@document-run/cli 0.1.0

package/dist/index.js

@@ -0,0 +1,1928 @@
+#!/usr/bin/env node
+
+// src/settings.ts
+import { readFileSync, writeFileSync, mkdirSync, existsSync, unlinkSync } from "fs";
+import { join } from "path";
+import { homedir } from "os";
+var SETTINGS_DIR = join(homedir(), ".documentrun");
+var SETTINGS_PATH = join(SETTINGS_DIR, "settings.json");
+var DEFAULT_API_URL = "https://api.document.run";
+function loadSettings() {
+  if (!existsSync(SETTINGS_PATH))
+    return null;
+  try {
+    const raw = readFileSync(SETTINGS_PATH, "utf-8");
+    const parsed = JSON.parse(raw);
+    if (!parsed.token)
+      return null;
+    return parsed;
+  } catch {
+    return null;
+  }
+}
+function saveSettings(settings) {
+  mkdirSync(SETTINGS_DIR, { recursive: true });
+  writeFileSync(SETTINGS_PATH, JSON.stringify({ ...settings, apiUrl: settings.apiUrl || DEFAULT_API_URL }, null, 2));
+}
+function isLoggedIn() {
+  const settings = loadSettings();
+  return settings !== null && !!settings.token;
+}
+function clearSettings() {
+  if (existsSync(SETTINGS_PATH)) {
+    unlinkSync(SETTINGS_PATH);
+  }
+}
+
+// src/local/app.ts
+import { Command } from "commander";
+
+// src/local/deploy.ts
+import chalk2 from "chalk";
+
+// src/config.ts
+import { readFileSync as readFileSync2, existsSync as existsSync2 } from "fs";
+import { resolve, dirname } from "path";
+import { parse as parseYaml } from "yaml";
+
+// ../core/src/utils/slugify.ts
+function slugify(input) {
+  return input.toLowerCase().replace(/[^a-z0-9\s-]/g, "").replace(/[\s]+/g, "-").replace(/-+/g, "-").replace(/^-|-$/g, "");
+}
+// ../core/src/utils/tokens.ts
+function generateUuid() {
+  return crypto.randomUUID();
+}
+function generateAccessToken() {
+  const bytes = crypto.getRandomValues(new Uint8Array(32));
+  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
+}
+function generateDbPassword() {
+  const bytes = crypto.getRandomValues(new Uint8Array(24));
+  return btoa(String.fromCharCode(...bytes));
+}
+// ../core/src/utils/naming.ts
+var PREFIX = "documentrun";
+var APP_PATH = "/home/daytona/app";
+var SNAPSHOT_NAME = `${PREFIX}-dind`;
+function sandboxLabel(slug) {
+  return `${PREFIX}-${slug}`;
+}
+function composeProject(slug) {
+  return `${PREFIX}-${slug}`;
+}
+function tunnelName(slug) {
+  return `${PREFIX}-${slug}`;
+}
+function workerName(slug) {
+  return `${PREFIX}-${slug}`;
+}
+function sandboxHostname(slug, zone) {
+  return `${slug}.${zone}`;
+}
+function serviceHostname(serviceName, slug, zone) {
+  return `${serviceName}-${slug}.${zone}`;
+}
+function serviceFqdn(serviceName, index, slug, zone) {
+  return index === 0 ? sandboxHostname(slug, zone) : serviceHostname(serviceName, slug, zone);
+}
+function workerRoute(slug, zone) {
+  return `${slug}.${zone}/*`;
+}
+function workerServiceRoute(slug, zone) {
+  return `*-${slug}.${zone}/*`;
+}
+function isSandboxDnsRecord(name, slug, zone) {
+  return name === sandboxHostname(slug, zone) || name.endsWith(`-${slug}.${zone}`);
+}
+function sandboxUrl(slug, zone) {
+  return `https://${sandboxHostname(slug, zone)}`;
+}
+function wakeUrl(slug, apiUrl) {
+  return `${apiUrl}/v1/sandboxes/${slug}/wake`;
+}
+// src/config.ts
+function loadConfig(configPath = "documentrun.yaml", dir) {
+  const base = dir ? resolve(dir) : process.cwd();
+  const fullPath = resolve(base, configPath);
+  if (!existsSync2(fullPath)) {
+    throw new Error(`Config file not found: ${fullPath}`);
+  }
+  const raw = readFileSync2(fullPath, "utf-8");
+  const parsed = parseYaml(raw);
+  const envFileRelative = parsed.env_file || ".env";
+  const envFilePath = resolve(dirname(fullPath), envFileRelative);
+  const fileEnv = loadEnvFile(envFilePath);
+  const env = { ...fileEnv, ...process.env };
+  const resolved = resolveVars(raw, env);
+  const config2 = parseYaml(resolved);
+  validateRequired(config2);
+  const services = buildServices(config2.services);
+  const envVars = Object.entries(fileEnv).map(([key, value]) => ({
+    key,
+    value,
+    environment: "shared"
+  }));
+  const deploy = {
+    repo: {
+      name: config2.repo.name,
+      cloneUrl: config2.repo.clone_url,
+      branch: config2.repo.branch || "main",
+      private: config2.repo.private ?? false
+    },
+    sandbox: buildSandbox(config2),
+    services,
+    envVars,
+    githubToken: config2.github.token,
+    cloudflare: {
+      apiToken: config2.cloudflare.api_token,
+      accountId: config2.cloudflare.account_id,
+      zoneId: config2.cloudflare.zone_id,
+      zone: config2.cloudflare.zone
+    },
+    apiUrl: "https://api.document.run"
+  };
+  const daytona = {
+    apiUrl: config2.daytona.api_url,
+    apiKey: config2.daytona.api_key
+  };
+  if (config2.daytona.target != null)
+    daytona.target = config2.daytona.target;
+  return { deploy, daytona };
+}
+function buildSandbox(config2) {
+  const sandbox = {
+    id: generateUuid(),
+    slug: slugify(`${config2.repo.name}-${config2.repo.branch || "main"}`),
+    accessToken: generateAccessToken()
+  };
+  if (config2.sandbox?.cpu != null)
+    sandbox.cpu = config2.sandbox.cpu;
+  if (config2.sandbox?.memory != null)
+    sandbox.memory = config2.sandbox.memory;
+  if (config2.sandbox?.auto_stop_interval != null)
+    sandbox.autoStopInterval = config2.sandbox.auto_stop_interval;
+  return sandbox;
+}
+function buildServices(raw) {
+  return raw.map((s) => {
+    const name = slugify(s.label);
+    const isDb = !!s.image && /postgres|mysql|mariadb|mongo|redis/i.test(s.image);
+    const svc = {
+      name,
+      label: s.label,
+      port: s.port,
+      expose: s.expose ?? false,
+      setupCommands: s.setup_commands || [],
+      volumes: s.volumes || []
+    };
+    if (s.image != null)
+      svc.image = s.image;
+    if (s.command != null)
+      svc.command = s.command;
+    if (s.base_image != null)
+      svc.baseImage = s.base_image;
+    if (isDb && s.image?.includes("postgres")) {
+      svc.dbUser = "app";
+      svc.dbPassword = generateDbPassword();
+      svc.dbName = "app";
+    }
+    if (isDb && s.image?.includes("mysql")) {
+      svc.dbUser = "app";
+      svc.dbPassword = generateDbPassword();
+      svc.dbName = "app";
+    }
+    return svc;
+  });
+}
+function resolveVars(input, env) {
+  const pattern = /\$\{([^}]+)\}/g;
+  return input.replace(pattern, (match, varName) => {
+    const value = env[varName];
+    if (value === undefined) {
+      throw new Error(`Unresolved variable: \${${varName}}`);
+    }
+    return value;
+  });
+}
+function validateRequired(config2) {
+  const missing = [];
+  if (!config2.repo?.name)
+    missing.push("repo.name");
+  if (!config2.repo?.clone_url)
+    missing.push("repo.clone_url");
+  if (!config2.cloudflare?.api_token)
+    missing.push("cloudflare.api_token");
+  if (!config2.cloudflare?.account_id)
+    missing.push("cloudflare.account_id");
+  if (!config2.cloudflare?.zone_id)
+    missing.push("cloudflare.zone_id");
+  if (!config2.cloudflare?.zone)
+    missing.push("cloudflare.zone");
+  if (!config2.daytona?.api_url)
+    missing.push("daytona.api_url");
+  if (!config2.daytona?.api_key)
+    missing.push("daytona.api_key");
+  if (!config2.github?.token)
+    missing.push("github.token");
+  if (missing.length > 0) {
+    throw new Error(`Missing required config fields: ${missing.join(", ")}`);
+  }
+}
+function loadEnvFile(path) {
+  if (!existsSync2(path))
+    return {};
+  const content = readFileSync2(path, "utf-8");
+  const env = {};
+  for (const line of content.split(`
+`)) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#"))
+      continue;
+    const eqIndex = trimmed.indexOf("=");
+    if (eqIndex === -1)
+      continue;
+    const key = trimmed.slice(0, eqIndex).trim();
+    let value = trimmed.slice(eqIndex + 1).trim();
+    if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
+      value = value.slice(1, -1);
+    }
+    env[key] = value;
+  }
+  return env;
+}
+
+// src/reporter.ts
+import ora from "ora";
+import chalk from "chalk";
+function createTerminalReporter() {
+  let spinner = ora();
+  return {
+    stepStart: async (name) => {
+      spinner = ora(name).start();
+    },
+    stepComplete: async (name, output) => {
+      spinner.succeed(`${name}: ${output}`);
+    },
+    stepFail: async (name, error) => {
+      spinner.fail(chalk.red(`${name}: ${error}`));
+    },
+    stateChange: async (state) => {
+      console.log(chalk.blue(`→ ${state}`));
+    }
+  };
+}
+
+// ../core/src/services/daytona-types.ts
+var DEFAULT_SNAPSHOT = {
+  name: SNAPSHOT_NAME,
+  image: "docker:28.3.3-dind",
+  cpuCount: 2,
+  memoryMB: 4096,
+  diskGB: 8,
+  entrypoint: "dockerd-entrypoint.sh"
+};
+
+// ../core/src/services/daytona.ts
+class DaytonaClient {
+  baseUrl;
+  apiKey;
+  target;
+  constructor(baseUrl, apiKey, target) {
+    this.baseUrl = baseUrl;
+    this.apiKey = apiKey;
+    this.target = target;
+  }
+  async request(path, opts = {}) {
+    const maxRetries = 3;
+    const retryableStatuses = [429, 502, 503];
+    let lastErr;
+    for (let attempt = 0;attempt <= maxRetries; attempt++) {
+      try {
+        const res = await fetch(`${this.baseUrl}${path}`, {
+          ...opts,
+          headers: {
+            authorization: `Bearer ${this.apiKey}`,
+            "content-type": "application/json",
+            ...opts.headers
+          }
+        });
+        if (!res.ok) {
+          if (attempt < maxRetries && retryableStatuses.includes(res.status)) {
+            await new Promise((r) => setTimeout(r, 1000 * 2 ** attempt));
+            continue;
+          }
+          const body = await res.text().catch(() => "");
+          throw new Error(`Daytona ${opts.method || "GET"} ${path}: ${res.status} ${body}`);
+        }
+        const text = await res.text();
+        if (!text)
+          return null;
+        return JSON.parse(text);
+      } catch (err) {
+        if (attempt < maxRetries && err instanceof TypeError) {
+          lastErr = err;
+          await new Promise((r) => setTimeout(r, 1000 * 2 ** attempt));
+          continue;
+        }
+        throw err;
+      }
+    }
+    throw lastErr ?? new Error(`Daytona ${opts.method || "GET"} ${path}: max retries exceeded`);
+  }
+  async getSnapshot(name) {
+    return this.request(`/snapshots/${name}`);
+  }
+  async createSnapshot(config2) {
+    return this.request("/snapshots", {
+      method: "POST",
+      body: JSON.stringify({
+        name: config2.name,
+        image: config2.image,
+        cpu: config2.cpuCount,
+        memory: config2.memoryMB,
+        disk: config2.diskGB,
+        entrypoint: config2.entrypoint,
+        ...this.target ? { regionId: this.target } : {}
+      })
+    });
+  }
+  async ensureSnapshot() {
+    try {
+      const snap = await this.getSnapshot(DEFAULT_SNAPSHOT.name);
+      if (snap && snap.state === "active")
+        return;
+    } catch {}
+    await this.createSnapshot(DEFAULT_SNAPSHOT);
+  }
+  async createSandbox(opts) {
+    const body = {
+      snapshot: DEFAULT_SNAPSHOT.name,
+      labels: { app: opts.label },
+      autoStopInterval: opts.autoStopInterval ?? 5,
+      public: false
+    };
+    if (this.target)
+      body.target = this.target;
+    if (opts.cpu != null)
+      body.cpu = opts.cpu;
+    if (opts.memory != null)
+      body.memory = opts.memory;
+    if (opts.disk != null)
+      body.disk = opts.disk;
+    return this.request("/sandbox", {
+      method: "POST",
+      body: JSON.stringify(body)
+    });
+  }
+  async getSandbox(id) {
+    return this.request(`/sandbox/${id}`);
+  }
+  async startSandbox(id) {
+    return this.request(`/sandbox/${id}/start`, { method: "POST", body: "{}" });
+  }
+  async stopSandbox(id) {
+    return this.request(`/sandbox/${id}/stop`, { method: "POST", body: "{}" });
+  }
+  async deleteSandbox(id) {
+    return this.request(`/sandbox/${id}`, { method: "DELETE" });
+  }
+  async listSandboxes(labels) {
+    const params = new URLSearchParams({ labels: JSON.stringify(labels) });
+    return this.request(`/sandbox?${params}`);
+  }
+  async exec(sandboxId, command, timeout = 60000) {
+    return this.request(`/toolbox/${sandboxId}/toolbox/process/execute`, {
+      method: "POST",
+      body: JSON.stringify({ command, timeout })
+    });
+  }
+  async gitClone(sandboxId, url, path, branch, username, password) {
+    return this.request(`/toolbox/${sandboxId}/toolbox/git/clone`, {
+      method: "POST",
+      body: JSON.stringify({ url, path, branch, username, password })
+    });
+  }
+  async uploadFile(sandboxId, filePath, content) {
+    const formData = new FormData;
+    formData.append("file", new Blob([content]), "file");
+    const res = await fetch(`${this.baseUrl}/toolbox/${sandboxId}/toolbox/files/upload?path=${encodeURIComponent(filePath)}`, {
+      method: "POST",
+      headers: { authorization: `Bearer ${this.apiKey}` },
+      body: formData
+    });
+    if (!res.ok)
+      throw new Error(`Daytona upload ${filePath}: ${res.status}`);
+  }
+}
+
+// ../core/src/services/cloudflare.ts
+var API = "https://api.cloudflare.com/client/v4";
+
+class CloudflareClient {
+  config;
+  constructor(config2) {
+    this.config = config2;
+  }
+  async request(path, opts = {}) {
+    const res = await fetch(`${API}${path}`, {
+      ...opts,
+      headers: {
+        authorization: `Bearer ${this.config.apiToken}`,
+        "content-type": "application/json",
+        ...opts.headers
+      }
+    });
+    const body = await res.json();
+    if (!body.success) {
+      const err = new Error(`Cloudflare API ${opts.method || "GET"} ${path}: ${JSON.stringify(body.errors)}`);
+      err.status = res.status;
+      throw err;
+    }
+    return body.result;
+  }
+  async listTunnels(name) {
+    return this.request(`/accounts/${this.config.accountId}/cfd_tunnel?name=${encodeURIComponent(name)}&is_deleted=false`);
+  }
+  async getTunnelToken(tunnelId) {
+    return this.request(`/accounts/${this.config.accountId}/cfd_tunnel/${tunnelId}/token`);
+  }
+  async createTunnel(name) {
+    const existing = await this.listTunnels(name);
+    const first = existing[0];
+    if (first) {
+      const token = await this.getTunnelToken(first.id);
+      return { id: first.id, token };
+    }
+    const secret = btoa(String.fromCharCode(...crypto.getRandomValues(new Uint8Array(32))));
+    const result = await this.request(`/accounts/${this.config.accountId}/cfd_tunnel`, {
+      method: "POST",
+      body: JSON.stringify({ name, tunnel_secret: secret })
+    });
+    return { id: result.id, token: result.token };
+  }
+  async cleanTunnelConnections(tunnelId) {
+    await this.request(`/accounts/${this.config.accountId}/cfd_tunnel/${tunnelId}/connections`, {
+      method: "DELETE"
+    }).catch((e) => {
+      if (e.status !== 404)
+        throw e;
+    });
+  }
+  async deleteTunnel(tunnelId) {
+    await this.cleanTunnelConnections(tunnelId);
+    await this.request(`/accounts/${this.config.accountId}/cfd_tunnel/${tunnelId}`, {
+      method: "DELETE",
+      body: JSON.stringify({})
+    }).catch((e) => {
+      if (e.status !== 404)
+        throw e;
+    });
+  }
+  async updateTunnelConfig(tunnelId, ingress) {
+    await this.request(`/accounts/${this.config.accountId}/cfd_tunnel/${tunnelId}/configurations`, {
+      method: "PUT",
+      body: JSON.stringify({ config: { ingress } })
+    });
+  }
+  async createDnsCname(hostname, tunnelId) {
+    const existing = await this.listDnsRecords(hostname);
+    const cname = existing.find((r) => r.type === "CNAME");
+    if (cname)
+      return cname.id;
+    const result = await this.request(`/zones/${this.config.zoneId}/dns_records`, {
+      method: "POST",
+      body: JSON.stringify({
+        type: "CNAME",
+        name: hostname,
+        content: `${tunnelId}.cfargotunnel.com`,
+        proxied: true
+      })
+    });
+    return result.id;
+  }
+  async deleteDnsRecord(recordId) {
+    await this.request(`/zones/${this.config.zoneId}/dns_records/${recordId}`, {
+      method: "DELETE"
+    }).catch((e) => {
+      if (e.status !== 404)
+        throw e;
+    });
+  }
+  async listDnsRecords(name) {
+    const params = name ? `?name=${encodeURIComponent(name)}` : "";
+    return this.request(`/zones/${this.config.zoneId}/dns_records${params}`);
+  }
+  async deployWorker(name, script, bindings) {
+    const metadata = JSON.stringify({
+      main_module: "worker.js",
+      bindings: bindings.map((b) => ({ ...b })),
+      compatibility_date: "2025-04-04",
+      compatibility_flags: ["nodejs_compat"]
+    });
+    const form = new FormData;
+    form.append("worker.js", new Blob([script], { type: "application/javascript+module" }), "worker.js");
+    form.append("metadata", new Blob([metadata], { type: "application/json" }), "metadata.json");
+    const res = await fetch(`${API}/accounts/${this.config.accountId}/workers/scripts/${name}`, {
+      method: "PUT",
+      headers: { authorization: `Bearer ${this.config.apiToken}` },
+      body: form
+    });
+    if (!res.ok) {
+      const body = await res.text();
+      throw new Error(`Cloudflare deploy worker ${name}: ${res.status} ${body}`);
+    }
+  }
+  async getWorkerBindings(name) {
+    try {
+      const result = await this.request(`/accounts/${this.config.accountId}/workers/scripts/${name}/settings`);
+      return result.bindings || [];
+    } catch (e) {
+      if (e.status === 404)
+        return [];
+      throw e;
+    }
+  }
+  async deleteWorker(name) {
+    await this.request(`/accounts/${this.config.accountId}/workers/scripts/${name}`, {
+      method: "DELETE"
+    }).catch((e) => {
+      if (e.status !== 404)
+        throw e;
+    });
+  }
+  async listWorkerRoutes() {
+    return this.request(`/zones/${this.config.zoneId}/workers/routes`);
+  }
+  async setWorkerRoute(pattern, scriptName) {
+    const existing = await this.listWorkerRoutes();
+    const match = existing.find((r) => r.pattern === pattern);
+    if (match)
+      return match.id;
+    const result = await this.request(`/zones/${this.config.zoneId}/workers/routes`, {
+      method: "POST",
+      body: JSON.stringify({ pattern, script: scriptName })
+    });
+    return result.id;
+  }
+  async deleteWorkerRoute(routeId) {
+    await this.request(`/zones/${this.config.zoneId}/workers/routes/${routeId}`, {
+      method: "DELETE"
+    }).catch((e) => {
+      if (e.status !== 404)
+        throw e;
+    });
+  }
+}
+
+// ../core/src/provisioner/create-sandbox.ts
+async function createSandbox(ctx) {
+  const label = sandboxLabel(ctx.config.sandbox.slug);
+  await ctx.daytona.ensureSnapshot();
+  if (ctx.config.sandbox.daytonaSandboxId) {
+    try {
+      const existing = await ctx.daytona.getSandbox(ctx.config.sandbox.daytonaSandboxId);
+      if (existing) {
+        if (existing.state === "stopped") {
+          await ctx.daytona.startSandbox(existing.id);
+        }
+        return { success: true, output: `Reusing sandbox ${existing.id} (${existing.state})` };
+      }
+    } catch {}
+  }
+  const found = await ctx.daytona.listSandboxes({ app: label });
+  const first = found[0];
+  if (first) {
+    ctx.config.sandbox.daytonaSandboxId = first.id;
+    if (first.state === "stopped") {
+      await ctx.daytona.startSandbox(first.id);
+    }
+    return { success: true, output: `Recovered sandbox ${first.id} by label (${first.state})` };
+  }
+  const opts = { label };
+  if (ctx.config.sandbox.cpu != null)
+    opts.cpu = ctx.config.sandbox.cpu;
+  if (ctx.config.sandbox.memory != null)
+    opts.memory = ctx.config.sandbox.memory;
+  if (ctx.config.sandbox.autoStopInterval != null)
+    opts.autoStopInterval = ctx.config.sandbox.autoStopInterval;
+  const created = await ctx.daytona.createSandbox(opts);
+  ctx.config.sandbox.daytonaSandboxId = created.id;
+  return { success: true, output: `Created sandbox ${created.id}` };
+}
+
+// ../core/src/provisioner/wait-dockerd.ts
+var POLL_INTERVAL = 2000;
+var TIMEOUT = 120000;
+async function waitDockerd(ctx) {
+  const sandboxId = ctx.config.sandbox.daytonaSandboxId;
+  const start = Date.now();
+  while (Date.now() - start < TIMEOUT) {
+    try {
+      const result = await ctx.daytona.exec(sandboxId, "sh -c 'docker info > /dev/null 2>&1 && echo ready'", 1e4);
+      if (result.result?.includes("ready"))
+        return { success: true, output: "Docker daemon ready" };
+    } catch {}
+    await new Promise((r) => setTimeout(r, POLL_INTERVAL));
+  }
+  return { success: false, error: `Docker daemon not ready after ${TIMEOUT / 1000}s` };
+}
+
+// ../core/src/provisioner/clone-repo.ts
+function shellEscape(value) {
+  return "'" + value.replace(/'/g, "'\\''") + "'";
+}
+async function cloneRepo(ctx) {
+  const sandboxId = ctx.config.sandbox.daytonaSandboxId;
+  const { cloneUrl, branch } = ctx.config.repo;
+  const check = await ctx.daytona.exec(sandboxId, `sh -c ${shellEscape(`test -d ${APP_PATH}/.git && echo exists || echo missing`)}`);
+  if (check.result?.includes("exists")) {
+    const authedUrl = cloneUrl.replace("https://", `https://x-access-token:${ctx.config.githubToken}@`);
+    const result = await ctx.daytona.exec(sandboxId, `sh -c ${shellEscape(`cd ${APP_PATH} && git remote set-url origin ${authedUrl} && git fetch origin && git reset --hard origin/${branch}`)}`, 120000);
+    if (result.exitCode !== 0)
+      return { success: false, error: `Git fetch failed: ${result.result}` };
+    return { success: true, output: `Fetched + reset to origin/${branch}` };
+  }
+  await ctx.daytona.gitClone(sandboxId, cloneUrl, APP_PATH, branch, "x-access-token", ctx.config.githubToken);
+  return { success: true, output: `Cloned ${ctx.config.repo.name} at ${branch}` };
+}
+
+// ../core/src/provisioner/install-claude.ts
+var TIMEOUT2 = 300000;
+async function installClaude(ctx) {
+  const sandboxId = ctx.config.sandbox.daytonaSandboxId;
+  const result = await ctx.daytona.exec(sandboxId, "sh -c 'which claude >/dev/null 2>&1 || (apk add --no-cache nodejs npm && npm install -g @anthropic-ai/claude-code)'", TIMEOUT2);
+  if (result.exitCode !== 0)
+    return { success: false, error: `Install failed: ${result.result}` };
+  return { success: true, output: result.result?.includes("already") ? "Claude CLI already installed" : "Installed Node.js + Claude CLI" };
+}
+
+// ../core/src/provisioner/create-tunnel.ts
+async function createTunnel(ctx) {
+  const { config: config2, cloudflare: cf } = ctx;
+  const slug = config2.sandbox.slug;
+  const zone = config2.cloudflare.zone;
+  const tunnel = await cf.createTunnel(tunnelName(slug));
+  config2.sandbox.tunnelId = tunnel.id;
+  config2.sandbox.tunnelToken = tunnel.token;
+  const exposedServices = config2.services.filter((s) => s.expose && s.port);
+  const ingress = [];
+  for (let i = 0;i < exposedServices.length; i++) {
+    const svc = exposedServices[i];
+    ingress.push({ hostname: serviceFqdn(svc.name, i, slug, zone), service: `http://${svc.name}:${svc.port}` });
+  }
+  if (!exposedServices.length) {
+    ingress.push({ hostname: sandboxHostname(slug, zone), service: "http_status:502" });
+  }
+  ingress.push({ service: "http_status:404" });
+  await cf.updateTunnelConfig(tunnel.id, ingress);
+  const hostnames = ingress.filter((r) => ("hostname" in r)).map((r) => r.hostname);
+  for (const hostname of hostnames) {
+    await cf.createDnsCname(hostname, tunnel.id);
+  }
+  return {
+    success: true,
+    output: `Tunnel ${tunnel.id} with ${hostnames.length} hostname(s): ${hostnames.join(", ")}`
+  };
+}
+
+// ../core/src/services/compose-generator.ts
+function generateDockerfile(svc) {
+  const base = svc.baseImage || "ubuntu:24.04";
+  const setupCommands = Array.isArray(svc.setupCommands) ? svc.setupCommands : JSON.parse(svc.setupCommands || "[]");
+  const systemPattern = /^(apt-get|apt |apk |yum |dnf |pacman )/;
+  const systemCmds = [];
+  const appCmds = [];
+  for (const cmd of setupCommands) {
+    if (systemPattern.test(cmd.trim())) {
+      systemCmds.push(cmd);
+    } else {
+      appCmds.push(cmd);
+    }
+  }
+  const lines = [`FROM ${base}`, "WORKDIR /app"];
+  for (const cmd of systemCmds) {
+    lines.push(`RUN ${cmd}`);
+  }
+  return { dockerfile: lines.join(`
+`) + `
+`, appCommands: appCmds };
+}
+var DB_ENV = {
+  postgres: (svc) => ({
+    POSTGRES_USER: svc.dbUser || "postgres",
+    POSTGRES_PASSWORD: svc.dbPassword || "",
+    POSTGRES_DB: svc.dbName || "app"
+  }),
+  mysql: (svc) => ({
+    MYSQL_USER: svc.dbUser || "app",
+    MYSQL_PASSWORD: svc.dbPassword || "",
+    MYSQL_DATABASE: svc.dbName || "app",
+    MYSQL_ROOT_PASSWORD: svc.dbPassword || ""
+  }),
+  mariadb: (svc) => ({
+    MYSQL_USER: svc.dbUser || "app",
+    MYSQL_PASSWORD: svc.dbPassword || "",
+    MYSQL_DATABASE: svc.dbName || "app",
+    MYSQL_ROOT_PASSWORD: svc.dbPassword || ""
+  })
+};
+function isImageService(svc) {
+  return !!svc.image;
+}
+function dbEnvForImage(svc) {
+  if (!svc.image)
+    return {};
+  const match = Object.keys(DB_ENV).find((k) => svc.image.startsWith(k));
+  const factory = match ? DB_ENV[match] : undefined;
+  return factory ? factory(svc) : {};
+}
+function volumeName(path) {
+  return path.replace(/[^a-zA-Z0-9_]/g, "_").replace(/_+/g, "_").replace(/^_|_$/g, "");
+}
+function yamlQuote(val) {
+  if (!val || /[:{}\[\],&#*?|>!%@`'"]/.test(val) || /^(true|false|yes|no|null|~)$/i.test(val)) {
+    return `"${val.replace(/\\/g, "\\\\").replace(/"/g, "\\\"")}"`;
+  }
+  return val;
+}
+function generateComposeWithFiles(services, envVars, tunnelToken) {
+  const lines = [];
+  const imageServices = services.filter(isImageService);
+  const commandServices = services.filter((s) => !isImageService(s) && s.command);
+  const allVolumes = [];
+  const dockerfiles = [];
+  lines.push("services:");
+  for (const svc of imageServices) {
+    lines.push(`  ${svc.name}:`);
+    lines.push(`    image: ${svc.image}`);
+    const env = dbEnvForImage(svc);
+    for (const ev of envVars) {
+      if ((ev.environment === "shared" || ev.environment === "sandbox") && env[ev.key] !== undefined) {
+        env[ev.key] = ev.value;
+      }
+    }
+    if (Object.keys(env).length) {
+      lines.push("    environment:");
+      for (const [k, v] of Object.entries(env)) {
+        lines.push(`      ${k}: ${yamlQuote(v)}`);
+      }
+    }
+    if (svc.port) {
+      lines.push("    ports:");
+      lines.push(`      - "${svc.port}:${svc.port}"`);
+    }
+    lines.push("    restart: unless-stopped");
+    lines.push("");
+  }
+  for (const svc of commandServices) {
+    const setupCmds = Array.isArray(svc.setupCommands) ? svc.setupCommands : JSON.parse(svc.setupCommands || "[]");
+    const hasSetup = setupCmds.length > 0;
+    lines.push(`  ${svc.name}:`);
+    if (hasSetup) {
+      const { dockerfile, appCommands } = generateDockerfile(svc);
+      const dockerfileName = `Dockerfile.${svc.name}`;
+      dockerfiles.push({ path: dockerfileName, content: dockerfile, appCommands });
+      lines.push(`    build:`);
+      lines.push(`      context: .`);
+      lines.push(`      dockerfile: ${dockerfileName}`);
+    } else if (svc.baseImage) {
+      lines.push(`    image: ${svc.baseImage}`);
+    }
+    lines.push(`    command: ${yamlQuote(svc.command)}`);
+    lines.push("    working_dir: /app");
+    lines.push("    stdin_open: true");
+    lines.push("    tty: true");
+    const svcVolumes = Array.isArray(svc.volumes) ? svc.volumes : JSON.parse(svc.volumes || "[]");
+    lines.push("    volumes:");
+    lines.push("      - .:/app");
+    for (const v of svcVolumes) {
+      const vn = volumeName(v);
+      lines.push(`      - ${vn}:${v}`);
+      allVolumes.push(vn);
+    }
+    const env = {};
+    for (const imgSvc of imageServices) {
+      const dbEnv = dbEnvForImage(imgSvc);
+      for (const ev of envVars) {
+        if ((ev.environment === "shared" || ev.environment === "sandbox") && dbEnv[ev.key] !== undefined) {
+          dbEnv[ev.key] = ev.value;
+        }
+      }
+      if (dbEnv.POSTGRES_USER) {
+        env.DATABASE_URL = `postgres://${dbEnv.POSTGRES_USER}:${dbEnv.POSTGRES_PASSWORD}@${imgSvc.name}:5432/${dbEnv.POSTGRES_DB}`;
+        env.POSTGRES_HOST = imgSvc.name;
+        Object.assign(env, dbEnv);
+      }
+      if (dbEnv.MYSQL_USER) {
+        env.DATABASE_URL = `mysql://${dbEnv.MYSQL_USER}:${dbEnv.MYSQL_PASSWORD}@${imgSvc.name}:3306/${dbEnv.MYSQL_DATABASE}`;
+        env.MYSQL_HOST = imgSvc.name;
+        Object.assign(env, dbEnv);
+      }
+    }
+    for (const ev of envVars) {
+      if (ev.environment === "shared" || ev.environment === "sandbox") {
+        env[ev.key] = ev.value;
+      }
+    }
+    if (Object.keys(env).length) {
+      lines.push("    environment:");
+      for (const [k, v] of Object.entries(env)) {
+        lines.push(`      ${k}: ${yamlQuote(v)}`);
+      }
+    }
+    if (svc.port && svc.expose) {
+      lines.push("    ports:");
+      lines.push(`      - "${svc.port}:${svc.port}"`);
+    }
+    if (imageServices.length) {
+      lines.push("    depends_on:");
+      for (const dep of imageServices) {
+        lines.push(`      - ${dep.name}`);
+      }
+    }
+    lines.push("    restart: unless-stopped");
+    lines.push("");
+  }
+  if (tunnelToken) {
+    lines.push("  tunnel:");
+    lines.push("    image: cloudflare/cloudflared:latest");
+    lines.push(`    command: tunnel --protocol http2 run --token ${tunnelToken}`);
+    lines.push("    restart: unless-stopped");
+    lines.push("");
+  }
+  if (allVolumes.length) {
+    lines.push("volumes:");
+    for (const v of [...new Set(allVolumes)]) {
+      lines.push(`  ${v}:`);
+    }
+  }
+  return { compose: lines.join(`
+`) + `
+`, dockerfiles };
+}
+
+// ../core/src/provisioner/generate-compose.ts
+async function generateComposeStep(ctx) {
+  const sandboxId = ctx.config.sandbox.daytonaSandboxId;
+  const { compose, dockerfiles } = generateComposeWithFiles(ctx.config.services, ctx.config.envVars, ctx.config.sandbox.tunnelToken ?? undefined);
+  await ctx.daytona.uploadFile(sandboxId, `${APP_PATH}/docker-compose.yml`, compose);
+  for (const df of dockerfiles) {
+    await ctx.daytona.uploadFile(sandboxId, `${APP_PATH}/${df.path}`, df.content);
+  }
+  return { success: true, output: `Uploaded docker-compose.yml + ${dockerfiles.length} Dockerfile(s)` };
+}
+
+// ../core/src/provisioner/run-setup.ts
+function shellEscape2(value) {
+  return "'" + value.replace(/'/g, "'\\''") + "'";
+}
+async function runSetup(ctx) {
+  const sandboxId = ctx.config.sandbox.daytonaSandboxId;
+  const compose = `docker compose -f ${APP_PATH}/docker-compose.yml`;
+  const output = [];
+  await ctx.daytona.exec(sandboxId, `${compose} pull --quiet --ignore-buildable`, 120000);
+  const commandServices = ctx.config.services.filter((s) => !s.image && s.command);
+  const setupInfo = commandServices.filter((svc) => {
+    const cmds = Array.isArray(svc.setupCommands) ? svc.setupCommands : JSON.parse(svc.setupCommands || "[]");
+    return cmds.length > 0;
+  }).map((svc) => {
+    const { appCommands } = generateDockerfile(svc);
+    return { name: svc.name, appCommands };
+  });
+  if (setupInfo.length) {
+    const result = await ctx.daytona.exec(sandboxId, `${compose} build`, 600000);
+    if (result.exitCode !== 0)
+      return { success: false, error: `Build failed: ${result.result}` };
+    output.push("Built service images");
+  }
+  const imageServices = ctx.config.services.filter((s) => s.image);
+  if (imageServices.length) {
+    const names = imageServices.map((s) => s.name).join(" ");
+    const result = await ctx.daytona.exec(sandboxId, `${compose} up -d ${names}`, 120000);
+    if (result.exitCode !== 0)
+      return { success: false, error: `Failed to start image services: ${result.result}` };
+    output.push(`Started ${names}`);
+    await new Promise((r) => setTimeout(r, 5000));
+  }
+  for (const { name, appCommands } of setupInfo) {
+    for (const cmd of appCommands) {
+      const result = await ctx.daytona.exec(sandboxId, `${compose} run --rm ${name} sh -c ${shellEscape2(cmd)}`, 300000);
+      if (result.exitCode !== 0)
+        return { success: false, error: `Setup command failed for ${name}: ${cmd}
+${result.result}` };
+      output.push(`${name}: ${cmd}`);
+    }
+  }
+  return { success: true, output: output.join(`
+`) || "No setup needed" };
+}
+
+// ../core/src/provisioner/compose-up.ts
+async function composeUp(ctx) {
+  const sandboxId = ctx.config.sandbox.daytonaSandboxId;
+  const result = await ctx.daytona.exec(sandboxId, `docker compose -f ${APP_PATH}/docker-compose.yml up -d --remove-orphans`, 120000);
+  if (result.exitCode !== 0)
+    return { success: false, error: `compose up failed: ${result.result}` };
+  return { success: true, output: result.result };
+}
+
+// ../core/src/services/cloudflare-types.ts
+function buildWorkerScript() {
+  return `
+function parseCookies(h) {
+  const c = {};
+  if (!h) return c;
+  h.split(";").forEach(s => {
+    const [n, ...r] = s.trim().split("=");
+    if (n) c[n] = r.join("=");
+  });
+  return c;
+}
+
+function wakingPage() {
+  return new Response(\`<!DOCTYPE html>
+<html><head>
+  <meta charset="utf-8"><meta http-equiv="refresh" content="5">
+  <title>Waking up...</title>
+  <style>body{font-family:system-ui;display:flex;align-items:center;justify-content:center;height:100vh;margin:0;background:#fafafa;color:#333}</style>
+</head><body><p>Waking up sandbox&hellip;</p></body></html>\`,
+  { status: 503, headers: { "Content-Type": "text/html", "Retry-After": "5" } });
+}
+
+export default {
+  async fetch(request, env) {
+    const url = new URL(request.url);
+    const cookies = parseCookies(request.headers.get("Cookie") || "");
+    const token = url.searchParams.get("token") || cookies["documentrun_token"];
+
+    if (!token || token !== env.ACCESS_TOKEN) {
+      return new Response("Not Found", { status: 404 });
+    }
+
+    // Token via query param — set cookie and redirect (strips token from URL)
+    if (url.searchParams.get("token") && request.headers.get("Upgrade") !== "websocket") {
+      url.searchParams.delete("token");
+      return new Response(null, {
+        status: 302,
+        headers: {
+          "Location": url.toString(),
+          "Set-Cookie": "documentrun_token=" + token + "; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=86400",
+          "Cache-Control": "no-store",
+        },
+      });
+    }
+
+    let res;
+    try {
+      res = await fetch(request);
+    } catch (_e) {
+      if (env.WAKE_URL) {
+        try { await fetch(env.WAKE_URL, { method: "POST", headers: { "Authorization": "Bearer " + env.ACCESS_TOKEN } }); } catch (_e2) {}
+        return wakingPage();
+      }
+      return new Response("Service Unavailable", { status: 503 });
+    }
+
+    if (env.WAKE_URL && (res.status === 530 || res.status === 502 || res.status === 503)) {
+      try { await fetch(env.WAKE_URL, { method: "POST", headers: { "Authorization": "Bearer " + env.ACCESS_TOKEN } }); } catch (_e) {}
+      return wakingPage();
+    }
+
+    if (res.ok && res.headers.get("content-type")?.includes("text/html") && env.CONSOLE_SCRIPT_URL) {
+      const config = JSON.stringify({
+        sandboxId: env.SANDBOX_ID,
+        apiUrl: env.CONSOLE_API_URL,
+      });
+      return new HTMLRewriter()
+        .on("head", {
+          element(el) {
+            el.append(
+              \`<script>window.DOCUMENTRUN_CONSOLE_CONFIG = \${config};</script>\` +
+              \`<script type="module" src="\${env.CONSOLE_SCRIPT_URL}"></script>\`,
+              { html: true }
+            );
+          },
+        })
+        .transform(res);
+    }
+
+    return res;
+  }
+};`;
+}
+
+// ../core/src/provisioner/deploy-worker.ts
+async function deployWorker(ctx) {
+  const { config: config2, cloudflare: cf } = ctx;
+  const slug = config2.sandbox.slug;
+  const zone = config2.cloudflare.zone;
+  const name = workerName(slug);
+  const existingBindings = await cf.getWorkerBindings(name);
+  const existingToken = existingBindings.find((b) => b.name === "ACCESS_TOKEN")?.text;
+  const accessToken = existingToken || config2.sandbox.accessToken;
+  const script = buildWorkerScript();
+  const bindings = [
+    { type: "plain_text", name: "ACCESS_TOKEN", text: accessToken },
+    { type: "plain_text", name: "WAKE_URL", text: wakeUrl(slug, config2.apiUrl) },
+    { type: "plain_text", name: "SANDBOX_ID", text: config2.sandbox.id }
+  ];
+  if (config2.console) {
+    bindings.push({ type: "plain_text", name: "CONSOLE_SCRIPT_URL", text: config2.console.scriptUrl });
+    bindings.push({ type: "plain_text", name: "CONSOLE_API_URL", text: config2.console.apiUrl });
+  }
+  await cf.deployWorker(name, script, bindings);
+  await cf.setWorkerRoute(workerRoute(slug, zone), name);
+  const exposedServices = config2.services.filter((s) => s.expose && s.port);
+  if (exposedServices.length > 1) {
+    await cf.setWorkerRoute(workerServiceRoute(slug, zone), name);
+  }
+  return { success: true, output: `Worker ${name} deployed with ${bindings.length} bindings` };
+}
+
+// ../core/src/provisioner/index.ts
+var PROVISION_STEPS = [
+  { name: "create_sandbox", run: createSandbox },
+  { name: "wait_dockerd", run: waitDockerd },
+  { name: "clone_repo", run: cloneRepo },
+  { name: "install_claude", run: installClaude },
+  { name: "create_tunnel", run: createTunnel },
+  { name: "generate_compose", run: generateComposeStep },
+  { name: "run_setup", run: runSetup },
+  { name: "compose_up", run: composeUp },
+  { name: "deploy_worker", run: deployWorker }
+];
+async function runStep(ctx, step, reporter) {
+  await reporter.stepStart(step.name);
+  let result;
+  try {
+    result = await step.run(ctx);
+  } catch (err) {
+    result = { success: false, error: err instanceof Error ? err.message : String(err) };
+  }
+  if (result.success) {
+    await reporter.stepComplete(step.name, result.output || "ok");
+  } else {
+    await reporter.stepFail(step.name, result.error || `Step ${step.name} failed`);
+    throw new Error(result.error || `Step ${step.name} failed`);
+  }
+}
+async function provision(ctx, reporter) {
+  await reporter.stateChange("provisioning");
+  for (const step of PROVISION_STEPS) {
+    await runStep(ctx, step, reporter);
+  }
+  await reporter.stateChange("running");
+}
+async function wake(ctx, reporter) {
+  const sandboxId = ctx.config.sandbox.daytonaSandboxId;
+  if (!sandboxId)
+    throw new Error("No Daytona sandbox ID");
+  await reporter.stateChange("starting");
+  try {
+    const remote = await ctx.daytona.getSandbox(sandboxId);
+    const state = String(remote.state).toLowerCase();
+    if (state === "stopped") {
+      await ctx.daytona.startSandbox(sandboxId);
+    } else if (state === "stopping") {
+      await pollUntilState(ctx, "stopped");
+      await ctx.daytona.startSandbox(sandboxId);
+    } else if (state === "starting") {
+      await pollUntilState(ctx, "started");
+    } else if (state !== "started") {
+      throw new Error(`Cannot wake sandbox in state: ${remote.state}`);
+    }
+    await requireDockerd(ctx);
+    await reporter.stateChange("running");
+  } catch (err) {
+    await reporter.stateChange("failed");
+    throw err;
+  }
+}
+async function stop(ctx, reporter) {
+  const sandboxId = ctx.config.sandbox.daytonaSandboxId;
+  if (!sandboxId)
+    return;
+  await reporter.stateChange("stopping");
+  await ctx.daytona.stopSandbox(sandboxId);
+  const remote = await ctx.daytona.getSandbox(sandboxId);
+  await reporter.stateChange(remote.state === "stopped" ? "stopped" : "stopping");
+}
+async function deprovision(ctx, reporter) {
+  const { config: config2, cloudflare: cf } = ctx;
+  const slug = config2.sandbox.slug;
+  const zone = config2.cloudflare.zone;
+  const wName = workerName(slug);
+  const routes = await cf.listWorkerRoutes();
+  for (const r of routes) {
+    if (r.script === wName) {
+      await cf.deleteWorkerRoute(r.id);
+    }
+  }
+  await cf.deleteWorker(wName);
+  const allRecords = await cf.listDnsRecords();
+  for (const r of allRecords) {
+    if (isSandboxDnsRecord(r.name, slug, zone)) {
+      await cf.deleteDnsRecord(r.id);
+    }
+  }
+  const tunnels = await cf.listTunnels(tunnelName(slug));
+  for (const t of tunnels) {
+    await cf.deleteTunnel(t.id);
+  }
+  const label = sandboxLabel(slug);
+  const sandboxes = await ctx.daytona.listSandboxes({ app: label });
+  for (const sb of sandboxes) {
+    await ctx.daytona.deleteSandbox(sb.id);
+  }
+  await reporter.stateChange("destroyed");
+}
+async function requireDockerd(ctx) {
+  const result = await waitDockerd(ctx);
+  if (!result.success) {
+    throw new Error(result.error || "Docker daemon not ready");
+  }
+}
+async function pollUntilState(ctx, target, timeout = 120000) {
+  const start = Date.now();
+  while (Date.now() - start < timeout) {
+    const remote = await ctx.daytona.getSandbox(ctx.config.sandbox.daytonaSandboxId);
+    if (remote.state === target)
+      return;
+    await new Promise((r) => setTimeout(r, 2000));
+  }
+  throw new Error(`Sandbox did not reach ${target} within ${timeout / 1000}s`);
+}
+
+// src/local/deploy.ts
+function deployCommand(program) {
+  program.command("deploy").description("Provision a sandbox from local config").option("--config <path>", "Config file path", "documentrun.yaml").option("--dir <path>", "Base directory for config and env files").action(async (opts) => {
+    const { deploy, daytona: daytonaCfg } = loadConfig(opts.config, opts.dir);
+    const daytona = new DaytonaClient(daytonaCfg.apiUrl, daytonaCfg.apiKey, daytonaCfg.target);
+    const cloudflare = new CloudflareClient(deploy.cloudflare);
+    const reporter = createTerminalReporter();
+    await provision({ config: deploy, daytona, cloudflare }, reporter);
+    console.log(chalk2.green(`
+✓ Sandbox ready: ${sandboxUrl(deploy.sandbox.slug, deploy.cloudflare.zone)}`));
+  });
+}
+
+// src/local/destroy.ts
+import chalk3 from "chalk";
+function destroyCommand(program) {
+  program.command("destroy").description("Destroy a provisioned sandbox").option("--config <path>", "Config file path", "documentrun.yaml").option("--dir <path>", "Base directory for config and env files").action(async (opts) => {
+    const { deploy, daytona: daytonaCfg } = loadConfig(opts.config, opts.dir);
+    const daytona = new DaytonaClient(daytonaCfg.apiUrl, daytonaCfg.apiKey, daytonaCfg.target);
+    const cloudflare = new CloudflareClient(deploy.cloudflare);
+    const reporter = createTerminalReporter();
+    await deprovision({ config: deploy, daytona, cloudflare }, reporter);
+    console.log(chalk3.green(`
+✓ Sandbox destroyed`));
+  });
+}
+
+// src/local/status.ts
+import chalk4 from "chalk";
+function statusCommand(program) {
+  program.command("status").description("Check sandbox status").option("--config <path>", "Config file path", "documentrun.yaml").option("--dir <path>", "Base directory for config and env files").action(async (opts) => {
+    const { deploy, daytona: daytonaCfg } = loadConfig(opts.config, opts.dir);
+    const daytona = new DaytonaClient(daytonaCfg.apiUrl, daytonaCfg.apiKey, daytonaCfg.target);
+    const label = sandboxLabel(deploy.sandbox.slug);
+    const sandboxes = await daytona.listSandboxes({ label });
+    if (sandboxes.length === 0) {
+      console.log(chalk4.yellow("No sandbox deployed"));
+      return;
+    }
+    const sandbox = sandboxes[0];
+    if (!sandbox) {
+      console.log(chalk4.yellow("No sandbox deployed"));
+      return;
+    }
+    const stateColor = sandbox.state === "started" ? chalk4.green : sandbox.state === "stopped" ? chalk4.yellow : chalk4.red;
+    console.log(`Repo:    ${chalk4.bold(deploy.repo.name)}`);
+    console.log(`State:   ${stateColor(sandbox.state)}`);
+    console.log(`Sandbox: ${sandbox.id}`);
+    console.log(`URL:     ${sandboxUrl(deploy.sandbox.slug, deploy.cloudflare.zone)}`);
+  });
+}
+
+// src/local/logs.ts
+import chalk5 from "chalk";
+function logsCommand(program) {
+  program.command("logs").description("Stream sandbox logs").option("--config <path>", "Config file path", "documentrun.yaml").option("--dir <path>", "Base directory for config and env files").option("-f, --follow", "Follow log output").option("-n, --tail <lines>", "Number of lines to show", "100").action(async (opts) => {
+    const { deploy, daytona: daytonaCfg } = loadConfig(opts.config, opts.dir);
+    const daytona = new DaytonaClient(daytonaCfg.apiUrl, daytonaCfg.apiKey, daytonaCfg.target);
+    const label = sandboxLabel(deploy.sandbox.slug);
+    const sandboxes = await daytona.listSandboxes({ label });
+    if (sandboxes.length === 0) {
+      console.log(chalk5.yellow("No sandbox deployed"));
+      return;
+    }
+    const sandbox = sandboxes[0];
+    if (!sandbox) {
+      console.log(chalk5.yellow("No sandbox deployed"));
+      return;
+    }
+    const project = composeProject(deploy.sandbox.slug);
+    const followFlag = opts.follow ? "-f" : "";
+    const result = await daytona.exec(sandbox.id, `cd ${APP_PATH} && docker compose -p ${project} logs --tail ${opts.tail} ${followFlag}`, opts.follow ? 300000 : 30000);
+    if (result.result) {
+      process.stdout.write(result.result);
+    }
+    if (result.exitCode !== 0) {
+      process.exit(result.exitCode);
+    }
+  });
+}
+
+// src/local/exec.ts
+import chalk6 from "chalk";
+function execCommand(program) {
+  program.command("exec <command...>").description("Run a command in the sandbox").option("--config <path>", "Config file path", "documentrun.yaml").option("--dir <path>", "Base directory for config and env files").action(async (args, opts) => {
+    const { deploy, daytona: daytonaCfg } = loadConfig(opts.config, opts.dir);
+    const daytona = new DaytonaClient(daytonaCfg.apiUrl, daytonaCfg.apiKey, daytonaCfg.target);
+    const label = sandboxLabel(deploy.sandbox.slug);
+    const sandboxes = await daytona.listSandboxes({ app: label });
+    if (sandboxes.length === 0) {
+      console.error(chalk6.red("No sandbox found"));
+      process.exit(1);
+    }
+    const sandbox = sandboxes[0];
+    if (!sandbox) {
+      console.error(chalk6.red("No sandbox found"));
+      process.exit(1);
+    }
+    const cmd = args.join(" ");
+    const result = await daytona.exec(sandbox.id, cmd, 300000);
+    if (result.result) {
+      process.stdout.write(result.result);
+    }
+    process.exit(result.exitCode);
+  });
+}
+
+// src/local/wake.ts
+import chalk7 from "chalk";
+function wakeCommand(program) {
+  program.command("wake").description("Wake a stopped sandbox").option("--config <path>", "Config file path", "documentrun.yaml").option("--dir <path>", "Base directory for config and env files").action(async (opts) => {
+    const { deploy, daytona: daytonaCfg } = loadConfig(opts.config, opts.dir);
+    const daytona = new DaytonaClient(daytonaCfg.apiUrl, daytonaCfg.apiKey, daytonaCfg.target);
+    const cloudflare = new CloudflareClient(deploy.cloudflare);
+    const label = sandboxLabel(deploy.sandbox.slug);
+    const sandboxes = await daytona.listSandboxes({ app: label });
+    if (sandboxes.length === 0) {
+      console.log(chalk7.yellow("No sandbox found"));
+      return;
+    }
+    const sandbox = sandboxes[0];
+    if (!sandbox) {
+      console.log(chalk7.yellow("No sandbox found"));
+      return;
+    }
+    deploy.sandbox.daytonaSandboxId = sandbox.id;
+    const reporter = createTerminalReporter();
+    await wake({ config: deploy, daytona, cloudflare }, reporter);
+    console.log(chalk7.green(`
+✓ Sandbox awake`));
+  });
+}
+
+// src/local/stop.ts
+import chalk8 from "chalk";
+function stopCommand(program) {
+  program.command("stop").description("Stop a running sandbox").option("--config <path>", "Config file path", "documentrun.yaml").option("--dir <path>", "Base directory for config and env files").action(async (opts) => {
+    const { deploy, daytona: daytonaCfg } = loadConfig(opts.config, opts.dir);
+    const daytona = new DaytonaClient(daytonaCfg.apiUrl, daytonaCfg.apiKey, daytonaCfg.target);
+    const cloudflare = new CloudflareClient(deploy.cloudflare);
+    const label = sandboxLabel(deploy.sandbox.slug);
+    const sandboxes = await daytona.listSandboxes({ app: label });
+    if (sandboxes.length === 0) {
+      console.log(chalk8.yellow("No sandbox found"));
+      return;
+    }
+    const sandbox = sandboxes[0];
+    if (!sandbox) {
+      console.log(chalk8.yellow("No sandbox found"));
+      return;
+    }
+    deploy.sandbox.daytonaSandboxId = sandbox.id;
+    const reporter = createTerminalReporter();
+    await stop({ config: deploy, daytona, cloudflare }, reporter);
+    console.log(chalk8.green(`
+✓ Sandbox stopped`));
+  });
+}
+
+// src/local/url.ts
+import chalk9 from "chalk";
+function urlCommand(program) {
+  program.command("url").description("Print sandbox URL with access token").option("--config <path>", "Config file path", "documentrun.yaml").option("--dir <path>", "Base directory for config and env files").action(async (opts) => {
+    const { deploy } = loadConfig(opts.config, opts.dir);
+    const cf = new CloudflareClient(deploy.cloudflare);
+    const name = workerName(deploy.sandbox.slug);
+    const bindings = await cf.getWorkerBindings(name);
+    const token = bindings.find((b) => b.name === "ACCESS_TOKEN")?.text;
+    if (!token) {
+      console.error(chalk9.yellow("No sandbox deployed. Run `dr deploy` first."));
+      process.exit(1);
+    }
+    console.log(`${sandboxUrl(deploy.sandbox.slug, deploy.cloudflare.zone)}?token=${token}`);
+  });
+}
+
+// src/cloud/logs.ts
+import chalk10 from "chalk";
+var WORKER_NAME = "document-run-api-production";
+function workerLogsCommand(program) {
+  program.command("worker-logs").description("Stream live API worker logs").action(async () => {
+    const accountId = process.env.CLOUDFLARE_ACCOUNT_ID;
+    const apiToken = process.env.CLOUDFLARE_API_TOKEN;
+    if (!accountId || !apiToken) {
+      console.error(chalk10.red("Missing CLOUDFLARE_ACCOUNT_ID or CLOUDFLARE_API_TOKEN in environment."));
+      console.error(chalk10.dim("Run via: ./bin/dev bun packages/cli/src/index.ts worker-logs"));
+      process.exit(1);
+    }
+    const res = await fetch(`https://api.cloudflare.com/client/v4/accounts/${accountId}/workers/scripts/${WORKER_NAME}/tails`, {
+      method: "POST",
+      headers: { authorization: `Bearer ${apiToken}`, "content-type": "application/json" },
+      body: "{}"
+    });
+    const data = await res.json();
+    if (!data.success || !data.result) {
+      console.error(chalk10.red("Failed to create tail session"));
+      process.exit(1);
+    }
+    console.log(chalk10.blue(`Streaming logs from ${WORKER_NAME}...`));
+    console.log(chalk10.dim(`Expires: ${data.result.expires_at}`));
+    console.log();
+    const ws = new WebSocket(data.result.url);
+    ws.onmessage = (e) => {
+      try {
+        const event = JSON.parse(e.data);
+        const req = event.event?.request;
+        const resp = event.event?.response;
+        if (req?.method && req?.url) {
+          const path = new URL(req.url).pathname;
+          const status = resp?.status || "—";
+          const statusColor = (resp?.status || 0) >= 400 ? chalk10.red : chalk10.green;
+          console.log(`${chalk10.bold(req.method)} ${path} ${statusColor(String(status))}`);
+        }
+        for (const log of event.logs || []) {
+          if (log.message?.length) {
+            console.log(chalk10.dim(`  ${log.message.join(" ")}`));
+          }
+        }
+        for (const ex of event.exceptions || []) {
+          console.log(chalk10.red(`  ${ex.name}: ${ex.message}`));
+        }
+      } catch {}
+    };
+    ws.onclose = () => {
+      console.log(chalk10.yellow(`
+Log stream closed.`));
+      process.exit(0);
+    };
+    ws.onerror = () => {
+      console.error(chalk10.red("WebSocket error"));
+      process.exit(1);
+    };
+    await new Promise(() => {});
+  });
+}
+
+// src/local/app.ts
+function createLocalApp() {
+  const program = new Command;
+  program.name("dr").description("Document Run CLI (local mode)").version("0.0.1");
+  deployCommand(program);
+  destroyCommand(program);
+  statusCommand(program);
+  logsCommand(program);
+  execCommand(program);
+  wakeCommand(program);
+  stopCommand(program);
+  urlCommand(program);
+  workerLogsCommand(program);
+  return program;
+}
+
+// src/cloud/app.ts
+import { Command as Command2 } from "commander";
+
+// src/cloud/auth.ts
+import chalk11 from "chalk";
+
+// src/cloud/client.ts
+class ApiClient {
+  baseUrl;
+  token;
+  workspaceId;
+  constructor(baseUrl, token, workspaceId) {
+    this.baseUrl = baseUrl;
+    this.token = token;
+    this.workspaceId = workspaceId;
+  }
+  async request(method, path, body) {
+    const headers = {
+      "content-type": "application/json",
+      authorization: `Bearer ${this.token}`
+    };
+    if (this.workspaceId)
+      headers["x-workspace-id"] = this.workspaceId;
+    const res = await fetch(`${this.baseUrl}${path}`, {
+      method,
+      headers,
+      body: body ? JSON.stringify(body) : undefined
+    });
+    if (!res.ok) {
+      const text = await res.text().catch(() => "");
+      throw new Error(`API ${method} ${path}: ${res.status} ${text}`);
+    }
+    if (res.status === 204)
+      return;
+    return res.json();
+  }
+  async get(path) {
+    return this.request("GET", path);
+  }
+  async post(path, body) {
+    return this.request("POST", path, body);
+  }
+  async put(path, body) {
+    return this.request("PUT", path, body);
+  }
+  async del(path) {
+    return this.request("DELETE", path);
+  }
+  streamWebSocket(path, onMessage) {
+    return new Promise((resolve2, reject) => {
+      const protocol = this.baseUrl.startsWith("https") ? "wss" : "ws";
+      const host = this.baseUrl.replace(/^https?:\/\//, "");
+      const ws = new WebSocket(`${protocol}://${host}${path}`);
+      ws.onmessage = (e) => {
+        try {
+          const event = JSON.parse(e.data);
+          onMessage(event);
+          if (event.type === "state_change" && (event.state === "running" || event.state === "failed")) {
+            ws.close();
+          }
+        } catch {}
+      };
+      ws.onclose = () => resolve2();
+      ws.onerror = () => reject(new Error("WebSocket connection failed"));
+    });
+  }
+}
+
+// src/cloud/auth.ts
+function loginCommand(program) {
+  program.command("login").description("Log in to Document Run").option("--api-url <url>", "API URL", "https://api.document.run").action(async (opts) => {
+    const apiUrl = opts.apiUrl;
+    const server = Bun.serve({
+      port: 0,
+      async fetch(req) {
+        const url = new URL(req.url);
+        if (url.pathname === "/callback") {
+          const token = url.searchParams.get("token");
+          const workspaceId = url.searchParams.get("workspace_id");
+          if (token) {
+            const settings2 = { token, apiUrl };
+            if (workspaceId)
+              settings2.workspaceId = workspaceId;
+            saveSettings(settings2);
+            setTimeout(() => server.stop(), 100);
+            return new Response("<html><body><h2>Logged in! You can close this tab.</h2></body></html>", {
+              headers: { "content-type": "text/html" }
+            });
+          }
+          return new Response("Missing token", { status: 400 });
+        }
+        return new Response("Not found", { status: 404 });
+      }
+    });
+    const callbackUrl = `http://localhost:${server.port}/callback`;
+    const webUrl = apiUrl.replace("api.", "");
+    const loginUrl = `${webUrl}/auth/login?cli_redirect=${encodeURIComponent(callbackUrl)}`;
+    console.log(chalk11.blue(`Opening browser to log in...`));
+    console.log(chalk11.dim(loginUrl));
+    const proc = Bun.spawn(["open", loginUrl]);
+    await proc.exited;
+    console.log(chalk11.dim("Waiting for login callback..."));
+    await new Promise((resolve2) => {
+      const check = setInterval(() => {
+        if (loadSettings()) {
+          clearInterval(check);
+          resolve2();
+        }
+      }, 500);
+    });
+    const settings = loadSettings();
+    const client = new ApiClient(settings.apiUrl, settings.token, settings.workspaceId);
+    try {
+      const me = await client.get("/auth/me");
+      console.log(chalk11.green(`
+✓ Logged in as ${me.user.name}${me.user.email ? ` (${me.user.email})` : ""}`));
+    } catch {
+      console.log(chalk11.green(`
+✓ Logged in`));
+    }
+  });
+}
+function logoutCommand(program) {
+  program.command("logout").description("Log out of Document Run").action(() => {
+    clearSettings();
+    console.log(chalk11.green("✓ Logged out"));
+  });
+}
+function whoamiCommand(program) {
+  program.command("whoami").description("Show current user").action(async () => {
+    const settings = loadSettings();
+    if (!settings) {
+      console.log(chalk11.yellow("Not logged in. Run `dr login` to authenticate."));
+      return;
+    }
+    const client = new ApiClient(settings.apiUrl, settings.token, settings.workspaceId);
+    try {
+      const me = await client.get("/auth/me");
+      console.log(`User:      ${chalk11.bold(me.user.name)}`);
+      console.log(`Email:     ${me.user.email}`);
+      console.log(`Workspace: ${me.workspace.name}`);
+      console.log(`API:       ${settings.apiUrl}`);
+    } catch (_err) {
+      console.log(chalk11.red("Session expired. Run `dr login` to re-authenticate."));
+    }
+  });
+}
+
+// src/cloud/deploy.ts
+import chalk12 from "chalk";
+function deployCommand2(program) {
+  program.command("deploy").description("Deploy a sandbox via API").requiredOption("--repo <slug>", "Repository slug").option("--branch <branch>", "Branch to deploy", "main").action(async (opts) => {
+    const settings = loadSettings();
+    const client = new ApiClient(settings.apiUrl, settings.token, settings.workspaceId);
+    const reporter = createTerminalReporter();
+    console.log(chalk12.blue("Creating sandbox..."));
+    const { sandbox } = await client.post(`/repos/${opts.repo}/sandboxes`, {
+      branch: opts.branch
+    });
+    console.log(chalk12.dim(`Sandbox: ${sandbox.slug}`));
+    await client.streamWebSocket(`/ws/sandboxes/${sandbox.slug}`, (event) => {
+      switch (event.type) {
+        case "step_start":
+          reporter.stepStart(event.name);
+          break;
+        case "step_complete":
+          reporter.stepComplete(event.name, event.output || "ok");
+          break;
+        case "step_fail":
+          reporter.stepFail(event.name, event.error || "failed");
+          break;
+        case "state_change":
+          reporter.stateChange(event.state);
+          break;
+      }
+    });
+    console.log(chalk12.green(`
+✓ Sandbox deployed: ${sandbox.slug}`));
+  });
+}
+
+// src/cloud/repos.ts
+import { readFileSync as readFileSync3, existsSync as existsSync3 } from "fs";
+import { resolve as resolve2, dirname as dirname2 } from "path";
+import { parse as parseYaml2 } from "yaml";
+import chalk13 from "chalk";
+function loadEnvFile2(path) {
+  if (!existsSync3(path))
+    return [];
+  const content = readFileSync3(path, "utf-8");
+  const vars = [];
+  for (const line of content.split(`
+`)) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#"))
+      continue;
+    const eqIndex = trimmed.indexOf("=");
+    if (eqIndex === -1)
+      continue;
+    const key = trimmed.slice(0, eqIndex).trim();
+    let value = trimmed.slice(eqIndex + 1).trim();
+    if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
+      value = value.slice(1, -1);
+    }
+    vars.push({ key, value });
+  }
+  return vars;
+}
+function reposCommand(program) {
+  const repos = program.command("repos").description("Manage repositories");
+  repos.command("list").description("List repositories").action(async () => {
+    const settings = loadSettings();
+    const client = new ApiClient(settings.apiUrl, settings.token, settings.workspaceId);
+    const { repos: list } = await client.get("/repos");
+    if (list.length === 0) {
+      console.log(chalk13.yellow("No repositories"));
+      return;
+    }
+    for (const repo of list) {
+      console.log(`  ${chalk13.bold(repo.name)}  ${chalk13.dim(repo.slug)}`);
+    }
+  });
+  repos.command("init").description("Initialize a repository (from URL or template)").option("--url <url>", "GitHub repository URL").option("--branch <branch>", "Branch (default: repo default)").option("--template <path>", "Template file (documentrun.yaml)").action(async (opts) => {
+    if (!opts.url && !opts.template) {
+      console.error(chalk13.red("Provide --url or --template"));
+      process.exit(1);
+    }
+    const settings = loadSettings();
+    const client = new ApiClient(settings.apiUrl, settings.token, settings.workspaceId);
+    if (opts.template) {
+      const fullPath = resolve2(opts.template);
+      if (!existsSync3(fullPath)) {
+        console.error(chalk13.red(`File not found: ${fullPath}`));
+        process.exit(1);
+      }
+      const raw = readFileSync3(fullPath, "utf-8");
+      const config2 = parseYaml2(raw);
+      const envFilePath = resolve2(dirname2(fullPath), config2.env_file || ".env");
+      const envVars = loadEnvFile2(envFilePath);
+      const { repo } = await client.post("/templates/import", {
+        template: config2,
+        envVars
+      });
+      console.log(chalk13.green(`✓ Initialized from template: ${repo.name} (${repo.id})`));
+    } else {
+      const match = opts.url.match(/github\.com\/([^/]+\/[^/]+)/);
+      if (!match) {
+        console.error(chalk13.red("Invalid GitHub URL"));
+        process.exit(1);
+      }
+      const name = match[1].replace(/\.git$/, "");
+      const cloneUrl = `https://github.com/${name}.git`;
+      const { repo } = await client.post("/repos", {
+        name,
+        cloneUrl,
+        branch: opts.branch || "main"
+      });
+      console.log(chalk13.green(`✓ Initialized: ${repo.name} (${repo.id})`));
+    }
+  });
+  repos.command("delete").description("Delete a repository").argument("<id>", "Repository ID").action(async (id) => {
+    const settings = loadSettings();
+    const client = new ApiClient(settings.apiUrl, settings.token, settings.workspaceId);
+    await client.del(`/repos/${id}`);
+    console.log(chalk13.green(`✓ Deleted repo: ${id}`));
+  });
+}
+
+// src/cloud/sandboxes.ts
+import chalk14 from "chalk";
+var STATE_COLORS = {
+  running: chalk14.green,
+  failed: chalk14.red,
+  stopped: chalk14.yellow,
+  stopping: chalk14.yellow,
+  starting: chalk14.blue,
+  provisioning: chalk14.blue,
+  pending: chalk14.dim
+};
+function sandboxesCommand(program) {
+  const sb = program.command("sandboxes").description("Manage sandboxes");
+  sb.command("list <repo>").description("List sandboxes for a repository").action(async (repo) => {
+    const settings = loadSettings();
+    const client = new ApiClient(settings.apiUrl, settings.token, settings.workspaceId);
+    const { sandboxes } = await client.get(`/repos/${repo}/sandboxes`);
+    if (sandboxes.length === 0) {
+      console.log(chalk14.yellow("No sandboxes"));
+      return;
+    }
+    for (const s of sandboxes) {
+      const color = STATE_COLORS[s.state] || chalk14.dim;
+      console.log(`  ${chalk14.bold(s.slug)}  ${color(s.state)}  ${chalk14.dim(s.branch)}`);
+    }
+  });
+  sb.command("status <slug>").description("Show sandbox status (live from Daytona)").action(async (slug) => {
+    const settings = loadSettings();
+    const client = new ApiClient(settings.apiUrl, settings.token, settings.workspaceId);
+    const { sandbox } = await client.get(`/sandboxes/${slug}`);
+    const color = STATE_COLORS[sandbox.state] || chalk14.dim;
+    console.log(`Slug:    ${chalk14.bold(sandbox.slug)}`);
+    console.log(`Branch:  ${sandbox.branch}`);
+    console.log(`State:   ${color(sandbox.state)}`);
+    if (sandbox.lastError)
+      console.log(`Error:   ${chalk14.red(sandbox.lastError)}`);
+  });
+  sb.command("url <slug>").description("Print sandbox URL with access token").action(async (slug) => {
+    const settings = loadSettings();
+    const client = new ApiClient(settings.apiUrl, settings.token, settings.workspaceId);
+    const { sandbox } = await client.get(`/sandboxes/${slug}`);
+    if (!sandbox.accessToken) {
+      console.error(chalk14.red("No access token — sandbox not deployed"));
+      process.exit(1);
+    }
+    console.log(`${sandboxUrl(sandbox.slug, "document.run")}?token=${sandbox.accessToken}`);
+  });
+  sb.command("exec <slug> <command...>").description("Run a command inside the sandbox").action(async (slug, args) => {
+    const settings = loadSettings();
+    const client = new ApiClient(settings.apiUrl, settings.token, settings.workspaceId);
+    const cmd = args.join(" ");
+    const { output, exitCode } = await client.post(`/sandboxes/${slug}/exec`, { command: cmd });
+    if (output)
+      process.stdout.write(output);
+    process.exit(exitCode);
+  });
+  sb.command("logs <slug>").description("Show docker compose logs").option("-n, --tail <lines>", "Number of lines", "100").action(async (slug, opts) => {
+    const settings = loadSettings();
+    const client = new ApiClient(settings.apiUrl, settings.token, settings.workspaceId);
+    const { output } = await client.get(`/sandboxes/${slug}/logs?tail=${opts.tail}`);
+    if (output)
+      process.stdout.write(output);
+  });
+  sb.command("stop <slug>").description("Stop a sandbox").action(async (slug) => {
+    const settings = loadSettings();
+    const client = new ApiClient(settings.apiUrl, settings.token, settings.workspaceId);
+    await client.post(`/sandboxes/${slug}/stop`);
+    console.log(chalk14.green(`✓ Stopping: ${slug}`));
+  });
+  sb.command("wake <slug>").description("Wake a sandbox").action(async (slug) => {
+    const settings = loadSettings();
+    const client = new ApiClient(settings.apiUrl, settings.token, settings.workspaceId);
+    await client.post(`/sandboxes/${slug}/wake`);
+    console.log(chalk14.green(`✓ Waking: ${slug}`));
+  });
+  sb.command("destroy <slug>").description("Destroy a sandbox").action(async (slug) => {
+    const settings = loadSettings();
+    const client = new ApiClient(settings.apiUrl, settings.token, settings.workspaceId);
+    await client.del(`/sandboxes/${slug}`);
+    console.log(chalk14.green(`✓ Destroying: ${slug}`));
+  });
+}
+
+// src/cloud/github.ts
+import chalk15 from "chalk";
+function githubCommand(program) {
+  const github = program.command("github").description("Browse GitHub repositories");
+  github.command("repos").description("List your GitHub repositories").action(async () => {
+    const settings = loadSettings();
+    const client = new ApiClient(settings.apiUrl, settings.token, settings.workspaceId);
+    const { repos } = await client.get("/github/repos");
+    if (repos.length === 0) {
+      console.log(chalk15.yellow("No repositories found"));
+      return;
+    }
+    for (const repo of repos) {
+      const badge = repo.private ? chalk15.dim(" [private]") : "";
+      const stars = repo.stargazers_count > 0 ? chalk15.dim(` ★ ${repo.stargazers_count}`) : "";
+      console.log(`  ${repo.full_name}${badge}${stars}  ${chalk15.dim(repo.default_branch)}`);
+    }
+  });
+  github.command("branches <repo>").description("List branches for a repository (owner/repo)").action(async (repo) => {
+    const settings = loadSettings();
+    const client = new ApiClient(settings.apiUrl, settings.token, settings.workspaceId);
+    const [owner, name] = repo.split("/");
+    if (!owner || !name) {
+      console.error(chalk15.red("Usage: dr github branches owner/repo"));
+      process.exit(1);
+    }
+    const { branches } = await client.get(`/github/repos/${owner}/${name}/branches`);
+    for (const b of branches) {
+      console.log(`  ${b.name}`);
+    }
+  });
+}
+
+// src/cloud/services.ts
+import chalk16 from "chalk";
+function servicesCommand(program) {
+  const svc = program.command("services").description("Manage services");
+  svc.command("list <repo>").description("List services for a repository").action(async (repo) => {
+    const settings = loadSettings();
+    const client = new ApiClient(settings.apiUrl, settings.token, settings.workspaceId);
+    const { services } = await client.get(`/repos/${repo}/services`);
+    if (services.length === 0) {
+      console.log(chalk16.yellow("No services"));
+      return;
+    }
+    for (const s of services) {
+      const type = s.image ? s.image : `${s.baseImage || ""} → ${s.command || ""}`;
+      const port = s.port ? `:${s.port}` : "";
+      const expose = s.expose ? chalk16.blue(" expose") : "";
+      console.log(`  ${chalk16.bold(s.label)} ${chalk16.dim(`(${s.name})`)}  ${type}${port}${expose}`);
+    }
+  });
+  svc.command("add <repo>").description("Add a service").requiredOption("--label <label>", "Service label").option("--image <image>", "Docker image (for databases)").option("--command <cmd>", "Run command (for app services)").option("--base-image <image>", "Base image (with --command)").option("--port <port>", "Port number", "0").option("--expose", "Expose publicly", false).option("--setup-commands <cmds>", "Setup commands (comma-separated)").action(async (repo, opts) => {
+    const settings = loadSettings();
+    const client = new ApiClient(settings.apiUrl, settings.token, settings.workspaceId);
+    const body = {
+      label: opts.label,
+      port: parseInt(opts.port, 10)
+    };
+    if (opts.image)
+      body.image = opts.image;
+    if (opts.command)
+      body.command = opts.command;
+    if (opts.baseImage)
+      body.baseImage = opts.baseImage;
+    if (opts.expose)
+      body.expose = true;
+    if (opts.setupCommands)
+      body.setupCommands = opts.setupCommands.split(",").map((s) => s.trim());
+    const { service } = await client.post(`/repos/${repo}/services`, body);
+    console.log(chalk16.green(`✓ Created service: ${service.name}`));
+  });
+  svc.command("delete <repo> <name>").description("Delete a service").action(async (repo, name) => {
+    const settings = loadSettings();
+    const client = new ApiClient(settings.apiUrl, settings.token, settings.workspaceId);
+    await client.del(`/repos/${repo}/services/${name}`);
+    console.log(chalk16.green(`✓ Deleted service: ${name}`));
+  });
+}
+
+// src/cloud/env.ts
+import chalk17 from "chalk";
+function envCommand(program) {
+  const env = program.command("env").description("Manage environment variables");
+  env.command("list <repo>").description("List environment variables").action(async (repo) => {
+    const settings = loadSettings();
+    const client = new ApiClient(settings.apiUrl, settings.token, settings.workspaceId);
+    const { env_vars } = await client.get(`/repos/${repo}/env-vars`);
+    if (env_vars.length === 0) {
+      console.log(chalk17.yellow("No environment variables"));
+      return;
+    }
+    for (const ev of env_vars) {
+      const val = ev.secure ? chalk17.dim("••••••") : ev.value;
+      console.log(`  ${chalk17.bold(ev.key)}=${val}  ${chalk17.dim(ev.environment)}`);
+    }
+  });
+  env.command("set <repo>").description("Set an environment variable (upserts)").requiredOption("--key <key>", "Variable name").requiredOption("--value <value>", "Variable value").option("--environment <env>", "Environment (shared/sandbox/production)", "shared").option("--secure", "Mark as secure (mask in outputs)", false).action(async (repo, opts) => {
+    const settings = loadSettings();
+    const client = new ApiClient(settings.apiUrl, settings.token, settings.workspaceId);
+    await client.post(`/repos/${repo}/env-vars`, {
+      key: opts.key,
+      value: opts.value,
+      environment: opts.environment,
+      secure: opts.secure
+    });
+    console.log(chalk17.green(`✓ Set: ${opts.key}`));
+  });
+  env.command("delete <repo> <key>").description("Delete an environment variable").action(async (repo, key) => {
+    const settings = loadSettings();
+    const client = new ApiClient(settings.apiUrl, settings.token, settings.workspaceId);
+    await client.del(`/repos/${repo}/env-vars/${key}`);
+    console.log(chalk17.green(`✓ Deleted: ${key}`));
+  });
+}
+
+// src/cloud/issues.ts
+import chalk18 from "chalk";
+function issuesCommand(program) {
+  const issues = program.command("issues").description("Manage issues");
+  issues.command("list <repo>").description("List issues").action(async (repo) => {
+    const settings = loadSettings();
+    const client = new ApiClient(settings.apiUrl, settings.token, settings.workspaceId);
+    const { issues: list } = await client.get(`/repos/${repo}/issues`);
+    if (list.length === 0) {
+      console.log(chalk18.yellow("No issues synced"));
+      return;
+    }
+    for (const issue of list) {
+      const stateColor = issue.state === "open" ? chalk18.green : chalk18.dim;
+      const kind = issue.kind === "pull" ? chalk18.blue("PR") : "";
+      const author = issue.authorLogin ? chalk18.dim(` by ${issue.authorLogin}`) : "";
+      console.log(`  ${chalk18.dim(`#${issue.number}`)} ${issue.title} ${stateColor(issue.state)} ${kind}${author}`);
+    }
+  });
+  issues.command("sync <repo>").description("Sync issues from GitHub").action(async (repo) => {
+    const settings = loadSettings();
+    const client = new ApiClient(settings.apiUrl, settings.token, settings.workspaceId);
+    await client.post(`/repos/${repo}/sync-issues`);
+    console.log(chalk18.green("✓ Syncing issues..."));
+  });
+}
+
+// src/cloud/app.ts
+function createCloudApp() {
+  const program = new Command2;
+  program.name("dr").description("Document Run CLI (cloud mode)").version("0.0.1");
+  loginCommand(program);
+  logoutCommand(program);
+  whoamiCommand(program);
+  deployCommand2(program);
+  reposCommand(program);
+  sandboxesCommand(program);
+  workerLogsCommand(program);
+  githubCommand(program);
+  servicesCommand(program);
+  envCommand(program);
+  issuesCommand(program);
+  return program;
+}
+
+// src/index.ts
+var args = process.argv.slice(2);
+var cloudCommands = ["login", "logout", "whoami"];
+if (isLoggedIn() || args[0] && cloudCommands.includes(args[0])) {
+  createCloudApp().parse();
+} else {
+  createLocalApp().parse();
+}