@shadowob/cloud 1.1.6-dev.311

package/dist/chunk-KKK5H7YX.js

@@ -0,0 +1,3622 @@
+import {
+  applyRuntimeEnvRefPolicy,
+  collectRuntimeEnvFields,
+  collectRuntimeEnvRefPolicy,
+  collectRuntimeEnvRequirements,
+  isDeploymentRuntimeContextEmpty,
+  normalizeDeploymentRuntimeContext,
+  parseJsonc,
+  runtimeStatePvcName
+} from "./chunk-SUZ2ATT6.js";
+import {
+  getPluginRegistry,
+  loadAllPlugins
+} from "./chunk-JUPAE5IA.js";
+import {
+  __export,
+  __require
+} from "./chunk-R5U7XKVJ.js";
+
+// src/interfaces/cli/serve.command.ts
+import { Command } from "commander";
+
+// src/interfaces/http/server.ts
+import { randomBytes as randomBytes3 } from "crypto";
+import { existsSync as existsSync7 } from "fs";
+import { resolve as resolve6 } from "path";
+import { fileURLToPath as fileURLToPath2 } from "url";
+import { serve } from "@hono/node-server";
+
+// src/dao/activity.dao.ts
+import { desc } from "drizzle-orm";
+
+// src/db/schema.ts
+var schema_exports = {};
+__export(schema_exports, {
+  activities: () => activities,
+  configVersions: () => configVersions,
+  configs: () => configs,
+  deploymentBackups: () => deploymentBackups,
+  deploymentLogs: () => deploymentLogs,
+  deployments: () => deployments,
+  envGroups: () => envGroups,
+  envVars: () => envVars,
+  secrets: () => secrets
+});
+import { sql } from "drizzle-orm";
+import { integer, sqliteTable, text } from "drizzle-orm/sqlite-core";
+var secrets = sqliteTable("secrets", {
+  id: integer("id").primaryKey({ autoIncrement: true }),
+  providerId: text("provider_id").notNull(),
+  key: text("key").notNull(),
+  encryptedValue: text("encrypted_value").notNull(),
+  iv: text("iv").notNull(),
+  groupName: text("group_name").notNull().default("default"),
+  createdAt: text("created_at").default(sql`(datetime('now'))`),
+  updatedAt: text("updated_at").default(sql`(datetime('now'))`)
+});
+var configs = sqliteTable("configs", {
+  id: integer("id").primaryKey({ autoIncrement: true }),
+  name: text("name").notNull().unique(),
+  content: text("content", { mode: "json" }).notNull(),
+  templateSlug: text("template_slug"),
+  version: integer("version").notNull().default(1),
+  createdAt: text("created_at").default(sql`(datetime('now'))`),
+  updatedAt: text("updated_at").default(sql`(datetime('now'))`)
+});
+var deployments = sqliteTable("deployments", {
+  id: integer("id").primaryKey({ autoIncrement: true }),
+  namespace: text("namespace").notNull(),
+  templateSlug: text("template_slug"),
+  version: integer("version"),
+  status: text("status").notNull().default("pending"),
+  config: text("config", { mode: "json" }),
+  agentCount: integer("agent_count"),
+  error: text("error"),
+  createdAt: text("created_at").default(sql`(datetime('now'))`),
+  updatedAt: text("updated_at").default(sql`(datetime('now'))`)
+});
+var deploymentLogs = sqliteTable("deployment_logs", {
+  id: integer("id").primaryKey({ autoIncrement: true }),
+  deploymentId: integer("deployment_id").notNull().references(() => deployments.id, { onDelete: "cascade" }),
+  event: text("event").notNull().default("log"),
+  message: text("message").notNull(),
+  createdAt: text("created_at").default(sql`(datetime('now'))`)
+});
+var deploymentBackups = sqliteTable("deployment_backups", {
+  id: integer("id").primaryKey({ autoIncrement: true }),
+  deploymentId: integer("deployment_id").references(() => deployments.id, { onDelete: "cascade" }),
+  namespace: text("namespace").notNull(),
+  agentId: text("agent_id").notNull(),
+  sandboxName: text("sandbox_name"),
+  pvcName: text("pvc_name").notNull(),
+  driver: text("driver").notNull(),
+  snapshotName: text("snapshot_name"),
+  objectKey: text("object_key"),
+  status: text("status").notNull().default("pending"),
+  error: text("error"),
+  expiresAt: text("expires_at"),
+  createdAt: text("created_at").default(sql`(datetime('now'))`),
+  updatedAt: text("updated_at").default(sql`(datetime('now'))`)
+});
+var activities = sqliteTable("activities", {
+  id: integer("id").primaryKey({ autoIncrement: true }),
+  type: text("type").notNull(),
+  title: text("title").notNull(),
+  detail: text("detail"),
+  namespace: text("namespace"),
+  template: text("template"),
+  createdAt: text("created_at").default(sql`(datetime('now'))`)
+});
+var envVars = sqliteTable("env_vars", {
+  id: integer("id").primaryKey({ autoIncrement: true }),
+  scope: text("scope").notNull().default("global"),
+  key: text("key").notNull(),
+  encryptedValue: text("encrypted_value").notNull(),
+  iv: text("iv").notNull(),
+  isSecret: integer("is_secret", { mode: "boolean" }).default(true),
+  groupName: text("group_name").notNull().default("default"),
+  createdAt: text("created_at").default(sql`(datetime('now'))`),
+  updatedAt: text("updated_at").default(sql`(datetime('now'))`)
+});
+var envGroups = sqliteTable("env_groups", {
+  id: integer("id").primaryKey({ autoIncrement: true }),
+  name: text("name").notNull().unique(),
+  createdAt: text("created_at").default(sql`(datetime('now'))`),
+  updatedAt: text("updated_at").default(sql`(datetime('now'))`)
+});
+var configVersions = sqliteTable("config_versions", {
+  id: integer("id").primaryKey({ autoIncrement: true }),
+  configName: text("config_name").notNull(),
+  version: integer("version").notNull(),
+  content: text("content", { mode: "json" }).notNull(),
+  message: text("message"),
+  createdAt: text("created_at").default(sql`(datetime('now'))`)
+});
+
+// src/dao/activity.dao.ts
+var ActivityDao = class {
+  constructor(db) {
+    this.db = db;
+  }
+  findAll(limit = 500) {
+    return this.db.select().from(activities).orderBy(desc(activities.createdAt)).limit(limit).all();
+  }
+  create(data) {
+    return this.db.insert(activities).values(data).returning().get();
+  }
+  clear() {
+    this.db.delete(activities).run();
+  }
+};
+
+// src/dao/config.dao.ts
+import { desc as desc2, eq } from "drizzle-orm";
+var ConfigDao = class {
+  constructor(db) {
+    this.db = db;
+  }
+  findByName(name) {
+    return this.db.select().from(configs).where(eq(configs.name, name)).get();
+  }
+  findAll() {
+    return this.db.select().from(configs).all();
+  }
+  upsert(name, content, templateSlug) {
+    const existing = this.findByName(name);
+    if (existing) {
+      this.db.insert(configVersions).values({
+        configName: name,
+        version: existing.version ?? 1,
+        content: existing.content
+      }).run();
+      const newVersion = (existing.version ?? 1) + 1;
+      return this.db.update(configs).set({
+        content,
+        templateSlug,
+        version: newVersion,
+        updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+      }).where(eq(configs.name, name)).returning().get();
+    }
+    return this.db.insert(configs).values({ name, content, templateSlug, version: 1 }).returning().get();
+  }
+  getVersionHistory(name) {
+    return this.db.select().from(configVersions).where(eq(configVersions.configName, name)).orderBy(desc2(configVersions.version)).all();
+  }
+  getVersion(name, version) {
+    return this.db.select().from(configVersions).where(eq(configVersions.configName, name)).all().find((v) => v.version === version);
+  }
+  delete(name) {
+    this.db.delete(configs).where(eq(configs.name, name)).run();
+    this.db.delete(configVersions).where(eq(configVersions.configName, name)).run();
+  }
+};
+
+// src/dao/deployment.dao.ts
+import { desc as desc3, eq as eq2 } from "drizzle-orm";
+var DeploymentDao = class {
+  constructor(db) {
+    this.db = db;
+  }
+  findAll() {
+    return this.db.select().from(deployments).orderBy(desc3(deployments.createdAt)).all();
+  }
+  findById(id) {
+    return this.db.select().from(deployments).where(eq2(deployments.id, id)).get();
+  }
+  findByNamespace(namespace) {
+    return this.db.select().from(deployments).where(eq2(deployments.namespace, namespace)).orderBy(desc3(deployments.createdAt)).all();
+  }
+  create(data) {
+    return this.db.insert(deployments).values(data).returning().get();
+  }
+  update(id, data) {
+    return this.db.update(deployments).set({ ...data, updatedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq2(deployments.id, id)).returning().get();
+  }
+  updateStatus(id, status, error) {
+    return this.update(id, { status, error });
+  }
+  delete(id) {
+    this.db.delete(deployments).where(eq2(deployments.id, id)).run();
+  }
+};
+
+// src/dao/deployment-backup.dao.ts
+import { and, desc as desc4, eq as eq3 } from "drizzle-orm";
+var DeploymentBackupDao = class {
+  constructor(db) {
+    this.db = db;
+  }
+  findByAgent(namespace, agentId) {
+    return this.db.select().from(deploymentBackups).where(
+      and(eq3(deploymentBackups.namespace, namespace), eq3(deploymentBackups.agentId, agentId))
+    ).orderBy(desc4(deploymentBackups.createdAt)).all();
+  }
+  create(data) {
+    return this.db.insert(deploymentBackups).values(data).returning().get();
+  }
+  update(id, data) {
+    return this.db.update(deploymentBackups).set({ ...data, updatedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq3(deploymentBackups.id, id)).returning().get();
+  }
+};
+
+// src/dao/deployment-log.dao.ts
+import { asc, eq as eq4 } from "drizzle-orm";
+var DeploymentLogDao = class {
+  constructor(db) {
+    this.db = db;
+  }
+  findByDeploymentId(deploymentId) {
+    return this.db.select().from(deploymentLogs).where(eq4(deploymentLogs.deploymentId, deploymentId)).orderBy(asc(deploymentLogs.id)).all();
+  }
+  findByDeploymentIdSince(deploymentId, lastId) {
+    return this.findByDeploymentId(deploymentId).filter((log) => log.id > lastId);
+  }
+  create(data) {
+    return this.db.insert(deploymentLogs).values(data).returning().get();
+  }
+};
+
+// src/dao/env-group.dao.ts
+import { asc as asc2, eq as eq5 } from "drizzle-orm";
+var EnvGroupDao = class {
+  constructor(db) {
+    this.db = db;
+  }
+  findAll() {
+    const rows = this.db.select().from(envGroups).orderBy(asc2(envGroups.name)).all();
+    return rows.map((row) => row.name).sort((a, b) => a === "default" ? -1 : b === "default" ? 1 : a.localeCompare(b));
+  }
+  ensure(name) {
+    const normalized = name.trim() || "default";
+    this.db.insert(envGroups).values({ name: normalized }).onConflictDoNothing().run();
+  }
+  create(name) {
+    this.ensure(name);
+  }
+  delete(name) {
+    if (name === "default") return;
+    this.db.delete(envGroups).where(eq5(envGroups.name, name)).run();
+  }
+};
+
+// src/dao/envvar.dao.ts
+import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from "crypto";
+import { and as and2, eq as eq6 } from "drizzle-orm";
+
+// src/utils/env-names.ts
+function normalizeToken(value) {
+  return value.trim().toUpperCase().replace(/-/g, "_");
+}
+function normalizeGroupName(value) {
+  const normalized = value?.trim();
+  return normalized ? normalized : "default";
+}
+function toProviderSecretEnvKey(providerId, key) {
+  const providerToken = normalizeToken(providerId);
+  const keyToken = normalizeToken(key);
+  if (keyToken === "APIKEY" || keyToken === "API_KEY") {
+    return `${providerToken}_API_KEY`;
+  }
+  return `${providerToken}_${keyToken}`;
+}
+function withLegacyEnvAliases(key, value) {
+  const envs = { [key]: value };
+  if (key.endsWith("_API_KEY")) {
+    envs[key.replace(/_API_KEY$/, "_APIKEY")] = value;
+  }
+  return envs;
+}
+
+// src/dao/envvar.dao.ts
+var ALGORITHM = "aes-256-gcm";
+var KEY_LENGTH = 32;
+var IV_LENGTH = 16;
+var AUTH_TAG_LENGTH = 16;
+function deriveKey(passphrase, salt) {
+  return scryptSync(passphrase, salt, KEY_LENGTH);
+}
+var EnvVarDao = class {
+  constructor(db, passphrase) {
+    this.db = db;
+    const configuredPassphrase = passphrase ?? process.env.SHADOWOB_PASSPHRASE;
+    if (configuredPassphrase) {
+      this.passphrase = configuredPassphrase;
+      return;
+    }
+    if (process.env.NODE_ENV === "production") {
+      throw new Error("SHADOWOB_PASSPHRASE is required in production");
+    }
+    console.warn("[cloud] SHADOWOB_PASSPHRASE is not set; using insecure development fallback");
+    this.passphrase = "shadowob-cloud-default";
+  }
+  passphrase;
+  encrypt(plaintext) {
+    const salt = randomBytes(16);
+    const key = deriveKey(this.passphrase, salt);
+    const iv = randomBytes(IV_LENGTH);
+    const cipher = createCipheriv(ALGORITHM, key, iv);
+    let encrypted = cipher.update(plaintext, "utf-8", "hex");
+    encrypted += cipher.final("hex");
+    const authTag = cipher.getAuthTag();
+    return {
+      encrypted: salt.toString("hex") + authTag.toString("hex") + encrypted,
+      iv: iv.toString("hex")
+    };
+  }
+  decrypt(encryptedHex, ivHex) {
+    const salt = Buffer.from(encryptedHex.slice(0, 32), "hex");
+    const authTag = Buffer.from(encryptedHex.slice(32, 32 + AUTH_TAG_LENGTH * 2), "hex");
+    const ciphertext = encryptedHex.slice(32 + AUTH_TAG_LENGTH * 2);
+    const key = deriveKey(this.passphrase, salt);
+    const iv = Buffer.from(ivHex, "hex");
+    const decipher = createDecipheriv(ALGORITHM, key, iv);
+    decipher.setAuthTag(authTag);
+    let decrypted = decipher.update(ciphertext, "hex", "utf-8");
+    decrypted += decipher.final("utf-8");
+    return decrypted;
+  }
+  findByScope(scope) {
+    const rows = this.db.select().from(envVars).where(eq6(envVars.scope, scope)).all();
+    return rows.map((r) => ({
+      key: r.key,
+      value: this.decrypt(r.encryptedValue, r.iv),
+      isSecret: r.isSecret ?? true
+    }));
+  }
+  findOne(scope, key) {
+    const row = this.db.select().from(envVars).where(and2(eq6(envVars.scope, scope), eq6(envVars.key, key))).get();
+    if (!row) {
+      return null;
+    }
+    return {
+      scope: row.scope,
+      key: row.key,
+      value: this.decrypt(row.encryptedValue, row.iv),
+      isSecret: row.isSecret ?? true,
+      groupName: normalizeGroupName(row.groupName)
+    };
+  }
+  findAllMasked() {
+    const rows = this.db.select().from(envVars).all();
+    return rows.map((r) => {
+      const val = this.decrypt(r.encryptedValue, r.iv);
+      return {
+        scope: r.scope,
+        key: r.key,
+        maskedValue: r.isSecret ? val.length > 8 ? `${val.slice(0, 4)}${"\u2022".repeat(Math.min(val.length - 8, 20))}${val.slice(-4)}` : "\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022" : val,
+        isSecret: r.isSecret ?? true,
+        groupName: normalizeGroupName(r.groupName)
+      };
+    });
+  }
+  findMaskedByScope(scope) {
+    return this.findAllMasked().filter((entry) => entry.scope === scope);
+  }
+  findAllMaskedByScopes(scopes) {
+    const scopedEntries = this.findAllMasked().filter((entry) => scopes.includes(entry.scope));
+    const merged = /* @__PURE__ */ new Map();
+    for (const scope of scopes) {
+      for (const entry of scopedEntries.filter((item) => item.scope === scope)) {
+        merged.set(entry.key, entry);
+      }
+    }
+    return [...merged.values()].sort((left, right) => left.key.localeCompare(right.key));
+  }
+  upsert(scope, key, value, isSecret = true, groupName = "default") {
+    const existing = this.db.select().from(envVars).where(and2(eq6(envVars.scope, scope), eq6(envVars.key, key))).get();
+    const { encrypted, iv } = this.encrypt(value);
+    if (existing) {
+      return this.db.update(envVars).set({
+        encryptedValue: encrypted,
+        iv,
+        isSecret,
+        groupName: normalizeGroupName(groupName),
+        updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+      }).where(eq6(envVars.id, existing.id)).returning().get();
+    }
+    return this.db.insert(envVars).values({
+      scope,
+      key,
+      encryptedValue: encrypted,
+      iv,
+      isSecret,
+      groupName: normalizeGroupName(groupName)
+    }).returning().get();
+  }
+  delete(scope, key) {
+    this.db.delete(envVars).where(and2(eq6(envVars.scope, scope), eq6(envVars.key, key))).run();
+  }
+  getValue(scope, key) {
+    const row = this.db.select().from(envVars).where(and2(eq6(envVars.scope, scope), eq6(envVars.key, key))).get();
+    if (!row) return null;
+    return this.decrypt(row.encryptedValue, row.iv);
+  }
+  /** Return all env vars (decrypted) as a flat key→value map for deploy resolution. */
+  findAllDecrypted() {
+    const rows = this.db.select().from(envVars).all();
+    const result = {};
+    for (const r of rows) {
+      Object.assign(result, withLegacyEnvAliases(r.key, this.decrypt(r.encryptedValue, r.iv)));
+    }
+    return result;
+  }
+  findAllDecryptedByScopes(scopes) {
+    const rows = this.db.select().from(envVars).all();
+    const result = {};
+    for (const scope of scopes) {
+      for (const row of rows.filter((entry) => entry.scope === scope)) {
+        Object.assign(
+          result,
+          withLegacyEnvAliases(row.key, this.decrypt(row.encryptedValue, row.iv))
+        );
+      }
+    }
+    return result;
+  }
+};
+
+// src/dao/secret.dao.ts
+import { createCipheriv as createCipheriv2, createDecipheriv as createDecipheriv2, randomBytes as randomBytes2, scryptSync as scryptSync2 } from "crypto";
+import { and as and3, eq as eq7 } from "drizzle-orm";
+var ALGORITHM2 = "aes-256-gcm";
+var KEY_LENGTH2 = 32;
+var IV_LENGTH2 = 16;
+var AUTH_TAG_LENGTH2 = 16;
+function deriveKey2(passphrase, salt) {
+  return scryptSync2(passphrase, salt, KEY_LENGTH2);
+}
+var SecretDao = class {
+  constructor(db, passphrase) {
+    this.db = db;
+    const configuredPassphrase = passphrase ?? process.env.SHADOWOB_PASSPHRASE;
+    if (configuredPassphrase) {
+      this.passphrase = configuredPassphrase;
+      return;
+    }
+    if (process.env.NODE_ENV === "production") {
+      throw new Error("SHADOWOB_PASSPHRASE is required in production");
+    }
+    console.warn("[cloud] SHADOWOB_PASSPHRASE is not set; using insecure development fallback");
+    this.passphrase = "shadowob-cloud-default";
+  }
+  passphrase;
+  encrypt(plaintext) {
+    const salt = randomBytes2(16);
+    const key = deriveKey2(this.passphrase, salt);
+    const iv = randomBytes2(IV_LENGTH2);
+    const cipher = createCipheriv2(ALGORITHM2, key, iv);
+    let encrypted = cipher.update(plaintext, "utf-8", "hex");
+    encrypted += cipher.final("hex");
+    const authTag = cipher.getAuthTag();
+    return {
+      encrypted: salt.toString("hex") + authTag.toString("hex") + encrypted,
+      iv: iv.toString("hex")
+    };
+  }
+  decrypt(encryptedHex, ivHex) {
+    const salt = Buffer.from(encryptedHex.slice(0, 32), "hex");
+    const authTag = Buffer.from(encryptedHex.slice(32, 32 + AUTH_TAG_LENGTH2 * 2), "hex");
+    const ciphertext = encryptedHex.slice(32 + AUTH_TAG_LENGTH2 * 2);
+    const key = deriveKey2(this.passphrase, salt);
+    const iv = Buffer.from(ivHex, "hex");
+    const decipher = createDecipheriv2(ALGORITHM2, key, iv);
+    decipher.setAuthTag(authTag);
+    let decrypted = decipher.update(ciphertext, "hex", "utf-8");
+    decrypted += decipher.final("utf-8");
+    return decrypted;
+  }
+  findByProvider(providerId) {
+    const rows = this.db.select().from(secrets).where(eq7(secrets.providerId, providerId)).all();
+    return rows.map((r) => ({
+      key: r.key,
+      value: this.decrypt(r.encryptedValue, r.iv)
+    }));
+  }
+  findAll() {
+    const rows = this.db.select().from(secrets).all();
+    return rows.map((r) => {
+      const val = this.decrypt(r.encryptedValue, r.iv);
+      return {
+        providerId: r.providerId,
+        key: r.key,
+        maskedValue: val.length > 8 ? `${val.slice(0, 4)}${"\u2022".repeat(val.length - 8)}${val.slice(-4)}` : "\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022",
+        groupName: normalizeGroupName(r.groupName)
+      };
+    });
+  }
+  findAllDecryptedEntries() {
+    const rows = this.db.select().from(secrets).all();
+    return rows.map((row) => ({
+      providerId: row.providerId,
+      key: row.key,
+      value: this.decrypt(row.encryptedValue, row.iv),
+      groupName: normalizeGroupName(row.groupName)
+    }));
+  }
+  findByGroup(groupName) {
+    const rows = this.db.select().from(secrets).where(eq7(secrets.groupName, groupName)).all();
+    return rows.map((r) => {
+      const val = this.decrypt(r.encryptedValue, r.iv);
+      return {
+        providerId: r.providerId,
+        key: r.key,
+        maskedValue: val.length > 8 ? `${val.slice(0, 4)}${"\u2022".repeat(val.length - 8)}${val.slice(-4)}` : "\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022"
+      };
+    });
+  }
+  upsert(providerId, key, value, groupName = "default") {
+    const existing = this.db.select().from(secrets).where(and3(eq7(secrets.providerId, providerId), eq7(secrets.key, key))).get();
+    const { encrypted, iv } = this.encrypt(value);
+    if (existing) {
+      return this.db.update(secrets).set({
+        encryptedValue: encrypted,
+        iv,
+        groupName: normalizeGroupName(groupName),
+        updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+      }).where(eq7(secrets.id, existing.id)).returning().get();
+    }
+    return this.db.insert(secrets).values({
+      providerId,
+      key,
+      encryptedValue: encrypted,
+      iv,
+      groupName: normalizeGroupName(groupName)
+    }).returning().get();
+  }
+  delete(providerId, key) {
+    this.db.delete(secrets).where(and3(eq7(secrets.providerId, providerId), eq7(secrets.key, key))).run();
+  }
+  deleteProvider(providerId) {
+    this.db.delete(secrets).where(eq7(secrets.providerId, providerId)).run();
+  }
+  deleteAll() {
+    this.db.delete(secrets).run();
+  }
+  /** Get decrypted value for a provider key — used internally by deploy flow. */
+  getValue(providerId, key) {
+    const row = this.db.select().from(secrets).where(and3(eq7(secrets.providerId, providerId), eq7(secrets.key, key))).get();
+    if (!row) return null;
+    return this.decrypt(row.encryptedValue, row.iv);
+  }
+  /** Return all secrets (decrypted) mapped to env var names for deploy resolution. */
+  findAllDecrypted() {
+    const result = {};
+    for (const entry of this.findAllDecryptedEntries()) {
+      Object.assign(
+        result,
+        withLegacyEnvAliases(toProviderSecretEnvKey(entry.providerId, entry.key), entry.value)
+      );
+    }
+    return result;
+  }
+};
+
+// src/db/index.ts
+import { mkdirSync } from "fs";
+import { homedir } from "os";
+import { join } from "path";
+import Database from "better-sqlite3";
+import { drizzle } from "drizzle-orm/better-sqlite3";
+function createDatabase(dbPath) {
+  const resolvedPath = dbPath ?? join(homedir(), ".shadowob", "cloud.db");
+  mkdirSync(join(homedir(), ".shadowob"), { recursive: true });
+  const sqlite = new Database(resolvedPath);
+  sqlite.pragma("journal_mode = WAL");
+  sqlite.pragma("foreign_keys = ON");
+  return drizzle(sqlite, { schema: schema_exports });
+}
+
+// src/db/migrate.ts
+function runMigrations(db) {
+  db.run(
+    /*sql*/
+    `
+    CREATE TABLE IF NOT EXISTS templates (
+      id INTEGER PRIMARY KEY AUTOINCREMENT,
+      slug TEXT NOT NULL UNIQUE,
+      name TEXT NOT NULL,
+      description TEXT,
+      category TEXT,
+      featured INTEGER DEFAULT 0,
+      content TEXT NOT NULL,
+      version TEXT DEFAULT '1.0.0',
+      metadata TEXT,
+      created_at TEXT DEFAULT (datetime('now')),
+      updated_at TEXT DEFAULT (datetime('now'))
+    )
+  `
+  );
+  db.run(
+    /*sql*/
+    `
+    CREATE TABLE IF NOT EXISTS secrets (
+      id INTEGER PRIMARY KEY AUTOINCREMENT,
+      provider_id TEXT NOT NULL,
+      key TEXT NOT NULL,
+      encrypted_value TEXT NOT NULL,
+      iv TEXT NOT NULL,
+      group_name TEXT NOT NULL DEFAULT 'default',
+      created_at TEXT DEFAULT (datetime('now')),
+      updated_at TEXT DEFAULT (datetime('now'))
+    )
+  `
+  );
+  db.run(
+    /*sql*/
+    `
+    CREATE TABLE IF NOT EXISTS configs (
+      id INTEGER PRIMARY KEY AUTOINCREMENT,
+      name TEXT NOT NULL UNIQUE,
+      content TEXT NOT NULL,
+      template_slug TEXT,
+      created_at TEXT DEFAULT (datetime('now')),
+      updated_at TEXT DEFAULT (datetime('now'))
+    )
+  `
+  );
+  db.run(
+    /*sql*/
+    `
+    CREATE TABLE IF NOT EXISTS deployments (
+      id INTEGER PRIMARY KEY AUTOINCREMENT,
+      namespace TEXT NOT NULL,
+      template_slug TEXT,
+      status TEXT NOT NULL DEFAULT 'pending',
+      config TEXT,
+      agent_count INTEGER,
+      error TEXT,
+      created_at TEXT DEFAULT (datetime('now')),
+      updated_at TEXT DEFAULT (datetime('now'))
+    )
+  `
+  );
+  db.run(
+    /*sql*/
+    `
+    CREATE TABLE IF NOT EXISTS deployment_logs (
+      id INTEGER PRIMARY KEY AUTOINCREMENT,
+      deployment_id INTEGER NOT NULL,
+      event TEXT NOT NULL DEFAULT 'log',
+      message TEXT NOT NULL,
+      created_at TEXT DEFAULT (datetime('now')),
+      FOREIGN KEY (deployment_id) REFERENCES deployments(id) ON DELETE CASCADE
+    )
+  `
+  );
+  db.run(
+    /*sql*/
+    `
+    CREATE TABLE IF NOT EXISTS deployment_backups (
+      id INTEGER PRIMARY KEY AUTOINCREMENT,
+      deployment_id INTEGER,
+      namespace TEXT NOT NULL,
+      agent_id TEXT NOT NULL,
+      sandbox_name TEXT,
+      pvc_name TEXT NOT NULL,
+      driver TEXT NOT NULL,
+      snapshot_name TEXT,
+      object_key TEXT,
+      status TEXT NOT NULL DEFAULT 'pending',
+      error TEXT,
+      expires_at TEXT,
+      created_at TEXT DEFAULT (datetime('now')),
+      updated_at TEXT DEFAULT (datetime('now')),
+      FOREIGN KEY (deployment_id) REFERENCES deployments(id) ON DELETE CASCADE
+    )
+  `
+  );
+  db.run(
+    /*sql*/
+    `
+    CREATE TABLE IF NOT EXISTS activities (
+      id INTEGER PRIMARY KEY AUTOINCREMENT,
+      type TEXT NOT NULL,
+      title TEXT NOT NULL,
+      detail TEXT,
+      namespace TEXT,
+      template TEXT,
+      created_at TEXT DEFAULT (datetime('now'))
+    )
+  `
+  );
+  db.run(
+    /*sql*/
+    `
+    CREATE TABLE IF NOT EXISTS env_vars (
+      id INTEGER PRIMARY KEY AUTOINCREMENT,
+      scope TEXT NOT NULL DEFAULT 'global',
+      key TEXT NOT NULL,
+      encrypted_value TEXT NOT NULL,
+      iv TEXT NOT NULL,
+      is_secret INTEGER DEFAULT 1,
+      group_name TEXT NOT NULL DEFAULT 'default',
+      created_at TEXT DEFAULT (datetime('now')),
+      updated_at TEXT DEFAULT (datetime('now'))
+    )
+  `
+  );
+  db.run(
+    /*sql*/
+    `
+    CREATE TABLE IF NOT EXISTS env_groups (
+      id INTEGER PRIMARY KEY AUTOINCREMENT,
+      name TEXT NOT NULL UNIQUE,
+      created_at TEXT DEFAULT (datetime('now')),
+      updated_at TEXT DEFAULT (datetime('now'))
+    )
+  `
+  );
+  try {
+    db.run(
+      /*sql*/
+      `ALTER TABLE secrets ADD COLUMN group_name TEXT NOT NULL DEFAULT 'default'`
+    );
+  } catch {
+  }
+  try {
+    db.run(
+      /*sql*/
+      `ALTER TABLE env_vars ADD COLUMN group_name TEXT NOT NULL DEFAULT 'default'`
+    );
+  } catch {
+  }
+  db.run(
+    /*sql*/
+    `CREATE INDEX IF NOT EXISTS idx_deployment_logs_deployment_id ON deployment_logs(deployment_id, id)`
+  );
+  db.run(
+    /*sql*/
+    `CREATE INDEX IF NOT EXISTS idx_deployment_backups_agent ON deployment_backups(namespace, agent_id, id)`
+  );
+  db.run(
+    /*sql*/
+    `INSERT OR IGNORE INTO env_groups (name) VALUES ('default')`
+  );
+  try {
+    db.run(
+      /*sql*/
+      `ALTER TABLE configs ADD COLUMN version INTEGER NOT NULL DEFAULT 1`
+    );
+  } catch {
+  }
+  try {
+    db.run(
+      /*sql*/
+      `ALTER TABLE deployments ADD COLUMN version INTEGER`
+    );
+  } catch {
+  }
+  db.run(
+    /*sql*/
+    `
+    CREATE TABLE IF NOT EXISTS config_versions (
+      id INTEGER PRIMARY KEY AUTOINCREMENT,
+      config_name TEXT NOT NULL,
+      version INTEGER NOT NULL,
+      content TEXT NOT NULL,
+      message TEXT,
+      created_at TEXT DEFAULT (datetime('now'))
+    )
+  `
+  );
+}
+
+// src/interfaces/http/app.ts
+import { existsSync as existsSync6, readFileSync as readFileSync5, statSync } from "fs";
+import { extname, join as join5, resolve as resolve5 } from "path";
+import { fileURLToPath } from "url";
+import { Hono as Hono12 } from "hono";
+import { cors } from "hono/cors";
+
+// src/interfaces/http/handlers/activity.handler.ts
+import { Hono } from "hono";
+function createActivityHandler(ctx) {
+  const app = new Hono();
+  app.get("/activity", (c) => {
+    const activities2 = ctx.activityDao.findAll();
+    return c.json({ activities: activities2 });
+  });
+  app.post("/activity", async (c) => {
+    const entry = await c.req.json();
+    ctx.activityDao.create({
+      type: entry.type ?? "unknown",
+      title: entry.title ?? "",
+      detail: entry.detail ?? void 0,
+      namespace: entry.namespace ?? void 0,
+      template: entry.template ?? void 0
+    });
+    return c.json({ success: true });
+  });
+  return app;
+}
+
+// src/interfaces/http/handlers/cluster.handler.ts
+import { createHash } from "crypto";
+import { Hono as Hono2 } from "hono";
+import { streamSSE } from "hono/streaming";
+
+// src/utils/deployment-scope.ts
+var GLOBAL_ENV_SCOPE = "global";
+var DEPLOYMENT_ENV_SCOPE_PREFIX = "deployment:";
+function normalizeNamespace(value) {
+  const normalized = value?.trim();
+  return normalized ? normalized : "shadowob-cloud";
+}
+function toDeploymentEnvScope(namespace) {
+  return `${DEPLOYMENT_ENV_SCOPE_PREFIX}${normalizeNamespace(namespace)}`;
+}
+
+// src/utils/redact.ts
+var REDACTED = "[REDACTED]";
+var KEY_PATTERNS = [
+  // Anthropic: sk-ant-api03-...
+  /\bsk-ant-[A-Za-z0-9_-]{20,}\b/g,
+  // OpenAI project key: sk-proj-...
+  /\bsk-proj-[A-Za-z0-9_-]{20,}\b/g,
+  // OpenAI legacy: sk-...
+  /\bsk-[A-Za-z0-9]{20,}\b/g,
+  // Groq: gsk_...
+  /\bgsk_[A-Za-z0-9]{20,}\b/g,
+  // xAI: xai-...
+  /\bxai-[A-Za-z0-9]{20,}\b/g,
+  // DeepSeek: sk-... (covered above)
+  // Generic key patterns
+  /\bkey-[A-Za-z0-9]{20,}\b/g,
+  // GitHub PAT
+  /\bghp_[A-Za-z0-9]{20,}\b/g,
+  // GitHub fine-grained PAT
+  /\bgithub_pat_[A-Za-z0-9_]{20,}\b/g,
+  // Bearer token in values
+  /Bearer\s+[A-Za-z0-9._-]{20,}/g
+];
+function redactSecrets(input) {
+  let result = input;
+  for (const pattern of KEY_PATTERNS) {
+    pattern.lastIndex = 0;
+    result = result.replace(pattern, REDACTED);
+  }
+  return result;
+}
+var INLINE_KEY_PREFIXES = [
+  "sk-ant-",
+  "sk-proj-",
+  "sk-",
+  "gsk_",
+  "xai-",
+  "key-",
+  "ghp_",
+  "github_pat_"
+];
+function detectInlineKey(value) {
+  if (/^\$\{(env|secret|file):/.test(value)) return null;
+  for (const prefix of INLINE_KEY_PREFIXES) {
+    if (value.startsWith(prefix) && value.length > prefix.length + 10) {
+      return prefix;
+    }
+  }
+  return null;
+}
+
+// src/interfaces/http/handlers/cluster.handler.ts
+function isRecord(value) {
+  return Boolean(value && typeof value === "object" && !Array.isArray(value));
+}
+function stableJsonStringify(value) {
+  if (Array.isArray(value)) {
+    return `[${value.map((item) => stableJsonStringify(item)).join(",")}]`;
+  }
+  if (isRecord(value)) {
+    return `{${Object.keys(value).sort().map((key) => `${JSON.stringify(key)}:${stableJsonStringify(value[key])}`).join(",")}}`;
+  }
+  return JSON.stringify(value);
+}
+function shortHash(value) {
+  return createHash("sha256").update(stableJsonStringify(value)).digest("hex").slice(0, 16);
+}
+function readNonEmptyString(record, key) {
+  const value = record?.[key];
+  return typeof value === "string" && value.trim() ? value.trim() : null;
+}
+function inferTemplateSlugFromConfig(config) {
+  if (!isRecord(config)) return null;
+  const metadata = isRecord(config.metadata) ? config.metadata : null;
+  return readNonEmptyString(config, "templateSlug") ?? readNonEmptyString(config, "template") ?? readNonEmptyString(metadata, "templateSlug") ?? readNonEmptyString(metadata, "template") ?? readNonEmptyString(metadata, "sourceTemplateSlug") ?? readNonEmptyString(config, "name");
+}
+function uniqueNonEmptyStrings(values) {
+  const result = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const value of values) {
+    const normalized = value?.trim();
+    if (!normalized || seen.has(normalized)) continue;
+    seen.add(normalized);
+    result.push(normalized);
+  }
+  return result;
+}
+function localTemplateSlugCandidates(options) {
+  return uniqueNonEmptyStrings([
+    options.templateSlug,
+    inferTemplateSlugFromConfig(options.config),
+    options.namespace
+  ]);
+}
+async function resolveLocalTemplateView(ctx, slug) {
+  if (!slug) return null;
+  const localConfig = ctx.configDao.findByName(`tpl:${slug}`);
+  if (localConfig) {
+    return {
+      id: slug,
+      slug,
+      name: slug,
+      description: null,
+      source: localConfig.templateSlug?.startsWith("git:") ? "git" : "local",
+      reviewStatus: "draft",
+      updatedAt: localConfig.updatedAt ?? localConfig.createdAt ?? null,
+      ownedByUser: true,
+      editable: true,
+      contentHash: shortHash(localConfig.content)
+    };
+  }
+  const catalogContent = await ctx.container.template.getTemplate(slug).catch(() => null);
+  if (!catalogContent) return null;
+  const meta = (await ctx.container.template.discover().catch(() => [])).find(
+    (item) => item.name === slug
+  );
+  return {
+    id: slug,
+    slug,
+    name: meta?.title ?? slug,
+    description: meta?.description ?? null,
+    source: "catalog",
+    reviewStatus: "approved",
+    updatedAt: null,
+    ownedByUser: false,
+    editable: false,
+    contentHash: shortHash(catalogContent)
+  };
+}
+function parseTimestamp(value) {
+  const parsed = Date.parse(value);
+  return Number.isNaN(parsed) ? 0 : parsed;
+}
+function clamp(value, min, max) {
+  return Math.min(max, Math.max(min, value));
+}
+function createClusterHandler(ctx) {
+  const app = new Hono2();
+  function resolveNamespaces() {
+    let discovered = [];
+    try {
+      discovered = ctx.container.k8s.getManagedNamespaces();
+    } catch {
+    }
+    const dbNamespaces = ctx.deploymentDao.findAll().map((deployment) => deployment.namespace).filter(Boolean);
+    const all = /* @__PURE__ */ new Set([...ctx.namespaces, ...discovered, ...dbNamespaces]);
+    const namespaces = [...all].sort();
+    const discoveredNamespaces = discovered.filter(
+      (namespace) => !ctx.namespaces.includes(namespace)
+    );
+    return { namespaces, discoveredNamespaces };
+  }
+  function resolvePods(namespace, agentId) {
+    const allPods = ctx.container.k8s.getPods(namespace);
+    return allPods.filter((pod) => agentId ? pod.name.includes(agentId) : true).sort((left, right) => {
+      if (left.status === "Running" && right.status !== "Running") return -1;
+      if (right.status === "Running" && left.status !== "Running") return 1;
+      return parseTimestamp(right.age) - parseTimestamp(left.age);
+    });
+  }
+  function resolvePrimaryPod(namespace, agentId) {
+    return resolvePods(namespace, agentId)[0] ?? null;
+  }
+  function resolveDeploymentState(namespace, agentId) {
+    return ctx.container.k8s.getDeployments(namespace).find((deployment) => deployment.name === agentId || deployment.sandboxName === agentId);
+  }
+  function newestDeploymentId(namespace) {
+    return ctx.deploymentDao.findByNamespace(namespace)[0]?.id;
+  }
+  app.get("/namespaces", (c) => {
+    const { namespaces, discoveredNamespaces } = resolveNamespaces();
+    return c.json({
+      configured: ctx.namespaces,
+      discovered: discoveredNamespaces,
+      all: namespaces
+    });
+  });
+  app.get("/deployments", (c) => {
+    const { namespaces } = resolveNamespaces();
+    const result = [];
+    for (const namespace of namespaces) {
+      try {
+        const deployments2 = ctx.container.k8s.getDeployments(namespace);
+        for (const deployment of deployments2) {
+          result.push({ ...deployment, namespace });
+        }
+      } catch {
+      }
+    }
+    return c.json(result);
+  });
+  app.get("/deployments/costs", (c) => {
+    const { namespaces } = resolveNamespaces();
+    return c.json(ctx.container.usageCost.collectOverview(namespaces));
+  });
+  app.get("/deployments/:ns/costs", (c) => {
+    const namespace = c.req.param("ns");
+    return c.json(ctx.container.usageCost.collectNamespace(namespace));
+  });
+  app.get("/deployments/:ns/manifest", async (c) => {
+    const namespace = c.req.param("ns");
+    const task = ctx.deploymentDao.findByNamespace(namespace)[0];
+    if (!task) {
+      return c.json({
+        deploymentId: null,
+        namespace,
+        name: namespace,
+        templateSlug: null,
+        template: null,
+        manifest: null,
+        drift: {
+          status: "unlinked",
+          templateAvailable: false,
+          templateChanged: false,
+          deployedTemplateHash: null,
+          currentTemplateHash: null,
+          configHash: null
+        },
+        configSnapshot: null
+      });
+    }
+    const redactedConfig = task.config ? JSON.parse(redactSecrets(JSON.stringify(task.config))) : null;
+    let linkedTemplateSlug = localTemplateSlugCandidates({
+      namespace,
+      templateSlug: task.templateSlug,
+      config: task.config
+    })[0] ?? null;
+    let template = null;
+    for (const candidate of localTemplateSlugCandidates({
+      namespace,
+      templateSlug: task.templateSlug,
+      config: task.config
+    })) {
+      const found = await resolveLocalTemplateView(ctx, candidate);
+      if (found) {
+        linkedTemplateSlug = candidate;
+        template = found;
+        break;
+      }
+    }
+    const configHash = task.config ? shortHash(task.config) : null;
+    const templateContentHash = template?.contentHash ?? null;
+    return c.json({
+      deploymentId: task.id,
+      namespace,
+      name: namespace,
+      templateSlug: linkedTemplateSlug,
+      template,
+      manifest: {
+        schemaVersion: 1,
+        revision: task.version ?? 1,
+        manifestId: `local-${task.id}`,
+        source: "snapshot-redeploy",
+        generatedAt: task.updatedAt ?? task.createdAt ?? null,
+        configHash,
+        manifestHash: configHash,
+        templateSlug: linkedTemplateSlug,
+        templateId: linkedTemplateSlug,
+        templateName: template?.name ?? linkedTemplateSlug,
+        templateSource: template?.source ?? null,
+        templateReviewStatus: template?.reviewStatus ?? null,
+        templateUpdatedAt: task.updatedAt ?? task.createdAt ?? null,
+        templateContentHash
+      },
+      drift: {
+        status: linkedTemplateSlug ? template ? "unknown" : "missing-template" : "unlinked",
+        templateAvailable: Boolean(template),
+        templateChanged: false,
+        deployedTemplateHash: templateContentHash,
+        currentTemplateHash: templateContentHash,
+        configHash
+      },
+      configSnapshot: redactedConfig
+    });
+  });
+  app.post("/deployments/:ns/template", async (c) => {
+    const namespace = c.req.param("ns");
+    const task = ctx.deploymentDao.findByNamespace(namespace)[0];
+    if (!task?.config) return c.json({ error: "No config stored for this namespace" }, 404);
+    const body = await c.req.json().catch(() => ({}));
+    const linkedTemplateSlug = localTemplateSlugCandidates({
+      namespace,
+      templateSlug: task.templateSlug,
+      config: task.config
+    })[0] ?? null;
+    const name = body.name?.trim() || linkedTemplateSlug || namespace;
+    ctx.configDao.upsert(
+      `tpl:${name}`,
+      body.content ?? task.config,
+      linkedTemplateSlug ?? void 0
+    );
+    if (task.templateSlug !== name) {
+      ctx.deploymentDao.update(task.id, { templateSlug: name });
+    }
+    return c.json({
+      ok: true,
+      action: linkedTemplateSlug ? "updated" : "forked",
+      template: {
+        id: name,
+        slug: name,
+        name,
+        source: "local",
+        reviewStatus: "draft",
+        updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+      },
+      manifest: {
+        deploymentId: task.id,
+        namespace,
+        templateSlug: name
+      }
+    });
+  });
+  app.get("/deployments/:ns/env", (c) => {
+    const namespace = c.req.param("ns");
+    const scope = toDeploymentEnvScope(namespace);
+    const mode = c.req.query("mode") === "scoped" ? "scoped" : "effective";
+    const envVars2 = mode === "scoped" ? ctx.envVarDao.findMaskedByScope(scope) : ctx.envVarDao.findAllMaskedByScopes([GLOBAL_ENV_SCOPE, scope]);
+    return c.json({ namespace, scope, mode, envVars: envVars2 });
+  });
+  app.get("/deployments/:ns/env/:key", (c) => {
+    const namespace = c.req.param("ns");
+    const key = c.req.param("key");
+    const scope = toDeploymentEnvScope(namespace);
+    const envVar = ctx.envVarDao.findOne(scope, key);
+    if (!envVar) return c.json({ error: "Environment value not found" }, 404);
+    return c.json({ envVar });
+  });
+  app.put("/deployments/:ns/env", async (c) => {
+    const namespace = c.req.param("ns");
+    const scope = toDeploymentEnvScope(namespace);
+    try {
+      const body = await c.req.json();
+      if (!body.key || body.value === void 0) {
+        return c.json({ error: "key and value are required" }, 400);
+      }
+      const groupName = normalizeGroupName(body.groupName);
+      ctx.envGroupDao.ensure(groupName);
+      ctx.envVarDao.upsert(scope, body.key, body.value, body.isSecret ?? true, groupName);
+      return c.json({ ok: true, namespace, scope });
+    } catch (err) {
+      return c.json({ error: err.message }, 400);
+    }
+  });
+  app.delete("/deployments/:ns/env/:key", (c) => {
+    const namespace = c.req.param("ns");
+    const key = c.req.param("key");
+    ctx.envVarDao.delete(toDeploymentEnvScope(namespace), key);
+    return c.json({ ok: true });
+  });
+  app.get("/deployments/:ns/logs", (c) => {
+    const namespace = c.req.param("ns");
+    const agent = c.req.query("agent");
+    const page = clamp(Number.parseInt(c.req.query("page") ?? "1", 10) || 1, 1, 100);
+    const limit = clamp(Number.parseInt(c.req.query("limit") ?? "200", 10) || 200, 20, 500);
+    const pod = resolvePrimaryPod(namespace, agent);
+    if (!pod) {
+      const state = agent ? resolveDeploymentState(namespace, agent) : void 0;
+      if (state?.runtimeState === "paused") {
+        return c.json({
+          namespace,
+          agent: agent ?? state.name,
+          podName: null,
+          runtimeState: "paused",
+          lines: [],
+          page,
+          limit,
+          hasMore: false
+        });
+      }
+      return c.json({ error: "No pod found for this agent" }, 404);
+    }
+    try {
+      const requestedTail = page * limit;
+      const allLines = ctx.container.k8s.readLogs(namespace, pod.name, { tail: requestedTail, timestamps: true }).split("\n").map((line) => line.trimEnd()).filter(Boolean).map((line) => redactSecrets(line));
+      const start = Math.max(allLines.length - requestedTail, 0);
+      const end = Math.max(allLines.length - (page - 1) * limit, 0);
+      const lines = allLines.slice(start, end);
+      return c.json({
+        namespace,
+        agent: agent ?? pod.name,
+        podName: pod.name,
+        page,
+        limit,
+        lines,
+        hasMore: allLines.length >= requestedTail
+      });
+    } catch (err) {
+      return c.json({ error: err.message }, 500);
+    }
+  });
+  app.get("/deployments/:ns/:id/pods", (c) => {
+    const namespace = c.req.param("ns");
+    const agentId = c.req.param("id");
+    try {
+      return c.json(resolvePods(namespace, agentId));
+    } catch (err) {
+      return c.json({ error: String(err) }, 500);
+    }
+  });
+  app.get("/deployments/:ns/:id/logs", (c) => {
+    const namespace = c.req.param("ns");
+    const agentId = c.req.param("id");
+    const pod = resolvePrimaryPod(namespace, agentId);
+    if (!pod) {
+      const state = resolveDeploymentState(namespace, agentId);
+      if (state?.runtimeState === "paused") {
+        return c.json({ error: "Workload is paused", runtimeState: "paused" }, 409);
+      }
+      return c.json({ error: "No pod found for this agent" }, 404);
+    }
+    return streamSSE(c, async (stream) => {
+      const child = ctx.container.k8s.streamLogs(namespace, pod.name, { follow: true, tail: 200 });
+      stream.onAbort(() => {
+        child.kill();
+      });
+      let buffer = "";
+      child.stdout?.on("data", (chunk) => {
+        buffer += chunk.toString();
+        const lines = buffer.split("\n");
+        buffer = lines.pop() ?? "";
+        for (const line of lines) {
+          void stream.writeSSE({ data: JSON.stringify(redactSecrets(line)) });
+        }
+      });
+      child.stderr?.on("data", (chunk) => {
+        for (const line of chunk.toString().split("\n").filter(Boolean)) {
+          void stream.writeSSE({ data: JSON.stringify(redactSecrets(`[stderr] ${line}`)) });
+        }
+      });
+      await new Promise((resolve7) => {
+        child.on("close", () => {
+          void stream.writeSSE({ event: "close", data: "{}" });
+          resolve7();
+        });
+      });
+    });
+  });
+  app.post("/deployments/:ns/:id/scale", async (c) => {
+    const namespace = c.req.param("ns");
+    const name = c.req.param("id");
+    try {
+      const body = await c.req.json();
+      if (typeof body.replicas !== "number" || body.replicas < 0) {
+        return c.json({ error: "Invalid replicas count" }, 400);
+      }
+      ctx.container.k8s.scaleDeployment(namespace, name, body.replicas);
+      return c.json({ ok: true, name, namespace, replicas: body.replicas });
+    } catch (err) {
+      return c.json({ error: err.message }, 500);
+    }
+  });
+  app.post("/deployments/:ns/:id/pause", (c) => {
+    const namespace = c.req.param("ns");
+    const name = c.req.param("id");
+    try {
+      ctx.container.k8s.pauseAgentSandbox(namespace, name);
+      return c.json({ ok: true, name, namespace, runtimeState: "paused" });
+    } catch (err) {
+      return c.json({ error: err.message }, 500);
+    }
+  });
+  app.post("/deployments/:ns/:id/resume", (c) => {
+    const namespace = c.req.param("ns");
+    const name = c.req.param("id");
+    try {
+      ctx.container.k8s.resumeAgentSandbox(namespace, name);
+      return c.json({ ok: true, name, namespace, runtimeState: "resuming" });
+    } catch (err) {
+      return c.json({ error: err.message }, 500);
+    }
+  });
+  app.get("/deployments/:ns/:id/backups", (c) => {
+    const namespace = c.req.param("ns");
+    const name = c.req.param("id");
+    return c.json({
+      namespace,
+      agent: name,
+      backups: ctx.deploymentBackupDao.findByAgent(namespace, name)
+    });
+  });
+  app.post("/deployments/:ns/:id/backups", async (c) => {
+    const namespace = c.req.param("ns");
+    const name = c.req.param("id");
+    const state = resolveDeploymentState(namespace, name);
+    const body = await c.req.json().catch(() => ({}));
+    const driver = body.driver ?? "volumeSnapshot";
+    const stamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
+    const backup = ctx.deploymentBackupDao.create({
+      deploymentId: newestDeploymentId(namespace),
+      namespace,
+      agentId: name,
+      sandboxName: state?.sandboxName ?? name,
+      pvcName: state?.statePvc ?? runtimeStatePvcName(state?.sandboxName ?? name),
+      driver,
+      snapshotName: driver === "volumeSnapshot" ? `${name}-${stamp}` : void 0,
+      objectKey: driver === "restic" ? `${namespace}/${name}/${stamp}` : void 0,
+      status: "pending",
+      expiresAt: body.retentionDays ? new Date(Date.now() + body.retentionDays * 24 * 60 * 60 * 1e3).toISOString() : void 0
+    });
+    if (driver !== "volumeSnapshot") {
+      const failed = ctx.deploymentBackupDao.update(backup.id, {
+        status: "failed",
+        error: "restic backups require object storage repository configuration"
+      });
+      return c.json({ error: failed?.error, backup: failed ?? backup }, 501);
+    }
+    try {
+      await ctx.container.k8s.createVolumeSnapshotBackupAndWait({
+        namespace,
+        snapshotName: backup.snapshotName ?? `${name}-${stamp}`,
+        pvcName: backup.pvcName,
+        timeoutMs: 18e4
+      });
+      const updated = ctx.deploymentBackupDao.update(backup.id, { status: "succeeded" });
+      return c.json({ ok: true, backup: updated ?? backup }, 201);
+    } catch (err) {
+      const failed = ctx.deploymentBackupDao.update(backup.id, {
+        status: "failed",
+        error: err.message
+      });
+      return c.json({ error: err.message, backup: failed ?? backup }, 500);
+    }
+  });
+  app.post("/deployments/:ns/:id/restore", async (c) => {
+    const namespace = c.req.param("ns");
+    const name = c.req.param("id");
+    const body = await c.req.json().catch(() => ({}));
+    const backups = ctx.deploymentBackupDao.findByAgent(namespace, name);
+    const backup = body.backupId ? backups.find((item) => item.id === body.backupId) : backups.find((item) => item.status === "succeeded");
+    if (!backup) {
+      return c.json({ error: "No backup found for this agent" }, 404);
+    }
+    if (backup.status !== "succeeded") {
+      return c.json({ error: `Cannot restore backup in status "${backup.status}"` }, 422);
+    }
+    if (backup.driver !== "volumeSnapshot" || !backup.snapshotName) {
+      return c.json({ error: "Only VolumeSnapshot backups can be restored locally today" }, 422);
+    }
+    try {
+      ctx.container.k8s.pauseAgentSandbox(namespace, name);
+      await ctx.container.k8s.waitForAgentSandboxPaused({
+        namespace,
+        agentName: name,
+        timeoutMs: 12e4
+      });
+      await ctx.container.k8s.restorePvcFromVolumeSnapshot({
+        namespace,
+        pvcName: backup.pvcName,
+        snapshotName: backup.snapshotName,
+        timeoutMs: 18e4
+      });
+      ctx.container.k8s.resumeAgentSandbox(namespace, name);
+      await ctx.container.k8s.waitForAgentSandboxReady({
+        namespace,
+        agentName: name,
+        timeoutMs: 18e4
+      });
+      return c.json({ ok: true, backup, runtimeState: "running" }, 202);
+    } catch (err) {
+      return c.json({ error: err.message }, 500);
+    }
+  });
+  return app;
+}
+
+// src/interfaces/http/handlers/community.handler.ts
+import { existsSync, mkdirSync as mkdirSync2, readFileSync, writeFileSync } from "fs";
+import { homedir as homedir2 } from "os";
+import { join as join2 } from "path";
+import { Hono as Hono3 } from "hono";
+var DEFAULT_COMMUNITY_BASE_URL = "https://shadowob.com";
+function settingsPath() {
+  return join2(homedir2(), ".shadowob", "settings.json");
+}
+function readSettings() {
+  const p = settingsPath();
+  if (!existsSync(p)) return {};
+  try {
+    return JSON.parse(readFileSync(p, "utf-8"));
+  } catch {
+    return {};
+  }
+}
+function writeSettings(data) {
+  const p = settingsPath();
+  mkdirSync2(join2(homedir2(), ".shadowob"), { recursive: true });
+  writeFileSync(p, JSON.stringify(data, null, 2), "utf-8");
+}
+function normalizeCatalogTemplate(template) {
+  if (!template || typeof template !== "object" || Array.isArray(template)) return template;
+  const { teamName: legacyTitle, ...rest } = template;
+  const title = typeof rest.title === "string" ? rest.title : typeof legacyTitle === "string" ? legacyTitle : typeof rest.name === "string" ? rest.name : "";
+  return { ...rest, title };
+}
+function getCommunitySettings() {
+  const settings = readSettings();
+  const raw = settings.community;
+  return {
+    baseUrl: raw?.baseUrl ?? DEFAULT_COMMUNITY_BASE_URL,
+    token: raw?.token,
+    oauthConnected: raw?.oauthConnected ?? false
+  };
+}
+function saveCommunitySettings(community) {
+  const settings = readSettings();
+  writeSettings({ ...settings, community });
+}
+function createCommunityHandler(ctx) {
+  const app = new Hono3();
+  app.get("/community/settings", (c) => {
+    const cs = getCommunitySettings();
+    return c.json({
+      baseUrl: cs.baseUrl,
+      oauthConnected: cs.oauthConnected,
+      hasToken: Boolean(cs.token)
+    });
+  });
+  app.put("/community/settings", async (c) => {
+    const body = await c.req.json();
+    const current = getCommunitySettings();
+    const updated = {
+      baseUrl: typeof body.baseUrl === "string" && body.baseUrl.trim() ? body.baseUrl.trim().replace(/\/$/, "") : current.baseUrl,
+      token: typeof body.token === "string" ? body.token.trim() || void 0 : current.token,
+      oauthConnected: current.oauthConnected
+    };
+    if (typeof body.token === "string") {
+      updated.oauthConnected = false;
+    }
+    saveCommunitySettings(updated);
+    return c.json({ ok: true });
+  });
+  app.get("/community/templates/catalog", async (c) => {
+    const cs = getCommunitySettings();
+    const locale = c.req.query("locale") ?? "en";
+    const headers = { Accept: "application/json" };
+    if (cs.token) {
+      headers["Authorization"] = `Bearer ${cs.token}`;
+    }
+    try {
+      const res = await fetch(
+        `${cs.baseUrl}/api/templates/catalog?locale=${encodeURIComponent(locale)}`,
+        {
+          headers,
+          signal: AbortSignal.timeout(8e3)
+        }
+      );
+      if (res.ok) {
+        const data = await res.json();
+        const templates = Array.isArray(data.templates) ? data.templates.map(normalizeCatalogTemplate) : data.templates;
+        return c.json({ ...data, templates, source: "community" });
+      }
+    } catch {
+    }
+    const localCatalog = await ctx.container.templateI18n.listCatalog(locale);
+    return c.json({ ...localCatalog, source: "local" });
+  });
+  app.post("/community/templates/publish", async (c) => {
+    const body = await c.req.json();
+    const { name } = body;
+    if (!name) {
+      return c.json({ error: "name is required" }, 400);
+    }
+    const cfg = ctx.configDao.findByName(`tpl:${name}`);
+    if (!cfg) {
+      return c.json({ error: `Template not found: ${name}` }, 404);
+    }
+    const cs = getCommunitySettings();
+    if (!cs.token) {
+      return c.json(
+        { error: "Not connected to community. Please set a token or authorize via OAuth." },
+        401
+      );
+    }
+    try {
+      const res = await fetch(`${cs.baseUrl}/api/templates`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${cs.token}`
+        },
+        body: JSON.stringify({
+          slug: name,
+          name: body.description ? name : name,
+          description: body.description ?? "",
+          visibility: body.visibility ?? "public",
+          content: cfg.content
+        })
+      });
+      if (!res.ok) {
+        const errText = await res.text();
+        return c.json({ error: `Community server error: ${res.status} ${errText}` }, 502);
+      }
+      const result = await res.json();
+      return c.json({ ok: true, result });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      return c.json({ error: `Failed to reach community server: ${message}` }, 502);
+    }
+  });
+  app.get("/community/oauth/init", (c) => {
+    const cs = getCommunitySettings();
+    const authUrl = new URL("/oauth/authorize", cs.baseUrl);
+    authUrl.searchParams.set("client_id", "shadowob-cloud-cli");
+    authUrl.searchParams.set("response_type", "token");
+    authUrl.searchParams.set("scope", "templates:read templates:write");
+    return c.json({ url: authUrl.toString() });
+  });
+  app.get("/community/oauth/callback", (c) => {
+    const token = c.req.query("access_token");
+    if (!token) {
+      return c.html("<p>Missing access_token. Please try again.</p>", 400);
+    }
+    const cs = getCommunitySettings();
+    saveCommunitySettings({ ...cs, token, oauthConnected: true });
+    return c.html(`<!DOCTYPE html>
+<html>
+<head><title>Connected</title></head>
+<body>
+  <p>Connected to community. You may close this window.</p>
+  <script>
+    if (window.opener) {
+      window.opener.postMessage({ type: 'community-oauth-success' }, '*');
+      window.close();
+    }
+  </script>
+</body>
+</html>`);
+  });
+  return app;
+}
+
+// src/interfaces/http/handlers/config.handler.ts
+import { existsSync as existsSync4, mkdirSync as mkdirSync3, readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "fs";
+import { resolve as resolve3 } from "path";
+import { Hono as Hono4 } from "hono";
+
+// src/application/config-schema.ts
+import { existsSync as existsSync3, readFileSync as readFileSync2 } from "fs";
+import { resolve as resolve2 } from "path";
+
+// src/utils/package-asset-path.ts
+import { existsSync as existsSync2 } from "fs";
+import { dirname, resolve } from "path";
+function uniqueCandidates(candidates) {
+  const seen = /* @__PURE__ */ new Set();
+  const resolved = [];
+  for (const candidate of candidates) {
+    if (!candidate) continue;
+    const normalized = resolve(candidate);
+    if (seen.has(normalized)) continue;
+    seen.add(normalized);
+    resolved.push(normalized);
+  }
+  return resolved;
+}
+function resolveCloudPackageAssetDir(assetName) {
+  const entryFile = typeof process.argv[1] === "string" && process.argv[1].length > 0 ? resolve(process.argv[1]) : void 0;
+  const entryDir = entryFile ? dirname(entryFile) : void 0;
+  const candidates = uniqueCandidates([
+    entryDir ? resolve(entryDir, "..", assetName) : void 0,
+    entryDir ? resolve(entryDir, assetName) : void 0,
+    resolve(process.cwd(), assetName),
+    resolve(process.cwd(), "apps/cloud", assetName),
+    resolve(process.cwd(), "node_modules", "@shadowob", "cloud", assetName)
+  ]);
+  for (const candidate of candidates) {
+    if (existsSync2(candidate)) {
+      return candidate;
+    }
+  }
+  return candidates[0] ?? resolve(process.cwd(), "apps/cloud", assetName);
+}
+
+// src/application/config-schema.ts
+function loadCloudConfigSchema() {
+  const schemaPath = resolve2(resolveCloudPackageAssetDir("schemas"), "config.schema.json");
+  if (!existsSync3(schemaPath)) {
+    return {};
+  }
+  return JSON.parse(readFileSync2(schemaPath, "utf-8"));
+}
+
+// src/interfaces/http/handlers/config.handler.ts
+function createConfigHandler(ctx) {
+  const app = new Hono4();
+  app.get("/config", (c) => {
+    const pathParam = c.req.query("path");
+    if (pathParam) {
+      const absPath = resolve3(pathParam);
+      if (!existsSync4(absPath)) {
+        return c.json({ error: `Config file not found: ${absPath}` }, 404);
+      }
+      try {
+        const raw = readFileSync3(absPath, "utf-8");
+        return c.json({ path: absPath, content: raw });
+      } catch (err) {
+        return c.json({ error: err.message }, 500);
+      }
+    }
+    const configRow = ctx.configDao.findByName("current");
+    if (configRow) {
+      return c.json({
+        path: `db://configs/${configRow.id}`,
+        content: JSON.stringify(configRow.content, null, 2)
+      });
+    }
+    const defaultPath = resolve3("shadowob-cloud.json");
+    if (existsSync4(defaultPath)) {
+      const raw = readFileSync3(defaultPath, "utf-8");
+      return c.json({ path: defaultPath, content: raw });
+    }
+    return c.json({ error: "No config found. Initialize from a template first." }, 404);
+  });
+  app.put("/config", async (c) => {
+    try {
+      const body = await c.req.json();
+      const parsed = JSON.parse(body.content);
+      if (body.path && !body.path.startsWith("db://")) {
+        const filePath = resolve3(body.path);
+        mkdirSync3(resolve3(filePath, ".."), { recursive: true });
+        writeFileSync2(filePath, body.content, "utf-8");
+        return c.json({ ok: true, path: filePath });
+      }
+      const templateSlug = parsed.templateSlug ?? parsed.metadata?.template ?? void 0;
+      ctx.configDao.upsert("current", parsed, templateSlug);
+      return c.json({ ok: true, path: "db://configs/current" });
+    } catch (err) {
+      return c.json({ error: err.message }, 400);
+    }
+  });
+  app.get("/schema", (c) => {
+    const schema = loadCloudConfigSchema();
+    if (Object.keys(schema).length === 0) {
+      return c.json({ error: "Schema file not found. Run pnpm generate:schema first." }, 404);
+    }
+    return c.json(schema);
+  });
+  return app;
+}
+
+// src/interfaces/http/handlers/deploy.handler.ts
+import { writeFileSync as writeFileSync3 } from "fs";
+import { tmpdir } from "os";
+import { join as join3 } from "path";
+import { Hono as Hono5 } from "hono";
+import { streamSSE as streamSSE2 } from "hono/streaming";
+
+// src/interfaces/http/deploy-log-format.ts
+function formatDeploymentLogTimestamp(value) {
+  if (!value) {
+    return null;
+  }
+  const date = new Date(value);
+  if (Number.isNaN(date.getTime())) {
+    return null;
+  }
+  return date.toLocaleString(void 0, {
+    year: "numeric",
+    month: "2-digit",
+    day: "2-digit",
+    hour: "2-digit",
+    minute: "2-digit",
+    second: "2-digit",
+    hour12: false
+  });
+}
+function formatDeploymentLogLine(message, createdAt) {
+  const timestamp = formatDeploymentLogTimestamp(createdAt);
+  return timestamp ? `[${timestamp}] ${message}` : message;
+}
+
+// src/interfaces/http/handlers/deploy.handler.ts
+function cleanupTmpFile(path) {
+  try {
+    const { unlinkSync } = __require("fs");
+    unlinkSync(path);
+  } catch {
+  }
+}
+function parseTaskId(raw) {
+  const taskId = Number(raw);
+  return Number.isInteger(taskId) && taskId > 0 ? taskId : null;
+}
+function buildTaskUrl(taskId) {
+  return `/deploy-tasks/${taskId}`;
+}
+function buildDonePayload(task) {
+  return {
+    exitCode: task?.status === "deployed" ? 0 : 1,
+    ...task?.error ? { error: task.error } : {},
+    result: {
+      namespace: task?.namespace,
+      agentCount: task?.agentCount ?? 0
+    }
+  };
+}
+function createDeployHandler(ctx) {
+  const app = new Hono5();
+  app.post("/deploy", async (c) => {
+    let config;
+    try {
+      config = await c.req.json();
+    } catch {
+      return c.json({ error: "Invalid JSON body" }, 400);
+    }
+    const task = await ctx.deployTaskManager.start(config);
+    return streamSSE2(c, async (stream) => {
+      let lastLogId = 0;
+      const sendLog = async (message) => {
+        await stream.writeSSE({ event: "log", data: JSON.stringify(message) });
+      };
+      const flushLogs = async () => {
+        const logs = ctx.deploymentLogDao.findByDeploymentIdSince(task.id, lastLogId);
+        for (const log of logs) {
+          lastLogId = log.id;
+          await sendLog(formatDeploymentLogLine(log.message, log.createdAt));
+        }
+      };
+      await stream.writeSSE({
+        event: "task",
+        data: JSON.stringify({ id: task.id, url: buildTaskUrl(task.id) })
+      });
+      await flushLogs();
+      const existingTask = ctx.deploymentDao.findById(task.id);
+      if (!ctx.deployTaskManager.isActive(task.id)) {
+        await stream.writeSSE({
+          event: "done",
+          data: JSON.stringify(buildDonePayload(existingTask))
+        });
+        return;
+      }
+      await new Promise((resolve7) => {
+        let finished = false;
+        const finish = async (payload) => {
+          if (finished) return;
+          finished = true;
+          await flushLogs();
+          await stream.writeSSE({
+            event: "done",
+            data: JSON.stringify(payload ?? buildDonePayload(ctx.deploymentDao.findById(task.id)))
+          });
+          resolve7();
+        };
+        const unsubscribe = ctx.deployTaskManager.subscribe(task.id, async (event) => {
+          if (event.type === "log") {
+            if (event.data.id <= lastLogId) return;
+            lastLogId = event.data.id;
+            await sendLog(formatDeploymentLogLine(event.data.message, event.data.createdAt));
+            return;
+          }
+          unsubscribe();
+          await finish(event.data);
+        });
+        void flushLogs().then(async () => {
+          if (!ctx.deployTaskManager.isActive(task.id)) {
+            unsubscribe();
+            await finish();
+          }
+        });
+        stream.onAbort(() => {
+          unsubscribe();
+          resolve7();
+        });
+      });
+    });
+  });
+  app.get("/deploy-tasks", (c) => {
+    const tasks = ctx.deploymentDao.findAll().map((task) => ({
+      task,
+      url: buildTaskUrl(task.id),
+      active: ctx.deployTaskManager.isActive(task.id)
+    }));
+    return c.json({ tasks });
+  });
+  app.get("/deploy-tasks/:id", (c) => {
+    const taskId = parseTaskId(c.req.param("id"));
+    if (!taskId) {
+      return c.json({ error: "Invalid task id" }, 400);
+    }
+    const task = ctx.deploymentDao.findById(taskId);
+    if (!task) {
+      return c.json({ error: "Deployment task not found" }, 404);
+    }
+    return c.json({
+      task,
+      url: buildTaskUrl(task.id),
+      active: ctx.deployTaskManager.isActive(task.id)
+    });
+  });
+  app.get("/deploy-tasks/:id/stream", (c) => {
+    const taskId = parseTaskId(c.req.param("id"));
+    if (!taskId) {
+      return c.json({ error: "Invalid task id" }, 400);
+    }
+    const task = ctx.deploymentDao.findById(taskId);
+    if (!task) {
+      return c.json({ error: "Deployment task not found" }, 404);
+    }
+    return streamSSE2(c, async (stream) => {
+      let lastLogId = 0;
+      const writeLog = async (message) => {
+        await stream.writeSSE({ data: JSON.stringify(message) });
+      };
+      const flushLogs = async () => {
+        const logs = ctx.deploymentLogDao.findByDeploymentIdSince(taskId, lastLogId);
+        for (const log of logs) {
+          lastLogId = log.id;
+          await writeLog(formatDeploymentLogLine(log.message, log.createdAt));
+        }
+      };
+      await flushLogs();
+      if (!ctx.deployTaskManager.isActive(taskId)) {
+        await stream.writeSSE({ event: "close", data: "{}" });
+        return;
+      }
+      await new Promise((resolve7) => {
+        let closed = false;
+        const close = async () => {
+          if (closed) return;
+          closed = true;
+          await flushLogs();
+          await stream.writeSSE({ event: "close", data: "{}" });
+          resolve7();
+        };
+        const unsubscribe = ctx.deployTaskManager.subscribe(taskId, async (event) => {
+          if (event.type === "log") {
+            if (event.data.id <= lastLogId) return;
+            lastLogId = event.data.id;
+            await writeLog(formatDeploymentLogLine(event.data.message, event.data.createdAt));
+            return;
+          }
+          unsubscribe();
+          await close();
+        });
+        void flushLogs().then(async () => {
+          if (!ctx.deployTaskManager.isActive(taskId)) {
+            unsubscribe();
+            await close();
+          }
+        });
+        stream.onAbort(() => {
+          unsubscribe();
+          resolve7();
+        });
+      });
+    });
+  });
+  app.post("/deploy-tasks/:id/cancel", async (c) => {
+    const taskId = parseTaskId(c.req.param("id"));
+    if (!taskId) return c.json({ error: "Invalid task id" }, 400);
+    const result = await ctx.deployTaskManager.cancel(taskId);
+    if (!result.ok) {
+      return c.json({ ok: false, error: result.error ?? "Unable to cancel deployment task" }, 422);
+    }
+    return c.json({ ok: true, status: result.status });
+  });
+  app.post("/deploy-tasks/:id/redeploy", async (c) => {
+    const taskId = parseTaskId(c.req.param("id"));
+    if (!taskId) return c.json({ error: "Invalid task id" }, 400);
+    const original = ctx.deploymentDao.findById(taskId);
+    if (!original) return c.json({ error: "Deployment task not found" }, 404);
+    if (!original.config) return c.json({ error: "No config stored for this task" }, 400);
+    let envOverrides;
+    try {
+      const body = await c.req.json().catch(() => ({}));
+      envOverrides = body.envVars;
+    } catch {
+    }
+    const config = {
+      ...original.config,
+      ...envOverrides ? {
+        envVars: {
+          ...original.config.envVars,
+          ...envOverrides
+        }
+      } : {}
+    };
+    const newTask = await ctx.deployTaskManager.start(config);
+    return streamSSE2(c, async (stream) => {
+      let lastLogId = 0;
+      const sendLog = async (message) => {
+        await stream.writeSSE({ event: "log", data: JSON.stringify(message) });
+      };
+      const flushLogs = async () => {
+        const logs = ctx.deploymentLogDao.findByDeploymentIdSince(newTask.id, lastLogId);
+        for (const log of logs) {
+          lastLogId = log.id;
+          await sendLog(formatDeploymentLogLine(log.message, log.createdAt));
+        }
+      };
+      await stream.writeSSE({
+        event: "task",
+        data: JSON.stringify({
+          id: newTask.id,
+          url: buildTaskUrl(newTask.id),
+          redeployFrom: taskId
+        })
+      });
+      await flushLogs();
+      if (!ctx.deployTaskManager.isActive(newTask.id)) {
+        await stream.writeSSE({
+          event: "done",
+          data: JSON.stringify(buildDonePayload(ctx.deploymentDao.findById(newTask.id)))
+        });
+        return;
+      }
+      await new Promise((resolve7) => {
+        let finished = false;
+        const finish = async (payload) => {
+          if (finished) return;
+          finished = true;
+          await flushLogs();
+          await stream.writeSSE({
+            event: "done",
+            data: JSON.stringify(
+              payload ?? buildDonePayload(ctx.deploymentDao.findById(newTask.id))
+            )
+          });
+          resolve7();
+        };
+        const unsubscribe = ctx.deployTaskManager.subscribe(newTask.id, async (event) => {
+          if (event.type === "log") {
+            if (event.data.id <= lastLogId) return;
+            lastLogId = event.data.id;
+            await sendLog(formatDeploymentLogLine(event.data.message, event.data.createdAt));
+            return;
+          }
+          unsubscribe();
+          await finish(event.data);
+        });
+        void flushLogs().then(async () => {
+          if (!ctx.deployTaskManager.isActive(newTask.id)) {
+            unsubscribe();
+            await finish();
+          }
+        });
+        stream.onAbort(() => {
+          unsubscribe();
+          resolve7();
+        });
+      });
+    });
+  });
+  app.post("/rollback", async (c) => {
+    try {
+      const body = await c.req.json();
+      const ns = body.namespace;
+      if (!ns) return c.json({ error: "namespace is required" }, 400);
+      ctx.container.k8s.rolloutUndoAll(ns);
+      return c.json({ ok: true, namespace: ns });
+    } catch (err) {
+      return c.json({ error: err.message }, 500);
+    }
+  });
+  app.post("/destroy", async (c) => {
+    try {
+      const body = await c.req.json();
+      const ns = body.namespace ?? ctx.namespaces[0] ?? "shadowob-cloud";
+      const storedConfig = ctx.configDao.findByName("current")?.content;
+      await ctx.container.deploymentRuntime.destroy({
+        namespace: ns,
+        stack: body.stack,
+        configSnapshot: body.config ?? storedConfig
+      });
+      return c.json({ ok: true, namespace: ns });
+    } catch (err) {
+      return c.json({ error: err.message }, 500);
+    }
+  });
+  app.post("/validate", async (c) => {
+    try {
+      const configData = await c.req.json();
+      const tmpFile = join3(tmpdir(), `shadowob-validate-${Date.now()}.json`);
+      writeFileSync3(tmpFile, JSON.stringify(configData, null, 2), "utf-8");
+      try {
+        const { config, violations } = await ctx.container.config.validate(tmpFile);
+        const refs = ctx.container.config.collectTemplateRefs(config);
+        const agents = config.deployments?.agents ?? [];
+        const configurations = config.registry?.configurations ?? [];
+        const configIds = new Set(configurations.map((cfg) => cfg.id));
+        const extendsErrors = [];
+        for (const agent of agents) {
+          if (agent.configuration.extends && !configIds.has(agent.configuration.extends)) {
+            extendsErrors.push(
+              `Agent "${agent.id}" extends "${agent.configuration.extends}" not in registry.configurations`
+            );
+          }
+        }
+        return c.json({
+          valid: violations.length === 0 && extendsErrors.length === 0,
+          agents: agents.length,
+          configurations: configurations.length,
+          violations: violations.map((v) => ({ path: v.path, prefix: v.prefix })),
+          extendsErrors,
+          templateRefs: {
+            env: refs.filter((r) => r.type === "env").length,
+            secret: refs.filter((r) => r.type === "secret").length,
+            file: refs.filter((r) => r.type === "file").length
+          }
+        });
+      } finally {
+        cleanupTmpFile(tmpFile);
+      }
+    } catch (err) {
+      return c.json({ error: err.message }, 400);
+    }
+  });
+  app.post("/init", async (c) => {
+    try {
+      const body = await c.req.json();
+      const templateName = body.template ?? "gstack-buddy";
+      const content = await ctx.container.template.getTemplate(templateName);
+      if (!content) {
+        return c.json({ error: `Template not found: ${templateName}` }, 404);
+      }
+      ctx.configDao.upsert("current", content, templateName);
+      return c.json(content);
+    } catch (err) {
+      return c.json({ error: err.message }, 400);
+    }
+  });
+  app.post("/provision", async (c) => {
+    try {
+      const body = await c.req.json();
+      const shadowUrl = body.shadowUrl;
+      const shadowToken = body.shadowToken;
+      if (!shadowUrl || !shadowToken) {
+        return c.json({ error: "shadowUrl and shadowToken are required" }, 400);
+      }
+      const tmpFile = join3(tmpdir(), `shadowob-provision-${Date.now()}.json`);
+      writeFileSync3(tmpFile, JSON.stringify(body.config, null, 2), "utf-8");
+      try {
+        const config = await ctx.container.config.parseFile(tmpFile);
+        const resolved = await ctx.container.config.resolve(config, tmpFile);
+        const namespace = resolved.deployments?.namespace ?? "shadowob-cloud";
+        const agents = resolved.deployments?.agents ?? [];
+        const extraSecrets = {
+          SHADOW_SERVER_URL: shadowUrl,
+          SHADOW_USER_TOKEN: shadowToken
+        };
+        const { executePluginProvisions, loadAllPlugins: loadAllPlugins2, getPluginRegistry: getPluginRegistry2 } = await import("./plugins-HZBWK3WQ.js");
+        try {
+          await loadAllPlugins2(getPluginRegistry2());
+        } catch {
+        }
+        const mergedStates = {};
+        for (const agent of agents) {
+          const provisionResults = await executePluginProvisions(
+            agent,
+            resolved,
+            namespace,
+            ctx.container.logger,
+            body.dryRun,
+            extraSecrets,
+            null
+          );
+          for (const [pluginId, state] of Object.entries(provisionResults.states)) {
+            mergedStates[pluginId] = { ...mergedStates[pluginId] ?? {}, ...state };
+          }
+        }
+        const shadowobState = mergedStates.shadowob ?? {};
+        return c.json({
+          ok: true,
+          servers: shadowobState.servers ?? {},
+          channels: shadowobState.channels ?? {},
+          buddies: Object.fromEntries(
+            Object.entries(shadowobState.buddies ?? {}).map(([id, info]) => [
+              id,
+              { agentId: info.agentId, userId: info.userId }
+            ])
+          )
+        });
+      } finally {
+        cleanupTmpFile(tmpFile);
+      }
+    } catch (err) {
+      return c.json({ error: err.message }, 500);
+    }
+  });
+  app.post("/generate/manifests", async (c) => {
+    try {
+      const body = await c.req.json();
+      const tmpFile = join3(tmpdir(), `shadowob-gen-${Date.now()}.json`);
+      writeFileSync3(tmpFile, JSON.stringify(body.config, null, 2), "utf-8");
+      try {
+        const config = await ctx.container.config.parseFile(tmpFile);
+        const resolved = await ctx.container.config.resolve(config);
+        const ns = body.namespace ?? config.deployments?.namespace ?? "shadowob-cloud";
+        const manifests = ctx.container.manifest.build({
+          config: resolved,
+          namespace: ns,
+          shadowServerUrl: body.shadowUrl
+        });
+        return c.json({ manifests, count: manifests.length });
+      } finally {
+        cleanupTmpFile(tmpFile);
+      }
+    } catch (err) {
+      return c.json({ error: err.message }, 400);
+    }
+  });
+  app.post("/generate/openclaw-config", async (c) => {
+    try {
+      const body = await c.req.json();
+      const tmpFile = join3(tmpdir(), `shadowob-oc-${Date.now()}.json`);
+      writeFileSync3(tmpFile, JSON.stringify(body.config, null, 2), "utf-8");
+      try {
+        const config = await ctx.container.config.parseFile(tmpFile);
+        const resolved = await ctx.container.config.resolve(config);
+        const agent = resolved.deployments?.agents?.find((a) => a.id === body.agentId);
+        if (!agent) {
+          return c.json({ error: `Agent "${body.agentId}" not found` }, 404);
+        }
+        const openclawConfig = ctx.container.config.buildOpenClawConfig(agent, resolved);
+        delete openclawConfig._workspaceFiles;
+        return c.json(openclawConfig);
+      } finally {
+        cleanupTmpFile(tmpFile);
+      }
+    } catch (err) {
+      return c.json({ error: err.message }, 400);
+    }
+  });
+  return app;
+}
+
+// src/interfaces/http/handlers/health.handler.ts
+import { execSync } from "child_process";
+import { Hono as Hono6 } from "hono";
+function getVersion(cmd, versionFlag = "--version") {
+  try {
+    return execSync(`${cmd} ${versionFlag}`, {
+      encoding: "utf-8",
+      timeout: 1e4,
+      stdio: ["ignore", "pipe", "pipe"]
+    }).trim();
+  } catch {
+    return null;
+  }
+}
+function createHealthHandler(ctx) {
+  const app = new Hono6();
+  app.get("/health", (c) => c.json({ status: "ok", timestamp: (/* @__PURE__ */ new Date()).toISOString() }));
+  app.get("/doctor", async (c) => {
+    const { container } = ctx;
+    const checks = [];
+    const nodeVersion = process.version;
+    const major = Number.parseInt(nodeVersion.slice(1), 10);
+    checks.push(
+      major >= 22 ? { name: "Node.js", status: "pass", message: nodeVersion } : {
+        name: "Node.js",
+        status: major >= 20 ? "warn" : "fail",
+        message: `${nodeVersion} (22+ recommended)`
+      }
+    );
+    if (container.k8s.isToolInstalled("docker")) {
+      checks.push({ name: "Docker", status: "pass", message: getVersion("docker") ?? "installed" });
+    } else {
+      checks.push({ name: "Docker", status: "fail", message: "not found" });
+    }
+    if (container.k8s.isToolInstalled("kubectl")) {
+      const reachable = container.k8s.isKubeReachable();
+      checks.push({
+        name: "kubectl",
+        status: reachable ? "pass" : "warn",
+        message: reachable ? "connected" : "installed but unreachable"
+      });
+    } else {
+      checks.push({ name: "kubectl", status: "fail", message: "not found" });
+    }
+    if (container.k8s.isToolInstalled("pulumi")) {
+      checks.push({
+        name: "Pulumi",
+        status: "pass",
+        message: getVersion("pulumi", "version") ?? "installed"
+      });
+    } else {
+      checks.push({ name: "Pulumi", status: "fail", message: "not found" });
+    }
+    if (container.k8s.isToolInstalled("kind")) {
+      const hasCluster = container.k8s.kindClusterExists();
+      checks.push({
+        name: "kind",
+        status: "pass",
+        message: hasCluster ? "installed + cluster exists" : "installed"
+      });
+    } else {
+      checks.push({ name: "kind", status: "warn", message: "not found (optional)" });
+    }
+    try {
+      const { checkPluginHealth, loadAllPlugins: loadAllPlugins2, getPluginRegistry: getPluginRegistry2 } = await import("./plugins-HZBWK3WQ.js");
+      try {
+        await loadAllPlugins2(getPluginRegistry2());
+      } catch {
+      }
+      const configRow = ctx.configDao.findByName("current");
+      let cloudConfig = {};
+      if (configRow) {
+        cloudConfig = configRow.content;
+      }
+      const pluginHealthResults = await checkPluginHealth(cloudConfig);
+      for (const result of pluginHealthResults) {
+        checks.push({
+          name: `Plugin: ${result.name}`,
+          status: result.healthy ? "pass" : "warn",
+          message: result.message
+        });
+      }
+    } catch {
+    }
+    return c.json({
+      checks,
+      summary: {
+        pass: checks.filter((ch) => ch.status === "pass").length,
+        warn: checks.filter((ch) => ch.status === "warn").length,
+        fail: checks.filter((ch) => ch.status === "fail").length
+      }
+    });
+  });
+  return app;
+}
+
+// src/interfaces/http/handlers/my-templates.handler.ts
+import { Hono as Hono7 } from "hono";
+var PREFIX = "tpl:";
+function createMyTemplatesHandler(ctx) {
+  const app = new Hono7();
+  app.get("/my-templates", (c) => {
+    const all = ctx.configDao.findAll();
+    const userTemplates = all.filter((cfg) => cfg.name.startsWith(PREFIX)).map((cfg) => ({
+      name: cfg.name.slice(PREFIX.length),
+      slug: cfg.name.slice(PREFIX.length),
+      templateSlug: cfg.templateSlug,
+      content: cfg.content,
+      version: cfg.version ?? 1,
+      updatedAt: cfg.updatedAt ?? cfg.createdAt ?? (/* @__PURE__ */ new Date()).toISOString()
+    }));
+    return c.json(userTemplates);
+  });
+  app.get("/my-templates/:name", (c) => {
+    const name = c.req.param("name");
+    const cfg = ctx.configDao.findByName(`${PREFIX}${name}`);
+    if (!cfg) return c.json({ error: `Template not found: ${name}` }, 404);
+    return c.json({
+      name: cfg.name.slice(PREFIX.length),
+      slug: cfg.name.slice(PREFIX.length),
+      templateSlug: cfg.templateSlug,
+      content: cfg.content,
+      version: cfg.version ?? 1
+    });
+  });
+  app.get("/my-templates/:name/versions", (c) => {
+    const name = c.req.param("name");
+    const cfg = ctx.configDao.findByName(`${PREFIX}${name}`);
+    if (!cfg) return c.json({ error: `Template not found: ${name}` }, 404);
+    const history = ctx.configDao.getVersionHistory(`${PREFIX}${name}`);
+    return c.json({
+      current: cfg.version ?? 1,
+      versions: [
+        { version: cfg.version ?? 1, createdAt: cfg.updatedAt ?? cfg.createdAt, current: true },
+        ...history.map((v) => ({ version: v.version, createdAt: v.createdAt, current: false }))
+      ]
+    });
+  });
+  app.post("/my-templates/:name/versions/:version", (c) => {
+    const name = c.req.param("name");
+    const version = Number.parseInt(c.req.param("version"), 10);
+    const versionData = ctx.configDao.getVersion(`${PREFIX}${name}`, version);
+    if (!versionData) return c.json({ error: `Version ${version} not found` }, 404);
+    ctx.configDao.upsert(`${PREFIX}${name}`, versionData.content);
+    return c.json({ ok: true, restoredVersion: version });
+  });
+  app.put("/my-templates/:name", async (c) => {
+    const name = c.req.param("name");
+    try {
+      const body = await c.req.json();
+      ctx.configDao.upsert(`${PREFIX}${name}`, body.content, body.templateSlug);
+      return c.json({ ok: true });
+    } catch (err) {
+      return c.json({ error: err.message }, 400);
+    }
+  });
+  app.post("/my-templates/fork", async (c) => {
+    try {
+      const body = await c.req.json();
+      const sourceContent = await ctx.container.template.getTemplate(body.source);
+      if (!sourceContent) {
+        return c.json({ error: `Source template not found: ${body.source}` }, 404);
+      }
+      let newName = body.name ?? `my-${body.source}`;
+      const existing = ctx.configDao.findByName(`${PREFIX}${newName}`);
+      if (existing) {
+        let suffix = 2;
+        while (ctx.configDao.findByName(`${PREFIX}${newName}-${suffix}`)) {
+          suffix++;
+        }
+        newName = `${newName}-${suffix}`;
+      }
+      ctx.configDao.upsert(`${PREFIX}${newName}`, sourceContent, body.source);
+      return c.json({ name: newName, slug: newName });
+    } catch (err) {
+      return c.json({ error: err.message }, 400);
+    }
+  });
+  app.delete("/my-templates/:name", (c) => {
+    const name = c.req.param("name");
+    ctx.configDao.delete(`${PREFIX}${name}`);
+    return c.json({ ok: true });
+  });
+  app.get("/my-templates/:name/share", (c) => {
+    const name = c.req.param("name");
+    const cfg = ctx.configDao.findByName(`${PREFIX}${name}`);
+    if (!cfg) return c.json({ error: `Template not found: ${name}` }, 404);
+    return c.json({
+      name: cfg.name.slice(PREFIX.length),
+      templateSlug: cfg.templateSlug,
+      version: cfg.version ?? 1,
+      content: cfg.content,
+      sharedAt: (/* @__PURE__ */ new Date()).toISOString()
+    });
+  });
+  app.post("/my-templates/import", async (c) => {
+    try {
+      const body = await c.req.json();
+      if (!body.name || !body.content) {
+        return c.json({ error: "name and content are required" }, 400);
+      }
+      const existing = ctx.configDao.findByName(`${PREFIX}${body.name}`);
+      const importName = existing ? `${body.name}-${Date.now()}` : body.name;
+      ctx.configDao.upsert(`${PREFIX}${importName}`, body.content, body.templateSlug);
+      return c.json({ ok: true, name: importName });
+    } catch (err) {
+      return c.json({ error: err.message }, 400);
+    }
+  });
+  app.post("/my-templates/import-git", async (c) => {
+    try {
+      const body = await c.req.json();
+      if (!body.url) {
+        return c.json({ error: "url is required" }, 400);
+      }
+      const url = body.url.trim();
+      if (!url.startsWith("https://") && !url.startsWith("git@")) {
+        return c.json({ error: "Only HTTPS and SSH git URLs are supported" }, 400);
+      }
+      const { execSync: execSync2 } = await import("child_process");
+      const { mkdtempSync, readFileSync: readFileSync6, readdirSync, rmSync, existsSync: existsSync8 } = await import("fs");
+      const { tmpdir: tmpdir2 } = await import("os");
+      const { join: join6, basename } = await import("path");
+      const tmpDir = mkdtempSync(join6(tmpdir2(), "sc-git-"));
+      try {
+        const branch = body.branch ? `--branch ${body.branch}` : "";
+        execSync2(`git clone --depth 1 ${branch} ${url} ${tmpDir}/repo`, {
+          timeout: 3e4,
+          stdio: "pipe"
+        });
+        const repoDir = join6(tmpDir, "repo");
+        const configPath = body.path ? join6(repoDir, body.path) : findConfigFile(repoDir, readdirSync, existsSync8, join6);
+        if (!configPath || !existsSync8(configPath)) {
+          return c.json(
+            {
+              error: `No config file found. Specify path or ensure the repo contains shadowob.json, *.template.json, or cloud.json`
+            },
+            404
+          );
+        }
+        const content = parseJsonc(readFileSync6(configPath, "utf-8"), configPath);
+        const repoName = basename(url.replace(/\.git$/, "").replace(/\/$/, ""));
+        let newName = body.name ?? repoName;
+        const existing = ctx.configDao.findByName(`${PREFIX}${newName}`);
+        if (existing) {
+          let suffix = 2;
+          while (ctx.configDao.findByName(`${PREFIX}${newName}-${suffix}`)) suffix++;
+          newName = `${newName}-${suffix}`;
+        }
+        ctx.configDao.upsert(`${PREFIX}${newName}`, content, `git:${url}`);
+        return c.json({ ok: true, name: newName, source: url });
+      } finally {
+        rmSync(tmpDir, { recursive: true, force: true });
+      }
+    } catch (err) {
+      const msg = err.message ?? String(err);
+      if (msg.includes("git clone")) {
+        return c.json({ error: `Git clone failed: ${msg}` }, 400);
+      }
+      return c.json({ error: msg }, 400);
+    }
+  });
+  return app;
+}
+function findConfigFile(dir, readdirSync, existsSync8, join6) {
+  const candidates = ["shadowob.json", "shadowob-cloud.json", "cloud.json"];
+  for (const f of candidates) {
+    const p = join6(dir, f);
+    if (existsSync8(p)) return p;
+  }
+  try {
+    const files = readdirSync(dir);
+    const tpl = files.find((f) => f.endsWith(".template.json"));
+    if (tpl) return join6(dir, tpl);
+  } catch {
+  }
+  return null;
+}
+
+// src/interfaces/http/handlers/provider-profile.handler.ts
+import { randomUUID } from "crypto";
+import { Hono as Hono8 } from "hono";
+
+// src/application/llm-provider-platform.ts
+var LLM_PROVIDER_AUTH_TYPES = ["api_key"];
+var LLM_PROVIDER_API_FORMATS = ["openai", "anthropic", "gemini"];
+function isRecord2(value) {
+  return Boolean(value && typeof value === "object" && !Array.isArray(value));
+}
+function stringValue(value) {
+  return typeof value === "string" && value.trim() ? value.trim() : void 0;
+}
+function positiveNumber(value) {
+  const parsed = typeof value === "number" ? value : Number(value);
+  return Number.isFinite(parsed) && parsed > 0 ? parsed : void 0;
+}
+function booleanValue(value) {
+  return typeof value === "boolean" ? value : void 0;
+}
+function normalizeTags(value) {
+  if (!Array.isArray(value)) return [];
+  const tags = value.map((tag) => stringValue(tag)?.toLowerCase()).filter((tag) => Boolean(tag));
+  return [...new Set(tags)];
+}
+function normalizeLlmProviderModels(value) {
+  if (!Array.isArray(value)) return [];
+  const models = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const item of value) {
+    if (!isRecord2(item)) continue;
+    const id = stringValue(item.id);
+    if (!id || seen.has(id)) continue;
+    seen.add(id);
+    const cost = isRecord2(item.cost) ? {
+      ...positiveNumber(item.cost.input) ? { input: positiveNumber(item.cost.input) } : {},
+      ...positiveNumber(item.cost.output) ? { output: positiveNumber(item.cost.output) } : {}
+    } : void 0;
+    const capabilities = isRecord2(item.capabilities) ? {
+      ...booleanValue(item.capabilities.vision) !== void 0 ? { vision: booleanValue(item.capabilities.vision) } : {},
+      ...booleanValue(item.capabilities.tools) !== void 0 ? { tools: booleanValue(item.capabilities.tools) } : {},
+      ...booleanValue(item.capabilities.reasoning) !== void 0 ? { reasoning: booleanValue(item.capabilities.reasoning) } : {}
+    } : void 0;
+    models.push({
+      id,
+      ...stringValue(item.name) ? { name: stringValue(item.name) } : {},
+      ...normalizeTags(item.tags).length > 0 ? { tags: normalizeTags(item.tags) } : {},
+      ...positiveNumber(item.contextWindow) ? { contextWindow: positiveNumber(item.contextWindow) } : {},
+      ...positiveNumber(item.maxTokens) ? { maxTokens: positiveNumber(item.maxTokens) } : {},
+      ...cost && Object.keys(cost).length > 0 ? { cost } : {},
+      ...capabilities && Object.keys(capabilities).length > 0 ? { capabilities } : {}
+    });
+  }
+  return models;
+}
+function normalizeLlmProviderConfig(config) {
+  const apiFormat = stringValue(config.apiFormat);
+  const authType = stringValue(config.authType);
+  return {
+    ...stringValue(config.baseUrl) ? { baseUrl: stringValue(config.baseUrl) } : {},
+    ...apiFormat && LLM_PROVIDER_API_FORMATS.includes(apiFormat) ? { apiFormat } : {},
+    ...authType && LLM_PROVIDER_AUTH_TYPES.includes(authType) ? { authType } : {},
+    ...stringValue(config.discoveredAt) ? { discoveredAt: stringValue(config.discoveredAt) } : {},
+    models: normalizeLlmProviderModels(config.models)
+  };
+}
+
+// src/application/provider-catalogs.ts
+async function ensurePluginsLoaded() {
+  const registry = getPluginRegistry();
+  if (registry.size === 0) await loadAllPlugins(registry);
+}
+function providerSecretFields(provider) {
+  const fields = [
+    {
+      key: provider.envKey,
+      label: `${provider.id} API Key`,
+      required: false,
+      sensitive: true
+    }
+  ];
+  for (const alias of provider.envKeyAliases ?? []) {
+    fields.push({
+      key: alias,
+      label: `${provider.id} API Key Alias`,
+      required: false,
+      sensitive: true
+    });
+  }
+  if (provider.baseUrlEnvKey) {
+    fields.push({
+      key: provider.baseUrlEnvKey,
+      label: `${provider.id} Base URL`,
+      required: false,
+      sensitive: false
+    });
+  }
+  if (provider.modelEnvKey) {
+    fields.push({
+      key: provider.modelEnvKey,
+      label: `${provider.id} Model`,
+      required: false,
+      sensitive: false
+    });
+  }
+  return fields;
+}
+function dedupeFields(fields) {
+  const seen = /* @__PURE__ */ new Set();
+  const out = [];
+  for (const field of fields) {
+    if (seen.has(field.key)) continue;
+    seen.add(field.key);
+    out.push(field);
+  }
+  return out;
+}
+async function listProviderCatalogs() {
+  await ensurePluginsLoaded();
+  return getPluginRegistry().getAll().flatMap(
+    (plugin) => (plugin.providerCatalogs ?? []).map((provider) => ({
+      pluginId: plugin.manifest.id,
+      pluginName: plugin.manifest.name,
+      provider,
+      secretFields: dedupeFields([
+        ...plugin.secretFields ?? [],
+        ...providerSecretFields(provider)
+      ])
+    }))
+  ).sort(
+    (a, b) => (a.provider.priority ?? 1e3) - (b.provider.priority ?? 1e3) || a.provider.id.localeCompare(b.provider.id)
+  );
+}
+
+// src/interfaces/http/handlers/provider-profile.handler.ts
+var PROVIDER_PROFILE_SCOPE_PREFIX = "provider:";
+var META_KEYS = {
+  id: "SHADOW_PROVIDER_PROFILE_ID",
+  providerId: "SHADOW_PROVIDER_ID",
+  name: "SHADOW_PROVIDER_PROFILE_NAME",
+  configJson: "SHADOW_PROVIDER_CONFIG_JSON",
+  enabled: "SHADOW_PROVIDER_ENABLED"
+};
+var META_KEY_SET = new Set(Object.values(META_KEYS));
+function normalizeProviderProfileId(input) {
+  return input.trim().toLowerCase().replace(/[^a-z0-9._-]+/g, "-").replace(/^-+|-+$/g, "").slice(0, 80);
+}
+function providerProfileScope(profileId) {
+  return `${PROVIDER_PROFILE_SCOPE_PREFIX}${profileId}`;
+}
+function parseConfig(value) {
+  if (!value) return {};
+  try {
+    const parsed = JSON.parse(value);
+    return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : {};
+  } catch {
+    return {};
+  }
+}
+function readProfiles(ctx) {
+  const masked = ctx.envVarDao.findAllMasked().filter((entry) => entry.scope.startsWith(PROVIDER_PROFILE_SCOPE_PREFIX));
+  const scopes = [...new Set(masked.map((entry) => entry.scope))];
+  return scopes.map((scope) => {
+    const values = new Map(
+      ctx.envVarDao.findByScope(scope).map((entry) => [entry.key, entry.value])
+    );
+    const fallbackId = scope.slice(PROVIDER_PROFILE_SCOPE_PREFIX.length);
+    const id = values.get(META_KEYS.id) ?? fallbackId;
+    const providerId = values.get(META_KEYS.providerId) ?? "";
+    if (!id || !providerId) return null;
+    return {
+      id,
+      providerId,
+      name: values.get(META_KEYS.name) ?? providerId,
+      scope,
+      enabled: values.get(META_KEYS.enabled) !== "false",
+      config: parseConfig(values.get(META_KEYS.configJson)),
+      envVars: masked.filter((entry) => entry.scope === scope && !META_KEY_SET.has(entry.key)).map((entry) => ({
+        key: entry.key,
+        maskedValue: entry.maskedValue,
+        isSecret: entry.isSecret
+      }))
+    };
+  }).filter((profile) => Boolean(profile)).sort((left, right) => left.name.localeCompare(right.name));
+}
+function createProviderProfileHandler(ctx) {
+  const app = new Hono8();
+  app.get("/provider-catalogs", async (c) => {
+    const providers = (await listProviderCatalogs()).map((entry) => ({
+      pluginId: entry.pluginId,
+      pluginName: entry.pluginName,
+      provider: entry.provider,
+      secretFields: entry.secretFields
+    }));
+    return c.json({ providers });
+  });
+  app.get("/provider-profiles", (c) => c.json({ profiles: readProfiles(ctx) }));
+  app.put("/provider-profiles", async (c) => {
+    const body = await c.req.json();
+    const profileId = normalizeProviderProfileId(body.id ?? `${body.providerId}-${randomUUID().slice(0, 8)}`) || `${body.providerId}-${randomUUID().slice(0, 8)}`;
+    const scope = providerProfileScope(profileId);
+    ctx.envVarDao.upsert(scope, META_KEYS.id, profileId, true);
+    ctx.envVarDao.upsert(scope, META_KEYS.providerId, body.providerId, true);
+    ctx.envVarDao.upsert(scope, META_KEYS.name, body.name, true);
+    ctx.envVarDao.upsert(scope, META_KEYS.configJson, JSON.stringify(body.config ?? {}), true);
+    ctx.envVarDao.upsert(scope, META_KEYS.enabled, String(body.enabled ?? true), true);
+    for (const [key, value] of Object.entries(body.envVars ?? {})) {
+      if (value.trim()) ctx.envVarDao.upsert(scope, key, value, true);
+    }
+    return c.json({
+      ok: true,
+      profile: readProfiles(ctx).find((profile) => profile.id === profileId)
+    });
+  });
+  app.post("/provider-profiles/:id/test", (c) => {
+    const profileId = normalizeProviderProfileId(c.req.param("id"));
+    const scope = providerProfileScope(profileId);
+    const values = new Map(
+      ctx.envVarDao.findByScope(scope).map((entry) => [entry.key, entry.value])
+    );
+    const enabled = values.get(META_KEYS.enabled) !== "false";
+    const providerId = values.get(META_KEYS.providerId);
+    const hasKey = [...values.keys()].some(
+      (key) => key !== META_KEYS.configJson && /KEY|TOKEN/i.test(key)
+    );
+    return c.json({
+      ok: Boolean(enabled && providerId && hasKey),
+      status: null,
+      message: enabled && providerId && hasKey ? "Connection check ready" : "Missing provider credentials",
+      checkedAt: (/* @__PURE__ */ new Date()).toISOString()
+    });
+  });
+  app.post("/provider-profiles/:id/models/refresh", async (c) => {
+    const profileId = normalizeProviderProfileId(c.req.param("id"));
+    const scope = providerProfileScope(profileId);
+    const values = new Map(
+      ctx.envVarDao.findByScope(scope).map((entry) => [entry.key, entry.value])
+    );
+    const providerId = values.get(META_KEYS.providerId);
+    const config = parseConfig(values.get(META_KEYS.configJson));
+    const catalogs = await listProviderCatalogs();
+    const catalog = catalogs.find((entry) => entry.provider.id === providerId);
+    const configuredModels = normalizeLlmProviderConfig(config).models ?? [];
+    const catalogModels = catalog?.provider.models.map((model) => ({
+      id: model.id,
+      name: model.name,
+      tags: model.tags,
+      contextWindow: model.contextWindow,
+      maxTokens: model.maxTokens
+    })) ?? [];
+    const models = configuredModels.length > 0 ? configuredModels : catalogModels;
+    const nextConfig = {
+      ...config,
+      models,
+      discoveredAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    ctx.envVarDao.upsert(scope, META_KEYS.configJson, JSON.stringify(nextConfig), true);
+    return c.json({
+      ok: true,
+      status: null,
+      message: `Discovered ${models.length} model(s)`,
+      models,
+      profile: readProfiles(ctx).find((profile) => profile.id === profileId)
+    });
+  });
+  app.delete("/provider-profiles/:id", (c) => {
+    const profileId = normalizeProviderProfileId(c.req.param("id"));
+    const scope = providerProfileScope(profileId);
+    for (const entry of ctx.envVarDao.findByScope(scope)) {
+      ctx.envVarDao.delete(scope, entry.key);
+    }
+    return c.json({ ok: true });
+  });
+  return app;
+}
+
+// src/interfaces/http/handlers/secret.handler.ts
+import { Hono as Hono9 } from "hono";
+function createSecretHandler(ctx) {
+  const app = new Hono9();
+  app.get("/secrets", (c) => {
+    const secrets2 = ctx.secretDao.findAll();
+    return c.json({ secrets: secrets2 });
+  });
+  app.get("/secrets/:providerId", (c) => {
+    const providerId = c.req.param("providerId");
+    const secrets2 = ctx.secretDao.findByProvider(providerId);
+    return c.json({ secrets: secrets2 });
+  });
+  app.put("/secrets/:providerId", async (c) => {
+    const providerId = c.req.param("providerId");
+    try {
+      const body = await c.req.json();
+      if (!body.key || !body.value) {
+        return c.json({ error: "key and value are required" }, 400);
+      }
+      ctx.secretDao.upsert(providerId, body.key, body.value, body.groupName);
+      return c.json({ ok: true });
+    } catch (err) {
+      return c.json({ error: err.message }, 400);
+    }
+  });
+  app.delete("/secrets/:providerId/:key", (c) => {
+    const providerId = c.req.param("providerId");
+    const key = c.req.param("key");
+    ctx.secretDao.delete(providerId, key);
+    return c.json({ ok: true });
+  });
+  app.delete("/secrets/:providerId", (c) => {
+    const providerId = c.req.param("providerId");
+    ctx.secretDao.deleteProvider(providerId);
+    return c.json({ ok: true });
+  });
+  app.get("/env/groups", (c) => {
+    const groups = new Set(ctx.envGroupDao.findAll());
+    for (const envVar of ctx.envVarDao.findAllMasked()) {
+      groups.add(normalizeGroupName(envVar.groupName));
+    }
+    return c.json({
+      groups: [...groups].sort(
+        (a, b) => a === "default" ? -1 : b === "default" ? 1 : a.localeCompare(b)
+      )
+    });
+  });
+  app.post("/env/groups", async (c) => {
+    try {
+      const body = await c.req.json();
+      const name = normalizeGroupName(body.name);
+      ctx.envGroupDao.create(name);
+      return c.json({ ok: true, name });
+    } catch (err) {
+      return c.json({ error: err.message }, 400);
+    }
+  });
+  app.delete("/env/groups/:name", (c) => {
+    const name = c.req.param("name");
+    if (!name || name === "default") {
+      return c.json({ error: "Cannot delete the default group" }, 400);
+    }
+    ctx.envGroupDao.delete(name);
+    return c.json({ ok: true });
+  });
+  app.get("/env", (c) => {
+    const envVars2 = ctx.envVarDao.findAllMasked();
+    const groups = new Set(ctx.envGroupDao.findAll());
+    for (const envVar of envVars2) {
+      groups.add(normalizeGroupName(envVar.groupName));
+    }
+    return c.json({
+      envVars: envVars2,
+      groups: [...groups].sort(
+        (a, b) => a === "default" ? -1 : b === "default" ? 1 : a.localeCompare(b)
+      )
+    });
+  });
+  app.get("/env/:scope", (c) => {
+    const scope = c.req.param("scope");
+    const envVars2 = ctx.envVarDao.findByScope(scope);
+    return c.json({ envVars: envVars2 });
+  });
+  app.get("/env/:scope/:key", (c) => {
+    const scope = c.req.param("scope");
+    const key = c.req.param("key");
+    const envVar = ctx.envVarDao.findOne(scope, key);
+    if (!envVar) {
+      return c.json({ error: "Environment value not found" }, 404);
+    }
+    return c.json({ envVar });
+  });
+  app.put("/env/:scope", async (c) => {
+    const scope = c.req.param("scope");
+    try {
+      const body = await c.req.json();
+      if (!body.key || body.value === void 0) {
+        return c.json({ error: "key and value are required" }, 400);
+      }
+      const groupName = normalizeGroupName(body.groupName);
+      ctx.envGroupDao.ensure(groupName);
+      ctx.envVarDao.upsert(scope, body.key, body.value, body.isSecret ?? true, groupName);
+      return c.json({ ok: true });
+    } catch (err) {
+      return c.json({ error: err.message }, 400);
+    }
+  });
+  app.delete("/env/:scope/:key", (c) => {
+    const scope = c.req.param("scope");
+    const key = c.req.param("key");
+    ctx.envVarDao.delete(scope, key);
+    return c.json({ ok: true });
+  });
+  return app;
+}
+
+// src/interfaces/http/handlers/settings.handler.ts
+import { existsSync as existsSync5, mkdirSync as mkdirSync4, readFileSync as readFileSync4, writeFileSync as writeFileSync4 } from "fs";
+import { homedir as homedir3 } from "os";
+import { join as join4, resolve as resolve4 } from "path";
+import { Hono as Hono10 } from "hono";
+function settingsPath2() {
+  return join4(homedir3(), ".shadowob", "settings.json");
+}
+function readSettings2() {
+  const p = settingsPath2();
+  if (!existsSync5(p)) return {};
+  try {
+    return JSON.parse(readFileSync4(p, "utf-8"));
+  } catch {
+    return {};
+  }
+}
+function writeSettings2(data) {
+  const p = settingsPath2();
+  mkdirSync4(join4(homedir3(), ".shadowob"), { recursive: true });
+  writeFileSync4(p, JSON.stringify(data, null, 2), "utf-8");
+}
+function normalizeSettings(ctx, settings) {
+  const normalized = JSON.parse(JSON.stringify(settings));
+  let changed = false;
+  if (Array.isArray(normalized.providers)) {
+    ctx.envGroupDao.ensure("default");
+    for (const provider of normalized.providers) {
+      if (!provider || typeof provider !== "object") continue;
+      const providerRecord = provider;
+      const providerId = typeof providerRecord.id === "string" ? providerRecord.id : null;
+      const apiKey = typeof providerRecord.apiKey === "string" ? providerRecord.apiKey : null;
+      if (providerId && apiKey && apiKey.trim()) {
+        const envKey = toProviderSecretEnvKey(providerId, "apiKey");
+        if (!ctx.envVarDao.getValue("global", envKey)) {
+          ctx.envVarDao.upsert("global", envKey, apiKey, true, "default");
+        }
+        delete providerRecord.apiKey;
+        changed = true;
+      }
+    }
+  }
+  return { normalized, changed };
+}
+function createSettingsHandler(ctx) {
+  const app = new Hono10();
+  app.get("/settings", (c) => {
+    const { normalized, changed } = normalizeSettings(ctx, readSettings2());
+    if (changed) {
+      writeSettings2(normalized);
+    }
+    return c.json(normalized);
+  });
+  app.put("/settings", async (c) => {
+    try {
+      const data = await c.req.json();
+      const { normalized } = normalizeSettings(ctx, data);
+      writeSettings2(normalized);
+      return c.json({ ok: true });
+    } catch (err) {
+      return c.json({ error: err.message }, 400);
+    }
+  });
+  app.get("/images", (c) => c.json(ctx.container.image.list()));
+  app.get("/runtimes", (c) => {
+    const runtimes = ctx.container.runtime.getAll();
+    return c.json(
+      runtimes.map((r) => ({ id: r.id, name: r.name, defaultImage: r.defaultImage }))
+    );
+  });
+  app.get("/plugins", async (c) => {
+    let enabledPlugins = {};
+    const configRow = ctx.configDao.findByName("current");
+    if (configRow) {
+      const content = configRow.content;
+      enabledPlugins = content.plugins ?? {};
+    } else {
+      const configPath = resolve4("shadowob-cloud.json");
+      try {
+        if (existsSync5(configPath)) {
+          const config = JSON.parse(readFileSync4(configPath, "utf-8"));
+          enabledPlugins = config.plugins ?? {};
+        }
+      } catch {
+      }
+    }
+    const { getPluginRegistry: getPluginRegistry2, loadAllPlugins: loadAllPlugins2 } = await import("./plugins-HZBWK3WQ.js");
+    try {
+      await loadAllPlugins2(getPluginRegistry2());
+    } catch {
+    }
+    const registry = getPluginRegistry2();
+    const plugins = registry.getAll().map((p) => ({
+      id: p.manifest.id,
+      name: p.manifest.name,
+      description: p.manifest.description,
+      category: p.manifest.category,
+      icon: p.manifest.icon,
+      version: p.manifest.version,
+      capabilities: p.manifest.capabilities,
+      tags: p.manifest.tags,
+      auth: {
+        type: p.manifest.auth.type,
+        fields: p.manifest.auth.fields.map((f) => ({
+          key: f.key,
+          label: f.label,
+          description: f.description,
+          required: f.required,
+          placeholder: f.placeholder
+        }))
+      },
+      enabled: !!enabledPlugins[p.manifest.id],
+      hasSkills: !!p.skills,
+      hasCli: !!p.cli,
+      hasMcp: !!p.mcp,
+      hasChannel: !!p.channel
+    }));
+    return c.json({ plugins });
+  });
+  app.put("/plugins/:id", async (c) => {
+    const pluginId = c.req.param("id");
+    const update = await c.req.json();
+    const configRow = ctx.configDao.findByName("current");
+    let config = configRow ? configRow.content : {};
+    if (!config.plugins) config.plugins = {};
+    const plugins = config.plugins;
+    if (!plugins[pluginId]) plugins[pluginId] = {};
+    if (update.enabled !== void 0) {
+      plugins[pluginId].enabled = update.enabled;
+    }
+    if (update.secrets) {
+      plugins[pluginId].secrets = update.secrets;
+    }
+    ctx.configDao.upsert("current", config);
+    return c.json({ success: true });
+  });
+  return app;
+}
+
+// src/interfaces/http/handlers/template.handler.ts
+import { Hono as Hono11 } from "hono";
+function extractEnvRefs(obj, policy) {
+  const refs = /* @__PURE__ */ new Set();
+  const pattern = /\$\{env:([A-Za-z_][A-Za-z0-9_]*)\}/g;
+  function walk(val) {
+    if (typeof val === "string") {
+      for (const match of val.matchAll(pattern)) {
+        const envKey = match[1];
+        if (!envKey || policy?.ignoredKeys?.includes(envKey)) continue;
+        refs.add(policy?.aliases?.[envKey] ?? envKey);
+      }
+    } else if (Array.isArray(val)) {
+      for (const item of val) walk(item);
+    } else if (val && typeof val === "object") {
+      for (const v of Object.values(val)) walk(v);
+    }
+  }
+  walk(obj);
+  return [...refs].sort();
+}
+function createTemplateHandler(ctx) {
+  const app = new Hono11();
+  app.get("/templates", async (c) => {
+    const locale = c.req.query("locale");
+    return c.json(await ctx.container.template.list(locale));
+  });
+  app.get("/templates/catalog", async (c) => {
+    const locale = c.req.query("locale");
+    return c.json(await ctx.container.templateI18n.listCatalog(locale));
+  });
+  app.get("/templates/:name/details", async (c) => {
+    const name = c.req.param("name");
+    const locale = c.req.query("locale");
+    const detail = await ctx.container.templateI18n.getTemplateDetail(name, locale);
+    if (!detail) return c.json({ error: `Template not found: ${name}` }, 404);
+    return c.json({ template: detail });
+  });
+  app.get("/templates/:name", async (c) => {
+    const name = c.req.param("name");
+    const content = await ctx.container.template.getTemplate(name);
+    if (!content) return c.json({ error: `Template not found: ${name}` }, 404);
+    return c.json(content);
+  });
+  app.get("/templates/:name/env-refs", async (c) => {
+    const name = c.req.param("name");
+    const content = await ctx.container.template.getTemplate(name);
+    if (!content) return c.json({ error: `Template not found: ${name}` }, 404);
+    const [envRefPolicy, runtimeFields, runtimeEnvVars] = await Promise.all([
+      collectRuntimeEnvRefPolicy(content),
+      collectRuntimeEnvFields(content),
+      collectRuntimeEnvRequirements(content)
+    ]);
+    const refs = extractEnvRefs(content, envRefPolicy);
+    const byKey = new Map(runtimeFields.map((field) => [field.key, field]));
+    for (const key of refs) {
+      if (!byKey.has(key)) {
+        byKey.set(key, {
+          key,
+          label: key,
+          required: true,
+          sensitive: /(TOKEN|SECRET|PASSWORD|PRIVATE|CREDENTIAL|API_KEY|_KEY$|_B64$)/i.test(key),
+          source: "template",
+          sourceId: "template",
+          sourceLabel: "Template"
+        });
+      }
+    }
+    const fields = [...byKey.values()].sort((a, b) => a.key.localeCompare(b.key));
+    const visibleKeys = new Set(fields.map((field) => field.key));
+    const hiddenKeys = new Set(envRefPolicy.hiddenKeys);
+    return c.json({
+      template: name,
+      requiredEnvVars: refs,
+      fields,
+      autoDetectedEnvVars: runtimeEnvVars.filter((key) => !visibleKeys.has(key) && !hiddenKeys.has(key)).sort()
+    });
+  });
+  return app;
+}
+
+// src/interfaces/http/middleware/auth.middleware.ts
+function createAuthMiddleware(authToken) {
+  return async (c, next) => {
+    const header = c.req.header("Authorization");
+    if (!header) return c.json({ error: "Authorization required" }, 401);
+    const token = header.replace(/^Bearer\s+/i, "");
+    if (token !== authToken) return c.json({ error: "Invalid token" }, 403);
+    await next();
+  };
+}
+
+// src/interfaces/http/middleware/error.middleware.ts
+function createErrorHandler(logger) {
+  return (err, c) => {
+    logger.error(`Request error: ${err.message}`);
+    return c.json({ error: err.message }, 500);
+  };
+}
+
+// src/interfaces/http/app.ts
+var MIME_TYPES = {
+  ".html": "text/html",
+  ".js": "application/javascript",
+  ".css": "text/css",
+  ".json": "application/json",
+  ".png": "image/png",
+  ".jpg": "image/jpeg",
+  ".svg": "image/svg+xml",
+  ".ico": "image/x-icon",
+  ".woff": "font/woff",
+  ".woff2": "font/woff2",
+  ".ttf": "font/ttf"
+};
+function consoleDir() {
+  return resolve5(fileURLToPath(import.meta.url), "..", "console");
+}
+function createCloudApp(ctx, authToken) {
+  const app = new Hono12();
+  app.onError(createErrorHandler(ctx.container.logger));
+  app.use("*", cors());
+  if (authToken) {
+    app.use("/api/*", createAuthMiddleware(authToken));
+  }
+  const healthHandler = createHealthHandler(ctx);
+  app.route("/api", healthHandler);
+  app.get("/health", (c) => c.json({ status: "ok", timestamp: (/* @__PURE__ */ new Date()).toISOString() }));
+  app.route("/api", createTemplateHandler(ctx));
+  app.route("/api", createDeployHandler(ctx));
+  app.route("/api", createClusterHandler(ctx));
+  app.route("/api", createConfigHandler(ctx));
+  app.route("/api", createSettingsHandler(ctx));
+  app.route("/api", createActivityHandler(ctx));
+  app.route("/api", createSecretHandler(ctx));
+  app.route("/api", createProviderProfileHandler(ctx));
+  app.route("/api", createMyTemplatesHandler(ctx));
+  app.route("/api", createCommunityHandler(ctx));
+  app.get("*", (c) => {
+    const distDir = consoleDir();
+    if (!existsSync6(distDir)) return c.json({ error: "Not found" }, 404);
+    const pathname = new URL(c.req.url).pathname;
+    const filePath = join5(distDir, pathname === "/" ? "index.html" : pathname);
+    if (existsSync6(filePath) && statSync(filePath).isFile()) {
+      const ext = extname(filePath);
+      const contentType = MIME_TYPES[ext] ?? "application/octet-stream";
+      const content = readFileSync5(filePath);
+      return new Response(content, {
+        headers: {
+          "Content-Type": contentType,
+          "Cache-Control": ext === ".html" ? "no-cache" : "public, max-age=31536000, immutable"
+        }
+      });
+    }
+    const indexPath = join5(distDir, "index.html");
+    if (existsSync6(indexPath)) {
+      return c.html(readFileSync5(indexPath, "utf-8"));
+    }
+    return c.json({ error: "Not found" }, 404);
+  });
+  return app;
+}
+
+// src/application/cloud-saas-config.ts
+import { z } from "zod";
+var CLOUD_SAAS_RUNTIME_KEY = "__shadowobRuntime";
+var agentSnapshotSchema = z.object({
+  id: z.string().min(1),
+  runtime: z.string().min(1)
+}).passthrough();
+var cloudConfigSnapshotSchema = z.object({
+  version: z.string().min(1),
+  deployments: z.object({
+    agents: z.array(agentSnapshotSchema).min(1)
+  }).passthrough()
+}).passthrough();
+var runtimeMetadataSchema = z.object({
+  envVars: z.record(z.string()).default({}),
+  context: z.object({
+    locale: z.string().optional(),
+    timezone: z.string().optional()
+  }).optional(),
+  provisionState: z.unknown().optional()
+}).passthrough();
+var SENSITIVE_KEY_PATTERN = /(^|[_-])(token|secret|password|passphrase|api[-_]?key|private[-_]?key|credential|authorization|cookie|session|kubeconfig|encrypted)([_-]|$)/i;
+var SENSITIVE_CONTAINER_KEYS = /* @__PURE__ */ new Set(["secrets", "envVars"]);
+function formatValidationError(error) {
+  return error.issues.slice(0, 5).map((issue) => {
+    const path = issue.path.length > 0 ? issue.path.join(".") : "root";
+    return `${path}: ${issue.message}`;
+  }).join("; ");
+}
+function normalizeRuntimeEnvVars(envVars2) {
+  const normalized = {};
+  if (!envVars2) return normalized;
+  for (const [key, value] of Object.entries(envVars2)) {
+    if (typeof value !== "string") continue;
+    if (value === "__SAVED__" || value.trim() === "") continue;
+    normalized[key] = value;
+  }
+  return normalized;
+}
+function normalizeProvisionState(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value)) return null;
+  const candidate = value;
+  const plugins = candidate.plugins;
+  if (!plugins || typeof plugins !== "object" || Array.isArray(plugins)) return null;
+  return {
+    provisionedAt: typeof candidate.provisionedAt === "string" ? candidate.provisionedAt : (/* @__PURE__ */ new Date()).toISOString(),
+    ...typeof candidate.stackName === "string" ? { stackName: candidate.stackName } : {},
+    ...typeof candidate.namespace === "string" ? { namespace: candidate.namespace } : {},
+    plugins
+  };
+}
+function isLoopbackShadowUrl(url) {
+  if (!url) return false;
+  try {
+    const parsed = new URL(url);
+    return parsed.hostname === "localhost" || parsed.hostname === "127.0.0.1" || parsed.hostname === "[::1]";
+  } catch {
+    return false;
+  }
+}
+function resolveProvisionShadowUrl(runtimeEnvVars, processEnv, fallbackShadowUrl) {
+  const explicitProvisionUrl = runtimeEnvVars.SHADOW_PROVISION_URL ?? processEnv.SHADOW_PROVISION_URL;
+  if (explicitProvisionUrl) return explicitProvisionUrl;
+  if (isLoopbackShadowUrl(fallbackShadowUrl)) {
+    return processEnv.SHADOW_SERVER_URL ?? fallbackShadowUrl;
+  }
+  return fallbackShadowUrl;
+}
+function redactUnknown(value, forceRedact = false) {
+  if (Array.isArray(value)) {
+    return value.map((item) => redactUnknown(item, forceRedact));
+  }
+  if (value && typeof value === "object") {
+    return Object.fromEntries(
+      Object.entries(value).map(([key, childValue]) => {
+        if (key === CLOUD_SAAS_RUNTIME_KEY) {
+          return [key, void 0];
+        }
+        if (forceRedact || SENSITIVE_CONTAINER_KEYS.has(key) || SENSITIVE_KEY_PATTERN.test(key)) {
+          return [key, redactUnknown(childValue, true)];
+        }
+        return [key, redactUnknown(childValue, false)];
+      })
+    );
+  }
+  if (forceRedact && value !== null && value !== void 0) {
+    return "[REDACTED]";
+  }
+  return value;
+}
+function validateCloudSaasConfigSnapshot(configSnapshot) {
+  const result = cloudConfigSnapshotSchema.safeParse(configSnapshot);
+  if (!result.success) {
+    throw Object.assign(
+      new Error(`Invalid configSnapshot: ${formatValidationError(result.error)}`),
+      { status: 422 }
+    );
+  }
+  return result.data;
+}
+function prepareCloudSaasConfigSnapshot(configSnapshot, envVars2, context) {
+  const validated = validateCloudSaasConfigSnapshot(configSnapshot);
+  const runtimeEnvVars = normalizeRuntimeEnvVars(envVars2);
+  const runtimeContext = normalizeDeploymentRuntimeContext(context);
+  const runtime = runtimeMetadataSchema.safeParse(validated[CLOUD_SAAS_RUNTIME_KEY]);
+  const configWithLocale = runtimeContext.locale ? { ...validated, locale: runtimeContext.locale } : validated;
+  if (Object.keys(runtimeEnvVars).length === 0 && isDeploymentRuntimeContextEmpty(runtimeContext)) {
+    return configWithLocale;
+  }
+  return {
+    ...configWithLocale,
+    [CLOUD_SAAS_RUNTIME_KEY]: {
+      ...runtime.success && runtime.data && typeof runtime.data === "object" ? runtime.data : {},
+      envVars: runtimeEnvVars,
+      ...isDeploymentRuntimeContextEmpty(runtimeContext) ? {} : { context: runtimeContext }
+    }
+  };
+}
+function attachCloudSaasProvisionState(configSnapshot, provisionState) {
+  const validated = validateCloudSaasConfigSnapshot(configSnapshot);
+  const runtime = runtimeMetadataSchema.safeParse(validated[CLOUD_SAAS_RUNTIME_KEY]);
+  const envVars2 = runtime.success ? normalizeRuntimeEnvVars(runtime.data.envVars) : {};
+  const context = runtime.success ? normalizeDeploymentRuntimeContext(runtime.data.context) : void 0;
+  return {
+    ...validated,
+    [CLOUD_SAAS_RUNTIME_KEY]: {
+      ...runtime.success && runtime.data && typeof runtime.data === "object" ? runtime.data : {},
+      envVars: envVars2,
+      ...context && !isDeploymentRuntimeContextEmpty(context) ? { context } : {},
+      provisionState
+    }
+  };
+}
+function extractCloudSaasRuntime(configSnapshot) {
+  if (!configSnapshot || typeof configSnapshot !== "object" || Array.isArray(configSnapshot)) {
+    return { configSnapshot: null, envVars: {}, context: {}, provisionState: null };
+  }
+  const snapshot = { ...configSnapshot };
+  const runtime = runtimeMetadataSchema.safeParse(snapshot[CLOUD_SAAS_RUNTIME_KEY]);
+  delete snapshot[CLOUD_SAAS_RUNTIME_KEY];
+  return {
+    configSnapshot: snapshot,
+    envVars: runtime.success ? normalizeRuntimeEnvVars(runtime.data.envVars) : {},
+    context: runtime.success ? normalizeDeploymentRuntimeContext(runtime.data.context) : {},
+    provisionState: runtime.success ? normalizeProvisionState(runtime.data.provisionState) : null
+  };
+}
+function resolveCloudSaasShadowRuntime(envVars2, processEnv = process.env) {
+  const runtimeEnvVars = normalizeRuntimeEnvVars(envVars2);
+  const runtimeShadowUrl = runtimeEnvVars.SHADOW_SERVER_URL ?? processEnv.SHADOW_SERVER_URL;
+  const shadowUrl = resolveProvisionShadowUrl(runtimeEnvVars, processEnv, runtimeShadowUrl);
+  const podShadowUrl = runtimeEnvVars.SHADOW_AGENT_SERVER_URL ?? processEnv.SHADOW_AGENT_SERVER_URL ?? runtimeShadowUrl ?? shadowUrl;
+  const shadowToken = runtimeEnvVars.SHADOW_USER_TOKEN ?? processEnv.SHADOW_USER_TOKEN;
+  return { shadowUrl, podShadowUrl, shadowToken };
+}
+function redactCloudSaasConfigSnapshot(configSnapshot) {
+  const { configSnapshot: snapshot } = extractCloudSaasRuntime(configSnapshot);
+  if (!snapshot) return null;
+  const redacted = redactUnknown(snapshot, false);
+  if (!redacted || typeof redacted !== "object" || Array.isArray(redacted)) {
+    return redacted;
+  }
+  const result = { ...redacted };
+  delete result[CLOUD_SAAS_RUNTIME_KEY];
+  return result;
+}
+function sanitizeCloudSaasDeployment(deployment) {
+  return {
+    ...deployment,
+    configSnapshot: redactCloudSaasConfigSnapshot(deployment.configSnapshot)
+  };
+}
+
+// src/interfaces/http/deploy-task-manager.ts
+function shouldSkipProgressLine(line) {
+  const trimmed = line.trim();
+  return trimmed === "." || trimmed === ".." || /^@\s+updating\.+/.test(trimmed) || /^\.\.+$/.test(trimmed);
+}
+var DeployTaskManager = class {
+  constructor(container, deploymentDao, deploymentLogDao, envVarDao) {
+    this.container = container;
+    this.deploymentDao = deploymentDao;
+    this.deploymentLogDao = deploymentLogDao;
+    this.envVarDao = envVarDao;
+  }
+  subscribers = /* @__PURE__ */ new Map();
+  activeTaskIds = /* @__PURE__ */ new Set();
+  cancelTokens = /* @__PURE__ */ new Map();
+  async start(config) {
+    const task = this.deploymentDao.create({
+      namespace: config.namespace ?? "shadowob-cloud",
+      templateSlug: config.templateSlug ?? config.name ?? null,
+      status: "pending",
+      config,
+      agentCount: 0
+    });
+    this.activeTaskIds.add(task.id);
+    queueMicrotask(() => {
+      void this.run(task.id, config);
+    });
+    return task;
+  }
+  isActive(taskId) {
+    return this.activeTaskIds.has(taskId);
+  }
+  async cancel(taskId) {
+    const task = this.deploymentDao.findById(taskId);
+    if (!task) return { ok: false, error: "Deployment task not found" };
+    if (!this.activeTaskIds.has(taskId)) {
+      if (task.status === "pending" || task.status === "running" || task.status === "cancelling") {
+        this.deploymentDao.update(taskId, { status: "failed", error: "cancelled by user" });
+        this.appendLog(taskId, "[cancel] Task was not running; marked cancelled");
+        return { ok: true, status: "failed" };
+      }
+      return { ok: false, error: `Cannot cancel deployment in status "${task.status}"` };
+    }
+    const token = this.cancelTokens.get(taskId);
+    if (!token) return { ok: true, status: "cancelling" };
+    token.cancelled = true;
+    this.deploymentDao.update(taskId, { status: "cancelling" });
+    this.appendLog(taskId, "[cancel] User requested cancellation");
+    if (token.stack && !token.cancelSignalled) {
+      token.cancelSignalled = true;
+      await token.stack.cancel().catch((err) => {
+        this.appendLog(taskId, `[cancel] Failed to signal Pulumi cancellation: ${String(err)}`);
+      });
+    }
+    return { ok: true, status: "cancelling" };
+  }
+  subscribe(taskId, listener) {
+    const listeners = this.subscribers.get(taskId) ?? /* @__PURE__ */ new Set();
+    listeners.add(listener);
+    this.subscribers.set(taskId, listeners);
+    return () => {
+      const current = this.subscribers.get(taskId);
+      if (!current) return;
+      current.delete(listener);
+      if (current.size === 0) {
+        this.subscribers.delete(taskId);
+      }
+    };
+  }
+  emit(taskId, event) {
+    const listeners = this.subscribers.get(taskId);
+    if (!listeners?.size) return;
+    for (const listener of listeners) {
+      void listener(event);
+    }
+  }
+  appendLog(taskId, message) {
+    const sanitized = redactSecrets(message);
+    const log = this.deploymentLogDao.create({
+      deploymentId: taskId,
+      event: "log",
+      message: sanitized
+    });
+    this.emit(taskId, {
+      type: "log",
+      data: { id: log.id, message: sanitized, createdAt: log.createdAt }
+    });
+  }
+  appendOutput(taskId, output) {
+    for (const line of output.split("\n").filter(Boolean)) {
+      if (shouldSkipProgressLine(line)) continue;
+      this.appendLog(taskId, line);
+    }
+  }
+  async buildEnvOverrides(config) {
+    const envOverrides = {};
+    const namespace = typeof config.namespace === "string" ? config.namespace : void 0;
+    const scopes = [GLOBAL_ENV_SCOPE];
+    if (namespace) scopes.push(toDeploymentEnvScope(namespace));
+    const savedEnvVars = this.envVarDao.findAllDecryptedByScopes(scopes);
+    Object.assign(envOverrides, savedEnvVars);
+    const wizardEnvVars = config.envVars;
+    if (wizardEnvVars && typeof wizardEnvVars === "object") {
+      for (const [key, value] of Object.entries(wizardEnvVars)) {
+        if (typeof value === "string" && value !== "__SAVED__" && value.trim() !== "") {
+          envOverrides[key] = value;
+        }
+      }
+    }
+    const runtimeContext = normalizeDeploymentRuntimeContext(
+      config.runtimeContext
+    );
+    const { envVars: _envVars, runtimeContext: _runtimeContext, ...templateConfig } = config;
+    if (runtimeContext.locale) {
+      templateConfig.locale = runtimeContext.locale;
+    }
+    const policy = await collectRuntimeEnvRefPolicy(templateConfig);
+    return {
+      envOverrides: applyRuntimeEnvRefPolicy(envOverrides, policy),
+      templateConfig,
+      runtimeContext
+    };
+  }
+  async run(taskId, config) {
+    const { envOverrides, templateConfig, runtimeContext } = await this.buildEnvOverrides(config);
+    const { shadowUrl, podShadowUrl, shadowToken } = resolveCloudSaasShadowRuntime(envOverrides);
+    const cancelToken = { cancelled: false };
+    this.cancelTokens.set(taskId, cancelToken);
+    try {
+      this.deploymentDao.update(taskId, {
+        status: "running",
+        namespace: templateConfig.namespace ?? config.namespace ?? "shadowob-cloud",
+        templateSlug: config.templateSlug ?? config.name ?? null,
+        config
+      });
+      this.appendLog(taskId, "Starting deployment...");
+      const result = await this.container.deploymentRuntime.deployFromSnapshot({
+        configSnapshot: templateConfig,
+        runtimeEnvVars: envOverrides,
+        runtimeContext,
+        namespace: templateConfig.namespace,
+        dryRun: templateConfig.dryRun,
+        shadowUrl,
+        shadowToken,
+        k8sShadowUrl: podShadowUrl,
+        onOutput: (output) => {
+          this.appendOutput(taskId, output);
+        },
+        onStackReady: (stack) => {
+          cancelToken.stack = stack;
+        },
+        isCancelled: () => cancelToken.cancelled
+      });
+      if (cancelToken.cancelled) {
+        throw new Error("Deployment cancelled by user");
+      }
+      this.deploymentDao.update(taskId, {
+        namespace: result.namespace ?? config.namespace ?? "shadowob-cloud",
+        templateSlug: config.templateSlug ?? config.name ?? null,
+        status: "deployed",
+        config,
+        agentCount: result.agentCount ?? 0,
+        error: null
+      });
+      const doneEvent = {
+        exitCode: 0,
+        result: {
+          namespace: result.namespace,
+          agentCount: result.agentCount
+        }
+      };
+      this.emit(taskId, { type: "done", data: doneEvent });
+    } catch (error) {
+      const message = error.message;
+      const cancelled = cancelToken.cancelled || /cancel/i.test(message);
+      this.deploymentDao.update(taskId, {
+        status: "failed",
+        error: cancelled ? "cancelled by user" : message
+      });
+      this.appendLog(taskId, cancelled ? `Cancelled: ${message}` : `Error: ${message}`);
+      this.emit(taskId, { type: "done", data: { exitCode: 1, error: message } });
+    } finally {
+      this.activeTaskIds.delete(taskId);
+      this.cancelTokens.delete(taskId);
+    }
+  }
+};
+
+// src/interfaces/http/server.ts
+function createHandlerContext(container, namespaces) {
+  const db = createDatabase();
+  runMigrations(db);
+  const configDao = new ConfigDao(db);
+  const secretDao = new SecretDao(db);
+  const deploymentDao = new DeploymentDao(db);
+  const deploymentBackupDao = new DeploymentBackupDao(db);
+  const deploymentLogDao = new DeploymentLogDao(db);
+  const activityDao = new ActivityDao(db);
+  const envVarDao = new EnvVarDao(db);
+  const envGroupDao = new EnvGroupDao(db);
+  const legacySecrets = secretDao.findAllDecryptedEntries();
+  for (const entry of legacySecrets) {
+    envGroupDao.ensure(entry.groupName);
+    const envKey = toProviderSecretEnvKey(entry.providerId, entry.key);
+    if (!envVarDao.getValue("global", envKey)) {
+      envVarDao.upsert("global", envKey, entry.value, true, entry.groupName);
+    }
+  }
+  if (legacySecrets.length > 0) {
+    secretDao.deleteAll();
+  }
+  const deployTaskManager = new DeployTaskManager(
+    container,
+    deploymentDao,
+    deploymentLogDao,
+    envVarDao
+  );
+  return {
+    container,
+    configDao,
+    secretDao,
+    deploymentDao,
+    deploymentBackupDao,
+    deploymentLogDao,
+    activityDao,
+    envVarDao,
+    envGroupDao,
+    deployTaskManager,
+    namespaces
+  };
+}
+function consoleDir2() {
+  return resolve6(fileURLToPath2(import.meta.url), "..", "console");
+}
+function startHttpServer(container, options) {
+  let authToken = options.authToken;
+  const isExternalBind = options.host !== "127.0.0.1" && options.host !== "localhost";
+  if (isExternalBind && !authToken) {
+    authToken = randomBytes3(32).toString("hex");
+    container.logger.warn(
+      `Binding to ${options.host} requires authentication. Auto-generated token:`
+    );
+    container.logger.info(`  ${authToken}`);
+    container.logger.dim("  Pass via: --auth-token <token> or Authorization: Bearer <token>");
+  }
+  const ctx = createHandlerContext(container, options.namespaces);
+  const app = createCloudApp(ctx, authToken);
+  const server = serve(
+    {
+      fetch: app.fetch,
+      port: options.port,
+      hostname: options.host
+    },
+    (info) => {
+      container.logger.success(
+        `shadowob-cloud console running at http://${options.host}:${info.port}`
+      );
+      container.logger.dim(`Watching namespaces: ${options.namespaces.join(", ")}`);
+      if (authToken) container.logger.dim("API authentication: enabled");
+      const distDir = consoleDir2();
+      if (existsSync7(distDir)) {
+        container.logger.dim("Console: serving from dist/console/");
+      } else {
+        container.logger.dim("Console: not built (run console:build first)");
+      }
+    }
+  );
+  return server;
+}
+
+// src/interfaces/cli/serve.command.ts
+function createServeCommand(container) {
+  return new Command("serve").description("Start the shadowob-cloud console API server").option("-p, --port <number>", "Port to listen on", "3004").option("-n, --namespace <ns...>", "Kubernetes namespace(s) to watch", ["shadowob-cloud"]).option("--host <host>", "Host to bind to", "127.0.0.1").option("--auth-token <token>", "Bearer token for API authentication").action((options) => {
+    const port = Number.parseInt(options.port, 10);
+    const namespaces = Array.isArray(options.namespace) ? options.namespace : [options.namespace];
+    startHttpServer(container, {
+      port,
+      host: options.host,
+      namespaces,
+      authToken: options.authToken
+    });
+  });
+}
+
+export {
+  CLOUD_SAAS_RUNTIME_KEY,
+  validateCloudSaasConfigSnapshot,
+  prepareCloudSaasConfigSnapshot,
+  attachCloudSaasProvisionState,
+  extractCloudSaasRuntime,
+  resolveCloudSaasShadowRuntime,
+  redactCloudSaasConfigSnapshot,
+  sanitizeCloudSaasDeployment,
+  resolveCloudPackageAssetDir,
+  loadCloudConfigSchema,
+  detectInlineKey,
+  listProviderCatalogs,
+  toProviderSecretEnvKey,
+  withLegacyEnvAliases,
+  createServeCommand
+};