@0dai-dev/cli 4.1.0 → 4.3.4

package/lib/utils/plan.js

@@ -9,6 +9,24 @@ const path = require("path");
 const os = require("os");
 
 const PLAN_LEVELS = { trial: 0, free: 0, essential: 1, pro: 2, team: 3, enterprise: 4 };
+const UPGRADE_URL = "https://0dai.dev/pricing";
+const TEAM_UPGRADE_MESSAGE = `This requires the Team tier. Upgrade at ${UPGRADE_URL}`;
+
+function _readAuthPlan() {
+  const authFile = path.join(os.homedir(), ".0dai", "auth.json");
+  if (!fs.existsSync(authFile)) return null;
+  try {
+    const auth = JSON.parse(fs.readFileSync(authFile, "utf8"));
+    const expiresAt = auth.expires_at || auth.plan_expires_at || "";
+    if (expiresAt) {
+      const expiryMs = Date.parse(expiresAt);
+      if (Number.isFinite(expiryMs) && expiryMs < Date.now()) return null;
+    }
+    const plan = String(auth.plan || "").toLowerCase();
+    if (PLAN_LEVELS[plan] !== undefined) return plan;
+  } catch {}
+  return null;
+}
 
 function _detectPlanLocal(target) {
   const projYaml = path.join(target, "ai", "manifest", "project.yaml");
@@ -16,8 +34,9 @@ function _detectPlanLocal(target) {
     try {
       const text = fs.readFileSync(projYaml, "utf8");
       for (const line of text.split("\n")) {
-        if (line.startsWith("plan:")) {
-          const plan = line.split(":")[1].trim().toLowerCase();
+        const match = line.match(/^\s*plan:\s*['"]?([^'"\n#]+)/);
+        if (match) {
+          const plan = match[1].trim().toLowerCase();
           if (PLAN_LEVELS[plan] !== undefined) return plan;
         }
       }
@@ -36,16 +55,29 @@ function _detectPlanLocal(target) {
       }
     } catch {}
   }
+  const authPlan = _readAuthPlan();
+  if (authPlan) return authPlan;
   return "free";
 }
 
 function requirePlan(requiredPlan, featureName, target) {
   const plan = _detectPlanLocal(target || process.cwd());
   if ((PLAN_LEVELS[plan] || 0) >= (PLAN_LEVELS[requiredPlan] || 0)) return null;
+  if (requiredPlan === "team") {
+    return {
+      error: TEAM_UPGRADE_MESSAGE,
+      hint: TEAM_UPGRADE_MESSAGE,
+      upgrade_url: UPGRADE_URL,
+      feature: featureName,
+      current_plan: plan,
+      required_plan: requiredPlan,
+    };
+  }
   return {
     error: `${featureName} requires ${requiredPlan.charAt(0).toUpperCase() + requiredPlan.slice(1)} plan ($15/mo).`,
     hint: "Run: 0dai upgrade",
     current_plan: plan,
+    required_plan: requiredPlan,
   };
 }
 
@@ -67,6 +99,9 @@ function getSwarmQuotaLocal(target) {
 
 module.exports = {
   PLAN_LEVELS,
+  UPGRADE_URL,
+  TEAM_UPGRADE_MESSAGE,
+  _readAuthPlan,
   _detectPlanLocal,
   requirePlan,
   getSwarmQuotaLocal,

package/lib/vault/cipher.js

@@ -0,0 +1,125 @@
+/**
+ * 0dai vault cipher — Phase 2a (Task #104 follow-up, F6 G2).
+ *
+ * Wraps `age` CLI subprocess to encrypt/decrypt secret payloads to/from
+ * the vault's local identity. Mirrors the design choice in ./identity.js:
+ * shell out to upstream `age` rather than re-implement X25519 in JS.
+ *
+ * Scope:
+ *   - encryptToFile(payload, recipient, outPath): age -r <recipient> -o <out>
+ *   - decryptFromFile(inPath, identityPath): age -d -i <identity> <in>
+ *
+ * Out of scope (Phase 2b+):
+ *   - Multi-recipient envelopes (team:* secrets)
+ *   - Hardware-key unwrap
+ *   - Cloud sync
+ *
+ * SECURITY:
+ *   - Payload passed via stdin; never written to disk in plaintext here.
+ *   - Output file written with 0600 mode.
+ *   - On any subprocess failure, the partially-written output (if any) is
+ *     removed so callers never see a half-encrypted file.
+ */
+
+"use strict";
+
+const fs = require("node:fs");
+const { spawnSync } = require("node:child_process");
+
+const SECRET_FILE_MODE = 0o600;
+const MAX_PAYLOAD_BYTES = 64 * 1024;  // 64 KiB — cap matches CLI input limits
+
+/**
+ * Encrypt `payload` to `outPath` for `recipient` (age1... public key).
+ *
+ * @param {Buffer|string} payload
+ * @param {string} recipient - age1... recipient string
+ * @param {string} outPath - destination path; written 0600
+ * @throws Error if payload too large, age binary missing, or encrypt fails
+ */
+function encryptToFile(payload, recipient, outPath) {
+  if (typeof recipient !== "string" || !recipient.startsWith("age1")) {
+    throw new Error("recipient must be an age1... public key");
+  }
+  const buf = Buffer.isBuffer(payload) ? payload : Buffer.from(payload, "utf8");
+  if (buf.length === 0) {
+    throw new Error("payload is empty");
+  }
+  if (buf.length > MAX_PAYLOAD_BYTES) {
+    throw new Error(
+      `payload ${buf.length} bytes exceeds cap ${MAX_PAYLOAD_BYTES}`,
+    );
+  }
+  const result = spawnSync(
+    "age",
+    ["-r", recipient, "-o", outPath],
+    { input: buf, stdio: ["pipe", "pipe", "pipe"] },
+  );
+  if (result.error) {
+    if (result.error.code === "ENOENT") {
+      throw new Error(
+        "age binary not found on PATH — install age (apt install age, brew install age)",
+      );
+    }
+    throw result.error;
+  }
+  if (result.status !== 0) {
+    // Best-effort cleanup so callers never see half-written ciphertext.
+    try { fs.unlinkSync(outPath); } catch (_) { /* ignore */ }
+    const stderr = (result.stderr || "").toString().trim();
+    throw new Error(`age encrypt failed (rc=${result.status}): ${stderr.slice(0, 200)}`);
+  }
+  // age writes the file with the process umask; tighten to 0600 explicitly.
+  try {
+    fs.chmodSync(outPath, SECRET_FILE_MODE);
+  } catch (e) {
+    // Non-fatal if filesystem doesn't support chmod (Windows over tmp), but
+    // surface the failure mode so tests can assert behaviour.
+    if (e.code !== "EPERM" && e.code !== "ENOTSUP") {
+      throw e;
+    }
+  }
+}
+
+/**
+ * Decrypt `inPath` with the identity file at `identityPath`.
+ *
+ * @param {string} inPath - ciphertext path
+ * @param {string} identityPath - identity.age path
+ * @returns {Buffer} plaintext
+ * @throws Error if age binary missing or decrypt fails
+ */
+function decryptFromFile(inPath, identityPath) {
+  if (!fs.existsSync(inPath)) {
+    const e = new Error(`secret file not found: ${inPath}`);
+    e.code = "VAULT_SECRET_NOT_FOUND";
+    throw e;
+  }
+  if (!fs.existsSync(identityPath)) {
+    throw new Error(`identity file not found: ${identityPath}`);
+  }
+  const result = spawnSync(
+    "age",
+    ["-d", "-i", identityPath, inPath],
+    { stdio: ["ignore", "pipe", "pipe"] },
+  );
+  if (result.error) {
+    if (result.error.code === "ENOENT") {
+      throw new Error(
+        "age binary not found on PATH — install age",
+      );
+    }
+    throw result.error;
+  }
+  if (result.status !== 0) {
+    const stderr = (result.stderr || "").toString().trim();
+    throw new Error(`age decrypt failed (rc=${result.status}): ${stderr.slice(0, 200)}`);
+  }
+  return result.stdout || Buffer.alloc(0);
+}
+
+module.exports = {
+  encryptToFile,
+  decryptFromFile,
+  _MAX_PAYLOAD_BYTES: MAX_PAYLOAD_BYTES,
+};

package/lib/vault/identity.js

@@ -0,0 +1,122 @@
+/**
+ * 0dai vault identity — Phase 1 SCAFFOLD.
+ *
+ * Wraps `age-keygen` to provision the local age identity under the vault
+ * directory. Phase 1 is intentionally minimal:
+ *
+ *   - ensureKeypair(dir): generate identity.age + identity.pub if absent.
+ *   - readPublicKey(dir): return the `age1...` recipient line or null.
+ *
+ * Phase 2 (operator P2 gated) will add: hardware-key unwrap, multi-recipient
+ * envelopes, and rotation. Do not extend this file beyond Phase 1 wiring
+ * without an SPEC update — see docs/runbooks/0dai-vault.md.
+ *
+ * `age-keygen` is shelled out (rather than re-implementing X25519) because
+ * the operator already trusts the upstream binary for the SOPS+age vault at
+ * ai/secrets/.
+ */
+
+"use strict";
+
+const fs = require("node:fs");
+const { spawnSync } = require("node:child_process");
+
+const storage = require("./storage");
+
+/**
+ * Generate identity.age + identity.pub if missing.
+ *
+ * Returns `true` if a new keypair was created, `false` if files already
+ * existed. Throws on unrecoverable error (age-keygen missing, write fail).
+ */
+function ensureKeypair(dir) {
+  const idPath = storage.identityPath(dir);
+  const pubPath = storage.publicKeyPath(dir);
+
+  if (fs.existsSync(idPath)) {
+    // identity already present — refuse to clobber, but make sure the
+    // .pub sidecar exists (cheap to regenerate from the secret key).
+    if (!fs.existsSync(pubPath)) {
+      const pub = derivePublicKey(idPath);
+      if (pub) writeFile(pubPath, pub + "\n");
+    }
+    return false;
+  }
+
+  const bin = locateAgeKeygen();
+  const result = spawnSync(bin, [], { encoding: "utf8", timeout: 15000 });
+  if (result.error) {
+    throw new Error(
+      `age-keygen failed: ${result.error.message} — install age (https://github.com/FiloSottile/age)`,
+    );
+  }
+  if (typeof result.status === "number" && result.status !== 0) {
+    throw new Error(`age-keygen exited ${result.status}: ${result.stderr || result.stdout}`);
+  }
+
+  const secret = (result.stdout || "").trim();
+  if (!secret.includes("AGE-SECRET-KEY-")) {
+    throw new Error("age-keygen produced unexpected output (missing AGE-SECRET-KEY marker)");
+  }
+
+  writeFile(idPath, secret + "\n");
+
+  // age-keygen prints the public recipient to stderr as `Public key: age1...`.
+  const pubLine = parsePublicKeyFromKeygenStderr(result.stderr);
+  if (pubLine) writeFile(pubPath, pubLine + "\n");
+  return true;
+}
+
+/**
+ * Read the public recipient from identity.pub, returning the trimmed
+ * `age1...` line or null if absent / malformed.
+ */
+function readPublicKey(dir) {
+  const pubPath = storage.publicKeyPath(dir);
+  if (!fs.existsSync(pubPath)) return null;
+  const contents = fs.readFileSync(pubPath, "utf8").trim();
+  if (!contents.startsWith("age1")) return null;
+  return contents.split(/\s+/)[0];
+}
+
+// ---- internals ----
+
+function writeFile(filePath, contents) {
+  fs.writeFileSync(filePath, contents, { mode: storage.VAULT_FILE_MODE });
+  try {
+    fs.chmodSync(filePath, storage.VAULT_FILE_MODE);
+  } catch {
+    // Best-effort.
+  }
+}
+
+function locateAgeKeygen() {
+  if (process.env.ODAI_VAULT_AGE_KEYGEN) return process.env.ODAI_VAULT_AGE_KEYGEN;
+  return "age-keygen";
+}
+
+function parsePublicKeyFromKeygenStderr(stderr) {
+  if (!stderr) return null;
+  const match = stderr.match(/Public key:\s+(age1[0-9a-zA-Z]+)/);
+  return match ? match[1] : null;
+}
+
+/**
+ * Phase 2 hook: derive the public key from an existing identity.age.
+ * Returns null in Phase 1 — the caller already has the .pub sidecar.
+ * Kept as a named export so doctor/diagnostic flows can probe it later.
+ */
+function derivePublicKey(/* identityFilePath */) {
+  // TODO(P2): shell out to `age-keygen -y <file>` to recover the public
+  // recipient if identity.pub was lost. Stubbed in Phase 1 to keep the
+  // CLI surface honest.
+  return null;
+}
+
+module.exports = {
+  ensureKeypair,
+  readPublicKey,
+  derivePublicKey,
+  // exposed for tests
+  _parsePublicKeyFromKeygenStderr: parsePublicKeyFromKeygenStderr,
+};

package/lib/vault/index.js

@@ -0,0 +1,184 @@
+/**
+ * 0dai vault — Phase 1 SCAFFOLD (Task #104, F6 G2).
+ *
+ * Public API surface for the local age-encrypted secrets vault. Phase 1
+ * only ships `init`; get/add/list/inject/rotate are stubbed and gated on
+ * operator P2 approval (see docs/runbooks/0dai-vault.md).
+ *
+ * Storage layout (managed in ./storage.js):
+ *
+ *   ~/.0dai/vault/
+ *     identity.age           — age secret key (created by `init` if absent)
+ *     identity.pub           — age public key (recipient line)
+ *     <scope>/               — per-scope secret bundles
+ *       <name>.age           — encrypted payload (Phase 2)
+ *
+ * SECURITY:
+ *   - Files inside ~/.0dai/vault/ are written with 0600 / dir 0700.
+ *   - identity.age MUST NEVER be transmitted off-host (Phase 1 is local-only).
+ *   - Phase 2 will add a hardware-key / KMS unwrap path; do not paper over
+ *     it with a software fallback here.
+ *
+ * Phase 1 acceptance: `0dai vault init` is idempotent and leaves the user
+ * with a usable age identity. Everything else throws NotImplemented so the
+ * CLI surface is wired but operator sees a clear "P2 deferred" message.
+ */
+
+"use strict";
+
+const storage = require("./storage");
+const identity = require("./identity");
+
+/**
+ * Initialize the local vault.
+ *
+ * Idempotent:
+ *   - Creates ~/.0dai/vault/ if missing (mode 0700).
+ *   - Generates an age keypair via `age-keygen` if identity.age is missing.
+ *   - Returns `{ created, vaultDir, publicKey }` so callers can print a
+ *     welcome banner or JSON.
+ *
+ * @param {object} [options]
+ * @param {string} [options.home] - Override HOME (used by tests).
+ * @returns {{created: boolean, vaultDir: string, publicKey: string|null,
+ *            identityPath: string, publicKeyPath: string}}
+ */
+function init(options = {}) {
+  const vaultDir = storage.ensureVaultDir(options);
+  const created = identity.ensureKeypair(vaultDir);
+  const publicKey = identity.readPublicKey(vaultDir);
+  return {
+    created,
+    vaultDir,
+    publicKey,
+    identityPath: storage.identityPath(vaultDir),
+    publicKeyPath: storage.publicKeyPath(vaultDir),
+  };
+}
+
+/**
+ * Resolve the canonical vault directory for the current environment.
+ *
+ * Exposed so callers (e.g. `0dai doctor`) can probe state without
+ * mutating the filesystem.
+ */
+function vaultDir(options = {}) {
+  return storage.vaultDir(options);
+}
+
+// ---- Phase 2a — get / add (Task #104 follow-up, F6 G2) ----
+// Implements local age-encrypted secret read + write under
+// <vaultDir>/<scope>/<name>.age. Out of Phase 2a: list/inject/rotate
+// (still throw NotImplemented below) + team:* / sync / share (no plan).
+
+const fs = require("node:fs");
+const path = require("node:path");
+const cipher = require("./cipher");
+
+const NAME_RE = /^[a-zA-Z0-9._-]{1,64}$/;
+
+function _validateName(name) {
+  if (typeof name !== "string" || !NAME_RE.test(name)) {
+    const err = new Error(
+      `invalid secret name: ${JSON.stringify(name)} — ` +
+      "must match /^[a-zA-Z0-9._-]{1,64}$/",
+    );
+    err.code = "VAULT_INVALID_NAME";
+    throw err;
+  }
+}
+
+function _secretPath(vaultDirPath, scope, name) {
+  const sdir = storage.scopeDir(vaultDirPath, scope);
+  return path.join(sdir, `${name}.age`);
+}
+
+/**
+ * Read + decrypt the secret at <scope>/<name> with the local identity.
+ *
+ * @returns {{value: string, scope: string, name: string, path: string}}
+ * @throws Error with code=VAULT_SECRET_NOT_FOUND if file absent
+ * @throws Error with code=VAULT_INVALID_NAME if name fails the regex
+ */
+function get(scope, name, options = {}) {
+  _validateName(name);
+  const vdir = storage.ensureVaultDir(options);
+  const sPath = _secretPath(vdir, scope, name);
+  const idPath = storage.identityPath(vdir);
+  const plaintext = cipher.decryptFromFile(sPath, idPath);
+  return {
+    value: plaintext.toString("utf8"),
+    scope,
+    name,
+    path: sPath,
+  };
+}
+
+/**
+ * Encrypt `value` to <scope>/<name>.age for the local recipient.
+ * Creates the scope dir (mode 0700) on first use. Idempotent: overwrites
+ * an existing secret (operator must rotate explicitly via Phase 2b).
+ *
+ * @returns {{path, scope, name, bytes, overwritten}}
+ * @throws Error with code=VAULT_INVALID_NAME if name fails the regex
+ * @throws Error with code=VAULT_NOT_INITIALIZED if identity missing
+ */
+function add(scope, name, value, options = {}) {
+  _validateName(name);
+  const vdir = storage.ensureVaultDir(options);
+  const recipient = identity.readPublicKey(vdir);
+  if (!recipient) {
+    const err = new Error(
+      "vault identity missing — run `0dai vault init` first",
+    );
+    err.code = "VAULT_NOT_INITIALIZED";
+    throw err;
+  }
+  const sdir = storage.scopeDir(vdir, scope);
+  fs.mkdirSync(sdir, { recursive: true, mode: 0o700 });
+  try { fs.chmodSync(sdir, 0o700); } catch (_) { /* best effort */ }
+  const outPath = _secretPath(vdir, scope, name);
+  const overwritten = fs.existsSync(outPath);
+  cipher.encryptToFile(value, recipient, outPath);
+  const stat = fs.statSync(outPath);
+  return {
+    path: outPath,
+    scope,
+    name,
+    bytes: stat.size,
+    overwritten,
+  };
+}
+
+function list(/* scope, options */) {
+  throw notImplemented("vault.list");
+}
+
+function inject(/* scope, options */) {
+  throw notImplemented("vault.inject");
+}
+
+function rotate(/* scope, name, options */) {
+  throw notImplemented("vault.rotate");
+}
+
+function notImplemented(symbol) {
+  const err = new Error(
+    `${symbol} is gated on operator P2 approval — see docs/runbooks/0dai-vault.md`,
+  );
+  err.code = "VAULT_PHASE2_DEFERRED";
+  return err;
+}
+
+module.exports = {
+  init,
+  vaultDir,
+  get,
+  add,
+  list,
+  inject,
+  rotate,
+  // re-exported for tests / advanced callers
+  _storage: storage,
+  _identity: identity,
+};

package/lib/vault/storage.js

@@ -0,0 +1,84 @@
+/**
+ * 0dai vault storage — Phase 1 SCAFFOLD.
+ *
+ * Owns path resolution and directory provisioning under ~/.0dai/vault/.
+ * No crypto here — that lives in ./identity.js (Phase 1) and a future
+ * ./cipher.js (Phase 2).
+ *
+ * Layout (see ./index.js header):
+ *   <vaultDir>/identity.age      0600
+ *   <vaultDir>/identity.pub      0600
+ *   <vaultDir>/<scope>/          0700  (Phase 2)
+ *   <vaultDir>/<scope>/<n>.age   0600  (Phase 2)
+ *
+ * All public functions accept an optional `{ home }` so unit tests can
+ * sandbox the vault location without touching the real $HOME.
+ */
+
+"use strict";
+
+const fs = require("node:fs");
+const os = require("node:os");
+const path = require("node:path");
+
+const VAULT_DIR_MODE = 0o700;
+const VAULT_FILE_MODE = 0o600;
+
+function resolveHome(options) {
+  if (options && typeof options.home === "string" && options.home) return options.home;
+  if (process.env.ODAI_VAULT_HOME) return process.env.ODAI_VAULT_HOME;
+  return os.homedir();
+}
+
+/**
+ * Canonical vault directory: $HOME/.0dai/vault/ (overridable via options.home
+ * or $ODAI_VAULT_HOME).
+ */
+function vaultDir(options = {}) {
+  return path.join(resolveHome(options), ".0dai", "vault");
+}
+
+/**
+ * Ensure the vault directory exists with 0700 perms. Idempotent.
+ * Returns the resolved path.
+ */
+function ensureVaultDir(options = {}) {
+  const dir = vaultDir(options);
+  fs.mkdirSync(dir, { recursive: true, mode: VAULT_DIR_MODE });
+  // mkdirSync respects umask, so re-chmod to be explicit.
+  try {
+    fs.chmodSync(dir, VAULT_DIR_MODE);
+  } catch {
+    // Best-effort on platforms that don't support chmod (e.g. Windows).
+  }
+  return dir;
+}
+
+function identityPath(dir) {
+  return path.join(dir, "identity.age");
+}
+
+function publicKeyPath(dir) {
+  return path.join(dir, "identity.pub");
+}
+
+/**
+ * Phase 2 helper: per-scope dir under the vault. Stubbed so callers can
+ * import it today; not exercised by Phase 1 tests.
+ */
+function scopeDir(dir, scope) {
+  if (!scope || typeof scope !== "string" || scope.includes("/") || scope.includes("\\")) {
+    throw new Error(`invalid vault scope: ${JSON.stringify(scope)}`);
+  }
+  return path.join(dir, scope);
+}
+
+module.exports = {
+  VAULT_DIR_MODE,
+  VAULT_FILE_MODE,
+  vaultDir,
+  ensureVaultDir,
+  identityPath,
+  publicKeyPath,
+  scopeDir,
+};

package/lib/wizard.js

@@ -9,6 +9,8 @@
 const fs = require("fs");
 const path = require("path");
 const readline = require("readline");
+const { writeFiles } = require("./shared");
+const { loadCanonicalCounts, mcpToolsLabel } = require("./utils/canonical-counts");
 
 // ---------------------------------------------------------------------------
 // Helpers
@@ -65,11 +67,12 @@ async function stepAgent(rl) {
 }
 
 async function stepAuth(rl) {
+  const counts = loadCanonicalCounts();
   console.log("");
   console.log("  0dai works in two modes:");
   console.log("");
   console.log("    Local mode  — generate configs offline, no account needed");
-  console.log("    Cloud mode  — full graph, swarm, roaming, 56 MCP tools");
+  console.log(`    Cloud mode  — full graph, swarm, roaming, ${mcpToolsLabel(counts)}`);
   console.log("");
 
   const answer = await ask(rl, "  Sign in now? [Y/n]: ", "y");
@@ -77,8 +80,7 @@ async function stepAuth(rl) {
     console.log("  → Local mode. Sign in later: 0dai auth login");
     return "local";
   }
-  console.log("  → Cloud mode. Run: 0dai auth login");
-  console.log("  (Authentication happens after wizard completes.)");
+  console.log("  → Cloud mode. Authentication continues in this init run.");
   return "cloud";
 }
 
@@ -158,7 +160,8 @@ function stepGenerate(target, agent, stack) {
   fs.mkdirSync(manifestDir, { recursive: true });
 
   // VERSION
-  fs.writeFileSync(path.join(aiDir, "VERSION"), "3.10.1\n");
+  const pkgVersion = require("../package.json").version;
+  fs.writeFileSync(path.join(aiDir, "VERSION"), `${pkgVersion}\n`);
 
   // Discovery
   const discovery = {
@@ -182,14 +185,14 @@ function stepGenerate(target, agent, stack) {
 
   // CLAUDE.md
   const claudeMd = `# ${discovery.project_name}\n\nStack: ${stack.join(", ") || "unknown"}\nGenerated by 0dai wizard.\n\n## Commands\n\nSee ai/manifest/ for full configuration.\n`;
-  fs.writeFileSync(path.join(target, "CLAUDE.md"), claudeMd);
+  const agentsMd = `# Agent Configuration\n\nProject: ${discovery.project_name}\nStack: ${stack.join(", ") || "unknown"}\n\nSee ai/manifest/ for configuration details.\n`;
+  writeFiles(target, {
+    "CLAUDE.md": claudeMd,
+    "AGENTS.md": agentsMd,
+  });
   console.log("  ✓ CLAUDE.md");
 
   // AGENTS.md
-  fs.writeFileSync(
-    path.join(target, "AGENTS.md"),
-    `# Agent Configuration\n\nProject: ${discovery.project_name}\nStack: ${stack.join(", ") || "unknown"}\n\nSee ai/manifest/ for configuration details.\n`,
-  );
   console.log("  ✓ AGENTS.md");
 
   // ai/manifest files
@@ -228,7 +231,8 @@ function stepNext(mode) {
 // Main wizard
 // ---------------------------------------------------------------------------
 
-async function runWizard(target) {
+async function runWizard(target, options = {}) {
+  const forceLocal = Boolean(options.forceLocal);
   if (!isInteractive()) {
     // Non-interactive: use defaults silently
     stepGenerate(target, "all", []);
@@ -252,8 +256,11 @@ async function runWizard(target) {
     const agent = await stepAgent(rl);
     if (aborted) return { completed: false };
 
-    const mode = await stepAuth(rl);
+    const mode = forceLocal ? "local" : await stepAuth(rl);
     if (aborted) return { completed: false };
+    if (mode === "cloud") {
+      return { completed: false, interactive: true, cloudRequested: true, agent, mode };
+    }
 
     const stack = await stepDetect(rl, target);
     if (aborted) return { completed: false };
@@ -267,7 +274,7 @@ async function runWizard(target) {
     if (err && err.code !== "ERR_USE_AFTER_CLOSE") {
       console.error(`\n  Wizard error: ${err.message || err}`);
     }
-    return { completed: false };
+    return { completed: false, cancelled: true };
   } finally {
     rl.close();
   }