@agentuity/cli 0.0.67 → 0.0.68

package/dist/keychain.js

@@ -0,0 +1,131 @@
+/**
+ * macOS Keychain integration for secure auth token storage
+ *
+ * Stores auth tokens encrypted in the macOS Keychain using a per-device AES-256 key.
+ * No user prompts required - fully automatic and secure.
+ */
+const SERVICE_PREFIX = "com.agentuity.cli";
+const KEY_ACCOUNT = "aes-encryption-key";
+/**
+ * Check if we're running on macOS
+ */
+export function isMacOS() {
+    return process.platform === 'darwin';
+}
+/**
+ * Get or create an AES encryption key stored in the macOS Keychain
+ */
+async function ensureEncryptionKey(service) {
+    // Try to read existing key
+    const find = Bun.spawn(['security', 'find-generic-password', '-s', service, '-a', KEY_ACCOUNT, '-w'], { stderr: 'ignore' });
+    const stdout = await new Response(find.stdout).text();
+    if (stdout.length > 0) {
+        const b64 = stdout.trim();
+        return Uint8Array.from(Buffer.from(b64, 'base64'));
+    }
+    // Create a new 32-byte (256-bit) AES key
+    const key = crypto.getRandomValues(new Uint8Array(32));
+    const b64 = Buffer.from(key).toString('base64');
+    // Store in macOS Keychain (no user prompts with -U flag)
+    const add = Bun.spawn([
+        'security',
+        'add-generic-password',
+        '-s',
+        service,
+        '-a',
+        KEY_ACCOUNT,
+        '-w',
+        b64,
+        '-U', // Update without user confirmation
+    ]);
+    await add.exited;
+    return key;
+}
+/**
+ * Encrypt data using AES-256-GCM
+ */
+async function encrypt(data, keyBytes) {
+    const key = await crypto.subtle.importKey('raw', keyBytes, 'AES-GCM', false, ['encrypt']);
+    const iv = crypto.getRandomValues(new Uint8Array(12));
+    const plaintext = new TextEncoder().encode(data);
+    const ciphertext = new Uint8Array(await crypto.subtle.encrypt({ name: 'AES-GCM', iv }, key, plaintext));
+    // Combine IV + ciphertext
+    const combined = new Uint8Array(iv.length + ciphertext.length);
+    combined.set(iv, 0);
+    combined.set(ciphertext, iv.length);
+    return combined;
+}
+/**
+ * Decrypt data using AES-256-GCM
+ */
+async function decrypt(combined, keyBytes) {
+    const key = await crypto.subtle.importKey('raw', keyBytes, 'AES-GCM', false, ['decrypt']);
+    const iv = combined.slice(0, 12);
+    const ciphertext = combined.slice(12);
+    const plaintext = await crypto.subtle.decrypt({ name: 'AES-GCM', iv }, key, ciphertext);
+    return new TextDecoder().decode(plaintext);
+}
+/**
+ * Store auth data in macOS Keychain
+ */
+export async function saveAuthToKeychain(profileName, authData) {
+    const service = `${SERVICE_PREFIX}.${profileName}`;
+    const account = 'auth-token';
+    // Get or create encryption key
+    const key = await ensureEncryptionKey(service);
+    // Encrypt the auth data
+    const json = JSON.stringify(authData);
+    const encrypted = await encrypt(json, key);
+    const b64 = Buffer.from(encrypted).toString('base64');
+    // Store encrypted auth in keychain
+    // First try to delete if exists, then add
+    const del = Bun.spawn(['security', 'delete-generic-password', '-s', service, '-a', account], { stderr: 'ignore' });
+    await del.exited;
+    const add = Bun.spawn([
+        'security',
+        'add-generic-password',
+        '-s',
+        service,
+        '-a',
+        account,
+        '-w',
+        b64,
+        '-U',
+    ]);
+    await add.exited;
+}
+/**
+ * Retrieve auth data from macOS Keychain
+ */
+export async function getAuthFromKeychain(profileName) {
+    const service = `${SERVICE_PREFIX}.${profileName}`;
+    const account = 'auth-token';
+    try {
+        // Get the encrypted auth data
+        const find = Bun.spawn(['security', 'find-generic-password', '-s', service, '-a', account, '-w'], { stderr: 'ignore' });
+        const stdout = await new Response(find.stdout).text();
+        if (stdout.length === 0) {
+            return null;
+        }
+        const b64 = stdout.trim();
+        const encrypted = Uint8Array.from(Buffer.from(b64, 'base64'));
+        // Get the encryption key
+        const key = await ensureEncryptionKey(service);
+        // Decrypt the auth data
+        const json = await decrypt(encrypted, key);
+        return JSON.parse(json);
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Delete auth data from macOS Keychain
+ */
+export async function deleteAuthFromKeychain(profileName) {
+    const service = `${SERVICE_PREFIX}.${profileName}`;
+    const account = 'auth-token';
+    const del = Bun.spawn(['security', 'delete-generic-password', '-s', service, '-a', account], { stderr: 'ignore' });
+    await del.exited;
+}
+//# sourceMappingURL=keychain.js.map

package/dist/keychain.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keychain.js","sourceRoot":"","sources":["../src/keychain.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,MAAM,cAAc,GAAG,mBAAmB,CAAC;AAC3C,MAAM,WAAW,GAAG,oBAAoB,CAAC;AAEzC;;GAEG;AACH,MAAM,UAAU,OAAO;IACtB,OAAO,OAAO,CAAC,QAAQ,KAAK,QAAQ,CAAC;AACtC,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,mBAAmB,CAAC,OAAe;IACjD,2BAA2B;IAC3B,MAAM,IAAI,GAAG,GAAG,CAAC,KAAK,CACrB,CAAC,UAAU,EAAE,uBAAuB,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,CAAC,EAC7E,EAAE,MAAM,EAAE,QAAQ,EAAE,CACpB,CAAC;IAEF,MAAM,MAAM,GAAG,MAAM,IAAI,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;IAEtD,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvB,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;QAC1B,OAAO,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC,CAAC;IACpD,CAAC;IAED,yCAAyC;IACzC,MAAM,GAAG,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC;IACvD,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAEhD,yDAAyD;IACzD,MAAM,GAAG,GAAG,GAAG,CAAC,KAAK,CAAC;QACrB,UAAU;QACV,sBAAsB;QACtB,IAAI;QACJ,OAAO;QACP,IAAI;QACJ,WAAW;QACX,IAAI;QACJ,GAAG;QACH,IAAI,EAAE,mCAAmC;KACzC,CAAC,CAAC;IACH,MAAM,GAAG,CAAC,MAAM,CAAC;IAEjB,OAAO,GAAG,CAAC;AACZ,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,OAAO,CAAC,IAAY,EAAE,QAAoB;IACxD,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC;IAE1F,MAAM,EAAE,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC;IACtD,MAAM,SAAS,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAEjD,MAAM,UAAU,GAAG,IAAI,UAAU,CAChC,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,EAAE,GAAG,EAAE,SAAS,CAAC,CACpE,CAAC;IAEF,0BAA0B;IAC1B,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;IAC/D,QAAQ,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;IACpB,QAAQ,CAAC,GAAG,CAAC,UAAU,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC;IAEpC,OAAO,QAAQ,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,OAAO,CAAC,QAAoB,EAAE,QAAoB;IAChE,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC;IAE1F,MAAM,EAAE,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACjC,MAAM,UAAU,GAAG,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAEtC,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,EAAE,GAAG,EAAE,UAAU,CAAC,CAAC;IAExF,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;AAC5C,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACvC,WAAmB,EACnB,QAA+D;IAE/D,MAAM,OAAO,GAAG,GAAG,cAAc,IAAI,WAAW,EAAE,CAAC;IACnD,MAAM,OAAO,GAAG,YAAY,CAAC;IAE7B,+BAA+B;IAC/B,MAAM,GAAG,GAAG,MAAM,mBAAmB,CAAC,OAAO,CAAC,CAAC;IAE/C,wBAAwB;IACxB,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;IACtC,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAC3C,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAEtD,mCAAmC;IACnC,0CAA0C;IAC1C,MAAM,GAAG,GAAG,GAAG,CAAC,KAAK,CACpB,CAAC,UAAU,EAAE,yBAAyB,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,CAAC,EACrE,EAAE,MAAM,EAAE,QAAQ,EAAE,CACpB,CAAC;IACF,MAAM,GAAG,CAAC,MAAM,CAAC;IAEjB,MAAM,GAAG,GAAG,GAAG,CAAC,KAAK,CAAC;QACrB,UAAU;QACV,sBAAsB;QACtB,IAAI;QACJ,OAAO;QACP,IAAI;QACJ,OAAO;QACP,IAAI;QACJ,GAAG;QACH,IAAI;KACJ,CAAC,CAAC;IACH,MAAM,GAAG,CAAC,MAAM,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACxC,WAAmB;IAEnB,MAAM,OAAO,GAAG,GAAG,cAAc,IAAI,WAAW,EAAE,CAAC;IACnD,MAAM,OAAO,GAAG,YAAY,CAAC;IAE7B,IAAI,CAAC;QACJ,8BAA8B;QAC9B,MAAM,IAAI,GAAG,GAAG,CAAC,KAAK,CACrB,CAAC,UAAU,EAAE,uBAAuB,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,EACzE,EAAE,MAAM,EAAE,QAAQ,EAAE,CACpB,CAAC;QAEF,MAAM,MAAM,GAAG,MAAM,IAAI,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;QACtD,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACzB,OAAO,IAAI,CAAC;QACb,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;QAC1B,MAAM,SAAS,GAAG,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC,CAAC;QAE9D,yBAAyB;QACzB,MAAM,GAAG,GAAG,MAAM,mBAAmB,CAAC,OAAO,CAAC,CAAC;QAE/C,wBAAwB;QACxB,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACzB,CAAC;IAAC,MAAM,CAAC;QACR,OAAO,IAAI,CAAC;IACb,CAAC;AACF,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAAC,WAAmB;IAC/D,MAAM,OAAO,GAAG,GAAG,cAAc,IAAI,WAAW,EAAE,CAAC;IACnD,MAAM,OAAO,GAAG,YAAY,CAAC;IAE7B,MAAM,GAAG,GAAG,GAAG,CAAC,KAAK,CACpB,CAAC,UAAU,EAAE,yBAAyB,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,CAAC,EACrE,EAAE,MAAM,EAAE,QAAQ,EAAE,CACpB,CAAC;IACF,MAAM,GAAG,CAAC,MAAM,CAAC;AAClB,CAAC"}

package/dist/utils/detectSubagent.d.ts

@@ -1,7 +1,7 @@
 /**
  * Detects if a file path represents a subagent based on path structure.
  *
- * Subagents follow the pattern: agents/parent/child/agent.ts or agents/parent/child/route.ts
+ * Subagents follow the pattern: agent/parent/child/agent.ts or agent/parent/child/route.ts
  * The path structure is currently hardcoded to 4 segments but could be made configurable later.
  *
  * @param filePath - The file path to analyze (can include leading './')

package/dist/utils/detectSubagent.js

@@ -1,7 +1,7 @@
 /**
  * Detects if a file path represents a subagent based on path structure.
  *
- * Subagents follow the pattern: agents/parent/child/agent.ts or agents/parent/child/route.ts
+ * Subagents follow the pattern: agent/parent/child/agent.ts or agent/parent/child/route.ts
  * The path structure is currently hardcoded to 4 segments but could be made configurable later.
  *
  * @param filePath - The file path to analyze (can include leading './')
@@ -16,9 +16,9 @@ export function detectSubagent(filePath, srcDir) {
     }
     // Strip leading './' and split into parts, filtering out empty segments
     const pathParts = normalizedPath.replace(/^\.\//, '').split('/').filter(Boolean);
-    // Path structure assumption: ['agents', 'parent', 'child', 'agent.ts' | 'route.ts' | 'route']
+    // Path structure assumption: ['agent', 'parent', 'child', 'agent.ts' | 'route.ts' | 'route']
     // Currently hardcoded to 4 segments - consider making configurable in the future
-    const isSubagent = pathParts.length === 4 && pathParts[0] === 'agents';
+    const isSubagent = pathParts.length === 4 && pathParts[0] === 'agent';
     const parentName = isSubagent ? pathParts[1] : null;
     return { isSubagent, parentName };
 }

package/dist/utils/detectSubagent.js.map

@@ -1 +1 @@
-{"version":3,"file":"detectSubagent.js","sourceRoot":"","sources":["../../src/utils/detectSubagent.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,MAAM,UAAU,cAAc,CAC7B,QAAgB,EAChB,MAAe;IAEf,IAAI,cAAc,GAAG,QAAQ,CAAC;IAE9B,2BAA2B;IAC3B,IAAI,MAAM,IAAI,cAAc,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QACjD,cAAc,GAAG,cAAc,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACrD,CAAC;IAED,wEAAwE;IACxE,MAAM,SAAS,GAAG,cAAc,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAEjF,8FAA8F;IAC9F,iFAAiF;IACjF,MAAM,UAAU,GAAG,SAAS,CAAC,MAAM,KAAK,CAAC,IAAI,SAAS,CAAC,CAAC,CAAC,KAAK,QAAQ,CAAC;IACvE,MAAM,UAAU,GAAG,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAEpD,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,CAAC;AACnC,CAAC"}
+{"version":3,"file":"detectSubagent.js","sourceRoot":"","sources":["../../src/utils/detectSubagent.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,MAAM,UAAU,cAAc,CAC7B,QAAgB,EAChB,MAAe;IAEf,IAAI,cAAc,GAAG,QAAQ,CAAC;IAE9B,2BAA2B;IAC3B,IAAI,MAAM,IAAI,cAAc,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QACjD,cAAc,GAAG,cAAc,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACrD,CAAC;IAED,wEAAwE;IACxE,MAAM,SAAS,GAAG,cAAc,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAEjF,6FAA6F;IAC7F,iFAAiF;IACjF,MAAM,UAAU,GAAG,SAAS,CAAC,MAAM,KAAK,CAAC,IAAI,SAAS,CAAC,CAAC,CAAC,KAAK,OAAO,CAAC;IACtE,MAAM,UAAU,GAAG,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAEpD,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,CAAC;AACnC,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@agentuity/cli",
-	"version": "0.0.67",
+	"version": "0.0.68",
 	"license": "Apache-2.0",
 	"author": "Agentuity employees and contributors",
 	"type": "module",
@@ -35,8 +35,8 @@
 		"prepublishOnly": "bun run clean && bun run build"
 	},
 	"dependencies": {
-		"@agentuity/core": "0.0.67",
-		"@agentuity/server": "0.0.67",
+		"@agentuity/core": "0.0.68",
+		"@agentuity/server": "0.0.68",
 		"@datasert/cronjs-parser": "^1.4.0",
 		"@terascope/fetch-github-release": "^2.2.1",
 		"acorn-loose": "^8.5.2",

package/src/cmd/ai/prompt/agent.ts

@@ -27,7 +27,7 @@ Each agent folder must contain:
 
 Example structure:
 \`\`\`
-src/agents/
+src/agent/
 ├── hello/
 │   ├── agent.ts
 │   └── route.ts
@@ -211,7 +211,7 @@ Agents can have subagents organized one level deep. This is useful for grouping
 ### Directory Structure for Subagents
 
 \`\`\`
-src/agents/
+src/agent/
 └── team/              # Parent agent
     ├── agent.ts       # Parent agent
     ├── route.ts       # Parent routes

package/src/cmd/ai/prompt/api.ts

@@ -26,7 +26,7 @@ Each API folder must contain:
 
 Example structure:
 \`\`\`
-src/apis/
+src/web/
 ├── status/
 │   └── route.ts
 ├── users/

package/src/cmd/build/ast.ts

@@ -928,14 +928,14 @@ export async function parseRoute(
 
 	// Detect if this is a subagent route and build proper path
 	const relativePath = relative(rootDir, dir)
-		.replace(/^src\/agents\//, '')
-		.replace(/^src\/apis\//, '');
+		.replace(/^src\/agent\//, '')
+		.replace(/^src\/web\//, '');
 	const pathParts = relativePath.split('/').filter(Boolean);
-	const isSubagent = pathParts.length === 2 && filename.includes('src/agents');
+	const isSubagent = pathParts.length === 2 && filename.includes('src/agent');
 	const routeName = isSubagent ? pathParts.join('/') : name;
 
 	const routes: RouteDefinition = [];
-	const routePrefix = filename.includes('src/agents') ? '/agent' : '/api';
+	const routePrefix = filename.includes('src/agent') ? '/agent' : '/api';
 
 	try {
 		for (const body of ast.body) {

package/src/cmd/build/bundler.ts

@@ -85,10 +85,10 @@ export async function bundle({
 
 	const appEntrypoints: string[] = [];
 
-	for (const folder of ['apis', 'agents']) {
+	for (const folder of ['web', 'agent']) {
 		const dir = join(srcDir, folder);
 		if (!existsSync(dir)) {
-			if (folder === 'agents') {
+			if (folder === 'agent') {
 				throw new AgentsDirNotFoundError({ message: `Expected directory not found: ${dir}` });
 			}
 			continue;

package/src/cmd/build/plugin.ts

@@ -142,7 +142,7 @@ function generateAgentRegistry(srcDir: string, agentInfo: Array<Record<string, s
 		.map(({ name, path, parent }) => {
 			const fullName = parent ? `${parent}.${name}` : name;
 			const camelName = toCamelCase(fullName.replace('.', '_'));
-			const relativePath = path.replace(/^\.\/agents\//, './');
+			const relativePath = path.replace(/^\.\/agent\//, './');
 			return `import ${camelName}Agent from '${relativePath}';`;
 		})
 		.join('\n');
@@ -340,11 +340,11 @@ ${reactAgentTypes}
 }
 `;
 
-	const agentsDir = join(srcDir, 'agents');
+	const agentsDir = join(srcDir, 'agent');
 	const registryPath = join(agentsDir, 'registry.generated.ts');
 	const legacyTypesPath = join(agentsDir, 'types.generated.d.ts');
 
-	// Ensure agents directory exists
+	// Ensure agent directory exists
 	if (!existsSync(agentsDir)) {
 		mkdirSync(agentsDir, { recursive: true });
 	}
@@ -435,7 +435,7 @@ const AgentuityBundler: BunPlugin = {
 				newsource = ns;
 
 				// Detect if this is a subagent by checking path structure
-				// Note: Path structure assumption - 4 segments: agents/parent/child/agent.ts
+				// Note: Path structure assumption - 4 segments: agent/parent/child/agent.ts
 				const { isSubagent, parentName } = detectSubagent(args.path, srcDir);
 				if (isSubagent && parentName) {
 					md.set('parent', parentName);
@@ -521,14 +521,11 @@ const AgentuityBundler: BunPlugin = {
 
 					const agentPath = route
 						.replace(/\/route$/, '/*')
-						.replace('/agents', '/agent')
 						.replace('./', '/');
 					const routePath = route
 						.replace(/\/route$/, '')
-						.replace('/apis/', '/api/')
-						.replace('/apis', '/api')
-						.replace('/agents', '/agent')
-						.replace('/agents', '/agent')
+						.replace('/web/', '/api/')
+						.replace('/web', '/api')
 						.replace('./', '/');
 
 					const definitions = await parseRoute(
@@ -575,7 +572,7 @@ const AgentuityBundler: BunPlugin = {
 					if (hasAgent) {
 						const agentRegistrationName =
 							isSubagent && parentName ? `${parentName}.${name}` : name;
-						// Build evals path from agent path (e.g., 'agents/eval/agent' -> 'agents/eval/eval.ts')
+						// Build evals path from agent path (e.g., 'agent/eval/agent' -> 'agent/eval/eval.ts')
 						const agentDirPath = agent.replace(/\/agent$/, '');
 						const evalsPath = join(srcDir, agentDirPath, 'eval.ts');
 						const evalsImport = existsSync(evalsPath)
@@ -694,7 +691,7 @@ import { readFileSync, existsSync } from 'node:fs';
 							: join(rootDir, filename);
 
 						// Convert to path relative to srcDir like route-based agents
-						// e.g., /path/to/src/agents/lifecycle/agent.ts -> ./agents/lifecycle/agent
+						// e.g., /path/to/src/agent/lifecycle/agent.ts -> ./agent/lifecycle/agent
 						const agentPath = absolutePath.replace(srcDir, '.').replace('.ts', '');
 
 						// Extract folder name as agent name (same as route-based logic)

package/src/cmd/dev/index.ts

@@ -1002,10 +1002,10 @@ export const command = createCommand({
 						statSync(absPath).isDirectory() &&
 						readdirSync(absPath).length === 0
 					) {
-						if (changedFile?.startsWith('src/agents/')) {
+						if (changedFile?.startsWith('src/agent/')) {
 							logger.debug('agent directory created: %s', changedFile);
 							createAgentTemplates(absPath);
-						} else if (changedFile?.startsWith('src/apis/')) {
+						} else if (changedFile?.startsWith('src/web/')) {
 							logger.debug('api directory created: %s', changedFile);
 							createAPITemplates(absPath);
 						}

package/src/cmd/project/download.ts

@@ -281,22 +281,22 @@ export async function setupProject(options: SetupOptions): Promise<void> {
 	}
 
 	// generate and write AGENTS.md for each of the main folders
-	const agentsDir = join(dest, 'src', 'agents');
-	if (existsSync(agentsDir)) {
-		const agentsAPIFile = join(agentsDir, 'AGENTS.md');
-		await Bun.write(agentsAPIFile, generateAgentPrompt());
+	const agentDir = join(dest, 'src', 'agent');
+	if (existsSync(agentDir)) {
+		const agentAPIFile = join(agentDir, 'AGENTS.md');
+		await Bun.write(agentAPIFile, generateAgentPrompt());
 	}
 
-	const apisDir = join(dest, 'src', 'apis');
-	if (existsSync(apisDir)) {
-		const agentsAPIsFile = join(apisDir, 'AGENTS.md');
-		await Bun.write(agentsAPIsFile, generateAPIPrompt());
+	const apiDir = join(dest, 'src', 'api');
+	if (existsSync(apiDir)) {
+		const agentAPIFile = join(apiDir, 'AGENTS.md');
+		await Bun.write(agentAPIFile, generateAPIPrompt());
 	}
 
 	const webDir = join(dest, 'src', 'web');
 	if (existsSync(webDir)) {
-		const agentsWebFile = join(webDir, 'AGENTS.md');
-		await Bun.write(agentsWebFile, generateWebPrompt());
+		const webFile = join(webDir, 'AGENTS.md');
+		await Bun.write(webFile, generateWebPrompt());
 	}
 }
 

package/src/config.ts

@@ -15,6 +15,12 @@ import JSON5 from 'json5';
 import type { Config, Profile, AuthData } from './types';
 import { ConfigSchema, ProjectSchema } from './types';
 import * as tui from './tui';
+import {
+	isMacOS,
+	saveAuthToKeychain,
+	getAuthFromKeychain,
+	deleteAuthFromKeychain,
+} from './keychain';
 
 export const defaultProfileName = 'production';
 
@@ -233,11 +239,7 @@ export async function saveConfig(config: Config, customPath?: string): Promise<v
 	const configPath = customPath || (await getProfile());
 	await ensureConfigDir();
 
-	// Strip auth from config before saving (never store auth in config file)
-	const configToSave = { ...config };
-	delete configToSave.auth;
-
-	const content = formatYAML(configToSave);
+	const content = formatYAML(config);
 	await writeFile(configPath, content + '\n', { mode: 0o600 });
 	// Ensure existing files get correct permissions on upgrade
 	await chmod(configPath, 0o600);
@@ -264,47 +266,45 @@ export async function saveAuth(auth: AuthData): Promise<void> {
 		expires: auth.expires.getTime(),
 	};
 
-	// Try to store in Bun secrets API
-	try {
-		await Bun.secrets.set({
-			service: `agentuity.cli.${profileName}`,
-			name: 'auth',
-			value: JSON.stringify(authData),
-		});
-
-		// Successfully stored in secrets, ensure auth is removed from config file
-		if (config.auth) {
-			delete config.auth;
-			await saveConfig(config);
+	// On macOS, store in Keychain for better security
+	if (isMacOS()) {
+		try {
+			await saveAuthToKeychain(profileName, authData);
+			
+			// Successfully stored in keychain, remove from config if present
+			if (config.auth) {
+				delete config.auth;
+				await saveConfig(config);
+			}
+			return;
+		} catch (error) {
+			// Keychain failed, fall back to config file
+			console.warn('Failed to store auth in keychain, falling back to config file:', error);
 		}
-	} catch {
-		// Bun.secrets API not available or failed, fallback to config file
-		config.auth = authData;
-		config.preferences = config.preferences || {};
-		(config.preferences as Record<string, unknown>).orgId = '';
-
-		// Save with auth in config as fallback (saveConfig will try to strip it but we're setting it here)
-		const configPath = await getProfile();
-		await ensureConfigDir();
-		const content = formatYAML(config);
-		await writeFile(configPath, content + '\n', { mode: 0o600 });
-		await chmod(configPath, 0o600);
-		cachedConfig = config;
 	}
+
+	// Store in config file (non-macOS or keychain failed)
+	config.auth = authData;
+	config.preferences = config.preferences || {};
+	(config.preferences as Record<string, unknown>).orgId = '';
+
+	await saveConfig(config);
 }
 
 export async function clearAuth(): Promise<void> {
 	const config = await getOrInitConfig();
 	const profileName = config.name || defaultProfileName;
 
-	// Try to delete from Bun secrets API
-	try {
-		await Bun.secrets.delete({ service: `agentuity.cli.${profileName}`, name: 'auth' });
-	} catch {
-		// Bun.secrets API not available or failed
+	// On macOS, clear from Keychain
+	if (isMacOS()) {
+		try {
+			await deleteAuthFromKeychain(profileName);
+		} catch {
+			// Ignore errors - keychain entry may not exist
+		}
 	}
 
-	// Clear auth from config file (for backwards compatibility)
+	// Also clear from config file (for backwards compatibility)
 	if (config.auth) {
 		delete config.auth;
 		config.preferences = config.preferences || {};
@@ -328,59 +328,12 @@ export async function saveOrgId(orgId: string): Promise<void> {
 	await saveConfig(config);
 }
 
-async function migrateAuthToSecrets(
-	config: Config,
-	profileName: string,
-	auth: { api_key: string; user_id: string; expires: number }
-): Promise<boolean> {
-	try {
-		const authData = {
-			api_key: auth.api_key,
-			user_id: auth.user_id,
-			expires: auth.expires,
-		};
-
-		await Bun.secrets.set({
-			service: `agentuity.cli.${profileName}`,
-			name: 'auth',
-			value: JSON.stringify(authData),
-		});
-
-		// Successfully migrated, remove from config file
-		delete config.auth;
-		await saveConfig(config);
-
-		return true;
-	} catch {
-		// Migration failed, leave in config file
-		return false;
-	}
-}
 
 export async function getAuth(): Promise<AuthData | null> {
 	const config = await loadConfig();
 	const profileName = config?.name || defaultProfileName;
 
-	// Priority 1: Try Bun secrets API first (most secure)
-	try {
-		const authJson = await Bun.secrets.get({
-			service: `agentuity.cli.${profileName}`,
-			name: 'auth',
-		});
-
-		if (authJson) {
-			const auth = JSON.parse(authJson) as { api_key: string; user_id: string; expires: number };
-			return {
-				apiKey: auth.api_key,
-				userId: auth.user_id,
-				expires: new Date(auth.expires),
-			};
-		}
-	} catch {
-		// Bun.secrets API not available or failed, fallback to other methods
-	}
-
-	// Priority 2: Allow automated login from environment variables
+	// Priority 1: Allow automated login from environment variables
 	if (process.env.AGENTUITY_CLI_API_KEY && process.env.AGENTUITY_USER_ID) {
 		return {
 			apiKey: process.env.AGENTUITY_CLI_API_KEY,
@@ -389,7 +342,23 @@ export async function getAuth(): Promise<AuthData | null> {
 		};
 	}
 
-	// Priority 3: Fallback to config file (backwards compatibility + migration)
+	// Priority 2: On macOS, try to read from Keychain
+	if (isMacOS()) {
+		try {
+			const keychainAuth = await getAuthFromKeychain(profileName);
+			if (keychainAuth) {
+				return {
+					apiKey: keychainAuth.api_key,
+					userId: keychainAuth.user_id,
+					expires: new Date(keychainAuth.expires),
+				};
+			}
+		} catch {
+			// Keychain read failed, fall through to config file
+		}
+	}
+
+	// Priority 3: Read from config file (non-macOS or keychain failed)
 	if (!config) return null;
 	const auth = config.auth as { api_key?: string; user_id?: string; expires?: number } | undefined;
 
@@ -397,18 +366,7 @@ export async function getAuth(): Promise<AuthData | null> {
 		return null;
 	}
 
-	// Check if token is unexpired
 	const expiresDate = new Date(auth.expires || 0);
-	const isExpired = expiresDate.getTime() <= Date.now();
-
-	// If unexpired, attempt to migrate to Bun.secrets
-	if (!isExpired) {
-		await migrateAuthToSecrets(config, profileName, {
-			api_key: auth.api_key,
-			user_id: auth.user_id,
-			expires: auth.expires || 0,
-		});
-	}
 
 	return {
 		apiKey: auth.api_key,