@arkhera30/cli 0.7.1 → 0.8.0

package/dist/index.js

@@ -1,12 +1,12 @@
 #!/usr/bin/env node
 
 // src/index.ts
-import { Command as Command14 } from "commander";
-import chalk14 from "chalk";
+import { Command as Command16 } from "commander";
+import chalk15 from "chalk";
 
 // src/commands/setup.ts
-import { Command as Command2 } from "commander";
-import chalk2 from "chalk";
+import { Command as Command3 } from "commander";
+import chalk3 from "chalk";
 import ora2 from "ora";
 import { execSync } from "child_process";
 import { existsSync as existsSync5, mkdirSync as mkdirSync3 } from "fs";
@@ -18,6 +18,7 @@ import { readFileSync as readFileSync2, writeFileSync, mkdirSync, existsSync as
 import { resolve, join as pathJoin, relative } from "path";
 import { homedir as homedir2 } from "os";
 import { parse as parseYaml, stringify as stringifyYaml } from "yaml";
+import { z } from "zod";
 
 // src/lib/constants.ts
 import { homedir } from "os";
@@ -52,7 +53,7 @@ var DEFAULT_PORTS = {
   vault_router: 8050,
   // internal routing layer
   ui: 8400,
-  // reader — Horus Reader SPA
+  // horus-ui — Horus unified UI
   forge: 8200,
   typesense: 8108,
   // Typesense search engine
@@ -64,11 +65,7 @@ var DEFAULT_PORTS = {
 var DEFAULT_DATA_DIR = join(homedir(), "Horus", "data");
 var SERVICES = [
   "anvil",
-  "vault-router",
-  // replaces 'vault'
-  "vault-mcp",
-  "forge",
-  "reader",
+  "horus-ui",
   "typesense",
   "neo4j"
 ];
@@ -88,8 +85,12 @@ function defaultConfig() {
     search: {
       api_key: "horus-local-key"
     },
+    control_plane_url: "",
+    token_provider: { kind: "", config: "" },
     ai: {
-      key: ""
+      key: "",
+      anthropic_api_key: "",
+      model: "claude-sonnet-4-6"
     },
     vaults: {},
     github_hosts: {},
@@ -101,6 +102,18 @@ function defaultConfig() {
 function ensureHorusDir() {
   mkdirSync(HORUS_DIR, { recursive: true });
 }
+function ensureFsLayout() {
+  ensureHorusDir();
+  const dirs = {
+    providers: pathJoin(HORUS_DIR, "providers"),
+    logs: pathJoin(HORUS_DIR, "logs"),
+    keys: pathJoin(HORUS_DIR, "keys")
+  };
+  for (const d of Object.values(dirs)) {
+    mkdirSync(d, { recursive: true });
+  }
+  return dirs;
+}
 function configExists() {
   return existsSync2(CONFIG_PATH);
 }
@@ -155,16 +168,68 @@ function buildConfigFromParsed(parsed) {
     search: {
       api_key: parsed.search?.api_key ?? defaults.search.api_key
     },
+    control_plane_url: parsed.control_plane_url ?? defaults.control_plane_url,
+    token_provider: {
+      kind: parsed.token_provider?.kind ?? defaults.token_provider.kind,
+      config: parsed.token_provider?.config ?? defaults.token_provider.config
+    },
     ai: {
-      key: parsed.ai?.key ?? defaults.ai.key
+      key: parsed.ai?.key ?? defaults.ai.key,
+      anthropic_api_key: parsed.ai?.anthropic_api_key ?? defaults.ai.anthropic_api_key,
+      model: parsed.ai?.model ?? defaults.ai.model
     },
     vaults: parsed.vaults ?? defaults.vaults,
     github_hosts: parsed.github_hosts ?? defaults.github_hosts,
     host_repos_path: parsed.host_repos_path ?? defaults.host_repos_path,
     host_repos_extra_scan_dirs: parsed.host_repos_extra_scan_dirs ?? defaults.host_repos_extra_scan_dirs,
-    enable_ui: parsed.enable_ui ?? defaults.enable_ui
+    enable_ui: parsed.enable_ui ?? defaults.enable_ui,
+    registry_git_url: parsed.registry_git_url,
+    registry_deploy_key: parsed.registry_deploy_key,
+    enterprise_registry_url: parsed.enterprise_registry_url
   };
 }
+var preprovisionedSchema = z.object({
+  version: z.string().optional(),
+  data_dir: z.string().optional(),
+  runtime: z.enum(["docker", "podman"]).optional(),
+  control_plane_url: z.string().optional(),
+  token_provider: z.object({ kind: z.string(), config: z.string() }).optional(),
+  ports: z.record(z.number()).optional(),
+  repos: z.object({ anvil_notes: z.string().optional(), forge_registry: z.string().optional() }).optional(),
+  vaults: z.record(z.any()).optional(),
+  github_hosts: z.record(z.any()).optional(),
+  ai: z.object({
+    key: z.string().optional(),
+    anthropic_api_key: z.string().optional(),
+    model: z.string().optional()
+  }).optional()
+}).passthrough();
+function loadPreprovisionedConfig(path2) {
+  if (!existsSync2(path2)) {
+    throw new Error(`Pre-provisioned config not found at ${path2}`);
+  }
+  const raw = readFileSync2(path2, "utf-8");
+  let parsed;
+  try {
+    parsed = parseYaml(raw);
+  } catch (e) {
+    throw new Error(`Pre-provisioned config is not valid YAML: ${e.message}`);
+  }
+  const result = preprovisionedSchema.safeParse(parsed);
+  if (!result.success) {
+    const issues = result.error.issues.map((i) => `  - ${i.path.join(".") || "(root)"}: ${i.message}`).join("\n");
+    throw new Error(`Pre-provisioned config failed validation:
+${issues}`);
+  }
+  return buildConfigFromParsed(result.data);
+}
+function detectPreprovisionedConfig() {
+  const candidates = [
+    pathJoin(process.cwd(), "config.yaml.preprovisioned"),
+    pathJoin(HORUS_DIR, "config.yaml.preprovisioned")
+  ];
+  return candidates.find((p) => existsSync2(p)) ?? null;
+}
 function saveConfig(config) {
   ensureHorusDir();
   const yaml = stringifyYaml(config, { lineWidth: 0 });
@@ -215,6 +280,7 @@ function discoverRepoDirs(rootDir, maxDepth = 4) {
 }
 function generateEnv(config) {
   const dataDir = resolvePath(config.data_dir);
+  const providersPath = pathJoin(HORUS_DIR, "providers");
   const hostReposPath = config.host_repos_path ? resolvePath(config.host_repos_path) : "";
   const baseScanPath = "/data/repos";
   let forgeScanPaths;
@@ -256,12 +322,22 @@ function generateEnv(config) {
     "# Search",
     `TYPESENSE_API_KEY=${config.search.api_key}`,
     "",
-    "# AI (required for NLP agent search in the Reader)",
+    "# Control plane (empty HORUS_CONTROL_PLANE_URL => local-only mode)",
+    `HORUS_CONTROL_PLANE_URL=${config.control_plane_url ?? ""}`,
+    `TOKEN_PROVIDER_KIND=${config.token_provider?.kind ?? ""}`,
+    `TOKEN_PROVIDER_CONFIG=${config.token_provider?.config ?? ""}`,
+    "",
+    "# Agent chat (Anthropic). Chat surface is disabled when the key is empty.",
+    `HORUS_ANTHROPIC_API_KEY=${config.ai.anthropic_api_key}`,
+    `HORUS_AGENT_MODEL=${config.ai.model}`,
+    "# Legacy Cursor key \u2014 retained for back-compat, unused by the alpha client.",
     `HORUS_AI_KEY=${config.ai.key}`,
     "",
-    "# Repository URLs (must be HTTPS \u2014 container services do not have SSH keys)",
+    "# Providers mount (read-only secrets/config dir for horus-ui)",
+    `HORUS_PROVIDERS_PATH=${providersPath}`,
+    "",
+    "# Anvil notes repo (must be HTTPS \u2014 container services do not have SSH keys)",
     `ANVIL_REPO_URL=${config.repos.anvil_notes}`,
-    `FORGE_REGISTRY_REPO_URL=${config.repos.forge_registry}`,
     ""
   ];
   return lines.join("\n");
@@ -286,6 +362,11 @@ var CONFIG_KEYS = [
   "repo.forge-registry",
   "search.api-key",
   "ai.key",
+  "ai.anthropic-key",
+  "ai.model",
+  "control-plane-url",
+  "token-provider-kind",
+  "token-provider-config",
   "enable-ui"
 ];
 function getConfigValue(config, key) {
@@ -318,6 +399,16 @@ function getConfigValue(config, key) {
       return config.search.api_key;
     case "ai.key":
       return config.ai.key;
+    case "ai.anthropic-key":
+      return config.ai.anthropic_api_key;
+    case "ai.model":
+      return config.ai.model;
+    case "control-plane-url":
+      return config.control_plane_url ?? "";
+    case "token-provider-kind":
+      return config.token_provider?.kind ?? "";
+    case "token-provider-config":
+      return config.token_provider?.config ?? "";
     case "enable-ui":
       return String(config.enable_ui);
   }
@@ -370,6 +461,21 @@ function setConfigValue(config, key, value) {
     case "ai.key":
       updated.ai = { ...updated.ai, key: value };
       break;
+    case "ai.anthropic-key":
+      updated.ai = { ...updated.ai, anthropic_api_key: value };
+      break;
+    case "ai.model":
+      updated.ai = { ...updated.ai, model: value };
+      break;
+    case "control-plane-url":
+      updated.control_plane_url = value;
+      break;
+    case "token-provider-kind":
+      updated.token_provider = { kind: value, config: updated.token_provider?.config ?? "" };
+      break;
+    case "token-provider-config":
+      updated.token_provider = { kind: updated.token_provider?.kind ?? "", config: value };
+      break;
     case "enable-ui":
       if (value !== "true" && value !== "false") {
         throw new Error(`Invalid value for enable-ui: ${value}. Must be "true" or "false".`);
@@ -596,7 +702,7 @@ Run '${runtime.name} compose logs <service>' from ~/Horus/ to investigate.`
 Run '${runtime.name} compose logs' from ~/Horus/ to investigate.`
       );
     }
-    await new Promise((resolve2) => setTimeout(resolve2, intervalMs));
+    await new Promise((resolve3) => setTimeout(resolve3, intervalMs));
   }
 }
 
@@ -653,67 +759,6 @@ var ANVIL_SERVICE = `  # \u2500\u2500 Anvil \u2500\u2500\u2500\u2500\u2500\u2500
       timeout: 5s
       start_period: 60s
       retries: 3`;
-var FORGE_SERVICE = `  # \u2500\u2500 Forge \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
-  # Workspace manager and package registry MCP server.
-  forge:
-    image: ghcr.io/arjunkhera/horus/forge:latest
-    ports:
-      - "\${FORGE_PORT:-8200}:8200"
-    volumes:
-      - \${HORUS_DATA_PATH}/config:/data/config:rw
-      - \${HORUS_DATA_PATH}/registry:/data/registry:rw
-      - \${HORUS_DATA_PATH}/workspaces:/data/workspaces:rw
-      - \${HORUS_DATA_PATH}/repos:/data/horus-repos:rw
-      - \${HORUS_DATA_PATH}/sessions:/data/sessions:rw
-      - \${HOST_REPOS_PATH}:/data/repos:ro
-    environment:
-      - HORUS_RUNTIME=\${HORUS_RUNTIME:-docker}
-      - FORGE_PORT=8200
-      - FORGE_HOST=0.0.0.0
-      - FORGE_REGISTRY_PATH=/data/registry
-      - FORGE_WORKSPACES_PATH=/data/workspaces
-      - FORGE_CONFIG_PATH=/data/config
-      - FORGE_MANAGED_REPOS_PATH=/data/horus-repos
-      - FORGE_REGISTRY_REPO_URL=\${FORGE_REGISTRY_REPO_URL:-}
-      - FORGE_SYNC_INTERVAL=\${FORGE_SYNC_INTERVAL:-300}
-      - FORGE_ANVIL_URL=http://anvil:8100
-      - FORGE_VAULT_URL=http://vault-mcp:8300
-      - FORGE_HOST_WORKSPACES_PATH=\${HORUS_DATA_PATH}/workspaces
-      - FORGE_HOST_MANAGED_REPOS_PATH=\${HORUS_DATA_PATH}/repos
-      - FORGE_HOST_REPOS_PATH=\${HOST_REPOS_PATH}
-      - FORGE_HOST_MANAGED_REPOS_PATH=\${HORUS_DATA_PATH}/repos
-      - FORGE_HOST_ANVIL_URL=http://localhost:\${ANVIL_PORT:-8100}
-      - FORGE_HOST_VAULT_URL=http://localhost:\${VAULT_MCP_PORT:-8300}
-      - FORGE_HOST_FORGE_URL=http://localhost:\${FORGE_PORT:-8200}
-      - FORGE_SCAN_PATHS=\${FORGE_SCAN_PATHS:-/data/repos}
-      - FORGE_SESSION_TTL_MS=\${FORGE_SESSION_TTL_MS:-1800000}
-      - GITHUB_TOKEN=\${GITHUB_TOKEN:-}
-      - TYPESENSE_HOST=typesense
-      - TYPESENSE_PORT=8108
-      - TYPESENSE_API_KEY=\${TYPESENSE_API_KEY:-horus-local-key}
-    depends_on:
-      anvil:
-        condition: service_healthy
-      typesense:
-        condition: service_healthy
-      vault-router:
-        condition: service_healthy
-    networks:
-      - horus-net
-    restart: unless-stopped
-    stop_grace_period: 15s
-    deploy:
-      resources:
-        limits:
-          memory: 512m
-        reservations:
-          memory: 128m
-    healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:8200/health"]
-      interval: 30s
-      timeout: 5s
-      start_period: 60s
-      retries: 3`;
 var NEO4J_SERVICE = `  # \u2500\u2500 Neo4j \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
   # Graph database for relationship-aware knowledge queries.
   neo4j:
@@ -767,21 +812,33 @@ var TYPESENSE_SERVICE = `  # \u2500\u2500 Typesense \u2500\u2500\u2500\u2500\u25
       retries: 3
       start_period: 5s
     restart: unless-stopped`;
-var READER_SERVICE = `  # \u2500\u2500 Reader \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
-  # Horus Reader \u2014 Express server + NLP agent search at port 8400.
-  # Serves Reader SPA, proxies /api/* to Anvil, hosts POST /api/ai/ask.
-  reader:
-    image: ghcr.io/arjunkhera/horus/reader:latest
+var HORUS_UI_SERVICE = `  # \u2500\u2500 Horus UI \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+  # Unified Horus client. Serves the SPA, proxies /api/anvil/* to the local
+  # Anvil and (when connected) vault/forge/admin to the control plane, and hosts
+  # the agent chat at POST /api/ai/ask. Boots first \u2014 no depends_on. Connected
+  # vs local-only mode is config-driven: an empty HORUS_CONTROL_PLANE_URL is
+  # local-only.
+  horus-ui:
+    image: ghcr.io/arjunkhera/horus/ui:latest
     ports:
       - "\${UI_PORT:-8400}:8400"
     environment:
-      - CURSOR_API_KEY=\${HORUS_AI_KEY}
-      - HORUS_AGENT_MODEL=\${HORUS_AGENT_MODEL:-composer-2}
+      - HORUS_CONTROL_PLANE_URL=\${HORUS_CONTROL_PLANE_URL:-}
+      - TOKEN_PROVIDER_KIND=\${TOKEN_PROVIDER_KIND:-}
+      - TOKEN_PROVIDER_CONFIG=\${TOKEN_PROVIDER_CONFIG:-}
+      - HORUS_ANTHROPIC_API_KEY=\${HORUS_ANTHROPIC_API_KEY:-}
+      - HORUS_AGENT_MODEL=\${HORUS_AGENT_MODEL:-claude-sonnet-4-6}
       - ANVIL_HOST=anvil
       - ANVIL_PORT=8100
-    depends_on:
-      anvil:
-        condition: service_healthy
+      - FORGE_CONFIG_PATH=/horus/config
+      - FORGE_SESSIONS_ROOT=/horus/sessions
+      - FORGE_MANAGED_REPOS_PATH=/horus/repos
+      - FORGE_WORKSPACES_PATH=/horus/workspaces
+    volumes:
+      - \${HORUS_PROVIDERS_PATH}:/horus-providers:ro
+      - \${HORUS_DATA_PATH}/sessions:/horus/sessions:rw
+      - \${HORUS_DATA_PATH}/repos:/horus/repos:rw
+      - \${HORUS_DATA_PATH}/config:/horus/config:rw
     networks:
       - horus-net
     restart: unless-stopped
@@ -789,9 +846,9 @@ var READER_SERVICE = `  # \u2500\u2500 Reader \u2500\u2500\u2500\u2500\u2500\u25
     deploy:
       resources:
         limits:
-          memory: 256m
+          memory: 512m
         reservations:
-          memory: 128m
+          memory: 256m
     healthcheck:
       test: ["CMD-SHELL", "wget -qO /dev/null http://localhost:8400/health"]
       interval: 30s
@@ -854,7 +911,7 @@ services:
     volumes:
       - "\${TEST_DATA_PATH:-/tmp/horus-test}/typesense-data:/data"
 
-  reader:
+  horus-ui:
     ports:
       - "\${TEST_PORT_UI:-9260}:8400"
 
@@ -865,152 +922,37 @@ services:
     volumes:
       - "\${TEST_DATA_PATH:-/tmp/horus-test}/neo4j-data:/data"
       - "\${TEST_DATA_PATH:-/tmp/horus-test}/neo4j-logs:/logs"
-`;
-}
-function generateComposeFile(config, runtime) {
-  const vaultEntries = Object.entries(config.vaults).sort(([a], [b]) => a.localeCompare(b));
-  const vaultServices = vaultEntries.map(([name, vault], index) => {
-    const hostPort = `800${index + 1}`;
-    const envVarName = `VAULT_REST_PORT_${name.toUpperCase().replace(/-/g, "_")}`;
-    const githubHost = resolveGitHubHost(vault.repo, config.github_hosts);
-    const token = githubHost?.token ?? "";
-    const apiHost = githubHost?.host ?? "github.com";
-    return `  # \u2500\u2500 Vault: ${name} \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
-  vault-${name}:
-    image: ghcr.io/arjunkhera/horus/vault:latest
+${config.registry_git_url ? `
+  forge-registry:
     ports:
-      - "\${${envVarName}:-${hostPort}}:8000"
+      - "\${TEST_PORT_FORGE_REGISTRY:-9270}:8744"
     volumes:
-      - \${HORUS_DATA_PATH}/vaults/${name}:/data/knowledge-repo:rw
-      - vault-${name}-workspace:/data/workspace
-    environment:
-      - HORUS_RUNTIME=\${HORUS_RUNTIME:-docker}
-      - KNOWLEDGE_REPO_PATH=/data/knowledge-repo
-      - WORKSPACE_PATH=/data/workspace
-      - VAULT_KNOWLEDGE_REPO_URL=${vault.repo}
-      - SYNC_INTERVAL=\${VAULT_SYNC_INTERVAL:-300}
-      - VAULT_SYNC_INTERVAL=\${VAULT_SYNC_INTERVAL:-300}
-      - LOG_LEVEL=\${LOG_LEVEL:-info}
-      - HOST=0.0.0.0
-      - PORT=8000
-      - GITHUB_TOKEN=${token}
-      - GITHUB_API_HOST=${apiHost}
-      - TYPESENSE_HOST=typesense
-      - TYPESENSE_PORT=8108
-      - TYPESENSE_API_KEY=\${TYPESENSE_API_KEY:-horus-local-key}
-      - NEO4J_URI=bolt://neo4j:7687
-      - NEO4J_USER=neo4j
-      - NEO4J_PASSWORD=horus-neo4j
-    depends_on:
-      typesense:
-        condition: service_healthy
-      neo4j:
-        condition: service_healthy
-    networks:
-      - horus-net
-    restart: unless-stopped
-    deploy:
-      resources:
-        limits:
-          memory: 512m
-        reservations:
-          memory: 256m
-    healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:8000/health"]
-      interval: 30s
-      timeout: 10s
-      start_period: 60s
-      retries: 3`;
-  });
-  const defaultVaultEntry = vaultEntries.find(([, v]) => v.default);
-  const defaultVaultName = defaultVaultEntry ? defaultVaultEntry[0] : vaultEntries[0]?.[0] ?? "";
-  const vaultEndpoints = vaultEntries.map(([name]) => `${name}=http://vault-${name}:8000`).join(",");
-  const vaultRouterDependsOn = vaultEntries.map(([name]) => `      vault-${name}:
-        condition: service_healthy`).join("\n");
-  const vaultRouterService = `  # \u2500\u2500 Vault Router \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
-  # Routes requests to the appropriate vault instance by name.
-  vault-router:
-    image: ghcr.io/arjunkhera/horus/vault-router:latest
-    ports:
-      - "\${VAULT_ROUTER_PORT:-8050}:8400"
-    environment:
-${vaultEndpoints ? `      - VAULT_ENDPOINTS=${vaultEndpoints}
-` : ""}      - VAULT_DEFAULT=${defaultVaultName}
-${vaultRouterDependsOn ? `    depends_on:
-${vaultRouterDependsOn}
-` : ""}    networks:
-      - horus-net
-    restart: unless-stopped
-    deploy:
-      resources:
-        limits:
-          memory: 256m
-        reservations:
-          memory: 64m
-    healthcheck:
-      test: ["CMD", "python", "-c", "import urllib.request; urllib.request.urlopen('http://localhost:8400/health')"]
-      interval: 30s
-      timeout: 10s
-      start_period: 30s
-      retries: 3`;
-  const vaultMcpService = `  # \u2500\u2500 Vault MCP \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
-  # Thin MCP adapter that translates MCP tool calls to Vault REST API calls.
-  vault-mcp:
-    image: ghcr.io/arjunkhera/horus/vault-mcp:latest
-    ports:
-      - "\${VAULT_MCP_PORT:-8300}:8300"
-    environment:
-      - VAULT_MCP_HTTP=true
-      - VAULT_MCP_PORT=8300
-      - VAULT_MCP_HOST=0.0.0.0
-      - KNOWLEDGE_SERVICE_URL=http://vault-router:8400
-    depends_on:
-      vault-router:
-        condition: service_healthy
-    networks:
-      - horus-net
-    restart: unless-stopped
-    stop_grace_period: 15s
-    deploy:
-      resources:
-        limits:
-          memory: 256m
-        reservations:
-          memory: 64m
-    healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:8300/health"]
-      interval: 30s
-      timeout: 5s
-      start_period: 30s
-      retries: 3`;
-  const vaultVolumeEntries = [
-    ...vaultEntries.map(([name]) => `  vault-${name}-workspace:`),
-    "  neo4j-data:",
-    "  neo4j-logs:"
-  ].join("\n");
+      - "\${TEST_DATA_PATH:-/tmp/horus-test}/registry:/data/registry:rw"
+` : ""}`;
+}
+function generateComposeFile(_config, runtime) {
   const sections = [
     "# \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500",
     "# Horus \u2014 Generated Docker Compose",
     "# Managed by @arkhera30/cli. Do not edit manually.",
     "# Generated dynamically from ~/Horus/config.yaml by `horus setup`.",
+    "#",
+    "# Alpha client topology (\xA7C): horus-ui, anvil, typesense, neo4j only.",
+    "# Vault and Forge are remote behind the control plane. Connected vs",
+    "# local-only mode is config-driven (empty HORUS_CONTROL_PLANE_URL =",
+    "# local-only), NOT compose-driven \u2014 the service set is identical in both.",
     "# \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500",
     "",
     "services:",
     "",
-    ANVIL_SERVICE,
+    HORUS_UI_SERVICE,
     "",
-    ...vaultServices.map((s) => s + "\n"),
-    vaultRouterService,
-    "",
-    vaultMcpService,
+    ANVIL_SERVICE,
     "",
-    FORGE_SERVICE,
+    TYPESENSE_SERVICE,
     "",
     NEO4J_SERVICE,
     "",
-    TYPESENSE_SERVICE,
-    "",
-    ...config.enable_ui !== false ? [READER_SERVICE, ""] : [],
     "# \u2500\u2500 Networks \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500",
     "networks:",
     "  horus-net:",
@@ -1018,7 +960,8 @@ ${vaultRouterDependsOn}
     "",
     "# \u2500\u2500 Volumes \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500",
     "volumes:",
-    vaultVolumeEntries
+    "  neo4j-data:",
+    "  neo4j-logs:"
   ];
   let content = sections.join("\n");
   if (runtime === "podman") {
@@ -1432,10 +1375,13 @@ function buildClaudeDesktopServers(config, host) {
   const npxPath = detectNpxPath();
   const npxDir = npxPath === "npx" ? "/usr/local/bin" : npxPath.substring(0, npxPath.lastIndexOf("/"));
   const envPath = `${npxDir}:/usr/local/bin:/usr/bin:/bin`;
+  const connectedMode = !!(config.control_plane_url && config.control_plane_url.trim());
+  const vaultUrl = connectedMode ? `http://${host}:${config.ports.ui}/vault/mcp` : `http://${host}:${config.ports.vault_mcp}/mcp`;
+  const forgeUrl = connectedMode ? `http://${host}:${config.ports.ui}/forge/mcp` : `http://${host}:${config.ports.forge}/mcp`;
   return {
     anvil: { command: npxPath, args: ["mcp-remote", `http://${host}:${config.ports.anvil}/mcp`], env: { PATH: envPath } },
-    vault: { command: npxPath, args: ["mcp-remote", `http://${host}:${config.ports.vault_mcp}/mcp`], env: { PATH: envPath } },
-    forge: { command: npxPath, args: ["mcp-remote", `http://${host}:${config.ports.forge}/mcp`], env: { PATH: envPath } }
+    vault: { command: npxPath, args: ["mcp-remote", vaultUrl], env: { PATH: envPath } },
+    forge: { command: npxPath, args: ["mcp-remote", forgeUrl], env: { PATH: envPath } }
   };
 }
 async function isClaudeCliAvailable() {
@@ -1529,7 +1475,12 @@ function printNextSteps(targets) {
   console.log("");
 }
 async function runConnect(config, runtime, targets, host = "localhost") {
-  const httpServers = {
+  const connectedMode = !!(config.control_plane_url && config.control_plane_url.trim());
+  const httpServers = connectedMode ? {
+    anvil: { url: `http://${host}:${config.ports.anvil}/mcp` },
+    vault: { url: `http://${host}:${config.ports.ui}/vault/mcp` },
+    forge: { url: `http://${host}:${config.ports.ui}/forge/mcp` }
+  } : {
     anvil: { url: `http://${host}:${config.ports.anvil}/mcp` },
     vault: { url: `http://${host}:${config.ports.vault_mcp}/mcp` },
     forge: { url: `http://${host}:${config.ports.forge}/mcp` }
@@ -1589,23 +1540,32 @@ async function runConnect(config, runtime, targets, host = "localhost") {
     }
   }
   if (targets.includes("claude-code")) {
-    const skillsSpinner = ora("Syncing horus-core skills...").start();
-    try {
-      await syncSkills(runtime);
-      skillsSpinner.succeed("horus-core skills synced to ~/.claude/skills/");
-    } catch (error) {
-      skillsSpinner.warn("Could not sync skills (Forge container may not be running)");
-      console.log(chalk.dim(error.message));
+    if (connectedMode) {
+      console.warn(chalk.yellow("[connect] Skipping skills sync \u2014 connected mode has no local forge container."));
+      console.log(chalk.dim("         TODO: fetch skills via the control plane when the skills API is available."));
+    } else {
+      const skillsSpinner = ora("Syncing horus-core skills...").start();
+      try {
+        await syncSkills(runtime);
+        skillsSpinner.succeed("horus-core skills synced to ~/.claude/skills/");
+      } catch (error) {
+        skillsSpinner.warn("Could not sync skills (Forge container may not be running)");
+        console.log(chalk.dim(error.message));
+      }
     }
   }
   if (targets.includes("cursor")) {
-    const cursorRulesSpinner = ora("Syncing horus-core rules for Cursor...").start();
-    try {
-      await syncSkillsForCursor(runtime);
-      cursorRulesSpinner.succeed("horus-core rules synced to ~/.cursor/rules/ and skills to ~/.cursor/skills-cursor/");
-    } catch (error) {
-      cursorRulesSpinner.warn("Could not sync Cursor rules (Forge container may not be running)");
-      console.log(chalk.dim(error.message));
+    if (connectedMode) {
+      console.warn(chalk.yellow("[connect] Skipping Cursor rules sync \u2014 connected mode has no local forge container."));
+    } else {
+      const cursorRulesSpinner = ora("Syncing horus-core rules for Cursor...").start();
+      try {
+        await syncSkillsForCursor(runtime);
+        cursorRulesSpinner.succeed("horus-core rules synced to ~/.cursor/rules/ and skills to ~/.cursor/skills-cursor/");
+      } catch (error) {
+        cursorRulesSpinner.warn("Could not sync Cursor rules (Forge container may not be running)");
+        console.log(chalk.dim(error.message));
+      }
     }
   }
   if (configured.length > 0) {
@@ -1674,321 +1634,220 @@ var connectCommand = new Command("connect").description("Configure Claude/Cursor
   await runConnect(config, runtime, targets, opts.host);
 });
 
-// src/commands/setup.ts
-function injectToken(url, token) {
-  if (!token) return url;
-  try {
-    const parsed = new URL(url);
-    parsed.username = "oauth2";
-    parsed.password = token;
-    return parsed.toString();
-  } catch {
-    return url;
+// src/commands/login.ts
+import { Command as Command2 } from "commander";
+import chalk2 from "chalk";
+async function runLogin(config) {
+  const cp = (config.control_plane_url ?? "").trim();
+  if (!cp) {
+    return { ok: true, deferred: false, message: "Local-only mode \u2014 no control plane to log into." };
   }
-}
-function extractHostname(url) {
+  let reachable = false;
   try {
-    return new URL(url).hostname;
+    const res = await fetch(cp.replace(/\/$/, "") + "/health", { signal: AbortSignal.timeout(8e3) });
+    reachable = res.ok;
   } catch {
-    return "github.com";
+    reachable = false;
+  }
+  if (!reachable) {
+    return {
+      ok: false,
+      deferred: true,
+      message: `Control plane at ${cp} is not reachable yet. Run \`horus login\` once it is available.`
+    };
+  }
+  const kind = config.token_provider?.kind ?? "";
+  if (kind === "static") {
+    const hasToken = !!(config.token_provider?.config ?? "").trim();
+    return hasToken ? { ok: true, deferred: false, message: "Static principal token configured \u2014 client is authenticated." } : {
+      ok: false,
+      deferred: true,
+      message: "Static token provider selected but no token is set. Run `horus config set token-provider-config <token>`."
+    };
   }
+  return {
+    ok: false,
+    deferred: true,
+    message: `Interactive login (${kind || "unconfigured"}) completes against the control plane. Run \`horus login\` once it is available.`
+  };
 }
-var setupCommand = new Command2("setup").description("Interactive first-run setup for Horus").option("-y, --yes", "Non-interactive mode (use defaults + env vars)").option("--runtime <runtime>", "Container runtime to use: docker or podman (non-interactive only)").option("--data-dir <path>", "Data directory path").option("--repos-path <path>", "Host repos path for Forge scanning").option("--anvil-repo <url>", "Anvil notes repository URL").option("--vault-name <name>", "Vault name (can be specified multiple times)").option("--vault-repo <url>", "Vault knowledge-base repository URL (matches positionally with --vault-name)").option("--forge-repo <url>", "Forge registry repository URL").option("--github-token <token>", "GitHub personal access token for private repos (primary host)").option("--claude-desktop", "Configure Claude Desktop MCP servers during setup (non-interactive opt-in)").action(async (opts) => {
+var loginCommand = new Command2("login").description("Authenticate the client against the configured control plane").action(async () => {
+  if (!configExists()) {
+    console.log(chalk2.red("Horus is not configured yet. Run `horus setup` first."));
+    process.exit(1);
+  }
+  const result = await runLogin(loadConfig());
+  if (result.ok) {
+    console.log(chalk2.green(result.message));
+  } else {
+    console.log(chalk2.yellow(result.message));
+  }
+});
+
+// src/commands/setup.ts
+var setupCommand = new Command3("setup").description("First-run setup for the Horus client").option("-y, --yes", "Non-interactive mode (use defaults + env vars)").option("--local-only", "Local-only mode: skip the control-plane / login prompts").option("--config <path>", "Provision from a pre-provisioned, zod-validated config.yaml bundle").option("--no-pull", "Skip pulling container images").option("--runtime <runtime>", "Container runtime to use: docker or podman").option("--data-dir <path>", "Data directory path").option("--anvil-repo <url>", "Anvil notes repository URL (HTTPS)").option("--control-plane <url>", "Control-plane base URL (connected mode)").option("--claude-desktop", "Configure Claude Desktop MCP servers during setup").action(async (opts) => {
   console.log("");
-  console.log(chalk2.bold("Horus Setup"));
-  console.log(chalk2.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+  console.log(chalk3.bold("Horus Setup"));
+  console.log(chalk3.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
   console.log("");
-  if (configExists()) {
-    if (opts.yes) {
-      console.log(chalk2.yellow("Existing configuration found. Merging with existing values in non-interactive mode."));
-    } else {
-      const proceed = await confirm({
-        message: "Horus is already configured. Reconfigure?",
-        default: false
-      });
-      if (!proceed) {
-        console.log(chalk2.dim("Setup cancelled."));
-        return;
-      }
+  const preprovisionedPath = opts.config ?? detectPreprovisionedConfig();
+  const isPreprovisioned = !!preprovisionedPath;
+  const isYes = !!opts.yes;
+  const isLocalOnly = !!opts.localOnly;
+  const interactive = !isPreprovisioned && !isYes;
+  if (configExists() && interactive) {
+    const proceed = await confirm({
+      message: "Horus is already configured. Reconfigure? (existing data is preserved)",
+      default: false
+    });
+    if (!proceed) {
+      console.log(chalk3.dim("Setup cancelled."));
+      return;
     }
   }
   const checkSpinner = ora2("Checking for container runtimes...").start();
-  const [hasDocker, hasPodman] = await Promise.all([
-    checkRuntime("docker"),
-    checkRuntime("podman")
-  ]);
+  const [hasDocker, hasPodman] = await Promise.all([checkRuntime("docker"), checkRuntime("podman")]);
   checkSpinner.stop();
   const available = [
     ...hasDocker ? ["docker"] : [],
     ...hasPodman ? ["podman"] : []
   ];
   if (available.length === 0) {
-    console.log(chalk2.red("No container runtime found."));
+    console.log(chalk3.red("No container runtime found."));
     console.log("");
     console.log("Horus requires Docker or Podman with the Compose plugin.");
-    console.log("");
-    console.log("Install one of:");
     console.log("  Docker Desktop: https://www.docker.com/products/docker-desktop/");
     console.log("  Podman Desktop: https://podman-desktop.io/");
     process.exit(1);
   }
+  let config;
   let selectedRuntime;
-  if (opts.yes) {
-    const requested = opts.runtime;
-    if (requested && !available.includes(requested)) {
-      console.log(chalk2.red(`Requested runtime "${requested}" is not installed.`));
-      console.log(chalk2.dim(`Available: ${available.join(", ")}`));
+  if (isPreprovisioned) {
+    const loadSpinner = ora2(`Loading pre-provisioned config: ${preprovisionedPath}`).start();
+    try {
+      config = loadPreprovisionedConfig(preprovisionedPath);
+      loadSpinner.succeed("Pre-provisioned config validated");
+    } catch (err) {
+      loadSpinner.fail("Pre-provisioned config is invalid");
+      console.log(chalk3.red(err.message));
       process.exit(1);
     }
-    selectedRuntime = requested ?? available[0];
-    console.log(`Using ${chalk2.cyan(selectedRuntime)}`);
-  } else {
-    selectedRuntime = await select({
-      message: "Which container runtime would you like to use?",
-      choices: available.map((r) => ({
-        value: r,
-        name: r === "docker" ? "Docker" : "Podman"
-      }))
-    });
-  }
-  const runtime = await detectRuntime(selectedRuntime);
-  let config;
-  if (opts.yes) {
+    const requested = opts.runtime ?? config.runtime;
+    selectedRuntime = available.includes(requested) ? requested : available[0];
+  } else if (isYes) {
     const existing = configExists() ? loadConfig() : null;
     const defaults = defaultConfig();
-    let vaults;
-    if (opts.vaultName || opts.vaultRepo) {
-      const vaultNames = opts.vaultName ? Array.isArray(opts.vaultName) ? opts.vaultName : [opts.vaultName] : ["default"];
-      const vaultRepos = opts.vaultRepo ? Array.isArray(opts.vaultRepo) ? opts.vaultRepo : [opts.vaultRepo] : [process.env.VAULT_KNOWLEDGE_REPO_URL ?? ""];
-      vaults = {};
-      vaultNames.forEach((name, i) => {
-        vaults[name] = {
-          repo: vaultRepos[i] ?? vaultRepos[0] ?? "",
-          default: i === 0
-        };
-      });
-    } else {
-      vaults = existing?.vaults ?? (process.env.VAULT_KNOWLEDGE_REPO_URL ? { default: { repo: process.env.VAULT_KNOWLEDGE_REPO_URL, default: true } } : defaults.vaults);
-    }
-    const primaryToken = opts.githubToken || process.env.GITHUB_TOKEN || "";
-    const anvilRepo = opts.anvilRepo || process.env.ANVIL_REPO_URL || existing?.repos.anvil_notes || defaults.repos.anvil_notes;
-    let github_hosts;
-    if (opts.githubToken || !existing || Object.keys(existing.github_hosts).length === 0) {
-      const allRepoUrls = [anvilRepo, ...Object.values(vaults).map((v) => v.repo)].filter(Boolean);
-      const seenHosts = /* @__PURE__ */ new Set();
-      github_hosts = {};
-      let hostIndex = 0;
-      for (const url of allRepoUrls) {
-        const hostname = extractHostname(url);
-        if (!seenHosts.has(hostname)) {
-          seenHosts.add(hostname);
-          const hostKey = hostIndex === 0 ? "default" : hostname;
-          github_hosts[hostKey] = {
-            host: hostname,
-            token: primaryToken
-          };
-          hostIndex++;
-        }
-      }
-      if (Object.keys(github_hosts).length === 0) {
-        github_hosts["default"] = { host: "github.com", token: primaryToken };
-      }
-    } else {
-      github_hosts = existing.github_hosts;
+    const requested = opts.runtime;
+    if (requested && !available.includes(requested)) {
+      console.log(chalk3.red(`Requested runtime "${requested}" is not installed.`));
+      process.exit(1);
     }
+    selectedRuntime = requested ?? existing?.runtime ?? available[0];
+    const controlPlane = opts.controlPlane || process.env.HORUS_CONTROL_PLANE_URL || existing?.control_plane_url || "";
     config = {
       ...defaults,
-      // Preserve all existing top-level fields first
       ...existing ?? {},
-      // Then apply runtime (always re-detected)
-      runtime: runtime.name,
-      // Apply field-level overrides: explicit flag > existing value > default
+      runtime: selectedRuntime,
       data_dir: opts.dataDir || existing?.data_dir || DEFAULT_DATA_DIR,
-      host_repos_path: opts.reposPath || existing?.host_repos_path || "",
+      control_plane_url: controlPlane,
+      token_provider: {
+        kind: process.env.TOKEN_PROVIDER_KIND || existing?.token_provider?.kind || (controlPlane ? "static" : ""),
+        config: process.env.TOKEN_PROVIDER_CONFIG || existing?.token_provider?.config || ""
+      },
       repos: {
-        anvil_notes: anvilRepo,
-        forge_registry: opts.forgeRepo || process.env.FORGE_REGISTRY_REPO_URL || existing?.repos.forge_registry || defaults.repos.forge_registry
+        anvil_notes: opts.anvilRepo || process.env.ANVIL_REPO_URL || existing?.repos.anvil_notes || "",
+        forge_registry: existing?.repos.forge_registry || ""
       },
-      vaults,
-      github_hosts,
       ai: {
-        key: process.env.HORUS_AI_KEY || existing?.ai.key || ""
+        key: process.env.HORUS_AI_KEY || existing?.ai.key || "",
+        anthropic_api_key: process.env.HORUS_ANTHROPIC_API_KEY || existing?.ai.anthropic_api_key || "",
+        model: process.env.HORUS_AGENT_MODEL || existing?.ai.model || defaults.ai.model
       }
     };
   } else {
-    const data_dir = await input({
-      message: "Data directory:",
-      default: DEFAULT_DATA_DIR
-    });
-    const host_repos_path = await input({
-      message: "Host repos path (for Forge repo scanning, leave empty to skip):",
-      default: ""
-    });
-    const host_repos_extra_scan_dirs = [];
-    const customize_ports = await confirm({
-      message: "Customize port assignments?",
-      default: false
-    });
-    let ports = { ...DEFAULT_PORTS };
-    if (customize_ports) {
-      const anvil = await number({
-        message: "Anvil port:",
-        default: DEFAULT_PORTS.anvil
-      });
-      const vault_rest = await number({
-        message: "Vault REST port (per-vault instances):",
-        default: DEFAULT_PORTS.vault_rest
-      });
-      const vault_mcp = await number({
-        message: "Vault MCP port:",
-        default: DEFAULT_PORTS.vault_mcp
-      });
-      const vault_router = await number({
-        message: "Vault Router port:",
-        default: DEFAULT_PORTS.vault_router
-      });
-      const forge = await number({
-        message: "Forge port:",
-        default: DEFAULT_PORTS.forge
-      });
-      ports = {
-        anvil: anvil ?? DEFAULT_PORTS.anvil,
-        vault_rest: vault_rest ?? DEFAULT_PORTS.vault_rest,
-        vault_mcp: vault_mcp ?? DEFAULT_PORTS.vault_mcp,
-        vault_router: vault_router ?? DEFAULT_PORTS.vault_router,
-        ui: DEFAULT_PORTS.ui,
-        forge: forge ?? DEFAULT_PORTS.forge,
-        typesense: DEFAULT_PORTS.typesense,
-        neo4j_http: DEFAULT_PORTS.neo4j_http,
-        neo4j_bolt: DEFAULT_PORTS.neo4j_bolt
-      };
-    }
-    console.log("");
-    console.log(chalk2.bold("Repository Configuration"));
-    console.log(chalk2.dim("Horus stores notes and knowledge in Git repos you own."));
-    console.log(chalk2.dim("Create empty repos on your Git server, then paste the URLs below."));
-    console.log("");
-    console.log(chalk2.yellow("  Use HTTPS URLs \u2014 container services do not have SSH keys."));
-    console.log(chalk2.dim("  SSH URLs (git@github.com:...) will fail at runtime inside Docker/Podman."));
-    console.log("");
-    const primaryHost = await input({
-      message: "Primary Git server hostname:",
-      default: "github.com"
-    });
-    const example = (repo) => chalk2.dim(`  e.g., https://${primaryHost}/<owner>/${repo}`);
-    console.log("");
-    const anvil_notes = await input({
-      message: `Anvil notes repo URL:
-${example("horus-notes")}
-`,
-      validate: (v) => v.trim().length > 0 || "Anvil needs a notes repo to store your data."
-    });
-    const forge_registry = await input({
-      message: `Forge registry repo URL:
-${example("forge-registry")}
-`,
-      validate: (v) => v.trim().length > 0 || "Forge needs a registry repo."
+    selectedRuntime = available.length === 1 ? available[0] : await select({
+      message: "Which container runtime would you like to use?",
+      choices: available.map((r) => ({ value: r, name: r === "docker" ? "Docker" : "Podman" }))
     });
-    console.log("");
-    console.log(chalk2.bold("Vault Configuration"));
-    console.log(chalk2.dim("Add one or more knowledge-base vaults. Each vault is a separate Git repo."));
-    console.log("");
-    const vaults = {};
-    let addingVaults = true;
-    let isFirstVault = true;
-    while (addingVaults) {
-      const vaultName = await input({
-        message: "Add vault name (e.g., personal):",
-        validate: (v) => {
-          const trimmed = v.trim();
-          if (!trimmed) return "Vault name cannot be empty.";
-          if (!/^[a-z0-9-]+$/.test(trimmed)) return "Vault name must be lowercase alphanumeric with hyphens only.";
-          if (trimmed in vaults) return `Vault "${trimmed}" already added.`;
-          return true;
+    const defaults = defaultConfig();
+    let control_plane_url = "";
+    let token_provider = { kind: "", config: "" };
+    if (!isLocalOnly) {
+      control_plane_url = (await input({
+        message: "Control-plane URL (leave empty for local-only):",
+        default: opts.controlPlane ?? ""
+      })).trim();
+      if (control_plane_url) {
+        const cpSpinner = ora2(`Checking control plane at ${control_plane_url}...`).start();
+        try {
+          const res = await fetch(control_plane_url.replace(/\/$/, "") + "/health", {
+            signal: AbortSignal.timeout(8e3)
+          });
+          if (res.ok) cpSpinner.succeed("Control plane reachable");
+          else cpSpinner.warn(`Control plane responded HTTP ${res.status} \u2014 continuing (login can be deferred)`);
+        } catch {
+          cpSpinner.warn("Control plane unreachable \u2014 continuing; run `horus login` later");
         }
-      });
-      const vaultRepo = await input({
-        message: `Vault repo URL:
-${example(`${vaultName.trim()}-knowledge`)}
-`,
-        validate: (v) => v.trim().length > 0 || "Vault repo URL cannot be empty."
-      });
-      let isDefault = isFirstVault;
-      if (!isFirstVault) {
-        isDefault = await confirm({
-          message: `Is "${vaultName.trim()}" the default vault?`,
-          default: false
+        const kind = await select({
+          message: "Principal token provider:",
+          choices: [
+            { value: "static", name: "Static token (paste a token)" },
+            { value: "oidc", name: "OIDC (issuer URL; login completes against the control plane)" },
+            { value: "none", name: "None (anonymous / configure later)" }
+          ]
         });
-      }
-      if (isDefault) {
-        for (const v of Object.values(vaults)) {
-          v.default = false;
+        let providerConfig = "";
+        if (kind === "static") {
+          providerConfig = (await password({ message: "Principal token:", mask: "*" })).trim();
+        } else if (kind === "oidc") {
+          providerConfig = (await input({ message: "OIDC issuer URL:" })).trim();
         }
+        token_provider = { kind, config: providerConfig };
       }
-      vaults[vaultName.trim()] = {
-        repo: vaultRepo.trim(),
-        default: isDefault || isFirstVault
-      };
-      isFirstVault = false;
-      addingVaults = await confirm({
-        message: "Add another vault?",
-        default: false
-      });
-    }
-    const defaultCount = Object.values(vaults).filter((v) => v.default).length;
-    if (defaultCount === 0 && Object.keys(vaults).length > 0) {
-      const firstKey = Object.keys(vaults)[0];
-      vaults[firstKey].default = true;
+    } else {
+      console.log(chalk3.dim("Local-only mode \u2014 skipping control-plane and login prompts."));
     }
-    console.log("");
-    console.log(chalk2.bold("Authentication"));
-    console.log(chalk2.dim("A personal access token is required per Git server for private repositories."));
-    console.log("");
-    const allRepoUrls = [anvil_notes.trim(), ...Object.values(vaults).map((v) => v.repo)].filter(Boolean);
-    const uniqueHostnames = [...new Set(allRepoUrls.map(extractHostname))];
-    const github_hosts = {};
-    for (let i = 0; i < uniqueHostnames.length; i++) {
-      const hostname = uniqueHostnames[i];
-      const token = await password({
-        message: `GitHub token for ${chalk2.cyan(hostname)} (leave empty to skip):`,
-        mask: "*"
-      });
-      const hostKey = i === 0 ? "default" : hostname;
-      github_hosts[hostKey] = {
-        host: hostname,
-        token: token.trim()
+    const anvil_notes = (await input({
+      message: "Anvil notes repo URL (HTTPS, optional \u2014 leave empty to start with an empty local notes dir):",
+      default: opts.anvilRepo ?? ""
+    })).trim();
+    const data_dir = await input({ message: "Data directory:", default: opts.dataDir ?? DEFAULT_DATA_DIR });
+    const anthropicKey = (await password({ message: "Anthropic API key for agent chat (leave empty to skip):", mask: "*" })).trim();
+    let ports = { ...DEFAULT_PORTS };
+    const customizePorts = await confirm({ message: "Customize port assignments?", default: false });
+    if (customizePorts) {
+      const anvil = await number({ message: "Anvil port:", default: DEFAULT_PORTS.anvil });
+      const ui = await number({ message: "Horus UI port:", default: DEFAULT_PORTS.ui });
+      const typesense = await number({ message: "Typesense port:", default: DEFAULT_PORTS.typesense });
+      const neo4j_http = await number({ message: "Neo4j HTTP port:", default: DEFAULT_PORTS.neo4j_http });
+      const neo4j_bolt = await number({ message: "Neo4j Bolt port:", default: DEFAULT_PORTS.neo4j_bolt });
+      ports = {
+        ...ports,
+        anvil: anvil ?? DEFAULT_PORTS.anvil,
+        ui: ui ?? DEFAULT_PORTS.ui,
+        typesense: typesense ?? DEFAULT_PORTS.typesense,
+        neo4j_http: neo4j_http ?? DEFAULT_PORTS.neo4j_http,
+        neo4j_bolt: neo4j_bolt ?? DEFAULT_PORTS.neo4j_bolt
       };
     }
-    console.log("");
-    console.log(chalk2.bold("NLP Agent Search"));
-    console.log(chalk2.dim("Required for the \u2726 Ask bar in the Horus Reader."));
-    console.log("");
-    const aiKey = await password({
-      message: "Horus AI key (leave empty to configure later):",
-      mask: "*"
-    });
     config = {
-      ...defaultConfig(),
+      ...defaults,
+      runtime: selectedRuntime,
       data_dir,
-      host_repos_path,
-      host_repos_extra_scan_dirs,
-      runtime: runtime.name,
       ports,
-      repos: {
-        anvil_notes: anvil_notes.trim(),
-        forge_registry: forge_registry.trim()
-      },
-      vaults,
-      github_hosts,
-      ai: {
-        key: aiKey.trim()
-      }
+      control_plane_url,
+      token_provider,
+      repos: { anvil_notes, forge_registry: "" },
+      ai: { key: "", anthropic_api_key: anthropicKey, model: defaults.ai.model }
     };
   }
+  const runtime = await detectRuntime(selectedRuntime);
+  config.runtime = runtime.name;
   const configSpinner = ora2("Saving configuration...").start();
   try {
     saveConfig(config);
-    configSpinner.succeed("Configuration saved to ~/Horus/config.yaml");
+    ensureFsLayout();
+    configSpinner.succeed("Configuration saved to ~/Horus/config.yaml (providers/, logs/, keys/ ready)");
   } catch (error) {
     configSpinner.fail("Failed to save configuration");
     console.error(error.message);
@@ -2013,108 +1872,57 @@ ${example(`${vaultName.trim()}-knowledge`)}
     process.exit(1);
   }
   const dataDir = resolvePath(config.data_dir);
-  const anvilToken = resolveGitHubHost(config.repos.anvil_notes, config.github_hosts)?.token ?? "";
-  const forgeToken = resolveGitHubHost(config.repos.forge_registry, config.github_hosts)?.token ?? "";
-  const reposToClone = [
-    {
-      url: config.repos.anvil_notes,
-      dest: join3(dataDir, "notes"),
-      label: "Anvil notes",
-      token: anvilToken
-    },
-    {
-      url: config.repos.forge_registry,
-      dest: join3(dataDir, "registry"),
-      label: "Forge registry",
-      token: forgeToken
-    }
-  ].filter((r) => r.url);
-  for (const [name, vault] of Object.entries(config.vaults)) {
-    if (vault.repo) {
-      const vaultToken = resolveGitHubHost(vault.repo, config.github_hosts)?.token ?? "";
-      reposToClone.push({
-        url: vault.repo,
-        dest: join3(dataDir, "vaults", name),
-        label: `Vault: ${name}`,
-        token: vaultToken
-      });
-    }
-  }
-  if (reposToClone.length > 0) {
-    console.log("");
-    console.log(chalk2.bold("Cloning repositories..."));
-    mkdirSync3(dataDir, { recursive: true });
-    for (const repo of reposToClone) {
-      const spinner = ora2(`Cloning ${repo.label}...`).start();
-      if (existsSync5(join3(repo.dest, ".git"))) {
-        spinner.succeed(`${repo.label} already cloned`);
-        continue;
-      }
+  mkdirSync3(dataDir, { recursive: true });
+  const notesDest = join3(dataDir, "notes");
+  if (config.repos.anvil_notes) {
+    const spinner = ora2("Cloning Anvil notes...").start();
+    if (existsSync5(join3(notesDest, ".git"))) {
+      spinner.succeed("Anvil notes already cloned");
+    } else {
       try {
-        mkdirSync3(repo.dest, { recursive: true });
-        const cloneUrl = injectToken(repo.url, repo.token);
-        execSync(`git clone "${cloneUrl}" "${repo.dest}"`, {
-          stdio: "pipe",
-          timeout: 6e4
-        });
-        spinner.succeed(`${repo.label} cloned`);
+        mkdirSync3(notesDest, { recursive: true });
+        execSync(`git clone "${config.repos.anvil_notes}" "${notesDest}"`, { stdio: "pipe", timeout: 6e4 });
+        spinner.succeed("Anvil notes cloned");
       } catch (error) {
-        spinner.fail(`Failed to clone ${repo.label}`);
-        const msg = error.message || "";
-        if (msg.includes("already exists and is not an empty directory")) {
-          console.log(chalk2.dim("  Directory exists but has no .git \u2014 check the path."));
-        } else {
-          console.log(chalk2.dim(`  ${msg.split("\n")[0]}`));
-        }
-        console.log(chalk2.dim(`  URL: ${repo.url}`));
-        if (!repo.token) {
-          console.log(chalk2.dim("  Tip: Re-run setup and provide a GitHub token if the repo is private."));
-        }
-        process.exit(1);
+        spinner.fail("Failed to clone Anvil notes (continuing with an empty notes dir)");
+        console.log(chalk3.dim(`  ${(error.message || "").split("\n")[0]}`));
+        console.log(chalk3.dim(`  URL: ${config.repos.anvil_notes}`));
+        mkdirSync3(notesDest, { recursive: true });
       }
     }
+  } else {
+    mkdirSync3(notesDest, { recursive: true });
   }
-  if (process.platform === "linux") {
-    const forgeDirs = ["config", "registry", "workspaces", "sessions"].map((d) => join3(dataDir, d));
-    for (const dir of forgeDirs) {
-      mkdirSync3(dir, { recursive: true });
-    }
-    const dirList = forgeDirs.map((d) => `"${d}"`).join(" ");
+  if (opts.pull !== false) {
+    console.log("");
+    console.log(chalk3.bold("Pulling container images..."));
     try {
-      execSync(`chown -R 1001:1001 ${dirList}`, { stdio: "pipe" });
-    } catch (error) {
-      console.log(chalk2.yellow("Warning: could not chown Forge data dirs to UID 1001."));
-      console.log(chalk2.dim("  Forge may fail to start if directory ownership is incorrect."));
-      console.log(chalk2.dim(`  Run manually: sudo chown -R 1001:1001 ${forgeDirs.join(" ")}`));
+      await composeStreaming(runtime, runtime.name === "podman" ? ["pull"] : ["pull", "--ignore-pull-failures"]);
+    } catch {
+      console.log(chalk3.yellow("Some images could not be pulled \u2014 continuing."));
     }
+  } else {
+    console.log(chalk3.dim("Skipping image pull (--no-pull)."));
   }
   console.log("");
-  console.log(chalk2.bold("Pulling container images..."));
-  try {
-    await composeStreaming(runtime, runtime.name === "podman" ? ["pull"] : ["pull", "--ignore-pull-failures"]);
-  } catch {
-    console.log(chalk2.yellow("Some images could not be pulled."));
-    console.log(chalk2.dim("Continuing \u2014 services will be built from source if build contexts are available."));
-  }
-  console.log("");
-  console.log(chalk2.bold("Starting Horus services..."));
+  console.log(chalk3.bold("Starting Horus services..."));
   try {
     await composeStreaming(runtime, ["up", "-d", "--remove-orphans"]);
   } catch (error) {
-    console.log(chalk2.red("Failed to start services."));
-    console.log(chalk2.dim(error.message));
+    console.log(chalk3.red("Failed to start services."));
+    console.log(chalk3.dim(error.message));
     process.exit(1);
   }
   console.log("");
   const healthSpinner = ora2("Waiting for services to become healthy...").start();
   let lastStates = [];
   try {
-    const states = await pollUntilHealthy(
+    lastStates = await pollUntilHealthy(
       runtime,
       (current) => {
         lastStates = current;
         const summary = current.map((s) => {
-          const icon = s.status === "healthy" ? chalk2.green("*") : s.status === "starting" ? chalk2.yellow("~") : chalk2.red("x");
+          const icon = s.status === "healthy" ? chalk3.green("*") : s.status === "starting" ? chalk3.yellow("~") : chalk3.red("x");
           return `${icon} ${s.name}`;
         }).join("  ");
         healthSpinner.text = `Waiting for services...  ${summary}`;
@@ -2123,76 +1931,75 @@ ${example(`${vaultName.trim()}-knowledge`)}
       5e3
     );
     healthSpinner.succeed("All services are healthy");
-    lastStates = states;
   } catch (error) {
     healthSpinner.fail("Some services did not become healthy");
-    console.log(chalk2.dim(error.message));
+    console.log(chalk3.dim(error.message));
+    console.log(chalk3.dim("Tip: check logs with `horus status` or `docker compose logs` from ~/Horus/"));
+  }
+  if (config.control_plane_url) {
     console.log("");
-    console.log(chalk2.dim("Tip: Check logs with `docker compose logs` from ~/Horus/"));
-    process.exit(1);
+    const loginSpinner = ora2("Logging in to the control plane...").start();
+    const result = await runLogin(config);
+    if (result.ok) loginSpinner.succeed(result.message);
+    else loginSpinner.warn(result.message);
   }
   console.log("");
   const detectedClients = detectInstalledClients();
   if (detectedClients.length > 0) {
-    console.log(chalk2.bold("Configuring AI clients..."));
+    console.log(chalk3.bold("Configuring AI clients..."));
     let clientsToConnect = [...detectedClients];
     if (clientsToConnect.includes("claude-desktop")) {
       let configureDesktop;
-      if (opts.yes) {
+      if (!interactive) {
         configureDesktop = opts.claudeDesktop === true;
-        if (!configureDesktop) {
-          console.log(chalk2.dim("Skipping Claude Desktop (pass --claude-desktop to configure it)."));
-        }
       } else {
         configureDesktop = opts.claudeDesktop === false ? false : await confirm({ message: "Setup for Claude Desktop?", default: true });
       }
-      if (!configureDesktop) {
-        clientsToConnect = clientsToConnect.filter((c) => c !== "claude-desktop");
-      }
+      if (!configureDesktop) clientsToConnect = clientsToConnect.filter((c) => c !== "claude-desktop");
     }
     if (clientsToConnect.length > 0) {
       try {
         await runConnect(config, runtime, clientsToConnect, "localhost");
-      } catch (error) {
-        console.log(chalk2.yellow("Could not configure AI clients automatically."));
-        console.log(chalk2.dim(`Run ${chalk2.cyan("horus connect")} to configure them manually.`));
+      } catch {
+        console.log(chalk3.yellow("Could not configure AI clients automatically."));
+        console.log(chalk3.dim(`Run ${chalk3.cyan("horus connect")} to configure them manually.`));
       }
     }
   } else {
-    console.log(chalk2.dim(`No AI clients detected. Run ${chalk2.cyan("horus connect")} after installing Claude Desktop, Claude Code, or Cursor.`));
+    console.log(chalk3.dim(`No AI clients detected. Run ${chalk3.cyan("horus connect")} after installing one.`));
   }
+  const mode = config.control_plane_url ? "connected" : "local-only";
   console.log("");
-  console.log(chalk2.bold.green("Setup complete!"));
-  console.log(chalk2.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+  console.log(chalk3.bold.green("Setup complete!"));
+  console.log(chalk3.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
   console.log("");
-  console.log(`  ${chalk2.bold("Runtime:")}    ${runtime.name}`);
-  console.log(`  ${chalk2.bold("Config:")}     ~/Horus/config.yaml`);
-  console.log(`  ${chalk2.bold("Data:")}       ${config.data_dir}`);
-  console.log("");
-  console.log(chalk2.bold("  Service URLs:"));
-  console.log(`    Anvil:        http://localhost:${config.ports.anvil}`);
-  console.log(`    Vault Router: http://localhost:${config.ports.vault_router}`);
-  console.log(`    Vault MCP:    http://localhost:${config.ports.vault_mcp}`);
-  console.log(`    Forge:        http://localhost:${config.ports.forge}`);
+  console.log(`  ${chalk3.bold("Mode:")}       ${mode}`);
+  console.log(`  ${chalk3.bold("Runtime:")}    ${runtime.name}`);
+  console.log(`  ${chalk3.bold("Config:")}     ~/Horus/config.yaml`);
+  console.log(`  ${chalk3.bold("Data:")}       ${config.data_dir}`);
+  if (config.control_plane_url) {
+    console.log(`  ${chalk3.bold("Control plane:")} ${config.control_plane_url}`);
+  }
   console.log("");
-  console.log(chalk2.bold("  Vault instances:"));
-  Object.entries(config.vaults).sort(([a], [b]) => a.localeCompare(b)).forEach(([name, vault], index) => {
-    const port = `800${index + 1}`;
-    const defaultLabel = vault.default ? chalk2.dim(" (default)") : "";
-    console.log(`    ${name}${defaultLabel}:  http://localhost:${port}`);
-  });
+  console.log(chalk3.bold("  Service URLs:"));
+  console.log(`    Horus UI:  http://localhost:${config.ports.ui}`);
+  console.log(`    Anvil:     http://localhost:${config.ports.anvil}`);
   console.log("");
+  if (mode === "local-only") {
+    console.log(chalk3.dim("  Vault, Forge, and Admin require a control plane \u2014 not available in local-only mode."));
+    console.log("");
+  }
   void lastStates;
 });
 
 // src/commands/up.ts
-import { Command as Command3 } from "commander";
-import chalk3 from "chalk";
+import { Command as Command4 } from "commander";
+import chalk4 from "chalk";
 import ora3 from "ora";
-var upCommand = new Command3("up").description("Start the Horus stack").option("--no-pull", "Skip pulling latest images before starting").action(async (opts) => {
+var upCommand = new Command4("up").description("Start the Horus stack").option("--no-pull", "Skip pulling latest images before starting").action(async (opts) => {
   if (!configExists() || !composeFileExists()) {
-    console.log(chalk3.red("Horus is not set up yet."));
-    console.log(chalk3.dim("Run `horus setup` first."));
+    console.log(chalk4.red("Horus is not set up yet."));
+    console.log(chalk4.dim("Run `horus setup` first."));
     process.exit(1);
   }
   const config = loadConfig();
@@ -2200,7 +2007,7 @@ var upCommand = new Command3("up").description("Start the Horus stack").option("
   let runtime;
   try {
     runtime = await detectRuntime(config.runtime);
-    spinner.succeed(`Using ${chalk3.cyan(runtime.name)}`);
+    spinner.succeed(`Using ${chalk4.cyan(runtime.name)}`);
   } catch (error) {
     spinner.fail("No container runtime found");
     console.log(error.message);
@@ -2208,25 +2015,25 @@ var upCommand = new Command3("up").description("Start the Horus stack").option("
   }
   if (opts.pull) {
     console.log("");
-    console.log(chalk3.bold("Pulling latest images..."));
+    console.log(chalk4.bold("Pulling latest images..."));
     try {
       await composeStreaming(runtime, ["pull"]);
       console.log("");
-      console.log(chalk3.green("\u2713 Pull complete"));
+      console.log(chalk4.green("\u2713 Pull complete"));
     } catch {
       console.log("");
-      console.log(chalk3.yellow("\u26A0  Warning: failed to pull one or more images \u2014 using cached versions."));
-      console.log(chalk3.dim("   Run `docker compose pull` to see which services failed."));
+      console.log(chalk4.yellow("\u26A0  Warning: failed to pull one or more images \u2014 using cached versions."));
+      console.log(chalk4.dim("   Run `docker compose pull` to see which services failed."));
     }
   }
   console.log("");
-  console.log(chalk3.bold("Starting Horus services..."));
+  console.log(chalk4.bold("Starting Horus services..."));
   try {
     const upArgs = opts.pull ? ["up", "-d", "--force-recreate", "--remove-orphans"] : ["up", "-d", "--remove-orphans"];
     await composeStreaming(runtime, upArgs);
   } catch (error) {
-    console.log(chalk3.red("Failed to start services."));
-    console.log(chalk3.dim(error.message));
+    console.log(chalk4.red("Failed to start services."));
+    console.log(chalk4.dim(error.message));
     process.exit(1);
   }
   console.log("");
@@ -2234,16 +2041,16 @@ var upCommand = new Command3("up").description("Start the Horus stack").option("
   try {
     const states = await checkAllHealth(runtime);
     statusSpinner.stop();
-    console.log(chalk3.bold("Service Status:"));
+    console.log(chalk4.bold("Service Status:"));
     for (const s of states) {
-      const color = s.status === "healthy" ? chalk3.green : s.status === "starting" ? chalk3.yellow : chalk3.red;
+      const color = s.status === "healthy" ? chalk4.green : s.status === "starting" ? chalk4.yellow : chalk4.red;
       console.log(`  ${color(s.status.padEnd(10))} ${s.name}`);
     }
     const allHealthy = states.every((s) => s.status === "healthy");
     if (!allHealthy) {
       console.log("");
       console.log(
-        chalk3.yellow("Some services are still starting. Run `horus status` to check progress.")
+        chalk4.yellow("Some services are still starting. Run `horus status` to check progress.")
       );
     }
   } catch {
@@ -2253,13 +2060,13 @@ var upCommand = new Command3("up").description("Start the Horus stack").option("
 });
 
 // src/commands/down.ts
-import { Command as Command4 } from "commander";
-import chalk4 from "chalk";
+import { Command as Command5 } from "commander";
+import chalk5 from "chalk";
 import ora4 from "ora";
-var downCommand = new Command4("down").description("Stop the Horus stack").action(async () => {
+var downCommand = new Command5("down").description("Stop the Horus stack").action(async () => {
   if (!configExists() || !composeFileExists()) {
-    console.log(chalk4.red("Horus is not set up yet."));
-    console.log(chalk4.dim("Run `horus setup` first."));
+    console.log(chalk5.red("Horus is not set up yet."));
+    console.log(chalk5.dim("Run `horus setup` first."));
     process.exit(1);
   }
   const config = loadConfig();
@@ -2267,35 +2074,35 @@ var downCommand = new Command4("down").description("Stop the Horus stack").actio
   let runtime;
   try {
     runtime = await detectRuntime(config.runtime);
-    spinner.succeed(`Using ${chalk4.cyan(runtime.name)}`);
+    spinner.succeed(`Using ${chalk5.cyan(runtime.name)}`);
   } catch (error) {
     spinner.fail("No container runtime found");
     console.log(error.message);
     process.exit(1);
   }
   console.log("");
-  console.log(chalk4.bold("Stopping Horus services..."));
+  console.log(chalk5.bold("Stopping Horus services..."));
   try {
     await composeStreaming(runtime, ["down"]);
   } catch (error) {
-    console.log(chalk4.red("Failed to stop services."));
-    console.log(chalk4.dim(error.message));
+    console.log(chalk5.red("Failed to stop services."));
+    console.log(chalk5.dim(error.message));
     process.exit(1);
   }
   console.log("");
-  console.log(chalk4.green("All services stopped."));
-  console.log(chalk4.dim("Data volumes have been preserved. Run `horus up` to restart."));
+  console.log(chalk5.green("All services stopped."));
+  console.log(chalk5.dim("Data volumes have been preserved. Run `horus up` to restart."));
   console.log("");
 });
 
 // src/commands/status.ts
-import { Command as Command5 } from "commander";
-import chalk5 from "chalk";
+import { Command as Command6 } from "commander";
+import chalk6 from "chalk";
 import ora5 from "ora";
-var statusCommand = new Command5("status").description("Show status of Horus services").action(async () => {
+var statusCommand = new Command6("status").description("Show status of Horus services").action(async () => {
   if (!configExists() || !composeFileExists()) {
-    console.log(chalk5.red("Horus is not set up yet."));
-    console.log(chalk5.dim("Run `horus setup` first."));
+    console.log(chalk6.red("Horus is not set up yet."));
+    console.log(chalk6.dim("Run `horus setup` first."));
     process.exit(1);
   }
   const config = loadConfig();
@@ -2317,28 +2124,28 @@ var statusCommand = new Command5("status").description("Show status of Horus ser
   }
   spinner.stop();
   console.log("");
-  console.log(chalk5.bold("Horus Status"));
-  console.log(chalk5.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
-  console.log(`  ${chalk5.bold("Version:")}  ${CLI_VERSION}`);
-  console.log(`  ${chalk5.bold("Runtime:")}  ${runtime.name}`);
-  console.log(`  ${chalk5.bold("Config:")}   ~/Horus/config.yaml`);
+  console.log(chalk6.bold("Horus Status"));
+  console.log(chalk6.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+  console.log(`  ${chalk6.bold("Version:")}  ${CLI_VERSION}`);
+  console.log(`  ${chalk6.bold("Runtime:")}  ${runtime.name}`);
+  console.log(`  ${chalk6.bold("Config:")}   ~/Horus/config.yaml`);
   console.log("");
   if (containers.length === 0) {
-    console.log(chalk5.yellow("  No services are running."));
-    console.log(chalk5.dim("  Run `horus up` to start the stack."));
+    console.log(chalk6.yellow("  No services are running."));
+    console.log(chalk6.dim("  Run `horus up` to start the stack."));
     console.log("");
     return;
   }
   const header = `  ${pad("SERVICE", 14)} ${pad("STATUS", 12)} ${pad("PORTS", 20)} ${pad("UPTIME", 20)}`;
-  console.log(chalk5.bold(header));
-  console.log(chalk5.dim("  " + "\u2500".repeat(66)));
+  console.log(chalk6.bold(header));
+  console.log(chalk6.dim("  " + "\u2500".repeat(66)));
   for (const service of SERVICES) {
     const container = containers.find(
       (c) => c.Service === service || c.Name?.includes(service)
     );
     if (!container) {
       console.log(
-        `  ${pad(service, 14)} ${chalk5.red(pad("stopped", 12))} ${pad("-", 20)} ${pad("-", 20)}`
+        `  ${pad(service, 14)} ${chalk6.red(pad("stopped", 12))} ${pad("-", 20)} ${pad("-", 20)}`
       );
       continue;
     }
@@ -2356,9 +2163,9 @@ function pad(str, width) {
 }
 function getStatusColor(status) {
   const lower = status.toLowerCase();
-  if (lower === "healthy" || lower === "running") return chalk5.green;
-  if (lower === "starting") return chalk5.yellow;
-  return chalk5.red;
+  if (lower === "healthy" || lower === "running") return chalk6.green;
+  if (lower === "starting") return chalk6.yellow;
+  return chalk6.red;
 }
 function formatPorts(publishers) {
   if (!publishers || publishers.length === 0) return "-";
@@ -2373,69 +2180,69 @@ function extractUptime(status) {
 }
 
 // src/commands/config.ts
-import { Command as Command6 } from "commander";
-import chalk6 from "chalk";
+import { Command as Command7 } from "commander";
+import chalk7 from "chalk";
 import { confirm as confirm2 } from "@inquirer/prompts";
-var configCommand = new Command6("config").description("View or modify Horus configuration").action(async () => {
+var configCommand = new Command7("config").description("View or modify Horus configuration").action(async () => {
   if (!configExists()) {
-    console.log(chalk6.red("Horus is not configured yet."));
-    console.log(chalk6.dim("Run `horus setup` first."));
+    console.log(chalk7.red("Horus is not configured yet."));
+    console.log(chalk7.dim("Run `horus setup` first."));
     process.exit(1);
   }
   const config = loadConfig();
   console.log("");
-  console.log(chalk6.bold("Horus Configuration"));
-  console.log(chalk6.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
-  console.log(`  ${chalk6.bold("version:")}          ${config.version}`);
-  console.log(`  ${chalk6.bold("data-dir:")}         ${config.data_dir}`);
-  console.log(`  ${chalk6.bold("runtime:")}          ${config.runtime}`);
-  console.log(`  ${chalk6.bold("host-repos-path:")}             ${config.host_repos_path || chalk6.dim("(not set)")}`);
+  console.log(chalk7.bold("Horus Configuration"));
+  console.log(chalk7.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+  console.log(`  ${chalk7.bold("version:")}          ${config.version}`);
+  console.log(`  ${chalk7.bold("data-dir:")}         ${config.data_dir}`);
+  console.log(`  ${chalk7.bold("runtime:")}          ${config.runtime}`);
+  console.log(`  ${chalk7.bold("host-repos-path:")}             ${config.host_repos_path || chalk7.dim("(not set)")}`);
   const extraDirs = (config.host_repos_extra_scan_dirs ?? []).join(", ");
-  console.log(`  ${chalk6.bold("host-repos-extra-scan-dirs:")}  ${extraDirs || chalk6.dim("(not set)")}`);
+  console.log(`  ${chalk7.bold("host-repos-extra-scan-dirs:")}  ${extraDirs || chalk7.dim("(not set)")}`);
   console.log("");
-  console.log(chalk6.bold("  Ports:"));
-  console.log(`    ${chalk6.bold("anvil:")}         ${config.ports.anvil}`);
-  console.log(`    ${chalk6.bold("vault-rest:")}    ${config.ports.vault_rest}`);
-  console.log(`    ${chalk6.bold("vault-mcp:")}     ${config.ports.vault_mcp}`);
-  console.log(`    ${chalk6.bold("vault-router:")}  ${config.ports.vault_router}`);
-  console.log(`    ${chalk6.bold("forge:")}         ${config.ports.forge}`);
+  console.log(chalk7.bold("  Ports:"));
+  console.log(`    ${chalk7.bold("anvil:")}         ${config.ports.anvil}`);
+  console.log(`    ${chalk7.bold("vault-rest:")}    ${config.ports.vault_rest}`);
+  console.log(`    ${chalk7.bold("vault-mcp:")}     ${config.ports.vault_mcp}`);
+  console.log(`    ${chalk7.bold("vault-router:")}  ${config.ports.vault_router}`);
+  console.log(`    ${chalk7.bold("forge:")}         ${config.ports.forge}`);
   console.log("");
-  console.log(chalk6.bold("  Repos:"));
-  console.log(`    ${chalk6.bold("anvil-notes:")}    ${config.repos.anvil_notes || chalk6.dim("(not set)")}`);
-  console.log(`    ${chalk6.bold("forge-registry:")} ${config.repos.forge_registry || chalk6.dim("(not set)")}`);
+  console.log(chalk7.bold("  Repos:"));
+  console.log(`    ${chalk7.bold("anvil-notes:")}    ${config.repos.anvil_notes || chalk7.dim("(not set)")}`);
+  console.log(`    ${chalk7.bold("forge-registry:")} ${config.repos.forge_registry || chalk7.dim("(not set)")}`);
   console.log("");
-  console.log(chalk6.bold("  Vaults:"));
+  console.log(chalk7.bold("  Vaults:"));
   if (Object.keys(config.vaults ?? {}).length === 0) {
-    console.log(chalk6.dim("    (none configured)"));
+    console.log(chalk7.dim("    (none configured)"));
   } else {
     for (const [name, vault] of Object.entries(config.vaults)) {
-      const defaultLabel = vault.default ? chalk6.dim(" (default)") : "";
-      console.log(`    ${chalk6.bold(name)}${defaultLabel}: ${vault.repo || chalk6.dim("(no repo)")}`);
+      const defaultLabel = vault.default ? chalk7.dim(" (default)") : "";
+      console.log(`    ${chalk7.bold(name)}${defaultLabel}: ${vault.repo || chalk7.dim("(no repo)")}`);
     }
   }
   console.log("");
-  console.log(chalk6.bold("  GitHub Hosts:"));
+  console.log(chalk7.bold("  GitHub Hosts:"));
   if (Object.keys(config.github_hosts ?? {}).length === 0) {
-    console.log(chalk6.dim("    (none configured)"));
+    console.log(chalk7.dim("    (none configured)"));
   } else {
     for (const [key, gh] of Object.entries(config.github_hosts)) {
-      console.log(`    ${chalk6.bold(key)}: ${gh.host}  token: ${gh.token ? maskApiKey(gh.token) : chalk6.dim("(not set)")}`);
+      console.log(`    ${chalk7.bold(key)}: ${gh.host}  token: ${gh.token ? maskApiKey(gh.token) : chalk7.dim("(not set)")}`);
     }
   }
   console.log("");
-  console.log(chalk6.dim(`  Config file: ~/Horus/config.yaml`));
-  console.log(chalk6.dim(`  Use 'horus config get <key>' or 'horus config set <key> <value>'`));
+  console.log(chalk7.dim(`  Config file: ~/Horus/config.yaml`));
+  console.log(chalk7.dim(`  Use 'horus config get <key>' or 'horus config set <key> <value>'`));
   console.log("");
 });
 configCommand.command("get <key>").description("Get a configuration value").action(async (key) => {
   if (!configExists()) {
-    console.log(chalk6.red("Horus is not configured yet."));
-    console.log(chalk6.dim("Run `horus setup` first."));
+    console.log(chalk7.red("Horus is not configured yet."));
+    console.log(chalk7.dim("Run `horus setup` first."));
     process.exit(1);
   }
   if (!isValidKey(key)) {
-    console.log(chalk6.red(`Unknown config key: ${key}`));
-    console.log(chalk6.dim(`Valid keys: ${CONFIG_KEYS.join(", ")}`));
+    console.log(chalk7.red(`Unknown config key: ${key}`));
+    console.log(chalk7.dim(`Valid keys: ${CONFIG_KEYS.join(", ")}`));
     process.exit(1);
   }
   const config = loadConfig();
@@ -2444,25 +2251,26 @@ configCommand.command("get <key>").description("Get a configuration value").acti
 });
 configCommand.command("set <key> <value>").description("Set a configuration value").action(async (key, value) => {
   if (!configExists()) {
-    console.log(chalk6.red("Horus is not configured yet."));
-    console.log(chalk6.dim("Run `horus setup` first."));
+    console.log(chalk7.red("Horus is not configured yet."));
+    console.log(chalk7.dim("Run `horus setup` first."));
     process.exit(1);
   }
   if (!isValidKey(key)) {
-    console.log(chalk6.red(`Unknown config key: ${key}`));
-    console.log(chalk6.dim(`Valid keys: ${CONFIG_KEYS.join(", ")}`));
+    console.log(chalk7.red(`Unknown config key: ${key}`));
+    console.log(chalk7.dim(`Valid keys: ${CONFIG_KEYS.join(", ")}`));
     process.exit(1);
   }
   let config = loadConfig();
   try {
     config = setConfigValue(config, key, value);
   } catch (error) {
-    console.log(chalk6.red(error.message));
+    console.log(chalk7.red(error.message));
     process.exit(1);
   }
   saveConfig(config);
   writeEnvFile(config);
-  console.log(chalk6.green(`Set ${key} and regenerated .env file.`));
+  installComposeFile(config, config.runtime === "podman" ? "podman" : "docker");
+  console.log(chalk7.green(`Set ${key} and regenerated .env + docker-compose.yml.`));
   const needsRestart = [
     "data-dir",
     "host-repos-path",
@@ -2475,17 +2283,17 @@ configCommand.command("set <key> <value>").description("Set a configuration valu
     "port.forge"
   ];
   if (needsRestart.includes(key)) {
-    console.log(chalk6.yellow("Restart required for changes to take effect."));
+    console.log(chalk7.yellow("Restart required for changes to take effect."));
     if (process.stdin.isTTY) {
       const restart = await confirm2({
         message: "Restart Horus now?",
         default: false
       });
       if (restart) {
-        console.log(chalk6.dim("Run `horus down && horus up` to restart."));
+        console.log(chalk7.dim("Run `horus down && horus up` to restart."));
       }
     } else {
-      console.log(chalk6.dim("Run `horus down && horus up` to restart."));
+      console.log(chalk7.dim("Run `horus down && horus up` to restart."));
     }
   }
 });
@@ -2494,8 +2302,8 @@ function isValidKey(key) {
 }
 
 // src/commands/update.ts
-import { Command as Command7 } from "commander";
-import chalk7 from "chalk";
+import { Command as Command8 } from "commander";
+import chalk8 from "chalk";
 import ora6 from "ora";
 import { select as select2, confirm as confirm3 } from "@inquirer/prompts";
 import { readFileSync as readFileSync5, writeFileSync as writeFileSync4, mkdirSync as mkdirSync4, readdirSync as readdirSync2, existsSync as existsSync6 } from "fs";
@@ -2562,17 +2370,17 @@ async function fetchLatestVersion() {
     return null;
   }
 }
-var updateCommand = new Command7("update").description("Update Horus to the latest version").option("--rollback", "Roll back to the previous version").option("-y, --yes", "Skip confirmation prompts").action(async (opts) => {
+var updateCommand = new Command8("update").description("Update Horus to the latest version").option("--rollback", "Roll back to the previous version").option("-y, --yes", "Skip confirmation prompts").action(async (opts) => {
   console.log("");
-  console.log(chalk7.bold(opts.rollback ? "Horus Rollback" : "Horus Update"));
-  console.log(chalk7.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+  console.log(chalk8.bold(opts.rollback ? "Horus Rollback" : "Horus Update"));
+  console.log(chalk8.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
   console.log("");
   const config = loadConfig();
   const runtimeSpinner = ora6("Detecting runtime...").start();
   let runtime;
   try {
     runtime = await detectRuntime(config.runtime);
-    runtimeSpinner.succeed(`Using ${chalk7.cyan(runtime.name)}`);
+    runtimeSpinner.succeed(`Using ${chalk8.cyan(runtime.name)}`);
   } catch (error) {
     runtimeSpinner.fail("No container runtime found");
     console.log(error.message);
@@ -2581,14 +2389,14 @@ var updateCommand = new Command7("update").description("Update Horus to the late
   if (opts.rollback) {
     const snapshots = listSnapshots();
     if (snapshots.length === 0) {
-      console.log(chalk7.red("No snapshots found. Cannot roll back."));
-      console.log(chalk7.dim(`Snapshots are stored in ${SNAPSHOTS_DIR}`));
+      console.log(chalk8.red("No snapshots found. Cannot roll back."));
+      console.log(chalk8.dim(`Snapshots are stored in ${SNAPSHOTS_DIR}`));
       process.exit(1);
     }
     let snapshotToRestore;
     if (opts.yes) {
       snapshotToRestore = snapshots[0].snapshot;
-      console.log(`Using most recent snapshot: ${chalk7.cyan(snapshotToRestore.timestamp)}`);
+      console.log(`Using most recent snapshot: ${chalk8.cyan(snapshotToRestore.timestamp)}`);
     } else {
       const choices = snapshots.map(({ snapshot }, i) => ({
         name: `${snapshot.timestamp}  (images: ${Object.keys(snapshot.images).length})`,
@@ -2606,7 +2414,7 @@ var updateCommand = new Command7("update").description("Update Horus to the late
         default: false
       });
       if (!confirmed) {
-        console.log(chalk7.dim("Rollback cancelled."));
+        console.log(chalk8.dim("Rollback cancelled."));
         return;
       }
     }
@@ -2616,16 +2424,16 @@ var updateCommand = new Command7("update").description("Update Horus to the late
       stopSpinner.succeed("Services stopped");
     } catch (error) {
       stopSpinner.fail("Failed to stop services");
-      console.log(chalk7.dim(error.message));
+      console.log(chalk8.dim(error.message));
       process.exit(1);
     }
     console.log("");
-    console.log(chalk7.bold("Restarting from snapshot (using cached images)..."));
+    console.log(chalk8.bold("Restarting from snapshot (using cached images)..."));
     try {
       await composeStreaming(runtime, ["up", "-d", "--remove-orphans"]);
     } catch (error) {
-      console.log(chalk7.red("Failed to restart services."));
-      console.log(chalk7.dim(error.message));
+      console.log(chalk8.red("Failed to restart services."));
+      console.log(chalk8.dim(error.message));
       process.exit(1);
     }
     console.log("");
@@ -2635,7 +2443,7 @@ var updateCommand = new Command7("update").description("Update Horus to the late
         runtime,
         (current) => {
           const summary = current.map((s) => {
-            const icon = s.status === "healthy" ? chalk7.green("*") : s.status === "starting" ? chalk7.yellow("~") : chalk7.red("x");
+            const icon = s.status === "healthy" ? chalk8.green("*") : s.status === "starting" ? chalk8.yellow("~") : chalk8.red("x");
             return `${icon} ${s.name}`;
           }).join("  ");
           healthSpinner2.text = `Waiting...  ${summary}`;
@@ -2646,11 +2454,11 @@ var updateCommand = new Command7("update").description("Update Horus to the late
       healthSpinner2.succeed("All services healthy after rollback");
     } catch (error) {
       healthSpinner2.fail("Some services did not become healthy");
-      console.log(chalk7.dim(error.message));
+      console.log(chalk8.dim(error.message));
       process.exit(1);
     }
     console.log("");
-    console.log(chalk7.bold.green("Rollback complete!"));
+    console.log(chalk8.bold.green("Rollback complete!"));
     console.log("");
     return;
   }
@@ -2661,14 +2469,14 @@ var updateCommand = new Command7("update").description("Update Horus to the late
   ]);
   versionSpinner.stop();
   if (latestVersion) {
-    console.log(`  Latest release: ${chalk7.cyan(latestVersion)}`);
+    console.log(`  Latest release: ${chalk8.cyan(latestVersion)}`);
   } else {
-    console.log(chalk7.dim("  Could not reach GitHub to check latest version."));
+    console.log(chalk8.dim("  Could not reach GitHub to check latest version."));
   }
   console.log("");
-  console.log(chalk7.dim("  Note: this updates the Horus container services only."));
-  console.log(chalk7.dim("  To update the Horus CLI itself, run:"));
-  console.log(`    ${chalk7.cyan("npm install -g @arkhera30/cli@latest")}`);
+  console.log(chalk8.dim("  Note: this updates the Horus container services only."));
+  console.log(chalk8.dim("  To update the Horus CLI itself, run:"));
+  console.log(`    ${chalk8.cyan("npm install -g @arkhera30/cli@latest")}`);
   console.log("");
   if (!opts.yes) {
     const confirmed = await confirm3({
@@ -2676,7 +2484,7 @@ var updateCommand = new Command7("update").description("Update Horus to the late
       default: true
     });
     if (!confirmed) {
-      console.log(chalk7.dim("Update cancelled."));
+      console.log(chalk8.dim("Update cancelled."));
       return;
     }
   }
@@ -2684,10 +2492,10 @@ var updateCommand = new Command7("update").description("Update Horus to the late
   let snapshotPath = "";
   try {
     snapshotPath = saveSnapshot(currentImages);
-    snapshotSpinner.succeed(`Snapshot saved: ${chalk7.dim(snapshotPath)}`);
+    snapshotSpinner.succeed(`Snapshot saved: ${chalk8.dim(snapshotPath)}`);
   } catch (error) {
     snapshotSpinner.warn("Could not save snapshot (update will proceed)");
-    console.log(chalk7.dim(error.message));
+    console.log(chalk8.dim(error.message));
   }
   const composeSpinner = ora6("Updating compose configuration...").start();
   try {
@@ -2696,23 +2504,23 @@ var updateCommand = new Command7("update").description("Update Horus to the late
     composeSpinner.succeed("Compose configuration updated");
   } catch (error) {
     composeSpinner.warn("Could not update compose configuration \u2014 using existing file");
-    console.log(chalk7.dim(error.message));
+    console.log(chalk8.dim(error.message));
   }
   console.log("");
-  console.log(chalk7.bold("Pulling latest images..."));
+  console.log(chalk8.bold("Pulling latest images..."));
   try {
     await composeStreaming(runtime, runtime.name === "podman" ? ["pull"] : ["pull", "--ignore-pull-failures"]);
   } catch {
-    console.log(chalk7.yellow("Some images could not be pulled."));
-    console.log(chalk7.dim("Continuing \u2014 services will be built from source if build contexts are available."));
+    console.log(chalk8.yellow("Some images could not be pulled."));
+    console.log(chalk8.dim("Continuing \u2014 services will be built from source if build contexts are available."));
   }
   console.log("");
-  console.log(chalk7.bold("Restarting services..."));
+  console.log(chalk8.bold("Restarting services..."));
   try {
     await composeStreaming(runtime, ["up", "-d", "--force-recreate", "--remove-orphans"]);
   } catch (error) {
-    console.log(chalk7.red("Failed to restart services."));
-    console.log(chalk7.dim(error.message));
+    console.log(chalk8.red("Failed to restart services."));
+    console.log(chalk8.dim(error.message));
     process.exit(1);
   }
   console.log("");
@@ -2723,7 +2531,7 @@ var updateCommand = new Command7("update").description("Update Horus to the late
       runtime,
       (current) => {
         const summary = current.map((s) => {
-          const icon = s.status === "healthy" ? chalk7.green("*") : s.status === "starting" ? chalk7.yellow("~") : chalk7.red("x");
+          const icon = s.status === "healthy" ? chalk8.green("*") : s.status === "starting" ? chalk8.yellow("~") : chalk8.red("x");
           return `${icon} ${s.name}`;
         }).join("  ");
         healthSpinner.text = `Waiting for services...  ${summary}`;
@@ -2734,55 +2542,55 @@ var updateCommand = new Command7("update").description("Update Horus to the late
     healthSpinner.succeed("All services healthy");
   } catch (error) {
     healthSpinner.fail("Some services did not become healthy");
-    console.log(chalk7.dim(error.message));
+    console.log(chalk8.dim(error.message));
     console.log("");
-    console.log(chalk7.dim(`Tip: Roll back with \`horus update --rollback\``));
+    console.log(chalk8.dim(`Tip: Roll back with \`horus update --rollback\``));
     process.exit(1);
   }
   console.log("");
-  console.log(chalk7.bold.green("Update complete!"));
-  console.log(chalk7.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+  console.log(chalk8.bold.green("Update complete!"));
+  console.log(chalk8.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
   if (latestVersion) {
-    console.log(`  ${chalk7.bold("Version:")}  ${latestVersion}`);
+    console.log(`  ${chalk8.bold("Version:")}  ${latestVersion}`);
   }
   console.log("");
-  console.log(chalk7.bold("  Service Status:"));
+  console.log(chalk8.bold("  Service Status:"));
   for (const s of finalStates) {
-    const color = s.status === "healthy" ? chalk7.green : s.status === "starting" ? chalk7.yellow : chalk7.red;
+    const color = s.status === "healthy" ? chalk8.green : s.status === "starting" ? chalk8.yellow : chalk8.red;
     console.log(`    ${color(s.status.padEnd(10))} ${s.name}`);
   }
   if (snapshotPath) {
     console.log("");
-    console.log(chalk7.dim(`  Snapshot saved for rollback: ${snapshotPath}`));
-    console.log(chalk7.dim("  Run `horus update --rollback` to revert if needed."));
+    console.log(chalk8.dim(`  Snapshot saved for rollback: ${snapshotPath}`));
+    console.log(chalk8.dim("  Run `horus update --rollback` to revert if needed."));
   }
   console.log("");
 });
 
 // src/commands/doctor.ts
-import { Command as Command8 } from "commander";
-import chalk8 from "chalk";
+import { Command as Command9 } from "commander";
+import chalk9 from "chalk";
 import { execSync as execSync2 } from "child_process";
 import { existsSync as existsSync7, accessSync, statfsSync, constants } from "fs";
 import { join as join5 } from "path";
 function symbol(status) {
   switch (status) {
     case "pass":
-      return chalk8.green("  \u2713 ");
+      return chalk9.green("  \u2713 ");
     case "warn":
-      return chalk8.yellow("  \u26A0 ");
+      return chalk9.yellow("  \u26A0 ");
     case "fail":
-      return chalk8.red("  \u2717 ");
+      return chalk9.red("  \u2717 ");
   }
 }
 function colorMessage(status, msg) {
   switch (status) {
     case "pass":
-      return chalk8.white(msg);
+      return chalk9.white(msg);
     case "warn":
-      return chalk8.yellow(msg);
+      return chalk9.yellow(msg);
     case "fail":
-      return chalk8.red(msg);
+      return chalk9.red(msg);
   }
 }
 async function checkRuntimeAvailability(preferred) {
@@ -3007,10 +2815,10 @@ async function checkSyncHealth(serviceName, ports) {
     };
   }
 }
-var doctorCommand = new Command8("doctor").description("Diagnose common Horus issues").action(async () => {
+var doctorCommand = new Command9("doctor").description("Diagnose common Horus issues").action(async () => {
   console.log("");
-  console.log(chalk8.bold("Horus Doctor"));
-  console.log(chalk8.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+  console.log(chalk9.bold("Horus Doctor"));
+  console.log(chalk9.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
   const allResults = [];
   const config = configExists() ? loadConfig() : null;
   allResults.push(await checkRuntimeAvailability(config?.runtime));
@@ -3052,20 +2860,20 @@ var doctorCommand = new Command8("doctor").description("Diagnose common Horus is
   }
   const errors = allResults.filter((r) => r.status === "fail");
   const warnings = allResults.filter((r) => r.status === "warn");
-  console.log(chalk8.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+  console.log(chalk9.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
   if (errors.length === 0 && warnings.length === 0) {
-    console.log(chalk8.green("  All checks passed."));
+    console.log(chalk9.green("  All checks passed."));
   } else {
     const parts = [];
-    if (errors.length > 0) parts.push(chalk8.red(`${errors.length} error${errors.length > 1 ? "s" : ""}`));
-    if (warnings.length > 0) parts.push(chalk8.yellow(`${warnings.length} warning${warnings.length > 1 ? "s" : ""}`));
+    if (errors.length > 0) parts.push(chalk9.red(`${errors.length} error${errors.length > 1 ? "s" : ""}`));
+    if (warnings.length > 0) parts.push(chalk9.yellow(`${warnings.length} warning${warnings.length > 1 ? "s" : ""}`));
     console.log(`  ${parts.join(", ")}`);
     const withHints = [...errors, ...warnings].filter((r) => r.hint);
     if (withHints.length > 0) {
       console.log("");
       for (const r of withHints) {
-        const icon = r.status === "fail" ? chalk8.red("\u2717") : chalk8.yellow("\u26A0");
-        console.log(`  ${icon} ${chalk8.dim(r.hint)}`);
+        const icon = r.status === "fail" ? chalk9.red("\u2717") : chalk9.yellow("\u26A0");
+        console.log(`  ${icon} ${chalk9.dim(r.hint)}`);
       }
     }
   }
@@ -3076,8 +2884,8 @@ var doctorCommand = new Command8("doctor").description("Diagnose common Horus is
 });
 
 // src/commands/backup.ts
-import { Command as Command9 } from "commander";
-import chalk9 from "chalk";
+import { Command as Command10 } from "commander";
+import chalk10 from "chalk";
 import ora7 from "ora";
 import { confirm as confirm4 } from "@inquirer/prompts";
 import { mkdirSync as mkdirSync5, statSync as statSync2, existsSync as existsSync8, writeFileSync as writeFileSync5 } from "fs";
@@ -3096,15 +2904,15 @@ function formatBytes(bytes) {
 }
 async function createBackup(yes) {
   console.log("");
-  console.log(chalk9.bold("Horus Backup"));
-  console.log(chalk9.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+  console.log(chalk10.bold("Horus Backup"));
+  console.log(chalk10.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
   console.log("");
   const config = loadConfig();
   const runtimeSpinner = ora7("Detecting runtime...").start();
   let runtime;
   try {
     runtime = await detectRuntime(config.runtime);
-    runtimeSpinner.succeed(`Using ${chalk9.cyan(runtime.name)}`);
+    runtimeSpinner.succeed(`Using ${chalk10.cyan(runtime.name)}`);
   } catch (error) {
     runtimeSpinner.fail("No container runtime found");
     console.log(error.message);
@@ -3116,7 +2924,7 @@ async function createBackup(yes) {
       default: true
     });
     if (!confirmed) {
-      console.log(chalk9.dim("Backup cancelled."));
+      console.log(chalk10.dim("Backup cancelled."));
       return;
     }
   }
@@ -3126,7 +2934,7 @@ async function createBackup(yes) {
     stopSpinner.succeed("Services stopped");
   } catch (error) {
     stopSpinner.fail("Failed to stop services");
-    console.log(chalk9.dim(error.message));
+    console.log(chalk10.dim(error.message));
     process.exit(1);
   }
   ensureBackupsDir();
@@ -3138,10 +2946,10 @@ async function createBackup(yes) {
     execSync3(`tar -czf "${tarFile}" -C "${HORUS_DIR}" data/`, {
       stdio: "pipe"
     });
-    backupSpinner.succeed(`Archive created: ${chalk9.dim(tarFile)}`);
+    backupSpinner.succeed(`Archive created: ${chalk10.dim(tarFile)}`);
   } catch (error) {
     backupSpinner.fail("Failed to create backup archive");
-    console.log(chalk9.dim(error.message));
+    console.log(chalk10.dim(error.message));
     await composeStreaming(runtime, ["start"]).catch(() => {
     });
     process.exit(1);
@@ -3164,25 +2972,25 @@ async function createBackup(yes) {
     startSpinner.succeed("Services restarted");
   } catch (error) {
     startSpinner.fail("Failed to restart services");
-    console.log(chalk9.dim(error.message));
-    console.log(chalk9.yellow("Run `horus up` to restart services manually."));
+    console.log(chalk10.dim(error.message));
+    console.log(chalk10.yellow("Run `horus up` to restart services manually."));
   }
   console.log("");
-  console.log(chalk9.bold.green("Backup complete!"));
-  console.log(chalk9.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
-  console.log(`  ${chalk9.bold("File:")}  ${tarFile}`);
-  console.log(`  ${chalk9.bold("Size:")}  ${formatBytes(sizeBytes)}`);
+  console.log(chalk10.bold.green("Backup complete!"));
+  console.log(chalk10.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+  console.log(`  ${chalk10.bold("File:")}  ${tarFile}`);
+  console.log(`  ${chalk10.bold("Size:")}  ${formatBytes(sizeBytes)}`);
   console.log("");
-  console.log(chalk9.dim("  Restore with: horus backup restore <file>"));
+  console.log(chalk10.dim("  Restore with: horus backup restore <file>"));
   console.log("");
 }
 async function restoreBackup(file, yes) {
   console.log("");
-  console.log(chalk9.bold("Horus Restore"));
-  console.log(chalk9.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+  console.log(chalk10.bold("Horus Restore"));
+  console.log(chalk10.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
   console.log("");
   if (!existsSync8(file)) {
-    console.log(chalk9.red(`Backup file not found: ${file}`));
+    console.log(chalk10.red(`Backup file not found: ${file}`));
     process.exit(1);
   }
   const config = loadConfig();
@@ -3190,21 +2998,21 @@ async function restoreBackup(file, yes) {
   let runtime;
   try {
     runtime = await detectRuntime(config.runtime);
-    runtimeSpinner.succeed(`Using ${chalk9.cyan(runtime.name)}`);
+    runtimeSpinner.succeed(`Using ${chalk10.cyan(runtime.name)}`);
   } catch (error) {
     runtimeSpinner.fail("No container runtime found");
     console.log(error.message);
     process.exit(1);
   }
   if (!yes) {
-    console.log(chalk9.yellow(`  Warning: This will overwrite current data in ${config.data_dir}`));
+    console.log(chalk10.yellow(`  Warning: This will overwrite current data in ${config.data_dir}`));
     console.log("");
     const confirmed = await confirm4({
       message: `Restore from ${basename(file)}? Current data will be overwritten.`,
       default: false
     });
     if (!confirmed) {
-      console.log(chalk9.dim("Restore cancelled."));
+      console.log(chalk10.dim("Restore cancelled."));
       return;
     }
   }
@@ -3214,7 +3022,7 @@ async function restoreBackup(file, yes) {
     stopSpinner.succeed("Services stopped");
   } catch (error) {
     stopSpinner.fail("Failed to stop services");
-    console.log(chalk9.dim(error.message));
+    console.log(chalk10.dim(error.message));
     process.exit(1);
   }
   const extractSpinner = ora7("Extracting backup...").start();
@@ -3223,18 +3031,18 @@ async function restoreBackup(file, yes) {
     extractSpinner.succeed("Backup extracted");
   } catch (error) {
     extractSpinner.fail("Failed to extract backup");
-    console.log(chalk9.dim(error.message));
+    console.log(chalk10.dim(error.message));
     await composeStreaming(runtime, ["start"]).catch(() => {
     });
     process.exit(1);
   }
   console.log("");
-  console.log(chalk9.bold("Starting services..."));
+  console.log(chalk10.bold("Starting services..."));
   try {
     await composeStreaming(runtime, ["start"]);
   } catch (error) {
-    console.log(chalk9.red("Failed to start services."));
-    console.log(chalk9.dim(error.message));
+    console.log(chalk10.red("Failed to start services."));
+    console.log(chalk10.dim(error.message));
     process.exit(1);
   }
   console.log("");
@@ -3244,7 +3052,7 @@ async function restoreBackup(file, yes) {
       runtime,
       (current) => {
         const summary = current.map((s) => {
-          const icon = s.status === "healthy" ? chalk9.green("*") : s.status === "starting" ? chalk9.yellow("~") : chalk9.red("x");
+          const icon = s.status === "healthy" ? chalk10.green("*") : s.status === "starting" ? chalk10.yellow("~") : chalk10.red("x");
           return `${icon} ${s.name}`;
         }).join("  ");
         healthSpinner.text = `Waiting for services...  ${summary}`;
@@ -3255,14 +3063,14 @@ async function restoreBackup(file, yes) {
     healthSpinner.succeed("All services healthy");
   } catch (error) {
     healthSpinner.fail("Some services did not become healthy");
-    console.log(chalk9.dim(error.message));
+    console.log(chalk10.dim(error.message));
     process.exit(1);
   }
   console.log("");
-  console.log(chalk9.bold.green("Restore complete!"));
+  console.log(chalk10.bold.green("Restore complete!"));
   console.log("");
 }
-var backupCommand = new Command9("backup").description("Backup or restore Horus data").option("-y, --yes", "Skip confirmation prompts").action(async (opts) => {
+var backupCommand = new Command10("backup").description("Backup or restore Horus data").option("-y, --yes", "Skip confirmation prompts").action(async (opts) => {
   await createBackup(opts.yes);
 });
 backupCommand.command("restore <file>").description("Restore Horus data from a backup file").option("-y, --yes", "Skip confirmation prompts").action(async (file, opts) => {
@@ -3270,8 +3078,8 @@ backupCommand.command("restore <file>").description("Restore Horus data from a b
 });
 
 // src/commands/test-env.ts
-import { Command as Command10 } from "commander";
-import chalk10 from "chalk";
+import { Command as Command11 } from "commander";
+import chalk11 from "chalk";
 import ora8 from "ora";
 import { join as join8 } from "path";
 import { fileURLToPath as fileURLToPath2 } from "url";
@@ -3724,7 +3532,7 @@ function projectName(slot) {
 }
 
 // src/commands/test-env.ts
-var testEnvCommand = new Command10("test-env").description("Manage isolated shadow stacks for integration testing");
+var testEnvCommand = new Command11("test-env").description("Manage isolated shadow stacks for integration testing");
 testEnvCommand.command("acquire").description("Start a shadow stack on alternate ports with isolated data").option("--timeout <seconds>", "Max wait for health checks (default: 120)", "120").option("--image <overrides...>", "Override service images (format: service=image:tag)").option(
   "--standalone",
   "Generate a fully-projected compose file (no overlay-merge). Eliminates port-collision with a live stack. Required on fresh VMs."
@@ -3736,6 +3544,11 @@ testEnvCommand.command("acquire").description("Start a shadow stack on alternate
   const mkSpinner = (text) => ora8({ text, stream: jsonMode ? process.stderr : process.stdout });
   const config = loadConfig();
   const dataDir = config.data_dir;
+  if (!config.vaults || Object.keys(config.vaults).length === 0) {
+    config.vaults = {
+      default: { repo: "", default: true }
+    };
+  }
   const testCfg = loadTestEnvConfig(dataDir);
   const vaultNames = Object.keys(config.vaults).sort();
   const defaultVaultEntry = Object.entries(config.vaults).find(([, v]) => v.default);
@@ -3744,7 +3557,7 @@ testEnvCommand.command("acquire").description("Start a shadow stack on alternate
   let runtime;
   try {
     runtime = await detectRuntime(config.runtime);
-    spinner.succeed(`Using ${chalk10.cyan(runtime.name)}`);
+    spinner.succeed(`Using ${chalk11.cyan(runtime.name)}`);
   } catch (error) {
     spinner.fail("No container runtime found");
     console.error(error.message);
@@ -3752,8 +3565,8 @@ testEnvCommand.command("acquire").description("Start a shadow stack on alternate
   }
   const slot = findFreeSlot(dataDir, testCfg);
   if (slot === null) {
-    console.error(chalk10.red(
-      `All ${testCfg.max_slots} slot(s) are in use. Run ${chalk10.bold("horus test-env status")} to see active slots, or ${chalk10.bold("horus test-env release")} to free one.`
+    console.error(chalk11.red(
+      `All ${testCfg.max_slots} slot(s) are in use. Run ${chalk11.bold("horus test-env status")} to see active slots, or ${chalk11.bold("horus test-env release")} to free one.`
     ));
     process.exit(1);
   }
@@ -3762,7 +3575,7 @@ testEnvCommand.command("acquire").description("Start a shadow stack on alternate
   const project = projectName(slot);
   const dirSpinner = mkSpinner(`Creating slot-${slot} data directories...`).start();
   createSlotDirs(slotDataPath, vaultNames);
-  dirSpinner.succeed(`Data directory: ${chalk10.dim(slotDataPath)}`);
+  dirSpinner.succeed(`Data directory: ${chalk11.dim(slotDataPath)}`);
   const seedSpinner = mkSpinner("Pre-seeding git repos...").start();
   try {
     await preSeedNotesDir(dataDir, slotDataPath);
@@ -3787,7 +3600,7 @@ testEnvCommand.command("acquire").description("Start a shadow stack on alternate
     for (const entry of opts.image) {
       const eqIdx = entry.indexOf("=");
       if (eqIdx < 1) {
-        console.error(chalk10.red(`Invalid --image format: "${entry}". Expected: service=image:tag`));
+        console.error(chalk11.red(`Invalid --image format: "${entry}". Expected: service=image:tag`));
         process.exit(1);
       }
       imageOverrides[entry.slice(0, eqIdx)] = entry.slice(eqIdx + 1);
@@ -3796,7 +3609,7 @@ testEnvCommand.command("acquire").description("Start a shadow stack on alternate
   const standaloneMode = Boolean(opts.standalone);
   const modeLabel = standaloneMode ? "standalone" : "overlay";
   const upSpinner = mkSpinner(
-    `Starting shadow stack (project ${chalk10.cyan(project)}, mode: ${chalk10.dim(modeLabel)})...`
+    `Starting shadow stack (project ${chalk11.cyan(project)}, mode: ${chalk11.dim(modeLabel)})...`
   ).start();
   try {
     if (standaloneMode) {
@@ -3816,7 +3629,7 @@ testEnvCommand.command("acquire").description("Start a shadow stack on alternate
   const timeoutMs = parseInt(opts.timeout, 10) * 1e3;
   try {
     await waitForShadowStackHealthy(runtime, project, timeoutMs, 3e3, (statuses) => {
-      const parts = Object.entries(statuses).map(([svc, s]) => `${svc}:${s === "healthy" ? chalk10.green(s) : chalk10.yellow(s)}`).join("  ");
+      const parts = Object.entries(statuses).map(([svc, s]) => `${svc}:${s === "healthy" ? chalk11.green(s) : chalk11.yellow(s)}`).join("  ");
       healthSpinner.text = `Waiting for services... ${parts}`;
     });
     healthSpinner.succeed("All services healthy");
@@ -3844,22 +3657,22 @@ testEnvCommand.command("acquire").description("Start a shadow stack on alternate
     return;
   }
   console.log("");
-  console.log(chalk10.bold.green(`\u2713 Slot ${slot} acquired`));
+  console.log(chalk11.bold.green(`\u2713 Slot ${slot} acquired`));
   console.log("");
-  console.log(chalk10.bold("Connection info:"));
-  console.log(`  Slot:       ${chalk10.cyan(slot)}`);
-  console.log(`  Project:    ${chalk10.cyan(project)}`);
-  console.log(`  Data:       ${chalk10.dim(slotDataPath)}`);
+  console.log(chalk11.bold("Connection info:"));
+  console.log(`  Slot:       ${chalk11.cyan(slot)}`);
+  console.log(`  Project:    ${chalk11.cyan(project)}`);
+  console.log(`  Data:       ${chalk11.dim(slotDataPath)}`);
   console.log("");
-  console.log(chalk10.bold("Ports:"));
-  console.log(`  Anvil:        http://localhost:${chalk10.cyan(ports.anvil)}`);
-  console.log(`  Forge:        http://localhost:${chalk10.cyan(ports.forge)}`);
-  console.log(`  Vault MCP:    http://localhost:${chalk10.cyan(ports.vault_mcp)}`);
-  console.log(`  Vault Router: http://localhost:${chalk10.cyan(ports.vault_router)}`);
-  console.log(`  Typesense:    http://localhost:${chalk10.cyan(ports.typesense)}`);
-  console.log(`  UI:           http://localhost:${chalk10.cyan(ports.ui)}`);
+  console.log(chalk11.bold("Ports:"));
+  console.log(`  Anvil:        http://localhost:${chalk11.cyan(ports.anvil)}`);
+  console.log(`  Forge:        http://localhost:${chalk11.cyan(ports.forge)}`);
+  console.log(`  Vault MCP:    http://localhost:${chalk11.cyan(ports.vault_mcp)}`);
+  console.log(`  Vault Router: http://localhost:${chalk11.cyan(ports.vault_router)}`);
+  console.log(`  Typesense:    http://localhost:${chalk11.cyan(ports.typesense)}`);
+  console.log(`  UI:           http://localhost:${chalk11.cyan(ports.ui)}`);
   console.log("");
-  console.log(chalk10.bold("Environment:"));
+  console.log(chalk11.bold("Environment:"));
   console.log(`  export TEST_SLOT=${slot}`);
   console.log(`  export TEST_ANVIL_URL=http://localhost:${ports.anvil}`);
   console.log(`  export TEST_FORGE_URL=http://localhost:${ports.forge}`);
@@ -3867,16 +3680,21 @@ testEnvCommand.command("acquire").description("Start a shadow stack on alternate
   console.log(`  export TEST_DATA_PATH=${slotDataPath}`);
   console.log("");
   const settingsPath = join8(slotDataPath, "claude-settings.json");
-  console.log(chalk10.bold("Agent dev mode:"));
-  console.log(`  MCP config: ${chalk10.dim(settingsPath)}`);
-  console.log(`  Launch:     ${chalk10.cyan(`claude --mcp-config ${settingsPath}`)}`);
+  console.log(chalk11.bold("Agent dev mode:"));
+  console.log(`  MCP config: ${chalk11.dim(settingsPath)}`);
+  console.log(`  Launch:     ${chalk11.cyan(`claude --mcp-config ${settingsPath}`)}`);
   console.log("");
-  console.log(chalk10.dim(`Run ${chalk10.bold(`horus test-env seed --slot ${slot}`)} to populate with fixtures.`));
-  console.log(chalk10.dim(`Run ${chalk10.bold(`horus test-env release --slot ${slot}`)} when done.`));
+  console.log(chalk11.dim(`Run ${chalk11.bold(`horus test-env seed --slot ${slot}`)} to populate with fixtures.`));
+  console.log(chalk11.dim(`Run ${chalk11.bold(`horus test-env release --slot ${slot}`)} when done.`));
 });
 testEnvCommand.command("release").description("Tear down a shadow stack and remove its data").option("--slot <n>", "Slot number to release (default: auto-detect acquired slot)").action(async (opts) => {
   const config = loadConfig();
   const dataDir = config.data_dir;
+  if (!config.vaults || Object.keys(config.vaults).length === 0) {
+    config.vaults = {
+      default: { repo: "", default: true }
+    };
+  }
   const testCfg = loadTestEnvConfig(dataDir);
   const vaultNames = Object.keys(config.vaults).sort();
   const defaultVaultEntry = Object.entries(config.vaults).find(([, v]) => v.default);
@@ -3888,7 +3706,7 @@ testEnvCommand.command("release").description("Tear down a shadow stack and remo
     const statuses = getAllSlotStatuses(dataDir, testCfg);
     const acquired = statuses.find((s) => s.state === "acquired" || s.state === "expired");
     if (!acquired) {
-      console.log(chalk10.yellow("No active slots found."));
+      console.log(chalk11.yellow("No active slots found."));
       return;
     }
     slot = acquired.slot;
@@ -3901,13 +3719,13 @@ testEnvCommand.command("release").description("Tear down a shadow stack and remo
   let runtime;
   try {
     runtime = await detectRuntime(config.runtime);
-    spinner.succeed(`Using ${chalk10.cyan(runtime.name)}`);
+    spinner.succeed(`Using ${chalk11.cyan(runtime.name)}`);
   } catch (error) {
     spinner.fail("No container runtime found");
     console.error(error.message);
     process.exit(1);
   }
-  const downSpinner = ora8(`Stopping ${chalk10.cyan(project)}...`).start();
+  const downSpinner = ora8(`Stopping ${chalk11.cyan(project)}...`).start();
   try {
     const { existsSync: existsSync12 } = await import("fs");
     const { join: join11 } = await import("path");
@@ -3926,7 +3744,7 @@ testEnvCommand.command("release").description("Tear down a shadow stack and remo
   removeLock(dataDir, slot);
   cleanSpinner.succeed("Test data removed");
   console.log("");
-  console.log(chalk10.bold.green(`\u2713 Slot ${slot} released`));
+  console.log(chalk11.bold.green(`\u2713 Slot ${slot} released`));
 });
 testEnvCommand.command("status").description("Show active shadow stack slots").action(() => {
   const config = loadConfig();
@@ -3935,20 +3753,20 @@ testEnvCommand.command("status").description("Show active shadow stack slots").a
   const statuses = getAllSlotStatuses(dataDir, testCfg);
   const acquiredCount = statuses.filter((s) => s.state === "acquired").length;
   console.log("");
-  console.log(chalk10.bold("Test Environment Status"));
+  console.log(chalk11.bold("Test Environment Status"));
   console.log(`  Max slots:  ${testCfg.max_slots}`);
   console.log(`  In use:     ${acquiredCount} / ${testCfg.max_slots}`);
   console.log(`  Base port:  ${testCfg.base_port}`);
   console.log("");
   if (statuses.every((s) => s.state === "free")) {
-    console.log(chalk10.dim("  No active slots."));
+    console.log(chalk11.dim("  No active slots."));
     console.log("");
     return;
   }
   for (const s of statuses) {
     if (s.state === "free") continue;
-    const stateLabel = s.state === "expired" ? chalk10.yellow("EXPIRED") : chalk10.green("ACTIVE");
-    console.log(`  ${chalk10.bold(`Slot ${s.slot}`)}  ${stateLabel}`);
+    const stateLabel = s.state === "expired" ? chalk11.yellow("EXPIRED") : chalk11.green("ACTIVE");
+    console.log(`  ${chalk11.bold(`Slot ${s.slot}`)}  ${stateLabel}`);
     if (s.acquiredAt) {
       console.log(`    Acquired: ${s.acquiredAt} (${s.elapsedMinutes}m ago)`);
     }
@@ -3956,7 +3774,7 @@ testEnvCommand.command("status").description("Show active shadow stack slots").a
       console.log(`    Ports:    anvil=${s.ports.anvil}  forge=${s.ports.forge}  vault-mcp=${s.ports.vault_mcp}  typesense=${s.ports.typesense}`);
     }
     if (s.dataPath) {
-      console.log(`    Data:     ${chalk10.dim(s.dataPath)}`);
+      console.log(`    Data:     ${chalk11.dim(s.dataPath)}`);
     }
     console.log("");
   }
@@ -3972,7 +3790,7 @@ testEnvCommand.command("seed").description("Populate a slot with test fixtures (
     const statuses = getAllSlotStatuses(dataDir, testCfg);
     const acquired = statuses.find((s) => s.state === "acquired");
     if (!acquired) {
-      console.error(chalk10.red("No active slot found. Run `horus test-env acquire` first."));
+      console.error(chalk11.red("No active slot found. Run `horus test-env acquire` first."));
       process.exit(1);
     }
     slot = acquired.slot;
@@ -4003,12 +3821,12 @@ testEnvCommand.command("seed").description("Populate a slot with test fixtures (
     }
   }
   console.log("");
-  console.log(chalk10.dim("Services will re-index automatically. Allow ~10s before running tests."));
+  console.log(chalk11.dim("Services will re-index automatically. Allow ~10s before running tests."));
 });
 
 // src/commands/help.ts
-import { Command as Command11 } from "commander";
-import chalk11 from "chalk";
+import { Command as Command12 } from "commander";
+import chalk12 from "chalk";
 import { readFileSync as readFileSync7, existsSync as existsSync10 } from "fs";
 import { join as join9, dirname as dirname3 } from "path";
 import { fileURLToPath as fileURLToPath3 } from "url";
@@ -4185,47 +4003,47 @@ function stripFrontMatter(content) {
 }
 function printTopicIndex(index) {
   console.log("");
-  console.log(chalk11.bold("Horus Help \u2014 Available Guides"));
-  console.log(chalk11.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+  console.log(chalk12.bold("Horus Help \u2014 Available Guides"));
+  console.log(chalk12.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
   console.log("");
   for (const g of index.guides) {
-    console.log(`  ${chalk11.cyan(g.slug.padEnd(20))} ${g.title}`);
-    console.log(`  ${" ".repeat(20)} ${chalk11.dim(g.description)}`);
+    console.log(`  ${chalk12.cyan(g.slug.padEnd(20))} ${g.title}`);
+    console.log(`  ${" ".repeat(20)} ${chalk12.dim(g.description)}`);
     console.log("");
   }
-  console.log(chalk11.dim("Example queries:"));
-  console.log(chalk11.dim("  horus help how do I start"));
-  console.log(chalk11.dim("  horus help what is a forge workspace"));
-  console.log(chalk11.dim("  horus help create my first anvil note"));
+  console.log(chalk12.dim("Example queries:"));
+  console.log(chalk12.dim("  horus help how do I start"));
+  console.log(chalk12.dim("  horus help what is a forge workspace"));
+  console.log(chalk12.dim("  horus help create my first anvil note"));
   console.log("");
-  console.log(chalk11.dim("To print a specific guide directly:"));
-  console.log(chalk11.dim("  horus guide <slug>"));
+  console.log(chalk12.dim("To print a specific guide directly:"));
+  console.log(chalk12.dim("  horus guide <slug>"));
   console.log("");
 }
 function printGuideBody(guidesDir, file) {
-  const path = join9(guidesDir, file);
-  const content = readFileSync7(path, "utf8");
+  const path2 = join9(guidesDir, file);
+  const content = readFileSync7(path2, "utf8");
   console.log(stripFrontMatter(content));
 }
 function printSeeAlso(alternates, guidesDir) {
   if (alternates.length === 0) return;
-  console.log(chalk11.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
-  console.log(chalk11.bold("See also:"));
+  console.log(chalk12.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+  console.log(chalk12.bold("See also:"));
   for (const a of alternates) {
-    console.log(`  ${chalk11.cyan(a.slug.padEnd(20))} ${a.title}`);
-    console.log(`  ${" ".repeat(20)} ${chalk11.dim(join9(guidesDir, a.file))}`);
+    console.log(`  ${chalk12.cyan(a.slug.padEnd(20))} ${a.title}`);
+    console.log(`  ${" ".repeat(20)} ${chalk12.dim(join9(guidesDir, a.file))}`);
   }
   console.log("");
 }
 function printFooter() {
   console.log(
-    chalk11.dim(
+    chalk12.dim(
       "Run `horus guide <slug>` to print a specific guide without retrieval, or `horus guide` to list all."
     )
   );
   console.log("");
 }
-var helpCommand = new Command11("help").description("Search and print bundled Horus getting-started guides").argument("[query...]", "Natural-language query. Omit to see the topic index.").action((query) => {
+var helpCommand = new Command12("help").description("Search and print bundled Horus getting-started guides").argument("[query...]", "Natural-language query. Omit to see the topic index.").action((query) => {
   const guidesDir = findGuidesDir();
   const index = loadIndex(guidesDir);
   if (!query || query.length === 0) {
@@ -4236,15 +4054,15 @@ var helpCommand = new Command11("help").description("Search and print bundled Ho
   const result = retrieve(queryStr, index, 3);
   if (!result.primary) {
     console.log("");
-    console.log(chalk11.yellow(`No guide matched "${queryStr}".`));
+    console.log(chalk12.yellow(`No guide matched "${queryStr}".`));
     console.log("");
-    console.log(chalk11.dim("Try `horus help` with no arguments to see the full topic index,"));
-    console.log(chalk11.dim("or pick a slug directly with `horus guide <slug>`."));
+    console.log(chalk12.dim("Try `horus help` with no arguments to see the full topic index,"));
+    console.log(chalk12.dim("or pick a slug directly with `horus guide <slug>`."));
     console.log("");
     return;
   }
   console.log("");
-  console.log(chalk11.dim(`# ${result.primary.title}  (${result.primary.slug})`));
+  console.log(chalk12.dim(`# ${result.primary.title}  (${result.primary.slug})`));
   console.log("");
   printGuideBody(guidesDir, result.primary.file);
   console.log("");
@@ -4253,8 +4071,8 @@ var helpCommand = new Command11("help").description("Search and print bundled Ho
 });
 
 // src/commands/guide.ts
-import { Command as Command12 } from "commander";
-import chalk12 from "chalk";
+import { Command as Command13 } from "commander";
+import chalk13 from "chalk";
 import { readFileSync as readFileSync8, existsSync as existsSync11 } from "fs";
 import { join as join10, dirname as dirname4 } from "path";
 import { fileURLToPath as fileURLToPath4 } from "url";
@@ -4293,17 +4111,17 @@ function lookupTopic(topic, index) {
 }
 function printGuideList(index) {
   console.log("");
-  console.log(chalk12.bold("Bundled Horus Guides"));
-  console.log(chalk12.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+  console.log(chalk13.bold("Bundled Horus Guides"));
+  console.log(chalk13.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
   console.log("");
   for (const g of index.guides) {
-    console.log(`  ${chalk12.cyan(g.slug.padEnd(20))} ${g.title}`);
-    console.log(`  ${" ".repeat(20)} ${chalk12.dim(g.description)}`);
+    console.log(`  ${chalk13.cyan(g.slug.padEnd(20))} ${g.title}`);
+    console.log(`  ${" ".repeat(20)} ${chalk13.dim(g.description)}`);
     console.log("");
   }
-  console.log(chalk12.dim("Print a guide:            horus guide <slug>"));
-  console.log(chalk12.dim("Print a guide file path:  horus guide <slug> --path"));
-  console.log(chalk12.dim("Print the guides root:    horus guide --path"));
+  console.log(chalk13.dim("Print a guide:            horus guide <slug>"));
+  console.log(chalk13.dim("Print a guide file path:  horus guide <slug> --path"));
+  console.log(chalk13.dim("Print the guides root:    horus guide --path"));
   console.log("");
 }
 function printGuideBody2(guidesDir, file) {
@@ -4312,16 +4130,16 @@ function printGuideBody2(guidesDir, file) {
 }
 function printDisambiguation(tier, matches) {
   console.log("");
-  console.log(chalk12.yellow(`Multiple guides matched (tier: ${tier}):`));
+  console.log(chalk13.yellow(`Multiple guides matched (tier: ${tier}):`));
   console.log("");
   for (const m of matches) {
-    console.log(`  ${chalk12.cyan(m.slug.padEnd(20))} ${m.title}`);
+    console.log(`  ${chalk13.cyan(m.slug.padEnd(20))} ${m.title}`);
   }
   console.log("");
-  console.log(chalk12.dim("Pick one: horus guide <slug>"));
+  console.log(chalk13.dim("Pick one: horus guide <slug>"));
   console.log("");
 }
-var guideCommand = new Command12("guide").description("Print a bundled Horus guide, or list all guides").argument("[topic]", "Slug, slug prefix, or search term. Omit to list all guides.").option("--path", "Print the file path instead of the body (or the guides dir root if no topic)").action((topic, opts) => {
+var guideCommand = new Command13("guide").description("Print a bundled Horus guide, or list all guides").argument("[topic]", "Slug, slug prefix, or search term. Omit to list all guides.").option("--path", "Print the file path instead of the body (or the guides dir root if no topic)").action((topic, opts) => {
   const guidesDir = findGuidesDir2();
   const index = loadIndex2(guidesDir);
   if (!topic) {
@@ -4335,9 +4153,9 @@ var guideCommand = new Command12("guide").description("Print a bundled Horus gui
   const result = lookupTopic(topic, index);
   if (result.matches.length === 0) {
     console.log("");
-    console.log(chalk12.yellow(`No guide matched "${topic}".`));
+    console.log(chalk13.yellow(`No guide matched "${topic}".`));
     console.log("");
-    console.log(chalk12.dim("Run `horus guide` to see all available guides."));
+    console.log(chalk13.dim("Run `horus guide` to see all available guides."));
     console.log("");
     process.exitCode = 1;
     return;
@@ -4356,14 +4174,88 @@ var guideCommand = new Command12("guide").description("Print a bundled Horus gui
 });
 
 // src/commands/repo.ts
-import { Command as Command13 } from "commander";
-import chalk13 from "chalk";
+import { Command as Command14 } from "commander";
+import chalk14 from "chalk";
 import ora9 from "ora";
-var repoCommand = new Command13("repo").description("Manage the Forge repository index");
+import { RepoRegistryClient } from "@forge/core";
+
+// src/lib/repo-migrate.ts
+import { promises as fs } from "fs";
+import os from "os";
+import path from "path";
+import { RepoExistsError } from "@forge/core";
+function inferOrg(remoteUrl) {
+  const sshMatch = remoteUrl.match(/git@[^:]+:([^/]+)\//);
+  if (sshMatch) return sshMatch[1];
+  const httpsMatch = remoteUrl.match(/https?:\/\/[^/]+\/([^/]+)\//);
+  if (httpsMatch) return httpsMatch[1];
+  return null;
+}
+function mapWorkflow(entry) {
+  if (!entry.workflow) return void 0;
+  const wf = entry.workflow;
+  return {
+    type: entry.workflow.type,
+    pushTo: entry.workflow.pushTo,
+    prTarget: entry.workflow.prTarget,
+    branchPattern: entry.workflow.branchPattern,
+    commitFormat: entry.workflow.commitFormat,
+    mergeStrategy: wf["mergeStrategy"]
+  };
+}
+async function migrateRepos(opts) {
+  const fromPath = opts.from ? opts.from : path.join(os.homedir(), "Horus", "data", "config", "repos.json");
+  const raw = await fs.readFile(fromPath, "utf8");
+  const index = JSON.parse(raw);
+  const entries = index.repos ?? [];
+  const result = { migrated: [], skipped: [], failed: [] };
+  for (const entry of entries) {
+    if (!entry.remoteUrl) {
+      result.skipped.push({ repo: entry.name, reason: "no remoteUrl" });
+      continue;
+    }
+    const org = inferOrg(entry.remoteUrl);
+    if (!org) {
+      result.skipped.push({ repo: entry.name, reason: "could not infer org from remoteUrl" });
+      continue;
+    }
+    const input2 = {
+      org,
+      name: entry.name,
+      canonicalUrl: entry.remoteUrl,
+      defaultBranch: entry.defaultBranch,
+      language: entry.language ?? void 0,
+      workflow: mapWorkflow(entry)
+    };
+    if (opts.dryRun) {
+      result.migrated.push(`${org}/${entry.name} (dry-run)`);
+      continue;
+    }
+    try {
+      await opts.client.register(input2);
+      result.migrated.push(`${org}/${entry.name}`);
+    } catch (err) {
+      if (err instanceof RepoExistsError) {
+        result.skipped.push({ repo: `${org}/${entry.name}`, reason: "already registered" });
+      } else {
+        const msg = err.message ?? String(err);
+        if (msg.includes("REPO_EXISTS") || err.code === "REPO_EXISTS") {
+          result.skipped.push({ repo: `${org}/${entry.name}`, reason: "already registered" });
+        } else {
+          result.failed.push({ repo: `${org}/${entry.name}`, error: msg });
+        }
+      }
+    }
+  }
+  return result;
+}
+
+// src/commands/repo.ts
+var repoCommand = new Command14("repo").description("Manage the Forge repository index");
 repoCommand.command("rindex").alias("scan").description("Trigger a full repository index rescan via Forge").action(async () => {
   if (!configExists()) {
-    console.log(chalk13.red("Horus is not set up yet."));
-    console.log(chalk13.dim("Run `horus setup` first."));
+    console.log(chalk14.red("Horus is not set up yet."));
+    console.log(chalk14.dim("Run `horus setup` first."));
     process.exit(1);
   }
   const config = loadConfig();
@@ -4385,13 +4277,13 @@ repoCommand.command("rindex").alias("scan").description("Trigger a full reposito
     body = await res.text();
     if (!res.ok) {
       spinner.fail(`Forge returned HTTP ${res.status}`);
-      console.error(chalk13.red(body));
+      console.error(chalk14.red(body));
       process.exit(1);
     }
   } catch (err) {
     spinner.fail("Could not reach Forge");
-    console.error(chalk13.red(`Is Horus running? (horus up)`));
-    console.error(chalk13.dim(err.message));
+    console.error(chalk14.red(`Is Horus running? (horus up)`));
+    console.error(chalk14.dim(err.message));
     process.exit(1);
   }
   let parsed;
@@ -4404,7 +4296,7 @@ repoCommand.command("rindex").alias("scan").description("Trigger a full reposito
   }
   if (parsed.error) {
     spinner.fail("Scan failed");
-    console.error(chalk13.red(parsed.error.message ?? JSON.stringify(parsed.error)));
+    console.error(chalk14.red(parsed.error.message ?? JSON.stringify(parsed.error)));
     process.exit(1);
   }
   let result = {};
@@ -4415,19 +4307,318 @@ repoCommand.command("rindex").alias("scan").description("Trigger a full reposito
   }
   spinner.succeed("Repository scan complete");
   console.log("");
-  console.log(`  ${chalk13.bold("Scan paths:")}  ${(result.scanPaths ?? []).length}`);
-  console.log(`  ${chalk13.bold("Repos found:")} ${result.reposFound ?? 0}`);
+  console.log(`  ${chalk14.bold("Scan paths:")}  ${(result.scanPaths ?? []).length}`);
+  console.log(`  ${chalk14.bold("Repos found:")} ${result.reposFound ?? 0}`);
   if (result.repos && result.repos.length > 0) {
     console.log("");
     for (const repo of result.repos) {
-      console.log(`  ${chalk13.green("\u2713")} ${chalk13.bold(repo.name)}  ${chalk13.dim(repo.localPath)}`);
+      console.log(`  ${chalk14.green("\u2713")} ${chalk14.bold(repo.name)}  ${chalk14.dim(repo.localPath)}`);
     }
   }
   console.log("");
 });
+repoCommand.command("migrate").description("Import existing repos.json entries into the shared repo registry").option("--from <path>", "Path to repos.json (default: ~/Horus/data/config/repos.json)").option("--registry <url>", "Shared registry base URL (overrides enterprise_registry_url)").option("--dry-run", "Preview what would be migrated without writing to the registry").action(async (opts) => {
+  console.log("");
+  console.log(chalk14.bold("Horus Repo Migrate"));
+  console.log(chalk14.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+  console.log("");
+  if (!configExists()) {
+    console.log(chalk14.red("Horus is not set up yet."));
+    console.log(chalk14.dim("Run `horus setup` first."));
+    process.exit(1);
+  }
+  const config = loadConfig();
+  const registryUrl = opts.registry ?? config.enterprise_registry_url ?? "http://localhost:8744";
+  const client = new RepoRegistryClient({ baseUrl: registryUrl });
+  if (opts.dryRun) {
+    console.log(chalk14.yellow("  Dry-run mode \u2014 no changes will be written to the registry."));
+    console.log("");
+  }
+  const spinner = ora9("Reading repos.json...").start();
+  let migrateResult;
+  try {
+    migrateResult = await migrateRepos({
+      from: opts.from,
+      dryRun: opts.dryRun,
+      client
+    });
+  } catch (err) {
+    spinner.fail("Migration failed");
+    console.error(chalk14.red(err.message));
+    process.exit(1);
+  }
+  spinner.stop();
+  const total = migrateResult.migrated.length + migrateResult.skipped.length + migrateResult.failed.length;
+  console.log(
+    `Migrated ${chalk14.bold(String(migrateResult.migrated.length))}/${total} repos:`
+  );
+  console.log("");
+  for (const repo of migrateResult.migrated) {
+    console.log(`  ${chalk14.green("\u2705")} ${repo}`);
+  }
+  for (const { repo, reason } of migrateResult.skipped) {
+    console.log(`  ${chalk14.yellow("\u26A0\uFE0F ")} ${repo} ${chalk14.dim(`(skipped \u2014 ${reason})`)}`);
+  }
+  for (const { repo, error } of migrateResult.failed) {
+    console.log(`  ${chalk14.red("\u274C")} ${repo} ${chalk14.dim(`(failed \u2014 ${error})`)}`);
+  }
+  console.log("");
+  if (migrateResult.failed.length > 0) {
+    process.exit(1);
+  }
+});
+
+// src/commands/operator.ts
+import { writeFileSync as writeFileSync8 } from "fs";
+import { resolve as resolve2 } from "path";
+import { Command as Command15 } from "commander";
+import { execa as execa4 } from "execa";
+
+// src/lib/bundle.ts
+import { stringify as stringifyYaml4 } from "yaml";
+var BUNDLE_VERSION = "1";
+function buildBundle(input2) {
+  const vaults = {};
+  for (const v of input2.vaults ?? []) {
+    vaults[v.namespace] = v.default ? { endpoint: v.endpoint, default: true } : { endpoint: v.endpoint };
+  }
+  const bundle = {
+    version: input2.version ?? BUNDLE_VERSION,
+    control_plane_url: input2.controlPlaneUrl,
+    token_provider: { kind: input2.tokenProviderKind ?? "static", config: input2.initialToken },
+    vaults
+  };
+  if (input2.dataDir) bundle.data_dir = input2.dataDir;
+  if (input2.runtime) bundle.runtime = input2.runtime;
+  return bundle;
+}
+function serializeBundle(bundle) {
+  return stringifyYaml4(bundle);
+}
+
+// src/commands/operator.ts
+async function connect(opts) {
+  const explicit = opts.operatorUrl ?? process.env.HORUS_OPERATOR_URL;
+  if (explicit) {
+    return { baseUrl: explicit.replace(/\/$/, ""), close: async () => {
+    } };
+  }
+  const localPort = Number(opts.port ?? "8090");
+  const ns = opts.namespace ?? "horus-system";
+  const proc = execa4(
+    "kubectl",
+    ["port-forward", "svc/operator-service", `${localPort}:8090`, "-n", ns],
+    { stdio: "ignore" }
+  );
+  await new Promise((r) => setTimeout(r, 1500));
+  return {
+    baseUrl: `http://127.0.0.1:${localPort}`,
+    close: async () => {
+      proc.kill();
+    }
+  };
+}
+async function api(baseUrl, method, path2, body) {
+  const res = await fetch(`${baseUrl}${path2}`, {
+    method,
+    headers: { "content-type": "application/json", "x-operator-role": "admin", "x-operator-user": "admin" },
+    body: body === void 0 ? void 0 : JSON.stringify(body)
+  });
+  const text = await res.text();
+  if (!res.ok) {
+    throw new Error(`operator-service ${method} ${path2} \u2192 ${res.status}: ${text}`);
+  }
+  return text ? JSON.parse(text) : {};
+}
+function collectVault(value, prev) {
+  const [namespace, endpoint] = value.split("=");
+  if (!namespace || !endpoint) {
+    throw new Error(`--vault must be "<owner/ns>=<endpoint>", got "${value}"`);
+  }
+  return [...prev, { namespace, endpoint }];
+}
+var operatorCommand = new Command15("operator").description(
+  "Control Plane admin: users, vaults, provisioning requests"
+);
+var userCmd = operatorCommand.command("user").description("User management");
+userCmd.command("add <userId>").description("Onboard a user and emit a pre-provisioned config bundle").requiredOption("--tenant <tenant>", "tenant the user belongs to").requiredOption("--cp-url <url>", "public Control Plane URL the client connects to").option("--role <role>", "user role", "user").option("--vault <ns=endpoint>", "assign a vault (repeatable)", collectVault, []).option("--ttl <seconds>", "initial token lifetime", "86400").option("--out <path>", "bundle output path").option("--operator-url <url>", "operator-service base URL (skip port-forward)").option("--namespace <ns>", "k8s namespace for port-forward", "horus-system").action(async (userId, opts) => {
+  const vaults = opts.vault;
+  const client = await connect(opts);
+  try {
+    await api(client.baseUrl, "POST", "/requests", {
+      kind: "onboard",
+      tenant: opts.tenant,
+      payload: { userId, role: opts.role, assignedVaults: vaults.map((v) => v.namespace) }
+    });
+    const minted = await api(client.baseUrl, "POST", "/tokens", {
+      userId,
+      ttlSeconds: Number(opts.ttl)
+    });
+    const bundle = buildBundle({
+      controlPlaneUrl: opts.cpUrl,
+      initialToken: minted.token,
+      vaults
+    });
+    const outPath = resolve2(opts.out ?? `./${userId}.bundle.yaml`);
+    writeFileSync8(outPath, serializeBundle(bundle), "utf8");
+    console.log(`Bundle written to ${outPath}`);
+    console.log(`Run: horus setup --config ${outPath}`);
+  } finally {
+    await client.close();
+  }
+});
+userCmd.command("list").description("List users").option("--operator-url <url>", "operator-service base URL").action(async (opts) => {
+  const client = await connect(opts);
+  try {
+    console.log(JSON.stringify(await api(client.baseUrl, "GET", "/users"), null, 2));
+  } finally {
+    await client.close();
+  }
+});
+var vaultCmd = operatorCommand.command("vault").description("Vault provisioning");
+function vaultRequest(kind) {
+  return async (opts) => {
+    const client = await connect(opts);
+    try {
+      const out = await api(client.baseUrl, "POST", "/requests", {
+        kind,
+        tenant: opts.tenant,
+        payload: {
+          namespace: opts.namespace,
+          target_router: opts.router,
+          backing_store_adapter: opts.adapter,
+          endpoint: opts.endpoint
+        }
+      });
+      console.log(JSON.stringify(out, null, 2));
+    } finally {
+      await client.close();
+    }
+  };
+}
+for (const [sub, kind] of [
+  ["create", "vault_create"],
+  ["attach", "vault_attach"],
+  ["delete", "vault_delete"]
+]) {
+  vaultCmd.command(`${sub}`).requiredOption("--namespace <owner/ns>", "vault namespace").requiredOption("--tenant <tenant>", "tenant").option("--router <name>", "target router", "vault-router").option("--adapter <adapter>", "backing-store adapter", "git-subdir").option("--endpoint <url>", "explicit upstream endpoint").option("--operator-url <url>", "operator-service base URL").action(vaultRequest(kind));
+}
+var reqCmd = operatorCommand.command("request").description("Provisioning requests");
+reqCmd.command("list").option("--operator-url <url>", "operator-service base URL").action(async (opts) => {
+  const client = await connect(opts);
+  try {
+    console.log(JSON.stringify(await api(client.baseUrl, "GET", "/requests"), null, 2));
+  } finally {
+    await client.close();
+  }
+});
+reqCmd.command("show <id>").option("--operator-url <url>", "operator-service base URL").action(async (id, opts) => {
+  const client = await connect(opts);
+  try {
+    console.log(JSON.stringify(await api(client.baseUrl, "GET", `/requests/${id}`), null, 2));
+  } finally {
+    await client.close();
+  }
+});
+for (const decision of ["approve", "reject"]) {
+  reqCmd.command(`${decision} <id>`).option("--operator-url <url>", "operator-service base URL").action(async (id, opts) => {
+    const client = await connect(opts);
+    try {
+      console.log(
+        JSON.stringify(await api(client.baseUrl, "POST", `/requests/${id}/${decision}`), null, 2)
+      );
+    } finally {
+      await client.close();
+    }
+  });
+}
+operatorCommand.command("login").description("Authenticate; forces bootstrap-admin credential rotation on first login (\xA7H)").option("--admin <id>", "admin user id", "admin").option("--operator-url <url>", "operator-service base URL").action(async (opts) => {
+  const client = await connect(opts);
+  try {
+    const adminId = opts.admin ?? "admin";
+    const users = await api(
+      client.baseUrl,
+      "GET",
+      "/users"
+    );
+    const admin = users.find((u) => u.userId === adminId);
+    if (admin?.mustRotate) {
+      await api(client.baseUrl, "POST", "/admin/rotate", { adminId });
+      console.log("Bootstrap admin credential rotated (forced on first login).");
+    } else {
+      console.log("Logged in. No rotation required.");
+    }
+  } finally {
+    await client.close();
+  }
+});
+function renderPrincipalSecrets(namespace, b) {
+  const clientJwks = JSON.stringify(b.clientJwks);
+  const internalSigningKey = JSON.stringify(b.internalSigningKey);
+  const pubJwk = JSON.stringify(b.internalPublicJwk);
+  return `apiVersion: v1
+kind: Secret
+metadata:
+  name: horus-service-secrets
+  namespace: ${namespace}
+type: Opaque
+stringData:
+  HORUS_CLIENT_JWKS_JSON: '${clientJwks}'
+  HORUS_INTERNAL_SIGNING_KEY_JSON: '${internalSigningKey}'
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: horus-principal-pub
+  namespace: ${namespace}
+type: Opaque
+stringData:
+  pub.jwk: '${pubJwk}'
+`;
+}
+operatorCommand.command("init").description(
+  "Derive horus-service-secrets + horus-principal-pub from operator-service keys and apply them"
+).option("--namespace <ns>", "k8s namespace", "horus-system").option("--operator-url <url>", "operator-service base URL (skip port-forward)").option("--port <port>", "local port for port-forward", "8090").option("--dry-run", "print the Secret manifests instead of applying", false).option("--out <path>", "write the Secret manifests to a file instead of applying").action(async (opts) => {
+  const client = await connect(opts);
+  try {
+    const bundle = await api(client.baseUrl, "GET", "/admin/principal-bundle");
+    const ns = opts.namespace ?? "horus-system";
+    const manifests = renderPrincipalSecrets(ns, bundle);
+    if (opts.out) {
+      writeFileSync8(resolve2(opts.out), manifests, "utf8");
+      console.log(`Principal Secrets written to ${resolve2(opts.out)}`);
+      return;
+    }
+    if (opts.dryRun) {
+      process.stdout.write(manifests);
+      return;
+    }
+    await execa4("kubectl", ["apply", "-n", ns, "-f", "-"], {
+      input: manifests,
+      stdio: ["pipe", "inherit", "inherit"]
+    });
+    console.log(`Applied horus-service-secrets + horus-principal-pub to namespace ${ns}.`);
+    console.log("horus-service can now mint X-Horus-Principal; Vault and forge-registry can verify it.");
+  } finally {
+    await client.close();
+  }
+});
+operatorCommand.command("status").option("--operator-url <url>", "operator-service base URL").action(async (opts) => {
+  const client = await connect(opts);
+  try {
+    const health = await api(client.baseUrl, "GET", "/health");
+    const requests = await api(client.baseUrl, "GET", "/requests");
+    const users = await api(client.baseUrl, "GET", "/users");
+    console.log(
+      JSON.stringify({ health, requests: requests.length, users: users.length }, null, 2)
+    );
+  } finally {
+    await client.close();
+  }
+});
 
 // src/index.ts
-var program = new Command14();
+var program = new Command16();
 program.name("horus").description("CLI for managing the Horus Docker Compose stack").version(CLI_VERSION);
 program.addCommand(setupCommand);
 program.addCommand(upCommand);
@@ -4435,6 +4626,7 @@ program.addCommand(downCommand);
 program.addCommand(statusCommand);
 program.addCommand(configCommand);
 program.addCommand(connectCommand);
+program.addCommand(loginCommand);
 program.addCommand(updateCommand);
 program.addCommand(doctorCommand);
 program.addCommand(backupCommand);
@@ -4442,6 +4634,7 @@ program.addCommand(testEnvCommand);
 program.addCommand(helpCommand);
 program.addCommand(guideCommand);
 program.addCommand(repoCommand);
+program.addCommand(operatorCommand);
 program.exitOverride();
 try {
   await program.parseAsync(process.argv);
@@ -4450,9 +4643,9 @@ try {
     process.exit(0);
   }
   if (error instanceof Error) {
-    console.error(chalk14.red(`Error: ${error.message}`));
+    console.error(chalk15.red(`Error: ${error.message}`));
   } else {
-    console.error(chalk14.red("An unexpected error occurred."));
+    console.error(chalk15.red("An unexpected error occurred."));
   }
   process.exit(1);
 }