hackerrun 0.1.0 → 0.1.6

package/dist/index.js

@@ -7,7 +7,7 @@ var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require
 });
 
 // src/index.ts
-import { Command as Command9 } from "commander";
+import { Command as Command11 } from "commander";
 
 // src/commands/login.ts
 import { Command } from "commander";
@@ -211,7 +211,7 @@ function sleep(ms) {
 
 // src/commands/deploy.ts
 import { Command as Command2 } from "commander";
-import chalk7 from "chalk";
+import chalk8 from "chalk";
 import ora4 from "ora";
 
 // src/lib/ssh-cert.ts
@@ -393,6 +393,150 @@ async function testIPv6Connectivity(vmIp, timeoutMs = 2e3) {
   return result;
 }
 
+// src/lib/gateway-tunnel.ts
+import { spawn } from "child_process";
+import * as net2 from "net";
+async function findAvailablePort() {
+  return new Promise((resolve, reject) => {
+    const server = net2.createServer();
+    server.listen(0, () => {
+      const addr = server.address();
+      const port = typeof addr === "object" && addr ? addr.port : 0;
+      server.close(() => resolve(port));
+    });
+    server.on("error", reject);
+  });
+}
+async function waitForTunnel(port, timeoutMs = 1e4) {
+  const startTime = Date.now();
+  while (Date.now() - startTime < timeoutMs) {
+    try {
+      await new Promise((resolve, reject) => {
+        const socket = net2.createConnection(port, "localhost", () => {
+          socket.destroy();
+          resolve();
+        });
+        socket.on("error", () => {
+          socket.destroy();
+          reject();
+        });
+        socket.setTimeout(500, () => {
+          socket.destroy();
+          reject();
+        });
+      });
+      return;
+    } catch {
+      await new Promise((r) => setTimeout(r, 200));
+    }
+  }
+  throw new Error(`Tunnel failed to establish on port ${port}`);
+}
+async function createTunnel(vmIp, gatewayIp, options = {}) {
+  const { timeoutMs = 15e3 } = options;
+  const localPort = await findAvailablePort();
+  const tunnelProcess = spawn("ssh", [
+    "-N",
+    // No remote command
+    "-L",
+    `${localPort}:[${vmIp}]:22`,
+    // Local port forward
+    "-o",
+    "StrictHostKeyChecking=no",
+    "-o",
+    "UserKnownHostsFile=/dev/null",
+    "-o",
+    "LogLevel=ERROR",
+    "-o",
+    "ExitOnForwardFailure=yes",
+    "-o",
+    "BatchMode=yes",
+    // No interactive prompts
+    "-o",
+    "ServerAliveInterval=5",
+    // Send keepalive every 5s (more aggressive)
+    "-o",
+    "ServerAliveCountMax=12",
+    // Allow 12 missed keepalives (60s) before disconnect
+    "-o",
+    "TCPKeepAlive=yes",
+    // Enable TCP keepalive
+    "-o",
+    "Compression=no",
+    // Disable compression for stability
+    "-o",
+    "IPQoS=throughput",
+    // Optimize for throughput
+    "-o",
+    "ConnectTimeout=30",
+    // Connection timeout
+    `root@${gatewayIp}`
+  ], {
+    detached: true,
+    stdio: ["ignore", "ignore", "ignore"]
+    // Ignore all stdio to prevent buffer issues
+  });
+  tunnelProcess.unref();
+  await waitForTunnel(localPort, timeoutMs);
+  return {
+    process: tunnelProcess,
+    localPort,
+    vmIp,
+    gatewayIp
+  };
+}
+function killTunnel(tunnel) {
+  try {
+    tunnel.process.kill();
+  } catch {
+  }
+}
+var TunnelManager = class {
+  activeTunnels = /* @__PURE__ */ new Map();
+  /**
+   * Get or create a tunnel for a VM
+   * Tunnels are cached by a key (e.g., appName or vmIp)
+   */
+  async ensureTunnel(key, vmIp, gatewayIp, options = {}) {
+    const existing = this.activeTunnels.get(key);
+    if (existing && !existing.process.killed) {
+      return existing;
+    }
+    const tunnel = await createTunnel(vmIp, gatewayIp, options);
+    this.activeTunnels.set(key, tunnel);
+    return tunnel;
+  }
+  /**
+   * Get an existing tunnel if available
+   */
+  getTunnel(key) {
+    const tunnel = this.activeTunnels.get(key);
+    if (tunnel && !tunnel.process.killed) {
+      return tunnel;
+    }
+    return void 0;
+  }
+  /**
+   * Close a specific tunnel
+   */
+  closeTunnel(key) {
+    const tunnel = this.activeTunnels.get(key);
+    if (tunnel) {
+      killTunnel(tunnel);
+      this.activeTunnels.delete(key);
+    }
+  }
+  /**
+   * Close all tunnels
+   */
+  closeAll() {
+    for (const tunnel of this.activeTunnels.values()) {
+      killTunnel(tunnel);
+    }
+    this.activeTunnels.clear();
+  }
+};
+
 // src/lib/cluster.ts
 import { execSync as execSync2 } from "child_process";
 import ora2 from "ora";
@@ -434,7 +578,7 @@ var ClusterManager = class {
    */
   async initializeCluster(options) {
     const { appName, location, vmSize, storageSize, bootImage } = options;
-    const vmName = `${appName}-vm-${this.generateId()}`;
+    const vmName = `${appName}-1`;
     let spinner = ora2(`Creating VM '${vmName}' in ${location}...`).start();
     try {
       spinner.text = "Fetching platform SSH keys...";
@@ -480,9 +624,12 @@ var ClusterManager = class {
       spinner.text = "Installing Docker and Uncloud...";
       spinner.stop();
       console.log(chalk2.cyan("\nInitializing uncloud (this may take a few minutes)..."));
-      await this.initializeUncloud(vmWithIp.ip6, appName);
+      await this.initializeUncloud(vmWithIp.ip6, appName, gateway?.ipv4);
       spinner = ora2("Configuring Docker for NAT64...").start();
-      await this.configureDockerNAT64(vmWithIp.ip6);
+      await this.configureDockerNAT64(vmWithIp.ip6, gateway?.ipv4);
+      spinner.text = "Waiting for uncloud services to be ready...";
+      await this.waitForUncloudReady(vmWithIp.ip6, gateway?.ipv4);
+      this.sshCertManager.cleanupAll();
       spinner.succeed(chalk2.green(`Cluster initialized successfully`));
       return savedCluster;
     } catch (error) {
@@ -498,13 +645,13 @@ var ClusterManager = class {
     if (!cluster) {
       throw new Error(`App '${appName}' not found`);
     }
-    const primaryNode = await this.platformClient.getPrimaryNode(appName);
-    if (!primaryNode || !primaryNode.ipv6) {
-      throw new Error(`Primary node not found or has no IPv6 address`);
+    const existingNode = cluster.nodes.find((n) => n.ipv6);
+    if (!existingNode || !existingNode.ipv6) {
+      throw new Error(`No existing node with IPv6 address found to join`);
     }
     const gateway = await this.platformClient.getGateway(cluster.location);
     const privateSubnetId = gateway?.subnetId;
-    const vmName = `${appName}-vm-${this.generateId()}`;
+    const vmName = this.generateNodeName(appName, cluster.nodes);
     let spinner = ora2(`Adding node '${vmName}' to cluster...`).start();
     try {
       spinner.text = "Fetching platform SSH keys...";
@@ -531,9 +678,9 @@ var ClusterManager = class {
       spinner.text = "Joining uncloud cluster...";
       spinner.stop();
       console.log(chalk2.cyan("\nJoining uncloud cluster..."));
-      await this.joinUncloudCluster(vmWithIp.ip6, primaryNode.ipv6, appName);
+      await this.joinUncloudCluster(vmWithIp.ip6, existingNode.ipv6, appName);
       spinner = ora2("Configuring Docker for NAT64...").start();
-      await this.configureDockerNAT64(vmWithIp.ip6);
+      await this.configureDockerNAT64(vmWithIp.ip6, gateway?.ipv4);
       spinner.succeed(chalk2.green(`Node '${vmName}' added successfully`));
       const newNode = {
         name: vmName,
@@ -556,17 +703,60 @@ var ClusterManager = class {
    * Before running uc, we get an SSH certificate from the platform
    * and add it to the ssh-agent. This allows uc to authenticate
    * since the VM only accepts platform SSH key or signed certificates.
+   *
+   * If direct IPv6 connectivity is not available, tunnels through the gateway.
    */
-  async initializeUncloud(vmIp, contextName) {
+  async initializeUncloud(vmIp, contextName, gatewayIp) {
+    let tunnel = null;
+    let targetHost = vmIp;
     try {
       await this.sshCertManager.getSession(contextName, vmIp);
-      execSync2(`uc machine init -c "${contextName}" --no-dns root@${vmIp}`, {
-        stdio: "inherit",
-        timeout: 6e5
-        // 10 min timeout
-      });
+      const canConnectDirect = await testIPv6Connectivity(vmIp, 3e3);
+      if (!canConnectDirect) {
+        if (!gatewayIp) {
+          throw new Error("No direct IPv6 connectivity and no gateway available");
+        }
+        console.log(chalk2.dim("No direct IPv6 connectivity, tunneling through gateway..."));
+        tunnel = await createTunnel(vmIp, gatewayIp);
+        targetHost = `localhost:${tunnel.localPort}`;
+      }
+      let initSucceeded = false;
+      try {
+        execSync2(`uc machine init -c "${contextName}" --no-dns root@${targetHost}`, {
+          stdio: "inherit",
+          timeout: 6e5
+          // 10 min timeout
+        });
+        initSucceeded = true;
+      } catch (error) {
+        console.log(chalk2.yellow("\nInitial setup had errors, will attempt to recover..."));
+      }
+      if (!initSucceeded) {
+        const maxCaddyAttempts = 5;
+        for (let attempt = 1; attempt <= maxCaddyAttempts; attempt++) {
+          console.log(chalk2.dim(`Waiting for machine to be ready (attempt ${attempt}/${maxCaddyAttempts})...`));
+          await new Promise((resolve) => setTimeout(resolve, 1e4));
+          try {
+            execSync2(`yes | uc -c "${contextName}" caddy deploy`, {
+              stdio: "inherit",
+              timeout: 12e4
+            });
+            console.log(chalk2.green("Caddy deployed successfully"));
+            break;
+          } catch (caddyError) {
+            if (attempt >= maxCaddyAttempts) {
+              throw new Error(`Caddy deployment failed after ${maxCaddyAttempts} attempts. The machine may need more time to initialize.`);
+            }
+          }
+        }
+      }
+      console.log(chalk2.dim("Uncloud initialization complete."));
     } catch (error) {
       throw new Error(`Failed to initialize uncloud: ${error.message}`);
+    } finally {
+      if (tunnel) {
+        killTunnel(tunnel);
+      }
     }
   }
   /**
@@ -603,11 +793,19 @@ var ClusterManager = class {
    * 1. Enable IPv6 on Docker networks so containers get IPv6 addresses
    * 2. Block IPv4 forwarding from Docker to internet so IPv4 fails immediately
    * 3. Applications then use IPv6 (NAT64) which works via the gateway
+   *
+   * If direct IPv6 connectivity is not available, tunnels through the gateway.
    */
-  async configureDockerNAT64(vmIp) {
+  async configureDockerNAT64(vmIp, gatewayIp) {
     const setupScript = `#!/bin/bash
 set -e
 
+# Install jq if not present (needed to merge Docker config)
+if ! command -v jq &> /dev/null; then
+  apt-get update -qq
+  apt-get install -y -qq jq
+fi
+
 # Step 1: Add IPv6 support to Docker daemon config
 DAEMON_JSON='/etc/docker/daemon.json'
 if [ -f "$DAEMON_JSON" ]; then
@@ -666,8 +864,17 @@ systemctl start docker-ipv6-nat64
 
 echo "Docker NAT64 configuration complete"
 `;
+    let tunnel = null;
+    let sshHost = vmIp;
+    let sshPortArgs = "";
     try {
-      execSync2(`ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@${vmIp} 'bash -s' << 'REMOTESCRIPT'
+      const canConnectDirect = await testIPv6Connectivity(vmIp, 3e3);
+      if (!canConnectDirect && gatewayIp) {
+        tunnel = await createTunnel(vmIp, gatewayIp);
+        sshHost = "localhost";
+        sshPortArgs = `-p ${tunnel.localPort}`;
+      }
+      execSync2(`ssh ${sshPortArgs} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@${sshHost} 'bash -s' << 'REMOTESCRIPT'
 ${setupScript}
 REMOTESCRIPT`, {
         stdio: "inherit",
@@ -676,6 +883,10 @@ REMOTESCRIPT`, {
       });
     } catch (error) {
       throw new Error(`Failed to configure Docker for NAT64: ${error.message}`);
+    } finally {
+      if (tunnel) {
+        killTunnel(tunnel);
+      }
     }
   }
   /**
@@ -714,7 +925,52 @@ The VM may still be provisioning. You can:
     );
   }
   /**
-   * Generate a random ID
+   * Wait for uncloud services to be ready on the VM
+   * Specifically checks that unregistry (Docker registry at 10.210.0.1:5000) is accepting connections
+   * This is critical for first deploy - push will fail if unregistry isn't ready
+   */
+  async waitForUncloudReady(vmIp, gatewayIp) {
+    const maxAttempts = 30;
+    const checkInterval = 2e3;
+    const canConnectDirect = await testIPv6Connectivity(vmIp, 3e3);
+    const proxyJump = !canConnectDirect && gatewayIp ? `-J root@${gatewayIp}` : "";
+    const sshBase = `ssh ${proxyJump} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR -o ConnectTimeout=10 root@${vmIp}`;
+    console.log(chalk2.dim("  Waiting for uncloud services..."));
+    for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+      try {
+        const result = execSync2(
+          `${sshBase} "curl -sf --max-time 5 http://10.210.0.1:5000/v2/ >/dev/null 2>&1 && echo ready || echo notready"`,
+          { encoding: "utf-8", timeout: 2e4, stdio: ["pipe", "pipe", "pipe"] }
+        ).trim();
+        if (result.includes("ready")) {
+          console.log(chalk2.dim("  Uncloud services ready"));
+          return;
+        }
+      } catch (error) {
+      }
+      if (attempt % 5 === 0) {
+        console.log(chalk2.dim(`  Still waiting for unregistry... (attempt ${attempt}/${maxAttempts})`));
+      }
+      if (attempt < maxAttempts) {
+        await this.sleep(checkInterval);
+      }
+    }
+    console.log(chalk2.yellow("  Warning: Timeout waiting for unregistry, continuing anyway..."));
+  }
+  /**
+   * Generate a sequential node name: appName-1, appName-2, etc.
+   * Finds the next available number by checking existing node names
+   */
+  generateNodeName(appName, existingNodes) {
+    const existingNumbers = existingNodes.map((n) => {
+      const match = n.name.match(new RegExp(`^${appName}-(\\d+)$`));
+      return match ? parseInt(match[1], 10) : 0;
+    }).filter((n) => n > 0);
+    const maxNumber = existingNumbers.length > 0 ? Math.max(...existingNumbers) : 0;
+    return `${appName}-${maxNumber + 1}`;
+  }
+  /**
+   * Generate a random ID (used for legacy naming or fallback)
    */
   generateId() {
     return Math.random().toString(36).substring(2, 9);
@@ -833,11 +1089,18 @@ var UncloudManager = class {
   }
   /**
    * Check if uncloud is installed, offer to install if not
+   * @param options.nonInteractive - If true, fail immediately without prompting (for CI/CD)
    */
-  static async ensureInstalled() {
+  static async ensureInstalled(options) {
     if (this.isInstalled()) {
       return;
     }
+    if (options?.nonInteractive) {
+      console.error(chalk4.red("\n\u274C Uncloud CLI (uc) not found\n"));
+      console.error("The uncloud CLI must be installed on the build VM.");
+      console.error("This is a build infrastructure issue - the uc binary should be pre-installed.\n");
+      process.exit(1);
+    }
     console.log(chalk4.yellow("\n\u26A0\uFE0F  Uncloud CLI not found\n"));
     console.log("Uncloud is required to deploy and manage your apps.");
     console.log("Learn more: https://uncloud.run\n");
@@ -951,49 +1214,71 @@ function getPlatformToken() {
 
 // src/lib/platform-client.ts
 var PLATFORM_API_URL2 = process.env.HACKERRUN_API_URL || "http://localhost:3000";
+var DEFAULT_RETRIES = 3;
+var RETRY_DELAY_MS = 2e3;
+function sleep2(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+function isRetryableError(error, status) {
+  if (error?.cause?.code === "ECONNREFUSED" || error?.cause?.code === "ECONNRESET" || error?.cause?.code === "ETIMEDOUT" || error?.message?.includes("fetch failed") || error?.message?.includes("network") || error?.message?.includes("ECONNREFUSED")) {
+    return true;
+  }
+  if (status && status >= 500) {
+    return true;
+  }
+  return false;
+}
 var PlatformClient = class {
   constructor(authToken) {
     this.authToken = authToken;
   }
-  async request(method, path, body) {
+  async request(method, path, body, options = {}) {
+    const {
+      retries = DEFAULT_RETRIES,
+      retryDelay = RETRY_DELAY_MS,
+      operation = `${method} ${path}`
+    } = options;
     const url = `${PLATFORM_API_URL2}${path}`;
-    const headers = {
-      Authorization: `Bearer ${this.authToken}`,
-      "Content-Type": "application/json"
-      // FIX STALE CONNECTION: If retry logic below doesn't reliably fix
-      // "SocketError: other side closed" errors, uncomment this line and
-      // remove the retry logic in the catch block below.
-      // 'Connection': 'close',
-    };
-    const doFetch = () => fetch(url, {
-      method,
-      headers,
-      body: body ? JSON.stringify(body) : void 0
-    });
-    let response;
-    try {
-      response = await doFetch();
-    } catch (error) {
-      const isSocketError = error instanceof Error && error.cause?.code === "UND_ERR_SOCKET";
-      if (isSocketError) {
-        response = await doFetch();
-      } else {
-        const errMsg = error instanceof Error ? error.message : "Unknown error";
-        throw new Error(`Failed to connect to platform API (${url}): ${errMsg}`);
-      }
-    }
-    if (!response.ok) {
-      const errorText = await response.text();
-      let errorMessage;
+    let lastError = null;
+    for (let attempt = 1; attempt <= retries; attempt++) {
       try {
-        const errorJson = JSON.parse(errorText);
-        errorMessage = errorJson.error || response.statusText;
-      } catch {
-        errorMessage = errorText || response.statusText;
+        const response = await fetch(url, {
+          method,
+          headers: {
+            Authorization: `Bearer ${this.authToken}`,
+            "Content-Type": "application/json"
+          },
+          body: body ? JSON.stringify(body) : void 0
+        });
+        if (!response.ok) {
+          const errorText = await response.text();
+          let errorMessage;
+          try {
+            const errorJson = JSON.parse(errorText);
+            errorMessage = errorJson.error || response.statusText;
+          } catch {
+            errorMessage = errorText || response.statusText;
+          }
+          const error = new Error(`API error (${response.status}): ${errorMessage}`);
+          if (isRetryableError(error, response.status) && attempt < retries) {
+            lastError = error;
+            await sleep2(retryDelay * attempt);
+            continue;
+          }
+          throw error;
+        }
+        return response.json();
+      } catch (error) {
+        lastError = error;
+        if (isRetryableError(error) && attempt < retries) {
+          await sleep2(retryDelay * attempt);
+          continue;
+        }
+        const errorMessage = error.message || "Unknown error";
+        throw new Error(`${operation} failed: ${errorMessage}`);
       }
-      throw new Error(`API error (${response.status}): ${errorMessage}`);
     }
-    return response.json();
+    throw lastError || new Error(`${operation} failed after ${retries} attempts`);
   }
   // ==================== App State Management ====================
   /**
@@ -1008,7 +1293,12 @@ var PlatformClient = class {
    */
   async getApp(appName) {
     try {
-      const { app } = await this.request("GET", `/api/apps/${appName}`);
+      const { app } = await this.request(
+        "GET",
+        `/api/apps/${appName}`,
+        void 0,
+        { operation: `Get app '${appName}'` }
+      );
       return app;
     } catch (error) {
       if (error.message.includes("404") || error.message.includes("not found")) {
@@ -1022,18 +1312,23 @@ var PlatformClient = class {
    * Returns the app with auto-generated domainName
    */
   async saveApp(cluster) {
-    const { app } = await this.request("POST", "/api/apps", {
-      appName: cluster.appName,
-      location: cluster.location,
-      uncloudContext: cluster.uncloudContext,
-      nodes: cluster.nodes.map((node) => ({
-        name: node.name,
-        id: node.id,
-        ipv4: node.ipv4,
-        ipv6: node.ipv6,
-        isPrimary: node.isPrimary
-      }))
-    });
+    const { app } = await this.request(
+      "POST",
+      "/api/apps",
+      {
+        appName: cluster.appName,
+        location: cluster.location,
+        uncloudContext: cluster.uncloudContext,
+        nodes: cluster.nodes.map((node) => ({
+          name: node.name,
+          id: node.id,
+          ipv4: node.ipv4,
+          ipv6: node.ipv6,
+          isPrimary: node.isPrimary
+        }))
+      },
+      { operation: `Save app '${cluster.appName}'` }
+    );
     return app;
   }
   /**
@@ -1042,7 +1337,7 @@ var PlatformClient = class {
   async updateLastDeployed(appName) {
     await this.request("PATCH", `/api/apps/${appName}`, {
       lastDeployedAt: (/* @__PURE__ */ new Date()).toISOString()
-    });
+    }, { operation: `Update last deployed for '${appName}'` });
   }
   /**
    * Rename an app (per-user unique)
@@ -1066,7 +1361,7 @@ var PlatformClient = class {
    * Delete an app
    */
   async deleteApp(appName) {
-    await this.request("DELETE", `/api/apps/${appName}`);
+    await this.request("DELETE", `/api/apps/${appName}`, void 0, { operation: `Delete app '${appName}'` });
   }
   /**
    * Check if app exists
@@ -1094,7 +1389,7 @@ var PlatformClient = class {
    * Create a new VM
    */
   async createVM(params) {
-    const { vm } = await this.request("POST", "/api/vms", params);
+    const { vm } = await this.request("POST", "/api/vms", params, { operation: `Create VM '${params.name}'` });
     return vm;
   }
   /**
@@ -1103,7 +1398,9 @@ var PlatformClient = class {
   async getVM(location, vmName) {
     const { vm } = await this.request(
       "GET",
-      `/api/vms/${location}/${vmName}`
+      `/api/vms/${location}/${vmName}`,
+      void 0,
+      { operation: `Get VM '${vmName}'` }
     );
     return vm;
   }
@@ -1111,7 +1408,7 @@ var PlatformClient = class {
    * Delete a VM
    */
   async deleteVM(location, vmName) {
-    await this.request("DELETE", `/api/vms/${location}/${vmName}`);
+    await this.request("DELETE", `/api/vms/${location}/${vmName}`, void 0, { operation: `Delete VM '${vmName}'` });
   }
   // ==================== Uncloud Config Management ====================
   /**
@@ -1140,7 +1437,7 @@ var PlatformClient = class {
    */
   async getGateway(location) {
     try {
-      const { gateway } = await this.request("GET", `/api/gateway?location=${encodeURIComponent(location)}`);
+      const { gateway } = await this.request("GET", `/api/gateway?location=${encodeURIComponent(location)}`, void 0, { operation: `Get gateway for '${location}'` });
       return gateway;
     } catch (error) {
       if (error.message.includes("404") || error.message.includes("not found")) {
@@ -1158,7 +1455,7 @@ var PlatformClient = class {
       appName,
       backendIpv6,
       backendPort
-    });
+    }, { operation: `Register route for '${appName}'` });
     return route;
   }
   /**
@@ -1173,7 +1470,7 @@ var PlatformClient = class {
    * This updates the gateway's reverse proxy config with current routes
    */
   async syncGatewayRoutes(location) {
-    const result = await this.request("POST", "/api/gateway/sync", { location });
+    const result = await this.request("POST", "/api/gateway/sync", { location }, { operation: `Sync gateway routes for '${location}'` });
     return { routeCount: result.routeCount };
   }
   // ==================== SSH Certificate Management ====================
@@ -1181,7 +1478,7 @@ var PlatformClient = class {
    * Get platform SSH keys (CA public key + platform public key for VM creation)
    */
   async getPlatformSSHKeys() {
-    return this.request("GET", "/api/platform/ssh-keys");
+    return this.request("GET", "/api/platform/ssh-keys", void 0, { operation: "Get platform SSH keys" });
   }
   /**
    * Initialize platform SSH keys (creates them if they don't exist)
@@ -1194,7 +1491,7 @@ var PlatformClient = class {
    * Returns a short-lived certificate (5 min) signed by the platform CA
    */
   async requestSSHCertificate(appName, publicKey) {
-    return this.request("POST", `/api/apps/${appName}/ssh-certificate`, { publicKey });
+    return this.request("POST", `/api/apps/${appName}/ssh-certificate`, { publicKey }, { operation: `Request SSH certificate for '${appName}'` });
   }
   // ==================== VM Setup ====================
   /**
@@ -1206,7 +1503,7 @@ var PlatformClient = class {
       vmIp,
       location,
       appName
-    });
+    }, { operation: `Setup VM for '${appName}'`, retries: 5, retryDelay: 3e3 });
   }
   // ==================== Environment Variables ====================
   /**
@@ -1225,8 +1522,8 @@ var PlatformClient = class {
    * List environment variables (values are masked)
    */
   async listEnvVars(appName) {
-    const { vars } = await this.request("GET", `/api/apps/${appName}/env`);
-    return vars;
+    const { envVars } = await this.request("GET", `/api/apps/${appName}/env`);
+    return envVars;
   }
   /**
    * Remove an environment variable
@@ -1273,6 +1570,13 @@ var PlatformClient = class {
       throw error;
     }
   }
+  /**
+   * Delete current user's GitHub App installation record
+   * Used when the installation becomes stale/invalid
+   */
+  async deleteGitHubInstallation() {
+    await this.request("DELETE", "/api/github/installation");
+  }
   /**
    * List repositories accessible via GitHub App installation
    */
@@ -1335,6 +1639,35 @@ var PlatformClient = class {
     const { events } = await this.request("GET", url);
     return events;
   }
+  // ==================== VPN Management ====================
+  /**
+   * Register VPN peer with the platform
+   * This is idempotent - if already registered, returns existing config
+   */
+  async registerVPNPeer(publicKey, location) {
+    const { vpnConfig } = await this.request("POST", "/api/vpn/register", { publicKey, location }, { operation: "Register VPN peer" });
+    return vpnConfig;
+  }
+  /**
+   * Get existing VPN config if registered
+   */
+  async getVPNConfig(location) {
+    try {
+      const { vpnConfig } = await this.request("GET", `/api/vpn/config?location=${encodeURIComponent(location)}`);
+      return vpnConfig;
+    } catch (error) {
+      if (error.message.includes("404") || error.message.includes("not found")) {
+        return null;
+      }
+      throw error;
+    }
+  }
+  /**
+   * Unregister VPN peer
+   */
+  async unregisterVPNPeer() {
+    await this.request("DELETE", "/api/vpn/unregister");
+  }
 };
 
 // src/lib/app-config.ts
@@ -1383,9 +1716,330 @@ function linkApp(appName, directory = process.cwd()) {
 }
 
 // src/lib/uncloud-runner.ts
-import { execSync as execSync4, spawnSync as spawnSync2, spawn } from "child_process";
-import * as net2 from "net";
+import { execSync as execSync5, spawnSync as spawnSync3 } from "child_process";
+
+// src/lib/vpn.ts
+import { execSync as execSync4, spawnSync as spawnSync2 } from "child_process";
+import { existsSync as existsSync4, readFileSync as readFileSync4, writeFileSync as writeFileSync4, mkdirSync as mkdirSync2, unlinkSync } from "fs";
+import { homedir as homedir2, platform as platform3 } from "os";
+import { join as join4 } from "path";
 import chalk6 from "chalk";
+function detectOS() {
+  const os = platform3();
+  if (os === "darwin") {
+    return { type: "macos" };
+  }
+  if (os === "win32") {
+    return { type: "windows" };
+  }
+  if (os === "linux") {
+    try {
+      if (existsSync4("/etc/os-release")) {
+        const osRelease = readFileSync4("/etc/os-release", "utf-8");
+        const idMatch = osRelease.match(/^ID=(.*)$/m);
+        if (idMatch) {
+          const distro = idMatch[1].replace(/"/g, "").toLowerCase();
+          return { type: "linux", distro };
+        }
+      }
+    } catch {
+    }
+    return { type: "linux" };
+  }
+  return { type: "unknown" };
+}
+function getWireGuardInstallInstructions() {
+  const os = detectOS();
+  switch (os.type) {
+    case "macos":
+      return `  ${chalk6.cyan("macOS:")} brew install wireguard-tools`;
+    case "windows":
+      return `  ${chalk6.cyan("Windows:")} Download from https://www.wireguard.com/install/
+            Or using winget: winget install WireGuard.WireGuard`;
+    case "linux":
+      switch (os.distro) {
+        case "arch":
+        case "manjaro":
+        case "endeavouros":
+        case "artix":
+          return `  ${chalk6.cyan("Arch Linux:")} sudo pacman -S wireguard-tools`;
+        case "ubuntu":
+        case "debian":
+        case "linuxmint":
+        case "pop":
+        case "elementary":
+        case "zorin":
+          return `  ${chalk6.cyan("Ubuntu/Debian:")} sudo apt install wireguard`;
+        case "fedora":
+          return `  ${chalk6.cyan("Fedora:")} sudo dnf install wireguard-tools`;
+        case "rhel":
+        case "centos":
+        case "rocky":
+        case "almalinux":
+          return `  ${chalk6.cyan("RHEL/CentOS:")} sudo dnf install wireguard-tools
+               (may need EPEL: sudo dnf install epel-release)`;
+        case "opensuse":
+        case "opensuse-leap":
+        case "opensuse-tumbleweed":
+          return `  ${chalk6.cyan("openSUSE:")} sudo zypper install wireguard-tools`;
+        case "gentoo":
+          return `  ${chalk6.cyan("Gentoo:")} sudo emerge net-vpn/wireguard-tools`;
+        case "void":
+          return `  ${chalk6.cyan("Void Linux:")} sudo xbps-install wireguard-tools`;
+        case "alpine":
+          return `  ${chalk6.cyan("Alpine:")} sudo apk add wireguard-tools`;
+        case "nixos":
+          return `  ${chalk6.cyan("NixOS:")} Add wireguard-tools to environment.systemPackages`;
+        default:
+          return `  ${chalk6.cyan("Linux:")} Install wireguard-tools using your package manager:
+    Arch:          sudo pacman -S wireguard-tools
+    Ubuntu/Debian: sudo apt install wireguard
+    Fedora:        sudo dnf install wireguard-tools
+    openSUSE:      sudo zypper install wireguard-tools`;
+      }
+    default:
+      return `  Visit https://www.wireguard.com/install/ for installation instructions`;
+  }
+}
+var CONFIG_DIR = join4(homedir2(), ".config", "hackerrun");
+var PRIVATE_KEY_FILE = join4(CONFIG_DIR, "wg-private-key");
+var WG_INTERFACE = "hackerrun";
+var WG_CONFIG_PATH = `/etc/wireguard/${WG_INTERFACE}.conf`;
+function isWireGuardInstalled() {
+  try {
+    execSync4("which wg", { stdio: "ignore" });
+    execSync4("which wg-quick", { stdio: "ignore" });
+    return true;
+  } catch {
+    return false;
+  }
+}
+function ensureConfigDir() {
+  if (!existsSync4(CONFIG_DIR)) {
+    mkdirSync2(CONFIG_DIR, { recursive: true, mode: 448 });
+  }
+}
+function generateKeyPair() {
+  const privateKey = execSync4("wg genkey", { encoding: "utf-8" }).trim();
+  const publicKey = execSync4("wg pubkey", {
+    input: privateKey,
+    encoding: "utf-8"
+  }).trim();
+  return { privateKey, publicKey };
+}
+function getOrCreateKeyPair() {
+  ensureConfigDir();
+  if (existsSync4(PRIVATE_KEY_FILE)) {
+    const privateKey2 = readFileSync4(PRIVATE_KEY_FILE, "utf-8").trim();
+    const publicKey2 = execSync4("wg pubkey", {
+      input: privateKey2,
+      encoding: "utf-8"
+    }).trim();
+    return { privateKey: privateKey2, publicKey: publicKey2, isNew: false };
+  }
+  const { privateKey, publicKey } = generateKeyPair();
+  writeFileSync4(PRIVATE_KEY_FILE, privateKey + "\n", { mode: 384 });
+  return { privateKey, publicKey, isNew: true };
+}
+function getPublicKey() {
+  if (!existsSync4(PRIVATE_KEY_FILE)) {
+    return null;
+  }
+  const privateKey = readFileSync4(PRIVATE_KEY_FILE, "utf-8").trim();
+  return execSync4("wg pubkey", {
+    input: privateKey,
+    encoding: "utf-8"
+  }).trim();
+}
+function isVPNUp() {
+  try {
+    const result = execSync4(`ip link show ${WG_INTERFACE}`, {
+      encoding: "utf-8",
+      stdio: ["pipe", "pipe", "pipe"]
+    });
+    return result.includes(WG_INTERFACE);
+  } catch {
+    return false;
+  }
+}
+function isRoutedViaVPN(ipv6Address) {
+  if (!isVPNUp()) {
+    return false;
+  }
+  try {
+    const result = execSync4(`ip -6 route get ${ipv6Address}`, {
+      encoding: "utf-8",
+      stdio: ["pipe", "pipe", "pipe"]
+    });
+    return result.includes(`dev ${WG_INTERFACE}`);
+  } catch {
+    return false;
+  }
+}
+function getVPNStatus() {
+  if (!isVPNUp()) {
+    return { connected: false };
+  }
+  try {
+    const output = execSync4(`sudo wg show ${WG_INTERFACE}`, {
+      encoding: "utf-8",
+      stdio: ["pipe", "pipe", "pipe"]
+    });
+    const lines = output.split("\n");
+    let endpoint;
+    let latestHandshake;
+    let transferRx;
+    let transferTx;
+    for (const line of lines) {
+      if (line.includes("endpoint:")) {
+        endpoint = line.split("endpoint:")[1]?.trim();
+      }
+      if (line.includes("latest handshake:")) {
+        latestHandshake = line.split("latest handshake:")[1]?.trim();
+      }
+      if (line.includes("transfer:")) {
+        const transfer = line.split("transfer:")[1]?.trim();
+        const parts = transfer?.split(",");
+        transferRx = parts?.[0]?.trim();
+        transferTx = parts?.[1]?.trim();
+      }
+    }
+    return {
+      connected: true,
+      interface: WG_INTERFACE,
+      endpoint,
+      latestHandshake,
+      transferRx,
+      transferTx
+    };
+  } catch {
+    return { connected: isVPNUp(), interface: WG_INTERFACE };
+  }
+}
+function generateWireGuardConfig(config) {
+  return `# HackerRun VPN - Auto-generated
+# Do not edit manually
+
+[Interface]
+PrivateKey = ${config.privateKey}
+Address = ${config.address}
+
+[Peer]
+PublicKey = ${config.gatewayPublicKey}
+Endpoint = ${config.gatewayEndpoint}
+AllowedIPs = ${config.allowedIPs}
+PersistentKeepalive = 25
+`;
+}
+function writeWireGuardConfig(config) {
+  const configContent = generateWireGuardConfig(config);
+  const tempFile = join4(CONFIG_DIR, "wg-temp.conf");
+  writeFileSync4(tempFile, configContent, { mode: 384 });
+  try {
+    execSync4("sudo mkdir -p /etc/wireguard", { stdio: "inherit" });
+    execSync4(`sudo mv ${tempFile} ${WG_CONFIG_PATH}`, { stdio: "inherit" });
+    execSync4(`sudo chmod 600 ${WG_CONFIG_PATH}`, { stdio: "inherit" });
+  } catch (error) {
+    if (existsSync4(tempFile)) {
+      unlinkSync(tempFile);
+    }
+    throw error;
+  }
+}
+function vpnUp() {
+  if (isVPNUp()) {
+    return;
+  }
+  const result = spawnSync2("sudo", ["wg-quick", "up", WG_INTERFACE], {
+    stdio: "inherit"
+  });
+  if (result.status !== 0) {
+    throw new Error(`Failed to bring up VPN interface (exit code ${result.status})`);
+  }
+}
+function vpnDown() {
+  if (!isVPNUp()) {
+    return;
+  }
+  const result = spawnSync2("sudo", ["wg-quick", "down", WG_INTERFACE], {
+    stdio: "inherit"
+  });
+  if (result.status !== 0) {
+    throw new Error(`Failed to bring down VPN interface (exit code ${result.status})`);
+  }
+}
+function testIPv6Connectivity2(ipv6Address, timeoutSeconds = 3) {
+  try {
+    execSync4(`ping -6 -c 1 -W ${timeoutSeconds} ${ipv6Address}`, {
+      stdio: "ignore",
+      timeout: (timeoutSeconds + 2) * 1e3
+    });
+    return true;
+  } catch {
+    return false;
+  }
+}
+var VPNManager = class {
+  wasConnectedByUs = false;
+  /**
+   * Ensure VPN is connected if IPv6 is not available
+   * Returns true if VPN was established (and should be torn down later)
+   */
+  async ensureConnected(targetIPv6, getVPNConfig) {
+    if (testIPv6Connectivity2(targetIPv6)) {
+      console.log(chalk6.green("\u2713 Direct IPv6 connectivity available"));
+      return false;
+    }
+    console.log(chalk6.yellow("IPv6 not available, checking VPN..."));
+    if (isVPNUp()) {
+      if (testIPv6Connectivity2(targetIPv6)) {
+        console.log(chalk6.green("\u2713 VPN already connected"));
+        return false;
+      }
+      console.log(chalk6.yellow("VPN is up but cannot reach target, reconnecting..."));
+      vpnDown();
+    }
+    if (!isWireGuardInstalled()) {
+      const instructions = getWireGuardInstallInstructions();
+      throw new Error(
+        "WireGuard is not installed.\n\nWireGuard is needed for IPv6 connectivity to your app VMs.\nPlease install it and try again:\n\n" + instructions
+      );
+    }
+    console.log(chalk6.cyan("Establishing VPN tunnel (requires sudo)..."));
+    const { publicKey, isNew } = getOrCreateKeyPair();
+    if (isNew) {
+      console.log(chalk6.dim("Generated new WireGuard keypair"));
+    }
+    const vpnConfig = await getVPNConfig();
+    writeWireGuardConfig(vpnConfig);
+    vpnUp();
+    if (!testIPv6Connectivity2(targetIPv6)) {
+      vpnDown();
+      throw new Error("VPN established but cannot reach target. Please try again.");
+    }
+    console.log(chalk6.green("\u2713 VPN connected"));
+    this.wasConnectedByUs = true;
+    return true;
+  }
+  /**
+   * Disconnect VPN if we established it
+   */
+  disconnect() {
+    if (this.wasConnectedByUs && isVPNUp()) {
+      console.log(chalk6.dim("Disconnecting VPN..."));
+      try {
+        vpnDown();
+        console.log(chalk6.green("\u2713 VPN disconnected"));
+      } catch (error) {
+        console.log(chalk6.yellow(`Warning: Failed to disconnect VPN: ${error.message}`));
+      }
+      this.wasConnectedByUs = false;
+    }
+  }
+};
+
+// src/lib/uncloud-runner.ts
+import chalk7 from "chalk";
 var UncloudRunner = class {
   constructor(platformClient) {
     this.platformClient = platformClient;
@@ -1393,11 +2047,13 @@ var UncloudRunner = class {
   }
   certManager;
   gatewayCache = /* @__PURE__ */ new Map();
-  activeTunnels = /* @__PURE__ */ new Map();
+  tunnelManager = new TunnelManager();
+  vpnManager = new VPNManager();
   tempConfigPath = null;
+  vpnEstablishedByUs = false;
   /**
    * Get the connection URL for an app's primary VM
-   * Handles IPv6 direct connection or gateway proxy fallback
+   * Handles IPv6 direct connection, VPN, or gateway SSH tunnel fallback
    */
   async getConnectionInfo(appName) {
     const app = await this.platformClient.getApp(appName);
@@ -1411,30 +2067,84 @@ var UncloudRunner = class {
     const vmIp = primaryNode.ipv6;
     await this.certManager.getSession(appName, vmIp);
     const canConnectDirect = await testIPv6Connectivity(vmIp, 3e3);
-    const viaGateway = !canConnectDirect;
-    if (viaGateway) {
-      const tunnelInfo = await this.ensureTunnel(appName, vmIp, app.location);
+    if (canConnectDirect) {
+      const viaVPN = isRoutedViaVPN(vmIp);
       return {
-        url: `ssh://root@localhost:${tunnelInfo.localPort}`,
+        url: `ssh://root@${vmIp}`,
         vmIp,
-        viaGateway: true,
-        localPort: tunnelInfo.localPort
+        viaGateway: false,
+        viaVPN
       };
     }
+    const vpnAvailable = isWireGuardInstalled();
+    if (vpnAvailable) {
+      console.log(chalk7.yellow("Direct IPv6 not available, trying VPN..."));
+      try {
+        if (isVPNUp() && testIPv6Connectivity2(vmIp, 3)) {
+          console.log(chalk7.green("\u2713 VPN already connected"));
+          return {
+            url: `ssh://root@${vmIp}`,
+            vmIp,
+            viaGateway: false,
+            viaVPN: true
+          };
+        }
+        this.vpnEstablishedByUs = await this.vpnManager.ensureConnected(
+          vmIp,
+          async () => this.getVPNConfig(app.location)
+        );
+        if (testIPv6Connectivity2(vmIp, 5)) {
+          console.log(chalk7.green("\u2713 Connected via VPN"));
+          return {
+            url: `ssh://root@${vmIp}`,
+            vmIp,
+            viaGateway: false,
+            viaVPN: true
+          };
+        }
+      } catch (error) {
+        console.log(chalk7.yellow(`VPN setup failed: ${error.message}`));
+        console.log(chalk7.dim("Falling back to SSH tunnel..."));
+      }
+    } else {
+      console.log(chalk7.yellow("Direct IPv6 not available on your network."));
+      console.log(chalk7.dim("For faster deploys, install WireGuard:"));
+      console.log(chalk7.dim(getWireGuardInstallInstructions()));
+      console.log();
+    }
+    console.log(chalk7.yellow("Using SSH tunnel (may be slower for large transfers)..."));
+    const tunnelInfo = await this.ensureTunnel(appName, vmIp, app.location);
     return {
-      url: `ssh://root@${vmIp}`,
+      url: `ssh://root@localhost:${tunnelInfo.localPort}`,
       vmIp,
-      viaGateway: false
+      viaGateway: true,
+      viaVPN: false,
+      localPort: tunnelInfo.localPort
     };
   }
   /**
-   * Pre-accept a host's SSH key by running ssh-keyscan
-   * This prevents "Host key verification failed" errors from uncloud
+   * Get VPN configuration from platform
    */
-  preAcceptHostKey(host, port) {
+  async getVPNConfig(location) {
+    const { privateKey, publicKey } = getOrCreateKeyPair();
+    const vpnConfigResponse = await this.platformClient.registerVPNPeer(publicKey, location);
+    return {
+      privateKey,
+      publicKey,
+      address: vpnConfigResponse.address,
+      gatewayEndpoint: vpnConfigResponse.gatewayEndpoint,
+      gatewayPublicKey: vpnConfigResponse.gatewayPublicKey,
+      allowedIPs: vpnConfigResponse.allowedIPs
+    };
+  }
+  /**
+   * Pre-accept a host's SSH key by running ssh-keyscan
+   * This prevents "Host key verification failed" errors from uncloud
+   */
+  preAcceptHostKey(host, port) {
     try {
       const portArg = port ? `-p ${port}` : "";
-      execSync4(
+      execSync5(
         `ssh-keyscan ${portArg} -H ${host} >> ~/.ssh/known_hosts 2>/dev/null`,
         { stdio: "pipe", timeout: 1e4 }
       );
@@ -1445,81 +2155,11 @@ var UncloudRunner = class {
    * Ensure an SSH tunnel exists for gateway fallback
    */
   async ensureTunnel(appName, vmIp, location) {
-    const existing = this.activeTunnels.get(appName);
-    if (existing && !existing.process.killed) {
-      return existing;
-    }
     const gateway = await this.getGateway(location);
     if (!gateway) {
       throw new Error(`No gateway found for location ${location}`);
     }
-    const localPort = await this.findAvailablePort();
-    const tunnelProcess = spawn("ssh", [
-      "-N",
-      // No remote command
-      "-L",
-      `${localPort}:[${vmIp}]:22`,
-      // Local port forward
-      "-o",
-      "StrictHostKeyChecking=no",
-      "-o",
-      "UserKnownHostsFile=/dev/null",
-      "-o",
-      "LogLevel=ERROR",
-      "-o",
-      "ExitOnForwardFailure=yes",
-      "-o",
-      "ServerAliveInterval=30",
-      `root@${gateway.ipv4}`
-    ], {
-      detached: true,
-      stdio: "pipe"
-    });
-    await this.waitForTunnel(localPort);
-    const tunnelInfo = { process: tunnelProcess, localPort };
-    this.activeTunnels.set(appName, tunnelInfo);
-    return tunnelInfo;
-  }
-  /**
-   * Find an available local port
-   */
-  async findAvailablePort() {
-    return new Promise((resolve, reject) => {
-      const server = net2.createServer();
-      server.listen(0, () => {
-        const port = server.address().port;
-        server.close(() => resolve(port));
-      });
-      server.on("error", reject);
-    });
-  }
-  /**
-   * Wait for tunnel to be established
-   */
-  async waitForTunnel(port, timeoutMs = 1e4) {
-    const startTime = Date.now();
-    while (Date.now() - startTime < timeoutMs) {
-      try {
-        await new Promise((resolve, reject) => {
-          const socket = net2.createConnection(port, "localhost", () => {
-            socket.destroy();
-            resolve();
-          });
-          socket.on("error", () => {
-            socket.destroy();
-            reject();
-          });
-          socket.setTimeout(500, () => {
-            socket.destroy();
-            reject();
-          });
-        });
-        return;
-      } catch {
-        await new Promise((r) => setTimeout(r, 200));
-      }
-    }
-    throw new Error(`Tunnel failed to establish on port ${port}`);
+    return this.tunnelManager.ensureTunnel(appName, vmIp, gateway.ipv4);
   }
   /**
    * Run an uncloud command on the app's VM
@@ -1527,11 +2167,11 @@ var UncloudRunner = class {
   async run(appName, command, args = [], options = {}) {
     const connInfo = await this.getConnectionInfo(appName);
     if (connInfo.viaGateway) {
-      console.log(chalk6.dim(`Connecting via gateway...`));
+      console.log(chalk7.dim(`Connecting via gateway...`));
     }
     const fullArgs = ["--connect", connInfo.url, command, ...args];
     if (options.stdio === "inherit") {
-      const result = spawnSync2("uc", fullArgs, {
+      const result = spawnSync3("uc", fullArgs, {
         cwd: options.cwd,
         stdio: "inherit",
         timeout: options.timeout
@@ -1540,7 +2180,7 @@ var UncloudRunner = class {
         throw new Error(`Uncloud command failed with exit code ${result.status}`);
       }
     } else {
-      const result = execSync4(`uc ${fullArgs.map((a) => `"${a}"`).join(" ")}`, {
+      const result = execSync5(`uc ${fullArgs.map((a) => `"${a}"`).join(" ")}`, {
         cwd: options.cwd,
         encoding: "utf-8",
         timeout: options.timeout
@@ -1582,7 +2222,7 @@ var UncloudRunner = class {
     } else {
       sshCmd2 = `ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR root@${connInfo.vmIp}`;
     }
-    const token = execSync4(`${sshCmd2} "uc machine token"`, { encoding: "utf-8" }).trim();
+    const token = execSync5(`${sshCmd2} "uc machine token"`, { encoding: "utf-8" }).trim();
     return token;
   }
   /**
@@ -1596,7 +2236,29 @@ var UncloudRunner = class {
     } else {
       sshCmd2 = `ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR root@${connInfo.vmIp}`;
     }
-    return execSync4(`${sshCmd2} "${command}"`, { encoding: "utf-8" }).trim();
+    return execSync5(`${sshCmd2} "${command}"`, { encoding: "utf-8" }).trim();
+  }
+  /**
+   * Remove a node from the uncloud cluster
+   * Uses 'uc machine rm' to drain containers and remove from cluster
+   */
+  async removeNode(appName, nodeName) {
+    const connInfo = await this.getConnectionInfo(appName);
+    const result = spawnSync3("uc", ["--connect", connInfo.url, "machine", "rm", nodeName, "--yes"], {
+      stdio: "inherit",
+      timeout: 3e5
+      // 5 minute timeout for container drainage
+    });
+    if (result.status !== 0) {
+      throw new Error(`Failed to remove node '${nodeName}' from cluster (exit code ${result.status})`);
+    }
+  }
+  /**
+   * List machines in the uncloud cluster
+   */
+  async listMachines(appName) {
+    const result = await this.run(appName, "machine", ["ls"], { stdio: "pipe" });
+    return result;
   }
   /**
    * Get gateway info (cached)
@@ -1614,17 +2276,15 @@ var UncloudRunner = class {
     return null;
   }
   /**
-   * Clean up all SSH sessions and tunnels
+   * Clean up all SSH sessions, tunnels, and VPN
    */
   cleanup() {
-    for (const [appName, tunnel] of this.activeTunnels) {
-      try {
-        tunnel.process.kill();
-      } catch {
-      }
-    }
-    this.activeTunnels.clear();
+    this.tunnelManager.closeAll();
     this.certManager.cleanupAll();
+    if (this.vpnEstablishedByUs) {
+      this.vpnManager.disconnect();
+      this.vpnEstablishedByUs = false;
+    }
   }
 };
 
@@ -1636,11 +2296,12 @@ var DEFAULT_IMAGE = "ubuntu-noble";
 function createDeployCommand() {
   const cmd = new Command2("deploy");
   cmd.description("Deploy your application to hackerrun").option("-n, --name <name>", "App name (defaults to hackerrun.yaml or directory name)").option("--app <app>", "App name (alias for --name, for CI/CD compatibility)").option("-l, --location <location>", "VM location").option("-s, --size <size>", "VM size (default: burstable-1)").option("--storage <gb>", "Storage size in GB (default: 10)").option("-i, --image <image>", "Boot image").option("--build-token <token>", "Build token for CI/CD (bypasses normal auth)").action(async (options) => {
+    const deployStartTime = Date.now();
     try {
       PlatformDetector.ensureSupported();
-      await UncloudManager.ensureInstalled();
-      let platformToken;
       const isCIBuild = !!options.buildToken;
+      await UncloudManager.ensureInstalled({ nonInteractive: isCIBuild });
+      let platformToken;
       if (isCIBuild) {
         platformToken = options.buildToken;
       } else {
@@ -1654,14 +2315,19 @@ function createDeployCommand() {
       const vmSize = options.size || DEFAULT_SIZE;
       const storageSize = options.storage ? parseInt(options.storage) : DEFAULT_STORAGE_SIZE;
       const bootImage = options.image || DEFAULT_IMAGE;
-      console.log(chalk7.cyan(`
+      console.log(chalk8.cyan(`
 Deploying '${appName}' to hackerrun...
 `));
       let cluster = await platformClient.getApp(appName);
       let isFirstDeploy = false;
-      if (!cluster) {
+      const needsInfrastructure = !cluster || cluster.nodes.length === 0;
+      if (needsInfrastructure) {
         isFirstDeploy = true;
-        console.log(chalk7.yellow("First deployment - creating infrastructure...\n"));
+        if (cluster && cluster.nodes.length === 0) {
+          console.log(chalk8.yellow("App exists but has no infrastructure - creating VMs...\n"));
+        } else {
+          console.log(chalk8.yellow("First deployment - creating infrastructure...\n"));
+        }
         cluster = await clusterManager.initializeCluster({
           appName,
           location,
@@ -1669,67 +2335,105 @@ Deploying '${appName}' to hackerrun...
           storageSize,
           bootImage
         });
-        console.log(chalk7.cyan("\nWhat just happened:"));
-        console.log(`  ${chalk7.green("\u2713")} Created 1 IPv6-only VM (${vmSize})`);
-        console.log(`  ${chalk7.green("\u2713")} Installed Docker and Uncloud daemon`);
-        console.log(`  ${chalk7.green("\u2713")} Initialized uncloud cluster`);
-        console.log(`  ${chalk7.green("\u2713")} Assigned domain: ${cluster.domainName}.hackerrun.app`);
+        console.log(chalk8.cyan("\nWhat just happened:"));
+        console.log(`  ${chalk8.green("\u2713")} Created 1 IPv6-only VM (${vmSize})`);
+        console.log(`  ${chalk8.green("\u2713")} Installed Docker and Uncloud daemon`);
+        console.log(`  ${chalk8.green("\u2713")} Initialized uncloud cluster`);
+        console.log(`  ${chalk8.green("\u2713")} Assigned domain: ${cluster.domainName}.hackerrun.app`);
         console.log();
         if (!hasAppConfig()) {
           linkApp(appName);
-          console.log(chalk7.dim(`Created hackerrun.yaml for app linking
+          console.log(chalk8.dim(`Created hackerrun.yaml for app linking
 `));
         }
       } else {
-        console.log(chalk7.green(`Using existing infrastructure (${cluster.nodes.length} VM(s))
+        console.log(chalk8.green(`Using existing infrastructure (${cluster.nodes.length} VM(s))
 `));
       }
       const primaryNode = await platformClient.getPrimaryNode(appName);
       if (!primaryNode || !primaryNode.ipv6) {
         throw new Error("Primary node not found or has no IPv6 address");
       }
-      console.log(chalk7.cyan("\nRunning deployment...\n"));
+      console.log(chalk8.cyan("\nRunning deployment...\n"));
       try {
-        await uncloudRunner.deploy(appName, process.cwd());
-        console.log(chalk7.green("\nApp deployed successfully!"));
-        if (cluster.domainName) {
-          const spinner = ora4("Registering route...").start();
+        const maxDeployAttempts = 3;
+        let lastError = null;
+        for (let attempt = 1; attempt <= maxDeployAttempts; attempt++) {
           try {
-            const route = await platformClient.registerRoute(appName, primaryNode.ipv6, 80);
-            spinner.succeed(chalk7.green(`Route registered: ${route.fullUrl}`));
-            spinner.start("Syncing gateway routes...");
-            await platformClient.syncGatewayRoutes(cluster.location);
-            spinner.succeed(chalk7.green("Gateway routes synced"));
+            await uncloudRunner.deploy(appName, process.cwd());
+            lastError = null;
+            break;
           } catch (error) {
-            spinner.warn(chalk7.yellow(`Could not register route: ${error.message}`));
+            lastError = error;
+            const errorMsg = lastError.message.toLowerCase();
+            const isRetryableError2 = errorMsg.includes("connection reset") || errorMsg.includes("connection refused") || errorMsg.includes("broken pipe") || errorMsg.includes("network is unreachable") || errorMsg.includes("context deadline exceeded") || errorMsg.includes("exit code 1");
+            if (isRetryableError2 && attempt < maxDeployAttempts) {
+              console.log(chalk8.yellow(`
+Deploy failed, retrying (attempt ${attempt + 1}/${maxDeployAttempts})...
+`));
+              uncloudRunner.cleanup();
+              await new Promise((r) => setTimeout(r, 3e3));
+            } else {
+              throw lastError;
+            }
+          }
+        }
+        console.log(chalk8.green("\nApp deployed successfully!"));
+        if (cluster.domainName) {
+          const spinner = ora4("Registering route...").start();
+          let success = false;
+          for (let attempt = 1; attempt <= 5; attempt++) {
+            try {
+              if (attempt > 1) {
+                spinner.text = `Registering route (attempt ${attempt}/5)...`;
+                await new Promise((r) => setTimeout(r, 2e3));
+              }
+              const route = await platformClient.registerRoute(appName, primaryNode.ipv6, 80);
+              spinner.succeed(chalk8.green(`Route registered: ${route.fullUrl}`));
+              spinner.start("Syncing gateway routes...");
+              await platformClient.syncGatewayRoutes(cluster.location);
+              spinner.succeed(chalk8.green("Gateway routes synced"));
+              success = true;
+              break;
+            } catch (error) {
+              if (attempt === 5) {
+                spinner.warn(chalk8.yellow(`Could not register route: ${error.message}`));
+                console.log(chalk8.dim(`  Run 'hackerrun domain --app ${appName} ${cluster.domainName}' to retry`));
+              }
+            }
           }
         }
         await platformClient.updateLastDeployed(appName);
-        console.log(chalk7.cyan("\nDeployment Summary:\n"));
-        console.log(`  App Name:     ${chalk7.bold(appName)}`);
-        console.log(`  Domain:       ${chalk7.bold(`${cluster.domainName}.hackerrun.app`)}`);
-        console.log(`  URL:          ${chalk7.bold(`https://${cluster.domainName}.hackerrun.app`)}`);
+        const deployDurationMs = Date.now() - deployStartTime;
+        const deployMinutes = Math.floor(deployDurationMs / 6e4);
+        const deploySeconds = Math.floor(deployDurationMs % 6e4 / 1e3);
+        const deployTimeStr = deployMinutes > 0 ? `${deployMinutes}m ${deploySeconds}s` : `${deploySeconds}s`;
+        console.log(chalk8.cyan("\nDeployment Summary:\n"));
+        console.log(`  App Name:     ${chalk8.bold(appName)}`);
+        console.log(`  Domain:       ${chalk8.bold(`${cluster.domainName}.hackerrun.app`)}`);
+        console.log(`  URL:          ${chalk8.bold(`https://${cluster.domainName}.hackerrun.app`)}`);
         console.log(`  Location:     ${cluster.location}`);
         console.log(`  Nodes:        ${cluster.nodes.length}`);
-        console.log(chalk7.cyan("\nInfrastructure:\n"));
+        console.log(`  Deploy Time:  ${chalk8.bold(deployTimeStr)}`);
+        console.log(chalk8.cyan("\nInfrastructure:\n"));
         cluster.nodes.forEach((node, index) => {
-          const prefix = node.isPrimary ? chalk7.yellow("(primary)") : "         ";
+          const prefix = node.isPrimary ? chalk8.yellow("(primary)") : "         ";
           const ip = node.ipv6 || node.ipv4 || "pending";
           console.log(`  ${prefix} ${node.name} - ${ip}`);
         });
-        console.log(chalk7.cyan("\nNext steps:\n"));
-        console.log(`  View logs:     ${chalk7.bold(`hackerrun logs ${appName}`)}`);
-        console.log(`  SSH access:    ${chalk7.bold(`hackerrun ssh ${appName}`)}`);
-        console.log(`  Change domain: ${chalk7.bold(`hackerrun domain --app ${appName} <new-name>`)}`);
+        console.log(chalk8.cyan("\nNext steps:\n"));
+        console.log(`  View logs:     ${chalk8.bold(`hackerrun logs ${appName}`)}`);
+        console.log(`  SSH access:    ${chalk8.bold(`hackerrun ssh ${appName}`)}`);
+        console.log(`  Change domain: ${chalk8.bold(`hackerrun domain --app ${appName} <new-name>`)}`);
         console.log();
         uncloudRunner.cleanup();
       } catch (error) {
         uncloudRunner.cleanup();
-        console.log(chalk7.red("\nDeployment failed"));
+        console.log(chalk8.red("\nDeployment failed"));
         throw error;
       }
     } catch (error) {
-      console.error(chalk7.red(`
+      console.error(chalk8.red(`
 Error: ${error.message}
 `));
       process.exit(1);
@@ -1740,20 +2444,20 @@ Error: ${error.message}
 
 // src/commands/app.ts
 import { Command as Command3 } from "commander";
-import chalk8 from "chalk";
+import chalk9 from "chalk";
 import ora5 from "ora";
-import { execSync as execSync5 } from "child_process";
-import { readFileSync as readFileSync4, writeFileSync as writeFileSync4, existsSync as existsSync4 } from "fs";
-import { homedir as homedir2 } from "os";
-import { join as join4 } from "path";
+import { execSync as execSync6 } from "child_process";
+import { readFileSync as readFileSync5, writeFileSync as writeFileSync5, existsSync as existsSync5 } from "fs";
+import { homedir as homedir3 } from "os";
+import { join as join5 } from "path";
 import YAML from "yaml";
 function removeUncloudContext(contextName) {
-  const configPath = join4(homedir2(), ".config", "uncloud", "config.yaml");
-  if (!existsSync4(configPath)) {
+  const configPath = join5(homedir3(), ".config", "uncloud", "config.yaml");
+  if (!existsSync5(configPath)) {
     return false;
   }
   try {
-    const content = readFileSync4(configPath, "utf-8");
+    const content = readFileSync5(configPath, "utf-8");
     const config = YAML.parse(content);
     if (!config.contexts || !config.contexts[contextName]) {
       return false;
@@ -1763,7 +2467,7 @@ function removeUncloudContext(contextName) {
       const remainingContexts = Object.keys(config.contexts);
       config.current_context = remainingContexts.length > 0 ? remainingContexts[0] : "";
     }
-    writeFileSync4(configPath, YAML.stringify(config));
+    writeFileSync5(configPath, YAML.stringify(config));
     return true;
   } catch {
     return false;
@@ -1777,14 +2481,14 @@ function createAppCommands() {
       const platformClient = new PlatformClient(platformToken);
       const apps = await platformClient.listApps();
       if (apps.length === 0) {
-        console.log(chalk8.yellow("\nNo apps deployed yet.\n"));
-        console.log(`Run ${chalk8.bold("hackerrun deploy")} to deploy your first app!
+        console.log(chalk9.yellow("\nNo apps deployed yet.\n"));
+        console.log(`Run ${chalk9.bold("hackerrun deploy")} to deploy your first app!
 `);
         return;
       }
-      console.log(chalk8.cyan("\n Your Apps:\n"));
+      console.log(chalk9.cyan("\n Your Apps:\n"));
       apps.forEach((app) => {
-        console.log(chalk8.bold(`  ${app.appName}`));
+        console.log(chalk9.bold(`  ${app.appName}`));
         console.log(`    Domain:       ${app.domainName}.hackerrun.app`);
         console.log(`    URL:          https://${app.domainName}.hackerrun.app`);
         console.log(`    Location:     ${app.location}`);
@@ -1797,10 +2501,10 @@ function createAppCommands() {
         console.log(`    Primary Node: ${primaryNode?.ipv6 || primaryNode?.ipv4 || "N/A"}`);
         console.log();
       });
-      console.log(chalk8.green(`Total: ${apps.length} app(s)
+      console.log(chalk9.green(`Total: ${apps.length} app(s)
 `));
     } catch (error) {
-      console.error(chalk8.red(`
+      console.error(chalk9.red(`
 Error: ${error.message}
 `));
       process.exit(1);
@@ -1813,17 +2517,17 @@ Error: ${error.message}
       const platformClient = new PlatformClient(platformToken);
       const app = await platformClient.getApp(appName);
       if (!app) {
-        console.log(chalk8.red(`
+        console.log(chalk9.red(`
 App '${appName}' not found
 `));
         process.exit(1);
       }
-      console.log(chalk8.cyan(`
+      console.log(chalk9.cyan(`
 Nodes in '${appName}':
 `));
       app.nodes.forEach((node, index) => {
-        const primaryLabel = node.isPrimary ? chalk8.yellow(" (primary)") : "";
-        console.log(`  ${index + 1}. ${chalk8.bold(node.name)}${primaryLabel}`);
+        const primaryLabel = node.isPrimary ? chalk9.yellow(" (primary)") : "";
+        console.log(`  ${index + 1}. ${chalk9.bold(node.name)}${primaryLabel}`);
         console.log(`     IPv6: ${node.ipv6 || "pending"}`);
         if (node.ipv4) {
           console.log(`     IPv4: ${node.ipv4}`);
@@ -1831,10 +2535,10 @@ Nodes in '${appName}':
         console.log(`     ID:   ${node.id}`);
         console.log();
       });
-      console.log(chalk8.green(`Total: ${app.nodes.length} node(s)
+      console.log(chalk9.green(`Total: ${app.nodes.length} node(s)
 `));
     } catch (error) {
-      console.error(chalk8.red(`
+      console.error(chalk9.red(`
 Error: ${error.message}
 `));
       process.exit(1);
@@ -1848,7 +2552,7 @@ Error: ${error.message}
     try {
       const app = await platformClient.getApp(appName);
       if (!app) {
-        console.log(chalk8.red(`
+        console.log(chalk9.red(`
 App '${appName}' not found
 `));
         process.exit(1);
@@ -1862,7 +2566,7 @@ App '${appName}' not found
           targetNode = app.nodes.find((n) => n.name === options.node);
         }
         if (!targetNode) {
-          console.log(chalk8.red(`
+          console.log(chalk9.red(`
 Node '${options.node}' not found
 `));
           process.exit(1);
@@ -1872,34 +2576,34 @@ Node '${options.node}' not found
       }
       const nodeIp = targetNode?.ipv6 || targetNode?.ipv4;
       if (!targetNode || !nodeIp) {
-        console.log(chalk8.red(`
+        console.log(chalk9.red(`
 Target node not found or has no IP
 `));
         process.exit(1);
       }
       const connInfo = await uncloudRunner.getConnectionInfo(appName);
       if (connInfo.viaGateway) {
-        console.log(chalk8.cyan(`
+        console.log(chalk9.cyan(`
 Connecting to ${targetNode.name} via gateway...
 `));
       } else {
-        console.log(chalk8.cyan(`
+        console.log(chalk9.cyan(`
 Connecting to ${targetNode.name}...
 `));
       }
       if (connInfo.viaGateway && connInfo.localPort) {
-        execSync5(
+        execSync6(
           `ssh -p ${connInfo.localPort} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR root@localhost`,
           { stdio: "inherit" }
         );
       } else {
-        execSync5(
+        execSync6(
           `ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR root@${nodeIp}`,
           { stdio: "inherit" }
         );
       }
     } catch (error) {
-      console.error(chalk8.red(`
+      console.error(chalk9.red(`
 Error: ${error.message}
 `));
       process.exit(1);
@@ -1914,18 +2618,18 @@ Error: ${error.message}
       const platformClient = new PlatformClient(platformToken);
       const app = await platformClient.getApp(appName);
       if (!app) {
-        console.log(chalk8.red(`
+        console.log(chalk9.red(`
 \u274C App '${appName}' not found
 `));
         process.exit(1);
       }
       if (!options.force) {
-        console.log(chalk8.yellow(`
+        console.log(chalk9.yellow(`
 \u26A0\uFE0F  You are about to delete '${appName}' and all its infrastructure:`));
         console.log(`  - ${app.nodes.length} VM(s) will be deleted`);
         console.log(`  - All data will be lost
 `);
-        console.log(chalk8.red("Use --force flag to confirm deletion\n"));
+        console.log(chalk9.red("Use --force flag to confirm deletion\n"));
         process.exit(1);
       }
       const spinner = ora5("Deleting infrastructure...").start();
@@ -1935,18 +2639,25 @@ Error: ${error.message}
           await platformClient.deleteVM(app.location, node.name);
         }
         spinner.text = "Removing app from database...";
+        const appLocation = app.location;
         await platformClient.deleteApp(appName);
+        spinner.text = "Syncing gateway routes...";
+        try {
+          await platformClient.syncGatewayRoutes(appLocation);
+        } catch (error) {
+          console.log(chalk9.dim(`  Warning: Could not sync gateway: ${error.message}`));
+        }
         spinner.text = "Cleaning up local configuration...";
         const contextName = app.uncloudContext || appName;
         removeUncloudContext(contextName);
-        spinner.succeed(chalk8.green(`App '${appName}' destroyed successfully`));
-        console.log(chalk8.cyan("\n\u{1F4A1} All infrastructure has been deleted.\n"));
+        spinner.succeed(chalk9.green(`App '${appName}' destroyed successfully`));
+        console.log(chalk9.cyan("\n\u{1F4A1} All infrastructure has been deleted.\n"));
       } catch (error) {
-        spinner.fail(chalk8.red("Failed to destroy app"));
+        spinner.fail(chalk9.red("Failed to destroy app"));
         throw error;
       }
     } catch (error) {
-      console.error(chalk8.red(`
+      console.error(chalk9.red(`
 \u274C Error: ${error.message}
 `));
       process.exit(1);
@@ -1959,35 +2670,35 @@ Error: ${error.message}
       const platformClient = new PlatformClient(platformToken);
       const app = await platformClient.getApp(appName);
       if (!app) {
-        console.log(chalk8.red(`
+        console.log(chalk9.red(`
 App '${appName}' not found
 `));
-        console.log(`Run ${chalk8.bold("hackerrun apps")} to see your apps.
+        console.log(`Run ${chalk9.bold("hackerrun apps")} to see your apps.
 `);
         process.exit(1);
       }
       const existingConfig = readAppConfig();
       if (existingConfig) {
         if (existingConfig.appName === appName) {
-          console.log(chalk8.yellow(`
+          console.log(chalk9.yellow(`
 This directory is already linked to '${appName}'
 `));
           return;
         }
-        console.log(chalk8.yellow(`
+        console.log(chalk9.yellow(`
 This directory is currently linked to '${existingConfig.appName}'`));
         console.log(`Updating link to '${appName}'...
 `);
       }
       linkApp(appName);
-      console.log(chalk8.green(`
+      console.log(chalk9.green(`
 Linked to app '${appName}'
 `));
       console.log(`  Domain: https://${app.domainName}.hackerrun.app`);
-      console.log(`  Run ${chalk8.bold("hackerrun deploy")} to deploy changes.
+      console.log(`  Run ${chalk9.bold("hackerrun deploy")} to deploy changes.
 `);
     } catch (error) {
-      console.error(chalk8.red(`
+      console.error(chalk9.red(`
 Error: ${error.message}
 `));
       process.exit(1);
@@ -2001,7 +2712,7 @@ Error: ${error.message}
       const currentName = options.app;
       const app = await platformClient.getApp(currentName);
       if (!app) {
-        console.log(chalk8.red(`
+        console.log(chalk9.red(`
 App '${currentName}' not found
 `));
         process.exit(1);
@@ -2009,7 +2720,7 @@ App '${currentName}' not found
       const spinner = ora5(`Renaming app '${currentName}' to '${newName}'...`).start();
       try {
         const updatedApp = await platformClient.renameApp(currentName, newName);
-        spinner.succeed(chalk8.green(`App renamed successfully`));
+        spinner.succeed(chalk9.green(`App renamed successfully`));
         console.log(`
   Old name: ${currentName}`);
         console.log(`  New name: ${updatedApp.appName}`);
@@ -2018,15 +2729,15 @@ App '${currentName}' not found
         const existingConfig = readAppConfig();
         if (existingConfig?.appName === currentName) {
           linkApp(newName);
-          console.log(chalk8.dim(`Updated local hackerrun.yaml
+          console.log(chalk9.dim(`Updated local hackerrun.yaml
 `));
         }
       } catch (error) {
-        spinner.fail(chalk8.red("Failed to rename app"));
+        spinner.fail(chalk9.red("Failed to rename app"));
         throw error;
       }
     } catch (error) {
-      console.error(chalk8.red(`
+      console.error(chalk9.red(`
 Error: ${error.message}
 `));
       process.exit(1);
@@ -2040,7 +2751,7 @@ Error: ${error.message}
       const appName = options.app;
       const app = await platformClient.getApp(appName);
       if (!app) {
-        console.log(chalk8.red(`
+        console.log(chalk9.red(`
 App '${appName}' not found
 `));
         process.exit(1);
@@ -2048,22 +2759,32 @@ App '${appName}' not found
       const oldDomain = app.domainName;
       const spinner = ora5(`Changing domain from '${oldDomain}' to '${newDomain}'...`).start();
       try {
-        const updatedApp = await platformClient.renameDomain(appName, newDomain);
-        spinner.succeed(chalk8.green(`Domain changed successfully`));
+        let updatedApp = app;
+        if (oldDomain !== newDomain) {
+          updatedApp = await platformClient.renameDomain(appName, newDomain);
+          spinner.succeed(chalk9.green(`Domain changed successfully`));
+        } else {
+          spinner.succeed(chalk9.green(`Domain already set to '${newDomain}'`));
+        }
+        const primaryNode = app.nodes.find((n) => n.isPrimary);
+        if (primaryNode?.ipv6) {
+          spinner.start("Ensuring route exists...");
+          await platformClient.registerRoute(appName, primaryNode.ipv6, 80);
+          spinner.succeed(chalk9.green("Route registered"));
+        }
         spinner.start("Syncing gateway routes...");
         await platformClient.syncGatewayRoutes(app.location);
-        spinner.succeed(chalk8.green("Gateway routes synced"));
+        spinner.succeed(chalk9.green("Gateway routes synced"));
         console.log(`
   App:        ${updatedApp.appName}`);
-        console.log(`  Old domain: https://${oldDomain}.hackerrun.app`);
-        console.log(`  New domain: https://${updatedApp.domainName}.hackerrun.app
+        console.log(`  Domain:     https://${updatedApp.domainName}.hackerrun.app
 `);
       } catch (error) {
-        spinner.fail(chalk8.red("Failed to change domain"));
+        spinner.fail(chalk9.red("Failed to change domain"));
         throw error;
       }
     } catch (error) {
-      console.error(chalk8.red(`
+      console.error(chalk9.red(`
 Error: ${error.message}
 `));
       process.exit(1);
@@ -2074,7 +2795,7 @@ Error: ${error.message}
 
 // src/commands/config.ts
 import { Command as Command4 } from "commander";
-import chalk9 from "chalk";
+import chalk10 from "chalk";
 function createConfigCommand() {
   const cmd = new Command4("config");
   cmd.description("Manage hackerrun configuration");
@@ -2082,20 +2803,20 @@ function createConfigCommand() {
     try {
       const configManager = new ConfigManager();
       if (key !== "apiToken") {
-        console.log(chalk9.red(`
+        console.log(chalk10.red(`
 \u274C Invalid key: ${key}
 `));
-        console.log(chalk9.cyan("Valid keys:"));
+        console.log(chalk10.cyan("Valid keys:"));
         console.log("  - apiToken    Platform API token\n");
         process.exit(1);
       }
       configManager.set(key, value);
       const displayValue = configManager.getAll(true).apiToken;
-      console.log(chalk9.green(`
+      console.log(chalk10.green(`
 \u2713 Set ${key} = ${displayValue}
 `));
     } catch (error) {
-      console.error(chalk9.red(`
+      console.error(chalk10.red(`
 \u274C Error: ${error.message}
 `));
       process.exit(1);
@@ -2105,24 +2826,24 @@ function createConfigCommand() {
     try {
       const configManager = new ConfigManager();
       if (key !== "apiToken") {
-        console.log(chalk9.red(`
+        console.log(chalk10.red(`
 \u274C Invalid key: ${key}
 `));
         process.exit(1);
       }
       const value = configManager.get(key);
       if (!value) {
-        console.log(chalk9.yellow(`
+        console.log(chalk10.yellow(`
 \u26A0\uFE0F  ${key} is not set
 `));
         process.exit(1);
       }
       const displayValue = options.showSecrets ? value : configManager.getAll(true).apiToken;
-      console.log(chalk9.cyan(`
+      console.log(chalk10.cyan(`
 ${key} = ${displayValue}
 `));
     } catch (error) {
-      console.error(chalk9.red(`
+      console.error(chalk10.red(`
 \u274C Error: ${error.message}
 `));
       process.exit(1);
@@ -2133,18 +2854,18 @@ ${key} = ${displayValue}
       const configManager = new ConfigManager();
       const config = configManager.getAll(!options.showSecrets);
       if (Object.keys(config).length === 0) {
-        console.log(chalk9.yellow("\n\u26A0\uFE0F  No configuration found\n"));
-        console.log(chalk9.cyan("Get started by logging in:\n"));
+        console.log(chalk10.yellow("\n\u26A0\uFE0F  No configuration found\n"));
+        console.log(chalk10.cyan("Get started by logging in:\n"));
         console.log("  hackerrun login\n");
         return;
       }
-      console.log(chalk9.cyan("\n\u{1F4DD} Configuration:\n"));
-      console.log(`  apiToken: ${config.apiToken || chalk9.red("not set")}`);
-      console.log(chalk9.dim(`
+      console.log(chalk10.cyan("\n\u{1F4DD} Configuration:\n"));
+      console.log(`  apiToken: ${config.apiToken || chalk10.red("not set")}`);
+      console.log(chalk10.dim(`
 Config file: ${configManager.getConfigPath()}
 `));
     } catch (error) {
-      console.error(chalk9.red(`
+      console.error(chalk10.red(`
 \u274C Error: ${error.message}
 `));
       process.exit(1);
@@ -2154,17 +2875,17 @@ Config file: ${configManager.getConfigPath()}
     try {
       const configManager = new ConfigManager();
       if (key !== "apiToken") {
-        console.log(chalk9.red(`
+        console.log(chalk10.red(`
 \u274C Invalid key: ${key}
 `));
         process.exit(1);
       }
       configManager.unset(key);
-      console.log(chalk9.green(`
+      console.log(chalk10.green(`
 \u2713 Removed ${key}
 `));
     } catch (error) {
-      console.error(chalk9.red(`
+      console.error(chalk10.red(`
 \u274C Error: ${error.message}
 `));
       process.exit(1);
@@ -2175,7 +2896,7 @@ Config file: ${configManager.getConfigPath()}
       const configManager = new ConfigManager();
       console.log(configManager.getConfigPath());
     } catch (error) {
-      console.error(chalk9.red(`
+      console.error(chalk10.red(`
 \u274C Error: ${error.message}
 `));
       process.exit(1);
@@ -2186,7 +2907,7 @@ Config file: ${configManager.getConfigPath()}
 
 // src/commands/logs.ts
 import { Command as Command5 } from "commander";
-import chalk10 from "chalk";
+import chalk11 from "chalk";
 function createLogsCommand() {
   const cmd = new Command5("logs");
   cmd.description("View logs for app services").argument("<app>", "App name").argument("[service]", "Service name (optional - lists services if omitted)").option("-f, --follow", "Follow log output").option("--tail <lines>", "Number of lines to show from the end of the logs").action(async (appName, serviceName, options) => {
@@ -2196,13 +2917,13 @@ function createLogsCommand() {
     try {
       const app = await platformClient.getApp(appName);
       if (!app) {
-        console.log(chalk10.red(`
+        console.log(chalk11.red(`
  App '${appName}' not found
 `));
-        console.log(chalk10.cyan("Available apps:"));
+        console.log(chalk11.cyan("Available apps:"));
         const apps = await platformClient.listApps();
         if (apps.length === 0) {
-          console.log(chalk10.yellow("  No apps deployed yet\n"));
+          console.log(chalk11.yellow("  No apps deployed yet\n"));
         } else {
           apps.forEach((a) => console.log(`  - ${a.appName}`));
           console.log();
@@ -2225,27 +2946,27 @@ function createLogsCommand() {
             }
           }
           if (services.length === 0) {
-            console.log(chalk10.yellow(`
+            console.log(chalk11.yellow(`
  No services found in app '${appName}'
 `));
             return;
           }
-          console.log(chalk10.cyan(`
+          console.log(chalk11.cyan(`
  Available services in '${appName}':
 `));
-          services.forEach((s) => console.log(`  ${chalk10.bold(s)}`));
-          console.log(chalk10.dim(`
+          services.forEach((s) => console.log(`  ${chalk11.bold(s)}`));
+          console.log(chalk11.dim(`
 Usage: hackerrun logs ${appName} <service>`));
-          console.log(chalk10.dim(`Example: hackerrun logs ${appName} ${services[0]}
+          console.log(chalk11.dim(`Example: hackerrun logs ${appName} ${services[0]}
 `));
           return;
         } catch (error) {
-          console.error(chalk10.red("\n Failed to list services"));
-          console.error(chalk10.yellow("Make sure the app is deployed and running\n"));
+          console.error(chalk11.red("\n Failed to list services"));
+          console.error(chalk11.yellow("Make sure the app is deployed and running\n"));
           process.exit(1);
         }
       }
-      console.log(chalk10.cyan(`
+      console.log(chalk11.cyan(`
  Viewing logs for '${serviceName}' in app '${appName}'...
 `));
       try {
@@ -2254,13 +2975,13 @@ Usage: hackerrun logs ${appName} <service>`));
           tail: options.tail ? parseInt(options.tail) : void 0
         });
       } catch (error) {
-        console.error(chalk10.red(`
+        console.error(chalk11.red(`
  Failed to fetch logs for service '${serviceName}'`));
-        console.error(chalk10.yellow("The service may not exist or may not be running\n"));
+        console.error(chalk11.yellow("The service may not exist or may not be running\n"));
         process.exit(1);
       }
     } catch (error) {
-      console.error(chalk10.red(`
+      console.error(chalk11.red(`
  Error: ${error.message}
 `));
       process.exit(1);
@@ -2273,10 +2994,10 @@ Usage: hackerrun logs ${appName} <service>`));
 
 // src/commands/env.ts
 import { Command as Command6 } from "commander";
-import chalk11 from "chalk";
+import chalk12 from "chalk";
 import ora6 from "ora";
 import { password } from "@inquirer/prompts";
-import { readFileSync as readFileSync5, existsSync as existsSync5 } from "fs";
+import { readFileSync as readFileSync6, existsSync as existsSync6 } from "fs";
 function parseEnvFile(content) {
   const vars = {};
   for (const line of content.split("\n")) {
@@ -2315,14 +3036,14 @@ function createEnvCommand() {
         });
       }
       if (!key) {
-        console.error(chalk11.red("\nError: Key cannot be empty\n"));
+        console.error(chalk12.red("\nError: Key cannot be empty\n"));
         process.exit(1);
       }
       const spinner = ora6(`Setting ${key}...`).start();
       await platformClient.setEnvVar(appName, key, value);
       spinner.succeed(`Set ${key}`);
     } catch (error) {
-      console.error(chalk11.red(`
+      console.error(chalk12.red(`
 Error: ${error.message}
 `));
       process.exit(1);
@@ -2333,24 +3054,24 @@ Error: ${error.message}
       const appName = options.app || getAppName();
       const platformToken = getPlatformToken();
       const platformClient = new PlatformClient(platformToken);
-      if (!existsSync5(filePath)) {
-        console.error(chalk11.red(`
+      if (!existsSync6(filePath)) {
+        console.error(chalk12.red(`
 Error: File not found: ${filePath}
 `));
         process.exit(1);
       }
-      const content = readFileSync5(filePath, "utf-8");
+      const content = readFileSync6(filePath, "utf-8");
       const vars = parseEnvFile(content);
       const count = Object.keys(vars).length;
       if (count === 0) {
-        console.log(chalk11.yellow("\nNo environment variables found in file.\n"));
+        console.log(chalk12.yellow("\nNo environment variables found in file.\n"));
         return;
       }
       const spinner = ora6(`Uploading ${count} variable${count > 1 ? "s" : ""}...`).start();
       await platformClient.setEnvVars(appName, vars);
       spinner.succeed(`Uploaded ${count} environment variable${count > 1 ? "s" : ""}`);
     } catch (error) {
-      console.error(chalk11.red(`
+      console.error(chalk12.red(`
 Error: ${error.message}
 `));
       process.exit(1);
@@ -2365,25 +3086,25 @@ Error: ${error.message}
       const vars = await platformClient.listEnvVars(appName);
       spinner.stop();
       if (vars.length === 0) {
-        console.log(chalk11.yellow(`
+        console.log(chalk12.yellow(`
 No environment variables set for '${appName}'.
 `));
-        console.log(chalk11.cyan("Set variables with:\n"));
+        console.log(chalk12.cyan("Set variables with:\n"));
         console.log(`  hackerrun env set KEY=value`);
         console.log(`  hackerrun env upload .env
 `);
         return;
       }
-      console.log(chalk11.cyan(`
+      console.log(chalk12.cyan(`
 Environment variables for '${appName}':
 `));
       for (const v of vars) {
         const masked = "*".repeat(Math.min(v.valueLength, 20));
-        console.log(`  ${chalk11.bold(v.key)}=${chalk11.dim(masked)}`);
+        console.log(`  ${chalk12.bold(v.key)}=${chalk12.dim(masked)}`);
       }
       console.log();
     } catch (error) {
-      console.error(chalk11.red(`
+      console.error(chalk12.red(`
 Error: ${error.message}
 `));
       process.exit(1);
@@ -2398,7 +3119,7 @@ Error: ${error.message}
       await platformClient.unsetEnvVar(appName, key);
       spinner.succeed(`Removed ${key}`);
     } catch (error) {
-      console.error(chalk11.red(`
+      console.error(chalk12.red(`
 Error: ${error.message}
 `));
       process.exit(1);
@@ -2409,16 +3130,16 @@ Error: ${error.message}
 
 // src/commands/connect.ts
 import { Command as Command7 } from "commander";
-import chalk12 from "chalk";
+import chalk13 from "chalk";
 import ora7 from "ora";
 import { select } from "@inquirer/prompts";
-function sleep2(ms) {
+function sleep3(ms) {
   return new Promise((resolve) => setTimeout(resolve, ms));
 }
 async function pollForInstallation(platformClient, stateToken, spinner, maxAttempts = 60, intervalMs = 5e3) {
   let attempts = 0;
   while (attempts < maxAttempts) {
-    await sleep2(intervalMs);
+    await sleep3(intervalMs);
     attempts++;
     const result = await platformClient.pollGitHubConnect(stateToken);
     if (result.status === "complete" && result.installationId) {
@@ -2436,7 +3157,7 @@ function createConnectCommand() {
       const appName = options.app || getAppName();
       const platformToken = getPlatformToken();
       const platformClient = new PlatformClient(platformToken);
-      console.log(chalk12.cyan(`
+      console.log(chalk13.cyan(`
 Connecting GitHub repository to '${appName}'
 `));
       let app = await platformClient.getApp(appName);
@@ -2446,35 +3167,42 @@ Connecting GitHub repository to '${appName}'
         spinner.succeed(`Created app '${appName}'`);
         if (!hasAppConfig()) {
           linkApp(appName);
-          console.log(chalk12.dim(`  Created hackerrun.yaml`));
+          console.log(chalk13.dim(`  Created hackerrun.yaml`));
         }
       }
       const existingRepo = await platformClient.getConnectedRepo(appName);
       if (existingRepo) {
-        console.log(chalk12.yellow(`
+        console.log(chalk13.yellow(`
 App '${appName}' is already connected to:`));
-        console.log(`  ${chalk12.bold(existingRepo.repoFullName)} (branch: ${existingRepo.branch})
+        console.log(`  ${chalk13.bold(existingRepo.repoFullName)} (branch: ${existingRepo.branch})
 `);
         const action = await select({
           message: "What would you like to do?",
           choices: [
             { name: "Change repository", value: "change" },
-            { name: "Keep current connection", value: "keep" }
+            { name: "Keep current connection", value: "keep" },
+            { name: "Reconnect (delete and re-setup)", value: "reconnect" }
           ]
         });
         if (action === "keep") {
-          console.log(chalk12.green("\nConnection unchanged.\n"));
+          console.log(chalk13.green("\nConnection unchanged.\n"));
           return;
         }
+        if (action === "reconnect") {
+          const disconnectSpinner = ora7("Disconnecting existing repository...").start();
+          await platformClient.disconnectRepo(appName);
+          disconnectSpinner.succeed("Existing connection removed");
+          console.log(chalk13.cyan("\nReconnecting...\n"));
+        }
       }
       let installation = await platformClient.getGitHubInstallation();
       if (!installation) {
-        console.log(chalk12.cyan("First, install the HackerRun GitHub App:\n"));
+        console.log(chalk13.cyan("First, install the HackerRun GitHub App:\n"));
         const spinner = ora7("Initiating GitHub connection...").start();
         const flow = await platformClient.initiateGitHubConnect();
         spinner.succeed("GitHub connection initiated");
-        console.log(chalk12.cyan("\nPlease complete the following steps:\n"));
-        console.log(`  1. Visit: ${chalk12.bold.blue(flow.authUrl)}`);
+        console.log(chalk13.cyan("\nPlease complete the following steps:\n"));
+        console.log(`  1. Visit: ${chalk13.bold.blue(flow.authUrl)}`);
         console.log(`  2. Install the HackerRun app on your account`);
         console.log(`  3. Select the repositories you want to access
 `);
@@ -2487,23 +3215,56 @@ App '${appName}' is already connected to:`));
           process.exit(1);
         }
       } else {
-        console.log(chalk12.green(`\u2713 GitHub App already installed (${installation.accountLogin})
+        console.log(chalk13.green(`\u2713 GitHub App already installed (${installation.accountLogin})
 `));
       }
       const repoSpinner = ora7("Fetching accessible repositories...").start();
-      const repos = await platformClient.listAccessibleRepos();
+      let repos;
+      try {
+        repos = await platformClient.listAccessibleRepos();
+      } catch (error) {
+        repoSpinner.stop();
+        const isStaleInstallation = error.message.includes("create-an-installation-access-token") || error.message.includes("Bad credentials") || error.message.includes("installation") && error.message.includes("Not Found");
+        if (isStaleInstallation) {
+          console.log(chalk13.yellow("\nGitHub App installation is stale or was removed from GitHub."));
+          console.log(chalk13.cyan("Clearing stale record and prompting for reinstallation...\n"));
+          await platformClient.deleteGitHubInstallation();
+          console.log(chalk13.cyan("Please reinstall the HackerRun GitHub App:\n"));
+          const spinner = ora7("Initiating GitHub connection...").start();
+          const flow = await platformClient.initiateGitHubConnect();
+          spinner.succeed("GitHub connection initiated");
+          console.log(chalk13.cyan("\nPlease complete the following steps:\n"));
+          console.log(`  1. Visit: ${chalk13.bold.blue(flow.authUrl)}`);
+          console.log(`  2. Install the HackerRun app on your account`);
+          console.log(`  3. Select the repositories you want to access
+`);
+          const pollSpinner = ora7("Waiting for GitHub authorization...").start();
+          try {
+            await pollForInstallation(platformClient, flow.stateToken, pollSpinner);
+            pollSpinner.succeed("GitHub App installed");
+          } catch (pollError) {
+            pollSpinner.fail(pollError.message);
+            process.exit(1);
+          }
+          const retrySpinner = ora7("Fetching accessible repositories...").start();
+          repos = await platformClient.listAccessibleRepos();
+          retrySpinner.stop();
+        } else {
+          throw error;
+        }
+      }
       repoSpinner.stop();
       if (repos.length === 0) {
-        console.log(chalk12.yellow("\nNo repositories found."));
-        console.log(chalk12.cyan("Make sure you have given HackerRun access to your repositories.\n"));
-        console.log(`Visit ${chalk12.blue("https://github.com/settings/installations")} to manage access.
+        console.log(chalk13.yellow("\nNo repositories found."));
+        console.log(chalk13.cyan("Make sure you have given HackerRun access to your repositories.\n"));
+        console.log(`Visit ${chalk13.blue("https://github.com/settings/installations")} to manage access.
 `);
         process.exit(1);
       }
       const selectedRepo = await select({
         message: "Select repository to connect:",
         choices: repos.map((r) => ({
-          name: `${r.fullName}${r.private ? chalk12.dim(" (private)") : ""} [${r.defaultBranch}]`,
+          name: `${r.fullName}${r.private ? chalk13.dim(" (private)") : ""} [${r.defaultBranch}]`,
           value: r.fullName
         }))
       });
@@ -2512,17 +3273,17 @@ App '${appName}' is already connected to:`));
       const connectSpinner = ora7("Connecting repository...").start();
       await platformClient.connectRepo(appName, selectedRepo, branch);
       connectSpinner.succeed(`Connected ${selectedRepo}`);
-      console.log(chalk12.green(`
+      console.log(chalk13.green(`
 \u2713 Successfully connected!
 `));
-      console.log(chalk12.cyan("Auto-deploy is now enabled:"));
-      console.log(`  Repository: ${chalk12.bold(selectedRepo)}`);
-      console.log(`  Branch: ${chalk12.bold(branch)}`);
-      console.log(`  App: ${chalk12.bold(appName)}
+      console.log(chalk13.cyan("Auto-deploy is now enabled:"));
+      console.log(`  Repository: ${chalk13.bold(selectedRepo)}`);
+      console.log(`  Branch: ${chalk13.bold(branch)}`);
+      console.log(`  App: ${chalk13.bold(appName)}
 `);
-      console.log(chalk12.dim("Every push to this branch will trigger a build and deploy.\n"));
+      console.log(chalk13.dim("Every push to this branch will trigger a build and deploy.\n"));
     } catch (error) {
-      console.error(chalk12.red(`
+      console.error(chalk13.red(`
 Error: ${error.message}
 `));
       process.exit(1);
@@ -2539,7 +3300,7 @@ function createDisconnectCommand() {
       const platformClient = new PlatformClient(platformToken);
       const existingRepo = await platformClient.getConnectedRepo(appName);
       if (!existingRepo) {
-        console.log(chalk12.yellow(`
+        console.log(chalk13.yellow(`
 No repository connected to '${appName}'.
 `));
         return;
@@ -2547,12 +3308,12 @@ No repository connected to '${appName}'.
       const spinner = ora7("Disconnecting repository...").start();
       await platformClient.disconnectRepo(appName);
       spinner.succeed("Repository disconnected");
-      console.log(chalk12.green(`
+      console.log(chalk13.green(`
 \u2713 Disconnected ${existingRepo.repoFullName} from '${appName}'
 `));
-      console.log(chalk12.dim("Auto-deploy is now disabled. Use `hackerrun connect` to reconnect.\n"));
+      console.log(chalk13.dim("Auto-deploy is now disabled. Use `hackerrun connect` to reconnect.\n"));
     } catch (error) {
-      console.error(chalk12.red(`
+      console.error(chalk13.red(`
 Error: ${error.message}
 `));
       process.exit(1);
@@ -2563,9 +3324,9 @@ Error: ${error.message}
 
 // src/commands/builds.ts
 import { Command as Command8 } from "commander";
-import chalk13 from "chalk";
+import chalk14 from "chalk";
 import ora8 from "ora";
-function sleep3(ms) {
+function sleep4(ms) {
   return new Promise((resolve) => setTimeout(resolve, ms));
 }
 function formatDuration(startedAt, completedAt) {
@@ -2592,22 +3353,22 @@ function formatRelativeTime(dateStr) {
 function getStatusIcon(status) {
   switch (status) {
     case "success":
-      return chalk13.green("\u2713");
+      return chalk14.green("\u2713");
     case "failed":
-      return chalk13.red("\u2717");
+      return chalk14.red("\u2717");
     case "building":
-      return chalk13.yellow("\u25CF");
+      return chalk14.yellow("\u25CF");
     case "pending":
-      return chalk13.dim("\u25CB");
+      return chalk14.dim("\u25CB");
     default:
-      return chalk13.dim("?");
+      return chalk14.dim("?");
   }
 }
 function getStageIcon(stage, status) {
-  if (status === "completed") return chalk13.green("\u2713");
-  if (status === "failed") return chalk13.red("\u2717");
-  if (status === "started") return chalk13.yellow("\u25CF");
-  return chalk13.dim("\u25CB");
+  if (status === "completed") return chalk14.green("\u2713");
+  if (status === "failed") return chalk14.red("\u2717");
+  if (status === "started") return chalk14.yellow("\u25CF");
+  return chalk14.dim("\u25CB");
 }
 function formatEventTime(startTime, eventTime) {
   const diffMs = eventTime.getTime() - startTime.getTime();
@@ -2633,7 +3394,7 @@ function createBuildsCommand() {
         await listBuilds(platformClient, appName, parseInt(options.limit, 10));
       }
     } catch (error) {
-      console.error(chalk13.red(`
+      console.error(chalk14.red(`
 Error: ${error.message}
 `));
       process.exit(1);
@@ -2646,25 +3407,25 @@ async function listBuilds(platformClient, appName, limit) {
   const builds = await platformClient.listBuilds(appName, limit);
   spinner.stop();
   if (builds.length === 0) {
-    console.log(chalk13.yellow(`
+    console.log(chalk14.yellow(`
 No builds found for '${appName}'.
 `));
-    console.log(chalk13.cyan("Connect a GitHub repo to enable auto-deploy:\n"));
+    console.log(chalk14.cyan("Connect a GitHub repo to enable auto-deploy:\n"));
     console.log(`  hackerrun connect
 `);
     return;
   }
-  console.log(chalk13.cyan(`
+  console.log(chalk14.cyan(`
 Builds for '${appName}':
 `));
   for (const build of builds) {
     const icon = getStatusIcon(build.status);
     const sha = build.commitSha.substring(0, 7);
-    const msg = build.commitMsg ? build.commitMsg.length > 50 ? build.commitMsg.substring(0, 47) + "..." : build.commitMsg : chalk13.dim("No message");
+    const msg = build.commitMsg ? build.commitMsg.length > 50 ? build.commitMsg.substring(0, 47) + "..." : build.commitMsg : chalk14.dim("No message");
     const duration = formatDuration(build.startedAt, build.completedAt);
     const time = formatRelativeTime(build.createdAt);
-    console.log(`  ${icon} ${chalk13.bold(`#${build.id}`)} ${chalk13.dim(sha)} ${msg}`);
-    console.log(`    ${chalk13.dim(`${build.branch} \u2022 ${duration} \u2022 ${time}`)}`);
+    console.log(`  ${icon} ${chalk14.bold(`#${build.id}`)} ${chalk14.dim(sha)} ${msg}`);
+    console.log(`    ${chalk14.dim(`${build.branch} \u2022 ${duration} \u2022 ${time}`)}`);
     console.log();
   }
 }
@@ -2675,16 +3436,16 @@ async function showBuildDetails(platformClient, appName, buildId) {
   spinner.stop();
   const icon = getStatusIcon(build.status);
   const sha = build.commitSha.substring(0, 7);
-  console.log(chalk13.cyan(`
+  console.log(chalk14.cyan(`
 Build #${build.id}
 `));
   console.log(`  Status: ${icon} ${build.status}`);
-  console.log(`  Commit: ${chalk13.dim(sha)} ${build.commitMsg || chalk13.dim("No message")}`);
+  console.log(`  Commit: ${chalk14.dim(sha)} ${build.commitMsg || chalk14.dim("No message")}`);
   console.log(`  Branch: ${build.branch}`);
   console.log(`  Duration: ${formatDuration(build.startedAt, build.completedAt)}`);
   console.log(`  Created: ${formatRelativeTime(build.createdAt)}`);
   if (events.length > 0) {
-    console.log(chalk13.cyan("\nBuild Events:\n"));
+    console.log(chalk14.cyan("\nBuild Events:\n"));
     const startTime = new Date(events[0].timestamp);
     for (const event of events) {
       const eventTime = new Date(event.timestamp);
@@ -2694,29 +3455,29 @@ Build #${build.id}
     }
   }
   if (build.logs) {
-    console.log(chalk13.cyan("\nBuild Logs:\n"));
-    console.log(chalk13.dim(build.logs));
+    console.log(chalk14.cyan("\nBuild Logs:\n"));
+    console.log(chalk14.dim(build.logs));
   }
   console.log();
 }
 async function streamLatestBuild(platformClient, appName) {
-  console.log(chalk13.cyan(`
+  console.log(chalk14.cyan(`
 Watching latest build for '${appName}'...
 `));
-  console.log(chalk13.dim("Press Ctrl+C to stop\n"));
+  console.log(chalk14.dim("Press Ctrl+C to stop\n"));
   let currentBuildId = null;
   let lastEventTimestamp = null;
   let buildStartTime = null;
   process.on("SIGINT", () => {
-    console.log(chalk13.dim("\n\nStopped watching.\n"));
+    console.log(chalk14.dim("\n\nStopped watching.\n"));
     process.exit(0);
   });
   while (true) {
     try {
       const builds = await platformClient.listBuilds(appName, 1);
       if (builds.length === 0) {
-        console.log(chalk13.dim("Waiting for builds..."));
-        await sleep3(5e3);
+        console.log(chalk14.dim("Waiting for builds..."));
+        await sleep4(5e3);
         continue;
       }
       const latestBuild = builds[0];
@@ -2724,9 +3485,9 @@ Watching latest build for '${appName}'...
         currentBuildId = latestBuild.id;
         lastEventTimestamp = null;
         buildStartTime = latestBuild.startedAt ? new Date(latestBuild.startedAt) : /* @__PURE__ */ new Date();
-        console.log(chalk13.bold(`
-Build #${latestBuild.id}`) + ` - commit ${chalk13.dim(latestBuild.commitSha.substring(0, 7))} "${latestBuild.commitMsg || "No message"}"`);
-        console.log(chalk13.dim(`Branch: ${latestBuild.branch} | Started: ${formatRelativeTime(latestBuild.createdAt)}`));
+        console.log(chalk14.bold(`
+Build #${latestBuild.id}`) + ` - commit ${chalk14.dim(latestBuild.commitSha.substring(0, 7))} "${latestBuild.commitMsg || "No message"}"`);
+        console.log(chalk14.dim(`Branch: ${latestBuild.branch} | Started: ${formatRelativeTime(latestBuild.createdAt)}`));
         console.log();
       }
       const events = await platformClient.getBuildEvents(appName, currentBuildId, lastEventTimestamp || void 0);
@@ -2742,31 +3503,31 @@ Build #${latestBuild.id}`) + ` - commit ${chalk13.dim(latestBuild.commitSha.subs
         const icon = getStatusIcon(latestBuild.status);
         console.log();
         console.log(`${icon} Build #${latestBuild.id} ${latestBuild.status} in ${duration}`);
-        console.log(chalk13.dim("\nWaiting for next build...\n"));
+        console.log(chalk14.dim("\nWaiting for next build...\n"));
         currentBuildId = null;
       }
-      await sleep3(2e3);
+      await sleep4(2e3);
     } catch (error) {
-      await sleep3(5e3);
+      await sleep4(5e3);
     }
   }
 }
 async function watchBuilds(platformClient, appName) {
-  console.log(chalk13.cyan(`
+  console.log(chalk14.cyan(`
 Watching builds for '${appName}'...
 `));
-  console.log(chalk13.dim("Press Ctrl+C to stop\n"));
+  console.log(chalk14.dim("Press Ctrl+C to stop\n"));
   let lastBuildId = null;
   process.on("SIGINT", () => {
-    console.log(chalk13.dim("\n\nStopped watching.\n"));
+    console.log(chalk14.dim("\n\nStopped watching.\n"));
     process.exit(0);
   });
   while (true) {
     try {
       const builds = await platformClient.listBuilds(appName, 5);
       if (builds.length === 0) {
-        console.log(chalk13.dim("No builds yet. Waiting..."));
-        await sleep3(5e3);
+        console.log(chalk14.dim("No builds yet. Waiting..."));
+        await sleep4(5e3);
         continue;
       }
       const latestBuild = builds[0];
@@ -2774,25 +3535,396 @@ Watching builds for '${appName}'...
         if (lastBuildId !== null) {
           const icon = getStatusIcon(latestBuild.status);
           const sha = latestBuild.commitSha.substring(0, 7);
-          console.log(`${icon} New build #${latestBuild.id} ${chalk13.dim(sha)} "${latestBuild.commitMsg || "No message"}" [${latestBuild.status}]`);
+          console.log(`${icon} New build #${latestBuild.id} ${chalk14.dim(sha)} "${latestBuild.commitMsg || "No message"}" [${latestBuild.status}]`);
         }
         lastBuildId = latestBuild.id;
       }
       for (const build of builds) {
         if (build.status === "building") {
           const duration = formatDuration(build.startedAt, null);
-          console.log(chalk13.yellow(`  \u25CF Build #${build.id} in progress (${duration})...`));
+          console.log(chalk14.yellow(`  \u25CF Build #${build.id} in progress (${duration})...`));
         }
       }
-      await sleep3(5e3);
+      await sleep4(5e3);
     } catch (error) {
-      await sleep3(5e3);
+      await sleep4(5e3);
     }
   }
 }
 
+// src/commands/vpn.ts
+import { Command as Command9 } from "commander";
+import chalk15 from "chalk";
+import ora9 from "ora";
+var DEFAULT_LOCATION2 = "eu-central-h1";
+function createVPNCommands() {
+  const vpnCmd = new Command9("vpn");
+  vpnCmd.description("Manage VPN connection for IPv6 access to your apps");
+  vpnCmd.command("status").description("Show VPN connection status").action(async () => {
+    try {
+      if (!isWireGuardInstalled()) {
+        console.log(chalk15.yellow("\nWireGuard is not installed.\n"));
+        console.log("Install it with:");
+        console.log("  Ubuntu/Debian: sudo apt install wireguard");
+        console.log("  Fedora: sudo dnf install wireguard-tools");
+        console.log("  Arch: sudo pacman -S wireguard-tools");
+        console.log("  macOS: brew install wireguard-tools\n");
+        return;
+      }
+      const status = getVPNStatus();
+      console.log(chalk15.cyan("\nVPN Status\n"));
+      if (status.connected) {
+        console.log(`  Status:     ${chalk15.green("Connected")}`);
+        console.log(`  Interface:  ${status.interface}`);
+        if (status.endpoint) {
+          console.log(`  Endpoint:   ${status.endpoint}`);
+        }
+        if (status.latestHandshake) {
+          console.log(`  Handshake:  ${status.latestHandshake}`);
+        }
+        if (status.transferRx && status.transferTx) {
+          console.log(`  Transfer:   ${status.transferRx} received, ${status.transferTx} sent`);
+        }
+      } else {
+        console.log(`  Status:     ${chalk15.yellow("Disconnected")}`);
+      }
+      const publicKey = getPublicKey();
+      if (publicKey) {
+        console.log(`  Public Key: ${chalk15.dim(publicKey.substring(0, 20) + "...")}`);
+      }
+      console.log();
+    } catch (error) {
+      console.error(chalk15.red(`
+Error: ${error.message}
+`));
+      process.exit(1);
+    }
+  });
+  vpnCmd.command("connect").description("Establish VPN connection to gateway for IPv6 access").option("-l, --location <location>", "Gateway location", DEFAULT_LOCATION2).action(async (options) => {
+    try {
+      if (!isWireGuardInstalled()) {
+        console.error(chalk15.red("\nWireGuard is not installed.\n"));
+        console.log("Install it with:");
+        console.log("  Ubuntu/Debian: sudo apt install wireguard");
+        console.log("  Fedora: sudo dnf install wireguard-tools");
+        console.log("  Arch: sudo pacman -S wireguard-tools");
+        console.log("  macOS: brew install wireguard-tools\n");
+        process.exit(1);
+      }
+      if (isVPNUp()) {
+        console.log(chalk15.green("\nVPN is already connected.\n"));
+        const status2 = getVPNStatus();
+        if (status2.endpoint) {
+          console.log(`  Endpoint: ${status2.endpoint}`);
+        }
+        console.log();
+        return;
+      }
+      const platformToken = getPlatformToken();
+      const platformClient = new PlatformClient(platformToken);
+      console.log(chalk15.cyan("\nEstablishing VPN connection...\n"));
+      const spinner = ora9("Preparing WireGuard keypair...").start();
+      const { publicKey, isNew } = getOrCreateKeyPair();
+      if (isNew) {
+        spinner.succeed("Generated new WireGuard keypair");
+      } else {
+        spinner.succeed("Using existing WireGuard keypair");
+      }
+      spinner.start("Registering with gateway...");
+      const vpnConfigResponse = await platformClient.registerVPNPeer(publicKey, options.location);
+      spinner.succeed("Registered with gateway");
+      const { privateKey } = getOrCreateKeyPair();
+      const vpnConfig = {
+        privateKey,
+        publicKey,
+        address: vpnConfigResponse.address,
+        gatewayEndpoint: vpnConfigResponse.gatewayEndpoint,
+        gatewayPublicKey: vpnConfigResponse.gatewayPublicKey,
+        allowedIPs: vpnConfigResponse.allowedIPs
+      };
+      spinner.start("Writing WireGuard configuration...");
+      writeWireGuardConfig(vpnConfig);
+      spinner.succeed("WireGuard configuration written");
+      spinner.start("Starting VPN tunnel (requires sudo)...");
+      spinner.stop();
+      console.log(chalk15.dim("  Starting VPN tunnel (requires sudo)..."));
+      vpnUp();
+      console.log(chalk15.green("  \u2713 VPN tunnel started"));
+      spinner.start("Verifying connection...");
+      await new Promise((r) => setTimeout(r, 1e3));
+      const status = getVPNStatus();
+      if (status.connected) {
+        spinner.succeed("VPN connected successfully");
+      } else {
+        spinner.warn("VPN interface is up but connection not verified");
+      }
+      console.log(chalk15.green("\n\u2713 VPN connected!\n"));
+      console.log(`  Your IPv6:  ${chalk15.bold(vpnConfigResponse.address.split("/")[0])}`);
+      console.log(`  Gateway:    ${chalk15.bold(vpnConfigResponse.gatewayEndpoint)}`);
+      console.log();
+      console.log(chalk15.dim("You now have IPv6 connectivity to your app VMs."));
+      console.log(chalk15.dim(`Run ${chalk15.bold("hackerrun vpn disconnect")} to disconnect.
+`));
+    } catch (error) {
+      console.error(chalk15.red(`
+Error: ${error.message}
+`));
+      process.exit(1);
+    }
+  });
+  vpnCmd.command("disconnect").description("Disconnect VPN").action(async () => {
+    try {
+      if (!isVPNUp()) {
+        console.log(chalk15.yellow("\nVPN is not connected.\n"));
+        return;
+      }
+      console.log(chalk15.cyan("\nDisconnecting VPN...\n"));
+      console.log(chalk15.dim("  Stopping VPN tunnel (requires sudo)..."));
+      vpnDown();
+      console.log(chalk15.green("  \u2713 VPN tunnel stopped"));
+      console.log(chalk15.green("\n\u2713 VPN disconnected.\n"));
+    } catch (error) {
+      console.error(chalk15.red(`
+Error: ${error.message}
+`));
+      process.exit(1);
+    }
+  });
+  vpnCmd.command("test").description("Test IPv6 connectivity to an app VM").argument("<ipv6>", "IPv6 address to test").action(async (ipv6) => {
+    try {
+      console.log(chalk15.cyan(`
+Testing connectivity to ${ipv6}...
+`));
+      const spinner = ora9("Testing direct IPv6...").start();
+      const directOk = testIPv6Connectivity2(ipv6, 3);
+      if (directOk) {
+        spinner.succeed("Direct IPv6 connectivity works");
+        console.log(chalk15.green("\n\u2713 You can reach this address directly.\n"));
+      } else {
+        spinner.fail("Direct IPv6 not available");
+        if (isVPNUp()) {
+          spinner.start("VPN is up, testing through VPN...");
+          const vpnOk = testIPv6Connectivity2(ipv6, 5);
+          if (vpnOk) {
+            spinner.succeed("Connectivity works through VPN");
+            console.log(chalk15.green("\n\u2713 You can reach this address via VPN.\n"));
+          } else {
+            spinner.fail("Cannot reach address even through VPN");
+            console.log(chalk15.red("\n\u2717 Cannot reach this address.\n"));
+            console.log("Possible issues:");
+            console.log("  - The target VM may be down");
+            console.log("  - VPN routing may be misconfigured");
+            console.log("  - Firewall may be blocking traffic\n");
+          }
+        } else {
+          console.log(chalk15.yellow("\n\u2717 Cannot reach this address directly.\n"));
+          console.log(`Run ${chalk15.bold("hackerrun vpn connect")} to establish VPN and try again.
+`);
+        }
+      }
+    } catch (error) {
+      console.error(chalk15.red(`
+Error: ${error.message}
+`));
+      process.exit(1);
+    }
+  });
+  return vpnCmd;
+}
+
+// src/commands/scale.ts
+import { Command as Command10 } from "commander";
+import chalk16 from "chalk";
+import ora10 from "ora";
+import { confirm } from "@inquirer/prompts";
+var DEFAULT_VM_SIZE = "standard-2";
+var DEFAULT_BOOT_IMAGE = "ubuntu-noble";
+function createScaleCommand() {
+  const cmd = new Command10("scale");
+  cmd.description("Scale an app by adding or removing nodes").argument("[count]", "Target node count, or +N/-N to add/remove nodes").option("--app <app>", "App name (uses hackerrun.yaml if not specified)").option("--size <size>", `VM size for new nodes (default: ${DEFAULT_VM_SIZE})`).option("--force", "Skip confirmation when removing nodes").action(async (countArg, options) => {
+    let uncloudRunner = null;
+    try {
+      const appName = options.app || getAppName();
+      const platformToken = getPlatformToken();
+      const platformClient = new PlatformClient(platformToken);
+      const clusterManager = new ClusterManager(platformClient);
+      uncloudRunner = new UncloudRunner(platformClient);
+      const app = await platformClient.getApp(appName);
+      if (!app) {
+        console.log(chalk16.red(`
+App '${appName}' not found
+`));
+        console.log(`Run ${chalk16.bold("hackerrun deploy")} to create an app first.
+`);
+        process.exit(1);
+      }
+      const currentNodeCount = app.nodes.length;
+      if (!countArg) {
+        console.log(chalk16.cyan(`
+App '${appName}' Scale Info:
+`));
+        console.log(`  Current nodes: ${chalk16.bold(currentNodeCount.toString())}`);
+        console.log();
+        app.nodes.forEach((node, index) => {
+          const primaryLabel = node.isPrimary ? chalk16.yellow(" (primary)") : "";
+          console.log(`  ${index + 1}. ${chalk16.bold(node.name)}${primaryLabel}`);
+          console.log(`     IPv6: ${node.ipv6 || "pending"}`);
+          console.log();
+        });
+        console.log(chalk16.dim("Usage:"));
+        console.log(chalk16.dim(`  hackerrun scale 3         # Scale to 3 nodes`));
+        console.log(chalk16.dim(`  hackerrun scale +1        # Add 1 node`));
+        console.log(chalk16.dim(`  hackerrun scale -1        # Remove 1 node`));
+        console.log();
+        return;
+      }
+      let targetCount;
+      if (countArg.startsWith("+")) {
+        const delta = parseInt(countArg.slice(1), 10);
+        if (isNaN(delta) || delta <= 0) {
+          console.log(chalk16.red(`
+Invalid count: ${countArg}
+`));
+          process.exit(1);
+        }
+        targetCount = currentNodeCount + delta;
+      } else if (countArg.startsWith("-")) {
+        const delta = parseInt(countArg.slice(1), 10);
+        if (isNaN(delta) || delta <= 0) {
+          console.log(chalk16.red(`
+Invalid count: ${countArg}
+`));
+          process.exit(1);
+        }
+        targetCount = currentNodeCount - delta;
+      } else {
+        targetCount = parseInt(countArg, 10);
+        if (isNaN(targetCount)) {
+          console.log(chalk16.red(`
+Invalid count: ${countArg}
+`));
+          process.exit(1);
+        }
+      }
+      if (targetCount < 1) {
+        console.log(chalk16.red(`
+Cannot scale below 1 node. Use 'hackerrun destroy' to remove the app.
+`));
+        process.exit(1);
+      }
+      if (targetCount === currentNodeCount) {
+        console.log(chalk16.yellow(`
+App already has ${currentNodeCount} node(s). Nothing to do.
+`));
+        return;
+      }
+      const vmSize = options.size || DEFAULT_VM_SIZE;
+      if (targetCount > currentNodeCount) {
+        const nodesToAdd = targetCount - currentNodeCount;
+        console.log(chalk16.cyan(`
+Scaling '${appName}' from ${currentNodeCount} to ${targetCount} nodes (+${nodesToAdd})
+`));
+        for (let i = 0; i < nodesToAdd; i++) {
+          console.log(chalk16.cyan(`
+Adding node ${i + 1} of ${nodesToAdd}...`));
+          const newNode = await clusterManager.addNode(appName, vmSize, DEFAULT_BOOT_IMAGE);
+          console.log(chalk16.green(`  Added: ${newNode.name} (${newNode.ipv6})`));
+        }
+        const updatedApp = await platformClient.getApp(appName);
+        const syncSpinner = ora10("Syncing gateway routes...").start();
+        try {
+          await platformClient.syncGatewayRoutes(app.location);
+          syncSpinner.succeed("Gateway routes synced");
+        } catch (error) {
+          syncSpinner.warn(`Gateway sync failed: ${error.message}`);
+        }
+        console.log(chalk16.green(`
+\u2713 Scaled to ${updatedApp?.nodes.length} nodes
+`));
+        console.log(chalk16.dim("To deploy to specific nodes, use x-machines in your compose file:"));
+        console.log(chalk16.dim("  services:"));
+        console.log(chalk16.dim("    web:"));
+        console.log(chalk16.dim("      x-machines:"));
+        updatedApp?.nodes.forEach((node) => {
+          console.log(chalk16.dim(`        - ${node.name}`));
+        });
+        console.log();
+      } else {
+        const nodesToRemove = currentNodeCount - targetCount;
+        const sortedNodes = [...app.nodes].sort((a, b) => {
+          const numA = parseInt(a.name.split("-").pop() || "0", 10);
+          const numB = parseInt(b.name.split("-").pop() || "0", 10);
+          return numB - numA;
+        });
+        const nodesToRemoveList = sortedNodes.slice(0, nodesToRemove);
+        console.log(chalk16.yellow(`
+Scaling '${appName}' from ${currentNodeCount} to ${targetCount} nodes (-${nodesToRemove})
+`));
+        console.log(chalk16.yellow("The following nodes will be removed:"));
+        nodesToRemoveList.forEach((node) => {
+          console.log(`  - ${node.name} (${node.ipv6})`);
+        });
+        console.log();
+        if (!options.force) {
+          console.log(chalk16.yellow("Warning: All containers on these nodes will be stopped and the VMs deleted."));
+          console.log(chalk16.yellow("Data on these nodes will be lost.\n"));
+          const confirmed = await confirm({
+            message: "Are you sure you want to remove these nodes?",
+            default: false
+          });
+          if (!confirmed) {
+            console.log(chalk16.dim("\nScale cancelled.\n"));
+            return;
+          }
+        }
+        for (const node of nodesToRemoveList) {
+          console.log(chalk16.cyan(`
+Removing node '${node.name}'...`));
+          try {
+            const spinner = ora10("Removing from uncloud cluster...").start();
+            await uncloudRunner.removeNode(appName, node.name);
+            spinner.succeed("Removed from cluster");
+            spinner.start("Deleting VM...");
+            await platformClient.deleteVM(app.location, node.name);
+            spinner.succeed("VM deleted");
+            spinner.start("Updating app state...");
+            const updatedNodes = app.nodes.filter((n) => n.name !== node.name);
+            app.nodes = updatedNodes;
+            await platformClient.saveApp(app);
+            spinner.succeed("App state updated");
+            console.log(chalk16.green(`  Removed: ${node.name}`));
+          } catch (error) {
+            console.log(chalk16.red(`  Failed to remove ${node.name}: ${error.message}`));
+          }
+        }
+        const updatedApp = await platformClient.getApp(appName);
+        const syncSpinner = ora10("Syncing gateway routes...").start();
+        try {
+          await platformClient.syncGatewayRoutes(app.location);
+          syncSpinner.succeed("Gateway routes synced");
+        } catch (error) {
+          syncSpinner.warn(`Gateway sync failed: ${error.message}`);
+        }
+        console.log(chalk16.green(`
+\u2713 Scaled to ${updatedApp?.nodes.length} nodes
+`));
+      }
+    } catch (error) {
+      console.error(chalk16.red(`
+Error: ${error.message}
+`));
+      process.exit(1);
+    } finally {
+      if (uncloudRunner) {
+        uncloudRunner.cleanup();
+      }
+    }
+  });
+  return cmd;
+}
+
 // src/index.ts
-var program = new Command9();
+var program = new Command11();
 program.name("hackerrun").description("Deploy apps with full control over your infrastructure").version("0.1.0");
 program.addCommand(createLoginCommand());
 program.addCommand(createConfigCommand());
@@ -2802,6 +3934,8 @@ program.addCommand(createConnectCommand());
 program.addCommand(createDisconnectCommand());
 program.addCommand(createEnvCommand());
 program.addCommand(createBuildsCommand());
+program.addCommand(createVPNCommands());
+program.addCommand(createScaleCommand());
 var { appsCmd, nodesCmd, sshCmd, destroyCmd, linkCmd, renameCmd, domainCmd } = createAppCommands();
 program.addCommand(appsCmd);
 program.addCommand(nodesCmd);