openthrottle 0.0.1 → 0.1.0

package/index.mjs

@@ -0,0 +1,346 @@
+#!/usr/bin/env node
+// =============================================================================
+// openthrottle — CLI for Open Throttle.
+//
+// Usage: npx openthrottle <command>
+//
+// Commands:
+//   ship <file.md> [--base <branch>]   Ship a prompt to a Daytona sandbox
+//   status                             Show running, queued, and completed tasks
+//   logs                               Show recent GitHub Actions workflow runs
+// =============================================================================
+
+import { readFileSync, existsSync } from 'node:fs';
+import { execFileSync } from 'node:child_process';
+import { join, resolve } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+// ---------------------------------------------------------------------------
+// 1. Constants + helpers
+// ---------------------------------------------------------------------------
+
+const EXIT_OK = 0;
+const EXIT_USER_ERROR = 1;
+const EXIT_MISSING_DEP = 2;
+
+function die(message, code = EXIT_USER_ERROR) {
+  console.error(`error: ${message}`);
+  process.exit(code);
+}
+
+function gh(args, { quiet = false } = {}) {
+  try {
+    return execFileSync('gh', args, {
+      encoding: 'utf8',
+      stdio: ['pipe', 'pipe', 'pipe'],
+    }).trim();
+  } catch (err) {
+    const stderr = err.stderr?.toString().trim() || '';
+    if (stderr.includes('auth login')) {
+      die('gh auth expired -- run: gh auth login', EXIT_MISSING_DEP);
+    }
+    if (quiet) {
+      // Exit code 1 with no stderr = no matching results (expected)
+      if (err.status === 1 && !stderr) return '';
+      // Real failure — warn but don't crash
+      console.error(`warning: gh ${args.slice(0, 2).join(' ')} failed: ${stderr || err.message}`);
+      return '';
+    }
+    throw err;
+  }
+}
+
+function preflight() {
+  try {
+    execFileSync('gh', ['auth', 'status'], { stdio: 'pipe' });
+  } catch {
+    die(
+      'gh CLI not found or not authenticated.\n  Install: https://cli.github.com\n  Auth:    gh auth login',
+      EXIT_MISSING_DEP,
+    );
+  }
+}
+
+function detectRepo() {
+  try {
+    const url = execFileSync('git', ['remote', 'get-url', 'origin'], {
+      encoding: 'utf8',
+      stdio: ['pipe', 'pipe', 'pipe'],
+    }).trim();
+    const match = url.match(/github\.com[:/](.+?\/.+?)(?:\.git)?$/);
+    if (match) return match[1];
+  } catch {}
+  die('Could not detect GitHub repo. Run from a git repo with a github.com remote.');
+}
+
+function readConfig() {
+  const configPath = join(process.cwd(), '.openthrottle.yml');
+  if (!existsSync(configPath)) {
+    return { baseBranch: 'main', snapshot: 'openthrottle' };
+  }
+  let content;
+  try {
+    content = readFileSync(configPath, 'utf8');
+  } catch (err) {
+    die(`Could not read .openthrottle.yml: ${err.message}`);
+  }
+  const get = (key) => {
+    const match = content.match(new RegExp(`^${key}:\\s*(.+)`, 'm'));
+    if (!match) return undefined;
+    return match[1].replace(/#.*$/, '').trim().replace(/^["']|["']$/g, '');
+  };
+  return {
+    baseBranch: get('base_branch') || 'main',
+    snapshot: get('snapshot') || 'openthrottle',
+  };
+}
+
+// ---------------------------------------------------------------------------
+// 2. Command: ship
+// ---------------------------------------------------------------------------
+
+function cmdShip(args) {
+  let file = null;
+  let baseBranch = null;
+
+  for (let i = 0; i < args.length; i++) {
+    if (args[i] === '--base' && args[i + 1]) {
+      baseBranch = args[++i];
+    } else if (!file) {
+      file = args[i];
+    }
+  }
+
+  if (!file) die('Usage: openthrottle ship <file.md> [--base <branch>]');
+
+  file = resolve(file);
+  if (!existsSync(file)) die(`File not found: ${file}`);
+  if (!file.endsWith('.md')) die(`Expected a markdown file, got: ${file}`);
+
+  const config = readConfig();
+  const base = baseBranch || config.baseBranch;
+  const repo = detectRepo();
+
+  // Extract title from first markdown heading
+  const content = readFileSync(file, 'utf8');
+  const headingMatch = content.match(/^#{1,6}\s+(.+)/m);
+  let title = headingMatch ? headingMatch[1].trim() : file.replace(/\.md$/, '');
+  if (!title.startsWith('PRD:')) title = `PRD: ${title}`;
+
+  // Ensure labels exist (idempotent)
+  const labels = [
+    'prd-queued', 'prd-running', 'prd-complete', 'prd-failed',
+    'needs-review', 'reviewing',
+    'bug-queued', 'bug-running', 'bug-complete', 'bug-failed',
+  ];
+  for (const label of labels) {
+    try {
+      gh(['label', 'create', label, '--repo', repo, '--force']);
+    } catch (err) {
+      const stderr = err.stderr?.toString().trim() || err.message;
+      console.error(`warning: failed to create label "${label}": ${stderr}`);
+    }
+  }
+
+  // Build label list
+  let issueLabels = 'prd-queued';
+  if (base !== 'main') issueLabels += `,base:${base}`;
+
+  // Create the issue
+  let issueUrl;
+  try {
+    issueUrl = gh([
+      'issue', 'create',
+      '--repo', repo,
+      '--title', title,
+      '--body-file', file,
+      '--label', issueLabels,
+    ]);
+  } catch (err) {
+    const msg = err.stderr?.toString().trim() || err.message;
+    die(`Failed to create issue: ${msg}`);
+  }
+
+  // Show queue position
+  let queueCount = 0;
+  try {
+    const raw = gh([
+      'issue', 'list', '--repo', repo,
+      '--label', 'prd-queued', '--state', 'open',
+      '--json', 'number', '--jq', 'length',
+    ]);
+    queueCount = parseInt(raw, 10) || 0;
+  } catch {}
+
+  let runningInfo = '';
+  try {
+    runningInfo = gh([
+      'issue', 'list', '--repo', repo,
+      '--label', 'prd-running', '--state', 'open',
+      '--json', 'number,title',
+      '--jq', '.[0] | "#\\(.number) -- \\(.title)"',
+    ]);
+  } catch {}
+
+  console.log(`Shipped: ${issueUrl}`);
+  if (queueCount > 1) {
+    console.log(`Queue: ${queueCount} queued`);
+  } else {
+    console.log('Status: starting');
+  }
+  if (runningInfo) {
+    console.log(`Running: ${runningInfo}`);
+  }
+}
+
+// ---------------------------------------------------------------------------
+// 3. Command: status
+// ---------------------------------------------------------------------------
+
+function cmdStatus() {
+  const repo = detectRepo();
+
+  console.log('RUNNING');
+  const running = gh([
+    'issue', 'list', '--repo', repo,
+    '--label', 'prd-running', '--state', 'open',
+    '--json', 'number,title',
+    '--jq', '.[] | "  #\\(.number) -- \\(.title)"',
+  ], { quiet: true });
+  console.log(running || '  (none)');
+
+  console.log('\nQUEUE');
+  const queued = gh([
+    'issue', 'list', '--repo', repo,
+    '--label', 'prd-queued', '--state', 'open',
+    '--json', 'number,title',
+    '--jq', '.[] | "  #\\(.number) -- \\(.title)"',
+  ], { quiet: true });
+  console.log(queued || '  (none)');
+
+  console.log('\nREVIEW');
+  const pending = gh([
+    'pr', 'list', '--repo', repo,
+    '--label', 'needs-review',
+    '--json', 'number,title',
+    '--jq', '.[] | "  pending: #\\(.number) -- \\(.title)"',
+  ], { quiet: true });
+  const reviewing = gh([
+    'pr', 'list', '--repo', repo,
+    '--label', 'reviewing',
+    '--json', 'number,title',
+    '--jq', '.[] | "  active:  #\\(.number) -- \\(.title)"',
+  ], { quiet: true });
+  const fixes = gh([
+    'pr', 'list', '--repo', repo,
+    '--search', 'review:changes_requested',
+    '--json', 'number,title',
+    '--jq', '.[] | "  fixes:   #\\(.number) -- \\(.title)"',
+  ], { quiet: true });
+  const reviewOutput = [pending, reviewing, fixes].filter(Boolean).join('\n');
+  console.log(reviewOutput || '  (none)');
+
+  console.log('\nCOMPLETED (recent)');
+  const completed = gh([
+    'issue', 'list', '--repo', repo,
+    '--label', 'prd-complete', '--state', 'closed',
+    '--limit', '5',
+    '--json', 'number,title',
+    '--jq', '.[] | "  #\\(.number) -- \\(.title)"',
+  ], { quiet: true });
+  console.log(completed || '  (none)');
+}
+
+// ---------------------------------------------------------------------------
+// 4. Command: logs
+// ---------------------------------------------------------------------------
+
+function cmdLogs() {
+  const repo = detectRepo();
+
+  let output;
+  try {
+    output = gh([
+      'run', 'list',
+      '--repo', repo,
+      '--workflow', 'Wake Sandbox',
+      '--limit', '10',
+    ]);
+  } catch {
+    try {
+      output = gh([
+        'run', 'list',
+        '--repo', repo,
+        '--limit', '10',
+      ]);
+    } catch (err) {
+      die(`Failed to list workflow runs: ${err.stderr?.toString().trim() || err.message}`);
+    }
+  }
+
+  if (!output) {
+    console.log('No workflow runs found.');
+    return;
+  }
+
+  console.log(output);
+}
+
+// ---------------------------------------------------------------------------
+// 5. Main
+// ---------------------------------------------------------------------------
+
+const HELP = `Usage: openthrottle <command>
+
+Commands:
+  init                               Set up Open Throttle in your project
+  ship <file.md> [--base <branch>]   Create a GitHub issue to trigger a sandbox
+  status                             Show running, queued, and completed tasks
+  logs                               Show recent GitHub Actions workflow runs
+
+Options:
+  --help, -h                         Show this help message
+  --version, -v                      Show version`;
+
+async function main() {
+  const args = process.argv.slice(2);
+  const command = args[0];
+
+  if (!command || command === '--help' || command === '-h') {
+    console.log(HELP);
+    process.exit(EXIT_OK);
+  }
+
+  if (command === '--version' || command === '-v') {
+    const pkg = JSON.parse(readFileSync(new URL('./package.json', import.meta.url), 'utf8'));
+    console.log(pkg.version);
+    process.exit(EXIT_OK);
+  }
+
+  if (command === 'init') {
+    const { default: init } = await import('./init.mjs');
+    await init();
+    return;
+  }
+
+  preflight();
+
+  switch (command) {
+    case 'ship':
+      cmdShip(args.slice(1));
+      break;
+    case 'status':
+      cmdStatus();
+      break;
+    case 'logs':
+      cmdLogs();
+      break;
+    default:
+      die(`Unknown command: ${command}\n  Run "openthrottle --help" for usage.`);
+  }
+}
+
+main().catch((err) => {
+  console.error(`error: ${err.message}`);
+  process.exit(1);
+});

package/init.mjs

@@ -0,0 +1,479 @@
+// =============================================================================
+// openthrottle init — Set up Open Throttle in any Node.js project.
+//
+// Detects the project, prompts for config, generates .openthrottle.yml +
+// wake-sandbox.yml, creates a Daytona snapshot, and prints next steps.
+// =============================================================================
+
+import { readFileSync, writeFileSync, existsSync, mkdirSync, readdirSync, statSync } from 'node:fs';
+import { join, dirname, relative } from 'node:path';
+import { execFileSync } from 'node:child_process';
+import { fileURLToPath } from 'node:url';
+import prompts from 'prompts';
+import { stringify } from 'yaml';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const cwd = process.cwd();
+
+// ---------------------------------------------------------------------------
+// 1. Detect project
+// ---------------------------------------------------------------------------
+
+function detectProject() {
+  const pkgPath = join(cwd, 'package.json');
+  if (!existsSync(pkgPath)) {
+    console.error('No package.json found. openthrottle init currently supports Node.js projects only.');
+    process.exit(1);
+  }
+
+  let pkg;
+  try {
+    pkg = JSON.parse(readFileSync(pkgPath, 'utf8'));
+  } catch {
+    console.error('Could not parse package.json. Is it valid JSON?');
+    process.exit(1);
+  }
+  const scripts = pkg.scripts || {};
+  const rawName = pkg.name?.replace(/^@[^/]+\//, '') || 'project';
+  const name = rawName.toLowerCase().replace(/[^a-z0-9-]/g, '-').replace(/-+/g, '-');
+
+  // Detect package manager
+  let pm = 'npm';
+  if (pkg.packageManager?.startsWith('pnpm')) pm = 'pnpm';
+  else if (pkg.packageManager?.startsWith('yarn')) pm = 'yarn';
+  else if (existsSync(join(cwd, 'pnpm-lock.yaml'))) pm = 'pnpm';
+  else if (existsSync(join(cwd, 'yarn.lock'))) pm = 'yarn';
+  else if (existsSync(join(cwd, 'package-lock.json'))) pm = 'npm';
+
+  // Detect base branch
+  let baseBranch = 'main';
+  try {
+    const head = execFileSync('git', ['remote', 'show', 'origin'], { encoding: 'utf8', stdio: ['pipe', 'pipe', 'pipe'] });
+    const match = head.match(/HEAD branch:\s*(\S+)/);
+    if (match) baseBranch = match[1];
+  } catch {
+    // Not a git repo or no remote — default to main
+  }
+
+  return {
+    name,
+    pm,
+    baseBranch,
+    test: scripts.test ? `${pm} test` : '',
+    build: scripts.build ? `${pm} build` : '',
+    lint: scripts.lint ? `${pm} lint` : '',
+    format: scripts.format ? `${pm} run format` : (pkg.devDependencies?.prettier ? 'npx prettier --write .' : ''),
+    dev: scripts.dev ? `${pm} dev --port 8080 --hostname 0.0.0.0` : '',
+  };
+}
+
+// ---------------------------------------------------------------------------
+// 1b. Detect .env files and extract key names
+// ---------------------------------------------------------------------------
+
+function detectEnvFiles() {
+  const envFiles = {};
+  const seen = new Set();
+
+  function scan(dir) {
+    let entries;
+    try { entries = readdirSync(dir); } catch { return; }
+    for (const entry of entries) {
+      if (entry === 'node_modules' || entry === '.git' || entry === '.next' || entry === 'dist') continue;
+      const full = join(dir, entry);
+      let stat;
+      try { stat = statSync(full); } catch { continue; }
+      if (stat.isDirectory()) { scan(full); continue; }
+      if (!entry.startsWith('.env')) continue;
+      // Skip .env.example, .env.sample, .env.template
+      if (/\.(example|sample|template)$/i.test(entry)) continue;
+
+      const relPath = relative(cwd, full);
+      const keys = [];
+      try {
+        const content = readFileSync(full, 'utf8');
+        for (const line of content.split('\n')) {
+          const trimmed = line.trim();
+          if (!trimmed || trimmed.startsWith('#')) continue;
+          const match = trimmed.replace(/^export\s+/, '').match(/^([a-zA-Z_][a-zA-Z0-9_]*)=/);
+          if (match) keys.push(match[1]);
+        }
+      } catch (err) {
+        console.error(`warning: could not read ${relPath}: ${err.message}`);
+        continue;
+      }
+
+      if (keys.length > 0) {
+        envFiles[relPath] = keys;
+        keys.forEach(k => seen.add(k));
+      }
+    }
+  }
+
+  scan(cwd);
+  return { envFiles, allKeys: [...seen].sort() };
+}
+
+// ---------------------------------------------------------------------------
+// 2. Prompt for config
+// ---------------------------------------------------------------------------
+
+async function promptConfig(detected) {
+  console.log(`\n  Detected: package.json (${detected.pm})\n`);
+
+  const response = await prompts([
+    { type: 'text', name: 'baseBranch', message: 'Base branch', initial: detected.baseBranch },
+    { type: 'text', name: 'test', message: 'Test command', initial: detected.test },
+    { type: 'text', name: 'build', message: 'Build command', initial: detected.build },
+    { type: 'text', name: 'lint', message: 'Lint command', initial: detected.lint },
+    { type: 'text', name: 'format', message: 'Format command', initial: detected.format },
+    { type: 'text', name: 'dev', message: 'Dev command', initial: detected.dev },
+    { type: 'text', name: 'postBootstrap', message: 'Post-bootstrap command', initial: `${detected.pm} install` },
+    {
+      type: 'select', name: 'agent', message: 'Agent runtime',
+      choices: [
+        { title: 'Claude', value: 'claude' },
+        { title: 'Codex', value: 'codex' },
+        { title: 'Aider', value: 'aider' },
+      ],
+      initial: 0,
+    },
+    {
+      type: 'select', name: 'notifications', message: 'Notifications',
+      choices: [
+        { title: 'Telegram', value: 'telegram' },
+        { title: 'None', value: 'none' },
+      ],
+      initial: 0,
+    },
+    { type: 'number', name: 'maxTurns', message: 'Max turns per agent run', initial: 200, min: 1 },
+    { type: 'number', name: 'maxBudgetUsd', message: 'Max budget per run in USD (API only)', initial: 5, min: 0 },
+    { type: 'confirm', name: 'reviewEnabled', message: 'Enable automated PR review?', initial: true },
+    {
+      type: (prev) => prev ? 'number' : null,
+      name: 'maxRounds', message: 'Max review rounds', initial: 3, min: 1, max: 10,
+    },
+    { type: 'text', name: 'snapshotName', message: 'Daytona snapshot name', initial: 'openthrottle' },
+  ], { onCancel: () => { console.log('\nCancelled.'); process.exit(0); } });
+
+  return { ...detected, ...response };
+}
+
+// ---------------------------------------------------------------------------
+// 3. Generate .openthrottle.yml
+// ---------------------------------------------------------------------------
+
+function generateConfig(config) {
+  const doc = {
+    base_branch: config.baseBranch,
+    test: config.test || undefined,
+    dev: config.dev || undefined,
+    format: config.format || undefined,
+    lint: config.lint || undefined,
+    build: config.build || undefined,
+    notifications: config.notifications === 'none' ? undefined : config.notifications,
+    agent: config.agent,
+    snapshot: config.snapshotName || 'openthrottle',
+    post_bootstrap: [config.postBootstrap],
+    mcp_servers: {},
+    env_files: config.envFiles && Object.keys(config.envFiles).length > 0
+      ? config.envFiles
+      : undefined,
+    limits: {
+      max_turns: config.maxTurns ?? 200,
+      max_budget_usd: config.maxBudgetUsd ?? 5,
+    },
+    review: {
+      enabled: config.reviewEnabled,
+      max_rounds: config.maxRounds ?? 3,
+    },
+  };
+
+  // Remove undefined fields
+  for (const key of Object.keys(doc)) {
+    if (doc[key] === undefined) delete doc[key];
+  }
+
+  const header = [
+    '# openthrottle.yml — project config for Open Throttle (Daytona runtime)',
+    '# Generated by openthrottle init. Committed to the repo so the',
+    '# sandbox knows how to work with this project.',
+    '',
+  ].join('\n');
+
+  return header + stringify(doc);
+}
+
+// ---------------------------------------------------------------------------
+// 4. Copy wake-sandbox.yml
+// ---------------------------------------------------------------------------
+
+function copyWorkflow(config) {
+  const src = join(__dirname, 'templates', 'wake-sandbox.yml');
+  const destDir = join(cwd, '.github', 'workflows');
+  const dest = join(destDir, 'wake-sandbox.yml');
+  mkdirSync(destDir, { recursive: true });
+
+  let content = readFileSync(src, 'utf8');
+
+  // Inject project-specific secrets into the workflow
+  const allKeys = config.envAllKeys || [];
+  if (allKeys.length > 0) {
+    // Add env: entries for secrets
+    const envSecrets = allKeys
+      .map(k => `          ${k}: \${{ secrets.${k} }}`)
+      .join('\n');
+    content = content.replace(
+      /          # @@ENV_SECRETS@@ — scaffolder inserts project-specific secrets here/,
+      envSecrets
+    );
+
+    // Add --env flags for daytona create
+    const envFlags = allKeys
+      .map(k => `            --env ${k}=\${${k}} \\`)
+      .join('\n');
+    content = content.replace(
+      /            # @@ENV_FLAGS@@ — scaffolder inserts --env flags for project secrets here/,
+      envFlags
+    );
+  } else {
+    // No project secrets — remove the placeholder comments
+    content = content.replace(/          # @@ENV_SECRETS@@ — scaffolder inserts project-specific secrets here\n/, '');
+    content = content.replace(/            # @@ENV_FLAGS@@ — scaffolder inserts --env flags for project secrets here\n/, '');
+  }
+
+  writeFileSync(dest, content);
+  return dest;
+}
+
+// ---------------------------------------------------------------------------
+// 5. Create Daytona snapshot from pre-built image
+// ---------------------------------------------------------------------------
+
+function setupDaytona(config) {
+  const snapshotName = config.snapshotName || 'openthrottle';
+  const image = 'knoxgraeme/openthrottle:v1';
+
+  // Check daytona CLI is available
+  try {
+    execFileSync('daytona', ['--version'], { stdio: 'pipe' });
+  } catch {
+    console.log(`\n  daytona CLI not found. Install it, then run:`);
+    console.log(`    daytona snapshot create ${snapshotName} --image ${image} --cpu 2 --memory 4 --disk 10\n`);
+    return { snapshotName, skipped: true };
+  }
+
+  // Create snapshot from pre-built image
+  try {
+    execFileSync('daytona', [
+      'snapshot', 'create', snapshotName,
+      '--image', image,
+      '--cpu', '2', '--memory', '4', '--disk', '10',
+    ], { stdio: ['pipe', 'pipe', 'pipe'], encoding: 'utf8' });
+    console.log(`  Created Daytona snapshot: ${snapshotName}`);
+  } catch (err) {
+    if (err.stderr?.toString().includes('already exists')) {
+      console.log(`  Snapshot already exists: ${snapshotName}`);
+    } else {
+      console.log(`  Snapshot creation failed. You can create it manually:`);
+      console.log(`    daytona snapshot create ${snapshotName} --image ${image} --cpu 2 --memory 4 --disk 10`);
+    }
+  }
+
+  return { snapshotName };
+}
+
+// ---------------------------------------------------------------------------
+// 6. Push .env secrets to GitHub repo secrets
+// ---------------------------------------------------------------------------
+
+async function pushSecrets(config) {
+  const envFiles = config.envFiles || {};
+  const paths = Object.keys(envFiles);
+  if (paths.length === 0) return;
+
+  // Check gh is available and authenticated
+  try {
+    execFileSync('gh', ['auth', 'status'], { stdio: 'pipe' });
+  } catch {
+    console.log('\n  gh CLI not authenticated — skipping secret push.');
+    console.log('  Run "gh auth login" then set secrets manually.\n');
+    return;
+  }
+
+  // Detect repo
+  let repo;
+  try {
+    repo = execFileSync('gh', ['repo', 'view', '--json', 'nameWithOwner', '--jq', '.nameWithOwner'], {
+      encoding: 'utf8', stdio: ['pipe', 'pipe', 'pipe'],
+    }).trim();
+  } catch {
+    console.log('\n  Could not detect GitHub repo — skipping secret push.\n');
+    return;
+  }
+
+  // Show what we'd push
+  console.log(`\n  Push .env secrets to GitHub repo secrets? (${repo})`);
+  console.log('  Values are encrypted at rest — not readable after upload.\n');
+  for (const [path, keys] of Object.entries(envFiles)) {
+    console.log(`    ${path} (${keys.length} keys): ${keys.join(', ')}`);
+  }
+  console.log('');
+
+  const { confirm } = await prompts({
+    type: 'confirm', name: 'confirm',
+    message: `Push ${config.envAllKeys.length} secret(s) to ${repo}?`, initial: false,
+  }, { onCancel: () => {} });
+
+  if (!confirm) {
+    console.log('  Skipped secret push.');
+    return;
+  }
+
+  let pushed = 0;
+  let failed = 0;
+  for (const [path, keys] of Object.entries(envFiles)) {
+    const fullPath = join(cwd, path);
+    let content;
+    try {
+      content = readFileSync(fullPath, 'utf8');
+    } catch {
+      console.log(`  Could not read ${path} — skipping`);
+      failed += keys.length;
+      continue;
+    }
+
+    // Parse key=value pairs
+    for (const line of content.split('\n')) {
+      const trimmed = line.trim();
+      if (!trimmed || trimmed.startsWith('#')) continue;
+      const cleaned = trimmed.replace(/^export\s+/, '');
+      const eqIdx = cleaned.indexOf('=');
+      if (eqIdx === -1) continue;
+      const key = cleaned.slice(0, eqIdx);
+      let value = cleaned.slice(eqIdx + 1);
+      // Strip surrounding quotes
+      if ((value.startsWith('"') && value.endsWith('"')) || (value.startsWith("'") && value.endsWith("'"))) {
+        value = value.slice(1, -1);
+      }
+      if (!keys.includes(key)) continue;
+
+      try {
+        execFileSync('gh', ['secret', 'set', key, '--repo', repo], {
+          input: value,
+          stdio: ['pipe', 'pipe', 'pipe'],
+        });
+        pushed++;
+      } catch (err) {
+        const stderr = err.stderr?.toString().trim() || err.message;
+        console.log(`  Failed to set ${key}: ${stderr}`);
+        failed++;
+      }
+    }
+  }
+
+  console.log(`  Pushed ${pushed} secret(s) to ${repo}${failed > 0 ? ` (${failed} failed)` : ''}`);
+}
+
+// ---------------------------------------------------------------------------
+// 7. Print next steps
+// ---------------------------------------------------------------------------
+
+function printNextSteps(config) {
+  const agentSecret =
+    config.agent === 'claude'
+      ? '     ANTHROPIC_API_KEY            <- option a: pay-per-use API key\n     CLAUDE_CODE_OAUTH_TOKEN      <- option b: subscription token (claude setup-token)'
+      : config.agent === 'codex'
+        ? '     OPENAI_API_KEY               <- required for Codex'
+        : '     OPENAI_API_KEY               <- or ANTHROPIC_API_KEY (depends on your Aider model)';
+  const secrets = [
+    '     DAYTONA_API_KEY              <- required',
+    agentSecret,
+  ];
+
+  // Project-specific secrets from env_files
+  const projectKeys = config.envAllKeys || [];
+  const projectSecrets = projectKeys.length > 0
+    ? '\n\n     Project secrets (from .env files):\n' +
+      projectKeys.map(k => `     ${k}`).join('\n')
+    : '';
+
+  console.log(`
+  Next steps:
+
+  1. Set GitHub repo secrets:
+${secrets.join('\n')}
+     TELEGRAM_BOT_TOKEN            <- optional (notifications)
+     TELEGRAM_CHAT_ID              <- optional (notifications)${projectSecrets}
+
+  2. Commit and push:
+     git add .openthrottle.yml .github/workflows/wake-sandbox.yml
+     git commit -m "feat: add openthrottle config"
+     git push
+
+  3. Ship your first prompt:
+     npx openthrottle ship docs/prds/my-feature.md
+`);
+}
+
+// ---------------------------------------------------------------------------
+// Main (exported for use by index.mjs)
+// ---------------------------------------------------------------------------
+
+export default async function init() {
+  console.log('\n  openthrottle init\n');
+
+  // Step 1: Detect
+  const detected = detectProject();
+  const { envFiles, allKeys: envAllKeys } = detectEnvFiles();
+
+  if (Object.keys(envFiles).length > 0) {
+    console.log(`  Found ${Object.keys(envFiles).length} .env file(s):`);
+    for (const [path, keys] of Object.entries(envFiles)) {
+      console.log(`    ${path} (${keys.length} keys)`);
+    }
+    console.log('');
+  }
+
+  // Step 2: Prompt
+  const config = await promptConfig(detected);
+  config.envFiles = envFiles;
+  config.envAllKeys = envAllKeys;
+
+  // Step 3: Generate config
+  const configPath = join(cwd, '.openthrottle.yml');
+  if (existsSync(configPath)) {
+    const { overwrite } = await prompts({
+      type: 'confirm', name: 'overwrite',
+      message: '.openthrottle.yml already exists. Overwrite?', initial: false,
+    }, { onCancel: () => { console.log('\nCancelled.'); process.exit(0); } });
+    if (!overwrite) { console.log('  Skipped .openthrottle.yml'); }
+    else { writeFileSync(configPath, generateConfig(config)); console.log('  Generated .openthrottle.yml'); }
+  } else {
+    writeFileSync(configPath, generateConfig(config));
+    console.log('  Generated .openthrottle.yml');
+  }
+
+  // Step 4: Copy workflow
+  const workflowPath = join(cwd, '.github', 'workflows', 'wake-sandbox.yml');
+  if (existsSync(workflowPath)) {
+    const { overwrite } = await prompts({
+      type: 'confirm', name: 'overwrite',
+      message: 'wake-sandbox.yml already exists. Overwrite?', initial: false,
+    }, { onCancel: () => { console.log('\nCancelled.'); process.exit(0); } });
+    if (!overwrite) { console.log('  Skipped wake-sandbox.yml'); }
+    else { copyWorkflow(config); console.log('  Copied .github/workflows/wake-sandbox.yml'); }
+  } else {
+    copyWorkflow(config);
+    console.log('  Copied .github/workflows/wake-sandbox.yml');
+  }
+
+  // Step 5: Create Daytona snapshot
+  setupDaytona(config);
+
+  // Step 6: Push secrets
+  await pushSecrets(config);
+
+  // Step 7: Next steps
+  printNextSteps(config);
+}

package/package.json

@@ -1,15 +1,32 @@
 {
   "name": "openthrottle",
-  "version": "0.0.1",
-  "description": "OpenThrottle CLI — coming soon.",
+  "version": "0.1.0",
+  "description": "CLI for Open Throttle — ship prompts to Daytona sandboxes.",
+  "type": "module",
+  "bin": {
+    "openthrottle": "./index.mjs"
+  },
+  "files": [
+    "index.mjs",
+    "init.mjs",
+    "templates/"
+  ],
+  "dependencies": {
+    "prompts": "^2.4.2",
+    "yaml": "^2.4.0"
+  },
+  "engines": {
+    "node": ">=18"
+  },
   "license": "MIT",
   "repository": {
     "type": "git",
-    "url": "https://github.com/knoxgraeme/sodaprompts"
+    "url": "https://github.com/knoxgraeme/openthrottle"
   },
   "keywords": [
     "openthrottle",
     "daytona",
-    "agent"
+    "agent",
+    "cli"
   ]
 }

package/templates/wake-sandbox.yml

@@ -0,0 +1,150 @@
+# Wake Daytona sandbox when work arrives on GitHub.
+#
+# Triggers:
+#   - Issue labeled prd-queued or bug-queued → builder sandbox
+#   - PR labeled needs-review               → reviewer sandbox
+#   - PR review with changes_requested      → review-fix sandbox
+#
+# Each trigger creates a fresh ephemeral sandbox — no polling, no long-lived state.
+# Multiple triggers fire in parallel (one sandbox per task).
+#
+# Required repository secrets:
+#   DAYTONA_API_KEY          — API key from daytona.io
+#   ANTHROPIC_API_KEY        — (option a) or
+#   CLAUDE_CODE_OAUTH_TOKEN  — (option b) for Claude Code auth
+#   TELEGRAM_BOT_TOKEN       — optional, for notifications
+#   TELEGRAM_CHAT_ID         — optional, for notifications
+#   SUPABASE_ACCESS_TOKEN    — optional, for Supabase MCP
+
+name: Wake Sandbox
+
+on:
+  issues:
+    types: [labeled]
+  pull_request:
+    types: [labeled]
+  pull_request_review:
+    types: [submitted]
+
+concurrency:
+  group: openthrottle-${{ github.event.issue.number || github.event.pull_request.number }}
+  cancel-in-progress: false
+
+permissions:
+  contents: read
+  issues: write
+  pull-requests: write
+
+jobs:
+  run-task:
+    if: >-
+      contains(fromJSON('["prd-queued", "bug-queued", "needs-review", "needs-investigation"]'), github.event.label.name) ||
+      (github.event.review.state == 'changes_requested')
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Resolve work item
+        id: work
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          EVENT_LABEL: ${{ github.event.label.name }}
+          EVENT_REVIEW_STATE: ${{ github.event.review.state }}
+          EVENT_ISSUE_NUM: ${{ github.event.issue.number }}
+          EVENT_PR_NUM: ${{ github.event.pull_request.number }}
+        run: |
+          # Determine work item number
+          WORK_ITEM="${EVENT_ISSUE_NUM}"
+          if [[ -z "$WORK_ITEM" ]]; then
+            WORK_ITEM="${EVENT_PR_NUM}"
+          fi
+          if [[ -z "$WORK_ITEM" ]]; then
+            echo "::error::Could not determine work item number from event payload"
+            exit 1
+          fi
+          echo "item=$WORK_ITEM" >> "$GITHUB_OUTPUT"
+
+          # Determine task type (using env vars, not inline ${{ }} expressions)
+          TASK_TYPE="prd"
+          if [[ "$EVENT_LABEL" == "bug-queued" ]]; then
+            TASK_TYPE="bug"
+          elif [[ "$EVENT_LABEL" == "needs-review" ]]; then
+            TASK_TYPE="review"
+          elif [[ "$EVENT_LABEL" == "needs-investigation" ]]; then
+            TASK_TYPE="investigation"
+          elif [[ "$EVENT_REVIEW_STATE" == "changes_requested" ]]; then
+            TASK_TYPE="review-fix"
+          fi
+          echo "task_type=$TASK_TYPE" >> "$GITHUB_OUTPUT"
+
+          # Extract session ID for review fixes
+          RESUME_SESSION=""
+          if [[ "$TASK_TYPE" == "review-fix" ]]; then
+            RESUME_SESSION=$(gh pr view "$EVENT_PR_NUM" --json comments \
+              --jq '[.comments[].body | capture("session-id: (?<id>[^ ]+)") | .id] | last // empty') || true
+          fi
+          echo "resume_session=$RESUME_SESSION" >> "$GITHUB_OUTPUT"
+
+      - name: Validate config
+        id: config
+        run: |
+          SNAPSHOT=$(yq '.snapshot // ""' .openthrottle.yml)
+          if [[ -z "$SNAPSHOT" || "$SNAPSHOT" == "null" ]]; then
+            echo "::error::Missing 'snapshot' key in .openthrottle.yml — cannot create sandbox"
+            exit 1
+          fi
+          echo "snapshot=$SNAPSHOT" >> "$GITHUB_OUTPUT"
+
+      - name: Activate snapshot (reactivates if idle >2 weeks)
+        env:
+          DAYTONA_API_KEY: ${{ secrets.DAYTONA_API_KEY }}
+        run: |
+          daytona snapshot activate "${{ steps.config.outputs.snapshot }}" 2>/dev/null || true
+
+      - name: Create and run sandbox
+        env:
+          DAYTONA_API_KEY: ${{ secrets.DAYTONA_API_KEY }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
+          CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
+          SUPABASE_ACCESS_TOKEN: ${{ secrets.SUPABASE_ACCESS_TOKEN }}
+          # @@ENV_SECRETS@@ — scaffolder inserts project-specific secrets here
+        run: |
+          # Create ephemeral sandbox
+          OUTPUT=$(daytona create \
+            --snapshot "${{ steps.config.outputs.snapshot }}" \
+            --auto-delete 0 \
+            --auto-stop 60 \
+            --cpu 2 --memory 4096 --disk 10 \
+            --label project=${{ github.event.repository.name }} \
+            --label task_type="${{ steps.work.outputs.task_type }}" \
+            --label issue="${{ steps.work.outputs.item }}" \
+            --volume openthrottle-${{ github.repository_id }}:/home/daytona/.claude \
+            --env GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} \
+            --env GITHUB_REPO=${{ github.repository }} \
+            --env ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY} \
+            --env CLAUDE_CODE_OAUTH_TOKEN=${CLAUDE_CODE_OAUTH_TOKEN} \
+            --env OPENAI_API_KEY=${OPENAI_API_KEY} \
+            --env SUPABASE_ACCESS_TOKEN=${SUPABASE_ACCESS_TOKEN} \
+            --env TELEGRAM_BOT_TOKEN=${{ secrets.TELEGRAM_BOT_TOKEN }} \
+            --env TELEGRAM_CHAT_ID=${{ secrets.TELEGRAM_CHAT_ID }} \
+            --env WORK_ITEM="${{ steps.work.outputs.item }}" \
+            --env TASK_TYPE="${{ steps.work.outputs.task_type }}" \
+            --env RESUME_SESSION="${{ steps.work.outputs.resume_session }}" \
+            # @@ENV_FLAGS@@ — scaffolder inserts --env flags for project secrets here
+            2>&1) || {
+              # Redact secrets from error output
+              SAFE_OUTPUT=$(echo "$OUTPUT" | sed \
+                -e "s/${ANTHROPIC_API_KEY:-___}/[REDACTED]/g" \
+                -e "s/${CLAUDE_CODE_OAUTH_TOKEN:-___}/[REDACTED]/g" \
+                -e "s/${OPENAI_API_KEY:-___}/[REDACTED]/g" \
+                -e "s/${SUPABASE_ACCESS_TOKEN:-___}/[REDACTED]/g" \
+                -e "s/${GH_TOKEN:-___}/[REDACTED]/g")
+              echo "::error::Sandbox creation failed: $SAFE_OUTPUT"
+              exit 1
+            }
+          SANDBOX_ID="$OUTPUT"
+
+          echo "Sandbox created: $SANDBOX_ID"
+          echo "Task: ${{ steps.work.outputs.task_type }} #${{ steps.work.outputs.item }}"