relight-cli 0.1.0

package/README.md

@@ -0,0 +1,199 @@
+# Relight
+
+Deploy Docker containers to your cloud with scale-to-zero. Apps sleep when idle and wake on the next request.
+
+```
+$ relight deploy myapp . --compute gcp
+  Building image...
+  Pushing to gcr.io/my-project/myapp:v1...
+  Deploying to Cloud Run (us-east1)...
+
+--> Live at https://myapp-abc123.run.app
+    Sleeps after 30s idle. $0 when sleeping.
+```
+
+## What this is
+
+Relight is a CLI that deploys and manages Docker containers across multiple cloud providers. It talks directly to each cloud's API using your own credentials. No vendor infrastructure gets installed in your account.
+
+Supported compute backends:
+
+| Cloud | Backend | Scale to zero |
+|---|---|---|
+| GCP | Cloud Run | Yes |
+| AWS | App Runner | Yes |
+| Cloudflare | Containers (Workers + Durable Objects) | Yes |
+
+More backends planned: Azure Container Apps.
+
+## Install
+
+```sh
+npm install -g relight
+```
+
+Requires Node.js 20+ and Docker.
+
+## Quick start
+
+```sh
+# Authenticate with a cloud provider
+relight auth --compute gcp
+
+# Deploy from a Dockerfile
+relight deploy myapp .
+
+# Check your apps
+relight apps
+
+# Stream logs
+relight logs myapp
+
+# Open in browser
+relight open myapp
+```
+
+The first deploy links the current directory to the app name. After that, `relight deploy` is enough.
+
+## Commands
+
+```
+relight auth                         Authenticate with a cloud provider
+relight deploy [name] [path]         Deploy an app from a Dockerfile
+relight apps                         List all deployed apps across all clouds
+relight apps info [name]             Show detailed app info
+relight apps destroy [name]          Destroy an app and its cloud resources
+relight ps [name]                    Show running containers and resource usage
+relight logs [name]                  Stream live logs
+relight open [name]                  Open app URL in browser
+relight config show [name]           Show environment variables
+relight config set KEY=VALUE         Set env vars (applied live, no redeploy)
+relight config unset KEY             Remove an env var
+relight config import -f .env        Import from .env file
+relight scale [name]                 Show or adjust instance count and resources
+relight domains list [name]          List custom domains
+relight domains add [domain]         Add a custom domain with DNS setup
+relight domains remove [domain]      Remove a custom domain
+relight regions [--compute <cloud>]  List available regions for a cloud
+relight cost [name]                  Show estimated costs
+relight doctor                       Check local setup and cloud connectivity
+```
+
+Config changes (`config set`, `config unset`, `scale`, `domains`) are applied live without redeploying the container image.
+
+## How it works
+
+1. `relight auth` stores a scoped API token locally at `~/.relight/config.json`. One token per cloud provider. No cross-account IAM roles, no OAuth flows, no vendor access to your account.
+
+2. `relight deploy` builds a Docker image locally, pushes it to the cloud's container registry (GCR, Cloudflare Registry, ECR), and deploys it using the cloud's native container service.
+
+3. The deployed app sleeps after a configurable idle period (default 30s). The next incoming request wakes it. Cold starts are typically 1-5 seconds depending on the cloud and image size.
+
+4. All app state (config, scaling, domains) lives in the cloud provider's API. The only local files are your auth token and a `.relight` link file in your project directory. You can manage your apps from any machine.
+
+## Fleet view
+
+When you authenticate with multiple clouds, `relight apps` shows everything in one table:
+
+```
+$ relight apps
+
+NAME         CLOUD    STATUS     INSTANCES  COST/MTD   LAST ACTIVE
+myapi        gcp      sleeping   0/3        $0.12      2h ago
+frontend     cf       active     2/5        $1.84      now
+dashboard    gcp      sleeping   0/1        $0.00      3d ago
+───────────────────────────────────────────────────────────────
+                                 TOTAL      $1.96
+```
+
+## BYOC model
+
+Relight deploys to cloud accounts you own. You pay the cloud provider directly at their published rates. Relight itself is free for individual use.
+
+What this means in practice:
+
+- **Your credentials stay local.** The API token is stored on your machine. Relight has no backend service that holds your cloud credentials.
+- **Nothing is installed in your account.** No Kubernetes clusters, no CloudFormation stacks, no VPCs, no agent processes. Relight uses the cloud's existing container services.
+- **You can stop using Relight anytime.** Your apps are standard Cloud Run services / App Runner services / CF Workers. They continue running without Relight. There's nothing to uninstall.
+
+## Scaling
+
+```sh
+# Set instance count
+relight scale myapp -i 4
+
+# Set resources
+relight scale myapp --vcpu 1 --memory 512
+
+# Set idle timeout
+relight deploy myapp . --sleep-after 60
+
+# Multi-region (cloud support varies)
+relight deploy myapp . --regions us-east1,europe-west1
+```
+
+Relight does not autoscale. You set the maximum instance count and the cloud provider handles scaling between 0 and that limit based on traffic.
+
+## Custom domains
+
+```sh
+relight domains add myapp.example.com
+
+# Relight creates the DNS record if your domain's DNS is on a supported provider
+# Otherwise it prints the record for you to create manually
+```
+
+## What Relight doesn't do
+
+- **Not a general infrastructure tool.** Relight deploys Docker containers with scale-to-zero. It doesn't manage databases, queues, cron jobs, or other infrastructure. Use Terraform, Pulumi, or cloud consoles for those.
+- **No autoscaling.** You set max instances. The cloud scales between 0 and your max based on traffic. There's no custom autoscaling logic.
+- **No CI/CD.** Relight is a deployment tool, not a build pipeline. Integrate it into your CI by running `relight deploy` in your workflow.
+- **Cold starts.** Sleeping apps take 1-5 seconds to respond to the first request. This is inherent to scale-to-zero and varies by cloud and image size.
+
+## Cloud-specific notes
+
+### GCP (Cloud Run)
+
+- Requires a GCP project with Cloud Run and Artifact Registry APIs enabled.
+- Token: service account key or `gcloud auth print-access-token`.
+- Regions: any Cloud Run region. Run `relight regions --compute gcp` to list.
+- Scale-to-zero is native. Minimum instances can be set to 0.
+
+### AWS (App Runner)
+
+- Requires an AWS account with App Runner and ECR access.
+- Token: IAM access key with `apprunner:*` and `ecr:*` permissions, or use `aws configure`.
+- Regions: any App Runner region. Run `relight regions --compute aws` to list.
+- Scale-to-zero is native. Services pause when idle and resume on the next request.
+
+### Cloudflare (Containers)
+
+- Requires a Cloudflare account with Containers access (paid Workers plan).
+- Token: Cloudflare API token with `workers_scripts:edit` and `containers:edit` permissions.
+- Each app is a Worker backed by Durable Objects running your container. The CLI bundles and uploads the Worker template automatically.
+- Regions use Durable Object `locationHints` — placement is best-effort, not guaranteed.
+
+## Configuration
+
+Auth config is stored at `~/.relight/config.json`:
+
+```json
+{
+  "clouds": {
+    "gcp": { "token": "...", "project": "my-project" },
+    "aws": { "accessKeyId": "...", "secretAccessKey": "...", "region": "us-east-1" },
+    "cf": { "token": "...", "accountId": "..." }
+  },
+  "default_compute": "gcp"
+}
+```
+
+Per-project app linking is stored in a `.relight` file in your project directory:
+
+```json
+{ "app": "myapp", "compute": "gcp" }
+```
+
+## License
+
+MIT

package/package.json

@@ -0,0 +1,27 @@
+{
+  "name": "relight-cli",
+  "version": "0.1.0",
+  "description": "Deploy and manage Docker containers across clouds with scale-to-zero",
+  "bin": {
+    "relight": "./src/cli.js"
+  },
+  "type": "module",
+  "license": "MIT",
+  "files": [
+    "src"
+  ],
+  "keywords": [
+    "docker",
+    "deploy",
+    "paas",
+    "cloudflare",
+    "gcp",
+    "aws",
+    "scale-to-zero",
+    "multi-cloud"
+  ],
+  "dependencies": {
+    "commander": "^13.0.0",
+    "kleur": "^4.1.5"
+  }
+}

package/src/cli.js

@@ -0,0 +1,32 @@
+#!/usr/bin/env node
+
+import { Command } from "commander";
+import { auth } from "./commands/auth.js";
+import { doctor } from "./commands/doctor.js";
+
+var program = new Command();
+
+program
+  .name("relight")
+  .description("Deploy and manage Docker containers across clouds with scale-to-zero")
+  .version("0.1.0");
+
+// --- Auth ---
+
+program
+  .command("auth")
+  .description("Authenticate with a cloud provider")
+  .option(
+    "-c, --cloud <cloud>",
+    "Cloud provider (cf, gcp, aws)"
+  )
+  .action(auth);
+
+// --- Doctor ---
+
+program
+  .command("doctor")
+  .description("Check system setup and cloud connectivity")
+  .action(doctor);
+
+program.parse();

package/src/commands/auth.js

@@ -0,0 +1,302 @@
+import { createInterface } from "readline";
+import { execSync } from "child_process";
+import { existsSync } from "fs";
+import { resolve } from "path";
+import { success, fatal, hint, fmt } from "../lib/output.js";
+import {
+  tryGetConfig,
+  saveConfig,
+  CLOUD_NAMES,
+  CLOUD_IDS,
+} from "../lib/config.js";
+import { TOKEN_URL, verifyToken, listAccounts } from "../lib/clouds/cf.js";
+import {
+  readKeyFile,
+  mintAccessToken,
+  verifyProject,
+} from "../lib/clouds/gcp.js";
+import { verifyCredentials as awsVerify } from "../lib/clouds/aws.js";
+import kleur from "kleur";
+
+function prompt(rl, question) {
+  return new Promise((resolve) => rl.question(question, resolve));
+}
+
+export async function auth(options) {
+  var compute = options.cloud;
+
+  var rl = createInterface({ input: process.stdin, output: process.stderr });
+
+  if (!compute) {
+    process.stderr.write(`\n${kleur.bold("Authenticate with a cloud provider")}\n\n`);
+    for (var i = 0; i < CLOUD_IDS.length; i++) {
+      process.stderr.write(
+        `  ${kleur.bold(`[${i + 1}]`)} ${CLOUD_NAMES[CLOUD_IDS[i]]}\n`
+      );
+    }
+    process.stderr.write("\n");
+
+    var choice = await prompt(rl, `Select cloud [1-${CLOUD_IDS.length}]: `);
+    var idx = parseInt(choice, 10) - 1;
+
+    if (isNaN(idx) || idx < 0 || idx >= CLOUD_IDS.length) {
+      rl.close();
+      fatal("Invalid selection.");
+    }
+
+    compute = CLOUD_IDS[idx];
+  }
+
+  compute = normalizeCompute(compute);
+  if (!CLOUD_NAMES[compute]) {
+    rl.close();
+    fatal(
+      `Unknown cloud: ${compute}`,
+      `Supported: ${CLOUD_IDS.join(", ")}`
+    );
+  }
+
+  process.stderr.write(
+    `\n${kleur.bold(`Authenticate with ${CLOUD_NAMES[compute]}`)}\n`
+  );
+
+  var cloudConfig;
+
+  switch (compute) {
+    case "cf":
+      cloudConfig = await authCloudflare(rl);
+      break;
+    case "gcp":
+      cloudConfig = await authGCP(rl);
+      break;
+    case "aws":
+      cloudConfig = await authAWS(rl);
+      break;
+  }
+
+  rl.close();
+
+  // Merge into existing config
+  var config = tryGetConfig() || { clouds: {} };
+  if (!config.clouds) config.clouds = {};
+  config.clouds[compute] = cloudConfig;
+
+  if (!config.default_cloud) {
+    config.default_cloud = compute;
+  }
+
+  saveConfig(config);
+
+  success(`Authenticated with ${CLOUD_NAMES[compute]}!`);
+
+  if (config.default_cloud === compute) {
+    hint("Default", `${CLOUD_NAMES[compute]} is your default cloud`);
+  }
+  hint("Next", `relight deploy <name> .`);
+}
+
+function normalizeCompute(input) {
+  var aliases = {
+    cloudflare: "cf",
+    cf: "cf",
+    gcp: "gcp",
+    "google-cloud": "gcp",
+    "cloud-run": "gcp",
+    aws: "aws",
+    amazon: "aws",
+    "app-runner": "aws",
+  };
+  return aliases[input.toLowerCase()] || input.toLowerCase();
+}
+
+// --- Cloudflare ---
+
+async function authCloudflare(rl) {
+  process.stderr.write(`\n  ${kleur.bold("Setup")}\n\n`);
+  process.stderr.write(`  1. Log in to the Cloudflare dashboard\n`);
+  process.stderr.write(`  2. Open this link to create a pre-filled API token:\n\n`);
+  process.stderr.write(`     ${fmt.url(TOKEN_URL)}\n\n`);
+  process.stderr.write(`  3. Click ${kleur.bold("Continue to summary")} then ${kleur.bold("Create Token")}\n`);
+  process.stderr.write(`  4. Copy the token\n\n`);
+
+  var apiToken = await prompt(rl, "Paste your API token: ");
+  apiToken = (apiToken || "").trim();
+  if (!apiToken) fatal("No token provided.");
+
+  process.stderr.write("\nVerifying...\n");
+  try {
+    await verifyToken(apiToken);
+  } catch (e) {
+    fatal("Token verification failed.", e.message);
+  }
+
+  var accounts = await listAccounts(apiToken);
+  if (accounts.length === 0) {
+    fatal("No accounts found for this token.");
+  }
+
+  var account;
+  if (accounts.length === 1) {
+    account = accounts[0];
+  } else {
+    process.stderr.write("\nMultiple accounts found:\n\n");
+    for (var i = 0; i < accounts.length; i++) {
+      process.stderr.write(
+        `  ${kleur.bold(`[${i + 1}]`)} ${accounts[i].name} ${fmt.dim(`(${accounts[i].id})`)}\n`
+      );
+    }
+    process.stderr.write("\n");
+
+    var choice = await prompt(rl, `Select account [1-${accounts.length}]: `);
+    var idx = parseInt(choice, 10) - 1;
+    if (isNaN(idx) || idx < 0 || idx >= accounts.length) {
+      fatal("Invalid selection.");
+    }
+    account = accounts[idx];
+  }
+
+  process.stderr.write(
+    `  Account: ${fmt.bold(account.name)} ${fmt.dim(`(${account.id})`)}\n`
+  );
+
+  return { token: apiToken, accountId: account.id };
+}
+
+// --- GCP ---
+
+async function authGCP(rl) {
+  var SA_URL =
+    "https://console.cloud.google.com/iam-admin/serviceaccounts/create";
+  var ENABLE_APIS =
+    "https://console.cloud.google.com/apis/enableflow?apiid=run.googleapis.com,artifactregistry.googleapis.com";
+
+  process.stderr.write(`\n  ${kleur.bold("Setup")}\n\n`);
+  process.stderr.write(`  1. Enable the Cloud Run and Artifact Registry APIs:\n`);
+  process.stderr.write(`     ${fmt.url(ENABLE_APIS)}\n\n`);
+  process.stderr.write(`  2. Create a service account:\n`);
+  process.stderr.write(`     ${fmt.url(SA_URL)}\n\n`);
+  process.stderr.write(`     Name it ${fmt.val("relight")} and grant these roles:\n`);
+  process.stderr.write(`       ${fmt.val("Cloud Run Admin")}\n`);
+  process.stderr.write(`       ${fmt.val("Artifact Registry Admin")}\n`);
+  process.stderr.write(`       ${fmt.val("Service Account User")}\n\n`);
+  process.stderr.write(`  3. Go to the service account → ${kleur.bold("Keys")} tab\n`);
+  process.stderr.write(`  4. ${kleur.bold("Add Key")} → ${kleur.bold("Create new key")} → ${kleur.bold("JSON")}\n`);
+  process.stderr.write(`  5. Save the downloaded file\n\n`);
+
+  var keyPath = await prompt(rl, "Path to service account key JSON: ");
+  keyPath = (keyPath || "").trim();
+  if (!keyPath) fatal("No key file provided.");
+
+  keyPath = resolve(keyPath.replace(/^~\//, process.env.HOME + "/"));
+  if (!existsSync(keyPath)) {
+    fatal(`File not found: ${keyPath}`);
+  }
+
+  var key;
+  try {
+    key = readKeyFile(keyPath);
+  } catch (e) {
+    fatal("Failed to read key file.", e.message);
+  }
+
+  var project = key.project;
+  if (!project) {
+    project = await prompt(rl, "GCP project ID: ");
+    project = (project || "").trim();
+    if (!project) fatal("No project provided.");
+  }
+
+  process.stderr.write("\nVerifying...\n");
+
+  var token;
+  try {
+    token = await mintAccessToken(key.clientEmail, key.privateKey);
+  } catch (e) {
+    fatal("Failed to mint access token.", e.message);
+  }
+
+  try {
+    await verifyProject(token, project);
+  } catch (e) {
+    fatal("Project verification failed.", e.message);
+  }
+
+  process.stderr.write(`  Project: ${fmt.bold(project)}\n`);
+  process.stderr.write(`  Service account: ${fmt.dim(key.clientEmail)}\n`);
+
+  return { clientEmail: key.clientEmail, privateKey: key.privateKey, project };
+}
+
+// --- AWS ---
+
+async function authAWS(rl) {
+  var IAM_CONSOLE = "https://console.aws.amazon.com/iam/home#/users";
+
+  process.stderr.write(`\n  ${kleur.bold("Setup")}\n\n`);
+  process.stderr.write(`  1. Open the IAM console:\n`);
+  process.stderr.write(`     ${fmt.url(IAM_CONSOLE)}\n\n`);
+  process.stderr.write(`  2. Create a user and attach these policies:\n`);
+  process.stderr.write(`     ${fmt.val("AWSAppRunnerFullAccess")}\n`);
+  process.stderr.write(`     ${fmt.val("AmazonEC2ContainerRegistryFullAccess")}\n\n`);
+  process.stderr.write(`  3. Go to the user's ${kleur.bold("Security credentials")} tab\n`);
+  process.stderr.write(`  4. Click ${kleur.bold("Create access key")} → choose ${kleur.bold("Command Line Interface")}\n`);
+  process.stderr.write(`  5. Copy the Access Key ID and Secret Access Key\n\n`);
+
+  // Detect from env vars as fallback
+  var detectedKeyId = process.env.AWS_ACCESS_KEY_ID || null;
+  var detectedSecret = process.env.AWS_SECRET_ACCESS_KEY || null;
+  var detectedRegion =
+    process.env.AWS_DEFAULT_REGION || process.env.AWS_REGION || null;
+
+  var accessKeyId;
+  if (detectedKeyId) {
+    var input = await prompt(
+      rl,
+      `AWS Access Key ID [${detectedKeyId.slice(0, 8)}...]: `
+    );
+    accessKeyId = (input || "").trim() || detectedKeyId;
+  } else {
+    accessKeyId = await prompt(rl, "AWS Access Key ID: ");
+    accessKeyId = (accessKeyId || "").trim();
+    if (!accessKeyId) fatal("No access key provided.");
+  }
+
+  var secretAccessKey;
+  if (detectedSecret && accessKeyId === detectedKeyId) {
+    var input = await prompt(rl, "AWS Secret Access Key [detected]: ");
+    secretAccessKey = (input || "").trim() || detectedSecret;
+  } else {
+    secretAccessKey = await prompt(rl, "AWS Secret Access Key: ");
+    secretAccessKey = (secretAccessKey || "").trim();
+    if (!secretAccessKey) fatal("No secret key provided.");
+  }
+
+  var defaultRegion = detectedRegion || "us-east-1";
+  var region = await prompt(rl, `AWS Region [${defaultRegion}]: `);
+  region = (region || "").trim() || defaultRegion;
+
+  process.stderr.write("\nVerifying...\n");
+  try {
+    await awsVerify({ accessKeyId, secretAccessKey }, region);
+  } catch (e) {
+    fatal("Credential verification failed.", e.message);
+  }
+
+  process.stderr.write(`  Region: ${fmt.bold(region)}\n`);
+
+  return { accessKeyId, secretAccessKey, region };
+}
+
+// --- Helpers ---
+
+function tryExec(cmd) {
+  try {
+    return execSync(cmd + " 2>/dev/null", {
+      stdio: ["pipe", "pipe", "pipe"],
+      encoding: "utf-8",
+      timeout: 5000,
+    }).trim() || null;
+  } catch {
+    return null;
+  }
+}

package/src/commands/doctor.js

@@ -0,0 +1,197 @@
+import { execSync } from "child_process";
+import { existsSync } from "fs";
+import {
+  tryGetConfig,
+  CONFIG_PATH,
+  CLOUD_NAMES,
+} from "../lib/config.js";
+import { verifyToken as cfVerify, getWorkersSubdomain } from "../lib/clouds/cf.js";
+import { mintAccessToken, verifyProject as gcpVerifyProject, listRegions as gcpListRegions } from "../lib/clouds/gcp.js";
+import { verifyCredentials as awsVerify, checkAppRunner } from "../lib/clouds/aws.js";
+import kleur from "kleur";
+
+var PASS = kleur.green("[ok]");
+var FAIL = kleur.red("[!!]");
+var SKIP = kleur.yellow("[--]");
+
+export async function doctor() {
+  process.stderr.write(`\n${kleur.bold("relight doctor")}\n`);
+  process.stderr.write(`${kleur.dim("─".repeat(50))}\n\n`);
+  var allGood = true;
+
+  // --- General checks ---
+
+  process.stderr.write(kleur.bold("  System\n"));
+
+  allGood =
+    check("Docker installed", () => {
+      execSync("docker --version", { stdio: "pipe" });
+    }) && allGood;
+
+  allGood =
+    check("Docker daemon running", () => {
+      execSync("docker info", { stdio: "pipe", timeout: 5000 });
+    }) && allGood;
+
+  check("Node.js >= 20", () => {
+    var major = parseInt(process.version.slice(1), 10);
+    if (major < 20) throw new Error(`Node ${process.version} (need >= 20)`);
+  });
+
+  allGood =
+    check("Auth config exists", () => {
+      if (!existsSync(CONFIG_PATH)) throw new Error("Not found");
+    }) && allGood;
+
+  var config = tryGetConfig();
+  var clouds = config && config.clouds ? config.clouds : {};
+  var authenticatedClouds = Object.keys(clouds).filter(
+    (id) => clouds[id] && Object.keys(clouds[id]).length > 0
+  );
+
+  if (authenticatedClouds.length === 0) {
+    process.stderr.write(
+      `\n  ${SKIP}  No clouds configured. Run ${kleur.bold().cyan("relight auth")} to get started.\n`
+    );
+  }
+
+  // --- Per-cloud checks ---
+
+  for (var cloudId of authenticatedClouds) {
+    process.stderr.write(`\n${kleur.bold(`  ${CLOUD_NAMES[cloudId] || cloudId}`)}\n`);
+
+    switch (cloudId) {
+      case "cf":
+        allGood = (await checkCloudflare(clouds.cf)) && allGood;
+        break;
+      case "gcp":
+        allGood = (await checkGCP(clouds.gcp)) && allGood;
+        break;
+      case "aws":
+        allGood = (await checkAWS(clouds.aws)) && allGood;
+        break;
+    }
+  }
+
+  // --- Summary ---
+
+  process.stderr.write(`\n${kleur.dim("─".repeat(50))}\n`);
+  if (allGood) {
+    process.stderr.write(kleur.green("All checks passed.\n\n"));
+  } else {
+    process.stderr.write(
+      kleur.yellow("Some checks failed. Fix the issues above and re-run.\n\n")
+    );
+  }
+}
+
+// --- Cloudflare checks ---
+
+async function checkCloudflare(cfg) {
+  var ok = true;
+
+  ok =
+    (await asyncCheck("API token valid", async () => {
+      await cfVerify(cfg.token);
+    })) && ok;
+
+  ok =
+    (await asyncCheck("Account accessible", async () => {
+      var { listAccounts } = await import("../lib/clouds/cf.js");
+      var accounts = await listAccounts(cfg.token);
+      if (!accounts.length) throw new Error("No accounts");
+      var match = accounts.find((a) => a.id === cfg.accountId);
+      if (!match) throw new Error(`Account ${cfg.accountId} not found`);
+    })) && ok;
+
+  ok =
+    (await asyncCheck("Workers subdomain configured", async () => {
+      var sub = await getWorkersSubdomain(cfg.accountId, cfg.token);
+      if (!sub) throw new Error("Not configured");
+    })) && ok;
+
+  return ok;
+}
+
+// --- GCP checks ---
+
+async function checkGCP(cfg) {
+  var ok = true;
+
+  var token;
+  ok =
+    (await asyncCheck("Service account key valid", async () => {
+      token = await mintAccessToken(cfg.clientEmail, cfg.privateKey);
+    })) && ok;
+
+  if (token) {
+    ok =
+      (await asyncCheck("Project accessible", async () => {
+        await gcpVerifyProject(token, cfg.project);
+      })) && ok;
+
+    ok =
+      (await asyncCheck("Cloud Run API reachable", async () => {
+        await gcpListRegions(token, cfg.project);
+      })) && ok;
+  }
+
+  return ok;
+}
+
+// --- AWS checks ---
+
+async function checkAWS(cfg) {
+  var ok = true;
+
+  ok =
+    (await asyncCheck("Credentials valid (STS)", async () => {
+      await awsVerify(
+        { accessKeyId: cfg.accessKeyId, secretAccessKey: cfg.secretAccessKey },
+        cfg.region
+      );
+    })) && ok;
+
+  ok =
+    (await asyncCheck("App Runner accessible", async () => {
+      await checkAppRunner(
+        { accessKeyId: cfg.accessKeyId, secretAccessKey: cfg.secretAccessKey },
+        cfg.region
+      );
+    })) && ok;
+
+  return ok;
+}
+
+// --- Check helpers ---
+
+function check(label, fn) {
+  try {
+    fn();
+    process.stderr.write(`  ${PASS}  ${label}\n`);
+    return true;
+  } catch (e) {
+    process.stderr.write(`  ${FAIL}  ${label}`);
+    if (e.message) process.stderr.write(kleur.dim(` — ${e.message}`));
+    process.stderr.write("\n");
+    return false;
+  }
+}
+
+async function asyncCheck(label, fn) {
+  try {
+    await fn();
+    process.stderr.write(`  ${PASS}  ${label}\n`);
+    return true;
+  } catch (e) {
+    process.stderr.write(`  ${FAIL}  ${label}`);
+    if (e.message) process.stderr.write(kleur.dim(` — ${truncate(e.message, 80)}`));
+    process.stderr.write("\n");
+    return false;
+  }
+}
+
+function truncate(str, max) {
+  if (str.length <= max) return str;
+  return str.slice(0, max - 3) + "...";
+}

package/src/lib/clouds/aws.js

@@ -0,0 +1,223 @@
+import { createHmac, createHash } from "crypto";
+
+// AWS Signature V4 signing
+
+function sha256(data) {
+  return createHash("sha256").update(data).digest("hex");
+}
+
+function hmac(key, data) {
+  return createHmac("sha256", key).update(data).digest();
+}
+
+function getSignatureKey(secretKey, dateStamp, region, service) {
+  var kDate = hmac("AWS4" + secretKey, dateStamp);
+  var kRegion = hmac(kDate, region);
+  var kService = hmac(kRegion, service);
+  return hmac(kService, "aws4_request");
+}
+
+export async function awsApi(method, service, host, path, body, credentials, region) {
+  var now = new Date();
+  var amzDate = now.toISOString().replace(/[-:]/g, "").replace(/\.\d+/, "");
+  var dateStamp = amzDate.slice(0, 8);
+
+  var bodyStr = body ? JSON.stringify(body) : "";
+  var payloadHash = sha256(bodyStr);
+
+  var canonicalHeaders =
+    `content-type:application/x-amz-json-1.0\n` +
+    `host:${host}\n` +
+    `x-amz-date:${amzDate}\n`;
+  var signedHeaders = "content-type;host;x-amz-date";
+
+  var canonicalRequest = [
+    method,
+    path,
+    "", // query string
+    canonicalHeaders,
+    signedHeaders,
+    payloadHash,
+  ].join("\n");
+
+  var credentialScope = `${dateStamp}/${region}/${service}/aws4_request`;
+  var stringToSign = [
+    "AWS4-HMAC-SHA256",
+    amzDate,
+    credentialScope,
+    sha256(canonicalRequest),
+  ].join("\n");
+
+  var signingKey = getSignatureKey(
+    credentials.secretAccessKey,
+    dateStamp,
+    region,
+    service
+  );
+  var signature = createHmac("sha256", signingKey)
+    .update(stringToSign)
+    .digest("hex");
+
+  var authHeader =
+    `AWS4-HMAC-SHA256 ` +
+    `Credential=${credentials.accessKeyId}/${credentialScope}, ` +
+    `SignedHeaders=${signedHeaders}, ` +
+    `Signature=${signature}`;
+
+  var res = await fetch(`https://${host}${path}`, {
+    method,
+    headers: {
+      "Content-Type": "application/x-amz-json-1.0",
+      "X-Amz-Date": amzDate,
+      Authorization: authHeader,
+      Host: host,
+    },
+    body: method === "GET" ? undefined : bodyStr || undefined,
+  });
+
+  if (!res.ok) {
+    var text = await res.text();
+    throw new Error(`AWS ${service} ${method} ${path}: ${res.status} ${text}`);
+  }
+
+  var ct = res.headers.get("content-type") || "";
+  if (ct.includes("json")) {
+    return res.json();
+  }
+  return res.text();
+}
+
+export async function verifyCredentials(credentials, region) {
+  // Use STS GetCallerIdentity to verify credentials
+  var host = "sts.amazonaws.com";
+  var now = new Date();
+  var amzDate = now.toISOString().replace(/[-:]/g, "").replace(/\.\d+/, "");
+  var dateStamp = amzDate.slice(0, 8);
+
+  var queryParams = new URLSearchParams({
+    Action: "GetCallerIdentity",
+    Version: "2011-06-15",
+  });
+  var queryString = queryParams.toString();
+
+  var payloadHash = sha256("");
+  var canonicalHeaders = `host:${host}\nx-amz-date:${amzDate}\n`;
+  var signedHeaders = "host;x-amz-date";
+
+  var canonicalRequest = [
+    "GET",
+    "/",
+    queryString,
+    canonicalHeaders,
+    signedHeaders,
+    payloadHash,
+  ].join("\n");
+
+  var credentialScope = `${dateStamp}/us-east-1/sts/aws4_request`;
+  var stringToSign = [
+    "AWS4-HMAC-SHA256",
+    amzDate,
+    credentialScope,
+    sha256(canonicalRequest),
+  ].join("\n");
+
+  var signingKey = getSignatureKey(
+    credentials.secretAccessKey,
+    dateStamp,
+    "us-east-1",
+    "sts"
+  );
+  var signature = createHmac("sha256", signingKey)
+    .update(stringToSign)
+    .digest("hex");
+
+  var authHeader =
+    `AWS4-HMAC-SHA256 ` +
+    `Credential=${credentials.accessKeyId}/${credentialScope}, ` +
+    `SignedHeaders=${signedHeaders}, ` +
+    `Signature=${signature}`;
+
+  var res = await fetch(`https://${host}/?${queryString}`, {
+    method: "GET",
+    headers: {
+      "X-Amz-Date": amzDate,
+      Authorization: authHeader,
+    },
+  });
+
+  if (!res.ok) {
+    var text = await res.text();
+    throw new Error(`STS GetCallerIdentity failed: ${res.status} ${text}`);
+  }
+
+  return res.text();
+}
+
+export async function checkAppRunner(credentials, region) {
+  var host = `apprunner.${region}.amazonaws.com`;
+  var now = new Date();
+  var amzDate = now.toISOString().replace(/[-:]/g, "").replace(/\.\d+/, "");
+  var dateStamp = amzDate.slice(0, 8);
+
+  var bodyStr = JSON.stringify({});
+  var payloadHash = sha256(bodyStr);
+
+  var target = "AppRunner.ListServices";
+  var canonicalHeaders =
+    `content-type:application/x-amz-json-1.0\n` +
+    `host:${host}\n` +
+    `x-amz-date:${amzDate}\n` +
+    `x-amz-target:${target}\n`;
+  var signedHeaders = "content-type;host;x-amz-date;x-amz-target";
+
+  var canonicalRequest = [
+    "POST",
+    "/",
+    "",
+    canonicalHeaders,
+    signedHeaders,
+    payloadHash,
+  ].join("\n");
+
+  var credentialScope = `${dateStamp}/${region}/apprunner/aws4_request`;
+  var stringToSign = [
+    "AWS4-HMAC-SHA256",
+    amzDate,
+    credentialScope,
+    sha256(canonicalRequest),
+  ].join("\n");
+
+  var signingKey = getSignatureKey(
+    credentials.secretAccessKey,
+    dateStamp,
+    region,
+    "apprunner"
+  );
+  var signature = createHmac("sha256", signingKey)
+    .update(stringToSign)
+    .digest("hex");
+
+  var authHeader =
+    `AWS4-HMAC-SHA256 ` +
+    `Credential=${credentials.accessKeyId}/${credentialScope}, ` +
+    `SignedHeaders=${signedHeaders}, ` +
+    `Signature=${signature}`;
+
+  var res = await fetch(`https://${host}/`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-amz-json-1.0",
+      "X-Amz-Date": amzDate,
+      "X-Amz-Target": target,
+      Authorization: authHeader,
+    },
+    body: bodyStr,
+  });
+
+  if (!res.ok) {
+    var text = await res.text();
+    throw new Error(`App Runner ListServices failed: ${res.status} ${text}`);
+  }
+
+  return res.json();
+}

package/src/lib/clouds/cf.js

@@ -0,0 +1,65 @@
+var CF_API = "https://api.cloudflare.com/client/v4";
+
+export var TOKEN_URL =
+  "https://dash.cloudflare.com/profile/api-tokens?" +
+  "permissionGroupKeys=" +
+  encodeURIComponent(
+    JSON.stringify([
+      { key: "workers_scripts", type: "edit" },
+      { key: "containers", type: "edit" },
+      { key: "zone", type: "read" },
+      { key: "dns", type: "edit" },
+    ])
+  ) +
+  "&name=relight-cli";
+
+export async function cfApi(method, path, body, apiToken) {
+  var headers = {
+    Authorization: `Bearer ${apiToken}`,
+  };
+
+  if (body && typeof body === "object") {
+    headers["Content-Type"] = "application/json";
+    body = JSON.stringify(body);
+  }
+
+  var res = await fetch(`${CF_API}${path}`, {
+    method,
+    headers,
+    body: method === "GET" ? undefined : body,
+  });
+
+  if (!res.ok) {
+    var text = await res.text();
+    throw new Error(`CF API ${method} ${path}: ${res.status} ${text}`);
+  }
+
+  var ct = res.headers.get("content-type") || "";
+  if (ct.includes("application/json")) {
+    return res.json();
+  }
+  return res.text();
+}
+
+export async function verifyToken(apiToken) {
+  return cfApi("GET", "/user/tokens/verify", null, apiToken);
+}
+
+export async function listAccounts(apiToken) {
+  var res = await cfApi("GET", "/accounts", null, apiToken);
+  return res.result || [];
+}
+
+export async function getWorkersSubdomain(accountId, apiToken) {
+  try {
+    var res = await cfApi(
+      "GET",
+      `/accounts/${accountId}/workers/subdomain`,
+      null,
+      apiToken
+    );
+    return res.result?.subdomain || null;
+  } catch {
+    return null;
+  }
+}

package/src/lib/clouds/gcp.js

@@ -0,0 +1,120 @@
+import { createSign } from "crypto";
+import { readFileSync } from "fs";
+
+var RUN_API = "https://run.googleapis.com/v2";
+var CRM_API = "https://cloudresourcemanager.googleapis.com/v1";
+var TOKEN_URI = "https://oauth2.googleapis.com/token";
+var SCOPE = "https://www.googleapis.com/auth/cloud-platform";
+
+// --- Service account key file ---
+
+export function readKeyFile(path) {
+  var raw = readFileSync(path, "utf-8");
+  var key = JSON.parse(raw);
+
+  if (!key.client_email || !key.private_key) {
+    throw new Error(
+      "Invalid service account key file. Expected client_email and private_key fields."
+    );
+  }
+
+  return {
+    clientEmail: key.client_email,
+    privateKey: key.private_key,
+    project: key.project_id || null,
+  };
+}
+
+// --- JWT → access token ---
+
+export async function mintAccessToken(clientEmail, privateKey) {
+  var now = Math.floor(Date.now() / 1000);
+
+  var header = { alg: "RS256", typ: "JWT" };
+  var payload = {
+    iss: clientEmail,
+    scope: SCOPE,
+    aud: TOKEN_URI,
+    iat: now,
+    exp: now + 3600,
+  };
+
+  var segments = [
+    base64url(JSON.stringify(header)),
+    base64url(JSON.stringify(payload)),
+  ];
+
+  var sign = createSign("RSA-SHA256");
+  sign.update(segments.join("."));
+  var signature = sign.sign(privateKey, "base64url");
+
+  var jwt = segments.join(".") + "." + signature;
+
+  var res = await fetch(TOKEN_URI, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: `grant_type=${encodeURIComponent("urn:ietf:params:oauth:grant_type:jwt-bearer")}&assertion=${encodeURIComponent(jwt)}`,
+  });
+
+  if (!res.ok) {
+    var text = await res.text();
+    throw new Error(`Token exchange failed: ${res.status} ${text}`);
+  }
+
+  var data = await res.json();
+  return data.access_token;
+}
+
+function base64url(str) {
+  return Buffer.from(str).toString("base64url");
+}
+
+// --- GCP API ---
+
+export async function gcpApi(method, url, body, token) {
+  var headers = {
+    Authorization: `Bearer ${token}`,
+  };
+
+  if (body && typeof body === "object") {
+    headers["Content-Type"] = "application/json";
+    body = JSON.stringify(body);
+  }
+
+  var res = await fetch(url, {
+    method,
+    headers,
+    body: method === "GET" ? undefined : body,
+  });
+
+  if (!res.ok) {
+    var text = await res.text();
+    throw new Error(`GCP API ${method} ${url}: ${res.status} ${text}`);
+  }
+
+  return res.json();
+}
+
+export async function verifyProject(token, project) {
+  return gcpApi("GET", `${CRM_API}/projects/${project}`, null, token);
+}
+
+export async function listRegions(token, project) {
+  var res = await gcpApi(
+    "GET",
+    `${RUN_API}/projects/${project}/locations`,
+    null,
+    token
+  );
+  return res.locations || [];
+}
+
+export async function listServices(token, project, region) {
+  var res = await gcpApi(
+    "GET",
+    `${RUN_API}/projects/${project}/locations/${region}/services`,
+    null,
+    token
+  );
+  return res.services || [];
+}

package/src/lib/config.js

@@ -0,0 +1,58 @@
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from "fs";
+import { join } from "path";
+import { homedir } from "os";
+
+var CONFIG_DIR = join(homedir(), ".relight");
+var CONFIG_PATH = join(CONFIG_DIR, "config.json");
+
+export { CONFIG_DIR, CONFIG_PATH };
+
+export var CLOUD_NAMES = {
+  cf: "Cloudflare",
+  gcp: "GCP",
+  aws: "AWS",
+};
+
+export var CLOUD_IDS = Object.keys(CLOUD_NAMES);
+
+export function getConfig() {
+  if (!existsSync(CONFIG_PATH)) {
+    console.error("Not authenticated. Run `relight auth` first.");
+    process.exit(1);
+  }
+  return JSON.parse(readFileSync(CONFIG_PATH, "utf-8"));
+}
+
+export function tryGetConfig() {
+  if (!existsSync(CONFIG_PATH)) return null;
+  try {
+    return JSON.parse(readFileSync(CONFIG_PATH, "utf-8"));
+  } catch {
+    return null;
+  }
+}
+
+export function saveConfig(config) {
+  if (!existsSync(CONFIG_DIR)) mkdirSync(CONFIG_DIR, { recursive: true });
+  writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2) + "\n");
+}
+
+export function getCloudConfig(cloudId) {
+  var config = getConfig();
+  var cloud = config.clouds && config.clouds[cloudId];
+  if (!cloud) {
+    console.error(
+      `Not authenticated with ${CLOUD_NAMES[cloudId] || cloudId}. Run \`relight auth --cloud ${cloudId}\` first.`
+    );
+    process.exit(1);
+  }
+  return cloud;
+}
+
+export function getAuthenticatedClouds() {
+  var config = tryGetConfig();
+  if (!config || !config.clouds) return [];
+  return Object.keys(config.clouds).filter(
+    (id) => config.clouds[id] && Object.keys(config.clouds[id]).length > 0
+  );
+}

package/src/lib/link.js

@@ -0,0 +1,40 @@
+import { readFileSync, writeFileSync, unlinkSync } from "fs";
+import { fatal, fmt } from "./output.js";
+
+var LINK_FILE = ".relight";
+
+export function readLink() {
+  try {
+    var data = JSON.parse(readFileSync(LINK_FILE, "utf-8"));
+    return data;
+  } catch {
+    return null;
+  }
+}
+
+export function linkApp(name, cloud) {
+  writeFileSync(LINK_FILE, JSON.stringify({ app: name, cloud }) + "\n");
+}
+
+export function unlinkApp() {
+  try {
+    unlinkSync(LINK_FILE);
+  } catch {}
+}
+
+export function resolveAppName(name) {
+  if (name) return name;
+  var linked = readLink();
+  if (linked && linked.app) return linked.app;
+  fatal(
+    "No app specified.",
+    `Provide an app name or run ${fmt.cmd("relight deploy")} in this directory first.`
+  );
+}
+
+export function resolveCloud(cloud) {
+  if (cloud) return cloud;
+  var linked = readLink();
+  if (linked && linked.cloud) return linked.cloud;
+  return null;
+}

package/src/lib/output.js

@@ -0,0 +1,103 @@
+import kleur from "kleur";
+
+export function phase(msg) {
+  process.stderr.write(`\n${kleur.bold().cyan("==>")} ${kleur.bold(msg)}\n`);
+}
+
+export function status(msg) {
+  process.stderr.write(`    ${msg}\n`);
+}
+
+export function error(msg, fix) {
+  process.stderr.write(`\n${kleur.red("Error:")} ${msg}\n`);
+  if (fix) process.stderr.write(`  ${fix}\n`);
+}
+
+export function fatal(msg, fix) {
+  error(msg, fix);
+  process.exit(1);
+}
+
+export function success(msg) {
+  process.stderr.write(`\n${kleur.green("-->")} ${msg}\n`);
+}
+
+export function hint(label, msg) {
+  process.stderr.write(`\n${kleur.dim(label + ":")} ${msg}\n`);
+}
+
+export var fmt = {
+  app: (name) => kleur.cyan(name),
+  cmd: (cmd) => kleur.bold().cyan(cmd),
+  key: (k) => kleur.green(k),
+  val: (v) => kleur.yellow(v),
+  dim: (t) => kleur.dim(t),
+  bold: (t) => kleur.bold(t),
+  url: (u) => kleur.underline().cyan(u),
+  cloud: (c) => kleur.magenta(c),
+};
+
+function stripAnsi(str) {
+  return String(str).replace(/\x1B\[[0-9;]*m/g, "");
+}
+
+function padEnd(str, len) {
+  var visible = stripAnsi(str).length;
+  return str + " ".repeat(Math.max(0, len - visible));
+}
+
+var ADJECTIVES = [
+  "autumn", "bold", "calm", "crimson", "dawn", "dark", "dry", "dusk",
+  "fading", "flat", "floral", "fragrant", "frosty", "gentle", "green",
+  "hazy", "hidden", "icy", "lively", "long", "misty", "morning", "muddy",
+  "nameless", "old", "patient", "plain", "polished", "proud", "purple",
+  "quiet", "rapid", "red", "restless", "rough", "shy", "silent", "small",
+  "snowy", "solitary", "sparkling", "spring", "still", "summer", "twilight",
+  "wandering", "weathered", "white", "wild", "winter", "withered", "young",
+];
+
+var NOUNS = [
+  "bird", "brook", "bush", "cloud", "creek", "dew", "dream", "dust",
+  "field", "fire", "flower", "fog", "forest", "frost", "gale", "gate",
+  "glacier", "grass", "grove", "haze", "hill", "lake", "leaf", "light",
+  "meadow", "moon", "moss", "night", "paper", "path", "peak", "pine",
+  "pond", "rain", "reef", "ridge", "river", "rock", "rose", "sea",
+  "shadow", "shore", "sky", "smoke", "snow", "sound", "star", "stone",
+  "stream", "sun", "surf", "thunder", "tree", "violet", "water", "wave",
+  "wind", "wood",
+];
+
+export function generateAppName() {
+  var adj = ADJECTIVES[Math.floor(Math.random() * ADJECTIVES.length)];
+  var noun = NOUNS[Math.floor(Math.random() * NOUNS.length)];
+  var num = Math.floor(1000 + Math.random() * 9000);
+  return `${adj}-${noun}-${num}`;
+}
+
+export function table(headers, rows) {
+  if (rows.length === 0) return "";
+
+  var allRows = [headers, ...rows];
+  var widths = [];
+  for (var row of allRows) {
+    for (var i = 0; i < row.length; i++) {
+      var len = stripAnsi(String(row[i] || "")).length;
+      if (!widths[i] || len > widths[i]) widths[i] = len;
+    }
+  }
+
+  var lines = [];
+  lines.push(
+    headers
+      .map((h, i) => kleur.bold(padEnd(String(h), widths[i] + 2)))
+      .join("")
+  );
+  lines.push(kleur.dim(widths.map((w) => "─".repeat(w)).join("  ")));
+  for (var row of rows) {
+    lines.push(
+      row.map((cell, i) => padEnd(String(cell || ""), widths[i] + 2)).join("")
+    );
+  }
+
+  return lines.join("\n");
+}