hackerrun 0.1.10 → 0.1.12

package/dist/index.js

@@ -7,7 +7,7 @@ var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require
 });
 
 // src/index.ts
-import { Command as Command11 } from "commander";
+import { Command as Command12 } from "commander";
 
 // src/commands/login.ts
 import { Command } from "commander";
@@ -537,1026 +537,1315 @@ var TunnelManager = class {
   }
 };
 
-// src/lib/cluster.ts
-import { execSync as execSync2 } from "child_process";
-import ora2 from "ora";
+// src/lib/uncloud-runner.ts
+import { execSync as execSync3, spawnSync as spawnSync3 } from "child_process";
+
+// src/lib/vpn.ts
+import { execSync as execSync2, spawnSync as spawnSync2 } from "child_process";
+import { existsSync as existsSync3, readFileSync as readFileSync3, writeFileSync as writeFileSync3, mkdirSync as mkdirSync2, unlinkSync } from "fs";
+import { homedir as homedir2, platform } from "os";
+import { join as join3 } from "path";
 import chalk2 from "chalk";
-var platformKeysCache = null;
-var ClusterManager = class {
-  constructor(platformClient) {
-    this.platformClient = platformClient;
-    this.sshCertManager = new SSHCertManager(platformClient);
-  }
-  sshCertManager;
-  /**
-   * Get platform SSH keys (cached for the session)
-   * Returns CA public key and platform public key for VM creation
-   */
-  async getPlatformKeys() {
-    if (platformKeysCache) {
-      return platformKeysCache;
-    }
-    try {
-      platformKeysCache = await this.platformClient.getPlatformSSHKeys();
-      return platformKeysCache;
-    } catch (error) {
-      throw new Error(`Failed to get platform SSH keys: ${error.message}`);
-    }
-  }
-  /**
-   * Initialize a new cluster for an app (creates first VM and sets up uncloud)
-   *
-   * Flow:
-   * 1. Create VM with platform SSH key
-   * 2. Wait for VM to get IPv6 address
-   * 3. Call platform API to setup VM (DNS64, WireGuard, SSH CA)
-   * 4. Run `uc machine init` to install Docker + uncloud
-   * 5. Configure Docker for NAT64
-   * 6. Save app state to platform
-   *
-   * Users access VMs via SSH certificates signed by the platform CA.
-   */
-  async initializeCluster(options) {
-    const { appName, location, vmSize, storageSize, bootImage } = options;
-    const vmName = `${appName}-1`;
-    let spinner = ora2(`Creating VM '${vmName}' in ${location}...`).start();
-    try {
-      spinner.text = "Fetching platform SSH keys...";
-      const platformKeys = await this.getPlatformKeys();
-      const gateway = await this.platformClient.getGateway(location);
-      const privateSubnetId = gateway?.subnetId;
-      spinner.text = `Creating VM '${vmName}'...`;
-      const vm = await this.platformClient.createVM({
-        name: vmName,
-        location,
-        size: vmSize,
-        storage_size: storageSize,
-        boot_image: bootImage,
-        unix_user: "root",
-        public_key: platformKeys.platformPublicKey,
-        enable_ip4: !privateSubnetId,
-        // IPv6-only if we have a subnet for NAT64
-        private_subnet_id: privateSubnetId
-      });
-      spinner.text = `Waiting for VM to be ready...`;
-      spinner.stop();
-      console.log(chalk2.cyan("\nWaiting for VM to get an IPv6 address..."));
-      const vmWithIp = await this.waitForVM(location, vmName, 600, false);
-      spinner = ora2("Setting up VM...").start();
-      spinner.text = "Waiting for SSH to be ready...";
-      await this.sleep(3e4);
-      spinner.text = "Configuring VM (DNS64, NAT64, SSH CA)...";
-      await this.platformClient.setupVM(vmWithIp.ip6, location, appName);
-      const cluster = {
-        appName,
-        location,
-        nodes: [{
-          name: vmName,
-          id: vm.id,
-          ipv6: vmWithIp.ip6,
-          isPrimary: true
-        }],
-        uncloudContext: appName,
-        createdAt: (/* @__PURE__ */ new Date()).toISOString()
-      };
-      spinner.text = "Registering app...";
-      const savedCluster = await this.platformClient.saveApp(cluster);
-      spinner.text = "Installing Docker and Uncloud...";
-      spinner.stop();
-      console.log(chalk2.cyan("\nInitializing uncloud (this may take a few minutes)..."));
-      await this.initializeUncloud(vmWithIp.ip6, appName, gateway?.ipv4);
-      spinner = ora2("Configuring Docker for NAT64...").start();
-      await this.configureDockerNAT64(vmWithIp.ip6, gateway?.ipv4);
-      spinner.text = "Waiting for uncloud services to be ready...";
-      await this.waitForUncloudReady(vmWithIp.ip6, gateway?.ipv4);
-      this.sshCertManager.cleanupAll();
-      spinner.succeed(chalk2.green(`Cluster initialized successfully`));
-      return savedCluster;
-    } catch (error) {
-      spinner.fail(chalk2.red("Failed to initialize cluster"));
-      throw error;
-    }
+function detectOS() {
+  const os = platform();
+  if (os === "darwin") {
+    return { type: "macos" };
   }
-  /**
-   * Add a node to an existing cluster
-   */
-  async addNode(appName, vmSize, bootImage) {
-    const cluster = await this.platformClient.getApp(appName);
-    if (!cluster) {
-      throw new Error(`App '${appName}' not found`);
-    }
-    const existingNode = cluster.nodes.find((n) => n.ipv6);
-    if (!existingNode || !existingNode.ipv6) {
-      throw new Error(`No existing node with IPv6 address found to join`);
-    }
-    const gateway = await this.platformClient.getGateway(cluster.location);
-    const privateSubnetId = gateway?.subnetId;
-    const vmName = this.generateNodeName(appName, cluster.nodes);
-    let spinner = ora2(`Adding node '${vmName}' to cluster...`).start();
-    try {
-      spinner.text = "Fetching platform SSH keys...";
-      const platformKeys = await this.getPlatformKeys();
-      spinner.text = `Creating VM '${vmName}'...`;
-      const vm = await this.platformClient.createVM({
-        name: vmName,
-        location: cluster.location,
-        size: vmSize,
-        boot_image: bootImage,
-        unix_user: "root",
-        public_key: platformKeys.platformPublicKey,
-        enable_ip4: !privateSubnetId,
-        private_subnet_id: privateSubnetId
-      });
-      spinner.text = `Waiting for VM to be ready...`;
-      spinner.stop();
-      console.log(chalk2.cyan("\nWaiting for VM to get an IPv6 address..."));
-      const vmWithIp = await this.waitForVM(cluster.location, vmName, 600, false);
-      spinner = ora2("Setting up VM...").start();
-      await this.sleep(3e4);
-      spinner.text = "Configuring VM...";
-      await this.platformClient.setupVM(vmWithIp.ip6, cluster.location, appName);
-      spinner.text = "Joining uncloud cluster...";
-      spinner.stop();
-      console.log(chalk2.cyan("\nJoining uncloud cluster..."));
-      await this.joinUncloudCluster(vmWithIp.ip6, existingNode.ipv6, appName);
-      spinner = ora2("Configuring Docker for NAT64...").start();
-      await this.configureDockerNAT64(vmWithIp.ip6, gateway?.ipv4);
-      spinner.succeed(chalk2.green(`Node '${vmName}' added successfully`));
-      const newNode = {
-        name: vmName,
-        id: vm.id,
-        ipv6: vmWithIp.ip6,
-        isPrimary: false
-      };
-      cluster.nodes.push(newNode);
-      await this.platformClient.saveApp(cluster);
-      return newNode;
-    } catch (error) {
-      spinner.fail(chalk2.red("Failed to add node"));
-      throw error;
-    }
+  if (os === "win32") {
+    return { type: "windows" };
   }
-  /**
-   * Initialize uncloud on the VM using uc machine init
-   * Uses --no-dns because we manage our own domain via gateway
-   *
-   * Before running uc, we get an SSH certificate from the platform
-   * and add it to the ssh-agent. This allows uc to authenticate
-   * since the VM only accepts platform SSH key or signed certificates.
-   *
-   * If direct IPv6 connectivity is not available, tunnels through the gateway.
-   */
-  async initializeUncloud(vmIp, contextName, gatewayIp) {
-    let tunnel = null;
-    let targetHost = vmIp;
+  if (os === "linux") {
     try {
-      await this.sshCertManager.getSession(contextName, vmIp);
-      const canConnectDirect = await testIPv6Connectivity(vmIp, 3e3);
-      if (!canConnectDirect) {
-        if (!gatewayIp) {
-          throw new Error("No direct IPv6 connectivity and no gateway available");
-        }
-        console.log(chalk2.dim("No direct IPv6 connectivity, tunneling through gateway..."));
-        tunnel = await createTunnel(vmIp, gatewayIp);
-        targetHost = `localhost:${tunnel.localPort}`;
-      }
-      let initSucceeded = false;
-      try {
-        execSync2(`uc machine init -c "${contextName}" --no-dns root@${targetHost}`, {
-          stdio: "inherit",
-          timeout: 6e5
-          // 10 min timeout
-        });
-        initSucceeded = true;
-      } catch (error) {
-        console.log(chalk2.yellow("\nInitial setup had errors, will attempt to recover..."));
-      }
-      if (!initSucceeded) {
-        const maxCaddyAttempts = 5;
-        for (let attempt = 1; attempt <= maxCaddyAttempts; attempt++) {
-          console.log(chalk2.dim(`Waiting for machine to be ready (attempt ${attempt}/${maxCaddyAttempts})...`));
-          await new Promise((resolve) => setTimeout(resolve, 1e4));
-          try {
-            execSync2(`yes | uc -c "${contextName}" caddy deploy`, {
-              stdio: "inherit",
-              timeout: 12e4
-            });
-            console.log(chalk2.green("Caddy deployed successfully"));
-            break;
-          } catch (caddyError) {
-            if (attempt >= maxCaddyAttempts) {
-              throw new Error(`Caddy deployment failed after ${maxCaddyAttempts} attempts. The machine may need more time to initialize.`);
-            }
-          }
+      if (existsSync3("/etc/os-release")) {
+        const osRelease = readFileSync3("/etc/os-release", "utf-8");
+        const idMatch = osRelease.match(/^ID=(.*)$/m);
+        if (idMatch) {
+          const distro = idMatch[1].replace(/"/g, "").toLowerCase();
+          return { type: "linux", distro };
         }
       }
-      console.log(chalk2.dim("Uncloud initialization complete."));
-    } catch (error) {
-      throw new Error(`Failed to initialize uncloud: ${error.message}`);
-    } finally {
-      if (tunnel) {
-        killTunnel(tunnel);
-      }
+    } catch {
     }
+    return { type: "linux" };
   }
-  /**
-   * Join a new node to an existing uncloud cluster
-   * Uses --connect ssh:// to avoid local context dependency
-   */
-  async joinUncloudCluster(newVmIp, primaryVmIp, contextName) {
-    try {
-      await this.sshCertManager.getSession(contextName, primaryVmIp);
-      await this.sshCertManager.getSession(contextName, newVmIp);
-      const token = execSync2(`uc --connect ssh://root@${primaryVmIp} machine token`, {
-        encoding: "utf-8",
-        timeout: 3e4
-      }).trim();
-      if (!token) {
-        throw new Error("Failed to get join token from primary node");
+  return { type: "unknown" };
+}
+function getWireGuardInstallInstructions() {
+  const os = detectOS();
+  switch (os.type) {
+    case "macos":
+      return `  ${chalk2.cyan("macOS:")} brew install wireguard-tools`;
+    case "windows":
+      return `  ${chalk2.cyan("Windows:")} Download from https://www.wireguard.com/install/
+            Or using winget: winget install WireGuard.WireGuard`;
+    case "linux":
+      switch (os.distro) {
+        case "arch":
+        case "manjaro":
+        case "endeavouros":
+        case "artix":
+          return `  ${chalk2.cyan("Arch Linux:")} sudo pacman -S wireguard-tools`;
+        case "ubuntu":
+        case "debian":
+        case "linuxmint":
+        case "pop":
+        case "elementary":
+        case "zorin":
+          return `  ${chalk2.cyan("Ubuntu/Debian:")} sudo apt install wireguard`;
+        case "fedora":
+          return `  ${chalk2.cyan("Fedora:")} sudo dnf install wireguard-tools`;
+        case "rhel":
+        case "centos":
+        case "rocky":
+        case "almalinux":
+          return `  ${chalk2.cyan("RHEL/CentOS:")} sudo dnf install wireguard-tools
+               (may need EPEL: sudo dnf install epel-release)`;
+        case "opensuse":
+        case "opensuse-leap":
+        case "opensuse-tumbleweed":
+          return `  ${chalk2.cyan("openSUSE:")} sudo zypper install wireguard-tools`;
+        case "gentoo":
+          return `  ${chalk2.cyan("Gentoo:")} sudo emerge net-vpn/wireguard-tools`;
+        case "void":
+          return `  ${chalk2.cyan("Void Linux:")} sudo xbps-install wireguard-tools`;
+        case "alpine":
+          return `  ${chalk2.cyan("Alpine:")} sudo apk add wireguard-tools`;
+        case "nixos":
+          return `  ${chalk2.cyan("NixOS:")} Add wireguard-tools to environment.systemPackages`;
+        default:
+          return `  ${chalk2.cyan("Linux:")} Install wireguard-tools using your package manager:
+    Arch:          sudo pacman -S wireguard-tools
+    Ubuntu/Debian: sudo apt install wireguard
+    Fedora:        sudo dnf install wireguard-tools
+    openSUSE:      sudo zypper install wireguard-tools`;
       }
-      execSync2(`uc --connect ssh://root@${primaryVmIp} machine add root@${newVmIp} --token "${token}"`, {
-        stdio: "inherit",
-        timeout: 6e5
-        // 10 min timeout
-      });
-    } catch (error) {
-      throw new Error(`Failed to join cluster: ${error.message}`);
-    }
+    default:
+      return `  Visit https://www.wireguard.com/install/ for installation instructions`;
   }
-  /**
-   * Configure Docker for NAT64 support on IPv6-only VMs
-   *
-   * Problem: DNS64 returns both A (IPv4) and AAAA (IPv6) records. Applications may try
-   * IPv4 first, which times out because there's no route to IPv4 internet.
-   *
-   * Solution:
-   * 1. Enable IPv6 on Docker networks so containers get IPv6 addresses
-   * 2. Block IPv4 forwarding from Docker to internet so IPv4 fails immediately
-   * 3. Applications then use IPv6 (NAT64) which works via the gateway
-   *
-   * If direct IPv6 connectivity is not available, tunnels through the gateway.
-   */
-  async configureDockerNAT64(vmIp, gatewayIp) {
-    const setupScript = `#!/bin/bash
-set -e
-
-# Step 1: Add IPv6 support to Docker daemon config
-DAEMON_JSON='/etc/docker/daemon.json'
-if [ -f "$DAEMON_JSON" ]; then
-  # Merge with existing config using jq
-  jq '. + {"ipv6": true, "fixed-cidr-v6": "fd00:d0c6:e4::/64"}' "$DAEMON_JSON" > /tmp/daemon.json
-  mv /tmp/daemon.json "$DAEMON_JSON"
-else
-  cat > "$DAEMON_JSON" << 'EOFJSON'
-{
-  "ipv6": true,
-  "fixed-cidr-v6": "fd00:d0c6:e4::/64"
 }
-EOFJSON
-fi
-
-# Step 2: Create systemd service to block IPv4 forwarding from Docker containers
-cat > /etc/systemd/system/docker-ipv6-nat64.service << 'EOFSVC'
-[Unit]
-Description=Block IPv4 forwarding from Docker containers (force NAT64)
-After=docker.service
-Requires=docker.service
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/sbin/iptables -I FORWARD -i br-+ -o ens3 -j REJECT --reject-with icmp-net-unreachable
-ExecStop=/sbin/iptables -D FORWARD -i br-+ -o ens3 -j REJECT --reject-with icmp-net-unreachable
-
-[Install]
-WantedBy=multi-user.target
-EOFSVC
-
-systemctl daemon-reload
-systemctl enable docker-ipv6-nat64
-
-# Step 3: Restart Docker to apply IPv6 config
-systemctl restart docker
-sleep 3
-
-# Step 4: Recreate uncloud network with IPv6 enabled
-CONTAINERS=$(docker ps -aq --filter network=uncloud 2>/dev/null || true)
-
-for container in $CONTAINERS; do
-  docker network disconnect uncloud "$container" 2>/dev/null || true
-done
-
-docker network rm uncloud 2>/dev/null || true
-docker network create --driver bridge   --subnet 10.210.0.0/24 --gateway 10.210.0.1   --ipv6 --subnet fd00:a10:210::/64 --gateway fd00:a10:210::1   uncloud
-
-for container in $CONTAINERS; do
-  docker network connect uncloud "$container" 2>/dev/null || true
-done
+var CONFIG_DIR = join3(homedir2(), ".config", "hackerrun");
+var PRIVATE_KEY_FILE = join3(CONFIG_DIR, "wg-private-key");
+var WG_INTERFACE = "hackerrun";
+var WG_CONFIG_PATH = `/etc/wireguard/${WG_INTERFACE}.conf`;
+function isWireGuardInstalled() {
+  try {
+    execSync2("which wg", { stdio: "ignore" });
+    execSync2("which wg-quick", { stdio: "ignore" });
+    return true;
+  } catch {
+    return false;
+  }
+}
+function ensureConfigDir() {
+  if (!existsSync3(CONFIG_DIR)) {
+    mkdirSync2(CONFIG_DIR, { recursive: true, mode: 448 });
+  }
+}
+function generateKeyPair() {
+  const privateKey = execSync2("wg genkey", { encoding: "utf-8" }).trim();
+  const publicKey = execSync2("wg pubkey", {
+    input: privateKey,
+    encoding: "utf-8"
+  }).trim();
+  return { privateKey, publicKey };
+}
+function getOrCreateKeyPair() {
+  ensureConfigDir();
+  if (existsSync3(PRIVATE_KEY_FILE)) {
+    const privateKey2 = readFileSync3(PRIVATE_KEY_FILE, "utf-8").trim();
+    const publicKey2 = execSync2("wg pubkey", {
+      input: privateKey2,
+      encoding: "utf-8"
+    }).trim();
+    return { privateKey: privateKey2, publicKey: publicKey2, isNew: false };
+  }
+  const { privateKey, publicKey } = generateKeyPair();
+  writeFileSync3(PRIVATE_KEY_FILE, privateKey + "\n", { mode: 384 });
+  return { privateKey, publicKey, isNew: true };
+}
+function getPublicKey() {
+  if (!existsSync3(PRIVATE_KEY_FILE)) {
+    return null;
+  }
+  const privateKey = readFileSync3(PRIVATE_KEY_FILE, "utf-8").trim();
+  return execSync2("wg pubkey", {
+    input: privateKey,
+    encoding: "utf-8"
+  }).trim();
+}
+function isVPNUp() {
+  try {
+    const result = execSync2(`ip link show ${WG_INTERFACE}`, {
+      encoding: "utf-8",
+      stdio: ["pipe", "pipe", "pipe"]
+    });
+    return result.includes(WG_INTERFACE);
+  } catch {
+    return false;
+  }
+}
+function isRoutedViaVPN(ipv6Address) {
+  if (!isVPNUp()) {
+    return false;
+  }
+  try {
+    const result = execSync2(`ip -6 route get ${ipv6Address}`, {
+      encoding: "utf-8",
+      stdio: ["pipe", "pipe", "pipe"]
+    });
+    return result.includes(`dev ${WG_INTERFACE}`);
+  } catch {
+    return false;
+  }
+}
+function getVPNStatus() {
+  if (!isVPNUp()) {
+    return { connected: false };
+  }
+  try {
+    const output = execSync2(`sudo wg show ${WG_INTERFACE}`, {
+      encoding: "utf-8",
+      stdio: ["pipe", "pipe", "pipe"]
+    });
+    const lines = output.split("\n");
+    let endpoint;
+    let latestHandshake;
+    let transferRx;
+    let transferTx;
+    for (const line of lines) {
+      if (line.includes("endpoint:")) {
+        endpoint = line.split("endpoint:")[1]?.trim();
+      }
+      if (line.includes("latest handshake:")) {
+        latestHandshake = line.split("latest handshake:")[1]?.trim();
+      }
+      if (line.includes("transfer:")) {
+        const transfer = line.split("transfer:")[1]?.trim();
+        const parts = transfer?.split(",");
+        transferRx = parts?.[0]?.trim();
+        transferTx = parts?.[1]?.trim();
+      }
+    }
+    return {
+      connected: true,
+      interface: WG_INTERFACE,
+      endpoint,
+      latestHandshake,
+      transferRx,
+      transferTx
+    };
+  } catch {
+    return { connected: isVPNUp(), interface: WG_INTERFACE };
+  }
+}
+function generateWireGuardConfig(config) {
+  return `# HackerRun VPN - Auto-generated
+# Do not edit manually
 
-# Step 5: Start the iptables service
-systemctl start docker-ipv6-nat64
+[Interface]
+PrivateKey = ${config.privateKey}
+Address = ${config.address}
 
-echo "Docker NAT64 configuration complete"
+[Peer]
+PublicKey = ${config.gatewayPublicKey}
+Endpoint = ${config.gatewayEndpoint}
+AllowedIPs = ${config.allowedIPs}
+PersistentKeepalive = 25
 `;
-    let tunnel = null;
-    let sshHost = vmIp;
-    let sshPortArgs = "";
-    try {
-      const canConnectDirect = await testIPv6Connectivity(vmIp, 3e3);
-      if (!canConnectDirect && gatewayIp) {
-        tunnel = await createTunnel(vmIp, gatewayIp);
-        sshHost = "localhost";
-        sshPortArgs = `-p ${tunnel.localPort}`;
-      }
-      execSync2(`ssh ${sshPortArgs} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@${sshHost} 'bash -s' << 'REMOTESCRIPT'
-${setupScript}
-REMOTESCRIPT`, {
-        stdio: "inherit",
-        timeout: 12e4
-        // 2 min timeout
-      });
-    } catch (error) {
-      throw new Error(`Failed to configure Docker for NAT64: ${error.message}`);
-    } finally {
-      if (tunnel) {
-        killTunnel(tunnel);
-      }
+}
+function writeWireGuardConfig(config) {
+  const configContent = generateWireGuardConfig(config);
+  const tempFile = join3(CONFIG_DIR, "wg-temp.conf");
+  writeFileSync3(tempFile, configContent, { mode: 384 });
+  try {
+    execSync2("sudo mkdir -p /etc/wireguard", { stdio: "inherit" });
+    execSync2(`sudo mv ${tempFile} ${WG_CONFIG_PATH}`, { stdio: "inherit" });
+    execSync2(`sudo chmod 600 ${WG_CONFIG_PATH}`, { stdio: "inherit" });
+  } catch (error) {
+    if (existsSync3(tempFile)) {
+      unlinkSync(tempFile);
     }
+    throw error;
+  }
+}
+function vpnUp() {
+  if (isVPNUp()) {
+    return;
+  }
+  const result = spawnSync2("sudo", ["wg-quick", "up", WG_INTERFACE], {
+    stdio: "inherit"
+  });
+  if (result.status !== 0) {
+    throw new Error(`Failed to bring up VPN interface (exit code ${result.status})`);
+  }
+}
+function vpnDown() {
+  if (!isVPNUp()) {
+    return;
+  }
+  const result = spawnSync2("sudo", ["wg-quick", "down", WG_INTERFACE], {
+    stdio: "inherit"
+  });
+  if (result.status !== 0) {
+    throw new Error(`Failed to bring down VPN interface (exit code ${result.status})`);
+  }
+}
+function testIPv6Connectivity2(ipv6Address, timeoutSeconds = 3) {
+  try {
+    execSync2(`ping -6 -c 1 -W ${timeoutSeconds} ${ipv6Address}`, {
+      stdio: "ignore",
+      timeout: (timeoutSeconds + 2) * 1e3
+    });
+    return true;
+  } catch {
+    return false;
   }
+}
+var VPNManager = class {
+  wasConnectedByUs = false;
   /**
-   * Wait for VM to have an IP address
-   * @param requireIpv4 - If true, wait for IPv4 (for gateway VMs). Otherwise wait for IPv6.
+   * Ensure VPN is connected if IPv6 is not available
+   * Returns true if VPN was established (and should be torn down later)
    */
-  async waitForVM(location, vmName, timeoutSeconds, requireIpv4 = false) {
-    const startTime = Date.now();
-    const timeoutMs = timeoutSeconds * 1e3;
-    let lastStatus = "";
-    while (Date.now() - startTime < timeoutMs) {
-      const vm = await this.platformClient.getVM(location, vmName);
-      if (vm.status && vm.status !== lastStatus) {
-        console.log(chalk2.dim(`  Status: ${vm.status}`));
-        lastStatus = vm.status;
-      }
-      const hasRequiredIp = requireIpv4 ? vm.ip4 : vm.ip6;
-      if (hasRequiredIp) {
-        const ipDisplay = requireIpv4 ? vm.ip4 : vm.ip6;
-        console.log(chalk2.green(`  IP assigned: ${ipDisplay}`));
-        return vm;
+  async ensureConnected(targetIPv6, getVPNConfig) {
+    if (testIPv6Connectivity2(targetIPv6)) {
+      console.log(chalk2.green("\u2713 Direct IPv6 connectivity available"));
+      return false;
+    }
+    console.log(chalk2.yellow("IPv6 not available, checking VPN..."));
+    if (isVPNUp()) {
+      if (testIPv6Connectivity2(targetIPv6)) {
+        console.log(chalk2.green("\u2713 VPN already connected"));
+        return false;
       }
-      const elapsed = Math.floor((Date.now() - startTime) / 1e3);
-      const ipType = requireIpv4 ? "IPv4" : "IPv6";
-      process.stdout.write(`\r  Waiting for ${ipType}... (${elapsed}s / ${timeoutSeconds}s)`);
-      await this.sleep(5e3);
+      console.log(chalk2.yellow("VPN is up but cannot reach target, reconnecting..."));
+      vpnDown();
     }
-    process.stdout.write("\n");
-    throw new Error(
-      `Timeout waiting for VM to get IP address after ${timeoutSeconds}s.
-
-The VM may still be provisioning. You can:
-  1. Check VM status: hackerrun vm list
-  2. Delete and retry: hackerrun vm delete ${vmName}
-  3. Check Ubicloud console: https://console.ubicloud.com`
-    );
+    if (!isWireGuardInstalled()) {
+      const instructions = getWireGuardInstallInstructions();
+      throw new Error(
+        "WireGuard is not installed.\n\nWireGuard is needed for IPv6 connectivity to your app VMs.\nPlease install it and try again:\n\n" + instructions
+      );
+    }
+    console.log(chalk2.cyan("Establishing VPN tunnel (requires sudo)..."));
+    const { publicKey, isNew } = getOrCreateKeyPair();
+    if (isNew) {
+      console.log(chalk2.dim("Generated new WireGuard keypair"));
+    }
+    const vpnConfig = await getVPNConfig();
+    writeWireGuardConfig(vpnConfig);
+    vpnUp();
+    if (!testIPv6Connectivity2(targetIPv6)) {
+      vpnDown();
+      throw new Error("VPN established but cannot reach target. Please try again.");
+    }
+    console.log(chalk2.green("\u2713 VPN connected"));
+    this.wasConnectedByUs = true;
+    return true;
   }
   /**
-   * Wait for uncloud services to be ready on the VM
-   * Specifically checks that unregistry (Docker registry at 10.210.0.1:5000) is accepting connections
-   * This is critical for first deploy - push will fail if unregistry isn't ready
+   * Disconnect VPN if we established it
    */
-  async waitForUncloudReady(vmIp, gatewayIp) {
-    const maxAttempts = 30;
-    const checkInterval = 2e3;
-    const canConnectDirect = await testIPv6Connectivity(vmIp, 3e3);
-    const proxyJump = !canConnectDirect && gatewayIp ? `-J root@${gatewayIp}` : "";
-    const sshBase = `ssh ${proxyJump} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR -o ConnectTimeout=10 root@${vmIp}`;
-    console.log(chalk2.dim("  Waiting for uncloud services..."));
-    for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+  disconnect() {
+    if (this.wasConnectedByUs && isVPNUp()) {
+      console.log(chalk2.dim("Disconnecting VPN..."));
       try {
-        const result = execSync2(
-          `${sshBase} "curl -sf --max-time 5 http://10.210.0.1:5000/v2/ >/dev/null 2>&1 && echo ready || echo notready"`,
-          { encoding: "utf-8", timeout: 2e4, stdio: ["pipe", "pipe", "pipe"] }
-        ).trim();
-        if (result.includes("ready")) {
-          console.log(chalk2.dim("  Uncloud services ready"));
-          return;
-        }
+        vpnDown();
+        console.log(chalk2.green("\u2713 VPN disconnected"));
       } catch (error) {
+        console.log(chalk2.yellow(`Warning: Failed to disconnect VPN: ${error.message}`));
       }
-      if (attempt % 5 === 0) {
-        console.log(chalk2.dim(`  Still waiting for unregistry... (attempt ${attempt}/${maxAttempts})`));
-      }
-      if (attempt < maxAttempts) {
-        await this.sleep(checkInterval);
-      }
+      this.wasConnectedByUs = false;
     }
-    console.log(chalk2.yellow("  Warning: Timeout waiting for unregistry, continuing anyway..."));
-  }
-  /**
-   * Generate a sequential node name: appName-1, appName-2, etc.
-   * Finds the next available number by checking existing node names
-   */
-  generateNodeName(appName, existingNodes) {
-    const existingNumbers = existingNodes.map((n) => {
-      const match = n.name.match(new RegExp(`^${appName}-(\\d+)$`));
-      return match ? parseInt(match[1], 10) : 0;
-    }).filter((n) => n > 0);
-    const maxNumber = existingNumbers.length > 0 ? Math.max(...existingNumbers) : 0;
-    return `${appName}-${maxNumber + 1}`;
-  }
-  /**
-   * Generate a random ID (used for legacy naming or fallback)
-   */
-  generateId() {
-    return Math.random().toString(36).substring(2, 9);
-  }
-  /**
-   * Sleep for specified milliseconds
-   */
-  sleep(ms) {
-    return new Promise((resolve) => setTimeout(resolve, ms));
   }
 };
 
-// src/lib/platform.ts
-import { platform } from "os";
+// src/lib/uncloud-runner.ts
 import chalk3 from "chalk";
-var PlatformDetector = class {
-  /**
-   * Check if running on Windows
-   */
-  static isWindows() {
-    return platform() === "win32";
+var UncloudRunner = class {
+  constructor(platformClient) {
+    this.platformClient = platformClient;
+    this.certManager = new SSHCertManager(platformClient);
   }
+  certManager;
+  gatewayCache = /* @__PURE__ */ new Map();
+  tunnelManager = new TunnelManager();
+  vpnManager = new VPNManager();
+  tempConfigPath = null;
+  vpnEstablishedByUs = false;
   /**
-   * Check if running inside WSL (Windows Subsystem for Linux)
+   * Get the connection URL for an app's primary VM
+   * Handles IPv6 direct connection, VPN, or gateway SSH tunnel fallback
    */
-  static isWSL() {
-    if (!this.isWindows()) {
-      if (platform() === "linux") {
-        try {
-          const fs = __require("fs");
-          const procVersion = fs.readFileSync("/proc/version", "utf8").toLowerCase();
-          return procVersion.includes("microsoft") || procVersion.includes("wsl");
-        } catch {
-          return false;
+  async getConnectionInfo(appName) {
+    const app = await this.platformClient.getApp(appName);
+    if (!app) {
+      throw new Error(`App '${appName}' not found`);
+    }
+    const primaryNode = app.nodes.find((n) => n.isPrimary);
+    if (!primaryNode?.ipv6) {
+      throw new Error(`App '${appName}' has no primary node with IPv6 address`);
+    }
+    const vmIp = primaryNode.ipv6;
+    await this.certManager.getSession(appName, vmIp);
+    const canConnectDirect = await testIPv6Connectivity(vmIp, 3e3);
+    if (canConnectDirect) {
+      const viaVPN = isRoutedViaVPN(vmIp);
+      return {
+        url: `ssh://root@${vmIp}`,
+        vmIp,
+        viaGateway: false,
+        viaVPN
+      };
+    }
+    const vpnAvailable = isWireGuardInstalled();
+    if (vpnAvailable) {
+      console.log(chalk3.yellow("Direct IPv6 not available, trying VPN..."));
+      try {
+        if (isVPNUp() && testIPv6Connectivity2(vmIp, 3)) {
+          console.log(chalk3.green("\u2713 VPN already connected"));
+          return {
+            url: `ssh://root@${vmIp}`,
+            vmIp,
+            viaGateway: false,
+            viaVPN: true
+          };
         }
+        this.vpnEstablishedByUs = await this.vpnManager.ensureConnected(
+          vmIp,
+          async () => this.getVPNConfig(app.location)
+        );
+        if (testIPv6Connectivity2(vmIp, 5)) {
+          console.log(chalk3.green("\u2713 Connected via VPN"));
+          return {
+            url: `ssh://root@${vmIp}`,
+            vmIp,
+            viaGateway: false,
+            viaVPN: true
+          };
+        }
+      } catch (error) {
+        console.log(chalk3.yellow(`VPN setup failed: ${error.message}`));
+        console.log(chalk3.dim("Falling back to SSH tunnel..."));
       }
-      return false;
+    } else {
+      console.log(chalk3.yellow("Direct IPv6 not available on your network."));
+      console.log(chalk3.dim("For faster deploys, install WireGuard:"));
+      console.log(chalk3.dim(getWireGuardInstallInstructions()));
+      console.log();
     }
-    return false;
-  }
-  /**
-   * Check if platform is supported for hackerrun
-   */
-  static isSupported() {
-    return platform() === "darwin" || platform() === "linux" || this.isWSL();
-  }
-  /**
-   * Get platform name for display
-   */
-  static getPlatformName() {
-    if (this.isWSL()) return "WSL (Windows Subsystem for Linux)";
-    if (platform() === "win32") return "Windows";
-    if (platform() === "darwin") return "macOS";
-    if (platform() === "linux") return "Linux";
-    return platform();
+    console.log(chalk3.yellow("Using SSH tunnel (may be slower for large transfers)..."));
+    const tunnelInfo = await this.ensureTunnel(appName, vmIp, app.location);
+    return {
+      url: `ssh://root@localhost:${tunnelInfo.localPort}`,
+      vmIp,
+      viaGateway: true,
+      viaVPN: false,
+      localPort: tunnelInfo.localPort
+    };
   }
   /**
-   * Ensure platform is supported, exit with helpful message if not
+   * Get VPN configuration from platform
    */
-  static ensureSupported() {
-    if (this.isWindows() && !this.isWSL()) {
-      console.log(chalk3.yellow("\n\u26A0\uFE0F  Windows detected\n"));
-      console.log("Hackerrun requires WSL (Windows Subsystem for Linux) to run.");
-      console.log("Uncloud and SSH tools work best in a Linux environment.\n");
-      console.log(chalk3.cyan("How to set up WSL:\n"));
-      console.log("1. Open PowerShell as Administrator and run:");
-      console.log(chalk3.bold("   wsl --install\n"));
-      console.log("2. Restart your computer\n");
-      console.log("3. Install Ubuntu from Microsoft Store (or use default Linux)\n");
-      console.log("4. Open WSL terminal and install hackerrun:");
-      console.log(chalk3.bold("   npm install -g hackerrun\n"));
-      console.log("Learn more: https://docs.microsoft.com/en-us/windows/wsl/install\n");
-      console.log(chalk3.red("Please install WSL and run hackerrun from WSL terminal.\n"));
-      process.exit(1);
-    }
-    if (!this.isSupported()) {
-      console.log(chalk3.red(`
-\u274C Platform '${platform()}' is not supported
-`));
-      console.log("Hackerrun supports:");
-      console.log("  - macOS");
-      console.log("  - Linux");
-      console.log("  - Windows (via WSL)\n");
-      process.exit(1);
-    }
+  async getVPNConfig(location) {
+    const { privateKey, publicKey } = getOrCreateKeyPair();
+    const vpnConfigResponse = await this.platformClient.registerVPNPeer(publicKey, location);
+    return {
+      privateKey,
+      publicKey,
+      address: vpnConfigResponse.address,
+      gatewayEndpoint: vpnConfigResponse.gatewayEndpoint,
+      gatewayPublicKey: vpnConfigResponse.gatewayPublicKey,
+      allowedIPs: vpnConfigResponse.allowedIPs
+    };
   }
-};
-
-// src/lib/uncloud.ts
-import { execSync as execSync3 } from "child_process";
-import { platform as platform2 } from "os";
-import chalk4 from "chalk";
-import ora3 from "ora";
-var UncloudManager = class {
   /**
-   * Check if uncloud CLI is installed
+   * Pre-accept a host's SSH key by running ssh-keyscan
+   * This prevents "Host key verification failed" errors from uncloud
    */
-  static isInstalled() {
+  preAcceptHostKey(host, port) {
     try {
-      execSync3("uc --version", { stdio: "pipe" });
-      return true;
+      const portArg = port ? `-p ${port}` : "";
+      execSync3(
+        `ssh-keyscan ${portArg} -H ${host} >> ~/.ssh/known_hosts 2>/dev/null`,
+        { stdio: "pipe", timeout: 1e4 }
+      );
     } catch {
-      return false;
     }
   }
   /**
-   * Get uncloud version
+   * Ensure an SSH tunnel exists for gateway fallback
    */
-  static getVersion() {
-    try {
-      const version = execSync3("uc --version", { encoding: "utf-8" }).trim();
-      return version;
-    } catch {
-      return null;
+  async ensureTunnel(appName, vmIp, location) {
+    const gateway = await this.getGateway(location);
+    if (!gateway) {
+      throw new Error(`No gateway found for location ${location}`);
     }
+    return this.tunnelManager.ensureTunnel(appName, vmIp, gateway.ipv4);
   }
   /**
-   * Check if uncloud is installed, offer to install if not
-   * @param options.nonInteractive - If true, fail immediately without prompting (for CI/CD)
+   * Run an uncloud command on the app's VM
    */
-  static async ensureInstalled(options) {
-    if (this.isInstalled()) {
-      return;
-    }
-    if (options?.nonInteractive) {
-      console.error(chalk4.red("\n\u274C Uncloud CLI (uc) not found\n"));
-      console.error("The uncloud CLI must be installed on the build VM.");
-      console.error("This is a build infrastructure issue - the uc binary should be pre-installed.\n");
-      process.exit(1);
+  async run(appName, command, args = [], options = {}) {
+    const connInfo = await this.getConnectionInfo(appName);
+    if (connInfo.viaGateway) {
+      console.log(chalk3.dim(`Connecting via gateway...`));
     }
-    console.log(chalk4.yellow("\n\u26A0\uFE0F  Uncloud CLI not found\n"));
-    console.log("Uncloud is required to deploy and manage your apps.");
-    console.log("Learn more: https://uncloud.run\n");
-    const os = platform2();
-    if (os === "darwin" || os === "linux") {
-      this.showInstallInstructions();
-      console.log(chalk4.cyan("Would you like to install uncloud now? (Y/n): "));
-      const answer = await this.promptUser();
-      if (answer === "y" || answer === "yes" || answer === "") {
-        try {
-          await this.autoInstall();
-          return;
-        } catch (error) {
-          console.log(chalk4.red("\nAuto-installation failed. Please install manually.\n"));
-          process.exit(1);
-        }
-      } else {
-        console.log(chalk4.yellow("\nPlease install uncloud manually and run hackerrun again.\n"));
-        process.exit(1);
+    const fullArgs = ["--connect", connInfo.url, command, ...args];
+    if (options.stdio === "inherit") {
+      const result = spawnSync3("uc", fullArgs, {
+        cwd: options.cwd,
+        stdio: "inherit",
+        timeout: options.timeout
+      });
+      if (result.status !== 0) {
+        throw new Error(`Uncloud command failed with exit code ${result.status}`);
       }
     } else {
-      this.showInstallInstructions();
-      console.log(chalk4.red("Please install uncloud and run hackerrun again.\n"));
-      process.exit(1);
-    }
-  }
-  /**
-   * Show installation instructions based on platform
-   */
-  static showInstallInstructions() {
-    const os = platform2();
-    console.log(chalk4.cyan("Installation instructions:\n"));
-    if (os === "darwin" || os === "linux") {
-      console.log(chalk4.bold("Option 1: Automated install (Recommended)"));
-      console.log(chalk4.green("  curl -fsS https://get.uncloud.run/install.sh | sh\n"));
-      console.log(chalk4.bold("Option 2: Homebrew"));
-      console.log(chalk4.green("  brew install psviderski/tap/uncloud\n"));
-      console.log(chalk4.bold("Option 3: Manual download"));
-      console.log("  Download from: https://github.com/psviderski/uncloud/releases/latest");
-      console.log("  Extract and move to /usr/local/bin\n");
-    } else if (os === "win32") {
-      console.log(chalk4.bold("For Windows (via WSL):"));
-      console.log("  Open your WSL terminal and run:");
-      console.log(chalk4.green("  curl -fsS https://get.uncloud.run/install.sh | sh\n"));
+      const result = execSync3(`uc ${fullArgs.map((a) => `"${a}"`).join(" ")}`, {
+        cwd: options.cwd,
+        encoding: "utf-8",
+        timeout: options.timeout
+      });
+      return result;
     }
-    console.log("Documentation: https://uncloud.run/docs/getting-started/install-cli\n");
-  }
-  /**
-   * Prompt user for input from stdin
-   */
-  static async promptUser() {
-    return new Promise((resolve) => {
-      process.stdin.resume();
-      process.stdin.setEncoding("utf8");
-      const onData = (input) => {
-        process.stdin.pause();
-        process.stdin.removeListener("data", onData);
-        resolve(input.trim().toLowerCase());
-      };
-      process.stdin.on("data", onData);
-    });
   }
   /**
-   * Attempt to auto-install uncloud with user confirmation
+   * Run 'uc deploy' for an app
    */
-  static async autoInstall() {
-    const spinner = ora3("Installing uncloud...").start();
-    try {
-      execSync3("curl -fsS https://get.uncloud.run/install.sh | sh", {
-        stdio: "inherit"
-      });
-      spinner.succeed(chalk4.green("Uncloud installed successfully!"));
-      if (this.isInstalled()) {
-        const version = this.getVersion();
-        console.log(chalk4.cyan(`\u2713 Uncloud ${version} is ready to use
-`));
-      } else {
-        spinner.warn(chalk4.yellow("Installation completed but uc command not found in PATH"));
-        console.log(chalk4.yellow("\nYou may need to:"));
-        console.log("  1. Restart your terminal");
-        console.log("  2. Or run: source ~/.bashrc (or ~/.zshrc)\n");
-        throw new Error("Please restart your terminal and try again");
-      }
-    } catch (error) {
-      spinner.fail(chalk4.red("Failed to install uncloud"));
-      console.log(chalk4.red(`
-Error: ${error.message}
-`));
-      console.log(chalk4.yellow("Please try manual installation:"));
-      console.log("  curl -fsS https://get.uncloud.run/install.sh | sh\n");
-      throw error;
-    }
-  }
-};
-
-// src/lib/platform-auth.ts
-import chalk5 from "chalk";
-function getPlatformToken() {
-  const configManager = new ConfigManager();
-  try {
-    const config = configManager.load();
-    return config.apiToken;
-  } catch (error) {
-    console.error(chalk5.red("\n Not logged in"));
-    console.log(chalk5.cyan("\nPlease login first:\n"));
-    console.log(`  ${chalk5.bold("hackerrun login")}
-`);
-    process.exit(1);
-  }
-}
-
-// src/lib/platform-client.ts
-var PLATFORM_API_URL2 = process.env.HACKERRUN_API_URL || "http://localhost:3000";
-var DEFAULT_RETRIES = 3;
-var RETRY_DELAY_MS = 2e3;
-function sleep2(ms) {
-  return new Promise((resolve) => setTimeout(resolve, ms));
-}
-function isRetryableError(error, status) {
-  if (error?.cause?.code === "ECONNREFUSED" || error?.cause?.code === "ECONNRESET" || error?.cause?.code === "ETIMEDOUT" || error?.message?.includes("fetch failed") || error?.message?.includes("network") || error?.message?.includes("ECONNREFUSED")) {
-    return true;
-  }
-  if (status && status >= 500) {
-    return true;
-  }
-  return false;
-}
-var PlatformClient = class {
-  constructor(authToken) {
-    this.authToken = authToken;
-  }
-  async request(method, path, body, options = {}) {
-    const {
-      retries = DEFAULT_RETRIES,
-      retryDelay = RETRY_DELAY_MS,
-      operation = `${method} ${path}`
-    } = options;
-    const url = `${PLATFORM_API_URL2}${path}`;
-    let lastError = null;
-    for (let attempt = 1; attempt <= retries; attempt++) {
-      try {
-        const response = await fetch(url, {
-          method,
-          headers: {
-            Authorization: `Bearer ${this.authToken}`,
-            "Content-Type": "application/json"
-          },
-          body: body ? JSON.stringify(body) : void 0
-        });
-        if (!response.ok) {
-          const errorText = await response.text();
-          let errorMessage;
-          try {
-            const errorJson = JSON.parse(errorText);
-            errorMessage = errorJson.error || response.statusText;
-          } catch {
-            errorMessage = errorText || response.statusText;
-          }
-          const error = new Error(`API error (${response.status}): ${errorMessage}`);
-          if (isRetryableError(error, response.status) && attempt < retries) {
-            lastError = error;
-            await sleep2(retryDelay * attempt);
-            continue;
-          }
-          throw error;
-        }
-        return response.json();
-      } catch (error) {
-        lastError = error;
-        if (isRetryableError(error) && attempt < retries) {
-          await sleep2(retryDelay * attempt);
-          continue;
-        }
-        const errorMessage = error.message || "Unknown error";
-        throw new Error(`${operation} failed: ${errorMessage}`);
-      }
+  async deploy(appName, cwd) {
+    await this.run(appName, "deploy", ["--yes"], { cwd, stdio: "inherit" });
+  }
+  /**
+   * Run 'uc service logs' for an app
+   */
+  async logs(appName, serviceName, options = {}) {
+    const args = [serviceName];
+    if (options.follow) args.push("-f");
+    if (options.tail) args.push("--tail", String(options.tail));
+    await this.run(appName, "service", ["logs", ...args], { stdio: "inherit" });
+  }
+  /**
+   * Run 'uc service ls' for an app
+   */
+  async serviceList(appName) {
+    const result = await this.run(appName, "service", ["ls"], { stdio: "pipe" });
+    return result;
+  }
+  /**
+   * Run 'uc machine token' on remote VM via SSH
+   * This is different - it runs on the VM directly, not via uncloud connector
+   */
+  async getMachineToken(appName) {
+    const connInfo = await this.getConnectionInfo(appName);
+    let sshCmd2;
+    if (connInfo.viaGateway && connInfo.localPort) {
+      sshCmd2 = `ssh -p ${connInfo.localPort} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR root@localhost`;
+    } else {
+      sshCmd2 = `ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR root@${connInfo.vmIp}`;
     }
-    throw lastError || new Error(`${operation} failed after ${retries} attempts`);
+    const token = execSync3(`${sshCmd2} "uc machine token"`, { encoding: "utf-8" }).trim();
+    return token;
   }
-  // ==================== App State Management ====================
   /**
-   * List all apps for the authenticated user
+   * Execute an SSH command on the VM
    */
-  async listApps() {
-    const { apps } = await this.request("GET", "/api/apps");
-    return apps;
+  async sshExec(appName, command) {
+    const connInfo = await this.getConnectionInfo(appName);
+    let sshCmd2;
+    if (connInfo.viaGateway && connInfo.localPort) {
+      sshCmd2 = `ssh -p ${connInfo.localPort} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR root@localhost`;
+    } else {
+      sshCmd2 = `ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR root@${connInfo.vmIp}`;
+    }
+    return execSync3(`${sshCmd2} "${command}"`, { encoding: "utf-8" }).trim();
   }
   /**
-   * Get a specific app by name
+   * Remove a node from the uncloud cluster
+   * Uses 'uc machine rm' to drain containers and remove from cluster
    */
-  async getApp(appName) {
-    try {
-      const { app } = await this.request(
-        "GET",
-        `/api/apps/${appName}`,
-        void 0,
-        { operation: `Get app '${appName}'` }
-      );
-      return app;
-    } catch (error) {
-      if (error.message.includes("404") || error.message.includes("not found")) {
-        return null;
-      }
-      throw error;
+  async removeNode(appName, nodeName) {
+    const connInfo = await this.getConnectionInfo(appName);
+    const result = spawnSync3("uc", ["--connect", connInfo.url, "machine", "rm", nodeName, "--yes"], {
+      stdio: "inherit",
+      timeout: 3e5
+      // 5 minute timeout for container drainage
+    });
+    if (result.status !== 0) {
+      throw new Error(`Failed to remove node '${nodeName}' from cluster (exit code ${result.status})`);
     }
   }
   /**
-   * Create or update an app
-   * Returns the app with auto-generated domainName
+   * List machines in the uncloud cluster
    */
-  async saveApp(cluster) {
-    const { app } = await this.request(
-      "POST",
-      "/api/apps",
-      {
-        appName: cluster.appName,
-        location: cluster.location,
-        uncloudContext: cluster.uncloudContext,
-        nodes: cluster.nodes.map((node) => ({
-          name: node.name,
-          id: node.id,
-          ipv4: node.ipv4,
-          ipv6: node.ipv6,
-          isPrimary: node.isPrimary
-        }))
-      },
-      { operation: `Save app '${cluster.appName}'` }
-    );
-    return app;
+  async listMachines(appName) {
+    const result = await this.run(appName, "machine", ["ls"], { stdio: "pipe" });
+    return result;
   }
   /**
-   * Update app's last deployed timestamp
+   * Get gateway info (cached)
    */
-  async updateLastDeployed(appName) {
-    await this.request("PATCH", `/api/apps/${appName}`, {
-      lastDeployedAt: (/* @__PURE__ */ new Date()).toISOString()
-    }, { operation: `Update last deployed for '${appName}'` });
+  async getGateway(location) {
+    if (this.gatewayCache.has(location)) {
+      return this.gatewayCache.get(location) || null;
+    }
+    const gateway = await this.platformClient.getGateway(location);
+    if (gateway) {
+      this.gatewayCache.set(location, { ipv4: gateway.ipv4, ipv6: gateway.ipv6 });
+      return { ipv4: gateway.ipv4, ipv6: gateway.ipv6 };
+    }
+    this.gatewayCache.set(location, null);
+    return null;
   }
   /**
-   * Rename an app (per-user unique)
+   * Clean up all SSH sessions, tunnels, and VPN
    */
-  async renameApp(currentAppName, newAppName) {
-    const { app } = await this.request("PATCH", `/api/apps/${currentAppName}`, {
-      newAppName
-    });
-    return app;
+  cleanup() {
+    this.tunnelManager.closeAll();
+    this.certManager.cleanupAll();
+    if (this.vpnEstablishedByUs) {
+      this.vpnManager.disconnect();
+      this.vpnEstablishedByUs = false;
+    }
   }
+};
+
+// src/lib/cluster.ts
+import { execSync as execSync4 } from "child_process";
+import ora2 from "ora";
+import chalk4 from "chalk";
+var platformKeysCache = null;
+var ClusterManager = class {
+  constructor(platformClient, uncloudRunner) {
+    this.platformClient = platformClient;
+    this.sshCertManager = new SSHCertManager(platformClient);
+    this.uncloudRunner = uncloudRunner || new UncloudRunner(platformClient);
+  }
+  sshCertManager;
+  uncloudRunner;
   /**
-   * Rename app's domain (globally unique)
+   * Get platform SSH keys (cached for the session)
+   * Returns CA public key and platform public key for VM creation
    */
-  async renameDomain(appName, newDomainName) {
-    const { app } = await this.request("PATCH", `/api/apps/${appName}`, {
-      newDomainName
-    });
-    return app;
+  async getPlatformKeys() {
+    if (platformKeysCache) {
+      return platformKeysCache;
+    }
+    try {
+      platformKeysCache = await this.platformClient.getPlatformSSHKeys();
+      return platformKeysCache;
+    } catch (error) {
+      throw new Error(`Failed to get platform SSH keys: ${error.message}`);
+    }
   }
   /**
-   * Delete an app
+   * Initialize a new cluster for an app (creates first VM and sets up uncloud)
+   *
+   * Flow:
+   * 1. Create VM with platform SSH key
+   * 2. Wait for VM to get IPv6 address
+   * 3. Call platform API to setup VM (DNS64, WireGuard, SSH CA)
+   * 4. Run `uc machine init` to install Docker + uncloud
+   * 5. Configure Docker for NAT64
+   * 6. Save app state to platform
+   *
+   * Users access VMs via SSH certificates signed by the platform CA.
    */
-  async deleteApp(appName) {
-    await this.request("DELETE", `/api/apps/${appName}`, void 0, { operation: `Delete app '${appName}'` });
+  async initializeCluster(options) {
+    const { appName, location, vmSize, storageSize, bootImage } = options;
+    let spinner = ora2(`Creating VM for '${appName}' in ${location}...`).start();
+    try {
+      spinner.text = "Fetching platform SSH keys...";
+      const platformKeys = await this.getPlatformKeys();
+      const gateway = await this.platformClient.getGateway(location);
+      const privateSubnetId = gateway?.subnetId;
+      spinner.text = "Creating VM...";
+      const vm = await this.platformClient.createAppVM(appName, {
+        location,
+        size: vmSize,
+        storage_size: storageSize,
+        boot_image: bootImage,
+        unix_user: "root",
+        public_key: platformKeys.platformPublicKey,
+        enable_ip4: !privateSubnetId,
+        // IPv6-only if we have a subnet for NAT64
+        private_subnet_id: privateSubnetId,
+        isPrimary: true
+      });
+      const vmName = vm.name;
+      spinner.text = `Waiting for VM '${vmName}' to be ready...`;
+      spinner.stop();
+      console.log(chalk4.cyan("\nWaiting for VM to get an IPv6 address..."));
+      const vmWithIp = await this.waitForVM(location, vmName, 600, false);
+      spinner = ora2("Setting up VM...").start();
+      spinner.text = "Waiting for SSH to be ready...";
+      await this.sleep(3e4);
+      spinner.text = "Configuring VM (DNS64, NAT64, SSH CA)...";
+      await this.platformClient.setupVM(vmWithIp.ip6, location, appName);
+      const cluster = {
+        appName,
+        location,
+        nodes: [{
+          name: vmName,
+          id: vm.id,
+          ipv6: vmWithIp.ip6,
+          isPrimary: true
+        }],
+        uncloudContext: appName,
+        createdAt: (/* @__PURE__ */ new Date()).toISOString()
+      };
+      spinner.text = "Registering app...";
+      const savedCluster = await this.platformClient.saveApp(cluster);
+      spinner.text = "Installing Docker and Uncloud...";
+      spinner.stop();
+      console.log(chalk4.cyan("\nInitializing uncloud (this may take a few minutes)..."));
+      await this.initializeUncloud(vmWithIp.ip6, appName, gateway?.ipv4);
+      spinner = ora2("Configuring Docker for NAT64...").start();
+      await this.configureDockerNAT64(vmWithIp.ip6, gateway?.ipv4);
+      spinner.text = "Waiting for uncloud services to be ready...";
+      await this.waitForUncloudReady(vmWithIp.ip6, gateway?.ipv4);
+      this.sshCertManager.cleanupAll();
+      spinner.succeed(chalk4.green(`Cluster initialized successfully`));
+      return savedCluster;
+    } catch (error) {
+      spinner.fail(chalk4.red("Failed to initialize cluster"));
+      throw error;
+    }
   }
   /**
-   * Check if app exists
+   * Add a node to an existing cluster
    */
-  async hasApp(appName) {
-    const app = await this.getApp(appName);
-    return app !== null;
+  async addNode(appName, vmSize, bootImage) {
+    const cluster = await this.platformClient.getApp(appName);
+    if (!cluster) {
+      throw new Error(`App '${appName}' not found`);
+    }
+    const existingNode = cluster.nodes.find((n) => n.ipv6);
+    if (!existingNode || !existingNode.ipv6) {
+      throw new Error(`No existing node with IPv6 address found to join`);
+    }
+    const gateway = await this.platformClient.getGateway(cluster.location);
+    const privateSubnetId = gateway?.subnetId;
+    let spinner = ora2("Adding node to cluster...").start();
+    try {
+      spinner.text = "Fetching platform SSH keys...";
+      const platformKeys = await this.getPlatformKeys();
+      spinner.text = "Creating VM...";
+      const vm = await this.platformClient.createAppVM(appName, {
+        location: cluster.location,
+        size: vmSize,
+        boot_image: bootImage,
+        unix_user: "root",
+        public_key: platformKeys.platformPublicKey,
+        enable_ip4: !privateSubnetId,
+        private_subnet_id: privateSubnetId,
+        isPrimary: false
+      });
+      const vmName = vm.name;
+      spinner.text = `Waiting for VM '${vmName}' to be ready...`;
+      spinner.stop();
+      console.log(chalk4.cyan("\nWaiting for VM to get an IPv6 address..."));
+      const vmWithIp = await this.waitForVM(cluster.location, vmName, 600, false);
+      spinner = ora2("Setting up VM...").start();
+      await this.sleep(3e4);
+      spinner.text = "Configuring VM...";
+      await this.platformClient.setupVM(vmWithIp.ip6, cluster.location, appName);
+      spinner.text = "Joining uncloud cluster...";
+      spinner.stop();
+      console.log(chalk4.cyan("\nJoining uncloud cluster..."));
+      await this.joinUncloudCluster(vmWithIp.ip6, appName);
+      spinner = ora2("Configuring Docker for NAT64...").start();
+      await this.configureDockerNAT64(vmWithIp.ip6, gateway?.ipv4);
+      spinner.succeed(chalk4.green(`Node '${vmName}' added successfully`));
+      const newNode = {
+        name: vmName,
+        id: vm.id,
+        ipv6: vmWithIp.ip6,
+        isPrimary: false
+      };
+      cluster.nodes.push(newNode);
+      await this.platformClient.saveApp(cluster);
+      return newNode;
+    } catch (error) {
+      spinner.fail(chalk4.red("Failed to add node"));
+      throw error;
+    }
   }
   /**
-   * Get primary node for an app
+   * Initialize uncloud on the VM using uc machine init
+   * Uses --no-dns because we manage our own domain via gateway
+   *
+   * Before running uc, we get an SSH certificate from the platform
+   * and add it to the ssh-agent. This allows uc to authenticate
+   * since the VM only accepts platform SSH key or signed certificates.
+   *
+   * If direct IPv6 connectivity is not available, tunnels through the gateway.
    */
-  async getPrimaryNode(appName) {
-    const app = await this.getApp(appName);
-    return app?.nodes.find((node) => node.isPrimary) || null;
+  async initializeUncloud(vmIp, contextName, gatewayIp) {
+    let tunnel = null;
+    let targetHost = vmIp;
+    try {
+      await this.sshCertManager.getSession(contextName, vmIp);
+      const canConnectDirect = await testIPv6Connectivity(vmIp, 3e3);
+      if (!canConnectDirect) {
+        if (!gatewayIp) {
+          throw new Error("No direct IPv6 connectivity and no gateway available");
+        }
+        console.log(chalk4.dim("No direct IPv6 connectivity, tunneling through gateway..."));
+        tunnel = await createTunnel(vmIp, gatewayIp);
+        targetHost = `localhost:${tunnel.localPort}`;
+      }
+      let initSucceeded = false;
+      try {
+        execSync4(`uc machine init -c "${contextName}" --no-dns root@${targetHost}`, {
+          stdio: "inherit",
+          timeout: 6e5
+          // 10 min timeout
+        });
+        initSucceeded = true;
+      } catch (error) {
+        console.log(chalk4.yellow("\nInitial setup had errors, will attempt to recover..."));
+      }
+      if (!initSucceeded) {
+        const maxCaddyAttempts = 5;
+        for (let attempt = 1; attempt <= maxCaddyAttempts; attempt++) {
+          console.log(chalk4.dim(`Waiting for machine to be ready (attempt ${attempt}/${maxCaddyAttempts})...`));
+          await new Promise((resolve) => setTimeout(resolve, 1e4));
+          try {
+            execSync4(`yes | uc -c "${contextName}" caddy deploy`, {
+              stdio: "inherit",
+              timeout: 12e4
+            });
+            console.log(chalk4.green("Caddy deployed successfully"));
+            break;
+          } catch (caddyError) {
+            if (attempt >= maxCaddyAttempts) {
+              throw new Error(`Caddy deployment failed after ${maxCaddyAttempts} attempts. The machine may need more time to initialize.`);
+            }
+          }
+        }
+      }
+      console.log(chalk4.dim("Uncloud initialization complete."));
+    } catch (error) {
+      throw new Error(`Failed to initialize uncloud: ${error.message}`);
+    } finally {
+      if (tunnel) {
+        killTunnel(tunnel);
+      }
+    }
   }
-  // ==================== VM Operations (Proxied to Ubicloud) ====================
   /**
-   * List all VMs for the user's Ubicloud project
+   * Join a new node to an existing uncloud cluster
+   * Uses `uc machine add` which handles:
+   * - SSH to the new machine
+   * - Installing uncloudd if needed
+   * - Getting token from new machine via gRPC
+   * - Registering machine in cluster
    */
-  async listVMs() {
-    const { vms } = await this.request("GET", "/api/vms");
-    return vms;
+  async joinUncloudCluster(newVmIp, appName) {
+    try {
+      await this.uncloudRunner.run(appName, "machine", ["add", `root@${newVmIp}`, "--no-caddy"], {
+        stdio: "inherit",
+        timeout: 6e5
+        // 10 min timeout
+      });
+    } catch (error) {
+      throw new Error(`Failed to join cluster: ${error.message}`);
+    }
   }
   /**
-   * Create a new VM
+   * Configure Docker for NAT64 support on IPv6-only VMs
+   *
+   * Problem: DNS64 returns both A (IPv4) and AAAA (IPv6) records. Applications may try
+   * IPv4 first, which times out because there's no route to IPv4 internet.
+   *
+   * Solution:
+   * 1. Enable IPv6 on Docker networks so containers get IPv6 addresses
+   * 2. Block IPv4 forwarding from Docker to internet so IPv4 fails immediately
+   * 3. Applications then use IPv6 (NAT64) which works via the gateway
+   *
+   * If direct IPv6 connectivity is not available, tunnels through the gateway.
    */
-  async createVM(params) {
-    const { vm } = await this.request("POST", "/api/vms", params, { operation: `Create VM '${params.name}'` });
-    return vm;
+  async configureDockerNAT64(vmIp, gatewayIp) {
+    const setupScript = `#!/bin/bash
+set -e
+
+# Step 1: Add IPv6 support to Docker daemon config
+DAEMON_JSON='/etc/docker/daemon.json'
+if [ -f "$DAEMON_JSON" ]; then
+  # Merge with existing config using jq
+  jq '. + {"ipv6": true, "fixed-cidr-v6": "fd00:d0c6:e4::/64"}' "$DAEMON_JSON" > /tmp/daemon.json
+  mv /tmp/daemon.json "$DAEMON_JSON"
+else
+  cat > "$DAEMON_JSON" << 'EOFJSON'
+{
+  "ipv6": true,
+  "fixed-cidr-v6": "fd00:d0c6:e4::/64"
+}
+EOFJSON
+fi
+
+# Step 2: Create systemd service to block IPv4 forwarding from Docker containers
+cat > /etc/systemd/system/docker-ipv6-nat64.service << 'EOFSVC'
+[Unit]
+Description=Block IPv4 forwarding from Docker containers (force NAT64)
+After=docker.service
+Requires=docker.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/sbin/iptables -I FORWARD -i br-+ -o ens3 -j REJECT --reject-with icmp-net-unreachable
+ExecStop=/sbin/iptables -D FORWARD -i br-+ -o ens3 -j REJECT --reject-with icmp-net-unreachable
+
+[Install]
+WantedBy=multi-user.target
+EOFSVC
+
+systemctl daemon-reload
+systemctl enable docker-ipv6-nat64
+
+# Step 3: Restart Docker to apply IPv6 config
+systemctl restart docker
+sleep 3
+
+# Step 4: Recreate uncloud network with IPv6 enabled
+CONTAINERS=$(docker ps -aq --filter network=uncloud 2>/dev/null || true)
+
+for container in $CONTAINERS; do
+  docker network disconnect uncloud "$container" 2>/dev/null || true
+done
+
+docker network rm uncloud 2>/dev/null || true
+docker network create --driver bridge   --subnet 10.210.0.0/24 --gateway 10.210.0.1   --ipv6 --subnet fd00:a10:210::/64 --gateway fd00:a10:210::1   uncloud
+
+for container in $CONTAINERS; do
+  docker network connect uncloud "$container" 2>/dev/null || true
+done
+
+# Step 5: Start the iptables service
+systemctl start docker-ipv6-nat64
+
+echo "Docker NAT64 configuration complete"
+`;
+    let tunnel = null;
+    let sshHost = vmIp;
+    let sshPortArgs = "";
+    try {
+      const canConnectDirect = await testIPv6Connectivity(vmIp, 3e3);
+      if (!canConnectDirect && gatewayIp) {
+        tunnel = await createTunnel(vmIp, gatewayIp);
+        sshHost = "localhost";
+        sshPortArgs = `-p ${tunnel.localPort}`;
+      }
+      execSync4(`ssh ${sshPortArgs} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@${sshHost} 'bash -s' << 'REMOTESCRIPT'
+${setupScript}
+REMOTESCRIPT`, {
+        stdio: "inherit",
+        timeout: 12e4
+        // 2 min timeout
+      });
+    } catch (error) {
+      throw new Error(`Failed to configure Docker for NAT64: ${error.message}`);
+    } finally {
+      if (tunnel) {
+        killTunnel(tunnel);
+      }
+    }
   }
   /**
-   * Get a specific VM
+   * Wait for VM to have an IP address
+   * @param requireIpv4 - If true, wait for IPv4 (for gateway VMs). Otherwise wait for IPv6.
    */
-  async getVM(location, vmName) {
-    const { vm } = await this.request(
-      "GET",
-      `/api/vms/${location}/${vmName}`,
-      void 0,
-      { operation: `Get VM '${vmName}'` }
+  async waitForVM(location, vmName, timeoutSeconds, requireIpv4 = false) {
+    const startTime = Date.now();
+    const timeoutMs = timeoutSeconds * 1e3;
+    let lastStatus = "";
+    while (Date.now() - startTime < timeoutMs) {
+      const vm = await this.platformClient.getVM(location, vmName);
+      if (vm.status && vm.status !== lastStatus) {
+        console.log(chalk4.dim(`  Status: ${vm.status}`));
+        lastStatus = vm.status;
+      }
+      const hasRequiredIp = requireIpv4 ? vm.ip4 : vm.ip6;
+      if (hasRequiredIp) {
+        const ipDisplay = requireIpv4 ? vm.ip4 : vm.ip6;
+        console.log(chalk4.green(`  IP assigned: ${ipDisplay}`));
+        return vm;
+      }
+      const elapsed = Math.floor((Date.now() - startTime) / 1e3);
+      const ipType = requireIpv4 ? "IPv4" : "IPv6";
+      process.stdout.write(`\r  Waiting for ${ipType}... (${elapsed}s / ${timeoutSeconds}s)`);
+      await this.sleep(5e3);
+    }
+    process.stdout.write("\n");
+    throw new Error(
+      `Timeout waiting for VM to get IP address after ${timeoutSeconds}s.
+
+The VM may still be provisioning. You can:
+  1. Check VM status: hackerrun vm list
+  2. Delete and retry: hackerrun vm delete ${vmName}
+  3. Check Ubicloud console: https://console.ubicloud.com`
     );
-    return vm;
-  }
-  /**
-   * Delete a VM
-   */
-  async deleteVM(location, vmName) {
-    await this.request("DELETE", `/api/vms/${location}/${vmName}`, void 0, { operation: `Delete VM '${vmName}'` });
-  }
-  // ==================== Uncloud Config Management ====================
-  /**
-   * Upload uncloud config to platform
-   */
-  async uploadUncloudConfig(configYaml) {
-    await this.request("POST", "/api/uncloud/config", { config: configYaml });
   }
   /**
-   * Download uncloud config from platform
+   * Wait for uncloud services to be ready on the VM
+   * Specifically checks that unregistry (Docker registry at 10.210.0.1:5000) is accepting connections
+   * This is critical for first deploy - push will fail if unregistry isn't ready
    */
-  async downloadUncloudConfig() {
-    try {
-      const { config } = await this.request("GET", "/api/uncloud/config");
-      return config;
-    } catch (error) {
-      if (error.message.includes("404") || error.message.includes("not found")) {
-        return null;
+  async waitForUncloudReady(vmIp, gatewayIp) {
+    const maxAttempts = 30;
+    const checkInterval = 2e3;
+    const canConnectDirect = await testIPv6Connectivity(vmIp, 3e3);
+    const proxyJump = !canConnectDirect && gatewayIp ? `-J root@${gatewayIp}` : "";
+    const sshBase = `ssh ${proxyJump} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR -o ConnectTimeout=10 root@${vmIp}`;
+    console.log(chalk4.dim("  Waiting for uncloud services..."));
+    for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+      try {
+        const result = execSync4(
+          `${sshBase} "curl -sf --max-time 5 http://10.210.0.1:5000/v2/ >/dev/null 2>&1 && echo ready || echo notready"`,
+          { encoding: "utf-8", timeout: 2e4, stdio: ["pipe", "pipe", "pipe"] }
+        ).trim();
+        if (result.includes("ready")) {
+          console.log(chalk4.dim("  Uncloud services ready"));
+          return;
+        }
+      } catch (error) {
       }
-      throw error;
-    }
-  }
-  // ==================== Gateway Management ====================
-  /**
-   * Get gateway info for a location
-   */
-  async getGateway(location) {
-    try {
-      const { gateway } = await this.request("GET", `/api/gateway?location=${encodeURIComponent(location)}`, void 0, { operation: `Get gateway for '${location}'` });
-      return gateway;
-    } catch (error) {
-      if (error.message.includes("404") || error.message.includes("not found")) {
-        return null;
+      if (attempt % 5 === 0) {
+        console.log(chalk4.dim(`  Still waiting for unregistry... (attempt ${attempt}/${maxAttempts})`));
+      }
+      if (attempt < maxAttempts) {
+        await this.sleep(checkInterval);
       }
-      throw error;
     }
+    console.log(chalk4.yellow("  Warning: Timeout waiting for unregistry, continuing anyway..."));
   }
-  // ==================== Route Management ====================
   /**
-   * Register a route for an app (maps hostname to VM IPv6)
+   * Sleep for specified milliseconds
    */
-  async registerRoute(appName, backendIpv6, backendPort = 443) {
-    const { route } = await this.request("POST", "/api/routes", {
-      appName,
-      backendIpv6,
-      backendPort
-    }, { operation: `Register route for '${appName}'` });
-    return route;
+  sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
   }
+};
+
+// src/lib/platform.ts
+import { platform as platform2 } from "os";
+import chalk5 from "chalk";
+var PlatformDetector = class {
   /**
-   * Delete routes for an app
+   * Check if running on Windows
    */
-  async deleteRoute(appName) {
-    await this.request("DELETE", `/api/routes/${encodeURIComponent(appName)}`);
+  static isWindows() {
+    return platform2() === "win32";
   }
-  // ==================== Gateway Route Sync ====================
   /**
-   * Sync gateway Caddy configuration for a location
-   * This updates the gateway's reverse proxy config with current routes
+   * Check if running inside WSL (Windows Subsystem for Linux)
    */
-  async syncGatewayRoutes(location) {
-    const result = await this.request("POST", "/api/gateway/sync", { location }, { operation: `Sync gateway routes for '${location}'` });
-    return { routeCount: result.routeCount };
+  static isWSL() {
+    if (!this.isWindows()) {
+      if (platform2() === "linux") {
+        try {
+          const fs = __require("fs");
+          const procVersion = fs.readFileSync("/proc/version", "utf8").toLowerCase();
+          return procVersion.includes("microsoft") || procVersion.includes("wsl");
+        } catch {
+          return false;
+        }
+      }
+      return false;
+    }
+    return false;
   }
-  // ==================== SSH Certificate Management ====================
   /**
-   * Get platform SSH keys (CA public key + platform public key for VM creation)
+   * Check if platform is supported for hackerrun
    */
-  async getPlatformSSHKeys() {
-    return this.request("GET", "/api/platform/ssh-keys", void 0, { operation: "Get platform SSH keys" });
+  static isSupported() {
+    return platform2() === "darwin" || platform2() === "linux" || this.isWSL();
   }
   /**
-   * Initialize platform SSH keys (creates them if they don't exist)
+   * Get platform name for display
    */
-  async initPlatformSSHKeys() {
-    return this.request("POST", "/api/platform/ssh-keys");
+  static getPlatformName() {
+    if (this.isWSL()) return "WSL (Windows Subsystem for Linux)";
+    if (platform2() === "win32") return "Windows";
+    if (platform2() === "darwin") return "macOS";
+    if (platform2() === "linux") return "Linux";
+    return platform2();
   }
   /**
-   * Request a signed SSH certificate for accessing an app's VMs
-   * Returns a short-lived certificate (5 min) signed by the platform CA
+   * Ensure platform is supported, exit with helpful message if not
    */
-  async requestSSHCertificate(appName, publicKey) {
-    return this.request("POST", `/api/apps/${appName}/ssh-certificate`, { publicKey }, { operation: `Request SSH certificate for '${appName}'` });
+  static ensureSupported() {
+    if (this.isWindows() && !this.isWSL()) {
+      console.log(chalk5.yellow("\n\u26A0\uFE0F  Windows detected\n"));
+      console.log("Hackerrun requires WSL (Windows Subsystem for Linux) to run.");
+      console.log("Uncloud and SSH tools work best in a Linux environment.\n");
+      console.log(chalk5.cyan("How to set up WSL:\n"));
+      console.log("1. Open PowerShell as Administrator and run:");
+      console.log(chalk5.bold("   wsl --install\n"));
+      console.log("2. Restart your computer\n");
+      console.log("3. Install Ubuntu from Microsoft Store (or use default Linux)\n");
+      console.log("4. Open WSL terminal and install hackerrun:");
+      console.log(chalk5.bold("   npm install -g hackerrun\n"));
+      console.log("Learn more: https://docs.microsoft.com/en-us/windows/wsl/install\n");
+      console.log(chalk5.red("Please install WSL and run hackerrun from WSL terminal.\n"));
+      process.exit(1);
+    }
+    if (!this.isSupported()) {
+      console.log(chalk5.red(`
+\u274C Platform '${platform2()}' is not supported
+`));
+      console.log("Hackerrun supports:");
+      console.log("  - macOS");
+      console.log("  - Linux");
+      console.log("  - Windows (via WSL)\n");
+      process.exit(1);
+    }
   }
-  // ==================== VM Setup ====================
+};
+
+// src/lib/uncloud.ts
+import { execSync as execSync5 } from "child_process";
+import { platform as platform3 } from "os";
+import chalk6 from "chalk";
+import ora3 from "ora";
+var UncloudManager = class {
   /**
-   * Setup a newly created VM (DNS64, NAT64, SSH CA, Docker, uncloud)
-   * This runs all configuration using the platform SSH key
+   * Check if uncloud CLI is installed
    */
-  async setupVM(vmIp, location, appName) {
-    await this.request("POST", "/api/vms/setup", {
-      vmIp,
-      location,
-      appName
-    }, { operation: `Setup VM for '${appName}'`, retries: 5, retryDelay: 3e3 });
+  static isInstalled() {
+    try {
+      execSync5("uc --version", { stdio: "pipe" });
+      return true;
+    } catch {
+      return false;
+    }
   }
-  // ==================== Environment Variables ====================
   /**
-   * Set a single environment variable
+   * Get uncloud version
    */
-  async setEnvVar(appName, key, value) {
-    await this.request("POST", `/api/apps/${appName}/env`, { key, value });
+  static getVersion() {
+    try {
+      const version = execSync5("uc --version", { encoding: "utf-8" }).trim();
+      return version;
+    } catch {
+      return null;
+    }
   }
   /**
-   * Set multiple environment variables at once
+   * Check if uncloud is installed, offer to install if not
+   * @param options.nonInteractive - If true, fail immediately without prompting (for CI/CD)
    */
-  async setEnvVars(appName, vars) {
-    await this.request("POST", `/api/apps/${appName}/env`, { vars });
+  static async ensureInstalled(options) {
+    if (this.isInstalled()) {
+      return;
+    }
+    if (options?.nonInteractive) {
+      console.error(chalk6.red("\n\u274C Uncloud CLI (uc) not found\n"));
+      console.error("The uncloud CLI must be installed on the build VM.");
+      console.error("This is a build infrastructure issue - the uc binary should be pre-installed.\n");
+      process.exit(1);
+    }
+    console.log(chalk6.yellow("\n\u26A0\uFE0F  Uncloud CLI not found\n"));
+    console.log("Uncloud is required to deploy and manage your apps.");
+    console.log("Learn more: https://uncloud.run\n");
+    const os = platform3();
+    if (os === "darwin" || os === "linux") {
+      this.showInstallInstructions();
+      console.log(chalk6.cyan("Would you like to install uncloud now? (Y/n): "));
+      const answer = await this.promptUser();
+      if (answer === "y" || answer === "yes" || answer === "") {
+        try {
+          await this.autoInstall();
+          return;
+        } catch (error) {
+          console.log(chalk6.red("\nAuto-installation failed. Please install manually.\n"));
+          process.exit(1);
+        }
+      } else {
+        console.log(chalk6.yellow("\nPlease install uncloud manually and run hackerrun again.\n"));
+        process.exit(1);
+      }
+    } else {
+      this.showInstallInstructions();
+      console.log(chalk6.red("Please install uncloud and run hackerrun again.\n"));
+      process.exit(1);
+    }
   }
   /**
-   * List environment variables (values are masked)
+   * Show installation instructions based on platform
    */
-  async listEnvVars(appName) {
-    const { envVars } = await this.request("GET", `/api/apps/${appName}/env`);
-    return envVars;
+  static showInstallInstructions() {
+    const os = platform3();
+    console.log(chalk6.cyan("Installation instructions:\n"));
+    if (os === "darwin" || os === "linux") {
+      console.log(chalk6.bold("Option 1: Automated install (Recommended)"));
+      console.log(chalk6.green("  curl -fsS https://get.uncloud.run/install.sh | sh\n"));
+      console.log(chalk6.bold("Option 2: Homebrew"));
+      console.log(chalk6.green("  brew install psviderski/tap/uncloud\n"));
+      console.log(chalk6.bold("Option 3: Manual download"));
+      console.log("  Download from: https://github.com/psviderski/uncloud/releases/latest");
+      console.log("  Extract and move to /usr/local/bin\n");
+    } else if (os === "win32") {
+      console.log(chalk6.bold("For Windows (via WSL):"));
+      console.log("  Open your WSL terminal and run:");
+      console.log(chalk6.green("  curl -fsS https://get.uncloud.run/install.sh | sh\n"));
+    }
+    console.log("Documentation: https://uncloud.run/docs/getting-started/install-cli\n");
   }
   /**
-   * Remove an environment variable
+   * Prompt user for input from stdin
    */
-  async unsetEnvVar(appName, key) {
-    await this.request("DELETE", `/api/apps/${appName}/env/${encodeURIComponent(key)}`);
+  static async promptUser() {
+    return new Promise((resolve) => {
+      process.stdin.resume();
+      process.stdin.setEncoding("utf8");
+      const onData = (input) => {
+        process.stdin.pause();
+        process.stdin.removeListener("data", onData);
+        resolve(input.trim().toLowerCase());
+      };
+      process.stdin.on("data", onData);
+    });
   }
-  // ==================== GitHub Connection ====================
   /**
-   * Create app metadata without creating VM (for connect-before-deploy flow)
+   * Attempt to auto-install uncloud with user confirmation
    */
-  async createAppMetadata(appName, location) {
-    const { app } = await this.request("POST", "/api/apps", {
-      appName,
-      location: location || "eu-central-h1",
-      metadataOnly: true
-      // Signal that we don't want to create VM yet
-    });
-    return app;
+  static async autoInstall() {
+    const spinner = ora3("Installing uncloud...").start();
+    try {
+      execSync5("curl -fsS https://get.uncloud.run/install.sh | sh", {
+        stdio: "inherit"
+      });
+      spinner.succeed(chalk6.green("Uncloud installed successfully!"));
+      if (this.isInstalled()) {
+        const version = this.getVersion();
+        console.log(chalk6.cyan(`\u2713 Uncloud ${version} is ready to use
+`));
+      } else {
+        spinner.warn(chalk6.yellow("Installation completed but uc command not found in PATH"));
+        console.log(chalk6.yellow("\nYou may need to:"));
+        console.log("  1. Restart your terminal");
+        console.log("  2. Or run: source ~/.bashrc (or ~/.zshrc)\n");
+        throw new Error("Please restart your terminal and try again");
+      }
+    } catch (error) {
+      spinner.fail(chalk6.red("Failed to install uncloud"));
+      console.log(chalk6.red(`
+Error: ${error.message}
+`));
+      console.log(chalk6.yellow("Please try manual installation:"));
+      console.log("  curl -fsS https://get.uncloud.run/install.sh | sh\n");
+      throw error;
+    }
+  }
+};
+
+// src/lib/platform-auth.ts
+import chalk7 from "chalk";
+function getPlatformToken() {
+  const configManager = new ConfigManager();
+  try {
+    const config = configManager.load();
+    return config.apiToken;
+  } catch (error) {
+    console.error(chalk7.red("\n Not logged in"));
+    console.log(chalk7.cyan("\nPlease login first:\n"));
+    console.log(`  ${chalk7.bold("hackerrun login")}
+`);
+    process.exit(1);
+  }
+}
+
+// src/lib/platform-client.ts
+var PLATFORM_API_URL2 = process.env.HACKERRUN_API_URL || "http://localhost:3000";
+var DEFAULT_RETRIES = 3;
+var RETRY_DELAY_MS = 2e3;
+function sleep2(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+function isRetryableError(error, status) {
+  if (error?.cause?.code === "ECONNREFUSED" || error?.cause?.code === "ECONNRESET" || error?.cause?.code === "ETIMEDOUT" || error?.message?.includes("fetch failed") || error?.message?.includes("network") || error?.message?.includes("ECONNREFUSED")) {
+    return true;
+  }
+  if (status && status >= 500) {
+    return true;
+  }
+  return false;
+}
+var PlatformClient = class {
+  constructor(authToken) {
+    this.authToken = authToken;
   }
-  /**
-   * Initiate GitHub App installation flow
-   */
-  async initiateGitHubConnect() {
-    return this.request("POST", "/api/github/connect");
+  async request(method, path, body, options = {}) {
+    const {
+      retries = DEFAULT_RETRIES,
+      retryDelay = RETRY_DELAY_MS,
+      operation = `${method} ${path}`
+    } = options;
+    const url = `${PLATFORM_API_URL2}${path}`;
+    let lastError = null;
+    for (let attempt = 1; attempt <= retries; attempt++) {
+      try {
+        const response = await fetch(url, {
+          method,
+          headers: {
+            Authorization: `Bearer ${this.authToken}`,
+            "Content-Type": "application/json"
+          },
+          body: body ? JSON.stringify(body) : void 0
+        });
+        if (!response.ok) {
+          const errorText = await response.text();
+          let errorMessage;
+          try {
+            const errorJson = JSON.parse(errorText);
+            errorMessage = errorJson.error || response.statusText;
+          } catch {
+            errorMessage = errorText || response.statusText;
+          }
+          const error = new Error(`API error (${response.status}): ${errorMessage}`);
+          if (isRetryableError(error, response.status) && attempt < retries) {
+            lastError = error;
+            await sleep2(retryDelay * attempt);
+            continue;
+          }
+          throw error;
+        }
+        return response.json();
+      } catch (error) {
+        lastError = error;
+        if (isRetryableError(error) && attempt < retries) {
+          await sleep2(retryDelay * attempt);
+          continue;
+        }
+        const errorMessage = error.message || "Unknown error";
+        throw new Error(`${operation} failed: ${errorMessage}`);
+      }
+    }
+    throw lastError || new Error(`${operation} failed after ${retries} attempts`);
   }
+  // ==================== App State Management ====================
   /**
-   * Poll for GitHub App installation completion
+   * List all apps for the authenticated user
    */
-  async pollGitHubConnect(stateToken) {
-    return this.request("GET", `/api/github/connect/poll?state=${encodeURIComponent(stateToken)}`);
+  async listApps() {
+    const { apps } = await this.request("GET", "/api/apps");
+    return apps;
   }
   /**
-   * Get current user's GitHub App installation
+   * Get a specific app by name
    */
-  async getGitHubInstallation() {
+  async getApp(appName) {
     try {
-      const { installation } = await this.request("GET", "/api/github/installation");
-      return installation;
+      const { app } = await this.request(
+        "GET",
+        `/api/apps/${appName}`,
+        void 0,
+        { operation: `Get app '${appName}'` }
+      );
+      return app;
     } catch (error) {
       if (error.message.includes("404") || error.message.includes("not found")) {
         return null;
@@ -1565,722 +1854,425 @@ var PlatformClient = class {
     }
   }
   /**
-   * Delete current user's GitHub App installation record
-   * Used when the installation becomes stale/invalid
+   * Create or update an app
+   * Returns the app with auto-generated domainName
    */
-  async deleteGitHubInstallation() {
-    await this.request("DELETE", "/api/github/installation");
+  async saveApp(cluster) {
+    const { app } = await this.request(
+      "POST",
+      "/api/apps",
+      {
+        appName: cluster.appName,
+        location: cluster.location,
+        uncloudContext: cluster.uncloudContext,
+        nodes: cluster.nodes.map((node) => ({
+          name: node.name,
+          id: node.id,
+          ipv4: node.ipv4,
+          ipv6: node.ipv6,
+          isPrimary: node.isPrimary
+        }))
+      },
+      { operation: `Save app '${cluster.appName}'` }
+    );
+    return app;
   }
   /**
-   * List repositories accessible via GitHub App installation
+   * Update app's last deployed timestamp
    */
-  async listAccessibleRepos() {
-    const { repos } = await this.request("GET", "/api/github/repos");
-    return repos;
+  async updateLastDeployed(appName) {
+    await this.request("PATCH", `/api/apps/${appName}`, {
+      lastDeployedAt: (/* @__PURE__ */ new Date()).toISOString()
+    }, { operation: `Update last deployed for '${appName}'` });
   }
   /**
-   * Connect a repository to an app
+   * Rename an app (per-user unique)
    */
-  async connectRepo(appName, repoFullName, branch) {
-    await this.request("POST", `/api/apps/${appName}/repo`, {
-      repoFullName,
-      branch: branch || "main"
+  async renameApp(currentAppName, newAppName) {
+    const { app } = await this.request("PATCH", `/api/apps/${currentAppName}`, {
+      newAppName
     });
+    return app;
   }
   /**
-   * Get connected repository for an app
-   */
-  async getConnectedRepo(appName) {
-    try {
-      const { repo } = await this.request("GET", `/api/apps/${appName}/repo`);
-      return repo;
-    } catch (error) {
-      if (error.message.includes("404") || error.message.includes("not found")) {
-        return null;
-      }
-      throw error;
-    }
-  }
-  /**
-   * Disconnect repository from an app
+   * Rename app's domain (globally unique)
    */
-  async disconnectRepo(appName) {
-    await this.request("DELETE", `/api/apps/${appName}/repo`);
+  async renameDomain(appName, newDomainName) {
+    const { app } = await this.request("PATCH", `/api/apps/${appName}`, {
+      newDomainName
+    });
+    return app;
   }
-  // ==================== Builds ====================
   /**
-   * List builds for an app
+   * Delete an app
    */
-  async listBuilds(appName, limit = 10) {
-    const { builds } = await this.request("GET", `/api/apps/${appName}/builds?limit=${limit}`);
-    return builds;
+  async deleteApp(appName) {
+    await this.request("DELETE", `/api/apps/${appName}`, void 0, { operation: `Delete app '${appName}'` });
   }
   /**
-   * Get build details
+   * Check if app exists
    */
-  async getBuild(appName, buildId) {
-    const { build } = await this.request("GET", `/api/apps/${appName}/builds/${buildId}`);
-    return build;
+  async hasApp(appName) {
+    const app = await this.getApp(appName);
+    return app !== null;
   }
   /**
-   * Get build events (for live streaming)
+   * Get primary node for an app
    */
-  async getBuildEvents(appName, buildId, after) {
-    let url = `/api/apps/${appName}/builds/${buildId}/events`;
-    if (after) {
-      url += `?after=${encodeURIComponent(after.toISOString())}`;
-    }
-    const { events } = await this.request("GET", url);
-    return events;
+  async getPrimaryNode(appName) {
+    const app = await this.getApp(appName);
+    return app?.nodes.find((node) => node.isPrimary) || null;
   }
-  // ==================== VPN Management ====================
+  // ==================== VM Operations (Proxied to Ubicloud) ====================
   /**
-   * Register VPN peer with the platform
-   * This is idempotent - if already registered, returns existing config
+   * List all VMs for the user's Ubicloud project
    */
-  async registerVPNPeer(publicKey, location) {
-    const { vpnConfig } = await this.request("POST", "/api/vpn/register", { publicKey, location }, { operation: "Register VPN peer" });
-    return vpnConfig;
+  async listVMs() {
+    const { vms } = await this.request("GET", "/api/vms");
+    return vms;
   }
   /**
-   * Get existing VPN config if registered
+   * Create a new VM
    */
-  async getVPNConfig(location) {
-    try {
-      const { vpnConfig } = await this.request("GET", `/api/vpn/config?location=${encodeURIComponent(location)}`);
-      return vpnConfig;
-    } catch (error) {
-      if (error.message.includes("404") || error.message.includes("not found")) {
-        return null;
-      }
-      throw error;
-    }
+  async createVM(params) {
+    const { vm } = await this.request("POST", "/api/vms", params, { operation: `Create VM '${params.name}'` });
+    return vm;
   }
   /**
-   * Unregister VPN peer
+   * Create a new VM for an app with auto-generated name
+   * Name format: u{userId}-{appName}-{nodeNum}
    */
-  async unregisterVPNPeer() {
-    await this.request("DELETE", "/api/vpn/unregister");
-  }
-};
-
-// src/lib/app-config.ts
-import { existsSync as existsSync3, readFileSync as readFileSync3, writeFileSync as writeFileSync3 } from "fs";
-import { join as join3 } from "path";
-import { parse, stringify } from "yaml";
-var CONFIG_FILENAME = "hackerrun.yaml";
-function getConfigPath(directory = process.cwd()) {
-  return join3(directory, CONFIG_FILENAME);
-}
-function hasAppConfig(directory = process.cwd()) {
-  return existsSync3(getConfigPath(directory));
-}
-function readAppConfig(directory = process.cwd()) {
-  const configPath = getConfigPath(directory);
-  if (!existsSync3(configPath)) {
-    return null;
-  }
-  try {
-    const content = readFileSync3(configPath, "utf-8");
-    const config = parse(content);
-    if (!config.appName) {
-      return null;
-    }
-    return config;
-  } catch (error) {
-    console.error(`Failed to parse ${CONFIG_FILENAME}:`, error);
-    return null;
-  }
-}
-function writeAppConfig(config, directory = process.cwd()) {
-  const configPath = getConfigPath(directory);
-  const content = stringify(config);
-  writeFileSync3(configPath, content, "utf-8");
-}
-function getAppName(directory = process.cwd()) {
-  const config = readAppConfig(directory);
-  if (config?.appName) {
-    return config.appName;
-  }
-  const folderName = directory.split("/").pop() || "app";
-  return folderName.toLowerCase().replace(/[^a-z0-9_-]/g, "-");
-}
-function linkApp(appName, directory = process.cwd()) {
-  writeAppConfig({ appName }, directory);
-}
-
-// src/lib/uncloud-runner.ts
-import { execSync as execSync5, spawnSync as spawnSync3 } from "child_process";
-
-// src/lib/vpn.ts
-import { execSync as execSync4, spawnSync as spawnSync2 } from "child_process";
-import { existsSync as existsSync4, readFileSync as readFileSync4, writeFileSync as writeFileSync4, mkdirSync as mkdirSync2, unlinkSync } from "fs";
-import { homedir as homedir2, platform as platform3 } from "os";
-import { join as join4 } from "path";
-import chalk6 from "chalk";
-function detectOS() {
-  const os = platform3();
-  if (os === "darwin") {
-    return { type: "macos" };
+  async createAppVM(appName, params) {
+    const { vm } = await this.request(
+      "POST",
+      `/api/apps/${appName}/vms`,
+      params,
+      { operation: `Create VM for app '${appName}'` }
+    );
+    return vm;
   }
-  if (os === "win32") {
-    return { type: "windows" };
+  /**
+   * Get a specific VM
+   */
+  async getVM(location, vmName) {
+    const { vm } = await this.request(
+      "GET",
+      `/api/vms/${location}/${vmName}`,
+      void 0,
+      { operation: `Get VM '${vmName}'` }
+    );
+    return vm;
   }
-  if (os === "linux") {
+  /**
+   * Delete a VM
+   */
+  async deleteVM(location, vmName) {
+    await this.request("DELETE", `/api/vms/${location}/${vmName}`, void 0, { operation: `Delete VM '${vmName}'` });
+  }
+  // ==================== Uncloud Config Management ====================
+  /**
+   * Upload uncloud config to platform
+   */
+  async uploadUncloudConfig(configYaml) {
+    await this.request("POST", "/api/uncloud/config", { config: configYaml });
+  }
+  /**
+   * Download uncloud config from platform
+   */
+  async downloadUncloudConfig() {
     try {
-      if (existsSync4("/etc/os-release")) {
-        const osRelease = readFileSync4("/etc/os-release", "utf-8");
-        const idMatch = osRelease.match(/^ID=(.*)$/m);
-        if (idMatch) {
-          const distro = idMatch[1].replace(/"/g, "").toLowerCase();
-          return { type: "linux", distro };
-        }
+      const { config } = await this.request("GET", "/api/uncloud/config");
+      return config;
+    } catch (error) {
+      if (error.message.includes("404") || error.message.includes("not found")) {
+        return null;
       }
-    } catch {
+      throw error;
     }
-    return { type: "linux" };
   }
-  return { type: "unknown" };
-}
-function getWireGuardInstallInstructions() {
-  const os = detectOS();
-  switch (os.type) {
-    case "macos":
-      return `  ${chalk6.cyan("macOS:")} brew install wireguard-tools`;
-    case "windows":
-      return `  ${chalk6.cyan("Windows:")} Download from https://www.wireguard.com/install/
-            Or using winget: winget install WireGuard.WireGuard`;
-    case "linux":
-      switch (os.distro) {
-        case "arch":
-        case "manjaro":
-        case "endeavouros":
-        case "artix":
-          return `  ${chalk6.cyan("Arch Linux:")} sudo pacman -S wireguard-tools`;
-        case "ubuntu":
-        case "debian":
-        case "linuxmint":
-        case "pop":
-        case "elementary":
-        case "zorin":
-          return `  ${chalk6.cyan("Ubuntu/Debian:")} sudo apt install wireguard`;
-        case "fedora":
-          return `  ${chalk6.cyan("Fedora:")} sudo dnf install wireguard-tools`;
-        case "rhel":
-        case "centos":
-        case "rocky":
-        case "almalinux":
-          return `  ${chalk6.cyan("RHEL/CentOS:")} sudo dnf install wireguard-tools
-               (may need EPEL: sudo dnf install epel-release)`;
-        case "opensuse":
-        case "opensuse-leap":
-        case "opensuse-tumbleweed":
-          return `  ${chalk6.cyan("openSUSE:")} sudo zypper install wireguard-tools`;
-        case "gentoo":
-          return `  ${chalk6.cyan("Gentoo:")} sudo emerge net-vpn/wireguard-tools`;
-        case "void":
-          return `  ${chalk6.cyan("Void Linux:")} sudo xbps-install wireguard-tools`;
-        case "alpine":
-          return `  ${chalk6.cyan("Alpine:")} sudo apk add wireguard-tools`;
-        case "nixos":
-          return `  ${chalk6.cyan("NixOS:")} Add wireguard-tools to environment.systemPackages`;
-        default:
-          return `  ${chalk6.cyan("Linux:")} Install wireguard-tools using your package manager:
-    Arch:          sudo pacman -S wireguard-tools
-    Ubuntu/Debian: sudo apt install wireguard
-    Fedora:        sudo dnf install wireguard-tools
-    openSUSE:      sudo zypper install wireguard-tools`;
+  // ==================== Gateway Management ====================
+  /**
+   * Get gateway info for a location
+   */
+  async getGateway(location) {
+    try {
+      const { gateway } = await this.request("GET", `/api/gateway?location=${encodeURIComponent(location)}`, void 0, { operation: `Get gateway for '${location}'` });
+      return gateway;
+    } catch (error) {
+      if (error.message.includes("404") || error.message.includes("not found")) {
+        return null;
       }
-    default:
-      return `  Visit https://www.wireguard.com/install/ for installation instructions`;
-  }
-}
-var CONFIG_DIR = join4(homedir2(), ".config", "hackerrun");
-var PRIVATE_KEY_FILE = join4(CONFIG_DIR, "wg-private-key");
-var WG_INTERFACE = "hackerrun";
-var WG_CONFIG_PATH = `/etc/wireguard/${WG_INTERFACE}.conf`;
-function isWireGuardInstalled() {
-  try {
-    execSync4("which wg", { stdio: "ignore" });
-    execSync4("which wg-quick", { stdio: "ignore" });
-    return true;
-  } catch {
-    return false;
-  }
-}
-function ensureConfigDir() {
-  if (!existsSync4(CONFIG_DIR)) {
-    mkdirSync2(CONFIG_DIR, { recursive: true, mode: 448 });
-  }
-}
-function generateKeyPair() {
-  const privateKey = execSync4("wg genkey", { encoding: "utf-8" }).trim();
-  const publicKey = execSync4("wg pubkey", {
-    input: privateKey,
-    encoding: "utf-8"
-  }).trim();
-  return { privateKey, publicKey };
-}
-function getOrCreateKeyPair() {
-  ensureConfigDir();
-  if (existsSync4(PRIVATE_KEY_FILE)) {
-    const privateKey2 = readFileSync4(PRIVATE_KEY_FILE, "utf-8").trim();
-    const publicKey2 = execSync4("wg pubkey", {
-      input: privateKey2,
-      encoding: "utf-8"
-    }).trim();
-    return { privateKey: privateKey2, publicKey: publicKey2, isNew: false };
+      throw error;
+    }
   }
-  const { privateKey, publicKey } = generateKeyPair();
-  writeFileSync4(PRIVATE_KEY_FILE, privateKey + "\n", { mode: 384 });
-  return { privateKey, publicKey, isNew: true };
-}
-function getPublicKey() {
-  if (!existsSync4(PRIVATE_KEY_FILE)) {
-    return null;
+  // ==================== Route Management ====================
+  /**
+   * Register a route for an app (maps hostname to VM IPv6)
+   */
+  async registerRoute(appName, backendIpv6, backendPort = 443) {
+    const { route } = await this.request("POST", "/api/routes", {
+      appName,
+      backendIpv6,
+      backendPort
+    }, { operation: `Register route for '${appName}'` });
+    return route;
   }
-  const privateKey = readFileSync4(PRIVATE_KEY_FILE, "utf-8").trim();
-  return execSync4("wg pubkey", {
-    input: privateKey,
-    encoding: "utf-8"
-  }).trim();
-}
-function isVPNUp() {
-  try {
-    const result = execSync4(`ip link show ${WG_INTERFACE}`, {
-      encoding: "utf-8",
-      stdio: ["pipe", "pipe", "pipe"]
-    });
-    return result.includes(WG_INTERFACE);
-  } catch {
-    return false;
+  /**
+   * Delete routes for an app
+   */
+  async deleteRoute(appName) {
+    await this.request("DELETE", `/api/routes/${encodeURIComponent(appName)}`);
   }
-}
-function isRoutedViaVPN(ipv6Address) {
-  if (!isVPNUp()) {
-    return false;
+  // ==================== Gateway Route Sync ====================
+  /**
+   * Sync gateway Caddy configuration for a location
+   * This updates the gateway's reverse proxy config with current routes
+   */
+  async syncGatewayRoutes(location) {
+    const result = await this.request("POST", "/api/gateway/sync", { location }, { operation: `Sync gateway routes for '${location}'` });
+    return { routeCount: result.routeCount };
   }
-  try {
-    const result = execSync4(`ip -6 route get ${ipv6Address}`, {
-      encoding: "utf-8",
-      stdio: ["pipe", "pipe", "pipe"]
-    });
-    return result.includes(`dev ${WG_INTERFACE}`);
-  } catch {
-    return false;
+  // ==================== SSH Certificate Management ====================
+  /**
+   * Get platform SSH keys (CA public key + platform public key for VM creation)
+   */
+  async getPlatformSSHKeys() {
+    return this.request("GET", "/api/platform/ssh-keys", void 0, { operation: "Get platform SSH keys" });
   }
-}
-function getVPNStatus() {
-  if (!isVPNUp()) {
-    return { connected: false };
+  /**
+   * Initialize platform SSH keys (creates them if they don't exist)
+   */
+  async initPlatformSSHKeys() {
+    return this.request("POST", "/api/platform/ssh-keys");
   }
-  try {
-    const output = execSync4(`sudo wg show ${WG_INTERFACE}`, {
-      encoding: "utf-8",
-      stdio: ["pipe", "pipe", "pipe"]
-    });
-    const lines = output.split("\n");
-    let endpoint;
-    let latestHandshake;
-    let transferRx;
-    let transferTx;
-    for (const line of lines) {
-      if (line.includes("endpoint:")) {
-        endpoint = line.split("endpoint:")[1]?.trim();
-      }
-      if (line.includes("latest handshake:")) {
-        latestHandshake = line.split("latest handshake:")[1]?.trim();
-      }
-      if (line.includes("transfer:")) {
-        const transfer = line.split("transfer:")[1]?.trim();
-        const parts = transfer?.split(",");
-        transferRx = parts?.[0]?.trim();
-        transferTx = parts?.[1]?.trim();
-      }
-    }
-    return {
-      connected: true,
-      interface: WG_INTERFACE,
-      endpoint,
-      latestHandshake,
-      transferRx,
-      transferTx
-    };
-  } catch {
-    return { connected: isVPNUp(), interface: WG_INTERFACE };
+  /**
+   * Request a signed SSH certificate for accessing an app's VMs
+   * Returns a short-lived certificate (5 min) signed by the platform CA
+   */
+  async requestSSHCertificate(appName, publicKey) {
+    return this.request("POST", `/api/apps/${appName}/ssh-certificate`, { publicKey }, { operation: `Request SSH certificate for '${appName}'` });
   }
-}
-function generateWireGuardConfig(config) {
-  return `# HackerRun VPN - Auto-generated
-# Do not edit manually
-
-[Interface]
-PrivateKey = ${config.privateKey}
-Address = ${config.address}
-
-[Peer]
-PublicKey = ${config.gatewayPublicKey}
-Endpoint = ${config.gatewayEndpoint}
-AllowedIPs = ${config.allowedIPs}
-PersistentKeepalive = 25
-`;
-}
-function writeWireGuardConfig(config) {
-  const configContent = generateWireGuardConfig(config);
-  const tempFile = join4(CONFIG_DIR, "wg-temp.conf");
-  writeFileSync4(tempFile, configContent, { mode: 384 });
-  try {
-    execSync4("sudo mkdir -p /etc/wireguard", { stdio: "inherit" });
-    execSync4(`sudo mv ${tempFile} ${WG_CONFIG_PATH}`, { stdio: "inherit" });
-    execSync4(`sudo chmod 600 ${WG_CONFIG_PATH}`, { stdio: "inherit" });
-  } catch (error) {
-    if (existsSync4(tempFile)) {
-      unlinkSync(tempFile);
-    }
-    throw error;
+  // ==================== VM Setup ====================
+  /**
+   * Setup a newly created VM (DNS64, NAT64, SSH CA, Docker, uncloud)
+   * This runs all configuration using the platform SSH key
+   */
+  async setupVM(vmIp, location, appName) {
+    await this.request("POST", "/api/vms/setup", {
+      vmIp,
+      location,
+      appName
+    }, { operation: `Setup VM for '${appName}'`, retries: 5, retryDelay: 3e3 });
   }
-}
-function vpnUp() {
-  if (isVPNUp()) {
-    return;
+  // ==================== Environment Variables ====================
+  /**
+   * Set a single environment variable
+   */
+  async setEnvVar(appName, key, value) {
+    await this.request("POST", `/api/apps/${appName}/env`, { key, value });
   }
-  const result = spawnSync2("sudo", ["wg-quick", "up", WG_INTERFACE], {
-    stdio: "inherit"
-  });
-  if (result.status !== 0) {
-    throw new Error(`Failed to bring up VPN interface (exit code ${result.status})`);
+  /**
+   * Set multiple environment variables at once
+   */
+  async setEnvVars(appName, vars) {
+    await this.request("POST", `/api/apps/${appName}/env`, { vars });
   }
-}
-function vpnDown() {
-  if (!isVPNUp()) {
-    return;
+  /**
+   * List environment variables (values are masked)
+   */
+  async listEnvVars(appName) {
+    const { envVars } = await this.request("GET", `/api/apps/${appName}/env`);
+    return envVars;
   }
-  const result = spawnSync2("sudo", ["wg-quick", "down", WG_INTERFACE], {
-    stdio: "inherit"
-  });
-  if (result.status !== 0) {
-    throw new Error(`Failed to bring down VPN interface (exit code ${result.status})`);
+  /**
+   * Remove an environment variable
+   */
+  async unsetEnvVar(appName, key) {
+    await this.request("DELETE", `/api/apps/${appName}/env/${encodeURIComponent(key)}`);
   }
-}
-function testIPv6Connectivity2(ipv6Address, timeoutSeconds = 3) {
-  try {
-    execSync4(`ping -6 -c 1 -W ${timeoutSeconds} ${ipv6Address}`, {
-      stdio: "ignore",
-      timeout: (timeoutSeconds + 2) * 1e3
+  // ==================== GitHub Connection ====================
+  /**
+   * Create app metadata without creating VM (for connect-before-deploy flow)
+   */
+  async createAppMetadata(appName, location) {
+    const { app } = await this.request("POST", "/api/apps", {
+      appName,
+      location: location || "eu-central-h1",
+      metadataOnly: true
+      // Signal that we don't want to create VM yet
     });
-    return true;
-  } catch {
-    return false;
+    return app;
   }
-}
-var VPNManager = class {
-  wasConnectedByUs = false;
   /**
-   * Ensure VPN is connected if IPv6 is not available
-   * Returns true if VPN was established (and should be torn down later)
+   * Initiate GitHub App installation flow
    */
-  async ensureConnected(targetIPv6, getVPNConfig) {
-    if (testIPv6Connectivity2(targetIPv6)) {
-      console.log(chalk6.green("\u2713 Direct IPv6 connectivity available"));
-      return false;
-    }
-    console.log(chalk6.yellow("IPv6 not available, checking VPN..."));
-    if (isVPNUp()) {
-      if (testIPv6Connectivity2(targetIPv6)) {
-        console.log(chalk6.green("\u2713 VPN already connected"));
-        return false;
-      }
-      console.log(chalk6.yellow("VPN is up but cannot reach target, reconnecting..."));
-      vpnDown();
-    }
-    if (!isWireGuardInstalled()) {
-      const instructions = getWireGuardInstallInstructions();
-      throw new Error(
-        "WireGuard is not installed.\n\nWireGuard is needed for IPv6 connectivity to your app VMs.\nPlease install it and try again:\n\n" + instructions
-      );
-    }
-    console.log(chalk6.cyan("Establishing VPN tunnel (requires sudo)..."));
-    const { publicKey, isNew } = getOrCreateKeyPair();
-    if (isNew) {
-      console.log(chalk6.dim("Generated new WireGuard keypair"));
-    }
-    const vpnConfig = await getVPNConfig();
-    writeWireGuardConfig(vpnConfig);
-    vpnUp();
-    if (!testIPv6Connectivity2(targetIPv6)) {
-      vpnDown();
-      throw new Error("VPN established but cannot reach target. Please try again.");
-    }
-    console.log(chalk6.green("\u2713 VPN connected"));
-    this.wasConnectedByUs = true;
-    return true;
+  async initiateGitHubConnect() {
+    return this.request("POST", "/api/github/connect");
   }
   /**
-   * Disconnect VPN if we established it
+   * Poll for GitHub App installation completion
    */
-  disconnect() {
-    if (this.wasConnectedByUs && isVPNUp()) {
-      console.log(chalk6.dim("Disconnecting VPN..."));
-      try {
-        vpnDown();
-        console.log(chalk6.green("\u2713 VPN disconnected"));
-      } catch (error) {
-        console.log(chalk6.yellow(`Warning: Failed to disconnect VPN: ${error.message}`));
-      }
-      this.wasConnectedByUs = false;
-    }
-  }
-};
-
-// src/lib/uncloud-runner.ts
-import chalk7 from "chalk";
-var UncloudRunner = class {
-  constructor(platformClient) {
-    this.platformClient = platformClient;
-    this.certManager = new SSHCertManager(platformClient);
+  async pollGitHubConnect(stateToken) {
+    return this.request("GET", `/api/github/connect/poll?state=${encodeURIComponent(stateToken)}`);
   }
-  certManager;
-  gatewayCache = /* @__PURE__ */ new Map();
-  tunnelManager = new TunnelManager();
-  vpnManager = new VPNManager();
-  tempConfigPath = null;
-  vpnEstablishedByUs = false;
   /**
-   * Get the connection URL for an app's primary VM
-   * Handles IPv6 direct connection, VPN, or gateway SSH tunnel fallback
+   * Get current user's GitHub App installation
    */
-  async getConnectionInfo(appName) {
-    const app = await this.platformClient.getApp(appName);
-    if (!app) {
-      throw new Error(`App '${appName}' not found`);
-    }
-    const primaryNode = app.nodes.find((n) => n.isPrimary);
-    if (!primaryNode?.ipv6) {
-      throw new Error(`App '${appName}' has no primary node with IPv6 address`);
-    }
-    const vmIp = primaryNode.ipv6;
-    await this.certManager.getSession(appName, vmIp);
-    const canConnectDirect = await testIPv6Connectivity(vmIp, 3e3);
-    if (canConnectDirect) {
-      const viaVPN = isRoutedViaVPN(vmIp);
-      return {
-        url: `ssh://root@${vmIp}`,
-        vmIp,
-        viaGateway: false,
-        viaVPN
-      };
-    }
-    const vpnAvailable = isWireGuardInstalled();
-    if (vpnAvailable) {
-      console.log(chalk7.yellow("Direct IPv6 not available, trying VPN..."));
-      try {
-        if (isVPNUp() && testIPv6Connectivity2(vmIp, 3)) {
-          console.log(chalk7.green("\u2713 VPN already connected"));
-          return {
-            url: `ssh://root@${vmIp}`,
-            vmIp,
-            viaGateway: false,
-            viaVPN: true
-          };
-        }
-        this.vpnEstablishedByUs = await this.vpnManager.ensureConnected(
-          vmIp,
-          async () => this.getVPNConfig(app.location)
-        );
-        if (testIPv6Connectivity2(vmIp, 5)) {
-          console.log(chalk7.green("\u2713 Connected via VPN"));
-          return {
-            url: `ssh://root@${vmIp}`,
-            vmIp,
-            viaGateway: false,
-            viaVPN: true
-          };
-        }
-      } catch (error) {
-        console.log(chalk7.yellow(`VPN setup failed: ${error.message}`));
-        console.log(chalk7.dim("Falling back to SSH tunnel..."));
+  async getGitHubInstallation() {
+    try {
+      const { installation } = await this.request("GET", "/api/github/installation");
+      return installation;
+    } catch (error) {
+      if (error.message.includes("404") || error.message.includes("not found")) {
+        return null;
       }
-    } else {
-      console.log(chalk7.yellow("Direct IPv6 not available on your network."));
-      console.log(chalk7.dim("For faster deploys, install WireGuard:"));
-      console.log(chalk7.dim(getWireGuardInstallInstructions()));
-      console.log();
+      throw error;
     }
-    console.log(chalk7.yellow("Using SSH tunnel (may be slower for large transfers)..."));
-    const tunnelInfo = await this.ensureTunnel(appName, vmIp, app.location);
-    return {
-      url: `ssh://root@localhost:${tunnelInfo.localPort}`,
-      vmIp,
-      viaGateway: true,
-      viaVPN: false,
-      localPort: tunnelInfo.localPort
-    };
   }
   /**
-   * Get VPN configuration from platform
+   * Delete current user's GitHub App installation record
+   * Used when the installation becomes stale/invalid
    */
-  async getVPNConfig(location) {
-    const { privateKey, publicKey } = getOrCreateKeyPair();
-    const vpnConfigResponse = await this.platformClient.registerVPNPeer(publicKey, location);
-    return {
-      privateKey,
-      publicKey,
-      address: vpnConfigResponse.address,
-      gatewayEndpoint: vpnConfigResponse.gatewayEndpoint,
-      gatewayPublicKey: vpnConfigResponse.gatewayPublicKey,
-      allowedIPs: vpnConfigResponse.allowedIPs
-    };
+  async deleteGitHubInstallation() {
+    await this.request("DELETE", "/api/github/installation");
   }
   /**
-   * Pre-accept a host's SSH key by running ssh-keyscan
-   * This prevents "Host key verification failed" errors from uncloud
+   * List repositories accessible via GitHub App installation
    */
-  preAcceptHostKey(host, port) {
-    try {
-      const portArg = port ? `-p ${port}` : "";
-      execSync5(
-        `ssh-keyscan ${portArg} -H ${host} >> ~/.ssh/known_hosts 2>/dev/null`,
-        { stdio: "pipe", timeout: 1e4 }
-      );
-    } catch {
-    }
+  async listAccessibleRepos() {
+    const { repos } = await this.request("GET", "/api/github/repos");
+    return repos;
   }
   /**
-   * Ensure an SSH tunnel exists for gateway fallback
+   * Connect a repository to an app
    */
-  async ensureTunnel(appName, vmIp, location) {
-    const gateway = await this.getGateway(location);
-    if (!gateway) {
-      throw new Error(`No gateway found for location ${location}`);
-    }
-    return this.tunnelManager.ensureTunnel(appName, vmIp, gateway.ipv4);
+  async connectRepo(appName, repoFullName, branch) {
+    await this.request("POST", `/api/apps/${appName}/repo`, {
+      repoFullName,
+      branch: branch || "main"
+    });
   }
   /**
-   * Run an uncloud command on the app's VM
+   * Get connected repository for an app
    */
-  async run(appName, command, args = [], options = {}) {
-    const connInfo = await this.getConnectionInfo(appName);
-    if (connInfo.viaGateway) {
-      console.log(chalk7.dim(`Connecting via gateway...`));
-    }
-    const fullArgs = ["--connect", connInfo.url, command, ...args];
-    if (options.stdio === "inherit") {
-      const result = spawnSync3("uc", fullArgs, {
-        cwd: options.cwd,
-        stdio: "inherit",
-        timeout: options.timeout
-      });
-      if (result.status !== 0) {
-        throw new Error(`Uncloud command failed with exit code ${result.status}`);
+  async getConnectedRepo(appName) {
+    try {
+      const { repo } = await this.request("GET", `/api/apps/${appName}/repo`);
+      return repo;
+    } catch (error) {
+      if (error.message.includes("404") || error.message.includes("not found")) {
+        return null;
       }
-    } else {
-      const result = execSync5(`uc ${fullArgs.map((a) => `"${a}"`).join(" ")}`, {
-        cwd: options.cwd,
-        encoding: "utf-8",
-        timeout: options.timeout
-      });
-      return result;
+      throw error;
     }
   }
   /**
-   * Run 'uc deploy' for an app
+   * Disconnect repository from an app
    */
-  async deploy(appName, cwd) {
-    await this.run(appName, "deploy", ["--yes"], { cwd, stdio: "inherit" });
+  async disconnectRepo(appName) {
+    await this.request("DELETE", `/api/apps/${appName}/repo`);
   }
+  // ==================== Builds ====================
   /**
-   * Run 'uc service logs' for an app
+   * List builds for an app
    */
-  async logs(appName, serviceName, options = {}) {
-    const args = [serviceName];
-    if (options.follow) args.push("-f");
-    if (options.tail) args.push("--tail", String(options.tail));
-    await this.run(appName, "service", ["logs", ...args], { stdio: "inherit" });
+  async listBuilds(appName, limit = 10) {
+    const { builds } = await this.request("GET", `/api/apps/${appName}/builds?limit=${limit}`);
+    return builds;
   }
   /**
-   * Run 'uc service ls' for an app
+   * Get build details
    */
-  async serviceList(appName) {
-    const result = await this.run(appName, "service", ["ls"], { stdio: "pipe" });
-    return result;
+  async getBuild(appName, buildId) {
+    const { build } = await this.request("GET", `/api/apps/${appName}/builds/${buildId}`);
+    return build;
   }
   /**
-   * Run 'uc machine token' on remote VM via SSH
-   * This is different - it runs on the VM directly, not via uncloud connector
+   * Get build events (for live streaming)
    */
-  async getMachineToken(appName) {
-    const connInfo = await this.getConnectionInfo(appName);
-    let sshCmd2;
-    if (connInfo.viaGateway && connInfo.localPort) {
-      sshCmd2 = `ssh -p ${connInfo.localPort} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR root@localhost`;
-    } else {
-      sshCmd2 = `ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR root@${connInfo.vmIp}`;
+  async getBuildEvents(appName, buildId, after) {
+    let url = `/api/apps/${appName}/builds/${buildId}/events`;
+    if (after) {
+      url += `?after=${encodeURIComponent(after.toISOString())}`;
     }
-    const token = execSync5(`${sshCmd2} "uc machine token"`, { encoding: "utf-8" }).trim();
-    return token;
+    const { events } = await this.request("GET", url);
+    return events;
   }
+  // ==================== VPN Management ====================
   /**
-   * Execute an SSH command on the VM
+   * Register VPN peer with the platform
+   * This is idempotent - if already registered, returns existing config
    */
-  async sshExec(appName, command) {
-    const connInfo = await this.getConnectionInfo(appName);
-    let sshCmd2;
-    if (connInfo.viaGateway && connInfo.localPort) {
-      sshCmd2 = `ssh -p ${connInfo.localPort} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR root@localhost`;
-    } else {
-      sshCmd2 = `ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR root@${connInfo.vmIp}`;
-    }
-    return execSync5(`${sshCmd2} "${command}"`, { encoding: "utf-8" }).trim();
+  async registerVPNPeer(publicKey, location) {
+    const { vpnConfig } = await this.request("POST", "/api/vpn/register", { publicKey, location }, { operation: "Register VPN peer" });
+    return vpnConfig;
   }
   /**
-   * Remove a node from the uncloud cluster
-   * Uses 'uc machine rm' to drain containers and remove from cluster
+   * Get existing VPN config if registered
    */
-  async removeNode(appName, nodeName) {
-    const connInfo = await this.getConnectionInfo(appName);
-    const result = spawnSync3("uc", ["--connect", connInfo.url, "machine", "rm", nodeName, "--yes"], {
-      stdio: "inherit",
-      timeout: 3e5
-      // 5 minute timeout for container drainage
-    });
-    if (result.status !== 0) {
-      throw new Error(`Failed to remove node '${nodeName}' from cluster (exit code ${result.status})`);
+  async getVPNConfig(location) {
+    try {
+      const { vpnConfig } = await this.request("GET", `/api/vpn/config?location=${encodeURIComponent(location)}`);
+      return vpnConfig;
+    } catch (error) {
+      if (error.message.includes("404") || error.message.includes("not found")) {
+        return null;
+      }
+      throw error;
     }
   }
   /**
-   * List machines in the uncloud cluster
+   * Unregister VPN peer
    */
-  async listMachines(appName) {
-    const result = await this.run(appName, "machine", ["ls"], { stdio: "pipe" });
-    return result;
+  async unregisterVPNPeer() {
+    await this.request("DELETE", "/api/vpn/unregister");
   }
-  /**
-   * Get gateway info (cached)
-   */
-  async getGateway(location) {
-    if (this.gatewayCache.has(location)) {
-      return this.gatewayCache.get(location) || null;
-    }
-    const gateway = await this.platformClient.getGateway(location);
-    if (gateway) {
-      this.gatewayCache.set(location, { ipv4: gateway.ipv4, ipv6: gateway.ipv6 });
-      return { ipv4: gateway.ipv4, ipv6: gateway.ipv6 };
-    }
-    this.gatewayCache.set(location, null);
+};
+
+// src/lib/app-config.ts
+import { existsSync as existsSync4, readFileSync as readFileSync4, writeFileSync as writeFileSync4 } from "fs";
+import { join as join4 } from "path";
+import { parse, stringify } from "yaml";
+var CONFIG_FILENAME = "hackerrun.yaml";
+function getConfigPath(directory = process.cwd()) {
+  return join4(directory, CONFIG_FILENAME);
+}
+function hasAppConfig(directory = process.cwd()) {
+  return existsSync4(getConfigPath(directory));
+}
+function readAppConfig(directory = process.cwd()) {
+  const configPath = getConfigPath(directory);
+  if (!existsSync4(configPath)) {
     return null;
   }
-  /**
-   * Clean up all SSH sessions, tunnels, and VPN
-   */
-  cleanup() {
-    this.tunnelManager.closeAll();
-    this.certManager.cleanupAll();
-    if (this.vpnEstablishedByUs) {
-      this.vpnManager.disconnect();
-      this.vpnEstablishedByUs = false;
+  try {
+    const content = readFileSync4(configPath, "utf-8");
+    const config = parse(content);
+    if (!config.appName) {
+      return null;
     }
+    return config;
+  } catch (error) {
+    console.error(`Failed to parse ${CONFIG_FILENAME}:`, error);
+    return null;
   }
-};
+}
+function writeAppConfig(config, directory = process.cwd()) {
+  const configPath = getConfigPath(directory);
+  const content = stringify(config);
+  writeFileSync4(configPath, content, "utf-8");
+}
+function getAppName(directory = process.cwd()) {
+  const config = readAppConfig(directory);
+  if (config?.appName) {
+    return config.appName;
+  }
+  const folderName = directory.split("/").pop() || "app";
+  return folderName.toLowerCase().replace(/[^a-z0-9_-]/g, "-");
+}
+function linkApp(appName, directory = process.cwd()) {
+  writeAppConfig({ appName }, directory);
+}
 
 // src/commands/deploy.ts
 var DEFAULT_LOCATION = "eu-central-h1";
@@ -3730,19 +3722,33 @@ Error: ${error.message}
 import { Command as Command10 } from "commander";
 import chalk16 from "chalk";
 import ora10 from "ora";
-import { confirm } from "@inquirer/prompts";
-var DEFAULT_VM_SIZE = "standard-2";
+import { select as select2, confirm } from "@inquirer/prompts";
+var DEFAULT_VM_SIZE = "burstable-1";
 var DEFAULT_BOOT_IMAGE = "ubuntu-noble";
+function parseServiceList(output) {
+  const lines = output.trim().split("\n");
+  const services = [];
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("NAME") || trimmed.startsWith("Connecting") || trimmed.startsWith("Connected")) {
+      continue;
+    }
+    const svcName = trimmed.split(/\s+/)[0];
+    if (svcName) {
+      services.push(svcName);
+    }
+  }
+  return services;
+}
 function createScaleCommand() {
   const cmd = new Command10("scale");
-  cmd.description("Scale an app by adding or removing nodes").argument("[count]", "Target node count, or +N/-N to add/remove nodes").option("--app <app>", "App name (uses hackerrun.yaml if not specified)").option("--size <size>", `VM size for new nodes (default: ${DEFAULT_VM_SIZE})`).option("--force", "Skip confirmation when removing nodes").action(async (countArg, options) => {
+  cmd.description("Scale a service in your app").argument("<app>", "App name").argument("[service]", "Service name (optional - will prompt if not provided)").argument("[replicas]", "Number of replicas").option("--add-machines", "Automatically add machines if needed").option("--no-add-machine", "Scale on existing machines only").option("--size <size>", `VM size for new machines (default: ${DEFAULT_VM_SIZE})`).action(async (appName, serviceArg, replicasArg, options) => {
     let uncloudRunner = null;
     try {
-      const appName = options.app || getAppName();
       const platformToken = getPlatformToken();
       const platformClient = new PlatformClient(platformToken);
-      const clusterManager = new ClusterManager(platformClient);
       uncloudRunner = new UncloudRunner(platformClient);
+      const clusterManager = new ClusterManager(platformClient, uncloudRunner);
       const app = await platformClient.getApp(appName);
       if (!app) {
         console.log(chalk16.red(`
@@ -3752,146 +3758,122 @@ App '${appName}' not found
 `);
         process.exit(1);
       }
-      const currentNodeCount = app.nodes.length;
-      if (!countArg) {
+      let services;
+      const spinner = ora10("Fetching services...").start();
+      try {
+        const output = await uncloudRunner.serviceList(appName);
+        services = parseServiceList(output);
+        spinner.stop();
+      } catch (error) {
+        spinner.fail("Failed to fetch services");
+        console.log(chalk16.yellow("\nMake sure the app is deployed and running.\n"));
+        process.exit(1);
+      }
+      if (services.length === 0) {
+        console.log(chalk16.yellow(`
+No services found in app '${appName}'`));
+        console.log(`Run ${chalk16.bold("hackerrun deploy")} to deploy your app first.
+`);
+        process.exit(1);
+      }
+      let serviceName;
+      let replicas;
+      if (!serviceArg) {
         console.log(chalk16.cyan(`
-App '${appName}' Scale Info:
+Services in '${appName}':
 `));
-        console.log(`  Current nodes: ${chalk16.bold(currentNodeCount.toString())}`);
-        console.log();
-        app.nodes.forEach((node, index) => {
-          const primaryLabel = node.isPrimary ? chalk16.yellow(" (primary)") : "";
-          console.log(`  ${index + 1}. ${chalk16.bold(node.name)}${primaryLabel}`);
-          console.log(`     IPv6: ${node.ipv6 || "pending"}`);
-          console.log();
+        serviceName = await select2({
+          message: "Which service would you like to scale?",
+          choices: services.map((s) => ({ name: s, value: s }))
         });
-        console.log(chalk16.dim("Usage:"));
-        console.log(chalk16.dim(`  hackerrun scale 3         # Scale to 3 nodes`));
-        console.log(chalk16.dim(`  hackerrun scale +1        # Add 1 node`));
-        console.log(chalk16.dim(`  hackerrun scale -1        # Remove 1 node`));
-        console.log();
-        return;
-      }
-      let targetCount;
-      if (countArg.startsWith("+")) {
-        const delta = parseInt(countArg.slice(1), 10);
-        if (isNaN(delta) || delta <= 0) {
-          console.log(chalk16.red(`
-Invalid count: ${countArg}
+        if (!replicasArg) {
+          console.log(chalk16.red("\nPlease specify the number of replicas.\n"));
+          console.log(chalk16.dim(`Usage: hackerrun scale ${appName} ${serviceName} <replicas>
 `));
           process.exit(1);
         }
-        targetCount = currentNodeCount + delta;
-      } else if (countArg.startsWith("-")) {
-        const delta = parseInt(countArg.slice(1), 10);
-        if (isNaN(delta) || delta <= 0) {
-          console.log(chalk16.red(`
-Invalid count: ${countArg}
+        replicas = parseInt(replicasArg, 10);
+      } else if (!replicasArg) {
+        const maybeReplicas = parseInt(serviceArg, 10);
+        if (!isNaN(maybeReplicas)) {
+          replicas = maybeReplicas;
+          console.log(chalk16.cyan(`
+Services in '${appName}':
+`));
+          serviceName = await select2({
+            message: "Which service would you like to scale?",
+            choices: services.map((s) => ({ name: s, value: s }))
+          });
+        } else {
+          console.log(chalk16.red("\nPlease specify the number of replicas.\n"));
+          console.log(chalk16.dim(`Usage: hackerrun scale ${appName} ${serviceArg} <replicas>
 `));
           process.exit(1);
         }
-        targetCount = currentNodeCount - delta;
       } else {
-        targetCount = parseInt(countArg, 10);
-        if (isNaN(targetCount)) {
+        serviceName = serviceArg;
+        replicas = parseInt(replicasArg, 10);
+        if (!services.includes(serviceName)) {
           console.log(chalk16.red(`
-Invalid count: ${countArg}
+Service '${serviceName}' not found in app '${appName}'.
 `));
+          console.log(chalk16.cyan("Available services:"));
+          services.forEach((s) => console.log(`  - ${s}`));
+          console.log();
           process.exit(1);
         }
       }
-      if (targetCount < 1) {
-        console.log(chalk16.red(`
-Cannot scale below 1 node. Use 'hackerrun destroy' to remove the app.
-`));
+      if (isNaN(replicas) || replicas < 1) {
+        console.log(chalk16.red("\nReplicas must be a positive number.\n"));
         process.exit(1);
       }
-      if (targetCount === currentNodeCount) {
-        console.log(chalk16.yellow(`
-App already has ${currentNodeCount} node(s). Nothing to do.
+      const currentMachineCount = app.nodes.length;
+      console.log(chalk16.cyan(`
+Scaling '${serviceName}' to ${replicas} replica(s)...`));
+      console.log(chalk16.dim(`Current machines: ${currentMachineCount}
 `));
-        return;
-      }
-      const vmSize = options.size || DEFAULT_VM_SIZE;
-      if (targetCount > currentNodeCount) {
-        const nodesToAdd = targetCount - currentNodeCount;
-        console.log(chalk16.cyan(`
-Scaling '${appName}' from ${currentNodeCount} to ${targetCount} nodes (+${nodesToAdd})
+      let shouldAddMachines = false;
+      if (replicas > currentMachineCount) {
+        if (options.addMachines) {
+          shouldAddMachines = true;
+        } else if (options.addMachine === false) {
+          shouldAddMachines = false;
+          console.log(chalk16.yellow(`Scaling ${replicas} replicas across ${currentMachineCount} machine(s).
 `));
-        for (let i = 0; i < nodesToAdd; i++) {
-          console.log(chalk16.cyan(`
-Adding node ${i + 1} of ${nodesToAdd}...`));
-          const newNode = await clusterManager.addNode(appName, vmSize, DEFAULT_BOOT_IMAGE);
-          console.log(chalk16.green(`  Added: ${newNode.name} (${newNode.ipv6})`));
-        }
-        const updatedApp = await platformClient.getApp(appName);
-        const syncSpinner = ora10("Syncing gateway routes...").start();
-        try {
-          await platformClient.syncGatewayRoutes(app.location);
-          syncSpinner.succeed("Gateway routes synced");
-        } catch (error) {
-          syncSpinner.warn(`Gateway sync failed: ${error.message}`);
-        }
-        console.log(chalk16.green(`
-\u2713 Scaled to ${updatedApp?.nodes.length} nodes
-`));
-        console.log(chalk16.dim("To deploy to specific nodes, use x-machines in your compose file:"));
-        console.log(chalk16.dim("  services:"));
-        console.log(chalk16.dim("    web:"));
-        console.log(chalk16.dim("      x-machines:"));
-        updatedApp?.nodes.forEach((node) => {
-          console.log(chalk16.dim(`        - ${node.name}`));
-        });
-        console.log();
-      } else {
-        const nodesToRemove = currentNodeCount - targetCount;
-        const sortedNodes = [...app.nodes].sort((a, b) => {
-          const numA = parseInt(a.name.split("-").pop() || "0", 10);
-          const numB = parseInt(b.name.split("-").pop() || "0", 10);
-          return numB - numA;
-        });
-        const nodesToRemoveList = sortedNodes.slice(0, nodesToRemove);
-        console.log(chalk16.yellow(`
-Scaling '${appName}' from ${currentNodeCount} to ${targetCount} nodes (-${nodesToRemove})
+        } else {
+          console.log(chalk16.yellow(`You want ${replicas} replicas but only have ${currentMachineCount} machine(s).`));
+          console.log(chalk16.dim(`You can either:`));
+          console.log(chalk16.dim(`  \u2022 Add ${replicas - currentMachineCount} new machine(s) for dedicated capacity`));
+          console.log(chalk16.dim(`  \u2022 Run ${replicas} replicas on your existing ${currentMachineCount} machine(s)
 `));
-        console.log(chalk16.yellow("The following nodes will be removed:"));
-        nodesToRemoveList.forEach((node) => {
-          console.log(`  - ${node.name} (${node.ipv6})`);
-        });
-        console.log();
-        if (!options.force) {
-          console.log(chalk16.yellow("Warning: All containers on these nodes will be stopped and the VMs deleted."));
-          console.log(chalk16.yellow("Data on these nodes will be lost.\n"));
-          const confirmed = await confirm({
-            message: "Are you sure you want to remove these nodes?",
+          shouldAddMachines = await confirm({
+            message: `Add ${replicas - currentMachineCount} new machine(s)?`,
             default: false
           });
-          if (!confirmed) {
-            console.log(chalk16.dim("\nScale cancelled.\n"));
-            return;
+          if (!shouldAddMachines) {
+            console.log(chalk16.dim(`
+Scaling ${replicas} replicas across ${currentMachineCount} existing machine(s).
+`));
           }
         }
-        for (const node of nodesToRemoveList) {
-          console.log(chalk16.cyan(`
-Removing node '${node.name}'...`));
+      }
+      if (shouldAddMachines && replicas > currentMachineCount) {
+        const machinesToAdd = replicas - currentMachineCount;
+        const vmSize = options.size || DEFAULT_VM_SIZE;
+        console.log(chalk16.cyan(`
+Adding ${machinesToAdd} machine(s)...
+`));
+        for (let i = 0; i < machinesToAdd; i++) {
+          console.log(chalk16.cyan(`Adding machine ${i + 1} of ${machinesToAdd}...`));
           try {
-            const spinner = ora10("Removing from uncloud cluster...").start();
-            await uncloudRunner.removeNode(appName, node.name);
-            spinner.succeed("Removed from cluster");
-            spinner.start("Deleting VM...");
-            await platformClient.deleteVM(app.location, node.name);
-            spinner.succeed("VM deleted");
-            spinner.start("Updating app state...");
-            const updatedNodes = app.nodes.filter((n) => n.name !== node.name);
-            app.nodes = updatedNodes;
-            await platformClient.saveApp(app);
-            spinner.succeed("App state updated");
-            console.log(chalk16.green(`  Removed: ${node.name}`));
+            const newNode = await clusterManager.addNode(appName, vmSize, DEFAULT_BOOT_IMAGE);
+            console.log(chalk16.green(`  Added: ${newNode.name} (${newNode.ipv6})`));
           } catch (error) {
-            console.log(chalk16.red(`  Failed to remove ${node.name}: ${error.message}`));
+            console.log(chalk16.red(`  Failed to add machine: ${error.message}`));
+            console.log(chalk16.yellow("  Continuing with available machines...\n"));
+            break;
           }
         }
-        const updatedApp = await platformClient.getApp(appName);
         const syncSpinner = ora10("Syncing gateway routes...").start();
         try {
           await platformClient.syncGatewayRoutes(app.location);
@@ -3899,10 +3881,22 @@ Removing node '${node.name}'...`));
         } catch (error) {
           syncSpinner.warn(`Gateway sync failed: ${error.message}`);
         }
-        console.log(chalk16.green(`
-\u2713 Scaled to ${updatedApp?.nodes.length} nodes
-`));
       }
+      const scaleSpinner = ora10(`Scaling ${serviceName} to ${replicas} replicas...`).start();
+      try {
+        await uncloudRunner.run(appName, "scale", [serviceName, String(replicas)], { stdio: "pipe" });
+        scaleSpinner.succeed(chalk16.green(`Scaled '${serviceName}' to ${replicas} replica(s)`));
+      } catch (error) {
+        scaleSpinner.fail(`Failed to scale service: ${error.message}`);
+        process.exit(1);
+      }
+      const updatedApp = await platformClient.getApp(appName);
+      console.log(chalk16.cyan("\nScale Summary:\n"));
+      console.log(`  App:       ${chalk16.bold(appName)}`);
+      console.log(`  Service:   ${chalk16.bold(serviceName)}`);
+      console.log(`  Replicas:  ${chalk16.bold(String(replicas))}`);
+      console.log(`  Machines:  ${chalk16.bold(String(updatedApp?.nodes.length || currentMachineCount))}`);
+      console.log();
     } catch (error) {
       console.error(chalk16.red(`
 Error: ${error.message}
@@ -3917,8 +3911,75 @@ Error: ${error.message}
   return cmd;
 }
 
+// src/commands/services.ts
+import { Command as Command11 } from "commander";
+import chalk17 from "chalk";
+import ora11 from "ora";
+function createServicesCommand() {
+  const cmd = new Command11("services");
+  cmd.description("List services and their status for an app").argument("[app]", "App name (uses hackerrun.yaml if not specified)").action(async (appArg) => {
+    const platformToken = getPlatformToken();
+    const platformClient = new PlatformClient(platformToken);
+    const uncloudRunner = new UncloudRunner(platformClient);
+    try {
+      const appName = appArg || getAppName();
+      const app = await platformClient.getApp(appName);
+      if (!app) {
+        console.log(chalk17.red(`
+App '${appName}' not found
+`));
+        process.exit(1);
+      }
+      const spinner = ora11("Fetching services...").start();
+      try {
+        const output = await uncloudRunner.serviceList(appName);
+        spinner.stop();
+        console.log(chalk17.cyan(`
+Services in '${appName}':
+`));
+        const lines = output.trim().split("\n");
+        if (lines.length === 0 || lines.length === 1 && !lines[0].trim()) {
+          console.log(chalk17.yellow("  No services found.\n"));
+          console.log(`Run ${chalk17.bold("hackerrun deploy")} to deploy your app.
+`);
+          return;
+        }
+        for (const line of lines) {
+          const trimmed = line.trim();
+          if (trimmed.startsWith("Connecting") || trimmed.startsWith("Connected")) {
+            continue;
+          }
+          if (trimmed) {
+            if (trimmed.startsWith("NAME")) {
+              console.log(chalk17.bold(`  ${trimmed}`));
+            } else {
+              console.log(`  ${trimmed}`);
+            }
+          }
+        }
+        console.log();
+        console.log(chalk17.dim(`Machines: ${app.nodes.length}`));
+        console.log(chalk17.dim(`Scale a service: hackerrun scale ${appName} <service> <replicas>`));
+        console.log();
+      } catch (error) {
+        spinner.fail("Failed to fetch services");
+        console.log(chalk17.yellow("\nMake sure the app is deployed and running.\n"));
+        process.exit(1);
+      }
+    } catch (error) {
+      console.error(chalk17.red(`
+Error: ${error.message}
+`));
+      process.exit(1);
+    } finally {
+      uncloudRunner.cleanup();
+    }
+  });
+  return cmd;
+}
+
 // src/index.ts
-var program = new Command11();
+var program = new Command12();
 program.name("hackerrun").description("Deploy apps with full control over your infrastructure").version("0.1.0");
 program.addCommand(createLoginCommand());
 program.addCommand(createConfigCommand());
@@ -3930,6 +3991,7 @@ program.addCommand(createEnvCommand());
 program.addCommand(createBuildsCommand());
 program.addCommand(createVPNCommands());
 program.addCommand(createScaleCommand());
+program.addCommand(createServicesCommand());
 var { appsCmd, nodesCmd, sshCmd, destroyCmd, linkCmd, renameCmd, domainCmd } = createAppCommands();
 program.addCommand(appsCmd);
 program.addCommand(nodesCmd);