sealos-cli 0.1.0

package/dist/main.mjs

@@ -0,0 +1,2045 @@
+#!/usr/bin/env node
+var __defProp = Object.defineProperty;
+var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
+
+// src/main.ts
+import { Command as Command13 } from "commander";
+
+// src/commands/auth/index.ts
+import { Command as Command4 } from "commander";
+
+// src/commands/auth/login.ts
+import { Command } from "commander";
+
+// src/lib/auth.ts
+import { execFileSync } from "child_process";
+import { existsSync, mkdirSync, readFileSync, rmSync, writeFileSync } from "fs";
+import { homedir, platform } from "os";
+import { join } from "path";
+var SEALOS_AUTH_CLIENT_ID = "af993c98-d19d-4bdc-b338-79b80dc4f8bf";
+var DEFAULT_SEALOS_REGION = "https://usw-1.sealos.io";
+var AUTH_METHOD_DEVICE_GRANT = "oauth2_device_grant";
+var AUTH_METHOD_TOKEN = "token";
+var DEVICE_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code";
+function getAuthPaths(sealosDir = join(homedir(), ".sealos")) {
+  return {
+    sealosDir,
+    authPath: join(sealosDir, "auth.json"),
+    kubeconfigPath: join(sealosDir, "kubeconfig")
+  };
+}
+__name(getAuthPaths, "getAuthPaths");
+function normalizeRegion(region) {
+  return (region || process.env.SEALOS_REGION || DEFAULT_SEALOS_REGION).replace(/\/+$/, "");
+}
+__name(normalizeRegion, "normalizeRegion");
+function createDefaultAuthDependencies() {
+  return {
+    fetch,
+    sleep: /* @__PURE__ */ __name(async (ms) => await new Promise((resolve) => setTimeout(resolve, ms)), "sleep"),
+    openBrowser,
+    now: /* @__PURE__ */ __name(() => /* @__PURE__ */ new Date(), "now"),
+    paths: getAuthPaths(),
+    stderr: process.stderr
+  };
+}
+__name(createDefaultAuthDependencies, "createDefaultAuthDependencies");
+function withDeps(deps = {}) {
+  return {
+    ...createDefaultAuthDependencies(),
+    ...deps
+  };
+}
+__name(withDeps, "withDeps");
+function ensureSealosDir(paths) {
+  mkdirSync(paths.sealosDir, { recursive: true });
+}
+__name(ensureSealosDir, "ensureSealosDir");
+function saveAuth(auth, deps = {}) {
+  const { paths } = withDeps(deps);
+  ensureSealosDir(paths);
+  writeFileSync(paths.authPath, JSON.stringify(auth, null, 2), { mode: 384 });
+}
+__name(saveAuth, "saveAuth");
+function loadAuth(deps = {}) {
+  const { paths } = withDeps(deps);
+  if (!existsSync(paths.authPath)) {
+    throw new Error("Not authenticated. Please run: sealos login");
+  }
+  return JSON.parse(readFileSync(paths.authPath, "utf-8"));
+}
+__name(loadAuth, "loadAuth");
+function getToken(deps = {}) {
+  try {
+    return loadAuth(deps).regional_token || null;
+  } catch {
+    return null;
+  }
+}
+__name(getToken, "getToken");
+function getAuthHeaders(deps = {}) {
+  const token = getToken(deps);
+  return token ? { Authorization: token } : null;
+}
+__name(getAuthHeaders, "getAuthHeaders");
+function requireAuth(deps = {}) {
+  const headers = getAuthHeaders(deps);
+  if (!headers) {
+    throw new Error('Authentication required. Please run "sealos login" first.');
+  }
+  return headers;
+}
+__name(requireAuth, "requireAuth");
+function saveKubeconfig(kubeconfig, deps = {}) {
+  const { paths } = withDeps(deps);
+  ensureSealosDir(paths);
+  writeFileSync(paths.kubeconfigPath, kubeconfig, { mode: 384 });
+}
+__name(saveKubeconfig, "saveKubeconfig");
+function clearAuth(deps = {}) {
+  const { paths } = withDeps(deps);
+  rmSync(paths.authPath, { force: true });
+  rmSync(paths.kubeconfigPath, { force: true });
+}
+__name(clearAuth, "clearAuth");
+function checkAuth(deps = {}) {
+  const { paths } = withDeps(deps);
+  if (!existsSync(paths.kubeconfigPath)) {
+    return { authenticated: false };
+  }
+  try {
+    const kubeconfig = readFileSync(paths.kubeconfigPath, "utf-8");
+    if (!kubeconfig.includes("server:") || !kubeconfig.includes("token:") && !kubeconfig.includes("client-certificate")) {
+      return { authenticated: false };
+    }
+    const auth = existsSync(paths.authPath) ? JSON.parse(readFileSync(paths.authPath, "utf-8")) : {};
+    return {
+      authenticated: true,
+      kubeconfig_path: paths.kubeconfigPath,
+      region: auth.region || "unknown",
+      workspace: auth.current_workspace?.id || "unknown"
+    };
+  } catch {
+    return { authenticated: false };
+  }
+}
+__name(checkAuth, "checkAuth");
+function getAuthInfo(deps = {}) {
+  const { paths } = withDeps(deps);
+  const status = checkAuth(deps);
+  if (!status.authenticated) {
+    return { authenticated: false };
+  }
+  const auth = existsSync(paths.authPath) ? JSON.parse(readFileSync(paths.authPath, "utf-8")) : {};
+  return {
+    ...status,
+    auth_method: auth.auth_method || "unknown",
+    authenticated_at: auth.authenticated_at || "unknown",
+    current_workspace: auth.current_workspace || null
+  };
+}
+__name(getAuthInfo, "getAuthInfo");
+async function parseResponse(res) {
+  return await res.json();
+}
+__name(parseResponse, "parseResponse");
+async function readErrorBody(res) {
+  return await res.text().catch(() => "");
+}
+__name(readErrorBody, "readErrorBody");
+async function requestDeviceAuthorization(region, deps = {}) {
+  const { fetch: fetchImpl } = withDeps(deps);
+  const res = await fetchImpl(`${region}/api/auth/oauth2/device`, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      client_id: SEALOS_AUTH_CLIENT_ID,
+      grant_type: DEVICE_GRANT_TYPE
+    })
+  });
+  if (!res.ok) {
+    const body = await readErrorBody(res);
+    throw new Error(`Device authorization request failed (${res.status}): ${body || res.statusText}`);
+  }
+  return await parseResponse(res);
+}
+__name(requestDeviceAuthorization, "requestDeviceAuthorization");
+async function pollForToken(region, deviceCode, interval, expiresIn, deps = {}) {
+  const { fetch: fetchImpl, sleep, now, stderr } = withDeps(deps);
+  const maxWait = Math.min(expiresIn, 600) * 1e3;
+  const deadline = now().getTime() + maxWait;
+  let pollInterval = interval * 1e3;
+  let lastLoggedMinute = -1;
+  while (now().getTime() < deadline) {
+    await sleep(pollInterval);
+    const remaining = Math.ceil((deadline - now().getTime()) / 6e4);
+    if (remaining !== lastLoggedMinute && remaining > 0) {
+      lastLoggedMinute = remaining;
+      stderr.write(`  Waiting for authorization... (${remaining} min remaining)
+`);
+    }
+    const res = await fetchImpl(`${region}/api/auth/oauth2/token`, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: new URLSearchParams({
+        client_id: SEALOS_AUTH_CLIENT_ID,
+        grant_type: DEVICE_GRANT_TYPE,
+        device_code: deviceCode
+      })
+    });
+    if (res.ok) {
+      return await parseResponse(res);
+    }
+    const body = await res.json().catch(() => ({}));
+    switch (body.error) {
+      case "authorization_pending":
+        break;
+      case "slow_down":
+        pollInterval += 5e3;
+        break;
+      case "access_denied":
+        throw new Error("Authorization denied by user");
+      case "expired_token":
+        throw new Error("Device code expired. Please run login again.");
+      default:
+        throw new Error(`Token request failed: ${body.error || res.statusText}`);
+    }
+  }
+  throw new Error("Authorization timed out (10 minutes). Please run login again.");
+}
+__name(pollForToken, "pollForToken");
+async function getRegionToken(region, globalToken, deps = {}) {
+  const { fetch: fetchImpl } = withDeps(deps);
+  const res = await fetchImpl(`${region}/api/auth/regionToken`, {
+    method: "POST",
+    headers: {
+      Authorization: globalToken,
+      "Content-Type": "application/json"
+    }
+  });
+  if (!res.ok) {
+    const body = await readErrorBody(res);
+    throw new Error(`Region token exchange failed (${res.status}): ${body || res.statusText}`);
+  }
+  return await parseResponse(res);
+}
+__name(getRegionToken, "getRegionToken");
+function normalizeWorkspaces(data) {
+  const namespaces = Array.isArray(data.data) ? data.data : data.data?.namespaces;
+  return Array.isArray(namespaces) ? namespaces : [];
+}
+__name(normalizeWorkspaces, "normalizeWorkspaces");
+async function listRemoteWorkspaces(region, regionalToken, deps = {}) {
+  const { fetch: fetchImpl } = withDeps(deps);
+  const res = await fetchImpl(`${region}/api/auth/namespace/list`, {
+    headers: { Authorization: regionalToken }
+  });
+  if (!res.ok) {
+    const body = await readErrorBody(res);
+    throw new Error(`List workspaces failed (${res.status}): ${body || res.statusText}`);
+  }
+  return normalizeWorkspaces(await parseResponse(res));
+}
+__name(listRemoteWorkspaces, "listRemoteWorkspaces");
+async function switchRemoteWorkspace(region, regionalToken, nsUid, deps = {}) {
+  const { fetch: fetchImpl } = withDeps(deps);
+  const res = await fetchImpl(`${region}/api/auth/namespace/switch`, {
+    method: "POST",
+    headers: {
+      Authorization: regionalToken,
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify({ ns_uid: nsUid })
+  });
+  if (!res.ok) {
+    const body = await readErrorBody(res);
+    throw new Error(`Switch workspace failed (${res.status}): ${body || res.statusText}`);
+  }
+  return await parseResponse(res);
+}
+__name(switchRemoteWorkspace, "switchRemoteWorkspace");
+async function getKubeconfig(region, regionalToken, deps = {}) {
+  const { fetch: fetchImpl } = withDeps(deps);
+  const res = await fetchImpl(`${region}/api/auth/getKubeconfig`, {
+    headers: { Authorization: regionalToken }
+  });
+  if (!res.ok) {
+    const body = await readErrorBody(res);
+    throw new Error(`Get kubeconfig failed (${res.status}): ${body || res.statusText}`);
+  }
+  return await parseResponse(res);
+}
+__name(getKubeconfig, "getKubeconfig");
+function openBrowser(url) {
+  const command = platform() === "darwin" ? "open" : platform() === "win32" ? "cmd" : "xdg-open";
+  const args = platform() === "win32" ? ["/c", "start", "", url] : [url];
+  execFileSync(command, args, { stdio: "ignore" });
+}
+__name(openBrowser, "openBrowser");
+async function loginWithToken(region, token, deps = {}) {
+  const { now } = withDeps(deps);
+  const normalizedRegion = normalizeRegion(region);
+  saveAuth({
+    region: normalizedRegion,
+    regional_token: token,
+    authenticated_at: now().toISOString(),
+    auth_method: AUTH_METHOD_TOKEN
+  }, deps);
+  return {
+    region: normalizedRegion,
+    workspace: "unknown",
+    limited: true
+  };
+}
+__name(loginWithToken, "loginWithToken");
+async function loginWithDeviceFlow(region, deps = {}) {
+  const fullDeps = withDeps(deps);
+  const normalizedRegion = normalizeRegion(region);
+  const deviceAuth = await requestDeviceAuthorization(normalizedRegion, fullDeps);
+  const {
+    device_code: deviceCode,
+    user_code: userCode,
+    verification_uri: verificationUri,
+    verification_uri_complete: verificationUriComplete,
+    expires_in: expiresIn,
+    interval = 5
+  } = deviceAuth;
+  const url = verificationUriComplete || verificationUri;
+  fullDeps.stderr.write(`
+Please open the following URL in your browser to authorize:
+
+  ${url}
+
+Authorization code: ${userCode}
+Expires in: ${Math.floor(expiresIn / 60)} minutes
+
+Waiting for authorization...
+`);
+  if (url) {
+    try {
+      fullDeps.openBrowser(url);
+      fullDeps.stderr.write("Browser opened automatically.\n");
+    } catch {
+      fullDeps.stderr.write("Could not open browser automatically. Please open the URL manually.\n");
+    }
+  }
+  const tokenResponse = await pollForToken(normalizedRegion, deviceCode, interval, expiresIn, fullDeps);
+  const accessToken = tokenResponse.access_token;
+  if (!accessToken) {
+    throw new Error("Token response missing access_token");
+  }
+  fullDeps.stderr.write("Authorization received. Exchanging for regional token...\n");
+  const regionData = await getRegionToken(normalizedRegion, accessToken, fullDeps);
+  const regionalToken = regionData.data?.token;
+  const kubeconfig = regionData.data?.kubeconfig;
+  if (!regionalToken) {
+    throw new Error("Region token response missing data.token field");
+  }
+  if (!kubeconfig) {
+    throw new Error("Region token response missing data.kubeconfig field");
+  }
+  let currentWorkspace;
+  try {
+    const workspaces = await listRemoteWorkspaces(normalizedRegion, regionalToken, fullDeps);
+    currentWorkspace = workspaces.find((workspace) => workspace.nstype === "private") || workspaces[0];
+  } catch {
+    currentWorkspace = void 0;
+  }
+  saveKubeconfig(kubeconfig, fullDeps);
+  saveAuth({
+    region: normalizedRegion,
+    access_token: accessToken,
+    regional_token: regionalToken,
+    authenticated_at: fullDeps.now().toISOString(),
+    auth_method: AUTH_METHOD_DEVICE_GRANT,
+    ...currentWorkspace ? {
+      current_workspace: {
+        uid: currentWorkspace.uid,
+        id: currentWorkspace.id,
+        teamName: currentWorkspace.teamName
+      }
+    } : {}
+  }, fullDeps);
+  fullDeps.stderr.write("Authentication successful!\n");
+  return {
+    kubeconfig_path: fullDeps.paths.kubeconfigPath,
+    region: normalizedRegion,
+    workspace: currentWorkspace?.id || "default"
+  };
+}
+__name(loginWithDeviceFlow, "loginWithDeviceFlow");
+async function listWorkspaces(deps = {}) {
+  const auth = loadAuth(deps);
+  if (!auth.regional_token) {
+    throw new Error("No regional_token found. Please run: sealos login");
+  }
+  const workspaces = await listRemoteWorkspaces(auth.region, auth.regional_token, deps);
+  return {
+    current: auth.current_workspace?.id || null,
+    workspaces: workspaces.map((workspace) => ({
+      uid: workspace.uid,
+      id: workspace.id,
+      teamName: workspace.teamName,
+      role: workspace.role,
+      nstype: workspace.nstype
+    }))
+  };
+}
+__name(listWorkspaces, "listWorkspaces");
+async function switchWorkspace(target, deps = {}) {
+  if (!target) {
+    throw new Error("Usage: sealos auth switch <namespace-id-or-uid>");
+  }
+  const fullDeps = withDeps(deps);
+  const auth = loadAuth(fullDeps);
+  if (!auth.regional_token) {
+    throw new Error("No regional_token found. Please run: sealos login");
+  }
+  const workspaces = await listRemoteWorkspaces(auth.region, auth.regional_token, fullDeps);
+  if (workspaces.length === 0) {
+    throw new Error("No workspaces found");
+  }
+  const targetLower = target.toLowerCase();
+  const match = workspaces.find(
+    (workspace) => workspace.id === target || workspace.uid === target || workspace.id?.toLowerCase().includes(targetLower) || workspace.teamName?.toLowerCase().includes(targetLower)
+  );
+  if (!match?.uid) {
+    const available = workspaces.map((workspace) => `  ${workspace.id || "unknown"} (${workspace.teamName || "unknown"})`).join("\n");
+    throw new Error(`No workspace matching "${target}". Available:
+${available}`);
+  }
+  fullDeps.stderr.write(`Switching to workspace: ${match.id || match.uid} (${match.teamName || "unknown"})...
+`);
+  const switchData = await switchRemoteWorkspace(auth.region, auth.regional_token, match.uid, fullDeps);
+  const newToken = switchData.data?.token;
+  if (!newToken) {
+    throw new Error("Switch response missing data.token");
+  }
+  const kubeconfigData = await getKubeconfig(auth.region, newToken, fullDeps);
+  const kubeconfig = kubeconfigData.data?.kubeconfig;
+  if (!kubeconfig) {
+    throw new Error("Kubeconfig response missing data.kubeconfig");
+  }
+  const nextAuth = {
+    ...auth,
+    regional_token: newToken,
+    current_workspace: {
+      uid: match.uid,
+      id: match.id,
+      teamName: match.teamName
+    }
+  };
+  saveAuth(nextAuth, fullDeps);
+  saveKubeconfig(kubeconfig, fullDeps);
+  fullDeps.stderr.write(`Switched to workspace: ${match.id || match.uid}
+`);
+  return {
+    workspace: {
+      uid: match.uid,
+      id: match.id,
+      teamName: match.teamName
+    },
+    kubeconfig_path: fullDeps.paths.kubeconfigPath
+  };
+}
+__name(switchWorkspace, "switchWorkspace");
+
+// src/lib/output.ts
+import chalk from "chalk";
+import { table } from "table";
+import ora from "ora";
+function outputJson(data) {
+  console.log(JSON.stringify(data, null, 2));
+}
+__name(outputJson, "outputJson");
+function outputYaml(data) {
+  console.log("YAML output not implemented yet");
+  console.log(data);
+}
+__name(outputYaml, "outputYaml");
+function outputTable(data) {
+  console.log(table(data));
+}
+__name(outputTable, "outputTable");
+function formatOutput(data, format = "table") {
+  switch (format) {
+    case "json":
+      outputJson(data);
+      break;
+    case "yaml":
+      outputYaml(data);
+      break;
+    case "table":
+      if (Array.isArray(data)) {
+        outputTable(data);
+      } else {
+        console.log(data);
+      }
+      break;
+    default:
+      console.log(data);
+  }
+}
+__name(formatOutput, "formatOutput");
+function success(message) {
+  console.log(chalk.green("\u2713"), message);
+}
+__name(success, "success");
+function warn(message) {
+  console.warn(chalk.yellow("\u26A0"), message);
+}
+__name(warn, "warn");
+function info(message) {
+  console.log(chalk.blue("\u2139"), message);
+}
+__name(info, "info");
+function spinner(text) {
+  return ora(text).start();
+}
+__name(spinner, "spinner");
+
+// src/lib/errors.ts
+import chalk2 from "chalk";
+var CliError = class extends Error {
+  constructor(message, exitCode = 1) {
+    super(message);
+    this.exitCode = exitCode;
+    this.name = "CliError";
+  }
+  exitCode;
+  static {
+    __name(this, "CliError");
+  }
+};
+var AuthError = class extends CliError {
+  static {
+    __name(this, "AuthError");
+  }
+  constructor(message = 'Authentication required. Please run "sealos login" first.') {
+    super(message, 1);
+    this.name = "AuthError";
+  }
+};
+var ConfigError = class extends CliError {
+  static {
+    __name(this, "ConfigError");
+  }
+  constructor(message) {
+    super(message, 1);
+    this.name = "ConfigError";
+  }
+};
+var ApiError = class extends CliError {
+  constructor(message, statusCode, code, details) {
+    super(message, 1);
+    this.statusCode = statusCode;
+    this.code = code;
+    this.details = details;
+    this.name = "ApiError";
+  }
+  statusCode;
+  code;
+  details;
+  static {
+    __name(this, "ApiError");
+  }
+};
+function mapApiError(status, body) {
+  const message = body?.error?.message || `API request failed with status ${status}`;
+  if (status === 401) {
+    return new AuthError(message);
+  }
+  return new ApiError(message, status, body?.error?.code, body?.error?.details);
+}
+__name(mapApiError, "mapApiError");
+function handleError(error) {
+  if (error instanceof ApiError) {
+    console.error(chalk2.red("Error:"), error.message);
+    if (error.details) {
+      if (Array.isArray(error.details)) {
+        for (const d of error.details) {
+          console.error(chalk2.yellow(`  ${d.field}:`), d.message);
+        }
+      } else {
+        console.error(chalk2.yellow("  Details:"), error.details);
+      }
+    }
+    process.exit(error.exitCode);
+  }
+  if (error instanceof CliError) {
+    console.error(chalk2.red("Error:"), error.message);
+    process.exit(error.exitCode);
+  }
+  if (error instanceof Error) {
+    console.error(chalk2.red("Error:"), error.message);
+    if (process.env.DEBUG) {
+      console.error(error.stack);
+    }
+    process.exit(1);
+  }
+  console.error(chalk2.red("Error:"), "An unknown error occurred");
+  process.exit(1);
+}
+__name(handleError, "handleError");
+
+// src/commands/auth/login.ts
+function createLoginCommand() {
+  return new Command("login").description("Login to Sealos Cloud").argument("[region]", "Sealos region URL (e.g., https://usw-1.sealos.io)").option("-t, --token <token>", "Store a regional token without OAuth device login").option("-o, --output <format>", "Output format: json, table", "table").action(async (region, options) => {
+    try {
+      const result = options.token ? await loginWithToken(region, options.token) : await loginWithDeviceFlow(region);
+      if (options.token) {
+        warn("Token login is limited: kubeconfig is not generated. Use device login for full auth.");
+      }
+      if (options.output === "json") {
+        outputJson(result);
+      } else {
+        success(`Logged in to ${result.region}`);
+        info(`Workspace: ${result.workspace}`);
+        if (result.kubeconfig_path) {
+          info(`Kubeconfig: ${result.kubeconfig_path}`);
+        }
+      }
+    } catch (error) {
+      handleError(error);
+    }
+  });
+}
+__name(createLoginCommand, "createLoginCommand");
+
+// src/commands/auth/logout.ts
+import { Command as Command2 } from "commander";
+function createLogoutCommand() {
+  return new Command2("logout").description("Logout from Sealos Cloud").action(async () => {
+    try {
+      const status = checkAuth();
+      if (!status.authenticated) {
+        warn("You are not logged in");
+        return;
+      }
+      clearAuth();
+      success("Logged out from Sealos Cloud");
+    } catch (error) {
+      handleError(error);
+    }
+  });
+}
+__name(createLogoutCommand, "createLogoutCommand");
+
+// src/commands/auth/whoami.ts
+import { Command as Command3 } from "commander";
+function createWhoamiCommand() {
+  return new Command3("whoami").description("Display current user information").option("-o, --output <format>", "Output format: json, table", "table").action(async (options) => {
+    try {
+      const authInfo = getAuthInfo();
+      if (!authInfo.authenticated) {
+        throw new AuthError();
+      }
+      if (options.output === "json") {
+        outputJson(authInfo);
+        return;
+      }
+      const data = [
+        ["Field", "Value"],
+        ["Authenticated", "true"],
+        ["Region", authInfo.region || "unknown"],
+        ["Auth Method", authInfo.auth_method || "unknown"],
+        ["Workspace", authInfo.current_workspace?.id || authInfo.workspace || "unknown"],
+        ["Team", authInfo.current_workspace?.teamName || "unknown"],
+        ["Kubeconfig", authInfo.kubeconfig_path || "unknown"],
+        ["Authenticated At", authInfo.authenticated_at || "unknown"]
+      ];
+      outputTable(data);
+    } catch (error) {
+      handleError(error);
+    }
+  });
+}
+__name(createWhoamiCommand, "createWhoamiCommand");
+
+// src/commands/auth/index.ts
+function registerAuthCommands(program) {
+  program.addCommand(createLoginCommand());
+  program.addCommand(createLogoutCommand());
+  program.addCommand(createWhoamiCommand());
+  program.addCommand(createAuthCommand());
+}
+__name(registerAuthCommands, "registerAuthCommands");
+function createAuthCommand() {
+  const authCmd = new Command4("auth").description("Manage Sealos authentication");
+  authCmd.command("check").description("Check authentication status").option("-o, --output <format>", "Output format: json, table", "json").action(async (options) => {
+    try {
+      const status = checkAuth();
+      if (options.output === "table") {
+        outputTable([
+          ["Field", "Value"],
+          ["Authenticated", String(status.authenticated)],
+          ["Region", status.region || "unknown"],
+          ["Workspace", status.workspace || "unknown"],
+          ["Kubeconfig", status.kubeconfig_path || "unknown"]
+        ]);
+      } else {
+        outputJson(status);
+      }
+    } catch (error) {
+      handleError(error);
+    }
+  });
+  authCmd.command("info").description("Show current auth details").option("-o, --output <format>", "Output format: json, table", "json").action(async (options) => {
+    try {
+      const info2 = getAuthInfo();
+      if (!info2.authenticated) {
+        throw new AuthError();
+      }
+      if (options.output === "table") {
+        outputTable([
+          ["Field", "Value"],
+          ["Authenticated", String(info2.authenticated)],
+          ["Region", info2.region || "unknown"],
+          ["Auth Method", info2.auth_method || "unknown"],
+          ["Workspace", info2.current_workspace?.id || info2.workspace || "unknown"],
+          ["Team", info2.current_workspace?.teamName || "unknown"],
+          ["Kubeconfig", info2.kubeconfig_path || "unknown"],
+          ["Authenticated At", info2.authenticated_at || "unknown"]
+        ]);
+      } else {
+        outputJson(info2);
+      }
+    } catch (error) {
+      handleError(error);
+    }
+  });
+  authCmd.command("list").description("List all workspaces").option("-o, --output <format>", "Output format: json, table", "table").action(async (options) => {
+    try {
+      const result = await listWorkspaces();
+      if (options.output === "json") {
+        outputJson(result);
+        return;
+      }
+      outputTable([
+        ["UID", "ID", "TEAM", "ROLE", "TYPE", "CURRENT"],
+        ...result.workspaces.map((workspace) => [
+          workspace.uid || "",
+          workspace.id || "",
+          workspace.teamName || "",
+          workspace.role || "",
+          workspace.nstype || "",
+          workspace.id === result.current ? "*" : ""
+        ])
+      ]);
+    } catch (error) {
+      handleError(error);
+    }
+  });
+  authCmd.command("switch").description("Switch workspace").argument("<namespace>", "Workspace id, uid, or team name").option("-o, --output <format>", "Output format: json, table", "table").action(async (namespace, options) => {
+    try {
+      const result = await switchWorkspace(namespace);
+      if (options.output === "json") {
+        outputJson(result);
+        return;
+      }
+      success(`Switched to workspace: ${result.workspace.id || result.workspace.uid || namespace}`);
+    } catch (error) {
+      handleError(error);
+    }
+  });
+  return authCmd;
+}
+__name(createAuthCommand, "createAuthCommand");
+
+// src/commands/workspace/index.ts
+import { Command as Command5 } from "commander";
+
+// src/lib/config.ts
+import { homedir as homedir2 } from "os";
+import { join as join2 } from "path";
+import { readFileSync as readFileSync2, writeFileSync as writeFileSync2, existsSync as existsSync2, mkdirSync as mkdirSync2 } from "fs";
+var CONFIG_DIR = join2(homedir2(), ".sealos");
+var CONFIG_FILE = join2(CONFIG_DIR, "config.json");
+function ensureConfigDir() {
+  if (!existsSync2(CONFIG_DIR)) {
+    mkdirSync2(CONFIG_DIR, { recursive: true });
+  }
+}
+__name(ensureConfigDir, "ensureConfigDir");
+function readConfig() {
+  ensureConfigDir();
+  if (!existsSync2(CONFIG_FILE)) {
+    const defaultConfig = {
+      currentContext: "",
+      contexts: []
+    };
+    return defaultConfig;
+  }
+  try {
+    const content = readFileSync2(CONFIG_FILE, "utf-8");
+    return JSON.parse(content);
+  } catch (error) {
+    throw new Error(`Failed to read config file: ${error}`);
+  }
+}
+__name(readConfig, "readConfig");
+function writeConfig(config) {
+  ensureConfigDir();
+  try {
+    writeFileSync2(CONFIG_FILE, JSON.stringify(config, null, 2), "utf-8");
+  } catch (error) {
+    throw new Error(`Failed to write config file: ${error}`);
+  }
+}
+__name(writeConfig, "writeConfig");
+function getCurrentContext() {
+  const config = readConfig();
+  if (!config.currentContext) {
+    return null;
+  }
+  const context = config.contexts.find((ctx) => ctx.name === config.currentContext);
+  return context || null;
+}
+__name(getCurrentContext, "getCurrentContext");
+function getConfigValue(key) {
+  const config = readConfig();
+  return config[key];
+}
+__name(getConfigValue, "getConfigValue");
+function setConfigValue(key, value) {
+  const config = readConfig();
+  config[key] = value;
+  writeConfig(config);
+}
+__name(setConfigValue, "setConfigValue");
+
+// src/commands/workspace/index.ts
+function createWorkspaceCommand() {
+  const workspaceCmd = new Command5("workspace").alias("ws").description("Manage workspaces");
+  workspaceCmd.command("switch").description("Switch to another workspace").argument("<name>", "Workspace name").action(async (name) => {
+    try {
+      const context = getCurrentContext();
+      if (context) {
+        context.workspace = name;
+      }
+      success(`Switched to workspace: ${name}`);
+    } catch (error) {
+      handleError(error);
+    }
+  });
+  workspaceCmd.command("list").description("List all workspaces").action(async () => {
+    try {
+      const context = getCurrentContext();
+      if (!context) {
+        throw new AuthError();
+      }
+      const data = [
+        ["NAME", "STATUS", "CURRENT"],
+        ["default", "Active", context.workspace === "default" ? "*" : ""],
+        ["production", "Active", context.workspace === "production" ? "*" : ""]
+      ];
+      outputTable(data);
+      info("API integration needed for real data");
+    } catch (error) {
+      handleError(error);
+    }
+  });
+  workspaceCmd.command("current").description("Show current workspace").action(async () => {
+    try {
+      const context = getCurrentContext();
+      if (!context) {
+        throw new AuthError();
+      }
+      const data = [
+        ["Field", "Value"],
+        ["Workspace", context.workspace],
+        ["Context", context.name]
+      ];
+      outputTable(data);
+    } catch (error) {
+      handleError(error);
+    }
+  });
+  return workspaceCmd;
+}
+__name(createWorkspaceCommand, "createWorkspaceCommand");
+
+// src/commands/devbox/index.ts
+import { Command as Command6 } from "commander";
+function createDevboxCommand() {
+  const devboxCmd = new Command6("devbox").alias("dev").description("Manage devbox instances");
+  devboxCmd.command("create").description("Create a new devbox").argument("[path]", "Project path", ".").option("--name <name>", "Devbox name").option("--template <template>", "Template to use", "default").option("--cpu <cpu>", "CPU configuration", "1c").option("--memory <memory>", "Memory configuration", "2g").option("--port <port>", "Port number").option("--config <config>", "Config file path").action(async (path, options) => {
+    try {
+      const context = getCurrentContext();
+      if (!context) {
+        throw new AuthError();
+      }
+      const spin = spinner("Creating devbox...");
+      spin.succeed("Devbox created successfully");
+      success("Devbox URL: https://example.sealos.run");
+      info(`Run "sealos devbox connect ${options.name || "devbox"}" to connect`);
+    } catch (error) {
+      handleError(error);
+    }
+  });
+  devboxCmd.command("list").description("List all devboxes").option("-o, --output <format>", "Output format: json, yaml, table", "table").option("--selector <selector>", "Label selector").action(async (options) => {
+    try {
+      const context = getCurrentContext();
+      if (!context) {
+        throw new AuthError();
+      }
+      const data = [
+        ["NAME", "STATUS", "CPU", "MEMORY", "CREATED"],
+        ["my-devbox", "Running", "2c", "4g", "2h ago"],
+        ["test-box", "Stopped", "1c", "2g", "1d ago"]
+      ];
+      if (options.output === "json") {
+        formatOutput({ items: data.slice(1) }, "json");
+      } else if (options.output === "yaml") {
+        formatOutput({ items: data.slice(1) }, "yaml");
+      } else {
+        outputTable(data);
+      }
+    } catch (error) {
+      handleError(error);
+    }
+  });
+  devboxCmd.command("get").description("Get devbox details").argument("<name>", "Devbox name").action(async (name) => {
+    try {
+      const context = getCurrentContext();
+      if (!context) {
+        throw new AuthError();
+      }
+      const data = [
+        ["Field", "Value"],
+        ["Name", name],
+        ["Status", "Running"],
+        ["CPU", "2c"],
+        ["Memory", "4g"],
+        ["URL", "https://example.sealos.run"]
+      ];
+      outputTable(data);
+    } catch (error) {
+      handleError(error);
+    }
+  });
+  const actions = ["start", "stop", "restart", "delete"];
+  actions.forEach((action) => {
+    const cmd = devboxCmd.command(action).description(`${action.charAt(0).toUpperCase() + action.slice(1)} a devbox`).argument("<name>", "Devbox name");
+    if (action === "delete") {
+      cmd.option("-f, --force", "Force delete without confirmation");
+    }
+    cmd.action(async (name, options) => {
+      try {
+        const context = getCurrentContext();
+        if (!context) {
+          throw new AuthError();
+        }
+        const spin = spinner(`${action}ing devbox...`);
+        spin.succeed(`Devbox ${action}ed successfully`);
+      } catch (error) {
+        handleError(error);
+      }
+    });
+  });
+  devboxCmd.command("connect").description("Connect to a devbox").argument("<name>", "Devbox name").option("--ide <ide>", "IDE type: vscode, cursor", "vscode").action(async (name, options) => {
+    try {
+      const context = getCurrentContext();
+      if (!context) {
+        throw new AuthError();
+      }
+      info(`Opening ${name} in ${options.ide}...`);
+      success(`Connect URL: ${options.ide}://remote-ssh/devbox-${name}`);
+    } catch (error) {
+      handleError(error);
+    }
+  });
+  devboxCmd.command("publish").description("Publish a devbox").argument("<name>", "Devbox name").action(async (name) => {
+    try {
+      const context = getCurrentContext();
+      if (!context) {
+        throw new AuthError();
+      }
+      const spin = spinner("Publishing devbox...");
+      spin.succeed("Devbox published successfully");
+    } catch (error) {
+      handleError(error);
+    }
+  });
+  const templateCmd = devboxCmd.command("template").description("Manage devbox templates");
+  templateCmd.command("build").description("Build a devbox template").option("--name <name>", "Template name").action(async (options) => {
+    try {
+      info("Building template...");
+    } catch (error) {
+      handleError(error);
+    }
+  });
+  templateCmd.command("list").description("List devbox templates").action(async () => {
+    try {
+      const data = [
+        ["NAME", "DESCRIPTION", "VERSION"],
+        ["nextjs", "Next.js development environment", "1.0.0"],
+        ["python", "Python 3.11 environment", "1.0.0"]
+      ];
+      outputTable(data);
+    } catch (error) {
+      handleError(error);
+    }
+  });
+  return devboxCmd;
+}
+__name(createDevboxCommand, "createDevboxCommand");
+
+// src/commands/s3/index.ts
+import { Command as Command7 } from "commander";
+function createS3Command() {
+  const s3Cmd = new Command7("s3").description("Manage S3 object storage");
+  s3Cmd.command("upload").description("Upload files to S3").argument("<source>", "Source file or directory").argument("[destination]", "Destination path").option("--bucket <bucket>", "Bucket name").option("--acl <acl>", "Access control: private, public-read").action(async (source, destination, options) => {
+    try {
+      console.log("TODO: Implement s3 upload", { source, destination, options });
+    } catch (error) {
+      handleError(error);
+    }
+  });
+  return s3Cmd;
+}
+__name(createS3Command, "createS3Command");
+
+// src/commands/database/index.ts
+import { Command as Command8 } from "commander";
+import chalk3 from "chalk";
+
+// src/lib/api-client.ts
+import createClient from "openapi-fetch";
+function resolveHost(options) {
+  let authRegion;
+  try {
+    authRegion = loadAuth().region;
+  } catch {
+    authRegion = void 0;
+  }
+  const host = options?.baseUrl || process.env.SEALOS_REGION || authRegion || DEFAULT_SEALOS_REGION;
+  if (!host) {
+    throw new ConfigError('No Sealos Cloud host configured. Run "sealos login <host>" first.');
+  }
+  return host.replace(/\/+$/, "");
+}
+__name(resolveHost, "resolveHost");
+function resolveDbproviderHost(host) {
+  return resolvePrefixedHost(host, "dbprovider");
+}
+__name(resolveDbproviderHost, "resolveDbproviderHost");
+function resolveTemplateProviderHost(host) {
+  return resolvePrefixedHost(host, "template");
+}
+__name(resolveTemplateProviderHost, "resolveTemplateProviderHost");
+function resolvePrefixedHost(host, prefix) {
+  const url = new URL(host);
+  if (url.hostname === "localhost" || url.hostname === "127.0.0.1" || url.hostname.startsWith(`${prefix}.`)) {
+    return url.toString().replace(/\/+$/, "");
+  }
+  url.hostname = `${prefix}.${url.hostname}`;
+  return url.toString().replace(/\/+$/, "");
+}
+__name(resolvePrefixedHost, "resolvePrefixedHost");
+function resolveDatabaseHost(options) {
+  const override = process.env.SEALOS_DATABASE_HOST?.trim();
+  if (override) {
+    return override.replace(/\/+$/, "");
+  }
+  return resolveDbproviderHost(resolveHost(options));
+}
+__name(resolveDatabaseHost, "resolveDatabaseHost");
+function resolveTemplateHost(options) {
+  return resolveTemplateProviderHost(resolveHost(options));
+}
+__name(resolveTemplateHost, "resolveTemplateHost");
+function createTemplateClient(options) {
+  return createClient({ baseUrl: `${resolveTemplateHost(options)}/api/v2alpha` });
+}
+__name(createTemplateClient, "createTemplateClient");
+function createDatabaseClient(options) {
+  return createClient({ baseUrl: `${resolveDatabaseHost(options)}/api/v2alpha` });
+}
+__name(createDatabaseClient, "createDatabaseClient");
+
+// src/lib/with-auth.ts
+function withAuth(options, fn) {
+  return async (...args) => {
+    const spin = spinner(options.spinnerText);
+    try {
+      const auth = requireAuth();
+      await fn({ auth, spinner: spin }, ...args);
+    } catch (error) {
+      spin.fail();
+      handleError(error);
+    }
+  };
+}
+__name(withAuth, "withAuth");
+function withErrorHandling(options, fn) {
+  return async (...args) => {
+    const spin = spinner(options.spinnerText);
+    try {
+      await fn({ spinner: spin }, ...args);
+    } catch (error) {
+      spin.fail();
+      handleError(error);
+    }
+  };
+}
+__name(withErrorHandling, "withErrorHandling");
+
+// src/commands/database/index.ts
+var SUPPORTED_DATABASE_TYPES = [
+  "postgresql",
+  "mongodb",
+  "apecloud-mysql",
+  "mysql",
+  "redis",
+  "kafka",
+  "qdrant",
+  "nebula",
+  "weaviate",
+  "milvus",
+  "pulsar",
+  "clickhouse"
+];
+var SUPPORTED_LOG_DB_TYPES = [
+  "postgresql",
+  "mongodb",
+  "mysql",
+  "redis"
+];
+var SUPPORTED_LOG_TYPES = [
+  "runtimeLog",
+  "slowQuery",
+  "errorLog"
+];
+function collectOption(value, previous) {
+  return [...previous, value];
+}
+__name(collectOption, "collectOption");
+function parseKeyValueArgs(pairs) {
+  const values = {};
+  for (const pair of pairs) {
+    const index = pair.indexOf("=");
+    if (index === -1) {
+      throw new Error(`Invalid KEY=VALUE format: "${pair}"`);
+    }
+    values[pair.slice(0, index)] = pair.slice(index + 1);
+  }
+  return values;
+}
+__name(parseKeyValueArgs, "parseKeyValueArgs");
+function normalizeDatabaseType(type) {
+  const normalized = type.trim().toLowerCase();
+  const aliases = {
+    postgres: "postgresql",
+    postgresql: "postgresql",
+    mongo: "mongodb",
+    mongodb: "mongodb"
+  };
+  const resolved = aliases[normalized] || normalized;
+  if (!SUPPORTED_DATABASE_TYPES.includes(resolved)) {
+    throw new Error(`Unsupported database type "${type}"`);
+  }
+  return resolved;
+}
+__name(normalizeDatabaseType, "normalizeDatabaseType");
+function normalizeLogDbType(type) {
+  const normalized = normalizeDatabaseType(type);
+  if (!SUPPORTED_LOG_DB_TYPES.includes(normalized)) {
+    throw new Error(`Logs API only supports db types: ${SUPPORTED_LOG_DB_TYPES.join(", ")}`);
+  }
+  return normalized;
+}
+__name(normalizeLogDbType, "normalizeLogDbType");
+function normalizeLogType(type) {
+  const normalized = type.trim();
+  if (!SUPPORTED_LOG_TYPES.includes(normalized)) {
+    throw new Error(`Unsupported log type "${type}". Use one of: ${SUPPORTED_LOG_TYPES.join(", ")}`);
+  }
+  return normalized;
+}
+__name(normalizeLogType, "normalizeLogType");
+function parseNumericValue(value, field) {
+  const normalized = value.trim().toLowerCase();
+  let raw = normalized;
+  if (field === "cpu" && normalized.endsWith("c")) {
+    raw = normalized.slice(0, -1);
+  }
+  if ((field === "memory" || field === "storage") && /gi?$|gb$|g$/i.test(normalized)) {
+    raw = normalized.replace(/gi?$|gb$|g$/i, "");
+  }
+  const parsed = Number(raw);
+  if (!Number.isFinite(parsed)) {
+    throw new Error(`Invalid ${field} value "${value}"`);
+  }
+  return parsed;
+}
+__name(parseNumericValue, "parseNumericValue");
+function parseIntegerValue(value, field) {
+  const parsed = parseNumericValue(value, field);
+  if (!Number.isInteger(parsed)) {
+    throw new Error(`${field} must be an integer`);
+  }
+  return parsed;
+}
+__name(parseIntegerValue, "parseIntegerValue");
+function buildQuota(options) {
+  const quota = {};
+  if (options.cpu !== void 0) quota.cpu = parseNumericValue(options.cpu, "cpu");
+  if (options.memory !== void 0) quota.memory = parseNumericValue(options.memory, "memory");
+  if (options.storage !== void 0) quota.storage = parseNumericValue(options.storage, "storage");
+  if (options.replicas !== void 0) quota.replicas = parseIntegerValue(options.replicas, "replicas");
+  return quota;
+}
+__name(buildQuota, "buildQuota");
+function buildAutoBackup(options) {
+  const autoBackup = {};
+  if (options.backupStart) autoBackup.start = true;
+  if (options.backupType) autoBackup.type = options.backupType;
+  if (options.backupWeek.length > 0) autoBackup.week = options.backupWeek;
+  if (options.backupHour) autoBackup.hour = options.backupHour;
+  if (options.backupMinute) autoBackup.minute = options.backupMinute;
+  if (options.backupSaveTime) autoBackup.saveTime = parseIntegerValue(options.backupSaveTime, "backup-save-time");
+  if (options.backupSaveType) autoBackup.saveType = options.backupSaveType;
+  return Object.keys(autoBackup).length > 0 ? autoBackup : void 0;
+}
+__name(buildAutoBackup, "buildAutoBackup");
+function formatValue(value) {
+  if (value === void 0 || value === null || value === "") return "-";
+  return String(value);
+}
+__name(formatValue, "formatValue");
+function summarizeVersions(versions) {
+  if (versions.length <= 3) return versions.join(", ");
+  return `${versions.slice(0, 3).join(", ")} ... (${versions.length} total)`;
+}
+__name(summarizeVersions, "summarizeVersions");
+function extractVersionsMap(payload) {
+  if (payload && typeof payload === "object" && !Array.isArray(payload)) {
+    if (payload.data && typeof payload.data === "object" && !Array.isArray(payload.data)) {
+      return payload.data;
+    }
+    return payload;
+  }
+  throw new Error("Unexpected versions response shape");
+}
+__name(extractVersionsMap, "extractVersionsMap");
+function printDatabaseDetail(database) {
+  console.log(chalk3.bold(`
+  ${database.name}
+`));
+  console.log(`  ${chalk3.dim("Type:")}                ${formatValue(database.type)}`);
+  console.log(`  ${chalk3.dim("Version:")}             ${formatValue(database.version)}`);
+  console.log(`  ${chalk3.dim("Status:")}              ${formatValue(database.status)}`);
+  console.log(`  ${chalk3.dim("Created:")}             ${formatValue(database.createdAt)}`);
+  console.log(`  ${chalk3.dim("Termination policy:")}  ${formatValue(database.terminationPolicy)}`);
+  console.log(`  ${chalk3.dim("UID:")}                 ${formatValue(database.uid)}`);
+  console.log(`  ${chalk3.dim("Resource type:")}       ${formatValue(database.resourceType)}`);
+  if (database.quota) {
+    console.log(`
+  ${chalk3.dim("Resources:")}`);
+    console.log(`    CPU:       ${formatValue(database.quota.cpu)} core(s)`);
+    console.log(`    Memory:    ${formatValue(database.quota.memory)} GB`);
+    console.log(`    Storage:   ${formatValue(database.quota.storage)} GB`);
+    console.log(`    Replicas:  ${formatValue(database.quota.replicas)}`);
+  }
+  if (database.connection) {
+    const privateReady = database.connection.privateConnection != null;
+    const publicReady = database.connection.publicConnection != null;
+    console.log(`
+  ${chalk3.dim("Connectivity:")}`);
+    console.log(`    Private:   ${privateReady ? "available" : "not ready"}`);
+    console.log(`    Public:    ${publicReady ? "enabled" : "disabled"}`);
+  }
+  if (database.autoBackup) {
+    console.log(`
+  ${chalk3.dim("Auto backup:")}`);
+    console.log(`    Enabled:   ${database.autoBackup.start ? "yes" : "no"}`);
+    if (database.autoBackup.type) {
+      console.log(`    Schedule:  ${database.autoBackup.type}`);
+    }
+    if (database.autoBackup.week?.length) {
+      console.log(`    Weekdays:  ${database.autoBackup.week.join(", ")}`);
+    }
+    if (database.autoBackup.hour || database.autoBackup.minute) {
+      console.log(`    Time:      ${formatValue(database.autoBackup.hour)}:${formatValue(database.autoBackup.minute)}`);
+    }
+    if (database.autoBackup.saveTime || database.autoBackup.saveType) {
+      console.log(`    Retention: ${formatValue(database.autoBackup.saveTime)} ${formatValue(database.autoBackup.saveType)}`);
+    }
+  }
+  const params = database.parameterConfig ? Object.entries(database.parameterConfig).filter(([, value]) => value !== void 0 && value !== null && value !== "") : [];
+  if (params.length > 0) {
+    console.log(`
+  ${chalk3.dim("Parameters:")}`);
+    const rows = [[chalk3.bold("Key"), chalk3.bold("Value")]];
+    for (const [key, value] of params) {
+      rows.push([key, formatValue(value)]);
+    }
+    outputTable(rows);
+  }
+  if (database.pods?.length > 0) {
+    console.log(`
+  ${chalk3.dim("Pods:")}`);
+    const rows = [[chalk3.bold("Name"), chalk3.bold("Status")]];
+    for (const pod of database.pods) {
+      rows.push([formatValue(pod.name), formatValue(pod.status)]);
+    }
+    outputTable(rows);
+  }
+}
+__name(printDatabaseDetail, "printDatabaseDetail");
+function printConnectionDetail(connection) {
+  const rows = [[chalk3.bold("Field"), chalk3.bold("Value")]];
+  const privateConnection = connection?.privateConnection;
+  const publicConnection = connection?.publicConnection;
+  if (privateConnection && typeof privateConnection === "object") {
+    rows.push(["Private endpoint", formatValue(privateConnection.endpoint)]);
+    rows.push(["Private host", formatValue(privateConnection.host)]);
+    rows.push(["Private port", formatValue(privateConnection.port)]);
+    rows.push(["Username", formatValue(privateConnection.username)]);
+    rows.push(["Password", formatValue(privateConnection.password)]);
+    rows.push(["Connection string", formatValue(privateConnection.connectionString)]);
+  }
+  if (publicConnection !== void 0 && publicConnection !== null) {
+    rows.push(["Public connection", formatValue(publicConnection)]);
+  }
+  if (rows.length === 1) {
+    console.log("Connection information is not available yet.");
+    return;
+  }
+  outputTable(rows);
+}
+__name(printConnectionDetail, "printConnectionDetail");
+function createDatabaseCommand() {
+  const dbCmd = new Command8("database").alias("db").description("Manage databases");
+  dbCmd.command("list").description("List databases").option("-o, --output <format>", "Output format (json|table)", "table").action(withAuth({ spinnerText: "Loading databases..." }, async (ctx, options) => {
+    const client = createDatabaseClient();
+    const { data, error, response } = await client.GET("/databases", {
+      headers: ctx.auth
+    });
+    if (error) throw mapApiError(response.status, error);
+    ctx.spinner.stop();
+    if (options.output === "json") {
+      outputJson(data);
+      return;
+    }
+    if (data.length === 0) {
+      console.log("No databases found.");
+      return;
+    }
+    const rows = [[
+      chalk3.bold("Name"),
+      chalk3.bold("Type"),
+      chalk3.bold("Version"),
+      chalk3.bold("Status"),
+      chalk3.bold("CPU"),
+      chalk3.bold("Memory"),
+      chalk3.bold("Storage"),
+      chalk3.bold("Replicas")
+    ]];
+    for (const database of data) {
+      rows.push([
+        formatValue(database.name),
+        formatValue(database.type),
+        formatValue(database.version),
+        formatValue(database.status),
+        formatValue(database.quota?.cpu),
+        formatValue(database.quota?.memory),
+        formatValue(database.quota?.storage),
+        formatValue(database.quota?.replicas)
+      ]);
+    }
+    outputTable(rows);
+  }));
+  dbCmd.command("versions").description("List supported database versions (public endpoint)").option("-o, --output <format>", "Output format (json|table)", "table").option("--host <host>", "Sealos region host for public version lookup, e.g. https://gzg.sealos.run").option("--type <type>", "Filter versions by database type").action(withErrorHandling({ spinnerText: "Loading versions..." }, async (ctx, options) => {
+    const client = createDatabaseClient({ baseUrl: options.host });
+    const { data, error, response } = await client.GET("/databases/versions");
+    if (error) throw mapApiError(response.status, error);
+    ctx.spinner.stop();
+    if (options.output === "json") {
+      if (!options.type) {
+        outputJson(data);
+        return;
+      }
+      const versionsMap2 = extractVersionsMap(data);
+      const databaseType = normalizeDatabaseType(options.type);
+      outputJson({ [databaseType]: versionsMap2[databaseType] ?? [] });
+      return;
+    }
+    const versionsMap = extractVersionsMap(data);
+    if (options.type) {
+      const databaseType = normalizeDatabaseType(options.type);
+      const versions = versionsMap[databaseType] ?? [];
+      if (versions.length === 0) {
+        console.log(`No versions found for database type "${databaseType}".`);
+        return;
+      }
+      const rows2 = [[chalk3.bold("Type"), chalk3.bold("Version")]];
+      for (const version of versions) {
+        rows2.push([databaseType, version]);
+      }
+      outputTable(rows2);
+      return;
+    }
+    const rows = [[chalk3.bold("Type"), chalk3.bold("Versions")]];
+    for (const [type, versions] of Object.entries(versionsMap)) {
+      rows.push([type, summarizeVersions(versions)]);
+    }
+    outputTable(rows);
+  }));
+  dbCmd.command("create <type>").description("Create a database").requiredOption("--name <name>", "Database name").option("--version <version>", "Database version").option("--cpu <cpu>", "CPU cores per replica", "1").option("--memory <memory>", "Memory in GB per replica", "1").option("--storage <storage>", "Storage in GB per replica", "3").option("--replicas <replicas>", "Replica count", "1").option("--termination-policy <policy>", "Termination policy (delete|wipeout)").option("--backup-start", "Enable automatic backups").option("--backup-type <type>", "Automatic backup frequency (day|hour|week)").option("--backup-week <day>", "Weekday for weekly backups", collectOption, []).option("--backup-hour <hour>", "Backup hour (00-23)").option("--backup-minute <minute>", "Backup minute (00-59)").option("--backup-save-time <count>", "Retention count").option("--backup-save-type <type>", "Retention unit (days|hours|weeks|months)").option("--param <KEY=VALUE>", "Database parameter override", collectOption, []).option("-o, --output <format>", "Output format (json|table)", "table").action(withAuth({
+    spinnerText: "Creating database..."
+  }, async (ctx, type, options) => {
+    const client = createDatabaseClient();
+    const quota = {
+      cpu: parseNumericValue(options.cpu, "cpu"),
+      memory: parseNumericValue(options.memory, "memory"),
+      storage: parseNumericValue(options.storage, "storage"),
+      replicas: parseIntegerValue(options.replicas, "replicas")
+    };
+    const autoBackup = buildAutoBackup(options);
+    const parameterConfig = options.param.length > 0 ? parseKeyValueArgs(options.param) : void 0;
+    const body = {
+      name: options.name,
+      type: normalizeDatabaseType(type),
+      quota
+    };
+    if (options.version) Object.assign(body, { version: options.version });
+    if (options.terminationPolicy) Object.assign(body, { terminationPolicy: options.terminationPolicy });
+    if (autoBackup) Object.assign(body, { autoBackup });
+    if (parameterConfig) Object.assign(body, { parameterConfig });
+    const { data, error, response } = await client.POST("/databases", {
+      headers: ctx.auth,
+      body
+    });
+    if (error) throw mapApiError(response.status, error);
+    if (options.output === "json") {
+      ctx.spinner.stop();
+      outputJson(data);
+      return;
+    }
+    ctx.spinner.succeed(`Database "${data.name}" created successfully`);
+    console.log(chalk3.dim(`  Provisioning status: ${data.status}`));
+    console.log(chalk3.dim(`  Next: sealos database get ${data.name}`));
+  }));
+  dbCmd.command("get <name>").alias("describe").description("Get database details").option("-o, --output <format>", "Output format (json|table)", "table").action(withAuth({ spinnerText: "Loading database..." }, async (ctx, name, options) => {
+    const client = createDatabaseClient();
+    const { data, error, response } = await client.GET("/databases/{databaseName}", {
+      headers: ctx.auth,
+      params: {
+        path: { databaseName: name }
+      }
+    });
+    if (error) throw mapApiError(response.status, error);
+    ctx.spinner.stop();
+    if (options.output === "json") {
+      outputJson(data);
+      return;
+    }
+    printDatabaseDetail(data);
+  }));
+  dbCmd.command("connection <name>").description("Show database connection details").option("-o, --output <format>", "Output format (json|table)", "table").action(withAuth({ spinnerText: "Loading connection details..." }, async (ctx, name, options) => {
+    const client = createDatabaseClient();
+    const { data, error, response } = await client.GET("/databases/{databaseName}", {
+      headers: ctx.auth,
+      params: {
+        path: { databaseName: name }
+      }
+    });
+    if (error) throw mapApiError(response.status, error);
+    ctx.spinner.stop();
+    if (options.output === "json") {
+      outputJson(data.connection ?? null);
+      return;
+    }
+    printConnectionDetail(data.connection);
+  }));
+  dbCmd.command("update <name>").description("Update database resources").option("--cpu <cpu>", "CPU cores per replica").option("--memory <memory>", "Memory in GB per replica").option("--storage <storage>", "Storage in GB per replica").option("--replicas <replicas>", "Replica count").action(withAuth({
+    spinnerText: "Updating database..."
+  }, async (ctx, name, options) => {
+    const quota = buildQuota(options);
+    if (Object.keys(quota).length === 0) {
+      throw new Error("Provide at least one of --cpu, --memory, --storage, or --replicas.");
+    }
+    const client = createDatabaseClient();
+    const { error, response } = await client.PATCH("/databases/{databaseName}", {
+      headers: ctx.auth,
+      params: {
+        path: { databaseName: name }
+      },
+      body: { quota }
+    });
+    if (error) throw mapApiError(response.status, error);
+    ctx.spinner.succeed(`Database "${name}" update requested`);
+  }));
+  dbCmd.command("start <name>").description("Start a database").action(withAuth({ spinnerText: "Starting database..." }, async (ctx, name) => {
+    const client = createDatabaseClient();
+    const { error, response } = await client.POST("/databases/{databaseName}/start", {
+      headers: ctx.auth,
+      params: {
+        path: { databaseName: name }
+      }
+    });
+    if (error) throw mapApiError(response.status, error);
+    ctx.spinner.succeed(`Database "${name}" start requested`);
+  }));
+  dbCmd.command("pause <name>").alias("stop").description("Pause a database").action(withAuth({ spinnerText: "Pausing database..." }, async (ctx, name) => {
+    const client = createDatabaseClient();
+    const { error, response } = await client.POST("/databases/{databaseName}/pause", {
+      headers: ctx.auth,
+      params: {
+        path: { databaseName: name }
+      }
+    });
+    if (error) throw mapApiError(response.status, error);
+    ctx.spinner.succeed(`Database "${name}" pause requested`);
+  }));
+  dbCmd.command("restart <name>").description("Restart a database").action(withAuth({ spinnerText: "Restarting database..." }, async (ctx, name) => {
+    const client = createDatabaseClient();
+    const { error, response } = await client.POST("/databases/{databaseName}/restart", {
+      headers: ctx.auth,
+      params: {
+        path: { databaseName: name }
+      }
+    });
+    if (error) throw mapApiError(response.status, error);
+    ctx.spinner.succeed(`Database "${name}" restart requested`);
+  }));
+  dbCmd.command("delete <name>").description("Delete a database").option("-f, --force", "Delete without confirmation").action(withAuth({ spinnerText: "Deleting database..." }, async (ctx, name) => {
+    const client = createDatabaseClient();
+    const { error, response } = await client.DELETE("/databases/{databaseName}", {
+      headers: ctx.auth,
+      params: {
+        path: { databaseName: name }
+      }
+    });
+    if (error) throw mapApiError(response.status, error);
+    ctx.spinner.succeed(`Database "${name}" delete requested`);
+  }));
+  dbCmd.command("backups <name>").description("List backups for a database").option("-o, --output <format>", "Output format (json|table)", "table").action(withAuth({ spinnerText: "Loading backups..." }, async (ctx, name, options) => {
+    const client = createDatabaseClient();
+    const { data, error, response } = await client.GET("/databases/{databaseName}/backups", {
+      headers: ctx.auth,
+      params: {
+        path: { databaseName: name }
+      }
+    });
+    if (error) throw mapApiError(response.status, error);
+    ctx.spinner.stop();
+    if (options.output === "json") {
+      outputJson(data);
+      return;
+    }
+    if (data.length === 0) {
+      console.log("No backups found.");
+      return;
+    }
+    const rows = [[
+      chalk3.bold("Name"),
+      chalk3.bold("Status"),
+      chalk3.bold("Created"),
+      chalk3.bold("Description")
+    ]];
+    for (const backup of data) {
+      rows.push([
+        formatValue(backup.name),
+        formatValue(backup.status),
+        formatValue(backup.createdAt),
+        formatValue(backup.description)
+      ]);
+    }
+    outputTable(rows);
+  }));
+  dbCmd.command("backup <name>").description("Create a database backup").option("--name <backupName>", "Backup name").option("--description <description>", "Backup description").action(withAuth({
+    spinnerText: "Creating backup..."
+  }, async (ctx, name, options) => {
+    const client = createDatabaseClient();
+    const body = {};
+    if (options.name) body.name = options.name;
+    if (options.description) body.description = options.description;
+    const { error, response } = await client.POST("/databases/{databaseName}/backups", {
+      headers: ctx.auth,
+      params: {
+        path: { databaseName: name }
+      },
+      body
+    });
+    if (error) throw mapApiError(response.status, error);
+    ctx.spinner.succeed(`Backup requested for database "${name}"`);
+  }));
+  dbCmd.command("backup-delete <databaseName> <backupName>").description("Delete a database backup").action(withAuth({
+    spinnerText: "Deleting backup..."
+  }, async (ctx, databaseName, backupName) => {
+    const client = createDatabaseClient();
+    const { error, response } = await client.DELETE("/databases/{databaseName}/backups/{backupName}", {
+      headers: ctx.auth,
+      params: {
+        path: { databaseName, backupName }
+      }
+    });
+    if (error) throw mapApiError(response.status, error);
+    ctx.spinner.succeed(`Backup "${backupName}" deleted`);
+  }));
+  dbCmd.command("restore <databaseName>").description("Restore a database from a backup").requiredOption("--from <backupName>", "Backup name to restore from").option("--name <name>", "Name for the restored database").option("--replicas <replicas>", "Replica count for the restored database").action(withAuth({
+    spinnerText: "Restoring database..."
+  }, async (ctx, databaseName, options) => {
+    const client = createDatabaseClient();
+    const body = {};
+    if (options.name) body.name = options.name;
+    if (options.replicas) body.replicas = parseIntegerValue(options.replicas, "replicas");
+    const { error, response } = await client.POST("/databases/{databaseName}/backups/{backupName}/restore", {
+      headers: ctx.auth,
+      params: {
+        path: { databaseName, backupName: options.from }
+      },
+      body
+    });
+    if (error) throw mapApiError(response.status, error);
+    ctx.spinner.succeed(`Restore requested from backup "${options.from}"`);
+  }));
+  dbCmd.command("enable-public <name>").description("Enable public access for a database").action(withAuth({ spinnerText: "Enabling public access..." }, async (ctx, name) => {
+    const client = createDatabaseClient();
+    const { error, response } = await client.POST("/databases/{databaseName}/enable-public", {
+      headers: ctx.auth,
+      params: {
+        path: { databaseName: name }
+      }
+    });
+    if (error) throw mapApiError(response.status, error);
+    ctx.spinner.succeed(`Public access enabled for "${name}"`);
+  }));
+  dbCmd.command("disable-public <name>").description("Disable public access for a database").action(withAuth({ spinnerText: "Disabling public access..." }, async (ctx, name) => {
+    const client = createDatabaseClient();
+    const { error, response } = await client.POST("/databases/{databaseName}/disable-public", {
+      headers: ctx.auth,
+      params: {
+        path: { databaseName: name }
+      }
+    });
+    if (error) throw mapApiError(response.status, error);
+    ctx.spinner.succeed(`Public access disabled for "${name}"`);
+  }));
+  dbCmd.command("logs <podName>").description("Get parsed database logs for a pod").requiredOption("--db-type <type>", "Database type used by the log service").requiredOption("--log-type <type>", "Log type used by the log service").requiredOption("--log-path <path>", 'Log path to read. Use "log-files" first to discover valid paths').option("--page <page>", "Page number", "1").option("--page-size <pageSize>", "Page size", "200").option("-o, --output <format>", "Output format (plain|json|table)", "plain").action(withAuth({
+    spinnerText: "Loading logs..."
+  }, async (ctx, podName, options) => {
+    const client = createDatabaseClient();
+    const { data, error, response } = await client.GET("/logs", {
+      headers: ctx.auth,
+      params: {
+        query: {
+          podName,
+          dbType: normalizeLogDbType(options.dbType),
+          logType: normalizeLogType(options.logType),
+          logPath: options.logPath,
+          page: parseIntegerValue(options.page, "page"),
+          pageSize: parseIntegerValue(options.pageSize, "page-size")
+        }
+      }
+    });
+    if (error) throw mapApiError(response.status, error);
+    ctx.spinner.stop();
+    if (options.output === "json") {
+      outputJson(data);
+      return;
+    }
+    if (options.output === "table") {
+      const rows = [[chalk3.bold("Timestamp"), chalk3.bold("Level"), chalk3.bold("Content")]];
+      for (const log of data.data.logs) {
+        rows.push([formatValue(log.timestamp), formatValue(log.level), formatValue(log.content)]);
+      }
+      outputTable(rows);
+      return;
+    }
+    for (const log of data.data.logs) {
+      console.log(`${log.timestamp} [${log.level}] ${log.content}`);
+    }
+    console.log(chalk3.dim(`
+page=${data.data.metadata.page} total=${data.data.metadata.total} hasMore=${String(data.data.metadata.hasMore)}`));
+  }));
+  dbCmd.command("log-files <podName>").description("List database log files for a pod").requiredOption("--db-type <type>", "Database type used by the log service").requiredOption("--log-type <type>", "Log type used by the log service").option("-o, --output <format>", "Output format (json|table)", "table").action(withAuth({
+    spinnerText: "Loading log files..."
+  }, async (ctx, podName, options) => {
+    const client = createDatabaseClient();
+    const { data, error, response } = await client.GET("/logs/files", {
+      headers: ctx.auth,
+      params: {
+        query: {
+          podName,
+          dbType: normalizeLogDbType(options.dbType),
+          logType: normalizeLogType(options.logType)
+        }
+      }
+    });
+    if (error) throw mapApiError(response.status, error);
+    ctx.spinner.stop();
+    if (options.output === "json") {
+      outputJson(data);
+      return;
+    }
+    if (data.data.length === 0) {
+      console.log("No log files found.");
+      return;
+    }
+    const rows = [[
+      chalk3.bold("Name"),
+      chalk3.bold("Path"),
+      chalk3.bold("Kind"),
+      chalk3.bold("Size"),
+      chalk3.bold("Updated"),
+      chalk3.bold("Processed")
+    ]];
+    for (const file of data.data) {
+      rows.push([
+        formatValue(file.name),
+        formatValue(file.path),
+        formatValue(file.kind),
+        formatValue(file.size),
+        formatValue(file.updateTime),
+        formatValue(file.processed)
+      ]);
+    }
+    outputTable(rows);
+  }));
+  return dbCmd;
+}
+__name(createDatabaseCommand, "createDatabaseCommand");
+
+// src/commands/template/index.ts
+import { Command as Command9 } from "commander";
+import chalk4 from "chalk";
+import { readFileSync as readFileSync3 } from "fs";
+function parseSetArgs(sets) {
+  const args = {};
+  for (const s of sets) {
+    const idx = s.indexOf("=");
+    if (idx === -1) {
+      throw new Error(`Invalid --set format: "${s}". Expected KEY=VALUE`);
+    }
+    args[s.slice(0, idx)] = s.slice(idx + 1);
+  }
+  return args;
+}
+__name(parseSetArgs, "parseSetArgs");
+function readStdin() {
+  return new Promise((resolve, reject) => {
+    if (process.stdin.isTTY) {
+      reject(new Error("No input provided. Use --file, --yaml, or pipe YAML via stdin."));
+      return;
+    }
+    const chunks = [];
+    process.stdin.on("data", (chunk) => chunks.push(chunk));
+    process.stdin.on("end", () => resolve(Buffer.concat(chunks).toString("utf-8").trim()));
+    process.stdin.on("error", reject);
+  });
+}
+__name(readStdin, "readStdin");
+async function resolveYaml(options, spinner2) {
+  if (options.file) {
+    return readFileSync3(options.file, "utf-8");
+  }
+  if (options.yaml) {
+    return options.yaml;
+  }
+  spinner2.stop();
+  const content = await readStdin();
+  spinner2.start("Deploying template...");
+  return content;
+}
+__name(resolveYaml, "resolveYaml");
+function resolveTemplateDeployMode(template, options, stdinIsTTY = process.stdin.isTTY) {
+  const isRaw = !!(options.file || options.yaml || !stdinIsTTY);
+  if (template && isRaw) {
+    throw new Error("Cannot specify both a template name and --file/--yaml/stdin. Use one or the other.");
+  }
+  if (!template && !isRaw) {
+    throw new Error("Provide a template name or use --file/--yaml/stdin to supply raw YAML.");
+  }
+  if (template) {
+    if (!options.name) {
+      throw new Error("--name is required when deploying from the template catalog.");
+    }
+    if (options.dryRun) {
+      throw new Error("--dry-run is only supported for raw template deploys (--file, --yaml, or stdin).");
+    }
+    return "catalog";
+  }
+  return "raw";
+}
+__name(resolveTemplateDeployMode, "resolveTemplateDeployMode");
+function buildCatalogTemplateDeployBody(template, options) {
+  const body = {
+    name: options.name,
+    template
+  };
+  if (options.set.length > 0) {
+    body.args = parseSetArgs(options.set);
+  }
+  return body;
+}
+__name(buildCatalogTemplateDeployBody, "buildCatalogTemplateDeployBody");
+function buildRawTemplateDeployBody(yaml, options) {
+  const body = {
+    yaml
+  };
+  if (options.set.length > 0) {
+    body.args = parseSetArgs(options.set);
+  }
+  if (options.dryRun) {
+    body.dryRun = true;
+  }
+  return body;
+}
+__name(buildRawTemplateDeployBody, "buildRawTemplateDeployBody");
+function createTemplateCommand() {
+  const tplCmd = new Command9("template").alias("tpl").description("Manage templates");
+  const deployTemplate = withAuth({
+    spinnerText: "Deploying template..."
+  }, async (ctx, catalogTemplate, deployOptions, deployMode) => {
+    const client = createTemplateClient();
+    if (deployMode === "catalog") {
+      const body2 = buildCatalogTemplateDeployBody(catalogTemplate, deployOptions);
+      const { data: data2, error: error2, response: response2 } = await client.POST("/templates/instances", {
+        headers: ctx.auth,
+        body: body2
+      });
+      if (error2) throw mapApiError(response2.status, error2);
+      ctx.spinner.succeed(`Instance "${data2.name}" created successfully from catalog template "${catalogTemplate}"`);
+      console.log(chalk4.dim(`  UID:     ${data2.uid}`));
+      console.log(chalk4.dim(`  Created: ${data2.createdAt}`));
+      if (data2.resources && data2.resources.length > 0) {
+        console.log(chalk4.dim("\n  Resources:"));
+        const rows = [
+          [chalk4.bold("Name"), chalk4.bold("Type"), chalk4.bold("CPU"), chalk4.bold("Memory"), chalk4.bold("Storage")]
+        ];
+        for (const r of data2.resources) {
+          rows.push([
+            r.name,
+            r.resourceType,
+            r.quota?.cpu != null ? `${r.quota.cpu} vCPU` : "-",
+            r.quota?.memory != null ? `${r.quota.memory} GiB` : "-",
+            r.quota?.storage != null ? `${r.quota.storage} GiB` : "-"
+          ]);
+        }
+        outputTable(rows);
+      }
+      return;
+    }
+    const yamlContent = await resolveYaml(deployOptions, ctx.spinner);
+    const body = buildRawTemplateDeployBody(yamlContent, deployOptions);
+    const { data, error, response } = await client.POST("/templates/raw", {
+      headers: ctx.auth,
+      body
+    });
+    if (error) throw mapApiError(response.status, error);
+    if (deployOptions.dryRun) {
+      ctx.spinner.succeed("Raw template validation passed; no resources were created");
+      console.log(chalk4.dim(`  Name: ${data.name}`));
+      if (data.resources && data.resources.length > 0) {
+        console.log(chalk4.dim("\n  Resources that would be created:"));
+        for (const r of data.resources) {
+          console.log(chalk4.dim(`    - ${r.resourceType}: ${r.name}`));
+        }
+      }
+      return;
+    }
+    ctx.spinner.succeed(`Raw template deployed as "${data.name}"`);
+    if ("uid" in data) {
+      console.log(chalk4.dim(`  UID:     ${data.uid}`));
+    }
+    if ("createdAt" in data) {
+      console.log(chalk4.dim(`  Created: ${data.createdAt}`));
+    }
+  });
+  tplCmd.command("list").description("List available templates").option("-c, --category <category>", "Filter by category").option("-o, --output <format>", "Output format (json|table)", "table").action(withErrorHandling({ spinnerText: "Loading templates..." }, async (ctx, options) => {
+    const client = createTemplateClient();
+    const { data, error, response } = await client.GET("/templates", {
+      params: { query: {} }
+    });
+    if (error) throw mapApiError(response.status, error);
+    ctx.spinner.stop();
+    let templates = data;
+    if (options.category) {
+      templates = templates.filter((tpl) => tpl.category.includes(options.category));
+    }
+    if (options.output === "json") {
+      outputJson(templates);
+      return;
+    }
+    const rows = [
+      [chalk4.bold("Name"), chalk4.bold("Description"), chalk4.bold("Category"), chalk4.bold("Deploys")]
+    ];
+    for (const tpl of templates) {
+      rows.push([
+        tpl.name,
+        tpl.description.length > 50 ? tpl.description.slice(0, 47) + "..." : tpl.description,
+        tpl.category.join(", "),
+        String(tpl.deployCount)
+      ]);
+    }
+    outputTable(rows);
+  }));
+  tplCmd.command("get <name>").alias("describe").description("Get template details").option("-o, --output <format>", "Output format (json|table)", "table").action(withErrorHandling({ spinnerText: "Loading template..." }, async (ctx, name, options) => {
+    const client = createTemplateClient();
+    const { data, error, response } = await client.GET("/templates/{name}", {
+      params: {
+        path: { name }
+      }
+    });
+    if (error) throw mapApiError(response.status, error);
+    ctx.spinner.stop();
+    if (options.output === "json") {
+      outputJson(data);
+      return;
+    }
+    console.log(chalk4.bold(`
+  ${data.name}
+`));
+    console.log(`  ${chalk4.dim("Description:")}  ${data.description}`);
+    console.log(`  ${chalk4.dim("Category:")}     ${data.category.join(", ")}`);
+    console.log(`  ${chalk4.dim("Git Repo:")}     ${data.gitRepo}`);
+    console.log(`  ${chalk4.dim("Deploys:")}      ${data.deployCount}`);
+    if (data.quota) {
+      console.log(`
+  ${chalk4.dim("Resources:")}`);
+      console.log(`    CPU:       ${data.quota.cpu} vCPU`);
+      console.log(`    Memory:    ${data.quota.memory} GiB`);
+      console.log(`    Storage:   ${data.quota.storage} GiB`);
+      console.log(`    NodePort:  ${data.quota.nodeport}`);
+    }
+    const argEntries = Object.entries(data.args);
+    if (argEntries.length > 0) {
+      console.log(`
+  ${chalk4.dim("Arguments:")}`);
+      const argRows = [
+        [chalk4.bold("Name"), chalk4.bold("Type"), chalk4.bold("Required"), chalk4.bold("Default"), chalk4.bold("Description")]
+      ];
+      for (const [key, arg] of argEntries) {
+        argRows.push([
+          key,
+          arg.type,
+          arg.required ? chalk4.red("yes") : "no",
+          arg.default || chalk4.dim("-"),
+          arg.description
+        ]);
+      }
+      outputTable(argRows);
+    }
+  }));
+  tplCmd.command("deploy [template]").description("Deploy a template (from catalog or raw YAML)").option("--name <name>", "Instance name (required when deploying from catalog)").option("--file <path>", "Path to template YAML file").option("--yaml <yaml>", "Template YAML string").option("--set <KEY=VALUE...>", "Set template arguments", (val, prev) => [...prev, val], []).option("--dry-run", "Validate raw template YAML without creating resources").addHelpText("after", `
+Examples:
+  Catalog:
+    sealos template deploy perplexica --name my-app --set OPENAI_API_KEY=xxx
+
+  Raw:
+    sealos template deploy --file ./template.yaml --dry-run
+    sealos template deploy --yaml 'apiVersion: app.sealos.io/v1
+kind: Template
+...'
+    cat template.yaml | sealos template deploy --dry-run
+`).action(async (template, options) => {
+    const mode = resolveTemplateDeployMode(template, options);
+    await deployTemplate(template, options, mode);
+  });
+  return tplCmd;
+}
+__name(createTemplateCommand, "createTemplateCommand");
+
+// src/commands/quota/index.ts
+import { Command as Command10 } from "commander";
+function createQuotaCommand() {
+  const quotaCmd = new Command10("quota").description("View resource quotas");
+  quotaCmd.command("get").description("Get quota information").action(async () => {
+    try {
+      console.log("TODO: Implement quota get");
+    } catch (error) {
+      handleError(error);
+    }
+  });
+  return quotaCmd;
+}
+__name(createQuotaCommand, "createQuotaCommand");
+
+// src/commands/app/index.ts
+import { Command as Command11 } from "commander";
+function createAppCommand() {
+  const appCmd = new Command11("app").description("Manage applications");
+  appCmd.command("list").description("List all applications").action(async () => {
+    try {
+      console.log("TODO: Implement app list");
+    } catch (error) {
+      handleError(error);
+    }
+  });
+  return appCmd;
+}
+__name(createAppCommand, "createAppCommand");
+
+// src/commands/config/index.ts
+import { Command as Command12 } from "commander";
+function createConfigCommand() {
+  const configCmd = new Command12("config").description("Manage CLI configuration");
+  configCmd.command("set").description("Set a config value").argument("<key>", "Config key").argument("<value>", "Config value").action(async (key, value) => {
+    try {
+      setConfigValue(key, value);
+      success(`Config ${key} set to ${value}`);
+    } catch (error) {
+      handleError(error);
+    }
+  });
+  configCmd.command("get").description("Get a config value").argument("<key>", "Config key").action(async (key) => {
+    try {
+      const value = getConfigValue(key);
+      if (value) {
+        console.log(value);
+      } else {
+        console.log(`Config key "${key}" not found`);
+      }
+    } catch (error) {
+      handleError(error);
+    }
+  });
+  configCmd.command("list").description("List all config values").action(async () => {
+    try {
+      const config = readConfig();
+      outputJson(config);
+    } catch (error) {
+      handleError(error);
+    }
+  });
+  return configCmd;
+}
+__name(createConfigCommand, "createConfigCommand");
+
+// src/main.ts
+function createProgram() {
+  const program = new Command13();
+  program.name("sealos").description("Official CLI tool for Sealos Cloud - Manage devbox, applications, databases, and object storage").version("0.0.1");
+  registerAuthCommands(program);
+  program.addCommand(createWorkspaceCommand());
+  program.addCommand(createDevboxCommand());
+  program.addCommand(createS3Command());
+  program.addCommand(createDatabaseCommand());
+  program.addCommand(createTemplateCommand());
+  program.addCommand(createQuotaCommand());
+  program.addCommand(createAppCommand());
+  program.addCommand(createConfigCommand());
+  return program;
+}
+__name(createProgram, "createProgram");
+function runCLI() {
+  const program = createProgram();
+  program.exitOverride();
+  try {
+    program.parse(process.argv);
+  } catch (error) {
+    if (error instanceof Error && "code" in error && typeof error.code === "string" && error.code.startsWith("commander.")) {
+      process.exit(0);
+    }
+    handleError(error);
+  }
+}
+__name(runCLI, "runCLI");
+export {
+  createProgram,
+  runCLI
+};