creek 0.3.0-alpha.2 → 0.3.0-alpha.3

package/dist/commands/claim.d.ts

@@ -0,0 +1,8 @@
+export declare const claimCommand: import("citty").CommandDef<{
+    sandboxId: {
+        type: "positional";
+        description: string;
+        required: true;
+    };
+}>;
+//# sourceMappingURL=claim.d.ts.map

package/dist/commands/claim.js

@@ -0,0 +1,84 @@
+import { defineCommand } from "citty";
+import consola from "consola";
+import { CreekClient } from "@solcreek/sdk";
+import { getToken, getApiUrl, getSandboxApiUrl } from "../utils/config.js";
+export const claimCommand = defineCommand({
+    meta: {
+        name: "claim",
+        description: "Claim a sandbox deployment as a permanent project",
+    },
+    args: {
+        sandboxId: {
+            type: "positional",
+            description: "Sandbox ID to claim (shown after sandbox deploy)",
+            required: true,
+        },
+    },
+    async run({ args }) {
+        const token = getToken();
+        if (!token) {
+            consola.error("You need to be logged in to claim a sandbox.");
+            consola.info("Run `creek login` first, then `creek claim` again.");
+            process.exit(1);
+        }
+        const sandboxId = args.sandboxId;
+        // 1. Fetch sandbox info
+        consola.start("Looking up sandbox...");
+        const sandboxApiUrl = getSandboxApiUrl();
+        const statusRes = await fetch(`${sandboxApiUrl}/api/sandbox/${sandboxId}/status`);
+        if (!statusRes.ok) {
+            consola.error("Sandbox not found. It may have expired.");
+            process.exit(1);
+        }
+        const sandbox = (await statusRes.json());
+        if (!sandbox.claimable) {
+            if (sandbox.status === "expired") {
+                consola.error("This sandbox has expired and can no longer be claimed.");
+                consola.info("Run `creek deploy` to deploy your project permanently.");
+            }
+            else {
+                consola.error(`Sandbox is in '${sandbox.status}' state and cannot be claimed.`);
+            }
+            process.exit(1);
+        }
+        // 2. Create permanent project
+        consola.start("Creating permanent project...");
+        const client = new CreekClient(getApiUrl(), token);
+        const slug = sandbox.templateId ?? sandboxId;
+        let project;
+        try {
+            const res = await client.createProject({
+                slug,
+                framework: sandbox.framework,
+            });
+            project = res.project;
+        }
+        catch {
+            // Slug might conflict, try with sandbox ID suffix
+            const res = await client.createProject({
+                slug: `${slug}-${sandboxId}`,
+                framework: sandbox.framework,
+            });
+            project = res.project;
+        }
+        consola.success(`Created project: ${project.slug}`);
+        // 3. Mark sandbox as claimed
+        try {
+            await fetch(`${sandboxApiUrl}/api/sandbox/${sandboxId}/claim`, {
+                method: "POST",
+                headers: { "Content-Type": "application/json" },
+                body: JSON.stringify({ projectId: project.id }),
+            });
+        }
+        catch {
+            // Best effort — claim status update is non-critical
+        }
+        consola.success("Sandbox claimed!");
+        consola.info("");
+        consola.info("Next steps:");
+        consola.info(`  cd your-project`);
+        consola.info(`  creek init`);
+        consola.info(`  creek deploy    # deploy permanently`);
+    },
+});
+//# sourceMappingURL=claim.js.map

package/dist/commands/deploy.d.ts

@@ -4,5 +4,10 @@ export declare const deployCommand: import("citty").CommandDef<{
         description: string;
         default: false;
     };
+    template: {
+        type: "string";
+        description: string;
+        required: false;
+    };
 }>;
 //# sourceMappingURL=deploy.d.ts.map

package/dist/commands/deploy.js

@@ -1,12 +1,13 @@
 import { defineCommand } from "citty";
 import consola from "consola";
-import { existsSync, readFileSync } from "node:fs";
-import { join, resolve } from "node:path";
-import { execSync } from "node:child_process";
-import { parseConfig, CreekClient, isSSRFramework, getSSRServerEntry, getClientAssetsDir, } from "@solcreek/sdk";
+import { existsSync, readFileSync, rmSync } from "node:fs";
+import { join, resolve, basename } from "node:path";
+import { execSync, execFileSync } from "node:child_process";
+import { parseConfig, CreekClient, CreekAuthError, isSSRFramework, getSSRServerEntry, getClientAssetsDir, getDefaultBuildOutput, detectFramework, } from "@solcreek/sdk";
 import { getToken, getApiUrl } from "../utils/config.js";
 import { collectAssets } from "../utils/bundle.js";
 import { bundleSSRServer } from "../utils/ssr-bundle.js";
+import { sandboxDeploy, pollSandboxStatus, printSandboxSuccess } from "../utils/sandbox.js";
 export const deployCommand = defineCommand({
     meta: {
         name: "deploy",
@@ -18,21 +19,200 @@ export const deployCommand = defineCommand({
             description: "Skip the build step",
             default: false,
         },
+        template: {
+            type: "string",
+            description: "Deploy a template (e.g., react-dashboard, astro-landing)",
+            required: false,
+        },
     },
     async run({ args }) {
+        // --- Template deploy ---
+        if (args.template) {
+            return await deployTemplate(args.template);
+        }
+        // --- Check if user has an account ---
+        const token = getToken();
         const cwd = process.cwd();
         const configPath = join(cwd, "creek.toml");
-        if (!existsSync(configPath)) {
-            consola.error("No creek.toml found. Run `creek init` first.");
-            process.exit(1);
+        const hasConfig = existsSync(configPath);
+        if (!hasConfig) {
+            // No creek.toml → sandbox mode (works with or without account)
+            return await deploySandbox(cwd, args["skip-build"]);
         }
-        const config = parseConfig(readFileSync(configPath, "utf-8"));
-        consola.info(`Project: ${config.project.name}`);
-        const token = getToken();
         if (!token) {
             consola.error("Not authenticated. Run `creek login` first.");
+            consola.info("Or deploy without an account: remove creek.toml and run `creek deploy` again.");
+            process.exit(1);
+        }
+        // --- Regular deploy (authenticated, creek.toml present) ---
+        return await deployAuthenticated(cwd, configPath, token, args["skip-build"]);
+    },
+});
+// ============================================================================
+// Sandbox deploy — no account, auto-detect framework
+// ============================================================================
+async function deploySandbox(cwd, skipBuild) {
+    consola.info("No account found. Deploying to sandbox (60 min preview).");
+    consola.info("");
+    // Auto-detect framework
+    const pkgPath = join(cwd, "package.json");
+    if (!existsSync(pkgPath)) {
+        consola.error("No package.json found. Make sure you're in a project directory.");
+        process.exit(1);
+    }
+    const pkg = JSON.parse(readFileSync(pkgPath, "utf-8"));
+    const framework = detectFramework(pkg);
+    const projectName = pkg.name ?? basename(cwd);
+    if (framework) {
+        consola.info(`Detected: ${framework}`);
+    }
+    else {
+        consola.info("Framework: auto (static site)");
+    }
+    // Build
+    const buildCommand = pkg.scripts?.build ? "npm run build" : null;
+    const outputDir = resolve(cwd, getDefaultBuildOutput(framework));
+    if (!skipBuild) {
+        if (!buildCommand) {
+            consola.error("No build script found in package.json.");
+            consola.info("Add a 'build' script or use --skip-build if already built.");
             process.exit(1);
         }
+        consola.start(`Building with: ${buildCommand}`);
+        try {
+            execSync(buildCommand, { cwd, stdio: "inherit" });
+        }
+        catch {
+            consola.error("Build failed");
+            consola.info("");
+            consola.info("Common fixes:");
+            consola.info("  • npm install (missing dependencies?)");
+            consola.info("  • Check for TypeScript errors");
+            consola.info(`  • Verify build works: ${buildCommand}`);
+            process.exit(1);
+        }
+        consola.success("Build complete");
+    }
+    if (!existsSync(outputDir)) {
+        consola.error(`Build output not found: ${outputDir}`);
+        if (framework) {
+            consola.info(`Expected output for ${framework}: ${getDefaultBuildOutput(framework)}`);
+        }
+        process.exit(1);
+    }
+    // Collect assets
+    const isSSR = isSSRFramework(framework);
+    const renderMode = isSSR ? "ssr" : "spa";
+    let clientAssetsDir = outputDir;
+    if (isSSR && framework) {
+        const subdir = getClientAssetsDir(framework);
+        if (subdir)
+            clientAssetsDir = resolve(outputDir, subdir);
+    }
+    consola.start("Collecting assets...");
+    const { assets: clientAssets, fileList } = collectAssets(clientAssetsDir);
+    consola.info(`Found ${fileList.length} assets`);
+    let serverFiles;
+    if (isSSR && framework) {
+        const serverEntry = getSSRServerEntry(framework);
+        if (serverEntry) {
+            const serverEntryPath = resolve(outputDir, serverEntry);
+            if (existsSync(serverEntryPath)) {
+                consola.start("Bundling SSR server...");
+                const bundled = await bundleSSRServer(serverEntryPath);
+                serverFiles = { "server.js": Buffer.from(bundled).toString("base64") };
+                consola.success(`SSR bundled (${Math.round(bundled.length / 1024)}KB)`);
+            }
+        }
+    }
+    // Deploy to sandbox
+    consola.start("Deploying to sandbox...");
+    try {
+        const result = await sandboxDeploy({
+            manifest: { assets: fileList, hasWorker: isSSR, entrypoint: null, renderMode },
+            assets: clientAssets,
+            serverFiles,
+            framework: framework ?? undefined,
+            source: "cli",
+        });
+        consola.start("Waiting for deployment...");
+        const status = await pollSandboxStatus(result.statusUrl);
+        printSandboxSuccess(status.previewUrl, result.expiresAt, result.sandboxId);
+    }
+    catch (err) {
+        consola.error(err instanceof Error ? err.message : "Sandbox deploy failed");
+        process.exit(1);
+    }
+}
+// ============================================================================
+// Template deploy — clone + build + deploy to sandbox
+// ============================================================================
+async function deployTemplate(templateId) {
+    // Validate template ID — alphanumeric, hyphens, underscores only (no path traversal)
+    if (!/^[a-zA-Z0-9_-]+$/.test(templateId)) {
+        consola.error("Invalid template name. Use only letters, numbers, hyphens, and underscores.");
+        process.exit(1);
+    }
+    consola.info(`Deploying template: ${templateId}`);
+    // Clone template to temp dir
+    const tmpDir = join(process.env.TMPDIR ?? "/tmp", `creek-template-${Date.now()}`);
+    const repoUrl = "https://github.com/solcreek/templates";
+    consola.start("Cloning template...");
+    try {
+        execFileSync("git", [
+            "clone", "--depth", "1", "--filter=blob:none", "--sparse", repoUrl, tmpDir,
+        ], { stdio: "pipe" });
+        execFileSync("git", [
+            "sparse-checkout", "set", templateId,
+        ], { cwd: tmpDir, stdio: "pipe" });
+    }
+    catch {
+        consola.error(`Template '${templateId}' not found.`);
+        consola.info("Available templates: creek deploy --template");
+        cleanupDir(tmpDir);
+        process.exit(1);
+    }
+    const templateDir = join(tmpDir, templateId);
+    // Verify resolved path is still within tmpDir (prevent path traversal)
+    if (!resolve(templateDir).startsWith(resolve(tmpDir))) {
+        consola.error("Invalid template path.");
+        cleanupDir(tmpDir);
+        process.exit(1);
+    }
+    if (!existsSync(templateDir)) {
+        consola.error(`Template directory not found: ${templateId}`);
+        cleanupDir(tmpDir);
+        process.exit(1);
+    }
+    consola.start("Installing dependencies...");
+    try {
+        execFileSync("npm", ["install"], { cwd: templateDir, stdio: "pipe" });
+    }
+    catch {
+        consola.error("Failed to install dependencies");
+        cleanupDir(tmpDir);
+        process.exit(1);
+    }
+    // Deploy as sandbox (reuse sandbox flow)
+    await deploySandbox(templateDir, false);
+    // Cleanup
+    cleanupDir(tmpDir);
+}
+function cleanupDir(dir) {
+    try {
+        rmSync(dir, { recursive: true, force: true });
+    }
+    catch {
+        // ignore
+    }
+}
+// ============================================================================
+// Authenticated deploy — existing flow
+// ============================================================================
+async function deployAuthenticated(cwd, configPath, token, skipBuild) {
+    try {
+        const config = parseConfig(readFileSync(configPath, "utf-8"));
+        consola.info(`Project: ${config.project.name}`);
         const client = new CreekClient(getApiUrl(), token);
         // Ensure project exists
         let project;
@@ -48,11 +228,16 @@ export const deployCommand = defineCommand({
             project = res.project;
             consola.success(`Created project: ${project.slug}`);
         }
-        // Build
-        if (!args["skip-build"]) {
-            consola.start(`Building with: ${config.build.command}`);
+        // Build — creek.toml build.command is user-defined, analogous to npm scripts
+        if (!skipBuild) {
+            const buildCmd = config.build.command;
+            if (!buildCmd || typeof buildCmd !== "string" || buildCmd.length > 500) {
+                consola.error("Invalid build command in creek.toml");
+                process.exit(1);
+            }
+            consola.start(`Building with: ${buildCmd}`);
             try {
-                execSync(config.build.command, { cwd, stdio: "inherit" });
+                execSync(buildCmd, { cwd, stdio: "inherit" });
             }
             catch {
                 consola.error("Build failed");
@@ -68,7 +253,6 @@ export const deployCommand = defineCommand({
         const framework = config.project.framework ?? null;
         const isSSR = isSSRFramework(framework);
         const renderMode = isSSR ? "ssr" : "spa";
-        // Collect client assets
         let clientAssetsDir = outputDir;
         if (isSSR && framework) {
             const clientSubdir = getClientAssetsDir(framework);
@@ -79,7 +263,6 @@ export const deployCommand = defineCommand({
         consola.start("Collecting assets...");
         const { assets: clientAssets, fileList } = collectAssets(clientAssetsDir);
         consola.info(`Found ${fileList.length} client assets`);
-        // Bundle server files for SSR
         let serverFiles;
         if (isSSR && framework) {
             const serverEntry = getSSRServerEntry(framework);
@@ -88,7 +271,6 @@ export const deployCommand = defineCommand({
                 if (existsSync(serverEntryPath)) {
                     consola.start("Bundling SSR server...");
                     const bundled = await bundleSSRServer(serverEntryPath);
-                    // Send as base64-encoded single file
                     serverFiles = {
                         "server.js": Buffer.from(bundled).toString("base64"),
                     };
@@ -96,10 +278,8 @@ export const deployCommand = defineCommand({
                 }
             }
         }
-        // Create deployment
         consola.start("Creating deployment...");
         const { deployment } = await client.createDeployment(project.id);
-        // Upload bundle
         consola.start("Uploading...");
         const bundle = {
             manifest: {
@@ -111,36 +291,61 @@ export const deployCommand = defineCommand({
             workerScript: null,
             assets: clientAssets,
             serverFiles,
+            resources: config.resources,
         };
-        const result = await client.uploadDeploymentBundle(project.id, deployment.id, bundle);
-        if (result.url) {
-            consola.success(`Deployed! ${result.url}`);
-            if (result.previewUrl) {
-                consola.info(`Preview:  ${result.previewUrl}`);
-            }
-        }
-        else {
-            let status = deployment.status;
-            let url = null;
-            for (let i = 0; i < 30; i++) {
-                const res = await client.getDeploymentStatus(project.id, deployment.id);
-                status = res.deployment.status;
-                url = res.url;
-                if (status === "active" || status === "failed")
-                    break;
-                await new Promise((r) => setTimeout(r, 1000));
+        await client.uploadDeploymentBundle(project.id, deployment.id, bundle);
+        // Poll for async deploy progress
+        const POLL_INTERVAL = 1000;
+        const POLL_TIMEOUT = 120_000;
+        const TERMINAL = new Set(["active", "failed", "cancelled"]);
+        const STEP_LABELS = {
+            queued: "Waiting...",
+            uploading: "Uploading bundle...",
+            provisioning: "Provisioning resources...",
+            deploying: "Deploying to edge...",
+        };
+        let lastStatus = "";
+        const start = Date.now();
+        while (Date.now() - start < POLL_TIMEOUT) {
+            const res = await client.getDeploymentStatus(project.id, deployment.id);
+            const { status, failed_step, error_message } = res.deployment;
+            if (status !== lastStatus) {
+                if (lastStatus && STEP_LABELS[lastStatus]) {
+                    consola.success(STEP_LABELS[lastStatus].replace("...", ""));
+                }
+                if (!TERMINAL.has(status) && STEP_LABELS[status]) {
+                    consola.start(STEP_LABELS[status]);
+                }
+                lastStatus = status;
             }
-            if (status === "active" && url) {
-                consola.success(`Deployed! ${url}`);
+            if (status === "active") {
+                consola.success(`Deployed! ${res.url ?? res.previewUrl}`);
+                if (res.url && res.previewUrl) {
+                    consola.info(`Preview:  ${res.previewUrl}`);
+                }
+                return;
             }
-            else if (status === "failed") {
-                consola.error("Deployment failed");
+            if (status === "failed") {
+                const step = failed_step ? ` at ${failed_step}` : "";
+                const msg = error_message ?? "Unknown error";
+                consola.error(`Deploy failed${step}: ${msg}`);
                 process.exit(1);
             }
-            else {
-                consola.warn(`Deployment status: ${status}`);
+            if (status === "cancelled") {
+                consola.warn("Deploy was cancelled");
+                process.exit(1);
             }
+            await new Promise((r) => setTimeout(r, POLL_INTERVAL));
         }
-    },
-});
+        consola.error("Deploy timed out after 2 minutes");
+        process.exit(1);
+    }
+    catch (err) {
+        if (err instanceof CreekAuthError) {
+            consola.error("Authentication failed. Run `creek login` to re-authenticate.");
+            process.exit(1);
+        }
+        throw err;
+    }
+}
 //# sourceMappingURL=deploy.js.map

package/dist/commands/env.d.ts

@@ -0,0 +1,2 @@
+export declare const envCommand: import("citty").CommandDef<import("citty").ArgsDef>;
+//# sourceMappingURL=env.d.ts.map

package/dist/commands/env.js

@@ -0,0 +1,87 @@
+import { defineCommand } from "citty";
+import consola from "consola";
+import { CreekClient } from "@solcreek/sdk";
+import { getToken, getApiUrl } from "../utils/config.js";
+import { existsSync, readFileSync } from "node:fs";
+import { join } from "node:path";
+import { parseConfig } from "@solcreek/sdk";
+function getProjectSlug() {
+    const configPath = join(process.cwd(), "creek.toml");
+    if (!existsSync(configPath)) {
+        consola.error("No creek.toml found. Run `creek init` first.");
+        process.exit(1);
+    }
+    return parseConfig(readFileSync(configPath, "utf-8")).project.name;
+}
+function getClient() {
+    const token = getToken();
+    if (!token) {
+        consola.error("Not authenticated. Run `creek login` first.");
+        process.exit(1);
+    }
+    return new CreekClient(getApiUrl(), token);
+}
+const envSet = defineCommand({
+    meta: { name: "set", description: "Set an environment variable" },
+    args: {
+        key: { type: "positional", description: "Variable name (e.g. DATABASE_URL)", required: true },
+        value: { type: "positional", description: "Variable value", required: true },
+    },
+    async run({ args }) {
+        const client = getClient();
+        const slug = getProjectSlug();
+        await client.setEnvVar(slug, args.key, args.value);
+        consola.success(`Set ${args.key}`);
+    },
+});
+function redact(value) {
+    if (value.length <= 4)
+        return "••••";
+    return value.slice(0, 2) + "•".repeat(Math.min(value.length - 4, 20)) + value.slice(-2);
+}
+const envGet = defineCommand({
+    meta: { name: "ls", description: "List environment variables" },
+    args: {
+        show: { type: "boolean", description: "Show values in plaintext (default: redacted)", default: false },
+    },
+    async run({ args }) {
+        const client = getClient();
+        const slug = getProjectSlug();
+        const vars = await client.listEnvVars(slug);
+        if (vars.length === 0) {
+            consola.info("No environment variables set.");
+            return;
+        }
+        for (const v of vars) {
+            const displayed = args.show ? v.value : redact(v.value);
+            consola.log(`  ${v.key} = ${displayed}`);
+        }
+        if (!args.show) {
+            consola.info("  (use --show to reveal values)");
+        }
+    },
+});
+const envRm = defineCommand({
+    meta: { name: "rm", description: "Remove an environment variable" },
+    args: {
+        key: { type: "positional", description: "Variable name to remove", required: true },
+    },
+    async run({ args }) {
+        const client = getClient();
+        const slug = getProjectSlug();
+        await client.deleteEnvVar(slug, args.key);
+        consola.success(`Removed ${args.key}`);
+    },
+});
+export const envCommand = defineCommand({
+    meta: {
+        name: "env",
+        description: "Manage environment variables",
+    },
+    subCommands: {
+        set: envSet,
+        ls: envGet,
+        rm: envRm,
+    },
+});
+//# sourceMappingURL=env.js.map

package/dist/commands/login.d.ts

@@ -4,5 +4,10 @@ export declare const loginCommand: import("citty").CommandDef<{
         description: string;
         required: false;
     };
+    headless: {
+        type: "boolean";
+        description: string;
+        default: false;
+    };
 }>;
 //# sourceMappingURL=login.d.ts.map

package/dist/commands/login.js

@@ -1,32 +1,111 @@
 import { defineCommand } from "citty";
 import consola from "consola";
-import { writeCliConfig, readCliConfig } from "../utils/config.js";
+import { execFileSync } from "node:child_process";
+import { CreekClient } from "@solcreek/sdk";
+import { writeCliConfig, readCliConfig, getApiUrl } from "../utils/config.js";
+import { startAuthServer } from "../utils/auth-server.js";
+function getDashboardUrl() {
+    const apiUrl = getApiUrl();
+    // http://localhost:8787 → http://localhost:3000
+    // https://api.creek.dev → https://app.creek.dev
+    return apiUrl
+        .replace("api.", "app.")
+        .replace(":8787", ":3000");
+}
+function openBrowser(url) {
+    try {
+        const cmd = process.platform === "darwin"
+            ? "open"
+            : process.platform === "win32"
+                ? "start"
+                : "xdg-open";
+        execFileSync(cmd, [url], { stdio: "ignore" });
+    }
+    catch {
+        // Browser open failed — user will need to copy the URL manually
+    }
+}
 export const loginCommand = defineCommand({
     meta: {
         name: "login",
-        description: "Authenticate with Creek using an API token",
+        description: "Authenticate with Creek",
     },
     args: {
         token: {
             type: "string",
-            description: "API token",
+            description: "API key (for CI/CD, skips interactive prompt)",
             required: false,
         },
+        headless: {
+            type: "boolean",
+            description: "Use headless mode (paste API key manually, for SSH/remote)",
+            default: false,
+        },
     },
     async run({ args }) {
-        let token = args.token;
-        if (!token) {
-            token = await consola.prompt("Enter your API token:", {
-                type: "text",
-            });
+        // Mode 1: --token (CI/CD)
+        if (args.token) {
+            return await saveAndVerify(args.token);
         }
-        if (!token || typeof token !== "string") {
-            consola.error("No token provided");
-            process.exit(1);
+        // Mode 2: --headless (SSH/remote — prompt for API key)
+        if (args.headless) {
+            return await headlessLogin();
         }
-        const config = readCliConfig();
-        writeCliConfig({ ...config, token });
-        consola.success("Token saved successfully");
+        // Mode 3: Default — localhost redirect (best UX)
+        return await browserLogin();
     },
 });
+/**
+ * Default login: open browser → dashboard creates API key → redirect to localhost callback.
+ */
+async function browserLogin() {
+    const { port, state, waitForCallback, close } = startAuthServer();
+    const dashboardUrl = getDashboardUrl();
+    const authUrl = `${dashboardUrl}/cli-auth?port=${port}&state=${state}`;
+    consola.info("Opening browser to authenticate...");
+    consola.info(`If the browser doesn't open, visit: ${authUrl}`);
+    consola.info("");
+    openBrowser(authUrl);
+    consola.start("Waiting for authentication...");
+    try {
+        const key = await waitForCallback();
+        await saveAndVerify(key);
+    }
+    catch (err) {
+        close();
+        consola.error(err instanceof Error ? err.message : "Authentication failed");
+        consola.info("Try `creek login --headless` if browser login isn't working.");
+        process.exit(1);
+    }
+}
+/**
+ * Headless login: prompt user to paste API key from dashboard.
+ */
+async function headlessLogin() {
+    const dashboardUrl = getDashboardUrl();
+    consola.info("Create an API key in the Creek dashboard:");
+    consola.info(`  ${dashboardUrl}/api-keys`);
+    consola.info("");
+    const apiKey = await consola.prompt("Paste your API key:", { type: "text" });
+    if (!apiKey || typeof apiKey !== "string") {
+        consola.error("No API key provided");
+        process.exit(1);
+    }
+    await saveAndVerify(apiKey.trim());
+}
+/**
+ * Validate key against API, save to config, print success.
+ */
+async function saveAndVerify(apiKey) {
+    consola.start("Verifying...");
+    const client = new CreekClient(getApiUrl(), apiKey);
+    const session = await client.getSession();
+    if (!session?.user) {
+        consola.error("Invalid API key. Please check and try again.");
+        process.exit(1);
+    }
+    const config = readCliConfig();
+    writeCliConfig({ ...config, token: apiKey });
+    consola.success(`Logged in as ${session.user.name} (${session.user.email})`);
+}
 //# sourceMappingURL=login.js.map

package/dist/commands/whoami.d.ts

@@ -0,0 +1,2 @@
+export declare const whoamiCommand: import("citty").CommandDef<import("citty").ArgsDef>;
+//# sourceMappingURL=whoami.d.ts.map

package/dist/commands/whoami.js

@@ -0,0 +1,27 @@
+import { defineCommand } from "citty";
+import consola from "consola";
+import { CreekClient } from "@solcreek/sdk";
+import { getToken, getApiUrl } from "../utils/config.js";
+export const whoamiCommand = defineCommand({
+    meta: {
+        name: "whoami",
+        description: "Show the currently authenticated user",
+    },
+    async run() {
+        const token = getToken();
+        if (!token) {
+            consola.error("Not authenticated. Run `creek login` first.");
+            process.exit(1);
+        }
+        const client = new CreekClient(getApiUrl(), token);
+        const session = await client.getSession();
+        if (!session?.user) {
+            consola.error("Session expired or invalid. Run `creek login` to re-authenticate.");
+            process.exit(1);
+        }
+        consola.log(`  User:  ${session.user.name}`);
+        consola.log(`  Email: ${session.user.email}`);
+        consola.log(`  API:   ${getApiUrl()}`);
+    },
+});
+//# sourceMappingURL=whoami.js.map

package/dist/index.js

@@ -1,8 +1,11 @@
 #!/usr/bin/env node
 import { defineCommand, runMain } from "citty";
 import { loginCommand } from "./commands/login.js";
+import { whoamiCommand } from "./commands/whoami.js";
 import { initCommand } from "./commands/init.js";
 import { deployCommand } from "./commands/deploy.js";
+import { claimCommand } from "./commands/claim.js";
+import { envCommand } from "./commands/env.js";
 const main = defineCommand({
     meta: {
         name: "creek",
@@ -11,8 +14,11 @@ const main = defineCommand({
     },
     subCommands: {
         login: loginCommand,
+        whoami: whoamiCommand,
         init: initCommand,
         deploy: deployCommand,
+        claim: claimCommand,
+        env: envCommand,
     },
 });
 runMain(main);

package/dist/utils/auth-server.d.ts

@@ -0,0 +1,22 @@
+export interface AuthCallbackResult {
+    key: string;
+    state: string;
+}
+/**
+ * Start a temporary local HTTP server to receive the OAuth-style callback
+ * from the dashboard after CLI auth.
+ *
+ * Flow:
+ * 1. Server starts on a random available port
+ * 2. CLI opens browser to dashboard /cli-auth?port=X&state=Y
+ * 3. Dashboard creates API key, redirects to http://localhost:X/callback?key=...&state=...
+ * 4. This server receives the callback, validates state, resolves the promise
+ * 5. Server auto-closes
+ */
+export declare function startAuthServer(): {
+    port: number;
+    state: string;
+    waitForCallback: () => Promise<string>;
+    close: () => void;
+};
+//# sourceMappingURL=auth-server.d.ts.map

package/dist/utils/auth-server.js

@@ -0,0 +1,91 @@
+import { createServer } from "node:http";
+import { randomBytes } from "node:crypto";
+/**
+ * Start a temporary local HTTP server to receive the OAuth-style callback
+ * from the dashboard after CLI auth.
+ *
+ * Flow:
+ * 1. Server starts on a random available port
+ * 2. CLI opens browser to dashboard /cli-auth?port=X&state=Y
+ * 3. Dashboard creates API key, redirects to http://localhost:X/callback?key=...&state=...
+ * 4. This server receives the callback, validates state, resolves the promise
+ * 5. Server auto-closes
+ */
+export function startAuthServer() {
+    const state = randomBytes(16).toString("hex");
+    let resolveCallback;
+    let rejectCallback;
+    const callbackPromise = new Promise((resolve, reject) => {
+        resolveCallback = resolve;
+        rejectCallback = reject;
+    });
+    const server = createServer((req, res) => {
+        const url = new URL(req.url ?? "/", `http://localhost`);
+        if (url.pathname === "/callback") {
+            const key = url.searchParams.get("key");
+            const returnedState = url.searchParams.get("state");
+            if (returnedState !== state) {
+                res.writeHead(400, { "Content-Type": "text/html" });
+                res.end(htmlPage("Authentication Failed", "Invalid state parameter. Please try again."));
+                rejectCallback(new Error("State mismatch — possible CSRF attack"));
+                return;
+            }
+            if (!key) {
+                res.writeHead(400, { "Content-Type": "text/html" });
+                res.end(htmlPage("Authentication Failed", "No API key received. Please try again."));
+                rejectCallback(new Error("No API key in callback"));
+                return;
+            }
+            res.writeHead(200, { "Content-Type": "text/html" });
+            res.end(htmlPage("Authenticated!", "You can close this window and return to the terminal."));
+            resolveCallback(key);
+            setTimeout(() => server.close(), 500);
+            return;
+        }
+        res.writeHead(404);
+        res.end("Not found");
+    });
+    // Listen on port 0 = OS picks a random available port
+    server.listen(0, "localhost");
+    const address = server.address();
+    const port = typeof address === "object" && address ? address.port : 0;
+    // Timeout after 2 minutes
+    const timeout = setTimeout(() => {
+        rejectCallback(new Error("Login timed out after 2 minutes"));
+        server.close();
+    }, 120_000);
+    return {
+        port,
+        state,
+        waitForCallback: () => callbackPromise.finally(() => clearTimeout(timeout)),
+        close: () => {
+            clearTimeout(timeout);
+            server.close();
+        },
+    };
+}
+function escapeHtml(s) {
+    return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
+}
+function htmlPage(title, message) {
+    return `<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Creek CLI - ${escapeHtml(title)}</title>
+  <style>
+    body { font-family: system-ui, sans-serif; display: flex; justify-content: center; align-items: center; min-height: 100vh; margin: 0; background: #0a0a0a; color: #eee; }
+    .card { text-align: center; padding: 2rem; }
+    h1 { font-size: 1.5rem; margin-bottom: 0.5rem; }
+    p { color: #888; }
+  </style>
+</head>
+<body>
+  <div class="card">
+    <h1>${escapeHtml(title)}</h1>
+    <p>${escapeHtml(message)}</p>
+  </div>
+</body>
+</html>`;
+}
+//# sourceMappingURL=auth-server.js.map

package/dist/utils/config.d.ts

@@ -7,5 +7,6 @@ export declare function readCliConfig(): CliConfig;
 export declare function writeCliConfig(config: CliConfig): void;
 export declare function getToken(): string | undefined;
 export declare function getApiUrl(): string;
+export declare function getSandboxApiUrl(): string;
 export {};
 //# sourceMappingURL=config.d.ts.map

package/dist/utils/config.js

@@ -18,9 +18,9 @@ export function readCliConfig() {
 }
 export function writeCliConfig(config) {
     if (!existsSync(CONFIG_DIR)) {
-        mkdirSync(CONFIG_DIR, { recursive: true });
+        mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
     }
-    writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2));
+    writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2), { mode: 0o600 });
 }
 export function getToken() {
     return process.env.CREEK_TOKEN ?? readCliConfig().token;
@@ -30,4 +30,8 @@ export function getApiUrl() {
         readCliConfig().apiUrl ??
         "https://api.creek.dev");
 }
+export function getSandboxApiUrl() {
+    return (process.env.CREEK_SANDBOX_API_URL ??
+        "https://sandbox-api.creek.dev");
+}
 //# sourceMappingURL=config.js.map

package/dist/utils/sandbox.d.ts

@@ -0,0 +1,43 @@
+interface SandboxDeployResponse {
+    sandboxId: string;
+    status: string;
+    statusUrl: string;
+    previewUrl: string;
+    expiresAt: string;
+}
+interface SandboxStatusResponse {
+    sandboxId: string;
+    status: string;
+    previewUrl: string;
+    expiresAt: string;
+    expiresInSeconds: number;
+    claimable: boolean;
+    failedStep?: string;
+    errorMessage?: string;
+}
+/**
+ * Deploy a bundle to the sandbox API (no auth required).
+ */
+export declare function sandboxDeploy(bundle: {
+    manifest: {
+        assets: string[];
+        hasWorker: boolean;
+        entrypoint: string | null;
+        renderMode: string;
+    };
+    assets: Record<string, string>;
+    serverFiles?: Record<string, string>;
+    framework?: string;
+    templateId?: string;
+    source: string;
+}): Promise<SandboxDeployResponse>;
+/**
+ * Poll sandbox status until terminal state.
+ */
+export declare function pollSandboxStatus(statusUrl: string): Promise<SandboxStatusResponse>;
+/**
+ * Print sandbox success message with claim instructions.
+ */
+export declare function printSandboxSuccess(previewUrl: string, expiresAt: string, sandboxId: string): void;
+export {};
+//# sourceMappingURL=sandbox.d.ts.map

package/dist/utils/sandbox.js

@@ -0,0 +1,56 @@
+import consola from "consola";
+import { getSandboxApiUrl } from "./config.js";
+/**
+ * Deploy a bundle to the sandbox API (no auth required).
+ */
+export async function sandboxDeploy(bundle) {
+    const apiUrl = getSandboxApiUrl();
+    const res = await fetch(`${apiUrl}/api/sandbox/deploy`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify(bundle),
+    });
+    if (!res.ok) {
+        const err = await res.json().catch(() => ({ message: res.statusText }));
+        throw new Error(err.message ?? `Sandbox deploy failed (${res.status})`);
+    }
+    return res.json();
+}
+/**
+ * Poll sandbox status until terminal state.
+ */
+export async function pollSandboxStatus(statusUrl) {
+    const POLL_INTERVAL = 1000;
+    const POLL_TIMEOUT = 60_000;
+    const start = Date.now();
+    while (Date.now() - start < POLL_TIMEOUT) {
+        const res = await fetch(statusUrl);
+        if (!res.ok)
+            throw new Error(`Status check failed (${res.status})`);
+        const status = (await res.json());
+        if (status.status === "active")
+            return status;
+        if (status.status === "failed") {
+            const step = status.failedStep ? ` at ${status.failedStep}` : "";
+            throw new Error(`Sandbox deploy failed${step}: ${status.errorMessage ?? "Unknown error"}`);
+        }
+        if (status.status === "expired") {
+            throw new Error("Sandbox expired before activation");
+        }
+        await new Promise((r) => setTimeout(r, POLL_INTERVAL));
+    }
+    throw new Error("Sandbox deploy timed out");
+}
+/**
+ * Print sandbox success message with claim instructions.
+ */
+export function printSandboxSuccess(previewUrl, expiresAt, sandboxId) {
+    consola.success(`Deployed! ${previewUrl}`);
+    consola.info("");
+    consola.info("This is a free sandbox preview — it will be available for 60 minutes.");
+    consola.info("");
+    consola.info("Want to keep it? Make it permanent:");
+    consola.info(`  creek login`);
+    consola.info(`  creek claim ${sandboxId}`);
+}
+//# sourceMappingURL=sandbox.js.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "creek",
-  "version": "0.3.0-alpha.2",
+  "version": "0.3.0-alpha.3",
   "description": "CLI for the Creek deployment platform",
   "type": "module",
   "bin": {