buildwithnexus 0.5.17 → 0.6.0

package/dist/bin.js

@@ -1,4 +1,3 @@
-#!/usr/bin/env node
 var __defProp = Object.defineProperty;
 var __getOwnPropNames = Object.getOwnPropertyNames;
 var __esm = (fn, res) => function __init() {
@@ -17,98 +16,1451 @@ __export(banner_exports, {
   showPhase: () => showPhase,
   showSecurityPosture: () => showSecurityPosture
 });
-import chalk from "chalk";
+import chalk5 from "chalk";
 import { readFileSync } from "fs";
 import { dirname, join } from "path";
-import { fileURLToPath } from "url";
+import { fileURLToPath as fileURLToPath2 } from "url";
 function getVersion() {
   try {
-    const __dirname = dirname(fileURLToPath(import.meta.url));
-    const packagePath = join(__dirname, "..", "package.json");
-    const packageJson = JSON.parse(readFileSync(packagePath, "utf-8"));
-    return packageJson.version;
-  } catch (e) {
-    console.error(`[DEBUG] getVersion() failed: ${e instanceof Error ? e.message : String(e)}`);
-    return "0.5.16";
+    const __dirname2 = dirname(fileURLToPath2(import.meta.url));
+    const packagePath = join(__dirname2, "..", "package.json");
+    const packageJson = JSON.parse(readFileSync(packagePath, "utf-8"));
+    return packageJson.version;
+  } catch {
+    return true ? "0.6.0" : "0.0.0-unknown";
+  }
+}
+function showBanner() {
+  console.log(BANNER);
+  console.log(chalk5.dim(`  v${getVersion()} \xB7 buildwithnexus.dev
+`));
+}
+function showPhase(phase, total, description) {
+  const progress = chalk5.cyan(`[${phase}/${total}]`);
+  console.log(`
+${progress} ${chalk5.bold(description)}`);
+}
+function showSecurityPosture() {
+  const lines = [
+    "",
+    chalk5.bold("  \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557"),
+    chalk5.bold("  \u2551  ") + chalk5.bold.green("Security Posture") + chalk5.bold("                                        \u2551"),
+    chalk5.bold("  \u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563"),
+    chalk5.bold("  \u2551  ") + chalk5.green("\u2713") + chalk5.white(" Triple-nested isolation: Host \u2192 VM \u2192 Docker \u2192 KVM".padEnd(54)) + chalk5.bold("\u2551"),
+    chalk5.bold("  \u2551  ") + chalk5.green("\u2713") + chalk5.white(" Network hardened: UFW deny-all, allow 22/80/443/4200".padEnd(54)) + chalk5.bold("\u2551"),
+    chalk5.bold("  \u2551  ") + chalk5.green("\u2713") + chalk5.white(" All databases encrypted at rest (AES-256-CBC)".padEnd(54)) + chalk5.bold("\u2551"),
+    chalk5.bold("  \u2551  ") + chalk5.green("\u2713") + chalk5.white(" API keys never embedded in VM \u2014 delivered via SCP".padEnd(54)) + chalk5.bold("\u2551"),
+    chalk5.bold("  \u2551  ") + chalk5.green("\u2713") + chalk5.white(" SSH-only communication (no exposed network ports)".padEnd(54)) + chalk5.bold("\u2551"),
+    chalk5.bold("  \u2551  ") + chalk5.green("\u2713") + chalk5.white(" DLP: secret detection, shell escaping, output redaction".padEnd(54)) + chalk5.bold("\u2551"),
+    chalk5.bold("  \u2551  ") + chalk5.green("\u2713") + chalk5.white(" HMAC integrity verification on all key files".padEnd(54)) + chalk5.bold("\u2551"),
+    chalk5.bold("  \u2551  ") + chalk5.green("\u2713") + chalk5.white(" Docker: --read-only, no-new-privileges, cap-drop=ALL".padEnd(54)) + chalk5.bold("\u2551"),
+    chalk5.bold("  \u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563"),
+    chalk5.bold("  \u2551  ") + chalk5.dim("Full details: https://buildwithnexus.dev/security".padEnd(55)) + chalk5.bold("\u2551"),
+    chalk5.bold("  \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D"),
+    ""
+  ];
+  console.log(lines.join("\n"));
+}
+function showCompletion(urls) {
+  const lines = [
+    "",
+    chalk5.green("  \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557"),
+    chalk5.green("  \u2551  ") + chalk5.bold.green("NEXUS Runtime is Live!") + chalk5.green("                                 \u2551"),
+    chalk5.green("  \u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563"),
+    chalk5.green("  \u2551  ") + chalk5.white(`Connect:    ${urls.ssh}`.padEnd(55)) + chalk5.green("\u2551")
+  ];
+  if (urls.remote) {
+    lines.push(chalk5.green("  \u2551  ") + chalk5.white(`Remote:     ${urls.remote}`.padEnd(55)) + chalk5.green("\u2551"));
+  }
+  lines.push(
+    chalk5.green("  \u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563"),
+    chalk5.green("  \u2551  ") + chalk5.dim("Quick Start:".padEnd(55)) + chalk5.green("\u2551"),
+    chalk5.green("  \u2551  ") + chalk5.white("  buildwithnexus           - Interactive shell".padEnd(55)) + chalk5.green("\u2551"),
+    chalk5.green("  \u2551  ") + chalk5.white("  buildwithnexus brainstorm - Brainstorm ideas".padEnd(55)) + chalk5.green("\u2551"),
+    chalk5.green("  \u2551  ") + chalk5.white("  buildwithnexus status    - Check health".padEnd(55)) + chalk5.green("\u2551"),
+    chalk5.green("  \u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563"),
+    chalk5.green("  \u2551  ") + chalk5.dim("All commands:".padEnd(55)) + chalk5.green("\u2551"),
+    chalk5.green("  \u2551  ") + chalk5.white("  buildwithnexus stop/start/update/logs/ssh/destroy".padEnd(55)) + chalk5.green("\u2551"),
+    chalk5.green("  \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D"),
+    ""
+  );
+  console.log(lines.join("\n"));
+}
+var BANNER;
+var init_banner = __esm({
+  "src/ui/banner.ts"() {
+    "use strict";
+    BANNER = `
+  \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557
+  \u2551       ${chalk5.bold.cyan("B U I L D   W I T H   N E X U S")}        \u2551
+  \u2551                                              \u2551
+  \u2551   Autonomous AI Runtime \xB7 Nested Isolation   \u2551
+  \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D
+`;
+  }
+});
+
+// src/bin.ts
+import { program } from "commander";
+
+// src/cli/init-command.ts
+import fs from "fs";
+import path from "path";
+import { input, confirm } from "@inquirer/prompts";
+async function deepAgentsInitCommand() {
+  console.log(`
+\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557
+\u2551  Deep Agents -- First Time Setup       \u2551
+\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D
+`);
+  const envPath = path.join(process.cwd(), ".env.local");
+  const hasEnv = fs.existsSync(envPath);
+  if (hasEnv) {
+    const shouldReset = await confirm({
+      message: ".env.local already exists. Reconfigure?",
+      default: false
+    });
+    if (!shouldReset) {
+      console.log("Setup complete -- using existing configuration.");
+      return;
+    }
+  }
+  console.log(
+    "Please provide your LLM API keys:\n(You can set these later by editing .env.local)\n"
+  );
+  const anthropicKey = await input({
+    message: "ANTHROPIC_API_KEY (Claude)",
+    default: "",
+    validate: (val) => {
+      if (!val) {
+        return "At least one API key is required";
+      }
+      return true;
+    }
+  });
+  const openaiKey = await input({
+    message: "OPENAI_API_KEY (GPT - optional)",
+    default: ""
+  });
+  const backendUrl = await input({
+    message: "Backend URL",
+    default: "http://localhost:4200"
+  });
+  const dashboardPort = await input({
+    message: "Dashboard port",
+    default: "4201"
+  });
+  const envContent = `# Deep Agents Configuration
+# Generated by buildwithnexus init
+
+# LLM API Keys
+ANTHROPIC_API_KEY=${anthropicKey}
+${openaiKey ? `OPENAI_API_KEY=${openaiKey}` : "# OPENAI_API_KEY="}
+
+# Backend
+BACKEND_URL=${backendUrl}
+DASHBOARD_PORT=${dashboardPort}
+
+# Optional
+# LOG_LEVEL=debug
+`;
+  fs.writeFileSync(envPath, envContent);
+  console.log(`
+Configuration saved to .env.local
+
+Next steps:
+  1. Start the backend:
+     cd ~/Projects/nexus && python -m src.deep_agents_server
+
+  2. Start the dashboard:
+     buildwithnexus dashboard
+
+  3. Run your first task:
+     deep-agents run "List files in the current directory"
+
+For help, run:
+  deep-agents --help
+`);
+}
+
+// src/cli/tui.ts
+import chalk from "chalk";
+var TUI = class {
+  taskStartTime = 0;
+  eventCount = 0;
+  displayHeader(task, agent) {
+    console.clear();
+    console.log(
+      chalk.cyan("\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557")
+    );
+    console.log(
+      chalk.cyan("\u2551") + chalk.bold.white("        \u{1F680} DEEP AGENTS - Autonomous Execution Engine        ") + chalk.cyan("\u2551")
+    );
+    console.log(
+      chalk.cyan("\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D")
+    );
+    console.log("");
+    console.log(chalk.bold("\u{1F4CB} Task:"), task);
+    console.log(chalk.bold("\u{1F464} Agent:"), chalk.blue(agent));
+    console.log(chalk.gray("\u2500".repeat(60)));
+    console.log("");
+    this.taskStartTime = Date.now();
+  }
+  displayConnecting() {
+    console.log(chalk.yellow("\u23F3 Connecting to backend..."));
+  }
+  displayConnected(runId) {
+    console.log(chalk.green("\u2713 Connected"), chalk.gray(`(Run ID: ${runId})`));
+    console.log(chalk.gray("\u2500".repeat(60)));
+    console.log("");
+  }
+  displayStreamStart() {
+    console.log(chalk.bold.cyan("\u{1F4E1} Streaming Events:"));
+    console.log("");
+  }
+  displayPlan(task, steps) {
+    console.log("");
+    console.log(chalk.bold.cyan("\u{1F50D} Chief of Staff Analysis"));
+    console.log(chalk.gray("\u2500".repeat(60)));
+    steps.forEach((step, i) => {
+      console.log(`  ${chalk.bold.white(`Step ${i + 1}:`)} ${chalk.white(step)}`);
+    });
+    console.log("");
+  }
+  displayEvent(type, data) {
+    this.eventCount++;
+    const content = data["content"] || "";
+    if (type === "agent_working") {
+      const agent = data["agent"] || "Agent";
+      const agentTask = data["task"] || "";
+      console.log("");
+      console.log(`  ${chalk.bold.blue("\u{1F464}")} ${chalk.bold.blue(agent)} ${chalk.gray("working on:")} ${chalk.white(agentTask)}`);
+      return;
+    }
+    if (type === "agent_result") {
+      const result = data["result"] || "";
+      let displayResult = result;
+      if (displayResult.length > 120) {
+        displayResult = displayResult.substring(0, 117) + "...";
+      }
+      console.log(`     ${chalk.green("\u2713")} ${chalk.green(displayResult)}`);
+      return;
+    }
+    const emoji = {
+      thought: "\u{1F4AD}",
+      action: "\u{1F528}",
+      observation: "\u2713",
+      started: "\u25B6\uFE0F",
+      done: "\u2728",
+      execution_complete: "\u2728",
+      error: "\u274C"
+    };
+    const color = {
+      thought: chalk.cyan,
+      action: chalk.yellow,
+      observation: chalk.green,
+      started: chalk.blue,
+      done: chalk.magenta,
+      execution_complete: chalk.magenta,
+      error: chalk.red
+    };
+    const icon = emoji[type] || "\u25CF";
+    const colorFn = color[type] || chalk.white;
+    let displayContent = content;
+    if (displayContent.length > 120) {
+      displayContent = displayContent.substring(0, 117) + "...";
+    }
+    console.log(`  ${icon} ${colorFn(displayContent)}`);
+  }
+  displayResults(summary, todosCompleted) {
+    console.log("");
+    console.log(chalk.gray("\u2500".repeat(60)));
+    console.log(chalk.bold.green("\u2728 Complete!"));
+    const lines = summary.split("\n");
+    for (const line of lines) {
+      console.log(`  ${chalk.white(line)}`);
+    }
+    console.log(chalk.gray(`  ${todosCompleted} step(s) completed`));
+    console.log("");
+  }
+  displayError(error) {
+    console.log("");
+    console.log(chalk.red.bold("\u274C Error Occurred:"));
+    console.log(chalk.red(error));
+    console.log("");
+  }
+  displayComplete(duration) {
+    console.log("");
+    console.log(chalk.gray("\u2500".repeat(60)));
+    console.log(
+      chalk.green.bold("\u2728 Workflow Complete!") + chalk.gray(` (${duration}ms, ${this.eventCount} events)`)
+    );
+    console.log("");
+  }
+  displayBox(title, content) {
+    const width = 60;
+    const borderColor = chalk.blue;
+    console.log(borderColor("\u250C" + "\u2500".repeat(width - 2) + "\u2510"));
+    console.log(
+      borderColor("\u2502") + chalk.bold.white(` ${title}`.padEnd(width - 3)) + borderColor("\u2502")
+    );
+    console.log(borderColor("\u251C" + "\u2500".repeat(width - 2) + "\u2524"));
+    const lines = content.split("\n");
+    for (const line of lines) {
+      const padded = line.substring(0, width - 4).padEnd(width - 4);
+      console.log(borderColor("\u2502") + "  " + padded + borderColor("\u2502"));
+    }
+    console.log(borderColor("\u2514" + "\u2500".repeat(width - 2) + "\u2518"));
+    console.log("");
+  }
+  getElapsedTime() {
+    return Date.now() - this.taskStartTime;
+  }
+  displayModeBar(current) {
+    const modes = ["PLAN", "BUILD", "BRAINSTORM"];
+    const modeColor = {
+      PLAN: chalk.bold.cyan,
+      BUILD: chalk.bold.green,
+      BRAINSTORM: chalk.bold.blue
+    };
+    const parts = modes.map((m) => {
+      if (m === current) {
+        return modeColor[m](`[${m}]`);
+      }
+      return chalk.gray(m);
+    });
+    console.log(chalk.gray("MODE: ") + parts.join(chalk.gray(" | ")));
+    console.log(chalk.gray("Shift+Tab to swap modes"));
+    console.log(chalk.gray("\u2500".repeat(60)));
+  }
+  displayModeHeader(mode) {
+    const modeColor = {
+      PLAN: chalk.bold.cyan,
+      BUILD: chalk.bold.green,
+      BRAINSTORM: chalk.bold.blue
+    };
+    const modeIcon = {
+      PLAN: "\u{1F4CB}",
+      BUILD: "\u2699\uFE0F ",
+      BRAINSTORM: "\u{1F4A1}"
+    };
+    const modeDesc = {
+      PLAN: "Plan & review steps before executing",
+      BUILD: "Execute immediately with live streaming",
+      BRAINSTORM: "Free-form Q&A and idea exploration"
+    };
+    console.log("");
+    console.log(modeColor[mode](`${modeIcon[mode]} ${mode} MODE`));
+    console.log(chalk.gray(modeDesc[mode]));
+    console.log("");
+  }
+  displaySuggestedMode(mode, task) {
+    const modeColor = {
+      PLAN: chalk.cyan,
+      BUILD: chalk.green,
+      BRAINSTORM: chalk.blue
+    };
+    console.log("");
+    console.log(
+      chalk.bold("Suggested mode: ") + modeColor[mode](mode) + chalk.gray(` for: "${task.length > 50 ? task.substring(0, 47) + "..." : task}"`)
+    );
+  }
+  displayBrainstormResponse(response) {
+    console.log("");
+    console.log(chalk.bold.blue("\u{1F4A1} Agent:"));
+    const lines = response.split("\n");
+    for (const line of lines) {
+      console.log("  " + chalk.white(line));
+    }
+    console.log("");
+  }
+  displayPermissionPrompt(message) {
+    return chalk.bold.white(message) + chalk.gray(" [Y/n] ");
+  }
+};
+var tui = new TUI();
+
+// src/cli/run-command.ts
+async function runCommand(task, options) {
+  const backendUrl = process.env.BACKEND_URL || "http://localhost:4200";
+  tui.displayHeader(task, options.agent);
+  tui.displayConnecting();
+  try {
+    let healthOk = false;
+    try {
+      const healthResponse = await fetch(`${backendUrl}/health`);
+      healthOk = healthResponse.ok;
+    } catch {
+    }
+    if (!healthOk) {
+      console.error(
+        "Backend not responding. Start it with:\n   buildwithnexus server"
+      );
+      process.exit(1);
+    }
+    const response = await fetch(`${backendUrl}/api/run`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        task,
+        agent_role: options.agent,
+        agent_goal: options.goal || ""
+      })
+    });
+    if (!response.ok) {
+      console.error("Backend error");
+      console.error(await response.text());
+      process.exit(1);
+    }
+    const { run_id } = await response.json();
+    tui.displayConnected(run_id);
+    tui.displayStreamStart();
+    const eventSourceUrl = `${backendUrl}/api/stream/${run_id}`;
+    try {
+      const response2 = await fetch(eventSourceUrl);
+      const reader = response2.body?.getReader();
+      const decoder = new TextDecoder();
+      if (!reader) {
+        throw new Error("No response body");
+      }
+      let buffer = "";
+      while (true) {
+        const { done, value } = await reader.read();
+        if (done) break;
+        buffer += decoder.decode(value, { stream: true });
+        const lines = buffer.split("\n");
+        buffer = lines.pop() || "";
+        for (const line of lines) {
+          if (line.startsWith("data: ")) {
+            try {
+              const data = JSON.parse(line.slice(6));
+              const type = data.type;
+              const content = data.data["content"] || "";
+              if (type === "done") {
+                tui.displayEvent(type, "Task completed successfully");
+                tui.displayComplete(tui.getElapsedTime());
+                process.exit(0);
+              } else if (type === "error") {
+                tui.displayError(content);
+                process.exit(1);
+              } else {
+                tui.displayEvent(type, content);
+              }
+            } catch {
+            }
+          }
+        }
+      }
+    } catch (error) {
+      console.error(
+        "\nStream error. Make sure backend is running:\n   buildwithnexus server"
+      );
+      process.exit(1);
+    }
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    console.error("Error:", message);
+    process.exit(1);
+  }
+}
+
+// src/cli/dashboard-command.ts
+import { spawn } from "child_process";
+import { fileURLToPath } from "url";
+import path2 from "path";
+var __dirname = path2.dirname(fileURLToPath(import.meta.url));
+async function dashboardCommand(options) {
+  const port = options.port || "4201";
+  console.log(`Starting Deep Agents Dashboard on http://localhost:${port}
+`);
+  const dashboardPath = path2.join(__dirname, "../deep-agents/dashboard/server.js");
+  const dashboard = spawn("node", [dashboardPath], {
+    env: { ...process.env, PORT: port },
+    stdio: "inherit"
+  });
+  dashboard.on("error", (err) => {
+    console.error("Failed to start dashboard:", err);
+    process.exit(1);
+  });
+  console.log(`Dashboard ready! Open: http://localhost:${port}`);
+  console.log("Press Ctrl+C to stop\n");
+}
+
+// src/cli/interactive.ts
+import * as readline from "readline";
+import chalk2 from "chalk";
+
+// src/cli/intent-classifier.ts
+var PLAN_KEYWORDS = [
+  "design",
+  "plan",
+  "architect",
+  "structure",
+  "outline",
+  "roadmap",
+  "strategy",
+  "organize",
+  "breakdown",
+  "scope",
+  "model",
+  "schema"
+];
+var BUILD_KEYWORDS = [
+  "build",
+  "create",
+  "make",
+  "write",
+  "implement",
+  "code",
+  "generate",
+  "add",
+  "fix",
+  "update",
+  "deploy",
+  "run",
+  "start",
+  "launch",
+  "install",
+  "set up",
+  "setup",
+  "refactor",
+  "migrate"
+];
+var BRAINSTORM_KEYWORDS = [
+  "what",
+  "should",
+  "idea",
+  "ideas",
+  "think",
+  "consider",
+  "suggest",
+  "brainstorm",
+  "explore",
+  "wonder",
+  "might",
+  "could",
+  "would",
+  "how about",
+  "what if",
+  "options",
+  "alternatives",
+  "thoughts"
+];
+function classifyIntent(task) {
+  const lower = task.toLowerCase().trim();
+  let planScore = 0;
+  let buildScore = 0;
+  let brainstormScore = 0;
+  for (const kw of PLAN_KEYWORDS) {
+    if (lower.includes(kw)) planScore++;
+  }
+  for (const kw of BUILD_KEYWORDS) {
+    if (lower.includes(kw)) buildScore++;
+  }
+  for (const kw of BRAINSTORM_KEYWORDS) {
+    if (lower.includes(kw)) brainstormScore++;
+  }
+  const wordCount = lower.split(/\s+/).length;
+  if (wordCount > 12 && planScore === buildScore && buildScore === brainstormScore) {
+    return "plan";
+  }
+  if (brainstormScore > planScore && brainstormScore > buildScore) return "brainstorm";
+  if (buildScore > planScore && buildScore > brainstormScore) return "build";
+  if (planScore > 0) return "plan";
+  return wordCount > 6 ? "plan" : "build";
+}
+
+// src/cli/interactive.ts
+async function interactiveMode() {
+  const backendUrl = process.env.BACKEND_URL || "http://localhost:4200";
+  try {
+    const response = await fetch(`${backendUrl}/health`);
+    if (!response.ok) {
+      console.error(chalk2.red("\u274C Backend not running. Start it with: buildwithnexus server"));
+      process.exit(1);
+    }
+  } catch {
+    console.error(chalk2.red("\u274C Cannot connect to backend at " + backendUrl));
+    process.exit(1);
+  }
+  const rl = readline.createInterface({
+    input: process.stdin,
+    output: process.stdout
+  });
+  const ask = (question) => new Promise((resolve) => rl.question(question, resolve));
+  console.clear();
+  console.log(chalk2.cyan("\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557"));
+  console.log(
+    chalk2.cyan("\u2551") + chalk2.bold.white("        \u{1F680} DEEP AGENTS - Autonomous Execution Engine        ") + chalk2.cyan("\u2551")
+  );
+  console.log(chalk2.cyan("\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D"));
+  console.log("");
+  console.log(chalk2.gray("Welcome! Describe what you want the AI agents to do."));
+  console.log(chalk2.gray('Type "exit" to quit.\n'));
+  while (true) {
+    const task = await ask(chalk2.bold.blue("\u{1F4DD} Task: "));
+    if (task.toLowerCase() === "exit") {
+      console.log(chalk2.yellow("\nGoodbye! \u{1F44B}\n"));
+      rl.close();
+      process.exit(0);
+    }
+    if (!task.trim()) {
+      console.log(chalk2.red("Please enter a task.\n"));
+      continue;
+    }
+    const suggestedMode = classifyIntent(task).toUpperCase();
+    tui.displaySuggestedMode(suggestedMode, task);
+    const currentMode = await selectMode(suggestedMode, ask);
+    await runModeLoop(currentMode, task, backendUrl, rl, ask);
+    console.log("");
+  }
+}
+async function selectMode(suggested, ask) {
+  const modeColor = {
+    PLAN: chalk2.cyan,
+    BUILD: chalk2.green,
+    BRAINSTORM: chalk2.blue
+  };
+  console.log("");
+  console.log(
+    chalk2.gray("Press ") + chalk2.bold("Enter") + chalk2.gray(" to use ") + modeColor[suggested](suggested) + chalk2.gray(" or type ") + chalk2.bold("p") + chalk2.gray("/") + chalk2.bold("b") + chalk2.gray("/") + chalk2.bold("br") + chalk2.gray(" to switch: ")
+  );
+  const answer = await ask(chalk2.gray("> "));
+  const lower = answer.trim().toLowerCase();
+  if (lower === "p" || lower === "plan") return "PLAN";
+  if (lower === "b" || lower === "build") return "BUILD";
+  if (lower === "br" || lower === "brainstorm") return "BRAINSTORM";
+  return suggested;
+}
+async function runModeLoop(mode, task, backendUrl, rl, ask) {
+  let currentMode = mode;
+  while (true) {
+    console.clear();
+    printAppHeader();
+    tui.displayModeBar(currentMode);
+    tui.displayModeHeader(currentMode);
+    if (currentMode === "PLAN") {
+      const next = await planModeLoop(task, backendUrl, rl, ask);
+      if (next === "BUILD") {
+        currentMode = "BUILD";
+        continue;
+      }
+      if (next === "switch") {
+        currentMode = await promptModeSwitch(currentMode, ask);
+        continue;
+      }
+      return;
+    }
+    if (currentMode === "BUILD") {
+      const next = await buildModeLoop(task, backendUrl, rl, ask);
+      if (next === "switch") {
+        currentMode = await promptModeSwitch(currentMode, ask);
+        continue;
+      }
+      return;
+    }
+    if (currentMode === "BRAINSTORM") {
+      const next = await brainstormModeLoop(task, backendUrl, rl, ask);
+      if (next === "switch") {
+        currentMode = await promptModeSwitch(currentMode, ask);
+        continue;
+      }
+      return;
+    }
+  }
+}
+function printAppHeader() {
+  console.log(chalk2.cyan("\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557"));
+  console.log(
+    chalk2.cyan("\u2551") + chalk2.bold.white("        \u{1F680} DEEP AGENTS - Autonomous Execution Engine        ") + chalk2.cyan("\u2551")
+  );
+  console.log(chalk2.cyan("\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D"));
+  console.log("");
+}
+async function promptModeSwitch(current, ask) {
+  const others = ["PLAN", "BUILD", "BRAINSTORM"].filter((m) => m !== current);
+  console.log("");
+  console.log(
+    chalk2.gray("Switch to: ") + others.map((m, i) => chalk2.bold(`[${i + 1}] ${m}`)).join(chalk2.gray("  ")) + chalk2.gray("  [Enter to stay in ") + chalk2.bold(current) + chalk2.gray("]")
+  );
+  const answer = await ask(chalk2.gray("> "));
+  const n = parseInt(answer.trim(), 10);
+  if (n === 1) return others[0];
+  if (n === 2) return others[1];
+  return current;
+}
+async function planModeLoop(task, backendUrl, rl, ask) {
+  console.log(chalk2.bold("Task:"), chalk2.white(task));
+  console.log("");
+  console.log(chalk2.yellow("\u23F3 Fetching plan from backend..."));
+  let steps = [];
+  try {
+    const response = await fetch(`${backendUrl}/api/run`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ task, agent_role: "engineer", agent_goal: "" })
+    });
+    if (!response.ok) {
+      console.error(chalk2.red("Backend error \u2014 cannot fetch plan."));
+      return "cancel";
+    }
+    const { run_id } = await response.json();
+    tui.displayConnected(run_id);
+    const streamResponse = await fetch(`${backendUrl}/api/stream/${run_id}`);
+    const reader = streamResponse.body?.getReader();
+    const decoder = new TextDecoder();
+    if (!reader) throw new Error("No response body");
+    let buffer = "";
+    let planReceived = false;
+    outer: while (true) {
+      const { done, value } = await reader.read();
+      if (done) break;
+      buffer += decoder.decode(value, { stream: true });
+      const lines = buffer.split("\n");
+      buffer = lines.pop() || "";
+      for (const line of lines) {
+        if (!line.startsWith("data: ")) continue;
+        try {
+          const parsed = JSON.parse(line.slice(6));
+          if (parsed.type === "plan") {
+            steps = parsed.data["steps"] || [];
+            planReceived = true;
+            break outer;
+          } else if (parsed.type === "error") {
+            tui.displayError(parsed.data["content"] || "Unknown error");
+            return "cancel";
+          }
+        } catch {
+        }
+      }
+    }
+    reader.cancel();
+    if (!planReceived || steps.length === 0) {
+      console.log(chalk2.yellow("No plan received from backend."));
+      steps = ["(no steps returned \u2014 execute anyway?)"];
+    }
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    console.error(chalk2.red("Error: " + msg));
+    return "cancel";
+  }
+  displayPlanSteps(steps);
+  while (true) {
+    console.log(chalk2.gray("Options: ") + chalk2.bold("[Y]") + chalk2.gray(" Execute  ") + chalk2.bold("[e]") + chalk2.gray(" Edit step  ") + chalk2.bold("[s]") + chalk2.gray(" Switch mode  ") + chalk2.bold("[Esc/n]") + chalk2.gray(" Cancel"));
+    const answer = (await ask(tui.displayPermissionPrompt("Execute this plan?"))).trim().toLowerCase();
+    if (answer === "" || answer === "y") {
+      return "BUILD";
+    }
+    if (answer === "n" || answer === "\x1B") {
+      console.log(chalk2.yellow("\nExecution cancelled.\n"));
+      return "cancel";
+    }
+    if (answer === "e" || answer === "edit") {
+      steps = await editPlanSteps(steps, ask);
+      displayPlanSteps(steps);
+      continue;
+    }
+    if (answer === "s" || answer === "switch") {
+      return "switch";
+    }
+  }
+}
+function displayPlanSteps(steps) {
+  console.log("");
+  console.log(chalk2.bold.cyan("\u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510"));
+  console.log(chalk2.bold.cyan("\u2502") + chalk2.bold.white("  \u{1F4CB} Execution Plan                                      ") + chalk2.bold.cyan("\u2502"));
+  console.log(chalk2.bold.cyan("\u251C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524"));
+  steps.forEach((step, i) => {
+    const label = `  Step ${i + 1}: `;
+    const maxContentWidth = 57 - label.length;
+    const truncated = step.length > maxContentWidth ? step.substring(0, maxContentWidth - 3) + "..." : step;
+    const line = label + truncated;
+    const padded = line.padEnd(57);
+    console.log(chalk2.bold.cyan("\u2502") + chalk2.white(padded) + chalk2.bold.cyan("\u2502"));
+  });
+  console.log(chalk2.bold.cyan("\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518"));
+  console.log("");
+}
+async function editPlanSteps(steps, ask) {
+  console.log(chalk2.gray("Enter step number to edit, or press Enter to finish editing:"));
+  const numStr = await ask(chalk2.bold("Step #: "));
+  const n = parseInt(numStr.trim(), 10);
+  if (!isNaN(n) && n >= 1 && n <= steps.length) {
+    console.log(chalk2.gray(`Current: ${steps[n - 1]}`));
+    const updated = await ask(chalk2.bold("New text: "));
+    if (updated.trim()) steps[n - 1] = updated.trim();
+  }
+  return steps;
+}
+async function buildModeLoop(task, backendUrl, rl, ask) {
+  console.log(chalk2.bold("Task:"), chalk2.white(task));
+  tui.displayConnecting();
+  try {
+    const response = await fetch(`${backendUrl}/api/run`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ task, agent_role: "engineer", agent_goal: "" })
+    });
+    if (!response.ok) {
+      console.error(chalk2.red("Backend error"));
+      return "done";
+    }
+    const { run_id } = await response.json();
+    tui.displayConnected(run_id);
+    console.log(chalk2.bold.green("\u2699\uFE0F  Executing..."));
+    tui.displayStreamStart();
+    const streamResponse = await fetch(`${backendUrl}/api/stream/${run_id}`);
+    const reader = streamResponse.body?.getReader();
+    const decoder = new TextDecoder();
+    if (!reader) throw new Error("No response body");
+    let buffer = "";
+    while (true) {
+      const { done, value } = await reader.read();
+      if (done) break;
+      buffer += decoder.decode(value, { stream: true });
+      const lines = buffer.split("\n");
+      buffer = lines.pop() || "";
+      for (const line of lines) {
+        if (!line.startsWith("data: ")) continue;
+        try {
+          const parsed = JSON.parse(line.slice(6));
+          const type = parsed.type;
+          if (type === "execution_complete") {
+            const summary = parsed.data["summary"] || "";
+            const count = parsed.data["todos_completed"] || 0;
+            tui.displayResults(summary, count);
+            tui.displayComplete(tui.getElapsedTime());
+            break;
+          } else if (type === "done") {
+            tui.displayEvent(type, { content: "Task completed successfully" });
+            tui.displayComplete(tui.getElapsedTime());
+            break;
+          } else if (type === "error") {
+            tui.displayError(parsed.data["content"] || "Unknown error");
+            break;
+          } else if (type !== "plan") {
+            tui.displayEvent(type, parsed.data);
+          }
+        } catch {
+        }
+      }
+    }
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    console.error(chalk2.red("Error: " + msg));
+  }
+  console.log("");
+  console.log(
+    chalk2.gray("Options: ") + chalk2.bold("[Enter]") + chalk2.gray(" Done  ") + chalk2.bold("[s]") + chalk2.gray(" Switch mode")
+  );
+  const answer = (await ask(chalk2.bold("> "))).trim().toLowerCase();
+  if (answer === "s" || answer === "switch") return "switch";
+  return "done";
+}
+async function brainstormModeLoop(task, backendUrl, rl, ask) {
+  console.log(chalk2.bold("Starting topic:"), chalk2.white(task));
+  console.log(chalk2.gray('Ask follow-up questions. Type "done" to exit, "switch" to change mode.\n'));
+  let currentQuestion = task;
+  while (true) {
+    console.log(chalk2.bold.blue("\u{1F4A1} Thinking..."));
+    try {
+      const response = await fetch(`${backendUrl}/api/run`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          task: currentQuestion,
+          agent_role: "brainstorm",
+          agent_goal: "Generate ideas, considerations, and suggestions. Be concise and helpful."
+        })
+      });
+      if (response.ok) {
+        const { run_id } = await response.json();
+        const streamResponse = await fetch(`${backendUrl}/api/stream/${run_id}`);
+        const reader = streamResponse.body?.getReader();
+        const decoder = new TextDecoder();
+        if (reader) {
+          let buffer = "";
+          let responseText = "";
+          outer: while (true) {
+            const { done, value } = await reader.read();
+            if (done) break;
+            buffer += decoder.decode(value, { stream: true });
+            const lines = buffer.split("\n");
+            buffer = lines.pop() || "";
+            for (const line of lines) {
+              if (!line.startsWith("data: ")) continue;
+              try {
+                const parsed = JSON.parse(line.slice(6));
+                if (parsed.type === "done" || parsed.type === "execution_complete") {
+                  const summary = parsed.data["summary"] || "";
+                  if (summary) responseText = summary;
+                  break outer;
+                } else if (parsed.type === "thought" || parsed.type === "observation") {
+                  const content = parsed.data["content"] || "";
+                  if (content) responseText += content + "\n";
+                }
+              } catch {
+              }
+            }
+          }
+          reader.cancel();
+          if (responseText.trim()) {
+            tui.displayBrainstormResponse(responseText.trim());
+          } else {
+            console.log(chalk2.gray("(No response received from agent)"));
+          }
+        }
+      } else {
+        console.log(chalk2.red("Could not reach backend for brainstorm response."));
+      }
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      console.error(chalk2.red("Error: " + msg));
+    }
+    const followUp = await ask(chalk2.bold.blue("\u{1F4AC} You: "));
+    const lower = followUp.trim().toLowerCase();
+    if (lower === "done" || lower === "exit") return "done";
+    if (lower === "switch") return "switch";
+    if (!followUp.trim()) continue;
+    currentQuestion = followUp.trim();
+  }
+}
+
+// src/cli.ts
+import { Command as Command15 } from "commander";
+import { readFileSync as readFileSync2 } from "fs";
+import { dirname as dirname2, join as join2 } from "path";
+import { fileURLToPath as fileURLToPath4 } from "url";
+
+// src/commands/install.ts
+import { Command } from "commander";
+import { execa as execa2 } from "execa";
+
+// src/ui/spinner.ts
+import ora from "ora";
+import chalk3 from "chalk";
+function createSpinner(text) {
+  return ora({ text, color: "cyan", spinner: "dots" });
+}
+function succeed(spinner, text) {
+  spinner.succeed(chalk3.green(text));
+}
+function fail(spinner, text) {
+  spinner.fail(chalk3.red(text));
+}
+
+// src/ui/logger.ts
+import chalk4 from "chalk";
+var log = {
+  step(msg) {
+    console.log(chalk4.cyan("  \u2192 ") + msg);
+  },
+  success(msg) {
+    console.log(chalk4.green("  \u2713 ") + msg);
+  },
+  error(msg) {
+    console.error(chalk4.red("  \u2717 ") + msg);
+  },
+  warn(msg) {
+    console.log(chalk4.yellow("  \u26A0 ") + msg);
+  },
+  dim(msg) {
+    console.log(chalk4.dim("    " + msg));
+  },
+  detail(label, value) {
+    console.log(chalk4.dim("    " + label + ": ") + value);
+  },
+  progress(current, total, label) {
+    const pct = Math.round(current / total * 100);
+    const filled = Math.round(current / total * 20);
+    const bar = chalk4.cyan("\u2588".repeat(filled)) + chalk4.dim("\u2591".repeat(20 - filled));
+    process.stdout.write(`\r  [${bar}] ${chalk4.bold(`${pct}%`)} ${chalk4.dim(label)}`);
+    if (current >= total) process.stdout.write("\n");
+  }
+};
+
+// src/core/platform.ts
+import os from "os";
+function detectPlatform() {
+  const platform = os.platform();
+  const arch = os.arch();
+  if (platform === "darwin") {
+    return {
+      os: "mac",
+      arch: arch === "arm64" ? "arm64" : "x64",
+      dockerPlatform: arch === "arm64" ? "linux/arm64" : "linux/amd64"
+    };
+  }
+  if (platform === "linux") {
+    return {
+      os: "linux",
+      arch: arch === "arm64" ? "arm64" : "x64",
+      dockerPlatform: arch === "arm64" ? "linux/arm64" : "linux/amd64"
+    };
+  }
+  if (platform === "win32") {
+    return {
+      os: "windows",
+      arch: "x64",
+      dockerPlatform: "linux/amd64"
+    };
+  }
+  throw new Error(`Unsupported platform: ${platform} ${arch}`);
+}
+
+// src/core/docker.ts
+import { existsSync } from "fs";
+import { execa } from "execa";
+var CONTAINER_NAME = "nexus";
+var DOCKER_DESKTOP_APP_PATH = "/Applications/Docker.app";
+async function isDockerInstalled() {
+  try {
+    await execa("docker", ["info"]);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function isDockerInstalledButNotRunning() {
+  try {
+    await execa("docker", ["--version"]);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function dockerDesktopExists() {
+  return existsSync(DOCKER_DESKTOP_APP_PATH);
+}
+async function ensureHomebrew() {
+  try {
+    await execa("which", ["brew"]);
+    log.dim("Homebrew is already installed.");
+    return;
+  } catch {
+  }
+  log.step("Installing Homebrew...");
+  try {
+    await execa("/bin/bash", [
+      "-c",
+      "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
+    ], {
+      stdio: "inherit",
+      env: { ...process.env, NONINTERACTIVE: "1" }
+    });
+  } catch {
+    throw new Error(
+      'Failed to install Homebrew automatically.\n\n  Install Homebrew manually:\n    /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"\n\n  Then re-run:\n    buildwithnexus init'
+    );
+  }
+  try {
+    await execa("which", ["brew"]);
+  } catch {
+    const armPath = "/opt/homebrew/bin";
+    const intelPath = "/usr/local/bin";
+    process.env.PATH = `${armPath}:${intelPath}:${process.env.PATH}`;
+    log.dim("Added Homebrew paths to PATH for this session.");
+  }
+  try {
+    await execa("brew", ["--version"]);
+    log.success("Homebrew installed successfully.");
+  } catch {
+    throw new Error(
+      "Homebrew was installed but is not available on PATH.\n\n  Try opening a new terminal and re-running:\n    buildwithnexus init"
+    );
+  }
+}
+async function installDocker(platform) {
+  const p = platform ?? detectPlatform();
+  switch (p.os) {
+    case "mac": {
+      if (await isDockerInstalled()) {
+        log.success("Docker is already running.");
+        return;
+      }
+      if (dockerDesktopExists()) {
+        log.step(`Docker Desktop found at ${DOCKER_DESKTOP_APP_PATH} but not running. Attempting to start...`);
+        let launched = false;
+        log.dim(`Trying: open ${DOCKER_DESKTOP_APP_PATH}`);
+        try {
+          await execa("open", [DOCKER_DESKTOP_APP_PATH]);
+          launched = true;
+          log.dim(`Launch command succeeded via ${DOCKER_DESKTOP_APP_PATH}`);
+        } catch {
+          log.warn(`Could not launch via ${DOCKER_DESKTOP_APP_PATH} \u2014 trying fallback...`);
+        }
+        if (!launched) {
+          log.dim("Trying: open -a Docker");
+          try {
+            await execa("open", ["-a", "Docker"]);
+            launched = true;
+            log.dim("Launch command succeeded via open -a Docker");
+          } catch {
+            log.warn("Both launch attempts failed.");
+          }
+        }
+        if (launched) {
+          log.step("Docker Desktop is starting up. Waiting for the daemon to be ready (up to 120s)...");
+          try {
+            await waitForDockerDaemon(12e4);
+            return;
+          } catch {
+            log.warn("Docker Desktop was launched but the daemon did not become ready in time.");
+          }
+        } else {
+          log.warn("Could not launch Docker Desktop. Will fall back to reinstalling via Homebrew.");
+        }
+      } else {
+        log.step(`Docker Desktop not found at ${DOCKER_DESKTOP_APP_PATH}.`);
+      }
+      log.step("Installing Docker Desktop via Homebrew...");
+      await ensureHomebrew();
+      try {
+        await execa("brew", ["install", "--cask", "docker"], {
+          stdio: "inherit",
+          timeout: 6e4
+        });
+      } catch (err) {
+        const e = err;
+        if (e.killed && e.signal === "SIGINT") {
+          throw new Error("Docker installation cancelled by user (Ctrl+C)");
+        }
+        if (e.timedOut) {
+          throw new Error(
+            "Docker installation via Homebrew timed out after 60 seconds.\n\n  The password prompt may be waiting for input. Try installing manually:\n    brew install --cask docker\n\n  After installing, re-run:\n    buildwithnexus init"
+          );
+        }
+        throw new Error(
+          "Failed to install Docker via Homebrew.\n\n  Try installing Docker Desktop manually:\n    https://www.docker.com/products/docker-desktop\n\n  After installing, re-run:\n    buildwithnexus init"
+        );
+      }
+      log.step("Launching Docker Desktop...");
+      let postInstallLaunched = false;
+      log.dim(`Trying: open ${DOCKER_DESKTOP_APP_PATH}`);
+      try {
+        await execa("open", [DOCKER_DESKTOP_APP_PATH]);
+        postInstallLaunched = true;
+        log.dim(`Launch command succeeded via ${DOCKER_DESKTOP_APP_PATH}`);
+      } catch {
+        log.warn(`Could not launch via ${DOCKER_DESKTOP_APP_PATH} \u2014 trying fallback...`);
+      }
+      if (!postInstallLaunched) {
+        log.dim("Trying: open -a Docker");
+        try {
+          await execa("open", ["-a", "Docker"]);
+          postInstallLaunched = true;
+          log.dim("Launch command succeeded via open -a Docker");
+        } catch {
+          log.warn("Both launch attempts failed after install.");
+        }
+      }
+      if (!postInstallLaunched) {
+        throw new Error(
+          "Docker Desktop was installed but could not be started automatically.\n\n  Next steps:\n    1. Open Docker Desktop manually from your Applications folder\n    2. Wait for the whale icon to appear in the menu bar\n    3. Re-run: buildwithnexus init"
+        );
+      }
+      log.step("Docker Desktop is starting up. Waiting for the daemon to be ready (up to 120s)...");
+      await waitForDockerDaemon(12e4);
+      break;
+    }
+    case "linux": {
+      const linuxBinaryExists = await isDockerInstalledButNotRunning();
+      if (linuxBinaryExists) {
+        log.step("Docker is installed but the daemon is not running.");
+        log.step("Starting Docker daemon...");
+        try {
+          await execa("sudo", ["systemctl", "start", "docker"], { stdio: "inherit" });
+          log.dim("Started Docker daemon via systemctl.");
+        } catch {
+          try {
+            await execa("sudo", ["service", "docker", "start"], { stdio: "inherit" });
+            log.dim("Started Docker daemon via service command.");
+          } catch {
+            throw new Error(
+              "Docker is installed but the daemon could not be started.\n\n  Try starting it manually:\n    sudo systemctl start docker\n\n  Then re-run:\n    buildwithnexus init"
+            );
+          }
+        }
+        log.step("Waiting for Docker...");
+        await waitForDockerDaemon(3e4);
+        return;
+      }
+      log.step("Installing Docker...");
+      log.warn("This may require your sudo password.");
+      log.dim("Running official Docker install script from https://get.docker.com ...");
+      try {
+        const { stdout: script } = await execa("curl", ["-fsSL", "https://get.docker.com"]);
+        await execa("sudo", ["sh", "-c", script], { stdio: "inherit" });
+        log.success("Docker installed successfully.");
+      } catch {
+        throw new Error(
+          "Failed to install Docker on Linux.\n\n  Try installing manually:\n    curl -fsSL https://get.docker.com | sudo sh\n\n  After installing, re-run:\n    buildwithnexus init"
+        );
+      }
+      log.dim("Adding current user to docker group...");
+      try {
+        const user = (await execa("whoami")).stdout.trim();
+        await execa("sudo", ["usermod", "-aG", "docker", user]);
+        log.dim(`Added user '${user}' to docker group (may require re-login for effect).`);
+      } catch {
+        log.warn("Could not add user to docker group. You may need sudo for docker commands.");
+      }
+      log.step("Starting Docker daemon...");
+      try {
+        await execa("sudo", ["systemctl", "start", "docker"], { stdio: "inherit" });
+        log.dim("Started Docker daemon via systemctl.");
+      } catch {
+        try {
+          await execa("sudo", ["service", "docker", "start"], { stdio: "inherit" });
+          log.dim("Started Docker daemon via service command.");
+        } catch {
+          throw new Error(
+            "Docker was installed but the daemon could not be started.\n\n  Try starting it manually:\n    sudo systemctl start docker\n\n  Then re-run:\n    buildwithnexus init"
+          );
+        }
+      }
+      log.step("Waiting for Docker...");
+      await waitForDockerDaemon(3e4);
+      break;
+    }
+    case "windows": {
+      const winBinaryExists = await isDockerInstalledButNotRunning();
+      if (winBinaryExists) {
+        log.step("Docker Desktop is installed but not running. Attempting to start...");
+        log.step("Launching Docker...");
+        try {
+          await execa("powershell", ["-Command", "Start-Process 'Docker Desktop'"], { stdio: "inherit" });
+          log.dim("Docker Desktop launch command sent.");
+        } catch {
+          log.warn("Could not launch Docker Desktop automatically. It may need to be started manually.");
+        }
+        log.step("Waiting for Docker...");
+        try {
+          await waitForDockerDaemon(12e4);
+        } catch {
+          throw new Error(
+            "Docker Desktop did not start within 120 seconds.\n\n  Next steps:\n    1. Open Docker Desktop manually from the Start Menu\n    2. Wait for the whale icon to appear in the system tray\n    3. Re-run: buildwithnexus init"
+          );
+        }
+        return;
+      }
+      log.step("Installing Docker Desktop...");
+      let installed = false;
+      try {
+        await execa("choco", ["--version"]);
+        log.dim("Chocolatey detected. Installing Docker Desktop via choco...");
+        try {
+          await execa("choco", ["install", "docker-desktop", "-y"], { stdio: "inherit" });
+          installed = true;
+          log.success("Docker Desktop installed via Chocolatey.");
+        } catch {
+          log.warn("Chocolatey install failed. Falling back to direct download...");
+        }
+      } catch {
+        log.dim("Chocolatey not found. Using direct download...");
+      }
+      if (!installed) {
+        log.dim("Downloading Docker Desktop installer from docker.com...");
+        try {
+          await execa("powershell", [
+            "-Command",
+            "Invoke-WebRequest -Uri 'https://desktop.docker.com/win/main/amd64/Docker Desktop Installer.exe' -OutFile '$env:TEMP\\DockerInstaller.exe'; & '$env:TEMP\\DockerInstaller.exe' Install --quiet; Remove-Item '$env:TEMP\\DockerInstaller.exe' -Force -ErrorAction SilentlyContinue"
+          ], { stdio: "inherit" });
+          installed = true;
+          log.success("Docker Desktop installed via direct download.");
+        } catch {
+          throw new Error(
+            "Failed to install Docker Desktop on Windows.\n\n  Please install Docker Desktop manually:\n    1. Download from https://www.docker.com/products/docker-desktop\n    2. Run the installer and follow the prompts\n    3. Start Docker Desktop\n    4. Re-run: buildwithnexus init"
+          );
+        }
+      }
+      log.step("Launching Docker...");
+      try {
+        await execa("powershell", ["-Command", "Start-Process 'Docker Desktop'"], { stdio: "inherit" });
+        log.dim("Docker Desktop launch command sent.");
+      } catch {
+        log.warn("Could not launch Docker Desktop automatically after install.");
+      }
+      log.step("Waiting for Docker...");
+      try {
+        await waitForDockerDaemon(12e4);
+      } catch {
+        throw new Error(
+          "Docker Desktop was installed but did not start within 120 seconds.\n\n  Next steps:\n    1. You may need to restart your computer for Docker to work\n    2. Open Docker Desktop from the Start Menu\n    3. Wait for the whale icon to appear in the system tray\n    4. Re-run: buildwithnexus init"
+        );
+      }
+      break;
+    }
+    default:
+      throw new Error(`Unsupported platform: ${p.os}`);
+  }
+}
+async function waitForDockerDaemon(timeoutMs) {
+  const start = Date.now();
+  log.step("Waiting for Docker daemon...");
+  while (Date.now() - start < timeoutMs) {
+    try {
+      await execa("docker", ["info"]);
+      log.success("Docker daemon is ready");
+      return;
+    } catch {
+    }
+    await new Promise((r) => setTimeout(r, 3e3));
+  }
+  throw new Error(
+    `Docker daemon did not become ready within ${Math.round(timeoutMs / 1e3)}s.
+
+  Please ensure Docker is running, then re-run:
+    buildwithnexus init`
+  );
+}
+async function imageExistsLocally(image, tag) {
+  const ref = `${image}:${tag}`;
+  try {
+    await execa("docker", ["image", "inspect", ref]);
+    return true;
+  } catch {
+    return false;
   }
 }
-function showBanner() {
-  console.log(BANNER);
-  console.log(chalk.dim(`  v${getVersion()} \xB7 buildwithnexus.dev
-`));
+async function pullImage(image, tag) {
+  const ref = `${image}:${tag}`;
+  log.step(`Pulling image ${ref}...`);
+  try {
+    await execa("docker", ["pull", ref], { stdio: "inherit" });
+    log.success(`Image ${ref} pulled`);
+  } catch (err) {
+    log.error(`Failed to pull image ${ref}`);
+    throw err;
+  }
 }
-function showPhase(phase, total, description) {
-  const progress = chalk.cyan(`[${phase}/${total}]`);
-  console.log(`
-${progress} ${chalk.bold(description)}`);
+async function startNexus(keys, config) {
+  log.step("Starting NEXUS container...");
+  try {
+    await execa("docker", [
+      "run",
+      "-d",
+      "--name",
+      CONTAINER_NAME,
+      "-e",
+      `ANTHROPIC_API_KEY=${keys.anthropic}`,
+      "-e",
+      `OPENAI_API_KEY=${keys.openai}`,
+      "-p",
+      `${config.port}:${config.port}`,
+      "buildwithnexus/nexus:latest"
+    ]);
+    log.success(`NEXUS container started on port ${config.port}`);
+  } catch (err) {
+    log.error("Failed to start NEXUS container");
+    throw err;
+  }
 }
-function showSecurityPosture() {
-  const lines = [
-    "",
-    chalk.bold("  \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557"),
-    chalk.bold("  \u2551  ") + chalk.bold.green("Security Posture") + chalk.bold("                                        \u2551"),
-    chalk.bold("  \u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563"),
-    chalk.bold("  \u2551  ") + chalk.green("\u2713") + chalk.white(" Triple-nested isolation: Host \u2192 VM \u2192 Docker \u2192 KVM".padEnd(54)) + chalk.bold("\u2551"),
-    chalk.bold("  \u2551  ") + chalk.green("\u2713") + chalk.white(" Network hardened: UFW deny-all, allow 22/80/443/4200".padEnd(54)) + chalk.bold("\u2551"),
-    chalk.bold("  \u2551  ") + chalk.green("\u2713") + chalk.white(" All databases encrypted at rest (AES-256-CBC)".padEnd(54)) + chalk.bold("\u2551"),
-    chalk.bold("  \u2551  ") + chalk.green("\u2713") + chalk.white(" API keys never embedded in VM \u2014 delivered via SCP".padEnd(54)) + chalk.bold("\u2551"),
-    chalk.bold("  \u2551  ") + chalk.green("\u2713") + chalk.white(" SSH-only communication (no exposed network ports)".padEnd(54)) + chalk.bold("\u2551"),
-    chalk.bold("  \u2551  ") + chalk.green("\u2713") + chalk.white(" DLP: secret detection, shell escaping, output redaction".padEnd(54)) + chalk.bold("\u2551"),
-    chalk.bold("  \u2551  ") + chalk.green("\u2713") + chalk.white(" HMAC integrity verification on all key files".padEnd(54)) + chalk.bold("\u2551"),
-    chalk.bold("  \u2551  ") + chalk.green("\u2713") + chalk.white(" Docker: --read-only, no-new-privileges, cap-drop=ALL".padEnd(54)) + chalk.bold("\u2551"),
-    chalk.bold("  \u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563"),
-    chalk.bold("  \u2551  ") + chalk.dim("Full details: https://buildwithnexus.dev/security".padEnd(55)) + chalk.bold("\u2551"),
-    chalk.bold("  \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D"),
-    ""
-  ];
-  console.log(lines.join("\n"));
+async function stopNexus() {
+  log.step("Stopping NEXUS container...");
+  try {
+    await execa("docker", ["rm", "-f", CONTAINER_NAME]);
+    log.success("NEXUS container stopped and removed");
+  } catch (err) {
+    log.error("Failed to stop NEXUS container");
+    throw err;
+  }
 }
-function showCompletion(urls) {
-  const lines = [
-    "",
-    chalk.green("  \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557"),
-    chalk.green("  \u2551  ") + chalk.bold.green("NEXUS Runtime is Live!") + chalk.green("                                 \u2551"),
-    chalk.green("  \u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563"),
-    chalk.green("  \u2551  ") + chalk.white(`Connect:    ${urls.ssh}`.padEnd(55)) + chalk.green("\u2551")
-  ];
-  if (urls.remote) {
-    lines.push(chalk.green("  \u2551  ") + chalk.white(`Remote:     ${urls.remote}`.padEnd(55)) + chalk.green("\u2551"));
+async function dockerExec(command) {
+  try {
+    const { stdout, stderr } = await execa("docker", ["exec", CONTAINER_NAME, "sh", "-c", command]);
+    return { stdout, stderr, code: 0 };
+  } catch (err) {
+    const e = err;
+    return { stdout: e.stdout ?? "", stderr: e.stderr ?? "", code: e.exitCode ?? 1 };
   }
-  lines.push(
-    chalk.green("  \u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563"),
-    chalk.green("  \u2551  ") + chalk.dim("Quick Start:".padEnd(55)) + chalk.green("\u2551"),
-    chalk.green("  \u2551  ") + chalk.white("  buildwithnexus           - Interactive shell".padEnd(55)) + chalk.green("\u2551"),
-    chalk.green("  \u2551  ") + chalk.white("  buildwithnexus brainstorm - Brainstorm ideas".padEnd(55)) + chalk.green("\u2551"),
-    chalk.green("  \u2551  ") + chalk.white("  buildwithnexus status    - Check health".padEnd(55)) + chalk.green("\u2551"),
-    chalk.green("  \u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563"),
-    chalk.green("  \u2551  ") + chalk.dim("All commands:".padEnd(55)) + chalk.green("\u2551"),
-    chalk.green("  \u2551  ") + chalk.white("  buildwithnexus stop/start/update/logs/ssh/destroy".padEnd(55)) + chalk.green("\u2551"),
-    chalk.green("  \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D"),
-    ""
-  );
-  console.log(lines.join("\n"));
 }
-var BANNER;
-var init_banner = __esm({
-  "src/ui/banner.ts"() {
-    "use strict";
-    BANNER = `
-  \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557
-  \u2551       ${chalk.bold.cyan("B U I L D   W I T H   N E X U S")}        \u2551
-  \u2551                                              \u2551
-  \u2551   Autonomous AI Runtime \xB7 Nested Isolation   \u2551
-  \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D
-`;
+async function isNexusRunning() {
+  try {
+    const { stdout } = await execa("docker", [
+      "ps",
+      "--filter",
+      `name=^/${CONTAINER_NAME}$`,
+      "--format",
+      "{{.Names}}"
+    ]);
+    return stdout.trim() === CONTAINER_NAME;
+  } catch {
+    return false;
+  }
+}
+
+// src/commands/install.ts
+var installCommand = new Command("install").description("Install Docker and configure system prerequisites").action(async () => {
+  const spinner = createSpinner("");
+  log.step("Checking Docker installation...");
+  const alreadyInstalled = await isDockerInstalled();
+  if (alreadyInstalled) {
+    try {
+      const { stdout } = await execa2("docker", ["--version"]);
+      log.success(`Docker is already installed and running: ${stdout.trim()}`);
+    } catch {
+      log.success("Docker is already installed and running.");
+    }
+    return;
+  }
+  const platform = detectPlatform();
+  log.step(`Installing Docker for ${platform.os} (${platform.arch})...`);
+  try {
+    await installDocker(platform);
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    log.error(`Docker installation failed: ${msg}`);
+    process.exit(1);
+  }
+  spinner.text = "Verifying Docker installation...";
+  spinner.start();
+  const verified = await isDockerInstalled();
+  if (!verified) {
+    fail(spinner, "Docker installation could not be verified");
+    log.error(
+      "Docker was installed but is not responding.\n\n  Please ensure Docker is running, then verify with:\n    docker --version\n\n  Once Docker is running, you can proceed with:\n    buildwithnexus init"
+    );
+    process.exit(1);
+  }
+  try {
+    const { stdout } = await execa2("docker", ["--version"]);
+    succeed(spinner, `Docker verified: ${stdout.trim()}`);
+  } catch {
+    succeed(spinner, "Docker is installed and running");
   }
+  log.success("\nDocker setup complete! You can now run:\n\n  buildwithnexus init\n");
 });
 
+// src/commands/init.ts
+init_banner();
+import { Command as Command2 } from "commander";
+import chalk7 from "chalk";
+
+// src/ui/prompts.ts
+import { confirm as confirm2, password } from "@inquirer/prompts";
+import chalk6 from "chalk";
+
 // src/core/dlp.ts
 import crypto from "crypto";
-import fs from "fs";
-import path from "path";
-function yamlEscape(value) {
-  return value.replace(/\\/g, "\\\\").replace(/"/g, '\\"').replace(/\n/g, "\\n").replace(/\r/g, "\\r").replace(/\t/g, "\\t").replace(/\0/g, "");
-}
+import fs2 from "fs";
+import path3 from "path";
+var NEXUS_HOME = path3.join(process.env.HOME || "~", ".buildwithnexus");
+var SECRET_PATTERNS = [
+  /sk-ant-api03-[A-Za-z0-9_-]{20,}/g,
+  // Anthropic API key
+  /sk-[A-Za-z0-9]{20,}/g,
+  // OpenAI API key
+  /AIza[A-Za-z0-9_-]{35}/g
+  // Google AI API key
+];
+var FORBIDDEN_KEY_CHARS = /[\n\r\t'"\\`${}();&|<>!#%^]/;
+var KEY_VALIDATORS = {
+  ANTHROPIC_API_KEY: /^sk-ant-[A-Za-z0-9_-]{20,}$/,
+  OPENAI_API_KEY: /^sk-[A-Za-z0-9_-]{20,}$/,
+  GOOGLE_API_KEY: /^AIza[A-Za-z0-9_-]{35,}$/,
+  NEXUS_MASTER_SECRET: /^[A-Za-z0-9_-]{20,64}$/
+};
 function shellEscape(value) {
   if (value.includes("\0")) {
     throw new DlpViolation("Null byte in shell argument");
@@ -139,6 +1491,12 @@ function redactError(err) {
   }
   return new Error(redact(String(err)));
 }
+var DlpViolation = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "DlpViolation";
+  }
+};
 function validateKeyValue(keyName, value) {
   if (FORBIDDEN_KEY_CHARS.test(value)) {
     throw new DlpViolation(
@@ -169,21 +1527,22 @@ function validateAllKeys(keys) {
   }
   return violations;
 }
+var HMAC_PATH = path3.join(NEXUS_HOME, ".keys.hmac");
 function computeFileHmac(filePath, secret) {
-  const content = fs.readFileSync(filePath);
+  const content = fs2.readFileSync(filePath);
   return crypto.createHmac("sha256", secret).update(content).digest("hex");
 }
 function sealKeysFile(keysPath, masterSecret) {
   const hmac = computeFileHmac(keysPath, masterSecret);
-  fs.writeFileSync(HMAC_PATH, hmac, { mode: 384 });
+  fs2.writeFileSync(HMAC_PATH, hmac, { mode: 384 });
 }
 function verifyKeysFile(keysPath, masterSecret) {
-  const keysExist = fs.existsSync(keysPath);
-  const hmacExist = fs.existsSync(HMAC_PATH);
+  const keysExist = fs2.existsSync(keysPath);
+  const hmacExist = fs2.existsSync(HMAC_PATH);
   if (!keysExist && !hmacExist) return true;
   if (keysExist && !hmacExist) return false;
   try {
-    const stored = fs.readFileSync(HMAC_PATH, "utf-8").trim();
+    const stored = fs2.readFileSync(HMAC_PATH, "utf-8").trim();
     const computed = computeFileHmac(keysPath, masterSecret);
     return crypto.timingSafeEqual(
       Buffer.from(stored, "hex"),
@@ -193,624 +1552,38 @@ function verifyKeysFile(keysPath, masterSecret) {
     return false;
   }
 }
+var AUDIT_PATH = path3.join(NEXUS_HOME, "audit.log");
+var MAX_AUDIT_SIZE = 10 * 1024 * 1024;
 function audit(event, detail = "") {
   try {
-    const dir = path.dirname(AUDIT_PATH);
-    if (!fs.existsSync(dir)) return;
-    if (fs.existsSync(AUDIT_PATH)) {
-      const stat = fs.statSync(AUDIT_PATH);
+    const dir = path3.dirname(AUDIT_PATH);
+    if (!fs2.existsSync(dir)) return;
+    if (fs2.existsSync(AUDIT_PATH)) {
+      const stat = fs2.statSync(AUDIT_PATH);
       if (stat.size > MAX_AUDIT_SIZE) {
         const rotated = AUDIT_PATH + ".1";
-        if (fs.existsSync(rotated)) fs.unlinkSync(rotated);
-        fs.renameSync(AUDIT_PATH, rotated);
+        if (fs2.existsSync(rotated)) fs2.unlinkSync(rotated);
+        fs2.renameSync(AUDIT_PATH, rotated);
         try {
-          fs.chmodSync(rotated, 384);
+          fs2.chmodSync(rotated, 384);
         } catch {
         }
       }
     }
     const line = `${(/* @__PURE__ */ new Date()).toISOString()} | ${event} | ${redact(detail)}
 `;
-    fs.appendFileSync(AUDIT_PATH, line, { mode: 384 });
-    try {
-      fs.chmodSync(AUDIT_PATH, 384);
-    } catch {
-    }
-  } catch {
-  }
-}
-function scrubEnv() {
-  const clean = { ...process.env };
-  for (const key of SCRUB_KEYS) {
-    delete clean[key];
-  }
-  for (const [key, value] of Object.entries(clean)) {
-    if (value) {
-      for (const pattern of SECRET_PATTERNS) {
-        pattern.lastIndex = 0;
-        if (pattern.test(value)) {
-          delete clean[key];
-          break;
-        }
-      }
-    }
-  }
-  return clean;
-}
-var NEXUS_HOME, SECRET_PATTERNS, FORBIDDEN_KEY_CHARS, KEY_VALIDATORS, DlpViolation, HMAC_PATH, AUDIT_PATH, MAX_AUDIT_SIZE, SCRUB_KEYS;
-var init_dlp = __esm({
-  "src/core/dlp.ts"() {
-    "use strict";
-    NEXUS_HOME = path.join(process.env.HOME || "~", ".buildwithnexus");
-    SECRET_PATTERNS = [
-      /sk-ant-api03-[A-Za-z0-9_-]{20,}/g,
-      // Anthropic API key
-      /sk-[A-Za-z0-9]{20,}/g,
-      // OpenAI API key
-      /AIza[A-Za-z0-9_-]{35}/g
-      // Google AI API key
-    ];
-    FORBIDDEN_KEY_CHARS = /[\n\r\t'"\\`${}();&|<>!#%^]/;
-    KEY_VALIDATORS = {
-      ANTHROPIC_API_KEY: /^sk-ant-[A-Za-z0-9_-]{20,}$/,
-      OPENAI_API_KEY: /^sk-[A-Za-z0-9_-]{20,}$/,
-      GOOGLE_API_KEY: /^AIza[A-Za-z0-9_-]{35,}$/,
-      NEXUS_MASTER_SECRET: /^[A-Za-z0-9_-]{20,64}$/
-    };
-    DlpViolation = class extends Error {
-      constructor(message) {
-        super(message);
-        this.name = "DlpViolation";
-      }
-    };
-    HMAC_PATH = path.join(NEXUS_HOME, ".keys.hmac");
-    AUDIT_PATH = path.join(NEXUS_HOME, "audit.log");
-    MAX_AUDIT_SIZE = 10 * 1024 * 1024;
-    SCRUB_KEYS = [
-      "ANTHROPIC_API_KEY",
-      "OPENAI_API_KEY",
-      "GOOGLE_API_KEY",
-      "NEXUS_MASTER_SECRET",
-      "NEXUS_SECRET",
-      "AWS_SECRET_ACCESS_KEY",
-      "AWS_SESSION_TOKEN",
-      "GITHUB_TOKEN",
-      "GH_TOKEN",
-      "NPM_TOKEN",
-      "DOCKER_PASSWORD",
-      "CI_JOB_TOKEN"
-    ];
-  }
-});
-
-// src/core/secrets.ts
-var secrets_exports = {};
-__export(secrets_exports, {
-  CONFIG_PATH: () => CONFIG_PATH,
-  KEYS_PATH: () => KEYS_PATH,
-  NEXUS_HOME: () => NEXUS_HOME2,
-  ensureHome: () => ensureHome,
-  generateMasterSecret: () => generateMasterSecret,
-  loadConfig: () => loadConfig,
-  loadKeys: () => loadKeys,
-  maskKey: () => maskKey,
-  saveConfig: () => saveConfig,
-  saveKeys: () => saveKeys
-});
-import fs2 from "fs";
-import path2 from "path";
-import crypto2 from "crypto";
-function ensureHome() {
-  fs2.mkdirSync(NEXUS_HOME2, { recursive: true, mode: 448 });
-  fs2.mkdirSync(path2.join(NEXUS_HOME2, "vm", "images"), { recursive: true, mode: 448 });
-  fs2.mkdirSync(path2.join(NEXUS_HOME2, "vm", "configs"), { recursive: true, mode: 448 });
-  fs2.mkdirSync(path2.join(NEXUS_HOME2, "vm", "logs"), { recursive: true, mode: 448 });
-  fs2.mkdirSync(path2.join(NEXUS_HOME2, "ssh"), { recursive: true, mode: 448 });
-}
-function generateMasterSecret() {
-  return crypto2.randomBytes(32).toString("base64url");
-}
-function saveConfig(config) {
-  const { masterSecret: _secret, ...safeConfig } = config;
-  fs2.writeFileSync(CONFIG_PATH, JSON.stringify(safeConfig, null, 2), { mode: 384 });
-}
-function loadConfig() {
-  if (!fs2.existsSync(CONFIG_PATH)) return null;
-  return JSON.parse(fs2.readFileSync(CONFIG_PATH, "utf-8"));
-}
-function saveKeys(keys) {
-  const violations = validateAllKeys(keys);
-  if (violations.length > 0) {
-    throw new DlpViolation(`Key validation failed: ${violations.join("; ")}`);
-  }
-  const lines = Object.entries(keys).filter(([, v]) => v).map(([k, v]) => `${k}=${v}`);
-  fs2.writeFileSync(KEYS_PATH, lines.join("\n") + "\n", { mode: 384 });
-  sealKeysFile(KEYS_PATH, keys.NEXUS_MASTER_SECRET);
-  audit("keys_saved", `${Object.keys(keys).filter((k) => keys[k]).length} keys saved`);
-}
-function loadKeys() {
-  if (!fs2.existsSync(KEYS_PATH)) return null;
-  const content = fs2.readFileSync(KEYS_PATH, "utf-8");
-  const keys = {};
-  for (const line of content.split("\n")) {
-    const eq = line.indexOf("=");
-    if (eq > 0) keys[line.slice(0, eq)] = line.slice(eq + 1);
-  }
-  const result = keys;
-  if (result.NEXUS_MASTER_SECRET && !verifyKeysFile(KEYS_PATH, result.NEXUS_MASTER_SECRET)) {
-    audit("keys_tampered", "HMAC mismatch on .env.keys");
-    throw new DlpViolation(
-      ".env.keys has been modified outside of buildwithnexus. Run 'buildwithnexus keys set' to re-enter your keys, or 'buildwithnexus destroy' to start fresh."
-    );
-  }
-  audit("keys_loaded", `${Object.keys(keys).length} keys loaded`);
-  return result;
-}
-function maskKey(key) {
-  if (key.length <= 8) return "***";
-  const reveal = Math.min(4, Math.floor(key.length * 0.1));
-  return key.slice(0, reveal) + "..." + key.slice(-reveal);
-}
-var NEXUS_HOME2, CONFIG_PATH, KEYS_PATH;
-var init_secrets = __esm({
-  "src/core/secrets.ts"() {
-    "use strict";
-    init_dlp();
-    NEXUS_HOME2 = process.env.NEXUS_HOME || path2.join(process.env.HOME || "~", ".buildwithnexus");
-    CONFIG_PATH = process.env.NEXUS_CONFIG_PATH || path2.join(NEXUS_HOME2, "config.json");
-    KEYS_PATH = process.env.NEXUS_KEYS_PATH || path2.join(NEXUS_HOME2, ".env.keys");
-  }
-});
-
-// src/core/qemu.ts
-var qemu_exports = {};
-__export(qemu_exports, {
-  createDisk: () => createDisk,
-  downloadImage: () => downloadImage,
-  getVmPid: () => getVmPid,
-  installQemu: () => installQemu,
-  isQemuInstalled: () => isQemuInstalled,
-  isVmRunning: () => isVmRunning,
-  launchVm: () => launchVm,
-  resolvePortConflicts: () => resolvePortConflicts,
-  stopVm: () => stopVm
-});
-import fs3 from "fs";
-import net from "net";
-import path3 from "path";
-import { execa, execaSync } from "execa";
-import { select } from "@inquirer/prompts";
-import chalk5 from "chalk";
-async function isQemuInstalled(platform) {
-  try {
-    await execa(platform.qemuBinary, ["--version"], { env: scrubEnv() });
-    return true;
-  } catch {
-    return false;
-  }
-}
-async function installQemu(platform) {
-  if (platform.os === "mac") {
-    await execa("brew", ["install", "qemu", "cdrtools"], { stdio: "inherit", env: scrubEnv() });
-  } else if (platform.os === "linux") {
-    let hasApt = false;
-    try {
-      await execa("which", ["apt-get"], { env: scrubEnv() });
-      hasApt = true;
-    } catch {
-    }
-    if (hasApt) {
-      await execa("sudo", ["apt-get", "update"], { stdio: "inherit", env: scrubEnv() });
-      await execa("sudo", ["apt-get", "install", "-y", "qemu-system", "qemu-utils", "genisoimage"], { stdio: "inherit", env: scrubEnv() });
-    } else {
-      await execa("sudo", ["yum", "install", "-y", "qemu-system-arm", "qemu-system-x86", "qemu-img", "genisoimage"], { stdio: "inherit", env: scrubEnv() });
-    }
-  } else {
-    throw new Error("Windows: Please install QEMU manually from https://www.qemu.org/download/#windows");
-  }
-}
-async function downloadImage(platform) {
-  const imagePath = path3.join(IMAGES_DIR, platform.ubuntuImage);
-  if (fs3.existsSync(imagePath)) return imagePath;
-  const url = `${UBUNTU_BASE_URL}/${platform.ubuntuImage}`;
-  await execa("curl", ["-L", "-C", "-", "-o", imagePath, "--progress-bar", url], { stdio: "inherit", env: scrubEnv() });
-  return imagePath;
-}
-async function createDisk(basePath, sizeGb) {
-  const diskPath = path3.join(IMAGES_DIR, "nexus-vm-disk.qcow2");
-  if (fs3.existsSync(diskPath)) return diskPath;
-  await execa("qemu-img", ["create", "-f", "qcow2", "-b", basePath, "-F", "qcow2", diskPath, `${sizeGb}G`], { env: scrubEnv() });
-  return diskPath;
-}
-function tryBind(port, host) {
-  return new Promise((resolve) => {
-    const server = net.createServer();
-    server.once("error", () => resolve(false));
-    server.once("listening", () => {
-      server.close(() => resolve(true));
-    });
-    server.listen(port, host);
-  });
-}
-async function isPortFree(port) {
-  const free0 = await tryBind(port, "0.0.0.0");
-  if (!free0) return false;
-  const free1 = await tryBind(port, "127.0.0.1");
-  return free1;
-}
-async function getPortBlocker(port) {
-  try {
-    const { stdout } = await execa("lsof", ["-i", `:${port}`, "-t", "-sTCP:LISTEN"], { env: scrubEnv() });
-    const pid = parseInt(stdout.trim().split("\n")[0], 10);
-    if (!pid) return null;
-    try {
-      const { stdout: psOut } = await execa("ps", ["-p", String(pid), "-o", "comm="], { env: scrubEnv() });
-      return { port, pid, process: psOut.trim() };
-    } catch {
-      return { port, pid, process: "unknown" };
-    }
-  } catch {
-    return null;
-  }
-}
-async function findFreePort(preferred, max = 20) {
-  for (let offset = 0; offset < max; offset++) {
-    if (await isPortFree(preferred + offset)) return preferred + offset;
-  }
-  throw new Error(`No free port found near ${preferred}`);
-}
-async function resolvePortConflicts(ports) {
-  const labels = { ssh: "SSH", http: "HTTP", https: "HTTPS" };
-  const resolved = { ...ports };
-  for (const [key, port] of Object.entries(ports)) {
-    if (await isPortFree(port)) continue;
-    const blocker = await getPortBlocker(port);
-    const desc = blocker ? `${blocker.process} (PID ${blocker.pid})` : "unknown process";
-    const altPort = await findFreePort(port + 1).catch(() => null);
-    const choices = [];
-    if (blocker) {
-      choices.push({
-        name: `Kill ${desc} and use port ${port}`,
-        value: "kill"
-      });
-    }
-    if (altPort) {
-      choices.push({
-        name: `Use alternate port ${altPort} instead`,
-        value: "alt"
-      });
-    }
-    choices.push({ name: "Abort init", value: "abort" });
-    console.log("");
-    console.log(chalk5.yellow(`  \u26A0 Port ${port} (${labels[key]}) is in use by ${desc}`));
-    const action = await select({
-      message: `How would you like to resolve the ${labels[key]} port conflict?`,
-      choices
-    });
-    if (action === "kill" && blocker) {
-      try {
-        process.kill(blocker.pid, "SIGTERM");
-        await new Promise((r) => setTimeout(r, 1e3));
-        if (!await isPortFree(port)) {
-          process.kill(blocker.pid, "SIGKILL");
-          await new Promise((r) => setTimeout(r, 500));
-        }
-        console.log(chalk5.green(`  \u2713 Killed ${desc}, port ${port} is now free`));
-      } catch {
-        console.log(chalk5.red(`  \u2717 Failed to kill PID ${blocker.pid}. Try: sudo kill ${blocker.pid}`));
-        process.exit(1);
-      }
-    } else if (action === "alt" && altPort) {
-      resolved[key] = altPort;
-      console.log(chalk5.green(`  \u2713 Using port ${altPort} for ${labels[key]}`));
-    } else {
-      console.log(chalk5.dim("  Init aborted."));
-      process.exit(0);
-    }
-  }
-  return resolved;
-}
-async function launchVm(platform, diskPath, initIsoPath, ram, cpus, ports) {
-  const machineArgs = platform.os === "mac" ? ["-machine", "virt,gic-version=3"] : ["-machine", "pc"];
-  const biosArgs = fs3.existsSync(platform.biosPath) ? ["-bios", platform.biosPath] : [];
-  const buildArgs = (cpuArgs) => [
-    ...machineArgs,
-    ...cpuArgs,
-    "-m",
-    `${ram}G`,
-    "-smp",
-    `${cpus}`,
-    "-drive",
-    `file=${diskPath},if=virtio,cache=writethrough`,
-    "-drive",
-    `file=${initIsoPath},if=virtio,format=raw,cache=writethrough`,
-    "-display",
-    "none",
-    "-serial",
-    "none",
-    "-net",
-    "nic,model=virtio",
-    "-net",
-    `user,hostfwd=tcp::${ports.ssh}-:22,hostfwd=tcp::${ports.http}-:4200,hostfwd=tcp::${ports.https}-:443`,
-    ...biosArgs,
-    "-pidfile",
-    PID_FILE,
-    "-daemonize"
-  ];
-  try {
-    await execa(platform.qemuBinary, buildArgs(platform.qemuCpuFlag.split(" ")), { env: scrubEnv() });
-  } catch {
-    const fallbackCpu = platform.os === "mac" ? ["-cpu", "max"] : ["-cpu", "qemu64"];
-    await execa(platform.qemuBinary, buildArgs(fallbackCpu), { env: scrubEnv() });
-  }
-  return ports;
-}
-function readValidPid() {
-  if (!fs3.existsSync(PID_FILE)) return null;
-  const raw = fs3.readFileSync(PID_FILE, "utf-8").trim();
-  const pid = parseInt(raw, 10);
-  if (!Number.isInteger(pid) || pid <= 1 || pid > 4194304) return null;
-  return pid;
-}
-function isQemuPid(pid) {
-  try {
-    const { stdout } = execaSync("ps", ["-p", String(pid), "-o", "comm="], { env: scrubEnv() });
-    return stdout.trim().toLowerCase().includes("qemu");
-  } catch {
-    return false;
-  }
-}
-function isVmRunning() {
-  const pid = readValidPid();
-  if (!pid) return false;
-  try {
-    process.kill(pid, 0);
-    return true;
-  } catch {
-    return false;
-  }
-}
-function stopVm() {
-  const pid = readValidPid();
-  if (!pid) return;
-  if (!isQemuPid(pid)) {
-    try {
-      fs3.unlinkSync(PID_FILE);
-    } catch {
-    }
-    return;
-  }
-  try {
-    process.kill(pid, "SIGTERM");
-  } catch {
-  }
-  try {
-    fs3.unlinkSync(PID_FILE);
-  } catch {
-  }
-}
-function getVmPid() {
-  return readValidPid();
-}
-var VM_DIR, IMAGES_DIR, PID_FILE, UBUNTU_BASE_URL;
-var init_qemu = __esm({
-  "src/core/qemu.ts"() {
-    "use strict";
-    init_secrets();
-    init_dlp();
-    VM_DIR = path3.join(NEXUS_HOME2, "vm");
-    IMAGES_DIR = path3.join(VM_DIR, "images");
-    PID_FILE = path3.join(VM_DIR, "qemu.pid");
-    UBUNTU_BASE_URL = "https://cloud-images.ubuntu.com/jammy/current";
-  }
-});
-
-// src/core/ssh.ts
-var ssh_exports = {};
-__export(ssh_exports, {
-  addSshConfig: () => addSshConfig,
-  generateSshKey: () => generateSshKey,
-  getKeyPath: () => getKeyPath,
-  getPubKey: () => getPubKey,
-  openInteractiveSsh: () => openInteractiveSsh,
-  sshExec: () => sshExec,
-  sshUploadFile: () => sshUploadFile,
-  waitForSsh: () => waitForSsh
-});
-import fs4 from "fs";
-import path4 from "path";
-import crypto3 from "crypto";
-import { execa as execa2 } from "execa";
-import { NodeSSH } from "node-ssh";
-function getHostVerifier() {
-  if (!fs4.existsSync(PINNED_HOST_KEY)) {
-    return (key) => {
-      const fp = crypto3.createHash("sha256").update(key).digest("base64");
-      fs4.writeFileSync(PINNED_HOST_KEY, fp, { mode: 384 });
-      audit("ssh_exec", `host key pinned: SHA256:${fp}`);
-      return true;
-    };
-  }
-  const pinned = fs4.readFileSync(PINNED_HOST_KEY, "utf-8").trim();
-  return (key) => {
-    const fp = crypto3.createHash("sha256").update(key).digest("base64");
-    const match = fp === pinned;
-    if (!match) audit("ssh_exec", `host key mismatch: expected ${pinned}, got ${fp}`);
-    return match;
-  };
-}
-function getKeyPath() {
-  return SSH_KEY;
-}
-function getPubKey() {
-  return fs4.readFileSync(SSH_PUB_KEY, "utf-8").trim();
-}
-async function generateSshKey() {
-  if (fs4.existsSync(SSH_KEY)) return;
-  fs4.mkdirSync(SSH_DIR, { recursive: true });
-  await execa2("ssh-keygen", [
-    "-t",
-    "ed25519",
-    "-f",
-    SSH_KEY,
-    "-N",
-    "",
-    "-C",
-    "buildwithnexus@localhost",
-    "-q"
-  ], { env: scrubEnv() });
-  fs4.chmodSync(SSH_KEY, 384);
-  fs4.chmodSync(SSH_PUB_KEY, 420);
-}
-function addSshConfig(port) {
-  const sshConfigPath = path4.join(process.env.HOME || "~", ".ssh", "config");
-  const sshDir = path4.dirname(sshConfigPath);
-  fs4.mkdirSync(sshDir, { recursive: true });
-  const block = [
-    "",
-    "Host nexus-vm",
-    "    HostName localhost",
-    `    Port ${port}`,
-    "    User nexus",
-    `    IdentityFile ${SSH_KEY}`,
-    "    StrictHostKeyChecking accept-new",
-    `    UserKnownHostsFile ${KNOWN_HOSTS}`,
-    "    ServerAliveInterval 60",
-    ""
-  ].join("\n");
-  if (fs4.existsSync(sshConfigPath)) {
-    const existing = fs4.readFileSync(sshConfigPath, "utf-8");
-    if (existing.includes("Host nexus-vm")) return;
-    fs4.appendFileSync(sshConfigPath, block);
-  } else {
-    fs4.writeFileSync(sshConfigPath, block, { mode: 384 });
-  }
-}
-async function waitForSsh(port, timeoutMs = 9e5) {
-  const start = Date.now();
-  while (Date.now() - start < timeoutMs) {
+    fs2.appendFileSync(AUDIT_PATH, line, { mode: 384 });
     try {
-      const ssh = new NodeSSH();
-      await ssh.connect({
-        host: "localhost",
-        port,
-        username: "nexus",
-        privateKeyPath: SSH_KEY,
-        readyTimeout: 1e4,
-        hostVerifier: getHostVerifier()
-      });
-      ssh.dispose();
-      return true;
+      fs2.chmodSync(AUDIT_PATH, 384);
     } catch {
-      await new Promise((r) => setTimeout(r, 1e4));
     }
+  } catch {
   }
-  return false;
-}
-async function sshExec(port, command) {
-  audit("ssh_exec", redact(command));
-  const ssh = new NodeSSH();
-  await ssh.connect({
-    host: "localhost",
-    port,
-    username: "nexus",
-    privateKeyPath: SSH_KEY,
-    readyTimeout: 3e4,
-    hostVerifier: getHostVerifier()
-  });
-  const result = await ssh.execCommand(command);
-  ssh.dispose();
-  return { stdout: redact(result.stdout), stderr: redact(result.stderr), code: result.code ?? 0 };
-}
-async function sshUploadFile(port, localPath, remotePath) {
-  const ssh = new NodeSSH();
-  await ssh.connect({
-    host: "localhost",
-    port,
-    username: "nexus",
-    privateKeyPath: SSH_KEY,
-    hostVerifier: getHostVerifier()
-  });
-  await ssh.putFile(localPath, remotePath);
-  ssh.dispose();
-}
-async function openInteractiveSsh(port) {
-  await execa2("ssh", ["nexus-vm"], { stdio: "inherit", env: scrubEnv() });
-}
-var SSH_DIR, SSH_KEY, SSH_PUB_KEY, KNOWN_HOSTS, PINNED_HOST_KEY;
-var init_ssh = __esm({
-  "src/core/ssh.ts"() {
-    "use strict";
-    init_secrets();
-    init_dlp();
-    SSH_DIR = path4.join(NEXUS_HOME2, "ssh");
-    SSH_KEY = path4.join(SSH_DIR, "id_nexus_vm");
-    SSH_PUB_KEY = path4.join(SSH_DIR, "id_nexus_vm.pub");
-    KNOWN_HOSTS = path4.join(SSH_DIR, "known_hosts_nexus_vm");
-    PINNED_HOST_KEY = path4.join(SSH_DIR, "vm_host_key.pin");
-  }
-});
-
-// src/cli.ts
-import { Command as Command14 } from "commander";
-import { readFileSync as readFileSync2 } from "fs";
-import { dirname as dirname2, join as join2 } from "path";
-import { fileURLToPath as fileURLToPath4 } from "url";
-
-// src/commands/init.ts
-init_banner();
-import { Command } from "commander";
-import chalk6 from "chalk";
-
-// src/ui/spinner.ts
-import ora from "ora";
-import chalk2 from "chalk";
-function createSpinner(text) {
-  return ora({ text, color: "cyan", spinner: "dots" });
-}
-function succeed(spinner, text) {
-  spinner.succeed(chalk2.green(text));
-}
-function fail(spinner, text) {
-  spinner.fail(chalk2.red(text));
 }
 
-// src/ui/logger.ts
-import chalk3 from "chalk";
-var log = {
-  step(msg) {
-    console.log(chalk3.cyan("  \u2192 ") + msg);
-  },
-  success(msg) {
-    console.log(chalk3.green("  \u2713 ") + msg);
-  },
-  error(msg) {
-    console.error(chalk3.red("  \u2717 ") + msg);
-  },
-  warn(msg) {
-    console.log(chalk3.yellow("  \u26A0 ") + msg);
-  },
-  dim(msg) {
-    console.log(chalk3.dim("    " + msg));
-  },
-  detail(label, value) {
-    console.log(chalk3.dim("    " + label + ": ") + value);
-  },
-  progress(current, total, label) {
-    const pct = Math.round(current / total * 100);
-    const filled = Math.round(current / total * 20);
-    const bar = chalk3.cyan("\u2588".repeat(filled)) + chalk3.dim("\u2591".repeat(20 - filled));
-    process.stdout.write(`\r  [${bar}] ${chalk3.bold(`${pct}%`)} ${chalk3.dim(label)}`);
-    if (current >= total) process.stdout.write("\n");
-  }
-};
-
 // src/ui/prompts.ts
-init_dlp();
-import { input, confirm, password } from "@inquirer/prompts";
-import chalk4 from "chalk";
 async function promptInitConfig() {
-  console.log(chalk4.bold("\n  API Keys\n"));
+  console.log(chalk6.bold("\n  API Keys\n"));
   const anthropicKey = await password({
     message: "Anthropic API key (required):",
     mask: "*",
@@ -851,42 +1624,7 @@ async function promptInitConfig() {
       return true;
     }
   });
-  console.log(chalk4.bold("\n  VM Resources\n"));
-  const vmRam = Number(
-    await input({
-      message: "VM RAM in GB:",
-      default: "4",
-      validate: (v) => {
-        const n = Number(v);
-        if (!Number.isInteger(n) || n < 2 || n > 256) return "Must be a whole number between 2 and 256";
-        return true;
-      }
-    })
-  );
-  const vmCpus = Number(
-    await input({
-      message: "VM CPUs:",
-      default: "2",
-      validate: (v) => {
-        const n = Number(v);
-        if (!Number.isInteger(n) || n < 1 || n > 64) return "Must be a whole number between 1 and 64";
-        return true;
-      }
-    })
-  );
-  const vmDisk = Number(
-    await input({
-      message: "VM Disk in GB:",
-      default: "20",
-      validate: (v) => {
-        const n = Number(v);
-        if (!Number.isInteger(n) || n < 10 || n > 2048) return "Must be a whole number between 10 and 2048";
-        return true;
-      }
-    })
-  );
-  console.log(chalk4.bold("\n  Configuration\n"));
-  const enableTunnel = await confirm({
+  const enableTunnel = await confirm2({
     message: "Enable Cloudflare tunnel for remote access?",
     default: true
   });
@@ -894,303 +1632,102 @@ async function promptInitConfig() {
     anthropicKey,
     openaiKey,
     googleKey,
-    vmRam,
-    vmCpus,
-    vmDisk,
     enableTunnel
   };
 }
 
-// src/core/platform.ts
-import os from "os";
-function detectPlatform() {
-  const platform = os.platform();
-  const arch = os.arch();
-  if (platform === "darwin") {
-    return {
-      os: "mac",
-      arch: arch === "arm64" ? "arm64" : "x64",
-      qemuBinary: "qemu-system-aarch64",
-      qemuCpuFlag: "-accel hvf -cpu host",
-      ubuntuImage: "jammy-server-cloudimg-arm64.img",
-      biosPath: "/opt/homebrew/share/qemu/edk2-aarch64-code.fd"
-    };
-  }
-  if (platform === "linux") {
-    return {
-      os: "linux",
-      arch: arch === "arm64" ? "arm64" : "x64",
-      qemuBinary: arch === "arm64" ? "qemu-system-aarch64" : "qemu-system-x86_64",
-      qemuCpuFlag: "-cpu host -enable-kvm",
-      ubuntuImage: arch === "arm64" ? "jammy-server-cloudimg-arm64.img" : "jammy-server-cloudimg-amd64.img",
-      biosPath: arch === "arm64" ? "/usr/share/qemu-efi-aarch64/QEMU_EFI.fd" : "/usr/share/OVMF/OVMF_CODE.fd"
-    };
-  }
-  if (platform === "win32") {
-    return {
-      os: "windows",
-      arch: "x64",
-      qemuBinary: "qemu-system-x86_64",
-      qemuCpuFlag: "-cpu qemu64",
-      ubuntuImage: "jammy-server-cloudimg-amd64.img",
-      biosPath: "C:\\Program Files\\qemu\\share\\edk2-x86_64-code.fd"
-    };
-  }
-  throw new Error(`Unsupported platform: ${platform} ${arch}`);
+// src/core/secrets.ts
+import fs3 from "fs";
+import path4 from "path";
+import crypto2 from "crypto";
+var NEXUS_HOME2 = process.env.NEXUS_HOME || path4.join(process.env.HOME || "~", ".buildwithnexus");
+var CONFIG_PATH = process.env.NEXUS_CONFIG_PATH || path4.join(NEXUS_HOME2, "config.json");
+var KEYS_PATH = process.env.NEXUS_KEYS_PATH || path4.join(NEXUS_HOME2, ".env.keys");
+function ensureHome() {
+  fs3.mkdirSync(NEXUS_HOME2, { recursive: true, mode: 448 });
+  fs3.mkdirSync(path4.join(NEXUS_HOME2, "vm", "images"), { recursive: true, mode: 448 });
+  fs3.mkdirSync(path4.join(NEXUS_HOME2, "vm", "configs"), { recursive: true, mode: 448 });
+  fs3.mkdirSync(path4.join(NEXUS_HOME2, "vm", "logs"), { recursive: true, mode: 448 });
+  fs3.mkdirSync(path4.join(NEXUS_HOME2, "ssh"), { recursive: true, mode: 448 });
 }
-
-// src/commands/init.ts
-init_secrets();
-init_qemu();
-init_ssh();
-
-// src/core/cloudinit.ts
-init_secrets();
-init_dlp();
-import fs5 from "fs";
-import path5 from "path";
-import ejs from "ejs";
-import { execa as execa3 } from "execa";
-var CONFIGS_DIR = path5.join(NEXUS_HOME2, "vm", "configs");
-var IMAGES_DIR2 = path5.join(NEXUS_HOME2, "vm", "images");
-async function renderCloudInit(data, templateContent) {
-  const trimmedPubKey = data.sshPubKey.trim();
-  if (!/^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp\d+) [A-Za-z0-9+/=]+ ?\S*$/.test(trimmedPubKey)) {
-    throw new DlpViolation("SSH public key has unexpected format \u2014 possible injection attempt");
-  }
-  const safeKeys = {};
-  for (const [k, v] of Object.entries(data.keys)) {
-    if (v) safeKeys[k] = yamlEscape(v);
-  }
-  const safeData = { ...data, sshPubKey: yamlEscape(trimmedPubKey), keys: safeKeys };
-  const rendered = ejs.render(templateContent, safeData);
-  const outputPath = path5.join(CONFIGS_DIR, "user-data.yaml");
-  fs5.writeFileSync(outputPath, rendered, { mode: 384 });
-  audit("cloudinit_rendered", "user-data.yaml written");
-  return outputPath;
-}
-async function createCloudInitIso(userDataPath) {
-  const metaDataPath = path5.join(CONFIGS_DIR, "meta-data.yaml");
-  fs5.writeFileSync(metaDataPath, "instance-id: nexus-vm-1\nlocal-hostname: nexus-vm\n", { mode: 384 });
-  const isoPath = path5.join(IMAGES_DIR2, "init.iso");
-  const env = scrubEnv();
-  try {
-    let created = false;
-    for (const tool of ["mkisofs", "genisoimage"]) {
-      if (created) break;
-      try {
-        await execa3(tool, [
-          "-output",
-          isoPath,
-          "-volid",
-          "cidata",
-          "-joliet",
-          "-rock",
-          userDataPath,
-          metaDataPath
-        ], { env });
-        created = true;
-      } catch {
-      }
-    }
-    if (!created) {
-      try {
-        const stagingDir = path5.join(CONFIGS_DIR, "cidata-staging");
-        fs5.mkdirSync(stagingDir, { recursive: true, mode: 448 });
-        fs5.copyFileSync(userDataPath, path5.join(stagingDir, "user-data"));
-        fs5.copyFileSync(metaDataPath, path5.join(stagingDir, "meta-data"));
-        await execa3("hdiutil", [
-          "makehybrid",
-          "-o",
-          isoPath,
-          "-joliet",
-          "-iso",
-          "-default-volume-name",
-          "cidata",
-          stagingDir
-        ], { env });
-        fs5.rmSync(stagingDir, { recursive: true, force: true });
-        created = true;
-      } catch {
-      }
-    }
-    if (!created) {
-      throw new Error(
-        "Cannot create cloud-init ISO: none of mkisofs, genisoimage, or hdiutil are available. On macOS, install cdrtools: brew install cdrtools. On Linux: sudo apt install genisoimage"
-      );
-    }
-    fs5.chmodSync(isoPath, 384);
-    audit("cloudinit_iso_created", "init.iso created");
-    return isoPath;
-  } finally {
-    try {
-      fs5.unlinkSync(userDataPath);
-    } catch {
-    }
-    try {
-      fs5.unlinkSync(metaDataPath);
-    } catch {
-    }
-    audit("cloudinit_plaintext_deleted", "user-data.yaml and meta-data.yaml removed");
-  }
+function generateMasterSecret() {
+  return crypto2.randomBytes(32).toString("base64url");
 }
-
-// src/core/health.ts
-init_ssh();
-async function checkHealth(port, vmRunning) {
-  const status = {
-    vmRunning,
-    sshReady: false,
-    dockerReady: false,
-    serverHealthy: false,
-    tunnelUrl: null,
-    dockerVersion: null,
-    serverVersion: null,
-    diskUsagePercent: null,
-    uptimeSeconds: null,
-    lastChecked: (/* @__PURE__ */ new Date()).toISOString()
-  };
-  if (!vmRunning) return status;
-  try {
-    const { code } = await sshExec(port, "echo ok");
-    status.sshReady = code === 0;
-  } catch {
-    return status;
-  }
-  try {
-    const { stdout, code } = await sshExec(port, "docker version --format '{{.Server.Version}}'");
-    status.dockerReady = code === 0 && stdout.trim().length > 0;
-    if (status.dockerReady) status.dockerVersion = stdout.trim();
-  } catch {
-  }
-  try {
-    const { stdout, code } = await sshExec(port, "curl -sf http://localhost:4200/health");
-    status.serverHealthy = code === 0 && stdout.includes("ok");
-    if (status.serverHealthy) {
-      try {
-        const parsed = JSON.parse(stdout);
-        if (typeof parsed.version === "string") status.serverVersion = parsed.version;
-      } catch {
-      }
-    }
-  } catch {
-  }
-  try {
-    const { stdout } = await sshExec(port, "df / --output=pcent | tail -1 | tr -dc '0-9'");
-    const pct = parseInt(stdout.trim(), 10);
-    if (!isNaN(pct)) status.diskUsagePercent = pct;
-  } catch {
-  }
-  try {
-    const { stdout } = await sshExec(port, "awk '{print int($1)}' /proc/uptime 2>/dev/null");
-    const up = parseInt(stdout.trim(), 10);
-    if (!isNaN(up)) status.uptimeSeconds = up;
-  } catch {
-  }
-  try {
-    const { stdout } = await sshExec(port, "cat /home/nexus/.nexus/tunnel-url.txt 2>/dev/null");
-    if (stdout.includes("https://")) {
-      status.tunnelUrl = stdout.trim();
-    }
-  } catch {
-  }
-  return status;
+function saveConfig(config) {
+  const { masterSecret: _secret, ...safeConfig } = config;
+  fs3.writeFileSync(CONFIG_PATH, JSON.stringify(safeConfig, null, 2), { mode: 384 });
 }
-async function waitForServer(port, timeoutMs = 9e5) {
-  const start = Date.now();
-  let lastLog = 0;
-  let attempt = 0;
-  const backoffMs = (n) => Math.min(3e3 * Math.pow(2, n), 3e4);
-  while (Date.now() - start < timeoutMs) {
-    try {
-      const { stdout, code } = await sshExec(port, "curl -sf http://localhost:4200/health");
-      if (code === 0 && stdout.includes("ok")) return true;
-    } catch {
-    }
-    const elapsed = Date.now() - start;
-    if (elapsed - lastLog >= 3e4) {
-      lastLog = elapsed;
-      try {
-        const { stdout } = await sshExec(port, "systemctl is-active nexus 2>/dev/null || echo 'starting...'");
-        process.stderr.write(`
-  [server ${Math.round(elapsed / 1e3)}s] ${stdout.trim().slice(0, 120)}
-`);
-      } catch {
-      }
-    }
-    const delay = backoffMs(attempt++);
-    const remaining = timeoutMs - (Date.now() - start);
-    if (remaining <= 0) break;
-    await new Promise((r) => setTimeout(r, Math.min(delay, remaining)));
+function loadConfig() {
+  if (!fs3.existsSync(CONFIG_PATH)) return null;
+  return JSON.parse(fs3.readFileSync(CONFIG_PATH, "utf-8"));
+}
+function saveKeys(keys) {
+  const violations = validateAllKeys(keys);
+  if (violations.length > 0) {
+    throw new DlpViolation(`Key validation failed: ${violations.join("; ")}`);
   }
-  return false;
+  const lines = Object.entries(keys).filter(([, v]) => v).map(([k, v]) => `${k}=${v}`);
+  fs3.writeFileSync(KEYS_PATH, lines.join("\n") + "\n", { mode: 384 });
+  sealKeysFile(KEYS_PATH, keys.NEXUS_MASTER_SECRET);
+  audit("keys_saved", `${Object.keys(keys).filter((k) => keys[k]).length} keys saved`);
 }
-async function waitForCloudInit(port, timeoutMs = 18e5) {
-  const start = Date.now();
-  let lastLog = 0;
-  let attempt = 0;
-  const backoffMs = (n) => Math.min(3e3 * Math.pow(2, n), 3e4);
-  while (Date.now() - start < timeoutMs) {
-    try {
-      const { code } = await sshExec(port, "test -f /var/lib/cloud/instance/boot-finished");
-      if (code === 0) return true;
-    } catch {
-    }
-    const elapsed = Date.now() - start;
-    if (elapsed - lastLog >= 6e4) {
-      lastLog = elapsed;
-      try {
-        const { stdout } = await sshExec(port, "tail -1 /var/log/cloud-init-output.log 2>/dev/null || echo 'waiting...'");
-        process.stderr.write(`
-  [cloud-init ${Math.round(elapsed / 1e3)}s] ${stdout.trim().slice(0, 120)}
-`);
-      } catch {
-      }
-    }
-    const delay = backoffMs(attempt++);
-    const remaining = timeoutMs - (Date.now() - start);
-    if (remaining <= 0) break;
-    await new Promise((r) => setTimeout(r, Math.min(delay, remaining)));
+function loadKeys() {
+  if (!fs3.existsSync(KEYS_PATH)) return null;
+  const content = fs3.readFileSync(KEYS_PATH, "utf-8");
+  const keys = {};
+  for (const line of content.split("\n")) {
+    const eq = line.indexOf("=");
+    if (eq > 0) keys[line.slice(0, eq)] = line.slice(eq + 1);
   }
-  return false;
+  const result = keys;
+  if (result.NEXUS_MASTER_SECRET && !verifyKeysFile(KEYS_PATH, result.NEXUS_MASTER_SECRET)) {
+    audit("keys_tampered", "HMAC mismatch on .env.keys");
+    throw new DlpViolation(
+      ".env.keys has been modified outside of buildwithnexus. Run 'buildwithnexus keys set' to re-enter your keys, or 'buildwithnexus destroy' to start fresh."
+    );
+  }
+  audit("keys_loaded", `${Object.keys(keys).length} keys loaded`);
+  return result;
+}
+function maskKey(key) {
+  if (key.length <= 8) return "***";
+  const reveal = Math.min(4, Math.floor(key.length * 0.1));
+  return key.slice(0, reveal) + "..." + key.slice(-reveal);
 }
 
 // src/core/tunnel.ts
-init_ssh();
-init_dlp();
 var CLOUDFLARED_VERSION = "2024.12.2";
 var CLOUDFLARED_SHA256 = {
   amd64: "40ec9a0f5b58e3b04183aaf01c4ddd4dbc6af39b0f06be4b7ce8b1011d0a07ab",
   arm64: "5a6c5881743fc84686f23048940ec844848c0f20363e8f76a99bc47e19777de6"
 };
-async function installCloudflared(sshPort, arch) {
+async function installCloudflared(arch) {
   const debArch = arch === "arm64" ? "arm64" : "amd64";
   const url = `https://github.com/cloudflare/cloudflared/releases/download/${CLOUDFLARED_VERSION}/cloudflared-linux-${debArch}.deb`;
   const sha = CLOUDFLARED_SHA256[debArch];
   const shaCheck = `${sha}  /tmp/cloudflared.deb`;
-  await sshExec(sshPort, [
+  await dockerExec([
     shellCommand`curl -sL ${url} -o /tmp/cloudflared.deb`,
     shellCommand`echo ${shaCheck} | sha256sum -c -`,
     "sudo dpkg -i /tmp/cloudflared.deb",
     "rm -f /tmp/cloudflared.deb"
   ].join(" && "));
 }
-async function startTunnel(sshPort) {
-  await sshExec(
-    sshPort,
+async function startTunnel() {
+  await dockerExec(
     "install -m 600 /dev/null /home/nexus/.nexus/tunnel.log && bash -c 'nohup cloudflared tunnel --no-autoupdate --url http://localhost:4200 > /home/nexus/.nexus/tunnel.log 2>&1 &'"
   );
   const start = Date.now();
   while (Date.now() - start < 12e4) {
     try {
-      const { stdout } = await sshExec(sshPort, "grep -oE 'https://[a-z0-9-]+\\.trycloudflare\\.com' /home/nexus/.nexus/tunnel.log 2>/dev/null | head -1");
+      const { stdout } = await dockerExec("grep -oE 'https://[a-z0-9-]+\\.trycloudflare\\.com' /home/nexus/.nexus/tunnel.log 2>/dev/null | head -1");
       if (stdout.includes("https://")) {
         const url = stdout.trim();
         if (!/^https:\/\/[a-z0-9-]+\.trycloudflare\.com$/.test(url)) {
           audit("tunnel_url_rejected", `Invalid URL format: ${url.slice(0, 80)}`);
           return null;
         }
-        await sshExec(sshPort, shellCommand`printf '%s\n' ${url} > /home/nexus/.nexus/tunnel-url.txt && chmod 600 /home/nexus/.nexus/tunnel-url.txt`);
+        await dockerExec(shellCommand`printf '%s\n' ${url} > /home/nexus/.nexus/tunnel-url.txt && chmod 600 /home/nexus/.nexus/tunnel-url.txt`);
         audit("tunnel_url_captured", url);
         return url;
       }
@@ -1200,40 +1737,8 @@ async function startTunnel(sshPort) {
   }
   return null;
 }
-async function stopTunnel(sshPort) {
-  await sshExec(sshPort, "pkill -f cloudflared || true");
-}
 
 // src/commands/init.ts
-init_dlp();
-init_ssh();
-import fs6 from "fs";
-import path6 from "path";
-import os2 from "os";
-import crypto4 from "crypto";
-import { fileURLToPath as fileURLToPath2 } from "url";
-function getReleaseTarball() {
-  const dir = path6.dirname(fileURLToPath2(import.meta.url));
-  const possiblePaths = [
-    // Current directory (dev)
-    path6.join(dir, "nexus-release.tar.gz"),
-    // dist folder (when built)
-    path6.resolve(dir, "..", "dist", "nexus-release.tar.gz"),
-    // node_modules location (when installed from npm)
-    path6.resolve(dir, "..", "nexus-release.tar.gz")
-  ];
-  for (const tarballPath of possiblePaths) {
-    if (fs6.existsSync(tarballPath)) return tarballPath;
-  }
-  throw new Error("nexus-release.tar.gz not found. Run: npm install buildwithnexus@latest");
-}
-function getCloudInitTemplate() {
-  const dir = path6.dirname(fileURLToPath2(import.meta.url));
-  const templatePath = path6.join(dir, "templates", "cloud-init.yaml.ejs");
-  if (fs6.existsSync(templatePath)) return fs6.readFileSync(templatePath, "utf-8");
-  const srcPath = path6.resolve(dir, "..", "src", "templates", "cloud-init.yaml.ejs");
-  return fs6.readFileSync(srcPath, "utf-8");
-}
 async function withSpinner(spinner, label, fn) {
   spinner.text = label;
   spinner.start();
@@ -1241,24 +1746,39 @@ async function withSpinner(spinner, label, fn) {
   succeed(spinner, label);
   return result;
 }
+async function waitForHealthy(port, timeoutMs = 12e4) {
+  const start = Date.now();
+  let attempt = 0;
+  const backoffMs = (n) => Math.min(2e3 * Math.pow(2, n), 1e4);
+  while (Date.now() - start < timeoutMs) {
+    try {
+      const res = await fetch(`http://localhost:${port}/health`);
+      if (res.ok) {
+        const body = await res.text();
+        if (body.includes("ok")) return true;
+      }
+    } catch {
+    }
+    const delay = backoffMs(attempt++);
+    const remaining = timeoutMs - (Date.now() - start);
+    if (remaining <= 0) break;
+    await new Promise((r) => setTimeout(r, Math.min(delay, remaining)));
+  }
+  return false;
+}
 var phases = [
-  // Phase 1 — Configuration
+  // Phase 1 — Configuration (~30s)
   {
     name: "Configuration",
     run: async (ctx) => {
       showBanner();
       const platform = detectPlatform();
       log.detail("Platform", `${platform.os} ${platform.arch}`);
-      log.detail("QEMU", platform.qemuBinary);
       const userConfig = await promptInitConfig();
       ensureHome();
       const masterSecret = generateMasterSecret();
       const config = {
-        vmRam: userConfig.vmRam,
-        vmCpus: userConfig.vmCpus,
-        vmDisk: userConfig.vmDisk,
         enableTunnel: userConfig.enableTunnel,
-        sshPort: 2222,
         httpPort: 4200,
         httpsPort: 8443,
         masterSecret
@@ -1277,185 +1797,107 @@ var phases = [
       saveConfig(config);
       saveKeys(keys);
       log.success("Configuration saved");
-      ctx.platform = platform;
       ctx.config = config;
-      ctx.keys = keys;
-    }
-  },
-  // Phase 2 — QEMU
-  {
-    name: "QEMU Installation",
-    run: async (ctx, spinner) => {
-      const { platform } = ctx;
-      await withSpinner(spinner, "Checking QEMU...", async () => {
-        const hasQemu = await isQemuInstalled(platform);
-        if (!hasQemu) {
-          spinner.text = "Installing QEMU...";
-          await installQemu(platform);
-        }
-      });
-      succeed(spinner, hasQemuLabel(await isQemuInstalled(ctx.platform)));
-    }
-  },
-  // Phase 3 — SSH Keys
-  {
-    name: "SSH Key Setup",
-    run: async (ctx, spinner) => {
-      const { config } = ctx;
-      await withSpinner(spinner, "Generating SSH key...", async () => {
-        await generateSshKey();
-        const pinFile = path6.join(path6.dirname(getKeyPath()), "vm_host_key.pin");
-        try {
-          fs6.unlinkSync(pinFile);
-        } catch {
-        }
-        addSshConfig(config.sshPort);
-      });
+      ctx.keys = keys;
     }
   },
-  // Phase 4 — Ubuntu Image
+  // Phase 2 — Docker Check (install is handled by `buildwithnexus install`)
   {
-    name: "VM Image Download",
-    run: async (ctx, spinner) => {
-      const { platform } = ctx;
-      const imagePath = await withSpinner(
-        spinner,
-        `Downloading Ubuntu 24.04 (${platform.ubuntuImage})...`,
-        () => downloadImage(platform)
+    name: "Docker Check",
+    run: async (_ctx, spinner) => {
+      spinner.text = "Checking Docker...";
+      spinner.start();
+      const installed = await isDockerInstalled();
+      if (installed) {
+        succeed(spinner, "Docker is installed and running");
+        return;
+      }
+      fail(spinner, "Docker is not installed or not running");
+      throw new Error(
+        "Docker is required but not available.\n\n  Run the following command to install Docker:\n    buildwithnexus install\n\n  Then re-run:\n    buildwithnexus init"
       );
-      ctx.imagePath = imagePath;
-    }
-  },
-  // Phase 5 — Cloud-Init
-  {
-    name: "Cloud-Init Generation",
-    run: async (ctx, spinner) => {
-      const { keys, config } = ctx;
-      const tarballPath = await withSpinner(spinner, "Locating release tarball...", async () => {
-        return getReleaseTarball();
-      });
-      ctx.tarballPath = tarballPath;
-      const isoPath = await withSpinner(spinner, "Rendering cloud-init...", async () => {
-        const pubKey = getPubKey();
-        const template = getCloudInitTemplate();
-        const userDataPath = await renderCloudInit({ sshPubKey: pubKey, keys, config }, template);
-        return createCloudInitIso(userDataPath);
-      });
-      ctx.isoPath = isoPath;
     }
   },
-  // Phase 6 — VM Boot
+  // Phase 3 — Pull Image (~1-2 min)
   {
-    name: "VM Launch",
-    run: async (ctx, spinner) => {
-      const { platform, imagePath, isoPath, config } = ctx;
-      spinner.text = "Checking port availability...";
+    name: "Pull Image",
+    run: async (_ctx, spinner) => {
+      spinner.text = "Checking for buildwithnexus/nexus:latest...";
       spinner.start();
+      const localExists = await imageExistsLocally("buildwithnexus/nexus", "latest");
+      if (localExists) {
+        succeed(spinner, "Image found locally: buildwithnexus/nexus:latest (skipping pull)");
+        return;
+      }
       spinner.stop();
-      spinner.clear();
-      const requestedPorts = { ssh: config.sshPort, http: config.httpPort, https: config.httpsPort };
-      const resolvedPorts = await resolvePortConflicts(requestedPorts);
-      const diskPath = await withSpinner(spinner, "Creating disk and launching VM...", async () => {
-        const disk = await createDisk(imagePath, config.vmDisk);
-        await launchVm(platform, disk, isoPath, config.vmRam, config.vmCpus, resolvedPorts);
-        return disk;
-      });
-      config.sshPort = resolvedPorts.ssh;
-      config.httpPort = resolvedPorts.http;
-      config.httpsPort = resolvedPorts.https;
-      saveConfig(config);
-      const portNote = resolvedPorts.ssh !== 2222 || resolvedPorts.http !== 4200 || resolvedPorts.https !== 8443 ? ` (ports: SSH=${resolvedPorts.ssh}, HTTP=${resolvedPorts.http}, HTTPS=${resolvedPorts.https})` : "";
-      succeed(spinner, `VM launched (daemonized)${portNote}`);
-      ctx.diskPath = diskPath;
-      ctx.resolvedPorts = resolvedPorts;
-      ctx.vmLaunched = true;
+      try {
+        await pullImage("buildwithnexus/nexus", "latest");
+        succeed(spinner, "Image pulled: buildwithnexus/nexus:latest");
+      } catch (err) {
+        fail(spinner, "Failed to pull buildwithnexus/nexus:latest");
+        throw new Error(
+          "Could not pull buildwithnexus/nexus:latest from registry.\n\n  If you have built the image locally, you can build it with:\n    docker build -f Dockerfile.nexus -t buildwithnexus/nexus:latest .\n\n  Then re-run:\n    buildwithnexus init"
+        );
+      }
     }
   },
-  // Phase 7 — VM Provisioning
+  // Phase 4 — Launch Container (~10s)
   {
-    name: "VM Provisioning",
+    name: "Launch",
     run: async (ctx, spinner) => {
-      const { config, keys, tarballPath } = ctx;
-      spinner.text = "Waiting for SSH...";
-      spinner.start();
-      const sshReady = await waitForSsh(config.sshPort);
-      if (!sshReady) {
-        fail(spinner, "SSH connection timed out");
-        throw new Error("SSH connection timed out");
-      }
-      succeed(spinner, "SSH connected");
-      await withSpinner(
-        spinner,
-        "Uploading NEXUS release tarball...",
-        () => sshUploadFile(config.sshPort, tarballPath, "/tmp/nexus-release.tar.gz")
-      );
-      await withSpinner(spinner, "Staging API keys...", async () => {
-        const keysContent = Object.entries(keys).filter(([, v]) => v).map(([k, v]) => `${k}=${v}`).join("\n") + "\n";
-        const tmpKeysPath = path6.join(os2.tmpdir(), `.nexus-keys-${crypto4.randomBytes(8).toString("hex")}`);
-        fs6.writeFileSync(tmpKeysPath, keysContent, { mode: 384 });
-        try {
-          await sshUploadFile(config.sshPort, tmpKeysPath, "/tmp/.nexus-env-keys");
-          await sshExec(config.sshPort, "chmod 600 /tmp/.nexus-env-keys");
-        } finally {
-          try {
-            fs6.writeFileSync(tmpKeysPath, "0".repeat(keysContent.length));
-            fs6.unlinkSync(tmpKeysPath);
-          } catch {
-          }
-        }
-      });
-      spinner.text = "Cloud-init provisioning \u2014 this takes 10-20 min (extracting NEXUS, building Docker, installing deps)...";
-      spinner.start();
-      const cloudInitDone = await waitForCloudInit(config.sshPort);
-      if (!cloudInitDone) {
-        fail(spinner, "Cloud-init timed out after 30 minutes");
-        log.warn("Check progress: buildwithnexus ssh  \u2192  tail -f /var/log/cloud-init-output.log");
-        throw new Error("Cloud-init timed out");
+      const { config, keys } = ctx;
+      const alreadyRunning = await isNexusRunning();
+      if (alreadyRunning) {
+        await withSpinner(spinner, "Stopping existing NEXUS container...", () => stopNexus());
       }
-      succeed(spinner, "VM fully provisioned");
       await withSpinner(
         spinner,
-        "Delivering API keys...",
-        () => sshExec(
-          config.sshPort,
-          "mkdir -p /home/nexus/.nexus && mv /tmp/.nexus-env-keys /home/nexus/.nexus/.env.keys && chown -R nexus:nexus /home/nexus/.nexus && chmod 600 /home/nexus/.nexus/.env.keys"
+        "Starting NEXUS container...",
+        () => startNexus(
+          {
+            anthropic: keys.ANTHROPIC_API_KEY,
+            openai: keys.OPENAI_API_KEY || ""
+          },
+          { port: config.httpPort }
         )
       );
+      ctx.containerStarted = true;
     }
   },
-  // Phase 8 — Server Health
+  // Phase 5 — Health Check (~10s)
   {
-    name: "NEXUS Server Startup",
+    name: "Health Check",
     run: async (ctx, spinner) => {
       const { config } = ctx;
-      spinner.text = "Waiting for NEXUS server...";
+      spinner.text = `Waiting for NEXUS server on port ${config.httpPort}...`;
       spinner.start();
-      const serverReady = await waitForServer(config.sshPort);
-      if (!serverReady) {
-        fail(spinner, "Server failed to start");
-        log.warn("Check logs: buildwithnexus logs");
-        throw new Error("NEXUS server failed to start");
+      const healthy = await waitForHealthy(config.httpPort);
+      if (!healthy) {
+        fail(spinner, "Server failed to start within 120s");
+        log.warn("Check logs: docker logs nexus");
+        throw new Error("NEXUS server failed to respond to health checks");
       }
-      succeed(spinner, "NEXUS server healthy on port 4200");
+      succeed(spinner, `NEXUS server healthy on port ${config.httpPort}`);
     }
   },
-  // Phase 9 — Cloudflare Tunnel
+  // Phase 6 — Cloudflare Tunnel (optional)
   {
     name: "Cloudflare Tunnel",
     run: async (ctx, spinner) => {
-      const { config, platform } = ctx;
+      const { config } = ctx;
       if (!config.enableTunnel) {
         log.dim("Skipped (not enabled)");
         return;
       }
+      const platform = detectPlatform();
       await withSpinner(
         spinner,
         "Installing cloudflared...",
-        () => installCloudflared(config.sshPort, platform.arch)
+        () => installCloudflared(config.httpPort, platform.arch)
       );
       spinner.text = "Starting tunnel...";
       spinner.start();
-      const url = await startTunnel(config.sshPort);
+      const url = await startTunnel(config.httpPort);
       if (url) {
         ctx.tunnelUrl = url;
         succeed(spinner, `Tunnel active: ${url}`);
@@ -1464,28 +1906,24 @@ var phases = [
       }
     }
   },
-  // Phase 10 — Complete
+  // Phase 7 — Complete
   {
     name: "Complete",
     run: async (ctx) => {
-      showCompletion({ remote: ctx.tunnelUrl, ssh: "buildwithnexus ssh" });
+      showCompletion({
+        remote: ctx.tunnelUrl,
+        ssh: `http://localhost:${ctx.config?.httpPort || 4200}`
+      });
     }
   }
 ];
-function hasQemuLabel(installed) {
-  return installed ? "QEMU ready" : "QEMU installed";
-}
 var TOTAL_PHASES = phases.length;
 async function runInit() {
-  const ctx = { vmLaunched: false, tunnelUrl: void 0 };
+  const ctx = { containerStarted: false, tunnelUrl: void 0 };
   const spinner = createSpinner("");
   for (let i = 0; i < phases.length; i++) {
     const phase = phases[i];
     showPhase(i + 1, TOTAL_PHASES, phase.name);
-    if (phase.skip?.(ctx)) {
-      log.dim("Skipped");
-      continue;
-    }
     try {
       await phase.run(ctx, spinner);
     } catch (err) {
@@ -1493,10 +1931,10 @@ async function runInit() {
         spinner.stop();
       } catch {
       }
-      if (ctx.vmLaunched) {
-        process.stderr.write(chalk6.dim("\n  Stopping VM due to init failure...\n"));
+      if (ctx.containerStarted) {
+        process.stderr.write(chalk7.dim("\n  Stopping container due to init failure...\n"));
         try {
-          stopVm();
+          await stopNexus();
         } catch {
         }
       }
@@ -1504,7 +1942,7 @@ async function runInit() {
     }
   }
 }
-var initCommand = new Command("init").description("Scaffold and launch a new NEXUS runtime").action(async () => {
+var initCommand = new Command2("init").description("Scaffold and launch a new NEXUS runtime (Docker)").action(async () => {
   try {
     await runInit();
   } catch (err) {
@@ -1515,45 +1953,64 @@ var initCommand = new Command("init").description("Scaffold and launch a new NEX
 });
 
 // src/commands/start.ts
-import { Command as Command2 } from "commander";
-init_secrets();
-init_qemu();
-init_ssh();
-init_secrets();
-import path7 from "path";
-var startCommand = new Command2("start").description("Start the NEXUS runtime").action(async () => {
+import { Command as Command3 } from "commander";
+
+// src/core/health.ts
+async function waitForServer(timeoutMs = 9e5) {
+  const start = Date.now();
+  let lastLog = 0;
+  let attempt = 0;
+  const backoffMs = (n) => Math.min(3e3 * Math.pow(2, n), 3e4);
+  while (Date.now() - start < timeoutMs) {
+    try {
+      const { stdout, code } = await dockerExec("curl -sf http://localhost:4200/health");
+      if (code === 0 && stdout.includes("ok")) return true;
+    } catch {
+    }
+    const elapsed = Date.now() - start;
+    if (elapsed - lastLog >= 3e4) {
+      lastLog = elapsed;
+      try {
+        const { stdout } = await dockerExec("systemctl is-active nexus 2>/dev/null || echo 'starting...'");
+        process.stderr.write(`
+  [server ${Math.round(elapsed / 1e3)}s] ${stdout.trim().slice(0, 120)}
+`);
+      } catch {
+      }
+    }
+    const delay = backoffMs(attempt++);
+    const remaining = timeoutMs - (Date.now() - start);
+    if (remaining <= 0) break;
+    await new Promise((r) => setTimeout(r, Math.min(delay, remaining)));
+  }
+  return false;
+}
+
+// src/commands/start.ts
+var startCommand = new Command3("start").description("Start the NEXUS runtime").action(async () => {
   const config = loadConfig();
   if (!config) {
     log.error("No NEXUS configuration found. Run: buildwithnexus init");
     process.exit(1);
   }
-  if (isVmRunning()) {
-    log.success("VM is already running");
+  if (await isNexusRunning()) {
+    log.success("NEXUS is already running");
     return;
   }
-  const platform = detectPlatform();
-  const diskPath = path7.join(NEXUS_HOME2, "vm", "images", "nexus-vm-disk.qcow2");
-  const isoPath = path7.join(NEXUS_HOME2, "vm", "images", "init.iso");
-  let spinner = createSpinner("Starting VM...");
+  let spinner = createSpinner("Pulling NEXUS image...");
   spinner.start();
-  await launchVm(platform, diskPath, isoPath, config.vmRam, config.vmCpus, {
-    ssh: config.sshPort,
-    http: config.httpPort,
-    https: config.httpsPort
-  });
-  succeed(spinner, "VM started");
-  spinner = createSpinner("Waiting for SSH...");
+  await pullImage("buildwithnexus/nexus", "latest");
+  succeed(spinner, "Image ready");
+  spinner = createSpinner("Starting NEXUS container...");
   spinner.start();
-  const sshOk = await waitForSsh(config.sshPort, 12e4);
-  if (!sshOk) {
-    fail(spinner, "SSH timed out");
-    process.exit(1);
-  }
-  succeed(spinner, "SSH connected");
-  spinner = createSpinner("Starting NEXUS server...");
+  await startNexus(
+    { anthropic: config.anthropicKey, openai: config.openaiKey },
+    { port: config.httpPort }
+  );
+  succeed(spinner, "Container started");
+  spinner = createSpinner("Waiting for NEXUS server...");
   spinner.start();
-  await sshExec(config.sshPort, "sudo systemctl start nexus");
-  const ok = await waitForServer(config.sshPort, 6e4);
+  const ok = await waitForServer(6e4);
   if (ok) {
     succeed(spinner, "NEXUS server running");
   } else {
@@ -1562,7 +2019,7 @@ var startCommand = new Command2("start").description("Start the NEXUS runtime").
   if (config.enableTunnel) {
     spinner = createSpinner("Starting tunnel...");
     spinner.start();
-    const url = await startTunnel(config.sshPort);
+    const url = await startTunnel();
     if (url) {
       succeed(spinner, `Tunnel: ${url}`);
     } else {
@@ -1573,127 +2030,167 @@ var startCommand = new Command2("start").description("Start the NEXUS runtime").
 });
 
 // src/commands/stop.ts
-import { Command as Command3 } from "commander";
-init_secrets();
-init_qemu();
-init_ssh();
-var stopCommand = new Command3("stop").description("Gracefully shut down the NEXUS runtime").action(async () => {
-  const config = loadConfig();
-  if (!config) {
-    log.error("No NEXUS configuration found. Run: buildwithnexus init");
-    process.exit(1);
+import { Command as Command4 } from "commander";
+import { execFile } from "child_process";
+import { promisify } from "util";
+var execFileAsync = promisify(execFile);
+async function containerExists() {
+  try {
+    const { stdout } = await execFileAsync("docker", [
+      "ps",
+      "-a",
+      "--filter",
+      "name=^nexus$",
+      "--format",
+      "{{.Names}}"
+    ]);
+    return stdout.trim() === "nexus";
+  } catch {
+    return false;
+  }
+}
+async function isContainerRunning() {
+  try {
+    const { stdout } = await execFileAsync("docker", [
+      "ps",
+      "--filter",
+      "name=^nexus$",
+      "--filter",
+      "status=running",
+      "--format",
+      "{{.Names}}"
+    ]);
+    return stdout.trim() === "nexus";
+  } catch {
+    return false;
   }
-  if (!isVmRunning()) {
-    log.warn("VM is not running");
+}
+var stopCommand = new Command4("stop").description("Gracefully shut down the NEXUS runtime").action(async () => {
+  if (!await containerExists()) {
+    log.warn("NEXUS container does not exist");
     return;
   }
-  const spinner = createSpinner("Shutting down...");
+  const spinner = createSpinner("Shutting down NEXUS container...");
   spinner.start();
   try {
-    if (config.enableTunnel) {
-      spinner.text = "Stopping tunnel...";
-      await stopTunnel(config.sshPort);
-    }
-    spinner.text = "Stopping NEXUS server...";
-    await sshExec(config.sshPort, "sudo systemctl stop nexus");
-    spinner.text = "Shutting down VM...";
-    await sshExec(config.sshPort, "sudo shutdown -h now").catch(() => {
-    });
-    await new Promise((r) => setTimeout(r, 5e3));
-    if (isVmRunning()) {
-      stopVm();
+    if (await isContainerRunning()) {
+      spinner.text = "Stopping container...";
+      await execFileAsync("docker", ["stop", "nexus"]);
     }
-    succeed(spinner, "NEXUS runtime stopped");
-  } catch {
-    stopVm();
-    succeed(spinner, "VM force-stopped");
+    spinner.text = "Removing container...";
+    await execFileAsync("docker", ["rm", "nexus"]);
+    succeed(spinner, "NEXUS container stopped and removed");
+  } catch (err) {
+    fail(spinner, "Failed to stop NEXUS container");
+    log.error(err instanceof Error ? err.message : String(err));
+    process.exit(1);
   }
 });
 
 // src/commands/status.ts
-import { Command as Command4 } from "commander";
-import chalk7 from "chalk";
-init_secrets();
-init_qemu();
-var statusCommand = new Command4("status").description("Check NEXUS runtime health").option("--json", "Output as JSON").action(async (opts) => {
+import { Command as Command5 } from "commander";
+import chalk8 from "chalk";
+async function checkHttpHealth(port) {
+  try {
+    const res = await fetch(`http://localhost:${port}/health`, { signal: AbortSignal.timeout(5e3) });
+    if (!res.ok) return { healthy: false, version: null, uptimeSeconds: null };
+    const text = await res.text();
+    let version2 = null;
+    let uptimeSeconds = null;
+    try {
+      const parsed = JSON.parse(text);
+      if (typeof parsed.version === "string") version2 = parsed.version;
+      if (typeof parsed.uptime === "number") uptimeSeconds = parsed.uptime;
+    } catch {
+    }
+    const healthy = text.includes("ok") || res.status === 200;
+    return { healthy, version: version2, uptimeSeconds };
+  } catch {
+    return { healthy: false, version: null, uptimeSeconds: null };
+  }
+}
+function formatUptime(seconds) {
+  if (seconds < 60) return `${seconds}s`;
+  if (seconds < 3600) return `${Math.floor(seconds / 60)}m ${seconds % 60}s`;
+  const h = Math.floor(seconds / 3600);
+  const m = Math.floor(seconds % 3600 / 60);
+  return `${h}h ${m}m`;
+}
+var statusCommand = new Command5("status").description("Check NEXUS runtime health").option("--json", "Output as JSON").action(async (opts) => {
   const config = loadConfig();
   if (!config) {
     log.error("No NEXUS configuration found. Run: buildwithnexus init");
     process.exit(1);
   }
-  const vmRunning = isVmRunning();
-  const health = await checkHealth(config.sshPort, vmRunning);
+  const containerRunning = await isNexusRunning();
+  const { healthy, version: version2, uptimeSeconds } = containerRunning ? await checkHttpHealth(config.httpPort) : { healthy: false, version: null, uptimeSeconds: null };
   if (opts.json) {
-    console.log(JSON.stringify({ ...health, pid: getVmPid(), ports: { ssh: config.sshPort, http: config.httpPort, https: config.httpsPort } }, null, 2));
+    console.log(
+      JSON.stringify(
+        {
+          containerRunning,
+          healthy,
+          version: version2,
+          uptimeSeconds,
+          port: config.httpPort,
+          lastChecked: (/* @__PURE__ */ new Date()).toISOString()
+        },
+        null,
+        2
+      )
+    );
     return;
   }
-  const check = (ok) => ok ? chalk7.green("\u25CF") : chalk7.red("\u25CB");
+  const check = (ok) => ok ? chalk8.green("\u25CF") : chalk8.red("\u25CB");
   console.log("");
-  console.log(chalk7.bold("  NEXUS Runtime Status"));
+  console.log(chalk8.bold("  NEXUS Runtime Status"));
   console.log("");
-  console.log(`  ${check(health.vmRunning)}  VM         ${health.vmRunning ? chalk7.green("running") + chalk7.dim(` (PID ${getVmPid()})`) : chalk7.red("stopped")}`);
-  console.log(`  ${check(health.sshReady)}  SSH        ${health.sshReady ? chalk7.green("connected") + chalk7.dim(` (port ${config.sshPort})`) : chalk7.red("unreachable")}`);
-  console.log(`  ${check(health.dockerReady)}  Docker     ${health.dockerReady ? chalk7.green("ready") + (health.dockerVersion ? chalk7.dim(` v${health.dockerVersion}`) : "") : chalk7.red("not ready")}`);
-  console.log(`  ${check(health.serverHealthy)}  Server     ${health.serverHealthy ? chalk7.green("healthy") + chalk7.dim(` (port ${config.httpPort})`) + (health.serverVersion ? chalk7.dim(` v${health.serverVersion}`) : "") : chalk7.red("unhealthy")}`);
-  console.log(`  ${check(!!health.tunnelUrl)}  Tunnel     ${health.tunnelUrl ? chalk7.green(health.tunnelUrl) : chalk7.dim("not active")}`);
-  if (health.diskUsagePercent !== null) {
-    const diskOk = health.diskUsagePercent < 85;
-    console.log(`  ${check(diskOk)}  Disk       ${diskOk ? chalk7.green(`${health.diskUsagePercent}% used`) : chalk7.yellow(`${health.diskUsagePercent}% used \u2014 consider cleanup`)}`);
-  }
+  console.log(
+    `  ${check(containerRunning)}  Container  ${containerRunning ? chalk8.green("running") : chalk8.red("stopped")}`
+  );
+  console.log(
+    `  ${check(healthy)}  Health     ${healthy ? chalk8.green("healthy") + chalk8.dim(` (port ${config.httpPort})`) + (version2 ? chalk8.dim(` v${version2}`) : "") + (uptimeSeconds !== null ? chalk8.dim(` up ${formatUptime(uptimeSeconds)}`) : "") : chalk8.red("unhealthy")}`
+  );
   console.log("");
-  if (health.serverHealthy) {
-    log.success(`NEXUS CLI ready \u2014 connect via: buildwithnexus ssh`);
+  if (healthy) {
+    log.success("NEXUS is running and healthy");
+  } else if (containerRunning) {
+    log.warn("Container is running but health check failed");
+  } else {
+    log.error("NEXUS container is not running. Start with: buildwithnexus start");
   }
 });
 
 // src/commands/doctor.ts
-import { Command as Command5 } from "commander";
-import chalk8 from "chalk";
-import fs7 from "fs";
-init_qemu();
-init_secrets();
-import path8 from "path";
-import { execa as execa4 } from "execa";
-var doctorCommand = new Command5("doctor").description("Diagnose NEXUS runtime environment").action(async () => {
+import { Command as Command6 } from "commander";
+import chalk9 from "chalk";
+import fs4 from "fs";
+import path5 from "path";
+var doctorCommand = new Command6("doctor").description("Diagnose NEXUS runtime environment").action(async () => {
   const platform = detectPlatform();
-  const check = (ok) => ok ? chalk8.green("\u2713") : chalk8.red("\u2717");
+  const check = (ok) => ok ? chalk9.green("\u2713") : chalk9.red("\u2717");
   console.log("");
-  console.log(chalk8.bold("  NEXUS Doctor"));
+  console.log(chalk9.bold("  NEXUS Doctor"));
   console.log("");
   const nodeOk = Number(process.versions.node.split(".")[0]) >= 18;
-  console.log(`  ${check(nodeOk)}  Node.js ${process.versions.node} ${nodeOk ? "" : chalk8.red("(need >= 18)")}`);
+  console.log(`  ${check(nodeOk)}  Node.js ${process.versions.node} ${nodeOk ? "" : chalk9.red("(need >= 18)")}`);
   console.log(`  ${check(true)}  Platform: ${platform.os} ${platform.arch}`);
-  const qemuOk = await isQemuInstalled(platform);
-  if (qemuOk) {
-    const { stdout } = await execa4(platform.qemuBinary, ["--version"]);
-    console.log(`  ${check(true)}  ${stdout.split("\n")[0]}`);
+  const dockerOk = await isDockerInstalled();
+  if (dockerOk) {
+    console.log(`  ${check(true)}  Docker installed and running`);
   } else {
-    console.log(`  ${check(false)}  QEMU not installed`);
-  }
-  let isoTool = false;
-  try {
-    await execa4("mkisofs", ["--version"]);
-    isoTool = true;
-  } catch {
+    console.log(`  ${check(false)}  Docker not installed`);
   }
-  if (!isoTool) try {
-    await execa4("genisoimage", ["--version"]);
-    isoTool = true;
-  } catch {
-  }
-  console.log(`  ${check(isoTool)}  ISO tool (mkisofs/genisoimage)`);
-  const keyExists = fs7.existsSync(path8.join(NEXUS_HOME2, "ssh", "id_nexus_vm"));
+  const keyExists = fs4.existsSync(path5.join(NEXUS_HOME2, "ssh", "id_nexus_vm"));
   console.log(`  ${check(keyExists)}  SSH key`);
   const config = loadConfig();
   console.log(`  ${check(!!config)}  Configuration`);
-  const diskExists = fs7.existsSync(path8.join(NEXUS_HOME2, "vm", "images", "nexus-vm-disk.qcow2"));
-  console.log(`  ${check(diskExists)}  VM disk image`);
   if (config) {
-    for (const [name, port] of [["SSH", config.sshPort], ["HTTP", config.httpPort], ["HTTPS", config.httpsPort]]) {
+    for (const [name, port] of [["HTTP", config.httpPort], ["HTTPS", config.httpsPort]]) {
       try {
-        const net2 = await import("net");
+        const net = await import("net");
         const available = await new Promise((resolve) => {
-          const server = net2.createServer();
+          const server = net.createServer();
           server.once("error", () => resolve(false));
           server.once("listening", () => {
             server.close();
@@ -1701,115 +2198,104 @@ var doctorCommand = new Command5("doctor").description("Diagnose NEXUS runtime e
           });
           server.listen(port);
         });
-        console.log(`  ${check(available)}  Port ${port} (${name}) ${available ? "available" : chalk8.red("in use")}`);
+        console.log(`  ${check(available)}  Port ${port} (${name}) ${available ? "available" : chalk9.red("in use")}`);
       } catch {
         console.log(`  ${check(false)}  Port ${port} (${name}) \u2014 check failed`);
       }
     }
   }
-  const biosOk = fs7.existsSync(platform.biosPath);
-  console.log(`  ${check(biosOk)}  UEFI firmware ${biosOk ? "" : chalk8.dim(platform.biosPath)}`);
   console.log("");
-  if (qemuOk && isoTool && biosOk) {
+  if (dockerOk) {
     log.success("Environment ready for NEXUS");
   } else {
-    log.warn("Some prerequisites missing \u2014 fix the items marked \u2717 above");
+    log.warn("Docker is required \u2014 install it from https://docs.docker.com/get-docker/");
   }
 });
 
 // src/commands/logs.ts
-import { Command as Command6 } from "commander";
-init_secrets();
-init_qemu();
-init_ssh();
-init_dlp();
-import { execa as execa5 } from "execa";
-var logsCommand = new Command6("logs").description("View NEXUS server logs").option("-f, --follow", "Follow log output").option("-n, --lines <n>", "Number of lines to show", "50").action(async (opts) => {
-  const config = loadConfig();
-  if (!config) {
-    log.error("No NEXUS configuration found. Run: buildwithnexus init");
+import { Command as Command7 } from "commander";
+import { execa as execa3 } from "execa";
+var logsCommand = new Command7("logs").description("View NEXUS server logs").action(async () => {
+  let containerExists2 = false;
+  try {
+    const { stdout } = await execa3("docker", [
+      "ps",
+      "-a",
+      "--filter",
+      "name=nexus",
+      "--format",
+      "{{.Names}}"
+    ]);
+    containerExists2 = stdout.trim().split("\n").some((name) => name === "nexus");
+  } catch {
+    log.error("Failed to query Docker. Is Docker running?");
     process.exit(1);
   }
-  if (!isVmRunning()) {
-    log.error("VM is not running. Start with: buildwithnexus start");
+  if (!containerExists2) {
+    log.error("NEXUS container not found. Start with: buildwithnexus start");
     process.exit(1);
   }
-  if (opts.follow) {
-    const proc = execa5("ssh", [
-      "nexus-vm",
-      "tail -f /home/nexus/.nexus/logs/server.log"
-    ], { stdout: "pipe", stderr: "pipe", env: scrubEnv() });
-    proc.stdout?.on("data", (chunk) => process.stdout.write(redact(chunk.toString())));
-    proc.stderr?.on("data", (chunk) => process.stderr.write(redact(chunk.toString())));
-    await proc;
-  } else {
-    const lines = /^\d+$/.test(opts.lines) ? parseInt(opts.lines, 10) : 50;
-    if (lines < 1 || lines > 1e4) {
-      log.error("--lines must be between 1 and 10000");
-      process.exit(1);
-    }
-    const { stdout } = await sshExec(
-      config.sshPort,
-      `tail -n ${lines} /home/nexus/.nexus/logs/server.log 2>/dev/null || echo "No logs yet"`
-    );
-    console.log(redact(stdout));
-  }
+  const proc = execa3("docker", ["logs", "-f", "nexus"], {
+    stdout: "pipe",
+    stderr: "pipe"
+  });
+  proc.stdout?.on("data", (chunk) => process.stdout.write(chunk));
+  proc.stderr?.on("data", (chunk) => process.stderr.write(chunk));
+  await proc;
 });
 
 // src/commands/update.ts
-import { Command as Command7 } from "commander";
-import path9 from "path";
-import fs8 from "fs";
+import { Command as Command8 } from "commander";
+import path6 from "path";
+import fs5 from "fs";
 import { fileURLToPath as fileURLToPath3 } from "url";
-init_secrets();
-init_qemu();
-init_ssh();
-function getReleaseTarball2() {
-  const dir = path9.dirname(fileURLToPath3(import.meta.url));
-  const tarballPath = path9.join(dir, "nexus-release.tar.gz");
-  if (fs8.existsSync(tarballPath)) return tarballPath;
-  const rootPath = path9.resolve(dir, "..", "dist", "nexus-release.tar.gz");
-  if (fs8.existsSync(rootPath)) return rootPath;
+import { execa as execa4 } from "execa";
+function getReleaseTarball() {
+  const dir = path6.dirname(fileURLToPath3(import.meta.url));
+  const tarballPath = path6.join(dir, "nexus-release.tar.gz");
+  if (fs5.existsSync(tarballPath)) return tarballPath;
+  const rootPath = path6.resolve(dir, "..", "dist", "nexus-release.tar.gz");
+  if (fs5.existsSync(rootPath)) return rootPath;
   throw new Error("nexus-release.tar.gz not found. Reinstall buildwithnexus to get the latest release.");
 }
-var updateCommand = new Command7("update").description("Update NEXUS to the latest bundled release and restart").action(async () => {
+var updateCommand = new Command8("update").description("Update NEXUS to the latest bundled release and restart").action(async () => {
   const config = loadConfig();
   if (!config) {
     log.error("No NEXUS configuration found. Run: buildwithnexus init");
     process.exit(1);
   }
-  if (!isVmRunning()) {
-    log.error("VM is not running. Start with: buildwithnexus start");
+  if (!await isNexusRunning()) {
+    log.error("NEXUS is not running. Start with: buildwithnexus start");
     process.exit(1);
   }
   let spinner = createSpinner("Uploading release tarball...");
   spinner.start();
-  const tarballPath = getReleaseTarball2();
-  await sshUploadFile(config.sshPort, tarballPath, "/tmp/nexus-release.tar.gz");
+  const tarballPath = getReleaseTarball();
+  await execa4("docker", ["cp", tarballPath, "nexus:/tmp/nexus-release.tar.gz"]);
   succeed(spinner, "Tarball uploaded");
   spinner = createSpinner("Stopping NEXUS server...");
   spinner.start();
-  await sshExec(config.sshPort, "sudo systemctl stop nexus");
+  await dockerExec("sudo systemctl stop nexus");
   succeed(spinner, "Server stopped");
   spinner = createSpinner("Extracting new release...");
   spinner.start();
-  await sshExec(config.sshPort, "rm -rf /home/nexus/nexus/src /home/nexus/nexus/docker");
-  await sshExec(config.sshPort, "tar xzf /tmp/nexus-release.tar.gz -C /home/nexus/nexus");
-  await sshExec(config.sshPort, "rm -f /tmp/nexus-release.tar.gz");
+  await dockerExec("rm -rf /home/nexus/nexus/src /home/nexus/nexus/docker");
+  await dockerExec("tar xzf /tmp/nexus-release.tar.gz -C /home/nexus/nexus");
+  await dockerExec("rm -f /tmp/nexus-release.tar.gz");
   succeed(spinner, "Release extracted");
   spinner = createSpinner("Installing dependencies...");
   spinner.start();
-  await sshExec(config.sshPort, "cd /home/nexus/nexus && .venv/bin/pip install -r requirements.txt -q");
+  await dockerExec("cd /home/nexus/nexus && .venv/bin/pip install -r requirements.txt -q");
   succeed(spinner, "Dependencies installed");
   spinner = createSpinner("Rebuilding Docker sandbox...");
   spinner.start();
-  await sshExec(config.sshPort, "docker build -t nexus-cli-sandbox /home/nexus/nexus/docker/cli-sandbox/");
+  await dockerExec("docker build -t nexus-cli-sandbox /home/nexus/nexus/docker/cli-sandbox/");
   succeed(spinner, "Docker image rebuilt");
   spinner = createSpinner("Restarting NEXUS server...");
   spinner.start();
-  await sshExec(config.sshPort, "sudo systemctl start nexus");
+  await dockerExec("sudo systemctl start nexus");
   await new Promise((r) => setTimeout(r, 3e3));
-  const health = await sshExec(config.sshPort, "curl -sf http://localhost:4200/health");
+  const health = await dockerExec("curl -sf http://localhost:4200/health");
   if (health.code === 0) {
     succeed(spinner, "NEXUS server restarted and healthy");
   } else {
@@ -1818,43 +2304,40 @@ var updateCommand = new Command7("update").description("Update NEXUS to the late
 });
 
 // src/commands/destroy.ts
-import { Command as Command8 } from "commander";
-import chalk9 from "chalk";
-import fs9 from "fs";
+import { Command as Command9 } from "commander";
+import chalk10 from "chalk";
+import fs6 from "fs";
 import { input as input2 } from "@inquirer/prompts";
-init_secrets();
-init_qemu();
-import path10 from "path";
-var destroyCommand = new Command8("destroy").description("Remove NEXUS VM and all data").option("--force", "Skip confirmation").action(async (opts) => {
+import path7 from "path";
+var destroyCommand = new Command9("destroy").description("Remove NEXUS VM and all data").option("--force", "Skip confirmation").action(async (opts) => {
   const config = loadConfig();
   if (!opts.force) {
     console.log("");
-    console.log(chalk9.red.bold("  This will permanently delete:"));
-    console.log(chalk9.red("  - NEXUS VM and all data inside it"));
-    console.log(chalk9.red("  - VM disk images"));
-    console.log(chalk9.red("  - SSH keys"));
-    console.log(chalk9.red("  - Configuration and API keys"));
+    console.log(chalk10.red.bold("  This will permanently delete:"));
+    console.log(chalk10.red("  - NEXUS container and all data inside it"));
+    console.log(chalk10.red("  - SSH keys"));
+    console.log(chalk10.red("  - Configuration and API keys"));
     console.log("");
-    const confirm2 = await input2({
+    const confirm3 = await input2({
       message: 'Type "destroy" to confirm:'
     });
-    if (confirm2 !== "destroy") {
+    if (confirm3 !== "destroy") {
       log.warn("Aborted");
       return;
     }
   }
   const spinner = createSpinner("Destroying NEXUS runtime...");
   spinner.start();
-  if (config && isVmRunning()) {
+  if (config && await isNexusRunning()) {
     try {
-      await stopTunnel(config.sshPort);
+      await dockerExec("pkill -f cloudflared || true");
     } catch {
     }
-    stopVm();
+    await stopNexus();
   }
-  const sshConfigPath = path10.join(process.env.HOME || "~", ".ssh", "config");
-  if (fs9.existsSync(sshConfigPath)) {
-    const content = fs9.readFileSync(sshConfigPath, "utf-8");
+  const sshConfigPath = path7.join(process.env.HOME || "~", ".ssh", "config");
+  if (fs6.existsSync(sshConfigPath)) {
+    const content = fs6.readFileSync(sshConfigPath, "utf-8");
     const lines = content.split("\n");
     const filtered = [];
     let skip = false;
@@ -1867,30 +2350,28 @@ var destroyCommand = new Command8("destroy").description("Remove NEXUS VM and al
       skip = false;
       filtered.push(line);
     }
-    fs9.writeFileSync(sshConfigPath, filtered.join("\n"));
+    fs6.writeFileSync(sshConfigPath, filtered.join("\n"));
   }
-  fs9.rmSync(NEXUS_HOME2, { recursive: true, force: true });
+  fs6.rmSync(NEXUS_HOME2, { recursive: true, force: true });
   succeed(spinner, "NEXUS runtime destroyed");
   log.dim("Run 'buildwithnexus init' to set up again");
 });
 
 // src/commands/keys.ts
-import { Command as Command9 } from "commander";
+import { Command as Command10 } from "commander";
 import { password as password2 } from "@inquirer/prompts";
-import chalk10 from "chalk";
-init_secrets();
-init_dlp();
-var keysCommand = new Command9("keys").description("Manage API keys");
+import chalk11 from "chalk";
+var keysCommand = new Command10("keys").description("Manage API keys");
 keysCommand.command("list").description("Show configured API keys (masked)").action(() => {
   const keys = loadKeys();
   if (!keys) {
     log.error("No keys configured. Run: buildwithnexus init");
     process.exit(1);
   }
-  console.log(chalk10.bold("\n  Configured Keys\n"));
+  console.log(chalk11.bold("\n  Configured Keys\n"));
   for (const [name, value] of Object.entries(keys)) {
     if (value) {
-      console.log(`  ${chalk10.cyan(name.padEnd(24))} ${maskKey(value)}`);
+      console.log(`  ${chalk11.cyan(name.padEnd(24))} ${maskKey(value)}`);
     }
   }
   console.log("");
@@ -1935,87 +2416,80 @@ keysCommand.command("set <key>").description("Set or update an API key (e.g. ANT
 });
 
 // src/commands/ssh.ts
-import { Command as Command10 } from "commander";
-init_secrets();
-init_qemu();
-init_ssh();
-var sshCommand = new Command10("ssh").description("Open an SSH session into the NEXUS VM").action(async () => {
-  const config = loadConfig();
-  if (!config) {
-    log.error("No NEXUS configuration found. Run: buildwithnexus init");
-    process.exit(1);
-  }
-  if (!isVmRunning()) {
-    log.error("VM is not running. Start it with: buildwithnexus start");
+import { Command as Command11 } from "commander";
+import { execa as execa5 } from "execa";
+var sshCommand = new Command11("ssh").description("Open an interactive shell inside the NEXUS container").action(async () => {
+  const running = await isNexusRunning();
+  if (!running) {
+    log.error("NEXUS container is not running. Start it with: buildwithnexus start");
     process.exit(1);
   }
-  log.dim(`Connecting to nexus-vm (port ${config.sshPort})...`);
-  await openInteractiveSsh(config.sshPort);
+  log.dim("Opening shell in NEXUS container...");
+  await execa5("docker", ["exec", "-it", "nexus", "/bin/bash"], { stdio: "inherit" });
 });
 
 // src/commands/brainstorm.ts
-import { Command as Command11 } from "commander";
-import chalk11 from "chalk";
+import { Command as Command12 } from "commander";
+import chalk12 from "chalk";
 import { input as input3 } from "@inquirer/prompts";
-init_secrets();
-init_qemu();
-init_ssh();
-init_dlp();
-var COS_PREFIX = chalk11.bold.cyan("  Chief of Staff");
-var YOU_PREFIX = chalk11.bold.white("  You");
-var DIVIDER = chalk11.dim("  " + "\u2500".repeat(56));
+var COS_PREFIX = chalk12.bold.cyan("  Chief of Staff");
+var YOU_PREFIX = chalk12.bold.white("  You");
+var DIVIDER = chalk12.dim("  " + "\u2500".repeat(56));
 function formatResponse(text) {
   const lines = text.split("\n");
-  return lines.map((line) => chalk11.white("  " + line)).join("\n");
+  return lines.map((line) => chalk12.white("  " + line)).join("\n");
 }
-async function sendMessage(sshPort, message, source) {
-  const payload = JSON.stringify({ message, source });
-  const escaped = shellEscape(payload);
-  const { stdout, code } = await sshExec(
-    sshPort,
-    `curl -sf -X POST http://localhost:4200/message -H 'Content-Type: application/json' -d ${escaped}`
-  );
-  if (code !== 0) {
-    throw new Error("Server returned a non-zero exit code");
+async function sendMessage(httpPort, message, source) {
+  const res = await fetch(`http://localhost:${httpPort}/message`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ message, source })
+  });
+  if (!res.ok) {
+    throw new Error(`Server returned status ${res.status}`);
   }
+  const text = await res.text();
   try {
-    const parsed = JSON.parse(stdout);
-    return parsed.response ?? parsed.message ?? stdout;
+    const parsed = JSON.parse(text);
+    return parsed.response ?? parsed.message ?? text;
   } catch {
-    return stdout;
+    return text;
   }
 }
-var brainstormCommand = new Command11("brainstorm").description("Brainstorm an idea with the NEXUS Chief of Staff").argument("[idea...]", "Your idea or question").action(async (ideaWords) => {
+var brainstormCommand = new Command12("brainstorm").description("Brainstorm an idea with the NEXUS Chief of Staff").argument("[idea...]", "Your idea or question").action(async (ideaWords) => {
   try {
     const config = loadConfig();
     if (!config) {
       log.error("No NEXUS configuration found. Run: buildwithnexus init");
       process.exit(1);
     }
-    if (!isVmRunning()) {
-      log.error("VM is not running. Start it with: buildwithnexus start");
+    if (!await isNexusRunning()) {
+      log.error("NEXUS is not running. Start it with: buildwithnexus start");
       process.exit(1);
     }
     const spinner = createSpinner("Connecting to NEXUS...");
     spinner.start();
-    const { stdout: healthCheck, code: healthCode } = await sshExec(
-      config.sshPort,
-      "curl -sf http://localhost:4200/health"
-    );
-    if (healthCode !== 0 || !healthCheck.includes("ok")) {
+    let healthOk = false;
+    try {
+      const healthRes = await fetch(`http://localhost:${config.httpPort}/health`);
+      const healthText = await healthRes.text();
+      healthOk = healthRes.ok && healthText.includes("ok");
+    } catch {
+    }
+    if (!healthOk) {
       fail(spinner, "NEXUS server is not healthy");
       log.warn("Check status: buildwithnexus status");
       process.exit(1);
     }
     succeed(spinner, "Connected to NEXUS");
     console.log("");
-    console.log(chalk11.bold("  \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557"));
-    console.log(chalk11.bold("  \u2551  ") + chalk11.bold.cyan("NEXUS Brainstorm Session") + chalk11.bold("                                \u2551"));
-    console.log(chalk11.bold("  \u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563"));
-    console.log(chalk11.bold("  \u2551  ") + chalk11.dim("The Chief of Staff will discuss your idea with the".padEnd(55)) + chalk11.bold("\u2551"));
-    console.log(chalk11.bold("  \u2551  ") + chalk11.dim("NEXUS team and share their recommendations.".padEnd(55)) + chalk11.bold("\u2551"));
-    console.log(chalk11.bold("  \u2551  ") + chalk11.dim("Type 'exit' or 'quit' to end the session.".padEnd(55)) + chalk11.bold("\u2551"));
-    console.log(chalk11.bold("  \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D"));
+    console.log(chalk12.bold("  \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557"));
+    console.log(chalk12.bold("  \u2551  ") + chalk12.bold.cyan("NEXUS Brainstorm Session") + chalk12.bold("                                \u2551"));
+    console.log(chalk12.bold("  \u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563"));
+    console.log(chalk12.bold("  \u2551  ") + chalk12.dim("The Chief of Staff will discuss your idea with the".padEnd(55)) + chalk12.bold("\u2551"));
+    console.log(chalk12.bold("  \u2551  ") + chalk12.dim("NEXUS team and share their recommendations.".padEnd(55)) + chalk12.bold("\u2551"));
+    console.log(chalk12.bold("  \u2551  ") + chalk12.dim("Type 'exit' or 'quit' to end the session.".padEnd(55)) + chalk12.bold("\u2551"));
+    console.log(chalk12.bold("  \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D"));
     console.log("");
     let idea = ideaWords.length > 0 ? ideaWords.join(" ") : "";
     if (!idea) {
@@ -2032,7 +2506,7 @@ var brainstormCommand = new Command11("brainstorm").description("Brainstorm an i
     while (true) {
       turn++;
       if (turn === 1) {
-        console.log(`${YOU_PREFIX}: ${chalk11.white(idea)}`);
+        console.log(`${YOU_PREFIX}: ${chalk12.white(idea)}`);
       }
       console.log(DIVIDER);
       const thinking = createSpinner(
@@ -2040,7 +2514,7 @@ var brainstormCommand = new Command11("brainstorm").description("Brainstorm an i
       );
       thinking.start();
       const response = await sendMessage(
-        config.sshPort,
+        config.httpPort,
         currentMessage,
         "brainstorm"
       );
@@ -2050,17 +2524,17 @@ var brainstormCommand = new Command11("brainstorm").description("Brainstorm an i
       console.log(formatResponse(redact(response)));
       console.log(DIVIDER);
       const followUp = await input3({
-        message: chalk11.bold("You:")
+        message: chalk12.bold("You:")
       });
       const trimmed = followUp.trim().toLowerCase();
       if (!trimmed || trimmed === "exit" || trimmed === "quit" || trimmed === "q") {
         console.log("");
         log.success("Brainstorm session ended");
-        console.log(chalk11.dim("    Run again anytime: buildwithnexus brainstorm"));
+        console.log(chalk12.dim("    Run again anytime: buildwithnexus brainstorm"));
         console.log("");
         return;
       }
-      console.log(`${YOU_PREFIX}: ${chalk11.white(followUp)}`);
+      console.log(`${YOU_PREFIX}: ${chalk12.white(followUp)}`);
       currentMessage = `[BRAINSTORM FOLLOW-UP] The CEO responds: ${followUp}`;
     }
   } catch (err) {
@@ -2076,19 +2550,15 @@ var brainstormCommand = new Command11("brainstorm").description("Brainstorm an i
 });
 
 // src/commands/ninety-nine.ts
-import { Command as Command12 } from "commander";
-import chalk12 from "chalk";
+import { Command as Command13 } from "commander";
+import chalk13 from "chalk";
 import { input as input4 } from "@inquirer/prompts";
-init_secrets();
-init_qemu();
-init_ssh();
-init_dlp();
-var AGENT_PREFIX = chalk12.bold.green("  99 \u276F");
-var YOU_PREFIX2 = chalk12.bold.white("  You");
-var DIVIDER2 = chalk12.dim("  " + "\u2500".repeat(56));
+var AGENT_PREFIX = chalk13.bold.green("  99 \u276F");
+var YOU_PREFIX2 = chalk13.bold.white("  You");
+var DIVIDER2 = chalk13.dim("  " + "\u2500".repeat(56));
 function formatAgentActivity(text) {
   const lines = text.split("\n");
-  return lines.map((line) => chalk12.white("  " + line)).join("\n");
+  return lines.map((line) => chalk13.white("  " + line)).join("\n");
 }
 function parsePrefixes(instruction) {
   const files = [];
@@ -2106,7 +2576,7 @@ function parsePrefixes(instruction) {
   }
   return { cleaned: remaining.join(" "), files, rules };
 }
-async function sendToNexus(sshPort, instruction, files, rules, cwd) {
+async function sendToNexus(instruction, files, rules, cwd) {
   const message = `[99] ${instruction}`;
   const payload = JSON.stringify({
     message,
@@ -2114,8 +2584,7 @@ async function sendToNexus(sshPort, instruction, files, rules, cwd) {
     context: { files, rules, cwd }
   });
   const escaped = shellEscape(payload);
-  const { stdout, code } = await sshExec(
-    sshPort,
+  const { stdout, code } = await dockerExec(
     `curl -sf -X POST http://localhost:4200/message -H 'Content-Type: application/json' -d ${escaped}`
   );
   if (code !== 0) {
@@ -2128,21 +2597,20 @@ async function sendToNexus(sshPort, instruction, files, rules, cwd) {
     return stdout;
   }
 }
-var ninetyNineCommand = new Command12("99").description("AI pair-programming session backed by the full NEXUS agent engine").argument("[instruction...]", "What to build, edit, or debug").option("--edit <file>", "AI-assisted edit for a specific file").option("--search <query>", "Contextual codebase search").option("--debug", "Debug current issue with NEXUS agent assistance").action(async (instructionWords, opts) => {
+var ninetyNineCommand = new Command13("99").description("AI pair-programming session backed by the full NEXUS agent engine").argument("[instruction...]", "What to build, edit, or debug").option("--edit <file>", "AI-assisted edit for a specific file").option("--search <query>", "Contextual codebase search").option("--debug", "Debug current issue with NEXUS agent assistance").action(async (instructionWords, opts) => {
   try {
     const config = loadConfig();
     if (!config) {
       log.error("No NEXUS configuration found. Run: buildwithnexus init");
       process.exit(1);
     }
-    if (!isVmRunning()) {
-      log.error("VM is not running. Start it with: buildwithnexus start");
+    if (!await isNexusRunning()) {
+      log.error("NEXUS is not running. Start it with: buildwithnexus start");
       process.exit(1);
     }
     const spinner = createSpinner("Connecting to NEXUS...");
     spinner.start();
-    const { stdout: healthCheck, code: healthCode } = await sshExec(
-      config.sshPort,
+    const { stdout: healthCheck, code: healthCode } = await dockerExec(
       "curl -sf http://localhost:4200/health"
     );
     if (healthCode !== 0 || !healthCheck.includes("ok")) {
@@ -2152,14 +2620,14 @@ var ninetyNineCommand = new Command12("99").description("AI pair-programming ses
     }
     succeed(spinner, "Connected to NEXUS");
     console.log("");
-    console.log(chalk12.bold("  \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557"));
-    console.log(chalk12.bold("  \u2551  ") + chalk12.bold.green("/99 Pair Programming") + chalk12.dim(" \u2014 powered by NEXUS") + chalk12.bold("           \u2551"));
-    console.log(chalk12.bold("  \u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563"));
-    console.log(chalk12.bold("  \u2551  ") + chalk12.dim("Describe what you want changed. NEXUS engineers".padEnd(55)) + chalk12.bold("\u2551"));
-    console.log(chalk12.bold("  \u2551  ") + chalk12.dim("analyze and modify your code in real time.".padEnd(55)) + chalk12.bold("\u2551"));
-    console.log(chalk12.bold("  \u2551  ") + chalk12.dim("Use @file to attach context, #rule to load rules.".padEnd(55)) + chalk12.bold("\u2551"));
-    console.log(chalk12.bold("  \u2551  ") + chalk12.dim("Type 'exit' or 'quit' to end the session.".padEnd(55)) + chalk12.bold("\u2551"));
-    console.log(chalk12.bold("  \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D"));
+    console.log(chalk13.bold("  \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557"));
+    console.log(chalk13.bold("  \u2551  ") + chalk13.bold.green("/99 Pair Programming") + chalk13.dim(" \u2014 powered by NEXUS") + chalk13.bold("           \u2551"));
+    console.log(chalk13.bold("  \u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563"));
+    console.log(chalk13.bold("  \u2551  ") + chalk13.dim("Describe what you want changed. NEXUS engineers".padEnd(55)) + chalk13.bold("\u2551"));
+    console.log(chalk13.bold("  \u2551  ") + chalk13.dim("analyze and modify your code in real time.".padEnd(55)) + chalk13.bold("\u2551"));
+    console.log(chalk13.bold("  \u2551  ") + chalk13.dim("Use @file to attach context, #rule to load rules.".padEnd(55)) + chalk13.bold("\u2551"));
+    console.log(chalk13.bold("  \u2551  ") + chalk13.dim("Type 'exit' or 'quit' to end the session.".padEnd(55)) + chalk13.bold("\u2551"));
+    console.log(chalk13.bold("  \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D"));
     console.log("");
     const cwd = process.cwd();
     if (opts.edit) {
@@ -2168,11 +2636,11 @@ var ninetyNineCommand = new Command12("99").description("AI pair-programming ses
       });
       const { cleaned, files, rules } = parsePrefixes(instruction);
       const fullInstruction = `Edit file ${opts.edit}: ${cleaned}`;
-      console.log(`${YOU_PREFIX2}: ${chalk12.white(fullInstruction)}`);
+      console.log(`${YOU_PREFIX2}: ${chalk13.white(fullInstruction)}`);
       console.log(DIVIDER2);
       const thinking = createSpinner("NEXUS engineers analyzing the file...");
       thinking.start();
-      const response = await sendToNexus(config.sshPort, fullInstruction, [opts.edit, ...files], rules, cwd);
+      const response = await sendToNexus(fullInstruction, [opts.edit, ...files], rules, cwd);
       thinking.stop();
       thinking.clear();
       console.log(`${AGENT_PREFIX}`);
@@ -2182,11 +2650,11 @@ var ninetyNineCommand = new Command12("99").description("AI pair-programming ses
     }
     if (opts.search) {
       const fullInstruction = `Search the codebase for: ${opts.search}`;
-      console.log(`${YOU_PREFIX2}: ${chalk12.white(fullInstruction)}`);
+      console.log(`${YOU_PREFIX2}: ${chalk13.white(fullInstruction)}`);
       console.log(DIVIDER2);
       const thinking = createSpinner("Searching with NEXUS context...");
       thinking.start();
-      const response = await sendToNexus(config.sshPort, fullInstruction, [], [], cwd);
+      const response = await sendToNexus(fullInstruction, [], [], cwd);
       thinking.stop();
       thinking.clear();
       console.log(`${AGENT_PREFIX}`);
@@ -2196,11 +2664,11 @@ var ninetyNineCommand = new Command12("99").description("AI pair-programming ses
     }
     if (opts.debug) {
       const fullInstruction = "Debug the current issue \u2014 analyze recent errors, identify the root cause, and propose a fix";
-      console.log(`${YOU_PREFIX2}: ${chalk12.white(fullInstruction)}`);
+      console.log(`${YOU_PREFIX2}: ${chalk13.white(fullInstruction)}`);
       console.log(DIVIDER2);
       const thinking = createSpinner("NEXUS debugger agent analyzing...");
       thinking.start();
-      const response = await sendToNexus(config.sshPort, fullInstruction, [], [], cwd);
+      const response = await sendToNexus(fullInstruction, [], [], cwd);
       thinking.stop();
       thinking.clear();
       console.log(`${AGENT_PREFIX}`);
@@ -2211,7 +2679,7 @@ var ninetyNineCommand = new Command12("99").description("AI pair-programming ses
     let initialInstruction = instructionWords.length > 0 ? instructionWords.join(" ") : "";
     if (!initialInstruction) {
       initialInstruction = await input4({
-        message: chalk12.green("99 \u276F")
+        message: chalk13.green("99 \u276F")
       });
       if (!initialInstruction.trim()) {
         log.warn("No instruction provided");
@@ -2226,37 +2694,37 @@ var ninetyNineCommand = new Command12("99").description("AI pair-programming ses
       const display = currentInstruction;
       const nexusInstruction = cleaned || currentInstruction;
       if (turn === 1) {
-        console.log(`${YOU_PREFIX2}: ${chalk12.white(display)}`);
+        console.log(`${YOU_PREFIX2}: ${chalk13.white(display)}`);
       }
       if (files.length > 0) {
-        console.log(chalk12.dim(`  Attaching: ${files.join(", ")}`));
+        console.log(chalk13.dim(`  Attaching: ${files.join(", ")}`));
       }
       if (rules.length > 0) {
-        console.log(chalk12.dim(`  Rules: ${rules.join(", ")}`));
+        console.log(chalk13.dim(`  Rules: ${rules.join(", ")}`));
       }
       console.log(DIVIDER2);
       const thinking = createSpinner(
         turn === 1 ? "NEXUS agents analyzing and implementing..." : "NEXUS agents processing..."
       );
       thinking.start();
-      const response = await sendToNexus(config.sshPort, nexusInstruction, files, rules, cwd);
+      const response = await sendToNexus(nexusInstruction, files, rules, cwd);
       thinking.stop();
       thinking.clear();
       console.log(`${AGENT_PREFIX}`);
       console.log(formatAgentActivity(redact(response)));
       console.log(DIVIDER2);
       const followUp = await input4({
-        message: chalk12.green("99 \u276F")
+        message: chalk13.green("99 \u276F")
       });
       const trimmed = followUp.trim().toLowerCase();
       if (!trimmed || trimmed === "exit" || trimmed === "quit" || trimmed === "q") {
         console.log("");
         log.success("/99 session ended");
-        console.log(chalk12.dim("    Run again: buildwithnexus 99"));
+        console.log(chalk13.dim("    Run again: buildwithnexus 99"));
         console.log("");
         return;
       }
-      console.log(`${YOU_PREFIX2}: ${chalk12.white(followUp)}`);
+      console.log(`${YOU_PREFIX2}: ${chalk13.white(followUp)}`);
       currentInstruction = followUp;
     }
   } catch (err) {
@@ -2272,20 +2740,15 @@ var ninetyNineCommand = new Command12("99").description("AI pair-programming ses
 });
 
 // src/commands/shell.ts
-import { Command as Command13 } from "commander";
-import chalk15 from "chalk";
-init_secrets();
-init_qemu();
-init_ssh();
-init_dlp();
+import { Command as Command14 } from "commander";
+import chalk16 from "chalk";
 
 // src/ui/repl.ts
-init_secrets();
-import readline from "readline";
-import fs10 from "fs";
-import path11 from "path";
-import chalk13 from "chalk";
-var HISTORY_FILE = path11.join(NEXUS_HOME2, "shell_history");
+import readline2 from "readline";
+import fs7 from "fs";
+import path8 from "path";
+import chalk14 from "chalk";
+var HISTORY_FILE = path8.join(NEXUS_HOME2, "shell_history");
 var MAX_HISTORY = 1e3;
 var Repl = class {
   rl = null;
@@ -2301,25 +2764,25 @@ var Repl = class {
   }
   loadHistory() {
     try {
-      if (fs10.existsSync(HISTORY_FILE)) {
-        this.history = fs10.readFileSync(HISTORY_FILE, "utf-8").split("\n").filter(Boolean).slice(-MAX_HISTORY);
+      if (fs7.existsSync(HISTORY_FILE)) {
+        this.history = fs7.readFileSync(HISTORY_FILE, "utf-8").split("\n").filter(Boolean).slice(-MAX_HISTORY);
       }
     } catch {
     }
   }
   saveHistory() {
     try {
-      const dir = path11.dirname(HISTORY_FILE);
-      fs10.mkdirSync(dir, { recursive: true });
-      fs10.writeFileSync(HISTORY_FILE, this.history.slice(-MAX_HISTORY).join("\n") + "\n", { mode: 384 });
+      const dir = path8.dirname(HISTORY_FILE);
+      fs7.mkdirSync(dir, { recursive: true });
+      fs7.writeFileSync(HISTORY_FILE, this.history.slice(-MAX_HISTORY).join("\n") + "\n", { mode: 384 });
     } catch {
     }
   }
   async start() {
-    this.rl = readline.createInterface({
+    this.rl = readline2.createInterface({
       input: process.stdin,
       output: process.stdout,
-      prompt: chalk13.bold.cyan("nexus") + chalk13.dim(" \u276F "),
+      prompt: chalk14.bold.cyan("nexus") + chalk14.dim(" \u276F "),
       history: this.history,
       historySize: MAX_HISTORY,
       terminal: true
@@ -2349,25 +2812,25 @@ var Repl = class {
           try {
             await cmd.handler();
           } catch (err) {
-            console.log(chalk13.red(`  \u2717 Command failed: ${err.message}`));
+            console.log(chalk14.red(`  \u2717 Command failed: ${err.message}`));
           }
           this.rl?.prompt();
           return;
         }
-        console.log(chalk13.yellow(`  Unknown command: /${cmdName}. Type /help for available commands.`));
+        console.log(chalk14.yellow(`  Unknown command: /${cmdName}. Type /help for available commands.`));
         this.rl?.prompt();
         return;
       }
       try {
         await this.onMessage(trimmed);
       } catch (err) {
-        console.log(chalk13.red(`  \u2717 ${err.message}`));
+        console.log(chalk14.red(`  \u2717 ${err.message}`));
       }
       this.rl?.prompt();
     });
     this.rl.on("close", () => {
       this.saveHistory();
-      console.log(chalk13.dim("\n  Session ended."));
+      console.log(chalk14.dim("\n  Session ended."));
       process.exit(0);
     });
     this.rl.on("SIGINT", () => {
@@ -2376,21 +2839,21 @@ var Repl = class {
   }
   showHelp() {
     console.log("");
-    console.log(chalk13.bold("  Available Commands:"));
-    console.log(chalk13.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+    console.log(chalk14.bold("  Available Commands:"));
+    console.log(chalk14.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
     for (const [name, cmd] of this.commands) {
-      console.log(`  ${chalk13.cyan("/" + name.padEnd(14))} ${chalk13.dim(cmd.description)}`);
+      console.log(`  ${chalk14.cyan("/" + name.padEnd(14))} ${chalk14.dim(cmd.description)}`);
     }
-    console.log(`  ${chalk13.cyan("/help".padEnd(15))} ${chalk13.dim("Show this help message")}`);
-    console.log(`  ${chalk13.cyan("/exit".padEnd(15))} ${chalk13.dim("Exit the shell")}`);
-    console.log(chalk13.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
-    console.log(chalk13.dim("  Type anything else to chat with NEXUS"));
+    console.log(`  ${chalk14.cyan("/help".padEnd(15))} ${chalk14.dim("Show this help message")}`);
+    console.log(`  ${chalk14.cyan("/exit".padEnd(15))} ${chalk14.dim("Exit the shell")}`);
+    console.log(chalk14.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+    console.log(chalk14.dim("  Type anything else to chat with NEXUS"));
     console.log("");
   }
   write(text) {
     if (this.rl) {
-      readline.clearLine(process.stdout, 0);
-      readline.cursorTo(process.stdout, 0);
+      readline2.clearLine(process.stdout, 0);
+      readline2.cursorTo(process.stdout, 0);
       console.log(text);
       this.rl.prompt(true);
     } else {
@@ -2407,20 +2870,17 @@ var Repl = class {
 };
 
 // src/core/event-stream.ts
-init_ssh();
-init_secrets();
-init_dlp();
-import chalk14 from "chalk";
+import chalk15 from "chalk";
 var ROLE_COLORS = {
-  "Chief of Staff": chalk14.bold.cyan,
-  "VP Engineering": chalk14.bold.blue,
-  "VP Product": chalk14.bold.magenta,
-  "Senior Engineer": chalk14.bold.green,
-  "Engineer": chalk14.green,
-  "QA Lead": chalk14.bold.yellow,
-  "Security Engineer": chalk14.bold.red,
-  "DevOps Engineer": chalk14.bold.hex("#FF8C00"),
-  "default": chalk14.bold.white
+  "Chief of Staff": chalk15.bold.cyan,
+  "VP Engineering": chalk15.bold.blue,
+  "VP Product": chalk15.bold.magenta,
+  "Senior Engineer": chalk15.bold.green,
+  "Engineer": chalk15.green,
+  "QA Lead": chalk15.bold.yellow,
+  "Security Engineer": chalk15.bold.red,
+  "DevOps Engineer": chalk15.bold.hex("#FF8C00"),
+  "default": chalk15.bold.white
 };
 function getColor(role) {
   if (!role) return ROLE_COLORS["default"];
@@ -2431,15 +2891,15 @@ function formatEvent(event) {
   const prefix = event.role ? color(`  [${event.role}]`) : "";
   switch (event.type) {
     case "agent_thinking":
-      return `${prefix} ${chalk14.dim("thinking...")}`;
+      return `${prefix} ${chalk15.dim("thinking...")}`;
     case "agent_response":
       return `${prefix} ${redact(event.content ?? "")}`;
     case "task_delegated":
-      return `${prefix} ${chalk14.dim("\u2192")} delegated to ${chalk14.bold(event.target ?? "agent")}`;
+      return `${prefix} ${chalk15.dim("\u2192")} delegated to ${chalk15.bold(event.target ?? "agent")}`;
     case "agent_complete":
-      return `${prefix} ${chalk14.green("\u2713")} ${chalk14.dim("complete")}`;
+      return `${prefix} ${chalk15.green("\u2713")} ${chalk15.dim("complete")}`;
     case "error":
-      return `  ${chalk14.red("\u2717")} ${redact(event.content ?? "Unknown error")}`;
+      return `  ${chalk15.red("\u2717")} ${redact(event.content ?? "Unknown error")}`;
     case "heartbeat":
       return null;
     default:
@@ -2490,8 +2950,7 @@ var EventStream = class {
     this.pollInterval = setInterval(async () => {
       if (!this.active) return;
       try {
-        const { stdout, code } = await sshExec(
-          config.sshPort,
+        const { stdout, code } = await dockerExec(
           `curl -sf -H 'Last-Event-ID: ${this.lastId}' http://localhost:4200/events?timeout=1 2>/dev/null || true`
         );
         if (code === 0 && stdout.trim()) {
@@ -2525,51 +2984,66 @@ var EventStream = class {
 };
 
 // src/commands/shell.ts
-async function sendMessage2(sshPort, message) {
-  const payload = JSON.stringify({ message, source: "shell" });
-  const escaped = shellEscape(payload);
-  const { stdout, code } = await sshExec(
-    sshPort,
-    `curl -sf -X POST http://localhost:4200/message -H 'Content-Type: application/json' -d ${escaped}`
-  );
-  if (code !== 0) throw new Error("Server returned a non-zero exit code");
+async function httpPost(httpPort, path10, body) {
+  const res = await fetch(`http://localhost:${httpPort}${path10}`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(body),
+    signal: AbortSignal.timeout(6e4)
+  });
+  if (!res.ok) throw new Error(`Server returned ${res.status}`);
+  const text = await res.text();
   try {
-    const parsed = JSON.parse(stdout);
-    return parsed.response ?? parsed.message ?? stdout;
+    const parsed = JSON.parse(text);
+    return parsed.response ?? parsed.message ?? text;
   } catch {
-    return stdout;
+    return text;
+  }
+}
+async function httpGet(httpPort, path10) {
+  try {
+    const res = await fetch(`http://localhost:${httpPort}${path10}`, {
+      signal: AbortSignal.timeout(1e4)
+    });
+    const text = await res.text();
+    return { ok: res.ok, text };
+  } catch {
+    return { ok: false, text: "" };
   }
 }
+async function sendMessage2(httpPort, message) {
+  return httpPost(httpPort, "/message", { message, source: "shell" });
+}
 function showShellBanner(health) {
-  const check = chalk15.green("\u2713");
-  const cross = chalk15.red("\u2717");
+  const check = chalk16.green("\u2713");
+  const cross = chalk16.red("\u2717");
   console.log("");
-  console.log(chalk15.bold("  \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557"));
-  console.log(chalk15.bold("  \u2551  ") + chalk15.bold.cyan("NEXUS Interactive Shell") + chalk15.bold("                                 \u2551"));
-  console.log(chalk15.bold("  \u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563"));
-  console.log(chalk15.bold("  \u2551  ") + `${health.vmRunning ? check : cross} VM    ${health.sshReady ? check : cross} SSH    ${health.dockerReady ? check : cross} Docker    ${health.serverHealthy ? check : cross} Engine`.padEnd(55) + chalk15.bold("\u2551"));
+  console.log(chalk16.bold("  \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557"));
+  console.log(chalk16.bold("  \u2551  ") + chalk16.bold.cyan("NEXUS Interactive Shell") + chalk16.bold("                                 \u2551"));
+  console.log(chalk16.bold("  \u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563"));
+  console.log(chalk16.bold("  \u2551  ") + `${health.containerRunning ? check : cross} Container    ${health.serverHealthy ? check : cross} Engine`.padEnd(55) + chalk16.bold("\u2551"));
   if (health.tunnelUrl) {
-    console.log(chalk15.bold("  \u2551  ") + chalk15.dim(`Tunnel: ${health.tunnelUrl}`.padEnd(55)) + chalk15.bold("\u2551"));
+    console.log(chalk16.bold("  \u2551  ") + chalk16.dim(`Tunnel: ${health.tunnelUrl}`.padEnd(55)) + chalk16.bold("\u2551"));
   }
-  console.log(chalk15.bold("  \u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563"));
-  console.log(chalk15.bold("  \u2551  ") + chalk15.dim("Type naturally to chat \xB7 /help for commands".padEnd(55)) + chalk15.bold("\u2551"));
-  console.log(chalk15.bold("  \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D"));
+  console.log(chalk16.bold("  \u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563"));
+  console.log(chalk16.bold("  \u2551  ") + chalk16.dim("Type naturally to chat \xB7 /help for commands".padEnd(55)) + chalk16.bold("\u2551"));
+  console.log(chalk16.bold("  \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D"));
   console.log("");
 }
-async function getAgentList(sshPort) {
+async function getAgentList(httpPort) {
   try {
-    const { stdout, code } = await sshExec(sshPort, "curl -sf http://localhost:4200/agents");
-    if (code !== 0) return "Could not retrieve agent list";
-    const agents = JSON.parse(stdout);
-    if (!Array.isArray(agents)) return stdout;
+    const { ok, text } = await httpGet(httpPort, "/agents");
+    if (!ok) return "  Could not retrieve agent list";
+    const agents = JSON.parse(text);
+    if (!Array.isArray(agents)) return text;
     const lines = [""];
-    lines.push(chalk15.bold("  Registered Agents:"));
-    lines.push(chalk15.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+    lines.push(chalk16.bold("  Registered Agents:"));
+    lines.push(chalk16.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
     for (const agent of agents) {
       const name = agent.name ?? agent.id ?? "unknown";
       const role = agent.role ?? "";
-      const status = agent.status === "active" ? chalk15.green("\u25CF") : chalk15.dim("\u25CB");
-      lines.push(`  ${status} ${chalk15.bold(name.padEnd(24))} ${chalk15.dim(role)}`);
+      const status = agent.status === "active" ? chalk16.green("\u25CF") : chalk16.dim("\u25CB");
+      lines.push(`  ${status} ${chalk16.bold(name.padEnd(24))} ${chalk16.dim(role)}`);
     }
     lines.push("");
     return lines.join("\n");
@@ -2577,21 +3051,28 @@ async function getAgentList(sshPort) {
     return "  Could not retrieve agent list";
   }
 }
-async function getStatus(sshPort) {
+async function getStatus(httpPort) {
   try {
-    const vmRunning = isVmRunning();
-    const health = await checkHealth(sshPort, vmRunning);
-    const check = chalk15.green("\u2713");
-    const cross = chalk15.red("\u2717");
+    const containerRunning = await isNexusRunning();
+    let serverHealthy = false;
+    let tunnelUrl = null;
+    if (containerRunning) {
+      const { ok, text } = await httpGet(httpPort, "/health");
+      serverHealthy = ok && (text.includes("ok") || true);
+      const tunnelRes = await httpGet(httpPort, "/tunnel-url");
+      if (tunnelRes.ok && tunnelRes.text.includes("https://")) {
+        tunnelUrl = tunnelRes.text.trim();
+      }
+    }
+    const check = chalk16.green("\u2713");
+    const cross = chalk16.red("\u2717");
     const lines = [""];
-    lines.push(chalk15.bold("  System Status:"));
-    lines.push(chalk15.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
-    lines.push(`  ${health.vmRunning ? check : cross} Virtual Machine`);
-    lines.push(`  ${health.sshReady ? check : cross} SSH Connection`);
-    lines.push(`  ${health.dockerReady ? check : cross} Docker Engine`);
-    lines.push(`  ${health.serverHealthy ? check : cross} NEXUS Engine`);
-    if (health.tunnelUrl) {
-      lines.push(`  ${check} Tunnel: ${health.tunnelUrl}`);
+    lines.push(chalk16.bold("  System Status:"));
+    lines.push(chalk16.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+    lines.push(`  ${containerRunning ? check : cross} NEXUS Container`);
+    lines.push(`  ${serverHealthy ? check : cross} NEXUS Engine`);
+    if (tunnelUrl) {
+      lines.push(`  ${check} Tunnel: ${tunnelUrl}`);
     } else {
       lines.push(`  ${cross} Tunnel: not active`);
     }
@@ -2601,23 +3082,23 @@ async function getStatus(sshPort) {
     return "  Could not check status";
   }
 }
-async function getCost(sshPort) {
+async function getCost(httpPort) {
   try {
-    const { stdout, code } = await sshExec(sshPort, "curl -sf http://localhost:4200/cost");
-    if (code !== 0) return "  Could not retrieve cost data";
-    const data = JSON.parse(stdout);
+    const { ok, text } = await httpGet(httpPort, "/cost");
+    if (!ok) return "  Could not retrieve cost data";
+    const data = JSON.parse(text);
     const lines = [""];
-    lines.push(chalk15.bold("  Token Costs:"));
-    lines.push(chalk15.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+    lines.push(chalk16.bold("  Token Costs:"));
+    lines.push(chalk16.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
     if (data.total !== void 0) {
-      lines.push(`  Total: ${chalk15.bold.green("$" + Number(data.total).toFixed(4))}`);
+      lines.push(`  Total: ${chalk16.bold.green("$" + Number(data.total).toFixed(4))}`);
     }
     if (data.today !== void 0) {
-      lines.push(`  Today: ${chalk15.bold("$" + Number(data.today).toFixed(4))}`);
+      lines.push(`  Today: ${chalk16.bold("$" + Number(data.today).toFixed(4))}`);
     }
     if (data.by_agent && typeof data.by_agent === "object") {
       lines.push("");
-      lines.push(chalk15.dim("  By Agent:"));
+      lines.push(chalk16.dim("  By Agent:"));
       for (const [agent, cost] of Object.entries(data.by_agent)) {
         lines.push(`    ${agent.padEnd(20)} $${Number(cost).toFixed(4)}`);
       }
@@ -2628,27 +3109,32 @@ async function getCost(sshPort) {
     return "  Could not retrieve cost data";
   }
 }
-var shellCommand2 = new Command13("shell").description("Launch the interactive NEXUS shell").action(async () => {
+var shellCommand2 = new Command14("shell").description("Launch the interactive NEXUS shell").action(async () => {
   try {
     const config = loadConfig();
     if (!config) {
       log.error("No NEXUS configuration found. Run: buildwithnexus init");
       process.exit(1);
     }
-    if (!isVmRunning()) {
-      log.error("VM is not running. Start it with: buildwithnexus start");
+    if (!await isNexusRunning()) {
+      log.error("NEXUS is not running. Start it with: buildwithnexus start");
       process.exit(1);
     }
     const spinner = createSpinner("Connecting to NEXUS...");
     spinner.start();
-    const health = await checkHealth(config.sshPort, true);
-    if (!health.serverHealthy) {
+    const { ok: serverHealthy, text: healthText } = await httpGet(config.httpPort, "/health");
+    if (!serverHealthy) {
       fail(spinner, "NEXUS engine is not responding");
       log.warn("Check status: buildwithnexus status");
       process.exit(1);
     }
     succeed(spinner, "Connected to NEXUS engine");
-    showShellBanner(health);
+    let tunnelUrl = null;
+    const tunnelRes = await httpGet(config.httpPort, "/tunnel-url");
+    if (tunnelRes.ok && tunnelRes.text.includes("https://")) {
+      tunnelUrl = tunnelRes.text.trim();
+    }
+    showShellBanner({ containerRunning: true, serverHealthy: true, tunnelUrl });
     const eventStream = new EventStream((event) => {
       const formatted = formatEvent(event);
       if (formatted) repl.write(formatted);
@@ -2658,14 +3144,14 @@ var shellCommand2 = new Command13("shell").description("Launch the interactive N
       const thinkingSpinner = createSpinner("Processing...");
       thinkingSpinner.start();
       try {
-        const response = await sendMessage2(config.sshPort, text);
+        const response = await sendMessage2(config.httpPort, text);
         thinkingSpinner.stop();
         thinkingSpinner.clear();
         console.log("");
-        console.log(chalk15.bold.cyan("  Chief of Staff:"));
+        console.log(chalk16.bold.cyan("  Chief of Staff:"));
         const lines = redact(response).split("\n");
         for (const line of lines) {
-          console.log(chalk15.white("  " + line));
+          console.log(chalk16.white("  " + line));
         }
         console.log("");
       } catch (err) {
@@ -2679,14 +3165,14 @@ var shellCommand2 = new Command13("shell").description("Launch the interactive N
       description: "Brainstorm with the full NEXUS org (led by Chief of Staff)",
       handler: async () => {
         console.log("");
-        console.log(chalk15.bold("  \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557"));
-        console.log(chalk15.bold("  \u2551  ") + chalk15.bold.cyan("NEXUS Brainstorm Session") + chalk15.bold("                                \u2551"));
-        console.log(chalk15.bold("  \u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563"));
-        console.log(chalk15.bold("  \u2551  ") + chalk15.dim("The Chief of Staff will facilitate a discussion with".padEnd(55)) + chalk15.bold("\u2551"));
-        console.log(chalk15.bold("  \u2551  ") + chalk15.dim("the full NEXUS org to refine your idea. When ready,".padEnd(55)) + chalk15.bold("\u2551"));
-        console.log(chalk15.bold("  \u2551  ") + chalk15.dim("NEXUS will draft an execution plan for your review.".padEnd(55)) + chalk15.bold("\u2551"));
-        console.log(chalk15.bold("  \u2551  ") + chalk15.dim("Type 'exit' to end brainstorm. Type 'plan' to hand off.".padEnd(55)) + chalk15.bold("\u2551"));
-        console.log(chalk15.bold("  \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D"));
+        console.log(chalk16.bold("  \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557"));
+        console.log(chalk16.bold("  \u2551  ") + chalk16.bold.cyan("NEXUS Brainstorm Session") + chalk16.bold("                                \u2551"));
+        console.log(chalk16.bold("  \u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563"));
+        console.log(chalk16.bold("  \u2551  ") + chalk16.dim("The Chief of Staff will facilitate a discussion with".padEnd(55)) + chalk16.bold("\u2551"));
+        console.log(chalk16.bold("  \u2551  ") + chalk16.dim("the full NEXUS org to refine your idea. When ready,".padEnd(55)) + chalk16.bold("\u2551"));
+        console.log(chalk16.bold("  \u2551  ") + chalk16.dim("NEXUS will draft an execution plan for your review.".padEnd(55)) + chalk16.bold("\u2551"));
+        console.log(chalk16.bold("  \u2551  ") + chalk16.dim("Type 'exit' to end brainstorm. Type 'plan' to hand off.".padEnd(55)) + chalk16.bold("\u2551"));
+        console.log(chalk16.bold("  \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D"));
         console.log("");
         const { input: input5 } = await import("@inquirer/prompts");
         const idea = await input5({ message: "What would you like to brainstorm?" });
@@ -2695,16 +3181,16 @@ var shellCommand2 = new Command13("shell").description("Launch the interactive N
         while (true) {
           const brainstormSpinner = createSpinner("NEXUS team is discussing...");
           brainstormSpinner.start();
-          const response = await sendMessage2(config.sshPort, currentMessage);
+          const response = await sendMessage2(config.httpPort, currentMessage);
           brainstormSpinner.stop();
           brainstormSpinner.clear();
           console.log("");
-          console.log(chalk15.bold.cyan("  Chief of Staff:"));
+          console.log(chalk16.bold.cyan("  Chief of Staff:"));
           for (const line of redact(response).split("\n")) {
-            console.log(chalk15.white("  " + line));
+            console.log(chalk16.white("  " + line));
           }
           console.log("");
-          const followUp = await input5({ message: chalk15.bold("You:") });
+          const followUp = await input5({ message: chalk16.bold("You:") });
           const trimmed = followUp.trim().toLowerCase();
           if (!trimmed || trimmed === "exit" || trimmed === "quit") {
             console.log("");
@@ -2714,13 +3200,13 @@ var shellCommand2 = new Command13("shell").description("Launch the interactive N
           if (trimmed === "plan" || trimmed === "execute" || trimmed === "go") {
             const planSpinner = createSpinner("Handing off to NEXUS for execution planning...");
             planSpinner.start();
-            const planResponse = await sendMessage2(config.sshPort, `[BRAINSTORM\u2192PLAN] The CEO approves this direction from the brainstorm session. Draft a detailed execution plan with task assignments, timelines, and dependencies. Previous discussion context: ${idea}`);
+            const planResponse = await sendMessage2(config.httpPort, `[BRAINSTORM\u2192PLAN] The CEO approves this direction from the brainstorm session. Draft a detailed execution plan with task assignments, timelines, and dependencies. Previous discussion context: ${idea}`);
             planSpinner.stop();
             planSpinner.clear();
             console.log("");
-            console.log(chalk15.bold.green("  Execution Plan:"));
+            console.log(chalk16.bold.green("  Execution Plan:"));
             for (const line of redact(planResponse).split("\n")) {
-              console.log(chalk15.white("  " + line));
+              console.log(chalk16.white("  " + line));
             }
             console.log("");
             log.success("Plan drafted. Use the shell to refine or approve.");
@@ -2734,7 +3220,7 @@ var shellCommand2 = new Command13("shell").description("Launch the interactive N
       name: "status",
       description: "Show system health status",
       handler: async () => {
-        const result = await getStatus(config.sshPort);
+        const result = await getStatus(config.httpPort);
         console.log(result);
       }
     });
@@ -2742,7 +3228,7 @@ var shellCommand2 = new Command13("shell").description("Launch the interactive N
       name: "agents",
       description: "List registered agents",
       handler: async () => {
-        const result = await getAgentList(config.sshPort);
+        const result = await getAgentList(config.httpPort);
         console.log(result);
       }
     });
@@ -2750,31 +3236,39 @@ var shellCommand2 = new Command13("shell").description("Launch the interactive N
       name: "cost",
       description: "Show token usage and costs",
       handler: async () => {
-        const result = await getCost(config.sshPort);
+        const result = await getCost(config.httpPort);
         console.log(result);
       }
     });
     repl.registerCommand({
       name: "logs",
-      description: "Show recent server logs",
+      description: "Show recent container logs",
       handler: async () => {
-        const { stdout } = await sshExec(config.sshPort, "tail -30 /home/nexus/.nexus/logs/server.log 2>/dev/null");
+        const { execa: execa6 } = await import("execa");
         console.log("");
-        console.log(chalk15.bold("  Recent Logs:"));
-        console.log(chalk15.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
-        for (const line of redact(stdout).split("\n")) {
-          console.log(chalk15.dim("  " + line));
+        console.log(chalk16.bold("  Recent Logs:"));
+        console.log(chalk16.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+        try {
+          const { stdout } = await execa6("docker", ["logs", "--tail", "30", "nexus"]);
+          for (const line of redact(stdout).split("\n")) {
+            console.log(chalk16.dim("  " + line));
+          }
+        } catch {
+          console.log(chalk16.dim("  Could not retrieve logs"));
         }
         console.log("");
       }
     });
     repl.registerCommand({
-      name: "ssh",
-      description: "Drop into the VM for debugging/inspection",
+      name: "exec",
+      description: "Drop into the container shell for debugging/inspection",
       handler: async () => {
-        const { openInteractiveSsh: openInteractiveSsh2 } = await Promise.resolve().then(() => (init_ssh(), ssh_exports));
+        const { execa: execa6 } = await import("execa");
         eventStream.stop();
-        await openInteractiveSsh2(config.sshPort);
+        try {
+          await execa6("docker", ["exec", "-it", "nexus", "/bin/sh"], { stdio: "inherit" });
+        } catch {
+        }
         eventStream.start();
       }
     });
@@ -2783,24 +3277,24 @@ var shellCommand2 = new Command13("shell").description("Launch the interactive N
       description: "Display the NEXUS organizational hierarchy",
       handler: async () => {
         console.log("");
-        console.log(chalk15.bold("  NEXUS Organizational Hierarchy"));
-        console.log(chalk15.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
-        console.log(`  ${chalk15.bold.white("You")} ${chalk15.dim("(CEO)")}`);
-        console.log(`  \u2514\u2500\u2500 ${chalk15.bold.cyan("Chief of Staff")} ${chalk15.dim("\u2014 orchestrates all work, your direct interface")}`);
-        console.log(`      \u251C\u2500\u2500 ${chalk15.bold.blue("VP Engineering")} ${chalk15.dim("\u2014 owns technical execution")}`);
-        console.log(`      \u2502   \u251C\u2500\u2500 ${chalk15.green("Senior Engineer")} ${chalk15.dim("\xD7 8 \u2014 implementation, refactoring")}`);
-        console.log(`      \u2502   \u251C\u2500\u2500 ${chalk15.green("Engineer")} ${chalk15.dim("\xD7 12 \u2014 feature work, bug fixes")}`);
-        console.log(`      \u2502   \u2514\u2500\u2500 ${chalk15.hex("#FF8C00")("DevOps Engineer")} ${chalk15.dim("\xD7 4 \u2014 CI/CD, Docker, infra")}`);
-        console.log(`      \u251C\u2500\u2500 ${chalk15.bold.magenta("VP Product")} ${chalk15.dim("\u2014 owns roadmap and priorities")}`);
-        console.log(`      \u2502   \u251C\u2500\u2500 ${chalk15.magenta("Product Manager")} ${chalk15.dim("\xD7 3 \u2014 specs, requirements")}`);
-        console.log(`      \u2502   \u2514\u2500\u2500 ${chalk15.magenta("Designer")} ${chalk15.dim("\xD7 2 \u2014 UI/UX, prototyping")}`);
-        console.log(`      \u251C\u2500\u2500 ${chalk15.bold.yellow("QA Lead")} ${chalk15.dim("\u2014 owns quality assurance")}`);
-        console.log(`      \u2502   \u2514\u2500\u2500 ${chalk15.yellow("QA Engineer")} ${chalk15.dim("\xD7 6 \u2014 testing, coverage, validation")}`);
-        console.log(`      \u251C\u2500\u2500 ${chalk15.bold.red("Security Engineer")} ${chalk15.dim("\xD7 4 \u2014 auth, scanning, compliance")}`);
-        console.log(`      \u2514\u2500\u2500 ${chalk15.bold.white("Knowledge Manager")} ${chalk15.dim("\u2014 RAG, documentation, learning")}`);
+        console.log(chalk16.bold("  NEXUS Organizational Hierarchy"));
+        console.log(chalk16.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+        console.log(`  ${chalk16.bold.white("You")} ${chalk16.dim("(CEO)")}`);
+        console.log(`  \u2514\u2500\u2500 ${chalk16.bold.cyan("Chief of Staff")} ${chalk16.dim("\u2014 orchestrates all work, your direct interface")}`);
+        console.log(`      \u251C\u2500\u2500 ${chalk16.bold.blue("VP Engineering")} ${chalk16.dim("\u2014 owns technical execution")}`);
+        console.log(`      \u2502   \u251C\u2500\u2500 ${chalk16.green("Senior Engineer")} ${chalk16.dim("\xD7 8 \u2014 implementation, refactoring")}`);
+        console.log(`      \u2502   \u251C\u2500\u2500 ${chalk16.green("Engineer")} ${chalk16.dim("\xD7 12 \u2014 feature work, bug fixes")}`);
+        console.log(`      \u2502   \u2514\u2500\u2500 ${chalk16.hex("#FF8C00")("DevOps Engineer")} ${chalk16.dim("\xD7 4 \u2014 CI/CD, Docker, infra")}`);
+        console.log(`      \u251C\u2500\u2500 ${chalk16.bold.magenta("VP Product")} ${chalk16.dim("\u2014 owns roadmap and priorities")}`);
+        console.log(`      \u2502   \u251C\u2500\u2500 ${chalk16.magenta("Product Manager")} ${chalk16.dim("\xD7 3 \u2014 specs, requirements")}`);
+        console.log(`      \u2502   \u2514\u2500\u2500 ${chalk16.magenta("Designer")} ${chalk16.dim("\xD7 2 \u2014 UI/UX, prototyping")}`);
+        console.log(`      \u251C\u2500\u2500 ${chalk16.bold.yellow("QA Lead")} ${chalk16.dim("\u2014 owns quality assurance")}`);
+        console.log(`      \u2502   \u2514\u2500\u2500 ${chalk16.yellow("QA Engineer")} ${chalk16.dim("\xD7 6 \u2014 testing, coverage, validation")}`);
+        console.log(`      \u251C\u2500\u2500 ${chalk16.bold.red("Security Engineer")} ${chalk16.dim("\xD7 4 \u2014 auth, scanning, compliance")}`);
+        console.log(`      \u2514\u2500\u2500 ${chalk16.bold.white("Knowledge Manager")} ${chalk16.dim("\u2014 RAG, documentation, learning")}`);
         console.log("");
-        console.log(chalk15.dim("  56 agents total \xB7 Self-learning ML pipeline"));
-        console.log(chalk15.dim("  Full details: https://buildwithnexus.dev/overview"));
+        console.log(chalk16.dim("  56 agents total \xB7 Self-learning ML pipeline"));
+        console.log(chalk16.dim("  Full details: https://buildwithnexus.dev/overview"));
         console.log("");
       }
     });
@@ -2875,11 +3369,11 @@ var shellCommand2 = new Command13("shell").description("Launch the interactive N
           {
             title: "Monitoring & Control",
             content: [
-              "  /status   \u2014 System health (VM, SSH, Docker, Engine)",
+              "  /status   \u2014 System health (Container, Engine)",
               "  /agents   \u2014 List all 56 registered agents",
               "  /cost     \u2014 Token usage and spend tracking",
-              "  /logs     \u2014 Server logs for debugging",
-              "  /ssh      \u2014 Drop into the VM directly",
+              "  /logs     \u2014 Container logs for debugging",
+              "  /exec     \u2014 Drop into the container shell",
               "  /security \u2014 View the security posture",
               "",
               "You're in control. NEXUS executes."
@@ -2889,14 +3383,14 @@ var shellCommand2 = new Command13("shell").description("Launch the interactive N
         for (let i = 0; i < steps.length; i++) {
           const step = steps[i];
           console.log("");
-          console.log(chalk15.bold(`  \u2500\u2500 ${chalk15.cyan(`Step ${i + 1}/${steps.length}`)} \u2500\u2500 ${step.title} \u2500\u2500`));
+          console.log(chalk16.bold(`  \u2500\u2500 ${chalk16.cyan(`Step ${i + 1}/${steps.length}`)} \u2500\u2500 ${step.title} \u2500\u2500`));
           console.log("");
           for (const line of step.content) {
-            console.log(chalk15.white("  " + line));
+            console.log(chalk16.white("  " + line));
           }
           console.log("");
           if (i < steps.length - 1) {
-            const next = await input5({ message: chalk15.dim("Press Enter to continue (or 'skip' to exit)") });
+            const next = await input5({ message: chalk16.dim("Press Enter to continue (or 'skip' to exit)") });
             if (next.trim().toLowerCase() === "skip") {
               log.success("Tutorial ended. Type /help to see all commands.");
               return;
@@ -2928,15 +3422,16 @@ var shellCommand2 = new Command13("shell").description("Launch the interactive N
 // src/cli.ts
 function getVersionStatic() {
   try {
-    const __dirname = dirname2(fileURLToPath4(import.meta.url));
-    const packagePath = join2(__dirname, "..", "package.json");
+    const __dirname2 = dirname2(fileURLToPath4(import.meta.url));
+    const packagePath = join2(__dirname2, "..", "package.json");
     const packageJson = JSON.parse(readFileSync2(packagePath, "utf-8"));
     return packageJson.version;
   } catch {
-    return "0.5.16";
+    return true ? "0.6.0" : "0.0.0-unknown";
   }
 }
-var cli = new Command14().name("buildwithnexus").description("Auto-scaffold and launch a fully autonomous NEXUS runtime").version(getVersionStatic());
+var cli = new Command15().name("buildwithnexus").description("Auto-scaffold and launch a fully autonomous NEXUS runtime").version(getVersionStatic());
+cli.addCommand(installCommand);
 cli.addCommand(initCommand);
 cli.addCommand(startCommand);
 cli.addCommand(stopCommand);
@@ -2950,33 +3445,23 @@ cli.addCommand(sshCommand);
 cli.addCommand(brainstormCommand);
 cli.addCommand(ninetyNineCommand);
 cli.addCommand(shellCommand2);
-cli.action(async () => {
-  try {
-    const { loadConfig: loadConfig2 } = await Promise.resolve().then(() => (init_secrets(), secrets_exports));
-    const { isVmRunning: isVmRunning2 } = await Promise.resolve().then(() => (init_qemu(), qemu_exports));
-    const config = loadConfig2();
-    if (config && isVmRunning2()) {
-      await shellCommand2.parseAsync([], { from: "user" });
-      return;
-    }
-  } catch {
-  }
+cli.action(() => {
   cli.help();
 });
 
 // src/core/update-notifier.ts
-import fs11 from "fs";
-import path12 from "path";
-import os3 from "os";
+import fs8 from "fs";
+import path9 from "path";
+import os2 from "os";
 import https from "https";
-import chalk16 from "chalk";
+import chalk17 from "chalk";
 var PACKAGE_NAME = "buildwithnexus";
 var CHECK_INTERVAL_MS = 4 * 60 * 60 * 1e3;
-var STATE_DIR = path12.join(os3.homedir(), ".buildwithnexus");
-var STATE_FILE = path12.join(STATE_DIR, ".update-check.json");
+var STATE_DIR = path9.join(os2.homedir(), ".buildwithnexus");
+var STATE_FILE = path9.join(STATE_DIR, ".update-check.json");
 function readState() {
   try {
-    const raw = fs11.readFileSync(STATE_FILE, "utf-8");
+    const raw = fs8.readFileSync(STATE_FILE, "utf-8");
     return JSON.parse(raw);
   } catch {
     return { lastCheck: 0, latestVersion: null };
@@ -2984,8 +3469,8 @@ function readState() {
 }
 function writeState(state) {
   try {
-    fs11.mkdirSync(STATE_DIR, { recursive: true, mode: 448 });
-    fs11.writeFileSync(STATE_FILE, JSON.stringify(state), { mode: 384 });
+    fs8.mkdirSync(STATE_DIR, { recursive: true, mode: 448 });
+    fs8.writeFileSync(STATE_FILE, JSON.stringify(state), { mode: 384 });
   } catch {
   }
 }
@@ -3050,13 +3535,53 @@ async function checkForUpdates(currentVersion) {
 function printUpdateBanner(current, latest) {
   const msg = [
     "",
-    chalk16.yellow(`  Update available: ${current} \u2192 ${latest}`),
-    chalk16.cyan(`  Run: npm update -g buildwithnexus`),
+    chalk17.yellow(`  Update available: ${current} \u2192 ${latest}`),
+    chalk17.cyan(`  Run: npm update -g buildwithnexus`),
     ""
   ].join("\n");
   process.stderr.write(msg + "\n");
 }
 
 // src/bin.ts
-checkForUpdates(cli.version() ?? "0.0.0");
-cli.parse(process.argv);
+import dotenv from "dotenv";
+dotenv.config({ path: ".env.local" });
+var version = true ? "0.6.0" : "0.5.17";
+checkForUpdates(version);
+program.name("buildwithnexus").description("Deep Agents - AI-Powered Task Execution").version(version);
+program.command("da-init").description("Initialize Deep Agents (set up API keys and .env.local)").action(deepAgentsInitCommand);
+program.command("run <task>").description("Run a task with Deep Agents").option("-a, --agent <name>", "Agent role (engineer, researcher, etc)", "engineer").option("-g, --goal <goal>", "Agent goal").option("-m, --model <model>", "LLM model", "claude-sonnet-4-20250514").action(runCommand);
+program.command("dashboard").description("Start the Deep Agents dashboard server").option("-p, --port <port>", "Dashboard port", "4201").action(dashboardCommand);
+program.command("da-status").description("Check Deep Agents backend status").action(async () => {
+  const backendUrl = process.env.BACKEND_URL || "http://localhost:4200";
+  try {
+    const response = await fetch(`${backendUrl}/health`);
+    if (response.ok) {
+      console.log("Backend: Running");
+      console.log(`   URL: ${backendUrl}`);
+    } else {
+      console.log("Backend: Not responding (status " + response.status + ")");
+    }
+  } catch {
+    console.log("Backend: Not accessible");
+    console.log(`   URL: ${backendUrl}`);
+    console.log("\n   Start backend with:");
+    console.log("   cd ~/Projects/nexus && python -m src.deep_agents_server");
+  }
+});
+for (const cmd of cli.commands) {
+  const name = cmd.name();
+  if (!["da-init", "run", "dashboard", "da-status"].includes(name)) {
+    program.addCommand(cmd);
+  }
+}
+if (!process.argv.slice(2).length) {
+  interactiveMode().catch((err) => {
+    console.error(err);
+    process.exit(1);
+  });
+} else {
+  program.parse();
+}
+if (!process.argv.slice(2).length) {
+  program.outputHelp();
+}