npm - @getmonoceros/workbench - Versions diffs - 1.11.10 → 1.12.0 - Mend

@getmonoceros/workbench 1.11.10 → 1.12.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/bin.js CHANGED Viewed

@@ -51,111 +51,23 @@ function shellQuote(arg) {
   return `'${arg.replace(/'/g, "'\\''")}'`;
 }
-// src/devcontainer/wsl-backend-bootstrap.ts
-import { spawnSync as spawnSync2 } from "child_process";
-// src/util/format.ts
-var ESC = "\x1B[";
-var ANSI_BOLD = `${ESC}1m`;
-var ANSI_UNDERLINE = `${ESC}4m`;
-var ANSI_CYAN = `${ESC}36m`;
-var ANSI_GREY = `${ESC}90m`;
-var ANSI_RESET = `${ESC}0m`;
-function makeWrap(isTty2) {
-  return (s, ...codes) => isTty2 ? codes.join("") + s + ANSI_RESET : s;
-}
-function makePalette(isTty2) {
-  const wrap = makeWrap(isTty2);
-  return {
-    bold: (s) => wrap(s, ANSI_BOLD),
-    underline: (s) => wrap(s, ANSI_UNDERLINE),
-    cyan: (s) => wrap(s, ANSI_CYAN),
-    dim: (s) => wrap(s, ANSI_GREY),
-    sectionLine: (label) => wrap(`\u25B8 ${label}`, ANSI_BOLD, ANSI_UNDERLINE)
-  };
-}
-function colorsFor(stream) {
-  return makePalette(stream.isTTY ?? false);
-}
-var stderrPalette = makePalette(process.stderr.isTTY ?? false);
-var bold = stderrPalette.bold;
-var underline = stderrPalette.underline;
-var cyan = stderrPalette.cyan;
-var dim = stderrPalette.dim;
-var sectionLine = stderrPalette.sectionLine;
-// src/devcontainer/wsl-backend-bootstrap.ts
-function bootstrapWslBackend(opts = {}) {
-  const platform = opts.platform ?? process.platform;
-  if (platform !== "win32") return;
-  const listDistros = opts.wslDistros ?? defaultWslDistros;
-  const raw = listDistros();
-  if (raw !== null && hasWsl2Distro(raw)) return;
-  const probe = opts.probe ?? defaultProbe2;
-  if (probe("docker", ["--version"]) !== 0) return;
-  const warn = opts.warn ?? ((m) => process.stderr.write(`${m}
-`));
-  warn(formatWslBackendHint());
-}
-function hasWsl2Distro(raw) {
-  const text = raw.split(String.fromCharCode(0)).join("");
-  for (const line of text.split(/\r?\n/)) {
-    const trimmed = line.trim();
-    if (!trimmed) continue;
-    if (/\bNAME\b/i.test(trimmed) && /\bVERSION\b/i.test(trimmed)) continue;
-    const tokens = trimmed.replace(/^\*\s*/, "").split(/\s+/);
-    if (tokens[tokens.length - 1] === "2") return true;
-  }
-  return false;
-}
-function formatWslBackendHint() {
-  return [
-    `Docker's daemon isn't reachable, and no WSL 2 distro is registered.`,
-    `Docker Desktop runs on the WSL 2 backend, so without a distro it`,
-    `can't start -- often shown as the misleading "Virtualization support`,
-    `not detected" (even with virtualization enabled in BIOS).`,
-    ``,
-    `Fix it in an elevated PowerShell:`,
-    ``,
-    cyan(`  wsl --set-default-version 2`),
-    cyan(`  wsl --update`),
-    cyan(`  wsl --install -d Ubuntu`),
-    ``,
-    `Then reboot and start Docker Desktop.`
-  ].join("\n");
-}
-function defaultProbe2(cmd, args) {
-  const result = spawnSync2(cmd, [...args], { stdio: "ignore", timeout: 1e4 });
-  return result.status ?? 1;
-}
-function defaultWslDistros() {
-  const result = spawnSync2("wsl", ["-l", "-v"], {
-    encoding: "utf8",
-    stdio: ["ignore", "pipe", "ignore"],
-    env: { ...process.env, WSL_UTF8: "1" },
-    timeout: 5e3
-  });
-  if (result.status !== 0 || typeof result.stdout !== "string") return null;
-  return result.stdout;
-}
 // src/help.ts
-var ANSI_BOLD2 = "\x1B[1m";
-var ANSI_UNDERLINE2 = "\x1B[4m";
-var ANSI_CYAN2 = "\x1B[36m";
-var ANSI_GREY2 = "\x1B[90m";
-var ANSI_RESET2 = "\x1B[0m";
+var ANSI_BOLD = "\x1B[1m";
+var ANSI_UNDERLINE = "\x1B[4m";
+var ANSI_CYAN = "\x1B[36m";
+var ANSI_GREY = "\x1B[90m";
+var ANSI_RESET = "\x1B[0m";
 function isTty() {
   return process.stdout.isTTY ?? false;
 }
 function color(text, ...codes) {
   if (!isTty()) return text;
-  return codes.join("") + text + ANSI_RESET2;
+  return codes.join("") + text + ANSI_RESET;
 }
-var bold2 = (s) => color(s, ANSI_BOLD2);
-var underline2 = (s) => color(s, ANSI_UNDERLINE2);
-var cyan2 = (s) => color(s, ANSI_CYAN2);
-var grey = (s) => color(s, ANSI_GREY2);
+var bold = (s) => color(s, ANSI_BOLD);
+var underline = (s) => color(s, ANSI_UNDERLINE);
+var cyan = (s) => color(s, ANSI_CYAN);
+var grey = (s) => color(s, ANSI_GREY);
 var GROUPS = [
   { key: "lifecycle", label: "Container lifecycle" },
   { key: "run", label: "Run + inspect" },
@@ -248,7 +160,7 @@ function collectSubCommands(cmd) {
 function renderCommandsBlock(entries) {
   if (entries.length === 0) return [];
   const lines = [];
-  lines.push(underline2(bold2("COMMANDS")));
+  lines.push(underline(bold("COMMANDS")));
   const byGroup = /* @__PURE__ */ new Map();
   for (const entry2 of entries) {
     const arr = byGroup.get(entry2.group) ?? [];
@@ -258,10 +170,10 @@ function renderCommandsBlock(entries) {
   const renderSection = (label, items) => {
     if (items.length === 0) return;
     lines.push("");
-    lines.push(underline2(grey(label)));
+    lines.push(underline(grey(label)));
     lines.push("");
     const rows = items.map((e) => [
-      cyan2(e.name),
+      cyan(e.name),
       e.description
     ]);
     lines.push(alignTable(rows, ""));
@@ -298,27 +210,27 @@ function renderUsageBlock(cmd, commandPath) {
   lines.push(grey(wrapText(header, terminalWidth(), "")));
   lines.push("");
   lines.push(
-    `${underline2(bold2("USAGE"))} ${cyan2([fullName, ...usageTokens].join(" "))}`
+    `${underline(bold("USAGE"))} ${cyan([fullName, ...usageTokens].join(" "))}`
   );
   lines.push("");
   if (positionals.length > 0) {
-    lines.push(underline2(bold2("ARGUMENTS")));
+    lines.push(underline(bold("ARGUMENTS")));
     lines.push("");
     const rows = positionals.map((p) => {
       const isRequired = p.required !== false && p.default === void 0;
-      return [cyan2(p.name.toUpperCase()), renderArgDescription(p, isRequired)];
+      return [cyan(p.name.toUpperCase()), renderArgDescription(p, isRequired)];
     });
     lines.push(alignTable(rows, "  "));
     lines.push("");
   }
   if (flags.length > 0) {
-    lines.push(underline2(bold2("OPTIONS")));
+    lines.push(underline(bold("OPTIONS")));
     lines.push("");
     const rows = flags.map((f) => {
       const isRequired = f.required === true && f.default === void 0;
       const aliases = (Array.isArray(f.alias) ? f.alias : f.alias ? [f.alias] : []).map((a) => `-${a}`);
       const label = [...aliases, `--${f.name}`].join(", ") + renderValueHint(f);
-      return [cyan2(label), renderArgDescription(f, isRequired)];
+      return [cyan(label), renderArgDescription(f, isRequired)];
     });
     lines.push(alignTable(rows, "  "));
     lines.push("");
@@ -328,7 +240,7 @@ function renderUsageBlock(cmd, commandPath) {
       lines.push(line);
     }
     lines.push(
-      `Use ${cyan2(`${fullName} <command> --help`)} for more information about a command.`
+      `Use ${cyan(`${fullName} <command> --help`)} for more information about a command.`
     );
     lines.push("");
   }
@@ -393,13 +305,13 @@ import { defineCommand as defineCommand30 } from "citty";
 // src/commands/add-apt-packages.ts
 import { defineCommand } from "citty";
-import { consola as consola3 } from "consola";
+import { consola as consola2 } from "consola";
 // src/modify/index.ts
 import { promises as fs8 } from "fs";
-import { consola as consola2 } from "consola";
+import { consola } from "consola";
 import { createPatch } from "diff";
-import path10 from "path";
+import path8 from "path";
 // src/config/io.ts
 import { promises as fs } from "fs";
@@ -661,6 +573,38 @@ function prettyPath(p) {
 import { spawn } from "child_process";
 import { promises as fs2 } from "fs";
 import path2 from "path";
+// src/util/format.ts
+var ESC = "\x1B[";
+var ANSI_BOLD2 = `${ESC}1m`;
+var ANSI_UNDERLINE2 = `${ESC}4m`;
+var ANSI_CYAN2 = `${ESC}36m`;
+var ANSI_GREY2 = `${ESC}90m`;
+var ANSI_RESET2 = `${ESC}0m`;
+function makeWrap(isTty2) {
+  return (s, ...codes) => isTty2 ? codes.join("") + s + ANSI_RESET2 : s;
+}
+function makePalette(isTty2) {
+  const wrap = makeWrap(isTty2);
+  return {
+    bold: (s) => wrap(s, ANSI_BOLD2),
+    underline: (s) => wrap(s, ANSI_UNDERLINE2),
+    cyan: (s) => wrap(s, ANSI_CYAN2),
+    dim: (s) => wrap(s, ANSI_GREY2),
+    sectionLine: (label) => wrap(`\u25B8 ${label}`, ANSI_BOLD2, ANSI_UNDERLINE2)
+  };
+}
+function colorsFor(stream) {
+  return makePalette(stream.isTTY ?? false);
+}
+var stderrPalette = makePalette(process.stderr.isTTY ?? false);
+var bold2 = stderrPalette.bold;
+var underline2 = stderrPalette.underline;
+var cyan2 = stderrPalette.cyan;
+var dim = stderrPalette.dim;
+var sectionLine = stderrPalette.sectionLine;
+// src/devcontainer/credentials.ts
 var realGitCredentialFill = (input) => {
   return new Promise((resolve, reject) => {
     const child = spawn("git", ["credential", "fill"], {
@@ -715,16 +659,18 @@ function uniqueHttpsHosts(repos) {
   }
   return [...byHost.values()];
 }
+var BREW_INSTALL_COMMAND = '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"';
 function installCommandForOS(opts) {
-  switch (process.platform) {
-    case "darwin":
-      return cyan(opts.brew);
-    case "win32":
-      return cyan(opts.winget);
-    default:
-      if (opts.linuxBrew) return cyan(opts.linuxBrew);
-      return `See ${opts.linuxDocsUrl} for package instructions.`;
-  }
+  const withBrewBootstrap = (cmd) => [
+    "",
+    cyan2(BREW_INSTALL_COMMAND),
+    cyan2(cmd),
+    "",
+    dim("(Skip the first line if you already have Homebrew.)")
+  ].join("\n");
+  if (process.platform === "darwin") return withBrewBootstrap(opts.brew);
+  if (opts.linuxBrew) return withBrewBootstrap(opts.linuxBrew);
+  return `See ${opts.linuxDocsUrl} for package instructions.`;
 }
 function providerSetupHint(host, provider) {
   if (provider === "github") {
@@ -732,7 +678,6 @@ function providerSetupHint(host, provider) {
     const hostArg = isSaas ? "" : ` --hostname ${host}`;
     const install = installCommandForOS({
       brew: "brew install gh",
-      winget: "winget install --id GitHub.cli",
       linuxBrew: "brew install gh",
       linuxDocsUrl: "https://github.com/cli/cli#installation"
     });
@@ -743,8 +688,8 @@ function providerSetupHint(host, provider) {
         install,
         "",
         "Then run once:",
-        cyan(`gh auth login${hostArg}`),
-        cyan(`gh auth setup-git${hostArg}`),
+        cyan2(`gh auth login${hostArg}`),
+        cyan2(`gh auth setup-git${hostArg}`),
         "",
         "`gh auth login` walks through OAuth in your browser.",
         "`gh auth setup-git` wires gh into git as a credential helper."
@@ -756,7 +701,6 @@ function providerSetupHint(host, provider) {
     const hostArg = isSaas ? "" : ` --hostname ${host}`;
     const install = installCommandForOS({
       brew: "brew install glab",
-      winget: "winget install --id GLab.GLab",
       linuxBrew: "brew install glab",
       linuxDocsUrl: "https://gitlab.com/gitlab-org/cli#installation"
     });
@@ -767,7 +711,7 @@ function providerSetupHint(host, provider) {
         install,
         "",
         "Then run once:",
-        cyan(`glab auth login${hostArg}`),
+        cyan2(`glab auth login${hostArg}`),
         "",
         "Choose `HTTPS` when asked for git-protocol, then accept",
         '"Authenticate Git with your GitLab credentials" \u2014 glab',
@@ -786,7 +730,7 @@ function providerSetupHint(host, provider) {
           "https://id.atlassian.com/manage-profile/security/api-tokens",
           "",
           "Then store it via your OS credential helper:",
-          cyan(
+          cyan2(
             `git credential approve <<< $'protocol=https\\nhost=${host}\\nusername=<your-atlassian-email>\\npassword=<token>\\n'`
           )
         ].join("\n")
@@ -802,7 +746,7 @@ function providerSetupHint(host, provider) {
         "at least repo-read + repo-write scopes for the repos you need.",
         "",
         "Then store it via your OS credential helper:",
-        cyan(
+        cyan2(
           `git credential approve <<< $'protocol=https\\nhost=${host}\\nusername=<your-bitbucket-username>\\npassword=<token>\\n'`
         )
       ].join("\n")
@@ -820,7 +764,7 @@ function providerSetupHint(host, provider) {
       "need push from the container).",
       "",
       "Then store it via your OS credential helper:",
-      cyan(
+      cyan2(
         `git credential approve <<< $'protocol=https\\nhost=${host}\\nusername=<your-gitea-username>\\npassword=<token>\\n'`
       )
     ].join("\n")
@@ -933,7 +877,7 @@ function formatMissingCredentialsError(missing) {
       "",
       hint.body,
       "",
-      `Then re-run ${cyan("monoceros apply")}.`
+      `Then re-run ${cyan2("monoceros apply")}.`
     ].join("\n");
   }
   const lines = [
@@ -947,7 +891,7 @@ function formatMissingCredentialsError(missing) {
     lines.push(hint.body);
     lines.push("");
   }
-  lines.push(`Then re-run ${cyan("monoceros apply")}.`);
+  lines.push(`Then re-run ${cyan2("monoceros apply")}.`);
   return lines.join("\n");
 }
 function formatUnknownProviderError(hosts) {
@@ -959,32 +903,18 @@ function formatUnknownProviderError(hosts) {
     "For any other host (self-hosted GitLab, Gitea, Bitbucket Server, \u2026)",
     "declare the provider explicitly in the yml. Edit the repo entry:",
     "",
-    cyan("  repos:"),
-    cyan(`    - url: https://${sorted[0]}/\u2026`),
-    cyan("      provider: gitlab   # or: github, bitbucket, gitea"),
+    cyan2("  repos:"),
+    cyan2(`    - url: https://${sorted[0]}/\u2026`),
+    cyan2("      provider: gitlab   # or: github, bitbucket, gitea"),
     "",
-    `Or re-add with ${cyan("monoceros add-repo <name> <url> --provider=<github|gitlab|bitbucket|gitea>")}.`
+    `Or re-add with ${cyan2("monoceros add-repo <name> <url> --provider=<github|gitlab|bitbucket|gitea>")}.`
   ];
   return lines.join("\n");
 }
 // src/devcontainer/locate-running.ts
-import { spawn as spawn5 } from "child_process";
-// src/devcontainer/compose.ts
-import { spawn as spawn4 } from "child_process";
-import { existsSync as existsSync2 } from "fs";
-import path5 from "path";
-import { consola } from "consola";
-// src/proxy/index.ts
 import { spawn as spawn2 } from "child_process";
-import { promises as fs3 } from "fs";
-import path3 from "path";
-var PROXY_CONTAINER_NAME = "monoceros-proxy";
-var PROXY_NETWORK_NAME = "monoceros-proxy";
-var TRAEFIK_IMAGE = "traefik:v3.3";
-var defaultDockerExec = (args) => {
+var realDockerLookup = (args) => {
   return new Promise((resolve, reject) => {
     const child = spawn2("docker", args, {
       stdio: ["ignore", "pipe", "pipe"]
@@ -1004,988 +934,638 @@ var defaultDockerExec = (args) => {
     );
   });
 };
-var realDocker = defaultDockerExec;
-function proxyDynamicDir(home) {
-  return path3.join(home ?? monocerosHome(), "traefik", "dynamic");
-}
-async function kickProxyReload(opts = {}) {
-  if (process.platform !== "win32") return;
-  const docker = opts.docker ?? realDocker;
-  const inspect = await docker([
-    "inspect",
-    "--format",
-    "{{.State.Running}}",
-    PROXY_CONTAINER_NAME
+async function findRunningContainerByLocalFolder(containerPath, opts = {}) {
+  const docker = opts.docker ?? realDockerLookup;
+  const result = await docker([
+    "ps",
+    "-q",
+    "--filter",
+    `label=devcontainer.local_folder=${containerPath}`,
+    "--filter",
+    "status=running"
   ]);
-  if (inspect.exitCode !== 0) return;
-  if (inspect.stdout.trim() !== "true") return;
-  await docker(["restart", PROXY_CONTAINER_NAME]);
+  if (result.exitCode !== 0) return null;
+  const ids = result.stdout.split("\n").map((s) => s.trim()).filter((s) => s.length > 0);
+  return ids[0] ?? null;
 }
-async function ensureProxy(opts = {}) {
-  const docker = opts.docker ?? realDocker;
-  const dyn = proxyDynamicDir(opts.monocerosHome);
-  await fs3.mkdir(dyn, { recursive: true });
-  const netInspect = await docker(["network", "inspect", PROXY_NETWORK_NAME]);
-  if (netInspect.exitCode !== 0) {
-    const create = await docker(["network", "create", PROXY_NETWORK_NAME]);
-    if (create.exitCode !== 0) {
-      throw new Error(
-        `Could not create docker network ${PROXY_NETWORK_NAME}: ${create.stderr.trim() || `exit ${create.exitCode}`}`
-      );
-    }
-  }
-  const state = await docker([
-    "inspect",
-    "--format",
-    "{{.State.Running}}",
-    PROXY_CONTAINER_NAME
-  ]);
-  if (state.exitCode === 0) {
-    if (state.stdout.trim() === "true") return;
-    const start = await docker(["start", PROXY_CONTAINER_NAME]);
-    if (start.exitCode !== 0) {
-      throw new Error(
-        `Could not start existing ${PROXY_CONTAINER_NAME} container: ${start.stderr.trim() || `exit ${start.exitCode}`}`
-      );
-    }
-    return;
+var realContainerExec = (containerId, argv) => {
+  return new Promise((resolve, reject) => {
+    const child = spawn2("docker", ["exec", containerId, ...argv], {
+      // Inherit stdio so live git output reaches the user.
+      stdio: ["ignore", "inherit", "inherit"]
+    });
+    child.on("error", reject);
+    child.on("exit", (code) => resolve({ exitCode: code ?? 0 }));
+  });
+};
+// src/config/global.ts
+import { promises as fs3 } from "fs";
+import { z as z2 } from "zod";
+import { isMap, Pair, parseDocument as parseDocument2, Scalar, YAMLMap } from "yaml";
+var SCHEMA_VERSION = 1;
+var MonocerosConfigSchema = z2.object({
+  schemaVersion: z2.literal(SCHEMA_VERSION),
+  // .nullish() (= .optional().nullable()) on defaults so the shipped
+  // sample yml — where `defaults:` is uncommented but every sub-block
+  // is commented out — parses cleanly. YAML produces `defaults: null`
+  // in that case; without .nullish() the schema would reject it and
+  // we'd be back to forcing builders to comment-juggle three lines.
+  defaults: z2.object({
+    // .nullish() (not just .optional()) so the sample yml can leave
+    // `git:` uncommented as a category marker — YAML produces
+    // `git: null` for an empty mapping, which zod's plain
+    // `.optional()` would reject.
+    git: z2.object({
+      user: GitUserSchema.optional()
+    }).nullish(),
+    // .nullish() for the same reason as `git` — the sample keeps
+    // `features:` uncommented as a category marker.
+    features: z2.record(
+      z2.string().regex(
+        REGEX.featureRef,
+        "Invalid feature ref. Expected an OCI-image-style ref like 'ghcr.io/getmonoceros/monoceros-features/<name>:<tag>'."
+      ),
+      z2.record(z2.string(), FeatureOptionValueSchema)
+    ).nullish()
+  }).nullish(),
+  // Machine-global routing settings — one Traefik per builder, so
+  // host-port and similar live here rather than in any container yml.
+  // See ADR 0007.
+  routing: z2.object({
+    hostPort: z2.number().int().min(1).max(65535).optional().describe(
+      "Host port the Traefik singleton binds. Default 80. Set this when 80 is held by another service on your machine \u2014 URLs then become http://<name>.localhost:<port>/."
+    )
+  }).nullish()
+});
+async function readMonocerosConfig(opts = {}) {
+  const home = opts.monocerosHome ?? monocerosHome();
+  const filePath = monocerosConfigPath(home);
+  let text;
+  try {
+    text = await fs3.readFile(filePath, "utf8");
+  } catch {
+    return void 0;
   }
-  const hostPort = opts.hostPort ?? 80;
-  const run = await docker([
-    "run",
-    "-d",
-    "--name",
-    PROXY_CONTAINER_NAME,
-    "--network",
-    PROXY_NETWORK_NAME,
-    "-p",
-    `${hostPort}:80`,
-    "-v",
-    `${dyn}:/etc/traefik/dynamic:ro`,
-    "--label",
-    "monoceros.role=proxy",
-    TRAEFIK_IMAGE,
-    "--entrypoints.web.address=:80",
-    "--providers.file.directory=/etc/traefik/dynamic",
-    "--providers.file.watch=true",
-    "--providers.docker=false",
-    "--api.dashboard=false",
-    "--log.level=INFO"
-  ]);
-  if (run.exitCode !== 0) {
+  const doc = parseDocument2(text, { prettyErrors: true });
+  if (doc.errors.length > 0) {
     throw new Error(
-      `Could not start ${PROXY_CONTAINER_NAME}: ${run.stderr.trim() || `exit ${run.exitCode}`}`
+      `yaml parse error in ${filePath}: ${doc.errors[0].message}`
     );
   }
-  opts.logger?.info(
-    `Started ${PROXY_CONTAINER_NAME} (Traefik on :${hostPort}).`
-  );
-}
-async function maybeStopProxy(opts = {}) {
-  const docker = opts.docker ?? realDocker;
-  const logger = opts.logger;
-  const inspect = await docker([
-    "network",
-    "inspect",
-    PROXY_NETWORK_NAME,
-    "--format",
-    "{{range $k, $v := .Containers}}{{$v.Name}}\n{{end}}"
-  ]);
-  if (inspect.exitCode !== 0) {
-    return;
-  }
-  const others = inspect.stdout.split("\n").map((n) => n.trim()).filter((n) => n.length > 0 && n !== PROXY_CONTAINER_NAME);
-  if (others.length > 0) return;
-  await docker(["rm", "-f", PROXY_CONTAINER_NAME]);
-  const netRm = await docker(["network", "rm", PROXY_NETWORK_NAME]);
-  if (netRm.exitCode !== 0) {
-    logger?.warn?.(
-      `Could not remove docker network ${PROXY_NETWORK_NAME}: ${netRm.stderr.trim() || `exit ${netRm.exitCode}`}`
+  const result = MonocerosConfigSchema.safeParse(doc.toJS());
+  if (!result.success) {
+    const issues = result.error.issues.map((issue) => {
+      const where = issue.path.length > 0 ? issue.path.join(".") : "(root)";
+      return `  - ${where}: ${issue.message}`;
+    }).join("\n");
+    throw new Error(
+      `Invalid ${filePath}:
+${issues}
+See ${filePath.replace(
+        /\.yml$/,
+        ".sample.yml"
+      )} for a valid example.`
     );
-    return;
   }
-  logger?.info(
-    `Stopped ${PROXY_CONTAINER_NAME} (no dev-containers with ports left).`
-  );
+  return result.data;
 }
-// src/util/mask-secrets.ts
-import { Transform } from "stream";
-var PATTERNS = [
-  // Atlassian Cloud API token. Starts with literal `ATATT3xFf` plus
-  // a long URL-safe-base64 tail. Tightened to that prefix to avoid
-  // matching unrelated all-caps words.
-  { name: "atlassian-api", re: /ATATT3xFf[A-Za-z0-9+/=_-]{20,}/g },
-  // Bitbucket Cloud app password.
-  { name: "bitbucket-app", re: /ATBB[A-Za-z0-9+/=_-]{20,}/g },
-  // GitHub PAT (classic), OAuth, user, server, refresh — all share
-  // the `gh<lower-letter>_<base62>` shape per GitHub's token format.
-  { name: "github-token", re: /gh[a-z]_[A-Za-z0-9]{20,}/g },
-  // GitHub fine-grained PAT.
-  { name: "github-pat", re: /github_pat_[A-Za-z0-9_]{20,}/g },
-  // Anthropic API key.
-  { name: "anthropic-api", re: /sk-ant-[A-Za-z0-9_-]{20,}/g }
-];
-function maskSecrets(text) {
-  let result = text;
-  for (const { re } of PATTERNS) {
-    result = result.replace(re, maskOne);
+var DEFAULT_PROXY_HOST_PORT = 80;
+function proxyHostPort(config) {
+  return config?.routing?.hostPort ?? DEFAULT_PROXY_HOST_PORT;
+}
+async function writeGlobalDefaultGitUser(user, opts = {}) {
+  const home = opts.monocerosHome ?? monocerosHome();
+  const filePath = monocerosConfigPath(home);
+  let text;
+  try {
+    text = await fs3.readFile(filePath, "utf8");
+  } catch {
+    text = void 0;
   }
-  return result;
+  if (text === void 0) {
+    const fresh = [
+      "# Optional \u2014 global defaults for monoceros containers.",
+      "",
+      "schemaVersion: 1",
+      "",
+      "defaults:",
+      "  git:",
+      "    user:",
+      `      name: ${user.name}`,
+      `      email: ${user.email}`,
+      ""
+    ].join("\n");
+    await fs3.mkdir(home, { recursive: true });
+    await fs3.writeFile(filePath, fresh, "utf8");
+    return { filePath, created: true, alreadySet: false };
+  }
+  const doc = parseDocument2(text, { prettyErrors: true });
+  if (doc.errors.length > 0) {
+    throw new Error(
+      `yaml parse error in ${filePath}: ${doc.errors[0].message}`
+    );
+  }
+  const defaultsMap = ensureMap(doc, "defaults");
+  const gitMap = ensureSubMapAtTop(defaultsMap, "git");
+  const userMap = ensureSubMap(gitMap, "user");
+  const existingName = userMap.get("name");
+  const existingEmail = userMap.get("email");
+  if (typeof existingName === "string" && existingName.length > 0 && typeof existingEmail === "string" && existingEmail.length > 0) {
+    return { filePath, created: false, alreadySet: true };
+  }
+  relocateLeakedLeafComments(userMap, defaultsMap, "git");
+  userMap.set("name", user.name);
+  userMap.set("email", user.email);
+  const newText = String(doc);
+  await fs3.writeFile(filePath, newText, "utf8");
+  return { filePath, created: false, alreadySet: false };
 }
-function maskOne(token) {
-  if (token.length <= 12) return token;
-  return `${token.slice(0, 5)}\u2026${token.slice(-6)}`;
+function ensureMap(doc, key) {
+  const node = doc.get(key, true);
+  if (node && isMap(node)) return node;
+  const m = new YAMLMap();
+  doc.set(key, m);
+  return m;
 }
-function createSecretMaskStream() {
-  let buffer = "";
-  return new Transform({
-    decodeStrings: true,
-    transform(chunk, _enc, cb) {
-      const text = typeof chunk === "string" ? chunk : chunk.toString("utf8");
-      buffer += text;
-      const lastNewline = buffer.lastIndexOf("\n");
-      if (lastNewline === -1) {
-        cb(null);
-        return;
-      }
-      const flushable = buffer.slice(0, lastNewline + 1);
-      buffer = buffer.slice(lastNewline + 1);
-      cb(null, maskSecrets(flushable));
-    },
-    flush(cb) {
-      if (buffer.length > 0) {
-        const tail = maskSecrets(buffer);
-        buffer = "";
-        cb(null, tail);
-        return;
+function ensureSubMap(parent, key) {
+  const node = parent.get(key, true);
+  if (node && isMap(node)) return node;
+  const m = new YAMLMap();
+  parent.set(key, m);
+  return m;
+}
+function ensureSubMapAtTop(parent, key) {
+  const node = parent.get(key, true);
+  if (node && isMap(node)) return node;
+  const parentMaybe = parent;
+  const newKey = new Scalar(key);
+  if (parent.items.length > 0 && typeof parentMaybe.commentBefore === "string" && parentMaybe.commentBefore.length > 0) {
+    const cleaned = stripCommentedKeySkeleton(parentMaybe.commentBefore, key);
+    const blankMatch = cleaned.match(/\n[ \t]*\n/);
+    let head;
+    let tail;
+    if (blankMatch && blankMatch.index !== void 0) {
+      head = cleaned.slice(0, blankMatch.index);
+      tail = cleaned.slice(blankMatch.index + blankMatch[0].length);
+    } else {
+      head = cleaned;
+      tail = "";
+    }
+    if (head.length > 0) {
+      newKey.commentBefore = head;
+      if (parentMaybe.spaceBefore) newKey.spaceBefore = true;
+    }
+    if (tail.length > 0) {
+      const firstKey = parent.items[0].key;
+      if (firstKey && typeof firstKey === "object") {
+        const existing = firstKey.commentBefore ?? "";
+        firstKey.commentBefore = existing ? `${tail}
+${existing}` : tail;
+        firstKey.spaceBefore = true;
       }
-      cb(null);
     }
-  });
+    parentMaybe.commentBefore = null;
+    parentMaybe.spaceBefore = false;
+  }
+  const m = new YAMLMap();
+  const pair = new Pair(newKey, m);
+  parent.items.unshift(pair);
+  return m;
 }
-// src/devcontainer/cli.ts
-import { spawn as spawn3 } from "child_process";
-import { readFileSync } from "fs";
-import { createRequire } from "module";
-import path4 from "path";
-// src/devcontainer/runtime-pull-hint.ts
-import { Transform as Transform2 } from "stream";
-var RUNTIME_PULL_MARKER = "No manifest found for ghcr.io/getmonoceros/monoceros-runtime";
-var RUNTIME_PULL_HINT = 'Downloading the Monoceros runtime image now -- expected on first apply, takes ~1-2 min (Docker pulls the multi-arch base with no progress output). The "No manifest found" line above is harmless. Please wait...';
-function createRuntimePullHintStream(state) {
-  let buffer = "";
-  const appendHintIfMarker = (block) => {
-    if (state.hinted || !block.includes(RUNTIME_PULL_MARKER)) return block;
-    state.hinted = true;
-    return `${block}${dim(`(i) ${RUNTIME_PULL_HINT}`)}
-`;
-  };
-  return new Transform2({
-    decodeStrings: true,
-    transform(chunk, _enc, cb) {
-      const text = typeof chunk === "string" ? chunk : chunk.toString("utf8");
-      buffer += text;
-      const lastNewline = buffer.lastIndexOf("\n");
-      if (lastNewline === -1) {
-        cb(null);
-        return;
-      }
-      const flushable = buffer.slice(0, lastNewline + 1);
-      buffer = buffer.slice(lastNewline + 1);
-      cb(null, appendHintIfMarker(flushable));
-    },
-    flush(cb) {
-      if (buffer.length === 0) {
-        cb(null);
-        return;
+function stripCommentedKeySkeleton(commentBody, key) {
+  const lines = commentBody.split("\n");
+  const headRe = new RegExp(`^ ${escapeRegExp(key)}:\\s*$`);
+  const out = [];
+  let i = 0;
+  while (i < lines.length) {
+    const line = lines[i];
+    if (headRe.test(line)) {
+      i++;
+      while (i < lines.length && /^ {2,}\S/.test(lines[i])) {
+        i++;
       }
-      const tail = buffer;
-      buffer = "";
-      cb(null, appendHintIfMarker(tail));
+      continue;
     }
-  });
-}
-// src/devcontainer/cli.ts
-var require_ = createRequire(import.meta.url);
-var cachedBinaryPath = null;
-function devcontainerCliPath() {
-  if (cachedBinaryPath) return cachedBinaryPath;
-  const pkgJsonPath = require_.resolve("@devcontainers/cli/package.json");
-  const pkg = JSON.parse(readFileSync(pkgJsonPath, "utf8"));
-  const binEntry = typeof pkg.bin === "string" ? pkg.bin : pkg.bin?.devcontainer ?? "";
-  if (!binEntry) {
-    throw new Error("Could not resolve @devcontainers/cli bin entry.");
+    out.push(line);
+    i++;
   }
-  cachedBinaryPath = path4.resolve(path4.dirname(pkgJsonPath), binEntry);
-  return cachedBinaryPath;
+  return out.join("\n");
 }
-var spawnDevcontainer = (args, cwd, options = {}) => {
-  const binPath = devcontainerCliPath();
-  return new Promise((resolve, reject) => {
-    if (options.interactive) {
-      const child2 = spawn3(process.execPath, [binPath, ...args], {
-        cwd,
-        stdio: "inherit"
-      });
-      child2.on("error", reject);
-      child2.on("exit", (code) => resolve(code ?? 0));
-      return;
-    }
-    const child = spawn3(process.execPath, [binPath, ...args], {
-      cwd,
-      stdio: ["ignore", "pipe", "pipe"]
-    });
-    if (options.quiet) {
-      const stdoutChunks = [];
-      const stderrChunks = [];
-      child.stdout?.on("data", (chunk) => stdoutChunks.push(chunk));
-      child.stderr?.on("data", (chunk) => stderrChunks.push(chunk));
-      child.on("error", reject);
-      child.on("exit", (code) => {
-        const exitCode = code ?? 0;
-        if (exitCode !== 0) {
-          process.stderr.write(
-            maskSecrets(Buffer.concat(stderrChunks).toString("utf8"))
-          );
-          process.stderr.write(
-            maskSecrets(Buffer.concat(stdoutChunks).toString("utf8"))
-          );
-        }
-        resolve(exitCode);
-      });
-      return;
-    }
-    const pullHint = { hinted: false };
-    child.stdout?.pipe(createSecretMaskStream()).pipe(createRuntimePullHintStream(pullHint)).pipe(process.stdout);
-    child.stderr?.pipe(createSecretMaskStream()).pipe(createRuntimePullHintStream(pullHint)).pipe(process.stderr);
-    child.on("error", reject);
-    child.on("exit", (code) => resolve(code ?? 0));
+function escapeRegExp(s) {
+  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+function relocateLeakedLeafComments(leafMap, parent, ancestorKey) {
+  const items = parent.items;
+  const ancestorIdx = items.findIndex((p) => {
+    const k = p.key;
+    const v = typeof k === "string" ? k : k?.value ?? null;
+    return v === ancestorKey;
   });
-};
-// src/devcontainer/compose.ts
-var spawnDockerCompose = (args, cwd) => {
-  return new Promise((resolve, reject) => {
-    const child = spawn4("docker", ["compose", ...args], {
-      cwd,
-      stdio: ["inherit", "pipe", "pipe"]
+  if (ancestorIdx < 0 || ancestorIdx + 1 >= items.length) return;
+  const target = items[ancestorIdx + 1];
+  for (const pair of leafMap.items) {
+    const value = pair.value;
+    if (!value || typeof value !== "object") continue;
+    const leakedComment = value.comment;
+    const leakedSpace = value.spaceBefore;
+    if (!leakedComment && !leakedSpace) continue;
+    if (leakedComment) {
+      const targetKey = target.key;
+      if (targetKey && typeof targetKey === "object") {
+        const existing = targetKey.commentBefore ?? "";
+        targetKey.commentBefore = existing ? `${leakedComment}
+${existing}` : leakedComment;
+        if (leakedSpace) targetKey.spaceBefore = true;
+      }
+      value.comment = null;
+    }
+    if (leakedSpace) value.spaceBefore = false;
+  }
+}
+// src/init/components.ts
+import { existsSync as existsSync2, promises as fs4 } from "fs";
+import path3 from "path";
+import { z as z3 } from "zod";
+import { parse as parseYaml } from "yaml";
+var CategorySchema = z3.enum(["language", "service", "feature"]);
+var FeatureContributionSchema = z3.object({
+  ref: z3.string().regex(REGEX.featureRef),
+  options: z3.record(z3.string(), FeatureOptionValueSchema).optional()
+});
+var ComponentFileSchema = z3.object({
+  displayName: z3.string().min(1),
+  description: z3.string().min(1),
+  category: CategorySchema,
+  contributes: z3.object({
+    languages: z3.array(z3.string().min(1)).optional(),
+    services: z3.array(z3.string().min(1)).optional(),
+    features: z3.array(FeatureContributionSchema).optional()
+  })
+}).superRefine((data, ctx) => {
+  const c = data.contributes;
+  const filled = [
+    c.languages && c.languages.length > 0 ? "languages" : null,
+    c.services && c.services.length > 0 ? "services" : null,
+    c.features && c.features.length > 0 ? "features" : null
+  ].filter((x) => x !== null);
+  if (filled.length === 0) {
+    ctx.addIssue({
+      code: z3.ZodIssueCode.custom,
+      message: "contributes must set at least one of languages/services/features"
     });
-    child.stdout?.pipe(createSecretMaskStream()).pipe(process.stdout);
-    child.stderr?.pipe(createSecretMaskStream()).pipe(process.stderr);
-    child.on("error", reject);
-    child.on("exit", (code) => resolve(code ?? 0));
-  });
-};
-var spawnDocker = (args) => {
+    return;
+  }
+  if (filled.length > 1) {
+    ctx.addIssue({
+      code: z3.ZodIssueCode.custom,
+      message: `contributes must set exactly one of languages/services/features, got: ${filled.join(", ")}`
+    });
+    return;
+  }
+  const expected = data.category === "language" ? "languages" : data.category === "service" ? "services" : "features";
+  if (filled[0] !== expected) {
+    ctx.addIssue({
+      code: z3.ZodIssueCode.custom,
+      message: `category '${data.category}' requires contributes.${expected}, got contributes.${filled[0]}`
+    });
+  }
+});
+async function loadComponentCatalog(rootDir = componentsDir()) {
+  if (!existsSync2(rootDir)) {
+    return /* @__PURE__ */ new Map();
+  }
+  const out = /* @__PURE__ */ new Map();
+  await walk(rootDir, rootDir, out);
+  return out;
+}
+async function walk(baseDir, currentDir, out) {
+  const entries = await fs4.readdir(currentDir, { withFileTypes: true });
+  for (const entry2 of entries) {
+    const full = path3.join(currentDir, entry2.name);
+    if (entry2.isDirectory()) {
+      await walk(baseDir, full, out);
+      continue;
+    }
+    if (!entry2.isFile() || !entry2.name.endsWith(".yml")) continue;
+    const relative = path3.relative(baseDir, full);
+    const name = relative.replace(/\.yml$/, "").split(path3.sep).join("/");
+    const text = await fs4.readFile(full, "utf8");
+    let raw;
+    try {
+      raw = parseYaml(text);
+    } catch (err) {
+      throw new Error(
+        `Failed to parse component ${name} (${full}): ${err.message}`
+      );
+    }
+    const parsed = ComponentFileSchema.safeParse(raw);
+    if (!parsed.success) {
+      const issues = parsed.error.issues.map((issue) => {
+        const where = issue.path.length > 0 ? issue.path.join(".") : "(root)";
+        return `  - ${where}: ${issue.message}`;
+      }).join("\n");
+      throw new Error(`Invalid component ${name} (${full}):
+${issues}`);
+    }
+    out.set(name, { name, sourcePath: full, file: parsed.data });
+  }
+}
+function mergeComponents(resolved) {
+  const languages = [];
+  const services = [];
+  const featureByRef = /* @__PURE__ */ new Map();
+  for (const entry2 of resolved) {
+    const c = isResolvedComponent(entry2) ? entry2.component : entry2;
+    const version = isResolvedComponent(entry2) ? entry2.version : void 0;
+    const ct = c.file.contributes;
+    for (const lang of ct.languages ?? []) {
+      const value = version !== void 0 ? `${lang}:${version}` : lang;
+      if (!languages.includes(value)) languages.push(value);
+    }
+    for (const svc of ct.services ?? []) {
+      if (!services.includes(svc)) services.push(svc);
+    }
+    for (const f of ct.features ?? []) {
+      const existing = featureByRef.get(f.ref);
+      if (!existing) {
+        featureByRef.set(f.ref, {
+          ref: f.ref,
+          options: { ...f.options ?? {} }
+        });
+        continue;
+      }
+      existing.options = mergeFeatureOptions(existing.options, f.options ?? {});
+    }
+  }
+  return {
+    languages,
+    services,
+    features: [...featureByRef.values()]
+  };
+}
+function isResolvedComponent(x) {
+  return "component" in x;
+}
+function mergeFeatureOptions(a, b) {
+  const result = { ...a };
+  for (const [key, valueB] of Object.entries(b)) {
+    const valueA = result[key];
+    if (typeof valueA === "boolean" && typeof valueB === "boolean") {
+      result[key] = valueA || valueB;
+      continue;
+    }
+    result[key] = valueB;
+  }
+  return result;
+}
+function resolveComponents(catalog, names) {
+  const unknown = [];
+  const out = [];
+  for (const raw of names) {
+    const colon = raw.indexOf(":");
+    const name = colon === -1 ? raw : raw.slice(0, colon);
+    const version = colon === -1 ? void 0 : raw.slice(colon + 1);
+    const c = catalog.get(name);
+    if (!c) {
+      unknown.push(raw);
+      continue;
+    }
+    if (version !== void 0 && c.file.category !== "language") {
+      throw new Error(
+        `Component '${name}' is a ${c.file.category}, not a language \u2014 a ':${version}' suffix has no meaning here.`
+      );
+    }
+    out.push({ component: c, ...version !== void 0 ? { version } : {} });
+  }
+  if (unknown.length > 0) {
+    const available = [...catalog.keys()].sort();
+    throw new Error(
+      `Unknown component${unknown.length > 1 ? "s" : ""}: ${unknown.join(", ")}.
+Available: ${available.join(", ")}.`
+    );
+  }
+  return out;
+}
+// src/proxy/index.ts
+import { spawn as spawn3 } from "child_process";
+import { promises as fs5 } from "fs";
+import path4 from "path";
+var PROXY_CONTAINER_NAME = "monoceros-proxy";
+var PROXY_NETWORK_NAME = "monoceros-proxy";
+var TRAEFIK_IMAGE = "traefik:v3.3";
+var defaultDockerExec = (args) => {
   return new Promise((resolve, reject) => {
-    const child = spawn4("docker", args, {
+    const child = spawn3("docker", args, {
       stdio: ["ignore", "pipe", "pipe"]
     });
     let stdout = "";
     let stderr = "";
-    child.stdout?.on("data", (chunk) => {
-      stdout += chunk.toString("utf8");
+    child.stdout.on("data", (chunk) => {
+      stdout += chunk.toString();
     });
-    child.stderr?.on("data", (chunk) => {
-      stderr += chunk.toString("utf8");
+    child.stderr.on("data", (chunk) => {
+      stderr += chunk.toString();
     });
     child.on("error", reject);
     child.on(
       "exit",
-      (code) => resolve({ exitCode: code ?? 0, stdout, stderr })
+      (code) => resolve({ stdout, stderr, exitCode: code ?? 0 })
     );
   });
 };
-async function findContainerIds(filters, exec = spawnDocker) {
-  const ids = /* @__PURE__ */ new Set();
-  for (const filter of filters) {
-    const result = await exec(["ps", "-aq", "--filter", filter]);
-    if (result.exitCode !== 0) continue;
-    for (const line of result.stdout.split(/\r?\n/)) {
-      const id = line.trim();
-      if (id) ids.add(id);
+var realDocker = defaultDockerExec;
+function proxyDynamicDir(home) {
+  return path4.join(home ?? monocerosHome(), "traefik", "dynamic");
+}
+async function ensureProxy(opts = {}) {
+  const docker = opts.docker ?? realDocker;
+  const dyn = proxyDynamicDir(opts.monocerosHome);
+  await fs5.mkdir(dyn, { recursive: true });
+  const netInspect = await docker(["network", "inspect", PROXY_NETWORK_NAME]);
+  if (netInspect.exitCode !== 0) {
+    const create = await docker(["network", "create", PROXY_NETWORK_NAME]);
+    if (create.exitCode !== 0) {
+      throw new Error(
+        `Could not create docker network ${PROXY_NETWORK_NAME}: ${create.stderr.trim() || `exit ${create.exitCode}`}`
+      );
     }
   }
-  return [...ids];
-}
-async function cleanupDockerObjects(opts) {
-  const exec = opts.exec ?? spawnDocker;
-  const tag = opts.logTag ?? "cleanup";
-  opts.logger.info(`[${tag}] tearing down docker project ${opts.projectName}\u2026`);
-  const ids = await findContainerIds(opts.filters, exec);
-  let rmExit = 0;
-  if (ids.length > 0) {
-    opts.logger.info(`[${tag}] removing containers: ${ids.join(" ")}`);
-    const rmResult = await exec(["rm", "-f", ...ids]);
-    rmExit = rmResult.exitCode;
-    if (rmExit !== 0 && rmResult.stderr.trim()) {
-      opts.logger.info(`[${tag}] ${rmResult.stderr.trim()}`);
+  const state = await docker([
+    "inspect",
+    "--format",
+    "{{.State.Running}}",
+    PROXY_CONTAINER_NAME
+  ]);
+  if (state.exitCode === 0) {
+    if (state.stdout.trim() === "true") return;
+    const start = await docker(["start", PROXY_CONTAINER_NAME]);
+    if (start.exitCode !== 0) {
+      throw new Error(
+        `Could not start existing ${PROXY_CONTAINER_NAME} container: ${start.stderr.trim() || `exit ${start.exitCode}`}`
+      );
     }
-  } else {
-    opts.logger.info(`[${tag}] no containers found`);
+    return;
   }
-  if (opts.network) {
-    const netResult = await exec(["network", "rm", opts.network]);
-    if (netResult.exitCode === 0) {
-      opts.logger.info(`[${tag}] network ${opts.network} removed`);
-    }
+  const hostPort = opts.hostPort ?? 80;
+  const run = await docker([
+    "run",
+    "-d",
+    "--name",
+    PROXY_CONTAINER_NAME,
+    "--network",
+    PROXY_NETWORK_NAME,
+    "-p",
+    `${hostPort}:80`,
+    "-v",
+    `${dyn}:/etc/traefik/dynamic:ro`,
+    "--label",
+    "monoceros.role=proxy",
+    TRAEFIK_IMAGE,
+    "--entrypoints.web.address=:80",
+    "--providers.file.directory=/etc/traefik/dynamic",
+    "--providers.file.watch=true",
+    "--providers.docker=false",
+    "--api.dashboard=false",
+    "--log.level=INFO"
+  ]);
+  if (run.exitCode !== 0) {
+    throw new Error(
+      `Could not start ${PROXY_CONTAINER_NAME}: ${run.stderr.trim() || `exit ${run.exitCode}`}`
+    );
   }
-  opts.logger.info(`[${tag}] docker cleanup done`);
-  return { exitCode: rmExit, removedIds: ids };
-}
-function dockerLocalFolderLabel(p) {
-  if (process.platform !== "win32") return p;
-  return p.replace(
-    /^([A-Z]):/,
-    (_, drive) => `${drive.toLowerCase()}:`
+  opts.logger?.info(
+    `Started ${PROXY_CONTAINER_NAME} (Traefik on :${hostPort}).`
   );
 }
-function composeProjectName(root) {
-  return `${path5.basename(root)}_devcontainer`;
-}
-function resolveCompose(root) {
-  if (!existsSync2(path5.join(root, ".devcontainer"))) {
-    throw new Error(
-      `No .devcontainer/ at ${root}. Run \`monoceros apply <name>\` first.`
-    );
+async function maybeStopProxy(opts = {}) {
+  const docker = opts.docker ?? realDocker;
+  const logger = opts.logger;
+  const inspect = await docker([
+    "network",
+    "inspect",
+    PROXY_NETWORK_NAME,
+    "--format",
+    "{{range $k, $v := .Containers}}{{$v.Name}}\n{{end}}"
+  ]);
+  if (inspect.exitCode !== 0) {
+    return;
   }
-  const composeFile = path5.join(root, ".devcontainer", "compose.yaml");
-  if (!existsSync2(composeFile)) {
-    throw new Error(
-      `No compose.yaml at ${composeFile}. \`start\` / \`stop\` / \`status\` / \`logs\` require services configured via \`monoceros add-service <name> <svc>\`. Use \`monoceros shell <name>\` to enter the container directly.`
+  const others = inspect.stdout.split("\n").map((n) => n.trim()).filter((n) => n.length > 0 && n !== PROXY_CONTAINER_NAME);
+  if (others.length > 0) return;
+  await docker(["rm", "-f", PROXY_CONTAINER_NAME]);
+  const netRm = await docker(["network", "rm", PROXY_NETWORK_NAME]);
+  if (netRm.exitCode !== 0) {
+    logger?.warn?.(
+      `Could not remove docker network ${PROXY_NETWORK_NAME}: ${netRm.stderr.trim() || `exit ${netRm.exitCode}`}`
     );
+    return;
   }
-  return { composeFile, projectName: composeProjectName(root) };
-}
-async function runComposeAction(buildSubArgs, opts) {
-  const { composeFile, projectName } = resolveCompose(opts.root);
-  const spawnFn = opts.spawn ?? spawnDockerCompose;
-  const subArgs = buildSubArgs(opts.service);
-  return spawnFn(["-f", composeFile, "-p", projectName, ...subArgs], opts.root);
-}
-async function runStart(opts) {
-  resolveCompose(opts.root);
-  const logger = opts.logger ?? { info: (msg) => consola.info(msg) };
-  const spawnFn = opts.spawn ?? spawnDevcontainer;
-  logger.info(`Bringing devcontainer up at ${opts.root}\u2026`);
-  return spawnFn(
-    ["up", "--workspace-folder", opts.root, "--mount-workspace-git-root=false"],
-    opts.root
+  logger?.info(
+    `Stopped ${PROXY_CONTAINER_NAME} (no dev-containers with ports left).`
   );
 }
-async function runContainerCycle(root, opts) {
-  const { hasCompose, logger } = opts;
-  if (hasCompose) {
-    const projectName = composeProjectName(root);
-    logger.info(
-      `Force-removing existing ${projectName} containers (volumes preserved)\u2026`
+// src/proxy/dynamic.ts
+import { promises as fs6 } from "fs";
+import path5 from "path";
+async function writeDynamicConfig(name, ports, opts = {}) {
+  if (ports.length === 0) {
+    throw new Error(
+      `writeDynamicConfig requires at least one port. For empty port lists, call removeDynamicConfig(${JSON.stringify(name)}).`
     );
-    const exec = opts.dockerExec ?? spawnDocker;
-    const filters = [
-      `label=com.docker.compose.project=${projectName}`,
-      `name=^${projectName}-`
-    ];
-    const { exitCode: rmExit } = await cleanupDockerObjects({
-      projectName,
-      filters,
-      network: `${projectName}_default`,
-      logger,
-      exec
-    });
-    if (rmExit !== 0) return rmExit;
-    const remaining = await findContainerIds(filters, exec);
-    if (remaining.length > 0) {
-      const warn = logger.warn ?? logger.info;
-      warn(
-        `ERROR: containers under project ${projectName} reappeared after removal.
-This typically means VS Code's Remote Containers extension is connected
-to this devcontainer and auto-recreated it. Close the dev container
-session in VS Code (Cmd+Shift+P \u2192 'Dev Containers: Close Remote Connection')
-and retry \`monoceros apply\`.`
-      );
-      return 1;
-    }
-    return runStart({
-      root,
-      ...opts.devcontainerSpawn ? { spawn: opts.devcontainerSpawn } : {},
-      logger
-    });
   }
-  logger.info(`Recreating image-mode devcontainer at ${root}\u2026`);
-  const spawnFn = opts.devcontainerSpawn ?? spawnDevcontainer;
-  return spawnFn(
-    [
-      "up",
-      "--workspace-folder",
-      root,
-      "--mount-workspace-git-root=false",
-      "--remove-existing-container"
-    ],
-    root
-  );
+  const dir = proxyDynamicDir(opts.monocerosHome);
+  await fs6.mkdir(dir, { recursive: true });
+  const file = path5.join(dir, `${name}.yml`);
+  await fs6.writeFile(file, renderDynamicConfig(name, ports), "utf8");
+  return file;
 }
-function runStop(opts) {
-  return runComposeAction(
-    (service) => ["stop", ...service ? [service] : []],
-    opts
-  );
+async function removeDynamicConfig(name, opts = {}) {
+  const file = path5.join(proxyDynamicDir(opts.monocerosHome), `${name}.yml`);
+  await fs6.rm(file, { force: true });
 }
-function runStatus(opts) {
-  return runComposeAction(
-    (service) => ["ps", ...service ? [service] : []],
-    opts
+function renderDynamicConfig(name, ports) {
+  const lines = [];
+  lines.push("# Generated by Monoceros \u2014 do not edit by hand.");
+  lines.push(`# Container: ${name}`);
+  lines.push(`# Ports: ${ports.join(", ")}`);
+  lines.push("# Traefik file-provider re-reads this on change (~100 ms);");
+  lines.push(
+    "# to change routing, edit container-configs/" + name + ".yml or use"
   );
+  lines.push("# `monoceros add-port` / `monoceros remove-port`.");
+  lines.push("http:");
+  lines.push("  routers:");
+  ports.forEach((port, idx) => {
+    const router = `${name}-${port}`;
+    const hostExplicit = `${name}-${port}.localhost`;
+    const rule = idx === 0 ? `"Host(\`${name}.localhost\`) || Host(\`${hostExplicit}\`)"` : `"Host(\`${hostExplicit}\`)"`;
+    lines.push(`    ${router}:`);
+    lines.push(`      rule: ${rule}`);
+    lines.push(`      service: ${router}`);
+    lines.push("      entryPoints:");
+    lines.push("        - web");
+  });
+  lines.push("  services:");
+  for (const port of ports) {
+    const svc = `${name}-${port}`;
+    lines.push(`    ${svc}:`);
+    lines.push("      loadBalancer:");
+    lines.push("        servers:");
+    lines.push(`          - url: "http://${name}:${port}"`);
+  }
+  return lines.join("\n") + "\n";
 }
-function runLogs(opts) {
-  const follow = opts.follow ?? true;
-  return runComposeAction(
-    (service) => [
-      "logs",
-      ...follow ? ["-f"] : [],
-      ...service ? [service] : []
-    ],
-    opts
-  );
+function proxyUrlsFor(name, ports, hostPort = 80) {
+  const portSuffix = hostPort === 80 ? "" : `:${hostPort}`;
+  return ports.map((port, idx) => ({
+    port,
+    url: `http://${name}-${port}.localhost${portSuffix}`,
+    isDefault: idx === 0
+  }));
 }
-// src/devcontainer/locate-running.ts
-var realDockerLookup = (args) => {
-  return new Promise((resolve, reject) => {
-    const child = spawn5("docker", args, {
-      stdio: ["ignore", "pipe", "pipe"]
+// src/proxy/port-check.ts
+import { Socket } from "net";
+var CONNECT_TIMEOUT_MS = 750;
+var realPortProbe = (port) => {
+  return new Promise((resolve) => {
+    const socket = new Socket();
+    let settled = false;
+    const settle = (result) => {
+      if (settled) return;
+      settled = true;
+      socket.destroy();
+      resolve(result);
+    };
+    socket.setTimeout(CONNECT_TIMEOUT_MS);
+    socket.once("connect", () => {
+      settle({
+        ok: false,
+        code: "EADDRINUSE",
+        message: `another process is listening on ${port}`
+      });
     });
-    let stdout = "";
-    let stderr = "";
-    child.stdout.on("data", (chunk) => {
-      stdout += chunk.toString();
+    socket.once("timeout", () => {
+      settle({ ok: true });
     });
-    child.stderr.on("data", (chunk) => {
-      stderr += chunk.toString();
+    socket.once("error", (err) => {
+      const code = err.code ?? "UNKNOWN";
+      if (code === "ECONNREFUSED") {
+        settle({ ok: true });
+      } else {
+        settle({
+          ok: false,
+          code,
+          message: err.message
+        });
+      }
     });
-    child.on("error", reject);
-    child.on(
-      "exit",
-      (code) => resolve({ stdout, stderr, exitCode: code ?? 0 })
-    );
-  });
-};
-async function findRunningContainerByLocalFolder(containerPath, opts = {}) {
-  const docker = opts.docker ?? realDockerLookup;
-  const result = await docker([
-    "ps",
-    "-q",
-    "--filter",
-    `label=devcontainer.local_folder=${dockerLocalFolderLabel(containerPath)}`,
-    "--filter",
-    "status=running"
-  ]);
-  if (result.exitCode !== 0) return null;
-  const ids = result.stdout.split("\n").map((s) => s.trim()).filter((s) => s.length > 0);
-  return ids[0] ?? null;
-}
-var realContainerExec = (containerId, argv) => {
-  return new Promise((resolve, reject) => {
-    const child = spawn5("docker", ["exec", containerId, ...argv], {
-      // Inherit stdio so live git output reaches the user.
-      stdio: ["ignore", "inherit", "inherit"]
-    });
-    child.on("error", reject);
-    child.on("exit", (code) => resolve({ exitCode: code ?? 0 }));
-  });
-};
-// src/config/global.ts
-import { promises as fs4 } from "fs";
-import { z as z2 } from "zod";
-import { isMap, Pair, parseDocument as parseDocument2, Scalar, YAMLMap } from "yaml";
-var SCHEMA_VERSION = 1;
-var MonocerosConfigSchema = z2.object({
-  schemaVersion: z2.literal(SCHEMA_VERSION),
-  // .nullish() (= .optional().nullable()) on defaults so the shipped
-  // sample yml — where `defaults:` is uncommented but every sub-block
-  // is commented out — parses cleanly. YAML produces `defaults: null`
-  // in that case; without .nullish() the schema would reject it and
-  // we'd be back to forcing builders to comment-juggle three lines.
-  defaults: z2.object({
-    // .nullish() (not just .optional()) so the sample yml can leave
-    // `git:` uncommented as a category marker — YAML produces
-    // `git: null` for an empty mapping, which zod's plain
-    // `.optional()` would reject.
-    git: z2.object({
-      user: GitUserSchema.optional()
-    }).nullish(),
-    // .nullish() for the same reason as `git` — the sample keeps
-    // `features:` uncommented as a category marker.
-    features: z2.record(
-      z2.string().regex(
-        REGEX.featureRef,
-        "Invalid feature ref. Expected an OCI-image-style ref like 'ghcr.io/getmonoceros/monoceros-features/<name>:<tag>'."
-      ),
-      z2.record(z2.string(), FeatureOptionValueSchema)
-    ).nullish()
-  }).nullish(),
-  // Machine-global routing settings — one Traefik per builder, so
-  // host-port and similar live here rather than in any container yml.
-  // See ADR 0007.
-  routing: z2.object({
-    hostPort: z2.number().int().min(1).max(65535).optional().describe(
-      "Host port the Traefik singleton binds. Default 80. Set this when 80 is held by another service on your machine \u2014 URLs then become http://<name>.localhost:<port>/."
-    )
-  }).nullish()
-});
-async function readMonocerosConfig(opts = {}) {
-  const home = opts.monocerosHome ?? monocerosHome();
-  const filePath = monocerosConfigPath(home);
-  let text;
-  try {
-    text = await fs4.readFile(filePath, "utf8");
-  } catch {
-    return void 0;
-  }
-  const doc = parseDocument2(text, { prettyErrors: true });
-  if (doc.errors.length > 0) {
-    throw new Error(
-      `yaml parse error in ${filePath}: ${doc.errors[0].message}`
-    );
-  }
-  const result = MonocerosConfigSchema.safeParse(doc.toJS());
-  if (!result.success) {
-    const issues = result.error.issues.map((issue) => {
-      const where = issue.path.length > 0 ? issue.path.join(".") : "(root)";
-      return `  - ${where}: ${issue.message}`;
-    }).join("\n");
-    throw new Error(
-      `Invalid ${filePath}:
-${issues}
-See ${filePath.replace(
-        /\.yml$/,
-        ".sample.yml"
-      )} for a valid example.`
-    );
-  }
-  return result.data;
-}
-var DEFAULT_PROXY_HOST_PORT = 80;
-function proxyHostPort(config) {
-  return config?.routing?.hostPort ?? DEFAULT_PROXY_HOST_PORT;
-}
-async function writeGlobalDefaultGitUser(user, opts = {}) {
-  const home = opts.monocerosHome ?? monocerosHome();
-  const filePath = monocerosConfigPath(home);
-  let text;
-  try {
-    text = await fs4.readFile(filePath, "utf8");
-  } catch {
-    text = void 0;
-  }
-  if (text === void 0) {
-    const fresh = [
-      "# Optional \u2014 global defaults for monoceros containers.",
-      "",
-      "schemaVersion: 1",
-      "",
-      "defaults:",
-      "  git:",
-      "    user:",
-      `      name: ${user.name}`,
-      `      email: ${user.email}`,
-      ""
-    ].join("\n");
-    await fs4.mkdir(home, { recursive: true });
-    await fs4.writeFile(filePath, fresh, "utf8");
-    return { filePath, created: true, alreadySet: false };
-  }
-  const doc = parseDocument2(text, { prettyErrors: true });
-  if (doc.errors.length > 0) {
-    throw new Error(
-      `yaml parse error in ${filePath}: ${doc.errors[0].message}`
-    );
-  }
-  const defaultsMap = ensureMap(doc, "defaults");
-  const gitMap = ensureSubMapAtTop(defaultsMap, "git");
-  const userMap = ensureSubMap(gitMap, "user");
-  const existingName = userMap.get("name");
-  const existingEmail = userMap.get("email");
-  if (typeof existingName === "string" && existingName.length > 0 && typeof existingEmail === "string" && existingEmail.length > 0) {
-    return { filePath, created: false, alreadySet: true };
-  }
-  relocateLeakedLeafComments(userMap, defaultsMap, "git");
-  userMap.set("name", user.name);
-  userMap.set("email", user.email);
-  const newText = String(doc);
-  await fs4.writeFile(filePath, newText, "utf8");
-  return { filePath, created: false, alreadySet: false };
-}
-function ensureMap(doc, key) {
-  const node = doc.get(key, true);
-  if (node && isMap(node)) return node;
-  const m = new YAMLMap();
-  doc.set(key, m);
-  return m;
-}
-function ensureSubMap(parent, key) {
-  const node = parent.get(key, true);
-  if (node && isMap(node)) return node;
-  const m = new YAMLMap();
-  parent.set(key, m);
-  return m;
-}
-function ensureSubMapAtTop(parent, key) {
-  const node = parent.get(key, true);
-  if (node && isMap(node)) return node;
-  const parentMaybe = parent;
-  const newKey = new Scalar(key);
-  if (parent.items.length > 0 && typeof parentMaybe.commentBefore === "string" && parentMaybe.commentBefore.length > 0) {
-    const cleaned = stripCommentedKeySkeleton(parentMaybe.commentBefore, key);
-    const blankMatch = cleaned.match(/\n[ \t]*\n/);
-    let head;
-    let tail;
-    if (blankMatch && blankMatch.index !== void 0) {
-      head = cleaned.slice(0, blankMatch.index);
-      tail = cleaned.slice(blankMatch.index + blankMatch[0].length);
-    } else {
-      head = cleaned;
-      tail = "";
-    }
-    if (head.length > 0) {
-      newKey.commentBefore = head;
-      if (parentMaybe.spaceBefore) newKey.spaceBefore = true;
-    }
-    if (tail.length > 0) {
-      const firstKey = parent.items[0].key;
-      if (firstKey && typeof firstKey === "object") {
-        const existing = firstKey.commentBefore ?? "";
-        firstKey.commentBefore = existing ? `${tail}
-${existing}` : tail;
-        firstKey.spaceBefore = true;
-      }
-    }
-    parentMaybe.commentBefore = null;
-    parentMaybe.spaceBefore = false;
-  }
-  const m = new YAMLMap();
-  const pair = new Pair(newKey, m);
-  parent.items.unshift(pair);
-  return m;
-}
-function stripCommentedKeySkeleton(commentBody, key) {
-  const lines = commentBody.split("\n");
-  const headRe = new RegExp(`^ ${escapeRegExp(key)}:\\s*$`);
-  const out = [];
-  let i = 0;
-  while (i < lines.length) {
-    const line = lines[i];
-    if (headRe.test(line)) {
-      i++;
-      while (i < lines.length && /^ {2,}\S/.test(lines[i])) {
-        i++;
-      }
-      continue;
-    }
-    out.push(line);
-    i++;
-  }
-  return out.join("\n");
-}
-function escapeRegExp(s) {
-  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-}
-function relocateLeakedLeafComments(leafMap, parent, ancestorKey) {
-  const items = parent.items;
-  const ancestorIdx = items.findIndex((p) => {
-    const k = p.key;
-    const v = typeof k === "string" ? k : k?.value ?? null;
-    return v === ancestorKey;
-  });
-  if (ancestorIdx < 0 || ancestorIdx + 1 >= items.length) return;
-  const target = items[ancestorIdx + 1];
-  for (const pair of leafMap.items) {
-    const value = pair.value;
-    if (!value || typeof value !== "object") continue;
-    const leakedComment = value.comment;
-    const leakedSpace = value.spaceBefore;
-    if (!leakedComment && !leakedSpace) continue;
-    if (leakedComment) {
-      const targetKey = target.key;
-      if (targetKey && typeof targetKey === "object") {
-        const existing = targetKey.commentBefore ?? "";
-        targetKey.commentBefore = existing ? `${leakedComment}
-${existing}` : leakedComment;
-        if (leakedSpace) targetKey.spaceBefore = true;
-      }
-      value.comment = null;
-    }
-    if (leakedSpace) value.spaceBefore = false;
-  }
-}
-// src/init/components.ts
-import { existsSync as existsSync3, promises as fs5 } from "fs";
-import path6 from "path";
-import { z as z3 } from "zod";
-import { parse as parseYaml } from "yaml";
-var CategorySchema = z3.enum(["language", "service", "feature"]);
-var FeatureContributionSchema = z3.object({
-  ref: z3.string().regex(REGEX.featureRef),
-  options: z3.record(z3.string(), FeatureOptionValueSchema).optional()
-});
-var ComponentFileSchema = z3.object({
-  displayName: z3.string().min(1),
-  description: z3.string().min(1),
-  category: CategorySchema,
-  contributes: z3.object({
-    languages: z3.array(z3.string().min(1)).optional(),
-    services: z3.array(z3.string().min(1)).optional(),
-    features: z3.array(FeatureContributionSchema).optional()
-  })
-}).superRefine((data, ctx) => {
-  const c = data.contributes;
-  const filled = [
-    c.languages && c.languages.length > 0 ? "languages" : null,
-    c.services && c.services.length > 0 ? "services" : null,
-    c.features && c.features.length > 0 ? "features" : null
-  ].filter((x) => x !== null);
-  if (filled.length === 0) {
-    ctx.addIssue({
-      code: z3.ZodIssueCode.custom,
-      message: "contributes must set at least one of languages/services/features"
-    });
-    return;
-  }
-  if (filled.length > 1) {
-    ctx.addIssue({
-      code: z3.ZodIssueCode.custom,
-      message: `contributes must set exactly one of languages/services/features, got: ${filled.join(", ")}`
-    });
-    return;
-  }
-  const expected = data.category === "language" ? "languages" : data.category === "service" ? "services" : "features";
-  if (filled[0] !== expected) {
-    ctx.addIssue({
-      code: z3.ZodIssueCode.custom,
-      message: `category '${data.category}' requires contributes.${expected}, got contributes.${filled[0]}`
-    });
-  }
-});
-async function loadComponentCatalog(rootDir = componentsDir()) {
-  if (!existsSync3(rootDir)) {
-    return /* @__PURE__ */ new Map();
-  }
-  const out = /* @__PURE__ */ new Map();
-  await walk(rootDir, rootDir, out);
-  return out;
-}
-async function walk(baseDir, currentDir, out) {
-  const entries = await fs5.readdir(currentDir, { withFileTypes: true });
-  for (const entry2 of entries) {
-    const full = path6.join(currentDir, entry2.name);
-    if (entry2.isDirectory()) {
-      await walk(baseDir, full, out);
-      continue;
-    }
-    if (!entry2.isFile() || !entry2.name.endsWith(".yml")) continue;
-    const relative = path6.relative(baseDir, full);
-    const name = relative.replace(/\.yml$/, "").split(path6.sep).join("/");
-    const text = await fs5.readFile(full, "utf8");
-    let raw;
-    try {
-      raw = parseYaml(text);
-    } catch (err) {
-      throw new Error(
-        `Failed to parse component ${name} (${full}): ${err.message}`
-      );
-    }
-    const parsed = ComponentFileSchema.safeParse(raw);
-    if (!parsed.success) {
-      const issues = parsed.error.issues.map((issue) => {
-        const where = issue.path.length > 0 ? issue.path.join(".") : "(root)";
-        return `  - ${where}: ${issue.message}`;
-      }).join("\n");
-      throw new Error(`Invalid component ${name} (${full}):
-${issues}`);
-    }
-    out.set(name, { name, sourcePath: full, file: parsed.data });
-  }
-}
-function mergeComponents(resolved) {
-  const languages = [];
-  const services = [];
-  const featureByRef = /* @__PURE__ */ new Map();
-  for (const entry2 of resolved) {
-    const c = isResolvedComponent(entry2) ? entry2.component : entry2;
-    const version = isResolvedComponent(entry2) ? entry2.version : void 0;
-    const ct = c.file.contributes;
-    for (const lang of ct.languages ?? []) {
-      const value = version !== void 0 ? `${lang}:${version}` : lang;
-      if (!languages.includes(value)) languages.push(value);
-    }
-    for (const svc of ct.services ?? []) {
-      if (!services.includes(svc)) services.push(svc);
-    }
-    for (const f of ct.features ?? []) {
-      const existing = featureByRef.get(f.ref);
-      if (!existing) {
-        featureByRef.set(f.ref, {
-          ref: f.ref,
-          options: { ...f.options ?? {} }
-        });
-        continue;
-      }
-      existing.options = mergeFeatureOptions(existing.options, f.options ?? {});
-    }
-  }
-  return {
-    languages,
-    services,
-    features: [...featureByRef.values()]
-  };
-}
-function isResolvedComponent(x) {
-  return "component" in x;
-}
-function mergeFeatureOptions(a, b) {
-  const result = { ...a };
-  for (const [key, valueB] of Object.entries(b)) {
-    const valueA = result[key];
-    if (typeof valueA === "boolean" && typeof valueB === "boolean") {
-      result[key] = valueA || valueB;
-      continue;
-    }
-    result[key] = valueB;
-  }
-  return result;
-}
-function resolveComponents(catalog, names) {
-  const unknown = [];
-  const out = [];
-  for (const raw of names) {
-    const colon = raw.indexOf(":");
-    const name = colon === -1 ? raw : raw.slice(0, colon);
-    const version = colon === -1 ? void 0 : raw.slice(colon + 1);
-    const c = catalog.get(name);
-    if (!c) {
-      unknown.push(raw);
-      continue;
-    }
-    if (version !== void 0 && c.file.category !== "language") {
-      throw new Error(
-        `Component '${name}' is a ${c.file.category}, not a language \u2014 a ':${version}' suffix has no meaning here.`
-      );
-    }
-    out.push({ component: c, ...version !== void 0 ? { version } : {} });
-  }
-  if (unknown.length > 0) {
-    const available = [...catalog.keys()].sort();
-    throw new Error(
-      `Unknown component${unknown.length > 1 ? "s" : ""}: ${unknown.join(", ")}.
-Available: ${available.join(", ")}.`
-    );
-  }
-  return out;
-}
-// src/proxy/dynamic.ts
-import { promises as fs6 } from "fs";
-import path7 from "path";
-async function writeDynamicConfig(name, ports, opts = {}) {
-  if (ports.length === 0) {
-    throw new Error(
-      `writeDynamicConfig requires at least one port. For empty port lists, call removeDynamicConfig(${JSON.stringify(name)}).`
-    );
-  }
-  const dir = proxyDynamicDir(opts.monocerosHome);
-  await fs6.mkdir(dir, { recursive: true });
-  const file = path7.join(dir, `${name}.yml`);
-  await fs6.writeFile(file, renderDynamicConfig(name, ports), "utf8");
-  return file;
-}
-async function removeDynamicConfig(name, opts = {}) {
-  const file = path7.join(proxyDynamicDir(opts.monocerosHome), `${name}.yml`);
-  await fs6.rm(file, { force: true });
-}
-function renderDynamicConfig(name, ports) {
-  const lines = [];
-  lines.push("# Generated by Monoceros \u2014 do not edit by hand.");
-  lines.push(`# Container: ${name}`);
-  lines.push(`# Ports: ${ports.join(", ")}`);
-  lines.push("# Traefik file-provider re-reads this on change (~100 ms);");
-  lines.push(
-    "# to change routing, edit container-configs/" + name + ".yml or use"
-  );
-  lines.push("# `monoceros add-port` / `monoceros remove-port`.");
-  lines.push("http:");
-  lines.push("  routers:");
-  ports.forEach((port, idx) => {
-    const router = `${name}-${port}`;
-    const hostExplicit = `${name}-${port}.localhost`;
-    const rule = idx === 0 ? `"Host(\`${name}.localhost\`) || Host(\`${hostExplicit}\`)"` : `"Host(\`${hostExplicit}\`)"`;
-    lines.push(`    ${router}:`);
-    lines.push(`      rule: ${rule}`);
-    lines.push(`      service: ${router}`);
-    lines.push("      entryPoints:");
-    lines.push("        - web");
-  });
-  lines.push("  services:");
-  for (const port of ports) {
-    const svc = `${name}-${port}`;
-    lines.push(`    ${svc}:`);
-    lines.push("      loadBalancer:");
-    lines.push("        servers:");
-    lines.push(`          - url: "http://${name}:${port}"`);
-  }
-  return lines.join("\n") + "\n";
-}
-function proxyUrlsFor(name, ports, hostPort = 80) {
-  const portSuffix = hostPort === 80 ? "" : `:${hostPort}`;
-  return ports.map((port, idx) => ({
-    port,
-    url: `http://${name}-${port}.localhost${portSuffix}`,
-    isDefault: idx === 0
-  }));
-}
-// src/proxy/port-check.ts
-import { Socket } from "net";
-var CONNECT_TIMEOUT_MS = 750;
-var realPortProbe = (port) => {
-  return new Promise((resolve) => {
-    const socket = new Socket();
-    let settled = false;
-    const settle = (result) => {
-      if (settled) return;
-      settled = true;
-      socket.destroy();
-      resolve(result);
-    };
-    socket.setTimeout(CONNECT_TIMEOUT_MS);
-    socket.once("connect", () => {
-      settle({
-        ok: false,
-        code: "EADDRINUSE",
-        message: `another process is listening on ${port}`
-      });
-    });
-    socket.once("timeout", () => {
-      settle({ ok: true });
-    });
-    socket.once("error", (err) => {
-      const code = err.code ?? "UNKNOWN";
-      if (code === "ECONNREFUSED") {
-        settle({ ok: true });
-      } else {
-        settle({
-          ok: false,
-          code,
-          message: err.message
-        });
-      }
-    });
-    socket.connect(port, "127.0.0.1");
+    socket.connect(port, "127.0.0.1");
   });
 };
 async function preflightHostPort(hostPort, opts = {}) {
@@ -2110,8 +1690,8 @@ function knownServices() {
 }
 // src/create/scaffold.ts
-import { existsSync as existsSync4, readFileSync as readFileSync2, promises as fs7 } from "fs";
-import path8 from "path";
+import { existsSync as existsSync3, readFileSync, promises as fs7 } from "fs";
+import path6 from "path";
 // src/util/ref.ts
 var FEATURE_NAME_CHARSET = "[a-z0-9._-]+";
@@ -2282,8 +1862,8 @@ function resolveFeatures(opts) {
       if (match) {
         const name = match.name;
         const checkout = workbenchCheckoutRoot();
-        const localSourceDir = checkout ? path8.join(checkout, "images", "features", name) : null;
-        if (localSourceDir && existsSync4(localSourceDir)) {
+        const localSourceDir = checkout ? path6.join(checkout, "images", "features", name) : null;
+        if (localSourceDir && existsSync3(localSourceDir)) {
           const { paths, files } = readPersistentHomeEntries(localSourceDir);
           resolved.push({
             devcontainerKey: `./features/${name}`,
@@ -2307,9 +1887,9 @@ function resolveFeatures(opts) {
   return resolved;
 }
 function readPersistentHomeEntries(localSourceDir) {
-  const manifestPath = path8.join(localSourceDir, "devcontainer-feature.json");
+  const manifestPath = path6.join(localSourceDir, "devcontainer-feature.json");
   try {
-    const text = readFileSync2(manifestPath, "utf8");
+    const text = readFileSync(manifestPath, "utf8");
     const parsed = JSON.parse(text);
     return {
       paths: filterSubpaths(parsed["x-monoceros"]?.persistentHomePaths),
@@ -2592,17 +2172,17 @@ function buildPostCreateScript(opts) {
   return lines.join("\n") + "\n";
 }
 async function writePostCreateScript(devcontainerDir, opts) {
-  const dest = path8.join(devcontainerDir, "post-create.sh");
+  const dest = path6.join(devcontainerDir, "post-create.sh");
   await fs7.writeFile(dest, buildPostCreateScript(opts));
   await fs7.chmod(dest, 493);
 }
 async function writeScaffold(opts, targetDir, scaffoldOpts = {}) {
   const dockerMode = scaffoldOpts.dockerMode ?? "rootful";
-  const devcontainerDir = path8.join(targetDir, ".devcontainer");
-  const monocerosDir = path8.join(targetDir, ".monoceros");
-  const projectsDir = path8.join(targetDir, "projects");
-  const homeDir = path8.join(targetDir, "home");
-  const dataDir = path8.join(targetDir, "data");
+  const devcontainerDir = path6.join(targetDir, ".devcontainer");
+  const monocerosDir = path6.join(targetDir, ".monoceros");
+  const projectsDir = path6.join(targetDir, "projects");
+  const homeDir = path6.join(targetDir, "home");
+  const dataDir = path6.join(targetDir, "data");
   await fs7.mkdir(devcontainerDir, { recursive: true });
   await fs7.mkdir(monocerosDir, { recursive: true });
   await fs7.mkdir(projectsDir, { recursive: true });
@@ -2612,56 +2192,56 @@ async function writeScaffold(opts, targetDir, scaffoldOpts = {}) {
     for (const svcId of opts.services) {
       const def = SERVICE_CATALOG[svcId];
       if (def?.dataMount) {
-        await fs7.mkdir(path8.join(dataDir, def.id), { recursive: true });
+        await fs7.mkdir(path6.join(dataDir, def.id), { recursive: true });
       }
     }
   }
-  const containerGitignore = path8.join(targetDir, ".gitignore");
+  const containerGitignore = path6.join(targetDir, ".gitignore");
   await fs7.writeFile(containerGitignore, "/home/\n/.monoceros/\n/data/\n");
-  const gitkeep = path8.join(projectsDir, ".gitkeep");
-  if (!existsSync4(gitkeep)) {
+  const gitkeep = path6.join(projectsDir, ".gitkeep");
+  if (!existsSync3(gitkeep)) {
     await fs7.writeFile(gitkeep, "");
   }
   await fs7.writeFile(
-    path8.join(monocerosDir, ".gitignore"),
+    path6.join(monocerosDir, ".gitignore"),
     "git-credentials*\ngitconfig\n"
   );
   const devcontainerJson = buildDevcontainerJson(opts, dockerMode);
   await fs7.writeFile(
-    path8.join(devcontainerDir, "devcontainer.json"),
+    path6.join(devcontainerDir, "devcontainer.json"),
     JSON.stringify(devcontainerJson, null, 2) + "\n"
   );
-  const featuresDir = path8.join(devcontainerDir, "features");
-  if (existsSync4(featuresDir)) {
+  const featuresDir = path6.join(devcontainerDir, "features");
+  if (existsSync3(featuresDir)) {
     await fs7.rm(featuresDir, { recursive: true, force: true });
   }
   const resolvedFeatures = resolveFeatures(opts);
   for (const f of resolvedFeatures) {
     if (!f.localSourceDir || !f.localName) continue;
-    const dest = path8.join(featuresDir, f.localName);
+    const dest = path6.join(featuresDir, f.localName);
     await fs7.mkdir(dest, { recursive: true });
     await fs7.cp(f.localSourceDir, dest, { recursive: true });
   }
   for (const f of resolvedFeatures) {
     for (const sub of f.persistentHomePaths) {
-      await fs7.mkdir(path8.join(homeDir, sub), { recursive: true });
+      await fs7.mkdir(path6.join(homeDir, sub), { recursive: true });
     }
     for (const entry2 of f.persistentHomeFiles) {
-      const filePath = path8.join(homeDir, entry2.path);
-      await fs7.mkdir(path8.dirname(filePath), { recursive: true });
-      if (!existsSync4(filePath)) {
+      const filePath = path6.join(homeDir, entry2.path);
+      await fs7.mkdir(path6.dirname(filePath), { recursive: true });
+      if (!existsSync3(filePath)) {
         await fs7.writeFile(filePath, entry2.initialContent);
       }
     }
   }
   await writePostCreateScript(devcontainerDir, opts);
-  const composePath = path8.join(devcontainerDir, "compose.yaml");
+  const composePath = path6.join(devcontainerDir, "compose.yaml");
   if (needsCompose(opts)) {
     await fs7.writeFile(composePath, buildComposeYaml(opts, dockerMode));
-  } else if (existsSync4(composePath)) {
+  } else if (existsSync3(composePath)) {
     await fs7.rm(composePath);
   }
-  const workspacePath = path8.join(targetDir, `${opts.name}.code-workspace`);
+  const workspacePath = path6.join(targetDir, `${opts.name}.code-workspace`);
   let existingWorkspace;
   try {
     const raw = await fs7.readFile(workspacePath, "utf8");
@@ -2686,25 +2266,25 @@ import {
 } from "yaml";
 // src/init/manifest.ts
-import { existsSync as existsSync5, readFileSync as readFileSync3 } from "fs";
-import path9 from "path";
+import { existsSync as existsSync4, readFileSync as readFileSync2 } from "fs";
+import path7 from "path";
 function resolveManifestPath(name, checkoutRoot) {
   if (checkoutRoot) {
-    const checkoutPath = path9.join(
+    const checkoutPath = path7.join(
       checkoutRoot,
       "images",
       "features",
       name,
       "devcontainer-feature.json"
     );
-    if (existsSync5(checkoutPath)) return checkoutPath;
+    if (existsSync4(checkoutPath)) return checkoutPath;
   }
-  const bundlePath = path9.join(
+  const bundlePath = path7.join(
     bundledFeaturesDir(),
     name,
     "devcontainer-feature.json"
   );
-  if (existsSync5(bundlePath)) return bundlePath;
+  if (existsSync4(bundlePath)) return bundlePath;
   return null;
 }
 function loadFeatureManifestSummary(ref, checkoutRoot = workbenchCheckoutRoot()) {
@@ -2713,7 +2293,7 @@ function loadFeatureManifestSummary(ref, checkoutRoot = workbenchCheckoutRoot())
   const manifestPath = resolveManifestPath(match.name, checkoutRoot);
   if (!manifestPath) return void 0;
   try {
-    const text = readFileSync3(manifestPath, "utf8");
+    const text = readFileSync2(manifestPath, "utf8");
     const parsed = JSON.parse(text);
     const rawHints = parsed["x-monoceros"]?.optionHints;
     const optionHints = Array.isArray(rawHints) ? rawHints.filter(
@@ -3389,7 +2969,7 @@ async function tryCloneInRunningContainer(input, entry2) {
   logger.info(
     `Cloned ${entry2.url} into /workspaces/${containerName2}/${targetRel} inside the running container.`
   );
-  void path10;
+  void path8;
 }
 function shquote(value) {
   return `'${value.replace(/'/g, `'\\''`)}'`;
@@ -3608,13 +3188,13 @@ async function mutate(opts, apply) {
 }
 function defaultLogger() {
   return {
-    info: (m) => consola2.info(m),
-    success: (m) => consola2.success(m),
-    warn: (m) => consola2.warn(m)
+    info: (m) => consola.info(m),
+    success: (m) => consola.success(m),
+    warn: (m) => consola.warn(m)
   };
 }
 var defaultConfirm = async (message) => {
-  const result = await consola2.prompt(message, {
+  const result = await consola.prompt(message, {
     type: "confirm",
     initial: false
   });
@@ -3654,9 +3234,6 @@ async function syncPortsToProxy(input) {
         ...input.proxyDocker ? { docker: input.proxyDocker } : {},
         logger: { info: (m) => logger.info(m), warn: (m) => logger.warn(m) }
       });
-      await kickProxyReload({
-        ...input.proxyDocker ? { docker: input.proxyDocker } : {}
-      });
       const urls = proxyUrlsFor(input.name, allPorts, hostPort);
       const lines = urls.map((u) => {
         const tag = u.isDefault ? " (default)" : "";
@@ -3666,9 +3243,6 @@ async function syncPortsToProxy(input) {
 ${lines.join("\n")}`);
     } else {
       await removeDynamicConfig(input.name, { monocerosHome: home });
-      await kickProxyReload({
-        ...input.proxyDocker ? { docker: input.proxyDocker } : {}
-      });
       await maybeStopProxy({
         monocerosHome: home,
         ...input.proxyDocker ? { docker: input.proxyDocker } : {},
@@ -3705,7 +3279,7 @@ var addAptPackagesCommand = defineCommand({
   async run({ args }) {
     const packages = [...getInnerArgs()];
     if (packages.length === 0) {
-      consola3.error(
+      consola2.error(
         "No package names given. Usage: `monoceros add-apt-packages <containername> [--yes] -- <pkg> [<pkg> \u2026]`."
       );
       process.exit(1);
@@ -3718,7 +3292,7 @@ var addAptPackagesCommand = defineCommand({
       });
       process.exit(result.status === "aborted" ? 1 : 0);
     } catch (err) {
-      consola3.error(err instanceof Error ? err.message : String(err));
+      consola2.error(err instanceof Error ? err.message : String(err));
       process.exit(1);
     }
   }
@@ -3726,7 +3300,7 @@ var addAptPackagesCommand = defineCommand({
 // src/commands/add-feature.ts
 import { defineCommand as defineCommand2 } from "citty";
-import { consola as consola4 } from "consola";
+import { consola as consola3 } from "consola";
 var addFeatureCommand = defineCommand2({
   meta: {
     name: "add-feature",
@@ -3756,7 +3330,7 @@ var addFeatureCommand = defineCommand2({
     try {
       options = parseOptionsAfterDashes(getInnerArgs());
     } catch (err) {
-      consola4.error(err instanceof Error ? err.message : String(err));
+      consola3.error(err instanceof Error ? err.message : String(err));
       process.exit(1);
     }
     try {
@@ -3768,7 +3342,7 @@ var addFeatureCommand = defineCommand2({
       });
       process.exit(result.status === "aborted" ? 1 : 0);
     } catch (err) {
-      consola4.error(err instanceof Error ? err.message : String(err));
+      consola3.error(err instanceof Error ? err.message : String(err));
       process.exit(1);
     }
   }
@@ -3800,7 +3374,7 @@ function coerce(value) {
 // src/commands/add-from-url.ts
 import { defineCommand as defineCommand3 } from "citty";
-import { consola as consola5 } from "consola";
+import { consola as consola4 } from "consola";
 var addFromUrlCommand = defineCommand3({
   meta: {
     name: "add-from-url",
@@ -3837,7 +3411,7 @@ var addFromUrlCommand = defineCommand3({
       });
       process.exit(result.status === "aborted" ? 1 : 0);
     } catch (err) {
-      consola5.error(err instanceof Error ? err.message : String(err));
+      consola4.error(err instanceof Error ? err.message : String(err));
       process.exit(1);
     }
   }
@@ -3872,7 +3446,7 @@ function printSecurityWarning(url) {
 // src/commands/add-repo.ts
 import { defineCommand as defineCommand4 } from "citty";
-import { consola as consola6 } from "consola";
+import { consola as consola5 } from "consola";
 var addRepoCommand = defineCommand4({
   meta: {
     name: "add-repo",
@@ -3926,7 +3500,7 @@ var addRepoCommand = defineCommand4({
       });
       process.exit(result.status === "aborted" ? 1 : 0);
     } catch (err) {
-      consola6.error(err instanceof Error ? err.message : String(err));
+      consola5.error(err instanceof Error ? err.message : String(err));
       process.exit(1);
     }
   }
@@ -3934,7 +3508,7 @@ var addRepoCommand = defineCommand4({
 // src/commands/add-language.ts
 import { defineCommand as defineCommand5 } from "citty";
-import { consola as consola7 } from "consola";
+import { consola as consola6 } from "consola";
 var addLanguageCommand = defineCommand5({
   meta: {
     name: "add-language",
@@ -3967,207 +3541,549 @@ var addLanguageCommand = defineCommand5({
         yes: args.yes
       });
       process.exit(result.status === "aborted" ? 1 : 0);
+    } catch (err) {
+      consola6.error(err instanceof Error ? err.message : String(err));
+      process.exit(1);
+    }
+  }
+});
+// src/commands/add-port.ts
+import { defineCommand as defineCommand6 } from "citty";
+import { consola as consola7 } from "consola";
+var addPortCommand = defineCommand6({
+  meta: {
+    name: "add-port",
+    group: "edit",
+    description: "Add one or more ports to the container config so they become reachable from the host via Traefik (`<container>.localhost` / `<container>-<port>.localhost`). Pass port numbers after `--` (e.g. `monoceros add-port sandbox -- 3000 5173 6006`). Idempotent. Persisted in the yml so later `monoceros apply` runs restore the routes. Pass `--default` together with a single port to make it the bare `<container>.localhost` route \u2014 the port is inserted at position 0 (or moved there if it already exists)."
+  },
+  args: {
+    name: {
+      type: "positional",
+      description: "Container name (yml in $MONOCEROS_HOME/container-configs/).",
+      required: true
+    },
+    yes: {
+      type: "boolean",
+      description: "Skip the interactive confirmation and apply the diff.",
+      alias: ["y"],
+      default: false
+    },
+    default: {
+      type: "boolean",
+      description: "Make the (single) port the new default route at `<container>.localhost`. Inserts the port at position 0 of `routing.ports`, or moves it there if it already exists. Errors when more than one port is passed.",
+      default: false
+    }
+  },
+  async run({ args }) {
+    const tokens = [...getInnerArgs()];
+    if (tokens.length === 0) {
+      consola7.error(
+        "No ports given. Usage: `monoceros add-port <containername> [--yes] [--default] -- <port> [<port> \u2026]`."
+      );
+      process.exit(1);
+    }
+    try {
+      const result = await runAddPort({
+        name: args.name,
+        ports: tokens.map(coerceToken),
+        yes: args.yes,
+        asDefault: args.default
+      });
+      process.exit(result.status === "aborted" ? 1 : 0);
     } catch (err) {
       consola7.error(err instanceof Error ? err.message : String(err));
       process.exit(1);
     }
   }
-});
+});
+function coerceToken(raw) {
+  const n = Number(raw);
+  return Number.isFinite(n) ? n : raw;
+}
+// src/commands/add-service.ts
+import { defineCommand as defineCommand7 } from "citty";
+import { consola as consola8 } from "consola";
+var addServiceCommand = defineCommand7({
+  meta: {
+    name: "add-service",
+    group: "edit",
+    description: "Add a compose service (postgres, mysql, redis, \u2026) to the container config. Idempotent, prints a diff before writing."
+  },
+  args: {
+    name: {
+      type: "positional",
+      description: "Container name (yml in $MONOCEROS_HOME/container-configs/).",
+      required: true
+    },
+    service: {
+      type: "positional",
+      description: "Service identifier (postgres, mysql, redis).",
+      required: true
+    },
+    yes: {
+      type: "boolean",
+      description: "Skip the interactive confirmation and apply the diff.",
+      alias: ["y"],
+      default: false
+    }
+  },
+  async run({ args }) {
+    try {
+      const result = await runAddService({
+        name: args.name,
+        service: args.service,
+        yes: args.yes
+      });
+      process.exit(result.status === "aborted" ? 1 : 0);
+    } catch (err) {
+      consola8.error(err instanceof Error ? err.message : String(err));
+      process.exit(1);
+    }
+  }
+});
+// src/commands/apply.ts
+import { defineCommand as defineCommand8 } from "citty";
+// src/apply/index.ts
+import { existsSync as existsSync6, promises as fs11 } from "fs";
+import { consola as consola11 } from "consola";
+// src/config/state.ts
+import { promises as fs9 } from "fs";
+import path9 from "path";
+function buildStateFile(opts) {
+  return {
+    schemaVersion: CONFIG_SCHEMA_VERSION,
+    origin: opts.origin,
+    monocerosCliVersion: opts.cliVersion,
+    materializedAt: (opts.now ?? /* @__PURE__ */ new Date()).toISOString()
+  };
+}
+function stateFilePath(targetDir) {
+  return path9.join(targetDir, ".monoceros", "state.json");
+}
+async function readStateFile(targetDir) {
+  try {
+    const content = await fs9.readFile(stateFilePath(targetDir), "utf8");
+    return JSON.parse(content);
+  } catch {
+    return void 0;
+  }
+}
+async function writeStateFile(targetDir, state) {
+  const monocerosDir = path9.join(targetDir, ".monoceros");
+  await fs9.mkdir(monocerosDir, { recursive: true });
+  await fs9.writeFile(
+    stateFilePath(targetDir),
+    JSON.stringify(state, null, 2) + "\n"
+  );
+}
+// src/config/transform.ts
+function solutionConfigToCreateOptions(config, featureDefaults = {}) {
+  const featureRecord = {};
+  for (const entry2 of config.features) {
+    const defaults = featureDefaults[entry2.ref] ?? {};
+    const containerOpts = Object.fromEntries(
+      Object.entries(entry2.options ?? {}).filter(([, v]) => v !== "")
+    );
+    featureRecord[entry2.ref] = { ...defaults, ...containerOpts };
+  }
+  const result = {
+    name: config.name,
+    languages: [...config.languages],
+    services: [...config.services]
+  };
+  if (config.externalServices.postgres !== void 0) {
+    result.postgresUrl = config.externalServices.postgres;
+  }
+  if (config.aptPackages.length > 0) {
+    result.aptPackages = [...config.aptPackages];
+  }
+  if (Object.keys(featureRecord).length > 0) {
+    result.features = featureRecord;
+  }
+  if (config.installUrls.length > 0) {
+    result.installUrls = [...config.installUrls];
+  }
+  if (config.repos.length > 0) {
+    result.repos = config.repos.map((r) => ({
+      url: r.url,
+      // `path` is optional in the yml; CreateOptions requires it.
+      // When the yml omits `path`, fall back to the URL-derived
+      // single-segment default (`https://.../foo.git` → `foo`),
+      // which lands the clone at `projects/foo/`.
+      path: r.path ?? deriveRepoName(r.url),
+      // gitUser is forwarded only when BOTH name + email are set.
+      // The relaxed GitUserSchema accepts nullable / empty strings
+      // (so a yml placeholder `name:` parses without error), so we
+      // re-check here before downstream code, which expects both
+      // values to be non-empty.
+      ...r.git?.user?.name && r.git.user.email ? { gitUser: { name: r.git.user.name, email: r.git.user.email } } : {},
+      ...r.provider ? { provider: r.provider } : {}
+    }));
+  }
+  const routingPorts = config.routing?.ports ?? [];
+  if (routingPorts.length > 0) {
+    const seen = /* @__PURE__ */ new Set();
+    const ports = [];
+    for (const entry2 of routingPorts) {
+      const n = portNumber(entry2);
+      if (seen.has(n)) continue;
+      seen.add(n);
+      ports.push(n);
+    }
+    result.ports = ports;
+  }
+  if (config.routing?.vscodeAutoForward !== void 0) {
+    result.vscodeAutoForward = config.routing.vscodeAutoForward;
+  }
+  return result;
+}
-// src/commands/add-port.ts
-import { defineCommand as defineCommand6 } from "citty";
-import { consola as consola8 } from "consola";
-var addPortCommand = defineCommand6({
-  meta: {
-    name: "add-port",
-    group: "edit",
-    description: "Add one or more ports to the container config so they become reachable from the host via Traefik (`<container>.localhost` / `<container>-<port>.localhost`). Pass port numbers after `--` (e.g. `monoceros add-port sandbox -- 3000 5173 6006`). Idempotent. Persisted in the yml so later `monoceros apply` runs restore the routes. Pass `--default` together with a single port to make it the bare `<container>.localhost` route \u2014 the port is inserted at position 0 (or moved there if it already exists)."
-  },
-  args: {
-    name: {
-      type: "positional",
-      description: "Container name (yml in $MONOCEROS_HOME/container-configs/).",
-      required: true
+// src/devcontainer/compose.ts
+import { spawn as spawn5 } from "child_process";
+import { existsSync as existsSync5 } from "fs";
+import path11 from "path";
+import { consola as consola9 } from "consola";
+// src/util/mask-secrets.ts
+import { Transform } from "stream";
+var PATTERNS = [
+  // Atlassian Cloud API token. Starts with literal `ATATT3xFf` plus
+  // a long URL-safe-base64 tail. Tightened to that prefix to avoid
+  // matching unrelated all-caps words.
+  { name: "atlassian-api", re: /ATATT3xFf[A-Za-z0-9+/=_-]{20,}/g },
+  // Bitbucket Cloud app password.
+  { name: "bitbucket-app", re: /ATBB[A-Za-z0-9+/=_-]{20,}/g },
+  // GitHub PAT (classic), OAuth, user, server, refresh — all share
+  // the `gh<lower-letter>_<base62>` shape per GitHub's token format.
+  { name: "github-token", re: /gh[a-z]_[A-Za-z0-9]{20,}/g },
+  // GitHub fine-grained PAT.
+  { name: "github-pat", re: /github_pat_[A-Za-z0-9_]{20,}/g },
+  // Anthropic API key.
+  { name: "anthropic-api", re: /sk-ant-[A-Za-z0-9_-]{20,}/g }
+];
+function maskSecrets(text) {
+  let result = text;
+  for (const { re } of PATTERNS) {
+    result = result.replace(re, maskOne);
+  }
+  return result;
+}
+function maskOne(token) {
+  if (token.length <= 12) return token;
+  return `${token.slice(0, 5)}\u2026${token.slice(-6)}`;
+}
+function createSecretMaskStream() {
+  let buffer = "";
+  return new Transform({
+    decodeStrings: true,
+    transform(chunk, _enc, cb) {
+      const text = typeof chunk === "string" ? chunk : chunk.toString("utf8");
+      buffer += text;
+      const lastNewline = buffer.lastIndexOf("\n");
+      if (lastNewline === -1) {
+        cb(null);
+        return;
+      }
+      const flushable = buffer.slice(0, lastNewline + 1);
+      buffer = buffer.slice(lastNewline + 1);
+      cb(null, maskSecrets(flushable));
     },
-    yes: {
-      type: "boolean",
-      description: "Skip the interactive confirmation and apply the diff.",
-      alias: ["y"],
-      default: false
+    flush(cb) {
+      if (buffer.length > 0) {
+        const tail = maskSecrets(buffer);
+        buffer = "";
+        cb(null, tail);
+        return;
+      }
+      cb(null);
+    }
+  });
+}
+// src/devcontainer/cli.ts
+import { spawn as spawn4 } from "child_process";
+import { readFileSync as readFileSync3 } from "fs";
+import { createRequire } from "module";
+import path10 from "path";
+// src/devcontainer/runtime-pull-hint.ts
+import { Transform as Transform2 } from "stream";
+var RUNTIME_PULL_MARKER = "No manifest found for ghcr.io/getmonoceros/monoceros-runtime";
+var RUNTIME_PULL_HINT = 'Downloading the Monoceros runtime image now -- expected on first apply, takes ~1-2 min (Docker pulls the multi-arch base with no progress output). The "No manifest found" line above is harmless. Please wait...';
+function createRuntimePullHintStream(state) {
+  let buffer = "";
+  const appendHintIfMarker = (block) => {
+    if (state.hinted || !block.includes(RUNTIME_PULL_MARKER)) return block;
+    state.hinted = true;
+    return `${block}${dim(`(i) ${RUNTIME_PULL_HINT}`)}
+`;
+  };
+  return new Transform2({
+    decodeStrings: true,
+    transform(chunk, _enc, cb) {
+      const text = typeof chunk === "string" ? chunk : chunk.toString("utf8");
+      buffer += text;
+      const lastNewline = buffer.lastIndexOf("\n");
+      if (lastNewline === -1) {
+        cb(null);
+        return;
+      }
+      const flushable = buffer.slice(0, lastNewline + 1);
+      buffer = buffer.slice(lastNewline + 1);
+      cb(null, appendHintIfMarker(flushable));
     },
-    default: {
-      type: "boolean",
-      description: "Make the (single) port the new default route at `<container>.localhost`. Inserts the port at position 0 of `routing.ports`, or moves it there if it already exists. Errors when more than one port is passed.",
-      default: false
+    flush(cb) {
+      if (buffer.length === 0) {
+        cb(null);
+        return;
+      }
+      const tail = buffer;
+      buffer = "";
+      cb(null, appendHintIfMarker(tail));
     }
-  },
-  async run({ args }) {
-    const tokens = [...getInnerArgs()];
-    if (tokens.length === 0) {
-      consola8.error(
-        "No ports given. Usage: `monoceros add-port <containername> [--yes] [--default] -- <port> [<port> \u2026]`."
-      );
-      process.exit(1);
+  });
+}
+// src/devcontainer/cli.ts
+var require_ = createRequire(import.meta.url);
+var cachedBinaryPath = null;
+function devcontainerCliPath() {
+  if (cachedBinaryPath) return cachedBinaryPath;
+  const pkgJsonPath = require_.resolve("@devcontainers/cli/package.json");
+  const pkg = JSON.parse(readFileSync3(pkgJsonPath, "utf8"));
+  const binEntry = typeof pkg.bin === "string" ? pkg.bin : pkg.bin?.devcontainer ?? "";
+  if (!binEntry) {
+    throw new Error("Could not resolve @devcontainers/cli bin entry.");
+  }
+  cachedBinaryPath = path10.resolve(path10.dirname(pkgJsonPath), binEntry);
+  return cachedBinaryPath;
+}
+var spawnDevcontainer = (args, cwd, options = {}) => {
+  const binPath = devcontainerCliPath();
+  return new Promise((resolve, reject) => {
+    if (options.interactive) {
+      const child2 = spawn4(process.execPath, [binPath, ...args], {
+        cwd,
+        stdio: "inherit"
+      });
+      child2.on("error", reject);
+      child2.on("exit", (code) => resolve(code ?? 0));
+      return;
     }
-    try {
-      const result = await runAddPort({
-        name: args.name,
-        ports: tokens.map(coerceToken),
-        yes: args.yes,
-        asDefault: args.default
+    const child = spawn4(process.execPath, [binPath, ...args], {
+      cwd,
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+    if (options.quiet) {
+      const stdoutChunks = [];
+      const stderrChunks = [];
+      child.stdout?.on("data", (chunk) => stdoutChunks.push(chunk));
+      child.stderr?.on("data", (chunk) => stderrChunks.push(chunk));
+      child.on("error", reject);
+      child.on("exit", (code) => {
+        const exitCode = code ?? 0;
+        if (exitCode !== 0) {
+          process.stderr.write(
+            maskSecrets(Buffer.concat(stderrChunks).toString("utf8"))
+          );
+          process.stderr.write(
+            maskSecrets(Buffer.concat(stdoutChunks).toString("utf8"))
+          );
+        }
+        resolve(exitCode);
       });
-      process.exit(result.status === "aborted" ? 1 : 0);
-    } catch (err) {
-      consola8.error(err instanceof Error ? err.message : String(err));
-      process.exit(1);
+      return;
+    }
+    const pullHint = { hinted: false };
+    child.stdout?.pipe(createSecretMaskStream()).pipe(createRuntimePullHintStream(pullHint)).pipe(process.stdout);
+    child.stderr?.pipe(createSecretMaskStream()).pipe(createRuntimePullHintStream(pullHint)).pipe(process.stderr);
+    child.on("error", reject);
+    child.on("exit", (code) => resolve(code ?? 0));
+  });
+};
+// src/devcontainer/compose.ts
+var spawnDockerCompose = (args, cwd) => {
+  return new Promise((resolve, reject) => {
+    const child = spawn5("docker", ["compose", ...args], {
+      cwd,
+      stdio: ["inherit", "pipe", "pipe"]
+    });
+    child.stdout?.pipe(createSecretMaskStream()).pipe(process.stdout);
+    child.stderr?.pipe(createSecretMaskStream()).pipe(process.stderr);
+    child.on("error", reject);
+    child.on("exit", (code) => resolve(code ?? 0));
+  });
+};
+var spawnDocker = (args) => {
+  return new Promise((resolve, reject) => {
+    const child = spawn5("docker", args, {
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+    let stdout = "";
+    let stderr = "";
+    child.stdout?.on("data", (chunk) => {
+      stdout += chunk.toString("utf8");
+    });
+    child.stderr?.on("data", (chunk) => {
+      stderr += chunk.toString("utf8");
+    });
+    child.on("error", reject);
+    child.on(
+      "exit",
+      (code) => resolve({ exitCode: code ?? 0, stdout, stderr })
+    );
+  });
+};
+async function findContainerIds(filters, exec = spawnDocker) {
+  const ids = /* @__PURE__ */ new Set();
+  for (const filter of filters) {
+    const result = await exec(["ps", "-aq", "--filter", filter]);
+    if (result.exitCode !== 0) continue;
+    for (const line of result.stdout.split(/\r?\n/)) {
+      const id = line.trim();
+      if (id) ids.add(id);
     }
   }
-});
-function coerceToken(raw) {
-  const n = Number(raw);
-  return Number.isFinite(n) ? n : raw;
+  return [...ids];
 }
-// src/commands/add-service.ts
-import { defineCommand as defineCommand7 } from "citty";
-import { consola as consola9 } from "consola";
-var addServiceCommand = defineCommand7({
-  meta: {
-    name: "add-service",
-    group: "edit",
-    description: "Add a compose service (postgres, mysql, redis, \u2026) to the container config. Idempotent, prints a diff before writing."
-  },
-  args: {
-    name: {
-      type: "positional",
-      description: "Container name (yml in $MONOCEROS_HOME/container-configs/).",
-      required: true
-    },
-    service: {
-      type: "positional",
-      description: "Service identifier (postgres, mysql, redis).",
-      required: true
-    },
-    yes: {
-      type: "boolean",
-      description: "Skip the interactive confirmation and apply the diff.",
-      alias: ["y"],
-      default: false
+async function cleanupDockerObjects(opts) {
+  const exec = opts.exec ?? spawnDocker;
+  const tag = opts.logTag ?? "cleanup";
+  opts.logger.info(`[${tag}] tearing down docker project ${opts.projectName}\u2026`);
+  const ids = await findContainerIds(opts.filters, exec);
+  let rmExit = 0;
+  if (ids.length > 0) {
+    opts.logger.info(`[${tag}] removing containers: ${ids.join(" ")}`);
+    const rmResult = await exec(["rm", "-f", ...ids]);
+    rmExit = rmResult.exitCode;
+    if (rmExit !== 0 && rmResult.stderr.trim()) {
+      opts.logger.info(`[${tag}] ${rmResult.stderr.trim()}`);
     }
-  },
-  async run({ args }) {
-    try {
-      const result = await runAddService({
-        name: args.name,
-        service: args.service,
-        yes: args.yes
-      });
-      process.exit(result.status === "aborted" ? 1 : 0);
-    } catch (err) {
-      consola9.error(err instanceof Error ? err.message : String(err));
-      process.exit(1);
+  } else {
+    opts.logger.info(`[${tag}] no containers found`);
+  }
+  if (opts.network) {
+    const netResult = await exec(["network", "rm", opts.network]);
+    if (netResult.exitCode === 0) {
+      opts.logger.info(`[${tag}] network ${opts.network} removed`);
     }
   }
-});
-// src/commands/apply.ts
-import { defineCommand as defineCommand8 } from "citty";
-// src/apply/index.ts
-import { existsSync as existsSync6, promises as fs11 } from "fs";
-import { consola as consola11 } from "consola";
-// src/config/state.ts
-import { promises as fs9 } from "fs";
-import path11 from "path";
-function buildStateFile(opts) {
-  return {
-    schemaVersion: CONFIG_SCHEMA_VERSION,
-    origin: opts.origin,
-    monocerosCliVersion: opts.cliVersion,
-    materializedAt: (opts.now ?? /* @__PURE__ */ new Date()).toISOString()
-  };
+  opts.logger.info(`[${tag}] docker cleanup done`);
+  return { exitCode: rmExit, removedIds: ids };
 }
-function stateFilePath(targetDir) {
-  return path11.join(targetDir, ".monoceros", "state.json");
+function composeProjectName(root) {
+  return `${path11.basename(root)}_devcontainer`;
 }
-async function readStateFile(targetDir) {
-  try {
-    const content = await fs9.readFile(stateFilePath(targetDir), "utf8");
-    return JSON.parse(content);
-  } catch {
-    return void 0;
+function resolveCompose(root) {
+  if (!existsSync5(path11.join(root, ".devcontainer"))) {
+    throw new Error(
+      `No .devcontainer/ at ${root}. Run \`monoceros apply <name>\` first.`
+    );
+  }
+  const composeFile = path11.join(root, ".devcontainer", "compose.yaml");
+  if (!existsSync5(composeFile)) {
+    throw new Error(
+      `No compose.yaml at ${composeFile}. \`start\` / \`stop\` / \`status\` / \`logs\` require services configured via \`monoceros add-service <name> <svc>\`. Use \`monoceros shell <name>\` to enter the container directly.`
+    );
   }
+  return { composeFile, projectName: composeProjectName(root) };
 }
-async function writeStateFile(targetDir, state) {
-  const monocerosDir = path11.join(targetDir, ".monoceros");
-  await fs9.mkdir(monocerosDir, { recursive: true });
-  await fs9.writeFile(
-    stateFilePath(targetDir),
-    JSON.stringify(state, null, 2) + "\n"
+async function runComposeAction(buildSubArgs, opts) {
+  const { composeFile, projectName } = resolveCompose(opts.root);
+  const spawnFn = opts.spawn ?? spawnDockerCompose;
+  const subArgs = buildSubArgs(opts.service);
+  return spawnFn(["-f", composeFile, "-p", projectName, ...subArgs], opts.root);
+}
+async function runStart(opts) {
+  resolveCompose(opts.root);
+  const logger = opts.logger ?? { info: (msg) => consola9.info(msg) };
+  const spawnFn = opts.spawn ?? spawnDevcontainer;
+  logger.info(`Bringing devcontainer up at ${opts.root}\u2026`);
+  return spawnFn(
+    ["up", "--workspace-folder", opts.root, "--mount-workspace-git-root=false"],
+    opts.root
   );
 }
-// src/config/transform.ts
-function solutionConfigToCreateOptions(config, featureDefaults = {}) {
-  const featureRecord = {};
-  for (const entry2 of config.features) {
-    const defaults = featureDefaults[entry2.ref] ?? {};
-    const containerOpts = Object.fromEntries(
-      Object.entries(entry2.options ?? {}).filter(([, v]) => v !== "")
+async function runContainerCycle(root, opts) {
+  const { hasCompose, logger } = opts;
+  if (hasCompose) {
+    const projectName = composeProjectName(root);
+    logger.info(
+      `Force-removing existing ${projectName} containers (volumes preserved)\u2026`
     );
-    featureRecord[entry2.ref] = { ...defaults, ...containerOpts };
-  }
-  const result = {
-    name: config.name,
-    languages: [...config.languages],
-    services: [...config.services]
-  };
-  if (config.externalServices.postgres !== void 0) {
-    result.postgresUrl = config.externalServices.postgres;
-  }
-  if (config.aptPackages.length > 0) {
-    result.aptPackages = [...config.aptPackages];
-  }
-  if (Object.keys(featureRecord).length > 0) {
-    result.features = featureRecord;
-  }
-  if (config.installUrls.length > 0) {
-    result.installUrls = [...config.installUrls];
-  }
-  if (config.repos.length > 0) {
-    result.repos = config.repos.map((r) => ({
-      url: r.url,
-      // `path` is optional in the yml; CreateOptions requires it.
-      // When the yml omits `path`, fall back to the URL-derived
-      // single-segment default (`https://.../foo.git` → `foo`),
-      // which lands the clone at `projects/foo/`.
-      path: r.path ?? deriveRepoName(r.url),
-      // gitUser is forwarded only when BOTH name + email are set.
-      // The relaxed GitUserSchema accepts nullable / empty strings
-      // (so a yml placeholder `name:` parses without error), so we
-      // re-check here before downstream code, which expects both
-      // values to be non-empty.
-      ...r.git?.user?.name && r.git.user.email ? { gitUser: { name: r.git.user.name, email: r.git.user.email } } : {},
-      ...r.provider ? { provider: r.provider } : {}
-    }));
-  }
-  const routingPorts = config.routing?.ports ?? [];
-  if (routingPorts.length > 0) {
-    const seen = /* @__PURE__ */ new Set();
-    const ports = [];
-    for (const entry2 of routingPorts) {
-      const n = portNumber(entry2);
-      if (seen.has(n)) continue;
-      seen.add(n);
-      ports.push(n);
+    const exec = opts.dockerExec ?? spawnDocker;
+    const filters = [
+      `label=com.docker.compose.project=${projectName}`,
+      `name=^${projectName}-`
+    ];
+    const { exitCode: rmExit } = await cleanupDockerObjects({
+      projectName,
+      filters,
+      network: `${projectName}_default`,
+      logger,
+      exec
+    });
+    if (rmExit !== 0) return rmExit;
+    const remaining = await findContainerIds(filters, exec);
+    if (remaining.length > 0) {
+      const warn = logger.warn ?? logger.info;
+      warn(
+        `ERROR: containers under project ${projectName} reappeared after removal.
+This typically means VS Code's Remote Containers extension is connected
+to this devcontainer and auto-recreated it. Close the dev container
+session in VS Code (Cmd+Shift+P \u2192 'Dev Containers: Close Remote Connection')
+and retry \`monoceros apply\`.`
+      );
+      return 1;
     }
-    result.ports = ports;
-  }
-  if (config.routing?.vscodeAutoForward !== void 0) {
-    result.vscodeAutoForward = config.routing.vscodeAutoForward;
+    return runStart({
+      root,
+      ...opts.devcontainerSpawn ? { spawn: opts.devcontainerSpawn } : {},
+      logger
+    });
   }
-  return result;
+  logger.info(`Recreating image-mode devcontainer at ${root}\u2026`);
+  const spawnFn = opts.devcontainerSpawn ?? spawnDevcontainer;
+  return spawnFn(
+    [
+      "up",
+      "--workspace-folder",
+      root,
+      "--mount-workspace-git-root=false",
+      "--remove-existing-container"
+    ],
+    root
+  );
+}
+function runStop(opts) {
+  return runComposeAction(
+    (service) => ["stop", ...service ? [service] : []],
+    opts
+  );
+}
+function runStatus(opts) {
+  return runComposeAction(
+    (service) => ["ps", ...service ? [service] : []],
+    opts
+  );
+}
+function runLogs(opts) {
+  const follow = opts.follow ?? true;
+  return runComposeAction(
+    (service) => [
+      "logs",
+      ...follow ? ["-f"] : [],
+      ...service ? [service] : []
+    ],
+    opts
+  );
 }
 // src/devcontainer/repo-reachability.ts
@@ -4269,7 +4185,7 @@ function formatUnreachableReposError(failures) {
     }
     lines.push("");
   }
-  lines.push(`Then re-run ${cyan("monoceros apply")}.`);
+  lines.push(`Then re-run ${cyan2("monoceros apply")}.`);
   return lines.join("\n");
 }
 function headerForKind(kind) {
@@ -4352,14 +4268,14 @@ function formatRootlessNotSupportedError() {
     ``,
     `To fix, switch back to standard rootful Docker:`,
     ``,
-    cyan(
+    cyan2(
       `  systemctl --user stop docker.service docker.socket 2>/dev/null || true`
     ),
-    cyan(`  dockerd-rootless-setuptool.sh uninstall`),
-    cyan(`  rootlesskit rm -rf ~/.local/share/docker`),
-    cyan(`  unset DOCKER_HOST DOCKER_CONTEXT`),
-    cyan(`  sudo systemctl enable --now docker`),
-    cyan(`  sudo usermod -aG docker $USER`),
+    cyan2(`  dockerd-rootless-setuptool.sh uninstall`),
+    cyan2(`  rootlesskit rm -rf ~/.local/share/docker`),
+    cyan2(`  unset DOCKER_HOST DOCKER_CONTEXT`),
+    cyan2(`  sudo systemctl enable --now docker`),
+    cyan2(`  sudo usermod -aG docker $USER`),
     ``,
     `If you added DOCKER_HOST or DOCKER_CONTEXT to ~/.bashrc /`,
     `~/.profile (the rootless setup may have suggested it), remove`,
@@ -4664,7 +4580,7 @@ ${sectionLine(label)}
   section("Container");
   const featureRefs = parsed.config.features.map((f) => f.ref);
   if (featureRefs.length > 0) {
-    logger.info(`Features: ${featureRefs.map((r) => cyan(r)).join(", ")}`);
+    logger.info(`Features: ${featureRefs.map((r) => cyan2(r)).join(", ")}`);
   }
   logger.info(
     dim(
@@ -4687,14 +4603,8 @@ ${sectionLine(label)}
         hostPort: proxyHostPort(globalConfig),
         logger
       });
-      await kickProxyReload({
-        ...opts.proxyDocker ? { docker: opts.proxyDocker } : {}
-      });
     } else {
       await removeDynamicConfig(opts.name, { monocerosHome: home });
-      await kickProxyReload({
-        ...opts.proxyDocker ? { docker: opts.proxyDocker } : {}
-      });
     }
   } catch (err) {
     logger.warn?.(
@@ -4709,7 +4619,7 @@ ${sectionLine(label)}
   });
   if (exitCode === 0) {
     section("Next steps");
-    logger.info(`  ${cyan(`monoceros shell ${opts.name}`)}`);
+    logger.info(`  ${cyan2(`monoceros shell ${opts.name}`)}`);
   }
   return { targetDir, configPath: ymlPath, containerExitCode: exitCode };
 }
@@ -4807,7 +4717,7 @@ async function persistPromptedIdentity(prompted, ymlPath, home, logger) {
 }
 // src/version.ts
-var CLI_VERSION = true ? "1.11.10" : "dev";
+var CLI_VERSION = true ? "1.12.0" : "dev";
 // src/commands/_dispatch.ts
 import { consola as consola12 } from "consola";
@@ -6269,7 +6179,7 @@ async function runRemove(opts) {
     projectName,
     filters: [
       `label=com.docker.compose.project=${projectName}`,
-      `label=devcontainer.local_folder=${dockerLocalFolderLabel(containerPath)}`,
+      `label=devcontainer.local_folder=${containerPath}`,
       `name=^${projectName}-`,
       `name=^vsc-${opts.name}-`
     ],
@@ -6337,9 +6247,6 @@ async function runRemove(opts) {
   }
   try {
     await removeDynamicConfig(opts.name, { monocerosHome: home });
-    await kickProxyReload({
-      ...opts.proxyDocker ? { docker: opts.proxyDocker } : {}
-    });
   } catch (err) {
     logger.warn?.(
       `Could not remove Traefik dynamic config for ${opts.name}: ${err instanceof Error ? err.message : String(err)}. Ignored.`
@@ -7079,10 +6986,7 @@ async function lookupContainerNetwork(args) {
     "ps",
     "-q",
     "--filter",
-    // Windows-normalize: devcontainer-cli lowercases the drive letter
-    // when stamping the label, docker filter is byte-exact. No-op
-    // off Windows.
-    `label=devcontainer.local_folder=${dockerLocalFolderLabel(args.containerRoot)}`
+    `label=devcontainer.local_folder=${args.containerRoot}`
   ]);
   if (psResult.exitCode !== 0) {
     throw new Error(
@@ -7404,7 +7308,6 @@ var main = defineCommand30({
 // src/bin.ts
 bootstrapDockerGroup();
-bootstrapWslBackend();
 consumeInnerArgsFromProcessArgv();
 async function entry() {
   if (await maybeRenderHelp(process.argv.slice(2), main)) {