@kadi.build/deploy-ability 0.0.7 → 0.0.9

package/.env-example

@@ -0,0 +1,72 @@
+# Local & Remote File Manager Configuration
+# Copy this file to .env and customize the values
+
+# =============================================================================
+# LOCAL FILE SYSTEM CONFIGURATION
+# =============================================================================
+
+# Directory Paths (customize these for your setup)
+DEFAULT_LOCAL_ROOT=/Users/yourname/Documents
+DEFAULT_UPLOAD_DIRECTORY=./uploads
+DEFAULT_DOWNLOAD_DIRECTORY=./downloads
+DEFAULT_TEMP_DIRECTORY=./temp
+
+# File Operation Limits
+MAX_FILE_SIZE=1073741824
+CHUNK_SIZE=8388608
+MAX_RETRY_ATTEMPTS=3
+TIMEOUT_MS=30000
+
+# Performance Settings
+MAX_CONCURRENT_OPERATIONS=5
+ENABLE_PROGRESS_TRACKING=true
+ENABLE_CHECKSUM_VERIFICATION=true
+
+# Security Settings
+ALLOW_SYMLINKS=false
+RESTRICT_TO_BASE_PATH=true
+MAX_PATH_LENGTH=255
+
+# =============================================================================
+# FEATURE CONFIGURATION (Future Buckets)
+# =============================================================================
+
+# File Watching (Bucket 2)
+WATCH_ENABLED=true
+WATCH_RECURSIVE=true
+WATCH_IGNORE_DOTFILES=true
+WATCH_DEBOUNCE_MS=100
+
+# Compression (Bucket 3)
+COMPRESSION_ENABLED=true
+COMPRESSION_LEVEL=6
+COMPRESSION_FORMAT=zip
+
+# Tunneling (Bucket 4) - Multi-Service Configuration
+TUNNEL_SERVICE=kadi
+TUNNEL_FALLBACK_SERVICES=ngrok,serveo,localtunnel
+TUNNEL_AUTH_TOKEN=
+TUNNEL_SUBDOMAIN=
+TUNNEL_REGION=us
+TUNNEL_AUTO_FALLBACK=true
+
+# Ngrok-specific configuration
+NGROK_AUTH_TOKEN=your-ngrok-auth-token
+NGROK_REGION=us
+NGROK_PROTOCOL=http
+
+# KĀDI Tunnel Configuration
+KADI_TUNNEL_SERVER=broker.kadi.build
+KADI_TUNNEL_SSH_PORT=2200
+KADI_TUNNEL_TOKEN=your-kadi-tunnel-token
+KADI_TUNNEL_DOMAIN=tunnel.kadi.build
+KADI_TUNNEL_MODE=frpc
+KADI_TUNNEL_TRANSPORT=wss
+KADI_TUNNEL_WSS_HOST=tunnel-control.kadi.build
+KADI_AGENT_ID=kadi
+
+
+# Logging
+LOG_LEVEL=info
+ENABLE_FILE_LOGGING=false
+LOG_FILE_PATH=./logs/application.log

package/README.md

@@ -16,6 +16,7 @@
 **Type-Safe** - Complete TypeScript support with zero `any` types
 **Delightful API** - Simple for common tasks, powerful for advanced use cases
 **Flexible Wallet Support** - Human approval (WalletConnect) or autonomous signing (agents)
+**Autonomous Mode** - Fully automated deployments with secure secrets integration
 **Well-Documented** - Comprehensive JSDoc with IntelliSense
 **Production-Ready** - Handles Akash Network complexity elegantly
 
@@ -167,6 +168,30 @@ if (result.success) {
 }
 ```
 
+### Autonomous Deployment (Agent-Controlled)
+
+For fully automated deployments with secrets integration:
+
+```typescript
+import { createSecretsProvider, deployToAkash } from 'deploy-ability';
+
+// In a KADI agent:
+const secrets = createSecretsProvider(this.secrets);
+
+const result = await deployToAkash({
+  autonomous: { secrets, bidStrategy: 'cheapest' },
+  projectRoot: process.cwd(),
+  profile: 'production',
+  network: 'mainnet',
+});
+
+if (result.success) {
+  console.log(`Deployed! DSEQ: ${result.data.dseq}`);
+}
+```
+
+See [Autonomous Deployment with Secrets Integration](#autonomous-deployment-with-secrets-integration) for full details.
+
 ### Deploy to Local Docker
 
 ```typescript
@@ -329,6 +354,221 @@ class SelfDeployingAgent {
 
 ---
 
+## Autonomous Deployment with Secrets Integration
+
+For fully automated deployments, deploy-ability integrates with KADI's `secret-ability` to securely retrieve wallet mnemonics from encrypted vaults. This enables agents to deploy without any user interaction while keeping secrets secure.
+
+### How It Works
+
+```mermaid
+sequenceDiagram
+    participant Agent as KADI Agent
+    participant Secrets as secret-ability
+    participant Keychain as OS Keychain
+    participant Deploy as deploy-ability
+    participant Akash as Akash Network
+
+    Agent->>Secrets: Get mnemonic from vault
+    Secrets->>Keychain: Get master key
+    Keychain-->>Secrets: Master key
+    Secrets-->>Agent: Decrypted mnemonic
+    Agent->>Deploy: deployToAkash({ autonomous: { secrets } })
+    Deploy->>Akash: Create deployment (auto-sign)
+    Akash-->>Deploy: Deployment result
+    Deploy-->>Agent: Success!
+```
+
+### Vault Configuration
+
+Secrets are stored in a **global vault** at the machine level:
+
+| Setting | Value |
+|---------|-------|
+| Config Path | `~/.kadi/secrets/config.toml` |
+| Vault Name | `global` |
+| Vault Type | `age` (ChaCha20-Poly1305 encryption) |
+| Master Key | Stored in OS Keychain (macOS Keychain, GNOME Keyring, etc.) |
+
+### Secret Keys
+
+| Key | Description |
+|-----|-------------|
+| `AKASH_WALLET` | BIP39 mnemonic phrase (12 or 24 words) |
+| `akash-tls-certificate` | Cached TLS certificate for provider communication |
+| `akash-wallet-password` | Optional BIP39 passphrase |
+
+### Setup: Store Your Mnemonic
+
+Before using autonomous deployment, store your mnemonic in the global vault:
+
+```bash
+# Using KADI CLI
+kadi secrets set --vault global --key AKASH_WALLET --value "your 12 or 24 word mnemonic phrase here"
+```
+
+Or programmatically with secret-ability:
+
+```typescript
+// 1. Create the global vault (one-time)
+await secrets.invoke('config.createVault', {
+  configPath: '~/.kadi/secrets/config.toml',
+  name: 'global',
+  type: 'age'
+});
+
+// 2. Store the mnemonic
+await secrets.invoke('set', {
+  configPath: '~/.kadi/secrets/config.toml',
+  vault: 'global',
+  key: 'AKASH_WALLET',
+  value: 'your 12 or 24 word mnemonic phrase here'
+});
+```
+
+### Usage: Autonomous Deployment
+
+#### Option 1: Using `createSecretsProvider` (Recommended)
+
+Integrates directly with KADI's secret-ability:
+
+```typescript
+import { 
+  createSecretsProvider, 
+  deployToAkash 
+} from 'deploy-ability';
+
+// In a KADI agent context:
+class DeploymentAgent {
+  async deploy(profile: string) {
+    // Create secrets provider from secret-ability client
+    const secrets = createSecretsProvider(this.secrets);
+
+    // Deploy autonomously - no user interaction needed!
+    const result = await deployToAkash({
+      autonomous: {
+        secrets,
+        bidStrategy: 'cheapest',  // or 'most-reliable'
+      },
+      projectRoot: process.cwd(),
+      profile,
+      network: 'mainnet',
+    });
+
+    if (result.success) {
+      console.log(`Deployed! DSEQ: ${result.data.dseq}`);
+      console.log(`Provider: ${result.data.providerUri}`);
+    }
+
+    return result;
+  }
+}
+```
+
+#### Option 2: Using `createSimpleMnemonicProvider` (Testing)
+
+For testing or when secret-ability is not available:
+
+```typescript
+import { 
+  createSimpleMnemonicProvider, 
+  deployToAkash 
+} from 'deploy-ability';
+
+// ⚠️ For testing only - mnemonic stored in memory
+const secrets = createSimpleMnemonicProvider(
+  'test test test test test test test test test test test junk'
+);
+
+const result = await deployToAkash({
+  autonomous: {
+    secrets,
+    bidStrategy: 'cheapest',
+  },
+  projectRoot: './my-app',
+  profile: 'production',
+  network: 'testnet',  // Use testnet for testing!
+});
+```
+
+#### Option 3: Custom SecretsProvider
+
+Implement the `SecretsProvider` interface for custom secret backends:
+
+```typescript
+import { deployToAkash, SecretsProvider } from 'deploy-ability';
+
+// Custom provider (e.g., AWS Secrets Manager, HashiCorp Vault)
+const customSecrets: SecretsProvider = {
+  async getMnemonic() {
+    // Fetch from your secret backend
+    return await mySecretManager.getSecret('akash-wallet-mnemonic');
+  },
+
+  async getCertificate() {
+    // Optional: return cached certificate
+    const cert = await mySecretManager.getSecret('akash-certificate');
+    return cert ? JSON.parse(cert) : null;
+  },
+
+  async storeCertificate(cert) {
+    // Optional: cache the certificate
+    await mySecretManager.setSecret('akash-certificate', JSON.stringify(cert));
+  },
+};
+
+const result = await deployToAkash({
+  autonomous: { secrets: customSecrets, bidStrategy: 'cheapest' },
+  projectRoot: './my-app',
+  profile: 'production',
+  network: 'mainnet',
+});
+```
+
+### Bid Selection Strategies
+
+When deploying autonomously, you must specify a bid selection strategy:
+
+| Strategy | Description |
+|----------|-------------|
+| `'cheapest'` | Select the lowest price bid |
+| `'most-reliable'` | Select the bid with highest provider uptime |
+| `'balanced'` | Balance between price and provider reliability |
+
+You can also add filters:
+
+```typescript
+autonomous: {
+  secrets,
+  bidStrategy: 'cheapest',
+  bidFilter: {
+    maxPricePerMonth: { uakt: 5_000_000 },  // Max 5 AKT/month
+    requireAudited: true,                    // Only audited providers
+    minUptime: { value: 0.95, period: '7d' }, // 95% uptime over 7 days
+  },
+}
+```
+
+### Exported Constants
+
+For programmatic access to configuration:
+
+```typescript
+import {
+  AKASH_VAULT_NAME,      // 'global'
+  GLOBAL_CONFIG_PATH,    // '~/.kadi/secrets/config.toml'
+  AKASH_SECRET_KEYS,     // { WALLET_MNEMONIC: 'AKASH_WALLET', ... }
+} from 'deploy-ability';
+```
+
+### Security Model
+
+1. **Encrypted at Rest**: Secrets are encrypted with ChaCha20-Poly1305 in `config.toml`
+2. **Master Key in Keychain**: The encryption key is stored in the OS keychain (never in files)
+3. **No Plaintext**: Mnemonics are never written to disk in plaintext
+4. **Per-Machine**: Secrets are tied to the machine's keychain - can't be copied
+
+---
+
 ## Error Handling
 
 deploy-ability uses a **Result type pattern** for predictable error handling:

package/dist/targets/akash/deployer.d.ts

@@ -12,24 +12,29 @@
  *
  * @module targets/akash/deployer
  */
-import { type AkashDeploymentOptions, type AkashDeploymentResult } from '../../types/index.js';
+import { type AkashDeploymentOptions, type AkashDeploymentResult, type AutonomousDeploymentConfig } from '../../types/index.js';
 import type { BidSelector } from './bids.js';
 import type { AkashProviderTlsCertificate, WalletContext } from './types.js';
 /**
  * Additional parameters required to execute a deployment
  *
+ * Supports two modes:
+ * 1. **Manual mode**: Provide `wallet`, `certificate`, and `bidSelector` directly
+ * 2. **Autonomous mode**: Provide `autonomous` config for fully automated deployment
+ *
  * For dry-run mode, wallet and certificate are optional (only SDL generation needed).
- * For actual deployments, wallet, certificate, and bidSelector are all required.
  */
 export interface AkashDeploymentExecution extends AkashDeploymentOptions {
     readonly wallet?: WalletContext;
     readonly certificate?: AkashProviderTlsCertificate;
     /**
-     * Bid selection function
+     * Bid selection function (manual mode)
      *
      * Called with all available bids after waiting for provider responses.
      * Must return the selected bid or null if none are acceptable.
      *
+     * Not required when using `autonomous` mode.
+     *
      * @example
      * ```typescript
      * import { deployToAkash, selectCheapestBid} from '@kadi.build/deploy-ability/akash';
@@ -49,9 +54,65 @@ export interface AkashDeploymentExecution extends AkashDeploymentOptions {
      * @default 180000 (3 minutes)
      */
     readonly bidTimeout?: number;
+    /**
+     * Autonomous deployment configuration
+     *
+     * When provided, enables fully automated deployment without user interaction:
+     * - Wallet is created from mnemonic provided by SecretsProvider
+     * - Certificate is retrieved from cache or auto-generated
+     * - Bids are selected algorithmically based on strategy
+     *
+     * This is mutually exclusive with `wallet`, `certificate`, and `bidSelector`.
+     *
+     * @example
+     * ```typescript
+     * const result = await deployToAkash({
+     *   projectRoot: './',
+     *   profile: 'production',
+     *   autonomous: {
+     *     secrets: {
+     *       getMnemonic: () => vault.getSecret('wallet-mnemonic'),
+     *       getCertificate: () => storage.get('akash-cert'),
+     *       storeCertificate: (cert) => storage.set('akash-cert', cert),
+     *     },
+     *     bidStrategy: 'cheapest',
+     *   }
+     * });
+     * ```
+     */
+    readonly autonomous?: AutonomousDeploymentConfig;
 }
 /**
  * Executes a full Akash deployment.
+ *
+ * Supports two modes:
+ * 1. **Manual mode**: Provide `wallet`, `certificate`, and `bidSelector` directly
+ * 2. **Autonomous mode**: Provide `autonomous` config for fully automated deployment
+ *
+ * @example Manual mode
+ * ```typescript
+ * const result = await deployToAkash({
+ *   wallet: myWallet,
+ *   certificate: myCert,
+ *   bidSelector: selectCheapestBid,
+ *   projectRoot: './',
+ *   profile: 'production',
+ * });
+ * ```
+ *
+ * @example Autonomous mode (agent-controlled)
+ * ```typescript
+ * const result = await deployToAkash({
+ *   projectRoot: './',
+ *   profile: 'production',
+ *   autonomous: {
+ *     secrets: {
+ *       getMnemonic: () => vault.getSecret('wallet-mnemonic'),
+ *     },
+ *     bidStrategy: 'cheapest',
+ *   }
+ * });
+ * ```
  */
 export declare function deployToAkash(params: AkashDeploymentExecution): Promise<AkashDeploymentResult>;
 //# sourceMappingURL=deployer.d.ts.map

package/dist/targets/akash/deployer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"deployer.d.ts","sourceRoot":"","sources":["../../../src/targets/akash/deployer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAGH,OAAO,EAGL,KAAK,sBAAsB,EAC3B,KAAK,qBAAqB,EAM3B,MAAM,sBAAsB,CAAC;AAQ9B,OAAO,KAAK,EAAe,WAAW,EAAe,MAAM,WAAW,CAAC;AAcvE,OAAO,KAAK,EAAE,2BAA2B,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAuF7E;;;;;GAKG;AACH,MAAM,WAAW,wBAAyB,SAAQ,sBAAsB;IACtE,QAAQ,CAAC,MAAM,CAAC,EAAE,aAAa,CAAC;IAChC,QAAQ,CAAC,WAAW,CAAC,EAAE,2BAA2B,CAAC;IAEnD;;;;;;;;;;;;;;;;;;OAkBG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,WAAW,CAAC;IAEnC;;;OAGG;IACH,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED;;GAEG;AACH,wBAAsB,aAAa,CACjC,MAAM,EAAE,wBAAwB,GAC/B,OAAO,CAAC,qBAAqB,CAAC,CAwdhC"}
+{"version":3,"file":"deployer.d.ts","sourceRoot":"","sources":["../../../src/targets/akash/deployer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAGH,OAAO,EAGL,KAAK,sBAAsB,EAC3B,KAAK,qBAAqB,EAI1B,KAAK,0BAA0B,EAGhC,MAAM,sBAAsB,CAAC;AAQ9B,OAAO,KAAK,EAAe,WAAW,EAAe,MAAM,WAAW,CAAC;AAoBvE,OAAO,KAAK,EAAE,2BAA2B,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAyF7E;;;;;;;;GAQG;AACH,MAAM,WAAW,wBAAyB,SAAQ,sBAAsB;IACtE,QAAQ,CAAC,MAAM,CAAC,EAAE,aAAa,CAAC;IAChC,QAAQ,CAAC,WAAW,CAAC,EAAE,2BAA2B,CAAC;IAEnD;;;;;;;;;;;;;;;;;;;;OAoBG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,WAAW,CAAC;IAEnC;;;OAGG;IACH,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAE7B;;;;;;;;;;;;;;;;;;;;;;;;;OAyBG;IACH,QAAQ,CAAC,UAAU,CAAC,EAAE,0BAA0B,CAAC;CAClD;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AACH,wBAAsB,aAAa,CACjC,MAAM,EAAE,wBAAwB,GAC/B,OAAO,CAAC,qBAAqB,CAAC,CA+lBhC"}

package/dist/targets/akash/deployer.js

@@ -16,12 +16,15 @@ import Long from 'long';
 import { success, failure, createWalletAddress, createDeploymentSequence, } from '../../types/index.js';
 import { defaultLogger } from '../../utils/logger.js';
 import { loadProfile } from '../../utils/profile-loader.js';
+import { selectCheapestBid, selectMostReliableBid, selectBalancedBid, filterBids, } from './bids.js';
 import { sendManifestToProvider, fetchProviderLeaseStatus, } from './provider-manager.js';
 import { AkashClient } from './client.js';
 import { waitForContainersRunning } from './lease-monitor.js';
 import { LeasePrice } from './pricing.js';
 import { generateAkashSdl, createSdlObject, } from './sdl-generator.js';
 import { DeploymentError, getErrorMessage } from '../../errors/index.js';
+import { createWalletFromMnemonic } from './wallet-manager.js';
+import { CertificateManager } from './certificate-manager.js';
 /**
  * Intelligent blacklist resolution with progressive disclosure
  *
@@ -85,9 +88,38 @@ function resolveBlacklist(profileBlacklist, optionsBlacklist, logger) {
 }
 /**
  * Executes a full Akash deployment.
+ *
+ * Supports two modes:
+ * 1. **Manual mode**: Provide `wallet`, `certificate`, and `bidSelector` directly
+ * 2. **Autonomous mode**: Provide `autonomous` config for fully automated deployment
+ *
+ * @example Manual mode
+ * ```typescript
+ * const result = await deployToAkash({
+ *   wallet: myWallet,
+ *   certificate: myCert,
+ *   bidSelector: selectCheapestBid,
+ *   projectRoot: './',
+ *   profile: 'production',
+ * });
+ * ```
+ *
+ * @example Autonomous mode (agent-controlled)
+ * ```typescript
+ * const result = await deployToAkash({
+ *   projectRoot: './',
+ *   profile: 'production',
+ *   autonomous: {
+ *     secrets: {
+ *       getMnemonic: () => vault.getSecret('wallet-mnemonic'),
+ *     },
+ *     bidStrategy: 'cheapest',
+ *   }
+ * });
+ * ```
  */
 export async function deployToAkash(params) {
-    const { wallet, certificate, bidSelector, logger: customLogger, dryRun = false, ...options } = params;
+    const { wallet: providedWallet, certificate: providedCertificate, bidSelector: providedBidSelector, autonomous, logger: customLogger, dryRun = false, ...options } = params;
     const logger = customLogger ?? defaultLogger;
     // ---------------------------------------------------------------------------
     // Load and validate deployment profile
@@ -133,17 +165,106 @@ export async function deployToAkash(params) {
         return success(dryRunResult);
     }
     // ---------------------------------------------------------------------------
+    // Resolve wallet, certificate, and bid selector
+    // Either from direct params (manual mode) or autonomous config
+    // ---------------------------------------------------------------------------
+    let wallet = providedWallet;
+    let certificate = providedCertificate;
+    let bidSelector = providedBidSelector;
+    // Track if we're in autonomous mode for cleanup
+    // Note: isAutonomous could be used for future cleanup logic
+    const _isAutonomous = !!autonomous;
+    void _isAutonomous;
+    if (autonomous) {
+        logger.log('🤖 Autonomous mode: setting up agent-controlled wallet...');
+        // Step 1: Get mnemonic from secrets provider
+        let mnemonic;
+        try {
+            mnemonic = await autonomous.secrets.getMnemonic();
+        }
+        catch (error) {
+            const errMsg = getErrorMessage(error);
+            return failure(new DeploymentError(`Failed to retrieve mnemonic from secrets provider: ${errMsg}`, 'SECRETS_ERROR', { error: errMsg }, false, 'Ensure your SecretsProvider.getMnemonic() is working correctly'));
+        }
+        // Step 2: Create wallet from mnemonic
+        const walletResult = await createWalletFromMnemonic(mnemonic, network);
+        if (!walletResult.success) {
+            return failure(new DeploymentError(`Failed to create wallet from mnemonic: ${walletResult.error.message}`, 'WALLET_CREATION_FAILED', { originalError: walletResult.error }, false, 'Check that the mnemonic is a valid BIP39 phrase (12 or 24 words)'));
+        }
+        wallet = walletResult.data;
+        logger.log(`✓ Wallet ready: ${wallet.address}`);
+        // Step 3: Get or create certificate
+        // First, try to get existing certificate from secrets provider
+        if (autonomous.secrets.getCertificate) {
+            try {
+                const existingCert = await autonomous.secrets.getCertificate();
+                if (existingCert) {
+                    certificate = existingCert;
+                    logger.log('✓ Using cached certificate from secrets provider');
+                }
+            }
+            catch (error) {
+                // Non-fatal: we'll generate a new certificate
+                logger.debug?.(`Could not retrieve cached certificate: ${getErrorMessage(error)}`);
+            }
+        }
+        // If no cached certificate, generate and broadcast a new one
+        if (!certificate) {
+            logger.log('🔐 Generating new TLS certificate...');
+            // Create a temporary client with signing capability for certificate operations
+            const tempClient = new AkashClient({
+                network,
+                signer: wallet.signer,
+            });
+            const certManager = new CertificateManager(tempClient);
+            let certResult = await certManager.getOrCreate(wallet.address);
+            // Auto-revoke stale on-chain certificate when deploying from a new machine
+            // (cert exists on blockchain but private key is not available locally)
+            if (!certResult.success && certResult.error.code === 'CERT_NOT_FOUND') {
+                logger.log('\u26A0 Certificate exists on-chain but not available locally \u2014 revoking and creating new...');
+                const revokeResult = await certManager.revoke(wallet.address);
+                if (!revokeResult.success) {
+                    return failure(new DeploymentError(`Failed to revoke stale certificate: ${revokeResult.error.message}`, 'CERTIFICATE_CREATION_FAILED', { originalError: revokeResult.error }, false, 'Could not revoke existing on-chain certificate to create a new one'));
+                }
+                logger.log(`\u2713 Revoked ${revokeResult.data.revokedCount} stale certificate(s)`);
+                // Retry - blockchain is now clear for a fresh certificate
+                certResult = await certManager.getOrCreate(wallet.address);
+            }
+            if (!certResult.success) {
+                return failure(new DeploymentError(`Failed to create certificate: ${certResult.error.message}`, 'CERTIFICATE_CREATION_FAILED', { originalError: certResult.error }, false, 'Certificate generation or blockchain broadcast failed'));
+            }
+            certificate = certResult.data;
+            logger.log('✓ Certificate generated and broadcast to blockchain');
+            // Store the new certificate if the secrets provider supports it
+            if (autonomous.secrets.storeCertificate) {
+                try {
+                    await autonomous.secrets.storeCertificate(certificate);
+                    logger.debug?.('Certificate stored in secrets provider for future use');
+                }
+                catch (error) {
+                    // Non-fatal: certificate is already on blockchain
+                    logger.warn?.(`Could not store certificate: ${getErrorMessage(error)}`);
+                }
+            }
+        }
+        // Step 4: Create bid selector from strategy
+        const strategy = autonomous.bidStrategy ?? 'cheapest';
+        const filter = autonomous.bidFilter;
+        bidSelector = createBidSelectorFromStrategy(strategy, filter, logger);
+        logger.log(`✓ Bid selection strategy: ${strategy}`);
+    }
+    // ---------------------------------------------------------------------------
     // Runtime validation: wallet and certificate required for actual deployment
     // ---------------------------------------------------------------------------
     if (!wallet) {
-        return failure(new DeploymentError('Wallet is required for deployment (not dry-run)', 'WALLET_REQUIRED', {}, false, 'Connect wallet using wallet-manager before deployment'));
+        return failure(new DeploymentError('Wallet is required for deployment (not dry-run)', 'WALLET_REQUIRED', {}, false, 'Connect wallet using wallet-manager before deployment, or use autonomous mode'));
     }
     if (!certificate) {
-        return failure(new DeploymentError('TLS certificate is required to communicate with the provider', 'CERTIFICATE_REQUIRED', {}, false, 'Generate or load a certificate using certificate-manager before deployment'));
+        return failure(new DeploymentError('TLS certificate is required to communicate with the provider', 'CERTIFICATE_REQUIRED', {}, false, 'Generate or load a certificate using certificate-manager before deployment, or use autonomous mode'));
     }
     if (!bidSelector) {
         return failure(new DeploymentError('Bid selector function is required for deployment', 'BID_SELECTOR_REQUIRED', {}, false, 'Provide a bidSelector function to choose which provider bid to accept. ' +
-            'Use pre-built selectors like selectCheapestBid, selectMostReliableBid, or implement custom logic.'));
+            'Use pre-built selectors like selectCheapestBid, selectMostReliableBid, or use autonomous mode.'));
     }
     // -----------------------------------------------------------------------
     // Initialize AkashClient with signing capability
@@ -390,6 +511,51 @@ function determineDeposit(options, profile) {
     }
     return 5; // Default deposit in AKT
 }
+/**
+ * Creates a bid selector function from strategy and filter criteria
+ *
+ * Used by autonomous mode to convert configuration into a BidSelector function.
+ */
+function createBidSelectorFromStrategy(strategy, filter, logger) {
+    return async (bids) => {
+        let filteredBids = bids;
+        // Apply filter criteria if provided
+        if (filter) {
+            // Convert per-block price to per-month for filterBids
+            // Blocks per month: ~431,572 (6.098s per block)
+            const BLOCKS_PER_MONTH = 431572;
+            const maxPricePerMonth = filter.maxPricePerBlock
+                ? { uakt: filter.maxPricePerBlock * BLOCKS_PER_MONTH }
+                : undefined;
+            filteredBids = filterBids(bids, {
+                maxPricePerMonth,
+                minUptime: filter.minUptime,
+                requireAudited: filter.requireAudited,
+                preferredRegions: filter.preferredRegions ? [...filter.preferredRegions] : undefined,
+                requireOnline: filter.requireOnline,
+            });
+            logger.debug?.(`Filtered bids: ${filteredBids.length}/${bids.length} passed criteria`);
+            if (filteredBids.length === 0) {
+                logger.warn?.('No bids passed filter criteria');
+                return null;
+            }
+        }
+        // Apply strategy to select best bid
+        switch (strategy) {
+            case 'cheapest':
+                return selectCheapestBid(filteredBids);
+            case 'most-reliable':
+                return selectMostReliableBid(filteredBids);
+            case 'balanced':
+                return selectBalancedBid(filteredBids);
+            default: {
+                // Fallback for any unknown strategy
+                logger.warn?.(`Unknown bid strategy, falling back to cheapest`);
+                return selectCheapestBid(filteredBids);
+            }
+        }
+    };
+}
 /** Normalises deployment data into the published AkashDeploymentData structure */
 function createDeploymentData(params) {
     const { deployment, lease, leaseDetails, deploymentDetails, providerUri, profileName, network, certificate, providerStatus, selectedBid, } = params;