@archal/cli 0.9.6 → 0.9.7

package/dist/index.cjs

@@ -4092,15 +4092,15 @@ var init_parseUtil = __esm({
           message: issueData.message
         };
       }
-      let errorMessage2 = "";
+      let errorMessage3 = "";
       const maps = errorMaps.filter((m) => !!m).slice().reverse();
       for (const map2 of maps) {
-        errorMessage2 = map2(fullIssue, { data, defaultError: errorMessage2 }).message;
+        errorMessage3 = map2(fullIssue, { data, defaultError: errorMessage3 }).message;
       }
       return {
         ...issueData,
         path: fullPath,
-        message: errorMessage2
+        message: errorMessage3
       };
     };
     ParseStatus = class _ParseStatus {
@@ -31300,12 +31300,902 @@ var init_dist2 = __esm({
   }
 });
 
+// ../packages/node-auth/dist/index.js
+function isPlan(value) {
+  return value === "free" || value === "pro" || value === "enterprise";
+}
+function errorMessage2(error49) {
+  return error49 instanceof Error ? error49.message : String(error49);
+}
+function debug(message) {
+  if (process.env["ARCHAL_DEBUG"] !== "1") {
+    return;
+  }
+  process.stderr.write(`[archal-node-auth] ${message}
+`);
+}
+function getWarn(options) {
+  return options?.warn ?? console.warn;
+}
+function isExpired(expiresAt) {
+  return expiresAt <= Math.floor(Date.now() / 1e3);
+}
+function isRunningUnderTests() {
+  return process.env["VITEST"] === "true" || process.env["VITEST_WORKER_ID"] !== void 0 || process.env["JEST_WORKER_ID"] !== void 0 || process.env["NODE_TEST_CONTEXT"] !== void 0;
+}
+function getRealArchalDir() {
+  return (0, import_path.join)((0, import_os.homedir)(), ARCHAL_DIR_NAME);
+}
+function getTestSandboxDir() {
+  const workerId = process.env["VITEST_WORKER_ID"] ?? process.env["JEST_WORKER_ID"] ?? String(process.pid);
+  return (0, import_path.join)((0, import_os.tmpdir)(), `archal-test-sandbox-${workerId}`);
+}
+function seedSandboxFromRealHomeOnce(sandboxDir) {
+  try {
+    if (seededSandboxes.has(sandboxDir)) {
+      const credsIntact = (0, import_fs.existsSync)((0, import_path.join)(sandboxDir, CREDENTIALS_FILE));
+      if (credsIntact) return;
+      seededSandboxes.delete(sandboxDir);
+    }
+    const realDir = getRealArchalDir();
+    if (!(0, import_fs.existsSync)(realDir)) {
+      seededSandboxes.add(sandboxDir);
+      return;
+    }
+    if (!(0, import_fs.existsSync)(sandboxDir)) {
+      (0, import_fs.mkdirSync)(sandboxDir, { recursive: true, mode: 448 });
+    }
+    for (const filename of [CREDENTIALS_FILE, CREDENTIALS_KEY_FILE]) {
+      const realPath = (0, import_path.join)(realDir, filename);
+      const sandboxPath = (0, import_path.join)(sandboxDir, filename);
+      if (!(0, import_fs.existsSync)(realPath) || (0, import_fs.existsSync)(sandboxPath)) continue;
+      const contents = (0, import_fs.readFileSync)(realPath);
+      (0, import_fs.writeFileSync)(sandboxPath, contents, { mode: 384 });
+      try {
+        (0, import_fs.chmodSync)(sandboxPath, 384);
+      } catch {
+      }
+    }
+    seededSandboxes.add(sandboxDir);
+  } catch (err) {
+    debug(`Sandbox seed skipped: ${errorMessage2(err)}`);
+  }
+}
+function getArchalDir() {
+  const explicit = process.env["ARCHAL_HOME"];
+  if (explicit) {
+    return explicit;
+  }
+  if (isRunningUnderTests()) {
+    const sandbox = getTestSandboxDir();
+    seedSandboxFromRealHomeOnce(sandbox);
+    return sandbox;
+  }
+  return getRealArchalDir();
+}
+function ensureArchalDir() {
+  const dir = getArchalDir();
+  if (!(0, import_fs.existsSync)(dir)) {
+    (0, import_fs.mkdirSync)(dir, { recursive: true });
+    debug(`Created archal directory at ${dir}`);
+  }
+  return dir;
+}
+function getCredentialsPath() {
+  return (0, import_path.join)(ensureArchalDir(), CREDENTIALS_FILE);
+}
+function getCredentialsKeyPath() {
+  return (0, import_path.join)(ensureArchalDir(), CREDENTIALS_KEY_FILE);
+}
+function readCredentialsKeyFromEnv() {
+  const raw = process.env[CREDENTIALS_MASTER_KEY_ENV_VAR]?.trim();
+  if (!raw) {
+    return null;
+  }
+  if (/^[a-fA-F0-9]{64}$/.test(raw)) {
+    return Buffer.from(raw, "hex");
+  }
+  try {
+    const decoded = Buffer.from(raw, "base64");
+    if (decoded.length === 32) {
+      return decoded;
+    }
+  } catch (err) {
+    debug(`Base64 master key decode failed: ${errorMessage2(err)}`);
+  }
+  return (0, import_crypto2.createHash)("sha256").update(raw, "utf8").digest();
+}
+function readCredentialsKeyFromMacKeychain() {
+  if (process.platform !== "darwin") return null;
+  try {
+    const result = (0, import_child_process.spawnSync)(
+      "security",
+      ["find-generic-password", "-s", KEYCHAIN_SERVICE, "-a", KEYCHAIN_ACCOUNT, "-w"],
+      { encoding: "utf-8", timeout: KEYCHAIN_COMMAND_TIMEOUT_MS }
+    );
+    if (!result || result.error || result.status !== 0 || typeof result.stdout !== "string" || result.stdout.length === 0) {
+      if (result?.error) {
+        debug(`Keychain lookup failed: ${result.error.message}`);
+      }
+      return null;
+    }
+    const raw = result.stdout.trim();
+    if (!/^[a-fA-F0-9]{64}$/.test(raw)) {
+      return null;
+    }
+    return Buffer.from(raw, "hex");
+  } catch (err) {
+    debug(`Keychain lookup threw: ${errorMessage2(err)}`);
+    return null;
+  }
+}
+function readCredentialsKeyFromFile() {
+  const keyPath = getCredentialsKeyPath();
+  if (!(0, import_fs.existsSync)(keyPath)) {
+    return null;
+  }
+  try {
+    const raw = (0, import_fs.readFileSync)(keyPath, "utf-8").trim();
+    const key = Buffer.from(raw, "hex");
+    if (key.length === 32) {
+      return key;
+    }
+  } catch (err) {
+    debug(`Failed to read credentials key file: ${errorMessage2(err)}`);
+  }
+  return null;
+}
+function collectCredentialKeysForDecrypt() {
+  const keys = [];
+  for (const candidate of [
+    readCredentialsKeyFromEnv(),
+    readCredentialsKeyFromMacKeychain(),
+    readCredentialsKeyFromFile()
+  ]) {
+    if (!candidate) continue;
+    if (!keys.some((entry) => entry.equals(candidate))) {
+      keys.push(candidate);
+    }
+  }
+  return keys;
+}
+function writeCredentialsKeyToMacKeychain(key) {
+  if (process.platform !== "darwin") return false;
+  try {
+    const result = (0, import_child_process.spawnSync)(
+      "security",
+      [
+        "add-generic-password",
+        "-U",
+        "-s",
+        KEYCHAIN_SERVICE,
+        "-a",
+        KEYCHAIN_ACCOUNT,
+        "-w",
+        key.toString("hex")
+      ],
+      { encoding: "utf-8", timeout: KEYCHAIN_COMMAND_TIMEOUT_MS }
+    );
+    if (result?.error) {
+      debug(`Keychain write failed: ${result.error.message}`);
+    }
+    return !!result && !result.error && result.status === 0;
+  } catch (err) {
+    debug(`Keychain write threw: ${errorMessage2(err)}`);
+    return false;
+  }
+}
+function getOrCreateCredentialsKey() {
+  const envKey = readCredentialsKeyFromEnv();
+  if (envKey) {
+    return envKey;
+  }
+  const keychainKey = readCredentialsKeyFromMacKeychain();
+  if (keychainKey) {
+    return keychainKey;
+  }
+  const fileKey = readCredentialsKeyFromFile();
+  if (fileKey) {
+    if (writeCredentialsKeyToMacKeychain(fileKey)) {
+      try {
+        (0, import_fs.unlinkSync)(getCredentialsKeyPath());
+      } catch {
+      }
+    }
+    return fileKey;
+  }
+  const generated = (0, import_crypto2.randomBytes)(32);
+  if (!writeCredentialsKeyToMacKeychain(generated)) {
+    (0, import_fs.writeFileSync)(getCredentialsKeyPath(), `${generated.toString("hex")}
+`, {
+      encoding: "utf-8",
+      mode: 384
+    });
+  }
+  return generated;
+}
+function encryptToken(token) {
+  const key = getOrCreateCredentialsKey();
+  const iv = (0, import_crypto2.randomBytes)(12);
+  const cipher = (0, import_crypto2.createCipheriv)("aes-256-gcm", key, iv);
+  const encrypted = Buffer.concat([cipher.update(token, "utf-8"), cipher.final()]);
+  return `${TOKEN_ENCRYPTION_PREFIX}:${iv.toString("hex")}:${cipher.getAuthTag().toString("hex")}:${encrypted.toString("hex")}`;
+}
+function decryptToken(ciphertext) {
+  const parts = ciphertext.split(":");
+  if (parts.length !== 4 || parts[0] !== TOKEN_ENCRYPTION_PREFIX) {
+    return null;
+  }
+  const [, ivHex, tagHex, dataHex] = parts;
+  if (!ivHex || !tagHex || !dataHex) {
+    return null;
+  }
+  const iv = Buffer.from(ivHex, "hex");
+  const tag = Buffer.from(tagHex, "hex");
+  const data = Buffer.from(dataHex, "hex");
+  const keys = collectCredentialKeysForDecrypt();
+  if (keys.length === 0) {
+    keys.push(getOrCreateCredentialsKey());
+  }
+  for (const key of keys) {
+    try {
+      const decipher = (0, import_crypto2.createDecipheriv)("aes-256-gcm", key, iv);
+      decipher.setAuthTag(tag);
+      return Buffer.concat([decipher.update(data), decipher.final()]).toString("utf-8");
+    } catch {
+    }
+  }
+  debug("Token decryption failed with all available credential keys.");
+  return null;
+}
+function decodeJwtPayload(token) {
+  try {
+    const payloadPart = token.split(".")[1];
+    if (!payloadPart) return null;
+    const normalized = payloadPart.replace(/-/g, "+").replace(/_/g, "/");
+    const padded = normalized + "=".repeat((4 - normalized.length % 4) % 4);
+    return JSON.parse(Buffer.from(padded, "base64").toString("utf-8"));
+  } catch (err) {
+    debug(`JWT payload decode failed (expected for non-JWT tokens): ${errorMessage2(err)}`);
+    return null;
+  }
+}
+function hasValidSelectedTwins(value) {
+  return value === void 0 || Array.isArray(value) && value.every((twin) => typeof twin === "string");
+}
+function resolveStoredToken(parsed) {
+  if (typeof parsed.token === "string") {
+    const token = parsed.token.trim();
+    return { token: token.length > 0 ? token : null, source: "legacy" };
+  }
+  if (typeof parsed.accessToken === "string") {
+    const token = parsed.accessToken.trim();
+    return { token: token.length > 0 ? token : null, source: "legacy" };
+  }
+  if (typeof parsed.tokenEncrypted === "string") {
+    const token = decryptToken(parsed.tokenEncrypted)?.trim() || null;
+    return { token: token?.length ? token : null, source: "encrypted" };
+  }
+  return { token: null, source: "legacy" };
+}
+function resolveStoredRefreshToken(parsed) {
+  if (typeof parsed.refreshTokenEncrypted === "string") {
+    const refreshToken = decryptToken(parsed.refreshTokenEncrypted)?.trim() || null;
+    if (refreshToken !== null) {
+      return { refreshToken, source: "encrypted" };
+    }
+    if (typeof parsed.refreshToken === "string") {
+      return { refreshToken: parsed.refreshToken.trim(), source: "legacy" };
+    }
+    return { refreshToken: null, source: "encrypted" };
+  }
+  if (typeof parsed.refreshToken === "string") {
+    return { refreshToken: parsed.refreshToken.trim(), source: "legacy" };
+  }
+  return { refreshToken: "", source: "none" };
+}
+function buildStoredCredentials(parsed, path, warn3) {
+  const { token, source: tokenSource } = resolveStoredToken(parsed);
+  const { refreshToken, source: refreshTokenSource } = resolveStoredRefreshToken(parsed);
+  if (token === null || refreshToken === null || parsed.refreshToken !== void 0 && typeof parsed.refreshToken !== "string" || parsed.refreshTokenEncrypted !== void 0 && typeof parsed.refreshTokenEncrypted !== "string" || !hasValidSelectedTwins(parsed.selectedTwins)) {
+    warn3(
+      `Credentials file at ${path} has missing or invalid fields. Run \`archal login\` to re-authenticate.`
+    );
+    return null;
+  }
+  const { email: email3, plan, expiresAt } = parsed;
+  if (typeof email3 !== "string" || !isPlan(plan) || typeof expiresAt !== "number") {
+    warn3(
+      `Credentials file at ${path} has missing or invalid fields. Run \`archal login\` to re-authenticate.`
+    );
+    return null;
+  }
+  const creds = {
+    token,
+    refreshToken,
+    email: email3,
+    plan,
+    selectedTwins: parsed.selectedTwins ?? [],
+    expiresAt
+  };
+  if (tokenSource === "legacy" || refreshTokenSource === "legacy") {
+    try {
+      saveCredentials(creds);
+    } catch (err) {
+      debug(`Credential migration failed: ${errorMessage2(err)}`);
+    }
+  }
+  return creds;
+}
+function readCredentialsFile(options) {
+  const path = getCredentialsPath();
+  if (!(0, import_fs.existsSync)(path)) {
+    return null;
+  }
+  try {
+    const warn3 = getWarn(options);
+    const parsed = JSON.parse((0, import_fs.readFileSync)(path, "utf-8"));
+    return buildStoredCredentials(parsed, path, warn3);
+  } catch {
+    const warn3 = getWarn(options);
+    warn3(
+      `Credentials file at ${path} exists but could not be parsed. Delete it and run \`archal login\` to re-authenticate.`
+    );
+    return null;
+  }
+}
+function readCredentialsFromEnv(options) {
+  const raw = process.env[AUTH_TOKEN_ENV_VAR];
+  if (typeof raw !== "string") {
+    return null;
+  }
+  const token = raw.trim();
+  if (token.length === 0) {
+    return null;
+  }
+  const claims = decodeJwtPayload(token);
+  const nowSeconds = Math.floor(Date.now() / 1e3);
+  const email3 = claims !== null && typeof claims["email"] === "string" ? claims["email"] : "(from ARCHAL_TOKEN)";
+  let plan = claims !== null && isPlan(claims["plan"]) ? claims["plan"] : void 0;
+  if (!plan) {
+    if (claims !== null) {
+      getWarn(options)("JWT does not contain a valid plan claim - defaulting to free");
+    }
+    plan = "free";
+  }
+  const expiresAt = claims !== null && typeof claims["exp"] === "number" ? claims["exp"] : nowSeconds + ENV_TOKEN_FALLBACK_TTL_SECONDS;
+  if (expiresAt <= nowSeconds) {
+    if (options?.onExpiredEnvToken === "throw") {
+      throw new ExpiredEnvTokenError();
+    }
+    debug("Ignoring expired ARCHAL_TOKEN from environment.");
+    return null;
+  }
+  return {
+    token,
+    refreshToken: "",
+    email: email3,
+    plan,
+    selectedTwins: [],
+    expiresAt
+  };
+}
+function getCredentials(options) {
+  const creds = readCredentialsFromEnv(options) ?? getStoredCredentials(options);
+  if (!creds) {
+    return null;
+  }
+  return isExpired(creds.expiresAt) ? null : creds;
+}
+function getStoredCredentials(options) {
+  const creds = readCredentialsFile(options);
+  if (!creds) {
+    return null;
+  }
+  if (options?.includeExpired) {
+    return creds;
+  }
+  return isExpired(creds.expiresAt) ? null : creds;
+}
+function saveCredentials(creds) {
+  const credPath = getCredentialsPath();
+  const payload = {
+    email: creds.email,
+    plan: creds.plan,
+    selectedTwins: creds.selectedTwins,
+    expiresAt: creds.expiresAt,
+    tokenEncrypted: encryptToken(creds.token.trim()),
+    refreshTokenEncrypted: creds.refreshToken.trim().length > 0 ? encryptToken(creds.refreshToken.trim()) : void 0
+  };
+  const tmpPath = `${credPath}.${(0, import_crypto2.randomBytes)(4).toString("hex")}.tmp`;
+  (0, import_fs.writeFileSync)(tmpPath, `${JSON.stringify(payload, null, 2)}
+`, {
+    encoding: "utf-8",
+    mode: 384
+  });
+  (0, import_fs.renameSync)(tmpPath, credPath);
+}
+function deleteCredentials() {
+  const path = getCredentialsPath();
+  if (!(0, import_fs.existsSync)(path)) {
+    return false;
+  }
+  (0, import_fs.unlinkSync)(path);
+  return true;
+}
+function getWarn2(options) {
+  return options?.warn ?? console.warn;
+}
+function stripUrlCredentials(url2) {
+  try {
+    const parsed = new URL(url2);
+    parsed.username = "";
+    parsed.password = "";
+    return parsed.toString();
+  } catch {
+    const atIndex = url2.indexOf("@");
+    return atIndex >= 0 ? url2.slice(atIndex + 1) : url2;
+  }
+}
+function normalizeAuthUrl(value) {
+  if (typeof value !== "string") {
+    return null;
+  }
+  const trimmed = value.trim().replace(/\/+$/, "");
+  if (trimmed.length === 0) {
+    return null;
+  }
+  const normalized = trimmed.endsWith("/api") ? trimmed.slice(0, -4) : trimmed;
+  if (normalized.length === 0) {
+    return null;
+  }
+  const parsed = new URL(normalized);
+  if (parsed.protocol === "https:") {
+    return normalized;
+  }
+  const isLocalHttp = parsed.protocol === "http:" && (parsed.hostname === "localhost" || parsed.hostname === "127.0.0.1");
+  if (!isLocalHttp) {
+    throw new Error(
+      `Auth URL must use HTTPS (got ${stripUrlCredentials(normalized)}). HTTP is only allowed for localhost.`
+    );
+  }
+  return normalized;
+}
+function parseBooleanEnvFlag(value) {
+  if (typeof value !== "string") {
+    return false;
+  }
+  switch (value.trim().toLowerCase()) {
+    case "1":
+    case "true":
+    case "yes":
+    case "on":
+      return true;
+    default:
+      return false;
+  }
+}
+function isStrictEndpointModeEnabled() {
+  return parseBooleanEnvFlag(process.env[STRICT_ENDPOINTS_ENV_VAR]);
+}
+function readConfiguredUrl(options, ...envKeys) {
+  for (const key of envKeys) {
+    try {
+      const value = normalizeAuthUrl(process.env[key]);
+      if (value) {
+        return value;
+      }
+    } catch (err) {
+      getWarn2(options)(
+        `Ignoring invalid ${key}: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+  }
+  return null;
+}
+function getConfiguredAuthBaseUrl(options) {
+  const explicit = readConfiguredUrl(options, "ARCHAL_AUTH_URL", "ARCHAL_AUTH_BASE_URL");
+  if (explicit) {
+    return explicit;
+  }
+  return isStrictEndpointModeEnabled() ? null : HOSTED_DEFAULT_AUTH_BASE_URL;
+}
+function getConfiguredApiBaseUrl(options) {
+  const explicit = readConfiguredUrl(options, "ARCHAL_API_URL", "ARCHAL_API_BASE_URL");
+  if (explicit) {
+    return explicit;
+  }
+  return isStrictEndpointModeEnabled() ? null : HOSTED_DEFAULT_API_BASE_URL;
+}
+function buildAuthRequestHeaders(metadata, includeContentType = false) {
+  const headers = {};
+  if (includeContentType) {
+    headers["content-type"] = "application/json";
+  }
+  if (metadata?.userAgent) {
+    headers["user-agent"] = metadata.userAgent;
+  }
+  if (metadata?.cliVersion) {
+    headers["x-archal-cli-version"] = metadata.cliVersion;
+  }
+  return headers;
+}
+function isTokenDerivedIdentity(email3) {
+  return email3 === "(from ARCHAL_TOKEN)" || email3 === "(from token)";
+}
+function getWarn3(metadata) {
+  return metadata?.warn ?? console.warn;
+}
+function getAuthBaseUrl(metadata) {
+  const configured = metadata?.authBaseUrl?.trim();
+  if (configured) {
+    return configured.replace(/\/+$/, "");
+  }
+  return getConfiguredAuthBaseUrl();
+}
+function logRefreshFailure(creds, reason, authBaseUrl, metadata) {
+  const endpoint = `${authBaseUrl}/auth/me`;
+  const warn3 = getWarn3(metadata);
+  if (isTokenDerivedIdentity(creds.email)) {
+    warn3(
+      `Could not verify token with ${endpoint} (${reason}). Using token without refreshed account metadata.`
+    );
+    return;
+  }
+  warn3(
+    `Could not refresh account metadata from ${endpoint} (${reason}). Using cached credentials.`
+  );
+}
+async function readFailureDetail(response) {
+  const contentType = response.headers.get("content-type")?.toLowerCase() ?? "";
+  if (!contentType.includes("application/json")) {
+    return null;
+  }
+  try {
+    const payload = await response.json();
+    const error49 = typeof payload.error === "string" ? payload.error.trim() : "";
+    const message = typeof payload.message === "string" ? payload.message.trim() : "";
+    if (error49 && message) return `${error49}: ${message}`;
+    if (message) return message;
+    if (error49) return error49;
+  } catch {
+    return null;
+  }
+  return null;
+}
+async function validateTokenWithServer(creds, metadata) {
+  const authBaseUrl = getAuthBaseUrl(metadata);
+  if (!authBaseUrl) {
+    return {
+      ok: false,
+      code: "no_auth_url",
+      status: null,
+      reason: "no auth URL configured"
+    };
+  }
+  try {
+    const response = await fetch(`${authBaseUrl}/auth/me`, {
+      method: "GET",
+      headers: {
+        authorization: `Bearer ${creds.token}`,
+        ...buildAuthRequestHeaders(metadata, false)
+      },
+      signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS)
+    });
+    if (!response.ok) {
+      const detail = await readFailureDetail(response);
+      return {
+        ok: false,
+        code: response.status === 401 ? "auth_rejected" : "http_error",
+        status: response.status,
+        reason: detail ? `HTTP ${response.status} ${detail}` : `HTTP ${response.status}`
+      };
+    }
+    let data;
+    try {
+      data = await response.json();
+    } catch {
+      return {
+        ok: false,
+        code: "invalid_payload",
+        status: null,
+        reason: "invalid response payload"
+      };
+    }
+    if (typeof data.email !== "string" || !isPlan(data.plan)) {
+      return {
+        ok: false,
+        code: "invalid_payload",
+        status: null,
+        reason: "invalid response payload"
+      };
+    }
+    const selectedTwins = Array.isArray(data.selectedTwinIds) ? data.selectedTwinIds.filter((id) => typeof id === "string") : creds.selectedTwins;
+    const updated = {
+      ...creds,
+      email: data.email,
+      plan: data.plan,
+      selectedTwins
+    };
+    if ((updated.email !== creds.email || updated.plan !== creds.plan || JSON.stringify(updated.selectedTwins) !== JSON.stringify(creds.selectedTwins)) && !process.env[AUTH_TOKEN_ENV_VAR]) {
+      saveCredentials(updated);
+    }
+    return { ok: true, credentials: updated };
+  } catch (error49) {
+    return {
+      ok: false,
+      code: "network_error",
+      status: null,
+      reason: errorMessage2(error49)
+    };
+  }
+}
+async function refreshAuthFromServer(creds, metadata) {
+  const authBaseUrl = getAuthBaseUrl(metadata);
+  if (!authBaseUrl) return creds;
+  const result = await refreshAuthFromServerWithValidation(creds, metadata);
+  if (!result.validation.ok) {
+    logRefreshFailure(creds, result.validation.reason, authBaseUrl, metadata);
+    if (result.validation.code === "auth_rejected") {
+      throw new Error("Authentication failed. Your token may be expired or invalid. Run: archal login");
+    }
+  }
+  return result.credentials;
+}
+async function refreshAuthFromServerWithValidation(creds, metadata) {
+  const result = await validateTokenWithServer(creds, metadata);
+  if (result.ok) {
+    return {
+      credentials: result.credentials,
+      validation: result
+    };
+  }
+  return {
+    credentials: creds,
+    validation: result
+  };
+}
+async function resolveWhoamiAuthState(creds, metadata) {
+  if (!creds) {
+    return { loggedIn: false };
+  }
+  const refreshed = await refreshAuthFromServerWithValidation(creds, metadata);
+  return {
+    loggedIn: true,
+    credentials: refreshed.credentials,
+    validation: refreshed.validation
+  };
+}
+function isEntitled(creds, twinName) {
+  if (creds.plan === "pro" || creds.plan === "enterprise") return true;
+  if (creds.selectedTwins && creds.selectedTwins.length > 0) {
+    return creds.selectedTwins.includes(twinName);
+  }
+  return true;
+}
+function getJwtExpiry(token) {
+  const claims = decodeJwtPayload(token);
+  if (claims === null) return null;
+  return typeof claims["exp"] === "number" ? claims["exp"] : null;
+}
+function sleep2(ms, signal) {
+  if (!signal) {
+    return new Promise((resolve15) => {
+      setTimeout(resolve15, ms);
+    });
+  }
+  const abortSignal = signal;
+  if (abortSignal.aborted) {
+    return Promise.reject(abortSignal.reason instanceof Error ? abortSignal.reason : new DOMException("The operation was aborted.", "AbortError"));
+  }
+  return new Promise((resolve15, reject) => {
+    const timeout = setTimeout(() => {
+      abortSignal.removeEventListener("abort", onAbort);
+      resolve15();
+    }, ms);
+    function onAbort() {
+      clearTimeout(timeout);
+      reject(abortSignal.reason instanceof Error ? abortSignal.reason : new DOMException("The operation was aborted.", "AbortError"));
+    }
+    abortSignal.addEventListener("abort", onAbort, { once: true });
+  });
+}
+function resolveBackoffDelay(backoffMs, attempt, fallbackMs) {
+  const indexed = backoffMs[attempt];
+  if (typeof indexed === "number" && Number.isFinite(indexed) && indexed >= 0) {
+    return indexed;
+  }
+  const last = backoffMs.length > 0 ? backoffMs[backoffMs.length - 1] : void 0;
+  if (typeof last === "number" && Number.isFinite(last) && last >= 0) {
+    return last;
+  }
+  return fallbackMs;
+}
+async function fetchWithRetry(url2, init, options) {
+  const maxRetries = options?.maxRetries ?? AUTH_RETRY_OPTIONS.maxRetries;
+  const timeoutMs = options?.timeoutMs ?? AUTH_RETRY_OPTIONS.timeoutMs;
+  const retryableStatusCodes = options?.retryableStatusCodes instanceof Set ? options.retryableStatusCodes : new Set(options?.retryableStatusCodes ?? AUTH_RETRY_OPTIONS.retryableStatusCodes);
+  const backoffMs = options?.backoffMs ?? AUTH_RETRY_OPTIONS.backoffMs;
+  const fetchImpl = options?.fetchImpl ?? fetch;
+  const externalSignal = options?.signal;
+  let lastError;
+  for (let attempt = 0; attempt <= maxRetries; attempt += 1) {
+    if (externalSignal?.aborted) {
+      throw externalSignal.reason ?? new DOMException("The operation was aborted.", "AbortError");
+    }
+    try {
+      const requestSignal = externalSignal ? AbortSignal.any([externalSignal, AbortSignal.timeout(timeoutMs)]) : AbortSignal.timeout(timeoutMs);
+      const response = await fetchImpl(url2, {
+        ...init,
+        signal: requestSignal
+      });
+      if (response.ok || !retryableStatusCodes.has(response.status) || attempt >= maxRetries) {
+        return response;
+      }
+      lastError = new Error(`HTTP ${response.status}`);
+    } catch (error49) {
+      lastError = error49;
+      if (attempt >= maxRetries) {
+        break;
+      }
+    }
+    if (attempt < maxRetries) {
+      const delay = resolveBackoffDelay(backoffMs, attempt, 3e3);
+      await sleep2(delay, externalSignal);
+    }
+  }
+  throw lastError instanceof Error ? lastError : new Error(errorMessage2(lastError));
+}
+function isCliTokenExchangeResponse(value) {
+  if (!value || typeof value !== "object") return false;
+  const data = value;
+  return typeof data["accessToken"] === "string" && typeof data["refreshToken"] === "string" && typeof data["email"] === "string" && isPlan(data["plan"]) && typeof data["expiresAt"] === "number";
+}
+function isCliRefreshResponse(value) {
+  if (!value || typeof value !== "object") return false;
+  const data = value;
+  return typeof data["accessToken"] === "string" && typeof data["refreshToken"] === "string" && typeof data["expiresAt"] === "number";
+}
+function debug2(message) {
+  if (process.env["ARCHAL_DEBUG"] !== "1") {
+    return;
+  }
+  process.stderr.write(`[archal-node-auth] ${message}
+`);
+}
+function getAuthBaseUrl2(metadata) {
+  const configured = metadata?.authBaseUrl?.trim();
+  if (configured) {
+    return configured.replace(/\/+$/, "");
+  }
+  return getConfiguredAuthBaseUrl();
+}
+async function exchangeCliAuthCode(input, metadata) {
+  const authBaseUrl = getAuthBaseUrl2(metadata);
+  if (!authBaseUrl) {
+    throw new Error(
+      "ARCHAL_AUTH_URL is required for browser login when ARCHAL_STRICT_ENDPOINTS=1. Set ARCHAL_AUTH_URL and run `archal login` again."
+    );
+  }
+  const response = await fetchWithRetry(
+    `${authBaseUrl}/auth/cli/token`,
+    {
+      method: "POST",
+      headers: buildAuthRequestHeaders(metadata, true),
+      body: JSON.stringify(input)
+    },
+    AUTH_RETRY_OPTIONS
+  );
+  if (!response.ok) {
+    throw new Error(`Login failed during code exchange (${response.status})`);
+  }
+  const payload = await response.json();
+  if (!isCliTokenExchangeResponse(payload)) {
+    throw new Error("Login failed: invalid token exchange response");
+  }
+  const selectedTwins = Array.isArray(payload.selectedTwinIds) ? payload.selectedTwinIds.filter((id) => typeof id === "string") : [];
+  return {
+    token: payload.accessToken,
+    refreshToken: payload.refreshToken,
+    email: payload.email,
+    plan: payload.plan,
+    selectedTwins,
+    expiresAt: payload.expiresAt
+  };
+}
+async function refreshCliSession(creds, metadata) {
+  if (!creds.refreshToken) {
+    return null;
+  }
+  const authBaseUrl = getAuthBaseUrl2(metadata);
+  if (!authBaseUrl) {
+    return null;
+  }
+  const response = await fetchWithRetry(
+    `${authBaseUrl}/auth/cli/refresh`,
+    {
+      method: "POST",
+      headers: buildAuthRequestHeaders(metadata, true),
+      body: JSON.stringify({ refreshToken: creds.refreshToken })
+    },
+    AUTH_RETRY_OPTIONS
+  );
+  if (!response.ok) {
+    return null;
+  }
+  const payload = await response.json();
+  if (!isCliRefreshResponse(payload)) {
+    return null;
+  }
+  return {
+    ...creds,
+    token: payload.accessToken,
+    refreshToken: payload.refreshToken,
+    expiresAt: payload.expiresAt
+  };
+}
+async function revokeCliSession(refreshToken, metadata) {
+  const authBaseUrl = getAuthBaseUrl2(metadata);
+  if (!authBaseUrl) {
+    return;
+  }
+  try {
+    await fetch(`${authBaseUrl}/auth/cli/revoke`, {
+      method: "POST",
+      headers: buildAuthRequestHeaders(metadata, true),
+      body: JSON.stringify({ refreshToken }),
+      signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS)
+    });
+  } catch (error49) {
+    debug2(`Session revoke failed (best-effort): ${errorMessage2(error49)}`);
+  }
+}
+var import_child_process, import_crypto2, import_fs, import_os, import_path, CREDENTIALS_FILE, CREDENTIALS_KEY_FILE, AUTH_TOKEN_ENV_VAR, TOKEN_ENCRYPTION_PREFIX, CREDENTIALS_MASTER_KEY_ENV_VAR, KEYCHAIN_SERVICE, KEYCHAIN_ACCOUNT, HOSTED_DEFAULT_AUTH_BASE_URL, HOSTED_DEFAULT_API_BASE_URL, STRICT_ENDPOINTS_ENV_VAR, REQUEST_TIMEOUT_MS, ENV_TOKEN_FALLBACK_TTL_SECONDS, AUTH_RETRY_OPTIONS, ExpiredEnvTokenError, KEYCHAIN_COMMAND_TIMEOUT_MS, ARCHAL_DIR_NAME, seededSandboxes;
+var init_dist3 = __esm({
+  "../packages/node-auth/dist/index.js"() {
+    "use strict";
+    import_child_process = require("child_process");
+    import_crypto2 = require("crypto");
+    import_fs = require("fs");
+    import_os = require("os");
+    import_path = require("path");
+    CREDENTIALS_FILE = "credentials.json";
+    CREDENTIALS_KEY_FILE = "credentials.key";
+    AUTH_TOKEN_ENV_VAR = "ARCHAL_TOKEN";
+    TOKEN_ENCRYPTION_PREFIX = "enc-v1";
+    CREDENTIALS_MASTER_KEY_ENV_VAR = "ARCHAL_CREDENTIALS_MASTER_KEY";
+    KEYCHAIN_SERVICE = "archal-cli";
+    KEYCHAIN_ACCOUNT = "credentials-master-key";
+    HOSTED_DEFAULT_AUTH_BASE_URL = "https://www.archal.ai";
+    HOSTED_DEFAULT_API_BASE_URL = "https://www.archal.ai";
+    STRICT_ENDPOINTS_ENV_VAR = "ARCHAL_STRICT_ENDPOINTS";
+    REQUEST_TIMEOUT_MS = 8e3;
+    ENV_TOKEN_FALLBACK_TTL_SECONDS = 24 * 60 * 60;
+    AUTH_RETRY_OPTIONS = {
+      maxRetries: 2,
+      timeoutMs: REQUEST_TIMEOUT_MS,
+      retryableStatusCodes: /* @__PURE__ */ new Set([429, 502, 503, 504]),
+      backoffMs: [500, 1500],
+      label: "auth"
+    };
+    ExpiredEnvTokenError = class extends Error {
+      constructor(envVar = AUTH_TOKEN_ENV_VAR) {
+        super(`${envVar} is expired. Remove it or replace it with a valid token.`);
+        this.name = "ExpiredEnvTokenError";
+        Object.setPrototypeOf(this, new.target.prototype);
+      }
+    };
+    KEYCHAIN_COMMAND_TIMEOUT_MS = 1500;
+    ARCHAL_DIR_NAME = ".archal";
+    seededSandboxes = /* @__PURE__ */ new Set();
+  }
+});
+
 // src/auth/types.ts
-var import_node_auth;
 var init_types3 = __esm({
   "src/auth/types.ts"() {
     "use strict";
-    import_node_auth = require("@archal/node-auth");
+    init_dist3();
   }
 });
 
@@ -31372,7 +32262,7 @@ function log(level, message, data) {
   const formatted = formatLogEntry(entry);
   process.stderr.write(formatted + "\n");
 }
-function debug(message, data) {
+function debug3(message, data) {
   log("debug", message, data);
 }
 function info(message, data) {
@@ -31481,34 +32371,34 @@ var init_logger = __esm({
 });
 
 // src/auth/url-resolver.ts
-function getConfiguredAuthBaseUrl() {
-  return (0, import_node_auth2.getConfiguredAuthBaseUrl)(READ_OPTIONS);
+function getConfiguredAuthBaseUrl2() {
+  return getConfiguredAuthBaseUrl(READ_OPTIONS);
 }
-function getConfiguredApiBaseUrl() {
-  return (0, import_node_auth2.getConfiguredApiBaseUrl)(READ_OPTIONS);
+function getConfiguredApiBaseUrl2() {
+  return getConfiguredApiBaseUrl(READ_OPTIONS);
 }
-var import_node_auth2, READ_OPTIONS;
+var READ_OPTIONS;
 var init_url_resolver = __esm({
   "src/auth/url-resolver.ts"() {
     "use strict";
-    import_node_auth2 = require("@archal/node-auth");
+    init_dist3();
     init_logger();
     READ_OPTIONS = { warn };
   }
 });
 
 // src/auth/credential-store.ts
-function getCredentials() {
-  return (0, import_node_auth3.getCredentials)(READ_OPTIONS2);
+function getCredentials2() {
+  return getCredentials(READ_OPTIONS2);
 }
-function getStoredCredentials() {
-  return (0, import_node_auth3.getStoredCredentials)(STORED_READ_OPTIONS);
+function getStoredCredentials2() {
+  return getStoredCredentials(STORED_READ_OPTIONS);
 }
-var import_node_auth3, READ_OPTIONS2, STORED_READ_OPTIONS;
+var READ_OPTIONS2, STORED_READ_OPTIONS;
 var init_credential_store = __esm({
   "src/auth/credential-store.ts"() {
     "use strict";
-    import_node_auth3 = require("@archal/node-auth");
+    init_dist3();
     init_logger();
     READ_OPTIONS2 = { onExpiredEnvToken: "throw", warn };
     STORED_READ_OPTIONS = { includeExpired: true, warn };
@@ -31544,12 +32434,12 @@ var init_errors4 = __esm({
 
 // src/auth/require-auth.ts
 function requireAuth(options = {}) {
-  const existing = getCredentials();
+  const existing = getCredentials2();
   if (existing) {
     return existing;
   }
   const canAutoLogin = process.env["ARCHAL_AUTO_LOGIN"] !== "0" && process.argv[2] !== "login" && !!process.stdin.isTTY && !!process.stdout.isTTY && !process.env["CI"];
-  const authBaseUrl = getConfiguredAuthBaseUrl();
+  const authBaseUrl = getConfiguredAuthBaseUrl2();
   if (canAutoLogin) {
     if (!authBaseUrl) {
       process.stderr.write(
@@ -31568,7 +32458,7 @@ function requireAuth(options = {}) {
           env: process.env
         });
         if (!result.error && result.status === 0) {
-          const loggedIn = getCredentials();
+          const loggedIn = getCredentials2();
           if (loggedIn) {
             return loggedIn;
           }
@@ -31676,20 +32566,20 @@ var init_version = __esm({
 });
 
 // src/auth/token-exchange.ts
-function exchangeCliAuthCode(input) {
-  return (0, import_node_auth4.exchangeCliAuthCode)(input, REQUEST_METADATA);
+function exchangeCliAuthCode2(input) {
+  return exchangeCliAuthCode(input, REQUEST_METADATA);
 }
-function refreshCliSession(creds) {
-  return (0, import_node_auth4.refreshCliSession)(creds, REQUEST_METADATA);
+function refreshCliSession2(creds) {
+  return refreshCliSession(creds, REQUEST_METADATA);
 }
-function revokeCliSession(refreshToken) {
-  return (0, import_node_auth4.revokeCliSession)(refreshToken, REQUEST_METADATA);
+function revokeCliSession2(refreshToken) {
+  return revokeCliSession(refreshToken, REQUEST_METADATA);
 }
-var import_node_auth4, REQUEST_METADATA;
+var REQUEST_METADATA;
 var init_token_exchange = __esm({
   "src/auth/token-exchange.ts"() {
     "use strict";
-    import_node_auth4 = require("@archal/node-auth");
+    init_dist3();
     init_version();
     REQUEST_METADATA = {
       userAgent: CLI_USER_AGENT,
@@ -31702,27 +32592,27 @@ var init_token_exchange = __esm({
 var auth_exports = {};
 __export(auth_exports, {
   REQUEST_METADATA: () => REQUEST_METADATA2,
-  decodeJwtPayload: () => import_node_auth3.decodeJwtPayload,
-  deleteCredentials: () => import_node_auth3.deleteCredentials,
-  exchangeCliAuthCode: () => exchangeCliAuthCode,
-  getArchalDir: () => import_node_auth3.getArchalDir,
-  getConfiguredApiBaseUrl: () => getConfiguredApiBaseUrl,
-  getConfiguredAuthBaseUrl: () => getConfiguredAuthBaseUrl,
-  getCredentials: () => getCredentials,
-  getJwtExpiry: () => import_node_auth5.getJwtExpiry,
-  getStoredCredentials: () => getStoredCredentials,
-  isEntitled: () => import_node_auth5.isEntitled,
-  isPlan: () => import_node_auth.isPlan,
-  refreshAuthFromServer: () => import_node_auth5.refreshAuthFromServer,
-  refreshAuthFromServerWithValidation: () => import_node_auth5.refreshAuthFromServerWithValidation,
-  refreshCliSession: () => refreshCliSession,
+  decodeJwtPayload: () => decodeJwtPayload,
+  deleteCredentials: () => deleteCredentials,
+  exchangeCliAuthCode: () => exchangeCliAuthCode2,
+  getArchalDir: () => getArchalDir,
+  getConfiguredApiBaseUrl: () => getConfiguredApiBaseUrl2,
+  getConfiguredAuthBaseUrl: () => getConfiguredAuthBaseUrl2,
+  getCredentials: () => getCredentials2,
+  getJwtExpiry: () => getJwtExpiry,
+  getStoredCredentials: () => getStoredCredentials2,
+  isEntitled: () => isEntitled,
+  isPlan: () => isPlan,
+  refreshAuthFromServer: () => refreshAuthFromServer,
+  refreshAuthFromServerWithValidation: () => refreshAuthFromServerWithValidation,
+  refreshCliSession: () => refreshCliSession2,
   requireAuth: () => requireAuth,
-  resolveWhoamiAuthState: () => import_node_auth5.resolveWhoamiAuthState,
-  revokeCliSession: () => revokeCliSession,
-  saveCredentials: () => import_node_auth3.saveCredentials,
-  validateTokenWithServer: () => import_node_auth5.validateTokenWithServer
+  resolveWhoamiAuthState: () => resolveWhoamiAuthState,
+  revokeCliSession: () => revokeCliSession2,
+  saveCredentials: () => saveCredentials,
+  validateTokenWithServer: () => validateTokenWithServer
 });
-var import_node_auth5, REQUEST_METADATA2;
+var REQUEST_METADATA2;
 var init_auth = __esm({
   "src/auth/index.ts"() {
     "use strict";
@@ -31731,7 +32621,7 @@ var init_auth = __esm({
     init_credential_store();
     init_require_auth();
     init_token_exchange();
-    import_node_auth5 = require("@archal/node-auth");
+    init_dist3();
     init_version();
     init_logger();
     REQUEST_METADATA2 = {
@@ -31810,7 +32700,7 @@ function spawnWithTimeout(options) {
       stdio: pipeStdio ? "inherit" : "pipe",
       shell: process.platform === "win32"
     };
-    debug("Spawning process", { command, args: args.join(" "), timeoutMs });
+    debug3("Spawning process", { command, args: args.join(" "), timeoutMs });
     let child;
     try {
       child = (0, import_node_child_process2.spawn)(command, args, spawnOpts);
@@ -31825,7 +32715,7 @@ function spawnWithTimeout(options) {
     });
     const timer = setTimeout(() => {
       timedOut = true;
-      debug("Process timed out, killing", { command, timeoutMs });
+      debug3("Process timed out, killing", { command, timeoutMs });
       child.kill("SIGTERM");
       setTimeout(() => {
         if (!exited) {
@@ -31868,7 +32758,7 @@ function spawnWithTimeout(options) {
     child.on("close", (exitCode) => {
       clearTimeout(timer);
       const durationMs = Date.now() - startTime;
-      debug("Process exited", { command, exitCode, durationMs, timedOut, stdoutTruncated, stderrTruncated });
+      debug3("Process exited", { command, exitCode, durationMs, timedOut, stdoutTruncated, stderrTruncated });
       resolve15({
         exitCode,
         stdout: stdoutBuf,
@@ -31910,7 +32800,7 @@ var init_process = __esm({
 });
 
 // src/utils/fetch-retry.ts
-function resolveBackoffDelay(backoffMs, attempt, fallbackMs) {
+function resolveBackoffDelay2(backoffMs, attempt, fallbackMs) {
   const indexed = backoffMs[attempt];
   if (typeof indexed === "number" && Number.isFinite(indexed) && indexed >= 0) {
     return indexed;
@@ -31921,7 +32811,7 @@ function resolveBackoffDelay(backoffMs, attempt, fallbackMs) {
   }
   return fallbackMs;
 }
-async function fetchWithRetry(url2, init, options) {
+async function fetchWithRetry2(url2, init, options) {
   const maxRetries = options?.maxRetries ?? DEFAULT_MAX_RETRIES;
   const timeoutMs = options?.timeoutMs ?? DEFAULT_TIMEOUT_MS;
   const retryableStatusCodes = options?.retryableStatusCodes instanceof Set ? options.retryableStatusCodes : new Set(options?.retryableStatusCodes ?? DEFAULT_RETRYABLE_STATUS_CODES);
@@ -31944,19 +32834,19 @@ async function fetchWithRetry(url2, init, options) {
       if (response.ok || !retryableStatusCodes.has(response.status) || attempt >= maxRetries) {
         return response;
       }
-      debug(
+      debug3(
         `${label}: HTTP ${response.status} (attempt ${attempt + 1}/${maxRetries + 1}), retrying`
       );
       lastError = new Error(`HTTP ${response.status}`);
     } catch (err) {
       lastError = err;
       if (attempt >= maxRetries) break;
-      debug(
+      debug3(
         `${label}: fetch failed (attempt ${attempt + 1}/${maxRetries + 1}): ${errorMessage(err)}`
       );
     }
     if (attempt < maxRetries) {
-      const delay = resolveBackoffDelay(backoffMs, attempt, 3e3) + (jitter ? Math.floor(Math.random() * 500) : 0);
+      const delay = resolveBackoffDelay2(backoffMs, attempt, 3e3) + (jitter ? Math.floor(Math.random() * 500) : 0);
       await abortableSleep(delay, externalSignal);
     }
   }
@@ -32033,7 +32923,7 @@ function isRetryableNetworkError(error49) {
   return Boolean(causeCode && RETRYABLE_NETWORK_CODES.has(causeCode));
 }
 function resolveBaseUrl(_path) {
-  const apiBase = getConfiguredApiBaseUrl();
+  const apiBase = getConfiguredApiBaseUrl2();
   if (apiBase) {
     return { ok: true, baseUrl: apiBase };
   }
@@ -32060,7 +32950,7 @@ function parseErrorPayload(rawText) {
     if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) return null;
     return parsed;
   } catch (err) {
-    debug(`parseErrorPayload: non-JSON body: ${errorMessage(err)}`);
+    debug3(`parseErrorPayload: non-JSON body: ${errorMessage(err)}`);
     return null;
   }
 }
@@ -32077,20 +32967,20 @@ function buildHttpError(status, rawText) {
 }
 async function tryRefreshToken() {
   try {
-    const creds = getStoredCredentials();
+    const creds = getStoredCredentials2();
     if (!creds || !creds.refreshToken) {
-      debug("Token refresh skipped: no stored credentials or refresh token");
+      debug3("Token refresh skipped: no stored credentials or refresh token");
       return null;
     }
-    const refreshed = await refreshCliSession(creds);
+    const refreshed = await refreshCliSession2(creds);
     if (!refreshed) {
       warn(
         "Token refresh failed: server returned no credentials (session may have expired \u2014 run `archal login`)"
       );
       return null;
     }
-    (0, import_node_auth3.saveCredentials)(refreshed);
-    debug("Token refreshed successfully");
+    saveCredentials(refreshed);
+    debug3("Token refreshed successfully");
     return refreshed.token;
   } catch (err) {
     const msg = errorMessage(err);
@@ -32140,7 +33030,7 @@ async function request(method, path, token, body, timeoutOrOptions) {
         method,
         headers,
         body: body ? JSON.stringify(body) : void 0,
-        signal: AbortSignal.timeout(options.timeoutMs ?? REQUEST_TIMEOUT_MS)
+        signal: AbortSignal.timeout(options.timeoutMs ?? REQUEST_TIMEOUT_MS2)
       });
       if (!response.ok) {
         if (response.status === 401 && token && !refreshAttempted) {
@@ -32154,7 +33044,7 @@ async function request(method, path, token, body, timeoutOrOptions) {
           }
           if (retriesAllowed && !softAuthRetryAttempted && getMaxRetries() > 0 && token) {
             softAuthRetryAttempted = true;
-            debug(`401 on ${method} ${path}: soft-retrying once after backoff`);
+            debug3(`401 on ${method} ${path}: soft-retrying once after backoff`);
             await sleep(retryDelayMs(1, response.headers.get("retry-after")));
             attempt -= 1;
             continue;
@@ -32267,7 +33157,7 @@ function requestLlmCompletion(token, body) {
     LLM_PROXY_TIMEOUT_MS
   );
 }
-var REQUEST_TIMEOUT_MS, LLM_PROXY_TIMEOUT_MS, ERROR_BODY_PREVIEW_LENGTH, RETRYABLE_STATUS_CODES, NON_RETRYABLE_ERROR_CODES, RETRYABLE_NETWORK_CODES;
+var REQUEST_TIMEOUT_MS2, LLM_PROXY_TIMEOUT_MS, ERROR_BODY_PREVIEW_LENGTH, RETRYABLE_STATUS_CODES, NON_RETRYABLE_ERROR_CODES, RETRYABLE_NETWORK_CODES;
 var init_api_client = __esm({
   "src/api-client.ts"() {
     "use strict";
@@ -32275,7 +33165,7 @@ var init_api_client = __esm({
     init_version();
     init_logger();
     init_auth();
-    REQUEST_TIMEOUT_MS = 8e3;
+    REQUEST_TIMEOUT_MS2 = 8e3;
     LLM_PROXY_TIMEOUT_MS = 9e4;
     ERROR_BODY_PREVIEW_LENGTH = 200;
     RETRYABLE_STATUS_CODES = /* @__PURE__ */ new Set([408, 425, 429, 500, 502, 503, 504]);
@@ -32430,7 +33320,7 @@ var init_config_schemas = __esm({
 
 // src/config/config-loader.ts
 function getArchalDir2() {
-  return process.env["ARCHAL_HOME"] ?? (0, import_node_path3.join)((0, import_node_os2.homedir)(), ARCHAL_DIR_NAME);
+  return process.env["ARCHAL_HOME"] ?? (0, import_node_path3.join)((0, import_node_os2.homedir)(), ARCHAL_DIR_NAME2);
 }
 function getConfigPath() {
   return (0, import_node_path3.join)(getArchalDir2(), CONFIG_FILE_NAME);
@@ -32438,18 +33328,18 @@ function getConfigPath() {
 function getProjectConfigPath(cwd = process.cwd()) {
   return (0, import_node_path3.join)(cwd, ".archal.json");
 }
-function ensureArchalDir() {
+function ensureArchalDir2() {
   const dir = getArchalDir2();
   if (!(0, import_node_fs5.existsSync)(dir)) {
     (0, import_node_fs5.mkdirSync)(dir, { recursive: true });
-    debug("Created archal directory", { path: dir });
+    debug3("Created archal directory", { path: dir });
   }
   return dir;
 }
 function loadConfigFile() {
   const configPath = getConfigPath();
   if (!(0, import_node_fs5.existsSync)(configPath)) {
-    debug("No config file found, using defaults", { path: configPath });
+    debug3("No config file found, using defaults", { path: configPath });
     return configFileSchema.parse({});
   }
   try {
@@ -32469,7 +33359,7 @@ Warning: evaluator.provider="${String(evaluator["provider"])}" in ${configPath}
       }
     }
     const config2 = configFileSchema.parse(parsed);
-    debug("Loaded config file", { path: configPath });
+    debug3("Loaded config file", { path: configPath });
     return config2;
   } catch (err) {
     const message = errorMessage(err);
@@ -32500,10 +33390,10 @@ function writeConfigFile(configPath, config2) {
     encoding: "utf-8",
     mode: 384
   });
-  debug("Saved config file", { path: configPath });
+  debug3("Saved config file", { path: configPath });
 }
 function saveConfig(config2) {
-  const dir = ensureArchalDir();
+  const dir = ensureArchalDir2();
   const configPath = (0, import_node_path3.join)(dir, CONFIG_FILE_NAME);
   let existing;
   if ((0, import_node_fs5.existsSync)(configPath)) {
@@ -32545,7 +33435,7 @@ function initConfig() {
     return configPath;
   }
   const defaultConfig = configFileSchema.parse({});
-  ensureArchalDir();
+  ensureArchalDir2();
   (0, import_node_fs5.writeFileSync)(configPath, JSON.stringify(defaultConfig, null, 2) + "\n", {
     encoding: "utf-8",
     mode: 384
@@ -32575,7 +33465,7 @@ function saveProjectConfig(config2, cwd = process.cwd()) {
   });
   return projectConfigPath;
 }
-var import_node_fs5, import_node_path3, import_node_os2, ARCHAL_DIR_NAME, CONFIG_FILE_NAME;
+var import_node_fs5, import_node_path3, import_node_os2, ARCHAL_DIR_NAME2, CONFIG_FILE_NAME;
 var init_config_loader = __esm({
   "src/config/config-loader.ts"() {
     "use strict";
@@ -32585,7 +33475,7 @@ var init_config_loader = __esm({
     init_dist2();
     init_logger();
     init_config_schemas();
-    ARCHAL_DIR_NAME = ".archal";
+    ARCHAL_DIR_NAME2 = ".archal";
     CONFIG_FILE_NAME = "config.json";
   }
 });
@@ -32863,7 +33753,7 @@ var init_config_display = __esm({
 var config_exports = {};
 __export(config_exports, {
   bindConfigToLogin: () => bindConfigToLogin,
-  ensureArchalDir: () => ensureArchalDir,
+  ensureArchalDir: () => ensureArchalDir2,
   formatConfiguredSecret: () => formatConfiguredSecret,
   getArchalDir: () => getArchalDir2,
   getConfigDisplay: () => getConfigDisplay,
@@ -32975,9 +33865,9 @@ function buildModelBackendHint() {
 function buildOpenClawFailureMessage(parsed) {
   const status = parsed.status?.trim() || "unknown";
   const outputText = collectResponseText(parsed);
-  const errorMessage2 = parsed.error?.message?.trim();
+  const errorMessage22 = parsed.error?.message?.trim();
   let message = `OpenClaw returned non-success status: ${status}`;
-  const details = [errorMessage2, outputText].filter((value) => Boolean(value && value.trim())).join(" | ");
+  const details = [errorMessage22, outputText].filter((value) => Boolean(value && value.trim())).join(" | ");
   if (details) {
     message += `
 Gateway output: ${details.slice(0, 500)}`;
@@ -33097,7 +33987,7 @@ ${buildModelBackendHint()}`);
     clearTimeout(timer);
   }
 }
-async function consumeSSEStream(body, signal, debug3) {
+async function consumeSSEStream(body, signal, debug5) {
   const decoder = new TextDecoder();
   const reader = body.getReader();
   let buffer = "";
@@ -33132,7 +34022,7 @@ async function consumeSSEStream(body, signal, debug3) {
           eventCount++;
           const eventType = typeof event["type"] === "string" ? event["type"] : "";
           if (eventType) {
-            debug3("SSE event", { type: eventType, count: eventCount });
+            debug5("SSE event", { type: eventType, count: eventCount });
           }
           if (eventType === "response.completed" && event["response"]) {
             lastResponse = event["response"];
@@ -33144,7 +34034,7 @@ async function consumeSSEStream(body, signal, debug3) {
             }
           }
         } catch {
-          debug3("SSE parse error", { data: jsonStr.slice(0, 200) });
+          debug5("SSE parse error", { data: jsonStr.slice(0, 200) });
         }
         boundary = buffer.indexOf("\n\n");
       }
@@ -33167,7 +34057,7 @@ async function consumeSSEStream(body, signal, debug3) {
   return lastResponse;
 }
 async function executeOpenClawRemote(remoteConfig, scenario, runId, taskMessage, twinUrls, apiRouting, openclawEvalMode, logger) {
-  const debug3 = logger?.debug ?? (() => {
+  const debug5 = logger?.debug ?? (() => {
   });
   const info2 = logger?.info ?? (() => {
   });
@@ -33201,11 +34091,11 @@ async function executeOpenClawRemote(remoteConfig, scenario, runId, taskMessage,
       timeout: `${remoteConfig.timeoutMs}ms`,
       ...remoteConfig.agentId ? { agentId: remoteConfig.agentId } : {}
     });
-    debug3("Task message being sent to OpenClaw:", {
+    debug5("Task message being sent to OpenClaw:", {
       taskMessage: taskMessage.replace(/x-archal-admin-token:\s*\S+/gi, "x-archal-admin-token: [REDACTED]").replace(/Authorization:\s*Bearer\s+\S+/gi, "Authorization: Bearer [REDACTED]").slice(0, 2e3)
     });
-    debug3("Twin URLs:", { twinUrls: JSON.stringify(twinUrls) });
-    debug3("API routing:", {
+    debug5("Twin URLs:", { twinUrls: JSON.stringify(twinUrls) });
+    debug5("API routing:", {
       apiRouting: JSON.stringify({
         ...apiRouting,
         bearerToken: apiRouting?.bearerToken ? "[REDACTED]" : void 0,
@@ -33236,7 +34126,7 @@ ${rawBody}${hint}`.trim(),
     let parsed;
     if (isSSE && response.body) {
       info2("OpenClaw streaming SSE response detected");
-      parsed = await consumeSSEStream(response.body, controller.signal, debug3);
+      parsed = await consumeSSEStream(response.body, controller.signal, debug5);
     } else {
       const rawBody = await response.text();
       try {
@@ -33303,7 +34193,7 @@ ${buildModelBackendHint()}` : `OpenClaw error: ${parsed.error.message}`,
   }
 }
 var OPENCLAW_SUCCESS_STATUSES, OPENCLAW_BACKEND_FAILURE_PATTERNS;
-var init_dist3 = __esm({
+var init_dist4 = __esm({
   "../packages/openclaw-runtime/dist/index.js"() {
     "use strict";
     init_dist2();
@@ -42823,7 +43713,7 @@ function executeSeedCode(code, twinName, baseSeed, timeoutMs = DEFAULT_TIMEOUT_M
     };
   }
 }
-function debug2(logger, message, fields) {
+function debug4(logger, message, fields) {
   logger?.debug?.(message, fields);
 }
 function warn2(logger, message, fields) {
@@ -42887,23 +43777,23 @@ async function runLegacySeedCodegen(options) {
   } = options;
   const initialResponse = await generateText(initialPrompt);
   if (!initialResponse) {
-    debug2(logger, "Codegen: LLM returned empty response");
+    debug4(logger, "Codegen: LLM returned empty response");
     return null;
   }
   let generatedCode = extractExecutableCode(initialResponse);
-  debug2(logger, "Codegen: LLM raw response", { response: initialResponse.slice(0, 500) });
-  debug2(logger, "Codegen: executing generated code", {
+  debug4(logger, "Codegen: LLM raw response", { response: initialResponse.slice(0, 500) });
+  debug4(logger, "Codegen: executing generated code", {
     length: String(generatedCode.length),
     code: generatedCode.slice(0, 500)
   });
   let execution = executeSeedCode(generatedCode, twinName, baseSeedData);
   for (let repair = 1; repair <= maxRepairAttempts && !execution.ok; repair += 1) {
-    debug2(logger, `Codegen: attempt failed (repair ${repair}/${maxRepairAttempts})`, {
+    debug4(logger, `Codegen: attempt failed (repair ${repair}/${maxRepairAttempts})`, {
       type: execution.type,
       message: execution.message.slice(0, 300)
     });
     if (execution.type === "timeout") {
-      debug2(logger, "Codegen: aborting repair loop \u2014 timeout indicates infinite loop");
+      debug4(logger, "Codegen: aborting repair loop \u2014 timeout indicates infinite loop");
       return null;
     }
     if (deadline !== void 0 && Date.now() >= deadline) {
@@ -42912,13 +43802,13 @@ async function runLegacySeedCodegen(options) {
     }
     const repairResponse = await generateText(buildRepairPrompt2(generatedCode, execution.message));
     if (!repairResponse) {
-      debug2(logger, `Codegen: repair ${repair} \u2014 LLM returned empty response`);
+      debug4(logger, `Codegen: repair ${repair} \u2014 LLM returned empty response`);
       break;
     }
     generatedCode = extractExecutableCode(repairResponse);
     execution = executeSeedCode(generatedCode, twinName, baseSeedData);
     if (execution.ok) {
-      debug2(logger, `Codegen: repair ${repair} succeeded`);
+      debug4(logger, `Codegen: repair ${repair} succeeded`);
     }
   }
   if (!execution.ok) {
@@ -42931,7 +43821,7 @@ async function runLegacySeedCodegen(options) {
     if (deadline !== void 0 && Date.now() >= deadline) {
       return null;
     }
-    debug2(logger, "Codegen: trying simplified prompt with core functions only");
+    debug4(logger, "Codegen: trying simplified prompt with core functions only");
     const simplifiedResponse = await generateText(simplifiedPrompt);
     if (!simplifiedResponse) {
       return null;
@@ -42939,12 +43829,12 @@ async function runLegacySeedCodegen(options) {
     generatedCode = extractExecutableCode(simplifiedResponse);
     execution = executeSeedCode(generatedCode, twinName, baseSeedData);
     if (!execution.ok) {
-      debug2(logger, "Codegen: simplified prompt also failed", {
+      debug4(logger, "Codegen: simplified prompt also failed", {
         error: execution.message.slice(0, 200)
       });
       return null;
     }
-    debug2(logger, "Codegen: simplified prompt succeeded");
+    debug4(logger, "Codegen: simplified prompt succeeded");
   }
   return {
     execution,
@@ -43020,7 +43910,7 @@ ${setupDescription}
 Write ONLY JavaScript function calls. No imports, no markdown, no prose.`;
 }
 function resolveManagedApiBaseUrl() {
-  const apiBase = (0, import_node_auth6.getConfiguredApiBaseUrl)() ?? (0, import_node_auth6.getConfiguredAuthBaseUrl)();
+  const apiBase = getConfiguredApiBaseUrl() ?? getConfiguredAuthBaseUrl();
   if (apiBase) {
     return apiBase;
   }
@@ -43097,16 +43987,16 @@ async function withRetry2(fn, label) {
   throw lastError ?? new Error(`${label}: all ${MAX_RETRIES2 + 1} attempts failed`);
 }
 async function tryRefreshToken2() {
-  const stored = (0, import_node_auth6.getStoredCredentials)();
+  const stored = getStoredCredentials();
   if (!stored?.refreshToken) {
     return null;
   }
   try {
-    const refreshed = await (0, import_node_auth6.refreshCliSession)(stored);
+    const refreshed = await refreshCliSession(stored);
     if (!refreshed) {
       return null;
     }
-    (0, import_node_auth6.saveCredentials)(refreshed);
+    saveCredentials(refreshed);
     return refreshed.token;
   } catch {
     return null;
@@ -43158,7 +44048,7 @@ async function requestManagedSeedCompletion(token, body) {
   }
 }
 async function callManagedSeedLlm(options) {
-  const creds = (0, import_node_auth6.getCredentials)();
+  const creds = getCredentials();
   const token = creds?.token;
   const runtimeAdminToken = process.env["ARCHAL_RUNTIME_ADMIN_TOKEN"]?.trim();
   if (!token && !runtimeAdminToken) {
@@ -43289,7 +44179,7 @@ async function callSeedLlm(options) {
   if (routing === "direct-only" || options.apiKey.trim()) {
     return callDirectSeedLlm(options);
   }
-  const creds = (0, import_node_auth6.getCredentials)();
+  const creds = getCredentials();
   if (creds?.token || process.env["ARCHAL_RUNTIME_ADMIN_TOKEN"]?.trim()) {
     try {
       return await callManagedSeedLlm(options);
@@ -43581,14 +44471,14 @@ function augmentPlanFromDescription(plan, description, twinName) {
     planTypes.add(rule.type);
   }
 }
-var import_vm, import_node_auth6, MS_PER_DAY, ISSUE_TITLES, ISSUE_BODIES, PR_TITLES, CHANNEL_PURPOSES, MESSAGE_TEXTS, DEFAULT_REACTIONS, MAX_BULK_COUNT, SeedCollector, TWIN_CONTEXT_BUILDERS, FORBIDDEN_PATTERN, OBFUSCATION_PATTERNS, DEFAULT_TIMEOUT_MS2, SDK_DECLARATIONS, SDK_EXAMPLES, CODEGEN_SYSTEM_PROMPT, GEMINI_API_BASE_URL2, ANTHROPIC_API_URL2, OPENAI_API_URL2, ANTHROPIC_API_VERSION2, MANAGED_SEED_TIMEOUT_MS, DIRECT_SEED_TIMEOUT_MS, ERROR_BODY_PREVIEW_LENGTH3, RETRYABLE_STATUS_CODES3, MAX_RETRIES2, INITIAL_BACKOFF_MS2, MAX_JITTER_MS2, SeedLlmApiError, PLAN_SYSTEM_PROMPT, ENTITY_TYPE_TO_COLLECTION;
-var init_dist4 = __esm({
+var import_vm, MS_PER_DAY, ISSUE_TITLES, ISSUE_BODIES, PR_TITLES, CHANNEL_PURPOSES, MESSAGE_TEXTS, DEFAULT_REACTIONS, MAX_BULK_COUNT, SeedCollector, TWIN_CONTEXT_BUILDERS, FORBIDDEN_PATTERN, OBFUSCATION_PATTERNS, DEFAULT_TIMEOUT_MS2, SDK_DECLARATIONS, SDK_EXAMPLES, CODEGEN_SYSTEM_PROMPT, GEMINI_API_BASE_URL2, ANTHROPIC_API_URL2, OPENAI_API_URL2, ANTHROPIC_API_VERSION2, MANAGED_SEED_TIMEOUT_MS, DIRECT_SEED_TIMEOUT_MS, ERROR_BODY_PREVIEW_LENGTH3, RETRYABLE_STATUS_CODES3, MAX_RETRIES2, INITIAL_BACKOFF_MS2, MAX_JITTER_MS2, SeedLlmApiError, PLAN_SYSTEM_PROMPT, ENTITY_TYPE_TO_COLLECTION;
+var init_dist5 = __esm({
   "../packages/seed-codegen-runtime/dist/index.js"() {
     "use strict";
     import_vm = __toESM(require("vm"), 1);
     init_dist2();
     init_dist2();
-    import_node_auth6 = require("@archal/node-auth");
+    init_dist3();
     MS_PER_DAY = 864e5;
     ISSUE_TITLES = [
       "Fix login redirect loop on Safari",
@@ -48600,14 +49490,14 @@ function applyPlanDrivenFill(seed, plan, forTwin) {
     filled += 6;
   }
   if (filled > 0) {
-    debug("Plan-driven fill: injected " + filled + " entities");
+    debug3("Plan-driven fill: injected " + filled + " entities");
   }
   return filled;
 }
 var init_plan_fill = __esm({
   "src/runner/seed/plan-fill.ts"() {
     "use strict";
-    init_dist4();
+    init_dist5();
     init_logger();
     init_fill_templates();
   }
@@ -49083,7 +49973,7 @@ function autoFillMissingFKs(seed, twinName) {
       if (needsFill) {
         if (rule.optional) {
           if (currentValue !== void 0 && currentValue !== null && !validTargetSet.has(String(currentValue))) {
-            debug(
+            debug3(
               `Auto-filling ${rule.sourceCollection}.${rule.sourceField} = null (was ${String(currentValue)} \u2014 invalid optional FK)`
             );
             e[rule.sourceField] = null;
@@ -49092,7 +49982,7 @@ function autoFillMissingFKs(seed, twinName) {
         }
         const fillValue = targetValues[fillIndex % targetValues.length];
         fillIndex++;
-        debug(
+        debug3(
           `Auto-filling ${rule.sourceCollection}.${rule.sourceField} = ${String(fillValue)} (from ${targetValues.length} ${rule.targetCollection})` + (currentValue != null ? ` (was ${String(currentValue)} \u2014 not in targets)` : "")
         );
         e[rule.sourceField] = fillValue;
@@ -49156,11 +50046,11 @@ function normalizeSeedData(seed, twinName) {
           if (wrongName in e) {
             if (!(correctName in e)) {
               e[correctName] = e[wrongName];
-              debug(
+              debug3(
                 `Seed normalization: renamed ${collection}.${wrongName} \u2192 ${correctName}`
               );
             } else {
-              debug(
+              debug3(
                 `Seed normalization: dropped duplicate ${collection}.${wrongName} (${correctName} already exists)`
               );
             }
@@ -49178,15 +50068,15 @@ function normalizeSeedData(seed, twinName) {
             const obj = e[field];
             const extracted = obj["login"] ?? obj["name"] ?? obj["value"] ?? obj["key"] ?? obj["id"] ?? obj["displayName"];
             if (typeof extracted === "string") {
-              debug(`Seed normalization: coerced ${collection}.${field} from object to string "${extracted}"`);
+              debug3(`Seed normalization: coerced ${collection}.${field} from object to string "${extracted}"`);
               e[field] = extracted;
             } else {
               const firstStr2 = Object.values(obj).find((v) => typeof v === "string");
               if (firstStr2) {
-                debug(`Seed normalization: coerced ${collection}.${field} from object to string "${firstStr2}" (fallback)`);
+                debug3(`Seed normalization: coerced ${collection}.${field} from object to string "${firstStr2}" (fallback)`);
                 e[field] = firstStr2;
               } else {
-                debug(`Seed normalization: could not coerce ${collection}.${field} from object to string, removing`);
+                debug3(`Seed normalization: could not coerce ${collection}.${field} from object to string, removing`);
                 delete e[field];
               }
             }
@@ -49212,7 +50102,7 @@ function normalizeSeedData(seed, twinName) {
       const e = entity;
       if ((!e["fullName"] || typeof e["fullName"] !== "string") && typeof e["owner"] === "string" && typeof e["name"] === "string") {
         e["fullName"] = `${e["owner"]}/${e["name"]}`;
-        debug(`Seed normalization: derived repos.fullName = "${e["fullName"]}"`);
+        debug3(`Seed normalization: derived repos.fullName = "${e["fullName"]}"`);
       }
     }
   }
@@ -51019,7 +51909,7 @@ function evictStaleEntries() {
       const age = now - (0, import_node_fs8.statSync)(filePath).mtimeMs;
       if (age > MAX_AGE_MS) {
         (0, import_node_fs8.unlinkSync)(filePath);
-        debug("Evicted stale cache entry", { file: file2 });
+        debug3("Evicted stale cache entry", { file: file2 });
       }
     }
   } catch (evictErr) {
@@ -51056,7 +51946,7 @@ function getCachedSeed(twinName, baseSeedName, setupText, scope) {
       }
       return null;
     }
-    debug("Seed cache hit", { twin: twinName, baseSeed: baseSeedName, key });
+    debug3("Seed cache hit", { twin: twinName, baseSeed: baseSeedName, key });
     return { seed: entry.seed, patch: entry.patch };
   } catch {
     warn("Failed to read seed cache entry");
@@ -51077,7 +51967,7 @@ function cacheSeed(twinName, baseSeedName, setupText, seed, patch, scope, genera
     } = cacheFilePathScoped(twinName, baseSeedName, setupText, scope);
     const mismatches = verifySeedCounts(setupText, seed);
     if (mismatches.length > 0) {
-      debug("Skipping cache write \u2014 seed failed count verification", {
+      debug3("Skipping cache write \u2014 seed failed count verification", {
         twin: twinName,
         mismatches: mismatches.map((m) => `${m.subject}: ${m.expected} vs ${m.actual}`).join("; ")
       });
@@ -51098,7 +51988,7 @@ function cacheSeed(twinName, baseSeedName, setupText, seed, patch, scope, genera
       ...generatedCode !== void 0 && { generatedCode }
     };
     (0, import_node_fs8.writeFileSync)(filePath, JSON.stringify(entry));
-    debug("Seed cached", { twin: twinName, baseSeed: baseSeedName, key });
+    debug3("Seed cached", { twin: twinName, baseSeed: baseSeedName, key });
   } catch {
     warn("Failed to write seed cache entry");
   }
@@ -51115,10 +52005,10 @@ function getNegativeSeed(twinName, baseSeedName, setupText, scope) {
     }
     const entry = JSON.parse(raw);
     if (entry.version !== NEGATIVE_CACHE_VERSION) {
-      debug("Negative seed cache version mismatch, ignoring cached entry");
+      debug3("Negative seed cache version mismatch, ignoring cached entry");
       return null;
     }
-    debug("Negative seed cache hit", { twin: twinName, baseSeed: baseSeedName, key });
+    debug3("Negative seed cache hit", { twin: twinName, baseSeed: baseSeedName, key });
     return { missingSlots: entry.missingSlots };
   } catch {
     warn("Failed to read negative seed cache entry");
@@ -51149,7 +52039,7 @@ function cacheNegativeSeed(twinName, baseSeedName, setupText, missingSlots, scop
       createdAt: (/* @__PURE__ */ new Date()).toISOString()
     };
     (0, import_node_fs8.writeFileSync)(filePath, JSON.stringify(entry));
-    debug("Negative seed cached", { twin: twinName, baseSeed: baseSeedName, key });
+    debug3("Negative seed cached", { twin: twinName, baseSeed: baseSeedName, key });
   } catch {
     warn("Failed to write negative seed cache entry");
   }
@@ -51163,7 +52053,7 @@ function clearSeedCache() {
         (0, import_node_fs8.unlinkSync)((0, import_node_path6.join)(CACHE_DIR, file2));
       }
     }
-    debug("Seed cache cleared");
+    debug3("Seed cache cleared");
   } catch {
     warn("Failed to clear seed cache");
   }
@@ -51349,7 +52239,7 @@ async function callCodegenLlm(options, cooldownKey = "__global__") {
         `ARCHAL_SEED_MODEL_OVERRIDE=${override} but ${keyEnv ?? `<unknown provider "${provider ?? ""}"`} is not set`
       );
     }
-    debug(`Using seed model override: ${provider ?? ""}/${model}`);
+    debug3(`Using seed model override: ${provider ?? ""}/${model}`);
     return callSeedLlm({
       ...options,
       provider: provider ?? "",
@@ -51360,7 +52250,7 @@ async function callCodegenLlm(options, cooldownKey = "__global__") {
   }
   const fallback = resolveDirectSeedFallback();
   if (fallback && isManagedSeedBackendCoolingDown(cooldownKey)) {
-    debug("Managed seed backend is cooling down; using direct fallback", {
+    debug3("Managed seed backend is cooling down; using direct fallback", {
       provider: fallback.provider,
       model: fallback.model
     });
@@ -51398,7 +52288,7 @@ var MANAGED_SEED_CODEGEN_MODEL, DIRECT_SEED_FALLBACK_OPENAI_MODEL, DIRECT_SEED_F
 var init_seed_codegen_llm = __esm({
   "src/runner/seed/seed-codegen-llm.ts"() {
     "use strict";
-    init_dist4();
+    init_dist5();
     init_logger();
     init_session_context();
     MANAGED_SEED_CODEGEN_MODEL = "claude-sonnet-4-6";
@@ -51548,15 +52438,15 @@ ${example}`;
 }
 async function enrichSeedWithLlm(seed, twinName, setupDescription, deadline, cooldownKey = "__global__") {
   if (Date.now() >= deadline) {
-    debug("Enrich: skipped \u2014 budget exhausted");
+    debug3("Enrich: skipped \u2014 budget exhausted");
     return 0;
   }
   const snapshot = buildEnrichableSnapshot(seed, twinName);
   if (!snapshot) {
-    debug("Enrich: skipped \u2014 no generic fields to enrich");
+    debug3("Enrich: skipped \u2014 no generic fields to enrich");
     return 0;
   }
-  debug("Enrich: calling LLM to replace generic values");
+  debug3("Enrich: calling LLM to replace generic values");
   try {
     const response = await callCodegenLlm({
       systemPrompt: ENRICH_SYSTEM_PROMPT,
@@ -51572,10 +52462,10 @@ ${snapshot}${buildFewShotExample(twinName)}`,
       responseFormat: "json"
     }, cooldownKey);
     const applied = applyEnrichments(seed, response);
-    debug("Enrich: applied " + applied + " field updates");
+    debug3("Enrich: applied " + applied + " field updates");
     return applied;
   } catch (error49) {
-    debug("Enrich: LLM call failed, continuing with generic values", {
+    debug3("Enrich: LLM call failed, continuing with generic values", {
       error: error49 instanceof Error ? error49.message : String(error49)
     });
     return 0;
@@ -51709,7 +52599,7 @@ function fixProjectKeys(seed, collectionName, issueCollectionName, fkField, issu
       alreadyMatched
     );
     if (!project) {
-      debug(`key-fixer: no project/team found to match prefix "${prefix}"`);
+      debug3(`key-fixer: no project/team found to match prefix "${prefix}"`);
       continue;
     }
     alreadyMatched.add(project["id"]);
@@ -51818,12 +52708,12 @@ function fixIssueKeys(seed, intent, twinName, options) {
   for (const [prefix, expectedNumbers] of issueKeysByPrefix) {
     const projectId = projectKeyToId.get(prefix);
     if (projectId === void 0) {
-      debug(`key-fixer: no project/team with key="${prefix}" found, skipping issue renumbering`);
+      debug3(`key-fixer: no project/team with key="${prefix}" found, skipping issue renumbering`);
       continue;
     }
     const projectIssues = issues.filter((issue2) => issue2[fkField] === projectId);
     if (projectIssues.length === 0 && !options?.fillMissing) {
-      debug(`key-fixer: no issues found for ${fkField}=${String(projectId)} (prefix="${prefix}")`);
+      debug3(`key-fixer: no issues found for ${fkField}=${String(projectId)} (prefix="${prefix}")`);
       continue;
     }
     projectIssues.sort((a, b) => {
@@ -51833,7 +52723,7 @@ function fixIssueKeys(seed, intent, twinName, options) {
     });
     const pairCount = Math.min(expectedNumbers.length, projectIssues.length);
     if (pairCount < expectedNumbers.length && !options?.fillMissing) {
-      debug(
+      debug3(
         `key-fixer: expected ${expectedNumbers.length} issues for prefix "${prefix}" but only found ${projectIssues.length} in seed`
       );
     }
@@ -51892,7 +52782,7 @@ function fixIssueKeys(seed, intent, twinName, options) {
   }
   cloned[issueCollectionName] = issues;
   if (fixes.length > 0) {
-    debug(`key-fixer: applied ${fixes.length} fix(es)`);
+    debug3(`key-fixer: applied ${fixes.length} fix(es)`);
   }
   return { seed: cloned, fixes };
 }
@@ -51961,7 +52851,7 @@ function patchStripeDollarsToCents(seed, setupText) {
     }
   }
   if (patches.length > 0) {
-    debug(`Numeric patcher: applied ${patches.length} dollar\u2192cents fix(es)`);
+    debug3(`Numeric patcher: applied ${patches.length} dollar\u2192cents fix(es)`);
   }
   return { seed: cloned, patches };
 }
@@ -52128,7 +53018,7 @@ function patchStripeAmountsByContext(seed, setupText) {
     }
   }
   if (patches.length > 0) {
-    debug(`Context patcher: applied ${patches.length} context-aware amount fix(es)`);
+    debug3(`Context patcher: applied ${patches.length} context-aware amount fix(es)`);
   }
   return { seed: cloned, patches };
 }
@@ -52223,7 +53113,7 @@ function patchIssueKeys(seed, setupText, twinName) {
     }
   }
   if (patches.length > 0) {
-    debug(`Numeric patcher: renumbered ${patches.length} issue key(s)`);
+    debug3(`Numeric patcher: renumbered ${patches.length} issue key(s)`);
   }
   return { seed: cloned, patches };
 }
@@ -52288,7 +53178,7 @@ function patchIssueStatuses(seed, setupText, twinName) {
   }
   if (patches.length > 0) {
     cloned["statuses"] = clonedStatuses;
-    debug(`Numeric patcher: applied ${patches.length} issue status fix(es)`);
+    debug3(`Numeric patcher: applied ${patches.length} issue status fix(es)`);
   }
   return { seed: cloned, patches };
 }
@@ -52368,7 +53258,7 @@ function patchGitHubPRNumbers(seed, setupText) {
     nextIdx++;
   }
   if (patches.length > 0) {
-    debug(`Numeric patcher: renumbered ${patches.length} GitHub PR(s)`);
+    debug3(`Numeric patcher: renumbered ${patches.length} GitHub PR(s)`);
   }
   return { seed: cloned, patches };
 }
@@ -52655,14 +53545,14 @@ ${fkDetails}
   if (countMismatches.length > 0) {
     const trimmed = trimSeedToExpectedCounts(finalSeed, countMismatches);
     if (trimmed > 0) {
-      debug(`${prefix}: trimmed ${trimmed} excess entities to match setup counts`);
+      debug3(`${prefix}: trimmed ${trimmed} excess entities to match setup counts`);
     }
   }
   if (intent) {
     const keyFixResult = fixIssueKeys(finalSeed, intent, twinName, { fillMissing: true });
     if (keyFixResult.fixes.length > 0) {
       finalSeed = keyFixResult.seed;
-      debug(`${prefix}: applied ${keyFixResult.fixes.length} key fix(es)`);
+      debug3(`${prefix}: applied ${keyFixResult.fixes.length} key fix(es)`);
       finalSeed = autoFillMissingFKs(finalSeed, twinName);
     }
   }
@@ -52675,7 +53565,7 @@ ${fkDetails}
     );
     if (numericPatches.length > 0) {
       finalSeed = patchedSeed;
-      debug(`Numeric patcher: ${numericPatches.length} fix(es) applied`);
+      debug3(`Numeric patcher: ${numericPatches.length} fix(es) applied`);
     }
   }
   const finalPatch = computeSeedPatch(baseSeedData, finalSeed);
@@ -52728,7 +53618,7 @@ function buildSeedCacheContext(twinName, systemPromptHash, intent, context) {
 async function tryCodegenPath(twinName, baseSeedData, setupDescription, intent, strictSeed, originalDescription, cooldownKey = "__global__") {
   const deadline = Date.now() + CODEGEN_TOTAL_BUDGET_MS;
   const planDescription = originalDescription ?? setupDescription;
-  debug("Plan+Fill: Phase 1 \u2014 planning entity creation");
+  debug3("Plan+Fill: Phase 1 \u2014 planning entity creation");
   let plan = null;
   try {
     const planResponse = await callCodegenLlm({
@@ -52739,13 +53629,13 @@ async function tryCodegenPath(twinName, baseSeedData, setupDescription, intent,
     }, cooldownKey);
     plan = parseSeedPlan(planResponse);
   } catch (error49) {
-    debug("Plan+Fill: Phase 1 failed, falling back to legacy", {
+    debug3("Plan+Fill: Phase 1 failed, falling back to legacy", {
       error: error49 instanceof Error ? error49.message : String(error49)
     });
   }
   if (!plan || plan.entities.length === 0) {
     if (twinName === "supabase") {
-      debug("Plan+Fill: Supabase \u2014 generating SQL directly from description (no plan)");
+      debug3("Plan+Fill: Supabase \u2014 generating SQL directly from description (no plan)");
       try {
         const sqlResponse = await callCodegenLlm({
           systemPrompt: SUPABASE_SQL_SYSTEM_PROMPT,
@@ -52764,16 +53654,16 @@ Generate the complete SQL script with CREATE TABLE, INSERT INTO, and any RLS pol
       }
       return { seed: {}, patch: { added: {}, removed: {}, modified: {} }, fromCache: false, source: "llm" };
     }
-    debug("Plan+Fill: No plan generated, falling back to legacy codegen");
+    debug3("Plan+Fill: No plan generated, falling back to legacy codegen");
     return tryCodegenPathLegacy(twinName, baseSeedData, setupDescription, intent, strictSeed, planDescription, deadline, cooldownKey);
   }
   augmentPlanFromDescription(plan, planDescription, twinName);
   plan = normalizePlan(plan);
-  debug("Plan+Fill: plan has " + plan.entities.length + " entity types", {
+  debug3("Plan+Fill: plan has " + plan.entities.length + " entity types", {
     types: plan.entities.map((e) => e.type).join(", ")
   });
   if (twinName === "supabase") {
-    debug("Plan+Fill: Supabase \u2014 generating SQL from plan");
+    debug3("Plan+Fill: Supabase \u2014 generating SQL from plan");
     try {
       const sqlPrompt = buildSupabaseSqlPrompt(plan, planDescription);
       const sqlResponse = await callCodegenLlm({
@@ -52784,7 +53674,7 @@ Generate the complete SQL script with CREATE TABLE, INSERT INTO, and any RLS pol
       }, cooldownKey);
       const sql = extractSupabaseSql(sqlResponse);
       if (sql.length > 50) {
-        debug("Plan+Fill: Supabase SQL generated (" + sql.length + " chars)");
+        debug3("Plan+Fill: Supabase SQL generated (" + sql.length + " chars)");
         return {
           seed: {},
           patch: { added: {}, removed: {}, modified: {} },
@@ -52794,7 +53684,7 @@ Generate the complete SQL script with CREATE TABLE, INSERT INTO, and any RLS pol
         };
       }
     } catch (error49) {
-      debug("Plan+Fill: Supabase SQL generation failed", {
+      debug3("Plan+Fill: Supabase SQL generation failed", {
         error: error49 instanceof Error ? error49.message : String(error49)
       });
     }
@@ -52812,7 +53702,7 @@ Generate the complete SQL script with CREATE TABLE, INSERT INTO, and any RLS pol
     }
   }
   const filled = applyPlanDrivenFill(finalSeed, plan, twinName);
-  debug("Plan+Fill: created " + filled + " entities deterministically");
+  debug3("Plan+Fill: created " + filled + " entities deterministically");
   finalSeed = normalizeSeedData(finalSeed, twinName);
   finalSeed = autoFillMissingFKs(finalSeed, twinName);
   await enrichSeedWithLlm(finalSeed, twinName, planDescription, deadline, cooldownKey);
@@ -52838,7 +53728,7 @@ async function tryCodegenPathLegacy(twinName, baseSeedData, setupDescription, in
     twinName,
     baseSeedData,
     initialPrompt: buildCodegenUserPrompt(twinName, setupDescription),
-    buildRepairPrompt: (generatedCode, errorMessage2) => buildRepairPrompt(twinName, generatedCode, errorMessage2),
+    buildRepairPrompt: (generatedCode, errorMessage3) => buildRepairPrompt(twinName, generatedCode, errorMessage3),
     simplifiedPrompt,
     deadline,
     generateText: async (userPrompt) => callCodegenLlm({
@@ -52848,7 +53738,7 @@ async function tryCodegenPathLegacy(twinName, baseSeedData, setupDescription, in
       responseFormat: "text"
     }, cooldownKey),
     logger: {
-      debug,
+      debug: debug3,
       warn
     }
   });
@@ -53051,7 +53941,7 @@ async function tryCodegenPathLegacy(twinName, baseSeedData, setupDescription, in
       }
     }
     if (needsFill) {
-      debug(`Codegen: deterministic fill \u2014 ${lines.length} supplementary calls`);
+      debug3(`Codegen: deterministic fill \u2014 ${lines.length} supplementary calls`);
       const fillResult = executeSeedCode(lines.join("\n"), twinName, baseSeedData);
       if (fillResult.ok) {
         let merged = 0;
@@ -53070,10 +53960,10 @@ async function tryCodegenPathLegacy(twinName, baseSeedData, setupDescription, in
             merged++;
           }
         }
-        debug(`Codegen: deterministic fill merged ${merged} entities`);
+        debug3(`Codegen: deterministic fill merged ${merged} entities`);
         finalSeed = autoFillMissingFKs(finalSeed, twinName);
       } else {
-        debug(`Codegen: deterministic fill failed: ${fillResult.message.slice(0, 200)}`);
+        debug3(`Codegen: deterministic fill failed: ${fillResult.message.slice(0, 200)}`);
       }
     }
   }
@@ -53107,7 +53997,7 @@ function buildSeedPromptHashInput() {
 async function generateDynamicSeed(twinName, baseSeedName, baseSeedData, setupDescription, config2, intent, context) {
   const scopedSetupDescription = config2.skipTwinScoping ? setupDescription : scopeSetupToTwin(twinName, setupDescription);
   if (scopedSetupDescription !== setupDescription) {
-    debug("Scoped setup description to twin context", {
+    debug3("Scoped setup description to twin context", {
       twin: twinName,
       originalLength: String(setupDescription.length),
       scopedLength: String(scopedSetupDescription.length)
@@ -53124,7 +54014,7 @@ async function generateDynamicSeed(twinName, baseSeedName, baseSeedData, setupDe
       return { seed: cached2.seed, patch: cached2.patch, fromCache: true, source: "cache" };
     }
   }
-  const creds = (0, import_node_auth7.getCredentials)();
+  const creds = getCredentials();
   const directFallback = resolveDirectSeedFallback();
   if (!creds?.token && !directFallback) {
     throw new DynamicSeedError(twinName, [
@@ -53194,13 +54084,13 @@ Hint: Dynamic seed generation failed for the "${twinName}" twin. Try adding a \`
 Use a documented seed name for ${twinName}, or inspect the twin package assets in this repo.`
   );
 }
-var import_node_crypto5, import_node_auth7, SEED_CODEGEN_MAX_TOKENS, MAX_CODEGEN_ATTEMPTS, SEED_CACHE_PROMPT_TEMPLATE_VERSION, CODEGEN_TOTAL_BUDGET_MS, SYSTEM_PROMPT_HASH;
+var import_node_crypto5, SEED_CODEGEN_MAX_TOKENS, MAX_CODEGEN_ATTEMPTS, SEED_CACHE_PROMPT_TEMPLATE_VERSION, CODEGEN_TOTAL_BUDGET_MS, SYSTEM_PROMPT_HASH;
 var init_dynamic_generator = __esm({
   "src/runner/seed/dynamic-generator.ts"() {
     "use strict";
     import_node_crypto5 = require("crypto");
-    import_node_auth7 = require("@archal/node-auth");
-    init_dist4();
+    init_dist3();
+    init_dist5();
     init_logger();
     init_plan_fill();
     init_patch();
@@ -53228,8 +54118,8 @@ __export(agent_http_exports, {
   collectTraceFromHttp: () => collectTraceFromHttp,
   pushStateToCloud: () => pushStateToCloud
 });
-async function fetchWithRetry2(url2, options, overrides) {
-  return fetchWithRetry(url2, options, {
+async function fetchWithRetry3(url2, options, overrides) {
+  return fetchWithRetry2(url2, options, {
     maxRetries: overrides?.retries ?? HTTP_COLLECT_RETRY.maxRetries,
     timeoutMs: overrides?.timeoutMs ?? HTTP_COLLECT_RETRY.timeoutMs,
     retryableStatusCodes: HTTP_RETRYABLE_STATUS_CODES,
@@ -53263,7 +54153,7 @@ async function collectStateFromHttp(twinUrls, bearerToken, adminAuth) {
   const headers = buildTwinHttpHeaders(bearerToken, adminAuth);
   for (const [name, baseUrl] of Object.entries(twinUrls)) {
     try {
-      const response = await fetchWithRetry2(`${twinBasePath(baseUrl)}/state`, { headers });
+      const response = await fetchWithRetry3(`${twinBasePath(baseUrl)}/state`, { headers });
       if (response.ok) {
         state[name] = await response.json();
       } else {
@@ -53296,7 +54186,7 @@ async function pushStateToCloud(twinUrls, seedSelections, bearerToken, adminAuth
       continue;
     }
     const url2 = `${twinBasePath(baseUrl)}/state`;
-    debug(`Pushing dynamic seed to ${sel.twinName}`, { url: url2 });
+    debug3(`Pushing dynamic seed to ${sel.twinName}`, { url: url2 });
     const payload = JSON.stringify(sel.seedData);
     let pushed = false;
     for (let warmupAttempt = 0; warmupAttempt <= HTTP_PUSH_WARMUP_RETRIES; warmupAttempt++) {
@@ -53305,7 +54195,7 @@ async function pushStateToCloud(twinUrls, seedSelections, bearerToken, adminAuth
           `Failed to push dynamic seed to twin "${sel.twinName}": run timeout exceeded during warmup`
         );
       }
-      const response = await fetchWithRetry2(
+      const response = await fetchWithRetry3(
         url2,
         {
           method: "PUT",
@@ -53326,7 +54216,7 @@ async function pushStateToCloud(twinUrls, seedSelections, bearerToken, adminAuth
       const text = await response.text().catch(() => "");
       const isWarmup = isTwinWorkerWarmupResponse(response.status, text);
       if (isWarmup && warmupAttempt < HTTP_PUSH_WARMUP_RETRIES) {
-        const delay = resolveBackoffDelay(
+        const delay = resolveBackoffDelay2(
           HTTP_PUSH_WARMUP_BACKOFF_MS,
           warmupAttempt,
           DEFAULT_WARMUP_BACKOFF_MS
@@ -53346,7 +54236,7 @@ async function pushStateToCloud(twinUrls, seedSelections, bearerToken, adminAuth
         `Failed to push dynamic seed to twin "${sel.twinName}": worker warmup did not complete in time`
       );
     }
-    debug(`Pushed dynamic seed to ${sel.twinName} successfully`);
+    debug3(`Pushed dynamic seed to ${sel.twinName} successfully`);
   }
 }
 async function collectTraceFromHttp(twinUrls, bearerToken, adminAuth, context) {
@@ -53356,7 +54246,7 @@ async function collectTraceFromHttp(twinUrls, bearerToken, adminAuth, context) {
   for (const [name, baseUrl] of Object.entries(twinUrls)) {
     const traceUrl = `${twinBasePath(baseUrl)}/trace`;
     try {
-      const response = await fetchWithRetry2(traceUrl, { headers });
+      const response = await fetchWithRetry3(traceUrl, { headers });
       if (response.ok) {
         const entries = await response.json();
         for (const entry of entries) {
@@ -53414,7 +54304,7 @@ async function collectEventsFromHttp(twinUrls, bearerToken, adminAuth) {
   for (const [name, baseUrl] of Object.entries(twinUrls)) {
     const eventsUrl = `${twinBasePath(baseUrl)}/events`;
     try {
-      const response = await fetchWithRetry2(eventsUrl, { headers });
+      const response = await fetchWithRetry3(eventsUrl, { headers });
       if (response.ok) {
         result[name] = await response.json();
       } else {
@@ -53433,7 +54323,7 @@ function cleanupTempFiles(mcpConfigPath) {
     } catch (err) {
       const code = err instanceof Error && "code" in err ? err.code : void 0;
       if (code !== "ENOENT") {
-        debug(`Failed to clean up temp file ${file2}: ${errorMessage(err)}`);
+        debug3(`Failed to clean up temp file ${file2}: ${errorMessage(err)}`);
       }
     }
   }
@@ -53506,8 +54396,8 @@ function isStringRecord(v) {
   return typeof v === "object" && v !== null && !Array.isArray(v);
 }
 function readPackageJson(path) {
-  if (!(0, import_fs.existsSync)(path)) return void 0;
-  const content = (0, import_fs.readFileSync)(path, "utf-8");
+  if (!(0, import_fs2.existsSync)(path)) return void 0;
+  const content = (0, import_fs2.readFileSync)(path, "utf-8");
   let parsed;
   try {
     parsed = JSON.parse(content);
@@ -53532,7 +54422,7 @@ function readPackageJson(path) {
   };
 }
 function hasFile(repoPath, relativePath) {
-  return (0, import_fs.existsSync)((0, import_path.join)(repoPath, relativePath));
+  return (0, import_fs2.existsSync)((0, import_path2.join)(repoPath, relativePath));
 }
 function quoteJsonCommand(parts) {
   return `[${parts.map((part) => JSON.stringify(part)).join(", ")}]`;
@@ -53588,7 +54478,7 @@ function resolveNodeLaunchCommand(repoPath, pkg, packageManager) {
   return void 0;
 }
 function maybeGenerateNodeDockerfile(repoPath) {
-  const packageJsonPath = (0, import_path.join)(repoPath, "package.json");
+  const packageJsonPath = (0, import_path2.join)(repoPath, "package.json");
   const pkg = readPackageJson(packageJsonPath);
   if (!pkg) return void 0;
   const packageManager = detectPackageManager(pkg, repoPath);
@@ -53616,16 +54506,16 @@ function maybeGenerateNodeDockerfile(repoPath) {
   };
 }
 function maybeGenerateSharedLibNodeDockerfile(repoPath) {
-  const packageJsonPath = (0, import_path.join)(repoPath, "package.json");
+  const packageJsonPath = (0, import_path2.join)(repoPath, "package.json");
   const pkg = readPackageJson(packageJsonPath);
   if (!pkg) return void 0;
-  const harnessDirName = (0, import_path.basename)(repoPath);
-  const parentDir = (0, import_path.dirname)(repoPath);
-  const sharedLibDir = (0, import_path.join)(parentDir, "_lib");
-  if (!(0, import_fs.existsSync)(sharedLibDir)) return void 0;
+  const harnessDirName = (0, import_path2.basename)(repoPath);
+  const parentDir = (0, import_path2.dirname)(repoPath);
+  const sharedLibDir = (0, import_path2.join)(parentDir, "_lib");
+  if (!(0, import_fs2.existsSync)(sharedLibDir)) return void 0;
   let hasSharedLibFiles;
   try {
-    hasSharedLibFiles = (0, import_fs.readdirSync)(sharedLibDir).some((f) => f.endsWith(".mjs") || f.endsWith(".js"));
+    hasSharedLibFiles = (0, import_fs2.readdirSync)(sharedLibDir).some((f) => f.endsWith(".mjs") || f.endsWith(".js"));
   } catch {
     return void 0;
   }
@@ -53736,8 +54626,8 @@ function generateDockerfile(repoPath) {
 }
 function resolveExplicitDockerfile(repoPath, rawPath) {
   const trimmed = rawPath.trim();
-  const dockerfilePath = (0, import_path.resolve)(repoPath, trimmed);
-  if (!(0, import_fs.existsSync)(dockerfilePath) || !(0, import_fs.statSync)(dockerfilePath).isFile()) {
+  const dockerfilePath = (0, import_path2.resolve)(repoPath, trimmed);
+  if (!(0, import_fs2.existsSync)(dockerfilePath) || !(0, import_fs2.statSync)(dockerfilePath).isFile()) {
     throw new DockerfileError(
       "invalid_path",
       `Dockerfile path does not exist: ${dockerfilePath}`,
@@ -53747,7 +54637,7 @@ function resolveExplicitDockerfile(repoPath, rawPath) {
   return dockerfilePath;
 }
 function resolveDockerfile(repoPathInput, options) {
-  const repoPath = (0, import_path.resolve)(repoPathInput);
+  const repoPath = (0, import_path2.resolve)(repoPathInput);
   if (options?.explicitDockerfile?.trim()) {
     const dockerfilePath = resolveExplicitDockerfile(repoPath, options.explicitDockerfile);
     return {
@@ -53757,8 +54647,8 @@ function resolveDockerfile(repoPathInput, options) {
       summary: `using explicit Dockerfile ${dockerfilePath}`
     };
   }
-  const rootDockerfile = (0, import_path.join)(repoPath, "Dockerfile");
-  if ((0, import_fs.existsSync)(rootDockerfile) && (0, import_fs.statSync)(rootDockerfile).isFile()) {
+  const rootDockerfile = (0, import_path2.join)(repoPath, "Dockerfile");
+  if ((0, import_fs2.existsSync)(rootDockerfile) && (0, import_fs2.statSync)(rootDockerfile).isFile()) {
     return {
       source: "existing",
       path: rootDockerfile,
@@ -53781,8 +54671,8 @@ function resolveDockerfile(repoPathInput, options) {
       "Pass a generatedDockerfilePath to resolveDockerfile."
     );
   }
-  const generatedPath = (0, import_path.resolve)(options.generatedDockerfilePath);
-  (0, import_fs.writeFileSync)(generatedPath, generated.contents, "utf-8");
+  const generatedPath = (0, import_path2.resolve)(options.generatedDockerfilePath);
+  (0, import_fs2.writeFileSync)(generatedPath, generated.contents, "utf-8");
   return {
     source: "generated",
     path: generatedPath,
@@ -53792,29 +54682,29 @@ function resolveDockerfile(repoPathInput, options) {
   };
 }
 function generateCertAuthority() {
-  const { publicKey, privateKey } = (0, import_crypto2.generateKeyPairSync)("rsa", {
+  const { publicKey, privateKey } = (0, import_crypto3.generateKeyPairSync)("rsa", {
     modulusLength: 2048
   });
   const certPem = generateSelfSignedCert(publicKey, privateKey, CA_COMMON_NAME, true);
   const keyPem = privateKey.export({ type: "pkcs8", format: "pem" });
-  const dir = (0, import_fs3.mkdtempSync)((0, import_path3.join)((0, import_os2.tmpdir)(), "archal-sandbox-ca-"));
-  const certPath = (0, import_path3.join)(dir, "ca.crt");
-  const keyPath = (0, import_path3.join)(dir, "ca.key");
-  (0, import_fs3.writeFileSync)(certPath, certPem);
-  (0, import_fs3.writeFileSync)(keyPath, keyPem);
+  const dir = (0, import_fs4.mkdtempSync)((0, import_path4.join)((0, import_os3.tmpdir)(), "archal-sandbox-ca-"));
+  const certPath = (0, import_path4.join)(dir, "ca.crt");
+  const keyPath = (0, import_path4.join)(dir, "ca.key");
+  (0, import_fs4.writeFileSync)(certPath, certPem);
+  (0, import_fs4.writeFileSync)(keyPath, keyPem);
   return { certPem, keyPem, certPath, keyPath, dir };
 }
 function destroyCertAuthority(ca) {
-  (0, import_fs3.rmSync)(ca.dir, { recursive: true, force: true });
+  (0, import_fs4.rmSync)(ca.dir, { recursive: true, force: true });
 }
 function caFingerprint(ca) {
-  return (0, import_crypto2.createHash)("sha256").update(ca.certPem).digest("hex").slice(0, 16);
+  return (0, import_crypto3.createHash)("sha256").update(ca.certPem).digest("hex").slice(0, 16);
 }
 function getDomainCert(domain2, ca) {
   const cacheKey2 = `${caFingerprint(ca)}:${domain2}`;
   const cached2 = domainCertCache.get(cacheKey2);
   if (cached2) return cached2;
-  const { publicKey, privateKey } = (0, import_crypto2.generateKeyPairSync)("rsa", {
+  const { publicKey, privateKey } = (0, import_crypto3.generateKeyPairSync)("rsa", {
     modulusLength: 2048
   });
   const certPem = generateSignedCert(publicKey, privateKey, domain2, ca);
@@ -53827,12 +54717,12 @@ function generateSelfSignedCert(publicKey, privateKey, cn, isCA) {
   return buildMinimalX509(publicKey, privateKey, cn, isCA);
 }
 function generateSignedCert(publicKey, _privateKey, domain2, ca) {
-  const caKey = (0, import_crypto2.createPrivateKey)(ca.keyPem);
+  const caKey = (0, import_crypto3.createPrivateKey)(ca.keyPem);
   return buildMinimalX509(publicKey, caKey, domain2, false);
 }
 function buildMinimalX509(subjectPublicKey, signingKey, cn, isCA) {
   const spkiDer = subjectPublicKey.export({ type: "spki", format: "der" });
-  const serial = (0, import_crypto2.randomBytes)(16);
+  const serial = (0, import_crypto3.randomBytes)(16);
   serial[0] = serial[0] & 127;
   const now = /* @__PURE__ */ new Date();
   const notBefore = new Date(now.getTime() - 6e4);
@@ -53846,7 +54736,7 @@ function buildMinimalX509(subjectPublicKey, signingKey, cn, isCA) {
     spkiDer,
     isCA
   });
-  const signer = (0, import_crypto2.createSign)("SHA256");
+  const signer = (0, import_crypto3.createSign)("SHA256");
   signer.update(tbs);
   const signature = signer.sign(signingKey);
   const certDer = derSequence([
@@ -54726,7 +55616,7 @@ function generateHostsEntries(cloudTwinUrls) {
 }
 function isDockerAvailable() {
   try {
-    (0, import_child_process.execFileSync)("docker", ["info"], { stdio: "pipe", timeout: 1e4 });
+    (0, import_child_process2.execFileSync)("docker", ["info"], { stdio: "pipe", timeout: 1e4 });
     return true;
   } catch {
     return false;
@@ -54743,47 +55633,47 @@ function formatExecError(err) {
   return String(err);
 }
 function resolveLocalSandboxBuildTarget() {
-  const moduleDir = typeof import_meta3?.url === "string" ? (0, import_path4.dirname)((0, import_url.fileURLToPath)(import_meta3.url)) : typeof __dirname === "string" ? __dirname : process.cwd();
+  const moduleDir = typeof import_meta3?.url === "string" ? (0, import_path5.dirname)((0, import_url.fileURLToPath)(import_meta3.url)) : typeof __dirname === "string" ? __dirname : process.cwd();
   const candidates = [
     {
-      dockerfile: (0, import_path4.resolve)(process.cwd(), "packages/sandbox-runtime/docker/sandbox/Dockerfile"),
-      contextDir: (0, import_path4.resolve)(process.cwd(), "packages/sandbox-runtime")
+      dockerfile: (0, import_path5.resolve)(process.cwd(), "packages/sandbox-runtime/docker/sandbox/Dockerfile"),
+      contextDir: (0, import_path5.resolve)(process.cwd(), "packages/sandbox-runtime")
     },
     {
-      dockerfile: (0, import_path4.resolve)(process.cwd(), "cli/docker/sandbox/Dockerfile"),
-      contextDir: (0, import_path4.resolve)(process.cwd(), "cli")
+      dockerfile: (0, import_path5.resolve)(process.cwd(), "cli/docker/sandbox/Dockerfile"),
+      contextDir: (0, import_path5.resolve)(process.cwd(), "cli")
     },
     {
-      dockerfile: (0, import_path4.resolve)(process.cwd(), "docker/sandbox/Dockerfile"),
+      dockerfile: (0, import_path5.resolve)(process.cwd(), "docker/sandbox/Dockerfile"),
       contextDir: process.cwd()
     },
     {
-      dockerfile: (0, import_path4.resolve)(moduleDir, "../docker/sandbox/Dockerfile"),
-      contextDir: (0, import_path4.resolve)(moduleDir, "..")
+      dockerfile: (0, import_path5.resolve)(moduleDir, "../docker/sandbox/Dockerfile"),
+      contextDir: (0, import_path5.resolve)(moduleDir, "..")
     },
     {
-      dockerfile: (0, import_path4.resolve)(moduleDir, "../../docker/sandbox/Dockerfile"),
-      contextDir: (0, import_path4.resolve)(moduleDir, "../..")
+      dockerfile: (0, import_path5.resolve)(moduleDir, "../../docker/sandbox/Dockerfile"),
+      contextDir: (0, import_path5.resolve)(moduleDir, "../..")
     }
   ];
-  return candidates.find((candidate) => (0, import_fs4.existsSync)(candidate.dockerfile));
+  return candidates.find((candidate) => (0, import_fs5.existsSync)(candidate.dockerfile));
 }
 function getSandboxRuntimeDependencyPaths(target) {
   return [
     target.dockerfile,
-    (0, import_path4.resolve)(target.contextDir, "docker/sandbox/entrypoint.sh"),
-    (0, import_path4.resolve)(target.contextDir, "src/sandbox/proxy-entry.ts"),
-    (0, import_path4.resolve)(target.contextDir, "src/sandbox/proxy.ts"),
-    (0, import_path4.resolve)(target.contextDir, "src/sandbox/twins.ts"),
-    (0, import_path4.resolve)(target.contextDir, "src/sandbox/certs.ts")
-  ].filter((path) => (0, import_fs4.existsSync)(path));
+    (0, import_path5.resolve)(target.contextDir, "docker/sandbox/entrypoint.sh"),
+    (0, import_path5.resolve)(target.contextDir, "src/sandbox/proxy-entry.ts"),
+    (0, import_path5.resolve)(target.contextDir, "src/sandbox/proxy.ts"),
+    (0, import_path5.resolve)(target.contextDir, "src/sandbox/twins.ts"),
+    (0, import_path5.resolve)(target.contextDir, "src/sandbox/certs.ts")
+  ].filter((path) => (0, import_fs5.existsSync)(path));
 }
 function getNewestSandboxRuntimeMtimeMs(target) {
-  return getSandboxRuntimeDependencyPaths(target).map((path) => (0, import_fs4.statSync)(path).mtimeMs).reduce((max, mtimeMs) => Math.max(max, mtimeMs), 0);
+  return getSandboxRuntimeDependencyPaths(target).map((path) => (0, import_fs5.statSync)(path).mtimeMs).reduce((max, mtimeMs) => Math.max(max, mtimeMs), 0);
 }
 function getLocalImageCreatedAtMs(image) {
   try {
-    const created = (0, import_child_process.execFileSync)(
+    const created = (0, import_child_process2.execFileSync)(
       "docker",
       ["image", "inspect", image, "--format", "{{.Created}}"],
       { stdio: "pipe", timeout: 1e4 }
@@ -54826,7 +55716,7 @@ function buildSandboxImage(image, target, openclawVersion) {
   try {
     const effectiveVersion = openclawVersion?.trim() || inferOpenclawVersionFromImage(image);
     const buildArgs = effectiveVersion ? ["--build-arg", `OPENCLAW_VERSION=${effectiveVersion}`] : [];
-    (0, import_child_process.execFileSync)(
+    (0, import_child_process2.execFileSync)(
       "docker",
       ["build", ...buildArgs, "-f", target.dockerfile, "-t", image, target.contextDir],
       { stdio: "pipe", timeout: 6e5 }
@@ -54842,7 +55732,7 @@ async function ensureSandboxImage(image, openclawVersion) {
   const requiresVersionedBuild = resolvedImage !== image;
   const isManagedImage = isManagedSandboxImage(resolvedImage);
   try {
-    (0, import_child_process.execFileSync)("docker", ["image", "inspect", resolvedImage], { stdio: "pipe", timeout: 1e4 });
+    (0, import_child_process2.execFileSync)("docker", ["image", "inspect", resolvedImage], { stdio: "pipe", timeout: 1e4 });
     if (target && shouldRebuildManagedSandboxImage(resolvedImage, target)) {
       return buildSandboxImage(resolvedImage, target, openclawVersion);
     }
@@ -54859,7 +55749,7 @@ async function ensureSandboxImage(image, openclawVersion) {
     return buildSandboxImage(resolvedImage, target, openclawVersion);
   }
   try {
-    (0, import_child_process.execFileSync)("docker", ["pull", resolvedImage], { stdio: "pipe", timeout: 3e5 });
+    (0, import_child_process2.execFileSync)("docker", ["pull", resolvedImage], { stdio: "pipe", timeout: 3e5 });
     return { ok: true, source: "pull" };
   } catch (pullErr) {
     if (!isManagedImage) {
@@ -54876,8 +55766,8 @@ async function ensureSandboxImage(image, openclawVersion) {
 }
 function launchSandbox(config2) {
   const image = config2.image ?? DEFAULT_SANDBOX_IMAGE;
-  const artifactsDir = (0, import_fs4.mkdtempSync)((0, import_path4.join)((0, import_os3.tmpdir)(), "archal-sandbox-"));
-  const proxyEventsHostPath = (0, import_path4.join)(artifactsDir, "proxy-events.ndjson");
+  const artifactsDir = (0, import_fs5.mkdtempSync)((0, import_path5.join)((0, import_os4.tmpdir)(), "archal-sandbox-"));
+  const proxyEventsHostPath = (0, import_path5.join)(artifactsDir, "proxy-events.ndjson");
   const proxyEventsContainerPath = "/archal-artifacts/proxy-events.ndjson";
   const mounts = [];
   mounts.push("-v", `${artifactsDir}:/archal-artifacts`);
@@ -54927,7 +55817,7 @@ function spawnWithTimeout2(command, args, timeoutMs, artifacts) {
       const proxyEvents = artifacts ? readProxyEvents(artifacts.proxyEventsHostPath) : [];
       if (artifacts) {
         try {
-          (0, import_fs4.rmSync)(artifacts.cleanupPath, { recursive: true, force: true });
+          (0, import_fs5.rmSync)(artifacts.cleanupPath, { recursive: true, force: true });
         } catch {
         }
       }
@@ -54936,7 +55826,7 @@ function spawnWithTimeout2(command, args, timeoutMs, artifacts) {
         proxyEvents
       });
     };
-    const child = (0, import_child_process.spawn)(command, args, {
+    const child = (0, import_child_process2.spawn)(command, args, {
       stdio: ["ignore", "pipe", "pipe"]
     });
     child.stdout?.on("data", (chunk) => {
@@ -54980,7 +55870,7 @@ function spawnWithTimeout2(command, args, timeoutMs, artifacts) {
 }
 function readProxyEvents(path) {
   try {
-    const raw = (0, import_fs4.readFileSync)(path, "utf8").trim();
+    const raw = (0, import_fs5.readFileSync)(path, "utf8").trim();
     if (!raw) return [];
     return raw.split("\n").map((line) => {
       try {
@@ -54995,7 +55885,7 @@ function readProxyEvents(path) {
 }
 function runDockerCommand(args, timeoutMs) {
   return new Promise((resolveCommand) => {
-    const child = (0, import_child_process2.spawn)("docker", args, {
+    const child = (0, import_child_process3.spawn)("docker", args, {
       stdio: ["ignore", "pipe", "pipe"]
     });
     let stdout = "";
@@ -55051,7 +55941,7 @@ function runDockerCommand(args, timeoutMs) {
 }
 function getDockerBridgeGateway() {
   try {
-    const result = (0, import_child_process2.execSync)(
+    const result = (0, import_child_process3.execSync)(
       "docker network inspect bridge --format '{{(index .IPAM.Config 0).Gateway}}'",
       { encoding: "utf-8", timeout: 5e3 }
     ).trim();
@@ -55085,9 +55975,9 @@ function registerDockerCleanupHandlers(containerName, imageName, ownImage) {
     }
     cleaningUp = true;
     try {
-      (0, import_child_process2.spawnSync)("docker", ["rm", "-f", containerName], { stdio: "ignore", timeout: 5e3 });
+      (0, import_child_process3.spawnSync)("docker", ["rm", "-f", containerName], { stdio: "ignore", timeout: 5e3 });
       if (ownImage) {
-        (0, import_child_process2.spawnSync)("docker", ["image", "rm", "-f", imageName], { stdio: "ignore", timeout: 5e3 });
+        (0, import_child_process3.spawnSync)("docker", ["image", "rm", "-f", imageName], { stdio: "ignore", timeout: 5e3 });
       }
     } catch {
     }
@@ -55157,7 +56047,7 @@ function buildContainerEnv(config2, proxyPort) {
   return env;
 }
 function writeMountedConfigFiles(dir, cloudTwinUrls, authToken, caPath) {
-  (0, import_fs2.mkdirSync)(dir, { recursive: true });
+  (0, import_fs3.mkdirSync)(dir, { recursive: true });
   const restConfig = {
     restEndpoints: cloudTwinUrls,
     auth: {
@@ -55182,7 +56072,7 @@ function writeMountedConfigFiles(dir, cloudTwinUrls, authToken, caPath) {
       example: 'mcp__github__list_issues -> POST github-url/tools/call with { "name": "list_issues", "arguments": {} }'
     }
   };
-  (0, import_fs2.writeFileSync)((0, import_path2.join)(dir, "rest-config.json"), JSON.stringify(restConfig, null, 2) + "\n", "utf-8");
+  (0, import_fs3.writeFileSync)((0, import_path3.join)(dir, "rest-config.json"), JSON.stringify(restConfig, null, 2) + "\n", "utf-8");
   const mcpServers = {};
   for (const [twinName, baseUrl] of Object.entries(cloudTwinUrls)) {
     const trimmed = baseUrl.trim().replace(/\/+$/, "");
@@ -55192,9 +56082,9 @@ function writeMountedConfigFiles(dir, cloudTwinUrls, authToken, caPath) {
       headers: { Authorization: `Bearer ${authToken}` }
     };
   }
-  (0, import_fs2.writeFileSync)((0, import_path2.join)(dir, "mcp-config.json"), JSON.stringify({ mcpServers }, null, 2) + "\n", "utf-8");
-  (0, import_fs2.writeFileSync)((0, import_path2.join)(dir, "mcp-servers.json"), JSON.stringify(mcpServers), "utf-8");
-  (0, import_fs2.writeFileSync)((0, import_path2.join)(dir, "ca.crt"), (0, import_fs2.readFileSync)(caPath, "utf-8"), "utf-8");
+  (0, import_fs3.writeFileSync)((0, import_path3.join)(dir, "mcp-config.json"), JSON.stringify({ mcpServers }, null, 2) + "\n", "utf-8");
+  (0, import_fs3.writeFileSync)((0, import_path3.join)(dir, "mcp-servers.json"), JSON.stringify(mcpServers), "utf-8");
+  (0, import_fs3.writeFileSync)((0, import_path3.join)(dir, "ca.crt"), (0, import_fs3.readFileSync)(caPath, "utf-8"), "utf-8");
 }
 async function ensurePreparedImage(repoPath, dockerfilePath, image, timeoutMs) {
   const buildArgs = ["build", "-f", dockerfilePath, "-t", image, repoPath];
@@ -55217,12 +56107,12 @@ async function cleanupDockerImage(imageName) {
   await runDockerCommand(["image", "rm", "-f", imageName], 1e4);
 }
 async function buildDockerHarnessImage(repoPath, dockerfilePath, timeoutMs) {
-  const resolvedRepoPath = (0, import_path2.resolve)(repoPath);
+  const resolvedRepoPath = (0, import_path3.resolve)(repoPath);
   const dockerIdSuffix = `${Date.now().toString(36)}-${process.pid}`;
   const imageName = `archal/harness-${dockerIdSuffix}`;
-  const buildDir = (0, import_fs2.mkdtempSync)((0, import_path2.join)((0, import_os.tmpdir)(), "archal-harness-build-"));
+  const buildDir = (0, import_fs3.mkdtempSync)((0, import_path3.join)((0, import_os2.tmpdir)(), "archal-harness-build-"));
   try {
-    const generatedDockerfilePath = (0, import_path2.join)(buildDir, "Dockerfile.generated");
+    const generatedDockerfilePath = (0, import_path3.join)(buildDir, "Dockerfile.generated");
     let dockerfile;
     try {
       dockerfile = resolveDockerfile(resolvedRepoPath, {
@@ -55248,7 +56138,7 @@ async function buildDockerHarnessImage(repoPath, dockerfilePath, timeoutMs) {
     }
     return { ok: true, imageName };
   } finally {
-    (0, import_fs2.rmSync)(buildDir, { recursive: true, force: true });
+    (0, import_fs3.rmSync)(buildDir, { recursive: true, force: true });
   }
 }
 async function runDockerHarness(config2) {
@@ -55267,9 +56157,9 @@ async function runDockerHarness(config2) {
       "Install Docker Desktop or Docker Engine before using the Docker harness."
     ));
   }
-  const repoPath = (0, import_path2.resolve)(config2.repoPath);
-  const runDir = (0, import_fs2.mkdtempSync)((0, import_path2.join)((0, import_os.tmpdir)(), "archal-harness-"));
-  const generatedDockerfilePath = (0, import_path2.join)(runDir, "Dockerfile.generated");
+  const repoPath = (0, import_path3.resolve)(config2.repoPath);
+  const runDir = (0, import_fs3.mkdtempSync)((0, import_path3.join)((0, import_os2.tmpdir)(), "archal-harness-"));
+  const generatedDockerfilePath = (0, import_path3.join)(runDir, "Dockerfile.generated");
   const dockerIdSuffix = `${Date.now().toString(36)}-${process.pid}`;
   const imageName = config2.prebuiltImage ?? `archal/harness-${dockerIdSuffix}`;
   const containerName = `archal-harness-${dockerIdSuffix}`;
@@ -55318,24 +56208,24 @@ async function runDockerHarness(config2) {
       return fail(stageError("Docker harness attach failed", reason));
     }
     try {
-      const mountedConfigDir = (0, import_path2.join)(runDir, "out");
+      const mountedConfigDir = (0, import_path3.join)(runDir, "out");
       writeMountedConfigFiles(mountedConfigDir, config2.cloudTwinUrls, config2.authToken, ca.certPath);
       const env = buildContainerEnv(config2, proxy.port);
-      env["ARCHAL_MCP_SERVERS"] = (0, import_fs2.readFileSync)((0, import_path2.join)(mountedConfigDir, "mcp-servers.json"), "utf-8");
+      env["ARCHAL_MCP_SERVERS"] = (0, import_fs3.readFileSync)((0, import_path3.join)(mountedConfigDir, "mcp-servers.json"), "utf-8");
       const envFileLines = [];
       let multiLineIdx = 0;
       for (const [key, value] of Object.entries(env)) {
         if (value.includes("\n")) {
           const filename = `_env_${multiLineIdx++}_${key.toLowerCase()}`;
-          (0, import_fs2.writeFileSync)((0, import_path2.join)(mountedConfigDir, filename), value, { encoding: "utf-8", mode: 384 });
+          (0, import_fs3.writeFileSync)((0, import_path3.join)(mountedConfigDir, filename), value, { encoding: "utf-8", mode: 384 });
           envFileLines.push(`${key}_FILE=${OUTPUT_DIR_IN_CONTAINER}/${filename}`);
           envFileLines.push(`${key}=${OUTPUT_DIR_IN_CONTAINER}/${filename}`);
         } else {
           envFileLines.push(`${key}=${value}`);
         }
       }
-      const envFilePath = (0, import_path2.join)(runDir, ".env");
-      (0, import_fs2.writeFileSync)(envFilePath, envFileLines.join("\n") + "\n", { encoding: "utf-8", mode: 384 });
+      const envFilePath = (0, import_path3.join)(runDir, ".env");
+      (0, import_fs3.writeFileSync)(envFilePath, envFileLines.join("\n") + "\n", { encoding: "utf-8", mode: 384 });
       const args = [
         "run",
         "--rm",
@@ -55406,19 +56296,19 @@ async function runDockerHarness(config2) {
     }
     if (caDir) {
       try {
-        (0, import_fs2.rmSync)(caDir, { recursive: true, force: true });
+        (0, import_fs3.rmSync)(caDir, { recursive: true, force: true });
       } catch {
       }
     }
-    const envPath = (0, import_path2.join)(runDir, ".env");
+    const envPath = (0, import_path3.join)(runDir, ".env");
     try {
-      if ((0, import_fs2.existsSync)(envPath)) {
-        const size = (0, import_fs2.statSync)(envPath).size;
-        (0, import_fs2.writeFileSync)(envPath, Buffer.alloc(size, 0), { mode: 384 });
+      if ((0, import_fs3.existsSync)(envPath)) {
+        const size = (0, import_fs3.statSync)(envPath).size;
+        (0, import_fs3.writeFileSync)(envPath, Buffer.alloc(size, 0), { mode: 384 });
       }
     } catch {
     }
-    (0, import_fs2.rmSync)(runDir, { recursive: true, force: true });
+    (0, import_fs3.rmSync)(runDir, { recursive: true, force: true });
   }
 }
 async function runLocalProxy(config2, task, canaryFiles) {
@@ -55462,7 +56352,7 @@ async function runLocalProxy(config2, task, canaryFiles) {
     if (hostsEntries) {
       status("NOTE: For full interception in local mode, add these to /etc/hosts:\n" + hostsEntries);
     }
-    const workspace = config2.workspacePath ?? (0, import_path5.join)(process.env["HOME"] ?? "/root", ".openclaw");
+    const workspace = config2.workspacePath ?? (0, import_path6.join)(process.env["HOME"] ?? "/root", ".openclaw");
     const noProxyHosts = "127.0.0.1,localhost,.archal.ai";
     const env = {
       ...process.env,
@@ -55482,7 +56372,7 @@ async function runLocalProxy(config2, task, canaryFiles) {
       ...config2.openclawEvalMode === "isolated" ? { ARCHAL_SANDBOX_DISABLE_PLUGINS: "1" } : {},
       ...config2.openclawEvalMode ? { ARCHAL_OPENCLAW_EVAL_MODE: config2.openclawEvalMode } : {}
     };
-    if (canaryFiles && (0, import_fs5.existsSync)(workspace)) {
+    if (canaryFiles && (0, import_fs6.existsSync)(workspace)) {
       writeCanaryFiles(workspace, canaryFiles);
     }
     const result = await spawnAgent(workspace, task, env, config2.timeoutMs);
@@ -55497,24 +56387,24 @@ async function runLocalProxy(config2, task, canaryFiles) {
   }
 }
 function writeCanaryFiles(workspace, canaryFiles) {
-  const resolvedWorkspace = (0, import_path5.resolve)(workspace);
+  const resolvedWorkspace = (0, import_path6.resolve)(workspace);
   for (const [relativePath, content] of Object.entries(canaryFiles)) {
-    const filePath = (0, import_path5.resolve)(workspace, relativePath);
-    if (filePath !== resolvedWorkspace && !filePath.startsWith(resolvedWorkspace + import_path5.sep)) {
+    const filePath = (0, import_path6.resolve)(workspace, relativePath);
+    if (filePath !== resolvedWorkspace && !filePath.startsWith(resolvedWorkspace + import_path6.sep)) {
       throw new Error(`Canary path escapes sandbox root: ${relativePath}`);
     }
-    (0, import_fs5.mkdirSync)((0, import_path5.dirname)(filePath), { recursive: true });
-    (0, import_fs5.writeFileSync)(filePath, content);
+    (0, import_fs6.mkdirSync)((0, import_path6.dirname)(filePath), { recursive: true });
+    (0, import_fs6.writeFileSync)(filePath, content);
   }
 }
 function spawnAgent(workspace, task, env, timeoutMs) {
   return new Promise((resolve62) => {
     const agentName = env["ARCHAL_OPENCLAW_AGENT"] ?? "main";
-    const child = (0, import_child_process3.spawn)(
+    const child = (0, import_child_process4.spawn)(
       "openclaw",
       ["agent", "--agent", agentName, "--local", "--message", task, "--json"],
       {
-        cwd: (0, import_fs5.existsSync)(workspace) ? workspace : void 0,
+        cwd: (0, import_fs6.existsSync)(workspace) ? workspace : void 0,
         env,
         stdio: ["ignore", "pipe", "pipe"]
       }
@@ -55572,9 +56462,9 @@ function spawnAgent(workspace, task, env, timeoutMs) {
   });
 }
 function confinePath(root, relativePath) {
-  const resolvedRoot = (0, import_path6.resolve)(root);
-  const resolved = (0, import_path6.resolve)(root, relativePath);
-  if (resolved !== resolvedRoot && !resolved.startsWith(resolvedRoot + import_path6.sep)) {
+  const resolvedRoot = (0, import_path7.resolve)(root);
+  const resolved = (0, import_path7.resolve)(root, relativePath);
+  if (resolved !== resolvedRoot && !resolved.startsWith(resolvedRoot + import_path7.sep)) {
     throw new Error(`Canary path escapes sandbox root: ${relativePath}`);
   }
   return resolved;
@@ -55837,35 +56727,35 @@ async function runDockerSandbox(config2) {
     error: result.timedOut ? `Sandbox timed out after ${Math.round(config2.timeoutMs / 1e3)}s` : result.exitCode !== 0 ? `Sandbox exited with code ${result.exitCode}` : void 0
   };
 }
-var import_fs, import_path, import_fs2, import_os, import_path2, import_crypto2, import_fs3, import_path3, import_os2, import_http, import_https, import_tls, import_net, import_child_process, import_fs4, import_os3, import_path4, import_url, import_child_process2, import_child_process3, import_fs5, import_path5, import_path6, import_meta3, DockerfileError, NODE_SCRIPT_PRIORITY, CA_COMMON_NAME, CERT_VALIDITY_DAYS, domainCertCache, REQUEST_BODY_PREVIEW_HEAD_LIMIT, REQUEST_BODY_PREVIEW_TAIL_LIMIT, GITHUB_RESPONSE_HEADERS, PASSTHROUGH_CONNECT_TIMEOUT_MS, TWIN_DOMAINS, DEFAULT_SANDBOX_IMAGE, VERSIONED_SANDBOX_TAG_PREFIX, MAX_OUTPUT_BYTES, KILL_GRACE_MS, MAX_OUTPUT_BYTES2, OUTPUT_DIR_IN_CONTAINER, HOST_GATEWAY_NAME, BUILD_TIMEOUT_CAP_MS, SANDBOX_CANARY_TAG, CANARY_LEAK_ERROR_CODE, CANARY_VALUE_PATTERN, SANDBOX_FILES_BLOCK_PATTERN, SNIPPET_RADIUS, DOCKER_IMAGE_NAME;
-var init_dist5 = __esm({
+var import_fs2, import_path2, import_fs3, import_os2, import_path3, import_crypto3, import_fs4, import_path4, import_os3, import_http, import_https, import_tls, import_net, import_child_process2, import_fs5, import_os4, import_path5, import_url, import_child_process3, import_child_process4, import_fs6, import_path6, import_path7, import_meta3, DockerfileError, NODE_SCRIPT_PRIORITY, CA_COMMON_NAME, CERT_VALIDITY_DAYS, domainCertCache, REQUEST_BODY_PREVIEW_HEAD_LIMIT, REQUEST_BODY_PREVIEW_TAIL_LIMIT, GITHUB_RESPONSE_HEADERS, PASSTHROUGH_CONNECT_TIMEOUT_MS, TWIN_DOMAINS, DEFAULT_SANDBOX_IMAGE, VERSIONED_SANDBOX_TAG_PREFIX, MAX_OUTPUT_BYTES, KILL_GRACE_MS, MAX_OUTPUT_BYTES2, OUTPUT_DIR_IN_CONTAINER, HOST_GATEWAY_NAME, BUILD_TIMEOUT_CAP_MS, SANDBOX_CANARY_TAG, CANARY_LEAK_ERROR_CODE, CANARY_VALUE_PATTERN, SANDBOX_FILES_BLOCK_PATTERN, SNIPPET_RADIUS, DOCKER_IMAGE_NAME;
+var init_dist6 = __esm({
   "../packages/sandbox-runtime/dist/index.js"() {
     "use strict";
-    import_fs = require("fs");
-    import_path = require("path");
     import_fs2 = require("fs");
-    import_os = require("os");
     import_path2 = require("path");
-    init_dist2();
-    import_crypto2 = require("crypto");
     import_fs3 = require("fs");
-    import_path3 = require("path");
     import_os2 = require("os");
+    import_path3 = require("path");
+    init_dist2();
+    import_crypto3 = require("crypto");
+    import_fs4 = require("fs");
+    import_path4 = require("path");
+    import_os3 = require("os");
     import_http = require("http");
     import_https = require("https");
     import_tls = require("tls");
     import_net = require("net");
-    import_child_process = require("child_process");
-    import_fs4 = require("fs");
-    import_os3 = require("os");
-    import_path4 = require("path");
-    import_url = require("url");
     import_child_process2 = require("child_process");
-    import_child_process3 = require("child_process");
     import_fs5 = require("fs");
+    import_os4 = require("os");
     import_path5 = require("path");
+    import_url = require("url");
+    import_child_process3 = require("child_process");
+    import_child_process4 = require("child_process");
+    import_fs6 = require("fs");
     import_path6 = require("path");
-    init_dist3();
+    import_path7 = require("path");
+    init_dist4();
     import_meta3 = {};
     DockerfileError = class extends Error {
       kind;
@@ -56110,13 +57000,13 @@ function twinStatusForCredentials(creds, twinName) {
   if (!creds) {
     return "\x1B[32m\u2713 unlocked\x1B[0m";
   }
-  return (0, import_node_auth5.isEntitled)(creds, twinName) ? "\x1B[32m\u2713 unlocked\x1B[0m" : "\x1B[90m\u2022 locked\x1B[0m";
+  return isEntitled(creds, twinName) ? "\x1B[32m\u2713 unlocked\x1B[0m" : "\x1B[90m\u2022 locked\x1B[0m";
 }
 function twinCatalogSummary(creds) {
   return `All twins unlocked (${creds.plan} plan)`;
 }
 async function listTwinCatalog(json2) {
-  const creds = getCredentials();
+  const creds = getCredentials2();
   if (!creds) {
     if (json2) {
       writeLocalTwinCatalogJson();
@@ -56282,7 +57172,7 @@ function resolveManagedTraceUploadEndpoint() {
   if (explicit) {
     return explicit.replace(/\/+$/, "");
   }
-  const baseUrl = getConfiguredApiBaseUrl();
+  const baseUrl = getConfiguredApiBaseUrl2();
   if (!baseUrl) {
     return null;
   }
@@ -56293,7 +57183,7 @@ async function resolveManagedTraceUploadToken() {
   if (envToken) {
     return envToken;
   }
-  const creds = getCredentials();
+  const creds = getCredentials2();
   if (!creds) return null;
   try {
     const { refreshAuthFromServer: refreshAuthFromServer2, REQUEST_METADATA: REQUEST_METADATA3 } = await Promise.resolve().then(() => (init_auth(), auth_exports));
@@ -56491,7 +57381,7 @@ async function uploadManagedTraceIfEnabled(report, options, config2, fetchImpl =
   const telemetryToken = resolveTelemetryIngestToken(options);
   let response;
   try {
-    response = await fetchWithRetry(endpoint, {
+    response = await fetchWithRetry2(endpoint, {
       method: "POST",
       headers: {
         authorization: `Bearer ${token}`,
@@ -56517,14 +57407,14 @@ async function uploadManagedTraceIfEnabled(report, options, config2, fetchImpl =
     const body = await response.text().catch(() => "");
     const telemetryAuthRequired = response.status === 403 && /invalid telemetry ingest token/i.test(body) && !telemetryToken;
     if (telemetryAuthRequired) {
-      debug("Managed trace upload skipped (telemetry ingest token required by endpoint)", {
+      debug3("Managed trace upload skipped (telemetry ingest token required by endpoint)", {
         status: response.status,
         endpoint
       });
       return { uploaded: false, reason: "telemetry_auth_required" };
     }
     if (response.status === 404) {
-      debug("Managed trace upload skipped (endpoint not found \u2014 expected on self-hosted instances)", {
+      debug3("Managed trace upload skipped (endpoint not found \u2014 expected on self-hosted instances)", {
         status: response.status,
         endpoint
       });
@@ -56537,7 +57427,7 @@ async function uploadManagedTraceIfEnabled(report, options, config2, fetchImpl =
     });
     return { uploaded: false, reason: `http_${response.status}` };
   }
-  debug("Managed trace upload succeeded", {
+  debug3("Managed trace upload succeeded", {
     endpoint,
     traceId: payload.traceId,
     entries: payload.entries.length
@@ -56749,7 +57639,7 @@ function resolveProviderApiKey(explicitKey, provider) {
   if (!normalizedExplicit) return providerEnvKey;
   const mismatch = validateKeyForProvider(normalizedExplicit, provider);
   if (mismatch && providerEnvKey) {
-    debug("Configured API key appears mismatched for provider; falling back to provider env key", {
+    debug3("Configured API key appears mismatched for provider; falling back to provider env key", {
       provider,
       providerEnvVar: PROVIDER_ENV_VARS[provider]
     });
@@ -56810,12 +57700,12 @@ function normalizeTokenUsage(inputTokens, outputTokens, totalTokens) {
   };
 }
 async function callLlmViaArchal(options) {
-  const creds = getCredentials();
+  const creds = getCredentials2();
   if (!creds?.token) {
     throw new Error("Archal auth required. Run `archal login` or set ARCHAL_TOKEN.");
   }
   const hostedSessionId = getRunSessionContext()?.hostedSessionId;
-  debug("Calling LLM via Archal backend", { intent: options.intent ?? "evaluate" });
+  debug3("Calling LLM via Archal backend", { intent: options.intent ?? "evaluate" });
   const result = await requestLlmCompletion(creds.token, {
     intent: options.intent ?? "evaluate",
     systemPrompt: options.systemPrompt,
@@ -56838,10 +57728,10 @@ async function callLlmViaArchal(options) {
   }
   llmState.lastKnownRemaining = result.data.remaining ?? null;
   const actualModel = result.data.model;
-  debug("Archal backend response", { model: actualModel, remaining: String(result.data.remaining ?? "unknown") });
+  debug3("Archal backend response", { model: actualModel, remaining: String(result.data.remaining ?? "unknown") });
   const isSeedGen = options.intent === "seed-generate";
   if (!llmState.modelMismatchWarned && !isSeedGen && options.model && actualModel && actualModel !== "unknown" && !actualModel.includes(options.model) && !options.model.includes(actualModel)) {
-    debug(`Archal backend used "${actualModel}" (requested "${options.model}"). To use a specific model, pass --api-key with your own API key.`);
+    debug3(`Archal backend used "${actualModel}" (requested "${options.model}"). To use a specific model, pass --api-key with your own API key.`);
     llmState.modelMismatchWarned = true;
   }
   return {
@@ -56881,10 +57771,10 @@ async function callLlmWithUsage(options) {
     return callLlmViaArchal(options);
   }
   if (routing === "direct-only" || directKey) {
-    debug("Calling LLM provider directly", { provider: options.provider, model: options.model });
+    debug3("Calling LLM provider directly", { provider: options.provider, model: options.model });
     return callLlmDirect({ ...options, apiKey: directKey });
   }
-  const creds = getCredentials();
+  const creds = getCredentials2();
   if (options.provider !== "openai-compatible" && creds?.token) {
     try {
       return await callLlmViaArchal(options);
@@ -57052,7 +57942,7 @@ async function callOpenAiCompatible(options) {
     );
   }
   const url2 = `${options.baseUrl.replace(/\/+$/, "")}/v1/chat/completions`;
-  debug("Calling OpenAI-compatible endpoint", { url: url2, model: options.model });
+  debug3("Calling OpenAI-compatible endpoint", { url: url2, model: options.model });
   const response = await fetch(url2, {
     method: "POST",
     headers: {
@@ -57981,7 +58871,7 @@ function parseScenarioMarkdown(markdown, sourcePath) {
     tags: parsedConfig.tags ?? [],
     difficulty: parsedConfig.difficulty
   };
-  debug("Parsed scenario", {
+  debug3("Parsed scenario", {
     title: sections.title,
     criteriaCount: successCriteria.length,
     deterministicCount: successCriteria.filter((c) => c.type === "deterministic").length,
@@ -58611,7 +59501,7 @@ function writeLastRunLog(report) {
 }
 
 // src/runner/openclaw/openclaw-adapter.ts
-init_dist3();
+init_dist4();
 
 // src/runner/preflight.ts
 init_auth();
@@ -58621,7 +59511,7 @@ function preflightCheck(scenario, apiKey, model, baseUrl, options) {
   if (hasProbabilistic && !options?.skipEvaluatorAuth) {
     const provider = detectProvider(model);
     const resolvedKey = resolveProviderApiKey(apiKey, provider);
-    const creds = getCredentials();
+    const creds = getCredentials2();
     if (provider === "openai-compatible" && !baseUrl) {
       errors.push({
         check: "evaluator.baseUrl",
@@ -58652,7 +59542,7 @@ function preflightCheck(scenario, apiKey, model, baseUrl, options) {
     }
   }
   if (!options?.skipSeedAuth) {
-    const creds = getCredentials();
+    const creds = getCredentials2();
     if (!creds?.token) {
       errors.push({
         check: "archal-auth-seed",
@@ -59260,7 +60150,7 @@ function selectSeedForTwin(twinName, setupDescription) {
     0
   );
   const confidence = maxPossibleScore > 0 ? Math.min(bestScore / maxPossibleScore, 1) : 0;
-  debug("Seed selection", {
+  debug3("Seed selection", {
     twin: twinName,
     seed: bestSeed,
     confidence: confidence.toFixed(2),
@@ -59280,7 +60170,7 @@ function overrideSeedSelection(selections, overrides) {
   return selections.map((sel) => {
     const override = overrides[sel.twinName];
     if (override) {
-      debug(`Seed override for ${sel.twinName}: ${override}`);
+      debug3(`Seed override for ${sel.twinName}: ${override}`);
       return {
         ...sel,
         seedName: override,
@@ -59720,7 +60610,7 @@ async function executeAgent(params) {
         generateCertAuthority: generateCertAuthority2,
         startProxy: startProxy2,
         buildCloudTwinMappings: buildCloudTwinMappings2
-      } = await Promise.resolve().then(() => (init_dist5(), dist_exports));
+      } = await Promise.resolve().then(() => (init_dist6(), dist_exports));
       info("Starting TLS proxy for transparent HTTP routing...");
       ca = generateCertAuthority2();
       const mappings = buildCloudTwinMappings2(twinUrls);
@@ -59731,10 +60621,10 @@ async function executeAgent(params) {
           ca,
           twinAuthHeaders: bearerToken ? { Authorization: `Bearer ${bearerToken}` } : {},
           onIntercept: (event) => {
-            debug(`[proxy] ${event.method ?? "?"} ${event.domain}${event.path ?? "/"} \u2192 twin`);
+            debug3(`[proxy] ${event.method ?? "?"} ${event.domain}${event.path ?? "/"} \u2192 twin`);
           },
           onPassthrough: (event) => {
-            debug(`[proxy] ${event.method ?? "?"} ${event.domain}${event.path ?? "/"} \u2192 passthrough`);
+            debug3(`[proxy] ${event.method ?? "?"} ${event.domain}${event.path ?? "/"} \u2192 passthrough`);
           }
         });
         const noProxyHosts = "127.0.0.1,localhost,.archal.ai";
@@ -59783,10 +60673,10 @@ async function executeAgent(params) {
       cwd: agentConfig.cwd,
       env: agentEnv,
       onStdout: (chunk) => {
-        debug(`[agent stdout] ${chunk.trimEnd()}`);
+        debug3(`[agent stdout] ${chunk.trimEnd()}`);
       },
       onStderr: (chunk) => {
-        debug(`[agent stderr] ${chunk.trimEnd()}`);
+        debug3(`[agent stderr] ${chunk.trimEnd()}`);
       }
     });
   } finally {
@@ -59796,7 +60686,7 @@ async function executeAgent(params) {
     }
     if (ca) {
       try {
-        const { destroyCertAuthority: destroyCertAuthority2 } = await Promise.resolve().then(() => (init_dist5(), dist_exports));
+        const { destroyCertAuthority: destroyCertAuthority2 } = await Promise.resolve().then(() => (init_dist6(), dist_exports));
         destroyCertAuthority2(ca);
       } catch {
       }
@@ -59847,7 +60737,7 @@ ${stderrPreview}`);
     } catch (cleanupErr) {
       const code = getErrnoCode(cleanupErr);
       if (code !== "ENOENT") {
-        debug(`Failed to clean up metrics file ${metricsFilePath}: ${errorMessage(cleanupErr)}`);
+        debug3(`Failed to clean up metrics file ${metricsFilePath}: ${errorMessage(cleanupErr)}`);
       }
     }
   }
@@ -59873,7 +60763,7 @@ ${stderrPreview}`);
     } catch (cleanupErr) {
       const code = getErrnoCode(cleanupErr);
       if (code !== "ENOENT") {
-        debug(`Failed to clean up agent trace file ${agentTraceFilePath}: ${errorMessage(cleanupErr)}`);
+        debug3(`Failed to clean up agent trace file ${agentTraceFilePath}: ${errorMessage(cleanupErr)}`);
       }
     }
   }
@@ -60172,7 +61062,7 @@ ${scenario.seedState}` : scenario.setup;
       sel.seedName = entry.seedName;
       sel.seedData = entry.seedData;
     }
-    debug("Using managed seed snapshot replay", {
+    debug3("Using managed seed snapshot replay", {
       snapshotPath: options.seedSnapshotIn,
       twins: scenario.config.twins.join(", ")
     });
@@ -60995,7 +61885,7 @@ function resolveEngineConfiguration(scenario, options, timeoutSeconds, projectCo
       const openclawAgent = options.agent?.trim() || process.env["ARCHAL_OPENCLAW_AGENT"] || "main";
       const fallbackLocalAgentConfig = resolvedFallbackLocalAgentConfig ?? { command: "openclaw", args: ["--agent", openclawAgent] };
       if (!resolvedHarness.manifest && !resolvedHarness.localCommand) {
-        debug(
+        debug3(
           "Harness manifest not found for local mode; using agent command defaults.",
           { manifestPath: resolvedHarness.manifestPath }
         );
@@ -61119,7 +62009,7 @@ async function cleanupDockerImage2(..._args) {
 
 // src/runner/execution/run-executor.ts
 var import_node_fs17 = require("fs");
-init_dist5();
+init_dist6();
 init_logger();
 
 // src/runner/lifecycle/timeout-budget.ts
@@ -61299,7 +62189,7 @@ async function executeAgentPhase(params) {
     effectiveRemoteTwinUrls,
     apiRouting,
     openclawEvalMode,
-    { debug, info }
+    { debug: debug3, info }
   ) : await executeAgent({
     agentConfig,
     mcpConfigPath: configFiles.mcpConfigPath,
@@ -62212,7 +63102,7 @@ function buildUserPrompt(context) {
     expectedBehavior: context.expectedBehavior
   });
   const traceEvidence = renderTraceEvidenceForPrompt(traceEvidencePacket);
-  debug("LLM judge trace evidence selected", {
+  debug3("LLM judge trace evidence selected", {
     criterion: context.criterion.id,
     totalSpans: String(traceEvidencePacket.summary.totalSpans),
     selectedSpans: String(traceEvidencePacket.summary.selectedSpans),
@@ -62266,7 +63156,7 @@ function buildBatchUserPrompt(criteria, expectedBehavior, stateBefore, stateAfte
     expectedBehavior
   });
   const traceEvidence = renderTraceEvidenceForPrompt(traceEvidencePacket);
-  debug("LLM judge batch trace evidence selected", {
+  debug3("LLM judge batch trace evidence selected", {
     criteriaCount: String(criteria.length),
     totalSpans: String(traceEvidencePacket.summary.totalSpans),
     selectedSpans: String(traceEvidencePacket.summary.selectedSpans),
@@ -62352,7 +63242,7 @@ var BATCH_RESPONSE_SCHEMA = {
 async function evaluateBatchWithLlm(criteria, context, config2) {
   const provider = detectProvider(config2.model);
   const apiKey = resolveProviderApiKey(config2.apiKey, provider);
-  const credentials = getCredentials();
+  const credentials = getCredentials2();
   const canUseManagedRouting = provider !== "openai-compatible" && Boolean(credentials?.token);
   if (apiKey) {
     const mismatch = validateKeyForProvider(apiKey, provider);
@@ -62374,7 +63264,7 @@ async function evaluateBatchWithLlm(criteria, context, config2) {
       tokenUsage: null
     };
   }
-  debug("Calling LLM judge (batch)", {
+  debug3("Calling LLM judge (batch)", {
     criteriaCount: String(criteria.length),
     criteriaIds: criteria.map((c) => c.id).join(", "),
     model: config2.model,
@@ -62412,7 +63302,7 @@ async function evaluateBatchWithLlm(criteria, context, config2) {
       evaluations: criteria.map((c) => {
         const result = parsed.get(c.id);
         if (result) {
-          debug("LLM judge batch result", {
+          debug3("LLM judge batch result", {
             criterion: c.id,
             status: result.status,
             confidence: result.confidence.toFixed(2)
@@ -62482,7 +63372,7 @@ async function evaluateWithLlm(criterion, context, config2) {
   };
   const provider = detectProvider(config2.model);
   const apiKey = resolveProviderApiKey(config2.apiKey, provider);
-  const credentials = getCredentials();
+  const credentials = getCredentials2();
   const canUseManagedRouting = provider !== "openai-compatible" && Boolean(credentials?.token);
   if (apiKey) {
     const mismatch = validateKeyForProvider(apiKey, provider);
@@ -62504,7 +63394,7 @@ async function evaluateWithLlm(criterion, context, config2) {
       tokenUsage: null
     };
   }
-  debug("Calling LLM judge", {
+  debug3("Calling LLM judge", {
     criterion: criterion.id,
     model: config2.model,
     provider,
@@ -62526,7 +63416,7 @@ async function evaluateWithLlm(criterion, context, config2) {
     });
     const text = response.text;
     const judgeResult = parseJudgeResponse(text);
-    debug("LLM judge result", {
+    debug3("LLM judge result", {
       criterion: criterion.id,
       status: judgeResult.status,
       confidence: judgeResult.confidence.toFixed(2)
@@ -63729,7 +64619,7 @@ function stripMarkdownCodeFence(text) {
 }
 function isLlmParsingAvailable(config2) {
   if (config2.apiKey) return true;
-  const creds = getCredentials();
+  const creds = getCredentials2();
   if (creds?.token) return true;
   const model = config2.model ?? "claude-haiku-4-5-20251001";
   const provider = detectProvider(model);
@@ -63739,15 +64629,15 @@ function isLlmParsingAvailable(config2) {
 async function parseAssertionWithLlm(description, config2) {
   const cached2 = parseCache.get(description);
   if (cached2 !== void 0) {
-    debug("LLM assertion parser: cache hit", { description: description.slice(0, 60) });
+    debug3("LLM assertion parser: cache hit", { description: description.slice(0, 60) });
     return cached2;
   }
   const model = config2.model ?? "claude-haiku-4-5-20251001";
   const provider = detectProvider(model);
   const apiKey = resolveProviderApiKey(config2.apiKey ?? "", provider);
-  const canUseManagedRouting = provider !== "openai-compatible" && Boolean(getCredentials()?.token);
+  const canUseManagedRouting = provider !== "openai-compatible" && Boolean(getCredentials2()?.token);
   if (!apiKey && !canUseManagedRouting) {
-    debug("LLM assertion parser unavailable: no provider key or managed auth", {
+    debug3("LLM assertion parser unavailable: no provider key or managed auth", {
       model,
       provider
     });
@@ -63773,18 +64663,18 @@ Output:`,
     const result = await callLlmWithUsage(llmOptions);
     const text = stripMarkdownCodeFence(result.text);
     if (text === "null" || text === "{}") {
-      debug("LLM assertion parser: returned null for", { description: description.slice(0, 60) });
+      debug3("LLM assertion parser: returned null for", { description: description.slice(0, 60) });
       parseCache.set(description, null);
       return null;
     }
     const parsed = JSON.parse(text);
     const assertion = validateParsedAssertion(parsed);
     if (!assertion) {
-      debug("LLM assertion parser: invalid structure returned", { description: description.slice(0, 60), raw: text.slice(0, 200) });
+      debug3("LLM assertion parser: invalid structure returned", { description: description.slice(0, 60), raw: text.slice(0, 200) });
       parseCache.set(description, null);
       return null;
     }
-    debug("LLM assertion parser: success", {
+    debug3("LLM assertion parser: success", {
       description: description.slice(0, 60),
       type: assertion.type,
       subject: assertion.subject
@@ -63915,7 +64805,7 @@ function buildFallbackResult(criterion) {
 async function evaluateDeterministicWithLlmParsing(criterion, stateView, parserConfig) {
   const regexAssertion = parseAssertion(criterion.description);
   if (regexAssertion) {
-    debug("Parsed assertion (regex)", {
+    debug3("Parsed assertion (regex)", {
       type: regexAssertion.type,
       subject: regexAssertion.subject,
       value: String(regexAssertion.value ?? ""),
@@ -63929,7 +64819,7 @@ async function evaluateDeterministicWithLlmParsing(criterion, stateView, parserC
     info(`[D] regex failed for "${criterion.description}" \u2014 trying LLM structured parser`);
     const llmAssertion = await parseAssertionWithLlm(criterion.description, llmConfig);
     if (llmAssertion) {
-      debug("Parsed assertion (LLM)", {
+      debug3("Parsed assertion (LLM)", {
         type: llmAssertion.type,
         subject: llmAssertion.subject,
         value: String(llmAssertion.value ?? ""),
@@ -63940,7 +64830,7 @@ async function evaluateDeterministicWithLlmParsing(criterion, stateView, parserC
     info(`[D] LLM structured parser also failed for "${criterion.description}" \u2014 falling back to full LLM judge`);
   } else {
     info(`[D] criterion "${criterion.description}" could not be parsed deterministically \u2014 falling back to LLM judge`);
-    debug(`Unparseable assertion text: "${criterion.description}"`);
+    debug3(`Unparseable assertion text: "${criterion.description}"`);
   }
   return buildFallbackResult(criterion);
 }
@@ -64064,7 +64954,7 @@ async function evaluateRun(criteria, context, config2) {
     } else {
       evaluations.push(result);
     }
-    debug("Deterministic evaluation", {
+    debug3("Deterministic evaluation", {
       criterion: criterion.id,
       status: evaluations.at(-1)?.status ?? "fail"
     });
@@ -64101,7 +64991,7 @@ async function evaluateRun(criteria, context, config2) {
       judgeTokenUsage = accumulateTokenUsage(judgeTokenUsage, tokenUsage);
       for (const result of batchResults) {
         evaluations.push(result);
-        debug("Probabilistic evaluation (batch)", {
+        debug3("Probabilistic evaluation (batch)", {
           criterion: result.criterionId,
           status: result.status,
           confidence: result.confidence.toFixed(2)
@@ -64113,7 +65003,7 @@ async function evaluateRun(criteria, context, config2) {
       const { evaluation: result, tokenUsage } = await evaluateWithLlm(criterion, context, config2);
       judgeTokenUsage = accumulateTokenUsage(judgeTokenUsage, tokenUsage);
       evaluations.push(result);
-      debug("Probabilistic evaluation", {
+      debug3("Probabilistic evaluation", {
         criterion: criterion.id,
         status: result.status,
         confidence: result.confidence.toFixed(2)
@@ -64279,7 +65169,7 @@ ${sanitizeForPrompt(logTail, 800)}`);
 async function generateFailureAnalysisWithUsage(input, config2) {
   const provider = detectProvider(config2.model);
   const apiKey = resolveProviderApiKey(config2.apiKey, provider);
-  const credentials = getCredentials();
+  const credentials = getCredentials2();
   const canUseManagedRouting = provider !== "openai-compatible" && Boolean(credentials?.token);
   if (apiKey) {
     const mismatch = validateKeyForProvider(apiKey, provider);
@@ -64288,7 +65178,7 @@ async function generateFailureAnalysisWithUsage(input, config2) {
     }
   }
   if (!apiKey && !canUseManagedRouting) {
-    debug("Skipping failure analysis \u2014 no API key or Archal auth for evaluator model");
+    debug3("Skipping failure analysis \u2014 no API key or Archal auth for evaluator model");
     return { text: void 0, tokenUsage: null };
   }
   try {
@@ -64311,7 +65201,7 @@ async function generateFailureAnalysisWithUsage(input, config2) {
     if (error49 instanceof LlmApiError) {
       warn(`Failure analysis skipped: ${error49.message}`);
     } else {
-      debug("Failure analysis error", { error: String(error49) });
+      debug3("Failure analysis error", { error: String(error49) });
     }
     return { text: void 0, tokenUsage: null };
   }
@@ -64529,7 +65419,7 @@ async function syncCapabilityMissesToSessionEvents(token, sessionId, misses) {
       warn(`Failed to persist capability miss for session ${sessionId}: ${result.error}`);
       return;
     }
-    debug("Persisted capability miss session event", {
+    debug3("Persisted capability miss session event", {
       sessionId,
       eventIndex: String(result.data.eventIndex),
       fingerprint: miss.miss.fingerprint
@@ -64546,7 +65436,7 @@ async function collectAndExtractPostRunData(stdout, cloudTwinUrls, beforeState,
   const diff = computeStateDiff(beforeState, stateAfter);
   const agentResponseText = extractAgentResponseText(stdout);
   if (agentResponseText) {
-    debug("Extracted agent response text", { length: String(agentResponseText.length) });
+    debug3("Extracted agent response text", { length: String(agentResponseText.length) });
   }
   return { stateAfter, trace, events, diff, agentResponseText };
 }
@@ -64737,7 +65627,7 @@ async function executeSandboxPath(ctx, startTime, beforeState, cloudTwinUrls) {
   });
   const abortCapabilityMiss = findAbortCapabilityMiss(capabilityMisses);
   const hasTrace = postRun.trace.length > 0;
-  const logSandbox = hasTrace ? debug : warn;
+  const logSandbox = hasTrace ? debug3 : warn;
   logSandbox(`Sandbox stdout (agent output, run ${runIndex + 1}):
 ${sandboxResult.stdout.slice(0, 3e3) || "(empty)"}`);
   logSandbox(`Sandbox stderr (setup log, run ${runIndex + 1}, tail):
@@ -64852,7 +65742,7 @@ async function executeDockerHarnessPath(ctx, startTime, beforeState, cloudTwinUr
   });
   const abortCapabilityMiss = findAbortCapabilityMiss(capabilityMisses);
   const hasTrace = postRun.trace.length > 0;
-  const logResult = hasTrace ? debug : warn;
+  const logResult = hasTrace ? debug3 : warn;
   logResult(`Docker harness stdout (run ${runIndex + 1}):
 ${result.stdout.slice(0, 3e3) || "(empty)"}`);
   logResult(`Docker harness stderr (run ${runIndex + 1}, tail):
@@ -66730,7 +67620,7 @@ async function cleanupHostedSession(ctx) {
     return;
   }
   const sessionId = ctx.backendSessionId;
-  const freshCreds = getCredentials();
+  const freshCreds = getCredentials2();
   const credentials = freshCreds ?? ctx.credentials;
   if (!credentials) {
     process.stderr.write("Warning: unable to finalize hosted session evidence (missing auth token).\n");
@@ -66880,7 +67770,7 @@ async function waitForSessionReady(opts) {
       if (!opts.quiet) process.stderr.write(`  Still waiting for session to be ready (${elapsedSec}s)...
 `);
     }
-    const freshCreds = getCredentials();
+    const freshCreds = getCredentials2();
     if (freshCreds) credentials = freshCreds;
     let statusResult;
     let healthResult;
@@ -67293,7 +68183,7 @@ function validateHarnessConflicts(opts) {
   }
 }
 async function resolveCredentialsAndEntitlements(scenarioArg, scenario, opts) {
-  let credentials = getCredentials();
+  let credentials = getCredentials2();
   if (opts.preflightOnly && !credentials) {
     const userConfig = loadConfig();
     const hasProviderKey = Boolean(
@@ -67314,7 +68204,7 @@ async function resolveCredentialsAndEntitlements(scenarioArg, scenario, opts) {
       action: "run a scenario",
       nextCommand: `archal run ${scenarioArg}`
     });
-    credentials = required2 ?? getCredentials();
+    credentials = required2 ?? getCredentials2();
     if (!credentials) {
       validationError(
         "Not logged in.",
@@ -67323,9 +68213,9 @@ async function resolveCredentialsAndEntitlements(scenarioArg, scenario, opts) {
     }
   }
   if (credentials) {
-    credentials = await (0, import_node_auth5.refreshAuthFromServer)(credentials, REQUEST_METADATA2);
+    credentials = await refreshAuthFromServer(credentials, REQUEST_METADATA2);
     for (const twinName of scenario.config.twins) {
-      if (!(0, import_node_auth5.isEntitled)(credentials, twinName)) {
+      if (!isEntitled(credentials, twinName)) {
         validationError(
           `Your current plan does not have access to the "${twinName}" twin.`,
           "Run `archal list --twins` to see available twins."
@@ -67875,7 +68765,7 @@ async function executeRunForScenario(scenarioArg, opts, command, configDefaults)
       ctx.inFlightSessionStart = null;
     }
     if (sessionResult.ok) {
-      credentials = getCredentials() ?? credentials;
+      credentials = getCredentials2() ?? credentials;
       ctx.backendSessionId = sessionResult.data.sessionId;
       ctx.credentials = credentials;
       writeManagedRunStatus({
@@ -68279,7 +69169,7 @@ var import_node_http = require("http");
 init_dist2();
 
 // src/auth/constants.ts
-var import_node_auth8 = require("@archal/node-auth");
+init_dist3();
 
 // src/commands/login.ts
 init_auth();
@@ -68341,7 +69231,7 @@ function credentialsFromApiToken(token) {
     refreshToken: "",
     email: "(from token)",
     plan: "free",
-    expiresAt: (0, import_node_auth5.getJwtExpiry)(token) ?? nowSeconds + TOKEN_FALLBACK_TTL_SECONDS
+    expiresAt: getJwtExpiry(token) ?? nowSeconds + TOKEN_FALLBACK_TTL_SECONDS
   };
 }
 function buildDashboardLoginSuccessUrl(authBaseUrl) {
@@ -68350,7 +69240,7 @@ function buildDashboardLoginSuccessUrl(authBaseUrl) {
   return dashboardUrl.toString();
 }
 function persistLogin(credentials) {
-  (0, import_node_auth3.saveCredentials)(credentials);
+  saveCredentials(credentials);
   bindConfigToLogin(credentials);
   success2(`Logged in as ${credentials.email} (${credentials.plan} plan)`);
 }
@@ -68479,7 +69369,7 @@ function createLoginCommand() {
     const directToken = opts.token?.trim();
     if (directToken) {
       let credentials = credentialsFromApiToken(directToken);
-      credentials = await (0, import_node_auth5.refreshAuthFromServer)(credentials, REQUEST_METADATA2);
+      credentials = await refreshAuthFromServer(credentials, REQUEST_METADATA2);
       if (credentials.email === "(from token)") {
         throw new CliRuntimeError(
           "Token could not be verified. Check that the token is valid and try again."
@@ -68489,10 +69379,10 @@ function createLoginCommand() {
       await maybePromptForModelKey();
       return;
     }
-    const authBaseUrl = getConfiguredAuthBaseUrl();
+    const authBaseUrl = getConfiguredAuthBaseUrl2();
     const dashboardTokenUrl = new URL(
       "/dashboard",
-      `${authBaseUrl ?? import_node_auth8.HOSTED_DEFAULT_AUTH_BASE_URL}/`
+      `${authBaseUrl ?? HOSTED_DEFAULT_AUTH_BASE_URL}/`
     ).toString();
     if (isHeadlessEnvironment() && opts.browser !== false) {
       const lines = [
@@ -68583,7 +69473,7 @@ function createLoginCommand() {
               closeAndReject(new Error("Missing code in callback"));
               return;
             }
-            const credentials = await exchangeCliAuthCode({
+            const credentials = await exchangeCliAuthCode2({
               code,
               codeVerifier,
               redirectUri: redirectUrl
@@ -68627,7 +69517,7 @@ function createLoginCommand() {
 init_credential_store();
 function createLogoutCommand() {
   return new Command("logout").description("Log out of Archal and remove stored credentials").action(() => {
-    const deleted = (0, import_node_auth3.deleteCredentials)();
+    const deleted = deleteCredentials();
     if (deleted) {
       console.log("Logged out of Archal.");
     } else {
@@ -68858,7 +69748,7 @@ function parseSeeds(raw) {
   return seeds;
 }
 function requireToken() {
-  const token = getCredentials()?.token?.trim();
+  const token = getCredentials2()?.token?.trim();
   if (!token) {
     throw new CliRuntimeError("Not authenticated. Run 'archal login' first.");
   }
@@ -69521,10 +70411,10 @@ function suggestNextCommand(commandName, message) {
 init_errors4();
 
 // src/error-handling.ts
-var import_node_auth9 = require("@archal/node-auth");
+init_dist3();
 init_errors4();
 function isExpiredEnvTokenError(error49) {
-  return error49 instanceof import_node_auth9.ExpiredEnvTokenError || error49 instanceof Error && error49.name === "ExpiredEnvTokenError";
+  return error49 instanceof ExpiredEnvTokenError || error49 instanceof Error && error49.name === "ExpiredEnvTokenError";
 }
 
 // src/index.ts
@@ -69584,7 +70474,7 @@ Did you mean: ${close.map((c) => `archal ${c}`).join(", ")}?` : "";
     throw new CliUsageError(`unknown command '${guess}'${hint}
 Run: archal --help`);
   }
-  const creds = getCredentials();
+  const creds = getCredentials2();
   if (!creds) {
     process.stderr.write(
       "\x1B[36marchal\x1B[0m \x1B[2m\u2014 Pre-deployment testing for AI agents\x1B[0m\n\nGet started:\n  \x1B[36marchal login\x1B[0m              \x1B[2mAuthenticate with Archal\x1B[0m\n  \x1B[36marchal --help\x1B[0m             \x1B[2mSee all commands\x1B[0m\n\n"