@tangle-network/sandbox-cli 0.2.14 → 0.8.3-develop.20260622185956.d77b0be
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.mjs +13 -13
- package/package.json +4 -2
package/dist/index.mjs
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import{createRequire as e}from"node:module";import"dotenv/config";import{Command as t}from"commander";import n from"chalk";import{AuthError as r,NetworkError as i,NotFoundError as a,QuotaError as o,Sandbox as s,ServerError as c,StateError as l,TimeoutError as u,ValidationError as ee,createConfidentialSandbox as te,generateAttestationNonce as ne}from"@tangle-network/sandbox";import*as d from"node:fs";import{mkdirSync as re,readFileSync as f,writeFileSync as ie}from"node:fs";import*as ae from"node:os";import{tmpdir as oe}from"node:os";import*as p from"node:path";import{extname as se,join as m,resolve as h}from"node:path";import{execFileSync as g,spawn as ce}from"node:child_process";import{HubClient as le,HubSdkError as ue}from"@tangle-network/hub-sdk";import de from"ora";import{randomBytes as fe}from"node:crypto";import{createMcpServer as pe}from"@tangle-network/sandbox/agent";import{readFile as me}from"node:fs/promises";import{fileURLToPath as he}from"node:url";import ge from"ws";import{createIntelligenceClient as _e}from"@tangle-network/sandbox/intelligence";const _=p.join(ae.homedir(),`.tangle`),v=p.join(_,`credentials.json`),y=`tangle-sandbox-cli`,ve=`TANGLE_ALLOW_PLAINTEXT_CREDENTIALS`;var ye=class extends Error{constructor(e,t){super(`Credentials file at ${e} is corrupted and cannot be parsed. Inspect or remove it manually before retrying — refusing to overwrite it automatically.`),this.filePath=e,this.name=`CredentialsFileCorruptedError`,t&&(this.cause=t)}},be=class extends Error{constructor(){super(`Could not store credential in the OS keychain, and the plaintext fallback is not enabled. Install a keychain provider (macOS Keychain or libsecret/secret-tool on Linux), or set ${ve}=1 to opt into a plaintext credentials.json with mode 0600.`),this.name=`KeychainUnavailableError`}};function xe(e){let t=Te(e);if(t)return{value:t,source:`keychain`};let n=Oe(e);return n?{value:n,source:`file`}:{source:`none`}}function Se(e,t){if(Ee(e,t))return Ae(e),`keychain`;if(!we())throw new be;return ke(e,t),`file`}function Ce(e){De(e),Ae(e)}function we(){let e=process.env[ve];if(!e)return!1;let t=e.trim().toLowerCase();return t===`1`||t===`true`||t===`yes`}function Te(e){if(process.platform===`darwin`)try{return g(`security`,[`find-generic-password`,`-s`,y,`-a`,b(e),`-w`],{encoding:`utf8`,stdio:[`ignore`,`pipe`,`ignore`]}).trim()}catch{return}if(process.platform===`linux`)try{return g(`secret-tool`,[`lookup`,`service`,y,`account`,b(e)],{encoding:`utf8`,stdio:[`ignore`,`pipe`,`ignore`]}).trim()}catch{return}}function Ee(e,t){if(process.platform===`darwin`)try{return g(`security`,[`add-generic-password`,`-U`,`-s`,y,`-a`,b(e),`-w`,t],{stdio:[`ignore`,`ignore`,`ignore`]}),!0}catch{return!1}if(process.platform===`linux`)try{return g(`secret-tool`,[`store`,`--label=Tangle Sandbox CLI`,`service`,y,`account`,b(e)],{input:t,stdio:[`pipe`,`ignore`,`ignore`]}),!0}catch{return!1}return!1}function De(e){if(process.platform===`darwin`){try{g(`security`,[`delete-generic-password`,`-s`,y,`-a`,b(e)],{stdio:[`ignore`,`ignore`,`ignore`]})}catch{}return}if(process.platform===`linux`)try{g(`secret-tool`,[`clear`,`service`,y,`account`,b(e)],{stdio:[`ignore`,`ignore`,`ignore`]})}catch{}}function Oe(e){return je()[e]}function ke(e,t){let n=je();n[e]=t,Me(n)}function Ae(e){let t;try{t=je()}catch(e){if(e instanceof ye)return;throw e}e in t&&(delete t[e],Me(t))}function je(){let e;try{e=d.readFileSync(v,`utf8`)}catch(e){if(e instanceof Error&&`code`in e&&e.code===`ENOENT`)return{};throw e}try{let t=JSON.parse(e);if(typeof t!=`object`||!t||Array.isArray(t))throw new ye(v);let n={};for(let[e,r]of Object.entries(t))typeof r==`string`&&(n[e]=r);return n}catch(e){throw e instanceof ye?e:new ye(v,e instanceof Error?e:void 0)}}function Me(e){if(Ne(),Object.keys(e).length===0){d.existsSync(v)&&d.unlinkSync(v);return}let t=`${v}.${process.pid}.tmp`;d.writeFileSync(t,`${JSON.stringify(e,null,2)}\n`,{mode:384}),d.renameSync(t,v)}function Ne(){if(!d.existsSync(_)){d.mkdirSync(_,{mode:448,recursive:!0});return}if(process.platform!==`win32`)try{(d.statSync(_).mode&511)!=448&&d.chmodSync(_,448)}catch{}}function b(e){return`profile:${e}`}const Pe=p.join(ae.homedir(),`.tangle`),Fe=p.join(Pe,`credentials`),x=p.join(Pe,`config.json`),S=`default`;function Ie(){d.existsSync(Pe)||d.mkdirSync(Pe,{mode:448,recursive:!0})}function Le(e,t){Ie();let n=`${e}.${process.pid}.tmp`;d.writeFileSync(n,t,{mode:384}),d.renameSync(n,e)}function Re(){try{if(d.existsSync(Fe)){let e=d.readFileSync(Fe,`utf-8`).trim();return ze(e)?e:e.match(/api_key\s*=\s*(\S+)/)?.[1]}}catch{}}function ze(e){return e.startsWith(`sk_`)||e.startsWith(`sk-tan-`)}function Be(){try{d.existsSync(Fe)&&d.unlinkSync(Fe)}catch{}}function C(){return $e(Qe())}function w(e){let t=et(C(),e);Le(x,`${JSON.stringify(t,null,2)}\n`)}function T(e){return k(e||process.env.TANGLE_PROFILE||process.env.SANDBOX_PROFILE||C().activeProfile||S)}function Ve(e){w({activeProfile:k(e)})}function He(){let e=C(),t=T(),n=new Set([S,...Object.keys(e.profiles??{})]);return e.activeProfile&&n.add(k(e.activeProfile)),[...n].map(e=>{let n=xe(e),r=e===S?Re():void 0,i=n.source===`none`?r?`legacy-file`:`none`:n.source;return{name:e,active:e===t,hasApiKey:n.source!==`none`||!!r,baseUrl:D(void 0,e),apiKeySource:i}}).sort((e,t)=>e.name.localeCompare(t.name))}function Ue(e){let t=T(e);return{name:t,active:t===T(),apiKey:E(void 0,t),baseUrl:D(void 0,t),credentialSource:Ke(void 0,t)}}function We(e,t){let n=k(e),r=C(),i=Ze(n,r),a={},o=t.baseUrl??i.baseUrl;o&&(a.baseUrl=o);let s=t.activeTeamId??i.activeTeamId;s&&(a.activeTeamId=s);let c=t.activeTeamName??i.activeTeamName;c&&(a.activeTeamName=c);let l={...r.profiles??{}};a.baseUrl||a.activeTeamId||a.activeTeamName?l[n]=a:delete l[n];let u;return t.apiKey&&(u=Se(n,t.apiKey),n===S&&Be()),w({profiles:Object.keys(l).length>0?l:{}}),u}function Ge(e){let t=T(e),n={...C().profiles??{}},r=n[t];if(r){let e={...r,apiKey:void 0};e.baseUrl||e.activeTeamId||e.activeTeamName?n[t]=e:delete n[t]}w({profiles:n}),Ce(t),t===S&&Be()}function E(e,t){if(e)return e;let n=process.env.TANGLE_API_KEY||process.env.SANDBOX_API_KEY;if(n)return n;let r=T(t),i=xe(r);if(i.value)return i.value;if(r===S)return Re()}function Ke(e,t){if(e)return`flag`;if(process.env.TANGLE_API_KEY||process.env.SANDBOX_API_KEY)return`env`;let n=T(t),r=xe(n);return r.source===`none`?n===S&&Re()?`legacy-file`:`none`:r.source}function D(e,t){if(e)return e;let n=process.env.TANGLE_BASE_URL||process.env.SANDBOX_BASE_URL;if(n)return n;let r=T(t),i=C(),a=Ze(r,i);return a.baseUrl?a.baseUrl:r===S&&i.baseUrl?i.baseUrl:`https://sandbox.tangle.tools`}function qe(e){if(e)return e.replace(/\/v1\/hub\/?$/,``)}function O(e){let t=T(e.profile),n=E(e.apiKey,t);if(!n)throw Error(`No API key found for profile '${t}'. Set TANGLE_API_KEY or run: tangle auth login${t===S?``:` --profile ${t}`}`);return{apiKey:n,baseUrl:D(e.baseUrl,t),timeout:e.timeout??3e4,profile:t,...Je(t)}}function Je(e){let t=C(),n=Ze(T(e),t);return{activeTeamId:n.activeTeamId,activeTeamName:n.activeTeamName}}function Ye(e,t){We(T(t),{activeTeamId:e.id,activeTeamName:e.name})}function Xe(e){let t=T(e),n=C(),r={...n.profiles??{}},i={baseUrl:Ze(t,n).baseUrl};i.baseUrl?r[t]=i:delete r[t],w({profiles:r})}function Ze(e,t=C()){let n=k(e);return{...n===S?{baseUrl:t.baseUrl,activeTeamId:t.profiles?.[S]?.activeTeamId,activeTeamName:t.profiles?.[S]?.activeTeamName}:{},...t.profiles?.[n]??{}}}function Qe(){try{if(d.existsSync(x)){let e=d.readFileSync(x,`utf-8`);return JSON.parse(e)}}catch{}return{}}function $e(e){let t=!1,n={};e.apiKey&&(Se(S,e.apiKey),Be(),t=!0);for(let[r,i]of Object.entries(e.profiles??{})){i.apiKey&&(Se(r,i.apiKey),t=!0);let e={};i.baseUrl&&(e.baseUrl=i.baseUrl),i.activeTeamId&&(e.activeTeamId=i.activeTeamId),i.activeTeamName&&(e.activeTeamName=i.activeTeamName),Object.keys(e).length>0&&(n[r]=e)}let r={...e,apiKey:void 0,profiles:Object.keys(n).length>0?n:void 0};return t&&Le(x,`${JSON.stringify(r,null,2)}\n`),r}function et(e,t){let n=t.profiles===void 0?{...e.profiles??{}}:Object.fromEntries(Object.entries(t.profiles).filter(([,e])=>!!(e.apiKey||e.baseUrl||e.activeTeamId||e.activeTeamName)));return{...e,...t,profiles:Object.keys(n).length>0?n:void 0}}function k(e){let t=e.trim().toLowerCase();if(!t)throw Error(`Profile name cannot be empty`);if(!/^[a-z0-9][a-z0-9._-]*$/.test(t))throw Error(`Profile names may only contain lowercase letters, numbers, dots, underscores, and hyphens`);return t}let A=null,j=null;function M(e){if(e)return A&&j&&j.apiKey===e.apiKey&&j.baseUrl===e.baseUrl?A:(A=new s({apiKey:e.apiKey,baseUrl:e.baseUrl,timeoutMs:e.timeout}),j=e,A);if(A)return A;let t=O({});return A=new s({apiKey:t.apiKey,baseUrl:t.baseUrl,timeoutMs:t.timeout}),j=t,A}function N(){A=null,j=null}function tt(e){return e==null?n.dim(`-`):typeof e==`boolean`?e?n.green(`yes`):n.red(`no`):e instanceof Date?rt(e):typeof e==`string`&&nt(e)?rt(new Date(e)):String(e)}function nt(e){return/^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}/.test(e)}function rt(e){let t=Date.now()-e.getTime();if(t<6e4)return`just now`;if(t<36e5)return`${Math.floor(t/6e4)} min ago`;if(t<864e5){let e=Math.floor(t/36e5);return`${e} hour${e>1?`s`:``} ago`}let n=Math.floor(t/864e5);return`${n} day${n>1?`s`:``} ago`}function it(e){switch(e){case`running`:return n.green(e);case`pending`:case`provisioning`:return n.yellow(e);case`stopped`:return n.gray(e);case`failed`:case`deleted`:return n.red(e);default:return e}}function P(e,t){if(e.length===0){console.log(n.dim(`No items found.`));return}let r=t.map(t=>{let n=t.header.length,r=Math.max(...e.map(e=>tt(e[t.key]).length));return t.width??Math.max(n,r)+2}),i=t.map((e,t)=>n.bold(e.header.padEnd(r[t]))).join(``);console.log(i);for(let n of e){let e=t.map((e,t)=>{let i=tt(n[e.key]);return e.key===`status`&&(i=it(String(n[e.key]))),i.padEnd(r[t])}).join(``);console.log(e)}}function F(e){console.log(JSON.stringify(e,null,2))}function I(e){console.log(n.green(`✓`),e)}function L(e){console.error(n.red(`✗`),e)}function at(e){console.log(n.yellow(`!`),e)}function R(e){console.log(n.blue(`→`),e)}function z(e){return de({text:e,color:`cyan`})}function B(e,t=0){let r=` `.repeat(t);for(let[t,i]of Object.entries(e))i!=null&&console.log(`${r}${n.dim(`${t}:`)} ${tt(i)}`)}function ot(e){if(console.log(),console.log(n.bold(`Sandbox Details`)),console.log(n.dim(`─`.repeat(40))),B({ID:e.id,Name:e.name,Status:it(e.status),Created:e.createdAt,Expires:e.expiresAt}),e.connection){if(console.log(),console.log(n.bold(`Connection`)),console.log(n.dim(`─`.repeat(40))),e.connection.ssh){let{ssh:t}=e.connection,n=process.platform===`win32`?`NUL`:`/dev/null`,r=`ssh -o ProxyCommand="${t.proxyCommand}" -o StrictHostKeyChecking=no -o UserKnownHostsFile=${n} -o GlobalKnownHostsFile=${n} -o LogLevel=ERROR -o ServerAliveInterval=15 -o ServerAliveCountMax=4 -o TCPKeepAlive=yes ${t.username}@localhost -p ${t.port}`;B({SSH:process.platform===`win32`?`$env:TANGLE_SSH_PROXY_AUTH_TOKEN='<token>'; ${r}`:`TANGLE_SSH_PROXY_AUTH_TOKEN='<token>' ${r}`})}e.connection.webTerminalUrl&&B({"Web Terminal":e.connection.webTerminalUrl}),e.connection.runtimeUrl&&B({"API URL":e.connection.runtimeUrl})}console.log()}function V(e,t){t?F({error:e.message}):L(e.message),process.exit(1)}function H(e){F(e)}function U(e,t){if(t.length===0){console.log(n.dim(`No items found.`));return}let r=e.map((e,n)=>{let r=Math.max(...t.map(e=>String(e[n]??``).length));return Math.max(e.length,r)+2});console.log(e.map((e,t)=>n.bold(e.padEnd(r[t]))).join(``));for(let e of t)console.log(e.map((e,t)=>String(e??``).padEnd(r[t])).join(``))}function W(e,t=!1){t&&(F(st(e)),process.exit(mt(e)));let r=ct(e);console.error(n.red(`Error:`),r),process.exit(mt(e))}function st(e){return e instanceof ue?{error:{code:e.code,message:e.message,...typeof e.status==`number`?{status:e.status}:{},...e.details===void 0?{}:{details:e.details}}}:pt(e)?{error:{code:e.code,message:e.message,status:e.status,...e.details===void 0?{}:{details:e.details}}}:{error:{message:ct(e)}}}function ct(e){if(e instanceof r)return`Authentication failed. Run 'tangle auth login' to authenticate.`;if(e instanceof a)return`Resource not found. Check the ID and try again.`;if(e instanceof o)return`Quota exceeded. Upgrade your plan or wait for quota reset.`;if(e instanceof ee)return`Invalid input: ${e.message}`;if(e instanceof l)return`Invalid state: ${e.message}`;if(e instanceof u)return`Request timed out. Try again or increase timeout with --timeout.`;if(e instanceof i)return`Network error. Check your connection and try again.`;if(e instanceof c)return`${e.status?`HTTP ${e.status}`:`server error`}: ${e.message}`;if(e instanceof ue){let t=typeof e.status==`number`?` (HTTP ${e.status})`:``;return e.code===`HUB_CONNECTION_MISSING`?lt(e.code,t,e.message,e.details):e.code===`HUB_APPROVAL_REQUIRED`?dt(e.code,t,e.message):e.code===`HUB_UNAUTHENTICATED`?ft(e.code,t,e.message):`${e.code}${t}: ${e.message}`}return pt(e)?e.code===`HUB_CONNECTION_MISSING`?lt(e.code,` (HTTP ${e.status})`,e.message,e.details):e.code===`HUB_APPROVAL_REQUIRED`?dt(e.code,` (HTTP ${e.status})`,e.message):e.code===`HUB_UNAUTHENTICATED`?ft(e.code,` (HTTP ${e.status})`,e.message):`${e.code} (HTTP ${e.status}): ${e.message}`:e instanceof Error?e.message:String(e)}function lt(e,t,n,r){let i=ut(r);return`${e}${t}: ${n}${i?`. Run: tangle hub connect ${i}`:``}`}function ut(e){if(!e||typeof e!=`object`)return;let t=e.provider;return typeof t==`string`&&t.length>0?t:void 0}function dt(e,t,n){return`${e}${t}: ${n}. Run the command again with --auto-approve, or run: tangle hub resume <approval-id> --accept. See: tangle hub resume --help`}function ft(e,t,n){return`${e}${t}: ${n}. Hub commands need a platform API key or Hub capability token. Set TANGLE_HUB_CAPABILITY_TOKEN, TANGLE_API_KEY, or SANDBOX_API_KEY. Stored credentials from tangle auth login may be sandbox JWTs and incompatible with Hub endpoints.`}function pt(e){if(!(e instanceof Error))return!1;let t=e;return typeof t.code==`string`&&t.code.startsWith(`HUB_`)&&typeof t.status==`number`}function mt(e){return e instanceof ee?2:1}const ht=[`anthropic`,`openai`,`vercel-ai`,`mastra`,`mcp-local`,`claude-desktop`,`cursor`,`zed`];function gt(e,t,n){switch(e){case`anthropic`:return`// pnpm add @anthropic-ai/sdk @tangle-network/sandbox
|
|
1
|
+
import{createRequire as e}from"node:module";import"dotenv/config";import{Command as t}from"commander";import{randomBytes as n,randomUUID as r}from"node:crypto";import i from"chalk";import*as a from"node:fs";import{existsSync as o,mkdirSync as s,readFileSync as c,renameSync as l,writeFileSync as u}from"node:fs";import*as d from"node:path";import{basename as f,dirname as p,extname as ee,join as te,resolve as ne}from"node:path";import{AuthError as re,NetworkError as m,NotFoundError as ie,QuotaError as ae,Sandbox as h,ServerError as g,StateError as _,TimeoutError as oe,ValidationError as se,createConfidentialSandbox as ce,generateAttestationNonce as le}from"@tangle-network/sandbox";import*as ue from"node:os";import{homedir as de,tmpdir as fe}from"node:os";import{execFileSync as v,spawn as pe}from"node:child_process";import{HubClient as me,HubSdkError as he}from"@tangle-network/hub-sdk";import ge from"ora";import{createMcpServer as _e}from"@tangle-network/sandbox/agent";import{readFile as ve}from"node:fs/promises";import{fileURLToPath as ye}from"node:url";import be from"ws";import{supervise as xe,workerFromBackend as Se}from"@tangle-network/agent-runtime/loops";import{createIntelligenceClient as Ce}from"@tangle-network/sandbox/intelligence";function we(e){if(e.startsWith(`github:`)){let[t,n]=e.slice(7).split(`@`,2),r=t.split(`/`).filter(Boolean);if(r.length<3)throw Error(`invalid github ref "${e}": expected github:<owner>/<repo>/<path>[@<ref>]`);let i=`${r[0]}/${r[1]}`,a=r.slice(2).join(`/`);return{kind:`github`,repository:i,path:a,...n?{ref:n}:{},name:f(a)}}let t;try{t=c(e,`utf8`)}catch{throw Error(`cannot read skill/tool "${e}": not a readable file and not a github: ref`)}return{kind:`inline`,name:f(e),content:t}}function Te(e){let t=(e.skills??[]).map(we),n=(e.tools??[]).map(we),r=t.length>0||n.length>0;if(!(!e.model&&!e.systemPrompt&&!r))return{...e.model?{model:{default:e.model}}:{},...e.systemPrompt?{prompt:{systemPrompt:e.systemPrompt}}:{},...r?{resources:{...t.length>0?{skills:t}:{},...n.length>0?{tools:n}:{}}}:{}}}async function Ee(e){let t;if(e.startsWith(`github:`)){let[n,r]=e.slice(7).split(`@`,2),i=n.split(`/`).filter(Boolean);if(i.length<3)throw Error(`invalid --profile github ref "${e}": expected github:<owner>/<repo>/<path>[@<ref>]`);let a=r??`main`;t=await Pe(`https://raw.githubusercontent.com/${i[0]}/${i[1]}/${a}/${i.slice(2).join(`/`)}`)}else t=/^https?:\/\//.test(e)?await Pe(e):c(e,`utf8`);let n;try{n=JSON.parse(t)}catch{throw Error(`profile at "${e}" is not valid JSON`)}return Ae(n,e),n}const De=[`prompt`,`model`,`permissions`,`tools`,`mcp`,`connections`,`subagents`,`resources`,`hooks`,`modes`,`confidential`,`extensions`],Oe=new Set([...De,`name`,`description`,`version`,`tags`,`metadata`]),ke=[`files`,`tools`,`skills`,`agents`,`commands`];function Ae(e,t){if(!e||typeof e!=`object`||Array.isArray(e))throw Error(`profile at "${t}" is not an object`);let n=Object.keys(e),r=n.some(e=>De.includes(e)),i=n.includes(`name`)&&n.every(e=>Oe.has(e));if(!r&&!i)throw Error(`"${t}" does not look like an agent profile: no recognized profile keys (model, prompt, resources, tools, connections, …). Got: ${n.slice(0,6).join(`, `)||`(empty object)`}.`);je(e,t)}function je(e,t){let n=e.resources;if(!n||typeof n!=`object`)return;for(let e of ke){let r=n[e];if(r!==void 0){if(!Array.isArray(r))throw Error(`profile at "${t}" is malformed: resources.${e} must be an array`);for(let n of r)Ne(e===`files`?Me(n):n,t)}}let r=n.instructions;r!==void 0&&typeof r!=`string`&&Ne(r,t)}function Me(e){return e&&typeof e==`object`?e.resource:e}function Ne(e,t){let n=e&&typeof e==`object`?e.kind:void 0;if(n!==`inline`&&n!==`github`)throw Error(`profile at "${t}" has an invalid resource ref kind ${JSON.stringify(n)}: expected "inline" or "github"`)}async function Pe(e){let t=await fetch(e);if(!t.ok)throw Error(`failed to fetch ${e} (${t.status})`);return t.text()}async function Fe(e){let t=e.profileSource?await Ee(e.profileSource):void 0,n=Te(e);return t?n?{...t,...n,...n.resources?{resources:{...t.resources,...n.resources}}:{}}:t:n}const Ie=d.join(ue.homedir(),`.tangle`),y=d.join(Ie,`credentials.json`),b=`tangle-sandbox-cli`,Le=`TANGLE_ALLOW_PLAINTEXT_CREDENTIALS`;var Re=class extends Error{constructor(e,t){super(`Credentials file at ${e} is corrupted and cannot be parsed. Inspect or remove it manually before retrying — refusing to overwrite it automatically.`),this.filePath=e,this.name=`CredentialsFileCorruptedError`,t&&(this.cause=t)}},ze=class extends Error{constructor(){super(`Could not store credential in the OS keychain, and the plaintext fallback is not enabled. Install a keychain provider (macOS Keychain or libsecret/secret-tool on Linux), or set ${Le}=1 to opt into a plaintext credentials.json with mode 0600.`),this.name=`KeychainUnavailableError`}};function Be(e){let t=We(e);if(t)return{value:t,source:`keychain`};let n=qe(e);return n?{value:n,source:`file`}:{source:`none`}}function Ve(e,t){if(Ge(e,t))return Ye(e),`keychain`;if(!Ue())throw new ze;return Je(e,t),`file`}function He(e){Ke(e),Ye(e)}function Ue(){let e=process.env[Le];if(!e)return!1;let t=e.trim().toLowerCase();return t===`1`||t===`true`||t===`yes`}function We(e){if(process.platform===`darwin`)try{return v(`security`,[`find-generic-password`,`-s`,b,`-a`,x(e),`-w`],{encoding:`utf8`,stdio:[`ignore`,`pipe`,`ignore`]}).trim()}catch{return}if(process.platform===`linux`)try{return v(`secret-tool`,[`lookup`,`service`,b,`account`,x(e)],{encoding:`utf8`,stdio:[`ignore`,`pipe`,`ignore`]}).trim()}catch{return}}function Ge(e,t){if(process.platform===`darwin`)try{return v(`security`,[`add-generic-password`,`-U`,`-s`,b,`-a`,x(e),`-w`,t],{stdio:[`ignore`,`ignore`,`ignore`]}),!0}catch{return!1}if(process.platform===`linux`)try{return v(`secret-tool`,[`store`,`--label=Tangle Sandbox CLI`,`service`,b,`account`,x(e)],{input:t,stdio:[`pipe`,`ignore`,`ignore`]}),!0}catch{return!1}return!1}function Ke(e){if(process.platform===`darwin`){try{v(`security`,[`delete-generic-password`,`-s`,b,`-a`,x(e)],{stdio:[`ignore`,`ignore`,`ignore`]})}catch{}return}if(process.platform===`linux`)try{v(`secret-tool`,[`clear`,`service`,b,`account`,x(e)],{stdio:[`ignore`,`ignore`,`ignore`]})}catch{}}function qe(e){return Xe()[e]}function Je(e,t){let n=Xe();n[e]=t,Ze(n)}function Ye(e){let t;try{t=Xe()}catch(e){if(e instanceof Re)return;throw e}e in t&&(delete t[e],Ze(t))}function Xe(){let e;try{e=a.readFileSync(y,`utf8`)}catch(e){if(e instanceof Error&&`code`in e&&e.code===`ENOENT`)return{};throw e}try{let t=JSON.parse(e);if(typeof t!=`object`||!t||Array.isArray(t))throw new Re(y);let n={};for(let[e,r]of Object.entries(t))typeof r==`string`&&(n[e]=r);return n}catch(e){throw e instanceof Re?e:new Re(y,e instanceof Error?e:void 0)}}function Ze(e){if(Qe(),Object.keys(e).length===0){a.existsSync(y)&&a.unlinkSync(y);return}let t=`${y}.${process.pid}.tmp`;a.writeFileSync(t,`${JSON.stringify(e,null,2)}\n`,{mode:384}),a.renameSync(t,y)}function Qe(){if(!a.existsSync(Ie)){a.mkdirSync(Ie,{mode:448,recursive:!0});return}if(process.platform!==`win32`)try{(a.statSync(Ie).mode&511)!=448&&a.chmodSync(Ie,448)}catch{}}function x(e){return`profile:${e}`}const $e=d.join(ue.homedir(),`.tangle`),et=d.join($e,`credentials`),tt=d.join($e,`config.json`),S=`default`;function nt(){a.existsSync($e)||a.mkdirSync($e,{mode:448,recursive:!0})}function rt(e,t){nt();let n=`${e}.${process.pid}.tmp`;a.writeFileSync(n,t,{mode:384}),a.renameSync(n,e)}function it(){try{if(a.existsSync(et)){let e=a.readFileSync(et,`utf-8`).trim();return at(e)?e:e.match(/api_key\s*=\s*(\S+)/)?.[1]}}catch{}}function at(e){return e.startsWith(`sk_`)||e.startsWith(`sk-tan-`)}function ot(){try{a.existsSync(et)&&a.unlinkSync(et)}catch{}}function C(){return Ct(St())}function w(e){let t=wt(C(),e);rt(tt,`${JSON.stringify(t,null,2)}\n`)}function T(e){return Tt(e||process.env.TANGLE_PROFILE||process.env.SANDBOX_PROFILE||C().activeProfile||S)}function st(e){w({activeProfile:Tt(e)})}function ct(){return process.env.TANGLE_SANDBOX||C().currentSandbox||void 0}function lt(e){w({currentSandbox:e})}function ut(){let e=C();delete e.currentSandbox,rt(tt,`${JSON.stringify(e,null,2)}\n`)}function dt(e){let t=e||ct();if(!t)throw Error("No sandbox specified. Pass it positionally, set a default with `tangle use <id>`, pass `--box <id>`, or set TANGLE_SANDBOX.");return t}function ft(){let e=C(),t=T(),n=new Set([S,...Object.keys(e.profiles??{})]);return e.activeProfile&&n.add(Tt(e.activeProfile)),[...n].map(e=>{let n=Be(e),r=e===S?it():void 0,i=n.source===`none`?r?`legacy-file`:`none`:n.source;return{name:e,active:e===t,hasApiKey:n.source!==`none`||!!r,baseUrl:D(void 0,e),apiKeySource:i}}).sort((e,t)=>e.name.localeCompare(t.name))}function pt(e){let t=T(e);return{name:t,active:t===T(),apiKey:E(void 0,t),baseUrl:D(void 0,t),credentialSource:gt(void 0,t)}}function mt(e,t){let n=Tt(e),r=C(),i=xt(n,r),a={},o=t.baseUrl??i.baseUrl;o&&(a.baseUrl=o);let s=t.activeTeamId??i.activeTeamId;s&&(a.activeTeamId=s);let c=t.activeTeamName??i.activeTeamName;c&&(a.activeTeamName=c);let l={...r.profiles??{}};a.baseUrl||a.activeTeamId||a.activeTeamName?l[n]=a:delete l[n];let u;return t.apiKey&&(u=Ve(n,t.apiKey),n===S&&ot()),w({profiles:Object.keys(l).length>0?l:{}}),u}function ht(e){let t=T(e),n={...C().profiles??{}},r=n[t];if(r){let e={...r,apiKey:void 0};e.baseUrl||e.activeTeamId||e.activeTeamName?n[t]=e:delete n[t]}w({profiles:n}),He(t),t===S&&ot()}function E(e,t){if(e)return e;let n=process.env.TANGLE_API_KEY||process.env.SANDBOX_API_KEY;if(n)return n;let r=T(t),i=Be(r);if(i.value)return i.value;if(r===S)return it()}function gt(e,t){if(e)return`flag`;if(process.env.TANGLE_API_KEY||process.env.SANDBOX_API_KEY)return`env`;let n=T(t),r=Be(n);return r.source===`none`?n===S&&it()?`legacy-file`:`none`:r.source}function D(e,t){if(e)return e;let n=process.env.TANGLE_BASE_URL||process.env.SANDBOX_BASE_URL;if(n)return n;let r=T(t),i=C(),a=xt(r,i);return a.baseUrl?a.baseUrl:r===S&&i.baseUrl?i.baseUrl:`https://sandbox.tangle.tools`}function _t(e){if(e)return e.replace(/\/v1\/hub\/?$/,``)}function O(e){let t=T(e.profile),n=E(e.apiKey,t);if(!n)throw Error(`No API key found for profile '${t}'. Set TANGLE_API_KEY or run: tangle auth login${t===S?``:` --profile ${t}`}`);return{apiKey:n,baseUrl:D(e.baseUrl,t),timeout:e.timeout??3e4,profile:t,...vt(t)}}function vt(e){let t=C(),n=xt(T(e),t);return{activeTeamId:n.activeTeamId,activeTeamName:n.activeTeamName}}function yt(e,t){mt(T(t),{activeTeamId:e.id,activeTeamName:e.name})}function bt(e){let t=T(e),n=C(),r={...n.profiles??{}},i={baseUrl:xt(t,n).baseUrl};i.baseUrl?r[t]=i:delete r[t],w({profiles:r})}function xt(e,t=C()){let n=Tt(e);return{...n===S?{baseUrl:t.baseUrl,activeTeamId:t.profiles?.[S]?.activeTeamId,activeTeamName:t.profiles?.[S]?.activeTeamName}:{},...t.profiles?.[n]??{}}}function St(){try{if(a.existsSync(tt)){let e=a.readFileSync(tt,`utf-8`);return JSON.parse(e)}}catch{}return{}}function Ct(e){let t=!1,n={};e.apiKey&&(Ve(S,e.apiKey),ot(),t=!0);for(let[r,i]of Object.entries(e.profiles??{})){i.apiKey&&(Ve(r,i.apiKey),t=!0);let e={};i.baseUrl&&(e.baseUrl=i.baseUrl),i.activeTeamId&&(e.activeTeamId=i.activeTeamId),i.activeTeamName&&(e.activeTeamName=i.activeTeamName),Object.keys(e).length>0&&(n[r]=e)}let r={...e,apiKey:void 0,profiles:Object.keys(n).length>0?n:void 0};return t&&rt(tt,`${JSON.stringify(r,null,2)}\n`),r}function wt(e,t){let n=t.profiles===void 0?{...e.profiles??{}}:Object.fromEntries(Object.entries(t.profiles).filter(([,e])=>!!(e.apiKey||e.baseUrl||e.activeTeamId||e.activeTeamName)));return{...e,...t,profiles:Object.keys(n).length>0?n:void 0}}function Tt(e){let t=e.trim().toLowerCase();if(!t)throw Error(`Profile name cannot be empty`);if(!/^[a-z0-9][a-z0-9._-]*$/.test(t))throw Error(`Profile names may only contain lowercase letters, numbers, dots, underscores, and hyphens`);return t}let k=null,A=null;function j(e){if(e)return k&&A&&A.apiKey===e.apiKey&&A.baseUrl===e.baseUrl?k:(k=new h({apiKey:e.apiKey,baseUrl:e.baseUrl,timeoutMs:e.timeout}),A=e,k);if(k)return k;let t=O({});return k=new h({apiKey:t.apiKey,baseUrl:t.baseUrl,timeoutMs:t.timeout}),A=t,k}function Et(){k=null,A=null}function Dt(e,t){return[...t,e]}function Ot(e){let t=new Map,n=[];for(let r of e){let e=r.trim(),i=e.indexOf(`:`);if(i===-1)throw Error(`Invalid --connection "${r}": expected <connectionId>:<capability>[,<capability>]. List connection ids with \`tangle hub connections\` and capability paths with \`tangle hub tools search <keyword>\`.`);let a=e.slice(0,i).trim();if(a.length===0)throw Error(`Invalid --connection "${r}": connection id is empty. Use <connectionId>:<capability> — list ids with \`tangle hub connections\`.`);let o=e.slice(i+1).split(`,`).map(e=>e.trim()).filter(e=>e.length>0);if(o.length===0)throw Error(`Invalid --connection "${r}": grant at least one capability, e.g. ${a}:gmail.messages.list. Discover paths with \`tangle hub tools search <keyword>\`.`);let s=t.get(a);s===void 0&&(s=new Set,t.set(a,s),n.push(a));for(let e of o)s.add(e)}return n.map(e=>{let n=t.get(e);return{connectionId:e,capabilities:n?[...n]:[]}})}function kt(e){return e==null?i.dim(`-`):typeof e==`boolean`?e?i.green(`yes`):i.red(`no`):e instanceof Date?jt(e):typeof e==`string`&&At(e)?jt(new Date(e)):String(e)}function At(e){return/^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}/.test(e)}function jt(e){let t=Date.now()-e.getTime();if(t<6e4)return`just now`;if(t<36e5)return`${Math.floor(t/6e4)} min ago`;if(t<864e5){let e=Math.floor(t/36e5);return`${e} hour${e>1?`s`:``} ago`}let n=Math.floor(t/864e5);return`${n} day${n>1?`s`:``} ago`}function Mt(e){switch(e){case`running`:return i.green(e);case`pending`:case`provisioning`:return i.yellow(e);case`stopped`:return i.gray(e);case`failed`:case`deleted`:return i.red(e);default:return e}}function M(e,t){if(e.length===0){console.log(i.dim(`No items found.`));return}let n=t.map(t=>{let n=t.header.length,r=Math.max(...e.map(e=>kt(e[t.key]).length));return t.width??Math.max(n,r)+2}),r=t.map((e,t)=>i.bold(e.header.padEnd(n[t]))).join(``);console.log(r);for(let r of e){let e=t.map((e,t)=>{let i=kt(r[e.key]);return e.key===`status`&&(i=Mt(String(r[e.key]))),i.padEnd(n[t])}).join(``);console.log(e)}}function N(e){console.log(JSON.stringify(e,null,2))}function P(e){console.log(i.green(`✓`),e)}function F(e){console.error(i.red(`✗`),e)}function Nt(e){console.log(i.yellow(`!`),e)}function I(e){console.log(i.blue(`→`),e)}function L(e){return ge({text:e,color:`cyan`})}function R(e,t=0){let n=` `.repeat(t);for(let[t,r]of Object.entries(e))r!=null&&console.log(`${n}${i.dim(`${t}:`)} ${kt(r)}`)}function Pt(e){if(console.log(),console.log(i.bold(`Sandbox Details`)),console.log(i.dim(`─`.repeat(40))),R({ID:e.id,Name:e.name,Status:Mt(e.status),Created:e.createdAt,Expires:e.expiresAt}),e.connection){if(console.log(),console.log(i.bold(`Connection`)),console.log(i.dim(`─`.repeat(40))),e.connection.ssh){let{ssh:t}=e.connection,n=process.platform===`win32`?`NUL`:`/dev/null`,r=`ssh -o ProxyCommand="${t.proxyCommand}" -o StrictHostKeyChecking=no -o UserKnownHostsFile=${n} -o GlobalKnownHostsFile=${n} -o LogLevel=ERROR -o ServerAliveInterval=15 -o ServerAliveCountMax=4 -o TCPKeepAlive=yes ${t.username}@localhost -p ${t.port}`;R({SSH:process.platform===`win32`?`$env:TANGLE_SSH_PROXY_AUTH_TOKEN='<token>'; ${r}`:`TANGLE_SSH_PROXY_AUTH_TOKEN='<token>' ${r}`})}e.connection.webTerminalUrl&&R({"Web Terminal":e.connection.webTerminalUrl}),e.connection.runtimeUrl&&R({"API URL":e.connection.runtimeUrl})}console.log()}function z(e,t){t?N({error:e.message}):F(e.message),process.exit(1)}function B(e){N(e)}function V(e,t){if(t.length===0){console.log(i.dim(`No items found.`));return}let n=e.map((e,n)=>{let r=Math.max(...t.map(e=>String(e[n]??``).length));return Math.max(e.length,r)+2});console.log(e.map((e,t)=>i.bold(e.padEnd(n[t]))).join(``));for(let e of t)console.log(e.map((e,t)=>String(e??``).padEnd(n[t])).join(``))}function H(e,t=!1){t&&(N(Ft(e)),process.exit(Ht(e)));let n=It(e);console.error(i.red(`Error:`),n),process.exit(Ht(e))}function Ft(e){return e instanceof he?{error:{code:e.code,message:e.message,...typeof e.status==`number`?{status:e.status}:{},...e.details===void 0?{}:{details:e.details}}}:Vt(e)?{error:{code:e.code,message:e.message,status:e.status,...e.details===void 0?{}:{details:e.details}}}:{error:{message:It(e)}}}function It(e){if(e instanceof re)return`Authentication failed. Run 'tangle auth login' to authenticate.`;if(e instanceof ie)return`Resource not found. Check the ID and try again.`;if(e instanceof ae)return`Quota exceeded. Upgrade your plan or wait for quota reset.`;if(e instanceof se)return`Invalid input: ${e.message}`;if(e instanceof _)return`Invalid state: ${e.message}`;if(e instanceof oe)return`Request timed out. Try again or increase timeout with --timeout.`;if(e instanceof m)return`Network error. Check your connection and try again.`;if(e instanceof g)return`${e.status?`HTTP ${e.status}`:`server error`}: ${e.message}`;if(e instanceof he){let t=typeof e.status==`number`?` (HTTP ${e.status})`:``;return e.code===`HUB_CONNECTION_MISSING`?Lt(e.code,t,e.message,e.details):e.code===`HUB_APPROVAL_REQUIRED`?zt(e.code,t,e.message):e.code===`HUB_UNAUTHENTICATED`?Bt(e.code,t,e.message):`${e.code}${t}: ${e.message}`}return Vt(e)?e.code===`HUB_CONNECTION_MISSING`?Lt(e.code,` (HTTP ${e.status})`,e.message,e.details):e.code===`HUB_APPROVAL_REQUIRED`?zt(e.code,` (HTTP ${e.status})`,e.message):e.code===`HUB_UNAUTHENTICATED`?Bt(e.code,` (HTTP ${e.status})`,e.message):`${e.code} (HTTP ${e.status}): ${e.message}`:e instanceof Error?e.message:String(e)}function Lt(e,t,n,r){let i=Rt(r);return`${e}${t}: ${n}${i?`. Run: tangle hub connect ${i}`:``}`}function Rt(e){if(!e||typeof e!=`object`)return;let t=e.provider;return typeof t==`string`&&t.length>0?t:void 0}function zt(e,t,n){return`${e}${t}: ${n}. Run the command again with --auto-approve, or run: tangle hub resume <approval-id> --accept. See: tangle hub resume --help`}function Bt(e,t,n){return`${e}${t}: ${n}. Hub commands need a platform API key or Hub capability token. Set TANGLE_HUB_CAPABILITY_TOKEN, TANGLE_API_KEY, or SANDBOX_API_KEY. Stored credentials from tangle auth login may be sandbox JWTs and incompatible with Hub endpoints.`}function Vt(e){if(!(e instanceof Error))return!1;let t=e;return typeof t.code==`string`&&t.code.startsWith(`HUB_`)&&typeof t.status==`number`}function Ht(e){return e instanceof se?2:1}const Ut=[`anthropic`,`openai`,`vercel-ai`,`mastra`,`mcp-local`,`claude-desktop`,`cursor`,`zed`];function Wt(e,t,n){switch(e){case`anthropic`:return`// pnpm add @anthropic-ai/sdk @tangle-network/sandbox
|
|
2
2
|
import Anthropic from "@anthropic-ai/sdk";
|
|
3
3
|
import { Sandbox } from "@tangle-network/sandbox";
|
|
4
4
|
import { anthropicTools } from "@tangle-network/sandbox/agent";
|
|
@@ -118,22 +118,22 @@ await connect(new StdioServerTransport());`;case`claude-desktop`:return`// Add t
|
|
|
118
118
|
}
|
|
119
119
|
}
|
|
120
120
|
}
|
|
121
|
-
}`}}function
|
|
122
|
-
|
|
123
|
-
Error:`),
|
|
121
|
+
}`}}function Gt(e){return{anthropic:`Anthropic Messages API (Claude)`,openai:`OpenAI Chat Completions (function calling)`,"vercel-ai":`Vercel AI SDK (generateText / streamText)`,mastra:`Mastra agent framework`,"mcp-local":`Local MCP server bridge (stdio)`,"claude-desktop":`Claude Desktop config (uses local MCP)`,cursor:`Cursor config (uses local MCP)`,zed:`Zed config (uses local MCP)`}[e]}function Kt(){return new t(`connect`).description(`Print a copy-paste integration snippet for one of: ${Ut.join(`, `)}`).argument(`<framework>`,Ut.join(` | `)).option(`-i, --sandbox <id>`,`Sandbox ID to embed in the snippet`,`<SANDBOX_ID>`).option(`-s, --session <id>`,`Session ID to embed in the snippet`,`default`).action((e,t)=>{Ut.includes(e)||(console.error(i.red(`unknown framework: ${e}`),`\nsupported: ${Ut.join(`, `)}`),process.exit(2));let n=e;process.stdout.write(i.cyan(`# ${Gt(n)}\n\n`)),process.stdout.write(`${Wt(n,t.sandbox,t.session)}\n`)})}async function qt(e){let{Writable:t}=await import(`node:stream`),n=await import(`node:readline`),r=!1,i=new t({write(e,t,n){r||process.stdout.write(e,t),n()}}),a=n.createInterface({input:process.stdin,output:i,terminal:!0});return process.stdout.write(e),r=!0,await new Promise(e=>{a.question(``,t=>{r=!1,a.close(),process.stdout.write(`
|
|
122
|
+
`),e(t.trim())})})}async function U(e){let t=(await import(`node:readline`)).createInterface({input:process.stdin,output:process.stdout}),n=await new Promise(n=>{t.question(e,e=>{t.close(),n(e.trim().toLowerCase())})});return n===`y`||n===`yes`}async function W(e,t){let n=(await import(`node:readline`)).createInterface({input:process.stdin,output:process.stdout}),r=t?` [${t}]`:``;return await new Promise(t=>{n.question(`${e}${r}: `,e=>{n.close(),t(e.trim())})})||t||``}async function Jt(){if(process.stdin.isTTY)throw Error(`Cannot read secret from stdin when stdin is a TTY`);let e=[];for await(let t of process.stdin)e.push(Buffer.isBuffer(t)?t:Buffer.from(t));return Buffer.concat(e).toString(`utf8`).replace(/\r?\n$/,``)}function Yt(){let e=new t(`profile`).description(`Create, inspect, and validate portable agent profiles`);return e.command(`create [output]`).description(`Create a profile — interactively (a wizard), or fully via flags`).option(`--name <name>`,`Profile name (when set, skips the wizard)`).option(`--description <text>`,`Profile description`).option(`--model <model>`,`Model (provider/model)`).option(`--system-prompt <text>`,`System prompt`).option(`--skills <ref...>`,`Skill refs: local path or github:<owner>/<repo>/<path>[@<ref>]`).option(`--tools <ref...>`,`Tool refs: local path or github:<owner>/<repo>/<path>[@<ref>]`).option(`--harness <name>`,`Harness hint shown in the run command`).option(`--json`,`Print the profile as JSON instead of writing a file`).action(async(e,t)=>{try{let n=t.name,r=t.description,i=t.harness,a=t.model,o=t.systemPrompt,s=t.skills??[],c=t.tools??[];if(!n&&process.stdin.isTTY&&(n=await W(`Profile name`,`my-agent`),r=await W(`Description (optional)`)||void 0,i=await W(`Harness`,`claude-code`)||void 0,a=await W(`Model (optional, provider/model)`)||void 0,o=await W(`System prompt (optional)`)||void 0,s=await Xt(`Skill ref (local path or github:..., blank to finish)`),c=await Xt(`Tool ref (blank to finish)`)),!n)throw Error(process.stdin.isTTY?`Profile name is required.`:"`agent profile create` needs at least --name in a non-interactive shell (no TTY to prompt). Pass --name <name> (and optionally --model/--skills/--tools/--system-prompt).");let l=Te({model:a,systemPrompt:o,skills:s,tools:c}),d={...n?{name:n}:{},...r?{description:r}:{},...l??{}};if(t.json){N(d);return}let f=e??`agent-profile.json`;u(f,`${JSON.stringify(d,null,2)}\n`),I(`Wrote ${f}`),I(`Run it: tangle agent prompt <box> --profile ${f}${i?` --harness ${i}`:``}`)}catch(e){H(e,t.json)}}),e.command(`show <source>`).description(`Load and print a profile (local path, https URL, or github:owner/repo/path[@ref])`).action(async e=>{try{N(await Ee(e))}catch(e){H(e,!0)}}),e.command(`validate <source>`).description(`Check a profile loads and is a well-formed object`).action(async e=>{try{let t=await Ee(e);I(`OK — "${typeof t.name==`string`?t.name:`(unnamed)`}" loaded as a valid profile object`)}catch(e){H(e)}}),e}async function Xt(e){let t=[];for(;;){let n=await W(e);if(!n)break;t.push(n)}return t}function Zt(e){let t=typeof e.type==`string`?e.type:void 0,n=t===`tool-invocation`||t===`tool_call`||t===`computer-use`||t===`computer_call`,r=e.toolInvocation??e.tool_invocation??e.computerUse??e.computer_use;if(!r&&!n)return;let i=r??e;if(t===`computer-use`||t===`computer_call`)return`computer-use:${i.action?.type??`action`}`;let a=i.toolName??i.tool_name??i.name;return typeof a==`string`&&a.length>0?a:void 0}function Qt(e){return([process.env.SANDBOX_WEB_URL,process.env.TANGLE_SANDBOX_WEB_URL].map(e=>e?.trim()).find(e=>!!e)??e).replace(/\/+$/,``)}function $t(e){let t=e.toolInvocation??e.tool_invocation??e.computerUse??e.computer_use??e,n=t.state?.status,r=typeof t.status==`string`?t.status:void 0;return n??r}function en(e,t){if(e.success===!1)return e.error&&e.error.length>0?e.error:t}function tn(e){let t=Ot(e??[]);if(t.length!==0)return{profile:{connections:t}}}function nn(){let e=new t(`agent`).description(`Interact with AI agent`);return e.command(`prompt <idOrMessage> [message]`).description("Send a single prompt to the agent. With one arg it's the prompt and the box comes from `tangle use` / --box / TANGLE_SANDBOX; with two it's <id> <message>.").option(`--box <id>`,`Target sandbox (overrides the active one)`).option(`--session <id>`,`Continue existing session`).option(`--model <model>`,`Model to use`).option(`-t, --timeout <ms>`,`Timeout in milliseconds`,`300000`).option(`--stream`,`Stream response in real-time`).option(`--interactive`,`Spawn the harness's interactive TUI in the sandbox, inject this prompt, and print a link to watch + drive the live session in the browser (omit for the default headless run)`).option(`--harness <name>`,`Harness that executes this run (claude-code, codex, kimi-code, opencode, pi, amp, hermes). Defaults to the sandbox's configured backend. The box ships all harnesses, so this is a per-run choice.`).option(`--profile <source>`,`Agent profile to run: a local JSON path, an https URL, or github:<owner>/<repo>/<path>[@<ref>]`).option(`--skills <ref...>`,`Attach skills (repeatable): a local file path, or github:<owner>/<repo>/<path>[@<ref>] to pull from a repo`).option(`--tools <ref...>`,`Attach tools (repeatable): a local file path, or github:<owner>/<repo>/<path>[@<ref>]`).option(`--system-prompt <text>`,`Override the agent's system prompt for this run`).option(`--connection <spec>`,"Grant a hub connection to the agent as MCP tools: <connectionId>:<cap1>,<cap2> (repeatable). Ids: `tangle hub connections`. Paths: `tangle hub tools search <keyword>`.",Dt,[]).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let a=t===void 0?e:t,o=t===void 0?dt(n.box):e,s=O({apiKey:n.apiKey,baseUrl:n.baseUrl}),c=j(s);if(n.interactive){let e=[n.profile?`--profile`:null,n.skills?.length?`--skills`:null,n.tools?.length?`--tools`:null,n.systemPrompt?`--system-prompt`:null,n.connection?.length?`--connection`:null].filter(e=>e!==null);if(e.length>0)throw Error(`${e.join(`, `)} ${e.length===1?`is`:`are`} not supported with --interactive: the interactive harness launches its own TUI and is configured by --harness/--model. Drop --interactive to run with a profile, or bake the agent into the box with \`tangle backend configure\`.`)}let l=await Fe({profileSource:n.profile,systemPrompt:n.systemPrompt,skills:n.skills,tools:n.tools}),u=tn(n.connection),d=l||u?{...l??{},...u?.profile??{}}:void 0,f=d||n.harness?{...n.harness?{type:n.harness}:{},...d?{profile:d}:{}}:void 0,p=await c.get(o);if(!p)throw Error(`Sandbox not found: ${o}`);if(n.interactive){let e=n.session??`int-${r()}`,t=n.harness??(await p.backend.status()).type,i=p.session(e).interactive(),c=L(`Starting interactive ${t} session...`);c.start();let l;try{l=await i.start({harness:t,...n.model?{model:n.model}:{}})}finally{c.stop()}try{await i.sendPrompt(a)}catch(e){throw await i.stop().catch(()=>void 0),e}let u=`${Qt(s.baseUrl)}/dashboard/sandbox/${encodeURIComponent(o)}?interactive=${encodeURIComponent(l.sessionId)}`;n.json?N({sessionId:l.sessionId,harness:l.harness,streamUrl:l.streamUrl,webUrl:u}):(I(`Interactive ${l.harness} session started — prompt sent.`),console.log(),R({"Watch & drive":u,Session:l.sessionId}),console.log(),I(`Open the link to watch the agent and type to take over. Send more prompts with --session ${l.sessionId} --interactive.`));return}if(n.stream){I(`Streaming response...`),console.log();for await(let e of p.streamPrompt(a,{sessionId:n.session,model:n.model,timeoutMs:Number.parseInt(n.timeout,10),...f?{backend:f}:{}}))switch(e.type){case`token`:{let t=e.data?.value;typeof t==`string`&&process.stdout.write(t);break}case`error`:{let t=e.data.message??JSON.stringify(e.data);console.error(i.red(`
|
|
123
|
+
Error:`),t);break}}console.log()}else{let e=L(`Processing prompt...`);e.start();let t=await p.prompt(a,{sessionId:n.session,model:n.model,timeoutMs:Number.parseInt(n.timeout,10),...f?{backend:f}:{}});e.stop();let r=en(t,`Agent prompt failed`);if(n.json)N(t),r&&(process.exitCode=1);else{if(r)throw Error(r);console.log(t.response),console.log(),R({Duration:`${t.durationMs}ms`,"Input Tokens":t.usage?.inputTokens,"Output Tokens":t.usage?.outputTokens})}}}catch(e){H(e,n.json)}}),e.command(`task <idOrPrompt> [prompt]`).description("Execute a multi-turn task. One arg = the task (box from `tangle use` / --box / TANGLE_SANDBOX); two = <id> <prompt>.").option(`--box <id>`,`Target sandbox (overrides the active one)`).option(`--session <id>`,`Continue existing session`).option(`--model <model>`,`Model to use`).option(`--max-turns <n>`,`Maximum turns`,`10`).option(`-t, --timeout <ms>`,`Timeout in milliseconds`,`600000`).option(`--stream`,`Stream events in real-time`).option(`--connection <spec>`,"Grant a hub connection to the agent as MCP tools: <connectionId>:<cap1>,<cap2> (repeatable). Ids: `tangle hub connections`. Paths: `tangle hub tools search <keyword>`.",Dt,[]).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=t===void 0?e:t,a=t===void 0?dt(n.box):e,o=j(O({apiKey:n.apiKey,baseUrl:n.baseUrl})),s=tn(n.connection),c=await o.get(a);if(!c)throw Error(`Sandbox not found: ${a}`);if(n.stream){I(`Executing task...`),console.log();let e=new Set;for await(let t of c.streamTask(r,{sessionId:n.session,model:n.model,maxTurns:Number.parseInt(n.maxTurns,10),timeoutMs:Number.parseInt(n.timeout,10),...s?{backend:s}:{}}))switch(t.type){case`token`:{let e=t.data?.value;typeof e==`string`&&process.stdout.write(e);break}case`raw`:{let n=Zt(t.data);if(!n)break;let r=$t(t.data),a=t.data,o=a.toolCallId??a.tool_call_id??a.callId??a.id,s=typeof o==`string`&&o.length>0?o:`${n}#${e.size}`;r===`running`||r===`in_progress`||r===void 0?e.has(s)||(e.add(s),console.log(i.dim(`\n[Tool: ${n}]`))):r===`completed`?console.log(i.dim(`[Tool ${n} completed]`)):(r===`failed`||r===`error`)&&console.log(i.yellow(`[Tool ${n} failed]`));break}case`error`:{let e=t.data.message??JSON.stringify(t.data);console.error(i.red(`
|
|
124
|
+
Error:`),e);break}}console.log()}else{let e=L(`Executing task...`);e.start();let t=await c.task(r,{sessionId:n.session,model:n.model,maxTurns:Number.parseInt(n.maxTurns,10),timeoutMs:Number.parseInt(n.timeout,10),...s?{backend:s}:{}});e.stop();let i=en(t,`Agent task failed`);if(n.json)N(t),i&&(process.exitCode=1);else{if(i)throw Error(i);console.log(t.response),console.log(),R({"Session ID":t.sessionId,"Turns Used":t.turnsUsed,Duration:`${t.durationMs}ms`,"Input Tokens":t.usage?.inputTokens,"Output Tokens":t.usage?.outputTokens})}}}catch(e){H(e,n.json)}}),e.addCommand(Kt()),e.addCommand(Yt()),e}async function rn(e){let t=e.timeoutMs??1e4,n=e.baseUrl.replace(/\/$/,``),r=`${n}/v1/account/me`;try{let n=await fetch(r,{headers:{Accept:`application/json`,Authorization:`Bearer ${e.apiKey}`},signal:AbortSignal.timeout(t)});if(!n.ok){let e=await on(n);throw n.status===401||n.status===403?new re(e||`Invalid API key`):n.status>=500?new g(e||`Sandbox API returned an unexpected error`,n.status):Error(e||`Credential validation failed with status ${n.status}`)}let i=await n.json();if(!i.success||!i.data)throw Error(`Sandbox API returned an invalid account response`);return{customerId:i.data.customer_id,email:i.data.email,name:i.data.name,tier:i.data.tier,createdAt:i.data.created_at}}catch(e){throw e instanceof re||e instanceof g||e instanceof oe?e:e instanceof Error&&e.name===`AbortError`?new oe(t,`Timed out validating credentials against ${n}`):e instanceof Error&&!(e instanceof TypeError)?e:new m(`Failed to reach ${n}`,an(e))}}function an(e){return e instanceof Error?e:void 0}async function on(e){let t=await e.text();if(t)try{let e=JSON.parse(t);return e.error?.message??e.message??t}catch{return t}}function sn(e){if(!ln(e.hostHeader))return{kind:`host-mismatch`};let t;try{t=new URL(e.requestUrl??`/`,`http://127.0.0.1`)}catch{return{kind:`not-found`}}if(t.pathname!==`/callback`)return{kind:`not-found`};if(t.searchParams.get(`state`)!==e.expectedState)return{kind:`state-mismatch`};let n=t.searchParams.get(`error`);if(n)return{kind:`error`,reason:n};let r=t.searchParams.get(`grant_token`);return r?{kind:`ok`,token:r}:{kind:`missing-token`}}async function cn(e){let t=e.timeoutMs??12e4,r=e.baseUrl.replace(/\/$/,``),i=await import(`node:http`),a=n(32).toString(`hex`),o=null,s=null,c=new Promise((e,t)=>{o=e,s=t}),l=i.createServer((e,t)=>{try{let n=sn({hostHeader:e.headers.host,requestUrl:e.url,expectedState:a});switch(n.kind){case`host-mismatch`:t.writeHead(421,{"content-type":`text/plain; charset=utf-8`}),t.end(`Misdirected request`);return;case`not-found`:t.writeHead(404,{"content-type":`text/plain; charset=utf-8`}),t.end(`Not found`);return;case`state-mismatch`:t.writeHead(400,{"content-type":`text/html; charset=utf-8`}),t.end(mn(`State mismatch — refusing login`)),s?.(Error(`Browser login state mismatch — refusing potentially hijacked callback`));return;case`error`:t.writeHead(400,{"content-type":`text/html; charset=utf-8`}),t.end(mn(n.reason)),s?.(Error(`Browser login failed: ${n.reason}`));return;case`missing-token`:t.writeHead(400,{"content-type":`text/html; charset=utf-8`}),t.end(mn(null)),s?.(Error(`Browser login did not return a grant token`));return;case`ok`:t.writeHead(200,{"content-type":`text/html; charset=utf-8`}),t.end(mn(null)),o?.(n.token);return}}catch(e){s?.(e instanceof Error?e:Error(`Browser login callback failed`))}});await new Promise((e,t)=>{l.once(`error`,t),l.listen(0,`127.0.0.1`,()=>e())});try{let n=l.address();if(!n||typeof n==`string`)throw Error(`Failed to bind local callback server`);let i=new URL(`http://127.0.0.1:${n.port}/callback`);i.searchParams.set(`state`,a);let o=new URL(`${r}/auth/cli/login`);o.searchParams.set(`callback_url`,i.toString()),e.provider&&o.searchParams.set(`provider`,e.provider);let s=await fn(o.toString());e.onLoginUrl?.({loginUrl:o.toString(),browserOpened:s});let u=await dn({baseUrl:r,grantToken:await un(c,t),timeoutMs:t});return{apiKey:u.apiKey,email:u.email,name:u.name,tier:u.tier}}finally{await new Promise((e,t)=>{l.close(n=>{if(n){t(n);return}e()})}).catch(()=>void 0)}}function ln(e){if(!e)return!1;let t=e.toLowerCase().match(/^(\[[^\]]+\]|[^:]+)(?::\d+)?$/);if(!t)return!1;let n=t[1];return n===`127.0.0.1`||n===`localhost`||n===`[::1]`}async function un(e,t){return await new Promise((n,r)=>{let i=setTimeout(()=>{r(new oe(t,`Timed out waiting for browser login to complete`))},t);e.then(e=>{clearTimeout(i),n(e)},e=>{clearTimeout(i),r(e)})})}async function dn(e){let t=await fetch(`${e.baseUrl}/auth/cli/exchange`,{method:`POST`,headers:{Accept:`application/json`,"Content-Type":`application/json`},body:JSON.stringify({grant_token:e.grantToken}),signal:AbortSignal.timeout(e.timeoutMs)}).catch(t=>{throw new m(`Failed to reach ${e.baseUrl}`,t instanceof Error?t:void 0)}),n=await t.json().catch(()=>null);if(!t.ok||!n?.success||!n.data?.api_key)throw Error(n?.error?.message||`Failed to exchange browser login grant`);return{apiKey:n.data.api_key,email:n.data.email,name:n.data.name,tier:n.data.tier}}async function fn(e){let{spawn:t}=await import(`node:child_process`),n=process.platform===`darwin`?[`open`,e]:process.platform===`win32`?[`cmd`,`/c`,`start`,``,e]:[`xdg-open`,e];return await new Promise(e=>{let r=t(n[0],n.slice(1),{detached:!0,stdio:`ignore`});r.once(`error`,()=>e(!1)),r.once(`spawn`,()=>{r.unref(),e(!0)})})}function pn(e){return e.replace(/&/g,`&`).replace(/</g,`<`).replace(/>/g,`>`).replace(/"/g,`"`).replace(/'/g,`'`)}function mn(e){return`<!doctype html>
|
|
124
125
|
<html lang="en">
|
|
125
126
|
<head>
|
|
126
127
|
<meta charset="utf-8" />
|
|
127
128
|
<title>Sandbox CLI Login</title>
|
|
128
129
|
</head>
|
|
129
130
|
<body>
|
|
130
|
-
<p>${e?`Sandbox CLI login failed: ${
|
|
131
|
+
<p>${e?`Sandbox CLI login failed: ${pn(e)}`:`Sandbox CLI login complete. You can close this window.`}</p>
|
|
131
132
|
</body>
|
|
132
|
-
</html>`}const Pt=15*6e4;function Ft(e){return Number.isFinite(e)&&e>0?e:Pt}async function It(e){let t=e.timeoutMs??Pt,n=Date.now(),r=await Lt({baseUrl:e.baseUrl,timeoutMs:t,provider:e.provider});for(e.onInstructions?.({userCode:r.user_code,verificationUrl:r.verification_uri,verificationUrlComplete:r.verification_uri_complete,expiresIn:r.expires_in,intervalSeconds:r.interval});;){if(Date.now()-n>t)throw new u(t,`Timed out waiting for device authorization to complete`);let i=await Rt({baseUrl:e.baseUrl,deviceCode:r.device_code,timeoutMs:t});if(i.status===`approved`)return i.data;let a=i.intervalSeconds*1e3;await new Promise(e=>setTimeout(e,a))}}async function Lt(e){let t=Ft(e.timeoutMs),n=await fetch(`${zt(e.baseUrl)}/auth/cli/device/start`,{method:`POST`,headers:{Accept:`application/json`,"Content-Type":`application/json`},body:JSON.stringify(e.provider?{provider:e.provider}:{}),signal:AbortSignal.timeout(t)}).catch(t=>{throw new i(`Failed to reach ${e.baseUrl}`,t instanceof Error?t:void 0)}),r=await n.json().catch(()=>null);if(!n.ok||!r?.success||!r.data?.device_code)throw Error(r?.error?.message||`Failed to start device login`);return r.data}async function Rt(e){let t=Ft(e.timeoutMs),n=await fetch(`${zt(e.baseUrl)}/auth/cli/device/poll`,{method:`POST`,headers:{Accept:`application/json`,"Content-Type":`application/json`},body:JSON.stringify({device_code:e.deviceCode}),signal:AbortSignal.timeout(t)}).catch(t=>{throw new i(`Failed to reach ${e.baseUrl}`,t instanceof Error?t:void 0)}),r=await n.json().catch(()=>null);if(n.status===428&&r?.error?.code===`AUTHORIZATION_PENDING`)return{status:`pending`,intervalSeconds:typeof r.data?.interval==`number`&&r.data.interval>0?r.data.interval:5};if(!n.ok||!r?.success||!r.data?.api_key||!r.data.email)throw Error(r?.error?.message||`Failed to complete device authorization`);return{status:`approved`,data:{apiKey:r.data.api_key,email:r.data.email,name:r.data.name,tier:r.data.tier}}}function zt(e){return e.replace(/\/$/,``)}function Bt(){let e=new t(`auth`).description(`Manage authentication`);e.command(`login`).description(`Authenticate with browser login or an API key`).option(`--api-key <key>`,`API key`).option(`--no-browser`,`Use device-code login instead of opening a browser`).option(`--profile <name>`,`Profile name`).option(`--provider <provider>`,`Identity provider (github, google, microsoft)`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=e.apiKey,n=T(e.profile),r=Kt(e.provider),i=D(e.baseUrl,n),a=e.browser!==!1;if(!t){if(a){let a=z(`Starting browser login...`);a.start();let o=await Dt({baseUrl:i,provider:r,onLoginUrl:({loginUrl:e,browserOpened:t})=>{a.stop(),R(t?`Browser login opened.`:`Open this URL to continue browser login:`),console.log(e)}}).finally(()=>{a.stop()});t=o.apiKey,Ut({profile:n,apiKey:t,baseUrl:e.baseUrl?i:void 0}),N(),I(`Authenticated`),B({Profile:n,Email:o.email,Tier:o.tier,"Base URL":i}),R(Wt);return}let o=z(`Starting device login...`);o.start();let s=await It({baseUrl:i,provider:r,onInstructions:({userCode:e,verificationUrl:t,verificationUrlComplete:n})=>{o.stop(),R(`Complete login in a browser on any device:`),B({"Verification URL":t,"Verification URL (prefilled)":n,"Device Code":e})}}).finally(()=>{o.stop()});t=s.apiKey,Ut({profile:n,apiKey:t,baseUrl:e.baseUrl?i:void 0}),N(),I(`Authenticated`),B({Profile:n,Email:s.email,Tier:s.tier,"Base URL":i}),R(Wt);return}t||(L(`No API key provided.`),process.exit(1)),ze(t)||(L(`Invalid API key format. Keys should start with 'sk_' or 'sk-tan-'.`),process.exit(1));let o=z(`Validating credentials...`);o.start();let s=await Ct({apiKey:t,baseUrl:i});o.stop(),Ut({profile:n,apiKey:t,baseUrl:e.baseUrl?i:void 0}),N(),I(`Authenticated`),B({Profile:n,Email:s.email,Tier:s.tier,"Base URL":i}),R(Wt)}catch(e){W(e)}}),e.command(`logout`).description(`Remove stored credentials`).option(`--profile <name>`,`Profile name`).action(e=>{try{let t=T(e.profile);Ge(t),N(),I(`Logged out successfully.`),R(`Credentials removed for profile '${t}'.`)}catch(e){W(e)}}),e.command(`status`).description(`Show current authentication status`).option(`--json`,`Output as JSON`).option(`--profile <name>`,`Profile name`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=T(e.profile),n=E(e.apiKey,t),i=D(e.baseUrl,t),a=Ke(e.apiKey,t);if(!n){if(e.json){F({authenticated:!1,reason:`missing_credentials`,profile:t,baseUrl:i,credentialSource:null});return}L(`Not authenticated`),R(`Run 'tangle auth login --profile ${t}' to authenticate.`),process.exit(1)}let o=e.json?null:z(`Checking credentials...`);o?.start();try{let r=await Ct({apiKey:n,baseUrl:i});if(o?.stop(),e.json){F({authenticated:!0,profile:t,baseUrl:i,credentialSource:a,account:r});return}I(`Authenticated`),B({Profile:t,"API Key":Vt(n),"Base URL":i,Source:Ht(a),Email:r.email,Tier:r.tier})}catch(s){o?.stop(),e.json&&(F({authenticated:!1,profile:t,baseUrl:i,credentialSource:a,error:s instanceof Error?s.message:String(s)}),process.exit(1)),s instanceof r?L(`Stored credentials are invalid.`):at(`Stored credentials found, but validation could not complete.`),B({Profile:t,"API Key":Vt(n),"Base URL":i,Source:Ht(a),Error:s instanceof Error?s.message:String(s)}),process.exit(1)}}catch(e){W(e)}});let n=new t(`profiles`).description(`Manage CLI profiles`);return n.command(`list`).description(`List configured profiles`).option(`--json`,`Output as JSON`).action(e=>{try{let t=He();if(e.json){F(t);return}if(t.length===0){R(`No profiles found.`);return}U([`Profile`,`Active`,`Base URL`,`Credentials`,`Source`],t.map(e=>[e.name,e.active?`yes`:`no`,e.baseUrl,e.hasApiKey?`configured`:`none`,e.apiKeySource]))}catch(e){W(e)}}),n.command(`use <name>`).description(`Set the active profile`).action(e=>{try{Ve(e);let t=Ue(e);I(`Active profile set to '${t.name}'.`),B({"Base URL":t.baseUrl,Credentials:t.credentialSource===`none`?`missing`:`configured`})}catch(e){W(e)}}),n.command(`current`).description(`Show the active profile`).option(`--json`,`Output as JSON`).action(e=>{try{let t=Ue();if(e.json){F(t);return}B({Profile:t.name,"Base URL":t.baseUrl,Credentials:t.credentialSource===`none`?`missing`:`configured`,Source:Ht(t.credentialSource)})}catch(e){W(e)}}),e.addCommand(n),e}function Vt(e){return e.length<=14?e:`${e.slice(0,10)}...${e.slice(-4)}`}function Ht(e){switch(e){case`flag`:return`command flag`;case`env`:return`environment`;case`keychain`:return`OS keychain`;case`file`:return`credentials file`;case`legacy-file`:return`legacy credentials file`;default:return`unknown`}}function Ut(e){let t=We(e.profile,{apiKey:e.apiKey,...e.baseUrl?{baseUrl:e.baseUrl}:{}});Ve(e.profile),w({...e.baseUrl&&e.profile===`default`?{baseUrl:e.baseUrl}:{}}),Wt=Gt(e.profile,t)}let Wt=`Credentials updated.`;function Gt(e,t){return t===`keychain`?e===`default`?`API key saved to the OS keychain for the default profile`:`API key saved to the OS keychain for profile '${e}'`:t===`file`?e===`default`?`API key saved to ~/.tangle/credentials.json for the default profile`:`API key saved to ~/.tangle/credentials.json for profile '${e}'`:`Profile '${e}' updated.`}function Kt(e){if(e===void 0||e===`github`||e===`google`||e===`microsoft`)return e;throw Error(`--provider must be one of: github, google, microsoft`)}function qt(){let e=new t(`backend`).description(`Manage sandbox AI agent backend`);return e.command(`status <sandboxId>`).description(`Get backend agent status`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=M(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=z(`Fetching backend status...`);r.start();let i=await n.get(e);if(!i)throw r.stop(),Error(`Sandbox ${e} not found`);let a=await i.backend.status();r.stop(),t.json?F(a):(R(`Backend Type: ${a.type}`),R(`Status: ${a.status}`),a.version&&R(`Version: ${a.version}`),a.error&&R(`Error: ${a.error}`),a.metadata&&R(`Metadata: ${JSON.stringify(a.metadata,null,2)}`))}catch(e){W(e)}}),e.command(`capabilities <sandboxId>`).description(`Get backend capabilities`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=M(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=z(`Fetching capabilities...`);r.start();let i=await n.get(e);if(!i)throw r.stop(),Error(`Sandbox ${e} not found`);let a=await i.backend.capabilities();r.stop(),t.json?F(a):(R(`Backend Capabilities:`),R(` Streaming: ${a.streaming?`✓`:`✗`}`),R(` Tool Use: ${a.toolUse?`✓`:`✗`}`),R(` Reasoning: ${a.reasoning?`✓`:`✗`}`),R(` Multimodal: ${a.multimodal?`✓`:`✗`}`),R(` Context Window: ${a.contextWindow.toLocaleString()} tokens`))}catch(e){W(e)}}),e.command(`configure <sandboxId>`).description(`Update backend configuration`).option(`--model <model>`,`Model string (format: provider/model)`).option(`--max-thinking-tokens <n>`,`Maximum thinking tokens`).option(`--profile <name>`,`Backend profile name`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=M(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=z(`Updating backend config...`);r.start();let i=await n.get(e);if(!i)throw r.stop(),Error(`Sandbox ${e} not found`);let a={};if(t.profile&&(a.profile=t.profile),t.model||t.maxThinkingTokens){if(a.model={},t.model){let e=t.model.split(`/`);e.length>=2?(a.model.provider=e[0],a.model.model=e.slice(1).join(`/`)):a.model.model=t.model}t.maxThinkingTokens&&(a.model.maxThinkingTokens=Number.parseInt(t.maxThinkingTokens,10))}await i.backend.updateConfig(a),r.stop(),I(`Backend configuration updated`),t.json&&F(a)}catch(e){W(e)}}),e.command(`add-mcp <sandboxId>`).description(`Add an MCP server to the backend`).requiredOption(`--name <name>`,`MCP server name`).requiredOption(`--command <cmd>`,`Command to run (e.g., npx)`).option(`--args <args...>`,`Command arguments`).option(`--env <vars...>`,`Environment variables (KEY=VALUE)`).option(`--cwd <dir>`,`Working directory`).option(`--url <url>`,`Remote MCP server URL (for SSE)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=M(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=z(`Adding MCP server...`);r.start();let i=await n.get(e);if(!i)throw r.stop(),Error(`Sandbox ${e} not found`);let a={};if(t.env)for(let e of t.env){let[t,...n]=e.split(`=`);t&&n.length>0&&(a[t]=n.join(`=`))}await i.backend.addMcp(t.name,{command:t.command,args:t.args,env:Object.keys(a).length>0?a:void 0,cwd:t.cwd,url:t.url}),r.stop(),I(`MCP server "${t.name}" added`),t.json&&F({name:t.name,command:t.command,args:t.args,env:Object.keys(a).length>0?a:void 0,cwd:t.cwd,url:t.url})}catch(e){W(e)}}),e.command(`mcp-status <sandboxId>`).description(`Get status of MCP servers`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=M(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=z(`Fetching MCP status...`);r.start();let i=await n.get(e);if(!i)throw r.stop(),Error(`Sandbox ${e} not found`);let a=await i.backend.getMcpStatus();if(r.stop(),t.json)F(a);else{let e=Object.entries(a);e.length===0?R(`No MCP servers configured`):P(e.map(([e,t])=>{let n=t;return{name:e,status:n.status,error:n.error??``}}),[{key:`name`,header:`Name`,width:24},{key:`status`,header:`Status`,width:12},{key:`error`,header:`Error`,width:40}])}}catch(e){W(e)}}),e.command(`restart <sandboxId>`).description(`Restart the backend agent`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=M(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=z(`Restarting backend...`);r.start();let i=await n.get(e);if(!i)throw r.stop(),Error(`Sandbox ${e} not found`);await i.backend.restart(),r.stop(),I(`Backend restarted`)}catch(e){W(e)}}),e}function Jt(e){let t=e.indexOf(`=`);if(t<=0)throw Error(`Invalid --task "${e}": expected format id=message (e.g. t1=summarize README)`);let n=e.slice(0,t).trim(),r=e.slice(t+1).trim();if(!n||!r)throw Error(`Invalid --task "${e}": id and message must be non-empty`);return{id:n,message:r}}function Yt(e){let t;try{t=JSON.parse(e)}catch(e){throw Error(`--tasks file is not valid JSON: ${e.message}`)}let n=Array.isArray(t)?t:t?.tasks;if(!Array.isArray(n))throw Error(`--tasks file must contain an array or an object with a "tasks" array`);return n.map((e,t)=>{if(!e||typeof e!=`object`)throw Error(`--tasks[${t}] must be an object`);let n=e,r=typeof n.id==`string`?n.id.trim():``,i=typeof n.message==`string`?n.message:``;if(!r)throw Error(`--tasks[${t}].id must be a non-empty string`);if(!i.trim())throw Error(`--tasks[${t}].message must be a non-empty string`);let a={id:r,message:i};return n.context&&typeof n.context==`object`&&(a.context=n.context),typeof n.timeoutMs==`number`&&n.timeoutMs>0&&(a.timeoutMs=n.timeoutMs),a})}function Xt(e){let t=e.readFile??(e=>f(e,`utf8`)),n=[];e.file&&n.push(...Yt(t(e.file)));for(let t of e.inline??[])n.push(Jt(t));if(n.length===0)throw Error(`No tasks provided. Use --tasks <file> and/or --task id=message.`);let r=new Set;for(let e of n){if(r.has(e.id))throw Error(`Duplicate task id: ${e.id}`);r.add(e.id)}return n}function Zt(e){if(e!==`fastest`&&e!==`balanced`&&e!==`cheapest`)throw Error(`--scaling must be one of: fastest, balanced, cheapest (got "${e}")`);return e}function Qt(e){let t=e.trim(),n=t.indexOf(`/`);if(n<=0||n===t.length-1)throw Error(`--model must be in the form provider/model (got "${e}")`);return{provider:t.slice(0,n),model:t.slice(n+1)}}function $t(){let e=new t(`batch`).description(`Run multiple agent tasks in parallel across sandboxes`);return e.command(`run`).description(`Execute a batch of tasks. Provide tasks via --tasks <file.json> and/or repeated --task id=message flags.`).option(`--tasks <file>`,`Path to a JSON file with an array of tasks (or {tasks: [...]})`).option(`--task <id=message>`,`Inline task, id=message. Repeatable.`,(e,t=[])=>[...t,e],[]).option(`--stream`,`Stream per-task events as they arrive`).option(`-t, --timeout <ms>`,`Total batch timeout in milliseconds`,`300000`).option(`--scaling <mode>`,`Scaling mode: fastest | balanced | cheapest`,`balanced`).option(`--persistent`,`Keep sandboxes alive after completion`,!1).option(`--model <provider/model>`,`Model override, e.g. anthropic/claude-sonnet-4-5-20250929`).option(`--profile <id>`,`Named execution profile to apply to every task`).option(`--json`,`Output the final result as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{let t=new AbortController,r=!1,i=()=>{r||(r=!0,R(`Cancel requested — stopping stream...`),t.abort())};process.on(`SIGINT`,i),process.on(`SIGTERM`,i);try{let r=Xt({file:e.tasks,inline:e.task}),i=Zt(e.scaling),a=Number(e.timeout);if(!Number.isFinite(a)||a<=0)throw Error(`--timeout must be a positive number of milliseconds`);let o=M(O({apiKey:e.apiKey,baseUrl:e.baseUrl})),s={type:`opencode`};e.model&&(s.model=Qt(e.model)),e.profile&&(s.profile=String(e.profile));let c={timeoutMs:a,scalingMode:i,persistent:!!e.persistent,signal:t.signal,backend:s};if(e.stream){R(`Streaming batch of ${r.length} task(s)...`),console.log();let t=new Map;for await(let e of o.streamBatch(r,c)){let i=e.data,a=i.taskId??``;switch(e.type){case`batch.started`:R(`Batch started (${i.totalTasks??r.length} tasks)`);break;case`task.started`:a&&console.log(n.dim(`→ ${a} started`));break;case`task.retry`:a&&console.log(n.yellow(`↻ ${a} retry ${i.attempt??`?`}: ${i.error??`retrying`}`));break;case`task.completed`:if(a){let e=i.usage,r=(e?.inputTokens??0)+(e?.outputTokens??0);t.set(a,{success:!0,durationMs:i.durationMs,retries:i.retries,tokensUsed:i.tokensUsed??(r>0?r:void 0),response:i.resultSummary??i.response}),console.log(n.green(`✓ ${a} completed in ${i.durationMs??`?`}ms`+(i.retries?` (${i.retries} retries)`:``)))}break;case`task.failed`:a&&(t.set(a,{success:!1,durationMs:i.durationMs,retries:i.retries,error:i.error}),console.log(n.red(`✗ ${a} failed: ${i.error??`unknown error`}`)));break;case`batch.failed`:throw Error(i.error??`Batch failed`);case`batch.completed`:break}}let i=[...t.values()].filter(e=>e.success).length,a=[...t.values()].filter(e=>!e.success).length,s=[...t.values()].reduce((e,t)=>e+(t.retries??0),0);console.log(),e.json?F({totalTasks:r.length,succeeded:i,failed:a,totalRetries:s,successRate:r.length>0?i/r.length*100:0,results:Array.from(t.entries()).map(([e,t])=>({taskId:e,...t}))}):B({"Total tasks":r.length,Succeeded:i,Failed:a,"Total retries":s,"Success rate":r.length>0?`${(i/r.length*100).toFixed(1)}%`:`0%`}),a>0&&(process.exitCode=1)}else{R(`Running batch of ${r.length} task(s)...`);let t=await o.runBatch(r,c);if(e.json)F(t);else if(console.log(),B({"Total tasks":t.totalTasks,Succeeded:t.succeeded,Failed:t.failed,"Total retries":t.totalRetries,"Success rate":`${t.successRate.toFixed(1)}%`}),t.results.length>0){console.log(),console.log(n.bold(`Task Results`)),console.log(n.dim(`─`.repeat(40)));for(let e of t.results){let t=e.success?n.green(`✓`):n.red(`✗`),r=typeof e.tokensUsed==`number`?` • ${e.tokensUsed} tokens`:``;console.log(`${t} ${e.taskId} ${n.dim(`(${e.durationMs}ms, ${e.retries} retries${r})`)}`),e.error&&console.log(n.red(` ${e.error}`))}}t.failed>0&&(process.exitCode=1)}}catch(e){if(r){console.log(),R(`Batch cancelled.`),process.exitCode=130;return}W(e)}finally{process.off(`SIGINT`,i),process.off(`SIGTERM`,i)}}),e}function en(){let e=new t(`checkpoint`).description(`Manage sandbox filesystem checkpoints`);return e.command(`create`).description(`Create a checkpoint of the current sandbox state`).argument(`<id>`,`Sandbox ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=M(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=z(`Creating checkpoint...`);t.json||r.start();let i=await n.get(e);if(!i)throw Error(`Sandbox not found: ${e}`);let a=await i.checkpoint();r.stop(),t.json?F(a):I(`Checkpoint created: ${a.checkpointId}`)}catch(e){W(e)}}),e.command(`list`).alias(`ls`).description(`List checkpoints for a sandbox`).argument(`<id>`,`Sandbox ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=M(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=z(`Fetching checkpoints...`);t.json||r.start();let i=await n.get(e);if(!i)throw Error(`Sandbox not found: ${e}`);let a=await i.listCheckpoints();r.stop(),t.json?F(a):a.length===0?console.log(`No checkpoints found`):U([`ID`,`Created`],a.map(e=>[e.checkpointId,e.createdAt.toLocaleString()]))}catch(e){W(e)}}),e.command(`delete`).alias(`rm`).description(`Delete a checkpoint`).argument(`<id>`,`Sandbox ID`).argument(`<checkpoint-id>`,`Checkpoint ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=M(O({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=z(`Deleting checkpoint...`);n.json||i.start();let a=await r.get(e);if(!a)throw Error(`Sandbox not found: ${e}`);await a.deleteCheckpoint(t),i.stop(),n.json?F({success:!0,deleted:t}):I(`Checkpoint deleted: ${t}`)}catch(e){W(e)}}),e}function tn(){let e=new t(`environments`).alias(`env`).description(`Manage sandbox environments`);return e.command(`list`).alias(`ls`).description(`List available environments`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=M(O({apiKey:e.apiKey,baseUrl:e.baseUrl})),n=z(`Fetching environments...`);e.json||n.start();let r=await t.environments.list();n.stop(),e.json?F(r):r.length===0?console.log(`No environments found`):U([`ID`,`Description`,`Version`],r.map(e=>[e.id,e.description??``,e.version]))}catch(e){W(e)}}),e.command(`get`).description(`Get environment details`).argument(`<id>`,`Environment ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=M(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=z(`Fetching environment...`);t.json||r.start();let i=await n.environments.get(e);if(r.stop(),!i){console.error(`Environment not found: ${e}`),process.exit(1);return}t.json?F(i):(console.log(`ID: ${i.id}`),console.log(`Description: ${i.description??`-`}`),console.log(`Version: ${i.version}`),i.base&&console.log(`Base: ${i.base}`))}catch(e){W(e)}}),e}function nn(){return new t(`exec`).description(`Execute a command in a sandbox`).argument(`<id>`,`Sandbox ID`).argument(`<command...>`,`Command to execute`).option(`--cwd <dir>`,`Working directory`).option(`--env <vars...>`,`Environment variables (KEY=VALUE)`).option(`-t, --timeout <ms>`,`Timeout in milliseconds`,`60000`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=M(O({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=t.join(` `),a={};if(n.env)for(let e of n.env){let[t,...n]=e.split(`=`);t&&n.length>0&&(a[t]=n.join(`=`))}let o=z(`Executing: ${i}`);n.json||o.start();let s=await r.get(e);if(!s)throw Error(`Sandbox not found: ${e}`);let c=await s.exec(i,{cwd:n.cwd,env:Object.keys(a).length>0?a:void 0,timeoutMs:Number.parseInt(n.timeout,10)});o.stop(),n.json?F(c):(c.stdout&&process.stdout.write(c.stdout),c.stderr&&process.stderr.write(c.stderr),c.exitCode!==0&&process.exit(c.exitCode))}catch(e){if(e instanceof i){let t=`Exec transport lost before command status was confirmed. Remote command status is unknown. Original error: ${e.message}. For long-running commands, use \`tangle process spawn\`, \`tangle process logs\`, and \`tangle process kill --tree\`.`;return W(Error(t,{cause:e}))}W(e)}})}const rn=[`list`,`create`,`delete`,`exec`,`prompt`,`read`,`write`];function an(){let e=new t(`fleet`).description(`Manage sandbox fleets`);return e.command(`create`).description(`Create a sandbox fleet`).option(`--fleet-id <id>`,`Stable fleet id (generated when omitted)`).option(`--count <n>`,`Number of worker machines`,`1`).option(`--image <env>`,`Environment/image for each machine`).option(`--cpu <cores>`,`CPU cores per machine`).option(`--memory <mb>`,`Memory in MB per machine`).option(`--disk <gb>`,`Disk in GB per machine`).option(`--driver <type>`,`Infrastructure driver type`).option(`--backend <id>`,`Agent backend type`).option(`--workspace <mode>`,`Workspace mode: isolated | shared`,`isolated`).option(`--max-spend-usd <n>`,`Fleet spend cap in USD (policy)`).option(`--max-lifetime <s>`,`Max machine lifetime in seconds (policy)`).option(`--spec <file.json>`,`Path to a JSON file describing the fleet (overrides synthesized machines)`).option(`--coordinator`,`Create a coordinator + workers fleet (routes to createWithCoordinator)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=M(O({apiKey:e.apiKey,baseUrl:e.baseUrl})),n=z(`Creating fleet...`);n.start();let r=e.coordinator?await t.fleets.createWithCoordinator(ln(e)):await t.fleets.create(cn(e));n.stop();let i=fn(r.machines);e.json?F({fleetId:r.fleetId,machines:i}):(I(`Fleet created: ${r.fleetId}`),P(i,[{key:`machineId`,header:`Machine`,width:20},{key:`sandboxId`,header:`Sandbox`,width:24},{key:`status`,header:`Status`,width:14}]))}catch(e){W(e)}}),e.command(`list <fleet-id>`).description(`List the machines of one fleet (fleet id is required)`).option(`--status <status>`,`Filter machines by status`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=M(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=z(`Fetching fleet...`);r.start();let i=await n.fleets.list({fleetId:e,status:t.status});r.stop();let a=fn(i.machines);t.json?F({fleetId:i.fleetId,machines:a}):P(a,[{key:`machineId`,header:`Machine`,width:20},{key:`sandboxId`,header:`Sandbox`,width:24},{key:`status`,header:`Status`,width:14}])}catch(e){W(e)}}),e.command(`get <fleet-id>`).description(`Show one fleet's manifest (server record)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=M(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=z(`Fetching manifest...`);r.start();let i=await n.fleets.manifest(e);r.stop(),t.json?F(i):(B({"Fleet ID":i.fleetId??i.id,Machines:i.machines.length,"Workspace mode":i.workspace?.mode,"Workspace status":i.workspace?.status,"Max lifetime (s)":i.policy?.maxLifetimeSeconds,"Max spend (USD)":i.policy?.maxSpendUsd,Created:i.createdAt,Updated:i.updatedAt}),P(i.machines.map(e=>({machineId:e.machineId,sandboxId:e.sandboxId,role:e.role,status:e.status})),[{key:`machineId`,header:`Machine`,width:20},{key:`sandboxId`,header:`Sandbox`,width:24},{key:`role`,header:`Role`,width:14},{key:`status`,header:`Status`,width:14}]))}catch(e){W(e)}}),e.command(`delete <fleet-id>`).description(`Delete a fleet's machine sandboxes and its record`).option(`--continue-on-error`,`Keep deleting remaining machines if one delete fails`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=M(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=z(`Deleting fleet...`);r.start(),await n.fleets.delete(e,{continueOnError:t.continueOnError}),r.stop(),t.json?F({success:!0,fleetId:e}):I(`Fleet deleted: ${e}`)}catch(e){W(e)}}),e.command(`reap`).description(`TTL cleanup of all expired fleets (fleet-wide)`).option(`--dry-run`,`Report what would be reaped without deleting`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=M(O({apiKey:e.apiKey,baseUrl:e.baseUrl})),n=z(`Reaping expired fleets...`);n.start();let r=await t.fleets.reapExpired({dryRun:e.dryRun});n.stop(),e.json?F(r):(B({"Dry run":r.dryRun,Expired:r.expired,Deleted:r.deleted}),P(r.fleets.map(e=>({fleetId:e.fleetId,expiredAt:e.expiredAt,deleted:e.deleted})),[{key:`fleetId`,header:`Fleet`,width:24},{key:`expiredAt`,header:`Expired`,width:18},{key:`deleted`,header:`Deleted`,width:10}]))}catch(e){W(e)}}),e.command(`reconcile`).description(`Drop fleet records whose underlying sandboxes vanished`).option(`--dry-run`,`Report orphans without removing them`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=M(O({apiKey:e.apiKey,baseUrl:e.baseUrl})),n=z(`Reconciling fleets...`);n.start();let r=await t.fleets.reconcile({dryRun:e.dryRun});n.stop(),e.json?F(r):(B({"Dry run":r.dryRun,Checked:r.checked,Orphaned:r.orphaned,Removed:r.removed}),P(r.machines.map(e=>({fleetId:e.fleetId,machineId:e.machineId,sandboxId:e.sandboxId,removed:e.removed})),[{key:`fleetId`,header:`Fleet`,width:24},{key:`machineId`,header:`Machine`,width:20},{key:`sandboxId`,header:`Sandbox`,width:24},{key:`removed`,header:`Removed`,width:10}]))}catch(e){W(e)}}),e.addCommand(on()),e.command(`exec <fleet-id> <command>`).description(`Run a shell command across the fleet's machines`).option(`--machine <id...>`,`Restrict to a subset of machine ids (default: all)`).option(`--cwd <dir>`,`Working directory for the command`).option(`--timeout <ms>`,`Per-machine timeout in milliseconds`).option(`--max-concurrent <n>`,`Max concurrent dispatches`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=M(O({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=z(`Dispatching command...`);i.start();let a=await(await r.fleets.list({fleetId:e})).dispatchExecDetailed(t,{machines:n.machine,cwd:n.cwd,timeoutMs:n.timeout?Number(n.timeout):void 0,maxConcurrent:n.maxConcurrent?Number(n.maxConcurrent):void 0});if(i.stop(),n.json)F(a);else{P(a.results.map(e=>({machineId:e.machineId,ok:e.ok,exitCode:e.result?.exitCode,durationMs:e.durationMs})),[{key:`machineId`,header:`Machine`,width:20},{key:`ok`,header:`OK`,width:6},{key:`exitCode`,header:`Exit`,width:8},{key:`durationMs`,header:`Duration(ms)`,width:14}]);for(let e of a.results){let t=e.result?.stdout,n=e.result?.stderr;t&&(console.log(`\n[${e.machineId}] stdout:`),console.log(t)),n&&(console.log(`\n[${e.machineId}] stderr:`),console.log(n)),e.error&&console.log(`\n[${e.machineId}] error: ${e.error.message}`)}}a.results.some(e=>e.ok===!1)&&(process.exitCode=1)}catch(e){W(e)}}),e.command(`capabilities`).description(`List fleet drivers and their supported features`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=M(O({apiKey:e.apiKey,baseUrl:e.baseUrl})),n=z(`Fetching capabilities...`);n.start();let r=await t.fleets.capabilities();n.stop(),e.json?F(r):P(r.drivers.map(e=>({driverType:e.driverType,sharedWorkspace:e.sharedWorkspace,accelerators:e.accelerators,queueTimings:e.queueTimings})),[{key:`driverType`,header:`Driver`,width:16},{key:`sharedWorkspace`,header:`Shared WS`,width:12},{key:`accelerators`,header:`Accel`,width:8},{key:`queueTimings`,header:`Queue`,width:8}])}catch(e){W(e)}}),e.command(`usage <fleet-id>`).description(`Show fleet usage and reliability insights`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=M(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=z(`Fetching usage...`);r.start();let i=await n.fleets.usage(e);if(r.stop(),t.json)F(i);else if(B({"Fleet ID":i.usage.fleetId,Status:i.usage.status,Machines:i.usage.machineCount,Running:i.usage.runningMachines,Failed:i.usage.failedMachines,"Runtime (ms)":i.usage.meteredUsage?.runtimeMs,"Reliability score":i.insights.reliabilityScore,"Failure rate":i.insights.failureRate}),i.insights.recommendedActions.length>0){console.log(`
|
|
133
|
-
Recommended actions:`);for(let e of i.insights.recommendedActions)console.log(` - ${e}`)}}catch(e){
|
|
134
|
-
Re-run with --json to print the full token value.`))}catch(e){W(e)}}),e}function on(){let e=new t(`workspace`).description(`Manage a fleet's shared workspace`);return e.command(`snapshot <fleet-id>`).description(`Snapshot the fleet's shared workspace`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=M(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=z(`Creating workspace snapshot...`);r.start();let i=await n.fleets.createWorkspaceSnapshot(e);r.stop(),t.json?F(i):I(`Workspace snapshot created: ${i.snapshotId??i.id}`)}catch(e){W(e)}}),e.command(`restore <fleet-id> <snapshot-id>`).description(`Restore the fleet's shared workspace from a snapshot`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=M(O({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=z(`Restoring workspace...`);i.start();let a=await r.fleets.restoreWorkspaceSnapshot(e,t);i.stop(),n.json?F(a):I(`Workspace restored from ${a.snapshotId??t}`)}catch(e){W(e)}}),e.command(`reconcile <fleet-id>`).description(`Re-mount the shared workspace on all fleet machines`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=M(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=z(`Reconciling workspace...`);r.start();let i=await n.fleets.reconcileWorkspace(e);r.stop(),t.json?F(i):(B({"Fleet ID":i.fleetId,Checked:i.checked,"Orphaned mounts":i.orphanedMounts}),P(i.machines.map(e=>({machineId:e.machineId,sandboxId:e.sandboxId,mounted:e.mounted})),[{key:`machineId`,header:`Machine`,width:20},{key:`sandboxId`,header:`Sandbox`,width:24},{key:`mounted`,header:`Mounted`,width:10}]))}catch(e){W(e)}}),e}function sn(e){if(e.spec){let t=JSON.parse(f(e.spec,`utf8`));return{base:{fleetId:e.fleetId,defaults:t.defaults,policy:t.policy,workspace:t.workspace,metadata:t.metadata},machines:t.machines??[]}}let t=un(e),n={...e.image?{environment:e.image}:{},...t?{resources:t}:{},...e.driver?{driver:{type:e.driver}}:{},...e.backend?{backend:{type:e.backend}}:{}},r=dn(e),i=Math.max(1,Number(e.count)||1),a=Array.from({length:i},(e,t)=>({machineId:`worker-${t+1}`}));return{base:{fleetId:e.fleetId,defaults:Object.keys(n).length>0?n:void 0,policy:r,workspace:{mode:e.workspace}},machines:a}}function cn(e){let{base:t,machines:n}=sn(e);return{...t,machines:n}}function ln(e){let{base:t,machines:n}=sn(e);return{...t,workers:n}}function un(e){let t={};return e.cpu&&(t.cpuCores=Number(e.cpu)),e.memory&&(t.memoryMB=Number(e.memory)),e.disk&&(t.diskGB=Number(e.disk)),Object.keys(t).length>0?t:void 0}function dn(e){let t={};return e.maxSpendUsd&&(t.maxSpendUsd=Number(e.maxSpendUsd)),e.maxLifetime&&(t.maxLifetimeSeconds=Number(e.maxLifetime)),Object.keys(t).length>0?t:void 0}function fn(e){return[...e.entries()].map(([e,t])=>({machineId:e,sandboxId:t.id,status:t.status}))}function pn(e){if(!(!e||e.length===0)){for(let t of e)if(!rn.includes(t))throw Error(`Invalid token action '${t}'. Allowed: ${rn.join(`, `)}`);return e}}function mn(e){return e.length<=12?`****`:`${e.slice(0,6)}...${e.slice(-4)} (masked — use --json for full value)`}function hn(){let e=new t(`fs`).description(`File system operations on sandboxes`);return G(e.command(`upload`).description(`Upload a file to a sandbox`).argument(`<sandbox-id>`,`Sandbox ID`).argument(`<local-path>`,`Local file path`).argument(`<remote-path>`,`Remote destination path`).option(`--json`,`Output as JSON`)).action(async(e,t,n,r)=>{try{let i=await K(r).get(e);if(!i)throw Error(`Sandbox not found: ${e}`);if(!d.existsSync(t))throw Error(`Local file not found: ${t}`);let a=d.statSync(t),o=Date.now();console.log(`Uploading ${t} to ${n}...`),await i.fs.upload(t,n,{onProgress:e=>{let t=e.percentage.toFixed(1);process.stdout.write(`\rProgress: ${t}% (${e.bytesUploaded}/${e.totalBytes} bytes)`)}});let s=Date.now()-o;console.log(``),r.json?H({success:!0,localPath:t,remotePath:n,size:a.size,durationMs:s}):console.log(`✓ Uploaded ${a.size} bytes in ${s}ms`)}catch(e){V(e,r.json)}}),G(e.command(`download`).description(`Download a file from a sandbox`).argument(`<sandbox-id>`,`Sandbox ID`).argument(`<remote-path>`,`Remote file path`).argument(`<local-path>`,`Local destination path`).option(`--json`,`Output as JSON`)).action(async(e,t,n,r)=>{try{let i=await K(r).get(e);if(!i)throw Error(`Sandbox not found: ${e}`);let a=Date.now();console.log(`Downloading ${t} to ${n}...`),await i.fs.download(t,n,{onProgress:e=>{let t=e.percentage.toFixed(1);process.stdout.write(`\rProgress: ${t}% (${e.bytesDownloaded}/${e.totalBytes} bytes)`)}});let o=Date.now()-a,s=d.statSync(n);console.log(``),r.json?H({success:!0,remotePath:t,localPath:n,size:s.size,durationMs:o}):console.log(`✓ Downloaded ${s.size} bytes in ${o}ms`)}catch(e){V(e,r.json)}}),G(e.command(`ls`).description(`List directory contents`).argument(`<sandbox-id>`,`Sandbox ID`).argument(`[path]`,`Directory path`,`.`).option(`-l, --long`,`Show detailed information`).option(`-a, --all`,`Include hidden files`).option(`--json`,`Output as JSON`)).action(async(e,t,n)=>{try{let r=await K(n).get(e);if(!r)throw Error(`Sandbox not found: ${e}`);let i=await r.fs.list(t.startsWith(`/`)?t:`/${t}`,{all:n.all,long:n.long});if(n.json)H(i);else if(n.long)U([`Mode`,`Owner`,`Group`,`Size`,`Modified`,`Name`],i.map(e=>{let t=e.isDir?`d`:e.isSymlink?`l`:`-`,n=gn(e.permissions),r=e.isDir?`<DIR>`:_n(e.size),i=e.modTime.toLocaleDateString();return[t+n,e.owner,e.group,r,i,e.name]}));else{let e=i.map(e=>e.isDir?`${e.name}/`:e.name);console.log(e.join(` `))}}catch(e){V(e,n.json)}}),G(e.command(`stat`).description(`Get file or directory information`).argument(`<sandbox-id>`,`Sandbox ID`).argument(`<path>`,`Path to file or directory`).option(`--json`,`Output as JSON`)).action(async(e,t,n)=>{try{let r=await K(n).get(e);if(!r)throw Error(`Sandbox not found: ${e}`);let i=await r.fs.stat(t.startsWith(`/`)?t:`/${t}`);n.json?H(i):(console.log(` File: ${i.name}`),console.log(` Path: ${i.path}`),console.log(` Size: ${_n(i.size)} (${i.size} bytes)`),console.log(` Type: ${i.isDir?`directory`:i.isSymlink?`symlink`:`file`}`),console.log(` Mode: ${gn(i.permissions)} (${i.permissions.toString(8)})`),console.log(` Owner: ${i.owner}`),console.log(` Group: ${i.group}`),console.log(` Modified: ${i.modTime.toISOString()}`),console.log(` Accessed: ${i.accessTime.toISOString()}`))}catch(e){V(e,n.json)}}),G(e.command(`cat`).description(`Print file contents`).argument(`<sandbox-id>`,`Sandbox ID`).argument(`<path>`,`Path to file`).option(`--json`,`Output as JSON`)).action(async(e,t,n)=>{try{let r=await K(n).get(e);if(!r)throw Error(`Sandbox not found: ${e}`);let i=await r.read(t.startsWith(`/`)?t:`/${t}`);n.json?H({path:t,content:i}):console.log(i)}catch(e){V(e,n.json)}}),G(e.command(`rm`).description(`Delete a file or directory`).argument(`<sandbox-id>`,`Sandbox ID`).argument(`<path>`,`Path to delete`).option(`-r, --recursive`,`Delete directories recursively`).option(`--json`,`Output as JSON`)).action(async(e,t,n)=>{try{let r=await K(n).get(e);if(!r)throw Error(`Sandbox not found: ${e}`);await r.fs.delete(t.startsWith(`/`)?t:`/${t}`,{recursive:n.recursive}),n.json?H({success:!0,path:t,deleted:!0}):console.log(`✓ Deleted: ${t}`)}catch(e){V(e,n.json)}}),G(e.command(`mkdir`).description(`Create a directory`).argument(`<sandbox-id>`,`Sandbox ID`).argument(`<path>`,`Directory path to create`).option(`-p, --parents`,`Create parent directories as needed`).option(`--json`,`Output as JSON`)).action(async(e,t,n)=>{try{let r=await K(n).get(e);if(!r)throw Error(`Sandbox not found: ${e}`);await r.fs.mkdir(t.startsWith(`/`)?t:`/${t}`,{recursive:n.parents}),n.json?H({success:!0,path:t,created:!0}):console.log(`✓ Created: ${t}`)}catch(e){V(e,n.json)}}),G(e.command(`exists`).description(`Check if a path exists`).argument(`<sandbox-id>`,`Sandbox ID`).argument(`<path>`,`Path to check`).option(`--json`,`Output as JSON`)).action(async(e,t,n)=>{try{let r=await K(n).get(e);if(!r)throw Error(`Sandbox not found: ${e}`);let i=await r.fs.exists(t.startsWith(`/`)?t:`/${t}`);n.json?H({path:t,exists:i}):(console.log(i?`exists`:`not found`),process.exit(+!i))}catch(e){V(e,n.json)}}),e}function gn(e){let t=[`r`,`w`,`x`],n=``;for(let r=2;r>=0;r--){let i=r*3;for(let r=0;r<3;r++)n+=e>>i+(2-r)&1?t[r]:`-`}return n}function _n(e){let t=[`B`,`KB`,`MB`,`GB`,`TB`],n=e,r=0;for(;n>=1024&&r<t.length-1;)n/=1024,r++;return r===0?`${n}${t[r]}`:`${n.toFixed(1)}${t[r]}`}function G(e){return e.option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`)}function K(e){return M(O({apiKey:e.apiKey,baseUrl:e.baseUrl}))}function vn(){let e=new t(`git`).description(`Git operations in a sandbox workspace`);return e.command(`status`).description(`Show git repository status`).argument(`<id>`,`Sandbox ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=M(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=z(`Fetching status...`);t.json||r.start();let i=await n.get(e);if(!i)throw Error(`Sandbox not found: ${e}`);let a=await i.git.status();if(r.stop(),t.json)F(a);else{if(console.log(`Branch: ${a.branch}`),console.log(`HEAD: ${a.head.slice(0,7)}`),console.log(`Dirty: ${a.isDirty?`yes`:`no`}`),a.ahead&&console.log(`Ahead: ${a.ahead}`),a.behind&&console.log(`Behind: ${a.behind}`),a.staged.length>0){console.log(`\nStaged (${a.staged.length}):`);for(let e of a.staged)console.log(` + ${e}`)}if(a.modified.length>0){console.log(`\nModified (${a.modified.length}):`);for(let e of a.modified)console.log(` M ${e}`)}if(a.untracked.length>0){console.log(`\nUntracked (${a.untracked.length}):`);for(let e of a.untracked)console.log(` ? ${e}`)}}}catch(e){W(e)}}),e.command(`log`).description(`Show commit log`).argument(`<id>`,`Sandbox ID`).option(`-n, --limit <count>`,`Max commits to show`,`10`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=M(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=z(`Fetching log...`);t.json||r.start();let i=await n.get(e);if(!i)throw Error(`Sandbox not found: ${e}`);let a=await i.git.log(Number.parseInt(t.limit,10));if(r.stop(),t.json)F(a);else if(a.length===0)console.log(`No commits found`);else for(let e of a)console.log(`${e.shortSha} ${e.message.split(`
|
|
135
|
-
`)[0]} (${e.author}, ${e.date.toLocaleDateString()})`)}catch(e){W(e)}}),e.command(`diff`).description(`Show diff`).argument(`<id>`,`Sandbox ID`).option(`--ref <ref>`,`Ref to diff against`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=M(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=z(`Fetching diff...`);t.json||r.start();let i=await n.get(e);if(!i)throw Error(`Sandbox not found: ${e}`);let a=await i.git.diff(t.ref);r.stop(),t.json?F(a):a.raw?console.log(a.raw):console.log(`${a.additions} additions, ${a.deletions} deletions across ${a.files.length} files`)}catch(e){W(e)}}),e.command(`add`).description(`Stage files`).argument(`<id>`,`Sandbox ID`).argument(`<paths...>`,`Paths to stage`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=await M(O({apiKey:n.apiKey,baseUrl:n.baseUrl})).get(e);if(!r)throw Error(`Sandbox not found: ${e}`);await r.git.add(t),I(`Staged: ${t.join(`, `)}`)}catch(e){W(e)}}),e.command(`commit`).description(`Create a commit`).argument(`<id>`,`Sandbox ID`).requiredOption(`-m, --message <msg>`,`Commit message`).option(`--amend`,`Amend the previous commit`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=await M(O({apiKey:t.apiKey,baseUrl:t.baseUrl})).get(e);if(!n)throw Error(`Sandbox not found: ${e}`);let r=await n.git.commit(t.message,{amend:t.amend});t.json?F(r):I(`Committed: ${r.shortSha} ${r.message}`)}catch(e){W(e)}}),e.command(`push`).description(`Push to remote`).argument(`<id>`,`Sandbox ID`).option(`--force`,`Force push`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=M(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=z(`Pushing...`);r.start();let i=await n.get(e);if(!i)throw Error(`Sandbox not found: ${e}`);await i.git.push({force:t.force}),r.stop(),I(`Pushed to remote`)}catch(e){W(e)}}),e.command(`pull`).description(`Pull from remote`).argument(`<id>`,`Sandbox ID`).option(`--rebase`,`Rebase instead of merge`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=M(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=z(`Pulling...`);r.start();let i=await n.get(e);if(!i)throw Error(`Sandbox not found: ${e}`);await i.git.pull({rebase:t.rebase}),r.stop(),I(`Pulled from remote`)}catch(e){W(e)}}),e.command(`branches`).description(`List branches`).argument(`<id>`,`Sandbox ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=M(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=z(`Fetching branches...`);t.json||r.start();let i=await n.get(e);if(!i)throw Error(`Sandbox not found: ${e}`);let a=await i.git.branches();r.stop(),t.json?F(a):a.length===0?console.log(`No branches found`):U([`Name`,`Current`,`Remote`],a.map(e=>[e.name,e.current?`* `:` `,e.upstream??`-`]))}catch(e){W(e)}}),e.command(`checkout`).description(`Checkout a branch or ref`).argument(`<id>`,`Sandbox ID`).argument(`<ref>`,`Branch name or ref`).option(`-b, --create`,`Create a new branch`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=await M(O({apiKey:n.apiKey,baseUrl:n.baseUrl})).get(e);if(!r)throw Error(`Sandbox not found: ${e}`);await r.git.checkout(t,{create:n.create}),I(`Checked out: ${t}${n.create?` (new)`:``}`)}catch(e){W(e)}}),e}async function yn(e){let{Writable:t}=await import(`node:stream`),n=await import(`node:readline`),r=!1,i=new t({write(e,t,n){r||process.stdout.write(e,t),n()}}),a=n.createInterface({input:process.stdin,output:i,terminal:!0});return process.stdout.write(e),r=!0,await new Promise(e=>{a.question(``,t=>{r=!1,a.close(),process.stdout.write(`
|
|
136
|
-
`),e(t.trim())})})}async function q(e){let t=(await import(`node:readline`)).createInterface({input:process.stdin,output:process.stdout}),n=await new Promise(n=>{t.question(e,e=>{t.close(),n(e.trim().toLowerCase())})});return n===`y`||n===`yes`}async function bn(){if(process.stdin.isTTY)throw Error(`Cannot read secret from stdin when stdin is a TTY`);let e=[];for await(let t of process.stdin)e.push(Buffer.isBuffer(t)?t:Buffer.from(t));return Buffer.concat(e).toString(`utf8`).replace(/\r?\n$/,``)}function xn(){let e=new t(`hub`).description(`Discover and run Tangle Hub tools`);e.option(`--json`,`Output as JSON`),e.hook(`preAction`,(e,t)=>{wn(t)}),e.command(`connect`).description(`Connect a provider account`).argument(`provider`,`Provider to connect`).option(`--no-browser`,`Print the authorization URL instead of opening it`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=await J(t).connections.start(e,{cli:!0});if(t.json){F(Vn(n));return}Bn(n,t.browser===!1?!1:await jt(n.redirectUrl))}catch(e){Y(e,t)}});let n=new t(`connections`).description(`List Hub provider connections`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=await J(e).connections.list();if(e.json){F(t);return}zn(t.connections)}catch(t){Y(t,e)}});n.command(`revoke <connection-id>`).description(`Revoke a Hub provider connection`).option(`--force`,`Skip confirmation prompt`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{if(!t.force&&!await q(`Revoke Hub connection ${e}? `)){R(`Revoke cancelled.`);return}let n=await J(t).connections.revoke(e);if(t.json){F(n);return}R(`Revoked Hub connection ${n.connection.id}.`)}catch(e){Y(e,t)}}),e.addCommand(n);let r=new t(`permissions`).description(`Manage Hub action permissions`);r.command(`list`).description(`List Hub permissions for a connection`).requiredOption(`--connection <id>`,`Hub connection ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{if(!e.connection)throw Error(`--connection is required.`);let t=await J(e).permissions.list(e.connection);if(e.json){F(t);return}Pn(t.policies)}catch(t){Y(t,e)}}),r.command(`set`).description(`Set Hub permission for one action`).requiredOption(`--connection <id>`,`Hub connection ID`).requiredOption(`--action <path>`,`Executor action path`).requiredOption(`--decision <allow|ask|deny>`,`Permission decision`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{if(!e.connection)throw Error(`--connection is required.`);if(!e.action)throw Error(`--action is required.`);let t=Fn(e.decision),n=await J(e).permissions.set({connectionId:e.connection,actionPath:e.action,decision:t});if(e.json){F(n);return}Pn([n.policy])}catch(t){Y(t,e)}}),e.addCommand(r);let i=new t(`approvals`).description(`List and resolve Hub execution approvals`);i.command(`list`).description(`List pending Hub execution approvals`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=await J(e).approvals.list();if(e.json){F(t);return}kn(t.approvals)}catch(t){Y(t,e)}}),i.command(`approve`).description(`Approve a pending Hub execution approval`).argument(`approval-id`,`Hub approval ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{On(e),An(await J(t).approvals.approve(e),t.json===!0)}catch(e){Y(e,t)}}),i.command(`deny`).description(`Deny a pending Hub execution approval`).argument(`approval-id`,`Hub approval ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{On(e),An(await J(t).approvals.deny(e),t.json===!0)}catch(e){Y(e,t)}}),e.addCommand(i);let a=new t(`tools`).description(`Discover Hub tools`);return a.command(`sources`).description(`List Hub tool sources`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=await J(e).tools.sources();if(e.json){F(t);return}In(t.sources)}catch(t){Y(t,e)}}),a.command(`describe`).description(`Describe a Hub tool`).argument(`path`,`Executor tool path`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=await J(t).tools.describe(e);if(t.json){F(n);return}Ln(n.tool)}catch(e){Y(e,t)}}),a.command(`search`).description(`Search Hub tools`).argument(`<query...>`,`Search query`).option(`--provider <provider>`,`Filter by provider/source ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=await J(t).tools.search(e.join(` `),{provider:t.provider});if(t.json){F(n);return}Nn(n.tools)}catch(e){Y(e,t)}}),e.addCommand(a),e.addCommand(Cn(`call`)),e.addCommand(Cn(`exec`)),e.command(`resume`).description(`Resolve a Hub approval created by a paused execution`).argument(`approval-id`,`Hub approval ID from HUB_APPROVAL_REQUIRED`).option(`--accept`,`Approve the execution approval`).option(`--decline`,`Deny the execution approval`).option(`--cancel`,`Unsupported for approval-backed Hub resume`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{if(On(e),t.cancel)throw Error(`Hub approval resume does not support --cancel. Use --decline to deny the approval.`);if(t.accept&&t.decline)throw Error(`Choose only one of --accept or --decline.`);if(!t.accept&&!t.decline)throw Error(`Choose --accept to approve or --decline to deny the Hub approval.`);let n=J(t);An(t.decline?await n.approvals.deny(e):await n.approvals.approve(e),t.json===!0)}catch(e){Y(e,t)}}),e.command(`status`).description(`Show Hub auth and connection status`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=await J(e).status();if(e.json){F(t);return}Hn(t)}catch(t){Y(t,e)}}),e}function J(e){let t=Sn(e);return new le({baseUrl:t.baseUrl,apiKey:t.apiKey})}function Sn(e){let t=E(e.apiKey),n=Ke(e.apiKey),r=process.env.TANGLE_HUB_CAPABILITY_TOKEN?.trim();if(r&&n===`env`)throw Error(`Set exactly one of TANGLE_API_KEY/SANDBOX_API_KEY or TANGLE_HUB_CAPABILITY_TOKEN, not both`);return O({apiKey:n===`flag`?t:r||t,baseUrl:e.baseUrl??qe(process.env.TANGLE_HUB_URL)})}function Cn(e){return new t(e).description(`Execute a Hub tool`).argument(`<args...>`,`Tool path tokens followed by JSON input`).option(`--connection <id>`,`Hub connection ID`).option(`--auto-approve`,`Approve a HUB_APPROVAL_REQUIRED execution and retry once`).option(`--approve`,`Alias for --auto-approve`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let{args:n,approve:r}=Dn(e,t),{path:i,input:a}=Mn(n);F((await J(t).tools.invoke(i,a,{connectionId:t.connection,approve:r})).result)}catch(e){Y(e,t)}})}function wn(e){if(!Tn(e,`json`)||e.getOptionValue(`json`)!==void 0)return;let t=e.parent;for(;t;){let n=t.getOptionValue(`json`);if(n!==void 0){e.setOptionValue(`json`,n);return}t=t.parent}}function Tn(e,t){return e.options.some(e=>e.attributeName()===t)}function En(e){return e.json===!0}function Y(e,t){return En(t)?W(e,!0):W(e)}function Dn(e,t){let n=t.autoApprove;return{args:e.filter(e=>e!==`--approve`&&e!==`--auto-approve`),approve:t.approve===!0||n===!0||e.includes(`--approve`)||e.includes(`--auto-approve`)}}function On(e){if(!/^[A-Za-z0-9_-]+$/.test(e))throw Error(`Hub approval ID must contain only letters, numbers, underscores, and dashes.`)}function kn(e){P(e.map(e=>({id:e.id,provider:e.providerId,action:e.actionPath,connection:e.connectionId,status:e.status,expires:e.expiresAt})),[{key:`id`,header:`ID`},{key:`provider`,header:`Provider`},{key:`action`,header:`Action`},{key:`connection`,header:`Connection`},{key:`status`,header:`Status`},{key:`expires`,header:`Expires`}])}function An(e,t){if(t){F(jn(e));return}R(`Hub approval ${e.approval.id} ${e.approval.status}.`),e.capabilityToken&&R("Capability token minted. Re-run the original command with `--approve` to execute automatically.")}function jn(e){return{approval:e.approval,...e.capabilityToken?{capabilityToken:{tokenId:e.capabilityToken.tokenId,expiresAt:e.capabilityToken.expiresAt}}:{}}}function Mn(e){if(e.length<2)throw Error(`Usage: tangle hub call <path> <json-input>`);let t=e.at(-1);if(t===void 0)throw Error(`Usage: tangle hub call <path> <json-input>`);try{return{path:e.slice(0,-1).join(`.`),input:JSON.parse(t)}}catch{throw Error(`Hub call input must be valid JSON.`)}}function Nn(e){P(e.map(e=>({path:e.path,provider:e.providerId??e.requiredConnectionProviderId,title:e.title,description:e.description,connection:Rn(e),policy:e.policyState})),[{key:`path`,header:`Path`},{key:`provider`,header:`Provider`},{key:`title`,header:`Title`},{key:`description`,header:`Description`},{key:`connection`,header:`Connection`},{key:`policy`,header:`Policy`}])}function Pn(e){P(e.map(e=>({connection:e.connectionId,provider:e.providerId,action:e.actionPath,decision:e.decision,updated:e.updatedAt})),[{key:`connection`,header:`Connection`},{key:`provider`,header:`Provider`},{key:`action`,header:`Action`},{key:`decision`,header:`Decision`},{key:`updated`,header:`Updated`}])}function Fn(e){if(e===`allow`||e===`ask`||e===`deny`)return e;throw Error(`--decision must be one of: allow, ask, deny.`)}function In(e){P(e.map(e=>({source:e.sourceId,provider:e.displayName,tools:e.toolCount,connection:e.connectionStatus,health:e.health,configured:e.configured})),[{key:`source`,header:`Source`},{key:`provider`,header:`Provider`},{key:`tools`,header:`Tools`},{key:`connection`,header:`Connection`},{key:`health`,header:`Health`},{key:`configured`,header:`Configured`}])}function Ln(e){B({Path:e.path,Provider:e.providerId??e.requiredConnectionProviderId,Title:e.title,Description:e.description,Connection:Rn(e),Policy:e.policyState}),e.inputSchema!==void 0&&(R(`Input schema`),console.log(JSON.stringify(e.inputSchema,null,2))),e.outputSchema!==void 0&&(R(`Output schema`),console.log(JSON.stringify(e.outputSchema,null,2)))}function Rn(e){if(e.connectionRequired===!1)return`not required`;if(e.connectionStatus)return e.connectionStatus}function zn(e){P(e.map(e=>({id:e.id,provider:e.providerId,account:e.accountDisplay??e.displayName,scopes:e.scopes.join(`, `),status:e.status,health:e.health,lastUsed:e.lastUsedAt})),[{key:`id`,header:`ID`},{key:`provider`,header:`Provider`},{key:`account`,header:`Account`},{key:`scopes`,header:`Scopes`},{key:`status`,header:`Status`},{key:`health`,header:`Health`},{key:`lastUsed`,header:`Last Used`}])}function Bn(e,t){t?R(`Opened browser to connect ${e.provider}.`):(R(`Open this URL to connect ${e.provider}:`),console.log(e.redirectUrl)),R("Finish authorization in the browser, then rerun `tangle hub status`.")}function Vn(e){return{provider:e.provider,redirectUrl:e.redirectUrl,expiresAt:e.expiresAt,scopes:e.scopes,cli:e.cli}}function Hn(e){let{principal:t,connections:n}=e;R(`Hub status`),B({Principal:t.kind,"User ID":t.userId,"API Key ID":t.apiKeyId,"Sandbox ID":t.sandboxId,"Connected Providers":n.connectedProviderCount,"Unhealthy Providers":n.unhealthyProviderCount}),n.unhealthyProviderCount>0&&R(`Some providers require reconnect.`)}function Un(){let e=new t(`intelligence`).description(`Create and inspect trace intelligence reports`);return e.command(`sandbox <sandbox-id>`).description(`Create an intelligence report for one sandbox`).option(`--mode <mode>`,`deterministic | agentic`,`deterministic`).option(`--max-usd <amount>`,`Maximum customer charge for agentic analysis`).option(`--metadata <json>`,`Metadata JSON object`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{await Wn({type:`sandbox`,id:e},t)}),e.command(`fleet <fleet-id>`).description(`Create an intelligence report for a sandbox fleet`).option(`--mode <mode>`,`deterministic | agentic`,`deterministic`).option(`--max-usd <amount>`,`Maximum customer charge for agentic analysis`).option(`--metadata <json>`,`Metadata JSON object`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{await Wn({type:`fleet`,id:e},t)}),e.command(`create`).description(`Create a trace intelligence report`).requiredOption(`--subject-type <type>`,`sandbox | fleet`).requiredOption(`--subject-id <id>`,`Subject identifier`).option(`--mode <mode>`,`deterministic | agentic`,`deterministic`).option(`--max-usd <amount>`,`Maximum customer charge for agentic analysis`).option(`--metadata <json>`,`Metadata JSON object`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{await Wn({type:Kn(e.subjectType),id:e.subjectId},e)}),e.command(`get <job-id>`).description(`Get an intelligence report`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=M(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=t.json?null:z(`Fetching intelligence report...`);r?.start();let i=await n.intelligence.getReport(e);if(r?.stop(),t.json){F(i);return}Gn(i)}catch(e){W(e)}}),e.command(`list`).description(`List intelligence reports`).option(`--subject-type <type>`,`sandbox | fleet`).option(`--subject-id <id>`,`Subject identifier`).option(`--limit <count>`,`Maximum reports to return`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=M(O({apiKey:e.apiKey,baseUrl:e.baseUrl})),n=e.json?null:z(`Fetching intelligence reports...`);n?.start();let r=await t.intelligence.listReports({subjectType:e.subjectType===void 0?void 0:Kn(e.subjectType),subjectId:e.subjectId,limit:e.limit===void 0?void 0:Yn(e.limit)});if(n?.stop(),e.json){F(r);return}P(r.map(e=>({jobId:e.jobId,subject:`${e.subject.type}:${e.subject.id}`,mode:e.mode,status:e.status,cost:`$${e.billing.costUsd.toFixed(2)}`,updatedAt:e.updatedAt})),[{key:`jobId`,header:`Job`,width:20},{key:`subject`,header:`Subject`,width:28},{key:`mode`,header:`Mode`,width:15},{key:`status`,header:`Status`,width:14},{key:`cost`,header:`Cost`,width:10},{key:`updatedAt`,header:`Updated`,width:18}])}catch(e){W(e)}}),e}async function Wn(e,t){try{let n=qn(t.mode),r=Xn(t.metadata),i=t.maxUsd===void 0?void 0:Jn(t.maxUsd);if(n===`agentic`&&i===void 0)throw Error(`Agentic intelligence reports require --max-usd`);let a=M(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),o=t.json?null:z(`Creating intelligence report...`);o?.start();let s=await a.intelligence.createReport({subject:e,mode:n,...i===void 0?{}:{budget:{billTo:`customer`,maxUsd:i}},...r===void 0?{}:{metadata:r}});if(o?.stop(),t.json){F(s);return}Gn(s)}catch(e){W(e)}}function Gn(e){B({Job:e.jobId,Subject:`${e.subject.type}:${e.subject.id}`,Mode:e.mode,Status:e.status,"Billed To":e.billing.billedTo,Cost:`$${e.billing.costUsd.toFixed(2)}`,Budget:e.billing.budgetMaxUsd===void 0?void 0:`$${e.billing.budgetMaxUsd.toFixed(2)}`,Updated:e.updatedAt}),e.result!==null&&(console.log(),F(e.result))}function Kn(e){if(e===`sandbox`||e===`fleet`)return e;throw Error(`subject type must be sandbox or fleet`)}function qn(e){if(e===`deterministic`||e===`agentic`)return e;throw Error(`mode must be deterministic or agentic`)}function Jn(e){let t=Number(e);if(!Number.isFinite(t)||t<0)throw Error(`--max-usd must be a non-negative number`);return t}function Yn(e){let t=Number(e);if(!Number.isInteger(t)||t<1)throw Error(`--limit must be a positive integer`);return t}function Xn(e){if(e===void 0)return;let t=JSON.parse(e);if(!t||typeof t!=`object`||Array.isArray(t))throw Error(`--metadata must be a JSON object`);return t}const Zn=[`router`,`sandbox`,`blueprint-agent`,`evals`,`agent-builder`];function Qn(e){return(e?.trim()||process.env.TANGLE_PLATFORM_URL?.trim()||`https://id.tangle.tools`).replace(/\/+$/,``)}async function $n(e,t,n={}){let r=new Headers(n.headers);r.set(`Authorization`,`Bearer ${t}`),n.body&&!r.has(`content-type`)&&r.set(`content-type`,`application/json`);let i=await fetch(e,{...n,headers:r});if(n.expected!==void 0&&i.status!==n.expected){let t=await i.text().catch(()=>``),n=t?`: ${t.slice(0,400)}`:``;throw Error(`Platform request to ${e} returned ${i.status}${n}`)}return i}const er=[`ID`,`Prefix`,`Name`,`Product`,`Created`,`Last used`,`Expires`];function tr(e){return[e.id,e.keyPrefix??``,e.name,e.product??`all`,e.createdAt,e.lastUsedAt??`—`,e.expiresAt??`—`]}function nr(){let e=new t(`keys`).description(`Manage sk-tan-* API keys on id.tangle.tools`);return e.command(`list`).description(`List your active API keys`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key (overrides configured credentials)`).option(`--base-url <url>`,`Sandbox API base URL (not platform URL)`).option(`--platform-url <url>`,`Override the platform URL (id.tangle.tools)`).action(async e=>{try{let t=O({apiKey:e.apiKey,baseUrl:e.baseUrl}),n=await(await $n(`${Qn(e.platformUrl)}/v1/keys`,t.apiKey,{expected:200})).json();if(e.json){F(n);return}U(er,n.data.map(tr))}catch(e){W(e)}}),e.command(`create`).description(`Create a new API key`).argument(`<name>`,`Human-readable name for the key`).option(`--product <product>`,`Restrict the key to one product (${Zn.join(`|`)}). Omit for all products.`).option(`--budget-usd <amount>`,`Hard budget cap in USD`).option(`--rpm-limit <limit>`,`Requests-per-minute cap`).option(`--expires-in-days <days>`,`Expire the key after N days (integer)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key (overrides configured credentials)`).option(`--base-url <url>`,`Sandbox API base URL (not platform URL)`).option(`--platform-url <url>`,`Override the platform URL (id.tangle.tools)`).action(async(e,t)=>{try{if(t.product!==void 0&&!Zn.includes(t.product))throw Error(`Invalid --product. Expected one of ${Zn.join(`, `)}`);let n=O({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=Qn(t.platformUrl),i=t.expiresInDays===void 0?void 0:new Date(Date.now()+Number.parseInt(t.expiresInDays,10)*24*60*60*1e3).toISOString(),a=z(`Creating API key...`);a.start();let o=await $n(`${r}/v1/keys`,n.apiKey,{method:`POST`,expected:201,body:JSON.stringify({name:e,product:t.product,budgetUsd:t.budgetUsd?Number.parseFloat(t.budgetUsd):void 0,rpmLimit:t.rpmLimit?Number.parseInt(t.rpmLimit,10):void 0,expiresAt:i})});a.stop();let s=await o.json();if(t.json){F(s);return}I(`API key created: ${s.data.prefix}…`),R(`Copy this key now — it will never be shown again:\n${s.data.key}`)}catch(e){W(e)}}),e.command(`revoke`).description(`Revoke an API key`).argument(`<keyId>`,"Key ID (from `tcloud keys list`)").option(`--yes`,`Skip the confirmation prompt`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key (overrides configured credentials)`).option(`--base-url <url>`,`Sandbox API base URL (not platform URL)`).option(`--platform-url <url>`,`Override the platform URL (id.tangle.tools)`).action(async(e,t)=>{try{let n=O({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=Qn(t.platformUrl);if(!t.yes&&!await q(`Revoke key ${e}? Any service still using it will start to fail.`)){R(`Aborted.`);return}let i=await(await $n(`${r}/v1/keys/${encodeURIComponent(e)}`,n.apiKey,{method:`DELETE`,expected:200})).json();if(t.json){F(i);return}I(`Revoked ${e}`)}catch(e){W(e)}}),e}function rr(){let e=new t(`mcp`).description(`Model Context Protocol bridge commands.`);return e.command(`serve <id>`).description(`Run a local MCP server (stdio) backed by the given sandbox. Pipe its stdio from an MCP client config to expose sandbox tools.`).option(`-s, --session <id>`,`Session id for kernel scoping`,`mcp-local`).option(`--name <name>`,`MCP server name reported to clients`,`tangle-sandbox`).action(async(e,t)=>{try{let n=await M(O({apiKey:t.apiKey,baseUrl:t.baseUrl})).get(e);if(!n)throw Error(`Sandbox not found: ${e}`);let r;try{r=(await import(`@modelcontextprotocol/sdk/server/stdio.js`)).StdioServerTransport}catch{throw Error("`@modelcontextprotocol/sdk` is not installed in this environment. Install it with: pnpm add -g @modelcontextprotocol/sdk (or as a dev dep in the project running this command).")}let{connect:i,close:a}=await pe(n,{sessionId:t.session,name:t.name});await i(new r),process.stdin.resume(),process.stdin.on(`end`,()=>{a().finally(()=>process.exit(0))});for(let e of[`SIGINT`,`SIGTERM`])process.on(e,()=>{a().finally(()=>process.exit(0))})}catch(e){W(e)}}),e}function ir(){let e=new t(`permissions`).description(`Manage sandbox user permissions`);return e.command(`list <sandboxId>`).description(`List all users in a sandbox`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=M(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=z(`Fetching users...`);r.start();let i=await n.get(e);if(!i)throw r.stop(),Error(`Sandbox ${e} not found`);let a=await i.permissions.list();r.stop(),t.json?F(a):P(a.map(e=>({userId:e.userId,username:e.username,role:e.role,homeDir:e.homeDir,createdAt:e.createdAt.toISOString().split(`T`)[0]})),[{key:`userId`,header:`User ID`,width:20},{key:`username`,header:`Username`,width:16},{key:`role`,header:`Role`,width:12},{key:`homeDir`,header:`Home Directory`,width:24},{key:`createdAt`,header:`Created`,width:16}])}catch(e){W(e)}}),e.command(`get <sandboxId> <userId>`).description(`Get details for a specific user`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=M(O({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=z(`Fetching user...`);i.start();let a=await r.get(e);if(!a)throw i.stop(),Error(`Sandbox ${e} not found`);let o=await a.permissions.get(t);if(i.stop(),!o)throw Error(`User ${t} not found in sandbox ${e}`);n.json?F(o):(R(`User: ${o.userId}`),R(` Username: ${o.username}`),R(` Role: ${o.role}`),R(` Home: ${o.homeDir}`),R(` SSH Keys: ${o.sshKeys.length}`),R(` Created: ${o.createdAt.toISOString()}`))}catch(e){W(e)}}),e.command(`add <sandboxId>`).description(`Add a user to a sandbox`).requiredOption(`--user-id <id>`,`User ID (from your auth system)`).option(`--username <name>`,`Preferred username`).option(`--role <role>`,`Permission level (owner, admin, developer, viewer)`,`developer`).option(`--ssh-key <key>`,`SSH public key for access`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=M(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=z(`Adding user...`);r.start();let i=await n.get(e);if(!i)throw r.stop(),Error(`Sandbox ${e} not found`);let a=await i.permissions.add({userId:t.userId,username:t.username,role:t.role,sshKeys:t.sshKey?[t.sshKey]:void 0});r.stop(),t.json?F(a):(I(`User ${a.userId} added as ${a.role}`),R(` Username: ${a.username}`),R(` Home: ${a.homeDir}`))}catch(e){W(e)}}),e.command(`update <sandboxId> <userId>`).description(`Update a user's permissions`).option(`--role <role>`,`New permission level (owner, admin, developer, viewer)`).option(`--add-ssh-key <key>`,`Add SSH public key`).option(`--remove-ssh-key <key>`,`Remove SSH public key`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=M(O({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=z(`Updating user...`);i.start();let a=await r.get(e);if(!a)throw i.stop(),Error(`Sandbox ${e} not found`);let o=await a.permissions.update(t,{role:n.role,addSshKeys:n.addSshKey?[n.addSshKey]:void 0,removeSshKeys:n.removeSshKey?[n.removeSshKey]:void 0});i.stop(),n.json?F(o):(I(`User ${t} updated`),R(` Role: ${o.role}`),R(` SSH Keys: ${o.sshKeys.length}`))}catch(e){W(e)}}),e.command(`remove <sandboxId> <userId>`).description(`Remove a user from a sandbox`).option(`--preserve-home`,`Keep user's home directory`).option(`-f, --force`,`Skip confirmation`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{if(!n.force){let e=(await import(`node:readline`)).createInterface({input:process.stdin,output:process.stdout});if(!await new Promise(n=>{e.question(`Remove user ${t} from sandbox? [y/N] `,t=>{e.close(),n(t.toLowerCase()===`y`)})})){R(`Cancelled.`);return}}let r=M(O({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=z(`Removing user...`);i.start();let a=await r.get(e);if(!a)throw i.stop(),Error(`Sandbox ${e} not found`);await a.permissions.remove(t,{preserveHomeDir:n.preserveHome}),i.stop(),I(`User ${t} removed from sandbox ${e}`)}catch(e){W(e)}}),e.command(`policies <sandboxId> <userId>`).description(`Get access policies for a user`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=M(O({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=z(`Fetching policies...`);i.start();let a=await r.get(e);if(!a)throw i.stop(),Error(`Sandbox ${e} not found`);let o=await a.permissions.getAccessPolicies(t);i.stop(),n.json?F(o):o.length===0?R(`No access policies configured`):P(o.map(e=>({pattern:e.pattern,permission:e.permission,priority:e.priority??0})),[{key:`pattern`,header:`Pattern`,width:30},{key:`permission`,header:`Permission`,width:12},{key:`priority`,header:`Priority`,width:10}])}catch(e){W(e)}}),e.command(`check <sandboxId> <userId> <path> <action>`).description(`Check if a user can perform an action on a path`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n,r,i)=>{try{if(![`read`,`write`,`execute`].includes(r))throw Error(`Action must be: read, write, or execute`);let a=M(O({apiKey:i.apiKey,baseUrl:i.baseUrl})),o=z(`Checking access...`);o.start();let s=await a.get(e);if(!s)throw o.stop(),Error(`Sandbox ${e} not found`);let c=await s.permissions.checkAccess(t,n,r);o.stop(),c?I(`✓ User ${t} CAN ${r} ${n}`):R(`✗ User ${t} CANNOT ${r} ${n}`)}catch(e){W(e)}}),e}function ar(){let e=new t(`preview`).description(`Manage sandbox preview links`);return e.command(`list`).alias(`ls`).description(`List active preview links for a sandbox`).argument(`<id>`,`Sandbox ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=M(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=z(`Fetching preview links...`);t.json||r.start();let i=await n.get(e);if(!i)throw Error(`Sandbox not found: ${e}`);let a=await i.previewLinks.list();r.stop(),t.json?F(a):a.length===0?console.log(`No preview links found`):U([`Preview ID`,`Port`,`URL`,`Status`],a.map(e=>[e.previewId.slice(0,12),String(e.port),e.url,e.status]))}catch(e){W(e)}}),e.command(`create`).description(`Create a preview link for a port`).argument(`<id>`,`Sandbox ID`).argument(`<port>`,`Port number to preview`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=M(O({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=z(`Creating preview for port ${t}...`);n.json||i.start();let a=await r.get(e);if(!a)throw Error(`Sandbox not found: ${e}`);let o=await a.previewLinks.create(Number.parseInt(t,10));i.stop(),n.json?F(o):(I(`Preview created: ${o.url}`),console.log(`Preview ID: ${o.previewId}`))}catch(e){W(e)}}),e.command(`remove`).alias(`rm`).description(`Remove a preview link`).argument(`<id>`,`Sandbox ID`).argument(`<preview-id>`,`Preview link ID (from 'preview list')`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=M(O({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=z(`Removing preview...`);n.json||i.start();let a=await r.get(e);if(!a)throw Error(`Sandbox not found: ${e}`);await a.previewLinks.remove(t),i.stop(),n.json?F({success:!0,previewId:t}):I(`Preview removed: ${t}`)}catch(e){W(e)}}),e}function or(){let e=new t(`process`).description(`Manage processes in a sandbox`);return e.command(`spawn`).description(`Spawn a process without blocking (returns PID)`).argument(`<id>`,`Sandbox ID`).argument(`<command>`,`Command to execute`).option(`--cwd <dir>`,`Working directory`).option(`--env <vars...>`,`Environment variables (KEY=VALUE)`).option(`-t, --timeout <ms>`,`Timeout in milliseconds`).option(`--blocking`,`Wait for completion (default: false)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=M(O({apiKey:n.apiKey,baseUrl:n.baseUrl})),i={};if(n.env)for(let e of n.env){let[t,...n]=e.split(`=`);t&&n.length>0&&(i[t]=n.join(`=`))}let a=z(`Spawning: ${t}`);n.json||a.start();let o=await r.get(e);if(!o)throw Error(`Sandbox not found: ${e}`);if(n.blocking){let e=await o.exec(t,{cwd:n.cwd,env:Object.keys(i).length>0?i:void 0,timeoutMs:n.timeout?Number.parseInt(n.timeout,10):void 0});a.stop(),n.json?F(e):(e.stdout&&globalThis.process.stdout.write(e.stdout),e.stderr&&globalThis.process.stderr.write(e.stderr),e.exitCode!==0&&globalThis.process.exit(e.exitCode))}else{let r=await o.process.spawn(t,{cwd:n.cwd,env:Object.keys(i).length>0?i:void 0,timeoutMs:n.timeout?Number.parseInt(n.timeout,10):void 0});a.stop(),n.json?F({pid:r.pid,command:r.command}):(console.log(`Process started with PID: ${r.pid}`),console.log(`Use 'tangle process logs ${e} ${r.pid}' to view output`))}}catch(e){W(e)}}),e.command(`list`).alias(`ls`).description(`List all processes in a sandbox`).argument(`<id>`,`Sandbox ID`).option(`--running`,`Show only running processes`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=M(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=z(`Fetching processes...`);t.json||r.start();let i=await n.get(e);if(!i)throw Error(`Sandbox not found: ${e}`);let a=await i.process.list();t.running&&(a=a.filter(e=>e.running)),r.stop(),t.json?F(a):a.length===0?console.log(`No processes found`):U([`PID`,`Command`,`Status`,`Exit Code`,`Started`],a.map(e=>[String(e.pid),e.command.length>40?`${e.command.slice(0,37)}...`:e.command,e.running?`running`:`exited`,String(e.exitCode),e.startedAt.toLocaleString()]))}catch(e){W(e)}}),e.command(`get`).description(`Get detailed info about a process`).argument(`<id>`,`Sandbox ID`).argument(`<pid>`,`Process ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=M(O({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=z(`Fetching process info...`);n.json||i.start();let a=await r.get(e);if(!a)throw Error(`Sandbox not found: ${e}`);let o=await a.process.get(Number.parseInt(t,10));if(i.stop(),!o){console.error(`Process ${t} not found`),globalThis.process.exit(1);return}let s=await o.status();n.json?F(s):(console.log(`PID: ${s.pid}`),console.log(`Command: ${s.command}`),console.log(`CWD: ${s.cwd||`(default)`}`),console.log(`Status: ${s.running?`running`:`exited`}`),console.log(`Exit Code: ${s.exitCode}`),s.exitSignal&&console.log(`Signal: ${s.exitSignal}`),console.log(`Started: ${s.startedAt.toLocaleString()}`),s.exitedAt&&console.log(`Exited: ${s.exitedAt.toLocaleString()}`))}catch(e){W(e)}}),e.command(`kill`).description(`Kill a process`).argument(`<id>`,`Sandbox ID`).argument(`<pid>`,`Process ID`).option(`-s, --signal <signal>`,`Signal to send (SIGTERM, SIGKILL, etc.)`,`SIGTERM`).option(`--tree`,`Also kill descendants of the tracked process`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=M(O({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=z(`Sending ${n.signal} to PID ${t}...`);n.json||i.start();let a=await r.get(e);if(!a)throw Error(`Sandbox not found: ${e}`);let o=await a.process.get(Number.parseInt(t,10));if(!o){i.stop(),console.error(`Process ${t} not found`),globalThis.process.exit(1);return}n.tree?await o.kill(n.signal,{tree:!0}):await o.kill(n.signal),i.stop(),n.json?F({pid:Number.parseInt(t,10),signal:n.signal,...n.tree===!0?{tree:!0}:{},killed:!0}):console.log(n.tree?`Sent ${n.signal} to process tree ${t}`:`Sent ${n.signal} to process ${t}`)}catch(e){W(e)}}),e.command(`logs`).description(`Stream buffered and live process logs until the process exits`).argument(`<id>`,`Sandbox ID`).argument(`<pid>`,`Process ID`).option(`--stdout-only`,`Only show stdout`).option(`--stderr-only`,`Only show stderr`).option(`--json`,`Output as JSON lines`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=await M(O({apiKey:n.apiKey,baseUrl:n.baseUrl})).get(e);if(!r)throw Error(`Sandbox not found: ${e}`);let i=await r.process.get(Number.parseInt(t,10));if(!i){console.error(`Process ${t} not found`),globalThis.process.exit(1);return}for await(let e of i.logs())n.stdoutOnly&&e.type!==`stdout`||n.stderrOnly&&e.type!==`stderr`||(n.json?console.log(JSON.stringify(e)):e.type===`stdout`?globalThis.process.stdout.write(e.data):globalThis.process.stderr.write(e.data))}catch(e){W(e)}}),e.command(`run-code`).description(`Execute Python code directly`).argument(`<id>`,`Sandbox ID`).argument(`<code>`,`Python code to execute`).option(`--cwd <dir>`,`Working directory`).option(`--env <vars...>`,`Environment variables (KEY=VALUE)`).option(`-t, --timeout <ms>`,`Timeout in milliseconds`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=M(O({apiKey:n.apiKey,baseUrl:n.baseUrl})),i={};if(n.env)for(let e of n.env){let[t,...n]=e.split(`=`);t&&n.length>0&&(i[t]=n.join(`=`))}let a=z(`Executing Python code...`);n.json||a.start();let o=await r.get(e);if(!o)throw Error(`Sandbox not found: ${e}`);let s=await o.process.runCode(t,{cwd:n.cwd,env:Object.keys(i).length>0?i:void 0,timeoutMs:n.timeout?Number.parseInt(n.timeout,10):void 0});a.stop(),n.json?F(s):(s.stdout&&globalThis.process.stdout.write(s.stdout),s.stderr&&globalThis.process.stderr.write(s.stderr),s.exitCode!==0&&globalThis.process.exit(s.exitCode))}catch(e){W(e)}}),e}const sr=[`python`,`node`,`typescript`,`bash`];function cr(e){switch(se(e).toLowerCase()){case`.py`:return`python`;case`.js`:case`.mjs`:case`.cjs`:return`node`;case`.ts`:case`.tsx`:return`typescript`;case`.sh`:case`.bash`:return`bash`;default:return}}async function lr(e){if(e===`-`){let e=[];for await(let t of process.stdin)e.push(typeof t==`string`?Buffer.from(t):t);return Buffer.concat(e).toString(`utf8`)}return await me(h(e),`utf8`)}async function ur(e,t,n=lr){let r=t?sr.find(e=>e===t)??(()=>{throw Error(`unknown --lang ${t}: must be one of ${sr.join(`, `)}`)})():void 0;if(!e||e===`-`){if(!r)throw Error(`reading from stdin requires --lang. Example: tangle run <id> -l python -`);return{language:r,source:await n(`-`)}}let i=cr(e);return{language:r??i??(()=>{throw Error(`cannot infer language from "${e}". Pass it explicitly: tangle run <id> -l <python|node|typescript|bash> ${e}`)})(),source:await n(e)}}function dr(e){return m(oe(),`tangle-run-images`,e)}function fr(){return new t(`run`).description(`Run code in a persistent kernel inside a sandbox. Variables persist across calls in the same --session.`).argument(`<id>`,`Sandbox ID`).argument(`[file]`,`Path to source file. Language is inferred from extension. Use - for stdin (requires --lang).`).option(`-l, --lang <lang>`,`Force language: ${sr.join(` | `)}. Required for stdin.`).option(`-s, --session <id>`,`Session id for kernel scoping`).option(`-t, --timeout <ms>`,`Per-call timeout in ms (0 disables)`,`60000`).option(`--save-images <dir>`,`Write image results into this directory (default: $TMPDIR/tangle-run-images/<sandbox>/).`).option(`--no-save-images`,`Don't write image results to disk; print summary only`).option(`--json`,`Output the full CodeExecutionResult as JSON`).action(async(e,t,r)=>{try{let{language:i,source:a}=await ur(t,r.lang),o=await M(O({apiKey:r.apiKey,baseUrl:r.baseUrl})).get(e);if(!o)throw Error(`Sandbox not found: ${e}`);let s=z(`Running ${i} (${a.length}b)…`);r.json||s.start();let c=await o.runCode(i,a,{sessionId:r.session,timeoutMs:Number.parseInt(r.timeout,10)});if(s.stop(),r.json){F(c),c.exitCode!==0&&process.exit(c.exitCode);return}c.stdout&&process.stdout.write(c.stdout),c.stderr&&process.stderr.write(c.stderr);let l=0;for(let t of c.results)if(t.type===`image`)if(r.saveImages!==!1){let i=typeof r.saveImages==`string`?r.saveImages:dr(e);re(i,{recursive:!0});let a=`${i}/${Date.now()}-${l}.${t.format}`;ie(a,Buffer.from(t.data,`base64`)),process.stderr.write(n.green(`✓ image → ${a}\n`)),l++}else process.stderr.write(n.gray(`[image: ${t.format}, ${t.data.length}b base64]\n`));else if(t.type===`dataframe`){let e=t.columns.map(e=>`${e.name}:${e.dtype}`).join(` | `);process.stderr.write(n.gray(`[dataframe ${t.rows.length}×${t.columns.length}${t.truncated?` (truncated)`:``}]\n`)),process.stderr.write(`${e}\n`);for(let e of t.rows.slice(0,20))process.stderr.write(`${e.map(e=>String(e)).join(` | `)}\n`);t.rows.length>20&&process.stderr.write(n.gray(`… ${t.rows.length-20} more rows\n`))}else t.type===`json`?(process.stderr.write(n.gray(`[json] `)),process.stderr.write(`${JSON.stringify(t.value,null,2)}\n`)):t.type===`html`?process.stderr.write(n.gray(`[html ${t.value.length}b]\n`)):t.type===`error`?(process.stderr.write(n.red(`✗ ${t.name}: ${t.message}\n`)),t.traceback&&process.stderr.write(`${t.traceback}\n`)):t.type===`text`&&process.stderr.write(`${t.value}\n`);c.error&&(process.stderr.write(n.red(`\n✗ ${c.error.name}: ${c.error.message}\n`)),c.error.traceback&&process.stderr.write(`${c.error.traceback}\n`)),c.exitCode!==0&&process.exit(c.exitCode)}catch(e){W(e)}})}function pr(e){return`${e.name} (${e.id})`}async function mr(e,t){if(t.startsWith(`team_`))return e.teams.get(t);let n=(await e.teams.list()).filter(e=>e.name.toLowerCase()===t.toLowerCase());if(n.length===0)throw Error(`Team not found: ${t}`);if(n.length>1)throw Error(`Team name is ambiguous: ${t}. Use a team id instead.`);return n[0]}async function X(e,t,n){if(t)return mr(e,t);let r=Je(n);if(!r.activeTeamId)throw Error("No active team. Run `tangle team switch <team>` or pass `--team <team>`.");return e.teams.get(r.activeTeamId)}function hr(e,t){Ye({id:e.id,name:e.name},t)}function gr(e){Xe(e)}const _r=[{flag:`--git-token`,guidance:`Use --git-token-env <NAME> or --git-token-stdin so the secret never appears in argv (visible to other processes via /proc/<pid>/cmdline) or in shell history.`},{flag:`--storage-secret-access-key`,guidance:`Use --storage-secret-access-key-env <NAME> or --storage-secret-access-key-stdin so the secret never appears in argv (visible to other processes via /proc/<pid>/cmdline) or in shell history.`},{flag:`--backend-api-key`,guidance:`Use --backend-api-key-env <NAME> or --backend-api-key-stdin so the BYOK secret never appears in argv (visible to other processes via /proc/<pid>/cmdline) or in shell history.`}];function vr(e){for(let{flag:t,guidance:n}of _r){let r=`${t}=`;if(e.some(e=>e===t||e.startsWith(r)))throw Error(`Refusing to read secret from ${t} on the command line. ${n}`)}}async function yr(e){let t=typeof e.envVarName==`string`&&e.envVarName.length>0?e.envVarName:null,n=!!e.fromStdin;if(t&&n)throw Error(`Pass either ${e.flagPrefix}-env or ${e.flagPrefix}-stdin, not both`);if(t){let n=process.env[t];if(!n||n.length===0)throw Error(`${e.flagPrefix}-env points at ${t}, but that environment variable is empty or unset`);return n}if(n){let t=await bn();if(t.length===0)throw Error(`${e.flagPrefix}-stdin received empty input on stdin`);return t}}function br(e){let t=e.split(`/`);return t.length>=2?{provider:t[0],model:t.slice(1).join(`/`)}:{model:e}}function xr(){let e=new t(`sandbox`).description(`Manage sandboxes`);return e.command(`create`).description(`Create a new sandbox`).option(`-n, --name <name>`,`Sandbox name`).option(`-e, --environment <environment>`,`Environment name (e.g. universal, node, python)`).option(`-i, --image <image>`,`Alias for --environment (deprecated)`).option(`--bare`,`Create a bare sandbox without the agent runtime`).option(`--ssh`,`Enable SSH access`).option(`--ssh-key <key>`,`SSH public key for authentication`).option(`--ssh-keys <names...>`,`Stored SSH key names or IDs for authentication`).option(`--ssh-key-file <paths...>`,`SSH public key file paths for authentication`).option(`--web-terminal`,`Enable web terminal`).option(`--env <vars...>`,`Environment variables (KEY=VALUE)`).option(`--secret <names...>`,`Secrets to inject as environment variables`).option(`--metadata <entries...>`,`Metadata entries (KEY=VALUE or KEY=JSON)`).option(`--cpu <cores>`,`CPU cores`,`2`).option(`--memory <mb>`,`Memory in MB`,`4096`).option(`--disk <gb>`,`Disk size in GB`,`20`).option(`--accelerator-kind <kind>`,`Accelerator kind, for example nvidia-h100 or amd-mi300x`).option(`--accelerator-count <count>`,`Accelerator device count`,`1`).option(`--accelerator-memory <mb>`,`Minimum accelerator memory in MB`).option(`--lifetime <seconds>`,`Max lifetime in seconds`,`3600`).option(`--idle-timeout <seconds>`,`Idle timeout in seconds`,`900`).option(`--from-snapshot <id>`,`Create the sandbox from a snapshot`).option(`--public-template <id-or-slug>`,`Create the sandbox from a published public template`).option(`--public-template-version <id>`,`Pin creation to a specific published public-template version`).option(`--team <team>`,`Create in a team by id or name`).option(`--personal`,`Create a personal sandbox even when a team is active`).option(`--port <ports...>`,`Ports to expose at creation time`).option(`--git-url <url>`,`Git repository URL to clone during provisioning`).option(`--git-ref <ref>`,`Git branch, tag, or commit to checkout`).option(`--git-depth <depth>`,`Git clone depth`).option(`--git-sparse <paths...>`,`Sparse checkout paths`).option(`--git-token-env <name>`,`Name of an environment variable containing the Git HTTPS auth token`).option(`--git-token-stdin`,`Read the Git HTTPS auth token from stdin`).option(`--git-token <token>`,`[removed] use --git-token-env or --git-token-stdin`).option(`--tool <specs...>`,`Tool versions to preinstall (NAME=VERSION)`).option(`--storage-type <type>`,`BYOS3 storage type (s3, gcs, r2)`).option(`--storage-bucket <name>`,`BYOS3 bucket name`).option(`--storage-endpoint <url>`,`BYOS3 endpoint URL`).option(`--storage-region <region>`,`BYOS3 region`).option(`--storage-prefix <prefix>`,`BYOS3 path prefix`).option(`--storage-access-key-id <id>`,`BYOS3 access key ID`).option(`--storage-secret-access-key-env <name>`,`Name of an environment variable containing the BYOS3 secret access key`).option(`--storage-secret-access-key-stdin`,`Read the BYOS3 secret access key from stdin`).option(`--storage-secret-access-key <key>`,`[removed] use --storage-secret-access-key-env or --storage-secret-access-key-stdin`).option(`--default-role <role>`,`Default permission role (owner, admin, developer, viewer)`).option(`--initial-user <specs...>`,`Initial users (USER_ID or USER_ID:ROLE)`).option(`--multi-user`,`Enable multi-user permissions at creation`).option(`--driver <type>`,`Infrastructure driver (docker, firecracker, host-agent, tangle)`).option(`--driver-criu`,`Enable CRIU checkpointing (firecracker only)`).option(`--driver-region <region>`,`Preferred region for host-agent driver`).option(`--backend <type>`,`Backend agent type (opencode, claude-code, codex, cursor, amp)`).option(`--backend-profile <name>`,`Backend profile name`).option(`--backend-model <model>`,`Model override (format: provider/model)`).option(`--backend-api-key-env <name>`,`Name of an environment variable containing the BYOK backend API key`).option(`--backend-api-key-stdin`,`Read the BYOK backend API key from stdin`).option(`--backend-api-key <key>`,`[removed] use --backend-api-key-env or --backend-api-key-stdin`).option(`--tee <type>`,`Require a TEE backend (any, tdx, nitro, sev-snp, phala-dstack)`).option(`--sealed`,`Request TEE sealed-secret support`).option(`--attestation-nonce <hex|auto>`,`Deploy-time attestation nonce; use auto to generate one`).option(`--attestation-refresh`,`Generate a fresh deploy-time attestation nonce when --tee is set`).option(`--require-attestation`,`Fail unless TEE attestation evidence is returned`).option(`--block-network`,`Block all outbound network traffic`).option(`--allow-list <cidrs>`,`CIDR allowlist for outbound traffic (comma-separated)`).option(`--wait`,`Wait for sandbox to be running`,!0).option(`--timeout <ms>`,`HTTP timeout in milliseconds`,`30000`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{vr(process.argv);let t=await yr({envVarName:e.gitTokenEnv,fromStdin:e.gitTokenStdin,flagPrefix:`--git-token`}),n=await yr({envVarName:e.storageSecretAccessKeyEnv,fromStdin:e.storageSecretAccessKeyStdin,flagPrefix:`--storage-secret-access-key`}),r=await yr({envVarName:e.backendApiKeyEnv,fromStdin:e.backendApiKeyStdin,flagPrefix:`--backend-api-key`}),i=O({apiKey:e.apiKey,baseUrl:e.baseUrl,timeout:e.timeout?Number.parseInt(e.timeout,10):void 0}),a=M(i),o=z(`Creating sandbox...`);o.start();let s=await Ar({client:a,explicitTeam:e.team,personal:e.personal,activeTeamId:i.activeTeamId}),c={};if(e.env)for(let t of e.env){let[e,...n]=t.split(`=`);e&&n.length>0&&(c[e]=n.join(`=`))}let l=e.tool?Cr(e.tool,`--tool`,`tool spec`):void 0,u=e.metadata?wr(e.metadata):void 0,ee=Dr(e,t),ne=Or(e,n),d=kr(e),re=e.port?Er(e.port,`--port`):void 0,ie=e.driver?{type:e.driver,enableCriu:e.driverCriu||void 0,preferredRegion:e.driverRegion}:void 0,ae=e.backend||e.backendProfile||e.backendModel?{type:e.backend??`opencode`,profile:e.backendProfile,model:e.backendModel||r?{...e.backendModel?br(e.backendModel):{},apiKey:r}:void 0}:void 0,oe=e.blockNetwork||e.allowList||re?{blockOutbound:e.blockNetwork||void 0,allowList:e.allowList?e.allowList.split(`,`).map(e=>e.trim()):void 0,ports:re}:void 0,p=[...e.sshKey?[e.sshKey]:[],...(e.sshKeyFile??[]).map(e=>f(e,`utf8`).trim())],se={name:e.name,environment:e.environment??e.image,bare:e.bare||void 0,sshEnabled:e.ssh||!!e.sshKey||p.length>0||!!e.sshKeys?.length,sshPublicKeys:p.length>0?p:void 0,sshKeyIds:e.sshKeys,webTerminalEnabled:e.webTerminal,env:Object.keys(c).length>0?c:void 0,git:ee,tools:l,resources:{cpuCores:Number.parseInt(e.cpu,10),memoryMB:Number.parseInt(e.memory,10),diskGB:Number.parseInt(e.disk,10),accelerator:e.acceleratorKind?{kind:Fr(String(e.acceleratorKind)),count:Ir(String(e.acceleratorCount),`--accelerator-count`),memoryMB:e.acceleratorMemory?Ir(String(e.acceleratorMemory),`--accelerator-memory`):void 0}:void 0},maxLifetimeSeconds:Number.parseInt(e.lifetime,10),idleTimeoutSeconds:Number.parseInt(e.idleTimeout,10),storage:ne,fromSnapshot:e.fromSnapshot,publicTemplateId:e.publicTemplate,publicTemplateVersionId:e.publicTemplateVersion,teamId:s,secrets:e.secret,metadata:u,driver:ie,backend:ae,permissions:d,network:oe},m=e.tee?{tee:e.tee,sealed:e.sealed||void 0,attestationRefresh:e.attestationRefresh||e.attestationNonce===`auto`||void 0}:void 0,h=m?await te(a,{...se,confidential:m,attestationNonce:e.attestationNonce??(e.attestationRefresh?`auto`:void 0),requireAttestation:e.requireAttestation??!0}):void 0,g=h?.sandbox??await a.create(se);e.wait&&(o.text=`Waiting for sandbox to start...`,await g.waitFor(`running`,{timeoutMs:12e4}),await g.refresh()),o.stop(),e.json?F({id:g.id,name:g.name,status:g.status,createdAt:g.createdAt,expiresAt:g.expiresAt,connection:Sr(g.connection),teamId:s,confidential:m,attestation:h?.attestation,attestationNonce:h?.attestationNonce}):(I(`Sandbox created: ${g.id}`),ot({id:g.id,name:g.name,status:g.status,createdAt:g.createdAt?.toISOString(),expiresAt:g.expiresAt?.toISOString(),connection:g.connection}),s&&console.log(`Team: ${s}`),m&&(console.log(`TEE: ${m.tee}`),console.log(`Attestation: ${h?.attestation?`present`:`not returned`}`),h?.attestationNonce&&console.log(`Attestation nonce: ${h.attestationNonce}`)))}catch(e){W(e)}}),e.command(`attestation <id>`).description(`Fetch TEE attestation evidence for a sandbox`).option(`--nonce <hex|auto>`,`Nonce to bind into a fresh attestation report; use auto to generate one`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=M(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=t.nonce===`auto`?ne():t.nonce,i=z(`Fetching TEE attestation...`);i.start();let a=await n.get(e);if(!a)throw Error(`Sandbox not found: ${e}`);let o=await a.getTeeAttestation(r?{attestationNonce:r}:void 0);i.stop(),t.json?F(o):(I(`Attestation fetched for ${e}`),console.log(`TEE type: ${o.attestation.tee_type}`),console.log(`Evidence bytes: ${o.attestation.evidence.length}`),console.log(`Measurement bytes: ${o.attestation.measurement.length}`),console.log(`Timestamp: ${o.attestation.timestamp}`),o.attestationNonce&&console.log(`Nonce: ${o.attestationNonce}`))}catch(e){W(e)}}),e.command(`list`).description(`List all sandboxes`).option(`-s, --status <status>`,`Filter by status (running, stopped, all)`).option(`-l, --limit <n>`,`Limit results`,`50`).option(`--team <team>`,`List sandboxes for a team by id or name`).option(`--personal`,`List personal sandboxes`).option(`--all-scopes`,`List personal and team sandboxes`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=O({apiKey:e.apiKey,baseUrl:e.baseUrl}),n=M(t),r=z(`Fetching sandboxes...`);r.start();let i=await jr({client:n,explicitTeam:e.team,personal:e.personal,allScopes:e.allScopes,activeTeamId:t.activeTeamId}),a=await n.list({status:e.status===`all`?void 0:e.status,limit:Number.parseInt(e.limit,10),scope:i});r.stop(),e.json?F(a):P(a.map(e=>({id:e.id,status:e.status,createdAt:e.createdAt,name:e.name??``})),[{key:`id`,header:`ID`,width:24},{key:`status`,header:`Status`,width:14},{key:`createdAt`,header:`Created`,width:16},{key:`name`,header:`Name`,width:20}])}catch(e){W(e)}}),e.command(`get <id>`).description(`Get sandbox details`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=M(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=z(`Fetching sandbox...`);r.start();let i=await n.get(e);if(r.stop(),!i)throw Error(`Sandbox not found: ${e}`);t.json?F(i):ot({id:i.id,name:i.name,status:i.status,createdAt:i.createdAt?.toISOString(),expiresAt:i.expiresAt?.toISOString(),connection:i.connection})}catch(e){W(e)}}),e.command(`delete <id>`).description(`Delete a sandbox`).option(`-f, --force`,`Skip confirmation`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{if(!t.force){let t=(await import(`node:readline`)).createInterface({input:process.stdin,output:process.stdout});if(!await new Promise(n=>{t.question(`Delete sandbox ${e}? [y/N] `,e=>{t.close(),n(e.toLowerCase()===`y`)})})){R(`Cancelled.`);return}}let n=M(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=z(`Deleting sandbox...`);r.start();let i=await n.get(e);if(!i)throw Error(`Sandbox not found: ${e}`);await i.delete(),r.stop(),I(`Sandbox ${e} deleted.`)}catch(e){W(e)}}),e.command(`stop <id>`).description(`Stop a running sandbox`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=M(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=z(`Stopping sandbox...`);r.start();let i=await n.get(e);if(!i)throw Error(`Sandbox not found: ${e}`);await i.stop(),r.stop(),I(`Sandbox ${e} stopped.`)}catch(e){W(e)}}),e.command(`resume <id>`).description(`Resume a stopped sandbox`).option(`--wait`,`Wait for sandbox to be running`,!0).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=M(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=z(`Resuming sandbox...`);r.start();let i=await n.get(e);if(!i)throw Error(`Sandbox not found: ${e}`);await i.resume(),t.wait&&(r.text=`Waiting for sandbox to start...`,await i.waitFor(`running`,{timeoutMs:12e4})),r.stop(),I(`Sandbox ${e} resumed.`)}catch(e){W(e)}}),e.command(`network <id>`).description(`Update network configuration for a sandbox`).option(`--block-outbound`,`Block all outbound network traffic`).option(`--allow-list <cidrs>`,`CIDR allowlist for outbound traffic (comma-separated)`).option(`--clear`,`Clear all network restrictions (allow all traffic)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=M(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=z(`Updating network configuration...`);r.start();let i=await n.get(e);if(!i)throw Error(`Sandbox not found: ${e}`);if(t.clear)await i.network.update({blockOutbound:!1,allowList:[]});else if(t.blockOutbound)await i.network.update({blockOutbound:!0});else if(t.allowList){let e=t.allowList.split(`,`).map(e=>e.trim());await i.network.update({allowList:e})}else{r.stop();let e=await i.network.getConfig();t.json?F(e):(R(`Network Configuration:`),e.blockOutbound?R(` Block Outbound: true (all outbound traffic blocked)`):e.allowList&&e.allowList.length>0?R(` Allow List: ${e.allowList.join(`, `)}`):R(` No restrictions (all traffic allowed)`),e.ports&&e.ports.length>0&&R(` Exposed Ports: ${e.ports.join(`, `)}`));return}r.stop();let a=await i.network.getConfig();t.json?F(a):(I(`Network configuration updated.`),a.blockOutbound?R(` Block Outbound: true`):a.allowList&&a.allowList.length>0?R(` Allow List: ${a.allowList.join(`, `)}`):R(` All traffic allowed`))}catch(e){W(e)}}),e.command(`expose <id>`).description(`Expose a port and get a public URL`).option(`-p, --port <port>`,`Port to expose`,`8000`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=M(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=Number.parseInt(t.port,10);if(Number.isNaN(r)||r<1||r>65535)throw Error(`Port must be a number between 1 and 65535`);let i=z(`Exposing port ${r}...`);i.start();let a=await n.get(e);if(!a)throw Error(`Sandbox not found: ${e}`);let o=await a.network.exposePort(r);i.stop(),t.json?F({port:r,url:o}):(I(`Port ${r} exposed.`),R(` URL: ${o}`))}catch(e){W(e)}}),e.command(`urls <id>`).description(`List exposed port URLs for a sandbox`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=M(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=z(`Fetching exposed URLs...`);r.start();let i=await n.get(e);if(!i)throw Error(`Sandbox not found: ${e}`);let a=await i.network.listUrls();if(r.stop(),t.json)F(a);else{let e=Object.entries(a);if(e.length===0)R(`No ports exposed.`);else{R(`Exposed Ports:`);for(let[t,n]of e)R(` ${t}: ${n}`)}}}catch(e){W(e)}}),e}function Sr(e){return!e||e.authToken===void 0?e:{...e,authToken:`[REDACTED]`}}function Cr(e,t,n){let r={};for(let i of e){let[e,...a]=i.split(`=`);if(!e||a.length===0)throw Error(`${t} expects ${n} values in KEY=VALUE format`);r[e]=a.join(`=`)}return r}function wr(e){let t={};for(let n of e){let[e,...r]=n.split(`=`);if(!e||r.length===0)throw Error(`--metadata expects values in KEY=VALUE or KEY=JSON format`);t[e]=Tr(r.join(`=`))}return t}function Tr(e){try{return JSON.parse(e)}catch{return e}}function Er(e,t){return e.map(e=>{let n=Number.parseInt(e,10);if(Number.isNaN(n)||n<1||n>65535)throw Error(`${t} values must be integers between 1 and 65535`);return n})}function Dr(e,t){if(!(!e.gitUrl&&!e.gitRef&&!e.gitDepth&&!e.gitSparse&&!t)){if(!e.gitUrl||typeof e.gitUrl!=`string`)throw Error(`--git-url is required when using git provisioning options`);return{url:e.gitUrl,ref:typeof e.gitRef==`string`?e.gitRef:void 0,depth:typeof e.gitDepth==`string`?Ir(e.gitDepth,`--git-depth`):void 0,sparse:Array.isArray(e.gitSparse)?e.gitSparse:void 0,auth:t?{token:t}:void 0}}}function Or(e,t){if(!(!e.storageType&&!e.storageBucket&&!e.storageEndpoint&&!e.storageRegion&&!e.storagePrefix&&!e.storageAccessKeyId&&!t)){if(typeof e.storageType!=`string`||typeof e.storageBucket!=`string`||typeof e.storageAccessKeyId!=`string`||!t)throw Error(`Storage config requires --storage-type, --storage-bucket, --storage-access-key-id, and one of --storage-secret-access-key-env / --storage-secret-access-key-stdin`);return{type:Pr(e.storageType),bucket:e.storageBucket,endpoint:typeof e.storageEndpoint==`string`?e.storageEndpoint:void 0,region:typeof e.storageRegion==`string`?e.storageRegion:void 0,prefix:typeof e.storagePrefix==`string`?e.storagePrefix:void 0,credentials:{accessKeyId:e.storageAccessKeyId,secretAccessKey:t}}}}function kr(e){let t=Array.isArray(e.initialUser)?e.initialUser.map(Mr):void 0,n=typeof e.defaultRole==`string`?Nr(e.defaultRole):void 0,r=e.multiUser?!0:void 0;if(!(!n&&!t&&!r))return{defaultRole:n,initialUsers:t,multiUser:r}}async function Ar(e){if(e.explicitTeam&&e.personal)throw Error(`--team and --personal cannot be used together`);if(!e.personal)return e.explicitTeam?(await mr(e.client,e.explicitTeam)).id:e.activeTeamId}async function jr(e){if([!!e.explicitTeam,!!e.personal,!!e.allScopes].filter(Boolean).length>1)throw Error(`--team, --personal, and --all-scopes are mutually exclusive`);if(e.allScopes)return`all`;if(e.personal)return`personal`;if(e.explicitTeam)return`team:${(await mr(e.client,e.explicitTeam)).id}`;if(e.activeTeamId)return`team:${e.activeTeamId}`}function Mr(e){let[t,n]=e.split(`:`);if(!t)throw Error(`--initial-user expects USER_ID or USER_ID:ROLE`);return{userId:t,role:n?Nr(n):void 0}}function Nr(e){if(e===`owner`||e===`admin`||e===`developer`||e===`viewer`)return e;throw Error(`--default-role and --initial-user roles must be one of owner, admin, developer, viewer`)}function Pr(e){if(e===`s3`||e===`gcs`||e===`r2`)return e;throw Error(`--storage-type must be one of s3, gcs, or r2`)}function Fr(e){let t=e.trim().toLowerCase();if(/^[a-z0-9][a-z0-9._-]*$/.test(t))return t;throw Error(`--accelerator-kind must contain only letters, numbers, dots, underscores, or hyphens`)}function Ir(e,t){let n=Number.parseInt(e,10);if(Number.isNaN(n)||n<1)throw Error(`${t} must be a positive integer`);return n}function Lr(){return new t(`search`).description(`Search for text patterns in sandbox files (ripgrep)`).argument(`<id>`,`Sandbox ID`).argument(`<pattern>`,`Search pattern (regex)`).option(`-g, --glob <pattern>`,`File glob filter (e.g. '**/*.ts')`).option(`-n, --max-results <count>`,`Max results to return`).option(`-i, --ignore-case`,`Case-insensitive search`).option(`--json`,`Output as JSON lines`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=M(O({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=z(`Searching...`);n.json||i.start();let a=await r.get(e);if(!a)throw Error(`Sandbox not found: ${e}`);let o=0,s=n.maxResults?Number.parseInt(n.maxResults,10):void 0,c={};n.glob&&(c.glob=n.glob),n.ignoreCase&&(c.ignoreCase=!0),s&&(c.maxResults=s);for await(let e of a.search(t,c))if(o===0&&i.stop(),o++,n.json?console.log(JSON.stringify(e)):console.log(`${e.path}:${e.line}:${e.column??0}: ${e.text}`),s&&o>=s)break;i.stop(),o===0&&!n.json&&console.log(`No matches found`)}catch(e){W(e)}})}function Rr(){let e=new t(`secret`).description(`Manage secrets`);return e.command(`create`).description(`Create a new secret`).argument(`<name>`,`Secret name (e.g., HF_TOKEN, AWS_ACCESS_KEY)`).argument(`[value]`,`Secret value`).option(`--value-stdin`,`Read secret value from stdin`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=M(O({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=await zr({value:t,valueStdin:n.valueStdin,prompt:`Enter value for secret '${e}': `}),a=z(`Creating secret...`);a.start();let o=await r.secrets.create(e,i);a.stop(),n.json?F({name:o.name,createdAt:o.createdAt.toISOString(),updatedAt:o.updatedAt.toISOString()}):(I(`Secret created: ${o.name}`),R(`Use --secrets ${o.name} when creating a sandbox to inject it as an environment variable.`))}catch(e){W(e)}}),e.command(`list`).description(`List all secrets`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=M(O({apiKey:e.apiKey,baseUrl:e.baseUrl})),n=z(`Fetching secrets...`);n.start();let r=await t.secrets.list();n.stop(),e.json?F(r.map(e=>({name:e.name,createdAt:e.createdAt.toISOString(),updatedAt:e.updatedAt.toISOString()}))):r.length===0?(R(`No secrets found.`),R(`Use 'tangle secret create <name> [value]' to create one.`)):U([`Name`,`Created At`,`Updated At`],r.map(e=>[e.name,e.createdAt.toLocaleString(),e.updatedAt.toLocaleString()]))}catch(e){W(e)}}),e.command(`show`).description(`Show a secret value (requires --reveal to print plaintext)`).argument(`<name>`,`Secret name`).option(`--reveal`,`Print the plaintext secret value to stdout. Without this flag the command exits with a redaction notice.`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{if(!t.reveal){process.stderr.write(`Refusing to print secret '${e}' as plaintext. Re-run with --reveal to confirm and write the value to stdout.
|
|
137
|
-
`),
|
|
138
|
-
`),t.json?F({name:e,value:i}):console.log(i)}catch(e){W(e)}}),e.command(`update`).description(`Update a secret value`).argument(`<name>`,`Secret name`).argument(`[value]`,`New secret value`).option(`--value-stdin`,`Read secret value from stdin`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=M(O({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=await zr({value:t,valueStdin:n.valueStdin,prompt:`Enter new value for secret '${e}': `}),a=z(`Updating secret...`);a.start();let o=await r.secrets.update(e,i);a.stop(),n.json?F({name:o.name,createdAt:o.createdAt.toISOString(),updatedAt:o.updatedAt.toISOString()}):I(`Secret updated: ${o.name}`)}catch(e){W(e)}}),e.command(`delete`).description(`Delete a secret`).argument(`<name>`,`Secret name`).option(`--force`,`Skip confirmation prompt`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=M(O({apiKey:t.apiKey,baseUrl:t.baseUrl}));if(!t.force&&!await q(`Are you sure you want to delete secret '${e}'? This cannot be undone. (y/N) `)){R(`Cancelled.`);return}let r=z(`Deleting secret...`);r.start(),await n.secrets.delete(e),r.stop(),t.json?F({success:!0,deleted:e}):I(`Secret deleted: ${e}`)}catch(e){W(e)}}),e}async function zr(e){if(e.value!==void 0&&e.valueStdin)throw Error(`Provide either a secret value argument or --value-stdin, not both`);if(e.value!==void 0){if(e.value.length===0)throw Error(`Secret value cannot be empty`);return e.value}if(e.valueStdin){let e=await bn();if(e.length===0)throw Error(`Secret value from stdin cannot be empty`);return e}let t=await yn(e.prompt);if(t.length===0)throw Error(`Secret value cannot be empty`);return t}function Br(){let e=new t(`skill`).description(`Print paths to shipped skill documentation`);return e.command(`path`).description(`Print the absolute path to the SKILL.md shipped with this CLI`).action(()=>{let e=p.dirname(he(import.meta.url)),t=p.resolve(e,`..`,`SKILL.md`);console.log(t)}),e}function Vr(){let e=new t(`snapshot`).description(`Manage snapshots`);return e.command(`create <sandbox-id>`).description(`Create a snapshot of a sandbox`).option(`--tags <tags...>`,`Tags for the snapshot`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=M(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=z(`Creating snapshot...`);r.start();let i=await n.get(e);if(!i)throw Error(`Sandbox not found: ${e}`);let a=await i.snapshot({tags:t.tags});r.stop(),t.json?F(a):(I(`Snapshot created: ${a.snapshotId}`),console.log(`Size: ${Hr(a.sizeBytes??0)}`))}catch(e){W(e)}}),e.command(`list <sandbox-id>`).description(`List snapshots for a sandbox`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=M(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=z(`Fetching snapshots...`);r.start();let i=await n.get(e);if(!i)throw Error(`Sandbox not found: ${e}`);let a=await i.listSnapshots();r.stop(),t.json?F(a):P(a.map(e=>({...e,size:Hr(e.sizeBytes??0)})),[{key:`snapshotId`,header:`ID`,width:24},{key:`createdAt`,header:`Created`,width:16},{key:`size`,header:`Size`,width:12},{key:`sandboxId`,header:`Sandbox`,width:20}])}catch(e){W(e)}}),e.command(`restore <sandbox-id> <snapshot-id>`).description(`Create a new sandbox from a snapshot`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=M(O({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=z(`Restoring from snapshot...`);i.start();let a=await r.create({fromSnapshot:t,fromSandboxId:e});await a.waitFor(`running`,{timeoutMs:12e4}),i.stop(),n.json?F({sandboxId:a.id,restoredFrom:t,status:a.status}):(I(`New sandbox created: ${a.id}`),console.log(`Source snapshot: ${t}`))}catch(e){W(e)}}),e.command(`revert <sandbox-id> <snapshot-id>`).description(`Revert an existing sandbox to a snapshot`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=M(O({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=z(`Reverting sandbox to snapshot...`);i.start();let a=await r.get(e);if(!a)throw Error(`Sandbox not found: ${e}`);let o=await a.revertToSnapshot(t);await a.refresh(),i.stop(),n.json?F({sandboxId:a.id,snapshotId:o.snapshotId,status:a.status}):(I(`Sandbox reverted: ${a.id}`),console.log(`Source snapshot: ${o.snapshotId}`))}catch(e){W(e)}}),e.command(`delete <sandbox-id> <snapshot-id>`).description(`Delete a sandbox snapshot`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=M(O({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=z(`Deleting snapshot...`);i.start();let a=await r.get(e);if(!a)throw Error(`Sandbox not found: ${e}`);await a.deleteSnapshot(t),i.stop(),n.json?F({success:!0,sandboxId:e,snapshotId:t}):I(`Snapshot deleted: ${t}`)}catch(e){W(e)}}),e}function Hr(e){if(e===0)return`0 B`;let t=1024,n=[`B`,`KB`,`MB`,`GB`,`TB`],r=Math.floor(Math.log(e)/Math.log(t));return`${Number.parseFloat((e/t**r).toFixed(1))} ${n[r]}`}function Ur(e,t){return`tangle ssh-proxy ${e.replace(/\/+$/,``)}/v1/sidecar-proxy/${t}/ssh`}function Wr(e){return/^[A-Za-z0-9_/:=@%+.,-]+$/.test(e)?e:`'${e.replace(/'/g,`'"'"'`)}'`}function Gr(e){return`'${e.replace(/'/g,`''`)}'`}function Kr(e){return e===`win32`?`NUL`:`/dev/null`}function qr(e,t){return t===`win32`?`$env:TANGLE_SSH_PROXY_AUTH_TOKEN=${Gr(`<token>`)}; ssh ${e.map(Gr).join(` `)}`:`TANGLE_SSH_PROXY_AUTH_TOKEN=${Wr(`<token>`)} ssh ${e.map(Wr).join(` `)}`}function Jr(e){return e instanceof Date?e.toISOString():String(e)}function Yr(e,t){return`Sandbox name is ambiguous: ${e}. Use a sandbox id instead.\n${t.map(e=>`- ${e.id} (status: ${e.status}, created: ${Jr(e.createdAt)})`).join(`
|
|
139
|
-
`)}`}function Xr(e){return e.activeTeamId?`team:${e.activeTeamId}`:void 0}async function Zr(e,t,n){let r=await e.get(n);if(r||n.startsWith(`sandbox-`)){if(!r)throw Error(`Sandbox not found: ${n}`);return r}let i=(await e.list({scope:Xr(t)})).filter(e=>e.name?.toLowerCase()===n.toLowerCase());if(i.length===0)throw Error(`Sandbox not found: ${n}`);if(i.length>1)throw Error(Yr(n,i));return i[0]}async function Qr(e){if(e.status===`stopped`){R(`Sandbox ${e.id} is stopped. Resuming...`);try{await e.resume(),await e.waitFor(`running`,{timeoutMs:12e4})}catch(t){let n=t instanceof Error?t.message:String(t);throw Error(`Failed to resume sandbox ${e.id}: ${n}. Run \`tangle sandbox resume ${e.id}\` and retry SSH.`)}}}function $r(e){return e.connection!==void 0&&!e.connection.ssh}function ei(){L(`SSH is not enabled for this sandbox.`),R(`Create a sandbox with --ssh to enable SSH access.`),process.exit(1)}function ti(e,t=[],n=process.platform){let r=Kr(n);return[`-o`,`ProxyCommand=${e.proxyCommand}`,`-o`,`StrictHostKeyChecking=no`,`-o`,`UserKnownHostsFile=${r}`,`-o`,`GlobalKnownHostsFile=${r}`,`-o`,`LogLevel=ERROR`,`-o`,`ServerAliveInterval=15`,`-o`,`ServerAliveCountMax=4`,`-o`,`TCPKeepAlive=yes`,`${e.username}@localhost`,`-p`,String(e.port),...t]}function ni(){return new t(`ssh`).description(`Open SSH session to a sandbox`).argument(`<ref>`,`Sandbox ID or name`).argument(`[sshArgs...]`,`Extra args passed through to ssh`).option(`-i, --identity-file <path>`,`Private key file to pass to ssh`).option(`--print`,`Print SSH command instead of connecting`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).allowUnknownOption(!0).action(async(e,t,n)=>{try{let r=O({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=M(r),a=z(`Getting SSH credentials...`);a.start();let o=await Zr(i,r,e);if($r(o)){a.stop(),ei();return}await Qr(o);let s=await o.ssh();if(a.stop(),!s){ei();return}let c={...s,proxyCommand:Ur(r.baseUrl,o.id)};if(!r.apiKey)throw Error(`SSH proxy requires API key auth. Set TANGLE_API_KEY or pass --api-key.`);let l=ti(c,[...n.identityFile?[`-i`,n.identityFile]:[],...t]);if(n.print){console.log(qr(l,process.platform));return}R(`Connecting via tunnel...`);let u=ce(`ssh`,l,{stdio:`inherit`,env:{...process.env,TANGLE_SSH_PROXY_AUTH_TOKEN:r.apiKey}});u.on(`error`,e=>{e.code===`ENOENT`&&(L(`SSH client not found. Please install OpenSSH.`),process.exit(1)),W(e)}),u.on(`exit`,e=>{process.exit(e??0)})}catch(e){W(e)}})}function ri(){let e=new t(`ssh-keys`).description(`Manage SSH keys`);return e.command(`list`).description(`List SSH keys`).option(`--json`,`Output as JSON`).action(async e=>{let t=z(`Fetching SSH keys...`);try{t.start();let n=await M(O(e)).sshKeys.list();t.stop(),e.json?F({sshKeys:n}):n.length===0?R(`No SSH keys found.`):U([`Name`,`Type`,`Fingerprint`,`Created`],n.map(e=>[e.name,e.keyType,e.fingerprint,e.createdAt.toLocaleString()]))}catch(e){t.stop(),W(e)}}),e.command(`add`).description(`Add SSH key`).argument(`<name>`,`SSH key name`).requiredOption(`--key-file <path>`,`Public key file path`).option(`--json`,`Output as JSON`).action(async(e,t)=>{let n=z(`Adding SSH key...`);try{let r=f(t.keyFile,`utf8`).trim();n.start();let i=await M(O(t)).sshKeys.create(e,r);n.stop(),t.json?F({sshKey:i}):I(`Added SSH key ${i.name} (${i.fingerprint})`)}catch(e){n.stop(),W(e)}}),e.command(`delete`).description(`Delete SSH key`).argument(`<name>`,`SSH key name or ID`).action(async(e,t)=>{let n=z(`Deleting SSH key...`);try{n.start(),await M(O(t)).sshKeys.delete(e),n.stop(),I(`Deleted SSH key ${e}`)}catch(e){n.stop(),W(e)}}),e}function ii(e,t=1){process.stderr.write(`${e}\n`),process.exit(t)}function ai(){return new t(`ssh-proxy`).description(`SSH proxy helper — pipes stdin/stdout to WebSocket`).argument(`<sidecar-url>`,`Sidecar WebSocket URL`).action(async e=>{let t=process.env.TANGLE_SSH_PROXY_AUTH_TOKEN;t||ii(`TANGLE_SSH_PROXY_AUTH_TOKEN not set`);let n=new ge(new URL(e.replace(/^http/,`ws`)),{headers:{Authorization:`Bearer ${t}`},perMessageDeflate:!1}),r;function i(){r&&=(clearInterval(r),void 0)}n.on(`open`,()=>{r=setInterval(()=>{n.readyState===ge.OPEN&&n.ping()},15e3),r.unref?.(),process.stdin.on(`data`,e=>{n.readyState===ge.OPEN&&n.send(e,{binary:!0,compress:!1})}),process.stdin.on(`end`,()=>n.close(1e3))}),n.on(`message`,e=>{let t=Buffer.isBuffer(e)?e:Array.isArray(e)?Buffer.concat(e):Buffer.from(e);process.stdout.write(t)}),n.on(`error`,e=>{i(),ii(`WebSocket error: ${e.message}`)}),n.on(`close`,e=>{i(),process.exit(e===1e3?0:1)}),process.stdin.on(`error`,()=>n.close())})}function oi(){let e=new t(`team`).description(`Manage teams`);return e.command(`list`).description(`List teams for the current account`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async e=>{try{let t=O(e),n=M(t),r=e.json?null:z(`Fetching teams...`);r?.start();let i=await n.teams.list();if(r?.stop(),e.json){F({teams:i,activeTeamId:t.activeTeamId??null});return}P(i.map(e=>({active:e.id===t.activeTeamId,id:e.id,name:e.name,role:e.currentUserRole,members:e.memberCount})),[{key:`active`,header:`Active`,width:8},{key:`id`,header:`ID`,width:38},{key:`name`,header:`Name`,width:24},{key:`role`,header:`Role`,width:10},{key:`members`,header:`Members`,width:10}])}catch(e){W(e)}}),e.command(`create <name>`).description(`Create a team`).option(`--org-id <id>`,`External organization id`).option(`--no-switch`,`Do not set the new team as active`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=O(t),r=M(n),i=t.json?null:z(`Creating team...`);i?.start();let a=await r.teams.create({name:e,orgId:t.orgId});if(t.switch&&hr(a,n.profile),i?.stop(),t.json){F({team:a,active:!!t.switch});return}I(`Team created: ${pr(a)}`),t.switch&&I(`Active team set to ${a.name}`)}catch(e){W(e)}}),e.command(`switch <team>`).description(`Set the active team for the current profile`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=O(t),r=await mr(M(n),e);if(hr(r,n.profile),t.json){F({team:r,activeTeamId:r.id});return}I(`Active team set to ${pr(r)}`)}catch(e){W(e)}}),e.command(`current`).description(`Show the active team for the current profile`).option(`--json`,`Output as JSON`).option(`--profile <profile>`,`Credential profile`).action(e=>{try{let t=Je(e.profile);if(e.json){F(t.activeTeamId?t:{activeTeamId:null});return}if(!t.activeTeamId){console.log(`No active team.`);return}B({ID:t.activeTeamId,Name:t.activeTeamName})}catch(e){W(e)}}),e.command(`clear`).description(`Clear the active team for the current profile`).option(`--json`,`Output as JSON`).option(`--profile <profile>`,`Credential profile`).action(e=>{try{if(gr(e.profile),e.json){F({activeTeamId:null});return}I(`Active team cleared.`)}catch(e){W(e)}}),e.command(`members [team]`).description(`List team members`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=O(t),r=M(n),i=await X(r,e,n.profile),a=await r.teams.listMembers(i.id);if(t.json){F({team:i,members:a});return}P(a.map(e=>({id:e.id,email:e.customerEmail,role:e.role,status:e.status,joinedAt:e.joinedAt})),[{key:`id`,header:`ID`,width:36},{key:`email`,header:`Email`,width:28},{key:`role`,header:`Role`,width:10},{key:`status`,header:`Status`,width:10},{key:`joinedAt`,header:`Joined`,width:16}])}catch(e){W(e)}}),e.command(`update-member <member-id>`).description(`Update a team member role`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).requiredOption(`--role <role>`,`Role: admin, member, viewer`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=O(t),r=M(n),i=await X(r,t.team,n.profile),a=si(t.role),o=await r.teams.updateMember(i.id,e,{role:a});if(t.json){F({team:i,member:o});return}I(`Member updated: ${o.customerEmail}`),B({Team:i.name,Role:o.role,Status:o.status})}catch(e){W(e)}}),e.command(`invite <email>`).description(`Invite a user to a team`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).option(`--role <role>`,`Role: admin, member, viewer`,`member`).option(`--ttl-hours <hours>`,`Invitation lifetime in hours`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=O(t),r=M(n),i=await X(r,t.team,n.profile),a=si(t.role),o=await r.teams.invite(i.id,{email:e,role:a,ttlHours:t.ttlHours?Number.parseInt(t.ttlHours,10):void 0});if(t.json){F({team:i,invitation:o});return}I(`Invitation created for ${o.email}`),B({Team:i.name,Role:o.role,Expires:o.expiresAt,"Invitation ID":o.id}),I(`Re-run with --json to retrieve the invitation token for sharing.`)}catch(e){W(e)}}),e.command(`leave [team]`).description(`Leave a team as the current user`).option(`--force`,`Skip confirmation prompt`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=O(t),r=M(n),i=await X(r,e,n.profile);if(!t.force&&!t.json&&!await q(`Leave team '${i.name}'? (y/N) `))return;if(await r.teams.leave(i.id),n.activeTeamId===i.id&&gr(n.profile),t.json){F({success:!0,teamId:i.id});return}I(`Left team: ${i.name}`)}catch(e){W(e)}}),e.command(`transfer <new-owner-customer-id> [team]`).description(`Transfer team ownership to another active member`).option(`--force`,`Skip confirmation prompt`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t,n)=>{try{let r=O(n),i=M(r),a=await X(i,t,r.profile);if(!n.force&&!n.json&&!await q(`Transfer ownership of '${a.name}' to ${e}? This cannot be undone without the new owner's cooperation. (y/N) `))return;if(await i.teams.transferOwnership(a.id,e),n.json){F({success:!0,teamId:a.id,newOwnerCustomerId:e});return}I(`Ownership transferred for ${a.name}`)}catch(e){W(e)}}),e.addCommand(ci()),e.addCommand(li()),e.command(`invitations [team]`).description(`List pending and historical team invitations`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=O(t),r=M(n),i=await X(r,e,n.profile),a=await r.teams.listInvitations(i.id);if(t.json){F({team:i,invitations:a});return}P(a.map(e=>({id:e.id,email:e.email,role:e.role,status:e.status,expiresAt:e.expiresAt})),[{key:`id`,header:`ID`,width:38},{key:`email`,header:`Email`,width:28},{key:`role`,header:`Role`,width:10},{key:`status`,header:`Status`,width:12},{key:`expiresAt`,header:`Expires`,width:16}])}catch(e){W(e)}}),e.command(`accept <token>`).description(`Accept a team invitation`).option(`--no-switch`,`Do not set the accepted team as active`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=O(t),r=M(n),i=await r.teams.acceptInvitation(e),a=t.switch===!1?null:await r.teams.get(i.teamId);if(a&&hr(a,n.profile),t.json){F({member:i,activeTeamId:a?.id??null});return}I(`Invitation accepted for team ${i.teamId}`),a&&I(`Active team set to ${a.name}`)}catch(e){W(e)}}),e.command(`revoke-invitation <invitation-id>`).description(`Revoke a pending team invitation`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{if(await M(O(t)).teams.revokeInvitation(e),t.json){F({success:!0,invitationId:e});return}I(`Invitation revoked: ${e}`)}catch(e){W(e)}}),e.command(`remove-member <member-id>`).description(`Remove a member from a team`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=O(t),r=M(n),i=await X(r,t.team,n.profile);if(await r.teams.removeMember(i.id,e),t.json){F({success:!0,teamId:i.id,memberId:e});return}I(`Member removed: ${e}`)}catch(e){W(e)}}),e}function si(e){if(e===`admin`||e===`member`||e===`viewer`)return e;throw Error(`Role must be one of: admin, member, viewer`)}function ci(){let e=new t(`secret`).description(`Manage team secrets`);return e.command(`list [team]`).description(`List team secret names`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=O(t),r=M(n),i=await X(r,e,n.profile),a=await r.teams.listSecrets(i.id);if(t.json){F({team:i,secrets:a});return}P(a.map(e=>({name:e.name,updatedAt:e.updatedAt,updatedBy:e.updatedBy})),[{key:`name`,header:`Name`,width:28},{key:`updatedAt`,header:`Updated`,width:24},{key:`updatedBy`,header:`Updated By`,width:28}])}catch(e){W(e)}}),e.command(`set <name> [value]`).description(`Create or replace a team secret`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).option(`--value-stdin`,`Read secret value from stdin`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t,n)=>{try{let r=O(n),i=M(r),a=await X(i,n.team,r.profile),o=await ui({value:t,valueStdin:n.valueStdin,prompt:`Enter value for team secret '${e}': `}),s=await i.teams.upsertSecret(a.id,e,o);if(n.json){F({team:a,secret:s});return}I(`Team secret saved: ${s.name}`)}catch(e){W(e)}}),e.command(`delete <name>`).description(`Delete a team secret`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).option(`--force`,`Skip confirmation prompt`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=O(t),r=M(n),i=await X(r,t.team,n.profile);if(!t.force&&!t.json&&!await q(`Delete team secret '${e}' from '${i.name}'? (y/N) `))return;if(await r.teams.deleteSecret(i.id,e),t.json){F({success:!0,teamId:i.id,name:e});return}I(`Team secret deleted: ${e}`)}catch(e){W(e)}}),e.command(`reveal <name>`).description(`Reveal a team secret value`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=O(t),r=M(n),i=await X(r,t.team,n.profile),a=await r.teams.revealSecret(i.id,e);if(t.json){F({teamId:i.id,...a});return}console.log(a.value)}catch(e){W(e)}}),e}function li(){let e=new t(`templates`).description(`Manage team golden-path templates`);return e.command(`list [team]`).description(`List a team's golden-path templates`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=O(t),r=M(n),i=await X(r,e,n.profile),a=await r.teams.listTemplates(i.id);if(t.json){F({team:i,templates:a});return}if(a.length===0){console.log(`No templates yet for ${i.name}.`);return}P(a.map(e=>({id:e.id,name:e.name,environment:e.environment,snapshot:`${e.snapshotId.slice(0,12)}…`,updated:e.updatedAt})),[{key:`id`,header:`ID`,width:38},{key:`name`,header:`Name`,width:28},{key:`environment`,header:`Env`,width:14},{key:`snapshot`,header:`Snapshot`,width:16},{key:`updated`,header:`Updated`,width:24}])}catch(e){W(e)}}),e.command(`create <name> <snapshot-id>`).description(`Create a golden-path template from a snapshot`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).option(`-d, --description <description>`,`Human-readable description shown in the dashboard`).option(`-e, --environment <environment>`,`Default environment to apply (defaults to 'universal')`).option(`--config <json>`,`Optional JSON config object merged into sandboxes created from this template`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t,n)=>{try{let r=O(n),i=M(r),a=await X(i,n.team,r.profile),o;if(n.config)try{let e=JSON.parse(n.config);if(typeof e!=`object`||!e||Array.isArray(e))throw Error(`--config must be a JSON object`);o=e}catch(e){throw Error(`--config is not valid JSON: ${e instanceof Error?e.message:String(e)}`)}let s=await i.teams.createTemplate(a.id,{name:e,snapshotId:t,description:n.description,environment:n.environment,config:o});if(n.json){F({team:a,template:s});return}I(`Team template created: ${s.name} (${s.id})`)}catch(e){W(e)}}),e.command(`delete <template-id>`).description(`Delete a team golden-path template`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).option(`--force`,`Skip confirmation prompt`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=O(t),r=M(n),i=await X(r,t.team,n.profile);if(!t.force&&!t.json&&!await q(`Delete template '${e}' from '${i.name}'? (y/N) `))return;if(await r.teams.deleteTemplate(i.id,e),t.json){F({success:!0,teamId:i.id,templateId:e});return}I(`Team template deleted: ${e}`)}catch(e){W(e)}}),e}async function ui(e){if(e.value!==void 0&&e.valueStdin)throw Error(`Provide either a secret value argument or --value-stdin, not both`);if(e.value!==void 0){if(e.value.length===0)throw Error(`Secret value cannot be empty`);return e.value}if(e.valueStdin){let e=await bn();if(e.length===0)throw Error(`Secret value from stdin cannot be empty`);return e}let t=await yn(e.prompt);if(t.length===0)throw Error(`Secret value cannot be empty`);return t}function di(){let e=new t(`template`).description(`Manage published public templates`);return e.command(`list`).option(`-q, --query <query>`,`Search query`).option(`--tag <tag>`,`Filter by tag`).option(`--featured`,`Show featured templates only`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=M(O(e)),n=e.featured?await t.publicTemplates.featured():await t.publicTemplates.list({query:e.query,tag:e.tag});if(e.json){F({templates:n});return}P(n.map(e=>({slug:e.slug,name:e.name,forks:e.forkCount,sandboxes:e.sandboxCount,updated:e.updatedAt})),[{key:`slug`,header:`Slug`,width:28},{key:`name`,header:`Name`,width:28},{key:`forks`,header:`Forks`,width:8},{key:`sandboxes`,header:`Sandboxes`,width:12},{key:`updated`,header:`Updated`,width:24}])}catch(e){W(e)}}),e.command(`get <id-or-slug>`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=await M(O(t)).publicTemplates.get(e);if(t.json){F({template:n});return}F(n)}catch(e){W(e)}}),e.command(`versions <id-or-slug>`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=await M(O(t)).publicTemplates.versions(e);if(t.json){F({versions:n});return}P(n.map(e=>({...e})),[{key:`id`,header:`Version ID`,width:38},{key:`versionNumber`,header:`Version`,width:8},{key:`snapshotId`,header:`Snapshot`,width:20},{key:`createdAt`,header:`Created`,width:24}])}catch(e){W(e)}}),e.command(`publish <name> <snapshot-id> <sandbox-id>`).option(`--slug <slug>`,`Stable public slug`).option(`-d, --description <description>`,`Template description`).option(`--readme <markdown>`,`README markdown`).option(`--tags <tags...>`,`Template tags`).option(`--release-notes <text>`,`Release notes`).option(`--team-id <id>`,`Publish under a team`).option(`--forked-from <id>`,`Fork source template id`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n,r)=>{try{let i=await M(O(r)).publicTemplates.publish({name:e,slug:r.slug,description:r.description,snapshotId:t,sourceSandboxId:n,readmeMarkdown:r.readme,tags:r.tags,releaseNotes:r.releaseNotes,teamId:r.teamId,forkedFromTemplateId:r.forkedFrom});if(r.json){F({template:i});return}I(`Published template: ${i.slug}`)}catch(e){W(e)}}),e.command(`publish-version <id-or-slug> <snapshot-id> <sandbox-id>`).option(`--readme <markdown>`,`README markdown`).option(`--tags <tags...>`,`Template tags`).option(`--release-notes <text>`,`Release notes`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n,r)=>{try{let i=await M(O(r)).publicTemplates.publishVersion(e,{snapshotId:t,sourceSandboxId:n,readmeMarkdown:r.readme,tags:r.tags,releaseNotes:r.releaseNotes});if(r.json){F({version:i});return}I(`Published template version: ${i.id}`)}catch(e){W(e)}}),e}function fi(){let e=new t(`tools`).description(`Manage language runtimes and tools in a sandbox (via mise)`);return e.command(`list`).alias(`ls`).description(`List installed tools in a sandbox`).argument(`<id>`,`Sandbox ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=M(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=z(`Fetching tools...`);t.json||r.start();let i=await n.get(e);if(!i)throw Error(`Sandbox not found: ${e}`);let a=await i.tools.list();r.stop(),t.json?F(a):a.length===0?console.log(`No tools installed`):U([`Tool`,`Version`,`Active`],a.map(e=>[e.name,e.version,e.active?`yes`:`no`]))}catch(e){W(e)}}),e.command(`install`).description(`Install a tool version`).argument(`<id>`,`Sandbox ID`).argument(`<tool>`,`Tool name (e.g. node, python, go)`).argument(`<version>`,`Version to install (e.g. 20, 3.12, latest)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n,r)=>{try{let i=M(O({apiKey:r.apiKey,baseUrl:r.baseUrl})),a=z(`Installing ${t}@${n}...`);r.json||a.start();let o=await i.get(e);if(!o)throw Error(`Sandbox not found: ${e}`);await o.tools.install(t,n),a.stop(),r.json?F({tool:t,version:n,installed:!0}):I(`Installed ${t}@${n}`)}catch(e){W(e)}}),e.command(`use`).description(`Activate a tool version for the current session`).argument(`<id>`,`Sandbox ID`).argument(`<tool>`,`Tool name`).argument(`<version>`,`Version to activate`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n,r)=>{try{let i=await M(O({apiKey:r.apiKey,baseUrl:r.baseUrl})).get(e);if(!i)throw Error(`Sandbox not found: ${e}`);await i.tools.use(t,n),I(`Activated ${t}@${n}`)}catch(e){W(e)}}),e.command(`run`).description(`Run a command with a specific tool`).argument(`<id>`,`Sandbox ID`).argument(`<tool>`,`Tool name`).argument(`<args...>`,`Command arguments`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n,r)=>{try{let i=M(O({apiKey:r.apiKey,baseUrl:r.baseUrl})),a=z(`Running ${t} ${n.join(` `)}...`);r.json||a.start();let o=await i.get(e);if(!o)throw Error(`Sandbox not found: ${e}`);let s=await o.tools.run(t,n);a.stop(),r.json?F(s):(s.stdout&&process.stdout.write(s.stdout),s.stderr&&process.stderr.write(s.stderr),s.exitCode!==0&&process.exit(s.exitCode))}catch(e){W(e)}}),e}function pi(){let e=new t(`traces`).description(`Read hosted agent traces, spans, and eval-runs from Tangle Intelligence`);return e.command(`list`).description(`List trace summaries (one row per trace), newest first`).option(`--from <iso>`,`ISO-8601 lower bound on received time (inclusive)`).option(`--to <iso>`,`ISO-8601 upper bound on received time (inclusive)`).option(`--model <model>`,`Exact model match (any span carried this model)`).option(`--run <runId>`,`Exact run id match`).option(`--status <status>`,`ERROR | OK`).option(`-q, --query <text>`,`Substring over span name`).option(`--cursor <cursor>`,`Opaque pagination cursor from a prior page`).option(`--limit <count>`,`Page size (clamped server-side to [1, 200])`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`Intelligence API base URL`).action(async e=>{try{let t={from:e.from,to:e.to,model:e.model,runId:e.run,status:e.status===void 0?void 0:wi(e.status),q:e.query,cursor:e.cursor,limit:e.limit===void 0?void 0:ki(e.limit)},n=hi(e),r=e.json?null:z(`Fetching traces...`);r?.start();let i=await n.listTraces(t);if(r?.stop(),e.json)return F(i);vi(i.items),Si(i.nextCursor)}catch(t){_i(t,e)}}),e.command(`get <traceId>`).description(`Show one trace's spans. Streams NDJSON to stdout with --ndjson.`).option(`--ndjson`,`Stream the full span set as NDJSON to stdout`).option(`--cursor <cursor>`,`Opaque pagination cursor from a prior page`).option(`--limit <count>`,`Spans per page`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`Intelligence API base URL`).action(async(e,t)=>{try{let n=hi(t);if(t.ndjson){await gi(n,e);return}let r=t.json?null:z(`Fetching trace spans...`);r?.start();let i=await n.getTraceSpans(e,{cursor:t.cursor,limit:t.limit===void 0?void 0:ki(t.limit)});if(r?.stop(),t.json)return F(i);yi(i.items),i.truncated&&B({Spans:`${i.items.length} of ${i.total} (truncated)`}),Si(i.nextCursor)}catch(e){_i(e,t)}}),e.addCommand(mi()),e}function mi(){let e=new t(`runs`).description(`Read eval-runs pivoted off the trace surface`);return e.command(`list`).description(`List eval-runs, newest first`).option(`--status <status>`,`Run status filter`).option(`--gate <decision>`,`Promotion-gate decision filter`).option(`--label <key:value>`,`Match over the run's labels`).option(`--from <iso>`,`ISO-8601 lower bound on received time`).option(`--to <iso>`,`ISO-8601 upper bound on received time`).option(`-q, --query <text>`,`Substring over run dir`).option(`--cursor <cursor>`,`Opaque pagination cursor from a prior page`).option(`--limit <count>`,`Page size`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`Intelligence API base URL`).action(async e=>{try{let t={status:e.status===void 0?void 0:Ei(e.status),gate:e.gate===void 0?void 0:Oi(e.gate),label:e.label,from:e.from,to:e.to,q:e.query,cursor:e.cursor,limit:e.limit===void 0?void 0:ki(e.limit)},n=hi(e),r=e.json?null:z(`Fetching runs...`);r?.start();let i=await n.listRuns(t);if(r?.stop(),e.json)return F(i);bi(i.items),Si(i.nextCursor)}catch(t){_i(t,e)}}),e.command(`get <runId>`).description(`Show a single eval-run`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`Intelligence API base URL`).action(async(e,t)=>{try{let n=hi(t),r=t.json?null:z(`Fetching run...`);r?.start();let i=await n.getRun(e);if(r?.stop(),t.json)return F(i);xi(i)}catch(e){_i(e,t)}}),e}function hi(e){let t=E(e.apiKey);if(!t)throw Error(`No API key found. Set TANGLE_API_KEY or run: tangle auth login`);return _e({apiKey:t,baseUrl:e.baseUrl??process.env.TANGLE_INTELLIGENCE_BASE_URL})}async function gi(e,t){let n=(await e.exportTraceSpansNdjson(t)).getReader();try{for(;;){let{value:e,done:t}=await n.read();if(t)break;e&&process.stdout.write(Buffer.from(e))}}finally{n.releaseLock()}}function _i(e,t){return W(e,t.json===!0)}function vi(e){P(e.map(e=>({traceId:e.traceId,root:e.rootName??`-`,model:e.model??`-`,spans:e.spanCount,errors:e.errorCount,durationMs:e.durationMs,cost:Ci(e.costUsd)})),[{key:`traceId`,header:`Trace`,width:36},{key:`root`,header:`Root`,width:24},{key:`model`,header:`Model`,width:22},{key:`spans`,header:`Spans`,width:8},{key:`errors`,header:`Errors`,width:8},{key:`durationMs`,header:`Duration(ms)`,width:14},{key:`cost`,header:`Cost`,width:10}])}function yi(e){P(e.map(e=>({spanId:e.id,name:e.name,model:e.model??`-`,status:e.statusCode??`-`,cost:e.costUsd===null?`-`:`$${e.costUsd}`})),[{key:`spanId`,header:`Span`,width:40},{key:`name`,header:`Name`,width:28},{key:`model`,header:`Model`,width:22},{key:`status`,header:`Status`,width:10},{key:`cost`,header:`Cost`,width:12}])}function bi(e){P(e.map(e=>({runId:e.id,status:e.status,gate:e.gateDecision??`-`,cost:e.totalCostUsd===null?`-`:`$${e.totalCostUsd}`,receivedAt:e.receivedAt})),[{key:`runId`,header:`Run`,width:24},{key:`status`,header:`Status`,width:22},{key:`gate`,header:`Gate`,width:18},{key:`cost`,header:`Cost`,width:12},{key:`receivedAt`,header:`Received`,width:18}])}function xi(e){B({Run:e.id,Status:e.status,Gate:e.gateDecision??void 0,"Run Dir":e.runDir??void 0,Cost:e.totalCostUsd===null?void 0:`$${e.totalCostUsd}`,Duration:e.totalDurationMs===null?void 0:`${e.totalDurationMs}ms`,"Holdout Lift":e.holdoutLift??void 0,Received:e.receivedAt})}function Si(e){e&&B({"Next page":`--cursor ${e}`})}function Ci(e){return e===null?`-`:`$${e.toFixed(4)}`}function wi(e){if(e===`ERROR`||e===`OK`)return e;throw Error(`--status must be ERROR or OK`)}const Ti=[`started`,`baseline-complete`,`generation-complete`,`gate-decided`,`finished`,`errored`];function Ei(e){let t=Ti.find(t=>t===e);if(t)return t;throw Error(`--status must be one of ${Ti.join(`, `)}`)}const Di=[`ship`,`hold`,`need_more_work`,`model_ceiling`,`arch_ceiling`];function Oi(e){let t=Di.find(t=>t===e);if(t)return t;throw Error(`--gate must be one of ${Di.join(`, `)}`)}function ki(e){let t=Number(e);if(!Number.isInteger(t)||t<1)throw Error(`--limit must be a positive integer`);return t}function Ai(){return new t(`usage`).description(`Show account usage and billing information`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=M(O({apiKey:e.apiKey,baseUrl:e.baseUrl})),n=e.json?null:z(`Fetching usage...`);n?.start();let[r,i]=await Promise.all([t.usage(),t.subscription().catch(()=>null)]);n?.stop(),e.json?F({...r,subscription:i}):(console.log(),console.log(`Account Usage`),console.log(`─`.repeat(40)),B({"Active Sandboxes":r.activeSandboxes,"Total Sandboxes":r.totalSandboxes,"Compute Minutes":ji(r.computeMinutes)}),i&&(console.log(),console.log(`Subscription`),console.log(`─`.repeat(40)),B({Plan:i.plan,Status:i.status,"Credits Available":Mi(i.creditsAvailableUsd),"Credits Used":Mi(i.creditsUsedUsd),"Monthly Balance":Mi(i.monthlyBalanceUsd)})),console.log(),console.log(`Billing Period`),console.log(`─`.repeat(40)),B({Start:r.periodStart.toLocaleDateString(),End:r.periodEnd.toLocaleDateString()}),console.log())}catch(e){W(e)}})}function ji(e){if(e===void 0)return`-`;if(e<60)return`${e} min`;let t=Math.floor(e/60),n=e%60;return n===0?`${t} hr`:`${t} hr ${n} min`}function Mi(e){return e<0?`-$${(-e).toFixed(2)}`:`$${e.toFixed(2)}`}function Ni(){let e=new t(`workflows`).description(`Create and manage Tangle workflows`);return e.option(`--json`,`Output as JSON`),e.hook(`preAction`,(e,t)=>{Fi(t)}),e.command(`list`).description(`List your workflows`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=await Z(e).workflows.list();if(e.json)return F(t);Li(t)}catch(t){Q(t,e)}}),e.command(`get`).description(`Show a workflow's definition and compiled triggers`).argument(`<id>`,`Workflow ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=await Z(t).workflows.get(e);if(t.json)return F(n);Ri(n)}catch(e){Q(e,t)}}),e.command(`create`).description(`Create a workflow from a YAML file`).argument(`<file>`,`Path to the workflow YAML`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=Pi(e),r=await Z(t).workflows.create(n);if(t.json)return F(r);R(`Created workflow ${r.id} (${r.name}).`),Ri(r)}catch(e){Q(e,t)}}),e.command(`update`).description(`Replace a workflow's definition from a YAML file`).argument(`<id>`,`Workflow ID`).argument(`<file>`,`Path to the workflow YAML`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=Pi(t),i=await Z(n).workflows.update(e,r);if(n.json)return F(i);R(`Updated workflow ${i.id} (${i.name}).`),Ri(i)}catch(e){Q(e,n)}}),e.command(`delete`).description(`Delete a workflow and its triggers`).argument(`<id>`,`Workflow ID`).option(`--force`,`Skip confirmation prompt`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{if(!t.force&&!await q(`Delete workflow ${e}? `)){R(`Delete cancelled.`);return}if(await Z(t).workflows.delete(e),t.json)return F({deleted:!0,id:e});R(`Deleted workflow ${e}.`)}catch(e){Q(e,t)}}),e.command(`validate`).description(`Validate a workflow YAML file without saving it`).argument(`<file>`,`Path to the workflow YAML`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=Pi(e),r=await Z(t).workflows.validate(n);if(t.json)return F(r);if(r.valid)R(`Valid: ${r.name} (${r.actionCount} action(s), ${r.triggerCount} trigger(s)).`);else{R(`Invalid workflow:`);for(let e of r.errors)console.log(` ${e.path}: ${e.message}`);process.exitCode=1}}catch(e){Q(e,t)}}),e.command(`schema`).description(`Print the JSON Schema for the workflow YAML`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{F(await Z(e).workflows.schema())}catch(t){Q(t,e)}}),e}function Pi(e){try{return f(e,`utf8`)}catch(t){throw Error(`Could not read workflow file "${e}": ${t instanceof Error?t.message:String(t)}`)}}function Z(e){let t=O({apiKey:E(e.apiKey),baseUrl:e.baseUrl??qe(process.env.TANGLE_HUB_URL)});return new le({baseUrl:t.baseUrl,apiKey:t.apiKey})}function Fi(e){if(!Ii(e,`json`)||e.getOptionValue(`json`)!==void 0)return;let t=e.parent;for(;t;){let n=t.getOptionValue(`json`);if(n!==void 0){e.setOptionValue(`json`,n);return}t=t.parent}}function Ii(e,t){return e.options.some(e=>e.attributeName()===t)}function Q(e,t){return W(e,t.json===!0)}function Li(e){P(e.map(e=>({id:e.id,name:e.name,enabled:e.enabled?`yes`:`no`,issues:e.validationErrors.length,updated:e.updatedAt})),[{key:`id`,header:`ID`},{key:`name`,header:`Name`},{key:`enabled`,header:`Enabled`},{key:`issues`,header:`Issues`},{key:`updated`,header:`Updated`}])}function Ri(e){if(B({ID:e.id,Name:e.name,Description:e.description??``,Enabled:e.enabled?`yes`:`no`,Actions:e.actions.length}),e.triggers&&e.triggers.length>0&&(R(`Triggers`),zi(e.triggers)),e.validationErrors.length>0){R(`Validation issues`);for(let t of e.validationErrors)console.log(` ${t.path}: ${t.message}`)}}function zi(e){P(e.map(e=>({id:e.id,kind:e.kind,enabled:e.enabled?`yes`:`no`,detail:e.kind===`schedule`?`${e.cron??``} (${e.timezone??``})`:`${e.provider??``}:${e.eventFilter?.event??``}${e.eventFilter?.action?`.${e.eventFilter.action}`:``}`})),[{key:`id`,header:`ID`},{key:`kind`,header:`Kind`},{key:`enabled`,header:`Enabled`},{key:`detail`,header:`Detail`}])}function Bi(e){let t={...Vi(e)??{},...e.optsWithGlobals()};for(let n of e.options){let r=n.attributeName();e.getOptionValue(r)===void 0&&t[r]!==void 0&&e.setOptionValue(r,t[r])}}function Vi(e){let t=e;for(;t?.parent;)t=t.parent;return t?t.opts():void 0}const Hi=e(import.meta.url)(`../package.json`),$=new t;$.name(`tangle`).description(`CLI for Tangle Sandbox operations`).version(Hi.version??`0.0.0`).option(`--api-key <key>`,`API key (or set TANGLE_API_KEY)`).option(`--base-url <url>`,`API base URL`),$.hook(`preAction`,(e,t)=>{Bi(t)}),$.addCommand(Bt()),$.addCommand(xr()),$.addCommand(Rr()),$.addCommand(nr()),$.addCommand(nn()),$.addCommand(ni()),$.addCommand(ri()),$.addCommand(ai()),$.addCommand(St()),$.addCommand(Vr()),$.addCommand(an()),$.addCommand(Ai()),$.addCommand(oi()),$.addCommand(di()),$.addCommand(ir()),$.addCommand(qt()),$.addCommand($t()),$.addCommand(or()),$.addCommand(hn()),$.addCommand(vn()),$.addCommand(xn()),$.addCommand(Ni()),$.addCommand(tn()),$.addCommand(fi()),$.addCommand(Lr()),$.addCommand(Br()),$.addCommand(en()),$.addCommand(ar()),$.addCommand(Un()),$.addCommand(fr()),$.addCommand(rr()),$.addCommand(pi()),$.parseAsync(process.argv).catch(e=>{console.error(`Fatal error:`,e.message),process.exit(1)});export{};
|
|
133
|
+
</html>`}const hn=15*6e4;function gn(e){return Number.isFinite(e)&&e>0?e:hn}async function _n(e){let t=e.timeoutMs??hn,n=Date.now(),r=await vn({baseUrl:e.baseUrl,timeoutMs:t,provider:e.provider});for(e.onInstructions?.({userCode:r.user_code,verificationUrl:r.verification_uri,verificationUrlComplete:r.verification_uri_complete,expiresIn:r.expires_in,intervalSeconds:r.interval});;){if(Date.now()-n>t)throw new oe(t,`Timed out waiting for device authorization to complete`);let i=await yn({baseUrl:e.baseUrl,deviceCode:r.device_code,timeoutMs:t});if(i.status===`approved`)return i.data;let a=i.intervalSeconds*1e3;await new Promise(e=>setTimeout(e,a))}}async function vn(e){let t=gn(e.timeoutMs),n=await fetch(`${bn(e.baseUrl)}/auth/cli/device/start`,{method:`POST`,headers:{Accept:`application/json`,"Content-Type":`application/json`},body:JSON.stringify(e.provider?{provider:e.provider}:{}),signal:AbortSignal.timeout(t)}).catch(t=>{throw new m(`Failed to reach ${e.baseUrl}`,t instanceof Error?t:void 0)}),r=await n.json().catch(()=>null);if(!n.ok||!r?.success||!r.data?.device_code)throw Error(r?.error?.message||`Failed to start device login`);return r.data}async function yn(e){let t=gn(e.timeoutMs),n=await fetch(`${bn(e.baseUrl)}/auth/cli/device/poll`,{method:`POST`,headers:{Accept:`application/json`,"Content-Type":`application/json`},body:JSON.stringify({device_code:e.deviceCode}),signal:AbortSignal.timeout(t)}).catch(t=>{throw new m(`Failed to reach ${e.baseUrl}`,t instanceof Error?t:void 0)}),r=await n.json().catch(()=>null);if(n.status===428&&r?.error?.code===`AUTHORIZATION_PENDING`)return{status:`pending`,intervalSeconds:typeof r.data?.interval==`number`&&r.data.interval>0?r.data.interval:5};if(!n.ok||!r?.success||!r.data?.api_key||!r.data.email)throw Error(r?.error?.message||`Failed to complete device authorization`);return{status:`approved`,data:{apiKey:r.data.api_key,email:r.data.email,name:r.data.name,tier:r.data.tier}}}function bn(e){return e.replace(/\/$/,``)}function xn(){let e=new t(`auth`).description(`Manage authentication`);e.command(`login`).description(`Authenticate with browser login or an API key`).option(`--api-key <key>`,`API key`).option(`--no-browser`,`Use device-code login instead of opening a browser`).option(`--profile <name>`,`Profile name`).option(`--provider <provider>`,`Identity provider (github, google, microsoft)`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=e.apiKey,n=T(e.profile),r=Dn(e.provider),i=D(e.baseUrl,n),a=e.browser!==!1;if(!t){if(a){let a=L(`Starting browser login...`);a.start();let o=await cn({baseUrl:i,provider:r,onLoginUrl:({loginUrl:e,browserOpened:t})=>{a.stop(),I(t?`Browser login opened.`:`Open this URL to continue browser login:`),console.log(e)}}).finally(()=>{a.stop()});t=o.apiKey,wn({profile:n,apiKey:t,baseUrl:e.baseUrl?i:void 0}),Et(),P(`Authenticated`),R({Profile:n,Email:o.email,Tier:o.tier,"Base URL":i}),I(Tn);return}let o=L(`Starting device login...`);o.start();let s=await _n({baseUrl:i,provider:r,onInstructions:({userCode:e,verificationUrl:t,verificationUrlComplete:n})=>{o.stop(),I(`Complete login in a browser on any device:`),R({"Verification URL":t,"Verification URL (prefilled)":n,"Device Code":e})}}).finally(()=>{o.stop()});t=s.apiKey,wn({profile:n,apiKey:t,baseUrl:e.baseUrl?i:void 0}),Et(),P(`Authenticated`),R({Profile:n,Email:s.email,Tier:s.tier,"Base URL":i}),I(Tn);return}t||(F(`No API key provided.`),process.exit(1)),at(t)||(F(`Invalid API key format. Keys should start with 'sk_' or 'sk-tan-'.`),process.exit(1));let o=L(`Validating credentials...`);o.start();let s=await rn({apiKey:t,baseUrl:i});o.stop(),wn({profile:n,apiKey:t,baseUrl:e.baseUrl?i:void 0}),Et(),P(`Authenticated`),R({Profile:n,Email:s.email,Tier:s.tier,"Base URL":i}),I(Tn)}catch(e){H(e)}}),e.command(`logout`).description(`Remove stored credentials`).option(`--profile <name>`,`Profile name`).action(e=>{try{let t=T(e.profile);ht(t),Et(),P(`Logged out successfully.`),I(`Credentials removed for profile '${t}'.`)}catch(e){H(e)}}),e.command(`status`).description(`Show current authentication status`).option(`--json`,`Output as JSON`).option(`--profile <name>`,`Profile name`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=T(e.profile),n=E(e.apiKey,t),r=D(e.baseUrl,t),i=gt(e.apiKey,t);if(!n){if(e.json){N({authenticated:!1,reason:`missing_credentials`,profile:t,baseUrl:r,credentialSource:null});return}F(`Not authenticated`),I(`Run 'tangle auth login --profile ${t}' to authenticate.`),process.exit(1)}let a=e.json?null:L(`Checking credentials...`);a?.start();try{let o=await rn({apiKey:n,baseUrl:r});if(a?.stop(),e.json){N({authenticated:!0,profile:t,baseUrl:r,credentialSource:i,account:o});return}P(`Authenticated`),R({Profile:t,"API Key":Sn(n),"Base URL":r,Source:Cn(i),Email:o.email,Tier:o.tier})}catch(o){a?.stop(),e.json&&(N({authenticated:!1,profile:t,baseUrl:r,credentialSource:i,error:o instanceof Error?o.message:String(o)}),process.exit(1)),o instanceof re?F(`Stored credentials are invalid.`):Nt(`Stored credentials found, but validation could not complete.`),R({Profile:t,"API Key":Sn(n),"Base URL":r,Source:Cn(i),Error:o instanceof Error?o.message:String(o)}),process.exit(1)}}catch(e){H(e)}});let n=new t(`profiles`).description(`Manage CLI profiles`);return n.command(`list`).description(`List configured profiles`).option(`--json`,`Output as JSON`).action(e=>{try{let t=ft();if(e.json){N(t);return}if(t.length===0){I(`No profiles found.`);return}V([`Profile`,`Active`,`Base URL`,`Credentials`,`Source`],t.map(e=>[e.name,e.active?`yes`:`no`,e.baseUrl,e.hasApiKey?`configured`:`none`,e.apiKeySource]))}catch(e){H(e)}}),n.command(`use <name>`).description(`Set the active profile`).action(e=>{try{st(e);let t=pt(e);P(`Active profile set to '${t.name}'.`),R({"Base URL":t.baseUrl,Credentials:t.credentialSource===`none`?`missing`:`configured`})}catch(e){H(e)}}),n.command(`current`).description(`Show the active profile`).option(`--json`,`Output as JSON`).action(e=>{try{let t=pt();if(e.json){N(t);return}R({Profile:t.name,"Base URL":t.baseUrl,Credentials:t.credentialSource===`none`?`missing`:`configured`,Source:Cn(t.credentialSource)})}catch(e){H(e)}}),e.addCommand(n),e}function Sn(e){return e.length<=14?e:`${e.slice(0,10)}...${e.slice(-4)}`}function Cn(e){switch(e){case`flag`:return`command flag`;case`env`:return`environment`;case`keychain`:return`OS keychain`;case`file`:return`credentials file`;case`legacy-file`:return`legacy credentials file`;default:return`unknown`}}function wn(e){let t=mt(e.profile,{apiKey:e.apiKey,...e.baseUrl?{baseUrl:e.baseUrl}:{}});st(e.profile),w({...e.baseUrl&&e.profile===`default`?{baseUrl:e.baseUrl}:{}}),Tn=En(e.profile,t)}let Tn=`Credentials updated.`;function En(e,t){return t===`keychain`?e===`default`?`API key saved to the OS keychain for the default profile`:`API key saved to the OS keychain for profile '${e}'`:t===`file`?e===`default`?`API key saved to ~/.tangle/credentials.json for the default profile`:`API key saved to ~/.tangle/credentials.json for profile '${e}'`:`Profile '${e}' updated.`}function Dn(e){if(e===void 0||e===`github`||e===`google`||e===`microsoft`)return e;throw Error(`--provider must be one of: github, google, microsoft`)}function On(){let e=new t(`backend`).description(`Manage sandbox AI agent backend`);return e.command(`status <sandboxId>`).description(`Get backend agent status`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=j(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=L(`Fetching backend status...`);r.start();let i=await n.get(e);if(!i)throw r.stop(),Error(`Sandbox ${e} not found`);let a=await i.backend.status();r.stop(),t.json?N(a):(I(`Backend Type: ${a.type}`),I(`Status: ${a.status}`),a.version&&I(`Version: ${a.version}`),a.error&&I(`Error: ${a.error}`),a.metadata&&I(`Metadata: ${JSON.stringify(a.metadata,null,2)}`))}catch(e){H(e)}}),e.command(`capabilities <sandboxId>`).description(`Get backend capabilities`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=j(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=L(`Fetching capabilities...`);r.start();let i=await n.get(e);if(!i)throw r.stop(),Error(`Sandbox ${e} not found`);let a=await i.backend.capabilities();r.stop(),t.json?N(a):(I(`Backend Capabilities:`),I(` Streaming: ${a.streaming?`✓`:`✗`}`),I(` Tool Use: ${a.toolUse?`✓`:`✗`}`),I(` Reasoning: ${a.reasoning?`✓`:`✗`}`),I(` Multimodal: ${a.multimodal?`✓`:`✗`}`),I(` Context Window: ${a.contextWindow.toLocaleString()} tokens`))}catch(e){H(e)}}),e.command(`configure <sandboxId>`).description(`Update backend configuration`).option(`--model <model>`,`Model string (format: provider/model)`).option(`--max-thinking-tokens <n>`,`Maximum thinking tokens`).option(`--profile <name>`,`Backend profile name`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=j(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=L(`Updating backend config...`);r.start();let i=await n.get(e);if(!i)throw r.stop(),Error(`Sandbox ${e} not found`);let a={};if(t.profile&&(a.profile=t.profile),t.model||t.maxThinkingTokens){if(a.model={},t.model){let e=t.model.split(`/`);e.length>=2?(a.model.provider=e[0],a.model.model=e.slice(1).join(`/`)):a.model.model=t.model}t.maxThinkingTokens&&(a.model.maxThinkingTokens=Number.parseInt(t.maxThinkingTokens,10))}await i.backend.updateConfig(a),r.stop(),P(`Backend configuration updated`),t.json&&N(a)}catch(e){H(e)}}),e.command(`add-mcp <sandboxId>`).description(`Add an MCP server to the backend`).requiredOption(`--name <name>`,`MCP server name`).requiredOption(`--command <cmd>`,`Command to run (e.g., npx)`).option(`--args <args...>`,`Command arguments`).option(`--env <vars...>`,`Environment variables (KEY=VALUE)`).option(`--cwd <dir>`,`Working directory`).option(`--url <url>`,`Remote MCP server URL (for SSE)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=j(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=L(`Adding MCP server...`);r.start();let i=await n.get(e);if(!i)throw r.stop(),Error(`Sandbox ${e} not found`);let a={};if(t.env)for(let e of t.env){let[t,...n]=e.split(`=`);t&&n.length>0&&(a[t]=n.join(`=`))}await i.backend.addMcp(t.name,{command:t.command,args:t.args,env:Object.keys(a).length>0?a:void 0,cwd:t.cwd,url:t.url}),r.stop(),P(`MCP server "${t.name}" added`),t.json&&N({name:t.name,command:t.command,args:t.args,env:Object.keys(a).length>0?a:void 0,cwd:t.cwd,url:t.url})}catch(e){H(e)}}),e.command(`mcp-status <sandboxId>`).description(`Get status of MCP servers`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=j(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=L(`Fetching MCP status...`);r.start();let i=await n.get(e);if(!i)throw r.stop(),Error(`Sandbox ${e} not found`);let a=await i.backend.getMcpStatus();if(r.stop(),t.json)N(a);else{let e=Object.entries(a);e.length===0?I(`No MCP servers configured`):M(e.map(([e,t])=>{let n=t;return{name:e,status:n.status,error:n.error??``}}),[{key:`name`,header:`Name`,width:24},{key:`status`,header:`Status`,width:12},{key:`error`,header:`Error`,width:40}])}}catch(e){H(e)}}),e.command(`restart <sandboxId>`).description(`Restart the backend agent`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=j(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=L(`Restarting backend...`);r.start();let i=await n.get(e);if(!i)throw r.stop(),Error(`Sandbox ${e} not found`);await i.backend.restart(),r.stop(),P(`Backend restarted`)}catch(e){H(e)}}),e}function kn(e){let t=e.indexOf(`=`);if(t<=0)throw Error(`Invalid --task "${e}": expected format id=message (e.g. t1=summarize README)`);let n=e.slice(0,t).trim(),r=e.slice(t+1).trim();if(!n||!r)throw Error(`Invalid --task "${e}": id and message must be non-empty`);return{id:n,message:r}}function An(e){let t;try{t=JSON.parse(e)}catch(e){throw Error(`--tasks file is not valid JSON: ${e.message}`)}let n=Array.isArray(t)?t:t?.tasks;if(!Array.isArray(n))throw Error(`--tasks file must contain an array or an object with a "tasks" array`);return n.map((e,t)=>{if(!e||typeof e!=`object`)throw Error(`--tasks[${t}] must be an object`);let n=e,r=typeof n.id==`string`?n.id.trim():``,i=typeof n.message==`string`?n.message:``;if(!r)throw Error(`--tasks[${t}].id must be a non-empty string`);if(!i.trim())throw Error(`--tasks[${t}].message must be a non-empty string`);let a={id:r,message:i};return n.context&&typeof n.context==`object`&&(a.context=n.context),typeof n.timeoutMs==`number`&&n.timeoutMs>0&&(a.timeoutMs=n.timeoutMs),a})}function jn(e){let t=e.readFile??(e=>c(e,`utf8`)),n=[];e.file&&n.push(...An(t(e.file)));for(let t of e.inline??[])n.push(kn(t));if(n.length===0)throw Error(`No tasks provided. Use --tasks <file> and/or --task id=message.`);let r=new Set;for(let e of n){if(r.has(e.id))throw Error(`Duplicate task id: ${e.id}`);r.add(e.id)}return n}function Mn(e){if(e!==`fastest`&&e!==`balanced`&&e!==`cheapest`)throw Error(`--scaling must be one of: fastest, balanced, cheapest (got "${e}")`);return e}function Nn(e){let t=e.trim(),n=t.indexOf(`/`);if(n<=0||n===t.length-1)throw Error(`--model must be in the form provider/model (got "${e}")`);return{provider:t.slice(0,n),model:t.slice(n+1)}}function Pn(){let e=new t(`batch`).description(`Run multiple agent tasks in parallel across sandboxes`);return e.command(`run`).description(`Execute a batch of tasks. Provide tasks via --tasks <file.json> and/or repeated --task id=message flags.`).option(`--tasks <file>`,`Path to a JSON file with an array of tasks (or {tasks: [...]})`).option(`--task <id=message>`,`Inline task, id=message. Repeatable.`,(e,t=[])=>[...t,e],[]).option(`--stream`,`Stream per-task events as they arrive`).option(`-t, --timeout <ms>`,`Total batch timeout in milliseconds`,`300000`).option(`--scaling <mode>`,`Scaling mode: fastest | balanced | cheapest`,`balanced`).option(`--persistent`,`Keep sandboxes alive after completion`,!1).option(`--model <provider/model>`,`Model override, e.g. anthropic/claude-sonnet-4-5-20250929`).option(`--profile <id>`,`Named execution profile to apply to every task`).option(`--json`,`Output the final result as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{let t=new AbortController,n=!1,r=()=>{n||(n=!0,I(`Cancel requested — stopping stream...`),t.abort())};process.on(`SIGINT`,r),process.on(`SIGTERM`,r);try{let n=jn({file:e.tasks,inline:e.task}),r=Mn(e.scaling),a=Number(e.timeout);if(!Number.isFinite(a)||a<=0)throw Error(`--timeout must be a positive number of milliseconds`);let o=j(O({apiKey:e.apiKey,baseUrl:e.baseUrl})),s={type:`opencode`};e.model&&(s.model=Nn(e.model)),e.profile&&(s.profile=String(e.profile));let c={timeoutMs:a,scalingMode:r,persistent:!!e.persistent,signal:t.signal,backend:s};if(e.stream){I(`Streaming batch of ${n.length} task(s)...`),console.log();let t=new Map;for await(let e of o.streamBatch(n,c)){let r=e.data,a=r.taskId??``;switch(e.type){case`batch.started`:I(`Batch started (${r.totalTasks??n.length} tasks)`);break;case`task.started`:a&&console.log(i.dim(`→ ${a} started`));break;case`task.retry`:a&&console.log(i.yellow(`↻ ${a} retry ${r.attempt??`?`}: ${r.error??`retrying`}`));break;case`task.completed`:if(a){let e=r.usage,n=(e?.inputTokens??0)+(e?.outputTokens??0);t.set(a,{success:!0,durationMs:r.durationMs,retries:r.retries,tokensUsed:r.tokensUsed??(n>0?n:void 0),response:r.resultSummary??r.response}),console.log(i.green(`✓ ${a} completed in ${r.durationMs??`?`}ms`+(r.retries?` (${r.retries} retries)`:``)))}break;case`task.failed`:a&&(t.set(a,{success:!1,durationMs:r.durationMs,retries:r.retries,error:r.error}),console.log(i.red(`✗ ${a} failed: ${r.error??`unknown error`}`)));break;case`batch.failed`:throw Error(r.error??`Batch failed`);case`batch.completed`:break}}let r=[...t.values()].filter(e=>e.success).length,a=[...t.values()].filter(e=>!e.success).length,s=[...t.values()].reduce((e,t)=>e+(t.retries??0),0);console.log(),e.json?N({totalTasks:n.length,succeeded:r,failed:a,totalRetries:s,successRate:n.length>0?r/n.length*100:0,results:Array.from(t.entries()).map(([e,t])=>({taskId:e,...t}))}):R({"Total tasks":n.length,Succeeded:r,Failed:a,"Total retries":s,"Success rate":n.length>0?`${(r/n.length*100).toFixed(1)}%`:`0%`}),a>0&&(process.exitCode=1)}else{I(`Running batch of ${n.length} task(s)...`);let t=await o.runBatch(n,c);if(e.json)N(t);else if(console.log(),R({"Total tasks":t.totalTasks,Succeeded:t.succeeded,Failed:t.failed,"Total retries":t.totalRetries,"Success rate":`${t.successRate.toFixed(1)}%`}),t.results.length>0){console.log(),console.log(i.bold(`Task Results`)),console.log(i.dim(`─`.repeat(40)));for(let e of t.results){let t=e.success?i.green(`✓`):i.red(`✗`),n=typeof e.tokensUsed==`number`?` • ${e.tokensUsed} tokens`:``;console.log(`${t} ${e.taskId} ${i.dim(`(${e.durationMs}ms, ${e.retries} retries${n})`)}`),e.error&&console.log(i.red(` ${e.error}`))}}t.failed>0&&(process.exitCode=1)}}catch(e){if(n){console.log(),I(`Batch cancelled.`),process.exitCode=130;return}H(e)}finally{process.off(`SIGINT`,r),process.off(`SIGTERM`,r)}}),e}function Fn(){let e=new t(`checkpoint`).description(`Manage sandbox filesystem checkpoints`);return e.command(`create`).description(`Create a checkpoint of the current sandbox state`).argument(`<id>`,`Sandbox ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=j(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=L(`Creating checkpoint...`);t.json||r.start();let i=await n.get(e);if(!i)throw Error(`Sandbox not found: ${e}`);let a=await i.checkpoint();r.stop(),t.json?N(a):P(`Checkpoint created: ${a.checkpointId}`)}catch(e){H(e)}}),e.command(`list`).alias(`ls`).description(`List checkpoints for a sandbox`).argument(`<id>`,`Sandbox ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=j(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=L(`Fetching checkpoints...`);t.json||r.start();let i=await n.get(e);if(!i)throw Error(`Sandbox not found: ${e}`);let a=await i.listCheckpoints();r.stop(),t.json?N(a):a.length===0?console.log(`No checkpoints found`):V([`ID`,`Created`],a.map(e=>[e.checkpointId,e.createdAt.toLocaleString()]))}catch(e){H(e)}}),e.command(`delete`).alias(`rm`).description(`Delete a checkpoint`).argument(`<id>`,`Sandbox ID`).argument(`<checkpoint-id>`,`Checkpoint ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=j(O({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=L(`Deleting checkpoint...`);n.json||i.start();let a=await r.get(e);if(!a)throw Error(`Sandbox not found: ${e}`);await a.deleteCheckpoint(t),i.stop(),n.json?N({success:!0,deleted:t}):P(`Checkpoint deleted: ${t}`)}catch(e){H(e)}}),e}function In(){let e=new t(`environments`).alias(`env`).description(`Manage sandbox environments`);return e.command(`list`).alias(`ls`).description(`List available environments`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=j(O({apiKey:e.apiKey,baseUrl:e.baseUrl})),n=L(`Fetching environments...`);e.json||n.start();let r=await t.environments.list();n.stop(),e.json?N(r):r.length===0?console.log(`No environments found`):V([`ID`,`Description`,`Version`],r.map(e=>[e.id,e.description??``,e.version]))}catch(e){H(e)}}),e.command(`get`).description(`Get environment details`).argument(`<id>`,`Environment ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=j(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=L(`Fetching environment...`);t.json||r.start();let i=await n.environments.get(e);if(r.stop(),!i){console.error(`Environment not found: ${e}`),process.exit(1);return}t.json?N(i):(console.log(`ID: ${i.id}`),console.log(`Description: ${i.description??`-`}`),console.log(`Version: ${i.version}`),i.base&&console.log(`Base: ${i.base}`))}catch(e){H(e)}}),e}function Ln(){return new t(`exec`).description(`Execute a command in a sandbox`).argument(`<id>`,`Sandbox ID`).argument(`<command...>`,`Command to execute`).option(`--cwd <dir>`,`Working directory`).option(`--env <vars...>`,`Environment variables (KEY=VALUE)`).option(`-t, --timeout <ms>`,`Timeout in milliseconds`,`60000`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=j(O({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=t.join(` `),a={};if(n.env)for(let e of n.env){let[t,...n]=e.split(`=`);t&&n.length>0&&(a[t]=n.join(`=`))}let o=L(`Executing: ${i}`);n.json||o.start();let s=await r.get(e);if(!s)throw Error(`Sandbox not found: ${e}`);let c=await s.exec(i,{cwd:n.cwd,env:Object.keys(a).length>0?a:void 0,timeoutMs:Number.parseInt(n.timeout,10)});o.stop(),n.json?N(c):(c.stdout&&process.stdout.write(c.stdout),c.stderr&&process.stderr.write(c.stderr),c.exitCode!==0&&process.exit(c.exitCode))}catch(e){if(e instanceof m){let t=`Exec transport lost before command status was confirmed. Remote command status is unknown. Original error: ${e.message}. For long-running commands, use \`tangle process spawn\`, \`tangle process logs\`, and \`tangle process kill --tree\`.`;return H(Error(t,{cause:e}))}H(e)}})}const Rn=[`list`,`create`,`delete`,`exec`,`prompt`,`read`,`write`];function zn(){let e=new t(`fleet`).description(`Manage sandbox fleets`);return e.command(`create`).description(`Create a sandbox fleet`).option(`--fleet-id <id>`,`Stable fleet id (generated when omitted)`).option(`--count <n>`,`Number of worker machines`,`1`).option(`--image <env>`,`Environment/image for each machine`).option(`--cpu <cores>`,`CPU cores per machine`).option(`--memory <mb>`,`Memory in MB per machine`).option(`--disk <gb>`,`Disk in GB per machine`).option(`--driver <type>`,`Infrastructure driver type`).option(`--backend <id>`,`Agent backend type`).option(`--workspace <mode>`,`Workspace mode: isolated | shared`,`isolated`).option(`--max-spend-usd <n>`,`Fleet spend cap in USD (policy)`).option(`--max-lifetime <s>`,`Max machine lifetime in seconds (policy)`).option(`--spec <file.json>`,`Path to a JSON file describing the fleet (overrides synthesized machines)`).option(`--coordinator`,`Create a coordinator + workers fleet (routes to createWithCoordinator)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=j(O({apiKey:e.apiKey,baseUrl:e.baseUrl})),n=L(`Creating fleet...`);n.start();let r=e.coordinator?await t.fleets.createWithCoordinator(Un(e)):await t.fleets.create(Hn(e));n.stop();let i=Kn(r.machines);e.json?N({fleetId:r.fleetId,machines:i}):(P(`Fleet created: ${r.fleetId}`),M(i,[{key:`machineId`,header:`Machine`,width:20},{key:`sandboxId`,header:`Sandbox`,width:24},{key:`status`,header:`Status`,width:14}]))}catch(e){H(e)}}),e.command(`list <fleet-id>`).description(`List the machines of one fleet (fleet id is required)`).option(`--status <status>`,`Filter machines by status`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=j(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=L(`Fetching fleet...`);r.start();let i=await n.fleets.list({fleetId:e,status:t.status});r.stop();let a=Kn(i.machines);t.json?N({fleetId:i.fleetId,machines:a}):M(a,[{key:`machineId`,header:`Machine`,width:20},{key:`sandboxId`,header:`Sandbox`,width:24},{key:`status`,header:`Status`,width:14}])}catch(e){H(e)}}),e.command(`get <fleet-id>`).description(`Show one fleet's manifest (server record)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=j(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=L(`Fetching manifest...`);r.start();let i=await n.fleets.manifest(e);r.stop(),t.json?N(i):(R({"Fleet ID":i.fleetId??i.id,Machines:i.machines.length,"Workspace mode":i.workspace?.mode,"Workspace status":i.workspace?.status,"Max lifetime (s)":i.policy?.maxLifetimeSeconds,"Max spend (USD)":i.policy?.maxSpendUsd,Created:i.createdAt,Updated:i.updatedAt}),M(i.machines.map(e=>({machineId:e.machineId,sandboxId:e.sandboxId,role:e.role,status:e.status})),[{key:`machineId`,header:`Machine`,width:20},{key:`sandboxId`,header:`Sandbox`,width:24},{key:`role`,header:`Role`,width:14},{key:`status`,header:`Status`,width:14}]))}catch(e){H(e)}}),e.command(`delete <fleet-id>`).description(`Delete a fleet's machine sandboxes and its record`).option(`--continue-on-error`,`Keep deleting remaining machines if one delete fails`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=j(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=L(`Deleting fleet...`);r.start(),await n.fleets.delete(e,{continueOnError:t.continueOnError}),r.stop(),t.json?N({success:!0,fleetId:e}):P(`Fleet deleted: ${e}`)}catch(e){H(e)}}),e.command(`reap`).description(`TTL cleanup of all expired fleets (fleet-wide)`).option(`--dry-run`,`Report what would be reaped without deleting`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=j(O({apiKey:e.apiKey,baseUrl:e.baseUrl})),n=L(`Reaping expired fleets...`);n.start();let r=await t.fleets.reapExpired({dryRun:e.dryRun});n.stop(),e.json?N(r):(R({"Dry run":r.dryRun,Expired:r.expired,Deleted:r.deleted}),M(r.fleets.map(e=>({fleetId:e.fleetId,expiredAt:e.expiredAt,deleted:e.deleted})),[{key:`fleetId`,header:`Fleet`,width:24},{key:`expiredAt`,header:`Expired`,width:18},{key:`deleted`,header:`Deleted`,width:10}]))}catch(e){H(e)}}),e.command(`reconcile`).description(`Drop fleet records whose underlying sandboxes vanished`).option(`--dry-run`,`Report orphans without removing them`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=j(O({apiKey:e.apiKey,baseUrl:e.baseUrl})),n=L(`Reconciling fleets...`);n.start();let r=await t.fleets.reconcile({dryRun:e.dryRun});n.stop(),e.json?N(r):(R({"Dry run":r.dryRun,Checked:r.checked,Orphaned:r.orphaned,Removed:r.removed}),M(r.machines.map(e=>({fleetId:e.fleetId,machineId:e.machineId,sandboxId:e.sandboxId,removed:e.removed})),[{key:`fleetId`,header:`Fleet`,width:24},{key:`machineId`,header:`Machine`,width:20},{key:`sandboxId`,header:`Sandbox`,width:24},{key:`removed`,header:`Removed`,width:10}]))}catch(e){H(e)}}),e.addCommand(Bn()),e.command(`exec <fleet-id> <command>`).description(`Run a shell command across the fleet's machines`).option(`--machine <id...>`,`Restrict to a subset of machine ids (default: all)`).option(`--cwd <dir>`,`Working directory for the command`).option(`--timeout <ms>`,`Per-machine timeout in milliseconds`).option(`--max-concurrent <n>`,`Max concurrent dispatches`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=j(O({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=L(`Dispatching command...`);i.start();let a=await(await r.fleets.list({fleetId:e})).dispatchExecDetailed(t,{machines:n.machine,cwd:n.cwd,timeoutMs:n.timeout?Number(n.timeout):void 0,maxConcurrent:n.maxConcurrent?Number(n.maxConcurrent):void 0});if(i.stop(),n.json)N(a);else{M(a.results.map(e=>({machineId:e.machineId,ok:e.ok,exitCode:e.result?.exitCode,durationMs:e.durationMs})),[{key:`machineId`,header:`Machine`,width:20},{key:`ok`,header:`OK`,width:6},{key:`exitCode`,header:`Exit`,width:8},{key:`durationMs`,header:`Duration(ms)`,width:14}]);for(let e of a.results){let t=e.result?.stdout,n=e.result?.stderr;t&&(console.log(`\n[${e.machineId}] stdout:`),console.log(t)),n&&(console.log(`\n[${e.machineId}] stderr:`),console.log(n)),e.error&&console.log(`\n[${e.machineId}] error: ${e.error.message}`)}}a.results.some(e=>e.ok===!1)&&(process.exitCode=1)}catch(e){H(e)}}),e.command(`capabilities`).description(`List fleet drivers and their supported features`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=j(O({apiKey:e.apiKey,baseUrl:e.baseUrl})),n=L(`Fetching capabilities...`);n.start();let r=await t.fleets.capabilities();n.stop(),e.json?N(r):M(r.drivers.map(e=>({driverType:e.driverType,sharedWorkspace:e.sharedWorkspace,accelerators:e.accelerators,queueTimings:e.queueTimings})),[{key:`driverType`,header:`Driver`,width:16},{key:`sharedWorkspace`,header:`Shared WS`,width:12},{key:`accelerators`,header:`Accel`,width:8},{key:`queueTimings`,header:`Queue`,width:8}])}catch(e){H(e)}}),e.command(`usage <fleet-id>`).description(`Show fleet usage and reliability insights`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=j(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=L(`Fetching usage...`);r.start();let i=await n.fleets.usage(e);if(r.stop(),t.json)N(i);else if(R({"Fleet ID":i.usage.fleetId,Status:i.usage.status,Machines:i.usage.machineCount,Running:i.usage.runningMachines,Failed:i.usage.failedMachines,"Runtime (ms)":i.usage.meteredUsage?.runtimeMs,"Reliability score":i.insights.reliabilityScore,"Failure rate":i.insights.failureRate}),i.insights.recommendedActions.length>0){console.log(`
|
|
134
|
+
Recommended actions:`);for(let e of i.insights.recommendedActions)console.log(` - ${e}`)}}catch(e){H(e)}}),e.command(`cost <fleet-id>`).description(`Show the fleet's cost estimate`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=j(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=L(`Estimating cost...`);r.start();let i=await n.fleets.cost(e);r.stop(),t.json?N(i):R({Plan:i.plan,Currency:i.currency,"Hourly (USD)":i.hourlyUsd,"Max lifetime (s)":i.maxLifetimeSeconds,"Estimated max lifetime (USD)":i.estimatedMaxLifetimeUsd,Machines:i.requestedResources.machines,"Total CPU":i.requestedResources.totalCpu,"Total memory (MB)":i.requestedResources.totalMemoryMb})}catch(e){H(e)}}),e.command(`token <fleet-id>`).description(`Mint a scoped fleet bearer token (treated as a secret)`).option(`--action <a...>`,`Allowed actions: list create delete exec prompt read write`).option(`--ttl-minutes <n>`,`Token lifetime in minutes`).option(`--json`,`Output as JSON (only path that prints the full token)`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=j(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=L(`Minting fleet token...`);r.start();let i=await n.fleets.createToken(e,{actions:qn(t.action),ttlMinutes:t.ttlMinutes?Number(t.ttlMinutes):void 0});r.stop(),t.json?N(i):(R({"Fleet ID":i.fleetId,Token:Jn(i.token),"Expires at":new Date(i.expiresAt).toISOString(),Actions:i.actions.join(`, `)}),console.log(`
|
|
135
|
+
Re-run with --json to print the full token value.`))}catch(e){H(e)}}),e}function Bn(){let e=new t(`workspace`).description(`Manage a fleet's shared workspace`);return e.command(`snapshot <fleet-id>`).description(`Snapshot the fleet's shared workspace`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=j(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=L(`Creating workspace snapshot...`);r.start();let i=await n.fleets.createWorkspaceSnapshot(e);r.stop(),t.json?N(i):P(`Workspace snapshot created: ${i.snapshotId??i.id}`)}catch(e){H(e)}}),e.command(`restore <fleet-id> <snapshot-id>`).description(`Restore the fleet's shared workspace from a snapshot`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=j(O({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=L(`Restoring workspace...`);i.start();let a=await r.fleets.restoreWorkspaceSnapshot(e,t);i.stop(),n.json?N(a):P(`Workspace restored from ${a.snapshotId??t}`)}catch(e){H(e)}}),e.command(`reconcile <fleet-id>`).description(`Re-mount the shared workspace on all fleet machines`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=j(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=L(`Reconciling workspace...`);r.start();let i=await n.fleets.reconcileWorkspace(e);r.stop(),t.json?N(i):(R({"Fleet ID":i.fleetId,Checked:i.checked,"Orphaned mounts":i.orphanedMounts}),M(i.machines.map(e=>({machineId:e.machineId,sandboxId:e.sandboxId,mounted:e.mounted})),[{key:`machineId`,header:`Machine`,width:20},{key:`sandboxId`,header:`Sandbox`,width:24},{key:`mounted`,header:`Mounted`,width:10}]))}catch(e){H(e)}}),e}function Vn(e){if(e.spec){let t=JSON.parse(c(e.spec,`utf8`));return{base:{fleetId:e.fleetId,defaults:t.defaults,policy:t.policy,workspace:t.workspace,metadata:t.metadata},machines:t.machines??[]}}let t=Wn(e),n={...e.image?{environment:e.image}:{},...t?{resources:t}:{},...e.driver?{driver:{type:e.driver}}:{},...e.backend?{backend:{type:e.backend}}:{}},r=Gn(e),i=Math.max(1,Number(e.count)||1),a=Array.from({length:i},(e,t)=>({machineId:`worker-${t+1}`}));return{base:{fleetId:e.fleetId,defaults:Object.keys(n).length>0?n:void 0,policy:r,workspace:{mode:e.workspace}},machines:a}}function Hn(e){let{base:t,machines:n}=Vn(e);return{...t,machines:n}}function Un(e){let{base:t,machines:n}=Vn(e);return{...t,workers:n}}function Wn(e){let t={};return e.cpu&&(t.cpuCores=Number(e.cpu)),e.memory&&(t.memoryMB=Number(e.memory)),e.disk&&(t.diskGB=Number(e.disk)),Object.keys(t).length>0?t:void 0}function Gn(e){let t={};return e.maxSpendUsd&&(t.maxSpendUsd=Number(e.maxSpendUsd)),e.maxLifetime&&(t.maxLifetimeSeconds=Number(e.maxLifetime)),Object.keys(t).length>0?t:void 0}function Kn(e){return[...e.entries()].map(([e,t])=>({machineId:e,sandboxId:t.id,status:t.status}))}function qn(e){if(!(!e||e.length===0)){for(let t of e)if(!Rn.includes(t))throw Error(`Invalid token action '${t}'. Allowed: ${Rn.join(`, `)}`);return e}}function Jn(e){return e.length<=12?`****`:`${e.slice(0,6)}...${e.slice(-4)} (masked — use --json for full value)`}function Yn(){let e=new t(`fs`).description(`File system operations on sandboxes`);return G(e.command(`upload`).description(`Upload a file to a sandbox`).argument(`<sandbox-id>`,`Sandbox ID`).argument(`<local-path>`,`Local file path`).argument(`<remote-path>`,`Remote destination path`).option(`--json`,`Output as JSON`)).action(async(e,t,n,r)=>{try{let i=await K(r).get(e);if(!i)throw Error(`Sandbox not found: ${e}`);if(!a.existsSync(t))throw Error(`Local file not found: ${t}`);let o=a.statSync(t),s=Date.now();console.log(`Uploading ${t} to ${n}...`),await i.fs.upload(t,n,{onProgress:e=>{let t=e.percentage.toFixed(1);process.stdout.write(`\rProgress: ${t}% (${e.bytesUploaded}/${e.totalBytes} bytes)`)}});let c=Date.now()-s;console.log(``),r.json?B({success:!0,localPath:t,remotePath:n,size:o.size,durationMs:c}):console.log(`✓ Uploaded ${o.size} bytes in ${c}ms`)}catch(e){z(e,r.json)}}),G(e.command(`download`).description(`Download a file from a sandbox`).argument(`<sandbox-id>`,`Sandbox ID`).argument(`<remote-path>`,`Remote file path`).argument(`<local-path>`,`Local destination path`).option(`--json`,`Output as JSON`)).action(async(e,t,n,r)=>{try{let i=await K(r).get(e);if(!i)throw Error(`Sandbox not found: ${e}`);let o=Date.now();console.log(`Downloading ${t} to ${n}...`),await i.fs.download(t,n,{onProgress:e=>{let t=e.percentage.toFixed(1);process.stdout.write(`\rProgress: ${t}% (${e.bytesDownloaded}/${e.totalBytes} bytes)`)}});let s=Date.now()-o,c=a.statSync(n);console.log(``),r.json?B({success:!0,remotePath:t,localPath:n,size:c.size,durationMs:s}):console.log(`✓ Downloaded ${c.size} bytes in ${s}ms`)}catch(e){z(e,r.json)}}),G(e.command(`ls`).description(`List directory contents`).argument(`<sandbox-id>`,`Sandbox ID`).argument(`[path]`,`Directory path`,`.`).option(`-l, --long`,`Show detailed information`).option(`-a, --all`,`Include hidden files`).option(`--json`,`Output as JSON`)).action(async(e,t,n)=>{try{let r=await K(n).get(e);if(!r)throw Error(`Sandbox not found: ${e}`);let i=await r.fs.list(t.startsWith(`/`)?t:`/${t}`,{all:n.all,long:n.long});if(n.json)B(i);else if(n.long)V([`Mode`,`Owner`,`Group`,`Size`,`Modified`,`Name`],i.map(e=>{let t=e.isDir?`d`:e.isSymlink?`l`:`-`,n=Xn(e.permissions),r=e.isDir?`<DIR>`:Zn(e.size),i=e.modTime.toLocaleDateString();return[t+n,e.owner,e.group,r,i,e.name]}));else{let e=i.map(e=>e.isDir?`${e.name}/`:e.name);console.log(e.join(` `))}}catch(e){z(e,n.json)}}),G(e.command(`stat`).description(`Get file or directory information`).argument(`<sandbox-id>`,`Sandbox ID`).argument(`<path>`,`Path to file or directory`).option(`--json`,`Output as JSON`)).action(async(e,t,n)=>{try{let r=await K(n).get(e);if(!r)throw Error(`Sandbox not found: ${e}`);let i=await r.fs.stat(t.startsWith(`/`)?t:`/${t}`);n.json?B(i):(console.log(` File: ${i.name}`),console.log(` Path: ${i.path}`),console.log(` Size: ${Zn(i.size)} (${i.size} bytes)`),console.log(` Type: ${i.isDir?`directory`:i.isSymlink?`symlink`:`file`}`),console.log(` Mode: ${Xn(i.permissions)} (${i.permissions.toString(8)})`),console.log(` Owner: ${i.owner}`),console.log(` Group: ${i.group}`),console.log(` Modified: ${i.modTime.toISOString()}`),console.log(` Accessed: ${i.accessTime.toISOString()}`))}catch(e){z(e,n.json)}}),G(e.command(`cat`).description(`Print file contents`).argument(`<sandbox-id>`,`Sandbox ID`).argument(`<path>`,`Path to file`).option(`--json`,`Output as JSON`)).action(async(e,t,n)=>{try{let r=await K(n).get(e);if(!r)throw Error(`Sandbox not found: ${e}`);let i=await r.read(t.startsWith(`/`)?t:`/${t}`);n.json?B({path:t,content:i}):console.log(i)}catch(e){z(e,n.json)}}),G(e.command(`rm`).description(`Delete a file or directory`).argument(`<sandbox-id>`,`Sandbox ID`).argument(`<path>`,`Path to delete`).option(`-r, --recursive`,`Delete directories recursively`).option(`--json`,`Output as JSON`)).action(async(e,t,n)=>{try{let r=await K(n).get(e);if(!r)throw Error(`Sandbox not found: ${e}`);await r.fs.delete(t.startsWith(`/`)?t:`/${t}`,{recursive:n.recursive}),n.json?B({success:!0,path:t,deleted:!0}):console.log(`✓ Deleted: ${t}`)}catch(e){z(e,n.json)}}),G(e.command(`mkdir`).description(`Create a directory`).argument(`<sandbox-id>`,`Sandbox ID`).argument(`<path>`,`Directory path to create`).option(`-p, --parents`,`Create parent directories as needed`).option(`--json`,`Output as JSON`)).action(async(e,t,n)=>{try{let r=await K(n).get(e);if(!r)throw Error(`Sandbox not found: ${e}`);await r.fs.mkdir(t.startsWith(`/`)?t:`/${t}`,{recursive:n.parents}),n.json?B({success:!0,path:t,created:!0}):console.log(`✓ Created: ${t}`)}catch(e){z(e,n.json)}}),G(e.command(`exists`).description(`Check if a path exists`).argument(`<sandbox-id>`,`Sandbox ID`).argument(`<path>`,`Path to check`).option(`--json`,`Output as JSON`)).action(async(e,t,n)=>{try{let r=await K(n).get(e);if(!r)throw Error(`Sandbox not found: ${e}`);let i=await r.fs.exists(t.startsWith(`/`)?t:`/${t}`);n.json?B({path:t,exists:i}):(console.log(i?`exists`:`not found`),process.exit(+!i))}catch(e){z(e,n.json)}}),e}function Xn(e){let t=[`r`,`w`,`x`],n=``;for(let r=2;r>=0;r--){let i=r*3;for(let r=0;r<3;r++)n+=e>>i+(2-r)&1?t[r]:`-`}return n}function Zn(e){let t=[`B`,`KB`,`MB`,`GB`,`TB`],n=e,r=0;for(;n>=1024&&r<t.length-1;)n/=1024,r++;return r===0?`${n}${t[r]}`:`${n.toFixed(1)}${t[r]}`}function G(e){return e.option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`)}function K(e){return j(O({apiKey:e.apiKey,baseUrl:e.baseUrl}))}function Qn(){let e=new t(`git`).description(`Git operations in a sandbox workspace`);return e.command(`status`).description(`Show git repository status`).argument(`<id>`,`Sandbox ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=j(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=L(`Fetching status...`);t.json||r.start();let i=await n.get(e);if(!i)throw Error(`Sandbox not found: ${e}`);let a=await i.git.status();if(r.stop(),t.json)N(a);else{if(console.log(`Branch: ${a.branch}`),console.log(`HEAD: ${a.head.slice(0,7)}`),console.log(`Dirty: ${a.isDirty?`yes`:`no`}`),a.ahead&&console.log(`Ahead: ${a.ahead}`),a.behind&&console.log(`Behind: ${a.behind}`),a.staged.length>0){console.log(`\nStaged (${a.staged.length}):`);for(let e of a.staged)console.log(` + ${e}`)}if(a.modified.length>0){console.log(`\nModified (${a.modified.length}):`);for(let e of a.modified)console.log(` M ${e}`)}if(a.untracked.length>0){console.log(`\nUntracked (${a.untracked.length}):`);for(let e of a.untracked)console.log(` ? ${e}`)}}}catch(e){H(e)}}),e.command(`log`).description(`Show commit log`).argument(`<id>`,`Sandbox ID`).option(`-n, --limit <count>`,`Max commits to show`,`10`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=j(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=L(`Fetching log...`);t.json||r.start();let i=await n.get(e);if(!i)throw Error(`Sandbox not found: ${e}`);let a=await i.git.log(Number.parseInt(t.limit,10));if(r.stop(),t.json)N(a);else if(a.length===0)console.log(`No commits found`);else for(let e of a)console.log(`${e.shortSha} ${e.message.split(`
|
|
136
|
+
`)[0]} (${e.author}, ${e.date.toLocaleDateString()})`)}catch(e){H(e)}}),e.command(`diff`).description(`Show diff`).argument(`<id>`,`Sandbox ID`).option(`--ref <ref>`,`Ref to diff against`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=j(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=L(`Fetching diff...`);t.json||r.start();let i=await n.get(e);if(!i)throw Error(`Sandbox not found: ${e}`);let a=await i.git.diff(t.ref);r.stop(),t.json?N(a):a.raw?console.log(a.raw):console.log(`${a.additions} additions, ${a.deletions} deletions across ${a.files.length} files`)}catch(e){H(e)}}),e.command(`add`).description(`Stage files`).argument(`<id>`,`Sandbox ID`).argument(`<paths...>`,`Paths to stage`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=await j(O({apiKey:n.apiKey,baseUrl:n.baseUrl})).get(e);if(!r)throw Error(`Sandbox not found: ${e}`);await r.git.add(t),P(`Staged: ${t.join(`, `)}`)}catch(e){H(e)}}),e.command(`commit`).description(`Create a commit`).argument(`<id>`,`Sandbox ID`).requiredOption(`-m, --message <msg>`,`Commit message`).option(`--amend`,`Amend the previous commit`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=await j(O({apiKey:t.apiKey,baseUrl:t.baseUrl})).get(e);if(!n)throw Error(`Sandbox not found: ${e}`);let r=await n.git.commit(t.message,{amend:t.amend});t.json?N(r):P(`Committed: ${r.shortSha} ${r.message}`)}catch(e){H(e)}}),e.command(`push`).description(`Push to remote`).argument(`<id>`,`Sandbox ID`).option(`--force`,`Force push`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=j(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=L(`Pushing...`);r.start();let i=await n.get(e);if(!i)throw Error(`Sandbox not found: ${e}`);await i.git.push({force:t.force}),r.stop(),P(`Pushed to remote`)}catch(e){H(e)}}),e.command(`pull`).description(`Pull from remote`).argument(`<id>`,`Sandbox ID`).option(`--rebase`,`Rebase instead of merge`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=j(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=L(`Pulling...`);r.start();let i=await n.get(e);if(!i)throw Error(`Sandbox not found: ${e}`);await i.git.pull({rebase:t.rebase}),r.stop(),P(`Pulled from remote`)}catch(e){H(e)}}),e.command(`branches`).description(`List branches`).argument(`<id>`,`Sandbox ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=j(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=L(`Fetching branches...`);t.json||r.start();let i=await n.get(e);if(!i)throw Error(`Sandbox not found: ${e}`);let a=await i.git.branches();r.stop(),t.json?N(a):a.length===0?console.log(`No branches found`):V([`Name`,`Current`,`Remote`],a.map(e=>[e.name,e.current?`* `:` `,e.upstream??`-`]))}catch(e){H(e)}}),e.command(`checkout`).description(`Checkout a branch or ref`).argument(`<id>`,`Sandbox ID`).argument(`<ref>`,`Branch name or ref`).option(`-b, --create`,`Create a new branch`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=await j(O({apiKey:n.apiKey,baseUrl:n.baseUrl})).get(e);if(!r)throw Error(`Sandbox not found: ${e}`);await r.git.checkout(t,{create:n.create}),P(`Checked out: ${t}${n.create?` (new)`:``}`)}catch(e){H(e)}}),e}function $n(){let e=new t(`hub`).description(`Discover and run Tangle Hub tools`);e.option(`--json`,`Output as JSON`),e.hook(`preAction`,(e,t)=>{nr(t)}),e.command(`connect`).description(`Connect a provider account`).argument(`provider`,`Provider to connect`).option(`--no-browser`,`Print the authorization URL instead of opening it`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=await q(t).connections.start(e,{cli:!0});if(t.json){N(yr(n));return}vr(n,t.browser===!1?!1:await fn(n.redirectUrl))}catch(e){J(e,t)}});let n=new t(`connections`).description(`List Hub provider connections`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=await q(e).connections.list();if(e.json){N(t);return}_r(t.connections)}catch(t){J(t,e)}});n.command(`revoke <connection-id>`).description(`Revoke a Hub provider connection`).option(`--force`,`Skip confirmation prompt`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{if(!t.force&&!await U(`Revoke Hub connection ${e}? `)){I(`Revoke cancelled.`);return}let n=await q(t).connections.revoke(e);if(t.json){N(n);return}I(`Revoked Hub connection ${n.connection.id}.`)}catch(e){J(e,t)}}),e.addCommand(n);let r=new t(`permissions`).description(`Manage Hub action permissions`);r.command(`list`).description(`List Hub permissions for a connection`).requiredOption(`--connection <id>`,`Hub connection ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{if(!e.connection)throw Error(`--connection is required.`);let t=await q(e).permissions.list(e.connection);if(e.json){N(t);return}fr(t.policies)}catch(t){J(t,e)}}),r.command(`set`).description(`Set Hub permission for one action`).requiredOption(`--connection <id>`,`Hub connection ID`).requiredOption(`--action <path>`,`Executor action path`).requiredOption(`--decision <allow|ask|deny>`,`Permission decision`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{if(!e.connection)throw Error(`--connection is required.`);if(!e.action)throw Error(`--action is required.`);let t=pr(e.decision),n=await q(e).permissions.set({connectionId:e.connection,actionPath:e.action,decision:t});if(e.json){N(n);return}fr([n.policy])}catch(t){J(t,e)}}),e.addCommand(r);let i=new t(`approvals`).description(`List and resolve Hub execution approvals`);i.command(`list`).description(`List pending Hub execution approvals`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=await q(e).approvals.list();if(e.json){N(t);return}sr(t.approvals)}catch(t){J(t,e)}}),i.command(`approve`).description(`Approve a pending Hub execution approval`).argument(`approval-id`,`Hub approval ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{or(e),cr(await q(t).approvals.approve(e),t.json===!0)}catch(e){J(e,t)}}),i.command(`deny`).description(`Deny a pending Hub execution approval`).argument(`approval-id`,`Hub approval ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{or(e),cr(await q(t).approvals.deny(e),t.json===!0)}catch(e){J(e,t)}}),e.addCommand(i);let a=new t(`tools`).description(`Discover Hub tools`);return a.command(`sources`).description(`List Hub tool sources`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=await q(e).tools.sources();if(e.json){N(t);return}mr(t.sources)}catch(t){J(t,e)}}),a.command(`describe`).description(`Describe a Hub tool`).argument(`path`,`Executor tool path`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=await q(t).tools.describe(e);if(t.json){N(n);return}hr(n.tool)}catch(e){J(e,t)}}),a.command(`search`).description(`Search Hub tools`).argument(`<query...>`,`Search query`).option(`--provider <provider>`,`Filter by provider/source ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=await q(t).tools.search(e.join(` `),{provider:t.provider});if(t.json){N(n);return}dr(n.tools)}catch(e){J(e,t)}}),e.addCommand(a),e.addCommand(tr(`call`)),e.addCommand(tr(`exec`)),e.command(`resume`).description(`Resolve a Hub approval created by a paused execution`).argument(`approval-id`,`Hub approval ID from HUB_APPROVAL_REQUIRED`).option(`--accept`,`Approve the execution approval`).option(`--decline`,`Deny the execution approval`).option(`--cancel`,`Unsupported for approval-backed Hub resume`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{if(or(e),t.cancel)throw Error(`Hub approval resume does not support --cancel. Use --decline to deny the approval.`);if(t.accept&&t.decline)throw Error(`Choose only one of --accept or --decline.`);if(!t.accept&&!t.decline)throw Error(`Choose --accept to approve or --decline to deny the Hub approval.`);let n=q(t);cr(t.decline?await n.approvals.deny(e):await n.approvals.approve(e),t.json===!0)}catch(e){J(e,t)}}),e.command(`status`).description(`Show Hub auth and connection status`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=await q(e).status();if(e.json){N(t);return}br(t)}catch(t){J(t,e)}}),e}function q(e){let t=er(e);return new me({baseUrl:t.baseUrl,apiKey:t.apiKey})}function er(e){let t=E(e.apiKey),n=gt(e.apiKey),r=process.env.TANGLE_HUB_CAPABILITY_TOKEN?.trim();if(r&&n===`env`)throw Error(`Set exactly one of TANGLE_API_KEY/SANDBOX_API_KEY or TANGLE_HUB_CAPABILITY_TOKEN, not both`);return O({apiKey:n===`flag`?t:r||t,baseUrl:e.baseUrl??_t(process.env.TANGLE_HUB_URL)})}function tr(e){return new t(e).description(`Execute a Hub tool`).argument(`<args...>`,`Tool path tokens followed by JSON input`).option(`--connection <id>`,`Hub connection ID`).option(`--auto-approve`,`Approve a HUB_APPROVAL_REQUIRED execution and retry once`).option(`--approve`,`Alias for --auto-approve`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let{args:n,approve:r}=ar(e,t),{path:i,input:a}=ur(n);N((await q(t).tools.invoke(i,a,{connectionId:t.connection,approve:r})).result)}catch(e){J(e,t)}})}function nr(e){if(!rr(e,`json`)||e.getOptionValue(`json`)!==void 0)return;let t=e.parent;for(;t;){let n=t.getOptionValue(`json`);if(n!==void 0){e.setOptionValue(`json`,n);return}t=t.parent}}function rr(e,t){return e.options.some(e=>e.attributeName()===t)}function ir(e){return e.json===!0}function J(e,t){return ir(t)?H(e,!0):H(e)}function ar(e,t){let n=t.autoApprove;return{args:e.filter(e=>e!==`--approve`&&e!==`--auto-approve`),approve:t.approve===!0||n===!0||e.includes(`--approve`)||e.includes(`--auto-approve`)}}function or(e){if(!/^[A-Za-z0-9_-]+$/.test(e))throw Error(`Hub approval ID must contain only letters, numbers, underscores, and dashes.`)}function sr(e){M(e.map(e=>({id:e.id,provider:e.providerId,action:e.actionPath,connection:e.connectionId,status:e.status,expires:e.expiresAt})),[{key:`id`,header:`ID`},{key:`provider`,header:`Provider`},{key:`action`,header:`Action`},{key:`connection`,header:`Connection`},{key:`status`,header:`Status`},{key:`expires`,header:`Expires`}])}function cr(e,t){if(t){N(lr(e));return}I(`Hub approval ${e.approval.id} ${e.approval.status}.`),e.capabilityToken&&I("Capability token minted. Re-run the original command with `--approve` to execute automatically.")}function lr(e){return{approval:e.approval,...e.capabilityToken?{capabilityToken:{tokenId:e.capabilityToken.tokenId,expiresAt:e.capabilityToken.expiresAt}}:{}}}function ur(e){if(e.length<2)throw Error(`Usage: tangle hub call <path> <json-input>`);let t=e.at(-1);if(t===void 0)throw Error(`Usage: tangle hub call <path> <json-input>`);try{return{path:e.slice(0,-1).join(`.`),input:JSON.parse(t)}}catch{throw Error(`Hub call input must be valid JSON.`)}}function dr(e){M(e.map(e=>({path:e.path,provider:e.providerId??e.requiredConnectionProviderId,title:e.title,description:e.description,connection:gr(e),policy:e.policyState})),[{key:`path`,header:`Path`},{key:`provider`,header:`Provider`},{key:`title`,header:`Title`},{key:`description`,header:`Description`},{key:`connection`,header:`Connection`},{key:`policy`,header:`Policy`}])}function fr(e){M(e.map(e=>({connection:e.connectionId,provider:e.providerId,action:e.actionPath,decision:e.decision,updated:e.updatedAt})),[{key:`connection`,header:`Connection`},{key:`provider`,header:`Provider`},{key:`action`,header:`Action`},{key:`decision`,header:`Decision`},{key:`updated`,header:`Updated`}])}function pr(e){if(e===`allow`||e===`ask`||e===`deny`)return e;throw Error(`--decision must be one of: allow, ask, deny.`)}function mr(e){M(e.map(e=>({source:e.sourceId,provider:e.displayName,tools:e.toolCount,connection:e.connectionStatus,health:e.health,configured:e.configured})),[{key:`source`,header:`Source`},{key:`provider`,header:`Provider`},{key:`tools`,header:`Tools`},{key:`connection`,header:`Connection`},{key:`health`,header:`Health`},{key:`configured`,header:`Configured`}])}function hr(e){R({Path:e.path,Provider:e.providerId??e.requiredConnectionProviderId,Title:e.title,Description:e.description,Connection:gr(e),Policy:e.policyState}),e.inputSchema!==void 0&&(I(`Input schema`),console.log(JSON.stringify(e.inputSchema,null,2))),e.outputSchema!==void 0&&(I(`Output schema`),console.log(JSON.stringify(e.outputSchema,null,2)))}function gr(e){if(e.connectionRequired===!1)return`not required`;if(e.connectionStatus)return e.connectionStatus}function _r(e){M(e.map(e=>({id:e.id,provider:e.providerId,account:e.accountDisplay??e.displayName,scopes:e.scopes.join(`, `),status:e.status,health:e.health,lastUsed:e.lastUsedAt})),[{key:`id`,header:`ID`},{key:`provider`,header:`Provider`},{key:`account`,header:`Account`},{key:`scopes`,header:`Scopes`},{key:`status`,header:`Status`},{key:`health`,header:`Health`},{key:`lastUsed`,header:`Last Used`}])}function vr(e,t){t?I(`Opened browser to connect ${e.provider}.`):(I(`Open this URL to connect ${e.provider}:`),console.log(e.redirectUrl)),I("Finish authorization in the browser, then rerun `tangle hub status`.")}function yr(e){return{provider:e.provider,redirectUrl:e.redirectUrl,expiresAt:e.expiresAt,scopes:e.scopes,cli:e.cli}}function br(e){let{principal:t,connections:n}=e;I(`Hub status`),R({Principal:t.kind,"User ID":t.userId,"API Key ID":t.apiKeyId,"Sandbox ID":t.sandboxId,"Connected Providers":n.connectedProviderCount,"Unhealthy Providers":n.unhealthyProviderCount}),n.unhealthyProviderCount>0&&I(`Some providers require reconnect.`)}const xr=[`codex`,`claude-code`,`nanoclaw`,`kimi-code`,`opencode`,`pi`,`openclaw`,`hermes`],Sr=[`codex`,`claude-code`],Cr=[`codex`,`claude-code`,`nanoclaw`],wr=[`SessionStart`,`UserPromptSubmit`,`PreToolUse`,`PostToolUse`,`Stop`],Tr={codex:{kind:`native`,surface:`codex`,label:`Codex`,buildFiles:Lr},"claude-code":{kind:`native`,surface:`claude-code`,label:`Claude Code`,buildFiles:Rr},nanoclaw:{kind:`native`,surface:`nanoclaw`,label:`NanoClaw`,buildFiles:Rr},"kimi-code":{kind:`manual`,surface:`kimi-code`,label:`Kimi Code`,reason:`Kimi Code loads hooks through an explicit config file, so use standard OTLP env wiring until the native config adapter is verified.`},opencode:{kind:`manual`,surface:`opencode`,label:`OpenCode`,reason:`OpenCode hooks run as plugins; use standard OTLP env wiring until the native plugin adapter is verified.`},pi:{kind:`manual`,surface:`pi`,label:`Pi`,reason:`Pi hooks run through TypeScript extensions; use standard OTLP env wiring until the native extension adapter is verified.`},openclaw:{kind:`manual`,surface:`openclaw`,label:`OpenClaw`,reason:`OpenClaw project hooks require user opt-in; use standard OTLP env wiring until the hook toggle and adapter are verified.`},hermes:{kind:`manual`,surface:`hermes`,label:`Hermes`,reason:`Hermes project plugins require explicit enablement; use standard OTLP env wiring until the plugin adapter is verified.`}};function Er(e){let t=e.split(`,`).map(e=>e.trim()).filter(Boolean).flatMap(e=>Ir(e));return t.length===0?[...Sr]:Xr(t)}function Dr(e){return Object.hasOwn(Tr,e)}function Or(e=process.cwd()){return f(ne(e))||`agent-workspace`}function kr(){return te(de(),`.tangle`,`intelligence.json`)}function Ar(e=kr()){if(!o(e))return null;let t=qr(e),n=Zr(t,`apiKey`),r=Zr(t,`endpoint`),i=Zr(t,`serviceName`),a=Zr(t,`environment`);if(!n||!r||!i||!a)throw Error(`${e} is missing apiKey, endpoint, serviceName, or environment`);return{apiKey:n,endpoint:r,serviceName:i,environment:a}}async function jr(e){let t=ne(e.workspace),n=kr(),r=Er(e.selection),i=[],a=[],o=[],s={apiKey:e.apiKey,endpoint:Fr(e.endpoint),serviceName:e.serviceName,environment:e.environment};e.dryRun||Wr(n,s),o.push(n);for(let n of r){let r=Tr[n];if(r.kind===`manual`){a.push({agent:r.surface,label:r.label,reason:r.reason});continue}i.push(r.surface);let s=t=>Mr(e.hookCommand,r.surface,t);for(let n of r.buildFiles(s)){let r=te(t,n.relPath);if(e.dryRun){o.push(r);continue}Kr(r,JSON.parse(n.content),n.mode),o.push(r)}}return!e.smoke||e.dryRun?{configPath:n,written:o,agents:r,nativeAgents:i,manual:a}:{configPath:n,written:o,agents:r,nativeAgents:i,manual:a,smokeTraceId:await Pr({agent:i[0]??r[0]??`codex`,event:`install.smoke`,endpoint:s.endpoint,apiKey:s.apiKey,serviceName:s.serviceName,environment:s.environment,sessionId:`install-smoke-${Date.now()}`,payload:{source:`tangle intelligence connect`}})}}function Mr(e,t,n){return`${e.trim()} --agent ${t} --event ${n} --non-blocking`}function Nr(e){let t=BigInt(Date.now())*1000000n,n=$r(16),r=$r(8),i=e.sessionId??zr(e.payload),a={"service.name":e.serviceName,"deployment.environment":e.environment,"tangle.agent.surface":e.agent,"tangle.agent.hook.event":e.event,"tangle.agent.hook.source":`local-hook`,...Br(e.payload)};return i&&(a[`session.id`]=i,a[`gen_ai.conversation.id`]=i,a[`tangle.sessionId`]=i),{body:{resourceSpans:[{resource:{attributes:[ei(`service.name`,e.serviceName),ei(`deployment.environment`,e.environment),ei(`tangle.agent.surface`,e.agent)]},scopeSpans:[{scope:{name:`tangle.intelligence.agent-hook`,version:`1.0.0`},spans:[{traceId:n,spanId:r,name:`agent.${e.agent}.${e.event}`,kind:1,startTimeUnixNano:t.toString(),endTimeUnixNano:(t+1000000n).toString(),attributes:Object.entries(a).map(([e,t])=>ei(e,t)),status:{code:1}}]}]}]},traceId:n}}async function Pr(e){let{body:t,traceId:n}=Nr(e),r=await fetch(`${Fr(e.endpoint)}/v1/traces`,{method:`POST`,headers:{Authorization:`Bearer ${e.apiKey}`,"Content-Type":`application/json`},body:JSON.stringify(t)});if(!r.ok){let e=await r.text().catch(()=>``);throw Error(`OTLP smoke ingest failed: ${r.status}${e?` ${e}`:``}`)}return n}function Fr(e){let t=e.trim().replace(/\/+$/,``);return t.endsWith(`/v1/traces`)?t.slice(0,-10):t.endsWith(`/v1/logs`)?t.slice(0,-8):t}function Ir(e){switch(e){case`local`:case`both`:return[...Sr];case`all`:return[...Cr];case`claude`:return[`claude-code`];case`kimi`:return[`kimi-code`];default:if(Dr(e))return[e];throw Error(`agent must be one of: local, all, both, ${xr.join(`, `)}`)}}function Lr(e){let t=Object.fromEntries(wr.map(t=>[t,[{command:e(t),timeoutMs:3e3,blocking:!1,matcher:`*`}]]));return[{relPath:`.codex/hooks.json`,content:JSON.stringify({hooks:t},null,2)}]}function Rr(e){let t=Object.fromEntries(wr.map(t=>[t,[{matcher:`*`,hooks:[{type:`command`,command:e(t),timeout:3}]}]]));return[{relPath:`.claude/settings.json`,content:JSON.stringify({hooks:t},null,2)}]}function zr(e){return Vr(e,[`session.id`,`sessionId`,`session_id`,`conversationId`,`conversation_id`,`threadId`,`thread_id`,`transcriptId`,`transcript_id`])||process.env.TANGLE_SESSION_ID||process.env.CODEX_THREAD_ID||process.env.CLAUDE_SESSION_ID||process.env.OPENCODE_SESSION_ID}function Br(e){let t={},n=Y(e,[`tool.name`,`toolName`,`tool_name`,`tool`]),r=Y(e,[`command`,`cmd`,`shell_command`,`shellCommand`]),i=Y(e,[`tool.input`,`toolInput`,`tool_input`,`input`,`arguments`,`args`]),a=Y(e,[`tool.output`,`toolOutput`,`tool_output`,`output`,`result`]),o=Y(e,[`tool.exit_code`,`exitCode`,`exit_code`,`status`]),s=Y(e,[`tool.error.message`,`errorMessage`,`error_message`,`error`]);return n&&(t[`tool.name`]=n),r&&(t[`process.command`]=r),i&&(t[`tool.input.summary`]=i),a&&(t[`tool.output.summary`]=a),o&&(t[`tool.exit_code`]=o),s&&(t[`tool.error.message`]=s),t}function Y(e,t){let n=Hr(e,t);if(n===void 0)return null;if(typeof n==`string`)return Ur(n);if(typeof n==`number`||typeof n==`boolean`||typeof n==`bigint`)return String(n);try{return Ur(JSON.stringify(n))}catch{return null}}function Vr(e,t){let n=Hr(e,t);return typeof n==`string`&&n.length>0?n:void 0}function Hr(e,t){if(typeof e!=`object`||!e)return;let n=[e],r=new Set;for(;n.length;){let e=n.pop();if(typeof e!=`object`||!e||r.has(e))continue;r.add(e);let i=e;for(let e of t){let t=i[e];if(t!=null&&t!==``)return t}for(let e of Object.values(i))typeof e==`object`&&e&&n.push(e)}}function Ur(e){return e.length>4096?`${e.slice(0,4093)}...`:e}function Wr(e,t){Gr(e,`${JSON.stringify(t,null,2)}\n`)}function Gr(e,t){s(p(e),{mode:448,recursive:!0});let n=`${e}.${process.pid}.tmp`;u(n,t,{mode:384}),l(n,e)}function Kr(e,t,n){s(p(e),{recursive:!0});let r=Jr(qr(e),t);u(e,`${JSON.stringify(r,null,2)}\n`,{mode:n??420})}function qr(e){if(!o(e))return{};let t=JSON.parse(c(e,`utf8`));if(!Qr(t))throw Error(`${e} must contain a JSON object`);return t}function Jr(e,t){let n={...e};for(let[e,r]of Object.entries(t)){let t=n[e];Qr(t)&&Qr(r)?n[e]=Jr(t,r):Array.isArray(t)&&Array.isArray(r)?n[e]=Yr([...t,...r]):n[e]=r}return n}function Yr(e){let t=new Set,n=[];for(let r of e){let e=JSON.stringify(r);t.has(e)||(t.add(e),n.push(r))}return n}function Xr(e){return[...new Set(e)]}function Zr(e,t){let n=e[t];return typeof n==`string`&&n.length>0?n:void 0}function Qr(e){return typeof e==`object`&&!!e&&!Array.isArray(e)&&(Object.getPrototypeOf(e)===Object.prototype||Object.getPrototypeOf(e)===null)}function $r(e){return n(e).toString(`hex`)}function ei(e,t){return{key:e,value:{stringValue:t}}}function ti(){let e=new t(`intelligence`).description(`Create and inspect trace intelligence reports`);return e.command(`connect [agent]`).alias(`connect-agent`).description(`Connect local agent CLIs to Tangle Intelligence`).option(`--api-key <key>`,`Intelligence ingest API key`).option(`--endpoint <url>`,`OTLP endpoint base`,`https://intelligence.tangle.tools/v1/otlp`).option(`--workspace <path>`,`Workspace to write hook files into`,`.`).option(`--service-name <name>`,`OTel service.name label`).option(`--environment <name>`,`OTel deployment.environment label`,`local`).option(`--dry-run`,`Print planned writes without changing files`).option(`--hook-command <command>`,`Command native hooks should run`,`tangle intelligence hook`).option(`--no-smoke`,`Skip the install smoke trace`).option(`--json`,`Output as JSON`).action(async(e,t)=>{try{let n=e??`local`;Er(n);let r=ni(t.apiKey),i=await jr({selection:n,workspace:t.workspace,apiKey:r,endpoint:t.endpoint,serviceName:t.serviceName??Or(t.workspace),environment:t.environment,smoke:t.smoke,dryRun:!!t.dryRun,hookCommand:t.hookCommand}),a={configPath:i.configPath,agents:i.agents,nativeAgents:i.nativeAgents,manual:i.manual,written:i.written,smokeTraceId:i.smokeTraceId};if(t.json){N(a);return}R({Config:i.configPath,Agents:i.agents.join(`, `),"Native Hooks":i.nativeAgents.join(`, `)||void 0,"Manual Setup":i.manual.length?i.manual.map(e=>`${e.label}: ${e.reason}`).join(` `):void 0,Files:i.written.join(`, `),"Smoke Trace":i.smokeTraceId})}catch(e){H(e)}}),e.command(`hook`).description(`Emit one local agent hook event to Tangle Intelligence`).requiredOption(`--agent <agent>`,`Agent surface`).requiredOption(`--event <event>`,`Hook event name`).option(`--payload <json>`,`Hook payload JSON`).option(`--api-key <key>`,`Intelligence ingest API key`).option(`--endpoint <url>`,`OTLP endpoint base`).option(`--service-name <name>`,`OTel service.name label`).option(`--environment <name>`,`OTel deployment.environment label`).option(`--session-id <id>`,`Session id override`).option(`--dry-run`,`Build the OTLP request without sending it`).option(`--non-blocking`,`Do not fail the parent agent process`).option(`--json`,`Output as JSON`).action(async e=>{try{let t=ri(e.agent),n=Ar(),r={agent:t,event:e.event,endpoint:e.endpoint??n?.endpoint??`https://intelligence.tangle.tools/v1/otlp`,apiKey:ni(e.apiKey??n?.apiKey),serviceName:e.serviceName??n?.serviceName??Or(process.cwd()),environment:e.environment??n?.environment??`local`,sessionId:e.sessionId,payload:e.payload===void 0?await ai():ii(e.payload)};if(e.dryRun){let n=Nr(r);if(e.json){N(n);return}R({Trace:n.traceId,Agent:t,Event:e.event});return}let i=await Pr(r);if(e.json){N({traceId:i});return}R({Trace:i,Agent:t,Event:e.event})}catch(t){if(e.nonBlocking){let n=t instanceof Error?t.message:String(t);e.json?N({ok:!1,error:n}):console.error(`Tangle Intelligence hook skipped: ${n}`);return}H(t)}}),e.command(`sandbox <sandbox-id>`).description(`Create an intelligence report for one sandbox`).option(`--mode <mode>`,`deterministic | agentic`,`deterministic`).option(`--max-usd <amount>`,`Maximum customer charge for agentic analysis`).option(`--metadata <json>`,`Metadata JSON object`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{await oi({type:`sandbox`,id:e},t)}),e.command(`fleet <fleet-id>`).description(`Create an intelligence report for a sandbox fleet`).option(`--mode <mode>`,`deterministic | agentic`,`deterministic`).option(`--max-usd <amount>`,`Maximum customer charge for agentic analysis`).option(`--metadata <json>`,`Metadata JSON object`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{await oi({type:`fleet`,id:e},t)}),e.command(`create`).description(`Create a trace intelligence report`).requiredOption(`--subject-type <type>`,`sandbox | fleet`).requiredOption(`--subject-id <id>`,`Subject identifier`).option(`--mode <mode>`,`deterministic | agentic`,`deterministic`).option(`--max-usd <amount>`,`Maximum customer charge for agentic analysis`).option(`--metadata <json>`,`Metadata JSON object`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{await oi({type:ci(e.subjectType),id:e.subjectId},e)}),e.command(`get <job-id>`).description(`Get an intelligence report`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=j(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=t.json?null:L(`Fetching intelligence report...`);r?.start();let i=await n.intelligence.getReport(e);if(r?.stop(),t.json){N(i);return}si(i)}catch(e){H(e)}}),e.command(`list`).description(`List intelligence reports`).option(`--subject-type <type>`,`sandbox | fleet`).option(`--subject-id <id>`,`Subject identifier`).option(`--limit <count>`,`Maximum reports to return`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=j(O({apiKey:e.apiKey,baseUrl:e.baseUrl})),n=e.json?null:L(`Fetching intelligence reports...`);n?.start();let r=await t.intelligence.listReports({subjectType:e.subjectType===void 0?void 0:ci(e.subjectType),subjectId:e.subjectId,limit:e.limit===void 0?void 0:di(e.limit)});if(n?.stop(),e.json){N(r);return}M(r.map(e=>({jobId:e.jobId,subject:`${e.subject.type}:${e.subject.id}`,mode:e.mode,status:e.status,cost:`$${e.billing.costUsd.toFixed(2)}`,updatedAt:e.updatedAt})),[{key:`jobId`,header:`Job`,width:20},{key:`subject`,header:`Subject`,width:28},{key:`mode`,header:`Mode`,width:15},{key:`status`,header:`Status`,width:14},{key:`cost`,header:`Cost`,width:10},{key:`updatedAt`,header:`Updated`,width:18}])}catch(e){H(e)}}),e}function ni(e){let t=e??process.env.TANGLE_INTELLIGENCE_API_KEY??process.env.TANGLE_API_KEY;if(!t)throw Error(`--api-key, TANGLE_INTELLIGENCE_API_KEY, or TANGLE_API_KEY is required`);return t}function ri(e){if(Dr(e))return e;throw Error(`agent must be a known Tangle Intelligence agent surface`)}function ii(e){try{return JSON.parse(e)}catch(e){throw Error(`--payload must be JSON: ${e instanceof Error?e.message:String(e)}`)}}async function ai(){if(process.stdin.isTTY)return;let e=``;for await(let t of process.stdin)if(e+=typeof t==`string`?t:t.toString(`utf8`),e.length>65536)throw Error(`hook payload exceeds 65536 bytes`);let t=e.trim();if(t)try{return JSON.parse(t)}catch{return{body:t.slice(0,4096)}}}async function oi(e,t){try{let n=li(t.mode),r=fi(t.metadata),i=t.maxUsd===void 0?void 0:ui(t.maxUsd);if(n===`agentic`&&i===void 0)throw Error(`Agentic intelligence reports require --max-usd`);let a=j(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),o=t.json?null:L(`Creating intelligence report...`);o?.start();let s=await a.intelligence.createReport({subject:e,mode:n,...i===void 0?{}:{budget:{billTo:`customer`,maxUsd:i}},...r===void 0?{}:{metadata:r}});if(o?.stop(),t.json){N(s);return}si(s)}catch(e){H(e)}}function si(e){R({Job:e.jobId,Subject:`${e.subject.type}:${e.subject.id}`,Mode:e.mode,Status:e.status,"Billed To":e.billing.billedTo,Cost:`$${e.billing.costUsd.toFixed(2)}`,Budget:e.billing.budgetMaxUsd===void 0?void 0:`$${e.billing.budgetMaxUsd.toFixed(2)}`,Updated:e.updatedAt}),e.result!==null&&(console.log(),N(e.result))}function ci(e){if(e===`sandbox`||e===`fleet`)return e;throw Error(`subject type must be sandbox or fleet`)}function li(e){if(e===`deterministic`||e===`agentic`)return e;throw Error(`mode must be deterministic or agentic`)}function ui(e){let t=Number(e);if(!Number.isFinite(t)||t<0)throw Error(`--max-usd must be a non-negative number`);return t}function di(e){let t=Number(e);if(!Number.isInteger(t)||t<1)throw Error(`--limit must be a positive integer`);return t}function fi(e){if(e===void 0)return;let t=JSON.parse(e);if(!t||typeof t!=`object`||Array.isArray(t))throw Error(`--metadata must be a JSON object`);return t}const pi=[`router`,`sandbox`,`blueprint-agent`,`evals`,`agent-builder`];function mi(e){return(e?.trim()||process.env.TANGLE_PLATFORM_URL?.trim()||`https://id.tangle.tools`).replace(/\/+$/,``)}async function hi(e,t,n={}){let r=new Headers(n.headers);r.set(`Authorization`,`Bearer ${t}`),n.body&&!r.has(`content-type`)&&r.set(`content-type`,`application/json`);let i=await fetch(e,{...n,headers:r});if(n.expected!==void 0&&i.status!==n.expected){let t=await i.text().catch(()=>``),n=t?`: ${t.slice(0,400)}`:``;throw Error(`Platform request to ${e} returned ${i.status}${n}`)}return i}const gi=[`ID`,`Prefix`,`Name`,`Product`,`Created`,`Last used`,`Expires`];function _i(e){return[e.id,e.keyPrefix??``,e.name,e.product??`all`,e.createdAt,e.lastUsedAt??`—`,e.expiresAt??`—`]}function vi(){let e=new t(`keys`).description(`Manage sk-tan-* API keys on id.tangle.tools`);return e.command(`list`).description(`List your active API keys`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key (overrides configured credentials)`).option(`--base-url <url>`,`Sandbox API base URL (not platform URL)`).option(`--platform-url <url>`,`Override the platform URL (id.tangle.tools)`).action(async e=>{try{let t=O({apiKey:e.apiKey,baseUrl:e.baseUrl}),n=await(await hi(`${mi(e.platformUrl)}/v1/keys`,t.apiKey,{expected:200})).json();if(e.json){N(n);return}V(gi,n.data.map(_i))}catch(e){H(e)}}),e.command(`create`).description(`Create a new API key`).argument(`<name>`,`Human-readable name for the key`).option(`--product <product>`,`Restrict the key to one product (${pi.join(`|`)}). Omit for all products.`).option(`--budget-usd <amount>`,`Hard budget cap in USD`).option(`--rpm-limit <limit>`,`Requests-per-minute cap`).option(`--expires-in-days <days>`,`Expire the key after N days (integer)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key (overrides configured credentials)`).option(`--base-url <url>`,`Sandbox API base URL (not platform URL)`).option(`--platform-url <url>`,`Override the platform URL (id.tangle.tools)`).action(async(e,t)=>{try{if(t.product!==void 0&&!pi.includes(t.product))throw Error(`Invalid --product. Expected one of ${pi.join(`, `)}`);let n=O({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=mi(t.platformUrl),i=t.expiresInDays===void 0?void 0:new Date(Date.now()+Number.parseInt(t.expiresInDays,10)*24*60*60*1e3).toISOString(),a=L(`Creating API key...`);a.start();let o=await hi(`${r}/v1/keys`,n.apiKey,{method:`POST`,expected:201,body:JSON.stringify({name:e,product:t.product,budgetUsd:t.budgetUsd?Number.parseFloat(t.budgetUsd):void 0,rpmLimit:t.rpmLimit?Number.parseInt(t.rpmLimit,10):void 0,expiresAt:i})});a.stop();let s=await o.json();if(t.json){N(s);return}P(`API key created: ${s.data.prefix}…`),I(`Copy this key now — it will never be shown again:\n${s.data.key}`)}catch(e){H(e)}}),e.command(`revoke`).description(`Revoke an API key`).argument(`<keyId>`,"Key ID (from `tcloud keys list`)").option(`--yes`,`Skip the confirmation prompt`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key (overrides configured credentials)`).option(`--base-url <url>`,`Sandbox API base URL (not platform URL)`).option(`--platform-url <url>`,`Override the platform URL (id.tangle.tools)`).action(async(e,t)=>{try{let n=O({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=mi(t.platformUrl);if(!t.yes&&!await U(`Revoke key ${e}? Any service still using it will start to fail.`)){I(`Aborted.`);return}let i=await(await hi(`${r}/v1/keys/${encodeURIComponent(e)}`,n.apiKey,{method:`DELETE`,expected:200})).json();if(t.json){N(i);return}P(`Revoked ${e}`)}catch(e){H(e)}}),e}function yi(){let e=new t(`mcp`).description(`Model Context Protocol bridge commands.`);return e.command(`serve <id>`).description(`Run a local MCP server (stdio) backed by the given sandbox. Pipe its stdio from an MCP client config to expose sandbox tools.`).option(`-s, --session <id>`,`Session id for kernel scoping`,`mcp-local`).option(`--name <name>`,`MCP server name reported to clients`,`tangle-sandbox`).action(async(e,t)=>{try{let n=await j(O({apiKey:t.apiKey,baseUrl:t.baseUrl})).get(e);if(!n)throw Error(`Sandbox not found: ${e}`);let r;try{r=(await import(`@modelcontextprotocol/sdk/server/stdio.js`)).StdioServerTransport}catch{throw Error("`@modelcontextprotocol/sdk` is not installed in this environment. Install it with: pnpm add -g @modelcontextprotocol/sdk (or as a dev dep in the project running this command).")}let{connect:i,close:a}=await _e(n,{sessionId:t.session,name:t.name});await i(new r),process.stdin.resume(),process.stdin.on(`end`,()=>{a().finally(()=>process.exit(0))});for(let e of[`SIGINT`,`SIGTERM`])process.on(e,()=>{a().finally(()=>process.exit(0))})}catch(e){H(e)}}),e}function bi(){let e=new t(`permissions`).description(`Manage sandbox user permissions`);return e.command(`list <sandboxId>`).description(`List all users in a sandbox`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=j(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=L(`Fetching users...`);r.start();let i=await n.get(e);if(!i)throw r.stop(),Error(`Sandbox ${e} not found`);let a=await i.permissions.list();r.stop(),t.json?N(a):M(a.map(e=>({userId:e.userId,username:e.username,role:e.role,homeDir:e.homeDir,createdAt:e.createdAt.toISOString().split(`T`)[0]})),[{key:`userId`,header:`User ID`,width:20},{key:`username`,header:`Username`,width:16},{key:`role`,header:`Role`,width:12},{key:`homeDir`,header:`Home Directory`,width:24},{key:`createdAt`,header:`Created`,width:16}])}catch(e){H(e)}}),e.command(`get <sandboxId> <userId>`).description(`Get details for a specific user`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=j(O({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=L(`Fetching user...`);i.start();let a=await r.get(e);if(!a)throw i.stop(),Error(`Sandbox ${e} not found`);let o=await a.permissions.get(t);if(i.stop(),!o)throw Error(`User ${t} not found in sandbox ${e}`);n.json?N(o):(I(`User: ${o.userId}`),I(` Username: ${o.username}`),I(` Role: ${o.role}`),I(` Home: ${o.homeDir}`),I(` SSH Keys: ${o.sshKeys.length}`),I(` Created: ${o.createdAt.toISOString()}`))}catch(e){H(e)}}),e.command(`add <sandboxId>`).description(`Add a user to a sandbox`).requiredOption(`--user-id <id>`,`User ID (from your auth system)`).option(`--username <name>`,`Preferred username`).option(`--role <role>`,`Permission level (owner, admin, developer, viewer)`,`developer`).option(`--ssh-key <key>`,`SSH public key for access`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=j(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=L(`Adding user...`);r.start();let i=await n.get(e);if(!i)throw r.stop(),Error(`Sandbox ${e} not found`);let a=await i.permissions.add({userId:t.userId,username:t.username,role:t.role,sshKeys:t.sshKey?[t.sshKey]:void 0});r.stop(),t.json?N(a):(P(`User ${a.userId} added as ${a.role}`),I(` Username: ${a.username}`),I(` Home: ${a.homeDir}`))}catch(e){H(e)}}),e.command(`update <sandboxId> <userId>`).description(`Update a user's permissions`).option(`--role <role>`,`New permission level (owner, admin, developer, viewer)`).option(`--add-ssh-key <key>`,`Add SSH public key`).option(`--remove-ssh-key <key>`,`Remove SSH public key`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=j(O({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=L(`Updating user...`);i.start();let a=await r.get(e);if(!a)throw i.stop(),Error(`Sandbox ${e} not found`);let o=await a.permissions.update(t,{role:n.role,addSshKeys:n.addSshKey?[n.addSshKey]:void 0,removeSshKeys:n.removeSshKey?[n.removeSshKey]:void 0});i.stop(),n.json?N(o):(P(`User ${t} updated`),I(` Role: ${o.role}`),I(` SSH Keys: ${o.sshKeys.length}`))}catch(e){H(e)}}),e.command(`remove <sandboxId> <userId>`).description(`Remove a user from a sandbox`).option(`--preserve-home`,`Keep user's home directory`).option(`-f, --force`,`Skip confirmation`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{if(!n.force){let e=(await import(`node:readline`)).createInterface({input:process.stdin,output:process.stdout});if(!await new Promise(n=>{e.question(`Remove user ${t} from sandbox? [y/N] `,t=>{e.close(),n(t.toLowerCase()===`y`)})})){I(`Cancelled.`);return}}let r=j(O({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=L(`Removing user...`);i.start();let a=await r.get(e);if(!a)throw i.stop(),Error(`Sandbox ${e} not found`);await a.permissions.remove(t,{preserveHomeDir:n.preserveHome}),i.stop(),P(`User ${t} removed from sandbox ${e}`)}catch(e){H(e)}}),e.command(`policies <sandboxId> <userId>`).description(`Get access policies for a user`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=j(O({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=L(`Fetching policies...`);i.start();let a=await r.get(e);if(!a)throw i.stop(),Error(`Sandbox ${e} not found`);let o=await a.permissions.getAccessPolicies(t);i.stop(),n.json?N(o):o.length===0?I(`No access policies configured`):M(o.map(e=>({pattern:e.pattern,permission:e.permission,priority:e.priority??0})),[{key:`pattern`,header:`Pattern`,width:30},{key:`permission`,header:`Permission`,width:12},{key:`priority`,header:`Priority`,width:10}])}catch(e){H(e)}}),e.command(`check <sandboxId> <userId> <path> <action>`).description(`Check if a user can perform an action on a path`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n,r,i)=>{try{if(![`read`,`write`,`execute`].includes(r))throw Error(`Action must be: read, write, or execute`);let a=j(O({apiKey:i.apiKey,baseUrl:i.baseUrl})),o=L(`Checking access...`);o.start();let s=await a.get(e);if(!s)throw o.stop(),Error(`Sandbox ${e} not found`);let c=await s.permissions.checkAccess(t,n,r);o.stop(),c?P(`✓ User ${t} CAN ${r} ${n}`):I(`✗ User ${t} CANNOT ${r} ${n}`)}catch(e){H(e)}}),e}function xi(){let e=new t(`preview`).description(`Manage sandbox preview links`);return e.command(`list`).alias(`ls`).description(`List active preview links for a sandbox`).argument(`<id>`,`Sandbox ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=j(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=L(`Fetching preview links...`);t.json||r.start();let i=await n.get(e);if(!i)throw Error(`Sandbox not found: ${e}`);let a=await i.previewLinks.list();r.stop(),t.json?N(a):a.length===0?console.log(`No preview links found`):V([`Preview ID`,`Port`,`URL`,`Status`],a.map(e=>[e.previewId.slice(0,12),String(e.port),e.url,e.status]))}catch(e){H(e)}}),e.command(`create`).description(`Create a preview link for a port`).argument(`<id>`,`Sandbox ID`).argument(`<port>`,`Port number to preview`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=j(O({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=L(`Creating preview for port ${t}...`);n.json||i.start();let a=await r.get(e);if(!a)throw Error(`Sandbox not found: ${e}`);let o=await a.previewLinks.create(Number.parseInt(t,10));i.stop(),n.json?N(o):(P(`Preview created: ${o.url}`),console.log(`Preview ID: ${o.previewId}`))}catch(e){H(e)}}),e.command(`remove`).alias(`rm`).description(`Remove a preview link`).argument(`<id>`,`Sandbox ID`).argument(`<preview-id>`,`Preview link ID (from 'preview list')`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=j(O({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=L(`Removing preview...`);n.json||i.start();let a=await r.get(e);if(!a)throw Error(`Sandbox not found: ${e}`);await a.previewLinks.remove(t),i.stop(),n.json?N({success:!0,previewId:t}):P(`Preview removed: ${t}`)}catch(e){H(e)}}),e}function Si(){let e=new t(`process`).description(`Manage processes in a sandbox`);return e.command(`spawn`).description(`Spawn a process without blocking (returns PID)`).argument(`<id>`,`Sandbox ID`).argument(`<command>`,`Command to execute`).option(`--cwd <dir>`,`Working directory`).option(`--env <vars...>`,`Environment variables (KEY=VALUE)`).option(`-t, --timeout <ms>`,`Timeout in milliseconds`).option(`--blocking`,`Wait for completion (default: false)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=j(O({apiKey:n.apiKey,baseUrl:n.baseUrl})),i={};if(n.env)for(let e of n.env){let[t,...n]=e.split(`=`);t&&n.length>0&&(i[t]=n.join(`=`))}let a=L(`Spawning: ${t}`);n.json||a.start();let o=await r.get(e);if(!o)throw Error(`Sandbox not found: ${e}`);if(n.blocking){let e=await o.exec(t,{cwd:n.cwd,env:Object.keys(i).length>0?i:void 0,timeoutMs:n.timeout?Number.parseInt(n.timeout,10):void 0});a.stop(),n.json?N(e):(e.stdout&&globalThis.process.stdout.write(e.stdout),e.stderr&&globalThis.process.stderr.write(e.stderr),e.exitCode!==0&&globalThis.process.exit(e.exitCode))}else{let r=await o.process.spawn(t,{cwd:n.cwd,env:Object.keys(i).length>0?i:void 0,timeoutMs:n.timeout?Number.parseInt(n.timeout,10):void 0});a.stop(),n.json?N({pid:r.pid,command:r.command}):(console.log(`Process started with PID: ${r.pid}`),console.log(`Use 'tangle process logs ${e} ${r.pid}' to view output`))}}catch(e){H(e)}}),e.command(`list`).alias(`ls`).description(`List all processes in a sandbox`).argument(`<id>`,`Sandbox ID`).option(`--running`,`Show only running processes`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=j(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=L(`Fetching processes...`);t.json||r.start();let i=await n.get(e);if(!i)throw Error(`Sandbox not found: ${e}`);let a=await i.process.list();t.running&&(a=a.filter(e=>e.running)),r.stop(),t.json?N(a):a.length===0?console.log(`No processes found`):V([`PID`,`Command`,`Status`,`Exit Code`,`Started`],a.map(e=>[String(e.pid),e.command.length>40?`${e.command.slice(0,37)}...`:e.command,e.running?`running`:`exited`,String(e.exitCode),e.startedAt.toLocaleString()]))}catch(e){H(e)}}),e.command(`get`).description(`Get detailed info about a process`).argument(`<id>`,`Sandbox ID`).argument(`<pid>`,`Process ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=j(O({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=L(`Fetching process info...`);n.json||i.start();let a=await r.get(e);if(!a)throw Error(`Sandbox not found: ${e}`);let o=await a.process.get(Number.parseInt(t,10));if(i.stop(),!o){console.error(`Process ${t} not found`),globalThis.process.exit(1);return}let s=await o.status();n.json?N(s):(console.log(`PID: ${s.pid}`),console.log(`Command: ${s.command}`),console.log(`CWD: ${s.cwd||`(default)`}`),console.log(`Status: ${s.running?`running`:`exited`}`),console.log(`Exit Code: ${s.exitCode}`),s.exitSignal&&console.log(`Signal: ${s.exitSignal}`),console.log(`Started: ${s.startedAt.toLocaleString()}`),s.exitedAt&&console.log(`Exited: ${s.exitedAt.toLocaleString()}`))}catch(e){H(e)}}),e.command(`kill`).description(`Kill a process`).argument(`<id>`,`Sandbox ID`).argument(`<pid>`,`Process ID`).option(`-s, --signal <signal>`,`Signal to send (SIGTERM, SIGKILL, etc.)`,`SIGTERM`).option(`--tree`,`Also kill descendants of the tracked process`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=j(O({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=L(`Sending ${n.signal} to PID ${t}...`);n.json||i.start();let a=await r.get(e);if(!a)throw Error(`Sandbox not found: ${e}`);let o=await a.process.get(Number.parseInt(t,10));if(!o){i.stop(),console.error(`Process ${t} not found`),globalThis.process.exit(1);return}n.tree?await o.kill(n.signal,{tree:!0}):await o.kill(n.signal),i.stop(),n.json?N({pid:Number.parseInt(t,10),signal:n.signal,...n.tree===!0?{tree:!0}:{},killed:!0}):console.log(n.tree?`Sent ${n.signal} to process tree ${t}`:`Sent ${n.signal} to process ${t}`)}catch(e){H(e)}}),e.command(`logs`).description(`Stream buffered and live process logs until the process exits`).argument(`<id>`,`Sandbox ID`).argument(`<pid>`,`Process ID`).option(`--stdout-only`,`Only show stdout`).option(`--stderr-only`,`Only show stderr`).option(`--json`,`Output as JSON lines`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=await j(O({apiKey:n.apiKey,baseUrl:n.baseUrl})).get(e);if(!r)throw Error(`Sandbox not found: ${e}`);let i=await r.process.get(Number.parseInt(t,10));if(!i){console.error(`Process ${t} not found`),globalThis.process.exit(1);return}for await(let e of i.logs())n.stdoutOnly&&e.type!==`stdout`||n.stderrOnly&&e.type!==`stderr`||(n.json?console.log(JSON.stringify(e)):e.type===`stdout`?globalThis.process.stdout.write(e.data):globalThis.process.stderr.write(e.data))}catch(e){H(e)}}),e.command(`run-code`).description(`Execute Python code directly`).argument(`<id>`,`Sandbox ID`).argument(`<code>`,`Python code to execute`).option(`--cwd <dir>`,`Working directory`).option(`--env <vars...>`,`Environment variables (KEY=VALUE)`).option(`-t, --timeout <ms>`,`Timeout in milliseconds`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=j(O({apiKey:n.apiKey,baseUrl:n.baseUrl})),i={};if(n.env)for(let e of n.env){let[t,...n]=e.split(`=`);t&&n.length>0&&(i[t]=n.join(`=`))}let a=L(`Executing Python code...`);n.json||a.start();let o=await r.get(e);if(!o)throw Error(`Sandbox not found: ${e}`);let s=await o.process.runCode(t,{cwd:n.cwd,env:Object.keys(i).length>0?i:void 0,timeoutMs:n.timeout?Number.parseInt(n.timeout,10):void 0});a.stop(),n.json?N(s):(s.stdout&&globalThis.process.stdout.write(s.stdout),s.stderr&&globalThis.process.stderr.write(s.stderr),s.exitCode!==0&&globalThis.process.exit(s.exitCode))}catch(e){H(e)}}),e}const Ci=[`python`,`node`,`typescript`,`bash`];function wi(e){switch(ee(e).toLowerCase()){case`.py`:return`python`;case`.js`:case`.mjs`:case`.cjs`:return`node`;case`.ts`:case`.tsx`:return`typescript`;case`.sh`:case`.bash`:return`bash`;default:return}}async function Ti(e){if(e===`-`){let e=[];for await(let t of process.stdin)e.push(typeof t==`string`?Buffer.from(t):t);return Buffer.concat(e).toString(`utf8`)}return await ve(ne(e),`utf8`)}async function Ei(e,t,n=Ti){let r=t?Ci.find(e=>e===t)??(()=>{throw Error(`unknown --lang ${t}: must be one of ${Ci.join(`, `)}`)})():void 0;if(!e||e===`-`){if(!r)throw Error(`reading from stdin requires --lang. Example: tangle run <id> -l python -`);return{language:r,source:await n(`-`)}}let i=wi(e);return{language:r??i??(()=>{throw Error(`cannot infer language from "${e}". Pass it explicitly: tangle run <id> -l <python|node|typescript|bash> ${e}`)})(),source:await n(e)}}function Di(e){return te(fe(),`tangle-run-images`,e)}function Oi(){return new t(`run`).description(`Run code in a persistent kernel inside a sandbox. Variables persist across calls in the same --session.`).argument(`<id>`,`Sandbox ID`).argument(`[file]`,`Path to source file. Language is inferred from extension. Use - for stdin (requires --lang).`).option(`-l, --lang <lang>`,`Force language: ${Ci.join(` | `)}. Required for stdin.`).option(`-s, --session <id>`,`Session id for kernel scoping`).option(`-t, --timeout <ms>`,`Per-call timeout in ms (0 disables)`,`60000`).option(`--save-images <dir>`,`Write image results into this directory (default: $TMPDIR/tangle-run-images/<sandbox>/).`).option(`--no-save-images`,`Don't write image results to disk; print summary only`).option(`--json`,`Output the full CodeExecutionResult as JSON`).action(async(e,t,n)=>{try{let{language:r,source:a}=await Ei(t,n.lang),o=await j(O({apiKey:n.apiKey,baseUrl:n.baseUrl})).get(e);if(!o)throw Error(`Sandbox not found: ${e}`);let c=L(`Running ${r} (${a.length}b)…`);n.json||c.start();let l=await o.runCode(r,a,{sessionId:n.session,timeoutMs:Number.parseInt(n.timeout,10)});if(c.stop(),n.json){N(l),l.exitCode!==0&&process.exit(l.exitCode);return}l.stdout&&process.stdout.write(l.stdout),l.stderr&&process.stderr.write(l.stderr);let d=0;for(let t of l.results)if(t.type===`image`)if(n.saveImages!==!1){let r=typeof n.saveImages==`string`?n.saveImages:Di(e);s(r,{recursive:!0});let a=`${r}/${Date.now()}-${d}.${t.format}`;u(a,Buffer.from(t.data,`base64`)),process.stderr.write(i.green(`✓ image → ${a}\n`)),d++}else process.stderr.write(i.gray(`[image: ${t.format}, ${t.data.length}b base64]\n`));else if(t.type===`dataframe`){let e=t.columns.map(e=>`${e.name}:${e.dtype}`).join(` | `);process.stderr.write(i.gray(`[dataframe ${t.rows.length}×${t.columns.length}${t.truncated?` (truncated)`:``}]\n`)),process.stderr.write(`${e}\n`);for(let e of t.rows.slice(0,20))process.stderr.write(`${e.map(e=>String(e)).join(` | `)}\n`);t.rows.length>20&&process.stderr.write(i.gray(`… ${t.rows.length-20} more rows\n`))}else t.type===`json`?(process.stderr.write(i.gray(`[json] `)),process.stderr.write(`${JSON.stringify(t.value,null,2)}\n`)):t.type===`html`?process.stderr.write(i.gray(`[html ${t.value.length}b]\n`)):t.type===`error`?(process.stderr.write(i.red(`✗ ${t.name}: ${t.message}\n`)),t.traceback&&process.stderr.write(`${t.traceback}\n`)):t.type===`text`&&process.stderr.write(`${t.value}\n`);l.error&&(process.stderr.write(i.red(`\n✗ ${l.error.name}: ${l.error.message}\n`)),l.error.traceback&&process.stderr.write(`${l.error.traceback}\n`)),l.exitCode!==0&&process.exit(l.exitCode)}catch(e){H(e)}})}function ki(e){return`${e.name} (${e.id})`}async function Ai(e,t){if(t.startsWith(`team_`))return e.teams.get(t);let n=(await e.teams.list()).filter(e=>e.name.toLowerCase()===t.toLowerCase());if(n.length===0)throw Error(`Team not found: ${t}`);if(n.length>1)throw Error(`Team name is ambiguous: ${t}. Use a team id instead.`);return n[0]}async function X(e,t,n){if(t)return Ai(e,t);let r=vt(n);if(!r.activeTeamId)throw Error("No active team. Run `tangle team switch <team>` or pass `--team <team>`.");return e.teams.get(r.activeTeamId)}function ji(e,t){yt({id:e.id,name:e.name},t)}function Mi(e){bt(e)}const Ni=[{flag:`--git-token`,guidance:`Use --git-token-env <NAME> or --git-token-stdin so the secret never appears in argv (visible to other processes via /proc/<pid>/cmdline) or in shell history.`},{flag:`--storage-secret-access-key`,guidance:`Use --storage-secret-access-key-env <NAME> or --storage-secret-access-key-stdin so the secret never appears in argv (visible to other processes via /proc/<pid>/cmdline) or in shell history.`},{flag:`--backend-api-key`,guidance:`Use --backend-api-key-env <NAME> or --backend-api-key-stdin so the BYOK secret never appears in argv (visible to other processes via /proc/<pid>/cmdline) or in shell history.`}];function Pi(e){for(let{flag:t,guidance:n}of Ni){let r=`${t}=`;if(e.some(e=>e===t||e.startsWith(r)))throw Error(`Refusing to read secret from ${t} on the command line. ${n}`)}}async function Fi(e){let t=typeof e.envVarName==`string`&&e.envVarName.length>0?e.envVarName:null,n=!!e.fromStdin;if(t&&n)throw Error(`Pass either ${e.flagPrefix}-env or ${e.flagPrefix}-stdin, not both`);if(t){let n=process.env[t];if(!n||n.length===0)throw Error(`${e.flagPrefix}-env points at ${t}, but that environment variable is empty or unset`);return n}if(n){let t=await Jt();if(t.length===0)throw Error(`${e.flagPrefix}-stdin received empty input on stdin`);return t}}function Ii(e){let t=e.split(`/`);return t.length>=2?{provider:t[0],model:t.slice(1).join(`/`)}:{model:e}}function Li(){let e=new t(`sandbox`).description(`Manage sandboxes`);return e.command(`create`).description(`Create a new sandbox`).option(`-n, --name <name>`,`Sandbox name`).option(`-e, --environment <environment>`,`Environment name (e.g. universal, node, python)`).option(`-i, --image <image>`,`Alias for --environment (deprecated)`).option(`--bare`,`Create a bare sandbox without the agent runtime`).option(`--ssh`,`Enable SSH access`).option(`--ssh-key <key>`,`SSH public key for authentication`).option(`--ssh-keys <names...>`,`Stored SSH key names or IDs for authentication`).option(`--ssh-key-file <paths...>`,`SSH public key file paths for authentication`).option(`--web-terminal`,`Enable web terminal`).option(`--env <vars...>`,`Environment variables (KEY=VALUE)`).option(`--secret <names...>`,`Secrets to inject as environment variables`).option(`--metadata <entries...>`,`Metadata entries (KEY=VALUE or KEY=JSON)`).option(`--cpu <cores>`,`CPU cores`,`2`).option(`--memory <mb>`,`Memory in MB`,`4096`).option(`--disk <gb>`,`Disk size in GB`,`20`).option(`--accelerator-kind <kind>`,`Accelerator kind, for example nvidia-h100 or amd-mi300x`).option(`--accelerator-count <count>`,`Accelerator device count`,`1`).option(`--accelerator-memory <mb>`,`Minimum accelerator memory in MB`).option(`--lifetime <seconds>`,`Max lifetime in seconds`,`3600`).option(`--idle-timeout <seconds>`,`Idle timeout in seconds`,`900`).option(`--from-snapshot <id>`,`Create the sandbox from a snapshot`).option(`--public-template <id-or-slug>`,`Create the sandbox from a published public template`).option(`--public-template-version <id>`,`Pin creation to a specific published public-template version`).option(`--team <team>`,`Create in a team by id or name`).option(`--personal`,`Create a personal sandbox even when a team is active`).option(`--port <ports...>`,`Ports to expose at creation time`).option(`--git-url <url>`,`Git repository URL to clone during provisioning`).option(`--git-ref <ref>`,`Git branch, tag, or commit to checkout`).option(`--git-depth <depth>`,`Git clone depth`).option(`--git-sparse <paths...>`,`Sparse checkout paths`).option(`--git-token-env <name>`,`Name of an environment variable containing the Git HTTPS auth token`).option(`--git-token-stdin`,`Read the Git HTTPS auth token from stdin`).option(`--git-token <token>`,`[removed] use --git-token-env or --git-token-stdin`).option(`--tool <specs...>`,`Tool versions to preinstall (NAME=VERSION)`).option(`--storage-type <type>`,`BYOS3 storage type (s3, gcs, r2)`).option(`--storage-bucket <name>`,`BYOS3 bucket name`).option(`--storage-endpoint <url>`,`BYOS3 endpoint URL`).option(`--storage-region <region>`,`BYOS3 region`).option(`--storage-prefix <prefix>`,`BYOS3 path prefix`).option(`--storage-access-key-id <id>`,`BYOS3 access key ID`).option(`--storage-secret-access-key-env <name>`,`Name of an environment variable containing the BYOS3 secret access key`).option(`--storage-secret-access-key-stdin`,`Read the BYOS3 secret access key from stdin`).option(`--storage-secret-access-key <key>`,`[removed] use --storage-secret-access-key-env or --storage-secret-access-key-stdin`).option(`--default-role <role>`,`Default permission role (owner, admin, developer, viewer)`).option(`--initial-user <specs...>`,`Initial users (USER_ID or USER_ID:ROLE)`).option(`--multi-user`,`Enable multi-user permissions at creation`).option(`--driver <type>`,`Infrastructure driver (docker, firecracker, host-agent, tangle)`).option(`--driver-criu`,`Enable CRIU checkpointing (firecracker only)`).option(`--driver-region <region>`,`Preferred region for host-agent driver`).option(`--backend <type>`,`Backend agent type (opencode, claude-code, codex, cursor, amp)`).option(`--backend-profile <name>`,`Backend profile name`).option(`--backend-model <model>`,`Model override (format: provider/model)`).option(`--backend-api-key-env <name>`,`Name of an environment variable containing the BYOK backend API key`).option(`--backend-api-key-stdin`,`Read the BYOK backend API key from stdin`).option(`--backend-api-key <key>`,`[removed] use --backend-api-key-env or --backend-api-key-stdin`).option(`--tee <type>`,`Require a TEE backend (any, tdx, nitro, sev-snp, phala-dstack)`).option(`--sealed`,`Request TEE sealed-secret support`).option(`--attestation-nonce <hex|auto>`,`Deploy-time attestation nonce; use auto to generate one`).option(`--attestation-refresh`,`Generate a fresh deploy-time attestation nonce when --tee is set`).option(`--require-attestation`,`Fail unless TEE attestation evidence is returned`).option(`--block-network`,`Block all outbound network traffic`).option(`--allow-list <cidrs>`,`CIDR allowlist for outbound traffic (comma-separated)`).option(`--wait`,`Wait for sandbox to be running`,!0).option(`--timeout <ms>`,`HTTP timeout in milliseconds`,`30000`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{Pi(process.argv);let t=await Fi({envVarName:e.gitTokenEnv,fromStdin:e.gitTokenStdin,flagPrefix:`--git-token`}),n=await Fi({envVarName:e.storageSecretAccessKeyEnv,fromStdin:e.storageSecretAccessKeyStdin,flagPrefix:`--storage-secret-access-key`}),r=await Fi({envVarName:e.backendApiKeyEnv,fromStdin:e.backendApiKeyStdin,flagPrefix:`--backend-api-key`}),i=O({apiKey:e.apiKey,baseUrl:e.baseUrl,timeout:e.timeout?Number.parseInt(e.timeout,10):void 0}),a=j(i),o=L(`Creating sandbox...`);o.start();let s=await Ki({client:a,explicitTeam:e.team,personal:e.personal,activeTeamId:i.activeTeamId}),l={};if(e.env)for(let t of e.env){let[e,...n]=t.split(`=`);e&&n.length>0&&(l[e]=n.join(`=`))}let u=e.tool?zi(e.tool,`--tool`,`tool spec`):void 0,d=e.metadata?Bi(e.metadata):void 0,f=Ui(e,t),p=Wi(e,n),ee=Gi(e),te=e.port?Hi(e.port,`--port`):void 0,ne=e.driver?{type:e.driver,enableCriu:e.driverCriu||void 0,preferredRegion:e.driverRegion}:void 0,re=e.backend||e.backendProfile||e.backendModel?{type:e.backend??`opencode`,profile:e.backendProfile,model:e.backendModel||r?{...e.backendModel?Ii(e.backendModel):{},apiKey:r}:void 0}:void 0,m=e.blockNetwork||e.allowList||te?{blockOutbound:e.blockNetwork||void 0,allowList:e.allowList?e.allowList.split(`,`).map(e=>e.trim()):void 0,ports:te}:void 0,ie=[...e.sshKey?[e.sshKey]:[],...(e.sshKeyFile??[]).map(e=>c(e,`utf8`).trim())],ae={name:e.name,environment:e.environment??e.image,bare:e.bare||void 0,sshEnabled:e.ssh||!!e.sshKey||ie.length>0||!!e.sshKeys?.length,sshPublicKeys:ie.length>0?ie:void 0,sshKeyIds:e.sshKeys,webTerminalEnabled:e.webTerminal,env:Object.keys(l).length>0?l:void 0,git:f,tools:u,resources:{cpuCores:Number.parseInt(e.cpu,10),memoryMB:Number.parseInt(e.memory,10),diskGB:Number.parseInt(e.disk,10),accelerator:e.acceleratorKind?{kind:Zi(String(e.acceleratorKind)),count:Qi(String(e.acceleratorCount),`--accelerator-count`),memoryMB:e.acceleratorMemory?Qi(String(e.acceleratorMemory),`--accelerator-memory`):void 0}:void 0},maxLifetimeSeconds:Number.parseInt(e.lifetime,10),idleTimeoutSeconds:Number.parseInt(e.idleTimeout,10),storage:p,fromSnapshot:e.fromSnapshot,publicTemplateId:e.publicTemplate,publicTemplateVersionId:e.publicTemplateVersion,teamId:s,secrets:e.secret,metadata:d,driver:ne,backend:re,permissions:ee,network:m},h=e.tee?{tee:e.tee,sealed:e.sealed||void 0,attestationRefresh:e.attestationRefresh||e.attestationNonce===`auto`||void 0}:void 0,g=h?await ce(a,{...ae,confidential:h,attestationNonce:e.attestationNonce??(e.attestationRefresh?`auto`:void 0),requireAttestation:e.requireAttestation??!0}):void 0,_=g?.sandbox??await a.create(ae);e.wait&&(o.text=`Waiting for sandbox to start...`,await _.waitFor(`running`,{timeoutMs:12e4}),await _.refresh()),o.stop(),e.json?N({id:_.id,name:_.name,status:_.status,createdAt:_.createdAt,expiresAt:_.expiresAt,connection:Ri(_.connection),teamId:s,confidential:h,attestation:g?.attestation,attestationNonce:g?.attestationNonce}):(P(`Sandbox created: ${_.id}`),Pt({id:_.id,name:_.name,status:_.status,createdAt:_.createdAt?.toISOString(),expiresAt:_.expiresAt?.toISOString(),connection:_.connection}),s&&console.log(`Team: ${s}`),h&&(console.log(`TEE: ${h.tee}`),console.log(`Attestation: ${g?.attestation?`present`:`not returned`}`),g?.attestationNonce&&console.log(`Attestation nonce: ${g.attestationNonce}`)))}catch(e){H(e)}}),e.command(`attestation <id>`).description(`Fetch TEE attestation evidence for a sandbox`).option(`--nonce <hex|auto>`,`Nonce to bind into a fresh attestation report; use auto to generate one`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=j(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=t.nonce===`auto`?le():t.nonce,i=L(`Fetching TEE attestation...`);i.start();let a=await n.get(e);if(!a)throw Error(`Sandbox not found: ${e}`);let o=await a.getTeeAttestation(r?{attestationNonce:r}:void 0);i.stop(),t.json?N(o):(P(`Attestation fetched for ${e}`),console.log(`TEE type: ${o.attestation.tee_type}`),console.log(`Evidence bytes: ${o.attestation.evidence.length}`),console.log(`Measurement bytes: ${o.attestation.measurement.length}`),console.log(`Timestamp: ${o.attestation.timestamp}`),o.attestationNonce&&console.log(`Nonce: ${o.attestationNonce}`))}catch(e){H(e)}}),e.command(`list`).description(`List all sandboxes`).option(`-s, --status <status>`,`Filter by status (running, stopped, all)`).option(`-l, --limit <n>`,`Limit results`,`50`).option(`--team <team>`,`List sandboxes for a team by id or name`).option(`--personal`,`List personal sandboxes`).option(`--all-scopes`,`List personal and team sandboxes`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=O({apiKey:e.apiKey,baseUrl:e.baseUrl}),n=j(t),r=L(`Fetching sandboxes...`);r.start();let i=await qi({client:n,explicitTeam:e.team,personal:e.personal,allScopes:e.allScopes,activeTeamId:t.activeTeamId}),a=await n.list({status:e.status===`all`?void 0:e.status,limit:Number.parseInt(e.limit,10),scope:i});r.stop(),e.json?N(a):M(a.map(e=>({id:e.id,status:e.status,createdAt:e.createdAt,name:e.name??``})),[{key:`id`,header:`ID`,width:24},{key:`status`,header:`Status`,width:14},{key:`createdAt`,header:`Created`,width:16},{key:`name`,header:`Name`,width:20}])}catch(e){H(e)}}),e.command(`get <id>`).description(`Get sandbox details`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=j(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=L(`Fetching sandbox...`);r.start();let i=await n.get(e);if(r.stop(),!i)throw Error(`Sandbox not found: ${e}`);t.json?N(i):Pt({id:i.id,name:i.name,status:i.status,createdAt:i.createdAt?.toISOString(),expiresAt:i.expiresAt?.toISOString(),connection:i.connection})}catch(e){H(e)}}),e.command(`delete <id>`).description(`Delete a sandbox`).option(`-f, --force`,`Skip confirmation`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{if(!t.force){let t=(await import(`node:readline`)).createInterface({input:process.stdin,output:process.stdout});if(!await new Promise(n=>{t.question(`Delete sandbox ${e}? [y/N] `,e=>{t.close(),n(e.toLowerCase()===`y`)})})){I(`Cancelled.`);return}}let n=j(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=L(`Deleting sandbox...`);r.start();let i=await n.get(e);if(!i)throw Error(`Sandbox not found: ${e}`);await i.delete(),r.stop(),P(`Sandbox ${e} deleted.`)}catch(e){H(e)}}),e.command(`stop <id>`).description(`Stop a running sandbox`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=j(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=L(`Stopping sandbox...`);r.start();let i=await n.get(e);if(!i)throw Error(`Sandbox not found: ${e}`);await i.stop(),r.stop(),P(`Sandbox ${e} stopped.`)}catch(e){H(e)}}),e.command(`resume <id>`).description(`Resume a stopped sandbox`).option(`--wait`,`Wait for sandbox to be running`,!0).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=j(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=L(`Resuming sandbox...`);r.start();let i=await n.get(e);if(!i)throw Error(`Sandbox not found: ${e}`);await i.resume(),t.wait&&(r.text=`Waiting for sandbox to start...`,await i.waitFor(`running`,{timeoutMs:12e4})),r.stop(),P(`Sandbox ${e} resumed.`)}catch(e){H(e)}}),e.command(`network <id>`).description(`Update network configuration for a sandbox`).option(`--block-outbound`,`Block all outbound network traffic`).option(`--allow-list <cidrs>`,`CIDR allowlist for outbound traffic (comma-separated)`).option(`--clear`,`Clear all network restrictions (allow all traffic)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=j(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=L(`Updating network configuration...`);r.start();let i=await n.get(e);if(!i)throw Error(`Sandbox not found: ${e}`);if(t.clear)await i.network.update({blockOutbound:!1,allowList:[]});else if(t.blockOutbound)await i.network.update({blockOutbound:!0});else if(t.allowList){let e=t.allowList.split(`,`).map(e=>e.trim());await i.network.update({allowList:e})}else{r.stop();let e=await i.network.getConfig();t.json?N(e):(I(`Network Configuration:`),e.blockOutbound?I(` Block Outbound: true (all outbound traffic blocked)`):e.allowList&&e.allowList.length>0?I(` Allow List: ${e.allowList.join(`, `)}`):I(` No restrictions (all traffic allowed)`),e.ports&&e.ports.length>0&&I(` Exposed Ports: ${e.ports.join(`, `)}`));return}r.stop();let a=await i.network.getConfig();t.json?N(a):(P(`Network configuration updated.`),a.blockOutbound?I(` Block Outbound: true`):a.allowList&&a.allowList.length>0?I(` Allow List: ${a.allowList.join(`, `)}`):I(` All traffic allowed`))}catch(e){H(e)}}),e.command(`expose <id>`).description(`Expose a port and get a public URL`).option(`-p, --port <port>`,`Port to expose`,`8000`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=j(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=Number.parseInt(t.port,10);if(Number.isNaN(r)||r<1||r>65535)throw Error(`Port must be a number between 1 and 65535`);let i=L(`Exposing port ${r}...`);i.start();let a=await n.get(e);if(!a)throw Error(`Sandbox not found: ${e}`);let o=await a.network.exposePort(r);i.stop(),t.json?N({port:r,url:o}):(P(`Port ${r} exposed.`),I(` URL: ${o}`))}catch(e){H(e)}}),e.command(`urls <id>`).description(`List exposed port URLs for a sandbox`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=j(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=L(`Fetching exposed URLs...`);r.start();let i=await n.get(e);if(!i)throw Error(`Sandbox not found: ${e}`);let a=await i.network.listUrls();if(r.stop(),t.json)N(a);else{let e=Object.entries(a);if(e.length===0)I(`No ports exposed.`);else{I(`Exposed Ports:`);for(let[t,n]of e)I(` ${t}: ${n}`)}}}catch(e){H(e)}}),e}function Ri(e){return!e||e.authToken===void 0?e:{...e,authToken:`[REDACTED]`}}function zi(e,t,n){let r={};for(let i of e){let[e,...a]=i.split(`=`);if(!e||a.length===0)throw Error(`${t} expects ${n} values in KEY=VALUE format`);r[e]=a.join(`=`)}return r}function Bi(e){let t={};for(let n of e){let[e,...r]=n.split(`=`);if(!e||r.length===0)throw Error(`--metadata expects values in KEY=VALUE or KEY=JSON format`);t[e]=Vi(r.join(`=`))}return t}function Vi(e){try{return JSON.parse(e)}catch{return e}}function Hi(e,t){return e.map(e=>{let n=Number.parseInt(e,10);if(Number.isNaN(n)||n<1||n>65535)throw Error(`${t} values must be integers between 1 and 65535`);return n})}function Ui(e,t){if(!(!e.gitUrl&&!e.gitRef&&!e.gitDepth&&!e.gitSparse&&!t)){if(!e.gitUrl||typeof e.gitUrl!=`string`)throw Error(`--git-url is required when using git provisioning options`);return{url:e.gitUrl,ref:typeof e.gitRef==`string`?e.gitRef:void 0,depth:typeof e.gitDepth==`string`?Qi(e.gitDepth,`--git-depth`):void 0,sparse:Array.isArray(e.gitSparse)?e.gitSparse:void 0,auth:t?{token:t}:void 0}}}function Wi(e,t){if(!(!e.storageType&&!e.storageBucket&&!e.storageEndpoint&&!e.storageRegion&&!e.storagePrefix&&!e.storageAccessKeyId&&!t)){if(typeof e.storageType!=`string`||typeof e.storageBucket!=`string`||typeof e.storageAccessKeyId!=`string`||!t)throw Error(`Storage config requires --storage-type, --storage-bucket, --storage-access-key-id, and one of --storage-secret-access-key-env / --storage-secret-access-key-stdin`);return{type:Xi(e.storageType),bucket:e.storageBucket,endpoint:typeof e.storageEndpoint==`string`?e.storageEndpoint:void 0,region:typeof e.storageRegion==`string`?e.storageRegion:void 0,prefix:typeof e.storagePrefix==`string`?e.storagePrefix:void 0,credentials:{accessKeyId:e.storageAccessKeyId,secretAccessKey:t}}}}function Gi(e){let t=Array.isArray(e.initialUser)?e.initialUser.map(Ji):void 0,n=typeof e.defaultRole==`string`?Yi(e.defaultRole):void 0,r=e.multiUser?!0:void 0;if(!(!n&&!t&&!r))return{defaultRole:n,initialUsers:t,multiUser:r}}async function Ki(e){if(e.explicitTeam&&e.personal)throw Error(`--team and --personal cannot be used together`);if(!e.personal)return e.explicitTeam?(await Ai(e.client,e.explicitTeam)).id:e.activeTeamId}async function qi(e){if([!!e.explicitTeam,!!e.personal,!!e.allScopes].filter(Boolean).length>1)throw Error(`--team, --personal, and --all-scopes are mutually exclusive`);if(e.allScopes)return`all`;if(e.personal)return`personal`;if(e.explicitTeam)return`team:${(await Ai(e.client,e.explicitTeam)).id}`;if(e.activeTeamId)return`team:${e.activeTeamId}`}function Ji(e){let[t,n]=e.split(`:`);if(!t)throw Error(`--initial-user expects USER_ID or USER_ID:ROLE`);return{userId:t,role:n?Yi(n):void 0}}function Yi(e){if(e===`owner`||e===`admin`||e===`developer`||e===`viewer`)return e;throw Error(`--default-role and --initial-user roles must be one of owner, admin, developer, viewer`)}function Xi(e){if(e===`s3`||e===`gcs`||e===`r2`)return e;throw Error(`--storage-type must be one of s3, gcs, or r2`)}function Zi(e){let t=e.trim().toLowerCase();if(/^[a-z0-9][a-z0-9._-]*$/.test(t))return t;throw Error(`--accelerator-kind must contain only letters, numbers, dots, underscores, or hyphens`)}function Qi(e,t){let n=Number.parseInt(e,10);if(Number.isNaN(n)||n<1)throw Error(`${t} must be a positive integer`);return n}function $i(){return new t(`search`).description(`Search for text patterns in sandbox files (ripgrep)`).argument(`<id>`,`Sandbox ID`).argument(`<pattern>`,`Search pattern (regex)`).option(`-g, --glob <pattern>`,`File glob filter (e.g. '**/*.ts')`).option(`-n, --max-results <count>`,`Max results to return`).option(`-i, --ignore-case`,`Case-insensitive search`).option(`--json`,`Output as JSON lines`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=j(O({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=L(`Searching...`);n.json||i.start();let a=await r.get(e);if(!a)throw Error(`Sandbox not found: ${e}`);let o=0,s=n.maxResults?Number.parseInt(n.maxResults,10):void 0,c={};n.glob&&(c.glob=n.glob),n.ignoreCase&&(c.ignoreCase=!0),s&&(c.maxResults=s);for await(let e of a.search(t,c))if(o===0&&i.stop(),o++,n.json?console.log(JSON.stringify(e)):console.log(`${e.path}:${e.line}:${e.column??0}: ${e.text}`),s&&o>=s)break;i.stop(),o===0&&!n.json&&console.log(`No matches found`)}catch(e){H(e)}})}function ea(){let e=new t(`secret`).description(`Manage secrets`);return e.command(`create`).description(`Create a new secret`).argument(`<name>`,`Secret name (e.g., HF_TOKEN, AWS_ACCESS_KEY)`).argument(`[value]`,`Secret value`).option(`--value-stdin`,`Read secret value from stdin`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=j(O({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=await ta({value:t,valueStdin:n.valueStdin,prompt:`Enter value for secret '${e}': `}),a=L(`Creating secret...`);a.start();let o=await r.secrets.create(e,i);a.stop(),n.json?N({name:o.name,createdAt:o.createdAt.toISOString(),updatedAt:o.updatedAt.toISOString()}):(P(`Secret created: ${o.name}`),I(`Use --secrets ${o.name} when creating a sandbox to inject it as an environment variable.`))}catch(e){H(e)}}),e.command(`list`).description(`List all secrets`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=j(O({apiKey:e.apiKey,baseUrl:e.baseUrl})),n=L(`Fetching secrets...`);n.start();let r=await t.secrets.list();n.stop(),e.json?N(r.map(e=>({name:e.name,createdAt:e.createdAt.toISOString(),updatedAt:e.updatedAt.toISOString()}))):r.length===0?(I(`No secrets found.`),I(`Use 'tangle secret create <name> [value]' to create one.`)):V([`Name`,`Created At`,`Updated At`],r.map(e=>[e.name,e.createdAt.toLocaleString(),e.updatedAt.toLocaleString()]))}catch(e){H(e)}}),e.command(`show`).description(`Show a secret value (requires --reveal to print plaintext)`).argument(`<name>`,`Secret name`).option(`--reveal`,`Print the plaintext secret value to stdout. Without this flag the command exits with a redaction notice.`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{if(!t.reveal){process.stderr.write(`Refusing to print secret '${e}' as plaintext. Re-run with --reveal to confirm and write the value to stdout.
|
|
137
|
+
`),process.exitCode=1;return}let n=j(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=L(`Fetching secret...`);r.start();let i=await n.secrets.get(e);r.stop(),process.stderr.write(`WARNING: secret '${e}' is being printed in plaintext. Avoid storing this output in shell history, screenshots, or logs.
|
|
138
|
+
`),t.json?N({name:e,value:i}):console.log(i)}catch(e){H(e)}}),e.command(`update`).description(`Update a secret value`).argument(`<name>`,`Secret name`).argument(`[value]`,`New secret value`).option(`--value-stdin`,`Read secret value from stdin`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=j(O({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=await ta({value:t,valueStdin:n.valueStdin,prompt:`Enter new value for secret '${e}': `}),a=L(`Updating secret...`);a.start();let o=await r.secrets.update(e,i);a.stop(),n.json?N({name:o.name,createdAt:o.createdAt.toISOString(),updatedAt:o.updatedAt.toISOString()}):P(`Secret updated: ${o.name}`)}catch(e){H(e)}}),e.command(`delete`).description(`Delete a secret`).argument(`<name>`,`Secret name`).option(`--force`,`Skip confirmation prompt`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=j(O({apiKey:t.apiKey,baseUrl:t.baseUrl}));if(!t.force&&!await U(`Are you sure you want to delete secret '${e}'? This cannot be undone. (y/N) `)){I(`Cancelled.`);return}let r=L(`Deleting secret...`);r.start(),await n.secrets.delete(e),r.stop(),t.json?N({success:!0,deleted:e}):P(`Secret deleted: ${e}`)}catch(e){H(e)}}),e}async function ta(e){if(e.value!==void 0&&e.valueStdin)throw Error(`Provide either a secret value argument or --value-stdin, not both`);if(e.value!==void 0){if(e.value.length===0)throw Error(`Secret value cannot be empty`);return e.value}if(e.valueStdin){let e=await Jt();if(e.length===0)throw Error(`Secret value from stdin cannot be empty`);return e}let t=await qt(e.prompt);if(t.length===0)throw Error(`Secret value cannot be empty`);return t}function na(){let e=new t(`skill`).description(`Print paths to shipped skill documentation`);return e.command(`path`).description(`Print the absolute path to the SKILL.md shipped with this CLI`).action(()=>{let e=d.dirname(ye(import.meta.url)),t=d.resolve(e,`..`,`SKILL.md`);console.log(t)}),e}function ra(){let e=new t(`snapshot`).description(`Manage snapshots`);return e.command(`create <sandbox-id>`).description(`Create a snapshot of a sandbox`).option(`--tags <tags...>`,`Tags for the snapshot`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=j(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=L(`Creating snapshot...`);r.start();let i=await n.get(e);if(!i)throw Error(`Sandbox not found: ${e}`);let a=await i.snapshot({tags:t.tags});r.stop(),t.json?N(a):(P(`Snapshot created: ${a.snapshotId}`),console.log(`Size: ${ia(a.sizeBytes??0)}`))}catch(e){H(e)}}),e.command(`list <sandbox-id>`).description(`List snapshots for a sandbox`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=j(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=L(`Fetching snapshots...`);r.start();let i=await n.get(e);if(!i)throw Error(`Sandbox not found: ${e}`);let a=await i.listSnapshots();r.stop(),t.json?N(a):M(a.map(e=>({...e,size:ia(e.sizeBytes??0)})),[{key:`snapshotId`,header:`ID`,width:24},{key:`createdAt`,header:`Created`,width:16},{key:`size`,header:`Size`,width:12},{key:`sandboxId`,header:`Sandbox`,width:20}])}catch(e){H(e)}}),e.command(`restore <sandbox-id> <snapshot-id>`).description(`Create a new sandbox from a snapshot`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=j(O({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=L(`Restoring from snapshot...`);i.start();let a=await r.create({fromSnapshot:t,fromSandboxId:e});await a.waitFor(`running`,{timeoutMs:12e4}),i.stop(),n.json?N({sandboxId:a.id,restoredFrom:t,status:a.status}):(P(`New sandbox created: ${a.id}`),console.log(`Source snapshot: ${t}`))}catch(e){H(e)}}),e.command(`revert <sandbox-id> <snapshot-id>`).description(`Revert an existing sandbox to a snapshot`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=j(O({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=L(`Reverting sandbox to snapshot...`);i.start();let a=await r.get(e);if(!a)throw Error(`Sandbox not found: ${e}`);let o=await a.revertToSnapshot(t);await a.refresh(),i.stop(),n.json?N({sandboxId:a.id,snapshotId:o.snapshotId,status:a.status}):(P(`Sandbox reverted: ${a.id}`),console.log(`Source snapshot: ${o.snapshotId}`))}catch(e){H(e)}}),e.command(`delete <sandbox-id> <snapshot-id>`).description(`Delete a sandbox snapshot`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=j(O({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=L(`Deleting snapshot...`);i.start();let a=await r.get(e);if(!a)throw Error(`Sandbox not found: ${e}`);await a.deleteSnapshot(t),i.stop(),n.json?N({success:!0,sandboxId:e,snapshotId:t}):P(`Snapshot deleted: ${t}`)}catch(e){H(e)}}),e}function ia(e){if(e===0)return`0 B`;let t=1024,n=[`B`,`KB`,`MB`,`GB`,`TB`],r=Math.floor(Math.log(e)/Math.log(t));return`${Number.parseFloat((e/t**r).toFixed(1))} ${n[r]}`}function aa(e,t){return`tangle ssh-proxy ${e.replace(/\/+$/,``)}/v1/sidecar-proxy/${t}/ssh`}function oa(e){return/^[A-Za-z0-9_/:=@%+.,-]+$/.test(e)?e:`'${e.replace(/'/g,`'"'"'`)}'`}function sa(e){return`'${e.replace(/'/g,`''`)}'`}function ca(e){return e===`win32`?`NUL`:`/dev/null`}function la(e,t){return t===`win32`?`$env:TANGLE_SSH_PROXY_AUTH_TOKEN=${sa(`<token>`)}; ssh ${e.map(sa).join(` `)}`:`TANGLE_SSH_PROXY_AUTH_TOKEN=${oa(`<token>`)} ssh ${e.map(oa).join(` `)}`}function ua(e){return e instanceof Date?e.toISOString():String(e)}function da(e,t){return`Sandbox name is ambiguous: ${e}. Use a sandbox id instead.\n${t.map(e=>`- ${e.id} (status: ${e.status}, created: ${ua(e.createdAt)})`).join(`
|
|
139
|
+
`)}`}function fa(e){return e.activeTeamId?`team:${e.activeTeamId}`:void 0}async function pa(e,t,n){let r=await e.get(n);if(r||n.startsWith(`sandbox-`)){if(!r)throw Error(`Sandbox not found: ${n}`);return r}let i=(await e.list({scope:fa(t)})).filter(e=>e.name?.toLowerCase()===n.toLowerCase());if(i.length===0)throw Error(`Sandbox not found: ${n}`);if(i.length>1)throw Error(da(n,i));return i[0]}async function ma(e){if(e.status===`stopped`){I(`Sandbox ${e.id} is stopped. Resuming...`);try{await e.resume(),await e.waitFor(`running`,{timeoutMs:12e4})}catch(t){let n=t instanceof Error?t.message:String(t);throw Error(`Failed to resume sandbox ${e.id}: ${n}. Run \`tangle sandbox resume ${e.id}\` and retry SSH.`)}}}function ha(e){return e.connection!==void 0&&!e.connection.ssh}function ga(){F(`SSH is not enabled for this sandbox.`),I(`Create a sandbox with --ssh to enable SSH access.`),process.exit(1)}function _a(e,t=[],n=process.platform){let r=ca(n);return[`-o`,`ProxyCommand=${e.proxyCommand}`,`-o`,`StrictHostKeyChecking=no`,`-o`,`UserKnownHostsFile=${r}`,`-o`,`GlobalKnownHostsFile=${r}`,`-o`,`LogLevel=ERROR`,`-o`,`ServerAliveInterval=15`,`-o`,`ServerAliveCountMax=4`,`-o`,`TCPKeepAlive=yes`,`${e.username}@localhost`,`-p`,String(e.port),...t]}function va(){return new t(`ssh`).description(`Open SSH session to a sandbox`).argument(`<ref>`,`Sandbox ID or name`).argument(`[sshArgs...]`,`Extra args passed through to ssh`).option(`-i, --identity-file <path>`,`Private key file to pass to ssh`).option(`--print`,`Print SSH command instead of connecting`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).allowUnknownOption(!0).action(async(e,t,n)=>{try{let r=O({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=j(r),a=L(`Getting SSH credentials...`);a.start();let o=await pa(i,r,e);if(ha(o)){a.stop(),ga();return}await ma(o);let s=await o.ssh();if(a.stop(),!s){ga();return}let c={...s,proxyCommand:aa(r.baseUrl,o.id)};if(!r.apiKey)throw Error(`SSH proxy requires API key auth. Set TANGLE_API_KEY or pass --api-key.`);let l=_a(c,[...n.identityFile?[`-i`,n.identityFile,`-o`,`IdentitiesOnly=yes`]:[],...t]);if(n.print){console.log(la(l,process.platform));return}I(`Connecting via tunnel...`);let u=pe(`ssh`,l,{stdio:`inherit`,env:{...process.env,TANGLE_SSH_PROXY_AUTH_TOKEN:r.apiKey}});u.on(`error`,e=>{e.code===`ENOENT`&&(F(`SSH client not found. Please install OpenSSH.`),process.exit(1)),H(e)}),u.on(`exit`,e=>{process.exit(e??0)})}catch(e){H(e)}})}function ya(){let e=new t(`ssh-keys`).description(`Manage SSH keys`);return e.command(`list`).description(`List SSH keys`).option(`--json`,`Output as JSON`).action(async e=>{let t=L(`Fetching SSH keys...`);try{t.start();let n=await j(O(e)).sshKeys.list();t.stop(),e.json?N({sshKeys:n}):n.length===0?I(`No SSH keys found.`):V([`Name`,`Type`,`Fingerprint`,`Created`],n.map(e=>[e.name,e.keyType,e.fingerprint,e.createdAt.toLocaleString()]))}catch(e){t.stop(),H(e)}}),e.command(`add`).description(`Add SSH key`).argument(`<name>`,`SSH key name`).requiredOption(`--key-file <path>`,`Public key file path`).option(`--json`,`Output as JSON`).action(async(e,t)=>{let n=L(`Adding SSH key...`);try{let r=c(t.keyFile,`utf8`).trim();n.start();let i=await j(O(t)).sshKeys.create(e,r);n.stop(),t.json?N({sshKey:i}):P(`Added SSH key ${i.name} (${i.fingerprint})`)}catch(e){n.stop(),H(e)}}),e.command(`delete`).description(`Delete SSH key`).argument(`<name>`,`SSH key name or ID`).action(async(e,t)=>{let n=L(`Deleting SSH key...`);try{n.start(),await j(O(t)).sshKeys.delete(e),n.stop(),P(`Deleted SSH key ${e}`)}catch(e){n.stop(),H(e)}}),e}function ba(e,t=1){process.stderr.write(`${e}\n`),process.exit(t)}function xa(){return new t(`ssh-proxy`).description(`SSH proxy helper — pipes stdin/stdout to WebSocket`).argument(`<sidecar-url>`,`Sidecar WebSocket URL`).action(async e=>{let t=process.env.TANGLE_SSH_PROXY_AUTH_TOKEN;t||ba(`TANGLE_SSH_PROXY_AUTH_TOKEN not set`);let n=new be(new URL(e.replace(/^http/,`ws`)),{headers:{Authorization:`Bearer ${t}`},perMessageDeflate:!1}),r;function i(){r&&=(clearInterval(r),void 0)}n.on(`open`,()=>{r=setInterval(()=>{n.readyState===be.OPEN&&n.ping()},15e3),r.unref?.(),process.stdin.on(`data`,e=>{n.readyState===be.OPEN&&n.send(e,{binary:!0,compress:!1})}),process.stdin.on(`end`,()=>n.close(1e3))}),n.on(`message`,e=>{let t=Buffer.isBuffer(e)?e:Array.isArray(e)?Buffer.concat(e):Buffer.from(e);process.stdout.write(t)}),n.on(`error`,e=>{i(),ba(`WebSocket error: ${e.message}`)}),n.on(`close`,e=>{i(),process.exit(e===1e3?0:1)}),process.stdin.on(`error`,()=>n.close())})}const Sa=[`claude-code`,`opencode`,`codex`,`kimi-code`],Ca=[`session`,`project`,`read-only`],wa={min:1,max:15},Ta=process.env.TANGLE_ROUTER_URL??`https://router.tangle.tools/v1`;function Ea(e){let t=e.harness??`claude-code`;if(!Sa.includes(t))throw Error(`Unknown --harness '${t}'. Supported: ${Sa.join(`, `)}.`);let n=e.tokenScope??`session`;if(!Ca.includes(n))throw Error(`Unknown --token-scope '${n}'. Supported: ${Ca.join(`, `)}.`);let r=Da(e.maxTokens,2e5,`--max-tokens`),i=Da(e.maxIterations,50,`--max-iterations`),a=Da(e.tokenTtl,10,`--token-ttl`);if(a<wa.min||a>wa.max)throw Error(`--token-ttl ${a} out of range; the SDK clamps to [${wa.min}, ${wa.max}] minutes.`);let o=e.maxWorkers===void 0?void 0:Da(e.maxWorkers,0,`--max-workers`);return{harness:t,...e.model?{model:e.model}:{},maxTokens:r,maxIterations:i,tokenScope:n,tokenTtl:a,...o===void 0?{}:{maxWorkers:o}}}function Da(e,t,n){if(e===void 0)return t;let r=Number.parseInt(e,10);if(!Number.isFinite(r)||r<=0)throw Error(`${n} must be a positive integer, got '${e}'.`);return r}function Oa(e){let t={maxTokens:e.maxTokens,maxIterations:e.maxIterations};return e.maxWorkers===void 0?{budget:t}:{budget:t,perWorker:{maxTokens:Math.max(1,Math.floor(e.maxTokens/e.maxWorkers)),maxIterations:Math.max(1,Math.floor(e.maxIterations/e.maxWorkers))}}}function ka(e){let{client:t,scope:n,ttlMinutes:i,onScope:a}=e,o={async create(o){let s=await t.create(Aa(o)),c={scope:n,ttlMinutes:i,...n===`session`?{sessionId:e.sessionIdFor?.(s)??`supervise-${r()}`}:{}},l=await s.mintScopedToken(c);return a({id:s.id,scope:l.scope,expiresAt:l.expiresAt,status:`spawned`}),s}};return typeof t.criuStatus==`function`&&(o.criuStatus=t.criuStatus.bind(t)),o}function Aa(e){if(!e?.env)return e;let{TANGLE_API_KEY:t,SANDBOX_API_KEY:n,...r}=e.env;return{...e,env:r}}function ja(e){if(e.kind===`no-winner`)return{text:``,tokenUsage:{input:0,output:0},costUsd:0,status:`no-winner (${e.reason})`};let t=e.out;return{text:typeof t==`string`?t:Ma(t)?t.content:JSON.stringify(t),tokenUsage:{input:e.spentTotal.tokens.input,output:e.spentTotal.tokens.output},costUsd:e.spentTotal.usd,status:`winner`}}function Ma(e){return typeof e==`object`&&!!e&&typeof e.content==`string`}const Na={makeClient:e=>j(O({apiKey:e.apiKey,baseUrl:e.baseUrl})),resolveRouter:e=>({routerBaseUrl:Ta,routerKey:O({apiKey:e.apiKey}).apiKey,model:e.model}),supervise:xe};async function Pa(e,t,n,i=Na){let a=i.makeClient({apiKey:n.apiKey,baseUrl:n.baseUrl}),{budget:o,perWorker:s}=Oa(t),c=[],l=ka({client:a,scope:t.tokenScope,ttlMinutes:t.tokenTtl,onScope:e=>{if(c.push(e),!n.json){let n=`ttl ${t.tokenTtl}m`;I(`worker ${e.id} [${e.scope} token ${n}] spawned`)}}}),u=Se({backend:`sandbox`,harness:t.harness,sandboxClient:l,maxIterations:1}),d={name:`supervisor`,...t.model?{model:t.model}:{}},f=i.resolveRouter({apiKey:n.apiKey,model:t.model??`deepseek-v4-flash`}),p=ja(await i.supervise(d,{goal:e},{budget:o,makeWorkerAgent:u,router:f,...s?{perWorker:s}:{},...t.model?{allowedModels:[t.model]}:{},runId:`supervise-${r()}`})),ee=p.status===`winner`?`settled`:`failed`;for(let e of c)e.status=ee,n.json||I(`worker ${e.id} [${e.scope} token ttl ${t.tokenTtl}m] settled (${e.status})`);return{task:e,result:p.text,workers:c,tokenUsage:p.tokenUsage,costUsd:p.costUsd,status:p.status}}function Fa(){let e=new t(`supervise`);return e.description(`Run a budget-conserving supervisor that spawns isolated sandbox workers to deliver a task. Each worker box mints a short-lived scoped token instead of receiving the root API key.`).argument(`<task>`,`What the supervisor should accomplish`).option(`--harness <name>`,`Worker harness (${Sa.join(` | `)})`,`claude-code`).option(`--model <id>`,`Model for the supervisor + workers`).option(`--max-tokens <n>`,`Conserved token budget for the whole run`,`200000`).option(`--max-iterations <n>`,`Conserved iteration budget for the whole run`,`50`).option(`--token-scope <scope>`,`Per-worker token scope (${Ca.join(` | `)})`,`session`).option(`--token-ttl <min>`,`Per-worker token TTL in minutes (SDK clamps to [1, 15])`,`10`).option(`--max-workers <n>`,`Bound the fanout; each worker reserves floor(max-tokens / n) tokens and floor(max-iterations / n) iterations`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=Ea({harness:t.harness,model:t.model,maxTokens:t.maxTokens,maxIterations:t.maxIterations,tokenScope:t.tokenScope,tokenTtl:t.tokenTtl,maxWorkers:t.maxWorkers});t.json||(I(`Supervising: ${e}`),I(`harness=${n.harness} budget=${n.maxTokens}tok/${n.maxIterations}it scope=${n.tokenScope} ttl=${n.tokenTtl}m`),console.log());let r=await Pa(e,n,{apiKey:t.apiKey,baseUrl:t.baseUrl,json:t.json});if(t.json){N(r),r.status!==`winner`&&(process.exitCode=1);return}if(console.log(),r.status!==`winner`)throw Error(`Supervisor finished without a winner: ${r.status}`);console.log(r.result),console.log(),R({"Input Tokens":r.tokenUsage.input,"Output Tokens":r.tokenUsage.output,Cost:`$${r.costUsd.toFixed(4)}`})}catch(e){H(e,t.json)}}),e}function Ia(){let e=new t(`team`).description(`Manage teams`);return e.command(`list`).description(`List teams for the current account`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async e=>{try{let t=O(e),n=j(t),r=e.json?null:L(`Fetching teams...`);r?.start();let i=await n.teams.list();if(r?.stop(),e.json){N({teams:i,activeTeamId:t.activeTeamId??null});return}M(i.map(e=>({active:e.id===t.activeTeamId,id:e.id,name:e.name,role:e.currentUserRole,members:e.memberCount})),[{key:`active`,header:`Active`,width:8},{key:`id`,header:`ID`,width:38},{key:`name`,header:`Name`,width:24},{key:`role`,header:`Role`,width:10},{key:`members`,header:`Members`,width:10}])}catch(e){H(e)}}),e.command(`create <name>`).description(`Create a team`).option(`--org-id <id>`,`External organization id`).option(`--no-switch`,`Do not set the new team as active`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=O(t),r=j(n),i=t.json?null:L(`Creating team...`);i?.start();let a=await r.teams.create({name:e,orgId:t.orgId});if(t.switch&&ji(a,n.profile),i?.stop(),t.json){N({team:a,active:!!t.switch});return}P(`Team created: ${ki(a)}`),t.switch&&P(`Active team set to ${a.name}`)}catch(e){H(e)}}),e.command(`switch <team>`).description(`Set the active team for the current profile`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=O(t),r=await Ai(j(n),e);if(ji(r,n.profile),t.json){N({team:r,activeTeamId:r.id});return}P(`Active team set to ${ki(r)}`)}catch(e){H(e)}}),e.command(`current`).description(`Show the active team for the current profile`).option(`--json`,`Output as JSON`).option(`--profile <profile>`,`Credential profile`).action(e=>{try{let t=vt(e.profile);if(e.json){N(t.activeTeamId?t:{activeTeamId:null});return}if(!t.activeTeamId){console.log(`No active team.`);return}R({ID:t.activeTeamId,Name:t.activeTeamName})}catch(e){H(e)}}),e.command(`clear`).description(`Clear the active team for the current profile`).option(`--json`,`Output as JSON`).option(`--profile <profile>`,`Credential profile`).action(e=>{try{if(Mi(e.profile),e.json){N({activeTeamId:null});return}P(`Active team cleared.`)}catch(e){H(e)}}),e.command(`members [team]`).description(`List team members`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=O(t),r=j(n),i=await X(r,e,n.profile),a=await r.teams.listMembers(i.id);if(t.json){N({team:i,members:a});return}M(a.map(e=>({id:e.id,email:e.customerEmail,role:e.role,status:e.status,joinedAt:e.joinedAt})),[{key:`id`,header:`ID`,width:36},{key:`email`,header:`Email`,width:28},{key:`role`,header:`Role`,width:10},{key:`status`,header:`Status`,width:10},{key:`joinedAt`,header:`Joined`,width:16}])}catch(e){H(e)}}),e.command(`update-member <member-id>`).description(`Update a team member role`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).requiredOption(`--role <role>`,`Role: admin, member, viewer`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=O(t),r=j(n),i=await X(r,t.team,n.profile),a=La(t.role),o=await r.teams.updateMember(i.id,e,{role:a});if(t.json){N({team:i,member:o});return}P(`Member updated: ${o.customerEmail}`),R({Team:i.name,Role:o.role,Status:o.status})}catch(e){H(e)}}),e.command(`invite <email>`).description(`Invite a user to a team`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).option(`--role <role>`,`Role: admin, member, viewer`,`member`).option(`--ttl-hours <hours>`,`Invitation lifetime in hours`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=O(t),r=j(n),i=await X(r,t.team,n.profile),a=La(t.role),o=await r.teams.invite(i.id,{email:e,role:a,ttlHours:t.ttlHours?Number.parseInt(t.ttlHours,10):void 0});if(t.json){N({team:i,invitation:o});return}P(`Invitation created for ${o.email}`),R({Team:i.name,Role:o.role,Expires:o.expiresAt,"Invitation ID":o.id}),P(`Re-run with --json to retrieve the invitation token for sharing.`)}catch(e){H(e)}}),e.command(`leave [team]`).description(`Leave a team as the current user`).option(`--force`,`Skip confirmation prompt`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=O(t),r=j(n),i=await X(r,e,n.profile);if(!t.force&&!t.json&&!await U(`Leave team '${i.name}'? (y/N) `))return;if(await r.teams.leave(i.id),n.activeTeamId===i.id&&Mi(n.profile),t.json){N({success:!0,teamId:i.id});return}P(`Left team: ${i.name}`)}catch(e){H(e)}}),e.command(`transfer <new-owner-customer-id> [team]`).description(`Transfer team ownership to another active member`).option(`--force`,`Skip confirmation prompt`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t,n)=>{try{let r=O(n),i=j(r),a=await X(i,t,r.profile);if(!n.force&&!n.json&&!await U(`Transfer ownership of '${a.name}' to ${e}? This cannot be undone without the new owner's cooperation. (y/N) `))return;if(await i.teams.transferOwnership(a.id,e),n.json){N({success:!0,teamId:a.id,newOwnerCustomerId:e});return}P(`Ownership transferred for ${a.name}`)}catch(e){H(e)}}),e.addCommand(Ra()),e.addCommand(za()),e.command(`invitations [team]`).description(`List pending and historical team invitations`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=O(t),r=j(n),i=await X(r,e,n.profile),a=await r.teams.listInvitations(i.id);if(t.json){N({team:i,invitations:a});return}M(a.map(e=>({id:e.id,email:e.email,role:e.role,status:e.status,expiresAt:e.expiresAt})),[{key:`id`,header:`ID`,width:38},{key:`email`,header:`Email`,width:28},{key:`role`,header:`Role`,width:10},{key:`status`,header:`Status`,width:12},{key:`expiresAt`,header:`Expires`,width:16}])}catch(e){H(e)}}),e.command(`accept <token>`).description(`Accept a team invitation`).option(`--no-switch`,`Do not set the accepted team as active`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=O(t),r=j(n),i=await r.teams.acceptInvitation(e),a=t.switch===!1?null:await r.teams.get(i.teamId);if(a&&ji(a,n.profile),t.json){N({member:i,activeTeamId:a?.id??null});return}P(`Invitation accepted for team ${i.teamId}`),a&&P(`Active team set to ${a.name}`)}catch(e){H(e)}}),e.command(`revoke-invitation <invitation-id>`).description(`Revoke a pending team invitation`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{if(await j(O(t)).teams.revokeInvitation(e),t.json){N({success:!0,invitationId:e});return}P(`Invitation revoked: ${e}`)}catch(e){H(e)}}),e.command(`remove-member <member-id>`).description(`Remove a member from a team`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=O(t),r=j(n),i=await X(r,t.team,n.profile);if(await r.teams.removeMember(i.id,e),t.json){N({success:!0,teamId:i.id,memberId:e});return}P(`Member removed: ${e}`)}catch(e){H(e)}}),e}function La(e){if(e===`admin`||e===`member`||e===`viewer`)return e;throw Error(`Role must be one of: admin, member, viewer`)}function Ra(){let e=new t(`secret`).description(`Manage team secrets`);return e.command(`list [team]`).description(`List team secret names`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=O(t),r=j(n),i=await X(r,e,n.profile),a=await r.teams.listSecrets(i.id);if(t.json){N({team:i,secrets:a});return}M(a.map(e=>({name:e.name,updatedAt:e.updatedAt,updatedBy:e.updatedBy})),[{key:`name`,header:`Name`,width:28},{key:`updatedAt`,header:`Updated`,width:24},{key:`updatedBy`,header:`Updated By`,width:28}])}catch(e){H(e)}}),e.command(`set <name> [value]`).description(`Create or replace a team secret`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).option(`--value-stdin`,`Read secret value from stdin`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t,n)=>{try{let r=O(n),i=j(r),a=await X(i,n.team,r.profile),o=await Ba({value:t,valueStdin:n.valueStdin,prompt:`Enter value for team secret '${e}': `}),s=await i.teams.upsertSecret(a.id,e,o);if(n.json){N({team:a,secret:s});return}P(`Team secret saved: ${s.name}`)}catch(e){H(e)}}),e.command(`delete <name>`).description(`Delete a team secret`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).option(`--force`,`Skip confirmation prompt`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=O(t),r=j(n),i=await X(r,t.team,n.profile);if(!t.force&&!t.json&&!await U(`Delete team secret '${e}' from '${i.name}'? (y/N) `))return;if(await r.teams.deleteSecret(i.id,e),t.json){N({success:!0,teamId:i.id,name:e});return}P(`Team secret deleted: ${e}`)}catch(e){H(e)}}),e.command(`reveal <name>`).description(`Reveal a team secret value`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=O(t),r=j(n),i=await X(r,t.team,n.profile),a=await r.teams.revealSecret(i.id,e);if(t.json){N({teamId:i.id,...a});return}console.log(a.value)}catch(e){H(e)}}),e}function za(){let e=new t(`templates`).description(`Manage team golden-path templates`);return e.command(`list [team]`).description(`List a team's golden-path templates`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=O(t),r=j(n),i=await X(r,e,n.profile),a=await r.teams.listTemplates(i.id);if(t.json){N({team:i,templates:a});return}if(a.length===0){console.log(`No templates yet for ${i.name}.`);return}M(a.map(e=>({id:e.id,name:e.name,environment:e.environment,snapshot:`${e.snapshotId.slice(0,12)}…`,updated:e.updatedAt})),[{key:`id`,header:`ID`,width:38},{key:`name`,header:`Name`,width:28},{key:`environment`,header:`Env`,width:14},{key:`snapshot`,header:`Snapshot`,width:16},{key:`updated`,header:`Updated`,width:24}])}catch(e){H(e)}}),e.command(`create <name> <snapshot-id>`).description(`Create a golden-path template from a snapshot`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).option(`-d, --description <description>`,`Human-readable description shown in the dashboard`).option(`-e, --environment <environment>`,`Default environment to apply (defaults to 'universal')`).option(`--config <json>`,`Optional JSON config object merged into sandboxes created from this template`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t,n)=>{try{let r=O(n),i=j(r),a=await X(i,n.team,r.profile),o;if(n.config)try{let e=JSON.parse(n.config);if(typeof e!=`object`||!e||Array.isArray(e))throw Error(`--config must be a JSON object`);o=e}catch(e){throw Error(`--config is not valid JSON: ${e instanceof Error?e.message:String(e)}`)}let s=await i.teams.createTemplate(a.id,{name:e,snapshotId:t,description:n.description,environment:n.environment,config:o});if(n.json){N({team:a,template:s});return}P(`Team template created: ${s.name} (${s.id})`)}catch(e){H(e)}}),e.command(`delete <template-id>`).description(`Delete a team golden-path template`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).option(`--force`,`Skip confirmation prompt`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=O(t),r=j(n),i=await X(r,t.team,n.profile);if(!t.force&&!t.json&&!await U(`Delete template '${e}' from '${i.name}'? (y/N) `))return;if(await r.teams.deleteTemplate(i.id,e),t.json){N({success:!0,teamId:i.id,templateId:e});return}P(`Team template deleted: ${e}`)}catch(e){H(e)}}),e}async function Ba(e){if(e.value!==void 0&&e.valueStdin)throw Error(`Provide either a secret value argument or --value-stdin, not both`);if(e.value!==void 0){if(e.value.length===0)throw Error(`Secret value cannot be empty`);return e.value}if(e.valueStdin){let e=await Jt();if(e.length===0)throw Error(`Secret value from stdin cannot be empty`);return e}let t=await qt(e.prompt);if(t.length===0)throw Error(`Secret value cannot be empty`);return t}function Va(){let e=new t(`template`).description(`Manage published public templates`);return e.command(`list`).option(`-q, --query <query>`,`Search query`).option(`--tag <tag>`,`Filter by tag`).option(`--featured`,`Show featured templates only`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=j(O(e)),n=e.featured?await t.publicTemplates.featured():await t.publicTemplates.list({query:e.query,tag:e.tag});if(e.json){N({templates:n});return}M(n.map(e=>({slug:e.slug,name:e.name,forks:e.forkCount,sandboxes:e.sandboxCount,updated:e.updatedAt})),[{key:`slug`,header:`Slug`,width:28},{key:`name`,header:`Name`,width:28},{key:`forks`,header:`Forks`,width:8},{key:`sandboxes`,header:`Sandboxes`,width:12},{key:`updated`,header:`Updated`,width:24}])}catch(e){H(e)}}),e.command(`get <id-or-slug>`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=await j(O(t)).publicTemplates.get(e);if(t.json){N({template:n});return}N(n)}catch(e){H(e)}}),e.command(`versions <id-or-slug>`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=await j(O(t)).publicTemplates.versions(e);if(t.json){N({versions:n});return}M(n.map(e=>({...e})),[{key:`id`,header:`Version ID`,width:38},{key:`versionNumber`,header:`Version`,width:8},{key:`snapshotId`,header:`Snapshot`,width:20},{key:`createdAt`,header:`Created`,width:24}])}catch(e){H(e)}}),e.command(`publish <name> <snapshot-id> <sandbox-id>`).option(`--slug <slug>`,`Stable public slug`).option(`-d, --description <description>`,`Template description`).option(`--readme <markdown>`,`README markdown`).option(`--tags <tags...>`,`Template tags`).option(`--release-notes <text>`,`Release notes`).option(`--team-id <id>`,`Publish under a team`).option(`--forked-from <id>`,`Fork source template id`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n,r)=>{try{let i=await j(O(r)).publicTemplates.publish({name:e,slug:r.slug,description:r.description,snapshotId:t,sourceSandboxId:n,readmeMarkdown:r.readme,tags:r.tags,releaseNotes:r.releaseNotes,teamId:r.teamId,forkedFromTemplateId:r.forkedFrom});if(r.json){N({template:i});return}P(`Published template: ${i.slug}`)}catch(e){H(e)}}),e.command(`publish-version <id-or-slug> <snapshot-id> <sandbox-id>`).option(`--readme <markdown>`,`README markdown`).option(`--tags <tags...>`,`Template tags`).option(`--release-notes <text>`,`Release notes`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n,r)=>{try{let i=await j(O(r)).publicTemplates.publishVersion(e,{snapshotId:t,sourceSandboxId:n,readmeMarkdown:r.readme,tags:r.tags,releaseNotes:r.releaseNotes});if(r.json){N({version:i});return}P(`Published template version: ${i.id}`)}catch(e){H(e)}}),e}function Ha(){let e=new t(`tools`).description(`Manage language runtimes and tools in a sandbox (via mise)`);return e.command(`list`).alias(`ls`).description(`List installed tools in a sandbox`).argument(`<id>`,`Sandbox ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=j(O({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=L(`Fetching tools...`);t.json||r.start();let i=await n.get(e);if(!i)throw Error(`Sandbox not found: ${e}`);let a=await i.tools.list();r.stop(),t.json?N(a):a.length===0?console.log(`No tools installed`):V([`Tool`,`Version`,`Active`],a.map(e=>[e.name,e.version,e.active?`yes`:`no`]))}catch(e){H(e)}}),e.command(`install`).description(`Install a tool version`).argument(`<id>`,`Sandbox ID`).argument(`<tool>`,`Tool name (e.g. node, python, go)`).argument(`<version>`,`Version to install (e.g. 20, 3.12, latest)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n,r)=>{try{let i=j(O({apiKey:r.apiKey,baseUrl:r.baseUrl})),a=L(`Installing ${t}@${n}...`);r.json||a.start();let o=await i.get(e);if(!o)throw Error(`Sandbox not found: ${e}`);await o.tools.install(t,n),a.stop(),r.json?N({tool:t,version:n,installed:!0}):P(`Installed ${t}@${n}`)}catch(e){H(e)}}),e.command(`use`).description(`Activate a tool version for the current session`).argument(`<id>`,`Sandbox ID`).argument(`<tool>`,`Tool name`).argument(`<version>`,`Version to activate`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n,r)=>{try{let i=await j(O({apiKey:r.apiKey,baseUrl:r.baseUrl})).get(e);if(!i)throw Error(`Sandbox not found: ${e}`);await i.tools.use(t,n),P(`Activated ${t}@${n}`)}catch(e){H(e)}}),e.command(`run`).description(`Run a command with a specific tool`).argument(`<id>`,`Sandbox ID`).argument(`<tool>`,`Tool name`).argument(`<args...>`,`Command arguments`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n,r)=>{try{let i=j(O({apiKey:r.apiKey,baseUrl:r.baseUrl})),a=L(`Running ${t} ${n.join(` `)}...`);r.json||a.start();let o=await i.get(e);if(!o)throw Error(`Sandbox not found: ${e}`);let s=await o.tools.run(t,n);a.stop(),r.json?N(s):(s.stdout&&process.stdout.write(s.stdout),s.stderr&&process.stderr.write(s.stderr),s.exitCode!==0&&process.exit(s.exitCode))}catch(e){H(e)}}),e}function Ua(){let e=new t(`traces`).description(`Read hosted agent traces, spans, and eval-runs from Tangle Intelligence`);return e.command(`list`).description(`List trace summaries (one row per trace), newest first`).option(`--from <iso>`,`ISO-8601 lower bound on received time (inclusive)`).option(`--to <iso>`,`ISO-8601 upper bound on received time (inclusive)`).option(`--model <model>`,`Exact model match (any span carried this model)`).option(`--run <runId>`,`Exact run id match`).option(`--status <status>`,`ERROR | OK`).option(`-q, --query <text>`,`Substring over span name`).option(`--cursor <cursor>`,`Opaque pagination cursor from a prior page`).option(`--limit <count>`,`Page size (clamped server-side to [1, 200])`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`Intelligence API base URL`).action(async e=>{try{let t={from:e.from,to:e.to,model:e.model,runId:e.run,status:e.status===void 0?void 0:eo(e.status),q:e.query,cursor:e.cursor,limit:e.limit===void 0?void 0:ao(e.limit)},n=Ga(e),r=e.json?null:L(`Fetching traces...`);r?.start();let i=await n.listTraces(t);if(r?.stop(),e.json)return N(i);Ja(i.items),Qa(i.nextCursor)}catch(t){qa(t,e)}}),e.command(`get <traceId>`).description(`Show one trace's spans. Streams NDJSON to stdout with --ndjson.`).option(`--ndjson`,`Stream the full span set as NDJSON to stdout`).option(`--cursor <cursor>`,`Opaque pagination cursor from a prior page`).option(`--limit <count>`,`Spans per page`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`Intelligence API base URL`).action(async(e,t)=>{try{let n=Ga(t);if(t.ndjson){await Ka(n,e);return}let r=t.json?null:L(`Fetching trace spans...`);r?.start();let i=await n.getTraceSpans(e,{cursor:t.cursor,limit:t.limit===void 0?void 0:ao(t.limit)});if(r?.stop(),t.json)return N(i);Ya(i.items),i.truncated&&R({Spans:`${i.items.length} of ${i.total} (truncated)`}),Qa(i.nextCursor)}catch(e){qa(e,t)}}),e.addCommand(Wa()),e}function Wa(){let e=new t(`runs`).description(`Read eval-runs pivoted off the trace surface`);return e.command(`list`).description(`List eval-runs, newest first`).option(`--status <status>`,`Run status filter`).option(`--gate <decision>`,`Promotion-gate decision filter`).option(`--label <key:value>`,`Match over the run's labels`).option(`--from <iso>`,`ISO-8601 lower bound on received time`).option(`--to <iso>`,`ISO-8601 upper bound on received time`).option(`-q, --query <text>`,`Substring over run dir`).option(`--cursor <cursor>`,`Opaque pagination cursor from a prior page`).option(`--limit <count>`,`Page size`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`Intelligence API base URL`).action(async e=>{try{let t={status:e.status===void 0?void 0:no(e.status),gate:e.gate===void 0?void 0:io(e.gate),label:e.label,from:e.from,to:e.to,q:e.query,cursor:e.cursor,limit:e.limit===void 0?void 0:ao(e.limit)},n=Ga(e),r=e.json?null:L(`Fetching runs...`);r?.start();let i=await n.listRuns(t);if(r?.stop(),e.json)return N(i);Xa(i.items),Qa(i.nextCursor)}catch(t){qa(t,e)}}),e.command(`get <runId>`).description(`Show a single eval-run`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`Intelligence API base URL`).action(async(e,t)=>{try{let n=Ga(t),r=t.json?null:L(`Fetching run...`);r?.start();let i=await n.getRun(e);if(r?.stop(),t.json)return N(i);Za(i)}catch(e){qa(e,t)}}),e}function Ga(e){let t=E(e.apiKey);if(!t)throw Error(`No API key found. Set TANGLE_API_KEY or run: tangle auth login`);return Ce({apiKey:t,baseUrl:e.baseUrl??process.env.TANGLE_INTELLIGENCE_BASE_URL})}async function Ka(e,t){let n=(await e.exportTraceSpansNdjson(t)).getReader();try{for(;;){let{value:e,done:t}=await n.read();if(t)break;e&&process.stdout.write(Buffer.from(e))}}finally{n.releaseLock()}}function qa(e,t){return H(e,t.json===!0)}function Ja(e){M(e.map(e=>({traceId:e.traceId,root:e.rootName??`-`,model:e.model??`-`,spans:e.spanCount,errors:e.errorCount,durationMs:e.durationMs,cost:$a(e.costUsd)})),[{key:`traceId`,header:`Trace`,width:36},{key:`root`,header:`Root`,width:24},{key:`model`,header:`Model`,width:22},{key:`spans`,header:`Spans`,width:8},{key:`errors`,header:`Errors`,width:8},{key:`durationMs`,header:`Duration(ms)`,width:14},{key:`cost`,header:`Cost`,width:10}])}function Ya(e){M(e.map(e=>({spanId:e.id,name:e.name,model:e.model??`-`,status:e.statusCode??`-`,cost:e.costUsd===null?`-`:`$${e.costUsd}`})),[{key:`spanId`,header:`Span`,width:40},{key:`name`,header:`Name`,width:28},{key:`model`,header:`Model`,width:22},{key:`status`,header:`Status`,width:10},{key:`cost`,header:`Cost`,width:12}])}function Xa(e){M(e.map(e=>({runId:e.id,status:e.status,gate:e.gateDecision??`-`,cost:e.totalCostUsd===null?`-`:`$${e.totalCostUsd}`,receivedAt:e.receivedAt})),[{key:`runId`,header:`Run`,width:24},{key:`status`,header:`Status`,width:22},{key:`gate`,header:`Gate`,width:18},{key:`cost`,header:`Cost`,width:12},{key:`receivedAt`,header:`Received`,width:18}])}function Za(e){R({Run:e.id,Status:e.status,Gate:e.gateDecision??void 0,"Run Dir":e.runDir??void 0,Cost:e.totalCostUsd===null?void 0:`$${e.totalCostUsd}`,Duration:e.totalDurationMs===null?void 0:`${e.totalDurationMs}ms`,"Holdout Lift":e.holdoutLift??void 0,Received:e.receivedAt})}function Qa(e){e&&R({"Next page":`--cursor ${e}`})}function $a(e){return e===null?`-`:`$${e.toFixed(4)}`}function eo(e){if(e===`ERROR`||e===`OK`)return e;throw Error(`--status must be ERROR or OK`)}const to=[`started`,`baseline-complete`,`generation-complete`,`gate-decided`,`finished`,`errored`];function no(e){let t=to.find(t=>t===e);if(t)return t;throw Error(`--status must be one of ${to.join(`, `)}`)}const ro=[`ship`,`hold`,`need_more_work`,`model_ceiling`,`arch_ceiling`];function io(e){let t=ro.find(t=>t===e);if(t)return t;throw Error(`--gate must be one of ${ro.join(`, `)}`)}function ao(e){let t=Number(e);if(!Number.isInteger(t)||t<1)throw Error(`--limit must be a positive integer`);return t}function oo(){return new t(`usage`).description(`Show account usage and billing information`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=j(O({apiKey:e.apiKey,baseUrl:e.baseUrl})),n=e.json?null:L(`Fetching usage...`);n?.start();let[r,i]=await Promise.all([t.usage(),t.subscription().catch(()=>null)]);n?.stop(),e.json?N({...r,subscription:i}):(console.log(),console.log(`Account Usage`),console.log(`─`.repeat(40)),R({"Active Sandboxes":r.activeSandboxes,"Total Sandboxes":r.totalSandboxes,"Compute Minutes":so(r.computeMinutes)}),i&&(console.log(),console.log(`Subscription`),console.log(`─`.repeat(40)),R({Plan:i.plan,Status:i.status,"Credits Available":co(i.creditsAvailableUsd),"Credits Used":co(i.creditsUsedUsd),"Monthly Balance":co(i.monthlyBalanceUsd)})),console.log(),console.log(`Billing Period`),console.log(`─`.repeat(40)),R({Start:r.periodStart.toLocaleDateString(),End:r.periodEnd.toLocaleDateString()}),console.log())}catch(e){H(e)}})}function so(e){if(e===void 0)return`-`;if(e<60)return`${e} min`;let t=Math.floor(e/60),n=e%60;return n===0?`${t} hr`:`${t} hr ${n} min`}function co(e){return e<0?`-$${(-e).toFixed(2)}`:`$${e.toFixed(2)}`}function lo(){return new t(`use`).description(`Set or show the active sandbox (used when a command omits the id)`).argument(`[id]`,`Sandbox id to make active`).option(`--clear`,`Clear the active sandbox`).action((e,t)=>{try{if(t.clear){ut(),I(`Cleared the active sandbox.`);return}if(e){lt(e),I(`Active sandbox set to ${e}. Commands now default to it; override with --box or TANGLE_SANDBOX.`);return}let n=ct();I(n?`Active sandbox: ${n}`:"No active sandbox. Set one with `tangle use <id>`.")}catch(e){H(e)}})}function uo(){let e=new t(`workflows`).description(`Create and manage Tangle workflows`);return e.option(`--json`,`Output as JSON`),e.hook(`preAction`,(e,t)=>{po(t)}),e.command(`list`).description(`List your workflows`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=await Z(e).workflows.list();if(e.json)return N(t);ho(t)}catch(t){Q(t,e)}}),e.command(`get`).description(`Show a workflow's definition and compiled triggers`).argument(`<id>`,`Workflow ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=await Z(t).workflows.get(e);if(t.json)return N(n);go(n)}catch(e){Q(e,t)}}),e.command(`create`).description(`Create a workflow from a YAML file`).argument(`<file>`,`Path to the workflow YAML`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=fo(e),r=await Z(t).workflows.create(n);if(t.json)return N(r);I(`Created workflow ${r.id} (${r.name}).`),go(r)}catch(e){Q(e,t)}}),e.command(`update`).description(`Replace a workflow's definition from a YAML file`).argument(`<id>`,`Workflow ID`).argument(`<file>`,`Path to the workflow YAML`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=fo(t),i=await Z(n).workflows.update(e,r);if(n.json)return N(i);I(`Updated workflow ${i.id} (${i.name}).`),go(i)}catch(e){Q(e,n)}}),e.command(`delete`).description(`Delete a workflow and its triggers`).argument(`<id>`,`Workflow ID`).option(`--force`,`Skip confirmation prompt`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{if(!t.force&&!await U(`Delete workflow ${e}? `)){I(`Delete cancelled.`);return}if(await Z(t).workflows.delete(e),t.json)return N({deleted:!0,id:e});I(`Deleted workflow ${e}.`)}catch(e){Q(e,t)}}),e.command(`validate`).description(`Validate a workflow YAML file without saving it`).argument(`<file>`,`Path to the workflow YAML`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=fo(e),r=await Z(t).workflows.validate(n);if(t.json)return N(r);if(r.valid)I(`Valid: ${r.name} (${r.actionCount} action(s), ${r.triggerCount} trigger(s)).`);else{I(`Invalid workflow:`);for(let e of r.errors)console.log(` ${e.path}: ${e.message}`);process.exitCode=1}}catch(e){Q(e,t)}}),e.command(`schema`).description(`Print the JSON Schema for the workflow YAML`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{N(await Z(e).workflows.schema())}catch(t){Q(t,e)}}),e}function fo(e){try{return c(e,`utf8`)}catch(t){throw Error(`Could not read workflow file "${e}": ${t instanceof Error?t.message:String(t)}`)}}function Z(e){let t=O({apiKey:E(e.apiKey),baseUrl:e.baseUrl??_t(process.env.TANGLE_HUB_URL)});return new me({baseUrl:t.baseUrl,apiKey:t.apiKey})}function po(e){if(!mo(e,`json`)||e.getOptionValue(`json`)!==void 0)return;let t=e.parent;for(;t;){let n=t.getOptionValue(`json`);if(n!==void 0){e.setOptionValue(`json`,n);return}t=t.parent}}function mo(e,t){return e.options.some(e=>e.attributeName()===t)}function Q(e,t){return H(e,t.json===!0)}function ho(e){M(e.map(e=>({id:e.id,name:e.name,enabled:e.enabled?`yes`:`no`,issues:e.validationErrors.length,updated:e.updatedAt})),[{key:`id`,header:`ID`},{key:`name`,header:`Name`},{key:`enabled`,header:`Enabled`},{key:`issues`,header:`Issues`},{key:`updated`,header:`Updated`}])}function go(e){if(R({ID:e.id,Name:e.name,Description:e.description??``,Enabled:e.enabled?`yes`:`no`,Actions:e.actions.length}),e.triggers&&e.triggers.length>0&&(I(`Triggers`),_o(e.triggers)),e.validationErrors.length>0){I(`Validation issues`);for(let t of e.validationErrors)console.log(` ${t.path}: ${t.message}`)}}function _o(e){M(e.map(e=>({id:e.id,kind:e.kind,enabled:e.enabled?`yes`:`no`,detail:e.kind===`schedule`?`${e.cron??``} (${e.timezone??``})`:`${e.provider??``}:${e.eventFilter?.event??``}${e.eventFilter?.action?`.${e.eventFilter.action}`:``}`})),[{key:`id`,header:`ID`},{key:`kind`,header:`Kind`},{key:`enabled`,header:`Enabled`},{key:`detail`,header:`Detail`}])}function vo(e){let t={...yo(e)??{},...e.optsWithGlobals()};for(let n of e.options){let r=n.attributeName();e.getOptionValue(r)===void 0&&t[r]!==void 0&&e.setOptionValue(r,t[r])}}function yo(e){let t=e;for(;t?.parent;)t=t.parent;return t?t.opts():void 0}const bo=e(import.meta.url)(`../package.json`),$=new t;$.name(`tangle`).description(`CLI for Tangle Sandbox operations`).version(bo.version??`0.0.0`).option(`--api-key <key>`,`API key (or set TANGLE_API_KEY)`).option(`--base-url <url>`,`API base URL`),$.hook(`preAction`,(e,t)=>{vo(t)}),$.addCommand(xn()),$.addCommand(Li()),$.addCommand(lo()),$.addCommand(ea()),$.addCommand(vi()),$.addCommand(Ln()),$.addCommand(va()),$.addCommand(ya()),$.addCommand(xa()),$.addCommand(nn()),$.addCommand(ra()),$.addCommand(zn()),$.addCommand(oo()),$.addCommand(Ia()),$.addCommand(Va()),$.addCommand(bi()),$.addCommand(On()),$.addCommand(Pn()),$.addCommand(Si()),$.addCommand(Yn()),$.addCommand(Qn()),$.addCommand($n()),$.addCommand(uo()),$.addCommand(In()),$.addCommand(Ha()),$.addCommand($i()),$.addCommand(na()),$.addCommand(Fn()),$.addCommand(xi()),$.addCommand(ti()),$.addCommand(Oi()),$.addCommand(yi()),$.addCommand(Ua()),$.addCommand(Fa()),$.parseAsync(process.argv).catch(e=>{console.error(`Fatal error:`,e.message),process.exit(1)});export{};
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@tangle-network/sandbox-cli",
|
|
3
|
-
"version": "0.
|
|
3
|
+
"version": "0.8.3-develop.20260622185956.d77b0be",
|
|
4
4
|
"description": "CLI for Tangle Sandbox operations",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"bin": {
|
|
@@ -15,13 +15,15 @@
|
|
|
15
15
|
"hub-reference.md"
|
|
16
16
|
],
|
|
17
17
|
"dependencies": {
|
|
18
|
+
"@tangle-network/agent-eval": "^0.95.1",
|
|
19
|
+
"@tangle-network/agent-runtime": "^0.70.1",
|
|
18
20
|
"chalk": "^5.4.1",
|
|
19
21
|
"commander": "12.1.0",
|
|
20
22
|
"dotenv": "17.2.3",
|
|
21
23
|
"ora": "^9.4.0",
|
|
22
24
|
"ws": "^8.20.0",
|
|
23
25
|
"@tangle-network/hub-sdk": "0.2.2",
|
|
24
|
-
"@tangle-network/sandbox": "0.8.
|
|
26
|
+
"@tangle-network/sandbox": "0.8.3-develop.20260622185956.d77b0be"
|
|
25
27
|
},
|
|
26
28
|
"devDependencies": {
|
|
27
29
|
"@types/node": "25.6.0",
|