@instafy/cli 0.1.0-staging.138

package/dist/runtime.js

@@ -0,0 +1,709 @@
+import { spawn, spawnSync } from "node:child_process";
+import { existsSync, mkdirSync, openSync, readFileSync, rmSync, writeFileSync } from "node:fs";
+import path from "node:path";
+import kleur from "kleur";
+import { fileURLToPath } from "node:url";
+import { randomUUID } from "node:crypto";
+import os from "node:os";
+import { ensureRatholeBinary } from "./rathole.js";
+const INSTAFY_DIR = path.join(os.homedir(), ".instafy");
+const STATE_FILE = path.join(INSTAFY_DIR, "cli-runtime-state.json");
+const LOG_DIR = path.join(INSTAFY_DIR, "cli-runtime-logs");
+function resolveRepoRoot() {
+    const __dirname = path.dirname(fileURLToPath(import.meta.url));
+    return path.resolve(__dirname, "../../..");
+}
+function resolveRuntimeBinary() {
+    // Reuse existing runtime-agent binary from workspace target (assumes `cargo build` done).
+    const repoRoot = resolveRepoRoot();
+    const candidates = [
+        path.join(repoRoot, "target", "debug", "runtime-agent"),
+        path.join(repoRoot, "target", "release", "runtime-agent"),
+        path.join(repoRoot, "packages", "runtime-agent", "target", "debug", "runtime-agent"),
+        path.join(repoRoot, "packages", "runtime-agent", "target", "release", "runtime-agent"),
+    ];
+    for (const candidate of candidates) {
+        if (existsSync(candidate)) {
+            return candidate;
+        }
+    }
+    throw new Error("runtime-agent binary not found. Build it with `cargo build -p runtime-agent`.");
+}
+function printStatus(label, value) {
+    console.log(`${kleur.cyan(label)} ${value}`);
+}
+function ensureStateDir() {
+    mkdirSync(INSTAFY_DIR, { recursive: true });
+}
+function ensureLogDir() {
+    mkdirSync(LOG_DIR, { recursive: true });
+}
+function writeState(state) {
+    ensureStateDir();
+    writeFileSync(STATE_FILE, JSON.stringify(state, null, 2));
+}
+function readState() {
+    try {
+        const raw = readFileSync(STATE_FILE, "utf8");
+        return JSON.parse(raw);
+    }
+    catch {
+        return null;
+    }
+}
+function clearState() {
+    try {
+        rmSync(STATE_FILE);
+    }
+    catch {
+        // ignore
+    }
+}
+function normalizeToken(value) {
+    if (typeof value !== "string") {
+        return null;
+    }
+    const trimmed = value.trim();
+    return trimmed.length > 0 ? trimmed : null;
+}
+function setSharedFsEnv(env, opts) {
+    if (!opts)
+        return;
+    if (opts.host)
+        env["SHARED_FS_HOST"] = opts.host;
+    if (opts.port)
+        env["SHARED_FS_PORT"] = String(opts.port);
+    if (opts.user)
+        env["SHARED_FS_USER"] = opts.user;
+    if (opts.path)
+        env["SHARED_FS_PATH"] = opts.path;
+    if (opts.keyB64)
+        env["SHARED_FS_KEY_B64"] = opts.keyB64;
+    if (opts.keyPath)
+        env["SHARED_FS_KEY_PATH"] = opts.keyPath;
+    if (opts.options)
+        env["SHARED_FS_OPTIONS"] = opts.options;
+    if (opts.flat)
+        env["RUNTIME_SHARED_FS_FLAT"] = "1";
+    env["SHARED_FS_PROTOCOL"] = env["SHARED_FS_PROTOCOL"] ?? "sshfs";
+}
+async function fetchWorkspaceMountToken(params) {
+    const base = params.controllerUrl.replace(/\/+$/, "");
+    const url = `${base}/projects/${encodeURIComponent(params.projectId)}/workspace/mount-token`;
+    const res = await fetch(url, {
+        headers: {
+            authorization: `Bearer ${params.controllerAccessToken}`,
+            accept: "application/json",
+        },
+    });
+    if (!res.ok) {
+        const text = await res.text().catch(() => "");
+        throw new Error(`Failed to fetch workspace mount token (${res.status} ${res.statusText}): ${text}`);
+    }
+    const json = (await res.json());
+    if (!json?.protocol || !json.host || !json.path) {
+        throw new Error("Workspace mount token response missing required fields.");
+    }
+    return json;
+}
+function prepareTempKey(keyB64) {
+    if (!keyB64)
+        return null;
+    const buf = Buffer.from(keyB64.trim(), "base64");
+    const tmpDir = path.join(os.tmpdir(), "instafy-shared-fs-cli");
+    mkdirSync(tmpDir, { recursive: true });
+    const file = path.join(tmpDir, `sshfs-key-${Date.now()}.pem`);
+    writeFileSync(file, buf, { mode: 0o600 });
+    return file;
+}
+export async function mountWorkspace(options) {
+    const mountDir = path.resolve(options.mountPath);
+    mkdirSync(mountDir, { recursive: true });
+    const token = await fetchWorkspaceMountToken({
+        controllerUrl: options.controllerUrl,
+        controllerAccessToken: options.controllerAccessToken,
+        projectId: options.project,
+    });
+    if (token.protocol !== "sshfs") {
+        throw new Error(`Unsupported mount protocol: ${token.protocol}`);
+    }
+    const sshfsBin = options.sshfsBin || process.env.SHARED_FS_BIN || "sshfs";
+    assertSshfsAvailable(sshfsBin);
+    const keyPath = prepareTempKey(token.key_b64 ?? null);
+    const args = [
+        `${token.user}@${token.host}:${token.path}`,
+        mountDir,
+        "-p",
+        String(token.port ?? 22),
+        "-o",
+        "StrictHostKeyChecking=no",
+    ];
+    const mergedOpts = token.options || options.extraOptions;
+    if (keyPath) {
+        args.push("-o", `IdentityFile=${keyPath}`);
+    }
+    if (mergedOpts && mergedOpts.trim()) {
+        args.push("-o", mergedOpts.trim());
+    }
+    const result = spawnSync(sshfsBin, args, {
+        stdio: "inherit",
+        env: process.env,
+    });
+    if (keyPath) {
+        try {
+            rmSync(keyPath);
+        }
+        catch {
+            // ignore
+        }
+    }
+    if (result.status !== 0) {
+        throw new Error(`sshfs mount failed (code ${result.status ?? result.error?.message ?? "unknown"})\n` +
+            `Command: ${sshfsBin} ${args.join(" ")}`);
+    }
+    validateMountHealthy(mountDir);
+    return mountDir;
+}
+export async function checkSshfs(binOverride) {
+    const bin = binOverride || process.env.SHARED_FS_BIN || "sshfs";
+    assertSshfsAvailable(bin);
+}
+function assertSshfsAvailable(bin) {
+    const check = spawnSync(bin, ["-V"], { stdio: "ignore" });
+    if ((check.status ?? check["code"] ?? 1) === 0) {
+        return;
+    }
+    const platform = process.platform;
+    const hints = {
+        darwin: "brew install --cask macfuse && brew install gromgit/fuse/sshfs-mac",
+        linux: "sudo apt-get update && sudo apt-get install -y sshfs",
+        win32: "Install WinFsp and SSHFS-Win: https://github.com/billziss-gh/sshfs-win",
+    };
+    const hint = hints[platform] ??
+        "Install sshfs for your platform and ensure it is on PATH (or pass --sshfs-bin).";
+    throw new Error(`sshfs binary '${bin}' not found or not executable. ${hint}`);
+}
+function validateMountHealthy(mountDir) {
+    try {
+        // Best-effort sanity check to catch "Transport endpoint not connected" right after mount.
+        const entries = spawnSync("ls", ["-la", mountDir], { stdio: "ignore" });
+        if ((entries.status ?? entries["code"] ?? 1) !== 0) {
+            throw new Error("ls failed");
+        }
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        throw new Error(`sshfs mount appears unhealthy at ${mountDir}: ${message}. ` +
+            "Ensure the mount host is reachable and sshfs/fuse is enabled.");
+    }
+}
+export function findProjectManifest(startDir) {
+    let current = path.resolve(startDir);
+    const root = path.parse(current).root;
+    while (true) {
+        const candidate = path.join(current, ".instafy", "project.json");
+        if (existsSync(candidate)) {
+            try {
+                const parsed = JSON.parse(readFileSync(candidate, "utf8"));
+                if (parsed?.projectId) {
+                    return { manifest: parsed, path: candidate };
+                }
+            }
+            catch {
+                // ignore malformed manifest
+            }
+        }
+        if (current === root)
+            break;
+        current = path.dirname(current);
+    }
+    return { manifest: null, path: null };
+}
+function readTokenFromFile(filePath) {
+    const normalized = normalizeToken(filePath);
+    if (!normalized) {
+        return null;
+    }
+    const resolved = path.resolve(normalized);
+    const contents = readFileSync(resolved, "utf8").trim();
+    if (!contents) {
+        throw new Error(`token file ${resolved} was empty`);
+    }
+    return contents;
+}
+function resolveSupabaseAccessToken(options, env) {
+    const explicit = normalizeToken(options.supabaseAccessToken);
+    if (explicit) {
+        return explicit;
+    }
+    const fromFile = readTokenFromFile(options.supabaseAccessTokenFile);
+    if (fromFile) {
+        return fromFile;
+    }
+    const fromEnv = normalizeToken(env["SUPABASE_ACCESS_TOKEN"]);
+    if (fromEnv) {
+        return fromEnv;
+    }
+    return null;
+}
+function findRatholeOnPath() {
+    const names = process.platform === "win32" ? ["rathole.exe", "rathole"] : ["rathole"];
+    const pathEntries = (process.env.PATH ?? "")
+        .split(path.delimiter)
+        .map((entry) => entry.trim())
+        .filter(Boolean);
+    for (const entry of pathEntries) {
+        for (const name of names) {
+            const candidate = path.join(entry, name);
+            if (existsSync(candidate)) {
+                return candidate;
+            }
+        }
+    }
+    return null;
+}
+export async function resolveRatholeBinaryForCli(options) {
+    const warn = options.warn ??
+        ((message) => {
+            console.warn(kleur.yellow(message));
+        });
+    const logger = options.logger ??
+        ((message) => {
+            console.log(kleur.cyan(`[rathole] ${message}`));
+        });
+    const existing = normalizeToken(options.env["RATHOLE_BIN"]);
+    if (existing) {
+        options.env["RATHOLE_BIN"] = existing;
+        return existing;
+    }
+    const finder = options.findBinary ?? findRatholeOnPath;
+    const detected = finder();
+    if (detected) {
+        options.env["RATHOLE_BIN"] = detected;
+        return detected;
+    }
+    const download = options.downloadBinary ??
+        ((params) => ensureRatholeBinary(params));
+    try {
+        const resolved = await download({
+            version: normalizeToken(options.version ?? undefined) ?? undefined,
+            cacheDir: normalizeToken(options.cacheDir ?? undefined) ?? undefined,
+            logger,
+        });
+        options.env["RATHOLE_BIN"] = resolved;
+        return resolved;
+    }
+    catch (error) {
+        const suffix = error instanceof Error
+            ? error.message
+            : typeof error === "string"
+                ? error
+                : JSON.stringify(error);
+        const osHint = process.platform === "darwin"
+            ? "Install with cargo (`cargo install --locked rathole`) or set RATHOLE_BIN to a downloaded binary."
+            : process.platform === "linux"
+                ? "Download from https://github.com/rapiz1/rathole/releases (matching your arch) or build via `cargo install --locked rathole`."
+                : "Download a rathole binary for your OS/arch and set RATHOLE_BIN.";
+        warn(`rathole unavailable (set RATHOLE_BIN or install on PATH). ${osHint} ${suffix}`);
+        return null;
+    }
+}
+export async function mintRuntimeAccessToken(params) {
+    const url = params.controllerUrl.replace(/\/$/, "");
+    const target = `${url}/projects/${encodeURIComponent(params.projectId)}/runtime/token`;
+    const response = await fetch(target, {
+        method: "POST",
+        headers: {
+            authorization: `Bearer ${params.controllerAccessToken}`,
+            "content-type": "application/json",
+        },
+        body: JSON.stringify({
+            runtimeId: params.runtimeId,
+            scopes: params.scopes,
+        }),
+    });
+    if (!response.ok) {
+        const text = await response.text().catch(() => "");
+        throw new Error(`Controller rejected runtime token request (${response.status} ${response.statusText}): ${text}`);
+    }
+    const payload = (await response.json());
+    const token = typeof payload.token === "string" ? payload.token.trim() : "";
+    if (!token) {
+        throw new Error("Controller response missing token field while minting runtime token.");
+    }
+    return token;
+}
+function isProcessAlive(pid) {
+    try {
+        process.kill(pid, 0);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+export async function runtimeStart(options) {
+    const bin = resolveRuntimeBinary();
+    const env = { ...process.env };
+    const existing = readState();
+    if (existing && isProcessAlive(existing.pid)) {
+        throw new Error(`Runtime already running (pid ${existing.pid}) for project ${existing.projectId}. Stop it first.`);
+    }
+    const manifestInfo = findProjectManifest(options.workspace ?? process.cwd());
+    const projectId = options.project ?? env["PROJECT_ID"] ?? manifestInfo.manifest?.projectId ?? null;
+    if (!projectId) {
+        throw new Error("Project ID is required (--project or PROJECT_ID)");
+    }
+    env["PROJECT_ID"] = projectId;
+    const supabaseAccessToken = resolveSupabaseAccessToken(options, env);
+    if (supabaseAccessToken) {
+        env["SUPABASE_ACCESS_TOKEN"] = supabaseAccessToken;
+    }
+    let controllerAccessToken = normalizeToken(options.controllerAccessToken) ??
+        normalizeToken(env["CONTROLLER_ACCESS_TOKEN"]) ??
+        supabaseAccessToken;
+    let runtimeAccessToken = normalizeToken(options.runtimeToken) ?? normalizeToken(env["RUNTIME_ACCESS_TOKEN"]);
+    const agentKey = options.controllerToken ?? env["AGENT_LOGIN_KEY"] ?? env["AGENT_KEY"];
+    if (!agentKey && !controllerAccessToken && !runtimeAccessToken) {
+        throw new Error("Provide either --runtime-token/RUNTIME_ACCESS_TOKEN, --controller-access-token/CONTROLLER_ACCESS_TOKEN, --supabase-access-token/SUPABASE_ACCESS_TOKEN, or --controller-token/AGENT_LOGIN_KEY (legacy)");
+    }
+    if (agentKey) {
+        env["AGENT_LOGIN_KEY"] = agentKey;
+    }
+    if (controllerAccessToken) {
+        env["CONTROLLER_ACCESS_TOKEN"] = controllerAccessToken;
+    }
+    env["CONTROLLER_BASE_URL"] =
+        options.controllerUrl ?? env["CONTROLLER_BASE_URL"] ?? "http://127.0.0.1:8788";
+    if (!runtimeAccessToken && controllerAccessToken) {
+        runtimeAccessToken = await mintRuntimeAccessToken({
+            controllerUrl: env["CONTROLLER_BASE_URL"],
+            controllerAccessToken,
+            projectId,
+        });
+    }
+    if (runtimeAccessToken) {
+        env["RUNTIME_ACCESS_TOKEN"] = runtimeAccessToken;
+    }
+    // Auto-fetch workspace mount token if requested
+    if (options.mountControllerFs && controllerAccessToken && env["CONTROLLER_BASE_URL"]) {
+        const token = await fetchWorkspaceMountToken({
+            controllerUrl: env["CONTROLLER_BASE_URL"],
+            controllerAccessToken,
+            projectId,
+        });
+        setSharedFsEnv(env, {
+            host: token.host,
+            port: token.port,
+            user: token.user,
+            path: token.path,
+            keyB64: token.key_b64 ?? undefined,
+            options: token.options ?? undefined,
+            flat: true,
+        });
+    }
+    else {
+        // Shared FS mount options (sshfs) from flags/env
+        setSharedFsEnv(env, options.sharedFs);
+    }
+    if (options.codexBin)
+        env["CODEX_BIN"] = options.codexBin;
+    if (options.proxyBaseUrl)
+        env["PROXY_BASE_URL"] = options.proxyBaseUrl;
+    if (!env["CODEX_REASONING_EFFORT"]) {
+        env["CODEX_REASONING_EFFORT"] = "low";
+    }
+    const workspace = path.resolve(options.workspace ?? env["WORKSPACE_DIR"] ?? path.join(process.cwd(), ".instafy", "workspace"));
+    mkdirSync(workspace, { recursive: true });
+    env["WORKSPACE_DIR"] = workspace;
+    const originId = options.originId ?? env["ORIGIN_ID"] ?? randomUUID();
+    env["ORIGIN_ID"] = originId;
+    env["ORIGIN_BIND_HOST"] = options.bindHost ?? env["ORIGIN_BIND_HOST"] ?? "127.0.0.1";
+    env["ORIGIN_BIND_PORT"] = String(options.bindPort ?? env["ORIGIN_BIND_PORT"] ?? 54332);
+    env["ORIGIN_PROTOCOLS"] = env["ORIGIN_PROTOCOLS"] ?? "http";
+    if (options.originEndpoint && options.originEndpoint.trim()) {
+        env["ORIGIN_ENDPOINT"] = options.originEndpoint.trim();
+    }
+    let originToken = normalizeToken(options.originToken) ?? normalizeToken(env["ORIGIN_INTERNAL_TOKEN"]);
+    if (!originToken && runtimeAccessToken) {
+        originToken = runtimeAccessToken;
+    }
+    if (!originToken && controllerAccessToken) {
+        originToken = await mintRuntimeAccessToken({
+            controllerUrl: env["CONTROLLER_BASE_URL"],
+            controllerAccessToken,
+            projectId,
+            runtimeId: env["RUNTIME_ID"],
+        });
+    }
+    if (!originToken) {
+        throw new Error("Runtime/origin token is required (--origin-token or ORIGIN_INTERNAL_TOKEN), or provide --runtime-token/--controller-access-token to mint/use one");
+    }
+    env["ORIGIN_INTERNAL_TOKEN"] = originToken;
+    env["ORIGIN_SKIP_AUTH"] = env["ORIGIN_SKIP_AUTH"] ?? "1";
+    // Shared FS mount options (sshfs)
+    setSharedFsEnv(env, options.sharedFs);
+    env["RUNTIME_DISPLAY_NAME"] =
+        options.displayName ?? env["RUNTIME_DISPLAY_NAME"] ?? "Instafy CLI Runtime";
+    const manifestProvider = manifestInfo.manifest?.orgName?.trim() ||
+        manifestInfo.manifest?.orgId?.toString().trim();
+    env["RUNTIME_PROVIDER"] =
+        options.provider ?? env["RUNTIME_PROVIDER"] ?? manifestProvider ?? "self-hosted";
+    env["RUNTIME_VERSION"] = env["RUNTIME_VERSION"] ?? "0.1.0";
+    env["RUNTIME_REQUIRE_CODEX_BIN"] = env["RUNTIME_REQUIRE_CODEX_BIN"] || "1";
+    env["RUNTIME_CAPABILITIES"] =
+        env["RUNTIME_CAPABILITIES"] ||
+            JSON.stringify({ fs: true, github: true, supabase: true, runs: true, agent: true, origin: true });
+    if (options.runtimeId && options.runtimeId.trim()) {
+        env["RUNTIME_ID"] = options.runtimeId.trim();
+    }
+    if (options.runtimeLeaseId && options.runtimeLeaseId.trim()) {
+        env["RUNTIME_LEASE_ID"] = options.runtimeLeaseId.trim();
+    }
+    if (!env["ORIGIN_ENDPOINT"]) {
+        const ratholeResolved = await resolveRatholeBinaryForCli({
+            env,
+            version: process.env["RATHOLE_VERSION"] ?? null,
+            cacheDir: process.env["RATHOLE_CACHE_DIR"] ?? null,
+            logger: (message) => console.log(kleur.cyan(`[rathole] ${message}`)),
+            warn: (message) => console.warn(kleur.yellow(message)),
+        });
+        if (!ratholeResolved) {
+            throw new Error("Tunnel is required but rathole is unavailable. Set RATHOLE_BIN (recommended) or pass --origin-endpoint to use a reachable URL.");
+        }
+    }
+    printStatus("Starting runtime-agent:", bin);
+    printStatus("Project:", projectId);
+    printStatus("Workspace:", workspace);
+    printStatus("Origin:", originId);
+    const detached = Boolean(options.detach);
+    const logFile = options.logFile?.trim()
+        ? path.resolve(options.logFile)
+        : detached
+            ? path.join(LOG_DIR, `runtime-${Date.now()}.log`)
+            : undefined;
+    if (logFile) {
+        ensureLogDir();
+    }
+    let stdio;
+    if (!logFile && !detached) {
+        stdio = "inherit";
+    }
+    else {
+        const out = logFile ? openSync(logFile, "a") : "ignore";
+        stdio = ["ignore", out, out];
+    }
+    const spawnOptions = { env, stdio, detached };
+    const child = spawn(bin, spawnOptions);
+    if (detached) {
+        child.unref();
+    }
+    const startedAt = new Date().toISOString();
+    writeState({
+        pid: child.pid ?? -1,
+        projectId,
+        workspace,
+        controllerUrl: env["CONTROLLER_BASE_URL"],
+        originId,
+        runtimeId: env["RUNTIME_ID"] ?? null,
+        displayName: env["RUNTIME_DISPLAY_NAME"],
+        startedAt,
+        logFile,
+        detached,
+    });
+    child.on("exit", (code, signal) => {
+        const msg = code !== null ? `code ${code}` : `signal ${signal}`;
+        console.log(kleur.yellow(`runtime-agent exited (${msg})`));
+        const current = readState();
+        if (current && current.pid === child.pid) {
+            clearState();
+        }
+    });
+}
+function formatStatus(state, running) {
+    return {
+        running,
+        pid: state.pid,
+        projectId: state.projectId,
+        workspace: state.workspace,
+        controllerUrl: state.controllerUrl ?? null,
+        originId: state.originId ?? null,
+        runtimeId: state.runtimeId ?? null,
+        displayName: state.displayName ?? null,
+        startedAt: state.startedAt,
+        logFile: state.logFile ?? null,
+        detached: state.detached ?? false,
+    };
+}
+async function sendOfflineBeat(state) {
+    if (!state.controllerUrl || !state.projectId || !state.originId) {
+        return;
+    }
+    const directToken = normalizeToken(process.env["RUNTIME_ACCESS_TOKEN"]) ??
+        normalizeToken(process.env["ORIGIN_INTERNAL_TOKEN"]);
+    let bearer = directToken;
+    if (!bearer) {
+        const controllerAccessToken = normalizeToken(process.env["CONTROLLER_ACCESS_TOKEN"]) ??
+            normalizeToken(process.env["SUPABASE_ACCESS_TOKEN"]);
+        if (controllerAccessToken) {
+            try {
+                bearer = await mintRuntimeAccessToken({
+                    controllerUrl: state.controllerUrl,
+                    controllerAccessToken,
+                    projectId: state.projectId,
+                    runtimeId: state.runtimeId ?? undefined,
+                });
+            }
+            catch (error) {
+                const suffix = error instanceof Error ? `: ${error.message}` : error ? `: ${String(error)}` : "";
+                console.warn(kleur.yellow(`Could not mint runtime token for offline beat${suffix}`));
+            }
+        }
+    }
+    if (!bearer) {
+        return;
+    }
+    const offlinePayload = {
+        projectId: state.projectId,
+        originId: state.originId,
+        status: "offline",
+        latencyMs: null,
+        region: "iad",
+        metadata: { cli: true },
+    };
+    try {
+        await fetch(`${state.controllerUrl.replace(/\/$/, "")}/projects/${encodeURIComponent(state.projectId)}/origin/presence/beat`, {
+            method: "POST",
+            headers: {
+                authorization: `Bearer ${bearer}`,
+                "content-type": "application/json",
+            },
+            body: JSON.stringify(offlinePayload),
+        });
+    }
+    catch {
+        // ignore failures
+    }
+}
+async function waitForExit(pid, timeoutMs) {
+    const start = Date.now();
+    while (Date.now() - start < timeoutMs) {
+        if (!isProcessAlive(pid))
+            return true;
+        await new Promise((resolve) => setTimeout(resolve, 200));
+    }
+    return !isProcessAlive(pid);
+}
+export async function runtimeStatus(options) {
+    const state = readState();
+    if (!state) {
+        if (options?.json) {
+            console.log(JSON.stringify({ running: false }));
+        }
+        else {
+            console.log(kleur.yellow("No runtime state found."));
+        }
+        return;
+    }
+    const alive = isProcessAlive(state.pid);
+    const payload = formatStatus(state, alive);
+    if (options?.json) {
+        console.log(JSON.stringify(payload));
+        return;
+    }
+    console.log(alive ? kleur.green("Runtime is running") : kleur.red("Runtime is not running"));
+    printStatus("PID:", String(state.pid));
+    printStatus("Project:", state.projectId);
+    printStatus("Workspace:", state.workspace);
+    if (state.controllerUrl)
+        printStatus("Controller:", state.controllerUrl);
+    if (state.originId)
+        printStatus("Origin:", state.originId);
+    if (state.runtimeId)
+        printStatus("Runtime:", state.runtimeId);
+    if (state.displayName)
+        printStatus("Name:", state.displayName);
+    printStatus("Started:", state.startedAt);
+    if (state.logFile)
+        printStatus("Log:", state.logFile);
+    printStatus("Detached:", state.detached ? "yes" : "no");
+    if (!alive) {
+        console.log(kleur.yellow("State file exists but process is not alive."));
+    }
+}
+export async function runtimeStop(options) {
+    const state = readState();
+    if (!state) {
+        if (options?.json) {
+            console.log(JSON.stringify({ stopped: false, reason: "not_running" }));
+        }
+        else {
+            console.log(kleur.yellow("Runtime not running."));
+        }
+        return;
+    }
+    if (!isProcessAlive(state.pid)) {
+        clearState();
+        if (options?.json) {
+            console.log(JSON.stringify({ stopped: false, reason: "not_running" }));
+        }
+        else {
+            console.log(kleur.yellow("Runtime process already stopped. State cleared."));
+        }
+        return;
+    }
+    try {
+        process.kill(state.pid, "SIGINT");
+    }
+    catch (error) {
+        if (options?.json) {
+            console.log(JSON.stringify({ stopped: false, error: String(error) }));
+            return;
+        }
+        throw error;
+    }
+    const exited = await waitForExit(state.pid, 5000);
+    if (!exited) {
+        try {
+            process.kill(state.pid, "SIGTERM");
+        }
+        catch {
+            // ignore
+        }
+    }
+    const alive = isProcessAlive(state.pid);
+    if (!alive) {
+        clearState();
+    }
+    await sendOfflineBeat(state);
+    const result = { stopped: !alive, pid: state.pid };
+    if (options?.json) {
+        console.log(JSON.stringify(result));
+    }
+    else {
+        console.log(!alive ? kleur.green("Runtime stopped.") : kleur.red("Failed to stop runtime."));
+    }
+}
+export async function runtimeToken(options) {
+    const controllerUrl = options.controllerUrl ?? process.env["CONTROLLER_BASE_URL"] ?? "http://127.0.0.1:8788";
+    const token = options.controllerAccessToken ??
+        process.env["CONTROLLER_ACCESS_TOKEN"] ??
+        process.env["SUPABASE_ACCESS_TOKEN"];
+    if (!token) {
+        throw new Error("Controller access token is required (--controller-access-token or CONTROLLER_ACCESS_TOKEN)");
+    }
+    const minted = await mintRuntimeAccessToken({
+        controllerUrl,
+        controllerAccessToken: token,
+        projectId: options.project,
+        runtimeId: options.runtimeId,
+        scopes: options.scopes,
+    });
+    if (options.json) {
+        console.log(JSON.stringify({ token: minted }));
+    }
+    else {
+        console.log(minted);
+    }
+    return minted;
+}