@ganakailabs/cloudeval-cli 0.19.3 → 0.19.4

package/dist/cli.js

@@ -1,10 +1,30 @@
 #!/usr/bin/env node
 import {
   buildFrontendUrl,
+  deleteSession,
+  exportSessions,
+  getActiveConfigProfile,
+  getCliConfigPath,
+  getCloudevalConfigDir,
   getFirstNameForDisplay,
+  getSession,
+  listCliConfigProfiles,
+  listSessions,
+  loadCliConfig,
+  normalizeCliMode,
+  normalizeConfigProfile,
   openExternalUrl,
-  resolveFrontendBaseUrl
-} from "./chunk-TA4WC462.js";
+  pruneSessions,
+  readCliConfigValue,
+  recordSessionTurn,
+  renameSession,
+  resolveFrontendBaseUrl,
+  resolveSessionReference,
+  saveCliConfig,
+  searchSessions,
+  unsetCliConfigValue,
+  writeCliConfigValue
+} from "./chunk-RCRNSEQS.js";
 import {
   getBundledAgentProfile,
   getBundledAgentProfiles,
@@ -13,10 +33,10 @@ import {
   normalizeApiBase,
   redactSensitiveSecrets,
   redactSensitiveText
-} from "./chunk-4QIKW5TJ.js";
+} from "./chunk-2D4BE3OS.js";
 import {
   CLI_VERSION
-} from "./chunk-SCKO2ZTZ.js";
+} from "./chunk-HUE4D6RO.js";
 
 // src/runtime/prepareInk.ts
 import fs from "fs";
@@ -116,8 +136,8 @@ ensureInkRuntimeEnvironment();
 import React from "react";
 import { Command } from "commander";
 import { promises as fs12 } from "fs";
-import os5 from "os";
-import path10 from "path";
+import os4 from "os";
+import path9 from "path";
 
 // src/shellCompletion.ts
 var normalizeCompletionShell = (shell) => {
@@ -452,6 +472,22 @@ var cliCommands = [
     ],
     workflows: ["recipes list", "recipes show", "recipes run"]
   },
+  {
+    name: "skills",
+    description: "List, inspect, and validate CloudEval agent skills",
+    domain: "skills",
+    options: [
+      "list",
+      "show",
+      "doctor",
+      "path",
+      "--format",
+      "--output",
+      "--profile",
+      "--help"
+    ],
+    workflows: ["skills list", "skills show", "skills doctor", "skills path"]
+  },
   {
     name: "projects",
     description: "Project utilities",
@@ -1568,7 +1604,7 @@ var resolveReportProjectId = async ({
   if (!token) {
     throw new Error("No project specified. Use --project <id> for report access.");
   }
-  const resolvedWorkspace = workspace ?? await import("./dist-I4IPYCRC.js").then((core) => ({
+  const resolvedWorkspace = workspace ?? await import("./dist-TBAQ5KOK.js").then((core) => ({
     checkUserStatus: core.checkUserStatus,
     getProjects: core.getProjects
   }));
@@ -1597,7 +1633,7 @@ var warnIfAccessKeyFromCliOption = (options, command) => {
 };
 var resolveAuthContext = async (options, command, deps) => {
   const baseUrl = await deps.resolveBaseUrl(options, command);
-  const core = await import("./dist-I4IPYCRC.js");
+  const core = await import("./dist-TBAQ5KOK.js");
   core.assertSecureBaseUrl(baseUrl);
   warnIfAccessKeyFromCliOption(options, command);
   let accessKey = options.accessKey;
@@ -1683,7 +1719,7 @@ var resolveToken = async (options, baseUrl, deps, command) => {
   if (options.accessKey) {
     return options.accessKey;
   }
-  const { getAuthToken } = await import("./dist-I4IPYCRC.js");
+  const { getAuthToken } = await import("./dist-TBAQ5KOK.js");
   try {
     return await getAuthToken({
       accessKey: options.accessKey,
@@ -1694,7 +1730,7 @@ var resolveToken = async (options, baseUrl, deps, command) => {
     if (!canLogin) {
       throw error;
     }
-    const { login } = await import("./dist-I4IPYCRC.js");
+    const { login } = await import("./dist-TBAQ5KOK.js");
     process.stderr.write("Authentication required. Starting login flow...\n");
     const token = await login(baseUrl, {
       headless: Boolean(process.env.SSH_TTY || process.env.CLOUDEVAL_HEADLESS_LOGIN)
@@ -1730,7 +1766,7 @@ var writeReport = async (report, options, tuiDefault) => {
     const [{ default: React2 }, { render }, { ReportDashboard }] = await Promise.all([
       import("react"),
       import("ink"),
-      import("./ReportDashboard-6JFJJVRW.js")
+      import("./ReportDashboard-T63UGA7M.js")
     ]);
     render(React2.createElement(ReportDashboard, {
       report,
@@ -1778,8 +1814,8 @@ var writeDownloadPayload = async (input) => {
     return [];
   }
   const fs13 = await import("fs/promises");
-  const path11 = await import("path");
-  await fs13.mkdir(path11.dirname(input.output), { recursive: true });
+  const path10 = await import("path");
+  await fs13.mkdir(path10.dirname(input.output), { recursive: true });
   const text = formatOutput({
     command: input.command,
     data: input.payload,
@@ -1860,7 +1896,7 @@ var registerReportsCommand = (program2, deps) => {
         token,
         requestedProjectId: options.project
       });
-      const core = await import("./dist-I4IPYCRC.js");
+      const core = await import("./dist-TBAQ5KOK.js");
       const status = token ? await core.checkUserStatus(baseUrl, token) : void 0;
       const reports2 = await core.listReports({
         baseUrl,
@@ -1882,7 +1918,7 @@ var registerReportsCommand = (program2, deps) => {
     try {
       const baseUrl = await deps.resolveBaseUrl(options, command);
       const token = await resolveToken(options, baseUrl, deps, command);
-      const core = await import("./dist-I4IPYCRC.js");
+      const core = await import("./dist-TBAQ5KOK.js");
       const status = token ? await core.checkUserStatus(baseUrl, token) : void 0;
       const projectId = await resolveReportProjectId({
         baseUrl,
@@ -1936,13 +1972,13 @@ var registerReportsCommand = (program2, deps) => {
       const data = reportTypes.length === 1 ? payload[reportTypes[0] === "architecture" ? "waf" : reportTypes[0]] : payload;
       if (options.output && reportTypes.length > 1) {
         const fs13 = await import("fs/promises");
-        const path11 = await import("path");
+        const path10 = await import("path");
         const stat = await fs13.stat(options.output).catch(() => void 0);
-        if (stat?.isDirectory() || !path11.extname(options.output)) {
+        if (stat?.isDirectory() || !path10.extname(options.output)) {
           await fs13.mkdir(options.output, { recursive: true });
           const files = [];
           for (const [key, value] of Object.entries(payload)) {
-            const file = path11.join(options.output, `${projectId}-${key}-report.json`);
+            const file = path10.join(options.output, `${projectId}-${key}-report.json`);
             files.push(
               ...await writeDownloadPayload({
                 command: "reports download",
@@ -1985,7 +2021,7 @@ var registerReportsCommand = (program2, deps) => {
       try {
         const baseUrl = await deps.resolveBaseUrl(options, command);
         const token = await resolveToken(options, baseUrl, deps, command);
-        const core = await import("./dist-I4IPYCRC.js");
+        const core = await import("./dist-TBAQ5KOK.js");
         const status = token ? await core.checkUserStatus(baseUrl, token) : void 0;
         const projectId = await resolveReportProjectId({
           baseUrl,
@@ -2055,7 +2091,7 @@ var registerReportsCommand = (program2, deps) => {
         token,
         requestedProjectId: options.project
       });
-      const core = await import("./dist-I4IPYCRC.js");
+      const core = await import("./dist-TBAQ5KOK.js");
       const status = token ? await core.checkUserStatus(baseUrl, token) : void 0;
       const report = await core.getWafReport({
         baseUrl,
@@ -2094,7 +2130,7 @@ var registerReportsCommand = (program2, deps) => {
         token,
         requestedProjectId: options.project
       });
-      const core = await import("./dist-I4IPYCRC.js");
+      const core = await import("./dist-TBAQ5KOK.js");
       const status = token ? await core.checkUserStatus(baseUrl, token) : void 0;
       const report = await core.getReport({
         baseUrl,
@@ -2122,7 +2158,7 @@ var registerReportsCommand = (program2, deps) => {
         token,
         requestedProjectId: options.project
       });
-      const core = await import("./dist-I4IPYCRC.js");
+      const core = await import("./dist-TBAQ5KOK.js");
       const status = token ? await core.checkUserStatus(baseUrl, token) : void 0;
       const report = await core.getCostReport({
         baseUrl,
@@ -2151,7 +2187,7 @@ var registerReportsCommand = (program2, deps) => {
           token,
           requestedProjectId: options.project
         });
-        const core = await import("./dist-I4IPYCRC.js");
+        const core = await import("./dist-TBAQ5KOK.js");
         const status = token ? await core.checkUserStatus(baseUrl, token) : void 0;
         const report = await core.getWafReport({
           baseUrl,
@@ -2173,7 +2209,7 @@ var registerReportsCommand = (program2, deps) => {
 
 // src/recipesCommand.ts
 import { randomUUID } from "crypto";
-import fs4 from "fs/promises";
+import fs2 from "fs/promises";
 
 // src/askProgress.ts
 var ASK_PROGRESS_MODES = /* @__PURE__ */ new Set(["auto", "stderr", "ndjson", "none"]);
@@ -3346,725 +3382,6 @@ var renderRecipeMarkdown = (recipe) => {
   ].join("\n");
 };
 
-// src/cliConfig.ts
-import fs2 from "fs/promises";
-import os from "os";
-import path2 from "path";
-var CONFIG_PROFILE_PATTERN = /^[a-zA-Z0-9][a-zA-Z0-9_-]{0,63}$/;
-var SETTINGS_FILE = "settings.json";
-var normalizeConfigProfile = (profile) => {
-  const normalized = (profile || process.env.CLOUDEVAL_PROFILE || "default").trim() || "default";
-  if (!CONFIG_PROFILE_PATTERN.test(normalized)) {
-    throw new Error(
-      `Invalid profile '${normalized}'. Use letters, numbers, dashes, or underscores.`
-    );
-  }
-  return normalized;
-};
-var getActiveConfigProfile = (command) => {
-  const opts = typeof command?.optsWithGlobals === "function" ? command.optsWithGlobals() : command?.opts();
-  return normalizeConfigProfile(opts?.profile);
-};
-var getCloudevalConfigDir = () => path2.join(os.homedir(), ".config", "cloudeval");
-var getCliConfigPath = (profile) => {
-  const normalized = normalizeConfigProfile(profile);
-  if (normalized === "default") {
-    return path2.join(getCloudevalConfigDir(), SETTINGS_FILE);
-  }
-  return path2.join(getCloudevalConfigDir(), "profiles", normalized, SETTINGS_FILE);
-};
-var ensureConfigParent = async (filePath) => {
-  await fs2.mkdir(path2.dirname(filePath), { recursive: true, mode: 448 });
-};
-var loadCliConfig = async (profile) => {
-  const filePath = getCliConfigPath(profile);
-  try {
-    const raw = await fs2.readFile(filePath, "utf8");
-    const parsed = JSON.parse(raw);
-    return parsed && typeof parsed === "object" ? parsed : {};
-  } catch (error) {
-    if (error?.code === "ENOENT") {
-      return {};
-    }
-    throw error;
-  }
-};
-var saveCliConfig = async (config, profile) => {
-  const filePath = getCliConfigPath(profile);
-  await ensureConfigParent(filePath);
-  const tempPath = `${filePath}.${process.pid}.tmp`;
-  await fs2.writeFile(tempPath, `${JSON.stringify(config, null, 2)}
-`, {
-    encoding: "utf8",
-    mode: 384
-  });
-  await fs2.rename(tempPath, filePath);
-  return filePath;
-};
-var listCliConfigProfiles = async () => {
-  const profiles = /* @__PURE__ */ new Set(["default"]);
-  const profilesDir = path2.join(getCloudevalConfigDir(), "profiles");
-  try {
-    const entries = await fs2.readdir(profilesDir, { withFileTypes: true });
-    for (const entry of entries) {
-      if (entry.isDirectory() && CONFIG_PROFILE_PATTERN.test(entry.name)) {
-        profiles.add(entry.name);
-      }
-    }
-  } catch (error) {
-    if (error?.code !== "ENOENT") {
-      throw error;
-    }
-  }
-  return [...profiles].sort();
-};
-var keyAliases = {
-  project: "defaultProjectId",
-  projectId: "defaultProjectId",
-  defaultProject: "defaultProjectId",
-  defaultProjectId: "defaultProjectId",
-  model: "model",
-  mode: "mode",
-  chatMode: "mode",
-  defaultMode: "mode",
-  baseUrl: "baseUrl",
-  frontendUrl: "frontendUrl",
-  outputFormat: "outputFormat",
-  format: "outputFormat"
-};
-var normalizeCliMode = (value) => {
-  const normalized = value?.trim().toLowerCase();
-  if (!normalized) {
-    return void 0;
-  }
-  if (normalized === "ask" || normalized === "agent") {
-    return normalized;
-  }
-  throw new Error("mode must be one of: ask, agent");
-};
-var normalizeConfigKey = (key) => {
-  const normalized = key.trim();
-  const mapped = keyAliases[normalized];
-  if (!mapped) {
-    throw new Error(
-      `Unsupported config key '${key}'. Supported keys: baseUrl, frontendUrl, defaultProjectId, model, mode, outputFormat.`
-    );
-  }
-  return mapped;
-};
-var readCliConfigValue = (config, key) => {
-  const normalized = normalizeConfigKey(key);
-  const value = config[normalized];
-  return typeof value === "string" ? value : void 0;
-};
-var writeCliConfigValue = (config, key, value) => {
-  const normalized = normalizeConfigKey(key);
-  const normalizedValue = normalized === "mode" ? normalizeCliMode(value) : value;
-  return {
-    ...config,
-    [normalized]: normalizedValue
-  };
-};
-var unsetCliConfigValue = (config, key) => {
-  const normalized = normalizeConfigKey(key);
-  const next = { ...config };
-  delete next[normalized];
-  return next;
-};
-
-// src/sessionsStore.ts
-import fsSync from "fs";
-import fs3 from "fs/promises";
-import path3 from "path";
-import { fileURLToPath as fileURLToPath2 } from "url";
-var SQLJS_WASM_ENV_VAR = "CLOUDEVAL_SQLJS_WASM";
-var legacySessionsDir = (profile) => {
-  const normalized = normalizeConfigProfile(profile);
-  if (normalized === "default") {
-    return path3.join(getCloudevalConfigDir(), "sessions");
-  }
-  return path3.join(getCloudevalConfigDir(), "profiles", normalized, "sessions");
-};
-var sessionsDatabasePath = (profile) => {
-  const normalized = normalizeConfigProfile(profile);
-  if (normalized === "default") {
-    return path3.join(getCloudevalConfigDir(), "sessions.sqlite");
-  }
-  return path3.join(getCloudevalConfigDir(), "profiles", normalized, "sessions.sqlite");
-};
-var legacySessionPath = (threadId, profile) => path3.join(legacySessionsDir(profile), `${sanitizeThreadId(threadId)}.json`);
-var sanitizeThreadId = (threadId) => threadId.replace(/[^a-zA-Z0-9_.-]/g, "_");
-var nowIso = () => (/* @__PURE__ */ new Date()).toISOString();
-var titleFromQuestion = (question) => {
-  const singleLine = question.replace(/[^\p{L}\p{N}\s'-]/gu, " ").replace(/\s+/g, " ").trim().replace(/^(can you|could you|please|help me|show me|tell me|what is|what are|how do i)\s+/i, "").replace(/^(review|investigate|triage|summarize|explain|analyze)\s+the\s+/i, "$1 ");
-  if (!singleLine) {
-    return "Untitled CloudEval session";
-  }
-  const words = singleLine.split(/\s+/).slice(0, 7);
-  const joined = words.join(" ");
-  const title = joined.charAt(0).toUpperCase() + joined.slice(1);
-  return title.length > 80 ? `${title.slice(0, 77)}...` : title;
-};
-var sanitizeTitle = (title) => {
-  const cleaned = title.replace(/[\u0000-\u001f\u007f]/g, " ").replace(/[\u200b-\u200f\u202a-\u202e]/g, "").replace(/\s+/g, " ").trim();
-  if (!cleaned) {
-    throw new Error("Session title cannot be empty.");
-  }
-  return cleaned.length > 100 ? cleaned.slice(0, 100) : cleaned;
-};
-var hasFile2 = (candidate) => {
-  try {
-    return fsSync.statSync(candidate).isFile();
-  } catch {
-    return false;
-  }
-};
-var findSqlJsWasmInNodeModules = (dir) => {
-  const nodeModulesDir = path3.join(dir, "node_modules");
-  const direct = path3.join(nodeModulesDir, "sql.js", "dist", "sql-wasm.wasm");
-  if (hasFile2(direct)) {
-    return direct;
-  }
-  const pnpmRoot = path3.join(nodeModulesDir, ".pnpm");
-  if (!fsSync.existsSync(pnpmRoot)) {
-    return void 0;
-  }
-  for (const entry of fsSync.readdirSync(pnpmRoot)) {
-    if (!entry.startsWith("sql.js@")) {
-      continue;
-    }
-    const candidate = path3.join(
-      pnpmRoot,
-      entry,
-      "node_modules",
-      "sql.js",
-      "dist",
-      "sql-wasm.wasm"
-    );
-    if (hasFile2(candidate)) {
-      return candidate;
-    }
-  }
-  return void 0;
-};
-var searchSqlJsWasmFrom = (start) => {
-  let current = path3.resolve(start);
-  while (true) {
-    const localCandidates = [
-      path3.join(current, "sql-wasm.wasm"),
-      path3.join(current, "dist", "sql-wasm.wasm")
-    ];
-    for (const candidate of localCandidates) {
-      if (hasFile2(candidate)) {
-        return candidate;
-      }
-    }
-    const nodeModulesMatch = findSqlJsWasmInNodeModules(current);
-    if (nodeModulesMatch) {
-      return nodeModulesMatch;
-    }
-    const parent = path3.dirname(current);
-    if (parent === current) {
-      return void 0;
-    }
-    current = parent;
-  }
-};
-var resolveSqlJsWasmPath = () => {
-  if (process.env[SQLJS_WASM_ENV_VAR]) {
-    return process.env[SQLJS_WASM_ENV_VAR];
-  }
-  const moduleDir = path3.dirname(fileURLToPath2(import.meta.url));
-  const seen = /* @__PURE__ */ new Set();
-  const roots = [process.cwd(), moduleDir, path3.dirname(process.execPath)];
-  for (const root of roots) {
-    const resolvedRoot = path3.resolve(root);
-    if (seen.has(resolvedRoot)) {
-      continue;
-    }
-    seen.add(resolvedRoot);
-    const match = searchSqlJsWasmFrom(resolvedRoot);
-    if (match) {
-      return match;
-    }
-  }
-  return void 0;
-};
-var isBunRuntime = () => typeof process.versions.bun === "string";
-var dynamicImport = new Function("specifier", "return import(specifier)");
-var openBunDatabase = async (dbPath) => {
-  if (!isBunRuntime()) {
-    return null;
-  }
-  try {
-    const { Database } = await dynamicImport("bun:sqlite");
-    await fs3.mkdir(path3.dirname(dbPath), { recursive: true, mode: 448 });
-    const db = new Database(dbPath, { create: true });
-    db.exec("PRAGMA foreign_keys = ON");
-    return {
-      rows(sql, params = []) {
-        const statement = db.query(sql);
-        return statement.all(...params);
-      },
-      run(sql, params = []) {
-        const statement = db.query(sql);
-        statement.run(...params);
-      },
-      async persist() {
-      },
-      close() {
-        db.close();
-      }
-    };
-  } catch {
-    return null;
-  }
-};
-var sqlJsFactoryPromise = null;
-var loadSqlJsFactory = async () => {
-  if (!sqlJsFactoryPromise) {
-    sqlJsFactoryPromise = (async () => {
-      const initSqlJs = (await import("sql.js")).default;
-      const wasmPath = resolveSqlJsWasmPath();
-      return initSqlJs({
-        locateFile: (file) => {
-          if (file === "sql-wasm.wasm" && wasmPath) {
-            return wasmPath;
-          }
-          return file;
-        }
-      });
-    })();
-  }
-  return sqlJsFactoryPromise;
-};
-var openSqlJsDatabase = async (dbPath) => {
-  await fs3.mkdir(path3.dirname(dbPath), { recursive: true, mode: 448 });
-  const SQL = await loadSqlJsFactory();
-  let bytes;
-  try {
-    bytes = await fs3.readFile(dbPath);
-  } catch (error) {
-    if (error?.code !== "ENOENT") {
-      throw error;
-    }
-  }
-  const db = bytes ? new SQL.Database(bytes) : new SQL.Database();
-  db.run("PRAGMA foreign_keys = ON");
-  let dirty = false;
-  return {
-    rows(sql, params = []) {
-      const statement = db.prepare(sql, params);
-      const rows = [];
-      try {
-        while (statement.step()) {
-          rows.push(statement.getAsObject());
-        }
-      } finally {
-        statement.free();
-      }
-      return rows;
-    },
-    run(sql, params = []) {
-      db.run(sql, params);
-      dirty = true;
-    },
-    async persist() {
-      if (!dirty) {
-        return;
-      }
-      const tempPath = `${dbPath}.${process.pid}.tmp`;
-      await fs3.writeFile(tempPath, Buffer.from(db.export()), { mode: 384 });
-      await fs3.rename(tempPath, dbPath);
-      dirty = false;
-    },
-    close() {
-      db.close();
-    }
-  };
-};
-var openSessionDatabase = async (profile) => {
-  const dbPath = sessionsDatabasePath(profile);
-  return await openBunDatabase(dbPath) ?? openSqlJsDatabase(dbPath);
-};
-var ensureSchema = (db) => {
-  db.run(`
-    CREATE TABLE IF NOT EXISTS sessions (
-      thread_id TEXT PRIMARY KEY,
-      title TEXT NOT NULL,
-      project_id TEXT,
-      project_name TEXT,
-      model TEXT,
-      profile TEXT NOT NULL,
-      created_at TEXT NOT NULL,
-      updated_at TEXT NOT NULL,
-      message_count INTEGER NOT NULL DEFAULT 0
-    )
-  `);
-  db.run(`
-    CREATE TABLE IF NOT EXISTS session_messages (
-      session_thread_id TEXT NOT NULL,
-      message_index INTEGER NOT NULL,
-      role TEXT NOT NULL CHECK (role IN ('user', 'assistant')),
-      content TEXT NOT NULL,
-      created_at TEXT NOT NULL,
-      PRIMARY KEY (session_thread_id, message_index),
-      FOREIGN KEY (session_thread_id) REFERENCES sessions(thread_id) ON DELETE CASCADE
-    )
-  `);
-  db.run("CREATE INDEX IF NOT EXISTS idx_sessions_updated_at ON sessions(updated_at DESC)");
-  db.run(
-    "CREATE INDEX IF NOT EXISTS idx_session_messages_thread ON session_messages(session_thread_id, message_index)"
-  );
-};
-var optionalString = (value) => typeof value === "string" && value.length > 0 ? value : void 0;
-var messageFromRow = (row) => {
-  const role = row.role;
-  const content = row.content;
-  const createdAt = row.created_at;
-  if (role !== "user" && role !== "assistant" || typeof content !== "string") {
-    return null;
-  }
-  return {
-    role,
-    content,
-    createdAt: typeof createdAt === "string" ? createdAt : nowIso()
-  };
-};
-var sessionFromRow = (db, row) => {
-  const threadId = row.thread_id;
-  const title = row.title;
-  const createdAt = row.created_at;
-  const updatedAt = row.updated_at;
-  if (typeof threadId !== "string" || typeof title !== "string" || typeof createdAt !== "string" || typeof updatedAt !== "string") {
-    return null;
-  }
-  const messages = db.rows(
-    `SELECT role, content, created_at
-       FROM session_messages
-       WHERE session_thread_id = ?
-       ORDER BY message_index ASC`,
-    [threadId]
-  ).map(messageFromRow).filter((message) => Boolean(message));
-  return {
-    threadId,
-    title,
-    projectId: optionalString(row.project_id),
-    projectName: optionalString(row.project_name),
-    model: optionalString(row.model),
-    profile: optionalString(row.profile),
-    createdAt,
-    updatedAt,
-    messageCount: Number(row.message_count) || messages.length,
-    messages
-  };
-};
-var getSessionFromDb = (db, threadId) => {
-  const row = db.rows("SELECT * FROM sessions WHERE thread_id = ?", [threadId])[0];
-  return row ? sessionFromRow(db, row) : null;
-};
-var runTransaction = (db, fn) => {
-  db.run("BEGIN IMMEDIATE");
-  try {
-    const result = fn();
-    db.run("COMMIT");
-    return result;
-  } catch (error) {
-    try {
-      db.run("ROLLBACK");
-    } catch {
-    }
-    throw error;
-  }
-};
-var upsertSession = (db, session) => {
-  runTransaction(db, () => {
-    db.run(
-      `INSERT INTO sessions (
-        thread_id,
-        title,
-        project_id,
-        project_name,
-        model,
-        profile,
-        created_at,
-        updated_at,
-        message_count
-      ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
-      ON CONFLICT(thread_id) DO UPDATE SET
-        title = excluded.title,
-        project_id = excluded.project_id,
-        project_name = excluded.project_name,
-        model = excluded.model,
-        profile = excluded.profile,
-        created_at = excluded.created_at,
-        updated_at = excluded.updated_at,
-        message_count = excluded.message_count`,
-      [
-        session.threadId,
-        session.title,
-        session.projectId ?? null,
-        session.projectName ?? null,
-        session.model ?? null,
-        session.profile ?? "default",
-        session.createdAt,
-        session.updatedAt,
-        session.messages.length
-      ]
-    );
-    db.run("DELETE FROM session_messages WHERE session_thread_id = ?", [session.threadId]);
-    session.messages.forEach((message, index) => {
-      db.run(
-        `INSERT INTO session_messages (
-          session_thread_id,
-          message_index,
-          role,
-          content,
-          created_at
-        ) VALUES (?, ?, ?, ?, ?)`,
-        [session.threadId, index, message.role, message.content, message.createdAt]
-      );
-    });
-  });
-};
-var readLegacySessionFile = async (filePath) => {
-  try {
-    const raw = await fs3.readFile(filePath, "utf8");
-    const parsed = JSON.parse(raw);
-    return parsed && typeof parsed === "object" ? normalizeLegacySession(parsed) : null;
-  } catch (error) {
-    if (error?.code === "ENOENT") {
-      return null;
-    }
-    throw error;
-  }
-};
-var normalizeLegacySession = (value) => {
-  if (!value || typeof value !== "object" || typeof value.threadId !== "string") {
-    return null;
-  }
-  const timestamp = nowIso();
-  const messages = Array.isArray(value.messages) ? value.messages.map((message) => {
-    if (!message || message.role !== "user" && message.role !== "assistant" || typeof message.content !== "string") {
-      return null;
-    }
-    return {
-      role: message.role,
-      content: message.content,
-      createdAt: typeof message.createdAt === "string" ? message.createdAt : timestamp
-    };
-  }).filter(
-    (message) => Boolean(message)
-  ) : [];
-  return {
-    threadId: value.threadId,
-    title: typeof value.title === "string" && value.title.trim() ? sanitizeTitle(value.title) : "Untitled CloudEval session",
-    projectId: optionalString(value.projectId),
-    projectName: optionalString(value.projectName),
-    model: optionalString(value.model),
-    profile: optionalString(value.profile),
-    createdAt: typeof value.createdAt === "string" ? value.createdAt : timestamp,
-    updatedAt: typeof value.updatedAt === "string" ? value.updatedAt : timestamp,
-    messageCount: messages.length,
-    messages
-  };
-};
-var readLegacySessions = async (profile) => {
-  try {
-    const dir = legacySessionsDir(profile);
-    const entries = await fs3.readdir(dir, { withFileTypes: true });
-    const sessions = await Promise.all(
-      entries.filter((entry) => entry.isFile() && entry.name.endsWith(".json")).map((entry) => readLegacySessionFile(path3.join(dir, entry.name)))
-    );
-    return sessions.filter((session) => Boolean(session));
-  } catch (error) {
-    if (error?.code === "ENOENT") {
-      return [];
-    }
-    throw error;
-  }
-};
-var migrateLegacyJsonSessions = async (db, profile) => {
-  const normalizedProfile = normalizeConfigProfile(profile);
-  const legacySessions = await readLegacySessions(normalizedProfile);
-  for (const session of legacySessions) {
-    if (getSessionFromDb(db, session.threadId)) {
-      continue;
-    }
-    upsertSession(db, {
-      ...session,
-      profile: session.profile ?? normalizedProfile,
-      messageCount: session.messages.length
-    });
-  }
-};
-var withSessionDatabase = async (profile, fn) => {
-  const normalizedProfile = normalizeConfigProfile(profile);
-  const db = await openSessionDatabase(normalizedProfile);
-  try {
-    ensureSchema(db);
-    await migrateLegacyJsonSessions(db, normalizedProfile);
-    const result = await fn(db, normalizedProfile);
-    await db.persist();
-    return result;
-  } finally {
-    db.close();
-  }
-};
-var recordSessionTurn = async ({
-  threadId,
-  question,
-  response,
-  project,
-  model,
-  profile
-}) => {
-  if (!threadId || !question.trim() && !response.trim()) {
-    return;
-  }
-  await withSessionDatabase(profile, (db, normalizedProfile) => {
-    const existing = getSessionFromDb(db, threadId);
-    const timestamp = nowIso();
-    const messages = [
-      ...existing?.messages ?? [],
-      ...question.trim() ? [{ role: "user", content: question.trim(), createdAt: timestamp }] : [],
-      ...response.trim() ? [{ role: "assistant", content: response.trim(), createdAt: timestamp }] : []
-    ];
-    upsertSession(db, {
-      threadId,
-      title: existing?.title ?? titleFromQuestion(question),
-      projectId: project?.id ?? existing?.projectId,
-      projectName: project?.name ?? existing?.projectName,
-      model: model ?? existing?.model,
-      profile: normalizedProfile,
-      createdAt: existing?.createdAt ?? timestamp,
-      updatedAt: timestamp,
-      messageCount: messages.length,
-      messages
-    });
-  });
-};
-var listSessions = async (limit = 20, profile) => withSessionDatabase(profile, (db) => {
-  const rows = db.rows(
-    `SELECT *
-       FROM sessions
-       ORDER BY updated_at DESC
-       LIMIT ?`,
-    [Math.max(1, limit)]
-  );
-  return rows.map((row) => sessionFromRow(db, row)).filter((session) => Boolean(session));
-});
-var getSession = async (threadId, profile) => withSessionDatabase(profile, (db) => getSessionFromDb(db, threadId));
-var renameSession = async (threadId, title, profile) => {
-  return withSessionDatabase(profile, (db) => {
-    const session = getSessionFromDb(db, threadId);
-    if (!session) {
-      return null;
-    }
-    const updated = {
-      ...session,
-      title: sanitizeTitle(title),
-      updatedAt: nowIso()
-    };
-    upsertSession(db, updated);
-    return updated;
-  });
-};
-var searchTerms = (query) => query.toLowerCase().split(/[^a-z0-9]+/i).map((term) => term.trim()).filter((term) => term.length > 1);
-var countTerm = (text, term) => {
-  if (!text || !term) return 0;
-  const escaped = term.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-  return text.match(new RegExp(escaped, "gi"))?.length ?? 0;
-};
-var previewFor = (session, terms) => {
-  const matched = session.messages.map((message) => ({
-    message,
-    score: terms.reduce((total, term) => total + countTerm(message.content, term), 0)
-  })).filter((entry) => entry.score > 0).sort((a, b) => b.score - a.score)[0]?.message;
-  const value = matched?.content ?? session.messages.at(-1)?.content ?? session.title;
-  const singleLine = value.replace(/\s+/g, " ").trim();
-  return singleLine.length > 180 ? `${singleLine.slice(0, 177)}...` : singleLine;
-};
-var scoreSession = (session, terms) => {
-  const title = session.title.toLowerCase();
-  const project = `${session.projectId ?? ""} ${session.projectName ?? ""}`.toLowerCase();
-  const messages = session.messages.map((message) => message.content).join("\n").toLowerCase();
-  return terms.reduce(
-    (score, term) => score + countTerm(title, term) * 8 + countTerm(project, term) * 4 + countTerm(messages, term),
-    0
-  );
-};
-var toSearchResult = (session, score, terms) => ({
-  threadId: session.threadId,
-  title: session.title,
-  projectId: session.projectId,
-  projectName: session.projectName,
-  model: session.model,
-  profile: session.profile,
-  createdAt: session.createdAt,
-  updatedAt: session.updatedAt,
-  messageCount: session.messageCount,
-  score,
-  preview: previewFor(session, terms)
-});
-var searchSessions = async (query, options = {}) => {
-  const terms = searchTerms(query);
-  const sessions = await exportSessions(options.profile);
-  if (!terms.length) {
-    return sessions.slice(0, Math.max(1, options.limit ?? 20)).map((session) => toSearchResult(session, 0, []));
-  }
-  return sessions.map((session) => ({
-    session,
-    score: scoreSession(session, terms)
-  })).filter((entry) => entry.score > 0).sort((a, b) => b.score - a.score || b.session.updatedAt.localeCompare(a.session.updatedAt)).slice(0, Math.max(1, options.limit ?? 20)).map((entry) => toSearchResult(entry.session, entry.score, terms));
-};
-var resolveSessionReference = async (reference, profile) => {
-  const trimmed = reference.trim();
-  if (!trimmed) {
-    return null;
-  }
-  const exact = await getSession(trimmed, profile);
-  if (exact) {
-    return exact;
-  }
-  const sessions = await exportSessions(profile);
-  const lower = trimmed.toLowerCase();
-  return sessions.find((session) => session.title.toLowerCase() === lower) ?? sessions.find((session) => session.threadId.startsWith(trimmed)) ?? sessions.find((session) => session.title.toLowerCase().includes(lower)) ?? null;
-};
-var deleteSession = async (threadId, profile) => {
-  const deleted = await withSessionDatabase(profile, (db) => {
-    const existing = getSessionFromDb(db, threadId);
-    if (!existing) {
-      return false;
-    }
-    db.run("DELETE FROM sessions WHERE thread_id = ?", [threadId]);
-    return true;
-  });
-  try {
-    await fs3.unlink(legacySessionPath(threadId, profile));
-  } catch (error) {
-    if (error?.code !== "ENOENT") {
-      throw error;
-    }
-  }
-  return deleted;
-};
-var exportSessions = async (profile) => listSessions(Number.MAX_SAFE_INTEGER, profile);
-var pruneSessions = async (olderThanDays, profile) => {
-  const cutoff = Date.now() - Math.max(1, olderThanDays) * 24 * 60 * 60 * 1e3;
-  const sessions = await exportSessions(profile);
-  let deleted = 0;
-  for (const session of sessions) {
-    const updatedAt = Date.parse(session.updatedAt);
-    if (Number.isFinite(updatedAt) && updatedAt < cutoff) {
-      if (await deleteSession(session.threadId, profile)) {
-        deleted++;
-      }
-    }
-  }
-  return deleted;
-};
-
 // src/recipesCommand.ts
 var STREAM_OUTPUT_NODES = /* @__PURE__ */ new Set([
   "generate_response",
@@ -4128,7 +3445,7 @@ var writeRecipeList = async (options) => {
   if (format === "table" || format === "text") {
     const text = renderRecipesTable();
     if (options.output) {
-      await fs4.writeFile(options.output, text, "utf8");
+      await fs2.writeFile(options.output, text, "utf8");
       return;
     }
     process.stdout.write(text);
@@ -4137,7 +3454,7 @@ var writeRecipeList = async (options) => {
   if (format === "markdown") {
     const text = renderRecipesMarkdown();
     if (options.output) {
-      await fs4.writeFile(options.output, text, "utf8");
+      await fs2.writeFile(options.output, text, "utf8");
       return;
     }
     process.stdout.write(text);
@@ -4155,7 +3472,7 @@ var writeRecipeShow = async (recipe, options) => {
   if (format === "markdown" || format === "text") {
     const text = renderRecipeMarkdown(recipe);
     if (options.output) {
-      await fs4.writeFile(options.output, text, "utf8");
+      await fs2.writeFile(options.output, text, "utf8");
       return;
     }
     process.stdout.write(text);
@@ -4212,7 +3529,7 @@ var runChatRecipe = async (recipe, prompt2, options, command, deps) => {
   });
   progressWriter.write({ type: "auth", step: "auth", message: "Resolving authentication" });
   const context = await resolveAuthContext(options, command, deps);
-  const core = await import("./dist-I4IPYCRC.js");
+  const core = await import("./dist-TBAQ5KOK.js");
   progressWriter.write({
     type: "request",
     step: "project",
@@ -4264,88 +3581,528 @@ var runChatRecipe = async (recipe, prompt2, options, command, deps) => {
       throw new Error(chunk.message || chunk.description || "CloudEval recipe failed.");
     }
   }
-  const finalMessage = [...chatState.messages].reverse().find((message) => message.role === "assistant");
-  const finalResponse = collapseRepeatedAssistantText(finalMessage?.content || responseText || "");
-  if (!finalResponse.trim()) {
-    throw new Error("No final response returned by CloudEval for this recipe.");
+  const finalMessage = [...chatState.messages].reverse().find((message) => message.role === "assistant");
+  const finalResponse = collapseRepeatedAssistantText(finalMessage?.content || responseText || "");
+  if (!finalResponse.trim()) {
+    throw new Error("No final response returned by CloudEval for this recipe.");
+  }
+  const frontendUrl = buildFrontendUrl({
+    baseUrl: resolveFrontendBaseUrl({
+      frontendUrl: selectedFrontendUrl,
+      apiBaseUrl: context.baseUrl
+    }),
+    target: "chat",
+    threadId: chatState.threadId
+  });
+  await recordSessionTurn({
+    threadId: chatState.threadId,
+    question: prompt2,
+    response: finalResponse,
+    project: { id: project.id, name: project.name },
+    model: selectedModel,
+    profile: selectedProfile
+  }).catch(() => void 0);
+  progressWriter.clear();
+  return {
+    recipeId: recipe.id,
+    title: recipe.title,
+    mode: recipe.mode,
+    prompt: prompt2,
+    response: finalResponse,
+    threadId: chatState.threadId,
+    project: { id: project.id, name: project.name },
+    commands: renderRecipeCommands(recipe, recipeContext(options)),
+    safety: recipe.safety,
+    frontendUrl
+  };
+};
+var buildGuideResult = (recipe, context) => ({
+  recipeId: recipe.id,
+  title: recipe.title,
+  mode: recipe.mode,
+  prompt: renderRecipePrompt(recipe, context),
+  commands: renderRecipeCommands(recipe, context),
+  inputs: context,
+  safety: recipe.safety,
+  expectedOutput: recipe.expectedOutput,
+  note: "This recipe requires explicit user-run commands for side effects; no project, file, billing, or MCP config mutation was performed."
+});
+var registerRecipesCommand = (program2, deps) => {
+  const command = program2.command("recipes").description("CloudEval reusable recipes and agent skills");
+  command.command("list").description("List CloudEval recipes").option("--format <format>", "Output format: table, text, json, ndjson, markdown", "table").option("--output <file>", "Output file").action((options) => writeRecipeList(options));
+  command.command("show").description("Show a CloudEval recipe").argument("<id>", "Recipe id").option("--format <format>", "Output format: text, json, ndjson, markdown", "markdown").option("--output <file>", "Output file").action(async (id, options) => {
+    const recipe = getRecipe(id);
+    if (!recipe) {
+      console.error(`Unknown recipe '${id}'. Run 'cloudeval recipes list' to see available recipes.`);
+      process.exit(1);
+    }
+    await writeRecipeShow(recipe, options);
+  });
+  addAuthOptions(
+    command.command("run").description("Run a CloudEval recipe or print explicit commands for side-effecting recipes").argument("<id>", "Recipe id"),
+    deps.defaultBaseUrl
+  ).option("--project <id>", "Project ID to use").option("--connection-id <id>", "Connection id for connection recipes").option("--credential-id <id>", "Credential id for credential recipes").option("--range <range>", "Usage/report range such as 7d, 30d, 90d, all", "30d").option("--template-file <path>", "Local JSON template file").option("--template-url <url>", "Template URL").option("--parameters-file <path>", "Local parameters file").option("--parameters-url <url>", "Parameters URL").option("--provider <provider>", "Cloud provider accepted by projects create").option("--name <name>", "Project or recipe display name").option("--output-path <path>", "Side-effect output path for guide recipes").option("--output-dir <path>", "Side-effect output directory for guide recipes").option("--client <name>", "MCP client name for setup recipes").option("--layout <layout>", "Visualization layout such as architecture or dependency").option("--model <name>", "Model name").option("--thread <id>", "Thread id to reuse").option("--format <format>", "Output format: text, json, ndjson, markdown", "text").option("--output <file>", "Output file").option("--progress <mode>", "Progress events: auto, stderr, ndjson, none", "auto").option("--quiet", "Suppress progress and warning messages", false).option("--frontend-url <url>", "Frontend base URL").action(async (id, options, actionCommand) => {
+    const recipe = getRecipe(id);
+    if (!recipe) {
+      console.error(`Unknown recipe '${id}'. Run 'cloudeval recipes list' to see available recipes.`);
+      process.exit(1);
+    }
+    try {
+      const context = recipeContext(options);
+      const prompt2 = renderRecipePrompt(recipe, context);
+      const result = recipe.mode === "guide" ? buildGuideResult(recipe, context) : await runChatRecipe(recipe, prompt2, options, actionCommand, deps);
+      const frontendUrl = "frontendUrl" in result ? result.frontendUrl : void 0;
+      await writeFormattedOutput({
+        command: "recipes run",
+        data: result,
+        format: options.format === "table" ? "text" : options.format,
+        output: options.output,
+        frontendUrl
+      });
+    } catch (error) {
+      console.error(`Failed to run recipe: ${error?.message ?? "Unknown error"}`);
+      process.exit(1);
+    }
+  });
+};
+
+// src/skillsCommand.ts
+import fs4 from "fs/promises";
+
+// src/skills/catalog.ts
+import fs3 from "fs/promises";
+import fsSync from "fs";
+import path2 from "path";
+import { fileURLToPath as fileURLToPath2 } from "url";
+var repoRoot = path2.resolve(fileURLToPath2(new URL("../../../../", import.meta.url)));
+var defaultSkillsPath = path2.join(repoRoot, "skills");
+var requiredSkillSections = [
+  "## WHEN",
+  "## DO NOT USE FOR",
+  "## Required CloudEval Context",
+  "## CLI Commands",
+  "## MCP Tools",
+  "## Safety Requirements",
+  "## Expected Output / Proof",
+  "## Failure Handling"
+];
+var bundledSkillMetadata = [
+  {
+    id: "cloudeval",
+    title: "CloudEval Skill Router",
+    description: "Routes CloudEval CLI and MCP work across projects, reports, billing, credentials, connections, diagnostics, recipes, and agent workflows."
+  },
+  {
+    id: "cloudeval-agent-ops",
+    title: "CloudEval Agent Ops",
+    description: "Runs CloudEval ask, agent, chat/TUI, model selection, recipes, and local session recovery."
+  },
+  {
+    id: "cloudeval-billing",
+    title: "CloudEval Billing",
+    description: "Inspects CloudEval credits, plans, usage, ledger, invoices, notifications, top-ups, and checkout links."
+  },
+  {
+    id: "cloudeval-connections",
+    title: "CloudEval Connections",
+    description: "Inspects CloudEval cloud/template connections, connection health, and connection frontend links."
+  },
+  {
+    id: "cloudeval-cost",
+    title: "CloudEval Cost",
+    description: "Triages CloudEval cost reports, billing usage, savings opportunities, anomalies, and credit impact."
+  },
+  {
+    id: "cloudeval-credentials",
+    title: "CloudEval Credentials",
+    description: "Manages CloudEval scoped access-key templates, creation, inspection, rotation, and revocation."
+  },
+  {
+    id: "cloudeval-graph-intelligence",
+    title: "CloudEval Graph Intelligence",
+    description: "Inspects project graphs, graph drift, sync history, dependency impact, critical paths, and graph-derived risk signals."
+  },
+  {
+    id: "cloudeval-mcp-diagnostics",
+    title: "CloudEval MCP Diagnostics",
+    description: "Sets up and diagnoses CloudEval MCP, config, auth, doctor, status, update, completion, banner, and deeplinks."
+  },
+  {
+    id: "cloudeval-projects",
+    title: "CloudEval Projects",
+    description: "Lists, inspects, creates, opens, and health-checks CloudEval projects and template project workflows."
+  },
+  {
+    id: "cloudeval-reports",
+    title: "CloudEval Reports",
+    description: "Lists, shows, generates, downloads, and summarizes CloudEval cost and Well-Architected reports."
+  },
+  {
+    id: "cloudeval-template-validation",
+    title: "CloudEval Template Validation",
+    description: "Validates, parses, tests, and release-gates CloudEval-supported cloud template files."
+  },
+  {
+    id: "cloudeval-visualizations",
+    title: "CloudEval Visualizations",
+    description: "Exports CloudEval architecture or dependency diagrams and prepares visual evidence for reviews."
+  },
+  {
+    id: "cloudeval-waf",
+    title: "CloudEval WAF",
+    description: "Triages CloudEval Well-Architected findings, failed rules, pillar risk, and remediation plans."
+  }
+];
+var metadataById = new Map(bundledSkillMetadata.map((skill) => [skill.id, skill]));
+var normalizeSkillId = (id) => {
+  const normalized = id.trim().toLowerCase();
+  if (metadataById.has(normalized)) {
+    return normalized;
+  }
+  const prefixed = `cloudeval-${normalized}`;
+  return metadataById.has(prefixed) ? prefixed : normalized;
+};
+var getSkillsPath = () => process.env.CLOUDEVAL_SKILLS_PATH ?? defaultSkillsPath;
+var skillFilePath = (id) => path2.join(getSkillsPath(), id, "SKILL.md");
+var fileExists = (filePath) => {
+  try {
+    return fsSync.statSync(filePath).isFile();
+  } catch {
+    return false;
+  }
+};
+var readSkillFile = async (id) => {
+  const filePath = skillFilePath(id);
+  if (fileExists(filePath)) {
+    return {
+      content: await fs3.readFile(filePath, "utf8"),
+      path: filePath,
+      source: "filesystem"
+    };
+  }
+  return {
+    content: synthesizeSkillContent(metadataById.get(id) ?? {
+      id,
+      title: id,
+      description: "CloudEval skill metadata."
+    }),
+    source: "embedded"
+  };
+};
+var recipesForSkill = (id) => recipes.filter((recipe) => recipe.skill === id);
+var unique = (values) => [...new Set(values)].filter(Boolean).sort();
+var summarizeSkill = async (metadata) => {
+  const file = await readSkillFile(metadata.id);
+  const skillRecipes = recipesForSkill(metadata.id);
+  return {
+    ...metadata,
+    path: file.path,
+    source: file.source,
+    recipes: skillRecipes.map((recipe) => recipe.id),
+    mcpTools: unique(skillRecipes.flatMap((recipe) => recipe.mcpTools))
+  };
+};
+var listSkills = async () => Promise.all(bundledSkillMetadata.map(summarizeSkill));
+var getSkill = async (id) => {
+  const normalized = normalizeSkillId(id);
+  const metadata = metadataById.get(normalized);
+  if (!metadata) {
+    return void 0;
+  }
+  const [summary, file] = await Promise.all([
+    summarizeSkill(metadata),
+    readSkillFile(metadata.id)
+  ]);
+  return {
+    ...summary,
+    content: file.content
+  };
+};
+var synthesizeSkillContent = (metadata) => `---
+name: ${metadata.id}
+description: ${metadata.description}
+---
+
+# ${metadata.title}
+
+## WHEN
+- Use this bundled CloudEval skill when source SKILL.md files are unavailable at runtime.
+
+## DO NOT USE FOR
+- Unsupported CloudEval capabilities or private backend internals.
+
+## Required CloudEval Context
+- Run \`cloudeval capabilities --format json\` and \`cloudeval recipes list\` to discover available commands.
+
+## CLI Commands
+- \`cloudeval skills show ${metadata.id}\`
+- \`cloudeval recipes list\`
+
+## MCP Tools
+- \`capabilities_get\`
+- \`recipes_list\`
+
+## Safety Requirements
+- Redact secrets, account identifiers, session identifiers, tenant identifiers, billing data, and raw report payloads by default.
+
+## Expected Output / Proof
+- State the command or MCP tool used and separate confirmed evidence from missing data.
+
+## Failure Handling
+- If the source skill file is needed, run from a CloudEval CLI checkout or inspect the public repository.
+`;
+var frontMatterNamePattern = (id) => new RegExp(`^---[\\s\\S]*?^name:\\s*${id.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}\\s*$[\\s\\S]*?^---`, "m");
+var sensitivePatterns = [
+  /sk-or-v1-[a-z0-9]{16,}/i,
+  /sk-[a-z0-9]{20,}/i,
+  /ghp_[a-z0-9]{20,}/i,
+  /xox[baprs]-[a-z0-9-]{20,}/i,
+  /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/
+];
+var unsupportedClaims = [
+  /\bterraform\b/i,
+  /\bpull request\b/i,
+  /\bgithub pr\b/i,
+  /\bpr integration\b/i
+];
+var validateSkillText = (id, text, file) => {
+  const checks = [];
+  checks.push({
+    id: `${id}:frontmatter-name`,
+    status: frontMatterNamePattern(id).test(text) ? "pass" : "fail",
+    message: `Skill ${id} declares matching frontmatter name.`,
+    file
+  });
+  for (const section of requiredSkillSections) {
+    checks.push({
+      id: `${id}:section:${section.replace(/^##\s+/, "").toLowerCase().replace(/[^a-z0-9]+/g, "-")}`,
+      status: text.includes(section) ? "pass" : "fail",
+      message: `Skill ${id} includes ${section}.`,
+      file
+    });
+  }
+  for (const pattern of sensitivePatterns) {
+    checks.push({
+      id: `${id}:no-sensitive-pattern:${pattern.source.slice(0, 24)}`,
+      status: pattern.test(text) ? "fail" : "pass",
+      message: `Skill ${id} does not contain obvious secret patterns.`,
+      file
+    });
+  }
+  for (const pattern of unsupportedClaims) {
+    checks.push({
+      id: `${id}:no-unsupported-claim:${pattern.source}`,
+      status: pattern.test(text) ? "fail" : "pass",
+      message: `Skill ${id} does not claim unsupported workflows.`,
+      file
+    });
+  }
+  return checks;
+};
+var validateSkills = async () => {
+  const skills = await listSkills();
+  const knownIds = new Set(skills.map((skill) => skill.id));
+  const checks = [];
+  for (const recipe of recipes) {
+    checks.push({
+      id: `recipe:${recipe.id}:skill-exists`,
+      status: knownIds.has(recipe.skill) ? "pass" : "fail",
+      message: `Recipe ${recipe.id} references implemented skill ${recipe.skill}.`
+    });
+  }
+  for (const skill of skills) {
+    const file = await readSkillFile(skill.id);
+    checks.push({
+      id: `${skill.id}:source`,
+      status: file.source === "filesystem" ? "pass" : "fail",
+      message: `Skill ${skill.id} has a public SKILL.md file.`,
+      file: file.path
+    });
+    checks.push(...validateSkillText(skill.id, file.content, file.path));
   }
-  const frontendUrl = buildFrontendUrl({
-    baseUrl: resolveFrontendBaseUrl({
-      frontendUrl: selectedFrontendUrl,
-      apiBaseUrl: context.baseUrl
-    }),
-    target: "chat",
-    threadId: chatState.threadId
-  });
-  await recordSessionTurn({
-    threadId: chatState.threadId,
-    question: prompt2,
-    response: finalResponse,
-    project: { id: project.id, name: project.name },
-    model: selectedModel,
-    profile: selectedProfile
-  }).catch(() => void 0);
-  progressWriter.clear();
   return {
-    recipeId: recipe.id,
-    title: recipe.title,
-    mode: recipe.mode,
-    prompt: prompt2,
-    response: finalResponse,
-    threadId: chatState.threadId,
-    project: { id: project.id, name: project.name },
-    commands: renderRecipeCommands(recipe, recipeContext(options)),
-    safety: recipe.safety,
-    frontendUrl
+    ok: checks.every((check) => check.status === "pass"),
+    skillsPath: getSkillsPath(),
+    skills,
+    checks
   };
 };
-var buildGuideResult = (recipe, context) => ({
-  recipeId: recipe.id,
-  title: recipe.title,
-  mode: recipe.mode,
-  prompt: renderRecipePrompt(recipe, context),
-  commands: renderRecipeCommands(recipe, context),
-  inputs: context,
-  safety: recipe.safety,
-  expectedOutput: recipe.expectedOutput,
-  note: "This recipe requires explicit user-run commands for side effects; no project, file, billing, or MCP config mutation was performed."
+var skillsResourceData = async () => ({
+  skillsPath: getSkillsPath(),
+  skills: await listSkills(),
+  requiredSections: [...requiredSkillSections]
 });
-var registerRecipesCommand = (program2, deps) => {
-  const command = program2.command("recipes").description("CloudEval reusable recipes and agent skills");
-  command.command("list").description("List CloudEval recipes").option("--format <format>", "Output format: table, text, json, ndjson, markdown", "table").option("--output <file>", "Output file").action((options) => writeRecipeList(options));
-  command.command("show").description("Show a CloudEval recipe").argument("<id>", "Recipe id").option("--format <format>", "Output format: text, json, ndjson, markdown", "markdown").option("--output <file>", "Output file").action(async (id, options) => {
-    const recipe = getRecipe(id);
-    if (!recipe) {
-      console.error(`Unknown recipe '${id}'. Run 'cloudeval recipes list' to see available recipes.`);
-      process.exit(1);
+
+// src/skillsCommand.ts
+var renderSkillsTable = (skills) => formatTextTable(
+  skills.map((skill) => ({
+    id: skill.id,
+    title: skill.title,
+    recipes: skill.recipes.length,
+    tools: skill.mcpTools.length,
+    source: skill.source
+  })),
+  [
+    { key: "id", header: "ID", width: 36 },
+    { key: "title", header: "Title", maxWidth: 40 },
+    { key: "recipes", header: "Recipes", align: "right" },
+    { key: "tools", header: "MCP Tools", align: "right" },
+    { key: "source", header: "Source", maxWidth: 12 }
+  ],
+  { emptyMessage: "No CloudEval skills found." }
+);
+var renderSkillsMarkdown = (skills) => [
+  "# CloudEval Skills",
+  "",
+  ...skills.map((skill) => [
+    `## ${skill.title}`,
+    "",
+    `- ID: ${skill.id}`,
+    `- Source: ${skill.source}`,
+    `- Recipes: ${skill.recipes.length ? skill.recipes.join(", ") : "none"}`,
+    `- MCP tools: ${skill.mcpTools.length ? skill.mcpTools.join(", ") : "none"}`,
+    "",
+    skill.description,
+    ""
+  ].join("\n"))
+].join("\n");
+var writeSkillList = async (options) => {
+  const skills = await listSkills();
+  const format = options.format ?? "table";
+  if (format === "table" || format === "text") {
+    const text = renderSkillsTable(skills);
+    if (options.output) {
+      await fs4.writeFile(options.output, text, "utf8");
+      return;
     }
-    await writeRecipeShow(recipe, options);
+    process.stdout.write(text);
+    return;
+  }
+  if (format === "markdown") {
+    const text = renderSkillsMarkdown(skills);
+    if (options.output) {
+      await fs4.writeFile(options.output, text, "utf8");
+      return;
+    }
+    process.stdout.write(text);
+    return;
+  }
+  await writeFormattedOutput({
+    command: "skills list",
+    data: { skills },
+    format,
+    output: options.output
   });
-  addAuthOptions(
-    command.command("run").description("Run a CloudEval recipe or print explicit commands for side-effecting recipes").argument("<id>", "Recipe id"),
-    deps.defaultBaseUrl
-  ).option("--project <id>", "Project ID to use").option("--connection-id <id>", "Connection id for connection recipes").option("--credential-id <id>", "Credential id for credential recipes").option("--range <range>", "Usage/report range such as 7d, 30d, 90d, all", "30d").option("--template-file <path>", "Local JSON template file").option("--template-url <url>", "Template URL").option("--parameters-file <path>", "Local parameters file").option("--parameters-url <url>", "Parameters URL").option("--provider <provider>", "Cloud provider accepted by projects create").option("--name <name>", "Project or recipe display name").option("--output-path <path>", "Side-effect output path for guide recipes").option("--output-dir <path>", "Side-effect output directory for guide recipes").option("--client <name>", "MCP client name for setup recipes").option("--layout <layout>", "Visualization layout such as architecture or dependency").option("--model <name>", "Model name").option("--thread <id>", "Thread id to reuse").option("--format <format>", "Output format: text, json, ndjson, markdown", "text").option("--output <file>", "Output file").option("--progress <mode>", "Progress events: auto, stderr, ndjson, none", "auto").option("--quiet", "Suppress progress and warning messages", false).option("--frontend-url <url>", "Frontend base URL").action(async (id, options, actionCommand) => {
-    const recipe = getRecipe(id);
-    if (!recipe) {
-      console.error(`Unknown recipe '${id}'. Run 'cloudeval recipes list' to see available recipes.`);
-      process.exit(1);
+};
+var writeSkillShow = async (id, options) => {
+  const skill = await getSkill(id);
+  if (!skill) {
+    process.stderr.write(`Unknown skill '${id}'. Run 'cloudeval skills list' to see available skills.
+`);
+    process.exit(1);
+  }
+  const format = options.format ?? "markdown";
+  if (format === "markdown" || format === "text") {
+    if (options.output) {
+      await fs4.writeFile(options.output, skill.content, "utf8");
+      return;
     }
-    try {
-      const context = recipeContext(options);
-      const prompt2 = renderRecipePrompt(recipe, context);
-      const result = recipe.mode === "guide" ? buildGuideResult(recipe, context) : await runChatRecipe(recipe, prompt2, options, actionCommand, deps);
-      const frontendUrl = "frontendUrl" in result ? result.frontendUrl : void 0;
-      await writeFormattedOutput({
-        command: "recipes run",
-        data: result,
-        format: options.format === "table" ? "text" : options.format,
-        output: options.output,
-        frontendUrl
-      });
-    } catch (error) {
-      console.error(`Failed to run recipe: ${error?.message ?? "Unknown error"}`);
-      process.exit(1);
+    process.stdout.write(skill.content);
+    if (!skill.content.endsWith("\n")) {
+      process.stdout.write("\n");
+    }
+    return;
+  }
+  await writeFormattedOutput({
+    command: "skills show",
+    data: skill,
+    format: format === "table" ? "text" : format,
+    output: options.output
+  });
+};
+var writeSkillDoctor = async (options) => {
+  const result = await validateSkills();
+  const format = options.format ?? "table";
+  if (format === "table" || format === "text") {
+    const failed = result.checks.filter((check) => check.status === "fail");
+    const text = [
+      formatTextTable(
+        [
+          {
+            ok: result.ok ? "yes" : "no",
+            skills: result.skills.length,
+            checks: result.checks.length,
+            failures: failed.length,
+            path: result.skillsPath
+          }
+        ],
+        [
+          { key: "ok", header: "OK", width: 4 },
+          { key: "skills", header: "Skills", align: "right" },
+          { key: "checks", header: "Checks", align: "right" },
+          { key: "failures", header: "Failures", align: "right" },
+          { key: "path", header: "Path", maxWidth: 72 }
+        ]
+      ).trimEnd(),
+      failed.length ? "\nFailures\n" + formatTextTable(
+        failed.map((check) => ({
+          check: check.id,
+          message: check.message,
+          file: check.file ?? ""
+        })),
+        [
+          { key: "check", header: "Check", maxWidth: 44 },
+          { key: "message", header: "Message", maxWidth: 72 },
+          { key: "file", header: "File", maxWidth: 64 }
+        ]
+      ).trimEnd() : "",
+      ""
+    ].filter(Boolean).join("\n");
+    if (options.output) {
+      await fs4.writeFile(options.output, `${text}
+`, "utf8");
+      return;
+    }
+    process.stdout.write(`${text}
+`);
+    if (!result.ok) {
+      process.exitCode = 1;
+    }
+    return;
+  }
+  await writeFormattedOutput({
+    command: "skills doctor",
+    data: result,
+    format,
+    output: options.output
+  });
+  if (!result.ok) {
+    process.exitCode = 1;
+  }
+};
+var registerSkillsCommand = (program2) => {
+  const command = program2.command("skills").description("List, inspect, and validate CloudEval agent skills");
+  command.command("list").description("List CloudEval skills").option("--format <format>", "Output format: table, text, json, ndjson, markdown", "table").option("--output <file>", "Output file").action((options) => writeSkillList(options));
+  command.command("show").description("Show a CloudEval skill").argument("<id>", "Skill id").option("--format <format>", "Output format: text, json, ndjson, markdown", "markdown").option("--output <file>", "Output file").action((id, options) => writeSkillShow(id, options));
+  command.command("doctor").description("Validate CloudEval skill files and recipe references").option("--format <format>", "Output format: table, text, json, ndjson, markdown", "table").option("--output <file>", "Output file").action((options) => writeSkillDoctor(options));
+  command.command("path").description("Print the CloudEval skills directory").option("--format <format>", "Output format: text, json, ndjson, markdown", "text").option("--output <file>", "Output file").action(async (options) => {
+    const skillsPath = getSkillsPath();
+    if (!options.format || options.format === "text" || options.format === "table") {
+      const text = `${skillsPath}
+`;
+      if (options.output) {
+        await fs4.writeFile(options.output, text, "utf8");
+        return;
+      }
+      process.stdout.write(text);
+      return;
     }
+    await writeFormattedOutput({
+      command: "skills path",
+      data: { skillsPath },
+      format: options.format,
+      output: options.output
+    });
   });
 };
 
@@ -4507,7 +4264,7 @@ var registerOpenCommand = (program2, deps) => {
 };
 
 // src/projectsCommand.ts
-import path4 from "path";
+import path3 from "path";
 import fs5 from "fs/promises";
 
 // src/projectDiagramImage.ts
@@ -4687,12 +4444,12 @@ var responseErrorMessage = async (response) => {
 var fetchCloudEvalJson = async ({
   baseUrl,
   authToken,
-  path: path11,
+  path: path10,
   method = "GET",
   query = {},
   body
 }) => {
-  const url = new URL(`${normalizeApiBase(baseUrl)}${path11}`);
+  const url = new URL(`${normalizeApiBase(baseUrl)}${path10}`);
   for (const [key, value] of Object.entries(query)) {
     if (value !== void 0 && value !== null && value !== "") {
       url.searchParams.set(key, String(value));
@@ -4880,11 +4637,11 @@ var fileBlob = async (filePath) => {
   const bytes = await fs5.readFile(filePath);
   return {
     blob: new Blob([bytes], { type: "application/json" }),
-    name: path4.basename(filePath)
+    name: path3.basename(filePath)
   };
 };
 var writeDiagramImageHeaders = async (outputPath, headers) => {
-  await fs5.mkdir(path4.dirname(outputPath), { recursive: true });
+  await fs5.mkdir(path3.dirname(outputPath), { recursive: true });
   const text = Object.entries(headers).sort(([left], [right]) => left.localeCompare(right)).map(([key, value]) => `${key}: ${value}`).join("\n");
   await fs5.writeFile(outputPath, `${text}
 `, "utf8");
@@ -5021,7 +4778,7 @@ var configureDiagramExportCommand = (command, deps) => addAuthOptions(command, d
       const context = requireAuthUser(
         await resolveAuthContext(options, actionCommand, deps)
       );
-      const core = await import("./dist-I4IPYCRC.js");
+      const core = await import("./dist-TBAQ5KOK.js");
       const projects = await core.getProjects(
         context.baseUrl,
         context.token,
@@ -5049,9 +4806,9 @@ var configureDiagramExportCommand = (command, deps) => addAuthOptions(command, d
       publicGraph,
       syncVersion: options.syncVersion
     });
-    const outputPath = path4.resolve(options.output);
-    const headersOutputPath = options.headersOutput ? path4.resolve(options.headersOutput) : void 0;
-    await fs5.mkdir(path4.dirname(outputPath), { recursive: true });
+    const outputPath = path3.resolve(options.output);
+    const headersOutputPath = options.headersOutput ? path3.resolve(options.headersOutput) : void 0;
+    await fs5.mkdir(path3.dirname(outputPath), { recursive: true });
     await fs5.writeFile(outputPath, result.bytes);
     const filesWritten = [outputPath];
     if (headersOutputPath) {
@@ -5098,7 +4855,7 @@ var registerProjectsCommand = (program2, deps) => {
   addCommon(addAuthOptions(projects.command("list").description("List projects"), deps.defaultBaseUrl)).action(async (options, command) => {
     try {
       const context = await resolveAuthContext(options, command, deps);
-      const core = await import("./dist-I4IPYCRC.js");
+      const core = await import("./dist-TBAQ5KOK.js");
       const data = await listProjectsForContext(core, context);
       const url = buildFrontendUrl({ baseUrl: frontendBase(context, options), target: "projects" });
       await writeProjectListOutput({ data, options, frontendUrl: url });
@@ -5116,7 +4873,7 @@ var registerProjectsCommand = (program2, deps) => {
   ).action(async (id, options, command) => {
     try {
       const context = await resolveAuthContext(options, command, deps);
-      const core = await import("./dist-I4IPYCRC.js");
+      const core = await import("./dist-TBAQ5KOK.js");
       const list = await listProjectsForContext(core, context);
       const data = list.find((project) => project.id === id);
       if (!data) {
@@ -5180,10 +4937,10 @@ var registerProjectsCommand = (program2, deps) => {
   addCommon(addAuthOptions(projects.command("create").description("Create a quick template project"), deps.defaultBaseUrl)).option("--template-url <url>", "Template URL").option("--template-file <path>", "Local JSON template file").option("--parameters-file <path>", "Local JSON parameters file").option("--parameters-url <url>", "Parameters file URL").option("--name <name>", "Project name").option("--description <text>", "Project description").option("--provider <provider>", "Cloud provider: azure, aws, gcp").action(async (options, command) => {
     try {
       const context = requireAuthUser(await resolveAuthContext(options, command, deps));
-      const core = await import("./dist-I4IPYCRC.js");
+      const core = await import("./dist-TBAQ5KOK.js");
       const template = await fileBlob(options.templateFile);
       const parameters = await fileBlob(options.parametersFile);
-      const inferredName = options.name || (options.templateFile ? path4.basename(options.templateFile, path4.extname(options.templateFile)) : void 0);
+      const inferredName = options.name || (options.templateFile ? path3.basename(options.templateFile, path3.extname(options.templateFile)) : void 0);
       const result = await core.createQuickProject({
         baseUrl: context.baseUrl,
         authToken: context.token,
@@ -5303,7 +5060,7 @@ var registerConnectionsCommand = (program2, deps) => {
   addCommon2(addAuthOptions(connections.command("list").description("List connections"), deps.defaultBaseUrl)).action(async (options, command) => {
     try {
       const context = requireAuthUser(await resolveAuthContext(options, command, deps));
-      const core = await import("./dist-I4IPYCRC.js");
+      const core = await import("./dist-TBAQ5KOK.js");
       const data = await core.listConnections({
         baseUrl: context.baseUrl,
         authToken: context.token,
@@ -5328,7 +5085,7 @@ var registerConnectionsCommand = (program2, deps) => {
   ).action(async (id, options, command) => {
     try {
       const context = requireAuthUser(await resolveAuthContext(options, command, deps));
-      const core = await import("./dist-I4IPYCRC.js");
+      const core = await import("./dist-TBAQ5KOK.js");
       const data = await core.getConnection({
         baseUrl: context.baseUrl,
         authToken: context.token,
@@ -5666,7 +5423,7 @@ var checkoutReturnUrl = (context, options) => options.returnTo || billingUrl(con
 var runTopUpCheckout = async (commandName, packId, options, command, deps) => {
   try {
     const context = requireAuthUser(await resolveAuthContext(options, command, deps));
-    const core = await import("./dist-I4IPYCRC.js");
+    const core = await import("./dist-TBAQ5KOK.js");
     const returnTo = checkoutReturnUrl(context, options);
     const session = await core.createTopUpCheckoutSession({
       baseUrl: context.baseUrl,
@@ -5706,14 +5463,27 @@ var registerBillingCommands = (program2, deps) => {
   ).action(async (options, command) => {
     try {
       const context = requireAuthUser(await resolveAuthContext(options, command, deps));
-      const core = await import("./dist-I4IPYCRC.js");
-      const entitlement = await core.getBillingEntitlement({
-        baseUrl: context.baseUrl,
-        authToken: context.token
+      const core = await import("./dist-TBAQ5KOK.js");
+      const range = rangeToDates("30d");
+      const [entitlement, usageSummary] = await Promise.all([
+        core.getBillingEntitlement({
+          baseUrl: context.baseUrl,
+          authToken: context.token
+        }),
+        core.getBillingUsageSummary({
+          baseUrl: context.baseUrl,
+          authToken: context.token,
+          startAt: range.startAt,
+          endAt: range.endAt,
+          granularity: "day"
+        }).catch(() => null)
+      ]);
+      const usageCreditsUsed = core.getBillingUsageCreditsUsed(usageSummary);
+      const status = core.getCreditStatus(entitlement, {
+        reportedUsedCredits: usageCreditsUsed
       });
-      const status = core.getCreditStatus(entitlement);
       const url = billingUrl(context, { ...options, tab: "usage" });
-      await write("credits", { status, entitlement }, options, url);
+      await write("credits", { status, entitlement, usageCreditsUsed }, options, url);
       await maybeOpen3(url, options);
     } catch (error) {
       failBillingCommand("credits", "Failed to show credits", error, options);
@@ -5723,15 +5493,31 @@ var registerBillingCommands = (program2, deps) => {
   addCommon3(addAuthOptions(billing.command("summary").description("Show billing summary"), deps.defaultBaseUrl)).action(async (options, command) => {
     try {
       const context = requireAuthUser(await resolveAuthContext(options, command, deps));
-      const core = await import("./dist-I4IPYCRC.js");
-      const [entitlement, subscriptionStatus] = await Promise.all([
+      const core = await import("./dist-TBAQ5KOK.js");
+      const range = rangeToDates("30d");
+      const [entitlement, subscriptionStatus, usageSummary] = await Promise.all([
         core.getBillingEntitlement({ baseUrl: context.baseUrl, authToken: context.token }),
-        core.getSubscriptionStatus({ baseUrl: context.baseUrl, authToken: context.token })
+        core.getSubscriptionStatus({ baseUrl: context.baseUrl, authToken: context.token }),
+        core.getBillingUsageSummary({
+          baseUrl: context.baseUrl,
+          authToken: context.token,
+          startAt: range.startAt,
+          endAt: range.endAt,
+          granularity: "day"
+        }).catch(() => null)
       ]);
+      const usageCreditsUsed = core.getBillingUsageCreditsUsed(usageSummary);
       const url = billingUrl(context, { ...options, tab: "plans" });
       await write(
         "billing summary",
-        { creditStatus: core.getCreditStatus(entitlement), entitlement, subscriptionStatus },
+        {
+          creditStatus: core.getCreditStatus(entitlement, {
+            reportedUsedCredits: usageCreditsUsed
+          }),
+          entitlement,
+          subscriptionStatus,
+          usageCreditsUsed
+        },
         options,
         url
       );
@@ -5743,7 +5529,7 @@ var registerBillingCommands = (program2, deps) => {
   addCommon3(addAuthOptions(billing.command("plans").description("Show billing plans"), deps.defaultBaseUrl)).action(async (options, command) => {
     try {
       const context = await resolveAuthContext(options, command, deps);
-      const core = await import("./dist-I4IPYCRC.js");
+      const core = await import("./dist-TBAQ5KOK.js");
       const data = await core.getBillingConfig({ baseUrl: context.baseUrl, authToken: context.token });
       const url = billingUrl(context, { ...options, tab: "plans" });
       await write("billing plans", data, options, url);
@@ -5755,7 +5541,7 @@ var registerBillingCommands = (program2, deps) => {
   addCommon3(addAuthOptions(billing.command("usage").description("Show billing usage summary"), deps.defaultBaseUrl)).option("--range <range>", "Usage range: 7d, 30d, 90d, all", "30d").option("--start-at <iso>", "Start timestamp").option("--end-at <iso>", "End timestamp").option("--granularity <value>", "Granularity: hour, day, month", "day").option("--action-type <type>", "Action type filter").option("--model <name>", "Model filter").option("--outcome <outcome>", "Outcome filter").option("--charge-status <status>", "Charge status filter").action(async (options, command) => {
     try {
       const context = requireAuthUser(await resolveAuthContext(options, command, deps));
-      const core = await import("./dist-I4IPYCRC.js");
+      const core = await import("./dist-TBAQ5KOK.js");
       const range = rangeToDates(options.range);
       const data = await core.getBillingUsageSummary({
         baseUrl: context.baseUrl,
@@ -5778,7 +5564,7 @@ var registerBillingCommands = (program2, deps) => {
   addCommon3(addAuthOptions(billing.command("ledger").description("Show billing ledger"), deps.defaultBaseUrl)).option("--range <range>", "Usage range: 7d, 30d, 90d, all", "30d").option("--start-at <iso>", "Start timestamp").option("--end-at <iso>", "End timestamp").option("--action-type <type>", "Action type filter").option("--model <name>", "Model filter").option("--outcome <outcome>", "Outcome filter").option("--charge-status <status>", "Charge status filter").option("--limit <n>", "Page size", "25").option("--cursor <cursor>", "Pagination cursor").action(async (options, command) => {
     try {
       const context = requireAuthUser(await resolveAuthContext(options, command, deps));
-      const core = await import("./dist-I4IPYCRC.js");
+      const core = await import("./dist-TBAQ5KOK.js");
       const range = rangeToDates(options.range);
       const data = await core.getBillingUsageLedger({
         baseUrl: context.baseUrl,
@@ -5806,7 +5592,7 @@ var registerBillingCommands = (program2, deps) => {
     addCommon3(addAuthOptions(billing.command(name).description(`Show billing ${name}`), deps.defaultBaseUrl)).option("--limit <n>", "Result limit", "25").action(async (options, command) => {
       try {
         const context = requireAuthUser(await resolveAuthContext(options, command, deps));
-        const core = await import("./dist-I4IPYCRC.js");
+        const core = await import("./dist-TBAQ5KOK.js");
         const data = await core[getter]({
           baseUrl: context.baseUrl,
           authToken: context.token,
@@ -5824,7 +5610,7 @@ var registerBillingCommands = (program2, deps) => {
   addCommon3(addAuthOptions(topups, deps.defaultBaseUrl)).option("--limit <n>", "Result limit", "25").action(async (options, command) => {
     try {
       const context = requireAuthUser(await resolveAuthContext(options, command, deps));
-      const core = await import("./dist-I4IPYCRC.js");
+      const core = await import("./dist-TBAQ5KOK.js");
       const data = await core.getTopUpPacks({
         baseUrl: context.baseUrl,
         authToken: context.token
@@ -5860,13 +5646,13 @@ var registerBillingCommands = (program2, deps) => {
 
 // src/mcpCommand.ts
 import fs8 from "fs/promises";
-import path6 from "path";
+import path5 from "path";
 import { randomUUID as randomUUID2 } from "crypto";
 
 // src/mcpSetupCommand.ts
 import fs6 from "fs/promises";
-import os2 from "os";
-import path5 from "path";
+import os from "os";
+import path4 from "path";
 var MCP_SETUP_CLIENTS = ["codex", "claude", "cursor", "vscode", "generic"];
 var CLIENTS = new Set(MCP_SETUP_CLIENTS);
 var TOOLSETS = /* @__PURE__ */ new Set([
@@ -5892,8 +5678,8 @@ var normalizeMcpSetupToolset = (value) => {
 };
 var defaultConfigPath = (client) => {
   if (client === "claude") {
-    return path5.join(
-      os2.homedir(),
+    return path4.join(
+      os.homedir(),
       "Library",
       "Application Support",
       "Claude",
@@ -5901,10 +5687,10 @@ var defaultConfigPath = (client) => {
     );
   }
   if (client === "cursor") {
-    return path5.join(os2.homedir(), ".cursor", "mcp.json");
+    return path4.join(os.homedir(), ".cursor", "mcp.json");
   }
   if (client === "vscode") {
-    return path5.join(process.cwd(), ".vscode", "mcp.json");
+    return path4.join(process.cwd(), ".vscode", "mcp.json");
   }
   return void 0;
 };
@@ -6039,7 +5825,7 @@ var writeMcpClientConfig = async (setup) => {
       cloudeval: nextServer
     }
   };
-  await fs6.mkdir(path5.dirname(setup.configPath), { recursive: true });
+  await fs6.mkdir(path4.dirname(setup.configPath), { recursive: true });
   await fs6.writeFile(setup.configPath, `${JSON.stringify(next, null, 2)}
 `, {
     encoding: "utf8",
@@ -8005,6 +7791,13 @@ var mcpResourceDefinitions = [
     title: "CloudEval Recipes",
     description: "CloudEval reusable recipes and agent skill metadata.",
     mimeType: "application/json"
+  },
+  {
+    uri: "cloudeval://skills",
+    name: "skills",
+    title: "CloudEval Skills",
+    description: "Public CloudEval SKILL.md catalog for agent reasoning.",
+    mimeType: "application/json"
   }
 ];
 var mcpPromptDefinitions = recipes.map((recipe) => ({
@@ -8022,7 +7815,8 @@ var MCP_RESOURCE_TOOL_REQUIREMENTS = {
   "cloudeval://projects": ["projects_list"],
   "cloudeval://billing/summary": ["billing_summary"],
   "cloudeval://reports/latest": ["reports_list"],
-  "cloudeval://recipes": ["recipes_list"]
+  "cloudeval://recipes": ["recipes_list"],
+  "cloudeval://skills": ["capabilities_get"]
 };
 var promptRequirementTools = (tools) => tools.filter((tool) => tool !== "ask" && tool !== "recipes_run");
 var MCP_PROMPT_TOOL_REQUIREMENTS = Object.fromEntries(
@@ -8180,7 +7974,7 @@ var isTerminalJobStatus3 = (value) => {
 };
 var sleep3 = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
 var writeHeaderFile = async (outputPath, headers) => {
-  await fs8.mkdir(path6.dirname(outputPath), { recursive: true });
+  await fs8.mkdir(path5.dirname(outputPath), { recursive: true });
   const text = Object.entries(headers).sort(([left], [right]) => left.localeCompare(right)).map(([key, value]) => `${key}: ${value}`).join("\n");
   await fs8.writeFile(outputPath, `${text}
 `, "utf8");
@@ -8214,7 +8008,7 @@ var reportsFrontendUrl = (config, input) => buildFrontendUrl({
   reportVerbosity: input.reportVerbosity
 });
 var resolveAuth = async (config, options = {}) => {
-  const core = await import("./dist-I4IPYCRC.js");
+  const core = await import("./dist-TBAQ5KOK.js");
   core.assertSecureBaseUrl(config.baseUrl);
   let token;
   try {
@@ -8314,7 +8108,7 @@ var assertModelAvailable = async (config, token) => {
   if (!config.model) {
     return;
   }
-  const core = await import("./dist-I4IPYCRC.js");
+  const core = await import("./dist-TBAQ5KOK.js");
   try {
     const response = await fetch(
       `${core.normalizeApiBase(config.baseUrl)}/models`,
@@ -8429,11 +8223,11 @@ var downloadReports = async (config, args, auth) => {
   if (outputPath) {
     if (reportTypes.length > 1) {
       const stat = await fs8.stat(outputPath).catch(() => void 0);
-      const outputIsDirectory = stat?.isDirectory() || !path6.extname(outputPath);
+      const outputIsDirectory = stat?.isDirectory() || !path5.extname(outputPath);
       if (outputIsDirectory) {
         await fs8.mkdir(outputPath, { recursive: true });
         for (const [key, value] of Object.entries(payload)) {
-          const file = path6.join(outputPath, `${projectId}-${key}-report.json`);
+          const file = path5.join(outputPath, `${projectId}-${key}-report.json`);
           await fs8.writeFile(
             file,
             `${JSON.stringify(value, null, 2)}
@@ -8443,7 +8237,7 @@ var downloadReports = async (config, args, auth) => {
           filesWritten.push(file);
         }
       } else {
-        await fs8.mkdir(path6.dirname(outputPath), { recursive: true });
+        await fs8.mkdir(path5.dirname(outputPath), { recursive: true });
         await fs8.writeFile(
           outputPath,
           `${JSON.stringify(data, null, 2)}
@@ -8453,7 +8247,7 @@ var downloadReports = async (config, args, auth) => {
         filesWritten.push(outputPath);
       }
     } else {
-      await fs8.mkdir(path6.dirname(outputPath), { recursive: true });
+      await fs8.mkdir(path5.dirname(outputPath), { recursive: true });
       await fs8.writeFile(
         outputPath,
         `${JSON.stringify(data, null, 2)}
@@ -8571,7 +8365,7 @@ var buildToolHandlers = (serverOptions) => {
   });
   handlers.set("agent_profiles_list", async (args) => {
     const config = await resolveInvocationConfig(serverOptions, args);
-    const core = await import("./dist-I4IPYCRC.js");
+    const core = await import("./dist-TBAQ5KOK.js");
     const data = await listProfilesForDiscovery(core, config.baseUrl);
     return withEnvelope({
       command: "agents list",
@@ -8584,7 +8378,7 @@ var buildToolHandlers = (serverOptions) => {
       throw new Error("profileId is required.");
     }
     const config = await resolveInvocationConfig(serverOptions, args);
-    const core = await import("./dist-I4IPYCRC.js");
+    const core = await import("./dist-TBAQ5KOK.js");
     const data = await getProfileForDiscovery(core, config.baseUrl, profileId);
     return withEnvelope({
       command: "agents show",
@@ -8764,7 +8558,7 @@ var buildToolHandlers = (serverOptions) => {
     if (!rawOutputPath) {
       throw new Error("outputPath is required.");
     }
-    const outputPath = path6.resolve(rawOutputPath);
+    const outputPath = path5.resolve(rawOutputPath);
     const publicGraph = booleanValue(args.public) ?? false;
     const auth = publicGraph ? void 0 : await resolveAuth(config, { requireUser: true });
     const layout = normalizeProjectDiagramImageLayout(stringValue(args.layout));
@@ -8785,11 +8579,11 @@ var buildToolHandlers = (serverOptions) => {
       publicGraph,
       syncVersion: stringValue(args.syncVersion)
     });
-    await fs8.mkdir(path6.dirname(outputPath), { recursive: true });
+    await fs8.mkdir(path5.dirname(outputPath), { recursive: true });
     await fs8.writeFile(outputPath, result.bytes);
     const filesWritten = [outputPath];
     const rawHeadersOutputPath = stringValue(args.headersOutputPath);
-    const headersOutputPath = rawHeadersOutputPath ? path6.resolve(rawHeadersOutputPath) : void 0;
+    const headersOutputPath = rawHeadersOutputPath ? path5.resolve(rawHeadersOutputPath) : void 0;
     if (headersOutputPath) {
       await writeHeaderFile(headersOutputPath, result.headers);
       filesWritten.push(headersOutputPath);
@@ -9221,7 +9015,7 @@ var buildToolHandlers = (serverOptions) => {
   });
   handlers.set("auth_status", async (args) => {
     const config = await resolveInvocationConfig(serverOptions, args);
-    const core = await import("./dist-I4IPYCRC.js");
+    const core = await import("./dist-TBAQ5KOK.js");
     const data = await core.getAuthStatus(config.baseUrl, { validate: true });
     return withEnvelope({
       command: "auth status",
@@ -9230,7 +9024,7 @@ var buildToolHandlers = (serverOptions) => {
   });
   handlers.set("status", async (args) => {
     const config = await resolveInvocationConfig(serverOptions, args);
-    const core = await import("./dist-I4IPYCRC.js");
+    const core = await import("./dist-TBAQ5KOK.js");
     const auth = await core.getAuthStatus(config.baseUrl, { validate: true });
     return withEnvelope({
       command: "status",
@@ -9261,7 +9055,7 @@ var buildToolHandlers = (serverOptions) => {
       }
     ];
     try {
-      const core = await import("./dist-I4IPYCRC.js");
+      const core = await import("./dist-TBAQ5KOK.js");
       core.assertSecureBaseUrl(config.baseUrl);
       checks.push({
         id: "base-url-secure",
@@ -9675,7 +9469,8 @@ var buildToolHandlers = (serverOptions) => {
   handlers.set("billing_summary", async (args) => {
     const config = await resolveInvocationConfig(serverOptions, args);
     const auth = await resolveAuth(config, { requireUser: true });
-    const [entitlement, subscriptionStatus] = await Promise.all([
+    const range = rangeToDates2("30d");
+    const [entitlement, subscriptionStatus, usageSummary] = await Promise.all([
       auth.core.getBillingEntitlement({
         baseUrl: config.baseUrl,
         authToken: auth.token
@@ -9683,19 +9478,30 @@ var buildToolHandlers = (serverOptions) => {
       auth.core.getSubscriptionStatus({
         baseUrl: config.baseUrl,
         authToken: auth.token
-      })
+      }),
+      auth.core.getBillingUsageSummary({
+        baseUrl: config.baseUrl,
+        authToken: auth.token,
+        startAt: range.startAt,
+        endAt: range.endAt,
+        granularity: "day"
+      }).catch(() => null)
     ]);
     const frontendUrl = buildFrontendUrl({
       baseUrl: frontendBase3(config),
       target: "billing",
       tab: "plans"
     });
+    const usageCreditsUsed = auth.core.getBillingUsageCreditsUsed(usageSummary);
     return withEnvelope({
       command: "billing summary",
       data: {
-        creditStatus: auth.core.getCreditStatus(entitlement),
+        creditStatus: auth.core.getCreditStatus(entitlement, {
+          reportedUsedCredits: usageCreditsUsed
+        }),
         entitlement,
-        subscriptionStatus
+        subscriptionStatus,
+        usageCreditsUsed
       },
       frontendUrl
     });
@@ -9769,7 +9575,7 @@ var buildToolHandlers = (serverOptions) => {
     } catch {
       token = config.accessKey;
     }
-    const core = await import("./dist-I4IPYCRC.js");
+    const core = await import("./dist-TBAQ5KOK.js");
     const data = await core.getBillingConfig({
       baseUrl: config.baseUrl,
       authToken: token
@@ -9943,6 +9749,19 @@ var readMcpResource = async (uri, handlers, availableToolNames, toolset) => {
     const envelope = await handlers.get("capabilities_get")?.({});
     return { contents: [resourceText(uri, envelope?.data ?? {})] };
   }
+  if (uri === "cloudeval://skills") {
+    return {
+      contents: [
+        resourceText(
+          uri,
+          formatSuccessEnvelope({
+            command: "skills list",
+            data: await skillsResourceData()
+          })
+        )
+      ]
+    };
+  }
   const toolName = uri === "cloudeval://projects" ? "projects_list" : uri === "cloudeval://billing/summary" ? "billing_summary" : uri === "cloudeval://recipes" ? "recipes_list" : "reports_list";
   const handler = handlers.get(toolName);
   if (!handler) {
@@ -10590,7 +10409,7 @@ var registerCapabilitiesCommand = (program2, deps) => {
     warnIfAccessKeyFromCliOption(options, command);
     let data = capabilities;
     if (options.live) {
-      const core = await import("./dist-I4IPYCRC.js");
+      const core = await import("./dist-TBAQ5KOK.js");
       const baseUrl = await deps.resolveBaseUrl(options, command);
       const accessKey = options.accessKeyStdin ? await deps.readStdinValue() : options.accessKey;
       const token = await core.getAuthToken({ accessKey, baseUrl });
@@ -10622,6 +10441,8 @@ Mode-specific commands:
   cloudeval recipes list          Discover reusable CloudEval workflows
   cloudeval recipes show <id>     Show skill-style commands, safety, and outputs
   cloudeval recipes run <id>      Run ask/agent recipes or print explicit commands for side-effecting recipes
+  cloudeval skills list           Discover portable CloudEval SKILL.md instructions
+  cloudeval skills doctor         Validate skill files and recipe references
 
 Progress:
   ask/agent show a live stderr loader and reasoning progress bar in interactive terminals, then write the final answer to stdout. In non-TTY logs this falls back to append-only stderr events. Use --progress none or --quiet to suppress progress, or --format ndjson --progress ndjson to stream progress on stdout.
@@ -10647,6 +10468,7 @@ Stable JSON envelope:
 Discovery:
   cloudeval capabilities --format json
   cloudeval recipes list
+  cloudeval skills list
   cloudeval mcp serve
   cloudeval doctor --format json
   cloudeval config show --format json
@@ -10725,7 +10547,7 @@ var writeCredentialOutput = async (input) => {
 };
 var resolveCoreAuth = async (options, command, deps) => {
   const context = await resolveAuthContext(options, command, deps);
-  const core = await import("./dist-I4IPYCRC.js");
+  const core = await import("./dist-TBAQ5KOK.js");
   return { ...context, core };
 };
 var parseCapabilities = (value) => value?.split(",").map((item) => item.trim()).filter(Boolean);
@@ -10833,8 +10655,8 @@ import { randomUUID as randomUUID4 } from "crypto";
 import { exec } from "child_process";
 import { randomUUID as randomUUID3 } from "crypto";
 import fs9 from "fs/promises";
-import os3 from "os";
-import path7 from "path";
+import os2 from "os";
+import path6 from "path";
 var normalizeHooks = (config, event) => {
   if (config.hooks?.enabled !== true) {
     return [];
@@ -10845,8 +10667,8 @@ var normalizeHooks = (config, event) => {
   ) : [];
 };
 var writeHookPayload = async (input, hook) => {
-  const filePath = path7.join(
-    os3.tmpdir(),
+  const filePath = path6.join(
+    os2.tmpdir(),
     `cloudeval-hook-${process.pid}-${randomUUID3()}.json`
   );
   await fs9.writeFile(
@@ -11042,7 +10864,7 @@ var registerAgentsCommand = (program2, deps) => {
   const agents = program2.command("agents").description("CloudEval Agent Profile utilities");
   addAgentOutputOptions(agents.command("list").description("List Agent Profiles"), deps).action(async (options, command) => {
     const baseUrl = await deps.resolveBaseUrl(options, command);
-    const core = await import("./dist-I4IPYCRC.js");
+    const core = await import("./dist-TBAQ5KOK.js");
     core.assertSecureBaseUrl(baseUrl);
     const data = await listProfilesForDiscovery2(core, baseUrl);
     await writeProfiles({
@@ -11058,7 +10880,7 @@ var registerAgentsCommand = (program2, deps) => {
     deps
   ).action(async (profileId, options, command) => {
     const baseUrl = await deps.resolveBaseUrl(options, command);
-    const core = await import("./dist-I4IPYCRC.js");
+    const core = await import("./dist-TBAQ5KOK.js");
     core.assertSecureBaseUrl(baseUrl);
     const data = await getProfileForDiscovery2(core, baseUrl, profileId);
     await writeProfiles({
@@ -11077,7 +10899,7 @@ var registerAgentsCommand = (program2, deps) => {
       const cliProfile = getActiveConfigProfile(command);
       const cliConfig = await loadCliConfig(cliProfile);
       const auth = await resolveAuthContext(options, command, deps);
-      const core = await import("./dist-I4IPYCRC.js");
+      const core = await import("./dist-TBAQ5KOK.js");
       const profileResponse = await core.getAgentProfile({
         baseUrl: auth.baseUrl,
         authToken: auth.token,
@@ -11469,10 +11291,10 @@ var registerConfigCommand = (program2) => {
     const profile = resolveProfile(options, command);
     const current = await loadCliConfig(profile);
     const next = writeCliConfigValue(current, key, value);
-    const path11 = await saveCliConfig(next, profile);
+    const path10 = await saveCliConfig(next, profile);
     await writeFormattedOutput({
       command: "config set",
-      data: { profile, path: path11, config: next },
+      data: { profile, path: path10, config: next },
       format: options.format,
       output: options.output
     });
@@ -11483,10 +11305,10 @@ var registerConfigCommand = (program2) => {
     const profile = resolveProfile(options, command);
     const current = await loadCliConfig(profile);
     const next = unsetCliConfigValue(current, key);
-    const path11 = await saveCliConfig(next, profile);
+    const path10 = await saveCliConfig(next, profile);
     await writeFormattedOutput({
       command: "config unset",
-      data: { profile, path: path11, config: next },
+      data: { profile, path: path10, config: next },
       format: options.format,
       output: options.output
     });
@@ -11575,7 +11397,7 @@ var registerDiagnosticsCommands = (program2, deps) => {
     const baseUrl = await deps.resolveBaseUrl(options, command);
     const profile = getActiveConfigProfile(command);
     const config = await loadCliConfig(profile);
-    const core = await import("./dist-I4IPYCRC.js");
+    const core = await import("./dist-TBAQ5KOK.js");
     const auth = await core.getAuthStatus(baseUrl, { validate: true });
     if (options.format === "text" || !options.format) {
       process.stdout.write(
@@ -11625,7 +11447,7 @@ var registerDiagnosticsCommands = (program2, deps) => {
       detail: getCliConfigPath(profile)
     });
     try {
-      const core = await import("./dist-I4IPYCRC.js");
+      const core = await import("./dist-TBAQ5KOK.js");
       core.assertSecureBaseUrl(baseUrl);
       checks.push({
         id: "base-url-secure",
@@ -11725,7 +11547,7 @@ var resolveToken2 = async (options, deps, baseUrl, command) => {
     return options.accessKey;
   }
   try {
-    const core = await import("./dist-I4IPYCRC.js");
+    const core = await import("./dist-TBAQ5KOK.js");
     return await core.getAuthToken({
       baseUrl
     });
@@ -11809,7 +11631,7 @@ var registerModelsCommand = (program2, deps) => {
     let source = "fallback";
     let modelList = fallbackModels;
     try {
-      const core = await import("./dist-I4IPYCRC.js");
+      const core = await import("./dist-TBAQ5KOK.js");
       const response = await fetch(`${core.normalizeApiBase(baseUrl)}/models`, {
         headers: {
           Accept: "application/json",
@@ -11850,10 +11672,10 @@ var registerModelsCommand = (program2, deps) => {
     const profile = options.profile || getActiveConfigProfile(command);
     const config = await loadCliConfig(profile);
     const next = { ...config, model };
-    const path11 = await saveCliConfig(next, profile);
+    const path10 = await saveCliConfig(next, profile);
     await writeFormattedOutput({
       command: "models default set",
-      data: { profile, path: path11, model },
+      data: { profile, path: path10, model },
       format: options.format,
       output: options.output
     });
@@ -12069,12 +11891,12 @@ var registerSetupCommand = (program2, defaultBaseUrl = CLOUD_BASE_URL) => {
         rl.close();
       }
     }
-    const path11 = await saveCliConfig(next, profile);
+    const path10 = await saveCliConfig(next, profile);
     await writeFormattedOutput({
       command: "setup",
       data: {
         profile,
-        path: path11,
+        path: path10,
         config: next,
         nextSteps: [
           "Run `cloudeval auth status` to inspect authentication.",
@@ -12091,7 +11913,7 @@ var registerSetupCommand = (program2, defaultBaseUrl = CLOUD_BASE_URL) => {
 // src/updateCommand.ts
 import { spawn } from "child_process";
 import fs10 from "fs/promises";
-import path8 from "path";
+import path7 from "path";
 import { createInterface as createInterface2 } from "readline/promises";
 var DEFAULT_LATEST_RELEASE_URL = "https://api.github.com/repos/ganakailabs/cloudeval-cli/releases/latest";
 var DEFAULT_INSTALLER_URL = "https://cli.cloudeval.ai/install.sh";
@@ -12256,7 +12078,7 @@ var runInstaller = async ({
     child.stdin.end(installerScript);
   });
 };
-var getUpdateCachePath = () => path8.join(getCloudevalConfigDir(), UPDATE_CACHE_FILE);
+var getUpdateCachePath = () => path7.join(getCloudevalConfigDir(), UPDATE_CACHE_FILE);
 var readCache = async (cachePath) => {
   try {
     const parsed = JSON.parse(await fs10.readFile(cachePath, "utf8"));
@@ -12271,7 +12093,7 @@ var readCache = async (cachePath) => {
   return void 0;
 };
 var writeCache = async (cachePath, status) => {
-  await fs10.mkdir(path8.dirname(cachePath), { recursive: true, mode: 448 });
+  await fs10.mkdir(path7.dirname(cachePath), { recursive: true, mode: 448 });
   await fs10.writeFile(
     cachePath,
     `${JSON.stringify(
@@ -12495,8 +12317,8 @@ var registerUpdateCommand = (program2) => {
 
 // src/uninstallCommand.ts
 import fs11 from "fs/promises";
-import os4 from "os";
-import path9 from "path";
+import os3 from "os";
+import path8 from "path";
 import { createInterface as createInterface3 } from "readline/promises";
 var pathExists = async (candidate) => {
   try {
@@ -12509,12 +12331,12 @@ var pathExists = async (candidate) => {
     throw error;
   }
 };
-var installerBinDir = (home) => path9.join(home, ".local", "bin");
+var installerBinDir = (home) => path8.join(home, ".local", "bin");
 var completionPaths = (home) => [
-  path9.join(home, ".local", "share", "bash-completion", "completions", "cloudeval"),
-  path9.join(home, ".zsh", "completions", "_cloudeval"),
-  path9.join(home, ".config", "fish", "completions", "cloudeval.fish"),
-  path9.join(home, ".config", "powershell", "cloudeval-completion.ps1")
+  path8.join(home, ".local", "share", "bash-completion", "completions", "cloudeval"),
+  path8.join(home, ".zsh", "completions", "_cloudeval"),
+  path8.join(home, ".config", "fish", "completions", "cloudeval.fish"),
+  path8.join(home, ".config", "powershell", "cloudeval-completion.ps1")
 ];
 var installerArtifactTargets = (home, platform) => {
   const binDir = installerBinDir(home);
@@ -12522,37 +12344,37 @@ var installerArtifactTargets = (home, platform) => {
   const targets = [
     {
       label: "cloudeval binary",
-      path: path9.join(binDir, executableName),
+      path: path8.join(binDir, executableName),
       kind: "file",
       status: "missing"
     },
     {
       label: "cloudeval binary",
-      path: path9.join(binDir, "cloudeval"),
+      path: path8.join(binDir, "cloudeval"),
       kind: "file",
       status: "missing"
     },
     {
       label: "eva alias",
-      path: path9.join(binDir, "eva"),
+      path: path8.join(binDir, "eva"),
       kind: "file",
       status: "missing"
     },
     {
       label: "cloud alias",
-      path: path9.join(binDir, "cloud"),
+      path: path8.join(binDir, "cloud"),
       kind: "file",
       status: "missing"
     },
     {
       label: "Ink runtime asset",
-      path: path9.join(binDir, "yoga.wasm"),
+      path: path8.join(binDir, "yoga.wasm"),
       kind: "file",
       status: "missing"
     },
     {
       label: "license notices",
-      path: path9.join(home, ".local", "share", "cloudeval", "licenses"),
+      path: path8.join(home, ".local", "share", "cloudeval", "licenses"),
       kind: "directory",
       status: "missing"
     },
@@ -12568,11 +12390,11 @@ var installerArtifactTargets = (home, platform) => {
   );
 };
 var shellProfilePaths = (home) => [
-  path9.join(home, ".bashrc"),
-  path9.join(home, ".bash_profile"),
-  path9.join(home, ".zshrc"),
-  path9.join(home, ".profile"),
-  path9.join(home, ".config", "fish", "config.fish")
+  path8.join(home, ".bashrc"),
+  path8.join(home, ".bash_profile"),
+  path8.join(home, ".zshrc"),
+  path8.join(home, ".profile"),
+  path8.join(home, ".config", "fish", "config.fish")
 ];
 var removeInstallerPathSnippet = (content, binDir) => {
   const exportLine = `export PATH="${binDir}:$PATH"`;
@@ -12652,7 +12474,7 @@ var confirmUninstall = async ({
   }
 };
 var handleUninstallCommand = async (options, deps = {}) => {
-  const home = deps.home ?? os4.homedir();
+  const home = deps.home ?? os3.homedir();
   const platform = deps.platform ?? process.platform;
   const dryRun = Boolean(options.dryRun);
   const removeConfig = Boolean(options.removeConfig);
@@ -12682,7 +12504,7 @@ var handleUninstallCommand = async (options, deps = {}) => {
   }
   const configTarget = {
     label: "config",
-    path: path9.join(home, ".config", "cloudeval"),
+    path: path8.join(home, ".config", "cloudeval"),
     kind: "directory",
     status: "kept"
   };
@@ -12887,21 +12709,21 @@ var assertNoLegacyApiKeyUsage = () => {
 };
 assertNoLegacyApiKeyUsage();
 var completionScriptPath = (shell) => {
-  const home = os5.homedir();
+  const home = os4.homedir();
   switch (shell) {
     case "bash":
-      return path10.join(home, ".local", "share", "bash-completion", "completions", "cloudeval");
+      return path9.join(home, ".local", "share", "bash-completion", "completions", "cloudeval");
     case "zsh":
-      return path10.join(home, ".zsh", "completions", "_cloudeval");
+      return path9.join(home, ".zsh", "completions", "_cloudeval");
     case "fish":
-      return path10.join(home, ".config", "fish", "completions", "cloudeval.fish");
+      return path9.join(home, ".config", "fish", "completions", "cloudeval.fish");
     case "powershell":
-      return path10.join(home, ".config", "powershell", "cloudeval-completion.ps1");
+      return path9.join(home, ".config", "powershell", "cloudeval-completion.ps1");
   }
 };
 var ZSH_FPATH_MARKER = "CloudEval CLI completions";
 var ensureZshCompletionFpath = async () => {
-  const zshrc = path10.join(os5.homedir(), ".zshrc");
+  const zshrc = path9.join(os4.homedir(), ".zshrc");
   let existing = "";
   try {
     existing = await fs12.readFile(zshrc, "utf8");
@@ -12919,7 +12741,7 @@ fpath=("$HOME/.zsh/completions" $fpath)
 };
 var installCompletionScript = async (shell, binaryName) => {
   const scriptPath = completionScriptPath(shell);
-  await fs12.mkdir(path10.dirname(scriptPath), { recursive: true });
+  await fs12.mkdir(path9.dirname(scriptPath), { recursive: true });
   await fs12.writeFile(scriptPath, buildCompletionScript(shell, binaryName), "utf8");
   if (shell === "zsh") {
     await ensureZshCompletionFpath();
@@ -12934,7 +12756,7 @@ var uninstallCompletionScript = async (shell) => {
 var runInteractiveLoginOnboarding = async (baseUrl, token) => {
   const [{ render }, { Onboarding }] = await Promise.all([
     import("ink"),
-    import("./Onboarding-HVCYIPTL.js")
+    import("./Onboarding-3NZCPBCO.js")
   ]);
   await new Promise((resolve) => {
     let app;
@@ -13168,7 +12990,7 @@ var resolveBaseUrl = async (options, command) => {
     });
   }
   try {
-    const { getAuthStatus } = await import("./dist-I4IPYCRC.js");
+    const { getAuthStatus } = await import("./dist-TBAQ5KOK.js");
     const status = await getAuthStatus();
     const storedBaseUrl = status.baseUrl;
     if (storedBaseUrl && shouldUseStoredBaseUrl(storedBaseUrl)) {
@@ -13239,7 +13061,7 @@ program.command("login").description("Authenticate with Cloudeval").option(
       checkUserStatus,
       ensurePlaygroundProject,
       login
-    } = await import("./dist-I4IPYCRC.js");
+    } = await import("./dist-TBAQ5KOK.js");
     assertSecureBaseUrl(options.baseUrl);
     const headlessEnvironment = isHeadlessEnvironment();
     const headlessLogin = options.headless || headlessEnvironment;
@@ -13303,7 +13125,7 @@ program.command("logout").description("Log out and clear stored authentication s
   DEFAULT_BASE_URL
 ).option("--all-devices", "Revoke sessions on all devices", false).action(async (options) => {
   try {
-    const { assertSecureBaseUrl, logout } = await import("./dist-I4IPYCRC.js");
+    const { assertSecureBaseUrl, logout } = await import("./dist-TBAQ5KOK.js");
     assertSecureBaseUrl(options.baseUrl);
     const result = await logout({
       baseUrl: options.baseUrl,
@@ -13327,7 +13149,7 @@ authCommand.command("status").description("Show current authentication status").
   DEFAULT_BASE_URL
 ).option("--format <format>", "Output format: text, json, ndjson, markdown", "text").option("--show-sensitive-ids", "Show full account/session identifiers in command output", false).option("-v, --verbose", "Enable verbose logging and show full non-token identifiers", false).action(async (options, command) => {
   try {
-    const { assertSecureBaseUrl, getAuthStatus } = await import("./dist-I4IPYCRC.js");
+    const { assertSecureBaseUrl, getAuthStatus } = await import("./dist-TBAQ5KOK.js");
     const effectiveBaseUrl = await resolveBaseUrl(options, command);
     assertSecureBaseUrl(effectiveBaseUrl);
     const status = await getAuthStatus(effectiveBaseUrl, { validate: true });
@@ -13379,6 +13201,7 @@ registerRecipesCommand(program, {
   readStdinValue,
   isHeadlessEnvironment
 });
+registerSkillsCommand(program);
 registerOpenCommand(program, {
   defaultBaseUrl: DEFAULT_BASE_URL,
   resolveBaseUrl
@@ -13508,14 +13331,15 @@ program.command("tui").description("Open the CloudEval Terminal UI").option(
   "--access-key <key>",
   "Access key for automation",
   process.env.CLOUDEVAL_ACCESS_KEY
-).option("--access-key-stdin", "Read access key from stdin (recommended for automation)", false).option("--model <name>", "Model name").option("--debug", "Log raw chunks", false).option("--health-check", "Enable health check (disabled by default)").option("--no-banner", "Disable ASCII banner").option("--animate", "Enable TUI animations").option("--no-anim", "Disable TUI animations").option("-v, --verbose", "Enable verbose logging", false).action(async (options, command) => {
-  const { assertSecureBaseUrl } = await import("./dist-I4IPYCRC.js");
+).option("--access-key-stdin", "Read access key from stdin (recommended for automation)", false).option("--model <name>", "Model name").option("--debug", "Log raw chunks", false).option("--health-check", "Enable health check (disabled by default)").option("--no-banner", "Disable ASCII banner").option("--animate", "Enable TUI animations (default)").option("--no-anim", "Disable TUI animations").option("-v, --verbose", "Enable verbose logging", false).action(async (options, command) => {
+  const { assertSecureBaseUrl } = await import("./dist-TBAQ5KOK.js");
   const [{ render }, { App }] = await Promise.all([
     import("ink"),
-    import("./App-PS547LKZ.js")
+    import("./App-AQAMCM4E.js")
   ]);
   const baseUrl = await resolveBaseUrl(options, command);
   assertSecureBaseUrl(baseUrl);
+  const selectedProfile = getActiveConfigProfile(command);
   const cliConfig = await resolveCliConfig(command);
   const initialMode = normalizeCliMode(options.mode ?? cliConfig.mode) ?? "ask";
   let accessKey = options.accessKey;
@@ -13540,6 +13364,7 @@ program.command("tui").description("Open the CloudEval Terminal UI").option(
         initialMode,
         initialTab: options.tab,
         initialProjectId: options.project ?? cliConfig.defaultProjectId,
+        configProfile: selectedProfile,
         frontendUrl: options.frontendUrl ?? cliConfig.frontendUrl,
         debug: options.debug,
         disableBanner: options.banner === false,
@@ -13558,11 +13383,11 @@ program.command("chat").description("Start an interactive chat session").option(
   "--access-key <key>",
   "Access key for automation",
   process.env.CLOUDEVAL_ACCESS_KEY
-).option("--access-key-stdin", "Read access key from stdin (recommended for automation)", false).option("--conversation <id>", "Conversation/thread id to resume").option("--continue", "Resume the most recent local chat session", false).option("--resume <id-or-title>", "Resume a local chat session by thread id or title").option("--model <name>", "Model name").option("--mode <mode>", "Initial chat mode: ask, agent").option("--debug", "Log raw chunks", false).option("--health-check", "Enable health check (disabled by default)").option("--no-banner", "Disable ASCII banner").option("--animate", "Enable TUI animations").option("--no-anim", "Disable TUI animations").option("-v, --verbose", "Enable verbose logging", false).action(async (options, command) => {
-  const { assertSecureBaseUrl } = await import("./dist-I4IPYCRC.js");
+).option("--access-key-stdin", "Read access key from stdin (recommended for automation)", false).option("--conversation <id>", "Conversation/thread id to resume").option("--continue", "Resume the most recent local chat session", false).option("--resume <id-or-title>", "Resume a local chat session by thread id or title").option("--model <name>", "Model name").option("--mode <mode>", "Initial chat mode: ask, agent").option("--debug", "Log raw chunks", false).option("--health-check", "Enable health check (disabled by default)").option("--no-banner", "Disable ASCII banner").option("--animate", "Enable TUI animations (default)").option("--no-anim", "Disable TUI animations").option("-v, --verbose", "Enable verbose logging", false).action(async (options, command) => {
+  const { assertSecureBaseUrl } = await import("./dist-TBAQ5KOK.js");
   const [{ render }, { App }] = await Promise.all([
     import("ink"),
-    import("./App-PS547LKZ.js")
+    import("./App-AQAMCM4E.js")
   ]);
   const baseUrl = await resolveBaseUrl(options, command);
   assertSecureBaseUrl(baseUrl);
@@ -13608,6 +13433,7 @@ program.command("chat").description("Start an interactive chat session").option(
         model: options.model ?? cliConfig.model,
         initialMode,
         initialProjectId: cliConfig.defaultProjectId,
+        configProfile: selectedProfile,
         frontendUrl: cliConfig.frontendUrl,
         debug: options.debug,
         disableBanner: options.banner === false,
@@ -13630,7 +13456,7 @@ program.command("ask").alias("agent").description("Ask a single question or run
   const question = Array.isArray(questionParts) ? questionParts.join(" ") : String(questionParts);
   const commandName = command.parent?.args?.[0] === "agent" ? "agent" : "ask";
   const selectedMode = commandName === "agent" ? "agent" : "ask";
-  const { assertSecureBaseUrl } = await import("./dist-I4IPYCRC.js");
+  const { assertSecureBaseUrl } = await import("./dist-TBAQ5KOK.js");
   const baseUrl = await resolveBaseUrl(options, command);
   assertSecureBaseUrl(baseUrl);
   const selectedProfile = getActiveConfigProfile(command);
@@ -13671,7 +13497,7 @@ program.command("ask").alias("agent").description("Ask a single question or run
     const fs13 = await import("fs");
     const fsPromises = await import("fs/promises");
     const { randomUUID: randomUUID5 } = await import("crypto");
-    const core = await import("./dist-I4IPYCRC.js");
+    const core = await import("./dist-TBAQ5KOK.js");
     const {
       streamChat,
       reduceChunk,
@@ -13681,7 +13507,8 @@ program.command("ask").alias("agent").description("Ask a single question or run
       checkUserStatus,
       extractEmailFromToken,
       initialChatState,
-      normalizeApiBase: normalizeApiBase2
+      normalizeApiBase: normalizeApiBase2,
+      isExpiredDeviceTokenStreamError
     } = core;
     const progressWriter = createAskProgressWriter({
       mode: progressMode,
@@ -13728,7 +13555,7 @@ program.command("ask").alias("agent").description("Ask a single question or run
             console.error("Authentication required. Starting login process...\n");
           }
           try {
-            const { login } = await import("./dist-I4IPYCRC.js");
+            const { login } = await import("./dist-TBAQ5KOK.js");
             verboseLog("Calling interactive login", { baseUrl });
             token = await login(baseUrl, {
               headless: isHeadlessEnvironment()
@@ -13941,6 +13768,7 @@ program.command("ask").alias("agent").description("Ask a single question or run
     try {
       let totalChunkCount = 0;
       let hitlResume;
+      let retriedAfterAuthRefresh = false;
       while (true) {
         let pendingHitlRequest;
         progressWriter.write({
@@ -13950,89 +13778,109 @@ program.command("ask").alias("agent").description("Ask a single question or run
           threadId,
           projectId: project.id
         });
-        for await (const chunk of streamChat({
-          baseUrl,
-          authToken: token,
-          message: hitlResume ? "" : question,
-          threadId,
-          user: { id: project.user_id ?? authenticatedUserId ?? "cli-user", name: userName },
-          project,
-          settings: streamSettings,
-          debug: options.debug,
-          completeAfterResponse: true,
-          responseCompletionGraceMs: 5e3,
-          streamIdleTimeoutMs: ASK_STREAM_IDLE_TIMEOUT_MS2,
-          hitlResume
-        })) {
-          totalChunkCount++;
-          if (options.verbose && totalChunkCount % 10 === 0) {
-            verboseLog(`Received ${totalChunkCount} chunks`);
-          }
-          if (options.debug || options.verbose) {
-            verboseLog("Chunk received:", {
-              type: chunk.type,
-              node: chunk.node,
-              hasContent: !!chunk.content,
-              contentLength: chunk.content?.length || 0
-            });
-          }
-          chatState = reduceChunk(chatState, chunk);
-          writeChunkProgressEvent(progressEventFromChunk(chunk, { verbose: options.verbose }));
-          if (chunk.type === "hitl_request") {
-            pendingHitlRequest = chunk;
-            if (ndjsonOutput) {
-              writeAskDataEvent({
-                type: "hitl_request",
-                threadId,
-                checkpointId: chunk.checkpoint_id,
-                pendingIntentId: chunk.pending_intent_id,
-                questions: chunk.questions ?? [],
-                frontendUrl
-              });
-            }
-            break;
-          }
-          const latestMessage = [...chatState.messages].reverse().find((m) => m.role === "assistant");
-          if (ndjsonOutput && chunk.type === "responding" && chunk.content && (!chunk.node || STREAM_OUTPUT_NODES3.has(chunk.node))) {
-            writeAskDataEvent({
-              type: "chunk",
-              content: chunk.content,
-              node: chunk.node,
-              threadId
-            });
-          }
-          if (streamTextOutput && chunk.type === "responding" && chunk.content && (!chunk.node || STREAM_OUTPUT_NODES3.has(chunk.node))) {
-            if (latestMessage?.content) {
-              responseText = latestMessage.content;
-              const delta = responseText.slice(emittedTextLength);
-              if (delta) {
-                progressWriter.clear();
-                if (!responseText.slice(0, emittedTextLength).endsWith(delta)) {
-                  outputStream.write(delta);
+        while (true) {
+          try {
+            for await (const chunk of streamChat({
+              baseUrl,
+              authToken: token,
+              message: hitlResume ? "" : question,
+              threadId,
+              user: { id: project.user_id ?? authenticatedUserId ?? "cli-user", name: userName },
+              project,
+              settings: streamSettings,
+              debug: options.debug,
+              completeAfterResponse: true,
+              responseCompletionGraceMs: 5e3,
+              streamIdleTimeoutMs: ASK_STREAM_IDLE_TIMEOUT_MS2,
+              hitlResume
+            })) {
+              totalChunkCount++;
+              if (options.verbose && totalChunkCount % 10 === 0) {
+                verboseLog(`Received ${totalChunkCount} chunks`);
+              }
+              if (options.debug || options.verbose) {
+                verboseLog("Chunk received:", {
+                  type: chunk.type,
+                  node: chunk.node,
+                  hasContent: !!chunk.content,
+                  contentLength: chunk.content?.length || 0
+                });
+              }
+              chatState = reduceChunk(chatState, chunk);
+              writeChunkProgressEvent(progressEventFromChunk(chunk, { verbose: options.verbose }));
+              if (chunk.type === "hitl_request") {
+                pendingHitlRequest = chunk;
+                if (ndjsonOutput) {
+                  writeAskDataEvent({
+                    type: "hitl_request",
+                    threadId,
+                    checkpointId: chunk.checkpoint_id,
+                    pendingIntentId: chunk.pending_intent_id,
+                    questions: chunk.questions ?? [],
+                    frontendUrl
+                  });
                 }
-                emittedTextLength = responseText.length;
+                break;
               }
-            }
-          }
-          if (chunk.type === "error") {
-            const errorMsg = chunk.message || chunk.description || "Unknown error";
-            verboseLog("Error chunk received:", {
-              message: errorMsg,
-              node: chunk.node,
-              status: chunk.status,
-              stack: chunk.stacktrace
-            });
-            progressWriter.clear();
-            if (jsonOutput) {
-              responseText = `Error: ${errorMsg}`;
-            } else if (ndjsonOutput) {
-              writeAskDataEvent({ type: "error", error: { message: errorMsg }, threadId });
-            } else {
-              outputStream.write(`
+              const latestMessage = [...chatState.messages].reverse().find((m) => m.role === "assistant");
+              if (ndjsonOutput && chunk.type === "responding" && chunk.content && (!chunk.node || STREAM_OUTPUT_NODES3.has(chunk.node))) {
+                writeAskDataEvent({
+                  type: "chunk",
+                  content: chunk.content,
+                  node: chunk.node,
+                  threadId
+                });
+              }
+              if (streamTextOutput && chunk.type === "responding" && chunk.content && (!chunk.node || STREAM_OUTPUT_NODES3.has(chunk.node))) {
+                if (latestMessage?.content) {
+                  responseText = latestMessage.content;
+                  const delta = responseText.slice(emittedTextLength);
+                  if (delta) {
+                    progressWriter.clear();
+                    if (!responseText.slice(0, emittedTextLength).endsWith(delta)) {
+                      outputStream.write(delta);
+                    }
+                    emittedTextLength = responseText.length;
+                  }
+                }
+              }
+              if (chunk.type === "error") {
+                const errorMsg = chunk.message || chunk.description || "Unknown error";
+                verboseLog("Error chunk received:", {
+                  message: errorMsg,
+                  node: chunk.node,
+                  status: chunk.status,
+                  stack: chunk.stacktrace
+                });
+                progressWriter.clear();
+                if (jsonOutput) {
+                  responseText = `Error: ${errorMsg}`;
+                } else if (ndjsonOutput) {
+                  writeAskDataEvent({ type: "error", error: { message: errorMsg }, threadId });
+                } else {
+                  outputStream.write(`
 Error: ${errorMsg}
 `);
+                }
+                break;
+              }
             }
             break;
+          } catch (error) {
+            if (!providedAccessKey && !retriedAfterAuthRefresh && isExpiredDeviceTokenStreamError(error)) {
+              retriedAfterAuthRefresh = true;
+              verboseLog("Stored device token expired during stream; refreshing and retrying once");
+              progressWriter.write({
+                type: "auth",
+                step: "auth",
+                message: "Refreshing expired session",
+                threadId,
+                projectId: project.id
+              });
+              token = await getAuthToken({ baseUrl, forceRefresh: true });
+              continue;
+            }
+            throw error;
           }
         }
         if (!pendingHitlRequest) {
@@ -14296,7 +14144,7 @@ Error: ${errorMsg}
 program.command("banner").description("Preview the startup banner and terminal capabilities").action(async () => {
   const { render } = await import("ink");
   const BannerPreview = React.lazy(async () => ({
-    default: (await import("./Banner-XZFAVVR2.js")).Banner
+    default: (await import("./Banner-64DOS5YB.js")).Banner
   }));
   render(
     /* @__PURE__ */ jsx(React.Suspense, { fallback: null, children: /* @__PURE__ */ jsx(BannerPreview, { disable: false }) })