sparkecoder 0.1.100 → 0.1.103

package/dist/cli.js

@@ -11575,6 +11575,83 @@ var init_scheduler = __esm({
   }
 });
 
+// src/cloudflare/api.ts
+var api_exports = {};
+__export(api_exports, {
+  createRemoteTunnel: () => createRemoteTunnel,
+  setTunnelConfig: () => setTunnelConfig,
+  upsertDnsCname: () => upsertDnsCname
+});
+async function cf(cfg, method, path, body) {
+  const res = await fetch(`${CF_API}${path}`, {
+    method,
+    headers: {
+      Authorization: `Bearer ${cfg.apiToken}`,
+      "Content-Type": "application/json"
+    },
+    body: body == null ? void 0 : JSON.stringify(body)
+  });
+  const json = await res.json().catch(() => ({}));
+  if (!res.ok || json?.success === false) {
+    const errMsg = json?.errors?.map((e) => `${e.code}: ${e.message}`).join("; ");
+    throw new Error(
+      `Cloudflare API ${method} ${path} failed (HTTP ${res.status}): ${errMsg ?? JSON.stringify(json).slice(0, 400)}`
+    );
+  }
+  return json.result ?? json;
+}
+async function createRemoteTunnel(cfg, name) {
+  const created = await cf(
+    cfg,
+    "POST",
+    `/accounts/${cfg.accountId}/cfd_tunnel`,
+    { name, config_src: "cloudflare" }
+  );
+  let token = created.token;
+  if (!token) {
+    token = await cf(cfg, "GET", `/accounts/${cfg.accountId}/cfd_tunnel/${created.id}/token`);
+  }
+  return { id: created.id, name: created.name, token };
+}
+async function setTunnelConfig(cfg, tunnelId, ingress) {
+  await cf(cfg, "PUT", `/accounts/${cfg.accountId}/cfd_tunnel/${tunnelId}/configurations`, {
+    config: { ingress: [...ingress, { service: "http_status:404" }] }
+  });
+}
+async function upsertDnsCname(cfg, hostname, tunnelId) {
+  if (!cfg.zoneId) throw new Error("zoneId required to manage DNS");
+  const target = `${tunnelId}.cfargotunnel.com`;
+  const existing = await cf(
+    cfg,
+    "GET",
+    `/zones/${cfg.zoneId}/dns_records?name=${encodeURIComponent(hostname)}`
+  );
+  if (Array.isArray(existing) && existing.length > 0) {
+    await cf(cfg, "PUT", `/zones/${cfg.zoneId}/dns_records/${existing[0].id}`, {
+      type: "CNAME",
+      name: hostname,
+      content: target,
+      proxied: true,
+      ttl: 1
+    });
+  } else {
+    await cf(cfg, "POST", `/zones/${cfg.zoneId}/dns_records`, {
+      type: "CNAME",
+      name: hostname,
+      content: target,
+      proxied: true,
+      ttl: 1
+    });
+  }
+}
+var CF_API;
+var init_api = __esm({
+  "src/cloudflare/api.ts"() {
+    "use strict";
+    CF_API = "https://api.cloudflare.com/client/v4";
+  }
+});
+
 // src/cli.ts
 import { Command } from "commander";
 import chalk from "chalk";
@@ -13104,7 +13181,11 @@ ${prompt}` });
           await writeSSE(JSON.stringify({ type: "reasoning-end", id: reasoningId }));
         }
         if (!isAborted) {
-          await result.saveResponseMessages();
+          try {
+            await result.saveResponseMessages();
+          } catch (err) {
+            console.error("saveResponseMessages failed (continuing):", err?.message ?? err);
+          }
         }
         if (isAborted) {
           await writeSSE(JSON.stringify({ type: "abort" }));
@@ -16828,53 +16909,360 @@ program.command("slack-setup").description("Interactively configure Slack integr
     process.exit(1);
   }
 });
-program.command("cloudflared-setup").description("Print a copy-paste recipe for exposing this sparkecoder via cloudflared + Cloudflare Access").option("--port <port>", "Local sparkecoder web UI port", "6969").option("--api-port <port>", "Local sparkecoder API port", "3141").option("--hostname <host>", "Public hostname you want to assign (e.g. sf-mac-1.example.com)").option("--team <team>", "Your Cloudflare Access team subdomain (e.g. studyfetch -> studyfetch.cloudflareaccess.com)").option("--allowed-emails <emails>", "Comma-separated allow-listed emails").action(async (options) => {
+program.command("cloudflared-setup").description("Auto-detect cloudflared + set up a tunnel to this sparkecoder (interactive)").option("--port <port>", "Local sparkecoder web UI port", "6969").option("--api-port <port>", "Local sparkecoder API port", "3141").option("--hostname <host>", "Public hostname you want to assign (e.g. sf-mac-1.example.com)").option("--tunnel-name <name>", "Tunnel name to reuse or create", "sparkecoder").option("--team <team>", "Your Cloudflare Access team subdomain (e.g. studyfetch -> studyfetch.cloudflareaccess.com)").option("--allowed-emails <emails>", "Comma-separated allow-listed emails").option("-y, --yes", "Skip confirmations and do everything non-interactively", false).option("--print-only", "Skip auto-setup and just print the copy/paste recipe", false).option("--cf-api-token <token>", "Cloudflare API token (Account: Cloudflare Tunnel: Edit + Zone: DNS: Edit). Or set CF_API_TOKEN env").option("--cf-account-id <id>", "Cloudflare account ID. Or set CF_ACCOUNT_ID env").option("--cf-zone-id <id>", "Cloudflare zone ID for the hostname. Or set CF_ZONE_ID env").option("--remote", "Provision the tunnel via the remote sparkecoder server (server holds the Cloudflare credentials)", false).option("--setup-secret <secret>", "Tunnel setup secret (required when server has TUNNEL_SETUP_SECRET set). Or set SPARKECODER_TUNNEL_SECRET env").action(async (options) => {
+  const { execSync: execSync2, spawnSync } = await import("child_process");
+  const { homedir: homedir2 } = await import("os");
+  const { copyFileSync } = await import("fs");
   const port = options.port || "6969";
   const apiPort = options.apiPort || "3141";
-  const hostname = options.hostname || "<your-public-hostname>";
+  const tunnelName = options.tunnelName || "sparkecoder";
   const team = options.team || "<your-team>";
   const emails = (options.allowedEmails || "").split(",").map((s) => s.trim()).filter(Boolean);
-  console.log(chalk.bold("Cloudflared + Cloudflare Access setup\n"));
-  console.log(chalk.dim("1. Install cloudflared:"));
-  console.log(chalk.cyan("   brew install cloudflared          # macOS"));
-  console.log(chalk.cyan("   # or download from https://github.com/cloudflare/cloudflared/releases\n"));
-  console.log(chalk.dim("2. Authenticate + create a named tunnel:"));
-  console.log(chalk.cyan("   cloudflared tunnel login"));
-  console.log(chalk.cyan("   cloudflared tunnel create sparkecoder"));
-  console.log(chalk.cyan(`   cloudflared tunnel route dns sparkecoder ${hostname}
-`));
-  console.log(chalk.dim("3. Create ~/.cloudflared/config.yml with:"));
-  console.log(chalk.cyan(`
-   tunnel: sparkecoder
-   credentials-file: /Users/$(whoami)/.cloudflared/<tunnel-id>.json
-   ingress:
-     - hostname: ${hostname}
-       service: http://localhost:${port}
-     - hostname: api-${hostname}
-       service: http://localhost:${apiPort}
-     - service: http_status:404
-`));
-  console.log(chalk.dim("4. Run the tunnel (or set it up as a system service):"));
-  console.log(chalk.cyan("   cloudflared tunnel run sparkecoder\n"));
-  console.log(chalk.dim("5. In Cloudflare Zero Trust > Access > Applications:"));
-  console.log(chalk.dim(`     - Add a self-hosted application for ${hostname}.`));
-  console.log(chalk.dim('     - Add an "Allow" policy with the emails you want.'));
-  console.log(chalk.dim(`     - Note the application AUD tag.
-`));
-  console.log(chalk.dim("6. Add an auth block to sparkecoder.config.json:"));
-  console.log(chalk.cyan(`
-   {
-     "auth": {
-       "cfAccess": {
-         "enabled": true,
-         "teamDomain": "${team}.cloudflareaccess.com",
-         "audTag": "<paste-aud-from-cf-dashboard>"
-       },
-       "allowedEmails": [${emails.length ? emails.map((e) => `"${e}"`).join(", ") : '"you@example.com"'}]
-     }
-   }
-`));
-  console.log(chalk.dim("7. Slack endpoint (/api/slack/events) and /health are exempt from CF Access automatically."));
+  const yes = !!options.yes;
+  const ensureCloudflared = () => {
+    try {
+      return execSync2("command -v cloudflared", { stdio: ["ignore", "pipe", "ignore"] }).toString().trim() || null;
+    } catch {
+      return null;
+    }
+  };
+  const installCloudflaredIfNeeded = async () => {
+    let cfPath = ensureCloudflared();
+    if (cfPath) return cfPath;
+    console.log(chalk.yellow("cloudflared is not installed."));
+    if (process.platform === "darwin") {
+      try {
+        execSync2("command -v brew", { stdio: "ignore" });
+      } catch {
+        return null;
+      }
+      console.log(chalk.dim("Installing via `brew install cloudflared`..."));
+      spawnSync("brew", ["install", "cloudflared"], { stdio: "inherit" });
+      cfPath = ensureCloudflared();
+    }
+    return cfPath;
+  };
+  const installAsService = (token) => {
+    let r = spawnSync("cloudflared", ["service", "install", token], { stdio: "inherit" });
+    if (r.status !== 0 && process.platform !== "win32") {
+      console.log(chalk.dim("Retrying with sudo..."));
+      r = spawnSync("sudo", ["cloudflared", "service", "install", token], { stdio: "inherit" });
+    }
+    return r.status === 0;
+  };
+  if (options.remote) {
+    try {
+      let config = loadConfig(options.config, process.cwd());
+      let remoteUrl = config.resolvedRemoteServer.url;
+      if (!remoteUrl) {
+        console.log(chalk.red("No remoteServer.url configured. Run `sparkecoder login` (or set remoteServer.url in your config) first."));
+        process.exitCode = 1;
+        return;
+      }
+      let authKey3 = config.resolvedRemoteServer.authKey;
+      if (!authKey3) {
+        authKey3 = await ensureRemoteAuthKey(remoteUrl);
+      }
+      const setupSecret = options.setupSecret || process.env.SPARKECODER_TUNNEL_SECRET;
+      const hostname = options.hostname;
+      console.log(chalk.bold(
+        hostname ? `Requesting tunnel for ${hostname} from remote server...` : "Requesting auto-generated tunnel from remote server..."
+      ));
+      const reqBody = {
+        port: Number(apiPort),
+        webPort: Number(port),
+        name: tunnelName
+      };
+      if (hostname) reqBody.hostname = hostname;
+      const res = await fetch(`${remoteUrl.replace(/\/$/, "")}/tunnels`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${authKey3}`,
+          ...setupSecret ? { "X-Tunnel-Setup-Secret": setupSecret } : {}
+        },
+        body: JSON.stringify(reqBody)
+      });
+      if (!res.ok) {
+        const body = await res.text();
+        console.log(chalk.red(`Server refused tunnel creation (HTTP ${res.status}): ${body}`));
+        process.exitCode = 1;
+        return;
+      }
+      const { tunnelToken, hostname: provisionedHost, apiHostname } = await res.json();
+      const cfPath = await installCloudflaredIfNeeded();
+      if (!cfPath) {
+        console.log(chalk.yellow("cloudflared not installed; run this once installed:"));
+        console.log(chalk.cyan(`  cloudflared service install ${tunnelToken}`));
+        return;
+      }
+      console.log(chalk.bold("\nInstalling cloudflared as a service..."));
+      const ok = installAsService(tunnelToken);
+      if (!ok) {
+        console.log(chalk.yellow("Service install failed; you can run it manually:"));
+        console.log(chalk.cyan(`  cloudflared tunnel run --token ${tunnelToken}`));
+      }
+      console.log("");
+      console.log(chalk.green("Done."), "Your sparkecoder will be reachable at:");
+      console.log("  Web:", chalk.cyan(`https://${provisionedHost}`));
+      console.log("  API:", chalk.cyan(`https://${apiHostname}`));
+      return;
+    } catch (err) {
+      console.error(chalk.red("Remote tunnel setup failed:"), err?.message || err);
+      process.exitCode = 1;
+      return;
+    }
+  }
+  const cfToken = options.cfApiToken || process.env.CF_API_TOKEN;
+  const cfAccount = options.cfAccountId || process.env.CF_ACCOUNT_ID;
+  const cfZone = options.cfZoneId || process.env.CF_ZONE_ID;
+  if (cfToken && cfAccount) {
+    try {
+      const hostname = options.hostname;
+      if (!hostname) {
+        console.log(chalk.red("--hostname is required in API mode."));
+        process.exitCode = 1;
+        return;
+      }
+      const cfPath = await installCloudflaredIfNeeded();
+      if (!cfPath) {
+        console.log(chalk.red("cloudflared is required. Install from https://github.com/cloudflare/cloudflared/releases and re-run."));
+        process.exitCode = 1;
+        return;
+      }
+      const { createRemoteTunnel: createRemoteTunnel2, setTunnelConfig: setTunnelConfig2, upsertDnsCname: upsertDnsCname2 } = await Promise.resolve().then(() => (init_api(), api_exports));
+      const cfg = { apiToken: cfToken, accountId: cfAccount, zoneId: cfZone };
+      console.log(chalk.bold("Creating tunnel via Cloudflare API..."));
+      const created = await createRemoteTunnel2(cfg, tunnelName || `sparkecoder-${hostname}`);
+      console.log(chalk.green("\u2713"), `tunnel created: ${created.id}`);
+      await setTunnelConfig2(cfg, created.id, [
+        { hostname, service: `http://localhost:${port}` },
+        { hostname: `api-${hostname}`, service: `http://localhost:${apiPort}` }
+      ]);
+      console.log(chalk.green("\u2713"), "ingress config set");
+      if (cfZone) {
+        await upsertDnsCname2(cfg, hostname, created.id);
+        await upsertDnsCname2(cfg, `api-${hostname}`, created.id);
+        console.log(chalk.green("\u2713"), `DNS routes: ${hostname}, api-${hostname}`);
+      } else {
+        console.log(chalk.yellow("Skipping DNS (no --cf-zone-id). Add CNAMEs manually:"));
+        console.log(chalk.dim(`  ${hostname}     CNAME -> ${created.id}.cfargotunnel.com (proxied)`));
+        console.log(chalk.dim(`  api-${hostname} CNAME -> ${created.id}.cfargotunnel.com (proxied)`));
+      }
+      console.log(chalk.bold("\nInstalling cloudflared as a service..."));
+      installAsService(created.token);
+      console.log("");
+      console.log(chalk.green("Done."), "Your sparkecoder will be reachable at:");
+      console.log("  Web:", chalk.cyan(`https://${hostname}`));
+      console.log("  API:", chalk.cyan(`https://api-${hostname}`));
+      return;
+    } catch (err) {
+      console.error(chalk.red("API-mode setup failed:"), err?.message || err);
+      process.exitCode = 1;
+      return;
+    }
+  }
+  if (options.printOnly) {
+    const hostname = options.hostname || "<your-public-hostname>";
+    console.log(chalk.bold("Cloudflared + Cloudflare Access setup (manual)\n"));
+    console.log(chalk.dim("1. brew install cloudflared"));
+    console.log(chalk.dim("2. cloudflared tunnel login"));
+    console.log(chalk.dim(`3. cloudflared tunnel create ${tunnelName}`));
+    console.log(chalk.dim(`4. cloudflared tunnel route dns ${tunnelName} ${hostname}`));
+    console.log(chalk.dim(`5. write ~/.cloudflared/config.yml pointing ${hostname} -> http://localhost:${port}, api-${hostname} -> http://localhost:${apiPort}`));
+    console.log(chalk.dim(`6. cloudflared tunnel run ${tunnelName}`));
+    console.log(chalk.dim("7. Cloudflare Zero Trust -> add a self-hosted Access app on the hostname"));
+    console.log(chalk.dim("8. Paste the AUD into sparkecoder.config.json under auth.cfAccess"));
+    return;
+  }
+  const rl = createInterface({ input: process.stdin, output: process.stdout });
+  const ask = (q, def) => new Promise((res) => {
+    const prompt = def ? `${q} ${chalk.dim(`[${def}]`)} ` : `${q} `;
+    rl.question(prompt, (a) => res((a || "").trim() || def || ""));
+  });
+  const confirm = async (q, def = true) => {
+    if (yes) return true;
+    const a = (await ask(`${q} ${chalk.dim(def ? "(Y/n)" : "(y/N)")}`)).toLowerCase();
+    if (!a) return def;
+    return a.startsWith("y");
+  };
+  const which = (bin) => {
+    try {
+      return execSync2(`command -v ${bin}`, { stdio: ["ignore", "pipe", "ignore"] }).toString().trim() || null;
+    } catch {
+      return null;
+    }
+  };
+  const run = (cmd, args, opts = {}) => {
+    const r = spawnSync(cmd, args, { stdio: opts.inheritIO ? "inherit" : ["ignore", "pipe", "pipe"], encoding: "utf8" });
+    if (opts.check && r.status !== 0) {
+      throw new Error(`${cmd} ${args.join(" ")} failed (${r.status}): ${r.stderr || r.stdout}`);
+    }
+    return r;
+  };
+  try {
+    console.log(chalk.bold("Cloudflared auto-setup\n"));
+    let cfPath = which("cloudflared");
+    if (!cfPath) {
+      console.log(chalk.yellow("cloudflared is not installed."));
+      if (process.platform === "darwin" && which("brew")) {
+        if (await confirm("Install it now via `brew install cloudflared`?", true)) {
+          run("brew", ["install", "cloudflared"], { inheritIO: true, check: true });
+          cfPath = which("cloudflared");
+        }
+      }
+      if (!cfPath) {
+        console.log(chalk.red("Install cloudflared from https://github.com/cloudflare/cloudflared/releases and re-run."));
+        rl.close();
+        return;
+      }
+    }
+    const verOut = run("cloudflared", ["--version"]).stdout?.toString().split("\n")[0] || "installed";
+    console.log(chalk.green("\u2713"), "cloudflared:", chalk.dim(verOut));
+    const cfDir = join16(homedir2(), ".cloudflared");
+    const certPath = join16(cfDir, "cert.pem");
+    if (!existsSync21(certPath)) {
+      console.log(chalk.yellow("No Cloudflare login cert found."));
+      if (await confirm("Run `cloudflared tunnel login` now (opens a browser)?", true)) {
+        run("cloudflared", ["tunnel", "login"], { inheritIO: true, check: true });
+      } else {
+        console.log(chalk.red("Login required to continue."));
+        rl.close();
+        return;
+      }
+    } else {
+      console.log(chalk.green("\u2713"), "logged in:", chalk.dim(certPath));
+    }
+    let tunnels = [];
+    try {
+      const out = run("cloudflared", ["tunnel", "list", "--output", "json"]).stdout || "[]";
+      tunnels = JSON.parse(out);
+    } catch {
+    }
+    let tunnel = tunnels.find((t) => t.name === tunnelName);
+    if (tunnel) {
+      console.log(chalk.green("\u2713"), `reusing existing tunnel "${tunnelName}":`, chalk.dim(tunnel.id));
+    } else {
+      if (!await confirm(`No tunnel named "${tunnelName}" found. Create it?`, true)) {
+        rl.close();
+        return;
+      }
+      const r = run("cloudflared", ["tunnel", "create", tunnelName], { inheritIO: true });
+      if (r.status !== 0) {
+        console.log(chalk.red("Tunnel create failed."));
+        rl.close();
+        return;
+      }
+      try {
+        const out = run("cloudflared", ["tunnel", "list", "--output", "json"]).stdout || "[]";
+        tunnels = JSON.parse(out);
+        tunnel = tunnels.find((t) => t.name === tunnelName);
+      } catch {
+      }
+      if (!tunnel) {
+        console.log(chalk.red("Could not locate freshly-created tunnel. Check `cloudflared tunnel list`."));
+        rl.close();
+        return;
+      }
+    }
+    const credsFile = tunnel.credentials_file || join16(cfDir, `${tunnel.id}.json`);
+    if (!existsSync21(credsFile)) {
+      console.log(chalk.yellow(`Credentials file not found at ${credsFile}. The tunnel may still work via cert.pem.`));
+    }
+    let hostname = options.hostname;
+    if (!hostname) {
+      hostname = await ask("Public hostname for this sparkecoder (e.g. sf-mac-1.example.com):");
+    }
+    if (!hostname) {
+      console.log(chalk.red("A hostname is required to route DNS."));
+      rl.close();
+      return;
+    }
+    const dnsR = run("cloudflared", ["tunnel", "route", "dns", tunnelName, hostname]);
+    if (dnsR.status === 0) {
+      console.log(chalk.green("\u2713"), `DNS routed: ${hostname} -> ${tunnelName}`);
+    } else {
+      const err = (dnsR.stderr || dnsR.stdout || "").toString();
+      if (/already exists|with the same/i.test(err)) {
+        console.log(chalk.green("\u2713"), `DNS already routed for ${hostname}`);
+      } else {
+        console.log(chalk.yellow("DNS route warning:"), err.trim().split("\n").slice(-2).join(" "));
+      }
+    }
+    const configPath = join16(cfDir, "config.yml");
+    const configBody = `tunnel: ${tunnel.id}
+credentials-file: ${credsFile}
+ingress:
+  - hostname: ${hostname}
+    service: http://localhost:${port}
+  - hostname: api-${hostname}
+    service: http://localhost:${apiPort}
+  - service: http_status:404
+`;
+    let wroteConfig = false;
+    if (existsSync21(configPath)) {
+      const existing = readFileSync10(configPath, "utf8");
+      if (existing.trim() === configBody.trim()) {
+        console.log(chalk.green("\u2713"), `config.yml already up to date: ${configPath}`);
+        wroteConfig = true;
+      } else if (await confirm(`A different ${configPath} exists. Overwrite (a backup will be saved)?`, false)) {
+        copyFileSync(configPath, `${configPath}.bak.${Date.now()}`);
+        writeFileSync6(configPath, configBody);
+        console.log(chalk.green("\u2713"), `wrote ${configPath} (previous saved as .bak.*)`);
+        wroteConfig = true;
+      } else {
+        console.log(chalk.dim("Skipping config write. Suggested contents:"));
+        console.log(chalk.cyan(configBody));
+      }
+    } else {
+      writeFileSync6(configPath, configBody);
+      console.log(chalk.green("\u2713"), `wrote ${configPath}`);
+      wroteConfig = true;
+    }
+    let alreadyRunning = false;
+    try {
+      const psOut = execSync2("ps -axo command", { stdio: ["ignore", "pipe", "ignore"] }).toString();
+      alreadyRunning = /cloudflared.*tunnel.*run/.test(psOut);
+    } catch {
+    }
+    if (alreadyRunning) {
+      console.log(chalk.green("\u2713"), "cloudflared tunnel process detected \u2014 you may need to restart it to pick up config changes.");
+    } else if (wroteConfig) {
+      if (await confirm("Install cloudflared as a background service (`sudo cloudflared service install`)?", false)) {
+        run("sudo", ["cloudflared", "service", "install"], { inheritIO: true });
+      } else {
+        console.log(chalk.dim("Start it manually with:"), chalk.cyan(`cloudflared tunnel run ${tunnelName}`));
+      }
+    }
+    console.log("");
+    console.log(chalk.bold("Cloudflare Access (one manual step)"));
+    console.log(chalk.dim(`  1. Open https://one.dash.cloudflare.com -> Access -> Applications -> Add an application.`));
+    console.log(chalk.dim(`  2. Self-hosted, application domain = ${hostname} (and api-${hostname} if you also want the API protected).`));
+    console.log(
+      chalk.dim('  3. Add an "Allow" policy with emails:'),
+      chalk.cyan(emails.length ? emails.join(", ") : "you@example.com")
+    );
+    console.log(chalk.dim("  4. Copy the application AUD tag from the dashboard."));
+    console.log(chalk.dim(`  5. Paste it into sparkecoder.config.json:`));
+    console.log(chalk.cyan(`     {
+       "auth": {
+         "cfAccess": {
+           "enabled": true,
+           "teamDomain": "${team}.cloudflareaccess.com",
+           "audTag": "<paste-aud-from-cf-dashboard>"
+         },
+         "allowedEmails": [${emails.length ? emails.map((e) => `"${e}"`).join(", ") : '"you@example.com"'}]
+       }
+     }`));
+    console.log(chalk.dim("  (/api/slack/events, /api/inbox/* and /health are exempt from CF Access automatically.)"));
+    console.log("");
+    console.log(chalk.green("Done."), `Your sparkecoder should now be reachable at`, chalk.cyan(`https://${hostname}`));
+  } catch (err) {
+    console.error(chalk.red("Setup failed:"), err?.message || err);
+    process.exitCode = 1;
+  } finally {
+    rl.close();
+  }
 });
 program.command("sessions").description("List all sessions").option("-l, --limit <limit>", "Number of sessions to show", "20").option("-p, --port <port>", "Server port", "3141").option("-H, --host <host>", "Server host", "127.0.0.1").action(async (options) => {
   const baseUrl = `http://${options.host}:${options.port}`;