clawdlets 0.2.2 → 0.3.0

package/dist/main.mjs

@@ -0,0 +1,4589 @@
+#!/usr/bin/env node
+import { defineCommand, runMain } from "citty";
+import process$1 from "node:process";
+import * as p from "@clack/prompts";
+import { findRepoRoot } from "@clawdlets/core/lib/repo";
+import { ClawdletsConfigSchema, SSH_EXPOSURE_MODES, assertSafeHostName, createDefaultClawdletsConfig, getSshExposureMode, getTailnetMode, loadClawdletsConfig, loadClawdletsConfigRaw, resolveHostName, writeClawdletsConfig } from "@clawdlets/core/lib/clawdlets-config";
+import fs from "node:fs";
+import path from "node:path";
+import { applyOpenTofuVars, destroyOpenTofuVars } from "@clawdlets/core/lib/opentofu";
+import { resolveGitRev } from "@clawdlets/core/lib/git";
+import { capture, run } from "@clawdlets/core/lib/run";
+import { checkGithubRepoVisibility, tryParseGithubFlakeUri } from "@clawdlets/core/lib/github";
+import { loadDeployCreds } from "@clawdlets/core/lib/deploy-creds";
+import { expandPath } from "@clawdlets/core/lib/path-expand";
+import { buildFleetSecretsPlan } from "@clawdlets/core/lib/fleet-secrets";
+import { withFlakesEnv } from "@clawdlets/core/lib/nix-flakes";
+import { resolveBaseFlake } from "@clawdlets/core/lib/base-flake";
+import { getHostEncryptedAgeKeyFile, getHostExtraFilesDir, getHostExtraFilesKeyPath, getHostExtraFilesSecretsDir, getHostOpenTofuDir, getHostRemoteSecretsDir, getHostSecretsDir, getLocalOperatorAgeKeyPath, getRepoLayout } from "@clawdlets/core/repo-layout";
+import { collectDoctorChecks } from "@clawdlets/core/doctor";
+import { resolveHostNameOrExit } from "@clawdlets/core/lib/host-resolve";
+import { ensureDir, writeFileAtomic } from "@clawdlets/core/lib/fs-safe";
+import { splitDotPath } from "@clawdlets/core/lib/dot-path";
+import { formatDotenvValue, parseDotenv } from "@clawdlets/core/lib/dotenv-file";
+import { looksLikeSshPrivateKey, parseSshPublicKeysFromText } from "@clawdlets/core/lib/ssh";
+import { shellQuote, sshCapture, sshRun, validateTargetHost } from "@clawdlets/core/lib/ssh-remote";
+import { loadHostContextOrExit } from "@clawdlets/core/lib/context";
+import { tmpdir } from "node:os";
+import { downloadTemplate } from "giget";
+import { fileURLToPath, pathToFileURL } from "node:url";
+import { normalizeTemplateSource } from "@clawdlets/core/lib/template-source";
+import { ageKeygen } from "@clawdlets/core/lib/age-keygen";
+import { parseAgeKeyFile } from "@clawdlets/core/lib/age";
+import { mkpasswdYescryptHash } from "@clawdlets/core/lib/mkpasswd";
+import { upsertSopsCreationRule } from "@clawdlets/core/lib/sops-config";
+import { sopsDecryptYamlFile, sopsEncryptYamlToFile } from "@clawdlets/core/lib/sops";
+import { getHostAgeKeySopsCreationRulePathRegex, getHostSecretsSopsCreationRulePathRegex } from "@clawdlets/core/lib/sops-rules";
+import { sanitizeOperatorId } from "@clawdlets/core/lib/identifiers";
+import { buildSecretsInitTemplate, isPlaceholderSecretValue, listSecretsInitPlaceholders, parseSecretsInitJson, resolveSecretsInitFromJsonArg, validateSecretsInitNonInteractive } from "@clawdlets/core/lib/secrets-init";
+import { readYamlScalarFromMapping } from "@clawdlets/core/lib/yaml-scalar";
+import { createSecretsTar } from "@clawdlets/core/lib/secrets-tar";
+import YAML from "yaml";
+
+//#region rolldown:runtime
+var __defProp = Object.defineProperty;
+var __exportAll = (all, symbols) => {
+	let target = {};
+	for (var name in all) {
+		__defProp(target, name, {
+			get: all[name],
+			enumerable: true
+		});
+	}
+	if (symbols) {
+		__defProp(target, Symbol.toStringTag, { value: "Module" });
+	}
+	return target;
+};
+
+//#endregion
+//#region src/lib/wizard.ts
+const NAV_BACK = Symbol("clawdlets.nav.back");
+const NAV_EXIT = Symbol("clawdlets.nav.exit");
+async function navOnCancel(params) {
+	const flow = params.flow.trim() || "setup";
+	const options = [];
+	if (params.canBack) options.push({
+		value: "back",
+		label: "Back"
+	});
+	options.push({
+		value: "exit",
+		label: `Exit ${flow}`
+	});
+	const choice = await p.select({
+		message: "Canceled. Next?",
+		initialValue: params.canBack ? "back" : "exit",
+		options
+	});
+	if (p.isCancel(choice) || choice === "exit") return NAV_EXIT;
+	return NAV_BACK;
+}
+function cancelFlow() {
+	p.cancel("canceled");
+}
+
+//#endregion
+//#region src/commands/bot.ts
+function validateBotId(value) {
+	const v = value.trim();
+	if (!v) return "bot id required";
+	if (!/^[a-z][a-z0-9_-]*$/.test(v)) return "use: [a-z][a-z0-9_-]*";
+}
+const list$1 = defineCommand({
+	meta: {
+		name: "list",
+		description: "List bots (from fleet/clawdlets.json)."
+	},
+	args: {},
+	async run({ args }) {
+		const { config: config$1 } = loadClawdletsConfig({ repoRoot: findRepoRoot(process$1.cwd()) });
+		console.log((config$1.fleet.botOrder || []).join("\n"));
+	}
+});
+const add$2 = defineCommand({
+	meta: {
+		name: "add",
+		description: "Add a bot id to fleet/clawdlets.json."
+	},
+	args: {
+		bot: {
+			type: "string",
+			description: "Bot id (e.g. maren)."
+		},
+		interactive: {
+			type: "boolean",
+			description: "Prompt for missing inputs (requires TTY).",
+			default: false
+		}
+	},
+	async run({ args }) {
+		const { configPath, config: config$1 } = loadClawdletsConfig({ repoRoot: findRepoRoot(process$1.cwd()) });
+		let botId = String(args.bot || "").trim();
+		if (!botId) {
+			if (!args.interactive) throw new Error("missing --bot (or pass --interactive)");
+			if (!process$1.stdout.isTTY) throw new Error("--interactive requires a TTY");
+			p.intro("clawdlets bot add");
+			const v = await p.text({
+				message: "Bot id",
+				placeholder: "maren",
+				validate: validateBotId
+			});
+			if (p.isCancel(v)) {
+				if (await navOnCancel({
+					flow: "bot add",
+					canBack: false
+				}) === NAV_EXIT) cancelFlow();
+				return;
+			}
+			botId = String(v).trim();
+		}
+		const err = validateBotId(botId);
+		if (err) throw new Error(err);
+		const existingBots = config$1.fleet.botOrder;
+		if (existingBots.includes(botId) || config$1.fleet.bots[botId]) {
+			console.log(`ok: already present: ${botId}`);
+			return;
+		}
+		const next = {
+			...config$1,
+			fleet: {
+				...config$1.fleet,
+				botOrder: [...existingBots, botId],
+				bots: {
+					...config$1.fleet.bots,
+					[botId]: {}
+				}
+			}
+		};
+		await writeClawdletsConfig({
+			configPath,
+			config: ClawdletsConfigSchema.parse(next)
+		});
+		console.log(`ok: added bot ${botId}`);
+	}
+});
+const rm$1 = defineCommand({
+	meta: {
+		name: "rm",
+		description: "Remove a bot id from fleet/clawdlets.json."
+	},
+	args: { bot: {
+		type: "string",
+		description: "Bot id to remove."
+	} },
+	async run({ args }) {
+		const { configPath, config: config$1 } = loadClawdletsConfig({ repoRoot: findRepoRoot(process$1.cwd()) });
+		const botId = String(args.bot || "").trim();
+		if (!botId) throw new Error("missing --bot");
+		const existingBots = config$1.fleet.botOrder;
+		if (!existingBots.includes(botId) && !config$1.fleet.bots[botId]) throw new Error(`bot not found: ${botId}`);
+		const nextBots = existingBots.filter((b) => b !== botId);
+		const nextBotsRecord = { ...config$1.fleet.bots };
+		delete nextBotsRecord[botId];
+		const next = {
+			...config$1,
+			fleet: {
+				...config$1.fleet,
+				botOrder: nextBots,
+				bots: nextBotsRecord
+			}
+		};
+		await writeClawdletsConfig({
+			configPath,
+			config: ClawdletsConfigSchema.parse(next)
+		});
+		console.log(`ok: removed bot ${botId}`);
+	}
+});
+const bot = defineCommand({
+	meta: {
+		name: "bot",
+		description: "Manage fleet bots."
+	},
+	subCommands: {
+		add: add$2,
+		list: list$1,
+		rm: rm$1
+	}
+});
+
+//#endregion
+//#region src/lib/doctor-render.ts
+const STATUS_ORDER = {
+	missing: 0,
+	warn: 1,
+	ok: 2
+};
+const SCOPE_ORDER = {
+	repo: 0,
+	bootstrap: 1,
+	"server-deploy": 2,
+	cattle: 3
+};
+function supportsColor(out) {
+	if (!out.isTTY) return false;
+	if (process$1.env.NO_COLOR != null) return false;
+	if (process$1.env.TERM === "dumb") return false;
+	return true;
+}
+function colorize(params) {
+	if (!params.enabled) return params.s;
+	return `\x1b[${params.code}m${params.s}\x1b[0m`;
+}
+function formatStatusTag(status, opts) {
+	if (status === "ok") return colorize({
+		enabled: opts.color,
+		code: 32,
+		s: "[OK]"
+	});
+	if (status === "warn") return colorize({
+		enabled: opts.color,
+		code: 33,
+		s: "[WARN]"
+	});
+	return colorize({
+		enabled: opts.color,
+		code: 31,
+		s: "[MISSING]"
+	});
+}
+function bold(s, opts) {
+	return colorize({
+		enabled: opts.color,
+		code: 1,
+		s
+	});
+}
+function categoryForLabel(label) {
+	const l = label.toLowerCase();
+	if (l.includes("public repo hygiene") || l.includes("inline scripting") || l.includes("docs index") || l.includes("bundled skills")) return "repo hygiene";
+	if (l.includes("fleet") || l.includes("guild") || l.includes("discord") || l.includes("routing")) return "fleet / discord";
+	if (l.includes("sops") || l.includes("secret") || l.includes("envsecrets") || l.includes("llm api")) return "secrets";
+	if (l.includes("deploy env file") || l.includes("env file")) return "infra";
+	if (l.includes("hetzner") || l.includes("provisioning") || l.includes("opentofu") || l.includes("hcloud") || l.includes("nixos-anywhere")) return "infra";
+	if (l.includes("github_token") || l.includes("base flake")) return "github";
+	if (l.includes("ssh") || l.includes("targethost") || l.includes("authorizedkeys")) return "ssh";
+	if (l.startsWith("nix")) return "nix";
+	return "other";
+}
+function groupChecks(params) {
+	const byKey = /* @__PURE__ */ new Map();
+	for (const c of params.checks) {
+		if (!params.showOk && c.status === "ok") continue;
+		const category = categoryForLabel(c.label);
+		const key = `${c.scope}:${category}`;
+		const existing = byKey.get(key);
+		if (existing) {
+			existing.checks.push(c);
+			continue;
+		}
+		byKey.set(key, {
+			scope: c.scope,
+			category,
+			checks: [c]
+		});
+	}
+	const groups = Array.from(byKey.values()).map((g) => {
+		const worst = g.checks.reduce((acc, c) => STATUS_ORDER[c.status] < STATUS_ORDER[acc] ? c.status : acc, "ok");
+		g.checks.sort((a, b) => {
+			const d = STATUS_ORDER[a.status] - STATUS_ORDER[b.status];
+			if (d !== 0) return d;
+			return a.label.localeCompare(b.label);
+		});
+		return {
+			...g,
+			worst
+		};
+	});
+	groups.sort((a, b) => {
+		const scopeOrder = SCOPE_ORDER[a.scope] - SCOPE_ORDER[b.scope];
+		if (scopeOrder !== 0) return scopeOrder;
+		const worstOrder = STATUS_ORDER[a.worst] - STATUS_ORDER[b.worst];
+		if (worstOrder !== 0) return worstOrder;
+		return a.category.localeCompare(b.category);
+	});
+	return groups;
+}
+function renderDoctorReport(params) {
+	const color = supportsColor(process$1.stdout);
+	const counts = params.checks.reduce((acc, c) => {
+		acc[c.status] += 1;
+		return acc;
+	}, {
+		ok: 0,
+		warn: 0,
+		missing: 0
+	});
+	const groups = groupChecks({
+		checks: params.checks,
+		showOk: params.showOk
+	});
+	const lines = [];
+	lines.push(`doctor: host=${params.host} scope=${params.scope}${params.strict ? " strict" : ""}`);
+	lines.push(`summary: ok=${counts.ok} warn=${counts.warn} missing=${counts.missing}${!params.showOk && counts.ok > 0 ? " (ok hidden; pass --show-ok)" : ""}`);
+	if (groups.length === 0) {
+		lines.push("ok: no issues found");
+		return lines.join("\n");
+	}
+	for (const g of groups) {
+		lines.push("");
+		lines.push(bold(`${g.scope} / ${g.category}`, { color }));
+		for (const c of g.checks) {
+			const tag = formatStatusTag(c.status, { color });
+			lines.push(`  ${tag} ${c.label}${c.detail ? ` (${c.detail})` : ""}`);
+		}
+	}
+	return lines.join("\n");
+}
+function renderDoctorGateFailure(params) {
+	const missing = params.checks.filter((c) => c.status === "missing");
+	const warn = params.checks.filter((c) => c.status === "warn");
+	const groups = groupChecks({
+		checks: params.strict ? [...missing, ...warn] : missing,
+		showOk: true
+	});
+	const lines = [];
+	lines.push(`doctor gate failed (${params.scope}${params.strict ? ", strict" : ""})`);
+	lines.push(`missing=${missing.length}${params.strict ? ` warn=${warn.length}` : ""}`);
+	const maxLines = 60;
+	for (const g of groups) {
+		if (lines.length >= maxLines) break;
+		lines.push("");
+		lines.push(`${g.scope} / ${g.category}`);
+		for (const c of g.checks) {
+			if (lines.length >= maxLines) break;
+			lines.push(`  ${c.status.toUpperCase()}: ${c.label}${c.detail ? ` (${c.detail})` : ""}`);
+		}
+	}
+	lines.push("");
+	lines.push(`hint: run clawdlets doctor --scope ${params.scope}${params.strict ? " --strict" : ""}`);
+	return lines.join("\n");
+}
+
+//#endregion
+//#region src/lib/deploy-gate.ts
+async function requireDeployGate(params) {
+	const checks = await collectDoctorChecks({
+		cwd: process$1.cwd(),
+		runtimeDir: params.runtimeDir,
+		envFile: params.envFile,
+		host: params.host,
+		scope: params.scope,
+		skipGithubTokenCheck: params.skipGithubTokenCheck
+	});
+	const missing = checks.filter((c) => c.status === "missing");
+	const warn = checks.filter((c) => c.status === "warn");
+	if (!(missing.length > 0 || params.strict && warn.length > 0)) return;
+	throw new Error(renderDoctorGateFailure({
+		checks,
+		scope: params.scope,
+		strict: params.strict
+	}));
+}
+
+//#endregion
+//#region src/commands/bootstrap.ts
+async function purgeKnownHosts(ipv4, opts) {
+	const rm$2 = async (host$1) => {
+		if (opts.dryRun) {
+			console.log(`ssh-keygen -R ${host$1}`);
+			return;
+		}
+		await run("ssh-keygen", ["-R", host$1]);
+	};
+	await rm$2(ipv4);
+	await rm$2(`[${ipv4}]:22`);
+}
+function resolveHostFromFlake(flakeBase) {
+	const hashIndex = flakeBase.indexOf("#");
+	if (hashIndex === -1) return null;
+	const host$1 = flakeBase.slice(hashIndex + 1).trim();
+	return host$1.length > 0 ? host$1 : null;
+}
+const bootstrap = defineCommand({
+	meta: {
+		name: "bootstrap",
+		description: "Provision Hetzner VM + install NixOS (nixos-anywhere or image)."
+	},
+	args: {
+		runtimeDir: {
+			type: "string",
+			description: "Runtime directory (default: .clawdlets)."
+		},
+		envFile: {
+			type: "string",
+			description: "Env file for deploy creds (default: <runtimeDir>/env)."
+		},
+		host: {
+			type: "string",
+			description: "Host name (defaults to clawdlets.json defaultHost / sole host)."
+		},
+		mode: {
+			type: "string",
+			description: "Bootstrap mode: nixos-anywhere|image.",
+			default: "nixos-anywhere"
+		},
+		flake: {
+			type: "string",
+			description: "Override base flake (default: clawdlets.json baseFlake or git origin)."
+		},
+		rev: {
+			type: "string",
+			description: "Git rev to pin (HEAD/sha/tag).",
+			default: "HEAD"
+		},
+		ref: {
+			type: "string",
+			description: "Git ref to pin (branch or tag)."
+		},
+		force: {
+			type: "boolean",
+			description: "Skip doctor gate (not recommended).",
+			default: false
+		},
+		dryRun: {
+			type: "boolean",
+			description: "Print commands without executing.",
+			default: false
+		}
+	},
+	async run({ args }) {
+		const cwd = process$1.cwd();
+		const repoRoot = findRepoRoot(cwd);
+		const hostName = resolveHostNameOrExit({
+			cwd,
+			runtimeDir: args.runtimeDir,
+			hostArg: args.host
+		});
+		if (!hostName) return;
+		const { layout, config: clawdletsConfig } = loadClawdletsConfig({
+			repoRoot,
+			runtimeDir: args.runtimeDir
+		});
+		const hostCfg = clawdletsConfig.hosts[hostName];
+		if (!hostCfg) throw new Error(`missing host in fleet/clawdlets.json: ${hostName}`);
+		const sshExposureMode = getSshExposureMode(hostCfg);
+		const tailnetMode = getTailnetMode(hostCfg);
+		const modeRaw = String(args.mode || "nixos-anywhere").trim();
+		if (modeRaw !== "nixos-anywhere" && modeRaw !== "image") throw new Error(`invalid --mode: ${modeRaw} (expected nixos-anywhere|image)`);
+		const mode = modeRaw;
+		if (Boolean(args.force)) console.error("warn: skipping doctor gate (--force)");
+		else if (mode === "nixos-anywhere") await requireDeployGate({
+			runtimeDir: args.runtimeDir,
+			envFile: args.envFile,
+			host: hostName,
+			scope: "bootstrap",
+			strict: false
+		});
+		else console.error("warn: skipping doctor gate for image bootstrap");
+		const deployCreds = loadDeployCreds({
+			cwd,
+			runtimeDir: args.runtimeDir,
+			envFile: args.envFile
+		});
+		if (deployCreds.envFile?.status === "invalid") throw new Error(`deploy env file rejected: ${deployCreds.envFile.path} (${deployCreds.envFile.error || "invalid"})`);
+		if (deployCreds.envFile?.status === "missing") throw new Error(`missing deploy env file: ${deployCreds.envFile.path}`);
+		const hcloudToken = String(deployCreds.values.HCLOUD_TOKEN || "").trim();
+		if (!hcloudToken) throw new Error("missing HCLOUD_TOKEN (set in .clawdlets/env or env var; run: clawdlets env init)");
+		const githubToken = String(deployCreds.values.GITHUB_TOKEN || "").trim();
+		const nixBin = String(deployCreds.values.NIX_BIN || "nix").trim() || "nix";
+		const opentofuDir = getHostOpenTofuDir(layout, hostName);
+		const serverType = String(hostCfg.hetzner.serverType || "").trim();
+		if (!serverType) throw new Error(`missing hetzner.serverType for ${hostName} (set via: clawdlets host set --server-type ...)`);
+		const image$1 = String(hostCfg.hetzner.image || "").trim();
+		const location = String(hostCfg.hetzner.location || "").trim();
+		if (mode === "image" && !image$1) throw new Error(`missing hetzner.image for ${hostName} (set via: clawdlets host set --hetzner-image <image_id>)`);
+		const adminCidr = String(hostCfg.provisioning.adminCidr || "").trim();
+		if (!adminCidr) throw new Error(`missing provisioning.adminCidr for ${hostName} (set via: clawdlets host set --admin-cidr ...)`);
+		const sshPubkeyFileRaw = String(hostCfg.provisioning.sshPubkeyFile || "").trim();
+		if (!sshPubkeyFileRaw) throw new Error(`missing provisioning.sshPubkeyFile for ${hostName} (set via: clawdlets host set --ssh-pubkey-file ...)`);
+		const sshPubkeyFileExpanded = expandPath(sshPubkeyFileRaw);
+		const sshPubkeyFile = path.isAbsolute(sshPubkeyFileExpanded) ? sshPubkeyFileExpanded : path.resolve(repoRoot, sshPubkeyFileExpanded);
+		if (!fs.existsSync(sshPubkeyFile)) throw new Error(`ssh pubkey file not found: ${sshPubkeyFile}`);
+		if (sshExposureMode === "tailnet") throw new Error(`sshExposure.mode=tailnet; bootstrap requires public SSH. Set: clawdlets host set --host ${hostName} --ssh-exposure bootstrap`);
+		await applyOpenTofuVars({
+			opentofuDir,
+			vars: {
+				hostName,
+				hcloudToken,
+				adminCidr,
+				adminCidrIsWorldOpen: Boolean(hostCfg.provisioning.adminCidrAllowWorldOpen),
+				sshPubkeyFile,
+				serverType,
+				image: image$1,
+				location,
+				sshExposureMode,
+				tailnetMode
+			},
+			nixBin,
+			dryRun: args.dryRun,
+			redact: [hcloudToken, githubToken].filter(Boolean)
+		});
+		const tofuEnvWithFlakes = withFlakesEnv({
+			...process$1.env,
+			HCLOUD_TOKEN: hcloudToken,
+			ADMIN_CIDR: adminCidr,
+			SSH_PUBKEY_FILE: sshPubkeyFile,
+			SERVER_TYPE: serverType
+		});
+		const ipv4 = args.dryRun ? "<opentofu-output:ipv4>" : await capture(nixBin, [
+			"run",
+			"--impure",
+			"nixpkgs#opentofu",
+			"--",
+			"output",
+			"-raw",
+			"ipv4"
+		], {
+			cwd: opentofuDir,
+			env: tofuEnvWithFlakes,
+			dryRun: args.dryRun
+		});
+		console.log(`Target IPv4: ${ipv4}`);
+		await purgeKnownHosts(ipv4, { dryRun: args.dryRun });
+		if (mode === "image") {
+			console.log("🎉 Bootstrap complete (image mode).");
+			console.log(`Host: ${hostName}`);
+			console.log(`IPv4: ${ipv4}`);
+			console.log(`SSH exposure: ${sshExposureMode}`);
+			console.log("");
+			console.log("Next:");
+			console.log(`1) Set targetHost for deploys:`);
+			console.log(`   clawdlets host set --host ${hostName} --target-host admin@${ipv4}`);
+			console.log("2) Deploy secrets + system:");
+			console.log(`   clawdlets server deploy --host ${hostName} --target-host admin@${ipv4} --manifest deploy-manifest.${hostName}.json`);
+			console.log("");
+			console.log("After tailnet is healthy, lock down SSH:");
+			console.log(`  clawdlets host set --host ${hostName} --ssh-exposure tailnet`);
+			console.log(`  clawdlets lockdown --host ${hostName}`);
+			return;
+		}
+		const baseResolved = await resolveBaseFlake({
+			repoRoot,
+			config: clawdletsConfig
+		});
+		const flakeBase = String(args.flake || baseResolved.flake || "").trim();
+		if (!flakeBase) throw new Error("missing base flake (set baseFlake in fleet/clawdlets.json, set git origin, or pass --flake)");
+		const rev = String(args.rev || "").trim();
+		const ref = String(args.ref || "").trim();
+		if (rev && ref) throw new Error("use either --rev or --ref (not both)");
+		const requestedHost = String(hostCfg.flakeHost || hostName).trim() || hostName;
+		const hostFromFlake = resolveHostFromFlake(flakeBase);
+		if (hostFromFlake && hostFromFlake !== requestedHost) throw new Error(`flake host mismatch: ${hostFromFlake} vs ${requestedHost}`);
+		const flakeWithHost = flakeBase.includes("#") ? flakeBase : `${flakeBase}#${requestedHost}`;
+		const hashIndex = flakeWithHost.indexOf("#");
+		const flakeBasePath = hashIndex === -1 ? flakeWithHost : flakeWithHost.slice(0, hashIndex);
+		const flakeFragment = hashIndex === -1 ? "" : flakeWithHost.slice(hashIndex);
+		if ((rev || ref) && /(^|[?&])(rev|ref)=/.test(flakeBasePath)) throw new Error("flake already includes ?rev/?ref; drop --rev/--ref");
+		let flakePinned = flakeWithHost;
+		if (rev) {
+			const resolved = await resolveGitRev(repoRoot, rev);
+			if (!resolved) throw new Error(`unable to resolve git rev: ${rev}`);
+			flakePinned = `${flakeBasePath}${flakeBasePath.includes("?") ? "&" : "?"}rev=${resolved}${flakeFragment}`;
+		} else if (ref) flakePinned = `${flakeBasePath}${flakeBasePath.includes("?") ? "&" : "?"}ref=${ref}${flakeFragment}`;
+		const githubRepo = tryParseGithubFlakeUri(flakeBasePath);
+		if (githubRepo && !args.dryRun) {
+			const check = await checkGithubRepoVisibility({
+				owner: githubRepo.owner,
+				repo: githubRepo.repo,
+				token: githubToken || void 0
+			});
+			if (check.ok && check.status === "private-or-missing" && !githubToken) throw new Error(`base flake repo appears private (404). Set GITHUB_TOKEN in your environment and retry.`);
+			if (check.ok && check.status === "unauthorized") throw new Error(`GITHUB_TOKEN rejected by GitHub (401).`);
+		}
+		const extraFiles = getHostExtraFilesDir(layout, hostName);
+		const requiredKey = getHostExtraFilesKeyPath(layout, hostName);
+		if (!fs.existsSync(requiredKey)) throw new Error(`missing extra-files key: ${requiredKey} (run: clawdlets secrets init)`);
+		const secretsPlan = buildFleetSecretsPlan({
+			config: clawdletsConfig,
+			hostName
+		});
+		const requiredSecrets = [
+			...tailnetMode === "tailscale" ? ["tailscale_auth_key"] : [],
+			"admin_password_hash",
+			...secretsPlan.secretNamesRequired
+		];
+		const extraFilesSecretsDir = getHostExtraFilesSecretsDir(layout, hostName);
+		if (!fs.existsSync(extraFilesSecretsDir)) throw new Error(`missing extra-files secrets dir: ${extraFilesSecretsDir} (run: clawdlets secrets init)`);
+		for (const secretName of requiredSecrets) {
+			const f = path.join(extraFilesSecretsDir, `${secretName}.yaml`);
+			if (!fs.existsSync(f)) throw new Error(`missing extra-files secret: ${f} (run: clawdlets secrets init)`);
+		}
+		const nixosAnywhereArgs = [
+			"run",
+			"--option",
+			"max-jobs",
+			"1",
+			"--option",
+			"cores",
+			"1",
+			"--option",
+			"keep-outputs",
+			"false",
+			"--option",
+			"keep-derivations",
+			"false",
+			"github:nix-community/nixos-anywhere",
+			"--",
+			"--option",
+			"tarball-ttl",
+			"0",
+			"--option",
+			"accept-flake-config",
+			"true",
+			"--option",
+			"extra-substituters",
+			"https://cache.garnix.io",
+			"--option",
+			"extra-trusted-public-keys",
+			"cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=",
+			"--build-on-remote",
+			"--extra-files",
+			extraFiles,
+			...githubToken ? [
+				"--option",
+				"access-tokens",
+				`github.com=${githubToken}`
+			] : [],
+			"--flake",
+			flakePinned,
+			`root@${ipv4}`
+		];
+		const nixosAnywhereBaseEnv = withFlakesEnv(process$1.env);
+		await run(nixBin, nixosAnywhereArgs, {
+			cwd: repoRoot,
+			env: {
+				...nixosAnywhereBaseEnv,
+				NIX_CONFIG: [
+					nixosAnywhereBaseEnv.NIX_CONFIG,
+					"accept-flake-config = true",
+					"extra-substituters = https://cache.garnix.io",
+					"extra-trusted-public-keys = cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=",
+					githubToken ? `access-tokens = github.com=${githubToken}` : ""
+				].filter(Boolean).join("\n")
+			},
+			dryRun: args.dryRun,
+			redact: [hcloudToken, githubToken].filter(Boolean)
+		});
+		await purgeKnownHosts(ipv4, { dryRun: args.dryRun });
+		const publicSshStatus = "OPEN";
+		console.log("🎉 Bootstrap complete.");
+		console.log(`Host: ${hostName}`);
+		console.log(`IPv4: ${ipv4}`);
+		console.log(`SSH exposure: ${sshExposureMode}`);
+		console.log(`Public SSH (22): ${publicSshStatus}`);
+		console.log("");
+		console.log("⚠ SSH WILL REMAIN OPEN until you switch to tailnet and run lockdown:");
+		console.log(`  clawdlets host set --host ${hostName} --ssh-exposure tailnet`);
+		console.log(`  clawdlets lockdown --host ${hostName}`);
+		if (tailnetMode === "tailscale") {
+			console.log("");
+			console.log("Next (tailscale):");
+			console.log(`1) Wait for the host to appear in Tailscale, then copy its 100.x IP.`);
+			console.log("   tailscale status  # look for the 100.x address");
+			console.log(`2) Set future SSH target to tailnet:`);
+			console.log(`   clawdlets host set --host ${hostName} --target-host admin@<tailscale-ip>`);
+			console.log("3) Verify access:");
+			console.log("   ssh admin@<tailscale-ip> 'hostname; uptime'");
+			console.log("4) Switch SSH exposure to tailnet and lock down:");
+			console.log(`   clawdlets host set --host ${hostName} --ssh-exposure tailnet`);
+			console.log(`   clawdlets lockdown --host ${hostName}`);
+			console.log("5) Optional checks:");
+			console.log("   clawdlets server audit --host " + hostName);
+		} else {
+			console.log("");
+			console.log("Notes:");
+			console.log(`- SSH exposure is ${sshExposureMode}.`);
+			console.log("- If you want tailnet-only SSH, set tailnet.mode=tailscale, verify access, then:");
+			console.log(`  clawdlets host set --host ${hostName} --ssh-exposure tailnet`);
+			console.log(`  clawdlets lockdown --host ${hostName}`);
+		}
+	}
+});
+
+//#endregion
+//#region src/commands/config.ts
+function getAtPath(obj, parts) {
+	let cur = obj;
+	for (const k of parts) {
+		if (cur == null || typeof cur !== "object") return void 0;
+		cur = cur[k];
+	}
+	return cur;
+}
+function setAtPath(obj, parts, value) {
+	let cur = obj;
+	for (let i = 0; i < parts.length - 1; i++) {
+		const k = parts[i];
+		if (cur[k] == null || typeof cur[k] !== "object" || Array.isArray(cur[k])) cur[k] = {};
+		cur = cur[k];
+	}
+	cur[parts[parts.length - 1]] = value;
+}
+function deleteAtPath(obj, parts) {
+	let cur = obj;
+	for (let i = 0; i < parts.length - 1; i++) {
+		const k = parts[i];
+		if (cur == null || typeof cur !== "object") return false;
+		cur = cur[k];
+	}
+	const last = parts[parts.length - 1];
+	if (cur && typeof cur === "object" && Object.prototype.hasOwnProperty.call(cur, last)) {
+		delete cur[last];
+		return true;
+	}
+	return false;
+}
+const init = defineCommand({
+	meta: {
+		name: "init",
+		description: "Initialize fleet/clawdlets.json (canonical config)."
+	},
+	args: {
+		host: {
+			type: "string",
+			description: "Initial host name.",
+			default: "clawdbot-fleet-host"
+		},
+		force: {
+			type: "boolean",
+			description: "Overwrite existing clawdlets.json.",
+			default: false
+		},
+		"dry-run": {
+			type: "boolean",
+			description: "Print planned writes without writing.",
+			default: false
+		}
+	},
+	async run({ args }) {
+		const repoRoot = findRepoRoot(process$1.cwd());
+		const host$1 = String(args.host || "clawdbot-fleet-host").trim() || "clawdbot-fleet-host";
+		const configPath = getRepoLayout(repoRoot).clawdletsConfigPath;
+		if (fs.existsSync(configPath) && !args.force) throw new Error(`config already exists (pass --force to overwrite): ${configPath}`);
+		const config = createDefaultClawdletsConfig({ host: host$1 });
+		if (args["dry-run"]) {
+			console.log(`planned: write ${path.relative(repoRoot, configPath)}`);
+			return;
+		}
+		await ensureDir(path.dirname(configPath));
+		await writeClawdletsConfig({
+			configPath,
+			config
+		});
+		console.log(`ok: wrote ${path.relative(repoRoot, configPath)}`);
+	}
+});
+const show$1 = defineCommand({
+	meta: {
+		name: "show",
+		description: "Print fleet/clawdlets.json."
+	},
+	args: { pretty: {
+		type: "boolean",
+		description: "Pretty-print JSON.",
+		default: true
+	} },
+	async run({ args }) {
+		const { config } = loadClawdletsConfig({ repoRoot: findRepoRoot(process$1.cwd()) });
+		console.log(args.pretty ? JSON.stringify(config, null, 2) : JSON.stringify(config));
+	}
+});
+const validate = defineCommand({
+	meta: {
+		name: "validate",
+		description: "Validate fleet/clawdlets.json schema."
+	},
+	args: {},
+	async run() {
+		loadClawdletsConfig({ repoRoot: findRepoRoot(process$1.cwd()) });
+		console.log("ok");
+	}
+});
+const get = defineCommand({
+	meta: {
+		name: "get",
+		description: "Get a value from fleet/clawdlets.json (dot path)."
+	},
+	args: {
+		path: {
+			type: "string",
+			description: "Dot path (e.g. fleet.botOrder)."
+		},
+		json: {
+			type: "boolean",
+			description: "JSON output.",
+			default: false
+		}
+	},
+	async run({ args }) {
+		const { config } = loadClawdletsConfig({ repoRoot: findRepoRoot(process$1.cwd()) });
+		const parts = splitDotPath(String(args.path || ""));
+		const v = getAtPath(config, parts);
+		if (args.json) console.log(JSON.stringify({
+			path: parts.join("."),
+			value: v
+		}, null, 2));
+		else console.log(typeof v === "string" ? v : JSON.stringify(v, null, 2));
+	}
+});
+const set$2 = defineCommand({
+	meta: {
+		name: "set",
+		description: "Set a value in fleet/clawdlets.json (dot path)."
+	},
+	args: {
+		path: {
+			type: "string",
+			description: "Dot path (e.g. fleet.botOrder)."
+		},
+		value: {
+			type: "string",
+			description: "String value."
+		},
+		"value-json": {
+			type: "string",
+			description: "JSON value (parsed)."
+		},
+		delete: {
+			type: "boolean",
+			description: "Delete the key at path.",
+			default: false
+		}
+	},
+	async run({ args }) {
+		const { configPath, config } = loadClawdletsConfigRaw({ repoRoot: findRepoRoot(process$1.cwd()) });
+		const parts = splitDotPath(String(args.path || ""));
+		const next = structuredClone(config);
+		if (args.delete) {
+			if (!deleteAtPath(next, parts)) throw new Error(`path not found: ${parts.join(".")}`);
+		} else if (args["value-json"] !== void 0) {
+			let parsed;
+			try {
+				parsed = JSON.parse(String(args["value-json"]));
+			} catch {
+				throw new Error("invalid --value-json (must be valid JSON)");
+			}
+			setAtPath(next, parts, parsed);
+		} else if (args.value !== void 0) setAtPath(next, parts, String(args.value));
+		else throw new Error("set requires --value or --value-json (or --delete)");
+		try {
+			await writeClawdletsConfig({
+				configPath,
+				config: ClawdletsConfigSchema.parse(next)
+			});
+			console.log("ok");
+		} catch (err) {
+			let details = "";
+			if (Array.isArray(err?.errors)) details = err.errors.map((e) => (Array.isArray(e.path) ? e.path.join(".") : "") || e.message).filter(Boolean).join(", ");
+			const msg = details ? `config update failed; revert or fix validation errors: ${details}` : "config update failed; revert or fix validation errors";
+			throw new Error(msg);
+		}
+	}
+});
+const config = defineCommand({
+	meta: {
+		name: "config",
+		description: "Canonical config (fleet/clawdlets.json)."
+	},
+	subCommands: {
+		init,
+		show: show$1,
+		validate,
+		get,
+		set: set$2
+	}
+});
+
+//#endregion
+//#region src/commands/doctor.ts
+const doctor = defineCommand({
+	meta: {
+		name: "doctor",
+		description: "Validate repo + runtime inputs for deploying a host."
+	},
+	args: {
+		runtimeDir: {
+			type: "string",
+			description: "Runtime directory (default: .clawdlets)."
+		},
+		envFile: {
+			type: "string",
+			description: "Env file for deploy creds (default: <runtimeDir>/env)."
+		},
+		host: {
+			type: "string",
+			description: "Host name (defaults to clawdlets.json defaultHost / sole host)."
+		},
+		scope: {
+			type: "string",
+			description: "Which checks to run: repo | bootstrap | server-deploy | cattle | all (default: all).",
+			default: "all"
+		},
+		json: {
+			type: "boolean",
+			description: "Output JSON.",
+			default: false
+		},
+		"show-ok": {
+			type: "boolean",
+			description: "Show ok checks too.",
+			default: false
+		},
+		strict: {
+			type: "boolean",
+			description: "Fail on warn too (deploy gating).",
+			default: false
+		}
+	},
+	async run({ args }) {
+		const cwd = process$1.cwd();
+		const scopeRaw = String(args.scope || "all").trim();
+		if (scopeRaw !== "repo" && scopeRaw !== "bootstrap" && scopeRaw !== "server-deploy" && scopeRaw !== "cattle" && scopeRaw !== "all") throw new Error(`invalid --scope: ${scopeRaw} (expected repo|bootstrap|server-deploy|cattle|all)`);
+		const scope = scopeRaw;
+		if (scope === "repo") {
+			const repoRoot = findRepoRoot(cwd);
+			const templateSource = path.join(repoRoot, "config", "template-source.json");
+			const clawdletsConfig = path.join(repoRoot, "fleet", "clawdlets.json");
+			if (fs.existsSync(templateSource) && !fs.existsSync(clawdletsConfig)) {
+				console.log("note: CLI repo detected; run doctor in a project repo or via template-e2e.");
+				return;
+			}
+		}
+		const hostName = resolveHostNameOrExit({
+			cwd,
+			runtimeDir: args.runtimeDir,
+			hostArg: args.host
+		});
+		if (!hostName) return;
+		const checks = await collectDoctorChecks({
+			cwd,
+			runtimeDir: args.runtimeDir,
+			envFile: args.envFile,
+			host: hostName,
+			scope
+		});
+		if (args.json) console.log(JSON.stringify({
+			scope: scopeRaw,
+			host: hostName,
+			checks
+		}, null, 2));
+		else console.log(renderDoctorReport({
+			checks,
+			host: hostName,
+			scope,
+			strict: args.strict,
+			showOk: Boolean(args["show-ok"])
+		}));
+		if (checks.some((c) => c.status === "missing")) process$1.exitCode = 1;
+		if (args.strict && checks.some((c) => c.status === "warn")) process$1.exitCode = 1;
+	}
+});
+
+//#endregion
+//#region src/commands/env.ts
+function resolveEnvFilePath(params) {
+	const repoRoot = findRepoRoot(params.cwd);
+	const explicit = String(params.envFileArg ?? "").trim();
+	if (explicit) {
+		const expanded = expandPath(explicit);
+		return {
+			path: path.isAbsolute(expanded) ? expanded : path.resolve(params.cwd, expanded),
+			origin: "explicit"
+		};
+	}
+	return {
+		path: getRepoLayout(repoRoot, params.runtimeDir).envFilePath,
+		origin: "default"
+	};
+}
+function renderEnvFile(keys) {
+	return [
+		"# clawdlets deploy creds (local-only; never commit)",
+		"# Used by: bootstrap, infra, lockdown, doctor",
+		"",
+		`HCLOUD_TOKEN=${formatDotenvValue(keys.HCLOUD_TOKEN)}`,
+		`GITHUB_TOKEN=${formatDotenvValue(keys.GITHUB_TOKEN)}`,
+		`NIX_BIN=${formatDotenvValue(keys.NIX_BIN)}`,
+		`SOPS_AGE_KEY_FILE=${formatDotenvValue(keys.SOPS_AGE_KEY_FILE)}`,
+		""
+	].join("\n");
+}
+function readEnvFileOrEmpty(filePath) {
+	if (!fs.existsSync(filePath)) return {
+		text: "",
+		parsed: {}
+	};
+	const st = fs.lstatSync(filePath);
+	if (st.isSymbolicLink()) throw new Error(`refusing to read env file symlink: ${filePath}`);
+	if (!st.isFile()) throw new Error(`refusing to read non-file env path: ${filePath}`);
+	const text = fs.readFileSync(filePath, "utf8");
+	return {
+		text,
+		parsed: parseDotenv(text)
+	};
+}
+const envInit = defineCommand({
+	meta: {
+		name: "init",
+		description: "Create/update <runtimeDir>/env for deploy creds (gitignored)."
+	},
+	args: {
+		runtimeDir: {
+			type: "string",
+			description: "Runtime directory (default: .clawdlets)."
+		},
+		envFile: {
+			type: "string",
+			description: "Env file path override (advanced; default: <runtimeDir>/env)."
+		}
+	},
+	async run({ args }) {
+		const cwd = process$1.cwd();
+		const repoRoot = findRepoRoot(cwd);
+		const layout = getRepoLayout(repoRoot, args.runtimeDir);
+		const resolved = resolveEnvFilePath({
+			cwd,
+			runtimeDir: args.runtimeDir,
+			envFileArg: args.envFile
+		});
+		if (resolved.origin === "default") try {
+			fs.mkdirSync(layout.runtimeDir, { recursive: true });
+			fs.chmodSync(layout.runtimeDir, 448);
+		} catch {}
+		const existing = readEnvFileOrEmpty(resolved.path).parsed;
+		const keys = {
+			HCLOUD_TOKEN: String(existing.HCLOUD_TOKEN || "").trim(),
+			GITHUB_TOKEN: String(existing.GITHUB_TOKEN || "").trim(),
+			NIX_BIN: String(existing.NIX_BIN || "nix").trim() || "nix",
+			SOPS_AGE_KEY_FILE: String(existing.SOPS_AGE_KEY_FILE || "").trim()
+		};
+		await writeFileAtomic(resolved.path, renderEnvFile(keys), { mode: 384 });
+		console.log(`ok: wrote ${path.relative(repoRoot, resolved.path) || resolved.path}`);
+		if (resolved.origin === "explicit") console.log(`note: you must pass --env-file ${resolved.path} to deploy commands to use it`);
+		else console.log("next: edit this file and set HCLOUD_TOKEN (required)");
+	}
+});
+const envShow = defineCommand({
+	meta: {
+		name: "show",
+		description: "Show resolved deploy creds (redacted) + their sources (env/file/default)."
+	},
+	args: {
+		runtimeDir: {
+			type: "string",
+			description: "Runtime directory (default: .clawdlets)."
+		},
+		envFile: {
+			type: "string",
+			description: "Env file for deploy creds (default: <runtimeDir>/env)."
+		}
+	},
+	async run({ args }) {
+		const loaded = loadDeployCreds({
+			cwd: process$1.cwd(),
+			runtimeDir: args.runtimeDir,
+			envFile: args.envFile
+		});
+		if (loaded.envFile) {
+			const status = loaded.envFile.status;
+			const detail = loaded.envFile.error ? ` (${loaded.envFile.error})` : "";
+			console.log(`env file: ${status} (${loaded.envFile.origin}) ${loaded.envFile.path}${detail}`);
+		} else console.log("env file: (default missing; set vars via process env or run: clawdlets env init)");
+		const line = (k, redact) => {
+			const v = loaded.values[k];
+			const src = loaded.sources[k];
+			if (!v) return `${k}: unset (${src})`;
+			if (redact) return `${k}: set (${src})`;
+			return `${k}: ${v} (${src})`;
+		};
+		console.log(line("HCLOUD_TOKEN", true));
+		console.log(line("GITHUB_TOKEN", true));
+		console.log(line("NIX_BIN", false));
+		console.log(line("SOPS_AGE_KEY_FILE", false));
+	}
+});
+const env = defineCommand({
+	meta: {
+		name: "env",
+		description: "Local deploy credentials (.clawdlets/env)."
+	},
+	subCommands: {
+		init: envInit,
+		show: envShow
+	}
+});
+
+//#endregion
+//#region src/commands/host.ts
+function parseBoolOrUndefined(v) {
+	if (v === void 0 || v === null) return void 0;
+	const s = String(v).trim().toLowerCase();
+	if (s === "") return void 0;
+	if (s === "true" || s === "1" || s === "yes") return true;
+	if (s === "false" || s === "0" || s === "no") return false;
+	throw new Error(`invalid boolean: ${String(v)} (use true/false)`);
+}
+function readSshPublicKeysFromFile(filePath) {
+	const stat = fs.statSync(filePath);
+	if (!stat.isFile()) throw new Error(`not a file: ${filePath}`);
+	if (stat.size > 64 * 1024) throw new Error(`ssh key file too large (>64KB): ${filePath}`);
+	const raw = fs.readFileSync(filePath, "utf8");
+	if (looksLikeSshPrivateKey(raw)) throw new Error(`refusing to read ssh private key (expected .pub): ${filePath}`);
+	const keys = parseSshPublicKeysFromText(raw);
+	if (keys.length === 0) throw new Error(`no ssh public keys found in file: ${filePath}`);
+	return keys;
+}
+function readKnownHostsFromFile(filePath) {
+	const stat = fs.statSync(filePath);
+	if (!stat.isFile()) throw new Error(`not a file: ${filePath}`);
+	if (stat.size > 256 * 1024) throw new Error(`known_hosts file too large (>256KB): ${filePath}`);
+	const lines = fs.readFileSync(filePath, "utf8").split(/\r?\n/).map((line) => line.trim()).filter((line) => line && !line.startsWith("#"));
+	if (lines.length === 0) throw new Error(`no known_hosts entries found in file: ${filePath}`);
+	return lines;
+}
+function toStringArray(v) {
+	if (v == null) return [];
+	if (Array.isArray(v)) return v.map((x) => String(x));
+	return [String(v)];
+}
+const add$1 = defineCommand({
+	meta: {
+		name: "add",
+		description: "Add a host entry to fleet/clawdlets.json."
+	},
+	args: { host: {
+		type: "string",
+		description: "Host name."
+	} },
+	async run({ args }) {
+		const { configPath, config: config$1 } = loadClawdletsConfig({ repoRoot: findRepoRoot(process$1.cwd()) });
+		const hostName = String(args.host || "").trim();
+		if (!hostName) throw new Error("missing --host");
+		assertSafeHostName(hostName);
+		if (config$1.hosts[hostName]) throw new Error(`host already exists in clawdlets.json: ${hostName}`);
+		const nextHost = {
+			enable: false,
+			diskDevice: "/dev/sda",
+			sshAuthorizedKeys: [],
+			sshKnownHosts: [],
+			flakeHost: "",
+			targetHost: void 0,
+			hetzner: {
+				serverType: "cx43",
+				image: "",
+				location: "nbg1"
+			},
+			provisioning: {
+				adminCidr: "",
+				adminCidrAllowWorldOpen: false,
+				sshPubkeyFile: "~/.ssh/id_ed25519.pub"
+			},
+			sshExposure: { mode: "bootstrap" },
+			tailnet: { mode: "tailscale" },
+			cache: { garnix: { private: {
+				enable: false,
+				netrcSecret: "garnix_netrc",
+				netrcPath: "/etc/nix/netrc",
+				narinfoCachePositiveTtl: 3600
+			} } },
+			operator: { deploy: { enable: false } },
+			selfUpdate: {
+				enable: false,
+				manifestUrl: "",
+				interval: "30min",
+				publicKey: "",
+				signatureUrl: ""
+			},
+			agentModelPrimary: "zai/glm-4.7"
+		};
+		await writeClawdletsConfig({
+			configPath,
+			config: ClawdletsConfigSchema.parse({
+				...config$1,
+				defaultHost: config$1.defaultHost || hostName,
+				hosts: {
+					...config$1.hosts,
+					[hostName]: nextHost
+				}
+			})
+		});
+		console.log(`ok: added host ${hostName}`);
+	}
+});
+const setDefault = defineCommand({
+	meta: {
+		name: "set-default",
+		description: "Set config.defaultHost (default host used when --host is omitted)."
+	},
+	args: { host: {
+		type: "string",
+		description: "Host name (defaults to current defaultHost / sole host)."
+	} },
+	async run({ args }) {
+		const { configPath, config: config$1 } = loadClawdletsConfig({ repoRoot: findRepoRoot(process$1.cwd()) });
+		const resolved = resolveHostName({
+			config: config$1,
+			host: args.host
+		});
+		if (!resolved.ok) {
+			console.error(`warn: ${resolved.message}`);
+			for (const t of resolved.tips) console.error(`tip: ${t}`);
+			process$1.exitCode = 1;
+			return;
+		}
+		await writeClawdletsConfig({
+			configPath,
+			config: ClawdletsConfigSchema.parse({
+				...config$1,
+				defaultHost: resolved.host
+			})
+		});
+		console.log(`ok: defaultHost = ${resolved.host}`);
+	}
+});
+const set$1 = defineCommand({
+	meta: {
+		name: "set",
+		description: "Set host config fields (in fleet/clawdlets.json)."
+	},
+	args: {
+		host: {
+			type: "string",
+			description: "Host name (defaults to clawdlets.json defaultHost / sole host)."
+		},
+		enable: {
+			type: "string",
+			description: "Enable fleet services (true/false)."
+		},
+		"ssh-exposure": {
+			type: "string",
+			description: "SSH exposure mode: tailnet|bootstrap|public."
+		},
+		"disk-device": {
+			type: "string",
+			description: "Disk device (Hetzner Cloud: /dev/sda)."
+		},
+		"agent-model-primary": {
+			type: "string",
+			description: "Primary agent model (e.g. zai/glm-4.7)."
+		},
+		tailnet: {
+			type: "string",
+			description: "Tailnet mode: none|tailscale."
+		},
+		"garnix-private-cache": {
+			type: "string",
+			description: "Enable private Garnix cache access (true/false). Requires garnix netrc secret."
+		},
+		"garnix-netrc-secret": {
+			type: "string",
+			description: "Sops secret name containing /etc/nix/netrc (default: garnix_netrc)."
+		},
+		"garnix-netrc-path": {
+			type: "string",
+			description: "Filesystem path for netrc on host (default: /etc/nix/netrc)."
+		},
+		"garnix-narinfo-cache-positive-ttl": {
+			type: "string",
+			description: "narinfo-cache-positive-ttl when private cache enabled (default: 3600)."
+		},
+		"flake-host": {
+			type: "string",
+			description: "Flake output host name override (default: same as host name)."
+		},
+		"target-host": {
+			type: "string",
+			description: "SSH target (ssh config alias or user@host)."
+		},
+		"server-type": {
+			type: "string",
+			description: "Hetzner server type (e.g. cx43)."
+		},
+		"hetzner-image": {
+			type: "string",
+			description: "Hetzner image ID/name (custom image or snapshot)."
+		},
+		"hetzner-location": {
+			type: "string",
+			description: "Hetzner location (e.g. nbg1, fsn1)."
+		},
+		"admin-cidr": {
+			type: "string",
+			description: "ADMIN_CIDR (e.g. 1.2.3.4/32)."
+		},
+		"ssh-pubkey-file": {
+			type: "string",
+			description: "SSH_PUBKEY_FILE path (e.g. ~/.ssh/id_ed25519.pub)."
+		},
+		"clear-ssh-keys": {
+			type: "boolean",
+			description: "Clear sshAuthorizedKeys.",
+			default: false
+		},
+		"add-ssh-key": {
+			type: "string",
+			description: "Add SSH public key contents (repeatable).",
+			array: true
+		},
+		"add-ssh-key-file": {
+			type: "string",
+			description: "Add SSH public key from file (repeatable).",
+			array: true
+		},
+		"clear-ssh-known-hosts": {
+			type: "boolean",
+			description: "Clear sshKnownHosts.",
+			default: false
+		},
+		"add-ssh-known-host": {
+			type: "string",
+			description: "Add known_hosts entry (repeatable).",
+			array: true
+		},
+		"add-ssh-known-host-file": {
+			type: "string",
+			description: "Add known_hosts entries from file (repeatable).",
+			array: true
+		}
+	},
+	async run({ args }) {
+		const { configPath, config: config$1 } = loadClawdletsConfig({ repoRoot: findRepoRoot(process$1.cwd()) });
+		const resolved = resolveHostName({
+			config: config$1,
+			host: args.host
+		});
+		if (!resolved.ok) {
+			console.error(`warn: ${resolved.message}`);
+			for (const t of resolved.tips) console.error(`tip: ${t}`);
+			process$1.exitCode = 1;
+			return;
+		}
+		const hostName = resolved.host;
+		const existing = config$1.hosts[hostName];
+		if (!existing) {
+			console.error(`warn: unknown host in clawdlets.json: ${hostName}`);
+			console.error(`tip: available hosts: ${Object.keys(config$1.hosts).join(", ")}`);
+			process$1.exitCode = 1;
+			return;
+		}
+		const next = structuredClone(existing);
+		const enable = parseBoolOrUndefined(args.enable);
+		if (enable !== void 0) next.enable = enable;
+		if (args["ssh-exposure"] !== void 0) {
+			const mode = String(args["ssh-exposure"]).trim();
+			if (!SSH_EXPOSURE_MODES.includes(mode)) throw new Error("invalid --ssh-exposure (expected tailnet|bootstrap|public)");
+			next.sshExposure.mode = mode;
+		}
+		if (args["disk-device"] !== void 0) next.diskDevice = String(args["disk-device"]).trim();
+		if (args["agent-model-primary"] !== void 0) next.agentModelPrimary = String(args["agent-model-primary"]).trim();
+		if (args["garnix-private-cache"] !== void 0) {
+			const v = parseBoolOrUndefined(args["garnix-private-cache"]);
+			if (v !== void 0) next.cache.garnix.private.enable = v;
+		}
+		if (args["garnix-netrc-secret"] !== void 0) next.cache.garnix.private.netrcSecret = String(args["garnix-netrc-secret"]).trim();
+		if (args["garnix-netrc-path"] !== void 0) next.cache.garnix.private.netrcPath = String(args["garnix-netrc-path"]).trim();
+		if (args["garnix-narinfo-cache-positive-ttl"] !== void 0) {
+			const raw = String(args["garnix-narinfo-cache-positive-ttl"]).trim();
+			if (raw) {
+				const n = Number(raw);
+				if (!Number.isInteger(n) || n <= 0) throw new Error("invalid --garnix-narinfo-cache-positive-ttl (expected positive integer)");
+				next.cache.garnix.private.narinfoCachePositiveTtl = n;
+			}
+		}
+		if (args["flake-host"] !== void 0) next.flakeHost = String(args["flake-host"]).trim();
+		if (args["target-host"] !== void 0) {
+			const v = String(args["target-host"]).trim();
+			next.targetHost = v ? validateTargetHost(v) : void 0;
+		}
+		if (args["server-type"] !== void 0) next.hetzner.serverType = String(args["server-type"]).trim();
+		if (args["hetzner-image"] !== void 0) next.hetzner.image = String(args["hetzner-image"]).trim();
+		if (args["hetzner-location"] !== void 0) next.hetzner.location = String(args["hetzner-location"]).trim();
+		if (args["admin-cidr"] !== void 0) next.provisioning.adminCidr = String(args["admin-cidr"]).trim();
+		if (args["ssh-pubkey-file"] !== void 0) next.provisioning.sshPubkeyFile = String(args["ssh-pubkey-file"]).trim();
+		if (args.tailnet !== void 0) {
+			const mode = String(args.tailnet).trim();
+			if (mode !== "none" && mode !== "tailscale") throw new Error("invalid --tailnet (expected none|tailscale)");
+			next.tailnet.mode = mode;
+		}
+		if (args["clear-ssh-keys"]) next.sshAuthorizedKeys = [];
+		{
+			const keys = new Set(next.sshAuthorizedKeys || []);
+			for (const file of toStringArray(args["add-ssh-key-file"])) for (const k of readSshPublicKeysFromFile(file)) keys.add(k);
+			for (const raw of toStringArray(args["add-ssh-key"])) {
+				if (!raw.trim()) continue;
+				if (looksLikeSshPrivateKey(raw)) throw new Error("refusing to add ssh private key (expected public key contents)");
+				const parsed = parseSshPublicKeysFromText(raw);
+				if (parsed.length === 0) throw new Error("invalid --add-ssh-key (expected ssh public key contents)");
+				for (const k of parsed) keys.add(k);
+			}
+			next.sshAuthorizedKeys = Array.from(keys);
+		}
+		if (args["clear-ssh-known-hosts"]) next.sshKnownHosts = [];
+		{
+			const knownHosts = new Set(next.sshKnownHosts || []);
+			for (const file of toStringArray(args["add-ssh-known-host-file"])) for (const line of readKnownHostsFromFile(file)) knownHosts.add(line);
+			for (const raw of toStringArray(args["add-ssh-known-host"])) {
+				const trimmed = raw.trim();
+				if (!trimmed) continue;
+				if (trimmed.startsWith("#")) continue;
+				knownHosts.add(trimmed);
+			}
+			next.sshKnownHosts = Array.from(knownHosts);
+		}
+		await writeClawdletsConfig({
+			configPath,
+			config: ClawdletsConfigSchema.parse({
+				...config$1,
+				hosts: {
+					...config$1.hosts,
+					[hostName]: next
+				}
+			})
+		});
+		console.log(`ok: updated host ${hostName}`);
+	}
+});
+const host = defineCommand({
+	meta: {
+		name: "host",
+		description: "Manage host config (fleet/clawdlets.json)."
+	},
+	subCommands: {
+		add: add$1,
+		"set-default": setDefault,
+		set: set$1
+	}
+});
+
+//#endregion
+//#region src/commands/fleet.ts
+const show = defineCommand({
+	meta: {
+		name: "show",
+		description: "Print fleet config (from fleet/clawdlets.json)."
+	},
+	args: {},
+	async run() {
+		const { config: config$1 } = loadClawdletsConfig({ repoRoot: findRepoRoot(process$1.cwd()) });
+		console.log(JSON.stringify(config$1.fleet, null, 2));
+	}
+});
+const set = defineCommand({
+	meta: {
+		name: "set",
+		description: "Set fleet config fields (in fleet/clawdlets.json)."
+	},
+	args: {
+		"codex-enable": {
+			type: "string",
+			description: "Enable codex (true/false)."
+		},
+		"guild-id": {
+			type: "string",
+			description: "Discord guild ID."
+		},
+		"restic-enable": {
+			type: "string",
+			description: "Enable restic backups (true/false)."
+		},
+		"restic-repository": {
+			type: "string",
+			description: "Restic repository URL/path."
+		}
+	},
+	async run({ args }) {
+		const { configPath, config: config$1 } = loadClawdletsConfig({ repoRoot: findRepoRoot(process$1.cwd()) });
+		const next = structuredClone(config$1);
+		const parseBool = (v) => {
+			if (v === void 0 || v === null) return void 0;
+			const s = String(v).trim().toLowerCase();
+			if (s === "") return void 0;
+			if (s === "true" || s === "1" || s === "yes") return true;
+			if (s === "false" || s === "0" || s === "no") return false;
+			throw new Error(`invalid boolean: ${String(v)} (use true/false)`);
+		};
+		{
+			const v = parseBool(args["codex-enable"]);
+			if (v !== void 0) next.fleet.codex.enable = v;
+		}
+		{
+			const v = parseBool(args["restic-enable"]);
+			if (v !== void 0) next.fleet.backups.restic.enable = v;
+		}
+		if (args["guild-id"] !== void 0) next.fleet.guildId = String(args["guild-id"]).trim();
+		if (args["restic-repository"] !== void 0) next.fleet.backups.restic.repository = String(args["restic-repository"]).trim();
+		await writeClawdletsConfig({
+			configPath,
+			config: ClawdletsConfigSchema.parse(next)
+		});
+		console.log("ok");
+	}
+});
+const fleet = defineCommand({
+	meta: {
+		name: "fleet",
+		description: "Manage fleet config (fleet/clawdlets.json)."
+	},
+	subCommands: {
+		show,
+		set
+	}
+});
+
+//#endregion
+//#region src/commands/image.ts
+async function buildRawImage(params) {
+	if (process$1.platform !== "linux") throw new Error("image build requires Linux; run in CI or a Linux builder");
+	const attr = `.#packages.x86_64-linux.${params.host}-image`;
+	const out = await capture(params.nixBin, [
+		"build",
+		"--json",
+		"--no-link",
+		attr
+	], {
+		cwd: params.repoRoot,
+		env: withFlakesEnv(process$1.env)
+	});
+	let parsed;
+	try {
+		parsed = JSON.parse(out);
+	} catch (e) {
+		throw new Error(`nix build --json returned invalid JSON (${String(e?.message || e)})`);
+	}
+	const imagePath = parsed?.[0]?.outputs?.out;
+	if (!imagePath || typeof imagePath !== "string") throw new Error("nix build did not return an image store path");
+	if (!fs.existsSync(imagePath)) throw new Error(`image path missing: ${imagePath}`);
+	return imagePath;
+}
+const imageBuild = defineCommand({
+	meta: {
+		name: "build",
+		description: "Build a raw NixOS image for a host (nixos-generators)."
+	},
+	args: {
+		runtimeDir: {
+			type: "string",
+			description: "Runtime directory (default: .clawdlets)."
+		},
+		host: {
+			type: "string",
+			description: "Host name (defaults to clawdlets.json defaultHost / sole host)."
+		},
+		rev: {
+			type: "string",
+			description: "Git rev to name the image (HEAD/sha/tag).",
+			default: "HEAD"
+		},
+		out: {
+			type: "string",
+			description: "Output path (default: .clawdlets/images/<host>/clawdlets-<host>-<rev>.raw)."
+		},
+		nixBin: {
+			type: "string",
+			description: "Override nix binary (default: nix)."
+		}
+	},
+	async run({ args }) {
+		const cwd = process$1.cwd();
+		const ctx = loadHostContextOrExit({
+			cwd,
+			runtimeDir: args.runtimeDir,
+			hostArg: args.host
+		});
+		if (!ctx) return;
+		const { repoRoot, layout, hostName } = ctx;
+		const revRaw = String(args.rev || "").trim() || "HEAD";
+		const resolved = await resolveGitRev(repoRoot, revRaw);
+		if (!resolved) throw new Error(`unable to resolve git rev: ${revRaw}`);
+		const imagePath = await buildRawImage({
+			repoRoot,
+			nixBin: String(args.nixBin || process$1.env.NIX_BIN || "nix").trim() || "nix",
+			host: hostName
+		});
+		const outRaw = String(args.out || "").trim();
+		const outPath = outRaw ? path.isAbsolute(outRaw) ? outRaw : path.resolve(cwd, outRaw) : path.join(layout.runtimeDir, "images", hostName, `clawdlets-${hostName}-${resolved}.raw`);
+		fs.mkdirSync(path.dirname(outPath), { recursive: true });
+		fs.copyFileSync(imagePath, outPath);
+		console.log(`ok: built raw image ${outPath}`);
+	}
+});
+const imageUpload = defineCommand({
+	meta: {
+		name: "upload",
+		description: "Upload a raw image to Hetzner using hcloud-upload-image."
+	},
+	args: {
+		runtimeDir: {
+			type: "string",
+			description: "Runtime directory (default: .clawdlets)."
+		},
+		envFile: {
+			type: "string",
+			description: "Env file for deploy creds (default: <runtimeDir>/env)."
+		},
+		host: {
+			type: "string",
+			description: "Host name (defaults to clawdlets.json defaultHost / sole host)."
+		},
+		"image-url": {
+			type: "string",
+			description: "Public URL for the raw image (Hetzner must reach it)."
+		},
+		compression: {
+			type: "string",
+			description: "Compression type (none|gz|bz2|xz).",
+			default: "none"
+		},
+		architecture: {
+			type: "string",
+			description: "Architecture (x86 or arm).",
+			default: "x86"
+		},
+		location: {
+			type: "string",
+			description: "Hetzner location (default: host hetzner.location)."
+		},
+		name: {
+			type: "string",
+			description: "Image name override (optional)."
+		},
+		dryRun: {
+			type: "boolean",
+			description: "Print commands without executing.",
+			default: false
+		},
+		bin: {
+			type: "string",
+			description: "Override hcloud-upload-image binary (default: hcloud-upload-image)."
+		}
+	},
+	async run({ args }) {
+		const cwd = process$1.cwd();
+		const ctx = loadHostContextOrExit({
+			cwd,
+			runtimeDir: args.runtimeDir,
+			hostArg: args.host
+		});
+		if (!ctx) return;
+		const { hostName, hostCfg } = ctx;
+		const deployCreds = loadDeployCreds({
+			cwd,
+			runtimeDir: args.runtimeDir,
+			envFile: args.envFile
+		});
+		const hcloudToken = String(deployCreds.values.HCLOUD_TOKEN || "").trim();
+		if (!hcloudToken) throw new Error("missing HCLOUD_TOKEN (set in .clawdlets/env or env var; run: clawdlets env init)");
+		const imageUrl = String(args["image-url"] || "").trim();
+		if (!imageUrl) throw new Error("missing --image-url");
+		const compression = String(args.compression || "").trim();
+		const compressionArg = compression === "none" ? "" : compression;
+		if (compressionArg && ![
+			"gz",
+			"bz2",
+			"xz"
+		].includes(compressionArg)) throw new Error("invalid --compression (expected none|gz|bz2|xz)");
+		const architecture = String(args.architecture || "").trim() || "x86";
+		if (!["x86", "arm"].includes(architecture)) throw new Error("invalid --architecture (expected x86|arm)");
+		const location = String(args.location || hostCfg.hetzner.location || "nbg1").trim() || "nbg1";
+		const name = String(args.name || "").trim();
+		const bin = String(args.bin || "hcloud-upload-image").trim() || "hcloud-upload-image";
+		const cmd = [
+			"upload",
+			"--image-url",
+			imageUrl,
+			"--architecture",
+			architecture,
+			"--location",
+			location
+		];
+		if (compressionArg) cmd.push("--compression", compressionArg);
+		if (name) cmd.push("--name", name);
+		await run(bin, cmd, {
+			env: {
+				...process$1.env,
+				HCLOUD_TOKEN: hcloudToken
+			},
+			dryRun: args.dryRun,
+			redact: [hcloudToken]
+		});
+		console.log(`ok: upload complete for ${hostName}`);
+		console.log(`hint: set hetzner.image in fleet/clawdlets.json to the new image ID/name`);
+	}
+});
+const image = defineCommand({
+	meta: {
+		name: "image",
+		description: "Image build/upload helpers (Hetzner custom images)."
+	},
+	subCommands: {
+		build: imageBuild,
+		upload: imageUpload
+	}
+});
+
+//#endregion
+//#region src/commands/infra.ts
+const infraApply = defineCommand({
+	meta: {
+		name: "apply",
+		description: "Apply Hetzner OpenTofu for a host (driven by fleet/clawdlets.json)."
+	},
+	args: {
+		runtimeDir: {
+			type: "string",
+			description: "Runtime directory (default: .clawdlets)."
+		},
+		envFile: {
+			type: "string",
+			description: "Env file for deploy creds (default: <runtimeDir>/env)."
+		},
+		host: {
+			type: "string",
+			description: "Host name (defaults to clawdlets.json defaultHost / sole host)."
+		},
+		dryRun: {
+			type: "boolean",
+			description: "Print commands without executing.",
+			default: false
+		}
+	},
+	async run({ args }) {
+		const cwd = process$1.cwd();
+		const repoRoot = findRepoRoot(cwd);
+		const hostName = resolveHostNameOrExit({
+			cwd,
+			runtimeDir: args.runtimeDir,
+			hostArg: args.host
+		});
+		if (!hostName) return;
+		const { layout, config: clawdletsConfig } = loadClawdletsConfig({
+			repoRoot,
+			runtimeDir: args.runtimeDir
+		});
+		const hostCfg = clawdletsConfig.hosts[hostName];
+		if (!hostCfg) throw new Error(`missing host in fleet/clawdlets.json: ${hostName}`);
+		const opentofuDir = getHostOpenTofuDir(layout, hostName);
+		const deployCreds = loadDeployCreds({
+			cwd,
+			runtimeDir: args.runtimeDir,
+			envFile: args.envFile
+		});
+		if (deployCreds.envFile?.status === "invalid") throw new Error(`deploy env file rejected: ${deployCreds.envFile.path} (${deployCreds.envFile.error || "invalid"})`);
+		if (deployCreds.envFile?.status === "missing") throw new Error(`missing deploy env file: ${deployCreds.envFile.path}`);
+		const hcloudToken = String(deployCreds.values.HCLOUD_TOKEN || "").trim();
+		if (!hcloudToken) throw new Error("missing HCLOUD_TOKEN (set in .clawdlets/env or env var; run: clawdlets env init)");
+		const adminCidr = String(hostCfg.provisioning.adminCidr || "").trim();
+		if (!adminCidr) throw new Error(`missing provisioning.adminCidr for ${hostName} (set via: clawdlets host set --admin-cidr ...)`);
+		const sshPubkeyFileRaw = String(hostCfg.provisioning.sshPubkeyFile || "").trim();
+		if (!sshPubkeyFileRaw) throw new Error(`missing provisioning.sshPubkeyFile for ${hostName} (set via: clawdlets host set --ssh-pubkey-file ...)`);
+		const sshPubkeyFileExpanded = expandPath(sshPubkeyFileRaw);
+		const sshPubkeyFile = path.isAbsolute(sshPubkeyFileExpanded) ? sshPubkeyFileExpanded : path.resolve(repoRoot, sshPubkeyFileExpanded);
+		if (!fs.existsSync(sshPubkeyFile)) throw new Error(`ssh pubkey file not found: ${sshPubkeyFile}`);
+		const image$1 = String(hostCfg.hetzner.image || "").trim();
+		const location = String(hostCfg.hetzner.location || "").trim();
+		await applyOpenTofuVars({
+			opentofuDir,
+			vars: {
+				hostName,
+				hcloudToken,
+				adminCidr,
+				adminCidrIsWorldOpen: Boolean(hostCfg.provisioning.adminCidrAllowWorldOpen),
+				sshPubkeyFile,
+				serverType: hostCfg.hetzner.serverType,
+				image: image$1,
+				location,
+				sshExposureMode: getSshExposureMode(hostCfg),
+				tailnetMode: getTailnetMode(hostCfg)
+			},
+			nixBin: String(deployCreds.values.NIX_BIN || "nix").trim() || "nix",
+			dryRun: args.dryRun,
+			redact: [hcloudToken, deployCreds.values.GITHUB_TOKEN].filter(Boolean)
+		});
+		console.log(`ok: provisioning applied for ${hostName}`);
+		console.log(`hint: outputs in ${opentofuDir}`);
+	}
+});
+const infraDestroy = defineCommand({
+	meta: {
+		name: "destroy",
+		description: "Destroy Hetzner OpenTofu resources for a host (DANGEROUS)."
+	},
+	args: {
+		runtimeDir: {
+			type: "string",
+			description: "Runtime directory (default: .clawdlets)."
+		},
+		envFile: {
+			type: "string",
+			description: "Env file for deploy creds (default: <runtimeDir>/env)."
+		},
+		host: {
+			type: "string",
+			description: "Host name (defaults to clawdlets.json defaultHost / sole host)."
+		},
+		force: {
+			type: "boolean",
+			description: "Skip confirmation prompt (non-interactive).",
+			default: false
+		},
+		dryRun: {
+			type: "boolean",
+			description: "Print commands without executing.",
+			default: false
+		}
+	},
+	async run({ args }) {
+		const cwd = process$1.cwd();
+		const repoRoot = findRepoRoot(cwd);
+		const hostName = resolveHostNameOrExit({
+			cwd,
+			runtimeDir: args.runtimeDir,
+			hostArg: args.host
+		});
+		if (!hostName) return;
+		const { layout, config: clawdletsConfig } = loadClawdletsConfig({
+			repoRoot,
+			runtimeDir: args.runtimeDir
+		});
+		const hostCfg = clawdletsConfig.hosts[hostName];
+		if (!hostCfg) throw new Error(`missing host in fleet/clawdlets.json: ${hostName}`);
+		const opentofuDir = getHostOpenTofuDir(layout, hostName);
+		const deployCreds = loadDeployCreds({
+			cwd,
+			runtimeDir: args.runtimeDir,
+			envFile: args.envFile
+		});
+		if (deployCreds.envFile?.status === "invalid") throw new Error(`deploy env file rejected: ${deployCreds.envFile.path} (${deployCreds.envFile.error || "invalid"})`);
+		if (deployCreds.envFile?.status === "missing") throw new Error(`missing deploy env file: ${deployCreds.envFile.path}`);
+		const hcloudToken = String(deployCreds.values.HCLOUD_TOKEN || "").trim();
+		if (!hcloudToken) throw new Error("missing HCLOUD_TOKEN (set in .clawdlets/env or env var; run: clawdlets env init)");
+		const adminCidr = String(hostCfg.provisioning.adminCidr || "").trim();
+		if (!adminCidr) throw new Error(`missing provisioning.adminCidr for ${hostName} (set via: clawdlets host set --admin-cidr ...)`);
+		const sshPubkeyFileRaw = String(hostCfg.provisioning.sshPubkeyFile || "").trim();
+		if (!sshPubkeyFileRaw) throw new Error(`missing provisioning.sshPubkeyFile for ${hostName} (set via: clawdlets host set --ssh-pubkey-file ...)`);
+		const sshPubkeyFileExpanded = expandPath(sshPubkeyFileRaw);
+		const sshPubkeyFile = path.isAbsolute(sshPubkeyFileExpanded) ? sshPubkeyFileExpanded : path.resolve(repoRoot, sshPubkeyFileExpanded);
+		if (!fs.existsSync(sshPubkeyFile)) throw new Error(`ssh pubkey file not found: ${sshPubkeyFile}`);
+		const image$1 = String(hostCfg.hetzner.image || "").trim();
+		const location = String(hostCfg.hetzner.location || "").trim();
+		const force = Boolean(args.force);
+		const interactive = process$1.stdin.isTTY && process$1.stdout.isTTY;
+		if (!force) {
+			if (!interactive) throw new Error("refusing to destroy without --force (no TTY)");
+			p.intro("clawdlets infra destroy");
+			const ok = await p.confirm({
+				message: `Destroy Hetzner resources for host ${hostName}?`,
+				initialValue: false
+			});
+			if (p.isCancel(ok) || !ok) {
+				p.cancel("canceled");
+				return;
+			}
+		}
+		await destroyOpenTofuVars({
+			opentofuDir,
+			vars: {
+				hostName,
+				hcloudToken,
+				adminCidr,
+				adminCidrIsWorldOpen: Boolean(hostCfg.provisioning.adminCidrAllowWorldOpen),
+				sshPubkeyFile,
+				serverType: hostCfg.hetzner.serverType,
+				image: image$1,
+				location,
+				sshExposureMode: getSshExposureMode(hostCfg),
+				tailnetMode: getTailnetMode(hostCfg)
+			},
+			nixBin: String(deployCreds.values.NIX_BIN || "nix").trim() || "nix",
+			dryRun: args.dryRun,
+			redact: [hcloudToken, deployCreds.values.GITHUB_TOKEN].filter(Boolean)
+		});
+		console.log(`ok: provisioning destroyed for ${hostName}`);
+		console.log(`hint: state in ${opentofuDir}`);
+	}
+});
+const infra = defineCommand({
+	meta: {
+		name: "infra",
+		description: "Infrastructure operations (Hetzner OpenTofu)."
+	},
+	subCommands: {
+		apply: infraApply,
+		destroy: infraDestroy
+	}
+});
+
+//#endregion
+//#region src/commands/lockdown.ts
+const lockdown = defineCommand({
+	meta: {
+		name: "lockdown",
+		description: "Remove public SSH from Hetzner firewall (OpenTofu only)."
+	},
+	args: {
+		runtimeDir: {
+			type: "string",
+			description: "Runtime directory (default: .clawdlets)."
+		},
+		envFile: {
+			type: "string",
+			description: "Env file for deploy creds (default: <runtimeDir>/env)."
+		},
+		host: {
+			type: "string",
+			description: "Host name (defaults to clawdlets.json defaultHost / sole host)."
+		},
+		skipTofu: {
+			type: "boolean",
+			description: "Skip provisioning apply.",
+			default: false
+		},
+		dryRun: {
+			type: "boolean",
+			description: "Print commands without executing.",
+			default: false
+		}
+	},
+	async run({ args }) {
+		const cwd = process$1.cwd();
+		const repoRoot = findRepoRoot(cwd);
+		const hostName = resolveHostNameOrExit({
+			cwd,
+			runtimeDir: args.runtimeDir,
+			hostArg: args.host
+		});
+		if (!hostName) return;
+		const { layout, config: clawdletsConfig } = loadClawdletsConfig({
+			repoRoot,
+			runtimeDir: args.runtimeDir
+		});
+		const hostCfg = clawdletsConfig.hosts[hostName];
+		if (!hostCfg) throw new Error(`missing host in fleet/clawdlets.json: ${hostName}`);
+		const opentofuDir = getHostOpenTofuDir(layout, hostName);
+		const sshExposureMode = getSshExposureMode(hostCfg);
+		if (sshExposureMode !== "tailnet") throw new Error(`sshExposure.mode=${sshExposureMode}; set sshExposure.mode=tailnet before lockdown (clawdlets host set --host ${hostName} --ssh-exposure tailnet)`);
+		await requireDeployGate({
+			runtimeDir: args.runtimeDir,
+			envFile: args.envFile,
+			host: hostName,
+			scope: "server-deploy",
+			strict: true,
+			skipGithubTokenCheck: true
+		});
+		const deployCreds = loadDeployCreds({
+			cwd,
+			runtimeDir: args.runtimeDir,
+			envFile: args.envFile
+		});
+		if (deployCreds.envFile?.status === "invalid") throw new Error(`deploy env file rejected: ${deployCreds.envFile.path} (${deployCreds.envFile.error || "invalid"})`);
+		if (deployCreds.envFile?.status === "missing") throw new Error(`missing deploy env file: ${deployCreds.envFile.path}`);
+		const hcloudToken = String(deployCreds.values.HCLOUD_TOKEN || "").trim();
+		const githubToken = String(deployCreds.values.GITHUB_TOKEN || "").trim();
+		if (!args.skipTofu) {
+			if (!hcloudToken) throw new Error("missing HCLOUD_TOKEN (set in .clawdlets/env or env var; run: clawdlets env init)");
+			const adminCidr = String(hostCfg.provisioning.adminCidr || "").trim();
+			if (!adminCidr) throw new Error(`missing provisioning.adminCidr for ${hostName} (set via: clawdlets host set --admin-cidr ...)`);
+			const sshPubkeyFileRaw = String(hostCfg.provisioning.sshPubkeyFile || "").trim();
+			if (!sshPubkeyFileRaw) throw new Error(`missing provisioning.sshPubkeyFile for ${hostName} (set via: clawdlets host set --ssh-pubkey-file ...)`);
+			const sshPubkeyFileExpanded = expandPath(sshPubkeyFileRaw);
+			const sshPubkeyFile = path.isAbsolute(sshPubkeyFileExpanded) ? sshPubkeyFileExpanded : path.resolve(repoRoot, sshPubkeyFileExpanded);
+			if (!fs.existsSync(sshPubkeyFile)) throw new Error(`ssh pubkey file not found: ${sshPubkeyFile}`);
+			const image$1 = String(hostCfg.hetzner.image || "").trim();
+			const location = String(hostCfg.hetzner.location || "").trim();
+			await applyOpenTofuVars({
+				opentofuDir,
+				vars: {
+					hostName,
+					hcloudToken,
+					adminCidr,
+					adminCidrIsWorldOpen: Boolean(hostCfg.provisioning.adminCidrAllowWorldOpen),
+					sshPubkeyFile,
+					serverType: hostCfg.hetzner.serverType,
+					image: image$1,
+					location,
+					sshExposureMode,
+					tailnetMode: getTailnetMode(hostCfg)
+				},
+				nixBin: String(deployCreds.values.NIX_BIN || "nix").trim() || "nix",
+				dryRun: args.dryRun,
+				redact: [hcloudToken, githubToken].filter(Boolean)
+			});
+		}
+	}
+});
+
+//#endregion
+//#region src/commands/plugin.ts
+async function loadPlugins() {
+	return await Promise.resolve().then(() => plugins_exports);
+}
+function resolveSlug(args) {
+	const raw = String(args.name || args._?.[0] || "").trim();
+	if (!raw) throw new Error("missing plugin name (pass --name or first arg)");
+	return raw;
+}
+const list = defineCommand({
+	meta: {
+		name: "list",
+		description: "List installed plugins."
+	},
+	args: {
+		json: {
+			type: "boolean",
+			description: "Output JSON.",
+			default: false
+		},
+		runtimeDir: {
+			type: "string",
+			description: "Runtime directory (default: .clawdlets)."
+		}
+	},
+	async run({ args }) {
+		const { listInstalledPlugins: listInstalledPlugins$1 } = await loadPlugins();
+		const errors = [];
+		const plugins = listInstalledPlugins$1({
+			cwd: process$1.cwd(),
+			runtimeDir: args.runtimeDir,
+			onError: (err) => errors.push(err)
+		});
+		const payload = {
+			plugins,
+			errors: errors.map((e) => ({
+				slug: e.slug,
+				error: e.error.message
+			}))
+		};
+		if (args.json) {
+			console.log(JSON.stringify(payload, null, 2));
+			return;
+		}
+		for (const err of errors) console.error(`warn: skipping plugin ${err.slug}: ${err.error.message}`);
+		if (plugins.length === 0) {
+			console.log("ok: no plugins installed");
+			return;
+		}
+		for (const p$1 of plugins) console.log(`${p$1.command}\t${p$1.packageName}@${p$1.version}`);
+	}
+});
+const add = defineCommand({
+	meta: {
+		name: "add",
+		description: "Install a plugin into .clawdlets/plugins."
+	},
+	args: {
+		name: {
+			type: "string",
+			description: "Plugin name (e.g. cattle)."
+		},
+		package: {
+			type: "string",
+			description: "Package to install (default: @clawdlets/plugin-<name>)."
+		},
+		version: {
+			type: "string",
+			description: "Package version/tag (default: latest)."
+		},
+		allowThirdParty: {
+			type: "boolean",
+			description: "Allow third-party plugins (unsafe).",
+			default: false
+		},
+		runtimeDir: {
+			type: "string",
+			description: "Runtime directory (default: .clawdlets)."
+		}
+	},
+	async run({ args }) {
+		const slug = resolveSlug(args);
+		const packageName = String(args.package || `@clawdlets/plugin-${slug}`).trim();
+		if (!args.allowThirdParty && !packageName.startsWith("@clawdlets/")) throw new Error("third-party plugins disabled (pass --allow-third-party to override)");
+		const { installPlugin: installPlugin$1 } = await loadPlugins();
+		const plugin = await installPlugin$1({
+			cwd: process$1.cwd(),
+			runtimeDir: args.runtimeDir,
+			slug,
+			packageName,
+			version: args.version,
+			allowThirdParty: args.allowThirdParty
+		});
+		console.log(`ok: installed ${plugin.command} (${plugin.packageName}@${plugin.version})`);
+	}
+});
+const rm = defineCommand({
+	meta: {
+		name: "rm",
+		description: "Remove an installed plugin."
+	},
+	args: {
+		name: {
+			type: "string",
+			description: "Plugin name (e.g. cattle)."
+		},
+		runtimeDir: {
+			type: "string",
+			description: "Runtime directory (default: .clawdlets)."
+		}
+	},
+	async run({ args }) {
+		const slug = resolveSlug(args);
+		const { removePlugin: removePlugin$1 } = await loadPlugins();
+		removePlugin$1({
+			cwd: process$1.cwd(),
+			runtimeDir: args.runtimeDir,
+			slug
+		});
+		console.log(`ok: removed ${slug}`);
+	}
+});
+const plugin = defineCommand({
+	meta: {
+		name: "plugin",
+		description: "Plugin manager (install/remove/list)."
+	},
+	subCommands: {
+		add,
+		list,
+		rm
+	}
+});
+
+//#endregion
+//#region src/lib/template-spec.ts
+function firstNonEmpty(...values) {
+	for (const value of values) {
+		const trimmed = String(value || "").trim();
+		if (trimmed) return trimmed;
+	}
+}
+function resolveTemplateSourcePath() {
+	const moduleDir = path.dirname(fileURLToPath(import.meta.url));
+	const packagedDistPath = path.resolve(moduleDir, "config", "template-source.json");
+	if (fs.existsSync(packagedDistPath)) return packagedDistPath;
+	const packagedPath = path.resolve(moduleDir, "..", "config", "template-source.json");
+	if (fs.existsSync(packagedPath)) return packagedPath;
+	const repoRootPath = path.resolve(moduleDir, "..", "..", "..", "..", "config", "template-source.json");
+	if (fs.existsSync(repoRootPath)) return repoRootPath;
+	const cwdPath = path.resolve(process.cwd(), "config", "template-source.json");
+	if (fs.existsSync(cwdPath)) return cwdPath;
+	throw new Error("template source config missing (expected config/template-source.json)");
+}
+function loadTemplateSourceDefaults() {
+	const configPath = resolveTemplateSourcePath();
+	const raw = fs.readFileSync(configPath, "utf8");
+	const parsed = JSON.parse(raw);
+	if (!parsed || typeof parsed !== "object") throw new Error(`template source config invalid: ${configPath}`);
+	return {
+		repo: String(parsed.repo || ""),
+		path: String(parsed.path || ""),
+		ref: String(parsed.ref || "")
+	};
+}
+function resolveTemplateSpec(args) {
+	const defaults = loadTemplateSourceDefaults();
+	const repo = firstNonEmpty(args.template, process.env["CLAWDLETS_TEMPLATE_REPO"], defaults.repo);
+	const tplPath = firstNonEmpty(args.templatePath, process.env["CLAWDLETS_TEMPLATE_PATH"], defaults.path);
+	const ref = firstNonEmpty(args.templateRef, process.env["CLAWDLETS_TEMPLATE_REF"], defaults.ref);
+	return normalizeTemplateSource({
+		repo: repo || "",
+		path: tplPath || "",
+		ref: ref || ""
+	});
+}
+
+//#endregion
+//#region src/commands/project.ts
+function wantsInteractive$1(flag) {
+	if (flag) return true;
+	const env$1 = String(process$1.env["CLAWDLETS_INTERACTIVE"] || "").trim();
+	return env$1 === "1" || env$1.toLowerCase() === "true";
+}
+function requireTtyIfInteractive(interactive) {
+	if (!interactive) return;
+	if (!process$1.stdout.isTTY) throw new Error("--interactive requires a TTY");
+}
+function applySubs(s, subs) {
+	let out = s;
+	for (const [k, v] of Object.entries(subs)) out = out.split(k).join(v);
+	return out;
+}
+function isProbablyText(file) {
+	const base = path.basename(file);
+	if (base === "Justfile" || base === "_gitignore") return true;
+	const ext = path.extname(file).toLowerCase();
+	return [
+		".md",
+		".nix",
+		".tf",
+		".hcl",
+		".json",
+		".yaml",
+		".yml",
+		".txt",
+		".lock",
+		".gitignore"
+	].includes(ext);
+}
+async function copyTree(params) {
+	const entries = await fs.promises.readdir(params.srcDir, { withFileTypes: true });
+	for (const ent of entries) {
+		const srcName = ent.name;
+		const srcPath = path.join(params.srcDir, srcName);
+		const renamed = srcName === "_gitignore" ? ".gitignore" : applySubs(srcName, params.subs);
+		const destPath = path.join(params.destDir, renamed);
+		if (ent.isDirectory()) {
+			await ensureDir(destPath);
+			await copyTree({
+				srcDir: srcPath,
+				destDir: destPath,
+				subs: params.subs
+			});
+			continue;
+		}
+		if (!ent.isFile()) continue;
+		const buf = await fs.promises.readFile(srcPath);
+		if (!isProbablyText(srcName)) {
+			await ensureDir(path.dirname(destPath));
+			await fs.promises.writeFile(destPath, buf);
+			continue;
+		}
+		await writeFileAtomic(destPath, applySubs(buf.toString("utf8"), params.subs));
+	}
+}
+async function dirHasAnyFiles(dir) {
+	try {
+		return (await fs.promises.readdir(dir)).length > 0;
+	} catch {
+		return false;
+	}
+}
+async function ensureHookExecutables(repoRoot) {
+	const hooksDir = path.join(repoRoot, ".githooks");
+	try {
+		const entries = await fs.promises.readdir(hooksDir, { withFileTypes: true });
+		let hasHooks = false;
+		for (const ent of entries) {
+			if (!ent.isFile()) continue;
+			const p$1 = path.join(hooksDir, ent.name);
+			await fs.promises.chmod(p$1, 493);
+			hasHooks = true;
+		}
+		return hasHooks;
+	} catch {
+		return false;
+	}
+}
+async function findTemplateRoot(dir) {
+	const direct = path.join(dir, "fleet", "clawdlets.json");
+	if (fs.existsSync(direct)) return dir;
+	const entries = await fs.promises.readdir(dir, { withFileTypes: true });
+	const candidates = [];
+	for (const ent of entries) {
+		if (!ent.isDirectory()) continue;
+		const candidate = path.join(dir, ent.name);
+		if (fs.existsSync(path.join(candidate, "fleet", "clawdlets.json"))) candidates.push(candidate);
+	}
+	if (candidates.length === 1) return candidates[0];
+	throw new Error(`template root missing fleet/clawdlets.json (searched: ${dir})`);
+}
+const projectInit = defineCommand({
+	meta: {
+		name: "init",
+		description: "Scaffold a new clawdlets infra repo (from clawdlets-template)."
+	},
+	args: {
+		dir: {
+			type: "string",
+			description: "Target directory (created if missing)."
+		},
+		host: {
+			type: "string",
+			description: "Host name placeholder (default: clawdbot-fleet-host).",
+			default: "clawdbot-fleet-host"
+		},
+		gitInit: {
+			type: "boolean",
+			description: "Run `git init` in the new directory.",
+			default: true
+		},
+		interactive: {
+			type: "boolean",
+			description: "Prompt for confirmation (requires TTY).",
+			default: false
+		},
+		dryRun: {
+			type: "boolean",
+			description: "Print planned files without writing.",
+			default: false
+		},
+		template: {
+			type: "string",
+			description: "Template repo (default: config/template-source.json)."
+		},
+		templatePath: {
+			type: "string",
+			description: "Template path inside repo (default: config/template-source.json)."
+		},
+		templateRef: {
+			type: "string",
+			description: "Template git ref (default: config/template-source.json)."
+		}
+	},
+	async run({ args }) {
+		const interactive = wantsInteractive$1(Boolean(args.interactive));
+		requireTtyIfInteractive(interactive);
+		const dirRaw = String(args.dir || "").trim();
+		if (!dirRaw) throw new Error("missing --dir");
+		const destDir = path.resolve(process$1.cwd(), dirRaw);
+		const host$1 = String(args.host || "clawdbot-fleet-host").trim() || "clawdbot-fleet-host";
+		assertSafeHostName(host$1);
+		const projectName = path.basename(destDir);
+		if (interactive) {
+			p.intro("clawdlets project init");
+			const ok = await p.confirm({
+				message: `Create project at ${destDir}?`,
+				initialValue: true
+			});
+			if (p.isCancel(ok)) {
+				if (await navOnCancel({
+					flow: "project init",
+					canBack: false
+				}) === NAV_EXIT) cancelFlow();
+				return;
+			}
+			if (!ok) {
+				cancelFlow();
+				return;
+			}
+		}
+		const templateSpec = resolveTemplateSpec({
+			template: args.template,
+			templatePath: args.templatePath,
+			templateRef: args.templateRef
+		});
+		if (fs.existsSync(destDir) && await dirHasAnyFiles(destDir)) throw new Error(`target dir not empty: ${destDir}`);
+		const subs = {
+			"__PROJECT_NAME__": projectName,
+			"clawdbot-fleet-host": host$1,
+			"clawdbot_fleet_host": host$1.replace(/-/g, "_")
+		};
+		const tempDir = await fs.promises.mkdtemp(path.join(tmpdir(), "clawdlets-template-"));
+		let templateDir = tempDir;
+		try {
+			templateDir = await findTemplateRoot((await downloadTemplate(templateSpec.spec, {
+				dir: tempDir,
+				force: true,
+				auth: String(process$1.env["GITHUB_TOKEN"] || process$1.env["CLAWDLETS_TEMPLATE_TOKEN"] || "").trim() || void 0
+			})).dir || tempDir);
+		} catch (e) {
+			await fs.promises.rm(tempDir, {
+				recursive: true,
+				force: true
+			});
+			throw e;
+		}
+		const planned = [];
+		const walk = async (srcDir, rel) => {
+			const entries = await fs.promises.readdir(srcDir, { withFileTypes: true });
+			for (const ent of entries) {
+				const srcName = ent.name;
+				const mapped = srcName === "_gitignore" ? ".gitignore" : applySubs(srcName, subs);
+				const nextRel = path.join(rel, mapped);
+				if (ent.isDirectory()) await walk(path.join(srcDir, srcName), nextRel);
+				else if (ent.isFile()) planned.push(nextRel);
+			}
+		};
+		await walk(templateDir, ".");
+		if (args.dryRun) {
+			p.note(planned.sort().join("\n"), "Planned files");
+			p.outro("dry-run");
+			await fs.promises.rm(tempDir, {
+				recursive: true,
+				force: true
+			});
+			return;
+		}
+		await ensureDir(destDir);
+		await copyTree({
+			srcDir: templateDir,
+			destDir,
+			subs
+		});
+		await fs.promises.rm(tempDir, {
+			recursive: true,
+			force: true
+		});
+		const hasHooks = await ensureHookExecutables(destDir);
+		{
+			const configPath = path.join(destDir, "fleet", "clawdlets.json");
+			const raw = await fs.promises.readFile(configPath, "utf8");
+			const parsed = JSON.parse(raw);
+			const hostCfg = parsed?.hosts?.[host$1];
+			if (hostCfg && typeof hostCfg === "object") {
+				hostCfg.cache = hostCfg.cache && typeof hostCfg.cache === "object" ? hostCfg.cache : {};
+				hostCfg.cache.garnix = hostCfg.cache.garnix && typeof hostCfg.cache.garnix === "object" ? hostCfg.cache.garnix : {};
+				hostCfg.cache.garnix.private = hostCfg.cache.garnix.private && typeof hostCfg.cache.garnix.private === "object" ? hostCfg.cache.garnix.private : {};
+				hostCfg.cache.garnix.private.enable = false;
+				await writeFileAtomic(configPath, `${JSON.stringify(parsed, null, 2)}\n`);
+			}
+		}
+		if (args.gitInit) try {
+			await capture("git", ["--version"], { cwd: destDir });
+			await run("git", ["init"], { cwd: destDir });
+			if (hasHooks) await run("git", [
+				"config",
+				"core.hooksPath",
+				".githooks"
+			], { cwd: destDir });
+		} catch {
+			if (interactive) p.note("git not available; skipped `git init`", "gitInit");
+		}
+		const next = [
+			"next:",
+			`- cd ${destDir}`,
+			"- create a git repo + set origin (recommended; enables blank base flake)",
+			"- clawdlets env init  # set HCLOUD_TOKEN in .clawdlets/env (required for provisioning)",
+			`- clawdlets host set --host ${host$1} --admin-cidr <your-ip>/32 --disk-device /dev/sda --add-ssh-key-file $HOME/.ssh/id_ed25519.pub`,
+			`- clawdlets host set --host ${host$1} --ssh-exposure bootstrap`,
+			`- clawdlets secrets init --host ${host$1}`,
+			`- clawdlets doctor --host ${host$1}`,
+			`- clawdlets bootstrap --host ${host$1}`,
+			`- clawdlets host set --host ${host$1} --target-host <ssh-alias|user@host>`,
+			`- clawdlets host set --host ${host$1} --ssh-exposure tailnet`,
+			`- clawdlets lockdown --host ${host$1}`
+		].join("\n");
+		if (interactive) p.outro(next);
+		else console.log(next);
+	}
+});
+const project = defineCommand({
+	meta: {
+		name: "project",
+		description: "Project scaffolding."
+	},
+	subCommands: { init: projectInit }
+});
+
+//#endregion
+//#region src/commands/ssh-target.ts
+function needsSudo(targetHost) {
+	return !/^root@/i.test(targetHost.trim());
+}
+function requireTargetHost(targetHost, hostName) {
+	const v = targetHost.trim();
+	if (v) return validateTargetHost(v);
+	throw new Error([
+		`missing target host for ${hostName}`,
+		"set it in fleet/clawdlets.json (hosts.<host>.targetHost) or pass --target-host",
+		"recommended: use an SSH config alias (e.g. botsmj)"
+	].join("; "));
+}
+
+//#endregion
+//#region src/commands/secrets/common.ts
+function quoteYamlString(value) {
+	return `"${value.replace(/\\/g, "\\\\").replace(/\r/g, "\\r").replace(/\n/g, "\\n").replace(/\t/g, "\\t").replace(/"/g, "\\\"")}"`;
+}
+function upsertYamlScalarLine(params) {
+	const { text, key, value } = params;
+	const escaped = key.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+	const rx = new RegExp(`^\\s*${escaped}\\s*:\\s*.*$`, "m");
+	const line = `${key}: ${quoteYamlString(value)}`;
+	if (rx.test(text)) return text.replace(rx, line);
+	return `${text.trimEnd()}\n${line}\n`;
+}
+
+//#endregion
+//#region src/commands/secrets/init.ts
+function wantsInteractive(flag) {
+	if (flag) return true;
+	const env$1 = String(process$1.env["CLAWDLETS_INTERACTIVE"] || "").trim();
+	return env$1 === "1" || env$1.toLowerCase() === "true";
+}
+function readSecretsInitJson(fromJson) {
+	const src = String(fromJson || "").trim();
+	if (!src) throw new Error("missing --from-json");
+	let raw;
+	if (src === "-") raw = fs.readFileSync(0, "utf8");
+	else {
+		const jsonPath = path.isAbsolute(src) ? src : path.resolve(process$1.cwd(), src);
+		if (!fs.existsSync(jsonPath)) throw new Error(`missing --from-json file: ${jsonPath}`);
+		raw = fs.readFileSync(jsonPath, "utf8");
+	}
+	return parseSecretsInitJson(raw);
+}
+const secretsInit = defineCommand({
+	meta: {
+		name: "init",
+		description: "Create/update secrets in /secrets (sops+age) and generate .clawdlets/extra-files/<host>/..."
+	},
+	args: {
+		runtimeDir: {
+			type: "string",
+			description: "Runtime directory (default: .clawdlets)."
+		},
+		host: {
+			type: "string",
+			description: "Host name (defaults to clawdlets.json defaultHost / sole host)."
+		},
+		interactive: {
+			type: "boolean",
+			description: "Prompt for secret values (requires TTY).",
+			default: false
+		},
+		fromJson: {
+			type: "string",
+			description: "Read secret values from JSON file (or '-' for stdin) (non-interactive)."
+		},
+		allowPlaceholders: {
+			type: "boolean",
+			description: "Allow placeholders for missing tokens.",
+			default: false
+		},
+		operator: {
+			type: "string",
+			description: "Operator id for local age key name (default: $USER)."
+		},
+		yes: {
+			type: "boolean",
+			description: "Overwrite without prompt.",
+			default: false
+		},
+		dryRun: {
+			type: "boolean",
+			description: "Print actions without writing.",
+			default: false
+		}
+	},
+	async run({ args }) {
+		const a = args;
+		const ctx = loadHostContextOrExit({
+			cwd: process$1.cwd(),
+			runtimeDir: a.runtimeDir,
+			hostArg: a.host
+		});
+		if (!ctx) return;
+		const { layout, config: clawdletsConfig, hostName, hostCfg } = ctx;
+		const hasTty = Boolean(process$1.stdin.isTTY && process$1.stdout.isTTY);
+		let interactive = wantsInteractive(Boolean(a.interactive));
+		if (!interactive && hasTty && !a.fromJson) interactive = true;
+		if (interactive && !hasTty) throw new Error("--interactive requires a TTY");
+		const operatorId = sanitizeOperatorId(String(a.operator || process$1.env.USER || "operator"));
+		const sopsConfigPath = layout.sopsConfigPath;
+		const operatorKeyPath = getLocalOperatorAgeKeyPath(layout, operatorId);
+		const operatorPubPath = path.join(layout.localOperatorKeysDir, `${operatorId}.age.pub`);
+		const hostKeyFile = getHostEncryptedAgeKeyFile(layout, hostName);
+		const extraFilesKeyPath = getHostExtraFilesKeyPath(layout, hostName);
+		const extraFilesSecretsDir = getHostExtraFilesSecretsDir(layout, hostName);
+		const localSecretsDir = getHostSecretsDir(layout, hostName);
+		const bots = clawdletsConfig.fleet.botOrder;
+		if (bots.length === 0) throw new Error("fleet.botOrder is empty (set bots in fleet/clawdlets.json)");
+		const requiresTailscaleAuthKey = String(hostCfg.tailnet?.mode || "none") === "tailscale";
+		const garnixPrivate = hostCfg.cache?.garnix?.private;
+		const garnixPrivateEnabled = Boolean(garnixPrivate?.enable);
+		const garnixNetrcSecretName = garnixPrivateEnabled ? String(garnixPrivate?.netrcSecret || "garnix_netrc").trim() : "";
+		const garnixNetrcPath = garnixPrivateEnabled ? String(garnixPrivate?.netrcPath || "/etc/nix/netrc").trim() : "";
+		if (garnixPrivateEnabled && !garnixNetrcSecretName) throw new Error("cache.garnix.private.netrcSecret must be set when private cache is enabled");
+		const secretsPlan = buildFleetSecretsPlan({
+			config: clawdletsConfig,
+			hostName
+		});
+		if (secretsPlan.missingSecretConfig.length > 0) {
+			const first = secretsPlan.missingSecretConfig[0];
+			if (first.kind === "discord") throw new Error(`missing discordTokenSecret for bot=${first.bot} (set fleet.bots.${first.bot}.profile.discordTokenSecret)`);
+			throw new Error(`missing modelSecrets entry for provider=${first.provider} (bot=${first.bot}, model=${first.model}); set fleet.modelSecrets.${first.provider}`);
+		}
+		const requiredSecretNames = new Set(secretsPlan.secretNamesRequired);
+		const discordSecretByName = /* @__PURE__ */ new Map();
+		for (const [bot$1, secretName] of Object.entries(secretsPlan.discordSecretsByBot)) if (secretName) discordSecretByName.set(secretName, bot$1);
+		const discordBotsRequired = bots.filter((b) => {
+			const secretName = secretsPlan.discordSecretsByBot[b] || "";
+			return secretName && requiredSecretNames.has(secretName);
+		});
+		const requiredExtraSecretNames = new Set([...requiredSecretNames, ...garnixPrivateEnabled ? [garnixNetrcSecretName] : []]);
+		const templateExtraSecrets = {};
+		for (const secretName of secretsPlan.secretNamesAll) templateExtraSecrets[secretName] = requiredSecretNames.has(secretName) ? "<REPLACE_WITH_SECRET>" : "<OPTIONAL>";
+		if (garnixPrivateEnabled) templateExtraSecrets[garnixNetrcSecretName] = "<REPLACE_WITH_NETRC>";
+		const defaultSecretsJsonPath = path.join(layout.runtimeDir, "secrets.json");
+		const defaultSecretsJsonDisplay = path.relative(process$1.cwd(), defaultSecretsJsonPath) || defaultSecretsJsonPath;
+		let fromJson = resolveSecretsInitFromJsonArg({
+			fromJsonRaw: a.fromJson,
+			argv: process$1.argv,
+			stdinIsTTY: Boolean(process$1.stdin.isTTY)
+		});
+		if (!interactive && !fromJson) if (fs.existsSync(defaultSecretsJsonPath)) {
+			fromJson = defaultSecretsJsonPath;
+			if (!a.allowPlaceholders) {
+				const placeholders = listSecretsInitPlaceholders({
+					input: parseSecretsInitJson(fs.readFileSync(defaultSecretsJsonPath, "utf8")),
+					bots,
+					discordBots: discordBotsRequired,
+					requiresTailscaleAuthKey
+				});
+				if (placeholders.length > 0) {
+					console.error(`error: placeholders found in ${defaultSecretsJsonDisplay} (fill it or pass --allow-placeholders)`);
+					for (const p0 of placeholders) console.error(`- ${p0}`);
+					process$1.exitCode = 1;
+					return;
+				}
+			}
+		} else {
+			const template = buildSecretsInitTemplate({
+				bots,
+				discordBots: discordBotsRequired,
+				requiresTailscaleAuthKey,
+				secrets: templateExtraSecrets
+			});
+			if (!a.dryRun) {
+				await ensureDir(path.dirname(defaultSecretsJsonPath));
+				await writeFileAtomic(defaultSecretsJsonPath, `${JSON.stringify(template, null, 2)}\n`, { mode: 384 });
+			}
+			console.error(`${a.dryRun ? "would write" : "wrote"} secrets template: ${defaultSecretsJsonDisplay}`);
+			if (a.dryRun) console.error("run without --dry-run to write it");
+			else console.error(`fill it, then run: clawdlets secrets init --from-json ${defaultSecretsJsonDisplay}`);
+			process$1.exitCode = 1;
+			return;
+		}
+		validateSecretsInitNonInteractive({
+			interactive,
+			fromJson,
+			yes: Boolean(a.yes),
+			dryRun: Boolean(a.dryRun),
+			localSecretsDirExists: fs.existsSync(localSecretsDir)
+		});
+		if (interactive && fs.existsSync(localSecretsDir) && !a.yes) {
+			const ok = await p.confirm({
+				message: `Update existing secrets dir? (${localSecretsDir})`,
+				initialValue: true
+			});
+			if (p.isCancel(ok)) {
+				if (await navOnCancel({
+					flow: "secrets init",
+					canBack: false
+				}) === NAV_EXIT) cancelFlow();
+				return;
+			}
+			if (!ok) return;
+		}
+		const nix = {
+			nixBin: String(process$1.env.NIX_BIN || "nix").trim() || "nix",
+			cwd: layout.repoRoot,
+			dryRun: Boolean(a.dryRun)
+		};
+		const ensureAgePair = async (keyPath, pubPath) => {
+			if (fs.existsSync(keyPath) && fs.existsSync(pubPath)) {
+				const parsed = parseAgeKeyFile(fs.readFileSync(keyPath, "utf8"));
+				const publicKey = fs.readFileSync(pubPath, "utf8").trim();
+				if (!parsed.secretKey) throw new Error(`invalid age key: ${keyPath}`);
+				if (!publicKey) throw new Error(`invalid age public key: ${pubPath}`);
+				return {
+					secretKey: parsed.secretKey,
+					publicKey
+				};
+			}
+			const pair = await ageKeygen(nix);
+			if (!a.dryRun) {
+				await ensureDir(path.dirname(keyPath));
+				await writeFileAtomic(keyPath, pair.fileText, { mode: 384 });
+				await writeFileAtomic(pubPath, `${pair.publicKey}\n`, { mode: 420 });
+			}
+			return {
+				secretKey: pair.secretKey,
+				publicKey: pair.publicKey
+			};
+		};
+		const operatorKeys = await ensureAgePair(operatorKeyPath, operatorPubPath);
+		const withHostKeyRule = upsertSopsCreationRule({
+			existingYaml: fs.existsSync(sopsConfigPath) ? fs.readFileSync(sopsConfigPath, "utf8") : void 0,
+			pathRegex: getHostAgeKeySopsCreationRulePathRegex(layout, hostName),
+			ageRecipients: [operatorKeys.publicKey]
+		});
+		let hostKeys;
+		if (fs.existsSync(hostKeyFile)) if (a.dryRun) hostKeys = {
+			publicKey: "age1dryrundryrundryrundryrundryrundryrundryrundryrundryrun0l9p4",
+			secretKey: "AGE-SECRET-KEY-DRYRUNDRYRUNDRYRUNDRYRUNDRYRUNDRYRUNDRYRUNDRYRUN"
+		};
+		else {
+			const decrypted = await sopsDecryptYamlFile({
+				filePath: hostKeyFile,
+				ageKeyFile: operatorKeyPath,
+				nix
+			});
+			const secretKey = readYamlScalarFromMapping({
+				yamlText: decrypted,
+				key: "age_secret_key"
+			})?.trim() || "";
+			const publicKey = readYamlScalarFromMapping({
+				yamlText: decrypted,
+				key: "age_public_key"
+			})?.trim() || "";
+			if (!secretKey || !publicKey) throw new Error(`invalid host age key file: ${hostKeyFile}`);
+			hostKeys = {
+				secretKey,
+				publicKey
+			};
+		}
+		else {
+			const pair = await ageKeygen(nix);
+			hostKeys = {
+				secretKey: pair.secretKey,
+				publicKey: pair.publicKey
+			};
+			const plaintextYaml = upsertYamlScalarLine({
+				text: upsertYamlScalarLine({
+					text: "\n",
+					key: "age_public_key",
+					value: pair.publicKey
+				}),
+				key: "age_secret_key",
+				value: pair.secretKey
+			}) + "\n";
+			if (!a.dryRun) {
+				await ensureDir(path.dirname(sopsConfigPath));
+				await writeFileAtomic(sopsConfigPath, withHostKeyRule, { mode: 420 });
+				await sopsEncryptYamlToFile({
+					plaintextYaml,
+					outPath: hostKeyFile,
+					configPath: sopsConfigPath,
+					nix
+				});
+			}
+		}
+		const nextSops = upsertSopsCreationRule({
+			existingYaml: withHostKeyRule,
+			pathRegex: getHostSecretsSopsCreationRulePathRegex(layout, hostName),
+			ageRecipients: [hostKeys.publicKey, operatorKeys.publicKey]
+		});
+		if (!a.dryRun) {
+			await ensureDir(path.dirname(sopsConfigPath));
+			await writeFileAtomic(sopsConfigPath, nextSops, { mode: 420 });
+			await ensureDir(path.dirname(extraFilesKeyPath));
+			await writeFileAtomic(extraFilesKeyPath, `${hostKeys.secretKey}\n`, { mode: 384 });
+		}
+		const readExistingScalar = async (secretName) => {
+			const p0 = path.join(localSecretsDir, `${secretName}.yaml`);
+			if (!fs.existsSync(p0)) return null;
+			try {
+				return readYamlScalarFromMapping({
+					yamlText: await sopsDecryptYamlFile({
+						filePath: p0,
+						ageKeyFile: operatorKeyPath,
+						nix
+					}),
+					key: secretName
+				});
+			} catch {
+				return null;
+			}
+		};
+		const flowSecrets = "secrets init";
+		const values = {
+			adminPassword: "",
+			adminPasswordHash: "",
+			tailscaleAuthKey: "",
+			secrets: {},
+			discordTokens: {}
+		};
+		if (interactive) {
+			const discordSecretNames = new Set(Object.values(secretsPlan.discordSecretsByBot).filter(Boolean));
+			const requiredExtraSecrets = Array.from(requiredExtraSecretNames).filter((s) => !discordSecretNames.has(s)).sort();
+			const discordTokenBots = [];
+			const seenDiscordSecrets = /* @__PURE__ */ new Set();
+			for (const bot$1 of bots) {
+				const secretName = secretsPlan.discordSecretsByBot[bot$1] || "";
+				if (!secretName) continue;
+				if (!requiredSecretNames.has(secretName)) continue;
+				if (seenDiscordSecrets.has(secretName)) continue;
+				seenDiscordSecrets.add(secretName);
+				discordTokenBots.push({
+					bot: bot$1,
+					secretName
+				});
+			}
+			const allSteps = [
+				{ kind: "adminPassword" },
+				...requiresTailscaleAuthKey ? [{ kind: "tailscaleAuthKey" }] : [],
+				...requiredExtraSecrets.map((secretName) => garnixPrivateEnabled && secretName === garnixNetrcSecretName ? {
+					kind: "garnixNetrcFile",
+					secretName,
+					netrcPath: garnixNetrcPath || "/etc/nix/netrc"
+				} : {
+					kind: "secret",
+					secretName
+				}),
+				...discordTokenBots.map((b) => ({
+					kind: "discordToken",
+					bot: b.bot,
+					secretName: b.secretName
+				}))
+			];
+			for (let i = 0; i < allSteps.length;) {
+				const step = allSteps[i];
+				let v;
+				if (step.kind === "adminPassword") v = await p.password({ message: "Admin password (used to generate admin_password_hash; leave blank to keep existing/placeholder)" });
+				else if (step.kind === "tailscaleAuthKey") v = await p.password({ message: "Tailscale auth key (tailscale_auth_key) (required for non-interactive tailnet bootstrap)" });
+				else if (step.kind === "garnixNetrcFile") v = await p.text({
+					message: `Path to netrc file for private Garnix cache (${step.secretName} → ${step.netrcPath}) (required)`,
+					placeholder: `${layout.runtimeDir}/garnix.netrc`
+				});
+				else if (step.kind === "secret") v = await p.password({ message: `Secret value (${step.secretName}) (required)` });
+				else v = await p.password({ message: `Discord token for ${step.bot} (${step.secretName}) (required)` });
+				if (p.isCancel(v)) {
+					if (await navOnCancel({
+						flow: flowSecrets,
+						canBack: i > 0
+					}) === NAV_EXIT) {
+						cancelFlow();
+						return;
+					}
+					i = Math.max(0, i - 1);
+					continue;
+				}
+				const s = String(v ?? "");
+				if (step.kind === "adminPassword") values.adminPassword = s;
+				else if (step.kind === "tailscaleAuthKey") values.tailscaleAuthKey = s;
+				else if (step.kind === "garnixNetrcFile") {
+					const rawPath = s.trim();
+					if (!rawPath) values.secrets[step.secretName] = "";
+					else {
+						const expanded = expandPath(rawPath);
+						const abs = path.isAbsolute(expanded) ? expanded : path.resolve(layout.repoRoot, expanded);
+						const stat = fs.statSync(abs);
+						if (!stat.isFile()) throw new Error(`not a file: ${abs}`);
+						if (stat.size > 64 * 1024) throw new Error(`netrc file too large (>64KB): ${abs}`);
+						const netrc = fs.readFileSync(abs, "utf8").trimEnd();
+						if (!netrc) throw new Error(`netrc file is empty: ${abs}`);
+						values.secrets[step.secretName] = netrc;
+					}
+				} else if (step.kind === "secret") values.secrets[step.secretName] = s;
+				else {
+					values.discordTokens[step.bot] = s;
+					values.secrets[step.secretName] = s;
+				}
+				i += 1;
+			}
+		} else {
+			const input = readSecretsInitJson(String(fromJson));
+			values.adminPasswordHash = input.adminPasswordHash;
+			values.tailscaleAuthKey = input.tailscaleAuthKey || "";
+			values.secrets = input.secrets || {};
+			values.discordTokens = input.discordTokens || {};
+		}
+		const secretsToWrite = secretsPlan.secretNamesAll;
+		const requiredSecrets = Array.from(new Set([
+			...requiresTailscaleAuthKey ? ["tailscale_auth_key"] : [],
+			"admin_password_hash",
+			...garnixPrivateEnabled ? [garnixNetrcSecretName] : [],
+			...secretsToWrite
+		]));
+		const isOptionalMarker = (v) => String(v || "").trim() === "<OPTIONAL>";
+		const resolvedValues = {};
+		for (const secretName of requiredSecrets) {
+			const existing = await readExistingScalar(secretName);
+			if (secretName === "tailscale_auth_key") {
+				if (values.tailscaleAuthKey.trim()) resolvedValues[secretName] = values.tailscaleAuthKey.trim();
+				else if (existing && !isPlaceholderSecretValue(existing)) resolvedValues[secretName] = existing;
+				else if (a.allowPlaceholders) resolvedValues[secretName] = "<FILL_ME>";
+				else throw new Error("missing tailscale auth key (tailscale_auth_key); pass --allow-placeholders only if you intend to set it later");
+				continue;
+			}
+			if (secretName === "admin_password_hash") {
+				if (values.adminPasswordHash.trim()) resolvedValues[secretName] = values.adminPasswordHash.trim();
+				else if (values.adminPassword.trim()) resolvedValues[secretName] = a.dryRun ? "<admin_password_hash>" : await mkpasswdYescryptHash(String(values.adminPassword), nix);
+				else resolvedValues[secretName] = existing ?? "<FILL_ME>";
+				continue;
+			}
+			if (discordSecretByName.has(secretName)) {
+				const bot$1 = discordSecretByName.get(secretName) || "";
+				const required$1 = requiredSecretNames.has(secretName);
+				const vv$1 = (bot$1 ? values.discordTokens[bot$1]?.trim() : "") || values.secrets?.[secretName]?.trim() || "";
+				if (vv$1) resolvedValues[secretName] = vv$1;
+				else if (existing) resolvedValues[secretName] = existing;
+				else if (!required$1) resolvedValues[secretName] = "<OPTIONAL>";
+				else if (a.allowPlaceholders) resolvedValues[secretName] = "<FILL_ME>";
+				else throw new Error(`missing discord token for ${bot$1 || secretName} (provide it in --from-json.discordTokens or pass --allow-placeholders)`);
+				continue;
+			}
+			const vv = values.secrets?.[secretName]?.trim() || "";
+			const required = requiredExtraSecretNames.has(secretName);
+			if (vv && !(required && isOptionalMarker(vv))) {
+				resolvedValues[secretName] = vv;
+				continue;
+			}
+			if (existing && (!required || !isPlaceholderSecretValue(existing) && !isOptionalMarker(existing) && existing.trim())) {
+				resolvedValues[secretName] = existing;
+				continue;
+			}
+			if (required) {
+				if (a.allowPlaceholders) resolvedValues[secretName] = "<FILL_ME>";
+				else throw new Error(`missing required secret: ${secretName} (set it in --from-json.secrets or via interactive prompts)`);
+				continue;
+			}
+			resolvedValues[secretName] = "<OPTIONAL>";
+		}
+		if (!a.dryRun) {
+			await ensureDir(localSecretsDir);
+			await ensureDir(extraFilesSecretsDir);
+			for (const secretName of requiredSecrets) {
+				const outPath = path.join(localSecretsDir, `${secretName}.yaml`);
+				await sopsEncryptYamlToFile({
+					plaintextYaml: upsertYamlScalarLine({
+						text: "\n",
+						key: secretName,
+						value: resolvedValues[secretName] ?? ""
+					}),
+					outPath,
+					configPath: sopsConfigPath,
+					nix
+				});
+				const encrypted = fs.readFileSync(outPath, "utf8");
+				await writeFileAtomic(path.join(extraFilesSecretsDir, `${secretName}.yaml`), encrypted, { mode: 256 });
+			}
+		}
+		console.log(`ok: secrets ready at ${localSecretsDir}`);
+		console.log(`ok: sops config at ${sopsConfigPath}`);
+		console.log(`ok: operator age key at ${operatorKeyPath}`);
+		console.log(`ok: host age key (encrypted) at ${hostKeyFile}`);
+		console.log(`ok: extra-files key at ${extraFilesKeyPath}`);
+		console.log(`ok: extra-files secrets at ${extraFilesSecretsDir}`);
+	}
+});
+
+//#endregion
+//#region src/commands/secrets/path.ts
+const secretsPath = defineCommand({
+	meta: {
+		name: "path",
+		description: "Print local + remote secrets paths for a host."
+	},
+	args: {
+		runtimeDir: {
+			type: "string",
+			description: "Runtime directory (default: .clawdlets)."
+		},
+		host: {
+			type: "string",
+			description: "Host name (defaults to clawdlets.json defaultHost / sole host)."
+		}
+	},
+	async run({ args }) {
+		const ctx = loadHostContextOrExit({
+			cwd: process$1.cwd(),
+			runtimeDir: args.runtimeDir,
+			hostArg: args.host
+		});
+		if (!ctx) return;
+		const { layout, hostName } = ctx;
+		console.log(`local: ${getHostSecretsDir(layout, hostName)}`);
+		console.log(`remote: ${getHostRemoteSecretsDir(hostName)}`);
+	}
+});
+
+//#endregion
+//#region src/commands/secrets/sync.ts
+const secretsSync = defineCommand({
+	meta: {
+		name: "sync",
+		description: "Copy local secrets to the server via the install-secrets allowlist."
+	},
+	args: {
+		runtimeDir: {
+			type: "string",
+			description: "Runtime directory (default: .clawdlets)."
+		},
+		host: {
+			type: "string",
+			description: "Host name (defaults to clawdlets.json defaultHost / sole host)."
+		},
+		targetHost: {
+			type: "string",
+			description: "SSH target override (default: from clawdlets.json)."
+		},
+		rev: {
+			type: "string",
+			description: "Git rev for secrets metadata (HEAD/sha/tag).",
+			default: "HEAD"
+		},
+		sshTty: {
+			type: "boolean",
+			description: "Allocate TTY for sudo prompts.",
+			default: true
+		}
+	},
+	async run({ args }) {
+		const ctx = loadHostContextOrExit({
+			cwd: process$1.cwd(),
+			runtimeDir: args.runtimeDir,
+			hostArg: args.host
+		});
+		if (!ctx) return;
+		const { layout, hostName, hostCfg } = ctx;
+		const targetHost = requireTargetHost(String(args.targetHost || hostCfg.targetHost || ""), hostName);
+		const localDir = getHostSecretsDir(layout, hostName);
+		const remoteDir = getHostRemoteSecretsDir(hostName);
+		const revRaw = String(args.rev || "").trim() || "HEAD";
+		const resolved = await resolveGitRev(layout.repoRoot, revRaw);
+		if (!resolved) throw new Error(`unable to resolve git rev: ${revRaw}`);
+		const { tarPath: tarLocal, digest } = await createSecretsTar({
+			hostName,
+			localDir
+		});
+		const tarRemote = `/tmp/clawdlets-secrets.${hostName}.${process$1.pid}.tgz`;
+		try {
+			await run("scp", [tarLocal, `${targetHost}:${tarRemote}`], { redact: [] });
+		} finally {
+			try {
+				if (fs.existsSync(tarLocal)) fs.unlinkSync(tarLocal);
+			} catch {}
+		}
+		const sudo = needsSudo(targetHost);
+		await sshRun(targetHost, [
+			...sudo ? ["sudo"] : [],
+			"/etc/clawdlets/bin/install-secrets",
+			"--host",
+			hostName,
+			"--tar",
+			tarRemote,
+			"--rev",
+			resolved,
+			"--digest",
+			digest
+		].map(shellQuote).join(" "), { tty: sudo && args.sshTty });
+		console.log(`ok: synced secrets to ${remoteDir}`);
+	}
+});
+
+//#endregion
+//#region src/commands/secrets/verify.ts
+const secretsVerify = defineCommand({
+	meta: {
+		name: "verify",
+		description: "Verify secrets decrypt correctly and contain no placeholders."
+	},
+	args: {
+		runtimeDir: {
+			type: "string",
+			description: "Runtime directory (default: .clawdlets)."
+		},
+		envFile: {
+			type: "string",
+			description: "Env file for deploy creds (default: <runtimeDir>/env)."
+		},
+		host: {
+			type: "string",
+			description: "Host name (defaults to clawdlets.json defaultHost / sole host)."
+		},
+		operator: {
+			type: "string",
+			description: "Operator id for age key name (default: $USER). Used if SOPS_AGE_KEY_FILE is not set."
+		},
+		ageKeyFile: {
+			type: "string",
+			description: "Override SOPS_AGE_KEY_FILE path."
+		},
+		json: {
+			type: "boolean",
+			description: "Output JSON.",
+			default: false
+		}
+	},
+	async run({ args }) {
+		const cwd = process$1.cwd();
+		const ctx = loadHostContextOrExit({
+			cwd,
+			runtimeDir: args.runtimeDir,
+			hostArg: args.host
+		});
+		if (!ctx) return;
+		const { layout, config: config$1, hostName, hostCfg } = ctx;
+		const deployCreds = loadDeployCreds({
+			cwd,
+			runtimeDir: args.runtimeDir,
+			envFile: args.envFile
+		});
+		if (deployCreds.envFile?.origin === "explicit" && deployCreds.envFile.status !== "ok") throw new Error(`deploy env file rejected: ${deployCreds.envFile.path} (${deployCreds.envFile.error || deployCreds.envFile.status})`);
+		const operatorId = sanitizeOperatorId(String(args.operator || process$1.env.USER || "operator"));
+		const operatorKeyPath = (args.ageKeyFile ? String(args.ageKeyFile).trim() : "") || (deployCreds.values.SOPS_AGE_KEY_FILE ? String(deployCreds.values.SOPS_AGE_KEY_FILE).trim() : "") || getLocalOperatorAgeKeyPath(layout, operatorId);
+		const nix = {
+			nixBin: String(deployCreds.values.NIX_BIN || "nix").trim() || "nix",
+			cwd: layout.repoRoot,
+			dryRun: false
+		};
+		const localDir = getHostSecretsDir(layout, hostName);
+		const secretsPlan = buildFleetSecretsPlan({
+			config: config$1,
+			hostName
+		});
+		const requiredSecretNames = new Set(secretsPlan.secretNamesRequired);
+		const tailnetMode = String(hostCfg.tailnet?.mode || "none");
+		const requiredSecrets = Array.from(new Set([...tailnetMode === "tailscale" ? ["tailscale_auth_key"] : [], "admin_password_hash"]));
+		const secretNames = secretsPlan.secretNamesAll;
+		const optionalSecrets = ["root_password_hash"];
+		const results = [];
+		if (!fs.existsSync(operatorKeyPath)) results.push({
+			secret: "SOPS_AGE_KEY_FILE",
+			status: "missing",
+			detail: operatorKeyPath
+		});
+		const verifyOne = async (secretName, optional, allowOptionalMarker) => {
+			const filePath = path.join(localDir, `${secretName}.yaml`);
+			if (!fs.existsSync(filePath)) {
+				results.push({
+					secret: secretName,
+					status: optional ? "warn" : "missing",
+					detail: `(missing: ${filePath})`
+				});
+				return;
+			}
+			try {
+				const decrypted = await sopsDecryptYamlFile({
+					filePath,
+					ageKeyFile: operatorKeyPath,
+					nix
+				});
+				const parsed = YAML.parse(decrypted) || {};
+				const keys = Object.keys(parsed).filter((k) => k !== "sops");
+				if (keys.length !== 1 || keys[0] !== secretName) {
+					results.push({
+						secret: secretName,
+						status: "missing",
+						detail: "(invalid: expected exactly 1 key matching filename)"
+					});
+					return;
+				}
+				const v = parsed[secretName];
+				const value = typeof v === "string" ? v : v == null ? "" : String(v);
+				if (!allowOptionalMarker && value.trim() === "<OPTIONAL>") {
+					results.push({
+						secret: secretName,
+						status: "missing",
+						detail: "(placeholder: <OPTIONAL>)"
+					});
+					return;
+				}
+				if (!optional && isPlaceholderSecretValue(value)) {
+					results.push({
+						secret: secretName,
+						status: "missing",
+						detail: `(placeholder: ${value.trim()})`
+					});
+					return;
+				}
+				if (optional && isPlaceholderSecretValue(value)) {
+					results.push({
+						secret: secretName,
+						status: "missing",
+						detail: `(placeholder: ${value.trim()})`
+					});
+					return;
+				}
+				if (!optional && !value.trim()) {
+					results.push({
+						secret: secretName,
+						status: "missing",
+						detail: "(empty)"
+					});
+					return;
+				}
+				results.push({
+					secret: secretName,
+					status: "ok"
+				});
+			} catch (e) {
+				results.push({
+					secret: secretName,
+					status: "missing",
+					detail: String(e?.message || e)
+				});
+			}
+		};
+		if (!fs.existsSync(localDir)) results.push({
+			secret: "secrets.localDir",
+			status: "missing",
+			detail: localDir
+		});
+		else {
+			for (const s of requiredSecrets) await verifyOne(s, false, false);
+			for (const s of secretNames) await verifyOne(s, false, !requiredSecretNames.has(s));
+			for (const s of optionalSecrets) await verifyOne(s, true, true);
+		}
+		if (args.json) console.log(JSON.stringify({
+			host: hostName,
+			localDir,
+			results
+		}, null, 2));
+		else for (const r of results) console.log(`${r.status}: ${r.secret}${r.detail ? ` (${r.detail})` : ""}`);
+		if (results.some((r) => r.status === "missing")) process$1.exitCode = 1;
+	}
+});
+
+//#endregion
+//#region src/commands/secrets.ts
+const secrets = defineCommand({
+	meta: {
+		name: "secrets",
+		description: "Secrets workflow (/secrets + extra-files + sync)."
+	},
+	subCommands: {
+		init: secretsInit,
+		verify: secretsVerify,
+		sync: secretsSync,
+		path: secretsPath
+	}
+});
+
+//#endregion
+//#region src/commands/server/github-sync.ts
+function normalizeKind(raw) {
+	const v = raw.trim();
+	if (v === "prs" || v === "issues") return v;
+	throw new Error(`invalid --kind: ${raw} (expected prs|issues)`);
+}
+const serverGithubSyncStatus = defineCommand({
+	meta: {
+		name: "status",
+		description: "Show GitHub sync timers (clawdbot-gh-sync-*.timer)."
+	},
+	args: {
+		runtimeDir: {
+			type: "string",
+			description: "Runtime directory (default: .clawdlets)."
+		},
+		host: {
+			type: "string",
+			description: "Host name (defaults to clawdlets.json defaultHost / sole host)."
+		},
+		targetHost: {
+			type: "string",
+			description: "SSH target override (default: from clawdlets.json)."
+		},
+		sshTty: {
+			type: "boolean",
+			description: "Allocate TTY for sudo prompts.",
+			default: true
+		}
+	},
+	async run({ args }) {
+		const ctx = loadHostContextOrExit({
+			cwd: process$1.cwd(),
+			runtimeDir: args.runtimeDir,
+			hostArg: args.host
+		});
+		if (!ctx) return;
+		const { hostName, hostCfg } = ctx;
+		const targetHost = requireTargetHost(String(args.targetHost || hostCfg.targetHost || ""), hostName);
+		const sudo = needsSudo(targetHost);
+		await sshRun(targetHost, [
+			...sudo ? ["sudo"] : [],
+			"systemctl",
+			"list-timers",
+			"--all",
+			"--no-pager",
+			shellQuote("clawdbot-gh-sync-*.timer")
+		].join(" "), { tty: sudo && args.sshTty });
+	}
+});
+const serverGithubSyncRun = defineCommand({
+	meta: {
+		name: "run",
+		description: "Run a GitHub sync now (oneshot)."
+	},
+	args: {
+		runtimeDir: {
+			type: "string",
+			description: "Runtime directory (default: .clawdlets)."
+		},
+		host: {
+			type: "string",
+			description: "Host name (defaults to clawdlets.json defaultHost / sole host)."
+		},
+		targetHost: {
+			type: "string",
+			description: "SSH target override (default: from clawdlets.json)."
+		},
+		bot: {
+			type: "string",
+			description: "Bot id (default: all bots with sync enabled)."
+		},
+		sshTty: {
+			type: "boolean",
+			description: "Allocate TTY for sudo prompts.",
+			default: true
+		}
+	},
+	async run({ args }) {
+		const ctx = loadHostContextOrExit({
+			cwd: process$1.cwd(),
+			runtimeDir: args.runtimeDir,
+			hostArg: args.host
+		});
+		if (!ctx) return;
+		const { hostName, hostCfg } = ctx;
+		const targetHost = requireTargetHost(String(args.targetHost || hostCfg.targetHost || ""), hostName);
+		const bot$1 = String(args.bot || "").trim();
+		const unit = bot$1 ? `clawdbot-gh-sync-${bot$1}.service` : "clawdbot-gh-sync-*.service";
+		const sudo = needsSudo(targetHost);
+		await sshRun(targetHost, [
+			...sudo ? ["sudo"] : [],
+			"systemctl",
+			"start",
+			shellQuote(unit)
+		].join(" "), { tty: sudo && args.sshTty });
+	}
+});
+const serverGithubSyncLogs = defineCommand({
+	meta: {
+		name: "logs",
+		description: "Show GitHub sync logs (journalctl)."
+	},
+	args: {
+		runtimeDir: {
+			type: "string",
+			description: "Runtime directory (default: .clawdlets)."
+		},
+		host: {
+			type: "string",
+			description: "Host name (defaults to clawdlets.json defaultHost / sole host)."
+		},
+		targetHost: {
+			type: "string",
+			description: "SSH target override (default: from clawdlets.json)."
+		},
+		bot: {
+			type: "string",
+			description: "Bot id (required)."
+		},
+		follow: {
+			type: "boolean",
+			description: "Follow logs.",
+			default: false
+		},
+		lines: {
+			type: "string",
+			description: "Number of lines (default: 200).",
+			default: "200"
+		},
+		sshTty: {
+			type: "boolean",
+			description: "Allocate TTY for sudo prompts.",
+			default: true
+		}
+	},
+	async run({ args }) {
+		const ctx = loadHostContextOrExit({
+			cwd: process$1.cwd(),
+			runtimeDir: args.runtimeDir,
+			hostArg: args.host
+		});
+		if (!ctx) return;
+		const { hostName, hostCfg } = ctx;
+		const targetHost = requireTargetHost(String(args.targetHost || hostCfg.targetHost || ""), hostName);
+		const bot$1 = String(args.bot || "").trim();
+		if (!bot$1) throw new Error("missing --bot (example: --bot maren)");
+		const sudo = needsSudo(targetHost);
+		const unit = `clawdbot-gh-sync-${bot$1}.service`;
+		const n = String(args.lines || "200").trim() || "200";
+		if (!/^\d+$/.test(n) || Number(n) <= 0) throw new Error(`invalid --lines: ${n}`);
+		await sshRun(targetHost, [
+			...sudo ? ["sudo"] : [],
+			"journalctl",
+			"-u",
+			shellQuote(unit),
+			"-n",
+			shellQuote(n),
+			...args.follow ? ["-f"] : [],
+			"--no-pager"
+		].join(" "), { tty: sudo && args.sshTty });
+	}
+});
+const serverGithubSyncShow = defineCommand({
+	meta: {
+		name: "show",
+		description: "Show the last synced snapshot (prs|issues) from bot workspace memory."
+	},
+	args: {
+		runtimeDir: {
+			type: "string",
+			description: "Runtime directory (default: .clawdlets)."
+		},
+		host: {
+			type: "string",
+			description: "Host name (defaults to clawdlets.json defaultHost / sole host)."
+		},
+		targetHost: {
+			type: "string",
+			description: "SSH target override (default: from clawdlets.json)."
+		},
+		bot: {
+			type: "string",
+			description: "Bot id (required)."
+		},
+		kind: {
+			type: "string",
+			description: "Snapshot kind: prs|issues.",
+			default: "prs"
+		},
+		lines: {
+			type: "string",
+			description: "Max lines to print (default: 200).",
+			default: "200"
+		},
+		sshTty: {
+			type: "boolean",
+			description: "Allocate TTY for sudo prompts.",
+			default: true
+		}
+	},
+	async run({ args }) {
+		const ctx = loadHostContextOrExit({
+			cwd: process$1.cwd(),
+			runtimeDir: args.runtimeDir,
+			hostArg: args.host
+		});
+		if (!ctx) return;
+		const { hostName, hostCfg } = ctx;
+		const targetHost = requireTargetHost(String(args.targetHost || hostCfg.targetHost || ""), hostName);
+		const bot$1 = String(args.bot || "").trim();
+		if (!bot$1) throw new Error("missing --bot (example: --bot maren)");
+		const kind = normalizeKind(String(args.kind || "prs"));
+		const n = String(args.lines || "200").trim() || "200";
+		if (!/^\d+$/.test(n) || Number(n) <= 0) throw new Error(`invalid --lines: ${n}`);
+		const sudo = needsSudo(targetHost);
+		await sshRun(targetHost, [
+			...sudo ? ["sudo"] : [],
+			"/etc/clawdlets/bin/gh-sync-read",
+			shellQuote(bot$1),
+			shellQuote(kind),
+			shellQuote(n)
+		].join(" "), { tty: sudo && args.sshTty });
+	}
+});
+const serverGithubSync = defineCommand({
+	meta: {
+		name: "github-sync",
+		description: "GitHub inventory sync (systemd timers + logs + snapshots)."
+	},
+	subCommands: {
+		status: serverGithubSyncStatus,
+		run: serverGithubSyncRun,
+		logs: serverGithubSyncLogs,
+		show: serverGithubSyncShow
+	}
+});
+
+//#endregion
+//#region src/lib/deploy-manifest.ts
+const REV_RE = /^[0-9a-f]{40}$/;
+const DIGEST_RE = /^[0-9a-f]{64}$/;
+function requireRev(value) {
+	const v = value.trim();
+	if (!REV_RE.test(v)) throw new Error(`invalid rev (expected 40-char sha): ${v || "<empty>"}`);
+	return v;
+}
+function requireToplevel(value) {
+	const v = value.trim();
+	if (!v) throw new Error("missing toplevel store path");
+	if (/\s/.test(v)) throw new Error(`invalid toplevel (contains whitespace): ${v}`);
+	if (!v.startsWith("/nix/store/")) throw new Error(`invalid toplevel (expected /nix/store/...): ${v}`);
+	return v;
+}
+function parseDeployManifest(manifestPath) {
+	const raw = fs.readFileSync(manifestPath, "utf8");
+	let parsed;
+	try {
+		parsed = JSON.parse(raw);
+	} catch (e) {
+		throw new Error(`invalid deploy manifest JSON: ${manifestPath} (${String(e?.message || e)})`);
+	}
+	if (!parsed || typeof parsed !== "object") throw new Error(`invalid deploy manifest: ${manifestPath}`);
+	const rev = requireRev(String(parsed.rev ?? ""));
+	const host$1 = String(parsed.host ?? "").trim();
+	if (!host$1) throw new Error(`invalid deploy manifest host: ${manifestPath}`);
+	const toplevel = requireToplevel(String(parsed.toplevel ?? ""));
+	const secretsDigestRaw = String(parsed.secretsDigest ?? "").trim();
+	const secretsDigest = secretsDigestRaw ? secretsDigestRaw : void 0;
+	if (secretsDigest && !DIGEST_RE.test(secretsDigest)) throw new Error(`invalid deploy manifest secretsDigest (expected sha256 hex): ${manifestPath}`);
+	return {
+		rev,
+		host: host$1,
+		toplevel,
+		secretsDigest
+	};
+}
+function formatDeployManifest(manifest) {
+	return `${JSON.stringify(manifest, null, 2)}\n`;
+}
+
+//#endregion
+//#region src/lib/manifest-signature.ts
+function resolveManifestSignaturePath(params) {
+	const sigArg = String(params.signaturePathArg || "").trim();
+	if (sigArg) return path.isAbsolute(sigArg) ? sigArg : path.resolve(params.cwd, sigArg);
+	const fallback = `${params.manifestPath}.minisig`;
+	if (fs.existsSync(fallback)) return fallback;
+	throw new Error("manifest signature missing (provide --manifest-signature or <manifest>.minisig)");
+}
+function resolveManifestPublicKey(params) {
+	const direct = String(params.publicKeyArg || "").trim();
+	if (direct) return direct;
+	const fileArg = String(params.publicKeyFileArg || "").trim();
+	if (fileArg) {
+		const content = fs.readFileSync(fileArg, "utf8").trim();
+		if (!content) throw new Error(`manifest public key file empty: ${fileArg}`);
+		return content;
+	}
+	const fallbackPath = String(params.defaultKeyPath || "").trim();
+	if (fallbackPath && fs.existsSync(fallbackPath)) {
+		const content = fs.readFileSync(fallbackPath, "utf8").trim();
+		if (!content) throw new Error(`manifest public key file empty: ${fallbackPath}`);
+		return content;
+	}
+	const fromHost = String(params.hostPublicKey || "").trim();
+	if (fromHost) return fromHost;
+	throw new Error("manifest public key missing (set hosts.<host>.selfUpdate.publicKey or --manifest-public-key)");
+}
+async function verifyManifestSignature(params) {
+	try {
+		await run("minisign", [
+			"-Vm",
+			params.manifestPath,
+			"-P",
+			params.publicKey,
+			"-x",
+			params.signaturePath
+		], { redact: [] });
+	} catch (e) {
+		const err = e;
+		const msg = String(err?.message || e);
+		if (err?.code === "ENOENT" || msg.includes("spawn minisign ENOENT")) throw new Error(`minisign not found (${msg}). Install minisign and retry.`);
+		throw new Error(`manifest signature invalid (${msg}). See minisign output above.`);
+	}
+}
+
+//#endregion
+//#region src/lib/linux-build.ts
+function linuxBuildRequiredError(params) {
+	const cmd = params.command.trim() || "this command";
+	return new Error([
+		`${cmd}: local NixOS builds require Linux.`,
+		"Use one of:",
+		"- CI: deploy-manifest.yml publishes signed deploy manifests, then deploy.yml (or selfUpdate) deploys by manifest over tailnet",
+		"- Linux builder: build the system on Linux and deploy with --manifest or --toplevel"
+	].join("\n"));
+}
+function requireLinuxForLocalNixosBuild(params) {
+	if (params.platform === "linux") return;
+	throw linuxBuildRequiredError({ command: params.command });
+}
+
+//#endregion
+//#region src/commands/server/deploy.ts
+async function buildLocalToplevel(params) {
+	requireLinuxForLocalNixosBuild({
+		platform: process$1.platform,
+		command: "clawdlets server deploy"
+	});
+	const attr = `.#nixosConfigurations.${params.host}.config.system.build.toplevel`;
+	const out = await capture(params.nixBin, [
+		"build",
+		"--json",
+		"--no-link",
+		attr
+	], {
+		cwd: params.repoRoot,
+		env: withFlakesEnv(process$1.env)
+	});
+	let parsed;
+	try {
+		parsed = JSON.parse(out);
+	} catch (e) {
+		throw new Error(`nix build --json returned invalid JSON (${String(e?.message || e)})`);
+	}
+	const toplevel = parsed?.[0]?.outputs?.out;
+	if (!toplevel || typeof toplevel !== "string") throw new Error("nix build did not return a toplevel store path");
+	return requireToplevel(toplevel);
+}
+const serverDeploy = defineCommand({
+	meta: {
+		name: "deploy",
+		description: "Deploy a prebuilt NixOS system + secrets by store path."
+	},
+	args: {
+		runtimeDir: {
+			type: "string",
+			description: "Runtime directory (default: .clawdlets)."
+		},
+		envFile: {
+			type: "string",
+			description: "Env file for deploy creds (default: <runtimeDir>/env)."
+		},
+		host: {
+			type: "string",
+			description: "Host name (defaults to clawdlets.json defaultHost / sole host)."
+		},
+		targetHost: {
+			type: "string",
+			description: "SSH target override (default: from clawdlets.json)."
+		},
+		rev: {
+			type: "string",
+			description: "Git rev to pin (HEAD/sha/tag).",
+			default: "HEAD"
+		},
+		toplevel: {
+			type: "string",
+			description: "NixOS system toplevel store path (CI mode)."
+		},
+		manifest: {
+			type: "string",
+			description: "Path to deploy manifest JSON (CI mode)."
+		},
+		manifestSignature: {
+			type: "string",
+			description: "Path to manifest minisign signature (.minisig)."
+		},
+		manifestPublicKey: {
+			type: "string",
+			description: "Minisign public key string (verify manifest)."
+		},
+		manifestPublicKeyFile: {
+			type: "string",
+			description: "Path to minisign public key (verify manifest)."
+		},
+		manifestOut: {
+			type: "string",
+			description: "Write deploy manifest JSON to this path."
+		},
+		sshTty: {
+			type: "boolean",
+			description: "Allocate TTY for sudo prompts.",
+			default: true
+		}
+	},
+	async run({ args }) {
+		const cwd = process$1.cwd();
+		const ctx = loadHostContextOrExit({
+			cwd,
+			runtimeDir: args.runtimeDir,
+			hostArg: args.host
+		});
+		if (!ctx) return;
+		const { repoRoot, layout, hostName, hostCfg } = ctx;
+		await requireDeployGate({
+			runtimeDir: args.runtimeDir,
+			envFile: args.envFile,
+			host: hostName,
+			scope: "server-deploy",
+			strict: false,
+			skipGithubTokenCheck: true
+		});
+		const targetHost = requireTargetHost(String(args.targetHost || hostCfg.targetHost || ""), hostName);
+		const sudo = needsSudo(targetHost);
+		const deployCreds = loadDeployCreds({
+			cwd,
+			runtimeDir: args.runtimeDir,
+			envFile: args.envFile
+		});
+		if (deployCreds.envFile?.origin === "explicit" && deployCreds.envFile.status !== "ok") throw new Error(`deploy env file rejected: ${deployCreds.envFile.path} (${deployCreds.envFile.error || deployCreds.envFile.status})`);
+		const nixBin = String(deployCreds.values.NIX_BIN || "nix").trim() || "nix";
+		const manifestPath = String(args.manifest || "").trim();
+		const toplevelArg = String(args.toplevel || "").trim();
+		if (manifestPath && toplevelArg) throw new Error("use either --manifest or --toplevel (not both)");
+		let resolvedRev = "";
+		let toplevel = "";
+		let manifestDigest;
+		if (manifestPath) {
+			await verifyManifestSignature({
+				manifestPath,
+				signaturePath: resolveManifestSignaturePath({
+					cwd,
+					manifestPath,
+					signaturePathArg: args.manifestSignature
+				}),
+				publicKey: resolveManifestPublicKey({
+					publicKeyArg: args.manifestPublicKey,
+					publicKeyFileArg: args.manifestPublicKeyFile,
+					defaultKeyPath: path.join(repoRoot, "config", "manifest.minisign.pub"),
+					hostPublicKey: hostCfg?.selfUpdate?.publicKey
+				})
+			});
+			const manifest = parseDeployManifest(manifestPath);
+			if (manifest.host !== hostName) throw new Error(`manifest host mismatch: ${manifest.host} vs ${hostName}`);
+			const revArg = String(args.rev || "").trim();
+			if (revArg && revArg !== "HEAD" && revArg !== manifest.rev) throw new Error(`manifest rev mismatch: ${manifest.rev} vs ${revArg}`);
+			resolvedRev = manifest.rev;
+			toplevel = manifest.toplevel;
+			manifestDigest = manifest.secretsDigest;
+		} else {
+			const revRaw = String(args.rev || "").trim() || "HEAD";
+			const resolved = await resolveGitRev(layout.repoRoot, revRaw);
+			if (!resolved) throw new Error(`unable to resolve git rev: ${revRaw}`);
+			resolvedRev = resolved;
+			if (toplevelArg) toplevel = requireToplevel(toplevelArg);
+			else toplevel = await buildLocalToplevel({
+				repoRoot,
+				nixBin,
+				host: String(hostCfg.flakeHost || hostName).trim() || hostName
+			});
+		}
+		const { tarPath: tarLocal, digest } = await createSecretsTar({
+			hostName,
+			localDir: getHostSecretsDir(layout, hostName)
+		});
+		const tarRemote = `/tmp/clawdlets-secrets.${hostName}.${process$1.pid}.tgz`;
+		if (manifestDigest && manifestDigest !== digest) throw new Error(`secrets digest mismatch (manifest ${manifestDigest}, local ${digest}); regenerate or omit secretsDigest`);
+		try {
+			await run("scp", [tarLocal, `${targetHost}:${tarRemote}`], { redact: [] });
+		} finally {
+			try {
+				if (fs.existsSync(tarLocal)) fs.unlinkSync(tarLocal);
+			} catch {}
+		}
+		await sshRun(targetHost, [
+			...sudo ? ["sudo"] : [],
+			"/etc/clawdlets/bin/install-secrets",
+			"--host",
+			hostName,
+			"--tar",
+			tarRemote,
+			"--rev",
+			resolvedRev,
+			"--digest",
+			digest
+		].map(shellQuote).join(" "), { tty: sudo && args.sshTty });
+		await sshRun(targetHost, [
+			...sudo ? ["sudo"] : [],
+			"/etc/clawdlets/bin/switch-system",
+			"--toplevel",
+			toplevel,
+			"--rev",
+			resolvedRev
+		].map(shellQuote).join(" "), { tty: sudo && args.sshTty });
+		const manifestOutRaw = String(args.manifestOut || "").trim();
+		const manifestOut = manifestOutRaw ? path.isAbsolute(manifestOutRaw) ? manifestOutRaw : path.resolve(cwd, manifestOutRaw) : manifestPath ? "" : path.join(layout.runtimeDir, "deploy.json");
+		if (manifestOut) {
+			fs.mkdirSync(path.dirname(manifestOut), { recursive: true });
+			const manifest = {
+				rev: resolvedRev,
+				host: hostName,
+				toplevel,
+				secretsDigest: digest
+			};
+			fs.writeFileSync(manifestOut, formatDeployManifest(manifest), "utf8");
+			console.log(`ok: wrote deploy manifest ${manifestOut}`);
+		}
+		console.log(`ok: deployed ${hostName} (${resolvedRev})`);
+	}
+});
+
+//#endregion
+//#region src/commands/server/manifest.ts
+async function buildToplevel(params) {
+	const attr = `.#packages.x86_64-linux.${params.host}-system`;
+	const out = await capture(params.nixBin, [
+		"build",
+		"--json",
+		"--no-link",
+		attr
+	], {
+		cwd: params.repoRoot,
+		env: withFlakesEnv(process$1.env)
+	});
+	let parsed;
+	try {
+		parsed = JSON.parse(out);
+	} catch (e) {
+		throw new Error(`nix build --json returned invalid JSON (${String(e?.message || e)})`);
+	}
+	const toplevel = parsed?.[0]?.outputs?.out;
+	if (!toplevel || typeof toplevel !== "string") throw new Error("nix build did not return a toplevel store path");
+	return requireToplevel(toplevel);
+}
+const serverManifest = defineCommand({
+	meta: {
+		name: "manifest",
+		description: "Build a deploy manifest (rev + toplevel + secrets digest)."
+	},
+	args: {
+		runtimeDir: {
+			type: "string",
+			description: "Runtime directory (default: .clawdlets)."
+		},
+		host: {
+			type: "string",
+			description: "Host name (defaults to clawdlets.json defaultHost / sole host)."
+		},
+		rev: {
+			type: "string",
+			description: "Git rev to pin (HEAD/sha/tag).",
+			default: "HEAD"
+		},
+		toplevel: {
+			type: "string",
+			description: "NixOS system toplevel store path (skip build)."
+		},
+		out: {
+			type: "string",
+			description: "Output manifest path (default: deploy-manifest.<host>.json)."
+		},
+		nixBin: {
+			type: "string",
+			description: "Override nix binary (default: nix)."
+		}
+	},
+	async run({ args }) {
+		const cwd = process$1.cwd();
+		const ctx = loadHostContextOrExit({
+			cwd,
+			runtimeDir: args.runtimeDir,
+			hostArg: args.host
+		});
+		if (!ctx) return;
+		const { repoRoot, layout, hostName } = ctx;
+		const revRaw = String(args.rev || "").trim() || "HEAD";
+		const resolved = await resolveGitRev(layout.repoRoot, revRaw);
+		if (!resolved) throw new Error(`unable to resolve git rev: ${revRaw}`);
+		const rev = requireRev(resolved);
+		const nixBin = String(args.nixBin || process$1.env.NIX_BIN || "nix").trim() || "nix";
+		const toplevelArg = String(args.toplevel || "").trim();
+		if (!toplevelArg) requireLinuxForLocalNixosBuild({
+			platform: process$1.platform,
+			command: "clawdlets server manifest"
+		});
+		const toplevel = toplevelArg ? requireToplevel(toplevelArg) : await buildToplevel({
+			repoRoot,
+			nixBin,
+			host: hostName
+		});
+		const { tarPath: tarLocal, digest } = await createSecretsTar({
+			hostName,
+			localDir: getHostSecretsDir(layout, hostName)
+		});
+		try {
+			const manifest = {
+				rev,
+				host: hostName,
+				toplevel,
+				secretsDigest: digest
+			};
+			const outRaw = String(args.out || "").trim();
+			const outPath = outRaw ? path.isAbsolute(outRaw) ? outRaw : path.resolve(cwd, outRaw) : path.join(cwd, `deploy-manifest.${hostName}.json`);
+			fs.mkdirSync(path.dirname(outPath), { recursive: true });
+			fs.writeFileSync(outPath, formatDeployManifest(manifest), "utf8");
+			console.log(`ok: wrote deploy manifest ${outPath}`);
+		} finally {
+			try {
+				if (fs.existsSync(tarLocal)) fs.unlinkSync(tarLocal);
+			} catch {}
+		}
+	}
+});
+
+//#endregion
+//#region src/commands/server.ts
+function normalizeSince(value) {
+	const v = value.trim();
+	const m = v.match(/^(\d+)\s*([smhd])$/i);
+	if (!m) return v;
+	const n = Number(m[1]);
+	const unit = String(m[2]).toLowerCase();
+	if (!Number.isFinite(n) || n <= 0) return v;
+	if (unit === "s") return `${n} sec ago`;
+	if (unit === "m") return `${n} min ago`;
+	if (unit === "h") return `${n} hour ago`;
+	if (unit === "d") return `${n} day ago`;
+	return v;
+}
+function normalizeClawdbotUnit(value) {
+	const v = value.trim();
+	if (v === "clawdbot-*.service") return v;
+	if (/^clawdbot-[A-Za-z0-9._-]+$/.test(v)) return `${v}.service`;
+	if (/^clawdbot-[A-Za-z0-9._-]+\.service$/.test(v)) return v;
+	throw new Error(`invalid --unit: ${v} (expected clawdbot-<id>[.service] or clawdbot-*.service)`);
+}
+function parseSystemctlShow(output) {
+	const out = {};
+	for (const line of output.split("\n")) {
+		const idx = line.indexOf("=");
+		if (idx <= 0) continue;
+		const key = line.slice(0, idx);
+		if (key in out) continue;
+		out[key] = line.slice(idx + 1);
+	}
+	return out;
+}
+async function trySshCapture(targetHost, remoteCmd, opts = {}) {
+	try {
+		return {
+			ok: true,
+			out: await sshCapture(targetHost, remoteCmd, opts)
+		};
+	} catch (e) {
+		return {
+			ok: false,
+			out: String(e?.message || e)
+		};
+	}
+}
+const serverAudit = defineCommand({
+	meta: {
+		name: "audit",
+		description: "Audit host invariants over SSH (tailscale, clawdbot services)."
+	},
+	args: {
+		runtimeDir: {
+			type: "string",
+			description: "Runtime directory (default: .clawdlets)."
+		},
+		host: {
+			type: "string",
+			description: "Host name (defaults to clawdlets.json defaultHost / sole host)."
+		},
+		targetHost: {
+			type: "string",
+			description: "SSH target override (default: from clawdlets.json)."
+		},
+		sshTty: {
+			type: "boolean",
+			description: "Allocate TTY for sudo prompts.",
+			default: true
+		},
+		json: {
+			type: "boolean",
+			description: "Output JSON.",
+			default: false
+		}
+	},
+	async run({ args }) {
+		const ctx = loadHostContextOrExit({
+			cwd: process$1.cwd(),
+			runtimeDir: args.runtimeDir,
+			hostArg: args.host
+		});
+		if (!ctx) return;
+		const { config: config$1, hostName, hostCfg } = ctx;
+		const targetHost = requireTargetHost(String(args.targetHost || hostCfg.targetHost || ""), hostName);
+		const sudo = needsSudo(targetHost);
+		const bots = config$1.fleet.botOrder ?? [];
+		const checks = [];
+		const add$3 = (c) => checks.push(c);
+		const must = async (label, cmd) => {
+			const out = await trySshCapture(targetHost, cmd, { tty: sudo && args.sshTty });
+			if (!out.ok) {
+				add$3({
+					status: "missing",
+					label,
+					detail: out.out
+				});
+				return null;
+			}
+			return out.out;
+		};
+		if (hostCfg.tailnet?.mode === "tailscale") {
+			const tailscaled = await must("tailscale service", [
+				...sudo ? ["sudo"] : [],
+				"systemctl",
+				"show",
+				"tailscaled.service"
+			].join(" "));
+			if (tailscaled) {
+				const parsed = parseSystemctlShow(tailscaled);
+				add$3({
+					status: parsed.ActiveState === "active" ? "ok" : "missing",
+					label: "tailscale service state",
+					detail: `${parsed.ActiveState || "?"}/${parsed.SubState || "?"}`
+				});
+			}
+			const autoconnect = await must("tailscale autoconnect", [
+				...sudo ? ["sudo"] : [],
+				"systemctl",
+				"show",
+				"tailscaled-autoconnect.service"
+			].join(" "));
+			if (autoconnect) {
+				const parsed = parseSystemctlShow(autoconnect);
+				add$3({
+					status: parsed.ActiveState === "active" ? "ok" : "missing",
+					label: "tailscale autoconnect state",
+					detail: `${parsed.ActiveState || "?"}/${parsed.SubState || "?"}`
+				});
+			}
+		}
+		if (Array.isArray(bots) && bots.length > 0) add$3({
+			status: "ok",
+			label: "fleet bots list",
+			detail: bots.join(", ")
+		});
+		else add$3({
+			status: "warn",
+			label: "fleet bots list",
+			detail: "(empty)"
+		});
+		for (const bot$1 of bots) {
+			const unit = normalizeClawdbotUnit(`clawdbot-${String(bot$1).trim()}`);
+			const show$2 = await must(`systemctl show ${unit}`, [
+				...sudo ? ["sudo"] : [],
+				"systemctl",
+				"show",
+				shellQuote(unit)
+			].join(" "));
+			if (!show$2) continue;
+			const parsed = parseSystemctlShow(show$2);
+			const loadState = parsed.LoadState || "";
+			const activeState = parsed.ActiveState || "";
+			const subState = parsed.SubState || "";
+			if (loadState && loadState !== "loaded") add$3({
+				status: "missing",
+				label: `${unit} load state`,
+				detail: `LoadState=${loadState}`
+			});
+			else if (activeState === "active" && subState === "running") add$3({
+				status: "ok",
+				label: `${unit} state`,
+				detail: `${activeState}/${subState}`
+			});
+			else add$3({
+				status: "missing",
+				label: `${unit} state`,
+				detail: `${activeState || "?"}/${subState || "?"}`
+			});
+		}
+		if (args.json) console.log(JSON.stringify({
+			host: hostName,
+			targetHost,
+			checks
+		}, null, 2));
+		else for (const c of checks) console.log(`${c.status}: ${c.label}${c.detail ? ` (${c.detail})` : ""}`);
+		if (checks.some((c) => c.status === "missing")) process$1.exitCode = 1;
+	}
+});
+const serverStatus = defineCommand({
+	meta: {
+		name: "status",
+		description: "Show systemd status for Clawdbot services."
+	},
+	args: {
+		runtimeDir: {
+			type: "string",
+			description: "Runtime directory (default: .clawdlets)."
+		},
+		host: {
+			type: "string",
+			description: "Host name (defaults to clawdlets.json defaultHost / sole host)."
+		},
+		targetHost: {
+			type: "string",
+			description: "SSH target override (default: from clawdlets.json)."
+		},
+		sshTty: {
+			type: "boolean",
+			description: "Allocate TTY for sudo prompts.",
+			default: true
+		}
+	},
+	async run({ args }) {
+		const ctx = loadHostContextOrExit({
+			cwd: process$1.cwd(),
+			runtimeDir: args.runtimeDir,
+			hostArg: args.host
+		});
+		if (!ctx) return;
+		const { hostName, hostCfg } = ctx;
+		const targetHost = requireTargetHost(String(args.targetHost || hostCfg.targetHost || ""), hostName);
+		const sudo = needsSudo(targetHost);
+		const out = await sshCapture(targetHost, [
+			...sudo ? ["sudo"] : [],
+			"systemctl",
+			"list-units",
+			"clawdbot-*.service",
+			"--no-pager"
+		].join(" "), { tty: sudo && args.sshTty });
+		console.log(out);
+	}
+});
+const serverLogs = defineCommand({
+	meta: {
+		name: "logs",
+		description: "Stream or print logs via journalctl."
+	},
+	args: {
+		runtimeDir: {
+			type: "string",
+			description: "Runtime directory (default: .clawdlets)."
+		},
+		host: {
+			type: "string",
+			description: "Host name (defaults to clawdlets.json defaultHost / sole host)."
+		},
+		targetHost: {
+			type: "string",
+			description: "SSH target override (default: from clawdlets.json)."
+		},
+		unit: {
+			type: "string",
+			description: "systemd unit (default: clawdbot-*.service).",
+			default: "clawdbot-*.service"
+		},
+		lines: {
+			type: "string",
+			description: "Number of lines (default: 200).",
+			default: "200"
+		},
+		since: {
+			type: "string",
+			description: "Time window (supports 5m/1h/2d or journalctl syntax)."
+		},
+		follow: {
+			type: "boolean",
+			description: "Follow logs.",
+			default: false
+		},
+		sshTty: {
+			type: "boolean",
+			description: "Allocate TTY for sudo prompts.",
+			default: true
+		}
+	},
+	async run({ args }) {
+		const ctx = loadHostContextOrExit({
+			cwd: process$1.cwd(),
+			runtimeDir: args.runtimeDir,
+			hostArg: args.host
+		});
+		if (!ctx) return;
+		const { hostName, hostCfg } = ctx;
+		const targetHost = requireTargetHost(String(args.targetHost || hostCfg.targetHost || ""), hostName);
+		const sudo = needsSudo(targetHost);
+		const unit = normalizeClawdbotUnit(String(args.unit || "clawdbot-*.service"));
+		const since = args.since ? normalizeSince(String(args.since)) : "";
+		const n = String(args.lines || "200").trim() || "200";
+		if (!/^\d+$/.test(n) || Number(n) <= 0) throw new Error(`invalid --lines: ${n}`);
+		await sshRun(targetHost, [
+			...sudo ? ["sudo"] : [],
+			"journalctl",
+			"-u",
+			shellQuote(unit),
+			"-n",
+			shellQuote(n),
+			...since ? ["--since", shellQuote(since)] : [],
+			...args.follow ? ["-f"] : [],
+			"--no-pager"
+		].join(" "), { tty: sudo && args.sshTty });
+	}
+});
+const serverRestart = defineCommand({
+	meta: {
+		name: "restart",
+		description: "Restart a systemd unit (default: clawdbot-*.service)."
+	},
+	args: {
+		runtimeDir: {
+			type: "string",
+			description: "Runtime directory (default: .clawdlets)."
+		},
+		host: {
+			type: "string",
+			description: "Host name (defaults to clawdlets.json defaultHost / sole host)."
+		},
+		targetHost: {
+			type: "string",
+			description: "SSH target override (default: from clawdlets.json)."
+		},
+		unit: {
+			type: "string",
+			description: "systemd unit (default: clawdbot-*.service).",
+			default: "clawdbot-*.service"
+		},
+		sshTty: {
+			type: "boolean",
+			description: "Allocate TTY for sudo prompts.",
+			default: true
+		}
+	},
+	async run({ args }) {
+		const ctx = loadHostContextOrExit({
+			cwd: process$1.cwd(),
+			runtimeDir: args.runtimeDir,
+			hostArg: args.host
+		});
+		if (!ctx) return;
+		const { hostName, hostCfg } = ctx;
+		const targetHost = requireTargetHost(String(args.targetHost || hostCfg.targetHost || ""), hostName);
+		const unit = String(args.unit || "clawdbot-*.service").trim() || "clawdbot-*.service";
+		const sudo = needsSudo(targetHost);
+		await sshRun(targetHost, [
+			...sudo ? ["sudo"] : [],
+			"systemctl",
+			"restart",
+			shellQuote(unit)
+		].join(" "), { tty: sudo && args.sshTty });
+	}
+});
+const server = defineCommand({
+	meta: {
+		name: "server",
+		description: "Server operations via SSH (deploy/logs/status)."
+	},
+	subCommands: {
+		audit: serverAudit,
+		deploy: serverDeploy,
+		manifest: serverManifest,
+		status: serverStatus,
+		logs: serverLogs,
+		"github-sync": serverGithubSync,
+		restart: serverRestart
+	}
+});
+
+//#endregion
+//#region src/commands/registry.ts
+const baseCommands = {
+	bot,
+	bootstrap,
+	config,
+	doctor,
+	env,
+	host,
+	fleet,
+	image,
+	infra,
+	lockdown,
+	plugin,
+	project,
+	secrets,
+	server
+};
+const baseCommandNames = Object.freeze(Object.keys(baseCommands));
+
+//#endregion
+//#region src/lib/plugins.ts
+var plugins_exports = /* @__PURE__ */ __exportAll({
+	findPluginByCommand: () => findPluginByCommand,
+	installPlugin: () => installPlugin,
+	listInstalledPlugins: () => listInstalledPlugins,
+	listReservedCommands: () => listReservedCommands,
+	loadPluginCommand: () => loadPluginCommand,
+	removePlugin: () => removePlugin
+});
+const PLUGIN_MANIFEST = "clawdlets-plugin.json";
+const RESERVED_COMMANDS = new Set(baseCommandNames);
+const SAFE_SLUG_RE = /^[a-z][a-z0-9_-]*$/;
+const PACKAGE_NAME_RE = /^(?:@[a-z0-9][a-z0-9-._]*\/)?[a-z0-9][a-z0-9-._]*$/;
+function readJsonFile(filePath) {
+	const raw = fs.readFileSync(filePath, "utf8");
+	return JSON.parse(raw);
+}
+function writeJsonFile(filePath, data) {
+	const dir = path.dirname(filePath);
+	fs.mkdirSync(dir, { recursive: true });
+	const tmp = path.join(dir, `.${path.basename(filePath)}.tmp.${process.pid}`);
+	fs.writeFileSync(tmp, `${JSON.stringify(data, null, 2)}\n`, "utf8");
+	fs.renameSync(tmp, filePath);
+}
+function assertSafeSlug(value) {
+	if (!SAFE_SLUG_RE.test(value)) throw new Error(`invalid plugin command: ${value} (expected [a-z][a-z0-9_-]*)`);
+}
+function isReservedCommand(value) {
+	return RESERVED_COMMANDS.has(value);
+}
+function assertCommandName(value) {
+	assertSafeSlug(value);
+	if (isReservedCommand(value)) throw new Error(`plugin command reserved: ${value}`);
+}
+function resolvePluginsDir(params) {
+	return getRepoLayout(findRepoRoot(params.cwd), params.runtimeDir).pluginsDir;
+}
+function resolveInstallDir(params) {
+	return path.join(params.pluginsDir, params.slug);
+}
+function resolvePackageDir(params) {
+	return path.join(params.installDir, "node_modules", ...params.packageName.split("/"));
+}
+function readPluginPackageMeta(packageDir) {
+	const pkgPath = path.join(packageDir, "package.json");
+	if (!fs.existsSync(pkgPath)) throw new Error(`plugin package.json missing: ${pkgPath}`);
+	const pkg = readJsonFile(pkgPath);
+	const command = String(pkg?.clawdlets?.command || "").trim();
+	const entry = String(pkg?.clawdlets?.entry || "").trim();
+	if (!command) throw new Error(`plugin missing clawdlets.command in ${pkgPath}`);
+	if (!entry) throw new Error(`plugin missing clawdlets.entry in ${pkgPath}`);
+	assertCommandName(command);
+	return {
+		command,
+		entry
+	};
+}
+function assertPackageName(value) {
+	if (!PACKAGE_NAME_RE.test(value)) throw new Error(`invalid plugin package name: ${value}`);
+}
+function resolveManifestPath(installDir) {
+	return path.join(installDir, PLUGIN_MANIFEST);
+}
+function normalizeManifest(slug, manifest) {
+	if (!manifest || typeof manifest !== "object") throw new Error("plugin manifest invalid");
+	const packageName = String(manifest.packageName || "").trim();
+	const version = String(manifest.version || "").trim();
+	const command = String(manifest.command || "").trim();
+	const entry = String(manifest.entry || "").trim();
+	if (!packageName) throw new Error("plugin manifest missing packageName");
+	assertPackageName(packageName);
+	if (!version) throw new Error("plugin manifest missing version");
+	if (!command) throw new Error("plugin manifest missing command");
+	if (!entry) throw new Error("plugin manifest missing entry");
+	assertCommandName(command);
+	if (command !== slug) throw new Error(`plugin manifest command mismatch (expected ${slug}, got ${command})`);
+	return {
+		slug,
+		packageName,
+		version,
+		command,
+		entry
+	};
+}
+function readPluginManifest(installDir, slug) {
+	return normalizeManifest(slug, readJsonFile(resolveManifestPath(installDir)));
+}
+function writePluginManifest(installDir, manifest) {
+	writeJsonFile(resolveManifestPath(installDir), manifest);
+}
+function deriveManifestFromInstall(installDir, slug) {
+	const pkgPath = path.join(installDir, "package.json");
+	if (!fs.existsSync(pkgPath)) throw new Error(`plugin install missing package.json: ${pkgPath}`);
+	const pkg = readJsonFile(pkgPath);
+	const deps = Object.keys(pkg.dependencies || {});
+	if (deps.length !== 1) throw new Error(`plugin install must declare exactly one dependency (found ${deps.length})`);
+	const packageName = deps[0] || "";
+	if (!packageName) throw new Error("plugin dependency missing");
+	assertPackageName(packageName);
+	const packageDir = resolvePackageDir({
+		installDir,
+		packageName
+	});
+	const meta = readPluginPackageMeta(packageDir);
+	if (meta.command !== slug) throw new Error(`plugin command mismatch: expected ${slug} got ${meta.command}`);
+	const pluginPkgPath = path.join(packageDir, "package.json");
+	const pluginPkg = readJsonFile(pluginPkgPath);
+	const version = String(pluginPkg.version || "").trim();
+	if (!version) throw new Error(`plugin version missing in ${pluginPkgPath}`);
+	return {
+		slug,
+		packageName,
+		version,
+		command: meta.command,
+		entry: meta.entry
+	};
+}
+function listInstalledPlugins(params) {
+	const pluginsDir = resolvePluginsDir(params);
+	if (!fs.existsSync(pluginsDir)) return [];
+	const entries = fs.readdirSync(pluginsDir, { withFileTypes: true });
+	const out = [];
+	for (const ent of entries) {
+		if (!ent.isDirectory()) continue;
+		const slug = ent.name;
+		if (slug.startsWith(".")) continue;
+		try {
+			assertSafeSlug(slug);
+			const installDir = resolveInstallDir({
+				pluginsDir,
+				slug
+			});
+			let manifest;
+			try {
+				manifest = readPluginManifest(installDir, slug);
+			} catch {
+				manifest = deriveManifestFromInstall(installDir, slug);
+				writePluginManifest(installDir, manifest);
+			}
+			const packageDir = resolvePackageDir({
+				installDir,
+				packageName: manifest.packageName
+			});
+			out.push({
+				...manifest,
+				installDir,
+				packageDir
+			});
+		} catch (error) {
+			params.onError?.({
+				slug,
+				error: error instanceof Error ? error : new Error(String(error))
+			});
+			continue;
+		}
+	}
+	return out.sort((a, b) => a.command.localeCompare(b.command));
+}
+function findPluginByCommand(params) {
+	const cmd = params.command.trim();
+	if (!cmd || cmd.startsWith("-") || isReservedCommand(cmd)) return null;
+	return listInstalledPlugins(params).find((p$1) => p$1.command === cmd) || null;
+}
+async function loadPluginCommand(plugin$1) {
+	const entryRel = plugin$1.entry.trim();
+	if (!entryRel) throw new Error(`plugin entry empty for ${plugin$1.command}`);
+	if (path.isAbsolute(entryRel)) throw new Error(`plugin entry must be relative: ${entryRel}`);
+	if (entryRel.split(/[/\\\\]+/).includes("..")) throw new Error(`plugin entry must not contain .. segments: ${entryRel}`);
+	const entryPath = path.resolve(plugin$1.packageDir, entryRel);
+	const entryRelPath = path.relative(plugin$1.packageDir, entryPath);
+	if (entryRelPath.startsWith("..") || path.isAbsolute(entryRelPath)) throw new Error(`plugin entry escapes package: ${entryRel}`);
+	if (!fs.existsSync(entryPath)) throw new Error(`plugin entry missing: ${entryPath}`);
+	const mod = await import(pathToFileURL(entryPath).href);
+	const command = mod.command || mod.plugin?.command || mod.default?.command || mod.default;
+	if (!command) throw new Error(`plugin entry ${entryPath} does not export a command`);
+	return command;
+}
+async function installPlugin(params) {
+	const pluginsDir = resolvePluginsDir(params);
+	const slug = params.slug.trim();
+	if (!slug) throw new Error("plugin name required");
+	assertCommandName(slug);
+	const packageName = params.packageName.trim();
+	if (!packageName) throw new Error("package name required");
+	assertPackageName(packageName);
+	if (!params.allowThirdParty && !packageName.startsWith("@clawdlets/")) throw new Error("third-party plugins disabled (pass --allow-third-party to override)");
+	const installDir = resolveInstallDir({
+		pluginsDir,
+		slug
+	});
+	if (fs.existsSync(installDir) && fs.readdirSync(installDir).length > 0) throw new Error(`plugin already installed: ${slug} (${installDir})`);
+	fs.mkdirSync(installDir, { recursive: true });
+	const depVersion = params.version?.trim() || "latest";
+	const pkgJson = {
+		name: `clawdlets-plugin-${slug}`,
+		private: true,
+		type: "module",
+		description: `clawdlets plugin install (${slug})`,
+		dependencies: { [packageName]: depVersion }
+	};
+	writeJsonFile(path.join(installDir, "package.json"), pkgJson);
+	await run("npm", [
+		"install",
+		"--omit=dev",
+		"--no-audit",
+		"--no-fund"
+	], { cwd: installDir });
+	const manifest = deriveManifestFromInstall(installDir, slug);
+	writePluginManifest(installDir, manifest);
+	const packageDir = resolvePackageDir({
+		installDir,
+		packageName: manifest.packageName
+	});
+	return {
+		...manifest,
+		installDir,
+		packageDir
+	};
+}
+function removePlugin(params) {
+	const pluginsDir = resolvePluginsDir(params);
+	const slug = params.slug.trim();
+	if (!slug) throw new Error("plugin name required");
+	assertSafeSlug(slug);
+	const installDir = resolveInstallDir({
+		pluginsDir,
+		slug
+	});
+	const rel = path.relative(pluginsDir, installDir);
+	if (rel.startsWith("..") || path.isAbsolute(rel)) throw new Error(`plugin path escapes plugins dir: ${installDir}`);
+	if (!fs.existsSync(installDir)) throw new Error(`plugin not installed: ${slug}`);
+	fs.rmSync(installDir, {
+		recursive: true,
+		force: true
+	});
+}
+function listReservedCommands() {
+	return [...RESERVED_COMMANDS].sort();
+}
+
+//#endregion
+//#region src/lib/version.ts
+function resolvePackageRoot(fromUrl = import.meta.url) {
+	let dir = path.dirname(fileURLToPath(fromUrl));
+	for (let i = 0; i < 5; i += 1) {
+		const candidate = path.join(dir, "package.json");
+		if (fs.existsSync(candidate)) return dir;
+		const parent = path.dirname(dir);
+		if (parent === dir) break;
+		dir = parent;
+	}
+	return path.dirname(fileURLToPath(fromUrl));
+}
+function readCliVersion(rootDir = resolvePackageRoot()) {
+	const pkgPath = path.join(rootDir, "package.json");
+	const raw = fs.readFileSync(pkgPath, "utf8");
+	const parsed = JSON.parse(raw);
+	if (typeof parsed.version !== "string" || parsed.version.length === 0) throw new Error("missing version in package.json");
+	return parsed.version;
+}
+
+//#endregion
+//#region src/main.ts
+const main = defineCommand({
+	meta: {
+		name: "clawdlets",
+		description: "Clawdbot fleet helper (CLI-first; runtime state in .clawdlets/; secrets in /secrets)."
+	},
+	subCommands: baseCommands
+});
+function resolveRuntimeDir(rawArgs) {
+	for (let i = 0; i < rawArgs.length; i += 1) {
+		const arg = rawArgs[i] || "";
+		if (arg === "--runtime-dir" || arg === "--runtimeDir") {
+			const next = rawArgs[i + 1];
+			if (next) return String(next);
+		}
+		if (arg.startsWith("--runtime-dir=")) return arg.slice(14);
+		if (arg.startsWith("--runtimeDir=")) return arg.slice(13);
+	}
+}
+function findCommandToken(rawArgs) {
+	for (let i = 0; i < rawArgs.length; i += 1) {
+		const arg = rawArgs[i];
+		if (!arg) continue;
+		if (arg === "--") continue;
+		if (arg === "--runtime-dir" || arg === "--runtimeDir") {
+			i += 1;
+			continue;
+		}
+		if (arg.startsWith("--runtime-dir=") || arg.startsWith("--runtimeDir=")) continue;
+		if (arg.startsWith("-")) continue;
+		return {
+			index: i,
+			command: arg
+		};
+	}
+	return null;
+}
+async function mainEntry() {
+	const [nodeBin, script, ...rest] = process.argv;
+	const normalized = rest.filter((a) => a !== "--");
+	if (normalized.includes("--version") || normalized.includes("-v")) {
+		console.log(readCliVersion());
+		process.exit(0);
+		return;
+	}
+	process.argv = [
+		nodeBin,
+		script,
+		...normalized
+	];
+	const runtimeDir = resolveRuntimeDir(normalized);
+	const commandToken = findCommandToken(normalized);
+	const command = commandToken?.command ?? "";
+	const pluginMatch = findPluginByCommand({
+		cwd: process.cwd(),
+		runtimeDir,
+		command
+	});
+	if (pluginMatch) {
+		await runMain(await loadPluginCommand(pluginMatch), { rawArgs: commandToken ? normalized.slice(commandToken.index + 1) : [] });
+		return;
+	}
+	await runMain(main);
+}
+mainEntry();
+
+//#endregion
+export {  };