@pocketenv/cli 0.2.0

package/dist/index.js

@@ -0,0 +1,1181 @@
+#!/usr/bin/env node
+import chalk from 'chalk';
+import { Command } from 'commander';
+import consola from 'consola';
+import fs from 'fs/promises';
+import path from 'path';
+import os from 'os';
+import { env as env$2 } from 'process';
+import axios from 'axios';
+import { cleanEnv, str } from 'envalid';
+import open from 'open';
+import express from 'express';
+import cors from 'cors';
+import fs$1 from 'node:fs/promises';
+import os$1 from 'node:os';
+import path$1 from 'node:path';
+import WebSocket from 'ws';
+import { EventSource } from 'eventsource';
+import Table from 'cli-table3';
+import dayjs from 'dayjs';
+import relativeTime from 'dayjs/plugin/relativeTime.js';
+import { password, editor, input } from '@inquirer/prompts';
+import sodium from 'libsodium-wrappers';
+
+var version = "0.2.0";
+
+async function getAccessToken() {
+  const tokenPath = path.join(os.homedir(), ".pocketenv", "token.json");
+  try {
+    await fs.access(tokenPath);
+  } catch (err) {
+    if (!env$2.POCKETENV_TOKEN) {
+      consola.error(
+        `You are not logged in. Please run ${chalk.greenBright(
+          "`pocketenv login <username>.bsky.social`"
+        )} first.`
+      );
+      process.exit(1);
+    }
+  }
+  const tokenData = await fs.readFile(tokenPath, "utf-8");
+  const { token } = JSON.parse(tokenData);
+  if (!token) {
+    consola.error(
+      `You are not logged in. Please run ${chalk.greenBright(
+        "`rocksky login <username>.bsky.social`"
+      )} first.`
+    );
+    process.exit(1);
+  }
+  return token;
+}
+
+const env$1 = cleanEnv(process.env, {
+  POCKETENV_TOKEN: str({ default: "" }),
+  POCKETENV_API_URL: str({ default: "https://api.pocketenv.io" }),
+  POCKETENV_CF_URL: str({ default: "https://sbx.pocketenv.io" }),
+  POCKETENV_TTY_URL: str({ default: "https://api.pocketenv.io" }),
+  POCKETENV_PUBLIC_KEY: str({
+    default: "2bf96e12d109e6948046a7803ef1696e12c11f04f20a6ce64dbd4bcd93db9341"
+  })
+});
+
+const client = axios.create({
+  baseURL: env$1.POCKETENV_API_URL
+});
+
+async function start(name) {
+  const token = await getAccessToken();
+  await client.post("/xrpc/io.pocketenv.sandbox.startSandbox", void 0, {
+    params: {
+      id: name
+    },
+    headers: {
+      Authorization: `Bearer ${env$1.POCKETENV_TOKEN || token}`
+    }
+  });
+  consola.success(`Sandbox ${chalk.greenBright(name)} started`);
+  consola.log(
+    `Run ${chalk.greenBright(`pocketenv console ${name}`)} to access the sandbox`
+  );
+}
+
+async function login(handle) {
+  const app = express();
+  app.use(cors());
+  app.use(express.json());
+  const server = app.listen(6997);
+  app.post("/token", async (req, res) => {
+    console.log(chalk.bold(chalk.greenBright("Login successful!\n")));
+    const tokenPath = path$1.join(os$1.homedir(), ".pocketenv", "token.json");
+    await fs$1.mkdir(path$1.dirname(tokenPath), { recursive: true });
+    await fs$1.writeFile(
+      tokenPath,
+      JSON.stringify({ token: req.body.token }, null, 2)
+    );
+    res.json({
+      ok: 1
+    });
+    server.close();
+  });
+  const response = await client.post(`/login`, { handle, cli: true });
+  const redirectUrl = response.data;
+  if (!redirectUrl.includes("authorize")) {
+    console.error("Failed to login, please check your handle and try again.");
+    server.close();
+    return;
+  }
+  console.log("Please visit this URL to authorize the app:");
+  console.log(chalk.cyan(redirectUrl));
+  await open(response.data);
+}
+
+async function whoami() {
+  const token = await getAccessToken();
+  const profile = await client.get(
+    "/xrpc/io.pocketenv.actor.getProfile",
+    {
+      headers: {
+        Authorization: `Bearer ${env$1.POCKETENV_TOKEN || token}`
+      }
+    }
+  );
+  const handle = `@${profile.data.handle}`;
+  consola.log(
+    `You are logged in as ${chalk.cyan(handle)} (${profile.data.displayName}).`
+  );
+}
+
+function sendInput$1(ws, data) {
+  if (ws.readyState === WebSocket.OPEN) {
+    ws.send(data);
+  }
+}
+function sendResize$1(ws, cols, rows) {
+  if (ws.readyState === WebSocket.OPEN) {
+    ws.send(JSON.stringify({ type: "resize", cols, rows }));
+  }
+}
+function resolveWorkerUrl(baseSandbox, cfUrl) {
+  return cfUrl.replace("sbx", baseSandbox).replace("claude-code", "claudecode");
+}
+async function ssh$2(sandbox) {
+  const token = await getAccessToken();
+  const authToken = env$1.POCKETENV_TOKEN || token;
+  const tokenResponse = await client.get(
+    "/xrpc/io.pocketenv.actor.getTerminalToken",
+    { headers: { Authorization: `Bearer ${authToken}` } }
+  );
+  const terminalToken = tokenResponse.data.token;
+  if (!terminalToken) {
+    consola.error("Failed to obtain a terminal token.");
+    process.exit(1);
+  }
+  const cfBaseUrl = env$1.POCKETENV_CF_URL;
+  const workerUrl = resolveWorkerUrl(sandbox.baseSandbox, cfBaseUrl);
+  const wsBase = workerUrl.replace(/^http/, "ws");
+  const wsUrl = new URL(`${wsBase}/v1/sandboxes/${sandbox.id}/ws/terminal`);
+  wsUrl.searchParams.set("t", terminalToken);
+  wsUrl.searchParams.set("session", crypto.randomUUID());
+  let cols = process.stdout.columns ?? 220;
+  let rows = process.stdout.rows ?? 50;
+  consola.info(
+    `Connecting to ${chalk.cyanBright(sandbox.name)} via Cloudflare sandbox\u2026`
+  );
+  const ws = new WebSocket(wsUrl.toString(), {
+    headers: { "User-Agent": "pocketenv-cli" }
+  });
+  let exiting = false;
+  let stdinAttached = false;
+  function teardown(code = 0) {
+    if (exiting) return;
+    exiting = true;
+    if (process.stdin.isTTY) {
+      try {
+        process.stdin.setRawMode(false);
+      } catch {
+      }
+    }
+    process.stdin.pause();
+    if (ws.readyState === WebSocket.OPEN || ws.readyState === WebSocket.CONNECTING) {
+      ws.close(1e3, "client disconnect");
+    }
+    process.exit(code);
+  }
+  ws.on("open", () => {
+  });
+  ws.on("message", (raw, isBinary) => {
+    if (isBinary) {
+      process.stdout.write(raw);
+      return;
+    }
+    let msg;
+    try {
+      msg = JSON.parse(raw.toString());
+    } catch {
+      return;
+    }
+    switch (msg.type) {
+      case "ready": {
+        sendResize$1(ws, cols, rows);
+        if (stdinAttached) break;
+        stdinAttached = true;
+        if (process.stdin.isTTY) {
+          process.stdin.setRawMode(true);
+        }
+        process.stdin.resume();
+        process.stdin.on("data", (chunk) => {
+          sendInput$1(ws, chunk);
+        });
+        process.stdout.on("resize", () => {
+          cols = process.stdout.columns ?? cols;
+          rows = process.stdout.rows ?? rows;
+          sendResize$1(ws, cols, rows);
+        });
+        break;
+      }
+      case "error":
+        process.stderr.write(
+          `\r
+${chalk.red("Terminal error:")} ${msg.message}\r
+`
+        );
+        teardown(1);
+        break;
+      case "exit":
+        process.stderr.write(
+          `\r
+${chalk.dim(
+            `Session exited with code ${msg.code}${msg.signal ? ` (${msg.signal})` : ""}`
+          )}\r
+`
+        );
+        teardown(msg.code ?? 0);
+        break;
+    }
+  });
+  ws.on("close", (code, reason) => {
+    if (!exiting) {
+      process.stderr.write(
+        `\r
+${chalk.yellow("Connection closed")} (${code}${reason.length ? ` \u2013 ${reason}` : ""})\r
+`
+      );
+      teardown(0);
+    }
+  });
+  ws.on("error", (err) => {
+    consola.error("WebSocket error:", err.message);
+    teardown(1);
+  });
+  process.on("SIGINT", () => teardown(0));
+  process.on("SIGTERM", () => teardown(0));
+  await new Promise((resolve) => {
+    ws.on("close", resolve);
+    ws.on("error", () => resolve());
+  });
+}
+
+async function sendInput(ttyUrl, sandboxId, data, token) {
+  try {
+    await axios.post(
+      `${ttyUrl}/tty/${sandboxId}/input`,
+      data instanceof Buffer ? data.toString("utf-8") : data,
+      {
+        headers: {
+          "Content-Type": "text/plain",
+          Authorization: `Bearer ${token}`
+        }
+      }
+    );
+  } catch {
+  }
+}
+async function sendResize(ttyUrl, sandboxId, cols, rows, token) {
+  try {
+    await axios.post(
+      `${ttyUrl}/tty/${sandboxId}/resize`,
+      { cols, rows },
+      {
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${token}`
+        }
+      }
+    );
+  } catch {
+  }
+}
+function makeAuthFetch(token) {
+  return (url, init) => {
+    const headers = new Headers(init.headers ?? {});
+    headers.set("Authorization", `Bearer ${token}`);
+    return fetch(url, { ...init, headers });
+  };
+}
+async function ssh$1(sandbox) {
+  const token = await getAccessToken();
+  const authToken = env$1.POCKETENV_TOKEN || token;
+  const ttyUrl = env$1.POCKETENV_TTY_URL;
+  let cols = process.stdout.columns ?? 220;
+  let rows = process.stdout.rows ?? 50;
+  consola.info(
+    `Connecting to ${chalk.cyanBright(sandbox.name)} via TTY stream\u2026`
+  );
+  let exiting = false;
+  let es = null;
+  let stdinAttached = false;
+  function teardown(code = 0) {
+    if (exiting) return;
+    exiting = true;
+    if (process.stdin.isTTY) {
+      try {
+        process.stdin.setRawMode(false);
+      } catch {
+      }
+    }
+    process.stdin.pause();
+    if (es) {
+      es.close();
+      es = null;
+    }
+    process.exit(code);
+  }
+  function attachStdin() {
+    if (stdinAttached) return;
+    stdinAttached = true;
+    if (process.stdin.isTTY) {
+      process.stdin.setRawMode(true);
+    }
+    process.stdin.resume();
+    process.stdin.on("data", (chunk) => {
+      sendInput(ttyUrl, sandbox.id, chunk, authToken);
+    });
+    process.stdout.on("resize", () => {
+      cols = process.stdout.columns ?? cols;
+      rows = process.stdout.rows ?? rows;
+      sendResize(ttyUrl, sandbox.id, cols, rows, authToken);
+    });
+  }
+  process.stdout.write(`\x1B[35mConnecting to terminal...\x1B[0m\r
+`);
+  es = new EventSource(`${ttyUrl}/tty/${sandbox.id}/stream`, {
+    fetch: makeAuthFetch(authToken)
+  });
+  es.addEventListener("open", () => {
+    process.stdout.write("\r\x1B[K");
+    sendResize(ttyUrl, sandbox.id, cols, rows, authToken).then(() => {
+      attachStdin();
+    });
+  });
+  es.addEventListener("output", (event) => {
+    try {
+      const { data } = JSON.parse(event.data);
+      process.stdout.write(data);
+    } catch {
+      process.stdout.write(event.data);
+    }
+  });
+  es.addEventListener("exit", (event) => {
+    let code = 0;
+    try {
+      const parsed = JSON.parse(event.data);
+      code = parsed.code ?? 0;
+      process.stderr.write(
+        `\r
+${chalk.dim(`Process exited with code ${code}`)}\r
+`
+      );
+    } catch {
+      process.stderr.write(`\r
+${chalk.dim("Process exited.")}\r
+`);
+    }
+    teardown(code);
+  });
+  es.onerror = (err) => {
+    if (es && es.readyState === EventSource.CLOSED) {
+      const detail = err.message ? ` (${err.message})` : "";
+      process.stderr.write(
+        `\r
+${chalk.red(`Terminal connection lost${detail}`)}\r
+`
+      );
+      teardown(1);
+    }
+  };
+  process.on("SIGINT", () => teardown(0));
+  process.on("SIGTERM", () => teardown(0));
+  await new Promise((resolve) => {
+    const poll = setInterval(() => {
+      if (exiting) {
+        clearInterval(poll);
+        resolve();
+      }
+    }, 200);
+  });
+}
+
+async function ssh(sandboxName) {
+  const token = await getAccessToken();
+  const authToken = env$1.POCKETENV_TOKEN || token;
+  let sandbox;
+  if (!sandboxName) {
+    const profile = await client.get(
+      "/xrpc/io.pocketenv.actor.getProfile",
+      { headers: { Authorization: `Bearer ${authToken}` } }
+    );
+    const response = await client.get(
+      "/xrpc/io.pocketenv.actor.getActorSandboxes",
+      {
+        params: { did: profile.data.did, offset: 0, limit: 100 },
+        headers: { Authorization: `Bearer ${authToken}` }
+      }
+    );
+    const runningSandboxes = response.data.sandboxes.filter(
+      (s) => s.status === "RUNNING"
+    );
+    if (runningSandboxes.length === 0) {
+      consola.error(
+        `No running sandboxes found. Start one with ${chalk.greenBright("pocketenv start <sandbox>")} first.`
+      );
+      process.exit(1);
+    }
+    sandbox = runningSandboxes[0];
+    consola.info(`Connecting to sandbox ${chalk.greenBright(sandbox.name)}\u2026`);
+  } else {
+    const response = await client.get(
+      "/xrpc/io.pocketenv.sandbox.getSandbox",
+      {
+        params: { id: sandboxName },
+        headers: { Authorization: `Bearer ${authToken}` }
+      }
+    );
+    if (!response.data.sandbox) {
+      consola.error(`Sandbox ${chalk.yellowBright(sandboxName)} not found.`);
+      process.exit(1);
+    }
+    sandbox = response.data.sandbox;
+  }
+  if (sandbox.status !== "RUNNING") {
+    consola.error(
+      `Sandbox ${chalk.yellowBright(sandbox.name)} is not running. Start it with ${chalk.greenBright(`pocketenv start ${sandbox.name}`)}.`
+    );
+    process.exit(1);
+  }
+  switch (sandbox.provider) {
+    case "cloudflare":
+      await ssh$2(sandbox);
+      break;
+    case "daytona":
+      break;
+    case "deno":
+      break;
+    case "vercel":
+      break;
+    case "sprites":
+      await ssh$1(sandbox);
+      break;
+    default:
+      consola.error(
+        `Sandbox ${chalk.yellowBright(sandbox.name)} uses provider ${chalk.cyan(sandbox.provider)}, but this command only supports ${chalk.cyan("cloudflare")}, ${chalk.cyan("daytona")}, ${chalk.cyan("deno")}, ${chalk.cyan("vercel")}, or ${chalk.cyan("sprites")} sandboxes.`
+      );
+      process.exit(1);
+  }
+}
+
+dayjs.extend(relativeTime);
+async function listSandboxes() {
+  const token = await getAccessToken();
+  const profile = await client.get(
+    "/xrpc/io.pocketenv.actor.getProfile",
+    {
+      headers: {
+        Authorization: `Bearer ${env$1.POCKETENV_TOKEN || token}`
+      }
+    }
+  );
+  const response = await client.get(
+    "/xrpc/io.pocketenv.actor.getActorSandboxes",
+    {
+      params: {
+        did: profile.data.did,
+        offset: 0,
+        limit: 100
+      }
+    }
+  );
+  const table = new Table({
+    head: [
+      chalk.cyan("NAME"),
+      chalk.cyan("BASE"),
+      chalk.cyan("STATUS"),
+      chalk.cyan("CREATED AT")
+    ],
+    chars: {
+      top: "",
+      "top-mid": "",
+      "top-left": "",
+      "top-right": "",
+      bottom: "",
+      "bottom-mid": "",
+      "bottom-left": "",
+      "bottom-right": "",
+      left: "",
+      "left-mid": "",
+      mid: "",
+      "mid-mid": "",
+      right: "",
+      "right-mid": "",
+      middle: " "
+    },
+    style: {
+      border: [],
+      head: []
+    }
+  });
+  for (const sandbox of response.data.sandboxes) {
+    table.push([
+      chalk.greenBright(sandbox.name),
+      sandbox.baseSandbox,
+      sandbox.status === "RUNNING" ? chalk.greenBright(sandbox.status) : sandbox.status,
+      dayjs(sandbox.createdAt).fromNow()
+    ]);
+  }
+  consola.log(table.toString());
+}
+
+async function stop(name) {
+  const token = await getAccessToken();
+  await client.post("/xrpc/io.pocketenv.sandbox.stopSandbox", void 0, {
+    params: {
+      id: name
+    },
+    headers: {
+      Authorization: `Bearer ${env$1.POCKETENV_TOKEN || token}`
+    }
+  });
+  consola.success(`Sandbox ${chalk.greenBright(name)} stopped`);
+}
+
+async function createSandbox(name, { provider, ssh: ssh$1 }) {
+  const token = await getAccessToken();
+  if (["deno", "vercel", "daytona"].includes(provider || "")) {
+    consola.error(
+      `This Sandbox Runtime is temporarily disabled. ${chalk.greenBright(provider ?? "")}`
+    );
+    process.exit(1);
+  }
+  try {
+    const sandbox = await client.post(
+      "/xrpc/io.pocketenv.sandbox.createSandbox",
+      {
+        name,
+        base: "at://did:plc:aturpi2ls3yvsmhc6wybomun/io.pocketenv.sandbox/openclaw",
+        provider: provider ?? "cloudflare"
+      },
+      {
+        headers: {
+          Authorization: `Bearer ${token}`
+        }
+      }
+    );
+    if (!ssh$1) {
+      consola.success(
+        `Sandbox created successfully: ${chalk.greenBright(sandbox.data.name)}`
+      );
+      return;
+    }
+    await ssh(sandbox.data.name);
+  } catch (error) {
+    consola.error(`Failed to create sandbox: ${error}`);
+  }
+}
+
+async function logout() {
+  const tokenPath = path$1.join(os$1.homedir(), ".pocketenv", "token.json");
+  try {
+    await fs$1.access(tokenPath);
+  } catch {
+    consola.log("Logged out successfully");
+    return;
+  }
+  await fs$1.unlink(tokenPath);
+  consola.log("Logged out successfully");
+}
+
+async function deleteSandbox(id) {
+  const token = await getAccessToken();
+  try {
+    await client.post("/xrpc/io.pocketenv.sandbox.deleteSandbox", void 0, {
+      params: {
+        id
+      },
+      headers: {
+        Authorization: `Bearer ${env$1.POCKETENV_TOKEN || token}`
+      }
+    });
+    consola.success("Sandbox deleted successfully");
+  } catch {
+    consola.error("Failed to delete sandbox");
+  }
+}
+
+async function encrypt(message) {
+  await sodium.ready;
+  const sealed = sodium.crypto_box_seal(
+    sodium.from_string(message),
+    sodium.from_hex(env$1.POCKETENV_PUBLIC_KEY)
+  );
+  return sodium.to_base64(sealed, sodium.base64_variants.URLSAFE_NO_PADDING);
+}
+
+dayjs.extend(relativeTime);
+async function listSecrets(sandbox) {
+  const token = await getAccessToken();
+  const { data } = await client.get(
+    "/xrpc/io.pocketenv.sandbox.getSandbox",
+    {
+      params: {
+        id: sandbox
+      },
+      headers: {
+        Authorization: `Bearer ${env$1.POCKETENV_TOKEN || token}`
+      }
+    }
+  );
+  const response = await client.get(
+    "/xrpc/io.pocketenv.secret.getSecrets",
+    {
+      params: {
+        sandboxId: data.sandbox.id,
+        offset: 0,
+        limit: 100
+      },
+      headers: {
+        Authorization: `Bearer ${env$1.POCKETENV_TOKEN || token}`
+      }
+    }
+  );
+  const table = new Table({
+    head: [chalk.cyan("ID"), chalk.cyan("NAME"), chalk.cyan("CREATED AT")],
+    chars: {
+      top: "",
+      "top-mid": "",
+      "top-left": "",
+      "top-right": "",
+      bottom: "",
+      "bottom-mid": "",
+      "bottom-left": "",
+      "bottom-right": "",
+      left: "",
+      "left-mid": "",
+      mid: "",
+      "mid-mid": "",
+      right: "",
+      "right-mid": "",
+      middle: " "
+    },
+    style: {
+      border: [],
+      head: []
+    }
+  });
+  for (const secret of response.data.secrets) {
+    table.push([
+      chalk.greenBright(secret.id),
+      chalk.greenBright(secret.name),
+      dayjs(secret.createdAt).fromNow()
+    ]);
+  }
+  consola.log(table.toString());
+}
+async function putSecret(sandbox, key) {
+  const token = await getAccessToken();
+  const value = await password({ message: "Enter secret value" });
+  const { data } = await client.get("/xrpc/io.pocketenv.sandbox.getSandbox", {
+    params: {
+      id: sandbox
+    },
+    headers: {
+      Authorization: `Bearer ${env$1.POCKETENV_TOKEN || token}`
+    }
+  });
+  if (!data.sandbox) {
+    consola.error(`Sandbox not found: ${chalk.greenBright(sandbox)}`);
+    process.exit(1);
+  }
+  await client.post(
+    "/xrpc/io.pocketenv.secret.addSecret",
+    {
+      secret: {
+        sandboxId: data.sandbox.id,
+        name: key,
+        value: await encrypt(value)
+      }
+    },
+    {
+      headers: {
+        Authorization: `Bearer ${env$1.POCKETENV_TOKEN || token}`
+      }
+    }
+  );
+}
+async function deleteSecret(id) {
+  const token = await getAccessToken();
+  await client.post("/xrpc/io.pocketenv.secret.deleteSecret", void 0, {
+    params: {
+      id
+    },
+    headers: {
+      Authorization: `Bearer ${env$1.POCKETENV_TOKEN || token}`
+    }
+  });
+  consola.success("Secret deleted successfully");
+}
+
+async function listEnvs(sandbox) {
+  const token = await getAccessToken();
+  const { data } = await client.get(
+    "/xrpc/io.pocketenv.sandbox.getSandbox",
+    {
+      params: {
+        id: sandbox
+      },
+      headers: {
+        Authorization: `Bearer ${token}`
+      }
+    }
+  );
+  if (!data.sandbox) {
+    consola.error(`Sandbox not found: ${chalk.greenBright(sandbox)}`);
+    process.exit(1);
+  }
+  const response = await client.get(
+    "/xrpc/io.pocketenv.variable.getVariables",
+    {
+      params: {
+        sandboxId: data.sandbox.id,
+        offset: 0,
+        limit: 100
+      },
+      headers: {
+        Authorization: `Bearer ${env$1.POCKETENV_TOKEN || token}`
+      }
+    }
+  );
+  const table = new Table({
+    head: [
+      chalk.cyan("ID"),
+      chalk.cyan("NAME"),
+      chalk.cyan("VALUE"),
+      chalk.cyan("CREATED AT")
+    ],
+    chars: {
+      top: "",
+      "top-mid": "",
+      "top-left": "",
+      "top-right": "",
+      bottom: "",
+      "bottom-mid": "",
+      "bottom-left": "",
+      "bottom-right": "",
+      left: "",
+      "left-mid": "",
+      mid: "",
+      "mid-mid": "",
+      right: "",
+      "right-mid": "",
+      middle: " "
+    },
+    style: {
+      border: [],
+      head: []
+    }
+  });
+  for (const variable of response.data.variables) {
+    table.push([
+      chalk.greenBright(variable.id),
+      chalk.greenBright(variable.name),
+      variable.value,
+      dayjs(variable.createdAt).fromNow()
+    ]);
+  }
+  consola.log(table.toString());
+}
+async function putEnv(sandbox, key, value) {
+  const token = await getAccessToken();
+  const { data } = await client.get(
+    "/xrpc/io.pocketenv.sandbox.getSandbox",
+    {
+      params: {
+        id: sandbox
+      },
+      headers: {
+        Authorization: `Bearer ${env$1.POCKETENV_TOKEN || token}`
+      }
+    }
+  );
+  await client.post(
+    "/xrpc/io.pocketenv.variable.addVariable",
+    {
+      variable: { sandboxId: data.sandbox.id, name: key, value }
+    },
+    {
+      headers: {
+        Authorization: `Bearer ${env$1.POCKETENV_TOKEN || token}`
+      }
+    }
+  );
+  consola.success("Variable updated successfully");
+}
+async function deleteEnv(id) {
+  const token = await getAccessToken();
+  await client.post("/xrpc/io.pocketenv.variable.deleteVariable", void 0, {
+    params: { id },
+    headers: {
+      Authorization: `Bearer ${env$1.POCKETENV_TOKEN || token}`
+    }
+  });
+  consola.success("Variable deleted successfully");
+}
+
+function u32(n) {
+  return new Uint8Array([
+    n >>> 24 & 255,
+    n >>> 16 & 255,
+    n >>> 8 & 255,
+    n & 255
+  ]);
+}
+function concatBytes(...arrays) {
+  const total = arrays.reduce((sum, arr) => sum + arr.length, 0);
+  const out = new Uint8Array(total);
+  let offset = 0;
+  for (const arr of arrays) {
+    out.set(arr, offset);
+    offset += arr.length;
+  }
+  return out;
+}
+function sshString(bytes) {
+  return concatBytes(u32(bytes.length), bytes);
+}
+function text(value) {
+  return new TextEncoder().encode(value);
+}
+function wrapPem(label, bytes) {
+  const base64 = sodium.to_base64(bytes, sodium.base64_variants.ORIGINAL);
+  const lines = base64.match(/.{1,70}/g)?.join("\n") ?? base64;
+  return `-----BEGIN ${label}-----
+${lines}
+-----END ${label}-----
+`;
+}
+function buildEd25519PublicKeyBlob(publicKey) {
+  return concatBytes(sshString(text("ssh-ed25519")), sshString(publicKey));
+}
+function publicLineFromPublicKey(publicKey, comment) {
+  const blob = buildEd25519PublicKeyBlob(publicKey);
+  return `ssh-ed25519 ${sodium.to_base64(blob, sodium.base64_variants.ORIGINAL)} ${comment}`;
+}
+function buildOpenSSHEd25519PrivateKey(publicKey, seed, comment) {
+  if (publicKey.length !== 32) throw new Error("Invalid public key length");
+  if (seed.length !== 32) throw new Error("Invalid seed length");
+  const privateKey64 = concatBytes(seed, publicKey);
+  const publicBlob = buildEd25519PublicKeyBlob(publicKey);
+  const checkint = crypto.getRandomValues(new Uint32Array(1))[0];
+  const commentBytes = text(comment);
+  const privateSectionWithoutPadding = concatBytes(
+    u32(checkint),
+    u32(checkint),
+    sshString(text("ssh-ed25519")),
+    sshString(publicKey),
+    sshString(privateKey64),
+    sshString(commentBytes)
+  );
+  const blockSize = 8;
+  const remainder = privateSectionWithoutPadding.length % blockSize;
+  const padLen = remainder === 0 ? 0 : blockSize - remainder;
+  const padding = new Uint8Array(padLen);
+  for (let i = 0; i < padLen; i++) padding[i] = i + 1;
+  const privateSection = concatBytes(privateSectionWithoutPadding, padding);
+  const opensshKey = concatBytes(
+    text("openssh-key-v1\0"),
+    sshString(text("none")),
+    sshString(text("none")),
+    sshString(new Uint8Array()),
+    u32(1),
+    sshString(publicBlob),
+    sshString(privateSection)
+  );
+  return wrapPem("OPENSSH PRIVATE KEY", opensshKey);
+}
+async function generateEd25519SSHKeyPair(comment = "user@browser") {
+  await sodium.ready;
+  const seed = new Uint8Array(32);
+  crypto.getRandomValues(seed);
+  const kp = sodium.crypto_sign_seed_keypair(seed);
+  const publicKey = new Uint8Array(kp.publicKey);
+  const publicKeyOpenSSH = publicLineFromPublicKey(publicKey, comment);
+  const privateKeyOpenSSH = buildOpenSSHEd25519PrivateKey(
+    publicKey,
+    seed,
+    comment
+  );
+  return {
+    publicKey: publicKeyOpenSSH,
+    privateKey: privateKeyOpenSSH,
+    seedBase64: sodium.to_base64(seed, sodium.base64_variants.ORIGINAL)
+  };
+}
+
+async function getSshKey(sandbox) {
+  const token = await getAccessToken();
+  const { data } = await client.get(
+    "/xrpc/io.pocketenv.sandbox.getSandbox",
+    {
+      params: {
+        id: sandbox
+      },
+      headers: {
+        Authorization: `Bearer ${token}`
+      }
+    }
+  );
+  if (!data.sandbox) {
+    consola.error(`Sandbox not found: ${chalk.greenBright(sandbox)}`);
+    process.exit(1);
+  }
+  try {
+    const { data: sshKeys } = await client.get(
+      "/xrpc/io.pocketenv.sandbox.getSshKeys",
+      {
+        params: {
+          id: data.sandbox.id
+        },
+        headers: {
+          Authorization: `Bearer ${env$1.POCKETENV_TOKEN || token}`
+        }
+      }
+    );
+    consola.log("\nPrivate Key:");
+    consola.log(sshKeys.privateKey.replace(/\\n/g, "\n"));
+    consola.log("\nPublic Key:");
+    consola.log(sshKeys.publicKey, "\n");
+  } catch (error) {
+    consola.info(
+      `No SSH keys found for this sandbox.
+  Create one with ${chalk.greenBright(`pocketenv sshkeys put ${sandbox} --generate`)}.`
+    );
+  }
+}
+async function putKeys(sandbox, options) {
+  const token = await getAccessToken();
+  let privateKey;
+  let publicKey;
+  if (options.generate) {
+    const generated = await generateEd25519SSHKeyPair("");
+    privateKey = generated.privateKey;
+    publicKey = generated.publicKey;
+  }
+  if (options.privateKey && !options.generate) {
+    privateKey = await fs$1.readFile(options.privateKey, "utf8");
+  }
+  if (options.publicKey && !options.generate) {
+    publicKey = await fs$1.readFile(options.publicKey, "utf8");
+  }
+  const validatePrivateKey = (value) => {
+    const trimmed = value.trim();
+    if (!trimmed.startsWith("-----BEGIN")) {
+      return "Private key must start with a PEM header (e.g. -----BEGIN OPENSSH PRIVATE KEY-----)";
+    }
+    if (!trimmed.endsWith("-----")) {
+      return "Private key must end with a PEM footer (e.g. -----END OPENSSH PRIVATE KEY-----)";
+    }
+    return true;
+  };
+  if (!privateKey) {
+    privateKey = (await editor({
+      message: "Enter your SSH private key (opens in $EDITOR):",
+      postfix: ".pem",
+      waitForUserInput: false,
+      validate: validatePrivateKey
+    })).trim();
+  }
+  if (!publicKey) {
+    publicKey = (await input({
+      message: "Enter your SSH public key:",
+      validate: (value) => value.trim().length > 0 ? true : "Public key cannot be empty."
+    })).trim();
+  }
+  const { data } = await client.get(
+    "/xrpc/io.pocketenv.sandbox.getSandbox",
+    {
+      params: {
+        id: sandbox
+      },
+      headers: {
+        Authorization: `Bearer ${token}`
+      }
+    }
+  );
+  if (!data.sandbox) {
+    consola.error(`Sandbox not found: ${chalk.greenBright(sandbox)}`);
+    process.exit(1);
+  }
+  const encryptedPrivateKey = await encrypt(privateKey);
+  const redacted = (() => {
+    const header = "-----BEGIN OPENSSH PRIVATE KEY-----";
+    const footer = "-----END OPENSSH PRIVATE KEY-----";
+    const headerIndex = privateKey.indexOf(header);
+    const footerIndex = privateKey.indexOf(footer);
+    if (headerIndex === -1 || footerIndex === -1)
+      return privateKey.replace(/\n/g, "\\n");
+    const body = privateKey.slice(headerIndex + header.length, footerIndex);
+    const chars = body.split("");
+    const nonNewlineIndices = chars.map((c, i) => c !== "\n" ? i : -1).filter((i) => i !== -1);
+    const maskedBody = nonNewlineIndices.length > 15 ? (() => {
+      const middleIndices = nonNewlineIndices.slice(10, -5);
+      middleIndices.forEach((i) => {
+        chars[i] = "*";
+      });
+      return chars.join("");
+    })() : body;
+    return `${header}${maskedBody}${footer}`.replace(/\n/g, "\\n");
+  })();
+  await client.post(
+    "/xrpc/io.pocketenv.sandbox.putSshKeys",
+    {
+      id: data.sandbox.id,
+      privateKey: encryptedPrivateKey,
+      publicKey,
+      redacted
+    },
+    {
+      headers: {
+        Authorization: `Bearer ${env$1.POCKETENV_TOKEN || token}`
+      }
+    }
+  );
+  consola.log("\nPrivate Key:");
+  consola.log(redacted.replace(/\\n/g, "\n"));
+  consola.log("\nPublic Key:");
+  consola.log(publicKey, "\n");
+  consola.success("SSH keys saved successfully!");
+}
+
+async function putAuthKey(sandbox) {
+  const token = await getAccessToken();
+  const authKey = (await password({ message: "Enter Tailscale Auth Key" })).trim();
+  if (!authKey.startsWith("tskey-auth-")) {
+    consola.error("Invalid Tailscale Auth Key");
+    process.exit(1);
+  }
+  const { data } = await client.get(
+    "/xrpc/io.pocketenv.sandbox.getSandbox",
+    {
+      params: {
+        id: sandbox
+      },
+      headers: {
+        Authorization: `Bearer ${token}`
+      }
+    }
+  );
+  if (!data.sandbox) {
+    consola.error(`Sandbox not found: ${chalk.greenBright(sandbox)}`);
+    process.exit(1);
+  }
+  const redacted = authKey.length > 14 ? authKey.slice(0, 11) + "*".repeat(authKey.length - 14) + authKey.slice(-3) : authKey;
+  await client.post(
+    "/xrpc/io.pocketenv.sandbox.putTailscaleAuthKey",
+    {
+      id: data.sandbox.id,
+      authKey: await encrypt(authKey),
+      redacted
+    },
+    {
+      headers: {
+        Authorization: `Bearer ${env$1.POCKETENV_TOKEN || token}`
+      }
+    }
+  );
+  consola.success(redacted);
+  consola.success(
+    `Tailscale auth key saved for sandbox: ${chalk.greenBright(sandbox)}`
+  );
+}
+async function getTailscaleAuthKey(sandbox) {
+  const token = await getAccessToken();
+  const { data } = await client.get(
+    "/xrpc/io.pocketenv.sandbox.getSandbox",
+    {
+      params: {
+        id: sandbox
+      },
+      headers: {
+        Authorization: `Bearer ${token}`
+      }
+    }
+  );
+  if (!data.sandbox) {
+    consola.error(`Sandbox not found: ${chalk.greenBright(sandbox)}`);
+    process.exit(1);
+  }
+  try {
+    const { data: tailscale } = await client.get(
+      "/xrpc/io.pocketenv.sandbox.getTailscaleAuthKey",
+      {
+        params: {
+          id: data.sandbox.id
+        },
+        headers: {
+          Authorization: `Bearer ${env$1.POCKETENV_TOKEN || token}`
+        }
+      }
+    );
+    consola.info(`Tailscale auth key: ${chalk.greenBright(tailscale.authKey)}`);
+  } catch {
+    consola.error(
+      `No Tailscale Auth Key found for sandbox: ${chalk.greenBright(sandbox)}`
+    );
+    process.exit(1);
+  }
+}
+
+const program = new Command();
+program.name("pocketenv").description(
+  `
+    ___           __       __
+   / _ \\___  ____/ /_____ / /____ ___ _  __
+  / ___/ _ \\/ __/  '_/ -_) __/ -_) _ \\ |/ /
+ /_/   \\___/\\__/_/\\_\\__/\\__/\\__/_/ /_/___/
+
+ Open, interoperable sandbox platform for agents and humans \u{1F4E6} \u2728
+  `
+).version(version);
+program.configureHelp({
+  styleTitle: (str) => chalk.bold.cyan(str),
+  styleCommandText: (str) => chalk.yellow(str),
+  styleDescriptionText: (str) => chalk.white(str),
+  styleOptionText: (str) => chalk.green(str),
+  styleArgumentText: (str) => chalk.magenta(str),
+  styleSubcommandText: (str) => chalk.blue(str)
+});
+program.addHelpText(
+  "after",
+  `
+${chalk.bold("\nLearn more about Pocketenv:")}           ${chalk.magentaBright("https://docs.pocketenv.io")}
+${chalk.bold("Join our Discord community:")}           ${chalk.blueBright("https://discord.gg/9ada4pFUFS")}
+${chalk.bold("Report bugs:")}                          ${chalk.greenBright("https://github.com/pocketenv-io/pocketenv/issues")}
+`
+);
+program.command("login").argument("<handle>", "your AT Proto handle (e.g., <username>.bsky.social)").description("login with your AT Proto account and get a session token").action(login);
+program.command("whoami").description("get the current logged-in user").action(whoami);
+program.command("console").aliases(["shell", "ssh", "s"]).argument("[sandbox]", "the sandbox to connect to").description("open an interactive shell for the given sandbox").action(ssh);
+program.command("ls").description("list sandboxes").action(listSandboxes);
+program.command("start").argument("<sandbox>", "the sandbox to start").description("start the given sandbox").action(start);
+program.command("stop").argument("<sandbox>", "the sandbox to stop").description("stop the given sandbox").action(stop);
+program.command("create").aliases(["new"]).option("--provider, -p <provider>", "the provider to use for the sandbox").option("--ssh, -s", "connect to the Sandbox and automatically open a shell").argument("[name]", "the name of the sandbox to create").description("create a new sandbox").action(createSandbox);
+program.command("logout").description("logout (removes session token)").action(logout);
+program.command("rm").aliases(["delete", "remove"]).argument("<sandbox>", "the sandbox to delete").description("delete the given sandbox").action(deleteSandbox);
+const secret = program.command("secret").description("manage secrets");
+secret.command("put").argument("<sandbox>", "the sandbox to put the secret in").argument("<key>", "the key of the secret").description("put a secret in the given sandbox").action(putSecret);
+secret.command("list").aliases(["ls"]).argument("<sandbox>", "the sandbox to list secrets for").description("list secrets in the given sandbox").action(listSecrets);
+secret.command("delete").aliases(["rm", "remove"]).argument("<secret_id>", "the ID of the secret to delete").description("delete a secret").action(deleteSecret);
+const env = program.command("env").description("manage environment variables");
+env.command("put").argument("<sandbox>", "the sandbox to put the environment variable in").argument("<key>", "the key of the environment variable").argument("<value>", "the value of the environment variable").description("put an environment variable in the given sandbox").action(putEnv);
+env.command("list").aliases(["ls"]).argument("<sandbox>", "the sandbox to list environment variables for").description("list environment variables in the given sandbox").action(listEnvs);
+env.command("delete").aliases(["rm", "remove"]).argument("<variable_id>", "the ID of the environment variable to delete").description("delete an environment variable").action(deleteEnv);
+const sshkeys = program.command("sshkeys").description("manage SSH keys");
+sshkeys.command("put").argument("<sandbox>", "the sandbox to put the SSH key in").option("--private-key <path>", "the path to the SSH private key").option("--public-key <path>", "the path to the SSH public key").option("--generate, -g", "generate a new SSH key pair").description("put an SSH key in the given sandbox").action(putKeys);
+sshkeys.command("get").argument("<sandbox>", "the sandbox to get the SSH key from").description("get an SSH key (public key only) from the given sandbox").action(getSshKey);
+const tailscale = program.command("tailscale").description("manage Tailscale");
+tailscale.command("put").argument("<sandbox>", "the sandbox to put the Tailscale Auth Key in").description("put a Tailscale key in the given sandbox").action(putAuthKey);
+tailscale.command("get").argument("<sandbox>", "the sandbox to get the Tailscale key from").description("get a Tailscale key (redacted) from the given sandbox").action(getTailscaleAuthKey);
+if (process.argv.length <= 2) {
+  program.help();
+}
+program.parse(process.argv);