sisyphi 1.1.24 → 1.1.25

package/dist/cli.js

@@ -111,6 +111,9 @@ function deployStatePath(provider) {
 function deployStateBackupPath(provider) {
   return join(deployProviderDir(provider), "terraform.tfstate.bak");
 }
+function deployRuntimePath(provider) {
+  return join(deployProviderDir(provider), "runtime.json");
+}
 function deployCredsPath(provider) {
   return join(deployDir(), `${provider}.env`);
 }
@@ -169,7 +172,7 @@ __export(creds_exports, {
   writeTailscaleEnv: () => writeTailscaleEnv
 });
 import { chmodSync as chmodSync3, existsSync as existsSync24, mkdirSync as mkdirSync12, readFileSync as readFileSync27 } from "fs";
-import { createInterface as createInterface3 } from "readline";
+import { createInterface as createInterface4 } from "readline";
 function ensureDeployDir() {
   const dir = deployDir();
   if (!existsSync24(dir)) mkdirSync12(dir, { recursive: true, mode: 448 });
@@ -207,7 +210,7 @@ function writeEnvFile(path, values) {
   chmodSync3(path, 384);
 }
 async function promptLine(question, hidden) {
-  const rl = createInterface3({ input: process.stdin, output: process.stdout, terminal: true });
+  const rl = createInterface4({ input: process.stdin, output: process.stdout, terminal: true });
   if (hidden) {
     const stdout = process.stdout;
     const originalWrite = stdout.write.bind(stdout);
@@ -293,7 +296,7 @@ var init_creds = __esm({
 
 // src/cli/index.ts
 import { Command } from "commander";
-import { existsSync as existsSync28, mkdirSync as mkdirSync14, readFileSync as readFileSync30 } from "fs";
+import { existsSync as existsSync29, mkdirSync as mkdirSync14, readFileSync as readFileSync31 } from "fs";
 import { dirname as dirname12, join as join26 } from "path";
 import { fileURLToPath as fileURLToPath5 } from "url";
 
@@ -354,6 +357,7 @@ import { execSync } from "child_process";
 import { existsSync, mkdirSync, readFileSync, writeFileSync, chmodSync, unlinkSync } from "fs";
 import { homedir as homedir2 } from "os";
 import { join as join2 } from "path";
+import { createInterface } from "readline";
 
 // src/shared/keymap.ts
 function formatHelpForKeymap(km) {
@@ -1717,7 +1721,22 @@ function getExistingBinding(key, table = "root") {
 function isSisyphusBinding(binding) {
   return binding.includes("sisyphus");
 }
-function setupTmuxKeybind(cycleKey = DEFAULT_CYCLE_KEY, prefixKey = DEFAULT_PREFIX_KEY) {
+async function confirmConfAppend(userConf, line) {
+  if (!process.stdin.isTTY || !process.stdout.isTTY) return false;
+  const rl = createInterface({ input: process.stdin, output: process.stdout });
+  return new Promise((resolve11) => {
+    const question = `
+Sisyphus needs to append one line to ${userConf} so its tmux keybindings persist:
+  ${line}
+
+Append it now? (y/N) `;
+    rl.question(question, (answer) => {
+      rl.close();
+      resolve11(answer.trim().toLowerCase() === "y");
+    });
+  });
+}
+async function setupTmuxKeybind(cycleKey = DEFAULT_CYCLE_KEY, prefixKey = DEFAULT_PREFIX_KEY, opts = {}) {
   installAllScripts();
   if (!tmuxVersionAtLeast(3, 2)) {
     let version = "unknown";
@@ -1757,14 +1776,22 @@ ${bindings.join("\n")}
   const userConf = userTmuxConfPath();
   const markedSourceLine = `source-file ${confPath} ${SISYPHUS_CONF_MARKER}`;
   let persistedToConf = false;
+  let appendDeclined = false;
   if (userConf !== null) {
     const contents = readFileSync(userConf, "utf8");
-    if (!contents.includes(confPath)) {
-      const separator = contents.endsWith("\n") ? "" : "\n";
-      writeFileSync(userConf, `${contents}${separator}${markedSourceLine}
+    if (contents.includes(confPath)) {
+      persistedToConf = true;
+    } else {
+      const shouldAppend = opts.assumeYes ? true : await confirmConfAppend(userConf, markedSourceLine);
+      if (shouldAppend) {
+        const separator = contents.endsWith("\n") ? "" : "\n";
+        writeFileSync(userConf, `${contents}${separator}${markedSourceLine}
 `, "utf8");
+        persistedToConf = true;
+      } else {
+        appendDeclined = true;
+      }
     }
-    persistedToConf = true;
   }
   try {
     for (const b of bindings) {
@@ -1772,6 +1799,16 @@ ${bindings.join("\n")}
     }
   } catch {
   }
+  if (appendDeclined && userConf !== null) {
+    return {
+      status: "conf-modification-declined",
+      message: `Tmux keybindings applied to the live session, but not persisted.
+To persist them, add this line to ${userConf}:
+  ${markedSourceLine}`,
+      manualLine: markedSourceLine,
+      userConf
+    };
+  }
   if (getExistingBinding(cycleKey) !== null && isSisyphusBinding(getExistingBinding(cycleKey))) {
     return {
       status: "already-installed",
@@ -2061,7 +2098,7 @@ async function ensureDaemonInstalled() {
     const plist = generatePlist(nodePath, daemonPath, logPath);
     writeFileSync2(plistPath(), plist, "utf8");
     execSync3(`launchctl load -w ${plistPath()}`);
-    const keybindResult = setupTmuxKeybind();
+    const keybindResult = await setupTmuxKeybind();
     await ensureRequiredPlugins(process.cwd());
     printGettingStarted(keybindResult, sisyphusPlugin);
   }
@@ -2102,6 +2139,8 @@ function printGettingStarted(keybindResult, sisyphusPlugin) {
     lines.push(`Tmux keybind: ${keybindResult.message}`, "");
   } else if (keybindResult.status === "conflict") {
     lines.push(`Keybind: ${keybindResult.message}`, "");
+  } else if (keybindResult.status === "conf-modification-declined") {
+    lines.push(keybindResult.message, "");
   }
   if (sisyphusPlugin.installed && sisyphusPlugin.autoInstalled) {
     lines.push(`Sisyphus plugin installed: sisyphus@sisyphus \u2192 ${sisyphusPlugin.installPath}`, "");
@@ -3073,17 +3112,21 @@ function inlineBodyPath(deckPath, bodyPath) {
   const deckDir = dirname2(deckPath);
   const joined = resolve2(deckDir, bodyPath);
   if (!existsSync5(joined)) {
-    throw new Error(`bodyPath does not exist: ${bodyPath}`);
+    throw new Error(
+      `bodyPath does not exist: '${bodyPath}' (resolved against deck dir '${deckDir}'). bodyPath is interpreted relative to the deck JSON's directory; place the body file there and use a relative path (e.g. "completion-summary.md").`
+    );
   }
   const stat = lstatSync(joined);
   if (!stat.isFile()) {
-    throw new Error(`bodyPath must be a regular file: ${bodyPath}`);
+    throw new Error(`bodyPath must be a regular file (not a symlink, directory, or special file): ${bodyPath}`);
   }
   const realResolved = realpathSync(joined);
   const realDeckDir = realpathSync(deckDir);
   const prefix = realDeckDir + sep;
   if (realResolved !== realDeckDir && !realResolved.startsWith(prefix)) {
-    throw new Error(`bodyPath escapes deck directory (outside): ${bodyPath}`);
+    throw new Error(
+      `bodyPath '${bodyPath}' escapes the deck's directory ('${realDeckDir}'). bodyPath is resolved relative to the deck JSON file and must stay inside its directory (no '..', absolute paths pointing elsewhere, or symlinks out). Fix: write the deck JSON next to the body file (e.g. both inside $SISYPHUS_SESSION_DIR/context/) and use a relative path like "completion-summary.md".`
+    );
   }
   return readFileSync8(joined, "utf-8");
 }
@@ -3469,7 +3512,42 @@ The CLI always blocks until the user answers (which can take 10+ minutes).
 
 For guidance on when to use a deck, how to design options the user can actually choose between, and how to bundle related questions into one deck, read the \`humanloop\` skill before authoring.
 
-Deck JSON: an object with \`interactions: [{ id, title, options, kind?, allowFreetext?, body? | bodyPath?, ... }]\`. Validation errors at submit are precise \u2014 trust them.
+DECK JSON SCHEMA
+  { "title"?: string, "interactions": Interaction[] }    // interactions[] non-empty
+
+  Interaction:
+    id              string, /^[A-Za-z0-9_-]+$/, max 64 chars, unique within deck
+    title           string (required, non-empty)
+    subtitle?       string
+    body?           string                    // markdown rendered in dashboard
+    bodyPath?       string                    // path RELATIVE to the deck JSON's directory
+                                              // and must resolve INSIDE that directory
+                                              // (no '..', no symlinks out, no absolute
+                                              // paths pointing elsewhere). Mutually
+                                              // exclusive with 'body'. To use bodyPath,
+                                              // write the deck JSON next to the markdown
+                                              // file (e.g. both in
+                                              // $SISYPHUS_SESSION_DIR/context/) and pass
+                                              // a basename like "summary.md".
+    kind?           "notify" | "validation" | "decision" | "context" | "error"
+                                              // display hint for inbox icon/sort weight.
+                                              // No other values accepted.
+    options         Option[]                  // 2\u20134 options recommended (see humanloop)
+    allowFreetext?  boolean
+    freetextLabel?  string
+
+  Option:
+    id              string (required)
+    label           string (required)
+    description?    string
+    shortcut?       string
+
+OUTPUT
+  On answer, stdout is one line of JSON:
+    { "responses": [{ "id", "selectedOptionId"?, "freetext"? }, ...], "completedAt" }
+  Branch on each response by its interaction \`id\`.
+
+Validation errors at submit are precise \u2014 read them, don't guess.
 `).action(async (file, opts) => {
     if (!file) {
       ask.help();
@@ -4823,7 +4901,7 @@ function printResults(result, daemonOk, keybindMsg) {
   console.log("");
 }
 function registerSetup(program2) {
-  program2.command("setup").description("One-time setup: install dependencies, daemon, keybindings, and commands").action(async () => {
+  program2.command("setup").description("One-time setup: install dependencies, daemon, keybindings, and commands").option("-y, --yes", "Skip confirmation prompts (e.g. before modifying ~/.tmux.conf)").action(async (opts) => {
     const result = runOnboarding();
     let daemonOk = false;
     try {
@@ -4832,7 +4910,11 @@ function registerSetup(program2) {
     } catch {
       daemonOk = isInstalled();
     }
-    const keybindResult = setupTmuxKeybind();
+    const keybindResult = await setupTmuxKeybind(
+      DEFAULT_CYCLE_KEY,
+      DEFAULT_PREFIX_KEY,
+      { assumeYes: opts.yes }
+    );
     let keybindMsg;
     if (keybindResult.status === "installed" || keybindResult.status === "already-installed") {
       keybindMsg = `${DEFAULT_CYCLE_KEY} cycle, ${DEFAULT_PREFIX_KEY} prefix (h=dashboard, x=kill)`;
@@ -4845,9 +4927,9 @@ function registerSetup(program2) {
 
 // src/cli/commands/setup-keybind.ts
 function registerSetupKeybind(program2) {
-  program2.command("setup-keybind [cycle-key]").description("Install sisyphus tmux keybindings (default: M-s cycle, C-s prefix)").action(async (key) => {
+  program2.command("setup-keybind [cycle-key]").description("Install sisyphus tmux keybindings (default: M-s cycle, C-s prefix)").option("-y, --yes", "Skip confirmation prompt before modifying ~/.tmux.conf").action(async (key, opts) => {
     const resolvedKey = key ?? DEFAULT_CYCLE_KEY;
-    const result = setupTmuxKeybind(resolvedKey);
+    const result = await setupTmuxKeybind(resolvedKey, void 0, { assumeYes: opts.yes });
     switch (result.status) {
       case "installed":
         console.log(result.message);
@@ -4868,6 +4950,11 @@ function registerSetupKeybind(program2) {
       case "unsupported-tmux":
         console.log(result.message);
         break;
+      case "conf-modification-declined":
+        console.log(result.message);
+        console.log("");
+        console.log("Re-run with --yes to skip the prompt.");
+        break;
     }
   });
 }
@@ -5208,9 +5295,9 @@ function registerInit(program2) {
 }
 
 // src/cli/commands/uninstall.ts
-import { createInterface } from "readline";
+import { createInterface as createInterface2 } from "readline";
 async function confirm(question) {
-  const rl = createInterface({ input: process.stdin, output: process.stdout });
+  const rl = createInterface2({ input: process.stdin, output: process.stdout });
   return new Promise((resolve11) => {
     rl.question(question, (answer) => {
       rl.close();
@@ -5235,12 +5322,12 @@ function registerUninstall(program2) {
 // src/cli/commands/configure-upload.ts
 init_paths();
 import { chmodSync as chmodSync2, existsSync as existsSync17, mkdirSync as mkdirSync8, readFileSync as readFileSync19, writeFileSync as writeFileSync10 } from "fs";
-import { createInterface as createInterface2 } from "readline";
+import { createInterface as createInterface3 } from "readline";
 import { dirname as dirname6 } from "path";
 async function readUrlFromInput(interactive) {
   if (interactive) {
     return new Promise((resolve11) => {
-      const rl = createInterface2({ input: process.stdin, output: process.stdout });
+      const rl = createInterface3({ input: process.stdin, output: process.stdout });
       rl.question("Paste the upload URL (with embedded ?token=): ", (answer) => {
         rl.close();
         resolve11(answer.trim());
@@ -9366,7 +9453,7 @@ import { join as join25 } from "path";
 // src/cli/deploy/runner.ts
 init_paths();
 import { spawn as spawn2, spawnSync as spawnSync3 } from "child_process";
-import { copyFileSync as copyFileSync2, existsSync as existsSync26, mkdirSync as mkdirSync13, readFileSync as readFileSync28 } from "fs";
+import { copyFileSync as copyFileSync2, existsSync as existsSync27, mkdirSync as mkdirSync13, readFileSync as readFileSync29 } from "fs";
 init_creds();
 
 // src/cli/deploy/pricing.ts
@@ -9399,16 +9486,82 @@ function formatCostLine(provider, instanceType) {
   return `Estimated cost: ~$${cost.toFixed(2)}/mo (pricing last verified ${LAST_VERIFIED}; verify against your bill for current rates).`;
 }
 
+// src/cli/deploy/runtime.ts
+init_atomic();
+init_paths();
+import { existsSync as existsSync25, readFileSync as readFileSync28, unlinkSync as unlinkSync4 } from "fs";
+function readRuntimeState(provider) {
+  const path = deployRuntimePath(provider);
+  if (!existsSync25(path)) return null;
+  try {
+    return JSON.parse(readFileSync28(path, "utf-8"));
+  } catch {
+    return null;
+  }
+}
+function writeRuntimeState(provider, state) {
+  atomicWrite(deployRuntimePath(provider), JSON.stringify(state, null, 2) + "\n");
+}
+function clearRuntimeState(provider) {
+  const path = deployRuntimePath(provider);
+  if (existsSync25(path)) unlinkSync4(path);
+}
+
+// src/cli/deploy/tailnet.ts
+function discoverNode(requestedName) {
+  const json = execSafe("tailscale status --json");
+  if (!json) return null;
+  let status;
+  try {
+    status = JSON.parse(json);
+  } catch {
+    return null;
+  }
+  const peers = status.Peer === void 0 ? [] : Object.values(status.Peer);
+  const candidates = peers.filter(
+    (p) => p.HostName === requestedName && p.Online === true
+  );
+  if (candidates.length === 0) return null;
+  candidates.sort((a, b) => {
+    const ac = a.Created === void 0 ? "" : a.Created;
+    const bc = b.Created === void 0 ? "" : b.Created;
+    return bc.localeCompare(ac);
+  });
+  const peer = candidates[0];
+  const dnsRaw = peer.DNSName === void 0 ? "" : peer.DNSName;
+  const dns = dnsRaw.replace(/\.$/, "");
+  if (!dns) return null;
+  const shortName = dns.split(".")[0];
+  const ips = peer.TailscaleIPs === void 0 ? [] : peer.TailscaleIPs;
+  const ipv4 = ips.find((ip) => /^\d+\.\d+\.\d+\.\d+$/.test(ip));
+  if (!ipv4) return null;
+  const ipv6 = ips.find((ip) => ip.includes(":")) ?? null;
+  return { shortName, magicDnsName: dns, ipv4, ipv6 };
+}
+async function discoverNodeWithRetry(requestedName, maxRetries = 30, intervalMs = 2e3) {
+  for (let i = 0; i < maxRetries; i++) {
+    const node = discoverNode(requestedName);
+    if (node) return node;
+    if (i < maxRetries - 1) {
+      await new Promise((resolve11) => setTimeout(resolve11, intervalMs));
+    }
+  }
+  return null;
+}
+function isTailscaleAvailable() {
+  return execSafe("tailscale version") !== null;
+}
+
 // src/cli/deploy/templates.ts
-import { existsSync as existsSync25 } from "fs";
+import { existsSync as existsSync26 } from "fs";
 import { dirname as dirname11, resolve as resolve10 } from "path";
 import { fileURLToPath as fileURLToPath4 } from "url";
 function deployRoot() {
   const here = dirname11(fileURLToPath4(import.meta.url));
   const bundled = resolve10(here, "..", "deploy");
-  if (existsSync25(bundled)) return bundled;
+  if (existsSync26(bundled)) return bundled;
   const sourceRoot = resolve10(here, "..", "..", "..", "deploy");
-  if (existsSync25(sourceRoot)) return sourceRoot;
+  if (existsSync26(sourceRoot)) return sourceRoot;
   throw new Error(
     `Could not locate deploy/ templates. Looked at:
   ${bundled}
@@ -9445,9 +9598,10 @@ async function firstRunPrompt() {
   console.log("");
   console.log("Tailscale credentials not configured. Pick one:");
   console.log("");
-  console.log("  1) OAuth client (recommended) \u2014 mints fresh ephemeral keys per box.");
+  console.log("  1) OAuth client (recommended) \u2014 mints fresh ephemeral keys per box");
+  console.log("     and auto-cleans stale offline nodes so hostnames don't get suffixed.");
   console.log("     Create at https://login.tailscale.com/admin/settings/oauth");
-  console.log("     with scope `auth_keys:write` and tag `tag:sisyphus`.");
+  console.log("     with scopes `auth_keys:write` + `devices:write` and tag `tag:sisyphus`.");
   console.log("  2) Reusable auth key (simpler) \u2014 paste from");
   console.log("     https://login.tailscale.com/admin/settings/keys");
   console.log("");
@@ -9469,6 +9623,14 @@ async function firstRunPrompt() {
 }
 async function mintViaOAuth(clientId, clientSecret, tag, hostname) {
   const token = await fetchAccessToken(clientId, clientSecret);
+  try {
+    const removed = await deleteStaleDevicesForHostname(token, hostname);
+    if (removed > 0) {
+      console.log(`Tailscale: removed ${removed} stale offline node(s) named "${hostname}".`);
+    }
+  } catch (err) {
+    console.log(`Tailscale: skipped stale-node cleanup (${err.message}). Add 'devices:write' scope to clean up automatically.`);
+  }
   const body = {
     capabilities: {
       devices: {
@@ -9499,6 +9661,32 @@ async function mintViaOAuth(clientId, clientSecret, tag, hostname) {
   if (!data.key) throw new Error("Tailscale API returned no key.");
   return data.key;
 }
+async function deleteStaleDevicesForHostname(token, hostname) {
+  const res = await fetch(`${TS_API}/tailnet/-/devices`, {
+    headers: { Authorization: `Bearer ${token}` }
+  });
+  if (!res.ok) {
+    throw new Error(`HTTP ${res.status} listing devices`);
+  }
+  const data = await res.json();
+  const STALE_AFTER_MS = 5 * 60 * 1e3;
+  const now = Date.now();
+  const stale = data.devices.filter((d) => {
+    if (d.hostname !== hostname) return false;
+    const seen = Date.parse(d.lastSeen);
+    if (Number.isNaN(seen)) return false;
+    return now - seen > STALE_AFTER_MS;
+  });
+  let removed = 0;
+  for (const device of stale) {
+    const r = await fetch(`${TS_API}/device/${device.id}`, {
+      method: "DELETE",
+      headers: { Authorization: `Bearer ${token}` }
+    });
+    if (r.ok) removed++;
+  }
+  return removed;
+}
 async function fetchAccessToken(clientId, clientSecret) {
   const credentials = Buffer.from(`${clientId}:${clientSecret}`).toString("base64");
   const res = await fetch(`${TS_API}/oauth/token`, {
@@ -9557,14 +9745,14 @@ function ensureTerraformInstalled() {
 function ensureProviderStateDir(provider) {
   ensureDeployDir();
   const dir = deployProviderDir(provider);
-  if (!existsSync26(dir)) mkdirSync13(dir, { recursive: true, mode: 448 });
+  if (!existsSync27(dir)) mkdirSync13(dir, { recursive: true, mode: 448 });
 }
 function backupState(provider) {
   const src = deployStatePath(provider);
-  if (existsSync26(src)) copyFileSync2(src, deployStateBackupPath(provider));
+  if (existsSync27(src)) copyFileSync2(src, deployStateBackupPath(provider));
 }
 function readSshPubkey(path) {
-  if (!existsSync26(path)) {
+  if (!existsSync27(path)) {
     const privateKeyPath = path.replace(/\.pub$/, "");
     throw new Error(
       `SSH pubkey not found at ${path}. Generate one with:
@@ -9572,7 +9760,7 @@ function readSshPubkey(path) {
 or pass --ssh-key <path>.`
     );
   }
-  return readFileSync28(path, "utf-8").trim();
+  return readFileSync29(path, "utf-8").trim();
 }
 function readOutputs(provider) {
   const result = spawnSync3("terraform", ["output", "-json", `-state=${deployStatePath(provider)}`], {
@@ -9599,10 +9787,13 @@ function readOutputs(provider) {
   }
 }
 function isProvisioned(provider) {
-  if (!existsSync26(deployStatePath(provider))) return false;
+  if (!existsSync27(deployStatePath(provider))) return false;
   return readOutputs(provider) !== null;
 }
 async function deployUp(provider, opts) {
+  if (isProvisioned(provider) && !await confirmReprovision(provider, opts.yes)) {
+    return;
+  }
   const sshPubkey = readSshPubkey(opts.sshKey);
   const creds = await loadProviderCreds(provider);
   const tsAuthKey = await mintTailscaleKey({ hostname: opts.name });
@@ -9650,16 +9841,39 @@ Applied \u2014 but could not parse outputs. Run \`sisyphus deploy ${provider} st
   console.log("");
   console.log("Box provisioned. Cloud-init will run for ~3\u20135 minutes before the daemon is reachable.");
   console.log("");
-  console.log(`  IP:                  ${outputs.ipv4}`);
-  console.log(`  Tailscale hostname:  ${outputs.tailscale_hostname}`);
-  console.log(`  SSH:                 ${outputs.ssh_command}`);
+  console.log(`  Public IP:           ${outputs.ipv4}`);
+  console.log(`  Requested hostname:  ${outputs.tailscale_hostname}`);
+  if (isTailscaleAvailable()) {
+    process.stdout.write("  Waiting for tailnet join...");
+    const node = await discoverNodeWithRetry(opts.name);
+    if (node) {
+      writeRuntimeState(provider, {
+        tailscaleHostname: node.shortName,
+        tailscaleFqdn: node.magicDnsName,
+        tailscaleIpv4: node.ipv4,
+        discoveredAt: (/* @__PURE__ */ new Date()).toISOString()
+      });
+      process.stdout.write(` joined as ${node.shortName} (${node.ipv4})
+`);
+      if (node.shortName !== opts.name) {
+        console.log(`  Note: Tailscale suffixed the hostname because "${opts.name}" was already`);
+        console.log("        claimed by an offline node. Delete the stale node at");
+        console.log("        https://login.tailscale.com/admin/machines to reuse the original name.");
+      }
+    } else {
+      process.stdout.write(" no peer matched after 60s\n");
+      console.log("  (Cloud-init may still be installing Tailscale. Re-run `status` later.)");
+    }
+  } else {
+    console.log("  (Local `tailscale` CLI not on PATH \u2014 skipping tailnet discovery.)");
+  }
   console.log("");
   console.log(`  Tail provisioning:   sisyphus deploy ${provider} logs`);
   console.log(`  Verify daemon:       sisyphus deploy ${provider} ssh -- sisyphus admin doctor`);
   console.log("");
 }
 async function deployDown(provider, opts) {
-  if (!existsSync26(deployStatePath(provider))) {
+  if (!existsSync27(deployStatePath(provider))) {
     console.log(`No ${provider} state found at ${deployStatePath(provider)}. Nothing to destroy.`);
     return;
   }
@@ -9690,6 +9904,7 @@ async function deployDown(provider, opts) {
     creds
   );
   if (code !== 0) throw new Error(`terraform destroy failed (exit ${code})`);
+  clearRuntimeState(provider);
   console.log(`
 ${provider} box destroyed.`);
 }
@@ -9703,10 +9918,21 @@ function deployStatus(provider) {
     console.log(`${provider}: state present but outputs unreadable. Try \`sisyphus deploy ${provider} up\` to reconcile.`);
     return;
   }
+  const runtime = readRuntimeState(provider);
+  const effectiveHost = runtime ? runtime.tailscaleHostname : outputs.tailscale_hostname;
   console.log(`${provider}: provisioned`);
-  console.log(`  IP:                  ${outputs.ipv4}`);
-  console.log(`  Tailscale hostname:  ${outputs.tailscale_hostname}`);
-  console.log(`  SSH:                 ${outputs.ssh_command}`);
+  console.log(`  Public IP:           ${outputs.ipv4}`);
+  console.log(`  Tailscale hostname:  ${effectiveHost}`);
+  if (runtime) {
+    console.log(`  Tailscale IPv4:      ${runtime.tailscaleIpv4}`);
+    console.log(`  MagicDNS FQDN:       ${runtime.tailscaleFqdn}`);
+    if (runtime.tailscaleHostname !== outputs.tailscale_hostname) {
+      console.log(`  (Requested "${outputs.tailscale_hostname}" but Tailscale assigned "${runtime.tailscaleHostname}".)`);
+    }
+  } else {
+    console.log("  (No tailnet runtime state \u2014 re-run `up` or check that local tailscale is logged in.)");
+  }
+  console.log(`  SSH:                 ssh sisyphus@${effectiveHost}`);
   console.log(`  Instance type:       ${outputs.instance_type}`);
   console.log(`  ${formatCostLine(provider, outputs.instance_type)}`);
 }
@@ -9717,16 +9943,17 @@ function deployListProviders() {
     console.log(`  ${p.padEnd(10)} ${status}`);
   }
 }
-function requireOutputs(provider) {
-  const o = readOutputs(provider);
-  if (!o) {
+function effectiveSshTarget(provider) {
+  const runtime = readRuntimeState(provider);
+  if (runtime) return `sisyphus@${runtime.tailscaleHostname}`;
+  const outputs = readOutputs(provider);
+  if (!outputs) {
     throw new Error(`${provider} not provisioned. Run \`sisyphus deploy ${provider} up\`.`);
   }
-  return o;
+  return `sisyphus@${outputs.tailscale_hostname}`;
 }
 function deploySsh(provider, remoteCmd) {
-  const outputs = requireOutputs(provider);
-  const target = `sisyphus@${outputs.tailscale_hostname}`;
+  const target = effectiveSshTarget(provider);
   const moshAvailable = spawnSync3("mosh", ["--version"], { stdio: "pipe", env: EXEC_ENV }).status === 0;
   const bin = moshAvailable && remoteCmd.length === 0 ? "mosh" : "ssh";
   const args2 = remoteCmd.length > 0 ? [target, ...remoteCmd] : [target];
@@ -9734,15 +9961,13 @@ function deploySsh(provider, remoteCmd) {
   child.on("exit", (code) => process.exit(code === null ? 1 : code));
 }
 function deployLogs(provider) {
-  const outputs = requireOutputs(provider);
-  const target = `sisyphus@${outputs.tailscale_hostname}`;
+  const target = effectiveSshTarget(provider);
   const remoteCmd = "tail -F -n 200 /var/log/cloud-init-output.log ~/.sisyphus/daemon.log 2>/dev/null";
   const child = spawn2("ssh", [target, remoteCmd], { stdio: "inherit", env: EXEC_ENV });
   child.on("exit", (code) => process.exit(code === null ? 1 : code));
 }
 function deployUpdate(provider) {
-  const outputs = requireOutputs(provider);
-  const target = `sisyphus@${outputs.tailscale_hostname}`;
+  const target = effectiveSshTarget(provider);
   const remoteCmd = "sudo npm i -g sisyphi@latest && systemctl --user restart sisyphusd && sisyphusd --version || true";
   const child = spawn2("ssh", [target, remoteCmd], { stdio: "inherit", env: EXEC_ENV });
   child.on("exit", (code) => process.exit(code === null ? 1 : code));
@@ -9752,6 +9977,30 @@ async function confirm2(prompt) {
   const answer = await promptLine2(`${prompt} `, false);
   return answer.toLowerCase() === "yes";
 }
+async function confirmReprovision(provider, yes) {
+  const outputs = readOutputs(provider);
+  console.log("");
+  if (outputs) {
+    console.log(`${provider} is already provisioned: "${outputs.tailscale_hostname}" (${outputs.instance_type}, ${outputs.ipv4}).`);
+  } else {
+    console.log(`${provider} state already exists at ${deployStatePath(provider)}.`);
+  }
+  if (provider === "hetzner") {
+    console.log("Re-running `up` on Hetzner will DESTROY and RECREATE the box (user_data is ForceNew).");
+    console.log("All on-box state \u2014 daemon history, sessions, anything not in your repo \u2014 will be lost.");
+  } else {
+    console.log("Re-running `up` on AWS updates user_data in state but does NOT recreate the instance.");
+    console.log("Cloud-init won't re-run on the live box, and the freshly-minted Tailscale key will be wasted.");
+  }
+  console.log("");
+  console.log(`To push a new sisyphus version:  sisyphus deploy ${provider} update`);
+  console.log(`To rebuild from scratch:         sisyphus deploy ${provider} down && sisyphus deploy ${provider} up`);
+  console.log("");
+  if (yes) return true;
+  const confirmed = await confirm2('Type "yes" to proceed anyway:');
+  if (!confirmed) console.log("Aborted.");
+  return confirmed;
+}
 
 // src/cli/commands/deploy.ts
 var PROVIDERS = ["hetzner", "aws"];
@@ -9771,7 +10020,8 @@ function resolveUpOptions(provider, raw) {
   const size = raw.size === void 0 ? null : raw.size;
   const withChromium = raw.chromium !== false;
   const enableAutoUpdate = raw.autoUpdate !== false;
-  return { region, arch, size, sshKey: raw.sshKey, name: raw.name, withChromium, enableAutoUpdate };
+  const yes = raw.yes === true;
+  return { region, arch, size, sshKey: raw.sshKey, name: raw.name, withChromium, enableAutoUpdate, yes };
 }
 function registerDeploy(program2) {
   const deploy = program2.command("deploy").description("Provision a Tailscale-only sisyphus box on Hetzner or AWS via Terraform.");
@@ -9788,7 +10038,7 @@ function registerDeploy(program2) {
   });
   for (const provider of PROVIDERS) {
     const sub = deploy.command(provider).description(`${provider} commands.`);
-    sub.command("up").description(`Provision the ${provider} box (terraform init \u2192 plan \u2192 apply).`).option("--region <region>", `Provider region (defaults: hetzner=nbg1, aws=us-east-1).`).option("--arch <arch>", "'arm' (default) or 'x86'. Picks the default --size and image.", "arm").option("--size <size>", "Instance type override (defaults follow --arch).").option("--ssh-key <path>", "Path to SSH public key.", join25(homedir11(), ".ssh", "id_ed25519.pub")).option("--no-chromium", "Skip headless Chromium install.").option("--no-auto-update", "Skip the daily auto-update systemd timer.").option("--name <name>", "Box hostname / Tailscale node name.", "sisyphus").action(async (raw) => {
+    sub.command("up").description(`Provision the ${provider} box (terraform init \u2192 plan \u2192 apply).`).option("--region <region>", `Provider region (defaults: hetzner=nbg1, aws=us-east-1).`).option("--arch <arch>", "'arm' (default) or 'x86'. Picks the default --size and image.", "arm").option("--size <size>", "Instance type override (defaults follow --arch).").option("--ssh-key <path>", "Path to SSH public key.", join25(homedir11(), ".ssh", "id_ed25519.pub")).option("--no-chromium", "Skip headless Chromium install.").option("--no-auto-update", "Skip the daily auto-update systemd timer.").option("--name <name>", "Box hostname / Tailscale node name.", "sisyphus").option("-y, --yes", "Skip the re-provision confirmation prompt when state already exists.").action(async (raw) => {
       const opts = resolveUpOptions(provider, raw);
       await deployUp(provider, opts);
     });
@@ -9840,7 +10090,7 @@ function attachTmuxStatus(diagnostic2) {
 // src/cli/commands/tmux-sessions.ts
 init_paths();
 import { execSync as execSync15 } from "child_process";
-import { readFileSync as readFileSync29, existsSync as existsSync27 } from "fs";
+import { readFileSync as readFileSync30, existsSync as existsSync28 } from "fs";
 var DOT_MAP = {
   "orchestrator:processing": { icon: "\u25CF", color: "#d4ad6a" },
   "orchestrator:idle": { icon: "\u25CF", color: "#d47766" },
@@ -9851,9 +10101,9 @@ var DOT_MAP = {
 };
 function readManifest() {
   const p = sessionsManifestPath();
-  if (!existsSync27(p)) return null;
+  if (!existsSync28(p)) return null;
   try {
-    return JSON.parse(readFileSync29(p, "utf-8"));
+    return JSON.parse(readFileSync30(p, "utf-8"));
   } catch {
     return null;
   }
@@ -9899,7 +10149,7 @@ if (nodeVersion < 22) {
 var program = new Command();
 program.name("sisyphus").description("tmux-integrated orchestration daemon for Claude Code").version(
   JSON.parse(
-    readFileSync30(join26(dirname12(fileURLToPath5(import.meta.url)), "..", "package.json"), "utf-8")
+    readFileSync31(join26(dirname12(fileURLToPath5(import.meta.url)), "..", "package.json"), "utf-8")
   ).version
 );
 program.configureHelp({
@@ -9969,7 +10219,7 @@ Run 'sisyphus admin getting-started' for a complete usage guide.
 var args = process.argv.slice(2);
 var firstArg = args[0];
 var skipWelcome = ["admin", "help", "--help", "-h", "--version", "-V"];
-if (!existsSync28(globalDir()) && firstArg && !skipWelcome.includes(firstArg)) {
+if (!existsSync29(globalDir()) && firstArg && !skipWelcome.includes(firstArg)) {
   mkdirSync14(globalDir(), { recursive: true });
   console.log("");
   console.log("  Welcome to Sisyphus. Run 'sisyphus admin setup' to get started.");