(job, opts, ctx, gitea, appsJson);
-    } else {
-      await _createModeC(job, opts, ctx, gitea, appsJson);
-    }
-    job.status = "done";
-  } catch (err) {
-    job.status = "failed";
-    job.error = err instanceof Error ? err.message : String(err);
-    for (const step of job.steps) {
-      if (step.status === "running" || step.status === "pending") step.status = "failed";
-    }
-  }
-}
-async function _createModeA(job, opts, ctx, gitea, appsJson) {
-  const meta = opts._meta;
-  const port = opts.port ?? meta.port ?? parseInt(meta.backendUrl.split(":").pop() ?? "8080", 10);
-  setStep(job, 2, "running", `checking ${ctx.giteaUser}/${opts.appName}`);
-  const alreadyExists = await gitea.repoExists(opts.appName);
-  let cloneUrl;
-  if (!alreadyExists) {
-    setStep(job, 2, "running", `creating ${ctx.giteaUser}/${opts.appName}`);
-    cloneUrl = await gitea.createRepo(opts.appName, `Brewnet app: ${opts.appName}`);
-  } else {
-    cloneUrl = `${ctx.giteaBaseUrl}/${ctx.giteaUser}/${opts.appName}.git`;
-  }
-  setStep(job, 2, "done");
-  setStep(job, 3, "running", `pushing HEAD:main \u2192 ${ctx.giteaUser}/${opts.appName}`);
-  const shallowCheck = await execa("git", ["rev-parse", "--is-shallow-repository"], { cwd: meta.appDir }).catch(() => ({ stdout: "false" }));
-  if (shallowCheck.stdout.trim() === "true") {
-    await execa("git", ["fetch", "--unshallow", "origin"], { cwd: meta.appDir }).catch(async () => {
-      const { reinitGit } = await import("./boilerplate-manager-P6QYUU7Q.js");
-      await reinitGit(meta.appDir);
-    });
-  }
-  const authedUrl = gitea.authedCloneUrl(cloneUrl);
-  await execa("git", ["remote", "add", "brewnet", authedUrl], { cwd: meta.appDir }).catch(() => {
-    return execa("git", ["remote", "set-url", "brewnet", authedUrl], { cwd: meta.appDir });
-  });
-  await execa("git", ["push", "brewnet", "HEAD:main", "--force"], { cwd: meta.appDir });
-  setStep(job, 3, "done");
-  setStep(job, 4, "running", "docker compose up --build");
-  ensureComposeFile(meta.appDir, opts.appName, port, job);
-  await _injectQuickTunnelIfNeeded(meta.appDir, opts.appName, port);
-  await _dockerComposeUp(meta.appDir, job);
-  setStep(job, 4, "done", "containers started");
-  setStep(job, 5, "running");
-  const healthUrlA = _buildHealthUrl(meta.appDir, port);
-  setStep(job, 5, "running", `polling ${healthUrlA}`);
-  await _pollHealth(healthUrlA, 12e4, job);
-  setStep(job, 5, "done");
-  addApp(appsJson, {
-    name: opts.appName,
-    mode: "boilerplate",
-    stackId: opts.stackId,
-    appDir: meta.appDir,
-    lang: meta.lang,
-    framework: meta.frameworkId,
-    port,
-    giteaRepoUrl: `${ctx.giteaBaseUrl}/${ctx.giteaUser}/${opts.appName}`,
-    status: "running",
-    createdAt: (/* @__PURE__ */ new Date()).toISOString()
-  });
-  await setupWebhook(opts.appName, "http://localhost:8088/api/deploy/hook").catch((e) => {
-    console.warn("[webhook] registration failed (non-critical):", e instanceof Error ? e.message : String(e));
-  });
-}
-async function _createModeB(job, opts, ctx, gitea, appsJson) {
-  const port = opts.port ?? 8080;
-  const appDir = join(ctx.projectPath, "apps", opts.appName);
-  setStep(job, 2, "running", "Cloning external repository...");
-  const { reinitGit: reinitGitB } = await import("./boilerplate-manager-P6QYUU7Q.js");
-  const { rmSync } = await import("fs");
-  if (existsSync2(appDir)) {
-    rmSync(appDir, { recursive: true, force: true });
-  }
-  const cloneArgs = ["clone", "--depth", "1"];
-  if (opts.branch) cloneArgs.push("-b", opts.branch);
-  cloneArgs.push(opts.gitUrl, appDir);
-  await execa("git", cloneArgs);
-  const envExPath = join(appDir, ".env.example");
-  const envPath = join(appDir, ".env");
-  if (existsSync2(envExPath)) {
-    const { findFreePort: findFreePortB } = await import("./boilerplate-manager-P6QYUU7Q.js");
-    let envContent = readFileSync2(envExPath, "utf-8");
-    envContent = envContent.replace(/^BACKEND_PORT=.*/m, `BACKEND_PORT=${port}`);
-    const fePort = await findFreePortB(port + 1);
-    envContent = envContent.replace(/^FRONTEND_PORT=.*/m, `FRONTEND_PORT=${fePort}`);
-    writeFileSync2(envPath, envContent, "utf-8");
-  } else if (existsSync2(join(appDir, ".env"))) {
-    let envContent = readFileSync2(join(appDir, ".env"), "utf-8");
-    envContent = envContent.replace(/^BACKEND_PORT=.*/m, `BACKEND_PORT=${port}`);
-    writeFileSync2(join(appDir, ".env"), envContent, "utf-8");
-  }
-  await reinitGitB(appDir);
-  const alreadyExists = await gitea.repoExists(opts.appName);
-  const cloneUrl = alreadyExists ? `${ctx.giteaBaseUrl}/${ctx.giteaUser}/${opts.appName}.git` : await gitea.createRepo(opts.appName, `Brewnet app: ${opts.appName}`);
-  setStep(job, 2, "done");
-  setStep(job, 3, "running");
-  const authedUrl = gitea.authedCloneUrl(cloneUrl);
-  await execa("git", ["remote", "add", "brewnet", authedUrl], { cwd: appDir });
-  await execa("git", ["push", "brewnet", "HEAD:main", "--force"], { cwd: appDir });
-  setStep(job, 3, "done");
-  const hasCompose = existsSync2(join(appDir, "docker-compose.yml")) || existsSync2(join(appDir, "compose.yml"));
-  if (hasCompose) {
-    setStep(job, 4, "running", "docker compose up --build");
-    await _injectQuickTunnelIfNeeded(appDir, opts.appName, port);
-    await _dockerComposeUp(appDir, job);
-    setStep(job, 4, "done", "containers started");
-    setStep(job, 5, "running");
-    const healthUrlB = _buildHealthUrl(appDir, port);
-    setStep(job, 5, "running", `polling ${healthUrlB}`);
-    await _pollHealth(healthUrlB, 12e4, job);
-    setStep(job, 5, "done");
-  } else {
-    setStep(job, 4, "done", "skipped \u2014 no docker-compose.yml");
-    setStep(job, 5, "done", "skipped \u2014 deploy separately");
-    appendLog(job, "[clone] Gitea push completed \u2014 no docker-compose.yml, skipping Docker up");
-  }
-  addApp(appsJson, {
-    name: opts.appName,
-    mode: "git-clone",
-    sourceUrl: opts.gitUrl,
-    appDir,
-    port,
-    giteaRepoUrl: `${ctx.giteaBaseUrl}/${ctx.giteaUser}/${opts.appName}`,
-    status: hasCompose ? "running" : "stopped",
-    createdAt: (/* @__PURE__ */ new Date()).toISOString()
-  });
-}
-async function _createModeC(job, opts, ctx, gitea, appsJson) {
-  const { cloneStack, generateEnv, reinitGit, findFreePort } = await import("./boilerplate-manager-P6QYUU7Q.js");
-  const { getStackById: getStackById2 } = await import("./stacks-M4FBTVO5.js");
-  const stackId = opts._resolvedStackId;
-  const requestedPort = opts.port ?? 8080;
-  const appDir = join(ctx.projectPath, "apps", opts.appName);
-  await cloneStack(stackId, appDir);
-  const port = await findFreePort(requestedPort);
-  const stackInfo = getStackById2(stackId);
-  const frontendPort = stackInfo && !stackInfo.isUnified ? await findFreePort(port + 1) : void 0;
-  generateEnv(appDir, stackId, "sqlite3", { hostPort: port, frontendPort });
-  await reinitGit(appDir);
-  setStep(job, 2, "running");
-  const cloneUrl = await gitea.createRepo(opts.appName, `Brewnet app: ${opts.appName}`);
-  setStep(job, 2, "done");
-  setStep(job, 3, "running");
-  const authedUrl = gitea.authedCloneUrl(cloneUrl);
-  await execa("git", ["remote", "add", "brewnet", authedUrl], { cwd: appDir });
-  await execa("git", ["push", "brewnet", "HEAD:main", "--force"], { cwd: appDir });
-  setStep(job, 3, "done");
-  setStep(job, 4, "running", "docker compose up --build");
-  ensureComposeFile(appDir, opts.appName, port, job);
-  await _injectQuickTunnelIfNeeded(appDir, opts.appName, port);
-  await _dockerComposeUp(appDir, job);
-  setStep(job, 4, "done", "containers started");
-  setStep(job, 5, "running");
-  const healthUrlC = _buildHealthUrl(appDir, port);
-  setStep(job, 5, "running", `polling ${healthUrlC}`);
-  await _pollHealth(healthUrlC, 12e4, job);
-  setStep(job, 5, "done");
-  addApp(appsJson, {
-    name: opts.appName,
-    mode: opts.mode === "boilerplate" ? "boilerplate" : "new-project",
-    stackId,
-    appDir,
-    lang: opts.language ?? stackInfo?.language,
-    framework: opts.frameworkId ?? stackInfo?.framework,
-    port,
-    giteaRepoUrl: `${ctx.giteaBaseUrl}/${ctx.giteaUser}/${opts.appName}`,
-    status: "running",
-    createdAt: (/* @__PURE__ */ new Date()).toISOString()
-  });
-}
-async function startApp(appName) {
-  const appsJson = resolveAppsJsonPath();
-  const apps = readApps(appsJson);
-  const app = apps.find((a) => a.name === appName);
-  if (!app) throw new Error(`App "${appName}" not found`);
-  await execa("docker", ["compose", "up", "-d"], { cwd: app.appDir });
-  updateApp(appsJson, appName, { status: "running" });
-}
-async function stopApp(appName) {
-  const appsJson = resolveAppsJsonPath();
-  const apps = readApps(appsJson);
-  const app = apps.find((a) => a.name === appName);
-  if (!app) throw new Error(`App "${appName}" not found`);
-  await execa("docker", ["compose", "down"], { cwd: app.appDir });
-  updateApp(appsJson, appName, { status: "stopped" });
-}
-async function removeApp2(appName) {
-  const appsJson = resolveAppsJsonPath();
-  const apps = readApps(appsJson);
-  const app = apps.find((a) => a.name === appName);
-  if (!app) throw new Error(`App "${appName}" not found`);
-  await execa("docker", ["compose", "down", "--volumes"], { cwd: app.appDir }).catch((e) => {
-    console.warn("[removeApp] docker compose down failed:", e instanceof Error ? e.message : String(e));
-  });
-  removeApp(appsJson, appName);
-}
-
-// src/services/admin-server.ts
-var PKG_ROOT = join2(fileURLToPath(import.meta.url), "../../../..");
-var ADMIN_UI_DIST = join2(PKG_ROOT, "packages/admin-ui/dist");
+import Dockerode from "dockerode";
+var PKG_ROOT = join(fileURLToPath(import.meta.url), "../../../..");
+var ADMIN_UI_DIST = join(PKG_ROOT, "packages/admin-ui/dist");
 var MIME_TYPES = {
   ".html": "text/html; charset=utf-8",
   ".js": "application/javascript; charset=utf-8",
@@ -1156,21 +82,21 @@ function serveStaticFile(filePath, res, statusCode = 200) {
 }
 var ICON_SVG = (() => {
   const candidates = [
-    join2(PKG_ROOT, "public/images/icon.svg"),
-    join2(PKG_ROOT, "../public/images/icon.svg")
+    join(PKG_ROOT, "public/images/icon.svg"),
+    join(PKG_ROOT, "../public/images/icon.svg")
   ];
   for (const p of candidates) {
-    if (existsSync3(p)) return readFileSync3(p, "utf-8");
+    if (existsSync(p)) return readFileSync(p, "utf-8");
   }
   return `<svg xmlns="http://www.w3.org/2000/svg" width="48" height="48" viewBox="4 6 38 38" fill="none" stroke="#f5a623" stroke-linecap="round" stroke-linejoin="round"><path d="M8 26H32V34C32 36.8 29.8 39 27 39H13C10.2 39 8 36.8 8 34V26Z" stroke-width="3.5" fill="none"/><path d="M32 28.5C35.5 28.5 37 30.5 37 32.5C37 34.5 35.5 36.5 32 36.5" stroke-width="3.5" fill="none"/><circle cx="20" cy="30" r="2.2" fill="#f5a623" stroke="none"/><path d="M16.5 20a5 5 0 0 1 7 0" stroke-width="3.5" fill="none"/><path d="M13.5 15.5a10 10 0 0 1 13 0" stroke-width="3.5" fill="none"/><path d="M10.5 11a15 15 0 0 1 19 0" stroke-width="3.5" fill="none"/></svg>`;
 })();
 var FAVICON_ICO = (() => {
   const candidates = [
-    join2(PKG_ROOT, "public/images/favicon.ico"),
-    join2(PKG_ROOT, "../public/images/favicon.ico")
+    join(PKG_ROOT, "public/images/favicon.ico"),
+    join(PKG_ROOT, "../public/images/favicon.ico")
   ];
   for (const p of candidates) {
-    if (existsSync3(p)) return readFileSync3(p);
+    if (existsSync(p)) return readFileSync(p);
   }
   return null;
 })();
@@ -1195,7 +121,8 @@ var SERVICE_DETAIL_MAP = {
       "Remove --api.insecure=true in production and add BasicAuth or Authelia",
       "Set exposedbydefault=false and explicitly enable each service with traefik.enable=true",
       "Add --certificatesresolvers.le.acme.email=YOUR_EMAIL for Let's Encrypt"
-    ]
+    ],
+    securityNote: "\uBCF4\uC548\uC0C1 \uC678\uBD80 \uB3C4\uBA54\uC778\uC73C\uB85C \uB178\uCD9C\uD558\uC9C0 \uC54A\uC2B5\uB2C8\uB2E4. \uC11C\uBC84 \uB0B4\uBD80(localhost)\uC5D0\uC11C\uB9CC \uC811\uADFC \uAC00\uB2A5\uD569\uB2C8\uB2E4."
   },
   "Traefik Dashboard": {
     description: "Built-in Traefik web UI for monitoring routes, services, and middleware",
@@ -1273,6 +200,12 @@ var SERVICE_DETAIL_MAP = {
       summary: "Configured via POSTGRES_USER, POSTGRES_PASSWORD, POSTGRES_DB environment variables.",
       command: "docker exec -it brewnet-postgresql psql -U brewnet -d brewnet_db"
     },
+    connectionParams: [
+      { label: "host", value: "localhost" },
+      { label: "port", value: "5432" },
+      { label: "user", value: "brewnet" },
+      { label: "db", value: "brewnet_db" }
+    ],
     tips: [
       "Internal network only (brewnet-internal) \u2014 no host port exposed",
       "Data persisted in named volume \u2014 safe across container restarts",
@@ -1294,6 +227,12 @@ var SERVICE_DETAIL_MAP = {
       summary: "Configured via MYSQL_ROOT_PASSWORD, MYSQL_DATABASE, MYSQL_USER, MYSQL_PASSWORD environment variables.",
       command: "docker exec -it brewnet-mysql mysql -u brewnet -p brewnet_db"
     },
+    connectionParams: [
+      { label: "host", value: "localhost" },
+      { label: "port", value: "3306" },
+      { label: "user", value: "brewnet" },
+      { label: "db", value: "brewnet_db" }
+    ],
     tips: [
       "Internal network only (brewnet-internal) \u2014 no host port exposed",
       "Root password required at first startup",
@@ -1376,6 +315,12 @@ var SERVICE_DETAIL_MAP = {
       summary: "Uses admin username set in Pre-Step. Password auth enabled (PASSWORD_ACCESS=true); switch to key-only after setup.",
       command: "ssh -p 2222 USER@localhost"
     },
+    connectionParams: [
+      { label: "host", value: "localhost" },
+      { label: "port", value: "2222" },
+      { label: "user", value: "<admin-username>" },
+      { label: "protocol", value: "SSH / SFTP" }
+    ],
     tips: [
       "Switch to key-only auth after initial setup: set PASSWORD_ACCESS=false",
       "Port 2222 avoids conflict with host SSH (port 22)",
@@ -1563,7 +508,15 @@ async function readBody(req) {
     req.on("end", () => resolve2(body));
   });
 }
-async function handleGetServices(_req, res, _parts, _body, _projectPath, urlMap = TRAEFIK_PATH_SERVICES, quickTunnelUrl = "", allowedDirs) {
+async function handleGetServices(_req, res, _parts, _body, _projectPath, urlMap = TRAEFIK_PATH_SERVICES, quickTunnelUrl = "", allowedDirs, wizardState) {
+  const NAMED_SUBDOMAIN_MAP = {
+    gitea: "git",
+    nextcloud: "cloud",
+    jellyfin: "media",
+    filebrowser: "files",
+    pgadmin: "pgadmin",
+    minio: "minio"
+  };
   try {
     const allContainers = await docker.listContainers({ all: true });
     const services = [];
@@ -1597,7 +550,21 @@ async function handleGetServices(_req, res, _parts, _body, _projectPath, urlMap
       const localBasePath = traefikPath && !hasStripPrefix ? traefikPath : "";
       let externalUrl = null;
       const qtUrl = quickTunnelUrl;
-      if (qtUrl && traefikPath) {
+      const tunnelMode = wizardState?.domain?.cloudflare?.tunnelMode ?? "none";
+      const namedDomain = wizardState?.domain?.cloudflare?.zoneName || wizardState?.domain?.name || "";
+      if (tunnelMode === "named" && namedDomain) {
+        const sub = NAMED_SUBDOMAIN_MAP[composeService];
+        if (sub) {
+          externalUrl = `https://${sub}.${namedDomain}`;
+        }
+        if (!externalUrl) {
+          const appNameVariants = [composeService, composeService.replace(/^brewnet-/, "")];
+          const conn = (wizardState?.domainConnections ?? []).find(
+            (c2) => appNameVariants.includes(c2.appName)
+          );
+          if (conn) externalUrl = `https://${conn.hostname}`;
+        }
+      } else if (qtUrl && traefikPath) {
         let extPath = traefikPath;
         const stackLabel = labels["com.brewnet.stack"] ?? "";
         if (stackLabel === "nodejs-nextjs" || composeService === "backend" && extPath.includes("nextjs-app")) {
@@ -1605,7 +572,7 @@ async function handleGetServices(_req, res, _parts, _body, _projectPath, urlMap
         }
         externalUrl = qtUrl.replace(/\/$/, "") + extPath;
       }
-      if (!externalUrl && qtUrl) {
+      if (!externalUrl && qtUrl && tunnelMode !== "named") {
         const EXT_PATH_MAP = {
           traefik: "",
           gitea: "/git",
@@ -1762,7 +729,7 @@ async function handleGetCatalog(_req, res, _parts, _body, _projectPath) {
   }
 }
 async function handleBackup(req, res, _parts, _body, projectPath) {
-  const backupsDir = join2(homedir2(), ".brewnet", "backups");
+  const backupsDir = join(homedir(), ".brewnet", "backups");
   if (req.method === "GET") {
     try {
       const backups = listBackups(backupsDir);
@@ -1803,7 +770,7 @@ function createAdminServer(options = {}) {
     }
   }
   if (projectPath.startsWith("~/") || projectPath === "~") {
-    projectPath = join2(homedir2(), projectPath.slice(1));
+    projectPath = join(homedir(), projectPath.slice(1));
   }
   const username = wizardState?.admin?.username ?? "";
   const password = wizardState?.admin?.password ?? "";
@@ -1812,17 +779,17 @@ function createAdminServer(options = {}) {
   const allowedWorkingDirs = /* @__PURE__ */ new Set();
   allowedWorkingDirs.add(projectPath);
   try {
-    const bpMetaPath2 = join2(projectPath, ".brewnet-boilerplate.json");
-    if (existsSync3(bpMetaPath2)) {
-      const raw2 = JSON.parse(readFileSync3(bpMetaPath2, "utf-8"));
+    const bpMetaPath2 = join(projectPath, ".brewnet-boilerplate.json");
+    if (existsSync(bpMetaPath2)) {
+      const raw2 = JSON.parse(readFileSync(bpMetaPath2, "utf-8"));
       const stacks2 = Array.isArray(raw2) ? raw2 : raw2.stackId ? [raw2] : [];
       for (const s of stacks2) {
         if (s.appDir) allowedWorkingDirs.add(s.appDir);
       }
     }
-    const appsJsonPath = join2(homedir2(), ".brewnet", "apps.json");
-    if (existsSync3(appsJsonPath)) {
-      const apps = JSON.parse(readFileSync3(appsJsonPath, "utf-8"));
+    const appsJsonPath = join(homedir(), ".brewnet", "apps.json");
+    if (existsSync(appsJsonPath)) {
+      const apps = JSON.parse(readFileSync(appsJsonPath, "utf-8"));
       for (const app of apps) {
         if (app.appDir) allowedWorkingDirs.add(app.appDir);
       }
@@ -1926,7 +893,7 @@ function createAdminServer(options = {}) {
         res.end("Forbidden");
         return;
       }
-      if (existsSync3(safePath) && statSync(safePath).isFile()) {
+      if (existsSync(safePath) && statSync(safePath).isFile()) {
         serveStaticFile(safePath, res);
         return;
       }
@@ -1937,12 +904,12 @@ function createAdminServer(options = {}) {
     if (req.method === "GET" && !url.startsWith("/api/")) {
       const pathname = url.split("?")[0];
       const exactPath = resolve(ADMIN_UI_DIST, "." + (pathname === "/" ? "/index.html" : pathname));
-      if (exactPath.startsWith(ADMIN_UI_DIST) && existsSync3(exactPath) && statSync(exactPath).isFile()) {
+      if (exactPath.startsWith(ADMIN_UI_DIST) && existsSync(exactPath) && statSync(exactPath).isFile()) {
         serveStaticFile(exactPath, res);
         return;
       }
-      const indexPath = join2(ADMIN_UI_DIST, "index.html");
-      if (existsSync3(indexPath)) {
+      const indexPath = join(ADMIN_UI_DIST, "index.html");
+      if (existsSync(indexPath)) {
         serveStaticFile(indexPath, res);
         return;
       }
@@ -1964,7 +931,21 @@ function createAdminServer(options = {}) {
           return;
         }
         if (parts[1] === "services" && parts[2] === "catalog" && req.method === "GET") {
-          json(res, 200, { catalog: SERVICE_DETAIL_MAP, aliases: NAME_ALIASES });
+          const adminUser = wizardState?.admin?.username ?? "USER";
+          const catalog = { ...SERVICE_DETAIL_MAP };
+          if (catalog["SSH Server"]) {
+            catalog["SSH Server"] = {
+              ...catalog["SSH Server"],
+              credentials: {
+                ...catalog["SSH Server"].credentials,
+                command: `ssh -p 2222 ${adminUser}@localhost`
+              },
+              connectionParams: catalog["SSH Server"].connectionParams?.map(
+                (p) => p.label === "user" ? { ...p, value: adminUser } : p
+              )
+            };
+          }
+          json(res, 200, { catalog, aliases: NAME_ALIASES });
           return;
         }
         if (parts[1] === "config" && req.method === "GET") {
@@ -1982,7 +963,7 @@ function createAdminServer(options = {}) {
         }
         if (parts[1] === "services") {
           if (req.method === "GET" && parts.length === 2) {
-            await handleGetServices(req, res, parts, body, projectPath, runtimeUrlMap, dashConfig.quickTunnelUrl, allowedWorkingDirs);
+            await handleGetServices(req, res, parts, body, projectPath, runtimeUrlMap, dashConfig.quickTunnelUrl, allowedWorkingDirs, wizardState);
             return;
           }
           if (req.method === "POST" && parts[2] === "install") {
@@ -2047,11 +1028,11 @@ function createAdminServer(options = {}) {
             for (const h of history) {
               if (h.status === "success") historyByApp.set(h.appName, h);
             }
-            const bpMetaPath = join2(projectPath, ".brewnet-boilerplate.json");
-            let bpMetaMap = /* @__PURE__ */ new Map();
-            if (existsSync3(bpMetaPath)) {
+            const bpMetaPath = join(projectPath, ".brewnet-boilerplate.json");
+            const bpMetaMap = /* @__PURE__ */ new Map();
+            if (existsSync(bpMetaPath)) {
               try {
-                const raw = JSON.parse(readFileSync3(bpMetaPath, "utf-8"));
+                const raw = JSON.parse(readFileSync(bpMetaPath, "utf-8"));
                 const metas = Array.isArray(raw) ? raw : [raw];
                 for (const m of metas) bpMetaMap.set(m.stackId, m);
               } catch {
@@ -2066,25 +1047,26 @@ function createAdminServer(options = {}) {
               let externalUrl;
               let backendLocalUrl = null;
               let backendExternalUrl = null;
+              const domainConn = (wizardState?.domainConnections ?? []).find((c) => c.appName === a.name);
               if (isNonUnified) {
                 let frontendPort = 3e3;
-                const feEnvPath = join2(a.appDir, ".env");
-                if (existsSync3(feEnvPath)) {
-                  const feEnvContent = readFileSync3(feEnvPath, "utf-8");
+                const feEnvPath = join(a.appDir, ".env");
+                if (existsSync(feEnvPath)) {
+                  const feEnvContent = readFileSync(feEnvPath, "utf-8");
                   const fePortMatch = feEnvContent.match(/^FRONTEND_PORT=(\d+)/m);
                   if (fePortMatch) frontendPort = parseInt(fePortMatch[1], 10);
                 }
                 localUrl = `http://127.0.0.1:${frontendPort}`;
-                externalUrl = qt ? `${qt.replace(/\/$/, "")}/apps/${a.name}-ui` : null;
+                externalUrl = domainConn ? `https://${domainConn.hostname}` : qt ? `${qt.replace(/\/$/, "")}/apps/${a.name}-ui` : null;
                 backendLocalUrl = a.port ? `http://127.0.0.1:${a.port}` : null;
-                backendExternalUrl = qt ? `${qt.replace(/\/$/, "")}/apps/${a.name}` : null;
+                backendExternalUrl = domainConn ? `https://${domainConn.hostname}` : qt ? `${qt.replace(/\/$/, "")}/apps/${a.name}` : null;
               } else {
                 localUrl = a.port ? `http://localhost:${a.port}` : null;
                 if (a.appDir) {
                   const bp = detectBasePath(a.appDir);
                   if (bp && localUrl) localUrl += bp;
                 }
-                externalUrl = qt ? `${qt.replace(/\/$/, "")}/apps/${a.name}` : null;
+                externalUrl = domainConn ? `https://${domainConn.hostname}` : qt ? `${qt.replace(/\/$/, "")}/apps/${a.name}` : null;
               }
               return { ...a, lastDeployedAt: lastDeploy?.deployedAt ?? null, localUrl, externalUrl, backendLocalUrl, backendExternalUrl };
             });
@@ -2093,10 +1075,10 @@ function createAdminServer(options = {}) {
             return;
           }
           if (req.method === "GET" && parts[2] === "boilerplates") {
-            const bpPath = join2(projectPath, ".brewnet-boilerplate.json");
+            const bpPath = join(projectPath, ".brewnet-boilerplate.json");
             const metas = [];
-            if (existsSync3(bpPath)) {
-              const raw = JSON.parse(readFileSync3(bpPath, "utf-8"));
+            if (existsSync(bpPath)) {
+              const raw = JSON.parse(readFileSync(bpPath, "utf-8"));
               const wizardMetas = Array.isArray(raw) ? raw : [raw];
               metas.push(...wizardMetas);
             }
@@ -2104,13 +1086,13 @@ function createAdminServer(options = {}) {
             for (const app of allApps) {
               if (app.mode !== "boilerplate" || !app.stackId) continue;
               if (metas.some((m) => m.appDir && app.appDir && m.appDir === app.appDir)) continue;
-              const envPath = join2(app.appDir, ".env");
+              const envPath = join(app.appDir, ".env");
               let frontendPort;
               let dbDriver;
               let dbUser;
               let dbName;
-              if (existsSync3(envPath)) {
-                const envContent = readFileSync3(envPath, "utf-8");
+              if (existsSync(envPath)) {
+                const envContent = readFileSync(envPath, "utf-8");
                 const fpMatch = envContent.match(/^FRONTEND_PORT=(\d+)/m);
                 if (fpMatch) frontendPort = parseInt(fpMatch[1], 10);
                 const ddMatch = envContent.match(/^DB_DRIVER=(.+)/m);
@@ -2141,12 +1123,12 @@ function createAdminServer(options = {}) {
           if (req.method === "POST" && parts[2] === "boilerplates" && parts[3] && (parts[4] === "stop" || parts[4] === "start")) {
             const stackId = decodeURIComponent(parts[3]);
             const action = parts[4];
-            const bpPath = join2(projectPath, ".brewnet-boilerplate.json");
-            if (!existsSync3(bpPath)) {
+            const bpPath = join(projectPath, ".brewnet-boilerplate.json");
+            if (!existsSync(bpPath)) {
               json(res, 404, { error: "No boilerplates found" });
               return;
             }
-            const bpRaw = JSON.parse(readFileSync3(bpPath, "utf-8"));
+            const bpRaw = JSON.parse(readFileSync(bpPath, "utf-8"));
             const bpMetas = Array.isArray(bpRaw) ? bpRaw : [bpRaw];
             const meta = bpMetas.find((m) => m.stackId === stackId);
             if (!meta) {
@@ -2161,8 +1143,8 @@ function createAdminServer(options = {}) {
               await execaBp("docker", ["compose", "up", "-d"], { cwd: meta.appDir });
               meta.status = "running";
             }
-            const { writeFileSync: writeFileSync4 } = await import("fs");
-            writeFileSync4(bpPath, JSON.stringify(bpMetas, null, 2), "utf-8");
+            const { writeFileSync: writeFileSync2 } = await import("fs");
+            writeFileSync2(bpPath, JSON.stringify(bpMetas, null, 2), "utf-8");
             json(res, 200, { success: true });
             return;
           }
@@ -2192,7 +1174,7 @@ function createAdminServer(options = {}) {
             return;
           }
           if (req.method === "DELETE" && parts[2]) {
-            await removeApp2(parts[2]);
+            await removeApp(parts[2]);
             json(res, 200, { success: true });
             return;
           }
@@ -2207,10 +1189,10 @@ function createAdminServer(options = {}) {
             const lastDeploy = history.filter((h) => h.appName === found.name && h.status === "success").pop() ?? null;
             const qt = dashConfig.quickTunnelUrl;
             const bpMetaSingle = found.mode === "boilerplate" && found.stackId ? (() => {
-              const p = join2(projectPath, ".brewnet-boilerplate.json");
-              if (!existsSync3(p)) return void 0;
+              const p = join(projectPath, ".brewnet-boilerplate.json");
+              if (!existsSync(p)) return void 0;
               try {
-                const raw = JSON.parse(readFileSync3(p, "utf-8"));
+                const raw = JSON.parse(readFileSync(p, "utf-8"));
                 const list = Array.isArray(raw) ? raw : [raw];
                 return list.find((m) => m.stackId === found.stackId);
               } catch {
@@ -2222,24 +1204,25 @@ function createAdminServer(options = {}) {
             let externalUrlSingle;
             let backendLocalUrlSingle = null;
             let backendExternalUrlSingle = null;
+            const domainConnSingle = (wizardState?.domainConnections ?? []).find((c) => c.appName === found.name);
             if (isNonUnified) {
               let frontendPort = 3e3;
-              const feEnvPath = join2(found.appDir, ".env");
-              if (existsSync3(feEnvPath)) {
-                const m = readFileSync3(feEnvPath, "utf-8").match(/^FRONTEND_PORT=(\d+)/m);
+              const feEnvPath = join(found.appDir, ".env");
+              if (existsSync(feEnvPath)) {
+                const m = readFileSync(feEnvPath, "utf-8").match(/^FRONTEND_PORT=(\d+)/m);
                 if (m) frontendPort = parseInt(m[1], 10);
               }
               localUrlSingle = `http://127.0.0.1:${frontendPort}`;
-              externalUrlSingle = qt ? `${qt.replace(/\/$/, "")}/apps/${found.name}-ui` : null;
+              externalUrlSingle = domainConnSingle ? `https://${domainConnSingle.hostname}` : qt ? `${qt.replace(/\/$/, "")}/apps/${found.name}-ui` : null;
               backendLocalUrlSingle = found.port ? `http://127.0.0.1:${found.port}` : null;
-              backendExternalUrlSingle = qt ? `${qt.replace(/\/$/, "")}/apps/${found.name}` : null;
+              backendExternalUrlSingle = domainConnSingle ? `https://${domainConnSingle.hostname}` : qt ? `${qt.replace(/\/$/, "")}/apps/${found.name}` : null;
             } else {
               localUrlSingle = found.port ? `http://localhost:${found.port}` : null;
               if (found.appDir) {
                 const bp = detectBasePath(found.appDir);
                 if (bp && localUrlSingle) localUrlSingle += bp;
               }
-              externalUrlSingle = qt ? `${qt.replace(/\/$/, "")}/apps/${found.name}` : null;
+              externalUrlSingle = domainConnSingle ? `https://${domainConnSingle.hostname}` : qt ? `${qt.replace(/\/$/, "")}/apps/${found.name}` : null;
             }
             const app = { ...found, lastDeployedAt: lastDeploy?.deployedAt ?? null, localUrl: localUrlSingle, externalUrl: externalUrlSingle, backendLocalUrl: backendLocalUrlSingle, backendExternalUrl: backendExternalUrlSingle };
             json(res, 200, { app });
@@ -2258,7 +1241,7 @@ function createAdminServer(options = {}) {
             try {
               const branches = await getAppBranches(decodeURIComponent(parts[2] ?? ""));
               json(res, 200, { branches });
-            } catch (err) {
+            } catch (_err) {
               json(res, 200, { branches: [] });
             }
             return;
@@ -2446,8 +1429,8 @@ function createAdminServer(options = {}) {
             return;
           }
           try {
-            const appsPath = join2(homedir2(), ".brewnet", "apps.json");
-            let existing = existsSync3(appsPath) ? JSON.parse(readFileSync3(appsPath, "utf-8")) : [];
+            const appsPath = join(homedir(), ".brewnet", "apps.json");
+            let existing = existsSync(appsPath) ? JSON.parse(readFileSync(appsPath, "utf-8")) : [];
             const repos = await listGiteaRepos();
             const repo = repos.find((r) => r.name === repoName);
             if (!repo) {
@@ -2474,7 +1457,7 @@ function createAdminServer(options = {}) {
               app = {
                 name: appName,
                 mode: "boilerplate",
-                appDir: join2(projectPath, repoName),
+                appDir: join(projectPath, repoName),
                 lang,
                 port: port2,
                 giteaRepoUrl: repoUrl,
@@ -2489,7 +1472,7 @@ function createAdminServer(options = {}) {
             } else {
               app.giteaRepoUrl = repoUrl;
             }
-            writeFileSync3(appsPath, JSON.stringify(existing, null, 2));
+            writeFileSync(appsPath, JSON.stringify(existing, null, 2));
             json(res, 200, { ok: true });
           } catch (err) {
             json(res, 500, { error: String(err) });
@@ -2631,7 +1614,7 @@ async function handleDomainList(res, state) {
     const cf = state.domain.cloudflare;
     if (cf.tunnelId && cf.apiToken && cf.accountId) {
       try {
-        const { getTunnelHealth } = await import("./cloudflare-client-TFT6VCXF.js");
+        const { getTunnelHealth } = await import("./cloudflare-client-F2TGQXGS.js");
         const health = await getTunnelHealth(cf.apiToken, cf.accountId, cf.tunnelId);
         tunnel = { ...health, tunnelName: cf.tunnelName, tunnelId: cf.tunnelId };
       } catch {
@@ -2708,6 +1691,10 @@ async function handleDomainConnect(res, body, state) {
       json(res, statusCode, { success: false, error: result.error, message: result.error, steps: result.steps });
       return;
     }
+    const freshStateAfterConnect = loadState(state.projectName);
+    if (freshStateAfterConnect?.domainConnections) {
+      state.domainConnections = freshStateAfterConnect.domainConnections;
+    }
     json(res, 200, {
       success: true,
       hostname: result.hostname,
@@ -2731,6 +1718,10 @@ async function handleDomainDisconnect(res, appName, state) {
       json(res, statusCode, { success: false, error: result.error?.split(":")[0], message: result.error });
       return;
     }
+    const freshStateAfterDisconnect = loadState(state.projectName);
+    if (freshStateAfterDisconnect) {
+      state.domainConnections = freshStateAfterDisconnect.domainConnections ?? [];
+    }
     json(res, 200, {
       success: true,
       appName: result.appName,
@@ -2769,7 +1760,7 @@ async function handleCloudflareZones(res, state) {
     return;
   }
   try {
-    const { getZones } = await import("./cloudflare-client-TFT6VCXF.js");
+    const { getZones } = await import("./cloudflare-client-F2TGQXGS.js");
     const zones = await getZones(apiToken);
     if (!state.domain.cloudflare.accountId && zones.length > 0) {
       const firstAccountId = zones[0]?.accountId;
@@ -2788,7 +1779,7 @@ async function handleCloudflareZones(res, state) {
       return;
     }
     json(res, 200, { success: true, zones });
-  } catch (err) {
+  } catch (_err) {
     json(res, 400, {
       success: false,
       error: "TOKEN_INVALID",
@@ -2819,7 +1810,7 @@ async function handleCreateTunnel(res, body, state, projectPath) {
     return;
   }
   try {
-    const { createTunnel: cfCreateTunnel } = await import("./cloudflare-client-TFT6VCXF.js");
+    const { createTunnel: cfCreateTunnel } = await import("./cloudflare-client-F2TGQXGS.js");
     const result = await cfCreateTunnel(cf.apiToken, cf.accountId, tunnelName.trim());
     const { saveState: save } = await import("./state-2SI3P4JG.js");
     state.domain.cloudflare.tunnelId = result.tunnelId;
@@ -2828,13 +1819,27 @@ async function handleCreateTunnel(res, body, state, projectPath) {
     state.domain.cloudflare.tunnelMode = "named";
     state.domain.cloudflare.enabled = true;
     save(state);
+    if (cf.zoneName) {
+      state.domain.name = cf.zoneName;
+      save(state);
+    }
+    const zoneName = cf.zoneName;
+    try {
+      const { saveGiteaConfig } = await import("./app-manager-FIHPVUP7.js");
+      const adminUsername = state.admin?.username ?? "admin";
+      saveGiteaConfig("http://localhost/git", adminUsername);
+      logger.info("tunnel", `[${tunnelName}] gitea-config.json normalized \u2192 http://localhost/git`);
+    } catch (e) {
+      logger.warn("tunnel", `[${tunnelName}] gitea-config.json update failed: ${e instanceof Error ? e.message : e}`);
+    }
+    const steps = [];
     let composeUpdated = false;
     let containerRestarted = false;
-    const composePath = join2(projectPath, "docker-compose.yml");
+    const composePath = join(projectPath, "docker-compose.yml");
     const { existsSync: fsExists } = await import("fs");
     if (fsExists(composePath)) {
       try {
-        const { patchCloudflaredToNamedTunnel } = await import("./compose-generator-O7GSIJ2S.js");
+        const { patchCloudflaredToNamedTunnel } = await import("./compose-generator-OFJ2YWMB.js");
         composeUpdated = patchCloudflaredToNamedTunnel(composePath, result.tunnelToken);
         logger.info("tunnel", `[${tunnelName}] compose patch: composeUpdated=${composeUpdated}`);
       } catch (e) {
@@ -2858,6 +1863,67 @@ async function handleCreateTunnel(res, body, state, projectPath) {
           logger.warn("tunnel", `[${tunnelName}] cloudflared recreate exception: ${e instanceof Error ? e.message : e}`);
         }
       }
+      if (cf.apiToken && cf.accountId && cf.tunnelId && zoneName) {
+        try {
+          const { configureTunnelIngress, getActiveServiceRoutes } = await import("./cloudflare-client-F2TGQXGS.js");
+          const routes = getActiveServiceRoutes(state).map((r) => ({ ...r, domain: zoneName }));
+          await configureTunnelIngress(cf.apiToken, cf.accountId, cf.tunnelId, zoneName, routes);
+          steps.push({ step: "ingress_configured", success: true, services: routes.map((r) => r.subdomain) });
+          logger.info("tunnel", `[${tunnelName}] ingress configured for: ${routes.map((r) => r.subdomain).join(", ")}`);
+        } catch (e) {
+          const msg = e instanceof Error ? e.message : String(e);
+          steps.push({ step: "ingress_configured", success: false, detail: msg });
+          logger.warn("tunnel", `[${tunnelName}] ingress configure failed (non-fatal): ${msg}`);
+        }
+        const { createDnsRecord, getActiveServiceRoutes: getRoutes } = await import("./cloudflare-client-F2TGQXGS.js");
+        const dnsRoutes = getRoutes(state);
+        const dnsResults = [];
+        const dnsFailed = [];
+        for (const route of dnsRoutes) {
+          try {
+            await createDnsRecord(cf.apiToken, cf.zoneId, cf.tunnelId, route.subdomain, zoneName);
+            dnsResults.push(route.subdomain);
+          } catch (e) {
+            const msg = e instanceof Error ? e.message : String(e);
+            logger.warn("tunnel", `[${tunnelName}] DNS CNAME for ${route.subdomain} failed (non-fatal): ${msg}`);
+            dnsFailed.push(route.subdomain);
+          }
+        }
+        steps.push({ step: "dns_created", success: dnsFailed.length === 0, services: dnsResults, ...dnsFailed.length > 0 ? { detail: `skipped: ${dnsFailed.join(", ")}` } : {} });
+      }
+      if (zoneName) {
+        try {
+          const { patchBuiltinServicesForNamedTunnel } = await import("./compose-generator-OFJ2YWMB.js");
+          const patchedServices = patchBuiltinServicesForNamedTunnel(composePath, zoneName);
+          steps.push({ step: "services_env_patched", success: true, services: patchedServices });
+          logger.info("tunnel", `[${tunnelName}] env patched for: ${patchedServices.join(", ") || "none"}`);
+          if (patchedServices.length > 0) {
+            try {
+              const { execa: execaSvc } = await import("execa");
+              const restart = await execaSvc(
+                "docker",
+                ["compose", "-f", composePath, "up", "-d", "--force-recreate", ...patchedServices],
+                { cwd: projectPath, reject: false }
+              );
+              const restarted = restart.exitCode === 0;
+              steps.push({ step: "services_restarted", success: restarted, services: patchedServices });
+              if (!restarted) {
+                logger.warn("tunnel", `[${tunnelName}] service restart failed (exit ${restart.exitCode}): ${restart.stderr}`);
+              } else {
+                logger.info("tunnel", `[${tunnelName}] restarted: ${patchedServices.join(", ")}`);
+              }
+            } catch (e) {
+              const msg = e instanceof Error ? e.message : String(e);
+              steps.push({ step: "services_restarted", success: false, detail: msg });
+              logger.warn("tunnel", `[${tunnelName}] service restart exception: ${msg}`);
+            }
+          }
+        } catch (e) {
+          const msg = e instanceof Error ? e.message : String(e);
+          steps.push({ step: "services_env_patched", success: false, detail: msg });
+          logger.warn("tunnel", `[${tunnelName}] env patch failed (non-fatal): ${msg}`);
+        }
+      }
     } else {
       logger.warn("tunnel", `[${tunnelName}] compose file not found at ${composePath} \u2014 cloudflared must be updated manually`);
     }
@@ -2866,7 +1932,8 @@ async function handleCreateTunnel(res, body, state, projectPath) {
       tunnelId: result.tunnelId,
       tunnelName: tunnelName.trim(),
       composeUpdated,
-      containerRestarted
+      containerRestarted,
+      steps
     });
   } catch (err) {
     const msg = err instanceof Error ? err.message : String(err);
@@ -2935,13 +2002,13 @@ async function handleSettingsCloudflarePut(res, body, state) {
     }
     const { saveState: save } = await import("./state-2SI3P4JG.js");
     state.domain.cloudflare.apiToken = apiToken;
-    let resolvedAccountId = accountId || state.domain.cloudflare.accountId || await (await import("./cloudflare-client-TFT6VCXF.js")).getAccounts(apiToken).then((a) => a[0]?.id ?? "").catch(() => "");
+    let resolvedAccountId = accountId || state.domain.cloudflare.accountId || await (await import("./cloudflare-client-F2TGQXGS.js")).getAccounts(apiToken).then((a) => a[0]?.id ?? "").catch(() => "");
     if (zoneId) state.domain.cloudflare.zoneId = zoneId;
     if (tunnelId) state.domain.cloudflare.tunnelId = tunnelId;
     let zoneName = state.domain.cloudflare.zoneName;
     if (zoneId) {
       try {
-        const { getZones } = await import("./cloudflare-client-TFT6VCXF.js");
+        const { getZones } = await import("./cloudflare-client-F2TGQXGS.js");
         const zones = await getZones(apiToken);
         const found = zones.find((z) => z.id === zoneId);
         if (found) {
@@ -2970,4 +2037,4 @@ async function handleSettingsCloudflarePut(res, body, state) {
 export {
   createAdminServer
 };
-//# sourceMappingURL=chunk-SIXBB6JU.js.map
+//# sourceMappingURL=chunk-Q6UUZR2V.js.map