@controlvector/cv-agent 1.3.0 → 1.5.0

package/dist/bundle.cjs

@@ -960,7 +960,7 @@ var require_command = __commonJS({
     var EventEmitter = require("node:events").EventEmitter;
     var childProcess = require("node:child_process");
     var path = require("node:path");
-    var fs2 = require("node:fs");
+    var fs3 = require("node:fs");
     var process3 = require("node:process");
     var { Argument: Argument2, humanReadableArgName } = require_argument();
     var { CommanderError: CommanderError2 } = require_error();
@@ -1893,10 +1893,10 @@ Expecting one of '${allowedValues.join("', '")}'`);
         const sourceExt = [".js", ".ts", ".tsx", ".mjs", ".cjs"];
         function findFile(baseDir, baseName) {
           const localBin = path.resolve(baseDir, baseName);
-          if (fs2.existsSync(localBin)) return localBin;
+          if (fs3.existsSync(localBin)) return localBin;
           if (sourceExt.includes(path.extname(baseName))) return void 0;
           const foundExt = sourceExt.find(
-            (ext) => fs2.existsSync(`${localBin}${ext}`)
+            (ext) => fs3.existsSync(`${localBin}${ext}`)
           );
           if (foundExt) return `${localBin}${foundExt}`;
           return void 0;
@@ -1908,7 +1908,7 @@ Expecting one of '${allowedValues.join("', '")}'`);
         if (this._scriptPath) {
           let resolvedScriptPath;
           try {
-            resolvedScriptPath = fs2.realpathSync(this._scriptPath);
+            resolvedScriptPath = fs3.realpathSync(this._scriptPath);
           } catch (err) {
             resolvedScriptPath = this._scriptPath;
           }
@@ -3037,7 +3037,7 @@ var {
 } = import_index.default;
 
 // src/commands/agent.ts
-var import_node_child_process2 = require("node:child_process");
+var import_node_child_process4 = require("node:child_process");
 
 // node_modules/chalk/source/vendor/ansi-styles/index.js
 var ANSI_BACKGROUND_OFFSET = 10;
@@ -3697,12 +3697,13 @@ async function failTask(creds, executorId, taskId, error) {
   const res = await apiCall(creds, "POST", `/api/v1/executors/${executorId}/tasks/${taskId}/fail`, { error });
   if (!res.ok) throw new Error(`Fail failed: ${res.status}`);
 }
-async function sendHeartbeat(creds, executorId, taskId, message) {
-  await apiCall(creds, "POST", `/api/v1/executors/${executorId}/heartbeat`).catch(() => {
+async function sendHeartbeat(creds, executorId, taskId, message, authStatus2) {
+  const body = authStatus2 ? { auth_status: authStatus2 } : void 0;
+  await apiCall(creds, "POST", `/api/v1/executors/${executorId}/heartbeat`, body).catch(() => {
   });
   if (taskId) {
-    const body = message ? { message, log_type: "heartbeat" } : void 0;
-    await apiCall(creds, "POST", `/api/v1/executors/${executorId}/tasks/${taskId}/heartbeat`, body).catch(() => {
+    const taskBody = message ? { message, log_type: "heartbeat" } : void 0;
+    await apiCall(creds, "POST", `/api/v1/executors/${executorId}/tasks/${taskId}/heartbeat`, taskBody).catch(() => {
     });
   }
 }
@@ -4067,7 +4068,366 @@ ${source_default.yellow("\u26A0")} ${label} failed, retrying in ${delay}s... (${
   throw new Error("unreachable");
 }
 
+// src/utils/config.ts
+var import_fs2 = require("fs");
+var import_os2 = require("os");
+var import_path2 = require("path");
+function getConfigPath() {
+  return (0, import_path2.join)((0, import_os2.homedir)(), ".config", "cva", "config.json");
+}
+async function readConfig() {
+  try {
+    const content = await import_fs2.promises.readFile(getConfigPath(), "utf-8");
+    return JSON.parse(content);
+  } catch {
+    return {};
+  }
+}
+async function writeConfig(config) {
+  const configPath = getConfigPath();
+  await import_fs2.promises.mkdir((0, import_path2.dirname)(configPath), { recursive: true });
+  await import_fs2.promises.writeFile(configPath, JSON.stringify(config, null, 2) + "\n", { mode: 384 });
+}
+
+// src/commands/git-safety.ts
+var import_node_child_process2 = require("node:child_process");
+function git(cmd, cwd) {
+  return (0, import_node_child_process2.execSync)(cmd, { cwd, encoding: "utf8", timeout: 3e4 }).trim();
+}
+function gitSafetyNet(workspaceRoot, taskTitle, taskId, branch) {
+  const targetBranch = branch || "main";
+  try {
+    let statusOutput;
+    try {
+      statusOutput = git("git status --porcelain", workspaceRoot);
+    } catch {
+      return { hadChanges: false, filesAdded: 0, filesModified: 0, filesDeleted: 0, pushed: false, error: "git status failed" };
+    }
+    const lines = statusOutput.split("\n").filter(Boolean);
+    if (lines.length === 0) {
+      try {
+        const unpushed = git(`git log origin/${targetBranch}..HEAD --oneline 2>/dev/null`, workspaceRoot);
+        if (unpushed) {
+          console.log(`  [git-safety] Found unpushed commits \u2014 pushing now`);
+          git(`git push origin ${targetBranch}`, workspaceRoot);
+          return { hadChanges: false, filesAdded: 0, filesModified: 0, filesDeleted: 0, pushed: true };
+        }
+      } catch {
+      }
+      return { hadChanges: false, filesAdded: 0, filesModified: 0, filesDeleted: 0, pushed: false };
+    }
+    let added = 0, modified = 0, deleted = 0;
+    for (const line of lines) {
+      const code = line.substring(0, 2);
+      if (code.includes("?")) added++;
+      else if (code.includes("D")) deleted++;
+      else if (code.includes("M") || code.includes("A")) modified++;
+      else added++;
+    }
+    console.log(
+      `  [git-safety] ${lines.length} uncommitted changes (${added} new, ${modified} modified, ${deleted} deleted) \u2014 committing now`
+    );
+    git("git add -A", workspaceRoot);
+    const shortId = taskId.substring(0, 8);
+    const commitMsg = `task: ${taskTitle} [${shortId}]
+
+Auto-committed by cv-agent git safety net.
+Task ID: ${taskId}
+Files: ${added} added, ${modified} modified, ${deleted} deleted`;
+    let commitSha;
+    try {
+      const commitOutput = git(`git commit -m ${JSON.stringify(commitMsg)}`, workspaceRoot);
+      const shaMatch = commitOutput.match(/\[[\w/]+ ([a-f0-9]+)\]/);
+      commitSha = shaMatch ? shaMatch[1] : void 0;
+    } catch (e) {
+      if (!e.message?.includes("nothing to commit")) {
+        return {
+          hadChanges: true,
+          filesAdded: added,
+          filesModified: modified,
+          filesDeleted: deleted,
+          pushed: false,
+          error: `Commit failed: ${e.message}`
+        };
+      }
+    }
+    try {
+      git(`git push origin ${targetBranch}`, workspaceRoot);
+      console.log(`  [git-safety] Committed and pushed: ${commitSha || "ok"}`);
+    } catch (pushErr) {
+      console.log(`  [git-safety] Push failed: ${pushErr.message}`);
+      return {
+        hadChanges: true,
+        filesAdded: added,
+        filesModified: modified,
+        filesDeleted: deleted,
+        commitSha,
+        pushed: false,
+        error: `Push failed: ${pushErr.message}`
+      };
+    }
+    return {
+      hadChanges: true,
+      filesAdded: added,
+      filesModified: modified,
+      filesDeleted: deleted,
+      commitSha,
+      pushed: true
+    };
+  } catch (err) {
+    return {
+      hadChanges: false,
+      filesAdded: 0,
+      filesModified: 0,
+      filesDeleted: 0,
+      pushed: false,
+      error: err.message
+    };
+  }
+}
+
+// src/commands/deploy-manifest.ts
+var import_node_child_process3 = require("node:child_process");
+var import_node_fs = require("node:fs");
+var import_node_path = require("node:path");
+function exec(cmd, cwd, timeoutMs = 3e5, env2) {
+  try {
+    const stdout = (0, import_node_child_process3.execSync)(cmd, {
+      cwd,
+      encoding: "utf8",
+      timeout: timeoutMs,
+      env: env2 ? { ...process.env, ...env2 } : void 0,
+      stdio: ["pipe", "pipe", "pipe"]
+    });
+    return { ok: true, stdout, stderr: "" };
+  } catch (err) {
+    return { ok: false, stdout: err.stdout || "", stderr: err.stderr || err.message || "" };
+  }
+}
+async function httpStatus(url, timeoutMs = 1e4) {
+  try {
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), timeoutMs);
+    const res = await fetch(url, { signal: controller.signal });
+    clearTimeout(timer);
+    return res.status;
+  } catch {
+    return 0;
+  }
+}
+async function checkHealth(url, timeoutSeconds) {
+  const deadline = Date.now() + timeoutSeconds * 1e3;
+  while (Date.now() < deadline) {
+    const status = await httpStatus(url);
+    if (status >= 200 && status < 500) return true;
+    await new Promise((r) => setTimeout(r, 2e3));
+  }
+  return false;
+}
+function getHeadCommit(cwd) {
+  try {
+    return (0, import_node_child_process3.execSync)("git rev-parse HEAD", { cwd, encoding: "utf8", timeout: 5e3 }).trim();
+  } catch {
+    return null;
+  }
+}
+function loadDeployManifest(workspaceRoot) {
+  const manifestPath = (0, import_node_path.join)(workspaceRoot, ".cva", "deploy.json");
+  if (!(0, import_node_fs.existsSync)(manifestPath)) return null;
+  try {
+    const raw = (0, import_node_fs.readFileSync)(manifestPath, "utf8");
+    const manifest = JSON.parse(raw);
+    if (!manifest.version || manifest.version < 1) {
+      console.log("  [deploy] Invalid manifest version");
+      return null;
+    }
+    return manifest;
+  } catch (err) {
+    console.log(`  [deploy] Failed to read .cva/deploy.json: ${err.message}`);
+    return null;
+  }
+}
+async function postTaskDeploy(workspaceRoot, taskId, log) {
+  const manifest = loadDeployManifest(workspaceRoot);
+  if (!manifest) {
+    return { deployed: false, steps: [{ step: "manifest", status: "skipped", message: "No .cva/deploy.json" }] };
+  }
+  const steps = [];
+  const preDeployCommit = getHeadCommit(workspaceRoot);
+  if (manifest.build?.steps) {
+    for (const buildStep of manifest.build.steps) {
+      const stepName = `build:${buildStep.name}`;
+      console.log(`  [deploy] Building: ${buildStep.name}`);
+      log("lifecycle", `Building: ${buildStep.name}`);
+      const start = Date.now();
+      const cwd = (0, import_node_path.join)(workspaceRoot, buildStep.working_dir || ".");
+      const timeoutMs = (buildStep.timeout_seconds || 300) * 1e3;
+      const result = exec(buildStep.command, cwd, timeoutMs);
+      if (!result.ok) {
+        const msg = `Build failed: ${buildStep.name}
+${result.stderr.slice(-500)}`;
+        steps.push({ step: stepName, status: "failed", message: msg, durationMs: Date.now() - start });
+        log("error", msg);
+        return { deployed: false, steps, error: msg };
+      }
+      steps.push({ step: stepName, status: "ok", durationMs: Date.now() - start });
+    }
+  }
+  if (manifest.migrate?.command) {
+    console.log("  [deploy] Running migration...");
+    log("lifecycle", "Applying database migration");
+    const start = Date.now();
+    const env2 = manifest.migrate.env || {};
+    const result = exec(manifest.migrate.command, workspaceRoot, 6e4, env2);
+    if (!result.ok) {
+      const msg = `Migration failed:
+${result.stderr.slice(-500)}`;
+      steps.push({ step: "migrate", status: "failed", message: msg, durationMs: Date.now() - start });
+      log("error", msg);
+      return { deployed: false, steps, error: msg };
+    }
+    steps.push({ step: "migrate", status: "ok", durationMs: Date.now() - start });
+  }
+  if (manifest.service && manifest.service.type !== "none" && manifest.service.restart_command) {
+    console.log(`  [deploy] Restarting service: ${manifest.service.name || "default"}`);
+    log("lifecycle", `Restarting service: ${manifest.service.name || "default"}`);
+    const start = Date.now();
+    const result = exec(manifest.service.restart_command, workspaceRoot, 3e4);
+    if (!result.ok) {
+      const msg = `Restart failed:
+${result.stderr.slice(-300)}`;
+      steps.push({ step: "restart", status: "failed", message: msg, durationMs: Date.now() - start });
+    } else {
+      steps.push({ step: "restart", status: "ok", durationMs: Date.now() - start });
+    }
+    const waitMs = (manifest.service.startup_wait_seconds || 5) * 1e3;
+    await new Promise((r) => setTimeout(r, waitMs));
+  }
+  if (manifest.verify) {
+    console.log("  [deploy] Verifying deployment...");
+    log("lifecycle", "Verifying deployment");
+    const timeoutSec = manifest.verify.timeout_seconds || 30;
+    if (manifest.verify.health_url) {
+      const healthy = await checkHealth(manifest.verify.health_url, timeoutSec);
+      if (!healthy) {
+        const msg = `Health check failed: ${manifest.verify.health_url} did not respond within ${timeoutSec}s`;
+        steps.push({ step: "verify:health", status: "failed", message: msg });
+        log("error", msg);
+        if (manifest.rollback?.auto_rollback_on_verify_failure && preDeployCommit) {
+          await rollback(workspaceRoot, preDeployCommit, manifest, log);
+          return { deployed: false, steps, error: msg, rolledBack: true };
+        }
+        return { deployed: false, steps, error: msg };
+      }
+      steps.push({ step: "verify:health", status: "ok" });
+    }
+    for (const test of manifest.verify.smoke_tests || []) {
+      const status = await httpStatus(test.url);
+      if (!test.expected_status.includes(status)) {
+        const msg = `Smoke test "${test.name}" failed: got ${status}, expected ${test.expected_status.join("|")}`;
+        steps.push({ step: `verify:${test.name}`, status: "failed", message: msg });
+        log("error", msg);
+        if (manifest.rollback?.auto_rollback_on_verify_failure && preDeployCommit) {
+          await rollback(workspaceRoot, preDeployCommit, manifest, log);
+          return { deployed: false, steps, error: msg, rolledBack: true };
+        }
+        return { deployed: false, steps, error: msg };
+      }
+      steps.push({ step: `verify:${test.name}`, status: "ok" });
+    }
+  }
+  console.log("  [deploy] Deployment verified");
+  log("lifecycle", "Deployment verified successfully");
+  return { deployed: true, steps };
+}
+async function rollback(workspaceRoot, targetCommit, manifest, log) {
+  console.log(`  [deploy] Rolling back to ${targetCommit.substring(0, 8)}`);
+  log("lifecycle", `Rolling back to ${targetCommit.substring(0, 8)}`);
+  try {
+    exec(`git checkout ${targetCommit}`, workspaceRoot, 1e4);
+  } catch {
+    log("error", "Rollback: git checkout failed");
+    return;
+  }
+  if (manifest.build?.steps) {
+    for (const step of manifest.build.steps) {
+      exec(step.command, (0, import_node_path.join)(workspaceRoot, step.working_dir || "."), (step.timeout_seconds || 300) * 1e3);
+    }
+  }
+  if (manifest.service?.restart_command) {
+    exec(manifest.service.restart_command, workspaceRoot, 3e4);
+  }
+  log("lifecycle", "Rollback complete");
+}
+
 // src/commands/agent.ts
+var AUTH_ERROR_PATTERNS = [
+  "Not logged in",
+  "Please run /login",
+  "authentication required",
+  "unauthorized",
+  "expired token",
+  "not authenticated",
+  "login required"
+];
+function containsAuthError(text) {
+  const lower = text.toLowerCase();
+  for (const pattern of AUTH_ERROR_PATTERNS) {
+    if (lower.includes(pattern.toLowerCase())) {
+      return pattern;
+    }
+  }
+  return null;
+}
+async function checkClaudeAuth() {
+  try {
+    const output = (0, import_node_child_process4.execSync)("claude --version 2>&1", {
+      encoding: "utf8",
+      timeout: 1e4,
+      env: { ...process.env }
+    });
+    const authError = containsAuthError(output);
+    if (authError) {
+      return { status: "expired", error: authError };
+    }
+    return { status: "authenticated" };
+  } catch (err) {
+    const output = (err.stdout || "") + (err.stderr || "") + (err.message || "");
+    const authError = containsAuthError(output);
+    if (authError) {
+      return { status: "expired", error: authError };
+    }
+    return { status: "not_configured", error: output.slice(0, 500) };
+  }
+}
+async function getClaudeEnv() {
+  const env2 = { ...process.env };
+  let usingApiKey = false;
+  if (!env2.ANTHROPIC_API_KEY) {
+    try {
+      const config = await readConfig();
+      if (config.anthropic_api_key) {
+        env2.ANTHROPIC_API_KEY = config.anthropic_api_key;
+        usingApiKey = true;
+      }
+    } catch {
+    }
+  }
+  return { env: env2, usingApiKey };
+}
+function buildAuthFailureMessage(errorString, machineName, hasApiKeyFallback) {
+  let msg = `CLAUDE_AUTH_REQUIRED: ${errorString}
+`;
+  msg += `Machine: ${machineName}
+`;
+  msg += `Fix: SSH into ${machineName} and run: claude /login
+`;
+  if (!hasApiKeyFallback) {
+    msg += `Alternative: Set an API key fallback with: cva auth set-api-key sk-ant-...
+`;
+  }
+  return msg;
+}
 function buildClaudePrompt(task) {
   let prompt = "";
   prompt += `You are executing a task dispatched via CV-Hub.
@@ -4232,14 +4592,16 @@ async function launchAutoApproveMode(prompt, options) {
       if (sessionId && !isContinue) {
         args.push("--session-id", sessionId);
       }
-      const child = (0, import_node_child_process2.spawn)("claude", args, {
+      const child = (0, import_node_child_process4.spawn)("claude", args, {
         cwd: options.cwd,
         stdio: ["inherit", "pipe", "pipe"],
-        env: { ...process.env }
+        env: options.spawnEnv || { ...process.env }
       });
       _activeChild = child;
       let stderr = "";
       let lineBuffer = "";
+      let authFailure = false;
+      const spawnTime = Date.now();
       child.stdout?.on("data", (data) => {
         const text = data.toString();
         process.stdout.write(data);
@@ -4247,6 +4609,23 @@ async function launchAutoApproveMode(prompt, options) {
         if (fullOutput.length > MAX_OUTPUT_BYTES) {
           fullOutput = fullOutput.slice(-MAX_OUTPUT_BYTES);
         }
+        if (Date.now() - spawnTime < 1e4) {
+          const authError = containsAuthError(fullOutput + stderr);
+          if (authError) {
+            authFailure = true;
+            console.log(`
+${source_default.red("!")} Claude Code auth failure detected: "${authError}"`);
+            console.log(source_default.yellow(`  Killing process \u2014 it won't recover without re-authentication.`));
+            if (options.machineName) {
+              console.log(source_default.cyan(`  Fix: SSH into ${options.machineName} and run: claude /login`));
+            }
+            try {
+              child.kill("SIGTERM");
+            } catch {
+            }
+            return;
+          }
+        }
         if (options.creds && options.taskId) {
           lineBuffer += text;
           const lines = lineBuffer.split("\n");
@@ -4289,12 +4668,30 @@ async function launchAutoApproveMode(prompt, options) {
         }
       });
       child.stderr?.on("data", (data) => {
-        stderr += data.toString();
+        const text = data.toString();
+        stderr += text;
         process.stderr.write(data);
+        if (Date.now() - spawnTime < 1e4 && !authFailure) {
+          const authError = containsAuthError(text);
+          if (authError) {
+            authFailure = true;
+            console.log(`
+${source_default.red("!")} Claude Code auth failure (stderr): "${authError}"`);
+            try {
+              child.kill("SIGTERM");
+            } catch {
+            }
+          }
+        }
       });
       child.on("close", (code, signal) => {
         _activeChild = null;
-        resolve({ exitCode: signal === "SIGKILL" ? 137 : code ?? 1, stderr, output: fullOutput });
+        resolve({
+          exitCode: signal === "SIGKILL" ? 137 : code ?? 1,
+          stderr,
+          output: fullOutput,
+          authFailure
+        });
       });
       child.on("error", (err) => {
         _activeChild = null;
@@ -4329,16 +4726,18 @@ async function launchAutoApproveMode(prompt, options) {
 }
 async function launchRelayMode(prompt, options) {
   return new Promise((resolve, reject) => {
-    const child = (0, import_node_child_process2.spawn)("claude", [], {
+    const child = (0, import_node_child_process4.spawn)("claude", [], {
       cwd: options.cwd,
       stdio: ["pipe", "pipe", "pipe"],
-      env: { ...process.env }
+      env: options.spawnEnv || { ...process.env }
     });
     _activeChild = child;
     let stderr = "";
     let stdoutBuffer = "";
     let fullOutput = "";
     let lastProgressBytes = 0;
+    let authFailure = false;
+    const spawnTime = Date.now();
     child.stdin?.write(prompt + "\n");
     let lastRedirectCheck = Date.now();
     let lineBuffer = "";
@@ -4350,6 +4749,19 @@ async function launchRelayMode(prompt, options) {
       if (fullOutput.length > MAX_OUTPUT_BYTES) {
         fullOutput = fullOutput.slice(-MAX_OUTPUT_BYTES);
       }
+      if (Date.now() - spawnTime < 1e4 && !authFailure) {
+        const authError = containsAuthError(fullOutput + stderr);
+        if (authError) {
+          authFailure = true;
+          console.log(`
+${source_default.red("!")} Claude Code auth failure detected: "${authError}"`);
+          try {
+            child.kill("SIGTERM");
+          } catch {
+          }
+          return;
+        }
+      }
       lineBuffer += text;
       const lines = lineBuffer.split("\n");
       lineBuffer = lines.pop() ?? "";
@@ -4490,13 +4902,25 @@ async function launchRelayMode(prompt, options) {
       const text = data.toString();
       stderr += text;
       process.stderr.write(data);
+      if (Date.now() - spawnTime < 1e4 && !authFailure) {
+        const authError = containsAuthError(text);
+        if (authError) {
+          authFailure = true;
+          console.log(`
+${source_default.red("!")} Claude Code auth failure (stderr): "${authError}"`);
+          try {
+            child.kill("SIGTERM");
+          } catch {
+          }
+        }
+      }
     });
     child.on("close", (code, signal) => {
       _activeChild = null;
       if (signal === "SIGKILL") {
-        resolve({ exitCode: 137, stderr, output: fullOutput });
+        resolve({ exitCode: 137, stderr, output: fullOutput, authFailure });
       } else {
-        resolve({ exitCode: code ?? 1, stderr, output: fullOutput });
+        resolve({ exitCode: code ?? 1, stderr, output: fullOutput, authFailure });
       }
     });
     child.on("error", (err) => {
@@ -4528,19 +4952,19 @@ async function handleSelfUpdate(task, state, creds) {
     let output = "";
     if (source === "npm" || source.startsWith("npm:")) {
       const pkg = source === "npm" ? "@controlvector/cv-agent@latest" : source.replace("npm:", "");
-      output = (0, import_node_child_process2.execSync)(`npm install -g ${pkg} 2>&1`, { encoding: "utf8", timeout: 12e4 });
+      output = (0, import_node_child_process4.execSync)(`npm install -g ${pkg} 2>&1`, { encoding: "utf8", timeout: 12e4 });
     } else if (source.startsWith("git:")) {
       const repoPath = source.replace("git:", "");
-      output = (0, import_node_child_process2.execSync)(`cd ${repoPath} && git pull && npm install && npm run build && npm link 2>&1`, {
+      output = (0, import_node_child_process4.execSync)(`cd ${repoPath} && git pull && npm install && npm run build && npm link 2>&1`, {
         encoding: "utf8",
         timeout: 3e5
       });
     } else {
-      output = (0, import_node_child_process2.execSync)(`npm install -g @controlvector/cv-agent@latest 2>&1`, { encoding: "utf8", timeout: 12e4 });
+      output = (0, import_node_child_process4.execSync)(`npm install -g @controlvector/cv-agent@latest 2>&1`, { encoding: "utf8", timeout: 12e4 });
     }
     let newVersion = "unknown";
     try {
-      newVersion = (0, import_node_child_process2.execSync)("cva --version 2>/dev/null || echo unknown", { encoding: "utf8" }).trim();
+      newVersion = (0, import_node_child_process4.execSync)("cva --version 2>/dev/null || echo unknown", { encoding: "utf8" }).trim();
     } catch {
     }
     postTaskEvent(creds, task.id, {
@@ -4566,7 +4990,7 @@ async function handleSelfUpdate(task, state, creds) {
     if (task.input?.constraints?.includes("restart")) {
       console.log(source_default.yellow("Restarting agent with updated binary..."));
       const args = process.argv.slice(1).join(" ");
-      (0, import_node_child_process2.execSync)(`nohup cva ${args} > /tmp/cva-restart.log 2>&1 &`, { stdio: "ignore" });
+      (0, import_node_child_process4.execSync)(`nohup cva ${args} > /tmp/cva-restart.log 2>&1 &`, { stdio: "ignore" });
       process.exit(0);
     }
   } catch (err) {
@@ -4598,7 +5022,7 @@ async function runAgent(options) {
     process.exit(1);
   }
   try {
-    (0, import_node_child_process2.execSync)("claude --version", { stdio: "pipe", timeout: 5e3 });
+    (0, import_node_child_process4.execSync)("claude --version", { stdio: "pipe", timeout: 5e3 });
   } catch {
     console.log();
     console.log(source_default.red("Claude Code CLI not found.") + " Install it first:");
@@ -4606,8 +5030,28 @@ async function runAgent(options) {
     console.log();
     process.exit(1);
   }
+  const { env: claudeEnv, usingApiKey } = await getClaudeEnv();
+  const authCheck = await checkClaudeAuth();
+  let currentAuthStatus = authCheck.status;
+  if (authCheck.status === "expired") {
+    if (usingApiKey) {
+      console.log(source_default.yellow("!") + " Claude Code OAuth expired, but API key fallback is configured.");
+      currentAuthStatus = "api_key_fallback";
+    } else {
+      console.log();
+      console.log(source_default.red("Claude Code auth expired: ") + source_default.yellow(authCheck.error || "unknown"));
+      console.log(`   Fix: Run ${source_default.cyan("claude /login")} to re-authenticate.`);
+      console.log(`   Alternative: ${source_default.cyan("cva auth set-api-key sk-ant-...")} for API key fallback.`);
+      console.log();
+      console.log(source_default.gray("Agent will start but pause task claims until auth is resolved."));
+      console.log();
+    }
+  } else if (usingApiKey) {
+    console.log(source_default.gray("   Using Anthropic API key from config as fallback."));
+    currentAuthStatus = "api_key_fallback";
+  }
   try {
-    (0, import_node_child_process2.execSync)("cv --version", { stdio: "pipe", timeout: 5e3 });
+    (0, import_node_child_process4.execSync)("cv --version", { stdio: "pipe", timeout: 5e3 });
   } catch {
     console.log(source_default.yellow("!") + " cv-git CLI not found. Claude Code will fall back to raw git commands.");
     console.log(`  Install it: ${source_default.cyan("npm install -g @controlvector/cv-git")}`);
@@ -4627,7 +5071,7 @@ async function runAgent(options) {
   }
   let detectedRepoId;
   try {
-    const remoteUrl = (0, import_node_child_process2.execSync)("git remote get-url origin 2>/dev/null", {
+    const remoteUrl = (0, import_node_child_process4.execSync)("git remote get-url origin 2>/dev/null", {
       cwd: workingDir,
       encoding: "utf8",
       timeout: 5e3
@@ -4672,7 +5116,9 @@ async function runAgent(options) {
     failedCount: 0,
     lastPoll: Date.now(),
     lastTaskEnd: Date.now(),
-    running: true
+    running: true,
+    authStatus: currentAuthStatus,
+    machineName
   };
   installSignalHandlers(
     () => state,
@@ -4683,13 +5129,26 @@ async function runAgent(options) {
   );
   while (state.running) {
     try {
+      if (state.authStatus === "expired") {
+        const recheck = await checkClaudeAuth();
+        if (recheck.status === "authenticated") {
+          state.authStatus = "authenticated";
+          console.log(`
+${source_default.green("\u2713")} Claude Code auth restored. Resuming task claims.`);
+        } else {
+          sendHeartbeat(creds, state.executorId, void 0, void 0, state.authStatus).catch(() => {
+          });
+          await new Promise((r) => setTimeout(r, pollInterval));
+          continue;
+        }
+      }
       const task = await withRetry(
         () => pollForTask(creds, state.executorId),
         "Task poll"
       );
       state.lastPoll = Date.now();
       if (task) {
-        await executeTask(task, state, creds, options);
+        await executeTask(task, state, creds, options, claudeEnv);
       } else {
         updateStatusLine(
           formatDuration(Date.now() - state.lastTaskEnd),
@@ -4705,7 +5164,7 @@ ${source_default.red("!")} Error: ${err.message}`);
     await new Promise((r) => setTimeout(r, pollInterval));
   }
 }
-async function executeTask(task, state, creds, options) {
+async function executeTask(task, state, creds, options, claudeEnv) {
   const startTime = Date.now();
   state.currentTaskId = task.id;
   if (task.task_type === "_system_update") {
@@ -4733,7 +5192,7 @@ async function executeTask(task, state, creds, options) {
     try {
       const elapsed = formatDuration(Date.now() - startTime);
       setTerminalTitle(`cva: ${task.title} (${elapsed})`);
-      await sendHeartbeat(creds, state.executorId, task.id, `Claude Code running (${elapsed} elapsed)`);
+      await sendHeartbeat(creds, state.executorId, task.id, `Claude Code running (${elapsed} elapsed)`, state.authStatus);
     } catch {
     }
   }, 3e4);
@@ -4767,17 +5226,48 @@ ${source_default.red("Timeout")} Task timed out after ${formatDuration(timeoutMs
         cwd: options.workingDir,
         creds,
         taskId: task.id,
-        executorId: state.executorId
+        executorId: state.executorId,
+        spawnEnv: claudeEnv,
+        machineName: state.machineName
       });
     } else {
       result = await launchRelayMode(prompt, {
         cwd: options.workingDir,
         creds,
         executorId: state.executorId,
-        taskId: task.id
+        taskId: task.id,
+        spawnEnv: claudeEnv,
+        machineName: state.machineName
       });
     }
     console.log(source_default.gray("\n" + "-".repeat(60)));
+    if (result.exitCode === 0 || result.exitCode === 1) {
+      try {
+        const gitSafety = gitSafetyNet(
+          options.workingDir,
+          task.title,
+          task.id,
+          task.branch
+        );
+        if (gitSafety.hadChanges) {
+          sendTaskLog(
+            creds,
+            state.executorId,
+            task.id,
+            "git",
+            `Safety net: committed ${gitSafety.filesAdded + gitSafety.filesModified} files (${gitSafety.commitSha || "ok"})`,
+            { added: gitSafety.filesAdded, modified: gitSafety.filesModified, deleted: gitSafety.filesDeleted }
+          );
+        } else if (gitSafety.pushed) {
+          sendTaskLog(creds, state.executorId, task.id, "git", "Safety net: pushed unpushed commits");
+        }
+        if (gitSafety.error) {
+          sendTaskLog(creds, state.executorId, task.id, "info", `Git safety warning: ${gitSafety.error}`);
+        }
+      } catch (gitErr) {
+        sendTaskLog(creds, state.executorId, task.id, "info", `Git safety net error: ${gitErr.message}`);
+      }
+    }
     const postGitState = capturePostTaskState(options.workingDir, preGitState);
     const payload = buildCompletionPayload(result.exitCode, preGitState, postGitState, startTime, result.output);
     const elapsed = formatDuration(Date.now() - startTime);
@@ -4786,6 +5276,28 @@ ${source_default.red("Timeout")} Task timed out after ${formatDuration(timeoutMs
       ...postGitState.filesModified,
       ...postGitState.filesDeleted
     ];
+    let deployResult;
+    if (result.exitCode === 0) {
+      try {
+        const logFn = (type, msg) => {
+          sendTaskLog(creds, state.executorId, task.id, type, msg);
+        };
+        deployResult = await postTaskDeploy(options.workingDir, task.id, logFn);
+        if (deployResult.deployed) {
+          sendTaskLog(creds, state.executorId, task.id, "lifecycle", "Post-task deploy: verified");
+        } else if (deployResult.error) {
+          sendTaskLog(
+            creds,
+            state.executorId,
+            task.id,
+            "error",
+            `Post-task deploy failed: ${deployResult.error}${deployResult.rolledBack ? " (rolled back)" : ""}`
+          );
+        }
+      } catch (deployErr) {
+        sendTaskLog(creds, state.executorId, task.id, "info", `Deploy manifest error: ${deployErr.message}`);
+      }
+    }
     postTaskEvent(creds, task.id, {
       event_type: "completed",
       content: {
@@ -4849,6 +5361,31 @@ ${source_default.red("Timeout")} Task timed out after ${formatDuration(timeoutMs
       } catch {
       }
       state.failedCount++;
+    } else if (result.authFailure) {
+      const authErrorStr = containsAuthError(result.output + result.stderr) || "auth failure";
+      const hasApiKey = !!claudeEnv?.ANTHROPIC_API_KEY;
+      const authMsg = buildAuthFailureMessage(authErrorStr, state.machineName, hasApiKey);
+      sendTaskLog(creds, state.executorId, task.id, "error", authMsg);
+      console.log();
+      console.log(`\u{1F511} ${source_default.bold.red("AUTH FAILED")} \u2014 Claude Code is not authenticated`);
+      console.log(source_default.yellow(`   ${authMsg.replace(/\n/g, "\n   ")}`));
+      postTaskEvent(creds, task.id, {
+        event_type: "auth_failure",
+        content: {
+          error: authErrorStr,
+          machine: state.machineName,
+          fix_command: `claude /login`,
+          api_key_configured: hasApiKey
+        }
+      }).catch(() => {
+      });
+      await withRetry(
+        () => failTask(creds, state.executorId, task.id, authMsg),
+        "Report auth failure"
+      );
+      state.failedCount++;
+      state.authStatus = "expired";
+      console.log(source_default.yellow("   Pausing task claims until auth is restored."));
     } else {
       const stderrTail = result.stderr.trim().slice(-500);
       sendTaskLog(
@@ -4978,16 +5515,40 @@ async function authStatus() {
     console.log(`Status: ${source_default.red("unreachable")} (${err.message})`);
   }
 }
+async function authSetApiKey(key) {
+  if (!key.startsWith("sk-ant-")) {
+    console.log(source_default.red("Invalid API key.") + " Anthropic API keys start with sk-ant-");
+    process.exit(1);
+  }
+  const config = await readConfig();
+  config.anthropic_api_key = key;
+  await writeConfig(config);
+  const masked = key.substring(0, 10) + "..." + key.slice(-4);
+  console.log(source_default.green("API key saved") + ` (${masked})`);
+  console.log(source_default.gray("This key will be used as fallback when Claude Code OAuth expires."));
+}
+async function authRemoveApiKey() {
+  const config = await readConfig();
+  if (!config.anthropic_api_key) {
+    console.log(source_default.yellow("No API key configured."));
+    return;
+  }
+  delete config.anthropic_api_key;
+  await writeConfig(config);
+  console.log(source_default.green("API key removed."));
+}
 function authCommand() {
   const cmd = new Command("auth");
   cmd.description("Manage CV-Hub authentication");
   cmd.command("login").description("Authenticate with CV-Hub using a PAT token").option("--token <token>", "PAT token (or enter interactively)").option("--api-url <url>", "CV-Hub API URL", "https://api.hub.controlvector.io").action(authLogin);
   cmd.command("status").description("Show current authentication status").action(authStatus);
+  cmd.command("set-api-key").description("Set Anthropic API key as fallback for Claude Code OAuth").argument("<key>", "Anthropic API key (sk-ant-...)").action(authSetApiKey);
+  cmd.command("remove-api-key").description("Remove stored Anthropic API key").action(authRemoveApiKey);
   return cmd;
 }
 
 // src/commands/remote.ts
-var import_node_child_process3 = require("node:child_process");
+var import_node_child_process5 = require("node:child_process");
 function getGitHost(apiUrl) {
   return apiUrl.replace(/^https?:\/\//, "").replace(/^api\./, "git.");
 }
@@ -5002,16 +5563,16 @@ async function remoteAdd(ownerRepo) {
   }
   const remoteUrl = `https://${gitHost}/${owner}/${repo}.git`;
   try {
-    const existing = (0, import_node_child_process3.execSync)("git remote get-url cvhub", { encoding: "utf-8", timeout: 5e3 }).trim();
+    const existing = (0, import_node_child_process5.execSync)("git remote get-url cvhub", { encoding: "utf-8", timeout: 5e3 }).trim();
     if (existing === remoteUrl) {
       console.log(source_default.gray(`Remote 'cvhub' already set to ${remoteUrl}`));
       return;
     }
-    (0, import_node_child_process3.execSync)(`git remote set-url cvhub ${remoteUrl}`, { timeout: 5e3 });
+    (0, import_node_child_process5.execSync)(`git remote set-url cvhub ${remoteUrl}`, { timeout: 5e3 });
     console.log(source_default.green("Updated") + ` remote 'cvhub' -> ${remoteUrl}`);
   } catch {
     try {
-      (0, import_node_child_process3.execSync)(`git remote add cvhub ${remoteUrl}`, { timeout: 5e3 });
+      (0, import_node_child_process5.execSync)(`git remote add cvhub ${remoteUrl}`, { timeout: 5e3 });
       console.log(source_default.green("Added") + ` remote 'cvhub' -> ${remoteUrl}`);
     } catch (err) {
       console.log(source_default.red("Failed to add remote:") + ` ${err.message}`);
@@ -5203,7 +5764,7 @@ function statusCommand() {
 
 // src/index.ts
 var program2 = new Command();
-program2.name("cva").description("CV-Hub Agent \u2014 bridges Claude Code with CV-Hub task dispatch").version(true ? "1.3.0" : "1.1.0");
+program2.name("cva").description("CV-Hub Agent \u2014 bridges Claude Code with CV-Hub task dispatch").version(true ? "1.5.0" : "1.1.0");
 program2.addCommand(agentCommand());
 program2.addCommand(authCommand());
 program2.addCommand(remoteCommand());