npm - buildwithnexus - Versions diffs - 0.2.7 → 0.2.9 - Mend

buildwithnexus 0.2.7 → 0.2.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/bin.js +924 -315
package/dist/nexus-release.tar.gz +0 -0
package/dist/templates/cloud-init.yaml.ejs +22 -21
package/package.json +1 -1

package/dist/bin.js CHANGED Viewed

@@ -1,116 +1,18 @@
 #!/usr/bin/env node
-// src/cli.ts
-import { Command as Command12 } from "commander";
-// src/commands/init.ts
-import { Command } from "commander";
-// src/ui/banner.ts
-import chalk from "chalk";
-var BANNER = `
-  \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557
-  \u2551       ${chalk.bold.cyan("B U I L D   W I T H   N E X U S")}        \u2551
-  \u2551                                              \u2551
-  \u2551   Autonomous AI Runtime \xB7 Nested Isolation   \u2551
-  \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D
-`;
-function showBanner() {
-  console.log(BANNER);
-  console.log(chalk.dim("  v0.2.7 \xB7 buildwithnexus.dev\n"));
-}
-function showPhase(phase, total, description) {
-  const progress = chalk.cyan(`[${phase}/${total}]`);
-  console.log(`
-${progress} ${chalk.bold(description)}`);
-}
-function showCompletion(urls) {
-  const lines = [
-    "",
-    chalk.green("  \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557"),
-    chalk.green("  \u2551  ") + chalk.bold.green("NEXUS Runtime is Live!") + chalk.green("                                 \u2551"),
-    chalk.green("  \u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563"),
-    chalk.green("  \u2551  ") + chalk.white(`Connect:    ${urls.ssh}`.padEnd(55)) + chalk.green("\u2551")
-  ];
-  if (urls.remote) {
-    lines.push(chalk.green("  \u2551  ") + chalk.white(`Remote:     ${urls.remote}`.padEnd(55)) + chalk.green("\u2551"));
-  }
-  lines.push(
-    chalk.green("  \u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563"),
-    chalk.green("  \u2551  ") + chalk.dim("Commands:".padEnd(55)) + chalk.green("\u2551"),
-    chalk.green("  \u2551  ") + chalk.white("  buildwithnexus ssh       - Open CLI".padEnd(55)) + chalk.green("\u2551"),
-    chalk.green("  \u2551  ") + chalk.white("  buildwithnexus status    - Check health".padEnd(55)) + chalk.green("\u2551"),
-    chalk.green("  \u2551  ") + chalk.white("  buildwithnexus logs      - View logs".padEnd(55)) + chalk.green("\u2551"),
-    chalk.green("  \u2551  ") + chalk.white("  buildwithnexus stop      - Shutdown".padEnd(55)) + chalk.green("\u2551"),
-    chalk.green("  \u2551  ") + chalk.white("  buildwithnexus start     - Restart".padEnd(55)) + chalk.green("\u2551"),
-    chalk.green("  \u2551  ") + chalk.white("  buildwithnexus update    - Update release".padEnd(55)) + chalk.green("\u2551"),
-    chalk.green("  \u2551  ") + chalk.white("  buildwithnexus brainstorm - Brainstorm ideas".padEnd(55)) + chalk.green("\u2551"),
-    chalk.green("  \u2551  ") + chalk.white("  buildwithnexus destroy   - Remove all".padEnd(55)) + chalk.green("\u2551"),
-    chalk.green("  \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D"),
-    ""
-  );
-  console.log(lines.join("\n"));
-}
-// src/ui/spinner.ts
-import ora from "ora";
-import chalk2 from "chalk";
-function createSpinner(text) {
-  return ora({ text, color: "cyan", spinner: "dots" });
-}
-function succeed(spinner, text) {
-  spinner.succeed(chalk2.green(text));
-}
-function fail(spinner, text) {
-  spinner.fail(chalk2.red(text));
-}
-// src/ui/logger.ts
-import chalk3 from "chalk";
-var log = {
-  step(msg) {
-    console.log(chalk3.cyan("  \u2192 ") + msg);
-  },
-  success(msg) {
-    console.log(chalk3.green("  \u2713 ") + msg);
-  },
-  error(msg) {
-    console.error(chalk3.red("  \u2717 ") + msg);
-  },
-  warn(msg) {
-    console.log(chalk3.yellow("  \u26A0 ") + msg);
-  },
-  dim(msg) {
-    console.log(chalk3.dim("    " + msg));
-  },
-  detail(label, value) {
-    console.log(chalk3.dim("    " + label + ": ") + value);
-  }
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
 };
-// src/ui/prompts.ts
-import { input, confirm, password } from "@inquirer/prompts";
-import chalk4 from "chalk";
 // src/core/dlp.ts
 import crypto from "crypto";
 import fs from "fs";
 import path from "path";
-var NEXUS_HOME = path.join(process.env.HOME || "~", ".buildwithnexus");
-var SECRET_PATTERNS = [
-  /sk-ant-api03-[A-Za-z0-9_-]{20,}/g,
-  // Anthropic API key
-  /sk-[A-Za-z0-9]{20,}/g,
-  // OpenAI API key
-  /AIza[A-Za-z0-9_-]{35}/g
-  // Google AI API key
-];
-var FORBIDDEN_KEY_CHARS = /[\n\r\t'"\\`${}();&|<>!#%^]/;
-var KEY_VALIDATORS = {
-  ANTHROPIC_API_KEY: /^sk-ant-[A-Za-z0-9_-]{20,}$/,
-  OPENAI_API_KEY: /^sk-[A-Za-z0-9_-]{20,}$/,
-  GOOGLE_API_KEY: /^AIza[A-Za-z0-9_-]{35,}$/,
-  NEXUS_MASTER_SECRET: /^[A-Za-z0-9_-]{20,64}$/
-};
 function yamlEscape(value) {
   return value.replace(/\\/g, "\\\\").replace(/"/g, '\\"').replace(/\n/g, "\\n").replace(/\r/g, "\\r").replace(/\t/g, "\\t").replace(/\0/g, "");
 }
@@ -144,12 +46,6 @@ function redactError(err) {
   }
   return new Error(redact(String(err)));
 }
-var DlpViolation = class extends Error {
-  constructor(message) {
-    super(message);
-    this.name = "DlpViolation";
-  }
-};
 function validateKeyValue(keyName, value) {
   if (FORBIDDEN_KEY_CHARS.test(value)) {
     throw new DlpViolation(
@@ -180,7 +76,6 @@ function validateAllKeys(keys) {
   }
   return violations;
 }
-var HMAC_PATH = path.join(NEXUS_HOME, ".keys.hmac");
 function computeFileHmac(filePath, secret) {
   const content = fs.readFileSync(filePath);
   return crypto.createHmac("sha256", secret).update(content).digest("hex");
@@ -205,8 +100,6 @@ function verifyKeysFile(keysPath, masterSecret) {
     return false;
   }
 }
-var AUDIT_PATH = path.join(NEXUS_HOME, "audit.log");
-var MAX_AUDIT_SIZE = 10 * 1024 * 1024;
 function audit(event, detail = "") {
   try {
     const dir = path.dirname(AUDIT_PATH);
@@ -233,20 +126,6 @@ function audit(event, detail = "") {
   } catch {
   }
 }
-var SCRUB_KEYS = [
-  "ANTHROPIC_API_KEY",
-  "OPENAI_API_KEY",
-  "GOOGLE_API_KEY",
-  "NEXUS_MASTER_SECRET",
-  "NEXUS_SECRET",
-  "AWS_SECRET_ACCESS_KEY",
-  "AWS_SESSION_TOKEN",
-  "GITHUB_TOKEN",
-  "GH_TOKEN",
-  "NPM_TOKEN",
-  "DOCKER_PASSWORD",
-  "CI_JOB_TOKEN"
-];
 function scrubEnv() {
   const clean = { ...process.env };
   for (const key of SCRUB_KEYS) {
@@ -265,145 +144,69 @@ function scrubEnv() {
   }
   return clean;
 }
-// src/ui/prompts.ts
-async function promptInitConfig() {
-  console.log(chalk4.bold("\n  API Keys\n"));
-  const anthropicKey = await password({
-    message: "Anthropic API key (required):",
-    mask: "*",
-    validate: (val) => {
-      if (!val) return "API key is required";
-      if (!val.startsWith("sk-ant-")) return "Must start with sk-ant-";
-      try {
-        validateKeyValue("ANTHROPIC_API_KEY", val);
-      } catch (err) {
-        if (err instanceof DlpViolation) return err.message;
-      }
-      return true;
-    }
-  });
-  const openaiKey = await password({
-    message: "OpenAI API key (optional, press Enter to skip):",
-    mask: "*",
-    validate: (val) => {
-      if (!val) return true;
-      try {
-        validateKeyValue("OPENAI_API_KEY", val);
-      } catch (err) {
-        if (err instanceof DlpViolation) return err.message;
-      }
-      return true;
-    }
-  });
-  const googleKey = await password({
-    message: "Google AI API key (optional, press Enter to skip):",
-    mask: "*",
-    validate: (val) => {
-      if (!val) return true;
-      try {
-        validateKeyValue("GOOGLE_API_KEY", val);
-      } catch (err) {
-        if (err instanceof DlpViolation) return err.message;
-      }
-      return true;
-    }
-  });
-  console.log(chalk4.bold("\n  VM Resources\n"));
-  const vmRam = Number(
-    await input({
-      message: "VM RAM in GB:",
-      default: "4",
-      validate: (v) => {
-        const n = Number(v);
-        if (!Number.isInteger(n) || n < 2 || n > 256) return "Must be a whole number between 2 and 256";
-        return true;
-      }
-    })
-  );
-  const vmCpus = Number(
-    await input({
-      message: "VM CPUs:",
-      default: "2",
-      validate: (v) => {
-        const n = Number(v);
-        if (!Number.isInteger(n) || n < 1 || n > 64) return "Must be a whole number between 1 and 64";
-        return true;
-      }
-    })
-  );
-  const vmDisk = Number(
-    await input({
-      message: "VM Disk in GB:",
-      default: "20",
-      validate: (v) => {
-        const n = Number(v);
-        if (!Number.isInteger(n) || n < 10 || n > 2048) return "Must be a whole number between 10 and 2048";
-        return true;
-      }
-    })
-  );
-  console.log(chalk4.bold("\n  Configuration\n"));
-  const enableTunnel = await confirm({
-    message: "Enable Cloudflare tunnel for remote access?",
-    default: true
-  });
-  return {
-    anthropicKey,
-    openaiKey,
-    googleKey,
-    vmRam,
-    vmCpus,
-    vmDisk,
-    enableTunnel
-  };
-}
-// src/core/platform.ts
-import os from "os";
-function detectPlatform() {
-  const platform = os.platform();
-  const arch = os.arch();
-  if (platform === "darwin") {
-    return {
-      os: "mac",
-      arch: arch === "arm64" ? "arm64" : "x64",
-      qemuBinary: "qemu-system-aarch64",
-      qemuCpuFlag: "-cpu host",
-      ubuntuImage: "jammy-server-cloudimg-arm64.img",
-      biosPath: "/opt/homebrew/share/qemu/edk2-aarch64-code.fd"
-    };
-  }
-  if (platform === "linux") {
-    return {
-      os: "linux",
-      arch: arch === "arm64" ? "arm64" : "x64",
-      qemuBinary: arch === "arm64" ? "qemu-system-aarch64" : "qemu-system-x86_64",
-      qemuCpuFlag: "-cpu host -enable-kvm",
-      ubuntuImage: arch === "arm64" ? "jammy-server-cloudimg-arm64.img" : "jammy-server-cloudimg-amd64.img",
-      biosPath: arch === "arm64" ? "/usr/share/qemu-efi-aarch64/QEMU_EFI.fd" : "/usr/share/OVMF/OVMF_CODE.fd"
+var NEXUS_HOME, SECRET_PATTERNS, FORBIDDEN_KEY_CHARS, KEY_VALIDATORS, DlpViolation, HMAC_PATH, AUDIT_PATH, MAX_AUDIT_SIZE, SCRUB_KEYS;
+var init_dlp = __esm({
+  "src/core/dlp.ts"() {
+    "use strict";
+    NEXUS_HOME = path.join(process.env.HOME || "~", ".buildwithnexus");
+    SECRET_PATTERNS = [
+      /sk-ant-api03-[A-Za-z0-9_-]{20,}/g,
+      // Anthropic API key
+      /sk-[A-Za-z0-9]{20,}/g,
+      // OpenAI API key
+      /AIza[A-Za-z0-9_-]{35}/g
+      // Google AI API key
+    ];
+    FORBIDDEN_KEY_CHARS = /[\n\r\t'"\\`${}();&|<>!#%^]/;
+    KEY_VALIDATORS = {
+      ANTHROPIC_API_KEY: /^sk-ant-[A-Za-z0-9_-]{20,}$/,
+      OPENAI_API_KEY: /^sk-[A-Za-z0-9_-]{20,}$/,
+      GOOGLE_API_KEY: /^AIza[A-Za-z0-9_-]{35,}$/,
+      NEXUS_MASTER_SECRET: /^[A-Za-z0-9_-]{20,64}$/
     };
-  }
-  if (platform === "win32") {
-    return {
-      os: "windows",
-      arch: "x64",
-      qemuBinary: "qemu-system-x86_64",
-      qemuCpuFlag: "-cpu qemu64",
-      ubuntuImage: "jammy-server-cloudimg-amd64.img",
-      biosPath: "C:\\Program Files\\qemu\\share\\edk2-x86_64-code.fd"
+    DlpViolation = class extends Error {
+      constructor(message) {
+        super(message);
+        this.name = "DlpViolation";
+      }
     };
+    HMAC_PATH = path.join(NEXUS_HOME, ".keys.hmac");
+    AUDIT_PATH = path.join(NEXUS_HOME, "audit.log");
+    MAX_AUDIT_SIZE = 10 * 1024 * 1024;
+    SCRUB_KEYS = [
+      "ANTHROPIC_API_KEY",
+      "OPENAI_API_KEY",
+      "GOOGLE_API_KEY",
+      "NEXUS_MASTER_SECRET",
+      "NEXUS_SECRET",
+      "AWS_SECRET_ACCESS_KEY",
+      "AWS_SESSION_TOKEN",
+      "GITHUB_TOKEN",
+      "GH_TOKEN",
+      "NPM_TOKEN",
+      "DOCKER_PASSWORD",
+      "CI_JOB_TOKEN"
+    ];
   }
-  throw new Error(`Unsupported platform: ${platform} ${arch}`);
-}
+});
 // src/core/secrets.ts
+var secrets_exports = {};
+__export(secrets_exports, {
+  CONFIG_PATH: () => CONFIG_PATH,
+  KEYS_PATH: () => KEYS_PATH,
+  NEXUS_HOME: () => NEXUS_HOME2,
+  ensureHome: () => ensureHome,
+  generateMasterSecret: () => generateMasterSecret,
+  loadConfig: () => loadConfig,
+  loadKeys: () => loadKeys,
+  maskKey: () => maskKey,
+  saveConfig: () => saveConfig,
+  saveKeys: () => saveKeys
+});
 import fs2 from "fs";
 import path2 from "path";
 import crypto2 from "crypto";
-var NEXUS_HOME2 = path2.join(process.env.HOME || "~", ".buildwithnexus");
-var CONFIG_PATH = path2.join(NEXUS_HOME2, "config.json");
-var KEYS_PATH = path2.join(NEXUS_HOME2, ".env.keys");
 function ensureHome() {
   fs2.mkdirSync(NEXUS_HOME2, { recursive: true, mode: 448 });
   fs2.mkdirSync(path2.join(NEXUS_HOME2, "vm", "images"), { recursive: true, mode: 448 });
@@ -455,18 +258,36 @@ function maskKey(key) {
   const reveal = Math.min(4, Math.floor(key.length * 0.1));
   return key.slice(0, reveal) + "..." + key.slice(-reveal);
 }
+var NEXUS_HOME2, CONFIG_PATH, KEYS_PATH;
+var init_secrets = __esm({
+  "src/core/secrets.ts"() {
+    "use strict";
+    init_dlp();
+    NEXUS_HOME2 = path2.join(process.env.HOME || "~", ".buildwithnexus");
+    CONFIG_PATH = path2.join(NEXUS_HOME2, "config.json");
+    KEYS_PATH = path2.join(NEXUS_HOME2, ".env.keys");
+  }
+});
 // src/core/qemu.ts
+var qemu_exports = {};
+__export(qemu_exports, {
+  createDisk: () => createDisk,
+  downloadImage: () => downloadImage,
+  getVmPid: () => getVmPid,
+  installQemu: () => installQemu,
+  isQemuInstalled: () => isQemuInstalled,
+  isVmRunning: () => isVmRunning,
+  launchVm: () => launchVm,
+  resolvePortConflicts: () => resolvePortConflicts,
+  stopVm: () => stopVm
+});
 import fs3 from "fs";
 import net from "net";
 import path3 from "path";
 import { execa } from "execa";
 import { select } from "@inquirer/prompts";
 import chalk5 from "chalk";
-var VM_DIR = path3.join(NEXUS_HOME2, "vm");
-var IMAGES_DIR = path3.join(VM_DIR, "images");
-var PID_FILE = path3.join(VM_DIR, "qemu.pid");
-var UBUNTU_BASE_URL = "https://cloud-images.ubuntu.com/jammy/current";
 async function isQemuInstalled(platform) {
   try {
     await execa(platform.qemuBinary, ["--version"], { env: scrubEnv() });
@@ -593,31 +414,38 @@ async function resolvePortConflicts(ports) {
 async function launchVm(platform, diskPath, initIsoPath, ram, cpus, ports) {
   const machineArg = platform.os === "mac" ? "-machine virt,gic-version=3" : "-machine pc";
   const biosArgs = fs3.existsSync(platform.biosPath) ? ["-bios", platform.biosPath] : [];
-  const args = [
-    ...machineArg.split(" "),
-    ...platform.qemuCpuFlag.split(" "),
-    "-m",
-    `${ram}G`,
-    "-smp",
-    `${cpus}`,
-    "-drive",
-    `file=${diskPath},if=virtio,cache=writethrough`,
-    "-drive",
-    `file=${initIsoPath},if=virtio,format=raw,cache=writethrough`,
-    "-display",
-    "none",
-    "-serial",
-    "none",
-    "-net",
-    "nic,model=virtio",
-    "-net",
-    `user,hostfwd=tcp::${ports.ssh}-:22,hostfwd=tcp::${ports.http}-:4200,hostfwd=tcp::${ports.https}-:443`,
-    ...biosArgs,
-    "-pidfile",
-    PID_FILE,
-    "-daemonize"
-  ];
-  await execa(platform.qemuBinary, args, { env: scrubEnv() });
+  function buildArgs(cpuFlag) {
+    return [
+      ...machineArg.split(" "),
+      ...cpuFlag.split(" "),
+      "-m",
+      `${ram}G`,
+      "-smp",
+      `${cpus}`,
+      "-drive",
+      `file=${diskPath},if=virtio,cache=writethrough`,
+      "-drive",
+      `file=${initIsoPath},if=virtio,format=raw,cache=writethrough`,
+      "-display",
+      "none",
+      "-serial",
+      "none",
+      "-net",
+      "nic,model=virtio",
+      "-net",
+      `user,hostfwd=tcp::${ports.ssh}-:22,hostfwd=tcp::${ports.http}-:4200,hostfwd=tcp::${ports.https}-:443`,
+      ...biosArgs,
+      "-pidfile",
+      PID_FILE,
+      "-daemonize"
+    ];
+  }
+  try {
+    await execa(platform.qemuBinary, buildArgs(platform.qemuCpuFlag), { env: scrubEnv() });
+  } catch {
+    const fallbackCpu = platform.os === "mac" ? "-cpu max" : "-cpu qemu64";
+    await execa(platform.qemuBinary, buildArgs(fallbackCpu), { env: scrubEnv() });
+  }
   return ports;
 }
 function readValidPid() {
@@ -652,18 +480,36 @@ function stopVm() {
 function getVmPid() {
   return readValidPid();
 }
+var VM_DIR, IMAGES_DIR, PID_FILE, UBUNTU_BASE_URL;
+var init_qemu = __esm({
+  "src/core/qemu.ts"() {
+    "use strict";
+    init_secrets();
+    init_dlp();
+    VM_DIR = path3.join(NEXUS_HOME2, "vm");
+    IMAGES_DIR = path3.join(VM_DIR, "images");
+    PID_FILE = path3.join(VM_DIR, "qemu.pid");
+    UBUNTU_BASE_URL = "https://cloud-images.ubuntu.com/jammy/current";
+  }
+});
 // src/core/ssh.ts
+var ssh_exports = {};
+__export(ssh_exports, {
+  addSshConfig: () => addSshConfig,
+  generateSshKey: () => generateSshKey,
+  getKeyPath: () => getKeyPath,
+  getPubKey: () => getPubKey,
+  openInteractiveSsh: () => openInteractiveSsh,
+  sshExec: () => sshExec,
+  sshUploadFile: () => sshUploadFile,
+  waitForSsh: () => waitForSsh
+});
 import fs4 from "fs";
 import path4 from "path";
 import crypto3 from "crypto";
 import { execa as execa2 } from "execa";
 import { NodeSSH } from "node-ssh";
-var SSH_DIR = path4.join(NEXUS_HOME2, "ssh");
-var SSH_KEY = path4.join(SSH_DIR, "id_nexus_vm");
-var SSH_PUB_KEY = path4.join(SSH_DIR, "id_nexus_vm.pub");
-var KNOWN_HOSTS = path4.join(SSH_DIR, "known_hosts_nexus_vm");
-var PINNED_HOST_KEY = path4.join(SSH_DIR, "vm_host_key.pin");
 function getHostVerifier() {
   if (!fs4.existsSync(PINNED_HOST_KEY)) {
     return (key) => {
@@ -681,6 +527,9 @@ function getHostVerifier() {
     return match;
   };
 }
+function getKeyPath() {
+  return SSH_KEY;
+}
 function getPubKey() {
   return fs4.readFileSync(SSH_PUB_KEY, "utf-8").trim();
 }
@@ -769,14 +618,256 @@ async function sshUploadFile(port, localPath, remotePath) {
     privateKeyPath: SSH_KEY,
     hostVerifier: getHostVerifier()
   });
-  await ssh.putFile(localPath, remotePath);
-  ssh.dispose();
+  await ssh.putFile(localPath, remotePath);
+  ssh.dispose();
+}
+async function openInteractiveSsh(port) {
+  await execa2("ssh", ["nexus-vm"], { stdio: "inherit", env: scrubEnv() });
+}
+var SSH_DIR, SSH_KEY, SSH_PUB_KEY, KNOWN_HOSTS, PINNED_HOST_KEY;
+var init_ssh = __esm({
+  "src/core/ssh.ts"() {
+    "use strict";
+    init_secrets();
+    init_dlp();
+    SSH_DIR = path4.join(NEXUS_HOME2, "ssh");
+    SSH_KEY = path4.join(SSH_DIR, "id_nexus_vm");
+    SSH_PUB_KEY = path4.join(SSH_DIR, "id_nexus_vm.pub");
+    KNOWN_HOSTS = path4.join(SSH_DIR, "known_hosts_nexus_vm");
+    PINNED_HOST_KEY = path4.join(SSH_DIR, "vm_host_key.pin");
+  }
+});
+// src/cli.ts
+import { Command as Command13 } from "commander";
+// src/commands/init.ts
+import { Command } from "commander";
+// src/ui/banner.ts
+import chalk from "chalk";
+var BANNER = `
+  \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557
+  \u2551       ${chalk.bold.cyan("B U I L D   W I T H   N E X U S")}        \u2551
+  \u2551                                              \u2551
+  \u2551   Autonomous AI Runtime \xB7 Nested Isolation   \u2551
+  \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D
+`;
+function showBanner() {
+  console.log(BANNER);
+  console.log(chalk.dim("  v0.2.8 \xB7 buildwithnexus.dev\n"));
+}
+function showPhase(phase, total, description) {
+  const progress = chalk.cyan(`[${phase}/${total}]`);
+  console.log(`
+${progress} ${chalk.bold(description)}`);
+}
+function showCompletion(urls) {
+  const lines = [
+    "",
+    chalk.green("  \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557"),
+    chalk.green("  \u2551  ") + chalk.bold.green("NEXUS Runtime is Live!") + chalk.green("                                 \u2551"),
+    chalk.green("  \u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563"),
+    chalk.green("  \u2551  ") + chalk.white(`Connect:    ${urls.ssh}`.padEnd(55)) + chalk.green("\u2551")
+  ];
+  if (urls.remote) {
+    lines.push(chalk.green("  \u2551  ") + chalk.white(`Remote:     ${urls.remote}`.padEnd(55)) + chalk.green("\u2551"));
+  }
+  lines.push(
+    chalk.green("  \u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563"),
+    chalk.green("  \u2551  ") + chalk.dim("Commands:".padEnd(55)) + chalk.green("\u2551"),
+    chalk.green("  \u2551  ") + chalk.white("  buildwithnexus ssh       - Open CLI".padEnd(55)) + chalk.green("\u2551"),
+    chalk.green("  \u2551  ") + chalk.white("  buildwithnexus status    - Check health".padEnd(55)) + chalk.green("\u2551"),
+    chalk.green("  \u2551  ") + chalk.white("  buildwithnexus logs      - View logs".padEnd(55)) + chalk.green("\u2551"),
+    chalk.green("  \u2551  ") + chalk.white("  buildwithnexus stop      - Shutdown".padEnd(55)) + chalk.green("\u2551"),
+    chalk.green("  \u2551  ") + chalk.white("  buildwithnexus start     - Restart".padEnd(55)) + chalk.green("\u2551"),
+    chalk.green("  \u2551  ") + chalk.white("  buildwithnexus update    - Update release".padEnd(55)) + chalk.green("\u2551"),
+    chalk.green("  \u2551  ") + chalk.white("  buildwithnexus brainstorm - Brainstorm ideas".padEnd(55)) + chalk.green("\u2551"),
+    chalk.green("  \u2551  ") + chalk.white("  buildwithnexus destroy   - Remove all".padEnd(55)) + chalk.green("\u2551"),
+    chalk.green("  \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D"),
+    ""
+  );
+  console.log(lines.join("\n"));
+}
+// src/ui/spinner.ts
+import ora from "ora";
+import chalk2 from "chalk";
+function createSpinner(text) {
+  return ora({ text, color: "cyan", spinner: "dots" });
+}
+function succeed(spinner, text) {
+  spinner.succeed(chalk2.green(text));
+}
+function fail(spinner, text) {
+  spinner.fail(chalk2.red(text));
+}
+// src/ui/logger.ts
+import chalk3 from "chalk";
+var log = {
+  step(msg) {
+    console.log(chalk3.cyan("  \u2192 ") + msg);
+  },
+  success(msg) {
+    console.log(chalk3.green("  \u2713 ") + msg);
+  },
+  error(msg) {
+    console.error(chalk3.red("  \u2717 ") + msg);
+  },
+  warn(msg) {
+    console.log(chalk3.yellow("  \u26A0 ") + msg);
+  },
+  dim(msg) {
+    console.log(chalk3.dim("    " + msg));
+  },
+  detail(label, value) {
+    console.log(chalk3.dim("    " + label + ": ") + value);
+  }
+};
+// src/ui/prompts.ts
+init_dlp();
+import { input, confirm, password } from "@inquirer/prompts";
+import chalk4 from "chalk";
+async function promptInitConfig() {
+  console.log(chalk4.bold("\n  API Keys\n"));
+  const anthropicKey = await password({
+    message: "Anthropic API key (required):",
+    mask: "*",
+    validate: (val) => {
+      if (!val) return "API key is required";
+      if (!val.startsWith("sk-ant-")) return "Must start with sk-ant-";
+      try {
+        validateKeyValue("ANTHROPIC_API_KEY", val);
+      } catch (err) {
+        if (err instanceof DlpViolation) return err.message;
+      }
+      return true;
+    }
+  });
+  const openaiKey = await password({
+    message: "OpenAI API key (optional, press Enter to skip):",
+    mask: "*",
+    validate: (val) => {
+      if (!val) return true;
+      try {
+        validateKeyValue("OPENAI_API_KEY", val);
+      } catch (err) {
+        if (err instanceof DlpViolation) return err.message;
+      }
+      return true;
+    }
+  });
+  const googleKey = await password({
+    message: "Google AI API key (optional, press Enter to skip):",
+    mask: "*",
+    validate: (val) => {
+      if (!val) return true;
+      try {
+        validateKeyValue("GOOGLE_API_KEY", val);
+      } catch (err) {
+        if (err instanceof DlpViolation) return err.message;
+      }
+      return true;
+    }
+  });
+  console.log(chalk4.bold("\n  VM Resources\n"));
+  const vmRam = Number(
+    await input({
+      message: "VM RAM in GB:",
+      default: "4",
+      validate: (v) => {
+        const n = Number(v);
+        if (!Number.isInteger(n) || n < 2 || n > 256) return "Must be a whole number between 2 and 256";
+        return true;
+      }
+    })
+  );
+  const vmCpus = Number(
+    await input({
+      message: "VM CPUs:",
+      default: "2",
+      validate: (v) => {
+        const n = Number(v);
+        if (!Number.isInteger(n) || n < 1 || n > 64) return "Must be a whole number between 1 and 64";
+        return true;
+      }
+    })
+  );
+  const vmDisk = Number(
+    await input({
+      message: "VM Disk in GB:",
+      default: "20",
+      validate: (v) => {
+        const n = Number(v);
+        if (!Number.isInteger(n) || n < 10 || n > 2048) return "Must be a whole number between 10 and 2048";
+        return true;
+      }
+    })
+  );
+  console.log(chalk4.bold("\n  Configuration\n"));
+  const enableTunnel = await confirm({
+    message: "Enable Cloudflare tunnel for remote access?",
+    default: true
+  });
+  return {
+    anthropicKey,
+    openaiKey,
+    googleKey,
+    vmRam,
+    vmCpus,
+    vmDisk,
+    enableTunnel
+  };
 }
-async function openInteractiveSsh(port) {
-  await execa2("ssh", ["nexus-vm"], { stdio: "inherit", env: scrubEnv() });
+// src/core/platform.ts
+import os from "os";
+function detectPlatform() {
+  const platform = os.platform();
+  const arch = os.arch();
+  if (platform === "darwin") {
+    return {
+      os: "mac",
+      arch: arch === "arm64" ? "arm64" : "x64",
+      qemuBinary: "qemu-system-aarch64",
+      qemuCpuFlag: "-accel hvf -cpu host",
+      ubuntuImage: "jammy-server-cloudimg-arm64.img",
+      biosPath: "/opt/homebrew/share/qemu/edk2-aarch64-code.fd"
+    };
+  }
+  if (platform === "linux") {
+    return {
+      os: "linux",
+      arch: arch === "arm64" ? "arm64" : "x64",
+      qemuBinary: arch === "arm64" ? "qemu-system-aarch64" : "qemu-system-x86_64",
+      qemuCpuFlag: "-cpu host -enable-kvm",
+      ubuntuImage: arch === "arm64" ? "jammy-server-cloudimg-arm64.img" : "jammy-server-cloudimg-amd64.img",
+      biosPath: arch === "arm64" ? "/usr/share/qemu-efi-aarch64/QEMU_EFI.fd" : "/usr/share/OVMF/OVMF_CODE.fd"
+    };
+  }
+  if (platform === "win32") {
+    return {
+      os: "windows",
+      arch: "x64",
+      qemuBinary: "qemu-system-x86_64",
+      qemuCpuFlag: "-cpu qemu64",
+      ubuntuImage: "jammy-server-cloudimg-amd64.img",
+      biosPath: "C:\\Program Files\\qemu\\share\\edk2-x86_64-code.fd"
+    };
+  }
+  throw new Error(`Unsupported platform: ${platform} ${arch}`);
 }
+// src/commands/init.ts
+init_secrets();
+init_qemu();
+init_ssh();
 // src/core/cloudinit.ts
+init_secrets();
+init_dlp();
 import fs5 from "fs";
 import path5 from "path";
 import ejs from "ejs";
@@ -870,6 +961,7 @@ async function createCloudInitIso(userDataPath) {
 }
 // src/core/health.ts
+init_ssh();
 async function checkHealth(port, vmRunning) {
   const status = {
     vmRunning,
@@ -930,6 +1022,8 @@ async function waitForCloudInit(port, timeoutMs = 9e5) {
 }
 // src/core/tunnel.ts
+init_ssh();
+init_dlp();
 var CLOUDFLARED_VERSION = "2024.12.2";
 var CLOUDFLARED_SHA256 = {
   amd64: "40ec9a0f5b58e3b04183aaf01c4ddd4dbc6af39b0f06be4b7ce8b1011d0a07ab",
@@ -977,6 +1071,8 @@ async function stopTunnel(sshPort) {
 }
 // src/commands/init.ts
+init_dlp();
+init_ssh();
 import fs6 from "fs";
 import path6 from "path";
 import os2 from "os";
@@ -1098,15 +1194,14 @@ var initCommand = new Command("init").description("Scaffold and launch a new NEX
     spinner.start();
     await sshUploadFile(config.sshPort, tarballPath, "/tmp/nexus-release.tar.gz");
     succeed(spinner, "Tarball uploaded");
-    spinner = createSpinner("Uploading API keys via SSH...");
+    spinner = createSpinner("Staging API keys...");
     spinner.start();
     const keysContent = Object.entries(keys).filter(([, v]) => v).map(([k, v]) => `${k}=${v}`).join("\n") + "\n";
     const tmpKeysPath = path6.join(os2.tmpdir(), `.nexus-keys-${crypto4.randomBytes(8).toString("hex")}`);
     fs6.writeFileSync(tmpKeysPath, keysContent, { mode: 384 });
     try {
-      await sshExec(config.sshPort, "sudo -u nexus mkdir -p /home/nexus/.nexus");
-      await sshUploadFile(config.sshPort, tmpKeysPath, "/home/nexus/.nexus/.env.keys");
-      await sshExec(config.sshPort, "chown nexus:nexus /home/nexus/.nexus/.env.keys && chmod 600 /home/nexus/.nexus/.env.keys");
+      await sshUploadFile(config.sshPort, tmpKeysPath, "/tmp/.nexus-env-keys");
+      await sshExec(config.sshPort, "chmod 600 /tmp/.nexus-env-keys");
     } finally {
       try {
         fs6.writeFileSync(tmpKeysPath, "0".repeat(keysContent.length));
@@ -1114,7 +1209,7 @@ var initCommand = new Command("init").description("Scaffold and launch a new NEX
       } catch {
       }
     }
-    succeed(spinner, "API keys delivered securely via SSH");
+    succeed(spinner, "API keys staged");
     spinner = createSpinner("Cloud-init provisioning (extracting NEXUS, building Docker, installing deps)...");
     spinner.start();
     const cloudInitDone = await waitForCloudInit(config.sshPort);
@@ -1124,6 +1219,10 @@ var initCommand = new Command("init").description("Scaffold and launch a new NEX
       process.exit(1);
     }
     succeed(spinner, "VM fully provisioned");
+    spinner = createSpinner("Delivering API keys...");
+    spinner.start();
+    await sshExec(config.sshPort, "mkdir -p /home/nexus/.nexus && mv /tmp/.nexus-env-keys /home/nexus/.nexus/.env.keys && chown -R nexus:nexus /home/nexus/.nexus && chmod 600 /home/nexus/.nexus/.env.keys");
+    succeed(spinner, "API keys delivered securely");
     showPhase(8, TOTAL_PHASES, "NEXUS Server Startup");
     spinner = createSpinner("Waiting for NEXUS server...");
     spinner.start();
@@ -1166,6 +1265,10 @@ var initCommand = new Command("init").description("Scaffold and launch a new NEX
 // src/commands/start.ts
 import { Command as Command2 } from "commander";
+init_secrets();
+init_qemu();
+init_ssh();
+init_secrets();
 import path7 from "path";
 var startCommand = new Command2("start").description("Start the NEXUS runtime").action(async () => {
   const config = loadConfig();
@@ -1220,6 +1323,9 @@ var startCommand = new Command2("start").description("Start the NEXUS runtime").
 // src/commands/stop.ts
 import { Command as Command3 } from "commander";
+init_secrets();
+init_qemu();
+init_ssh();
 var stopCommand = new Command3("stop").description("Gracefully shut down the NEXUS runtime").action(async () => {
   const config = loadConfig();
   if (!config) {
@@ -1256,6 +1362,8 @@ var stopCommand = new Command3("stop").description("Gracefully shut down the NEX
 // src/commands/status.ts
 import { Command as Command4 } from "commander";
 import chalk6 from "chalk";
+init_secrets();
+init_qemu();
 var statusCommand = new Command4("status").description("Check NEXUS runtime health").option("--json", "Output as JSON").action(async (opts) => {
   const config = loadConfig();
   if (!config) {
@@ -1287,6 +1395,8 @@ var statusCommand = new Command4("status").description("Check NEXUS runtime heal
 import { Command as Command5 } from "commander";
 import chalk7 from "chalk";
 import fs7 from "fs";
+init_qemu();
+init_secrets();
 import path8 from "path";
 import { execa as execa4 } from "execa";
 var doctorCommand = new Command5("doctor").description("Diagnose NEXUS runtime environment").action(async () => {
@@ -1354,6 +1464,10 @@ var doctorCommand = new Command5("doctor").description("Diagnose NEXUS runtime e
 // src/commands/logs.ts
 import { Command as Command6 } from "commander";
+init_secrets();
+init_qemu();
+init_ssh();
+init_dlp();
 import { execa as execa5 } from "execa";
 var logsCommand = new Command6("logs").description("View NEXUS server logs").option("-f, --follow", "Follow log output").option("-n, --lines <n>", "Number of lines to show", "50").action(async (opts) => {
   const config = loadConfig();
@@ -1392,6 +1506,9 @@ import { Command as Command7 } from "commander";
 import path9 from "path";
 import fs8 from "fs";
 import { fileURLToPath as fileURLToPath2 } from "url";
+init_secrets();
+init_qemu();
+init_ssh();
 function getReleaseTarball2() {
   const dir = path9.dirname(fileURLToPath2(import.meta.url));
   const tarballPath = path9.join(dir, "nexus-release.tar.gz");
@@ -1450,6 +1567,8 @@ import { Command as Command8 } from "commander";
 import chalk8 from "chalk";
 import fs9 from "fs";
 import { input as input2 } from "@inquirer/prompts";
+init_secrets();
+init_qemu();
 import path10 from "path";
 var destroyCommand = new Command8("destroy").description("Remove NEXUS VM and all data").option("--force", "Skip confirmation").action(async (opts) => {
   const config = loadConfig();
@@ -1504,6 +1623,8 @@ var destroyCommand = new Command8("destroy").description("Remove NEXUS VM and al
 import { Command as Command9 } from "commander";
 import { password as password2 } from "@inquirer/prompts";
 import chalk9 from "chalk";
+init_secrets();
+init_dlp();
 var keysCommand = new Command9("keys").description("Manage API keys");
 keysCommand.command("list").description("Show configured API keys (masked)").action(() => {
   const keys = loadKeys();
@@ -1560,6 +1681,9 @@ keysCommand.command("set <key>").description("Set or update an API key (e.g. ANT
 // src/commands/ssh.ts
 import { Command as Command10 } from "commander";
+init_secrets();
+init_qemu();
+init_ssh();
 var sshCommand = new Command10("ssh").description("Open an SSH session into the NEXUS VM").action(async () => {
   const config = loadConfig();
   if (!config) {
@@ -1578,6 +1702,10 @@ var sshCommand = new Command10("ssh").description("Open an SSH session into the
 import { Command as Command11 } from "commander";
 import chalk10 from "chalk";
 import { input as input3 } from "@inquirer/prompts";
+init_secrets();
+init_qemu();
+init_ssh();
+init_dlp();
 var COS_PREFIX = chalk10.bold.cyan("  Chief of Staff");
 var YOU_PREFIX = chalk10.bold.white("  You");
 var DIVIDER = chalk10.dim("  " + "\u2500".repeat(56));
@@ -1692,8 +1820,478 @@ var brainstormCommand = new Command11("brainstorm").description("Brainstorm an i
   }
 });
+// src/commands/shell.ts
+import { Command as Command12 } from "commander";
+import chalk13 from "chalk";
+init_secrets();
+init_qemu();
+init_ssh();
+init_dlp();
+// src/ui/repl.ts
+init_secrets();
+import readline from "readline";
+import fs10 from "fs";
+import path11 from "path";
+import chalk11 from "chalk";
+var HISTORY_FILE = path11.join(NEXUS_HOME2, "shell_history");
+var MAX_HISTORY = 1e3;
+var Repl = class {
+  rl = null;
+  commands = /* @__PURE__ */ new Map();
+  onMessage;
+  history = [];
+  constructor(onMessage) {
+    this.onMessage = onMessage;
+    this.loadHistory();
+  }
+  registerCommand(cmd) {
+    this.commands.set(cmd.name, cmd);
+  }
+  loadHistory() {
+    try {
+      if (fs10.existsSync(HISTORY_FILE)) {
+        this.history = fs10.readFileSync(HISTORY_FILE, "utf-8").split("\n").filter(Boolean).slice(-MAX_HISTORY);
+      }
+    } catch {
+    }
+  }
+  saveHistory() {
+    try {
+      const dir = path11.dirname(HISTORY_FILE);
+      fs10.mkdirSync(dir, { recursive: true });
+      fs10.writeFileSync(HISTORY_FILE, this.history.slice(-MAX_HISTORY).join("\n") + "\n", { mode: 384 });
+    } catch {
+    }
+  }
+  async start() {
+    this.rl = readline.createInterface({
+      input: process.stdin,
+      output: process.stdout,
+      prompt: chalk11.bold.cyan("nexus") + chalk11.dim(" \u276F "),
+      history: this.history,
+      historySize: MAX_HISTORY,
+      terminal: true
+    });
+    this.rl.prompt();
+    this.rl.on("line", async (line) => {
+      const trimmed = line.trim();
+      if (!trimmed) {
+        this.rl?.prompt();
+        return;
+      }
+      this.history.push(trimmed);
+      if (trimmed.startsWith("/")) {
+        const parts = trimmed.slice(1).split(/\s+/);
+        const cmdName = parts[0].toLowerCase();
+        if (cmdName === "help") {
+          this.showHelp();
+          this.rl?.prompt();
+          return;
+        }
+        if (cmdName === "exit" || cmdName === "quit") {
+          this.stop();
+          return;
+        }
+        const cmd = this.commands.get(cmdName);
+        if (cmd) {
+          try {
+            await cmd.handler();
+          } catch (err) {
+            console.log(chalk11.red(`  \u2717 Command failed: ${err.message}`));
+          }
+          this.rl?.prompt();
+          return;
+        }
+        console.log(chalk11.yellow(`  Unknown command: /${cmdName}. Type /help for available commands.`));
+        this.rl?.prompt();
+        return;
+      }
+      try {
+        await this.onMessage(trimmed);
+      } catch (err) {
+        console.log(chalk11.red(`  \u2717 ${err.message}`));
+      }
+      this.rl?.prompt();
+    });
+    this.rl.on("close", () => {
+      this.saveHistory();
+      console.log(chalk11.dim("\n  Session ended."));
+      process.exit(0);
+    });
+    this.rl.on("SIGINT", () => {
+      this.stop();
+    });
+  }
+  showHelp() {
+    console.log("");
+    console.log(chalk11.bold("  Available Commands:"));
+    console.log(chalk11.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+    for (const [name, cmd] of this.commands) {
+      console.log(`  ${chalk11.cyan("/" + name.padEnd(14))} ${chalk11.dim(cmd.description)}`);
+    }
+    console.log(`  ${chalk11.cyan("/help".padEnd(15))} ${chalk11.dim("Show this help message")}`);
+    console.log(`  ${chalk11.cyan("/exit".padEnd(15))} ${chalk11.dim("Exit the shell")}`);
+    console.log(chalk11.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+    console.log(chalk11.dim("  Type anything else to chat with NEXUS"));
+    console.log("");
+  }
+  write(text) {
+    if (this.rl) {
+      readline.clearLine(process.stdout, 0);
+      readline.cursorTo(process.stdout, 0);
+      console.log(text);
+      this.rl.prompt(true);
+    } else {
+      console.log(text);
+    }
+  }
+  stop() {
+    this.saveHistory();
+    if (this.rl) {
+      this.rl.close();
+      this.rl = null;
+    }
+  }
+};
+// src/core/event-stream.ts
+init_ssh();
+init_secrets();
+init_dlp();
+import chalk12 from "chalk";
+var ROLE_COLORS = {
+  "Chief of Staff": chalk12.bold.cyan,
+  "VP Engineering": chalk12.bold.blue,
+  "VP Product": chalk12.bold.magenta,
+  "Senior Engineer": chalk12.bold.green,
+  "Engineer": chalk12.green,
+  "QA Lead": chalk12.bold.yellow,
+  "Security Engineer": chalk12.bold.red,
+  "DevOps Engineer": chalk12.bold.hex("#FF8C00"),
+  "default": chalk12.bold.white
+};
+function getColor(role) {
+  if (!role) return ROLE_COLORS["default"];
+  return ROLE_COLORS[role] || ROLE_COLORS["default"];
+}
+function formatEvent(event) {
+  const color = getColor(event.role);
+  const prefix = event.role ? color(`  [${event.role}]`) : "";
+  switch (event.type) {
+    case "agent_thinking":
+      return `${prefix} ${chalk12.dim("thinking...")}`;
+    case "agent_response":
+      return `${prefix} ${redact(event.content ?? "")}`;
+    case "task_delegated":
+      return `${prefix} ${chalk12.dim("\u2192")} delegated to ${chalk12.bold(event.target ?? "agent")}`;
+    case "agent_complete":
+      return `${prefix} ${chalk12.green("\u2713")} ${chalk12.dim("complete")}`;
+    case "error":
+      return `  ${chalk12.red("\u2717")} ${redact(event.content ?? "Unknown error")}`;
+    case "heartbeat":
+      return null;
+    default:
+      return null;
+  }
+}
+function parseSSEData(raw) {
+  const events = [];
+  const blocks = raw.split("\n\n");
+  for (const block of blocks) {
+    if (!block.trim()) continue;
+    let data = "";
+    for (const line of block.split("\n")) {
+      if (line.startsWith("data: ")) {
+        data += line.slice(6);
+      }
+    }
+    if (data) {
+      try {
+        events.push(JSON.parse(data));
+      } catch {
+      }
+    }
+  }
+  return events;
+}
+var EventStream = class {
+  active = false;
+  lastId = "0";
+  onEvent;
+  pollInterval = null;
+  constructor(onEvent) {
+    this.onEvent = onEvent;
+  }
+  async start() {
+    this.active = true;
+    const config = loadConfig();
+    if (!config) return;
+    this.pollInterval = setInterval(async () => {
+      if (!this.active) return;
+      try {
+        const { stdout, code } = await sshExec(
+          config.sshPort,
+          `curl -sf -H 'Last-Event-ID: ${this.lastId}' http://localhost:4200/events?timeout=1 2>/dev/null || true`
+        );
+        if (code === 0 && stdout.trim()) {
+          const events = parseSSEData(stdout);
+          for (const event of events) {
+            if (event.id) this.lastId = event.id;
+            this.onEvent(event);
+          }
+        }
+      } catch {
+      }
+    }, 2e3);
+  }
+  stop() {
+    this.active = false;
+    if (this.pollInterval) {
+      clearInterval(this.pollInterval);
+      this.pollInterval = null;
+    }
+  }
+};
+// src/commands/shell.ts
+async function sendMessage2(sshPort, message) {
+  const payload = JSON.stringify({ message, source: "shell" });
+  const escaped = shellEscape(payload);
+  const { stdout, code } = await sshExec(
+    sshPort,
+    `curl -sf -X POST http://localhost:4200/message -H 'Content-Type: application/json' -d ${escaped}`
+  );
+  if (code !== 0) throw new Error("Server returned a non-zero exit code");
+  try {
+    const parsed = JSON.parse(stdout);
+    return parsed.response ?? parsed.message ?? stdout;
+  } catch {
+    return stdout;
+  }
+}
+function showShellBanner(health) {
+  const check = chalk13.green("\u2713");
+  const cross = chalk13.red("\u2717");
+  console.log("");
+  console.log(chalk13.bold("  \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557"));
+  console.log(chalk13.bold("  \u2551  ") + chalk13.bold.cyan("NEXUS Interactive Shell") + chalk13.bold("                                 \u2551"));
+  console.log(chalk13.bold("  \u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563"));
+  console.log(chalk13.bold("  \u2551  ") + `${health.vmRunning ? check : cross} VM    ${health.sshReady ? check : cross} SSH    ${health.dockerReady ? check : cross} Docker    ${health.serverHealthy ? check : cross} Engine`.padEnd(55) + chalk13.bold("\u2551"));
+  if (health.tunnelUrl) {
+    console.log(chalk13.bold("  \u2551  ") + chalk13.dim(`Tunnel: ${health.tunnelUrl}`.padEnd(55)) + chalk13.bold("\u2551"));
+  }
+  console.log(chalk13.bold("  \u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563"));
+  console.log(chalk13.bold("  \u2551  ") + chalk13.dim("Type naturally to chat \xB7 /help for commands".padEnd(55)) + chalk13.bold("\u2551"));
+  console.log(chalk13.bold("  \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D"));
+  console.log("");
+}
+async function getAgentList(sshPort) {
+  try {
+    const { stdout, code } = await sshExec(sshPort, "curl -sf http://localhost:4200/agents");
+    if (code !== 0) return "Could not retrieve agent list";
+    const agents = JSON.parse(stdout);
+    if (!Array.isArray(agents)) return stdout;
+    const lines = [""];
+    lines.push(chalk13.bold("  Registered Agents:"));
+    lines.push(chalk13.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+    for (const agent of agents) {
+      const name = agent.name ?? agent.id ?? "unknown";
+      const role = agent.role ?? "";
+      const status = agent.status === "active" ? chalk13.green("\u25CF") : chalk13.dim("\u25CB");
+      lines.push(`  ${status} ${chalk13.bold(name.padEnd(24))} ${chalk13.dim(role)}`);
+    }
+    lines.push("");
+    return lines.join("\n");
+  } catch {
+    return "  Could not retrieve agent list";
+  }
+}
+async function getStatus(sshPort) {
+  try {
+    const vmRunning = isVmRunning();
+    const health = await checkHealth(sshPort, vmRunning);
+    const check = chalk13.green("\u2713");
+    const cross = chalk13.red("\u2717");
+    const lines = [""];
+    lines.push(chalk13.bold("  System Status:"));
+    lines.push(chalk13.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+    lines.push(`  ${health.vmRunning ? check : cross} Virtual Machine`);
+    lines.push(`  ${health.sshReady ? check : cross} SSH Connection`);
+    lines.push(`  ${health.dockerReady ? check : cross} Docker Engine`);
+    lines.push(`  ${health.serverHealthy ? check : cross} NEXUS Engine`);
+    if (health.tunnelUrl) {
+      lines.push(`  ${check} Tunnel: ${health.tunnelUrl}`);
+    } else {
+      lines.push(`  ${cross} Tunnel: not active`);
+    }
+    lines.push("");
+    return lines.join("\n");
+  } catch {
+    return "  Could not check status";
+  }
+}
+async function getCost(sshPort) {
+  try {
+    const { stdout, code } = await sshExec(sshPort, "curl -sf http://localhost:4200/cost");
+    if (code !== 0) return "  Could not retrieve cost data";
+    const data = JSON.parse(stdout);
+    const lines = [""];
+    lines.push(chalk13.bold("  Token Costs:"));
+    lines.push(chalk13.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+    if (data.total !== void 0) {
+      lines.push(`  Total: ${chalk13.bold.green("$" + Number(data.total).toFixed(4))}`);
+    }
+    if (data.today !== void 0) {
+      lines.push(`  Today: ${chalk13.bold("$" + Number(data.today).toFixed(4))}`);
+    }
+    if (data.by_agent && typeof data.by_agent === "object") {
+      lines.push("");
+      lines.push(chalk13.dim("  By Agent:"));
+      for (const [agent, cost] of Object.entries(data.by_agent)) {
+        lines.push(`    ${agent.padEnd(20)} $${Number(cost).toFixed(4)}`);
+      }
+    }
+    lines.push("");
+    return lines.join("\n");
+  } catch {
+    return "  Could not retrieve cost data";
+  }
+}
+var shellCommand2 = new Command12("shell").description("Launch the interactive NEXUS shell").action(async () => {
+  try {
+    const config = loadConfig();
+    if (!config) {
+      log.error("No NEXUS configuration found. Run: buildwithnexus init");
+      process.exit(1);
+    }
+    if (!isVmRunning()) {
+      log.error("VM is not running. Start it with: buildwithnexus start");
+      process.exit(1);
+    }
+    const spinner = createSpinner("Connecting to NEXUS...");
+    spinner.start();
+    const health = await checkHealth(config.sshPort, true);
+    if (!health.serverHealthy) {
+      fail(spinner, "NEXUS engine is not responding");
+      log.warn("Check status: buildwithnexus status");
+      process.exit(1);
+    }
+    succeed(spinner, "Connected to NEXUS engine");
+    showShellBanner(health);
+    const eventStream = new EventStream((event) => {
+      const formatted = formatEvent(event);
+      if (formatted) repl.write(formatted);
+    });
+    eventStream.start();
+    const repl = new Repl(async (text) => {
+      const thinkingSpinner = createSpinner("Processing...");
+      thinkingSpinner.start();
+      try {
+        const response = await sendMessage2(config.sshPort, text);
+        thinkingSpinner.stop();
+        thinkingSpinner.clear();
+        console.log("");
+        console.log(chalk13.bold.cyan("  Chief of Staff:"));
+        const lines = redact(response).split("\n");
+        for (const line of lines) {
+          console.log(chalk13.white("  " + line));
+        }
+        console.log("");
+      } catch (err) {
+        thinkingSpinner.stop();
+        thinkingSpinner.clear();
+        throw err;
+      }
+    });
+    repl.registerCommand({
+      name: "brainstorm",
+      description: "Enter brainstorm mode",
+      handler: async () => {
+        console.log(chalk13.dim("  Entering brainstorm mode... (type 'exit' to return)"));
+        const { input: input4 } = await import("@inquirer/prompts");
+        const idea = await input4({ message: "What would you like to brainstorm?" });
+        if (!idea.trim()) return;
+        const brainstormSpinner = createSpinner("Chief of Staff is consulting the team...");
+        brainstormSpinner.start();
+        const response = await sendMessage2(config.sshPort, `[BRAINSTORM] The CEO wants to brainstorm: ${idea}`);
+        brainstormSpinner.stop();
+        brainstormSpinner.clear();
+        console.log("");
+        console.log(chalk13.bold.cyan("  Chief of Staff:"));
+        for (const line of redact(response).split("\n")) {
+          console.log(chalk13.white("  " + line));
+        }
+        console.log("");
+      }
+    });
+    repl.registerCommand({
+      name: "status",
+      description: "Show system health status",
+      handler: async () => {
+        const result = await getStatus(config.sshPort);
+        console.log(result);
+      }
+    });
+    repl.registerCommand({
+      name: "agents",
+      description: "List registered agents",
+      handler: async () => {
+        const result = await getAgentList(config.sshPort);
+        console.log(result);
+      }
+    });
+    repl.registerCommand({
+      name: "cost",
+      description: "Show token usage and costs",
+      handler: async () => {
+        const result = await getCost(config.sshPort);
+        console.log(result);
+      }
+    });
+    repl.registerCommand({
+      name: "logs",
+      description: "Show recent server logs",
+      handler: async () => {
+        const { stdout } = await sshExec(config.sshPort, "tail -30 /home/nexus/.nexus/logs/server.log 2>/dev/null");
+        console.log("");
+        console.log(chalk13.bold("  Recent Logs:"));
+        console.log(chalk13.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+        for (const line of redact(stdout).split("\n")) {
+          console.log(chalk13.dim("  " + line));
+        }
+        console.log("");
+      }
+    });
+    repl.registerCommand({
+      name: "ssh",
+      description: "Open interactive SSH session",
+      handler: async () => {
+        const { openInteractiveSsh: openInteractiveSsh2 } = await Promise.resolve().then(() => (init_ssh(), ssh_exports));
+        eventStream.stop();
+        await openInteractiveSsh2(config.sshPort);
+        eventStream.start();
+      }
+    });
+    process.on("SIGINT", () => {
+      eventStream.stop();
+      repl.stop();
+    });
+    await repl.start();
+  } catch (err) {
+    if (err.code === "ERR_USE_AFTER_CLOSE") {
+      console.log("");
+      log.success("Shell session ended");
+      return;
+    }
+    const safeErr = redactError(err);
+    log.error(`Shell failed: ${safeErr.message}`);
+    process.exit(1);
+  }
+});
 // src/cli.ts
-var cli = new Command12().name("buildwithnexus").description("Auto-scaffold and launch a fully autonomous NEXUS runtime").version("0.2.7");
+var cli = new Command13().name("buildwithnexus").description("Auto-scaffold and launch a fully autonomous NEXUS runtime").version("0.2.8");
 cli.addCommand(initCommand);
 cli.addCommand(startCommand);
 cli.addCommand(stopCommand);
@@ -1705,23 +2303,34 @@ cli.addCommand(destroyCommand);
 cli.addCommand(keysCommand);
 cli.addCommand(sshCommand);
 cli.addCommand(brainstormCommand);
-cli.action(() => {
+cli.addCommand(shellCommand2);
+cli.action(async () => {
+  try {
+    const { loadConfig: loadConfig2 } = await Promise.resolve().then(() => (init_secrets(), secrets_exports));
+    const { isVmRunning: isVmRunning3 } = await Promise.resolve().then(() => (init_qemu(), qemu_exports));
+    const config = loadConfig2();
+    if (config && isVmRunning3()) {
+      await shellCommand2.parseAsync([], { from: "user" });
+      return;
+    }
+  } catch {
+  }
   cli.help();
 });
 // src/core/update-notifier.ts
-import fs10 from "fs";
-import path11 from "path";
+import fs11 from "fs";
+import path12 from "path";
 import os3 from "os";
 import https from "https";
-import chalk11 from "chalk";
+import chalk14 from "chalk";
 var PACKAGE_NAME = "buildwithnexus";
 var CHECK_INTERVAL_MS = 4 * 60 * 60 * 1e3;
-var STATE_DIR = path11.join(os3.homedir(), ".buildwithnexus");
-var STATE_FILE = path11.join(STATE_DIR, ".update-check.json");
+var STATE_DIR = path12.join(os3.homedir(), ".buildwithnexus");
+var STATE_FILE = path12.join(STATE_DIR, ".update-check.json");
 function readState() {
   try {
-    const raw = fs10.readFileSync(STATE_FILE, "utf-8");
+    const raw = fs11.readFileSync(STATE_FILE, "utf-8");
     return JSON.parse(raw);
   } catch {
     return { lastCheck: 0, latestVersion: null };
@@ -1729,8 +2338,8 @@ function readState() {
 }
 function writeState(state) {
   try {
-    fs10.mkdirSync(STATE_DIR, { recursive: true, mode: 448 });
-    fs10.writeFileSync(STATE_FILE, JSON.stringify(state), { mode: 384 });
+    fs11.mkdirSync(STATE_DIR, { recursive: true, mode: 448 });
+    fs11.writeFileSync(STATE_FILE, JSON.stringify(state), { mode: 384 });
   } catch {
   }
 }
@@ -1795,8 +2404,8 @@ async function checkForUpdates(currentVersion) {
 function printUpdateBanner(current, latest) {
   const msg = [
     "",
-    chalk11.yellow(`  Update available: ${current} \u2192 ${latest}`),
-    chalk11.cyan(`  Run: npm update -g buildwithnexus`),
+    chalk14.yellow(`  Update available: ${current} \u2192 ${latest}`),
+    chalk14.cyan(`  Run: npm update -g buildwithnexus`),
     ""
   ].join("\n");
   process.stderr.write(msg + "\n");