@general-input/cli 0.1.2 → 0.2.0

package/dist/cli.js

@@ -315,7 +315,7 @@ function buildClientLabel() {
   return `geni CLI on ${hostname()}`;
 }
 function sleep(ms) {
-  return new Promise((resolve) => setTimeout(resolve, ms));
+  return new Promise((resolve20) => setTimeout(resolve20, ms));
 }
 
 // src/services/WorkspaceService.ts
@@ -384,7 +384,7 @@ import chalk4 from "chalk";
 // package.json
 var package_default = {
   name: "@general-input/cli",
-  version: "0.1.2",
+  version: "0.2.0",
   type: "module",
   description: "The agent-facing CLI for General Input. Authenticate, manage workflows, run bash with operator credentials injected by the cloud.",
   license: "SEE LICENSE IN LICENSE",
@@ -416,8 +416,10 @@ var package_default = {
     build: "tsup",
     clean: "rm -rf dist",
     typecheck: "tsc --noEmit",
-    lint: "eslint . --fix --max-warnings 0",
+    lint: "eslint . --max-warnings 0",
+    "lint:fix": "eslint . --fix --max-warnings 0",
     format: "prettier --write . --ignore-path=../../.prettierignore",
+    "format:check": "prettier --check . --ignore-path=../../.prettierignore",
     test: "vitest run",
     "test:watch": "vitest",
     prepublishOnly: "pnpm build"
@@ -824,8 +826,10 @@ var DiscoveryService = class {
   /**
    * Validate the service slug against the integration catalog (404
    * surfaces the same way `integration get` does, mapped to exit 4
-   * by the command), then return the dashboard connect URL the
-   * operator should be sent to.
+   * by the command), then return the dashboard integration-detail
+   * URL the operator should be sent to. That page already hosts the
+   * connect UI for every integration kind (OAuth start, API-key
+   * dialog, etc.), so we don't need a dedicated CLI-side route.
    *
    * Side effect: if `printUrlOnly` is false, opens the URL in the
    * operator's default browser. The CLI always prints the URL too,
@@ -835,7 +839,8 @@ var DiscoveryService = class {
   async connectCredential(args) {
     const { session, client } = await this.sessionContext.requireAuthed();
     await client.integrations.get(args.service);
-    const url = `${this.configService.resolveDashboardUrl(session.server)}/credentials/connect?service=${encodeURIComponent(args.service)}`;
+    const dashboardUrl = this.configService.resolveDashboardUrl(session.server);
+    const url = `${dashboardUrl}/${encodeURIComponent(session.workspace.slug)}/integrations/${encodeURIComponent(args.service)}`;
     if (args.printUrlOnly) return { kind: "print-url", url };
     this.browserOpener.open(url);
     return { kind: "open-browser", url };
@@ -1054,6 +1059,270 @@ var ConfigService = class {
   }
 };
 
+// src/services/WorkflowAuthoringService.ts
+import { readFileSync as readFileSync2 } from "fs";
+import { basename } from "path";
+
+// src/lib/resourceFiles.ts
+import {
+  readdirSync,
+  readFileSync,
+  writeFileSync,
+  mkdirSync,
+  existsSync,
+  statSync
+} from "fs";
+import { join, dirname, relative, sep } from "path";
+var RESOURCE_MARKER_FILE = ".geni-resource.json";
+var SKIP_DIRS = /* @__PURE__ */ new Set(["node_modules", ".git", "dist", ".turbo"]);
+function readMarker(dir) {
+  const path = join(dir, RESOURCE_MARKER_FILE);
+  if (!existsSync(path)) return null;
+  try {
+    const parsed = JSON.parse(readFileSync(path, "utf-8"));
+    if (parsed && typeof parsed.resourceId === "string" && typeof parsed.resourceType === "string") {
+      return {
+        resourceId: parsed.resourceId,
+        resourceType: parsed.resourceType
+      };
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+function writeMarker(dir, marker) {
+  mkdirSync(dir, { recursive: true });
+  writeFileSync(
+    join(dir, RESOURCE_MARKER_FILE),
+    JSON.stringify(marker, null, 2) + "\n"
+  );
+}
+function resolveResourceId(args) {
+  if (args.id) return args.id;
+  const marker = readMarker(args.dir);
+  if (marker) return marker.resourceId;
+  printError(
+    `No resource id given and no ${RESOURCE_MARKER_FILE} found in ${args.dir}. Pass the id (\`geni resource <cmd> <id>\`) or run from a resource directory (one created by \`geni resource create\` / \`geni resource pull\`).`
+  );
+  exit(ExitCode.InvalidArgs);
+}
+function readLocalFiles(dir) {
+  if (!existsSync(dir)) {
+    printError(`Directory not found: ${dir}`);
+    exit(ExitCode.InvalidArgs);
+  }
+  const files = [];
+  walk(dir, dir, files);
+  return files;
+}
+function walk(root, current, out) {
+  for (const entry of readdirSync(current)) {
+    if (entry.startsWith(".")) continue;
+    const full = join(current, entry);
+    const stat = statSync(full);
+    if (stat.isDirectory()) {
+      if (SKIP_DIRS.has(entry)) continue;
+      walk(root, full, out);
+      continue;
+    }
+    if (!stat.isFile()) continue;
+    const rel = relative(root, full).split(sep).join("/");
+    out.push(bufferToCliFile(rel, readFileSync(full)));
+  }
+}
+function writeLocalFiles(dir, files) {
+  for (const file of files) {
+    const target = join(dir, file.path);
+    mkdirSync(dirname(target), { recursive: true });
+    writeFileSync(target, cliFileBytes(file));
+  }
+}
+function bufferToCliFile(path, buf) {
+  const asUtf8 = buf.toString("utf-8");
+  if (Buffer.from(asUtf8, "utf-8").equals(buf)) {
+    return { path, content: asUtf8, encoding: "utf8" };
+  }
+  return { path, content: buf.toString("base64"), encoding: "base64" };
+}
+function cliFileBytes(file) {
+  return file.encoding === "base64" ? Buffer.from(file.content, "base64") : file.content;
+}
+var MIME_BY_EXT = {
+  json: "application/json",
+  csv: "text/csv",
+  txt: "text/plain",
+  md: "text/markdown",
+  pdf: "application/pdf",
+  docx: "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
+  xlsx: "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
+  pptx: "application/vnd.openxmlformats-officedocument.presentationml.presentation",
+  png: "image/png",
+  jpg: "image/jpeg",
+  jpeg: "image/jpeg",
+  gif: "image/gif",
+  html: "text/html",
+  xml: "application/xml",
+  zip: "application/zip"
+};
+function guessMimeType(path) {
+  const ext = path.split(".").pop()?.toLowerCase() ?? "";
+  return MIME_BY_EXT[ext] ?? "application/octet-stream";
+}
+function dirHasResourceFiles(dir) {
+  if (!existsSync(dir)) return false;
+  return readdirSync(dir).some(
+    (entry) => !entry.startsWith(".") && !SKIP_DIRS.has(entry)
+  );
+}
+
+// src/services/WorkflowAuthoringService.ts
+var WorkflowAuthoringService = class {
+  constructor(sessionContext) {
+    this.sessionContext = sessionContext;
+  }
+  sessionContext;
+  /** Create a workflow in the cloud, then pull its scaffold files into `dir`. */
+  async create(args) {
+    const { client } = await this.sessionContext.requireAuthed();
+    const detail = await client.workflows.create({
+      workflowType: args.workflowType,
+      name: args.name
+    });
+    const filesResponse = await client.workflows.files(detail.id);
+    writeLocalFiles(args.dir, filesResponse.files);
+    writeMarker(args.dir, {
+      resourceId: detail.id,
+      resourceType: detail.workflowType
+    });
+    return { detail, fileCount: filesResponse.files.length };
+  }
+  async list() {
+    const { client } = await this.sessionContext.requireAuthed();
+    return client.workflows.list();
+  }
+  async get(id) {
+    const { client } = await this.sessionContext.requireAuthed();
+    return client.workflows.get(id);
+  }
+  async setType(id, workflowType) {
+    const { client } = await this.sessionContext.requireAuthed();
+    return client.workflows.setType(id, { workflowType });
+  }
+  /** Download a workflow's live files into `dir` + write its marker. */
+  async pull(args) {
+    const { client } = await this.sessionContext.requireAuthed();
+    const response = await client.workflows.files(args.id);
+    writeLocalFiles(args.dir, response.files);
+    writeMarker(args.dir, {
+      resourceId: args.id,
+      resourceType: response.workflowType
+    });
+    return {
+      fileCount: response.files.length,
+      workflowType: response.workflowType
+    };
+  }
+  async validate(args) {
+    const { client } = await this.sessionContext.requireAuthed();
+    const files = readLocalFiles(args.dir);
+    return client.workflows.validate(args.id, { files });
+  }
+  async publish(args) {
+    const { client } = await this.sessionContext.requireAuthed();
+    const files = readLocalFiles(args.dir);
+    return client.workflows.publish(args.id, {
+      files,
+      changeSummary: args.changeSummary
+    });
+  }
+  async getConfig(id) {
+    const { client } = await this.sessionContext.requireAuthed();
+    return client.workflows.getConfig(id);
+  }
+  async updateConfig(id, partial) {
+    const { client } = await this.sessionContext.requireAuthed();
+    return client.workflows.updateConfig(id, partial);
+  }
+  async test(id, triggerPayload) {
+    const { client } = await this.sessionContext.requireAuthed();
+    return client.workflows.test(id, { triggerPayload });
+  }
+  async getExecution(id, executionId) {
+    const { client } = await this.sessionContext.requireAuthed();
+    return client.workflows.getExecution(id, executionId);
+  }
+  async getExecutionLogs(id, executionId) {
+    const { client } = await this.sessionContext.requireAuthed();
+    return client.workflows.getExecutionLogs(id, executionId);
+  }
+  async getExecutionTrace(id, executionId) {
+    const { client } = await this.sessionContext.requireAuthed();
+    return client.workflows.getExecutionTrace(id, executionId);
+  }
+  async listExecutions(id, limit) {
+    const { client } = await this.sessionContext.requireAuthed();
+    return client.workflows.listExecutions(id, limit);
+  }
+  async triggerSample(id) {
+    const { client } = await this.sessionContext.requireAuthed();
+    return client.workflows.triggerSample(id);
+  }
+  /**
+   * Upload a local file as a file-type test input: presign, PUT the
+   * bytes, return the `store://` URI to pass in a test payload.
+   */
+  async stageInput(args) {
+    const { client } = await this.sessionContext.requireAuthed();
+    const bytes = readFileSync2(args.localPath);
+    const filename = basename(args.localPath);
+    const mimeType = guessMimeType(args.localPath);
+    const { uploadUrl, storageUri } = await client.workflows.inputUploadUrl(
+      args.id,
+      { filename, mimeType }
+    );
+    const response = await fetch(uploadUrl, {
+      method: "PUT",
+      headers: { "Content-Type": mimeType },
+      body: new Uint8Array(bytes)
+    });
+    if (!response.ok) {
+      throw new Error(
+        `Upload failed (HTTP ${response.status}) for ${filename}.`
+      );
+    }
+    return { storageUri, filename };
+  }
+  async appBuildStatus(id) {
+    const { client } = await this.sessionContext.requireAuthed();
+    return client.workflows.appBuildStatus(id);
+  }
+  async appInvocations(id, opts) {
+    const { client } = await this.sessionContext.requireAuthed();
+    return client.workflows.appInvocations(id, opts);
+  }
+  async runHandler(id, body) {
+    const { client } = await this.sessionContext.requireAuthed();
+    return client.workflows.runHandler(id, body);
+  }
+  async appErrors(id, opts) {
+    const { client } = await this.sessionContext.requireAuthed();
+    return client.workflows.appErrors(id, opts);
+  }
+  async clearHandlerCache(id) {
+    const { client } = await this.sessionContext.requireAuthed();
+    return client.workflows.clearHandlerCache(id);
+  }
+  async spec(type) {
+    const { client } = await this.sessionContext.requireAuthed();
+    return client.workflows.spec(type);
+  }
+  async listTriggers(query) {
+    const { client } = await this.sessionContext.requireAuthed();
+    return client.workflows.listTriggers(query);
+  }
+};
+
 // src/clients/AuthApiClient.ts
 var AuthApiClient = class {
   constructor(http) {
@@ -1173,6 +1442,157 @@ var OperationsApiClient = class {
   }
 };
 
+// src/clients/WorkflowsApiClient.ts
+var WorkflowsApiClient = class {
+  constructor(http) {
+    this.http = http;
+  }
+  http;
+  async list() {
+    this.http.requireAuthed();
+    return this.http.fetch("/cli/workflows");
+  }
+  async create(body) {
+    this.http.requireAuthed();
+    return this.http.fetch("/cli/workflows", { method: "POST", body });
+  }
+  async get(id) {
+    this.http.requireAuthed();
+    return this.http.fetch(`/cli/workflows/${encodeURIComponent(id)}`);
+  }
+  async setType(id, body) {
+    this.http.requireAuthed();
+    return this.http.fetch(`/cli/workflows/${encodeURIComponent(id)}/type`, {
+      method: "PATCH",
+      body
+    });
+  }
+  async files(id) {
+    this.http.requireAuthed();
+    return this.http.fetch(`/cli/workflows/${encodeURIComponent(id)}/files`);
+  }
+  async validate(id, body) {
+    this.http.requireAuthed();
+    return this.http.fetch(
+      `/cli/workflows/${encodeURIComponent(id)}/validate`,
+      {
+        method: "POST",
+        body
+      }
+    );
+  }
+  async publish(id, body) {
+    this.http.requireAuthed();
+    return this.http.fetch(`/cli/workflows/${encodeURIComponent(id)}/publish`, {
+      method: "POST",
+      body
+    });
+  }
+  async getConfig(id) {
+    this.http.requireAuthed();
+    return this.http.fetch(`/cli/workflows/${encodeURIComponent(id)}/config`);
+  }
+  async updateConfig(id, body) {
+    this.http.requireAuthed();
+    return this.http.fetch(`/cli/workflows/${encodeURIComponent(id)}/config`, {
+      method: "PATCH",
+      body
+    });
+  }
+  async test(id, body) {
+    this.http.requireAuthed();
+    return this.http.fetch(`/cli/workflows/${encodeURIComponent(id)}/test`, {
+      method: "POST",
+      body
+    });
+  }
+  async listExecutions(id, limit) {
+    this.http.requireAuthed();
+    const query = limit ? `?limit=${limit}` : "";
+    return this.http.fetch(
+      `/cli/workflows/${encodeURIComponent(id)}/executions${query}`
+    );
+  }
+  async getExecution(id, executionId) {
+    this.http.requireAuthed();
+    return this.http.fetch(
+      `/cli/workflows/${encodeURIComponent(id)}/executions/${encodeURIComponent(executionId)}`
+    );
+  }
+  async getExecutionLogs(id, executionId) {
+    this.http.requireAuthed();
+    return this.http.fetch(
+      `/cli/workflows/${encodeURIComponent(id)}/executions/${encodeURIComponent(executionId)}/logs`
+    );
+  }
+  async getExecutionTrace(id, executionId) {
+    this.http.requireAuthed();
+    return this.http.fetch(
+      `/cli/workflows/${encodeURIComponent(id)}/executions/${encodeURIComponent(executionId)}/trace`
+    );
+  }
+  async triggerSample(id) {
+    this.http.requireAuthed();
+    return this.http.fetch(
+      `/cli/workflows/${encodeURIComponent(id)}/trigger-sample`
+    );
+  }
+  async inputUploadUrl(id, body) {
+    this.http.requireAuthed();
+    return this.http.fetch(
+      `/cli/workflows/${encodeURIComponent(id)}/input-upload-url`,
+      { method: "POST", body }
+    );
+  }
+  async appBuildStatus(id) {
+    this.http.requireAuthed();
+    return this.http.fetch(
+      `/cli/workflows/${encodeURIComponent(id)}/app/build-status`
+    );
+  }
+  async appInvocations(id, opts) {
+    this.http.requireAuthed();
+    const params = new URLSearchParams();
+    if (opts.handler) params.set("handler", opts.handler);
+    if (opts.errors) params.set("errors", "true");
+    if (opts.limit) params.set("limit", String(opts.limit));
+    const query = params.toString();
+    return this.http.fetch(
+      `/cli/workflows/${encodeURIComponent(id)}/app/invocations${query ? `?${query}` : ""}`
+    );
+  }
+  async runHandler(id, body) {
+    this.http.requireAuthed();
+    return this.http.fetch(
+      `/cli/workflows/${encodeURIComponent(id)}/app/run-handler`,
+      { method: "POST", body }
+    );
+  }
+  async appErrors(id, opts) {
+    this.http.requireAuthed();
+    const query = opts.limit ? `?limit=${opts.limit}` : "";
+    return this.http.fetch(
+      `/cli/workflows/${encodeURIComponent(id)}/app/errors${query}`
+    );
+  }
+  async clearHandlerCache(id) {
+    this.http.requireAuthed();
+    return this.http.fetch(
+      `/cli/workflows/${encodeURIComponent(id)}/app/clear-cache`,
+      { method: "POST" }
+    );
+  }
+  async spec(type) {
+    this.http.requireAuthed();
+    return this.http.fetch(`/cli/workflows/spec/${encodeURIComponent(type)}`);
+  }
+  async listTriggers(query) {
+    this.http.requireAuthed();
+    const suffix = query ? `?q=${encodeURIComponent(query)}` : "";
+    return this.http.fetch(`/cli/triggers${suffix}`);
+  }
+};
+
 // src/clients/ApiClientFactory.ts
 var ApiClientFactory = class {
   build(args) {
@@ -1183,7 +1603,8 @@ var ApiClientFactory = class {
       exec: new ExecApiClient(http),
       credentials: new CredentialsApiClient(http),
       integrations: new IntegrationsApiClient(http),
-      operations: new OperationsApiClient(http)
+      operations: new OperationsApiClient(http),
+      workflows: new WorkflowsApiClient(http)
     };
   }
 };
@@ -1297,9 +1718,9 @@ function isErrnoCode(err, expected) {
 }
 
 // src/clients/ConfigStore.ts
-import { readFileSync } from "fs";
+import { readFileSync as readFileSync3 } from "fs";
 import { mkdir as mkdir2, writeFile as writeFile2, unlink as unlink2 } from "fs/promises";
-import { dirname } from "path";
+import { dirname as dirname2 } from "path";
 var ConfigStore = class {
   constructor(filePath) {
     this.filePath = filePath;
@@ -1313,7 +1734,7 @@ var ConfigStore = class {
   loadSync() {
     let raw;
     try {
-      raw = readFileSync(this.filePath, "utf8");
+      raw = readFileSync3(this.filePath, "utf8");
     } catch {
       return null;
     }
@@ -1331,7 +1752,7 @@ var ConfigStore = class {
    * config is non-secret, unlike the session file.
    */
   async save(config) {
-    await mkdir2(dirname(this.filePath), { recursive: true });
+    await mkdir2(dirname2(this.filePath), { recursive: true });
     await writeFile2(this.filePath, JSON.stringify(config, null, 2) + "\n", {
       mode: 420
     });
@@ -1413,11 +1834,11 @@ var ChildProcessSpawner = class {
     process.on("SIGINT", forwardSignal);
     process.on("SIGTERM", forwardSignal);
     try {
-      const exitCode = await new Promise((resolve, reject) => {
+      const exitCode = await new Promise((resolve20, reject) => {
         child.once("exit", (code, signal) => {
-          if (code !== null) resolve(code);
-          else if (signal !== null) resolve(128 + signalNumber(signal));
-          else resolve(1);
+          if (code !== null) resolve20(code);
+          else if (signal !== null) resolve20(128 + signalNumber(signal));
+          else resolve20(1);
         });
         child.once("error", (err) => reject(err));
       });
@@ -1430,7 +1851,7 @@ var ChildProcessSpawner = class {
   }
 };
 function pipeWithScrubbing(source, dest, scrubber, onChunk) {
-  return new Promise((resolve) => {
+  return new Promise((resolve20) => {
     let flushed = false;
     const emit = (chunk) => {
       if (chunk.length === 0) return;
@@ -1441,13 +1862,13 @@ function pipeWithScrubbing(source, dest, scrubber, onChunk) {
       if (flushed) return;
       flushed = true;
       emit(scrubber.redact("", { final: true }));
-      resolve();
+      resolve20();
     };
     source.on("end", finishOnce);
     source.on("close", finishOnce);
     source.on("error", () => {
       flushed = true;
-      resolve();
+      resolve20();
     });
     source.setEncoding("utf8");
     source.on("data", (chunk) => {
@@ -1468,15 +1889,15 @@ function signalNumber(signal) {
 
 // src/lib/paths.ts
 import { homedir } from "os";
-import { join } from "path";
+import { join as join2 } from "path";
 function configDir() {
-  return process.env.GENI_CONFIG_DIR ?? join(homedir(), ".config", "geni");
+  return process.env.GENI_CONFIG_DIR ?? join2(homedir(), ".config", "geni");
 }
 function sessionFilePath() {
-  return join(configDir(), "runner-session.json");
+  return join2(configDir(), "runner-session.json");
 }
 function configFilePath() {
-  return join(configDir(), "config.json");
+  return join2(configDir(), "config.json");
 }
 
 // src/dependencyInjection/clients.ts
@@ -1511,6 +1932,9 @@ var discoveryService = new DiscoveryService(
   browserOpener,
   configService
 );
+var workflowAuthoringService = new WorkflowAuthoringService(
+  sessionContextService
+);
 
 // src/lib/cliErrors.ts
 function exitOnApiError(error, opts = {}) {
@@ -2132,10 +2556,10 @@ function registerCredentialConnect(parent) {
         return;
       }
       printInfo(`Opening ${chalk6.cyan(intent.url)}`);
-      printInfo("\u21B3 approve in your browser");
+      printInfo(`\u21B3 connect ${service} in your browser, then come back here`);
       process.stdout.write(
         `
-When you're done, re-run: geni credential list --service ${service}
+Once it's connected, re-run: geni credential list --service ${service}
 `
       );
     } catch (error) {
@@ -2416,52 +2840,1176 @@ function registerIntegrationCommands(program2) {
   registerIntegrationOperation(integration);
 }
 
-// src/commands/config/get.ts
-var UNSET_PLACEHOLDER = "(unset)";
-function executeConfigGet(args) {
-  const file = configService.fileValues();
-  if (args.key) {
-    if (!isSettableConfigKey(args.key)) {
+// src/commands/resource/create.ts
+import { resolve } from "path";
+function registerResourceCreate(parent) {
+  parent.command("create").description(
+    "Create a resource (code or agent workflow, or app) and scaffold its starting files locally. Edit them, then validate and publish. Read the contract first with `geni resource spec <type>`."
+  ).requiredOption(
+    "--type <type>",
+    'Resource type: "code" (deterministic, fixed steps), "agent" (LLM-driven, variable-length tasks), or "app" (interactive React mini-app with server-side handlers).'
+  ).option(
+    "--name <name>",
+    'Human-friendly name in Title Case (e.g. "Daily Lead Finder"). Defaults to a generated name.'
+  ).option(
+    "--dir <path>",
+    "Directory to scaffold the files into. Defaults to the current directory."
+  ).option("--json", "Machine-readable output.").action(async (opts) => {
+    if (opts.type !== "code" && opts.type !== "agent" && opts.type !== "app") {
       printError(
-        `Unknown config key "${args.key}". Valid keys: ${SETTABLE_CONFIG_KEYS.join(", ")}.`
+        `--type must be "code", "agent", or "app" (got "${opts.type ?? ""}").`
       );
       exit(ExitCode.InvalidArgs);
     }
-    const value = file[args.key];
-    if (args.json) {
-      printJson({ [args.key]: value ?? null });
+    const dir = resolve(opts.dir ?? ".");
+    if (readMarker(dir)) {
+      printError(
+        `${dir} is already a resource directory (${RESOURCE_MARKER_FILE} present). Pick a fresh directory with --dir, or pull/edit the existing one.`
+      );
+      exit(ExitCode.InvalidArgs);
+    }
+    try {
+      const { detail, fileCount } = await workflowAuthoringService.create({
+        workflowType: opts.type,
+        name: opts.name,
+        dir
+      });
+      if (opts.json) {
+        printJson({ resource: detail, dir, fileCount });
+        return;
+      }
+      printSuccess(`Created ${detail.workflowType} resource "${detail.name}"`);
+      printInfo(`id: ${detail.id}`);
+      printInfo(`Scaffolded ${fileCount} file(s) into ${dir}`);
+      printInfo(
+        "Next: edit the files, then `geni resource validate`. See the contract with `geni resource spec " + detail.workflowType + "`."
+      );
+    } catch (error) {
+      exitOnApiError(error);
+    }
+  });
+}
+
+// src/commands/resource/list.ts
+async function executeResourceList(opts) {
+  try {
+    const { workflows } = await workflowAuthoringService.list();
+    if (opts.json) {
+      printJson({ workflows });
       return;
     }
-    process.stdout.write((value ?? UNSET_PLACEHOLDER) + "\n");
-    return;
-  }
-  if (args.json) {
-    const payload = {};
-    for (const k of SETTABLE_CONFIG_KEYS) payload[k] = file[k] ?? null;
-    printJson(payload);
-    return;
+    if (workflows.length === 0) {
+      process.stdout.write(
+        'No resources yet. Create one with `geni resource create --type code --name "..."`.\n'
+      );
+      return;
+    }
+    printTable(
+      ["ID", "NAME", "TYPE", "ENABLED", "VALID"],
+      workflows.map((workflow) => [
+        workflow.id,
+        workflow.name,
+        workflow.workflowType,
+        workflow.isEnabled ? "yes" : "no",
+        workflow.isValid ? "yes" : "no"
+      ]),
+      { colorFn: dimColumn(0) }
+    );
+  } catch (error) {
+    exitOnApiError(error);
   }
-  printTable(
-    ["KEY", "VALUE"],
-    SETTABLE_CONFIG_KEYS.map((k) => [k, file[k] ?? UNSET_PLACEHOLDER])
-  );
 }
-function registerConfigGet(parent) {
-  parent.command("get").argument(
-    "[key]",
-    `Specific key to read (${SETTABLE_CONFIG_KEYS.join(" | ")}). Omit to list every settable key with its value.`
-  ).description(
-    "Print what's written to the persistent config file. Symmetric with `geni config set` \u2014 whatever you wrote is what you read. Unset keys render as `(unset)` in table output and `null` in --json. For the URL the CLI is actually hitting at runtime (which can differ if a runner-session is bound to a different server), run `geni auth status`."
-  ).option(
-    "--json",
-    "Machine-readable output. Unset keys are emitted as JSON `null`."
-  ).action(
-    (key, opts) => executeConfigGet({ key, json: opts.json })
-  );
+function registerResourceList(parent) {
+  parent.command("list").description(
+    "List the resources (workflows and apps) you can access in this workspace."
+  ).option("--json", "Machine-readable output.").action((opts) => executeResourceList(opts));
 }
 
-// src/commands/config/set.ts
+// src/commands/resource/get.ts
+import { resolve as resolve2 } from "path";
+function registerResourceGet(parent) {
+  parent.command("get [id]").description(
+    "Show a resource detail (type, enabled, valid). Omit the id to use the .geni-resource.json marker in --dir."
+  ).option(
+    "--dir <path>",
+    "Resource directory for id resolution. Defaults to cwd."
+  ).option("--json", "Machine-readable output.").action(async (id, opts) => {
+    const dir = resolve2(opts.dir ?? ".");
+    const workflowId = resolveResourceId({ id, dir });
+    try {
+      const detail = await workflowAuthoringService.get(workflowId);
+      if (opts.json) {
+        printJson(detail);
+        return;
+      }
+      printInfo(`id: ${detail.id}`);
+      printInfo(`name: ${detail.name}`);
+      printInfo(`type: ${detail.workflowType}`);
+      printInfo(`enabled: ${detail.isEnabled ? "yes" : "no"}`);
+      printInfo(`valid: ${detail.isValid ? "yes" : "no"}`);
+      printInfo(`updated: ${detail.updatedAt}`);
+    } catch (error) {
+      exitOnApiError(error, {
+        notFoundMessage: `Resource "${workflowId}" not found in this workspace.`
+      });
+    }
+  });
+}
+
+// src/commands/resource/pull.ts
+import { resolve as resolve3 } from "path";
+function registerResourcePull(parent) {
+  parent.command("pull <id>").description(
+    "Download a workflow's live files into a directory (default cwd) and write its .geni-resource.json marker."
+  ).option("--dir <path>", "Destination directory. Defaults to cwd.").option("--force", "Overwrite existing files in the directory.").action(async (id, opts) => {
+    const dir = resolve3(opts.dir ?? ".");
+    if (!opts.force && dirHasResourceFiles(dir)) {
+      printError(
+        `${dir} already contains files. Re-run with --force to overwrite, or pull into an empty --dir.`
+      );
+      exit(ExitCode.InvalidArgs);
+    }
+    try {
+      const { fileCount, workflowType } = await workflowAuthoringService.pull(
+        {
+          id,
+          dir
+        }
+      );
+      printSuccess(
+        `Pulled ${fileCount} file(s) for ${workflowType} workflow ${id}`
+      );
+      printInfo(`into ${dir}`);
+    } catch (error) {
+      exitOnApiError(error, {
+        notFoundMessage: `Resource "${id}" not found in this workspace.`
+      });
+    }
+  });
+}
+
+// src/commands/resource/validate.ts
+import { resolve as resolve4 } from "path";
+
+// src/lib/printValidationErrors.ts
+import chalk8 from "chalk";
+function printValidationErrors(errors) {
+  for (const error of errors) {
+    const where = error.path ? chalk8.dim(`${error.path}: `) : "";
+    process.stderr.write(`${chalk8.red("\u2717")} ${where}${error.message}
+`);
+  }
+}
+
+// src/commands/resource/validate.ts
+function registerResourceValidate(parent) {
+  parent.command("validate [id]").description(
+    "Validate the local files against the spec, credential/const wiring, and (code) TypeScript, without publishing. Exit 9 on validation failure."
+  ).option("--dir <path>", "Resource directory. Defaults to cwd.").option("--json", "Machine-readable output.").action(async (id, opts) => {
+    const dir = resolve4(opts.dir ?? ".");
+    const workflowId = resolveResourceId({ id, dir });
+    try {
+      const result = await workflowAuthoringService.validate({
+        id: workflowId,
+        dir
+      });
+      if (opts.json) {
+        printJson(result);
+        if (!result.valid) exit(ExitCode.ValidationFailed);
+        return;
+      }
+      if (result.valid) {
+        printSuccess("Valid. Ready to publish.");
+        return;
+      }
+      printValidationErrors(result.errors);
+      exit(ExitCode.ValidationFailed);
+    } catch (error) {
+      exitOnApiError(error, {
+        notFoundMessage: `Resource "${workflowId}" not found in this workspace.`
+      });
+    }
+  });
+}
+
+// src/commands/resource/config/get.ts
+import { resolve as resolve5 } from "path";
+function registerConfigGet(parent) {
+  parent.command("get [id]").description("Show the current credential / const / trigger bindings.").option("--dir <path>", "Resource directory. Defaults to cwd.").option("--json", "Machine-readable output.").action(async (id, opts) => {
+    const dir = resolve5(opts.dir ?? ".");
+    const workflowId = resolveResourceId({ id, dir });
+    try {
+      const snapshot = await workflowAuthoringService.getConfig(workflowId);
+      if (opts.json) {
+        printJson(snapshot);
+        return;
+      }
+      printConfig(snapshot);
+    } catch (error) {
+      exitOnApiError(error, {
+        notFoundMessage: `Resource "${workflowId}" not found in this workspace.`
+      });
+    }
+  });
+}
+function printConfig(snapshot) {
+  printInfo("credentials:");
+  const creds = Object.entries(snapshot.credentials);
+  if (creds.length === 0) process.stdout.write("  (none)\n");
+  for (const [service, credId] of creds) {
+    process.stdout.write(`  ${service} = ${credId}
+`);
+  }
+  printInfo("consts:");
+  const vars = Object.entries(snapshot.variables);
+  if (vars.length === 0) process.stdout.write("  (none)\n");
+  for (const [key, value] of vars) {
+    process.stdout.write(`  ${key} = ${JSON.stringify(value)}
+`);
+  }
+  printInfo("triggers:");
+  const triggers = Object.entries(snapshot.triggers);
+  if (triggers.length === 0) process.stdout.write("  (none)\n");
+  for (const [triggerId, entry] of triggers) {
+    process.stdout.write(`  ${triggerId}: ${JSON.stringify(entry)}
+`);
+  }
+}
+
+// src/commands/resource/config/set.ts
+import { resolve as resolve6 } from "path";
 function registerConfigSet(parent) {
+  parent.command("set [id]").description(
+    "Wire config. Repeat each flag as needed. Credentials: --cred <service>=<credentialId>. Consts: --const <key>=<value> (value JSON-parsed, else string). Schedules: --schedule <triggerId>=<cron>, --timezone <triggerId>=<tz>."
+  ).option("--dir <path>", "Resource directory. Defaults to cwd.").option(
+    "--cred <service=credentialId>",
+    "Assign a credential to a service slot. Repeatable.",
+    collect2,
+    []
+  ).option(
+    "--cred-clear <service>",
+    "Clear a service slot. Repeatable.",
+    collect2,
+    []
+  ).option(
+    "--const <key=value>",
+    "Set a const value (value is JSON-parsed when possible, else a string). Repeatable.",
+    collect2,
+    []
+  ).option(
+    "--schedule <triggerId=cron>",
+    "Set a cron trigger schedule. Repeatable.",
+    collect2,
+    []
+  ).option(
+    "--timezone <triggerId=tz>",
+    "Set a trigger timezone (IANA, e.g. America/New_York). Repeatable.",
+    collect2,
+    []
+  ).option("--json", "Machine-readable output.").action(async (id, opts) => {
+    const dir = resolve6(opts.dir ?? ".");
+    const workflowId = resolveResourceId({ id, dir });
+    const partial = buildPartial(opts);
+    if (!partial.credentials && !partial.variables && !partial.triggers) {
+      printError(
+        "Nothing to set. Pass at least one of --cred, --cred-clear, --const, --schedule, --timezone."
+      );
+      exit(ExitCode.InvalidArgs);
+    }
+    try {
+      const result = await workflowAuthoringService.updateConfig(
+        workflowId,
+        partial
+      );
+      if (opts.json) {
+        printJson(result);
+        if (!result.ok) exit(ExitCode.ValidationFailed);
+        return;
+      }
+      if (!result.ok) {
+        printValidationErrors(result.errors);
+        exit(ExitCode.ValidationFailed);
+      }
+      printSuccess(`Updated config (${result.applied.length} change(s))`);
+      for (const path of result.applied) printInfo(path);
+    } catch (error) {
+      exitOnApiError(error, {
+        notFoundMessage: `Resource "${workflowId}" not found, or you lack edit access.`
+      });
+    }
+  });
+}
+function buildPartial(opts) {
+  const partial = {};
+  const credentials = {};
+  for (const pair of opts.cred) {
+    const { key, value } = splitPair(pair, "--cred");
+    credentials[key] = value;
+  }
+  for (const service of opts.credClear) {
+    credentials[service] = null;
+  }
+  if (Object.keys(credentials).length > 0) partial.credentials = credentials;
+  const variables = {};
+  for (const pair of opts.const) {
+    const { key, value } = splitPair(pair, "--const");
+    variables[key] = coerceValue(value);
+  }
+  if (Object.keys(variables).length > 0) partial.variables = variables;
+  const triggers = {};
+  for (const pair of opts.schedule) {
+    const { key, value } = splitPair(pair, "--schedule");
+    triggers[key] = { ...triggers[key], schedule: value };
+  }
+  for (const pair of opts.timezone) {
+    const { key, value } = splitPair(pair, "--timezone");
+    triggers[key] = { ...triggers[key], timezone: value };
+  }
+  if (Object.keys(triggers).length > 0) partial.triggers = triggers;
+  return partial;
+}
+function collect2(value, prev) {
+  return [...prev, value];
+}
+function splitPair(pair, flag) {
+  const index = pair.indexOf("=");
+  if (index <= 0) {
+    printError(`${flag} expects <key>=<value> (got "${pair}").`);
+    exit(ExitCode.InvalidArgs);
+  }
+  return { key: pair.slice(0, index), value: pair.slice(index + 1) };
+}
+function coerceValue(raw) {
+  try {
+    return JSON.parse(raw);
+  } catch {
+    return raw;
+  }
+}
+
+// src/commands/resource/config/index.ts
+function registerResourceConfig(parent) {
+  const config = parent.command("config").description(
+    "Read or wire a workflow config: credentials, const values, trigger schedules."
+  );
+  registerConfigGet(config);
+  registerConfigSet(config);
+}
+
+// src/commands/resource/publish.ts
+import { resolve as resolve7 } from "path";
+function registerResourcePublish(parent) {
+  parent.command("publish [id]").description(
+    "Validate and promote the local files to the live version. Required before a test (`geni workflow test`) or handler run (`geni app run-handler`) reflects your edits. Exit 9 on validation failure (nothing published)."
+  ).requiredOption(
+    "--summary <text>",
+    'One plain-language sentence describing the change, shown to the user (e.g. "Now also posts to Slack when an invoice is paid"). No file names or jargon.'
+  ).option("--dir <path>", "Resource directory. Defaults to cwd.").option("--json", "Machine-readable output.").action(async (id, opts) => {
+    const dir = resolve7(opts.dir ?? ".");
+    const workflowId = resolveResourceId({ id, dir });
+    try {
+      const result = await workflowAuthoringService.publish({
+        id: workflowId,
+        dir,
+        changeSummary: opts.summary
+      });
+      if (opts.json) {
+        printJson(result);
+        if (!result.ok) exit(ExitCode.ValidationFailed);
+        return;
+      }
+      if (!result.ok) {
+        printValidationErrors(result.errors);
+        exit(ExitCode.ValidationFailed);
+      }
+      printSuccess(
+        `Published ${result.filesPersisted} file(s) to ${workflowId}`
+      );
+      for (const url of result.webhookUrls) {
+        printInfo(`webhook: ${url}`);
+      }
+      printInfo(
+        "Verify it: `geni workflow test` (workflows) or `geni app run-handler` (apps)."
+      );
+    } catch (error) {
+      exitOnApiError(error, {
+        notFoundMessage: `Resource "${workflowId}" not found, or you lack edit access.`
+      });
+    }
+  });
+}
+
+// src/commands/resource/spec.ts
+function registerResourceSpec(parent) {
+  parent.command("spec <type>").description(
+    "Print the resource-type contract (code | agent | app): required files, runtime API, allowed/forbidden patterns. Read this before editing files."
+  ).action(async (type) => {
+    try {
+      const result = await workflowAuthoringService.spec(type);
+      process.stdout.write(
+        result.spec.endsWith("\n") ? result.spec : result.spec + "\n"
+      );
+    } catch (error) {
+      exitOnApiError(error, {
+        notFoundMessage: `Unknown resource type "${type}". Use code, agent, or app.`
+      });
+    }
+  });
+}
+
+// src/commands/resource/index.ts
+function registerResourceCommands(program2) {
+  const resource = program2.command("resource").alias("resources").description(
+    "Author resources (workflows and apps) locally against the cloud: scaffold and pull files, edit them, then validate, wire credentials, and publish. Run `geni resource spec <type>` to learn a type contract."
+  ).action(() => executeResourceList({}));
+  registerResourceCreate(resource);
+  registerResourceList(resource);
+  registerResourceGet(resource);
+  registerResourcePull(resource);
+  registerResourceValidate(resource);
+  registerResourceConfig(resource);
+  registerResourcePublish(resource);
+  registerResourceSpec(resource);
+  resource.addHelpText(
+    "after",
+    `
+Build loop (run \`geni resource spec <type>\` first):
+  1. geni resource create --type code --name "My Resource"   scaffold files + the cloud resource
+  2. (edit the files with your editor)
+  3. geni resource validate            spec + type check, no publish
+  4. geni resource config set ...       wire credentials, consts, schedules
+  5. geni resource publish --summary "..."   promote your files to live
+  6. geni workflow test  (workflows)  or  geni app run-handler  (apps)   verify it
+
+Commands accept the resource id as a positional, or infer it from the
+.geni-resource.json marker when run inside a resource directory.`
+  );
+}
+
+// src/commands/workflow/setType.ts
+import { resolve as resolve8 } from "path";
+function registerWorkflowSetType(parent) {
+  parent.command("set-type <type> [id]").description(
+    "Switch a workflow's execution type (code <-> agent). Then rewrite the files for the new type and delete the old type's. Read `geni resource spec <type>`."
+  ).option("--dir <path>", "Resource directory. Defaults to cwd.").option("--json", "Machine-readable output.").action(
+    async (type, id, opts) => {
+      if (type !== "code" && type !== "agent") {
+        printError(`type must be "code" or "agent" (got "${type}").`);
+        exit(ExitCode.InvalidArgs);
+      }
+      const dir = resolve8(opts.dir ?? ".");
+      const workflowId = resolveResourceId({ id, dir });
+      try {
+        const result = await workflowAuthoringService.setType(
+          workflowId,
+          type
+        );
+        if (readMarker(dir)) {
+          writeMarker(dir, { resourceId: workflowId, resourceType: type });
+        }
+        if (opts.json) {
+          printJson(result);
+          return;
+        }
+        printSuccess(`Switched ${workflowId} to ${type}`);
+        if (result.forbiddenFiles.length > 0) {
+          printInfo(
+            `Delete any leftover files from the previous type: ${result.forbiddenFiles.join(", ")}`
+          );
+        }
+        printInfo(
+          `Write the ${type} files, then validate. Read the contract: \`geni resource spec ${type}\`.`
+        );
+      } catch (error) {
+        exitOnApiError(error, {
+          notFoundMessage: `Workflow "${workflowId}" not found, or you lack edit access.`
+        });
+      }
+    }
+  );
+}
+
+// src/commands/workflow/test.ts
+import { resolve as resolve9 } from "path";
+import { z as z3 } from "zod";
+var TERMINAL = /* @__PURE__ */ new Set(["completed", "failed", "cancelled", "awaiting_input"]);
+var POLL_INTERVAL_MS = 2e3;
+function registerWorkflowTest(parent) {
+  parent.command("test [id]").description(
+    "Run a cloud test execution of the published version, with an optional trigger payload, and wait for the result. Publish first to test your latest edits."
+  ).option(
+    "--payload <json>",
+    `Trigger payload as a JSON object (e.g. '{"days":7}'). Defaults to {}.`
+  ).option("--dir <path>", "Resource directory. Defaults to cwd.").option(
+    "--timeout <seconds>",
+    "How long to wait for the run to finish before giving up. Default 180."
+  ).option("--json", "Machine-readable output (final execution + logs).").action(async (id, opts) => {
+    const dir = resolve9(opts.dir ?? ".");
+    const workflowId = resolveResourceId({ id, dir });
+    const payload = parsePayload(opts.payload);
+    const timeoutMs = parseTimeout(opts.timeout);
+    try {
+      const scheduled = await workflowAuthoringService.test(
+        workflowId,
+        payload
+      );
+      if (scheduled.blockers && scheduled.blockers.length > 0) {
+        printError("Workflow isn't ready to run:");
+        printValidationErrors(scheduled.blockers);
+        printError(
+          "Wire the missing credentials / set the schedule with `geni resource config set`, then retry."
+        );
+        exit(ExitCode.ValidationFailed);
+      }
+      if (!scheduled.executionId) {
+        printError(
+          "No execution was scheduled. Retry, or check the workflow config."
+        );
+        exit(ExitCode.InternalError);
+      }
+      const executionId = scheduled.executionId;
+      if (!opts.json) printInfo(`Running test execution ${executionId} ...`);
+      const detail = await pollUntilDone(workflowId, executionId, timeoutMs);
+      const logs = await workflowAuthoringService.getExecutionLogs(
+        workflowId,
+        executionId
+      );
+      if (opts.json) {
+        printJson({ execution: detail, logs: logs.logs });
+      } else {
+        printDetail(detail, logs.logs);
+      }
+      if (detail.status !== "completed") {
+        exit(
+          detail.status === "awaiting_input" ? ExitCode.Ok : ExitCode.GenericError
+        );
+      }
+    } catch (error) {
+      exitOnApiError(error, {
+        notFoundMessage: `Workflow "${workflowId}" not found, or you lack run access.`
+      });
+    }
+  });
+}
+async function pollUntilDone(workflowId, executionId, timeoutMs) {
+  const deadline = Date.now() + timeoutMs;
+  let detail = await workflowAuthoringService.getExecution(
+    workflowId,
+    executionId
+  );
+  while (!TERMINAL.has(detail.status)) {
+    if (Date.now() > deadline) {
+      printError(
+        `Timed out after ${Math.round(timeoutMs / 1e3)}s waiting for ${executionId} (last status: ${detail.status}). It may still finish. Check \`geni workflow executions\`.`
+      );
+      exit(ExitCode.Timeout);
+    }
+    await sleep2(POLL_INTERVAL_MS);
+    detail = await workflowAuthoringService.getExecution(
+      workflowId,
+      executionId
+    );
+  }
+  return detail;
+}
+function printDetail(detail, logs) {
+  if (detail.status === "completed") {
+    printSuccess(`Execution ${detail.id} completed`);
+  } else {
+    printError(`Execution ${detail.id} ${detail.status}`);
+  }
+  if (detail.sandboxRuntimeMs !== null) {
+    printInfo(`runtime: ${detail.sandboxRuntimeMs}ms`);
+  }
+  if (detail.error) printError(`error: ${detail.error}`);
+  if (detail.run !== null && detail.run !== void 0) {
+    process.stdout.write("--- output ---\n");
+    process.stdout.write(JSON.stringify(detail.run, null, 2) + "\n");
+  }
+  if (logs && logs.trim().length > 0) {
+    process.stdout.write("--- logs ---\n");
+    process.stdout.write(logs.endsWith("\n") ? logs : logs + "\n");
+  }
+}
+function parsePayload(raw) {
+  if (!raw) return {};
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    printError(`--payload must be valid JSON. Got: ${raw}`);
+    exit(ExitCode.InvalidArgs);
+  }
+  if (Array.isArray(parsed)) {
+    printError("--payload must be a JSON object, not an array.");
+    exit(ExitCode.InvalidArgs);
+  }
+  const result = z3.record(z3.string(), z3.unknown()).safeParse(parsed);
+  if (!result.success) {
+    printError(`--payload must be a JSON object (e.g. '{"days":7}').`);
+    exit(ExitCode.InvalidArgs);
+  }
+  return result.data;
+}
+function parseTimeout(raw) {
+  if (!raw) return 18e4;
+  const seconds = Number.parseInt(raw, 10);
+  if (!Number.isFinite(seconds) || seconds <= 0) {
+    printError("--timeout must be a positive number of seconds.");
+    exit(ExitCode.InvalidArgs);
+  }
+  return seconds * 1e3;
+}
+function sleep2(ms) {
+  return new Promise((resolve20) => setTimeout(resolve20, ms));
+}
+
+// src/commands/workflow/triggerSample.ts
+import { resolve as resolve10 } from "path";
+function registerWorkflowTriggerSample(parent) {
+  parent.command("trigger-sample [id]").description(
+    "Fetch live sample data from the workflow's configured poll trigger (the exact shape `input` receives). Wire the trigger's credential + inputs with `geni resource config set` first."
+  ).option("--dir <path>", "Resource directory. Defaults to cwd.").option("--json", "Machine-readable output.").action(async (id, opts) => {
+    const dir = resolve10(opts.dir ?? ".");
+    const workflowId = resolveResourceId({ id, dir });
+    try {
+      const result = await workflowAuthoringService.triggerSample(workflowId);
+      if (opts.json) {
+        printJson(result);
+        return;
+      }
+      process.stdout.write(
+        result.result.endsWith("\n") ? result.result : result.result + "\n"
+      );
+    } catch (error) {
+      exitOnApiError(error, {
+        notFoundMessage: `Workflow "${workflowId}" not found in this workspace.`
+      });
+    }
+  });
+}
+
+// src/commands/workflow/stageInput.ts
+import { resolve as resolve11 } from "path";
+import { existsSync as existsSync2, statSync as statSync2 } from "fs";
+function registerWorkflowStageInput(parent) {
+  parent.command("stage-input <file>").description(
+    "Upload a local file as a file-type input test value. Prints a store:// URI to use as that field's value in `geni workflow test --payload`."
+  ).option("--workflow <id>", "Workflow id (else resolved from --dir marker).").option(
+    "--dir <path>",
+    "Resource directory for id resolution. Defaults to cwd."
+  ).option("--json", "Machine-readable output.").action(async (file, opts) => {
+    const localPath = resolve11(file);
+    if (!existsSync2(localPath) || !statSync2(localPath).isFile()) {
+      printError(`File not found: ${localPath}`);
+      exit(ExitCode.InvalidArgs);
+    }
+    const dir = resolve11(opts.dir ?? ".");
+    const workflowId = resolveResourceId({ id: opts.workflow, dir });
+    try {
+      const { storageUri, filename } = await workflowAuthoringService.stageInput({
+        id: workflowId,
+        localPath
+      });
+      if (opts.json) {
+        printJson({ storageUri, filename });
+        return;
+      }
+      printSuccess(`Staged ${filename}`);
+      printInfo(`store URI: ${storageUri}`);
+      printInfo(
+        `Pass it as the file field's value, e.g. \`geni workflow test --payload '{"<field>":"${storageUri}"}'\`.`
+      );
+    } catch (error) {
+      exitOnApiError(error, {
+        notFoundMessage: `Workflow "${workflowId}" not found, or you lack run access.`
+      });
+    }
+  });
+}
+
+// src/commands/workflow/executions.ts
+import { resolve as resolve12 } from "path";
+function registerWorkflowExecutions(parent) {
+  parent.command("executions [id]").description("List a workflow recent executions (id, status, when).").option("--dir <path>", "Resource directory. Defaults to cwd.").option("--limit <n>", "Max rows (default 20, max 100).").option("--json", "Machine-readable output.").action(async (id, opts) => {
+    const dir = resolve12(opts.dir ?? ".");
+    const workflowId = resolveResourceId({ id, dir });
+    const limit = opts.limit ? Number.parseInt(opts.limit, 10) : void 0;
+    try {
+      const { executions } = await workflowAuthoringService.listExecutions(
+        workflowId,
+        Number.isFinite(limit) ? limit : void 0
+      );
+      if (opts.json) {
+        printJson({ executions });
+        return;
+      }
+      if (executions.length === 0) {
+        process.stdout.write("No executions yet. Run `geni workflow test`.\n");
+        return;
+      }
+      printTable(
+        ["ID", "STATUS", "TEST", "WHEN", "LABEL"],
+        executions.map((execution) => [
+          execution.id,
+          execution.status,
+          execution.isTest ? "yes" : "no",
+          execution.createdAt,
+          execution.name ?? execution.eventDescription
+        ]),
+        { colorFn: dimColumn(0) }
+      );
+    } catch (error) {
+      exitOnApiError(error, {
+        notFoundMessage: `Workflow "${workflowId}" not found in this workspace.`
+      });
+    }
+  });
+}
+
+// src/commands/workflow/execution.ts
+import { resolve as resolve14 } from "path";
+
+// src/lib/executionTrace.ts
+import { mkdirSync as mkdirSync2, writeFileSync as writeFileSync2 } from "fs";
+import { join as join3, resolve as resolve13 } from "path";
+function writeExecutionTraceBundle(args) {
+  const { baseDir, trace } = args;
+  const dir = resolve13(baseDir, trace.id);
+  mkdirSync2(dir, { recursive: true });
+  const files = [];
+  const write = (name, content) => {
+    const path = join3(dir, name);
+    writeFileSync2(path, content);
+    files.push(path);
+  };
+  if (trace.run !== null && trace.run !== void 0) {
+    write("run.json", JSON.stringify(trace.run, null, 2));
+  }
+  if (trace.logs !== null) {
+    write("logs.txt", trace.logs);
+  }
+  if (trace.input !== null && trace.input !== void 0) {
+    write("input.json", JSON.stringify(trace.input, null, 2));
+  }
+  if (trace.thread.length > 0) {
+    write("thread.json", JSON.stringify(trace.thread, null, 2));
+  }
+  return { dir, files };
+}
+
+// src/commands/workflow/execution.ts
+function registerWorkflowExecution(parent) {
+  parent.command("execution <executionId>").description(
+    "Inspect one execution. Default shows status and output; add --logs, --input, or --thread for more, or --download to write the full trace to disk."
+  ).option("--workflow <id>", "Workflow id (else resolved from --dir marker).").option(
+    "--dir <path>",
+    "Resource directory for id resolution. Defaults to cwd."
+  ).option("--logs", "Include the execution logs.").option("--input", "Include the trigger input payload.").option(
+    "--thread",
+    "Include the step-by-step execution thread (every step the run took)."
+  ).option(
+    "--download [dir]",
+    'Write the full trace (run, logs, input, thread) to <dir>/<id>/. Defaults to "executions".'
+  ).option("--json", "Machine-readable output.").action(async (executionId, opts) => {
+    const dir = resolve14(opts.dir ?? ".");
+    const workflowId = resolveResourceId({ id: opts.workflow, dir });
+    const wantsTrace = opts.input || opts.thread || opts.download !== void 0;
+    try {
+      if (wantsTrace) {
+        await runTraceMode({ workflowId, executionId, opts });
+        return;
+      }
+      const detail = await workflowAuthoringService.getExecution(
+        workflowId,
+        executionId
+      );
+      const logs = opts.logs ? (await workflowAuthoringService.getExecutionLogs(
+        workflowId,
+        executionId
+      )).logs : null;
+      if (opts.json) {
+        printJson({ execution: detail, logs });
+        return;
+      }
+      printInfo(`id: ${detail.id}`);
+      printInfo(`status: ${detail.status}`);
+      printInfo(`test: ${detail.isTest ? "yes" : "no"}`);
+      if (detail.sandboxRuntimeMs !== null) {
+        printInfo(`runtime: ${detail.sandboxRuntimeMs}ms`);
+      }
+      if (detail.error) printError(`error: ${detail.error}`);
+      printOutput(detail.run);
+      if (opts.logs) printSection("logs", logs ?? "(no logs)");
+    } catch (error) {
+      exitOnApiError(error, {
+        notFoundMessage: `Execution "${executionId}" not found for that workflow.`
+      });
+    }
+  });
+}
+async function runTraceMode(args) {
+  const { workflowId, executionId, opts } = args;
+  const trace = await workflowAuthoringService.getExecutionTrace(
+    workflowId,
+    executionId
+  );
+  const download = opts.download !== void 0 ? writeExecutionTraceBundle({
+    baseDir: typeof opts.download === "string" ? opts.download : "executions",
+    trace
+  }) : null;
+  if (opts.json) {
+    printJson({ execution: trace, download });
+    return;
+  }
+  printInfo(`id: ${trace.id}`);
+  printInfo(`status: ${trace.status}`);
+  if (trace.error) printError(`error: ${trace.error}`);
+  printOutput(trace.run);
+  if (opts.input) {
+    printSection("input", JSON.stringify(trace.input ?? null, null, 2));
+  }
+  if (opts.thread) {
+    printSection(
+      "thread",
+      trace.thread.length > 0 ? JSON.stringify(trace.thread, null, 2) : "(no thread)"
+    );
+  }
+  if (opts.logs) printSection("logs", trace.logs ?? "(no logs)");
+  if (download) {
+    printSuccess(
+      `Wrote ${download.files.length} trace file(s) to ${download.dir}`
+    );
+    for (const file of download.files) printInfo(file);
+  }
+}
+function printOutput(run2) {
+  if (run2 === null || run2 === void 0) return;
+  printSection("output", JSON.stringify(run2, null, 2));
+}
+function printSection(label, content) {
+  process.stdout.write(`--- ${label} ---
+`);
+  process.stdout.write(content + "\n");
+}
+
+// src/commands/workflow/index.ts
+function registerWorkflowCommands(program2) {
+  const workflow = program2.command("workflow").alias("workflows").description(
+    "Workflow-only tools: run cloud test executions, sample triggers, switch type, inspect runs. Shared lifecycle (create / validate / publish / config) is under `geni resource`."
+  );
+  registerWorkflowSetType(workflow);
+  registerWorkflowTest(workflow);
+  registerWorkflowTriggerSample(workflow);
+  registerWorkflowStageInput(workflow);
+  registerWorkflowExecutions(workflow);
+  registerWorkflowExecution(workflow);
+}
+
+// src/commands/app/buildStatus.ts
+import { resolve as resolve15 } from "path";
+function registerAppBuildStatus(parent) {
+  parent.command("build-status [id]").description(
+    "Read the live app Vite build state: status, error, last built."
+  ).option("--dir <path>", "Resource directory. Defaults to cwd.").option("--json", "Machine-readable output.").action(async (id, opts) => {
+    const dir = resolve15(opts.dir ?? ".");
+    const workflowId = resolveResourceId({ id, dir });
+    try {
+      const result = await workflowAuthoringService.appBuildStatus(workflowId);
+      if (opts.json) {
+        printJson(result);
+        return;
+      }
+      printInfo(`status: ${result.buildStatus}`);
+      printInfo(`last built: ${result.lastBuiltAt ?? "(never)"}`);
+      if (result.buildError) printError(`error: ${result.buildError}`);
+    } catch (error) {
+      exitOnApiError(error, {
+        notFoundMessage: `App "${workflowId}" not found in this workspace.`
+      });
+    }
+  });
+}
+
+// src/commands/app/runHandler.ts
+import { resolve as resolve16 } from "path";
+import { z as z4 } from "zod";
+function registerAppRunHandler(parent) {
+  parent.command("run-handler <name> [id]").description(
+    "Dispatch a handler against the live app with --input JSON (bypasses cache) and print the result. Publish first. Exits nonzero on handler error."
+  ).option("--input <json>", "Handler input as a JSON object. Defaults to {}.").option(
+    "--timeout <seconds>",
+    "Server-side wait before timing out. Default 60, max 300."
+  ).option("--dir <path>", "Resource directory. Defaults to cwd.").option("--json", "Machine-readable output.").action(
+    async (name, id, opts) => {
+      const dir = resolve16(opts.dir ?? ".");
+      const workflowId = resolveResourceId({ id, dir });
+      const input = parseInput(opts.input);
+      const timeoutSeconds = parseTimeout2(opts.timeout);
+      try {
+        const result = await workflowAuthoringService.runHandler(workflowId, {
+          handlerName: name,
+          input,
+          timeoutSeconds
+        });
+        if (opts.json) {
+          printJson(result);
+          if (!result.ok) exit(ExitCode.GenericError);
+          return;
+        }
+        if (result.ok) {
+          printSuccess(`Handler "${name}" ran`);
+          process.stdout.write("--- result ---\n");
+          process.stdout.write(JSON.stringify(result.result, null, 2) + "\n");
+          return;
+        }
+        printError(
+          `Handler "${name}" failed (${result.status}): ${result.message}`
+        );
+        exit(ExitCode.GenericError);
+      } catch (error) {
+        exitOnApiError(error, {
+          notFoundMessage: `App "${workflowId}" not found, or you lack run access.`
+        });
+      }
+    }
+  );
+}
+function parseInput(raw) {
+  if (!raw) return {};
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    printError(`--input must be valid JSON. Got: ${raw}`);
+    exit(ExitCode.InvalidArgs);
+  }
+  if (Array.isArray(parsed)) {
+    printError("--input must be a JSON object, not an array.");
+    exit(ExitCode.InvalidArgs);
+  }
+  const result = z4.record(z4.string(), z4.unknown()).safeParse(parsed);
+  if (!result.success) {
+    printError(`--input must be a JSON object (e.g. '{"limit":50}').`);
+    exit(ExitCode.InvalidArgs);
+  }
+  return result.data;
+}
+function parseTimeout2(raw) {
+  if (!raw) return void 0;
+  const seconds = Number.parseInt(raw, 10);
+  if (!Number.isFinite(seconds) || seconds <= 0) {
+    printError("--timeout must be a positive number of seconds.");
+    exit(ExitCode.InvalidArgs);
+  }
+  return seconds;
+}
+
+// src/commands/app/invocations.ts
+import { resolve as resolve17 } from "path";
+function registerAppInvocations(parent) {
+  parent.command("invocations [id]").description(
+    "Recent handler invocations: status, timing, cache hits, errors."
+  ).option("--handler <name>", "Filter to one handler.").option("--errors", "Only failed invocations.").option("--limit <n>", "Max rows (default 20).").option("--dir <path>", "Resource directory. Defaults to cwd.").option("--json", "Machine-readable output.").action(async (id, opts) => {
+    const dir = resolve17(opts.dir ?? ".");
+    const workflowId = resolveResourceId({ id, dir });
+    const limit = opts.limit ? Number.parseInt(opts.limit, 10) : void 0;
+    try {
+      const { invocations } = await workflowAuthoringService.appInvocations(
+        workflowId,
+        {
+          handler: opts.handler,
+          errors: opts.errors,
+          limit: Number.isFinite(limit) ? limit : void 0
+        }
+      );
+      if (opts.json) {
+        printJson({ invocations });
+        return;
+      }
+      if (invocations.length === 0) {
+        process.stdout.write("No matching invocations.\n");
+        return;
+      }
+      printTable(
+        ["WHEN", "HANDLER", "STATUS", "MS", "CACHED", "ERROR"],
+        invocations.map((invocation) => [
+          invocation.createdAt,
+          invocation.handlerName,
+          invocation.status,
+          String(invocation.durationMs),
+          invocation.cacheHit ? "yes" : "no",
+          invocation.errorMessage ?? ""
+        ]),
+        { colorFn: dimColumn(0) }
+      );
+    } catch (error) {
+      exitOnApiError(error, {
+        notFoundMessage: `App "${workflowId}" not found in this workspace.`
+      });
+    }
+  });
+}
+
+// src/commands/app/errors.ts
+import { resolve as resolve18 } from "path";
+function registerAppErrors(parent) {
+  parent.command("errors [id]").description(
+    "Recent browser-side errors the iframe reported (render/rejection/load)."
+  ).option("--limit <n>", "Max rows (default 20).").option("--dir <path>", "Resource directory. Defaults to cwd.").option("--json", "Machine-readable output.").action(async (id, opts) => {
+    const dir = resolve18(opts.dir ?? ".");
+    const workflowId = resolveResourceId({ id, dir });
+    const limit = opts.limit ? Number.parseInt(opts.limit, 10) : void 0;
+    try {
+      const { errors } = await workflowAuthoringService.appErrors(
+        workflowId,
+        {
+          limit: Number.isFinite(limit) ? limit : void 0
+        }
+      );
+      if (opts.json) {
+        printJson({ errors });
+        return;
+      }
+      if (errors.length === 0) {
+        process.stdout.write("No errors reported from the iframe.\n");
+        return;
+      }
+      for (const event of errors) {
+        process.stdout.write(
+          `[${event.eventTs}] ${event.kind}: ${event.message}
+`
+        );
+        if (event.stack) process.stdout.write(event.stack + "\n");
+      }
+    } catch (error) {
+      exitOnApiError(error, {
+        notFoundMessage: `App "${workflowId}" not found in this workspace.`
+      });
+    }
+  });
+}
+
+// src/commands/app/clearCache.ts
+import { resolve as resolve19 } from "path";
+function registerAppClearCache(parent) {
+  parent.command("clear-cache [id]").description(
+    "Clear the live app handler response cache (republishing also does this)."
+  ).option("--dir <path>", "Resource directory. Defaults to cwd.").action(async (id, opts) => {
+    const dir = resolve19(opts.dir ?? ".");
+    const workflowId = resolveResourceId({ id, dir });
+    try {
+      await workflowAuthoringService.clearHandlerCache(workflowId);
+      printSuccess("Handler cache cleared.");
+    } catch (error) {
+      exitOnApiError(error, {
+        notFoundMessage: `App "${workflowId}" not found, or you lack edit access.`
+      });
+    }
+  });
+}
+
+// src/commands/app/index.ts
+function registerAppCommands(program2) {
+  const app = program2.command("app").alias("apps").description(
+    "App-only tools: build status, run/inspect handlers, browser errors, handler cache. Run against the live (published) app. Shared lifecycle is under `geni resource`."
+  );
+  registerAppBuildStatus(app);
+  registerAppRunHandler(app);
+  registerAppInvocations(app);
+  registerAppErrors(app);
+  registerAppClearCache(app);
+}
+
+// src/commands/trigger/list.ts
+async function executeTriggerList(opts) {
+  try {
+    const { triggers } = await workflowAuthoringService.listTriggers(opts.query);
+    if (opts.json) {
+      printJson({ triggers });
+      return;
+    }
+    if (triggers.length === 0) {
+      process.stdout.write("No trigger providers match.\n");
+      return;
+    }
+    printTable(
+      ["TRIGGER ID", "TYPE", "SERVICE", "NAME"],
+      triggers.map((trigger) => [
+        trigger.type === "poll" ? trigger.triggerId : `(${trigger.type})`,
+        trigger.type,
+        trigger.service,
+        trigger.name
+      ]),
+      { colorFn: dimColumn(0) }
+    );
+  } catch (error) {
+    exitOnApiError(error);
+  }
+}
+function registerTriggerList(parent) {
+  parent.command("list").description(
+    "List trigger providers. Poll triggers show a copyable triggerId; webhook/cron are built in and take no triggerId."
+  ).option(
+    "-q, --query <text>",
+    'Filter by name / service / description (e.g. "email", "reddit", "schedule").'
+  ).option("--json", "Machine-readable output.").action((opts) => executeTriggerList(opts));
+}
+
+// src/commands/trigger/index.ts
+function registerTriggerCommands(program2) {
+  const trigger = program2.command("trigger").alias("triggers").description(
+    "Discover trigger providers (webhook / cron / poll) that can start a workflow. Use a poll trigger id in workflow.json."
+  ).action(() => executeTriggerList({}));
+  registerTriggerList(trigger);
+}
+
+// src/commands/config/get.ts
+var UNSET_PLACEHOLDER = "(unset)";
+function executeConfigGet(args) {
+  const file = configService.fileValues();
+  if (args.key) {
+    if (!isSettableConfigKey(args.key)) {
+      printError(
+        `Unknown config key "${args.key}". Valid keys: ${SETTABLE_CONFIG_KEYS.join(", ")}.`
+      );
+      exit(ExitCode.InvalidArgs);
+    }
+    const value = file[args.key];
+    if (args.json) {
+      printJson({ [args.key]: value ?? null });
+      return;
+    }
+    process.stdout.write((value ?? UNSET_PLACEHOLDER) + "\n");
+    return;
+  }
+  if (args.json) {
+    const payload = {};
+    for (const k of SETTABLE_CONFIG_KEYS) payload[k] = file[k] ?? null;
+    printJson(payload);
+    return;
+  }
+  printTable(
+    ["KEY", "VALUE"],
+    SETTABLE_CONFIG_KEYS.map((k) => [k, file[k] ?? UNSET_PLACEHOLDER])
+  );
+}
+function registerConfigGet2(parent) {
+  parent.command("get").argument(
+    "[key]",
+    `Specific key to read (${SETTABLE_CONFIG_KEYS.join(" | ")}). Omit to list every settable key with its value.`
+  ).description(
+    "Print what's written to the persistent config file. Symmetric with `geni config set` \u2014 whatever you wrote is what you read. Unset keys render as `(unset)` in table output and `null` in --json. For the URL the CLI is actually hitting at runtime (which can differ if a runner-session is bound to a different server), run `geni auth status`."
+  ).option(
+    "--json",
+    "Machine-readable output. Unset keys are emitted as JSON `null`."
+  ).action(
+    (key, opts) => executeConfigGet({ key, json: opts.json })
+  );
+}
+
+// src/commands/config/set.ts
+function registerConfigSet2(parent) {
   parent.command("set").argument("<key>", `Config key (${SETTABLE_CONFIG_KEYS.join(" | ")}).`).argument(
     "<value>",
     "New value. URL keys must be valid http:// or https:// URLs (validated on write)."
@@ -2537,8 +4085,8 @@ function registerConfigCommands(program2) {
   const config = program2.command("config").description(
     "Read and write the persistent CLI config (`~/.config/geni/config.json` by default; honors $GENI_CONFIG_DIR). Holds defaults the resolver consults when nothing more specific is set, useful for pointing the CLI at a self-hosted or local-dev server without re-passing `--server` or exporting an env var on every shell."
   ).action(() => executeConfigGet({}));
-  registerConfigGet(config);
-  registerConfigSet(config);
+  registerConfigGet2(config);
+  registerConfigSet2(config);
   registerConfigUnset(config);
   registerConfigPath(config);
   config.addHelpText(
@@ -2568,38 +4116,38 @@ logout (or use \`geni login --server <url>\`) to switch in one step.
 
 // src/lib/skills.ts
 import { homedir as homedir2 } from "os";
-import { join as join2 } from "path";
+import { join as join4 } from "path";
 import {
-  mkdirSync,
-  writeFileSync,
-  existsSync,
-  readFileSync as readFileSync2,
+  mkdirSync as mkdirSync3,
+  writeFileSync as writeFileSync3,
+  existsSync as existsSync3,
+  readFileSync as readFileSync4,
   unlinkSync,
   rmSync
 } from "fs";
 
 // src/skills/geni.md
-var geni_default = "---\nname: geni\ndescription: Use the operator's connected services (Slack, Gmail, GitHub, Stripe, anything they've authorized in General Input) to fulfill their request. Load this whenever the user wants you to take an action on their behalf against an external SaaS account, fetch data from one of their tools, or wire something up that crosses service boundaries.\n---\n\n# geni\n\n`geni` is a CLI that gives you credentialed access to the operator's\nconnected accounts. The cloud injects their tokens into a fresh bash\nsubprocess as env vars; you write the `curl`, you never see the\nsecret. Run `geni --help` for the full command surface.\n\n## How to talk about geni\n\nTreat geni as a teammate \u2014 the integration specialist who picks the\nright operation and runs the credentialed call. You're the one\nsynthesizing and replying.\n\nIn summaries of multi-step work, credit geni naturally: \"Geni pulled\nthe last 30 days of charges from Stripe; I rolled them into the report\nbelow.\" Skip the credit on trivial single calls; don't manufacture\nteam language (\"with geni's help\u2026\") to fill space. Lowercase `geni`\nin commands; capitalize \"Geni\" when personifying.\n\n## Request flow\n\nDiscovery first. Don't guess URLs, params, or env var names \u2014 the\noperation docs have them.\n\n1. `geni credential list [--service <slug>]` \u2014 find a connected\n   credential id. If nothing's connected for the service, run\n   `geni integration list -q \"<keyword>\"` and `geni credential\nconnect <service>` to prompt the operator to authorize.\n2. `geni integration operations <service> [-q \"<keyword>\"]` \u2014 find\n   the operation you need.\n3. `geni integration operation <id> --format markdown` \u2014 read the\n   HTTP shape, params, and **exact env var names** this call will set.\n4. `geni exec bash --cred <cred_id> --reason \"<what + why>\" -- '<curl>'`\n\n## Env vars\n\nRead the names off the operation docs; never derive them. Two flavors\nemitted per credential:\n\n- **Suffixed**: `<SERVICE>_<FIELD>_<id>` (e.g. `$SLACK_BOT_TOKEN_ABC`,\n  `$SALESFORCE_INSTANCE_URL_KG`). The `<id>` is the credential id with\n  `cred_` stripped, uppercased. Use these when fanning out across\n  multiple credentials of the same service in one call.\n- **Canonical aliases**: well-known SDK names (`$GH_TOKEN`,\n  `$SLACK_BOT_TOKEN`, `$OPENAI_API_KEY`, `$STRIPE_API_KEY`, \u2026) for\n  tools that hardcode them.\n\nPlus `$PLATFORM_API_KEY` and `$PLATFORM_BASE_URL` on every exec \u2014 use\nthem to call General Input's first-party services (web search, image\ngen, weather, send-email) without `--cred`.\n\n## --reason is per-call\n\nEvery `geni exec bash --cred ...` requires `--reason`. It lands in\nthe operator's audit log and is shown to them. Be specific\n(\"Posting daily digest to #engineering\"), not generic (\"Slack call\").\nRe-state it on every call \u2014 the log is per-call, not per-session.\n\n## Output is scrubbed\n\nstdout and stderr pass through a streaming scrubber that replaces\nevery registered secret with `[REDACTED:credential_<id>]`. Don't try\nto exfiltrate via `echo $TOKEN | base64`; common encodings are\ncaught too. You don't need to see the secret to use it \u2014 the\nsubprocess can.\n\n## Exit codes worth knowing\n\n- `0` \u2014 success; `1\u2013125` \u2014 subprocess's own exit (curl, jq, etc.)\n- `4` \u2014 resource not found (bad cred id, slug, operation id)\n- `77` \u2014 server refused to resolve a credential. Don't retry; surface\n  to the operator.\n- `78` \u2014 session expired. Tell the operator to run `geni login`.\n\n## Don't\n\n- Don't construct a curl without reading the operation docs first.\n  Guessing at URLs and env var names is the most common failure mode.\n- Don't promise scheduled or recurring jobs. Workflows are coming\n  soon but not shipped; offer the one-off equivalent now.\n- Use `--json` on list/get commands when you're going to parse the\n  output. Table output is for humans.\n";
+var geni_default = "---\nname: geni\ndescription: Use the operator's connected services (Slack, Gmail, GitHub, Stripe, anything they've authorized in General Input) to fulfill their request, or build them a saved workflow (scheduled or event-driven automation). Load this whenever the user wants you to take an action on their behalf against an external SaaS account, fetch data from one of their tools, wire something up that crosses service boundaries, or set up a recurring/triggered automation.\n---\n\n# geni\n\n`geni` is a CLI that gives you credentialed access to the operator's\nconnected accounts. The cloud injects their tokens into a fresh bash\nsubprocess as env vars; you write the `curl`, you never see the\nsecret. Run `geni --help` for the full command surface.\n\n## How to talk about geni\n\nTreat geni as a teammate \u2014 the integration specialist who picks the\nright operation and runs the credentialed call. You're the one\nsynthesizing and replying.\n\nIn summaries of multi-step work, credit geni naturally: \"Geni pulled\nthe last 30 days of charges from Stripe; I rolled them into the report\nbelow.\" Skip the credit on trivial single calls; don't manufacture\nteam language (\"with geni's help\u2026\") to fill space. Lowercase `geni`\nin commands; capitalize \"Geni\" when personifying.\n\n## Request flow\n\nDiscovery first. Don't guess URLs, params, or env var names \u2014 the\noperation docs have them.\n\n1. `geni credential list [--service <slug>]` \u2014 find a connected\n   credential id. If nothing's connected for the service, run\n   `geni integration list -q \"<keyword>\"` to confirm the slug, then\n   `geni credential connect <service>` (see \"Connecting a missing\n   credential\" below).\n2. `geni integration operations <service> [-q \"<keyword>\"]` \u2014 find\n   the operation you need.\n3. `geni integration operation <id> --format markdown` \u2014 read the\n   HTTP shape, params, and **exact env var names** this call will set.\n4. `geni exec bash --cred <cred_id> --reason \"<what + why>\" -- '<curl>'`\n\n## Connecting a missing credential\n\n`geni credential connect <service>` opens the integration's\ndashboard page in the operator's browser. Tell the operator to\nfinish the connection there and come back \u2014 then re-run `geni\ncredential list --service <service>` to pick up the new id. Don't\npoll, don't loop. In non-interactive shells, add `--print-url` so\nthe URL prints to stdout instead.\n\n## Env vars\n\nRead the names off the operation docs; never derive them. Two flavors\nemitted per credential:\n\n- **Suffixed**: `<SERVICE>_<FIELD>_<id>` (e.g. `$SLACK_BOT_TOKEN_ABC`,\n  `$SALESFORCE_INSTANCE_URL_KG`). The `<id>` is the credential id with\n  `cred_` stripped, uppercased. Use these when fanning out across\n  multiple credentials of the same service in one call.\n- **Canonical aliases**: well-known SDK names (`$GH_TOKEN`,\n  `$SLACK_BOT_TOKEN`, `$OPENAI_API_KEY`, `$STRIPE_API_KEY`, \u2026) for\n  tools that hardcode them.\n\nPlus `$PLATFORM_API_KEY` and `$PLATFORM_BASE_URL` on every exec \u2014 use\nthem to call General Input's first-party services (web search, image\ngen, weather, send-email) without `--cred`.\n\n## --reason is per-call\n\nEvery `geni exec bash --cred ...` requires `--reason`. It lands in\nthe operator's audit log and is shown to them. Be specific\n(\"Posting daily digest to #engineering\"), not generic (\"Slack call\").\nRe-state it on every call \u2014 the log is per-call, not per-session.\n\n## Output is scrubbed\n\nstdout and stderr pass through a streaming scrubber that replaces\nevery registered secret with `[REDACTED:credential_<id>]`. Don't try\nto exfiltrate via `echo $TOKEN | base64`; common encodings are\ncaught too. You don't need to see the secret to use it \u2014 the\nsubprocess can.\n\n## Building resources (workflows and apps)\n\n`geni exec bash` is for one-off actions. When the user wants something\nsaved and reusable, build a **resource**. A resource is one of three\ntypes: a `code` **workflow** (deterministic, fixed steps, runs on a\nschedule or trigger), an `agent` **workflow** (LLM-driven, variable-length\ntasks like research or triage), or an `app` (an interactive React mini-app\nwith server-side handlers, like a dashboard or internal tool). An app is\nnot a workflow, so the shared lifecycle lives under `geni resource` and\nthe type-specific tools under `geni workflow` and `geni app`.\n\nYou author the files locally with your own editor; the cloud validates,\nconfigures, publishes, and runs them. This is the same build loop as the\ngeni chat, just on the user's machine with your brain driving it. Same\nloop for all three types; apps add a build step and handler tools (see\n\"Building apps\" below).\n\n**Read the spec first.** `geni resource spec code` (or `agent`) prints\nthe full contract: required files, the runtime API, allowed and\nforbidden patterns. Don't write a single file before reading it.\n\nThe loop:\n\n1. `geni resource create --type code --name \"Daily Digest\"`: creates the\n   resource in the cloud and scaffolds its files into the current\n   directory, with a `.geni-resource.json` marker so later commands here\n   resolve the id automatically.\n2. Edit the files (`workflow.json`, `main.ts`, `package.json`) with your\n   normal Read/Write/Edit tools. **Don't run `npm install`, `tsc`, or\n   `bun` locally**: `@general-input/core` only resolves server-side, so\n   a local compile always fails on the missing module. That's not a real\n   error.\n3. `geni resource validate`: server-side spec + wiring + TypeScript\n   check. Exit 9 means invalid; fix what it reports and re-run. A green\n   validate is the compile gate.\n4. `geni resource config set`: wire what the workflow needs. Find\n   credential ids with `geni credential list`; set them with\n   `--cred <service>=<credentialId>`. Set consts with `--const k=v`,\n   schedules with `--schedule <triggerId>=<cron>`. `geni resource config\nget` shows the current state. Find trigger providers with\n   `geni trigger list`.\n5. `geni resource publish --summary \"<one plain sentence>\"`: promote\n   your local files to the live version. Required before a test reflects\n   your latest edits.\n6. `geni workflow test --payload '{...}'`: run a real cloud test\n   execution and wait for the result, output, and logs. Iterate from\n   step 2 until it does what the user asked.\n\nWhen a run misbehaves, `geni workflow execution <id> --download` writes\nits full trace to `executions/<id>/` (run.json, logs.txt, input.json, and\nthread.json). For an agent workflow, read `thread.json` to see every step\nthe agent took. Use `--thread` or `--input` to print those inline instead.\n\nUse the same discovery tools as exec: `geni integration operations\n<service>` and `geni integration operation <id>` to learn an API's shape\nbefore you write the `fetch` call in `main.ts`.\n\nFor a poll-triggered workflow, `geni workflow trigger-sample` returns\nlive sample records so you see the exact shape `input` receives before\nwriting `main.ts` (wire the trigger's credential and inputs with\n`config set` first). To test a file-type input, `geni workflow\nstage-input <file>` uploads a local file and prints a `store://` URI to\npass as that field's value in `--payload`.\n\n## Building apps\n\nAn `app` workflow is a React SPA (rendered in the dashboard's iframe)\nthat calls server-side handlers. Create it with `geni resource create\n--type app`; read the contract with `geni resource spec app`. The shared\ncommands work the same (validate, config set for credential slots,\npublish), with these differences:\n\n- The scaffold is a whole Vite project. Edit only `app.json`, `src/App.tsx`,\n  `src/pages/*`, your own `src/components/*`, and `handlers/*.ts`. Leave\n  the platform-owned files alone.\n- `geni resource publish` builds the app; the result's `build` reports\n  whether the Vite build passed. You can't preview the UI from the CLI,\n  so drive correctness through handlers and the build.\n- `geni app run-handler <name> --input '{...}'` runs a handler\n  against the live app (publish first). `geni app invocations`\n  shows recent handler runs, `geni app errors` shows browser\n  errors the iframe reported, `geni app build-status` shows the\n  build, and `geni app clear-cache` flushes the handler cache.\n\nThe loop: create --type app -> edit handlers + pages -> validate ->\nconfig set (wire credential slots) -> publish (builds) -> app run-handler\nto verify -> tell the user to open it in their dashboard.\n\nWhen it works, tell the user it's in their dashboard, where they can see\nruns and turn its triggers on. Commands accept the workflow id as a\npositional or infer it from the marker in the current directory.\n\n## Exit codes worth knowing\n\n- `0` \u2014 success; `1\u2013125` \u2014 subprocess's own exit (curl, jq, etc.)\n- `4` \u2014 resource not found (bad cred id, slug, operation id)\n- `77` \u2014 server refused to resolve a credential. Don't retry; surface\n  to the operator.\n- `78` \u2014 session expired. Tell the operator to run `geni login`.\n\n## Don't\n\n- Don't construct a curl without reading the operation docs first.\n  Guessing at URLs and env var names is the most common failure mode.\n- Don't hand-write workflow files before reading `geni resource spec\n<type>`. Don't try to compile or `npm install` them locally; let\n  `geni resource validate` be the gate.\n- Use `--json` on list/get commands when you're going to parse the\n  output. Table output is for humans.\n";
 
 // src/lib/skills.ts
 var GENI_SKILL_NAME = "geni";
 var GENI_SKILL_MD = geni_default;
 var home = homedir2();
-var claudeSkillsDir = join2(home, ".claude", "skills");
-var claudeGeniDir = join2(claudeSkillsDir, GENI_SKILL_NAME);
-var agentSkillsDir = join2(home, ".agents", "skills");
-var agentSkillsGeniDir = join2(agentSkillsDir, GENI_SKILL_NAME);
+var claudeSkillsDir = join4(home, ".claude", "skills");
+var claudeGeniDir = join4(claudeSkillsDir, GENI_SKILL_NAME);
+var agentSkillsDir = join4(home, ".agents", "skills");
+var agentSkillsGeniDir = join4(agentSkillsDir, GENI_SKILL_NAME);
 var TARGETS = [
   {
     name: "Claude Code",
-    detect: () => existsSync(join2(home, ".claude")),
+    detect: () => existsSync3(join4(home, ".claude")),
     skillDir: claudeGeniDir,
-    skillPath: join2(claudeGeniDir, "SKILL.md"),
+    skillPath: join4(claudeGeniDir, "SKILL.md"),
     // Earlier versions of `geni skills install` wrote a loose .md file
     // at `~/.claude/skills/geni.md`, which Claude Code silently ignores.
     // Clean it up on install/uninstall so upgraders aren't left with a
     // stale sibling that confuses `doctor`.
-    legacyPaths: [join2(claudeSkillsDir, `${GENI_SKILL_NAME}.md`)]
+    legacyPaths: [join4(claudeSkillsDir, `${GENI_SKILL_NAME}.md`)]
   },
   {
     name: "Codex CLI / Gemini CLI / VS Code Copilot",
@@ -2609,9 +4157,9 @@ var TARGETS = [
     // because it lives inside VS Code's user data with no clean
     // home-dir signal — Copilot users typically have one of the CLIs
     // installed too, and the install is idempotent if they don't.
-    detect: () => existsSync(join2(home, ".codex")) || existsSync(join2(home, ".gemini")) || existsSync(join2(home, ".agents")),
+    detect: () => existsSync3(join4(home, ".codex")) || existsSync3(join4(home, ".gemini")) || existsSync3(join4(home, ".agents")),
     skillDir: agentSkillsGeniDir,
-    skillPath: join2(agentSkillsGeniDir, "SKILL.md"),
+    skillPath: join4(agentSkillsGeniDir, "SKILL.md"),
     legacyPaths: []
   }
 ];
@@ -2629,12 +4177,12 @@ function installSkills() {
     if (!target.detect()) continue;
     const path = target.skillPath;
     try {
-      mkdirSync(target.skillDir, { recursive: true });
-      const previous = existsSync(path) ? readFileSync2(path, "utf-8") : null;
+      mkdirSync3(target.skillDir, { recursive: true });
+      const previous = existsSync3(path) ? readFileSync4(path, "utf-8") : null;
       const changed = previous !== GENI_SKILL_MD;
-      writeFileSync(path, GENI_SKILL_MD);
+      writeFileSync3(path, GENI_SKILL_MD);
       for (const legacy of target.legacyPaths) {
-        if (existsSync(legacy)) unlinkSync(legacy);
+        if (existsSync3(legacy)) unlinkSync(legacy);
       }
       results.push({
         name: target.name,
@@ -2658,8 +4206,8 @@ function uninstallSkills() {
     if (!target.detect()) continue;
     const dir = target.skillDir;
     const path = target.skillPath;
-    const legacies = target.legacyPaths.filter((p2) => existsSync(p2));
-    if (!existsSync(dir) && legacies.length === 0) {
+    const legacies = target.legacyPaths.filter((p2) => existsSync3(p2));
+    if (!existsSync3(dir) && legacies.length === 0) {
       results.push({ name: target.name, path, status: "absent" });
       continue;
     }
@@ -2744,10 +4292,10 @@ function registerSkillsCommands(program2) {
 }
 
 // src/commands/doctor.ts
-import chalk8 from "chalk";
+import chalk9 from "chalk";
 
 // src/lib/preflight.ts
-import { delimiter, join as join3 } from "path";
+import { delimiter, join as join5 } from "path";
 import { accessSync, constants } from "fs";
 var REQUIRED_RUNTIME_DEPS = ["bash", "curl", "jq"];
 function findOnPath(name) {
@@ -2755,7 +4303,7 @@ function findOnPath(name) {
   if (!path) return null;
   for (const dir of path.split(delimiter)) {
     if (dir.length === 0) continue;
-    const candidate = join3(dir, name);
+    const candidate = join5(dir, name);
     try {
       accessSync(candidate, constants.X_OK);
       return candidate;
@@ -2795,7 +4343,7 @@ function installHint(deps) {
 }
 
 // src/commands/doctor.ts
-import { existsSync as existsSync2, readFileSync as readFileSync3 } from "fs";
+import { existsSync as existsSync4, readFileSync as readFileSync5 } from "fs";
 function registerDoctorCommand(program2) {
   program2.command("doctor").description(
     "Diagnose your geni setup: required system tools, active session, network reach to the cloud, and skill installation across detected AI agents. Prints a checklist with \u2713/\u2717 for each."
@@ -2898,7 +4446,7 @@ function skillsCheck() {
   }
   const out = [];
   for (const target of targets) {
-    if (!existsSync2(target.path)) {
+    if (!existsSync4(target.path)) {
       out.push({
         label: `${target.name} skill installed`,
         status: "fail",
@@ -2906,7 +4454,7 @@ function skillsCheck() {
       });
       continue;
     }
-    const onDisk = readFileSync3(target.path, "utf-8");
+    const onDisk = readFileSync5(target.path, "utf-8");
     if (onDisk === GENI_SKILL_MD) {
       out.push({
         label: `${target.name} skill installed`,
@@ -2925,17 +4473,17 @@ function skillsCheck() {
 }
 function printReport(checks) {
   for (const check of checks) {
-    const mark = check.status === "pass" ? chalk8.green("\u2713") : check.status === "warn" ? chalk8.yellow("!") : chalk8.red("\u2717");
+    const mark = check.status === "pass" ? chalk9.green("\u2713") : check.status === "warn" ? chalk9.yellow("!") : chalk9.red("\u2717");
     process.stdout.write(`${mark} ${check.label}
 `);
-    process.stdout.write(`  ${chalk8.dim(check.detail)}
+    process.stdout.write(`  ${chalk9.dim(check.detail)}
 `);
   }
   const fails = checks.filter((c) => c.status === "fail").length;
   const warns = checks.filter((c) => c.status === "warn").length;
   process.stdout.write("\n");
   if (fails === 0 && warns === 0) {
-    process.stdout.write(chalk8.green("All checks passed.\n"));
+    process.stdout.write(chalk9.green("All checks passed.\n"));
   } else {
     process.stdout.write(
       `${fails} failure${fails === 1 ? "" : "s"}, ${warns} warning${warns === 1 ? "" : "s"}.
@@ -2957,6 +4505,10 @@ registerWorkspaceCommands(program);
 registerExecCommands(program);
 registerCredentialCommands(program);
 registerIntegrationCommands(program);
+registerResourceCommands(program);
+registerWorkflowCommands(program);
+registerAppCommands(program);
+registerTriggerCommands(program);
 registerConfigCommands(program);
 registerSkillsCommands(program);
 registerDoctorCommand(program);