kadi-deploy 0.19.0

package/src/commands/deploy.ts

@@ -0,0 +1,1342 @@
+/**
+ * Deploy Command - Akash Network Integration
+ *
+ * Main deployment command that uses deploy-ability library for Akash deployments.
+ * Handles the UX (QR codes, spinners, confirmations) while deploy-ability does the work.
+ *
+ * @module commands/deploy
+ */
+
+// Polyfill localStorage for WalletConnect (requires browser API in Node.js)
+import { LocalStorage } from 'node-localstorage';
+import os from 'node:os';
+import path from 'node:path';
+
+const kadiHome = path.join(os.homedir(), '.kadi');
+(globalThis as any).localStorage = new LocalStorage(kadiHome);
+
+import {
+  deployToAkash,
+  connectWallet,
+  disconnectWallet,
+  AkashClient,
+  type EnhancedBid,
+  type BidFilterCriteria,
+  type SecretsProvider,
+} from '@kadi.build/deploy-ability/akash';
+import type { AkashDeploymentData, AkashDryRunData, AutonomousDeploymentConfig } from '@kadi.build/deploy-ability/types';
+
+import { loadAgentConfig, getProfile, getFirstProfile } from '../config/agent-loader.js';
+import {
+  waitForSecretRequest,
+  shareSecrets,
+  sendRejection,
+  readSecretsFromCli,
+  readSecretFromCli,
+  prepareSecretsForDeployment,
+  performSecretHandshake,
+  type WaitForSecretsResult,
+} from '../secrets/index.js';
+import { normalizeSecrets, hasAnySecrets, type NormalizedVaultSource } from '../secrets/normalize.js';
+import { startSpinner, succeedSpinner, failSpinner } from '../cli/spinners.js';
+import { confirmPrompt, selectPrompt, textPrompt } from '../cli/prompts.js';
+import { error as errorColor, warning, success as successColor, dim, bold, highlight } from '../cli/colors.js';
+import { selectBidInteractively, sortBidsByQuality } from '../cli/bid-selector.js';
+import { fetchAktPriceUSD } from '../utils/akt-price.js';
+import fs from 'node:fs/promises';
+import { readFileSync } from 'node:fs';
+import {
+  displayDeploymentInfo,
+  displayDeploymentSummary,
+  displayDryRunInfo,
+  displayProfileInfo
+} from '../display/deployment-info.js';
+import { setupRegistryIfNeeded } from '../infrastructure/registry.js';
+import { buildAkashLock, writeLockFile } from './lock.js';
+
+import QRCode from 'qrcode-terminal';
+import type { DeploymentContext } from '../types.js';
+
+/**
+ * Executes Akash Network deployment using deploy-ability
+ *
+ * Flow mirrors old kadi-deploy but uses deploy-ability library:
+ * 1. Load profile
+ * 2. Connect wallet (WalletConnect QR code)
+ * 3. Get signing client
+ * 4. Ensure certificate exists
+ * 5. Deploy (deploy-ability does the heavy lifting)
+ * 6. Display results
+ *
+ * @param ctx - Deployment context from CLI
+ */
+export async function executeAkashDeployment(ctx: DeploymentContext): Promise<void> {
+  const { logger, projectRoot, flags } = ctx;
+
+  // Track exit code to force process exit after cleanup (0 = success, 1 = failure, null = don't exit)
+  // This is necessary because background timers in the registry keep Node.js alive
+  let exitCode: number | null = null;
+
+  // ----------------------------------------------------------------
+  // 1. Load agent configuration
+  // ----------------------------------------------------------------
+  let spinner = startSpinner('Loading agent configuration...');
+
+  let agentConfig;
+  try {
+    agentConfig = await loadAgentConfig(projectRoot);
+    succeedSpinner(spinner, `Loaded agent: ${agentConfig.name}`);
+  } catch (err) {
+    failSpinner(spinner, 'Failed to load agent.json');
+    logger.error(errorColor((err as Error).message));
+    return;
+  }
+
+  // ----------------------------------------------------------------
+  // 2. Resolve profile
+  // ----------------------------------------------------------------
+  const profileName = flags.profile || getFirstProfile(agentConfig);
+
+  if (!profileName) {
+    logger.error('No deploy profiles found in agent.json');
+    logger.log('Add a deploy profile under the "deploy" field in agent.json');
+    return;
+  }
+
+  const profile = getProfile(agentConfig, profileName);
+  if (!profile) {
+    logger.error(`Profile "${profileName}" not found in agent.json`);
+    return;
+  }
+
+  // Validate it's an Akash profile
+  if (profile.target !== 'akash') {
+    logger.error(`Profile "${profileName}" is not an Akash profile (target: ${profile.target})`);
+    return;
+  }
+
+  // TypeScript type narrowing: profile is now AkashProfile
+  type AkashProfileType = typeof profile & { target: 'akash' };
+  const akashProfile = profile as AkashProfileType;
+
+  const network = akashProfile.network || (flags.network as 'mainnet' | 'testnet') || 'testnet';
+  logger.log(successColor(`✓ Using profile: ${profileName} (${network})`));
+
+  // ----------------------------------------------------------------
+  // 2.5. SECRETS INJECTION
+  // If profile declares secrets, inject KADI_* env vars into all services
+  // Supports both legacy single-vault and multi-vault configurations.
+  // ----------------------------------------------------------------
+  const normalizedSecrets = normalizeSecrets(akashProfile.secrets as any);
+  const hasSecrets = hasAnySecrets(normalizedSecrets);
+
+  let deployNonce: string | undefined;
+  let brokerUrl: string | null = null;
+  let secretsVault: string | undefined;
+  let secretsSources: NormalizedVaultSource[] = [];
+
+  if (hasSecrets) {
+    const result = prepareSecretsForDeployment({
+      profile: akashProfile,
+      agentConfig,
+      projectRoot,
+      logger,
+      colors: { dim, success: successColor, error: errorColor },
+    });
+
+    if (!result) return;
+
+    deployNonce = result.deployNonce;
+    brokerUrl = result.brokerUrl;
+    secretsVault = result.secretsVault;
+    secretsSources = result.secretsSources;
+  }
+
+  // ----------------------------------------------------------------
+  // 2.6. START LISTENING FOR SECRET REQUESTS EARLY
+  // We start listening BEFORE deploying to avoid a race condition where
+  // the agent requests secrets before we're subscribed to the broker.
+  // ----------------------------------------------------------------
+  let secretsPromise: Promise<WaitForSecretsResult> | null = null;
+
+  if (hasSecrets && deployNonce && brokerUrl && !flags.dryRun) {
+    logger.log(dim(`\nConnecting to broker to listen for secret requests...`));
+
+    // Start listening NOW (don't await - let it run in background)
+    // This just captures the request silently - we'll prompt after deployment
+    secretsPromise = waitForSecretRequest({
+      brokerUrl,
+      expectedNonce: deployNonce,
+      timeout: flags.secretTimeout || 5 * 60 * 1000, // Default 5 minutes
+      logger: {
+        log: (msg: string) => logger.log(dim(msg)),
+        error: (msg: string) => logger.error(errorColor(msg)),
+      },
+    });
+
+    // Wait for broker subscription before starting deployment
+    await new Promise(resolve => setTimeout(resolve, 1000));
+  }
+
+  // ----------------------------------------------------------------
+  // 3. LOCAL IMAGE HANDLING
+  // If profile uses local images (e.g., "my-app" instead of "docker.io/nginx"),
+  // we need to make them accessible to Akash providers:
+  // - Start temporary registry (localhost:3000)
+  // - Push local images to it
+  // - Expose publicly via kadi/ngrok/serveo/localtunnel
+  // - Rewrite profile to use public URLs
+  // ----------------------------------------------------------------
+
+  // Validate tunnel service if provided
+  const validTunnelServices = ['kadi', 'ngrok', 'serveo', 'localtunnel'] as const;
+  let tunnelService: 'kadi' | 'ngrok' | 'serveo' | 'localtunnel' | undefined = undefined;
+
+  if (flags.tunnelService) {
+    if (!validTunnelServices.includes(flags.tunnelService as 'kadi' | 'ngrok' | 'serveo' | 'localtunnel')) {
+      logger.error(`Invalid tunnel service: ${flags.tunnelService}`);
+      logger.log(`Valid options: ${validTunnelServices.join(', ')}`);
+      return;
+    }
+    tunnelService = flags.tunnelService as 'kadi' | 'ngrok' | 'serveo' | 'localtunnel';
+  }
+
+  // Type assertion: kadi-deploy's AkashProfileType is runtime-compatible with deploy-ability's AkashDeploymentProfile
+  // Both have the same structure (services with image/env/expose), but TypeScript types differ slightly
+  const registryContext = await setupRegistryIfNeeded(akashProfile as any, logger, {
+    useRemoteRegistry: flags.useRemoteRegistry,
+    registryDuration: flags.registryDuration,
+    tunnelService,
+    containerEngine: (flags.engine || akashProfile.engine) as 'docker' | 'podman' | undefined
+  });
+
+  // Wrap transformed profile in LoadedProfile structure for deploy-ability
+  // Type assertion: Our Zod-validated profile is compatible with deploy-ability's expected type
+  // The runtime structure is correct even though TypeScript types differ slightly
+  const loadedProfile = {
+    name: profileName,
+    profile: registryContext.deployableProfile,
+    agent: agentConfig,
+    projectRoot
+  } as any; // TODO: Align types between kadi-deploy and deploy-ability
+
+  // ----------------------------------------------------------------
+  // 3.5. AUTONOMOUS MODE - Fully automated deployment path
+  // When --autonomous flag is set, bypass all interactive prompts and use
+  // deploy-ability's autonomous mode with secrets vault for wallet credentials.
+  // ----------------------------------------------------------------
+  if (flags.autonomous) {
+    await executeAutonomousDeployment(ctx, {
+      akashProfile,
+      profileName,
+      network,
+      loadedProfile,
+      registryContext,
+      hasSecrets,
+      deployNonce,
+      brokerUrl,
+      secretsVault,
+      secretsSources,
+      agentConfig,
+    });
+    return;
+  }
+
+  // ----------------------------------------------------------------
+  // 4. Dry run check
+  // ----------------------------------------------------------------
+  if (flags.dryRun) {
+    logger.log('\n' + warning('⚠️  DRY RUN MODE - No deployment will be created'));
+    logger.log(dim('Skipping wallet connection and certificate checks'));
+    logger.log('');
+  }
+
+  // ----------------------------------------------------------------
+  // Resource management: wallet, akash client, and registry cleanup
+  // All resources are cleaned up in the finally block, ensuring proper
+  // cleanup on success, error, and early returns
+  // ----------------------------------------------------------------
+  let walletResult;
+  let akashClient: AkashClient | undefined;
+
+  try {
+    // ----------------------------------------------------------------
+    // 5. Connect wallet (WalletConnect with QR code)
+    // ----------------------------------------------------------------
+
+  if (!flags.dryRun) {
+    spinner = startSpinner('Initializing WalletConnect...');
+
+    const projectId = akashProfile.walletConnectProjectId || 'ef0fd1c783f5ef70fbb102f5e5dd2c43'; // Default KADI project ID
+
+    try {
+      // deploy-ability provides URI via callback, we display QR code
+      walletResult = await connectWallet(
+        projectId,
+        network as 'mainnet' | 'testnet',
+        {
+          onUriGenerated: (uri: string) => {
+            succeedSpinner(spinner, 'QR Code generated');
+            logger.log('');
+            logger.log('📱 Scan this QR code with your Keplr mobile wallet:');
+            logger.log('');
+            QRCode.generate(uri, { small: true });  // kadi-deploy displays it
+            logger.log('');
+            spinner = startSpinner('Waiting for wallet approval...');
+          }
+        }
+      );
+
+      if (!walletResult.success) {
+        failSpinner(spinner, 'Wallet connection failed');
+        logger.error(errorColor(walletResult.error.message));
+        return;
+      }
+
+      succeedSpinner(spinner, `Wallet connected: ${walletResult.data.address}`);
+    } catch (err) {
+      failSpinner(spinner, 'Wallet connection failed');
+      logger.error(errorColor((err as Error).message));
+      return;
+    }
+  }
+
+  // ----------------------------------------------------------------
+  // 6. Create Akash blockchain client
+  // ----------------------------------------------------------------
+  if (!flags.dryRun && walletResult) {
+    spinner = startSpinner('Creating Akash client...');
+
+    try {
+      // Create AkashClient with signer from wallet
+      akashClient = new AkashClient({
+        network: network as 'mainnet' | 'testnet',
+        signer: walletResult.data.signer
+      });
+
+      succeedSpinner(spinner, 'Akash client ready');
+    } catch (err) {
+      failSpinner(spinner, 'Failed to create Akash client');
+      logger.error(errorColor((err as Error).message));
+      return;
+    }
+  }
+
+  // ----------------------------------------------------------------
+  // 7. Load existing certificate if specified in profile
+  // ----------------------------------------------------------------
+  let existingCert;
+
+  if (!flags.dryRun && akashProfile.cert) {
+    const certPath = akashProfile.cert;
+
+    try {
+      const certData = await fs.readFile(certPath, 'utf-8');
+      existingCert = JSON.parse(certData);
+      logger.log(dim(`Loaded certificate from: ${certPath}`));
+    } catch (err) {
+      logger.error(errorColor(`Failed to load certificate from ${certPath}`));
+      logger.error(errorColor((err as Error).message));
+      return;
+    }
+  }
+
+  // ----------------------------------------------------------------
+  // 8. Ensure certificate exists
+  // ----------------------------------------------------------------
+  let certResult;
+  const defaultCertPath = path.join(os.homedir(), '.kadi', 'certificate.json');
+
+  if (!flags.dryRun && walletResult && akashClient) {
+    spinner = startSpinner('Checking certificate...');
+
+    try {
+      // Get certificate manager from AkashClient
+      const certManager = akashClient.getCertificateManager();
+
+      // Check if certificate exists on-chain (before calling getOrCreate)
+      const onChainCert = await certManager.query(walletResult.data.address);
+
+      // If cert exists on-chain but we don't have it locally, offer interactive options
+      if (onChainCert.success && onChainCert.data?.exists && !existingCert) {
+        succeedSpinner(spinner, 'Certificate check complete');
+
+        // Check if default cert file exists
+        let defaultCertExists = false;
+        try {
+          await fs.access(defaultCertPath);
+          defaultCertExists = true;
+        } catch {
+          defaultCertExists = false;
+        }
+
+        logger.log('');
+
+        if (defaultCertExists) {
+          // Scenario A: Cert file found at default location
+          logger.log(bold('This wallet has an active certificate on Akash.'));
+          logger.log(successColor(`Found certificate file at ${defaultCertPath}`));
+          logger.log('');
+
+          const useExisting = await confirmPrompt(
+            'Use this certificate?',
+            true
+          );
+
+          if (useExisting) {
+            // Load the certificate
+            try {
+              const certData = await fs.readFile(defaultCertPath, 'utf-8');
+              existingCert = JSON.parse(certData);
+              logger.log(dim(`Loaded certificate from: ${defaultCertPath}`));
+            } catch (err) {
+              logger.error(errorColor(`Failed to load certificate: ${(err as Error).message}`));
+              exitCode = 1;
+              return;
+            }
+          } else {
+            // User said no, show the 3-option menu
+            const choice = await selectPrompt(
+              'How would you like to proceed?',
+              [
+                'Revoke existing and create new certificate (Recommended)',
+                'Enter path to certificate file',
+                'Cancel deployment'
+              ],
+              0
+            );
+
+            if (choice.includes('Revoke')) {
+              // Revoke and create new
+              spinner = startSpinner('Revoking existing certificate(s)...');
+              const revokeResult = await certManager.revoke(walletResult.data.address);
+
+              if (!revokeResult.success) {
+                failSpinner(spinner, 'Failed to revoke certificate');
+                logger.error(errorColor(revokeResult.error.message));
+                exitCode = 1;
+                return;
+              }
+
+              succeedSpinner(spinner, `Revoked ${revokeResult.data.revokedCount} certificate(s)`);
+              // existingCert stays undefined, getOrCreate will make a new one
+
+            } else if (choice.includes('Enter path')) {
+              // Prompt for custom path
+              const customPath = await textPrompt('Enter certificate file path:');
+              try {
+                const certData = await fs.readFile(customPath, 'utf-8');
+                existingCert = JSON.parse(certData);
+                logger.log(dim(`Loaded certificate from: ${customPath}`));
+              } catch (err) {
+                logger.error(errorColor(`Failed to load certificate: ${(err as Error).message}`));
+                exitCode = 1;
+                return;
+              }
+
+            } else {
+              // Cancel
+              logger.log('Deployment cancelled');
+              exitCode = 0;
+              return;
+            }
+          }
+        } else {
+          // Scenario B: Cert file NOT found - show 3-option menu directly
+          logger.log(warning('This wallet has an active certificate on Akash, but we couldn\'t find'));
+          logger.log(warning('the certificate file locally.'));
+          logger.log('');
+          logger.log(dim(`Checked ${defaultCertPath}...`), dim('not found'));
+          logger.log('');
+
+          const choice = await selectPrompt(
+            'How would you like to proceed?',
+            [
+              'Revoke existing and create new certificate (Recommended)',
+              'Enter path to certificate file',
+              'Cancel deployment'
+            ],
+            0
+          );
+
+          if (choice.includes('Revoke')) {
+            // Revoke and create new
+            spinner = startSpinner('Revoking existing certificate(s)...');
+            const revokeResult = await certManager.revoke(walletResult.data.address);
+
+            if (!revokeResult.success) {
+              failSpinner(spinner, 'Failed to revoke certificate');
+              logger.error(errorColor(revokeResult.error.message));
+              exitCode = 1;
+              return;
+            }
+
+            succeedSpinner(spinner, `Revoked ${revokeResult.data.revokedCount} certificate(s)`);
+            // existingCert stays undefined, getOrCreate will make a new one
+
+          } else if (choice.includes('Enter path')) {
+            // Prompt for custom path
+            const customPath = await textPrompt('Enter certificate file path:');
+            try {
+              const certData = await fs.readFile(customPath, 'utf-8');
+              existingCert = JSON.parse(certData);
+              logger.log(dim(`Loaded certificate from: ${customPath}`));
+            } catch (err) {
+              logger.error(errorColor(`Failed to load certificate: ${(err as Error).message}`));
+              exitCode = 1;
+              return;
+            }
+
+          } else {
+            // Cancel
+            logger.log('Deployment cancelled');
+            exitCode = 0;
+            return;
+          }
+        }
+
+        // Restart spinner for the next step
+        spinner = startSpinner('Checking certificate...');
+      }
+
+      // Now proceed with getOrCreate (will create new cert if needed, or validate existing)
+      certResult = await certManager.getOrCreate(
+        walletResult.data.address,
+        existingCert ? { existingCertificate: existingCert } : undefined
+      );
+
+      if (!certResult.success) {
+        failSpinner(spinner, 'Certificate check failed');
+        // Extract error message properly (avoid [object Object])
+        // TODO: The error message may still show "[object Object]" when wallet rejects
+        // a transaction. This needs to be fixed in deploy-ability's broadcast() method
+        // where `${error}` should be `${error?.message || String(error)}` instead.
+        const errMsg = certResult.error?.message || String(certResult.error) || 'Unknown error';
+        logger.error(errorColor(errMsg));
+        exitCode = 1;
+        return;
+      }
+
+      succeedSpinner(spinner, 'Certificate ready');
+
+      // Save certificate for future use if newly generated
+      if (!existingCert && !akashProfile.cert) {
+        try {
+          await fs.mkdir(path.dirname(defaultCertPath), { recursive: true });
+          await fs.writeFile(defaultCertPath, JSON.stringify(certResult.data, null, 2), 'utf-8');
+          logger.log(successColor(`\nCertificate saved to: ${defaultCertPath}`));
+          logger.log(dim(`Tip: Add ${highlight('"cert": "~/.kadi/certificate.json"')} to your profile to skip this step`));
+        } catch (saveErr) {
+          logger.log(warning('Could not save certificate to disk'));
+        }
+      }
+    } catch (err) {
+      failSpinner(spinner, 'Certificate check failed');
+      logger.error(errorColor((err as Error).message));
+      exitCode = 1;
+      return;
+    }
+  }
+
+  // ----------------------------------------------------------------
+  // 8. Confirm deployment
+  // ----------------------------------------------------------------
+  if (!flags.dryRun && !flags.yes) {
+    const proceed = await confirmPrompt(
+      `Deploy to ${network}?`,
+      true
+    );
+
+    if (!proceed) {
+      logger.log('Deployment cancelled');
+      // Finally block will handle cleanup
+      return;
+    }
+  }
+
+  // ----------------------------------------------------------------
+  // 9. Deploy using deploy-ability
+  // ----------------------------------------------------------------
+  spinner = startSpinner('Deploying to Akash Network...');
+
+  try {
+    // For non-dry-run, wallet and certificate are required
+    if (!flags.dryRun && (!walletResult || !certResult)) {
+      failSpinner(spinner, 'Missing wallet or certificate');
+      logger.error('Wallet and certificate are required for deployment');
+      // Finally block will handle cleanup
+      return;
+    }
+
+    const result = await deployToAkash({
+      projectRoot,
+      profile: profileName,
+      loadedProfile, // Pass transformed profile with registry URLs
+      network: network as 'mainnet' | 'testnet',
+      dryRun: flags.dryRun,
+      verbose: flags.verbose,
+      blacklist: akashProfile.blacklist as readonly string[] | undefined, // Provider blacklist from profile
+
+      // Wait for containers to be ready before returning
+      // This ensures providers have time to pull images from temporary registry
+      containerTimeout: 600000, // 10 minutes
+
+      // Wallet and certificate optional for dry-run, required otherwise
+      wallet: walletResult?.data,
+      certificate: certResult?.data,
+
+      // Interactive bid selector - prompts user to choose provider
+      bidSelector: async (bids: EnhancedBid[]) => {
+        // Sort bids by quality (audited + high uptime first)
+        const sortedBids = sortBidsByQuality(bids);
+
+        // Stop spinner to allow enquirer to take over terminal
+        spinner.stop();
+
+        // Fetch AKT price for USD conversion
+        // Fails gracefully - if unavailable, we just show AKT pricing
+        const aktPriceUsd = await fetchAktPriceUSD();
+
+        // Show interactive selection prompt with USD pricing if available
+        const selected = await selectBidInteractively(sortedBids, aktPriceUsd);
+
+        // Restart spinner after selection
+        if (selected) {
+          spinner = startSpinner('Creating lease with selected provider...');
+        }
+
+        return selected;
+      },
+
+      // Custom logger that updates spinner text with progress
+      logger: {
+        log: (msg: string) => {
+          // Update spinner text to show current progress
+          spinner.text = msg;
+        },
+        error: (msg: string) => logger.error(msg),
+        warn: (msg: string) => {
+          spinner.text = msg;
+        },
+        debug: flags.verbose ? (msg: string) => {
+          spinner.text = msg;
+        } : () => {}
+      }
+    });
+
+    if (!result.success) {
+      failSpinner(spinner, 'Deployment failed');
+      logger.error(errorColor(result.error.message));
+
+      if (flags.verbose && result.error.cause) {
+        logger.error('\nCause:', result.error.cause);
+      }
+
+      // Set exit code and return (finally block will handle cleanup and exit)
+      exitCode = 1;
+      return;
+    }
+
+    succeedSpinner(spinner, 'Deployment complete!');
+
+    // ----------------------------------------------------------------
+    // 9. Display results
+    // ----------------------------------------------------------------
+    const data = result.data;
+
+    if ('dryRun' in data && data.dryRun) {
+      // Dry run result
+      displayDryRunInfo(profileName, data.sdl);
+
+      // Set exit code (finally block will handle cleanup and exit)
+      exitCode = 0;
+    } else {
+      // Actual deployment result
+      const deploymentData = data as AkashDeploymentData;
+
+      // Fetch AKT price for USD display (fails gracefully)
+      const aktPriceUsd = await fetchAktPriceUSD();
+
+      if (flags.verbose) {
+        displayDeploymentInfo(deploymentData, aktPriceUsd);
+      } else {
+        displayDeploymentSummary(deploymentData, aktPriceUsd);
+      }
+
+      // Show endpoints if available
+      if (deploymentData.endpoints && Object.keys(deploymentData.endpoints).length > 0) {
+        logger.log(successColor('\nService Endpoints:'));
+        for (const [serviceName, endpoint] of Object.entries(deploymentData.endpoints)) {
+          logger.log(`  ${serviceName}: ${endpoint}`);
+        }
+        logger.log('');
+      }
+
+      // ----------------------------------------------------------------
+      // 9.5. Write deployment lock file for `kadi deploy down`
+      // ----------------------------------------------------------------
+      try {
+        const lock = buildAkashLock(profileName, deploymentData, flags.label);
+        const instanceId = await writeLockFile(projectRoot, lock);
+        logger.log(dim(`  Instance: ${instanceId}  (profile: ${profileName}${flags.label ? `, label: ${flags.label}` : ''})`));
+        logger.log(dim(`  Use \`kadi deploy down --instance ${instanceId}\` to tear down.`));
+        if (flags.verbose) {
+          logger.log(dim('Lock file written: .kadi-deploy.lock'));
+        }
+      } catch (lockErr) {
+        // Non-fatal: deployment succeeded even if lock write fails
+        logger.log(warning(`Could not write lock file: ${(lockErr as Error).message}`));
+      }
+
+      // ----------------------------------------------------------------
+      // 10. Wait for secret request result (we started listening earlier)
+      // ----------------------------------------------------------------
+      if (secretsPromise && brokerUrl && secretsVault) {
+        logger.log(dim('\n─────────────────────────────────────────────────────────────────'));
+        logger.log(bold('Waiting for agent to request secrets...'));
+        logger.log(dim(`Broker: ${brokerUrl}`));
+        logger.log(dim('Press Ctrl+C to skip (agent will not receive secrets)'));
+        logger.log(dim('─────────────────────────────────────────────────────────────────\n'));
+
+        // Handle Ctrl+C during secret wait - force exit cleanly
+        const sigintHandler = () => {
+          logger.log(warning('\n\nSkipping secret sharing (Ctrl+C)'));
+          exitCode = 0;
+          process.exit(0);
+        };
+        process.on('SIGINT', sigintHandler);
+
+        const waitResult = await secretsPromise;
+
+        // Remove handler after secrets are done
+        process.off('SIGINT', sigintHandler);
+
+        if (waitResult.success && waitResult.request) {
+          const request = waitResult.request;
+
+          // Display request info
+          logger.log('');
+          logger.log(successColor('Agent connected and requesting secrets!'));
+          logger.log('');
+          logger.log(`  Agent ID: ${request.agentId}`);
+          logger.log(`  Required: ${request.required.join(', ')}`);
+          if (request.optional?.length) {
+            logger.log(`  Optional: ${request.optional.join(', ')}`);
+          }
+          logger.log('');
+
+          // Prompt for approval (auto-approve with --yes or --auto-approve-secrets flag)
+          const approved = flags.yes || flags.autoApproveSecrets || await confirmPrompt('Share these secrets with the agent?', true);
+
+          if (!approved) {
+            logger.log(warning('\nSecret sharing declined.'));
+            // Notify agent so it can fail immediately instead of timing out
+            await sendRejection({
+              brokerUrl,
+              agentId: request.agentId,
+              reason: 'User declined to share secrets',
+              logger: {
+                log: (msg: string) => logger.log(dim(msg)),
+                error: (msg: string) => logger.error(errorColor(msg)),
+              },
+            });
+          } else {
+            const allRequestedKeys = [
+              ...request.required,
+              ...(request.optional || []),
+            ];
+
+            // Multi-vault: read from each vault source
+            const secrets: Record<string, string> = {};
+            for (const source of secretsSources) {
+              const sourceKeys = [...source.required, ...source.optional]
+                .filter(k => allRequestedKeys.includes(k));
+              if (sourceKeys.length === 0) continue;
+
+              logger.log(dim(`\nReading secrets from vault '${source.vault}'...`));
+              const vaultSecrets = readSecretsFromCli({
+                keys: sourceKeys,
+                vault: source.vault,
+                cwd: projectRoot,
+                onError: (key, error) => {
+                  logger.log(dim(`  Failed to read '${key}' from vault '${source.vault}': ${error}`));
+                },
+              });
+              Object.assign(secrets, vaultSecrets);
+            }
+            const foundKeys = Object.keys(secrets);
+
+            const missingRequired = request.required.filter(
+              (key) => !secrets[key]
+            );
+
+            if (missingRequired.length > 0) {
+              const vaultNames = secretsSources.map(s => s.vault).join(', ');
+              logger.log(warning(`\nMissing required secrets in vault(s) '${vaultNames}': ${missingRequired.join(', ')}`));
+              logger.log(dim(`Use "kadi secret set <key> <value> -v <vault>" to add them.`));
+            } else if (foundKeys.length === 0) {
+              const vaultNames = secretsSources.map(s => s.vault).join(', ');
+              logger.log(warning(`\nNo secrets found in vault(s) '${vaultNames}'.`));
+            } else if (!request.publicKey) {
+              logger.log(warning('\nAgent did not provide public key for encryption.'));
+            } else {
+              logger.log(successColor(`\nSharing ${foundKeys.length} secret(s) with agent (encrypted)...`));
+
+              try {
+                await shareSecrets({
+                  brokerUrl,
+                  agentId: request.agentId,
+                  agentPublicKey: request.publicKey,
+                  secrets,
+                  logger: {
+                    log: (msg: string) => logger.log(dim(msg)),
+                    error: (msg: string) => logger.error(errorColor(msg)),
+                  },
+                });
+
+                logger.log(successColor('Secrets shared successfully!'));
+                logger.log(dim(`  Shared: ${foundKeys.join(', ')}`));
+              } catch (shareErr) {
+                logger.log(warning(`\nFailed to share secrets: ${(shareErr as Error).message}`));
+              }
+            }
+          }
+        } else if (waitResult.timedOut) {
+          logger.log(warning('\nTimeout waiting for agent to request secrets.'));
+        } else if (waitResult.error) {
+          logger.log(warning(`\nSecret handshake failed: ${waitResult.error}`));
+        }
+
+        logger.log('');
+      }
+
+      // Set exit code (finally block will handle cleanup and exit)
+      exitCode = 0;
+    }
+
+  } catch (err) {
+    failSpinner(spinner, 'Deployment failed');
+    logger.error(errorColor((err as Error).message));
+
+    if (flags.verbose) {
+      console.error(err);
+    }
+
+    // Set exit code (finally block will handle cleanup and exit)
+    exitCode = 1;
+  }
+  } finally {
+    // ----------------------------------------------------------------
+    // Guaranteed cleanup: wallet, akash client, and registry
+    // ----------------------------------------------------------------
+    // This block runs on ALL exit paths: success, error, and early returns
+    // Ensures Node.js event loop can exit by closing all open connections
+
+    // 1. Disconnect Akash client (closes RPC connection and SDK resources)
+    if (akashClient) {
+      try {
+        await akashClient.disconnect();
+      } catch (err) {
+        // Silently ignore cleanup errors
+      }
+    }
+
+    // 2. Disconnect wallet (closes WalletConnect session)
+    if (walletResult?.success) {
+      try {
+        await disconnectWallet(walletResult.data);
+      } catch (err) {
+        // Silently ignore cleanup errors
+      }
+    }
+
+    // 3. Cleanup registry (if it was started)
+    // Note: This is idempotent, safe to call multiple times
+    try {
+      await registryContext.cleanup();
+    } catch (err) {
+      // Silently ignore cleanup errors
+    }
+
+    // Force process exit after cleanup completes
+    // This is necessary because phantom handles in Node.js keep the event loop alive
+    // Even after all real resources are cleaned up, stale handle references remain
+    if (exitCode !== null) {
+      process.exit(exitCode);
+    }
+  }
+}
+
+// =============================================================================
+// Autonomous Deployment
+// =============================================================================
+
+/**
+ * Options passed to the autonomous deployment function from the main flow
+ */
+interface AutonomousDeploymentParams {
+  akashProfile: any;
+  profileName: string;
+  network: string;
+  loadedProfile: any;
+  registryContext: any;
+  hasSecrets: boolean;
+  deployNonce?: string;
+  brokerUrl: string | null;
+  secretsVault?: string;
+  secretsSources: NormalizedVaultSource[];
+  agentConfig: any;
+}
+
+/**
+ * Execute a fully autonomous Akash deployment with no human interaction.
+ *
+ * This function:
+ * 1. Creates a SecretsProvider from the local vault (or uses a simple mnemonic provider)
+ * 2. Calls deployToAkash() in autonomous mode (wallet from vault, auto-cert, algorithmic bid selection)
+ * 3. Auto-approves and performs secret handshake if profile declares secrets
+ * 4. Displays results and exits
+ *
+ * No prompts, no QR codes, no confirmation dialogs. Pure automation.
+ *
+ * @param ctx - Deployment context from CLI
+ * @param params - Pre-resolved profile and config from main flow
+ */
+async function executeAutonomousDeployment(
+  ctx: DeploymentContext,
+  params: AutonomousDeploymentParams
+): Promise<void> {
+  const { logger, projectRoot, flags } = ctx;
+  const {
+    akashProfile,
+    profileName,
+    network,
+    loadedProfile,
+    registryContext,
+    hasSecrets,
+    deployNonce,
+    brokerUrl,
+    secretsVault,
+    secretsSources,
+    agentConfig,
+  } = params;
+
+  let exitCode: number | null = null;
+
+  logger.log('');
+  logger.log(bold('🤖 AUTONOMOUS DEPLOYMENT MODE'));
+  logger.log(dim('   No human interaction required — fully automated'));
+  logger.log('');
+
+  // ----------------------------------------------------------------
+  // 1. Build SecretsProvider for wallet credentials
+  // Uses deploy-ability's createSecretsProvider with secret-ability vault
+  // ----------------------------------------------------------------
+  const bidStrategy = (flags.bidStrategy as 'cheapest' | 'most-reliable' | 'balanced') || 'cheapest';
+
+  logger.log(dim(`Bid strategy: ${bidStrategy}`));
+  if (flags.bidMaxPrice) {
+    logger.log(dim(`Max bid price: ${flags.bidMaxPrice} uAKT/block`));
+  }
+  if (flags.requireAudited) {
+    logger.log(dim(`Requiring audited providers only`));
+  }
+  logger.log('');
+
+  // Build bid filter from CLI flags
+  const bidFilter: Record<string, unknown> = {};
+  if (flags.bidMaxPrice) {
+    bidFilter.maxPricePerBlock = flags.bidMaxPrice;
+  }
+  if (flags.requireAudited) {
+    bidFilter.requireAudited = true;
+  }
+
+  // ----------------------------------------------------------------
+  // 2. Start listening for secret requests early (same as interactive mode)
+  // ----------------------------------------------------------------
+  let secretsPromise: Promise<WaitForSecretsResult> | null = null;
+
+  if (hasSecrets && deployNonce && brokerUrl && !flags.dryRun) {
+    logger.log(dim(`Connecting to broker for automated secret sharing...`));
+
+    secretsPromise = waitForSecretRequest({
+      brokerUrl,
+      expectedNonce: deployNonce,
+      timeout: flags.secretTimeout || 5 * 60 * 1000,
+      logger: {
+        log: (msg: string) => logger.log(dim(msg)),
+        error: (msg: string) => logger.error(errorColor(msg)),
+      },
+    });
+
+    // Wait for broker subscription before starting deployment
+    await new Promise(resolve => setTimeout(resolve, 1000));
+  }
+
+  // ----------------------------------------------------------------
+  // 3. Deploy using deploy-ability in autonomous mode
+  // ----------------------------------------------------------------
+  let spinner = startSpinner('Starting autonomous deployment...');
+
+  try {
+    // Dry run path
+    if (flags.dryRun) {
+      spinner.text = 'Generating deployment preview...';
+
+      const result = await deployToAkash({
+        projectRoot,
+        profile: profileName,
+        loadedProfile,
+        network: network as 'mainnet' | 'testnet',
+        dryRun: true,
+        verbose: flags.verbose,
+        logger: {
+          log: (msg: string) => { spinner.text = msg; },
+          error: (msg: string) => logger.error(msg),
+          warn: (msg: string) => { spinner.text = msg; },
+          debug: flags.verbose ? (msg: string) => { spinner.text = msg; } : () => {},
+        },
+      });
+
+      if (!result.success) {
+        failSpinner(spinner, 'Dry run failed');
+        logger.error(errorColor(result.error.message));
+        exitCode = 1;
+        return;
+      }
+
+      succeedSpinner(spinner, 'Dry run complete');
+      const data = result.data as AkashDryRunData;
+      displayDryRunInfo(profileName, data.sdl);
+      exitCode = 0;
+      return;
+    }
+
+    // Build the SecretsProvider for wallet credentials (mnemonic + certificate)
+    // The wallet vault defaults to 'global' — it's separate from the deployment
+    // secrets vault (profile.secrets.vault) which holds app secrets like DB_PASSWORD.
+    // --secrets-vault overrides ONLY the wallet vault, not deployment secrets.
+    spinner.text = 'Setting up wallet from secrets vault...';
+
+    const walletVault = flags.secretsVault || 'global';
+    const secretsProvider = createCliSecretsProvider(walletVault, projectRoot);
+
+    // Full autonomous deployment
+    const autonomousConfig: AutonomousDeploymentConfig = {
+      secrets: secretsProvider,
+      bidStrategy,
+      bidFilter: Object.keys(bidFilter).length > 0 ? bidFilter as BidFilterCriteria : undefined,
+    };
+
+    const result = await deployToAkash({
+      projectRoot,
+      profile: profileName,
+      loadedProfile,
+      network: network as 'mainnet' | 'testnet',
+      dryRun: false,
+      verbose: flags.verbose,
+      blacklist: akashProfile.blacklist as readonly string[] | undefined,
+      containerTimeout: 600000, // 10 minutes
+
+      // Autonomous mode config — deploy-ability handles everything
+      autonomous: autonomousConfig,
+
+      // Logger that updates spinner
+      // warn/debug persist-print so diagnostic info isn't lost
+      logger: {
+        log: (msg: string) => { spinner.text = msg; },
+        error: (msg: string) => logger.error(msg),
+        warn: (msg: string) => {
+          const saved = spinner.text;
+          spinner.stop();
+          logger.log(warning(msg));
+          spinner.start(saved);
+        },
+        debug: flags.verbose ? (msg: string) => {
+          const saved = spinner.text;
+          spinner.stop();
+          logger.log(dim(msg));
+          spinner.start(saved);
+        } : () => {},
+      },
+    });
+
+    if (!result.success) {
+      failSpinner(spinner, 'Autonomous deployment failed');
+      logger.error(errorColor(result.error.message));
+
+      if (flags.verbose && result.error.cause) {
+        logger.error('\nCause:', result.error.cause);
+      }
+
+      // Provide helpful hints for common autonomous errors
+      const errorCode = (result.error as any).code;
+      if (errorCode === 'SECRETS_ERROR') {
+        logger.log('');
+        logger.log(warning('Hint: Make sure your wallet mnemonic is stored in the vault:'));
+        logger.log(dim(`  kadi secrets set --vault ${walletVault} --key AKASH_WALLET --value "your mnemonic"`));
+      }
+
+      exitCode = 1;
+      return;
+    }
+
+    succeedSpinner(spinner, 'Autonomous deployment complete!');
+
+    // ----------------------------------------------------------------
+    // 4. Display results
+    // ----------------------------------------------------------------
+    const data = result.data;
+
+    if ('dryRun' in data && data.dryRun) {
+      displayDryRunInfo(profileName, (data as AkashDryRunData).sdl);
+      exitCode = 0;
+    } else {
+      const deploymentData = data as AkashDeploymentData;
+
+      // Fetch AKT price for USD display
+      const aktPriceUsd = await fetchAktPriceUSD();
+
+      if (flags.verbose) {
+        displayDeploymentInfo(deploymentData, aktPriceUsd);
+      } else {
+        displayDeploymentSummary(deploymentData, aktPriceUsd);
+      }
+
+      // Show endpoints
+      if (deploymentData.endpoints && Object.keys(deploymentData.endpoints).length > 0) {
+        logger.log(successColor('\nService Endpoints:'));
+        for (const [serviceName, endpoint] of Object.entries(deploymentData.endpoints)) {
+          logger.log(`  ${serviceName}: ${endpoint}`);
+        }
+        logger.log('');
+      }
+
+      // ----------------------------------------------------------------
+      // 4.5. Write deployment lock file for `kadi deploy down`
+      // ----------------------------------------------------------------
+      try {
+        const lock = buildAkashLock(profileName, deploymentData, flags.label);
+        const instanceId = await writeLockFile(projectRoot, lock);
+        logger.log(dim(`  Instance: ${instanceId}  (profile: ${profileName}${flags.label ? `, label: ${flags.label}` : ''})`));
+        logger.log(dim(`  Use \`kadi deploy down --instance ${instanceId}\` to tear down.`));
+        if (flags.verbose) {
+          logger.log(dim('Lock file written: .kadi-deploy.lock'));
+        }
+      } catch (lockErr) {
+        // Non-fatal: deployment succeeded even if lock write fails
+        logger.log(warning(`Could not write lock file: ${(lockErr as Error).message}`));
+      }
+
+      // ----------------------------------------------------------------
+      // 5. Automated secret sharing (no prompts)
+      // ----------------------------------------------------------------
+      if (secretsPromise && brokerUrl && secretsVault) {
+        logger.log(dim('\n─────────────────────────────────────────────────────────────────'));
+        logger.log(bold('Automated secret sharing in progress...'));
+        logger.log(dim(`Broker: ${brokerUrl}`));
+        logger.log(dim('─────────────────────────────────────────────────────────────────\n'));
+
+        const waitResult = await secretsPromise;
+
+        if (waitResult.success && waitResult.request) {
+          const request = waitResult.request;
+
+          logger.log(successColor('Agent connected and requesting secrets.'));
+          logger.log(dim(`  Agent ID: ${request.agentId}`));
+          logger.log(dim(`  Required: ${request.required.join(', ')}`));
+          if (request.optional?.length) {
+            logger.log(dim(`  Optional: ${request.optional.join(', ')}`));
+          }
+
+          // Auto-approve: no prompting in autonomous mode
+          logger.log(successColor('\nAuto-approving secret sharing (autonomous mode)...'));
+
+          const allRequestedKeys = [
+            ...request.required,
+            ...(request.optional || []),
+          ];
+
+          // Multi-vault: read from each vault source
+          const secrets: Record<string, string> = {};
+          for (const source of secretsSources) {
+            const sourceKeys = [...source.required, ...source.optional]
+              .filter(k => allRequestedKeys.includes(k));
+            if (sourceKeys.length === 0) continue;
+
+            logger.log(dim(`Reading secrets from vault '${source.vault}'...`));
+            const vaultSecrets = readSecretsFromCli({
+              keys: sourceKeys,
+              vault: source.vault,
+              cwd: projectRoot,
+              onError: (key, error) => {
+                logger.log(dim(`  Failed to read '${key}' from vault '${source.vault}': ${error}`));
+              },
+            });
+            Object.assign(secrets, vaultSecrets);
+          }
+          const foundKeys = Object.keys(secrets);
+
+          const missingRequired = request.required.filter(
+            (key) => !secrets[key]
+          );
+
+          if (missingRequired.length > 0) {
+            const vaultNames = secretsSources.map(s => s.vault).join(', ');
+            logger.log(warning(`Missing required secrets in vault(s) '${vaultNames}': ${missingRequired.join(', ')}`));
+            logger.log(dim(`Use "kadi secret set <key> <value> -v <vault>" to add them.`));
+          } else if (foundKeys.length === 0) {
+            const vaultNames = secretsSources.map(s => s.vault).join(', ');
+            logger.log(warning(`No secrets found in vault(s) '${vaultNames}'.`));
+          } else if (!request.publicKey) {
+            logger.log(warning('Agent did not provide public key for encryption.'));
+          } else {
+            logger.log(successColor(`Sharing ${foundKeys.length} secret(s) with agent (encrypted)...`));
+
+            try {
+              await shareSecrets({
+                brokerUrl,
+                agentId: request.agentId,
+                agentPublicKey: request.publicKey,
+                secrets,
+                logger: {
+                  log: (msg: string) => logger.log(dim(msg)),
+                  error: (msg: string) => logger.error(errorColor(msg)),
+                },
+              });
+
+              logger.log(successColor('✓ Secrets shared successfully!'));
+              logger.log(dim(`  Shared: ${foundKeys.join(', ')}`));
+            } catch (shareErr) {
+              logger.log(warning(`Failed to share secrets: ${(shareErr as Error).message}`));
+            }
+          }
+        } else if (waitResult.timedOut) {
+          logger.log(warning('Timeout waiting for agent to request secrets.'));
+          logger.log(dim('The agent may not have started yet, or may not require secrets.'));
+        } else if (waitResult.error) {
+          logger.log(warning(`Secret handshake failed: ${waitResult.error}`));
+        }
+
+        logger.log('');
+      }
+
+      exitCode = 0;
+    }
+
+  } catch (err) {
+    failSpinner(spinner, 'Autonomous deployment failed');
+    logger.error(errorColor((err as Error).message));
+
+    if (flags.verbose) {
+      console.error(err);
+    }
+
+    exitCode = 1;
+  } finally {
+    // Cleanup registry (if it was started)
+    try {
+      await registryContext.cleanup();
+    } catch (err) {
+      // Silently ignore cleanup errors
+    }
+
+    if (exitCode !== null) {
+      process.exit(exitCode);
+    }
+  }
+}
+
+// =============================================================================
+// CLI Secrets Provider Shim
+// =============================================================================
+
+/**
+ * Create a SecretsProvider that reads from the local kadi-secret CLI vault.
+ *
+ * This bridges deploy-ability's SecretsProvider interface with kadi-deploy's
+ * existing CLI-based secret vault access. It reads the wallet mnemonic from
+ * the specified vault using `kadi secret get` commands.
+ *
+ * For certificate caching, it stores certificates in the vault alongside the mnemonic.
+ *
+ * @param vaultName - Name of the vault to read from (e.g., 'global')
+ * @param cwd - Working directory for CLI execution
+ * @returns SecretsProvider compatible with deploy-ability's autonomous mode
+ */
+function createCliSecretsProvider(vaultName: string, cwd: string): SecretsProvider {
+  return {
+    async getMnemonic(): Promise<string> {
+      // Read the wallet mnemonic from the local kadi-secret vault
+      const mnemonic = readSecretFromCli({
+        key: 'AKASH_WALLET',
+        vault: vaultName,
+        cwd,
+      });
+
+      if (!mnemonic) {
+        throw new Error(
+          `Wallet mnemonic not found in vault '${vaultName}' (key: AKASH_WALLET).\n\n` +
+          `Store your mnemonic with:\n` +
+          `  kadi secret set AKASH_WALLET "your 12 or 24 word mnemonic" -v ${vaultName}\n\n` +
+          `Or create the vault first:\n` +
+          `  kadi secret create ${vaultName}`
+        );
+      }
+
+      return mnemonic;
+    },
+
+    async getCertificate(): Promise<any | null> {
+      // 1. Try the default filesystem path (where interactive mode saves it)
+      const defaultCertPath = path.join(os.homedir(), '.kadi', 'certificate.json');
+      try {
+        const certData = readFileSync(defaultCertPath, 'utf-8');
+        const cert = JSON.parse(certData);
+        if (cert && cert.cert && cert.privateKey && cert.publicKey) {
+          return cert;
+        }
+      } catch {
+        // File doesn't exist or isn't valid JSON — fall through
+      }
+
+      // 2. Try to read cached certificate from secrets vault
+      try {
+        const certJson = readSecretFromCli({
+          key: 'akash-tls-certificate',
+          vault: vaultName,
+          cwd,
+        });
+        if (certJson) {
+          const cert = JSON.parse(certJson);
+          if (cert) {
+            return cert;
+          }
+        }
+      } catch {
+        // Vault read failed — fall through
+      }
+
+      return null;
+    },
+
+    async storeCertificate(cert: any): Promise<void> {
+      // Store certificate in vault for future use
+      // Use execSync to call kadi secret set
+      try {
+        const { execSync } = await import('node:child_process');
+        execSync(
+          `kadi secret set akash-tls-certificate '${JSON.stringify(cert).replace(/'/g, "\\'")}' -v "${vaultName}"`,
+          {
+            encoding: 'utf-8',
+            cwd,
+            stdio: ['pipe', 'pipe', 'pipe'],
+          }
+        );
+      } catch {
+        // Non-fatal: certificate is already on blockchain
+      }
+    },
+  };
+}