npm - gibil - Versions diffs - 0.1.0 - Mend

gibil 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/index.js ADDED Viewed

@@ -0,0 +1,1714 @@
+#!/usr/bin/env node
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+// src/utils/paths.ts
+import { homedir } from "os";
+import { join } from "path";
+var GIBIL_DIR, paths;
+var init_paths = __esm({
+  "src/utils/paths.ts"() {
+    "use strict";
+    GIBIL_DIR = join(homedir(), ".gibil");
+    paths = {
+      root: GIBIL_DIR,
+      instances: join(GIBIL_DIR, "instances"),
+      keys: join(GIBIL_DIR, "keys"),
+      instanceFile: (name) => join(GIBIL_DIR, "instances", `${name}.json`),
+      keyDir: (name) => join(GIBIL_DIR, "keys", name),
+      privateKey: (name) => join(GIBIL_DIR, "keys", name, "id_ed25519"),
+      publicKey: (name) => join(GIBIL_DIR, "keys", name, "id_ed25519.pub")
+    };
+  }
+});
+// src/utils/auth.ts
+var auth_exports = {};
+__export(auth_exports, {
+  clearApiKey: () => clearApiKey,
+  fetchUsage: () => fetchUsage,
+  getApiKey: () => getApiKey,
+  getApiUrl: () => getApiUrl,
+  getApiUrlFromConfig: () => getApiUrlFromConfig,
+  getHetznerToken: () => getHetznerToken,
+  saveApiKey: () => saveApiKey,
+  saveHetznerToken: () => saveHetznerToken,
+  trackUsage: () => trackUsage,
+  verifyApiKey: () => verifyApiKey
+});
+import { readFile, writeFile, mkdir } from "fs/promises";
+import { existsSync } from "fs";
+import { join as join2 } from "path";
+async function readConfig() {
+  if (!existsSync(CONFIG_FILE)) return {};
+  const raw = await readFile(CONFIG_FILE, "utf-8");
+  return JSON.parse(raw);
+}
+async function writeConfig(config) {
+  await mkdir(paths.root, { recursive: true });
+  await writeFile(CONFIG_FILE, JSON.stringify(config, null, 2));
+}
+async function saveApiKey(apiKey) {
+  const config = await readConfig();
+  config.api_key = apiKey;
+  await writeConfig(config);
+}
+async function getApiKey() {
+  if (process.env.GIBIL_API_KEY) return process.env.GIBIL_API_KEY;
+  const config = await readConfig();
+  return config.api_key ?? null;
+}
+async function clearApiKey() {
+  const config = await readConfig();
+  delete config.api_key;
+  await writeConfig(config);
+}
+function getApiUrl() {
+  return process.env.GIBIL_API_URL ?? DEFAULT_API_URL;
+}
+async function getApiUrlFromConfig() {
+  if (process.env.GIBIL_API_URL) return process.env.GIBIL_API_URL;
+  const config = await readConfig();
+  return config.api_url ?? DEFAULT_API_URL;
+}
+async function saveHetznerToken(token) {
+  const config = await readConfig();
+  config.hetzner_token = token;
+  await writeConfig(config);
+}
+async function getHetznerToken() {
+  if (process.env.HETZNER_API_TOKEN) return process.env.HETZNER_API_TOKEN;
+  const config = await readConfig();
+  return config.hetzner_token ?? null;
+}
+async function verifyApiKey(apiKey) {
+  const apiUrl = await getApiUrlFromConfig();
+  const res = await fetch(`${apiUrl}/auth-verify`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ api_key: apiKey })
+  });
+  if (res.status === 401) {
+    throw new Error("Invalid API key. Get one at https://gibil.dev");
+  }
+  if (!res.ok) {
+    const text = await res.text();
+    throw new Error(`API error (${res.status}): ${text}`);
+  }
+  return await res.json();
+}
+async function trackUsage(apiKey, event, instanceName, serverType) {
+  const apiUrl = await getApiUrlFromConfig();
+  const res = await fetch(`${apiUrl}/usage-track`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({
+      api_key: apiKey,
+      event,
+      instance_name: instanceName,
+      server_type: serverType
+    })
+  });
+  if (res.status === 429) {
+    throw new Error(
+      "Plan limit reached. Upgrade at https://gibil.dev/pricing"
+    );
+  }
+  if (!res.ok) {
+    const text = await res.text();
+    throw new Error(`Usage tracking failed (${res.status}): ${text}`);
+  }
+}
+async function fetchUsage(apiKey) {
+  const apiUrl = await getApiUrlFromConfig();
+  const res = await fetch(`${apiUrl}/usage-get`, {
+    headers: { Authorization: `Bearer ${apiKey}` }
+  });
+  if (!res.ok) {
+    const text = await res.text();
+    throw new Error(`Failed to fetch usage (${res.status}): ${text}`);
+  }
+  return await res.json();
+}
+var CONFIG_FILE, DEFAULT_API_URL;
+var init_auth = __esm({
+  "src/utils/auth.ts"() {
+    "use strict";
+    init_paths();
+    CONFIG_FILE = join2(paths.root, "config.json");
+    DEFAULT_API_URL = "https://zopdxjruwktjyjunitrv.supabase.co/functions/v1";
+  }
+});
+// src/cli/index.ts
+import { Command } from "commander";
+// src/utils/logger.ts
+var currentLevel = "info";
+var jsonMode = false;
+var LEVEL_ORDER = {
+  debug: 0,
+  info: 1,
+  warn: 2,
+  error: 3,
+  silent: 4
+};
+function setJsonMode(enabled) {
+  jsonMode = enabled;
+}
+function shouldLog(level) {
+  if (jsonMode && level !== "error") return false;
+  return LEVEL_ORDER[level] >= LEVEL_ORDER[currentLevel];
+}
+var logger = {
+  debug(msg, ...args) {
+    if (shouldLog("debug")) console.debug(`[debug] ${msg}`, ...args);
+  },
+  info(msg, ...args) {
+    if (shouldLog("info")) console.log(msg, ...args);
+  },
+  warn(msg, ...args) {
+    if (shouldLog("warn")) console.warn(`\u26A0 ${msg}`, ...args);
+  },
+  error(msg, ...args) {
+    if (shouldLog("error")) console.error(`\u2716 ${msg}`, ...args);
+  },
+  /** Output JSON to stdout — always works regardless of log level */
+  json(data) {
+    console.log(JSON.stringify(data, null, 2));
+  }
+};
+// src/providers/hetzner.ts
+var API_BASE = "https://api.hetzner.cloud/v1";
+var HetznerProvider = class _HetznerProvider {
+  token;
+  constructor(token) {
+    this.token = token;
+  }
+  static async create(token) {
+    const { getHetznerToken: getHetznerToken2 } = await Promise.resolve().then(() => (init_auth(), auth_exports));
+    const t = token ?? await getHetznerToken2();
+    if (!t) {
+      throw new Error(
+        "HETZNER_API_TOKEN is required. Run 'gibil auth setup' or set it in your environment."
+      );
+    }
+    return new _HetznerProvider(t);
+  }
+  // ── Low-level HTTP ──
+  async request(method, path, body) {
+    const url = `${API_BASE}${path}`;
+    logger.debug(`${method} ${url}`);
+    const res = await fetch(url, {
+      method,
+      headers: {
+        Authorization: `Bearer ${this.token}`,
+        "Content-Type": "application/json"
+      },
+      body: body ? JSON.stringify(body) : void 0
+    });
+    if (!res.ok) {
+      const text = await res.text();
+      let errorMsg;
+      try {
+        const parsed = JSON.parse(text);
+        errorMsg = parsed.error?.message ?? text;
+      } catch {
+        errorMsg = text;
+      }
+      throw new Error(`Hetzner API error (${res.status}): ${errorMsg}`);
+    }
+    if (res.status === 204) return {};
+    return await res.json();
+  }
+  // ── Server operations ──
+  async createServer(name, sshKeyId, userData, serverType = "cax11", location = "fsn1") {
+    const payload = {
+      name,
+      server_type: serverType,
+      image: "ubuntu-24.04",
+      ssh_keys: [sshKeyId],
+      labels: { gibil: "true", "gibil-name": name },
+      location
+    };
+    if (userData) {
+      payload.user_data = userData;
+    }
+    const res = await this.request(
+      "POST",
+      "/servers",
+      payload
+    );
+    return res.server;
+  }
+  async destroyServer(serverId) {
+    await this.request("DELETE", `/servers/${serverId}`);
+  }
+  async getServer(serverId) {
+    const res = await this.request(
+      "GET",
+      `/servers/${serverId}`
+    );
+    return res.server;
+  }
+  async listServers(labelSelector = "gibil=true") {
+    const res = await this.request(
+      "GET",
+      `/servers?label_selector=${encodeURIComponent(labelSelector)}&per_page=50`
+    );
+    return res.servers;
+  }
+  async waitForReady(serverId, timeoutMs = 12e4) {
+    const start = Date.now();
+    const pollInterval = 3e3;
+    while (Date.now() - start < timeoutMs) {
+      const server = await this.getServer(serverId);
+      if (server.status === "running" && server.public_net.ipv4.ip !== "0.0.0.0") {
+        return server;
+      }
+      logger.debug(
+        `Server ${serverId} status: ${server.status}, waiting...`
+      );
+      await new Promise((r) => setTimeout(r, pollInterval));
+    }
+    throw new Error(
+      `Server ${serverId} did not become ready within ${timeoutMs / 1e3}s`
+    );
+  }
+  // ── SSH key operations ──
+  async createSSHKey(name, publicKey) {
+    const res = await this.request(
+      "POST",
+      "/ssh_keys",
+      { name, public_key: publicKey }
+    );
+    return res.ssh_key;
+  }
+  async deleteSSHKey(keyId) {
+    await this.request("DELETE", `/ssh_keys/${keyId}`);
+  }
+};
+// src/ssh/keys.ts
+init_paths();
+import { mkdir as mkdir2, rm, readFile as readFile2, chmod } from "fs/promises";
+import { existsSync as existsSync2 } from "fs";
+import { execFile } from "child_process";
+import { promisify } from "util";
+var execFileAsync = promisify(execFile);
+async function generateInstanceKeys(name) {
+  const keyDir = paths.keyDir(name);
+  if (existsSync2(keyDir)) {
+    await rm(keyDir, { recursive: true });
+  }
+  await mkdir2(keyDir, { recursive: true });
+  const privateKeyPath = paths.privateKey(name);
+  const publicKeyPath = paths.publicKey(name);
+  await execFileAsync("ssh-keygen", [
+    "-t",
+    "ed25519",
+    "-f",
+    privateKeyPath,
+    "-N",
+    "",
+    // no passphrase
+    "-C",
+    `gibil-${name}`
+  ]);
+  await chmod(privateKeyPath, 384);
+  const publicKeyContent = await readFile2(publicKeyPath, "utf-8");
+  return {
+    privateKeyPath,
+    publicKeyPath,
+    publicKey: publicKeyContent.trim()
+  };
+}
+async function deleteInstanceKeys(name) {
+  const keyDir = paths.keyDir(name);
+  if (existsSync2(keyDir)) {
+    await rm(keyDir, { recursive: true });
+  }
+}
+// src/ssh/exec.ts
+init_paths();
+import { Client } from "ssh2";
+import { readFile as readFile3 } from "fs/promises";
+async function sshExec(opts) {
+  const { instanceName, ip, command, stream = false, timeoutMs = 3e4 } = opts;
+  const privateKey = await readFile3(paths.privateKey(instanceName), "utf-8");
+  return new Promise((resolve, reject) => {
+    const conn = new Client();
+    let stdout = "";
+    let stderr = "";
+    conn.on("ready", () => {
+      logger.debug(`SSH connected to ${ip}`);
+      conn.exec(command, (err, channel) => {
+        if (err) {
+          conn.end();
+          return reject(err);
+        }
+        channel.on("data", (data) => {
+          const text = data.toString();
+          stdout += text;
+          if (stream) process.stdout.write(text);
+        });
+        channel.stderr.on("data", (data) => {
+          const text = data.toString();
+          stderr += text;
+          if (stream) process.stderr.write(text);
+        });
+        channel.on("close", (code) => {
+          conn.end();
+          resolve({ stdout, stderr, exitCode: code ?? 0 });
+        });
+      });
+    }).on("error", (err) => {
+      let hint = "";
+      if (err.code === "ECONNREFUSED") {
+        hint = " (instance may have been destroyed or is still booting)";
+      } else if (err.code === "EHOSTUNREACH") {
+        hint = " (IP unreachable \u2014 instance may not be running)";
+      } else if (err.code === "ETIMEDOUT") {
+        hint = " (connection timed out \u2014 check if instance is running with 'gibil list')";
+      }
+      reject(
+        new Error(`SSH connection to ${ip} failed: ${err.message}${hint}`)
+      );
+    }).connect({
+      host: ip,
+      port: 22,
+      username: "root",
+      privateKey,
+      readyTimeout: timeoutMs,
+      // Retry-friendly: don't reject on first attempt
+      hostVerifier: () => true,
+      // Forward local SSH agent for commit signing
+      agent: process.env.SSH_AUTH_SOCK,
+      agentForward: true
+    });
+  });
+}
+async function waitForSSH(instanceName, ip, timeoutMs = 12e4) {
+  const start = Date.now();
+  const retryInterval = 5e3;
+  while (Date.now() - start < timeoutMs) {
+    try {
+      await sshExec({
+        instanceName,
+        ip,
+        command: "echo ready",
+        timeoutMs: 1e4
+      });
+      return;
+    } catch {
+      logger.debug(`SSH not ready on ${ip}, retrying...`);
+      await new Promise((r) => setTimeout(r, retryInterval));
+    }
+  }
+  throw new Error(`SSH did not become available on ${ip} within ${timeoutMs / 1e3}s`);
+}
+// src/config/cloud-init.ts
+function generateCloudInit(opts) {
+  const { repo, config, ttlMinutes, githubToken, gitIdentity } = opts;
+  const lines = [
+    "#!/bin/bash",
+    "set -euo pipefail",
+    "",
+    "# \u2500\u2500 Gibil cloud-init \u2500\u2500",
+    "export HOME=/root",
+    "export DEBIAN_FRONTEND=noninteractive"
+  ];
+  if (githubToken) {
+    lines.push(`export GITHUB_TOKEN=${shellEscape(githubToken)}`);
+  }
+  lines.push(
+    "",
+    "# Base packages",
+    "apt-get update -qq",
+    "apt-get install -y -qq git curl wget build-essential unzip > /dev/null 2>&1",
+    "",
+    "# Install GitHub CLI",
+    "if ! type gh > /dev/null 2>&1; then",
+    "  curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg 2>/dev/null",
+    "  chmod go+r /usr/share/keyrings/githubcli-archive-keyring.gpg",
+    "  ARCH=$(dpkg --print-architecture)",
+    '  echo "deb [arch=${ARCH} signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" > /etc/apt/sources.list.d/github-cli.list',
+    "  apt-get update -qq && apt-get install -y -qq gh > /dev/null 2>&1",
+    "fi",
+    ""
+  );
+  const image = config?.image ?? "node:20";
+  lines.push(...runtimeInstallScript(image));
+  if (config?.services && config.services.length > 0) {
+    lines.push(...dockerInstallScript());
+    lines.push("");
+    for (const svc of config.services) {
+      lines.push(...serviceStartScript(svc));
+    }
+  }
+  if (config?.env) {
+    lines.push("# Environment variables");
+    for (const [key, value] of Object.entries(config.env)) {
+      lines.push(`export ${key}=${shellEscape(value)}`);
+      lines.push(`echo 'export ${key}=${shellEscape(value)}' >> /root/.bashrc`);
+    }
+    lines.push("");
+  }
+  lines.push("# Configure git");
+  if (gitIdentity) {
+    lines.push(`git config --global user.email ${shellEscape(gitIdentity.email)}`);
+    lines.push(`git config --global user.name ${shellEscape(gitIdentity.name)}`);
+    if (gitIdentity.signingKey) {
+      lines.push(`git config --global gpg.format ssh`);
+      lines.push(`git config --global user.signingkey ${shellEscape("key::" + gitIdentity.signingKey)}`);
+      lines.push(`git config --global commit.gpgsign true`);
+      lines.push(`git config --global tag.gpgsign true`);
+      lines.push(`mkdir -p /root/.ssh`);
+      lines.push(`echo ${shellEscape(gitIdentity.email + " " + gitIdentity.signingKey)} > /root/.ssh/allowed_signers`);
+      lines.push(`git config --global gpg.ssh.allowedSignersFile /root/.ssh/allowed_signers`);
+    }
+  } else {
+    lines.push("git config --global user.email 'gibil@bot.dev'");
+    lines.push("git config --global user.name 'Gibil Bot'");
+  }
+  lines.push("");
+  if (repo) {
+    const repoMatch = repo.match(/github\.com\/([^/]+\/[^/.]+)/);
+    lines.push("# Clone repository");
+    lines.push(`cd /root`);
+    if (repoMatch) {
+      lines.push('if [ -n "${GITHUB_TOKEN:-}" ]; then');
+      lines.push(`  CLONE_URL="https://x-access-token:\${GITHUB_TOKEN}@github.com/${repoMatch[1]}.git"`);
+      lines.push("else");
+      lines.push(`  CLONE_URL=${shellEscape(repo)}`);
+      lines.push("fi");
+      lines.push(`timeout 300 git clone "$CLONE_URL" /root/project || { echo "Git clone failed or timed out"; exit 1; }`);
+    } else {
+      lines.push(`timeout 300 git clone ${shellEscape(repo)} /root/project || { echo "Git clone failed or timed out"; exit 1; }`);
+    }
+    lines.push(`cd /root/project`);
+    lines.push("");
+    lines.push('if [ -n "${GITHUB_TOKEN:-}" ]; then');
+    lines.push('  echo "${GITHUB_TOKEN}" | gh auth login --with-token 2>/dev/null || true');
+    if (repoMatch) {
+      lines.push(`  git -C /root/project remote set-url origin "https://x-access-token:\${GITHUB_TOKEN}@github.com/${repoMatch[1]}.git"`);
+    }
+    lines.push("fi");
+    lines.push("");
+  }
+  if (ttlMinutes && ttlMinutes > 0) {
+    lines.push("# Auto-destroy after TTL");
+    lines.push(`echo "shutdown -h now" | at now + ${ttlMinutes} minutes 2>/dev/null || true`);
+    lines.push(
+      `(sleep ${ttlMinutes * 60} && shutdown -h now) &`
+    );
+    lines.push("");
+  }
+  lines.push("# Signal that infrastructure is ready");
+  lines.push("touch /root/.gibil-ready");
+  lines.push('echo "Gibil infrastructure ready"');
+  lines.push("");
+  if (repo && config?.tasks && config.tasks.length > 0) {
+    lines.push("# Run project tasks");
+    lines.push("cd /root/project");
+    for (const task of config.tasks) {
+      lines.push(`echo '\u25B6 Running task: '${shellEscape(task.name)}`);
+      lines.push(`if ! ${task.command}; then`);
+      lines.push(`  echo '\u2717 Task failed: '${shellEscape(task.name)}`);
+      lines.push(`  touch /root/.gibil-tasks-failed`);
+      lines.push(`fi`);
+    }
+    lines.push("");
+    lines.push("# Signal tasks complete");
+    lines.push("if [ ! -f /root/.gibil-tasks-failed ]; then");
+    lines.push("  touch /root/.gibil-tasks-done");
+    lines.push('  echo "Gibil tasks complete"');
+    lines.push("else");
+    lines.push('  echo "Gibil tasks finished with errors"');
+    lines.push("fi");
+  }
+  return lines.join("\n");
+}
+function runtimeInstallScript(image) {
+  const lines = [];
+  if (image.startsWith("node:")) {
+    const version = image.split(":")[1] ?? "20";
+    lines.push("# Install Node.js");
+    lines.push(
+      `curl -fsSL https://deb.nodesource.com/setup_${version}.x | bash - > /dev/null 2>&1`
+    );
+    lines.push("apt-get install -y -qq nodejs > /dev/null 2>&1");
+    lines.push("npm install -g pnpm@latest > /dev/null 2>&1");
+    lines.push("");
+  } else if (image.startsWith("python:")) {
+    const version = image.split(":")[1] ?? "3.12";
+    lines.push("# Install Python");
+    lines.push(
+      `apt-get install -y -qq python${version} python3-pip python3-venv > /dev/null 2>&1`
+    );
+    lines.push("");
+  } else if (image.startsWith("go:")) {
+    const version = image.split(":")[1] ?? "1.22";
+    lines.push("# Install Go");
+    lines.push(
+      `wget -q https://go.dev/dl/go${version}.linux-amd64.tar.gz -O /tmp/go.tar.gz`
+    );
+    lines.push("tar -C /usr/local -xzf /tmp/go.tar.gz");
+    lines.push("export PATH=$PATH:/usr/local/go/bin");
+    lines.push('echo "export PATH=\\$PATH:/usr/local/go/bin" >> /root/.bashrc');
+    lines.push("");
+  } else {
+    lines.push("# Install Node.js (default)");
+    lines.push(
+      "curl -fsSL https://deb.nodesource.com/setup_20.x | bash - > /dev/null 2>&1"
+    );
+    lines.push("apt-get install -y -qq nodejs > /dev/null 2>&1");
+    lines.push("npm install -g pnpm@latest > /dev/null 2>&1");
+    lines.push("");
+  }
+  return lines;
+}
+function dockerInstallScript() {
+  return [
+    "# Install Docker",
+    "curl -fsSL https://get.docker.com | sh > /dev/null 2>&1",
+    "systemctl enable docker --now"
+  ];
+}
+function serviceStartScript(svc) {
+  const lines = [];
+  lines.push(`# Start service: ${svc.name.replace(/[^a-zA-Z0-9_-]/g, "")}`);
+  const safeName = svc.name.replace(/[^a-zA-Z0-9_-]/g, "");
+  let dockerCmd = `docker run -d --name ${safeName}`;
+  if (svc.port) {
+    dockerCmd += ` -p ${svc.port}:${svc.port}`;
+  }
+  if (svc.env) {
+    for (const [key, value] of Object.entries(svc.env)) {
+      dockerCmd += ` -e ${key}=${shellEscape(value)}`;
+    }
+  }
+  dockerCmd += ` ${svc.image}`;
+  lines.push(dockerCmd);
+  lines.push("");
+  return lines;
+}
+function shellEscape(s) {
+  return `'${s.replace(/'/g, "'\\''")}'`;
+}
+// src/config/parser.ts
+import { readFile as readFile4 } from "fs/promises";
+import { existsSync as existsSync3, statSync } from "fs";
+import { join as join3 } from "path";
+import { parse as parseYaml } from "yaml";
+var CONFIG_FILENAME = ".gibil.yml";
+async function parseConfig(pathOrDir) {
+  let configPath;
+  if (existsSync3(pathOrDir) && statSync(pathOrDir).isFile()) {
+    configPath = pathOrDir;
+  } else {
+    configPath = join3(pathOrDir, CONFIG_FILENAME);
+  }
+  if (!existsSync3(configPath)) return null;
+  const raw = await readFile4(configPath, "utf-8");
+  const parsed = parseYaml(raw);
+  return validateConfig(parsed);
+}
+function parseConfigString(yamlContent) {
+  const parsed = parseYaml(yamlContent);
+  return validateConfig(parsed);
+}
+function validateConfig(raw) {
+  if (!raw || typeof raw !== "object") {
+    throw new Error("Invalid .gibil.yml: must be a YAML object");
+  }
+  const config = raw;
+  const result = {};
+  if (typeof config.name === "string") result.name = config.name;
+  if (typeof config.image === "string") result.image = config.image;
+  if (typeof config.server_type === "string")
+    result.server_type = config.server_type;
+  if (typeof config.location === "string") result.location = config.location;
+  if (Array.isArray(config.services)) {
+    result.services = config.services.map((s) => {
+      const svc = s;
+      if (typeof svc.name !== "string" || typeof svc.image !== "string") {
+        throw new Error(
+          "Each service must have a 'name' and 'image' field"
+        );
+      }
+      return {
+        name: svc.name,
+        image: svc.image,
+        port: typeof svc.port === "number" ? svc.port : void 0,
+        env: validateEnvRecord(svc.env, `service "${svc.name}"`)
+      };
+    });
+  }
+  if (Array.isArray(config.tasks)) {
+    result.tasks = config.tasks.map((t) => {
+      const task = t;
+      if (typeof task.name !== "string" || typeof task.command !== "string") {
+        throw new Error(
+          "Each task must have a 'name' and 'command' field"
+        );
+      }
+      return { name: task.name, command: task.command };
+    });
+  }
+  if (config.env !== void 0) {
+    result.env = validateEnvRecord(config.env, "top-level");
+  }
+  return result;
+}
+function validateEnvRecord(env, context) {
+  if (env === void 0 || env === null) return void 0;
+  if (typeof env !== "object" || Array.isArray(env)) {
+    throw new Error(`env in ${context} must be a key-value object`);
+  }
+  const result = {};
+  for (const [key, value] of Object.entries(env)) {
+    if (typeof value === "string") {
+      result[key] = value;
+    } else if (typeof value === "number" || typeof value === "boolean") {
+      result[key] = String(value);
+    } else {
+      throw new Error(
+        `env.${key} in ${context} must be a string, number, or boolean \u2014 got ${typeof value}`
+      );
+    }
+  }
+  return Object.keys(result).length > 0 ? result : void 0;
+}
+// src/utils/store.ts
+init_paths();
+import { readFile as readFile5, writeFile as writeFile2, mkdir as mkdir3, rm as rm2, readdir } from "fs/promises";
+import { existsSync as existsSync4 } from "fs";
+import { join as join4 } from "path";
+var InstanceStore = class {
+  instancesDir;
+  keysDir;
+  constructor(baseDir) {
+    const root = baseDir ?? paths.root;
+    this.instancesDir = join4(root, "instances");
+    this.keysDir = join4(root, "keys");
+  }
+  async ensureDirectories() {
+    await mkdir3(this.instancesDir, { recursive: true });
+    await mkdir3(this.keysDir, { recursive: true });
+  }
+  instanceFile(name) {
+    return join4(this.instancesDir, `${name}.json`);
+  }
+  async save(meta) {
+    await this.ensureDirectories();
+    await writeFile2(this.instanceFile(meta.name), JSON.stringify(meta, null, 2));
+  }
+  async load(name) {
+    const filePath = this.instanceFile(name);
+    if (!existsSync4(filePath)) return null;
+    const raw = await readFile5(filePath, "utf-8");
+    return JSON.parse(raw);
+  }
+  async loadOrThrow(name) {
+    const meta = await this.load(name);
+    if (!meta) {
+      throw new Error(
+        `Instance "${name}" not found. Run "gibil list" to see active instances.`
+      );
+    }
+    return meta;
+  }
+  /** Load and verify the instance hasn't expired */
+  async loadActiveOrThrow(name) {
+    const meta = await this.loadOrThrow(name);
+    if (/* @__PURE__ */ new Date() > new Date(meta.expiresAt)) {
+      throw new Error(
+        `Instance "${name}" has expired (TTL was ${meta.ttlMinutes}m). Run "gibil destroy ${name}" to clean up.`
+      );
+    }
+    return meta;
+  }
+  async delete(name) {
+    const filePath = this.instanceFile(name);
+    if (existsSync4(filePath)) {
+      await rm2(filePath);
+    }
+  }
+  async list() {
+    await this.ensureDirectories();
+    const files = await readdir(this.instancesDir);
+    const instances = [];
+    for (const file of files) {
+      if (!file.endsWith(".json")) continue;
+      const name = file.replace(".json", "");
+      const meta = await this.load(name);
+      if (meta) instances.push(meta);
+    }
+    return instances;
+  }
+};
+var defaultStore = new InstanceStore();
+var saveInstance = (meta) => defaultStore.save(meta);
+var loadInstanceOrThrow = (name) => defaultStore.loadOrThrow(name);
+var loadActiveInstanceOrThrow = (name) => defaultStore.loadActiveOrThrow(name);
+var deleteInstance = (name) => defaultStore.delete(name);
+var listInstances = () => defaultStore.list();
+// src/utils/random.ts
+import { randomBytes } from "crypto";
+function randomSuffix(length = 6) {
+  return randomBytes(Math.ceil(length / 2)).toString("hex").slice(0, length);
+}
+function defaultInstanceName() {
+  return `gibil-${randomSuffix()}`;
+}
+function fleetId() {
+  return `fleet-${randomSuffix(8)}`;
+}
+// src/cli/commands/create.ts
+init_paths();
+// src/utils/validate.ts
+var INSTANCE_NAME_REGEX = /^[a-zA-Z0-9][a-zA-Z0-9_-]{0,62}$/;
+function validateInstanceName(name) {
+  if (!INSTANCE_NAME_REGEX.test(name)) {
+    throw new Error(
+      `Invalid instance name "${name}". Names must be 1-63 chars, start with alphanumeric, and contain only [a-zA-Z0-9_-].`
+    );
+  }
+  return name;
+}
+function parsePositiveInt(value, label) {
+  const parsed = parseInt(value, 10);
+  if (isNaN(parsed) || parsed <= 0) {
+    throw new Error(`${label} must be a positive integer, got "${value}"`);
+  }
+  return parsed;
+}
+// src/cli/commands/create.ts
+init_auth();
+import { execSync } from "child_process";
+import { readFileSync } from "fs";
+function getLocalGitIdentity() {
+  try {
+    const name = execSync("git config user.name", { encoding: "utf-8" }).trim();
+    const email = execSync("git config user.email", { encoding: "utf-8" }).trim();
+    if (!name || !email) return void 0;
+    let signingKey;
+    try {
+      const format = execSync("git config gpg.format", { encoding: "utf-8" }).trim();
+      if (format === "ssh") {
+        const keyPath = execSync("git config user.signingkey", { encoding: "utf-8" }).trim();
+        if (keyPath) {
+          try {
+            signingKey = readFileSync(keyPath, "utf-8").trim();
+          } catch {
+            if (keyPath.startsWith("ssh-") || keyPath.startsWith("key::")) {
+              signingKey = keyPath.replace(/^key::/, "");
+            }
+          }
+        }
+      }
+    } catch {
+    }
+    return { name, email, signingKey };
+  } catch {
+    return void 0;
+  }
+}
+async function createSingleInstance(provider, name, opts) {
+  logger.info(`  Generating SSH keys for "${name}"...`);
+  const keys = await generateInstanceKeys(name);
+  let sshKey;
+  try {
+    logger.info(`  Uploading SSH key to Hetzner...`);
+    sshKey = await provider.createSSHKey(`gibil-${name}`, keys.publicKey);
+    const gitIdentity = getLocalGitIdentity();
+    const userData = generateCloudInit({
+      repo: opts.repo,
+      config: opts.config ?? void 0,
+      ttlMinutes: opts.ttlMinutes,
+      githubToken: process.env.GITHUB_TOKEN,
+      gitIdentity
+    });
+    logger.info(`  Creating server...`);
+    const server = await provider.createServer(
+      name,
+      sshKey.id,
+      userData,
+      opts.config?.server_type ?? opts.serverType,
+      opts.config?.location ?? opts.location
+    );
+    logger.info(`  Waiting for server to be ready...`);
+    const readyServer = await provider.waitForReady(server.id);
+    const ip = readyServer.public_net.ipv4.ip;
+    const now = /* @__PURE__ */ new Date();
+    const meta = {
+      name,
+      serverId: server.id,
+      ip,
+      sshKeyId: sshKey.id,
+      keyPath: paths.privateKey(name),
+      status: "running",
+      createdAt: now.toISOString(),
+      ttlMinutes: opts.ttlMinutes,
+      expiresAt: new Date(
+        now.getTime() + opts.ttlMinutes * 6e4
+      ).toISOString(),
+      repo: opts.repo,
+      fleetId: opts.fleetId,
+      gitIdentity
+    };
+    await saveInstance(meta);
+    logger.info(`  Waiting for SSH on ${ip}...`);
+    await waitForSSH(name, ip);
+    logger.info(`  \u2713 Instance "${name}" is ready at ${ip}`);
+    return meta;
+  } catch (error) {
+    logger.error(`Failed to create instance "${name}", cleaning up...`);
+    await deleteInstanceKeys(name).catch(
+      (e) => logger.warn(`Could not clean up SSH keys: ${e instanceof Error ? e.message : String(e)}`)
+    );
+    if (sshKey) {
+      const keyId = sshKey.id;
+      await provider.deleteSSHKey(keyId).catch(
+        (e) => logger.warn(`Could not delete Hetzner SSH key ${keyId}: ${e instanceof Error ? e.message : String(e)}`)
+      );
+    }
+    throw error;
+  }
+}
+function metaToOutput(meta) {
+  const ttlRemaining = Math.max(
+    0,
+    Math.floor((new Date(meta.expiresAt).getTime() - Date.now()) / 1e3)
+  );
+  return {
+    name: meta.name,
+    ip: meta.ip,
+    ssh: `ssh -i ${meta.keyPath} -o StrictHostKeyChecking=no root@${meta.ip}`,
+    status: meta.status,
+    ttl_remaining: ttlRemaining,
+    created_at: meta.createdAt,
+    fleet_id: meta.fleetId
+  };
+}
+async function fetchRepoConfig(repoUrl) {
+  const match = repoUrl.match(
+    /github\.com\/([^/]+)\/([^/.]+)/
+  );
+  if (!match) {
+    logger.debug(`Cannot fetch config from non-GitHub repo: ${repoUrl}`);
+    return null;
+  }
+  const [, owner, repo] = match;
+  const rawUrl = `https://raw.githubusercontent.com/${owner}/${repo}/HEAD/.gibil.yml`;
+  logger.debug(`Fetching config from ${rawUrl}`);
+  try {
+    const res = await fetch(rawUrl, { signal: AbortSignal.timeout(1e4) });
+    if (!res.ok) {
+      logger.debug(`No .gibil.yml found in repo (${res.status})`);
+      return null;
+    }
+    const content = await res.text();
+    return parseConfigString(content);
+  } catch {
+    logger.debug("Failed to fetch repo config, continuing without it");
+    return null;
+  }
+}
+function registerCreateCommand(program2) {
+  program2.command("create").description("Spin up one or more ephemeral dev machines").option("-n, --name <name>", "Instance name").option(
+    "-f, --fleet <count>",
+    "Number of instances to create in parallel"
+  ).option("-r, --repo <git-url>", "Git repository to clone on startup").option("--json", "Output instance info as JSON").option("--ttl <minutes>", "Auto-destroy after N minutes", "60").option("-c, --config <path>", "Path to .gibil.yml config").option("--server-type <type>", "Hetzner server type (e.g. cpx11, cpx21)").option("--location <loc>", "Hetzner location (e.g. fsn1, nbg1)").option("-q, --quiet", "Suppress non-essential output").action(async (opts) => {
+    if (opts.json) setJsonMode(true);
+    const ttlMinutes = parsePositiveInt(opts.ttl ?? "60", "TTL");
+    if (ttlMinutes > 10080) {
+      throw new Error("TTL cannot exceed 7 days (10080 minutes).");
+    }
+    const fleetCount = parsePositiveInt(opts.fleet ?? "1", "Fleet count");
+    if (fleetCount > 20) {
+      throw new Error("Fleet size cannot exceed 20. Contact support for higher limits.");
+    }
+    if (opts.name) validateInstanceName(opts.name);
+    let config = null;
+    if (opts.config) {
+      config = await parseConfig(opts.config);
+    } else if (opts.repo) {
+      config = await fetchRepoConfig(opts.repo);
+    } else {
+      config = await parseConfig(process.cwd());
+    }
+    const apiKey = await getApiKey();
+    if (apiKey) {
+      logger.info("Verifying API key...");
+      const auth = await verifyApiKey(apiKey);
+      logger.info(`  Authenticated as ${auth.user.email} (${auth.user.plan})`);
+    }
+    const provider = await HetznerProvider.create();
+    if (fleetCount === 1) {
+      const name = opts.name ?? defaultInstanceName();
+      logger.info(`Creating instance "${name}"...`);
+      const meta = await createSingleInstance(provider, name, {
+        repo: opts.repo,
+        ttlMinutes,
+        config,
+        serverType: opts.serverType,
+        location: opts.location
+      });
+      if (apiKey) {
+        await trackUsage(apiKey, "create", meta.name, opts.serverType).catch(
+          (e) => logger.debug(`Usage tracking failed: ${e instanceof Error ? e.message : String(e)}`)
+        );
+      }
+      if (opts.json) {
+        logger.json(metaToOutput(meta));
+      } else {
+        logger.info("");
+        logger.info(`Instance ready:`);
+        logger.info(`  Name: ${meta.name}`);
+        logger.info(`  IP:   ${meta.ip}`);
+        logger.info(
+          `  SSH:  ssh -i ${meta.keyPath} -o StrictHostKeyChecking=no root@${meta.ip}`
+        );
+        logger.info(`  TTL:  ${ttlMinutes} minutes`);
+        logger.info("");
+        logger.info(`Quick connect: gibil ssh ${meta.name}`);
+      }
+    } else {
+      const fId = fleetId();
+      const baseName = opts.name ?? "gibil";
+      logger.info(`Creating fleet "${fId}" with ${fleetCount} instances...`);
+      const names = Array.from(
+        { length: fleetCount },
+        (_, i) => `${baseName}-${i + 1}-${fId.slice(6)}`
+      );
+      const results = await Promise.allSettled(
+        names.map(
+          (name) => createSingleInstance(provider, name, {
+            repo: opts.repo,
+            ttlMinutes,
+            config,
+            serverType: opts.serverType,
+            location: opts.location,
+            fleetId: fId
+          })
+        )
+      );
+      const succeeded = [];
+      const failed = [];
+      for (let i = 0; i < results.length; i++) {
+        const result = results[i];
+        if (result.status === "fulfilled") {
+          succeeded.push(result.value);
+        } else {
+          failed.push(
+            `${names[i]}: ${result.reason instanceof Error ? result.reason.message : String(result.reason)}`
+          );
+        }
+      }
+      if (apiKey) {
+        await Promise.all(
+          succeeded.map(
+            (m) => trackUsage(apiKey, "create", m.name, opts.serverType).catch(
+              (e) => logger.debug(`Usage tracking failed for ${m.name}: ${e instanceof Error ? e.message : String(e)}`)
+            )
+          )
+        );
+      }
+      if (opts.json) {
+        logger.json({
+          fleet_id: fId,
+          instances: succeeded.map(metaToOutput),
+          errors: failed
+        });
+      } else {
+        logger.info("");
+        logger.info(
+          `Fleet "${fId}": ${succeeded.length}/${fleetCount} instances created`
+        );
+        for (const meta of succeeded) {
+          logger.info(`  \u2713 ${meta.name} \u2192 ${meta.ip}`);
+        }
+        for (const err of failed) {
+          logger.error(`  \u2717 ${err}`);
+        }
+      }
+    }
+  });
+}
+// src/cli/commands/ssh.ts
+import { spawn } from "child_process";
+function registerSSHCommand(program2) {
+  program2.command("ssh <name>").description("SSH into a running ephemeral machine").action(async (name) => {
+    const meta = await loadActiveInstanceOrThrow(name);
+    const sshArgs = [
+      "-A",
+      "-i",
+      meta.keyPath,
+      "-o",
+      "StrictHostKeyChecking=no",
+      "-o",
+      "UserKnownHostsFile=/dev/null",
+      "-o",
+      "LogLevel=ERROR",
+      `root@${meta.ip}`
+    ];
+    const proc = spawn("ssh", sshArgs, {
+      stdio: "inherit"
+    });
+    proc.on("exit", (code) => {
+      process.exit(code ?? 0);
+    });
+  });
+}
+// src/cli/commands/run.ts
+function registerRunCommand(program2) {
+  program2.command("run <name> <command...>").description("Execute a command on a running instance").option("--json", "Output result as JSON").action(async (name, commandParts, opts) => {
+    if (opts.json) setJsonMode(true);
+    const meta = await loadActiveInstanceOrThrow(name);
+    const command = commandParts.join(" ");
+    logger.info(`Running on "${name}" (${meta.ip}): ${command}`);
+    const result = await sshExec({
+      instanceName: name,
+      ip: meta.ip,
+      command,
+      stream: !opts.json
+    });
+    if (opts.json) {
+      logger.json({
+        instance: name,
+        command,
+        stdout: result.stdout,
+        stderr: result.stderr,
+        exit_code: result.exitCode
+      });
+    } else if (result.exitCode !== 0) {
+      logger.error(`Command exited with code ${result.exitCode}`);
+    }
+    process.exit(result.exitCode ?? 1);
+  });
+}
+// src/cli/commands/destroy.ts
+init_auth();
+async function destroySingle(provider, name) {
+  const meta = await loadInstanceOrThrow(name);
+  logger.info(`Destroying instance "${name}" (server ${meta.serverId})...`);
+  try {
+    await provider.destroyServer(meta.serverId);
+  } catch (error) {
+    logger.warn(
+      `Could not delete server ${meta.serverId}: ${error instanceof Error ? error.message : String(error)}`
+    );
+  }
+  try {
+    await provider.deleteSSHKey(meta.sshKeyId);
+  } catch (error) {
+    logger.warn(
+      `Could not delete SSH key ${meta.sshKeyId}: ${error instanceof Error ? error.message : String(error)}`
+    );
+  }
+  await deleteInstanceKeys(name);
+  await deleteInstance(name);
+  const apiKey = await getApiKey();
+  if (apiKey) {
+    await trackUsage(apiKey, "destroy", name).catch(
+      (e) => logger.warn(`Usage tracking failed (billing may be inaccurate): ${e instanceof Error ? e.message : String(e)}`)
+    );
+  }
+  logger.info(`  \u2713 Instance "${name}" destroyed`);
+}
+function registerDestroyCommand(program2) {
+  program2.command("destroy [name]").description("Destroy a running ephemeral machine").option("-a, --all", "Destroy all gibil instances").option("--json", "Output result as JSON").action(async (name, opts) => {
+    if (opts.json) setJsonMode(true);
+    if (opts.all) {
+      const instances = await listInstances();
+      if (instances.length === 0) {
+        if (opts.json) {
+          logger.json({ destroyed: [], failed: [] });
+        } else {
+          logger.info("No instances to destroy.");
+        }
+        return;
+      }
+      const provider = await HetznerProvider.create();
+      logger.info(`Destroying ${instances.length} instance(s)...`);
+      const results = await Promise.allSettled(
+        instances.map((inst) => destroySingle(provider, inst.name))
+      );
+      const destroyed = [];
+      const failed = [];
+      for (let i = 0; i < results.length; i++) {
+        if (results[i].status === "fulfilled") {
+          destroyed.push(instances[i].name);
+        } else {
+          const reason = results[i].reason;
+          failed.push(
+            `${instances[i].name}: ${reason instanceof Error ? reason.message : String(reason)}`
+          );
+        }
+      }
+      if (opts.json) {
+        logger.json({ destroyed, failed });
+      } else {
+        logger.info(
+          `
+${destroyed.length} destroyed, ${failed.length} failed`
+        );
+      }
+    } else {
+      if (!name) {
+        logger.error(
+          'Specify an instance name or use --all. Run "gibil list" to see instances.'
+        );
+        process.exit(1);
+      }
+      const provider = await HetznerProvider.create();
+      await destroySingle(provider, name);
+      if (opts.json) {
+        logger.json({ destroyed: [name] });
+      }
+    }
+  });
+}
+// src/cli/commands/list.ts
+function registerListCommand(program2) {
+  program2.command("list").alias("ls").description("List all active gibil instances").option("--json", "Output as JSON").action(async (opts) => {
+    if (opts.json) setJsonMode(true);
+    const instances = await listInstances();
+    if (instances.length === 0) {
+      if (opts.json) {
+        logger.json({ instances: [] });
+      } else {
+        logger.info("No active instances.");
+      }
+      return;
+    }
+    const outputs = instances.map((meta) => {
+      const ttlRemaining = Math.max(
+        0,
+        Math.floor(
+          (new Date(meta.expiresAt).getTime() - Date.now()) / 1e3
+        )
+      );
+      return {
+        name: meta.name,
+        ip: meta.ip,
+        ssh: `ssh -i ${meta.keyPath} -o StrictHostKeyChecking=no root@${meta.ip}`,
+        status: meta.status,
+        ttl_remaining: ttlRemaining,
+        created_at: meta.createdAt,
+        fleet_id: meta.fleetId
+      };
+    });
+    if (opts.json) {
+      logger.json({ instances: outputs });
+      return;
+    }
+    logger.info(
+      `${"NAME".padEnd(30)} ${"IP".padEnd(18)} ${"STATUS".padEnd(12)} ${"TTL".padEnd(10)} ${"AGE".padEnd(10)}`
+    );
+    logger.info("\u2500".repeat(80));
+    for (const inst of outputs) {
+      const ttl = formatDuration(inst.ttl_remaining);
+      const age = formatAge(inst.created_at);
+      logger.info(
+        `${inst.name.padEnd(30)} ${inst.ip.padEnd(18)} ${inst.status.padEnd(12)} ${ttl.padEnd(10)} ${age.padEnd(10)}`
+      );
+    }
+    logger.info(`
+${outputs.length} instance(s)`);
+  });
+}
+function formatDuration(seconds) {
+  if (seconds <= 0) return "expired";
+  const m = Math.floor(seconds / 60);
+  const s = seconds % 60;
+  if (m >= 60) {
+    const h = Math.floor(m / 60);
+    return `${h}h ${m % 60}m`;
+  }
+  return `${m}m ${s}s`;
+}
+function formatAge(createdAt) {
+  const diffMs = Date.now() - new Date(createdAt).getTime();
+  const seconds = Math.floor(diffMs / 1e3);
+  return formatDuration(seconds);
+}
+// src/cli/commands/extend.ts
+function registerExtendCommand(program2) {
+  program2.command("extend <name>").description("Extend the TTL of a running instance").requiredOption("--ttl <minutes>", "New TTL in minutes from now").option("--json", "Output result as JSON").action(async (name, opts) => {
+    if (opts.json) setJsonMode(true);
+    const meta = await loadActiveInstanceOrThrow(name);
+    const ttlMinutes = parseInt(opts.ttl, 10);
+    if (isNaN(ttlMinutes) || ttlMinutes <= 0) {
+      logger.error("TTL must be a positive number of minutes");
+      process.exit(1);
+    }
+    await sshExec({
+      instanceName: name,
+      ip: meta.ip,
+      command: [
+        // Kill any existing shutdown timers
+        "pkill -f 'sleep.*shutdown' || true",
+        // Set new timer
+        `(sleep ${ttlMinutes * 60} && shutdown -h now) &`
+      ].join(" && ")
+    });
+    const newExpiry = new Date(
+      Date.now() + ttlMinutes * 6e4
+    ).toISOString();
+    meta.ttlMinutes = ttlMinutes;
+    meta.expiresAt = newExpiry;
+    await saveInstance(meta);
+    if (opts.json) {
+      logger.json({
+        name: meta.name,
+        ttl_minutes: ttlMinutes,
+        expires_at: newExpiry
+      });
+    } else {
+      logger.info(
+        `\u2713 Extended "${name}" TTL to ${ttlMinutes} minutes (expires ${newExpiry})`
+      );
+    }
+  });
+}
+// src/cli/commands/exec-script.ts
+import { readFile as readFile6 } from "fs/promises";
+import { randomBytes as randomBytes2 } from "crypto";
+function registerExecScriptCommand(program2) {
+  program2.command("exec <name>").description("Upload and run a local script on an instance").requiredOption("-s, --script <path>", "Path to local script").option("--json", "Output result as JSON").action(async (name, opts) => {
+    if (opts.json) setJsonMode(true);
+    const meta = await loadActiveInstanceOrThrow(name);
+    const scriptContent = await readFile6(opts.script, "utf-8");
+    logger.info(
+      `Uploading and running script "${opts.script}" on "${name}"...`
+    );
+    const encoded = Buffer.from(scriptContent).toString("base64");
+    const remoteScript = `/tmp/gibil-script-${randomBytes2(4).toString("hex")}.sh`;
+    const result = await sshExec({
+      instanceName: name,
+      ip: meta.ip,
+      command: `echo '${encoded}' | base64 -d > ${remoteScript} && chmod +x ${remoteScript} && ${remoteScript}; EXIT=$?; rm -f ${remoteScript}; exit $EXIT`,
+      stream: !opts.json
+    });
+    if (opts.json) {
+      logger.json({
+        instance: name,
+        script: opts.script,
+        stdout: result.stdout,
+        stderr: result.stderr,
+        exit_code: result.exitCode
+      });
+    } else if (result.exitCode !== 0) {
+      logger.error(`Script exited with code ${result.exitCode}`);
+    }
+    process.exit(result.exitCode ?? 1);
+  });
+}
+// src/cli/commands/auth.ts
+init_auth();
+import { createInterface } from "readline";
+function prompt(question) {
+  const rl = createInterface({
+    input: process.stdin,
+    output: process.stderr
+    // stderr so stdout stays clean for --json
+  });
+  return new Promise((resolve) => {
+    rl.question(question, (answer) => {
+      rl.close();
+      resolve(answer.trim());
+    });
+  });
+}
+function registerAuthCommand(program2) {
+  const auth = program2.command("auth").description("Manage authentication");
+  auth.command("login").description("Log in with your Gibil API key").option("--key <api-key>", "API key (or enter interactively)").option("--json", "Output result as JSON").action(async (opts) => {
+    if (opts.json) setJsonMode(true);
+    let apiKey = opts.key ?? process.env.GIBIL_API_KEY;
+    if (!apiKey) {
+      apiKey = await prompt("Enter your API key: ");
+    }
+    if (!apiKey) {
+      logger.error("No API key provided.");
+      process.exit(1);
+    }
+    if (!apiKey.startsWith("pk_")) {
+      logger.error('Invalid key format. API keys start with "pk_".');
+      process.exit(1);
+    }
+    logger.info("Verifying API key...");
+    try {
+      const result = await verifyApiKey(apiKey);
+      await saveApiKey(apiKey);
+      if (opts.json) {
+        logger.json({
+          authenticated: true,
+          email: result.user.email,
+          plan: result.user.plan
+        });
+      } else {
+        logger.info(`\u2713 Logged in as ${result.user.email}`);
+        logger.info(`  Plan: ${result.user.plan}`);
+        logger.info(
+          `  Limits: ${result.limits.max_concurrent} concurrent VMs, ${result.limits.remaining_hours}h remaining`
+        );
+      }
+    } catch (error) {
+      logger.error(
+        error instanceof Error ? error.message : String(error)
+      );
+      process.exit(1);
+    }
+  });
+  auth.command("setup").description("Configure Hetzner API token (stored in ~/.gibil/config.json)").option("--token <token>", "Hetzner API token (or enter interactively)").action(async (opts) => {
+    let token = opts.token;
+    if (!token) {
+      token = await prompt("Enter your Hetzner API token: ");
+    }
+    if (!token) {
+      logger.error("No token provided.");
+      process.exit(1);
+    }
+    try {
+      const res = await fetch("https://api.hetzner.cloud/v1/servers", {
+        headers: { Authorization: `Bearer ${token}` }
+      });
+      const data = await res.json();
+      if (data.error) {
+        logger.error(`Invalid token: ${data.error.message}`);
+        process.exit(1);
+      }
+    } catch {
+      logger.error("Could not verify token with Hetzner API.");
+      process.exit(1);
+    }
+    await saveHetznerToken(token);
+    logger.info("\u2713 Hetzner token saved to ~/.gibil/config.json");
+  });
+  auth.command("logout").description("Clear stored API key").action(async () => {
+    await clearApiKey();
+    logger.info("\u2713 Logged out. API key removed from ~/.gibil/config.json");
+  });
+  auth.command("status").description("Show current authentication status").option("--json", "Output result as JSON").action(async (opts) => {
+    if (opts.json) setJsonMode(true);
+    const apiKey = await getApiKey();
+    if (!apiKey) {
+      if (opts.json) {
+        logger.json({ authenticated: false });
+      } else {
+        logger.info('Not logged in. Run "gibil auth login" to authenticate.');
+      }
+      return;
+    }
+    try {
+      const result = await verifyApiKey(apiKey);
+      if (opts.json) {
+        logger.json({
+          authenticated: true,
+          email: result.user.email,
+          plan: result.user.plan,
+          limits: result.limits
+        });
+      } else {
+        logger.info(`\u2713 Authenticated as ${result.user.email}`);
+        logger.info(`  Plan: ${result.user.plan}`);
+        logger.info(
+          `  Concurrent VMs: ${result.limits.max_concurrent}`
+        );
+        logger.info(
+          `  Hours remaining: ${result.limits.remaining_hours}`
+        );
+      }
+    } catch {
+      if (opts.json) {
+        logger.json({ authenticated: false, error: "Key verification failed" });
+      } else {
+        logger.error(
+          'Stored API key is invalid. Run "gibil auth login" to re-authenticate.'
+        );
+      }
+    }
+  });
+}
+// src/cli/commands/usage.ts
+init_auth();
+function registerUsageCommand(program2) {
+  program2.command("usage").description("Show current month's usage and plan limits").option("--json", "Output as JSON").action(async (opts) => {
+    if (opts.json) setJsonMode(true);
+    const apiKey = await getApiKey();
+    if (!apiKey) {
+      logger.error('Not logged in. Run "gibil auth login" first.');
+      process.exit(1);
+    }
+    try {
+      const usage = await fetchUsage(apiKey);
+      if (opts.json) {
+        logger.json(usage);
+      } else {
+        const hoursPercent = Math.round(
+          usage.vm_hours_used / usage.vm_hours_limit * 100
+        );
+        logger.info(`Plan: ${usage.plan}`);
+        logger.info(
+          `VM hours: ${usage.vm_hours_used.toFixed(1)} / ${usage.vm_hours_limit}h (${hoursPercent}%)`
+        );
+        logger.info(
+          `Active instances: ${usage.active_instances} / ${usage.max_concurrent}`
+        );
+        if (hoursPercent > 80) {
+          logger.warn(
+            "Running low on hours. Upgrade at https://gibil.dev/pricing"
+          );
+        }
+      }
+    } catch (error) {
+      logger.error(
+        error instanceof Error ? error.message : String(error)
+      );
+      process.exit(1);
+    }
+  });
+}
+// src/mcp/server.ts
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { z } from "zod";
+var instance;
+function exec(command, timeoutMs = 3e4) {
+  return sshExec({
+    instanceName: instance.name,
+    ip: instance.ip,
+    command,
+    stream: false,
+    timeoutMs
+  });
+}
+async function startMcpServer(instanceName) {
+  instance = await loadActiveInstanceOrThrow(instanceName);
+  if (instance.gitIdentity) {
+    const { name, email, signingKey } = instance.gitIdentity;
+    const cmds = [
+      `git config --global user.name '${name.replace(/'/g, "'\\''")}'`,
+      `git config --global user.email '${email.replace(/'/g, "'\\''")}'`
+    ];
+    if (signingKey) {
+      cmds.push(
+        `git config --global gpg.format ssh`,
+        `git config --global user.signingkey 'key::${signingKey.replace(/'/g, "'\\''")}'`,
+        `git config --global commit.gpgsign true`
+      );
+    }
+    exec(cmds.join(" && ")).catch(() => {
+    });
+  }
+  const server = new McpServer({
+    name: `gibil-${instanceName}`,
+    version: "0.1.0"
+  });
+  server.tool(
+    "vm_bash",
+    "Run a shell command on the remote VM. Use for: builds, tests, git, package managers, any shell operation.",
+    {
+      command: z.string().describe("Shell command to execute"),
+      working_dir: z.string().optional().describe("Working directory (default: /root/project)"),
+      timeout_ms: z.number().optional().describe("Timeout in ms (default: 30000)")
+    },
+    async ({ command, working_dir, timeout_ms }) => {
+      const cwd = working_dir ?? "/root/project";
+      const result = await exec(
+        `cd ${cwd} 2>/dev/null || cd /root && ${command}`,
+        timeout_ms ?? 3e4
+      );
+      const output = [result.stdout, result.stderr].filter(Boolean).join("\n");
+      return {
+        content: [
+          {
+            type: "text",
+            text: output || "(no output)"
+          }
+        ],
+        isError: result.exitCode !== 0
+      };
+    }
+  );
+  server.tool(
+    "vm_read",
+    "Read a file from the remote VM. Returns the file contents.",
+    {
+      path: z.string().describe("Absolute path on the VM (e.g. /root/project/src/app.ts)"),
+      offset: z.number().optional().describe("Start at line N (1-based)"),
+      limit: z.number().optional().describe("Max lines to return")
+    },
+    async ({ path, offset, limit }) => {
+      let cmd = `cat -n '${path.replace(/'/g, "'\\''")}'`;
+      if (offset && limit) {
+        cmd = `sed -n '${offset},${offset + limit - 1}p' '${path.replace(/'/g, "'\\''")}'  | cat -n`;
+      } else if (offset) {
+        cmd = `tail -n +${offset} '${path.replace(/'/g, "'\\''")}'  | cat -n`;
+      } else if (limit) {
+        cmd = `head -n ${limit} '${path.replace(/'/g, "'\\''")}'  | cat -n`;
+      }
+      const result = await exec(cmd);
+      if (result.exitCode !== 0) {
+        return {
+          content: [{ type: "text", text: `Error: ${result.stderr}` }],
+          isError: true
+        };
+      }
+      return {
+        content: [{ type: "text", text: result.stdout }]
+      };
+    }
+  );
+  server.tool(
+    "vm_write",
+    "Write content to a file on the remote VM. Creates parent directories if needed. Overwrites existing files.",
+    {
+      path: z.string().describe("Absolute path on the VM"),
+      content: z.string().describe("File content to write")
+    },
+    async ({ path, content }) => {
+      const encoded = Buffer.from(content).toString("base64");
+      const cmd = `mkdir -p "$(dirname '${path.replace(/'/g, "'\\''")}')" && echo '${encoded}' | base64 -d > '${path.replace(/'/g, "'\\''")}'`;
+      const result = await exec(cmd);
+      if (result.exitCode !== 0) {
+        return {
+          content: [{ type: "text", text: `Error: ${result.stderr}` }],
+          isError: true
+        };
+      }
+      return {
+        content: [{ type: "text", text: `Wrote ${path}` }]
+      };
+    }
+  );
+  server.tool(
+    "vm_ls",
+    "List files and directories on the remote VM.",
+    {
+      path: z.string().optional().describe("Directory path (default: /root/project)"),
+      glob: z.string().optional().describe("Glob pattern to filter (e.g. '**/*.ts')")
+    },
+    async ({ path, glob }) => {
+      const dir = path ?? "/root/project";
+      let cmd;
+      if (glob) {
+        cmd = `cd '${dir.replace(/'/g, "'\\''")}'  && find . -path './${glob}' -type f 2>/dev/null | sort | head -200`;
+      } else {
+        cmd = `ls -la '${dir.replace(/'/g, "'\\''")}'`;
+      }
+      const result = await exec(cmd);
+      if (result.exitCode !== 0) {
+        return {
+          content: [{ type: "text", text: `Error: ${result.stderr}` }],
+          isError: true
+        };
+      }
+      return {
+        content: [{ type: "text", text: result.stdout }]
+      };
+    }
+  );
+  server.tool(
+    "vm_grep",
+    "Search for a pattern in files on the remote VM. Uses ripgrep if available, falls back to grep.",
+    {
+      pattern: z.string().describe("Regex pattern to search for"),
+      path: z.string().optional().describe("Directory or file to search in (default: /root/project)"),
+      include: z.string().optional().describe("File glob to include (e.g. '*.ts')")
+    },
+    async ({ pattern, path, include }) => {
+      const dir = path ?? "/root/project";
+      const safePattern = pattern.replace(/'/g, "'\\''");
+      const safeDir = dir.replace(/'/g, "'\\''");
+      let cmd;
+      if (include) {
+        const safeInclude = include.replace(/'/g, "'\\''");
+        cmd = `cd '${safeDir}' && (rg -n --glob '${safeInclude}' '${safePattern}' 2>/dev/null || grep -rn --include='${safeInclude}' '${safePattern}' .) | head -100`;
+      } else {
+        cmd = `cd '${safeDir}' && (rg -n '${safePattern}' 2>/dev/null || grep -rn '${safePattern}' .) | head -100`;
+      }
+      const result = await exec(cmd);
+      const output = result.stdout || "(no matches)";
+      return {
+        content: [{ type: "text", text: output }]
+      };
+    }
+  );
+  const transport = new StdioServerTransport();
+  await server.connect(transport);
+}
+// src/cli/commands/mcp.ts
+function registerMcpCommand(program2) {
+  program2.command("mcp <name>").description(
+    "Start an MCP server for a running instance (used by Claude Code)"
+  ).action(async (name) => {
+    try {
+      await startMcpServer(name);
+    } catch (error) {
+      logger.error(
+        error instanceof Error ? error.message : String(error)
+      );
+      process.exit(1);
+    }
+  });
+}
+// src/cli/index.ts
+try {
+  await import("dotenv/config");
+} catch {
+}
+var program = new Command();
+program.name("gibil").description("Ephemeral dev compute for humans and AI agents").version("0.1.0");
+registerCreateCommand(program);
+registerSSHCommand(program);
+registerRunCommand(program);
+registerDestroyCommand(program);
+registerListCommand(program);
+registerExtendCommand(program);
+registerExecScriptCommand(program);
+registerAuthCommand(program);
+registerUsageCommand(program);
+registerMcpCommand(program);
+async function main() {
+  try {
+    await program.parseAsync(process.argv);
+  } catch (error) {
+    if (error instanceof Error) {
+      logger.error(error.message);
+    }
+    process.exit(1);
+  }
+}
+main();
+//# sourceMappingURL=index.js.map