@tangle-network/sandbox-cli 0.9.4-develop.20260708194108.6294bc2 → 0.9.4-develop.20260710185349.82fda5c

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/dist/index.mjs +1 -1
  2. package/package.json +4 -4
package/dist/index.mjs CHANGED
@@ -145,4 +145,4 @@ Recommended actions:`);for(let e of i.insights.recommendedActions)console.log(`
145
145
  Re-run with --json to print the full token value.`))}catch(e){R(e)}}),e}function Ca(){let e=new t(`workspace`).description(`Manage a fleet's shared workspace`);return e.command(`snapshot <fleet-id>`).description(`Snapshot the fleet's shared workspace`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=E(C({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=N(`Creating workspace snapshot...`);r.start();let i=await n.fleets.createWorkspaceSnapshot(e);r.stop(),t.json?O(i):k(`Workspace snapshot created: ${i.snapshotId??i.id}`)}catch(e){R(e)}}),e.command(`restore <fleet-id> <snapshot-id>`).description(`Restore the fleet's shared workspace from a snapshot`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=E(C({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=N(`Restoring workspace...`);i.start();let a=await r.fleets.restoreWorkspaceSnapshot(e,t);i.stop(),n.json?O(a):k(`Workspace restored from ${a.snapshotId??t}`)}catch(e){R(e)}}),e.command(`reconcile <fleet-id>`).description(`Re-mount the shared workspace on all fleet machines`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=E(C({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=N(`Reconciling workspace...`);r.start();let i=await n.fleets.reconcileWorkspace(e);r.stop(),t.json?O(i):(P({"Fleet ID":i.fleetId,Checked:i.checked,"Orphaned mounts":i.orphanedMounts}),D(i.machines.map(e=>({machineId:e.machineId,sandboxId:e.sandboxId,mounted:e.mounted})),[{key:`machineId`,header:`Machine`,width:20},{key:`sandboxId`,header:`Sandbox`,width:24},{key:`mounted`,header:`Mounted`,width:10}]))}catch(e){R(e)}}),e}function wa(e){if(e.spec){let t=JSON.parse(u(e.spec,`utf8`));return{base:{fleetId:e.fleetId,defaults:t.defaults,policy:t.policy,workspace:t.workspace,metadata:t.metadata},machines:t.machines??[]}}let t=Da(e),n=Oa(e,!!t?.accelerator),r={...e.image?{environment:e.image}:{},...t?{resources:t}:{},...e.driver?{driver:{type:e.driver}}:{},...n?{gpuLease:n}:{},...e.backend?{backend:{type:e.backend}}:{}},i=ka(e),a=Math.max(1,Number(e.count)||1),o=Array.from({length:a},(e,t)=>({machineId:`worker-${t+1}`}));return{base:{fleetId:e.fleetId,defaults:Object.keys(r).length>0?r:void 0,policy:i,workspace:{mode:e.workspace}},machines:o}}function Ta(e){let{base:t,machines:n}=wa(e);return{...t,machines:n}}function Ea(e){let{base:t,machines:n}=wa(e);return{...t,workers:n}}function Da(e){let t={};if(e.cpu&&(t.cpuCores=Number(e.cpu)),e.memory&&(t.memoryMB=Number(e.memory)),e.disk&&(t.diskGB=Number(e.disk)),e.acceleratorKind)t.accelerator=ma({kind:e.acceleratorKind,count:e.acceleratorCount,memory:e.acceleratorMemory});else if(e.acceleratorCount||e.acceleratorMemory)throw Error(`--accelerator-count and --accelerator-memory require --accelerator-kind`);return Object.keys(t).length>0?t:void 0}function Oa(e,t){return ha({provider:e.gpuProvider,image:e.gpuWorkerImage,env:e.gpuEnv,maxSpendUsd:e.gpuMaxSpendUsd,maxLifetime:e.gpuMaxLifetime,idleTimeout:e.gpuIdleTimeout},t,`Fleet GPU lease flags require --accelerator-kind`)}function ka(e){let t={};return e.maxSpendUsd&&(t.maxSpendUsd=Number(e.maxSpendUsd)),e.maxLifetime&&(t.maxLifetimeSeconds=Number(e.maxLifetime)),Object.keys(t).length>0?t:void 0}function Aa(e){return[...e.entries()].map(([e,t])=>({machineId:e,sandboxId:t.id,status:t.status}))}function ja(e){if(!(!e||e.length===0)){for(let t of e)if(!xa.includes(t))throw Error(`Invalid token action '${t}'. Allowed: ${xa.join(`, `)}`);return e}}function Ma(e){return e.length<=12?`****`:`${e.slice(0,6)}...${e.slice(-4)} (masked — use --json for full value)`}function Na(){let e=new t(`fs`).description(`File system operations on sandboxes`);return q(e.command(`upload`).description(`Upload a file to a sandbox`).argument(`<sandbox-id-or-name>`,`Sandbox ID or name`).argument(`<local-path>`,`Local file path`).argument(`<remote-path>`,`Remote destination path`).option(`--json`,`Output as JSON`)).action(async(e,t,n,r)=>{try{let{context:i,client:a}=J(r),s=await B(a,i,e);if(s=await V(s),!o.existsSync(t))throw Error(`Local file not found: ${t}`);let c=o.statSync(t),l=Date.now();console.log(`Uploading ${t} to ${n}...`),await s.fs.upload(t,n,{onProgress:e=>{let t=e.percentage.toFixed(1);process.stdout.write(`\rProgress: ${t}% (${e.bytesUploaded}/${e.totalBytes} bytes)`)}});let u=Date.now()-l;console.log(``),r.json?I({success:!0,localPath:t,remotePath:n,size:c.size,durationMs:u}):console.log(`✓ Uploaded ${c.size} bytes in ${u}ms`)}catch(e){F(e,r.json)}}),q(e.command(`download`).description(`Download a file from a sandbox`).argument(`<sandbox-id-or-name>`,`Sandbox ID or name`).argument(`<remote-path>`,`Remote file path`).argument(`<local-path>`,`Local destination path`).option(`--json`,`Output as JSON`)).action(async(e,t,n,r)=>{try{let{context:i,client:a}=J(r),s=await B(a,i,e);s=await V(s);let c=Date.now();console.log(`Downloading ${t} to ${n}...`),await s.fs.download(t,n,{onProgress:e=>{let t=e.percentage.toFixed(1);process.stdout.write(`\rProgress: ${t}% (${e.bytesDownloaded}/${e.totalBytes} bytes)`)}});let l=Date.now()-c,u=o.statSync(n);console.log(``),r.json?I({success:!0,remotePath:t,localPath:n,size:u.size,durationMs:l}):console.log(`✓ Downloaded ${u.size} bytes in ${l}ms`)}catch(e){F(e,r.json)}}),q(e.command(`ls`).description(`List directory contents`).argument(`<sandbox-id-or-name>`,`Sandbox ID or name`).argument(`[path]`,`Directory path`,`.`).option(`-l, --long`,`Show detailed information`).option(`-a, --all`,`Include hidden files`).option(`--json`,`Output as JSON`)).action(async(e,t,n)=>{try{let{context:r,client:i}=J(n),a=await B(i,r,e);a=await V(a);let o=await a.fs.list(t.startsWith(`/`)?t:`/${t}`,{all:n.all,long:n.long});if(n.json)I(o);else if(n.long)L([`Mode`,`Owner`,`Group`,`Size`,`Modified`,`Name`],o.map(e=>{let t=e.isDir?`d`:e.isSymlink?`l`:`-`,n=Pa(e.permissions),r=e.isDir?`<DIR>`:Fa(e.size),i=e.modTime.toLocaleDateString();return[t+n,e.owner,e.group,r,i,e.name]}));else{let e=o.map(e=>e.isDir?`${e.name}/`:e.name);console.log(e.join(` `))}}catch(e){F(e,n.json)}}),q(e.command(`stat`).description(`Get file or directory information`).argument(`<sandbox-id-or-name>`,`Sandbox ID or name`).argument(`<path>`,`Path to file or directory`).option(`--json`,`Output as JSON`)).action(async(e,t,n)=>{try{let{context:r,client:i}=J(n),a=await B(i,r,e);a=await V(a);let o=await a.fs.stat(t.startsWith(`/`)?t:`/${t}`);n.json?I(o):(console.log(` File: ${o.name}`),console.log(` Path: ${o.path}`),console.log(` Size: ${Fa(o.size)} (${o.size} bytes)`),console.log(` Type: ${o.isDir?`directory`:o.isSymlink?`symlink`:`file`}`),console.log(` Mode: ${Pa(o.permissions)} (${o.permissions.toString(8)})`),console.log(` Owner: ${o.owner}`),console.log(` Group: ${o.group}`),console.log(` Modified: ${o.modTime.toISOString()}`),console.log(` Accessed: ${o.accessTime.toISOString()}`))}catch(e){F(e,n.json)}}),q(e.command(`cat`).description(`Print file contents`).argument(`<sandbox-id-or-name>`,`Sandbox ID or name`).argument(`<path>`,`Path to file`).option(`--json`,`Output as JSON`)).action(async(e,t,n)=>{try{let{context:r,client:i}=J(n),a=await B(i,r,e);a=await V(a);let o=await a.read(t.startsWith(`/`)?t:`/${t}`);n.json?I({path:t,content:o}):console.log(o)}catch(e){F(e,n.json)}}),q(e.command(`rm`).description(`Delete a file or directory`).argument(`<sandbox-id-or-name>`,`Sandbox ID or name`).argument(`<path>`,`Path to delete`).option(`-r, --recursive`,`Delete directories recursively`).option(`--json`,`Output as JSON`)).action(async(e,t,n)=>{try{let{context:r,client:i}=J(n),a=await B(i,r,e);a=await V(a),await a.fs.delete(t.startsWith(`/`)?t:`/${t}`,{recursive:n.recursive}),n.json?I({success:!0,path:t,deleted:!0}):console.log(`✓ Deleted: ${t}`)}catch(e){F(e,n.json)}}),q(e.command(`mkdir`).description(`Create a directory`).argument(`<sandbox-id-or-name>`,`Sandbox ID or name`).argument(`<path>`,`Directory path to create`).option(`-p, --parents`,`Create parent directories as needed`).option(`--json`,`Output as JSON`)).action(async(e,t,n)=>{try{let{context:r,client:i}=J(n),a=await B(i,r,e);a=await V(a),await a.fs.mkdir(t.startsWith(`/`)?t:`/${t}`,{recursive:n.parents}),n.json?I({success:!0,path:t,created:!0}):console.log(`✓ Created: ${t}`)}catch(e){F(e,n.json)}}),q(e.command(`exists`).description(`Check if a path exists`).argument(`<sandbox-id-or-name>`,`Sandbox ID or name`).argument(`<path>`,`Path to check`).option(`--json`,`Output as JSON`)).action(async(e,t,n)=>{try{let{context:r,client:i}=J(n),a=await B(i,r,e);a=await V(a);let o=await a.fs.exists(t.startsWith(`/`)?t:`/${t}`);n.json?I({path:t,exists:o}):(console.log(o?`exists`:`not found`),process.exit(+!o))}catch(e){F(e,n.json)}}),e}function Pa(e){let t=[`r`,`w`,`x`],n=``;for(let r=2;r>=0;r--){let i=r*3;for(let r=0;r<3;r++)n+=e>>i+(2-r)&1?t[r]:`-`}return n}function Fa(e){let t=[`B`,`KB`,`MB`,`GB`,`TB`],n=e,r=0;for(;n>=1024&&r<t.length-1;)n/=1024,r++;return r===0?`${n}${t[r]}`:`${n.toFixed(1)}${t[r]}`}function q(e){return e.option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`)}function J(e){let t=C({apiKey:e.apiKey,baseUrl:e.baseUrl});return{context:t,client:E(t)}}function Ia(){let e=new t(`git`).description(`Git operations in a sandbox workspace`);return e.command(`status`).description(`Show git repository status`).argument(`<id-or-name>`,`Sandbox ID or name`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=C({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=E(n),i=N(`Fetching status...`);t.json||i.start();let a=await B(r,n,e);a=await V(a);let o=await a.git.status();if(i.stop(),t.json)O(o);else{if(console.log(`Branch: ${o.branch}`),console.log(`HEAD: ${o.head.slice(0,7)}`),console.log(`Dirty: ${o.isDirty?`yes`:`no`}`),o.ahead&&console.log(`Ahead: ${o.ahead}`),o.behind&&console.log(`Behind: ${o.behind}`),o.staged.length>0){console.log(`\nStaged (${o.staged.length}):`);for(let e of o.staged)console.log(` + ${e}`)}if(o.modified.length>0){console.log(`\nModified (${o.modified.length}):`);for(let e of o.modified)console.log(` M ${e}`)}if(o.untracked.length>0){console.log(`\nUntracked (${o.untracked.length}):`);for(let e of o.untracked)console.log(` ? ${e}`)}}}catch(e){R(e)}}),e.command(`log`).description(`Show commit log`).argument(`<id-or-name>`,`Sandbox ID or name`).option(`-n, --limit <count>`,`Max commits to show`,`10`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=C({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=E(n),i=N(`Fetching log...`);t.json||i.start();let a=await B(r,n,e);a=await V(a);let o=await a.git.log(Number.parseInt(t.limit,10));if(i.stop(),t.json)O(o);else if(o.length===0)console.log(`No commits found`);else for(let e of o)console.log(`${e.shortSha} ${e.message.split(`
146
146
  `)[0]} (${e.author}, ${e.date.toLocaleDateString()})`)}catch(e){R(e)}}),e.command(`diff`).description(`Show diff`).argument(`<id-or-name>`,`Sandbox ID or name`).option(`--ref <ref>`,`Ref to diff against`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=C({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=E(n),i=N(`Fetching diff...`);t.json||i.start();let a=await B(r,n,e);a=await V(a);let o=await a.git.diff(t.ref);i.stop(),t.json?O(o):o.raw?console.log(o.raw):console.log(`${o.additions} additions, ${o.deletions} deletions across ${o.files.length} files`)}catch(e){R(e)}}),e.command(`add`).description(`Stage files`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`<paths...>`,`Paths to stage`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=C({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=await B(E(r),r,e);i=await V(i),await i.git.add(t),k(`Staged: ${t.join(`, `)}`)}catch(e){R(e)}}),e.command(`commit`).description(`Create a commit`).argument(`<id-or-name>`,`Sandbox ID or name`).requiredOption(`-m, --message <msg>`,`Commit message`).option(`--amend`,`Amend the previous commit`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=C({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=await B(E(n),n,e);r=await V(r);let i=await r.git.commit(t.message,{amend:t.amend});t.json?O(i):k(`Committed: ${i.shortSha} ${i.message}`)}catch(e){R(e)}}),e.command(`push`).description(`Push to remote`).argument(`<id-or-name>`,`Sandbox ID or name`).option(`--force`,`Force push`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=C({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=E(n),i=N(`Pushing...`);i.start();let a=await B(r,n,e);a=await V(a),await a.git.push({force:t.force}),i.stop(),k(`Pushed to remote`)}catch(e){R(e)}}),e.command(`pull`).description(`Pull from remote`).argument(`<id-or-name>`,`Sandbox ID or name`).option(`--rebase`,`Rebase instead of merge`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=C({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=E(n),i=N(`Pulling...`);i.start();let a=await B(r,n,e);a=await V(a),await a.git.pull({rebase:t.rebase}),i.stop(),k(`Pulled from remote`)}catch(e){R(e)}}),e.command(`branches`).description(`List branches`).argument(`<id-or-name>`,`Sandbox ID or name`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=C({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=E(n),i=N(`Fetching branches...`);t.json||i.start();let a=await B(r,n,e);a=await V(a);let o=await a.git.branches();i.stop(),t.json?O(o):o.length===0?console.log(`No branches found`):L([`Name`,`Current`,`Remote`],o.map(e=>[e.name,e.current?`* `:` `,e.upstream??`-`]))}catch(e){R(e)}}),e.command(`checkout`).description(`Checkout a branch or ref`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`<ref>`,`Branch name or ref`).option(`-b, --create`,`Create a new branch`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=C({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=await B(E(r),r,e);i=await V(i),await i.git.checkout(t,{create:n.create}),k(`Checked out: ${t}${n.create?` (new)`:``}`)}catch(e){R(e)}}),e}function La(){let e=new t(`hub`).description(`Discover and run Tangle Hub tools`);e.option(`--json`,`Output as JSON`),e.hook(`preAction`,(e,t)=>{za(t)}),e.command(`connect`).description(`Connect a provider account`).argument(`provider`,`Provider to connect`).option(`--no-browser`,`Print the authorization URL instead of opening it`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=await(await z(t)).connections.start(e,{cli:!0});if(t.json){O(no(n));return}to(n,t.browser===!1?!1:await rr(n.redirectUrl))}catch(e){Y(e,t)}});let n=new t(`connections`).description(`List Hub provider connections`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=await(await z(e)).connections.list();if(e.json){O(t);return}eo(t.connections)}catch(t){Y(t,e)}});n.command(`revoke <connection-id>`).description(`Revoke a Hub provider connection`).option(`--force`,`Skip confirmation prompt`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=await z(t),r=await Wt(n,e);if(!t.force&&!await H(`Revoke Hub connection ${r}? `)){M(`Revoke cancelled.`);return}let i=await n.connections.revoke(r);if(t.json){O(i);return}M(`Revoked Hub connection ${i.connection.id}.`)}catch(e){Y(e,t)}}),e.addCommand(n);let r=new t(`permissions`).description(`Manage Hub action permissions`);r.command(`list`).description(`List Hub permissions for a connection`).requiredOption(`--connection <ref>`,`Hub connection id, or provider[:account]`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{if(!e.connection)throw Error(`--connection is required.`);let t=await z(e),n=await Wt(t,e.connection),r=await t.permissions.list(n);if(e.json){O(r);return}Ya(r.policies)}catch(t){Y(t,e)}}),r.command(`set`).description(`Set Hub permission for one action`).requiredOption(`--connection <ref>`,`Hub connection id, or provider[:account]`).requiredOption(`--action <path>`,`Executor action path`).requiredOption(`--decision <allow|ask|deny>`,`Permission decision`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{if(!e.connection)throw Error(`--connection is required.`);if(!e.action)throw Error(`--action is required.`);let t=Xa(e.decision),n=await z(e),r=await Wt(n,e.connection),i=await n.permissions.set({connectionId:r,actionPath:e.action,decision:t});if(e.json){O(i);return}Ya([i.policy])}catch(t){Y(t,e)}}),r.command(`revert-writes`).description("Revoke a bulk `--allow-writes` grant for a connection (deletes only the auto-granted write rows; manual permissions are untouched)").requiredOption(`--connection <ref>`,`Hub connection id, or provider[:account]`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{if(!e.connection)throw Error(`--connection is required.`);let t=await z(e),n=await Wt(t,e.connection),r=await t.permissions.revertWrites(n);if(e.json){O(r);return}M(`Reverted ${r.reverted} write permission${r.reverted===1?``:`s`} for connection ${r.connectionId}.`)}catch(t){Y(t,e)}}),e.addCommand(r);let i=new t(`approvals`).description(`List and resolve Hub execution approvals`);i.command(`list`).description(`List pending Hub execution approvals`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=await(await z(e)).approvals.list();if(e.json){O(t);return}Wa(t.approvals)}catch(t){Y(t,e)}}),i.command(`approve`).description(`Approve a pending Hub execution approval`).argument(`approval-id`,`Hub approval ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{Ua(e),Ga(await(await z(t)).approvals.approve(e),t.json===!0)}catch(e){Y(e,t)}}),i.command(`deny`).description(`Deny a pending Hub execution approval`).argument(`approval-id`,`Hub approval ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{Ua(e),Ga(await(await z(t)).approvals.deny(e),t.json===!0)}catch(e){Y(e,t)}}),e.addCommand(i);let a=new t(`tools`).description(`Discover Hub tools`);return a.command(`sources`).description(`List Hub tool sources`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=await(await z(e)).tools.sources();if(e.json){O(t);return}Za(t.sources)}catch(t){Y(t,e)}}),a.command(`describe`).description(`Describe a Hub tool`).argument(`path`,`Executor tool path`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=await(await z(t)).tools.describe(e);if(t.json){O(n);return}Qa(n.tool)}catch(e){Y(e,t)}}),a.command(`search`).description(`Search Hub tools`).argument(`<query...>`,`Search query`).option(`--provider <provider>`,`Filter by provider/source ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=await(await z(t)).tools.search(e.join(` `),{provider:t.provider});if(t.json){O(n);return}Ja(n.tools)}catch(e){Y(e,t)}}),e.addCommand(a),e.addCommand(Ra(`call`)),e.addCommand(Ra(`exec`)),e.command(`resume`).description(`Resolve a Hub approval created by a paused execution`).argument(`approval-id`,`Hub approval ID from HUB_APPROVAL_REQUIRED`).option(`--accept`,`Approve the execution approval`).option(`--decline`,`Deny the execution approval`).option(`--cancel`,`Unsupported for approval-backed Hub resume`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{if(Ua(e),t.cancel)throw Error(`Hub approval resume does not support --cancel. Use --decline to deny the approval.`);if(t.accept&&t.decline)throw Error(`Choose only one of --accept or --decline.`);if(!t.accept&&!t.decline)throw Error(`Choose --accept to approve or --decline to deny the Hub approval.`);let n=await z(t);Ga(t.decline?await n.approvals.deny(e):await n.approvals.approve(e),t.json===!0)}catch(e){Y(e,t)}}),e.command(`status`).description(`Show Hub auth and connection status`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=await(await z(e)).status();if(e.json){O(t);return}ro(t)}catch(t){Y(t,e)}}),e}function Ra(e){return new t(e).description(`Execute a Hub tool`).argument(`<args...>`,`Tool path tokens followed by JSON input`).option(`--connection <ref>`,`Hub connection id, or provider[:account]`).option(`--auto-approve`,`Approve a HUB_APPROVAL_REQUIRED execution and retry once`).option(`--approve`,`Alias for --auto-approve`).option(`--no-hub-key`,`Do not auto-mint a platform Hub key; use the stored credential as-is`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let{args:n,approve:r}=Ha(e,t),{path:i,input:a}=qa(n),o=await z(t),s=t.connection?await Wt(o,t.connection):void 0;O((await o.tools.invoke(i,a,{connectionId:s,approve:r})).result)}catch(e){Y(e,t)}})}function za(e){if(!Ba(e,`json`)||e.getOptionValue(`json`)!==void 0)return;let t=e.parent;for(;t;){let n=t.getOptionValue(`json`);if(n!==void 0){e.setOptionValue(`json`,n);return}t=t.parent}}function Ba(e,t){return e.options.some(e=>e.attributeName()===t)}function Va(e){return e.json===!0}function Y(e,t){return Va(t)?R(e,!0):R(e)}function Ha(e,t){let n=t.autoApprove;return{args:e.filter(e=>e!==`--approve`&&e!==`--auto-approve`),approve:t.approve===!0||n===!0||e.includes(`--approve`)||e.includes(`--auto-approve`)}}function Ua(e){if(!/^[A-Za-z0-9_-]+$/.test(e))throw Error(`Hub approval ID must contain only letters, numbers, underscores, and dashes.`)}function Wa(e){D(e.map(e=>({id:e.id,provider:e.providerId,action:e.actionPath,connection:e.connectionId,status:e.status,expires:e.expiresAt})),[{key:`id`,header:`ID`},{key:`provider`,header:`Provider`},{key:`action`,header:`Action`},{key:`connection`,header:`Connection`},{key:`status`,header:`Status`},{key:`expires`,header:`Expires`}])}function Ga(e,t){if(t){O(Ka(e));return}M(`Hub approval ${e.approval.id} ${e.approval.status}.`),e.capabilityToken&&M("Capability token minted. Re-run the original command with `--approve` to execute automatically.")}function Ka(e){return{approval:e.approval,...e.capabilityToken?{capabilityToken:{tokenId:e.capabilityToken.tokenId,expiresAt:e.capabilityToken.expiresAt}}:{}}}function qa(e){if(e.length<2)throw Error(`Usage: tangle hub call <path> <json-input>`);let t=e.at(-1);if(t===void 0)throw Error(`Usage: tangle hub call <path> <json-input>`);try{return{path:e.slice(0,-1).join(`.`),input:JSON.parse(t)}}catch{throw Error(`Hub call input must be valid JSON.`)}}function Ja(e){D(e.map(e=>({path:e.path,provider:e.providerId??e.requiredConnectionProviderId,title:e.title,description:e.description,connection:$a(e),policy:e.policyState})),[{key:`path`,header:`Path`},{key:`provider`,header:`Provider`},{key:`title`,header:`Title`},{key:`description`,header:`Description`},{key:`connection`,header:`Connection`},{key:`policy`,header:`Policy`}])}function Ya(e){D(e.map(e=>({connection:e.connectionId,provider:e.providerId,action:e.actionPath,decision:e.decision,updated:e.updatedAt})),[{key:`connection`,header:`Connection`},{key:`provider`,header:`Provider`},{key:`action`,header:`Action`},{key:`decision`,header:`Decision`},{key:`updated`,header:`Updated`}])}function Xa(e){if(e===`allow`||e===`ask`||e===`deny`)return e;throw Error(`--decision must be one of: allow, ask, deny.`)}function Za(e){D(e.map(e=>({source:e.sourceId,provider:e.displayName,tools:e.toolCount,connection:e.connectionStatus,health:e.health,configured:e.configured})),[{key:`source`,header:`Source`},{key:`provider`,header:`Provider`},{key:`tools`,header:`Tools`},{key:`connection`,header:`Connection`},{key:`health`,header:`Health`},{key:`configured`,header:`Configured`}])}function Qa(e){P({Path:e.path,Provider:e.providerId??e.requiredConnectionProviderId,Title:e.title,Description:e.description,Connection:$a(e),Policy:e.policyState}),e.inputSchema!==void 0&&(M(`Input schema`),console.log(JSON.stringify(e.inputSchema,null,2))),e.outputSchema!==void 0&&(M(`Output schema`),console.log(JSON.stringify(e.outputSchema,null,2)))}function $a(e){if(e.connectionRequired===!1)return`not required`;if(e.connectionStatus)return e.connectionStatus}function eo(e){D(e.map(e=>({id:e.id,provider:e.providerId,account:e.accountDisplay??e.displayName,scopes:e.scopes.join(`, `),status:e.status,health:e.health,lastUsed:e.lastUsedAt})),[{key:`id`,header:`ID`},{key:`provider`,header:`Provider`},{key:`account`,header:`Account`},{key:`scopes`,header:`Scopes`},{key:`status`,header:`Status`},{key:`health`,header:`Health`},{key:`lastUsed`,header:`Last Used`}])}function to(e,t){t?M(`Opened browser to connect ${e.provider}.`):(M(`Open this URL to connect ${e.provider}:`),console.log(e.redirectUrl)),M("Finish authorization in the browser, then rerun `tangle hub status`.")}function no(e){return{provider:e.provider,redirectUrl:e.redirectUrl,expiresAt:e.expiresAt,scopes:e.scopes,cli:e.cli}}function ro(e){let{principal:t,connections:n}=e;M(`Hub status`),P({Principal:t.kind,"User ID":t.userId,"API Key ID":t.apiKeyId,"Sandbox ID":t.sandboxId,"Connected Providers":n.connectedProviderCount,"Unhealthy Providers":n.unhealthyProviderCount}),n.unhealthyProviderCount>0&&M(`Some providers require reconnect.`)}function io(){let e=new t(`intelligence`).description(`Create and inspect trace intelligence reports`);return e.command(`connect [agent]`).alias(`connect-agent`).description(`Connect local agent CLIs to Tangle Intelligence`).option(`--api-key <key>`,`Intelligence ingest API key`).option(`--endpoint <url>`,`OTLP endpoint base`,Or).option(`--workspace <path>`,`Workspace to write hook files into`,`.`).option(`--service-name <name>`,`OTel service.name label`).option(`--environment <name>`,`OTel deployment.environment label`,`local`).option(`--dry-run`,`Print planned writes without changing files`).option(`--hook-command <command>`,`Command native hooks should run`,`tangle intelligence hook`).option(`--no-smoke`,`Skip the install smoke trace`).option(`--json`,`Output as JSON`).action(async(e,t)=>{try{let n=e??`local`;Nr(n);let r=oo(t.apiKey),i=await Rr({selection:n,workspace:t.workspace,apiKey:r,endpoint:t.endpoint,serviceName:t.serviceName??Fr(t.workspace),environment:t.environment,smoke:t.smoke,dryRun:!!t.dryRun,hookCommand:t.hookCommand}),a={configPath:i.configPath,agents:i.agents,nativeAgents:i.nativeAgents,manual:i.manual,written:i.written,smokeTraceId:i.smokeTraceId};if(t.json){O(a);return}P({Config:i.configPath,Agents:i.agents.join(`, `),"Native Hooks":i.nativeAgents.join(`, `)||void 0,"Manual Setup":i.manual.length?i.manual.map(e=>`${e.label}: ${e.reason}`).join(` `):void 0,Files:i.written.join(`, `),"Smoke Trace":i.smokeTraceId})}catch(e){R(e)}}),e.command(`doctor`).description(`Check whether your agent traces carry CONTENT or are metadata-only`).option(`--api-key <key>`,`Intelligence ingest API key`).option(`--endpoint <url>`,`OTLP endpoint base`,Or).option(`--json`,`Output as JSON`).action(async e=>{try{let t=Lr(),n=await Ur({endpoint:e.endpoint===`https://intelligence.tangle.tools/v1/otlp`?t?.endpoint??`https://intelligence.tangle.tools/v1/otlp`:e.endpoint,apiKey:oo(e.apiKey??t?.apiKey)});e.json?O(n):ao(n),n.contentSeen||(process.exitCode=1)}catch(e){R(e)}}),e.command(`hook`).description(`Emit one local agent hook event to Tangle Intelligence`).requiredOption(`--agent <agent>`,`Agent surface`).requiredOption(`--event <event>`,`Hook event name`).option(`--payload <json>`,`Hook payload JSON`).option(`--api-key <key>`,`Intelligence ingest API key`).option(`--endpoint <url>`,`OTLP endpoint base`).option(`--service-name <name>`,`OTel service.name label`).option(`--environment <name>`,`OTel deployment.environment label`).option(`--session-id <id>`,`Session id override`).option(`--dry-run`,`Build the OTLP request without sending it`).option(`--non-blocking`,`Do not fail the parent agent process`).option(`--json`,`Output as JSON`).action(async e=>{try{let t=so(e.agent),n=Lr(),r={agent:t,event:e.event,endpoint:e.endpoint??n?.endpoint??`https://intelligence.tangle.tools/v1/otlp`,apiKey:oo(e.apiKey??n?.apiKey),serviceName:e.serviceName??n?.serviceName??Fr(process.cwd()),environment:e.environment??n?.environment??`local`,sessionId:e.sessionId,payload:e.payload===void 0?await lo():co(e.payload)};if(e.dryRun){let n=Br(r);if(e.json){O(n);return}P({Trace:n.traceId,Agent:t,Event:e.event});return}let i=await Vr(r);if(e.json){O({traceId:i});return}P({Trace:i,Agent:t,Event:e.event})}catch(t){if(e.nonBlocking){let n=t instanceof Error?t.message:String(t);e.json?O({ok:!1,error:n}):console.error(`Tangle Intelligence hook skipped: ${n}`);return}R(t)}}),e.command(`sandbox <sandbox-id>`).description(`Create an intelligence report for one sandbox`).option(`--mode <mode>`,`deterministic | agentic`,`deterministic`).option(`--max-usd <amount>`,`Maximum customer charge for agentic analysis`).option(`--metadata <json>`,`Metadata JSON object`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{await uo({type:`sandbox`,id:e},t)}),e.command(`fleet <fleet-id>`).description(`Create an intelligence report for a sandbox fleet`).option(`--mode <mode>`,`deterministic | agentic`,`deterministic`).option(`--max-usd <amount>`,`Maximum customer charge for agentic analysis`).option(`--metadata <json>`,`Metadata JSON object`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{await uo({type:`fleet`,id:e},t)}),e.command(`create`).description(`Create a trace intelligence report`).requiredOption(`--subject-type <type>`,`sandbox | fleet`).requiredOption(`--subject-id <id>`,`Subject identifier`).option(`--mode <mode>`,`deterministic | agentic`,`deterministic`).option(`--max-usd <amount>`,`Maximum customer charge for agentic analysis`).option(`--metadata <json>`,`Metadata JSON object`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{await uo({type:po(e.subjectType),id:e.subjectId},e)}),e.command(`get <job-id>`).description(`Get an intelligence report`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=E(C({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=t.json?null:N(`Fetching intelligence report...`);r?.start();let i=await n.intelligence.getReport(e);if(r?.stop(),t.json){O(i);return}fo(i)}catch(e){R(e)}}),e.command(`list`).description(`List intelligence reports`).option(`--subject-type <type>`,`sandbox | fleet`).option(`--subject-id <id>`,`Subject identifier`).option(`--limit <count>`,`Maximum reports to return`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=E(C({apiKey:e.apiKey,baseUrl:e.baseUrl})),n=e.json?null:N(`Fetching intelligence reports...`);n?.start();let r=await t.intelligence.listReports({subjectType:e.subjectType===void 0?void 0:po(e.subjectType),subjectId:e.subjectId,limit:e.limit===void 0?void 0:go(e.limit)});if(n?.stop(),e.json){O(r);return}D(r.map(e=>({jobId:e.jobId,subject:`${e.subject.type}:${e.subject.id}`,mode:e.mode,status:e.status,cost:`$${e.billing.costUsd.toFixed(2)}`,updatedAt:e.updatedAt})),[{key:`jobId`,header:`Job`,width:20},{key:`subject`,header:`Subject`,width:28},{key:`mode`,header:`Mode`,width:15},{key:`status`,header:`Status`,width:14},{key:`cost`,header:`Cost`,width:10},{key:`updatedAt`,header:`Updated`,width:18}])}catch(e){R(e)}}),e}function ao(e){P({Status:e.contentSeen?`content flowing`:e.tracesSeen?`metadata-only — a content gate is missing`:`no traces yet`,"Traces seen":e.tracesSeen?`yes`:`no`,"Content seen":e.contentSeen?`yes`:`no`,"Last seen":e.lastSeenAt??`never`,Window:`${e.windowDays}d`});let t=Object.entries(e.byAgent);t.length>0&&(console.log(),D(t.map(([e,t])=>({agent:e,traces:t.tracesSeen?`yes`:`no`,content:t.contentSeen?`yes`:`no`})),[{key:`agent`,header:`Agent`,width:18},{key:`traces`,header:`Traces`,width:10},{key:`content`,header:`Content`,width:10}]))}function oo(e){let t=e??process.env.TANGLE_INTELLIGENCE_API_KEY??process.env.TANGLE_API_KEY;if(!t)throw Error(`--api-key, TANGLE_INTELLIGENCE_API_KEY, or TANGLE_API_KEY is required`);return t}function so(e){if(Pr(e))return e;throw Error(`agent must be a known Tangle Intelligence agent surface`)}function co(e){try{return JSON.parse(e)}catch(e){throw Error(`--payload must be JSON: ${e instanceof Error?e.message:String(e)}`)}}async function lo(){if(process.stdin.isTTY)return;let e=``;for await(let t of process.stdin)if(e+=typeof t==`string`?t:t.toString(`utf8`),e.length>65536)throw Error(`hook payload exceeds 65536 bytes`);let t=e.trim();if(t)try{return JSON.parse(t)}catch{return{body:t.slice(0,4096)}}}async function uo(e,t){try{let n=mo(t.mode),r=_o(t.metadata),i=t.maxUsd===void 0?void 0:ho(t.maxUsd);if(n===`agentic`&&i===void 0)throw Error(`Agentic intelligence reports require --max-usd`);let a=E(C({apiKey:t.apiKey,baseUrl:t.baseUrl})),o=t.json?null:N(`Creating intelligence report...`);o?.start();let s=await a.intelligence.createReport({subject:e,mode:n,...i===void 0?{}:{budget:{billTo:`customer`,maxUsd:i}},...r===void 0?{}:{metadata:r}});if(o?.stop(),t.json){O(s);return}fo(s)}catch(e){R(e)}}function fo(e){P({Job:e.jobId,Subject:`${e.subject.type}:${e.subject.id}`,Mode:e.mode,Status:e.status,"Billed To":e.billing.billedTo,Cost:`$${e.billing.costUsd.toFixed(2)}`,Budget:e.billing.budgetMaxUsd===void 0?void 0:`$${e.billing.budgetMaxUsd.toFixed(2)}`,Updated:e.updatedAt}),e.result!==null&&(console.log(),O(e.result))}function po(e){if(e===`sandbox`||e===`fleet`)return e;throw Error(`subject type must be sandbox or fleet`)}function mo(e){if(e===`deterministic`||e===`agentic`)return e;throw Error(`mode must be deterministic or agentic`)}function ho(e){let t=Number(e);if(!Number.isFinite(t)||t<0)throw Error(`--max-usd must be a non-negative number`);return t}function go(e){let t=Number(e);if(!Number.isInteger(t)||t<1)throw Error(`--limit must be a positive integer`);return t}function _o(e){if(e===void 0)return;let t=JSON.parse(e);if(!t||typeof t!=`object`||Array.isArray(t))throw Error(`--metadata must be a JSON object`);return t}const vo=[`router`,`sandbox`,`blueprint-agent`,`evals`,`agent-builder`];function yo(e){return(e?.trim()||process.env.TANGLE_PLATFORM_URL?.trim()||`https://id.tangle.tools`).replace(/\/+$/,``)}async function bo(e,t,n={}){let r=new Headers(n.headers);r.set(`Authorization`,`Bearer ${t}`),n.body&&!r.has(`content-type`)&&r.set(`content-type`,`application/json`);let i=await fetch(e,{...n,headers:r});if(n.expected!==void 0&&i.status!==n.expected){let t=await i.text().catch(()=>``),n=t?`: ${t.slice(0,400)}`:``;throw Error(`Platform request to ${e} returned ${i.status}${n}`)}return i}const xo=[`ID`,`Prefix`,`Name`,`Product`,`Created`,`Last used`,`Expires`];function So(e){return[e.id,e.keyPrefix??``,e.name,e.product??`all`,e.createdAt,e.lastUsedAt??`—`,e.expiresAt??`—`]}function Co(){let e=new t(`keys`).description(`Manage sk-tan-* API keys on id.tangle.tools`);return e.command(`list`).description(`List your active API keys`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key (overrides configured credentials)`).option(`--base-url <url>`,`Sandbox API base URL (not platform URL)`).option(`--platform-url <url>`,`Override the platform URL (id.tangle.tools)`).action(async e=>{try{let t=C({apiKey:e.apiKey,baseUrl:e.baseUrl}),n=await(await bo(`${yo(e.platformUrl)}/v1/keys`,t.apiKey,{expected:200})).json();if(e.json){O(n);return}L(xo,n.data.map(So))}catch(e){R(e)}}),e.command(`create`).description(`Create a new API key`).argument(`<name>`,`Human-readable name for the key`).option(`--product <product>`,`Restrict the key to one product (${vo.join(`|`)}). Omit for all products.`).option(`--budget-usd <amount>`,`Hard budget cap in USD`).option(`--rpm-limit <limit>`,`Requests-per-minute cap`).option(`--expires-in-days <days>`,`Expire the key after N days (integer)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key (overrides configured credentials)`).option(`--base-url <url>`,`Sandbox API base URL (not platform URL)`).option(`--platform-url <url>`,`Override the platform URL (id.tangle.tools)`).action(async(e,t)=>{try{if(t.product!==void 0&&!vo.includes(t.product))throw Error(`Invalid --product. Expected one of ${vo.join(`, `)}`);let n=C({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=yo(t.platformUrl),i=t.expiresInDays===void 0?void 0:new Date(Date.now()+Number.parseInt(t.expiresInDays,10)*24*60*60*1e3).toISOString(),a=N(`Creating API key...`);a.start();let o=await bo(`${r}/v1/keys`,n.apiKey,{method:`POST`,expected:201,body:JSON.stringify({name:e,product:t.product,budgetUsd:t.budgetUsd?Number.parseFloat(t.budgetUsd):void 0,rpmLimit:t.rpmLimit?Number.parseInt(t.rpmLimit,10):void 0,expiresAt:i})});a.stop();let s=await o.json();if(t.json){O(s);return}k(`API key created: ${s.data.prefix}…`),M(`Copy this key now — it will never be shown again:\n${s.data.key}`)}catch(e){R(e)}}),e.command(`revoke`).description(`Revoke an API key`).argument(`<keyId>`,"Key ID (from `tcloud keys list`)").option(`--yes`,`Skip the confirmation prompt`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key (overrides configured credentials)`).option(`--base-url <url>`,`Sandbox API base URL (not platform URL)`).option(`--platform-url <url>`,`Override the platform URL (id.tangle.tools)`).action(async(e,t)=>{try{let n=C({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=yo(t.platformUrl);if(!t.yes&&!await H(`Revoke key ${e}? Any service still using it will start to fail.`)){M(`Aborted.`);return}let i=await(await bo(`${r}/v1/keys/${encodeURIComponent(e)}`,n.apiKey,{method:`DELETE`,expected:200})).json();if(t.json){O(i);return}k(`Revoked ${e}`)}catch(e){R(e)}}),e}function wo(){let e=new t(`mcp`).description(`Model Context Protocol bridge commands.`);return e.command(`serve <id-or-name>`).description(`Run a local MCP server (stdio) backed by the given sandbox (ID or name). Pipe its stdio from an MCP client config to expose sandbox tools.`).option(`-s, --session <id>`,`Session id for kernel scoping`,`mcp-local`).option(`--name <name>`,`MCP server name reported to clients`,`tangle-sandbox`).action(async(e,t)=>{try{let n=C({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=await B(E(n),n,e),i;try{i=(await import(`@modelcontextprotocol/sdk/server/stdio.js`)).StdioServerTransport}catch{throw Error("`@modelcontextprotocol/sdk` is not installed in this environment. Install it with: pnpm add -g @modelcontextprotocol/sdk (or as a dev dep in the project running this command).")}let{connect:a,close:o}=await Oe(r,{sessionId:t.session,name:t.name});await a(new i),process.stdin.resume(),process.stdin.on(`end`,()=>{o().finally(()=>process.exit(0))});for(let e of[`SIGINT`,`SIGTERM`])process.on(e,()=>{o().finally(()=>process.exit(0))})}catch(e){R(e)}}),e}function To(){let e=new t(`permissions`).description(`Manage sandbox user permissions`);return e.command(`list <sandboxId-or-name>`).description(`List all users in a sandbox`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=C({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=E(n),i=N(`Fetching users...`);i.start();let a=await(await B(r,n,e)).permissions.list();i.stop(),t.json?O(a):D(a.map(e=>({userId:e.userId,username:e.username,role:e.role,homeDir:e.homeDir,createdAt:e.createdAt.toISOString().split(`T`)[0]})),[{key:`userId`,header:`User ID`,width:20},{key:`username`,header:`Username`,width:16},{key:`role`,header:`Role`,width:12},{key:`homeDir`,header:`Home Directory`,width:24},{key:`createdAt`,header:`Created`,width:16}])}catch(e){R(e)}}),e.command(`get <sandboxId-or-name> <userId>`).description(`Get details for a specific user`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=C({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=E(r),a=N(`Fetching user...`);a.start();let o=await(await B(i,r,e)).permissions.get(t);if(a.stop(),!o)throw Error(`User ${t} not found in sandbox ${e}`);n.json?O(o):(M(`User: ${o.userId}`),M(` Username: ${o.username}`),M(` Role: ${o.role}`),M(` Home: ${o.homeDir}`),M(` SSH Keys: ${o.sshKeys.length}`),M(` Created: ${o.createdAt.toISOString()}`))}catch(e){R(e)}}),e.command(`add <sandboxId-or-name>`).description(`Add a user to a sandbox`).requiredOption(`--user-id <id>`,`User ID (from your auth system)`).option(`--username <name>`,`Preferred username`).option(`--role <role>`,`Permission level (owner, admin, developer, viewer)`,`developer`).option(`--ssh-key <key>`,`SSH public key for access`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=C({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=E(n),i=N(`Adding user...`);i.start();let a=await(await B(r,n,e)).permissions.add({userId:t.userId,username:t.username,role:t.role,sshKeys:t.sshKey?[t.sshKey]:void 0});i.stop(),t.json?O(a):(k(`User ${a.userId} added as ${a.role}`),M(` Username: ${a.username}`),M(` Home: ${a.homeDir}`))}catch(e){R(e)}}),e.command(`update <sandboxId-or-name> <userId>`).description(`Update a user's permissions`).option(`--role <role>`,`New permission level (owner, admin, developer, viewer)`).option(`--add-ssh-key <key>`,`Add SSH public key`).option(`--remove-ssh-key <key>`,`Remove SSH public key`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=C({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=E(r),a=N(`Updating user...`);a.start();let o=await(await B(i,r,e)).permissions.update(t,{role:n.role,addSshKeys:n.addSshKey?[n.addSshKey]:void 0,removeSshKeys:n.removeSshKey?[n.removeSshKey]:void 0});a.stop(),n.json?O(o):(k(`User ${t} updated`),M(` Role: ${o.role}`),M(` SSH Keys: ${o.sshKeys.length}`))}catch(e){R(e)}}),e.command(`remove <sandboxId-or-name> <userId>`).description(`Remove a user from a sandbox`).option(`--preserve-home`,`Keep user's home directory`).option(`-f, --force`,`Skip confirmation`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{if(!n.force){let e=(await import(`node:readline`)).createInterface({input:process.stdin,output:process.stdout});if(!await new Promise(n=>{e.question(`Remove user ${t} from sandbox? [y/N] `,t=>{e.close(),n(t.toLowerCase()===`y`)})})){M(`Cancelled.`);return}}let r=C({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=E(r),a=N(`Removing user...`);a.start(),await(await B(i,r,e)).permissions.remove(t,{preserveHomeDir:n.preserveHome}),a.stop(),k(`User ${t} removed from sandbox ${e}`)}catch(e){R(e)}}),e.command(`policies <sandboxId-or-name> <userId>`).description(`Get access policies for a user`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=C({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=E(r),a=N(`Fetching policies...`);a.start();let o=await(await B(i,r,e)).permissions.getAccessPolicies(t);a.stop(),n.json?O(o):o.length===0?M(`No access policies configured`):D(o.map(e=>({pattern:e.pattern,permission:e.permission,priority:e.priority??0})),[{key:`pattern`,header:`Pattern`,width:30},{key:`permission`,header:`Permission`,width:12},{key:`priority`,header:`Priority`,width:10}])}catch(e){R(e)}}),e.command(`check <sandboxId-or-name> <userId> <path> <action>`).description(`Check if a user can perform an action on a path`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n,r,i)=>{try{if(![`read`,`write`,`execute`].includes(r))throw Error(`Action must be: read, write, or execute`);let a=C({apiKey:i.apiKey,baseUrl:i.baseUrl}),o=E(a),s=N(`Checking access...`);s.start();let c=await(await B(o,a,e)).permissions.checkAccess(t,n,r);s.stop(),c?k(`✓ User ${t} CAN ${r} ${n}`):M(`✗ User ${t} CANNOT ${r} ${n}`)}catch(e){R(e)}}),e}function Eo(){let e=new t(`preview`).description(`Manage sandbox preview links`);return e.command(`list`).alias(`ls`).description(`List active preview links for a sandbox`).argument(`<id-or-name>`,`Sandbox ID or name`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=C({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=E(n),i=N(`Fetching preview links...`);t.json||i.start();let a=await(await B(r,n,e)).previewLinks.list();i.stop(),t.json?O(a):a.length===0?console.log(`No preview links found`):L([`Preview ID`,`Port`,`URL`,`Status`],a.map(e=>[e.previewId.slice(0,12),String(e.port),e.url,e.status]))}catch(e){R(e)}}),e.command(`create`).description(`Create a preview link for a port`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`<port>`,`Port number to preview`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=C({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=E(r),a=N(`Creating preview for port ${t}...`);n.json||a.start();let o=await(await B(i,r,e)).previewLinks.create(Number.parseInt(t,10));a.stop(),n.json?O(o):(k(`Preview created: ${o.url}`),console.log(`Preview ID: ${o.previewId}`))}catch(e){R(e)}}),e.command(`remove`).alias(`rm`).description(`Remove a preview link`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`<preview-id>`,`Preview link ID (from 'preview list')`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=C({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=E(r),a=N(`Removing preview...`);n.json||a.start(),await(await B(i,r,e)).previewLinks.remove(t),a.stop(),n.json?O({success:!0,previewId:t}):k(`Preview removed: ${t}`)}catch(e){R(e)}}),e}function Do(){let e=new t(`process`).description(`Manage processes in a sandbox`);return e.command(`spawn`).description(`Spawn a process without blocking (returns PID)`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`<command>`,`Command to execute`).option(`--cwd <dir>`,`Working directory`).option(`--env <vars...>`,`Environment variables (KEY=VALUE)`).option(`-t, --timeout <ms>`,`Timeout in milliseconds`).option(`--blocking`,`Wait for completion (default: false)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=C({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=E(r),a={};if(n.env)for(let e of n.env){let[t,...n]=e.split(`=`);t&&n.length>0&&(a[t]=n.join(`=`))}let o=N(`Spawning: ${t}`);n.json||o.start();let s=await B(i,r,e);if(s=await V(s),n.blocking){let e=await s.exec(t,{cwd:n.cwd,env:Object.keys(a).length>0?a:void 0,timeoutMs:n.timeout?Number.parseInt(n.timeout,10):void 0});o.stop(),n.json?O(e):(e.stdout&&globalThis.process.stdout.write(e.stdout),e.stderr&&globalThis.process.stderr.write(e.stderr),e.exitCode!==0&&globalThis.process.exit(e.exitCode))}else{let r=await s.process.spawn(t,{cwd:n.cwd,env:Object.keys(a).length>0?a:void 0,timeoutMs:n.timeout?Number.parseInt(n.timeout,10):void 0});o.stop(),n.json?O({pid:r.pid,command:r.command}):(console.log(`Process started with PID: ${r.pid}`),console.log(`Use 'tangle process logs ${e} ${r.pid}' to view output`))}}catch(e){R(e)}}),e.command(`list`).alias(`ls`).description(`List all processes in a sandbox`).argument(`<id-or-name>`,`Sandbox ID or name`).option(`--running`,`Show only running processes`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=C({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=E(n),i=N(`Fetching processes...`);t.json||i.start();let a=await B(r,n,e);a=await V(a);let o=await a.process.list();t.running&&(o=o.filter(e=>e.running)),i.stop(),t.json?O(o):o.length===0?console.log(`No processes found`):L([`PID`,`Command`,`Status`,`Exit Code`,`Started`],o.map(e=>[String(e.pid),e.command.length>40?`${e.command.slice(0,37)}...`:e.command,e.running?`running`:`exited`,String(e.exitCode),e.startedAt.toLocaleString()]))}catch(e){R(e)}}),e.command(`get`).description(`Get detailed info about a process`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`<pid>`,`Process ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=C({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=E(r),a=N(`Fetching process info...`);n.json||a.start();let o=await B(i,r,e);o=await V(o);let s=await o.process.get(Number.parseInt(t,10));if(a.stop(),!s){console.error(`Process ${t} not found`),globalThis.process.exit(1);return}let c=await s.status();n.json?O(c):(console.log(`PID: ${c.pid}`),console.log(`Command: ${c.command}`),console.log(`CWD: ${c.cwd||`(default)`}`),console.log(`Status: ${c.running?`running`:`exited`}`),console.log(`Exit Code: ${c.exitCode}`),c.exitSignal&&console.log(`Signal: ${c.exitSignal}`),console.log(`Started: ${c.startedAt.toLocaleString()}`),c.exitedAt&&console.log(`Exited: ${c.exitedAt.toLocaleString()}`))}catch(e){R(e)}}),e.command(`kill`).description(`Kill a process`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`<pid>`,`Process ID`).option(`-s, --signal <signal>`,`Signal to send (SIGTERM, SIGKILL, etc.)`,`SIGTERM`).option(`--tree`,`Also kill descendants of the tracked process`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=C({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=E(r),a=N(`Sending ${n.signal} to PID ${t}...`);n.json||a.start();let o=await B(i,r,e);o=await V(o);let s=await o.process.get(Number.parseInt(t,10));if(!s){a.stop(),console.error(`Process ${t} not found`),globalThis.process.exit(1);return}n.tree?await s.kill(n.signal,{tree:!0}):await s.kill(n.signal),a.stop(),n.json?O({pid:Number.parseInt(t,10),signal:n.signal,...n.tree===!0?{tree:!0}:{},killed:!0}):console.log(n.tree?`Sent ${n.signal} to process tree ${t}`:`Sent ${n.signal} to process ${t}`)}catch(e){R(e)}}),e.command(`logs`).description(`Stream buffered and live process logs until the process exits`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`<pid>`,`Process ID`).option(`--stdout-only`,`Only show stdout`).option(`--stderr-only`,`Only show stderr`).option(`--json`,`Output as JSON lines`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=C({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=await B(E(r),r,e);i=await V(i);let a=await i.process.get(Number.parseInt(t,10));if(!a){console.error(`Process ${t} not found`),globalThis.process.exit(1);return}for await(let e of a.logs())n.stdoutOnly&&e.type!==`stdout`||n.stderrOnly&&e.type!==`stderr`||(n.json?console.log(JSON.stringify(e)):e.type===`stdout`?globalThis.process.stdout.write(e.data):globalThis.process.stderr.write(e.data))}catch(e){R(e)}}),e.command(`run-code`).description(`Execute Python code directly`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`<code>`,`Python code to execute`).option(`--cwd <dir>`,`Working directory`).option(`--env <vars...>`,`Environment variables (KEY=VALUE)`).option(`-t, --timeout <ms>`,`Timeout in milliseconds`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=C({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=E(r),a={};if(n.env)for(let e of n.env){let[t,...n]=e.split(`=`);t&&n.length>0&&(a[t]=n.join(`=`))}let o=N(`Executing Python code...`);n.json||o.start();let s=await B(i,r,e);s=await V(s);let c=await s.process.runCode(t,{cwd:n.cwd,env:Object.keys(a).length>0?a:void 0,timeoutMs:n.timeout?Number.parseInt(n.timeout,10):void 0});o.stop(),n.json?O(c):(c.stdout&&globalThis.process.stdout.write(c.stdout),c.stderr&&globalThis.process.stderr.write(c.stderr),c.exitCode!==0&&globalThis.process.exit(c.exitCode))}catch(e){R(e)}}),e}const Oo=[`python`,`node`,`typescript`,`bash`];function ko(e){switch(ne(e).toLowerCase()){case`.py`:return`python`;case`.js`:case`.mjs`:case`.cjs`:return`node`;case`.ts`:case`.tsx`:return`typescript`;case`.sh`:case`.bash`:return`bash`;default:return}}async function Ao(e){if(e===`-`){let e=[];for await(let t of process.stdin)e.push(typeof t==`string`?Buffer.from(t):t);return Buffer.concat(e).toString(`utf8`)}return await ke(re(e),`utf8`)}async function jo(e,t,n=Ao){let r=t?Oo.find(e=>e===t)??(()=>{throw Error(`unknown --lang ${t}: must be one of ${Oo.join(`, `)}`)})():void 0;if(!e||e===`-`){if(!r)throw Error(`reading from stdin requires --lang. Example: tangle run <id> -l python -`);return{language:r,source:await n(`-`)}}let i=ko(e);return{language:r??i??(()=>{throw Error(`cannot infer language from "${e}". Pass it explicitly: tangle run <id> -l <python|node|typescript|bash> ${e}`)})(),source:await n(e)}}function Mo(e){return m(he(),`tangle-run-images`,e)}function No(){return new t(`run`).description(`Run code in a persistent kernel inside a sandbox. Variables persist across calls in the same --session.`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`[file]`,`Path to source file. Language is inferred from extension. Use - for stdin (requires --lang).`).option(`-l, --lang <lang>`,`Force language: ${Oo.join(` | `)}. Required for stdin.`).option(`-s, --session <id>`,`Session id for kernel scoping`).option(`-t, --timeout <ms>`,`Per-call timeout in ms (0 disables)`,`60000`).option(`--save-images <dir>`,`Write image results into this directory (default: $TMPDIR/tangle-run-images/<sandbox>/).`).option(`--no-save-images`,`Don't write image results to disk; print summary only`).option(`--json`,`Output the full CodeExecutionResult as JSON`).action(async(e,t,n)=>{try{let{language:r,source:i}=await jo(t,n.lang),o=C({apiKey:n.apiKey,baseUrl:n.baseUrl}),s=await B(E(o),o,e);s=await V(s);let c=N(`Running ${r} (${i.length}b)…`);n.json||c.start();let u=await s.runCode(r,i,{sessionId:n.session,timeoutMs:Number.parseInt(n.timeout,10)});if(c.stop(),n.json){O(u),u.exitCode!==0&&process.exit(u.exitCode);return}u.stdout&&process.stdout.write(u.stdout),u.stderr&&process.stderr.write(u.stderr);let d=0;for(let t of u.results)if(t.type===`image`)if(n.saveImages!==!1){let r=typeof n.saveImages==`string`?n.saveImages:Mo(e);l(r,{recursive:!0});let i=`${r}/${Date.now()}-${d}.${t.format}`;f(i,Buffer.from(t.data,`base64`)),process.stderr.write(a.green(`✓ image → ${i}\n`)),d++}else process.stderr.write(a.gray(`[image: ${t.format}, ${t.data.length}b base64]\n`));else if(t.type===`dataframe`){let e=t.columns.map(e=>`${e.name}:${e.dtype}`).join(` | `);process.stderr.write(a.gray(`[dataframe ${t.rows.length}×${t.columns.length}${t.truncated?` (truncated)`:``}]\n`)),process.stderr.write(`${e}\n`);for(let e of t.rows.slice(0,20))process.stderr.write(`${e.map(e=>String(e)).join(` | `)}\n`);t.rows.length>20&&process.stderr.write(a.gray(`… ${t.rows.length-20} more rows\n`))}else t.type===`json`?(process.stderr.write(a.gray(`[json] `)),process.stderr.write(`${JSON.stringify(t.value,null,2)}\n`)):t.type===`html`?process.stderr.write(a.gray(`[html ${t.value.length}b]\n`)):t.type===`error`?(process.stderr.write(a.red(`✗ ${t.name}: ${t.message}\n`)),t.traceback&&process.stderr.write(`${t.traceback}\n`)):t.type===`text`&&process.stderr.write(`${t.value}\n`);u.error&&(process.stderr.write(a.red(`\n✗ ${u.error.name}: ${u.error.message}\n`)),u.error.traceback&&process.stderr.write(`${u.error.traceback}\n`)),u.exitCode!==0&&process.exit(u.exitCode)}catch(e){R(e)}})}function Po(e){return`${e.name} (${e.id})`}async function Fo(e,t){if(t.startsWith(`team_`))return e.teams.get(t);let n=(await e.teams.list()).filter(e=>e.name.toLowerCase()===t.toLowerCase());if(n.length===0)throw Error(`Team not found: ${t}`);if(n.length>1)throw Error(`Team name is ambiguous: ${t}. Use a team id instead.`);return n[0]}async function X(e,t,n){if(t)return Fo(e,t);let r=Ft(n);if(!r.activeTeamId)throw Error("No active team. Run `tangle team switch <team>` or pass `--team <team>`.");return e.teams.get(r.activeTeamId)}function Io(e,t){It({id:e.id,name:e.name},t)}function Lo(e){Lt(e)}const Ro=[{flag:`--git-token`,guidance:`Use --git-token-env <NAME> or --git-token-stdin so the secret never appears in argv (visible to other processes via /proc/<pid>/cmdline) or in shell history.`},{flag:`--storage-secret-access-key`,guidance:`Use --storage-secret-access-key-env <NAME> or --storage-secret-access-key-stdin so the secret never appears in argv (visible to other processes via /proc/<pid>/cmdline) or in shell history.`},{flag:`--backend-api-key`,guidance:`Use --backend-api-key-env <NAME> or --backend-api-key-stdin so the BYOK secret never appears in argv (visible to other processes via /proc/<pid>/cmdline) or in shell history.`}];function zo(e){for(let{flag:t,guidance:n}of Ro){let r=`${t}=`;if(e.some(e=>e===t||e.startsWith(r)))throw Error(`Refusing to read secret from ${t} on the command line. ${n}`)}}async function Bo(e){let t=typeof e.envVarName==`string`&&e.envVarName.length>0?e.envVarName:null,n=!!e.fromStdin;if(t&&n)throw Error(`Pass either ${e.flagPrefix}-env or ${e.flagPrefix}-stdin, not both`);if(t){let n=process.env[t];if(!n||n.length===0)throw Error(`${e.flagPrefix}-env points at ${t}, but that environment variable is empty or unset`);return n}if(n){let t=await kn();if(t.length===0)throw Error(`${e.flagPrefix}-stdin received empty input on stdin`);return t}}function Vo(e){let t=e.split(`/`);return t.length>=2?{provider:t[0],model:t.slice(1).join(`/`)}:{model:e}}function Ho(){let e=new t(`sandbox`).description(`Manage sandboxes`);e.command(`create`).description(`Create a new sandbox`).option(`-n, --name <name>`,`Sandbox name`).option(`-e, --environment <environment>`,`Environment name (e.g. universal, node, python)`).option(`-i, --image <image>`,`Alias for --environment (deprecated)`).option(`--bare`,`Create a bare sandbox without the agent runtime`).option(`--ssh`,`Enable SSH access`).option(`--ssh-key <key>`,`SSH public key for authentication`).option(`--ssh-keys <names...>`,`Stored SSH key names or IDs for authentication`).option(`--ssh-key-file <paths...>`,`SSH public key file paths for authentication`).option(`--web-terminal`,`Enable web terminal`).option(`--env <vars...>`,`Environment variables (KEY=VALUE)`).option(`--secret <names...>`,`Secrets to inject as environment variables`).option(`--metadata <entries...>`,`Metadata entries (KEY=VALUE or KEY=JSON)`).option(`--cpu <cores>`,`CPU cores`,`2`).option(`--memory <mb>`,`Memory in MB`,`4096`).option(`--disk <gb>`,`Disk size in GB`,`20`).option(`--accelerator-kind <kind>`,`Accelerator kind, for example nvidia-h100 or amd-mi300x`).option(`--accelerator-count <count>`,`Accelerator device count`,`1`).option(`--accelerator-memory <mb>`,`Minimum accelerator memory in MB`).option(`--gpu-provider <provider>`,`GPU cloud provider; omitted picks the cheapest configured provider`).option(`--gpu-worker-image <image>`,`GPU worker image override`).option(`--gpu-env <vars...>`,`Environment variables for the GPU worker (KEY=VALUE)`).option(`--gpu-max-spend-usd <usd>`,`Maximum customer spend for the create-time GPU lease`).option(`--gpu-max-lifetime <seconds>`,`Maximum create-time GPU lease lifetime in seconds`).option(`--gpu-idle-timeout <seconds>`,`Destroy the create-time GPU lease after this many idle seconds`).option(`--lifetime <seconds>`,`Max wall-clock lifetime before the sandbox is deleted (default 3600 = 1h). Raise it for long sessions, e.g. --lifetime 7200`,`3600`).option(`--idle-timeout <seconds>`,"Idle time before the sandbox is stopped — not deleted (default 900 = 15m). Resume it later with `tangle sandbox resume <id-or-name>`, or it auto-resumes on next use. Raise it for demos, e.g. --idle-timeout 3600",`900`).option(`--from-snapshot <id>`,`Create the sandbox from a snapshot`).option(`--public-template <id-or-slug>`,`Create the sandbox from a published public template`).option(`--public-template-version <id>`,`Pin creation to a specific published public-template version`).option(`--team <team>`,`Create in a team by id or name`).option(`--personal`,`Create a personal sandbox even when a team is active`).option(`--port <ports...>`,`Ports to expose at creation time`).option(`--git-url <url>`,`Git repository URL to clone during provisioning`).option(`--git-ref <ref>`,`Git branch, tag, or commit to checkout`).option(`--git-depth <depth>`,`Git clone depth`).option(`--git-sparse <paths...>`,`Sparse checkout paths`).option(`--git-token-env <name>`,`Name of an environment variable containing the Git HTTPS auth token`).option(`--git-token-stdin`,`Read the Git HTTPS auth token from stdin`).option(`--git-token <token>`,`[removed] use --git-token-env or --git-token-stdin`).option(`--tool <specs...>`,`Tool versions to preinstall (NAME=VERSION)`).option(`--storage-type <type>`,`BYOS3 storage type (s3, gcs, r2)`).option(`--storage-bucket <name>`,`BYOS3 bucket name`).option(`--storage-endpoint <url>`,`BYOS3 endpoint URL`).option(`--storage-region <region>`,`BYOS3 region`).option(`--storage-prefix <prefix>`,`BYOS3 path prefix`).option(`--storage-access-key-id <id>`,`BYOS3 access key ID`).option(`--storage-secret-access-key-env <name>`,`Name of an environment variable containing the BYOS3 secret access key`).option(`--storage-secret-access-key-stdin`,`Read the BYOS3 secret access key from stdin`).option(`--storage-secret-access-key <key>`,`[removed] use --storage-secret-access-key-env or --storage-secret-access-key-stdin`).option(`--default-role <role>`,`Default permission role (owner, admin, developer, viewer)`).option(`--initial-user <specs...>`,`Initial users (USER_ID or USER_ID:ROLE)`).option(`--multi-user`,`Enable multi-user permissions at creation`).option(`--driver <type>`,`Infrastructure driver (docker, firecracker, host-agent, tangle)`).option(`--driver-criu`,`Enable CRIU checkpointing (firecracker only)`).option(`--driver-region <region>`,`Preferred region for host-agent driver`).option(`--backend <type>`,`Backend agent type (opencode, claude-code, codex, cursor, amp)`).option(`--backend-profile <name>`,`Backend profile name`).option(`--backend-model <model>`,`Model override (format: provider/model)`).option(`--backend-api-key-env <name>`,`Name of an environment variable containing the BYOK backend API key`).option(`--backend-api-key-stdin`,`Read the BYOK backend API key from stdin`).option(`--backend-api-key <key>`,`[removed] use --backend-api-key-env or --backend-api-key-stdin`).option(`--tee <type>`,`Require a TEE backend (any, tdx, nitro, sev-snp, phala-dstack)`).option(`--sealed`,`Request TEE sealed-secret support`).option(`--attestation-nonce <hex|auto>`,`Deploy-time attestation nonce; use auto to generate one`).option(`--attestation-refresh`,`Generate a fresh deploy-time attestation nonce when --tee is set`).option(`--require-attestation`,`Fail unless TEE attestation evidence is returned`).option(`--block-network`,`Block all outbound network traffic`).option(`--allow-list <cidrs>`,`CIDR allowlist for outbound traffic (comma-separated)`).option(`--wait`,`Wait for sandbox to be running`,!0).option(`--timeout <ms>`,`HTTP timeout in milliseconds`,`30000`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{zo(process.argv);let t=await Bo({envVarName:e.gitTokenEnv,fromStdin:e.gitTokenStdin,flagPrefix:`--git-token`}),n=await Bo({envVarName:e.storageSecretAccessKeyEnv,fromStdin:e.storageSecretAccessKeyStdin,flagPrefix:`--storage-secret-access-key`}),r=await Bo({envVarName:e.backendApiKeyEnv,fromStdin:e.backendApiKeyStdin,flagPrefix:`--backend-api-key`}),i=C({apiKey:e.apiKey,baseUrl:e.baseUrl,timeout:e.timeout?Number.parseInt(e.timeout,10):void 0}),a=E(i),o=N(`Creating sandbox...`);o.start();let s=await Xo({client:a,explicitTeam:e.team,personal:e.personal,activeTeamId:i.activeTeamId}),c={};if(e.env)for(let t of e.env){let[e,...n]=t.split(`=`);e&&n.length>0&&(c[e]=n.join(`=`))}let l=e.tool?_a(e.tool,`--tool`,`tool spec`):void 0,d=e.metadata?Wo(e.metadata):void 0,f=qo(e,t),p=Jo(e,n),ee=Yo(e),te=e.port?Ko(e.port,`--port`):void 0,ne=e.acceleratorKind?ma({kind:String(e.acceleratorKind),count:String(e.acceleratorCount),memory:typeof e.acceleratorMemory==`string`?e.acceleratorMemory:void 0}):void 0,m=ha({provider:typeof e.gpuProvider==`string`?e.gpuProvider:void 0,image:typeof e.gpuWorkerImage==`string`?e.gpuWorkerImage:void 0,env:Array.isArray(e.gpuEnv)?e.gpuEnv:void 0,maxSpendUsd:typeof e.gpuMaxSpendUsd==`string`?e.gpuMaxSpendUsd:void 0,maxLifetime:typeof e.gpuMaxLifetime==`string`?e.gpuMaxLifetime:void 0,idleTimeout:typeof e.gpuIdleTimeout==`string`?e.gpuIdleTimeout:void 0},!!ne,`Create-time GPU lease flags require --accelerator-kind`),re=e.driver?{type:e.driver,enableCriu:e.driverCriu||void 0,preferredRegion:e.driverRegion}:void 0,ie=e.backend||e.backendProfile||e.backendModel?{type:e.backend??`opencode`,profile:e.backendProfile,model:e.backendModel||r?{...e.backendModel?Vo(e.backendModel):{},apiKey:r}:void 0}:void 0,ae=e.blockNetwork||e.allowList||te?{blockOutbound:e.blockNetwork||void 0,allowList:e.allowList?e.allowList.split(`,`).map(e=>e.trim()):void 0,ports:te}:void 0,oe=[...e.sshKey?[e.sshKey]:[],...(e.sshKeyFile??[]).map(e=>u(e,`utf8`).trim())],se={name:e.name,environment:e.environment??e.image,bare:e.bare||void 0,sshEnabled:e.ssh||!!e.sshKey||oe.length>0||!!e.sshKeys?.length,sshPublicKeys:oe.length>0?oe:void 0,sshKeyIds:e.sshKeys,webTerminalEnabled:e.webTerminal,env:Object.keys(c).length>0?c:void 0,git:f,tools:l,resources:{cpuCores:Number.parseInt(e.cpu,10),memoryMB:Number.parseInt(e.memory,10),diskGB:Number.parseInt(e.disk,10),accelerator:ne},gpuLease:m,maxLifetimeSeconds:Number.parseInt(e.lifetime,10),idleTimeoutSeconds:Number.parseInt(e.idleTimeout,10),storage:p,fromSnapshot:e.fromSnapshot,publicTemplateId:e.publicTemplate,publicTemplateVersionId:e.publicTemplateVersion,teamId:s,secrets:e.secret,metadata:d,driver:re,backend:ie,permissions:ee,network:ae},h=e.tee?{tee:e.tee,sealed:e.sealed||void 0,attestationRefresh:e.attestationRefresh||e.attestationNonce===`auto`||void 0}:void 0,g=h?await ue(a,{...se,confidential:h,attestationNonce:e.attestationNonce??(e.attestationRefresh?`auto`:void 0),requireAttestation:e.requireAttestation??!0}):void 0,_=g?.sandbox??await a.create(se);e.wait&&(o.text=`Waiting for sandbox to start...`,await _.waitFor(`running`,{timeoutMs:12e4}),await _.refresh()),o.stop(),e.json?O({id:_.id,name:_.name,status:_.status,createdAt:_.createdAt,expiresAt:_.expiresAt,connection:Uo(_.connection),teamId:s,gpuLease:_.gpuLease,confidential:h,attestation:g?.attestation,attestationNonce:g?.attestationNonce}):(k(`Sandbox created: ${_.id}`),nn({id:_.id,name:_.name,status:_.status,createdAt:_.createdAt?.toISOString(),expiresAt:_.expiresAt?.toISOString(),connection:_.connection}),s&&console.log(`Team: ${s}`),_.gpuLease&&(console.log(`GPU lease: ${_.gpuLease.id}`),ts(_.gpuLease)),h&&(console.log(`TEE: ${h.tee}`),console.log(`Attestation: ${g?.attestation?`present`:`not returned`}`),g?.attestationNonce&&console.log(`Attestation nonce: ${g.attestationNonce}`)))}catch(e){R(e)}}),e.command(`attestation <id-or-name>`).description(`Fetch TEE attestation evidence for a sandbox`).option(`--nonce <hex|auto>`,`Nonce to bind into a fresh attestation report; use auto to generate one`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=C({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=E(n),i=t.nonce===`auto`?de():t.nonce,a=N(`Fetching TEE attestation...`);a.start();let o=await(await B(r,n,e)).getTeeAttestation(i?{attestationNonce:i}:void 0);a.stop(),t.json?O(o):(k(`Attestation fetched for ${e}`),console.log(`TEE type: ${o.attestation.tee_type}`),console.log(`Evidence bytes: ${o.attestation.evidence.length}`),console.log(`Measurement bytes: ${o.attestation.measurement.length}`),console.log(`Timestamp: ${o.attestation.timestamp}`),o.attestationNonce&&console.log(`Nonce: ${o.attestationNonce}`))}catch(e){R(e)}}),e.command(`list`).description(`List all sandboxes`).option(`-s, --status <status>`,`Filter by status (running, stopped, all)`).option(`-l, --limit <n>`,`Limit results`,`50`).option(`--team <team>`,`List sandboxes for a team by id or name`).option(`--personal`,`List personal sandboxes`).option(`--all-scopes`,`List personal and team sandboxes`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=C({apiKey:e.apiKey,baseUrl:e.baseUrl}),n=E(t),r=N(`Fetching sandboxes...`);r.start();let i=await Zo({client:n,explicitTeam:e.team,personal:e.personal,allScopes:e.allScopes,activeTeamId:t.activeTeamId}),a=await n.list({status:e.status===`all`?void 0:e.status,limit:Number.parseInt(e.limit,10),scope:i});r.stop(),e.json?O(a):D(a.map(e=>({id:e.id,status:e.status,createdAt:e.createdAt,name:e.name??``})),[{key:`id`,header:`ID`,width:24},{key:`status`,header:`Status`,width:14},{key:`createdAt`,header:`Created`,width:16},{key:`name`,header:`Name`,width:20}])}catch(e){R(e)}}),e.command(`get <id-or-name>`).description(`Get sandbox details`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=C({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=E(n),i=N(`Fetching sandbox...`);i.start();let a=await B(r,n,e);i.stop(),t.json?O(a):nn({id:a.id,name:a.name,status:a.status,createdAt:a.createdAt?.toISOString(),expiresAt:a.expiresAt?.toISOString(),connection:a.connection})}catch(e){R(e)}}),e.command(`delete <id-or-name>`).description(`Delete a sandbox`).option(`-f, --force`,`Skip confirmation`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{if(!t.force){let t=(await import(`node:readline`)).createInterface({input:process.stdin,output:process.stdout});if(!await new Promise(n=>{t.question(`Delete sandbox ${e}? [y/N] `,e=>{t.close(),n(e.toLowerCase()===`y`)})})){M(`Cancelled.`);return}}let n=C({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=E(n),i=N(`Deleting sandbox...`);i.start(),await(await B(r,n,e)).delete(),i.stop(),k(`Sandbox ${e} deleted.`)}catch(e){R(e)}}),e.command(`stop <id-or-name>`).description(`Stop a running sandbox`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=C({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=E(n),i=N(`Stopping sandbox...`);i.start(),await(await B(r,n,e)).stop(),i.stop(),k(`Sandbox ${e} stopped.`)}catch(e){R(e)}}),e.command(`resume <id-or-name>`).description(`Resume a stopped sandbox`).option(`--wait`,`Wait for sandbox to be running`,!0).option(`-t, --timeout <ms>`,`Resume timeout in milliseconds; a cold resume re-provisions the sandbox, so this defaults higher than other commands (default 120000)`,`120000`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=Number.parseInt(t.timeout,10);if(!Number.isFinite(n)||n<=0)throw Error(`--timeout must be a positive number of milliseconds`);let r=C({apiKey:t.apiKey,baseUrl:t.baseUrl,timeout:n}),i=E(r),a=N(`Resuming sandbox...`);a.start();let o=await B(i,r,e);await o.resume({timeoutMs:n}),t.wait&&(a.text=`Waiting for sandbox to start...`,await o.waitFor(`running`,{timeoutMs:n})),a.stop(),k(`Sandbox ${o.id} resumed.`)}catch(e){R(e)}});let n=e.command(`gpu`).description(`Manage on-demand GPU leases for a sandbox`);return n.command(`attach <id-or-name>`).description(`Attach a temporary GPU worker to a sandbox`).requiredOption(`--accelerator-kind <kind>`,`GPU kind, for example nvidia-h100`).option(`--accelerator-count <count>`,`GPU device count`,`1`).option(`--accelerator-memory <mb>`,`Minimum GPU memory in MB`).option(`--provider <provider>`,`GPU cloud provider; omitted picks the cheapest configured provider`).option(`--image <image>`,`GPU worker image override`).option(`--env <vars...>`,`Environment variables for the GPU worker (KEY=VALUE)`).requiredOption(`--max-spend-usd <usd>`,`Maximum customer spend for this lease`).requiredOption(`--max-lifetime <seconds>`,`Maximum lease lifetime in seconds`).option(`--idle-timeout <seconds>`,`Destroy after this many idle seconds`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=C({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=E(n),i=N(`Attaching GPU lease...`);i.start();let a=await(await B(r,n,e)).gpu.attach(ga(t));i.stop(),t.json?O(a):(k(`GPU lease attached: ${a.id}`),ts(a))}catch(e){R(e)}}),n.command(`run <id-or-name> <command...>`).description(`Attach a temporary GPU, run a command, then destroy it`).requiredOption(`--accelerator-kind <kind>`,`GPU kind, for example nvidia-h100`).option(`--accelerator-count <count>`,`GPU device count`,`1`).option(`--accelerator-memory <mb>`,`Minimum GPU memory in MB`).option(`--provider <provider>`,`GPU cloud provider; omitted picks the cheapest configured provider`).option(`--image <image>`,`GPU worker image override`).option(`--env <vars...>`,`Environment variables for the GPU worker and command (KEY=VALUE)`).requiredOption(`--max-spend-usd <usd>`,`Maximum customer spend for this lease`).requiredOption(`--max-lifetime <seconds>`,`Maximum lease lifetime in seconds`).option(`--idle-timeout <seconds>`,`Destroy after this many idle seconds`).option(`--timeout <ms>`,`Command timeout in milliseconds`).option(`--cwd <path>`,`Working directory`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{let r,i,a,o;try{let a=C({apiKey:n.apiKey,baseUrl:n.baseUrl}),o=await B(E(a),a,e),s=N(`Attaching GPU lease...`);s.start(),r=await o.gpu.attach(ga(n)),s.stop();let c=N(`Running GPU command...`);c.start(),i=await o.gpu.exec(r.id,{command:t.join(` `),timeoutMs:n.timeout?K(String(n.timeout),`--timeout`):void 0,cwd:n.cwd,env:n.env?_a(n.env,`--env`,`env`):void 0}),c.stop(),n.json||ns(i)}catch(e){a=e}finally{if(r)try{let t=C({apiKey:n.apiKey,baseUrl:n.baseUrl});r=await(await B(E(t),t,e)).gpu.detach(r.id)}catch(e){o=e}}if(a){R(a),o&&R(o);return}if(o){R(o);return}n.json?O({lease:r,result:i}):r&&k(`GPU lease detached: ${r.id}`);let s=i?.result.exitCode;s&&s!==0&&(process.exitCode=s)}),n.command(`list <id-or-name>`).description(`List GPU leases attached to a sandbox`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=C({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=E(n),i=N(`Fetching GPU leases...`);i.start();let a=await(await B(r,n,e)).gpu.list();i.stop(),t.json?O(a):a.length===0?M(`No GPU leases attached.`):D(a.map(e=>({id:e.id,status:e.status,provider:e.provider,accelerator:`${e.accelerator.kind}x${e.accelerator.count}`,customerUsdHr:e.customerPricePerHourUsd??``})),[{key:`id`,header:`ID`,width:28},{key:`status`,header:`Status`,width:12},{key:`provider`,header:`Provider`,width:12},{key:`accelerator`,header:`GPU`,width:24},{key:`customerUsdHr`,header:`$/hr`,width:10}])}catch(e){R(e)}}),n.command(`exec <id-or-name> <lease-id> <command...>`).description(`Run a command on an attached GPU lease`).option(`--timeout <ms>`,`Command timeout in milliseconds`).option(`--cwd <path>`,`Working directory`).option(`--env <vars...>`,`Environment variables (KEY=VALUE)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n,r)=>{try{let i=C({apiKey:r.apiKey,baseUrl:r.baseUrl}),a=E(i),o=N(`Running GPU command...`);o.start();let s=await(await B(a,i,e)).gpu.exec(t,{command:n.join(` `),timeoutMs:r.timeout?K(String(r.timeout),`--timeout`):void 0,cwd:r.cwd,env:r.env?_a(r.env,`--env`,`env`):void 0});o.stop(),r.json?O(s):ns(s)}catch(e){R(e)}}),n.command(`detach <id-or-name> <lease-id>`).description(`Detach and destroy a GPU lease`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=C({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=E(r),a=N(`Detaching GPU lease...`);a.start();let o=await(await B(i,r,e)).gpu.detach(t);a.stop(),n.json?O(o):(k(`GPU lease detached: ${o.id}`),ts(o))}catch(e){R(e)}}),e.command(`network <id-or-name>`).description(`Update network configuration for a sandbox`).option(`--block-outbound`,`Block all outbound network traffic`).option(`--allow-list <cidrs>`,`CIDR allowlist for outbound traffic (comma-separated)`).option(`--clear`,`Clear all network restrictions (allow all traffic)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=C({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=E(n),i=N(`Updating network configuration...`);i.start();let a=await B(r,n,e);if(t.clear)await a.network.update({blockOutbound:!1,allowList:[]});else if(t.blockOutbound)await a.network.update({blockOutbound:!0});else if(t.allowList){let e=t.allowList.split(`,`).map(e=>e.trim());await a.network.update({allowList:e})}else{i.stop();let e=await a.network.getConfig();t.json?O(e):(M(`Network Configuration:`),e.blockOutbound?M(` Block Outbound: true (all outbound traffic blocked)`):e.allowList&&e.allowList.length>0?M(` Allow List: ${e.allowList.join(`, `)}`):M(` No restrictions (all traffic allowed)`),e.ports&&e.ports.length>0&&M(` Exposed Ports: ${e.ports.join(`, `)}`));return}i.stop();let o=await a.network.getConfig();t.json?O(o):(k(`Network configuration updated.`),o.blockOutbound?M(` Block Outbound: true`):o.allowList&&o.allowList.length>0?M(` Allow List: ${o.allowList.join(`, `)}`):M(` All traffic allowed`))}catch(e){R(e)}}),e.command(`expose <id-or-name>`).description(`Expose a port and get a public URL`).option(`-p, --port <port>`,`Port to expose`,`8000`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=C({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=E(n),i=Number.parseInt(t.port,10);if(Number.isNaN(i)||i<1||i>65535)throw Error(`Port must be a number between 1 and 65535`);let a=N(`Exposing port ${i}...`);a.start();let o=await(await B(r,n,e)).network.exposePort(i);a.stop(),t.json?O({port:i,url:o}):(k(`Port ${i} exposed.`),M(` URL: ${o}`))}catch(e){R(e)}}),e.command(`urls <id-or-name>`).description(`List exposed port URLs for a sandbox`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=C({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=E(n),i=N(`Fetching exposed URLs...`);i.start();let a=await(await B(r,n,e)).network.listUrls();if(i.stop(),t.json)O(a);else{let e=Object.entries(a);if(e.length===0)M(`No ports exposed.`);else{M(`Exposed Ports:`);for(let[t,n]of e)M(` ${t}: ${n}`)}}}catch(e){R(e)}}),e}function Uo(e){return!e||e.authToken===void 0?e:{...e,authToken:`[REDACTED]`}}function Wo(e){let t={};for(let n of e){let[e,...r]=n.split(`=`);if(!e||r.length===0)throw Error(`--metadata expects values in KEY=VALUE or KEY=JSON format`);t[e]=Go(r.join(`=`))}return t}function Go(e){try{return JSON.parse(e)}catch{return e}}function Ko(e,t){return e.map(e=>{let n=Number.parseInt(e,10);if(Number.isNaN(n)||n<1||n>65535)throw Error(`${t} values must be integers between 1 and 65535`);return n})}function qo(e,t){if(!(!e.gitUrl&&!e.gitRef&&!e.gitDepth&&!e.gitSparse&&!t)){if(!e.gitUrl||typeof e.gitUrl!=`string`)throw Error(`--git-url is required when using git provisioning options`);return{url:e.gitUrl,ref:typeof e.gitRef==`string`?e.gitRef:void 0,depth:typeof e.gitDepth==`string`?K(e.gitDepth,`--git-depth`):void 0,sparse:Array.isArray(e.gitSparse)?e.gitSparse:void 0,auth:t?{token:t}:void 0}}}function Jo(e,t){if(!(!e.storageType&&!e.storageBucket&&!e.storageEndpoint&&!e.storageRegion&&!e.storagePrefix&&!e.storageAccessKeyId&&!t)){if(typeof e.storageType!=`string`||typeof e.storageBucket!=`string`||typeof e.storageAccessKeyId!=`string`||!t)throw Error(`Storage config requires --storage-type, --storage-bucket, --storage-access-key-id, and one of --storage-secret-access-key-env / --storage-secret-access-key-stdin`);return{type:es(e.storageType),bucket:e.storageBucket,endpoint:typeof e.storageEndpoint==`string`?e.storageEndpoint:void 0,region:typeof e.storageRegion==`string`?e.storageRegion:void 0,prefix:typeof e.storagePrefix==`string`?e.storagePrefix:void 0,credentials:{accessKeyId:e.storageAccessKeyId,secretAccessKey:t}}}}function Yo(e){let t=Array.isArray(e.initialUser)?e.initialUser.map(Qo):void 0,n=typeof e.defaultRole==`string`?$o(e.defaultRole):void 0,r=e.multiUser?!0:void 0;if(!(!n&&!t&&!r))return{defaultRole:n,initialUsers:t,multiUser:r}}async function Xo(e){if(e.explicitTeam&&e.personal)throw Error(`--team and --personal cannot be used together`);if(!e.personal)return e.explicitTeam?(await Fo(e.client,e.explicitTeam)).id:e.activeTeamId}async function Zo(e){if([!!e.explicitTeam,!!e.personal,!!e.allScopes].filter(Boolean).length>1)throw Error(`--team, --personal, and --all-scopes are mutually exclusive`);if(e.allScopes)return`all`;if(e.personal)return`personal`;if(e.explicitTeam)return`team:${(await Fo(e.client,e.explicitTeam)).id}`;if(e.activeTeamId)return`team:${e.activeTeamId}`}function Qo(e){let[t,n]=e.split(`:`);if(!t)throw Error(`--initial-user expects USER_ID or USER_ID:ROLE`);return{userId:t,role:n?$o(n):void 0}}function $o(e){if(e===`owner`||e===`admin`||e===`developer`||e===`viewer`)return e;throw Error(`--default-role and --initial-user roles must be one of owner, admin, developer, viewer`)}function es(e){if(e===`s3`||e===`gcs`||e===`r2`)return e;throw Error(`--storage-type must be one of s3, gcs, or r2`)}function ts(e){M(` Status: ${e.status}`),M(` Provider: ${e.provider}`),M(` GPU: ${e.accelerator.kind} x ${e.accelerator.count}`),e.customerPricePerHourUsd!==void 0&&M(` Customer price: $${e.customerPricePerHourUsd}/hr`),e.estimatedCustomerCostUsd!==void 0&&M(` Max estimate: $${e.estimatedCustomerCostUsd}`),e.billing&&(M(` Billed seconds: ${e.billing.seconds}`),M(` Customer cost: $${e.billing.customerCostUsd}`))}function ns(e){e.result.stdout&&process.stdout.write(e.result.stdout),e.result.stderr&&process.stderr.write(e.result.stderr),M(`Exit code: ${e.result.exitCode}`)}function rs(){return new t(`search`).description(`Search for text patterns in sandbox files (ripgrep)`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`<pattern>`,`Search pattern (regex)`).option(`-g, --glob <pattern>`,`File glob filter (e.g. '**/*.ts')`).option(`-n, --max-results <count>`,`Max results to return`).option(`-i, --ignore-case`,`Case-insensitive search`).option(`--json`,`Output as JSON lines`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=C({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=E(r),a=N(`Searching...`);n.json||a.start();let o=await B(i,r,e),s=0,c=n.maxResults?Number.parseInt(n.maxResults,10):void 0,l={};n.glob&&(l.glob=n.glob),n.ignoreCase&&(l.ignoreCase=!0),c&&(l.maxResults=c);for await(let e of o.search(t,l))if(s===0&&a.stop(),s++,n.json?console.log(JSON.stringify(e)):console.log(`${e.path}:${e.line}:${e.column??0}: ${e.text}`),c&&s>=c)break;a.stop(),s===0&&!n.json&&console.log(`No matches found`)}catch(e){R(e)}})}function is(){let e=new t(`secret`).description(`Manage secrets`);return e.command(`create`).description(`Create a new secret`).argument(`<name>`,`Secret name (e.g., HF_TOKEN, AWS_ACCESS_KEY)`).argument(`[value]`,`Secret value`).option(`--value-stdin`,`Read secret value from stdin`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=E(C({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=await as({value:t,valueStdin:n.valueStdin,prompt:`Enter value for secret '${e}': `}),a=N(`Creating secret...`);a.start();let o=await r.secrets.create(e,i);a.stop(),n.json?O({name:o.name,createdAt:o.createdAt.toISOString(),updatedAt:o.updatedAt.toISOString()}):(k(`Secret created: ${o.name}`),M(`Use --secrets ${o.name} when creating a sandbox to inject it as an environment variable.`))}catch(e){R(e)}}),e.command(`list`).description(`List all secrets`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=E(C({apiKey:e.apiKey,baseUrl:e.baseUrl})),n=N(`Fetching secrets...`);n.start();let r=await t.secrets.list();n.stop(),e.json?O(r.map(e=>({name:e.name,createdAt:e.createdAt.toISOString(),updatedAt:e.updatedAt.toISOString()}))):r.length===0?(M(`No secrets found.`),M(`Use 'tangle secret create <name> [value]' to create one.`)):L([`Name`,`Created At`,`Updated At`],r.map(e=>[e.name,e.createdAt.toLocaleString(),e.updatedAt.toLocaleString()]))}catch(e){R(e)}}),e.command(`show`).description(`Show a secret value (requires --reveal to print plaintext)`).argument(`<name>`,`Secret name`).option(`--reveal`,`Print the plaintext secret value to stdout. Without this flag the command exits with a redaction notice.`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{if(!t.reveal){process.stderr.write(`Refusing to print secret '${e}' as plaintext. Re-run with --reveal to confirm and write the value to stdout.
147
147
  `),process.exitCode=1;return}let n=E(C({apiKey:t.apiKey,baseUrl:t.baseUrl})),r=N(`Fetching secret...`);r.start();let i=await n.secrets.get(e);r.stop(),process.stderr.write(`WARNING: secret '${e}' is being printed in plaintext. Avoid storing this output in shell history, screenshots, or logs.
148
- `),t.json?O({name:e,value:i}):console.log(i)}catch(e){R(e)}}),e.command(`update`).description(`Update a secret value`).argument(`<name>`,`Secret name`).argument(`[value]`,`New secret value`).option(`--value-stdin`,`Read secret value from stdin`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=E(C({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=await as({value:t,valueStdin:n.valueStdin,prompt:`Enter new value for secret '${e}': `}),a=N(`Updating secret...`);a.start();let o=await r.secrets.update(e,i);a.stop(),n.json?O({name:o.name,createdAt:o.createdAt.toISOString(),updatedAt:o.updatedAt.toISOString()}):k(`Secret updated: ${o.name}`)}catch(e){R(e)}}),e.command(`delete`).description(`Delete a secret`).argument(`<name>`,`Secret name`).option(`--force`,`Skip confirmation prompt`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=E(C({apiKey:t.apiKey,baseUrl:t.baseUrl}));if(!t.force&&!await H(`Are you sure you want to delete secret '${e}'? This cannot be undone. (y/N) `)){M(`Cancelled.`);return}let r=N(`Deleting secret...`);r.start(),await n.secrets.delete(e),r.stop(),t.json?O({success:!0,deleted:e}):k(`Secret deleted: ${e}`)}catch(e){R(e)}}),e}async function as(e){if(e.value!==void 0&&e.valueStdin)throw Error(`Provide either a secret value argument or --value-stdin, not both`);if(e.value!==void 0){if(e.value.length===0)throw Error(`Secret value cannot be empty`);return e.value}if(e.valueStdin){let e=await kn();if(e.length===0)throw Error(`Secret value from stdin cannot be empty`);return e}let t=await On(e.prompt);if(t.length===0)throw Error(`Secret value cannot be empty`);return t}function os(){let e=new t(`skill`).description(`Print paths to shipped skill documentation`);return e.command(`path`).description(`Print the absolute path to the SKILL.md shipped with this CLI`).action(()=>{let e=p.dirname(Ae(import.meta.url)),t=p.resolve(e,`..`,`SKILL.md`);console.log(t)}),e}function ss(){let e=new t(`snapshot`).description(`Manage snapshots`);return e.command(`create <sandbox-id-or-name>`).description(`Create a snapshot of a sandbox`).option(`--tags <tags...>`,`Tags for the snapshot`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=C({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=E(n),i=N(`Creating snapshot...`);i.start();let a=await(await B(r,n,e)).snapshot({tags:t.tags});i.stop(),t.json?O(a):(k(`Snapshot created: ${a.snapshotId}`),console.log(`Size: ${cs(a.sizeBytes??0)}`))}catch(e){R(e)}}),e.command(`list <sandbox-id-or-name>`).description(`List snapshots for a sandbox`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=C({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=E(n),i=N(`Fetching snapshots...`);i.start();let a=await(await B(r,n,e)).listSnapshots();i.stop(),t.json?O(a):D(a.map(e=>({...e,size:cs(e.sizeBytes??0)})),[{key:`snapshotId`,header:`ID`,width:24},{key:`createdAt`,header:`Created`,width:16},{key:`size`,header:`Size`,width:12},{key:`sandboxId`,header:`Sandbox`,width:20}])}catch(e){R(e)}}),e.command(`restore <sandbox-id> <snapshot-id>`).description(`Create a new sandbox from a snapshot`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=E(C({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=N(`Restoring from snapshot...`);i.start();let a=await r.create({fromSnapshot:t,fromSandboxId:e});await a.waitFor(`running`,{timeoutMs:12e4}),i.stop(),n.json?O({sandboxId:a.id,restoredFrom:t,status:a.status}):(k(`New sandbox created: ${a.id}`),console.log(`Source snapshot: ${t}`))}catch(e){R(e)}}),e.command(`revert <sandbox-id-or-name> <snapshot-id>`).description(`Revert an existing sandbox to a snapshot`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=C({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=E(r),a=N(`Reverting sandbox to snapshot...`);a.start();let o=await B(i,r,e),s=await o.revertToSnapshot(t);await o.refresh(),a.stop(),n.json?O({sandboxId:o.id,snapshotId:s.snapshotId,status:o.status}):(k(`Sandbox reverted: ${o.id}`),console.log(`Source snapshot: ${s.snapshotId}`))}catch(e){R(e)}}),e.command(`delete <sandbox-id-or-name> <snapshot-id>`).description(`Delete a sandbox snapshot`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=C({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=E(r),a=N(`Deleting snapshot...`);a.start(),await(await B(i,r,e)).deleteSnapshot(t),a.stop(),n.json?O({success:!0,sandboxId:e,snapshotId:t}):k(`Snapshot deleted: ${t}`)}catch(e){R(e)}}),e}function cs(e){if(e===0)return`0 B`;let t=1024,n=[`B`,`KB`,`MB`,`GB`,`TB`],r=Math.floor(Math.log(e)/Math.log(t));return`${Number.parseFloat((e/t**r).toFixed(1))} ${n[r]}`}function ls(e,t){return`tangle ssh-proxy ${e.replace(/\/+$/,``)}/v1/sidecar-proxy/${t}/ssh`}function us(e){return/^[A-Za-z0-9_/:=@%+.,-]+$/.test(e)?e:`'${e.replace(/'/g,`'"'"'`)}'`}function ds(e){return`'${e.replace(/'/g,`''`)}'`}function fs(e){return e===`win32`?`NUL`:`/dev/null`}function ps(e,t){return t===`win32`?`$env:TANGLE_SSH_PROXY_AUTH_TOKEN=${ds(`<token>`)}; ssh ${e.map(ds).join(` `)}`:`TANGLE_SSH_PROXY_AUTH_TOKEN=${us(`<token>`)} ssh ${e.map(us).join(` `)}`}function ms(e){return e.connection!==void 0&&!e.connection.ssh}function hs(){A(`SSH is not enabled for this sandbox.`),M(`Create a sandbox with --ssh to enable SSH access.`),process.exit(1)}function gs(e,t=[],n=process.platform){let r=fs(n);return[`-o`,`ProxyCommand=${e.proxyCommand}`,`-o`,`StrictHostKeyChecking=no`,`-o`,`UserKnownHostsFile=${r}`,`-o`,`GlobalKnownHostsFile=${r}`,`-o`,`LogLevel=ERROR`,`-o`,`ServerAliveInterval=15`,`-o`,`ServerAliveCountMax=4`,`-o`,`TCPKeepAlive=yes`,`${e.username}@localhost`,`-p`,String(e.port),...t]}function _s(){return new t(`ssh`).description(`Open SSH session to a sandbox`).argument(`<ref>`,`Sandbox ID or name`).argument(`[sshArgs...]`,`Extra args passed through to ssh`).option(`-i, --identity-file <path>`,`Private key file to pass to ssh`).option(`--print`,`Print SSH command instead of connecting`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).allowUnknownOption(!0).action(async(e,t,n)=>{try{let r=C({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=E(r),a=N(`Getting SSH credentials...`);a.start();let o=await B(i,r,e);if(ms(o)){a.stop(),hs();return}o=await V(o);let s=await o.ssh();if(a.stop(),!s){hs();return}let c={...s,proxyCommand:ls(r.baseUrl,o.id)};if(!r.apiKey)throw Error(`SSH proxy requires API key auth. Set TANGLE_API_KEY or pass --api-key.`);let l=gs(c,[...n.identityFile?[`-i`,n.identityFile,`-o`,`IdentitiesOnly=yes`]:[],...t]);if(n.print){console.log(ps(l,process.platform));return}M(`Connecting via tunnel...`);let u=_e(`ssh`,l,{stdio:`inherit`,env:{...process.env,TANGLE_SSH_PROXY_AUTH_TOKEN:r.apiKey}});u.on(`error`,e=>{e.code===`ENOENT`&&(A(`SSH client not found. Please install OpenSSH.`),process.exit(1)),R(e)}),u.on(`exit`,e=>{process.exit(e??0)})}catch(e){R(e)}})}function vs(){let e=new t(`ssh-keys`).description(`Manage SSH keys`);return e.command(`list`).description(`List SSH keys`).option(`--json`,`Output as JSON`).action(async e=>{let t=N(`Fetching SSH keys...`);try{t.start();let n=await E(C(e)).sshKeys.list();t.stop(),e.json?O({sshKeys:n}):n.length===0?M(`No SSH keys found.`):L([`Name`,`Type`,`Fingerprint`,`Created`],n.map(e=>[e.name,e.keyType,e.fingerprint,e.createdAt.toLocaleString()]))}catch(e){t.stop(),R(e)}}),e.command(`add`).description(`Add SSH key`).argument(`<name>`,`SSH key name`).requiredOption(`--key-file <path>`,`Public key file path`).option(`--json`,`Output as JSON`).action(async(e,t)=>{let n=N(`Adding SSH key...`);try{let r=u(t.keyFile,`utf8`).trim();n.start();let i=await E(C(t)).sshKeys.create(e,r);n.stop(),t.json?O({sshKey:i}):k(`Added SSH key ${i.name} (${i.fingerprint})`)}catch(e){n.stop(),R(e)}}),e.command(`delete`).description(`Delete SSH key`).argument(`<name>`,`SSH key name or ID`).action(async(e,t)=>{let n=N(`Deleting SSH key...`);try{n.start(),await E(C(t)).sshKeys.delete(e),n.stop(),k(`Deleted SSH key ${e}`)}catch(e){n.stop(),R(e)}}),e}function ys(e,t=1){process.stderr.write(`${e}\n`),process.exit(t)}function bs(){return new t(`ssh-proxy`).description(`SSH proxy helper — pipes stdin/stdout to WebSocket`).argument(`<sidecar-url>`,`Sidecar WebSocket URL`).action(async e=>{let t=process.env.TANGLE_SSH_PROXY_AUTH_TOKEN;t||ys(`TANGLE_SSH_PROXY_AUTH_TOKEN not set`);let n=new je(new URL(e.replace(/^http/,`ws`)),{headers:{Authorization:`Bearer ${t}`},perMessageDeflate:!1}),r;function i(){r&&=(clearInterval(r),void 0)}n.on(`open`,()=>{r=setInterval(()=>{n.readyState===je.OPEN&&n.ping()},15e3),r.unref?.(),process.stdin.on(`data`,e=>{n.readyState===je.OPEN&&n.send(e,{binary:!0,compress:!1})}),process.stdin.on(`end`,()=>n.close(1e3))}),n.on(`message`,e=>{let t=Buffer.isBuffer(e)?e:Array.isArray(e)?Buffer.concat(e):Buffer.from(e);process.stdout.write(t)}),n.on(`error`,e=>{i(),ys(`WebSocket error: ${e.message}`)}),n.on(`close`,e=>{i(),process.exit(e===1e3?0:1)}),process.stdin.on(`error`,()=>n.close())})}const xs=[`claude-code`,`opencode`,`codex`,`kimi-code`],Ss=[`session`,`project`,`read-only`],Cs={min:1,max:15},ws=process.env.TANGLE_ROUTER_URL??`https://router.tangle.tools/v1`;function Ts(e){let t=e.harness??`claude-code`;if(!xs.includes(t))throw Error(`Unknown --harness '${t}'. Supported: ${xs.join(`, `)}.`);let n=e.tokenScope??`session`;if(!Ss.includes(n))throw Error(`Unknown --token-scope '${n}'. Supported: ${Ss.join(`, `)}.`);let r=Es(e.maxTokens,2e5,`--max-tokens`),i=Es(e.maxIterations,50,`--max-iterations`),a=Es(e.tokenTtl,10,`--token-ttl`);if(a<Cs.min||a>Cs.max)throw Error(`--token-ttl ${a} out of range; the SDK clamps to [${Cs.min}, ${Cs.max}] minutes.`);let o=e.maxWorkers===void 0?void 0:Es(e.maxWorkers,0,`--max-workers`);return{harness:t,...e.model?{model:e.model}:{},maxTokens:r,maxIterations:i,tokenScope:n,tokenTtl:a,...o===void 0?{}:{maxWorkers:o}}}function Es(e,t,n){if(e===void 0)return t;let r=Number.parseInt(e,10);if(!Number.isFinite(r)||r<=0)throw Error(`${n} must be a positive integer, got '${e}'.`);return r}function Ds(e){let t={maxTokens:e.maxTokens,maxIterations:e.maxIterations};return e.maxWorkers===void 0?{budget:t}:{budget:t,perWorker:{maxTokens:Math.max(1,Math.floor(e.maxTokens/e.maxWorkers)),maxIterations:Math.max(1,Math.floor(e.maxIterations/e.maxWorkers))}}}function Os(e){let{client:t,scope:n,ttlMinutes:r,onScope:a}=e,o={async create(o){let s=await t.create(ks(o)),c={scope:n,ttlMinutes:r,...n===`session`?{sessionId:e.sessionIdFor?.(s)??`supervise-${i()}`}:{}},l=await s.mintScopedToken(c);return a({id:s.id,scope:l.scope,expiresAt:l.expiresAt,status:`spawned`}),s}};return typeof t.criuStatus==`function`&&(o.criuStatus=t.criuStatus.bind(t)),o}function ks(e){if(!e?.env)return e;let{TANGLE_API_KEY:t,SANDBOX_API_KEY:n,...r}=e.env;return{...e,env:r}}function As(e){if(e.kind===`no-winner`)return{text:``,tokenUsage:{input:0,output:0},costUsd:0,status:`no-winner (${e.reason})`};let t=e.out;return{text:typeof t==`string`?t:js(t)?t.content:JSON.stringify(t),tokenUsage:{input:e.spentTotal.tokens.input,output:e.spentTotal.tokens.output},costUsd:e.spentTotal.usd,status:`winner`}}function js(e){return typeof e==`object`&&!!e&&typeof e.content==`string`}const Ms={makeClient:e=>E(C({apiKey:e.apiKey,baseUrl:e.baseUrl})),resolveRouter:e=>({routerBaseUrl:ws,routerKey:C({apiKey:e.apiKey}).apiKey,model:e.model}),supervise:Me};async function Ns(e,t,n,r=Ms){let a=r.makeClient({apiKey:n.apiKey,baseUrl:n.baseUrl}),{budget:o,perWorker:s}=Ds(t),c=[],l=Os({client:a,scope:t.tokenScope,ttlMinutes:t.tokenTtl,onScope:e=>{if(c.push(e),!n.json){let n=`ttl ${t.tokenTtl}m`;M(`worker ${e.id} [${e.scope} token ${n}] spawned`)}}}),u=Ne({backend:`sandbox`,harness:t.harness,sandboxClient:l,maxIterations:1}),d={name:`supervisor`,...t.model?{model:t.model}:{}},f=r.resolveRouter({apiKey:n.apiKey,model:t.model??`deepseek-v4-flash`}),p=As(await r.supervise(d,{goal:e},{budget:o,makeWorkerAgent:u,router:f,...s?{perWorker:s}:{},...t.model?{allowedModels:[t.model]}:{},runId:`supervise-${i()}`})),ee=p.status===`winner`?`settled`:`failed`;for(let e of c)e.status=ee,n.json||M(`worker ${e.id} [${e.scope} token ttl ${t.tokenTtl}m] settled (${e.status})`);return{task:e,result:p.text,workers:c,tokenUsage:p.tokenUsage,costUsd:p.costUsd,status:p.status}}function Ps(){let e=new t(`supervise`);return e.description(`Run a budget-conserving supervisor that spawns isolated sandbox workers to deliver a task. Each worker box mints a short-lived scoped token instead of receiving the root API key.`).argument(`<task>`,`What the supervisor should accomplish`).option(`--harness <name>`,`Worker harness (${xs.join(` | `)})`,`claude-code`).option(`--model <id>`,`Model for the supervisor + workers`).option(`--max-tokens <n>`,`Conserved token budget for the whole run`,`200000`).option(`--max-iterations <n>`,`Conserved iteration budget for the whole run`,`50`).option(`--token-scope <scope>`,`Per-worker token scope (${Ss.join(` | `)})`,`session`).option(`--token-ttl <min>`,`Per-worker token TTL in minutes (SDK clamps to [1, 15])`,`10`).option(`--max-workers <n>`,`Bound the fanout; each worker reserves floor(max-tokens / n) tokens and floor(max-iterations / n) iterations`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=Ts({harness:t.harness,model:t.model,maxTokens:t.maxTokens,maxIterations:t.maxIterations,tokenScope:t.tokenScope,tokenTtl:t.tokenTtl,maxWorkers:t.maxWorkers});t.json||(M(`Supervising: ${e}`),M(`harness=${n.harness} budget=${n.maxTokens}tok/${n.maxIterations}it scope=${n.tokenScope} ttl=${n.tokenTtl}m`),console.log());let r=await Ns(e,n,{apiKey:t.apiKey,baseUrl:t.baseUrl,json:t.json});if(t.json){O(r),r.status!==`winner`&&(process.exitCode=1);return}if(console.log(),r.status!==`winner`)throw Error(`Supervisor finished without a winner: ${r.status}`);console.log(r.result),console.log(),P({"Input Tokens":r.tokenUsage.input,"Output Tokens":r.tokenUsage.output,Cost:`$${r.costUsd.toFixed(4)}`})}catch(e){R(e,t.json)}}),e}function Fs(){let e=new t(`team`).description(`Manage teams`);return e.command(`list`).description(`List teams for the current account`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async e=>{try{let t=C(e),n=E(t),r=e.json?null:N(`Fetching teams...`);r?.start();let i=await n.teams.list();if(r?.stop(),e.json){O({teams:i,activeTeamId:t.activeTeamId??null});return}D(i.map(e=>({active:e.id===t.activeTeamId,id:e.id,name:e.name,role:e.currentUserRole,members:e.memberCount})),[{key:`active`,header:`Active`,width:8},{key:`id`,header:`ID`,width:38},{key:`name`,header:`Name`,width:24},{key:`role`,header:`Role`,width:10},{key:`members`,header:`Members`,width:10}])}catch(e){R(e)}}),e.command(`create <name>`).description(`Create a team`).option(`--org-id <id>`,`External organization id`).option(`--no-switch`,`Do not set the new team as active`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=C(t),r=E(n),i=t.json?null:N(`Creating team...`);i?.start();let a=await r.teams.create({name:e,orgId:t.orgId});if(t.switch&&Io(a,n.profile),i?.stop(),t.json){O({team:a,active:!!t.switch});return}k(`Team created: ${Po(a)}`),t.switch&&k(`Active team set to ${a.name}`)}catch(e){R(e)}}),e.command(`switch <team>`).description(`Set the active team for the current profile`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=C(t),r=await Fo(E(n),e);if(Io(r,n.profile),t.json){O({team:r,activeTeamId:r.id});return}k(`Active team set to ${Po(r)}`)}catch(e){R(e)}}),e.command(`current`).description(`Show the active team for the current profile`).option(`--json`,`Output as JSON`).option(`--profile <profile>`,`Credential profile`).action(e=>{try{let t=Ft(e.profile);if(e.json){O(t.activeTeamId?t:{activeTeamId:null});return}if(!t.activeTeamId){console.log(`No active team.`);return}P({ID:t.activeTeamId,Name:t.activeTeamName})}catch(e){R(e)}}),e.command(`clear`).description(`Clear the active team for the current profile`).option(`--json`,`Output as JSON`).option(`--profile <profile>`,`Credential profile`).action(e=>{try{if(Lo(e.profile),e.json){O({activeTeamId:null});return}k(`Active team cleared.`)}catch(e){R(e)}}),e.command(`members [team]`).description(`List team members`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=C(t),r=E(n),i=await X(r,e,n.profile),a=await r.teams.listMembers(i.id);if(t.json){O({team:i,members:a});return}D(a.map(e=>({id:e.id,email:e.customerEmail,role:e.role,status:e.status,joinedAt:e.joinedAt})),[{key:`id`,header:`ID`,width:36},{key:`email`,header:`Email`,width:28},{key:`role`,header:`Role`,width:10},{key:`status`,header:`Status`,width:10},{key:`joinedAt`,header:`Joined`,width:16}])}catch(e){R(e)}}),e.command(`update-member <member-id>`).description(`Update a team member role`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).requiredOption(`--role <role>`,`Role: admin, member, viewer`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=C(t),r=E(n),i=await X(r,t.team,n.profile),a=Is(t.role),o=await r.teams.updateMember(i.id,e,{role:a});if(t.json){O({team:i,member:o});return}k(`Member updated: ${o.customerEmail}`),P({Team:i.name,Role:o.role,Status:o.status})}catch(e){R(e)}}),e.command(`invite <email>`).description(`Invite a user to a team`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).option(`--role <role>`,`Role: admin, member, viewer`,`member`).option(`--ttl-hours <hours>`,`Invitation lifetime in hours`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=C(t),r=E(n),i=await X(r,t.team,n.profile),a=Is(t.role),o=await r.teams.invite(i.id,{email:e,role:a,ttlHours:t.ttlHours?Number.parseInt(t.ttlHours,10):void 0});if(t.json){O({team:i,invitation:o});return}k(`Invitation created for ${o.email}`),P({Team:i.name,Role:o.role,Expires:o.expiresAt,"Invitation ID":o.id}),k(`Re-run with --json to retrieve the invitation token for sharing.`)}catch(e){R(e)}}),e.command(`leave [team]`).description(`Leave a team as the current user`).option(`--force`,`Skip confirmation prompt`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=C(t),r=E(n),i=await X(r,e,n.profile);if(!t.force&&!t.json&&!await H(`Leave team '${i.name}'? (y/N) `))return;if(await r.teams.leave(i.id),n.activeTeamId===i.id&&Lo(n.profile),t.json){O({success:!0,teamId:i.id});return}k(`Left team: ${i.name}`)}catch(e){R(e)}}),e.command(`transfer <new-owner-customer-id> [team]`).description(`Transfer team ownership to another active member`).option(`--force`,`Skip confirmation prompt`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t,n)=>{try{let r=C(n),i=E(r),a=await X(i,t,r.profile);if(!n.force&&!n.json&&!await H(`Transfer ownership of '${a.name}' to ${e}? This cannot be undone without the new owner's cooperation. (y/N) `))return;if(await i.teams.transferOwnership(a.id,e),n.json){O({success:!0,teamId:a.id,newOwnerCustomerId:e});return}k(`Ownership transferred for ${a.name}`)}catch(e){R(e)}}),e.addCommand(Ls()),e.addCommand(Rs()),e.command(`invitations [team]`).description(`List pending and historical team invitations`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=C(t),r=E(n),i=await X(r,e,n.profile),a=await r.teams.listInvitations(i.id);if(t.json){O({team:i,invitations:a});return}D(a.map(e=>({id:e.id,email:e.email,role:e.role,status:e.status,expiresAt:e.expiresAt})),[{key:`id`,header:`ID`,width:38},{key:`email`,header:`Email`,width:28},{key:`role`,header:`Role`,width:10},{key:`status`,header:`Status`,width:12},{key:`expiresAt`,header:`Expires`,width:16}])}catch(e){R(e)}}),e.command(`accept <token>`).description(`Accept a team invitation`).option(`--no-switch`,`Do not set the accepted team as active`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=C(t),r=E(n),i=await r.teams.acceptInvitation(e),a=t.switch===!1?null:await r.teams.get(i.teamId);if(a&&Io(a,n.profile),t.json){O({member:i,activeTeamId:a?.id??null});return}k(`Invitation accepted for team ${i.teamId}`),a&&k(`Active team set to ${a.name}`)}catch(e){R(e)}}),e.command(`revoke-invitation <invitation-id>`).description(`Revoke a pending team invitation`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{if(await E(C(t)).teams.revokeInvitation(e),t.json){O({success:!0,invitationId:e});return}k(`Invitation revoked: ${e}`)}catch(e){R(e)}}),e.command(`remove-member <member-id>`).description(`Remove a member from a team`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=C(t),r=E(n),i=await X(r,t.team,n.profile);if(await r.teams.removeMember(i.id,e),t.json){O({success:!0,teamId:i.id,memberId:e});return}k(`Member removed: ${e}`)}catch(e){R(e)}}),e}function Is(e){if(e===`admin`||e===`member`||e===`viewer`)return e;throw Error(`Role must be one of: admin, member, viewer`)}function Ls(){let e=new t(`secret`).description(`Manage team secrets`);return e.command(`list [team]`).description(`List team secret names`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=C(t),r=E(n),i=await X(r,e,n.profile),a=await r.teams.listSecrets(i.id);if(t.json){O({team:i,secrets:a});return}D(a.map(e=>({name:e.name,updatedAt:e.updatedAt,updatedBy:e.updatedBy})),[{key:`name`,header:`Name`,width:28},{key:`updatedAt`,header:`Updated`,width:24},{key:`updatedBy`,header:`Updated By`,width:28}])}catch(e){R(e)}}),e.command(`set <name> [value]`).description(`Create or replace a team secret`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).option(`--value-stdin`,`Read secret value from stdin`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t,n)=>{try{let r=C(n),i=E(r),a=await X(i,n.team,r.profile),o=await zs({value:t,valueStdin:n.valueStdin,prompt:`Enter value for team secret '${e}': `}),s=await i.teams.upsertSecret(a.id,e,o);if(n.json){O({team:a,secret:s});return}k(`Team secret saved: ${s.name}`)}catch(e){R(e)}}),e.command(`delete <name>`).description(`Delete a team secret`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).option(`--force`,`Skip confirmation prompt`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=C(t),r=E(n),i=await X(r,t.team,n.profile);if(!t.force&&!t.json&&!await H(`Delete team secret '${e}' from '${i.name}'? (y/N) `))return;if(await r.teams.deleteSecret(i.id,e),t.json){O({success:!0,teamId:i.id,name:e});return}k(`Team secret deleted: ${e}`)}catch(e){R(e)}}),e.command(`reveal <name>`).description(`Reveal a team secret value`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=C(t),r=E(n),i=await X(r,t.team,n.profile),a=await r.teams.revealSecret(i.id,e);if(t.json){O({teamId:i.id,...a});return}console.log(a.value)}catch(e){R(e)}}),e}function Rs(){let e=new t(`templates`).description(`Manage team golden-path templates`);return e.command(`list [team]`).description(`List a team's golden-path templates`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=C(t),r=E(n),i=await X(r,e,n.profile),a=await r.teams.listTemplates(i.id);if(t.json){O({team:i,templates:a});return}if(a.length===0){console.log(`No templates yet for ${i.name}.`);return}D(a.map(e=>({id:e.id,name:e.name,environment:e.environment,snapshot:`${e.snapshotId.slice(0,12)}…`,updated:e.updatedAt})),[{key:`id`,header:`ID`,width:38},{key:`name`,header:`Name`,width:28},{key:`environment`,header:`Env`,width:14},{key:`snapshot`,header:`Snapshot`,width:16},{key:`updated`,header:`Updated`,width:24}])}catch(e){R(e)}}),e.command(`create <name> <snapshot-id>`).description(`Create a golden-path template from a snapshot`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).option(`-d, --description <description>`,`Human-readable description shown in the dashboard`).option(`-e, --environment <environment>`,`Default environment to apply (defaults to 'universal')`).option(`--config <json>`,`Optional JSON config object merged into sandboxes created from this template`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t,n)=>{try{let r=C(n),i=E(r),a=await X(i,n.team,r.profile),o;if(n.config)try{let e=JSON.parse(n.config);if(typeof e!=`object`||!e||Array.isArray(e))throw Error(`--config must be a JSON object`);o=e}catch(e){throw Error(`--config is not valid JSON: ${e instanceof Error?e.message:String(e)}`)}let s=await i.teams.createTemplate(a.id,{name:e,snapshotId:t,description:n.description,environment:n.environment,config:o});if(n.json){O({team:a,template:s});return}k(`Team template created: ${s.name} (${s.id})`)}catch(e){R(e)}}),e.command(`delete <template-id>`).description(`Delete a team golden-path template`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).option(`--force`,`Skip confirmation prompt`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=C(t),r=E(n),i=await X(r,t.team,n.profile);if(!t.force&&!t.json&&!await H(`Delete template '${e}' from '${i.name}'? (y/N) `))return;if(await r.teams.deleteTemplate(i.id,e),t.json){O({success:!0,teamId:i.id,templateId:e});return}k(`Team template deleted: ${e}`)}catch(e){R(e)}}),e}async function zs(e){if(e.value!==void 0&&e.valueStdin)throw Error(`Provide either a secret value argument or --value-stdin, not both`);if(e.value!==void 0){if(e.value.length===0)throw Error(`Secret value cannot be empty`);return e.value}if(e.valueStdin){let e=await kn();if(e.length===0)throw Error(`Secret value from stdin cannot be empty`);return e}let t=await On(e.prompt);if(t.length===0)throw Error(`Secret value cannot be empty`);return t}function Bs(){let e=new t(`template`).description(`Manage published public templates`);return e.command(`list`).option(`-q, --query <query>`,`Search query`).option(`--tag <tag>`,`Filter by tag`).option(`--featured`,`Show featured templates only`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=E(C(e)),n=e.featured?await t.publicTemplates.featured():await t.publicTemplates.list({query:e.query,tag:e.tag});if(e.json){O({templates:n});return}D(n.map(e=>({slug:e.slug,name:e.name,forks:e.forkCount,sandboxes:e.sandboxCount,updated:e.updatedAt})),[{key:`slug`,header:`Slug`,width:28},{key:`name`,header:`Name`,width:28},{key:`forks`,header:`Forks`,width:8},{key:`sandboxes`,header:`Sandboxes`,width:12},{key:`updated`,header:`Updated`,width:24}])}catch(e){R(e)}}),e.command(`get <id-or-slug>`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=await E(C(t)).publicTemplates.get(e);if(t.json){O({template:n});return}O(n)}catch(e){R(e)}}),e.command(`versions <id-or-slug>`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=await E(C(t)).publicTemplates.versions(e);if(t.json){O({versions:n});return}D(n.map(e=>({...e})),[{key:`id`,header:`Version ID`,width:38},{key:`versionNumber`,header:`Version`,width:8},{key:`snapshotId`,header:`Snapshot`,width:20},{key:`createdAt`,header:`Created`,width:24}])}catch(e){R(e)}}),e.command(`publish <name> <snapshot-id> <sandbox-id>`).option(`--slug <slug>`,`Stable public slug`).option(`-d, --description <description>`,`Template description`).option(`--readme <markdown>`,`README markdown`).option(`--tags <tags...>`,`Template tags`).option(`--release-notes <text>`,`Release notes`).option(`--team-id <id>`,`Publish under a team`).option(`--forked-from <id>`,`Fork source template id`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n,r)=>{try{let i=await E(C(r)).publicTemplates.publish({name:e,slug:r.slug,description:r.description,snapshotId:t,sourceSandboxId:n,readmeMarkdown:r.readme,tags:r.tags,releaseNotes:r.releaseNotes,teamId:r.teamId,forkedFromTemplateId:r.forkedFrom});if(r.json){O({template:i});return}k(`Published template: ${i.slug}`)}catch(e){R(e)}}),e.command(`publish-version <id-or-slug> <snapshot-id> <sandbox-id>`).option(`--readme <markdown>`,`README markdown`).option(`--tags <tags...>`,`Template tags`).option(`--release-notes <text>`,`Release notes`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n,r)=>{try{let i=await E(C(r)).publicTemplates.publishVersion(e,{snapshotId:t,sourceSandboxId:n,readmeMarkdown:r.readme,tags:r.tags,releaseNotes:r.releaseNotes});if(r.json){O({version:i});return}k(`Published template version: ${i.id}`)}catch(e){R(e)}}),e}function Vs(){let e=new t(`tools`).description(`Manage language runtimes and tools in a sandbox (via mise)`);return e.command(`list`).alias(`ls`).description(`List installed tools in a sandbox`).argument(`<id-or-name>`,`Sandbox ID or name`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=C({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=E(n),i=N(`Fetching tools...`);t.json||i.start();let a=await(await B(r,n,e)).tools.list();i.stop(),t.json?O(a):a.length===0?console.log(`No tools installed`):L([`Tool`,`Version`,`Active`],a.map(e=>[e.name,e.version,e.active?`yes`:`no`]))}catch(e){R(e)}}),e.command(`install`).description(`Install a tool version`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`<tool>`,`Tool name (e.g. node, python, go)`).argument(`<version>`,`Version to install (e.g. 20, 3.12, latest)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n,r)=>{try{let i=C({apiKey:r.apiKey,baseUrl:r.baseUrl}),a=E(i),o=N(`Installing ${t}@${n}...`);r.json||o.start(),await(await B(a,i,e)).tools.install(t,n),o.stop(),r.json?O({tool:t,version:n,installed:!0}):k(`Installed ${t}@${n}`)}catch(e){R(e)}}),e.command(`use`).description(`Activate a tool version for the current session`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`<tool>`,`Tool name`).argument(`<version>`,`Version to activate`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n,r)=>{try{let i=C({apiKey:r.apiKey,baseUrl:r.baseUrl});await(await B(E(i),i,e)).tools.use(t,n),k(`Activated ${t}@${n}`)}catch(e){R(e)}}),e.command(`run`).description(`Run a command with a specific tool`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`<tool>`,`Tool name`).argument(`<args...>`,`Command arguments`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n,r)=>{try{let i=C({apiKey:r.apiKey,baseUrl:r.baseUrl}),a=E(i),o=N(`Running ${t} ${n.join(` `)}...`);r.json||o.start();let s=await(await B(a,i,e)).tools.run(t,n);o.stop(),r.json?O(s):(s.stdout&&process.stdout.write(s.stdout),s.stderr&&process.stderr.write(s.stderr),s.exitCode!==0&&process.exit(s.exitCode))}catch(e){R(e)}}),e}function Hs(){let e=new t(`traces`).description(`Read hosted agent traces, spans, and eval-runs from Tangle Intelligence`);return e.command(`list`).description(`List trace summaries (one row per trace), newest first`).option(`--from <iso>`,`ISO-8601 lower bound on received time (inclusive)`).option(`--to <iso>`,`ISO-8601 upper bound on received time (inclusive)`).option(`--model <model>`,`Exact model match (any span carried this model)`).option(`--run <runId>`,`Exact run id match`).option(`--status <status>`,`ERROR | OK`).option(`-q, --query <text>`,`Substring over span name`).option(`--cursor <cursor>`,`Opaque pagination cursor from a prior page`).option(`--limit <count>`,`Page size (clamped server-side to [1, 200])`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`Intelligence API base URL`).action(async e=>{try{let t={from:e.from,to:e.to,model:e.model,runId:e.run,status:e.status===void 0?void 0:$s(e.status),q:e.query,cursor:e.cursor,limit:e.limit===void 0?void 0:ic(e.limit)},n=Ws(e),r=e.json?null:N(`Fetching traces...`);r?.start();let i=await n.listTraces(t);if(r?.stop(),e.json)return O(i);qs(i.items),Zs(i.nextCursor)}catch(t){Ks(t,e)}}),e.command(`get <traceId>`).description(`Show one trace's spans. Streams NDJSON to stdout with --ndjson.`).option(`--ndjson`,`Stream the full span set as NDJSON to stdout`).option(`--cursor <cursor>`,`Opaque pagination cursor from a prior page`).option(`--limit <count>`,`Spans per page`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`Intelligence API base URL`).action(async(e,t)=>{try{let n=Ws(t);if(t.ndjson){await Gs(n,e);return}let r=t.json?null:N(`Fetching trace spans...`);r?.start();let i=await n.getTraceSpans(e,{cursor:t.cursor,limit:t.limit===void 0?void 0:ic(t.limit)});if(r?.stop(),t.json)return O(i);Js(i.items),i.truncated&&P({Spans:`${i.items.length} of ${i.total} (truncated)`}),Zs(i.nextCursor)}catch(e){Ks(e,t)}}),e.addCommand(Us()),e}function Us(){let e=new t(`runs`).description(`Read eval-runs pivoted off the trace surface`);return e.command(`list`).description(`List eval-runs, newest first`).option(`--status <status>`,`Run status filter`).option(`--gate <decision>`,`Promotion-gate decision filter`).option(`--label <key:value>`,`Match over the run's labels`).option(`--from <iso>`,`ISO-8601 lower bound on received time`).option(`--to <iso>`,`ISO-8601 upper bound on received time`).option(`-q, --query <text>`,`Substring over run dir`).option(`--cursor <cursor>`,`Opaque pagination cursor from a prior page`).option(`--limit <count>`,`Page size`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`Intelligence API base URL`).action(async e=>{try{let t={status:e.status===void 0?void 0:tc(e.status),gate:e.gate===void 0?void 0:rc(e.gate),label:e.label,from:e.from,to:e.to,q:e.query,cursor:e.cursor,limit:e.limit===void 0?void 0:ic(e.limit)},n=Ws(e),r=e.json?null:N(`Fetching runs...`);r?.start();let i=await n.listRuns(t);if(r?.stop(),e.json)return O(i);Ys(i.items),Zs(i.nextCursor)}catch(t){Ks(t,e)}}),e.command(`get <runId>`).description(`Show a single eval-run`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`Intelligence API base URL`).action(async(e,t)=>{try{let n=Ws(t),r=t.json?null:N(`Fetching run...`);r?.start();let i=await n.getRun(e);if(r?.stop(),t.json)return O(i);Xs(i)}catch(e){Ks(e,t)}}),e}function Ws(e){let t=jt(e.apiKey);if(!t)throw Error(`No API key found. Set TANGLE_API_KEY or run: tangle auth login`);return Pe({apiKey:t,baseUrl:e.baseUrl??process.env.TANGLE_INTELLIGENCE_BASE_URL})}async function Gs(e,t){let n=(await e.exportTraceSpansNdjson(t)).getReader();try{for(;;){let{value:e,done:t}=await n.read();if(t)break;e&&process.stdout.write(Buffer.from(e))}}finally{n.releaseLock()}}function Ks(e,t){return R(e,t.json===!0)}function qs(e){D(e.map(e=>({traceId:e.traceId,root:e.rootName??`-`,model:e.model??`-`,spans:e.spanCount,errors:e.errorCount,durationMs:e.durationMs,cost:Qs(e.costUsd)})),[{key:`traceId`,header:`Trace`,width:36},{key:`root`,header:`Root`,width:24},{key:`model`,header:`Model`,width:22},{key:`spans`,header:`Spans`,width:8},{key:`errors`,header:`Errors`,width:8},{key:`durationMs`,header:`Duration(ms)`,width:14},{key:`cost`,header:`Cost`,width:10}])}function Js(e){D(e.map(e=>({spanId:e.id,name:e.name,model:e.model??`-`,status:e.statusCode??`-`,cost:e.costUsd===null?`-`:`$${e.costUsd}`})),[{key:`spanId`,header:`Span`,width:40},{key:`name`,header:`Name`,width:28},{key:`model`,header:`Model`,width:22},{key:`status`,header:`Status`,width:10},{key:`cost`,header:`Cost`,width:12}])}function Ys(e){D(e.map(e=>({runId:e.id,status:e.status,gate:e.gateDecision??`-`,cost:e.totalCostUsd===null?`-`:`$${e.totalCostUsd}`,receivedAt:e.receivedAt})),[{key:`runId`,header:`Run`,width:24},{key:`status`,header:`Status`,width:22},{key:`gate`,header:`Gate`,width:18},{key:`cost`,header:`Cost`,width:12},{key:`receivedAt`,header:`Received`,width:18}])}function Xs(e){P({Run:e.id,Status:e.status,Gate:e.gateDecision??void 0,"Run Dir":e.runDir??void 0,Cost:e.totalCostUsd===null?void 0:`$${e.totalCostUsd}`,Duration:e.totalDurationMs===null?void 0:`${e.totalDurationMs}ms`,"Holdout Lift":e.holdoutLift??void 0,Received:e.receivedAt})}function Zs(e){e&&P({"Next page":`--cursor ${e}`})}function Qs(e){return e===null?`-`:`$${e.toFixed(4)}`}function $s(e){if(e===`ERROR`||e===`OK`)return e;throw Error(`--status must be ERROR or OK`)}const ec=[`started`,`baseline-complete`,`generation-complete`,`gate-decided`,`finished`,`errored`];function tc(e){let t=ec.find(t=>t===e);if(t)return t;throw Error(`--status must be one of ${ec.join(`, `)}`)}const nc=[`ship`,`hold`,`need_more_work`,`model_ceiling`,`arch_ceiling`];function rc(e){let t=nc.find(t=>t===e);if(t)return t;throw Error(`--gate must be one of ${nc.join(`, `)}`)}function ic(e){let t=Number(e);if(!Number.isInteger(t)||t<1)throw Error(`--limit must be a positive integer`);return t}function ac(){return new t(`usage`).description(`Show account usage and billing information`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=E(C({apiKey:e.apiKey,baseUrl:e.baseUrl})),n=e.json?null:N(`Fetching usage...`);n?.start();let[r,i]=await Promise.all([t.usage(),t.subscription().catch(()=>null)]);n?.stop(),e.json?O({...r,subscription:i}):(console.log(),console.log(`Account Usage`),console.log(`─`.repeat(40)),P({"Active Sandboxes":r.activeSandboxes,"Total Sandboxes":r.totalSandboxes,"Compute Minutes":oc(r.computeMinutes),"GPU Seconds":r.gpuSeconds,"GPU Spend":sc(r.gpuCostUsd)}),i&&(console.log(),console.log(`Subscription`),console.log(`─`.repeat(40)),P({Plan:i.plan,Status:i.status,"Credits Available":sc(i.creditsAvailableUsd),"Credits Used":sc(i.creditsUsedUsd),"Monthly Balance":sc(i.monthlyBalanceUsd)})),console.log(),console.log(`Billing Period`),console.log(`─`.repeat(40)),P({Start:r.periodStart.toLocaleDateString(),End:r.periodEnd.toLocaleDateString()}),console.log())}catch(e){R(e)}})}function oc(e){if(e===void 0)return`-`;if(e<60)return`${e} min`;let t=Math.floor(e/60),n=e%60;return n===0?`${t} hr`:`${t} hr ${n} min`}function sc(e){return e<0?`-$${(-e).toFixed(2)}`:`$${e.toFixed(2)}`}function cc(){return new t(`use`).description(`Set or show the active sandbox (used when a command omits the id)`).argument(`[id]`,`Sandbox id to make active`).option(`--clear`,`Clear the active sandbox`).action((e,t)=>{try{if(t.clear){wt(),M(`Cleared the active sandbox.`);return}if(e){Ct(e),M(`Active sandbox set to ${e}. Commands now default to it; override with --box or TANGLE_SANDBOX.`);return}let n=St();M(n?`Active sandbox: ${n}`:"No active sandbox. Set one with `tangle use <id>`.")}catch(e){R(e)}})}const lc=1e3;function uc(){let e=new t(`workflows`).description(`Create and manage Tangle workflows`);return e.option(`--json`,`Output as JSON`),e.hook(`preAction`,(e,t)=>{pc(t)}),e.command(`list`).description(`List your workflows`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=await Z(e).workflows.list();if(e.json)return O(t);hc(t)}catch(t){Q(t,e)}}),e.command(`get`).description(`Show a workflow's definition and compiled triggers`).argument(`<id>`,`Workflow ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=await Z(t).workflows.get(e);if(t.json)return O(n);gc(n)}catch(e){Q(e,t)}}),e.command(`create`).description(`Create a workflow from a YAML file`).argument(`<file>`,`Path to the workflow YAML`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=fc(e),r=await Z(t).workflows.create(n);if(t.json)return O(r);M(`Created workflow ${r.id} (${r.name}).`),gc(r)}catch(e){Q(e,t)}}),e.command(`update`).description(`Replace a workflow's definition from a YAML file`).argument(`<id>`,`Workflow ID`).argument(`<file>`,`Path to the workflow YAML`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=fc(t),i=await Z(n).workflows.update(e,r);if(n.json)return O(i);M(`Updated workflow ${i.id} (${i.name}).`),gc(i)}catch(e){Q(e,n)}}),e.command(`delete`).description(`Delete a workflow and its triggers`).argument(`<id>`,`Workflow ID`).option(`--force`,`Skip confirmation prompt`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{if(!t.force&&!await H(`Delete workflow ${e}? `)){M(`Delete cancelled.`);return}if(await Z(t).workflows.delete(e),t.json)return O({deleted:!0,id:e});M(`Deleted workflow ${e}.`)}catch(e){Q(e,t)}}),e.command(`validate`).description(`Validate a workflow YAML file without saving it`).argument(`<file>`,`Path to the workflow YAML`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=fc(e),r=await Z(t).workflows.validate(n);if(t.json)return O(r);if(r.valid)M(`Valid: ${r.name} (${r.actionCount} action(s), ${r.triggerCount} trigger(s)).`);else{M(`Invalid workflow:`);for(let e of r.errors)console.log(` ${e.path}: ${e.message}`);process.exitCode=1}}catch(e){Q(e,t)}}),e.command(`schema`).description(`Print the JSON Schema for the workflow YAML`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{O(await Z(e).workflows.schema())}catch(t){Q(t,e)}}),e.command(`run`).description(`Trigger an immediate run of a workflow`).argument(`<id>`,`Workflow ID`).option(`--input <key=value>`,`Trigger input as key=value (e.g. pull_request.number=123). Repeatable.`,_c,[]).option(`--wait`,`Wait for the run to finish and print its result`).option(`--timeout <ms>`,`With --wait, fail if the run has not finished after this many milliseconds`).option(`--poll-interval <ms>`,`With --wait, how often to poll for completion (default 2000)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=vc(t.input),r=t.timeout===void 0?void 0:Ti(t.timeout,`--timeout`),i=t.pollInterval===void 0?void 0:Ti(t.pollInterval,`--poll-interval`),a=Z(t),{runId:o}=await a.workflows.run(e,n);if(!t.wait){if(t.json)return O({runId:o});M(`Started run ${o} for workflow ${e}.`),M(`Inspect it with: tangle workflows run-detail ${e} ${o}`);return}let s=t.json?null:N(`Waiting for run ${o} to finish...`).start(),c;try{c=await a.workflows.waitForRun(e,o,{...r===void 0?{}:{timeoutMs:r},...i===void 0?{}:{pollIntervalMs:i}})}finally{s?.stop()}if(c.status===`failed`&&(process.exitCode=1),t.json)return O(c);bc(c)}catch(e){Q(e,t)}}),e.command(`runs`).description(`List a workflow's run history (newest first)`).argument(`<id>`,`Workflow ID`).option(`--limit <n>`,`Runs per page (1-100)`).option(`--cursor <cursor>`,`Pagination cursor from a previous page`).option(`--all`,`Fetch every page, not just the first`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=Z(t),r=t.limit===void 0?void 0:Ti(t.limit,`--limit`);if(t.all){let i=[],a=t.cursor,o=0,s=null;for(;;){let c=await n.workflows.listRuns(e,{...r===void 0?{}:{limit:r},...a===void 0?{}:{cursor:a}});if(i.push(...c.runs),o+=1,!c.nextCursor)break;if(o>=lc){s=c.nextCursor,t.json||M(`Stopped after ${lc} pages (${i.length} runs); more may exist — resume with --cursor ${c.nextCursor}`);break}a=c.nextCursor}if(t.json)return O({runs:i,nextCursor:s});yc(i);return}let i=await n.workflows.listRuns(e,{...r===void 0?{}:{limit:r},...t.cursor===void 0?{}:{cursor:t.cursor}});if(t.json)return O(i);yc(i.runs),i.nextCursor&&M(`More runs available — next page: --cursor ${i.nextCursor}`)}catch(e){Q(e,t)}}),e.command(`run-detail`).description(`Show a single run's detail (per-action output and errors)`).argument(`<id>`,`Workflow ID`).argument(`<runId>`,`Run ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=await Z(n).workflows.getRun(e,t);if(n.json)return O(r);bc(r)}catch(e){Q(e,n)}}),e.command(`cancel`).description(`Cancel a queued or in-progress run`).argument(`<id>`,`Workflow ID`).argument(`<runId>`,`Run ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=await Z(n).workflows.cancel(e,t);if(n.json)return O(r);xc(r)}catch(e){Q(e,n)}}),e.command(`events`).description(`Tail a run's live progress events until it finishes`).argument(`<id>`,`Workflow ID`).argument(`<runId>`,`Run ID`).option(`--json`,`Emit each event as a JSON line`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=Z(n);for await(let i of r.workflows.watchRun(e,t))n.json?console.log(JSON.stringify(i)):Sc(i),i.type===`run.done`&&i.status===`failed`&&(process.exitCode=1)}catch(e){Q(e,n)}}),e.command(`enable`).description(`Enable a workflow so its triggers and manual runs fire`).argument(`<id>`,`Workflow ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{await dc(e,!0,t)}),e.command(`disable`).description(`Disable a workflow (pause its triggers and manual runs)`).argument(`<id>`,`Workflow ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{await dc(e,!1,t)}),e}async function dc(e,t,n){try{let r=await Z(n).workflows.setEnabled(e,t);if(n.json)return O(r);M(`${t?`Enabled`:`Disabled`} workflow ${r.id}.`),gc(r)}catch(e){Q(e,n)}}function fc(e){try{return u(e,`utf8`)}catch(t){throw Error(`Could not read workflow file "${e}": ${t instanceof Error?t.message:String(t)}`)}}function Z(e){let t=C({apiKey:jt(e.apiKey),baseUrl:e.baseUrl??Pt(process.env.TANGLE_HUB_URL)});return new ve({baseUrl:t.baseUrl,apiKey:t.apiKey})}function pc(e){if(!mc(e,`json`)||e.getOptionValue(`json`)!==void 0)return;let t=e.parent;for(;t;){let n=t.getOptionValue(`json`);if(n!==void 0){e.setOptionValue(`json`,n);return}t=t.parent}}function mc(e,t){return e.options.some(e=>e.attributeName()===t)}function Q(e,t){return R(e,t.json===!0)}function hc(e){D(e.map(e=>({id:e.id,name:e.name,enabled:e.enabled?`yes`:`no`,issues:e.validationErrors.length,updated:e.updatedAt})),[{key:`id`,header:`ID`},{key:`name`,header:`Name`},{key:`enabled`,header:`Enabled`},{key:`issues`,header:`Issues`},{key:`updated`,header:`Updated`}])}function gc(e){if(P({ID:e.id,Name:e.name,Description:e.description??``,Enabled:e.enabled?`yes`:`no`,Actions:e.actions.length}),e.triggers&&e.triggers.length>0&&(M(`Triggers`),Cc(e.triggers)),e.validationErrors.length>0){M(`Validation issues`);for(let t of e.validationErrors)console.log(` ${t.path}: ${t.message}`)}}function _c(e,t){return[...t,e]}function vc(e){if(!e||e.length===0)return;let t={};for(let n of e){let e=n.indexOf(`=`);if(e<=0)throw Error(`Invalid --input "${n}": expected key=value (e.g. pull_request.number=123)`);t[n.slice(0,e)]=n.slice(e+1)}return t}function yc(e){D(e.map(e=>({id:e.id,status:e.status,attempts:e.attempts,created:e.createdAt,completed:e.completedAt??``})),[{key:`id`,header:`Run ID`},{key:`status`,header:`Status`},{key:`attempts`,header:`Attempts`},{key:`created`,header:`Created`},{key:`completed`,header:`Completed`}])}function bc(e){P({"Run ID":e.id,Workflow:e.workflowId,Status:e.status,Error:e.error??``,Attempts:e.attempts,Created:e.createdAt,Started:e.startedAt??``,Completed:e.completedAt??``}),e.actionResults.length>0&&(M(`Actions`),D(e.actionResults.map(e=>({index:e.index,kind:e.kind,status:e.status,error:e.error??``,cost:e.costUsd??``})),[{key:`index`,header:`#`},{key:`kind`,header:`Kind`},{key:`status`,header:`Status`},{key:`error`,header:`Error`},{key:`cost`,header:`Cost (USD)`}]))}function xc(e){if(e.status===`cancelled`){M(`Cancelled run ${e.runId}.`);return}if(e.signalled){M(`Cancelling run ${e.runId} — signalled the worker; it will stop shortly.`);return}M(`Requested cancellation of run ${e.runId}, but couldn't confirm it — the run may have just finished, or it's running on another instance and will stop on its own.`)}function Sc(e){switch(e.type){case`snapshot`:M(`snapshot: ${e.run.status} (${e.run.actionResults.length} action(s))`);break;case`action.started`:console.log(`→ action[${e.index}] ${e.kind} started`);break;case`action.finished`:console.log(`${e.status===`succeeded`?`✓`:`✗`} action[${e.index}] ${e.kind} ${e.status}${e.error?`: ${e.error}`:``}`);break;case`iteration.started`:console.log(` · action[${e.actionIndex}] iteration ${e.iterationIndex} started`);break;case`iteration.ended`:console.log(` · action[${e.actionIndex}] iteration ${e.iterationIndex} ${e.status}`);break;case`token`:typeof e.delta==`string`&&process.stdout.write(e.delta);break;case`ping`:break;case`run.done`:console.log(`\nrun.done: ${e.status}${e.error?`: ${e.error}`:``}`);break}}function Cc(e){D(e.map(e=>({id:e.id,kind:e.kind,enabled:e.enabled?`yes`:`no`,detail:e.kind===`schedule`?`${e.cron??``} (${e.timezone??``})`:`${e.provider??``}:${e.eventFilter?.event??``}${e.eventFilter?.action?`.${e.eventFilter.action}`:``}`})),[{key:`id`,header:`ID`},{key:`kind`,header:`Kind`},{key:`enabled`,header:`Enabled`},{key:`detail`,header:`Detail`}])}function wc(e){let t={...Tc(e)??{},...e.optsWithGlobals()};for(let n of e.options){let r=n.attributeName();e.getOptionValue(r)===void 0&&t[r]!==void 0&&e.setOptionValue(r,t[r])}}function Tc(e){let t=e;for(;t?.parent;)t=t.parent;return t?t.opts():void 0}const Ec=e(import.meta.url)(`../package.json`),$=new t;$.name(`tangle`).description(`CLI for Tangle Sandbox operations`).version(Ec.version??`0.0.0`).option(`--api-key <key>`,`API key (or set TANGLE_API_KEY)`).option(`--base-url <url>`,`API base URL`),$.hook(`preAction`,(e,t)=>{wc(t)}),$.addCommand(fr()),$.addCommand(Ho()),$.addCommand(cc()),$.addCommand(is()),$.addCommand(Co()),$.addCommand(fa()),$.addCommand(_s()),$.addCommand(vs()),$.addCommand(bs()),$.addCommand(Jn()),$.addCommand(ss()),$.addCommand(Sa()),$.addCommand(ac()),$.addCommand(Fs()),$.addCommand(Bs()),$.addCommand(To()),$.addCommand(yr()),$.addCommand(Tr()),$.addCommand(Do()),$.addCommand(Na()),$.addCommand(Ia()),$.addCommand(La()),$.addCommand(uc()),$.addCommand(da()),$.addCommand(Vs()),$.addCommand(rs()),$.addCommand(os()),$.addCommand(Er()),$.addCommand(Eo()),$.addCommand(io()),$.addCommand(Zi()),$.addCommand(Qi()),$.addCommand(No()),$.addCommand(wo()),$.addCommand(Hs()),$.addCommand(Ps()),$.parseAsync(process.argv).catch(e=>{console.error(`Fatal error:`,e.message),process.exit(1)});export{};
148
+ `),t.json?O({name:e,value:i}):console.log(i)}catch(e){R(e)}}),e.command(`update`).description(`Update a secret value`).argument(`<name>`,`Secret name`).argument(`[value]`,`New secret value`).option(`--value-stdin`,`Read secret value from stdin`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=E(C({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=await as({value:t,valueStdin:n.valueStdin,prompt:`Enter new value for secret '${e}': `}),a=N(`Updating secret...`);a.start();let o=await r.secrets.update(e,i);a.stop(),n.json?O({name:o.name,createdAt:o.createdAt.toISOString(),updatedAt:o.updatedAt.toISOString()}):k(`Secret updated: ${o.name}`)}catch(e){R(e)}}),e.command(`delete`).description(`Delete a secret`).argument(`<name>`,`Secret name`).option(`--force`,`Skip confirmation prompt`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=E(C({apiKey:t.apiKey,baseUrl:t.baseUrl}));if(!t.force&&!await H(`Are you sure you want to delete secret '${e}'? This cannot be undone. (y/N) `)){M(`Cancelled.`);return}let r=N(`Deleting secret...`);r.start(),await n.secrets.delete(e),r.stop(),t.json?O({success:!0,deleted:e}):k(`Secret deleted: ${e}`)}catch(e){R(e)}}),e}async function as(e){if(e.value!==void 0&&e.valueStdin)throw Error(`Provide either a secret value argument or --value-stdin, not both`);if(e.value!==void 0){if(e.value.length===0)throw Error(`Secret value cannot be empty`);return e.value}if(e.valueStdin){let e=await kn();if(e.length===0)throw Error(`Secret value from stdin cannot be empty`);return e}let t=await On(e.prompt);if(t.length===0)throw Error(`Secret value cannot be empty`);return t}function os(){let e=new t(`skill`).description(`Print paths to shipped skill documentation`);return e.command(`path`).description(`Print the absolute path to the SKILL.md shipped with this CLI`).action(()=>{let e=p.dirname(Ae(import.meta.url)),t=p.resolve(e,`..`,`SKILL.md`);console.log(t)}),e}function ss(){let e=new t(`snapshot`).description(`Manage snapshots`);return e.command(`create <sandbox-id-or-name>`).description(`Create a snapshot of a sandbox`).option(`--tags <tags...>`,`Tags for the snapshot`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=C({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=E(n),i=N(`Creating snapshot...`);i.start();let a=await(await B(r,n,e)).snapshot({tags:t.tags});i.stop(),t.json?O(a):(k(`Snapshot created: ${a.snapshotId}`),console.log(`Size: ${cs(a.sizeBytes??0)}`))}catch(e){R(e)}}),e.command(`list <sandbox-id-or-name>`).description(`List snapshots for a sandbox`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=C({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=E(n),i=N(`Fetching snapshots...`);i.start();let a=await(await B(r,n,e)).listSnapshots();i.stop(),t.json?O(a):D(a.map(e=>({...e,size:cs(e.sizeBytes??0)})),[{key:`snapshotId`,header:`ID`,width:24},{key:`createdAt`,header:`Created`,width:16},{key:`size`,header:`Size`,width:12},{key:`sandboxId`,header:`Sandbox`,width:20}])}catch(e){R(e)}}),e.command(`restore <sandbox-id> <snapshot-id>`).description(`Create a new sandbox from a snapshot`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=E(C({apiKey:n.apiKey,baseUrl:n.baseUrl})),i=N(`Restoring from snapshot...`);i.start();let a=await r.create({fromSnapshot:t,fromSandboxId:e});await a.waitFor(`running`,{timeoutMs:12e4}),i.stop(),n.json?O({sandboxId:a.id,restoredFrom:t,status:a.status}):(k(`New sandbox created: ${a.id}`),console.log(`Source snapshot: ${t}`))}catch(e){R(e)}}),e.command(`revert <sandbox-id-or-name> <snapshot-id>`).description(`Revert an existing sandbox to a snapshot`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=C({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=E(r),a=N(`Reverting sandbox to snapshot...`);a.start();let o=await B(i,r,e),s=await o.revertToSnapshot(t);await o.refresh(),a.stop(),n.json?O({sandboxId:o.id,snapshotId:s.snapshotId,status:o.status}):(k(`Sandbox reverted: ${o.id}`),console.log(`Source snapshot: ${s.snapshotId}`))}catch(e){R(e)}}),e.command(`delete <sandbox-id-or-name> <snapshot-id>`).description(`Delete a sandbox snapshot`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=C({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=E(r),a=N(`Deleting snapshot...`);a.start(),await(await B(i,r,e)).deleteSnapshot(t),a.stop(),n.json?O({success:!0,sandboxId:e,snapshotId:t}):k(`Snapshot deleted: ${t}`)}catch(e){R(e)}}),e}function cs(e){if(e===0)return`0 B`;let t=1024,n=[`B`,`KB`,`MB`,`GB`,`TB`],r=Math.floor(Math.log(e)/Math.log(t));return`${Number.parseFloat((e/t**r).toFixed(1))} ${n[r]}`}function ls(e,t){return`tangle ssh-proxy ${e.replace(/\/+$/,``)}/v1/sidecar-proxy/${t}/ssh`}function us(e){return/^[A-Za-z0-9_/:=@%+.,-]+$/.test(e)?e:`'${e.replace(/'/g,`'"'"'`)}'`}function ds(e){return`'${e.replace(/'/g,`''`)}'`}function fs(e){return e===`win32`?`NUL`:`/dev/null`}function ps(e,t){return t===`win32`?`$env:TANGLE_SSH_PROXY_AUTH_TOKEN=${ds(`<token>`)}; ssh ${e.map(ds).join(` `)}`:`TANGLE_SSH_PROXY_AUTH_TOKEN=${us(`<token>`)} ssh ${e.map(us).join(` `)}`}function ms(e){return e.connection!==void 0&&!e.connection.ssh}function hs(){A(`SSH is not enabled for this sandbox.`),M(`Create a sandbox with --ssh to enable SSH access.`),process.exit(1)}function gs(e,t=[],n=process.platform){let r=fs(n);return[`-o`,`ProxyCommand=${e.proxyCommand}`,`-o`,`StrictHostKeyChecking=no`,`-o`,`UserKnownHostsFile=${r}`,`-o`,`GlobalKnownHostsFile=${r}`,`-o`,`LogLevel=ERROR`,`-o`,`ServerAliveInterval=15`,`-o`,`ServerAliveCountMax=4`,`-o`,`TCPKeepAlive=yes`,`${e.username}@localhost`,`-p`,String(e.port),...t]}function _s(){return new t(`ssh`).description(`Open SSH session to a sandbox`).argument(`<ref>`,`Sandbox ID or name`).argument(`[sshArgs...]`,`Extra args passed through to ssh`).option(`-i, --identity-file <path>`,`Private key file to pass to ssh`).option(`--print`,`Print SSH command instead of connecting`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).allowUnknownOption(!0).action(async(e,t,n)=>{try{let r=C({apiKey:n.apiKey,baseUrl:n.baseUrl}),i=E(r),a=N(`Getting SSH credentials...`);a.start();let o=await B(i,r,e);if(ms(o)){a.stop(),hs();return}o=await V(o);let s=await o.ssh();if(a.stop(),!s){hs();return}let c={...s,proxyCommand:ls(r.baseUrl,o.id)};if(!r.apiKey)throw Error(`SSH proxy requires API key auth. Set TANGLE_API_KEY or pass --api-key.`);let l=gs(c,[...n.identityFile?[`-i`,n.identityFile,`-o`,`IdentitiesOnly=yes`]:[],...t]);if(n.print){console.log(ps(l,process.platform));return}M(`Connecting via tunnel...`);let u=_e(`ssh`,l,{stdio:`inherit`,env:{...process.env,TANGLE_SSH_PROXY_AUTH_TOKEN:r.apiKey}});u.on(`error`,e=>{e.code===`ENOENT`&&(A(`SSH client not found. Please install OpenSSH.`),process.exit(1)),R(e)}),u.on(`exit`,e=>{process.exit(e??0)})}catch(e){R(e)}})}function vs(){let e=new t(`ssh-keys`).description(`Manage SSH keys`);return e.command(`list`).description(`List SSH keys`).option(`--json`,`Output as JSON`).action(async e=>{let t=N(`Fetching SSH keys...`);try{t.start();let n=await E(C(e)).sshKeys.list();t.stop(),e.json?O({sshKeys:n}):n.length===0?M(`No SSH keys found.`):L([`Name`,`Type`,`Fingerprint`,`Created`],n.map(e=>[e.name,e.keyType,e.fingerprint,e.createdAt.toLocaleString()]))}catch(e){t.stop(),R(e)}}),e.command(`add`).description(`Add SSH key`).argument(`<name>`,`SSH key name`).requiredOption(`--key-file <path>`,`Public key file path`).option(`--json`,`Output as JSON`).action(async(e,t)=>{let n=N(`Adding SSH key...`);try{let r=u(t.keyFile,`utf8`).trim();n.start();let i=await E(C(t)).sshKeys.create(e,r);n.stop(),t.json?O({sshKey:i}):k(`Added SSH key ${i.name} (${i.fingerprint})`)}catch(e){n.stop(),R(e)}}),e.command(`delete`).description(`Delete SSH key`).argument(`<name>`,`SSH key name or ID`).action(async(e,t)=>{let n=N(`Deleting SSH key...`);try{n.start(),await E(C(t)).sshKeys.delete(e),n.stop(),k(`Deleted SSH key ${e}`)}catch(e){n.stop(),R(e)}}),e}function ys(e,t=1){process.stderr.write(`${e}\n`),process.exit(t)}function bs(){return new t(`ssh-proxy`).description(`SSH proxy helper — pipes stdin/stdout to WebSocket`).argument(`<sidecar-url>`,`Sidecar WebSocket URL`).action(async e=>{let t=process.env.TANGLE_SSH_PROXY_AUTH_TOKEN;t||ys(`TANGLE_SSH_PROXY_AUTH_TOKEN not set`);let n=new je(new URL(e.replace(/^http/,`ws`)),{headers:{Authorization:`Bearer ${t}`},perMessageDeflate:!1}),r;function i(){r&&=(clearInterval(r),void 0)}n.on(`open`,()=>{r=setInterval(()=>{n.readyState===je.OPEN&&n.ping()},15e3),r.unref?.(),process.stdin.on(`data`,e=>{n.readyState===je.OPEN&&n.send(e,{binary:!0,compress:!1})}),process.stdin.on(`end`,()=>n.close(1e3))}),n.on(`message`,e=>{let t=Buffer.isBuffer(e)?e:Array.isArray(e)?Buffer.concat(e):Buffer.from(e);process.stdout.write(t)}),n.on(`error`,e=>{i(),ys(`WebSocket error: ${e.message}`)}),n.on(`close`,e=>{i(),process.exit(e===1e3?0:1)}),process.stdin.on(`error`,()=>n.close())})}const xs=[`claude-code`,`opencode`,`codex`,`kimi-code`],Ss=[`session`,`project`,`read-only`],Cs={min:1,max:15},ws=process.env.TANGLE_ROUTER_URL??`https://router.tangle.tools/v1`;function Ts(e){let t=e.harness??`claude-code`;if(!xs.includes(t))throw Error(`Unknown --harness '${t}'. Supported: ${xs.join(`, `)}.`);let n=e.tokenScope??`session`;if(!Ss.includes(n))throw Error(`Unknown --token-scope '${n}'. Supported: ${Ss.join(`, `)}.`);let r=Es(e.maxTokens,2e5,`--max-tokens`),i=Es(e.maxIterations,50,`--max-iterations`),a=Es(e.tokenTtl,10,`--token-ttl`);if(a<Cs.min||a>Cs.max)throw Error(`--token-ttl ${a} out of range; the SDK clamps to [${Cs.min}, ${Cs.max}] minutes.`);let o=e.maxWorkers===void 0?void 0:Es(e.maxWorkers,0,`--max-workers`);return{harness:t,...e.model?{model:e.model}:{},maxTokens:r,maxIterations:i,tokenScope:n,tokenTtl:a,...o===void 0?{}:{maxWorkers:o}}}function Es(e,t,n){if(e===void 0)return t;let r=Number.parseInt(e,10);if(!Number.isFinite(r)||r<=0)throw Error(`${n} must be a positive integer, got '${e}'.`);return r}function Ds(e){let t={maxTokens:e.maxTokens,maxIterations:e.maxIterations};return e.maxWorkers===void 0?{budget:t}:{budget:t,perWorker:{maxTokens:Math.max(1,Math.floor(e.maxTokens/e.maxWorkers)),maxIterations:Math.max(1,Math.floor(e.maxIterations/e.maxWorkers))}}}function Os(e){let{client:t,scope:n,ttlMinutes:r,onScope:a}=e,o={async create(o){let s=await t.create(ks(o)),c={scope:n,ttlMinutes:r,...n===`session`?{sessionId:e.sessionIdFor?.(s)??`supervise-${i()}`}:{}},l=await s.mintScopedToken(c);return a({id:s.id,scope:l.scope,expiresAt:l.expiresAt,status:`spawned`}),s}};return typeof t.criuStatus==`function`&&(o.criuStatus=t.criuStatus.bind(t)),o}function ks(e){if(!e?.env)return e;let{TANGLE_API_KEY:t,SANDBOX_API_KEY:n,...r}=e.env;return{...e,env:r}}function As(e){if(e.kind===`no-winner`)return{text:``,tokenUsage:{input:0,output:0},costUsd:0,status:`no-winner (${e.reason})`};let t=e.out;return{text:typeof t==`string`?t:js(t)?t.content:JSON.stringify(t),tokenUsage:{input:e.spentTotal.tokens.input,output:e.spentTotal.tokens.output},costUsd:e.spentTotal.usd,status:`winner`}}function js(e){return typeof e==`object`&&!!e&&typeof e.content==`string`}const Ms={makeClient:e=>E(C({apiKey:e.apiKey,baseUrl:e.baseUrl})),resolveRouter:e=>({routerBaseUrl:ws,routerKey:C({apiKey:e.apiKey}).apiKey,model:e.model}),supervise:Me};async function Ns(e,t,n,r=Ms){let a=r.makeClient({apiKey:n.apiKey,baseUrl:n.baseUrl}),{budget:o,perWorker:s}=Ds(t),c=[],l=Os({client:a,scope:t.tokenScope,ttlMinutes:t.tokenTtl,onScope:e=>{if(c.push(e),!n.json){let n=`ttl ${t.tokenTtl}m`;M(`worker ${e.id} [${e.scope} token ${n}] spawned`)}}}),u=Ne({backend:`sandbox`,harness:t.harness,sandboxClient:l,maxIterations:1}),d={name:`supervisor`,...t.model?{model:t.model}:{}},f=r.resolveRouter({apiKey:n.apiKey,model:t.model??`deepseek-v4-flash`}),p=As(await r.supervise(d,{goal:e},{budget:o,makeWorkerAgent:u,router:f,...s?{perWorker:s}:{},...t.model?{allowedModels:[t.model]}:{},runId:`supervise-${i()}`})),ee=p.status===`winner`?`settled`:`failed`;for(let e of c)e.status=ee,n.json||M(`worker ${e.id} [${e.scope} token ttl ${t.tokenTtl}m] settled (${e.status})`);return{task:e,result:p.text,workers:c,tokenUsage:p.tokenUsage,costUsd:p.costUsd,status:p.status}}function Ps(){let e=new t(`supervise`);return e.description(`Run a budget-conserving supervisor that spawns isolated sandbox workers to deliver a task. Each worker box mints a short-lived scoped token instead of receiving the root API key.`).argument(`<task>`,`What the supervisor should accomplish`).option(`--harness <name>`,`Worker harness (${xs.join(` | `)})`,`claude-code`).option(`--model <id>`,`Model for the supervisor + workers`).option(`--max-tokens <n>`,`Conserved token budget for the whole run`,`200000`).option(`--max-iterations <n>`,`Conserved iteration budget for the whole run`,`50`).option(`--token-scope <scope>`,`Per-worker token scope (${Ss.join(` | `)})`,`session`).option(`--token-ttl <min>`,`Per-worker token TTL in minutes (SDK clamps to [1, 15])`,`10`).option(`--max-workers <n>`,`Bound the fanout; each worker reserves floor(max-tokens / n) tokens and floor(max-iterations / n) iterations`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=Ts({harness:t.harness,model:t.model,maxTokens:t.maxTokens,maxIterations:t.maxIterations,tokenScope:t.tokenScope,tokenTtl:t.tokenTtl,maxWorkers:t.maxWorkers});t.json||(M(`Supervising: ${e}`),M(`harness=${n.harness} budget=${n.maxTokens}tok/${n.maxIterations}it scope=${n.tokenScope} ttl=${n.tokenTtl}m`),console.log());let r=await Ns(e,n,{apiKey:t.apiKey,baseUrl:t.baseUrl,json:t.json});if(t.json){O(r),r.status!==`winner`&&(process.exitCode=1);return}if(console.log(),r.status!==`winner`)throw Error(`Supervisor finished without a winner: ${r.status}`);console.log(r.result),console.log(),P({"Input Tokens":r.tokenUsage.input,"Output Tokens":r.tokenUsage.output,Cost:`$${r.costUsd.toFixed(4)}`})}catch(e){R(e,t.json)}}),e}function Fs(){let e=new t(`team`).description(`Manage teams`);return e.command(`list`).description(`List teams for the current account`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async e=>{try{let t=C(e),n=E(t),r=e.json?null:N(`Fetching teams...`);r?.start();let i=await n.teams.list();if(r?.stop(),e.json){O({teams:i,activeTeamId:t.activeTeamId??null});return}D(i.map(e=>({active:e.id===t.activeTeamId,id:e.id,name:e.name,role:e.currentUserRole,members:e.memberCount})),[{key:`active`,header:`Active`,width:8},{key:`id`,header:`ID`,width:38},{key:`name`,header:`Name`,width:24},{key:`role`,header:`Role`,width:10},{key:`members`,header:`Members`,width:10}])}catch(e){R(e)}}),e.command(`create <name>`).description(`Create a team`).option(`--org-id <id>`,`External organization id`).option(`--no-switch`,`Do not set the new team as active`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=C(t),r=E(n),i=t.json?null:N(`Creating team...`);i?.start();let a=await r.teams.create({name:e,orgId:t.orgId});if(t.switch&&Io(a,n.profile),i?.stop(),t.json){O({team:a,active:!!t.switch});return}k(`Team created: ${Po(a)}`),t.switch&&k(`Active team set to ${a.name}`)}catch(e){R(e)}}),e.command(`switch <team>`).description(`Set the active team for the current profile`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=C(t),r=await Fo(E(n),e);if(Io(r,n.profile),t.json){O({team:r,activeTeamId:r.id});return}k(`Active team set to ${Po(r)}`)}catch(e){R(e)}}),e.command(`current`).description(`Show the active team for the current profile`).option(`--json`,`Output as JSON`).option(`--profile <profile>`,`Credential profile`).action(e=>{try{let t=Ft(e.profile);if(e.json){O(t.activeTeamId?t:{activeTeamId:null});return}if(!t.activeTeamId){console.log(`No active team.`);return}P({ID:t.activeTeamId,Name:t.activeTeamName})}catch(e){R(e)}}),e.command(`clear`).description(`Clear the active team for the current profile`).option(`--json`,`Output as JSON`).option(`--profile <profile>`,`Credential profile`).action(e=>{try{if(Lo(e.profile),e.json){O({activeTeamId:null});return}k(`Active team cleared.`)}catch(e){R(e)}}),e.command(`members [team]`).description(`List team members`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=C(t),r=E(n),i=await X(r,e,n.profile),a=await r.teams.listMembers(i.id);if(t.json){O({team:i,members:a});return}D(a.map(e=>({id:e.id,email:e.customerEmail,role:e.role,status:e.status,joinedAt:e.joinedAt})),[{key:`id`,header:`ID`,width:36},{key:`email`,header:`Email`,width:28},{key:`role`,header:`Role`,width:10},{key:`status`,header:`Status`,width:10},{key:`joinedAt`,header:`Joined`,width:16}])}catch(e){R(e)}}),e.command(`update-member <member-id>`).description(`Update a team member role`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).requiredOption(`--role <role>`,`Role: admin, member, viewer`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=C(t),r=E(n),i=await X(r,t.team,n.profile),a=Is(t.role),o=await r.teams.updateMember(i.id,e,{role:a});if(t.json){O({team:i,member:o});return}k(`Member updated: ${o.customerEmail}`),P({Team:i.name,Role:o.role,Status:o.status})}catch(e){R(e)}}),e.command(`invite <email>`).description(`Invite a user to a team`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).option(`--role <role>`,`Role: admin, member, viewer`,`member`).option(`--ttl-hours <hours>`,`Invitation lifetime in hours`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=C(t),r=E(n),i=await X(r,t.team,n.profile),a=Is(t.role),o=await r.teams.invite(i.id,{email:e,role:a,ttlHours:t.ttlHours?Number.parseInt(t.ttlHours,10):void 0});if(t.json){O({team:i,invitation:o});return}k(`Invitation created for ${o.email}`),P({Team:i.name,Role:o.role,Expires:o.expiresAt,"Invitation ID":o.id}),k(`Re-run with --json to retrieve the invitation token for sharing.`)}catch(e){R(e)}}),e.command(`leave [team]`).description(`Leave a team as the current user`).option(`--force`,`Skip confirmation prompt`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=C(t),r=E(n),i=await X(r,e,n.profile);if(!t.force&&!t.json&&!await H(`Leave team '${i.name}'? (y/N) `))return;if(await r.teams.leave(i.id),n.activeTeamId===i.id&&Lo(n.profile),t.json){O({success:!0,teamId:i.id});return}k(`Left team: ${i.name}`)}catch(e){R(e)}}),e.command(`transfer <new-owner-customer-id> [team]`).description(`Transfer team ownership to another active member`).option(`--force`,`Skip confirmation prompt`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t,n)=>{try{let r=C(n),i=E(r),a=await X(i,t,r.profile);if(!n.force&&!n.json&&!await H(`Transfer ownership of '${a.name}' to ${e}? This cannot be undone without the new owner's cooperation. (y/N) `))return;if(await i.teams.transferOwnership(a.id,e),n.json){O({success:!0,teamId:a.id,newOwnerCustomerId:e});return}k(`Ownership transferred for ${a.name}`)}catch(e){R(e)}}),e.addCommand(Ls()),e.addCommand(Rs()),e.command(`invitations [team]`).description(`List pending and historical team invitations`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=C(t),r=E(n),i=await X(r,e,n.profile),a=await r.teams.listInvitations(i.id);if(t.json){O({team:i,invitations:a});return}D(a.map(e=>({id:e.id,email:e.email,role:e.role,status:e.status,expiresAt:e.expiresAt})),[{key:`id`,header:`ID`,width:38},{key:`email`,header:`Email`,width:28},{key:`role`,header:`Role`,width:10},{key:`status`,header:`Status`,width:12},{key:`expiresAt`,header:`Expires`,width:16}])}catch(e){R(e)}}),e.command(`accept <token>`).description(`Accept a team invitation`).option(`--no-switch`,`Do not set the accepted team as active`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=C(t),r=E(n),i=await r.teams.acceptInvitation(e),a=t.switch===!1?null:await r.teams.get(i.teamId);if(a&&Io(a,n.profile),t.json){O({member:i,activeTeamId:a?.id??null});return}k(`Invitation accepted for team ${i.teamId}`),a&&k(`Active team set to ${a.name}`)}catch(e){R(e)}}),e.command(`revoke-invitation <invitation-id>`).description(`Revoke a pending team invitation`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{if(await E(C(t)).teams.revokeInvitation(e),t.json){O({success:!0,invitationId:e});return}k(`Invitation revoked: ${e}`)}catch(e){R(e)}}),e.command(`remove-member <member-id>`).description(`Remove a member from a team`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=C(t),r=E(n),i=await X(r,t.team,n.profile);if(await r.teams.removeMember(i.id,e),t.json){O({success:!0,teamId:i.id,memberId:e});return}k(`Member removed: ${e}`)}catch(e){R(e)}}),e}function Is(e){if(e===`admin`||e===`member`||e===`viewer`)return e;throw Error(`Role must be one of: admin, member, viewer`)}function Ls(){let e=new t(`secret`).description(`Manage team secrets`);return e.command(`list [team]`).description(`List team secret names`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=C(t),r=E(n),i=await X(r,e,n.profile),a=await r.teams.listSecrets(i.id);if(t.json){O({team:i,secrets:a});return}D(a.map(e=>({name:e.name,updatedAt:e.updatedAt,updatedBy:e.updatedBy})),[{key:`name`,header:`Name`,width:28},{key:`updatedAt`,header:`Updated`,width:24},{key:`updatedBy`,header:`Updated By`,width:28}])}catch(e){R(e)}}),e.command(`set <name> [value]`).description(`Create or replace a team secret`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).option(`--value-stdin`,`Read secret value from stdin`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t,n)=>{try{let r=C(n),i=E(r),a=await X(i,n.team,r.profile),o=await zs({value:t,valueStdin:n.valueStdin,prompt:`Enter value for team secret '${e}': `}),s=await i.teams.upsertSecret(a.id,e,o);if(n.json){O({team:a,secret:s});return}k(`Team secret saved: ${s.name}`)}catch(e){R(e)}}),e.command(`delete <name>`).description(`Delete a team secret`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).option(`--force`,`Skip confirmation prompt`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=C(t),r=E(n),i=await X(r,t.team,n.profile);if(!t.force&&!t.json&&!await H(`Delete team secret '${e}' from '${i.name}'? (y/N) `))return;if(await r.teams.deleteSecret(i.id,e),t.json){O({success:!0,teamId:i.id,name:e});return}k(`Team secret deleted: ${e}`)}catch(e){R(e)}}),e.command(`reveal <name>`).description(`Reveal a team secret value`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=C(t),r=E(n),i=await X(r,t.team,n.profile),a=await r.teams.revealSecret(i.id,e);if(t.json){O({teamId:i.id,...a});return}console.log(a.value)}catch(e){R(e)}}),e}function Rs(){let e=new t(`templates`).description(`Manage team golden-path templates`);return e.command(`list [team]`).description(`List a team's golden-path templates`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=C(t),r=E(n),i=await X(r,e,n.profile),a=await r.teams.listTemplates(i.id);if(t.json){O({team:i,templates:a});return}if(a.length===0){console.log(`No templates yet for ${i.name}.`);return}D(a.map(e=>({id:e.id,name:e.name,environment:e.environment,snapshot:`${e.snapshotId.slice(0,12)}…`,updated:e.updatedAt})),[{key:`id`,header:`ID`,width:38},{key:`name`,header:`Name`,width:28},{key:`environment`,header:`Env`,width:14},{key:`snapshot`,header:`Snapshot`,width:16},{key:`updated`,header:`Updated`,width:24}])}catch(e){R(e)}}),e.command(`create <name> <snapshot-id>`).description(`Create a golden-path template from a snapshot`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).option(`-d, --description <description>`,`Human-readable description shown in the dashboard`).option(`-e, --environment <environment>`,`Default environment to apply (defaults to 'universal')`).option(`--config <json>`,`Optional JSON config object merged into sandboxes created from this template`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t,n)=>{try{let r=C(n),i=E(r),a=await X(i,n.team,r.profile),o;if(n.config)try{let e=JSON.parse(n.config);if(typeof e!=`object`||!e||Array.isArray(e))throw Error(`--config must be a JSON object`);o=e}catch(e){throw Error(`--config is not valid JSON: ${e instanceof Error?e.message:String(e)}`)}let s=await i.teams.createTemplate(a.id,{name:e,snapshotId:t,description:n.description,environment:n.environment,config:o});if(n.json){O({team:a,template:s});return}k(`Team template created: ${s.name} (${s.id})`)}catch(e){R(e)}}),e.command(`delete <template-id>`).description(`Delete a team golden-path template`).option(`-t, --team <team>`,`Team id or name (defaults to active team)`).option(`--force`,`Skip confirmation prompt`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).option(`--profile <profile>`,`Credential profile`).action(async(e,t)=>{try{let n=C(t),r=E(n),i=await X(r,t.team,n.profile);if(!t.force&&!t.json&&!await H(`Delete template '${e}' from '${i.name}'? (y/N) `))return;if(await r.teams.deleteTemplate(i.id,e),t.json){O({success:!0,teamId:i.id,templateId:e});return}k(`Team template deleted: ${e}`)}catch(e){R(e)}}),e}async function zs(e){if(e.value!==void 0&&e.valueStdin)throw Error(`Provide either a secret value argument or --value-stdin, not both`);if(e.value!==void 0){if(e.value.length===0)throw Error(`Secret value cannot be empty`);return e.value}if(e.valueStdin){let e=await kn();if(e.length===0)throw Error(`Secret value from stdin cannot be empty`);return e}let t=await On(e.prompt);if(t.length===0)throw Error(`Secret value cannot be empty`);return t}function Bs(){let e=new t(`template`).description(`Manage published public templates`);return e.command(`list`).option(`-q, --query <query>`,`Search query`).option(`--tag <tag>`,`Filter by tag`).option(`--featured`,`Show featured templates only`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=E(C(e)),n=e.featured?await t.publicTemplates.featured():await t.publicTemplates.list({query:e.query,tag:e.tag});if(e.json){O({templates:n});return}D(n.map(e=>({slug:e.slug,name:e.name,forks:e.forkCount,sandboxes:e.sandboxCount,updated:e.updatedAt})),[{key:`slug`,header:`Slug`,width:28},{key:`name`,header:`Name`,width:28},{key:`forks`,header:`Forks`,width:8},{key:`sandboxes`,header:`Sandboxes`,width:12},{key:`updated`,header:`Updated`,width:24}])}catch(e){R(e)}}),e.command(`get <id-or-slug>`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=await E(C(t)).publicTemplates.get(e);if(t.json){O({template:n});return}O(n)}catch(e){R(e)}}),e.command(`versions <id-or-slug>`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=await E(C(t)).publicTemplates.versions(e);if(t.json){O({versions:n});return}D(n.map(e=>({...e})),[{key:`id`,header:`Version ID`,width:38},{key:`versionNumber`,header:`Version`,width:8},{key:`snapshotId`,header:`Snapshot`,width:20},{key:`createdAt`,header:`Created`,width:24}])}catch(e){R(e)}}),e.command(`publish <name> <snapshot-id> <sandbox-id>`).option(`--slug <slug>`,`Stable public slug`).option(`-d, --description <description>`,`Template description`).option(`--readme <markdown>`,`README markdown`).option(`--tags <tags...>`,`Template tags`).option(`--release-notes <text>`,`Release notes`).option(`--team-id <id>`,`Publish under a team`).option(`--forked-from <id>`,`Fork source template id`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n,r)=>{try{let i=await E(C(r)).publicTemplates.publish({name:e,slug:r.slug,description:r.description,snapshotId:t,sourceSandboxId:n,readmeMarkdown:r.readme,tags:r.tags,releaseNotes:r.releaseNotes,teamId:r.teamId,forkedFromTemplateId:r.forkedFrom});if(r.json){O({template:i});return}k(`Published template: ${i.slug}`)}catch(e){R(e)}}),e.command(`publish-version <id-or-slug> <snapshot-id> <sandbox-id>`).option(`--readme <markdown>`,`README markdown`).option(`--tags <tags...>`,`Template tags`).option(`--release-notes <text>`,`Release notes`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n,r)=>{try{let i=await E(C(r)).publicTemplates.publishVersion(e,{snapshotId:t,sourceSandboxId:n,readmeMarkdown:r.readme,tags:r.tags,releaseNotes:r.releaseNotes});if(r.json){O({version:i});return}k(`Published template version: ${i.id}`)}catch(e){R(e)}}),e}function Vs(){let e=new t(`tools`).description(`Manage language runtimes and tools in a sandbox (via mise)`);return e.command(`list`).alias(`ls`).description(`List installed tools in a sandbox`).argument(`<id-or-name>`,`Sandbox ID or name`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=C({apiKey:t.apiKey,baseUrl:t.baseUrl}),r=E(n),i=N(`Fetching tools...`);t.json||i.start();let a=await(await B(r,n,e)).tools.list();i.stop(),t.json?O(a):a.length===0?console.log(`No tools installed`):L([`Tool`,`Version`,`Active`],a.map(e=>[e.name,e.version,e.active?`yes`:`no`]))}catch(e){R(e)}}),e.command(`install`).description(`Install a tool version`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`<tool>`,`Tool name (e.g. node, python, go)`).argument(`<version>`,`Version to install (e.g. 20, 3.12, latest)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n,r)=>{try{let i=C({apiKey:r.apiKey,baseUrl:r.baseUrl}),a=E(i),o=N(`Installing ${t}@${n}...`);r.json||o.start(),await(await B(a,i,e)).tools.install(t,n),o.stop(),r.json?O({tool:t,version:n,installed:!0}):k(`Installed ${t}@${n}`)}catch(e){R(e)}}),e.command(`use`).description(`Activate a tool version for the current session`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`<tool>`,`Tool name`).argument(`<version>`,`Version to activate`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n,r)=>{try{let i=C({apiKey:r.apiKey,baseUrl:r.baseUrl});await(await B(E(i),i,e)).tools.use(t,n),k(`Activated ${t}@${n}`)}catch(e){R(e)}}),e.command(`run`).description(`Run a command with a specific tool`).argument(`<id-or-name>`,`Sandbox ID or name`).argument(`<tool>`,`Tool name`).argument(`<args...>`,`Command arguments`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n,r)=>{try{let i=C({apiKey:r.apiKey,baseUrl:r.baseUrl}),a=E(i),o=N(`Running ${t} ${n.join(` `)}...`);r.json||o.start();let s=await(await B(a,i,e)).tools.run(t,n);o.stop(),r.json?O(s):(s.stdout&&process.stdout.write(s.stdout),s.stderr&&process.stderr.write(s.stderr),s.exitCode!==0&&process.exit(s.exitCode))}catch(e){R(e)}}),e}function Hs(){let e=new t(`traces`).description(`Read hosted agent traces, spans, and eval-runs from Tangle Intelligence`);return e.command(`list`).description(`List trace summaries (one row per trace), newest first`).option(`--from <iso>`,`ISO-8601 lower bound on received time (inclusive)`).option(`--to <iso>`,`ISO-8601 upper bound on received time (inclusive)`).option(`--model <model>`,`Exact model match (any span carried this model)`).option(`--run <runId>`,`Exact run id match`).option(`--status <status>`,`ERROR | OK`).option(`-q, --query <text>`,`Substring over span name`).option(`--cursor <cursor>`,`Opaque pagination cursor from a prior page`).option(`--limit <count>`,`Page size (clamped server-side to [1, 200])`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`Intelligence API base URL`).action(async e=>{try{let t={from:e.from,to:e.to,model:e.model,runId:e.run,status:e.status===void 0?void 0:$s(e.status),q:e.query,cursor:e.cursor,limit:e.limit===void 0?void 0:ic(e.limit)},n=Ws(e),r=e.json?null:N(`Fetching traces...`);r?.start();let i=await n.listTraces(t);if(r?.stop(),e.json)return O(i);qs(i.items),Zs(i.nextCursor)}catch(t){Ks(t,e)}}),e.command(`get <traceId>`).description(`Show one trace's spans. Streams NDJSON to stdout with --ndjson.`).option(`--ndjson`,`Stream the full span set as NDJSON to stdout`).option(`--cursor <cursor>`,`Opaque pagination cursor from a prior page`).option(`--limit <count>`,`Spans per page`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`Intelligence API base URL`).action(async(e,t)=>{try{let n=Ws(t);if(t.ndjson){await Gs(n,e);return}let r=t.json?null:N(`Fetching trace spans...`);r?.start();let i=await n.getTraceSpans(e,{cursor:t.cursor,limit:t.limit===void 0?void 0:ic(t.limit)});if(r?.stop(),t.json)return O(i);Js(i.items),i.truncated&&P({Spans:`${i.items.length} of ${i.total} (truncated)`}),Zs(i.nextCursor)}catch(e){Ks(e,t)}}),e.addCommand(Us()),e}function Us(){let e=new t(`runs`).description(`Read eval-runs pivoted off the trace surface`);return e.command(`list`).description(`List eval-runs, newest first`).option(`--status <status>`,`Run status filter`).option(`--gate <decision>`,`Promotion-gate decision filter`).option(`--label <key:value>`,`Match over the run's labels`).option(`--from <iso>`,`ISO-8601 lower bound on received time`).option(`--to <iso>`,`ISO-8601 upper bound on received time`).option(`-q, --query <text>`,`Substring over run dir`).option(`--cursor <cursor>`,`Opaque pagination cursor from a prior page`).option(`--limit <count>`,`Page size`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`Intelligence API base URL`).action(async e=>{try{let t={status:e.status===void 0?void 0:tc(e.status),gate:e.gate===void 0?void 0:rc(e.gate),label:e.label,from:e.from,to:e.to,q:e.query,cursor:e.cursor,limit:e.limit===void 0?void 0:ic(e.limit)},n=Ws(e),r=e.json?null:N(`Fetching runs...`);r?.start();let i=await n.listRuns(t);if(r?.stop(),e.json)return O(i);Ys(i.items),Zs(i.nextCursor)}catch(t){Ks(t,e)}}),e.command(`get <runId>`).description(`Show a single eval-run`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`Intelligence API base URL`).action(async(e,t)=>{try{let n=Ws(t),r=t.json?null:N(`Fetching run...`);r?.start();let i=await n.getRun(e);if(r?.stop(),t.json)return O(i);Xs(i)}catch(e){Ks(e,t)}}),e}function Ws(e){let t=jt(e.apiKey);if(!t)throw Error(`No API key found. Set TANGLE_API_KEY or run: tangle auth login`);return Pe({apiKey:t,baseUrl:e.baseUrl??process.env.TANGLE_INTELLIGENCE_BASE_URL})}async function Gs(e,t){let n=(await e.exportTraceSpansNdjson(t)).getReader();try{for(;;){let{value:e,done:t}=await n.read();if(t)break;e&&process.stdout.write(Buffer.from(e))}}finally{n.releaseLock()}}function Ks(e,t){return R(e,t.json===!0)}function qs(e){D(e.map(e=>({traceId:e.traceId,root:e.rootName??`-`,model:e.model??`-`,spans:e.spanCount,errors:e.errorCount,durationMs:e.durationMs,cost:Qs(e.costUsd)})),[{key:`traceId`,header:`Trace`,width:36},{key:`root`,header:`Root`,width:24},{key:`model`,header:`Model`,width:22},{key:`spans`,header:`Spans`,width:8},{key:`errors`,header:`Errors`,width:8},{key:`durationMs`,header:`Duration(ms)`,width:14},{key:`cost`,header:`Cost`,width:10}])}function Js(e){D(e.map(e=>({spanId:e.id,name:e.name,model:e.model??`-`,status:e.statusCode??`-`,cost:e.costUsd===null?`-`:`$${e.costUsd}`})),[{key:`spanId`,header:`Span`,width:40},{key:`name`,header:`Name`,width:28},{key:`model`,header:`Model`,width:22},{key:`status`,header:`Status`,width:10},{key:`cost`,header:`Cost`,width:12}])}function Ys(e){D(e.map(e=>({runId:e.id,status:e.status,gate:e.gateDecision??`-`,cost:e.totalCostUsd===null?`-`:`$${e.totalCostUsd}`,receivedAt:e.receivedAt})),[{key:`runId`,header:`Run`,width:24},{key:`status`,header:`Status`,width:22},{key:`gate`,header:`Gate`,width:18},{key:`cost`,header:`Cost`,width:12},{key:`receivedAt`,header:`Received`,width:18}])}function Xs(e){P({Run:e.id,Status:e.status,Gate:e.gateDecision??void 0,"Run Dir":e.runDir??void 0,Cost:e.totalCostUsd===null?void 0:`$${e.totalCostUsd}`,Duration:e.totalDurationMs===null?void 0:`${e.totalDurationMs}ms`,"Holdout Lift":e.holdoutLift??void 0,Received:e.receivedAt})}function Zs(e){e&&P({"Next page":`--cursor ${e}`})}function Qs(e){return e===null?`-`:`$${e.toFixed(4)}`}function $s(e){if(e===`ERROR`||e===`OK`)return e;throw Error(`--status must be ERROR or OK`)}const ec=[`started`,`baseline-complete`,`generation-complete`,`gate-decided`,`finished`,`errored`];function tc(e){let t=ec.find(t=>t===e);if(t)return t;throw Error(`--status must be one of ${ec.join(`, `)}`)}const nc=[`ship`,`hold`,`need_more_work`,`model_ceiling`,`arch_ceiling`];function rc(e){let t=nc.find(t=>t===e);if(t)return t;throw Error(`--gate must be one of ${nc.join(`, `)}`)}function ic(e){let t=Number(e);if(!Number.isInteger(t)||t<1)throw Error(`--limit must be a positive integer`);return t}function ac(){return new t(`usage`).description(`Show account usage and billing information`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=E(C({apiKey:e.apiKey,baseUrl:e.baseUrl})),n=e.json?null:N(`Fetching usage...`);n?.start();let[r,i]=await Promise.all([t.usage(),t.subscription().catch(()=>null)]);n?.stop(),e.json?O({...r,subscription:i}):(console.log(),console.log(`Account Usage`),console.log(`─`.repeat(40)),P({"Active Sandboxes":r.activeSandboxes,"Total Sandboxes":r.totalSandboxes,"Compute Minutes":oc(r.computeMinutes),"GPU Seconds":r.gpuSeconds,"GPU Spend":sc(r.gpuCostUsd)}),i&&(console.log(),console.log(`Subscription`),console.log(`─`.repeat(40)),P({Plan:i.plan,Status:i.status,"Credits Available":sc(i.creditsAvailableUsd),"Credits Used":sc(i.creditsUsedUsd),"Monthly Balance":sc(i.monthlyBalanceUsd)})),console.log(),console.log(`Billing Period`),console.log(`─`.repeat(40)),P({Start:r.periodStart.toLocaleDateString(),End:r.periodEnd.toLocaleDateString()}),console.log())}catch(e){R(e)}})}function oc(e){if(e===void 0)return`-`;if(e<60)return`${e} min`;let t=Math.floor(e/60),n=e%60;return n===0?`${t} hr`:`${t} hr ${n} min`}function sc(e){return e<0?`-$${(-e).toFixed(2)}`:`$${e.toFixed(2)}`}function cc(){return new t(`use`).description(`Set or show the active sandbox (used when a command omits the id)`).argument(`[id]`,`Sandbox id to make active`).option(`--clear`,`Clear the active sandbox`).action((e,t)=>{try{if(t.clear){wt(),M(`Cleared the active sandbox.`);return}if(e){Ct(e),M(`Active sandbox set to ${e}. Commands now default to it; override with --box or TANGLE_SANDBOX.`);return}let n=St();M(n?`Active sandbox: ${n}`:"No active sandbox. Set one with `tangle use <id>`.")}catch(e){R(e)}})}const lc=1e3;function uc(){let e=new t(`workflows`).description(`Create and manage Tangle workflows`);return e.option(`--json`,`Output as JSON`),e.hook(`preAction`,(e,t)=>{pc(t)}),e.command(`list`).description(`List your workflows`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{let t=await Z(e).workflows.list();if(e.json)return O(t);hc(t)}catch(t){Q(t,e)}}),e.command(`get`).description(`Show a workflow's definition and compiled triggers`).argument(`<id>`,`Workflow ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=await Z(t).workflows.get(e);if(t.json)return O(n);gc(n)}catch(e){Q(e,t)}}),e.command(`create`).description(`Create a workflow from a YAML file`).argument(`<file>`,`Path to the workflow YAML`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=fc(e),r=await Z(t).workflows.create(n);if(t.json)return O(r);M(`Created workflow ${r.id} (${r.name}).`),gc(r)}catch(e){Q(e,t)}}),e.command(`update`).description(`Replace a workflow's definition from a YAML file`).argument(`<id>`,`Workflow ID`).argument(`<file>`,`Path to the workflow YAML`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=fc(t),i=await Z(n).workflows.update(e,r);if(n.json)return O(i);M(`Updated workflow ${i.id} (${i.name}).`),gc(i)}catch(e){Q(e,n)}}),e.command(`delete`).description(`Delete a workflow and its triggers`).argument(`<id>`,`Workflow ID`).option(`--force`,`Skip confirmation prompt`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{if(!t.force&&!await H(`Delete workflow ${e}? `)){M(`Delete cancelled.`);return}if(await Z(t).workflows.delete(e),t.json)return O({deleted:!0,id:e});M(`Deleted workflow ${e}.`)}catch(e){Q(e,t)}}),e.command(`validate`).description(`Validate a workflow YAML file without saving it`).argument(`<file>`,`Path to the workflow YAML`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=fc(e),r=await Z(t).workflows.validate(n);if(t.json)return O(r);if(r.valid)M(`Valid: ${r.name} (${r.actionCount} action(s), ${r.triggerCount} trigger(s)).`);else{M(`Invalid workflow:`);for(let e of r.errors)console.log(` ${e.path}: ${e.message}`);process.exitCode=1}}catch(e){Q(e,t)}}),e.command(`schema`).description(`Print the JSON Schema for the workflow YAML`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async e=>{try{O(await Z(e).workflows.schema())}catch(t){Q(t,e)}}),e.command(`run`).description(`Trigger an immediate run of a workflow`).argument(`<id>`,`Workflow ID`).option(`--input <key=value>`,`Trigger input as key=value (e.g. pull_request.number=123). Repeatable.`,_c,[]).option(`--wait`,`Wait for the run to finish and print its result`).option(`--timeout <ms>`,`With --wait, fail if the run has not finished after this many milliseconds`).option(`--poll-interval <ms>`,`With --wait, how often to poll for completion (default 2000)`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=vc(t.input),r=t.timeout===void 0?void 0:Ti(t.timeout,`--timeout`),i=t.pollInterval===void 0?void 0:Ti(t.pollInterval,`--poll-interval`),a=Z(t),{runId:o}=await a.workflows.run(e,n);if(!t.wait){if(t.json)return O({runId:o});M(`Started run ${o} for workflow ${e}.`),M(`Inspect it with: tangle workflows run-detail ${e} ${o}`);return}let s=t.json?null:N(`Waiting for run ${o} to finish...`).start(),c;try{c=await a.workflows.waitForRun(e,o,{...r===void 0?{}:{timeoutMs:r},...i===void 0?{}:{pollIntervalMs:i}})}finally{s?.stop()}if(c.status===`failed`&&(process.exitCode=1),t.json)return O(c);bc(c)}catch(e){Q(e,t)}}),e.command(`runs`).description(`List a workflow's run history (newest first)`).argument(`<id>`,`Workflow ID`).option(`--limit <n>`,`Runs per page (1-100)`).option(`--cursor <cursor>`,`Pagination cursor from a previous page`).option(`--all`,`Fetch every page, not just the first`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{try{let n=Z(t),r=t.limit===void 0?void 0:Ti(t.limit,`--limit`);if(t.all){let i=[],a=t.cursor,o=0,s=null;for(;;){let c=await n.workflows.listRuns(e,{...r===void 0?{}:{limit:r},...a===void 0?{}:{cursor:a}});if(i.push(...c.runs),o+=1,!c.nextCursor)break;if(o>=lc){s=c.nextCursor,t.json||M(`Stopped after ${lc} pages (${i.length} runs); more may exist — resume with --cursor ${c.nextCursor}`);break}a=c.nextCursor}if(t.json)return O({runs:i,nextCursor:s});yc(i);return}let i=await n.workflows.listRuns(e,{...r===void 0?{}:{limit:r},...t.cursor===void 0?{}:{cursor:t.cursor}});if(t.json)return O(i);yc(i.runs),i.nextCursor&&M(`More runs available — next page: --cursor ${i.nextCursor}`)}catch(e){Q(e,t)}}),e.command(`run-detail`).description(`Show a single run's detail (per-action output and errors)`).argument(`<id>`,`Workflow ID`).argument(`<runId>`,`Run ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=await Z(n).workflows.getRun(e,t);if(n.json)return O(r);bc(r)}catch(e){Q(e,n)}}),e.command(`cancel`).description(`Cancel a queued or in-progress run`).argument(`<id>`,`Workflow ID`).argument(`<runId>`,`Run ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=await Z(n).workflows.cancel(e,t);if(n.json)return O(r);xc(r)}catch(e){Q(e,n)}}),e.command(`events`).description(`Tail a run's live progress events until it finishes`).argument(`<id>`,`Workflow ID`).argument(`<runId>`,`Run ID`).option(`--json`,`Emit each event as a JSON line`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t,n)=>{try{let r=Z(n);for await(let i of r.workflows.watchRun(e,t))n.json?console.log(JSON.stringify(i)):Sc(i),i.type===`run.done`&&i.status===`failed`&&(process.exitCode=1)}catch(e){Q(e,n)}}),e.command(`enable`).description(`Enable a workflow so its triggers and manual runs fire`).argument(`<id>`,`Workflow ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{await dc(e,!0,t)}),e.command(`disable`).description(`Disable a workflow (pause its triggers and manual runs)`).argument(`<id>`,`Workflow ID`).option(`--json`,`Output as JSON`).option(`--api-key <key>`,`API key`).option(`--base-url <url>`,`API base URL`).action(async(e,t)=>{await dc(e,!1,t)}),e}async function dc(e,t,n){try{let r=await Z(n).workflows.setEnabled(e,t);if(n.json)return O(r);M(`${t?`Enabled`:`Disabled`} workflow ${r.id}.`),gc(r)}catch(e){Q(e,n)}}function fc(e){try{return u(e,`utf8`)}catch(t){throw Error(`Could not read workflow file "${e}": ${t instanceof Error?t.message:String(t)}`)}}function Z(e){let t=C({apiKey:jt(e.apiKey),baseUrl:e.baseUrl??Pt(process.env.TANGLE_HUB_URL)});return new ve({baseUrl:t.baseUrl,apiKey:t.apiKey})}function pc(e){if(!mc(e,`json`)||e.getOptionValue(`json`)!==void 0)return;let t=e.parent;for(;t;){let n=t.getOptionValue(`json`);if(n!==void 0){e.setOptionValue(`json`,n);return}t=t.parent}}function mc(e,t){return e.options.some(e=>e.attributeName()===t)}function Q(e,t){return R(e,t.json===!0)}function hc(e){D(e.map(e=>({id:e.id,name:e.name,enabled:e.enabled?`yes`:`no`,issues:e.validationErrors.length,updated:e.updatedAt})),[{key:`id`,header:`ID`},{key:`name`,header:`Name`},{key:`enabled`,header:`Enabled`},{key:`issues`,header:`Issues`},{key:`updated`,header:`Updated`}])}function gc(e){if(P({ID:e.id,Name:e.name,Description:e.description??``,Enabled:e.enabled?`yes`:`no`,Actions:e.actions.length}),e.triggers&&e.triggers.length>0&&(M(`Triggers`),Cc(e.triggers)),e.validationErrors.length>0){M(`Validation issues`);for(let t of e.validationErrors)console.log(` ${t.path}: ${t.message}`)}}function _c(e,t){return[...t,e]}function vc(e){if(!e||e.length===0)return;let t={};for(let n of e){let e=n.indexOf(`=`);if(e<=0)throw Error(`Invalid --input "${n}": expected key=value (e.g. pull_request.number=123)`);t[n.slice(0,e)]=n.slice(e+1)}return t}function yc(e){D(e.map(e=>({id:e.id,status:e.status,attempts:e.attempts,created:e.createdAt,completed:e.completedAt??``})),[{key:`id`,header:`Run ID`},{key:`status`,header:`Status`},{key:`attempts`,header:`Attempts`},{key:`created`,header:`Created`},{key:`completed`,header:`Completed`}])}function bc(e){P({"Run ID":e.id,Workflow:e.workflowId,Status:e.status,Error:e.error??``,Attempts:e.attempts,Created:e.createdAt,Started:e.startedAt??``,Completed:e.completedAt??``}),e.actionResults.length>0&&(M(`Actions`),D(e.actionResults.map(e=>({index:e.index,kind:e.kind,status:e.status,error:e.error??``,cost:e.costUsd??``})),[{key:`index`,header:`#`},{key:`kind`,header:`Kind`},{key:`status`,header:`Status`},{key:`error`,header:`Error`},{key:`cost`,header:`Cost (USD)`}]))}function xc(e){if(e.status===`cancelled`){M(`Cancelled run ${e.runId}.`);return}if(e.signalled){M(`Cancelling run ${e.runId} — signalled the worker; it will stop shortly.`);return}M(`Requested cancellation of run ${e.runId}, but couldn't confirm it — the run may have just finished, or it's running on another instance and will stop on its own.`)}function Sc(e){switch(e.type){case`snapshot`:M(`snapshot: ${e.run.status} (${e.run.actionResults.length} action(s))`);break;case`action.started`:console.log(`→ action[${e.index}] ${e.kind} started`);break;case`action.finished`:{let t=e.status===`succeeded`?`✓`:e.status===`skipped`?`⊘`:`✗`;console.log(`${t} action[${e.index}] ${e.kind} ${e.status}${e.error?`: ${e.error}`:``}`);break}case`iteration.started`:console.log(` · action[${e.actionIndex}] iteration ${e.iterationIndex} started`);break;case`iteration.ended`:console.log(` · action[${e.actionIndex}] iteration ${e.iterationIndex} ${e.status}`);break;case`token`:typeof e.delta==`string`&&process.stdout.write(e.delta);break;case`ping`:break;case`run.done`:console.log(`\nrun.done: ${e.status}${e.error?`: ${e.error}`:``}`);break}}function Cc(e){D(e.map(e=>({id:e.id,kind:e.kind,enabled:e.enabled?`yes`:`no`,detail:e.kind===`schedule`?`${e.cron??``} (${e.timezone??``})`:`${e.provider??``}:${e.eventFilter?.event??``}${e.eventFilter?.action?`.${e.eventFilter.action}`:``}`})),[{key:`id`,header:`ID`},{key:`kind`,header:`Kind`},{key:`enabled`,header:`Enabled`},{key:`detail`,header:`Detail`}])}function wc(e){let t={...Tc(e)??{},...e.optsWithGlobals()};for(let n of e.options){let r=n.attributeName();e.getOptionValue(r)===void 0&&t[r]!==void 0&&e.setOptionValue(r,t[r])}}function Tc(e){let t=e;for(;t?.parent;)t=t.parent;return t?t.opts():void 0}const Ec=e(import.meta.url)(`../package.json`),$=new t;$.name(`tangle`).description(`CLI for Tangle Sandbox operations`).version(Ec.version??`0.0.0`).option(`--api-key <key>`,`API key (or set TANGLE_API_KEY)`).option(`--base-url <url>`,`API base URL`),$.hook(`preAction`,(e,t)=>{wc(t)}),$.addCommand(fr()),$.addCommand(Ho()),$.addCommand(cc()),$.addCommand(is()),$.addCommand(Co()),$.addCommand(fa()),$.addCommand(_s()),$.addCommand(vs()),$.addCommand(bs()),$.addCommand(Jn()),$.addCommand(ss()),$.addCommand(Sa()),$.addCommand(ac()),$.addCommand(Fs()),$.addCommand(Bs()),$.addCommand(To()),$.addCommand(yr()),$.addCommand(Tr()),$.addCommand(Do()),$.addCommand(Na()),$.addCommand(Ia()),$.addCommand(La()),$.addCommand(uc()),$.addCommand(da()),$.addCommand(Vs()),$.addCommand(rs()),$.addCommand(os()),$.addCommand(Er()),$.addCommand(Eo()),$.addCommand(io()),$.addCommand(Zi()),$.addCommand(Qi()),$.addCommand(No()),$.addCommand(wo()),$.addCommand(Hs()),$.addCommand(Ps()),$.parseAsync(process.argv).catch(e=>{console.error(`Fatal error:`,e.message),process.exit(1)});export{};
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@tangle-network/sandbox-cli",
3
- "version": "0.9.4-develop.20260708194108.6294bc2",
3
+ "version": "0.9.4-develop.20260710185349.82fda5c",
4
4
  "description": "CLI for Tangle Sandbox operations",
5
5
  "type": "module",
6
6
  "bin": {
@@ -16,15 +16,15 @@
16
16
  ],
17
17
  "dependencies": {
18
18
  "@tangle-network/agent-core": "^0.4.0",
19
- "@tangle-network/agent-eval": "^0.107.0",
20
- "@tangle-network/agent-runtime": "^0.89.0",
19
+ "@tangle-network/agent-eval": "^0.111.0",
20
+ "@tangle-network/agent-runtime": "^0.90.1",
21
21
  "chalk": "^5.4.1",
22
22
  "commander": "12.1.0",
23
23
  "dotenv": "17.2.3",
24
24
  "ora": "^9.4.0",
25
25
  "ws": "^8.20.0",
26
26
  "@tangle-network/hub-sdk": "0.2.2",
27
- "@tangle-network/sandbox": "0.9.4-develop.20260708194108.6294bc2"
27
+ "@tangle-network/sandbox": "0.9.4-develop.20260710185349.82fda5c"
28
28
  },
29
29
  "devDependencies": {
30
30
  "@types/node": "25.6.0",