@layr-labs/ecloud-sdk 0.2.0-dev.2 → 0.2.0

package/dist/index.cjs

@@ -30,10 +30,20 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
+  AuthRequiredError: () => AuthRequiredError,
+  BUILD_STATUS: () => BUILD_STATUS,
+  BadRequestError: () => BadRequestError,
+  BuildError: () => BuildError,
+  BuildFailedError: () => BuildFailedError,
+  ConflictError: () => ConflictError,
+  ForbiddenError: () => ForbiddenError,
   NoopClient: () => NoopClient,
+  NotFoundError: () => NotFoundError,
   PRIMARY_LANGUAGES: () => PRIMARY_LANGUAGES,
   PostHogClient: () => PostHogClient,
+  TimeoutError: () => TimeoutError,
   UserApiClient: () => UserApiClient,
+  addHexPrefix: () => addHexPrefix,
   addMetric: () => addMetric,
   addMetricWithDimensions: () => addMetricWithDimensions,
   assertValidFilePath: () => assertValidFilePath,
@@ -43,6 +53,7 @@ __export(index_exports, {
   createApp: () => createApp,
   createAppEnvironment: () => createAppEnvironment,
   createBillingModule: () => createBillingModule,
+  createBuildModule: () => createBuildModule,
   createComputeModule: () => createComputeModule,
   createECloudClient: () => createECloudClient,
   createMetricsContext: () => createMetricsContext,
@@ -86,12 +97,15 @@ __export(index_exports, {
   listStoredKeys: () => listStoredKeys,
   logs: () => logs,
   prepareDeploy: () => prepareDeploy,
+  prepareDeployFromVerifiableBuild: () => prepareDeployFromVerifiableBuild,
   prepareUpgrade: () => prepareUpgrade,
+  prepareUpgradeFromVerifiableBuild: () => prepareUpgradeFromVerifiableBuild,
   requirePrivateKey: () => requirePrivateKey,
   sanitizeString: () => sanitizeString,
   sanitizeURL: () => sanitizeURL,
   sanitizeXURL: () => sanitizeXURL,
   storePrivateKey: () => storePrivateKey,
+  stripHexPrefix: () => stripHexPrefix,
   validateAppID: () => validateAppID,
   validateAppName: () => validateAppName,
   validateCreateAppParams: () => validateCreateAppParams,
@@ -117,6 +131,7 @@ module.exports = __toCommonJS(index_exports);
 
 // src/client/modules/compute/app/index.ts
 var import_viem9 = require("viem");
+var import_accounts5 = require("viem/accounts");
 
 // src/client/common/config/environment.ts
 var SEPOLIA_CHAIN_ID = 11155111;
@@ -206,7 +221,7 @@ function getBillingEnvironmentConfig(build) {
   return config;
 }
 function getBuildType() {
-  const buildTimeType = true ? "dev"?.toLowerCase() : void 0;
+  const buildTimeType = true ? "prod"?.toLowerCase() : void 0;
   const runtimeType = process.env.BUILD_TYPE?.toLowerCase();
   const buildType = buildTimeType || runtimeType;
   if (buildType === "dev") {
@@ -257,6 +272,7 @@ async function buildDockerImage(buildContext, dockerfilePath, tag, logger) {
     tag,
     "-f",
     dockerfilePath,
+    "--load",
     "--progress=plain",
     buildContext
   ];
@@ -382,7 +398,7 @@ async function pullDockerImage(docker, imageTag, platform2 = "linux/amd64", logg
 var child_process2 = __toESM(require("child_process"), 1);
 var import_child_process = require("child_process");
 var import_util2 = require("util");
-var execAsync = (0, import_util2.promisify)(import_child_process.exec);
+var execFileAsync = (0, import_util2.promisify)(import_child_process.execFile);
 async function pushDockerImage(docker, imageRef, logger) {
   logger?.info?.(`Pushing image ${imageRef}...`);
   return new Promise((resolve2, reject) => {
@@ -423,9 +439,9 @@ async function pushDockerImage(docker, imageRef, logger) {
       if (!output.includes("digest:") && !output.includes("pushed") && !output.includes("Pushed")) {
         logger?.debug?.("No clear success indicator in push output, verifying...");
       }
-      logger?.info?.("Image push completed successfully");
       try {
         await verifyImageExists(imageRef, logger);
+        logger?.info?.("Image push completed successfully");
         resolve2();
       } catch (error) {
         reject(error);
@@ -449,7 +465,7 @@ async function verifyImageExists(imageRef, logger) {
   let retries = 5;
   while (retries > 0) {
     try {
-      await execAsync(`docker manifest inspect ${imageRef}`, {
+      await execFileAsync("docker", ["manifest", "inspect", imageRef], {
         maxBuffer: 10 * 1024 * 1024,
         timeout: 1e4
         // 10 second timeout
@@ -923,10 +939,10 @@ async function setupLayeredBuildDirectory(environmentConfig, layeredDockerfileCo
 // src/client/common/registry/digest.ts
 var child_process3 = __toESM(require("child_process"), 1);
 var import_util3 = require("util");
-var execFileAsync = (0, import_util3.promisify)(child_process3.execFile);
+var execFileAsync2 = (0, import_util3.promisify)(child_process3.execFile);
 async function getImageDigestAndName(imageRef) {
   try {
-    const { stdout } = await execFileAsync(
+    const { stdout } = await execFileAsync2(
       "docker",
       ["manifest", "inspect", imageRef],
       { maxBuffer: 10 * 1024 * 1024 }
@@ -966,7 +982,7 @@ function extractDigestFromMultiPlatform(manifest, imageRef) {
 }
 async function extractDigestFromSinglePlatform(manifest, imageRef) {
   try {
-    const { stdout } = await execFileAsync("docker", ["inspect", imageRef], {
+    const { stdout } = await execFileAsync2("docker", ["inspect", imageRef], {
       maxBuffer: 10 * 1024 * 1024
     });
     const inspectData = JSON.parse(stdout);
@@ -1264,6 +1280,67 @@ Please verify the image exists: docker manifest inspect ${finalImageRef}`
   };
 }
 
+// src/client/common/release/prebuilt.ts
+async function createReleaseFromImageDigest(options, logger) {
+  const { imageRef, imageDigest, envFilePath, instanceType, environmentConfig, appId } = options;
+  if (!/^sha256:[0-9a-f]{64}$/i.test(imageDigest)) {
+    throw new Error(`imageDigest must be in format sha256:<64 hex>, got: ${imageDigest}`);
+  }
+  let publicEnv = {};
+  let privateEnv = {};
+  if (envFilePath) {
+    logger.info("Parsing environment file...");
+    const parsed = parseAndValidateEnvFile(envFilePath);
+    publicEnv = parsed.public;
+    privateEnv = parsed.private;
+  } else {
+    logger.info("Continuing without environment file");
+  }
+  publicEnv["EIGEN_MACHINE_TYPE_PUBLIC"] = instanceType;
+  logger.info(`Instance type: ${instanceType}`);
+  logger.info("Encrypting environment variables...");
+  const { encryptionKey } = getKMSKeysForEnvironment(
+    environmentConfig.name,
+    environmentConfig.build
+  );
+  const protectedHeaders = getAppProtectedHeaders(appId);
+  const privateEnvBytes = Buffer.from(JSON.stringify(privateEnv));
+  const encryptedEnvStr = await encryptRSAOAEPAndAES256GCM(
+    encryptionKey,
+    privateEnvBytes,
+    protectedHeaders
+  );
+  const digestHex = imageDigest.split(":")[1];
+  const digestBytes = new Uint8Array(Buffer.from(digestHex, "hex"));
+  if (digestBytes.length !== 32) {
+    throw new Error(`Digest must be exactly 32 bytes, got ${digestBytes.length}`);
+  }
+  const registry = extractRegistryNameNoDocker(imageRef);
+  return {
+    rmsRelease: {
+      artifacts: [{ digest: digestBytes, registry }],
+      upgradeByTime: Math.floor(Date.now() / 1e3) + 3600
+    },
+    publicEnv: new Uint8Array(Buffer.from(JSON.stringify(publicEnv))),
+    encryptedEnv: new Uint8Array(Buffer.from(encryptedEnvStr))
+  };
+}
+function extractRegistryNameNoDocker(imageRef) {
+  let name = imageRef;
+  const tagIndex = name.lastIndexOf(":");
+  if (tagIndex !== -1 && !name.substring(tagIndex + 1).includes("/")) {
+    name = name.substring(0, tagIndex);
+  }
+  const digestIndex = name.indexOf("@");
+  if (digestIndex !== -1) {
+    name = name.substring(0, digestIndex);
+  }
+  if ([...name].filter((c) => c === "/").length === 1) {
+    name = `docker.io/${name}`;
+  }
+  return name;
+}
+
 // src/client/common/contract/caller.ts
 var import_accounts2 = require("viem/accounts");
 
@@ -2300,27 +2377,55 @@ var ERC7702Delegator_default = [
 ];
 
 // src/client/common/contract/eip7702.ts
+var EXECUTE_BATCH_MODE = "0x0100000000000000000000000000000000000000000000000000000000000000";
+var GAS_LIMIT_BUFFER_PERCENTAGE = 20n;
+var GAS_PRICE_BUFFER_PERCENTAGE = 100n;
+function encodeExecuteBatchData(executions) {
+  const encodedExecutions = (0, import_viem.encodeAbiParameters)(
+    [
+      {
+        type: "tuple[]",
+        components: [
+          { name: "target", type: "address" },
+          { name: "value", type: "uint256" },
+          { name: "callData", type: "bytes" }
+        ]
+      }
+    ],
+    [executions]
+  );
+  return (0, import_viem.encodeFunctionData)({
+    abi: ERC7702Delegator_default,
+    functionName: "execute",
+    args: [EXECUTE_BATCH_MODE, encodedExecutions]
+  });
+}
 async function estimateBatchGas(options) {
-  const { publicClient, executions } = options;
-  const fees = await publicClient.estimateFeesPerGas();
-  const baseGas = 100000n;
-  const perExecutionGas = 50000n;
-  const estimatedGas = baseGas + BigInt(executions.length) * perExecutionGas;
-  const gasLimit = estimatedGas * 120n / 100n;
-  const maxFeePerGas = fees.maxFeePerGas;
-  const maxPriorityFeePerGas = fees.maxPriorityFeePerGas;
+  const { publicClient, account, executions } = options;
+  const executeBatchData = encodeExecuteBatchData(executions);
+  const [gasTipCap, block, estimatedGas] = await Promise.all([
+    publicClient.estimateMaxPriorityFeePerGas(),
+    publicClient.getBlock(),
+    publicClient.estimateGas({
+      account,
+      to: account,
+      data: executeBatchData
+    })
+  ]);
+  const baseFee = block.baseFeePerGas ?? 0n;
+  const maxFeePerGas = (baseFee + gasTipCap) * (100n + GAS_PRICE_BUFFER_PERCENTAGE) / 100n;
+  const gasLimit = estimatedGas * (100n + GAS_LIMIT_BUFFER_PERCENTAGE) / 100n;
   const maxCostWei = gasLimit * maxFeePerGas;
-  const maxCostEth = formatETH(maxCostWei);
   return {
     gasLimit,
     maxFeePerGas,
-    maxPriorityFeePerGas,
+    maxPriorityFeePerGas: gasTipCap,
     maxCostWei,
-    maxCostEth
+    maxCostEth: formatETH(maxCostWei)
   };
 }
 async function checkERC7702Delegation(publicClient, account, delegatorAddress) {
-  const code = await publicClient.getBytecode({ address: account });
+  const code = await publicClient.getCode({ address: account });
   if (!code) {
     return false;
   }
@@ -2337,36 +2442,7 @@ async function executeBatch(options, logger) {
   if (!chain) {
     throw new Error("Wallet client must have a chain");
   }
-  const encodedExecutions = (0, import_viem.encodeAbiParameters)(
-    [
-      {
-        type: "tuple[]",
-        components: [
-          { name: "target", type: "address" },
-          { name: "value", type: "uint256" },
-          { name: "callData", type: "bytes" }
-        ]
-      }
-    ],
-    [executions]
-  );
-  const executeBatchMode = "0x0100000000000000000000000000000000000000000000000000000000000000";
-  let executeBatchData;
-  try {
-    executeBatchData = (0, import_viem.encodeFunctionData)({
-      abi: ERC7702Delegator_default,
-      functionName: "execute",
-      args: [executeBatchMode, encodedExecutions]
-    });
-  } catch {
-    const functionSignature = "execute(bytes32,bytes)";
-    const selector = (0, import_viem.keccak256)((0, import_viem.toBytes)(functionSignature)).slice(0, 10);
-    const encodedParams = (0, import_viem.encodeAbiParameters)(
-      [{ type: "bytes32" }, { type: "bytes" }],
-      [executeBatchMode, encodedExecutions]
-    );
-    executeBatchData = (0, import_viem.concat)([selector, encodedParams]);
-  }
+  const executeBatchData = encodeExecuteBatchData(executions);
   const isDelegated2 = await checkERC7702Delegation(
     publicClient,
     account.address,
@@ -2520,12 +2596,23 @@ function stripHexPrefix(value) {
 }
 
 // src/client/common/utils/userapi.ts
+function isJsonObject(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function readString(obj, key) {
+  const v = obj[key];
+  return typeof v === "string" ? v : void 0;
+}
+function readNumber(obj, key) {
+  const v = obj[key];
+  return typeof v === "number" && Number.isFinite(v) ? v : void 0;
+}
 var MAX_ADDRESS_COUNT = 5;
 var CanViewAppLogsPermission = "0x2fd3f2fe";
 var CanViewSensitiveAppInfoPermission = "0x0e67b22f";
 var CanUpdateAppProfilePermission = "0x036fef61";
 function getDefaultClientId() {
-  const version = true ? "0.2.0-dev.2" : "0.0.0";
+  const version = true ? "0.2.0" : "0.0.0";
   return `ecloud-sdk/v${version}`;
 }
 var UserApiClient = class {
@@ -2559,6 +2646,31 @@ var UserApiClient = class {
       };
     });
   }
+  /**
+   * Get app details from UserAPI (includes releases and build/provenance info when available).
+   *
+   * Endpoint: GET /apps/:appAddress
+   */
+  async getApp(appAddress) {
+    const endpoint = `${this.config.userApiServerURL}/apps/${appAddress}`;
+    const res = await this.makeAuthenticatedRequest(endpoint);
+    const raw = await res.json();
+    if (!isJsonObject(raw)) {
+      throw new Error("Unexpected /apps/:id response: expected object");
+    }
+    const id = readString(raw, "id");
+    if (!id) {
+      throw new Error("Unexpected /apps/:id response: missing 'id'");
+    }
+    const releasesRaw = raw.releases;
+    const releases = Array.isArray(releasesRaw) ? releasesRaw.map((r) => transformAppRelease(r)).filter((r) => !!r) : [];
+    return {
+      id,
+      creator: readString(raw, "creator"),
+      contractStatus: readString(raw, "contract_status") ?? readString(raw, "contractStatus"),
+      releases
+    };
+  }
   /**
    * Get available SKUs (instance types) from UserAPI
    */
@@ -2731,6 +2843,48 @@ Please check:
     };
   }
 };
+function transformAppReleaseBuild(raw) {
+  if (!isJsonObject(raw)) return void 0;
+  const depsRaw = raw.dependencies;
+  const deps = isJsonObject(depsRaw) ? Object.fromEntries(
+    Object.entries(depsRaw).flatMap(([digest, depRaw]) => {
+      const parsed = transformAppReleaseBuild(depRaw);
+      return parsed ? [[digest, parsed]] : [];
+    })
+  ) : void 0;
+  return {
+    buildId: readString(raw, "build_id") ?? readString(raw, "buildId"),
+    billingAddress: readString(raw, "billing_address") ?? readString(raw, "billingAddress"),
+    repoUrl: readString(raw, "repo_url") ?? readString(raw, "repoUrl"),
+    gitRef: readString(raw, "git_ref") ?? readString(raw, "gitRef"),
+    status: readString(raw, "status"),
+    buildType: readString(raw, "build_type") ?? readString(raw, "buildType"),
+    imageName: readString(raw, "image_name") ?? readString(raw, "imageName"),
+    imageDigest: readString(raw, "image_digest") ?? readString(raw, "imageDigest"),
+    imageUrl: readString(raw, "image_url") ?? readString(raw, "imageUrl"),
+    provenanceJson: raw.provenance_json ?? raw.provenanceJson,
+    provenanceSignature: readString(raw, "provenance_signature") ?? readString(raw, "provenanceSignature"),
+    createdAt: readString(raw, "created_at") ?? readString(raw, "createdAt"),
+    updatedAt: readString(raw, "updated_at") ?? readString(raw, "updatedAt"),
+    errorMessage: readString(raw, "error_message") ?? readString(raw, "errorMessage"),
+    dependencies: deps
+  };
+}
+function transformAppRelease(raw) {
+  if (!isJsonObject(raw)) return void 0;
+  return {
+    appId: readString(raw, "appId") ?? readString(raw, "app_id"),
+    rmsReleaseId: readString(raw, "rmsReleaseId") ?? readString(raw, "rms_release_id"),
+    imageDigest: readString(raw, "imageDigest") ?? readString(raw, "image_digest"),
+    registryUrl: readString(raw, "registryUrl") ?? readString(raw, "registry_url"),
+    publicEnv: readString(raw, "publicEnv") ?? readString(raw, "public_env"),
+    encryptedEnv: readString(raw, "encryptedEnv") ?? readString(raw, "encrypted_env"),
+    upgradeByTime: readNumber(raw, "upgradeByTime") ?? readNumber(raw, "upgrade_by_time"),
+    createdAt: readString(raw, "createdAt") ?? readString(raw, "created_at"),
+    createdAtBlock: readString(raw, "createdAtBlock") ?? readString(raw, "created_at_block"),
+    build: raw.build ? transformAppReleaseBuild(raw.build) : void 0
+  };
+}
 
 // src/client/common/utils/billing.ts
 function isSubscriptionActive(status) {
@@ -4423,20 +4577,20 @@ async function prepareDeployBatch(options, logger) {
     environmentConfig
   };
 }
-async function executeDeployBatch(prepared, gas, logger) {
+async function executeDeployBatch(data, context, gas, logger) {
   const pendingMessage = "Deploying new app...";
   const txHash = await executeBatch(
     {
-      walletClient: prepared.walletClient,
-      publicClient: prepared.publicClient,
-      environmentConfig: prepared.environmentConfig,
-      executions: prepared.executions,
+      walletClient: context.walletClient,
+      publicClient: context.publicClient,
+      environmentConfig: context.environmentConfig,
+      executions: data.executions,
       pendingMessage,
       gas
     },
     logger
   );
-  return { appId: prepared.appId, txHash };
+  return { appId: data.appId, txHash };
 }
 async function deployApp(options, logger) {
   const prepared = await prepareDeployBatch(
@@ -4450,7 +4604,17 @@ async function deployApp(options, logger) {
     },
     logger
   );
-  return executeDeployBatch(prepared, options.gas, logger);
+  const data = {
+    appId: prepared.appId,
+    salt: prepared.salt,
+    executions: prepared.executions
+  };
+  const context = {
+    walletClient: prepared.walletClient,
+    publicClient: prepared.publicClient,
+    environmentConfig: prepared.environmentConfig
+  };
+  return executeDeployBatch(data, context, options.gas, logger);
 }
 async function prepareUpgradeBatch(options) {
   const {
@@ -4546,14 +4710,14 @@ async function prepareUpgradeBatch(options) {
     environmentConfig
   };
 }
-async function executeUpgradeBatch(prepared, gas, logger) {
-  const pendingMessage = `Upgrading app ${prepared.appId}...`;
+async function executeUpgradeBatch(data, context, gas, logger) {
+  const pendingMessage = `Upgrading app ${data.appId}...`;
   const txHash = await executeBatch(
     {
-      walletClient: prepared.walletClient,
-      publicClient: prepared.publicClient,
-      environmentConfig: prepared.environmentConfig,
-      executions: prepared.executions,
+      walletClient: context.walletClient,
+      publicClient: context.publicClient,
+      environmentConfig: context.environmentConfig,
+      executions: data.executions,
       pendingMessage,
       gas
     },
@@ -4571,7 +4735,16 @@ async function upgradeApp(options, logger) {
     publicLogs: options.publicLogs,
     needsPermissionChange: options.needsPermissionChange
   });
-  return executeUpgradeBatch(prepared, options.gas, logger);
+  const data = {
+    appId: prepared.appId,
+    executions: prepared.executions
+  };
+  const context = {
+    walletClient: prepared.walletClient,
+    publicClient: prepared.publicClient,
+    environmentConfig: prepared.environmentConfig
+  };
+  return executeUpgradeBatch(data, context, options.gas, logger);
 }
 async function sendAndWaitForTransaction(options, logger) {
   const {
@@ -5533,6 +5706,97 @@ async function withSDKTelemetry(options, action) {
 }
 
 // src/client/modules/compute/app/deploy.ts
+async function prepareDeployFromVerifiableBuild(options, logger = defaultLogger) {
+  return withSDKTelemetry(
+    {
+      functionName: "prepareDeployFromVerifiableBuild",
+      skipTelemetry: options.skipTelemetry,
+      properties: {
+        environment: options.environment || "sepolia"
+      }
+    },
+    async () => {
+      if (!options.privateKey) throw new Error("privateKey is required for deployment");
+      if (!options.imageRef) throw new Error("imageRef is required for deployment");
+      if (!options.imageDigest) throw new Error("imageDigest is required for deployment");
+      assertValidImageReference(options.imageRef);
+      validateAppName(options.appName);
+      validateLogVisibility(options.logVisibility);
+      if (!/^sha256:[0-9a-f]{64}$/i.test(options.imageDigest)) {
+        throw new Error(
+          `imageDigest must be in format sha256:<64 hex>, got: ${options.imageDigest}`
+        );
+      }
+      const { publicLogs } = validateLogVisibility(options.logVisibility);
+      validateResourceUsageMonitoring(options.resourceUsageMonitoring);
+      logger.debug("Performing preflight checks...");
+      const preflightCtx = await doPreflightChecks(
+        {
+          privateKey: options.privateKey,
+          rpcUrl: options.rpcUrl,
+          environment: options.environment
+        },
+        logger
+      );
+      logger.debug("Checking quota availability...");
+      await checkQuotaAvailable(preflightCtx);
+      const salt = generateRandomSalt();
+      logger.debug(`Generated salt: ${Buffer.from(salt).toString("hex")}`);
+      logger.debug("Calculating app ID...");
+      const appIDToBeDeployed = await calculateAppID(
+        preflightCtx.privateKey,
+        options.rpcUrl || preflightCtx.rpcUrl,
+        preflightCtx.environmentConfig,
+        salt
+      );
+      logger.info(``);
+      logger.info(`App ID: ${appIDToBeDeployed}`);
+      logger.info(``);
+      const release = await createReleaseFromImageDigest(
+        {
+          imageRef: options.imageRef,
+          imageDigest: options.imageDigest,
+          envFilePath: options.envFilePath,
+          instanceType: options.instanceType,
+          environmentConfig: preflightCtx.environmentConfig,
+          appId: appIDToBeDeployed
+        },
+        logger
+      );
+      logger.debug("Preparing deploy batch...");
+      const batch = await prepareDeployBatch(
+        {
+          privateKey: preflightCtx.privateKey,
+          rpcUrl: options.rpcUrl || preflightCtx.rpcUrl,
+          environmentConfig: preflightCtx.environmentConfig,
+          salt,
+          release,
+          publicLogs
+        },
+        logger
+      );
+      logger.debug("Estimating gas...");
+      const gasEstimate = await estimateBatchGas({
+        publicClient: batch.publicClient,
+        account: batch.walletClient.account.address,
+        executions: batch.executions
+      });
+      const data = {
+        appId: batch.appId,
+        salt: batch.salt,
+        executions: batch.executions
+      };
+      return {
+        prepared: {
+          data,
+          appName: options.appName,
+          imageRef: options.imageRef
+        },
+        gasEstimate
+      };
+    }
+  );
+}
 function validateDeployOptions(options) {
   if (!options.privateKey) {
     throw new Error("privateKey is required for deployment");
@@ -5753,26 +6017,27 @@ async function prepareDeploy(options, logger = defaultLogger) {
       logger.debug("Estimating gas...");
       const gasEstimate = await estimateBatchGas({
         publicClient: batch.publicClient,
-        environmentConfig: batch.environmentConfig,
+        account: batch.walletClient.account.address,
         executions: batch.executions
       });
+      const data = {
+        appId: batch.appId,
+        salt: batch.salt,
+        executions: batch.executions
+      };
       return {
         prepared: {
-          batch,
+          data,
           appName,
-          imageRef: finalImageRef,
-          preflightCtx: {
-            privateKey: preflightCtx.privateKey,
-            rpcUrl: preflightCtx.rpcUrl,
-            environmentConfig: preflightCtx.environmentConfig
-          }
+          imageRef: finalImageRef
         },
         gasEstimate
       };
     }
   );
 }
-async function executeDeploy(prepared, gas, logger = defaultLogger, skipTelemetry) {
+async function executeDeploy(options) {
+  const { prepared, context, gas, logger = defaultLogger, skipTelemetry } = options;
   return withSDKTelemetry(
     {
       functionName: "executeDeploy",
@@ -5780,7 +6045,7 @@ async function executeDeploy(prepared, gas, logger = defaultLogger, skipTelemetr
     },
     async () => {
       logger.info("Deploying on-chain...");
-      const { appId, txHash } = await executeDeployBatch(prepared.batch, gas, logger);
+      const { appId, txHash } = await executeDeployBatch(prepared.data, context, gas, logger);
       return {
         appId,
         txHash,
@@ -5842,6 +6107,81 @@ async function checkAppLogPermission(preflightCtx, appAddress, logger) {
 }
 
 // src/client/modules/compute/app/upgrade.ts
+async function prepareUpgradeFromVerifiableBuild(options, logger = defaultLogger) {
+  return withSDKTelemetry(
+    {
+      functionName: "prepareUpgradeFromVerifiableBuild",
+      skipTelemetry: options.skipTelemetry,
+      properties: {
+        environment: options.environment || "sepolia"
+      }
+    },
+    async () => {
+      logger.debug("Performing preflight checks...");
+      const preflightCtx = await doPreflightChecks(
+        {
+          privateKey: options.privateKey,
+          rpcUrl: options.rpcUrl,
+          environment: options.environment
+        },
+        logger
+      );
+      const appID = validateUpgradeOptions(options);
+      assertValidImageReference(options.imageRef);
+      if (!/^sha256:[0-9a-f]{64}$/i.test(options.imageDigest)) {
+        throw new Error(
+          `imageDigest must be in format sha256:<64 hex>, got: ${options.imageDigest}`
+        );
+      }
+      const { publicLogs } = validateLogVisibility(options.logVisibility);
+      validateResourceUsageMonitoring(options.resourceUsageMonitoring);
+      const envFilePath = options.envFilePath || "";
+      logger.info("Preparing release (verifiable build, no local layering)...");
+      const release = await createReleaseFromImageDigest(
+        {
+          imageRef: options.imageRef,
+          imageDigest: options.imageDigest,
+          envFilePath,
+          instanceType: options.instanceType,
+          environmentConfig: preflightCtx.environmentConfig,
+          appId: appID
+        },
+        logger
+      );
+      logger.debug("Checking current log permission state...");
+      const currentlyPublic = await checkAppLogPermission(preflightCtx, appID, logger);
+      const needsPermissionChange = currentlyPublic !== publicLogs;
+      logger.debug("Preparing upgrade batch...");
+      const batch = await prepareUpgradeBatch({
+        privateKey: preflightCtx.privateKey,
+        rpcUrl: options.rpcUrl || preflightCtx.rpcUrl,
+        environmentConfig: preflightCtx.environmentConfig,
+        appId: appID,
+        release,
+        publicLogs,
+        needsPermissionChange
+      });
+      logger.debug("Estimating gas...");
+      const gasEstimate = await estimateBatchGas({
+        publicClient: batch.publicClient,
+        account: batch.walletClient.account.address,
+        executions: batch.executions
+      });
+      const data = {
+        appId: batch.appId,
+        executions: batch.executions
+      };
+      return {
+        prepared: {
+          data,
+          appId: appID,
+          imageRef: options.imageRef
+        },
+        gasEstimate
+      };
+    }
+  );
+}
 function validateUpgradeOptions(options) {
   if (!options.privateKey) {
     throw new Error("privateKey is required for upgrade");
@@ -6004,26 +6344,26 @@ async function prepareUpgrade(options, logger = defaultLogger) {
       logger.debug("Estimating gas...");
       const gasEstimate = await estimateBatchGas({
         publicClient: batch.publicClient,
-        environmentConfig: batch.environmentConfig,
+        account: batch.walletClient.account.address,
         executions: batch.executions
       });
+      const data = {
+        appId: batch.appId,
+        executions: batch.executions
+      };
       return {
         prepared: {
-          batch,
+          data,
           appId: appID,
-          imageRef: finalImageRef,
-          preflightCtx: {
-            privateKey: preflightCtx.privateKey,
-            rpcUrl: preflightCtx.rpcUrl,
-            environmentConfig: preflightCtx.environmentConfig
-          }
+          imageRef: finalImageRef
         },
         gasEstimate
       };
     }
   );
 }
-async function executeUpgrade(prepared, gas, logger = defaultLogger, skipTelemetry) {
+async function executeUpgrade(options) {
+  const { prepared, context, gas, logger = defaultLogger, skipTelemetry } = options;
   return withSDKTelemetry(
     {
       functionName: "executeUpgrade",
@@ -6031,7 +6371,7 @@ async function executeUpgrade(prepared, gas, logger = defaultLogger, skipTelemet
     },
     async () => {
       logger.info("Upgrading on-chain...");
-      const txHash = await executeUpgradeBatch(prepared.batch, gas, logger);
+      const txHash = await executeUpgradeBatch(prepared.data, context, gas, logger);
       return {
         appId: prepared.appId,
         imageRef: prepared.imageRef,
@@ -6162,8 +6502,8 @@ var path5 = __toESM(require("path"), 1);
 var os3 = __toESM(require("os"), 1);
 var import_child_process2 = require("child_process");
 var import_util4 = require("util");
-var execAsync2 = (0, import_util4.promisify)(import_child_process2.exec);
-var execFileAsync2 = (0, import_util4.promisify)(import_child_process2.execFile);
+var execAsync = (0, import_util4.promisify)(import_child_process2.exec);
+var execFileAsync3 = (0, import_util4.promisify)(import_child_process2.execFile);
 async function fetchTemplate(repoURL, ref, targetDir, config, logger) {
   if (!repoURL) {
     throw new Error("repoURL is required");
@@ -6172,13 +6512,13 @@ async function fetchTemplate(repoURL, ref, targetDir, config, logger) {
 Cloning repo: ${repoURL} \u2192 ${targetDir}
 `);
   try {
-    await execAsync2(`git clone --no-checkout --progress ${repoURL} ${targetDir}`, {
+    await execAsync(`git clone --no-checkout --progress ${repoURL} ${targetDir}`, {
       maxBuffer: 10 * 1024 * 1024
     });
-    await execFileAsync2("git", ["-C", targetDir, "checkout", "--quiet", ref], {
+    await execFileAsync3("git", ["-C", targetDir, "checkout", "--quiet", ref], {
       maxBuffer: 10 * 1024 * 1024
     });
-    await execFileAsync2(
+    await execFileAsync3(
       "git",
       ["-C", targetDir, "submodule", "update", "--init", "--recursive", "--progress"],
       { maxBuffer: 10 * 1024 * 1024 }
@@ -6223,14 +6563,14 @@ Cloning template: ${repoURL} \u2192 extracting ${subPath}
 }
 async function cloneSparse(repoURL, ref, subPath, tempDir) {
   try {
-    await execFileAsync2("git", ["init", tempDir]);
-    await execFileAsync2("git", ["-C", tempDir, "remote", "add", "origin", repoURL]);
-    await execFileAsync2("git", ["-C", tempDir, "config", "core.sparseCheckout", "true"]);
+    await execFileAsync3("git", ["init", tempDir]);
+    await execFileAsync3("git", ["-C", tempDir, "remote", "add", "origin", repoURL]);
+    await execFileAsync3("git", ["-C", tempDir, "config", "core.sparseCheckout", "true"]);
     const sparseCheckoutPath = path5.join(tempDir, ".git/info/sparse-checkout");
     fs5.writeFileSync(sparseCheckoutPath, `${subPath}
 `);
-    await execFileAsync2("git", ["-C", tempDir, "fetch", "origin", ref]);
-    await execFileAsync2("git", ["-C", tempDir, "checkout", ref]);
+    await execFileAsync3("git", ["-C", tempDir, "fetch", "origin", ref]);
+    await execFileAsync3("git", ["-C", tempDir, "checkout", ref]);
   } catch (error) {
     throw new Error(`Failed to clone sparse repository: ${error.message}`);
   }
@@ -6805,6 +7145,187 @@ function createAppModule(ctx) {
         imageRef: result.imageRef
       };
     },
+    // Granular deploy control
+    async prepareDeploy(opts) {
+      return prepareDeploy(
+        {
+          privateKey,
+          rpcUrl: ctx.rpcUrl,
+          environment: ctx.environment,
+          appName: opts.name,
+          instanceType: opts.instanceType,
+          dockerfilePath: opts.dockerfile,
+          envFilePath: opts.envFile,
+          imageRef: opts.imageRef,
+          logVisibility: opts.logVisibility,
+          resourceUsageMonitoring: opts.resourceUsageMonitoring,
+          skipTelemetry
+        },
+        logger
+      );
+    },
+    async prepareDeployFromVerifiableBuild(opts) {
+      return prepareDeployFromVerifiableBuild(
+        {
+          privateKey,
+          rpcUrl: ctx.rpcUrl,
+          environment: ctx.environment,
+          appName: opts.name,
+          instanceType: opts.instanceType,
+          envFilePath: opts.envFile,
+          imageRef: opts.imageRef,
+          imageDigest: opts.imageDigest,
+          logVisibility: opts.logVisibility,
+          resourceUsageMonitoring: opts.resourceUsageMonitoring,
+          skipTelemetry
+        },
+        logger
+      );
+    },
+    async executeDeploy(prepared, gas) {
+      const account = (0, import_accounts5.privateKeyToAccount)(privateKey);
+      const chain = getChainFromID(environment.chainID);
+      const publicClient = (0, import_viem9.createPublicClient)({
+        chain,
+        transport: (0, import_viem9.http)(ctx.rpcUrl)
+      });
+      const walletClient = (0, import_viem9.createWalletClient)({
+        account,
+        chain,
+        transport: (0, import_viem9.http)(ctx.rpcUrl)
+      });
+      const result = await executeDeploy({
+        prepared,
+        context: {
+          walletClient,
+          publicClient,
+          environmentConfig: environment
+        },
+        gas,
+        logger,
+        skipTelemetry
+      });
+      return {
+        appId: result.appId,
+        txHash: result.txHash,
+        appName: result.appName,
+        imageRef: result.imageRef
+      };
+    },
+    async watchDeployment(appId) {
+      return watchDeployment(
+        appId,
+        privateKey,
+        ctx.rpcUrl,
+        ctx.environment,
+        logger,
+        ctx.clientId,
+        skipTelemetry
+      );
+    },
+    // Granular upgrade control
+    async prepareUpgrade(appId, opts) {
+      return prepareUpgrade(
+        {
+          appId,
+          privateKey,
+          rpcUrl: ctx.rpcUrl,
+          environment: ctx.environment,
+          instanceType: opts.instanceType,
+          dockerfilePath: opts.dockerfile,
+          envFilePath: opts.envFile,
+          imageRef: opts.imageRef,
+          logVisibility: opts.logVisibility,
+          resourceUsageMonitoring: opts.resourceUsageMonitoring,
+          skipTelemetry
+        },
+        logger
+      );
+    },
+    async prepareUpgradeFromVerifiableBuild(appId, opts) {
+      return prepareUpgradeFromVerifiableBuild(
+        {
+          appId,
+          privateKey,
+          rpcUrl: ctx.rpcUrl,
+          environment: ctx.environment,
+          instanceType: opts.instanceType,
+          envFilePath: opts.envFile,
+          imageRef: opts.imageRef,
+          imageDigest: opts.imageDigest,
+          logVisibility: opts.logVisibility,
+          resourceUsageMonitoring: opts.resourceUsageMonitoring,
+          skipTelemetry
+        },
+        logger
+      );
+    },
+    async executeUpgrade(prepared, gas) {
+      const account = (0, import_accounts5.privateKeyToAccount)(privateKey);
+      const chain = getChainFromID(environment.chainID);
+      const publicClient = (0, import_viem9.createPublicClient)({
+        chain,
+        transport: (0, import_viem9.http)(ctx.rpcUrl)
+      });
+      const walletClient = (0, import_viem9.createWalletClient)({
+        account,
+        chain,
+        transport: (0, import_viem9.http)(ctx.rpcUrl)
+      });
+      const result = await executeUpgrade({
+        prepared,
+        context: {
+          walletClient,
+          publicClient,
+          environmentConfig: environment
+        },
+        gas,
+        logger,
+        skipTelemetry
+      });
+      return {
+        appId: result.appId,
+        txHash: result.txHash,
+        imageRef: result.imageRef
+      };
+    },
+    async watchUpgrade(appId) {
+      return watchUpgrade(
+        appId,
+        privateKey,
+        ctx.rpcUrl,
+        ctx.environment,
+        logger,
+        ctx.clientId,
+        skipTelemetry
+      );
+    },
+    // Profile management
+    async setProfile(appId, profile) {
+      return withSDKTelemetry(
+        {
+          functionName: "setProfile",
+          skipTelemetry,
+          properties: { environment: ctx.environment }
+        },
+        async () => {
+          const userApiClient = new UserApiClient(
+            environment,
+            privateKey,
+            ctx.rpcUrl,
+            ctx.clientId
+          );
+          return userApiClient.uploadAppProfile(
+            appId,
+            profile.name,
+            profile.website,
+            profile.description,
+            profile.xURL,
+            profile.imagePath
+          );
+        }
+      );
+    },
     async logs(opts) {
       return logs(
         {
@@ -6955,10 +7476,10 @@ function createComputeModule(config) {
 
 // src/client/common/utils/billingapi.ts
 var import_axios2 = __toESM(require("axios"), 1);
-var import_accounts5 = require("viem/accounts");
+var import_accounts6 = require("viem/accounts");
 var BillingApiClient = class {
   constructor(config, privateKey) {
-    this.account = (0, import_accounts5.privateKeyToAccount)(privateKey);
+    this.account = (0, import_accounts6.privateKeyToAccount)(privateKey);
     this.config = config;
   }
   async createSubscription(productId = "compute") {
@@ -7028,7 +7549,7 @@ Please check:
 
 // src/client/common/auth/keyring.ts
 var import_keyring = require("@napi-rs/keyring");
-var import_accounts6 = require("viem/accounts");
+var import_accounts7 = require("viem/accounts");
 var SERVICE_NAME = "ecloud";
 var ACCOUNT_NAME = "key";
 var EIGENX_SERVICE_NAME = "eigenx-cli";
@@ -7173,7 +7694,7 @@ function validatePrivateKey2(privateKey) {
 }
 function getAddressFromPrivateKey(privateKey) {
   const normalized = normalizePrivateKey(privateKey);
-  return (0, import_accounts6.privateKeyToAddress)(normalized);
+  return (0, import_accounts7.privateKeyToAddress)(normalized);
 }
 function decodeGoKeyringValue(rawValue) {
   if (rawValue.startsWith(GO_KEYRING_BASE64_PREFIX)) {
@@ -7255,10 +7776,10 @@ async function requirePrivateKey(options) {
 }
 
 // src/client/common/auth/generate.ts
-var import_accounts7 = require("viem/accounts");
+var import_accounts8 = require("viem/accounts");
 function generateNewPrivateKey() {
-  const privateKey = (0, import_accounts7.generatePrivateKey)();
-  const address = (0, import_accounts7.privateKeyToAddress)(privateKey);
+  const privateKey = (0, import_accounts8.generatePrivateKey)();
+  const address = (0, import_accounts8.privateKeyToAddress)(privateKey);
   return {
     privateKey,
     address
@@ -7360,6 +7881,360 @@ function createBillingModule(config) {
   };
 }
 
+// src/client/common/utils/buildapi.ts
+var import_axios3 = __toESM(require("axios"), 1);
+var import_accounts9 = require("viem/accounts");
+var BuildApiClient = class {
+  constructor(options) {
+    this.baseUrl = options.baseUrl.replace(/\/+$/, "");
+    this.clientId = options.clientId;
+    if (options.privateKey) {
+      this.account = (0, import_accounts9.privateKeyToAccount)(options.privateKey);
+    }
+  }
+  async submitBuild(payload) {
+    return this.authenticatedJsonRequest("/builds", "POST", payload);
+  }
+  async getBuild(buildId) {
+    return this.publicJsonRequest(`/builds/${encodeURIComponent(buildId)}`);
+  }
+  async getBuildByDigest(digest) {
+    return this.publicJsonRequest(`/builds/image/${encodeURIComponent(digest)}`);
+  }
+  async verify(identifier) {
+    return this.publicJsonRequest(`/builds/verify/${encodeURIComponent(identifier)}`);
+  }
+  async getLogs(buildId) {
+    return this.authenticatedTextRequest(`/builds/${encodeURIComponent(buildId)}/logs`);
+  }
+  async listBuilds(params) {
+    const res = await (0, import_axios3.default)({
+      url: `${this.baseUrl}/builds`,
+      method: "GET",
+      params,
+      headers: this.clientId ? { "x-client-id": this.clientId } : void 0,
+      timeout: 6e4,
+      validateStatus: () => true
+    });
+    if (res.status < 200 || res.status >= 300) throw buildApiHttpError(res);
+    return res.data;
+  }
+  async publicJsonRequest(path8) {
+    const res = await (0, import_axios3.default)({
+      url: `${this.baseUrl}${path8}`,
+      method: "GET",
+      headers: this.clientId ? { "x-client-id": this.clientId } : void 0,
+      timeout: 6e4,
+      validateStatus: () => true
+    });
+    if (res.status < 200 || res.status >= 300) throw buildApiHttpError(res);
+    return res.data;
+  }
+  async authenticatedJsonRequest(path8, method, body) {
+    if (!this.account) throw new Error("Private key required for authenticated requests");
+    const headers = {
+      "Content-Type": "application/json"
+    };
+    if (this.clientId) headers["x-client-id"] = this.clientId;
+    const expiry = BigInt(Math.floor(Date.now() / 1e3) + 60);
+    const { signature } = await calculateBillingAuthSignature({
+      account: this.account,
+      product: "compute",
+      expiry
+    });
+    headers.Authorization = `Bearer ${signature}`;
+    headers["X-eigenx-expiry"] = expiry.toString();
+    headers["X-Account"] = this.account.address;
+    const res = await (0, import_axios3.default)({
+      url: `${this.baseUrl}${path8}`,
+      method,
+      headers,
+      data: body,
+      timeout: 6e4,
+      validateStatus: () => true
+    });
+    if (res.status < 200 || res.status >= 300) throw buildApiHttpError(res);
+    return res.data;
+  }
+  async authenticatedTextRequest(path8) {
+    if (!this.account) throw new Error("Private key required for authenticated requests");
+    const headers = {};
+    if (this.clientId) headers["x-client-id"] = this.clientId;
+    const expiry = BigInt(Math.floor(Date.now() / 1e3) + 60);
+    const { signature } = await calculateBillingAuthSignature({
+      account: this.account,
+      product: "compute",
+      expiry
+    });
+    headers.Authorization = `Bearer ${signature}`;
+    headers["X-eigenx-expiry"] = expiry.toString();
+    headers["X-Account"] = this.account.address;
+    const res = await (0, import_axios3.default)({
+      url: `${this.baseUrl}${path8}`,
+      method: "GET",
+      headers,
+      timeout: 6e4,
+      responseType: "text",
+      validateStatus: () => true
+    });
+    if (res.status < 200 || res.status >= 300) throw buildApiHttpError(res);
+    return typeof res.data === "string" ? res.data : JSON.stringify(res.data);
+  }
+};
+function buildApiHttpError(res) {
+  const status = res.status;
+  const body = typeof res.data === "string" ? res.data : res.data ? JSON.stringify(res.data) : "";
+  const url = res.config?.url ? ` ${res.config.url}` : "";
+  return new Error(`BuildAPI request failed: ${status}${url} - ${body || "Unknown error"}`);
+}
+
+// src/client/modules/build/types.ts
+var BUILD_STATUS = {
+  BUILDING: "building",
+  SUCCESS: "success",
+  FAILED: "failed"
+};
+
+// src/client/modules/build/errors.ts
+var BuildError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "BuildError";
+  }
+};
+var AuthRequiredError = class extends BuildError {
+  constructor(message = "Authentication required") {
+    super(message);
+    this.name = "AuthRequiredError";
+  }
+};
+var BuildFailedError = class extends BuildError {
+  constructor(message, buildId) {
+    super(message);
+    this.buildId = buildId;
+    this.name = "BuildFailedError";
+  }
+};
+var ConflictError = class extends BuildError {
+  constructor(message = "Build already in progress") {
+    super(message);
+    this.name = "ConflictError";
+  }
+};
+var NotFoundError = class extends BuildError {
+  constructor(message = "Build not found") {
+    super(message);
+    this.name = "NotFoundError";
+  }
+};
+var ForbiddenError = class extends BuildError {
+  constructor(message = "Permission denied") {
+    super(message);
+    this.name = "ForbiddenError";
+  }
+};
+var TimeoutError = class extends BuildError {
+  constructor(message = "Operation timed out") {
+    super(message);
+    this.name = "TimeoutError";
+  }
+};
+var BadRequestError = class extends BuildError {
+  constructor(message = "Bad request") {
+    super(message);
+    this.name = "BadRequestError";
+  }
+};
+
+// src/client/modules/build/index.ts
+var DEFAULT_POLL_INTERVAL = 2e3;
+var DEFAULT_TIMEOUT = 30 * 60 * 1e3;
+function createBuildModule(config) {
+  const { verbose = false, skipTelemetry = false } = config;
+  const logger = getLogger(verbose);
+  const environment = config.environment || "sepolia";
+  const environmentConfig = getEnvironmentConfig(environment);
+  const api = new BuildApiClient({
+    baseUrl: environmentConfig.userApiServerURL,
+    privateKey: config.privateKey ? addHexPrefix(config.privateKey) : void 0,
+    clientId: config.clientId
+  });
+  return {
+    async submit(request) {
+      return withSDKTelemetry(
+        {
+          functionName: "build.submit",
+          skipTelemetry,
+          properties: { environment, repoUrl: request.repoUrl }
+        },
+        async () => {
+          if (!config.privateKey) throw new AuthRequiredError("Private key required for submit()");
+          const data = await api.submitBuild({
+            repo_url: request.repoUrl,
+            git_ref: request.gitRef,
+            dockerfile_path: request.dockerfilePath ?? "Dockerfile",
+            caddyfile_path: request.caddyfilePath,
+            build_context_path: request.buildContextPath ?? ".",
+            dependencies: request.dependencies ?? []
+          });
+          logger.debug(`Submitted build: ${data.build_id}`);
+          return { buildId: data.build_id };
+        }
+      );
+    },
+    async list(options) {
+      const { billingAddress, limit, offset } = options;
+      return withSDKTelemetry(
+        {
+          functionName: "build.list",
+          skipTelemetry,
+          properties: {
+            environment,
+            billingAddress,
+            ...limit !== void 0 ? { limit: String(limit) } : {},
+            ...offset !== void 0 ? { offset: String(offset) } : {}
+          }
+        },
+        async () => {
+          const data = await api.listBuilds({
+            billing_address: billingAddress,
+            limit,
+            offset
+          });
+          return Array.isArray(data) ? data.map(transformBuild) : [];
+        }
+      );
+    },
+    async get(buildId) {
+      return withSDKTelemetry(
+        { functionName: "build.get", skipTelemetry, properties: { environment, buildId } },
+        async () => transformBuild(await api.getBuild(buildId))
+      );
+    },
+    async getByDigest(digest) {
+      return withSDKTelemetry(
+        { functionName: "build.getByDigest", skipTelemetry, properties: { environment, digest } },
+        async () => transformBuild(await api.getBuildByDigest(digest))
+      );
+    },
+    async verify(identifier) {
+      return withSDKTelemetry(
+        { functionName: "build.verify", skipTelemetry, properties: { environment, identifier } },
+        async () => transformVerifyResult(await api.verify(identifier))
+      );
+    },
+    async getLogs(buildId) {
+      return withSDKTelemetry(
+        { functionName: "build.getLogs", skipTelemetry, properties: { environment, buildId } },
+        async () => {
+          if (!config.privateKey) throw new AuthRequiredError("Private key required for getLogs()");
+          return api.getLogs(buildId);
+        }
+      );
+    },
+    async submitAndWait(request, options = {}) {
+      const { buildId } = await this.submit(request);
+      return this.waitForBuild(buildId, options);
+    },
+    async waitForBuild(buildId, options = {}) {
+      const {
+        onLog,
+        onProgress,
+        pollIntervalMs = DEFAULT_POLL_INTERVAL,
+        timeoutMs = DEFAULT_TIMEOUT
+      } = options;
+      const startTime = Date.now();
+      let lastLogLength = 0;
+      while (true) {
+        if (Date.now() - startTime > timeoutMs) {
+          throw new TimeoutError(`Build timed out after ${timeoutMs}ms`);
+        }
+        const build = await this.get(buildId);
+        let logs2 = "";
+        try {
+          logs2 = await this.getLogs(buildId);
+          if (onLog && logs2.length > lastLogLength) {
+            onLog(logs2.slice(lastLogLength));
+            lastLogLength = logs2.length;
+          }
+        } catch {
+        }
+        onProgress?.({ build, logs: logs2 });
+        if (build.status === BUILD_STATUS.SUCCESS) return build;
+        if (build.status === BUILD_STATUS.FAILED) {
+          throw new BuildFailedError(build.errorMessage ?? "Build failed", buildId);
+        }
+        await sleep2(pollIntervalMs);
+      }
+    },
+    async *streamLogs(buildId, pollIntervalMs = DEFAULT_POLL_INTERVAL) {
+      let lastLength = 0;
+      while (true) {
+        const build = await this.get(buildId);
+        let logs2 = "";
+        try {
+          logs2 = await this.getLogs(buildId);
+        } catch {
+        }
+        if (logs2.length > lastLength) {
+          yield {
+            content: logs2.slice(lastLength),
+            totalLength: logs2.length,
+            isComplete: build.status !== BUILD_STATUS.BUILDING,
+            finalStatus: build.status !== BUILD_STATUS.BUILDING ? build.status : void 0
+          };
+          lastLength = logs2.length;
+        }
+        if (build.status !== BUILD_STATUS.BUILDING) break;
+        await sleep2(pollIntervalMs);
+      }
+    }
+  };
+}
+function sleep2(ms) {
+  return new Promise((resolve2) => setTimeout(resolve2, ms));
+}
+function transformBuild(raw) {
+  return {
+    buildId: raw.build_id,
+    billingAddress: raw.billing_address,
+    repoUrl: raw.repo_url,
+    gitRef: raw.git_ref,
+    status: raw.status,
+    buildType: raw.build_type,
+    imageName: raw.image_name,
+    imageUrl: raw.image_url,
+    imageDigest: raw.image_digest,
+    provenanceJson: raw.provenance_json ?? void 0,
+    provenanceSignature: raw.provenance_signature ?? void 0,
+    errorMessage: raw.error_message ?? void 0,
+    createdAt: raw.created_at,
+    updatedAt: raw.updated_at,
+    dependencies: raw.dependencies ? Object.fromEntries(Object.entries(raw.dependencies).map(([k, v]) => [k, transformBuild(v)])) : void 0
+  };
+}
+function transformVerifyResult(raw) {
+  if (raw.status === "verified") {
+    return {
+      status: "verified",
+      buildId: raw.build_id,
+      imageUrl: raw.image_url,
+      imageDigest: raw.image_digest,
+      repoUrl: raw.repo_url,
+      gitRef: raw.git_ref,
+      provenanceJson: raw.provenance_json,
+      provenanceSignature: raw.provenance_signature,
+      payloadType: raw.payload_type,
+      payload: raw.payload
+    };
+  }
+  return {
+    status: "failed",
+    error: raw.error,
+    buildId: raw.build_id
+  };
+}
+
 // src/client/common/utils/instance.ts
 async function getCurrentInstanceType(preflightCtx, appID, logger, clientId) {
   try {
@@ -7414,10 +8289,20 @@ function createECloudClient(cfg) {
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  AuthRequiredError,
+  BUILD_STATUS,
+  BadRequestError,
+  BuildError,
+  BuildFailedError,
+  ConflictError,
+  ForbiddenError,
   NoopClient,
+  NotFoundError,
   PRIMARY_LANGUAGES,
   PostHogClient,
+  TimeoutError,
   UserApiClient,
+  addHexPrefix,
   addMetric,
   addMetricWithDimensions,
   assertValidFilePath,
@@ -7427,6 +8312,7 @@ function createECloudClient(cfg) {
   createApp,
   createAppEnvironment,
   createBillingModule,
+  createBuildModule,
   createComputeModule,
   createECloudClient,
   createMetricsContext,
@@ -7470,12 +8356,15 @@ function createECloudClient(cfg) {
   listStoredKeys,
   logs,
   prepareDeploy,
+  prepareDeployFromVerifiableBuild,
   prepareUpgrade,
+  prepareUpgradeFromVerifiableBuild,
   requirePrivateKey,
   sanitizeString,
   sanitizeURL,
   sanitizeXURL,
   storePrivateKey,
+  stripHexPrefix,
   validateAppID,
   validateAppName,
   validateCreateAppParams,