@layr-labs/ecloud-cli 0.2.0-dev.2 → 0.2.0-dev.3

package/dist/commands/compute/app/deploy.js

@@ -2,14 +2,7 @@
 
 // src/commands/compute/app/deploy.ts
 import { Command, Flags as Flags2 } from "@oclif/core";
-import {
-  getEnvironmentConfig as getEnvironmentConfig2,
-  UserApiClient as UserApiClient3,
-  isMainnet,
-  prepareDeploy,
-  executeDeploy,
-  watchDeployment
-} from "@layr-labs/ecloud-sdk";
+import { getEnvironmentConfig as getEnvironmentConfig3, UserApiClient as UserApiClient3, isMainnet } from "@layr-labs/ecloud-sdk";
 
 // src/telemetry.ts
 import {
@@ -71,6 +64,29 @@ function saveGlobalConfig(config) {
   const content = dumpYaml(config, { lineWidth: -1 });
   fs.writeFileSync(configPath, content, { mode: 420 });
 }
+function normalizeDirectoryPath(directoryPath) {
+  const resolved = path.resolve(directoryPath);
+  try {
+    return fs.realpathSync(resolved);
+  } catch {
+    return resolved;
+  }
+}
+function setLinkedAppForDirectory(environment, directoryPath, appId) {
+  if (!directoryPath || !environment) {
+    return;
+  }
+  const config = loadGlobalConfig();
+  if (!config.directory_links) {
+    config.directory_links = {};
+  }
+  if (!config.directory_links[environment]) {
+    config.directory_links[environment] = {};
+  }
+  const normalizedPath = normalizeDirectoryPath(directoryPath);
+  config.directory_links[environment][normalizedPath] = appId.toLowerCase();
+  saveGlobalConfig(config);
+}
 function getDefaultEnvironment() {
   const config = loadGlobalConfig();
   return config.default_environment;
@@ -161,6 +177,7 @@ async function withTelemetry(command, action) {
 
 // src/flags.ts
 import { Flags } from "@oclif/core";
+import { getBuildType as getBuildType3 } from "@layr-labs/ecloud-sdk";
 
 // src/utils/prompts.ts
 import { input, select, password, confirm as inquirerConfirm } from "@inquirer/prompts";
@@ -256,7 +273,7 @@ function findAvailableName(environment, baseName) {
 
 // src/utils/version.ts
 function getCliVersion() {
-  return true ? "0.2.0-dev.2" : "0.0.0";
+  return true ? "0.2.0-dev.3" : "0.0.0";
 }
 function getClientId() {
   return `ecloud-cli/v${getCliVersion()}`;
@@ -290,6 +307,113 @@ Found Dockerfile in ${cwd}`);
       throw new Error(`Unexpected choice: ${choice}`);
   }
 }
+async function promptUseVerifiableBuild() {
+  return confirmWithDefault("Build from verifiable source?", false);
+}
+async function promptVerifiableSourceType() {
+  return select({
+    message: "Choose verifiable source type:",
+    choices: [
+      { name: "Build from git source (public repo required)", value: "git" },
+      { name: "Use a prebuilt verifiable image (eigencloud-containers)", value: "prebuilt" }
+    ]
+  });
+}
+async function promptVerifiableGitSourceInputs() {
+  const repoUrl = (await input({
+    message: "Enter public git repository URL:",
+    default: "",
+    validate: (value) => {
+      if (!value.trim()) return "Repository URL is required";
+      try {
+        const url = new URL(value.trim());
+        if (url.protocol !== "https:") return "Repository URL must start with https://";
+        if (url.hostname.toLowerCase() !== "github.com")
+          return "Repository URL must be a public GitHub HTTPS URL (github.com)";
+        const parts = url.pathname.replace(/\/+$/, "").split("/").filter(Boolean);
+        if (parts.length < 2) return "Repository URL must be https://github.com/<owner>/<repo>";
+        const [owner, repo] = parts;
+        if (!owner || !repo) return "Repository URL must be https://github.com/<owner>/<repo>";
+        if (repo.toLowerCase() === "settings") return "Repository URL looks invalid";
+        if (url.search || url.hash)
+          return "Repository URL must not include query params or fragments";
+      } catch {
+        return "Invalid URL format";
+      }
+      return true;
+    }
+  })).trim();
+  const gitRef = (await input({
+    message: "Enter git commit SHA (40 hex chars):",
+    default: "",
+    validate: (value) => {
+      const trimmed = value.trim();
+      if (!trimmed) return "Commit SHA is required";
+      if (!/^[0-9a-f]{40}$/i.test(trimmed))
+        return "Commit must be a 40-character hexadecimal SHA";
+      return true;
+    }
+  })).trim();
+  const buildContextPath = (await input({
+    message: "Enter build context path (relative to repo):",
+    default: ".",
+    validate: (value) => value.trim() ? true : "Build context path cannot be empty"
+  })).trim();
+  const dockerfilePath = (await input({
+    message: "Enter Dockerfile path (relative to build context):",
+    default: "Dockerfile",
+    validate: (value) => value.trim() ? true : "Dockerfile path cannot be empty"
+  })).trim();
+  const caddyfileRaw = (await input({
+    message: "Enter Caddyfile path (relative to build context, optional):",
+    default: "",
+    validate: (value) => {
+      const trimmed = value.trim();
+      if (!trimmed) return true;
+      if (trimmed.includes("..")) return "Caddyfile path must not contain '..'";
+      return true;
+    }
+  })).trim();
+  const depsRaw = (await input({
+    message: "Enter dependency digests (comma-separated sha256:..., optional):",
+    default: "",
+    validate: (value) => {
+      const trimmed = value.trim();
+      if (!trimmed) return true;
+      const parts = trimmed.split(",").map((p) => p.trim()).filter(Boolean);
+      for (const p of parts) {
+        if (!/^sha256:[0-9a-f]{64}$/i.test(p)) {
+          return `Invalid dependency digest: ${p} (expected sha256:<64 hex>)`;
+        }
+      }
+      return true;
+    }
+  })).trim();
+  const dependencies = depsRaw === "" ? [] : depsRaw.split(",").map((p) => p.trim()).filter(Boolean);
+  return {
+    repoUrl,
+    gitRef,
+    dockerfilePath,
+    caddyfilePath: caddyfileRaw === "" ? void 0 : caddyfileRaw,
+    buildContextPath,
+    dependencies
+  };
+}
+async function promptVerifiablePrebuiltImageRef() {
+  const ref = await input({
+    message: "Enter prebuilt verifiable image ref:",
+    default: "docker.io/eigenlayer/eigencloud-containers:",
+    validate: (value) => {
+      const trimmed = value.trim();
+      if (!trimmed) return "Image reference is required";
+      if (!/^docker\.io\/eigenlayer\/eigencloud-containers:[^@\s]+$/i.test(trimmed)) {
+        return "Image ref must match docker.io/eigenlayer/eigencloud-containers:<tag>";
+      }
+      return true;
+    }
+  });
+  return ref.trim();
+}
 function extractHostname(registry) {
   let hostname = registry.replace(/^https?:\/\//, "");
   hostname = hostname.split("/")[0];
@@ -538,9 +662,9 @@ async function getImageReferenceInteractive(imageRef, buildFromDockerfile = fals
   });
   return imageRefInput;
 }
-async function getAvailableAppNameInteractive(environment, imageRef) {
-  const baseName = extractAppNameFromImage(imageRef);
-  const suggestedName = findAvailableName(environment, baseName);
+async function getAvailableAppNameInteractive(environment, imageRef, suggestedBaseName, skipDefaultName) {
+  const baseName = skipDefaultName ? void 0 : suggestedBaseName || extractAppNameFromImage(imageRef);
+  const suggestedName = baseName ? findAvailableName(environment, baseName) : void 0;
   while (true) {
     console.log("\nApp name selection:");
     const name = await input({
@@ -563,16 +687,16 @@ async function getAvailableAppNameInteractive(environment, imageRef) {
     console.log(`Suggested alternative: ${newSuggested}`);
   }
 }
-async function getOrPromptAppName(appName, environment, imageRef) {
+async function getOrPromptAppName(appName, environment, imageRef, suggestedBaseName, skipDefaultName) {
   if (appName) {
     validateAppName(appName);
     if (isAppNameAvailable(environment, appName)) {
       return appName;
     }
     console.log(`Warning: App name '${appName}' is already taken.`);
-    return getAvailableAppNameInteractive(environment, imageRef);
+    return getAvailableAppNameInteractive(environment, imageRef, suggestedBaseName, skipDefaultName);
   }
-  return getAvailableAppNameInteractive(environment, imageRef);
+  return getAvailableAppNameInteractive(environment, imageRef, suggestedBaseName, skipDefaultName);
 }
 async function getEnvFileInteractive(envFilePath) {
   if (envFilePath && fs3.existsSync(envFilePath)) {
@@ -710,8 +834,8 @@ async function getPrivateKeyInteractive(privateKey) {
     }
     return privateKey;
   }
-  const { getPrivateKeyWithSource } = await import("@layr-labs/ecloud-sdk");
-  const result = await getPrivateKeyWithSource({ privateKey: void 0 });
+  const { getPrivateKeyWithSource: getPrivateKeyWithSource2 } = await import("@layr-labs/ecloud-sdk");
+  const result = await getPrivateKeyWithSource2({ privateKey: void 0 });
   if (result) {
     return result.key;
   }
@@ -730,6 +854,50 @@ async function getPrivateKeyInteractive(privateKey) {
   });
   return key.trim();
 }
+async function getEnvironmentInteractive(environment) {
+  if (environment) {
+    try {
+      getEnvironmentConfig(environment);
+      if (!isEnvironmentAvailable(environment)) {
+        throw new Error(`Environment ${environment} is not available in this build`);
+      }
+      return environment;
+    } catch {
+    }
+  }
+  const availableEnvs = getAvailableEnvironments();
+  let defaultEnv;
+  const configDefaultEnv = getDefaultEnvironment();
+  if (configDefaultEnv && availableEnvs.includes(configDefaultEnv)) {
+    try {
+      getEnvironmentConfig(configDefaultEnv);
+      defaultEnv = configDefaultEnv;
+    } catch {
+    }
+  }
+  const choices = [];
+  if (availableEnvs.includes("sepolia")) {
+    choices.push({ name: "sepolia - Ethereum Sepolia testnet", value: "sepolia" });
+  }
+  if (availableEnvs.includes("sepolia-dev")) {
+    choices.push({ name: "sepolia-dev - Ethereum Sepolia testnet (dev)", value: "sepolia-dev" });
+  }
+  if (availableEnvs.includes("mainnet-alpha")) {
+    choices.push({
+      name: "mainnet-alpha - Ethereum mainnet (\u26A0\uFE0F  uses real funds)",
+      value: "mainnet-alpha"
+    });
+  }
+  if (choices.length === 0) {
+    throw new Error("No environments available in this build");
+  }
+  const env = await select({
+    message: "Select environment:",
+    choices,
+    default: defaultEnv
+  });
+  return env;
+}
 var MAX_DESCRIPTION_LENGTH = 1e3;
 var MAX_IMAGE_SIZE = 4 * 1024 * 1024;
 var VALID_IMAGE_EXTENSIONS = [".jpg", ".jpeg", ".png"];
@@ -957,7 +1125,8 @@ var commonFlags = {
   environment: Flags.string({
     required: false,
     description: "Deployment environment to use",
-    env: "ECLOUD_ENV"
+    env: "ECLOUD_ENV",
+    default: async () => getDefaultEnvironment() || (getBuildType3() === "dev" ? "sepolia-dev" : "sepolia")
   }),
   "private-key": Flags.string({
     required: false,
@@ -975,9 +1144,227 @@ var commonFlags = {
     default: false
   })
 };
+async function validateCommonFlags(flags, options) {
+  flags["environment"] = await getEnvironmentInteractive(flags["environment"]);
+  if (options?.requirePrivateKey !== false) {
+    flags["private-key"] = await getPrivateKeyInteractive(flags["private-key"]);
+  }
+  return flags;
+}
+
+// src/client.ts
+import {
+  createComputeModule,
+  createBillingModule,
+  createBuildModule,
+  getEnvironmentConfig as getEnvironmentConfig2,
+  requirePrivateKey,
+  getPrivateKeyWithSource
+} from "@layr-labs/ecloud-sdk";
+async function createComputeClient(flags) {
+  flags = await validateCommonFlags(flags);
+  const environment = flags.environment;
+  const environmentConfig = getEnvironmentConfig2(environment);
+  const rpcUrl = flags["rpc-url"] || environmentConfig.defaultRPCURL;
+  const { key: privateKey, source } = await requirePrivateKey({
+    privateKey: flags["private-key"]
+  });
+  if (flags.verbose) {
+    console.log(`Using private key from: ${source}`);
+  }
+  return createComputeModule({
+    verbose: flags.verbose,
+    privateKey,
+    rpcUrl,
+    environment,
+    clientId: getClientId(),
+    skipTelemetry: true
+    // CLI already has telemetry, skip SDK telemetry
+  });
+}
+async function createBuildClient(flags) {
+  flags = await validateCommonFlags(flags, { requirePrivateKey: false });
+  return createBuildModule({
+    verbose: flags.verbose,
+    privateKey: flags["private-key"],
+    environment: flags.environment,
+    clientId: getClientId(),
+    skipTelemetry: true
+    // CLI already has telemetry, skip SDK telemetry
+  });
+}
 
 // src/commands/compute/app/deploy.ts
 import chalk from "chalk";
+
+// src/utils/build.ts
+function formatSourceLink(repoUrl, gitRef) {
+  const normalizedRepo = repoUrl.replace(/\.git$/, "");
+  try {
+    const url = new URL(normalizedRepo);
+    const host = url.host.toLowerCase();
+    if (host === "github.com") {
+      const path4 = url.pathname.replace(/\/+$/, "");
+      if (path4.split("/").filter(Boolean).length >= 2) {
+        return `https://github.com${path4}/tree/${gitRef}`;
+      }
+    }
+  } catch {
+  }
+  return `${repoUrl}@${gitRef}`;
+}
+function extractRepoName(repoUrl) {
+  const normalized = repoUrl.replace(/\.git$/, "");
+  const match = normalized.match(/\/([^/]+?)$/);
+  return match?.[1];
+}
+function formatDependencyLines(dependencies) {
+  if (!dependencies || Object.keys(dependencies).length === 0) return [];
+  const lines = [];
+  lines.push("Dependencies (resolved builds):");
+  for (const [digest, dep] of Object.entries(dependencies)) {
+    const name = extractRepoName(dep.repoUrl);
+    const depSource = formatSourceLink(dep.repoUrl, dep.gitRef);
+    lines.push(`  - ${digest} \u2713${name ? ` ${name}` : ""}`);
+    lines.push(`    ${depSource}`);
+  }
+  return lines;
+}
+function formatVerifiableBuildSummary(options) {
+  const lines = [];
+  lines.push("Build completed successfully \u2713");
+  lines.push("");
+  lines.push(`Image:  ${options.imageUrl}`);
+  lines.push(`Digest: ${options.imageDigest}`);
+  lines.push(`Source: ${formatSourceLink(options.repoUrl, options.gitRef)}`);
+  const depLines = formatDependencyLines(options.dependencies);
+  if (depLines.length) {
+    lines.push("");
+    lines.push(...depLines);
+  }
+  lines.push("");
+  lines.push("Provenance signature verified \u2713");
+  lines.push(`provenance_signature: ${options.provenanceSignature}`);
+  if (options.buildId) {
+    lines.push("");
+    lines.push(`Build ID: ${options.buildId}`);
+  }
+  return lines;
+}
+
+// src/utils/verifiableBuild.ts
+import { BUILD_STATUS } from "@layr-labs/ecloud-sdk";
+function assertCommitSha40(commit) {
+  if (!/^[0-9a-f]{40}$/i.test(commit)) {
+    throw new Error("Commit must be a 40-character hexadecimal SHA");
+  }
+}
+async function runVerifiableBuildAndVerify(client, request, options = {}) {
+  const { buildId } = await client.submit(request);
+  const completed = await client.waitForBuild(buildId, { onLog: options.onLog });
+  if (completed.status !== BUILD_STATUS.SUCCESS) {
+    throw new Error(`Build did not complete successfully (status: ${completed.status})`);
+  }
+  const [build, verify] = await Promise.all([client.get(buildId), client.verify(buildId)]);
+  if (verify.status !== "verified") {
+    throw new Error(`Provenance verification failed: ${verify.error}`);
+  }
+  return { build, verified: verify };
+}
+
+// src/utils/dockerhub.ts
+var DOCKERHUB_OWNER = "eigenlayer";
+var DOCKERHUB_REPO = "eigencloud-containers";
+function parseEigencloudContainersImageRef(imageRef) {
+  const trimmed = imageRef.trim();
+  const match = /^docker\.io\/([^/]+)\/([^:@]+):([^@\s]+)$/i.exec(trimmed);
+  if (!match) {
+    throw new Error("Image ref must match docker.io/eigenlayer/eigencloud-containers:<tag>");
+  }
+  const owner = match[1].toLowerCase();
+  const repo = match[2].toLowerCase();
+  const tag = match[3];
+  if (owner !== DOCKERHUB_OWNER || repo !== DOCKERHUB_REPO) {
+    throw new Error(`Image ref must be from docker.io/${DOCKERHUB_OWNER}/${DOCKERHUB_REPO}:<tag>`);
+  }
+  if (!tag.trim()) {
+    throw new Error("Image tag cannot be empty");
+  }
+  return { owner, repo, tag };
+}
+function assertEigencloudContainersImageRef(imageRef) {
+  parseEigencloudContainersImageRef(imageRef);
+}
+async function getDockerHubToken(owner, repo) {
+  const url = new URL("https://auth.docker.io/token");
+  url.searchParams.set("service", "registry.docker.io");
+  url.searchParams.set("scope", `repository:${owner}/${repo}:pull`);
+  const res = await fetch(url.toString(), { method: "GET" });
+  if (!res.ok) {
+    const body = await safeReadText(res);
+    throw new Error(`Failed to fetch Docker Hub token (${res.status}): ${body || res.statusText}`);
+  }
+  const data = await res.json();
+  if (!data.token) {
+    throw new Error("Docker Hub token response missing 'token'");
+  }
+  return data.token;
+}
+async function safeReadText(res) {
+  try {
+    return (await res.text()).trim();
+  } catch {
+    return "";
+  }
+}
+async function resolveDockerHubImageDigest(imageRef) {
+  const { owner, repo, tag } = parseEigencloudContainersImageRef(imageRef);
+  const token = await getDockerHubToken(owner, repo);
+  const manifestUrl = `https://registry-1.docker.io/v2/${owner}/${repo}/manifests/${encodeURIComponent(tag)}`;
+  const headers = {
+    Authorization: `Bearer ${token}`,
+    Accept: "application/vnd.docker.distribution.manifest.v2+json"
+  };
+  let res = await fetch(manifestUrl, { method: "HEAD", headers });
+  if (!res.ok) {
+    res = await fetch(manifestUrl, { method: "GET", headers });
+  }
+  if (!res.ok) {
+    const body = await safeReadText(res);
+    throw new Error(
+      `Failed to resolve digest for ${imageRef} (${res.status}) at ${manifestUrl}: ${body || res.statusText}`
+    );
+  }
+  const digest = res.headers.get("docker-content-digest") || res.headers.get("Docker-Content-Digest");
+  if (!digest) {
+    throw new Error(
+      `Docker registry response missing Docker-Content-Digest header for ${imageRef}`
+    );
+  }
+  if (!/^sha256:[0-9a-f]{64}$/i.test(digest)) {
+    throw new Error(`Unexpected digest format from Docker registry: ${digest}`);
+  }
+  return digest;
+}
+
+// src/utils/tls.ts
+import fs4 from "fs";
+function isTlsEnabledFromDomain(domain) {
+  const d = (domain ?? "").trim();
+  if (!d) return false;
+  if (d.toLowerCase() === "localhost") return false;
+  return true;
+}
+function isTlsEnabledFromEnvFile(envFilePath) {
+  if (!envFilePath) return false;
+  if (!fs4.existsSync(envFilePath)) return false;
+  const envContent = fs4.readFileSync(envFilePath, "utf-8");
+  const match = envContent.match(/^DOMAIN=(.+)$/m);
+  if (!match?.[1]) return false;
+  return isTlsEnabledFromDomain(match[1]);
+}
+
+// src/commands/compute/app/deploy.ts
 var AppDeploy = class _AppDeploy extends Command {
   static description = "Deploy new app";
   static flags = {
@@ -1040,26 +1427,184 @@ var AppDeploy = class _AppDeploy extends Command {
     image: Flags2.string({
       required: false,
       description: "Path to app icon/logo image - JPG/PNG, max 4MB, square recommended (optional)"
+    }),
+    // Verifiable build flags
+    verifiable: Flags2.boolean({
+      description: "Enable verifiable build mode (either build from git source via --repo/--commit, or deploy a prebuilt verifiable image via --image-ref)",
+      default: false
+    }),
+    repo: Flags2.string({
+      description: "Git repository URL (required with --verifiable git source mode)",
+      env: "ECLOUD_BUILD_REPO"
+    }),
+    commit: Flags2.string({
+      description: "Git commit SHA (required with --verifiable git source mode)",
+      env: "ECLOUD_BUILD_COMMIT"
+    }),
+    "build-dockerfile": Flags2.string({
+      description: "Dockerfile path for verifiable build (git source mode)",
+      default: "Dockerfile",
+      env: "ECLOUD_BUILD_DOCKERFILE"
+    }),
+    "build-context": Flags2.string({
+      description: "Build context path for verifiable build (git source mode)",
+      default: ".",
+      env: "ECLOUD_BUILD_CONTEXT"
+    }),
+    "build-dependencies": Flags2.string({
+      description: "Dependency digests for verifiable build (git source mode) (sha256:...)",
+      multiple: true
     })
   };
   async run() {
     return withTelemetry(this, async () => {
       const { flags } = await this.parse(_AppDeploy);
-      const logger = {
-        info: (msg) => this.log(msg),
-        warn: (msg) => this.warn(msg),
-        error: (msg) => this.error(msg),
-        debug: (msg) => flags.verbose && this.log(msg)
-      };
-      const environment = flags.environment || "sepolia";
-      const environmentConfig = getEnvironmentConfig2(environment);
+      const compute = await createComputeClient(flags);
+      const environment = flags.environment;
+      const environmentConfig = getEnvironmentConfig3(environment);
       const rpcUrl = flags["rpc-url"] || environmentConfig.defaultRPCURL;
-      const privateKey = await getPrivateKeyInteractive(flags["private-key"]);
-      const dockerfilePath = await getDockerfileInteractive(flags.dockerfile);
+      const privateKey = flags["private-key"];
+      let buildClient;
+      const getBuildClient = async () => {
+        if (buildClient) return buildClient;
+        buildClient = await createBuildClient({
+          ...flags,
+          "private-key": privateKey
+        });
+        return buildClient;
+      };
+      let verifiableImageUrl;
+      let verifiableImageDigest;
+      let suggestedAppBaseName;
+      let skipDefaultAppName = false;
+      let verifiableMode = "none";
+      let envFilePath;
+      const suggestAppBaseNameFromRepoUrl = (repoUrl) => {
+        const normalized = String(repoUrl || "").trim().replace(/\.git$/i, "").replace(/\/+$/, "");
+        if (!normalized) return void 0;
+        const lastSlash = normalized.lastIndexOf("/");
+        const lastColon = normalized.lastIndexOf(":");
+        const idx = Math.max(lastSlash, lastColon);
+        const raw = (idx >= 0 ? normalized.slice(idx + 1) : normalized).trim();
+        if (!raw) return void 0;
+        const cleaned = raw.toLowerCase().replace(/_/g, "-").replace(/[^a-z0-9-]/g, "-").replace(/-+/g, "-").replace(/^-+|-+$/g, "");
+        return cleaned || void 0;
+      };
+      if (flags.verifiable) {
+        if (flags.repo || flags.commit) {
+          verifiableMode = "git";
+          if (!flags.repo)
+            this.error("--repo is required when using --verifiable (git source mode)");
+          if (!flags.commit)
+            this.error("--commit is required when using --verifiable (git source mode)");
+          try {
+            assertCommitSha40(flags.commit);
+          } catch (e) {
+            this.error(e?.message || String(e));
+          }
+        } else if (flags["image-ref"]) {
+          verifiableMode = "prebuilt";
+          try {
+            assertEigencloudContainersImageRef(flags["image-ref"]);
+          } catch (e) {
+            this.error(e?.message || String(e));
+          }
+        } else {
+          this.error(
+            "When using --verifiable, you must provide either --repo/--commit or --image-ref"
+          );
+        }
+      } else {
+        if (!flags.dockerfile) {
+          const useVerifiable = await promptUseVerifiableBuild();
+          if (useVerifiable) {
+            const sourceType = await promptVerifiableSourceType();
+            verifiableMode = sourceType;
+          }
+        }
+      }
+      if (verifiableMode === "git") {
+        const inputs = flags.verifiable ? {
+          repoUrl: flags.repo,
+          gitRef: flags.commit,
+          dockerfilePath: flags["build-dockerfile"],
+          caddyfilePath: void 0,
+          buildContextPath: flags["build-context"],
+          dependencies: flags["build-dependencies"]
+        } : await promptVerifiableGitSourceInputs();
+        envFilePath = await getEnvFileInteractive(flags["env-file"]);
+        const includeTlsCaddyfile = isTlsEnabledFromEnvFile(envFilePath);
+        if (includeTlsCaddyfile && !inputs.caddyfilePath) {
+          inputs.caddyfilePath = "Caddyfile";
+        }
+        this.log(chalk.blue("Building from source with verifiable build..."));
+        this.log("");
+        const buildClient2 = await getBuildClient();
+        const { build, verified } = await runVerifiableBuildAndVerify(buildClient2, inputs, {
+          onLog: (chunk) => process.stdout.write(chunk)
+        });
+        if (!build.imageUrl || !build.imageDigest) {
+          this.error(
+            "Build completed but did not return imageUrl/imageDigest; cannot deploy verifiable build"
+          );
+        }
+        verifiableImageUrl = build.imageUrl;
+        verifiableImageDigest = build.imageDigest;
+        suggestedAppBaseName = suggestAppBaseNameFromRepoUrl(build.repoUrl);
+        for (const line of formatVerifiableBuildSummary({
+          buildId: build.buildId,
+          imageUrl: build.imageUrl,
+          imageDigest: build.imageDigest,
+          repoUrl: build.repoUrl,
+          gitRef: build.gitRef,
+          dependencies: build.dependencies,
+          provenanceSignature: verified.provenanceSignature
+        })) {
+          this.log(line);
+        }
+      }
+      if (verifiableMode === "prebuilt") {
+        const imageRef2 = flags.verifiable ? flags["image-ref"] : await promptVerifiablePrebuiltImageRef();
+        try {
+          assertEigencloudContainersImageRef(imageRef2);
+        } catch (e) {
+          this.error(e?.message || String(e));
+        }
+        this.log(chalk.blue("Resolving and verifying prebuilt verifiable image..."));
+        this.log("");
+        const digest = await resolveDockerHubImageDigest(imageRef2);
+        const buildClient2 = await getBuildClient();
+        const verify = await buildClient2.verify(digest);
+        if (verify.status !== "verified") {
+          this.error(`Provenance verification failed: ${verify.error}`);
+        }
+        verifiableImageUrl = imageRef2;
+        verifiableImageDigest = digest;
+        skipDefaultAppName = true;
+        for (const line of formatVerifiableBuildSummary({
+          buildId: verify.buildId,
+          imageUrl: imageRef2,
+          imageDigest: digest,
+          repoUrl: verify.repoUrl,
+          gitRef: verify.gitRef,
+          dependencies: void 0,
+          provenanceSignature: verify.provenanceSignature
+        })) {
+          this.log(line);
+        }
+      }
+      const isVerifiable = verifiableMode !== "none";
+      const dockerfilePath = isVerifiable ? "" : await getDockerfileInteractive(flags.dockerfile);
       const buildFromDockerfile = dockerfilePath !== "";
-      const imageRef = await getImageReferenceInteractive(flags["image-ref"], buildFromDockerfile);
-      const appName = await getOrPromptAppName(flags.name, environment, imageRef);
-      const envFilePath = await getEnvFileInteractive(flags["env-file"]);
+      const imageRef = verifiableImageUrl ? verifiableImageUrl : await getImageReferenceInteractive(flags["image-ref"], buildFromDockerfile);
+      const appName = await getOrPromptAppName(
+        flags.name,
+        environment,
+        imageRef,
+        suggestedAppBaseName,
+        skipDefaultAppName
+      );
+      envFilePath = envFilePath ?? await getEnvFileInteractive(flags["env-file"]);
       const availableTypes = await fetchAvailableInstanceTypes(
         environmentConfig,
         privateKey,
@@ -1078,22 +1623,23 @@ var AppDeploy = class _AppDeploy extends Command {
         flags["resource-usage-monitoring"]
       );
       const logVisibility = logSettings.publicLogs ? "public" : logSettings.logRedirect ? "private" : "off";
-      const { prepared, gasEstimate } = await prepareDeploy(
-        {
-          privateKey,
-          rpcUrl,
-          environment,
-          dockerfilePath,
-          imageRef,
-          envFilePath,
-          appName,
-          instanceType,
-          logVisibility,
-          resourceUsageMonitoring,
-          skipTelemetry: true
-        },
-        logger
-      );
+      const { prepared, gasEstimate } = isVerifiable ? await compute.app.prepareDeployFromVerifiableBuild({
+        name: appName,
+        imageRef,
+        imageDigest: verifiableImageDigest,
+        envFile: envFilePath,
+        instanceType,
+        logVisibility,
+        resourceUsageMonitoring
+      }) : await compute.app.prepareDeploy({
+        name: appName,
+        dockerfile: dockerfilePath,
+        imageRef,
+        envFile: envFilePath,
+        instanceType,
+        logVisibility,
+        resourceUsageMonitoring
+      });
       this.log(`
 Estimated transaction cost: ${chalk.cyan(gasEstimate.maxCostEth)} ETH`);
       if (isMainnet(environmentConfig)) {
@@ -1104,16 +1650,10 @@ ${chalk.gray(`Deployment cancelled`)}`);
           return;
         }
       }
-      const res = await executeDeploy(
-        prepared,
-        {
-          maxFeePerGas: gasEstimate.maxFeePerGas,
-          maxPriorityFeePerGas: gasEstimate.maxPriorityFeePerGas
-        },
-        logger,
-        true
-        // skipTelemetry
-      );
+      const res = await compute.app.executeDeploy(prepared, {
+        maxFeePerGas: gasEstimate.maxFeePerGas,
+        maxPriorityFeePerGas: gasEstimate.maxPriorityFeePerGas
+      });
       if (!flags["skip-profile"]) {
         const hasProfileFlags = flags.website || flags.description || flags["x-url"] || flags.image;
         let profile = null;
@@ -1132,47 +1672,35 @@ ${chalk.gray(`Deployment cancelled`)}`);
           try {
             profile = await getAppProfileInteractive(appName, true) || null;
           } catch {
-            logger.debug("Profile collection skipped or cancelled");
+            if (flags.verbose) {
+              this.log("Profile collection skipped or cancelled");
+            }
           }
         }
         if (profile) {
-          logger.info("Uploading app profile...");
+          this.log("Uploading app profile...");
           try {
-            const userApiClient = new UserApiClient3(
-              environmentConfig,
-              privateKey,
-              rpcUrl,
-              getClientId()
-            );
-            await userApiClient.uploadAppProfile(
-              res.appId,
-              profile.name,
-              profile.website,
-              profile.description,
-              profile.xURL,
-              profile.imagePath
-            );
-            logger.info("\u2713 Profile uploaded successfully");
+            await compute.app.setProfile(res.appId, profile);
+            this.log("\u2713 Profile uploaded successfully");
             try {
               invalidateProfileCache(environment);
             } catch (cacheErr) {
-              logger.debug(`Failed to invalidate profile cache: ${cacheErr.message}`);
+              if (flags.verbose) {
+                this.log(`Failed to invalidate profile cache: ${cacheErr.message}`);
+              }
             }
           } catch (uploadErr) {
-            logger.warn(`Failed to upload profile: ${uploadErr.message}`);
+            this.warn(`Failed to upload profile: ${uploadErr.message}`);
           }
         }
       }
-      const ipAddress = await watchDeployment(
-        res.appId,
-        privateKey,
-        rpcUrl,
-        environment,
-        logger,
-        getClientId(),
-        true
-        // skipTelemetry - CLI already has telemetry
-      );
+      const ipAddress = await compute.app.watchDeployment(res.appId);
+      try {
+        const cwd = process.env.INIT_CWD || process.cwd();
+        setLinkedAppForDirectory(environment, cwd, res.appId);
+      } catch (err) {
+        this.debug(`Failed to link directory to app: ${err.message}`);
+      }
       this.log(
         `
 \u2705 ${chalk.green(`App deployed successfully ${chalk.bold(`(id: ${res.appId}, ip: ${ipAddress})`)}`)}`