buildwithnexus 0.5.13 → 0.5.15

package/dist/bin.js

@@ -23,12 +23,12 @@ import { dirname, join } from "path";
 import { fileURLToPath } from "url";
 function getVersion() {
   try {
-    const __dirname2 = dirname(fileURLToPath(import.meta.url));
-    const packagePath = join(__dirname2, "..", "..", "package.json");
-    const packageJson2 = JSON.parse(readFileSync(packagePath, "utf-8"));
-    return packageJson2.version;
+    const __dirname = dirname(fileURLToPath(import.meta.url));
+    const packagePath = join(__dirname, "..", "..", "package.json");
+    const packageJson = JSON.parse(readFileSync(packagePath, "utf-8"));
+    return packageJson.version;
   } catch (e) {
-    return "0.5.10";
+    return "0.5.15";
   }
 }
 function showBanner() {
@@ -296,26 +296,26 @@ __export(secrets_exports, {
   saveConfig: () => saveConfig,
   saveKeys: () => saveKeys
 });
-import fs3 from "fs";
-import path3 from "path";
+import fs2 from "fs";
+import path2 from "path";
 import crypto2 from "crypto";
 function ensureHome() {
-  fs3.mkdirSync(NEXUS_HOME2, { recursive: true, mode: 448 });
-  fs3.mkdirSync(path3.join(NEXUS_HOME2, "vm", "images"), { recursive: true, mode: 448 });
-  fs3.mkdirSync(path3.join(NEXUS_HOME2, "vm", "configs"), { recursive: true, mode: 448 });
-  fs3.mkdirSync(path3.join(NEXUS_HOME2, "vm", "logs"), { recursive: true, mode: 448 });
-  fs3.mkdirSync(path3.join(NEXUS_HOME2, "ssh"), { recursive: true, mode: 448 });
+  fs2.mkdirSync(NEXUS_HOME2, { recursive: true, mode: 448 });
+  fs2.mkdirSync(path2.join(NEXUS_HOME2, "vm", "images"), { recursive: true, mode: 448 });
+  fs2.mkdirSync(path2.join(NEXUS_HOME2, "vm", "configs"), { recursive: true, mode: 448 });
+  fs2.mkdirSync(path2.join(NEXUS_HOME2, "vm", "logs"), { recursive: true, mode: 448 });
+  fs2.mkdirSync(path2.join(NEXUS_HOME2, "ssh"), { recursive: true, mode: 448 });
 }
 function generateMasterSecret() {
   return crypto2.randomBytes(32).toString("base64url");
 }
 function saveConfig(config) {
   const { masterSecret: _secret, ...safeConfig } = config;
-  fs3.writeFileSync(CONFIG_PATH, JSON.stringify(safeConfig, null, 2), { mode: 384 });
+  fs2.writeFileSync(CONFIG_PATH, JSON.stringify(safeConfig, null, 2), { mode: 384 });
 }
 function loadConfig() {
-  if (!fs3.existsSync(CONFIG_PATH)) return null;
-  return JSON.parse(fs3.readFileSync(CONFIG_PATH, "utf-8"));
+  if (!fs2.existsSync(CONFIG_PATH)) return null;
+  return JSON.parse(fs2.readFileSync(CONFIG_PATH, "utf-8"));
 }
 function saveKeys(keys) {
   const violations = validateAllKeys(keys);
@@ -323,13 +323,13 @@ function saveKeys(keys) {
     throw new DlpViolation(`Key validation failed: ${violations.join("; ")}`);
   }
   const lines = Object.entries(keys).filter(([, v]) => v).map(([k, v]) => `${k}=${v}`);
-  fs3.writeFileSync(KEYS_PATH, lines.join("\n") + "\n", { mode: 384 });
+  fs2.writeFileSync(KEYS_PATH, lines.join("\n") + "\n", { mode: 384 });
   sealKeysFile(KEYS_PATH, keys.NEXUS_MASTER_SECRET);
   audit("keys_saved", `${Object.keys(keys).filter((k) => keys[k]).length} keys saved`);
 }
 function loadKeys() {
-  if (!fs3.existsSync(KEYS_PATH)) return null;
-  const content = fs3.readFileSync(KEYS_PATH, "utf-8");
+  if (!fs2.existsSync(KEYS_PATH)) return null;
+  const content = fs2.readFileSync(KEYS_PATH, "utf-8");
   const keys = {};
   for (const line of content.split("\n")) {
     const eq = line.indexOf("=");
@@ -355,9 +355,9 @@ var init_secrets = __esm({
   "src/core/secrets.ts"() {
     "use strict";
     init_dlp();
-    NEXUS_HOME2 = process.env.NEXUS_HOME || path3.join(process.env.HOME || "~", ".buildwithnexus");
-    CONFIG_PATH = process.env.NEXUS_CONFIG_PATH || path3.join(NEXUS_HOME2, "config.json");
-    KEYS_PATH = process.env.NEXUS_KEYS_PATH || path3.join(NEXUS_HOME2, ".env.keys");
+    NEXUS_HOME2 = process.env.NEXUS_HOME || path2.join(process.env.HOME || "~", ".buildwithnexus");
+    CONFIG_PATH = process.env.NEXUS_CONFIG_PATH || path2.join(NEXUS_HOME2, "config.json");
+    KEYS_PATH = process.env.NEXUS_KEYS_PATH || path2.join(NEXUS_HOME2, ".env.keys");
   }
 });
 
@@ -374,9 +374,9 @@ __export(qemu_exports, {
   resolvePortConflicts: () => resolvePortConflicts,
   stopVm: () => stopVm
 });
-import fs4 from "fs";
+import fs3 from "fs";
 import net from "net";
-import path4 from "path";
+import path3 from "path";
 import { execa, execaSync } from "execa";
 import { select } from "@inquirer/prompts";
 import chalk5 from "chalk";
@@ -409,15 +409,15 @@ async function installQemu(platform) {
   }
 }
 async function downloadImage(platform) {
-  const imagePath = path4.join(IMAGES_DIR, platform.ubuntuImage);
-  if (fs4.existsSync(imagePath)) return imagePath;
+  const imagePath = path3.join(IMAGES_DIR, platform.ubuntuImage);
+  if (fs3.existsSync(imagePath)) return imagePath;
   const url = `${UBUNTU_BASE_URL}/${platform.ubuntuImage}`;
   await execa("curl", ["-L", "-C", "-", "-o", imagePath, "--progress-bar", url], { stdio: "inherit", env: scrubEnv() });
   return imagePath;
 }
 async function createDisk(basePath, sizeGb) {
-  const diskPath = path4.join(IMAGES_DIR, "nexus-vm-disk.qcow2");
-  if (fs4.existsSync(diskPath)) return diskPath;
+  const diskPath = path3.join(IMAGES_DIR, "nexus-vm-disk.qcow2");
+  if (fs3.existsSync(diskPath)) return diskPath;
   await execa("qemu-img", ["create", "-f", "qcow2", "-b", basePath, "-F", "qcow2", diskPath, `${sizeGb}G`], { env: scrubEnv() });
   return diskPath;
 }
@@ -511,36 +511,31 @@ async function resolvePortConflicts(ports) {
 }
 async function launchVm(platform, diskPath, initIsoPath, ram, cpus, ports) {
   const machineArgs = platform.os === "mac" ? ["-machine", "virt,gic-version=3"] : ["-machine", "pc"];
-  const biosArgs = fs4.existsSync(platform.biosPath) ? ["-bios", platform.biosPath] : [];
-  const buildArgs = (cpuArgs) => {
-    const logsDir = path4.join(NEXUS_HOME2, "vm", "logs");
-    fs4.mkdirSync(logsDir, { recursive: true });
-    const serialLogPath = path4.join(logsDir, "serial.log");
-    return [
-      ...machineArgs,
-      ...cpuArgs,
-      "-m",
-      `${ram}G`,
-      "-smp",
-      `${cpus}`,
-      "-drive",
-      `file=${diskPath},if=virtio,cache=writethrough`,
-      "-drive",
-      `file=${initIsoPath},if=ide,media=cdrom`,
-      "-display",
-      "none",
-      "-serial",
-      `file:${serialLogPath}`,
-      "-net",
-      "nic,model=virtio",
-      "-net",
-      `user,hostfwd=tcp::${ports.ssh}-:22,hostfwd=tcp::${ports.http}-:4200,hostfwd=tcp::${ports.https}-:443`,
-      ...biosArgs,
-      "-pidfile",
-      PID_FILE,
-      "-daemonize"
-    ];
-  };
+  const biosArgs = fs3.existsSync(platform.biosPath) ? ["-bios", platform.biosPath] : [];
+  const buildArgs = (cpuArgs) => [
+    ...machineArgs,
+    ...cpuArgs,
+    "-m",
+    `${ram}G`,
+    "-smp",
+    `${cpus}`,
+    "-drive",
+    `file=${diskPath},if=virtio,cache=writethrough`,
+    "-drive",
+    `file=${initIsoPath},if=virtio,format=raw,cache=writethrough`,
+    "-display",
+    "none",
+    "-serial",
+    "none",
+    "-net",
+    "nic,model=virtio",
+    "-net",
+    `user,hostfwd=tcp::${ports.ssh}-:22,hostfwd=tcp::${ports.http}-:4200,hostfwd=tcp::${ports.https}-:443`,
+    ...biosArgs,
+    "-pidfile",
+    PID_FILE,
+    "-daemonize"
+  ];
   try {
     await execa(platform.qemuBinary, buildArgs(platform.qemuCpuFlag.split(" ")), { env: scrubEnv() });
   } catch {
@@ -550,8 +545,8 @@ async function launchVm(platform, diskPath, initIsoPath, ram, cpus, ports) {
   return ports;
 }
 function readValidPid() {
-  if (!fs4.existsSync(PID_FILE)) return null;
-  const raw = fs4.readFileSync(PID_FILE, "utf-8").trim();
+  if (!fs3.existsSync(PID_FILE)) return null;
+  const raw = fs3.readFileSync(PID_FILE, "utf-8").trim();
   const pid = parseInt(raw, 10);
   if (!Number.isInteger(pid) || pid <= 1 || pid > 4194304) return null;
   return pid;
@@ -579,7 +574,7 @@ function stopVm() {
   if (!pid) return;
   if (!isQemuPid(pid)) {
     try {
-      fs4.unlinkSync(PID_FILE);
+      fs3.unlinkSync(PID_FILE);
     } catch {
     }
     return;
@@ -589,7 +584,7 @@ function stopVm() {
   } catch {
   }
   try {
-    fs4.unlinkSync(PID_FILE);
+    fs3.unlinkSync(PID_FILE);
   } catch {
   }
 }
@@ -602,9 +597,9 @@ var init_qemu = __esm({
     "use strict";
     init_secrets();
     init_dlp();
-    VM_DIR = path4.join(NEXUS_HOME2, "vm");
-    IMAGES_DIR = path4.join(VM_DIR, "images");
-    PID_FILE = path4.join(VM_DIR, "qemu.pid");
+    VM_DIR = path3.join(NEXUS_HOME2, "vm");
+    IMAGES_DIR = path3.join(VM_DIR, "images");
+    PID_FILE = path3.join(VM_DIR, "qemu.pid");
     UBUNTU_BASE_URL = "https://cloud-images.ubuntu.com/jammy/current";
   }
 });
@@ -621,21 +616,21 @@ __export(ssh_exports, {
   sshUploadFile: () => sshUploadFile,
   waitForSsh: () => waitForSsh
 });
-import fs5 from "fs";
-import path5 from "path";
+import fs4 from "fs";
+import path4 from "path";
 import crypto3 from "crypto";
 import { execa as execa2 } from "execa";
 import { NodeSSH } from "node-ssh";
 function getHostVerifier() {
-  if (!fs5.existsSync(PINNED_HOST_KEY)) {
+  if (!fs4.existsSync(PINNED_HOST_KEY)) {
     return (key) => {
       const fp = crypto3.createHash("sha256").update(key).digest("base64");
-      fs5.writeFileSync(PINNED_HOST_KEY, fp, { mode: 384 });
+      fs4.writeFileSync(PINNED_HOST_KEY, fp, { mode: 384 });
       audit("ssh_exec", `host key pinned: SHA256:${fp}`);
       return true;
     };
   }
-  const pinned = fs5.readFileSync(PINNED_HOST_KEY, "utf-8").trim();
+  const pinned = fs4.readFileSync(PINNED_HOST_KEY, "utf-8").trim();
   return (key) => {
     const fp = crypto3.createHash("sha256").update(key).digest("base64");
     const match = fp === pinned;
@@ -647,11 +642,11 @@ function getKeyPath() {
   return SSH_KEY;
 }
 function getPubKey() {
-  return fs5.readFileSync(SSH_PUB_KEY, "utf-8").trim();
+  return fs4.readFileSync(SSH_PUB_KEY, "utf-8").trim();
 }
 async function generateSshKey() {
-  if (fs5.existsSync(SSH_KEY)) return;
-  fs5.mkdirSync(SSH_DIR, { recursive: true });
+  if (fs4.existsSync(SSH_KEY)) return;
+  fs4.mkdirSync(SSH_DIR, { recursive: true });
   await execa2("ssh-keygen", [
     "-t",
     "ed25519",
@@ -663,13 +658,13 @@ async function generateSshKey() {
     "buildwithnexus@localhost",
     "-q"
   ], { env: scrubEnv() });
-  fs5.chmodSync(SSH_KEY, 384);
-  fs5.chmodSync(SSH_PUB_KEY, 420);
+  fs4.chmodSync(SSH_KEY, 384);
+  fs4.chmodSync(SSH_PUB_KEY, 420);
 }
 function addSshConfig(port) {
-  const sshConfigPath = path5.join(process.env.HOME || "~", ".ssh", "config");
-  const sshDir = path5.dirname(sshConfigPath);
-  fs5.mkdirSync(sshDir, { recursive: true });
+  const sshConfigPath = path4.join(process.env.HOME || "~", ".ssh", "config");
+  const sshDir = path4.dirname(sshConfigPath);
+  fs4.mkdirSync(sshDir, { recursive: true });
   const block = [
     "",
     "Host nexus-vm",
@@ -682,21 +677,19 @@ function addSshConfig(port) {
     "    ServerAliveInterval 60",
     ""
   ].join("\n");
-  if (fs5.existsSync(sshConfigPath)) {
-    const existing = fs5.readFileSync(sshConfigPath, "utf-8");
+  if (fs4.existsSync(sshConfigPath)) {
+    const existing = fs4.readFileSync(sshConfigPath, "utf-8");
     if (existing.includes("Host nexus-vm")) return;
-    fs5.appendFileSync(sshConfigPath, block);
+    fs4.appendFileSync(sshConfigPath, block);
   } else {
-    fs5.writeFileSync(sshConfigPath, block, { mode: 384 });
+    fs4.writeFileSync(sshConfigPath, block, { mode: 384 });
   }
 }
-async function waitForSsh(port, timeoutMs = 6e5) {
+async function waitForSsh(port, timeoutMs = 9e5) {
   const start = Date.now();
-  let attempt = 0;
-  const backoffMs = (n) => Math.min(3e3 * Math.pow(2, n), 3e4);
   while (Date.now() - start < timeoutMs) {
-    const ssh = new NodeSSH();
     try {
+      const ssh = new NodeSSH();
       await ssh.connect({
         host: "localhost",
         port,
@@ -708,14 +701,7 @@ async function waitForSsh(port, timeoutMs = 6e5) {
       ssh.dispose();
       return true;
     } catch {
-      try {
-        ssh.dispose();
-      } catch {
-      }
-      const delay = backoffMs(attempt++);
-      const remaining = timeoutMs - (Date.now() - start);
-      if (remaining <= 0) break;
-      await new Promise((r) => setTimeout(r, Math.min(delay, remaining)));
+      await new Promise((r) => setTimeout(r, 1e4));
     }
   }
   return false;
@@ -728,6 +714,7 @@ async function sshExec(port, command) {
     port,
     username: "nexus",
     privateKeyPath: SSH_KEY,
+    readyTimeout: 3e4,
     hostVerifier: getHostVerifier()
   });
   const result = await ssh.execCommand(command);
@@ -755,19 +742,16 @@ var init_ssh = __esm({
     "use strict";
     init_secrets();
     init_dlp();
-    SSH_DIR = path5.join(NEXUS_HOME2, "ssh");
-    SSH_KEY = path5.join(SSH_DIR, "id_nexus_vm");
-    SSH_PUB_KEY = path5.join(SSH_DIR, "id_nexus_vm.pub");
-    KNOWN_HOSTS = path5.join(SSH_DIR, "known_hosts_nexus_vm");
-    PINNED_HOST_KEY = path5.join(SSH_DIR, "vm_host_key.pin");
+    SSH_DIR = path4.join(NEXUS_HOME2, "ssh");
+    SSH_KEY = path4.join(SSH_DIR, "id_nexus_vm");
+    SSH_PUB_KEY = path4.join(SSH_DIR, "id_nexus_vm.pub");
+    KNOWN_HOSTS = path4.join(SSH_DIR, "known_hosts_nexus_vm");
+    PINNED_HOST_KEY = path4.join(SSH_DIR, "vm_host_key.pin");
   }
 });
 
 // src/cli.ts
 import { Command as Command14 } from "commander";
-import { readFileSync as readFileSync2 } from "fs";
-import { dirname as dirname2, join as join2 } from "path";
-import { fileURLToPath as fileURLToPath4 } from "url";
 
 // src/commands/init.ts
 init_banner();
@@ -821,39 +805,6 @@ var log = {
 init_dlp();
 import { input, confirm, password } from "@inquirer/prompts";
 import chalk4 from "chalk";
-import fs2 from "fs";
-import path2 from "path";
-import os from "os";
-function loadInitConfigFromDisk() {
-  const homeDir = os.homedir();
-  const configPath = path2.join(homeDir, ".buildwithnexus", "config.json");
-  const keysPath = path2.join(homeDir, ".buildwithnexus", ".env.keys");
-  if (!fs2.existsSync(configPath)) return null;
-  try {
-    const configData = JSON.parse(fs2.readFileSync(configPath, "utf-8"));
-    const keysData = {};
-    if (fs2.existsSync(keysPath)) {
-      const keysContent = fs2.readFileSync(keysPath, "utf-8");
-      keysContent.split("\n").forEach((line) => {
-        const [key, ...valueParts] = line.split("=");
-        if (key && valueParts.length > 0) {
-          keysData[key] = valueParts.join("=");
-        }
-      });
-    }
-    return {
-      anthropicKey: keysData["ANTHROPIC_API_KEY"] || "",
-      openaiKey: keysData["OPENAI_API_KEY"] || "",
-      googleKey: keysData["GOOGLE_API_KEY"] || "",
-      vmRam: configData.vmRam || 4,
-      vmCpus: configData.vmCpus || 2,
-      vmDisk: configData.vmDisk || 10,
-      enableTunnel: configData.enableTunnel !== false
-    };
-  } catch {
-    return null;
-  }
-}
 async function promptInitConfig() {
   console.log(chalk4.bold("\n  API Keys\n"));
   const anthropicKey = await password({
@@ -947,10 +898,10 @@ async function promptInitConfig() {
 }
 
 // src/core/platform.ts
-import os2 from "os";
+import os from "os";
 function detectPlatform() {
-  const platform = os2.platform();
-  const arch = os2.arch();
+  const platform = os.platform();
+  const arch = os.arch();
   if (platform === "darwin") {
     return {
       os: "mac",
@@ -992,12 +943,12 @@ init_ssh();
 // src/core/cloudinit.ts
 init_secrets();
 init_dlp();
-import fs6 from "fs";
-import path6 from "path";
+import fs5 from "fs";
+import path5 from "path";
 import ejs from "ejs";
 import { execa as execa3 } from "execa";
-var CONFIGS_DIR = path6.join(NEXUS_HOME2, "vm", "configs");
-var IMAGES_DIR2 = path6.join(NEXUS_HOME2, "vm", "images");
+var CONFIGS_DIR = path5.join(NEXUS_HOME2, "vm", "configs");
+var IMAGES_DIR2 = path5.join(NEXUS_HOME2, "vm", "images");
 async function renderCloudInit(data, templateContent) {
   const trimmedPubKey = data.sshPubKey.trim();
   if (!/^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp\d+) [A-Za-z0-9+/=]+ ?\S*$/.test(trimmedPubKey)) {
@@ -1009,22 +960,17 @@ async function renderCloudInit(data, templateContent) {
   }
   const safeData = { ...data, sshPubKey: yamlEscape(trimmedPubKey), keys: safeKeys };
   const rendered = ejs.render(templateContent, safeData);
-  const outputPath = path6.join(CONFIGS_DIR, "user-data.yaml");
-  fs6.writeFileSync(outputPath, rendered, { mode: 384 });
+  const outputPath = path5.join(CONFIGS_DIR, "user-data.yaml");
+  fs5.writeFileSync(outputPath, rendered, { mode: 384 });
   audit("cloudinit_rendered", "user-data.yaml written");
   return outputPath;
 }
 async function createCloudInitIso(userDataPath) {
-  const metaDataPath = path6.join(CONFIGS_DIR, "meta-data.yaml");
-  fs6.writeFileSync(metaDataPath, "instance-id: nexus-vm-1\nlocal-hostname: nexus-vm\n", { mode: 384 });
-  const isoPath = path6.join(IMAGES_DIR2, "init.iso");
+  const metaDataPath = path5.join(CONFIGS_DIR, "meta-data.yaml");
+  fs5.writeFileSync(metaDataPath, "instance-id: nexus-vm-1\nlocal-hostname: nexus-vm\n", { mode: 384 });
+  const isoPath = path5.join(IMAGES_DIR2, "init.iso");
   const env = scrubEnv();
   try {
-    const stagingDir = path6.join(CONFIGS_DIR, "cidata-staging");
-    fs6.rmSync(stagingDir, { recursive: true, force: true });
-    fs6.mkdirSync(stagingDir, { recursive: true, mode: 448 });
-    fs6.copyFileSync(userDataPath, path6.join(stagingDir, "user-data"));
-    fs6.copyFileSync(metaDataPath, path6.join(stagingDir, "meta-data"));
     let created = false;
     for (const tool of ["mkisofs", "genisoimage"]) {
       if (created) break;
@@ -1036,7 +982,8 @@ async function createCloudInitIso(userDataPath) {
           "cidata",
           "-joliet",
           "-rock",
-          stagingDir
+          userDataPath,
+          metaDataPath
         ], { env });
         created = true;
       } catch {
@@ -1044,10 +991,10 @@ async function createCloudInitIso(userDataPath) {
     }
     if (!created) {
       try {
-        const stagingDir2 = path6.join(CONFIGS_DIR, "cidata-staging");
-        fs6.mkdirSync(stagingDir2, { recursive: true, mode: 448 });
-        fs6.copyFileSync(userDataPath, path6.join(stagingDir2, "user-data"));
-        fs6.copyFileSync(metaDataPath, path6.join(stagingDir2, "meta-data"));
+        const stagingDir = path5.join(CONFIGS_DIR, "cidata-staging");
+        fs5.mkdirSync(stagingDir, { recursive: true, mode: 448 });
+        fs5.copyFileSync(userDataPath, path5.join(stagingDir, "user-data"));
+        fs5.copyFileSync(metaDataPath, path5.join(stagingDir, "meta-data"));
         await execa3("hdiutil", [
           "makehybrid",
           "-o",
@@ -1056,9 +1003,9 @@ async function createCloudInitIso(userDataPath) {
           "-iso",
           "-default-volume-name",
           "cidata",
-          stagingDir2
+          stagingDir
         ], { env });
-        fs6.rmSync(stagingDir2, { recursive: true, force: true });
+        fs5.rmSync(stagingDir, { recursive: true, force: true });
         created = true;
       } catch {
       }
@@ -1068,16 +1015,16 @@ async function createCloudInitIso(userDataPath) {
         "Cannot create cloud-init ISO: none of mkisofs, genisoimage, or hdiutil are available. On macOS, install cdrtools: brew install cdrtools. On Linux: sudo apt install genisoimage"
       );
     }
-    fs6.chmodSync(isoPath, 384);
+    fs5.chmodSync(isoPath, 384);
     audit("cloudinit_iso_created", "init.iso created");
     return isoPath;
   } finally {
     try {
-      fs6.unlinkSync(userDataPath);
+      fs5.unlinkSync(userDataPath);
     } catch {
     }
     try {
-      fs6.unlinkSync(metaDataPath);
+      fs5.unlinkSync(metaDataPath);
     } catch {
     }
     audit("cloudinit_plaintext_deleted", "user-data.yaml and meta-data.yaml removed");
@@ -1225,14 +1172,12 @@ async function installCloudflared(sshPort, arch) {
   ].join(" && "));
 }
 async function startTunnel(sshPort) {
-  await sshExec(sshPort, [
-    "install -m 600 /dev/null /home/nexus/.nexus/tunnel.log",
-    "&& nohup cloudflared tunnel --no-autoupdate --url http://localhost:4200",
-    "> /home/nexus/.nexus/tunnel.log 2>&1 &",
-    "disown"
-  ].join(" "));
+  await sshExec(
+    sshPort,
+    "install -m 600 /dev/null /home/nexus/.nexus/tunnel.log && bash -c 'nohup cloudflared tunnel --no-autoupdate --url http://localhost:4200 > /home/nexus/.nexus/tunnel.log 2>&1 &'"
+  );
   const start = Date.now();
-  while (Date.now() - start < 6e4) {
+  while (Date.now() - start < 12e4) {
     try {
       const { stdout } = await sshExec(sshPort, "grep -oE 'https://[a-z0-9-]+\\.trycloudflare\\.com' /home/nexus/.nexus/tunnel.log 2>/dev/null | head -1");
       if (stdout.includes("https://")) {
@@ -1258,25 +1203,32 @@ async function stopTunnel(sshPort) {
 // src/commands/init.ts
 init_dlp();
 init_ssh();
-import fs7 from "fs";
-import path7 from "path";
-import os3 from "os";
+import fs6 from "fs";
+import path6 from "path";
+import os2 from "os";
 import crypto4 from "crypto";
 import { fileURLToPath as fileURLToPath2 } from "url";
 function getReleaseTarball() {
-  const dir = path7.dirname(fileURLToPath2(import.meta.url));
-  const tarballPath = path7.join(dir, "nexus-release.tar.gz");
-  if (fs7.existsSync(tarballPath)) return tarballPath;
-  const rootPath = path7.resolve(dir, "..", "dist", "nexus-release.tar.gz");
-  if (fs7.existsSync(rootPath)) return rootPath;
-  throw new Error("nexus-release.tar.gz not found. Run: npm run bundle");
+  const dir = path6.dirname(fileURLToPath2(import.meta.url));
+  const possiblePaths = [
+    // Current directory (dev)
+    path6.join(dir, "nexus-release.tar.gz"),
+    // dist folder (when built)
+    path6.resolve(dir, "..", "dist", "nexus-release.tar.gz"),
+    // node_modules location (when installed from npm)
+    path6.resolve(dir, "..", "nexus-release.tar.gz")
+  ];
+  for (const tarballPath of possiblePaths) {
+    if (fs6.existsSync(tarballPath)) return tarballPath;
+  }
+  throw new Error("nexus-release.tar.gz not found. Run: npm install buildwithnexus@latest");
 }
 function getCloudInitTemplate() {
-  const dir = path7.dirname(fileURLToPath2(import.meta.url));
-  const templatePath = path7.join(dir, "templates", "cloud-init.yaml.ejs");
-  if (fs7.existsSync(templatePath)) return fs7.readFileSync(templatePath, "utf-8");
-  const srcPath = path7.resolve(dir, "..", "src", "templates", "cloud-init.yaml.ejs");
-  return fs7.readFileSync(srcPath, "utf-8");
+  const dir = path6.dirname(fileURLToPath2(import.meta.url));
+  const templatePath = path6.join(dir, "templates", "cloud-init.yaml.ejs");
+  if (fs6.existsSync(templatePath)) return fs6.readFileSync(templatePath, "utf-8");
+  const srcPath = path6.resolve(dir, "..", "src", "templates", "cloud-init.yaml.ejs");
+  return fs6.readFileSync(srcPath, "utf-8");
 }
 async function withSpinner(spinner, label, fn) {
   spinner.text = label;
@@ -1294,11 +1246,7 @@ var phases = [
       const platform = detectPlatform();
       log.detail("Platform", `${platform.os} ${platform.arch}`);
       log.detail("QEMU", platform.qemuBinary);
-      const isNonInteractive = process.env.BUILDWITHNEXUS_NONINTERACTIVE === "1" || process.env.CI === "true";
-      let userConfig = isNonInteractive ? loadInitConfigFromDisk() : null;
-      if (!userConfig) {
-        userConfig = await promptInitConfig();
-      }
+      const userConfig = await promptInitConfig();
       ensureHome();
       const masterSecret = generateMasterSecret();
       const config = {
@@ -1352,6 +1300,11 @@ var phases = [
       const { config } = ctx;
       await withSpinner(spinner, "Generating SSH key...", async () => {
         await generateSshKey();
+        const pinFile = path6.join(path6.dirname(getKeyPath()), "vm_host_key.pin");
+        try {
+          fs6.unlinkSync(pinFile);
+        } catch {
+        }
         addSshConfig(config.sshPort);
       });
     }
@@ -1434,15 +1387,15 @@ var phases = [
       );
       await withSpinner(spinner, "Staging API keys...", async () => {
         const keysContent = Object.entries(keys).filter(([, v]) => v).map(([k, v]) => `${k}=${v}`).join("\n") + "\n";
-        const tmpKeysPath = path7.join(os3.tmpdir(), `.nexus-keys-${crypto4.randomBytes(8).toString("hex")}`);
-        fs7.writeFileSync(tmpKeysPath, keysContent, { mode: 384 });
+        const tmpKeysPath = path6.join(os2.tmpdir(), `.nexus-keys-${crypto4.randomBytes(8).toString("hex")}`);
+        fs6.writeFileSync(tmpKeysPath, keysContent, { mode: 384 });
         try {
           await sshUploadFile(config.sshPort, tmpKeysPath, "/tmp/.nexus-env-keys");
           await sshExec(config.sshPort, "chmod 600 /tmp/.nexus-env-keys");
         } finally {
           try {
-            fs7.writeFileSync(tmpKeysPath, "0".repeat(keysContent.length));
-            fs7.unlinkSync(tmpKeysPath);
+            fs6.writeFileSync(tmpKeysPath, "0".repeat(keysContent.length));
+            fs6.unlinkSync(tmpKeysPath);
           } catch {
           }
         }
@@ -1563,7 +1516,7 @@ init_secrets();
 init_qemu();
 init_ssh();
 init_secrets();
-import path8 from "path";
+import path7 from "path";
 var startCommand = new Command2("start").description("Start the NEXUS runtime").action(async () => {
   const config = loadConfig();
   if (!config) {
@@ -1575,8 +1528,8 @@ var startCommand = new Command2("start").description("Start the NEXUS runtime").
     return;
   }
   const platform = detectPlatform();
-  const diskPath = path8.join(NEXUS_HOME2, "vm", "images", "nexus-vm-disk.qcow2");
-  const isoPath = path8.join(NEXUS_HOME2, "vm", "images", "init.iso");
+  const diskPath = path7.join(NEXUS_HOME2, "vm", "images", "nexus-vm-disk.qcow2");
+  const isoPath = path7.join(NEXUS_HOME2, "vm", "images", "init.iso");
   let spinner = createSpinner("Starting VM...");
   spinner.start();
   await launchVm(platform, diskPath, isoPath, config.vmRam, config.vmCpus, {
@@ -1692,10 +1645,10 @@ var statusCommand = new Command4("status").description("Check NEXUS runtime heal
 // src/commands/doctor.ts
 import { Command as Command5 } from "commander";
 import chalk8 from "chalk";
-import fs8 from "fs";
+import fs7 from "fs";
 init_qemu();
 init_secrets();
-import path9 from "path";
+import path8 from "path";
 import { execa as execa4 } from "execa";
 var doctorCommand = new Command5("doctor").description("Diagnose NEXUS runtime environment").action(async () => {
   const platform = detectPlatform();
@@ -1725,11 +1678,11 @@ var doctorCommand = new Command5("doctor").description("Diagnose NEXUS runtime e
   } catch {
   }
   console.log(`  ${check(isoTool)}  ISO tool (mkisofs/genisoimage)`);
-  const keyExists = fs8.existsSync(path9.join(NEXUS_HOME2, "ssh", "id_nexus_vm"));
+  const keyExists = fs7.existsSync(path8.join(NEXUS_HOME2, "ssh", "id_nexus_vm"));
   console.log(`  ${check(keyExists)}  SSH key`);
   const config = loadConfig();
   console.log(`  ${check(!!config)}  Configuration`);
-  const diskExists = fs8.existsSync(path9.join(NEXUS_HOME2, "vm", "images", "nexus-vm-disk.qcow2"));
+  const diskExists = fs7.existsSync(path8.join(NEXUS_HOME2, "vm", "images", "nexus-vm-disk.qcow2"));
   console.log(`  ${check(diskExists)}  VM disk image`);
   if (config) {
     for (const [name, port] of [["SSH", config.sshPort], ["HTTP", config.httpPort], ["HTTPS", config.httpsPort]]) {
@@ -1750,7 +1703,7 @@ var doctorCommand = new Command5("doctor").description("Diagnose NEXUS runtime e
       }
     }
   }
-  const biosOk = fs8.existsSync(platform.biosPath);
+  const biosOk = fs7.existsSync(platform.biosPath);
   console.log(`  ${check(biosOk)}  UEFI firmware ${biosOk ? "" : chalk8.dim(platform.biosPath)}`);
   console.log("");
   if (qemuOk && isoTool && biosOk) {
@@ -1801,18 +1754,18 @@ var logsCommand = new Command6("logs").description("View NEXUS server logs").opt
 
 // src/commands/update.ts
 import { Command as Command7 } from "commander";
-import path10 from "path";
-import fs9 from "fs";
+import path9 from "path";
+import fs8 from "fs";
 import { fileURLToPath as fileURLToPath3 } from "url";
 init_secrets();
 init_qemu();
 init_ssh();
 function getReleaseTarball2() {
-  const dir = path10.dirname(fileURLToPath3(import.meta.url));
-  const tarballPath = path10.join(dir, "nexus-release.tar.gz");
-  if (fs9.existsSync(tarballPath)) return tarballPath;
-  const rootPath = path10.resolve(dir, "..", "dist", "nexus-release.tar.gz");
-  if (fs9.existsSync(rootPath)) return rootPath;
+  const dir = path9.dirname(fileURLToPath3(import.meta.url));
+  const tarballPath = path9.join(dir, "nexus-release.tar.gz");
+  if (fs8.existsSync(tarballPath)) return tarballPath;
+  const rootPath = path9.resolve(dir, "..", "dist", "nexus-release.tar.gz");
+  if (fs8.existsSync(rootPath)) return rootPath;
   throw new Error("nexus-release.tar.gz not found. Reinstall buildwithnexus to get the latest release.");
 }
 var updateCommand = new Command7("update").description("Update NEXUS to the latest bundled release and restart").action(async () => {
@@ -1863,11 +1816,11 @@ var updateCommand = new Command7("update").description("Update NEXUS to the late
 // src/commands/destroy.ts
 import { Command as Command8 } from "commander";
 import chalk9 from "chalk";
-import fs10 from "fs";
+import fs9 from "fs";
 import { input as input2 } from "@inquirer/prompts";
 init_secrets();
 init_qemu();
-import path11 from "path";
+import path10 from "path";
 var destroyCommand = new Command8("destroy").description("Remove NEXUS VM and all data").option("--force", "Skip confirmation").action(async (opts) => {
   const config = loadConfig();
   if (!opts.force) {
@@ -1895,9 +1848,9 @@ var destroyCommand = new Command8("destroy").description("Remove NEXUS VM and al
     }
     stopVm();
   }
-  const sshConfigPath = path11.join(process.env.HOME || "~", ".ssh", "config");
-  if (fs10.existsSync(sshConfigPath)) {
-    const content = fs10.readFileSync(sshConfigPath, "utf-8");
+  const sshConfigPath = path10.join(process.env.HOME || "~", ".ssh", "config");
+  if (fs9.existsSync(sshConfigPath)) {
+    const content = fs9.readFileSync(sshConfigPath, "utf-8");
     const lines = content.split("\n");
     const filtered = [];
     let skip = false;
@@ -1910,9 +1863,9 @@ var destroyCommand = new Command8("destroy").description("Remove NEXUS VM and al
       skip = false;
       filtered.push(line);
     }
-    fs10.writeFileSync(sshConfigPath, filtered.join("\n"));
+    fs9.writeFileSync(sshConfigPath, filtered.join("\n"));
   }
-  fs10.rmSync(NEXUS_HOME2, { recursive: true, force: true });
+  fs9.rmSync(NEXUS_HOME2, { recursive: true, force: true });
   succeed(spinner, "NEXUS runtime destroyed");
   log.dim("Run 'buildwithnexus init' to set up again");
 });
@@ -2325,10 +2278,10 @@ init_dlp();
 // src/ui/repl.ts
 init_secrets();
 import readline from "readline";
-import fs11 from "fs";
-import path12 from "path";
+import fs10 from "fs";
+import path11 from "path";
 import chalk13 from "chalk";
-var HISTORY_FILE = path12.join(NEXUS_HOME2, "shell_history");
+var HISTORY_FILE = path11.join(NEXUS_HOME2, "shell_history");
 var MAX_HISTORY = 1e3;
 var Repl = class {
   rl = null;
@@ -2344,17 +2297,17 @@ var Repl = class {
   }
   loadHistory() {
     try {
-      if (fs11.existsSync(HISTORY_FILE)) {
-        this.history = fs11.readFileSync(HISTORY_FILE, "utf-8").split("\n").filter(Boolean).slice(-MAX_HISTORY);
+      if (fs10.existsSync(HISTORY_FILE)) {
+        this.history = fs10.readFileSync(HISTORY_FILE, "utf-8").split("\n").filter(Boolean).slice(-MAX_HISTORY);
       }
     } catch {
     }
   }
   saveHistory() {
     try {
-      const dir = path12.dirname(HISTORY_FILE);
-      fs11.mkdirSync(dir, { recursive: true });
-      fs11.writeFileSync(HISTORY_FILE, this.history.slice(-MAX_HISTORY).join("\n") + "\n", { mode: 384 });
+      const dir = path11.dirname(HISTORY_FILE);
+      fs10.mkdirSync(dir, { recursive: true });
+      fs10.writeFileSync(HISTORY_FILE, this.history.slice(-MAX_HISTORY).join("\n") + "\n", { mode: 384 });
     } catch {
     }
   }
@@ -2969,9 +2922,7 @@ var shellCommand2 = new Command13("shell").description("Launch the interactive N
 });
 
 // src/cli.ts
-var __dirname = dirname2(fileURLToPath4(import.meta.url));
-var packageJson = JSON.parse(readFileSync2(join2(__dirname, "..", "package.json"), "utf-8"));
-var cli = new Command14().name("buildwithnexus").description("Auto-scaffold and launch a fully autonomous NEXUS runtime").version(packageJson.version);
+var cli = new Command14().name("buildwithnexus").description("Auto-scaffold and launch a fully autonomous NEXUS runtime").version("0.3.1");
 cli.addCommand(initCommand);
 cli.addCommand(startCommand);
 cli.addCommand(stopCommand);
@@ -3000,18 +2951,18 @@ cli.action(async () => {
 });
 
 // src/core/update-notifier.ts
-import fs12 from "fs";
-import path13 from "path";
-import os4 from "os";
+import fs11 from "fs";
+import path12 from "path";
+import os3 from "os";
 import https from "https";
 import chalk16 from "chalk";
 var PACKAGE_NAME = "buildwithnexus";
 var CHECK_INTERVAL_MS = 4 * 60 * 60 * 1e3;
-var STATE_DIR = path13.join(os4.homedir(), ".buildwithnexus");
-var STATE_FILE = path13.join(STATE_DIR, ".update-check.json");
+var STATE_DIR = path12.join(os3.homedir(), ".buildwithnexus");
+var STATE_FILE = path12.join(STATE_DIR, ".update-check.json");
 function readState() {
   try {
-    const raw = fs12.readFileSync(STATE_FILE, "utf-8");
+    const raw = fs11.readFileSync(STATE_FILE, "utf-8");
     return JSON.parse(raw);
   } catch {
     return { lastCheck: 0, latestVersion: null };
@@ -3019,8 +2970,8 @@ function readState() {
 }
 function writeState(state) {
   try {
-    fs12.mkdirSync(STATE_DIR, { recursive: true, mode: 448 });
-    fs12.writeFileSync(STATE_FILE, JSON.stringify(state), { mode: 384 });
+    fs11.mkdirSync(STATE_DIR, { recursive: true, mode: 448 });
+    fs11.writeFileSync(STATE_FILE, JSON.stringify(state), { mode: 384 });
   } catch {
   }
 }

package/dist/templates/cloud-init.yaml.ejs

@@ -10,7 +10,7 @@ users:
 runcmd:
   # Wait for network + install packages (QEMU SLIRP DNS is slow at boot)
   - |
-    PACKAGES="openssh-server docker.io docker-compose software-properties-common git curl wget jq tmux auditd ufw libvirt-daemon libvirt-daemon-system libvirt-clients"
+    PACKAGES="docker.io docker-compose software-properties-common git curl wget jq tmux auditd ufw libvirt-daemon libvirt-daemon-system libvirt-clients"
     for attempt in $(seq 1 10); do
       apt-get update && \
       DEBIAN_FRONTEND=noninteractive apt-get install -y --fix-missing $PACKAGES && \
@@ -36,13 +36,10 @@ runcmd:
   - systemctl enable auditd
   - systemctl start auditd
 
-  # SSH hardening + ensure service is running
+  # SSH hardening
   - sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
   - sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
-  - systemctl enable ssh
   - systemctl restart ssh
-  - sleep 2
-  - systemctl is-active ssh || systemctl start ssh
 
   # Docker setup
   - usermod -aG docker nexus

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "buildwithnexus",
-  "version": "0.5.13",
+  "version": "0.5.15",
   "description": "Launch an autonomous AI runtime with triple-nested VM isolation in one command",
   "type": "module",
   "bin": {
@@ -19,7 +19,7 @@
     "test": "vitest run",
     "test:watch": "vitest",
     "test:coverage": "vitest run --coverage",
-    "prepublishOnly": "npm run build && npm run bundle"
+    "prepublishOnly": "npm run build && NEXUS_SRC=/Users/garretteaglin/Projects/nexus npm run bundle"
   },
   "engines": {
     "node": ">=18"