@anna-ai/cli 0.1.4 → 0.1.11

package/README.md

@@ -48,17 +48,62 @@ Layered fail-fast checks: JSON Schema → `ui` static → cross-file `tool_id`
 linter (with Levenshtein-1 typo detection) → `--strict` host_api ACL grep
 of bundle JS/TS.
 
-### `anna-app dev [--manifest …] [--bundle …] [--port 5180] [--matrix-nexus-root <path>]`
+### `anna-app dev [--manifest …] [--bundle …] [--port 5180] [--matrix-nexus-root <path>] [--executa <spec>…]`
 
 Boots the local harness:
 
 - Spawns the Python `anna-app-bridge` (production dispatcher reused via
   `WindowStoreProtocol`).
 - Serves a mock dashboard at `http://localhost:<port>/`.
-- Auto-discovers `<manifest-dir>/executas/<name>/pyproject.toml` and
-  registers them in the in-process `ExecutaPool`.
+- Auto-discovers `<manifest-dir>/executas/<name>/` plugins (Python /
+  Node.js / Go / pre-built binary) and registers them in the in-process
+  `ExecutaPool`. See "Multi-language executas" below.
 - Hot-reloads the bundle on disk changes (use `--no-watch` to disable).
 
+#### Multi-language executas
+
+Each subdirectory of `<manifest-dir>/executas/` is launched according to
+the first sentinel that matches:
+
+| # | Sentinel                | Type     | Default launch                                                |
+| - | ----------------------- | -------- | ------------------------------------------------------------- |
+| 0 | `executa.json`          | (any)    | `command` field, else type-specific default below             |
+| 1 | `pyproject.toml`        | `python` | `uv run --project <dir> <tool_id>`                            |
+| 2 | `package.json`          | `node`   | `node <bin[tool_id] \| bin \| main \| module>`                |
+| 3 | `go.mod` (alone)        | `go`     | requires `executa.json` declaring `type: "go"`                |
+| 4 | `bin/<dirname>` exec    | `binary` | runs the executable directly                                  |
+
+`executa.json` (recommended for clarity, required for Go and pre-built
+binary tools):
+
+```jsonc
+{
+  "tool_id": "tool-yourhandle-foo-abcd1234",
+  "type":    "python" | "node" | "go" | "binary",
+  "command": ["…"],          // optional; full override of type defaults
+  "enabled": true             // optional; default true. Set false to skip
+                              // (useful when shipping multiple language
+                              // flavours of the same tool_id).
+}
+```
+
+The `--executa <spec>` flag (repeatable) registers an out-of-tree
+executa, or fully overrides auto-discovery for the run. Spec syntax:
+
+```bash
+# Auto-detect from the dir (same rules as in-tree discovery):
+anna-app dev --executa dir=./vendor/external-tool
+
+# Force type when there's no executa.json:
+anna-app dev --executa dir=./executas/foo,type=go
+
+# Fully explicit:
+anna-app dev --executa dir=./executas/foo,tool_id=tool-h-foo-12345678,command="node plugin.js"
+```
+
+For the full discovery / `executa.json` reference, see
+[`anna-executa-examples/docs/multi-language-anna-apps.md`](https://github.com/openclaw/anna-executa-examples/blob/main/docs/multi-language-anna-apps.md).
+
 Two runtime modes (auto-selected):
 
 | Mode | When | Command |
@@ -130,6 +175,22 @@ public npm package [`@anna-ai/app-runtime`](https://www.npmjs.com/package/@anna-
 which is declared as a normal dependency. No vendored copy, no sync
 step.
 
+## Persistent storage (APS)
+
+Anna 1.2+ exposes a per-user JSON-RPC storage surface under the
+`storage/*` namespace. Plugins authored with this CLI can opt in by:
+
+1. Declaring `storage.user` (or `.app`/`.tool`) in the manifest's
+   `host_capabilities` array.
+2. Negotiating `client_capabilities.storage = {}` during `initialize`.
+3. Asking the user to grant storage in the Anna admin panel.
+
+See the protocol & best-practice guide at
+[anna-executa-examples/docs/persistent-storage.md](https://github.com/openclaw/anna-executa-examples/blob/main/docs/persistent-storage.md)
+for wire format, error codes, and a worked OCR-cache example. The
+local `dev` harness mocks APS by default so end-to-end tests do not
+need network access.
+
 ## Roadmap
 
 | Phase | Status | Scope |

package/dist/{bridge-BDBECvV1.js → bridge-BIO7ilgO.js}

@@ -1,3 +1,3 @@
-import { PINNED_RUNTIME_VERSION, PythonBridge } from "./bridge-CBcQUQGU.js";
+import { PINNED_RUNTIME_VERSION, PythonBridge } from "./bridge-Cpm3D2Wk.js";
 
 export { PINNED_RUNTIME_VERSION, PythonBridge };

package/dist/{bridge-CBcQUQGU.js → bridge-Cpm3D2Wk.js}

@@ -9,7 +9,7 @@ import { createInterface } from "node:readline";
 * `uvx <pkg>@<version>` so end users always run the dispatcher version
 * the CLI was tested against.
 */
-const PINNED_RUNTIME_VERSION = "0.2.0a1";
+const PINNED_RUNTIME_VERSION = "0.2.0a2";
 var PythonBridge = class {
 	proc = null;
 	nextId = 1;

package/dist/cli.js

@@ -1,9 +1,12 @@
 #!/usr/bin/env node
+import { dirname, extname, join, relative, resolve } from "node:path";
+import { createRequire } from "node:module";
 import { Command } from "commander";
 import { cpSync, existsSync, mkdirSync, readFileSync, readdirSync, statSync, writeFileSync } from "node:fs";
-import { dirname, join, resolve } from "node:path";
 import { fileURLToPath } from "node:url";
 import kleur from "kleur";
+import Ajv from "ajv/dist/2020.js";
+import addFormats from "ajv-formats";
 
 //#region src/commands/init.ts
 const here = dirname(fileURLToPath(import.meta.url));
@@ -13,13 +16,14 @@ function templateRoot(template) {
 }
 function substitute(content, slug) {
 	const toolId = `tool-dev-${slug}`;
-	return content.replace(/__SLUG__/g, slug).replace(/__TOOL_ID__/g, toolId);
+	const slugPy = slug.replace(/-/g, "_");
+	return content.replace(/__SLUG_PY__/g, slugPy).replace(/__SLUG__/g, slug).replace(/__TOOL_ID__/g, toolId);
 }
 function copyDirWithSubst(src, dst, slug) {
 	mkdirSync(dst, { recursive: true });
 	for (const entry of readdirSync(src, { withFileTypes: true })) {
 		const s = join(src, entry.name);
-		const d = join(dst, entry.name);
+		const d = join(dst, substitute(entry.name, slug));
 		if (entry.isDirectory()) copyDirWithSubst(s, d, slug);
 		else if (entry.isFile()) {
 			const stat = statSync(s);
@@ -54,10 +58,371 @@ function runInit(opts) {
 	return 0;
 }
 
+//#endregion
+//#region src/schema-bundle.ts
+function resolveSchemaDir() {
+	if (process.env.ANNA_APP_SCHEMA_DIR) return process.env.ANNA_APP_SCHEMA_DIR;
+	const req = createRequire(import.meta.url);
+	const methodsAbs = req.resolve("@anna-ai/app-schema/methods");
+	return resolve(dirname(methodsAbs), "..");
+}
+function loadSchemaBundle() {
+	let dir;
+	try {
+		dir = resolveSchemaDir();
+	} catch (e) {
+		throw new Error(`Could not locate @anna-ai/app-schema: ${e.message}\nRun \`pnpm install\` (or set ANNA_APP_SCHEMA_DIR to a local checkout).`);
+	}
+	if (!existsSync(resolve(dir, "dispatcher_version.txt"))) throw new Error(`@anna-ai/app-schema bundle is missing expected files at ${dir}`);
+	const read = (rel) => readFileSync(resolve(dir, rel), "utf-8");
+	const readJson = (rel) => JSON.parse(read(rel));
+	const dispatcherVersion = read("dispatcher_version.txt").trim();
+	const appManifestSchema = readJson("manifest/AppManifest.json");
+	const uiSectionSchema = readJson("manifest/UiManifestSection.json");
+	const methodsTable = readJson("host_api/methods.json");
+	const eventsSchema = readJson("events/AnnaAppEvent.json");
+	return {
+		dir,
+		dispatcherVersion,
+		appManifestSchema,
+		uiSectionSchema,
+		methods: methodsTable.methods,
+		events: eventsSchema.properties.kind.enum
+	};
+}
+
+//#endregion
+//#region src/validate/manifest-schema.ts
+function validateManifestSchema(bundle, manifest) {
+	const ajv = new Ajv({
+		allErrors: true,
+		strict: false
+	});
+	addFormats(ajv);
+	const validate = ajv.compile(bundle.appManifestSchema);
+	const ok = validate(manifest);
+	if (ok) return [];
+	return (validate.errors ?? []).map((e) => ({
+		path: e.instancePath || "(root)",
+		message: `${e.message ?? "invalid"}${e.params ? " " + JSON.stringify(e.params) : ""}`
+	}));
+}
+const ANNA_CALL_RE = /\banna\.([a-z]+)\.([a-zA-Z_][a-zA-Z0-9_]*)\s*\(/g;
+function scanHostApiCalls(files) {
+	const out = [];
+	for (const f of files) {
+		const lines = f.content.split("\n");
+		for (let i = 0; i < lines.length; i++) {
+			const line = lines[i];
+			ANNA_CALL_RE.lastIndex = 0;
+			let m;
+			while ((m = ANNA_CALL_RE.exec(line)) !== null) out.push({
+				file: f.path,
+				line: i + 1,
+				ns: m[1],
+				method: m[2]
+			});
+		}
+	}
+	return out;
+}
+/**
+* Mirror of `anna_app_runtime_service.host_api_allows` (matrix-nexus).
+* Keep these in sync — divergence here means the CLI lies about what
+* production accepts.
+*/
+function hostApiAllows(manifest, ns, method) {
+	if (!manifest.ui) return false;
+	if (ns === "window") return true;
+	const grants = manifest.ui.host_api ?? {};
+	const methods = grants[ns];
+	if (!methods || methods.length === 0) return false;
+	if (methods.includes("*")) return true;
+	if (methods.includes(method)) return true;
+	if (ns === "tools" && (method === "invoke" || method === "list")) return true;
+	return false;
+}
+function checkHostApiAllowance(usages, manifest, bundleMethods) {
+	const errors = [];
+	const noAuth = new Set(bundleMethods.filter((m) => m.no_auth).map((m) => `${m.namespace}.${m.method}`));
+	const known = new Set(bundleMethods.map((m) => `${m.namespace}.${m.method}`));
+	for (const u of usages) {
+		const fq = `${u.ns}.${u.method}`;
+		if (!known.has(fq)) continue;
+		if (noAuth.has(fq)) continue;
+		if (!hostApiAllows(manifest, u.ns, u.method)) errors.push(`${u.file}:${u.line} calls anna.${fq} but manifest.ui.host_api.${u.ns} does not grant it`);
+	}
+	return errors;
+}
+
+//#endregion
+//#region src/validate/ui-section.ts
+/**
+* Static validation of `manifest.ui` — direct port of
+* `src/services/anna_app_validator.py::validate_ui_section_static` from
+* matrix-nexus. Keep these algorithms byte-equivalent: any divergence here
+* means `anna-app validate` will lie about what production accepts.
+*/
+const VIEW_NAME_PATTERN = /^[a-z0-9_-]{1,40}$/;
+const BUNDLE_PATH_PATTERN = /^[A-Za-z0-9_./\-]+$/;
+const HOST_API_TOOL_REF_PATTERN = /^(?:required:\*|optional:\*|required:[A-Za-z0-9_.\-]+|optional:[A-Za-z0-9_.\-]+|[A-Za-z0-9_.\-]+)$/;
+const CSP_OVERRIDABLE_DIRECTIVES = new Set([
+	"connect-src",
+	"img-src",
+	"media-src",
+	"font-src",
+	"style-src",
+	"script-src"
+]);
+function validateUiSectionStatic(manifest) {
+	const ui = manifest.ui;
+	if (!ui) return [];
+	const errors = [];
+	const bundle = ui.bundle;
+	if (bundle.format && bundle.format !== "static-spa") errors.push(`ui.bundle.format 当前仅支持 'static-spa': ${bundle.format}`);
+	const entry = bundle.entry ?? "";
+	const entryClean = entry.split("#")[0].split("?")[0];
+	if (!BUNDLE_PATH_PATTERN.test(entryClean)) errors.push(`ui.bundle.entry 包含非法字符: ${entry}`);
+	if (entry.includes("..") || entry.includes("\\") || entry.includes("//")) errors.push(`ui.bundle.entry 路径穿越禁止: ${entry}`);
+	for (const origin of bundle.external_origins ?? []) if (!origin.startsWith("https://") || origin.includes("*")) errors.push(`ui.bundle.external_origins 必须为 https:// 前缀且不含 '*': ${origin}`);
+	const views = ui.views ?? [];
+	if (views.length < 1 || views.length > 16) errors.push("ui.views 数量必须在 1..16 之间");
+	const defaults = views.filter((v) => v.default).length;
+	if (defaults > 1) errors.push("ui.views 中只能有一个 default=true");
+	const seen = new Set();
+	for (const v of views) {
+		if (!VIEW_NAME_PATTERN.test(v.name)) errors.push(`非法 view name: ${v.name}`);
+		if (seen.has(v.name)) errors.push(`重复 view name: ${v.name}`);
+		seen.add(v.name);
+		if (v.min_size && v.default_size) {
+			if (v.default_size.w < v.min_size.w || v.default_size.h < v.min_size.h) errors.push(`view '${v.name}' default_size 小于 min_size`);
+		}
+		if (v.max_size && v.default_size) {
+			if (v.default_size.w > v.max_size.w || v.default_size.h > v.max_size.h) errors.push(`view '${v.name}' default_size 大于 max_size`);
+		}
+	}
+	const requiredIds = new Set((manifest.required_executas ?? []).map((r) => r.tool_id));
+	const optionalIds = new Set((manifest.optional_executas ?? []).map((r) => r.tool_id));
+	for (const ref of ui.host_api?.tools ?? []) {
+		if (!HOST_API_TOOL_REF_PATTERN.test(ref)) {
+			errors.push(`host_api.tools 非法引用: ${ref}`);
+			continue;
+		}
+		if (ref === "required:*" || ref === "optional:*") continue;
+		const bare = ref.includes(":") ? ref.split(":", 2)[1] : ref;
+		if (!requiredIds.has(bare) && !optionalIds.has(bare)) errors.push(`host_api.tools 引用未在 manifest 中声明的 tool_id: ${ref}`);
+	}
+	const cspOverrides = ui.csp_overrides ?? {};
+	const badDirectives = Object.keys(cspOverrides).filter((d) => !CSP_OVERRIDABLE_DIRECTIVES.has(d)).sort();
+	if (badDirectives.length) errors.push(`csp_overrides 含不允许的 directive: ${JSON.stringify(badDirectives)}`);
+	for (const d of ["script-src", "style-src"]) for (const v of cspOverrides[d] ?? []) if (v !== "'self'" && !v.startsWith("'sha256-") && !v.startsWith("'nonce-")) errors.push(`csp_overrides[${d}] 仅允许 'self' / 'sha256-...' / 'nonce-...': ${v}`);
+	return errors;
+}
+
+//#endregion
+//#region src/validate/tool-id-linter.ts
+const TOOL_ID_RE = /\b(?:tool|skill)-[a-z0-9][a-z0-9-]{1,80}\b/g;
+const SCAN_EXTENSIONS = new Set([
+	".py",
+	".toml",
+	".json",
+	".js",
+	".ts",
+	".jsx",
+	".tsx",
+	".mjs",
+	".cjs"
+]);
+const SCAN_SKIP_DIRS = new Set([
+	"node_modules",
+	"dist",
+	"build",
+	".git",
+	".venv",
+	"venv",
+	"__pycache__",
+	".pytest_cache",
+	"coverage",
+	"fixtures"
+]);
+function walkAndScan(rootDir, fs) {
+	const occurrences = [];
+	const stack = [rootDir];
+	while (stack.length) {
+		const current = stack.pop();
+		let entries;
+		try {
+			entries = fs.readdirSync(current);
+		} catch {
+			continue;
+		}
+		for (const entry of entries) {
+			const full = join(current, entry.name);
+			if (entry.isDirectory()) {
+				if (entry.name.startsWith(".") && entry.name !== ".github") continue;
+				if (SCAN_SKIP_DIRS.has(entry.name)) continue;
+				stack.push(full);
+			} else if (entry.isFile()) {
+				const ext = extname(entry.name);
+				if (!SCAN_EXTENSIONS.has(ext) && entry.name !== "pyproject.toml") continue;
+				let content;
+				try {
+					const st = statSync(full);
+					if (st.size > 1024 * 1024) continue;
+					content = readFileSync(full, "utf-8");
+				} catch {
+					continue;
+				}
+				const rel = relative(rootDir, full);
+				const lines = content.split("\n");
+				for (let i = 0; i < lines.length; i++) {
+					const line = lines[i];
+					TOOL_ID_RE.lastIndex = 0;
+					let m;
+					while ((m = TOOL_ID_RE.exec(line)) !== null) occurrences.push({
+						file: rel,
+						line: i + 1,
+						toolId: m[0]
+					});
+				}
+			}
+		}
+	}
+	return occurrences;
+}
+function levenshtein(a, b) {
+	if (a === b) return 0;
+	if (!a.length) return b.length;
+	if (!b.length) return a.length;
+	const prev = new Array(b.length + 1);
+	const curr = new Array(b.length + 1);
+	for (let j = 0; j <= b.length; j++) prev[j] = j;
+	for (let i = 1; i <= a.length; i++) {
+		curr[0] = i;
+		for (let j = 1; j <= b.length; j++) {
+			const cost = a[i - 1] === b[j - 1] ? 0 : 1;
+			curr[j] = Math.min(curr[j - 1] + 1, prev[j] + 1, prev[j - 1] + cost);
+		}
+		for (let j = 0; j <= b.length; j++) prev[j] = curr[j];
+	}
+	return prev[b.length];
+}
+function analyzeToolIds(input) {
+	const byId = new Map();
+	for (const o of input.occurrences) {
+		if (!byId.has(o.toolId)) byId.set(o.toolId, []);
+		byId.get(o.toolId).push(o);
+	}
+	const errors = [];
+	const warnings = [];
+	input.declaredManifestIds;
+	const ids = Array.from(byId.keys());
+	for (let i = 0; i < ids.length; i++) for (let j = i + 1; j < ids.length; j++) {
+		const a = ids[i];
+		const b = ids[j];
+		if (Math.abs(a.length - b.length) > 1) continue;
+		if (levenshtein(a, b) > 1) continue;
+		const aLocs = byId.get(a);
+		const bLocs = byId.get(b);
+		const aFiles = new Set(aLocs.map((o) => o.file));
+		const bFiles = new Set(bLocs.map((o) => o.file));
+		const isolated = aFiles.size === 1 || bFiles.size === 1;
+		if (isolated) {
+			const minor = aFiles.size === 1 ? aLocs : bLocs;
+			const major = aFiles.size === 1 ? bLocs : aLocs;
+			errors.push(`Likely typo: "${minor[0].toolId}" (only at ${minor.map((o) => `${o.file}:${o.line}`).join(", ")}) differs by ≤1 char from "${major[0].toolId}" (used in ${major.length} place(s))`);
+		}
+	}
+	return {
+		occurrences: input.occurrences,
+		byId,
+		errors,
+		warnings
+	};
+}
+
+//#endregion
+//#region src/commands/validate.ts
+function readManifest(path) {
+	if (!existsSync(path)) throw new Error(`manifest not found: ${path}`);
+	return JSON.parse(readFileSync(path, "utf-8"));
+}
+function readBundleSources(dir) {
+	if (!existsSync(dir)) return [];
+	const out = [];
+	const stack = [dir];
+	while (stack.length) {
+		const cur = stack.pop();
+		let entries;
+		try {
+			entries = readdirSync(cur, { withFileTypes: true });
+		} catch {
+			continue;
+		}
+		for (const e of entries) {
+			const full = `${cur}/${e.name}`;
+			if (e.isDirectory()) {
+				if (e.name === "node_modules" || e.name.startsWith(".")) continue;
+				stack.push(full);
+			} else if (/\.(js|ts|jsx|tsx|mjs|cjs)$/.test(e.name)) try {
+				out.push({
+					path: full,
+					content: readFileSync(full, "utf-8")
+				});
+			} catch {}
+		}
+	}
+	return out;
+}
+function runValidate(opts) {
+	const errors = [];
+	const warnings = [];
+	const bundle = loadSchemaBundle();
+	console.log(kleur.gray(`[validate] @anna-ai/app-schema dispatcher_version=${bundle.dispatcherVersion}  (${bundle.dir})`));
+	const manifest = readManifest(opts.manifestPath);
+	const schemaIssues = validateManifestSchema(bundle, manifest);
+	for (const i of schemaIssues) errors.push(`schema ${i.path}: ${i.message}`);
+	for (const e of validateUiSectionStatic(manifest)) errors.push(`ui: ${e}`);
+	const occ = walkAndScan(opts.cwd, { readdirSync: (p) => readdirSync(p, { withFileTypes: true }).map((e) => ({
+		name: e.name,
+		isDirectory: () => e.isDirectory(),
+		isFile: () => e.isFile()
+	})) });
+	const declared = [...(manifest.required_executas ?? []).map((r) => r.tool_id), ...(manifest.optional_executas ?? []).map((r) => r.tool_id)];
+	const idReport = analyzeToolIds({
+		occurrences: occ,
+		declaredManifestIds: declared
+	});
+	for (const e of idReport.errors) errors.push(`tool-id: ${e}`);
+	for (const w of idReport.warnings) warnings.push(`tool-id: ${w}`);
+	if (opts.strict) {
+		const bundleDir = opts.bundleDir ?? resolve(opts.cwd, "bundle");
+		const sources = readBundleSources(bundleDir);
+		const usages = scanHostApiCalls(sources);
+		const aclErrs = checkHostApiAllowance(usages, manifest, bundle.methods);
+		for (const e of aclErrs) errors.push(`host-api: ${e}`);
+	}
+	return {
+		errors,
+		warnings
+	};
+}
+function printResult(result) {
+	for (const w of result.warnings) console.warn(kleur.yellow(`⚠ ${w}`));
+	for (const e of result.errors) console.error(kleur.red(`✗ ${e}`));
+	if (result.errors.length === 0) {
+		console.log(kleur.green(`✓ validate passed${result.warnings.length ? ` (${result.warnings.length} warning(s))` : ""}`));
+		return 0;
+	}
+	console.error(kleur.red(`✗ validate failed: ${result.errors.length} error(s)`));
+	return 1;
+}
+
 //#endregion
 //#region src/cli.ts
+const pkg = createRequire(import.meta.url)("../package.json");
 const program = new Command();
-program.name("anna-app").description("Anna App developer CLI (scaffold, validate, harness)").version("0.1.0");
+program.name("anna-app").description("Anna App developer CLI (scaffold, validate, harness)").version(pkg.version);
 program.command("init <dir>").description("Scaffold a new Anna App project").option("--slug <slug>", "App slug (lowercase, hyphens)", "").option("--template <name>", "Template to use", "minimal").option("--force", "Overwrite existing dir if non-empty", false).action((dir, opts) => {
 	const slug = opts.slug || dir.split(/[\\/]/).pop() || "my-anna-app";
 	const code = runInit({
@@ -68,10 +433,34 @@ program.command("init <dir>").description("Scaffold a new Anna App project").opt
 	});
 	process.exit(code);
 });
-program.command("dev").description("Run a local harness (in-process dispatcher + iframe + SSE relay)").option("--manifest <path>", "manifest.json path", "manifest.json").option("--bundle <dir>", "bundle directory (default: ./bundle)").option("--slug <slug>", "App slug (overrides manifest.slug/name)").option("--view <name>", "View name to open (default: manifest default)").option("--matrix-nexus-root <path>", "matrix-nexus checkout (auto-detected if omitted; can also use $ANNA_NEXUS_ROOT)").option("--port <number>", "HTTP port", "5180").option("--user-id <id>", "Harness user_id", "1").option("--cwd <dir>", "Project root (default: cwd)").option("--no-watch", "Disable bundle file watcher (default: enabled)").action(async (opts) => {
-	const { runDev } = await import("./dev-DImwL-ql.js");
+program.command("validate").description("Run schema + ACL checks on a manifest+bundle").option("--manifest <path>", "manifest.json path", "manifest.json").option("--bundle <dir>", "bundle directory (default: ./bundle)").option("--strict", "Enable strict checks (host_api ACL grep)", false).action(async (opts) => {
+	const cwd = process.cwd();
+	const result = runValidate({
+		cwd,
+		manifestPath: resolve(cwd, opts.manifest),
+		bundleDir: opts.bundle ? resolve(cwd, opts.bundle) : null,
+		strict: opts.strict
+	});
+	const code = printResult(result);
+	process.exit(code);
+});
+program.command("dev").description("Run a local harness (in-process dispatcher + iframe + SSE relay)").option("--manifest <path>", "manifest.json path", "manifest.json").option("--bundle <dir>", "bundle directory (default: ./bundle)").option("--slug <slug>", "App slug (overrides manifest.slug/name)").option("--view <name>", "View name to open (default: manifest default)").option("--matrix-nexus-root <path>", "matrix-nexus checkout (auto-detected if omitted; can also use $ANNA_NEXUS_ROOT)").option("--port <number>", "HTTP port", "5180").option("--user-id <id>", "Harness user_id", "1").option("--cwd <dir>", "Project root (default: cwd)").option("--no-watch", "Disable bundle file watcher (default: enabled)").option("--executa <spec>", "Explicit executa registration; repeatable. Spec: comma-separated key=value (dir=<path>[,tool_id=<id>][,type=python|node|go|binary][,command=\"<argv>\"]). When only `dir=` is given, the executa is auto-detected from executa.json / pyproject.toml / package.json / go.mod. Overrides directory auto-discovery under <manifest-dir>/executas/.", (val, prev) => prev ? [...prev, val] : [val]).option("--no-llm", "Disable LLM bridge (anna.llm/agent return llm_disabled)", false).option("--mock-llm <fixture>", "Serve canned LLM responses from a JSONL fixture").option("--llm-account <host>", "Saved account host to use (default: current)").option("--llm-app-id <id>", "app_id passed to /dev/session/mint").action(async (opts) => {
+	const { runDev, parseExecutaSpec } = await import("./dev-BPIUX2Nh.js");
+	const cwd = opts.cwd ?? process.cwd();
+	let executas;
+	if (opts.executa && opts.executa.length > 0) {
+		executas = [];
+		for (const spec of opts.executa) {
+			const r = parseExecutaSpec(spec, cwd);
+			if (r instanceof Error) {
+				console.error(`✗ --executa: ${r.message}`);
+				process.exit(2);
+			}
+			executas.push(r);
+		}
+	}
 	const code = await runDev({
-		cwd: opts.cwd ?? process.cwd(),
+		cwd,
 		manifestPath: opts.manifest,
 		bundleDir: opts.bundle,
 		slug: opts.slug,
@@ -79,13 +468,18 @@ program.command("dev").description("Run a local harness (in-process dispatcher +
 		matrixNexusRoot: opts.matrixNexusRoot,
 		port: Number.parseInt(opts.port, 10),
 		userId: Number.parseInt(opts.userId, 10),
-		noWatch: opts.watch === false
+		noWatch: opts.watch === false,
+		executas,
+		noLlm: opts.llm === false,
+		mockLlm: opts.mockLlm,
+		llmAccount: opts.llmAccount,
+		llmAppId: opts.llmAppId ? Number.parseInt(opts.llmAppId, 10) : void 0
 	});
 	process.exit(code);
 });
 const fixture = program.command("fixture").description("Inspect / replay harness recordings (Phase 6)");
 fixture.command("verify <file>").description("Schema + invariant checks on a harness JSONL recording").option("--json", "Emit machine-readable JSON", false).action(async (file, opts) => {
-	const { runFixtureVerify } = await import("./fixture-BGjMtqWA.js");
+	const { runFixtureVerify } = await import("./fixture-RceUUd84.js");
 	const code = await runFixtureVerify({
 		file,
 		json: opts.json
@@ -93,7 +487,7 @@ fixture.command("verify <file>").description("Schema + invariant checks on a har
 	process.exit(code);
 });
 fixture.command("summarize <file>").description("Print a human-readable digest of a harness recording").option("--json", "Emit machine-readable JSON", false).action(async (file, opts) => {
-	const { runFixtureSummarize } = await import("./fixture-BGjMtqWA.js");
+	const { runFixtureSummarize } = await import("./fixture-RceUUd84.js");
 	const code = await runFixtureSummarize({
 		file,
 		json: opts.json
@@ -101,7 +495,7 @@ fixture.command("summarize <file>").description("Print a human-readable digest o
 	process.exit(code);
 });
 fixture.command("replay <file>").description("Dry-run replay of a harness recording (Phase 6 MVP)").option("--manifest <path>", "manifest.json path", "manifest.json").action(async (file, opts) => {
-	const { runFixtureReplay } = await import("./fixture-BGjMtqWA.js");
+	const { runFixtureReplay } = await import("./fixture-RceUUd84.js");
 	const code = await runFixtureReplay({
 		file,
 		manifest: opts.manifest
@@ -109,10 +503,31 @@ fixture.command("replay <file>").description("Dry-run replay of a harness record
 	process.exit(code);
 });
 program.command("doctor").description("Check environment for `anna-app dev` (uv, matrix-nexus, dev key)").option("--matrix-nexus-root <path>", "matrix-nexus checkout (optional)").action(async (opts) => {
-	const { runDoctor } = await import("./doctor-yxWmMSJc.js");
+	const { runDoctor } = await import("./doctor-R1pjmBDG.js");
 	const code = await runDoctor({ matrixNexusRoot: opts.matrixNexusRoot });
 	process.exit(code);
 });
+program.command("login").description("Device-flow login against a nexus host; saves a PAT to ~/.config/anna/credentials.json").requiredOption("--host <url>", "nexus base URL, e.g. https://nexus.example.com").option("--no-browser", "Do not open a browser window automatically", false).action(async (opts) => {
+	const { runLogin } = await import("./login-D8cmvBb6.js");
+	const code = await runLogin({
+		host: opts.host,
+		noBrowser: opts.browser === false
+	});
+	process.exit(code);
+});
+program.command("logout").description("Remove a saved PAT entry").option("--host <url>", "Account to remove (default: current)").option("--all", "Remove every saved account", false).action(async (opts) => {
+	const { runLogout } = await import("./logout-P6L9VU4W.js");
+	const code = await runLogout({
+		host: opts.host,
+		all: opts.all
+	});
+	process.exit(code);
+});
+program.command("whoami").description("Show the current account (and any others)").option("--json", "Emit machine-readable JSON", false).action(async (opts) => {
+	const { runWhoami } = await import("./whoami-jqlQwe7Z.js");
+	const code = await runWhoami({ json: opts.json });
+	process.exit(code);
+});
 program.parseAsync(process.argv).catch((e) => {
 	console.error(e);
 	process.exit(2);