npm - @tryclean/create - Versions diffs - 0.1.0 - Mend

@tryclean/create 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/index.js ADDED Viewed

@@ -0,0 +1,1835 @@
+#!/usr/bin/env node
+import {
+  banner,
+  cancelled,
+  isCancel
+} from "./chunk-GALY4XWB.js";
+import {
+  exec,
+  execLive
+} from "./chunk-WHE6TEJG.js";
+// src/index.ts
+import { existsSync as existsSync3 } from "fs";
+import { join as join4 } from "path";
+// src/commands/setup.ts
+import * as p11 from "@clack/prompts";
+import pc10 from "picocolors";
+// src/steps/preflight.ts
+import * as p2 from "@clack/prompts";
+import pc from "picocolors";
+// src/lib/docker.ts
+import * as p from "@clack/prompts";
+async function isDockerInstalled() {
+  try {
+    await exec("docker --version");
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function isDockerRunning() {
+  try {
+    await exec("docker info", { timeout: 5e3 });
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function startDocker() {
+  if (process.platform === "darwin") {
+    await exec("open -a Docker");
+  } else if (process.platform === "linux") {
+    await exec("systemctl start docker");
+  } else {
+    throw new Error("Unsupported platform for auto-start");
+  }
+}
+async function ensureDocker() {
+  if (await isDockerRunning()) return;
+  const s = p.spinner();
+  s.start("Docker is not running \u2014 starting Docker Desktop");
+  try {
+    await startDocker();
+  } catch {
+  }
+  for (let i = 0; i < 30; i++) {
+    await new Promise((r) => setTimeout(r, 2e3));
+    if (await isDockerRunning()) {
+      s.stop("Docker started");
+      return;
+    }
+  }
+  s.stop("Docker not responding yet", 2);
+  p.log.info("Please start Docker Desktop manually.");
+  const s2 = p.spinner();
+  s2.start("Waiting for Docker (60s)");
+  for (let i = 0; i < 30; i++) {
+    await new Promise((r) => setTimeout(r, 2e3));
+    if (await isDockerRunning()) {
+      s2.stop("Docker is running");
+      return;
+    }
+  }
+  s2.stop("Docker still not available", 1);
+  p.log.error("Cannot proceed without Docker. Please start Docker and try again.");
+  process.exit(1);
+}
+async function hasComposePlugin() {
+  try {
+    await exec("docker compose version");
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function composePullLive(cwd) {
+  await ensureDocker();
+  execLive("docker compose pull", { cwd });
+}
+async function composeUp(cwd) {
+  await ensureDocker();
+  await exec("docker compose up -d", { cwd });
+}
+async function composePs(cwd) {
+  await ensureDocker();
+  const { stdout } = await exec("docker compose ps", { cwd });
+  return stdout;
+}
+async function composeExec(cwd, service, command2) {
+  await ensureDocker();
+  const { stdout } = await exec(`docker compose exec -T ${service} ${command2}`, { cwd });
+  return stdout;
+}
+async function composeCp(cwd, src, dest) {
+  await ensureDocker();
+  await exec(`docker compose cp ${src} ${dest}`, { cwd });
+}
+// src/lib/network.ts
+import { createServer } from "net";
+import { hostname } from "os";
+function checkPort(port) {
+  return new Promise((resolve) => {
+    const server = createServer();
+    server.once("error", () => resolve(false));
+    server.once("listening", () => {
+      server.close(() => resolve(true));
+    });
+    server.listen(port, "0.0.0.0");
+  });
+}
+async function getProcessOnPort(port) {
+  try {
+    const { stdout } = await exec(`lsof -ti :${port}`);
+    const pid = stdout.trim().split("\n")[0];
+    if (!pid) return null;
+    const { stdout: psOut } = await exec(`ps -p ${pid} -o comm=`);
+    return { pid, command: psOut.trim() };
+  } catch {
+    return null;
+  }
+}
+async function getDockerContainerOnPort(port) {
+  try {
+    const { stdout } = await exec(`docker ps --filter "publish=${port}" --format "{{.Names}}"`);
+    return stdout.trim().split("\n").filter(Boolean);
+  } catch {
+    return [];
+  }
+}
+function isDockerProcess(command2) {
+  return command2.includes("docker") || command2.includes("com.docker");
+}
+async function killProcessOnPort(port) {
+  try {
+    const proc = await getProcessOnPort(port);
+    if (proc && isDockerProcess(proc.command)) {
+      const containers = await getDockerContainerOnPort(port);
+      if (containers.length > 0) {
+        for (const name of containers) {
+          await exec(`docker stop ${name}`);
+        }
+        await new Promise((r) => setTimeout(r, 1e3));
+        return true;
+      }
+    }
+    const { stdout } = await exec(`lsof -ti :${port}`);
+    const pids = stdout.trim().split("\n").filter(Boolean);
+    if (pids.length === 0) return false;
+    for (const pid of pids) {
+      await exec(`kill -9 ${pid}`);
+    }
+    await new Promise((r) => setTimeout(r, 500));
+    return true;
+  } catch {
+    return false;
+  }
+}
+function getHostname() {
+  return hostname();
+}
+// src/steps/preflight.ts
+async function preflight() {
+  p2.log.step(pc.bold("Step 1: Preflight checks"));
+  const arch = process.arch;
+  const platform = process.platform;
+  const needsEmulation = arch === "arm64";
+  p2.log.info(
+    `${pc.dim("System:")} ${platform}/${arch}` + (needsEmulation ? ` ${pc.yellow("(ARM \u2014 will use amd64 emulation for images)")}` : "")
+  );
+  const s = p2.spinner();
+  s.start("Checking Docker installation");
+  const dockerInstalled = await isDockerInstalled();
+  if (!dockerInstalled) {
+    s.stop("Docker not found", 2);
+    const installCmd = process.platform === "darwin" ? "brew install --cask docker" : process.platform === "linux" ? "curl -fsSL https://get.docker.com | sh" : null;
+    if (installCmd) {
+      const install = await p2.confirm({
+        message: `Docker is required. Install it now? (${pc.cyan(installCmd)})`,
+        initialValue: true
+      });
+      if (isCancel(install)) cancelled();
+      if (install) {
+        const { exec: exec2 } = await import("./exec-OIKPD6DO.js");
+        s.start("Installing Docker");
+        try {
+          await exec2(installCmd);
+          s.stop("Docker installed");
+        } catch (err) {
+          s.stop("Installation failed", 1);
+          p2.log.error(
+            `Auto-install failed: ${err.message}
+  Install manually from ${pc.underline("https://docs.docker.com/get-docker/")}`
+          );
+          process.exit(1);
+        }
+      } else {
+        p2.log.error(`Install Docker from ${pc.underline("https://docs.docker.com/get-docker/")} and try again.`);
+        process.exit(1);
+      }
+    } else {
+      p2.log.error(`Install Docker from ${pc.underline("https://docs.docker.com/get-docker/")} and try again.`);
+      process.exit(1);
+    }
+  } else {
+    s.stop("Docker installed");
+  }
+  s.start("Checking Docker daemon");
+  let dockerRunning = await isDockerRunning();
+  if (!dockerRunning) {
+    s.stop("Docker not running", 2);
+    s.start("Starting Docker Desktop");
+    try {
+      await startDocker();
+      for (let i = 0; i < 30; i++) {
+        await new Promise((r) => setTimeout(r, 2e3));
+        dockerRunning = await isDockerRunning();
+        if (dockerRunning) break;
+      }
+    } catch {
+    }
+    if (!dockerRunning) {
+      s.stop("Could not start Docker", 1);
+      p2.log.error("Docker daemon could not be started. Please start Docker Desktop manually and try again.");
+      process.exit(1);
+    }
+    s.stop("Docker started");
+  } else {
+    s.stop("Docker daemon running");
+  }
+  s.start("Checking docker compose");
+  const compose = await hasComposePlugin();
+  if (!compose) {
+    s.stop("docker compose not found", 1);
+    p2.log.error(
+      `docker compose plugin is required.
+  It's included with Docker Desktop, or install it:
+  ${pc.cyan("https://docs.docker.com/compose/install/")}`
+    );
+    process.exit(1);
+  }
+  s.stop("docker compose available");
+  await resolvePort(8e3, "engine");
+  await resolvePort(3e3, "dashboard");
+  p2.log.success("Preflight checks passed");
+  return { arch, platform, needsEmulation };
+}
+async function resolvePort(port, label) {
+  const free = await checkPort(port);
+  if (free) return;
+  const containers = await getDockerContainerOnPort(port);
+  if (containers.length > 0) {
+    p2.log.info(`Stopping container ${pc.bold(containers.join(", "))} on port ${port}`);
+    const { exec: exec2 } = await import("./exec-OIKPD6DO.js");
+    for (const name of containers) {
+      try {
+        await exec2(`docker stop ${name}`);
+      } catch {
+      }
+    }
+    await new Promise((r) => setTimeout(r, 1e3));
+    const nowFree = await checkPort(port);
+    if (nowFree) {
+      p2.log.success(`Port ${port} freed`);
+    } else {
+      p2.log.warn(`Port ${port} still in use \u2014 will retry at launch`);
+    }
+    return;
+  }
+  const proc = await getProcessOnPort(port);
+  const procInfo = proc ? `${pc.bold(proc.command)} (PID ${proc.pid})` : "unknown process";
+  p2.log.warn(`Port ${pc.bold(String(port))} (${label}) is in use by ${procInfo}`);
+  const action = await p2.select({
+    message: `How to resolve port ${port}?`,
+    options: [
+      { value: "kill", label: `Kill ${proc?.command ?? "process"} on port ${port}`, hint: "recommended" },
+      { value: "continue", label: "Continue anyway", hint: "may cause errors later" },
+      { value: "cancel", label: "Cancel setup" }
+    ]
+  });
+  if (isCancel(action)) cancelled();
+  if (action === "kill") {
+    const killed = await killProcessOnPort(port);
+    if (killed) {
+      const nowFree = await checkPort(port);
+      if (nowFree) {
+        p2.log.success(`Port ${port} freed`);
+        return;
+      }
+    }
+    p2.log.warn(`Could not free port ${port}. Continuing anyway.`);
+  } else if (action === "cancel") {
+    cancelled();
+  }
+}
+// src/steps/license.ts
+import * as p3 from "@clack/prompts";
+import pc2 from "picocolors";
+// src/lib/license.ts
+import { createVerify } from "crypto";
+import { Buffer } from "buffer";
+var PUBLIC_KEY = `-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7wpHt0MYEbK24cyybwnfhsEapBcz
+Kyl7L9AauL4spTgX2a6x213pSI0N88VQm2i4gUeCAWhssjiYH370g+sYAQ==
+-----END PUBLIC KEY-----`;
+function base64UrlDecode(str) {
+  const padded = str.replace(/-/g, "+").replace(/_/g, "/");
+  return Buffer.from(padded, "base64");
+}
+function decodeLicensePayload(token) {
+  const parts = token.split(".");
+  if (parts.length !== 3) {
+    throw new Error("Invalid JWT format \u2014 expected 3 dot-separated parts");
+  }
+  try {
+    const payload = JSON.parse(base64UrlDecode(parts[1]).toString("utf-8"));
+    return payload;
+  } catch {
+    throw new Error("Failed to decode JWT payload");
+  }
+}
+function rawSigToDer(raw) {
+  if (raw.length !== 64) throw new Error("Expected 64-byte raw signature");
+  const r = raw.subarray(0, 32);
+  const s = raw.subarray(32, 64);
+  function intBytes(buf) {
+    let i = 0;
+    while (i < buf.length - 1 && buf[i] === 0) i++;
+    const trimmed = buf.subarray(i);
+    if (trimmed[0] & 128) {
+      return Buffer.concat([Buffer.from([0]), trimmed]);
+    }
+    return trimmed;
+  }
+  const rDer = intBytes(r);
+  const sDer = intBytes(s);
+  const rTlv = Buffer.concat([Buffer.from([2, rDer.length]), rDer]);
+  const sTlv = Buffer.concat([Buffer.from([2, sDer.length]), sDer]);
+  const body = Buffer.concat([rTlv, sTlv]);
+  return Buffer.concat([Buffer.from([48, body.length]), body]);
+}
+function verifyLicenseSignature(token) {
+  const parts = token.split(".");
+  if (parts.length !== 3) return false;
+  const signedContent = `${parts[0]}.${parts[1]}`;
+  const rawSig = base64UrlDecode(parts[2]);
+  const derSig = rawSigToDer(rawSig);
+  const verify = createVerify("SHA256");
+  verify.update(signedContent);
+  verify.end();
+  return verify.verify(PUBLIC_KEY, derSig);
+}
+function validateLicense(token) {
+  if (!verifyLicenseSignature(token)) {
+    throw new Error("Invalid license signature \u2014 key may be tampered or corrupted");
+  }
+  const claims = decodeLicensePayload(token);
+  const required = ["sub", "tier", "max_repos", "max_users", "exp"];
+  const missing = required.filter((c) => !(c in claims));
+  if (missing.length > 0) {
+    throw new Error(`Malformed license: missing ${missing.join(", ")}`);
+  }
+  const now = Math.floor(Date.now() / 1e3);
+  if (claims.exp < now) {
+    const expDate = new Date(claims.exp * 1e3).toISOString().split("T")[0];
+    throw new Error(`License expired on ${expDate}`);
+  }
+  return claims;
+}
+function formatExpiry(exp) {
+  const date = new Date(exp * 1e3);
+  const now = Date.now();
+  const daysLeft = Math.ceil((date.getTime() - now) / (1e3 * 60 * 60 * 24));
+  const dateStr = date.toISOString().split("T")[0];
+  return `${dateStr} (${daysLeft} days remaining)`;
+}
+async function activateLicense(code) {
+  const resp = await fetch("https://api.tryclean.com/activate", {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ code })
+  });
+  if (!resp.ok) {
+    const text7 = await resp.text().catch(() => "");
+    throw new Error(`Activation failed (${resp.status}): ${text7 || resp.statusText}`);
+  }
+  const data = await resp.json();
+  return data.license_key;
+}
+// src/steps/license.ts
+async function licenseStep() {
+  p3.log.step(pc2.bold("Step 2: License activation"));
+  const method = await p3.select({
+    message: "How would you like to activate your license?",
+    options: [
+      {
+        value: "code",
+        label: "Activation code",
+        hint: "from your license email"
+      },
+      {
+        value: "jwt",
+        label: "Paste license key (JWT)",
+        hint: "for airgapped / offline setups"
+      }
+    ]
+  });
+  if (isCancel(method)) cancelled();
+  let licenseKey;
+  if (method === "code") {
+    const code = await p3.text({
+      message: "Enter your activation code:",
+      placeholder: "CLEAN-XXXX-XXXX-XXXX",
+      validate(value) {
+        if (!value.trim()) return "Activation code is required";
+      }
+    });
+    if (isCancel(code)) cancelled();
+    const s2 = p3.spinner();
+    s2.start("Activating license");
+    try {
+      licenseKey = await activateLicense(code);
+      s2.stop("License activated");
+    } catch (err) {
+      s2.stop("Activation failed", 1);
+      p3.log.warn(
+        `Could not activate online: ${err.message}
+  You can paste your license key (JWT) directly instead.`
+      );
+      const jwt = await p3.text({
+        message: "Paste your license key (JWT):",
+        validate(value) {
+          if (!value.trim()) return "License key is required";
+          if (value.split(".").length !== 3) return "Invalid JWT format";
+        }
+      });
+      if (isCancel(jwt)) cancelled();
+      licenseKey = jwt.trim();
+    }
+  } else {
+    const jwt = await p3.text({
+      message: "Paste your license key (JWT):",
+      validate(value) {
+        if (!value.trim()) return "License key is required";
+        if (value.split(".").length !== 3) return "Invalid JWT format";
+      }
+    });
+    if (isCancel(jwt)) cancelled();
+    licenseKey = jwt.trim();
+  }
+  const s = p3.spinner();
+  s.start("Validating license");
+  let claims;
+  try {
+    claims = validateLicense(licenseKey);
+  } catch (err) {
+    s.stop("Validation failed", 1);
+    p3.log.error(err.message);
+    try {
+      const decoded = decodeLicensePayload(licenseKey);
+      p3.log.info(
+        `  Decoded claims: customer=${decoded.sub}, tier=${decoded.tier}, exp=${decoded.exp}`
+      );
+    } catch {
+    }
+    return process.exit(1);
+  }
+  s.stop("License valid");
+  p3.log.info(
+    `${pc2.dim("Customer")}   ${claims.sub}
+  ${pc2.dim("Tier")}       ${claims.tier}
+  ${pc2.dim("Max repos")}  ${claims.max_repos}
+  ${pc2.dim("Max users")}  ${claims.max_users}
+  ${pc2.dim("Expires")}    ${formatExpiry(claims.exp)}`
+  );
+  p3.log.success("License validated");
+  return { licenseKey, claims };
+}
+// src/steps/dashboard-url.ts
+import * as p4 from "@clack/prompts";
+import pc3 from "picocolors";
+async function dashboardUrlStep() {
+  p4.log.step(pc3.bold("Step 3: Dashboard URL"));
+  const host = getHostname();
+  const defaultUrl = "http://localhost:3000";
+  const url = await p4.text({
+    message: "Dashboard URL (used for OAuth callback):",
+    placeholder: defaultUrl,
+    initialValue: defaultUrl,
+    validate(value) {
+      if (!value.trim()) return "URL is required";
+      try {
+        new URL(value);
+      } catch {
+        return "Invalid URL format (e.g., http://localhost:3000 or https://clean.example.com)";
+      }
+    }
+  });
+  if (isCancel(url)) cancelled();
+  p4.log.info(
+    `${pc3.dim("GitHub OAuth callback will be:")}
+  ${url.replace(/\/$/, "")}/api/auth/callback/github`
+  );
+  return url;
+}
+// src/steps/github-oauth.ts
+import * as p5 from "@clack/prompts";
+import pc4 from "picocolors";
+async function githubOauthStep(authUrl) {
+  p5.log.step(pc4.bold("Step 4: GitHub OAuth App"));
+  const callbackUrl = `${authUrl.replace(/\/$/, "")}/api/auth/callback/github`;
+  p5.log.message(
+    `Create a GitHub OAuth App:
+  1. Go to ${pc4.underline("https://github.com/settings/developers")}
+  2. Click ${pc4.bold("New OAuth App")}
+  3. Fill in:
+     ${pc4.dim("Application name:")}  Clean Dashboard
+     ${pc4.dim("Homepage URL:")}      ${authUrl}
+     ${pc4.dim("Callback URL:")}      ${pc4.cyan(callbackUrl)}
+  4. Click ${pc4.bold("Register application")}
+  5. Copy the ${pc4.bold("Client ID")} and generate a ${pc4.bold("Client Secret")}`
+  );
+  const openBrowser = await p5.confirm({
+    message: "Open GitHub developer settings in your browser?",
+    initialValue: true
+  });
+  if (isCancel(openBrowser)) cancelled();
+  if (openBrowser) {
+    const { exec: exec2 } = await import("./exec-OIKPD6DO.js");
+    const openCmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? "start" : "xdg-open";
+    try {
+      await exec2(`${openCmd} "https://github.com/settings/developers"`);
+    } catch {
+      p5.log.warn("Could not open browser. Please navigate to the URL manually.");
+    }
+  }
+  const githubId = await p5.text({
+    message: "GitHub OAuth Client ID:",
+    placeholder: "Ov23li...",
+    validate(value) {
+      if (!value.trim()) return "Client ID is required";
+      if (value.trim().length < 10) return "Client ID looks too short";
+    }
+  });
+  if (isCancel(githubId)) cancelled();
+  const githubSecret = await p5.text({
+    message: "GitHub OAuth Client Secret:",
+    placeholder: "paste secret here",
+    validate(value) {
+      if (!value.trim()) return "Client Secret is required";
+      if (value.trim().length < 20) return "Client Secret looks too short";
+    }
+  });
+  if (isCancel(githubSecret)) cancelled();
+  p5.log.success("GitHub OAuth configured");
+  return {
+    githubId: githubId.trim(),
+    githubSecret: githubSecret.trim()
+  };
+}
+// src/steps/access-control.ts
+import * as p6 from "@clack/prompts";
+import pc5 from "picocolors";
+async function accessControlStep() {
+  p6.log.step(pc5.bold("Step 5: Access control"));
+  const users = await p6.text({
+    message: "Allowed GitHub usernames (comma-separated, leave empty for unrestricted):",
+    placeholder: "alice,bob",
+    defaultValue: ""
+  });
+  if (isCancel(users)) cancelled();
+  const raw = users ?? "";
+  const trimmed = raw.split(",").map((u) => u.trim()).filter(Boolean).join(",");
+  if (!trimmed) {
+    p6.log.warn(
+      "No user restrictions set \u2014 anyone with your GitHub OAuth App callback URL\n  can log in to the dashboard. You can restrict this later in .env (ALLOWED_USERS)."
+    );
+  } else {
+    p6.log.info(`${pc5.dim("Allowed users:")} ${trimmed}`);
+  }
+  return trimmed;
+}
+// src/steps/networking.ts
+import * as p7 from "@clack/prompts";
+import pc6 from "picocolors";
+// src/lib/tailscale.ts
+async function isTailscaleInstalled() {
+  try {
+    await exec("tailscale version");
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function installTailscale() {
+  switch (process.platform) {
+    case "darwin":
+      await exec("brew install tailscale");
+      break;
+    case "linux":
+      await exec("curl -fsSL https://tailscale.com/install.sh | sh");
+      break;
+    default:
+      throw new Error("Unsupported platform for auto-install");
+  }
+}
+async function isDaemonRunning() {
+  try {
+    const { stderr } = await exec("tailscale status 2>&1");
+    if (stderr.includes("failed to connect")) return false;
+    return true;
+  } catch (err) {
+    const msg = String(err.stderr || err.stdout || err.message || "");
+    if (msg.includes("failed to connect")) return false;
+    return true;
+  }
+}
+async function findTailscaled() {
+  const candidates = [
+    "/opt/homebrew/opt/tailscale/bin/tailscaled",
+    "/usr/local/opt/tailscale/bin/tailscaled"
+  ];
+  try {
+    const { stdout } = await exec("brew --prefix tailscale");
+    const path = `${stdout.trim()}/bin/tailscaled`;
+    candidates.unshift(path);
+  } catch {
+  }
+  for (const bin of candidates) {
+    try {
+      await exec(`test -x ${bin}`);
+      return bin;
+    } catch {
+    }
+  }
+  return null;
+}
+async function startDaemon() {
+  const tried = [];
+  if (process.platform === "darwin") {
+    tried.push("brew services start tailscale");
+    try {
+      await exec("brew services start tailscale", { timeout: 1e4 });
+    } catch {
+    }
+    if (await waitForDaemon(5e3)) return tried;
+    const bin = await findTailscaled();
+    if (bin) {
+      const stateDir = `${process.env.HOME}/.local/share/tailscale`;
+      const cmd = `${bin} --state=${stateDir}/tailscaled.state --tun=userspace-networking`;
+      tried.push(cmd);
+      try {
+        await exec(`mkdir -p ${stateDir} && nohup ${cmd} </dev/null >/dev/null 2>&1 & disown`, {
+          timeout: 5e3
+        });
+      } catch {
+      }
+      if (await waitForDaemon(5e3)) return tried;
+    }
+  } else if (process.platform === "linux") {
+    tried.push("sudo systemctl enable --now tailscaled");
+    try {
+      await exec("sudo systemctl enable --now tailscaled", { timeout: 1e4 });
+    } catch {
+    }
+  }
+  return tried;
+}
+async function waitForDaemon(timeoutMs = 15e3) {
+  const start = Date.now();
+  while (Date.now() - start < timeoutMs) {
+    if (await isDaemonRunning()) return true;
+    await new Promise((r) => setTimeout(r, 1e3));
+  }
+  return false;
+}
+async function isTailscaleUp() {
+  try {
+    const { stdout } = await exec("tailscale status");
+    return !stdout.includes("Tailscale is stopped") && !stdout.includes("not logged in");
+  } catch {
+    return false;
+  }
+}
+function connectTailscale() {
+  execLive("tailscale up");
+}
+async function getTailscaleIp() {
+  try {
+    const { stdout } = await exec("tailscale ip -4");
+    return stdout.trim() || null;
+  } catch {
+    return null;
+  }
+}
+// src/lib/cloudflare.ts
+async function isCloudflaredInstalled() {
+  try {
+    await exec("cloudflared version");
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function installCloudflared() {
+  switch (process.platform) {
+    case "darwin":
+      await exec("brew install cloudflared");
+      break;
+    case "linux":
+      await exec(
+        "curl -fsSL https://pkg.cloudflare.com/cloudflared-linux-amd64.deb -o /tmp/cloudflared.deb && sudo dpkg -i /tmp/cloudflared.deb"
+      );
+      break;
+    default:
+      throw new Error("Unsupported platform for auto-install");
+  }
+}
+async function isLoggedIn() {
+  try {
+    await exec("cloudflared tunnel list");
+    return true;
+  } catch {
+    return false;
+  }
+}
+function loginCloudflared() {
+  execLive("cloudflared tunnel login");
+}
+async function tunnelExists(name) {
+  try {
+    const { stdout } = await exec("cloudflared tunnel list");
+    return stdout.includes(name);
+  } catch {
+    return false;
+  }
+}
+async function createTunnel(name) {
+  await exec(`cloudflared tunnel create ${name}`);
+}
+async function routeDns(tunnelName, hostname2) {
+  await exec(`cloudflared tunnel route dns ${tunnelName} ${hostname2}`);
+}
+// src/steps/networking.ts
+async function networkingStep(currentAuthUrl) {
+  p7.log.step(pc6.bold("Step 6: Networking"));
+  const choice = await p7.select({
+    message: "How will you expose Clean?",
+    options: [
+      { value: "localhost", label: "Localhost only", hint: "default, no setup needed" },
+      { value: "tailscale", label: "Tailscale", hint: "private mesh network" },
+      { value: "cloudflare", label: "Cloudflare Tunnel", hint: "public URL + WAF" },
+      { value: "skip", label: "Skip", hint: "I'll configure manually" }
+    ]
+  });
+  if (isCancel(choice)) cancelled();
+  let authUrl = currentAuthUrl;
+  if (choice === "tailscale") {
+    authUrl = await handleTailscale(currentAuthUrl);
+  } else if (choice === "cloudflare") {
+    authUrl = await handleCloudflare(currentAuthUrl);
+  } else if (choice === "skip") {
+    p7.log.info("Skipping networking setup. You can configure this later in .env (AUTH_URL).");
+  }
+  return { authUrl };
+}
+async function handleTailscale(currentAuthUrl) {
+  let installed = await isTailscaleInstalled();
+  if (!installed) {
+    const s = p7.spinner();
+    s.start("Installing Tailscale");
+    try {
+      await installTailscale();
+      installed = await isTailscaleInstalled();
+      if (installed) {
+        s.stop("Tailscale installed");
+      } else {
+        s.stop("Installation may have failed", 2);
+      }
+    } catch (err) {
+      s.stop("Installation failed", 1);
+      p7.log.error(`Could not install Tailscale: ${err.message}`);
+      p7.log.info("Continuing with current URL. Install Tailscale manually and update AUTH_URL in .env.");
+      return currentAuthUrl;
+    }
+  }
+  let daemonUp = await isDaemonRunning();
+  if (!daemonUp) {
+    const s = p7.spinner();
+    s.start("Starting Tailscale daemon (tailscaled)");
+    const tried = await startDaemon();
+    daemonUp = await waitForDaemon(1e4);
+    if (daemonUp) {
+      s.stop("Tailscale daemon running");
+    } else {
+      s.stop("Automatic start methods exhausted", 2);
+      p7.log.warn(
+        `Tried: ${tried.map((t) => pc6.dim(t)).join(", ")}
+  tailscaled needs to be running before we can continue.`
+      );
+      while (!daemonUp) {
+        const openTerminal = process.platform === "darwin";
+        const action = await p7.select({
+          message: "tailscaled isn't running yet. What to do?",
+          options: [
+            ...openTerminal ? [{ value: "open", label: "Open new terminal with sudo tailscaled", hint: "recommended" }] : [],
+            { value: "manual", label: "I'll start it myself", hint: "run in another tab" },
+            { value: "skip", label: "Skip Tailscale for now" }
+          ]
+        });
+        if (isCancel(action)) cancelled();
+        if (action === "open") {
+          try {
+            const { exec: run } = await import("./exec-OIKPD6DO.js");
+            await run(`osascript -e 'tell app "Terminal" to do script "sudo tailscaled"'`);
+            p7.log.info("Opened a new Terminal window \u2014 enter your password there.");
+          } catch {
+            p7.log.warn(
+              `Could not open Terminal. Run this in another tab:
+  ${pc6.cyan("sudo tailscaled")}`
+            );
+          }
+          const s2 = p7.spinner();
+          s2.start("Waiting for tailscaled to start (30s)");
+          daemonUp = await waitForDaemon(3e4);
+          if (daemonUp) {
+            s2.stop("Tailscale daemon running");
+          } else {
+            s2.stop("Still not responding", 2);
+          }
+        } else if (action === "manual") {
+          p7.log.info(
+            `In another terminal tab, run:
+  ${pc6.cyan("sudo tailscaled")}
+  Then come back here.`
+          );
+          const s2 = p7.spinner();
+          s2.start("Waiting for tailscaled (30s)");
+          daemonUp = await waitForDaemon(3e4);
+          if (daemonUp) {
+            s2.stop("Tailscale daemon detected");
+          } else {
+            s2.stop("Still not detected", 2);
+          }
+        } else {
+          p7.log.info("Skipping Tailscale. Update AUTH_URL in .env later.");
+          return currentAuthUrl;
+        }
+      }
+    }
+  }
+  const connected = await isTailscaleUp();
+  if (!connected) {
+    p7.log.message(
+      `Tailscale needs to authenticate. This will open your browser.
+  Press Enter to continue, then complete auth in the browser.`
+    );
+    const proceed = await p7.confirm({
+      message: "Run tailscale up now?",
+      initialValue: true
+    });
+    if (isCancel(proceed)) cancelled();
+    if (proceed) {
+      try {
+        p7.log.info(pc6.dim("Running tailscale up... (complete auth in browser)"));
+        connectTailscale();
+      } catch (err) {
+        p7.log.error(`tailscale up failed: ${err.message}`);
+        p7.log.info("Continuing with current URL. Run `tailscale up` manually and update AUTH_URL in .env.");
+        return currentAuthUrl;
+      }
+      const nowUp = await isTailscaleUp();
+      if (!nowUp) {
+        p7.log.warn("Tailscale doesn't appear connected yet. Continuing with current URL.");
+        return currentAuthUrl;
+      }
+    } else {
+      p7.log.info("Continuing with current URL. Run `tailscale up` later and update AUTH_URL in .env.");
+      return currentAuthUrl;
+    }
+  }
+  const ip = await getTailscaleIp();
+  if (!ip) {
+    p7.log.warn("Could not detect Tailscale IP. Continuing with current URL.");
+    return currentAuthUrl;
+  }
+  const tsUrl = `http://${ip}:3000`;
+  p7.log.success(`Tailscale connected \u2014 IP: ${pc6.bold(ip)}`);
+  const useIt = await p7.confirm({
+    message: `Use ${pc6.cyan(tsUrl)} as the dashboard URL?`,
+    initialValue: true
+  });
+  if (isCancel(useIt)) cancelled();
+  if (useIt) {
+    p7.log.warn(
+      `Update your GitHub OAuth App callback URL to:
+  ${pc6.cyan(`${tsUrl}/api/auth/callback/github`)}`
+    );
+    return tsUrl;
+  }
+  return currentAuthUrl;
+}
+async function handleCloudflare(currentAuthUrl) {
+  let installed = await isCloudflaredInstalled();
+  if (!installed) {
+    const s2 = p7.spinner();
+    s2.start("Installing cloudflared");
+    try {
+      await installCloudflared();
+      installed = await isCloudflaredInstalled();
+      if (installed) {
+        s2.stop("cloudflared installed");
+      } else {
+        s2.stop("Installation may have failed", 2);
+      }
+    } catch (err) {
+      s2.stop("Installation failed", 1);
+      p7.log.error(`Could not install cloudflared: ${err.message}`);
+      p7.log.info("Continuing with current URL. Install cloudflared manually and update AUTH_URL in .env.");
+      return currentAuthUrl;
+    }
+  }
+  const loggedIn = await isLoggedIn();
+  if (!loggedIn) {
+    p7.log.message("cloudflared needs to authenticate. This will open your browser.");
+    const proceed = await p7.confirm({
+      message: "Run cloudflared tunnel login now?",
+      initialValue: true
+    });
+    if (isCancel(proceed)) cancelled();
+    if (proceed) {
+      try {
+        p7.log.info(pc6.dim("Running cloudflared tunnel login... (complete auth in browser)"));
+        loginCloudflared();
+      } catch (err) {
+        p7.log.error(`Login failed: ${err.message}`);
+        p7.log.info("Continuing with current URL. Run `cloudflared tunnel login` manually.");
+        return currentAuthUrl;
+      }
+      if (!await isLoggedIn()) {
+        p7.log.warn("cloudflared doesn't appear authenticated. Continuing with current URL.");
+        return currentAuthUrl;
+      }
+    } else {
+      p7.log.info("Continuing with current URL. Run `cloudflared tunnel login` later.");
+      return currentAuthUrl;
+    }
+  }
+  const tunnelName = await p7.text({
+    message: "Tunnel name:",
+    placeholder: "clean",
+    initialValue: "clean",
+    validate(value) {
+      if (!value.trim()) return "Tunnel name is required";
+      if (!/^[a-zA-Z0-9-]+$/.test(value)) return "Letters, numbers, and hyphens only";
+    }
+  });
+  if (isCancel(tunnelName)) cancelled();
+  const name = tunnelName;
+  const exists = await tunnelExists(name);
+  if (!exists) {
+    const s2 = p7.spinner();
+    s2.start(`Creating tunnel "${name}"`);
+    try {
+      await createTunnel(name);
+      s2.stop(`Tunnel "${name}" created`);
+    } catch (err) {
+      s2.stop("Tunnel creation failed", 1);
+      p7.log.error(`Failed: ${err.message}`);
+      p7.log.info("Continuing with current URL. Create the tunnel manually.");
+      return currentAuthUrl;
+    }
+  } else {
+    p7.log.info(`Using existing tunnel "${name}"`);
+  }
+  const hostname2 = await p7.text({
+    message: "Public hostname for the dashboard (e.g., clean.example.com):",
+    validate(value) {
+      if (!value.trim()) return "Hostname is required";
+      if (!value.includes(".")) return "Needs to be a domain (e.g., clean.example.com)";
+    }
+  });
+  if (isCancel(hostname2)) cancelled();
+  const host = hostname2;
+  const tunnelUrl = `https://${host}`;
+  const s = p7.spinner();
+  s.start(`Routing ${host} to tunnel "${name}"`);
+  try {
+    await routeDns(name, host);
+    s.stop("DNS route created");
+  } catch (err) {
+    s.stop("DNS routing failed", 2);
+    p7.log.warn(
+      `Could not auto-route DNS: ${err.message}
+  You may need to run: ${pc6.cyan(`cloudflared tunnel route dns ${name} ${host}`)}`
+    );
+  }
+  p7.log.success(`Tunnel configured \u2014 ${pc6.cyan(tunnelUrl)}`);
+  p7.log.warn(
+    `Update your GitHub OAuth App callback URL to:
+  ${pc6.cyan(`${tunnelUrl}/api/auth/callback/github`)}`
+  );
+  p7.log.info(
+    `Start the tunnel with: ${pc6.cyan(`cloudflared tunnel run ${name}`)}
+  Or add it as a service: ${pc6.cyan(`sudo cloudflared service install`)}`
+  );
+  return tunnelUrl;
+}
+// src/steps/generate.ts
+import * as p8 from "@clack/prompts";
+import pc7 from "picocolors";
+import { writeFileSync, readFileSync, mkdirSync, existsSync } from "fs";
+import { join } from "path";
+// src/lib/secrets.ts
+import { randomBytes } from "crypto";
+var generateHex = (bytes) => randomBytes(bytes).toString("hex");
+var generateBase64 = (bytes) => randomBytes(bytes).toString("base64");
+// src/lib/templates.ts
+function generateDockerCompose(vars) {
+  const plat = vars.needsEmulation ? "\n    platform: linux/amd64" : "";
+  return `services:
+  db:
+    image: postgres:16-alpine
+    volumes:
+      - pgdata:/var/lib/postgresql/data
+    environment:
+      POSTGRES_USER: clean
+      POSTGRES_PASSWORD: \${POSTGRES_PASSWORD}
+      POSTGRES_DB: clean
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U clean"]
+      interval: 5s
+      timeout: 3s
+      retries: 5
+    restart: unless-stopped
+  clean:
+    image: tryclean/clean:\${CLEAN_VERSION:-latest}${plat}
+    ports:
+      - "\${CLEAN_PORT:-8000}:8000"
+    volumes:
+      - clean-data:/data/clean
+    environment:
+      - DATABASE_URL=postgresql://clean:\${POSTGRES_PASSWORD}@db:5432/clean
+      - CLEAN_API_KEY=\${CLEAN_API_KEY}
+      - CLEAN_LICENSE_KEY=\${CLEAN_LICENSE_KEY}
+    env_file:
+      - path: .env
+        required: false
+    depends_on:
+      db:
+        condition: service_healthy
+    restart: unless-stopped
+  dashboard:
+    image: tryclean/dashboard:\${CLEAN_VERSION:-latest}${plat}
+    ports:
+      - "\${DASHBOARD_PORT:-3000}:3000"
+    environment:
+      - DATABASE_URL=postgresql://clean:\${POSTGRES_PASSWORD}@db:5432/clean
+      - CLEAN_SERVER_URL=http://clean:8000
+      - CLEAN_API_KEY=\${CLEAN_API_KEY}
+      - AUTH_SECRET=\${AUTH_SECRET}
+      - AUTH_URL=\${AUTH_URL}
+      - GITHUB_ID=\${GITHUB_ID}
+      - GITHUB_SECRET=\${GITHUB_SECRET}
+      - ALLOWED_USERS=\${ALLOWED_USERS:-}
+    depends_on:
+      db:
+        condition: service_healthy
+      clean:
+        condition: service_started
+    restart: unless-stopped
+volumes:
+  clean-data:
+  pgdata:
+`;
+}
+function generateEnvFile(vars) {
+  return `# === Required (auto-generated by create-clean) ===
+# Postgres password (used by all services)
+POSTGRES_PASSWORD=${vars.postgresPassword}
+# License key \u2014 JWT issued by Clean team
+CLEAN_LICENSE_KEY=${vars.cleanLicenseKey}
+# API key \u2014 used by dashboard and AI tools to authenticate with the engine
+CLEAN_API_KEY=${vars.cleanApiKey}
+# GitHub OAuth App credentials (for dashboard login)
+GITHUB_ID=${vars.githubId}
+GITHUB_SECRET=${vars.githubSecret}
+# NextAuth session encryption secret
+AUTH_SECRET=${vars.authSecret}
+# Dashboard public URL
+AUTH_URL=${vars.authUrl}
+# === Optional ===
+# Pin image version (default: latest)
+CLEAN_VERSION=${vars.cleanVersion}
+# Restrict dashboard login to specific GitHub usernames (comma-separated)
+ALLOWED_USERS=${vars.allowedUsers}
+# Custom ports (defaults: engine=8000, dashboard=3000)
+CLEAN_PORT=${vars.cleanPort}
+DASHBOARD_PORT=${vars.dashboardPort}
+`;
+}
+// src/steps/generate.ts
+async function generateStep(input) {
+  p8.log.step(pc7.bold("Step 7: Generate configuration"));
+  const dirName = await p8.text({
+    message: "Installation directory:",
+    placeholder: "./clean",
+    initialValue: "./clean",
+    validate(value) {
+      if (!value.trim()) return "Directory name is required";
+    }
+  });
+  if (isCancel(dirName)) cancelled();
+  const installDir = dirName;
+  if (existsSync(installDir)) {
+    const composeFile = join(installDir, "docker-compose.yml");
+    const hasExisting = existsSync(composeFile);
+    if (hasExisting) {
+      let running = false;
+      try {
+        const { stdout } = await exec("docker compose ps -q", { cwd: installDir });
+        running = stdout.trim().length > 0;
+      } catch {
+      }
+      const action = await p8.select({
+        message: `Existing Clean installation found in ${installDir}`,
+        options: [
+          ...running ? [{ value: "teardown", label: "Stop existing services and overwrite", hint: "recommended for fresh install" }] : [],
+          { value: "overwrite", label: "Overwrite config files only", hint: "keeps data volumes" },
+          { value: "different", label: "Use a different directory" },
+          { value: "cancel", label: "Cancel setup" }
+        ]
+      });
+      if (isCancel(action)) cancelled();
+      if (action === "teardown") {
+        const s2 = p8.spinner();
+        s2.start("Stopping existing services and removing volumes");
+        try {
+          await exec("docker compose down -v", { cwd: installDir });
+          s2.stop("Services stopped, volumes removed");
+        } catch {
+          s2.stop("Could not stop services", 2);
+          p8.log.warn("Continuing anyway \u2014 old containers may conflict.");
+        }
+      } else if (action === "different") {
+        return generateStep(input);
+      } else if (action === "cancel") {
+        cancelled();
+      }
+    }
+  }
+  const existingEnvPath = join(installDir, ".env");
+  let existingPgPassword = null;
+  if (existsSync(existingEnvPath)) {
+    try {
+      const envContent = readFileSync(existingEnvPath, "utf-8");
+      const match = envContent.match(/^POSTGRES_PASSWORD=(.+)$/m);
+      if (match?.[1]) existingPgPassword = match[1];
+    } catch {
+    }
+  }
+  const s = p8.spinner();
+  s.start("Generating secrets and config files");
+  const vars = {
+    postgresPassword: existingPgPassword ?? generateHex(16),
+    cleanApiKey: generateHex(32),
+    cleanLicenseKey: input.licenseKey,
+    authSecret: generateBase64(32),
+    authUrl: input.authUrl,
+    githubId: input.githubId,
+    githubSecret: input.githubSecret,
+    allowedUsers: input.allowedUsers,
+    cleanVersion: "latest",
+    cleanPort: 8e3,
+    dashboardPort: 3e3,
+    needsEmulation: input.needsEmulation
+  };
+  mkdirSync(installDir, { recursive: true });
+  const composePath = join(installDir, "docker-compose.yml");
+  const envPath = join(installDir, ".env");
+  writeFileSync(composePath, generateDockerCompose(vars), "utf-8");
+  writeFileSync(envPath, generateEnvFile(vars), "utf-8");
+  s.stop("Config files written");
+  p8.log.info(
+    `${pc7.dim("Created:")}  ${composePath}
+  ${pc7.dim("Created:")}  ${envPath}`
+  );
+  p8.log.success("Configuration generated");
+  return { installDir, vars };
+}
+// src/steps/launch.ts
+import * as p9 from "@clack/prompts";
+import pc8 from "picocolors";
+var PORTS = [8e3, 3e3];
+async function launchStep(installDir) {
+  p9.log.step(pc8.bold("Step 8: Launch services"));
+  await cleanupBeforeStart(installDir);
+  await pullWithRetry(installDir);
+  await startWithRetry(installDir);
+  p9.log.success("All services launched");
+}
+async function cleanupBeforeStart(installDir) {
+  try {
+    await exec("docker compose down", { cwd: installDir });
+  } catch {
+  }
+  for (const port of PORTS) {
+    const containers = await getDockerContainerOnPort(port);
+    if (containers.length > 0) {
+      p9.log.info(
+        `Stopping container ${pc8.bold(containers.join(", "))} on port ${port}`
+      );
+      for (const name of containers) {
+        try {
+          await exec(`docker stop ${name}`);
+        } catch {
+        }
+      }
+    }
+  }
+  await new Promise((r) => setTimeout(r, 500));
+}
+async function pullWithRetry(installDir, attempts = 0) {
+  p9.log.info(pc8.dim("Pulling Docker images...\n"));
+  try {
+    await composePullLive(installDir);
+    console.log();
+    p9.log.success("Images pulled");
+  } catch (err) {
+    console.log();
+    if (attempts >= 3) {
+      p9.log.error(`Failed to pull images after ${attempts + 1} attempts.`);
+      process.exit(1);
+    }
+    p9.log.error("Pull failed");
+    const action = await p9.select({
+      message: "How to proceed?",
+      options: [
+        { value: "retry", label: "Retry pull" },
+        { value: "skip", label: "Skip pull", hint: "use cached images if available" },
+        { value: "cancel", label: "Cancel setup" }
+      ]
+    });
+    if (isCancel(action)) cancelled();
+    if (action === "retry") return pullWithRetry(installDir, attempts + 1);
+    if (action === "cancel") cancelled();
+  }
+}
+async function startWithRetry(installDir, attempts = 0) {
+  const s = p9.spinner();
+  s.start("Starting services");
+  try {
+    await composeUp(installDir);
+    s.stop("Services started");
+  } catch (err) {
+    s.stop("Start failed", 1);
+    if (attempts >= 3) {
+      p9.log.error(`Failed to start services after ${attempts + 1} attempts.`);
+      await showLogs(installDir);
+      process.exit(1);
+    }
+    const errMsg = err.message;
+    const portMatch = errMsg.match(/Bind for [\d.]+:(\d+) failed: port is already allocated/);
+    if (portMatch) {
+      const port = parseInt(portMatch[1], 10);
+      const containers = await getDockerContainerOnPort(port);
+      if (containers.length > 0) {
+        p9.log.info(`Stopping container ${pc8.bold(containers.join(", "))} on port ${port}`);
+        for (const name of containers) {
+          try {
+            await exec(`docker stop ${name}`);
+          } catch {
+          }
+        }
+        await new Promise((r) => setTimeout(r, 1e3));
+        p9.log.success(`Port ${port} freed`);
+        return startWithRetry(installDir, attempts + 1);
+      }
+      const proc = await getProcessOnPort(port);
+      const procInfo = proc ? `${pc8.bold(proc.command)} (PID ${proc.pid})` : "unknown process";
+      p9.log.warn(`Port ${pc8.bold(String(port))} is in use by ${procInfo}`);
+      const action2 = await p9.select({
+        message: `Kill ${proc?.command ?? "process"} on port ${port} and retry?`,
+        options: [
+          { value: "kill", label: `Kill and retry`, hint: "recommended" },
+          { value: "cancel", label: "Cancel setup" }
+        ]
+      });
+      if (isCancel(action2)) cancelled();
+      if (action2 === "kill") {
+        await killProcessOnPort(port);
+        const free = await checkPort(port);
+        if (free) p9.log.success(`Port ${port} freed`);
+        return startWithRetry(installDir, attempts + 1);
+      }
+      cancelled();
+    }
+    p9.log.warn(`Failed to start: ${errMsg}`);
+    await showLogs(installDir);
+    const action = await p9.select({
+      message: "How to proceed?",
+      options: [
+        { value: "retry", label: "Retry start" },
+        { value: "cancel", label: "Cancel setup" }
+      ]
+    });
+    if (isCancel(action)) cancelled();
+    if (action === "retry") return startWithRetry(installDir, attempts + 1);
+    cancelled();
+  }
+}
+async function showLogs(installDir) {
+  try {
+    const { stdout } = await exec(`docker compose logs --tail 20 2>&1`, { cwd: installDir });
+    if (stdout.trim()) {
+      p9.log.info(`${pc8.dim("Recent logs:")}
+${stdout.trim()}`);
+    }
+  } catch {
+  }
+}
+// src/steps/health.ts
+import * as p10 from "@clack/prompts";
+import pc9 from "picocolors";
+async function pollHealth(target) {
+  const start = Date.now();
+  const interval = 2e3;
+  while (Date.now() - start < target.timeoutMs) {
+    try {
+      const resp = await fetch(target.url, { signal: AbortSignal.timeout(3e3) });
+      if (resp.ok) return true;
+    } catch {
+    }
+    await new Promise((r) => setTimeout(r, interval));
+  }
+  return false;
+}
+async function getServiceLogs(installDir, service) {
+  try {
+    const { stdout } = await exec(`docker compose logs --tail 15 ${service} 2>&1`, {
+      cwd: installDir
+    });
+    return stdout.trim();
+  } catch {
+    return "";
+  }
+}
+async function healthStep(installDir, enginePort = 8e3, dashboardPort = 3e3) {
+  p10.log.step(pc9.bold("Step 9: Health checks"));
+  const targets = [
+    { name: "Engine", service: "clean", url: `http://localhost:${enginePort}/health`, timeoutMs: 12e4 },
+    { name: "Dashboard", service: "dashboard", url: `http://localhost:${dashboardPort}`, timeoutMs: 6e4 }
+  ];
+  for (const target of targets) {
+    await checkService(installDir, target);
+  }
+  p10.log.success("Health checks complete");
+}
+async function checkService(installDir, target) {
+  const s = p10.spinner();
+  const timeoutSec = Math.round(target.timeoutMs / 1e3);
+  s.start(`Waiting for ${target.name} (timeout: ${timeoutSec}s)`);
+  const healthy = await pollHealth(target);
+  if (healthy) {
+    s.stop(`${target.name} \u2014 healthy`);
+    return;
+  }
+  s.stop(`${target.name} \u2014 not responding`, 2);
+  const logs2 = await getServiceLogs(installDir, target.service);
+  if (logs2) {
+    p10.log.info(`${pc9.dim(`${target.name} logs:`)}
+${logs2}`);
+  }
+  const action = await p10.select({
+    message: `${target.name} didn't become healthy. What to do?`,
+    options: [
+      { value: "restart", label: `Restart ${target.name}`, hint: "recommended" },
+      { value: "wait", label: "Wait longer", hint: `another ${timeoutSec}s` },
+      { value: "skip", label: "Skip", hint: "check manually later" }
+    ]
+  });
+  if (isCancel(action)) cancelled();
+  if (action === "restart") {
+    const rs = p10.spinner();
+    rs.start(`Restarting ${target.service}`);
+    try {
+      await exec(`docker compose restart ${target.service}`, { cwd: installDir });
+      rs.stop(`${target.service} restarted`);
+    } catch {
+      rs.stop("Restart failed", 1);
+    }
+    const s2 = p10.spinner();
+    s2.start(`Waiting for ${target.name} after restart`);
+    const ok = await pollHealth(target);
+    if (ok) {
+      s2.stop(`${target.name} \u2014 healthy`);
+    } else {
+      s2.stop(`${target.name} \u2014 still not responding`, 2);
+      p10.log.warn(
+        `Check manually with: ${pc9.cyan(`docker compose logs ${target.service}`)}`
+      );
+    }
+  } else if (action === "wait") {
+    const s2 = p10.spinner();
+    s2.start(`Waiting for ${target.name} (another ${timeoutSec}s)`);
+    const ok = await pollHealth(target);
+    if (ok) {
+      s2.stop(`${target.name} \u2014 healthy`);
+    } else {
+      s2.stop(`${target.name} \u2014 still not responding`, 2);
+      p10.log.warn(
+        `Check manually with: ${pc9.cyan(`docker compose logs ${target.service}`)}`
+      );
+    }
+  }
+}
+// src/commands/setup.ts
+async function setup() {
+  banner();
+  p11.intro(pc10.bgCyan(pc10.black(" Clean Setup Wizard ")));
+  const { needsEmulation } = await preflight();
+  const { licenseKey } = await licenseStep();
+  let authUrl = await dashboardUrlStep();
+  const { githubId, githubSecret } = await githubOauthStep(authUrl);
+  const allowedUsers = await accessControlStep();
+  const networking = await networkingStep(authUrl);
+  authUrl = networking.authUrl;
+  const { installDir, vars } = await generateStep({
+    licenseKey,
+    authUrl,
+    githubId,
+    githubSecret,
+    allowedUsers,
+    needsEmulation
+  });
+  await launchStep(installDir);
+  await healthStep(installDir, vars.cleanPort, vars.dashboardPort);
+  const engineUrl = `http://localhost:${vars.cleanPort}`;
+  const dashboardUrl = authUrl;
+  const sseUrl = `${engineUrl}/mcp/sse`;
+  p11.note(
+    `${pc10.bold("Dashboard:")}  ${pc10.cyan(dashboardUrl)}
+${pc10.bold("Engine:")}     ${pc10.cyan(engineUrl)}
+${pc10.bold("API Key:")}    ${pc10.dim(vars.cleanApiKey.slice(0, 8) + "..." + vars.cleanApiKey.slice(-4))}
+${pc10.bold("MCP endpoint:")} ${pc10.cyan(sseUrl)}
+  Add to Claude Desktop / Cursor to give AI tools code search.
+  Run ${pc10.cyan("npx create-clean connect")} for full setup instructions.
+${pc10.bold("Management commands:")}
+  ${pc10.cyan("npx create-clean")}          \u2014 interactive menu
+  ${pc10.cyan("npx create-clean connect")}   \u2014 MCP setup for AI tools
+  ${pc10.cyan("npx create-clean status")}    \u2014 check service health
+  ${pc10.cyan("npx create-clean update")}    \u2014 pull latest images
+  ${pc10.cyan("npx create-clean logs")}      \u2014 tail service logs
+  ${pc10.cyan("npx create-clean backup")}    \u2014 backup data`,
+    "Setup complete!"
+  );
+  const openBrowser = await p11.confirm({
+    message: "Open the dashboard in your browser?",
+    initialValue: true
+  });
+  if (!p11.isCancel(openBrowser) && openBrowser) {
+    const { exec: exec2 } = await import("./exec-OIKPD6DO.js");
+    const openCmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? "start" : "xdg-open";
+    try {
+      await exec2(`${openCmd} "${dashboardUrl}"`);
+    } catch {
+    }
+  }
+  p11.outro(pc10.green("Happy coding!"));
+}
+// src/commands/update.ts
+import * as p12 from "@clack/prompts";
+import pc11 from "picocolors";
+async function update() {
+  banner();
+  p12.intro(pc11.bgCyan(pc11.black(" Clean Update ")));
+  const cwd = process.cwd();
+  const s = p12.spinner();
+  p12.log.info(pc11.dim("Pulling latest images...\n"));
+  try {
+    await composePullLive(cwd);
+    console.log();
+    p12.log.success("Images updated");
+  } catch (err) {
+    console.log();
+    p12.log.error(
+      `Failed to pull images: ${err.message}
+  Make sure you're in the Clean installation directory (contains docker-compose.yml).`
+    );
+    process.exit(1);
+  }
+  s.start("Restarting services");
+  try {
+    await composeUp(cwd);
+    s.stop("Services restarted");
+  } catch (err) {
+    s.stop("Restart failed", 1);
+    p12.log.error(`Failed to restart: ${err.message}`);
+    process.exit(1);
+  }
+  p12.outro(pc11.green("Update complete!"));
+}
+// src/commands/status.ts
+import * as p13 from "@clack/prompts";
+import pc12 from "picocolors";
+var SERVICES = [
+  { name: "Engine", url: "http://localhost:8000/health" },
+  { name: "Dashboard", url: "http://localhost:3000" }
+];
+async function checkHealth(svc) {
+  try {
+    const resp = await fetch(svc.url, { signal: AbortSignal.timeout(5e3) });
+    return { name: svc.name, ok: resp.ok, status: `${resp.status} ${resp.statusText}` };
+  } catch (err) {
+    return { name: svc.name, ok: false, status: err.message };
+  }
+}
+async function status() {
+  banner();
+  p13.intro(pc12.bgCyan(pc12.black(" Clean Status ")));
+  const cwd = process.cwd();
+  try {
+    const ps = await composePs(cwd);
+    p13.log.info(`${pc12.bold("Docker Compose:")}
+${ps}`);
+  } catch {
+    p13.log.warn(
+      "Could not get container status. Make sure you're in the Clean installation directory."
+    );
+  }
+  const s = p13.spinner();
+  s.start("Checking service health");
+  const results = await Promise.all(SERVICES.map(checkHealth));
+  s.stop("Health check complete");
+  for (const r of results) {
+    const icon = r.ok ? pc12.green("healthy") : pc12.red("unhealthy");
+    p13.log.info(`${pc12.bold(r.name.padEnd(12))} ${icon}  ${pc12.dim(r.status)}`);
+  }
+  p13.outro(results.every((r) => r.ok) ? pc12.green("All services healthy") : pc12.yellow("Some services need attention"));
+}
+// src/commands/logs.ts
+import pc13 from "picocolors";
+function logs() {
+  banner();
+  console.log(pc13.dim("  Tailing docker compose logs (Ctrl+C to stop)\n"));
+  try {
+    execLive("docker compose logs -f --tail 100", { cwd: process.cwd() });
+  } catch {
+    console.error(
+      pc13.red("Failed to tail logs.") + "\n  Make sure you're in the Clean installation directory."
+    );
+    process.exit(1);
+  }
+}
+// src/commands/backup.ts
+import * as p14 from "@clack/prompts";
+import pc14 from "picocolors";
+import { mkdirSync as mkdirSync2 } from "fs";
+import { join as join2 } from "path";
+async function backup() {
+  banner();
+  p14.intro(pc14.bgCyan(pc14.black(" Clean Backup ")));
+  const cwd = process.cwd();
+  const date = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-").slice(0, 19);
+  const backupDir = join2(cwd, `backup-${date}`);
+  mkdirSync2(backupDir, { recursive: true });
+  const s = p14.spinner();
+  s.start("Backing up PostgreSQL database");
+  const sqlFile = join2(backupDir, "clean.sql");
+  try {
+    const dump = await composeExec(cwd, "db", "pg_dump -U clean clean");
+    const { writeFileSync: writeFileSync2 } = await import("fs");
+    writeFileSync2(sqlFile, dump, "utf-8");
+    s.stop(`Database backup saved`);
+  } catch (err) {
+    s.stop("Database backup failed", 1);
+    p14.log.error(`Failed to dump database: ${err.message}`);
+  }
+  s.start("Backing up vector data");
+  const dataDir = join2(backupDir, "clean-data");
+  mkdirSync2(dataDir, { recursive: true });
+  try {
+    await composeCp(cwd, "clean:/data/clean/.", dataDir);
+    s.stop("Vector data backup saved");
+  } catch (err) {
+    s.stop("Vector data backup failed", 1);
+    p14.log.error(`Failed to copy vector data: ${err.message}`);
+  }
+  try {
+    const { stdout } = await exec(`du -sh "${backupDir}"`);
+    const size = stdout.split("	")[0];
+    p14.log.info(`${pc14.dim("Location:")}  ${backupDir}
+  ${pc14.dim("Size:")}      ${size}`);
+  } catch {
+    p14.log.info(`${pc14.dim("Location:")}  ${backupDir}`);
+  }
+  p14.outro(pc14.green("Backup complete!"));
+}
+// src/commands/connect.ts
+import * as p15 from "@clack/prompts";
+import pc15 from "picocolors";
+import { readFileSync as readFileSync2, existsSync as existsSync2 } from "fs";
+import { join as join3 } from "path";
+function readEnvVar(envPath, key) {
+  try {
+    const content = readFileSync2(envPath, "utf-8");
+    const match = content.match(new RegExp(`^${key}=(.+)$`, "m"));
+    return match?.[1] ?? null;
+  } catch {
+    return null;
+  }
+}
+async function connect() {
+  banner();
+  p15.intro(pc15.bgCyan(pc15.black(" Connect AI Tools ")));
+  const cwd = process.cwd();
+  const envPath = existsSync2(join3(cwd, ".env")) ? join3(cwd, ".env") : join3(cwd, "clean", ".env");
+  if (!existsSync2(envPath)) {
+    p15.log.error(
+      `No Clean installation found.
+  Run ${pc15.cyan("npx create-clean")} first, or cd into your installation directory.`
+    );
+    process.exit(1);
+  }
+  const apiKey = readEnvVar(envPath, "CLEAN_API_KEY") ?? "<your-api-key>";
+  const authUrl = readEnvVar(envPath, "AUTH_URL") ?? "http://localhost:3000";
+  const cleanPort = readEnvVar(envPath, "CLEAN_PORT") ?? "8000";
+  let engineUrl;
+  try {
+    const parsed = new URL(authUrl);
+    parsed.port = cleanPort;
+    engineUrl = parsed.toString().replace(/\/$/, "");
+  } catch {
+    engineUrl = `http://localhost:${cleanPort}`;
+  }
+  const sseUrl = `${engineUrl}/mcp/sse`;
+  const claudeConfig = JSON.stringify(
+    {
+      mcpServers: {
+        clean: {
+          url: sseUrl,
+          headers: {
+            Authorization: `Bearer ${apiKey}`
+          }
+        }
+      }
+    },
+    null,
+    2
+  );
+  p15.log.step(pc15.bold("MCP Server Connection"));
+  p15.log.info(
+    `${pc15.bold("Endpoint:")}  ${pc15.cyan(sseUrl)}
+  ${pc15.bold("API Key:")}   ${pc15.dim(apiKey.slice(0, 8) + "..." + apiKey.slice(-4))}`
+  );
+  p15.note(
+    `${pc15.bold("Claude Desktop / Claude Code")}
+Add to ${pc15.dim("~/.claude/claude_desktop_config.json")}:
+${pc15.cyan(claudeConfig)}`,
+    "Configuration"
+  );
+  p15.log.info(
+    `${pc15.bold("Cursor / VS Code")}
+  Add the same config to your MCP settings in the editor.
+  Cursor: ${pc15.dim("Settings \u2192 MCP Servers \u2192 Add")}
+  VS Code: ${pc15.dim(".vscode/mcp.json or settings.json")}`
+  );
+  p15.log.info(
+    `${pc15.bold("Dashboard API Keys")}
+  Create scoped API keys with repo restrictions at:
+  ${pc15.cyan(authUrl)}`
+  );
+  const copy = await p15.confirm({
+    message: "Copy MCP config to clipboard?",
+    initialValue: true
+  });
+  if (!p15.isCancel(copy) && copy) {
+    try {
+      const { exec: exec2 } = await import("./exec-OIKPD6DO.js");
+      if (process.platform === "darwin") {
+        await exec2(`echo ${JSON.stringify(claudeConfig)} | pbcopy`);
+      } else {
+        await exec2(`echo ${JSON.stringify(claudeConfig)} | xclip -selection clipboard`);
+      }
+      p15.log.success("Config copied to clipboard");
+    } catch {
+      p15.log.warn("Could not copy to clipboard \u2014 copy the config above manually");
+    }
+  }
+  p15.outro(pc15.green("Connect your AI tools and start searching!"));
+}
+// src/index.ts
+var command = process.argv[2];
+var commands = {
+  update,
+  status,
+  logs,
+  backup,
+  connect
+};
+function findInstallation() {
+  const cwd = process.cwd();
+  if (existsSync3(join4(cwd, "docker-compose.yml")) && existsSync3(join4(cwd, ".env"))) {
+    return cwd;
+  }
+  if (existsSync3(join4(cwd, "clean", "docker-compose.yml")) && existsSync3(join4(cwd, "clean", ".env"))) {
+    return join4(cwd, "clean");
+  }
+  return null;
+}
+async function smartStart() {
+  const installDir = findInstallation();
+  if (!installDir) {
+    await setup();
+    return;
+  }
+  const p16 = await import("@clack/prompts");
+  const pc16 = (await import("picocolors")).default;
+  const { banner: banner2 } = await import("./ui-6FJJNJ7F.js");
+  banner2();
+  p16.intro(pc16.bgCyan(pc16.black(" Clean ")));
+  p16.log.info(`Existing installation found in ${pc16.bold(installDir)}`);
+  const action = await p16.select({
+    message: "What would you like to do?",
+    options: [
+      { value: "status", label: "Check status", hint: "service health" },
+      { value: "update", label: "Update", hint: "pull latest images + restart" },
+      { value: "connect", label: "Connect AI tools", hint: "MCP setup for Claude, Cursor, etc." },
+      { value: "logs", label: "View logs", hint: "tail docker compose logs" },
+      { value: "backup", label: "Backup data", hint: "postgres + vector data" },
+      { value: "setup", label: "Re-run setup wizard", hint: "fresh install" }
+    ]
+  });
+  if (p16.isCancel(action)) {
+    p16.outro("Bye!");
+    return;
+  }
+  if (action === "setup") {
+    await setup();
+  } else if (action === "connect") {
+    await connect();
+  } else {
+    await commands[action]();
+  }
+}
+async function main() {
+  try {
+    if (command && command in commands) {
+      await commands[command]();
+    } else if (command === "--help" || command === "-h" || command === "help") {
+      console.log(`
+  create-clean \u2014 Set up Clean, semantic code search for AI agents
+  Usage:
+    npx create-clean              Interactive menu (or setup wizard)
+    npx create-clean setup        Full setup wizard
+    npx create-clean update       Pull latest images + restart
+    npx create-clean status       Check service health
+    npx create-clean connect      MCP setup for AI tools
+    npx create-clean logs         Tail docker compose logs
+    npx create-clean backup       Backup postgres + vector data
+`);
+    } else if (command === "setup") {
+      await setup();
+    } else if (command && command !== "--help") {
+      console.error(`Unknown command: ${command}`);
+      console.error(`Run "create-clean --help" for usage.`);
+      process.exit(1);
+    } else {
+      await smartStart();
+    }
+  } catch (err) {
+    if (err.message?.includes("User force closed")) {
+      console.log("\nCancelled.");
+      process.exit(0);
+    }
+    console.error("Fatal error:", err.message);
+    process.exit(1);
+  }
+}
+main();