sakuraai 0.0.8 → 0.0.10

package/dist/index.js

@@ -14,6 +14,13 @@ import os from "os";
 import path from "path";
 import fs from "fs";
 import { randomUUID } from "crypto";
+function readTsnetState() {
+  try {
+    return JSON.parse(fs.readFileSync(TSNET_PATH, "utf8"));
+  } catch {
+    return null;
+  }
+}
 function ensureDir(dir) {
   fs.mkdirSync(dir, { recursive: true });
 }
@@ -74,7 +81,7 @@ function ensureSakuraDirs() {
   ensureDir(SAKURA_DIR);
   ensureDir(LOG_DIR);
 }
-var SAKURA_DIR, CONFIG_PATH, AUTH_PATH, DAEMON_PATH, PID_PATH, LOG_DIR, LOG_PATH, DEFAULT_PORT, DEFAULT_HOST, _config;
+var SAKURA_DIR, CONFIG_PATH, AUTH_PATH, DAEMON_PATH, PID_PATH, LOG_DIR, LOG_PATH, DEFAULT_PORT, DEFAULT_HOST, TSNET_PATH, _config;
 var init_config = __esm({
   "src/config.ts"() {
     "use strict";
@@ -87,38 +94,134 @@ var init_config = __esm({
     LOG_PATH = path.join(LOG_DIR, "daemon.log");
     DEFAULT_PORT = Number(process.env.SAKURA_PORT ?? 4787);
     DEFAULT_HOST = process.env.SAKURA_HOST ?? "127.0.0.1";
+    TSNET_PATH = path.join(SAKURA_DIR, "tsnet.json");
     _config = null;
   }
 });
 
+// src/cloud.ts
+function apiBase() {
+  return (loadAuth().serverUrl || DEFAULT_API_URL).replace(/\/+$/, "");
+}
+async function postJson(base, path10, body, token) {
+  const res = await fetch(`${base}${path10}`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      ...token ? { Authorization: `Bearer ${token}` } : {}
+    },
+    body: JSON.stringify(body ?? {})
+  });
+  if (!res.ok) {
+    const text = await res.text().catch(() => "");
+    throw new Error(`${path10} \u2192 ${res.status} ${res.statusText}${text ? `: ${text}` : ""}`);
+  }
+  return await res.json();
+}
+function deviceStart(base, machineName) {
+  return postJson(base, "/cli/device/start", { machineName });
+}
+function devicePoll(base, deviceCode) {
+  return postJson(base, "/cli/device/poll", { deviceCode });
+}
+function provisionTailnet(base, serverToken, hostname2) {
+  return postJson(base, "/tailnet/provision", { hostname: hostname2 }, serverToken);
+}
+var DEFAULT_API_URL;
+var init_cloud = __esm({
+  "src/cloud.ts"() {
+    "use strict";
+    init_config();
+    DEFAULT_API_URL = process.env.SAKURA_SERVER_URL || "https://api.sakura.mom";
+  }
+});
+
 // src/auth.ts
 var auth_exports = {};
 __export(auth_exports, {
+  getServerToken: () => getServerToken,
   getToken: () => getToken,
   isLoggedIn: () => isLoggedIn,
   login: () => login,
+  loginInteractive: () => loginInteractive,
   logout: () => logout,
   requireToken: () => requireToken
 });
 import { randomBytes } from "crypto";
+import { spawn } from "child_process";
 import os2 from "os";
 function getToken() {
   return process.env.SAKURA_AUTH || loadAuth().token;
 }
+function getServerToken() {
+  return process.env.SAKURA_SERVER_TOKEN || loadAuth().serverToken;
+}
 function isLoggedIn() {
   return !!getToken();
 }
 function generateToken() {
   return "sk_" + randomBytes(24).toString("hex");
 }
+function openBrowser(url) {
+  try {
+    if (process.platform === "darwin") {
+      spawn("open", [url], { stdio: "ignore", detached: true }).unref();
+    } else if (process.platform === "win32") {
+      spawn("cmd", ["/c", "start", "", url], { stdio: "ignore", detached: true }).unref();
+    } else {
+      spawn("xdg-open", [url], { stdio: "ignore", detached: true }).unref();
+    }
+  } catch {
+  }
+}
 function login(opts = {}) {
-  const token = opts.auth?.trim() || generateToken();
+  const existing = loadAuth();
   const machineName = opts.machineName?.trim() || os2.hostname();
   const state = {
-    token,
-    serverUrl: opts.serverUrl,
+    ...existing,
+    token: opts.auth?.trim() || existing.token || generateToken(),
+    serverUrl: opts.serverUrl || existing.serverUrl,
+    machineName,
+    login: existing.login || process.env.USER || machineName,
+    loggedInAt: Date.now()
+  };
+  saveAuth(state);
+  updateConfig((cfg) => {
+    cfg.machineName = machineName;
+  });
+  return state;
+}
+async function loginInteractive(opts = {}, cb = {}) {
+  const base = (opts.serverUrl || DEFAULT_API_URL).replace(/\/+$/, "");
+  const machineName = opts.machineName?.trim() || os2.hostname();
+  const start2 = await deviceStart(base, machineName);
+  cb.onPrompt?.({ verifyUrl: start2.verifyUrl, userCode: start2.userCode });
+  openBrowser(start2.verifyUrl);
+  const deadline = Date.now() + start2.expiresIn * 1e3;
+  const intervalMs = Math.max(1, start2.interval) * 1e3;
+  let approved = null;
+  while (Date.now() < deadline) {
+    await sleep(intervalMs);
+    const poll = await devicePoll(base, start2.deviceCode);
+    if (poll.status === "approved") {
+      approved = poll;
+      break;
+    }
+    if (poll.status === "expired" || poll.status === "unknown") {
+      throw new Error("login code expired \u2014 run `sakura login` again.");
+    }
+  }
+  if (!approved?.token) throw new Error("login timed out \u2014 run `sakura login` again.");
+  const existing = loadAuth();
+  const state = {
+    ...existing,
+    token: existing.token || generateToken(),
+    // keep the phone↔daemon secret
+    serverToken: approved.token,
+    serverUrl: base,
+    userId: approved.user?._id,
+    login: approved.user?.login || approved.user?.email || machineName,
     machineName,
-    login: process.env.USER || machineName,
     loggedInAt: Date.now()
   };
   saveAuth(state);
@@ -134,15 +237,18 @@ function requireToken() {
   const t = getToken();
   if (!t) {
     throw new Error(
-      "Not signed in. Run `sakuraai login` (or `sakuraai login --auth <token>`) first."
+      "Not signed in. Run `sakura login` first."
     );
   }
   return t;
 }
+var sleep;
 var init_auth = __esm({
   "src/auth.ts"() {
     "use strict";
     init_config();
+    init_cloud();
+    sleep = (ms) => new Promise((r) => setTimeout(r, ms));
   }
 });
 
@@ -296,7 +402,7 @@ var init_util = __esm({
 // src/runtime/claude.ts
 import fs3 from "fs";
 import path2 from "path";
-import { spawn } from "child_process";
+import { spawn as spawn2 } from "child_process";
 function* jsonlEntries(file) {
   let content;
   try {
@@ -440,7 +546,7 @@ function send(sessionId, message, onData, images) {
 
 ${refs}` : refs;
     }
-    const child = spawn(
+    const child2 = spawn2(
       bin,
       [
         "--resume",
@@ -460,7 +566,7 @@ ${refs}` : refs;
     let buf = "";
     let finalText = "";
     let err = "";
-    child.stdout.on("data", (d) => {
+    child2.stdout.on("data", (d) => {
       buf += d.toString();
       let nl;
       while ((nl = buf.indexOf("\n")) >= 0) {
@@ -477,9 +583,9 @@ ${refs}` : refs;
         }
       }
     });
-    child.stderr.on("data", (d) => err += d.toString());
-    child.on("error", (e) => resolve({ ok: false, output: "", error: e.message }));
-    child.on(
+    child2.stderr.on("data", (d) => err += d.toString());
+    child2.on("error", (e) => resolve({ ok: false, output: "", error: e.message }));
+    child2.on(
       "close",
       (code) => resolve({
         ok: code === 0,
@@ -508,7 +614,7 @@ var init_claude = __esm({
 // src/runtime/codex.ts
 import fs4 from "fs";
 import path3 from "path";
-import { spawn as spawn2 } from "child_process";
+import { spawn as spawn3 } from "child_process";
 function codexBin() {
   if (process.env.CODEX_BIN) return process.env.CODEX_BIN;
   if (fs4.existsSync(MAC_APP_BIN)) return MAC_APP_BIN;
@@ -620,19 +726,19 @@ function messages2(sessionId) {
 function send2(sessionId, message, onData, images) {
   return new Promise((resolve) => {
     const imageArgs = (images ?? []).flatMap((p) => ["-i", p]);
-    const child = spawn2(codexBin(), ["exec", "resume", sessionId, ...imageArgs, message], {
+    const child2 = spawn3(codexBin(), ["exec", "resume", sessionId, ...imageArgs, message], {
       stdio: ["ignore", "pipe", "pipe"],
       env: process.env
     });
     let out = "";
     let err = "";
-    child.stdout.on("data", (d) => {
+    child2.stdout.on("data", (d) => {
       out += d.toString();
       onData?.(d.toString());
     });
-    child.stderr.on("data", (d) => err += d.toString());
-    child.on("error", (e) => resolve({ ok: false, output: "", error: e.message }));
-    child.on(
+    child2.stderr.on("data", (d) => err += d.toString());
+    child2.on("error", (e) => resolve({ ok: false, output: "", error: e.message }));
+    child2.on(
       "close",
       (code) => resolve({
         ok: code === 0,
@@ -657,7 +763,7 @@ var init_codex = __esm({
 // src/runtime/opencode.ts
 import path4 from "path";
 import fs5 from "fs";
-import { spawn as spawn3 } from "child_process";
+import { spawn as spawn4 } from "child_process";
 function opencodeBin() {
   if (process.env.OPENCODE_BIN) return process.env.OPENCODE_BIN;
   if (fs5.existsSync(MAC_APP_BIN2)) return MAC_APP_BIN2;
@@ -767,19 +873,19 @@ async function messages3(sessionId) {
 function send3(sessionId, message, onData, images) {
   return new Promise((resolve) => {
     const fileArgs = (images ?? []).flatMap((p) => ["-f", p]);
-    const child = spawn3(opencodeBin(), ["run", "-s", sessionId, ...fileArgs, message], {
+    const child2 = spawn4(opencodeBin(), ["run", "-s", sessionId, ...fileArgs, message], {
       stdio: ["ignore", "pipe", "pipe"],
       env: process.env
     });
     let out = "";
     let err = "";
-    child.stdout.on("data", (d) => {
+    child2.stdout.on("data", (d) => {
       out += d.toString();
       onData?.(d.toString());
     });
-    child.stderr.on("data", (d) => err += d.toString());
-    child.on("error", (e) => resolve({ ok: false, output: "", error: e.message }));
-    child.on(
+    child2.stderr.on("data", (d) => err += d.toString());
+    child2.on("error", (e) => resolve({ ok: false, output: "", error: e.message }));
+    child2.on(
       "close",
       (code) => resolve({
         ok: code === 0,
@@ -837,7 +943,7 @@ var init_meta = __esm({
 });
 
 // src/runtime/sessions.ts
-import { spawn as spawn4 } from "child_process";
+import { spawn as spawn5 } from "child_process";
 async function list(opts = {}) {
   let sessions = [];
   if (!opts.agent || opts.agent === "claude") sessions.push(...listSessions());
@@ -918,16 +1024,16 @@ function create(prompt, opts = {}) {
   }
   return new Promise((resolve) => {
     const bin = process.env.CLAUDE_BIN || "claude";
-    const child = spawn4(bin, ["-p", prompt], {
+    const child2 = spawn5(bin, ["-p", prompt], {
       cwd: opts.cwd || process.cwd(),
       stdio: ["ignore", "pipe", "pipe"]
     });
     let out = "";
     let err = "";
-    child.stdout.on("data", (d) => out += d.toString());
-    child.stderr.on("data", (d) => err += d.toString());
-    child.on("error", (e) => resolve({ ok: false, output: "", error: e.message }));
-    child.on(
+    child2.stdout.on("data", (d) => out += d.toString());
+    child2.stderr.on("data", (d) => err += d.toString());
+    child2.on("error", (e) => resolve({ ok: false, output: "", error: e.message }));
+    child2.on(
       "close",
       (code) => resolve({
         ok: code === 0,
@@ -1289,7 +1395,7 @@ var init_fsops = __esm({
 
 // src/tailscale.ts
 import fs9 from "fs";
-import { spawn as spawn5 } from "child_process";
+import { spawn as spawn6 } from "child_process";
 function tsBin() {
   const macPath = "/Applications/Tailscale.app/Contents/MacOS/Tailscale";
   if (fs9.existsSync(macPath)) return macPath;
@@ -1297,11 +1403,11 @@ function tsBin() {
 }
 function runTs(args, timeoutMs = 6e4) {
   return new Promise((resolve) => {
-    const child = spawn5(tsBin(), args, { stdio: ["ignore", "pipe", "pipe"] });
+    const child2 = spawn6(tsBin(), args, { stdio: ["ignore", "pipe", "pipe"] });
     let out = "";
     let err = "";
     const timer = setTimeout(() => {
-      child.kill("SIGKILL");
+      child2.kill("SIGKILL");
       resolve({
         ok: false,
         data: null,
@@ -1310,9 +1416,9 @@ function runTs(args, timeoutMs = 6e4) {
         code: "timeout"
       });
     }, timeoutMs);
-    child.stdout.on("data", (d) => out += d.toString());
-    child.stderr.on("data", (d) => err += d.toString());
-    child.on("error", (e) => {
+    child2.stdout.on("data", (d) => out += d.toString());
+    child2.stderr.on("data", (d) => err += d.toString());
+    child2.on("error", (e) => {
       clearTimeout(timer);
       if (e.code === "ENOENT") {
         resolve({
@@ -1332,7 +1438,7 @@ function runTs(args, timeoutMs = 6e4) {
         });
       }
     });
-    child.on("close", (code) => {
+    child2.on("close", (code) => {
       clearTimeout(timer);
       const stdout = out.trim();
       const stderr = err.trim();
@@ -1506,7 +1612,7 @@ var init_stream = __esm({
 
 // src/daemon/terminal.ts
 import os6 from "os";
-import { spawn as spawn6 } from "child_process";
+import { spawn as spawn7 } from "child_process";
 function cleanOutput(t, chunk) {
   let s = t.buf + chunk;
   s = s.replace(OSC, "").replace(CSI, "").replace(ESC2, "");
@@ -1524,7 +1630,7 @@ function defaultShell() {
 }
 function openTerminal(ws, opts) {
   const shell = defaultShell();
-  const child = spawn6(shell, ["-i"], {
+  const child2 = spawn7(shell, ["-i"], {
     cwd: opts?.cwd && opts.cwd.trim() ? opts.cwd : os6.homedir(),
     env: {
       ...process.env,
@@ -1534,7 +1640,7 @@ function openTerminal(ws, opts) {
       ITERM_SHELL_INTEGRATION_INSTALLED: ""
     }
   });
-  const term = { child, buf: "" };
+  const term = { child: child2, buf: "" };
   terminals.set(ws, term);
   const sendOut = (raw) => {
     const data = cleanOutput(term, raw);
@@ -1544,15 +1650,15 @@ function openTerminal(ws, opts) {
     } catch {
     }
   };
-  child.stdout.on("data", (d) => sendOut(d.toString()));
-  child.stderr.on("data", (d) => sendOut(d.toString()));
-  child.on("exit", (code) => {
+  child2.stdout.on("data", (d) => sendOut(d.toString()));
+  child2.stderr.on("data", (d) => sendOut(d.toString()));
+  child2.on("exit", (code) => {
     try {
       ws.send(JSON.stringify({ type: "exit", code }));
     } catch {
     }
   });
-  child.on("error", (e) => sendOut(`
+  child2.on("error", (e) => sendOut(`
 [shell error: ${e.message}]
 `));
   try {
@@ -1597,10 +1703,10 @@ import os7 from "os";
 import path8 from "path";
 import { URL } from "url";
 import { WebSocketServer } from "ws";
-function add(method, path9, handler) {
+function add(method, path10, handler) {
   const keys = [];
   const pattern = new RegExp(
-    "^" + path9.replace(/:[^/]+/g, (m) => {
+    "^" + path10.replace(/:[^/]+/g, (m) => {
       keys.push(m.slice(1));
       return "([^/]+)";
     }) + "/?$"
@@ -2024,12 +2130,121 @@ var init_server = __esm({
   }
 });
 
-// src/daemon/manager.ts
+// src/daemon/tsnet.ts
 import fs11 from "fs";
-import { spawn as spawn7 } from "child_process";
+import path9 from "path";
+import { fileURLToPath } from "url";
+import { spawn as spawn8 } from "child_process";
+function resolveBinary() {
+  const envBin = process.env.SAKURA_TSNET_BIN;
+  if (envBin && fs11.existsSync(envBin)) return envBin;
+  const here = path9.dirname(fileURLToPath(import.meta.url));
+  const name = process.platform === "win32" ? "sakura-tsnet.exe" : "sakura-tsnet";
+  const candidates = [
+    path9.join(here, "..", "bin", name),
+    // package/bin (postinstall download / build-sidecar.sh)
+    path9.join(here, "bin", name),
+    path9.join(process.cwd(), "bin", name),
+    path9.join(SAKURA_DIR, name)
+    // user-dropped
+  ];
+  return candidates.find((p) => fs11.existsSync(p)) ?? null;
+}
+function startTsnet(port2) {
+  const cfg = loadConfig();
+  const ts = cfg.tailscale;
+  if (!ts?.controlUrl || !ts?.authKey) return;
+  if (child) return;
+  const bin = resolveBinary();
+  if (!bin) {
+    log.warn(
+      "embedded Tailscale is configured but the sakura-tsnet binary was not found \u2014 build it with modules/sakura-tailscale/scripts/build-sidecar.sh (LAN access still works)."
+    );
+    return;
+  }
+  stopping = false;
+  spawnSidecar(bin, ts.controlUrl, ts.authKey, ts.hostname || cfg.machineName, port2);
+}
+function spawnSidecar(bin, controlUrl, authKey, hostname2, port2) {
+  const env = {
+    ...process.env,
+    SAKURA_TS_CONTROL_URL: controlUrl,
+    SAKURA_TS_AUTH_KEY: authKey,
+    SAKURA_TS_HOSTNAME: hostname2,
+    SAKURA_TS_STATE_DIR: path9.join(SAKURA_DIR, "tsnet-state"),
+    SAKURA_TS_STATE_FILE: TSNET_PATH,
+    SAKURA_TS_PORT: String(port2)
+  };
+  log.info(`starting embedded Tailscale sidecar (${path9.basename(bin)})`);
+  const c = spawn8(bin, [], { stdio: ["ignore", "pipe", "pipe"], env });
+  child = c;
+  const pipe = (buf) => buf.toString().split("\n").filter(Boolean).forEach((line) => log.info(`[tsnet] ${line}`));
+  c.stdout?.on("data", pipe);
+  c.stderr?.on("data", pipe);
+  c.on("exit", (code) => {
+    child = null;
+    if (stopping) return;
+    log.warn(`tsnet sidecar exited (code ${code}); restarting in 5s`);
+    restartTimer = setTimeout(() => {
+      if (!stopping) spawnSidecar(bin, controlUrl, authKey, hostname2, port2);
+    }, 5e3);
+  });
+}
+function stopTsnet() {
+  stopping = true;
+  if (restartTimer) {
+    clearTimeout(restartTimer);
+    restartTimer = null;
+  }
+  if (child) {
+    try {
+      child.kill("SIGTERM");
+    } catch {
+    }
+    child = null;
+  }
+  try {
+    fs11.rmSync(TSNET_PATH, { force: true });
+  } catch {
+  }
+}
+var child, stopping, restartTimer;
+var init_tsnet = __esm({
+  "src/daemon/tsnet.ts"() {
+    "use strict";
+    init_config();
+    init_logger();
+    child = null;
+    stopping = false;
+    restartTimer = null;
+  }
+});
+
+// src/daemon/manager.ts
+import fs12 from "fs";
+import { spawn as spawn9 } from "child_process";
+async function ensureTailnetProvisioned() {
+  const serverToken = getServerToken();
+  if (!serverToken) return;
+  try {
+    const cfg = loadConfig();
+    const prov = await provisionTailnet(apiBase(), serverToken, cfg.machineName);
+    if (!prov?.controlUrl || !prov?.authKey) return;
+    updateConfig((c) => {
+      c.tailscale = {
+        controlUrl: prov.controlUrl,
+        authKey: prov.authKey,
+        hostname: prov.hostname || c.machineName
+      };
+    });
+    log.info("provisioned embedded-Tailscale credentials for this account");
+  } catch (e) {
+    log.warn(`tailnet provisioning skipped (${e.message}) \u2014 serving over LAN`);
+  }
+}
 function readDaemonInfo() {
   try {
-    return JSON.parse(fs11.readFileSync(DAEMON_PATH, "utf8"));
+    return JSON.parse(fs12.readFileSync(DAEMON_PATH, "utf8"));
   } catch {
     return null;
   }
@@ -2046,8 +2261,8 @@ function running() {
   const info2 = readDaemonInfo();
   if (info2 && pidAlive(info2.pid)) return info2;
   if (info2) {
-    fs11.rmSync(DAEMON_PATH, { force: true });
-    fs11.rmSync(PID_PATH, { force: true });
+    fs12.rmSync(DAEMON_PATH, { force: true });
+    fs12.rmSync(PID_PATH, { force: true });
   }
   return null;
 }
@@ -2070,17 +2285,20 @@ async function runServer(version) {
     url: `http://${host}:${port2}`,
     startedAt: Date.now()
   };
-  fs11.writeFileSync(DAEMON_PATH, JSON.stringify(info2, null, 2));
-  fs11.writeFileSync(PID_PATH, String(process.pid));
+  fs12.writeFileSync(DAEMON_PATH, JSON.stringify(info2, null, 2));
+  fs12.writeFileSync(PID_PATH, String(process.pid));
+  await ensureTailnetProvisioned();
+  startTsnet(port2);
   const tailnet = await discoverBaseUrl(port2).catch(() => null);
   log.info(`sakuraai runtime listening on http://0.0.0.0:${port2}`);
   if (tailnet) log.info(`reachable over Tailscale at ${tailnet}`);
   log.info("point the Sakura app at the tailnet URL above (Settings \u2192 Connectivity)");
   const shutdown = () => {
     log.info("shutting down");
+    stopTsnet();
     server.close();
-    fs11.rmSync(DAEMON_PATH, { force: true });
-    fs11.rmSync(PID_PATH, { force: true });
+    fs12.rmSync(DAEMON_PATH, { force: true });
+    fs12.rmSync(PID_PATH, { force: true });
     process.exit(0);
   };
   process.on("SIGINT", shutdown);
@@ -2091,14 +2309,14 @@ function start() {
   if (existing) return existing;
   ensureSakuraDirs();
   const entry = process.argv[1] ?? "";
-  const out = fs11.openSync(LOG_PATH, "a");
-  const err = fs11.openSync(LOG_PATH, "a");
-  const child = spawn7(process.execPath, [entry, "__run-daemon"], {
+  const out = fs12.openSync(LOG_PATH, "a");
+  const err = fs12.openSync(LOG_PATH, "a");
+  const child2 = spawn9(process.execPath, [entry, "__run-daemon"], {
     detached: true,
     stdio: ["ignore", out, err],
     env: process.env
   });
-  child.unref();
+  child2.unref();
   const deadline = Date.now() + 5e3;
   while (Date.now() < deadline) {
     const info2 = readDaemonInfo();
@@ -2114,8 +2332,8 @@ function stop() {
     process.kill(info2.pid, "SIGTERM");
   } catch {
   }
-  fs11.rmSync(DAEMON_PATH, { force: true });
-  fs11.rmSync(PID_PATH, { force: true });
+  fs12.rmSync(DAEMON_PATH, { force: true });
+  fs12.rmSync(PID_PATH, { force: true });
   return true;
 }
 function restart() {
@@ -2125,7 +2343,7 @@ function restart() {
 }
 function logs(lines = 50) {
   try {
-    const all2 = fs11.readFileSync(LOG_PATH, "utf8").split("\n");
+    const all2 = fs12.readFileSync(LOG_PATH, "utf8").split("\n");
     return all2.slice(-lines).join("\n");
   } catch {
     return "";
@@ -2138,6 +2356,9 @@ var init_manager = __esm({
     init_logger();
     init_server();
     init_tailscale();
+    init_tsnet();
+    init_auth();
+    init_cloud();
   }
 });
 
@@ -2148,10 +2369,23 @@ async function buildPairing() {
   const token = requireToken();
   const cfg = loadConfig();
   const port2 = Number(process.env.SAKURA_PORT || cfg.daemon.port);
-  const tailnet = await discoverBaseUrl(port2).catch(() => null);
-  const url = tailnet ?? `http://${localIp()}:${port2}`;
-  const deepLink = `sakura://pair?url=${encodeURIComponent(url)}&token=${encodeURIComponent(token)}`;
-  return { url, token, deepLink };
+  const tsnet = readTsnetState();
+  const tsnetUrl = tsnet?.tailscaleIp && tsnet.backendState === "Running" ? `http://${tsnet.tailscaleIp}:${port2}` : null;
+  const cliTailnet = tsnetUrl ? null : await discoverBaseUrl(port2).catch(() => null);
+  const url = tsnetUrl ?? cliTailnet ?? `http://${localIp()}:${port2}`;
+  const params = /* @__PURE__ */ new Map([
+    ["url", url],
+    ["token", token]
+  ]);
+  const ts = cfg.tailscale;
+  const embeddedTailscale = !!(ts?.controlUrl && ts?.authKey);
+  if (embeddedTailscale) {
+    params.set("cn", ts.controlUrl);
+    params.set("tskey", ts.authKey);
+  }
+  const query = [...params].map(([k, v]) => `${k}=${encodeURIComponent(v)}`).join("&");
+  const deepLink = `sakura://pair?${query}`;
+  return { url, token, deepLink, embeddedTailscale };
 }
 function renderQr(deepLink) {
   return new Promise((resolve) => {
@@ -2193,6 +2427,11 @@ async function showPairing(opts = {}) {
   info(`  URL:   ${pairing.url}`);
   info(`  Token: ${pairing.token}`);
   info("");
+  if (pairing.embeddedTailscale) {
+    info("Embedded Tailscale: the QR also carries the tailnet join key, so the");
+    info("phone connects privately over the tunnel with no Tailscale app needed.");
+    info("");
+  }
   info("Or paste the token into the app (Settings \u2192 Connect).");
 }
 function registerPair(program) {
@@ -2222,7 +2461,7 @@ var init_pair = __esm({
 import { Command } from "commander";
 
 // src/version.ts
-var VERSION = "0.0.6";
+var VERSION = "0.0.10";
 
 // src/index.ts
 init_config();
@@ -2232,21 +2471,39 @@ init_auth();
 init_config();
 init_output();
 function registerAuth(program) {
-  program.command("login").description("Sign in and register this machine (generates a CLI token to pair the app)").option("--auth <token>", "use a pre-created CLI token instead of generating one").option("--server-url <url>", "Sakura server / Convex URL to associate").option("--machine-name <name>", "override the machine name (defaults to hostname)").option("--json", "output as JSON").action((opts) => {
-    const state = login({
-      auth: opts.auth,
-      serverUrl: opts.serverUrl,
-      machineName: opts.machineName
-    });
-    if (opts.json) return printJson(state);
-    success(`Signed in as ${state.login} on "${state.machineName}".`);
-    info("");
-    info("Pair the Sakura mobile app with this token (Settings \u2192 Connectivity):");
-    info("");
-    info(`    ${state.token}`);
-    info("");
-    info("Then start the runtime so the app can reach this machine:");
-    info("    sakuraai daemon start");
+  program.command("login").description("Sign in with your Sakura account (opens a browser) so this machine can join your tailnet").option("--auth <token>", "headless: set a pre-created daemon token instead of signing in").option("--server-url <url>", "override the Sakura cloud API URL").option("--machine-name <name>", "override the machine name (defaults to hostname)").option("--json", "output as JSON").action(async (opts) => {
+    if (opts.auth) {
+      const state = login({ auth: opts.auth, serverUrl: opts.serverUrl, machineName: opts.machineName });
+      if (opts.json) return printJson(state);
+      success(`Daemon token set for "${state.machineName}".`);
+      info("Start the runtime:  sakura daemon start");
+      return;
+    }
+    try {
+      const state = await loginInteractive(
+        { serverUrl: opts.serverUrl, machineName: opts.machineName },
+        {
+          onPrompt: ({ verifyUrl, userCode }) => {
+            info("Opening your browser to finish sign-in\u2026");
+            info("");
+            info(`    ${verifyUrl}`);
+            info("");
+            info(`If it didn't open, visit the link above and confirm the code:  ${userCode}`);
+            info("");
+            info("Waiting for approval\u2026");
+          }
+        }
+      );
+      if (opts.json) return printJson(state);
+      success(`Signed in as ${state.login} on "${state.machineName}".`);
+      info("");
+      info("Start the runtime \u2014 it auto-joins your tailnet, then show the QR:");
+      info("    sakura daemon start");
+      info("    sakura pair");
+    } catch (e) {
+      warn(e?.message || "login failed");
+      process.exitCode = 1;
+    }
   });
   program.command("logout").description("Clear local credentials").action(() => {
     logout();
@@ -2265,7 +2522,25 @@ function registerAuth(program) {
 init_manager();
 init_tailscale();
 init_auth();
+init_config();
 init_output();
+var sleep2 = (ms) => new Promise((r) => setTimeout(r, ms));
+async function tunnelUrl(port2) {
+  const ts = readTsnetState();
+  if (ts?.tailscaleIp && ts.backendState === "Running") return `http://${ts.tailscaleIp}:${port2}`;
+  return await discoverBaseUrl(port2).catch(() => null);
+}
+async function waitForTunnel(timeoutMs) {
+  if (!getServerToken()) return false;
+  const deadline = Date.now() + timeoutMs;
+  while (Date.now() < deadline) {
+    const cfg = loadConfig();
+    const ts = readTsnetState();
+    if (cfg.tailscale?.controlUrl && ts?.tailscaleIp && ts.backendState === "Running") return true;
+    await sleep2(500);
+  }
+  return false;
+}
 function registerRuntime(program, version) {
   program.command("start").description("Run the Sakura runtime in this terminal (foreground)").option("--auth <token>", "sign in with a CLI token before starting").action(async (opts) => {
     if (opts.auth) {
@@ -2282,9 +2557,11 @@ function registerRuntime(program, version) {
     if (!isLoggedIn()) die("Not signed in. Run `sakuraai login` first.");
     const info0 = start();
     success(`Daemon running (pid ${info0.pid}) on ${info0.url}`);
-    const tailnet = await discoverBaseUrl(info0.port).catch(() => null);
-    if (!tailnet) {
-      warn("Tailscale not detected. Run `sakuraai serve` after `tailscale up` for a private URL.");
+    const ready = await waitForTunnel(2e4);
+    if (ready) {
+      info("Embedded Tailscale tunnel up \u2014 the phone can connect from any network, no Tailscale app needed.");
+    } else if (getServerToken()) {
+      warn("Tunnel not up yet \u2014 pairing over LAN for now. Re-run `sakuraai pair` in a moment for the private URL.");
     }
     const { showPairing: showPairing2 } = await Promise.resolve().then(() => (init_pair(), pair_exports));
     await showPairing2();
@@ -2298,7 +2575,7 @@ function registerRuntime(program, version) {
   });
   d.command("status").description("Show runtime + connection status").option("--json", "output as JSON").action(async (opts) => {
     const i = running();
-    const tailnet = i ? await discoverBaseUrl(i.port).catch(() => null) : null;
+    const tailnet = i ? await tunnelUrl(i.port) : null;
     if (opts.json) return printJson({ running: !!i, daemon: i, tailnetBaseUrl: tailnet });
     if (!i) return warn("Daemon is not running. Start it with `sakuraai daemon start`.");
     success(`Daemon running (pid ${i.pid}) on ${i.url}`);
@@ -2313,7 +2590,7 @@ function registerRuntime(program, version) {
 // src/commands/session.ts
 init_sessions();
 init_output();
-import fs12 from "fs";
+import fs13 from "fs";
 function resolveSessionId(arg) {
   const id = arg || process.env.SAKURA_SESSION_ID;
   if (!id) die("Provide a sessionId (positional or via SAKURA_SESSION_ID).");
@@ -2322,7 +2599,7 @@ function resolveSessionId(arg) {
 async function resolvePrompt(positional, opts) {
   if (positional) return positional;
   if (opts.prompt) return opts.prompt;
-  if (opts.promptFile) return fs12.readFileSync(opts.promptFile, "utf8");
+  if (opts.promptFile) return fs13.readFileSync(opts.promptFile, "utf8");
   if (!process.stdin.isTTY) {
     const chunks = [];
     for await (const c of process.stdin) chunks.push(c);
@@ -2550,8 +2827,52 @@ init_output();
 function port() {
   return Number(process.env.SAKURA_PORT || loadConfig().daemon.port);
 }
+function maskKey(key) {
+  if (key.length <= 14) return "\u2022\u2022\u2022\u2022";
+  return `${key.slice(0, 12)}\u2026${key.slice(-4)}`;
+}
+function redact(cfg) {
+  if (!cfg) return cfg;
+  return { ...cfg, authKey: maskKey(cfg.authKey) };
+}
 function registerConnectivity(program) {
   const ts = program.command("tailscale").alias("ts").description("Tailscale connectivity for private PC \u2194 mobile access");
+  ts.command("init").description("Configure embedded Tailscale (Headscale control URL + reusable key)").requiredOption("--control-url <url>", "Headscale control-plane URL (https://headscale.\u2026)").requiredOption("--auth-key <key>", "reusable pre-auth key (tskey-auth-\u2026)").option("--hostname <name>", "tailnet hostname for this machine").action((opts) => {
+    const controlUrl = String(opts.controlUrl).trim();
+    const authKey = String(opts.authKey).trim();
+    if (!/^https?:\/\//i.test(controlUrl)) die("control URL must start with http(s)://");
+    if (!authKey) die("auth key is required");
+    updateConfig((cfg) => {
+      cfg.tailscale = {
+        controlUrl: controlUrl.replace(/\/+$/, ""),
+        authKey,
+        ...opts.hostname ? { hostname: String(opts.hostname).trim() } : {}
+      };
+    });
+    success("Embedded Tailscale configured.");
+    info(`Control URL: ${controlUrl}`);
+    info("Run `sakuraai daemon restart`, then `sakuraai pair` to show the QR.");
+  });
+  ts.command("config").description("Show the embedded-Tailscale config + live tsnet node state").option("--json", "output as JSON").action((opts) => {
+    const cfg = loadConfig().tailscale ?? null;
+    const node = readTsnetState();
+    if (opts.json) return printJson({ config: redact(cfg), node });
+    if (!cfg) {
+      warn("Embedded Tailscale is not configured. Run `sakuraai tailscale init`.");
+      return;
+    }
+    success("Embedded Tailscale configured.");
+    info(`Control URL: ${cfg.controlUrl}`);
+    info(`Auth key:    ${maskKey(cfg.authKey)}`);
+    if (cfg.hostname) info(`Hostname:    ${cfg.hostname}`);
+    if (node) {
+      info(`Node state:  ${node.backendState}`);
+      if (node.tailscaleIp) info(`Tailnet IP:  ${node.tailscaleIp}`);
+      if (node.dnsName) info(`DNS name:    ${node.dnsName}`);
+    } else {
+      warn("tsnet sidecar not running \u2014 start it with `sakuraai daemon start`.");
+    }
+  });
   ts.command("status").description("Show tailnet status + the base URL the app should use").option("--json", "output as JSON").action(async (opts) => {
     const r = await status(port());
     if (opts.json) return printJson(r);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sakuraai",
-  "version": "0.0.8",
+  "version": "0.0.10",
   "description": "Sakura Agent CLI + local runtime for managing AI coding sessions (Claude Code, Codex, OpenCode) and reaching them privately from the Sakura mobile app over Tailscale",
   "type": "module",
   "main": "dist/index.js",
@@ -27,6 +27,7 @@
   "files": [
     "dist",
     "!dist/**/*.map",
+    "scripts/download-tsnet.js",
     "README.md"
   ],
   "scripts": {
@@ -35,6 +36,7 @@
     "dev": "tsx src/index.ts",
     "clean": "rimraf dist",
     "typecheck": "tsc --noEmit",
+    "postinstall": "node scripts/download-tsnet.js",
     "prepublishOnly": "npm run clean && npm run build"
   },
   "dependencies": {

package/scripts/download-tsnet.js

@@ -0,0 +1,77 @@
+// postinstall: fetch the prebuilt `sakura-tsnet` sidecar for this OS/arch from
+// the GitHub Release matching this package version. Best-effort by design — if
+// anything fails (offline, unsupported platform, missing asset) we print a hint
+// and exit 0, so `npm install` never breaks. The daemon then serves over LAN and
+// `sakura daemon start` logs how to build the binary locally.
+//
+// Skips:  SAKURA_SKIP_TSNET_DOWNLOAD=1, SAKURA_TSNET_BIN set, or already present.
+// Override source:  SAKURA_TSNET_TAG, SAKURA_TSNET_BASE_URL.
+
+import fs from "node:fs";
+import path from "node:path";
+import https from "node:https";
+import { fileURLToPath } from "node:url";
+
+const here = path.dirname(fileURLToPath(import.meta.url));
+const pkg = JSON.parse(fs.readFileSync(path.join(here, "..", "package.json"), "utf8"));
+
+const PLAT = { darwin: "darwin", linux: "linux", win32: "windows" }[process.platform];
+const ARCH = { x64: "amd64", arm64: "arm64" }[process.arch];
+const isWin = process.platform === "win32";
+
+const binDir = path.join(here, "..", "bin");
+const outPath = path.join(binDir, isWin ? "sakura-tsnet.exe" : "sakura-tsnet");
+
+function skip(msg) {
+  if (msg) console.warn(`[sakura] ${msg}`);
+  console.warn(
+    "[sakura] embedded-Tailscale sidecar not installed — the daemon will still " +
+      "work over your LAN. To enable cross-network access, build it with " +
+      "modules/sakura-tailscale/scripts/build-sidecar.sh, or set SAKURA_TSNET_BIN.",
+  );
+  process.exit(0);
+}
+
+if (process.env.SAKURA_SKIP_TSNET_DOWNLOAD === "1" || process.env.SAKURA_TSNET_BIN) process.exit(0);
+if (fs.existsSync(outPath)) process.exit(0);
+if (!PLAT || !ARCH) skip(`unsupported platform ${process.platform}/${process.arch}.`);
+
+const asset = `sakura-tsnet-${PLAT}-${ARCH}${isWin ? ".exe" : ""}`;
+const tag = process.env.SAKURA_TSNET_TAG || `v${pkg.version}`;
+const base = process.env.SAKURA_TSNET_BASE_URL || `https://github.com/Nishu0/sakura-tsnet/releases/download/${tag}`;
+const url = `${base}/${asset}`;
+
+function download(u, redirectsLeft = 5) {
+  return new Promise((resolve, reject) => {
+    https
+      .get(u, { headers: { "User-Agent": "sakuraai-postinstall" } }, (res) => {
+        if ([301, 302, 303, 307, 308].includes(res.statusCode) && res.headers.location) {
+          if (redirectsLeft <= 0) return reject(new Error("too many redirects"));
+          res.resume();
+          return resolve(download(res.headers.location, redirectsLeft - 1));
+        }
+        if (res.statusCode !== 200) {
+          res.resume();
+          return reject(new Error(`HTTP ${res.statusCode} for ${u}`));
+        }
+        fs.mkdirSync(binDir, { recursive: true });
+        const tmp = `${outPath}.download`;
+        const file = fs.createWriteStream(tmp);
+        res.pipe(file);
+        file.on("finish", () => file.close(() => {
+          fs.renameSync(tmp, outPath);
+          if (!isWin) fs.chmodSync(outPath, 0o755);
+          resolve();
+        }));
+        file.on("error", reject);
+      })
+      .on("error", reject);
+  });
+}
+
+try {
+  await download(url);
+  console.log(`[sakura] installed embedded-Tailscale sidecar (${asset}).`);
+} catch (e) {
+  skip(`could not download ${asset} (${e.message}).`);
+}