hackerrun 0.1.10 → 0.1.11

package/dist/index.js

@@ -537,17 +537,592 @@ var TunnelManager = class {
   }
 };
 
+// src/lib/uncloud-runner.ts
+import { execSync as execSync3, spawnSync as spawnSync3 } from "child_process";
+
+// src/lib/vpn.ts
+import { execSync as execSync2, spawnSync as spawnSync2 } from "child_process";
+import { existsSync as existsSync3, readFileSync as readFileSync3, writeFileSync as writeFileSync3, mkdirSync as mkdirSync2, unlinkSync } from "fs";
+import { homedir as homedir2, platform } from "os";
+import { join as join3 } from "path";
+import chalk2 from "chalk";
+function detectOS() {
+  const os = platform();
+  if (os === "darwin") {
+    return { type: "macos" };
+  }
+  if (os === "win32") {
+    return { type: "windows" };
+  }
+  if (os === "linux") {
+    try {
+      if (existsSync3("/etc/os-release")) {
+        const osRelease = readFileSync3("/etc/os-release", "utf-8");
+        const idMatch = osRelease.match(/^ID=(.*)$/m);
+        if (idMatch) {
+          const distro = idMatch[1].replace(/"/g, "").toLowerCase();
+          return { type: "linux", distro };
+        }
+      }
+    } catch {
+    }
+    return { type: "linux" };
+  }
+  return { type: "unknown" };
+}
+function getWireGuardInstallInstructions() {
+  const os = detectOS();
+  switch (os.type) {
+    case "macos":
+      return `  ${chalk2.cyan("macOS:")} brew install wireguard-tools`;
+    case "windows":
+      return `  ${chalk2.cyan("Windows:")} Download from https://www.wireguard.com/install/
+            Or using winget: winget install WireGuard.WireGuard`;
+    case "linux":
+      switch (os.distro) {
+        case "arch":
+        case "manjaro":
+        case "endeavouros":
+        case "artix":
+          return `  ${chalk2.cyan("Arch Linux:")} sudo pacman -S wireguard-tools`;
+        case "ubuntu":
+        case "debian":
+        case "linuxmint":
+        case "pop":
+        case "elementary":
+        case "zorin":
+          return `  ${chalk2.cyan("Ubuntu/Debian:")} sudo apt install wireguard`;
+        case "fedora":
+          return `  ${chalk2.cyan("Fedora:")} sudo dnf install wireguard-tools`;
+        case "rhel":
+        case "centos":
+        case "rocky":
+        case "almalinux":
+          return `  ${chalk2.cyan("RHEL/CentOS:")} sudo dnf install wireguard-tools
+               (may need EPEL: sudo dnf install epel-release)`;
+        case "opensuse":
+        case "opensuse-leap":
+        case "opensuse-tumbleweed":
+          return `  ${chalk2.cyan("openSUSE:")} sudo zypper install wireguard-tools`;
+        case "gentoo":
+          return `  ${chalk2.cyan("Gentoo:")} sudo emerge net-vpn/wireguard-tools`;
+        case "void":
+          return `  ${chalk2.cyan("Void Linux:")} sudo xbps-install wireguard-tools`;
+        case "alpine":
+          return `  ${chalk2.cyan("Alpine:")} sudo apk add wireguard-tools`;
+        case "nixos":
+          return `  ${chalk2.cyan("NixOS:")} Add wireguard-tools to environment.systemPackages`;
+        default:
+          return `  ${chalk2.cyan("Linux:")} Install wireguard-tools using your package manager:
+    Arch:          sudo pacman -S wireguard-tools
+    Ubuntu/Debian: sudo apt install wireguard
+    Fedora:        sudo dnf install wireguard-tools
+    openSUSE:      sudo zypper install wireguard-tools`;
+      }
+    default:
+      return `  Visit https://www.wireguard.com/install/ for installation instructions`;
+  }
+}
+var CONFIG_DIR = join3(homedir2(), ".config", "hackerrun");
+var PRIVATE_KEY_FILE = join3(CONFIG_DIR, "wg-private-key");
+var WG_INTERFACE = "hackerrun";
+var WG_CONFIG_PATH = `/etc/wireguard/${WG_INTERFACE}.conf`;
+function isWireGuardInstalled() {
+  try {
+    execSync2("which wg", { stdio: "ignore" });
+    execSync2("which wg-quick", { stdio: "ignore" });
+    return true;
+  } catch {
+    return false;
+  }
+}
+function ensureConfigDir() {
+  if (!existsSync3(CONFIG_DIR)) {
+    mkdirSync2(CONFIG_DIR, { recursive: true, mode: 448 });
+  }
+}
+function generateKeyPair() {
+  const privateKey = execSync2("wg genkey", { encoding: "utf-8" }).trim();
+  const publicKey = execSync2("wg pubkey", {
+    input: privateKey,
+    encoding: "utf-8"
+  }).trim();
+  return { privateKey, publicKey };
+}
+function getOrCreateKeyPair() {
+  ensureConfigDir();
+  if (existsSync3(PRIVATE_KEY_FILE)) {
+    const privateKey2 = readFileSync3(PRIVATE_KEY_FILE, "utf-8").trim();
+    const publicKey2 = execSync2("wg pubkey", {
+      input: privateKey2,
+      encoding: "utf-8"
+    }).trim();
+    return { privateKey: privateKey2, publicKey: publicKey2, isNew: false };
+  }
+  const { privateKey, publicKey } = generateKeyPair();
+  writeFileSync3(PRIVATE_KEY_FILE, privateKey + "\n", { mode: 384 });
+  return { privateKey, publicKey, isNew: true };
+}
+function getPublicKey() {
+  if (!existsSync3(PRIVATE_KEY_FILE)) {
+    return null;
+  }
+  const privateKey = readFileSync3(PRIVATE_KEY_FILE, "utf-8").trim();
+  return execSync2("wg pubkey", {
+    input: privateKey,
+    encoding: "utf-8"
+  }).trim();
+}
+function isVPNUp() {
+  try {
+    const result = execSync2(`ip link show ${WG_INTERFACE}`, {
+      encoding: "utf-8",
+      stdio: ["pipe", "pipe", "pipe"]
+    });
+    return result.includes(WG_INTERFACE);
+  } catch {
+    return false;
+  }
+}
+function isRoutedViaVPN(ipv6Address) {
+  if (!isVPNUp()) {
+    return false;
+  }
+  try {
+    const result = execSync2(`ip -6 route get ${ipv6Address}`, {
+      encoding: "utf-8",
+      stdio: ["pipe", "pipe", "pipe"]
+    });
+    return result.includes(`dev ${WG_INTERFACE}`);
+  } catch {
+    return false;
+  }
+}
+function getVPNStatus() {
+  if (!isVPNUp()) {
+    return { connected: false };
+  }
+  try {
+    const output = execSync2(`sudo wg show ${WG_INTERFACE}`, {
+      encoding: "utf-8",
+      stdio: ["pipe", "pipe", "pipe"]
+    });
+    const lines = output.split("\n");
+    let endpoint;
+    let latestHandshake;
+    let transferRx;
+    let transferTx;
+    for (const line of lines) {
+      if (line.includes("endpoint:")) {
+        endpoint = line.split("endpoint:")[1]?.trim();
+      }
+      if (line.includes("latest handshake:")) {
+        latestHandshake = line.split("latest handshake:")[1]?.trim();
+      }
+      if (line.includes("transfer:")) {
+        const transfer = line.split("transfer:")[1]?.trim();
+        const parts = transfer?.split(",");
+        transferRx = parts?.[0]?.trim();
+        transferTx = parts?.[1]?.trim();
+      }
+    }
+    return {
+      connected: true,
+      interface: WG_INTERFACE,
+      endpoint,
+      latestHandshake,
+      transferRx,
+      transferTx
+    };
+  } catch {
+    return { connected: isVPNUp(), interface: WG_INTERFACE };
+  }
+}
+function generateWireGuardConfig(config) {
+  return `# HackerRun VPN - Auto-generated
+# Do not edit manually
+
+[Interface]
+PrivateKey = ${config.privateKey}
+Address = ${config.address}
+
+[Peer]
+PublicKey = ${config.gatewayPublicKey}
+Endpoint = ${config.gatewayEndpoint}
+AllowedIPs = ${config.allowedIPs}
+PersistentKeepalive = 25
+`;
+}
+function writeWireGuardConfig(config) {
+  const configContent = generateWireGuardConfig(config);
+  const tempFile = join3(CONFIG_DIR, "wg-temp.conf");
+  writeFileSync3(tempFile, configContent, { mode: 384 });
+  try {
+    execSync2("sudo mkdir -p /etc/wireguard", { stdio: "inherit" });
+    execSync2(`sudo mv ${tempFile} ${WG_CONFIG_PATH}`, { stdio: "inherit" });
+    execSync2(`sudo chmod 600 ${WG_CONFIG_PATH}`, { stdio: "inherit" });
+  } catch (error) {
+    if (existsSync3(tempFile)) {
+      unlinkSync(tempFile);
+    }
+    throw error;
+  }
+}
+function vpnUp() {
+  if (isVPNUp()) {
+    return;
+  }
+  const result = spawnSync2("sudo", ["wg-quick", "up", WG_INTERFACE], {
+    stdio: "inherit"
+  });
+  if (result.status !== 0) {
+    throw new Error(`Failed to bring up VPN interface (exit code ${result.status})`);
+  }
+}
+function vpnDown() {
+  if (!isVPNUp()) {
+    return;
+  }
+  const result = spawnSync2("sudo", ["wg-quick", "down", WG_INTERFACE], {
+    stdio: "inherit"
+  });
+  if (result.status !== 0) {
+    throw new Error(`Failed to bring down VPN interface (exit code ${result.status})`);
+  }
+}
+function testIPv6Connectivity2(ipv6Address, timeoutSeconds = 3) {
+  try {
+    execSync2(`ping -6 -c 1 -W ${timeoutSeconds} ${ipv6Address}`, {
+      stdio: "ignore",
+      timeout: (timeoutSeconds + 2) * 1e3
+    });
+    return true;
+  } catch {
+    return false;
+  }
+}
+var VPNManager = class {
+  wasConnectedByUs = false;
+  /**
+   * Ensure VPN is connected if IPv6 is not available
+   * Returns true if VPN was established (and should be torn down later)
+   */
+  async ensureConnected(targetIPv6, getVPNConfig) {
+    if (testIPv6Connectivity2(targetIPv6)) {
+      console.log(chalk2.green("\u2713 Direct IPv6 connectivity available"));
+      return false;
+    }
+    console.log(chalk2.yellow("IPv6 not available, checking VPN..."));
+    if (isVPNUp()) {
+      if (testIPv6Connectivity2(targetIPv6)) {
+        console.log(chalk2.green("\u2713 VPN already connected"));
+        return false;
+      }
+      console.log(chalk2.yellow("VPN is up but cannot reach target, reconnecting..."));
+      vpnDown();
+    }
+    if (!isWireGuardInstalled()) {
+      const instructions = getWireGuardInstallInstructions();
+      throw new Error(
+        "WireGuard is not installed.\n\nWireGuard is needed for IPv6 connectivity to your app VMs.\nPlease install it and try again:\n\n" + instructions
+      );
+    }
+    console.log(chalk2.cyan("Establishing VPN tunnel (requires sudo)..."));
+    const { publicKey, isNew } = getOrCreateKeyPair();
+    if (isNew) {
+      console.log(chalk2.dim("Generated new WireGuard keypair"));
+    }
+    const vpnConfig = await getVPNConfig();
+    writeWireGuardConfig(vpnConfig);
+    vpnUp();
+    if (!testIPv6Connectivity2(targetIPv6)) {
+      vpnDown();
+      throw new Error("VPN established but cannot reach target. Please try again.");
+    }
+    console.log(chalk2.green("\u2713 VPN connected"));
+    this.wasConnectedByUs = true;
+    return true;
+  }
+  /**
+   * Disconnect VPN if we established it
+   */
+  disconnect() {
+    if (this.wasConnectedByUs && isVPNUp()) {
+      console.log(chalk2.dim("Disconnecting VPN..."));
+      try {
+        vpnDown();
+        console.log(chalk2.green("\u2713 VPN disconnected"));
+      } catch (error) {
+        console.log(chalk2.yellow(`Warning: Failed to disconnect VPN: ${error.message}`));
+      }
+      this.wasConnectedByUs = false;
+    }
+  }
+};
+
+// src/lib/uncloud-runner.ts
+import chalk3 from "chalk";
+var UncloudRunner = class {
+  constructor(platformClient) {
+    this.platformClient = platformClient;
+    this.certManager = new SSHCertManager(platformClient);
+  }
+  certManager;
+  gatewayCache = /* @__PURE__ */ new Map();
+  tunnelManager = new TunnelManager();
+  vpnManager = new VPNManager();
+  tempConfigPath = null;
+  vpnEstablishedByUs = false;
+  /**
+   * Get the connection URL for an app's primary VM
+   * Handles IPv6 direct connection, VPN, or gateway SSH tunnel fallback
+   */
+  async getConnectionInfo(appName) {
+    const app = await this.platformClient.getApp(appName);
+    if (!app) {
+      throw new Error(`App '${appName}' not found`);
+    }
+    const primaryNode = app.nodes.find((n) => n.isPrimary);
+    if (!primaryNode?.ipv6) {
+      throw new Error(`App '${appName}' has no primary node with IPv6 address`);
+    }
+    const vmIp = primaryNode.ipv6;
+    await this.certManager.getSession(appName, vmIp);
+    const canConnectDirect = await testIPv6Connectivity(vmIp, 3e3);
+    if (canConnectDirect) {
+      const viaVPN = isRoutedViaVPN(vmIp);
+      return {
+        url: `ssh://root@${vmIp}`,
+        vmIp,
+        viaGateway: false,
+        viaVPN
+      };
+    }
+    const vpnAvailable = isWireGuardInstalled();
+    if (vpnAvailable) {
+      console.log(chalk3.yellow("Direct IPv6 not available, trying VPN..."));
+      try {
+        if (isVPNUp() && testIPv6Connectivity2(vmIp, 3)) {
+          console.log(chalk3.green("\u2713 VPN already connected"));
+          return {
+            url: `ssh://root@${vmIp}`,
+            vmIp,
+            viaGateway: false,
+            viaVPN: true
+          };
+        }
+        this.vpnEstablishedByUs = await this.vpnManager.ensureConnected(
+          vmIp,
+          async () => this.getVPNConfig(app.location)
+        );
+        if (testIPv6Connectivity2(vmIp, 5)) {
+          console.log(chalk3.green("\u2713 Connected via VPN"));
+          return {
+            url: `ssh://root@${vmIp}`,
+            vmIp,
+            viaGateway: false,
+            viaVPN: true
+          };
+        }
+      } catch (error) {
+        console.log(chalk3.yellow(`VPN setup failed: ${error.message}`));
+        console.log(chalk3.dim("Falling back to SSH tunnel..."));
+      }
+    } else {
+      console.log(chalk3.yellow("Direct IPv6 not available on your network."));
+      console.log(chalk3.dim("For faster deploys, install WireGuard:"));
+      console.log(chalk3.dim(getWireGuardInstallInstructions()));
+      console.log();
+    }
+    console.log(chalk3.yellow("Using SSH tunnel (may be slower for large transfers)..."));
+    const tunnelInfo = await this.ensureTunnel(appName, vmIp, app.location);
+    return {
+      url: `ssh://root@localhost:${tunnelInfo.localPort}`,
+      vmIp,
+      viaGateway: true,
+      viaVPN: false,
+      localPort: tunnelInfo.localPort
+    };
+  }
+  /**
+   * Get VPN configuration from platform
+   */
+  async getVPNConfig(location) {
+    const { privateKey, publicKey } = getOrCreateKeyPair();
+    const vpnConfigResponse = await this.platformClient.registerVPNPeer(publicKey, location);
+    return {
+      privateKey,
+      publicKey,
+      address: vpnConfigResponse.address,
+      gatewayEndpoint: vpnConfigResponse.gatewayEndpoint,
+      gatewayPublicKey: vpnConfigResponse.gatewayPublicKey,
+      allowedIPs: vpnConfigResponse.allowedIPs
+    };
+  }
+  /**
+   * Pre-accept a host's SSH key by running ssh-keyscan
+   * This prevents "Host key verification failed" errors from uncloud
+   */
+  preAcceptHostKey(host, port) {
+    try {
+      const portArg = port ? `-p ${port}` : "";
+      execSync3(
+        `ssh-keyscan ${portArg} -H ${host} >> ~/.ssh/known_hosts 2>/dev/null`,
+        { stdio: "pipe", timeout: 1e4 }
+      );
+    } catch {
+    }
+  }
+  /**
+   * Ensure an SSH tunnel exists for gateway fallback
+   */
+  async ensureTunnel(appName, vmIp, location) {
+    const gateway = await this.getGateway(location);
+    if (!gateway) {
+      throw new Error(`No gateway found for location ${location}`);
+    }
+    return this.tunnelManager.ensureTunnel(appName, vmIp, gateway.ipv4);
+  }
+  /**
+   * Run an uncloud command on the app's VM
+   */
+  async run(appName, command, args = [], options = {}) {
+    const connInfo = await this.getConnectionInfo(appName);
+    if (connInfo.viaGateway) {
+      console.log(chalk3.dim(`Connecting via gateway...`));
+    }
+    const fullArgs = ["--connect", connInfo.url, command, ...args];
+    if (options.stdio === "inherit") {
+      const result = spawnSync3("uc", fullArgs, {
+        cwd: options.cwd,
+        stdio: "inherit",
+        timeout: options.timeout
+      });
+      if (result.status !== 0) {
+        throw new Error(`Uncloud command failed with exit code ${result.status}`);
+      }
+    } else {
+      const result = execSync3(`uc ${fullArgs.map((a) => `"${a}"`).join(" ")}`, {
+        cwd: options.cwd,
+        encoding: "utf-8",
+        timeout: options.timeout
+      });
+      return result;
+    }
+  }
+  /**
+   * Run 'uc deploy' for an app
+   */
+  async deploy(appName, cwd) {
+    await this.run(appName, "deploy", ["--yes"], { cwd, stdio: "inherit" });
+  }
+  /**
+   * Run 'uc service logs' for an app
+   */
+  async logs(appName, serviceName, options = {}) {
+    const args = [serviceName];
+    if (options.follow) args.push("-f");
+    if (options.tail) args.push("--tail", String(options.tail));
+    await this.run(appName, "service", ["logs", ...args], { stdio: "inherit" });
+  }
+  /**
+   * Run 'uc service ls' for an app
+   */
+  async serviceList(appName) {
+    const result = await this.run(appName, "service", ["ls"], { stdio: "pipe" });
+    return result;
+  }
+  /**
+   * Run 'uc machine token' on remote VM via SSH
+   * This is different - it runs on the VM directly, not via uncloud connector
+   */
+  async getMachineToken(appName) {
+    const connInfo = await this.getConnectionInfo(appName);
+    let sshCmd2;
+    if (connInfo.viaGateway && connInfo.localPort) {
+      sshCmd2 = `ssh -p ${connInfo.localPort} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR root@localhost`;
+    } else {
+      sshCmd2 = `ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR root@${connInfo.vmIp}`;
+    }
+    const token = execSync3(`${sshCmd2} "uc machine token"`, { encoding: "utf-8" }).trim();
+    return token;
+  }
+  /**
+   * Execute an SSH command on the VM
+   */
+  async sshExec(appName, command) {
+    const connInfo = await this.getConnectionInfo(appName);
+    let sshCmd2;
+    if (connInfo.viaGateway && connInfo.localPort) {
+      sshCmd2 = `ssh -p ${connInfo.localPort} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR root@localhost`;
+    } else {
+      sshCmd2 = `ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR root@${connInfo.vmIp}`;
+    }
+    return execSync3(`${sshCmd2} "${command}"`, { encoding: "utf-8" }).trim();
+  }
+  /**
+   * Remove a node from the uncloud cluster
+   * Uses 'uc machine rm' to drain containers and remove from cluster
+   */
+  async removeNode(appName, nodeName) {
+    const connInfo = await this.getConnectionInfo(appName);
+    const result = spawnSync3("uc", ["--connect", connInfo.url, "machine", "rm", nodeName, "--yes"], {
+      stdio: "inherit",
+      timeout: 3e5
+      // 5 minute timeout for container drainage
+    });
+    if (result.status !== 0) {
+      throw new Error(`Failed to remove node '${nodeName}' from cluster (exit code ${result.status})`);
+    }
+  }
+  /**
+   * List machines in the uncloud cluster
+   */
+  async listMachines(appName) {
+    const result = await this.run(appName, "machine", ["ls"], { stdio: "pipe" });
+    return result;
+  }
+  /**
+   * Get gateway info (cached)
+   */
+  async getGateway(location) {
+    if (this.gatewayCache.has(location)) {
+      return this.gatewayCache.get(location) || null;
+    }
+    const gateway = await this.platformClient.getGateway(location);
+    if (gateway) {
+      this.gatewayCache.set(location, { ipv4: gateway.ipv4, ipv6: gateway.ipv6 });
+      return { ipv4: gateway.ipv4, ipv6: gateway.ipv6 };
+    }
+    this.gatewayCache.set(location, null);
+    return null;
+  }
+  /**
+   * Clean up all SSH sessions, tunnels, and VPN
+   */
+  cleanup() {
+    this.tunnelManager.closeAll();
+    this.certManager.cleanupAll();
+    if (this.vpnEstablishedByUs) {
+      this.vpnManager.disconnect();
+      this.vpnEstablishedByUs = false;
+    }
+  }
+};
+
 // src/lib/cluster.ts
-import { execSync as execSync2 } from "child_process";
+import { execSync as execSync4 } from "child_process";
 import ora2 from "ora";
-import chalk2 from "chalk";
+import chalk4 from "chalk";
 var platformKeysCache = null;
 var ClusterManager = class {
-  constructor(platformClient) {
+  constructor(platformClient, uncloudRunner) {
     this.platformClient = platformClient;
     this.sshCertManager = new SSHCertManager(platformClient);
+    this.uncloudRunner = uncloudRunner || new UncloudRunner(platformClient);
   }
   sshCertManager;
+  uncloudRunner;
   /**
    * Get platform SSH keys (cached for the session)
    * Returns CA public key and platform public key for VM creation
@@ -600,7 +1175,7 @@ var ClusterManager = class {
       });
       spinner.text = `Waiting for VM to be ready...`;
       spinner.stop();
-      console.log(chalk2.cyan("\nWaiting for VM to get an IPv6 address..."));
+      console.log(chalk4.cyan("\nWaiting for VM to get an IPv6 address..."));
       const vmWithIp = await this.waitForVM(location, vmName, 600, false);
       spinner = ora2("Setting up VM...").start();
       spinner.text = "Waiting for SSH to be ready...";
@@ -623,17 +1198,17 @@ var ClusterManager = class {
       const savedCluster = await this.platformClient.saveApp(cluster);
       spinner.text = "Installing Docker and Uncloud...";
       spinner.stop();
-      console.log(chalk2.cyan("\nInitializing uncloud (this may take a few minutes)..."));
+      console.log(chalk4.cyan("\nInitializing uncloud (this may take a few minutes)..."));
       await this.initializeUncloud(vmWithIp.ip6, appName, gateway?.ipv4);
       spinner = ora2("Configuring Docker for NAT64...").start();
       await this.configureDockerNAT64(vmWithIp.ip6, gateway?.ipv4);
       spinner.text = "Waiting for uncloud services to be ready...";
       await this.waitForUncloudReady(vmWithIp.ip6, gateway?.ipv4);
       this.sshCertManager.cleanupAll();
-      spinner.succeed(chalk2.green(`Cluster initialized successfully`));
+      spinner.succeed(chalk4.green(`Cluster initialized successfully`));
       return savedCluster;
     } catch (error) {
-      spinner.fail(chalk2.red("Failed to initialize cluster"));
+      spinner.fail(chalk4.red("Failed to initialize cluster"));
       throw error;
     }
   }
@@ -669,7 +1244,7 @@ var ClusterManager = class {
       });
       spinner.text = `Waiting for VM to be ready...`;
       spinner.stop();
-      console.log(chalk2.cyan("\nWaiting for VM to get an IPv6 address..."));
+      console.log(chalk4.cyan("\nWaiting for VM to get an IPv6 address..."));
       const vmWithIp = await this.waitForVM(cluster.location, vmName, 600, false);
       spinner = ora2("Setting up VM...").start();
       await this.sleep(3e4);
@@ -677,11 +1252,11 @@ var ClusterManager = class {
       await this.platformClient.setupVM(vmWithIp.ip6, cluster.location, appName);
       spinner.text = "Joining uncloud cluster...";
       spinner.stop();
-      console.log(chalk2.cyan("\nJoining uncloud cluster..."));
-      await this.joinUncloudCluster(vmWithIp.ip6, existingNode.ipv6, appName);
+      console.log(chalk4.cyan("\nJoining uncloud cluster..."));
+      await this.joinUncloudCluster(vmWithIp.ip6, appName);
       spinner = ora2("Configuring Docker for NAT64...").start();
       await this.configureDockerNAT64(vmWithIp.ip6, gateway?.ipv4);
-      spinner.succeed(chalk2.green(`Node '${vmName}' added successfully`));
+      spinner.succeed(chalk4.green(`Node '${vmName}' added successfully`));
       const newNode = {
         name: vmName,
         id: vm.id,
@@ -692,7 +1267,7 @@ var ClusterManager = class {
       await this.platformClient.saveApp(cluster);
       return newNode;
     } catch (error) {
-      spinner.fail(chalk2.red("Failed to add node"));
+      spinner.fail(chalk4.red("Failed to add node"));
       throw error;
     }
   }
@@ -716,32 +1291,32 @@ var ClusterManager = class {
         if (!gatewayIp) {
           throw new Error("No direct IPv6 connectivity and no gateway available");
         }
-        console.log(chalk2.dim("No direct IPv6 connectivity, tunneling through gateway..."));
+        console.log(chalk4.dim("No direct IPv6 connectivity, tunneling through gateway..."));
         tunnel = await createTunnel(vmIp, gatewayIp);
         targetHost = `localhost:${tunnel.localPort}`;
       }
       let initSucceeded = false;
       try {
-        execSync2(`uc machine init -c "${contextName}" --no-dns root@${targetHost}`, {
+        execSync4(`uc machine init -c "${contextName}" --no-dns root@${targetHost}`, {
           stdio: "inherit",
           timeout: 6e5
           // 10 min timeout
         });
         initSucceeded = true;
       } catch (error) {
-        console.log(chalk2.yellow("\nInitial setup had errors, will attempt to recover..."));
+        console.log(chalk4.yellow("\nInitial setup had errors, will attempt to recover..."));
       }
       if (!initSucceeded) {
         const maxCaddyAttempts = 5;
         for (let attempt = 1; attempt <= maxCaddyAttempts; attempt++) {
-          console.log(chalk2.dim(`Waiting for machine to be ready (attempt ${attempt}/${maxCaddyAttempts})...`));
+          console.log(chalk4.dim(`Waiting for machine to be ready (attempt ${attempt}/${maxCaddyAttempts})...`));
           await new Promise((resolve) => setTimeout(resolve, 1e4));
           try {
-            execSync2(`yes | uc -c "${contextName}" caddy deploy`, {
+            execSync4(`yes | uc -c "${contextName}" caddy deploy`, {
               stdio: "inherit",
               timeout: 12e4
             });
-            console.log(chalk2.green("Caddy deployed successfully"));
+            console.log(chalk4.green("Caddy deployed successfully"));
             break;
           } catch (caddyError) {
             if (attempt >= maxCaddyAttempts) {
@@ -750,7 +1325,7 @@ var ClusterManager = class {
           }
         }
       }
-      console.log(chalk2.dim("Uncloud initialization complete."));
+      console.log(chalk4.dim("Uncloud initialization complete."));
     } catch (error) {
       throw new Error(`Failed to initialize uncloud: ${error.message}`);
     } finally {
@@ -761,20 +1336,15 @@ var ClusterManager = class {
   }
   /**
    * Join a new node to an existing uncloud cluster
-   * Uses --connect ssh:// to avoid local context dependency
+   * Uses `uc machine add` which handles:
+   * - SSH to the new machine
+   * - Installing uncloudd if needed
+   * - Getting token from new machine via gRPC
+   * - Registering machine in cluster
    */
-  async joinUncloudCluster(newVmIp, primaryVmIp, contextName) {
+  async joinUncloudCluster(newVmIp, appName) {
     try {
-      await this.sshCertManager.getSession(contextName, primaryVmIp);
-      await this.sshCertManager.getSession(contextName, newVmIp);
-      const token = execSync2(`uc --connect ssh://root@${primaryVmIp} machine token`, {
-        encoding: "utf-8",
-        timeout: 3e4
-      }).trim();
-      if (!token) {
-        throw new Error("Failed to get join token from primary node");
-      }
-      execSync2(`uc --connect ssh://root@${primaryVmIp} machine add root@${newVmIp} --token "${token}"`, {
+      await this.uncloudRunner.run(appName, "machine", ["add", `root@${newVmIp}`, "--no-caddy"], {
         stdio: "inherit",
         timeout: 6e5
         // 10 min timeout
@@ -868,7 +1438,7 @@ echo "Docker NAT64 configuration complete"
         sshHost = "localhost";
         sshPortArgs = `-p ${tunnel.localPort}`;
       }
-      execSync2(`ssh ${sshPortArgs} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@${sshHost} 'bash -s' << 'REMOTESCRIPT'
+      execSync4(`ssh ${sshPortArgs} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@${sshHost} 'bash -s' << 'REMOTESCRIPT'
 ${setupScript}
 REMOTESCRIPT`, {
         stdio: "inherit",
@@ -894,13 +1464,13 @@ REMOTESCRIPT`, {
     while (Date.now() - startTime < timeoutMs) {
       const vm = await this.platformClient.getVM(location, vmName);
       if (vm.status && vm.status !== lastStatus) {
-        console.log(chalk2.dim(`  Status: ${vm.status}`));
+        console.log(chalk4.dim(`  Status: ${vm.status}`));
         lastStatus = vm.status;
       }
       const hasRequiredIp = requireIpv4 ? vm.ip4 : vm.ip6;
       if (hasRequiredIp) {
         const ipDisplay = requireIpv4 ? vm.ip4 : vm.ip6;
-        console.log(chalk2.green(`  IP assigned: ${ipDisplay}`));
+        console.log(chalk4.green(`  IP assigned: ${ipDisplay}`));
         return vm;
       }
       const elapsed = Math.floor((Date.now() - startTime) / 1e3);
@@ -929,27 +1499,27 @@ The VM may still be provisioning. You can:
     const canConnectDirect = await testIPv6Connectivity(vmIp, 3e3);
     const proxyJump = !canConnectDirect && gatewayIp ? `-J root@${gatewayIp}` : "";
     const sshBase = `ssh ${proxyJump} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR -o ConnectTimeout=10 root@${vmIp}`;
-    console.log(chalk2.dim("  Waiting for uncloud services..."));
+    console.log(chalk4.dim("  Waiting for uncloud services..."));
     for (let attempt = 1; attempt <= maxAttempts; attempt++) {
       try {
-        const result = execSync2(
+        const result = execSync4(
           `${sshBase} "curl -sf --max-time 5 http://10.210.0.1:5000/v2/ >/dev/null 2>&1 && echo ready || echo notready"`,
           { encoding: "utf-8", timeout: 2e4, stdio: ["pipe", "pipe", "pipe"] }
         ).trim();
         if (result.includes("ready")) {
-          console.log(chalk2.dim("  Uncloud services ready"));
+          console.log(chalk4.dim("  Uncloud services ready"));
           return;
         }
       } catch (error) {
       }
       if (attempt % 5 === 0) {
-        console.log(chalk2.dim(`  Still waiting for unregistry... (attempt ${attempt}/${maxAttempts})`));
+        console.log(chalk4.dim(`  Still waiting for unregistry... (attempt ${attempt}/${maxAttempts})`));
       }
       if (attempt < maxAttempts) {
         await this.sleep(checkInterval);
       }
     }
-    console.log(chalk2.yellow("  Warning: Timeout waiting for unregistry, continuing anyway..."));
+    console.log(chalk4.yellow("  Warning: Timeout waiting for unregistry, continuing anyway..."));
   }
   /**
    * Generate a sequential node name: appName-1, appName-2, etc.
@@ -978,21 +1548,21 @@ The VM may still be provisioning. You can:
 };
 
 // src/lib/platform.ts
-import { platform } from "os";
-import chalk3 from "chalk";
+import { platform as platform2 } from "os";
+import chalk5 from "chalk";
 var PlatformDetector = class {
   /**
    * Check if running on Windows
    */
   static isWindows() {
-    return platform() === "win32";
+    return platform2() === "win32";
   }
   /**
    * Check if running inside WSL (Windows Subsystem for Linux)
    */
   static isWSL() {
     if (!this.isWindows()) {
-      if (platform() === "linux") {
+      if (platform2() === "linux") {
         try {
           const fs = __require("fs");
           const procVersion = fs.readFileSync("/proc/version", "utf8").toLowerCase();
@@ -1009,40 +1579,40 @@ var PlatformDetector = class {
    * Check if platform is supported for hackerrun
    */
   static isSupported() {
-    return platform() === "darwin" || platform() === "linux" || this.isWSL();
+    return platform2() === "darwin" || platform2() === "linux" || this.isWSL();
   }
   /**
    * Get platform name for display
    */
   static getPlatformName() {
     if (this.isWSL()) return "WSL (Windows Subsystem for Linux)";
-    if (platform() === "win32") return "Windows";
-    if (platform() === "darwin") return "macOS";
-    if (platform() === "linux") return "Linux";
-    return platform();
+    if (platform2() === "win32") return "Windows";
+    if (platform2() === "darwin") return "macOS";
+    if (platform2() === "linux") return "Linux";
+    return platform2();
   }
   /**
    * Ensure platform is supported, exit with helpful message if not
    */
   static ensureSupported() {
     if (this.isWindows() && !this.isWSL()) {
-      console.log(chalk3.yellow("\n\u26A0\uFE0F  Windows detected\n"));
+      console.log(chalk5.yellow("\n\u26A0\uFE0F  Windows detected\n"));
       console.log("Hackerrun requires WSL (Windows Subsystem for Linux) to run.");
       console.log("Uncloud and SSH tools work best in a Linux environment.\n");
-      console.log(chalk3.cyan("How to set up WSL:\n"));
+      console.log(chalk5.cyan("How to set up WSL:\n"));
       console.log("1. Open PowerShell as Administrator and run:");
-      console.log(chalk3.bold("   wsl --install\n"));
+      console.log(chalk5.bold("   wsl --install\n"));
       console.log("2. Restart your computer\n");
       console.log("3. Install Ubuntu from Microsoft Store (or use default Linux)\n");
       console.log("4. Open WSL terminal and install hackerrun:");
-      console.log(chalk3.bold("   npm install -g hackerrun\n"));
+      console.log(chalk5.bold("   npm install -g hackerrun\n"));
       console.log("Learn more: https://docs.microsoft.com/en-us/windows/wsl/install\n");
-      console.log(chalk3.red("Please install WSL and run hackerrun from WSL terminal.\n"));
+      console.log(chalk5.red("Please install WSL and run hackerrun from WSL terminal.\n"));
       process.exit(1);
     }
     if (!this.isSupported()) {
-      console.log(chalk3.red(`
-\u274C Platform '${platform()}' is not supported
+      console.log(chalk5.red(`
+\u274C Platform '${platform2()}' is not supported
 `));
       console.log("Hackerrun supports:");
       console.log("  - macOS");
@@ -1054,9 +1624,9 @@ var PlatformDetector = class {
 };
 
 // src/lib/uncloud.ts
-import { execSync as execSync3 } from "child_process";
-import { platform as platform2 } from "os";
-import chalk4 from "chalk";
+import { execSync as execSync5 } from "child_process";
+import { platform as platform3 } from "os";
+import chalk6 from "chalk";
 import ora3 from "ora";
 var UncloudManager = class {
   /**
@@ -1064,7 +1634,7 @@ var UncloudManager = class {
    */
   static isInstalled() {
     try {
-      execSync3("uc --version", { stdio: "pipe" });
+      execSync5("uc --version", { stdio: "pipe" });
       return true;
     } catch {
       return false;
@@ -1075,7 +1645,7 @@ var UncloudManager = class {
    */
   static getVersion() {
     try {
-      const version = execSync3("uc --version", { encoding: "utf-8" }).trim();
+      const version = execSync5("uc --version", { encoding: "utf-8" }).trim();
       return version;
     } catch {
       return null;
@@ -1090,34 +1660,34 @@ var UncloudManager = class {
       return;
     }
     if (options?.nonInteractive) {
-      console.error(chalk4.red("\n\u274C Uncloud CLI (uc) not found\n"));
+      console.error(chalk6.red("\n\u274C Uncloud CLI (uc) not found\n"));
       console.error("The uncloud CLI must be installed on the build VM.");
       console.error("This is a build infrastructure issue - the uc binary should be pre-installed.\n");
       process.exit(1);
     }
-    console.log(chalk4.yellow("\n\u26A0\uFE0F  Uncloud CLI not found\n"));
+    console.log(chalk6.yellow("\n\u26A0\uFE0F  Uncloud CLI not found\n"));
     console.log("Uncloud is required to deploy and manage your apps.");
     console.log("Learn more: https://uncloud.run\n");
-    const os = platform2();
+    const os = platform3();
     if (os === "darwin" || os === "linux") {
       this.showInstallInstructions();
-      console.log(chalk4.cyan("Would you like to install uncloud now? (Y/n): "));
+      console.log(chalk6.cyan("Would you like to install uncloud now? (Y/n): "));
       const answer = await this.promptUser();
       if (answer === "y" || answer === "yes" || answer === "") {
         try {
           await this.autoInstall();
           return;
         } catch (error) {
-          console.log(chalk4.red("\nAuto-installation failed. Please install manually.\n"));
+          console.log(chalk6.red("\nAuto-installation failed. Please install manually.\n"));
           process.exit(1);
         }
       } else {
-        console.log(chalk4.yellow("\nPlease install uncloud manually and run hackerrun again.\n"));
+        console.log(chalk6.yellow("\nPlease install uncloud manually and run hackerrun again.\n"));
         process.exit(1);
       }
     } else {
       this.showInstallInstructions();
-      console.log(chalk4.red("Please install uncloud and run hackerrun again.\n"));
+      console.log(chalk6.red("Please install uncloud and run hackerrun again.\n"));
       process.exit(1);
     }
   }
@@ -1125,20 +1695,20 @@ var UncloudManager = class {
    * Show installation instructions based on platform
    */
   static showInstallInstructions() {
-    const os = platform2();
-    console.log(chalk4.cyan("Installation instructions:\n"));
+    const os = platform3();
+    console.log(chalk6.cyan("Installation instructions:\n"));
     if (os === "darwin" || os === "linux") {
-      console.log(chalk4.bold("Option 1: Automated install (Recommended)"));
-      console.log(chalk4.green("  curl -fsS https://get.uncloud.run/install.sh | sh\n"));
-      console.log(chalk4.bold("Option 2: Homebrew"));
-      console.log(chalk4.green("  brew install psviderski/tap/uncloud\n"));
-      console.log(chalk4.bold("Option 3: Manual download"));
+      console.log(chalk6.bold("Option 1: Automated install (Recommended)"));
+      console.log(chalk6.green("  curl -fsS https://get.uncloud.run/install.sh | sh\n"));
+      console.log(chalk6.bold("Option 2: Homebrew"));
+      console.log(chalk6.green("  brew install psviderski/tap/uncloud\n"));
+      console.log(chalk6.bold("Option 3: Manual download"));
       console.log("  Download from: https://github.com/psviderski/uncloud/releases/latest");
       console.log("  Extract and move to /usr/local/bin\n");
     } else if (os === "win32") {
-      console.log(chalk4.bold("For Windows (via WSL):"));
+      console.log(chalk6.bold("For Windows (via WSL):"));
       console.log("  Open your WSL terminal and run:");
-      console.log(chalk4.green("  curl -fsS https://get.uncloud.run/install.sh | sh\n"));
+      console.log(chalk6.green("  curl -fsS https://get.uncloud.run/install.sh | sh\n"));
     }
     console.log("Documentation: https://uncloud.run/docs/getting-started/install-cli\n");
   }
@@ -1163,27 +1733,27 @@ var UncloudManager = class {
   static async autoInstall() {
     const spinner = ora3("Installing uncloud...").start();
     try {
-      execSync3("curl -fsS https://get.uncloud.run/install.sh | sh", {
+      execSync5("curl -fsS https://get.uncloud.run/install.sh | sh", {
         stdio: "inherit"
       });
-      spinner.succeed(chalk4.green("Uncloud installed successfully!"));
+      spinner.succeed(chalk6.green("Uncloud installed successfully!"));
       if (this.isInstalled()) {
         const version = this.getVersion();
-        console.log(chalk4.cyan(`\u2713 Uncloud ${version} is ready to use
+        console.log(chalk6.cyan(`\u2713 Uncloud ${version} is ready to use
 `));
       } else {
-        spinner.warn(chalk4.yellow("Installation completed but uc command not found in PATH"));
-        console.log(chalk4.yellow("\nYou may need to:"));
+        spinner.warn(chalk6.yellow("Installation completed but uc command not found in PATH"));
+        console.log(chalk6.yellow("\nYou may need to:"));
         console.log("  1. Restart your terminal");
         console.log("  2. Or run: source ~/.bashrc (or ~/.zshrc)\n");
         throw new Error("Please restart your terminal and try again");
       }
     } catch (error) {
-      spinner.fail(chalk4.red("Failed to install uncloud"));
-      console.log(chalk4.red(`
+      spinner.fail(chalk6.red("Failed to install uncloud"));
+      console.log(chalk6.red(`
 Error: ${error.message}
 `));
-      console.log(chalk4.yellow("Please try manual installation:"));
+      console.log(chalk6.yellow("Please try manual installation:"));
       console.log("  curl -fsS https://get.uncloud.run/install.sh | sh\n");
       throw error;
     }
@@ -1191,16 +1761,16 @@ Error: ${error.message}
 };
 
 // src/lib/platform-auth.ts
-import chalk5 from "chalk";
+import chalk7 from "chalk";
 function getPlatformToken() {
   const configManager = new ConfigManager();
   try {
     const config = configManager.load();
     return config.apiToken;
   } catch (error) {
-    console.error(chalk5.red("\n Not logged in"));
-    console.log(chalk5.cyan("\nPlease login first:\n"));
-    console.log(`  ${chalk5.bold("hackerrun login")}
+    console.error(chalk7.red("\n Not logged in"));
+    console.log(chalk7.cyan("\nPlease login first:\n"));
+    console.log(`  ${chalk7.bold("hackerrun login")}
 `);
     process.exit(1);
   }
@@ -1412,243 +1982,12 @@ var PlatformClient = class {
     await this.request("POST", "/api/uncloud/config", { config: configYaml });
   }
   /**
-   * Download uncloud config from platform
-   */
-  async downloadUncloudConfig() {
-    try {
-      const { config } = await this.request("GET", "/api/uncloud/config");
-      return config;
-    } catch (error) {
-      if (error.message.includes("404") || error.message.includes("not found")) {
-        return null;
-      }
-      throw error;
-    }
-  }
-  // ==================== Gateway Management ====================
-  /**
-   * Get gateway info for a location
-   */
-  async getGateway(location) {
-    try {
-      const { gateway } = await this.request("GET", `/api/gateway?location=${encodeURIComponent(location)}`, void 0, { operation: `Get gateway for '${location}'` });
-      return gateway;
-    } catch (error) {
-      if (error.message.includes("404") || error.message.includes("not found")) {
-        return null;
-      }
-      throw error;
-    }
-  }
-  // ==================== Route Management ====================
-  /**
-   * Register a route for an app (maps hostname to VM IPv6)
-   */
-  async registerRoute(appName, backendIpv6, backendPort = 443) {
-    const { route } = await this.request("POST", "/api/routes", {
-      appName,
-      backendIpv6,
-      backendPort
-    }, { operation: `Register route for '${appName}'` });
-    return route;
-  }
-  /**
-   * Delete routes for an app
-   */
-  async deleteRoute(appName) {
-    await this.request("DELETE", `/api/routes/${encodeURIComponent(appName)}`);
-  }
-  // ==================== Gateway Route Sync ====================
-  /**
-   * Sync gateway Caddy configuration for a location
-   * This updates the gateway's reverse proxy config with current routes
-   */
-  async syncGatewayRoutes(location) {
-    const result = await this.request("POST", "/api/gateway/sync", { location }, { operation: `Sync gateway routes for '${location}'` });
-    return { routeCount: result.routeCount };
-  }
-  // ==================== SSH Certificate Management ====================
-  /**
-   * Get platform SSH keys (CA public key + platform public key for VM creation)
-   */
-  async getPlatformSSHKeys() {
-    return this.request("GET", "/api/platform/ssh-keys", void 0, { operation: "Get platform SSH keys" });
-  }
-  /**
-   * Initialize platform SSH keys (creates them if they don't exist)
-   */
-  async initPlatformSSHKeys() {
-    return this.request("POST", "/api/platform/ssh-keys");
-  }
-  /**
-   * Request a signed SSH certificate for accessing an app's VMs
-   * Returns a short-lived certificate (5 min) signed by the platform CA
-   */
-  async requestSSHCertificate(appName, publicKey) {
-    return this.request("POST", `/api/apps/${appName}/ssh-certificate`, { publicKey }, { operation: `Request SSH certificate for '${appName}'` });
-  }
-  // ==================== VM Setup ====================
-  /**
-   * Setup a newly created VM (DNS64, NAT64, SSH CA, Docker, uncloud)
-   * This runs all configuration using the platform SSH key
-   */
-  async setupVM(vmIp, location, appName) {
-    await this.request("POST", "/api/vms/setup", {
-      vmIp,
-      location,
-      appName
-    }, { operation: `Setup VM for '${appName}'`, retries: 5, retryDelay: 3e3 });
-  }
-  // ==================== Environment Variables ====================
-  /**
-   * Set a single environment variable
-   */
-  async setEnvVar(appName, key, value) {
-    await this.request("POST", `/api/apps/${appName}/env`, { key, value });
-  }
-  /**
-   * Set multiple environment variables at once
-   */
-  async setEnvVars(appName, vars) {
-    await this.request("POST", `/api/apps/${appName}/env`, { vars });
-  }
-  /**
-   * List environment variables (values are masked)
-   */
-  async listEnvVars(appName) {
-    const { envVars } = await this.request("GET", `/api/apps/${appName}/env`);
-    return envVars;
-  }
-  /**
-   * Remove an environment variable
-   */
-  async unsetEnvVar(appName, key) {
-    await this.request("DELETE", `/api/apps/${appName}/env/${encodeURIComponent(key)}`);
-  }
-  // ==================== GitHub Connection ====================
-  /**
-   * Create app metadata without creating VM (for connect-before-deploy flow)
-   */
-  async createAppMetadata(appName, location) {
-    const { app } = await this.request("POST", "/api/apps", {
-      appName,
-      location: location || "eu-central-h1",
-      metadataOnly: true
-      // Signal that we don't want to create VM yet
-    });
-    return app;
-  }
-  /**
-   * Initiate GitHub App installation flow
-   */
-  async initiateGitHubConnect() {
-    return this.request("POST", "/api/github/connect");
-  }
-  /**
-   * Poll for GitHub App installation completion
-   */
-  async pollGitHubConnect(stateToken) {
-    return this.request("GET", `/api/github/connect/poll?state=${encodeURIComponent(stateToken)}`);
-  }
-  /**
-   * Get current user's GitHub App installation
-   */
-  async getGitHubInstallation() {
-    try {
-      const { installation } = await this.request("GET", "/api/github/installation");
-      return installation;
-    } catch (error) {
-      if (error.message.includes("404") || error.message.includes("not found")) {
-        return null;
-      }
-      throw error;
-    }
-  }
-  /**
-   * Delete current user's GitHub App installation record
-   * Used when the installation becomes stale/invalid
-   */
-  async deleteGitHubInstallation() {
-    await this.request("DELETE", "/api/github/installation");
-  }
-  /**
-   * List repositories accessible via GitHub App installation
-   */
-  async listAccessibleRepos() {
-    const { repos } = await this.request("GET", "/api/github/repos");
-    return repos;
-  }
-  /**
-   * Connect a repository to an app
-   */
-  async connectRepo(appName, repoFullName, branch) {
-    await this.request("POST", `/api/apps/${appName}/repo`, {
-      repoFullName,
-      branch: branch || "main"
-    });
-  }
-  /**
-   * Get connected repository for an app
-   */
-  async getConnectedRepo(appName) {
-    try {
-      const { repo } = await this.request("GET", `/api/apps/${appName}/repo`);
-      return repo;
-    } catch (error) {
-      if (error.message.includes("404") || error.message.includes("not found")) {
-        return null;
-      }
-      throw error;
-    }
-  }
-  /**
-   * Disconnect repository from an app
-   */
-  async disconnectRepo(appName) {
-    await this.request("DELETE", `/api/apps/${appName}/repo`);
-  }
-  // ==================== Builds ====================
-  /**
-   * List builds for an app
-   */
-  async listBuilds(appName, limit = 10) {
-    const { builds } = await this.request("GET", `/api/apps/${appName}/builds?limit=${limit}`);
-    return builds;
-  }
-  /**
-   * Get build details
-   */
-  async getBuild(appName, buildId) {
-    const { build } = await this.request("GET", `/api/apps/${appName}/builds/${buildId}`);
-    return build;
-  }
-  /**
-   * Get build events (for live streaming)
-   */
-  async getBuildEvents(appName, buildId, after) {
-    let url = `/api/apps/${appName}/builds/${buildId}/events`;
-    if (after) {
-      url += `?after=${encodeURIComponent(after.toISOString())}`;
-    }
-    const { events } = await this.request("GET", url);
-    return events;
-  }
-  // ==================== VPN Management ====================
-  /**
-   * Register VPN peer with the platform
-   * This is idempotent - if already registered, returns existing config
-   */
-  async registerVPNPeer(publicKey, location) {
-    const { vpnConfig } = await this.request("POST", "/api/vpn/register", { publicKey, location }, { operation: "Register VPN peer" });
-    return vpnConfig;
-  }
-  /**
-   * Get existing VPN config if registered
+   * Download uncloud config from platform
    */
-  async getVPNConfig(location) {
+  async downloadUncloudConfig() {
     try {
-      const { vpnConfig } = await this.request("GET", `/api/vpn/config?location=${encodeURIComponent(location)}`);
-      return vpnConfig;
+      const { config } = await this.request("GET", "/api/uncloud/config");
+      return config;
     } catch (error) {
       if (error.message.includes("404") || error.message.includes("not found")) {
         return null;
@@ -1656,631 +1995,289 @@ var PlatformClient = class {
       throw error;
     }
   }
+  // ==================== Gateway Management ====================
   /**
-   * Unregister VPN peer
+   * Get gateway info for a location
    */
-  async unregisterVPNPeer() {
-    await this.request("DELETE", "/api/vpn/unregister");
-  }
-};
-
-// src/lib/app-config.ts
-import { existsSync as existsSync3, readFileSync as readFileSync3, writeFileSync as writeFileSync3 } from "fs";
-import { join as join3 } from "path";
-import { parse, stringify } from "yaml";
-var CONFIG_FILENAME = "hackerrun.yaml";
-function getConfigPath(directory = process.cwd()) {
-  return join3(directory, CONFIG_FILENAME);
-}
-function hasAppConfig(directory = process.cwd()) {
-  return existsSync3(getConfigPath(directory));
-}
-function readAppConfig(directory = process.cwd()) {
-  const configPath = getConfigPath(directory);
-  if (!existsSync3(configPath)) {
-    return null;
-  }
-  try {
-    const content = readFileSync3(configPath, "utf-8");
-    const config = parse(content);
-    if (!config.appName) {
-      return null;
-    }
-    return config;
-  } catch (error) {
-    console.error(`Failed to parse ${CONFIG_FILENAME}:`, error);
-    return null;
-  }
-}
-function writeAppConfig(config, directory = process.cwd()) {
-  const configPath = getConfigPath(directory);
-  const content = stringify(config);
-  writeFileSync3(configPath, content, "utf-8");
-}
-function getAppName(directory = process.cwd()) {
-  const config = readAppConfig(directory);
-  if (config?.appName) {
-    return config.appName;
-  }
-  const folderName = directory.split("/").pop() || "app";
-  return folderName.toLowerCase().replace(/[^a-z0-9_-]/g, "-");
-}
-function linkApp(appName, directory = process.cwd()) {
-  writeAppConfig({ appName }, directory);
-}
-
-// src/lib/uncloud-runner.ts
-import { execSync as execSync5, spawnSync as spawnSync3 } from "child_process";
-
-// src/lib/vpn.ts
-import { execSync as execSync4, spawnSync as spawnSync2 } from "child_process";
-import { existsSync as existsSync4, readFileSync as readFileSync4, writeFileSync as writeFileSync4, mkdirSync as mkdirSync2, unlinkSync } from "fs";
-import { homedir as homedir2, platform as platform3 } from "os";
-import { join as join4 } from "path";
-import chalk6 from "chalk";
-function detectOS() {
-  const os = platform3();
-  if (os === "darwin") {
-    return { type: "macos" };
-  }
-  if (os === "win32") {
-    return { type: "windows" };
-  }
-  if (os === "linux") {
+  async getGateway(location) {
     try {
-      if (existsSync4("/etc/os-release")) {
-        const osRelease = readFileSync4("/etc/os-release", "utf-8");
-        const idMatch = osRelease.match(/^ID=(.*)$/m);
-        if (idMatch) {
-          const distro = idMatch[1].replace(/"/g, "").toLowerCase();
-          return { type: "linux", distro };
-        }
+      const { gateway } = await this.request("GET", `/api/gateway?location=${encodeURIComponent(location)}`, void 0, { operation: `Get gateway for '${location}'` });
+      return gateway;
+    } catch (error) {
+      if (error.message.includes("404") || error.message.includes("not found")) {
+        return null;
       }
-    } catch {
+      throw error;
     }
-    return { type: "linux" };
-  }
-  return { type: "unknown" };
-}
-function getWireGuardInstallInstructions() {
-  const os = detectOS();
-  switch (os.type) {
-    case "macos":
-      return `  ${chalk6.cyan("macOS:")} brew install wireguard-tools`;
-    case "windows":
-      return `  ${chalk6.cyan("Windows:")} Download from https://www.wireguard.com/install/
-            Or using winget: winget install WireGuard.WireGuard`;
-    case "linux":
-      switch (os.distro) {
-        case "arch":
-        case "manjaro":
-        case "endeavouros":
-        case "artix":
-          return `  ${chalk6.cyan("Arch Linux:")} sudo pacman -S wireguard-tools`;
-        case "ubuntu":
-        case "debian":
-        case "linuxmint":
-        case "pop":
-        case "elementary":
-        case "zorin":
-          return `  ${chalk6.cyan("Ubuntu/Debian:")} sudo apt install wireguard`;
-        case "fedora":
-          return `  ${chalk6.cyan("Fedora:")} sudo dnf install wireguard-tools`;
-        case "rhel":
-        case "centos":
-        case "rocky":
-        case "almalinux":
-          return `  ${chalk6.cyan("RHEL/CentOS:")} sudo dnf install wireguard-tools
-               (may need EPEL: sudo dnf install epel-release)`;
-        case "opensuse":
-        case "opensuse-leap":
-        case "opensuse-tumbleweed":
-          return `  ${chalk6.cyan("openSUSE:")} sudo zypper install wireguard-tools`;
-        case "gentoo":
-          return `  ${chalk6.cyan("Gentoo:")} sudo emerge net-vpn/wireguard-tools`;
-        case "void":
-          return `  ${chalk6.cyan("Void Linux:")} sudo xbps-install wireguard-tools`;
-        case "alpine":
-          return `  ${chalk6.cyan("Alpine:")} sudo apk add wireguard-tools`;
-        case "nixos":
-          return `  ${chalk6.cyan("NixOS:")} Add wireguard-tools to environment.systemPackages`;
-        default:
-          return `  ${chalk6.cyan("Linux:")} Install wireguard-tools using your package manager:
-    Arch:          sudo pacman -S wireguard-tools
-    Ubuntu/Debian: sudo apt install wireguard
-    Fedora:        sudo dnf install wireguard-tools
-    openSUSE:      sudo zypper install wireguard-tools`;
-      }
-    default:
-      return `  Visit https://www.wireguard.com/install/ for installation instructions`;
-  }
-}
-var CONFIG_DIR = join4(homedir2(), ".config", "hackerrun");
-var PRIVATE_KEY_FILE = join4(CONFIG_DIR, "wg-private-key");
-var WG_INTERFACE = "hackerrun";
-var WG_CONFIG_PATH = `/etc/wireguard/${WG_INTERFACE}.conf`;
-function isWireGuardInstalled() {
-  try {
-    execSync4("which wg", { stdio: "ignore" });
-    execSync4("which wg-quick", { stdio: "ignore" });
-    return true;
-  } catch {
-    return false;
-  }
-}
-function ensureConfigDir() {
-  if (!existsSync4(CONFIG_DIR)) {
-    mkdirSync2(CONFIG_DIR, { recursive: true, mode: 448 });
-  }
-}
-function generateKeyPair() {
-  const privateKey = execSync4("wg genkey", { encoding: "utf-8" }).trim();
-  const publicKey = execSync4("wg pubkey", {
-    input: privateKey,
-    encoding: "utf-8"
-  }).trim();
-  return { privateKey, publicKey };
-}
-function getOrCreateKeyPair() {
-  ensureConfigDir();
-  if (existsSync4(PRIVATE_KEY_FILE)) {
-    const privateKey2 = readFileSync4(PRIVATE_KEY_FILE, "utf-8").trim();
-    const publicKey2 = execSync4("wg pubkey", {
-      input: privateKey2,
-      encoding: "utf-8"
-    }).trim();
-    return { privateKey: privateKey2, publicKey: publicKey2, isNew: false };
-  }
-  const { privateKey, publicKey } = generateKeyPair();
-  writeFileSync4(PRIVATE_KEY_FILE, privateKey + "\n", { mode: 384 });
-  return { privateKey, publicKey, isNew: true };
-}
-function getPublicKey() {
-  if (!existsSync4(PRIVATE_KEY_FILE)) {
-    return null;
-  }
-  const privateKey = readFileSync4(PRIVATE_KEY_FILE, "utf-8").trim();
-  return execSync4("wg pubkey", {
-    input: privateKey,
-    encoding: "utf-8"
-  }).trim();
-}
-function isVPNUp() {
-  try {
-    const result = execSync4(`ip link show ${WG_INTERFACE}`, {
-      encoding: "utf-8",
-      stdio: ["pipe", "pipe", "pipe"]
-    });
-    return result.includes(WG_INTERFACE);
-  } catch {
-    return false;
-  }
-}
-function isRoutedViaVPN(ipv6Address) {
-  if (!isVPNUp()) {
-    return false;
-  }
-  try {
-    const result = execSync4(`ip -6 route get ${ipv6Address}`, {
-      encoding: "utf-8",
-      stdio: ["pipe", "pipe", "pipe"]
-    });
-    return result.includes(`dev ${WG_INTERFACE}`);
-  } catch {
-    return false;
-  }
-}
-function getVPNStatus() {
-  if (!isVPNUp()) {
-    return { connected: false };
   }
-  try {
-    const output = execSync4(`sudo wg show ${WG_INTERFACE}`, {
-      encoding: "utf-8",
-      stdio: ["pipe", "pipe", "pipe"]
-    });
-    const lines = output.split("\n");
-    let endpoint;
-    let latestHandshake;
-    let transferRx;
-    let transferTx;
-    for (const line of lines) {
-      if (line.includes("endpoint:")) {
-        endpoint = line.split("endpoint:")[1]?.trim();
-      }
-      if (line.includes("latest handshake:")) {
-        latestHandshake = line.split("latest handshake:")[1]?.trim();
-      }
-      if (line.includes("transfer:")) {
-        const transfer = line.split("transfer:")[1]?.trim();
-        const parts = transfer?.split(",");
-        transferRx = parts?.[0]?.trim();
-        transferTx = parts?.[1]?.trim();
-      }
-    }
-    return {
-      connected: true,
-      interface: WG_INTERFACE,
-      endpoint,
-      latestHandshake,
-      transferRx,
-      transferTx
-    };
-  } catch {
-    return { connected: isVPNUp(), interface: WG_INTERFACE };
+  // ==================== Route Management ====================
+  /**
+   * Register a route for an app (maps hostname to VM IPv6)
+   */
+  async registerRoute(appName, backendIpv6, backendPort = 443) {
+    const { route } = await this.request("POST", "/api/routes", {
+      appName,
+      backendIpv6,
+      backendPort
+    }, { operation: `Register route for '${appName}'` });
+    return route;
   }
-}
-function generateWireGuardConfig(config) {
-  return `# HackerRun VPN - Auto-generated
-# Do not edit manually
-
-[Interface]
-PrivateKey = ${config.privateKey}
-Address = ${config.address}
-
-[Peer]
-PublicKey = ${config.gatewayPublicKey}
-Endpoint = ${config.gatewayEndpoint}
-AllowedIPs = ${config.allowedIPs}
-PersistentKeepalive = 25
-`;
-}
-function writeWireGuardConfig(config) {
-  const configContent = generateWireGuardConfig(config);
-  const tempFile = join4(CONFIG_DIR, "wg-temp.conf");
-  writeFileSync4(tempFile, configContent, { mode: 384 });
-  try {
-    execSync4("sudo mkdir -p /etc/wireguard", { stdio: "inherit" });
-    execSync4(`sudo mv ${tempFile} ${WG_CONFIG_PATH}`, { stdio: "inherit" });
-    execSync4(`sudo chmod 600 ${WG_CONFIG_PATH}`, { stdio: "inherit" });
-  } catch (error) {
-    if (existsSync4(tempFile)) {
-      unlinkSync(tempFile);
-    }
-    throw error;
+  /**
+   * Delete routes for an app
+   */
+  async deleteRoute(appName) {
+    await this.request("DELETE", `/api/routes/${encodeURIComponent(appName)}`);
   }
-}
-function vpnUp() {
-  if (isVPNUp()) {
-    return;
+  // ==================== Gateway Route Sync ====================
+  /**
+   * Sync gateway Caddy configuration for a location
+   * This updates the gateway's reverse proxy config with current routes
+   */
+  async syncGatewayRoutes(location) {
+    const result = await this.request("POST", "/api/gateway/sync", { location }, { operation: `Sync gateway routes for '${location}'` });
+    return { routeCount: result.routeCount };
   }
-  const result = spawnSync2("sudo", ["wg-quick", "up", WG_INTERFACE], {
-    stdio: "inherit"
-  });
-  if (result.status !== 0) {
-    throw new Error(`Failed to bring up VPN interface (exit code ${result.status})`);
+  // ==================== SSH Certificate Management ====================
+  /**
+   * Get platform SSH keys (CA public key + platform public key for VM creation)
+   */
+  async getPlatformSSHKeys() {
+    return this.request("GET", "/api/platform/ssh-keys", void 0, { operation: "Get platform SSH keys" });
   }
-}
-function vpnDown() {
-  if (!isVPNUp()) {
-    return;
+  /**
+   * Initialize platform SSH keys (creates them if they don't exist)
+   */
+  async initPlatformSSHKeys() {
+    return this.request("POST", "/api/platform/ssh-keys");
   }
-  const result = spawnSync2("sudo", ["wg-quick", "down", WG_INTERFACE], {
-    stdio: "inherit"
-  });
-  if (result.status !== 0) {
-    throw new Error(`Failed to bring down VPN interface (exit code ${result.status})`);
+  /**
+   * Request a signed SSH certificate for accessing an app's VMs
+   * Returns a short-lived certificate (5 min) signed by the platform CA
+   */
+  async requestSSHCertificate(appName, publicKey) {
+    return this.request("POST", `/api/apps/${appName}/ssh-certificate`, { publicKey }, { operation: `Request SSH certificate for '${appName}'` });
   }
-}
-function testIPv6Connectivity2(ipv6Address, timeoutSeconds = 3) {
-  try {
-    execSync4(`ping -6 -c 1 -W ${timeoutSeconds} ${ipv6Address}`, {
-      stdio: "ignore",
-      timeout: (timeoutSeconds + 2) * 1e3
-    });
-    return true;
-  } catch {
-    return false;
+  // ==================== VM Setup ====================
+  /**
+   * Setup a newly created VM (DNS64, NAT64, SSH CA, Docker, uncloud)
+   * This runs all configuration using the platform SSH key
+   */
+  async setupVM(vmIp, location, appName) {
+    await this.request("POST", "/api/vms/setup", {
+      vmIp,
+      location,
+      appName
+    }, { operation: `Setup VM for '${appName}'`, retries: 5, retryDelay: 3e3 });
   }
-}
-var VPNManager = class {
-  wasConnectedByUs = false;
+  // ==================== Environment Variables ====================
   /**
-   * Ensure VPN is connected if IPv6 is not available
-   * Returns true if VPN was established (and should be torn down later)
+   * Set a single environment variable
    */
-  async ensureConnected(targetIPv6, getVPNConfig) {
-    if (testIPv6Connectivity2(targetIPv6)) {
-      console.log(chalk6.green("\u2713 Direct IPv6 connectivity available"));
-      return false;
-    }
-    console.log(chalk6.yellow("IPv6 not available, checking VPN..."));
-    if (isVPNUp()) {
-      if (testIPv6Connectivity2(targetIPv6)) {
-        console.log(chalk6.green("\u2713 VPN already connected"));
-        return false;
-      }
-      console.log(chalk6.yellow("VPN is up but cannot reach target, reconnecting..."));
-      vpnDown();
-    }
-    if (!isWireGuardInstalled()) {
-      const instructions = getWireGuardInstallInstructions();
-      throw new Error(
-        "WireGuard is not installed.\n\nWireGuard is needed for IPv6 connectivity to your app VMs.\nPlease install it and try again:\n\n" + instructions
-      );
-    }
-    console.log(chalk6.cyan("Establishing VPN tunnel (requires sudo)..."));
-    const { publicKey, isNew } = getOrCreateKeyPair();
-    if (isNew) {
-      console.log(chalk6.dim("Generated new WireGuard keypair"));
-    }
-    const vpnConfig = await getVPNConfig();
-    writeWireGuardConfig(vpnConfig);
-    vpnUp();
-    if (!testIPv6Connectivity2(targetIPv6)) {
-      vpnDown();
-      throw new Error("VPN established but cannot reach target. Please try again.");
-    }
-    console.log(chalk6.green("\u2713 VPN connected"));
-    this.wasConnectedByUs = true;
-    return true;
+  async setEnvVar(appName, key, value) {
+    await this.request("POST", `/api/apps/${appName}/env`, { key, value });
   }
   /**
-   * Disconnect VPN if we established it
+   * Set multiple environment variables at once
    */
-  disconnect() {
-    if (this.wasConnectedByUs && isVPNUp()) {
-      console.log(chalk6.dim("Disconnecting VPN..."));
-      try {
-        vpnDown();
-        console.log(chalk6.green("\u2713 VPN disconnected"));
-      } catch (error) {
-        console.log(chalk6.yellow(`Warning: Failed to disconnect VPN: ${error.message}`));
-      }
-      this.wasConnectedByUs = false;
-    }
+  async setEnvVars(appName, vars) {
+    await this.request("POST", `/api/apps/${appName}/env`, { vars });
   }
-};
-
-// src/lib/uncloud-runner.ts
-import chalk7 from "chalk";
-var UncloudRunner = class {
-  constructor(platformClient) {
-    this.platformClient = platformClient;
-    this.certManager = new SSHCertManager(platformClient);
+  /**
+   * List environment variables (values are masked)
+   */
+  async listEnvVars(appName) {
+    const { envVars } = await this.request("GET", `/api/apps/${appName}/env`);
+    return envVars;
   }
-  certManager;
-  gatewayCache = /* @__PURE__ */ new Map();
-  tunnelManager = new TunnelManager();
-  vpnManager = new VPNManager();
-  tempConfigPath = null;
-  vpnEstablishedByUs = false;
   /**
-   * Get the connection URL for an app's primary VM
-   * Handles IPv6 direct connection, VPN, or gateway SSH tunnel fallback
+   * Remove an environment variable
    */
-  async getConnectionInfo(appName) {
-    const app = await this.platformClient.getApp(appName);
-    if (!app) {
-      throw new Error(`App '${appName}' not found`);
-    }
-    const primaryNode = app.nodes.find((n) => n.isPrimary);
-    if (!primaryNode?.ipv6) {
-      throw new Error(`App '${appName}' has no primary node with IPv6 address`);
-    }
-    const vmIp = primaryNode.ipv6;
-    await this.certManager.getSession(appName, vmIp);
-    const canConnectDirect = await testIPv6Connectivity(vmIp, 3e3);
-    if (canConnectDirect) {
-      const viaVPN = isRoutedViaVPN(vmIp);
-      return {
-        url: `ssh://root@${vmIp}`,
-        vmIp,
-        viaGateway: false,
-        viaVPN
-      };
-    }
-    const vpnAvailable = isWireGuardInstalled();
-    if (vpnAvailable) {
-      console.log(chalk7.yellow("Direct IPv6 not available, trying VPN..."));
-      try {
-        if (isVPNUp() && testIPv6Connectivity2(vmIp, 3)) {
-          console.log(chalk7.green("\u2713 VPN already connected"));
-          return {
-            url: `ssh://root@${vmIp}`,
-            vmIp,
-            viaGateway: false,
-            viaVPN: true
-          };
-        }
-        this.vpnEstablishedByUs = await this.vpnManager.ensureConnected(
-          vmIp,
-          async () => this.getVPNConfig(app.location)
-        );
-        if (testIPv6Connectivity2(vmIp, 5)) {
-          console.log(chalk7.green("\u2713 Connected via VPN"));
-          return {
-            url: `ssh://root@${vmIp}`,
-            vmIp,
-            viaGateway: false,
-            viaVPN: true
-          };
-        }
-      } catch (error) {
-        console.log(chalk7.yellow(`VPN setup failed: ${error.message}`));
-        console.log(chalk7.dim("Falling back to SSH tunnel..."));
-      }
-    } else {
-      console.log(chalk7.yellow("Direct IPv6 not available on your network."));
-      console.log(chalk7.dim("For faster deploys, install WireGuard:"));
-      console.log(chalk7.dim(getWireGuardInstallInstructions()));
-      console.log();
-    }
-    console.log(chalk7.yellow("Using SSH tunnel (may be slower for large transfers)..."));
-    const tunnelInfo = await this.ensureTunnel(appName, vmIp, app.location);
-    return {
-      url: `ssh://root@localhost:${tunnelInfo.localPort}`,
-      vmIp,
-      viaGateway: true,
-      viaVPN: false,
-      localPort: tunnelInfo.localPort
-    };
+  async unsetEnvVar(appName, key) {
+    await this.request("DELETE", `/api/apps/${appName}/env/${encodeURIComponent(key)}`);
   }
+  // ==================== GitHub Connection ====================
   /**
-   * Get VPN configuration from platform
+   * Create app metadata without creating VM (for connect-before-deploy flow)
    */
-  async getVPNConfig(location) {
-    const { privateKey, publicKey } = getOrCreateKeyPair();
-    const vpnConfigResponse = await this.platformClient.registerVPNPeer(publicKey, location);
-    return {
-      privateKey,
-      publicKey,
-      address: vpnConfigResponse.address,
-      gatewayEndpoint: vpnConfigResponse.gatewayEndpoint,
-      gatewayPublicKey: vpnConfigResponse.gatewayPublicKey,
-      allowedIPs: vpnConfigResponse.allowedIPs
-    };
+  async createAppMetadata(appName, location) {
+    const { app } = await this.request("POST", "/api/apps", {
+      appName,
+      location: location || "eu-central-h1",
+      metadataOnly: true
+      // Signal that we don't want to create VM yet
+    });
+    return app;
   }
   /**
-   * Pre-accept a host's SSH key by running ssh-keyscan
-   * This prevents "Host key verification failed" errors from uncloud
+   * Initiate GitHub App installation flow
    */
-  preAcceptHostKey(host, port) {
+  async initiateGitHubConnect() {
+    return this.request("POST", "/api/github/connect");
+  }
+  /**
+   * Poll for GitHub App installation completion
+   */
+  async pollGitHubConnect(stateToken) {
+    return this.request("GET", `/api/github/connect/poll?state=${encodeURIComponent(stateToken)}`);
+  }
+  /**
+   * Get current user's GitHub App installation
+   */
+  async getGitHubInstallation() {
     try {
-      const portArg = port ? `-p ${port}` : "";
-      execSync5(
-        `ssh-keyscan ${portArg} -H ${host} >> ~/.ssh/known_hosts 2>/dev/null`,
-        { stdio: "pipe", timeout: 1e4 }
-      );
-    } catch {
+      const { installation } = await this.request("GET", "/api/github/installation");
+      return installation;
+    } catch (error) {
+      if (error.message.includes("404") || error.message.includes("not found")) {
+        return null;
+      }
+      throw error;
     }
   }
   /**
-   * Ensure an SSH tunnel exists for gateway fallback
+   * Delete current user's GitHub App installation record
+   * Used when the installation becomes stale/invalid
+   */
+  async deleteGitHubInstallation() {
+    await this.request("DELETE", "/api/github/installation");
+  }
+  /**
+   * List repositories accessible via GitHub App installation
    */
-  async ensureTunnel(appName, vmIp, location) {
-    const gateway = await this.getGateway(location);
-    if (!gateway) {
-      throw new Error(`No gateway found for location ${location}`);
-    }
-    return this.tunnelManager.ensureTunnel(appName, vmIp, gateway.ipv4);
+  async listAccessibleRepos() {
+    const { repos } = await this.request("GET", "/api/github/repos");
+    return repos;
   }
   /**
-   * Run an uncloud command on the app's VM
+   * Connect a repository to an app
    */
-  async run(appName, command, args = [], options = {}) {
-    const connInfo = await this.getConnectionInfo(appName);
-    if (connInfo.viaGateway) {
-      console.log(chalk7.dim(`Connecting via gateway...`));
-    }
-    const fullArgs = ["--connect", connInfo.url, command, ...args];
-    if (options.stdio === "inherit") {
-      const result = spawnSync3("uc", fullArgs, {
-        cwd: options.cwd,
-        stdio: "inherit",
-        timeout: options.timeout
-      });
-      if (result.status !== 0) {
-        throw new Error(`Uncloud command failed with exit code ${result.status}`);
+  async connectRepo(appName, repoFullName, branch) {
+    await this.request("POST", `/api/apps/${appName}/repo`, {
+      repoFullName,
+      branch: branch || "main"
+    });
+  }
+  /**
+   * Get connected repository for an app
+   */
+  async getConnectedRepo(appName) {
+    try {
+      const { repo } = await this.request("GET", `/api/apps/${appName}/repo`);
+      return repo;
+    } catch (error) {
+      if (error.message.includes("404") || error.message.includes("not found")) {
+        return null;
       }
-    } else {
-      const result = execSync5(`uc ${fullArgs.map((a) => `"${a}"`).join(" ")}`, {
-        cwd: options.cwd,
-        encoding: "utf-8",
-        timeout: options.timeout
-      });
-      return result;
+      throw error;
     }
   }
   /**
-   * Run 'uc deploy' for an app
+   * Disconnect repository from an app
    */
-  async deploy(appName, cwd) {
-    await this.run(appName, "deploy", ["--yes"], { cwd, stdio: "inherit" });
+  async disconnectRepo(appName) {
+    await this.request("DELETE", `/api/apps/${appName}/repo`);
   }
+  // ==================== Builds ====================
   /**
-   * Run 'uc service logs' for an app
+   * List builds for an app
    */
-  async logs(appName, serviceName, options = {}) {
-    const args = [serviceName];
-    if (options.follow) args.push("-f");
-    if (options.tail) args.push("--tail", String(options.tail));
-    await this.run(appName, "service", ["logs", ...args], { stdio: "inherit" });
+  async listBuilds(appName, limit = 10) {
+    const { builds } = await this.request("GET", `/api/apps/${appName}/builds?limit=${limit}`);
+    return builds;
   }
   /**
-   * Run 'uc service ls' for an app
+   * Get build details
    */
-  async serviceList(appName) {
-    const result = await this.run(appName, "service", ["ls"], { stdio: "pipe" });
-    return result;
+  async getBuild(appName, buildId) {
+    const { build } = await this.request("GET", `/api/apps/${appName}/builds/${buildId}`);
+    return build;
   }
   /**
-   * Run 'uc machine token' on remote VM via SSH
-   * This is different - it runs on the VM directly, not via uncloud connector
+   * Get build events (for live streaming)
    */
-  async getMachineToken(appName) {
-    const connInfo = await this.getConnectionInfo(appName);
-    let sshCmd2;
-    if (connInfo.viaGateway && connInfo.localPort) {
-      sshCmd2 = `ssh -p ${connInfo.localPort} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR root@localhost`;
-    } else {
-      sshCmd2 = `ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR root@${connInfo.vmIp}`;
+  async getBuildEvents(appName, buildId, after) {
+    let url = `/api/apps/${appName}/builds/${buildId}/events`;
+    if (after) {
+      url += `?after=${encodeURIComponent(after.toISOString())}`;
     }
-    const token = execSync5(`${sshCmd2} "uc machine token"`, { encoding: "utf-8" }).trim();
-    return token;
+    const { events } = await this.request("GET", url);
+    return events;
   }
+  // ==================== VPN Management ====================
   /**
-   * Execute an SSH command on the VM
+   * Register VPN peer with the platform
+   * This is idempotent - if already registered, returns existing config
    */
-  async sshExec(appName, command) {
-    const connInfo = await this.getConnectionInfo(appName);
-    let sshCmd2;
-    if (connInfo.viaGateway && connInfo.localPort) {
-      sshCmd2 = `ssh -p ${connInfo.localPort} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR root@localhost`;
-    } else {
-      sshCmd2 = `ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR root@${connInfo.vmIp}`;
-    }
-    return execSync5(`${sshCmd2} "${command}"`, { encoding: "utf-8" }).trim();
+  async registerVPNPeer(publicKey, location) {
+    const { vpnConfig } = await this.request("POST", "/api/vpn/register", { publicKey, location }, { operation: "Register VPN peer" });
+    return vpnConfig;
   }
   /**
-   * Remove a node from the uncloud cluster
-   * Uses 'uc machine rm' to drain containers and remove from cluster
+   * Get existing VPN config if registered
    */
-  async removeNode(appName, nodeName) {
-    const connInfo = await this.getConnectionInfo(appName);
-    const result = spawnSync3("uc", ["--connect", connInfo.url, "machine", "rm", nodeName, "--yes"], {
-      stdio: "inherit",
-      timeout: 3e5
-      // 5 minute timeout for container drainage
-    });
-    if (result.status !== 0) {
-      throw new Error(`Failed to remove node '${nodeName}' from cluster (exit code ${result.status})`);
+  async getVPNConfig(location) {
+    try {
+      const { vpnConfig } = await this.request("GET", `/api/vpn/config?location=${encodeURIComponent(location)}`);
+      return vpnConfig;
+    } catch (error) {
+      if (error.message.includes("404") || error.message.includes("not found")) {
+        return null;
+      }
+      throw error;
     }
   }
   /**
-   * List machines in the uncloud cluster
+   * Unregister VPN peer
    */
-  async listMachines(appName) {
-    const result = await this.run(appName, "machine", ["ls"], { stdio: "pipe" });
-    return result;
+  async unregisterVPNPeer() {
+    await this.request("DELETE", "/api/vpn/unregister");
   }
-  /**
-   * Get gateway info (cached)
-   */
-  async getGateway(location) {
-    if (this.gatewayCache.has(location)) {
-      return this.gatewayCache.get(location) || null;
-    }
-    const gateway = await this.platformClient.getGateway(location);
-    if (gateway) {
-      this.gatewayCache.set(location, { ipv4: gateway.ipv4, ipv6: gateway.ipv6 });
-      return { ipv4: gateway.ipv4, ipv6: gateway.ipv6 };
-    }
-    this.gatewayCache.set(location, null);
+};
+
+// src/lib/app-config.ts
+import { existsSync as existsSync4, readFileSync as readFileSync4, writeFileSync as writeFileSync4 } from "fs";
+import { join as join4 } from "path";
+import { parse, stringify } from "yaml";
+var CONFIG_FILENAME = "hackerrun.yaml";
+function getConfigPath(directory = process.cwd()) {
+  return join4(directory, CONFIG_FILENAME);
+}
+function hasAppConfig(directory = process.cwd()) {
+  return existsSync4(getConfigPath(directory));
+}
+function readAppConfig(directory = process.cwd()) {
+  const configPath = getConfigPath(directory);
+  if (!existsSync4(configPath)) {
     return null;
   }
-  /**
-   * Clean up all SSH sessions, tunnels, and VPN
-   */
-  cleanup() {
-    this.tunnelManager.closeAll();
-    this.certManager.cleanupAll();
-    if (this.vpnEstablishedByUs) {
-      this.vpnManager.disconnect();
-      this.vpnEstablishedByUs = false;
+  try {
+    const content = readFileSync4(configPath, "utf-8");
+    const config = parse(content);
+    if (!config.appName) {
+      return null;
     }
+    return config;
+  } catch (error) {
+    console.error(`Failed to parse ${CONFIG_FILENAME}:`, error);
+    return null;
   }
-};
+}
+function writeAppConfig(config, directory = process.cwd()) {
+  const configPath = getConfigPath(directory);
+  const content = stringify(config);
+  writeFileSync4(configPath, content, "utf-8");
+}
+function getAppName(directory = process.cwd()) {
+  const config = readAppConfig(directory);
+  if (config?.appName) {
+    return config.appName;
+  }
+  const folderName = directory.split("/").pop() || "app";
+  return folderName.toLowerCase().replace(/[^a-z0-9_-]/g, "-");
+}
+function linkApp(appName, directory = process.cwd()) {
+  writeAppConfig({ appName }, directory);
+}
 
 // src/commands/deploy.ts
 var DEFAULT_LOCATION = "eu-central-h1";
@@ -3730,19 +3727,33 @@ Error: ${error.message}
 import { Command as Command10 } from "commander";
 import chalk16 from "chalk";
 import ora10 from "ora";
-import { confirm } from "@inquirer/prompts";
-var DEFAULT_VM_SIZE = "standard-2";
+import { select as select2, confirm } from "@inquirer/prompts";
+var DEFAULT_VM_SIZE = "burstable-1";
 var DEFAULT_BOOT_IMAGE = "ubuntu-noble";
+function parseServiceList(output) {
+  const lines = output.trim().split("\n");
+  const services = [];
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("NAME") || trimmed.startsWith("Connecting") || trimmed.startsWith("Connected")) {
+      continue;
+    }
+    const svcName = trimmed.split(/\s+/)[0];
+    if (svcName) {
+      services.push(svcName);
+    }
+  }
+  return services;
+}
 function createScaleCommand() {
   const cmd = new Command10("scale");
-  cmd.description("Scale an app by adding or removing nodes").argument("[count]", "Target node count, or +N/-N to add/remove nodes").option("--app <app>", "App name (uses hackerrun.yaml if not specified)").option("--size <size>", `VM size for new nodes (default: ${DEFAULT_VM_SIZE})`).option("--force", "Skip confirmation when removing nodes").action(async (countArg, options) => {
+  cmd.description("Scale a service in your app").argument("<app>", "App name").argument("[service]", "Service name (optional - will prompt if not provided)").argument("[replicas]", "Number of replicas").option("--add-machines", "Automatically add machines if needed").option("--no-add-machine", "Scale on existing machines only").option("--size <size>", `VM size for new machines (default: ${DEFAULT_VM_SIZE})`).action(async (appName, serviceArg, replicasArg, options) => {
     let uncloudRunner = null;
     try {
-      const appName = options.app || getAppName();
       const platformToken = getPlatformToken();
       const platformClient = new PlatformClient(platformToken);
-      const clusterManager = new ClusterManager(platformClient);
       uncloudRunner = new UncloudRunner(platformClient);
+      const clusterManager = new ClusterManager(platformClient, uncloudRunner);
       const app = await platformClient.getApp(appName);
       if (!app) {
         console.log(chalk16.red(`
@@ -3752,146 +3763,122 @@ App '${appName}' not found
 `);
         process.exit(1);
       }
-      const currentNodeCount = app.nodes.length;
-      if (!countArg) {
+      let services;
+      const spinner = ora10("Fetching services...").start();
+      try {
+        const output = await uncloudRunner.serviceList(appName);
+        services = parseServiceList(output);
+        spinner.stop();
+      } catch (error) {
+        spinner.fail("Failed to fetch services");
+        console.log(chalk16.yellow("\nMake sure the app is deployed and running.\n"));
+        process.exit(1);
+      }
+      if (services.length === 0) {
+        console.log(chalk16.yellow(`
+No services found in app '${appName}'`));
+        console.log(`Run ${chalk16.bold("hackerrun deploy")} to deploy your app first.
+`);
+        process.exit(1);
+      }
+      let serviceName;
+      let replicas;
+      if (!serviceArg) {
         console.log(chalk16.cyan(`
-App '${appName}' Scale Info:
+Services in '${appName}':
 `));
-        console.log(`  Current nodes: ${chalk16.bold(currentNodeCount.toString())}`);
-        console.log();
-        app.nodes.forEach((node, index) => {
-          const primaryLabel = node.isPrimary ? chalk16.yellow(" (primary)") : "";
-          console.log(`  ${index + 1}. ${chalk16.bold(node.name)}${primaryLabel}`);
-          console.log(`     IPv6: ${node.ipv6 || "pending"}`);
-          console.log();
+        serviceName = await select2({
+          message: "Which service would you like to scale?",
+          choices: services.map((s) => ({ name: s, value: s }))
         });
-        console.log(chalk16.dim("Usage:"));
-        console.log(chalk16.dim(`  hackerrun scale 3         # Scale to 3 nodes`));
-        console.log(chalk16.dim(`  hackerrun scale +1        # Add 1 node`));
-        console.log(chalk16.dim(`  hackerrun scale -1        # Remove 1 node`));
-        console.log();
-        return;
-      }
-      let targetCount;
-      if (countArg.startsWith("+")) {
-        const delta = parseInt(countArg.slice(1), 10);
-        if (isNaN(delta) || delta <= 0) {
-          console.log(chalk16.red(`
-Invalid count: ${countArg}
+        if (!replicasArg) {
+          console.log(chalk16.red("\nPlease specify the number of replicas.\n"));
+          console.log(chalk16.dim(`Usage: hackerrun scale ${appName} ${serviceName} <replicas>
 `));
           process.exit(1);
         }
-        targetCount = currentNodeCount + delta;
-      } else if (countArg.startsWith("-")) {
-        const delta = parseInt(countArg.slice(1), 10);
-        if (isNaN(delta) || delta <= 0) {
-          console.log(chalk16.red(`
-Invalid count: ${countArg}
+        replicas = parseInt(replicasArg, 10);
+      } else if (!replicasArg) {
+        const maybeReplicas = parseInt(serviceArg, 10);
+        if (!isNaN(maybeReplicas)) {
+          replicas = maybeReplicas;
+          console.log(chalk16.cyan(`
+Services in '${appName}':
+`));
+          serviceName = await select2({
+            message: "Which service would you like to scale?",
+            choices: services.map((s) => ({ name: s, value: s }))
+          });
+        } else {
+          console.log(chalk16.red("\nPlease specify the number of replicas.\n"));
+          console.log(chalk16.dim(`Usage: hackerrun scale ${appName} ${serviceArg} <replicas>
 `));
           process.exit(1);
         }
-        targetCount = currentNodeCount - delta;
       } else {
-        targetCount = parseInt(countArg, 10);
-        if (isNaN(targetCount)) {
+        serviceName = serviceArg;
+        replicas = parseInt(replicasArg, 10);
+        if (!services.includes(serviceName)) {
           console.log(chalk16.red(`
-Invalid count: ${countArg}
+Service '${serviceName}' not found in app '${appName}'.
 `));
+          console.log(chalk16.cyan("Available services:"));
+          services.forEach((s) => console.log(`  - ${s}`));
+          console.log();
           process.exit(1);
         }
       }
-      if (targetCount < 1) {
-        console.log(chalk16.red(`
-Cannot scale below 1 node. Use 'hackerrun destroy' to remove the app.
-`));
+      if (isNaN(replicas) || replicas < 1) {
+        console.log(chalk16.red("\nReplicas must be a positive number.\n"));
         process.exit(1);
       }
-      if (targetCount === currentNodeCount) {
-        console.log(chalk16.yellow(`
-App already has ${currentNodeCount} node(s). Nothing to do.
+      const currentMachineCount = app.nodes.length;
+      console.log(chalk16.cyan(`
+Scaling '${serviceName}' to ${replicas} replica(s)...`));
+      console.log(chalk16.dim(`Current machines: ${currentMachineCount}
 `));
-        return;
-      }
-      const vmSize = options.size || DEFAULT_VM_SIZE;
-      if (targetCount > currentNodeCount) {
-        const nodesToAdd = targetCount - currentNodeCount;
-        console.log(chalk16.cyan(`
-Scaling '${appName}' from ${currentNodeCount} to ${targetCount} nodes (+${nodesToAdd})
+      let shouldAddMachines = false;
+      if (replicas > currentMachineCount) {
+        if (options.addMachines) {
+          shouldAddMachines = true;
+        } else if (options.addMachine === false) {
+          shouldAddMachines = false;
+          console.log(chalk16.yellow(`Scaling ${replicas} replicas across ${currentMachineCount} machine(s).
 `));
-        for (let i = 0; i < nodesToAdd; i++) {
-          console.log(chalk16.cyan(`
-Adding node ${i + 1} of ${nodesToAdd}...`));
-          const newNode = await clusterManager.addNode(appName, vmSize, DEFAULT_BOOT_IMAGE);
-          console.log(chalk16.green(`  Added: ${newNode.name} (${newNode.ipv6})`));
-        }
-        const updatedApp = await platformClient.getApp(appName);
-        const syncSpinner = ora10("Syncing gateway routes...").start();
-        try {
-          await platformClient.syncGatewayRoutes(app.location);
-          syncSpinner.succeed("Gateway routes synced");
-        } catch (error) {
-          syncSpinner.warn(`Gateway sync failed: ${error.message}`);
-        }
-        console.log(chalk16.green(`
-\u2713 Scaled to ${updatedApp?.nodes.length} nodes
-`));
-        console.log(chalk16.dim("To deploy to specific nodes, use x-machines in your compose file:"));
-        console.log(chalk16.dim("  services:"));
-        console.log(chalk16.dim("    web:"));
-        console.log(chalk16.dim("      x-machines:"));
-        updatedApp?.nodes.forEach((node) => {
-          console.log(chalk16.dim(`        - ${node.name}`));
-        });
-        console.log();
-      } else {
-        const nodesToRemove = currentNodeCount - targetCount;
-        const sortedNodes = [...app.nodes].sort((a, b) => {
-          const numA = parseInt(a.name.split("-").pop() || "0", 10);
-          const numB = parseInt(b.name.split("-").pop() || "0", 10);
-          return numB - numA;
-        });
-        const nodesToRemoveList = sortedNodes.slice(0, nodesToRemove);
-        console.log(chalk16.yellow(`
-Scaling '${appName}' from ${currentNodeCount} to ${targetCount} nodes (-${nodesToRemove})
+        } else {
+          console.log(chalk16.yellow(`You want ${replicas} replicas but only have ${currentMachineCount} machine(s).`));
+          console.log(chalk16.dim(`You can either:`));
+          console.log(chalk16.dim(`  \u2022 Add ${replicas - currentMachineCount} new machine(s) for dedicated capacity`));
+          console.log(chalk16.dim(`  \u2022 Run ${replicas} replicas on your existing ${currentMachineCount} machine(s)
 `));
-        console.log(chalk16.yellow("The following nodes will be removed:"));
-        nodesToRemoveList.forEach((node) => {
-          console.log(`  - ${node.name} (${node.ipv6})`);
-        });
-        console.log();
-        if (!options.force) {
-          console.log(chalk16.yellow("Warning: All containers on these nodes will be stopped and the VMs deleted."));
-          console.log(chalk16.yellow("Data on these nodes will be lost.\n"));
-          const confirmed = await confirm({
-            message: "Are you sure you want to remove these nodes?",
+          shouldAddMachines = await confirm({
+            message: `Add ${replicas - currentMachineCount} new machine(s)?`,
             default: false
           });
-          if (!confirmed) {
-            console.log(chalk16.dim("\nScale cancelled.\n"));
-            return;
+          if (!shouldAddMachines) {
+            console.log(chalk16.dim(`
+Scaling ${replicas} replicas across ${currentMachineCount} existing machine(s).
+`));
           }
         }
-        for (const node of nodesToRemoveList) {
-          console.log(chalk16.cyan(`
-Removing node '${node.name}'...`));
+      }
+      if (shouldAddMachines && replicas > currentMachineCount) {
+        const machinesToAdd = replicas - currentMachineCount;
+        const vmSize = options.size || DEFAULT_VM_SIZE;
+        console.log(chalk16.cyan(`
+Adding ${machinesToAdd} machine(s)...
+`));
+        for (let i = 0; i < machinesToAdd; i++) {
+          console.log(chalk16.cyan(`Adding machine ${i + 1} of ${machinesToAdd}...`));
           try {
-            const spinner = ora10("Removing from uncloud cluster...").start();
-            await uncloudRunner.removeNode(appName, node.name);
-            spinner.succeed("Removed from cluster");
-            spinner.start("Deleting VM...");
-            await platformClient.deleteVM(app.location, node.name);
-            spinner.succeed("VM deleted");
-            spinner.start("Updating app state...");
-            const updatedNodes = app.nodes.filter((n) => n.name !== node.name);
-            app.nodes = updatedNodes;
-            await platformClient.saveApp(app);
-            spinner.succeed("App state updated");
-            console.log(chalk16.green(`  Removed: ${node.name}`));
+            const newNode = await clusterManager.addNode(appName, vmSize, DEFAULT_BOOT_IMAGE);
+            console.log(chalk16.green(`  Added: ${newNode.name} (${newNode.ipv6})`));
           } catch (error) {
-            console.log(chalk16.red(`  Failed to remove ${node.name}: ${error.message}`));
+            console.log(chalk16.red(`  Failed to add machine: ${error.message}`));
+            console.log(chalk16.yellow("  Continuing with available machines...\n"));
+            break;
           }
         }
-        const updatedApp = await platformClient.getApp(appName);
         const syncSpinner = ora10("Syncing gateway routes...").start();
         try {
           await platformClient.syncGatewayRoutes(app.location);
@@ -3899,10 +3886,22 @@ Removing node '${node.name}'...`));
         } catch (error) {
           syncSpinner.warn(`Gateway sync failed: ${error.message}`);
         }
-        console.log(chalk16.green(`
-\u2713 Scaled to ${updatedApp?.nodes.length} nodes
-`));
       }
+      const scaleSpinner = ora10(`Scaling ${serviceName} to ${replicas} replicas...`).start();
+      try {
+        await uncloudRunner.run(appName, "scale", [serviceName, String(replicas)], { stdio: "pipe" });
+        scaleSpinner.succeed(chalk16.green(`Scaled '${serviceName}' to ${replicas} replica(s)`));
+      } catch (error) {
+        scaleSpinner.fail(`Failed to scale service: ${error.message}`);
+        process.exit(1);
+      }
+      const updatedApp = await platformClient.getApp(appName);
+      console.log(chalk16.cyan("\nScale Summary:\n"));
+      console.log(`  App:       ${chalk16.bold(appName)}`);
+      console.log(`  Service:   ${chalk16.bold(serviceName)}`);
+      console.log(`  Replicas:  ${chalk16.bold(String(replicas))}`);
+      console.log(`  Machines:  ${chalk16.bold(String(updatedApp?.nodes.length || currentMachineCount))}`);
+      console.log();
     } catch (error) {
       console.error(chalk16.red(`
 Error: ${error.message}