@tangle-network/sandbox-cli 0.9.4-develop.20260629071229.145161 → 0.9.4-develop.20260701061438.a81baba

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/index.mjs CHANGED
@@ -1,6 +1,6 @@
1
- import{createRequire as e}from"node:module";import"dotenv/config";import{Command as t}from"commander";import{createHash as n,randomBytes as r,randomUUID as i}from"node:crypto";import a from"chalk";import*as o from"node:fs";import{chmodSync as s,existsSync as c,mkdirSync as l,readFileSync as u,renameSync as d,writeFileSync as f}from"node:fs";import*as p from"node:path";import{basename as ee,dirname as te,extname as ne,join as m,resolve as re}from"node:path";import{AuthError as h,NetworkError as g,NotFoundError as ie,QuotaError as _,Sandbox as v,ServerError as ae,StateError as oe,TimeoutError as se,ValidationError as ce,createConfidentialSandbox as le,generateAttestationNonce as ue,parseSSEStream as de}from"@tangle-network/sandbox";import*as fe from"node:os";import{homedir as pe,tmpdir as me}from"node:os";import{execFileSync as he,spawn as ge}from"node:child_process";import{HubClient as _e,HubSdkError as ve}from"@tangle-network/hub-sdk";import ye from"ora";import{CONTENT_COMPLETION_KEY as be,CONTENT_PROMPT_KEY as xe,CONTENT_TOOL_ARGS_KEY as Se,CONTENT_TOOL_NAME_KEY as Ce,CONTENT_TOOL_RESULT_KEY as we,TANGLE_SUBJECT_KEY as Te,asContentField as y,asContentString as Ee}from"@tangle-network/agent-core/telemetry";import{createMcpServer as De}from"@tangle-network/sandbox/agent";import{readFile as Oe}from"node:fs/promises";import{fileURLToPath as ke}from"node:url";import Ae from"ws";import{supervise as je,workerFromBackend as Me}from"@tangle-network/agent-runtime/loops";import{createIntelligenceClient as Ne}from"@tangle-network/sandbox/intelligence";function Pe(e){if(e.startsWith(`github:`)){let[t,n]=e.slice(7).split(`@`,2),r=t.split(`/`).filter(Boolean);if(r.length<3)throw Error(`invalid github ref "${e}": expected github:<owner>/<repo>/<path>[@<ref>]`);let i=`${r[0]}/${r[1]}`,a=r.slice(2).join(`/`);return{kind:`github`,repository:i,path:a,...n?{ref:n}:{},name:ee(a)}}let t;try{t=u(e,`utf8`)}catch{throw Error(`cannot read skill/tool "${e}": not a readable file and not a github: ref`)}return{kind:`inline`,name:ee(e),content:t}}function Fe(e){let t=(e.skills??[]).map(Pe),n=(e.tools??[]).map(Pe),r=t.length>0||n.length>0;if(!(!e.model&&!e.systemPrompt&&!r))return{...e.model?{model:{default:e.model}}:{},...e.systemPrompt?{prompt:{systemPrompt:e.systemPrompt}}:{},...r?{resources:{...t.length>0?{skills:t}:{},...n.length>0?{tools:n}:{}}}:{}}}async function Ie(e){let t;if(e.startsWith(`github:`)){let[n,r]=e.slice(7).split(`@`,2),i=n.split(`/`).filter(Boolean);if(i.length<3)throw Error(`invalid --profile github ref "${e}": expected github:<owner>/<repo>/<path>[@<ref>]`);let a=r??`main`;t=await We(`https://raw.githubusercontent.com/${i[0]}/${i[1]}/${a}/${i.slice(2).join(`/`)}`)}else t=/^https?:\/\//.test(e)?await We(e):u(e,`utf8`);let n;try{n=JSON.parse(t)}catch{throw Error(`profile at "${e}" is not valid JSON`)}return Be(n,e),n}const Le=[`prompt`,`model`,`permissions`,`tools`,`mcp`,`connections`,`subagents`,`resources`,`hooks`,`modes`,`confidential`,`extensions`],Re=new Set([...Le,`name`,`description`,`version`,`tags`,`metadata`]),ze=[`files`,`tools`,`skills`,`agents`,`commands`];function Be(e,t){if(!e||typeof e!=`object`||Array.isArray(e))throw Error(`profile at "${t}" is not an object`);let n=Object.keys(e),r=n.some(e=>Le.includes(e)),i=n.includes(`name`)&&n.every(e=>Re.has(e));if(!r&&!i)throw Error(`"${t}" does not look like an agent profile: no recognized profile keys (model, prompt, resources, tools, connections, …). Got: ${n.slice(0,6).join(`, `)||`(empty object)`}.`);Ve(e,t)}function Ve(e,t){let n=e.resources;if(!n||typeof n!=`object`)return;for(let e of ze){let r=n[e];if(r!==void 0){if(!Array.isArray(r))throw Error(`profile at "${t}" is malformed: resources.${e} must be an array`);for(let n of r)Ue(e===`files`?He(n):n,t)}}let r=n.instructions;r!==void 0&&typeof r!=`string`&&Ue(r,t)}function He(e){return e&&typeof e==`object`?e.resource:e}function Ue(e,t){let n=e&&typeof e==`object`?e.kind:void 0;if(n!==`inline`&&n!==`github`)throw Error(`profile at "${t}" has an invalid resource ref kind ${JSON.stringify(n)}: expected "inline" or "github"`)}async function We(e){let t=await fetch(e);if(!t.ok)throw Error(`failed to fetch ${e} (${t.status})`);return t.text()}async function Ge(e){let t=e.profileSource?await Ie(e.profileSource):void 0,n=Fe(e);return t?n?{...t,...n,...n.resources?{resources:{...t.resources,...n.resources}}:{}}:t:n}const Ke=p.join(fe.homedir(),`.tangle`),b=p.join(Ke,`credentials.json`),qe=`tangle-sandbox-cli`,Je=`TANGLE_ALLOW_PLAINTEXT_CREDENTIALS`;var Ye=class extends Error{constructor(e,t){super(`Credentials file at ${e} is corrupted and cannot be parsed. Inspect or remove it manually before retrying — refusing to overwrite it automatically.`),this.filePath=e,this.name=`CredentialsFileCorruptedError`,t&&(this.cause=t)}},Xe=class extends Error{constructor(){super(`Could not store credential in the OS keychain, and the plaintext fallback is not enabled. Install a keychain provider (macOS Keychain or libsecret/secret-tool on Linux), or set ${Je}=1 to opt into a plaintext credentials.json with mode 0600.`),this.name=`KeychainUnavailableError`}};function Ze(e){let t=tt(e);if(t)return{value:t,source:`keychain`};let n=it(e);return n?{value:n,source:`file`}:{source:`none`}}function Qe(e,t){if(nt(e,t))return ot(e),`keychain`;if(!et())throw new Xe;return at(e,t),`file`}function $e(e){rt(e),ot(e)}function et(){let e=process.env[Je];if(!e)return!1;let t=e.trim().toLowerCase();return t===`1`||t===`true`||t===`yes`}function tt(e){if(process.platform===`darwin`)try{return he(`security`,[`find-generic-password`,`-s`,qe,`-a`,ut(e),`-w`],{encoding:`utf8`,stdio:[`ignore`,`pipe`,`ignore`]}).trim()}catch{return}if(process.platform===`linux`)try{return he(`secret-tool`,[`lookup`,`service`,qe,`account`,ut(e)],{encoding:`utf8`,stdio:[`ignore`,`pipe`,`ignore`]}).trim()}catch{return}}function nt(e,t){if(process.platform===`darwin`)try{return he(`security`,[`add-generic-password`,`-U`,`-s`,qe,`-a`,ut(e),`-w`,t],{stdio:[`ignore`,`ignore`,`ignore`]}),!0}catch{return!1}if(process.platform===`linux`)try{return he(`secret-tool`,[`store`,`--label=Tangle Sandbox CLI`,`service`,qe,`account`,ut(e)],{input:t,stdio:[`pipe`,`ignore`,`ignore`]}),!0}catch{return!1}return!1}function rt(e){if(process.platform===`darwin`){try{he(`security`,[`delete-generic-password`,`-s`,qe,`-a`,ut(e)],{stdio:[`ignore`,`ignore`,`ignore`]})}catch{}return}if(process.platform===`linux`)try{he(`secret-tool`,[`clear`,`service`,qe,`account`,ut(e)],{stdio:[`ignore`,`ignore`,`ignore`]})}catch{}}function it(e){return st()[e]}function at(e,t){let n=st();n[e]=t,ct(n)}function ot(e){let t;try{t=st()}catch(e){if(e instanceof Ye)return;throw e}e in t&&(delete t[e],ct(t))}function st(){let e;try{e=o.readFileSync(b,`utf8`)}catch(e){if(e instanceof Error&&`code`in e&&e.code===`ENOENT`)return{};throw e}try{let t=JSON.parse(e);if(typeof t!=`object`||!t||Array.isArray(t))throw new Ye(b);let n={};for(let[e,r]of Object.entries(t))typeof r==`string`&&(n[e]=r);return n}catch(e){throw e instanceof Ye?e:new Ye(b,e instanceof Error?e:void 0)}}function ct(e){if(lt(),Object.keys(e).length===0){o.existsSync(b)&&o.unlinkSync(b);return}let t=`${b}.${process.pid}.tmp`;o.writeFileSync(t,`${JSON.stringify(e,null,2)}\n`,{mode:384}),o.renameSync(t,b)}function lt(){if(!o.existsSync(Ke)){o.mkdirSync(Ke,{mode:448,recursive:!0});return}if(process.platform!==`win32`)try{(o.statSync(Ke).mode&511)!=448&&o.chmodSync(Ke,448)}catch{}}function ut(e){return`profile:${e}`}const dt=p.join(fe.homedir(),`.tangle`),ft=p.join(dt,`credentials`),pt=p.join(dt,`config.json`),x=`default`;function mt(){o.existsSync(dt)||o.mkdirSync(dt,{mode:448,recursive:!0})}function ht(e,t){mt();let n=`${e}.${process.pid}.tmp`;o.writeFileSync(n,t,{mode:384}),o.renameSync(n,e)}function gt(){try{if(o.existsSync(ft)){let e=o.readFileSync(ft,`utf-8`).trim();return _t(e)?e:e.match(/api_key\s*=\s*(\S+)/)?.[1]}}catch{}}function _t(e){return e.startsWith(`sk_`)||e.startsWith(`sk-tan-`)}function vt(){try{o.existsSync(ft)&&o.unlinkSync(ft)}catch{}}function S(){return Lt(It())}function C(e){let t=Rt(S(),e);ht(pt,`${JSON.stringify(t,null,2)}\n`)}function w(e){return zt(e||process.env.TANGLE_PROFILE||process.env.SANDBOX_PROFILE||S().activeProfile||x)}function yt(e){C({activeProfile:zt(e)})}function bt(){return process.env.TANGLE_SANDBOX||S().currentSandbox||void 0}function xt(e){C({currentSandbox:e})}function St(){let e=S();delete e.currentSandbox,ht(pt,`${JSON.stringify(e,null,2)}\n`)}function Ct(){let e=S().deviceId;if(e&&/^[A-Za-z0-9_.-]{1,64}$/.test(e))return e;let t=fe.hostname().replace(/[^A-Za-z0-9_.-]/g,`-`).replace(/^-+|-+$/g,``).slice(0,32),n=r(4).toString(`hex`),i=`${t?`${t}-`:`device-`}${n}`;return C({deviceId:i}),i}function wt(e){let t=e||bt();if(!t)throw Error("No sandbox specified. Pass it positionally, set a default with `tangle use <id>`, pass `--box <id>`, or set TANGLE_SANDBOX.");return t}function Tt(){let e=S(),t=w(),n=new Set([x,...Object.keys(e.profiles??{})]);return e.activeProfile&&n.add(zt(e.activeProfile)),[...n].map(e=>{let n=Ze(e),r=e===x?gt():void 0,i=n.source===`none`?r?`legacy-file`:`none`:n.source;return{name:e,active:e===t,hasApiKey:n.source!==`none`||!!r,baseUrl:At(void 0,e),apiKeySource:i}}).sort((e,t)=>e.name.localeCompare(t.name))}function Et(e){let t=w(e);return{name:t,active:t===w(),apiKey:T(void 0,t),baseUrl:At(void 0,t),credentialSource:kt(void 0,t)}}function Dt(e,t){let n=zt(e),r=S(),i=Ft(n,r),a={},o=t.baseUrl??i.baseUrl;o&&(a.baseUrl=o);let s=t.activeTeamId??i.activeTeamId;s&&(a.activeTeamId=s);let c=t.activeTeamName??i.activeTeamName;c&&(a.activeTeamName=c);let l={...r.profiles??{}};a.baseUrl||a.activeTeamId||a.activeTeamName?l[n]=a:delete l[n];let u;return t.apiKey&&(u=Qe(n,t.apiKey),n===x&&vt()),C({profiles:Object.keys(l).length>0?l:{}}),u}function Ot(e){let t=w(e),n={...S().profiles??{}},r=n[t];if(r){let e={...r,apiKey:void 0};e.baseUrl||e.activeTeamId||e.activeTeamName?n[t]=e:delete n[t]}C({profiles:n}),$e(t),t===x&&vt()}function T(e,t){if(e)return e;let n=process.env.TANGLE_API_KEY||process.env.SANDBOX_API_KEY;if(n)return n;let r=w(t),i=Ze(r);if(i.value)return i.value;if(r===x)return gt()}function kt(e,t){if(e)return`flag`;if(process.env.TANGLE_API_KEY||process.env.SANDBOX_API_KEY)return`env`;let n=w(t),r=Ze(n);return r.source===`none`?n===x&&gt()?`legacy-file`:`none`:r.source}function At(e,t){if(e)return e;let n=process.env.TANGLE_BASE_URL||process.env.SANDBOX_BASE_URL;if(n)return n;let r=w(t),i=S(),a=Ft(r,i);return a.baseUrl?a.baseUrl:r===x&&i.baseUrl?i.baseUrl:`https://sandbox.tangle.tools`}function jt(e){if(e)return e.replace(/\/v1\/hub\/?$/,``)}function E(e){let t=w(e.profile),n=T(e.apiKey,t);if(!n)throw Error(`No API key found for profile '${t}'. Set TANGLE_API_KEY or run: tangle auth login${t===x?``:` --profile ${t}`}`);return{apiKey:n,baseUrl:At(e.baseUrl,t),timeout:e.timeout??3e4,profile:t,...Mt(t)}}function Mt(e){let t=S(),n=Ft(w(e),t);return{activeTeamId:n.activeTeamId,activeTeamName:n.activeTeamName}}function Nt(e,t){Dt(w(t),{activeTeamId:e.id,activeTeamName:e.name})}function Pt(e){let t=w(e),n=S(),r={...n.profiles??{}},i={baseUrl:Ft(t,n).baseUrl};i.baseUrl?r[t]=i:delete r[t],C({profiles:r})}function Ft(e,t=S()){let n=zt(e);return{...n===x?{baseUrl:t.baseUrl,activeTeamId:t.profiles?.[x]?.activeTeamId,activeTeamName:t.profiles?.[x]?.activeTeamName}:{},...t.profiles?.[n]??{}}}function It(){try{if(o.existsSync(pt)){let e=o.readFileSync(pt,`utf-8`);return JSON.parse(e)}}catch{}return{}}function Lt(e){let t=!1,n={};e.apiKey&&(Qe(x,e.apiKey),vt(),t=!0);for(let[r,i]of Object.entries(e.profiles??{})){i.apiKey&&(Qe(r,i.apiKey),t=!0);let e={};i.baseUrl&&(e.baseUrl=i.baseUrl),i.activeTeamId&&(e.activeTeamId=i.activeTeamId),i.activeTeamName&&(e.activeTeamName=i.activeTeamName),Object.keys(e).length>0&&(n[r]=e)}let r={...e,apiKey:void 0,profiles:Object.keys(n).length>0?n:void 0};return t&&ht(pt,`${JSON.stringify(r,null,2)}\n`),r}function Rt(e,t){let n=t.profiles===void 0?{...e.profiles??{}}:Object.fromEntries(Object.entries(t.profiles).filter(([,e])=>!!(e.apiKey||e.baseUrl||e.activeTeamId||e.activeTeamName)));return{...e,...t,profiles:Object.keys(n).length>0?n:void 0}}function zt(e){let t=e.trim().toLowerCase();if(!t)throw Error(`Profile name cannot be empty`);if(!/^[a-z0-9][a-z0-9._-]*$/.test(t))throw Error(`Profile names may only contain lowercase letters, numbers, dots, underscores, and hyphens`);return t}let D=null,O=null;function k(e){if(e)return D&&O&&O.apiKey===e.apiKey&&O.baseUrl===e.baseUrl&&O.timeout===e.timeout?D:(D=new v({apiKey:e.apiKey,baseUrl:e.baseUrl,timeoutMs:e.timeout}),O=e,D);if(D)return D;let t=E({});return D=new v({apiKey:t.apiKey,baseUrl:t.baseUrl,timeoutMs:t.timeout}),O=t,D}function Bt(){D=null,O=null}async function Vt(e,t){let n=t.trim();if(n.length===0)throw Error(`Connection reference is empty.`);if(n.startsWith(`hubconn_`))return n;let{connections:r}=await e.connections.list();return Ht(r,n)}function Ht(e,t){let n=t.trim();if(n.length===0)throw Error(`Connection reference is empty.`);let r=e.find(e=>e.id===n);if(r)return r.id;let i=n.indexOf(`:`),a=(i===-1?n:n.slice(0,i)).trim().toLowerCase(),o=i===-1?null:n.slice(i+1).trim(),s=e.filter(e=>e.status!==`revoked`&&e.providerId.toLowerCase()===a);if(o&&o.length>0){let e=o.toLowerCase();s=s.filter(t=>(t.accountDisplay??``).toLowerCase()===e||t.displayName.toLowerCase()===e)}if(s.length===1)return s[0].id;throw s.length===0?Error(`No hub connection matches "${t}". List your connections with \`tangle hub connections\`.`):Error(Ut(t,s))}function Ut(e,t){let n=t.map(e=>`- ${e.id} (provider: ${e.providerId}, account: ${e.accountDisplay??e.displayName})`).join(`
1
+ import{createRequire as e}from"node:module";import"dotenv/config";import{Command as t}from"commander";import{createHash as n,randomBytes as r,randomUUID as i}from"node:crypto";import a from"chalk";import*as o from"node:fs";import{chmodSync as s,existsSync as c,mkdirSync as l,readFileSync as u,renameSync as d,writeFileSync as f}from"node:fs";import*as p from"node:path";import{basename as ee,dirname as te,extname as ne,join as m,resolve as re}from"node:path";import{AuthError as ie,NetworkError as h,NotFoundError as ae,QuotaError as oe,Sandbox as g,ServerError as _,StateError as v,TimeoutError as se,ValidationError as ce,createConfidentialSandbox as le,generateAttestationNonce as ue,parseSSEStream as de}from"@tangle-network/sandbox";import*as fe from"node:os";import{homedir as pe,tmpdir as me}from"node:os";import{execFileSync as he,spawn as ge}from"node:child_process";import{HubClient as _e,HubSdkError as ve}from"@tangle-network/hub-sdk";import ye from"ora";import{CONTENT_COMPLETION_KEY as be,CONTENT_PROMPT_KEY as xe,CONTENT_TOOL_ARGS_KEY as Se,CONTENT_TOOL_NAME_KEY as Ce,CONTENT_TOOL_RESULT_KEY as we,TANGLE_SUBJECT_KEY as Te,asContentField as y,asContentString as Ee}from"@tangle-network/agent-core/telemetry";import{createMcpServer as De}from"@tangle-network/sandbox/agent";import{readFile as Oe}from"node:fs/promises";import{fileURLToPath as ke}from"node:url";import Ae from"ws";import{supervise as je,workerFromBackend as Me}from"@tangle-network/agent-runtime/loops";import{createIntelligenceClient as Ne}from"@tangle-network/sandbox/intelligence";function Pe(e){if(e.startsWith(`github:`)){let[t,n]=e.slice(7).split(`@`,2),r=t.split(`/`).filter(Boolean);if(r.length<3)throw Error(`invalid github ref "${e}": expected github:<owner>/<repo>/<path>[@<ref>]`);let i=`${r[0]}/${r[1]}`,a=r.slice(2).join(`/`);return{kind:`github`,repository:i,path:a,...n?{ref:n}:{},name:ee(a)}}let t;try{t=u(e,`utf8`)}catch{throw Error(`cannot read skill/tool "${e}": not a readable file and not a github: ref`)}return{kind:`inline`,name:ee(e),content:t}}function Fe(e){let t=(e.skills??[]).map(Pe),n=(e.tools??[]).map(Pe),r=t.length>0||n.length>0;if(!(!e.model&&!e.systemPrompt&&!r))return{...e.model?{model:{default:e.model}}:{},...e.systemPrompt?{prompt:{systemPrompt:e.systemPrompt}}:{},...r?{resources:{...t.length>0?{skills:t}:{},...n.length>0?{tools:n}:{}}}:{}}}async function Ie(e){let t;if(e.startsWith(`github:`)){let[n,r]=e.slice(7).split(`@`,2),i=n.split(`/`).filter(Boolean);if(i.length<3)throw Error(`invalid --profile github ref "${e}": expected github:<owner>/<repo>/<path>[@<ref>]`);let a=r??`main`;t=await We(`https://raw.githubusercontent.com/${i[0]}/${i[1]}/${a}/${i.slice(2).join(`/`)}`)}else t=/^https?:\/\//.test(e)?await We(e):u(e,`utf8`);let n;try{n=JSON.parse(t)}catch{throw Error(`profile at "${e}" is not valid JSON`)}return Be(n,e),n}const Le=[`prompt`,`model`,`permissions`,`tools`,`mcp`,`connections`,`subagents`,`resources`,`hooks`,`modes`,`confidential`,`extensions`],Re=new Set([...Le,`name`,`description`,`version`,`tags`,`metadata`]),ze=[`files`,`tools`,`skills`,`agents`,`commands`];function Be(e,t){if(!e||typeof e!=`object`||Array.isArray(e))throw Error(`profile at "${t}" is not an object`);let n=Object.keys(e),r=n.some(e=>Le.includes(e)),i=n.includes(`name`)&&n.every(e=>Re.has(e));if(!r&&!i)throw Error(`"${t}" does not look like an agent profile: no recognized profile keys (model, prompt, resources, tools, connections, …). Got: ${n.slice(0,6).join(`, `)||`(empty object)`}.`);Ve(e,t)}function Ve(e,t){let n=e.resources;if(!n||typeof n!=`object`)return;for(let e of ze){let r=n[e];if(r!==void 0){if(!Array.isArray(r))throw Error(`profile at "${t}" is malformed: resources.${e} must be an array`);for(let n of r)Ue(e===`files`?He(n):n,t)}}let r=n.instructions;r!==void 0&&typeof r!=`string`&&Ue(r,t)}function He(e){return e&&typeof e==`object`?e.resource:e}function Ue(e,t){let n=e&&typeof e==`object`?e.kind:void 0;if(n!==`inline`&&n!==`github`)throw Error(`profile at "${t}" has an invalid resource ref kind ${JSON.stringify(n)}: expected "inline" or "github"`)}async function We(e){let t=await fetch(e);if(!t.ok)throw Error(`failed to fetch ${e} (${t.status})`);return t.text()}async function Ge(e){let t=e.profileSource?await Ie(e.profileSource):void 0,n=Fe(e);return t?n?{...t,...n,...n.resources?{resources:{...t.resources,...n.resources}}:{}}:t:n}const Ke=p.join(fe.homedir(),`.tangle`),b=p.join(Ke,`credentials.json`),qe=`tangle-sandbox-cli`,Je=`TANGLE_ALLOW_PLAINTEXT_CREDENTIALS`;var Ye=class extends Error{constructor(e,t){super(`Credentials file at ${e} is corrupted and cannot be parsed. Inspect or remove it manually before retrying — refusing to overwrite it automatically.`),this.filePath=e,this.name=`CredentialsFileCorruptedError`,t&&(this.cause=t)}},Xe=class extends Error{constructor(){super(`Could not store credential in the OS keychain, and the plaintext fallback is not enabled. Install a keychain provider (macOS Keychain or libsecret/secret-tool on Linux), or set ${Je}=1 to opt into a plaintext credentials.json with mode 0600.`),this.name=`KeychainUnavailableError`}};function Ze(e){let t=tt(e);if(t)return{value:t,source:`keychain`};let n=it(e);return n?{value:n,source:`file`}:{source:`none`}}function Qe(e,t){if(nt(e,t))return ot(e),`keychain`;if(!et())throw new Xe;return at(e,t),`file`}function $e(e){rt(e),ot(e)}function et(){let e=process.env[Je];if(!e)return!1;let t=e.trim().toLowerCase();return t===`1`||t===`true`||t===`yes`}function tt(e){if(process.platform===`darwin`)try{return he(`security`,[`find-generic-password`,`-s`,qe,`-a`,ut(e),`-w`],{encoding:`utf8`,stdio:[`ignore`,`pipe`,`ignore`]}).trim()}catch{return}if(process.platform===`linux`)try{return he(`secret-tool`,[`lookup`,`service`,qe,`account`,ut(e)],{encoding:`utf8`,stdio:[`ignore`,`pipe`,`ignore`]}).trim()}catch{return}}function nt(e,t){if(process.platform===`darwin`)try{return he(`security`,[`add-generic-password`,`-U`,`-s`,qe,`-a`,ut(e),`-w`,t],{stdio:[`ignore`,`ignore`,`ignore`]}),!0}catch{return!1}if(process.platform===`linux`)try{return he(`secret-tool`,[`store`,`--label=Tangle Sandbox CLI`,`service`,qe,`account`,ut(e)],{input:t,stdio:[`pipe`,`ignore`,`ignore`]}),!0}catch{return!1}return!1}function rt(e){if(process.platform===`darwin`){try{he(`security`,[`delete-generic-password`,`-s`,qe,`-a`,ut(e)],{stdio:[`ignore`,`ignore`,`ignore`]})}catch{}return}if(process.platform===`linux`)try{he(`secret-tool`,[`clear`,`service`,qe,`account`,ut(e)],{stdio:[`ignore`,`ignore`,`ignore`]})}catch{}}function it(e){return st()[e]}function at(e,t){let n=st();n[e]=t,ct(n)}function ot(e){let t;try{t=st()}catch(e){if(e instanceof Ye)return;throw e}e in t&&(delete t[e],ct(t))}function st(){let e;try{e=o.readFileSync(b,`utf8`)}catch(e){if(e instanceof Error&&`code`in e&&e.code===`ENOENT`)return{};throw e}try{let t=JSON.parse(e);if(typeof t!=`object`||!t||Array.isArray(t))throw new Ye(b);let n={};for(let[e,r]of Object.entries(t))typeof r==`string`&&(n[e]=r);return n}catch(e){throw e instanceof Ye?e:new Ye(b,e instanceof Error?e:void 0)}}function ct(e){if(lt(),Object.keys(e).length===0){o.existsSync(b)&&o.unlinkSync(b);return}let t=`${b}.${process.pid}.tmp`;o.writeFileSync(t,`${JSON.stringify(e,null,2)}\n`,{mode:384}),o.renameSync(t,b)}function lt(){if(!o.existsSync(Ke)){o.mkdirSync(Ke,{mode:448,recursive:!0});return}if(process.platform!==`win32`)try{(o.statSync(Ke).mode&511)!=448&&o.chmodSync(Ke,448)}catch{}}function ut(e){return`profile:${e}`}const dt=p.join(fe.homedir(),`.tangle`),ft=p.join(dt,`credentials`),pt=p.join(dt,`config.json`),x=`default`;function mt(){o.existsSync(dt)||o.mkdirSync(dt,{mode:448,recursive:!0})}function ht(e,t){mt();let n=`${e}.${process.pid}.tmp`;o.writeFileSync(n,t,{mode:384}),o.renameSync(n,e)}function gt(){try{if(o.existsSync(ft)){let e=o.readFileSync(ft,`utf-8`).trim();return _t(e)?e:e.match(/api_key\s*=\s*(\S+)/)?.[1]}}catch{}}function _t(e){return e.startsWith(`sk_`)||e.startsWith(`sk-tan-`)}function vt(){try{o.existsSync(ft)&&o.unlinkSync(ft)}catch{}}function S(){return Rt(Lt())}function C(e){let t=zt(S(),e);ht(pt,`${JSON.stringify(t,null,2)}\n`)}function w(e){return Bt(e||process.env.TANGLE_PROFILE||process.env.SANDBOX_PROFILE||S().activeProfile||x)}function yt(e){C({activeProfile:Bt(e)})}function bt(){return process.env.TANGLE_SANDBOX||S().currentSandbox||void 0}function xt(e){C({currentSandbox:e})}function St(){let e=S();delete e.currentSandbox,ht(pt,`${JSON.stringify(e,null,2)}\n`)}function Ct(){let e=S().deviceId;if(e&&/^[A-Za-z0-9_.-]{1,64}$/.test(e))return e;let t=fe.hostname().replace(/[^A-Za-z0-9_.-]/g,`-`).replace(/^-+|-+$/g,``).slice(0,32),n=r(4).toString(`hex`),i=`${t?`${t}-`:`device-`}${n}`;return C({deviceId:i}),i}function wt(e){let t=e||bt();if(!t)throw Error("No sandbox specified. Pass it positionally, set a default with `tangle use <id>`, pass `--box <id>`, or set TANGLE_SANDBOX.");return t}function Tt(){let e=S(),t=w(),n=new Set([x,...Object.keys(e.profiles??{})]);return e.activeProfile&&n.add(Bt(e.activeProfile)),[...n].map(e=>{let n=Ze(e),r=e===x?gt():void 0,i=n.source===`none`?r?`legacy-file`:`none`:n.source;return{name:e,active:e===t,hasApiKey:n.source!==`none`||!!r,baseUrl:jt(void 0,e),apiKeySource:i}}).sort((e,t)=>e.name.localeCompare(t.name))}function Et(e){let t=w(e);return{name:t,active:t===w(),apiKey:kt(void 0,t),baseUrl:jt(void 0,t),credentialSource:At(void 0,t)}}function Dt(e,t){let n=Bt(e),r=S(),i=It(n,r),a={},o=t.baseUrl??i.baseUrl;o&&(a.baseUrl=o);let s=t.activeTeamId??i.activeTeamId;s&&(a.activeTeamId=s);let c=t.activeTeamName??i.activeTeamName;c&&(a.activeTeamName=c);let l={...r.profiles??{}};a.baseUrl||a.activeTeamId||a.activeTeamName?l[n]=a:delete l[n];let u;return t.apiKey&&(u=Qe(n,t.apiKey),n===x&&vt()),C({profiles:Object.keys(l).length>0?l:{}}),u}function Ot(e){let t=w(e),n={...S().profiles??{}},r=n[t];if(r){let e={...r,apiKey:void 0};e.baseUrl||e.activeTeamId||e.activeTeamName?n[t]=e:delete n[t]}C({profiles:n}),$e(t),t===x&&vt()}function kt(e,t){if(e)return e;let n=process.env.TANGLE_API_KEY||process.env.SANDBOX_API_KEY;if(n)return n;let r=w(t),i=Ze(r);if(i.value)return i.value;if(r===x)return gt()}function At(e,t){if(e)return`flag`;if(process.env.TANGLE_API_KEY||process.env.SANDBOX_API_KEY)return`env`;let n=w(t),r=Ze(n);return r.source===`none`?n===x&&gt()?`legacy-file`:`none`:r.source}function jt(e,t){if(e)return e;let n=process.env.TANGLE_BASE_URL||process.env.SANDBOX_BASE_URL;if(n)return n;let r=w(t),i=S(),a=It(r,i);return a.baseUrl?a.baseUrl:r===x&&i.baseUrl?i.baseUrl:`https://sandbox.tangle.tools`}function Mt(e){if(e)return e.replace(/\/v1\/hub\/?$/,``)}function T(e){let t=w(e.profile),n=kt(e.apiKey,t);if(!n)throw Error(`No API key found for profile '${t}'. Set TANGLE_API_KEY or run: tangle auth login${t===x?``:` --profile ${t}`}`);return{apiKey:n,baseUrl:jt(e.baseUrl,t),timeout:e.timeout??3e4,profile:t,...Nt(t)}}function Nt(e){let t=S(),n=It(w(e),t);return{activeTeamId:n.activeTeamId,activeTeamName:n.activeTeamName}}function Pt(e,t){Dt(w(t),{activeTeamId:e.id,activeTeamName:e.name})}function Ft(e){let t=w(e),n=S(),r={...n.profiles??{}},i={baseUrl:It(t,n).baseUrl};i.baseUrl?r[t]=i:delete r[t],C({profiles:r})}function It(e,t=S()){let n=Bt(e);return{...n===x?{baseUrl:t.baseUrl,activeTeamId:t.profiles?.[x]?.activeTeamId,activeTeamName:t.profiles?.[x]?.activeTeamName}:{},...t.profiles?.[n]??{}}}function Lt(){try{if(o.existsSync(pt)){let e=o.readFileSync(pt,`utf-8`);return JSON.parse(e)}}catch{}return{}}function Rt(e){let t=!1,n={};e.apiKey&&(Qe(x,e.apiKey),vt(),t=!0);for(let[r,i]of Object.entries(e.profiles??{})){i.apiKey&&(Qe(r,i.apiKey),t=!0);let e={};i.baseUrl&&(e.baseUrl=i.baseUrl),i.activeTeamId&&(e.activeTeamId=i.activeTeamId),i.activeTeamName&&(e.activeTeamName=i.activeTeamName),Object.keys(e).length>0&&(n[r]=e)}let r={...e,apiKey:void 0,profiles:Object.keys(n).length>0?n:void 0};return t&&ht(pt,`${JSON.stringify(r,null,2)}\n`),r}function zt(e,t){let n=t.profiles===void 0?{...e.profiles??{}}:Object.fromEntries(Object.entries(t.profiles).filter(([,e])=>!!(e.apiKey||e.baseUrl||e.activeTeamId||e.activeTeamName)));return{...e,...t,profiles:Object.keys(n).length>0?n:void 0}}function Bt(e){let t=e.trim().toLowerCase();if(!t)throw Error(`Profile name cannot be empty`);if(!/^[a-z0-9][a-z0-9._-]*$/.test(t))throw Error(`Profile names may only contain lowercase letters, numbers, dots, underscores, and hyphens`);return t}let E=null,D=null;function O(e){if(e)return E&&D&&D.apiKey===e.apiKey&&D.baseUrl===e.baseUrl&&D.timeout===e.timeout?E:(E=new g({apiKey:e.apiKey,baseUrl:e.baseUrl,timeoutMs:e.timeout}),D=e,E);if(E)return E;let t=T({});return E=new g({apiKey:t.apiKey,baseUrl:t.baseUrl,timeoutMs:t.timeout}),D=t,E}function Vt(){E=null,D=null}async function Ht(e,t){let n=t.trim();if(n.length===0)throw Error(`Connection reference is empty.`);if(n.startsWith(`hubconn_`))return n;let{connections:r}=await e.connections.list();return Ut(r,n)}function Ut(e,t){let n=t.trim();if(n.length===0)throw Error(`Connection reference is empty.`);let r=e.find(e=>e.id===n);if(r)return r.id;let i=n.indexOf(`:`),a=(i===-1?n:n.slice(0,i)).trim().toLowerCase(),o=i===-1?null:n.slice(i+1).trim(),s=e.filter(e=>e.status!==`revoked`&&e.providerId.toLowerCase()===a);if(o&&o.length>0){let e=o.toLowerCase();s=s.filter(t=>(t.accountDisplay??``).toLowerCase()===e||t.displayName.toLowerCase()===e)}if(s.length===1)return s[0].id;throw s.length===0?Error(`No hub connection matches "${t}". List your connections with \`tangle hub connections\`.`):Error(Wt(t,s))}function Wt(e,t){let n=t.map(e=>`- ${e.id} (provider: ${e.providerId}, account: ${e.accountDisplay??e.displayName})`).join(`
2
2
  `);return`Hub connection reference is ambiguous: "${e}" matches ${t.length} connections. Use a connection id or provider:account instead.
3
- `+n}function Wt(e,t){return[...t,e]}async function Gt(e,t){let n=e.map(e=>{let t=e.trim(),n=t.indexOf(`:`);return n===-1?{raw:e,ref:null,tail:null}:{raw:e,ref:t.slice(0,n).trim(),tail:t.slice(n+1)}});if(!n.some(e=>e.ref!==null&&e.ref!==`*`&&!e.ref.startsWith(`hubconn_`)))return[...e];let{connections:r}=await(await t()).connections.list();return n.map(e=>e.ref===null||e.ref===`*`||e.ref.startsWith(`hubconn_`)?e.raw:`${Ht(r,e.ref)}:${e.tail}`)}function Kt(e){let t=new Map,n=[];for(let r of e){let e=r.trim(),i=e.indexOf(`:`);if(i===-1)throw Error(`Invalid --connection "${r}": expected <connectionId>:<capability>[,<capability>]. List connection ids with \`tangle hub connections\` and capability paths with \`tangle hub tools search <keyword>\`.`);let a=e.slice(0,i).trim();if(a.length===0)throw Error(`Invalid --connection "${r}": connection id is empty. Use <connectionId>:<capability> — list ids with \`tangle hub connections\`.`);let o=e.slice(i+1).split(`,`).map(e=>e.trim()).filter(e=>e.length>0);if(o.length===0)throw Error(`Invalid --connection "${r}": grant at least one capability, e.g. ${a}:gmail.messages.list. Discover paths with \`tangle hub tools search <keyword>\`.`);if(o.includes(`*`)&&o.length>1)throw Error(`Invalid --connection "${r}": "*" grants all capabilities and can't be combined with specific paths. Use <connectionId>:* alone, or list explicit paths.`);if(a===`*`&&!(o.length===1&&o[0]===`*`))throw Error(`Invalid --connection "${r}": a "*" connection is only valid as "*:*" (all connections, all capabilities). Name a connection id for specific paths.`);let s=t.get(a);s===void 0&&(s=new Set,t.set(a,s),n.push(a));for(let e of o)s.add(e)}return n.map(e=>{let n=t.get(e),r=n?[...n]:[];if(r.includes(`*`)&&r.length>1)throw Error(`Invalid --connection for "${e}": "*" can't be combined with specific capability paths across repeated --connection flags.`);return{connectionId:e,capabilities:r}})}function qt(e){return e==null?a.dim(`-`):typeof e==`boolean`?e?a.green(`yes`):a.red(`no`):e instanceof Date?Yt(e):typeof e==`string`&&Jt(e)?Yt(new Date(e)):String(e)}function Jt(e){return/^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}/.test(e)}function Yt(e){let t=Date.now()-e.getTime();if(t<6e4)return`just now`;if(t<36e5)return`${Math.floor(t/6e4)} min ago`;if(t<864e5){let e=Math.floor(t/36e5);return`${e} hour${e>1?`s`:``} ago`}let n=Math.floor(t/864e5);return`${n} day${n>1?`s`:``} ago`}function Xt(e){switch(e){case`running`:return a.green(e);case`pending`:case`provisioning`:return a.yellow(e);case`stopped`:return a.gray(e);case`failed`:case`deleted`:return a.red(e);default:return e}}function A(e,t){if(e.length===0){console.log(a.dim(`No items found.`));return}let n=t.map(t=>{let n=t.header.length,r=Math.max(...e.map(e=>qt(e[t.key]).length));return t.width??Math.max(n,r)+2}),r=t.map((e,t)=>a.bold(e.header.padEnd(n[t]))).join(``);console.log(r);for(let r of e){let e=t.map((e,t)=>{let i=qt(r[e.key]);return e.key===`status`&&(i=Xt(String(r[e.key]))),i.padEnd(n[t])}).join(``);console.log(e)}}function j(e){console.log(JSON.stringify(e,null,2))}function M(e){console.log(a.green(`✓`),e)}function N(e){console.error(a.red(`✗`),e)}function Zt(e){console.log(a.yellow(`!`),e)}function P(e){console.log(a.blue(`→`),e)}const Qt=new Set;function F(e){let t=ye({text:e,color:`cyan`});return Qt.add(t),t}function $t(){for(let e of Qt)e.isSpinning&&e.stop();Qt.clear()}function I(e,t=0){let n=` `.repeat(t);for(let[t,r]of Object.entries(e))r!=null&&console.log(`${n}${a.dim(`${t}:`)} ${qt(r)}`)}function en(e){if(console.log(),console.log(a.bold(`Sandbox Details`)),console.log(a.dim(`─`.repeat(40))),I({ID:e.id,Name:e.name,Status:Xt(e.status),Created:e.createdAt,Expires:e.expiresAt}),e.connection){if(console.log(),console.log(a.bold(`Connection`)),console.log(a.dim(`─`.repeat(40))),e.connection.ssh){let{ssh:t}=e.connection,n=process.platform===`win32`?`NUL`:`/dev/null`,r=`ssh -o ProxyCommand="${t.proxyCommand}" -o StrictHostKeyChecking=no -o UserKnownHostsFile=${n} -o GlobalKnownHostsFile=${n} -o LogLevel=ERROR -o ServerAliveInterval=15 -o ServerAliveCountMax=4 -o TCPKeepAlive=yes ${t.username}@localhost -p ${t.port}`;I({SSH:process.platform===`win32`?`$env:TANGLE_SSH_PROXY_AUTH_TOKEN='<token>'; ${r}`:`TANGLE_SSH_PROXY_AUTH_TOKEN='<token>' ${r}`})}e.connection.webTerminalUrl&&I({"Web Terminal":e.connection.webTerminalUrl}),e.connection.runtimeUrl&&I({"API URL":e.connection.runtimeUrl})}console.log()}function L(e,t){$t(),t?j({error:e.message}):N(e.message),process.exit(1)}function R(e){j(e)}function z(e,t){if(t.length===0){console.log(a.dim(`No items found.`));return}let n=e.map((e,n)=>{let r=Math.max(...t.map(e=>String(e[n]??``).length));return Math.max(e.length,r)+2});console.log(e.map((e,t)=>a.bold(e.padEnd(n[t]))).join(``));for(let e of t)console.log(e.map((e,t)=>String(e??``).padEnd(n[t])).join(``))}function B(e,t=!1){$t(),t&&(j(tn(e)),process.exit(ln(e)));let n=nn(e);console.error(a.red(`Error:`),n),process.exit(ln(e))}function tn(e){return e instanceof ve?{error:{code:e.code,message:e.message,...typeof e.status==`number`?{status:e.status}:{},...e.details===void 0?{}:{details:e.details}}}:cn(e)?{error:{code:e.code,message:e.message,status:e.status,...e.details===void 0?{}:{details:e.details}}}:{error:{message:nn(e)}}}function nn(e){if(e instanceof h)return`Authentication failed. Run 'tangle auth login' to authenticate.`;if(e instanceof ie)return`Resource not found. Check the ID and try again.`;if(e instanceof _)return`Quota exceeded. Upgrade your plan or wait for quota reset.`;if(e instanceof ce)return`Invalid input: ${e.message}`;if(e instanceof oe)return`Invalid state: ${e.message}`;if(e instanceof se)return`Request timed out after ${e.timeoutMs} ms. Retry, or re-run with a longer --timeout <ms> on commands that accept it (e.g. create, resume).`;if(e instanceof g)return`Network error. Check your connection and try again.`;if(e instanceof ae)return`${e.status?`HTTP ${e.status}`:`server error`}: ${e.message}`;if(e instanceof ve){let t=typeof e.status==`number`?` (HTTP ${e.status})`:``;return e.code===`HUB_CONNECTION_MISSING`?rn(e.code,t,e.message,e.details):e.code===`HUB_APPROVAL_REQUIRED`?on(e.code,t,e.message):e.code===`HUB_UNAUTHENTICATED`?sn(e.code,t,e.message):`${e.code}${t}: ${e.message}`}return cn(e)?e.code===`HUB_CONNECTION_MISSING`?rn(e.code,` (HTTP ${e.status})`,e.message,e.details):e.code===`HUB_APPROVAL_REQUIRED`?on(e.code,` (HTTP ${e.status})`,e.message):e.code===`HUB_UNAUTHENTICATED`?sn(e.code,` (HTTP ${e.status})`,e.message):`${e.code} (HTTP ${e.status}): ${e.message}`:e instanceof Error?e.message:String(e)}function rn(e,t,n,r){let i=an(r);return`${e}${t}: ${n}${i?`. Run: tangle hub connect ${i}`:``}`}function an(e){if(!e||typeof e!=`object`)return;let t=e.provider;return typeof t==`string`&&t.length>0?t:void 0}function on(e,t,n){return`${e}${t}: ${n}. Run the command again with --auto-approve, or run: tangle hub resume <approval-id> --accept. See: tangle hub resume --help`}function sn(e,t,n){return`${e}${t}: ${n}. The CLI auto-mints a short-lived Hub key from your login session, so this usually means that session has expired — run 'tangle auth login' to re-authenticate. To use a credential directly instead, set TANGLE_API_KEY, SANDBOX_API_KEY, or TANGLE_HUB_CAPABILITY_TOKEN (and pass --no-hub-key to skip auto-minting).`}function cn(e){if(!(e instanceof Error))return!1;let t=e;return typeof t.code==`string`&&t.code.startsWith(`HUB_`)&&typeof t.status==`number`}function ln(e){return e instanceof ce?2:1}function un(e,t){return n(`sha256`).update(`${e}${t}`).digest(`hex`).slice(0,32)}function dn(e){return`${e}:hub`}function fn(e){let{value:t}=Ze(dn(e));if(!t)return null;try{let e=JSON.parse(t);if(typeof e.key==`string`&&typeof e.expiresAt==`string`&&typeof e.platformUrl==`string`&&typeof e.sessionFingerprint==`string`)return{key:e.key,expiresAt:e.expiresAt,platformUrl:e.platformUrl,sessionFingerprint:e.sessionFingerprint}}catch{}return null}function pn(e,t){try{Qe(dn(e),JSON.stringify(t))}catch{}}async function mn(e,t,n){let r=`${e.replace(/\/+$/,``)}/auth/cli/hub-key`,i;try{i=await fetch(r,{method:`POST`,headers:{"Content-Type":`application/json`,Authorization:`Bearer ${t}`},body:JSON.stringify({device_id:n})})}catch(e){throw Error(`Could not reach ${r} to mint a Hub key: ${e instanceof Error?e.message:String(e)}`)}let a=await i.text(),o;try{o=JSON.parse(a)}catch{o=null}if(!i.ok||!o?.success){let e=typeof o?.error?.message==`string`?o.error.message:`HTTP ${i.status}`;throw Error(`Hub key minting failed: ${e}. Your sandbox session may have expired — run \`tangle auth login\`.`)}let s=o.data;if(typeof s?.api_key!=`string`||typeof s?.expires_at!=`string`||typeof s?.platform_url!=`string`)throw Error(`Hub key minting returned an unexpected response shape.`);return{key:s.api_key,expiresAt:s.expires_at,platformUrl:s.platform_url}}var hn=class{cache;fingerprint;constructor(e,t,n,r){this.profile=e,this.sandboxBaseUrl=t,this.sessionToken=n,this.deviceId=r,this.fingerprint=un(t,n);let i=fn(e);this.cache=i&&i.sessionFingerprint===this.fingerprint?i:null}isFresh(e){return e!==null&&Date.parse(e.expiresAt)-Date.now()>6e4}async ensure(e=!1){if(!e&&this.isFresh(this.cache))return this.cache;let t={...await mn(this.sandboxBaseUrl,this.sessionToken,this.deviceId),sessionFingerprint:this.fingerprint};return this.cache=t,pn(this.profile,t),t}};function gn(e){if(!e)return!1;let t=e.trim().toLowerCase();return t===`1`||t===`true`||t===`yes`}function _n(e,t){if(e.baseUrl)return e.baseUrl;let n=jt(process.env.TANGLE_HUB_URL);if(n)return n;let r=fn(t);return r?r.platformUrl:`https://id.tangle.tools`}function vn(e,t){let n=w(),r=T(e.apiKey,n),i=kt(e.apiKey,n),a=process.env.TANGLE_HUB_CAPABILITY_TOKEN?.trim()||void 0;if(a&&i===`env`)throw Error(`Set exactly one of TANGLE_API_KEY/SANDBOX_API_KEY or TANGLE_HUB_CAPABILITY_TOKEN, not both`);if(i===`flag`&&r)return{kind:`static`,apiKey:r,baseUrl:_n(e,n)};if(i===`env`&&r)return{kind:`static`,apiKey:a??r,baseUrl:_n(e,n)};if(a)return{kind:`static`,apiKey:a,baseUrl:_n(e,n)};if(!r)throw Error(`No API key found for profile '${n}'. Set TANGLE_API_KEY or run: tangle auth login${n===`default`?``:` --profile ${n}`}`);return t?{kind:`static`,apiKey:r,baseUrl:_n(e,n)}:{kind:`managed`,profile:n,sandboxBaseUrl:At(void 0,n),sessionToken:r,deviceId:Ct(),baseUrlOverride:e.baseUrl}}async function V(e={}){let t=vn(e,e.hubKey===!1||gn(process.env.TANGLE_SKIP_HUB_KEY));if(t.kind===`static`)return new _e({baseUrl:t.baseUrl,apiKey:t.apiKey});let n=new hn(t.profile,t.sandboxBaseUrl,t.sessionToken,t.deviceId),r=await n.ensure();return new _e({baseUrl:t.baseUrlOverride??r.platformUrl,authHeaders:async()=>({Authorization:`Bearer ${(await n.ensure()).key}`}),fetch:async(e,t)=>{let r=await fetch(e,t);if(r.status!==401)return r;let i=await n.ensure(!0),a=new Headers(t?.headers);return a.set(`Authorization`,`Bearer ${i.key}`),fetch(e,{...t,headers:a})}})}function yn(e){return e instanceof Date?e.toISOString():String(e)}function bn(e,t){return`Sandbox name is ambiguous: ${e}. Use a sandbox id instead.\n${t.map(e=>`- ${e.id} (status: ${e.status}, created: ${yn(e.createdAt)})`).join(`
3
+ `+n}function Gt(e,t){return[...t,e]}async function Kt(e,t){let n=e.map(e=>{let t=e.trim(),n=t.indexOf(`:`);return n===-1?{raw:e,ref:null,tail:null}:{raw:e,ref:t.slice(0,n).trim(),tail:t.slice(n+1)}});if(!n.some(e=>e.ref!==null&&e.ref!==`*`&&!e.ref.startsWith(`hubconn_`)))return[...e];let{connections:r}=await(await t()).connections.list();return n.map(e=>e.ref===null||e.ref===`*`||e.ref.startsWith(`hubconn_`)?e.raw:`${Ut(r,e.ref)}:${e.tail}`)}function qt(e){let t=new Map,n=[];for(let r of e){let e=r.trim(),i=e.indexOf(`:`);if(i===-1)throw Error(`Invalid --connection "${r}": expected <connectionId>:<capability>[,<capability>]. List connection ids with \`tangle hub connections\` and capability paths with \`tangle hub tools search <keyword>\`.`);let a=e.slice(0,i).trim();if(a.length===0)throw Error(`Invalid --connection "${r}": connection id is empty. Use <connectionId>:<capability> — list ids with \`tangle hub connections\`.`);let o=e.slice(i+1).split(`,`).map(e=>e.trim()).filter(e=>e.length>0);if(o.length===0)throw Error(`Invalid --connection "${r}": grant at least one capability, e.g. ${a}:gmail.messages.list. Discover paths with \`tangle hub tools search <keyword>\`.`);if(o.includes(`*`)&&o.length>1)throw Error(`Invalid --connection "${r}": "*" grants all capabilities and can't be combined with specific paths. Use <connectionId>:* alone, or list explicit paths.`);if(a===`*`&&!(o.length===1&&o[0]===`*`))throw Error(`Invalid --connection "${r}": a "*" connection is only valid as "*:*" (all connections, all capabilities). Name a connection id for specific paths.`);let s=t.get(a);s===void 0&&(s=new Set,t.set(a,s),n.push(a));for(let e of o)s.add(e)}return n.map(e=>{let n=t.get(e),r=n?[...n]:[];if(r.includes(`*`)&&r.length>1)throw Error(`Invalid --connection for "${e}": "*" can't be combined with specific capability paths across repeated --connection flags.`);return{connectionId:e,capabilities:r}})}function Jt(e){return e==null?a.dim(`-`):typeof e==`boolean`?e?a.green(`yes`):a.red(`no`):e instanceof Date?Xt(e):typeof e==`string`&&Yt(e)?Xt(new Date(e)):String(e)}function Yt(e){return/^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}/.test(e)}function Xt(e){let t=Date.now()-e.getTime();if(t<6e4)return`just now`;if(t<36e5)return`${Math.floor(t/6e4)} min ago`;if(t<864e5){let e=Math.floor(t/36e5);return`${e} hour${e>1?`s`:``} ago`}let n=Math.floor(t/864e5);return`${n} day${n>1?`s`:``} ago`}function Zt(e){switch(e){case`running`:return a.green(e);case`pending`:case`provisioning`:return a.yellow(e);case`stopped`:return a.gray(e);case`failed`:case`deleted`:return a.red(e);default:return e}}function k(e,t){if(e.length===0){console.log(a.dim(`No items found.`));return}let n=t.map(t=>{let n=t.header.length,r=Math.max(...e.map(e=>Jt(e[t.key]).length));return t.width??Math.max(n,r)+2}),r=t.map((e,t)=>a.bold(e.header.padEnd(n[t]))).join(``);console.log(r);for(let r of e){let e=t.map((e,t)=>{let i=Jt(r[e.key]);return e.key===`status`&&(i=Zt(String(r[e.key]))),i.padEnd(n[t])}).join(``);console.log(e)}}function A(e){console.log(JSON.stringify(e,null,2))}function j(e){console.log(a.green(`✓`),e)}function M(e){console.error(a.red(`✗`),e)}function N(e){console.log(a.yellow(`!`),e)}function P(e){console.log(a.blue(`→`),e)}const Qt=new Set;function F(e){let t=ye({text:e,color:`cyan`});return Qt.add(t),t}function $t(){for(let e of Qt)e.isSpinning&&e.stop();Qt.clear()}function I(e,t=0){let n=` `.repeat(t);for(let[t,r]of Object.entries(e))r!=null&&console.log(`${n}${a.dim(`${t}:`)} ${Jt(r)}`)}function en(e){if(console.log(),console.log(a.bold(`Sandbox Details`)),console.log(a.dim(`─`.repeat(40))),I({ID:e.id,Name:e.name,Status:Zt(e.status),Created:e.createdAt,Expires:e.expiresAt}),e.connection){if(console.log(),console.log(a.bold(`Connection`)),console.log(a.dim(`─`.repeat(40))),e.connection.ssh){let{ssh:t}=e.connection,n=process.platform===`win32`?`NUL`:`/dev/null`,r=`ssh -o ProxyCommand="${t.proxyCommand}" -o StrictHostKeyChecking=no -o UserKnownHostsFile=${n} -o GlobalKnownHostsFile=${n} -o LogLevel=ERROR -o ServerAliveInterval=15 -o ServerAliveCountMax=4 -o TCPKeepAlive=yes ${t.username}@localhost -p ${t.port}`;I({SSH:process.platform===`win32`?`$env:TANGLE_SSH_PROXY_AUTH_TOKEN='<token>'; ${r}`:`TANGLE_SSH_PROXY_AUTH_TOKEN='<token>' ${r}`})}e.connection.webTerminalUrl&&I({"Web Terminal":e.connection.webTerminalUrl}),e.connection.runtimeUrl&&I({"API URL":e.connection.runtimeUrl})}console.log()}function L(e,t){$t(),t?A({error:e.message}):M(e.message),process.exit(1)}function R(e){A(e)}function z(e,t){if(t.length===0){console.log(a.dim(`No items found.`));return}let n=e.map((e,n)=>{let r=Math.max(...t.map(e=>String(e[n]??``).length));return Math.max(e.length,r)+2});console.log(e.map((e,t)=>a.bold(e.padEnd(n[t]))).join(``));for(let e of t)console.log(e.map((e,t)=>String(e??``).padEnd(n[t])).join(``))}function B(e,t=!1){$t(),t&&(A(tn(e)),process.exit(ln(e)));let n=nn(e);console.error(a.red(`Error:`),n),process.exit(ln(e))}function tn(e){return e instanceof ve?{error:{code:e.code,message:e.message,...typeof e.status==`number`?{status:e.status}:{},...e.details===void 0?{}:{details:e.details}}}:cn(e)?{error:{code:e.code,message:e.message,status:e.status,...e.details===void 0?{}:{details:e.details}}}:{error:{message:nn(e)}}}function nn(e){if(e instanceof ie)return`Authentication failed. Run 'tangle auth login' to authenticate.`;if(e instanceof ae)return`Resource not found. Check the ID and try again.`;if(e instanceof oe)return`Quota exceeded. Upgrade your plan or wait for quota reset.`;if(e instanceof ce)return`Invalid input: ${e.message}`;if(e instanceof v)return`Invalid state: ${e.message}`;if(e instanceof se)return`Request timed out after ${e.timeoutMs} ms. Retry, or re-run with a longer --timeout <ms> on commands that accept it (e.g. create, resume).`;if(e instanceof h)return`Network error. Check your connection and try again.`;if(e instanceof _)return`${e.status?`HTTP ${e.status}`:`server error`}: ${e.message}`;if(e instanceof ve){let t=typeof e.status==`number`?` (HTTP ${e.status})`:``;return e.code===`HUB_CONNECTION_MISSING`?rn(e.code,t,e.message,e.details):e.code===`HUB_APPROVAL_REQUIRED`?on(e.code,t,e.message):e.code===`HUB_UNAUTHENTICATED`?sn(e.code,t,e.message):`${e.code}${t}: ${e.message}`}return cn(e)?e.code===`HUB_CONNECTION_MISSING`?rn(e.code,` (HTTP ${e.status})`,e.message,e.details):e.code===`HUB_APPROVAL_REQUIRED`?on(e.code,` (HTTP ${e.status})`,e.message):e.code===`HUB_UNAUTHENTICATED`?sn(e.code,` (HTTP ${e.status})`,e.message):`${e.code} (HTTP ${e.status}): ${e.message}`:e instanceof Error?e.message:String(e)}function rn(e,t,n,r){let i=an(r);return`${e}${t}: ${n}${i?`. Run: tangle hub connect ${i}`:``}`}function an(e){if(!e||typeof e!=`object`)return;let t=e.provider;return typeof t==`string`&&t.length>0?t:void 0}function on(e,t,n){return`${e}${t}: ${n}. Run the command again with --auto-approve, or run: tangle hub resume <approval-id> --accept. See: tangle hub resume --help`}function sn(e,t,n){return`${e}${t}: ${n}. The CLI auto-mints a short-lived Hub key from your login session, so this usually means that session has expired — run 'tangle auth login' to re-authenticate. To use a credential directly instead, set TANGLE_API_KEY, SANDBOX_API_KEY, or TANGLE_HUB_CAPABILITY_TOKEN (and pass --no-hub-key to skip auto-minting).`}function cn(e){if(!(e instanceof Error))return!1;let t=e;return typeof t.code==`string`&&t.code.startsWith(`HUB_`)&&typeof t.status==`number`}function ln(e){return e instanceof ce?2:1}function un(e,t){return n(`sha256`).update(`${e}${t}`).digest(`hex`).slice(0,32)}function dn(e){return`${e}:hub`}function fn(e){let{value:t}=Ze(dn(e));if(!t)return null;try{let e=JSON.parse(t);if(typeof e.key==`string`&&typeof e.expiresAt==`string`&&typeof e.platformUrl==`string`&&typeof e.sessionFingerprint==`string`)return{key:e.key,expiresAt:e.expiresAt,platformUrl:e.platformUrl,sessionFingerprint:e.sessionFingerprint}}catch{}return null}function pn(e,t){try{Qe(dn(e),JSON.stringify(t))}catch{}}async function mn(e,t,n){let r=`${e.replace(/\/+$/,``)}/auth/cli/hub-key`,i;try{i=await fetch(r,{method:`POST`,headers:{"Content-Type":`application/json`,Authorization:`Bearer ${t}`},body:JSON.stringify({device_id:n})})}catch(e){throw Error(`Could not reach ${r} to mint a Hub key: ${e instanceof Error?e.message:String(e)}`)}let a=await i.text(),o;try{o=JSON.parse(a)}catch{o=null}if(!i.ok||!o?.success){let e=typeof o?.error?.message==`string`?o.error.message:`HTTP ${i.status}`;throw Error(`Hub key minting failed: ${e}. Your sandbox session may have expired — run \`tangle auth login\`.`)}let s=o.data;if(typeof s?.api_key!=`string`||typeof s?.expires_at!=`string`||typeof s?.platform_url!=`string`)throw Error(`Hub key minting returned an unexpected response shape.`);return{key:s.api_key,expiresAt:s.expires_at,platformUrl:s.platform_url}}var hn=class{cache;fingerprint;constructor(e,t,n,r){this.profile=e,this.sandboxBaseUrl=t,this.sessionToken=n,this.deviceId=r,this.fingerprint=un(t,n);let i=fn(e);this.cache=i&&i.sessionFingerprint===this.fingerprint?i:null}isFresh(e){return e!==null&&Date.parse(e.expiresAt)-Date.now()>6e4}async ensure(e=!1){if(!e&&this.isFresh(this.cache))return this.cache;let t={...await mn(this.sandboxBaseUrl,this.sessionToken,this.deviceId),sessionFingerprint:this.fingerprint};return this.cache=t,pn(this.profile,t),t}};function gn(e){if(!e)return!1;let t=e.trim().toLowerCase();return t===`1`||t===`true`||t===`yes`}function _n(e,t){if(e.baseUrl)return e.baseUrl;let n=Mt(process.env.TANGLE_HUB_URL);if(n)return n;let r=fn(t);return r?r.platformUrl:`https://id.tangle.tools`}function vn(e,t){let n=w(),r=kt(e.apiKey,n),i=At(e.apiKey,n),a=process.env.TANGLE_HUB_CAPABILITY_TOKEN?.trim()||void 0;if(a&&i===`env`)throw Error(`Set exactly one of TANGLE_API_KEY/SANDBOX_API_KEY or TANGLE_HUB_CAPABILITY_TOKEN, not both`);if(i===`flag`&&r)return{kind:`static`,apiKey:r,baseUrl:_n(e,n)};if(i===`env`&&r)return{kind:`static`,apiKey:a??r,baseUrl:_n(e,n)};if(a)return{kind:`static`,apiKey:a,baseUrl:_n(e,n)};if(!r)throw Error(`No API key found for profile '${n}'. Set TANGLE_API_KEY or run: tangle auth login${n===`default`?``:` --profile ${n}`}`);return t?{kind:`static`,apiKey:r,baseUrl:_n(e,n)}:{kind:`managed`,profile:n,sandboxBaseUrl:jt(void 0,n),sessionToken:r,deviceId:Ct(),baseUrlOverride:e.baseUrl}}async function V(e={}){let t=vn(e,e.hubKey===!1||gn(process.env.TANGLE_SKIP_HUB_KEY));if(t.kind===`static`)return new _e({baseUrl:t.baseUrl,apiKey:t.apiKey});let n=new hn(t.profile,t.sandboxBaseUrl,t.sessionToken,t.deviceId),r=await n.ensure();return new _e({baseUrl:t.baseUrlOverride??r.platformUrl,authHeaders:async()=>({Authorization:`Bearer ${(await n.ensure()).key}`}),fetch:async(e,t)=>{let r=await fetch(e,t);if(r.status!==401)return r;let i=await n.ensure(!0),a=new Headers(t?.headers);return a.set(`Authorization`,`Bearer ${i.key}`),fetch(e,{...t,headers:a})}})}function yn(e){return e instanceof Date?e.toISOString():String(e)}function bn(e,t){return`Sandbox name is ambiguous: ${e}. Use a sandbox id instead.\n${t.map(e=>`- ${e.id} (status: ${e.status}, created: ${yn(e.createdAt)})`).join(`
4
4
  `)}`}function xn(e){return e.activeTeamId?`team:${e.activeTeamId}`:void 0}async function H(e,t,n){let r=await e.get(n);if(r||n.startsWith(`sandbox-`)){if(!r)throw Error(`Sandbox not found: ${n}`);return r}let i=(await e.list({scope:xn(t)})).filter(e=>e.name?.toLowerCase()===n.toLowerCase());if(i.length===0)throw Error(`Sandbox not found: ${n}`);if(i.length>1)throw Error(bn(n,i));return i[0]}async function U(e,t){if(e.status!==`stopped`)return e;let n=t?.resumeTimeoutMs??12e4;P(`Sandbox ${e.id} is stopped. Resuming...`);try{await e.resume({timeoutMs:n}),await e.waitFor(`running`,{timeoutMs:n})}catch(t){let r=t instanceof Error?t.message:String(t);throw Error(`Failed to resume sandbox ${e.id}: ${r}. Run \`tangle sandbox resume ${e.id} --timeout ${n}\` and retry.`)}return e}const Sn=[`anthropic`,`openai`,`vercel-ai`,`mastra`,`mcp-local`,`claude-desktop`,`cursor`,`zed`];function Cn(e,t,n){switch(e){case`anthropic`:return`// pnpm add @anthropic-ai/sdk @tangle-network/sandbox
5
5
  import Anthropic from "@anthropic-ai/sdk";
6
6
  import { Sandbox } from "@tangle-network/sandbox";
@@ -122,7 +122,7 @@ await connect(new StdioServerTransport());`;case`claude-desktop`:return`// Add t
122
122
  }
123
123
  }
124
124
  }`}}function wn(e){return{anthropic:`Anthropic Messages API (Claude)`,openai:`OpenAI Chat Completions (function calling)`,"vercel-ai":`Vercel AI SDK (generateText / streamText)`,mastra:`Mastra agent framework`,"mcp-local":`Local MCP server bridge (stdio)`,"claude-desktop":`Claude Desktop config (uses local MCP)`,cursor:`Cursor config (uses local MCP)`,zed:`Zed config (uses local MCP)`}[e]}function Tn(){return new t(`connect`).description(`Print a copy-paste SDK integration snippet for one of: ${Sn.join(`, `)} (to stream a local agent's telemetry to Intelligence, see 'tangle connect')`).argument(`<framework>`,Sn.join(` | `)).option(`-i, --sandbox <id>`,`Sandbox ID to embed in the snippet`,`<SANDBOX_ID>`).option(`-s, --session <id>`,`Session ID to embed in the snippet`,`default`).action((e,t)=>{Sn.includes(e)||(console.error(a.red(`unknown framework: ${e}`),`\nsupported: ${Sn.join(`, `)}`),process.exit(2));let n=e;process.stdout.write(a.cyan(`# ${wn(n)}\n\n`)),process.stdout.write(`${Cn(n,t.sandbox,t.session)}\n`)})}async function En(e){let{Writable:t}=await import(`node:stream`),n=await import(`node:readline`),r=!1,i=new t({write(e,t,n){r||process.stdout.write(e,t),n()}}),a=n.createInterface({input:process.stdin,output:i,terminal:!0});return process.stdout.write(e),r=!0,await new Promise(e=>{a.question(``,t=>{r=!1,a.close(),process.stdout.write(`
125
- `),e(t.trim())})})}async function W(e){let t=(await import(`node:readline`)).createInterface({input:process.stdin,output:process.stdout}),n=await new Promise(n=>{t.question(e,e=>{t.close(),n(e.trim().toLowerCase())})});return n===`y`||n===`yes`}async function G(e,t){let n=(await import(`node:readline`)).createInterface({input:process.stdin,output:process.stdout}),r=t?` [${t}]`:``;return await new Promise(t=>{n.question(`${e}${r}: `,e=>{n.close(),t(e.trim())})})||t||``}async function Dn(){if(process.stdin.isTTY)throw Error(`Cannot read secret from stdin when stdin is a TTY`);let e=[];for await(let t of process.stdin)e.push(Buffer.isBuffer(t)?t:Buffer.from(t));return Buffer.concat(e).toString(`utf8`).replace(/\r?\n$/,``)}function On(){let e=new t(`profile`).description(`Create, inspect, and validate portable agent profiles`);return e.command(`create [output]`).description(`Create a profile — interactively (a wizard), or fully via flags`).option(`--name <name>`,`Profile name (when set, skips the wizard)`).option(`--description <text>`,`Profile description`).option(`--model <model>`,`Model (provider/model)`).option(`--system-prompt <text>`,`System prompt`).option(`--skills <ref...>`,`Skill refs: local path or github:<owner>/<repo>/<path>[@<ref>]`).option(`--tools <ref...>`,`Tool refs: local path or github:<owner>/<repo>/<path>[@<ref>]`).option(`--harness <name>`,`Harness hint shown in the run command`).option(`--json`,`Print the profile as JSON instead of writing a file`).action(async(e,t)=>{try{let n=t.name,r=t.description,i=t.harness,a=t.model,o=t.systemPrompt,s=t.skills??[],c=t.tools??[];if(!n&&process.stdin.isTTY&&(n=await G(`Profile name`,`my-agent`),r=await G(`Description (optional)`)||void 0,i=await G(`Harness`,`claude-code`)||void 0,a=await G(`Model (optional, provider/model)`)||void 0,o=await G(`System prompt (optional)`)||void 0,s=await kn(`Skill ref (local path or github:..., blank to finish)`),c=await kn(`Tool ref (blank to finish)`)),!n)throw Error(process.stdin.isTTY?`Profile name is required.`:"`agent profile create` needs at least --name in a non-interactive shell (no TTY to prompt). Pass --name <name> (and optionally --model/--skills/--tools/--system-prompt).");let l=Fe({model:a,systemPrompt:o,skills:s,tools:c}),u={...n?{name:n}:{},...r?{description:r}:{},...l??{}};if(t.json){j(u);return}let d=e??`agent-profile.json`;f(d,`${JSON.stringify(u,null,2)}\n`),P(`Wrote ${d}`),P(`Run it: tangle agent prompt <box> --profile ${d}${i?` --harness ${i}`:``}`)}catch(e){B(e,t.json)}}),e.command(`show <source>`).description(`Load and print a profile (local path, https URL, or github:owner/repo/path[@ref])`).action(async e=>{try{j(await Ie(e))}catch(e){B(e,!0)}}),e.command(`validate <source>`).description(`Check a profile loads and is a well-formed object`).action(async e=>{try{let t=await Ie(e);P(`OK — "${typeof t.name==`string`?t.name:`(unnamed)`}" loaded as a valid profile object`)}catch(e){B(e)}}),e}async function kn(e){let t=[];for(;;){let n=await G(e);if(!n)break;t.push(n)}return t}function An(e){let t=typeof e.type==`string`?e.type:void 0,n=t===`tool-invocation`||t===`tool_call`||t===`computer-use`||t===`computer_call`,r=e.toolInvocation??e.tool_invocation??e.computerUse??e.computer_use;if(!r&&!n)return;let i=r??e;if(t===`computer-use`||t===`computer_call`)return`computer-use:${i.action?.type??`action`}`;let a=i.toolName??i.tool_name??i.name;return typeof a==`string`&&a.length>0?a:void 0}function jn(e){return([process.env.SANDBOX_WEB_URL,process.env.TANGLE_SANDBOX_WEB_URL].map(e=>e?.trim()).find(e=>!!e)??e).replace(/\/+$/,``)}function Mn(e){let t=e.toolInvocation??e.tool_invocation??e.computerUse??e.computer_use??e,n=t.state?.status,r=typeof t.status==`string`?t.status:void 0;return n??r}function Nn(e,t){if(process.exitCode=1,e.status===`blocked_on_approval`){console.error(a.yellow(`⚠ Blocked on a hub approval.`));let t=e.approval?.approvalId;console.error(t?`Approve it: tangle hub approvals approve ${t}`:"Approve the pending request (`tangle hub approvals`), then re-run.");return}if(e.status===`awaiting_question`){console.error(a.yellow(`⚠ Agent is awaiting an answer to a question.`)),console.error(`Re-run with --interactive to answer it, or answer programmatically via box.session(<id>).answer({ ... }).`);return}console.error(a.red(`✗ ${e.error&&e.error.length>0?e.error:t}`))}function Pn(e,t){return process.exitCode=1,t&&j({status:`awaiting_question`,needsInput:e}),`Agent is awaiting an answer (questionId: ${e.questionId??`unknown`}). Re-run with --interactive to answer, or answer via box.session(<id>).answer({ ... }).`}function Fn(e){let t=e.part;if(t?.type===`text`)return t.text??t.content??void 0}function In(e){return e.finalText??e.response??e.output??e.content??e.text??void 0}function Ln(e){if(typeof e==`string`)return e;try{return JSON.stringify(e)??``}catch{return String(e)}}function Rn(e,t=0){if(t>6||typeof e!=`object`||!e)return;let n=e,r=n.approval;if(r&&typeof r.id==`string`)return r.id;for(let e of Object.values(n)){let n=Rn(e,t+1);if(n)return n}}function zn(e){let t=e?.toolInvocations;if(!Array.isArray(t))return;let n=t.find(e=>e?.isError===!0);if(n){if(Ln(n.result).includes(`HUB_APPROVAL_REQUIRED`)){let e=Rn(n.result);return e?`Blocked on hub approval — approve with: tangle hub approvals approve ${e}`:"Blocked on hub approval — approve the pending request (`tangle hub approvals`) then re-run."}return`Tool "${n.toolName??`unknown`}" failed`}}function Bn(e){if(e.sawError){console.error(a.red(`✗ ${e.errorMsg??`Agent run failed`}`)),process.exitCode=1;return}let t=Date.now()-e.startedAt,n=e.tokenUsage,r=[`${t}ms`,n?.inputTokens===void 0?void 0:`${n.inputTokens} in`,n?.outputTokens===void 0?void 0:`${n.outputTokens} out`].filter(e=>!!e);console.log(a.green(`✓ Done`),a.dim(`(${r.join(`, `)})`))}function Vn(e,t){let n=An(e);if(!n)return;let r=Mn(e),i=e.toolCallId??e.tool_call_id??e.callId??e.id,o=typeof i==`string`&&i.length>0?i:`${n}#${t.size}`;r===`running`||r===`in_progress`||r===void 0?t.has(o)||(t.add(o),console.log(a.dim(`\n[Tool: ${n}]`))):r===`completed`?console.log(a.dim(`[Tool ${n} completed]`)):(r===`failed`||r===`error`)&&console.log(a.yellow(`[Tool ${n} failed]`))}async function Hn(e,t,n){let r=``,i=!1,a,o,s,c=e=>{if(e.startsWith(r)){let t=e.slice(r.length);t&&process.stdout.write(t)}else process.stdout.write(e);r=e};try{for await(let t of e){switch(t.type){case`token`:{let e=t.data?.value;typeof e==`string`&&(process.stdout.write(e),r+=e);break}case`message.part.updated`:{let e=Fn(t.data);typeof e==`string`&&e.length>0&&c(e);break}case`raw`:n?.(t.data);break;case`result`:o=t.data;break;case`question`:{let e=t.data;s={questionId:e.questionId,questions:e.questions};break}case`error`:i=!0,a=t.data.message??JSON.stringify(t.data);break}if(s)break}}catch(e){i=!0,a=e instanceof Error?e.message:String(e)}if(s)return{awaitingQuestion:s,printed:r.length};if(r.length===0&&o){let e=In(o);typeof e==`string`&&e.length>0&&(process.stdout.write(e),r=e)}if(!i){let e=zn(o);e&&(i=!0,a=e)}return{outcome:{sawError:i,errorMsg:a,startedAt:t,tokenUsage:o?.tokenUsage},resultData:o,printed:r.length}}function Un(e){let t=Kt(e??[]);if(t.length!==0)return{profile:{connections:t}}}async function Wn(e){let t=Kt(e.connection??[]);if(t.length===0)throw Error(`--allow-writes needs at least one --connection to grant writes for.`);if(t.some(e=>e.connectionId===`*`))throw Error("--allow-writes needs explicit --connection ids; the `*:*` wildcard can't be bulk-granted. Grant per connection, e.g. --connection conn_x:* --allow-writes.");let n=await V({hubKey:e.hubKey});for(let r of t){let t=await n.permissions.allowWrites(r.connectionId);e.json||P(`Allowed ${t.writeActions} write action${t.writeActions===1?``:`s`} for connection ${r.connectionId} (${t.granted} newly granted).`)}e.json||P(`Revert anytime: ${t.map(e=>`tangle hub permissions revert-writes --connection ${e.connectionId}`).join(` · `)}`)}async function Gn(e){!e.connection||e.connection.length===0||(e.connection=await Gt(e.connection,()=>V({hubKey:e.hubKey})))}function Kn(){let e=new t(`agent`).description(`Interact with AI agent`);return e.command(`prompt <idOrMessage> [message]`).description("Send a single prompt to the agent. With one arg it's the prompt and the box comes from `tangle use` / --box / TANGLE_SANDBOX; with two it's <id> <message>.").option(`--box <id>`,`Target sandbox (overrides the active one)`).option(`--session <id>`,`Continue existing session`).option(`--model <model>`,`Model to use`).option(`-t, --timeout <ms>`,`Timeout in milliseconds`,`300000`).option(`--stream`,`Stream response in real-time`).option(`--interactive`,`Spawn the harness's interactive TUI in the sandbox, inject this prompt, and print a link to watch + drive the live session in the browser (omit for the default headless run)`).option(`--harness <name>`,`Harness that executes this run (claude-code, codex, kimi-code, opencode, pi, amp, hermes). Defaults to the sandbox's configured backend. The box ships all harnesses, so this is a per-run choice.`).option(`--profile <source>`,`Agent profile to run: a local JSON path, an https URL, or github:<owner>/<repo>/<path>[@<ref>]`).option(`--skills <ref...>`,`Attach skills (repeatable): a local file path, or github:<owner>/<repo>/<path>[@<ref>] to pull from a repo`).option(`--tools <ref...>`,`Attach tools (repeatable): a local file path, or github:<owner>/<repo>/<path>[@<ref>]`).option(`--system-prompt <text>`,`Override the agent's system prompt for this run`).option(`--connection <spec>`,"Grant a hub connection to the agent as MCP tools (repeatable). The connection is a connection id or a provider name. Modes: <connection>:<cap1>,<cap2> (least privilege, recommended), <connection>:* (all of one connection), or *:* (all connections). List connections with `tangle hub connections`; paths with `tangle hub tools search <keyword>`.",Wt,[]).option(`--allow-writes`,"Pre-approve every WRITE action of each granted --connection so the agent can write unattended (reads are already allowed; destructive actions still prompt). Revert with `tangle hub permissions revert-writes`.").option(`--no-hub-key`,`Do not auto-mint a platform Hub key for --allow-writes; use the stored credential as-is`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=t===void 0?e:t,o=t===void 0?wt(n.box):e,s=E({apiKey:n.apiKey,baseUrl:n.baseUrl}),c=k(s);if(n.interactive){let e=[n.profile?`--profile`:null,n.skills?.length?`--skills`:null,n.tools?.length?`--tools`:null,n.systemPrompt?`--system-prompt`:null,n.connection?.length?`--connection`:null,n.allowWrites?`--allow-writes`:null].filter(e=>e!==null);if(e.length>0)throw Error(`${e.join(`, `)} ${e.length===1?`is`:`are`} not supported with --interactive: the interactive harness launches its own TUI and is configured by --harness/--model. Drop --interactive to run with a profile, or bake the agent into the box with \`tangle backend configure\`.`)}let l=await Ge({profileSource:n.profile,systemPrompt:n.systemPrompt,skills:n.skills,tools:n.tools});await Gn(n);let u=Un(n.connection);n.allowWrites&&await Wn(n);let d=l||u?{...l??{},...u?.profile??{}}:void 0,f=d||n.harness?{...n.harness?{type:n.harness}:{},...d?{profile:d}:{}}:void 0,p=await H(c,s,o);if(p=await U(p),n.interactive){let e=n.session??`int-${i()}`,t=n.harness??(await p.backend.status()).type,a=p.session(e).interactive(),c=F(`Starting interactive ${t} session...`);c.start();let l;try{l=await a.start({harness:t,...n.model?{model:n.model}:{}})}finally{c.stop()}try{await a.sendPrompt(r)}catch(e){throw await a.stop().catch(()=>void 0),e}let u=`${jn(s.baseUrl)}/dashboard/sandbox/${encodeURIComponent(o)}?interactive=${encodeURIComponent(l.sessionId)}`;n.json?j({sessionId:l.sessionId,harness:l.harness,streamUrl:l.streamUrl,webUrl:u}):(P(`Interactive ${l.harness} session started — prompt sent.`),console.log(),I({"Watch & drive":u,Session:l.sessionId}),console.log(),P(`Open the link to watch the agent and type to take over. Send more prompts with --session ${l.sessionId} --interactive.`));return}if(n.stream){P(`Streaming response...`),console.log();let e=Date.now(),t=await Hn(p.streamPrompt(r,{sessionId:n.session,model:n.model,timeoutMs:Number.parseInt(n.timeout,10),...f?{backend:f}:{}}),e);if(`awaitingQuestion`in t){t.printed>0&&console.log();let e=Pn(t.awaitingQuestion,n.json);n.json||console.error(a.yellow(`⚠ ${e}`));return}t.printed>0&&console.log(),Bn(t.outcome)}else{let e=F(`Processing prompt...`);e.start();let t=await p.prompt(r,{sessionId:n.session,model:n.model,timeoutMs:Number.parseInt(n.timeout,10),...f?{backend:f}:{}});e.stop(),n.json?(j(t),t.success===!1&&(process.exitCode=1)):t.success===!1?Nn(t,`Agent prompt failed`):(console.log(t.response),console.log(),I({Duration:`${t.durationMs}ms`,"Input Tokens":t.usage?.inputTokens,"Output Tokens":t.usage?.outputTokens}))}}catch(e){B(e,n.json)}}),e.command(`task <idOrPrompt> [prompt]`).description("Execute a multi-turn task. One arg = the task (box from `tangle use` / --box / TANGLE_SANDBOX); two = <id> <prompt>.").option(`--box <id>`,`Target sandbox (overrides the active one)`).option(`--session <id>`,`Continue existing session`).option(`--model <model>`,`Model to use`).option(`--max-turns <n>`,`Maximum turns`,`10`).option(`-t, --timeout <ms>`,`Timeout in milliseconds`,`600000`).option(`--stream`,`Stream events in real-time`).option(`--connection <spec>`,"Grant a hub connection to the agent as MCP tools (repeatable). The connection is a connection id or a provider name. Modes: <connection>:<cap1>,<cap2> (least privilege, recommended), <connection>:* (all of one connection), or *:* (all connections). List connections with `tangle hub connections`; paths with `tangle hub tools search <keyword>`.",Wt,[]).option(`--allow-writes`,"Pre-approve every WRITE action of each granted --connection so the agent can write unattended (reads are already allowed; destructive actions still prompt). Revert with `tangle hub permissions revert-writes`.").option(`--no-hub-key`,`Do not auto-mint a platform Hub key for --allow-writes; use the stored credential as-is`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=t===void 0?e:t,i=t===void 0?wt(n.box):e,o=E({apiKey:n.apiKey,baseUrl:n.baseUrl}),s=k(o);await Gn(n);let c=Un(n.connection);n.allowWrites&&await Wn(n);let l=await H(s,o,i);if(l=await U(l),n.stream){P(`Executing task...`),console.log();let e=new Set,t=Date.now(),i=await Hn(l.streamTask(r,{sessionId:n.session,model:n.model,maxTurns:Number.parseInt(n.maxTurns,10),timeoutMs:Number.parseInt(n.timeout,10),...c?{backend:c}:{}}),t,t=>Vn(t,e));if(`awaitingQuestion`in i){i.printed>0&&console.log();let e=Pn(i.awaitingQuestion,n.json);n.json||console.error(a.yellow(`⚠ ${e}`));return}i.printed>0&&console.log(),Bn(i.outcome)}else{let e=F(`Executing task...`);e.start();let t=await l.task(r,{sessionId:n.session,model:n.model,maxTurns:Number.parseInt(n.maxTurns,10),timeoutMs:Number.parseInt(n.timeout,10),...c?{backend:c}:{}});e.stop(),n.json?(j(t),t.success===!1&&(process.exitCode=1)):t.success===!1?Nn(t,`Agent task failed`):(console.log(t.response),console.log(),I({"Session ID":t.sessionId,"Turns Used":t.turnsUsed,Duration:`${t.durationMs}ms`,"Input Tokens":t.usage?.inputTokens,"Output Tokens":t.usage?.outputTokens}))}}catch(e){B(e,n.json)}}),e.addCommand(Tn()),e.addCommand(On()),e}async function qn(e){let t=e.timeoutMs??1e4,n=e.baseUrl.replace(/\/$/,``),r=`${n}/v1/account/me`;try{let n=await fetch(r,{headers:{Accept:`application/json`,Authorization:`Bearer ${e.apiKey}`},signal:AbortSignal.timeout(t)});if(!n.ok){let e=await Yn(n);throw n.status===401||n.status===403?new h(e||`Invalid API key`):n.status>=500?new ae(e||`Sandbox API returned an unexpected error`,n.status):Error(e||`Credential validation failed with status ${n.status}`)}let i=await n.json();if(!i.success||!i.data)throw Error(`Sandbox API returned an invalid account response`);return{customerId:i.data.customer_id,email:i.data.email,name:i.data.name,tier:i.data.tier,createdAt:i.data.created_at}}catch(e){throw e instanceof h||e instanceof ae||e instanceof se?e:e instanceof Error&&e.name===`AbortError`?new se(t,`Timed out validating credentials against ${n}`):e instanceof Error&&!(e instanceof TypeError)?e:new g(`Failed to reach ${n}`,Jn(e))}}function Jn(e){return e instanceof Error?e:void 0}async function Yn(e){let t=await e.text();if(t)try{let e=JSON.parse(t);return e.error?.message??e.message??t}catch{return t}}function Xn(e){if(!Qn(e.hostHeader))return{kind:`host-mismatch`};let t;try{t=new URL(e.requestUrl??`/`,`http://127.0.0.1`)}catch{return{kind:`not-found`}}if(t.pathname!==`/callback`)return{kind:`not-found`};if(t.searchParams.get(`state`)!==e.expectedState)return{kind:`state-mismatch`};let n=t.searchParams.get(`error`);if(n)return{kind:`error`,reason:n};let r=t.searchParams.get(`grant_token`);return r?{kind:`ok`,token:r}:{kind:`missing-token`}}async function Zn(e){let t=e.timeoutMs??12e4,n=e.baseUrl.replace(/\/$/,``),i=await import(`node:http`),a=r(32).toString(`hex`),o=null,s=null,c=new Promise((e,t)=>{o=e,s=t}),l=i.createServer((e,t)=>{try{let n=Xn({hostHeader:e.headers.host,requestUrl:e.url,expectedState:a});switch(n.kind){case`host-mismatch`:t.writeHead(421,{"content-type":`text/plain; charset=utf-8`}),t.end(`Misdirected request`);return;case`not-found`:t.writeHead(404,{"content-type":`text/plain; charset=utf-8`}),t.end(`Not found`);return;case`state-mismatch`:t.writeHead(400,{"content-type":`text/html; charset=utf-8`}),t.end(rr(`State mismatch — refusing login`)),s?.(Error(`Browser login state mismatch — refusing potentially hijacked callback`));return;case`error`:t.writeHead(400,{"content-type":`text/html; charset=utf-8`}),t.end(rr(n.reason)),s?.(Error(`Browser login failed: ${n.reason}`));return;case`missing-token`:t.writeHead(400,{"content-type":`text/html; charset=utf-8`}),t.end(rr(null)),s?.(Error(`Browser login did not return a grant token`));return;case`ok`:t.writeHead(200,{"content-type":`text/html; charset=utf-8`}),t.end(rr(null)),o?.(n.token);return}}catch(e){s?.(e instanceof Error?e:Error(`Browser login callback failed`))}});await new Promise((e,t)=>{l.once(`error`,t),l.listen(0,`127.0.0.1`,()=>e())});try{let r=l.address();if(!r||typeof r==`string`)throw Error(`Failed to bind local callback server`);let i=new URL(`http://127.0.0.1:${r.port}/callback`);i.searchParams.set(`state`,a);let o=new URL(`${n}/auth/cli/login`);o.searchParams.set(`callback_url`,i.toString()),e.provider&&o.searchParams.set(`provider`,e.provider);let s=await tr(o.toString());e.onLoginUrl?.({loginUrl:o.toString(),browserOpened:s});let u=await er({baseUrl:n,grantToken:await $n(c,t),timeoutMs:t});return{apiKey:u.apiKey,email:u.email,name:u.name,tier:u.tier}}finally{await new Promise((e,t)=>{l.close(n=>{if(n){t(n);return}e()})}).catch(()=>void 0)}}function Qn(e){if(!e)return!1;let t=e.toLowerCase().match(/^(\[[^\]]+\]|[^:]+)(?::\d+)?$/);if(!t)return!1;let n=t[1];return n===`127.0.0.1`||n===`localhost`||n===`[::1]`}async function $n(e,t){return await new Promise((n,r)=>{let i=setTimeout(()=>{r(new se(t,`Timed out waiting for browser login to complete`))},t);e.then(e=>{clearTimeout(i),n(e)},e=>{clearTimeout(i),r(e)})})}async function er(e){let t=await fetch(`${e.baseUrl}/auth/cli/exchange`,{method:`POST`,headers:{Accept:`application/json`,"Content-Type":`application/json`},body:JSON.stringify({grant_token:e.grantToken}),signal:AbortSignal.timeout(e.timeoutMs)}).catch(t=>{throw new g(`Failed to reach ${e.baseUrl}`,t instanceof Error?t:void 0)}),n=await t.json().catch(()=>null);if(!t.ok||!n?.success||!n.data?.api_key)throw Error(n?.error?.message||`Failed to exchange browser login grant`);return{apiKey:n.data.api_key,email:n.data.email,name:n.data.name,tier:n.data.tier}}async function tr(e){let{spawn:t}=await import(`node:child_process`),n=process.platform===`darwin`?[`open`,e]:process.platform===`win32`?[`cmd`,`/c`,`start`,``,e]:[`xdg-open`,e];return await new Promise(e=>{let r=t(n[0],n.slice(1),{detached:!0,stdio:`ignore`});r.once(`error`,()=>e(!1)),r.once(`spawn`,()=>{r.unref(),e(!0)})})}function nr(e){return e.replace(/&/g,`&amp;`).replace(/</g,`&lt;`).replace(/>/g,`&gt;`).replace(/"/g,`&quot;`).replace(/'/g,`&#39;`)}function rr(e){return`<!doctype html>
125
+ `),e(t.trim())})})}async function W(e){let t=(await import(`node:readline`)).createInterface({input:process.stdin,output:process.stdout}),n=await new Promise(n=>{t.question(e,e=>{t.close(),n(e.trim().toLowerCase())})});return n===`y`||n===`yes`}async function G(e,t){let n=(await import(`node:readline`)).createInterface({input:process.stdin,output:process.stdout}),r=t?` [${t}]`:``;return await new Promise(t=>{n.question(`${e}${r}: `,e=>{n.close(),t(e.trim())})})||t||``}async function Dn(){if(process.stdin.isTTY)throw Error(`Cannot read secret from stdin when stdin is a TTY`);let e=[];for await(let t of process.stdin)e.push(Buffer.isBuffer(t)?t:Buffer.from(t));return Buffer.concat(e).toString(`utf8`).replace(/\r?\n$/,``)}function On(){let e=new t(`profile`).description(`Create, inspect, and validate portable agent profiles`);return e.command(`create [output]`).description(`Create a profile — interactively (a wizard), or fully via flags`).option(`--name <name>`,`Profile name (when set, skips the wizard)`).option(`--description <text>`,`Profile description`).option(`--model <model>`,`Model (provider/model)`).option(`--system-prompt <text>`,`System prompt`).option(`--skills <ref...>`,`Skill refs: local path or github:<owner>/<repo>/<path>[@<ref>]`).option(`--tools <ref...>`,`Tool refs: local path or github:<owner>/<repo>/<path>[@<ref>]`).option(`--harness <name>`,`Harness hint shown in the run command`).option(`--json`,`Print the profile as JSON instead of writing a file`).action(async(e,t)=>{try{let n=t.name,r=t.description,i=t.harness,a=t.model,o=t.systemPrompt,s=t.skills??[],c=t.tools??[];if(!n&&process.stdin.isTTY&&(n=await G(`Profile name`,`my-agent`),r=await G(`Description (optional)`)||void 0,i=await G(`Harness`,`claude-code`)||void 0,a=await G(`Model (optional, provider/model)`)||void 0,o=await G(`System prompt (optional)`)||void 0,s=await kn(`Skill ref (local path or github:..., blank to finish)`),c=await kn(`Tool ref (blank to finish)`)),!n)throw Error(process.stdin.isTTY?`Profile name is required.`:"`agent profile create` needs at least --name in a non-interactive shell (no TTY to prompt). Pass --name <name> (and optionally --model/--skills/--tools/--system-prompt).");let l=Fe({model:a,systemPrompt:o,skills:s,tools:c}),u={...n?{name:n}:{},...r?{description:r}:{},...l??{}};if(t.json){A(u);return}let d=e??`agent-profile.json`;f(d,`${JSON.stringify(u,null,2)}\n`),P(`Wrote ${d}`),P(`Run it: tangle agent prompt <box> --profile ${d}${i?` --harness ${i}`:``}`)}catch(e){B(e,t.json)}}),e.command(`show <source>`).description(`Load and print a profile (local path, https URL, or github:owner/repo/path[@ref])`).action(async e=>{try{A(await Ie(e))}catch(e){B(e,!0)}}),e.command(`validate <source>`).description(`Check a profile loads and is a well-formed object`).action(async e=>{try{let t=await Ie(e);P(`OK — "${typeof t.name==`string`?t.name:`(unnamed)`}" loaded as a valid profile object`)}catch(e){B(e)}}),e}async function kn(e){let t=[];for(;;){let n=await G(e);if(!n)break;t.push(n)}return t}function An(e){let t=typeof e.type==`string`?e.type:void 0,n=t===`tool-invocation`||t===`tool_call`||t===`computer-use`||t===`computer_call`,r=e.toolInvocation??e.tool_invocation??e.computerUse??e.computer_use;if(!r&&!n)return;let i=r??e;if(t===`computer-use`||t===`computer_call`)return`computer-use:${i.action?.type??`action`}`;let a=i.toolName??i.tool_name??i.name;return typeof a==`string`&&a.length>0?a:void 0}function jn(e){return([process.env.SANDBOX_WEB_URL,process.env.TANGLE_SANDBOX_WEB_URL].map(e=>e?.trim()).find(e=>!!e)??e).replace(/\/+$/,``)}function Mn(e){let t=e.toolInvocation??e.tool_invocation??e.computerUse??e.computer_use??e,n=t.state?.status,r=typeof t.status==`string`?t.status:void 0;return n??r}function Nn(e,t){if(process.exitCode=1,e.status===`blocked_on_approval`){console.error(a.yellow(`⚠ Blocked on a hub approval.`));let t=e.approval?.approvalId;console.error(t?`Approve it: tangle hub approvals approve ${t}`:"Approve the pending request (`tangle hub approvals`), then re-run.");return}if(e.status===`awaiting_question`){console.error(a.yellow(`⚠ Agent is awaiting an answer to a question.`)),console.error(`Re-run with --interactive to answer it, or answer programmatically via box.session(<id>).answer({ ... }).`);return}console.error(a.red(`✗ ${e.error&&e.error.length>0?e.error:t}`))}function Pn(e,t){return process.exitCode=1,t&&A({status:`awaiting_question`,needsInput:e}),`Agent is awaiting an answer (questionId: ${e.questionId??`unknown`}). Re-run with --interactive to answer, or answer via box.session(<id>).answer({ ... }).`}function Fn(e){let t=e.part;if(t?.type===`text`)return t.text??t.content??void 0}function In(e){return e.finalText??e.response??e.output??e.content??e.text??void 0}function Ln(e){if(typeof e==`string`)return e;try{return JSON.stringify(e)??``}catch{return String(e)}}function Rn(e,t=0){if(t>6||typeof e!=`object`||!e)return;let n=e,r=n.approval;if(r&&typeof r.id==`string`)return r.id;for(let e of Object.values(n)){let n=Rn(e,t+1);if(n)return n}}function zn(e){let t=e?.toolInvocations;if(!Array.isArray(t))return;let n=t.find(e=>e?.isError===!0);if(n){if(Ln(n.result).includes(`HUB_APPROVAL_REQUIRED`)){let e=Rn(n.result);return e?`Blocked on hub approval — approve with: tangle hub approvals approve ${e}`:"Blocked on hub approval — approve the pending request (`tangle hub approvals`) then re-run."}return`Tool "${n.toolName??`unknown`}" failed`}}function Bn(e){if(e.sawError){console.error(a.red(`✗ ${e.errorMsg??`Agent run failed`}`)),process.exitCode=1;return}let t=Date.now()-e.startedAt,n=e.tokenUsage,r=[`${t}ms`,n?.inputTokens===void 0?void 0:`${n.inputTokens} in`,n?.outputTokens===void 0?void 0:`${n.outputTokens} out`].filter(e=>!!e);console.log(a.green(`✓ Done`),a.dim(`(${r.join(`, `)})`))}function Vn(e,t){let n=An(e);if(!n)return;let r=Mn(e),i=e.toolCallId??e.tool_call_id??e.callId??e.id,o=typeof i==`string`&&i.length>0?i:`${n}#${t.size}`;r===`running`||r===`in_progress`||r===void 0?t.has(o)||(t.add(o),console.log(a.dim(`\n[Tool: ${n}]`))):r===`completed`?console.log(a.dim(`[Tool ${n} completed]`)):(r===`failed`||r===`error`)&&console.log(a.yellow(`[Tool ${n} failed]`))}async function Hn(e,t,n){let r=``,i=!1,a,o,s,c=e=>{if(e.startsWith(r)){let t=e.slice(r.length);t&&process.stdout.write(t)}else process.stdout.write(e);r=e};try{for await(let t of e){switch(t.type){case`token`:{let e=t.data?.value;typeof e==`string`&&(process.stdout.write(e),r+=e);break}case`message.part.updated`:{let e=Fn(t.data);typeof e==`string`&&e.length>0&&c(e);break}case`raw`:n?.(t.data);break;case`result`:o=t.data;break;case`question`:{let e=t.data;s={questionId:e.questionId,questions:e.questions};break}case`error`:i=!0,a=t.data.message??JSON.stringify(t.data);break}if(s)break}}catch(e){i=!0,a=e instanceof Error?e.message:String(e)}if(s)return{awaitingQuestion:s,printed:r.length};if(r.length===0&&o){let e=In(o);typeof e==`string`&&e.length>0&&(process.stdout.write(e),r=e)}if(!i){let e=zn(o);e&&(i=!0,a=e)}return{outcome:{sawError:i,errorMsg:a,startedAt:t,tokenUsage:o?.tokenUsage},resultData:o,printed:r.length}}function Un(e){let t=qt(e??[]);if(t.length!==0)return{profile:{connections:t}}}async function Wn(e){let t=qt(e.connection??[]);if(t.length===0)throw Error(`--allow-writes needs at least one --connection to grant writes for.`);if(t.some(e=>e.connectionId===`*`))throw Error("--allow-writes needs explicit --connection ids; the `*:*` wildcard can't be bulk-granted. Grant per connection, e.g. --connection conn_x:* --allow-writes.");let n=await V({hubKey:e.hubKey});for(let r of t){let t=await n.permissions.allowWrites(r.connectionId);e.json||P(`Allowed ${t.writeActions} write action${t.writeActions===1?``:`s`} for connection ${r.connectionId} (${t.granted} newly granted).`)}e.json||P(`Revert anytime: ${t.map(e=>`tangle hub permissions revert-writes --connection ${e.connectionId}`).join(` · `)}`)}async function Gn(e){!e.connection||e.connection.length===0||(e.connection=await Kt(e.connection,()=>V({hubKey:e.hubKey})))}function Kn(){let e=new t(`agent`).description(`Interact with AI agent`);return e.command(`prompt <idOrMessage> [message]`).description("Send a single prompt to the agent. With one arg it's the prompt and the box comes from `tangle use` / --box / TANGLE_SANDBOX; with two it's <id> <message>.").option(`--box <id>`,`Target sandbox (overrides the active one)`).option(`--session <id>`,`Continue existing session`).option(`--model <model>`,`Model to use`).option(`-t, --timeout <ms>`,`Timeout in milliseconds`,`300000`).option(`--stream`,`Stream response in real-time`).option(`--interactive`,`Spawn the harness's interactive TUI in the sandbox, inject this prompt, and print a link to watch + drive the live session in the browser (omit for the default headless run)`).option(`--harness <name>`,`Harness that executes this run (claude-code, codex, kimi-code, opencode, pi, amp, hermes). Defaults to the sandbox's configured backend. The box ships all harnesses, so this is a per-run choice.`).option(`--profile <source>`,`Agent profile to run: a local JSON path, an https URL, or github:<owner>/<repo>/<path>[@<ref>]`).option(`--skills <ref...>`,`Attach skills (repeatable): a local file path, or github:<owner>/<repo>/<path>[@<ref>] to pull from a repo`).option(`--tools <ref...>`,`Attach tools (repeatable): a local file path, or github:<owner>/<repo>/<path>[@<ref>]`).option(`--system-prompt <text>`,`Override the agent's system prompt for this run`).option(`--connection <spec>`,"Grant a hub connection to the agent as MCP tools (repeatable). The connection is a connection id or a provider name. Modes: <connection>:<cap1>,<cap2> (least privilege, recommended), <connection>:* (all of one connection), or *:* (all connections). List connections with `tangle hub connections`; paths with `tangle hub tools search <keyword>`.",Gt,[]).option(`--allow-writes`,"Pre-approve every WRITE action of each granted --connection so the agent can write unattended (reads are already allowed; destructive actions still prompt). Revert with `tangle hub permissions revert-writes`.").option(`--no-hub-key`,`Do not auto-mint a platform Hub key for --allow-writes; use the stored credential as-is`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=t===void 0?e:t,o=t===void 0?wt(n.box):e,s=T({apiKey:n.apiKey,baseUrl:n.baseUrl}),c=O(s);if(n.interactive){let e=[n.profile?`--profile`:null,n.skills?.length?`--skills`:null,n.tools?.length?`--tools`:null,n.systemPrompt?`--system-prompt`:null,n.connection?.length?`--connection`:null,n.allowWrites?`--allow-writes`:null].filter(e=>e!==null);if(e.length>0)throw Error(`${e.join(`, `)} ${e.length===1?`is`:`are`} not supported with --interactive: the interactive harness launches its own TUI and is configured by --harness/--model. Drop --interactive to run with a profile, or bake the agent into the box with \`tangle backend configure\`.`)}let l=await Ge({profileSource:n.profile,systemPrompt:n.systemPrompt,skills:n.skills,tools:n.tools});await Gn(n);let u=Un(n.connection);n.allowWrites&&await Wn(n);let d=l||u?{...l??{},...u?.profile??{}}:void 0,f=d||n.harness?{...n.harness?{type:n.harness}:{},...d?{profile:d}:{}}:void 0,p=await H(c,s,o);if(p=await U(p),n.interactive){let e=n.session??`int-${i()}`,t=n.harness??(await p.backend.status()).type,a=p.session(e).interactive(),c=F(`Starting interactive ${t} session...`);c.start();let l;try{l=await a.start({harness:t,...n.model?{model:n.model}:{}})}finally{c.stop()}try{await a.sendPrompt(r)}catch(e){throw await a.stop().catch(()=>void 0),e}let u=`${jn(s.baseUrl)}/dashboard/sandbox/${encodeURIComponent(o)}?interactive=${encodeURIComponent(l.sessionId)}`;n.json?A({sessionId:l.sessionId,harness:l.harness,streamUrl:l.streamUrl,webUrl:u}):(P(`Interactive ${l.harness} session started — prompt sent.`),console.log(),I({"Watch & drive":u,Session:l.sessionId}),console.log(),P(`Open the link to watch the agent and type to take over. Send more prompts with --session ${l.sessionId} --interactive.`));return}if(n.stream){P(`Streaming response...`),console.log();let e=Date.now(),t=await Hn(p.streamPrompt(r,{sessionId:n.session,model:n.model,timeoutMs:Number.parseInt(n.timeout,10),...f?{backend:f}:{}}),e);if(`awaitingQuestion`in t){t.printed>0&&console.log();let e=Pn(t.awaitingQuestion,n.json);n.json||console.error(a.yellow(`⚠ ${e}`));return}t.printed>0&&console.log(),Bn(t.outcome)}else{let e=F(`Processing prompt...`);e.start();let t=await p.prompt(r,{sessionId:n.session,model:n.model,timeoutMs:Number.parseInt(n.timeout,10),...f?{backend:f}:{}});e.stop(),n.json?(A(t),t.success===!1&&(process.exitCode=1)):t.success===!1?Nn(t,`Agent prompt failed`):(console.log(t.response),console.log(),I({Duration:`${t.durationMs}ms`,"Input Tokens":t.usage?.inputTokens,"Output Tokens":t.usage?.outputTokens}))}}catch(e){B(e,n.json)}}),e.command(`task <idOrPrompt> [prompt]`).description("Execute a multi-turn task. One arg = the task (box from `tangle use` / --box / TANGLE_SANDBOX); two = <id> <prompt>.").option(`--box <id>`,`Target sandbox (overrides the active one)`).option(`--session <id>`,`Continue existing session`).option(`--model <model>`,`Model to use`).option(`--max-turns <n>`,`Maximum turns`,`10`).option(`-t, --timeout <ms>`,`Timeout in milliseconds`,`600000`).option(`--stream`,`Stream events in real-time`).option(`--connection <spec>`,"Grant a hub connection to the agent as MCP tools (repeatable). The connection is a connection id or a provider name. Modes: <connection>:<cap1>,<cap2> (least privilege, recommended), <connection>:* (all of one connection), or *:* (all connections). List connections with `tangle hub connections`; paths with `tangle hub tools search <keyword>`.",Gt,[]).option(`--allow-writes`,"Pre-approve every WRITE action of each granted --connection so the agent can write unattended (reads are already allowed; destructive actions still prompt). Revert with `tangle hub permissions revert-writes`.").option(`--no-hub-key`,`Do not auto-mint a platform Hub key for --allow-writes; use the stored credential as-is`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=t===void 0?e:t,i=t===void 0?wt(n.box):e,o=T({apiKey:n.apiKey,baseUrl:n.baseUrl}),s=O(o);await Gn(n);let c=Un(n.connection);n.allowWrites&&await Wn(n);let l=await H(s,o,i);if(l=await U(l),n.stream){P(`Executing task...`),console.log();let e=new Set,t=Date.now(),i=await Hn(l.streamTask(r,{sessionId:n.session,model:n.model,maxTurns:Number.parseInt(n.maxTurns,10),timeoutMs:Number.parseInt(n.timeout,10),...c?{backend:c}:{}}),t,t=>Vn(t,e));if(`awaitingQuestion`in i){i.printed>0&&console.log();let e=Pn(i.awaitingQuestion,n.json);n.json||console.error(a.yellow(`⚠ ${e}`));return}i.printed>0&&console.log(),Bn(i.outcome)}else{let e=F(`Executing task...`);e.start();let t=await l.task(r,{sessionId:n.session,model:n.model,maxTurns:Number.parseInt(n.maxTurns,10),timeoutMs:Number.parseInt(n.timeout,10),...c?{backend:c}:{}});e.stop(),n.json?(A(t),t.success===!1&&(process.exitCode=1)):t.success===!1?Nn(t,`Agent task failed`):(console.log(t.response),console.log(),I({"Session ID":t.sessionId,"Turns Used":t.turnsUsed,Duration:`${t.durationMs}ms`,"Input Tokens":t.usage?.inputTokens,"Output Tokens":t.usage?.outputTokens}))}}catch(e){B(e,n.json)}}),e.addCommand(Tn()),e.addCommand(On()),e}async function qn(e){let t=e.timeoutMs??1e4,n=e.baseUrl.replace(/\/$/,``),r=`${n}/v1/account/me`;try{let n=await fetch(r,{headers:{Accept:`application/json`,Authorization:`Bearer ${e.apiKey}`},signal:AbortSignal.timeout(t)});if(!n.ok){let e=await Yn(n);throw n.status===401||n.status===403?new ie(e||`Invalid API key`):n.status>=500?new _(e||`Sandbox API returned an unexpected error`,n.status):Error(e||`Credential validation failed with status ${n.status}`)}let i=await n.json();if(!i.success||!i.data)throw Error(`Sandbox API returned an invalid account response`);return{customerId:i.data.customer_id,email:i.data.email,name:i.data.name,tier:i.data.tier,createdAt:i.data.created_at}}catch(e){throw e instanceof ie||e instanceof _||e instanceof se?e:e instanceof Error&&e.name===`AbortError`?new se(t,`Timed out validating credentials against ${n}`):e instanceof Error&&!(e instanceof TypeError)?e:new h(`Failed to reach ${n}`,Jn(e))}}function Jn(e){return e instanceof Error?e:void 0}async function Yn(e){let t=await e.text();if(t)try{let e=JSON.parse(t);return e.error?.message??e.message??t}catch{return t}}function Xn(e){if(!Qn(e.hostHeader))return{kind:`host-mismatch`};let t;try{t=new URL(e.requestUrl??`/`,`http://127.0.0.1`)}catch{return{kind:`not-found`}}if(t.pathname!==`/callback`)return{kind:`not-found`};if(t.searchParams.get(`state`)!==e.expectedState)return{kind:`state-mismatch`};let n=t.searchParams.get(`error`);if(n)return{kind:`error`,reason:n};let r=t.searchParams.get(`grant_token`);return r?{kind:`ok`,token:r}:{kind:`missing-token`}}async function Zn(e){let t=e.timeoutMs??12e4,n=e.baseUrl.replace(/\/$/,``),i=await import(`node:http`),a=r(32).toString(`hex`),o=null,s=null,c=new Promise((e,t)=>{o=e,s=t}),l=i.createServer((e,t)=>{try{let n=Xn({hostHeader:e.headers.host,requestUrl:e.url,expectedState:a});switch(n.kind){case`host-mismatch`:t.writeHead(421,{"content-type":`text/plain; charset=utf-8`}),t.end(`Misdirected request`);return;case`not-found`:t.writeHead(404,{"content-type":`text/plain; charset=utf-8`}),t.end(`Not found`);return;case`state-mismatch`:t.writeHead(400,{"content-type":`text/html; charset=utf-8`}),t.end(rr(`State mismatch — refusing login`)),s?.(Error(`Browser login state mismatch — refusing potentially hijacked callback`));return;case`error`:t.writeHead(400,{"content-type":`text/html; charset=utf-8`}),t.end(rr(n.reason)),s?.(Error(`Browser login failed: ${n.reason}`));return;case`missing-token`:t.writeHead(400,{"content-type":`text/html; charset=utf-8`}),t.end(rr(null)),s?.(Error(`Browser login did not return a grant token`));return;case`ok`:t.writeHead(200,{"content-type":`text/html; charset=utf-8`}),t.end(rr(null)),o?.(n.token);return}}catch(e){s?.(e instanceof Error?e:Error(`Browser login callback failed`))}});await new Promise((e,t)=>{l.once(`error`,t),l.listen(0,`127.0.0.1`,()=>e())});try{let r=l.address();if(!r||typeof r==`string`)throw Error(`Failed to bind local callback server`);let i=new URL(`http://127.0.0.1:${r.port}/callback`);i.searchParams.set(`state`,a);let o=new URL(`${n}/auth/cli/login`);o.searchParams.set(`callback_url`,i.toString()),e.provider&&o.searchParams.set(`provider`,e.provider);let s=await tr(o.toString());e.onLoginUrl?.({loginUrl:o.toString(),browserOpened:s});let u=await er({baseUrl:n,grantToken:await $n(c,t),timeoutMs:t});return{apiKey:u.apiKey,email:u.email,name:u.name,tier:u.tier}}finally{await new Promise((e,t)=>{l.close(n=>{if(n){t(n);return}e()})}).catch(()=>void 0)}}function Qn(e){if(!e)return!1;let t=e.toLowerCase().match(/^(\[[^\]]+\]|[^:]+)(?::\d+)?$/);if(!t)return!1;let n=t[1];return n===`127.0.0.1`||n===`localhost`||n===`[::1]`}async function $n(e,t){return await new Promise((n,r)=>{let i=setTimeout(()=>{r(new se(t,`Timed out waiting for browser login to complete`))},t);e.then(e=>{clearTimeout(i),n(e)},e=>{clearTimeout(i),r(e)})})}async function er(e){let t=await fetch(`${e.baseUrl}/auth/cli/exchange`,{method:`POST`,headers:{Accept:`application/json`,"Content-Type":`application/json`},body:JSON.stringify({grant_token:e.grantToken}),signal:AbortSignal.timeout(e.timeoutMs)}).catch(t=>{throw new h(`Failed to reach ${e.baseUrl}`,t instanceof Error?t:void 0)}),n=await t.json().catch(()=>null);if(!t.ok||!n?.success||!n.data?.api_key)throw Error(n?.error?.message||`Failed to exchange browser login grant`);return{apiKey:n.data.api_key,email:n.data.email,name:n.data.name,tier:n.data.tier}}async function tr(e){let{spawn:t}=await import(`node:child_process`),n=process.platform===`darwin`?[`open`,e]:process.platform===`win32`?[`cmd`,`/c`,`start`,``,e]:[`xdg-open`,e];return await new Promise(e=>{let r=t(n[0],n.slice(1),{detached:!0,stdio:`ignore`});r.once(`error`,()=>e(!1)),r.once(`spawn`,()=>{r.unref(),e(!0)})})}function nr(e){return e.replace(/&/g,`&amp;`).replace(/</g,`&lt;`).replace(/>/g,`&gt;`).replace(/"/g,`&quot;`).replace(/'/g,`&#39;`)}function rr(e){return`<!doctype html>
126
126
  <html lang="en">
127
127
  <head>
128
128
  <meta charset="utf-8" />
@@ -131,18 +131,18 @@ await connect(new StdioServerTransport());`;case`claude-desktop`:return`// Add t
131
131
  <body>
132
132
  <p>${e?`Sandbox CLI login failed: ${nr(e)}`:`Sandbox CLI login complete. You can close this window.`}</p>
133
133
  </body>
134
- </html>`}const ir=15*6e4;function ar(e){return Number.isFinite(e)&&e>0?e:ir}async function or(e){let t=e.timeoutMs??ir,n=Date.now(),r=await sr({baseUrl:e.baseUrl,timeoutMs:t,provider:e.provider});for(e.onInstructions?.({userCode:r.user_code,verificationUrl:r.verification_uri,verificationUrlComplete:r.verification_uri_complete,expiresIn:r.expires_in,intervalSeconds:r.interval});;){if(Date.now()-n>t)throw new se(t,`Timed out waiting for device authorization to complete`);let i=await cr({baseUrl:e.baseUrl,deviceCode:r.device_code,timeoutMs:t});if(i.status===`approved`)return i.data;let a=i.intervalSeconds*1e3;await new Promise(e=>setTimeout(e,a))}}async function sr(e){let t=ar(e.timeoutMs),n=await fetch(`${lr(e.baseUrl)}/auth/cli/device/start`,{method:`POST`,headers:{Accept:`application/json`,"Content-Type":`application/json`},body:JSON.stringify(e.provider?{provider:e.provider}:{}),signal:AbortSignal.timeout(t)}).catch(t=>{throw new g(`Failed to reach ${e.baseUrl}`,t instanceof Error?t:void 0)}),r=await n.json().catch(()=>null);if(!n.ok||!r?.success||!r.data?.device_code)throw Error(r?.error?.message||`Failed to start device login`);return r.data}async function cr(e){let t=ar(e.timeoutMs),n=await fetch(`${lr(e.baseUrl)}/auth/cli/device/poll`,{method:`POST`,headers:{Accept:`application/json`,"Content-Type":`application/json`},body:JSON.stringify({device_code:e.deviceCode}),signal:AbortSignal.timeout(t)}).catch(t=>{throw new g(`Failed to reach ${e.baseUrl}`,t instanceof Error?t:void 0)}),r=await n.json().catch(()=>null);if(n.status===428&&r?.error?.code===`AUTHORIZATION_PENDING`)return{status:`pending`,intervalSeconds:typeof r.data?.interval==`number`&&r.data.interval>0?r.data.interval:5};if(!n.ok||!r?.success||!r.data?.api_key||!r.data.email)throw Error(r?.error?.message||`Failed to complete device authorization`);return{status:`approved`,data:{apiKey:r.data.api_key,email:r.data.email,name:r.data.name,tier:r.data.tier}}}function lr(e){return e.replace(/\/$/,``)}function ur(){let e=new t(`auth`).description(`Manage authentication`);e.command(`login`).description(`Authenticate with browser login or an API key`).option(`--api-key <key>`,`API key`).option(`--no-browser`,`Use device-code login instead of opening a browser`).option(`--profile <name>`,`Profile name`).option(`--provider <provider>`,`Identity provider (github, google, microsoft)`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=e.apiKey,n=w(e.profile),r=gr(e.provider),i=At(e.baseUrl,n),a=e.browser!==!1;if(!t){if(a){let a=F(`Starting browser login...`);a.start();let o=await Zn({baseUrl:i,provider:r,onLoginUrl:({loginUrl:e,browserOpened:t})=>{a.stop(),P(t?`Browser login opened.`:`Open this URL to continue browser login:`),console.log(e)}}).finally(()=>{a.stop()});t=o.apiKey,pr({profile:n,apiKey:t,baseUrl:e.baseUrl?i:void 0}),Bt(),M(`Authenticated`),I({Profile:n,Email:o.email,Tier:o.tier,"Base URL":i}),P(mr);return}let o=F(`Starting device login...`);o.start();let s=await or({baseUrl:i,provider:r,onInstructions:({userCode:e,verificationUrl:t,verificationUrlComplete:n})=>{o.stop(),P(`Complete login in a browser on any device:`),I({"Verification URL":t,"Verification URL (prefilled)":n,"Device Code":e})}}).finally(()=>{o.stop()});t=s.apiKey,pr({profile:n,apiKey:t,baseUrl:e.baseUrl?i:void 0}),Bt(),M(`Authenticated`),I({Profile:n,Email:s.email,Tier:s.tier,"Base URL":i}),P(mr);return}t||(N(`No API key provided.`),process.exit(1)),_t(t)||(N(`Invalid API key format. Keys should start with 'sk_' or 'sk-tan-'.`),process.exit(1));let o=F(`Validating credentials...`);o.start();let s=await qn({apiKey:t,baseUrl:i});o.stop(),pr({profile:n,apiKey:t,baseUrl:e.baseUrl?i:void 0}),Bt(),M(`Authenticated`),I({Profile:n,Email:s.email,Tier:s.tier,"Base URL":i}),P(mr)}catch(e){B(e)}}),e.command(`logout`).description(`Remove stored credentials`).option(`--profile <name>`,`Profile name`).action(e=>{try{let t=w(e.profile);Ot(t),Bt(),M(`Logged out successfully.`),P(`Credentials removed for profile '${t}'.`)}catch(e){B(e)}}),e.command(`status`).description(`Show current authentication status`).option(`--json`,`Output as JSON`).option(`--profile <name>`,`Profile name`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=w(e.profile),n=T(e.apiKey,t),r=At(e.baseUrl,t),i=kt(e.apiKey,t);if(!n){if(e.json){j({authenticated:!1,reason:`missing_credentials`,profile:t,baseUrl:r,credentialSource:null});return}N(`Not authenticated`),P(`Run 'tangle auth login --profile ${t}' to authenticate.`),process.exit(1)}let a=e.json?null:F(`Checking credentials...`);a?.start();try{let o=await qn({apiKey:n,baseUrl:r});if(a?.stop(),e.json){j({authenticated:!0,profile:t,baseUrl:r,credentialSource:i,account:o});return}M(`Authenticated`),I({Profile:t,"API Key":dr(n),"Base URL":r,Source:fr(i),Email:o.email,Tier:o.tier})}catch(o){a?.stop(),e.json&&(j({authenticated:!1,profile:t,baseUrl:r,credentialSource:i,error:o instanceof Error?o.message:String(o)}),process.exit(1)),o instanceof h?N(`Stored credentials are invalid.`):Zt(`Stored credentials found, but validation could not complete.`),I({Profile:t,"API Key":dr(n),"Base URL":r,Source:fr(i),Error:o instanceof Error?o.message:String(o)}),process.exit(1)}}catch(e){B(e)}});let n=new t(`profiles`).description(`Manage CLI profiles`);return n.command(`list`).description(`List configured profiles`).option(`--json`,`Output as JSON`).action(e=>{try{let t=Tt();if(e.json){j(t);return}if(t.length===0){P(`No profiles found.`);return}z([`Profile`,`Active`,`Base URL`,`Credentials`,`Source`],t.map(e=>[e.name,e.active?`yes`:`no`,e.baseUrl,e.hasApiKey?`configured`:`none`,e.apiKeySource]))}catch(e){B(e)}}),n.command(`use <name>`).description(`Set the active profile`).action(e=>{try{yt(e);let t=Et(e);M(`Active profile set to '${t.name}'.`),I({"Base URL":t.baseUrl,Credentials:t.credentialSource===`none`?`missing`:`configured`})}catch(e){B(e)}}),n.command(`current`).description(`Show the active profile`).option(`--json`,`Output as JSON`).action(e=>{try{let t=Et();if(e.json){j(t);return}I({Profile:t.name,"Base URL":t.baseUrl,Credentials:t.credentialSource===`none`?`missing`:`configured`,Source:fr(t.credentialSource)})}catch(e){B(e)}}),e.addCommand(n),e}function dr(e){return e.length<=14?e:`${e.slice(0,10)}...${e.slice(-4)}`}function fr(e){switch(e){case`flag`:return`command flag`;case`env`:return`environment`;case`keychain`:return`OS keychain`;case`file`:return`credentials file`;case`legacy-file`:return`legacy credentials file`;default:return`unknown`}}function pr(e){let t=Dt(e.profile,{apiKey:e.apiKey,...e.baseUrl?{baseUrl:e.baseUrl}:{}});yt(e.profile),C({...e.baseUrl&&e.profile===`default`?{baseUrl:e.baseUrl}:{}}),mr=hr(e.profile,t)}let mr=`Credentials updated.`;function hr(e,t){return t===`keychain`?e===`default`?`API key saved to the OS keychain for the default profile`:`API key saved to the OS keychain for profile '${e}'`:t===`file`?e===`default`?`API key saved to ~/.tangle/credentials.json for the default profile`:`API key saved to ~/.tangle/credentials.json for profile '${e}'`:`Profile '${e}' updated.`}function gr(e){if(e===void 0||e===`github`||e===`google`||e===`microsoft`)return e;throw Error(`--provider must be one of: github, google, microsoft`)}function _r(){let e=new t(`backend`).description(`Manage sandbox AI agent backend`);return e.command(`status <sandboxId-or-name>`).description(`Get backend agent status`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=E({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=k(n),i=F(`Fetching backend status...`);i.start();let a=await(await H(r,n,e)).backend.status();i.stop(),t.json?j(a):(P(`Backend Type: ${a.type}`),P(`Status: ${a.status}`),a.version&&P(`Version: ${a.version}`),a.error&&P(`Error: ${a.error}`),a.metadata&&P(`Metadata: ${JSON.stringify(a.metadata,null,2)}`))}catch(e){B(e)}}),e.command(`capabilities <sandboxId-or-name>`).description(`Get backend capabilities`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=E({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=k(n),i=F(`Fetching capabilities...`);i.start();let a=await(await H(r,n,e)).backend.capabilities();i.stop(),t.json?j(a):(P(`Backend Capabilities:`),P(` Streaming: ${a.streaming?`✓`:`✗`}`),P(` Tool Use: ${a.toolUse?`✓`:`✗`}`),P(` Reasoning: ${a.reasoning?`✓`:`✗`}`),P(` Multimodal: ${a.multimodal?`✓`:`✗`}`),P(` Context Window: ${a.contextWindow.toLocaleString()} tokens`))}catch(e){B(e)}}),e.command(`configure <sandboxId-or-name>`).description(`Update backend configuration`).option(`--model <model>`,`Model string (format: provider/model)`).option(`--max-thinking-tokens <n>`,`Maximum thinking tokens`).option(`--profile <name>`,`Backend profile name`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=E({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=k(n),i=F(`Updating backend config...`);i.start();let a=await H(r,n,e),o={};if(t.profile&&(o.profile=t.profile),t.model||t.maxThinkingTokens){if(o.model={},t.model){let e=t.model.split(`/`);e.length>=2?(o.model.provider=e[0],o.model.model=e.slice(1).join(`/`)):o.model.model=t.model}t.maxThinkingTokens&&(o.model.maxThinkingTokens=Number.parseInt(t.maxThinkingTokens,10))}await a.backend.updateConfig(o),i.stop(),M(`Backend configuration updated`),t.json&&j(o)}catch(e){B(e)}}),e.command(`add-mcp <sandboxId-or-name>`).description(`Add an MCP server to the backend`).requiredOption(`--name <name>`,`MCP server name`).requiredOption(`--command <cmd>`,`Command to run (e.g., npx)`).option(`--args <args...>`,`Command arguments`).option(`--env <vars...>`,`Environment variables (KEY=VALUE)`).option(`--cwd <dir>`,`Working directory`).option(`--url <url>`,`Remote MCP server URL (for SSE)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=E({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=k(n),i=F(`Adding MCP server...`);i.start();let a=await H(r,n,e),o={};if(t.env)for(let e of t.env){let[t,...n]=e.split(`=`);t&&n.length>0&&(o[t]=n.join(`=`))}await a.backend.addMcp(t.name,{command:t.command,args:t.args,env:Object.keys(o).length>0?o:void 0,cwd:t.cwd,url:t.url}),i.stop(),M(`MCP server "${t.name}" added`),t.json&&j({name:t.name,command:t.command,args:t.args,env:Object.keys(o).length>0?o:void 0,cwd:t.cwd,url:t.url})}catch(e){B(e)}}),e.command(`mcp-status <sandboxId-or-name>`).description(`Get status of MCP servers`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=E({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=k(n),i=F(`Fetching MCP status...`);i.start();let a=await(await H(r,n,e)).backend.getMcpStatus();if(i.stop(),t.json)j(a);else{let e=Object.entries(a);e.length===0?P(`No MCP servers configured`):A(e.map(([e,t])=>{let n=t;return{name:e,status:n.status,error:n.error??``}}),[{key:`name`,header:`Name`,width:24},{key:`status`,header:`Status`,width:12},{key:`error`,header:`Error`,width:40}])}}catch(e){B(e)}}),e.command(`restart <sandboxId-or-name>`).description(`Restart the backend agent`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=E({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=k(n),i=F(`Restarting backend...`);i.start(),await(await H(r,n,e)).backend.restart(),i.stop(),M(`Backend restarted`)}catch(e){B(e)}}),e}function vr(e){let t=e.indexOf(`=`);if(t<=0)throw Error(`Invalid --task "${e}": expected format id=message (e.g. t1=summarize README)`);let n=e.slice(0,t).trim(),r=e.slice(t+1).trim();if(!n||!r)throw Error(`Invalid --task "${e}": id and message must be non-empty`);return{id:n,message:r}}function yr(e){let t;try{t=JSON.parse(e)}catch(e){throw Error(`--tasks file is not valid JSON: ${e.message}`)}let n=Array.isArray(t)?t:t?.tasks;if(!Array.isArray(n))throw Error(`--tasks file must contain an array or an object with a "tasks" array`);return n.map((e,t)=>{if(!e||typeof e!=`object`)throw Error(`--tasks[${t}] must be an object`);let n=e,r=typeof n.id==`string`?n.id.trim():``,i=typeof n.message==`string`?n.message:``;if(!r)throw Error(`--tasks[${t}].id must be a non-empty string`);if(!i.trim())throw Error(`--tasks[${t}].message must be a non-empty string`);let a={id:r,message:i};return n.context&&typeof n.context==`object`&&(a.context=n.context),typeof n.timeoutMs==`number`&&n.timeoutMs>0&&(a.timeoutMs=n.timeoutMs),a})}function br(e){let t=e.readFile??(e=>u(e,`utf8`)),n=[];e.file&&n.push(...yr(t(e.file)));for(let t of e.inline??[])n.push(vr(t));if(n.length===0)throw Error(`No tasks provided. Use --tasks <file> and/or --task id=message.`);let r=new Set;for(let e of n){if(r.has(e.id))throw Error(`Duplicate task id: ${e.id}`);r.add(e.id)}return n}function xr(e){if(e!==`fastest`&&e!==`balanced`&&e!==`cheapest`)throw Error(`--scaling must be one of: fastest, balanced, cheapest (got "${e}")`);return e}function Sr(e){let t=e.trim(),n=t.indexOf(`/`);if(n<=0||n===t.length-1)throw Error(`--model must be in the form provider/model (got "${e}")`);return{provider:t.slice(0,n),model:t.slice(n+1)}}function Cr(){let e=new t(`batch`).description(`Run multiple agent tasks in parallel across sandboxes`);return e.command(`run`).description(`Execute a batch of tasks. Provide tasks via --tasks <file.json> and/or repeated --task id=message flags.`).option(`--tasks <file>`,`Path to a JSON file with an array of tasks (or {tasks: [...]})`).option(`--task <id=message>`,`Inline task, id=message. Repeatable.`,(e,t=[])=>[...t,e],[]).option(`--stream`,`Stream per-task events as they arrive`).option(`-t, --timeout <ms>`,`Total batch timeout in milliseconds`,`300000`).option(`--scaling <mode>`,`Scaling mode: fastest | balanced | cheapest`,`balanced`).option(`--persistent`,`Keep sandboxes alive after completion`,!1).option(`--model <provider/model>`,`Model override, e.g. anthropic/claude-sonnet-4-5-20250929`).option(`--profile <id>`,`Named execution profile to apply to every task`).option(`--json`,`Output the final result as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{let t=new AbortController,n=!1,r=()=>{n||(n=!0,P(`Cancel requested — stopping stream...`),t.abort())};process.on(`SIGINT`,r),process.on(`SIGTERM`,r);try{let n=br({file:e.tasks,inline:e.task}),r=xr(e.scaling),i=Number(e.timeout);if(!Number.isFinite(i)||i<=0)throw Error(`--timeout must be a positive number of milliseconds`);let o=k(E({apiKey:e.apiKey,baseUrl:e.baseUrl})),s={type:`opencode`};e.model&&(s.model=Sr(e.model)),e.profile&&(s.profile=String(e.profile));let c={timeoutMs:i,scalingMode:r,persistent:!!e.persistent,signal:t.signal,backend:s};if(e.stream){P(`Streaming batch of ${n.length} task(s)...`),console.log();let t=new Map;for await(let e of o.streamBatch(n,c)){let r=e.data,i=r.taskId??``;switch(e.type){case`batch.started`:P(`Batch started (${r.totalTasks??n.length} tasks)`);break;case`task.started`:i&&console.log(a.dim(`→ ${i} started`));break;case`task.retry`:i&&console.log(a.yellow(`↻ ${i} retry ${r.attempt??`?`}: ${r.error??`retrying`}`));break;case`task.completed`:if(i){let e=r.usage,n=(e?.inputTokens??0)+(e?.outputTokens??0);t.set(i,{success:!0,durationMs:r.durationMs,retries:r.retries,tokensUsed:r.tokensUsed??(n>0?n:void 0),response:r.resultSummary??r.response}),console.log(a.green(`✓ ${i} completed in ${r.durationMs??`?`}ms`+(r.retries?` (${r.retries} retries)`:``)))}break;case`task.failed`:i&&(t.set(i,{success:!1,durationMs:r.durationMs,retries:r.retries,error:r.error}),console.log(a.red(`✗ ${i} failed: ${r.error??`unknown error`}`)));break;case`batch.failed`:throw Error(r.error??`Batch failed`);case`batch.completed`:break}}let r=[...t.values()].filter(e=>e.success).length,i=[...t.values()].filter(e=>!e.success).length,s=[...t.values()].reduce((e,t)=>e+(t.retries??0),0);console.log(),e.json?j({totalTasks:n.length,succeeded:r,failed:i,totalRetries:s,successRate:n.length>0?r/n.length*100:0,results:Array.from(t.entries()).map(([e,t])=>({taskId:e,...t}))}):I({"Total tasks":n.length,Succeeded:r,Failed:i,"Total retries":s,"Success rate":n.length>0?`${(r/n.length*100).toFixed(1)}%`:`0%`}),i>0&&(process.exitCode=1)}else{P(`Running batch of ${n.length} task(s)...`);let t=await o.runBatch(n,c);if(e.json)j(t);else if(console.log(),I({"Total tasks":t.totalTasks,Succeeded:t.succeeded,Failed:t.failed,"Total retries":t.totalRetries,"Success rate":`${t.successRate.toFixed(1)}%`}),t.results.length>0){console.log(),console.log(a.bold(`Task Results`)),console.log(a.dim(`─`.repeat(40)));for(let e of t.results){let t=e.success?a.green(`✓`):a.red(`✗`),n=typeof e.tokensUsed==`number`?` • ${e.tokensUsed} tokens`:``;console.log(`${t} ${e.taskId} ${a.dim(`(${e.durationMs}ms, ${e.retries} retries${n})`)}`),e.error&&console.log(a.red(` ${e.error}`))}}t.failed>0&&(process.exitCode=1)}}catch(e){if(n){console.log(),P(`Batch cancelled.`),process.exitCode=130;return}B(e)}finally{process.off(`SIGINT`,r),process.off(`SIGTERM`,r)}}),e}function wr(){let e=new t(`checkpoint`).description(`Manage sandbox filesystem checkpoints`);return e.command(`create`).description(`Create a checkpoint of the current sandbox state`).argument(`<id-or-name>`,`Sandbox ID or name`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=E({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=k(n),i=F(`Creating checkpoint...`);t.json||i.start();let a=await(await H(r,n,e)).checkpoint();i.stop(),t.json?j(a):M(`Checkpoint created: ${a.checkpointId}`)}catch(e){B(e)}}),e.command(`list`).alias(`ls`).description(`List checkpoints for a sandbox`).argument(`<id-or-name>`,`Sandbox ID or name`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=E({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=k(n),i=F(`Fetching checkpoints...`);t.json||i.start();let a=await(await H(r,n,e)).listCheckpoints();i.stop(),t.json?j(a):a.length===0?console.log(`No checkpoints found`):z([`ID`,`Created`],a.map(e=>[e.checkpointId,e.createdAt.toLocaleString()]))}catch(e){B(e)}}),e.command(`delete`).alias(`rm`).description(`Delete a checkpoint`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`<checkpoint-id>`,`Checkpoint ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=E({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=k(r),a=F(`Deleting checkpoint...`);n.json||a.start(),await(await H(i,r,e)).deleteCheckpoint(t),a.stop(),n.json?j({success:!0,deleted:t}):M(`Checkpoint deleted: ${t}`)}catch(e){B(e)}}),e}const Tr=[`codex`,`claude-code`,`nanoclaw`,`kimi-code`,`opencode`,`pi`,`openclaw`,`hermes`],Er=`https://intelligence.tangle.tools/v1/otlp`,Dr=[`codex`,`claude-code`],Or=[`codex`,`claude-code`,`nanoclaw`],kr=[`SessionStart`,`UserPromptSubmit`,`PreToolUse`,`PostToolUse`,`Stop`],Ar={codex:{kind:`native`,surface:`codex`,label:`Codex`,buildFiles:Ur},"claude-code":{kind:`native`,surface:`claude-code`,label:`Claude Code`,buildFiles:Wr},nanoclaw:{kind:`native`,surface:`nanoclaw`,label:`NanoClaw`,buildFiles:Wr},"kimi-code":{kind:`manual`,surface:`kimi-code`,label:`Kimi Code`,reason:`Kimi Code loads hooks through an explicit config file, so use standard OTLP env wiring until the native config adapter is verified.`},opencode:{kind:`manual`,surface:`opencode`,label:`OpenCode`,reason:`OpenCode hooks run as plugins; use standard OTLP env wiring until the native plugin adapter is verified.`},pi:{kind:`manual`,surface:`pi`,label:`Pi`,reason:`Pi hooks run through TypeScript extensions; use standard OTLP env wiring until the native extension adapter is verified.`},openclaw:{kind:`manual`,surface:`openclaw`,label:`OpenClaw`,reason:`OpenClaw project hooks require user opt-in; use standard OTLP env wiring until the hook toggle and adapter are verified.`},hermes:{kind:`manual`,surface:`hermes`,label:`Hermes`,reason:`Hermes project plugins require explicit enablement; use standard OTLP env wiring until the plugin adapter is verified.`}};function jr(e){let t=e.split(`,`).map(e=>e.trim()).filter(Boolean).flatMap(e=>Hr(e));return t.length===0?[...Dr]:ri(t)}function Mr(e){return Object.hasOwn(Ar,e)}function Nr(e=process.cwd()){return ee(re(e))||`agent-workspace`}function Pr(){return m(pe(),`.tangle`,`intelligence.json`)}function Fr(e=Pr()){if(!c(e))return null;let t=ei(e),n=ii(t,`apiKey`),r=ii(t,`endpoint`),i=ii(t,`serviceName`),a=ii(t,`environment`);if(!n||!r||!i||!a)throw Error(`${e} is missing apiKey, endpoint, serviceName, or environment`);return{apiKey:n,endpoint:r,serviceName:i,environment:a}}async function Ir(e){let t=re(e.workspace),n=Pr(),r=jr(e.selection),i=[],a=[],o=[],s={apiKey:e.apiKey,endpoint:K(e.endpoint),serviceName:e.serviceName,environment:e.environment};e.dryRun||Zr(n,s),o.push(n);for(let n of r){let r=Ar[n];if(r.kind===`manual`){a.push({agent:r.surface,label:r.label,reason:r.reason});continue}i.push(r.surface);let s=t=>Lr(e.hookCommand,r.surface,t);for(let n of r.buildFiles(s)){let r=m(t,n.relPath);if(e.dryRun){o.push(r);continue}$r(r,JSON.parse(n.content),n.mode),o.push(r)}}return!e.smoke||e.dryRun?{configPath:n,written:o,agents:r,nativeAgents:i,manual:a}:{configPath:n,written:o,agents:r,nativeAgents:i,manual:a,smokeTraceId:await zr({agent:i[0]??r[0]??`codex`,event:`install.smoke`,endpoint:s.endpoint,apiKey:s.apiKey,serviceName:s.serviceName,environment:s.environment,sessionId:`install-smoke-${Date.now()}`,payload:{source:`tangle intelligence connect`}})}}function Lr(e,t,n){return`${e.trim()} --agent ${t} --event ${n} --non-blocking`}function Rr(e){let t=BigInt(Date.now())*1000000n,n=oi(16),r=oi(8),i=e.sessionId??Gr(e.payload),a={"service.name":e.serviceName,"deployment.environment":e.environment,"tangle.agent.surface":e.agent,"tangle.agent.hook.event":e.event,"tangle.agent.hook.source":`local-hook`,...Kr(e.payload)};return i&&(a[`session.id`]=i,a[`gen_ai.conversation.id`]=i,a[`tangle.sessionId`]=i),{body:{resourceSpans:[{resource:{attributes:[si(`service.name`,e.serviceName),si(`deployment.environment`,e.environment),si(`tangle.agent.surface`,e.agent)]},scopeSpans:[{scope:{name:`tangle.intelligence.agent-hook`,version:`1.0.0`},spans:[{traceId:n,spanId:r,name:`agent.${e.agent}.${e.event}`,kind:1,startTimeUnixNano:t.toString(),endTimeUnixNano:(t+1000000n).toString(),attributes:Object.entries(a).map(([e,t])=>si(e,t)),status:{code:1}}]}]}]},traceId:n}}async function zr(e){let{body:t,traceId:n}=Rr(e),r=await fetch(`${K(e.endpoint)}/v1/traces`,{method:`POST`,headers:{Authorization:`Bearer ${e.apiKey}`,"Content-Type":`application/json`},body:JSON.stringify(t)});if(!r.ok){let e=await r.text().catch(()=>``);throw Error(`OTLP smoke ingest failed: ${r.status}${e?` ${e}`:``}`)}return n}function Br(e){return K(e).replace(/\/v1\/otlp$/,``).replace(/\/+$/,``)}async function Vr(e){let t=`${Br(e.endpoint)}/v1/onboarding/status`,n=await fetch(t,{headers:{Authorization:`Bearer ${e.apiKey}`},signal:e.timeoutMs&&e.timeoutMs>0?AbortSignal.timeout(e.timeoutMs):void 0});if(!n.ok){let e=await n.text().catch(()=>``);throw Error(`onboarding status request failed: ${n.status}${e?` ${e}`:``}`)}let r=await n.json();return{tracesSeen:!!r.tracesSeen,contentSeen:!!r.contentSeen,lastSeenAt:typeof r.lastSeenAt==`string`?r.lastSeenAt:null,windowDays:typeof r.windowDays==`number`?r.windowDays:7,byAgent:r.byAgent&&typeof r.byAgent==`object`?r.byAgent:{}}}function K(e){let t=e.trim().replace(/\/+$/,``);return t.endsWith(`/v1/traces`)?t.slice(0,-10):t.endsWith(`/v1/logs`)?t.slice(0,-8):t}function Hr(e){switch(e){case`local`:case`both`:return[...Dr];case`all`:return[...Or];case`claude`:return[`claude-code`];case`kimi`:return[`kimi-code`];default:if(Mr(e))return[e];throw Error(`agent must be one of: local, all, both, ${Tr.join(`, `)}`)}}function Ur(e){let t=Object.fromEntries(kr.map(t=>[t,[{command:e(t),timeoutMs:3e3,blocking:!1,matcher:`*`}]]));return[{relPath:`.codex/hooks.json`,content:JSON.stringify({hooks:t},null,2)}]}function Wr(e){let t=Object.fromEntries(kr.map(t=>[t,[{matcher:`*`,hooks:[{type:`command`,command:e(t),timeout:3}]}]]));return[{relPath:`.claude/settings.json`,content:JSON.stringify({hooks:t},null,2)}]}function Gr(e){return Jr(e,[`session.id`,`sessionId`,`session_id`,`conversationId`,`conversation_id`,`threadId`,`thread_id`,`transcriptId`,`transcript_id`])||process.env.TANGLE_SESSION_ID||process.env.CODEX_THREAD_ID||process.env.CLAUDE_SESSION_ID||process.env.OPENCODE_SESSION_ID}function Kr(e){let t={},n=qr(e,[`tool.name`,`toolName`,`tool_name`,`tool`]),r=qr(e,[`command`,`cmd`,`shell_command`,`shellCommand`]),i=qr(e,[`tool.input`,`toolInput`,`tool_input`,`input`,`arguments`,`args`]),a=qr(e,[`tool.output`,`toolOutput`,`tool_output`,`output`,`result`]),o=qr(e,[`tool.exit_code`,`exitCode`,`exit_code`,`status`]),s=qr(e,[`tool.error.message`,`errorMessage`,`error_message`,`error`]);return n&&(t[`tool.name`]=n),r&&(t[`process.command`]=r),i&&(t[`tool.input.summary`]=i),a&&(t[`tool.output.summary`]=a),o&&(t[`tool.exit_code`]=o),s&&(t[`tool.error.message`]=s),t}function qr(e,t){let n=Yr(e,t);if(n===void 0)return null;if(typeof n==`string`)return Xr(n);if(typeof n==`number`||typeof n==`boolean`||typeof n==`bigint`)return String(n);try{return Xr(JSON.stringify(n))}catch{return null}}function Jr(e,t){let n=Yr(e,t);return typeof n==`string`&&n.length>0?n:void 0}function Yr(e,t){if(typeof e!=`object`||!e)return;let n=[e],r=new Set;for(;n.length;){let e=n.pop();if(typeof e!=`object`||!e||r.has(e))continue;r.add(e);let i=e;for(let e of t){let t=i[e];if(t!=null&&t!==``)return t}for(let e of Object.values(i))typeof e==`object`&&e&&n.push(e)}}function Xr(e){return e.length>4096?`${e.slice(0,4093)}...`:e}function Zr(e,t){Qr(e,`${JSON.stringify(t,null,2)}\n`)}function Qr(e,t){l(te(e),{mode:448,recursive:!0});let n=`${e}.${process.pid}.tmp`;f(n,t,{mode:384}),d(n,e)}function $r(e,t,n){l(te(e),{recursive:!0});let r=ti(ei(e),t);f(e,`${JSON.stringify(r,null,2)}\n`,{mode:n??420})}function ei(e){if(!c(e))return{};let t=JSON.parse(u(e,`utf8`));if(!ai(t))throw Error(`${e} must contain a JSON object`);return t}function ti(e,t){let n={...e};for(let[e,r]of Object.entries(t)){let t=n[e];ai(t)&&ai(r)?n[e]=ti(t,r):Array.isArray(t)&&Array.isArray(r)?n[e]=ni([...t,...r]):n[e]=r}return n}function ni(e){let t=new Set,n=[];for(let r of e){let e=JSON.stringify(r);t.has(e)||(t.add(e),n.push(r))}return n}function ri(e){return[...new Set(e)]}function ii(e,t){let n=e[t];return typeof n==`string`&&n.length>0?n:void 0}function ai(e){return typeof e==`object`&&!!e&&!Array.isArray(e)&&(Object.getPrototypeOf(e)===Object.prototype||Object.getPrototypeOf(e)===null)}function oi(e){return r(e).toString(`hex`)}function si(e,t){return{key:e,value:{stringValue:t}}}const ci=`tangle.opencode-exporter`,li=16384;function ui(e){return e.length<=li?e:`${e.slice(0,li-1)}…`}function q(e,t){return{key:e,value:{stringValue:t}}}function di(e){if(!e||typeof e!=`object`)return null;let t=e,n=y(t.type);return n?{type:n,properties:t.properties&&typeof t.properties==`object`?t.properties:void 0}:null}function fi(e,t){let n=[q(`event.name`,e),q(`gen_ai.system`,`opencode`),q(`service.name`,`opencode`)];return t&&(n.push(q(`session.id`,t)),n.push(q(`gen_ai.conversation.id`,t))),n}function pi(e){if(!e)return null;let t=e.part,n=e.info;return y(t?.sessionID)??y(n?.sessionID)??y(e.sessionID)??null}function mi(e,t){let n=y(e.role)??y(e.info?.role);if(n)return n.toLowerCase();let r=y(e.messageID),i=t?.(r)??null;return i?i.toLowerCase():null}function hi(e,t,n){let r=[],i=pi(e.properties),a=(n,r)=>({timeUnixNano:t,severityNumber:9,severityText:`INFO`,...n===null?{}:{body:{stringValue:ui(n)}},attributes:[...fi(e.type,i),...r]});if(e.type===`message.part.updated`){let t=e.properties?.part;if(!t)return r;let i=y(t.type);if(i===`text`||i===`reasoning`){let e=y(t.text);if(e){let i=mi(t,n)===`user`?xe:be;r.push(a(e,[q(i,ui(e))]))}return r}if(i===`tool`){let e=y(t.tool),n=t.state,i=Ee(n?.input),o=Ee(n?.output),s=y(n?.error)??(typeof n?.error==`object`&&n?.error!==null?Ee(n.error):null);if(e||i){let t=[];e&&t.push(q(Ce,e)),i&&t.push(q(Se,ui(i))),r.push(a(null,t))}let c=o??s;if(c){let t=[q(we,ui(c))];e&&t.push(q(Ce,e)),r.push(a(c,t))}return r}return r}if(e.type===`session.next.text.delta`||e.type===`session.next.text.ended`){let t=e.properties??{},n=y(t.text)??(e.type===`session.next.text.delta`?y(t.delta):null);return n&&r.push(a(n,[q(be,ui(n))])),r}return r}function gi(e=process.env.OTEL_RESOURCE_ATTRIBUTES){if(!e)return null;for(let t of e.split(`,`)){let e=t.indexOf(`=`);if(e===-1||t.slice(0,e).trim()!==Te)continue;let n=t.slice(e+1).trim();if(n.length>0)return n}return null}function _i(e,t){if(e.length===0)return null;let n=[q(`service.name`,`opencode`),q(`gen_ai.system`,`opencode`),q(`telemetry.sdk.name`,ci)];return t&&t.trim().length>0&&n.push(q(Te,t.trim())),{resourceLogs:[{resource:{attributes:n},scopeLogs:[{scope:{name:ci,version:`1.0.0`},logRecords:e}]}]}}function vi(e){return(e??process.env.OPENCODE_BASE_URL??`http://127.0.0.1:4096`).replace(/\/+$/,``)}async function yi(e){let t=K(e.endpoint),n=await(e.fetchImpl??fetch)(`${t}/v1/logs`,{method:`POST`,headers:{Authorization:`Bearer ${e.apiKey}`,"Content-Type":`application/json`},body:JSON.stringify(e.request),signal:e.timeoutMs&&e.timeoutMs>0?AbortSignal.timeout(e.timeoutMs):void 0});if(!n.ok){let e=await n.text().catch(()=>``);throw Error(`OpenCode OTLP logs ingest failed: ${n.status}${e?` ${e}`:``}`)}}var bi=class extends Error{partial;constructor(e,t){let n=e instanceof Error?e.message:String(e);super(n),this.name=`OpencodeExporterError`,this.partial=t,e instanceof Error&&(this.cause=e)}};function xi(){return(BigInt(Date.now())*1000000n).toString()}async function Si(e){let t=vi(e.opencodeBaseUrl),n=e.nowUnixNano??xi,r=e.fetchImpl??fetch,i=e.subjectKey===void 0?gi():e.subjectKey,a=await r(`${t}/event`,{headers:{Accept:`text/event-stream`},signal:e.signal});if(!a.ok){let e=await a.text().catch(()=>``);throw Error(`OpenCode event subscribe failed: ${a.status} at ${t}/event${e?` ${e}`:``}. Is OpenCode running with 'opencode serve'?`)}if(!a.body)throw Error(`OpenCode event stream at ${t}/event returned no body — cannot subscribe`);let o={eventsSeen:0,contentEventsExported:0,recordsExported:0},s=new Map,c=e=>e?s.get(e)??null:null;try{for await(let t of de(a.body,{signal:e.signal})){o.eventsSeen++;let a=di(t.data);if(!a)continue;if(a.type===`message.updated`){let e=a.properties?.info,t=y(e?.id),n=y(e?.role);t&&n&&s.set(t,n);continue}let l=hi(a,n(),c),u=_i(l,i);u&&(await yi({endpoint:e.endpoint,apiKey:e.apiKey,request:u,timeoutMs:e.postTimeoutMs,fetchImpl:r}),o.contentEventsExported++,o.recordsExported+=l.length,e.onExport?.({eventType:a.type,records:l.length}))}}catch(e){if(e instanceof Error&&(e.name===`AbortError`||e.message.toLowerCase().includes(`abort`)))return o;throw new bi(e,o)}return o}const Ci=[`claude-code`,`codex`,`opencode`],wi={"claude-code":`Claude Code`,codex:`Codex`,opencode:`OpenCode`},Ti=`# >>> tangle intelligence (claude-code) >>>`,Ei=`# <<< tangle intelligence (claude-code) <<<`;function Di(e){return Ci.includes(e)}function Oi(e){let t=e??process.env.TANGLE_INTELLIGENCE_API_KEY??T(void 0);if(!t)throw Error(`No Tangle API key found. Pass --api-key, set TANGLE_API_KEY, or run: tangle auth login`);return t}function ki(e){let t=K(e.endpoint),n=e.apiKey??"${TANGLE_API_KEY}",r=e.projectKey?[``,`# Groups your runs into a project so Tangle can roll up + automate per-project:`,`export OTEL_RESOURCE_ATTRIBUTES=tangle.subject.key=${e.projectKey}`]:[``,`# Label this project so Tangle rolls up + automates per-project (pick your own):`,`# export OTEL_RESOURCE_ATTRIBUTES=tangle.subject.key=<your project>`];return[`# Enable + point Claude Code at Tangle (JSON protocol — matches our adapter)`,`export CLAUDE_CODE_ENABLE_TELEMETRY=1`,`export OTEL_EXPORTER_OTLP_PROTOCOL=http/json`,`export OTEL_EXPORTER_OTLP_ENDPOINT=${t}`,`export OTEL_EXPORTER_OTLP_HEADERS="Authorization=Bearer ${n}"`,...r,``,`# CONTENT rides LOG EVENTS, so the logs exporter is MANDATORY.`,`export OTEL_LOGS_EXPORTER=otlp # required for prompt/completion/tool content`,`export OTEL_METRICS_EXPORTER=otlp # tokens / cost`,`export OTEL_TRACES_EXPORTER=otlp # spans (beta)`,``,`# THE CONTENT GATES (all default OFF):`,`export OTEL_LOG_USER_PROMPTS=1 # the user/task prompt text`,`export OTEL_LOG_TOOL_DETAILS=1 # tool arguments`,`export OTEL_LOG_TOOL_CONTENT=1 # full tool input+output bodies`,`export OTEL_LOG_RAW_API_BODIES=1 # full prompt+completion JSON (richest)`].join(`
135
- `)}function Ai(e){return[Ti,ki(e),Ei].join(`
136
- `)}function ji(e,t){let n=e.indexOf(Ti);if(n!==-1){let r=e.indexOf(Ei,n);if(r===-1)throw Error(`shell rc has a '${Ti}' marker without its closing '${Ei}' — fix it by hand and re-run`);let i=r+43,a=`${e.slice(0,n)}${t}${e.slice(i)}`;return{contents:a,changed:a!==e}}return{contents:`${e.length===0?``:Mi(e)}${t}\n`,changed:!0}}function Mi(e){return e.endsWith(`
134
+ </html>`}const ir=15*6e4;function ar(e){return Number.isFinite(e)&&e>0?e:ir}async function or(e){let t=e.timeoutMs??ir,n=Date.now(),r=await sr({baseUrl:e.baseUrl,timeoutMs:t,provider:e.provider});for(e.onInstructions?.({userCode:r.user_code,verificationUrl:r.verification_uri,verificationUrlComplete:r.verification_uri_complete,expiresIn:r.expires_in,intervalSeconds:r.interval});;){if(Date.now()-n>t)throw new se(t,`Timed out waiting for device authorization to complete`);let i=await cr({baseUrl:e.baseUrl,deviceCode:r.device_code,timeoutMs:t});if(i.status===`approved`)return i.data;let a=i.intervalSeconds*1e3;await new Promise(e=>setTimeout(e,a))}}async function sr(e){let t=ar(e.timeoutMs),n=await fetch(`${lr(e.baseUrl)}/auth/cli/device/start`,{method:`POST`,headers:{Accept:`application/json`,"Content-Type":`application/json`},body:JSON.stringify(e.provider?{provider:e.provider}:{}),signal:AbortSignal.timeout(t)}).catch(t=>{throw new h(`Failed to reach ${e.baseUrl}`,t instanceof Error?t:void 0)}),r=await n.json().catch(()=>null);if(!n.ok||!r?.success||!r.data?.device_code)throw Error(r?.error?.message||`Failed to start device login`);return r.data}async function cr(e){let t=ar(e.timeoutMs),n=await fetch(`${lr(e.baseUrl)}/auth/cli/device/poll`,{method:`POST`,headers:{Accept:`application/json`,"Content-Type":`application/json`},body:JSON.stringify({device_code:e.deviceCode}),signal:AbortSignal.timeout(t)}).catch(t=>{throw new h(`Failed to reach ${e.baseUrl}`,t instanceof Error?t:void 0)}),r=await n.json().catch(()=>null);if(n.status===428&&r?.error?.code===`AUTHORIZATION_PENDING`)return{status:`pending`,intervalSeconds:typeof r.data?.interval==`number`&&r.data.interval>0?r.data.interval:5};if(!n.ok||!r?.success||!r.data?.api_key||!r.data.email)throw Error(r?.error?.message||`Failed to complete device authorization`);return{status:`approved`,data:{apiKey:r.data.api_key,email:r.data.email,name:r.data.name,tier:r.data.tier}}}function lr(e){return e.replace(/\/$/,``)}function ur(){let e=new t(`auth`).description(`Manage authentication`);e.command(`login`).description(`Authenticate with browser login or an API key`).option(`--api-key <key>`,`API key`).option(`--no-browser`,`Use device-code login instead of opening a browser`).option(`--profile <name>`,`Profile name`).option(`--provider <provider>`,`Identity provider (github, google, microsoft)`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=e.apiKey,n=w(e.profile),r=gr(e.provider),i=jt(e.baseUrl,n),a=e.browser!==!1;if(!t){if(a){let a=F(`Starting browser login...`);a.start();let o=await Zn({baseUrl:i,provider:r,onLoginUrl:({loginUrl:e,browserOpened:t})=>{a.stop(),P(t?`Browser login opened.`:`Open this URL to continue browser login:`),console.log(e)}}).finally(()=>{a.stop()});t=o.apiKey,pr({profile:n,apiKey:t,baseUrl:e.baseUrl?i:void 0}),Vt(),j(`Authenticated`),I({Profile:n,Email:o.email,Tier:o.tier,"Base URL":i}),P(mr);return}let o=F(`Starting device login...`);o.start();let s=await or({baseUrl:i,provider:r,onInstructions:({userCode:e,verificationUrl:t,verificationUrlComplete:n})=>{o.stop(),P(`Complete login in a browser on any device:`),I({"Verification URL":t,"Verification URL (prefilled)":n,"Device Code":e})}}).finally(()=>{o.stop()});t=s.apiKey,pr({profile:n,apiKey:t,baseUrl:e.baseUrl?i:void 0}),Vt(),j(`Authenticated`),I({Profile:n,Email:s.email,Tier:s.tier,"Base URL":i}),P(mr);return}t||(M(`No API key provided.`),process.exit(1)),_t(t)||(M(`Invalid API key format. Keys should start with 'sk_' or 'sk-tan-'.`),process.exit(1));let o=F(`Validating credentials...`);o.start();let s=await qn({apiKey:t,baseUrl:i});o.stop(),pr({profile:n,apiKey:t,baseUrl:e.baseUrl?i:void 0}),Vt(),j(`Authenticated`),I({Profile:n,Email:s.email,Tier:s.tier,"Base URL":i}),P(mr)}catch(e){B(e)}}),e.command(`logout`).description(`Remove stored credentials`).option(`--profile <name>`,`Profile name`).action(e=>{try{let t=w(e.profile);Ot(t),Vt(),j(`Logged out successfully.`),P(`Credentials removed for profile '${t}'.`)}catch(e){B(e)}}),e.command(`status`).description(`Show current authentication status`).option(`--json`,`Output as JSON`).option(`--profile <name>`,`Profile name`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=w(e.profile),n=kt(e.apiKey,t),r=jt(e.baseUrl,t),i=At(e.apiKey,t);if(!n){if(e.json){A({authenticated:!1,reason:`missing_credentials`,profile:t,baseUrl:r,credentialSource:null});return}M(`Not authenticated`),P(`Run 'tangle auth login --profile ${t}' to authenticate.`),process.exit(1)}let a=e.json?null:F(`Checking credentials...`);a?.start();try{let o=await qn({apiKey:n,baseUrl:r});if(a?.stop(),e.json){A({authenticated:!0,profile:t,baseUrl:r,credentialSource:i,account:o});return}j(`Authenticated`),I({Profile:t,"API Key":dr(n),"Base URL":r,Source:fr(i),Email:o.email,Tier:o.tier})}catch(o){a?.stop(),e.json&&(A({authenticated:!1,profile:t,baseUrl:r,credentialSource:i,error:o instanceof Error?o.message:String(o)}),process.exit(1)),o instanceof ie?M(`Stored credentials are invalid.`):N(`Stored credentials found, but validation could not complete.`),I({Profile:t,"API Key":dr(n),"Base URL":r,Source:fr(i),Error:o instanceof Error?o.message:String(o)}),process.exit(1)}}catch(e){B(e)}});let n=new t(`profiles`).description(`Manage CLI profiles`);return n.command(`list`).description(`List configured profiles`).option(`--json`,`Output as JSON`).action(e=>{try{let t=Tt();if(e.json){A(t);return}if(t.length===0){P(`No profiles found.`);return}z([`Profile`,`Active`,`Base URL`,`Credentials`,`Source`],t.map(e=>[e.name,e.active?`yes`:`no`,e.baseUrl,e.hasApiKey?`configured`:`none`,e.apiKeySource]))}catch(e){B(e)}}),n.command(`use <name>`).description(`Set the active profile`).action(e=>{try{yt(e);let t=Et(e);j(`Active profile set to '${t.name}'.`),I({"Base URL":t.baseUrl,Credentials:t.credentialSource===`none`?`missing`:`configured`})}catch(e){B(e)}}),n.command(`current`).description(`Show the active profile`).option(`--json`,`Output as JSON`).action(e=>{try{let t=Et();if(e.json){A(t);return}I({Profile:t.name,"Base URL":t.baseUrl,Credentials:t.credentialSource===`none`?`missing`:`configured`,Source:fr(t.credentialSource)})}catch(e){B(e)}}),e.addCommand(n),e}function dr(e){return e.length<=14?e:`${e.slice(0,10)}...${e.slice(-4)}`}function fr(e){switch(e){case`flag`:return`command flag`;case`env`:return`environment`;case`keychain`:return`OS keychain`;case`file`:return`credentials file`;case`legacy-file`:return`legacy credentials file`;default:return`unknown`}}function pr(e){let t=Dt(e.profile,{apiKey:e.apiKey,...e.baseUrl?{baseUrl:e.baseUrl}:{}});yt(e.profile),C({...e.baseUrl&&e.profile===`default`?{baseUrl:e.baseUrl}:{}}),mr=hr(e.profile,t)}let mr=`Credentials updated.`;function hr(e,t){return t===`keychain`?e===`default`?`API key saved to the OS keychain for the default profile`:`API key saved to the OS keychain for profile '${e}'`:t===`file`?e===`default`?`API key saved to ~/.tangle/credentials.json for the default profile`:`API key saved to ~/.tangle/credentials.json for profile '${e}'`:`Profile '${e}' updated.`}function gr(e){if(e===void 0||e===`github`||e===`google`||e===`microsoft`)return e;throw Error(`--provider must be one of: github, google, microsoft`)}function _r(){let e=new t(`backend`).description(`Manage sandbox AI agent backend`);return e.command(`status <sandboxId-or-name>`).description(`Get backend agent status`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=T({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=O(n),i=F(`Fetching backend status...`);i.start();let a=await(await H(r,n,e)).backend.status();i.stop(),t.json?A(a):(P(`Backend Type: ${a.type}`),P(`Status: ${a.status}`),a.version&&P(`Version: ${a.version}`),a.error&&P(`Error: ${a.error}`),a.metadata&&P(`Metadata: ${JSON.stringify(a.metadata,null,2)}`))}catch(e){B(e)}}),e.command(`capabilities <sandboxId-or-name>`).description(`Get backend capabilities`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=T({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=O(n),i=F(`Fetching capabilities...`);i.start();let a=await(await H(r,n,e)).backend.capabilities();i.stop(),t.json?A(a):(P(`Backend Capabilities:`),P(` Streaming: ${a.streaming?`✓`:`✗`}`),P(` Tool Use: ${a.toolUse?`✓`:`✗`}`),P(` Reasoning: ${a.reasoning?`✓`:`✗`}`),P(` Multimodal: ${a.multimodal?`✓`:`✗`}`),P(` Context Window: ${a.contextWindow.toLocaleString()} tokens`))}catch(e){B(e)}}),e.command(`configure <sandboxId-or-name>`).description(`Update backend configuration`).option(`--model <model>`,`Model string (format: provider/model)`).option(`--max-thinking-tokens <n>`,`Maximum thinking tokens`).option(`--profile <name>`,`Backend profile name`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=T({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=O(n),i=F(`Updating backend config...`);i.start();let a=await H(r,n,e),o={};if(t.profile&&(o.profile=t.profile),t.model||t.maxThinkingTokens){if(o.model={},t.model){let e=t.model.split(`/`);e.length>=2?(o.model.provider=e[0],o.model.model=e.slice(1).join(`/`)):o.model.model=t.model}t.maxThinkingTokens&&(o.model.maxThinkingTokens=Number.parseInt(t.maxThinkingTokens,10))}await a.backend.updateConfig(o),i.stop(),j(`Backend configuration updated`),t.json&&A(o)}catch(e){B(e)}}),e.command(`add-mcp <sandboxId-or-name>`).description(`Add an MCP server to the backend`).requiredOption(`--name <name>`,`MCP server name`).requiredOption(`--command <cmd>`,`Command to run (e.g., npx)`).option(`--args <args...>`,`Command arguments`).option(`--env <vars...>`,`Environment variables (KEY=VALUE)`).option(`--cwd <dir>`,`Working directory`).option(`--url <url>`,`Remote MCP server URL (for SSE)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=T({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=O(n),i=F(`Adding MCP server...`);i.start();let a=await H(r,n,e),o={};if(t.env)for(let e of t.env){let[t,...n]=e.split(`=`);t&&n.length>0&&(o[t]=n.join(`=`))}await a.backend.addMcp(t.name,{command:t.command,args:t.args,env:Object.keys(o).length>0?o:void 0,cwd:t.cwd,url:t.url}),i.stop(),j(`MCP server "${t.name}" added`),t.json&&A({name:t.name,command:t.command,args:t.args,env:Object.keys(o).length>0?o:void 0,cwd:t.cwd,url:t.url})}catch(e){B(e)}}),e.command(`mcp-status <sandboxId-or-name>`).description(`Get status of MCP servers`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=T({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=O(n),i=F(`Fetching MCP status...`);i.start();let a=await(await H(r,n,e)).backend.getMcpStatus();if(i.stop(),t.json)A(a);else{let e=Object.entries(a);e.length===0?P(`No MCP servers configured`):k(e.map(([e,t])=>{let n=t;return{name:e,status:n.status,error:n.error??``}}),[{key:`name`,header:`Name`,width:24},{key:`status`,header:`Status`,width:12},{key:`error`,header:`Error`,width:40}])}}catch(e){B(e)}}),e.command(`restart <sandboxId-or-name>`).description(`Restart the backend agent`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=T({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=O(n),i=F(`Restarting backend...`);i.start(),await(await H(r,n,e)).backend.restart(),i.stop(),j(`Backend restarted`)}catch(e){B(e)}}),e}function vr(e){let t=e.indexOf(`=`);if(t<=0)throw Error(`Invalid --task "${e}": expected format id=message (e.g. t1=summarize README)`);let n=e.slice(0,t).trim(),r=e.slice(t+1).trim();if(!n||!r)throw Error(`Invalid --task "${e}": id and message must be non-empty`);return{id:n,message:r}}function yr(e){let t;try{t=JSON.parse(e)}catch(e){throw Error(`--tasks file is not valid JSON: ${e.message}`)}let n=Array.isArray(t)?t:t?.tasks;if(!Array.isArray(n))throw Error(`--tasks file must contain an array or an object with a "tasks" array`);return n.map((e,t)=>{if(!e||typeof e!=`object`)throw Error(`--tasks[${t}] must be an object`);let n=e,r=typeof n.id==`string`?n.id.trim():``,i=typeof n.message==`string`?n.message:``;if(!r)throw Error(`--tasks[${t}].id must be a non-empty string`);if(!i.trim())throw Error(`--tasks[${t}].message must be a non-empty string`);let a={id:r,message:i};return n.context&&typeof n.context==`object`&&(a.context=n.context),typeof n.timeoutMs==`number`&&n.timeoutMs>0&&(a.timeoutMs=n.timeoutMs),a})}function br(e){let t=e.readFile??(e=>u(e,`utf8`)),n=[];e.file&&n.push(...yr(t(e.file)));for(let t of e.inline??[])n.push(vr(t));if(n.length===0)throw Error(`No tasks provided. Use --tasks <file> and/or --task id=message.`);let r=new Set;for(let e of n){if(r.has(e.id))throw Error(`Duplicate task id: ${e.id}`);r.add(e.id)}return n}function xr(e){if(e!==`fastest`&&e!==`balanced`&&e!==`cheapest`)throw Error(`--scaling must be one of: fastest, balanced, cheapest (got "${e}")`);return e}function Sr(e){let t=e.trim(),n=t.indexOf(`/`);if(n<=0||n===t.length-1)throw Error(`--model must be in the form provider/model (got "${e}")`);return{provider:t.slice(0,n),model:t.slice(n+1)}}function Cr(){let e=new t(`batch`).description(`Run multiple agent tasks in parallel across sandboxes`);return e.command(`run`).description(`Execute a batch of tasks. Provide tasks via --tasks <file.json> and/or repeated --task id=message flags.`).option(`--tasks <file>`,`Path to a JSON file with an array of tasks (or {tasks: [...]})`).option(`--task <id=message>`,`Inline task, id=message. Repeatable.`,(e,t=[])=>[...t,e],[]).option(`--stream`,`Stream per-task events as they arrive`).option(`-t, --timeout <ms>`,`Total batch timeout in milliseconds`,`300000`).option(`--scaling <mode>`,`Scaling mode: fastest | balanced | cheapest`,`balanced`).option(`--persistent`,`Keep sandboxes alive after completion`,!1).option(`--model <provider/model>`,`Model override, e.g. anthropic/claude-sonnet-4-5-20250929`).option(`--profile <id>`,`Named execution profile to apply to every task`).option(`--json`,`Output the final result as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{let t=new AbortController,n=!1,r=()=>{n||(n=!0,P(`Cancel requested — stopping stream...`),t.abort())};process.on(`SIGINT`,r),process.on(`SIGTERM`,r);try{let n=br({file:e.tasks,inline:e.task}),r=xr(e.scaling),i=Number(e.timeout);if(!Number.isFinite(i)||i<=0)throw Error(`--timeout must be a positive number of milliseconds`);let o=O(T({apiKey:e.apiKey,baseUrl:e.baseUrl})),s={type:`opencode`};e.model&&(s.model=Sr(e.model)),e.profile&&(s.profile=String(e.profile));let c={timeoutMs:i,scalingMode:r,persistent:!!e.persistent,signal:t.signal,backend:s};if(e.stream){P(`Streaming batch of ${n.length} task(s)...`),console.log();let t=new Map;for await(let e of o.streamBatch(n,c)){let r=e.data,i=r.taskId??``;switch(e.type){case`batch.started`:P(`Batch started (${r.totalTasks??n.length} tasks)`);break;case`task.started`:i&&console.log(a.dim(`→ ${i} started`));break;case`task.retry`:i&&console.log(a.yellow(`↻ ${i} retry ${r.attempt??`?`}: ${r.error??`retrying`}`));break;case`task.completed`:if(i){let e=r.usage,n=(e?.inputTokens??0)+(e?.outputTokens??0);t.set(i,{success:!0,durationMs:r.durationMs,retries:r.retries,tokensUsed:r.tokensUsed??(n>0?n:void 0),response:r.resultSummary??r.response}),console.log(a.green(`✓ ${i} completed in ${r.durationMs??`?`}ms`+(r.retries?` (${r.retries} retries)`:``)))}break;case`task.failed`:i&&(t.set(i,{success:!1,durationMs:r.durationMs,retries:r.retries,error:r.error}),console.log(a.red(`✗ ${i} failed: ${r.error??`unknown error`}`)));break;case`batch.failed`:throw Error(r.error??`Batch failed`);case`batch.completed`:break}}let r=[...t.values()].filter(e=>e.success).length,i=[...t.values()].filter(e=>!e.success).length,s=[...t.values()].reduce((e,t)=>e+(t.retries??0),0);console.log(),e.json?A({totalTasks:n.length,succeeded:r,failed:i,totalRetries:s,successRate:n.length>0?r/n.length*100:0,results:Array.from(t.entries()).map(([e,t])=>({taskId:e,...t}))}):I({"Total tasks":n.length,Succeeded:r,Failed:i,"Total retries":s,"Success rate":n.length>0?`${(r/n.length*100).toFixed(1)}%`:`0%`}),i>0&&(process.exitCode=1)}else{P(`Running batch of ${n.length} task(s)...`);let t=await o.runBatch(n,c);if(e.json)A(t);else if(console.log(),I({"Total tasks":t.totalTasks,Succeeded:t.succeeded,Failed:t.failed,"Total retries":t.totalRetries,"Success rate":`${t.successRate.toFixed(1)}%`}),t.results.length>0){console.log(),console.log(a.bold(`Task Results`)),console.log(a.dim(`─`.repeat(40)));for(let e of t.results){let t=e.success?a.green(`✓`):a.red(`✗`),n=typeof e.tokensUsed==`number`?` • ${e.tokensUsed} tokens`:``;console.log(`${t} ${e.taskId} ${a.dim(`(${e.durationMs}ms, ${e.retries} retries${n})`)}`),e.error&&console.log(a.red(` ${e.error}`))}}t.failed>0&&(process.exitCode=1)}}catch(e){if(n){console.log(),P(`Batch cancelled.`),process.exitCode=130;return}B(e)}finally{process.off(`SIGINT`,r),process.off(`SIGTERM`,r)}}),e}function wr(){let e=new t(`branch`).description(`Branch a running sandbox into copy-on-write children`);return e.command(`create <sandbox-id-or-name>`).description(`Branch a running sandbox into N copy-on-write children`).option(`--count <n>`,`Number of children to create`,`1`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=Number.parseInt(t.count,10);if(!Number.isInteger(n)||n<1)throw Error(`--count must be an integer >= 1 (got ${t.count})`);let r=T({apiKey:t.apiKey,baseUrl:t.baseUrl}),i=O(r),a=F(`Branching into ${n} child(ren)...`);a.start();let o=await H(i,r,e),s=await o.branch(n);a.stop(),t.json?A(s.map(e=>({sandboxId:e.id}))):(j(`Branched ${s.length} child(ren) from ${o.id}`),k(s.map(e=>({sandboxId:e.id})),[{key:`sandboxId`,header:`Child Sandbox`,width:28}]))}catch(e){B(e)}}),e}const Tr=[`codex`,`claude-code`,`nanoclaw`,`kimi-code`,`opencode`,`pi`,`openclaw`,`hermes`],Er=`https://intelligence.tangle.tools/v1/otlp`,Dr=[`codex`,`claude-code`],Or=[`codex`,`claude-code`,`nanoclaw`],kr=[`SessionStart`,`UserPromptSubmit`,`PreToolUse`,`PostToolUse`,`Stop`],Ar={codex:{kind:`native`,surface:`codex`,label:`Codex`,buildFiles:Ur},"claude-code":{kind:`native`,surface:`claude-code`,label:`Claude Code`,buildFiles:Wr},nanoclaw:{kind:`native`,surface:`nanoclaw`,label:`NanoClaw`,buildFiles:Wr},"kimi-code":{kind:`manual`,surface:`kimi-code`,label:`Kimi Code`,reason:`Kimi Code loads hooks through an explicit config file, so use standard OTLP env wiring until the native config adapter is verified.`},opencode:{kind:`manual`,surface:`opencode`,label:`OpenCode`,reason:`OpenCode hooks run as plugins; use standard OTLP env wiring until the native plugin adapter is verified.`},pi:{kind:`manual`,surface:`pi`,label:`Pi`,reason:`Pi hooks run through TypeScript extensions; use standard OTLP env wiring until the native extension adapter is verified.`},openclaw:{kind:`manual`,surface:`openclaw`,label:`OpenClaw`,reason:`OpenClaw project hooks require user opt-in; use standard OTLP env wiring until the hook toggle and adapter are verified.`},hermes:{kind:`manual`,surface:`hermes`,label:`Hermes`,reason:`Hermes project plugins require explicit enablement; use standard OTLP env wiring until the plugin adapter is verified.`}};function jr(e){let t=e.split(`,`).map(e=>e.trim()).filter(Boolean).flatMap(e=>Hr(e));return t.length===0?[...Dr]:ri(t)}function Mr(e){return Object.hasOwn(Ar,e)}function Nr(e=process.cwd()){return ee(re(e))||`agent-workspace`}function Pr(){return m(pe(),`.tangle`,`intelligence.json`)}function Fr(e=Pr()){if(!c(e))return null;let t=ei(e),n=ii(t,`apiKey`),r=ii(t,`endpoint`),i=ii(t,`serviceName`),a=ii(t,`environment`);if(!n||!r||!i||!a)throw Error(`${e} is missing apiKey, endpoint, serviceName, or environment`);return{apiKey:n,endpoint:r,serviceName:i,environment:a}}async function Ir(e){let t=re(e.workspace),n=Pr(),r=jr(e.selection),i=[],a=[],o=[],s={apiKey:e.apiKey,endpoint:K(e.endpoint),serviceName:e.serviceName,environment:e.environment};e.dryRun||Zr(n,s),o.push(n);for(let n of r){let r=Ar[n];if(r.kind===`manual`){a.push({agent:r.surface,label:r.label,reason:r.reason});continue}i.push(r.surface);let s=t=>Lr(e.hookCommand,r.surface,t);for(let n of r.buildFiles(s)){let r=m(t,n.relPath);if(e.dryRun){o.push(r);continue}$r(r,JSON.parse(n.content),n.mode),o.push(r)}}return!e.smoke||e.dryRun?{configPath:n,written:o,agents:r,nativeAgents:i,manual:a}:{configPath:n,written:o,agents:r,nativeAgents:i,manual:a,smokeTraceId:await zr({agent:i[0]??r[0]??`codex`,event:`install.smoke`,endpoint:s.endpoint,apiKey:s.apiKey,serviceName:s.serviceName,environment:s.environment,sessionId:`install-smoke-${Date.now()}`,payload:{source:`tangle intelligence connect`}})}}function Lr(e,t,n){return`${e.trim()} --agent ${t} --event ${n} --non-blocking`}function Rr(e){let t=BigInt(Date.now())*1000000n,n=oi(16),r=oi(8),i=e.sessionId??Gr(e.payload),a={"service.name":e.serviceName,"deployment.environment":e.environment,"tangle.agent.surface":e.agent,"tangle.agent.hook.event":e.event,"tangle.agent.hook.source":`local-hook`,...Kr(e.payload)};return i&&(a[`session.id`]=i,a[`gen_ai.conversation.id`]=i,a[`tangle.sessionId`]=i),{body:{resourceSpans:[{resource:{attributes:[si(`service.name`,e.serviceName),si(`deployment.environment`,e.environment),si(`tangle.agent.surface`,e.agent)]},scopeSpans:[{scope:{name:`tangle.intelligence.agent-hook`,version:`1.0.0`},spans:[{traceId:n,spanId:r,name:`agent.${e.agent}.${e.event}`,kind:1,startTimeUnixNano:t.toString(),endTimeUnixNano:(t+1000000n).toString(),attributes:Object.entries(a).map(([e,t])=>si(e,t)),status:{code:1}}]}]}]},traceId:n}}async function zr(e){let{body:t,traceId:n}=Rr(e),r=await fetch(`${K(e.endpoint)}/v1/traces`,{method:`POST`,headers:{Authorization:`Bearer ${e.apiKey}`,"Content-Type":`application/json`},body:JSON.stringify(t)});if(!r.ok){let e=await r.text().catch(()=>``);throw Error(`OTLP smoke ingest failed: ${r.status}${e?` ${e}`:``}`)}return n}function Br(e){return K(e).replace(/\/v1\/otlp$/,``).replace(/\/+$/,``)}async function Vr(e){let t=`${Br(e.endpoint)}/v1/onboarding/status`,n=await fetch(t,{headers:{Authorization:`Bearer ${e.apiKey}`},signal:e.timeoutMs&&e.timeoutMs>0?AbortSignal.timeout(e.timeoutMs):void 0});if(!n.ok){let e=await n.text().catch(()=>``);throw Error(`onboarding status request failed: ${n.status}${e?` ${e}`:``}`)}let r=await n.json();return{tracesSeen:!!r.tracesSeen,contentSeen:!!r.contentSeen,lastSeenAt:typeof r.lastSeenAt==`string`?r.lastSeenAt:null,windowDays:typeof r.windowDays==`number`?r.windowDays:7,byAgent:r.byAgent&&typeof r.byAgent==`object`?r.byAgent:{}}}function K(e){let t=e.trim().replace(/\/+$/,``);return t.endsWith(`/v1/traces`)?t.slice(0,-10):t.endsWith(`/v1/logs`)?t.slice(0,-8):t}function Hr(e){switch(e){case`local`:case`both`:return[...Dr];case`all`:return[...Or];case`claude`:return[`claude-code`];case`kimi`:return[`kimi-code`];default:if(Mr(e))return[e];throw Error(`agent must be one of: local, all, both, ${Tr.join(`, `)}`)}}function Ur(e){let t=Object.fromEntries(kr.map(t=>[t,[{command:e(t),timeoutMs:3e3,blocking:!1,matcher:`*`}]]));return[{relPath:`.codex/hooks.json`,content:JSON.stringify({hooks:t},null,2)}]}function Wr(e){let t=Object.fromEntries(kr.map(t=>[t,[{matcher:`*`,hooks:[{type:`command`,command:e(t),timeout:3}]}]]));return[{relPath:`.claude/settings.json`,content:JSON.stringify({hooks:t},null,2)}]}function Gr(e){return Jr(e,[`session.id`,`sessionId`,`session_id`,`conversationId`,`conversation_id`,`threadId`,`thread_id`,`transcriptId`,`transcript_id`])||process.env.TANGLE_SESSION_ID||process.env.CODEX_THREAD_ID||process.env.CLAUDE_SESSION_ID||process.env.OPENCODE_SESSION_ID}function Kr(e){let t={},n=qr(e,[`tool.name`,`toolName`,`tool_name`,`tool`]),r=qr(e,[`command`,`cmd`,`shell_command`,`shellCommand`]),i=qr(e,[`tool.input`,`toolInput`,`tool_input`,`input`,`arguments`,`args`]),a=qr(e,[`tool.output`,`toolOutput`,`tool_output`,`output`,`result`]),o=qr(e,[`tool.exit_code`,`exitCode`,`exit_code`,`status`]),s=qr(e,[`tool.error.message`,`errorMessage`,`error_message`,`error`]);return n&&(t[`tool.name`]=n),r&&(t[`process.command`]=r),i&&(t[`tool.input.summary`]=i),a&&(t[`tool.output.summary`]=a),o&&(t[`tool.exit_code`]=o),s&&(t[`tool.error.message`]=s),t}function qr(e,t){let n=Yr(e,t);if(n===void 0)return null;if(typeof n==`string`)return Xr(n);if(typeof n==`number`||typeof n==`boolean`||typeof n==`bigint`)return String(n);try{return Xr(JSON.stringify(n))}catch{return null}}function Jr(e,t){let n=Yr(e,t);return typeof n==`string`&&n.length>0?n:void 0}function Yr(e,t){if(typeof e!=`object`||!e)return;let n=[e],r=new Set;for(;n.length;){let e=n.pop();if(typeof e!=`object`||!e||r.has(e))continue;r.add(e);let i=e;for(let e of t){let t=i[e];if(t!=null&&t!==``)return t}for(let e of Object.values(i))typeof e==`object`&&e&&n.push(e)}}function Xr(e){return e.length>4096?`${e.slice(0,4093)}...`:e}function Zr(e,t){Qr(e,`${JSON.stringify(t,null,2)}\n`)}function Qr(e,t){l(te(e),{mode:448,recursive:!0});let n=`${e}.${process.pid}.tmp`;f(n,t,{mode:384}),d(n,e)}function $r(e,t,n){l(te(e),{recursive:!0});let r=ti(ei(e),t);f(e,`${JSON.stringify(r,null,2)}\n`,{mode:n??420})}function ei(e){if(!c(e))return{};let t=JSON.parse(u(e,`utf8`));if(!ai(t))throw Error(`${e} must contain a JSON object`);return t}function ti(e,t){let n={...e};for(let[e,r]of Object.entries(t)){let t=n[e];ai(t)&&ai(r)?n[e]=ti(t,r):Array.isArray(t)&&Array.isArray(r)?n[e]=ni([...t,...r]):n[e]=r}return n}function ni(e){let t=new Set,n=[];for(let r of e){let e=JSON.stringify(r);t.has(e)||(t.add(e),n.push(r))}return n}function ri(e){return[...new Set(e)]}function ii(e,t){let n=e[t];return typeof n==`string`&&n.length>0?n:void 0}function ai(e){return typeof e==`object`&&!!e&&!Array.isArray(e)&&(Object.getPrototypeOf(e)===Object.prototype||Object.getPrototypeOf(e)===null)}function oi(e){return r(e).toString(`hex`)}function si(e,t){return{key:e,value:{stringValue:t}}}const ci=`tangle.opencode-exporter`,li=16384;function ui(e){return e.length<=li?e:`${e.slice(0,li-1)}…`}function q(e,t){return{key:e,value:{stringValue:t}}}function di(e){if(!e||typeof e!=`object`)return null;let t=e,n=y(t.type);return n?{type:n,properties:t.properties&&typeof t.properties==`object`?t.properties:void 0}:null}function fi(e,t){let n=[q(`event.name`,e),q(`gen_ai.system`,`opencode`),q(`service.name`,`opencode`)];return t&&(n.push(q(`session.id`,t)),n.push(q(`gen_ai.conversation.id`,t))),n}function pi(e){if(!e)return null;let t=e.part,n=e.info;return y(t?.sessionID)??y(n?.sessionID)??y(e.sessionID)??null}function mi(e,t){let n=y(e.role)??y(e.info?.role);if(n)return n.toLowerCase();let r=y(e.messageID),i=t?.(r)??null;return i?i.toLowerCase():null}function hi(e,t,n){let r=[],i=pi(e.properties),a=(n,r)=>({timeUnixNano:t,severityNumber:9,severityText:`INFO`,...n===null?{}:{body:{stringValue:ui(n)}},attributes:[...fi(e.type,i),...r]});if(e.type===`message.part.updated`){let t=e.properties?.part;if(!t)return r;let i=y(t.type);if(i===`text`||i===`reasoning`){let e=y(t.text);if(e){let i=mi(t,n)===`user`?xe:be;r.push(a(e,[q(i,ui(e))]))}return r}if(i===`tool`){let e=y(t.tool),n=t.state,i=Ee(n?.input),o=Ee(n?.output),s=y(n?.error)??(typeof n?.error==`object`&&n?.error!==null?Ee(n.error):null);if(e||i){let t=[];e&&t.push(q(Ce,e)),i&&t.push(q(Se,ui(i))),r.push(a(null,t))}let c=o??s;if(c){let t=[q(we,ui(c))];e&&t.push(q(Ce,e)),r.push(a(c,t))}return r}return r}if(e.type===`session.next.text.delta`||e.type===`session.next.text.ended`){let t=e.properties??{},n=y(t.text)??(e.type===`session.next.text.delta`?y(t.delta):null);return n&&r.push(a(n,[q(be,ui(n))])),r}return r}function gi(e=process.env.OTEL_RESOURCE_ATTRIBUTES){if(!e)return null;for(let t of e.split(`,`)){let e=t.indexOf(`=`);if(e===-1||t.slice(0,e).trim()!==Te)continue;let n=t.slice(e+1).trim();if(n.length>0)return n}return null}function _i(e,t){if(e.length===0)return null;let n=[q(`service.name`,`opencode`),q(`gen_ai.system`,`opencode`),q(`telemetry.sdk.name`,ci)];return t&&t.trim().length>0&&n.push(q(Te,t.trim())),{resourceLogs:[{resource:{attributes:n},scopeLogs:[{scope:{name:ci,version:`1.0.0`},logRecords:e}]}]}}function vi(e){return(e??process.env.OPENCODE_BASE_URL??`http://127.0.0.1:4096`).replace(/\/+$/,``)}async function yi(e){let t=K(e.endpoint),n=await(e.fetchImpl??fetch)(`${t}/v1/logs`,{method:`POST`,headers:{Authorization:`Bearer ${e.apiKey}`,"Content-Type":`application/json`},body:JSON.stringify(e.request),signal:e.timeoutMs&&e.timeoutMs>0?AbortSignal.timeout(e.timeoutMs):void 0});if(!n.ok){let e=await n.text().catch(()=>``);throw Error(`OpenCode OTLP logs ingest failed: ${n.status}${e?` ${e}`:``}`)}}var bi=class extends Error{partial;constructor(e,t){let n=e instanceof Error?e.message:String(e);super(n),this.name=`OpencodeExporterError`,this.partial=t,e instanceof Error&&(this.cause=e)}};function xi(){return(BigInt(Date.now())*1000000n).toString()}async function Si(e){let t=vi(e.opencodeBaseUrl),n=e.nowUnixNano??xi,r=e.fetchImpl??fetch,i=e.subjectKey===void 0?gi():e.subjectKey,a=await r(`${t}/event`,{headers:{Accept:`text/event-stream`},signal:e.signal});if(!a.ok){let e=await a.text().catch(()=>``);throw Error(`OpenCode event subscribe failed: ${a.status} at ${t}/event${e?` ${e}`:``}. Is OpenCode running with 'opencode serve'?`)}if(!a.body)throw Error(`OpenCode event stream at ${t}/event returned no body — cannot subscribe`);let o={eventsSeen:0,contentEventsExported:0,recordsExported:0},s=new Map,c=e=>e?s.get(e)??null:null;try{for await(let t of de(a.body,{signal:e.signal})){o.eventsSeen++;let a=di(t.data);if(!a)continue;if(a.type===`message.updated`){let e=a.properties?.info,t=y(e?.id),n=y(e?.role);t&&n&&s.set(t,n);continue}let l=hi(a,n(),c),u=_i(l,i);u&&(await yi({endpoint:e.endpoint,apiKey:e.apiKey,request:u,timeoutMs:e.postTimeoutMs,fetchImpl:r}),o.contentEventsExported++,o.recordsExported+=l.length,e.onExport?.({eventType:a.type,records:l.length}))}}catch(e){if(e instanceof Error&&(e.name===`AbortError`||e.message.toLowerCase().includes(`abort`)))return o;throw new bi(e,o)}return o}const Ci=[`claude-code`,`codex`,`opencode`,`openclaw`,`hermes`,`nanoclaw`],wi={"claude-code":`Claude Code`,codex:`Codex`,opencode:`OpenCode`,openclaw:`OpenClaw`,hermes:`Hermes`,nanoclaw:`NanoClaw`},Ti=`# >>> tangle intelligence (claude-code) >>>`,Ei=`# <<< tangle intelligence (claude-code) <<<`;function Di(e){return Ci.includes(e)}function Oi(e){let t=e??process.env.TANGLE_INTELLIGENCE_API_KEY??kt(void 0);if(!t)throw Error(`No Tangle API key found. Pass --api-key, set TANGLE_API_KEY, or run: tangle auth login`);return t}const ki={full:[{key:`OTEL_LOG_USER_PROMPTS`,comment:`the user/task prompt text`},{key:`OTEL_LOG_TOOL_DETAILS`,comment:`tool arguments`},{key:`OTEL_LOG_TOOL_CONTENT`,comment:`full tool input+output bodies`},{key:`OTEL_LOG_RAW_API_BODIES`,comment:`full prompt+completion JSON (richest)`}],prompts:[{key:`OTEL_LOG_USER_PROMPTS`,comment:`the user/task prompt text`},{key:`OTEL_LOG_TOOL_DETAILS`,comment:`tool arguments`}],metadata:[]};function Ai(e,t){return t===`env`?e:/\s/.test(e)?`"${e}"`:e}function ji(e,t){let n=t===`shell`?`export `:t===`dockerfile`?`ENV `:``,r=[];for(let i of e){if(i.kind===`blank`){t===`shell`&&r.push(``);continue}if(i.kind===`comment`){t===`shell`&&r.push(`# ${i.text}`);continue}let e=t===`shell`&&i.comment?` # ${i.comment}`:``;r.push(`${n}${i.key}=${Ai(i.value,t)}${e}`)}return r.join(`
135
+ `)}function Mi(e){let t=K(e.endpoint),n=e.apiKey??"${TANGLE_API_KEY}",r=e.content??`full`,i=e.format??`shell`,a=[{kind:`comment`,text:`Enable + point Claude Code at Tangle (JSON protocol — matches our adapter)`},{kind:`set`,key:`CLAUDE_CODE_ENABLE_TELEMETRY`,value:`1`},{kind:`set`,key:`OTEL_EXPORTER_OTLP_PROTOCOL`,value:`http/json`},{kind:`set`,key:`OTEL_EXPORTER_OTLP_ENDPOINT`,value:t},{kind:`set`,key:`OTEL_EXPORTER_OTLP_HEADERS`,value:`Authorization=Bearer ${n}`}];e.projectKey?a.push({kind:`blank`},{kind:`comment`,text:`Groups your runs into a project so Tangle can roll up + automate per-project:`},{kind:`set`,key:`OTEL_RESOURCE_ATTRIBUTES`,value:`tangle.subject.key=${e.projectKey}`}):a.push({kind:`blank`},{kind:`comment`,text:`Label this project so Tangle rolls up + automates per-project (pick your own):`},{kind:`comment`,text:` export OTEL_RESOURCE_ATTRIBUTES=tangle.subject.key=<your project>`}),a.push({kind:`blank`},{kind:`comment`,text:`CONTENT rides LOG EVENTS, so the logs exporter is MANDATORY.`},{kind:`set`,key:`OTEL_LOGS_EXPORTER`,value:`otlp`,comment:`required for prompt/completion/tool content`},{kind:`set`,key:`OTEL_METRICS_EXPORTER`,value:`otlp`,comment:`tokens / cost`},{kind:`set`,key:`OTEL_TRACES_EXPORTER`,value:`otlp`,comment:`spans (beta)`},{kind:`blank`});let o=ki[r];if(o.length===0)a.push({kind:`comment`,text:`Content gates intentionally OFF (metadata-only: tokens, durations, tool names — no prompt/completion/tool bodies).`});else{a.push({kind:`comment`,text:`THE CONTENT GATES (all default OFF):`});for(let e of o)a.push({kind:`set`,key:e.key,value:`1`,comment:e.comment})}return ji(a,i)}function Ni(e){return[Ti,Mi(e),Ei].join(`
136
+ `)}function Pi(e,t){let n=e.indexOf(Ti);if(n!==-1){let r=e.indexOf(Ei,n);if(r===-1)throw Error(`shell rc has a '${Ti}' marker without its closing '${Ei}' — fix it by hand and re-run`);let i=r+43,a=`${e.slice(0,n)}${t}${e.slice(i)}`;return{contents:a,changed:a!==e}}return{contents:`${e.length===0?``:Fi(e)}${t}\n`,changed:!0}}function Fi(e){return e.endsWith(`
137
137
 
138
138
  `)?e:e.endsWith(`
139
- `)?`${e}\n`:`${e}\n\n`}function Ni(e){let t=[],n={header:null,body:[]};for(let r of e.split(`
140
- `))Pi(r)?(t.push(n),n={header:r.trim(),body:[]}):n.body.push(r);return t.push(n),t.length>1&&t[0].header===null&&t[0].body.every(e=>e.trim()===``)&&t.shift(),t}function Pi(e){let t=e.trim();return t.startsWith(`[`)&&t.endsWith(`]`)&&!t.includes(`=`)||t.startsWith(`[[`)&&t.endsWith(`]]`)}function Fi(e){let t=[];for(let n of e)n.header!==null&&t.push(n.header),t.push(...n.body);return t.join(`
141
- `)}function Ii(e){return[{key:`environment`,line:`environment = "prod"`},{key:`log_user_prompt`,line:`log_user_prompt = true`},{key:`exporter`,line:`exporter = { otlp-http = { endpoint = "${K(e.endpoint)}/v1/logs", protocol = "json", headers = { "Authorization" = "Bearer ${e.apiKey??"${TANGLE_API_KEY}"}" } } }`}]}function Li(e){let t=e.trim();if(t===``||t.startsWith(`#`))return null;let n=t.indexOf(`=`);if(n===-1)return null;let r=t.slice(0,n).trim();return/^[A-Za-z0-9_-]+$/.test(r)?r:null}function Ri(e,t){let n=Ii(t),r=new Set(n.map(e=>e.key));if(e.trim()===``)return{contents:`${[`[otel]`,...n.map(e=>e.line)].join(`
142
- `)}\n`,changed:!0};let i=Ni(e),a=i.find(e=>e.header===`[otel]`);if(!a){let t={header:`[otel]`,body:n.map(e=>e.line)},r=i[i.length-1];r&&!zi(r)&&r.body.push(``),i.push(t);let a=Bi(Fi(i));return{contents:a,changed:a!==Bi(e)}}let o=a.body.filter(e=>{let t=Li(e);return t===null||!r.has(t)}),s=[];for(;o.length>0&&o[o.length-1].trim()===``;)s.unshift(o.pop());a.body=[...o,...n.map(e=>e.line),...s];let c=Bi(Fi(i));return{contents:c,changed:c!==Bi(e)}}function zi(e){return e.body.length>0&&e.body[e.body.length-1].trim()===``}function Bi(e){return e.endsWith(`
143
- `)?e:`${e}\n`}function Vi(e){switch(e){case`claude-code`:return`Claude Code: set OTEL_LOGS_EXPORTER=otlp and the four OTEL_LOG_* gates (OTEL_LOG_USER_PROMPTS, OTEL_LOG_TOOL_DETAILS, OTEL_LOG_TOOL_CONTENT, OTEL_LOG_RAW_API_BODIES).`;case`codex`:return`Codex: set log_user_prompt = true in [otel] (default false redacts content).`;case`opencode`:return`OpenCode: a standalone install emits nothing without the tangle-opencode-exporter shim; inside a Tangle sandbox it is already instrumented.`}}function Hi(){let e=process.env.SHELL??``;return e.includes(`zsh`)?m(pe(),`.zshrc`):e.includes(`bash`)?m(pe(),`.bashrc`):m(pe(),`.zshrc`)}function Ui(e){return c(e)?u(e,`utf8`):``}function Wi(e,t){l(te(e),{recursive:!0});let n=`${e}.${process.pid}.tmp`;f(n,t,{mode:384}),s(n,384),d(n,e)}function Gi(){return new t(`connect`).description(`Connect a local coding agent's telemetry to Tangle Intelligence, content on (for SDK integration snippets, see 'tangle agent connect')`).argument(`[agent]`,`claude-code | codex | opencode`).option(`--api-key <key>`,`Tangle API key (or set TANGLE_API_KEY)`).option(`--endpoint <url>`,`OTLP endpoint base`,Er).option(`-p, --project <key>`,`Project label (tangle.subject.key) to group runs; omit to set it yourself`).option(`--rc <path>`,`Shell rc file to append the Claude Code env block to`).option(`--no-write`,`Print the config instead of writing files (Claude Code / Codex)`).option(`--inline-key`,"Embed the resolved API key literally in the config (default: keep ${TANGLE_API_KEY})").option(`--verify`,`Poll onboarding status and report whether CONTENT is flowing`).option(`--timeout <seconds>`,`Verify poll timeout in seconds`,`120`).option(`--run`,`OpenCode only: run the content exporter against a live OpenCode server until interrupted`).option(`--opencode-url <url>`,`OpenCode server base URL for --run (or set OPENCODE_BASE_URL)`).action(async(e,t)=>{try{let n=K(t.endpoint);if(t.run){if((e?qi(e):`opencode`)!==`opencode`)throw Error(`--run is OpenCode-only: it runs the content exporter against a live OpenCode server. Other agents export natively once configured.`);await $i({endpoint:n,apiKey:Oi(t.apiKey),opencodeUrl:t.opencodeUrl});return}if(t.verify){await ea({endpoint:n,apiKey:Oi(t.apiKey),agent:e?qi(e):void 0,timeoutSeconds:Ji(t.timeout,`timeout`)});return}let r=e?qi(e):await Yi(),i=t.inlineKey?Oi(t.apiKey):void 0;r===`claude-code`?await Xi({endpoint:n,apiKey:i,projectKey:t.project,rcPath:t.rc,write:t.write!==!1}):r===`codex`?Zi({endpoint:n,apiKey:i,projectKey:t.project,write:t.write!==!1}):Qi({endpoint:n}),console.log(),P(`Run your agent on a real task, then verify content is flowing: tangle connect ${r} --verify`)}catch(e){B(e)}})}function Ki(){return new t(`opencode-exporter`).description(`Export a running OpenCode's content to Tangle Intelligence (standalone shim)`).option(`--api-key <key>`,`Tangle API key (or set TANGLE_API_KEY)`).option(`--endpoint <url>`,`OTLP endpoint base`,Er).option(`--opencode-url <url>`,`OpenCode server base URL (or set OPENCODE_BASE_URL)`).action(async e=>{try{await $i({endpoint:K(e.endpoint),apiKey:Oi(e.apiKey),opencodeUrl:e.opencodeUrl})}catch(e){B(e)}})}function qi(e){if(Di(e))return e;throw Error(`Unknown agent '${e}'. Choose one of: ${Ci.join(`, `)}`)}function Ji(e,t){let n=Number.parseInt(e,10);if(!Number.isFinite(n)||n<=0)throw Error(`--${t} must be a positive integer`);return n}async function Yi(){if(!process.stdin.isTTY)throw Error(`Specify an agent: tangle connect <${Ci.join(`|`)}>`);console.log(`Which coding agent are you connecting?`),Ci.forEach((e,t)=>{console.log(` ${t+1}) ${wi[e]} (${e})`)});let e=await G(`Enter a number or name`,`1`);return Ci[Number.parseInt(e,10)-1]||qi(e.trim())}async function Xi(e){let t=ki({endpoint:e.endpoint,apiKey:e.apiKey,projectKey:e.projectKey});if(console.log(t),console.log(),P(`Privacy tiers: OTEL_LOG_RAW_API_BODIES=1 ships the whole conversation (extended-thinking redacted). Drop it and keep OTEL_LOG_USER_PROMPTS + OTEL_LOG_TOOL_DETAILS for task, prompts, and tool args only. Secrets are scrubbed server-side regardless.`),!e.write)return;let n=e.rcPath??Hi(),r=process.stdin.isTTY?await G(`Append this idempotent block to ${n}? (y/N)`,`n`):`n`;if(r.toLowerCase()!==`y`&&r.toLowerCase()!==`yes`){console.log(),P(`Not writing. To append later: tangle connect claude-code --rc ${n}`);return}let i=Ai({endpoint:e.endpoint,apiKey:e.apiKey,projectKey:e.projectKey}),{contents:a,changed:o}=ji(Ui(n),i);if(!o){console.log(),M(`Already present in ${n} — nothing to change.`);return}Wi(n,a),console.log(),M(`Wrote Tangle Intelligence env block to ${n}.`),P(`Reload your shell (e.g. 'source ${n}') before running the agent.`)}function Zi(e){let t=m(pe(),`.codex`,`config.toml`),{contents:n,changed:r}=Ri(Ui(t),{endpoint:e.endpoint,apiKey:e.apiKey});if(!e.write){console.log(n.trimEnd());return}if(!r){M(`${t} already has the Tangle [otel] block — nothing to change.`);return}Wi(t,n),M(`Merged the Tangle [otel] block into ${t}.`),P("Codex emits content on the logs signal (codex.* events). Set TANGLE_API_KEY in your env before running if you kept the ${TANGLE_API_KEY} reference."),P(`Label this project so Tangle rolls up + automates per-project: export OTEL_RESOURCE_ATTRIBUTES=tangle.subject.key=${e.projectKey??`<your project>`} before running codex.`)}function Qi(e){let t=K(e.endpoint);Zt(`OpenCode has no native OTel exporter, so a standalone install emits nothing without a shim.`),console.log(),I({"Inside a Tangle sandbox":`already instrumented — our adapter exports OpenCode's event-stream content. Nothing to do.`,Standalone:`run 'tangle connect opencode --run' alongside a running OpenCode, exporting to ${t}.`}),console.log(),P(`Start OpenCode in server mode ('opencode serve'), then in another terminal run: tangle connect opencode --run`),P(`The exporter subscribes to OpenCode's SSE event bus and exports content-bearing OTLP (prompt/completion/tool content) to Tangle. Verify with: tangle connect opencode --verify`),P(`Label this project so Tangle rolls up + automates per-project: export OTEL_RESOURCE_ATTRIBUTES=tangle.subject.key=my-project before starting the exporter.`)}async function $i(e){let t=vi(e.opencodeUrl),n=new AbortController,r=()=>n.abort();process.on(`SIGINT`,r),process.on(`SIGTERM`,r),P(`Subscribing to OpenCode at ${t} — exporting content to Tangle.`),P(`Run OpenCode tasks now. Press Ctrl-C to stop.`),console.log();let i=0,a;try{a=await Si({endpoint:e.endpoint,apiKey:e.apiKey,opencodeBaseUrl:t,signal:n.signal,onExport:({eventType:e,records:t})=>{i+=t,P(`exported ${t} record(s) from ${e} (total ${i})`)}})}catch(e){if(e instanceof bi){let{recordsExported:t,contentEventsExported:n}=e.partial;console.log(),Zt(`Exporter failed after exporting ${t} content record(s) from ${n} event(s): ${e.message}`)}throw e}finally{process.off(`SIGINT`,r),process.off(`SIGTERM`,r)}if(console.log(),a.contentEventsExported===0){Zt(`Saw ${a.eventsSeen} event(s) but none carried content. Run a real OpenCode task (a prompt that produces text or a tool call), then re-run.`);return}M(`Exported ${a.recordsExported} content record(s) from ${a.contentEventsExported} event(s).`),P(`Verify it landed: tangle connect opencode --verify`)}async function ea(e){let t=Date.now()+e.timeoutSeconds*1e3,n=3e3,r=Math.min(e.timeoutSeconds*1e3,1e4),i=F(`Checking whether content is flowing…`);i.start();let a;try{for(;;){try{a=await Vr({endpoint:e.endpoint,apiKey:e.apiKey,timeoutMs:r})}catch(e){if(Date.now()>=t)throw e;await na(n);continue}if(a.contentSeen||Date.now()>=t)break;await na(n)}}finally{i.stop()}if(!a)throw Error(`onboarding status check returned no result`);ta(a,e.agent),a.contentSeen||(process.exitCode=1)}function ta(e,t){if(e.contentSeen){M(`Content flowing — Tangle Intelligence can analyze this feed.`),I({"Last seen":e.lastSeenAt??`just now`,Window:`${e.windowDays}d`});return}if(e.tracesSeen){Zt(`Metadata-only — traces are arriving but carry no content. You missed a content gate.`);let n=t?[t]:Object.keys(e.byAgent).filter(Di),r=n.length>0?n:Ci;for(let n of r){let r=e.byAgent[n];(t||!r||r.tracesSeen&&!r.contentSeen)&&P(Vi(n))}return}Zt(`No traces yet for your tenant. Run your agent once on a real task, then re-run --verify.`),t&&P(Vi(t))}function na(e){return new Promise(t=>setTimeout(t,e))}function ra(){let e=new t(`environments`).alias(`env`).description(`Manage sandbox environments`);return e.command(`list`).alias(`ls`).description(`List available environments`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=k(E({apiKey:e.apiKey,baseUrl:e.baseUrl})),n=F(`Fetching environments...`);e.json||n.start();let r=await t.environments.list();n.stop(),e.json?j(r):r.length===0?console.log(`No environments found`):z([`ID`,`Description`,`Version`],r.map(e=>[e.id,e.description??``,e.version]))}catch(e){B(e)}}),e.command(`get`).description(`Get environment details`).argument(`<id>`,`Environment ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=k(E({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=F(`Fetching environment...`);t.json||r.start();let i=await n.environments.get(e);if(r.stop(),!i){console.error(`Environment not found: ${e}`),process.exit(1);return}t.json?j(i):(console.log(`ID: ${i.id}`),console.log(`Description: ${i.description??`-`}`),console.log(`Version: ${i.version}`),i.base&&console.log(`Base: ${i.base}`))}catch(e){B(e)}}),e}function ia(){return new t(`exec`).description(`Execute a command in a sandbox`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`<command...>`,`Command to execute`).option(`--cwd <dir>`,`Working directory`).option(`--env <vars...>`,`Environment variables (KEY=VALUE)`).option(`-t, --timeout <ms>`,`Timeout in milliseconds`,`60000`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=E({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=k(r),a=t.join(` `),o={};if(n.env)for(let e of n.env){let[t,...n]=e.split(`=`);t&&n.length>0&&(o[t]=n.join(`=`))}let s=F(`Executing: ${a}`);n.json||s.start();let c=await H(i,r,e);c=await U(c);let l=await c.exec(a,{cwd:n.cwd,env:Object.keys(o).length>0?o:void 0,timeoutMs:Number.parseInt(n.timeout,10)});s.stop(),n.json?j(l):(l.stdout&&process.stdout.write(l.stdout),l.stderr&&process.stderr.write(l.stderr),l.exitCode!==0&&process.exit(l.exitCode))}catch(e){if(e instanceof g){let t=`Exec transport lost before command status was confirmed. Remote command status is unknown. Original error: ${e.message}. For long-running commands, use \`tangle process spawn\`, \`tangle process logs\`, and \`tangle process kill --tree\`.`;return B(Error(t,{cause:e}))}B(e)}})}const aa=[`list`,`create`,`delete`,`exec`,`prompt`,`read`,`write`];function oa(){let e=new t(`fleet`).description(`Manage sandbox fleets`);return e.command(`create`).description(`Create a sandbox fleet`).option(`--fleet-id <id>`,`Stable fleet id (generated when omitted)`).option(`--count <n>`,`Number of worker machines`,`1`).option(`--image <env>`,`Environment/image for each machine`).option(`--cpu <cores>`,`CPU cores per machine`).option(`--memory <mb>`,`Memory in MB per machine`).option(`--disk <gb>`,`Disk in GB per machine`).option(`--driver <type>`,`Infrastructure driver type`).option(`--backend <id>`,`Agent backend type`).option(`--workspace <mode>`,`Workspace mode: isolated | shared`,`isolated`).option(`--max-spend-usd <n>`,`Fleet spend cap in USD (policy)`).option(`--max-lifetime <s>`,`Max machine lifetime in seconds (policy)`).option(`--spec <file.json>`,`Path to a JSON file describing the fleet (overrides synthesized machines)`).option(`--coordinator`,`Create a coordinator + workers fleet (routes to createWithCoordinator)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=k(E({apiKey:e.apiKey,baseUrl:e.baseUrl})),n=F(`Creating fleet...`);n.start();let r=e.coordinator?await t.fleets.createWithCoordinator(ua(e)):await t.fleets.create(la(e));n.stop();let i=pa(r.machines);e.json?j({fleetId:r.fleetId,machines:i}):(M(`Fleet created: ${r.fleetId}`),A(i,[{key:`machineId`,header:`Machine`,width:20},{key:`sandboxId`,header:`Sandbox`,width:24},{key:`status`,header:`Status`,width:14}]))}catch(e){B(e)}}),e.command(`list <fleet-id>`).description(`List the machines of one fleet (fleet id is required)`).option(`--status <status>`,`Filter machines by status`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=k(E({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=F(`Fetching fleet...`);r.start();let i=await n.fleets.list({fleetId:e,status:t.status});r.stop();let a=pa(i.machines);t.json?j({fleetId:i.fleetId,machines:a}):A(a,[{key:`machineId`,header:`Machine`,width:20},{key:`sandboxId`,header:`Sandbox`,width:24},{key:`status`,header:`Status`,width:14}])}catch(e){B(e)}}),e.command(`get <fleet-id>`).description(`Show one fleet's manifest (server record)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=k(E({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=F(`Fetching manifest...`);r.start();let i=await n.fleets.manifest(e);r.stop(),t.json?j(i):(I({"Fleet ID":i.fleetId??i.id,Machines:i.machines.length,"Workspace mode":i.workspace?.mode,"Workspace status":i.workspace?.status,"Max lifetime (s)":i.policy?.maxLifetimeSeconds,"Max spend (USD)":i.policy?.maxSpendUsd,Created:i.createdAt,Updated:i.updatedAt}),A(i.machines.map(e=>({machineId:e.machineId,sandboxId:e.sandboxId,role:e.role,status:e.status})),[{key:`machineId`,header:`Machine`,width:20},{key:`sandboxId`,header:`Sandbox`,width:24},{key:`role`,header:`Role`,width:14},{key:`status`,header:`Status`,width:14}]))}catch(e){B(e)}}),e.command(`delete <fleet-id>`).description(`Delete a fleet's machine sandboxes and its record`).option(`--continue-on-error`,`Keep deleting remaining machines if one delete fails`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=k(E({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=F(`Deleting fleet...`);r.start(),await n.fleets.delete(e,{continueOnError:t.continueOnError}),r.stop(),t.json?j({success:!0,fleetId:e}):M(`Fleet deleted: ${e}`)}catch(e){B(e)}}),e.command(`reap`).description(`TTL cleanup of all expired fleets (fleet-wide)`).option(`--dry-run`,`Report what would be reaped without deleting`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=k(E({apiKey:e.apiKey,baseUrl:e.baseUrl})),n=F(`Reaping expired fleets...`);n.start();let r=await t.fleets.reapExpired({dryRun:e.dryRun});n.stop(),e.json?j(r):(I({"Dry run":r.dryRun,Expired:r.expired,Deleted:r.deleted}),A(r.fleets.map(e=>({fleetId:e.fleetId,expiredAt:e.expiredAt,deleted:e.deleted})),[{key:`fleetId`,header:`Fleet`,width:24},{key:`expiredAt`,header:`Expired`,width:18},{key:`deleted`,header:`Deleted`,width:10}]))}catch(e){B(e)}}),e.command(`reconcile`).description(`Drop fleet records whose underlying sandboxes vanished`).option(`--dry-run`,`Report orphans without removing them`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=k(E({apiKey:e.apiKey,baseUrl:e.baseUrl})),n=F(`Reconciling fleets...`);n.start();let r=await t.fleets.reconcile({dryRun:e.dryRun});n.stop(),e.json?j(r):(I({"Dry run":r.dryRun,Checked:r.checked,Orphaned:r.orphaned,Removed:r.removed}),A(r.machines.map(e=>({fleetId:e.fleetId,machineId:e.machineId,sandboxId:e.sandboxId,removed:e.removed})),[{key:`fleetId`,header:`Fleet`,width:24},{key:`machineId`,header:`Machine`,width:20},{key:`sandboxId`,header:`Sandbox`,width:24},{key:`removed`,header:`Removed`,width:10}]))}catch(e){B(e)}}),e.addCommand(sa()),e.command(`exec <fleet-id> <command>`).description(`Run a shell command across the fleet's machines`).option(`--machine <id...>`,`Restrict to a subset of machine ids (default: all)`).option(`--cwd <dir>`,`Working directory for the command`).option(`--timeout <ms>`,`Per-machine timeout in milliseconds`).option(`--max-concurrent <n>`,`Max concurrent dispatches`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=k(E({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=F(`Dispatching command...`);i.start();let a=await(await r.fleets.list({fleetId:e})).dispatchExecDetailed(t,{machines:n.machine,cwd:n.cwd,timeoutMs:n.timeout?Number(n.timeout):void 0,maxConcurrent:n.maxConcurrent?Number(n.maxConcurrent):void 0});if(i.stop(),n.json)j(a);else{A(a.results.map(e=>({machineId:e.machineId,ok:e.ok,exitCode:e.result?.exitCode,durationMs:e.durationMs})),[{key:`machineId`,header:`Machine`,width:20},{key:`ok`,header:`OK`,width:6},{key:`exitCode`,header:`Exit`,width:8},{key:`durationMs`,header:`Duration(ms)`,width:14}]);for(let e of a.results){let t=e.result?.stdout,n=e.result?.stderr;t&&(console.log(`\n[${e.machineId}] stdout:`),console.log(t)),n&&(console.log(`\n[${e.machineId}] stderr:`),console.log(n)),e.error&&console.log(`\n[${e.machineId}] error: ${e.error.message}`)}}a.results.some(e=>e.ok===!1)&&(process.exitCode=1)}catch(e){B(e)}}),e.command(`capabilities`).description(`List fleet drivers and their supported features`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=k(E({apiKey:e.apiKey,baseUrl:e.baseUrl})),n=F(`Fetching capabilities...`);n.start();let r=await t.fleets.capabilities();n.stop(),e.json?j(r):A(r.drivers.map(e=>({driverType:e.driverType,sharedWorkspace:e.sharedWorkspace,accelerators:e.accelerators,queueTimings:e.queueTimings})),[{key:`driverType`,header:`Driver`,width:16},{key:`sharedWorkspace`,header:`Shared WS`,width:12},{key:`accelerators`,header:`Accel`,width:8},{key:`queueTimings`,header:`Queue`,width:8}])}catch(e){B(e)}}),e.command(`usage <fleet-id>`).description(`Show fleet usage and reliability insights`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=k(E({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=F(`Fetching usage...`);r.start();let i=await n.fleets.usage(e);if(r.stop(),t.json)j(i);else if(I({"Fleet ID":i.usage.fleetId,Status:i.usage.status,Machines:i.usage.machineCount,Running:i.usage.runningMachines,Failed:i.usage.failedMachines,"Runtime (ms)":i.usage.meteredUsage?.runtimeMs,"Reliability score":i.insights.reliabilityScore,"Failure rate":i.insights.failureRate}),i.insights.recommendedActions.length>0){console.log(`
144
- Recommended actions:`);for(let e of i.insights.recommendedActions)console.log(` - ${e}`)}}catch(e){B(e)}}),e.command(`cost <fleet-id>`).description(`Show the fleet's cost estimate`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=k(E({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=F(`Estimating cost...`);r.start();let i=await n.fleets.cost(e);r.stop(),t.json?j(i):I({Plan:i.plan,Currency:i.currency,"Hourly (USD)":i.hourlyUsd,"Max lifetime (s)":i.maxLifetimeSeconds,"Estimated max lifetime (USD)":i.estimatedMaxLifetimeUsd,Machines:i.requestedResources.machines,"Total CPU":i.requestedResources.totalCpu,"Total memory (MB)":i.requestedResources.totalMemoryMb})}catch(e){B(e)}}),e.command(`token <fleet-id>`).description(`Mint a scoped fleet bearer token (treated as a secret)`).option(`--action <a...>`,`Allowed actions: list create delete exec prompt read write`).option(`--ttl-minutes <n>`,`Token lifetime in minutes`).option(`--json`,`Output as JSON (only path that prints the full token)`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=k(E({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=F(`Minting fleet token...`);r.start();let i=await n.fleets.createToken(e,{actions:ma(t.action),ttlMinutes:t.ttlMinutes?Number(t.ttlMinutes):void 0});r.stop(),t.json?j(i):(I({"Fleet ID":i.fleetId,Token:ha(i.token),"Expires at":new Date(i.expiresAt).toISOString(),Actions:i.actions.join(`, `)}),console.log(`
145
- Re-run with --json to print the full token value.`))}catch(e){B(e)}}),e}function sa(){let e=new t(`workspace`).description(`Manage a fleet's shared workspace`);return e.command(`snapshot <fleet-id>`).description(`Snapshot the fleet's shared workspace`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=k(E({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=F(`Creating workspace snapshot...`);r.start();let i=await n.fleets.createWorkspaceSnapshot(e);r.stop(),t.json?j(i):M(`Workspace snapshot created: ${i.snapshotId??i.id}`)}catch(e){B(e)}}),e.command(`restore <fleet-id> <snapshot-id>`).description(`Restore the fleet's shared workspace from a snapshot`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=k(E({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=F(`Restoring workspace...`);i.start();let a=await r.fleets.restoreWorkspaceSnapshot(e,t);i.stop(),n.json?j(a):M(`Workspace restored from ${a.snapshotId??t}`)}catch(e){B(e)}}),e.command(`reconcile <fleet-id>`).description(`Re-mount the shared workspace on all fleet machines`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=k(E({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=F(`Reconciling workspace...`);r.start();let i=await n.fleets.reconcileWorkspace(e);r.stop(),t.json?j(i):(I({"Fleet ID":i.fleetId,Checked:i.checked,"Orphaned mounts":i.orphanedMounts}),A(i.machines.map(e=>({machineId:e.machineId,sandboxId:e.sandboxId,mounted:e.mounted})),[{key:`machineId`,header:`Machine`,width:20},{key:`sandboxId`,header:`Sandbox`,width:24},{key:`mounted`,header:`Mounted`,width:10}]))}catch(e){B(e)}}),e}function ca(e){if(e.spec){let t=JSON.parse(u(e.spec,`utf8`));return{base:{fleetId:e.fleetId,defaults:t.defaults,policy:t.policy,workspace:t.workspace,metadata:t.metadata},machines:t.machines??[]}}let t=da(e),n={...e.image?{environment:e.image}:{},...t?{resources:t}:{},...e.driver?{driver:{type:e.driver}}:{},...e.backend?{backend:{type:e.backend}}:{}},r=fa(e),i=Math.max(1,Number(e.count)||1),a=Array.from({length:i},(e,t)=>({machineId:`worker-${t+1}`}));return{base:{fleetId:e.fleetId,defaults:Object.keys(n).length>0?n:void 0,policy:r,workspace:{mode:e.workspace}},machines:a}}function la(e){let{base:t,machines:n}=ca(e);return{...t,machines:n}}function ua(e){let{base:t,machines:n}=ca(e);return{...t,workers:n}}function da(e){let t={};return e.cpu&&(t.cpuCores=Number(e.cpu)),e.memory&&(t.memoryMB=Number(e.memory)),e.disk&&(t.diskGB=Number(e.disk)),Object.keys(t).length>0?t:void 0}function fa(e){let t={};return e.maxSpendUsd&&(t.maxSpendUsd=Number(e.maxSpendUsd)),e.maxLifetime&&(t.maxLifetimeSeconds=Number(e.maxLifetime)),Object.keys(t).length>0?t:void 0}function pa(e){return[...e.entries()].map(([e,t])=>({machineId:e,sandboxId:t.id,status:t.status}))}function ma(e){if(!(!e||e.length===0)){for(let t of e)if(!aa.includes(t))throw Error(`Invalid token action '${t}'. Allowed: ${aa.join(`, `)}`);return e}}function ha(e){return e.length<=12?`****`:`${e.slice(0,6)}...${e.slice(-4)} (masked — use --json for full value)`}function ga(){let e=new t(`fs`).description(`File system operations on sandboxes`);return J(e.command(`upload`).description(`Upload a file to a sandbox`).argument(`<sandbox-id-or-name>`,`Sandbox ID or name`).argument(`<local-path>`,`Local file path`).argument(`<remote-path>`,`Remote destination path`).option(`--json`,`Output as JSON`)).action(async(e,t,n,r)=>{try{let{context:i,client:a}=Y(r),s=await H(a,i,e);if(s=await U(s),!o.existsSync(t))throw Error(`Local file not found: ${t}`);let c=o.statSync(t),l=Date.now();console.log(`Uploading ${t} to ${n}...`),await s.fs.upload(t,n,{onProgress:e=>{let t=e.percentage.toFixed(1);process.stdout.write(`\rProgress: ${t}% (${e.bytesUploaded}/${e.totalBytes} bytes)`)}});let u=Date.now()-l;console.log(``),r.json?R({success:!0,localPath:t,remotePath:n,size:c.size,durationMs:u}):console.log(`✓ Uploaded ${c.size} bytes in ${u}ms`)}catch(e){L(e,r.json)}}),J(e.command(`download`).description(`Download a file from a sandbox`).argument(`<sandbox-id-or-name>`,`Sandbox ID or name`).argument(`<remote-path>`,`Remote file path`).argument(`<local-path>`,`Local destination path`).option(`--json`,`Output as JSON`)).action(async(e,t,n,r)=>{try{let{context:i,client:a}=Y(r),s=await H(a,i,e);s=await U(s);let c=Date.now();console.log(`Downloading ${t} to ${n}...`),await s.fs.download(t,n,{onProgress:e=>{let t=e.percentage.toFixed(1);process.stdout.write(`\rProgress: ${t}% (${e.bytesDownloaded}/${e.totalBytes} bytes)`)}});let l=Date.now()-c,u=o.statSync(n);console.log(``),r.json?R({success:!0,remotePath:t,localPath:n,size:u.size,durationMs:l}):console.log(`✓ Downloaded ${u.size} bytes in ${l}ms`)}catch(e){L(e,r.json)}}),J(e.command(`ls`).description(`List directory contents`).argument(`<sandbox-id-or-name>`,`Sandbox ID or name`).argument(`[path]`,`Directory path`,`.`).option(`-l, --long`,`Show detailed information`).option(`-a, --all`,`Include hidden files`).option(`--json`,`Output as JSON`)).action(async(e,t,n)=>{try{let{context:r,client:i}=Y(n),a=await H(i,r,e);a=await U(a);let o=await a.fs.list(t.startsWith(`/`)?t:`/${t}`,{all:n.all,long:n.long});if(n.json)R(o);else if(n.long)z([`Mode`,`Owner`,`Group`,`Size`,`Modified`,`Name`],o.map(e=>{let t=e.isDir?`d`:e.isSymlink?`l`:`-`,n=_a(e.permissions),r=e.isDir?`<DIR>`:va(e.size),i=e.modTime.toLocaleDateString();return[t+n,e.owner,e.group,r,i,e.name]}));else{let e=o.map(e=>e.isDir?`${e.name}/`:e.name);console.log(e.join(` `))}}catch(e){L(e,n.json)}}),J(e.command(`stat`).description(`Get file or directory information`).argument(`<sandbox-id-or-name>`,`Sandbox ID or name`).argument(`<path>`,`Path to file or directory`).option(`--json`,`Output as JSON`)).action(async(e,t,n)=>{try{let{context:r,client:i}=Y(n),a=await H(i,r,e);a=await U(a);let o=await a.fs.stat(t.startsWith(`/`)?t:`/${t}`);n.json?R(o):(console.log(` File: ${o.name}`),console.log(` Path: ${o.path}`),console.log(` Size: ${va(o.size)} (${o.size} bytes)`),console.log(` Type: ${o.isDir?`directory`:o.isSymlink?`symlink`:`file`}`),console.log(` Mode: ${_a(o.permissions)} (${o.permissions.toString(8)})`),console.log(` Owner: ${o.owner}`),console.log(` Group: ${o.group}`),console.log(` Modified: ${o.modTime.toISOString()}`),console.log(` Accessed: ${o.accessTime.toISOString()}`))}catch(e){L(e,n.json)}}),J(e.command(`cat`).description(`Print file contents`).argument(`<sandbox-id-or-name>`,`Sandbox ID or name`).argument(`<path>`,`Path to file`).option(`--json`,`Output as JSON`)).action(async(e,t,n)=>{try{let{context:r,client:i}=Y(n),a=await H(i,r,e);a=await U(a);let o=await a.read(t.startsWith(`/`)?t:`/${t}`);n.json?R({path:t,content:o}):console.log(o)}catch(e){L(e,n.json)}}),J(e.command(`rm`).description(`Delete a file or directory`).argument(`<sandbox-id-or-name>`,`Sandbox ID or name`).argument(`<path>`,`Path to delete`).option(`-r, --recursive`,`Delete directories recursively`).option(`--json`,`Output as JSON`)).action(async(e,t,n)=>{try{let{context:r,client:i}=Y(n),a=await H(i,r,e);a=await U(a),await a.fs.delete(t.startsWith(`/`)?t:`/${t}`,{recursive:n.recursive}),n.json?R({success:!0,path:t,deleted:!0}):console.log(`✓ Deleted: ${t}`)}catch(e){L(e,n.json)}}),J(e.command(`mkdir`).description(`Create a directory`).argument(`<sandbox-id-or-name>`,`Sandbox ID or name`).argument(`<path>`,`Directory path to create`).option(`-p, --parents`,`Create parent directories as needed`).option(`--json`,`Output as JSON`)).action(async(e,t,n)=>{try{let{context:r,client:i}=Y(n),a=await H(i,r,e);a=await U(a),await a.fs.mkdir(t.startsWith(`/`)?t:`/${t}`,{recursive:n.parents}),n.json?R({success:!0,path:t,created:!0}):console.log(`✓ Created: ${t}`)}catch(e){L(e,n.json)}}),J(e.command(`exists`).description(`Check if a path exists`).argument(`<sandbox-id-or-name>`,`Sandbox ID or name`).argument(`<path>`,`Path to check`).option(`--json`,`Output as JSON`)).action(async(e,t,n)=>{try{let{context:r,client:i}=Y(n),a=await H(i,r,e);a=await U(a);let o=await a.fs.exists(t.startsWith(`/`)?t:`/${t}`);n.json?R({path:t,exists:o}):(console.log(o?`exists`:`not found`),process.exit(+!o))}catch(e){L(e,n.json)}}),e}function _a(e){let t=[`r`,`w`,`x`],n=``;for(let r=2;r>=0;r--){let i=r*3;for(let r=0;r<3;r++)n+=e>>i+(2-r)&1?t[r]:`-`}return n}function va(e){let t=[`B`,`KB`,`MB`,`GB`,`TB`],n=e,r=0;for(;n>=1024&&r<t.length-1;)n/=1024,r++;return r===0?`${n}${t[r]}`:`${n.toFixed(1)}${t[r]}`}function J(e){return e.option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`)}function Y(e){let t=E({apiKey:e.apiKey,baseUrl:e.baseUrl});return{context:t,client:k(t)}}function ya(){let e=new t(`git`).description(`Git operations in a sandbox workspace`);return e.command(`status`).description(`Show git repository status`).argument(`<id-or-name>`,`Sandbox ID or name`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=E({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=k(n),i=F(`Fetching status...`);t.json||i.start();let a=await H(r,n,e);a=await U(a);let o=await a.git.status();if(i.stop(),t.json)j(o);else{if(console.log(`Branch: ${o.branch}`),console.log(`HEAD: ${o.head.slice(0,7)}`),console.log(`Dirty: ${o.isDirty?`yes`:`no`}`),o.ahead&&console.log(`Ahead: ${o.ahead}`),o.behind&&console.log(`Behind: ${o.behind}`),o.staged.length>0){console.log(`\nStaged (${o.staged.length}):`);for(let e of o.staged)console.log(` + ${e}`)}if(o.modified.length>0){console.log(`\nModified (${o.modified.length}):`);for(let e of o.modified)console.log(` M ${e}`)}if(o.untracked.length>0){console.log(`\nUntracked (${o.untracked.length}):`);for(let e of o.untracked)console.log(` ? ${e}`)}}}catch(e){B(e)}}),e.command(`log`).description(`Show commit log`).argument(`<id-or-name>`,`Sandbox ID or name`).option(`-n, --limit <count>`,`Max commits to show`,`10`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=E({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=k(n),i=F(`Fetching log...`);t.json||i.start();let a=await H(r,n,e);a=await U(a);let o=await a.git.log(Number.parseInt(t.limit,10));if(i.stop(),t.json)j(o);else if(o.length===0)console.log(`No commits found`);else for(let e of o)console.log(`${e.shortSha} ${e.message.split(`
146
- `)[0]} (${e.author}, ${e.date.toLocaleDateString()})`)}catch(e){B(e)}}),e.command(`diff`).description(`Show diff`).argument(`<id-or-name>`,`Sandbox ID or name`).option(`--ref <ref>`,`Ref to diff against`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=E({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=k(n),i=F(`Fetching diff...`);t.json||i.start();let a=await H(r,n,e);a=await U(a);let o=await a.git.diff(t.ref);i.stop(),t.json?j(o):o.raw?console.log(o.raw):console.log(`${o.additions} additions, ${o.deletions} deletions across ${o.files.length} files`)}catch(e){B(e)}}),e.command(`add`).description(`Stage files`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`<paths...>`,`Paths to stage`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=E({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=await H(k(r),r,e);i=await U(i),await i.git.add(t),M(`Staged: ${t.join(`, `)}`)}catch(e){B(e)}}),e.command(`commit`).description(`Create a commit`).argument(`<id-or-name>`,`Sandbox ID or name`).requiredOption(`-m, --message <msg>`,`Commit message`).option(`--amend`,`Amend the previous commit`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=E({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=await H(k(n),n,e);r=await U(r);let i=await r.git.commit(t.message,{amend:t.amend});t.json?j(i):M(`Committed: ${i.shortSha} ${i.message}`)}catch(e){B(e)}}),e.command(`push`).description(`Push to remote`).argument(`<id-or-name>`,`Sandbox ID or name`).option(`--force`,`Force push`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=E({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=k(n),i=F(`Pushing...`);i.start();let a=await H(r,n,e);a=await U(a),await a.git.push({force:t.force}),i.stop(),M(`Pushed to remote`)}catch(e){B(e)}}),e.command(`pull`).description(`Pull from remote`).argument(`<id-or-name>`,`Sandbox ID or name`).option(`--rebase`,`Rebase instead of merge`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=E({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=k(n),i=F(`Pulling...`);i.start();let a=await H(r,n,e);a=await U(a),await a.git.pull({rebase:t.rebase}),i.stop(),M(`Pulled from remote`)}catch(e){B(e)}}),e.command(`branches`).description(`List branches`).argument(`<id-or-name>`,`Sandbox ID or name`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=E({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=k(n),i=F(`Fetching branches...`);t.json||i.start();let a=await H(r,n,e);a=await U(a);let o=await a.git.branches();i.stop(),t.json?j(o):o.length===0?console.log(`No branches found`):z([`Name`,`Current`,`Remote`],o.map(e=>[e.name,e.current?`* `:` `,e.upstream??`-`]))}catch(e){B(e)}}),e.command(`checkout`).description(`Checkout a branch or ref`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`<ref>`,`Branch name or ref`).option(`-b, --create`,`Create a new branch`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=E({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=await H(k(r),r,e);i=await U(i),await i.git.checkout(t,{create:n.create}),M(`Checked out: ${t}${n.create?` (new)`:``}`)}catch(e){B(e)}}),e}function ba(){let e=new t(`hub`).description(`Discover and run Tangle Hub tools`);e.option(`--json`,`Output as JSON`),e.hook(`preAction`,(e,t)=>{Sa(t)}),e.command(`connect`).description(`Connect a provider account`).argument(`provider`,`Provider to connect`).option(`--no-browser`,`Print the authorization URL instead of opening it`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=await(await V(t)).connections.start(e,{cli:!0});if(t.json){j(za(n));return}Ra(n,t.browser===!1?!1:await tr(n.redirectUrl))}catch(e){X(e,t)}});let n=new t(`connections`).description(`List Hub provider connections`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=await(await V(e)).connections.list();if(e.json){j(t);return}La(t.connections)}catch(t){X(t,e)}});n.command(`revoke <connection-id>`).description(`Revoke a Hub provider connection`).option(`--force`,`Skip confirmation prompt`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=await V(t),r=await Vt(n,e);if(!t.force&&!await W(`Revoke Hub connection ${r}? `)){P(`Revoke cancelled.`);return}let i=await n.connections.revoke(r);if(t.json){j(i);return}P(`Revoked Hub connection ${i.connection.id}.`)}catch(e){X(e,t)}}),e.addCommand(n);let r=new t(`permissions`).description(`Manage Hub action permissions`);r.command(`list`).description(`List Hub permissions for a connection`).requiredOption(`--connection <ref>`,`Hub connection id, or provider[:account]`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{if(!e.connection)throw Error(`--connection is required.`);let t=await V(e),n=await Vt(t,e.connection),r=await t.permissions.list(n);if(e.json){j(r);return}Ma(r.policies)}catch(t){X(t,e)}}),r.command(`set`).description(`Set Hub permission for one action`).requiredOption(`--connection <ref>`,`Hub connection id, or provider[:account]`).requiredOption(`--action <path>`,`Executor action path`).requiredOption(`--decision <allow|ask|deny>`,`Permission decision`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{if(!e.connection)throw Error(`--connection is required.`);if(!e.action)throw Error(`--action is required.`);let t=Na(e.decision),n=await V(e),r=await Vt(n,e.connection),i=await n.permissions.set({connectionId:r,actionPath:e.action,decision:t});if(e.json){j(i);return}Ma([i.policy])}catch(t){X(t,e)}}),r.command(`revert-writes`).description("Revoke a bulk `--allow-writes` grant for a connection (deletes only the auto-granted write rows; manual permissions are untouched)").requiredOption(`--connection <ref>`,`Hub connection id, or provider[:account]`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{if(!e.connection)throw Error(`--connection is required.`);let t=await V(e),n=await Vt(t,e.connection),r=await t.permissions.revertWrites(n);if(e.json){j(r);return}P(`Reverted ${r.reverted} write permission${r.reverted===1?``:`s`} for connection ${r.connectionId}.`)}catch(t){X(t,e)}}),e.addCommand(r);let i=new t(`approvals`).description(`List and resolve Hub execution approvals`);i.command(`list`).description(`List pending Hub execution approvals`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=await(await V(e)).approvals.list();if(e.json){j(t);return}Da(t.approvals)}catch(t){X(t,e)}}),i.command(`approve`).description(`Approve a pending Hub execution approval`).argument(`approval-id`,`Hub approval ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{Ea(e),Oa(await(await V(t)).approvals.approve(e),t.json===!0)}catch(e){X(e,t)}}),i.command(`deny`).description(`Deny a pending Hub execution approval`).argument(`approval-id`,`Hub approval ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{Ea(e),Oa(await(await V(t)).approvals.deny(e),t.json===!0)}catch(e){X(e,t)}}),e.addCommand(i);let a=new t(`tools`).description(`Discover Hub tools`);return a.command(`sources`).description(`List Hub tool sources`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=await(await V(e)).tools.sources();if(e.json){j(t);return}Pa(t.sources)}catch(t){X(t,e)}}),a.command(`describe`).description(`Describe a Hub tool`).argument(`path`,`Executor tool path`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=await(await V(t)).tools.describe(e);if(t.json){j(n);return}Fa(n.tool)}catch(e){X(e,t)}}),a.command(`search`).description(`Search Hub tools`).argument(`<query...>`,`Search query`).option(`--provider <provider>`,`Filter by provider/source ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=await(await V(t)).tools.search(e.join(` `),{provider:t.provider});if(t.json){j(n);return}ja(n.tools)}catch(e){X(e,t)}}),e.addCommand(a),e.addCommand(xa(`call`)),e.addCommand(xa(`exec`)),e.command(`resume`).description(`Resolve a Hub approval created by a paused execution`).argument(`approval-id`,`Hub approval ID from HUB_APPROVAL_REQUIRED`).option(`--accept`,`Approve the execution approval`).option(`--decline`,`Deny the execution approval`).option(`--cancel`,`Unsupported for approval-backed Hub resume`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{if(Ea(e),t.cancel)throw Error(`Hub approval resume does not support --cancel. Use --decline to deny the approval.`);if(t.accept&&t.decline)throw Error(`Choose only one of --accept or --decline.`);if(!t.accept&&!t.decline)throw Error(`Choose --accept to approve or --decline to deny the Hub approval.`);let n=await V(t);Oa(t.decline?await n.approvals.deny(e):await n.approvals.approve(e),t.json===!0)}catch(e){X(e,t)}}),e.command(`status`).description(`Show Hub auth and connection status`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=await(await V(e)).status();if(e.json){j(t);return}Ba(t)}catch(t){X(t,e)}}),e}function xa(e){return new t(e).description(`Execute a Hub tool`).argument(`<args...>`,`Tool path tokens followed by JSON input`).option(`--connection <ref>`,`Hub connection id, or provider[:account]`).option(`--auto-approve`,`Approve a HUB_APPROVAL_REQUIRED execution and retry once`).option(`--approve`,`Alias for --auto-approve`).option(`--no-hub-key`,`Do not auto-mint a platform Hub key; use the stored credential as-is`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let{args:n,approve:r}=Ta(e,t),{path:i,input:a}=Aa(n),o=await V(t),s=t.connection?await Vt(o,t.connection):void 0;j((await o.tools.invoke(i,a,{connectionId:s,approve:r})).result)}catch(e){X(e,t)}})}function Sa(e){if(!Ca(e,`json`)||e.getOptionValue(`json`)!==void 0)return;let t=e.parent;for(;t;){let n=t.getOptionValue(`json`);if(n!==void 0){e.setOptionValue(`json`,n);return}t=t.parent}}function Ca(e,t){return e.options.some(e=>e.attributeName()===t)}function wa(e){return e.json===!0}function X(e,t){return wa(t)?B(e,!0):B(e)}function Ta(e,t){let n=t.autoApprove;return{args:e.filter(e=>e!==`--approve`&&e!==`--auto-approve`),approve:t.approve===!0||n===!0||e.includes(`--approve`)||e.includes(`--auto-approve`)}}function Ea(e){if(!/^[A-Za-z0-9_-]+$/.test(e))throw Error(`Hub approval ID must contain only letters, numbers, underscores, and dashes.`)}function Da(e){A(e.map(e=>({id:e.id,provider:e.providerId,action:e.actionPath,connection:e.connectionId,status:e.status,expires:e.expiresAt})),[{key:`id`,header:`ID`},{key:`provider`,header:`Provider`},{key:`action`,header:`Action`},{key:`connection`,header:`Connection`},{key:`status`,header:`Status`},{key:`expires`,header:`Expires`}])}function Oa(e,t){if(t){j(ka(e));return}P(`Hub approval ${e.approval.id} ${e.approval.status}.`),e.capabilityToken&&P("Capability token minted. Re-run the original command with `--approve` to execute automatically.")}function ka(e){return{approval:e.approval,...e.capabilityToken?{capabilityToken:{tokenId:e.capabilityToken.tokenId,expiresAt:e.capabilityToken.expiresAt}}:{}}}function Aa(e){if(e.length<2)throw Error(`Usage: tangle hub call <path> <json-input>`);let t=e.at(-1);if(t===void 0)throw Error(`Usage: tangle hub call <path> <json-input>`);try{return{path:e.slice(0,-1).join(`.`),input:JSON.parse(t)}}catch{throw Error(`Hub call input must be valid JSON.`)}}function ja(e){A(e.map(e=>({path:e.path,provider:e.providerId??e.requiredConnectionProviderId,title:e.title,description:e.description,connection:Ia(e),policy:e.policyState})),[{key:`path`,header:`Path`},{key:`provider`,header:`Provider`},{key:`title`,header:`Title`},{key:`description`,header:`Description`},{key:`connection`,header:`Connection`},{key:`policy`,header:`Policy`}])}function Ma(e){A(e.map(e=>({connection:e.connectionId,provider:e.providerId,action:e.actionPath,decision:e.decision,updated:e.updatedAt})),[{key:`connection`,header:`Connection`},{key:`provider`,header:`Provider`},{key:`action`,header:`Action`},{key:`decision`,header:`Decision`},{key:`updated`,header:`Updated`}])}function Na(e){if(e===`allow`||e===`ask`||e===`deny`)return e;throw Error(`--decision must be one of: allow, ask, deny.`)}function Pa(e){A(e.map(e=>({source:e.sourceId,provider:e.displayName,tools:e.toolCount,connection:e.connectionStatus,health:e.health,configured:e.configured})),[{key:`source`,header:`Source`},{key:`provider`,header:`Provider`},{key:`tools`,header:`Tools`},{key:`connection`,header:`Connection`},{key:`health`,header:`Health`},{key:`configured`,header:`Configured`}])}function Fa(e){I({Path:e.path,Provider:e.providerId??e.requiredConnectionProviderId,Title:e.title,Description:e.description,Connection:Ia(e),Policy:e.policyState}),e.inputSchema!==void 0&&(P(`Input schema`),console.log(JSON.stringify(e.inputSchema,null,2))),e.outputSchema!==void 0&&(P(`Output schema`),console.log(JSON.stringify(e.outputSchema,null,2)))}function Ia(e){if(e.connectionRequired===!1)return`not required`;if(e.connectionStatus)return e.connectionStatus}function La(e){A(e.map(e=>({id:e.id,provider:e.providerId,account:e.accountDisplay??e.displayName,scopes:e.scopes.join(`, `),status:e.status,health:e.health,lastUsed:e.lastUsedAt})),[{key:`id`,header:`ID`},{key:`provider`,header:`Provider`},{key:`account`,header:`Account`},{key:`scopes`,header:`Scopes`},{key:`status`,header:`Status`},{key:`health`,header:`Health`},{key:`lastUsed`,header:`Last Used`}])}function Ra(e,t){t?P(`Opened browser to connect ${e.provider}.`):(P(`Open this URL to connect ${e.provider}:`),console.log(e.redirectUrl)),P("Finish authorization in the browser, then rerun `tangle hub status`.")}function za(e){return{provider:e.provider,redirectUrl:e.redirectUrl,expiresAt:e.expiresAt,scopes:e.scopes,cli:e.cli}}function Ba(e){let{principal:t,connections:n}=e;P(`Hub status`),I({Principal:t.kind,"User ID":t.userId,"API Key ID":t.apiKeyId,"Sandbox ID":t.sandboxId,"Connected Providers":n.connectedProviderCount,"Unhealthy Providers":n.unhealthyProviderCount}),n.unhealthyProviderCount>0&&P(`Some providers require reconnect.`)}function Va(){let e=new t(`intelligence`).description(`Create and inspect trace intelligence reports`);return e.command(`connect [agent]`).alias(`connect-agent`).description(`Connect local agent CLIs to Tangle Intelligence`).option(`--api-key <key>`,`Intelligence ingest API key`).option(`--endpoint <url>`,`OTLP endpoint base`,Er).option(`--workspace <path>`,`Workspace to write hook files into`,`.`).option(`--service-name <name>`,`OTel service.name label`).option(`--environment <name>`,`OTel deployment.environment label`,`local`).option(`--dry-run`,`Print planned writes without changing files`).option(`--hook-command <command>`,`Command native hooks should run`,`tangle intelligence hook`).option(`--no-smoke`,`Skip the install smoke trace`).option(`--json`,`Output as JSON`).action(async(e,t)=>{try{let n=e??`local`;jr(n);let r=Ua(t.apiKey),i=await Ir({selection:n,workspace:t.workspace,apiKey:r,endpoint:t.endpoint,serviceName:t.serviceName??Nr(t.workspace),environment:t.environment,smoke:t.smoke,dryRun:!!t.dryRun,hookCommand:t.hookCommand}),a={configPath:i.configPath,agents:i.agents,nativeAgents:i.nativeAgents,manual:i.manual,written:i.written,smokeTraceId:i.smokeTraceId};if(t.json){j(a);return}I({Config:i.configPath,Agents:i.agents.join(`, `),"Native Hooks":i.nativeAgents.join(`, `)||void 0,"Manual Setup":i.manual.length?i.manual.map(e=>`${e.label}: ${e.reason}`).join(` `):void 0,Files:i.written.join(`, `),"Smoke Trace":i.smokeTraceId})}catch(e){B(e)}}),e.command(`doctor`).description(`Check whether your agent traces carry CONTENT or are metadata-only`).option(`--api-key <key>`,`Intelligence ingest API key`).option(`--endpoint <url>`,`OTLP endpoint base`,Er).option(`--json`,`Output as JSON`).action(async e=>{try{let t=Fr(),n=await Vr({endpoint:e.endpoint===`https://intelligence.tangle.tools/v1/otlp`?t?.endpoint??`https://intelligence.tangle.tools/v1/otlp`:e.endpoint,apiKey:Ua(e.apiKey??t?.apiKey)});e.json?j(n):Ha(n),n.contentSeen||(process.exitCode=1)}catch(e){B(e)}}),e.command(`hook`).description(`Emit one local agent hook event to Tangle Intelligence`).requiredOption(`--agent <agent>`,`Agent surface`).requiredOption(`--event <event>`,`Hook event name`).option(`--payload <json>`,`Hook payload JSON`).option(`--api-key <key>`,`Intelligence ingest API key`).option(`--endpoint <url>`,`OTLP endpoint base`).option(`--service-name <name>`,`OTel service.name label`).option(`--environment <name>`,`OTel deployment.environment label`).option(`--session-id <id>`,`Session id override`).option(`--dry-run`,`Build the OTLP request without sending it`).option(`--non-blocking`,`Do not fail the parent agent process`).option(`--json`,`Output as JSON`).action(async e=>{try{let t=Wa(e.agent),n=Fr(),r={agent:t,event:e.event,endpoint:e.endpoint??n?.endpoint??`https://intelligence.tangle.tools/v1/otlp`,apiKey:Ua(e.apiKey??n?.apiKey),serviceName:e.serviceName??n?.serviceName??Nr(process.cwd()),environment:e.environment??n?.environment??`local`,sessionId:e.sessionId,payload:e.payload===void 0?await Ka():Ga(e.payload)};if(e.dryRun){let n=Rr(r);if(e.json){j(n);return}I({Trace:n.traceId,Agent:t,Event:e.event});return}let i=await zr(r);if(e.json){j({traceId:i});return}I({Trace:i,Agent:t,Event:e.event})}catch(t){if(e.nonBlocking){let n=t instanceof Error?t.message:String(t);e.json?j({ok:!1,error:n}):console.error(`Tangle Intelligence hook skipped: ${n}`);return}B(t)}}),e.command(`sandbox <sandbox-id>`).description(`Create an intelligence report for one sandbox`).option(`--mode <mode>`,`deterministic | agentic`,`deterministic`).option(`--max-usd <amount>`,`Maximum customer charge for agentic analysis`).option(`--metadata <json>`,`Metadata JSON object`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{await qa({type:`sandbox`,id:e},t)}),e.command(`fleet <fleet-id>`).description(`Create an intelligence report for a sandbox fleet`).option(`--mode <mode>`,`deterministic | agentic`,`deterministic`).option(`--max-usd <amount>`,`Maximum customer charge for agentic analysis`).option(`--metadata <json>`,`Metadata JSON object`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{await qa({type:`fleet`,id:e},t)}),e.command(`create`).description(`Create a trace intelligence report`).requiredOption(`--subject-type <type>`,`sandbox | fleet`).requiredOption(`--subject-id <id>`,`Subject identifier`).option(`--mode <mode>`,`deterministic | agentic`,`deterministic`).option(`--max-usd <amount>`,`Maximum customer charge for agentic analysis`).option(`--metadata <json>`,`Metadata JSON object`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{await qa({type:Ya(e.subjectType),id:e.subjectId},e)}),e.command(`get <job-id>`).description(`Get an intelligence report`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=k(E({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=t.json?null:F(`Fetching intelligence report...`);r?.start();let i=await n.intelligence.getReport(e);if(r?.stop(),t.json){j(i);return}Ja(i)}catch(e){B(e)}}),e.command(`list`).description(`List intelligence reports`).option(`--subject-type <type>`,`sandbox | fleet`).option(`--subject-id <id>`,`Subject identifier`).option(`--limit <count>`,`Maximum reports to return`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=k(E({apiKey:e.apiKey,baseUrl:e.baseUrl})),n=e.json?null:F(`Fetching intelligence reports...`);n?.start();let r=await t.intelligence.listReports({subjectType:e.subjectType===void 0?void 0:Ya(e.subjectType),subjectId:e.subjectId,limit:e.limit===void 0?void 0:Qa(e.limit)});if(n?.stop(),e.json){j(r);return}A(r.map(e=>({jobId:e.jobId,subject:`${e.subject.type}:${e.subject.id}`,mode:e.mode,status:e.status,cost:`$${e.billing.costUsd.toFixed(2)}`,updatedAt:e.updatedAt})),[{key:`jobId`,header:`Job`,width:20},{key:`subject`,header:`Subject`,width:28},{key:`mode`,header:`Mode`,width:15},{key:`status`,header:`Status`,width:14},{key:`cost`,header:`Cost`,width:10},{key:`updatedAt`,header:`Updated`,width:18}])}catch(e){B(e)}}),e}function Ha(e){I({Status:e.contentSeen?`content flowing`:e.tracesSeen?`metadata-only — a content gate is missing`:`no traces yet`,"Traces seen":e.tracesSeen?`yes`:`no`,"Content seen":e.contentSeen?`yes`:`no`,"Last seen":e.lastSeenAt??`never`,Window:`${e.windowDays}d`});let t=Object.entries(e.byAgent);t.length>0&&(console.log(),A(t.map(([e,t])=>({agent:e,traces:t.tracesSeen?`yes`:`no`,content:t.contentSeen?`yes`:`no`})),[{key:`agent`,header:`Agent`,width:18},{key:`traces`,header:`Traces`,width:10},{key:`content`,header:`Content`,width:10}]))}function Ua(e){let t=e??process.env.TANGLE_INTELLIGENCE_API_KEY??process.env.TANGLE_API_KEY;if(!t)throw Error(`--api-key, TANGLE_INTELLIGENCE_API_KEY, or TANGLE_API_KEY is required`);return t}function Wa(e){if(Mr(e))return e;throw Error(`agent must be a known Tangle Intelligence agent surface`)}function Ga(e){try{return JSON.parse(e)}catch(e){throw Error(`--payload must be JSON: ${e instanceof Error?e.message:String(e)}`)}}async function Ka(){if(process.stdin.isTTY)return;let e=``;for await(let t of process.stdin)if(e+=typeof t==`string`?t:t.toString(`utf8`),e.length>65536)throw Error(`hook payload exceeds 65536 bytes`);let t=e.trim();if(t)try{return JSON.parse(t)}catch{return{body:t.slice(0,4096)}}}async function qa(e,t){try{let n=Xa(t.mode),r=$a(t.metadata),i=t.maxUsd===void 0?void 0:Za(t.maxUsd);if(n===`agentic`&&i===void 0)throw Error(`Agentic intelligence reports require --max-usd`);let a=k(E({apiKey:t.apiKey,baseUrl:t.baseUrl})),o=t.json?null:F(`Creating intelligence report...`);o?.start();let s=await a.intelligence.createReport({subject:e,mode:n,...i===void 0?{}:{budget:{billTo:`customer`,maxUsd:i}},...r===void 0?{}:{metadata:r}});if(o?.stop(),t.json){j(s);return}Ja(s)}catch(e){B(e)}}function Ja(e){I({Job:e.jobId,Subject:`${e.subject.type}:${e.subject.id}`,Mode:e.mode,Status:e.status,"Billed To":e.billing.billedTo,Cost:`$${e.billing.costUsd.toFixed(2)}`,Budget:e.billing.budgetMaxUsd===void 0?void 0:`$${e.billing.budgetMaxUsd.toFixed(2)}`,Updated:e.updatedAt}),e.result!==null&&(console.log(),j(e.result))}function Ya(e){if(e===`sandbox`||e===`fleet`)return e;throw Error(`subject type must be sandbox or fleet`)}function Xa(e){if(e===`deterministic`||e===`agentic`)return e;throw Error(`mode must be deterministic or agentic`)}function Za(e){let t=Number(e);if(!Number.isFinite(t)||t<0)throw Error(`--max-usd must be a non-negative number`);return t}function Qa(e){let t=Number(e);if(!Number.isInteger(t)||t<1)throw Error(`--limit must be a positive integer`);return t}function $a(e){if(e===void 0)return;let t=JSON.parse(e);if(!t||typeof t!=`object`||Array.isArray(t))throw Error(`--metadata must be a JSON object`);return t}const eo=[`router`,`sandbox`,`blueprint-agent`,`evals`,`agent-builder`];function to(e){return(e?.trim()||process.env.TANGLE_PLATFORM_URL?.trim()||`https://id.tangle.tools`).replace(/\/+$/,``)}async function no(e,t,n={}){let r=new Headers(n.headers);r.set(`Authorization`,`Bearer ${t}`),n.body&&!r.has(`content-type`)&&r.set(`content-type`,`application/json`);let i=await fetch(e,{...n,headers:r});if(n.expected!==void 0&&i.status!==n.expected){let t=await i.text().catch(()=>``),n=t?`: ${t.slice(0,400)}`:``;throw Error(`Platform request to ${e} returned ${i.status}${n}`)}return i}const ro=[`ID`,`Prefix`,`Name`,`Product`,`Created`,`Last used`,`Expires`];function io(e){return[e.id,e.keyPrefix??``,e.name,e.product??`all`,e.createdAt,e.lastUsedAt??`—`,e.expiresAt??`—`]}function ao(){let e=new t(`keys`).description(`Manage sk-tan-* API keys on id.tangle.tools`);return e.command(`list`).description(`List your active API keys`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key (overrides configured credentials)`).option(`--base-url <url>`,`Sandbox API base URL (not platform URL)`).option(`--platform-url <url>`,`Override the platform URL (id.tangle.tools)`).action(async e=>{try{let t=E({apiKey:e.apiKey,baseUrl:e.baseUrl}),n=await(await no(`${to(e.platformUrl)}/v1/keys`,t.apiKey,{expected:200})).json();if(e.json){j(n);return}z(ro,n.data.map(io))}catch(e){B(e)}}),e.command(`create`).description(`Create a new API key`).argument(`<name>`,`Human-readable name for the key`).option(`--product <product>`,`Restrict the key to one product (${eo.join(`|`)}). Omit for all products.`).option(`--budget-usd <amount>`,`Hard budget cap in USD`).option(`--rpm-limit <limit>`,`Requests-per-minute cap`).option(`--expires-in-days <days>`,`Expire the key after N days (integer)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key (overrides configured credentials)`).option(`--base-url <url>`,`Sandbox API base URL (not platform URL)`).option(`--platform-url <url>`,`Override the platform URL (id.tangle.tools)`).action(async(e,t)=>{try{if(t.product!==void 0&&!eo.includes(t.product))throw Error(`Invalid --product. Expected one of ${eo.join(`, `)}`);let n=E({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=to(t.platformUrl),i=t.expiresInDays===void 0?void 0:new Date(Date.now()+Number.parseInt(t.expiresInDays,10)*24*60*60*1e3).toISOString(),a=F(`Creating API key...`);a.start();let o=await no(`${r}/v1/keys`,n.apiKey,{method:`POST`,expected:201,body:JSON.stringify({name:e,product:t.product,budgetUsd:t.budgetUsd?Number.parseFloat(t.budgetUsd):void 0,rpmLimit:t.rpmLimit?Number.parseInt(t.rpmLimit,10):void 0,expiresAt:i})});a.stop();let s=await o.json();if(t.json){j(s);return}M(`API key created: ${s.data.prefix}…`),P(`Copy this key now — it will never be shown again:\n${s.data.key}`)}catch(e){B(e)}}),e.command(`revoke`).description(`Revoke an API key`).argument(`<keyId>`,"Key ID (from `tcloud keys list`)").option(`--yes`,`Skip the confirmation prompt`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key (overrides configured credentials)`).option(`--base-url <url>`,`Sandbox API base URL (not platform URL)`).option(`--platform-url <url>`,`Override the platform URL (id.tangle.tools)`).action(async(e,t)=>{try{let n=E({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=to(t.platformUrl);if(!t.yes&&!await W(`Revoke key ${e}? Any service still using it will start to fail.`)){P(`Aborted.`);return}let i=await(await no(`${r}/v1/keys/${encodeURIComponent(e)}`,n.apiKey,{method:`DELETE`,expected:200})).json();if(t.json){j(i);return}M(`Revoked ${e}`)}catch(e){B(e)}}),e}function oo(){let e=new t(`mcp`).description(`Model Context Protocol bridge commands.`);return e.command(`serve <id-or-name>`).description(`Run a local MCP server (stdio) backed by the given sandbox (ID or name). Pipe its stdio from an MCP client config to expose sandbox tools.`).option(`-s, --session <id>`,`Session id for kernel scoping`,`mcp-local`).option(`--name <name>`,`MCP server name reported to clients`,`tangle-sandbox`).action(async(e,t)=>{try{let n=E({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=await H(k(n),n,e),i;try{i=(await import(`@modelcontextprotocol/sdk/server/stdio.js`)).StdioServerTransport}catch{throw Error("`@modelcontextprotocol/sdk` is not installed in this environment. Install it with: pnpm add -g @modelcontextprotocol/sdk (or as a dev dep in the project running this command).")}let{connect:a,close:o}=await De(r,{sessionId:t.session,name:t.name});await a(new i),process.stdin.resume(),process.stdin.on(`end`,()=>{o().finally(()=>process.exit(0))});for(let e of[`SIGINT`,`SIGTERM`])process.on(e,()=>{o().finally(()=>process.exit(0))})}catch(e){B(e)}}),e}function so(){let e=new t(`permissions`).description(`Manage sandbox user permissions`);return e.command(`list <sandboxId-or-name>`).description(`List all users in a sandbox`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=E({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=k(n),i=F(`Fetching users...`);i.start();let a=await(await H(r,n,e)).permissions.list();i.stop(),t.json?j(a):A(a.map(e=>({userId:e.userId,username:e.username,role:e.role,homeDir:e.homeDir,createdAt:e.createdAt.toISOString().split(`T`)[0]})),[{key:`userId`,header:`User ID`,width:20},{key:`username`,header:`Username`,width:16},{key:`role`,header:`Role`,width:12},{key:`homeDir`,header:`Home Directory`,width:24},{key:`createdAt`,header:`Created`,width:16}])}catch(e){B(e)}}),e.command(`get <sandboxId-or-name> <userId>`).description(`Get details for a specific user`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=E({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=k(r),a=F(`Fetching user...`);a.start();let o=await(await H(i,r,e)).permissions.get(t);if(a.stop(),!o)throw Error(`User ${t} not found in sandbox ${e}`);n.json?j(o):(P(`User: ${o.userId}`),P(` Username: ${o.username}`),P(` Role: ${o.role}`),P(` Home: ${o.homeDir}`),P(` SSH Keys: ${o.sshKeys.length}`),P(` Created: ${o.createdAt.toISOString()}`))}catch(e){B(e)}}),e.command(`add <sandboxId-or-name>`).description(`Add a user to a sandbox`).requiredOption(`--user-id <id>`,`User ID (from your auth system)`).option(`--username <name>`,`Preferred username`).option(`--role <role>`,`Permission level (owner, admin, developer, viewer)`,`developer`).option(`--ssh-key <key>`,`SSH public key for access`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=E({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=k(n),i=F(`Adding user...`);i.start();let a=await(await H(r,n,e)).permissions.add({userId:t.userId,username:t.username,role:t.role,sshKeys:t.sshKey?[t.sshKey]:void 0});i.stop(),t.json?j(a):(M(`User ${a.userId} added as ${a.role}`),P(` Username: ${a.username}`),P(` Home: ${a.homeDir}`))}catch(e){B(e)}}),e.command(`update <sandboxId-or-name> <userId>`).description(`Update a user's permissions`).option(`--role <role>`,`New permission level (owner, admin, developer, viewer)`).option(`--add-ssh-key <key>`,`Add SSH public key`).option(`--remove-ssh-key <key>`,`Remove SSH public key`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=E({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=k(r),a=F(`Updating user...`);a.start();let o=await(await H(i,r,e)).permissions.update(t,{role:n.role,addSshKeys:n.addSshKey?[n.addSshKey]:void 0,removeSshKeys:n.removeSshKey?[n.removeSshKey]:void 0});a.stop(),n.json?j(o):(M(`User ${t} updated`),P(` Role: ${o.role}`),P(` SSH Keys: ${o.sshKeys.length}`))}catch(e){B(e)}}),e.command(`remove <sandboxId-or-name> <userId>`).description(`Remove a user from a sandbox`).option(`--preserve-home`,`Keep user's home directory`).option(`-f, --force`,`Skip confirmation`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{if(!n.force){let e=(await import(`node:readline`)).createInterface({input:process.stdin,output:process.stdout});if(!await new Promise(n=>{e.question(`Remove user ${t} from sandbox? [y/N] `,t=>{e.close(),n(t.toLowerCase()===`y`)})})){P(`Cancelled.`);return}}let r=E({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=k(r),a=F(`Removing user...`);a.start(),await(await H(i,r,e)).permissions.remove(t,{preserveHomeDir:n.preserveHome}),a.stop(),M(`User ${t} removed from sandbox ${e}`)}catch(e){B(e)}}),e.command(`policies <sandboxId-or-name> <userId>`).description(`Get access policies for a user`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=E({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=k(r),a=F(`Fetching policies...`);a.start();let o=await(await H(i,r,e)).permissions.getAccessPolicies(t);a.stop(),n.json?j(o):o.length===0?P(`No access policies configured`):A(o.map(e=>({pattern:e.pattern,permission:e.permission,priority:e.priority??0})),[{key:`pattern`,header:`Pattern`,width:30},{key:`permission`,header:`Permission`,width:12},{key:`priority`,header:`Priority`,width:10}])}catch(e){B(e)}}),e.command(`check <sandboxId-or-name> <userId> <path> <action>`).description(`Check if a user can perform an action on a path`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n,r,i)=>{try{if(![`read`,`write`,`execute`].includes(r))throw Error(`Action must be: read, write, or execute`);let a=E({apiKey:i.apiKey,baseUrl:i.baseUrl}),o=k(a),s=F(`Checking access...`);s.start();let c=await(await H(o,a,e)).permissions.checkAccess(t,n,r);s.stop(),c?M(`✓ User ${t} CAN ${r} ${n}`):P(`✗ User ${t} CANNOT ${r} ${n}`)}catch(e){B(e)}}),e}function co(){let e=new t(`preview`).description(`Manage sandbox preview links`);return e.command(`list`).alias(`ls`).description(`List active preview links for a sandbox`).argument(`<id-or-name>`,`Sandbox ID or name`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=E({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=k(n),i=F(`Fetching preview links...`);t.json||i.start();let a=await(await H(r,n,e)).previewLinks.list();i.stop(),t.json?j(a):a.length===0?console.log(`No preview links found`):z([`Preview ID`,`Port`,`URL`,`Status`],a.map(e=>[e.previewId.slice(0,12),String(e.port),e.url,e.status]))}catch(e){B(e)}}),e.command(`create`).description(`Create a preview link for a port`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`<port>`,`Port number to preview`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=E({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=k(r),a=F(`Creating preview for port ${t}...`);n.json||a.start();let o=await(await H(i,r,e)).previewLinks.create(Number.parseInt(t,10));a.stop(),n.json?j(o):(M(`Preview created: ${o.url}`),console.log(`Preview ID: ${o.previewId}`))}catch(e){B(e)}}),e.command(`remove`).alias(`rm`).description(`Remove a preview link`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`<preview-id>`,`Preview link ID (from 'preview list')`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=E({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=k(r),a=F(`Removing preview...`);n.json||a.start(),await(await H(i,r,e)).previewLinks.remove(t),a.stop(),n.json?j({success:!0,previewId:t}):M(`Preview removed: ${t}`)}catch(e){B(e)}}),e}function lo(){let e=new t(`process`).description(`Manage processes in a sandbox`);return e.command(`spawn`).description(`Spawn a process without blocking (returns PID)`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`<command>`,`Command to execute`).option(`--cwd <dir>`,`Working directory`).option(`--env <vars...>`,`Environment variables (KEY=VALUE)`).option(`-t, --timeout <ms>`,`Timeout in milliseconds`).option(`--blocking`,`Wait for completion (default: false)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=E({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=k(r),a={};if(n.env)for(let e of n.env){let[t,...n]=e.split(`=`);t&&n.length>0&&(a[t]=n.join(`=`))}let o=F(`Spawning: ${t}`);n.json||o.start();let s=await H(i,r,e);if(s=await U(s),n.blocking){let e=await s.exec(t,{cwd:n.cwd,env:Object.keys(a).length>0?a:void 0,timeoutMs:n.timeout?Number.parseInt(n.timeout,10):void 0});o.stop(),n.json?j(e):(e.stdout&&globalThis.process.stdout.write(e.stdout),e.stderr&&globalThis.process.stderr.write(e.stderr),e.exitCode!==0&&globalThis.process.exit(e.exitCode))}else{let r=await s.process.spawn(t,{cwd:n.cwd,env:Object.keys(a).length>0?a:void 0,timeoutMs:n.timeout?Number.parseInt(n.timeout,10):void 0});o.stop(),n.json?j({pid:r.pid,command:r.command}):(console.log(`Process started with PID: ${r.pid}`),console.log(`Use 'tangle process logs ${e} ${r.pid}' to view output`))}}catch(e){B(e)}}),e.command(`list`).alias(`ls`).description(`List all processes in a sandbox`).argument(`<id-or-name>`,`Sandbox ID or name`).option(`--running`,`Show only running processes`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=E({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=k(n),i=F(`Fetching processes...`);t.json||i.start();let a=await H(r,n,e);a=await U(a);let o=await a.process.list();t.running&&(o=o.filter(e=>e.running)),i.stop(),t.json?j(o):o.length===0?console.log(`No processes found`):z([`PID`,`Command`,`Status`,`Exit Code`,`Started`],o.map(e=>[String(e.pid),e.command.length>40?`${e.command.slice(0,37)}...`:e.command,e.running?`running`:`exited`,String(e.exitCode),e.startedAt.toLocaleString()]))}catch(e){B(e)}}),e.command(`get`).description(`Get detailed info about a process`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`<pid>`,`Process ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=E({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=k(r),a=F(`Fetching process info...`);n.json||a.start();let o=await H(i,r,e);o=await U(o);let s=await o.process.get(Number.parseInt(t,10));if(a.stop(),!s){console.error(`Process ${t} not found`),globalThis.process.exit(1);return}let c=await s.status();n.json?j(c):(console.log(`PID: ${c.pid}`),console.log(`Command: ${c.command}`),console.log(`CWD: ${c.cwd||`(default)`}`),console.log(`Status: ${c.running?`running`:`exited`}`),console.log(`Exit Code: ${c.exitCode}`),c.exitSignal&&console.log(`Signal: ${c.exitSignal}`),console.log(`Started: ${c.startedAt.toLocaleString()}`),c.exitedAt&&console.log(`Exited: ${c.exitedAt.toLocaleString()}`))}catch(e){B(e)}}),e.command(`kill`).description(`Kill a process`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`<pid>`,`Process ID`).option(`-s, --signal <signal>`,`Signal to send (SIGTERM, SIGKILL, etc.)`,`SIGTERM`).option(`--tree`,`Also kill descendants of the tracked process`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=E({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=k(r),a=F(`Sending ${n.signal} to PID ${t}...`);n.json||a.start();let o=await H(i,r,e);o=await U(o);let s=await o.process.get(Number.parseInt(t,10));if(!s){a.stop(),console.error(`Process ${t} not found`),globalThis.process.exit(1);return}n.tree?await s.kill(n.signal,{tree:!0}):await s.kill(n.signal),a.stop(),n.json?j({pid:Number.parseInt(t,10),signal:n.signal,...n.tree===!0?{tree:!0}:{},killed:!0}):console.log(n.tree?`Sent ${n.signal} to process tree ${t}`:`Sent ${n.signal} to process ${t}`)}catch(e){B(e)}}),e.command(`logs`).description(`Stream buffered and live process logs until the process exits`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`<pid>`,`Process ID`).option(`--stdout-only`,`Only show stdout`).option(`--stderr-only`,`Only show stderr`).option(`--json`,`Output as JSON lines`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=E({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=await H(k(r),r,e);i=await U(i);let a=await i.process.get(Number.parseInt(t,10));if(!a){console.error(`Process ${t} not found`),globalThis.process.exit(1);return}for await(let e of a.logs())n.stdoutOnly&&e.type!==`stdout`||n.stderrOnly&&e.type!==`stderr`||(n.json?console.log(JSON.stringify(e)):e.type===`stdout`?globalThis.process.stdout.write(e.data):globalThis.process.stderr.write(e.data))}catch(e){B(e)}}),e.command(`run-code`).description(`Execute Python code directly`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`<code>`,`Python code to execute`).option(`--cwd <dir>`,`Working directory`).option(`--env <vars...>`,`Environment variables (KEY=VALUE)`).option(`-t, --timeout <ms>`,`Timeout in milliseconds`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=E({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=k(r),a={};if(n.env)for(let e of n.env){let[t,...n]=e.split(`=`);t&&n.length>0&&(a[t]=n.join(`=`))}let o=F(`Executing Python code...`);n.json||o.start();let s=await H(i,r,e);s=await U(s);let c=await s.process.runCode(t,{cwd:n.cwd,env:Object.keys(a).length>0?a:void 0,timeoutMs:n.timeout?Number.parseInt(n.timeout,10):void 0});o.stop(),n.json?j(c):(c.stdout&&globalThis.process.stdout.write(c.stdout),c.stderr&&globalThis.process.stderr.write(c.stderr),c.exitCode!==0&&globalThis.process.exit(c.exitCode))}catch(e){B(e)}}),e}const uo=[`python`,`node`,`typescript`,`bash`];function fo(e){switch(ne(e).toLowerCase()){case`.py`:return`python`;case`.js`:case`.mjs`:case`.cjs`:return`node`;case`.ts`:case`.tsx`:return`typescript`;case`.sh`:case`.bash`:return`bash`;default:return}}async function po(e){if(e===`-`){let e=[];for await(let t of process.stdin)e.push(typeof t==`string`?Buffer.from(t):t);return Buffer.concat(e).toString(`utf8`)}return await Oe(re(e),`utf8`)}async function mo(e,t,n=po){let r=t?uo.find(e=>e===t)??(()=>{throw Error(`unknown --lang ${t}: must be one of ${uo.join(`, `)}`)})():void 0;if(!e||e===`-`){if(!r)throw Error(`reading from stdin requires --lang. Example: tangle run <id> -l python -`);return{language:r,source:await n(`-`)}}let i=fo(e);return{language:r??i??(()=>{throw Error(`cannot infer language from "${e}". Pass it explicitly: tangle run <id> -l <python|node|typescript|bash> ${e}`)})(),source:await n(e)}}function ho(e){return m(me(),`tangle-run-images`,e)}function go(){return new t(`run`).description(`Run code in a persistent kernel inside a sandbox. Variables persist across calls in the same --session.`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`[file]`,`Path to source file. Language is inferred from extension. Use - for stdin (requires --lang).`).option(`-l, --lang <lang>`,`Force language: ${uo.join(` | `)}. Required for stdin.`).option(`-s, --session <id>`,`Session id for kernel scoping`).option(`-t, --timeout <ms>`,`Per-call timeout in ms (0 disables)`,`60000`).option(`--save-images <dir>`,`Write image results into this directory (default: $TMPDIR/tangle-run-images/<sandbox>/).`).option(`--no-save-images`,`Don't write image results to disk; print summary only`).option(`--json`,`Output the full CodeExecutionResult as JSON`).action(async(e,t,n)=>{try{let{language:r,source:i}=await mo(t,n.lang),o=E({apiKey:n.apiKey,baseUrl:n.baseUrl}),s=await H(k(o),o,e);s=await U(s);let c=F(`Running ${r} (${i.length}b)…`);n.json||c.start();let u=await s.runCode(r,i,{sessionId:n.session,timeoutMs:Number.parseInt(n.timeout,10)});if(c.stop(),n.json){j(u),u.exitCode!==0&&process.exit(u.exitCode);return}u.stdout&&process.stdout.write(u.stdout),u.stderr&&process.stderr.write(u.stderr);let d=0;for(let t of u.results)if(t.type===`image`)if(n.saveImages!==!1){let r=typeof n.saveImages==`string`?n.saveImages:ho(e);l(r,{recursive:!0});let i=`${r}/${Date.now()}-${d}.${t.format}`;f(i,Buffer.from(t.data,`base64`)),process.stderr.write(a.green(`✓ image → ${i}\n`)),d++}else process.stderr.write(a.gray(`[image: ${t.format}, ${t.data.length}b base64]\n`));else if(t.type===`dataframe`){let e=t.columns.map(e=>`${e.name}:${e.dtype}`).join(` | `);process.stderr.write(a.gray(`[dataframe ${t.rows.length}×${t.columns.length}${t.truncated?` (truncated)`:``}]\n`)),process.stderr.write(`${e}\n`);for(let e of t.rows.slice(0,20))process.stderr.write(`${e.map(e=>String(e)).join(` | `)}\n`);t.rows.length>20&&process.stderr.write(a.gray(`… ${t.rows.length-20} more rows\n`))}else t.type===`json`?(process.stderr.write(a.gray(`[json] `)),process.stderr.write(`${JSON.stringify(t.value,null,2)}\n`)):t.type===`html`?process.stderr.write(a.gray(`[html ${t.value.length}b]\n`)):t.type===`error`?(process.stderr.write(a.red(`✗ ${t.name}: ${t.message}\n`)),t.traceback&&process.stderr.write(`${t.traceback}\n`)):t.type===`text`&&process.stderr.write(`${t.value}\n`);u.error&&(process.stderr.write(a.red(`\n✗ ${u.error.name}: ${u.error.message}\n`)),u.error.traceback&&process.stderr.write(`${u.error.traceback}\n`)),u.exitCode!==0&&process.exit(u.exitCode)}catch(e){B(e)}})}function _o(e){return`${e.name} (${e.id})`}async function vo(e,t){if(t.startsWith(`team_`))return e.teams.get(t);let n=(await e.teams.list()).filter(e=>e.name.toLowerCase()===t.toLowerCase());if(n.length===0)throw Error(`Team not found: ${t}`);if(n.length>1)throw Error(`Team name is ambiguous: ${t}. Use a team id instead.`);return n[0]}async function Z(e,t,n){if(t)return vo(e,t);let r=Mt(n);if(!r.activeTeamId)throw Error("No active team. Run `tangle team switch <team>` or pass `--team <team>`.");return e.teams.get(r.activeTeamId)}function yo(e,t){Nt({id:e.id,name:e.name},t)}function bo(e){Pt(e)}const xo=[{flag:`--git-token`,guidance:`Use --git-token-env <NAME> or --git-token-stdin so the secret never appears in argv (visible to other processes via /proc/<pid>/cmdline) or in shell history.`},{flag:`--storage-secret-access-key`,guidance:`Use --storage-secret-access-key-env <NAME> or --storage-secret-access-key-stdin so the secret never appears in argv (visible to other processes via /proc/<pid>/cmdline) or in shell history.`},{flag:`--backend-api-key`,guidance:`Use --backend-api-key-env <NAME> or --backend-api-key-stdin so the BYOK secret never appears in argv (visible to other processes via /proc/<pid>/cmdline) or in shell history.`}];function So(e){for(let{flag:t,guidance:n}of xo){let r=`${t}=`;if(e.some(e=>e===t||e.startsWith(r)))throw Error(`Refusing to read secret from ${t} on the command line. ${n}`)}}async function Co(e){let t=typeof e.envVarName==`string`&&e.envVarName.length>0?e.envVarName:null,n=!!e.fromStdin;if(t&&n)throw Error(`Pass either ${e.flagPrefix}-env or ${e.flagPrefix}-stdin, not both`);if(t){let n=process.env[t];if(!n||n.length===0)throw Error(`${e.flagPrefix}-env points at ${t}, but that environment variable is empty or unset`);return n}if(n){let t=await Dn();if(t.length===0)throw Error(`${e.flagPrefix}-stdin received empty input on stdin`);return t}}function wo(e){let t=e.split(`/`);return t.length>=2?{provider:t[0],model:t.slice(1).join(`/`)}:{model:e}}function To(){let e=new t(`sandbox`).description(`Manage sandboxes`);return e.command(`create`).description(`Create a new sandbox`).option(`-n, --name <name>`,`Sandbox name`).option(`-e, --environment <environment>`,`Environment name (e.g. universal, node, python)`).option(`-i, --image <image>`,`Alias for --environment (deprecated)`).option(`--bare`,`Create a bare sandbox without the agent runtime`).option(`--ssh`,`Enable SSH access`).option(`--ssh-key <key>`,`SSH public key for authentication`).option(`--ssh-keys <names...>`,`Stored SSH key names or IDs for authentication`).option(`--ssh-key-file <paths...>`,`SSH public key file paths for authentication`).option(`--web-terminal`,`Enable web terminal`).option(`--env <vars...>`,`Environment variables (KEY=VALUE)`).option(`--secret <names...>`,`Secrets to inject as environment variables`).option(`--metadata <entries...>`,`Metadata entries (KEY=VALUE or KEY=JSON)`).option(`--cpu <cores>`,`CPU cores`,`2`).option(`--memory <mb>`,`Memory in MB`,`4096`).option(`--disk <gb>`,`Disk size in GB`,`20`).option(`--accelerator-kind <kind>`,`Accelerator kind, for example nvidia-h100 or amd-mi300x`).option(`--accelerator-count <count>`,`Accelerator device count`,`1`).option(`--accelerator-memory <mb>`,`Minimum accelerator memory in MB`).option(`--lifetime <seconds>`,`Max wall-clock lifetime before the sandbox is deleted (default 3600 = 1h). Raise it for long sessions, e.g. --lifetime 7200`,`3600`).option(`--idle-timeout <seconds>`,"Idle time before the sandbox is stopped — not deleted (default 900 = 15m). Resume it later with `tangle sandbox resume <id-or-name>`, or it auto-resumes on next use. Raise it for demos, e.g. --idle-timeout 3600",`900`).option(`--from-snapshot <id>`,`Create the sandbox from a snapshot`).option(`--public-template <id-or-slug>`,`Create the sandbox from a published public template`).option(`--public-template-version <id>`,`Pin creation to a specific published public-template version`).option(`--team <team>`,`Create in a team by id or name`).option(`--personal`,`Create a personal sandbox even when a team is active`).option(`--port <ports...>`,`Ports to expose at creation time`).option(`--git-url <url>`,`Git repository URL to clone during provisioning`).option(`--git-ref <ref>`,`Git branch, tag, or commit to checkout`).option(`--git-depth <depth>`,`Git clone depth`).option(`--git-sparse <paths...>`,`Sparse checkout paths`).option(`--git-token-env <name>`,`Name of an environment variable containing the Git HTTPS auth token`).option(`--git-token-stdin`,`Read the Git HTTPS auth token from stdin`).option(`--git-token <token>`,`[removed] use --git-token-env or --git-token-stdin`).option(`--tool <specs...>`,`Tool versions to preinstall (NAME=VERSION)`).option(`--storage-type <type>`,`BYOS3 storage type (s3, gcs, r2)`).option(`--storage-bucket <name>`,`BYOS3 bucket name`).option(`--storage-endpoint <url>`,`BYOS3 endpoint URL`).option(`--storage-region <region>`,`BYOS3 region`).option(`--storage-prefix <prefix>`,`BYOS3 path prefix`).option(`--storage-access-key-id <id>`,`BYOS3 access key ID`).option(`--storage-secret-access-key-env <name>`,`Name of an environment variable containing the BYOS3 secret access key`).option(`--storage-secret-access-key-stdin`,`Read the BYOS3 secret access key from stdin`).option(`--storage-secret-access-key <key>`,`[removed] use --storage-secret-access-key-env or --storage-secret-access-key-stdin`).option(`--default-role <role>`,`Default permission role (owner, admin, developer, viewer)`).option(`--initial-user <specs...>`,`Initial users (USER_ID or USER_ID:ROLE)`).option(`--multi-user`,`Enable multi-user permissions at creation`).option(`--driver <type>`,`Infrastructure driver (docker, firecracker, host-agent, tangle)`).option(`--driver-criu`,`Enable CRIU checkpointing (firecracker only)`).option(`--driver-region <region>`,`Preferred region for host-agent driver`).option(`--backend <type>`,`Backend agent type (opencode, claude-code, codex, cursor, amp)`).option(`--backend-profile <name>`,`Backend profile name`).option(`--backend-model <model>`,`Model override (format: provider/model)`).option(`--backend-api-key-env <name>`,`Name of an environment variable containing the BYOK backend API key`).option(`--backend-api-key-stdin`,`Read the BYOK backend API key from stdin`).option(`--backend-api-key <key>`,`[removed] use --backend-api-key-env or --backend-api-key-stdin`).option(`--tee <type>`,`Require a TEE backend (any, tdx, nitro, sev-snp, phala-dstack)`).option(`--sealed`,`Request TEE sealed-secret support`).option(`--attestation-nonce <hex|auto>`,`Deploy-time attestation nonce; use auto to generate one`).option(`--attestation-refresh`,`Generate a fresh deploy-time attestation nonce when --tee is set`).option(`--require-attestation`,`Fail unless TEE attestation evidence is returned`).option(`--block-network`,`Block all outbound network traffic`).option(`--allow-list <cidrs>`,`CIDR allowlist for outbound traffic (comma-separated)`).option(`--wait`,`Wait for sandbox to be running`,!0).option(`--timeout <ms>`,`HTTP timeout in milliseconds`,`30000`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{So(process.argv);let t=await Co({envVarName:e.gitTokenEnv,fromStdin:e.gitTokenStdin,flagPrefix:`--git-token`}),n=await Co({envVarName:e.storageSecretAccessKeyEnv,fromStdin:e.storageSecretAccessKeyStdin,flagPrefix:`--storage-secret-access-key`}),r=await Co({envVarName:e.backendApiKeyEnv,fromStdin:e.backendApiKeyStdin,flagPrefix:`--backend-api-key`}),i=E({apiKey:e.apiKey,baseUrl:e.baseUrl,timeout:e.timeout?Number.parseInt(e.timeout,10):void 0}),a=k(i),o=F(`Creating sandbox...`);o.start();let s=await Po({client:a,explicitTeam:e.team,personal:e.personal,activeTeamId:i.activeTeamId}),c={};if(e.env)for(let t of e.env){let[e,...n]=t.split(`=`);e&&n.length>0&&(c[e]=n.join(`=`))}let l=e.tool?Do(e.tool,`--tool`,`tool spec`):void 0,d=e.metadata?Oo(e.metadata):void 0,f=jo(e,t),p=Mo(e,n),ee=No(e),te=e.port?Ao(e.port,`--port`):void 0,ne=e.driver?{type:e.driver,enableCriu:e.driverCriu||void 0,preferredRegion:e.driverRegion}:void 0,m=e.backend||e.backendProfile||e.backendModel?{type:e.backend??`opencode`,profile:e.backendProfile,model:e.backendModel||r?{...e.backendModel?wo(e.backendModel):{},apiKey:r}:void 0}:void 0,re=e.blockNetwork||e.allowList||te?{blockOutbound:e.blockNetwork||void 0,allowList:e.allowList?e.allowList.split(`,`).map(e=>e.trim()):void 0,ports:te}:void 0,h=[...e.sshKey?[e.sshKey]:[],...(e.sshKeyFile??[]).map(e=>u(e,`utf8`).trim())],g={name:e.name,environment:e.environment??e.image,bare:e.bare||void 0,sshEnabled:e.ssh||!!e.sshKey||h.length>0||!!e.sshKeys?.length,sshPublicKeys:h.length>0?h:void 0,sshKeyIds:e.sshKeys,webTerminalEnabled:e.webTerminal,env:Object.keys(c).length>0?c:void 0,git:f,tools:l,resources:{cpuCores:Number.parseInt(e.cpu,10),memoryMB:Number.parseInt(e.memory,10),diskGB:Number.parseInt(e.disk,10),accelerator:e.acceleratorKind?{kind:zo(String(e.acceleratorKind)),count:Bo(String(e.acceleratorCount),`--accelerator-count`),memoryMB:e.acceleratorMemory?Bo(String(e.acceleratorMemory),`--accelerator-memory`):void 0}:void 0},maxLifetimeSeconds:Number.parseInt(e.lifetime,10),idleTimeoutSeconds:Number.parseInt(e.idleTimeout,10),storage:p,fromSnapshot:e.fromSnapshot,publicTemplateId:e.publicTemplate,publicTemplateVersionId:e.publicTemplateVersion,teamId:s,secrets:e.secret,metadata:d,driver:ne,backend:m,permissions:ee,network:re},ie=e.tee?{tee:e.tee,sealed:e.sealed||void 0,attestationRefresh:e.attestationRefresh||e.attestationNonce===`auto`||void 0}:void 0,_=ie?await le(a,{...g,confidential:ie,attestationNonce:e.attestationNonce??(e.attestationRefresh?`auto`:void 0),requireAttestation:e.requireAttestation??!0}):void 0,v=_?.sandbox??await a.create(g);e.wait&&(o.text=`Waiting for sandbox to start...`,await v.waitFor(`running`,{timeoutMs:12e4}),await v.refresh()),o.stop(),e.json?j({id:v.id,name:v.name,status:v.status,createdAt:v.createdAt,expiresAt:v.expiresAt,connection:Eo(v.connection),teamId:s,confidential:ie,attestation:_?.attestation,attestationNonce:_?.attestationNonce}):(M(`Sandbox created: ${v.id}`),en({id:v.id,name:v.name,status:v.status,createdAt:v.createdAt?.toISOString(),expiresAt:v.expiresAt?.toISOString(),connection:v.connection}),s&&console.log(`Team: ${s}`),ie&&(console.log(`TEE: ${ie.tee}`),console.log(`Attestation: ${_?.attestation?`present`:`not returned`}`),_?.attestationNonce&&console.log(`Attestation nonce: ${_.attestationNonce}`)))}catch(e){B(e)}}),e.command(`attestation <id-or-name>`).description(`Fetch TEE attestation evidence for a sandbox`).option(`--nonce <hex|auto>`,`Nonce to bind into a fresh attestation report; use auto to generate one`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=E({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=k(n),i=t.nonce===`auto`?ue():t.nonce,a=F(`Fetching TEE attestation...`);a.start();let o=await(await H(r,n,e)).getTeeAttestation(i?{attestationNonce:i}:void 0);a.stop(),t.json?j(o):(M(`Attestation fetched for ${e}`),console.log(`TEE type: ${o.attestation.tee_type}`),console.log(`Evidence bytes: ${o.attestation.evidence.length}`),console.log(`Measurement bytes: ${o.attestation.measurement.length}`),console.log(`Timestamp: ${o.attestation.timestamp}`),o.attestationNonce&&console.log(`Nonce: ${o.attestationNonce}`))}catch(e){B(e)}}),e.command(`list`).description(`List all sandboxes`).option(`-s, --status <status>`,`Filter by status (running, stopped, all)`).option(`-l, --limit <n>`,`Limit results`,`50`).option(`--team <team>`,`List sandboxes for a team by id or name`).option(`--personal`,`List personal sandboxes`).option(`--all-scopes`,`List personal and team sandboxes`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=E({apiKey:e.apiKey,baseUrl:e.baseUrl}),n=k(t),r=F(`Fetching sandboxes...`);r.start();let i=await Fo({client:n,explicitTeam:e.team,personal:e.personal,allScopes:e.allScopes,activeTeamId:t.activeTeamId}),a=await n.list({status:e.status===`all`?void 0:e.status,limit:Number.parseInt(e.limit,10),scope:i});r.stop(),e.json?j(a):A(a.map(e=>({id:e.id,status:e.status,createdAt:e.createdAt,name:e.name??``})),[{key:`id`,header:`ID`,width:24},{key:`status`,header:`Status`,width:14},{key:`createdAt`,header:`Created`,width:16},{key:`name`,header:`Name`,width:20}])}catch(e){B(e)}}),e.command(`get <id-or-name>`).description(`Get sandbox details`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=E({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=k(n),i=F(`Fetching sandbox...`);i.start();let a=await H(r,n,e);i.stop(),t.json?j(a):en({id:a.id,name:a.name,status:a.status,createdAt:a.createdAt?.toISOString(),expiresAt:a.expiresAt?.toISOString(),connection:a.connection})}catch(e){B(e)}}),e.command(`delete <id-or-name>`).description(`Delete a sandbox`).option(`-f, --force`,`Skip confirmation`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{if(!t.force){let t=(await import(`node:readline`)).createInterface({input:process.stdin,output:process.stdout});if(!await new Promise(n=>{t.question(`Delete sandbox ${e}? [y/N] `,e=>{t.close(),n(e.toLowerCase()===`y`)})})){P(`Cancelled.`);return}}let n=E({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=k(n),i=F(`Deleting sandbox...`);i.start(),await(await H(r,n,e)).delete(),i.stop(),M(`Sandbox ${e} deleted.`)}catch(e){B(e)}}),e.command(`stop <id-or-name>`).description(`Stop a running sandbox`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=E({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=k(n),i=F(`Stopping sandbox...`);i.start(),await(await H(r,n,e)).stop(),i.stop(),M(`Sandbox ${e} stopped.`)}catch(e){B(e)}}),e.command(`resume <id-or-name>`).description(`Resume a stopped sandbox`).option(`--wait`,`Wait for sandbox to be running`,!0).option(`-t, --timeout <ms>`,`Resume timeout in milliseconds; a cold resume re-provisions the sandbox, so this defaults higher than other commands (default 120000)`,`120000`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=Number.parseInt(t.timeout,10);if(!Number.isFinite(n)||n<=0)throw Error(`--timeout must be a positive number of milliseconds`);let r=E({apiKey:t.apiKey,baseUrl:t.baseUrl,timeout:n}),i=k(r),a=F(`Resuming sandbox...`);a.start();let o=await H(i,r,e);await o.resume({timeoutMs:n}),t.wait&&(a.text=`Waiting for sandbox to start...`,await o.waitFor(`running`,{timeoutMs:n})),a.stop(),M(`Sandbox ${o.id} resumed.`)}catch(e){B(e)}}),e.command(`network <id-or-name>`).description(`Update network configuration for a sandbox`).option(`--block-outbound`,`Block all outbound network traffic`).option(`--allow-list <cidrs>`,`CIDR allowlist for outbound traffic (comma-separated)`).option(`--clear`,`Clear all network restrictions (allow all traffic)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=E({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=k(n),i=F(`Updating network configuration...`);i.start();let a=await H(r,n,e);if(t.clear)await a.network.update({blockOutbound:!1,allowList:[]});else if(t.blockOutbound)await a.network.update({blockOutbound:!0});else if(t.allowList){let e=t.allowList.split(`,`).map(e=>e.trim());await a.network.update({allowList:e})}else{i.stop();let e=await a.network.getConfig();t.json?j(e):(P(`Network Configuration:`),e.blockOutbound?P(` Block Outbound: true (all outbound traffic blocked)`):e.allowList&&e.allowList.length>0?P(` Allow List: ${e.allowList.join(`, `)}`):P(` No restrictions (all traffic allowed)`),e.ports&&e.ports.length>0&&P(` Exposed Ports: ${e.ports.join(`, `)}`));return}i.stop();let o=await a.network.getConfig();t.json?j(o):(M(`Network configuration updated.`),o.blockOutbound?P(` Block Outbound: true`):o.allowList&&o.allowList.length>0?P(` Allow List: ${o.allowList.join(`, `)}`):P(` All traffic allowed`))}catch(e){B(e)}}),e.command(`expose <id-or-name>`).description(`Expose a port and get a public URL`).option(`-p, --port <port>`,`Port to expose`,`8000`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=E({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=k(n),i=Number.parseInt(t.port,10);if(Number.isNaN(i)||i<1||i>65535)throw Error(`Port must be a number between 1 and 65535`);let a=F(`Exposing port ${i}...`);a.start();let o=await(await H(r,n,e)).network.exposePort(i);a.stop(),t.json?j({port:i,url:o}):(M(`Port ${i} exposed.`),P(` URL: ${o}`))}catch(e){B(e)}}),e.command(`urls <id-or-name>`).description(`List exposed port URLs for a sandbox`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=E({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=k(n),i=F(`Fetching exposed URLs...`);i.start();let a=await(await H(r,n,e)).network.listUrls();if(i.stop(),t.json)j(a);else{let e=Object.entries(a);if(e.length===0)P(`No ports exposed.`);else{P(`Exposed Ports:`);for(let[t,n]of e)P(` ${t}: ${n}`)}}}catch(e){B(e)}}),e}function Eo(e){return!e||e.authToken===void 0?e:{...e,authToken:`[REDACTED]`}}function Do(e,t,n){let r={};for(let i of e){let[e,...a]=i.split(`=`);if(!e||a.length===0)throw Error(`${t} expects ${n} values in KEY=VALUE format`);r[e]=a.join(`=`)}return r}function Oo(e){let t={};for(let n of e){let[e,...r]=n.split(`=`);if(!e||r.length===0)throw Error(`--metadata expects values in KEY=VALUE or KEY=JSON format`);t[e]=ko(r.join(`=`))}return t}function ko(e){try{return JSON.parse(e)}catch{return e}}function Ao(e,t){return e.map(e=>{let n=Number.parseInt(e,10);if(Number.isNaN(n)||n<1||n>65535)throw Error(`${t} values must be integers between 1 and 65535`);return n})}function jo(e,t){if(!(!e.gitUrl&&!e.gitRef&&!e.gitDepth&&!e.gitSparse&&!t)){if(!e.gitUrl||typeof e.gitUrl!=`string`)throw Error(`--git-url is required when using git provisioning options`);return{url:e.gitUrl,ref:typeof e.gitRef==`string`?e.gitRef:void 0,depth:typeof e.gitDepth==`string`?Bo(e.gitDepth,`--git-depth`):void 0,sparse:Array.isArray(e.gitSparse)?e.gitSparse:void 0,auth:t?{token:t}:void 0}}}function Mo(e,t){if(!(!e.storageType&&!e.storageBucket&&!e.storageEndpoint&&!e.storageRegion&&!e.storagePrefix&&!e.storageAccessKeyId&&!t)){if(typeof e.storageType!=`string`||typeof e.storageBucket!=`string`||typeof e.storageAccessKeyId!=`string`||!t)throw Error(`Storage config requires --storage-type, --storage-bucket, --storage-access-key-id, and one of --storage-secret-access-key-env / --storage-secret-access-key-stdin`);return{type:Ro(e.storageType),bucket:e.storageBucket,endpoint:typeof e.storageEndpoint==`string`?e.storageEndpoint:void 0,region:typeof e.storageRegion==`string`?e.storageRegion:void 0,prefix:typeof e.storagePrefix==`string`?e.storagePrefix:void 0,credentials:{accessKeyId:e.storageAccessKeyId,secretAccessKey:t}}}}function No(e){let t=Array.isArray(e.initialUser)?e.initialUser.map(Io):void 0,n=typeof e.defaultRole==`string`?Lo(e.defaultRole):void 0,r=e.multiUser?!0:void 0;if(!(!n&&!t&&!r))return{defaultRole:n,initialUsers:t,multiUser:r}}async function Po(e){if(e.explicitTeam&&e.personal)throw Error(`--team and --personal cannot be used together`);if(!e.personal)return e.explicitTeam?(await vo(e.client,e.explicitTeam)).id:e.activeTeamId}async function Fo(e){if([!!e.explicitTeam,!!e.personal,!!e.allScopes].filter(Boolean).length>1)throw Error(`--team, --personal, and --all-scopes are mutually exclusive`);if(e.allScopes)return`all`;if(e.personal)return`personal`;if(e.explicitTeam)return`team:${(await vo(e.client,e.explicitTeam)).id}`;if(e.activeTeamId)return`team:${e.activeTeamId}`}function Io(e){let[t,n]=e.split(`:`);if(!t)throw Error(`--initial-user expects USER_ID or USER_ID:ROLE`);return{userId:t,role:n?Lo(n):void 0}}function Lo(e){if(e===`owner`||e===`admin`||e===`developer`||e===`viewer`)return e;throw Error(`--default-role and --initial-user roles must be one of owner, admin, developer, viewer`)}function Ro(e){if(e===`s3`||e===`gcs`||e===`r2`)return e;throw Error(`--storage-type must be one of s3, gcs, or r2`)}function zo(e){let t=e.trim().toLowerCase();if(/^[a-z0-9][a-z0-9._-]*$/.test(t))return t;throw Error(`--accelerator-kind must contain only letters, numbers, dots, underscores, or hyphens`)}function Bo(e,t){let n=Number.parseInt(e,10);if(Number.isNaN(n)||n<1)throw Error(`${t} must be a positive integer`);return n}function Vo(){return new t(`search`).description(`Search for text patterns in sandbox files (ripgrep)`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`<pattern>`,`Search pattern (regex)`).option(`-g, --glob <pattern>`,`File glob filter (e.g. '**/*.ts')`).option(`-n, --max-results <count>`,`Max results to return`).option(`-i, --ignore-case`,`Case-insensitive search`).option(`--json`,`Output as JSON lines`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=E({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=k(r),a=F(`Searching...`);n.json||a.start();let o=await H(i,r,e),s=0,c=n.maxResults?Number.parseInt(n.maxResults,10):void 0,l={};n.glob&&(l.glob=n.glob),n.ignoreCase&&(l.ignoreCase=!0),c&&(l.maxResults=c);for await(let e of o.search(t,l))if(s===0&&a.stop(),s++,n.json?console.log(JSON.stringify(e)):console.log(`${e.path}:${e.line}:${e.column??0}: ${e.text}`),c&&s>=c)break;a.stop(),s===0&&!n.json&&console.log(`No matches found`)}catch(e){B(e)}})}function Ho(){let e=new t(`secret`).description(`Manage secrets`);return e.command(`create`).description(`Create a new secret`).argument(`<name>`,`Secret name (e.g., HF_TOKEN, AWS_ACCESS_KEY)`).argument(`[value]`,`Secret value`).option(`--value-stdin`,`Read secret value from stdin`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=k(E({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=await Uo({value:t,valueStdin:n.valueStdin,prompt:`Enter value for secret '${e}': `}),a=F(`Creating secret...`);a.start();let o=await r.secrets.create(e,i);a.stop(),n.json?j({name:o.name,createdAt:o.createdAt.toISOString(),updatedAt:o.updatedAt.toISOString()}):(M(`Secret created: ${o.name}`),P(`Use --secrets ${o.name} when creating a sandbox to inject it as an environment variable.`))}catch(e){B(e)}}),e.command(`list`).description(`List all secrets`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=k(E({apiKey:e.apiKey,baseUrl:e.baseUrl})),n=F(`Fetching secrets...`);n.start();let r=await t.secrets.list();n.stop(),e.json?j(r.map(e=>({name:e.name,createdAt:e.createdAt.toISOString(),updatedAt:e.updatedAt.toISOString()}))):r.length===0?(P(`No secrets found.`),P(`Use 'tangle secret create <name> [value]' to create one.`)):z([`Name`,`Created At`,`Updated At`],r.map(e=>[e.name,e.createdAt.toLocaleString(),e.updatedAt.toLocaleString()]))}catch(e){B(e)}}),e.command(`show`).description(`Show a secret value (requires --reveal to print plaintext)`).argument(`<name>`,`Secret name`).option(`--reveal`,`Print the plaintext secret value to stdout. Without this flag the command exits with a redaction notice.`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{if(!t.reveal){process.stderr.write(`Refusing to print secret '${e}' as plaintext. Re-run with --reveal to confirm and write the value to stdout.
147
- `),process.exitCode=1;return}let n=k(E({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=F(`Fetching secret...`);r.start();let i=await n.secrets.get(e);r.stop(),process.stderr.write(`WARNING: secret '${e}' is being printed in plaintext. Avoid storing this output in shell history, screenshots, or logs.
148
- `),t.json?j({name:e,value:i}):console.log(i)}catch(e){B(e)}}),e.command(`update`).description(`Update a secret value`).argument(`<name>`,`Secret name`).argument(`[value]`,`New secret value`).option(`--value-stdin`,`Read secret value from stdin`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=k(E({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=await Uo({value:t,valueStdin:n.valueStdin,prompt:`Enter new value for secret '${e}': `}),a=F(`Updating secret...`);a.start();let o=await r.secrets.update(e,i);a.stop(),n.json?j({name:o.name,createdAt:o.createdAt.toISOString(),updatedAt:o.updatedAt.toISOString()}):M(`Secret updated: ${o.name}`)}catch(e){B(e)}}),e.command(`delete`).description(`Delete a secret`).argument(`<name>`,`Secret name`).option(`--force`,`Skip confirmation prompt`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=k(E({apiKey:t.apiKey,baseUrl:t.baseUrl}));if(!t.force&&!await W(`Are you sure you want to delete secret '${e}'? This cannot be undone. (y/N) `)){P(`Cancelled.`);return}let r=F(`Deleting secret...`);r.start(),await n.secrets.delete(e),r.stop(),t.json?j({success:!0,deleted:e}):M(`Secret deleted: ${e}`)}catch(e){B(e)}}),e}async function Uo(e){if(e.value!==void 0&&e.valueStdin)throw Error(`Provide either a secret value argument or --value-stdin, not both`);if(e.value!==void 0){if(e.value.length===0)throw Error(`Secret value cannot be empty`);return e.value}if(e.valueStdin){let e=await Dn();if(e.length===0)throw Error(`Secret value from stdin cannot be empty`);return e}let t=await En(e.prompt);if(t.length===0)throw Error(`Secret value cannot be empty`);return t}function Wo(){let e=new t(`skill`).description(`Print paths to shipped skill documentation`);return e.command(`path`).description(`Print the absolute path to the SKILL.md shipped with this CLI`).action(()=>{let e=p.dirname(ke(import.meta.url)),t=p.resolve(e,`..`,`SKILL.md`);console.log(t)}),e}function Go(){let e=new t(`snapshot`).description(`Manage snapshots`);return e.command(`create <sandbox-id-or-name>`).description(`Create a snapshot of a sandbox`).option(`--tags <tags...>`,`Tags for the snapshot`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=E({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=k(n),i=F(`Creating snapshot...`);i.start();let a=await(await H(r,n,e)).snapshot({tags:t.tags});i.stop(),t.json?j(a):(M(`Snapshot created: ${a.snapshotId}`),console.log(`Size: ${Ko(a.sizeBytes??0)}`))}catch(e){B(e)}}),e.command(`list <sandbox-id-or-name>`).description(`List snapshots for a sandbox`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=E({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=k(n),i=F(`Fetching snapshots...`);i.start();let a=await(await H(r,n,e)).listSnapshots();i.stop(),t.json?j(a):A(a.map(e=>({...e,size:Ko(e.sizeBytes??0)})),[{key:`snapshotId`,header:`ID`,width:24},{key:`createdAt`,header:`Created`,width:16},{key:`size`,header:`Size`,width:12},{key:`sandboxId`,header:`Sandbox`,width:20}])}catch(e){B(e)}}),e.command(`restore <sandbox-id> <snapshot-id>`).description(`Create a new sandbox from a snapshot`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=k(E({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=F(`Restoring from snapshot...`);i.start();let a=await r.create({fromSnapshot:t,fromSandboxId:e});await a.waitFor(`running`,{timeoutMs:12e4}),i.stop(),n.json?j({sandboxId:a.id,restoredFrom:t,status:a.status}):(M(`New sandbox created: ${a.id}`),console.log(`Source snapshot: ${t}`))}catch(e){B(e)}}),e.command(`revert <sandbox-id-or-name> <snapshot-id>`).description(`Revert an existing sandbox to a snapshot`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=E({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=k(r),a=F(`Reverting sandbox to snapshot...`);a.start();let o=await H(i,r,e),s=await o.revertToSnapshot(t);await o.refresh(),a.stop(),n.json?j({sandboxId:o.id,snapshotId:s.snapshotId,status:o.status}):(M(`Sandbox reverted: ${o.id}`),console.log(`Source snapshot: ${s.snapshotId}`))}catch(e){B(e)}}),e.command(`delete <sandbox-id-or-name> <snapshot-id>`).description(`Delete a sandbox snapshot`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=E({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=k(r),a=F(`Deleting snapshot...`);a.start(),await(await H(i,r,e)).deleteSnapshot(t),a.stop(),n.json?j({success:!0,sandboxId:e,snapshotId:t}):M(`Snapshot deleted: ${t}`)}catch(e){B(e)}}),e}function Ko(e){if(e===0)return`0 B`;let t=1024,n=[`B`,`KB`,`MB`,`GB`,`TB`],r=Math.floor(Math.log(e)/Math.log(t));return`${Number.parseFloat((e/t**r).toFixed(1))} ${n[r]}`}function qo(e,t){return`tangle ssh-proxy ${e.replace(/\/+$/,``)}/v1/sidecar-proxy/${t}/ssh`}function Jo(e){return/^[A-Za-z0-9_/:=@%+.,-]+$/.test(e)?e:`'${e.replace(/'/g,`'"'"'`)}'`}function Yo(e){return`'${e.replace(/'/g,`''`)}'`}function Xo(e){return e===`win32`?`NUL`:`/dev/null`}function Zo(e,t){return t===`win32`?`$env:TANGLE_SSH_PROXY_AUTH_TOKEN=${Yo(`<token>`)}; ssh ${e.map(Yo).join(` `)}`:`TANGLE_SSH_PROXY_AUTH_TOKEN=${Jo(`<token>`)} ssh ${e.map(Jo).join(` `)}`}function Qo(e){return e.connection!==void 0&&!e.connection.ssh}function $o(){N(`SSH is not enabled for this sandbox.`),P(`Create a sandbox with --ssh to enable SSH access.`),process.exit(1)}function es(e,t=[],n=process.platform){let r=Xo(n);return[`-o`,`ProxyCommand=${e.proxyCommand}`,`-o`,`StrictHostKeyChecking=no`,`-o`,`UserKnownHostsFile=${r}`,`-o`,`GlobalKnownHostsFile=${r}`,`-o`,`LogLevel=ERROR`,`-o`,`ServerAliveInterval=15`,`-o`,`ServerAliveCountMax=4`,`-o`,`TCPKeepAlive=yes`,`${e.username}@localhost`,`-p`,String(e.port),...t]}function ts(){return new t(`ssh`).description(`Open SSH session to a sandbox`).argument(`<ref>`,`Sandbox ID or name`).argument(`[sshArgs...]`,`Extra args passed through to ssh`).option(`-i, --identity-file <path>`,`Private key file to pass to ssh`).option(`--print`,`Print SSH command instead of connecting`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).allowUnknownOption(!0).action(async(e,t,n)=>{try{let r=E({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=k(r),a=F(`Getting SSH credentials...`);a.start();let o=await H(i,r,e);if(Qo(o)){a.stop(),$o();return}o=await U(o);let s=await o.ssh();if(a.stop(),!s){$o();return}let c={...s,proxyCommand:qo(r.baseUrl,o.id)};if(!r.apiKey)throw Error(`SSH proxy requires API key auth. Set TANGLE_API_KEY or pass --api-key.`);let l=es(c,[...n.identityFile?[`-i`,n.identityFile,`-o`,`IdentitiesOnly=yes`]:[],...t]);if(n.print){console.log(Zo(l,process.platform));return}P(`Connecting via tunnel...`);let u=ge(`ssh`,l,{stdio:`inherit`,env:{...process.env,TANGLE_SSH_PROXY_AUTH_TOKEN:r.apiKey}});u.on(`error`,e=>{e.code===`ENOENT`&&(N(`SSH client not found. Please install OpenSSH.`),process.exit(1)),B(e)}),u.on(`exit`,e=>{process.exit(e??0)})}catch(e){B(e)}})}function ns(){let e=new t(`ssh-keys`).description(`Manage SSH keys`);return e.command(`list`).description(`List SSH keys`).option(`--json`,`Output as JSON`).action(async e=>{let t=F(`Fetching SSH keys...`);try{t.start();let n=await k(E(e)).sshKeys.list();t.stop(),e.json?j({sshKeys:n}):n.length===0?P(`No SSH keys found.`):z([`Name`,`Type`,`Fingerprint`,`Created`],n.map(e=>[e.name,e.keyType,e.fingerprint,e.createdAt.toLocaleString()]))}catch(e){t.stop(),B(e)}}),e.command(`add`).description(`Add SSH key`).argument(`<name>`,`SSH key name`).requiredOption(`--key-file <path>`,`Public key file path`).option(`--json`,`Output as JSON`).action(async(e,t)=>{let n=F(`Adding SSH key...`);try{let r=u(t.keyFile,`utf8`).trim();n.start();let i=await k(E(t)).sshKeys.create(e,r);n.stop(),t.json?j({sshKey:i}):M(`Added SSH key ${i.name} (${i.fingerprint})`)}catch(e){n.stop(),B(e)}}),e.command(`delete`).description(`Delete SSH key`).argument(`<name>`,`SSH key name or ID`).action(async(e,t)=>{let n=F(`Deleting SSH key...`);try{n.start(),await k(E(t)).sshKeys.delete(e),n.stop(),M(`Deleted SSH key ${e}`)}catch(e){n.stop(),B(e)}}),e}function rs(e,t=1){process.stderr.write(`${e}\n`),process.exit(t)}function is(){return new t(`ssh-proxy`).description(`SSH proxy helper — pipes stdin/stdout to WebSocket`).argument(`<sidecar-url>`,`Sidecar WebSocket URL`).action(async e=>{let t=process.env.TANGLE_SSH_PROXY_AUTH_TOKEN;t||rs(`TANGLE_SSH_PROXY_AUTH_TOKEN not set`);let n=new Ae(new URL(e.replace(/^http/,`ws`)),{headers:{Authorization:`Bearer ${t}`},perMessageDeflate:!1}),r;function i(){r&&=(clearInterval(r),void 0)}n.on(`open`,()=>{r=setInterval(()=>{n.readyState===Ae.OPEN&&n.ping()},15e3),r.unref?.(),process.stdin.on(`data`,e=>{n.readyState===Ae.OPEN&&n.send(e,{binary:!0,compress:!1})}),process.stdin.on(`end`,()=>n.close(1e3))}),n.on(`message`,e=>{let t=Buffer.isBuffer(e)?e:Array.isArray(e)?Buffer.concat(e):Buffer.from(e);process.stdout.write(t)}),n.on(`error`,e=>{i(),rs(`WebSocket error: ${e.message}`)}),n.on(`close`,e=>{i(),process.exit(e===1e3?0:1)}),process.stdin.on(`error`,()=>n.close())})}const as=[`claude-code`,`opencode`,`codex`,`kimi-code`],os=[`session`,`project`,`read-only`],ss={min:1,max:15},cs=process.env.TANGLE_ROUTER_URL??`https://router.tangle.tools/v1`;function ls(e){let t=e.harness??`claude-code`;if(!as.includes(t))throw Error(`Unknown --harness '${t}'. Supported: ${as.join(`, `)}.`);let n=e.tokenScope??`session`;if(!os.includes(n))throw Error(`Unknown --token-scope '${n}'. Supported: ${os.join(`, `)}.`);let r=us(e.maxTokens,2e5,`--max-tokens`),i=us(e.maxIterations,50,`--max-iterations`),a=us(e.tokenTtl,10,`--token-ttl`);if(a<ss.min||a>ss.max)throw Error(`--token-ttl ${a} out of range; the SDK clamps to [${ss.min}, ${ss.max}] minutes.`);let o=e.maxWorkers===void 0?void 0:us(e.maxWorkers,0,`--max-workers`);return{harness:t,...e.model?{model:e.model}:{},maxTokens:r,maxIterations:i,tokenScope:n,tokenTtl:a,...o===void 0?{}:{maxWorkers:o}}}function us(e,t,n){if(e===void 0)return t;let r=Number.parseInt(e,10);if(!Number.isFinite(r)||r<=0)throw Error(`${n} must be a positive integer, got '${e}'.`);return r}function ds(e){let t={maxTokens:e.maxTokens,maxIterations:e.maxIterations};return e.maxWorkers===void 0?{budget:t}:{budget:t,perWorker:{maxTokens:Math.max(1,Math.floor(e.maxTokens/e.maxWorkers)),maxIterations:Math.max(1,Math.floor(e.maxIterations/e.maxWorkers))}}}function fs(e){let{client:t,scope:n,ttlMinutes:r,onScope:a}=e,o={async create(o){let s=await t.create(ps(o)),c={scope:n,ttlMinutes:r,...n===`session`?{sessionId:e.sessionIdFor?.(s)??`supervise-${i()}`}:{}},l=await s.mintScopedToken(c);return a({id:s.id,scope:l.scope,expiresAt:l.expiresAt,status:`spawned`}),s}};return typeof t.criuStatus==`function`&&(o.criuStatus=t.criuStatus.bind(t)),o}function ps(e){if(!e?.env)return e;let{TANGLE_API_KEY:t,SANDBOX_API_KEY:n,...r}=e.env;return{...e,env:r}}function ms(e){if(e.kind===`no-winner`)return{text:``,tokenUsage:{input:0,output:0},costUsd:0,status:`no-winner (${e.reason})`};let t=e.out;return{text:typeof t==`string`?t:hs(t)?t.content:JSON.stringify(t),tokenUsage:{input:e.spentTotal.tokens.input,output:e.spentTotal.tokens.output},costUsd:e.spentTotal.usd,status:`winner`}}function hs(e){return typeof e==`object`&&!!e&&typeof e.content==`string`}const gs={makeClient:e=>k(E({apiKey:e.apiKey,baseUrl:e.baseUrl})),resolveRouter:e=>({routerBaseUrl:cs,routerKey:E({apiKey:e.apiKey}).apiKey,model:e.model}),supervise:je};async function _s(e,t,n,r=gs){let a=r.makeClient({apiKey:n.apiKey,baseUrl:n.baseUrl}),{budget:o,perWorker:s}=ds(t),c=[],l=fs({client:a,scope:t.tokenScope,ttlMinutes:t.tokenTtl,onScope:e=>{if(c.push(e),!n.json){let n=`ttl ${t.tokenTtl}m`;P(`worker ${e.id} [${e.scope} token ${n}] spawned`)}}}),u=Me({backend:`sandbox`,harness:t.harness,sandboxClient:l,maxIterations:1}),d={name:`supervisor`,...t.model?{model:t.model}:{}},f=r.resolveRouter({apiKey:n.apiKey,model:t.model??`deepseek-v4-flash`}),p=ms(await r.supervise(d,{goal:e},{budget:o,makeWorkerAgent:u,router:f,...s?{perWorker:s}:{},...t.model?{allowedModels:[t.model]}:{},runId:`supervise-${i()}`})),ee=p.status===`winner`?`settled`:`failed`;for(let e of c)e.status=ee,n.json||P(`worker ${e.id} [${e.scope} token ttl ${t.tokenTtl}m] settled (${e.status})`);return{task:e,result:p.text,workers:c,tokenUsage:p.tokenUsage,costUsd:p.costUsd,status:p.status}}function vs(){let e=new t(`supervise`);return e.description(`Run a budget-conserving supervisor that spawns isolated sandbox workers to deliver a task. Each worker box mints a short-lived scoped token instead of receiving the root API key.`).argument(`<task>`,`What the supervisor should accomplish`).option(`--harness <name>`,`Worker harness (${as.join(` | `)})`,`claude-code`).option(`--model <id>`,`Model for the supervisor + workers`).option(`--max-tokens <n>`,`Conserved token budget for the whole run`,`200000`).option(`--max-iterations <n>`,`Conserved iteration budget for the whole run`,`50`).option(`--token-scope <scope>`,`Per-worker token scope (${os.join(` | `)})`,`session`).option(`--token-ttl <min>`,`Per-worker token TTL in minutes (SDK clamps to [1, 15])`,`10`).option(`--max-workers <n>`,`Bound the fanout; each worker reserves floor(max-tokens / n) tokens and floor(max-iterations / n) iterations`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=ls({harness:t.harness,model:t.model,maxTokens:t.maxTokens,maxIterations:t.maxIterations,tokenScope:t.tokenScope,tokenTtl:t.tokenTtl,maxWorkers:t.maxWorkers});t.json||(P(`Supervising: ${e}`),P(`harness=${n.harness} budget=${n.maxTokens}tok/${n.maxIterations}it scope=${n.tokenScope} ttl=${n.tokenTtl}m`),console.log());let r=await _s(e,n,{apiKey:t.apiKey,baseUrl:t.baseUrl,json:t.json});if(t.json){j(r),r.status!==`winner`&&(process.exitCode=1);return}if(console.log(),r.status!==`winner`)throw Error(`Supervisor finished without a winner: ${r.status}`);console.log(r.result),console.log(),I({"Input Tokens":r.tokenUsage.input,"Output Tokens":r.tokenUsage.output,Cost:`$${r.costUsd.toFixed(4)}`})}catch(e){B(e,t.json)}}),e}function ys(){let e=new t(`team`).description(`Manage teams`);return e.command(`list`).description(`List teams for the current account`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async e=>{try{let t=E(e),n=k(t),r=e.json?null:F(`Fetching teams...`);r?.start();let i=await n.teams.list();if(r?.stop(),e.json){j({teams:i,activeTeamId:t.activeTeamId??null});return}A(i.map(e=>({active:e.id===t.activeTeamId,id:e.id,name:e.name,role:e.currentUserRole,members:e.memberCount})),[{key:`active`,header:`Active`,width:8},{key:`id`,header:`ID`,width:38},{key:`name`,header:`Name`,width:24},{key:`role`,header:`Role`,width:10},{key:`members`,header:`Members`,width:10}])}catch(e){B(e)}}),e.command(`create <name>`).description(`Create a team`).option(`--org-id <id>`,`External organization id`).option(`--no-switch`,`Do not set the new team as active`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=E(t),r=k(n),i=t.json?null:F(`Creating team...`);i?.start();let a=await r.teams.create({name:e,orgId:t.orgId});if(t.switch&&yo(a,n.profile),i?.stop(),t.json){j({team:a,active:!!t.switch});return}M(`Team created: ${_o(a)}`),t.switch&&M(`Active team set to ${a.name}`)}catch(e){B(e)}}),e.command(`switch <team>`).description(`Set the active team for the current profile`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=E(t),r=await vo(k(n),e);if(yo(r,n.profile),t.json){j({team:r,activeTeamId:r.id});return}M(`Active team set to ${_o(r)}`)}catch(e){B(e)}}),e.command(`current`).description(`Show the active team for the current profile`).option(`--json`,`Output as JSON`).option(`--profile <profile>`,`Credential profile`).action(e=>{try{let t=Mt(e.profile);if(e.json){j(t.activeTeamId?t:{activeTeamId:null});return}if(!t.activeTeamId){console.log(`No active team.`);return}I({ID:t.activeTeamId,Name:t.activeTeamName})}catch(e){B(e)}}),e.command(`clear`).description(`Clear the active team for the current profile`).option(`--json`,`Output as JSON`).option(`--profile <profile>`,`Credential profile`).action(e=>{try{if(bo(e.profile),e.json){j({activeTeamId:null});return}M(`Active team cleared.`)}catch(e){B(e)}}),e.command(`members [team]`).description(`List team members`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=E(t),r=k(n),i=await Z(r,e,n.profile),a=await r.teams.listMembers(i.id);if(t.json){j({team:i,members:a});return}A(a.map(e=>({id:e.id,email:e.customerEmail,role:e.role,status:e.status,joinedAt:e.joinedAt})),[{key:`id`,header:`ID`,width:36},{key:`email`,header:`Email`,width:28},{key:`role`,header:`Role`,width:10},{key:`status`,header:`Status`,width:10},{key:`joinedAt`,header:`Joined`,width:16}])}catch(e){B(e)}}),e.command(`update-member <member-id>`).description(`Update a team member role`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).requiredOption(`--role <role>`,`Role: admin, member, viewer`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=E(t),r=k(n),i=await Z(r,t.team,n.profile),a=bs(t.role),o=await r.teams.updateMember(i.id,e,{role:a});if(t.json){j({team:i,member:o});return}M(`Member updated: ${o.customerEmail}`),I({Team:i.name,Role:o.role,Status:o.status})}catch(e){B(e)}}),e.command(`invite <email>`).description(`Invite a user to a team`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).option(`--role <role>`,`Role: admin, member, viewer`,`member`).option(`--ttl-hours <hours>`,`Invitation lifetime in hours`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=E(t),r=k(n),i=await Z(r,t.team,n.profile),a=bs(t.role),o=await r.teams.invite(i.id,{email:e,role:a,ttlHours:t.ttlHours?Number.parseInt(t.ttlHours,10):void 0});if(t.json){j({team:i,invitation:o});return}M(`Invitation created for ${o.email}`),I({Team:i.name,Role:o.role,Expires:o.expiresAt,"Invitation ID":o.id}),M(`Re-run with --json to retrieve the invitation token for sharing.`)}catch(e){B(e)}}),e.command(`leave [team]`).description(`Leave a team as the current user`).option(`--force`,`Skip confirmation prompt`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=E(t),r=k(n),i=await Z(r,e,n.profile);if(!t.force&&!t.json&&!await W(`Leave team '${i.name}'? (y/N) `))return;if(await r.teams.leave(i.id),n.activeTeamId===i.id&&bo(n.profile),t.json){j({success:!0,teamId:i.id});return}M(`Left team: ${i.name}`)}catch(e){B(e)}}),e.command(`transfer <new-owner-customer-id> [team]`).description(`Transfer team ownership to another active member`).option(`--force`,`Skip confirmation prompt`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t,n)=>{try{let r=E(n),i=k(r),a=await Z(i,t,r.profile);if(!n.force&&!n.json&&!await W(`Transfer ownership of '${a.name}' to ${e}? This cannot be undone without the new owner's cooperation. (y/N) `))return;if(await i.teams.transferOwnership(a.id,e),n.json){j({success:!0,teamId:a.id,newOwnerCustomerId:e});return}M(`Ownership transferred for ${a.name}`)}catch(e){B(e)}}),e.addCommand(xs()),e.addCommand(Ss()),e.command(`invitations [team]`).description(`List pending and historical team invitations`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=E(t),r=k(n),i=await Z(r,e,n.profile),a=await r.teams.listInvitations(i.id);if(t.json){j({team:i,invitations:a});return}A(a.map(e=>({id:e.id,email:e.email,role:e.role,status:e.status,expiresAt:e.expiresAt})),[{key:`id`,header:`ID`,width:38},{key:`email`,header:`Email`,width:28},{key:`role`,header:`Role`,width:10},{key:`status`,header:`Status`,width:12},{key:`expiresAt`,header:`Expires`,width:16}])}catch(e){B(e)}}),e.command(`accept <token>`).description(`Accept a team invitation`).option(`--no-switch`,`Do not set the accepted team as active`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=E(t),r=k(n),i=await r.teams.acceptInvitation(e),a=t.switch===!1?null:await r.teams.get(i.teamId);if(a&&yo(a,n.profile),t.json){j({member:i,activeTeamId:a?.id??null});return}M(`Invitation accepted for team ${i.teamId}`),a&&M(`Active team set to ${a.name}`)}catch(e){B(e)}}),e.command(`revoke-invitation <invitation-id>`).description(`Revoke a pending team invitation`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{if(await k(E(t)).teams.revokeInvitation(e),t.json){j({success:!0,invitationId:e});return}M(`Invitation revoked: ${e}`)}catch(e){B(e)}}),e.command(`remove-member <member-id>`).description(`Remove a member from a team`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=E(t),r=k(n),i=await Z(r,t.team,n.profile);if(await r.teams.removeMember(i.id,e),t.json){j({success:!0,teamId:i.id,memberId:e});return}M(`Member removed: ${e}`)}catch(e){B(e)}}),e}function bs(e){if(e===`admin`||e===`member`||e===`viewer`)return e;throw Error(`Role must be one of: admin, member, viewer`)}function xs(){let e=new t(`secret`).description(`Manage team secrets`);return e.command(`list [team]`).description(`List team secret names`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=E(t),r=k(n),i=await Z(r,e,n.profile),a=await r.teams.listSecrets(i.id);if(t.json){j({team:i,secrets:a});return}A(a.map(e=>({name:e.name,updatedAt:e.updatedAt,updatedBy:e.updatedBy})),[{key:`name`,header:`Name`,width:28},{key:`updatedAt`,header:`Updated`,width:24},{key:`updatedBy`,header:`Updated By`,width:28}])}catch(e){B(e)}}),e.command(`set <name> [value]`).description(`Create or replace a team secret`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).option(`--value-stdin`,`Read secret value from stdin`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t,n)=>{try{let r=E(n),i=k(r),a=await Z(i,n.team,r.profile),o=await Cs({value:t,valueStdin:n.valueStdin,prompt:`Enter value for team secret '${e}': `}),s=await i.teams.upsertSecret(a.id,e,o);if(n.json){j({team:a,secret:s});return}M(`Team secret saved: ${s.name}`)}catch(e){B(e)}}),e.command(`delete <name>`).description(`Delete a team secret`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).option(`--force`,`Skip confirmation prompt`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=E(t),r=k(n),i=await Z(r,t.team,n.profile);if(!t.force&&!t.json&&!await W(`Delete team secret '${e}' from '${i.name}'? (y/N) `))return;if(await r.teams.deleteSecret(i.id,e),t.json){j({success:!0,teamId:i.id,name:e});return}M(`Team secret deleted: ${e}`)}catch(e){B(e)}}),e.command(`reveal <name>`).description(`Reveal a team secret value`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=E(t),r=k(n),i=await Z(r,t.team,n.profile),a=await r.teams.revealSecret(i.id,e);if(t.json){j({teamId:i.id,...a});return}console.log(a.value)}catch(e){B(e)}}),e}function Ss(){let e=new t(`templates`).description(`Manage team golden-path templates`);return e.command(`list [team]`).description(`List a team's golden-path templates`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=E(t),r=k(n),i=await Z(r,e,n.profile),a=await r.teams.listTemplates(i.id);if(t.json){j({team:i,templates:a});return}if(a.length===0){console.log(`No templates yet for ${i.name}.`);return}A(a.map(e=>({id:e.id,name:e.name,environment:e.environment,snapshot:`${e.snapshotId.slice(0,12)}…`,updated:e.updatedAt})),[{key:`id`,header:`ID`,width:38},{key:`name`,header:`Name`,width:28},{key:`environment`,header:`Env`,width:14},{key:`snapshot`,header:`Snapshot`,width:16},{key:`updated`,header:`Updated`,width:24}])}catch(e){B(e)}}),e.command(`create <name> <snapshot-id>`).description(`Create a golden-path template from a snapshot`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).option(`-d, --description <description>`,`Human-readable description shown in the dashboard`).option(`-e, --environment <environment>`,`Default environment to apply (defaults to 'universal')`).option(`--config <json>`,`Optional JSON config object merged into sandboxes created from this template`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t,n)=>{try{let r=E(n),i=k(r),a=await Z(i,n.team,r.profile),o;if(n.config)try{let e=JSON.parse(n.config);if(typeof e!=`object`||!e||Array.isArray(e))throw Error(`--config must be a JSON object`);o=e}catch(e){throw Error(`--config is not valid JSON: ${e instanceof Error?e.message:String(e)}`)}let s=await i.teams.createTemplate(a.id,{name:e,snapshotId:t,description:n.description,environment:n.environment,config:o});if(n.json){j({team:a,template:s});return}M(`Team template created: ${s.name} (${s.id})`)}catch(e){B(e)}}),e.command(`delete <template-id>`).description(`Delete a team golden-path template`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).option(`--force`,`Skip confirmation prompt`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=E(t),r=k(n),i=await Z(r,t.team,n.profile);if(!t.force&&!t.json&&!await W(`Delete template '${e}' from '${i.name}'? (y/N) `))return;if(await r.teams.deleteTemplate(i.id,e),t.json){j({success:!0,teamId:i.id,templateId:e});return}M(`Team template deleted: ${e}`)}catch(e){B(e)}}),e}async function Cs(e){if(e.value!==void 0&&e.valueStdin)throw Error(`Provide either a secret value argument or --value-stdin, not both`);if(e.value!==void 0){if(e.value.length===0)throw Error(`Secret value cannot be empty`);return e.value}if(e.valueStdin){let e=await Dn();if(e.length===0)throw Error(`Secret value from stdin cannot be empty`);return e}let t=await En(e.prompt);if(t.length===0)throw Error(`Secret value cannot be empty`);return t}function ws(){let e=new t(`template`).description(`Manage published public templates`);return e.command(`list`).option(`-q, --query <query>`,`Search query`).option(`--tag <tag>`,`Filter by tag`).option(`--featured`,`Show featured templates only`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=k(E(e)),n=e.featured?await t.publicTemplates.featured():await t.publicTemplates.list({query:e.query,tag:e.tag});if(e.json){j({templates:n});return}A(n.map(e=>({slug:e.slug,name:e.name,forks:e.forkCount,sandboxes:e.sandboxCount,updated:e.updatedAt})),[{key:`slug`,header:`Slug`,width:28},{key:`name`,header:`Name`,width:28},{key:`forks`,header:`Forks`,width:8},{key:`sandboxes`,header:`Sandboxes`,width:12},{key:`updated`,header:`Updated`,width:24}])}catch(e){B(e)}}),e.command(`get <id-or-slug>`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=await k(E(t)).publicTemplates.get(e);if(t.json){j({template:n});return}j(n)}catch(e){B(e)}}),e.command(`versions <id-or-slug>`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=await k(E(t)).publicTemplates.versions(e);if(t.json){j({versions:n});return}A(n.map(e=>({...e})),[{key:`id`,header:`Version ID`,width:38},{key:`versionNumber`,header:`Version`,width:8},{key:`snapshotId`,header:`Snapshot`,width:20},{key:`createdAt`,header:`Created`,width:24}])}catch(e){B(e)}}),e.command(`publish <name> <snapshot-id> <sandbox-id>`).option(`--slug <slug>`,`Stable public slug`).option(`-d, --description <description>`,`Template description`).option(`--readme <markdown>`,`README markdown`).option(`--tags <tags...>`,`Template tags`).option(`--release-notes <text>`,`Release notes`).option(`--team-id <id>`,`Publish under a team`).option(`--forked-from <id>`,`Fork source template id`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n,r)=>{try{let i=await k(E(r)).publicTemplates.publish({name:e,slug:r.slug,description:r.description,snapshotId:t,sourceSandboxId:n,readmeMarkdown:r.readme,tags:r.tags,releaseNotes:r.releaseNotes,teamId:r.teamId,forkedFromTemplateId:r.forkedFrom});if(r.json){j({template:i});return}M(`Published template: ${i.slug}`)}catch(e){B(e)}}),e.command(`publish-version <id-or-slug> <snapshot-id> <sandbox-id>`).option(`--readme <markdown>`,`README markdown`).option(`--tags <tags...>`,`Template tags`).option(`--release-notes <text>`,`Release notes`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n,r)=>{try{let i=await k(E(r)).publicTemplates.publishVersion(e,{snapshotId:t,sourceSandboxId:n,readmeMarkdown:r.readme,tags:r.tags,releaseNotes:r.releaseNotes});if(r.json){j({version:i});return}M(`Published template version: ${i.id}`)}catch(e){B(e)}}),e}function Ts(){let e=new t(`tools`).description(`Manage language runtimes and tools in a sandbox (via mise)`);return e.command(`list`).alias(`ls`).description(`List installed tools in a sandbox`).argument(`<id-or-name>`,`Sandbox ID or name`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=E({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=k(n),i=F(`Fetching tools...`);t.json||i.start();let a=await(await H(r,n,e)).tools.list();i.stop(),t.json?j(a):a.length===0?console.log(`No tools installed`):z([`Tool`,`Version`,`Active`],a.map(e=>[e.name,e.version,e.active?`yes`:`no`]))}catch(e){B(e)}}),e.command(`install`).description(`Install a tool version`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`<tool>`,`Tool name (e.g. node, python, go)`).argument(`<version>`,`Version to install (e.g. 20, 3.12, latest)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n,r)=>{try{let i=E({apiKey:r.apiKey,baseUrl:r.baseUrl}),a=k(i),o=F(`Installing ${t}@${n}...`);r.json||o.start(),await(await H(a,i,e)).tools.install(t,n),o.stop(),r.json?j({tool:t,version:n,installed:!0}):M(`Installed ${t}@${n}`)}catch(e){B(e)}}),e.command(`use`).description(`Activate a tool version for the current session`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`<tool>`,`Tool name`).argument(`<version>`,`Version to activate`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n,r)=>{try{let i=E({apiKey:r.apiKey,baseUrl:r.baseUrl});await(await H(k(i),i,e)).tools.use(t,n),M(`Activated ${t}@${n}`)}catch(e){B(e)}}),e.command(`run`).description(`Run a command with a specific tool`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`<tool>`,`Tool name`).argument(`<args...>`,`Command arguments`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n,r)=>{try{let i=E({apiKey:r.apiKey,baseUrl:r.baseUrl}),a=k(i),o=F(`Running ${t} ${n.join(` `)}...`);r.json||o.start();let s=await(await H(a,i,e)).tools.run(t,n);o.stop(),r.json?j(s):(s.stdout&&process.stdout.write(s.stdout),s.stderr&&process.stderr.write(s.stderr),s.exitCode!==0&&process.exit(s.exitCode))}catch(e){B(e)}}),e}function Es(){let e=new t(`traces`).description(`Read hosted agent traces, spans, and eval-runs from Tangle Intelligence`);return e.command(`list`).description(`List trace summaries (one row per trace), newest first`).option(`--from <iso>`,`ISO-8601 lower bound on received time (inclusive)`).option(`--to <iso>`,`ISO-8601 upper bound on received time (inclusive)`).option(`--model <model>`,`Exact model match (any span carried this model)`).option(`--run <runId>`,`Exact run id match`).option(`--status <status>`,`ERROR | OK`).option(`-q, --query <text>`,`Substring over span name`).option(`--cursor <cursor>`,`Opaque pagination cursor from a prior page`).option(`--limit <count>`,`Page size (clamped server-side to [1, 200])`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`Intelligence API base URL`).action(async e=>{try{let t={from:e.from,to:e.to,model:e.model,runId:e.run,status:e.status===void 0?void 0:Ls(e.status),q:e.query,cursor:e.cursor,limit:e.limit===void 0?void 0:Hs(e.limit)},n=Os(e),r=e.json?null:F(`Fetching traces...`);r?.start();let i=await n.listTraces(t);if(r?.stop(),e.json)return j(i);js(i.items),Fs(i.nextCursor)}catch(t){As(t,e)}}),e.command(`get <traceId>`).description(`Show one trace's spans. Streams NDJSON to stdout with --ndjson.`).option(`--ndjson`,`Stream the full span set as NDJSON to stdout`).option(`--cursor <cursor>`,`Opaque pagination cursor from a prior page`).option(`--limit <count>`,`Spans per page`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`Intelligence API base URL`).action(async(e,t)=>{try{let n=Os(t);if(t.ndjson){await ks(n,e);return}let r=t.json?null:F(`Fetching trace spans...`);r?.start();let i=await n.getTraceSpans(e,{cursor:t.cursor,limit:t.limit===void 0?void 0:Hs(t.limit)});if(r?.stop(),t.json)return j(i);Ms(i.items),i.truncated&&I({Spans:`${i.items.length} of ${i.total} (truncated)`}),Fs(i.nextCursor)}catch(e){As(e,t)}}),e.addCommand(Ds()),e}function Ds(){let e=new t(`runs`).description(`Read eval-runs pivoted off the trace surface`);return e.command(`list`).description(`List eval-runs, newest first`).option(`--status <status>`,`Run status filter`).option(`--gate <decision>`,`Promotion-gate decision filter`).option(`--label <key:value>`,`Match over the run's labels`).option(`--from <iso>`,`ISO-8601 lower bound on received time`).option(`--to <iso>`,`ISO-8601 upper bound on received time`).option(`-q, --query <text>`,`Substring over run dir`).option(`--cursor <cursor>`,`Opaque pagination cursor from a prior page`).option(`--limit <count>`,`Page size`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`Intelligence API base URL`).action(async e=>{try{let t={status:e.status===void 0?void 0:zs(e.status),gate:e.gate===void 0?void 0:Vs(e.gate),label:e.label,from:e.from,to:e.to,q:e.query,cursor:e.cursor,limit:e.limit===void 0?void 0:Hs(e.limit)},n=Os(e),r=e.json?null:F(`Fetching runs...`);r?.start();let i=await n.listRuns(t);if(r?.stop(),e.json)return j(i);Ns(i.items),Fs(i.nextCursor)}catch(t){As(t,e)}}),e.command(`get <runId>`).description(`Show a single eval-run`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`Intelligence API base URL`).action(async(e,t)=>{try{let n=Os(t),r=t.json?null:F(`Fetching run...`);r?.start();let i=await n.getRun(e);if(r?.stop(),t.json)return j(i);Ps(i)}catch(e){As(e,t)}}),e}function Os(e){let t=T(e.apiKey);if(!t)throw Error(`No API key found. Set TANGLE_API_KEY or run: tangle auth login`);return Ne({apiKey:t,baseUrl:e.baseUrl??process.env.TANGLE_INTELLIGENCE_BASE_URL})}async function ks(e,t){let n=(await e.exportTraceSpansNdjson(t)).getReader();try{for(;;){let{value:e,done:t}=await n.read();if(t)break;e&&process.stdout.write(Buffer.from(e))}}finally{n.releaseLock()}}function As(e,t){return B(e,t.json===!0)}function js(e){A(e.map(e=>({traceId:e.traceId,root:e.rootName??`-`,model:e.model??`-`,spans:e.spanCount,errors:e.errorCount,durationMs:e.durationMs,cost:Is(e.costUsd)})),[{key:`traceId`,header:`Trace`,width:36},{key:`root`,header:`Root`,width:24},{key:`model`,header:`Model`,width:22},{key:`spans`,header:`Spans`,width:8},{key:`errors`,header:`Errors`,width:8},{key:`durationMs`,header:`Duration(ms)`,width:14},{key:`cost`,header:`Cost`,width:10}])}function Ms(e){A(e.map(e=>({spanId:e.id,name:e.name,model:e.model??`-`,status:e.statusCode??`-`,cost:e.costUsd===null?`-`:`$${e.costUsd}`})),[{key:`spanId`,header:`Span`,width:40},{key:`name`,header:`Name`,width:28},{key:`model`,header:`Model`,width:22},{key:`status`,header:`Status`,width:10},{key:`cost`,header:`Cost`,width:12}])}function Ns(e){A(e.map(e=>({runId:e.id,status:e.status,gate:e.gateDecision??`-`,cost:e.totalCostUsd===null?`-`:`$${e.totalCostUsd}`,receivedAt:e.receivedAt})),[{key:`runId`,header:`Run`,width:24},{key:`status`,header:`Status`,width:22},{key:`gate`,header:`Gate`,width:18},{key:`cost`,header:`Cost`,width:12},{key:`receivedAt`,header:`Received`,width:18}])}function Ps(e){I({Run:e.id,Status:e.status,Gate:e.gateDecision??void 0,"Run Dir":e.runDir??void 0,Cost:e.totalCostUsd===null?void 0:`$${e.totalCostUsd}`,Duration:e.totalDurationMs===null?void 0:`${e.totalDurationMs}ms`,"Holdout Lift":e.holdoutLift??void 0,Received:e.receivedAt})}function Fs(e){e&&I({"Next page":`--cursor ${e}`})}function Is(e){return e===null?`-`:`$${e.toFixed(4)}`}function Ls(e){if(e===`ERROR`||e===`OK`)return e;throw Error(`--status must be ERROR or OK`)}const Rs=[`started`,`baseline-complete`,`generation-complete`,`gate-decided`,`finished`,`errored`];function zs(e){let t=Rs.find(t=>t===e);if(t)return t;throw Error(`--status must be one of ${Rs.join(`, `)}`)}const Bs=[`ship`,`hold`,`need_more_work`,`model_ceiling`,`arch_ceiling`];function Vs(e){let t=Bs.find(t=>t===e);if(t)return t;throw Error(`--gate must be one of ${Bs.join(`, `)}`)}function Hs(e){let t=Number(e);if(!Number.isInteger(t)||t<1)throw Error(`--limit must be a positive integer`);return t}function Us(){return new t(`usage`).description(`Show account usage and billing information`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=k(E({apiKey:e.apiKey,baseUrl:e.baseUrl})),n=e.json?null:F(`Fetching usage...`);n?.start();let[r,i]=await Promise.all([t.usage(),t.subscription().catch(()=>null)]);n?.stop(),e.json?j({...r,subscription:i}):(console.log(),console.log(`Account Usage`),console.log(`─`.repeat(40)),I({"Active Sandboxes":r.activeSandboxes,"Total Sandboxes":r.totalSandboxes,"Compute Minutes":Ws(r.computeMinutes)}),i&&(console.log(),console.log(`Subscription`),console.log(`─`.repeat(40)),I({Plan:i.plan,Status:i.status,"Credits Available":Gs(i.creditsAvailableUsd),"Credits Used":Gs(i.creditsUsedUsd),"Monthly Balance":Gs(i.monthlyBalanceUsd)})),console.log(),console.log(`Billing Period`),console.log(`─`.repeat(40)),I({Start:r.periodStart.toLocaleDateString(),End:r.periodEnd.toLocaleDateString()}),console.log())}catch(e){B(e)}})}function Ws(e){if(e===void 0)return`-`;if(e<60)return`${e} min`;let t=Math.floor(e/60),n=e%60;return n===0?`${t} hr`:`${t} hr ${n} min`}function Gs(e){return e<0?`-$${(-e).toFixed(2)}`:`$${e.toFixed(2)}`}function Ks(){return new t(`use`).description(`Set or show the active sandbox (used when a command omits the id)`).argument(`[id]`,`Sandbox id to make active`).option(`--clear`,`Clear the active sandbox`).action((e,t)=>{try{if(t.clear){St(),P(`Cleared the active sandbox.`);return}if(e){xt(e),P(`Active sandbox set to ${e}. Commands now default to it; override with --box or TANGLE_SANDBOX.`);return}let n=bt();P(n?`Active sandbox: ${n}`:"No active sandbox. Set one with `tangle use <id>`.")}catch(e){B(e)}})}function qs(){let e=new t(`workflows`).description(`Create and manage Tangle workflows`);return e.option(`--json`,`Output as JSON`),e.hook(`preAction`,(e,t)=>{Ys(t)}),e.command(`list`).description(`List your workflows`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=await Q(e).workflows.list();if(e.json)return j(t);Qs(t)}catch(t){Zs(t,e)}}),e.command(`get`).description(`Show a workflow's definition and compiled triggers`).argument(`<id>`,`Workflow ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=await Q(t).workflows.get(e);if(t.json)return j(n);$s(n)}catch(e){Zs(e,t)}}),e.command(`create`).description(`Create a workflow from a YAML file`).argument(`<file>`,`Path to the workflow YAML`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=Js(e),r=await Q(t).workflows.create(n);if(t.json)return j(r);P(`Created workflow ${r.id} (${r.name}).`),$s(r)}catch(e){Zs(e,t)}}),e.command(`update`).description(`Replace a workflow's definition from a YAML file`).argument(`<id>`,`Workflow ID`).argument(`<file>`,`Path to the workflow YAML`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=Js(t),i=await Q(n).workflows.update(e,r);if(n.json)return j(i);P(`Updated workflow ${i.id} (${i.name}).`),$s(i)}catch(e){Zs(e,n)}}),e.command(`delete`).description(`Delete a workflow and its triggers`).argument(`<id>`,`Workflow ID`).option(`--force`,`Skip confirmation prompt`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{if(!t.force&&!await W(`Delete workflow ${e}? `)){P(`Delete cancelled.`);return}if(await Q(t).workflows.delete(e),t.json)return j({deleted:!0,id:e});P(`Deleted workflow ${e}.`)}catch(e){Zs(e,t)}}),e.command(`validate`).description(`Validate a workflow YAML file without saving it`).argument(`<file>`,`Path to the workflow YAML`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=Js(e),r=await Q(t).workflows.validate(n);if(t.json)return j(r);if(r.valid)P(`Valid: ${r.name} (${r.actionCount} action(s), ${r.triggerCount} trigger(s)).`);else{P(`Invalid workflow:`);for(let e of r.errors)console.log(` ${e.path}: ${e.message}`);process.exitCode=1}}catch(e){Zs(e,t)}}),e.command(`schema`).description(`Print the JSON Schema for the workflow YAML`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{j(await Q(e).workflows.schema())}catch(t){Zs(t,e)}}),e}function Js(e){try{return u(e,`utf8`)}catch(t){throw Error(`Could not read workflow file "${e}": ${t instanceof Error?t.message:String(t)}`)}}function Q(e){let t=E({apiKey:T(e.apiKey),baseUrl:e.baseUrl??jt(process.env.TANGLE_HUB_URL)});return new _e({baseUrl:t.baseUrl,apiKey:t.apiKey})}function Ys(e){if(!Xs(e,`json`)||e.getOptionValue(`json`)!==void 0)return;let t=e.parent;for(;t;){let n=t.getOptionValue(`json`);if(n!==void 0){e.setOptionValue(`json`,n);return}t=t.parent}}function Xs(e,t){return e.options.some(e=>e.attributeName()===t)}function Zs(e,t){return B(e,t.json===!0)}function Qs(e){A(e.map(e=>({id:e.id,name:e.name,enabled:e.enabled?`yes`:`no`,issues:e.validationErrors.length,updated:e.updatedAt})),[{key:`id`,header:`ID`},{key:`name`,header:`Name`},{key:`enabled`,header:`Enabled`},{key:`issues`,header:`Issues`},{key:`updated`,header:`Updated`}])}function $s(e){if(I({ID:e.id,Name:e.name,Description:e.description??``,Enabled:e.enabled?`yes`:`no`,Actions:e.actions.length}),e.triggers&&e.triggers.length>0&&(P(`Triggers`),ec(e.triggers)),e.validationErrors.length>0){P(`Validation issues`);for(let t of e.validationErrors)console.log(` ${t.path}: ${t.message}`)}}function ec(e){A(e.map(e=>({id:e.id,kind:e.kind,enabled:e.enabled?`yes`:`no`,detail:e.kind===`schedule`?`${e.cron??``} (${e.timezone??``})`:`${e.provider??``}:${e.eventFilter?.event??``}${e.eventFilter?.action?`.${e.eventFilter.action}`:``}`})),[{key:`id`,header:`ID`},{key:`kind`,header:`Kind`},{key:`enabled`,header:`Enabled`},{key:`detail`,header:`Detail`}])}function tc(e){let t={...nc(e)??{},...e.optsWithGlobals()};for(let n of e.options){let r=n.attributeName();e.getOptionValue(r)===void 0&&t[r]!==void 0&&e.setOptionValue(r,t[r])}}function nc(e){let t=e;for(;t?.parent;)t=t.parent;return t?t.opts():void 0}const rc=e(import.meta.url)(`../package.json`),$=new t;$.name(`tangle`).description(`CLI for Tangle Sandbox operations`).version(rc.version??`0.0.0`).option(`--api-key <key>`,`API key (or set TANGLE_API_KEY)`).option(`--base-url <url>`,`API base URL`),$.hook(`preAction`,(e,t)=>{tc(t)}),$.addCommand(ur()),$.addCommand(To()),$.addCommand(Ks()),$.addCommand(Ho()),$.addCommand(ao()),$.addCommand(ia()),$.addCommand(ts()),$.addCommand(ns()),$.addCommand(is()),$.addCommand(Kn()),$.addCommand(Go()),$.addCommand(oa()),$.addCommand(Us()),$.addCommand(ys()),$.addCommand(ws()),$.addCommand(so()),$.addCommand(_r()),$.addCommand(Cr()),$.addCommand(lo()),$.addCommand(ga()),$.addCommand(ya()),$.addCommand(ba()),$.addCommand(qs()),$.addCommand(ra()),$.addCommand(Ts()),$.addCommand(Vo()),$.addCommand(Wo()),$.addCommand(wr()),$.addCommand(co()),$.addCommand(Va()),$.addCommand(Gi()),$.addCommand(Ki()),$.addCommand(go()),$.addCommand(oo()),$.addCommand(Es()),$.addCommand(vs()),$.parseAsync(process.argv).catch(e=>{console.error(`Fatal error:`,e.message),process.exit(1)});export{};
139
+ `)?`${e}\n`:`${e}\n\n`}function Ii(e){let t=[],n={header:null,body:[]};for(let r of e.split(`
140
+ `))Li(r)?(t.push(n),n={header:r.trim(),body:[]}):n.body.push(r);return t.push(n),t.length>1&&t[0].header===null&&t[0].body.every(e=>e.trim()===``)&&t.shift(),t}function Li(e){let t=e.trim();return t.startsWith(`[`)&&t.endsWith(`]`)&&!t.includes(`=`)||t.startsWith(`[[`)&&t.endsWith(`]]`)}function Ri(e){let t=[];for(let n of e)n.header!==null&&t.push(n.header),t.push(...n.body);return t.join(`
141
+ `)}function zi(e){return[{key:`environment`,line:`environment = "prod"`},{key:`log_user_prompt`,line:`log_user_prompt = true`},{key:`exporter`,line:`exporter = { otlp-http = { endpoint = "${K(e.endpoint)}/v1/logs", protocol = "json", headers = { "Authorization" = "Bearer ${e.apiKey??"${TANGLE_API_KEY}"}" } } }`}]}function Bi(e){let t=e.trim();if(t===``||t.startsWith(`#`))return null;let n=t.indexOf(`=`);if(n===-1)return null;let r=t.slice(0,n).trim();return/^[A-Za-z0-9_-]+$/.test(r)?r:null}function Vi(e,t){let n=zi(t),r=new Set(n.map(e=>e.key));if(e.trim()===``)return{contents:`${[`[otel]`,...n.map(e=>e.line)].join(`
142
+ `)}\n`,changed:!0};let i=Ii(e),a=i.find(e=>e.header===`[otel]`);if(!a){let t={header:`[otel]`,body:n.map(e=>e.line)},r=i[i.length-1];r&&!Hi(r)&&r.body.push(``),i.push(t);let a=Ui(Ri(i));return{contents:a,changed:a!==Ui(e)}}let o=a.body.filter(e=>{let t=Bi(e);return t===null||!r.has(t)}),s=[];for(;o.length>0&&o[o.length-1].trim()===``;)s.unshift(o.pop());a.body=[...o,...n.map(e=>e.line),...s];let c=Ui(Ri(i));return{contents:c,changed:c!==Ui(e)}}function Hi(e){return e.body.length>0&&e.body[e.body.length-1].trim()===``}function Ui(e){return e.endsWith(`
143
+ `)?e:`${e}\n`}function Wi(e){switch(e){case`claude-code`:return`Claude Code: set OTEL_LOGS_EXPORTER=otlp and the four OTEL_LOG_* gates (OTEL_LOG_USER_PROMPTS, OTEL_LOG_TOOL_DETAILS, OTEL_LOG_TOOL_CONTENT, OTEL_LOG_RAW_API_BODIES).`;case`codex`:return`Codex: set log_user_prompt = true in [otel] (default false redacts content).`;case`opencode`:return`OpenCode: a standalone install emits nothing without the tangle-opencode-exporter shim; inside a Tangle sandbox it is already instrumented.`;case`openclaw`:case`hermes`:case`nanoclaw`:return`${wi[e]}: no native OTLP exporter and no standalone server to subscribe to — run it inside a Tangle sandbox, where the sidecar adapter exports its content with gen_ai.system=${e}. A bare standalone install emits metadata only.`}}function Gi(){let e=process.env.SHELL??``;return e.includes(`zsh`)?m(pe(),`.zshrc`):e.includes(`bash`)?m(pe(),`.bashrc`):m(pe(),`.zshrc`)}function Ki(e){return c(e)?u(e,`utf8`):``}function qi(e,t){l(te(e),{recursive:!0});let n=`${e}.${process.pid}.tmp`;f(n,t,{mode:384}),s(n,384),d(n,e)}function Ji(){return new t(`connect`).description(`Connect a local coding agent's telemetry to Tangle Intelligence, content on (for SDK integration snippets, see 'tangle agent connect')`).argument(`[agent]`,`claude-code | codex | opencode | openclaw | hermes | nanoclaw`).option(`--api-key <key>`,`Tangle API key (or set TANGLE_API_KEY)`).option(`--endpoint <url>`,`OTLP endpoint base`,Er).option(`-p, --project <key>`,`Project label (tangle.subject.key) to group runs; omit to set it yourself`).option(`--rc <path>`,`Shell rc file to append the Claude Code env block to`).option(`--no-write`,`Print the config instead of writing files (Claude Code / Codex)`).option(`--inline-key`,"Embed the resolved API key literally in the config (default: keep ${TANGLE_API_KEY})").option(`--verify`,`Poll onboarding status and report whether CONTENT is flowing`).option(`--timeout <seconds>`,`Verify poll timeout in seconds`,`120`).option(`--run`,`OpenCode only: run the content exporter against a live OpenCode server until interrupted`).option(`--opencode-url <url>`,`OpenCode server base URL for --run (or set OPENCODE_BASE_URL)`).option(`--format <kind>`,`Claude Code output: shell (export block) | env (.env / docker --env-file) | dockerfile (ENV lines). env/dockerfile are the cron/container path — printed to stdout, no shell-rc edit, no TTY`,`shell`).option(`--content <tier>`,`Claude Code content tier: full (everything) | prompts (task+prompts+tool-args) | metadata (telemetry on, content off)`,`full`).action(async(e,t)=>{try{let n=K(t.endpoint);if(t.run){if((e?Xi(e):`opencode`)!==`opencode`)throw Error(`--run is OpenCode-only: it runs the content exporter against a live OpenCode server. Other agents export natively once configured.`);await aa({endpoint:n,apiKey:Oi(t.apiKey),opencodeUrl:t.opencodeUrl});return}if(t.verify){await oa({endpoint:n,apiKey:Oi(t.apiKey),agent:e?Xi(e):void 0,timeoutSeconds:Zi(t.timeout,`timeout`)});return}let r=e?Xi(e):await ea(),i=t.inlineKey?Oi(t.apiKey):void 0;r===`claude-code`?await ta({endpoint:n,apiKey:i,projectKey:t.project,rcPath:t.rc,write:t.write!==!1,content:$i(t.content),format:Qi(t.format)}):r===`codex`?na({endpoint:n,apiKey:i,projectKey:t.project,write:t.write!==!1}):r===`opencode`?ra({endpoint:n}):ia(r,{endpoint:n}),console.log(),P(`Run your agent on a real task, then verify content is flowing: tangle connect ${r} --verify`)}catch(e){B(e)}})}function Yi(){return new t(`opencode-exporter`).description(`Export a running OpenCode's content to Tangle Intelligence (standalone shim)`).option(`--api-key <key>`,`Tangle API key (or set TANGLE_API_KEY)`).option(`--endpoint <url>`,`OTLP endpoint base`,Er).option(`--opencode-url <url>`,`OpenCode server base URL (or set OPENCODE_BASE_URL)`).action(async e=>{try{await aa({endpoint:K(e.endpoint),apiKey:Oi(e.apiKey),opencodeUrl:e.opencodeUrl})}catch(e){B(e)}})}function Xi(e){if(Di(e))return e;throw Error(`Unknown agent '${e}'. Choose one of: ${Ci.join(`, `)}`)}function Zi(e,t){let n=Number.parseInt(e,10);if(!Number.isFinite(n)||n<=0)throw Error(`--${t} must be a positive integer`);return n}function Qi(e){if(e===`shell`||e===`env`||e===`dockerfile`)return e;throw Error(`--format must be one of: shell, env, dockerfile (got '${e}')`)}function $i(e){if(e===`full`||e===`prompts`||e===`metadata`)return e;throw Error(`--content must be one of: full, prompts, metadata (got '${e}')`)}async function ea(){if(!process.stdin.isTTY)throw Error(`Specify an agent: tangle connect <${Ci.join(`|`)}>`);console.log(`Which coding agent are you connecting?`),Ci.forEach((e,t)=>{console.log(` ${t+1}) ${wi[e]} (${e})`)});let e=await G(`Enter a number or name`,`1`);return Ci[Number.parseInt(e,10)-1]||Xi(e.trim())}async function ta(e){let t=Mi({endpoint:e.endpoint,apiKey:e.apiKey,projectKey:e.projectKey,content:e.content,format:e.format});if(console.log(t),e.format!==`shell`){console.log(),P(e.format===`env`?"Cron/container path: feed these to your service env (.env, `docker run --env-file`, k8s envFrom). No shell-rc edit, no TTY needed.":`Dockerfile path: paste these ENV lines into your image. No shell-rc edit, no TTY needed.`);return}if(console.log(),P(`Privacy tiers: --content full ships the whole conversation; --content prompts keeps task, prompts, and tool args only; --content metadata turns content off (telemetry still flows). Secrets are scrubbed server-side regardless.`),!e.write)return;let n=e.rcPath??Gi(),r=process.stdin.isTTY?await G(`Append this idempotent block to ${n}? (y/N)`,`n`):`n`;if(r.toLowerCase()!==`y`&&r.toLowerCase()!==`yes`){console.log(),P(`Not writing. To append later: tangle connect claude-code --rc ${n}`);return}let i=Ni({endpoint:e.endpoint,apiKey:e.apiKey,projectKey:e.projectKey}),{contents:a,changed:o}=Pi(Ki(n),i);if(!o){console.log(),j(`Already present in ${n} — nothing to change.`);return}qi(n,a),console.log(),j(`Wrote Tangle Intelligence env block to ${n}.`),P(`Reload your shell (e.g. 'source ${n}') before running the agent.`)}function na(e){let t=m(pe(),`.codex`,`config.toml`),{contents:n,changed:r}=Vi(Ki(t),{endpoint:e.endpoint,apiKey:e.apiKey});if(!e.write){console.log(n.trimEnd());return}if(!r){j(`${t} already has the Tangle [otel] block — nothing to change.`);return}qi(t,n),j(`Merged the Tangle [otel] block into ${t}.`),P("Codex emits content on the logs signal (codex.* events). Set TANGLE_API_KEY in your env before running if you kept the ${TANGLE_API_KEY} reference."),P(`Label this project so Tangle rolls up + automates per-project: export OTEL_RESOURCE_ATTRIBUTES=tangle.subject.key=${e.projectKey??`<your project>`} before running codex.`)}function ra(e){let t=K(e.endpoint);N(`OpenCode has no native OTel exporter, so a standalone install emits nothing without a shim.`),console.log(),I({"Inside a Tangle sandbox":`already instrumented — our adapter exports OpenCode's event-stream content. Nothing to do.`,Standalone:`run 'tangle connect opencode --run' alongside a running OpenCode, exporting to ${t}.`}),console.log(),P(`Start OpenCode in server mode ('opencode serve'), then in another terminal run: tangle connect opencode --run`),P(`The exporter subscribes to OpenCode's SSE event bus and exports content-bearing OTLP (prompt/completion/tool content) to Tangle. Verify with: tangle connect opencode --verify`),P(`Label this project so Tangle rolls up + automates per-project: export OTEL_RESOURCE_ATTRIBUTES=tangle.subject.key=my-project before starting the exporter.`)}function ia(e,t){let n=K(t.endpoint),r=wi[e];N(`${r} has no native OTel exporter, so a standalone install emits nothing without instrumentation.`),console.log(),I({"Inside a Tangle sandbox":`already instrumented — the sidecar adapter exports ${r}'s prompt/completion/tool content (gen_ai.system=${e}) to ${n}. Nothing to do.`,Standalone:`${r} exposes no OTLP and no event-bus server; run it inside a Tangle sandbox to capture content.`}),console.log(),P(`Label this project so Tangle rolls up + automates per-project: export OTEL_RESOURCE_ATTRIBUTES=tangle.subject.key=my-project before starting ${r}.`),P(`Verify content is flowing: tangle connect ${e} --verify`)}async function aa(e){let t=vi(e.opencodeUrl),n=new AbortController,r=()=>n.abort();process.on(`SIGINT`,r),process.on(`SIGTERM`,r),P(`Subscribing to OpenCode at ${t} — exporting content to Tangle.`),P(`Run OpenCode tasks now. Press Ctrl-C to stop.`),console.log();let i=0,a;try{a=await Si({endpoint:e.endpoint,apiKey:e.apiKey,opencodeBaseUrl:t,signal:n.signal,onExport:({eventType:e,records:t})=>{i+=t,P(`exported ${t} record(s) from ${e} (total ${i})`)}})}catch(e){if(e instanceof bi){let{recordsExported:t,contentEventsExported:n}=e.partial;console.log(),N(`Exporter failed after exporting ${t} content record(s) from ${n} event(s): ${e.message}`)}throw e}finally{process.off(`SIGINT`,r),process.off(`SIGTERM`,r)}if(console.log(),a.contentEventsExported===0){N(`Saw ${a.eventsSeen} event(s) but none carried content. Run a real OpenCode task (a prompt that produces text or a tool call), then re-run.`);return}j(`Exported ${a.recordsExported} content record(s) from ${a.contentEventsExported} event(s).`),P(`Verify it landed: tangle connect opencode --verify`)}async function oa(e){let t=Date.now()+e.timeoutSeconds*1e3,n=3e3,r=Math.min(e.timeoutSeconds*1e3,1e4),i=F(`Checking whether content is flowing…`);i.start();let a;try{for(;;){try{a=await Vr({endpoint:e.endpoint,apiKey:e.apiKey,timeoutMs:r})}catch(e){if(Date.now()>=t)throw e;await ca(n);continue}if(a.contentSeen||Date.now()>=t)break;await ca(n)}}finally{i.stop()}if(!a)throw Error(`onboarding status check returned no result`);sa(a,e.agent),a.contentSeen||(process.exitCode=1)}function sa(e,t){if(e.contentSeen){j(`Content flowing — Tangle Intelligence can analyze this feed.`),I({"Last seen":e.lastSeenAt??`just now`,Window:`${e.windowDays}d`});return}if(e.tracesSeen){N(`Metadata-only — traces are arriving but carry no content. You missed a content gate.`);let n=t?[t]:Object.keys(e.byAgent).filter(Di),r=n.length>0?n:Ci;for(let n of r){let r=e.byAgent[n];(t||!r||r.tracesSeen&&!r.contentSeen)&&P(Wi(n))}return}N(`No traces yet for your tenant. Run your agent once on a real task, then re-run --verify.`),t&&P(Wi(t))}function ca(e){return new Promise(t=>setTimeout(t,e))}function la(){let e=new t(`environments`).alias(`env`).description(`Manage sandbox environments`);return e.command(`list`).alias(`ls`).description(`List available environments`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=O(T({apiKey:e.apiKey,baseUrl:e.baseUrl})),n=F(`Fetching environments...`);e.json||n.start();let r=await t.environments.list();n.stop(),e.json?A(r):r.length===0?console.log(`No environments found`):z([`ID`,`Description`,`Version`],r.map(e=>[e.id,e.description??``,e.version]))}catch(e){B(e)}}),e.command(`get`).description(`Get environment details`).argument(`<id>`,`Environment ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=O(T({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=F(`Fetching environment...`);t.json||r.start();let i=await n.environments.get(e);if(r.stop(),!i){console.error(`Environment not found: ${e}`),process.exit(1);return}t.json?A(i):(console.log(`ID: ${i.id}`),console.log(`Description: ${i.description??`-`}`),console.log(`Version: ${i.version}`),i.base&&console.log(`Base: ${i.base}`))}catch(e){B(e)}}),e}function ua(){return new t(`exec`).description(`Execute a command in a sandbox`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`<command...>`,`Command to execute`).option(`--cwd <dir>`,`Working directory`).option(`--env <vars...>`,`Environment variables (KEY=VALUE)`).option(`-t, --timeout <ms>`,`Timeout in milliseconds`,`60000`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=T({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=O(r),a=t.join(` `),o={};if(n.env)for(let e of n.env){let[t,...n]=e.split(`=`);t&&n.length>0&&(o[t]=n.join(`=`))}let s=F(`Executing: ${a}`);n.json||s.start();let c=await H(i,r,e);c=await U(c);let l=await c.exec(a,{cwd:n.cwd,env:Object.keys(o).length>0?o:void 0,timeoutMs:Number.parseInt(n.timeout,10)});s.stop(),n.json?A(l):(l.stdout&&process.stdout.write(l.stdout),l.stderr&&process.stderr.write(l.stderr),l.exitCode!==0&&process.exit(l.exitCode))}catch(e){if(e instanceof h){let t=`Exec transport lost before command status was confirmed. Remote command status is unknown. Original error: ${e.message}. For long-running commands, use \`tangle process spawn\`, \`tangle process logs\`, and \`tangle process kill --tree\`.`;return B(Error(t,{cause:e}))}B(e)}})}const da=[`runpod`,`vast-ai`,`lambda-labs`,`tensordock`,`paperspace`,`aws`,`gcp`,`azure`,`crusoe`,`fluidstack`];function fa(e){let t=e.memory?J(e.memory,`--accelerator-memory`):void 0;return{kind:_a(e.kind),count:e.count?J(e.count,`--accelerator-count`):1,...t===void 0?{}:{memoryMB:t}}}function pa(e,t,n){let r=!!(e.provider||e.image||e.env||e.maxSpendUsd||e.maxLifetime||e.idleTimeout);if(!t&&r)throw Error(n);if(t){if(!e.maxSpendUsd||!e.maxLifetime)throw Error(`--accelerator-kind requires --gpu-max-spend-usd and --gpu-max-lifetime`);return{...e.provider?{provider:ga(e.provider,`--gpu-provider`)}:{},...e.image?{image:e.image}:{},...e.env?{env:ha(e.env,`--gpu-env`,`GPU env`)}:{},maxSpendUsd:va(e.maxSpendUsd,`--gpu-max-spend-usd`),maxLifetimeSeconds:J(e.maxLifetime,`--gpu-max-lifetime`),...e.idleTimeout?{idleTimeoutSeconds:J(e.idleTimeout,`--gpu-idle-timeout`)}:{}}}}function ma(e){return{...e.provider?{provider:ga(e.provider,`GPU provider`)}:{},accelerator:fa({kind:e.acceleratorKind,count:e.acceleratorCount,memory:e.acceleratorMemory}),...e.image?{image:e.image}:{},...e.env?{env:ha(e.env,`--env`,`env`)}:{},maxSpendUsd:va(e.maxSpendUsd,`--max-spend-usd`),maxLifetimeSeconds:J(e.maxLifetime,`--max-lifetime`),...e.idleTimeout?{idleTimeoutSeconds:J(e.idleTimeout,`--idle-timeout`)}:{}}}function ha(e,t,n){let r={};for(let i of e){let[e,...a]=i.split(`=`);if(!e||a.length===0)throw Error(`${t} expects ${n} values in KEY=VALUE format`);r[e]=a.join(`=`)}return r}function J(e,t){if(!/^\d+$/.test(e))throw Error(`${t} must be a positive integer`);let n=Number.parseInt(e,10);if(Number.isNaN(n)||n<1)throw Error(`${t} must be a positive integer`);return n}function ga(e,t){if(da.includes(e))return e;throw Error(`${t} must be one of ${da.join(`, `)}`)}function _a(e){let t=e.trim().toLowerCase();if(/^[a-z0-9][a-z0-9._-]*$/.test(t))return t;throw Error(`--accelerator-kind must contain only letters, numbers, dots, underscores, or hyphens`)}function va(e,t){if(!/^(?:\d+|\d+\.\d+|\.\d+)$/.test(e))throw Error(`${t} must be a positive number`);let n=Number.parseFloat(e);if(!Number.isFinite(n)||n<=0)throw Error(`${t} must be a positive number`);return n}const ya=[`list`,`create`,`delete`,`exec`,`prompt`,`read`,`write`];function ba(){let e=new t(`fleet`).description(`Manage sandbox fleets`);return e.command(`create`).description(`Create a sandbox fleet`).option(`--fleet-id <id>`,`Stable fleet id (generated when omitted)`).option(`--count <n>`,`Number of worker machines`,`1`).option(`--image <env>`,`Environment/image for each machine`).option(`--cpu <cores>`,`CPU cores per machine`).option(`--memory <mb>`,`Memory in MB per machine`).option(`--disk <gb>`,`Disk in GB per machine`).option(`--accelerator-kind <kind>`,`Accelerator kind per machine, for example nvidia-l4 or nvidia-h100`).option(`--accelerator-count <count>`,`Accelerator devices per machine`).option(`--accelerator-memory <mb>`,`Minimum accelerator memory in MB per machine`).option(`--gpu-provider <provider>`,`GPU cloud provider per machine; omitted picks the cheapest configured provider`).option(`--gpu-worker-image <image>`,`GPU worker image override`).option(`--gpu-env <vars...>`,`Environment variables for each GPU worker (KEY=VALUE)`).option(`--gpu-max-spend-usd <usd>`,`Maximum spend per machine GPU lease`).option(`--gpu-max-lifetime <seconds>`,`Maximum GPU lease lifetime per machine in seconds`).option(`--gpu-idle-timeout <seconds>`,`Destroy each GPU lease after this many idle seconds`).option(`--driver <type>`,`Infrastructure driver type`).option(`--backend <id>`,`Agent backend type`).option(`--workspace <mode>`,`Workspace mode: isolated | shared`,`isolated`).option(`--max-spend-usd <n>`,`Fleet spend cap in USD (policy)`).option(`--max-lifetime <s>`,`Max machine lifetime in seconds (policy)`).option(`--spec <file.json>`,`Path to a JSON file describing the fleet (overrides synthesized machines)`).option(`--coordinator`,`Create a coordinator + workers fleet (routes to createWithCoordinator)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=O(T({apiKey:e.apiKey,baseUrl:e.baseUrl})),n=F(`Creating fleet...`);n.start();let r=e.coordinator?await t.fleets.createWithCoordinator(wa(e)):await t.fleets.create(Ca(e));n.stop();let i=Oa(r.machines);e.json?A({fleetId:r.fleetId,machines:i}):(j(`Fleet created: ${r.fleetId}`),k(i,[{key:`machineId`,header:`Machine`,width:20},{key:`sandboxId`,header:`Sandbox`,width:24},{key:`status`,header:`Status`,width:14}]))}catch(e){B(e)}}),e.command(`list <fleet-id>`).description(`List the machines of one fleet (fleet id is required)`).option(`--status <status>`,`Filter machines by status`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=O(T({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=F(`Fetching fleet...`);r.start();let i=await n.fleets.list({fleetId:e,status:t.status});r.stop();let a=Oa(i.machines);t.json?A({fleetId:i.fleetId,machines:a}):k(a,[{key:`machineId`,header:`Machine`,width:20},{key:`sandboxId`,header:`Sandbox`,width:24},{key:`status`,header:`Status`,width:14}])}catch(e){B(e)}}),e.command(`get <fleet-id>`).description(`Show one fleet's manifest (server record)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=O(T({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=F(`Fetching manifest...`);r.start();let i=await n.fleets.manifest(e);r.stop(),t.json?A(i):(I({"Fleet ID":i.fleetId??i.id,Machines:i.machines.length,"Workspace mode":i.workspace?.mode,"Workspace status":i.workspace?.status,"Max lifetime (s)":i.policy?.maxLifetimeSeconds,"Max spend (USD)":i.policy?.maxSpendUsd,Created:i.createdAt,Updated:i.updatedAt}),k(i.machines.map(e=>({machineId:e.machineId,sandboxId:e.sandboxId,role:e.role,status:e.status})),[{key:`machineId`,header:`Machine`,width:20},{key:`sandboxId`,header:`Sandbox`,width:24},{key:`role`,header:`Role`,width:14},{key:`status`,header:`Status`,width:14}]))}catch(e){B(e)}}),e.command(`delete <fleet-id>`).description(`Delete a fleet's machine sandboxes and its record`).option(`--continue-on-error`,`Keep deleting remaining machines if one delete fails`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=O(T({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=F(`Deleting fleet...`);r.start(),await n.fleets.delete(e,{continueOnError:t.continueOnError}),r.stop(),t.json?A({success:!0,fleetId:e}):j(`Fleet deleted: ${e}`)}catch(e){B(e)}}),e.command(`reap`).description(`TTL cleanup of all expired fleets (fleet-wide)`).option(`--dry-run`,`Report what would be reaped without deleting`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=O(T({apiKey:e.apiKey,baseUrl:e.baseUrl})),n=F(`Reaping expired fleets...`);n.start();let r=await t.fleets.reapExpired({dryRun:e.dryRun});n.stop(),e.json?A(r):(I({"Dry run":r.dryRun,Expired:r.expired,Deleted:r.deleted}),k(r.fleets.map(e=>({fleetId:e.fleetId,expiredAt:e.expiredAt,deleted:e.deleted})),[{key:`fleetId`,header:`Fleet`,width:24},{key:`expiredAt`,header:`Expired`,width:18},{key:`deleted`,header:`Deleted`,width:10}]))}catch(e){B(e)}}),e.command(`reconcile`).description(`Drop fleet records whose underlying sandboxes vanished`).option(`--dry-run`,`Report orphans without removing them`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=O(T({apiKey:e.apiKey,baseUrl:e.baseUrl})),n=F(`Reconciling fleets...`);n.start();let r=await t.fleets.reconcile({dryRun:e.dryRun});n.stop(),e.json?A(r):(I({"Dry run":r.dryRun,Checked:r.checked,Orphaned:r.orphaned,Removed:r.removed}),k(r.machines.map(e=>({fleetId:e.fleetId,machineId:e.machineId,sandboxId:e.sandboxId,removed:e.removed})),[{key:`fleetId`,header:`Fleet`,width:24},{key:`machineId`,header:`Machine`,width:20},{key:`sandboxId`,header:`Sandbox`,width:24},{key:`removed`,header:`Removed`,width:10}]))}catch(e){B(e)}}),e.addCommand(xa()),e.command(`exec <fleet-id> <command>`).description(`Run a shell command across the fleet's machines`).option(`--machine <id...>`,`Restrict to a subset of machine ids (default: all)`).option(`--cwd <dir>`,`Working directory for the command`).option(`--timeout <ms>`,`Per-machine timeout in milliseconds`).option(`--max-concurrent <n>`,`Max concurrent dispatches`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=O(T({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=F(`Dispatching command...`);i.start();let a=await(await r.fleets.list({fleetId:e})).dispatchExecDetailed(t,{machines:n.machine,cwd:n.cwd,timeoutMs:n.timeout?Number(n.timeout):void 0,maxConcurrent:n.maxConcurrent?Number(n.maxConcurrent):void 0});if(i.stop(),n.json)A(a);else{k(a.results.map(e=>({machineId:e.machineId,ok:e.ok,exitCode:e.result?.exitCode,durationMs:e.durationMs})),[{key:`machineId`,header:`Machine`,width:20},{key:`ok`,header:`OK`,width:6},{key:`exitCode`,header:`Exit`,width:8},{key:`durationMs`,header:`Duration(ms)`,width:14}]);for(let e of a.results){let t=e.result?.stdout,n=e.result?.stderr;t&&(console.log(`\n[${e.machineId}] stdout:`),console.log(t)),n&&(console.log(`\n[${e.machineId}] stderr:`),console.log(n)),e.error&&console.log(`\n[${e.machineId}] error: ${e.error.message}`)}}a.results.some(e=>e.ok===!1)&&(process.exitCode=1)}catch(e){B(e)}}),e.command(`capabilities`).description(`List fleet drivers and their supported features`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=O(T({apiKey:e.apiKey,baseUrl:e.baseUrl})),n=F(`Fetching capabilities...`);n.start();let r=await t.fleets.capabilities();n.stop(),e.json?A(r):k(r.drivers.map(e=>({driverType:e.driverType,sharedWorkspace:e.sharedWorkspace,accelerators:e.accelerators,queueTimings:e.queueTimings})),[{key:`driverType`,header:`Driver`,width:16},{key:`sharedWorkspace`,header:`Shared WS`,width:12},{key:`accelerators`,header:`Accel`,width:8},{key:`queueTimings`,header:`Queue`,width:8}])}catch(e){B(e)}}),e.command(`usage <fleet-id>`).description(`Show fleet usage and reliability insights`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=O(T({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=F(`Fetching usage...`);r.start();let i=await n.fleets.usage(e);if(r.stop(),t.json)A(i);else if(I({"Fleet ID":i.usage.fleetId,Status:i.usage.status,Machines:i.usage.machineCount,Running:i.usage.runningMachines,Failed:i.usage.failedMachines,"Runtime (ms)":i.usage.meteredUsage?.runtimeMs,"Reliability score":i.insights.reliabilityScore,"Failure rate":i.insights.failureRate}),i.insights.recommendedActions.length>0){console.log(`
144
+ Recommended actions:`);for(let e of i.insights.recommendedActions)console.log(` - ${e}`)}}catch(e){B(e)}}),e.command(`cost <fleet-id>`).description(`Show the fleet's cost estimate`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=O(T({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=F(`Estimating cost...`);r.start();let i=await n.fleets.cost(e);r.stop(),t.json?A(i):I({Plan:i.plan,Currency:i.currency,"Hourly (USD)":i.hourlyUsd,"Max lifetime (s)":i.maxLifetimeSeconds,"Estimated max lifetime (USD)":i.estimatedMaxLifetimeUsd,Machines:i.requestedResources.machines,"Total CPU":i.requestedResources.totalCpu,"Total memory (MB)":i.requestedResources.totalMemoryMb})}catch(e){B(e)}}),e.command(`token <fleet-id>`).description(`Mint a scoped fleet bearer token (treated as a secret)`).option(`--action <a...>`,`Allowed actions: list create delete exec prompt read write`).option(`--ttl-minutes <n>`,`Token lifetime in minutes`).option(`--json`,`Output as JSON (only path that prints the full token)`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=O(T({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=F(`Minting fleet token...`);r.start();let i=await n.fleets.createToken(e,{actions:ka(t.action),ttlMinutes:t.ttlMinutes?Number(t.ttlMinutes):void 0});r.stop(),t.json?A(i):(I({"Fleet ID":i.fleetId,Token:Aa(i.token),"Expires at":new Date(i.expiresAt).toISOString(),Actions:i.actions.join(`, `)}),console.log(`
145
+ Re-run with --json to print the full token value.`))}catch(e){B(e)}}),e}function xa(){let e=new t(`workspace`).description(`Manage a fleet's shared workspace`);return e.command(`snapshot <fleet-id>`).description(`Snapshot the fleet's shared workspace`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=O(T({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=F(`Creating workspace snapshot...`);r.start();let i=await n.fleets.createWorkspaceSnapshot(e);r.stop(),t.json?A(i):j(`Workspace snapshot created: ${i.snapshotId??i.id}`)}catch(e){B(e)}}),e.command(`restore <fleet-id> <snapshot-id>`).description(`Restore the fleet's shared workspace from a snapshot`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=O(T({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=F(`Restoring workspace...`);i.start();let a=await r.fleets.restoreWorkspaceSnapshot(e,t);i.stop(),n.json?A(a):j(`Workspace restored from ${a.snapshotId??t}`)}catch(e){B(e)}}),e.command(`reconcile <fleet-id>`).description(`Re-mount the shared workspace on all fleet machines`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=O(T({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=F(`Reconciling workspace...`);r.start();let i=await n.fleets.reconcileWorkspace(e);r.stop(),t.json?A(i):(I({"Fleet ID":i.fleetId,Checked:i.checked,"Orphaned mounts":i.orphanedMounts}),k(i.machines.map(e=>({machineId:e.machineId,sandboxId:e.sandboxId,mounted:e.mounted})),[{key:`machineId`,header:`Machine`,width:20},{key:`sandboxId`,header:`Sandbox`,width:24},{key:`mounted`,header:`Mounted`,width:10}]))}catch(e){B(e)}}),e}function Sa(e){if(e.spec){let t=JSON.parse(u(e.spec,`utf8`));return{base:{fleetId:e.fleetId,defaults:t.defaults,policy:t.policy,workspace:t.workspace,metadata:t.metadata},machines:t.machines??[]}}let t=Ta(e),n=Ea(e,!!t?.accelerator),r={...e.image?{environment:e.image}:{},...t?{resources:t}:{},...e.driver?{driver:{type:e.driver}}:{},...n?{gpuLease:n}:{},...e.backend?{backend:{type:e.backend}}:{}},i=Da(e),a=Math.max(1,Number(e.count)||1),o=Array.from({length:a},(e,t)=>({machineId:`worker-${t+1}`}));return{base:{fleetId:e.fleetId,defaults:Object.keys(r).length>0?r:void 0,policy:i,workspace:{mode:e.workspace}},machines:o}}function Ca(e){let{base:t,machines:n}=Sa(e);return{...t,machines:n}}function wa(e){let{base:t,machines:n}=Sa(e);return{...t,workers:n}}function Ta(e){let t={};if(e.cpu&&(t.cpuCores=Number(e.cpu)),e.memory&&(t.memoryMB=Number(e.memory)),e.disk&&(t.diskGB=Number(e.disk)),e.acceleratorKind)t.accelerator=fa({kind:e.acceleratorKind,count:e.acceleratorCount,memory:e.acceleratorMemory});else if(e.acceleratorCount||e.acceleratorMemory)throw Error(`--accelerator-count and --accelerator-memory require --accelerator-kind`);return Object.keys(t).length>0?t:void 0}function Ea(e,t){return pa({provider:e.gpuProvider,image:e.gpuWorkerImage,env:e.gpuEnv,maxSpendUsd:e.gpuMaxSpendUsd,maxLifetime:e.gpuMaxLifetime,idleTimeout:e.gpuIdleTimeout},t,`Fleet GPU lease flags require --accelerator-kind`)}function Da(e){let t={};return e.maxSpendUsd&&(t.maxSpendUsd=Number(e.maxSpendUsd)),e.maxLifetime&&(t.maxLifetimeSeconds=Number(e.maxLifetime)),Object.keys(t).length>0?t:void 0}function Oa(e){return[...e.entries()].map(([e,t])=>({machineId:e,sandboxId:t.id,status:t.status}))}function ka(e){if(!(!e||e.length===0)){for(let t of e)if(!ya.includes(t))throw Error(`Invalid token action '${t}'. Allowed: ${ya.join(`, `)}`);return e}}function Aa(e){return e.length<=12?`****`:`${e.slice(0,6)}...${e.slice(-4)} (masked — use --json for full value)`}function ja(){let e=new t(`fs`).description(`File system operations on sandboxes`);return Y(e.command(`upload`).description(`Upload a file to a sandbox`).argument(`<sandbox-id-or-name>`,`Sandbox ID or name`).argument(`<local-path>`,`Local file path`).argument(`<remote-path>`,`Remote destination path`).option(`--json`,`Output as JSON`)).action(async(e,t,n,r)=>{try{let{context:i,client:a}=X(r),s=await H(a,i,e);if(s=await U(s),!o.existsSync(t))throw Error(`Local file not found: ${t}`);let c=o.statSync(t),l=Date.now();console.log(`Uploading ${t} to ${n}...`),await s.fs.upload(t,n,{onProgress:e=>{let t=e.percentage.toFixed(1);process.stdout.write(`\rProgress: ${t}% (${e.bytesUploaded}/${e.totalBytes} bytes)`)}});let u=Date.now()-l;console.log(``),r.json?R({success:!0,localPath:t,remotePath:n,size:c.size,durationMs:u}):console.log(`✓ Uploaded ${c.size} bytes in ${u}ms`)}catch(e){L(e,r.json)}}),Y(e.command(`download`).description(`Download a file from a sandbox`).argument(`<sandbox-id-or-name>`,`Sandbox ID or name`).argument(`<remote-path>`,`Remote file path`).argument(`<local-path>`,`Local destination path`).option(`--json`,`Output as JSON`)).action(async(e,t,n,r)=>{try{let{context:i,client:a}=X(r),s=await H(a,i,e);s=await U(s);let c=Date.now();console.log(`Downloading ${t} to ${n}...`),await s.fs.download(t,n,{onProgress:e=>{let t=e.percentage.toFixed(1);process.stdout.write(`\rProgress: ${t}% (${e.bytesDownloaded}/${e.totalBytes} bytes)`)}});let l=Date.now()-c,u=o.statSync(n);console.log(``),r.json?R({success:!0,remotePath:t,localPath:n,size:u.size,durationMs:l}):console.log(`✓ Downloaded ${u.size} bytes in ${l}ms`)}catch(e){L(e,r.json)}}),Y(e.command(`ls`).description(`List directory contents`).argument(`<sandbox-id-or-name>`,`Sandbox ID or name`).argument(`[path]`,`Directory path`,`.`).option(`-l, --long`,`Show detailed information`).option(`-a, --all`,`Include hidden files`).option(`--json`,`Output as JSON`)).action(async(e,t,n)=>{try{let{context:r,client:i}=X(n),a=await H(i,r,e);a=await U(a);let o=await a.fs.list(t.startsWith(`/`)?t:`/${t}`,{all:n.all,long:n.long});if(n.json)R(o);else if(n.long)z([`Mode`,`Owner`,`Group`,`Size`,`Modified`,`Name`],o.map(e=>{let t=e.isDir?`d`:e.isSymlink?`l`:`-`,n=Ma(e.permissions),r=e.isDir?`<DIR>`:Na(e.size),i=e.modTime.toLocaleDateString();return[t+n,e.owner,e.group,r,i,e.name]}));else{let e=o.map(e=>e.isDir?`${e.name}/`:e.name);console.log(e.join(` `))}}catch(e){L(e,n.json)}}),Y(e.command(`stat`).description(`Get file or directory information`).argument(`<sandbox-id-or-name>`,`Sandbox ID or name`).argument(`<path>`,`Path to file or directory`).option(`--json`,`Output as JSON`)).action(async(e,t,n)=>{try{let{context:r,client:i}=X(n),a=await H(i,r,e);a=await U(a);let o=await a.fs.stat(t.startsWith(`/`)?t:`/${t}`);n.json?R(o):(console.log(` File: ${o.name}`),console.log(` Path: ${o.path}`),console.log(` Size: ${Na(o.size)} (${o.size} bytes)`),console.log(` Type: ${o.isDir?`directory`:o.isSymlink?`symlink`:`file`}`),console.log(` Mode: ${Ma(o.permissions)} (${o.permissions.toString(8)})`),console.log(` Owner: ${o.owner}`),console.log(` Group: ${o.group}`),console.log(` Modified: ${o.modTime.toISOString()}`),console.log(` Accessed: ${o.accessTime.toISOString()}`))}catch(e){L(e,n.json)}}),Y(e.command(`cat`).description(`Print file contents`).argument(`<sandbox-id-or-name>`,`Sandbox ID or name`).argument(`<path>`,`Path to file`).option(`--json`,`Output as JSON`)).action(async(e,t,n)=>{try{let{context:r,client:i}=X(n),a=await H(i,r,e);a=await U(a);let o=await a.read(t.startsWith(`/`)?t:`/${t}`);n.json?R({path:t,content:o}):console.log(o)}catch(e){L(e,n.json)}}),Y(e.command(`rm`).description(`Delete a file or directory`).argument(`<sandbox-id-or-name>`,`Sandbox ID or name`).argument(`<path>`,`Path to delete`).option(`-r, --recursive`,`Delete directories recursively`).option(`--json`,`Output as JSON`)).action(async(e,t,n)=>{try{let{context:r,client:i}=X(n),a=await H(i,r,e);a=await U(a),await a.fs.delete(t.startsWith(`/`)?t:`/${t}`,{recursive:n.recursive}),n.json?R({success:!0,path:t,deleted:!0}):console.log(`✓ Deleted: ${t}`)}catch(e){L(e,n.json)}}),Y(e.command(`mkdir`).description(`Create a directory`).argument(`<sandbox-id-or-name>`,`Sandbox ID or name`).argument(`<path>`,`Directory path to create`).option(`-p, --parents`,`Create parent directories as needed`).option(`--json`,`Output as JSON`)).action(async(e,t,n)=>{try{let{context:r,client:i}=X(n),a=await H(i,r,e);a=await U(a),await a.fs.mkdir(t.startsWith(`/`)?t:`/${t}`,{recursive:n.parents}),n.json?R({success:!0,path:t,created:!0}):console.log(`✓ Created: ${t}`)}catch(e){L(e,n.json)}}),Y(e.command(`exists`).description(`Check if a path exists`).argument(`<sandbox-id-or-name>`,`Sandbox ID or name`).argument(`<path>`,`Path to check`).option(`--json`,`Output as JSON`)).action(async(e,t,n)=>{try{let{context:r,client:i}=X(n),a=await H(i,r,e);a=await U(a);let o=await a.fs.exists(t.startsWith(`/`)?t:`/${t}`);n.json?R({path:t,exists:o}):(console.log(o?`exists`:`not found`),process.exit(+!o))}catch(e){L(e,n.json)}}),e}function Ma(e){let t=[`r`,`w`,`x`],n=``;for(let r=2;r>=0;r--){let i=r*3;for(let r=0;r<3;r++)n+=e>>i+(2-r)&1?t[r]:`-`}return n}function Na(e){let t=[`B`,`KB`,`MB`,`GB`,`TB`],n=e,r=0;for(;n>=1024&&r<t.length-1;)n/=1024,r++;return r===0?`${n}${t[r]}`:`${n.toFixed(1)}${t[r]}`}function Y(e){return e.option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`)}function X(e){let t=T({apiKey:e.apiKey,baseUrl:e.baseUrl});return{context:t,client:O(t)}}function Pa(){let e=new t(`git`).description(`Git operations in a sandbox workspace`);return e.command(`status`).description(`Show git repository status`).argument(`<id-or-name>`,`Sandbox ID or name`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=T({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=O(n),i=F(`Fetching status...`);t.json||i.start();let a=await H(r,n,e);a=await U(a);let o=await a.git.status();if(i.stop(),t.json)A(o);else{if(console.log(`Branch: ${o.branch}`),console.log(`HEAD: ${o.head.slice(0,7)}`),console.log(`Dirty: ${o.isDirty?`yes`:`no`}`),o.ahead&&console.log(`Ahead: ${o.ahead}`),o.behind&&console.log(`Behind: ${o.behind}`),o.staged.length>0){console.log(`\nStaged (${o.staged.length}):`);for(let e of o.staged)console.log(` + ${e}`)}if(o.modified.length>0){console.log(`\nModified (${o.modified.length}):`);for(let e of o.modified)console.log(` M ${e}`)}if(o.untracked.length>0){console.log(`\nUntracked (${o.untracked.length}):`);for(let e of o.untracked)console.log(` ? ${e}`)}}}catch(e){B(e)}}),e.command(`log`).description(`Show commit log`).argument(`<id-or-name>`,`Sandbox ID or name`).option(`-n, --limit <count>`,`Max commits to show`,`10`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=T({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=O(n),i=F(`Fetching log...`);t.json||i.start();let a=await H(r,n,e);a=await U(a);let o=await a.git.log(Number.parseInt(t.limit,10));if(i.stop(),t.json)A(o);else if(o.length===0)console.log(`No commits found`);else for(let e of o)console.log(`${e.shortSha} ${e.message.split(`
146
+ `)[0]} (${e.author}, ${e.date.toLocaleDateString()})`)}catch(e){B(e)}}),e.command(`diff`).description(`Show diff`).argument(`<id-or-name>`,`Sandbox ID or name`).option(`--ref <ref>`,`Ref to diff against`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=T({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=O(n),i=F(`Fetching diff...`);t.json||i.start();let a=await H(r,n,e);a=await U(a);let o=await a.git.diff(t.ref);i.stop(),t.json?A(o):o.raw?console.log(o.raw):console.log(`${o.additions} additions, ${o.deletions} deletions across ${o.files.length} files`)}catch(e){B(e)}}),e.command(`add`).description(`Stage files`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`<paths...>`,`Paths to stage`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=T({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=await H(O(r),r,e);i=await U(i),await i.git.add(t),j(`Staged: ${t.join(`, `)}`)}catch(e){B(e)}}),e.command(`commit`).description(`Create a commit`).argument(`<id-or-name>`,`Sandbox ID or name`).requiredOption(`-m, --message <msg>`,`Commit message`).option(`--amend`,`Amend the previous commit`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=T({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=await H(O(n),n,e);r=await U(r);let i=await r.git.commit(t.message,{amend:t.amend});t.json?A(i):j(`Committed: ${i.shortSha} ${i.message}`)}catch(e){B(e)}}),e.command(`push`).description(`Push to remote`).argument(`<id-or-name>`,`Sandbox ID or name`).option(`--force`,`Force push`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=T({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=O(n),i=F(`Pushing...`);i.start();let a=await H(r,n,e);a=await U(a),await a.git.push({force:t.force}),i.stop(),j(`Pushed to remote`)}catch(e){B(e)}}),e.command(`pull`).description(`Pull from remote`).argument(`<id-or-name>`,`Sandbox ID or name`).option(`--rebase`,`Rebase instead of merge`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=T({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=O(n),i=F(`Pulling...`);i.start();let a=await H(r,n,e);a=await U(a),await a.git.pull({rebase:t.rebase}),i.stop(),j(`Pulled from remote`)}catch(e){B(e)}}),e.command(`branches`).description(`List branches`).argument(`<id-or-name>`,`Sandbox ID or name`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=T({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=O(n),i=F(`Fetching branches...`);t.json||i.start();let a=await H(r,n,e);a=await U(a);let o=await a.git.branches();i.stop(),t.json?A(o):o.length===0?console.log(`No branches found`):z([`Name`,`Current`,`Remote`],o.map(e=>[e.name,e.current?`* `:` `,e.upstream??`-`]))}catch(e){B(e)}}),e.command(`checkout`).description(`Checkout a branch or ref`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`<ref>`,`Branch name or ref`).option(`-b, --create`,`Create a new branch`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=T({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=await H(O(r),r,e);i=await U(i),await i.git.checkout(t,{create:n.create}),j(`Checked out: ${t}${n.create?` (new)`:``}`)}catch(e){B(e)}}),e}function Fa(){let e=new t(`hub`).description(`Discover and run Tangle Hub tools`);e.option(`--json`,`Output as JSON`),e.hook(`preAction`,(e,t)=>{La(t)}),e.command(`connect`).description(`Connect a provider account`).argument(`provider`,`Provider to connect`).option(`--no-browser`,`Print the authorization URL instead of opening it`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=await(await V(t)).connections.start(e,{cli:!0});if(t.json){A(eo(n));return}$a(n,t.browser===!1?!1:await tr(n.redirectUrl))}catch(e){Z(e,t)}});let n=new t(`connections`).description(`List Hub provider connections`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=await(await V(e)).connections.list();if(e.json){A(t);return}Qa(t.connections)}catch(t){Z(t,e)}});n.command(`revoke <connection-id>`).description(`Revoke a Hub provider connection`).option(`--force`,`Skip confirmation prompt`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=await V(t),r=await Ht(n,e);if(!t.force&&!await W(`Revoke Hub connection ${r}? `)){P(`Revoke cancelled.`);return}let i=await n.connections.revoke(r);if(t.json){A(i);return}P(`Revoked Hub connection ${i.connection.id}.`)}catch(e){Z(e,t)}}),e.addCommand(n);let r=new t(`permissions`).description(`Manage Hub action permissions`);r.command(`list`).description(`List Hub permissions for a connection`).requiredOption(`--connection <ref>`,`Hub connection id, or provider[:account]`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{if(!e.connection)throw Error(`--connection is required.`);let t=await V(e),n=await Ht(t,e.connection),r=await t.permissions.list(n);if(e.json){A(r);return}qa(r.policies)}catch(t){Z(t,e)}}),r.command(`set`).description(`Set Hub permission for one action`).requiredOption(`--connection <ref>`,`Hub connection id, or provider[:account]`).requiredOption(`--action <path>`,`Executor action path`).requiredOption(`--decision <allow|ask|deny>`,`Permission decision`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{if(!e.connection)throw Error(`--connection is required.`);if(!e.action)throw Error(`--action is required.`);let t=Ja(e.decision),n=await V(e),r=await Ht(n,e.connection),i=await n.permissions.set({connectionId:r,actionPath:e.action,decision:t});if(e.json){A(i);return}qa([i.policy])}catch(t){Z(t,e)}}),r.command(`revert-writes`).description("Revoke a bulk `--allow-writes` grant for a connection (deletes only the auto-granted write rows; manual permissions are untouched)").requiredOption(`--connection <ref>`,`Hub connection id, or provider[:account]`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{if(!e.connection)throw Error(`--connection is required.`);let t=await V(e),n=await Ht(t,e.connection),r=await t.permissions.revertWrites(n);if(e.json){A(r);return}P(`Reverted ${r.reverted} write permission${r.reverted===1?``:`s`} for connection ${r.connectionId}.`)}catch(t){Z(t,e)}}),e.addCommand(r);let i=new t(`approvals`).description(`List and resolve Hub execution approvals`);i.command(`list`).description(`List pending Hub execution approvals`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=await(await V(e)).approvals.list();if(e.json){A(t);return}Ha(t.approvals)}catch(t){Z(t,e)}}),i.command(`approve`).description(`Approve a pending Hub execution approval`).argument(`approval-id`,`Hub approval ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{Va(e),Ua(await(await V(t)).approvals.approve(e),t.json===!0)}catch(e){Z(e,t)}}),i.command(`deny`).description(`Deny a pending Hub execution approval`).argument(`approval-id`,`Hub approval ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{Va(e),Ua(await(await V(t)).approvals.deny(e),t.json===!0)}catch(e){Z(e,t)}}),e.addCommand(i);let a=new t(`tools`).description(`Discover Hub tools`);return a.command(`sources`).description(`List Hub tool sources`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=await(await V(e)).tools.sources();if(e.json){A(t);return}Ya(t.sources)}catch(t){Z(t,e)}}),a.command(`describe`).description(`Describe a Hub tool`).argument(`path`,`Executor tool path`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=await(await V(t)).tools.describe(e);if(t.json){A(n);return}Xa(n.tool)}catch(e){Z(e,t)}}),a.command(`search`).description(`Search Hub tools`).argument(`<query...>`,`Search query`).option(`--provider <provider>`,`Filter by provider/source ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=await(await V(t)).tools.search(e.join(` `),{provider:t.provider});if(t.json){A(n);return}Ka(n.tools)}catch(e){Z(e,t)}}),e.addCommand(a),e.addCommand(Ia(`call`)),e.addCommand(Ia(`exec`)),e.command(`resume`).description(`Resolve a Hub approval created by a paused execution`).argument(`approval-id`,`Hub approval ID from HUB_APPROVAL_REQUIRED`).option(`--accept`,`Approve the execution approval`).option(`--decline`,`Deny the execution approval`).option(`--cancel`,`Unsupported for approval-backed Hub resume`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{if(Va(e),t.cancel)throw Error(`Hub approval resume does not support --cancel. Use --decline to deny the approval.`);if(t.accept&&t.decline)throw Error(`Choose only one of --accept or --decline.`);if(!t.accept&&!t.decline)throw Error(`Choose --accept to approve or --decline to deny the Hub approval.`);let n=await V(t);Ua(t.decline?await n.approvals.deny(e):await n.approvals.approve(e),t.json===!0)}catch(e){Z(e,t)}}),e.command(`status`).description(`Show Hub auth and connection status`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=await(await V(e)).status();if(e.json){A(t);return}to(t)}catch(t){Z(t,e)}}),e}function Ia(e){return new t(e).description(`Execute a Hub tool`).argument(`<args...>`,`Tool path tokens followed by JSON input`).option(`--connection <ref>`,`Hub connection id, or provider[:account]`).option(`--auto-approve`,`Approve a HUB_APPROVAL_REQUIRED execution and retry once`).option(`--approve`,`Alias for --auto-approve`).option(`--no-hub-key`,`Do not auto-mint a platform Hub key; use the stored credential as-is`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let{args:n,approve:r}=Ba(e,t),{path:i,input:a}=Ga(n),o=await V(t),s=t.connection?await Ht(o,t.connection):void 0;A((await o.tools.invoke(i,a,{connectionId:s,approve:r})).result)}catch(e){Z(e,t)}})}function La(e){if(!Ra(e,`json`)||e.getOptionValue(`json`)!==void 0)return;let t=e.parent;for(;t;){let n=t.getOptionValue(`json`);if(n!==void 0){e.setOptionValue(`json`,n);return}t=t.parent}}function Ra(e,t){return e.options.some(e=>e.attributeName()===t)}function za(e){return e.json===!0}function Z(e,t){return za(t)?B(e,!0):B(e)}function Ba(e,t){let n=t.autoApprove;return{args:e.filter(e=>e!==`--approve`&&e!==`--auto-approve`),approve:t.approve===!0||n===!0||e.includes(`--approve`)||e.includes(`--auto-approve`)}}function Va(e){if(!/^[A-Za-z0-9_-]+$/.test(e))throw Error(`Hub approval ID must contain only letters, numbers, underscores, and dashes.`)}function Ha(e){k(e.map(e=>({id:e.id,provider:e.providerId,action:e.actionPath,connection:e.connectionId,status:e.status,expires:e.expiresAt})),[{key:`id`,header:`ID`},{key:`provider`,header:`Provider`},{key:`action`,header:`Action`},{key:`connection`,header:`Connection`},{key:`status`,header:`Status`},{key:`expires`,header:`Expires`}])}function Ua(e,t){if(t){A(Wa(e));return}P(`Hub approval ${e.approval.id} ${e.approval.status}.`),e.capabilityToken&&P("Capability token minted. Re-run the original command with `--approve` to execute automatically.")}function Wa(e){return{approval:e.approval,...e.capabilityToken?{capabilityToken:{tokenId:e.capabilityToken.tokenId,expiresAt:e.capabilityToken.expiresAt}}:{}}}function Ga(e){if(e.length<2)throw Error(`Usage: tangle hub call <path> <json-input>`);let t=e.at(-1);if(t===void 0)throw Error(`Usage: tangle hub call <path> <json-input>`);try{return{path:e.slice(0,-1).join(`.`),input:JSON.parse(t)}}catch{throw Error(`Hub call input must be valid JSON.`)}}function Ka(e){k(e.map(e=>({path:e.path,provider:e.providerId??e.requiredConnectionProviderId,title:e.title,description:e.description,connection:Za(e),policy:e.policyState})),[{key:`path`,header:`Path`},{key:`provider`,header:`Provider`},{key:`title`,header:`Title`},{key:`description`,header:`Description`},{key:`connection`,header:`Connection`},{key:`policy`,header:`Policy`}])}function qa(e){k(e.map(e=>({connection:e.connectionId,provider:e.providerId,action:e.actionPath,decision:e.decision,updated:e.updatedAt})),[{key:`connection`,header:`Connection`},{key:`provider`,header:`Provider`},{key:`action`,header:`Action`},{key:`decision`,header:`Decision`},{key:`updated`,header:`Updated`}])}function Ja(e){if(e===`allow`||e===`ask`||e===`deny`)return e;throw Error(`--decision must be one of: allow, ask, deny.`)}function Ya(e){k(e.map(e=>({source:e.sourceId,provider:e.displayName,tools:e.toolCount,connection:e.connectionStatus,health:e.health,configured:e.configured})),[{key:`source`,header:`Source`},{key:`provider`,header:`Provider`},{key:`tools`,header:`Tools`},{key:`connection`,header:`Connection`},{key:`health`,header:`Health`},{key:`configured`,header:`Configured`}])}function Xa(e){I({Path:e.path,Provider:e.providerId??e.requiredConnectionProviderId,Title:e.title,Description:e.description,Connection:Za(e),Policy:e.policyState}),e.inputSchema!==void 0&&(P(`Input schema`),console.log(JSON.stringify(e.inputSchema,null,2))),e.outputSchema!==void 0&&(P(`Output schema`),console.log(JSON.stringify(e.outputSchema,null,2)))}function Za(e){if(e.connectionRequired===!1)return`not required`;if(e.connectionStatus)return e.connectionStatus}function Qa(e){k(e.map(e=>({id:e.id,provider:e.providerId,account:e.accountDisplay??e.displayName,scopes:e.scopes.join(`, `),status:e.status,health:e.health,lastUsed:e.lastUsedAt})),[{key:`id`,header:`ID`},{key:`provider`,header:`Provider`},{key:`account`,header:`Account`},{key:`scopes`,header:`Scopes`},{key:`status`,header:`Status`},{key:`health`,header:`Health`},{key:`lastUsed`,header:`Last Used`}])}function $a(e,t){t?P(`Opened browser to connect ${e.provider}.`):(P(`Open this URL to connect ${e.provider}:`),console.log(e.redirectUrl)),P("Finish authorization in the browser, then rerun `tangle hub status`.")}function eo(e){return{provider:e.provider,redirectUrl:e.redirectUrl,expiresAt:e.expiresAt,scopes:e.scopes,cli:e.cli}}function to(e){let{principal:t,connections:n}=e;P(`Hub status`),I({Principal:t.kind,"User ID":t.userId,"API Key ID":t.apiKeyId,"Sandbox ID":t.sandboxId,"Connected Providers":n.connectedProviderCount,"Unhealthy Providers":n.unhealthyProviderCount}),n.unhealthyProviderCount>0&&P(`Some providers require reconnect.`)}function no(){let e=new t(`intelligence`).description(`Create and inspect trace intelligence reports`);return e.command(`connect [agent]`).alias(`connect-agent`).description(`Connect local agent CLIs to Tangle Intelligence`).option(`--api-key <key>`,`Intelligence ingest API key`).option(`--endpoint <url>`,`OTLP endpoint base`,Er).option(`--workspace <path>`,`Workspace to write hook files into`,`.`).option(`--service-name <name>`,`OTel service.name label`).option(`--environment <name>`,`OTel deployment.environment label`,`local`).option(`--dry-run`,`Print planned writes without changing files`).option(`--hook-command <command>`,`Command native hooks should run`,`tangle intelligence hook`).option(`--no-smoke`,`Skip the install smoke trace`).option(`--json`,`Output as JSON`).action(async(e,t)=>{try{let n=e??`local`;jr(n);let r=io(t.apiKey),i=await Ir({selection:n,workspace:t.workspace,apiKey:r,endpoint:t.endpoint,serviceName:t.serviceName??Nr(t.workspace),environment:t.environment,smoke:t.smoke,dryRun:!!t.dryRun,hookCommand:t.hookCommand}),a={configPath:i.configPath,agents:i.agents,nativeAgents:i.nativeAgents,manual:i.manual,written:i.written,smokeTraceId:i.smokeTraceId};if(t.json){A(a);return}I({Config:i.configPath,Agents:i.agents.join(`, `),"Native Hooks":i.nativeAgents.join(`, `)||void 0,"Manual Setup":i.manual.length?i.manual.map(e=>`${e.label}: ${e.reason}`).join(` `):void 0,Files:i.written.join(`, `),"Smoke Trace":i.smokeTraceId})}catch(e){B(e)}}),e.command(`doctor`).description(`Check whether your agent traces carry CONTENT or are metadata-only`).option(`--api-key <key>`,`Intelligence ingest API key`).option(`--endpoint <url>`,`OTLP endpoint base`,Er).option(`--json`,`Output as JSON`).action(async e=>{try{let t=Fr(),n=await Vr({endpoint:e.endpoint===`https://intelligence.tangle.tools/v1/otlp`?t?.endpoint??`https://intelligence.tangle.tools/v1/otlp`:e.endpoint,apiKey:io(e.apiKey??t?.apiKey)});e.json?A(n):ro(n),n.contentSeen||(process.exitCode=1)}catch(e){B(e)}}),e.command(`hook`).description(`Emit one local agent hook event to Tangle Intelligence`).requiredOption(`--agent <agent>`,`Agent surface`).requiredOption(`--event <event>`,`Hook event name`).option(`--payload <json>`,`Hook payload JSON`).option(`--api-key <key>`,`Intelligence ingest API key`).option(`--endpoint <url>`,`OTLP endpoint base`).option(`--service-name <name>`,`OTel service.name label`).option(`--environment <name>`,`OTel deployment.environment label`).option(`--session-id <id>`,`Session id override`).option(`--dry-run`,`Build the OTLP request without sending it`).option(`--non-blocking`,`Do not fail the parent agent process`).option(`--json`,`Output as JSON`).action(async e=>{try{let t=ao(e.agent),n=Fr(),r={agent:t,event:e.event,endpoint:e.endpoint??n?.endpoint??`https://intelligence.tangle.tools/v1/otlp`,apiKey:io(e.apiKey??n?.apiKey),serviceName:e.serviceName??n?.serviceName??Nr(process.cwd()),environment:e.environment??n?.environment??`local`,sessionId:e.sessionId,payload:e.payload===void 0?await so():oo(e.payload)};if(e.dryRun){let n=Rr(r);if(e.json){A(n);return}I({Trace:n.traceId,Agent:t,Event:e.event});return}let i=await zr(r);if(e.json){A({traceId:i});return}I({Trace:i,Agent:t,Event:e.event})}catch(t){if(e.nonBlocking){let n=t instanceof Error?t.message:String(t);e.json?A({ok:!1,error:n}):console.error(`Tangle Intelligence hook skipped: ${n}`);return}B(t)}}),e.command(`sandbox <sandbox-id>`).description(`Create an intelligence report for one sandbox`).option(`--mode <mode>`,`deterministic | agentic`,`deterministic`).option(`--max-usd <amount>`,`Maximum customer charge for agentic analysis`).option(`--metadata <json>`,`Metadata JSON object`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{await co({type:`sandbox`,id:e},t)}),e.command(`fleet <fleet-id>`).description(`Create an intelligence report for a sandbox fleet`).option(`--mode <mode>`,`deterministic | agentic`,`deterministic`).option(`--max-usd <amount>`,`Maximum customer charge for agentic analysis`).option(`--metadata <json>`,`Metadata JSON object`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{await co({type:`fleet`,id:e},t)}),e.command(`create`).description(`Create a trace intelligence report`).requiredOption(`--subject-type <type>`,`sandbox | fleet`).requiredOption(`--subject-id <id>`,`Subject identifier`).option(`--mode <mode>`,`deterministic | agentic`,`deterministic`).option(`--max-usd <amount>`,`Maximum customer charge for agentic analysis`).option(`--metadata <json>`,`Metadata JSON object`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{await co({type:uo(e.subjectType),id:e.subjectId},e)}),e.command(`get <job-id>`).description(`Get an intelligence report`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=O(T({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=t.json?null:F(`Fetching intelligence report...`);r?.start();let i=await n.intelligence.getReport(e);if(r?.stop(),t.json){A(i);return}lo(i)}catch(e){B(e)}}),e.command(`list`).description(`List intelligence reports`).option(`--subject-type <type>`,`sandbox | fleet`).option(`--subject-id <id>`,`Subject identifier`).option(`--limit <count>`,`Maximum reports to return`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=O(T({apiKey:e.apiKey,baseUrl:e.baseUrl})),n=e.json?null:F(`Fetching intelligence reports...`);n?.start();let r=await t.intelligence.listReports({subjectType:e.subjectType===void 0?void 0:uo(e.subjectType),subjectId:e.subjectId,limit:e.limit===void 0?void 0:mo(e.limit)});if(n?.stop(),e.json){A(r);return}k(r.map(e=>({jobId:e.jobId,subject:`${e.subject.type}:${e.subject.id}`,mode:e.mode,status:e.status,cost:`$${e.billing.costUsd.toFixed(2)}`,updatedAt:e.updatedAt})),[{key:`jobId`,header:`Job`,width:20},{key:`subject`,header:`Subject`,width:28},{key:`mode`,header:`Mode`,width:15},{key:`status`,header:`Status`,width:14},{key:`cost`,header:`Cost`,width:10},{key:`updatedAt`,header:`Updated`,width:18}])}catch(e){B(e)}}),e}function ro(e){I({Status:e.contentSeen?`content flowing`:e.tracesSeen?`metadata-only — a content gate is missing`:`no traces yet`,"Traces seen":e.tracesSeen?`yes`:`no`,"Content seen":e.contentSeen?`yes`:`no`,"Last seen":e.lastSeenAt??`never`,Window:`${e.windowDays}d`});let t=Object.entries(e.byAgent);t.length>0&&(console.log(),k(t.map(([e,t])=>({agent:e,traces:t.tracesSeen?`yes`:`no`,content:t.contentSeen?`yes`:`no`})),[{key:`agent`,header:`Agent`,width:18},{key:`traces`,header:`Traces`,width:10},{key:`content`,header:`Content`,width:10}]))}function io(e){let t=e??process.env.TANGLE_INTELLIGENCE_API_KEY??process.env.TANGLE_API_KEY;if(!t)throw Error(`--api-key, TANGLE_INTELLIGENCE_API_KEY, or TANGLE_API_KEY is required`);return t}function ao(e){if(Mr(e))return e;throw Error(`agent must be a known Tangle Intelligence agent surface`)}function oo(e){try{return JSON.parse(e)}catch(e){throw Error(`--payload must be JSON: ${e instanceof Error?e.message:String(e)}`)}}async function so(){if(process.stdin.isTTY)return;let e=``;for await(let t of process.stdin)if(e+=typeof t==`string`?t:t.toString(`utf8`),e.length>65536)throw Error(`hook payload exceeds 65536 bytes`);let t=e.trim();if(t)try{return JSON.parse(t)}catch{return{body:t.slice(0,4096)}}}async function co(e,t){try{let n=fo(t.mode),r=ho(t.metadata),i=t.maxUsd===void 0?void 0:po(t.maxUsd);if(n===`agentic`&&i===void 0)throw Error(`Agentic intelligence reports require --max-usd`);let a=O(T({apiKey:t.apiKey,baseUrl:t.baseUrl})),o=t.json?null:F(`Creating intelligence report...`);o?.start();let s=await a.intelligence.createReport({subject:e,mode:n,...i===void 0?{}:{budget:{billTo:`customer`,maxUsd:i}},...r===void 0?{}:{metadata:r}});if(o?.stop(),t.json){A(s);return}lo(s)}catch(e){B(e)}}function lo(e){I({Job:e.jobId,Subject:`${e.subject.type}:${e.subject.id}`,Mode:e.mode,Status:e.status,"Billed To":e.billing.billedTo,Cost:`$${e.billing.costUsd.toFixed(2)}`,Budget:e.billing.budgetMaxUsd===void 0?void 0:`$${e.billing.budgetMaxUsd.toFixed(2)}`,Updated:e.updatedAt}),e.result!==null&&(console.log(),A(e.result))}function uo(e){if(e===`sandbox`||e===`fleet`)return e;throw Error(`subject type must be sandbox or fleet`)}function fo(e){if(e===`deterministic`||e===`agentic`)return e;throw Error(`mode must be deterministic or agentic`)}function po(e){let t=Number(e);if(!Number.isFinite(t)||t<0)throw Error(`--max-usd must be a non-negative number`);return t}function mo(e){let t=Number(e);if(!Number.isInteger(t)||t<1)throw Error(`--limit must be a positive integer`);return t}function ho(e){if(e===void 0)return;let t=JSON.parse(e);if(!t||typeof t!=`object`||Array.isArray(t))throw Error(`--metadata must be a JSON object`);return t}const go=[`router`,`sandbox`,`blueprint-agent`,`evals`,`agent-builder`];function _o(e){return(e?.trim()||process.env.TANGLE_PLATFORM_URL?.trim()||`https://id.tangle.tools`).replace(/\/+$/,``)}async function vo(e,t,n={}){let r=new Headers(n.headers);r.set(`Authorization`,`Bearer ${t}`),n.body&&!r.has(`content-type`)&&r.set(`content-type`,`application/json`);let i=await fetch(e,{...n,headers:r});if(n.expected!==void 0&&i.status!==n.expected){let t=await i.text().catch(()=>``),n=t?`: ${t.slice(0,400)}`:``;throw Error(`Platform request to ${e} returned ${i.status}${n}`)}return i}const yo=[`ID`,`Prefix`,`Name`,`Product`,`Created`,`Last used`,`Expires`];function bo(e){return[e.id,e.keyPrefix??``,e.name,e.product??`all`,e.createdAt,e.lastUsedAt??`—`,e.expiresAt??`—`]}function xo(){let e=new t(`keys`).description(`Manage sk-tan-* API keys on id.tangle.tools`);return e.command(`list`).description(`List your active API keys`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key (overrides configured credentials)`).option(`--base-url <url>`,`Sandbox API base URL (not platform URL)`).option(`--platform-url <url>`,`Override the platform URL (id.tangle.tools)`).action(async e=>{try{let t=T({apiKey:e.apiKey,baseUrl:e.baseUrl}),n=await(await vo(`${_o(e.platformUrl)}/v1/keys`,t.apiKey,{expected:200})).json();if(e.json){A(n);return}z(yo,n.data.map(bo))}catch(e){B(e)}}),e.command(`create`).description(`Create a new API key`).argument(`<name>`,`Human-readable name for the key`).option(`--product <product>`,`Restrict the key to one product (${go.join(`|`)}). Omit for all products.`).option(`--budget-usd <amount>`,`Hard budget cap in USD`).option(`--rpm-limit <limit>`,`Requests-per-minute cap`).option(`--expires-in-days <days>`,`Expire the key after N days (integer)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key (overrides configured credentials)`).option(`--base-url <url>`,`Sandbox API base URL (not platform URL)`).option(`--platform-url <url>`,`Override the platform URL (id.tangle.tools)`).action(async(e,t)=>{try{if(t.product!==void 0&&!go.includes(t.product))throw Error(`Invalid --product. Expected one of ${go.join(`, `)}`);let n=T({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=_o(t.platformUrl),i=t.expiresInDays===void 0?void 0:new Date(Date.now()+Number.parseInt(t.expiresInDays,10)*24*60*60*1e3).toISOString(),a=F(`Creating API key...`);a.start();let o=await vo(`${r}/v1/keys`,n.apiKey,{method:`POST`,expected:201,body:JSON.stringify({name:e,product:t.product,budgetUsd:t.budgetUsd?Number.parseFloat(t.budgetUsd):void 0,rpmLimit:t.rpmLimit?Number.parseInt(t.rpmLimit,10):void 0,expiresAt:i})});a.stop();let s=await o.json();if(t.json){A(s);return}j(`API key created: ${s.data.prefix}…`),P(`Copy this key now — it will never be shown again:\n${s.data.key}`)}catch(e){B(e)}}),e.command(`revoke`).description(`Revoke an API key`).argument(`<keyId>`,"Key ID (from `tcloud keys list`)").option(`--yes`,`Skip the confirmation prompt`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key (overrides configured credentials)`).option(`--base-url <url>`,`Sandbox API base URL (not platform URL)`).option(`--platform-url <url>`,`Override the platform URL (id.tangle.tools)`).action(async(e,t)=>{try{let n=T({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=_o(t.platformUrl);if(!t.yes&&!await W(`Revoke key ${e}? Any service still using it will start to fail.`)){P(`Aborted.`);return}let i=await(await vo(`${r}/v1/keys/${encodeURIComponent(e)}`,n.apiKey,{method:`DELETE`,expected:200})).json();if(t.json){A(i);return}j(`Revoked ${e}`)}catch(e){B(e)}}),e}function So(){let e=new t(`mcp`).description(`Model Context Protocol bridge commands.`);return e.command(`serve <id-or-name>`).description(`Run a local MCP server (stdio) backed by the given sandbox (ID or name). Pipe its stdio from an MCP client config to expose sandbox tools.`).option(`-s, --session <id>`,`Session id for kernel scoping`,`mcp-local`).option(`--name <name>`,`MCP server name reported to clients`,`tangle-sandbox`).action(async(e,t)=>{try{let n=T({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=await H(O(n),n,e),i;try{i=(await import(`@modelcontextprotocol/sdk/server/stdio.js`)).StdioServerTransport}catch{throw Error("`@modelcontextprotocol/sdk` is not installed in this environment. Install it with: pnpm add -g @modelcontextprotocol/sdk (or as a dev dep in the project running this command).")}let{connect:a,close:o}=await De(r,{sessionId:t.session,name:t.name});await a(new i),process.stdin.resume(),process.stdin.on(`end`,()=>{o().finally(()=>process.exit(0))});for(let e of[`SIGINT`,`SIGTERM`])process.on(e,()=>{o().finally(()=>process.exit(0))})}catch(e){B(e)}}),e}function Co(){let e=new t(`permissions`).description(`Manage sandbox user permissions`);return e.command(`list <sandboxId-or-name>`).description(`List all users in a sandbox`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=T({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=O(n),i=F(`Fetching users...`);i.start();let a=await(await H(r,n,e)).permissions.list();i.stop(),t.json?A(a):k(a.map(e=>({userId:e.userId,username:e.username,role:e.role,homeDir:e.homeDir,createdAt:e.createdAt.toISOString().split(`T`)[0]})),[{key:`userId`,header:`User ID`,width:20},{key:`username`,header:`Username`,width:16},{key:`role`,header:`Role`,width:12},{key:`homeDir`,header:`Home Directory`,width:24},{key:`createdAt`,header:`Created`,width:16}])}catch(e){B(e)}}),e.command(`get <sandboxId-or-name> <userId>`).description(`Get details for a specific user`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=T({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=O(r),a=F(`Fetching user...`);a.start();let o=await(await H(i,r,e)).permissions.get(t);if(a.stop(),!o)throw Error(`User ${t} not found in sandbox ${e}`);n.json?A(o):(P(`User: ${o.userId}`),P(` Username: ${o.username}`),P(` Role: ${o.role}`),P(` Home: ${o.homeDir}`),P(` SSH Keys: ${o.sshKeys.length}`),P(` Created: ${o.createdAt.toISOString()}`))}catch(e){B(e)}}),e.command(`add <sandboxId-or-name>`).description(`Add a user to a sandbox`).requiredOption(`--user-id <id>`,`User ID (from your auth system)`).option(`--username <name>`,`Preferred username`).option(`--role <role>`,`Permission level (owner, admin, developer, viewer)`,`developer`).option(`--ssh-key <key>`,`SSH public key for access`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=T({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=O(n),i=F(`Adding user...`);i.start();let a=await(await H(r,n,e)).permissions.add({userId:t.userId,username:t.username,role:t.role,sshKeys:t.sshKey?[t.sshKey]:void 0});i.stop(),t.json?A(a):(j(`User ${a.userId} added as ${a.role}`),P(` Username: ${a.username}`),P(` Home: ${a.homeDir}`))}catch(e){B(e)}}),e.command(`update <sandboxId-or-name> <userId>`).description(`Update a user's permissions`).option(`--role <role>`,`New permission level (owner, admin, developer, viewer)`).option(`--add-ssh-key <key>`,`Add SSH public key`).option(`--remove-ssh-key <key>`,`Remove SSH public key`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=T({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=O(r),a=F(`Updating user...`);a.start();let o=await(await H(i,r,e)).permissions.update(t,{role:n.role,addSshKeys:n.addSshKey?[n.addSshKey]:void 0,removeSshKeys:n.removeSshKey?[n.removeSshKey]:void 0});a.stop(),n.json?A(o):(j(`User ${t} updated`),P(` Role: ${o.role}`),P(` SSH Keys: ${o.sshKeys.length}`))}catch(e){B(e)}}),e.command(`remove <sandboxId-or-name> <userId>`).description(`Remove a user from a sandbox`).option(`--preserve-home`,`Keep user's home directory`).option(`-f, --force`,`Skip confirmation`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{if(!n.force){let e=(await import(`node:readline`)).createInterface({input:process.stdin,output:process.stdout});if(!await new Promise(n=>{e.question(`Remove user ${t} from sandbox? [y/N] `,t=>{e.close(),n(t.toLowerCase()===`y`)})})){P(`Cancelled.`);return}}let r=T({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=O(r),a=F(`Removing user...`);a.start(),await(await H(i,r,e)).permissions.remove(t,{preserveHomeDir:n.preserveHome}),a.stop(),j(`User ${t} removed from sandbox ${e}`)}catch(e){B(e)}}),e.command(`policies <sandboxId-or-name> <userId>`).description(`Get access policies for a user`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=T({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=O(r),a=F(`Fetching policies...`);a.start();let o=await(await H(i,r,e)).permissions.getAccessPolicies(t);a.stop(),n.json?A(o):o.length===0?P(`No access policies configured`):k(o.map(e=>({pattern:e.pattern,permission:e.permission,priority:e.priority??0})),[{key:`pattern`,header:`Pattern`,width:30},{key:`permission`,header:`Permission`,width:12},{key:`priority`,header:`Priority`,width:10}])}catch(e){B(e)}}),e.command(`check <sandboxId-or-name> <userId> <path> <action>`).description(`Check if a user can perform an action on a path`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n,r,i)=>{try{if(![`read`,`write`,`execute`].includes(r))throw Error(`Action must be: read, write, or execute`);let a=T({apiKey:i.apiKey,baseUrl:i.baseUrl}),o=O(a),s=F(`Checking access...`);s.start();let c=await(await H(o,a,e)).permissions.checkAccess(t,n,r);s.stop(),c?j(`✓ User ${t} CAN ${r} ${n}`):P(`✗ User ${t} CANNOT ${r} ${n}`)}catch(e){B(e)}}),e}function wo(){let e=new t(`preview`).description(`Manage sandbox preview links`);return e.command(`list`).alias(`ls`).description(`List active preview links for a sandbox`).argument(`<id-or-name>`,`Sandbox ID or name`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=T({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=O(n),i=F(`Fetching preview links...`);t.json||i.start();let a=await(await H(r,n,e)).previewLinks.list();i.stop(),t.json?A(a):a.length===0?console.log(`No preview links found`):z([`Preview ID`,`Port`,`URL`,`Status`],a.map(e=>[e.previewId.slice(0,12),String(e.port),e.url,e.status]))}catch(e){B(e)}}),e.command(`create`).description(`Create a preview link for a port`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`<port>`,`Port number to preview`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=T({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=O(r),a=F(`Creating preview for port ${t}...`);n.json||a.start();let o=await(await H(i,r,e)).previewLinks.create(Number.parseInt(t,10));a.stop(),n.json?A(o):(j(`Preview created: ${o.url}`),console.log(`Preview ID: ${o.previewId}`))}catch(e){B(e)}}),e.command(`remove`).alias(`rm`).description(`Remove a preview link`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`<preview-id>`,`Preview link ID (from 'preview list')`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=T({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=O(r),a=F(`Removing preview...`);n.json||a.start(),await(await H(i,r,e)).previewLinks.remove(t),a.stop(),n.json?A({success:!0,previewId:t}):j(`Preview removed: ${t}`)}catch(e){B(e)}}),e}function To(){let e=new t(`process`).description(`Manage processes in a sandbox`);return e.command(`spawn`).description(`Spawn a process without blocking (returns PID)`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`<command>`,`Command to execute`).option(`--cwd <dir>`,`Working directory`).option(`--env <vars...>`,`Environment variables (KEY=VALUE)`).option(`-t, --timeout <ms>`,`Timeout in milliseconds`).option(`--blocking`,`Wait for completion (default: false)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=T({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=O(r),a={};if(n.env)for(let e of n.env){let[t,...n]=e.split(`=`);t&&n.length>0&&(a[t]=n.join(`=`))}let o=F(`Spawning: ${t}`);n.json||o.start();let s=await H(i,r,e);if(s=await U(s),n.blocking){let e=await s.exec(t,{cwd:n.cwd,env:Object.keys(a).length>0?a:void 0,timeoutMs:n.timeout?Number.parseInt(n.timeout,10):void 0});o.stop(),n.json?A(e):(e.stdout&&globalThis.process.stdout.write(e.stdout),e.stderr&&globalThis.process.stderr.write(e.stderr),e.exitCode!==0&&globalThis.process.exit(e.exitCode))}else{let r=await s.process.spawn(t,{cwd:n.cwd,env:Object.keys(a).length>0?a:void 0,timeoutMs:n.timeout?Number.parseInt(n.timeout,10):void 0});o.stop(),n.json?A({pid:r.pid,command:r.command}):(console.log(`Process started with PID: ${r.pid}`),console.log(`Use 'tangle process logs ${e} ${r.pid}' to view output`))}}catch(e){B(e)}}),e.command(`list`).alias(`ls`).description(`List all processes in a sandbox`).argument(`<id-or-name>`,`Sandbox ID or name`).option(`--running`,`Show only running processes`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=T({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=O(n),i=F(`Fetching processes...`);t.json||i.start();let a=await H(r,n,e);a=await U(a);let o=await a.process.list();t.running&&(o=o.filter(e=>e.running)),i.stop(),t.json?A(o):o.length===0?console.log(`No processes found`):z([`PID`,`Command`,`Status`,`Exit Code`,`Started`],o.map(e=>[String(e.pid),e.command.length>40?`${e.command.slice(0,37)}...`:e.command,e.running?`running`:`exited`,String(e.exitCode),e.startedAt.toLocaleString()]))}catch(e){B(e)}}),e.command(`get`).description(`Get detailed info about a process`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`<pid>`,`Process ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=T({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=O(r),a=F(`Fetching process info...`);n.json||a.start();let o=await H(i,r,e);o=await U(o);let s=await o.process.get(Number.parseInt(t,10));if(a.stop(),!s){console.error(`Process ${t} not found`),globalThis.process.exit(1);return}let c=await s.status();n.json?A(c):(console.log(`PID: ${c.pid}`),console.log(`Command: ${c.command}`),console.log(`CWD: ${c.cwd||`(default)`}`),console.log(`Status: ${c.running?`running`:`exited`}`),console.log(`Exit Code: ${c.exitCode}`),c.exitSignal&&console.log(`Signal: ${c.exitSignal}`),console.log(`Started: ${c.startedAt.toLocaleString()}`),c.exitedAt&&console.log(`Exited: ${c.exitedAt.toLocaleString()}`))}catch(e){B(e)}}),e.command(`kill`).description(`Kill a process`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`<pid>`,`Process ID`).option(`-s, --signal <signal>`,`Signal to send (SIGTERM, SIGKILL, etc.)`,`SIGTERM`).option(`--tree`,`Also kill descendants of the tracked process`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=T({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=O(r),a=F(`Sending ${n.signal} to PID ${t}...`);n.json||a.start();let o=await H(i,r,e);o=await U(o);let s=await o.process.get(Number.parseInt(t,10));if(!s){a.stop(),console.error(`Process ${t} not found`),globalThis.process.exit(1);return}n.tree?await s.kill(n.signal,{tree:!0}):await s.kill(n.signal),a.stop(),n.json?A({pid:Number.parseInt(t,10),signal:n.signal,...n.tree===!0?{tree:!0}:{},killed:!0}):console.log(n.tree?`Sent ${n.signal} to process tree ${t}`:`Sent ${n.signal} to process ${t}`)}catch(e){B(e)}}),e.command(`logs`).description(`Stream buffered and live process logs until the process exits`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`<pid>`,`Process ID`).option(`--stdout-only`,`Only show stdout`).option(`--stderr-only`,`Only show stderr`).option(`--json`,`Output as JSON lines`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=T({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=await H(O(r),r,e);i=await U(i);let a=await i.process.get(Number.parseInt(t,10));if(!a){console.error(`Process ${t} not found`),globalThis.process.exit(1);return}for await(let e of a.logs())n.stdoutOnly&&e.type!==`stdout`||n.stderrOnly&&e.type!==`stderr`||(n.json?console.log(JSON.stringify(e)):e.type===`stdout`?globalThis.process.stdout.write(e.data):globalThis.process.stderr.write(e.data))}catch(e){B(e)}}),e.command(`run-code`).description(`Execute Python code directly`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`<code>`,`Python code to execute`).option(`--cwd <dir>`,`Working directory`).option(`--env <vars...>`,`Environment variables (KEY=VALUE)`).option(`-t, --timeout <ms>`,`Timeout in milliseconds`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=T({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=O(r),a={};if(n.env)for(let e of n.env){let[t,...n]=e.split(`=`);t&&n.length>0&&(a[t]=n.join(`=`))}let o=F(`Executing Python code...`);n.json||o.start();let s=await H(i,r,e);s=await U(s);let c=await s.process.runCode(t,{cwd:n.cwd,env:Object.keys(a).length>0?a:void 0,timeoutMs:n.timeout?Number.parseInt(n.timeout,10):void 0});o.stop(),n.json?A(c):(c.stdout&&globalThis.process.stdout.write(c.stdout),c.stderr&&globalThis.process.stderr.write(c.stderr),c.exitCode!==0&&globalThis.process.exit(c.exitCode))}catch(e){B(e)}}),e}const Eo=[`python`,`node`,`typescript`,`bash`];function Do(e){switch(ne(e).toLowerCase()){case`.py`:return`python`;case`.js`:case`.mjs`:case`.cjs`:return`node`;case`.ts`:case`.tsx`:return`typescript`;case`.sh`:case`.bash`:return`bash`;default:return}}async function Oo(e){if(e===`-`){let e=[];for await(let t of process.stdin)e.push(typeof t==`string`?Buffer.from(t):t);return Buffer.concat(e).toString(`utf8`)}return await Oe(re(e),`utf8`)}async function ko(e,t,n=Oo){let r=t?Eo.find(e=>e===t)??(()=>{throw Error(`unknown --lang ${t}: must be one of ${Eo.join(`, `)}`)})():void 0;if(!e||e===`-`){if(!r)throw Error(`reading from stdin requires --lang. Example: tangle run <id> -l python -`);return{language:r,source:await n(`-`)}}let i=Do(e);return{language:r??i??(()=>{throw Error(`cannot infer language from "${e}". Pass it explicitly: tangle run <id> -l <python|node|typescript|bash> ${e}`)})(),source:await n(e)}}function Ao(e){return m(me(),`tangle-run-images`,e)}function jo(){return new t(`run`).description(`Run code in a persistent kernel inside a sandbox. Variables persist across calls in the same --session.`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`[file]`,`Path to source file. Language is inferred from extension. Use - for stdin (requires --lang).`).option(`-l, --lang <lang>`,`Force language: ${Eo.join(` | `)}. Required for stdin.`).option(`-s, --session <id>`,`Session id for kernel scoping`).option(`-t, --timeout <ms>`,`Per-call timeout in ms (0 disables)`,`60000`).option(`--save-images <dir>`,`Write image results into this directory (default: $TMPDIR/tangle-run-images/<sandbox>/).`).option(`--no-save-images`,`Don't write image results to disk; print summary only`).option(`--json`,`Output the full CodeExecutionResult as JSON`).action(async(e,t,n)=>{try{let{language:r,source:i}=await ko(t,n.lang),o=T({apiKey:n.apiKey,baseUrl:n.baseUrl}),s=await H(O(o),o,e);s=await U(s);let c=F(`Running ${r} (${i.length}b)…`);n.json||c.start();let u=await s.runCode(r,i,{sessionId:n.session,timeoutMs:Number.parseInt(n.timeout,10)});if(c.stop(),n.json){A(u),u.exitCode!==0&&process.exit(u.exitCode);return}u.stdout&&process.stdout.write(u.stdout),u.stderr&&process.stderr.write(u.stderr);let d=0;for(let t of u.results)if(t.type===`image`)if(n.saveImages!==!1){let r=typeof n.saveImages==`string`?n.saveImages:Ao(e);l(r,{recursive:!0});let i=`${r}/${Date.now()}-${d}.${t.format}`;f(i,Buffer.from(t.data,`base64`)),process.stderr.write(a.green(`✓ image → ${i}\n`)),d++}else process.stderr.write(a.gray(`[image: ${t.format}, ${t.data.length}b base64]\n`));else if(t.type===`dataframe`){let e=t.columns.map(e=>`${e.name}:${e.dtype}`).join(` | `);process.stderr.write(a.gray(`[dataframe ${t.rows.length}×${t.columns.length}${t.truncated?` (truncated)`:``}]\n`)),process.stderr.write(`${e}\n`);for(let e of t.rows.slice(0,20))process.stderr.write(`${e.map(e=>String(e)).join(` | `)}\n`);t.rows.length>20&&process.stderr.write(a.gray(`… ${t.rows.length-20} more rows\n`))}else t.type===`json`?(process.stderr.write(a.gray(`[json] `)),process.stderr.write(`${JSON.stringify(t.value,null,2)}\n`)):t.type===`html`?process.stderr.write(a.gray(`[html ${t.value.length}b]\n`)):t.type===`error`?(process.stderr.write(a.red(`✗ ${t.name}: ${t.message}\n`)),t.traceback&&process.stderr.write(`${t.traceback}\n`)):t.type===`text`&&process.stderr.write(`${t.value}\n`);u.error&&(process.stderr.write(a.red(`\n✗ ${u.error.name}: ${u.error.message}\n`)),u.error.traceback&&process.stderr.write(`${u.error.traceback}\n`)),u.exitCode!==0&&process.exit(u.exitCode)}catch(e){B(e)}})}function Mo(e){return`${e.name} (${e.id})`}async function No(e,t){if(t.startsWith(`team_`))return e.teams.get(t);let n=(await e.teams.list()).filter(e=>e.name.toLowerCase()===t.toLowerCase());if(n.length===0)throw Error(`Team not found: ${t}`);if(n.length>1)throw Error(`Team name is ambiguous: ${t}. Use a team id instead.`);return n[0]}async function Q(e,t,n){if(t)return No(e,t);let r=Nt(n);if(!r.activeTeamId)throw Error("No active team. Run `tangle team switch <team>` or pass `--team <team>`.");return e.teams.get(r.activeTeamId)}function Po(e,t){Pt({id:e.id,name:e.name},t)}function Fo(e){Ft(e)}const Io=[{flag:`--git-token`,guidance:`Use --git-token-env <NAME> or --git-token-stdin so the secret never appears in argv (visible to other processes via /proc/<pid>/cmdline) or in shell history.`},{flag:`--storage-secret-access-key`,guidance:`Use --storage-secret-access-key-env <NAME> or --storage-secret-access-key-stdin so the secret never appears in argv (visible to other processes via /proc/<pid>/cmdline) or in shell history.`},{flag:`--backend-api-key`,guidance:`Use --backend-api-key-env <NAME> or --backend-api-key-stdin so the BYOK secret never appears in argv (visible to other processes via /proc/<pid>/cmdline) or in shell history.`}];function Lo(e){for(let{flag:t,guidance:n}of Io){let r=`${t}=`;if(e.some(e=>e===t||e.startsWith(r)))throw Error(`Refusing to read secret from ${t} on the command line. ${n}`)}}async function Ro(e){let t=typeof e.envVarName==`string`&&e.envVarName.length>0?e.envVarName:null,n=!!e.fromStdin;if(t&&n)throw Error(`Pass either ${e.flagPrefix}-env or ${e.flagPrefix}-stdin, not both`);if(t){let n=process.env[t];if(!n||n.length===0)throw Error(`${e.flagPrefix}-env points at ${t}, but that environment variable is empty or unset`);return n}if(n){let t=await Dn();if(t.length===0)throw Error(`${e.flagPrefix}-stdin received empty input on stdin`);return t}}function zo(e){let t=e.split(`/`);return t.length>=2?{provider:t[0],model:t.slice(1).join(`/`)}:{model:e}}function Bo(){let e=new t(`sandbox`).description(`Manage sandboxes`);e.command(`create`).description(`Create a new sandbox`).option(`-n, --name <name>`,`Sandbox name`).option(`-e, --environment <environment>`,`Environment name (e.g. universal, node, python)`).option(`-i, --image <image>`,`Alias for --environment (deprecated)`).option(`--bare`,`Create a bare sandbox without the agent runtime`).option(`--ssh`,`Enable SSH access`).option(`--ssh-key <key>`,`SSH public key for authentication`).option(`--ssh-keys <names...>`,`Stored SSH key names or IDs for authentication`).option(`--ssh-key-file <paths...>`,`SSH public key file paths for authentication`).option(`--web-terminal`,`Enable web terminal`).option(`--env <vars...>`,`Environment variables (KEY=VALUE)`).option(`--secret <names...>`,`Secrets to inject as environment variables`).option(`--metadata <entries...>`,`Metadata entries (KEY=VALUE or KEY=JSON)`).option(`--cpu <cores>`,`CPU cores`,`2`).option(`--memory <mb>`,`Memory in MB`,`4096`).option(`--disk <gb>`,`Disk size in GB`,`20`).option(`--accelerator-kind <kind>`,`Accelerator kind, for example nvidia-h100 or amd-mi300x`).option(`--accelerator-count <count>`,`Accelerator device count`,`1`).option(`--accelerator-memory <mb>`,`Minimum accelerator memory in MB`).option(`--gpu-provider <provider>`,`GPU cloud provider; omitted picks the cheapest configured provider`).option(`--gpu-worker-image <image>`,`GPU worker image override`).option(`--gpu-env <vars...>`,`Environment variables for the GPU worker (KEY=VALUE)`).option(`--gpu-max-spend-usd <usd>`,`Maximum customer spend for the create-time GPU lease`).option(`--gpu-max-lifetime <seconds>`,`Maximum create-time GPU lease lifetime in seconds`).option(`--gpu-idle-timeout <seconds>`,`Destroy the create-time GPU lease after this many idle seconds`).option(`--lifetime <seconds>`,`Max wall-clock lifetime before the sandbox is deleted (default 3600 = 1h). Raise it for long sessions, e.g. --lifetime 7200`,`3600`).option(`--idle-timeout <seconds>`,"Idle time before the sandbox is stopped — not deleted (default 900 = 15m). Resume it later with `tangle sandbox resume <id-or-name>`, or it auto-resumes on next use. Raise it for demos, e.g. --idle-timeout 3600",`900`).option(`--from-snapshot <id>`,`Create the sandbox from a snapshot`).option(`--public-template <id-or-slug>`,`Create the sandbox from a published public template`).option(`--public-template-version <id>`,`Pin creation to a specific published public-template version`).option(`--team <team>`,`Create in a team by id or name`).option(`--personal`,`Create a personal sandbox even when a team is active`).option(`--port <ports...>`,`Ports to expose at creation time`).option(`--git-url <url>`,`Git repository URL to clone during provisioning`).option(`--git-ref <ref>`,`Git branch, tag, or commit to checkout`).option(`--git-depth <depth>`,`Git clone depth`).option(`--git-sparse <paths...>`,`Sparse checkout paths`).option(`--git-token-env <name>`,`Name of an environment variable containing the Git HTTPS auth token`).option(`--git-token-stdin`,`Read the Git HTTPS auth token from stdin`).option(`--git-token <token>`,`[removed] use --git-token-env or --git-token-stdin`).option(`--tool <specs...>`,`Tool versions to preinstall (NAME=VERSION)`).option(`--storage-type <type>`,`BYOS3 storage type (s3, gcs, r2)`).option(`--storage-bucket <name>`,`BYOS3 bucket name`).option(`--storage-endpoint <url>`,`BYOS3 endpoint URL`).option(`--storage-region <region>`,`BYOS3 region`).option(`--storage-prefix <prefix>`,`BYOS3 path prefix`).option(`--storage-access-key-id <id>`,`BYOS3 access key ID`).option(`--storage-secret-access-key-env <name>`,`Name of an environment variable containing the BYOS3 secret access key`).option(`--storage-secret-access-key-stdin`,`Read the BYOS3 secret access key from stdin`).option(`--storage-secret-access-key <key>`,`[removed] use --storage-secret-access-key-env or --storage-secret-access-key-stdin`).option(`--default-role <role>`,`Default permission role (owner, admin, developer, viewer)`).option(`--initial-user <specs...>`,`Initial users (USER_ID or USER_ID:ROLE)`).option(`--multi-user`,`Enable multi-user permissions at creation`).option(`--driver <type>`,`Infrastructure driver (docker, firecracker, host-agent, tangle)`).option(`--driver-criu`,`Enable CRIU checkpointing (firecracker only)`).option(`--driver-region <region>`,`Preferred region for host-agent driver`).option(`--backend <type>`,`Backend agent type (opencode, claude-code, codex, cursor, amp)`).option(`--backend-profile <name>`,`Backend profile name`).option(`--backend-model <model>`,`Model override (format: provider/model)`).option(`--backend-api-key-env <name>`,`Name of an environment variable containing the BYOK backend API key`).option(`--backend-api-key-stdin`,`Read the BYOK backend API key from stdin`).option(`--backend-api-key <key>`,`[removed] use --backend-api-key-env or --backend-api-key-stdin`).option(`--tee <type>`,`Require a TEE backend (any, tdx, nitro, sev-snp, phala-dstack)`).option(`--sealed`,`Request TEE sealed-secret support`).option(`--attestation-nonce <hex|auto>`,`Deploy-time attestation nonce; use auto to generate one`).option(`--attestation-refresh`,`Generate a fresh deploy-time attestation nonce when --tee is set`).option(`--require-attestation`,`Fail unless TEE attestation evidence is returned`).option(`--block-network`,`Block all outbound network traffic`).option(`--allow-list <cidrs>`,`CIDR allowlist for outbound traffic (comma-separated)`).option(`--wait`,`Wait for sandbox to be running`,!0).option(`--timeout <ms>`,`HTTP timeout in milliseconds`,`30000`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{Lo(process.argv);let t=await Ro({envVarName:e.gitTokenEnv,fromStdin:e.gitTokenStdin,flagPrefix:`--git-token`}),n=await Ro({envVarName:e.storageSecretAccessKeyEnv,fromStdin:e.storageSecretAccessKeyStdin,flagPrefix:`--storage-secret-access-key`}),r=await Ro({envVarName:e.backendApiKeyEnv,fromStdin:e.backendApiKeyStdin,flagPrefix:`--backend-api-key`}),i=T({apiKey:e.apiKey,baseUrl:e.baseUrl,timeout:e.timeout?Number.parseInt(e.timeout,10):void 0}),a=O(i),o=F(`Creating sandbox...`);o.start();let s=await Jo({client:a,explicitTeam:e.team,personal:e.personal,activeTeamId:i.activeTeamId}),c={};if(e.env)for(let t of e.env){let[e,...n]=t.split(`=`);e&&n.length>0&&(c[e]=n.join(`=`))}let l=e.tool?ha(e.tool,`--tool`,`tool spec`):void 0,d=e.metadata?Ho(e.metadata):void 0,f=Go(e,t),p=Ko(e,n),ee=qo(e),te=e.port?Wo(e.port,`--port`):void 0,ne=e.acceleratorKind?fa({kind:String(e.acceleratorKind),count:String(e.acceleratorCount),memory:typeof e.acceleratorMemory==`string`?e.acceleratorMemory:void 0}):void 0,m=pa({provider:typeof e.gpuProvider==`string`?e.gpuProvider:void 0,image:typeof e.gpuWorkerImage==`string`?e.gpuWorkerImage:void 0,env:Array.isArray(e.gpuEnv)?e.gpuEnv:void 0,maxSpendUsd:typeof e.gpuMaxSpendUsd==`string`?e.gpuMaxSpendUsd:void 0,maxLifetime:typeof e.gpuMaxLifetime==`string`?e.gpuMaxLifetime:void 0,idleTimeout:typeof e.gpuIdleTimeout==`string`?e.gpuIdleTimeout:void 0},!!ne,`Create-time GPU lease flags require --accelerator-kind`),re=e.driver?{type:e.driver,enableCriu:e.driverCriu||void 0,preferredRegion:e.driverRegion}:void 0,ie=e.backend||e.backendProfile||e.backendModel?{type:e.backend??`opencode`,profile:e.backendProfile,model:e.backendModel||r?{...e.backendModel?zo(e.backendModel):{},apiKey:r}:void 0}:void 0,h=e.blockNetwork||e.allowList||te?{blockOutbound:e.blockNetwork||void 0,allowList:e.allowList?e.allowList.split(`,`).map(e=>e.trim()):void 0,ports:te}:void 0,ae=[...e.sshKey?[e.sshKey]:[],...(e.sshKeyFile??[]).map(e=>u(e,`utf8`).trim())],oe={name:e.name,environment:e.environment??e.image,bare:e.bare||void 0,sshEnabled:e.ssh||!!e.sshKey||ae.length>0||!!e.sshKeys?.length,sshPublicKeys:ae.length>0?ae:void 0,sshKeyIds:e.sshKeys,webTerminalEnabled:e.webTerminal,env:Object.keys(c).length>0?c:void 0,git:f,tools:l,resources:{cpuCores:Number.parseInt(e.cpu,10),memoryMB:Number.parseInt(e.memory,10),diskGB:Number.parseInt(e.disk,10),accelerator:ne},gpuLease:m,maxLifetimeSeconds:Number.parseInt(e.lifetime,10),idleTimeoutSeconds:Number.parseInt(e.idleTimeout,10),storage:p,fromSnapshot:e.fromSnapshot,publicTemplateId:e.publicTemplate,publicTemplateVersionId:e.publicTemplateVersion,teamId:s,secrets:e.secret,metadata:d,driver:re,backend:ie,permissions:ee,network:h},g=e.tee?{tee:e.tee,sealed:e.sealed||void 0,attestationRefresh:e.attestationRefresh||e.attestationNonce===`auto`||void 0}:void 0,_=g?await le(a,{...oe,confidential:g,attestationNonce:e.attestationNonce??(e.attestationRefresh?`auto`:void 0),requireAttestation:e.requireAttestation??!0}):void 0,v=_?.sandbox??await a.create(oe);e.wait&&(o.text=`Waiting for sandbox to start...`,await v.waitFor(`running`,{timeoutMs:12e4}),await v.refresh()),o.stop(),e.json?A({id:v.id,name:v.name,status:v.status,createdAt:v.createdAt,expiresAt:v.expiresAt,connection:Vo(v.connection),teamId:s,gpuLease:v.gpuLease,confidential:g,attestation:_?.attestation,attestationNonce:_?.attestationNonce}):(j(`Sandbox created: ${v.id}`),en({id:v.id,name:v.name,status:v.status,createdAt:v.createdAt?.toISOString(),expiresAt:v.expiresAt?.toISOString(),connection:v.connection}),s&&console.log(`Team: ${s}`),v.gpuLease&&(console.log(`GPU lease: ${v.gpuLease.id}`),$o(v.gpuLease)),g&&(console.log(`TEE: ${g.tee}`),console.log(`Attestation: ${_?.attestation?`present`:`not returned`}`),_?.attestationNonce&&console.log(`Attestation nonce: ${_.attestationNonce}`)))}catch(e){B(e)}}),e.command(`attestation <id-or-name>`).description(`Fetch TEE attestation evidence for a sandbox`).option(`--nonce <hex|auto>`,`Nonce to bind into a fresh attestation report; use auto to generate one`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=T({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=O(n),i=t.nonce===`auto`?ue():t.nonce,a=F(`Fetching TEE attestation...`);a.start();let o=await(await H(r,n,e)).getTeeAttestation(i?{attestationNonce:i}:void 0);a.stop(),t.json?A(o):(j(`Attestation fetched for ${e}`),console.log(`TEE type: ${o.attestation.tee_type}`),console.log(`Evidence bytes: ${o.attestation.evidence.length}`),console.log(`Measurement bytes: ${o.attestation.measurement.length}`),console.log(`Timestamp: ${o.attestation.timestamp}`),o.attestationNonce&&console.log(`Nonce: ${o.attestationNonce}`))}catch(e){B(e)}}),e.command(`list`).description(`List all sandboxes`).option(`-s, --status <status>`,`Filter by status (running, stopped, all)`).option(`-l, --limit <n>`,`Limit results`,`50`).option(`--team <team>`,`List sandboxes for a team by id or name`).option(`--personal`,`List personal sandboxes`).option(`--all-scopes`,`List personal and team sandboxes`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=T({apiKey:e.apiKey,baseUrl:e.baseUrl}),n=O(t),r=F(`Fetching sandboxes...`);r.start();let i=await Yo({client:n,explicitTeam:e.team,personal:e.personal,allScopes:e.allScopes,activeTeamId:t.activeTeamId}),a=await n.list({status:e.status===`all`?void 0:e.status,limit:Number.parseInt(e.limit,10),scope:i});r.stop(),e.json?A(a):k(a.map(e=>({id:e.id,status:e.status,createdAt:e.createdAt,name:e.name??``})),[{key:`id`,header:`ID`,width:24},{key:`status`,header:`Status`,width:14},{key:`createdAt`,header:`Created`,width:16},{key:`name`,header:`Name`,width:20}])}catch(e){B(e)}}),e.command(`get <id-or-name>`).description(`Get sandbox details`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=T({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=O(n),i=F(`Fetching sandbox...`);i.start();let a=await H(r,n,e);i.stop(),t.json?A(a):en({id:a.id,name:a.name,status:a.status,createdAt:a.createdAt?.toISOString(),expiresAt:a.expiresAt?.toISOString(),connection:a.connection})}catch(e){B(e)}}),e.command(`delete <id-or-name>`).description(`Delete a sandbox`).option(`-f, --force`,`Skip confirmation`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{if(!t.force){let t=(await import(`node:readline`)).createInterface({input:process.stdin,output:process.stdout});if(!await new Promise(n=>{t.question(`Delete sandbox ${e}? [y/N] `,e=>{t.close(),n(e.toLowerCase()===`y`)})})){P(`Cancelled.`);return}}let n=T({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=O(n),i=F(`Deleting sandbox...`);i.start(),await(await H(r,n,e)).delete(),i.stop(),j(`Sandbox ${e} deleted.`)}catch(e){B(e)}}),e.command(`stop <id-or-name>`).description(`Stop a running sandbox`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=T({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=O(n),i=F(`Stopping sandbox...`);i.start(),await(await H(r,n,e)).stop(),i.stop(),j(`Sandbox ${e} stopped.`)}catch(e){B(e)}}),e.command(`resume <id-or-name>`).description(`Resume a stopped sandbox`).option(`--wait`,`Wait for sandbox to be running`,!0).option(`-t, --timeout <ms>`,`Resume timeout in milliseconds; a cold resume re-provisions the sandbox, so this defaults higher than other commands (default 120000)`,`120000`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=Number.parseInt(t.timeout,10);if(!Number.isFinite(n)||n<=0)throw Error(`--timeout must be a positive number of milliseconds`);let r=T({apiKey:t.apiKey,baseUrl:t.baseUrl,timeout:n}),i=O(r),a=F(`Resuming sandbox...`);a.start();let o=await H(i,r,e);await o.resume({timeoutMs:n}),t.wait&&(a.text=`Waiting for sandbox to start...`,await o.waitFor(`running`,{timeoutMs:n})),a.stop(),j(`Sandbox ${o.id} resumed.`)}catch(e){B(e)}});let n=e.command(`gpu`).description(`Manage on-demand GPU leases for a sandbox`);return n.command(`attach <id-or-name>`).description(`Attach a temporary GPU worker to a sandbox`).requiredOption(`--accelerator-kind <kind>`,`GPU kind, for example nvidia-h100`).option(`--accelerator-count <count>`,`GPU device count`,`1`).option(`--accelerator-memory <mb>`,`Minimum GPU memory in MB`).option(`--provider <provider>`,`GPU cloud provider; omitted picks the cheapest configured provider`).option(`--image <image>`,`GPU worker image override`).option(`--env <vars...>`,`Environment variables for the GPU worker (KEY=VALUE)`).requiredOption(`--max-spend-usd <usd>`,`Maximum customer spend for this lease`).requiredOption(`--max-lifetime <seconds>`,`Maximum lease lifetime in seconds`).option(`--idle-timeout <seconds>`,`Destroy after this many idle seconds`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=T({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=O(n),i=F(`Attaching GPU lease...`);i.start();let a=await(await H(r,n,e)).gpu.attach(ma(t));i.stop(),t.json?A(a):(j(`GPU lease attached: ${a.id}`),$o(a))}catch(e){B(e)}}),n.command(`run <id-or-name> <command...>`).description(`Attach a temporary GPU, run a command, then destroy it`).requiredOption(`--accelerator-kind <kind>`,`GPU kind, for example nvidia-h100`).option(`--accelerator-count <count>`,`GPU device count`,`1`).option(`--accelerator-memory <mb>`,`Minimum GPU memory in MB`).option(`--provider <provider>`,`GPU cloud provider; omitted picks the cheapest configured provider`).option(`--image <image>`,`GPU worker image override`).option(`--env <vars...>`,`Environment variables for the GPU worker and command (KEY=VALUE)`).requiredOption(`--max-spend-usd <usd>`,`Maximum customer spend for this lease`).requiredOption(`--max-lifetime <seconds>`,`Maximum lease lifetime in seconds`).option(`--idle-timeout <seconds>`,`Destroy after this many idle seconds`).option(`--timeout <ms>`,`Command timeout in milliseconds`).option(`--cwd <path>`,`Working directory`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{let r,i,a,o;try{let a=T({apiKey:n.apiKey,baseUrl:n.baseUrl}),o=await H(O(a),a,e),s=F(`Attaching GPU lease...`);s.start(),r=await o.gpu.attach(ma(n)),s.stop();let c=F(`Running GPU command...`);c.start(),i=await o.gpu.exec(r.id,{command:t.join(` `),timeoutMs:n.timeout?J(String(n.timeout),`--timeout`):void 0,cwd:n.cwd,env:n.env?ha(n.env,`--env`,`env`):void 0}),c.stop(),n.json||es(i)}catch(e){a=e}finally{if(r)try{let t=T({apiKey:n.apiKey,baseUrl:n.baseUrl});r=await(await H(O(t),t,e)).gpu.detach(r.id)}catch(e){o=e}}if(a){B(a),o&&B(o);return}if(o){B(o);return}n.json?A({lease:r,result:i}):r&&j(`GPU lease detached: ${r.id}`);let s=i?.result.exitCode;s&&s!==0&&(process.exitCode=s)}),n.command(`list <id-or-name>`).description(`List GPU leases attached to a sandbox`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=T({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=O(n),i=F(`Fetching GPU leases...`);i.start();let a=await(await H(r,n,e)).gpu.list();i.stop(),t.json?A(a):a.length===0?P(`No GPU leases attached.`):k(a.map(e=>({id:e.id,status:e.status,provider:e.provider,accelerator:`${e.accelerator.kind}x${e.accelerator.count}`,customerUsdHr:e.customerPricePerHourUsd??``})),[{key:`id`,header:`ID`,width:28},{key:`status`,header:`Status`,width:12},{key:`provider`,header:`Provider`,width:12},{key:`accelerator`,header:`GPU`,width:24},{key:`customerUsdHr`,header:`$/hr`,width:10}])}catch(e){B(e)}}),n.command(`exec <id-or-name> <lease-id> <command...>`).description(`Run a command on an attached GPU lease`).option(`--timeout <ms>`,`Command timeout in milliseconds`).option(`--cwd <path>`,`Working directory`).option(`--env <vars...>`,`Environment variables (KEY=VALUE)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n,r)=>{try{let i=T({apiKey:r.apiKey,baseUrl:r.baseUrl}),a=O(i),o=F(`Running GPU command...`);o.start();let s=await(await H(a,i,e)).gpu.exec(t,{command:n.join(` `),timeoutMs:r.timeout?J(String(r.timeout),`--timeout`):void 0,cwd:r.cwd,env:r.env?ha(r.env,`--env`,`env`):void 0});o.stop(),r.json?A(s):es(s)}catch(e){B(e)}}),n.command(`detach <id-or-name> <lease-id>`).description(`Detach and destroy a GPU lease`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=T({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=O(r),a=F(`Detaching GPU lease...`);a.start();let o=await(await H(i,r,e)).gpu.detach(t);a.stop(),n.json?A(o):(j(`GPU lease detached: ${o.id}`),$o(o))}catch(e){B(e)}}),e.command(`network <id-or-name>`).description(`Update network configuration for a sandbox`).option(`--block-outbound`,`Block all outbound network traffic`).option(`--allow-list <cidrs>`,`CIDR allowlist for outbound traffic (comma-separated)`).option(`--clear`,`Clear all network restrictions (allow all traffic)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=T({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=O(n),i=F(`Updating network configuration...`);i.start();let a=await H(r,n,e);if(t.clear)await a.network.update({blockOutbound:!1,allowList:[]});else if(t.blockOutbound)await a.network.update({blockOutbound:!0});else if(t.allowList){let e=t.allowList.split(`,`).map(e=>e.trim());await a.network.update({allowList:e})}else{i.stop();let e=await a.network.getConfig();t.json?A(e):(P(`Network Configuration:`),e.blockOutbound?P(` Block Outbound: true (all outbound traffic blocked)`):e.allowList&&e.allowList.length>0?P(` Allow List: ${e.allowList.join(`, `)}`):P(` No restrictions (all traffic allowed)`),e.ports&&e.ports.length>0&&P(` Exposed Ports: ${e.ports.join(`, `)}`));return}i.stop();let o=await a.network.getConfig();t.json?A(o):(j(`Network configuration updated.`),o.blockOutbound?P(` Block Outbound: true`):o.allowList&&o.allowList.length>0?P(` Allow List: ${o.allowList.join(`, `)}`):P(` All traffic allowed`))}catch(e){B(e)}}),e.command(`expose <id-or-name>`).description(`Expose a port and get a public URL`).option(`-p, --port <port>`,`Port to expose`,`8000`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=T({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=O(n),i=Number.parseInt(t.port,10);if(Number.isNaN(i)||i<1||i>65535)throw Error(`Port must be a number between 1 and 65535`);let a=F(`Exposing port ${i}...`);a.start();let o=await(await H(r,n,e)).network.exposePort(i);a.stop(),t.json?A({port:i,url:o}):(j(`Port ${i} exposed.`),P(` URL: ${o}`))}catch(e){B(e)}}),e.command(`urls <id-or-name>`).description(`List exposed port URLs for a sandbox`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=T({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=O(n),i=F(`Fetching exposed URLs...`);i.start();let a=await(await H(r,n,e)).network.listUrls();if(i.stop(),t.json)A(a);else{let e=Object.entries(a);if(e.length===0)P(`No ports exposed.`);else{P(`Exposed Ports:`);for(let[t,n]of e)P(` ${t}: ${n}`)}}}catch(e){B(e)}}),e}function Vo(e){return!e||e.authToken===void 0?e:{...e,authToken:`[REDACTED]`}}function Ho(e){let t={};for(let n of e){let[e,...r]=n.split(`=`);if(!e||r.length===0)throw Error(`--metadata expects values in KEY=VALUE or KEY=JSON format`);t[e]=Uo(r.join(`=`))}return t}function Uo(e){try{return JSON.parse(e)}catch{return e}}function Wo(e,t){return e.map(e=>{let n=Number.parseInt(e,10);if(Number.isNaN(n)||n<1||n>65535)throw Error(`${t} values must be integers between 1 and 65535`);return n})}function Go(e,t){if(!(!e.gitUrl&&!e.gitRef&&!e.gitDepth&&!e.gitSparse&&!t)){if(!e.gitUrl||typeof e.gitUrl!=`string`)throw Error(`--git-url is required when using git provisioning options`);return{url:e.gitUrl,ref:typeof e.gitRef==`string`?e.gitRef:void 0,depth:typeof e.gitDepth==`string`?J(e.gitDepth,`--git-depth`):void 0,sparse:Array.isArray(e.gitSparse)?e.gitSparse:void 0,auth:t?{token:t}:void 0}}}function Ko(e,t){if(!(!e.storageType&&!e.storageBucket&&!e.storageEndpoint&&!e.storageRegion&&!e.storagePrefix&&!e.storageAccessKeyId&&!t)){if(typeof e.storageType!=`string`||typeof e.storageBucket!=`string`||typeof e.storageAccessKeyId!=`string`||!t)throw Error(`Storage config requires --storage-type, --storage-bucket, --storage-access-key-id, and one of --storage-secret-access-key-env / --storage-secret-access-key-stdin`);return{type:Qo(e.storageType),bucket:e.storageBucket,endpoint:typeof e.storageEndpoint==`string`?e.storageEndpoint:void 0,region:typeof e.storageRegion==`string`?e.storageRegion:void 0,prefix:typeof e.storagePrefix==`string`?e.storagePrefix:void 0,credentials:{accessKeyId:e.storageAccessKeyId,secretAccessKey:t}}}}function qo(e){let t=Array.isArray(e.initialUser)?e.initialUser.map(Xo):void 0,n=typeof e.defaultRole==`string`?Zo(e.defaultRole):void 0,r=e.multiUser?!0:void 0;if(!(!n&&!t&&!r))return{defaultRole:n,initialUsers:t,multiUser:r}}async function Jo(e){if(e.explicitTeam&&e.personal)throw Error(`--team and --personal cannot be used together`);if(!e.personal)return e.explicitTeam?(await No(e.client,e.explicitTeam)).id:e.activeTeamId}async function Yo(e){if([!!e.explicitTeam,!!e.personal,!!e.allScopes].filter(Boolean).length>1)throw Error(`--team, --personal, and --all-scopes are mutually exclusive`);if(e.allScopes)return`all`;if(e.personal)return`personal`;if(e.explicitTeam)return`team:${(await No(e.client,e.explicitTeam)).id}`;if(e.activeTeamId)return`team:${e.activeTeamId}`}function Xo(e){let[t,n]=e.split(`:`);if(!t)throw Error(`--initial-user expects USER_ID or USER_ID:ROLE`);return{userId:t,role:n?Zo(n):void 0}}function Zo(e){if(e===`owner`||e===`admin`||e===`developer`||e===`viewer`)return e;throw Error(`--default-role and --initial-user roles must be one of owner, admin, developer, viewer`)}function Qo(e){if(e===`s3`||e===`gcs`||e===`r2`)return e;throw Error(`--storage-type must be one of s3, gcs, or r2`)}function $o(e){P(` Status: ${e.status}`),P(` Provider: ${e.provider}`),P(` GPU: ${e.accelerator.kind} x ${e.accelerator.count}`),e.customerPricePerHourUsd!==void 0&&P(` Customer price: $${e.customerPricePerHourUsd}/hr`),e.estimatedCustomerCostUsd!==void 0&&P(` Max estimate: $${e.estimatedCustomerCostUsd}`),e.billing&&(P(` Billed seconds: ${e.billing.seconds}`),P(` Customer cost: $${e.billing.customerCostUsd}`))}function es(e){e.result.stdout&&process.stdout.write(e.result.stdout),e.result.stderr&&process.stderr.write(e.result.stderr),P(`Exit code: ${e.result.exitCode}`)}function ts(){return new t(`search`).description(`Search for text patterns in sandbox files (ripgrep)`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`<pattern>`,`Search pattern (regex)`).option(`-g, --glob <pattern>`,`File glob filter (e.g. '**/*.ts')`).option(`-n, --max-results <count>`,`Max results to return`).option(`-i, --ignore-case`,`Case-insensitive search`).option(`--json`,`Output as JSON lines`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=T({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=O(r),a=F(`Searching...`);n.json||a.start();let o=await H(i,r,e),s=0,c=n.maxResults?Number.parseInt(n.maxResults,10):void 0,l={};n.glob&&(l.glob=n.glob),n.ignoreCase&&(l.ignoreCase=!0),c&&(l.maxResults=c);for await(let e of o.search(t,l))if(s===0&&a.stop(),s++,n.json?console.log(JSON.stringify(e)):console.log(`${e.path}:${e.line}:${e.column??0}: ${e.text}`),c&&s>=c)break;a.stop(),s===0&&!n.json&&console.log(`No matches found`)}catch(e){B(e)}})}function ns(){let e=new t(`secret`).description(`Manage secrets`);return e.command(`create`).description(`Create a new secret`).argument(`<name>`,`Secret name (e.g., HF_TOKEN, AWS_ACCESS_KEY)`).argument(`[value]`,`Secret value`).option(`--value-stdin`,`Read secret value from stdin`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=O(T({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=await rs({value:t,valueStdin:n.valueStdin,prompt:`Enter value for secret '${e}': `}),a=F(`Creating secret...`);a.start();let o=await r.secrets.create(e,i);a.stop(),n.json?A({name:o.name,createdAt:o.createdAt.toISOString(),updatedAt:o.updatedAt.toISOString()}):(j(`Secret created: ${o.name}`),P(`Use --secrets ${o.name} when creating a sandbox to inject it as an environment variable.`))}catch(e){B(e)}}),e.command(`list`).description(`List all secrets`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=O(T({apiKey:e.apiKey,baseUrl:e.baseUrl})),n=F(`Fetching secrets...`);n.start();let r=await t.secrets.list();n.stop(),e.json?A(r.map(e=>({name:e.name,createdAt:e.createdAt.toISOString(),updatedAt:e.updatedAt.toISOString()}))):r.length===0?(P(`No secrets found.`),P(`Use 'tangle secret create <name> [value]' to create one.`)):z([`Name`,`Created At`,`Updated At`],r.map(e=>[e.name,e.createdAt.toLocaleString(),e.updatedAt.toLocaleString()]))}catch(e){B(e)}}),e.command(`show`).description(`Show a secret value (requires --reveal to print plaintext)`).argument(`<name>`,`Secret name`).option(`--reveal`,`Print the plaintext secret value to stdout. Without this flag the command exits with a redaction notice.`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{if(!t.reveal){process.stderr.write(`Refusing to print secret '${e}' as plaintext. Re-run with --reveal to confirm and write the value to stdout.
147
+ `),process.exitCode=1;return}let n=O(T({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=F(`Fetching secret...`);r.start();let i=await n.secrets.get(e);r.stop(),process.stderr.write(`WARNING: secret '${e}' is being printed in plaintext. Avoid storing this output in shell history, screenshots, or logs.
148
+ `),t.json?A({name:e,value:i}):console.log(i)}catch(e){B(e)}}),e.command(`update`).description(`Update a secret value`).argument(`<name>`,`Secret name`).argument(`[value]`,`New secret value`).option(`--value-stdin`,`Read secret value from stdin`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=O(T({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=await rs({value:t,valueStdin:n.valueStdin,prompt:`Enter new value for secret '${e}': `}),a=F(`Updating secret...`);a.start();let o=await r.secrets.update(e,i);a.stop(),n.json?A({name:o.name,createdAt:o.createdAt.toISOString(),updatedAt:o.updatedAt.toISOString()}):j(`Secret updated: ${o.name}`)}catch(e){B(e)}}),e.command(`delete`).description(`Delete a secret`).argument(`<name>`,`Secret name`).option(`--force`,`Skip confirmation prompt`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=O(T({apiKey:t.apiKey,baseUrl:t.baseUrl}));if(!t.force&&!await W(`Are you sure you want to delete secret '${e}'? This cannot be undone. (y/N) `)){P(`Cancelled.`);return}let r=F(`Deleting secret...`);r.start(),await n.secrets.delete(e),r.stop(),t.json?A({success:!0,deleted:e}):j(`Secret deleted: ${e}`)}catch(e){B(e)}}),e}async function rs(e){if(e.value!==void 0&&e.valueStdin)throw Error(`Provide either a secret value argument or --value-stdin, not both`);if(e.value!==void 0){if(e.value.length===0)throw Error(`Secret value cannot be empty`);return e.value}if(e.valueStdin){let e=await Dn();if(e.length===0)throw Error(`Secret value from stdin cannot be empty`);return e}let t=await En(e.prompt);if(t.length===0)throw Error(`Secret value cannot be empty`);return t}function is(){let e=new t(`skill`).description(`Print paths to shipped skill documentation`);return e.command(`path`).description(`Print the absolute path to the SKILL.md shipped with this CLI`).action(()=>{let e=p.dirname(ke(import.meta.url)),t=p.resolve(e,`..`,`SKILL.md`);console.log(t)}),e}function as(){let e=new t(`snapshot`).description(`Manage snapshots`);return e.command(`create <sandbox-id-or-name>`).description(`Create a snapshot of a sandbox`).option(`--tags <tags...>`,`Tags for the snapshot`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=T({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=O(n),i=F(`Creating snapshot...`);i.start();let a=await(await H(r,n,e)).snapshot({tags:t.tags});i.stop(),t.json?A(a):(j(`Snapshot created: ${a.snapshotId}`),console.log(`Size: ${os(a.sizeBytes??0)}`))}catch(e){B(e)}}),e.command(`list <sandbox-id-or-name>`).description(`List snapshots for a sandbox`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=T({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=O(n),i=F(`Fetching snapshots...`);i.start();let a=await(await H(r,n,e)).listSnapshots();i.stop(),t.json?A(a):k(a.map(e=>({...e,size:os(e.sizeBytes??0)})),[{key:`snapshotId`,header:`ID`,width:24},{key:`createdAt`,header:`Created`,width:16},{key:`size`,header:`Size`,width:12},{key:`sandboxId`,header:`Sandbox`,width:20}])}catch(e){B(e)}}),e.command(`restore <sandbox-id> <snapshot-id>`).description(`Create a new sandbox from a snapshot`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=O(T({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=F(`Restoring from snapshot...`);i.start();let a=await r.create({fromSnapshot:t,fromSandboxId:e});await a.waitFor(`running`,{timeoutMs:12e4}),i.stop(),n.json?A({sandboxId:a.id,restoredFrom:t,status:a.status}):(j(`New sandbox created: ${a.id}`),console.log(`Source snapshot: ${t}`))}catch(e){B(e)}}),e.command(`revert <sandbox-id-or-name> <snapshot-id>`).description(`Revert an existing sandbox to a snapshot`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=T({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=O(r),a=F(`Reverting sandbox to snapshot...`);a.start();let o=await H(i,r,e),s=await o.revertToSnapshot(t);await o.refresh(),a.stop(),n.json?A({sandboxId:o.id,snapshotId:s.snapshotId,status:o.status}):(j(`Sandbox reverted: ${o.id}`),console.log(`Source snapshot: ${s.snapshotId}`))}catch(e){B(e)}}),e.command(`delete <sandbox-id-or-name> <snapshot-id>`).description(`Delete a sandbox snapshot`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=T({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=O(r),a=F(`Deleting snapshot...`);a.start(),await(await H(i,r,e)).deleteSnapshot(t),a.stop(),n.json?A({success:!0,sandboxId:e,snapshotId:t}):j(`Snapshot deleted: ${t}`)}catch(e){B(e)}}),e}function os(e){if(e===0)return`0 B`;let t=1024,n=[`B`,`KB`,`MB`,`GB`,`TB`],r=Math.floor(Math.log(e)/Math.log(t));return`${Number.parseFloat((e/t**r).toFixed(1))} ${n[r]}`}function ss(e,t){return`tangle ssh-proxy ${e.replace(/\/+$/,``)}/v1/sidecar-proxy/${t}/ssh`}function cs(e){return/^[A-Za-z0-9_/:=@%+.,-]+$/.test(e)?e:`'${e.replace(/'/g,`'"'"'`)}'`}function ls(e){return`'${e.replace(/'/g,`''`)}'`}function us(e){return e===`win32`?`NUL`:`/dev/null`}function ds(e,t){return t===`win32`?`$env:TANGLE_SSH_PROXY_AUTH_TOKEN=${ls(`<token>`)}; ssh ${e.map(ls).join(` `)}`:`TANGLE_SSH_PROXY_AUTH_TOKEN=${cs(`<token>`)} ssh ${e.map(cs).join(` `)}`}function fs(e){return e.connection!==void 0&&!e.connection.ssh}function ps(){M(`SSH is not enabled for this sandbox.`),P(`Create a sandbox with --ssh to enable SSH access.`),process.exit(1)}function ms(e,t=[],n=process.platform){let r=us(n);return[`-o`,`ProxyCommand=${e.proxyCommand}`,`-o`,`StrictHostKeyChecking=no`,`-o`,`UserKnownHostsFile=${r}`,`-o`,`GlobalKnownHostsFile=${r}`,`-o`,`LogLevel=ERROR`,`-o`,`ServerAliveInterval=15`,`-o`,`ServerAliveCountMax=4`,`-o`,`TCPKeepAlive=yes`,`${e.username}@localhost`,`-p`,String(e.port),...t]}function hs(){return new t(`ssh`).description(`Open SSH session to a sandbox`).argument(`<ref>`,`Sandbox ID or name`).argument(`[sshArgs...]`,`Extra args passed through to ssh`).option(`-i, --identity-file <path>`,`Private key file to pass to ssh`).option(`--print`,`Print SSH command instead of connecting`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).allowUnknownOption(!0).action(async(e,t,n)=>{try{let r=T({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=O(r),a=F(`Getting SSH credentials...`);a.start();let o=await H(i,r,e);if(fs(o)){a.stop(),ps();return}o=await U(o);let s=await o.ssh();if(a.stop(),!s){ps();return}let c={...s,proxyCommand:ss(r.baseUrl,o.id)};if(!r.apiKey)throw Error(`SSH proxy requires API key auth. Set TANGLE_API_KEY or pass --api-key.`);let l=ms(c,[...n.identityFile?[`-i`,n.identityFile,`-o`,`IdentitiesOnly=yes`]:[],...t]);if(n.print){console.log(ds(l,process.platform));return}P(`Connecting via tunnel...`);let u=ge(`ssh`,l,{stdio:`inherit`,env:{...process.env,TANGLE_SSH_PROXY_AUTH_TOKEN:r.apiKey}});u.on(`error`,e=>{e.code===`ENOENT`&&(M(`SSH client not found. Please install OpenSSH.`),process.exit(1)),B(e)}),u.on(`exit`,e=>{process.exit(e??0)})}catch(e){B(e)}})}function gs(){let e=new t(`ssh-keys`).description(`Manage SSH keys`);return e.command(`list`).description(`List SSH keys`).option(`--json`,`Output as JSON`).action(async e=>{let t=F(`Fetching SSH keys...`);try{t.start();let n=await O(T(e)).sshKeys.list();t.stop(),e.json?A({sshKeys:n}):n.length===0?P(`No SSH keys found.`):z([`Name`,`Type`,`Fingerprint`,`Created`],n.map(e=>[e.name,e.keyType,e.fingerprint,e.createdAt.toLocaleString()]))}catch(e){t.stop(),B(e)}}),e.command(`add`).description(`Add SSH key`).argument(`<name>`,`SSH key name`).requiredOption(`--key-file <path>`,`Public key file path`).option(`--json`,`Output as JSON`).action(async(e,t)=>{let n=F(`Adding SSH key...`);try{let r=u(t.keyFile,`utf8`).trim();n.start();let i=await O(T(t)).sshKeys.create(e,r);n.stop(),t.json?A({sshKey:i}):j(`Added SSH key ${i.name} (${i.fingerprint})`)}catch(e){n.stop(),B(e)}}),e.command(`delete`).description(`Delete SSH key`).argument(`<name>`,`SSH key name or ID`).action(async(e,t)=>{let n=F(`Deleting SSH key...`);try{n.start(),await O(T(t)).sshKeys.delete(e),n.stop(),j(`Deleted SSH key ${e}`)}catch(e){n.stop(),B(e)}}),e}function _s(e,t=1){process.stderr.write(`${e}\n`),process.exit(t)}function vs(){return new t(`ssh-proxy`).description(`SSH proxy helper — pipes stdin/stdout to WebSocket`).argument(`<sidecar-url>`,`Sidecar WebSocket URL`).action(async e=>{let t=process.env.TANGLE_SSH_PROXY_AUTH_TOKEN;t||_s(`TANGLE_SSH_PROXY_AUTH_TOKEN not set`);let n=new Ae(new URL(e.replace(/^http/,`ws`)),{headers:{Authorization:`Bearer ${t}`},perMessageDeflate:!1}),r;function i(){r&&=(clearInterval(r),void 0)}n.on(`open`,()=>{r=setInterval(()=>{n.readyState===Ae.OPEN&&n.ping()},15e3),r.unref?.(),process.stdin.on(`data`,e=>{n.readyState===Ae.OPEN&&n.send(e,{binary:!0,compress:!1})}),process.stdin.on(`end`,()=>n.close(1e3))}),n.on(`message`,e=>{let t=Buffer.isBuffer(e)?e:Array.isArray(e)?Buffer.concat(e):Buffer.from(e);process.stdout.write(t)}),n.on(`error`,e=>{i(),_s(`WebSocket error: ${e.message}`)}),n.on(`close`,e=>{i(),process.exit(e===1e3?0:1)}),process.stdin.on(`error`,()=>n.close())})}const ys=[`claude-code`,`opencode`,`codex`,`kimi-code`],bs=[`session`,`project`,`read-only`],xs={min:1,max:15},Ss=process.env.TANGLE_ROUTER_URL??`https://router.tangle.tools/v1`;function Cs(e){let t=e.harness??`claude-code`;if(!ys.includes(t))throw Error(`Unknown --harness '${t}'. Supported: ${ys.join(`, `)}.`);let n=e.tokenScope??`session`;if(!bs.includes(n))throw Error(`Unknown --token-scope '${n}'. Supported: ${bs.join(`, `)}.`);let r=ws(e.maxTokens,2e5,`--max-tokens`),i=ws(e.maxIterations,50,`--max-iterations`),a=ws(e.tokenTtl,10,`--token-ttl`);if(a<xs.min||a>xs.max)throw Error(`--token-ttl ${a} out of range; the SDK clamps to [${xs.min}, ${xs.max}] minutes.`);let o=e.maxWorkers===void 0?void 0:ws(e.maxWorkers,0,`--max-workers`);return{harness:t,...e.model?{model:e.model}:{},maxTokens:r,maxIterations:i,tokenScope:n,tokenTtl:a,...o===void 0?{}:{maxWorkers:o}}}function ws(e,t,n){if(e===void 0)return t;let r=Number.parseInt(e,10);if(!Number.isFinite(r)||r<=0)throw Error(`${n} must be a positive integer, got '${e}'.`);return r}function Ts(e){let t={maxTokens:e.maxTokens,maxIterations:e.maxIterations};return e.maxWorkers===void 0?{budget:t}:{budget:t,perWorker:{maxTokens:Math.max(1,Math.floor(e.maxTokens/e.maxWorkers)),maxIterations:Math.max(1,Math.floor(e.maxIterations/e.maxWorkers))}}}function Es(e){let{client:t,scope:n,ttlMinutes:r,onScope:a}=e,o={async create(o){let s=await t.create(Ds(o)),c={scope:n,ttlMinutes:r,...n===`session`?{sessionId:e.sessionIdFor?.(s)??`supervise-${i()}`}:{}},l=await s.mintScopedToken(c);return a({id:s.id,scope:l.scope,expiresAt:l.expiresAt,status:`spawned`}),s}};return typeof t.criuStatus==`function`&&(o.criuStatus=t.criuStatus.bind(t)),o}function Ds(e){if(!e?.env)return e;let{TANGLE_API_KEY:t,SANDBOX_API_KEY:n,...r}=e.env;return{...e,env:r}}function Os(e){if(e.kind===`no-winner`)return{text:``,tokenUsage:{input:0,output:0},costUsd:0,status:`no-winner (${e.reason})`};let t=e.out;return{text:typeof t==`string`?t:ks(t)?t.content:JSON.stringify(t),tokenUsage:{input:e.spentTotal.tokens.input,output:e.spentTotal.tokens.output},costUsd:e.spentTotal.usd,status:`winner`}}function ks(e){return typeof e==`object`&&!!e&&typeof e.content==`string`}const As={makeClient:e=>O(T({apiKey:e.apiKey,baseUrl:e.baseUrl})),resolveRouter:e=>({routerBaseUrl:Ss,routerKey:T({apiKey:e.apiKey}).apiKey,model:e.model}),supervise:je};async function js(e,t,n,r=As){let a=r.makeClient({apiKey:n.apiKey,baseUrl:n.baseUrl}),{budget:o,perWorker:s}=Ts(t),c=[],l=Es({client:a,scope:t.tokenScope,ttlMinutes:t.tokenTtl,onScope:e=>{if(c.push(e),!n.json){let n=`ttl ${t.tokenTtl}m`;P(`worker ${e.id} [${e.scope} token ${n}] spawned`)}}}),u=Me({backend:`sandbox`,harness:t.harness,sandboxClient:l,maxIterations:1}),d={name:`supervisor`,...t.model?{model:t.model}:{}},f=r.resolveRouter({apiKey:n.apiKey,model:t.model??`deepseek-v4-flash`}),p=Os(await r.supervise(d,{goal:e},{budget:o,makeWorkerAgent:u,router:f,...s?{perWorker:s}:{},...t.model?{allowedModels:[t.model]}:{},runId:`supervise-${i()}`})),ee=p.status===`winner`?`settled`:`failed`;for(let e of c)e.status=ee,n.json||P(`worker ${e.id} [${e.scope} token ttl ${t.tokenTtl}m] settled (${e.status})`);return{task:e,result:p.text,workers:c,tokenUsage:p.tokenUsage,costUsd:p.costUsd,status:p.status}}function Ms(){let e=new t(`supervise`);return e.description(`Run a budget-conserving supervisor that spawns isolated sandbox workers to deliver a task. Each worker box mints a short-lived scoped token instead of receiving the root API key.`).argument(`<task>`,`What the supervisor should accomplish`).option(`--harness <name>`,`Worker harness (${ys.join(` | `)})`,`claude-code`).option(`--model <id>`,`Model for the supervisor + workers`).option(`--max-tokens <n>`,`Conserved token budget for the whole run`,`200000`).option(`--max-iterations <n>`,`Conserved iteration budget for the whole run`,`50`).option(`--token-scope <scope>`,`Per-worker token scope (${bs.join(` | `)})`,`session`).option(`--token-ttl <min>`,`Per-worker token TTL in minutes (SDK clamps to [1, 15])`,`10`).option(`--max-workers <n>`,`Bound the fanout; each worker reserves floor(max-tokens / n) tokens and floor(max-iterations / n) iterations`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=Cs({harness:t.harness,model:t.model,maxTokens:t.maxTokens,maxIterations:t.maxIterations,tokenScope:t.tokenScope,tokenTtl:t.tokenTtl,maxWorkers:t.maxWorkers});t.json||(P(`Supervising: ${e}`),P(`harness=${n.harness} budget=${n.maxTokens}tok/${n.maxIterations}it scope=${n.tokenScope} ttl=${n.tokenTtl}m`),console.log());let r=await js(e,n,{apiKey:t.apiKey,baseUrl:t.baseUrl,json:t.json});if(t.json){A(r),r.status!==`winner`&&(process.exitCode=1);return}if(console.log(),r.status!==`winner`)throw Error(`Supervisor finished without a winner: ${r.status}`);console.log(r.result),console.log(),I({"Input Tokens":r.tokenUsage.input,"Output Tokens":r.tokenUsage.output,Cost:`$${r.costUsd.toFixed(4)}`})}catch(e){B(e,t.json)}}),e}function Ns(){let e=new t(`team`).description(`Manage teams`);return e.command(`list`).description(`List teams for the current account`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async e=>{try{let t=T(e),n=O(t),r=e.json?null:F(`Fetching teams...`);r?.start();let i=await n.teams.list();if(r?.stop(),e.json){A({teams:i,activeTeamId:t.activeTeamId??null});return}k(i.map(e=>({active:e.id===t.activeTeamId,id:e.id,name:e.name,role:e.currentUserRole,members:e.memberCount})),[{key:`active`,header:`Active`,width:8},{key:`id`,header:`ID`,width:38},{key:`name`,header:`Name`,width:24},{key:`role`,header:`Role`,width:10},{key:`members`,header:`Members`,width:10}])}catch(e){B(e)}}),e.command(`create <name>`).description(`Create a team`).option(`--org-id <id>`,`External organization id`).option(`--no-switch`,`Do not set the new team as active`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=T(t),r=O(n),i=t.json?null:F(`Creating team...`);i?.start();let a=await r.teams.create({name:e,orgId:t.orgId});if(t.switch&&Po(a,n.profile),i?.stop(),t.json){A({team:a,active:!!t.switch});return}j(`Team created: ${Mo(a)}`),t.switch&&j(`Active team set to ${a.name}`)}catch(e){B(e)}}),e.command(`switch <team>`).description(`Set the active team for the current profile`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=T(t),r=await No(O(n),e);if(Po(r,n.profile),t.json){A({team:r,activeTeamId:r.id});return}j(`Active team set to ${Mo(r)}`)}catch(e){B(e)}}),e.command(`current`).description(`Show the active team for the current profile`).option(`--json`,`Output as JSON`).option(`--profile <profile>`,`Credential profile`).action(e=>{try{let t=Nt(e.profile);if(e.json){A(t.activeTeamId?t:{activeTeamId:null});return}if(!t.activeTeamId){console.log(`No active team.`);return}I({ID:t.activeTeamId,Name:t.activeTeamName})}catch(e){B(e)}}),e.command(`clear`).description(`Clear the active team for the current profile`).option(`--json`,`Output as JSON`).option(`--profile <profile>`,`Credential profile`).action(e=>{try{if(Fo(e.profile),e.json){A({activeTeamId:null});return}j(`Active team cleared.`)}catch(e){B(e)}}),e.command(`members [team]`).description(`List team members`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=T(t),r=O(n),i=await Q(r,e,n.profile),a=await r.teams.listMembers(i.id);if(t.json){A({team:i,members:a});return}k(a.map(e=>({id:e.id,email:e.customerEmail,role:e.role,status:e.status,joinedAt:e.joinedAt})),[{key:`id`,header:`ID`,width:36},{key:`email`,header:`Email`,width:28},{key:`role`,header:`Role`,width:10},{key:`status`,header:`Status`,width:10},{key:`joinedAt`,header:`Joined`,width:16}])}catch(e){B(e)}}),e.command(`update-member <member-id>`).description(`Update a team member role`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).requiredOption(`--role <role>`,`Role: admin, member, viewer`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=T(t),r=O(n),i=await Q(r,t.team,n.profile),a=Ps(t.role),o=await r.teams.updateMember(i.id,e,{role:a});if(t.json){A({team:i,member:o});return}j(`Member updated: ${o.customerEmail}`),I({Team:i.name,Role:o.role,Status:o.status})}catch(e){B(e)}}),e.command(`invite <email>`).description(`Invite a user to a team`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).option(`--role <role>`,`Role: admin, member, viewer`,`member`).option(`--ttl-hours <hours>`,`Invitation lifetime in hours`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=T(t),r=O(n),i=await Q(r,t.team,n.profile),a=Ps(t.role),o=await r.teams.invite(i.id,{email:e,role:a,ttlHours:t.ttlHours?Number.parseInt(t.ttlHours,10):void 0});if(t.json){A({team:i,invitation:o});return}j(`Invitation created for ${o.email}`),I({Team:i.name,Role:o.role,Expires:o.expiresAt,"Invitation ID":o.id}),j(`Re-run with --json to retrieve the invitation token for sharing.`)}catch(e){B(e)}}),e.command(`leave [team]`).description(`Leave a team as the current user`).option(`--force`,`Skip confirmation prompt`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=T(t),r=O(n),i=await Q(r,e,n.profile);if(!t.force&&!t.json&&!await W(`Leave team '${i.name}'? (y/N) `))return;if(await r.teams.leave(i.id),n.activeTeamId===i.id&&Fo(n.profile),t.json){A({success:!0,teamId:i.id});return}j(`Left team: ${i.name}`)}catch(e){B(e)}}),e.command(`transfer <new-owner-customer-id> [team]`).description(`Transfer team ownership to another active member`).option(`--force`,`Skip confirmation prompt`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t,n)=>{try{let r=T(n),i=O(r),a=await Q(i,t,r.profile);if(!n.force&&!n.json&&!await W(`Transfer ownership of '${a.name}' to ${e}? This cannot be undone without the new owner's cooperation. (y/N) `))return;if(await i.teams.transferOwnership(a.id,e),n.json){A({success:!0,teamId:a.id,newOwnerCustomerId:e});return}j(`Ownership transferred for ${a.name}`)}catch(e){B(e)}}),e.addCommand(Fs()),e.addCommand(Is()),e.command(`invitations [team]`).description(`List pending and historical team invitations`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=T(t),r=O(n),i=await Q(r,e,n.profile),a=await r.teams.listInvitations(i.id);if(t.json){A({team:i,invitations:a});return}k(a.map(e=>({id:e.id,email:e.email,role:e.role,status:e.status,expiresAt:e.expiresAt})),[{key:`id`,header:`ID`,width:38},{key:`email`,header:`Email`,width:28},{key:`role`,header:`Role`,width:10},{key:`status`,header:`Status`,width:12},{key:`expiresAt`,header:`Expires`,width:16}])}catch(e){B(e)}}),e.command(`accept <token>`).description(`Accept a team invitation`).option(`--no-switch`,`Do not set the accepted team as active`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=T(t),r=O(n),i=await r.teams.acceptInvitation(e),a=t.switch===!1?null:await r.teams.get(i.teamId);if(a&&Po(a,n.profile),t.json){A({member:i,activeTeamId:a?.id??null});return}j(`Invitation accepted for team ${i.teamId}`),a&&j(`Active team set to ${a.name}`)}catch(e){B(e)}}),e.command(`revoke-invitation <invitation-id>`).description(`Revoke a pending team invitation`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{if(await O(T(t)).teams.revokeInvitation(e),t.json){A({success:!0,invitationId:e});return}j(`Invitation revoked: ${e}`)}catch(e){B(e)}}),e.command(`remove-member <member-id>`).description(`Remove a member from a team`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=T(t),r=O(n),i=await Q(r,t.team,n.profile);if(await r.teams.removeMember(i.id,e),t.json){A({success:!0,teamId:i.id,memberId:e});return}j(`Member removed: ${e}`)}catch(e){B(e)}}),e}function Ps(e){if(e===`admin`||e===`member`||e===`viewer`)return e;throw Error(`Role must be one of: admin, member, viewer`)}function Fs(){let e=new t(`secret`).description(`Manage team secrets`);return e.command(`list [team]`).description(`List team secret names`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=T(t),r=O(n),i=await Q(r,e,n.profile),a=await r.teams.listSecrets(i.id);if(t.json){A({team:i,secrets:a});return}k(a.map(e=>({name:e.name,updatedAt:e.updatedAt,updatedBy:e.updatedBy})),[{key:`name`,header:`Name`,width:28},{key:`updatedAt`,header:`Updated`,width:24},{key:`updatedBy`,header:`Updated By`,width:28}])}catch(e){B(e)}}),e.command(`set <name> [value]`).description(`Create or replace a team secret`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).option(`--value-stdin`,`Read secret value from stdin`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t,n)=>{try{let r=T(n),i=O(r),a=await Q(i,n.team,r.profile),o=await Ls({value:t,valueStdin:n.valueStdin,prompt:`Enter value for team secret '${e}': `}),s=await i.teams.upsertSecret(a.id,e,o);if(n.json){A({team:a,secret:s});return}j(`Team secret saved: ${s.name}`)}catch(e){B(e)}}),e.command(`delete <name>`).description(`Delete a team secret`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).option(`--force`,`Skip confirmation prompt`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=T(t),r=O(n),i=await Q(r,t.team,n.profile);if(!t.force&&!t.json&&!await W(`Delete team secret '${e}' from '${i.name}'? (y/N) `))return;if(await r.teams.deleteSecret(i.id,e),t.json){A({success:!0,teamId:i.id,name:e});return}j(`Team secret deleted: ${e}`)}catch(e){B(e)}}),e.command(`reveal <name>`).description(`Reveal a team secret value`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=T(t),r=O(n),i=await Q(r,t.team,n.profile),a=await r.teams.revealSecret(i.id,e);if(t.json){A({teamId:i.id,...a});return}console.log(a.value)}catch(e){B(e)}}),e}function Is(){let e=new t(`templates`).description(`Manage team golden-path templates`);return e.command(`list [team]`).description(`List a team's golden-path templates`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=T(t),r=O(n),i=await Q(r,e,n.profile),a=await r.teams.listTemplates(i.id);if(t.json){A({team:i,templates:a});return}if(a.length===0){console.log(`No templates yet for ${i.name}.`);return}k(a.map(e=>({id:e.id,name:e.name,environment:e.environment,snapshot:`${e.snapshotId.slice(0,12)}…`,updated:e.updatedAt})),[{key:`id`,header:`ID`,width:38},{key:`name`,header:`Name`,width:28},{key:`environment`,header:`Env`,width:14},{key:`snapshot`,header:`Snapshot`,width:16},{key:`updated`,header:`Updated`,width:24}])}catch(e){B(e)}}),e.command(`create <name> <snapshot-id>`).description(`Create a golden-path template from a snapshot`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).option(`-d, --description <description>`,`Human-readable description shown in the dashboard`).option(`-e, --environment <environment>`,`Default environment to apply (defaults to 'universal')`).option(`--config <json>`,`Optional JSON config object merged into sandboxes created from this template`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t,n)=>{try{let r=T(n),i=O(r),a=await Q(i,n.team,r.profile),o;if(n.config)try{let e=JSON.parse(n.config);if(typeof e!=`object`||!e||Array.isArray(e))throw Error(`--config must be a JSON object`);o=e}catch(e){throw Error(`--config is not valid JSON: ${e instanceof Error?e.message:String(e)}`)}let s=await i.teams.createTemplate(a.id,{name:e,snapshotId:t,description:n.description,environment:n.environment,config:o});if(n.json){A({team:a,template:s});return}j(`Team template created: ${s.name} (${s.id})`)}catch(e){B(e)}}),e.command(`delete <template-id>`).description(`Delete a team golden-path template`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).option(`--force`,`Skip confirmation prompt`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=T(t),r=O(n),i=await Q(r,t.team,n.profile);if(!t.force&&!t.json&&!await W(`Delete template '${e}' from '${i.name}'? (y/N) `))return;if(await r.teams.deleteTemplate(i.id,e),t.json){A({success:!0,teamId:i.id,templateId:e});return}j(`Team template deleted: ${e}`)}catch(e){B(e)}}),e}async function Ls(e){if(e.value!==void 0&&e.valueStdin)throw Error(`Provide either a secret value argument or --value-stdin, not both`);if(e.value!==void 0){if(e.value.length===0)throw Error(`Secret value cannot be empty`);return e.value}if(e.valueStdin){let e=await Dn();if(e.length===0)throw Error(`Secret value from stdin cannot be empty`);return e}let t=await En(e.prompt);if(t.length===0)throw Error(`Secret value cannot be empty`);return t}function Rs(){let e=new t(`template`).description(`Manage published public templates`);return e.command(`list`).option(`-q, --query <query>`,`Search query`).option(`--tag <tag>`,`Filter by tag`).option(`--featured`,`Show featured templates only`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=O(T(e)),n=e.featured?await t.publicTemplates.featured():await t.publicTemplates.list({query:e.query,tag:e.tag});if(e.json){A({templates:n});return}k(n.map(e=>({slug:e.slug,name:e.name,forks:e.forkCount,sandboxes:e.sandboxCount,updated:e.updatedAt})),[{key:`slug`,header:`Slug`,width:28},{key:`name`,header:`Name`,width:28},{key:`forks`,header:`Forks`,width:8},{key:`sandboxes`,header:`Sandboxes`,width:12},{key:`updated`,header:`Updated`,width:24}])}catch(e){B(e)}}),e.command(`get <id-or-slug>`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=await O(T(t)).publicTemplates.get(e);if(t.json){A({template:n});return}A(n)}catch(e){B(e)}}),e.command(`versions <id-or-slug>`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=await O(T(t)).publicTemplates.versions(e);if(t.json){A({versions:n});return}k(n.map(e=>({...e})),[{key:`id`,header:`Version ID`,width:38},{key:`versionNumber`,header:`Version`,width:8},{key:`snapshotId`,header:`Snapshot`,width:20},{key:`createdAt`,header:`Created`,width:24}])}catch(e){B(e)}}),e.command(`publish <name> <snapshot-id> <sandbox-id>`).option(`--slug <slug>`,`Stable public slug`).option(`-d, --description <description>`,`Template description`).option(`--readme <markdown>`,`README markdown`).option(`--tags <tags...>`,`Template tags`).option(`--release-notes <text>`,`Release notes`).option(`--team-id <id>`,`Publish under a team`).option(`--forked-from <id>`,`Fork source template id`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n,r)=>{try{let i=await O(T(r)).publicTemplates.publish({name:e,slug:r.slug,description:r.description,snapshotId:t,sourceSandboxId:n,readmeMarkdown:r.readme,tags:r.tags,releaseNotes:r.releaseNotes,teamId:r.teamId,forkedFromTemplateId:r.forkedFrom});if(r.json){A({template:i});return}j(`Published template: ${i.slug}`)}catch(e){B(e)}}),e.command(`publish-version <id-or-slug> <snapshot-id> <sandbox-id>`).option(`--readme <markdown>`,`README markdown`).option(`--tags <tags...>`,`Template tags`).option(`--release-notes <text>`,`Release notes`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n,r)=>{try{let i=await O(T(r)).publicTemplates.publishVersion(e,{snapshotId:t,sourceSandboxId:n,readmeMarkdown:r.readme,tags:r.tags,releaseNotes:r.releaseNotes});if(r.json){A({version:i});return}j(`Published template version: ${i.id}`)}catch(e){B(e)}}),e}function zs(){let e=new t(`tools`).description(`Manage language runtimes and tools in a sandbox (via mise)`);return e.command(`list`).alias(`ls`).description(`List installed tools in a sandbox`).argument(`<id-or-name>`,`Sandbox ID or name`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=T({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=O(n),i=F(`Fetching tools...`);t.json||i.start();let a=await(await H(r,n,e)).tools.list();i.stop(),t.json?A(a):a.length===0?console.log(`No tools installed`):z([`Tool`,`Version`,`Active`],a.map(e=>[e.name,e.version,e.active?`yes`:`no`]))}catch(e){B(e)}}),e.command(`install`).description(`Install a tool version`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`<tool>`,`Tool name (e.g. node, python, go)`).argument(`<version>`,`Version to install (e.g. 20, 3.12, latest)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n,r)=>{try{let i=T({apiKey:r.apiKey,baseUrl:r.baseUrl}),a=O(i),o=F(`Installing ${t}@${n}...`);r.json||o.start(),await(await H(a,i,e)).tools.install(t,n),o.stop(),r.json?A({tool:t,version:n,installed:!0}):j(`Installed ${t}@${n}`)}catch(e){B(e)}}),e.command(`use`).description(`Activate a tool version for the current session`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`<tool>`,`Tool name`).argument(`<version>`,`Version to activate`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n,r)=>{try{let i=T({apiKey:r.apiKey,baseUrl:r.baseUrl});await(await H(O(i),i,e)).tools.use(t,n),j(`Activated ${t}@${n}`)}catch(e){B(e)}}),e.command(`run`).description(`Run a command with a specific tool`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`<tool>`,`Tool name`).argument(`<args...>`,`Command arguments`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n,r)=>{try{let i=T({apiKey:r.apiKey,baseUrl:r.baseUrl}),a=O(i),o=F(`Running ${t} ${n.join(` `)}...`);r.json||o.start();let s=await(await H(a,i,e)).tools.run(t,n);o.stop(),r.json?A(s):(s.stdout&&process.stdout.write(s.stdout),s.stderr&&process.stderr.write(s.stderr),s.exitCode!==0&&process.exit(s.exitCode))}catch(e){B(e)}}),e}function Bs(){let e=new t(`traces`).description(`Read hosted agent traces, spans, and eval-runs from Tangle Intelligence`);return e.command(`list`).description(`List trace summaries (one row per trace), newest first`).option(`--from <iso>`,`ISO-8601 lower bound on received time (inclusive)`).option(`--to <iso>`,`ISO-8601 upper bound on received time (inclusive)`).option(`--model <model>`,`Exact model match (any span carried this model)`).option(`--run <runId>`,`Exact run id match`).option(`--status <status>`,`ERROR | OK`).option(`-q, --query <text>`,`Substring over span name`).option(`--cursor <cursor>`,`Opaque pagination cursor from a prior page`).option(`--limit <count>`,`Page size (clamped server-side to [1, 200])`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`Intelligence API base URL`).action(async e=>{try{let t={from:e.from,to:e.to,model:e.model,runId:e.run,status:e.status===void 0?void 0:Zs(e.status),q:e.query,cursor:e.cursor,limit:e.limit===void 0?void 0:nc(e.limit)},n=Hs(e),r=e.json?null:F(`Fetching traces...`);r?.start();let i=await n.listTraces(t);if(r?.stop(),e.json)return A(i);Gs(i.items),Ys(i.nextCursor)}catch(t){Ws(t,e)}}),e.command(`get <traceId>`).description(`Show one trace's spans. Streams NDJSON to stdout with --ndjson.`).option(`--ndjson`,`Stream the full span set as NDJSON to stdout`).option(`--cursor <cursor>`,`Opaque pagination cursor from a prior page`).option(`--limit <count>`,`Spans per page`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`Intelligence API base URL`).action(async(e,t)=>{try{let n=Hs(t);if(t.ndjson){await Us(n,e);return}let r=t.json?null:F(`Fetching trace spans...`);r?.start();let i=await n.getTraceSpans(e,{cursor:t.cursor,limit:t.limit===void 0?void 0:nc(t.limit)});if(r?.stop(),t.json)return A(i);Ks(i.items),i.truncated&&I({Spans:`${i.items.length} of ${i.total} (truncated)`}),Ys(i.nextCursor)}catch(e){Ws(e,t)}}),e.addCommand(Vs()),e}function Vs(){let e=new t(`runs`).description(`Read eval-runs pivoted off the trace surface`);return e.command(`list`).description(`List eval-runs, newest first`).option(`--status <status>`,`Run status filter`).option(`--gate <decision>`,`Promotion-gate decision filter`).option(`--label <key:value>`,`Match over the run's labels`).option(`--from <iso>`,`ISO-8601 lower bound on received time`).option(`--to <iso>`,`ISO-8601 upper bound on received time`).option(`-q, --query <text>`,`Substring over run dir`).option(`--cursor <cursor>`,`Opaque pagination cursor from a prior page`).option(`--limit <count>`,`Page size`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`Intelligence API base URL`).action(async e=>{try{let t={status:e.status===void 0?void 0:$s(e.status),gate:e.gate===void 0?void 0:tc(e.gate),label:e.label,from:e.from,to:e.to,q:e.query,cursor:e.cursor,limit:e.limit===void 0?void 0:nc(e.limit)},n=Hs(e),r=e.json?null:F(`Fetching runs...`);r?.start();let i=await n.listRuns(t);if(r?.stop(),e.json)return A(i);qs(i.items),Ys(i.nextCursor)}catch(t){Ws(t,e)}}),e.command(`get <runId>`).description(`Show a single eval-run`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`Intelligence API base URL`).action(async(e,t)=>{try{let n=Hs(t),r=t.json?null:F(`Fetching run...`);r?.start();let i=await n.getRun(e);if(r?.stop(),t.json)return A(i);Js(i)}catch(e){Ws(e,t)}}),e}function Hs(e){let t=kt(e.apiKey);if(!t)throw Error(`No API key found. Set TANGLE_API_KEY or run: tangle auth login`);return Ne({apiKey:t,baseUrl:e.baseUrl??process.env.TANGLE_INTELLIGENCE_BASE_URL})}async function Us(e,t){let n=(await e.exportTraceSpansNdjson(t)).getReader();try{for(;;){let{value:e,done:t}=await n.read();if(t)break;e&&process.stdout.write(Buffer.from(e))}}finally{n.releaseLock()}}function Ws(e,t){return B(e,t.json===!0)}function Gs(e){k(e.map(e=>({traceId:e.traceId,root:e.rootName??`-`,model:e.model??`-`,spans:e.spanCount,errors:e.errorCount,durationMs:e.durationMs,cost:Xs(e.costUsd)})),[{key:`traceId`,header:`Trace`,width:36},{key:`root`,header:`Root`,width:24},{key:`model`,header:`Model`,width:22},{key:`spans`,header:`Spans`,width:8},{key:`errors`,header:`Errors`,width:8},{key:`durationMs`,header:`Duration(ms)`,width:14},{key:`cost`,header:`Cost`,width:10}])}function Ks(e){k(e.map(e=>({spanId:e.id,name:e.name,model:e.model??`-`,status:e.statusCode??`-`,cost:e.costUsd===null?`-`:`$${e.costUsd}`})),[{key:`spanId`,header:`Span`,width:40},{key:`name`,header:`Name`,width:28},{key:`model`,header:`Model`,width:22},{key:`status`,header:`Status`,width:10},{key:`cost`,header:`Cost`,width:12}])}function qs(e){k(e.map(e=>({runId:e.id,status:e.status,gate:e.gateDecision??`-`,cost:e.totalCostUsd===null?`-`:`$${e.totalCostUsd}`,receivedAt:e.receivedAt})),[{key:`runId`,header:`Run`,width:24},{key:`status`,header:`Status`,width:22},{key:`gate`,header:`Gate`,width:18},{key:`cost`,header:`Cost`,width:12},{key:`receivedAt`,header:`Received`,width:18}])}function Js(e){I({Run:e.id,Status:e.status,Gate:e.gateDecision??void 0,"Run Dir":e.runDir??void 0,Cost:e.totalCostUsd===null?void 0:`$${e.totalCostUsd}`,Duration:e.totalDurationMs===null?void 0:`${e.totalDurationMs}ms`,"Holdout Lift":e.holdoutLift??void 0,Received:e.receivedAt})}function Ys(e){e&&I({"Next page":`--cursor ${e}`})}function Xs(e){return e===null?`-`:`$${e.toFixed(4)}`}function Zs(e){if(e===`ERROR`||e===`OK`)return e;throw Error(`--status must be ERROR or OK`)}const Qs=[`started`,`baseline-complete`,`generation-complete`,`gate-decided`,`finished`,`errored`];function $s(e){let t=Qs.find(t=>t===e);if(t)return t;throw Error(`--status must be one of ${Qs.join(`, `)}`)}const ec=[`ship`,`hold`,`need_more_work`,`model_ceiling`,`arch_ceiling`];function tc(e){let t=ec.find(t=>t===e);if(t)return t;throw Error(`--gate must be one of ${ec.join(`, `)}`)}function nc(e){let t=Number(e);if(!Number.isInteger(t)||t<1)throw Error(`--limit must be a positive integer`);return t}function rc(){return new t(`usage`).description(`Show account usage and billing information`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=O(T({apiKey:e.apiKey,baseUrl:e.baseUrl})),n=e.json?null:F(`Fetching usage...`);n?.start();let[r,i]=await Promise.all([t.usage(),t.subscription().catch(()=>null)]);n?.stop(),e.json?A({...r,subscription:i}):(console.log(),console.log(`Account Usage`),console.log(`─`.repeat(40)),I({"Active Sandboxes":r.activeSandboxes,"Total Sandboxes":r.totalSandboxes,"Compute Minutes":ic(r.computeMinutes),"GPU Seconds":r.gpuSeconds,"GPU Spend":ac(r.gpuCostUsd)}),i&&(console.log(),console.log(`Subscription`),console.log(`─`.repeat(40)),I({Plan:i.plan,Status:i.status,"Credits Available":ac(i.creditsAvailableUsd),"Credits Used":ac(i.creditsUsedUsd),"Monthly Balance":ac(i.monthlyBalanceUsd)})),console.log(),console.log(`Billing Period`),console.log(`─`.repeat(40)),I({Start:r.periodStart.toLocaleDateString(),End:r.periodEnd.toLocaleDateString()}),console.log())}catch(e){B(e)}})}function ic(e){if(e===void 0)return`-`;if(e<60)return`${e} min`;let t=Math.floor(e/60),n=e%60;return n===0?`${t} hr`:`${t} hr ${n} min`}function ac(e){return e<0?`-$${(-e).toFixed(2)}`:`$${e.toFixed(2)}`}function oc(){return new t(`use`).description(`Set or show the active sandbox (used when a command omits the id)`).argument(`[id]`,`Sandbox id to make active`).option(`--clear`,`Clear the active sandbox`).action((e,t)=>{try{if(t.clear){St(),P(`Cleared the active sandbox.`);return}if(e){xt(e),P(`Active sandbox set to ${e}. Commands now default to it; override with --box or TANGLE_SANDBOX.`);return}let n=bt();P(n?`Active sandbox: ${n}`:"No active sandbox. Set one with `tangle use <id>`.")}catch(e){B(e)}})}function sc(){let e=new t(`workflows`).description(`Create and manage Tangle workflows`);return e.option(`--json`,`Output as JSON`),e.hook(`preAction`,(e,t)=>{uc(t)}),e.command(`list`).description(`List your workflows`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=await lc(e).workflows.list();if(e.json)return A(t);pc(t)}catch(t){fc(t,e)}}),e.command(`get`).description(`Show a workflow's definition and compiled triggers`).argument(`<id>`,`Workflow ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=await lc(t).workflows.get(e);if(t.json)return A(n);mc(n)}catch(e){fc(e,t)}}),e.command(`create`).description(`Create a workflow from a YAML file`).argument(`<file>`,`Path to the workflow YAML`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=cc(e),r=await lc(t).workflows.create(n);if(t.json)return A(r);P(`Created workflow ${r.id} (${r.name}).`),mc(r)}catch(e){fc(e,t)}}),e.command(`update`).description(`Replace a workflow's definition from a YAML file`).argument(`<id>`,`Workflow ID`).argument(`<file>`,`Path to the workflow YAML`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=cc(t),i=await lc(n).workflows.update(e,r);if(n.json)return A(i);P(`Updated workflow ${i.id} (${i.name}).`),mc(i)}catch(e){fc(e,n)}}),e.command(`delete`).description(`Delete a workflow and its triggers`).argument(`<id>`,`Workflow ID`).option(`--force`,`Skip confirmation prompt`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{if(!t.force&&!await W(`Delete workflow ${e}? `)){P(`Delete cancelled.`);return}if(await lc(t).workflows.delete(e),t.json)return A({deleted:!0,id:e});P(`Deleted workflow ${e}.`)}catch(e){fc(e,t)}}),e.command(`validate`).description(`Validate a workflow YAML file without saving it`).argument(`<file>`,`Path to the workflow YAML`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=cc(e),r=await lc(t).workflows.validate(n);if(t.json)return A(r);if(r.valid)P(`Valid: ${r.name} (${r.actionCount} action(s), ${r.triggerCount} trigger(s)).`);else{P(`Invalid workflow:`);for(let e of r.errors)console.log(` ${e.path}: ${e.message}`);process.exitCode=1}}catch(e){fc(e,t)}}),e.command(`schema`).description(`Print the JSON Schema for the workflow YAML`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{A(await lc(e).workflows.schema())}catch(t){fc(t,e)}}),e}function cc(e){try{return u(e,`utf8`)}catch(t){throw Error(`Could not read workflow file "${e}": ${t instanceof Error?t.message:String(t)}`)}}function lc(e){let t=T({apiKey:kt(e.apiKey),baseUrl:e.baseUrl??Mt(process.env.TANGLE_HUB_URL)});return new _e({baseUrl:t.baseUrl,apiKey:t.apiKey})}function uc(e){if(!dc(e,`json`)||e.getOptionValue(`json`)!==void 0)return;let t=e.parent;for(;t;){let n=t.getOptionValue(`json`);if(n!==void 0){e.setOptionValue(`json`,n);return}t=t.parent}}function dc(e,t){return e.options.some(e=>e.attributeName()===t)}function fc(e,t){return B(e,t.json===!0)}function pc(e){k(e.map(e=>({id:e.id,name:e.name,enabled:e.enabled?`yes`:`no`,issues:e.validationErrors.length,updated:e.updatedAt})),[{key:`id`,header:`ID`},{key:`name`,header:`Name`},{key:`enabled`,header:`Enabled`},{key:`issues`,header:`Issues`},{key:`updated`,header:`Updated`}])}function mc(e){if(I({ID:e.id,Name:e.name,Description:e.description??``,Enabled:e.enabled?`yes`:`no`,Actions:e.actions.length}),e.triggers&&e.triggers.length>0&&(P(`Triggers`),hc(e.triggers)),e.validationErrors.length>0){P(`Validation issues`);for(let t of e.validationErrors)console.log(` ${t.path}: ${t.message}`)}}function hc(e){k(e.map(e=>({id:e.id,kind:e.kind,enabled:e.enabled?`yes`:`no`,detail:e.kind===`schedule`?`${e.cron??``} (${e.timezone??``})`:`${e.provider??``}:${e.eventFilter?.event??``}${e.eventFilter?.action?`.${e.eventFilter.action}`:``}`})),[{key:`id`,header:`ID`},{key:`kind`,header:`Kind`},{key:`enabled`,header:`Enabled`},{key:`detail`,header:`Detail`}])}function gc(e){let t={..._c(e)??{},...e.optsWithGlobals()};for(let n of e.options){let r=n.attributeName();e.getOptionValue(r)===void 0&&t[r]!==void 0&&e.setOptionValue(r,t[r])}}function _c(e){let t=e;for(;t?.parent;)t=t.parent;return t?t.opts():void 0}const vc=e(import.meta.url)(`../package.json`),$=new t;$.name(`tangle`).description(`CLI for Tangle Sandbox operations`).version(vc.version??`0.0.0`).option(`--api-key <key>`,`API key (or set TANGLE_API_KEY)`).option(`--base-url <url>`,`API base URL`),$.hook(`preAction`,(e,t)=>{gc(t)}),$.addCommand(ur()),$.addCommand(Bo()),$.addCommand(oc()),$.addCommand(ns()),$.addCommand(xo()),$.addCommand(ua()),$.addCommand(hs()),$.addCommand(gs()),$.addCommand(vs()),$.addCommand(Kn()),$.addCommand(as()),$.addCommand(ba()),$.addCommand(rc()),$.addCommand(Ns()),$.addCommand(Rs()),$.addCommand(Co()),$.addCommand(_r()),$.addCommand(Cr()),$.addCommand(To()),$.addCommand(ja()),$.addCommand(Pa()),$.addCommand(Fa()),$.addCommand(sc()),$.addCommand(la()),$.addCommand(zs()),$.addCommand(ts()),$.addCommand(is()),$.addCommand(wr()),$.addCommand(wo()),$.addCommand(no()),$.addCommand(Ji()),$.addCommand(Yi()),$.addCommand(jo()),$.addCommand(So()),$.addCommand(Bs()),$.addCommand(Ms()),$.parseAsync(process.argv).catch(e=>{console.error(`Fatal error:`,e.message),process.exit(1)});export{};