npm - @hasna/loops - Versions diffs - 0.3.14 → 0.3.16 - Mend

@hasna/loops 0.3.14 → 0.3.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

package/dist/cli/index.js CHANGED Viewed

@@ -328,6 +328,17 @@ function optionalPositiveInteger(value, label) {
     throw new Error(`${label} must be a positive integer`);
   return value;
 }
+function optionalStringArray(value, label) {
+  if (value === undefined)
+    return;
+  if (!Array.isArray(value))
+    throw new Error(`${label} must be an array`);
+  const values = value.map((entry, index) => {
+    assertString(entry, `${label}[${index}]`);
+    return entry.trim();
+  }).filter(Boolean);
+  return values.length ? values : undefined;
+}
 function normalizeGoalSpec(value, label = "goal") {
   if (value === undefined)
     return;
@@ -399,6 +410,14 @@ function validateTarget(value, label) {
         throw new Error(`${label}.sandbox is currently supported only for provider codewith, codex, or cursor`);
       }
     }
+    if (value.allowlist !== undefined) {
+      assertObject(value.allowlist, `${label}.allowlist`);
+      optionalStringArray(value.allowlist.tools, `${label}.allowlist.tools`);
+      optionalStringArray(value.allowlist.commands, `${label}.allowlist.commands`);
+      if (value.allowlist.enforcement !== undefined && value.allowlist.enforcement !== "metadata_only") {
+        throw new Error(`${label}.allowlist.enforcement must be metadata_only`);
+      }
+    }
     return value;
   }
   throw new Error(`${label}.type must be command or agent`);
@@ -482,6 +501,8 @@ function rowToLoop(row) {
     name: row.name,
     description: row.description ?? undefined,
     status: row.status,
+    archivedAt: row.archived_at ?? undefined,
+    archivedFromStatus: row.archived_from_status ? row.archived_from_status : undefined,
     schedule: JSON.parse(row.schedule_json),
     target: JSON.parse(row.target_json),
     goal: row.goal_json ? JSON.parse(row.goal_json) : undefined,
@@ -691,6 +712,8 @@ class Store {
         name TEXT NOT NULL,
         description TEXT,
         status TEXT NOT NULL,
+        archived_at TEXT,
+        archived_from_status TEXT,
         schedule_json TEXT NOT NULL,
         target_json TEXT NOT NULL,
         goal_json TEXT,
@@ -891,6 +914,8 @@ class Store {
     `);
     this.addColumnIfMissing("loops", "machine_json", "TEXT");
     this.addColumnIfMissing("loops", "goal_json", "TEXT");
+    this.addColumnIfMissing("loops", "archived_at", "TEXT");
+    this.addColumnIfMissing("loops", "archived_from_status", "TEXT");
     this.addColumnIfMissing("loop_runs", "goal_run_id", "TEXT");
     this.addColumnIfMissing("workflow_specs", "goal_json", "TEXT");
     this.addColumnIfMissing("workflow_runs", "goal_run_id", "TEXT");
@@ -899,6 +924,7 @@ class Store {
     this.db.query("INSERT OR IGNORE INTO schema_migrations (id, applied_at) VALUES (?, ?)").run("0001_initial_and_workflows", nowIso());
     this.db.query("INSERT OR IGNORE INTO schema_migrations (id, applied_at) VALUES (?, ?)").run("0002_loop_machines", nowIso());
     this.db.query("INSERT OR IGNORE INTO schema_migrations (id, applied_at) VALUES (?, ?)").run("0003_goals", nowIso());
+    this.db.query("INSERT OR IGNORE INTO schema_migrations (id, applied_at) VALUES (?, ?)").run("0004_loop_archive_metadata", nowIso());
   }
   addColumnIfMissing(table, column, definition) {
     const columns = this.db.query(`PRAGMA table_info(${table})`).all();
@@ -975,12 +1001,26 @@ class Store {
   }
   listLoops(opts = {}) {
     const limit = opts.limit ?? 200;
-    const rows = opts.status ? this.db.query("SELECT * FROM loops WHERE status = ? ORDER BY next_run_at ASC LIMIT ?").all(opts.status, limit) : this.db.query("SELECT * FROM loops ORDER BY status ASC, next_run_at ASC LIMIT ?").all(limit);
+    let rows;
+    if (opts.status && opts.archived) {
+      rows = this.db.query("SELECT * FROM loops WHERE status = ? AND archived_at IS NOT NULL ORDER BY next_run_at ASC LIMIT ?").all(opts.status, limit);
+    } else if (opts.status && opts.includeArchived) {
+      rows = this.db.query("SELECT * FROM loops WHERE status = ? ORDER BY next_run_at ASC LIMIT ?").all(opts.status, limit);
+    } else if (opts.status) {
+      rows = this.db.query("SELECT * FROM loops WHERE status = ? AND archived_at IS NULL ORDER BY next_run_at ASC LIMIT ?").all(opts.status, limit);
+    } else if (opts.archived) {
+      rows = this.db.query("SELECT * FROM loops WHERE archived_at IS NOT NULL ORDER BY archived_at DESC LIMIT ?").all(limit);
+    } else if (opts.includeArchived) {
+      rows = this.db.query("SELECT * FROM loops ORDER BY status ASC, next_run_at ASC LIMIT ?").all(limit);
+    } else {
+      rows = this.db.query("SELECT * FROM loops WHERE archived_at IS NULL ORDER BY status ASC, next_run_at ASC LIMIT ?").all(limit);
+    }
     return rows.map(rowToLoop);
   }
   dueLoops(now) {
     const rows = this.db.query(`SELECT * FROM loops
          WHERE status = 'active'
+           AND archived_at IS NULL
            AND next_run_at IS NOT NULL
            AND next_run_at <= ?
          ORDER BY next_run_at ASC`).all(now.toISOString());
@@ -1012,6 +1052,44 @@ class Store {
       throw new Error(`loop not found after update: ${id}`);
     return after;
   }
+  archiveLoop(idOrName) {
+    const loop = this.requireLoop(idOrName);
+    if (loop.archivedAt)
+      return loop;
+    const updated = nowIso();
+    const archivedStatus = loop.status === "active" ? "paused" : loop.status;
+    this.db.query(`UPDATE loops
+         SET status=$status, archived_at=$archivedAt, archived_from_status=$archivedFromStatus, updated_at=$updated
+         WHERE id=$id`).run({
+      $id: loop.id,
+      $status: archivedStatus,
+      $archivedAt: updated,
+      $archivedFromStatus: loop.status,
+      $updated: updated
+    });
+    const archived = this.getLoop(loop.id);
+    if (!archived)
+      throw new Error(`loop not found after archive: ${loop.id}`);
+    return archived;
+  }
+  unarchiveLoop(idOrName) {
+    const loop = this.requireLoop(idOrName);
+    if (!loop.archivedAt)
+      return loop;
+    const updated = nowIso();
+    const restoredStatus = loop.archivedFromStatus ?? loop.status;
+    this.db.query(`UPDATE loops
+         SET status=$status, archived_at=NULL, archived_from_status=NULL, updated_at=$updated
+         WHERE id=$id`).run({
+      $id: loop.id,
+      $status: restoredStatus,
+      $updated: updated
+    });
+    const unarchived = this.getLoop(loop.id);
+    if (!unarchived)
+      throw new Error(`loop not found after unarchive: ${loop.id}`);
+    return unarchived;
+  }
   deleteLoop(idOrName) {
     const loop = this.requireLoop(idOrName);
     const res = this.db.query("DELETE FROM loops WHERE id = ?").run(loop.id);
@@ -1786,10 +1864,16 @@ class Store {
   }
   claimRun(loop, scheduledFor, runnerId, now = new Date, opts = {}) {
     const startedAt = now.toISOString();
-    const leaseExpiresAt = new Date(now.getTime() + loop.leaseMs).toISOString();
     this.db.exec("BEGIN IMMEDIATE");
     try {
       this.assertDaemonLeaseFence(opts, startedAt);
+      const currentLoop = this.getLoop(loop.id);
+      if (!currentLoop || currentLoop.archivedAt) {
+        this.db.exec("COMMIT");
+        return;
+      }
+      loop = currentLoop;
+      const leaseExpiresAt = new Date(now.getTime() + loop.leaseMs).toISOString();
       const existing = this.getRunBySlot(loop.id, scheduledFor);
       if (existing) {
         if (existing.status === "running") {
@@ -2007,7 +2091,7 @@ class Store {
     return recovered;
   }
   expireLoops(now = new Date, opts = {}) {
-    const rows = this.db.query("SELECT * FROM loops WHERE status = 'active' AND expires_at IS NOT NULL AND expires_at <= ?").all(now.toISOString());
+    const rows = this.db.query("SELECT * FROM loops WHERE status = 'active' AND archived_at IS NULL AND expires_at IS NOT NULL AND expires_at <= ?").all(now.toISOString());
     const expired = [];
     for (const row of rows) {
       const updated = this.updateLoop(row.id, { status: "expired", nextRunAt: undefined }, opts);
@@ -2016,8 +2100,21 @@ class Store {
     }
     return expired;
   }
-  countLoops(status) {
-    const row = status ? this.db.query("SELECT COUNT(*) AS count FROM loops WHERE status = ?").get(status) : this.db.query("SELECT COUNT(*) AS count FROM loops").get();
+  countLoops(status, opts = {}) {
+    let row;
+    if (status && opts.archived) {
+      row = this.db.query("SELECT COUNT(*) AS count FROM loops WHERE status = ? AND archived_at IS NOT NULL").get(status);
+    } else if (status && opts.includeArchived) {
+      row = this.db.query("SELECT COUNT(*) AS count FROM loops WHERE status = ?").get(status);
+    } else if (status) {
+      row = this.db.query("SELECT COUNT(*) AS count FROM loops WHERE status = ? AND archived_at IS NULL").get(status);
+    } else if (opts.archived) {
+      row = this.db.query("SELECT COUNT(*) AS count FROM loops WHERE archived_at IS NOT NULL").get();
+    } else if (opts.includeArchived) {
+      row = this.db.query("SELECT COUNT(*) AS count FROM loops").get();
+    } else {
+      row = this.db.query("SELECT COUNT(*) AS count FROM loops WHERE archived_at IS NULL").get();
+    }
     return row?.count ?? 0;
   }
   countRuns(status) {
@@ -2074,7 +2171,7 @@ class Store {
 }
 // src/cli/index.ts
-import { createHash } from "crypto";
+import { createHash as createHash2 } from "crypto";
 import { existsSync as existsSync3, readFileSync as readFileSync2 } from "fs";
 import { Command } from "commander";
@@ -2493,6 +2590,16 @@ function metadataEnv(metadata) {
     env.LOOPS_GOAL_NODE_KEY = metadata.goalNodeKey;
   return env;
 }
+function allowlistEnv(allowlist) {
+  const env = {};
+  if (allowlist?.tools?.length)
+    env.LOOPS_AGENT_ALLOWED_TOOLS = allowlist.tools.join(",");
+  if (allowlist?.commands?.length)
+    env.LOOPS_AGENT_ALLOWED_COMMANDS = allowlist.commands.join(",");
+  if (allowlist?.tools?.length || allowlist?.commands?.length)
+    env.LOOPS_AGENT_ALLOWLIST_ENFORCEMENT = "metadata_only";
+  return env;
+}
 function providerCommand(provider) {
   switch (provider) {
     case "claude":
@@ -2700,7 +2807,8 @@ function commandSpec(target) {
     account: agentTarget.account,
     accountTool: agentTarget.account?.tool ?? accountToolForProvider(agentTarget.provider),
     preflightAnyOf: agentTarget.provider === "cursor" ? ["cursor", "agent"] : undefined,
-    stdin: agentTarget.prompt
+    stdin: agentTarget.prompt,
+    allowlist: agentTarget.allowlist
   };
 }
 function executionEnv(spec, metadata, opts) {
@@ -2712,6 +2820,7 @@ function executionEnv(spec, metadata, opts) {
     Object.assign(env, accountEnv);
   }
   Object.assign(env, spec.env ?? {});
+  Object.assign(env, allowlistEnv(spec.allowlist));
   env.PATH = normalizeExecutionPath(env);
   Object.assign(env, metadataEnv(metadata));
   return env;
@@ -2750,6 +2859,9 @@ function remoteBootstrapLines(spec, metadata) {
       continue;
     lines.push(`export ${key}=${shellQuote(value)}`);
   }
+  for (const [key, value] of Object.entries(allowlistEnv(spec.allowlist))) {
+    lines.push(`export ${key}=${shellQuote(value)}`);
+  }
   return lines;
 }
 function remoteScript(spec, metadata) {
@@ -3703,12 +3815,16 @@ async function executeLoopTarget(store, loop, run, opts = {}) {
 // src/lib/scheduler.ts
 function manualRunScheduledFor(loop, now = new Date) {
+  if (loop.archivedAt)
+    return now.toISOString();
   if (loop.status === "active" && loop.nextRunAt && new Date(loop.nextRunAt).getTime() <= now.getTime()) {
     return loop.retryScheduledFor ?? loop.nextRunAt;
   }
   return now.toISOString();
 }
 function shouldAdvanceManualRun(loop, scheduledFor, now = new Date) {
+  if (loop.archivedAt)
+    return false;
   if (loop.status !== "active")
     return false;
   if (!loop.nextRunAt || new Date(loop.nextRunAt).getTime() > now.getTime())
@@ -3716,6 +3832,8 @@ function shouldAdvanceManualRun(loop, scheduledFor, now = new Date) {
   return scheduledFor === (loop.retryScheduledFor ?? loop.nextRunAt);
 }
 function manualRunSource(loop, scheduledFor, now = new Date) {
+  if (loop.archivedAt)
+    return "ad_hoc";
   if (loop.status !== "active")
     return "ad_hoc";
   if (!loop.nextRunAt || new Date(loop.nextRunAt).getTime() > now.getTime())
@@ -3734,7 +3852,7 @@ function advanceLoop(store, loop, run, finishedAt, succeeded, opts = {}) {
   if (run.status === "running")
     return;
   const current = store.getLoop(loop.id);
-  if (!current || current.status !== "active")
+  if (!current || current.status !== "active" || current.archivedAt)
     return;
   if (current.retryScheduledFor && current.retryScheduledFor !== run.scheduledFor)
     return;
@@ -4069,7 +4187,8 @@ function daemonStatus(store, path = pidFilePath()) {
       active: store.countLoops("active"),
       paused: store.countLoops("paused"),
       stopped: store.countLoops("stopped"),
-      expired: store.countLoops("expired")
+      expired: store.countLoops("expired"),
+      archived: store.countLoops(undefined, { archived: true })
     },
     runs: {
       total: store.countRuns(),
@@ -4492,10 +4611,220 @@ function runDoctor(store) {
     checks
   };
 }
+// src/lib/health.ts
+import { createHash } from "crypto";
+var EVIDENCE_CHARS = 2000;
+var CLASSIFICATIONS = [
+  "rate_limit",
+  "auth",
+  "model_not_found",
+  "context_length",
+  "schema_response_format",
+  "node_init",
+  "timeout",
+  "sigsegv",
+  "skipped_previous_active",
+  "unknown"
+];
+function bounded(value, limit = EVIDENCE_CHARS) {
+  if (!value)
+    return;
+  if (value.length <= limit)
+    return value;
+  return `${value.slice(0, limit)}
+[truncated ${value.length - limit} chars]`;
+}
+function searchableText(run) {
+  return [run.error, run.stderr, run.stdout].filter(Boolean).join(`
+`).toLowerCase();
+}
+function stableFingerprint(parts) {
+  return createHash("sha256").update(parts.join(`
+`)).digest("hex").slice(0, 16);
+}
+function healthRun(run) {
+  return {
+    ...run,
+    error: bounded(run.error),
+    stdout: bounded(run.stdout),
+    stderr: bounded(run.stderr)
+  };
+}
+function classifyRunFailure(run) {
+  if (run.status === "succeeded" || run.status === "running")
+    return;
+  const text = searchableText(run);
+  let classification = "unknown";
+  if (run.status === "timed_out")
+    classification = "timeout";
+  else if (run.status === "skipped" && /previous run still active/.test(text))
+    classification = "skipped_previous_active";
+  else if (/rate limit|too many requests|429\b|quota exceeded/.test(text))
+    classification = "rate_limit";
+  else if (/unauthorized|authentication|auth\b|api key|invalid token|permission denied|401\b|403\b/.test(text))
+    classification = "auth";
+  else if (/model .*not found|model_not_found|unknown model|invalid model|404.*model/.test(text))
+    classification = "model_not_found";
+  else if (/context length|context_length|context window|maximum context|token limit|too many tokens/.test(text))
+    classification = "context_length";
+  else if (/response_format|json schema|schema validation|invalid schema|structured output/.test(text))
+    classification = "schema_response_format";
+  else if (/cannot find module|module not found|node:internal|bun: command not found|node: command not found|npm err!|err_module_not_found/.test(text))
+    classification = "node_init";
+  else if (/sigsegv|segmentation fault|signal 11/.test(text))
+    classification = "sigsegv";
+  return {
+    classification,
+    fingerprint: stableFingerprint([
+      run.loopId,
+      run.loopName,
+      run.status,
+      classification,
+      String(run.exitCode ?? ""),
+      (run.error ?? run.stderr ?? run.stdout ?? "").slice(0, 500)
+    ]),
+    evidence: {
+      error: bounded(run.error),
+      stdout: bounded(run.stdout),
+      stderr: bounded(run.stderr),
+      exitCode: run.exitCode
+    }
+  };
+}
+function targetRoute(loop) {
+  if (loop.target.type === "agent") {
+    return {
+      source: "openloops",
+      kind: "loop_expectation",
+      loopId: loop.id,
+      loopName: loop.name,
+      cwd: loop.target.cwd,
+      provider: loop.target.provider
+    };
+  }
+  if (loop.target.type === "command") {
+    return {
+      source: "openloops",
+      kind: "loop_expectation",
+      loopId: loop.id,
+      loopName: loop.name,
+      cwd: loop.target.cwd
+    };
+  }
+  return {
+    source: "openloops",
+    kind: "loop_expectation",
+    loopId: loop.id,
+    loopName: loop.name
+  };
+}
+function recommendedTask(loop, run, failure, route) {
+  const title = `BUG: open-loops loop failure - ${loop.name}`;
+  const description = [
+    `OpenLoops expectation failed for loop ${loop.name} (${loop.id}).`,
+    `Run: ${run.id}`,
+    `Status: ${run.status}`,
+    `Classification: ${failure.classification}`,
+    `Fingerprint: ${failure.fingerprint}`,
+    route.cwd ? `Route cwd: ${route.cwd}` : undefined,
+    route.provider ? `Provider: ${route.provider}` : undefined,
+    failure.evidence.error ? `Error:
+${failure.evidence.error}` : undefined,
+    failure.evidence.stderr ? `Stderr:
+${failure.evidence.stderr}` : undefined
+  ].filter(Boolean).join(`
+`);
+  const dedupeKey = `openloops:${loop.id}:${failure.fingerprint}`;
+  const tags = ["bug", "openloops", "loop-health", failure.classification];
+  const priority = failure.classification === "auth" || failure.classification === "rate_limit" ? "high" : "medium";
+  return {
+    title,
+    description,
+    priority,
+    tags,
+    dedupeKey,
+    search: { query: dedupeKey },
+    compatibilityFallback: {
+      search: ["todos", "search", dedupeKey, "--json"],
+      add: ["todos", "add", title, "--description", description, "--tag", tags.join(","), "--priority", priority],
+      comment: ["todos", "comment", "<task-id>", description]
+    },
+    futureNativeUpsert: {
+      command: "todos upsert",
+      fields: {
+        title,
+        description,
+        priority,
+        tags,
+        dedupeKey,
+        routeSource: route.source,
+        routeKind: route.kind,
+        routeLoopId: route.loopId,
+        routeLoopName: route.loopName
+      }
+    }
+  };
+}
+function expectationForLoop(store, loop) {
+  const latestRun = store.listRuns({ loopId: loop.id, limit: 1 })[0];
+  const route = targetRoute(loop);
+  if (!latestRun) {
+    return {
+      loop: { id: loop.id, name: loop.name, status: loop.status, nextRunAt: loop.nextRunAt },
+      ok: true,
+      check: { id: "latest-run-succeeded", status: "warn", message: "loop has no recorded runs yet" },
+      route
+    };
+  }
+  if (latestRun.status === "succeeded") {
+    return {
+      loop: { id: loop.id, name: loop.name, status: loop.status, nextRunAt: loop.nextRunAt },
+      ok: true,
+      check: { id: "latest-run-succeeded", status: "pass", message: "latest run succeeded" },
+      latestRun: healthRun(latestRun),
+      route
+    };
+  }
+  const failure = classifyRunFailure(latestRun);
+  return {
+    loop: { id: loop.id, name: loop.name, status: loop.status, nextRunAt: loop.nextRunAt },
+    ok: false,
+    check: { id: "latest-run-succeeded", status: "fail", message: `latest run is ${latestRun.status}` },
+    latestRun: healthRun(latestRun),
+    failure,
+    route,
+    recommendedTask: failure ? recommendedTask(loop, latestRun, failure, route) : undefined
+  };
+}
+function buildHealthReport(store, opts = {}) {
+  const loops = store.listLoops({ includeArchived: opts.includeArchived, limit: opts.limit ?? 200 });
+  const expectations = loops.map((loop) => expectationForLoop(store, loop));
+  const classifications = Object.fromEntries(CLASSIFICATIONS.map((key) => [key, 0]));
+  for (const expectation of expectations) {
+    if (expectation.failure)
+      classifications[expectation.failure.classification] += 1;
+  }
+  const unhealthy = expectations.filter((expectation) => !expectation.ok).length;
+  const warnings = expectations.filter((expectation) => expectation.check.status === "warn").length;
+  return {
+    ok: unhealthy === 0,
+    generatedAt: new Date().toISOString(),
+    summary: {
+      loops: expectations.length,
+      healthy: expectations.length - unhealthy,
+      unhealthy,
+      warnings
+    },
+    classifications,
+    expectations
+  };
+}
 // package.json
 var package_default = {
   name: "@hasna/loops",
-  version: "0.3.14",
+  version: "0.3.16",
   description: "Persistent local loop and workflow runner for deterministic commands and headless AI coding agents",
   type: "module",
   main: "dist/index.js",
@@ -4598,6 +4927,10 @@ var TEMPLATE_SUMMARIES = [
       { name: "projectPath", required: true, description: "Repository or project working directory." },
       { name: "provider", default: "codewith", description: "Agent provider: codewith, claude, cursor, opencode, aicopilot, or codex." },
       { name: "authProfile", description: "Provider-native auth profile, currently Codewith." },
+      { name: "authProfilePool", description: "Comma-separated provider-native auth profiles; worker/verifier are selected deterministically." },
+      { name: "workerAuthProfile", description: "Provider-native auth profile for the worker step." },
+      { name: "verifierAuthProfile", description: "Provider-native auth profile for the verifier step." },
+      { name: "accountPool", description: "Comma-separated OpenAccounts profiles; worker/verifier are selected deterministically." },
       { name: "model", description: "Provider model." },
       { name: "variant", description: "Provider reasoning/model effort variant." },
       { name: "permissionMode", default: "bypass", description: "Provider permission mode: default, plan, auto, or bypass." },
@@ -4617,6 +4950,10 @@ var TEMPLATE_SUMMARIES = [
       { name: "projectPath", required: true, description: "Repository or project working directory." },
       { name: "provider", default: "codewith", description: "Agent provider: codewith, claude, cursor, opencode, aicopilot, or codex." },
       { name: "authProfile", description: "Provider-native auth profile, currently Codewith." },
+      { name: "authProfilePool", description: "Comma-separated provider-native auth profiles; worker/verifier are selected deterministically." },
+      { name: "workerAuthProfile", description: "Provider-native auth profile for the worker step." },
+      { name: "verifierAuthProfile", description: "Provider-native auth profile for the verifier step." },
+      { name: "accountPool", description: "Comma-separated OpenAccounts profiles; worker/verifier are selected deterministically." },
       { name: "model", description: "Provider model." },
       { name: "variant", description: "Provider reasoning/model effort variant." },
       { name: "permissionMode", default: "bypass", description: "Provider permission mode: default, plan, auto, or bypass." },
@@ -4631,7 +4968,37 @@ function taskLabel(input) {
   const head = input.taskTitle?.trim() || input.taskId;
   return head.length > 160 ? `${head.slice(0, 157)}...` : head;
 }
-function agentTarget(input, prompt) {
+function stableIndex(seed, size) {
+  let hash = 2166136261;
+  for (let i = 0;i < seed.length; i += 1) {
+    hash ^= seed.charCodeAt(i);
+    hash = Math.imul(hash, 16777619);
+  }
+  return Math.abs(hash >>> 0) % size;
+}
+function rolePoolValue(pool, seed, role) {
+  if (!pool?.length)
+    return;
+  const workerIndex = stableIndex(seed, pool.length);
+  if (role === "worker" || pool.length === 1)
+    return pool[workerIndex];
+  return pool[(workerIndex + 1) % pool.length];
+}
+function authProfileForRole(input, role, seed) {
+  if (role === "worker" && input.workerAuthProfile)
+    return input.workerAuthProfile;
+  if (role === "verifier" && input.verifierAuthProfile)
+    return input.verifierAuthProfile;
+  return rolePoolValue(input.authProfilePool, seed, role) ?? input.authProfile;
+}
+function accountForRole(input, role, seed) {
+  if (role === "worker" && input.workerAccount)
+    return input.workerAccount;
+  if (role === "verifier" && input.verifierAccount)
+    return input.verifierAccount;
+  return rolePoolValue(input.accountPool, seed, role) ?? input.account;
+}
+function agentTarget(input, prompt, role, seed) {
   const provider = input.provider ?? "codewith";
   const sandbox = input.sandbox ?? (provider === "codewith" || provider === "codex" ? "danger-full-access" : provider === "cursor" ? "disabled" : undefined);
   return {
@@ -4642,11 +5009,11 @@ function agentTarget(input, prompt) {
     model: input.model,
     variant: input.variant,
     agent: input.agent,
-    authProfile: provider === "codewith" ? input.authProfile : undefined,
+    authProfile: provider === "codewith" ? authProfileForRole(input, role, seed) : undefined,
     configIsolation: "safe",
     permissionMode: input.permissionMode ?? "bypass",
     sandbox,
-    account: input.account,
+    account: accountForRole(input, role, seed),
     timeoutMs: 45 * 60000
   };
 }
@@ -4700,7 +5067,7 @@ function renderTodosTaskWorkerVerifierWorkflow(input) {
         id: "worker",
         name: "Worker",
         description: "Implement the todos task and record evidence.",
-        target: agentTarget(input, workerPrompt),
+        target: agentTarget(input, workerPrompt, "worker", input.taskId),
         timeoutMs: 45 * 60000
       },
       {
@@ -4708,7 +5075,7 @@ function renderTodosTaskWorkerVerifierWorkflow(input) {
         name: "Verifier",
         description: "Adversarially verify worker output and update todos.",
         dependsOn: ["worker"],
-        target: agentTarget(input, verifierPrompt),
+        target: agentTarget(input, verifierPrompt, "verifier", input.taskId),
         timeoutMs: 30 * 60000
       }
     ]
@@ -4764,7 +5131,7 @@ function renderEventWorkerVerifierWorkflow(input) {
         id: "worker",
         name: "Worker",
         description: "Handle the Hasna event and record evidence.",
-        target: agentTarget(input, workerPrompt),
+        target: agentTarget(input, workerPrompt, "worker", `${input.eventSource}:${input.eventType}:${input.eventId}`),
         timeoutMs: 45 * 60000
       },
       {
@@ -4772,7 +5139,7 @@ function renderEventWorkerVerifierWorkflow(input) {
         name: "Verifier",
         description: "Adversarially verify event handling.",
         dependsOn: ["worker"],
-        target: agentTarget(input, verifierPrompt),
+        target: agentTarget(input, verifierPrompt, "verifier", `${input.eventSource}:${input.eventType}:${input.eventId}`),
         timeoutMs: 30 * 60000
       }
     ]
@@ -4787,7 +5154,11 @@ function renderLoopTemplate(id, values) {
       projectPath: values.projectPath ?? values.cwd ?? process.cwd(),
       provider: values.provider,
       authProfile: values.authProfile,
+      authProfilePool: listVar(values.authProfilePool),
+      workerAuthProfile: values.workerAuthProfile,
+      verifierAuthProfile: values.verifierAuthProfile,
       account: values.account ? { profile: values.account, tool: values.accountTool } : undefined,
+      accountPool: accountPoolVar(values.accountPool, values.accountTool),
       model: values.model,
       variant: values.variant,
       agent: values.agent,
@@ -4808,7 +5179,11 @@ function renderLoopTemplate(id, values) {
       projectPath: values.projectPath ?? values.cwd ?? process.cwd(),
       provider: values.provider,
       authProfile: values.authProfile,
+      authProfilePool: listVar(values.authProfilePool),
+      workerAuthProfile: values.workerAuthProfile,
+      verifierAuthProfile: values.verifierAuthProfile,
       account: values.account ? { profile: values.account, tool: values.accountTool } : undefined,
+      accountPool: accountPoolVar(values.accountPool, values.accountTool),
       model: values.model,
       variant: values.variant,
       agent: values.agent,
@@ -4818,6 +5193,13 @@ function renderLoopTemplate(id, values) {
   }
   throw new Error(`unknown template: ${id}`);
 }
+function listVar(value) {
+  const values = value?.split(",").map((entry) => entry.trim()).filter(Boolean);
+  return values?.length ? values : undefined;
+}
+function accountPoolVar(value, tool) {
+  return listVar(value)?.map((profile) => ({ profile, tool }));
+}
 // src/cli/index.ts
 var program = new Command;
@@ -4933,10 +5315,32 @@ function goalFromOpts(opts) {
   }, "goal");
 }
 function accountFromOpts(opts) {
-  if (!opts.account && opts.accountTool)
-    throw new Error("--account-tool requires --account");
+  if (!opts.account && opts.accountTool && !opts.accountPool && !opts.workerAccount && !opts.verifierAccount) {
+    throw new Error("--account-tool requires --account, --account-pool, --worker-account, or --verifier-account");
+  }
   return opts.account ? { profile: opts.account, tool: opts.accountTool } : undefined;
 }
+function splitList(value) {
+  const values = value?.split(",").map((entry) => entry.trim()).filter(Boolean);
+  return values?.length ? values : undefined;
+}
+function allowlistFromOpts(opts) {
+  const tools = (opts.allowTool ?? []).flatMap((entry) => splitList(entry) ?? []);
+  const commands = (opts.allowCommand ?? []).flatMap((entry) => splitList(entry) ?? []);
+  if (!tools.length && !commands.length)
+    return;
+  return {
+    tools: tools.length ? tools : undefined,
+    commands: commands.length ? commands : undefined,
+    enforcement: "metadata_only"
+  };
+}
+function accountPoolFromOpts(opts) {
+  return splitList(opts.accountPool)?.map((profile) => ({ profile, tool: opts.accountTool }));
+}
+function roleAccountFromOpts(opts, profile) {
+  return profile ? { profile, tool: opts.accountTool } : undefined;
+}
 function parseVars(values) {
   const vars = {};
   for (const value of values ?? []) {
@@ -4970,7 +5374,7 @@ function slugSegment(value, fallback = "event") {
   return value.toLowerCase().replace(/[^a-z0-9._:-]+/g, "-").replace(/^-|-$/g, "").slice(0, 80) || fallback;
 }
 function stableSuffix(value) {
-  return createHash("sha256").update(value).digest("hex").slice(0, 12);
+  return createHash2("sha256").update(value).digest("hex").slice(0, 12);
 }
 function taskEventField(data, keys) {
   for (const key of keys) {
@@ -4996,6 +5400,85 @@ function taskEventField(data, keys) {
   }
   return;
 }
+function objectField(value) {
+  return value && typeof value === "object" && !Array.isArray(value) ? value : undefined;
+}
+function nestedObject(input, key) {
+  return objectField(input[key]);
+}
+function taskEventRecords(data, metadata) {
+  const records = [data];
+  const dataTask = nestedObject(data, "task");
+  if (dataTask)
+    records.push(dataTask);
+  const dataPayload = nestedObject(data, "payload");
+  if (dataPayload) {
+    records.push(dataPayload);
+    const payloadTask = nestedObject(dataPayload, "task");
+    if (payloadTask)
+      records.push(payloadTask);
+  }
+  const dataMetadata = nestedObject(data, "metadata");
+  if (dataMetadata)
+    records.push(dataMetadata);
+  records.push(metadata);
+  const metadataTask = nestedObject(metadata, "task");
+  if (metadataTask)
+    records.push(metadataTask);
+  const metadataAutomation = nestedObject(metadata, "automation");
+  if (metadataAutomation)
+    records.push(metadataAutomation);
+  return records;
+}
+function booleanLike(value) {
+  return value === true || value === "true" || value === "1" || value === 1;
+}
+function hasTruthyField(records, keys) {
+  return records.some((record) => keys.some((key) => booleanLike(record[key])));
+}
+function tagsFromValue(value) {
+  if (Array.isArray(value))
+    return value.map((entry) => String(entry).trim()).filter(Boolean);
+  if (typeof value === "string")
+    return value.split(",").map((entry) => entry.trim()).filter(Boolean);
+  return [];
+}
+function taskEventTags(records) {
+  const tags = new Set;
+  for (const record of records) {
+    for (const tag of tagsFromValue(record.tags ?? record.task_tags ?? record.taskTags))
+      tags.add(tag);
+  }
+  return [...tags];
+}
+function taskRouteEligibility(data, metadata) {
+  const records = taskEventRecords(data, metadata);
+  const tags = taskEventTags(records);
+  const hasRouteOptIn = tags.includes("auto:route") || hasTruthyField(records, ["route_enabled", "routeEnabled", "automation_allowed", "automationAllowed", "allowed"]);
+  if (!hasRouteOptIn)
+    return { eligible: false, reason: "missing explicit route opt-in", tags };
+  const status = taskEventField(data, ["status", "task_status", "taskStatus"])?.toLowerCase();
+  if (status && ["blocked", "completed", "done", "cancelled", "canceled", "failed", "archived"].includes(status)) {
+    return { eligible: false, reason: `task status is not routable: ${status}`, tags };
+  }
+  const disallowedTags = tags.filter((tag) => ["no-auto", "manual", "manual-required", "approval-required"].includes(tag));
+  if (disallowedTags.length)
+    return { eligible: false, reason: `task has disallowed tag: ${disallowedTags[0]}`, tags };
+  if (hasTruthyField(records, [
+    "no_auto",
+    "noAuto",
+    "manual",
+    "manual_required",
+    "manualRequired",
+    "requires_approval",
+    "requiresApproval",
+    "approval_required",
+    "approvalRequired"
+  ])) {
+    return { eligible: false, reason: "task metadata requires manual or approval-gated handling", tags };
+  }
+  return { eligible: true, tags };
+}
 async function readEventEnvelopeFromStdin() {
   const raw = process.env.HASNA_EVENT_JSON || await Bun.stdin.text();
   const event = JSON.parse(raw);
@@ -5068,7 +5551,7 @@ addGoalOptions(addAccountOptions(addMachineOptions(addScheduleOptions(create.com
     store.close();
   }
 });
-addGoalOptions(addAccountOptions(addMachineOptions(addScheduleOptions(create.command("agent <name>").description("create a headless coding-agent loop").requiredOption("--provider <provider>", "claude, cursor, codewith, aicopilot, opencode, or codex").requiredOption("--prompt <prompt>", "agent prompt").option("--cwd <dir>", "working directory").option("--model <model>", "model").option("--variant <variant>", "provider-specific model variant or reasoning effort").option("--agent <agent>", "provider-specific agent").option("--auth-profile <profile>", "provider-native auth profile; currently supported for codewith").option("--timeout <duration>", "run timeout").option("--permission-mode <mode>", "provider permission mode: default, plan, auto, or bypass").option("--sandbox <mode>", "provider sandbox: codewith/codex use read-only/workspace-write/danger-full-access; cursor uses enabled/disabled").option("--config-isolation <mode>", "safe or none", "safe"))))).action((name, opts) => {
+addGoalOptions(addAccountOptions(addMachineOptions(addScheduleOptions(create.command("agent <name>").description("create a headless coding-agent loop").requiredOption("--provider <provider>", "claude, cursor, codewith, aicopilot, opencode, or codex").requiredOption("--prompt <prompt>", "agent prompt").option("--cwd <dir>", "working directory").option("--model <model>", "model").option("--variant <variant>", "provider-specific model variant or reasoning effort").option("--agent <agent>", "provider-specific agent").option("--auth-profile <profile>", "provider-native auth profile; currently supported for codewith").option("--timeout <duration>", "run timeout").option("--permission-mode <mode>", "provider permission mode: default, plan, auto, or bypass").option("--sandbox <mode>", "provider sandbox: codewith/codex use read-only/workspace-write/danger-full-access; cursor uses enabled/disabled").option("--allow-tool <name>", "advisory per-session tool allowlist metadata; may be repeated or comma-separated", collectValues, []).option("--allow-command <name>", "advisory per-session command allowlist metadata; may be repeated or comma-separated", collectValues, []).option("--config-isolation <mode>", "safe or none", "safe"))))).action((name, opts) => {
   const provider = opts.provider;
   if (!["claude", "cursor", "codewith", "aicopilot", "opencode", "codex"].includes(provider)) {
     throw new Error("unsupported provider");
@@ -5091,6 +5574,7 @@ addGoalOptions(addAccountOptions(addMachineOptions(addScheduleOptions(create.com
       configIsolation: opts.configIsolation,
       permissionMode: permissionModeFromOpts(opts, provider),
       sandbox: sandboxFromOpts(opts, provider),
+      allowlist: allowlistFromOpts(opts),
       account: accountFromOpts(opts)
     };
     const loop = store.createLoop(baseCreateInput(name, opts, target));
@@ -5149,13 +5633,18 @@ templates.command("create-workflow <id>").description("render and store a templa
   }
 });
 var eventsHandle = events.command("handle").description("handle a Hasna event envelope");
-eventsHandle.command("todos-task").description("create a one-shot worker/verifier workflow loop for a todos task event").option("--provider <provider>", "agent provider", "codewith").option("--auth-profile <profile>", "provider-native auth profile; currently supported for codewith").option("--account <profile>", "OpenAccounts profile name").option("--account-tool <tool>", "OpenAccounts tool id").option("--model <model>", "provider model").option("--variant <variant>", "provider-specific model variant or reasoning effort").option("--agent <agent>", "provider-specific agent").option("--permission-mode <mode>", "provider permission mode: default, plan, auto, or bypass", "bypass").option("--sandbox <mode>", "provider sandbox").option("--project-path <path>", "fallback project/repo working directory").option("--name-prefix <prefix>", "workflow/loop name prefix", "event:todos-task").option("--dry-run", "print the workflow and loop input without storing anything").action(async (opts) => {
+eventsHandle.command("todos-task").description("create a one-shot worker/verifier workflow loop for a todos task event").option("--provider <provider>", "agent provider", "codewith").option("--auth-profile <profile>", "provider-native auth profile; currently supported for codewith").option("--auth-profile-pool <profiles>", "comma-separated provider-native auth profile pool").option("--worker-auth-profile <profile>", "provider-native auth profile for worker step").option("--verifier-auth-profile <profile>", "provider-native auth profile for verifier step").option("--account <profile>", "OpenAccounts profile name").option("--account-pool <profiles>", "comma-separated OpenAccounts profile pool").option("--worker-account <profile>", "OpenAccounts profile for worker step").option("--verifier-account <profile>", "OpenAccounts profile for verifier step").option("--account-tool <tool>", "OpenAccounts tool id").option("--model <model>", "provider model").option("--variant <variant>", "provider-specific model variant or reasoning effort").option("--agent <agent>", "provider-specific agent").option("--permission-mode <mode>", "provider permission mode: default, plan, auto, or bypass", "bypass").option("--sandbox <mode>", "provider sandbox").option("--project-path <path>", "fallback project/repo working directory").option("--name-prefix <prefix>", "workflow/loop name prefix", "event:todos-task").option("--dry-run", "print the workflow and loop input without storing anything").action(async (opts) => {
   const event = await readEventEnvelopeFromStdin();
   const data = eventData(event);
   const metadata = eventMetadata(event);
   const taskId = taskEventField(data, ["id", "task_id", "taskId"]);
   if (!taskId)
     throw new Error("todos task event is missing task id in data.id, data.task_id, data.task.id, or data.payload.id");
+  const eligibility = taskRouteEligibility(data, metadata);
+  if (!eligibility.eligible) {
+    print({ skipped: true, reason: eligibility.reason, event, taskId, eligibility }, `skipped task ${taskId}: ${eligibility.reason}`);
+    return;
+  }
   const taskTitle = taskEventField(data, ["title", "task_title", "taskTitle"]);
   const taskDescription = taskEventField(data, ["description", "body"]);
   const dataProjectPath = taskEventField(data, ["working_dir", "workingDir", "project_path", "projectPath", "cwd"]);
@@ -5182,7 +5671,13 @@ eventsHandle.command("todos-task").description("create a one-shot worker/verifie
     projectPath,
     provider,
     authProfile,
+    authProfilePool: splitList(opts.authProfilePool),
+    workerAuthProfile: opts.workerAuthProfile,
+    verifierAuthProfile: opts.verifierAuthProfile,
     account: accountFromOpts(opts),
+    accountPool: accountPoolFromOpts(opts),
+    workerAccount: roleAccountFromOpts(opts, opts.workerAccount),
+    verifierAccount: roleAccountFromOpts(opts, opts.verifierAccount),
     model: opts.model,
     variant: opts.variant,
     agent: opts.agent,
@@ -5236,7 +5731,7 @@ eventsHandle.command("todos-task").description("create a one-shot worker/verifie
     store.close();
   }
 });
-eventsHandle.command("generic").description("create a one-shot worker/verifier workflow loop for any Hasna event").option("--provider <provider>", "agent provider", "codewith").option("--auth-profile <profile>", "provider-native auth profile; currently supported for codewith").option("--account <profile>", "OpenAccounts profile name").option("--account-tool <tool>", "OpenAccounts tool id").option("--model <model>", "provider model").option("--variant <variant>", "provider-specific model variant or reasoning effort").option("--agent <agent>", "provider-specific agent").option("--permission-mode <mode>", "provider permission mode: default, plan, auto, or bypass", "bypass").option("--sandbox <mode>", "provider sandbox").option("--project-path <path>", "fallback project/repo working directory").option("--name-prefix <prefix>", "workflow/loop name prefix", "event:generic").option("--dry-run", "print the workflow and loop input without storing anything").action(async (opts) => {
+eventsHandle.command("generic").description("create a one-shot worker/verifier workflow loop for any Hasna event").option("--provider <provider>", "agent provider", "codewith").option("--auth-profile <profile>", "provider-native auth profile; currently supported for codewith").option("--auth-profile-pool <profiles>", "comma-separated provider-native auth profile pool").option("--worker-auth-profile <profile>", "provider-native auth profile for worker step").option("--verifier-auth-profile <profile>", "provider-native auth profile for verifier step").option("--account <profile>", "OpenAccounts profile name").option("--account-pool <profiles>", "comma-separated OpenAccounts profile pool").option("--worker-account <profile>", "OpenAccounts profile for worker step").option("--verifier-account <profile>", "OpenAccounts profile for verifier step").option("--account-tool <tool>", "OpenAccounts tool id").option("--model <model>", "provider model").option("--variant <variant>", "provider-specific model variant or reasoning effort").option("--agent <agent>", "provider-specific agent").option("--permission-mode <mode>", "provider permission mode: default, plan, auto, or bypass", "bypass").option("--sandbox <mode>", "provider sandbox").option("--project-path <path>", "fallback project/repo working directory").option("--name-prefix <prefix>", "workflow/loop name prefix", "event:generic").option("--dry-run", "print the workflow and loop input without storing anything").action(async (opts) => {
   const event = await readEventEnvelopeFromStdin();
   const data = eventData(event);
   const projectPath = opts.projectPath ?? taskEventField(data, ["working_dir", "workingDir", "project_path", "projectPath", "cwd", "repo_path", "repoPath"]) ?? process.cwd();
@@ -5256,7 +5751,13 @@ eventsHandle.command("generic").description("create a one-shot worker/verifier w
     projectPath,
     provider,
     authProfile,
+    authProfilePool: splitList(opts.authProfilePool),
+    workerAuthProfile: opts.workerAuthProfile,
+    verifierAuthProfile: opts.verifierAuthProfile,
     account: accountFromOpts(opts),
+    accountPool: accountPoolFromOpts(opts),
+    workerAccount: roleAccountFromOpts(opts, opts.workerAccount),
+    verifierAccount: roleAccountFromOpts(opts, opts.verifierAccount),
     model: opts.model,
     variant: opts.variant,
     agent: opts.agent,
@@ -5523,16 +6024,19 @@ workflows.command("archive <idOrName>").action((idOrName) => {
     store.close();
   }
 });
-program.command("list").alias("ls").option("--status <status>", "filter by status").action((opts) => {
+program.command("list").alias("ls").option("--status <status>", "filter by status").option("--archived", "show only archived loops").option("--all", "include archived loops").action((opts) => {
+  if (opts.archived && opts.all)
+    throw new Error("use either --archived or --all, not both");
   const store = new Store;
   try {
-    const loops = store.listLoops({ status: opts.status });
+    const loops = store.listLoops({ status: opts.status, archived: opts.archived, includeArchived: opts.all });
     if (isJson())
       print(loops.map(publicLoop));
     else {
       for (const loop of loops) {
         const machine = loop.machine ? `  machine=${loop.machine.id}` : "";
-        console.log(`${loop.id}  ${loop.status.padEnd(7)}  next=${loop.nextRunAt ?? "-"}  ${loop.name}${machine}`);
+        const archive = loop.archivedAt ? `  archived=${loop.archivedAt} from=${loop.archivedFromStatus ?? "-"}` : "";
+        console.log(`${loop.id}  ${loop.status.padEnd(7)}  next=${loop.nextRunAt ?? "-"}  ${loop.name}${machine}${archive}`);
       }
     }
   } finally {
@@ -5565,6 +6069,44 @@ program.command("runs [idOrName]").option("--limit <n>", "limit", "50").option("
     store.close();
   }
 });
+program.command("expectations [idOrName]").description("evaluate deterministic loop expectations without mutating external task systems").option("--limit <n>", "maximum loops to inspect when no loop is specified", "200").option("--json", "print JSON").action((idOrName, opts) => {
+  const store = new Store;
+  try {
+    const loops = idOrName ? [store.requireLoop(idOrName)] : store.listLoops({ limit: Number(opts.limit) });
+    const values = loops.map((loop) => expectationForLoop(store, loop));
+    if (isJson() || opts.json)
+      console.log(JSON.stringify(idOrName ? values[0] : values, null, 2));
+    else {
+      for (const value of values) {
+        console.log(`${value.ok ? "ok" : "fail"}  ${value.loop.name}  ${value.check.message}`);
+        if (value.failure)
+          console.log(`  classification=${value.failure.classification} fingerprint=${value.failure.fingerprint}`);
+      }
+    }
+    if (values.some((value) => !value.ok))
+      process.exitCode = 1;
+  } finally {
+    store.close();
+  }
+});
+program.command("health").description("summarize loop health and latest-run expectation status").option("--json", "print JSON").action((opts) => {
+  const store = new Store;
+  try {
+    const report = buildHealthReport(store);
+    if (isJson() || opts.json)
+      console.log(JSON.stringify(report, null, 2));
+    else {
+      console.log(`loops=${report.summary.loops} healthy=${report.summary.healthy} unhealthy=${report.summary.unhealthy} warnings=${report.summary.warnings}`);
+      for (const expectation of report.expectations.filter((entry) => !entry.ok)) {
+        console.log(`fail  ${expectation.loop.name}  ${expectation.failure?.classification ?? "unknown"}  ${expectation.failure?.fingerprint ?? "-"}`);
+      }
+    }
+    if (!report.ok)
+      process.exitCode = 1;
+  } finally {
+    store.close();
+  }
+});
 program.command("pause <idOrName>").action((idOrName) => updateStatus(idOrName, "paused"));
 program.command("resume <idOrName>").action((idOrName) => updateStatus(idOrName, "active"));
 program.command("stop <idOrName>").action((idOrName) => updateStatus(idOrName, "stopped"));
@@ -5572,6 +6114,8 @@ function updateStatus(idOrName, status) {
   const store = new Store;
   try {
     const loop = store.requireLoop(idOrName);
+    if (loop.archivedAt)
+      throw new Error(`loop is archived; run 'loops unarchive ${idOrName}' first`);
     const updated = store.updateLoop(loop.id, { status, nextRunAt: status === "stopped" ? undefined : loop.nextRunAt });
     print(publicLoop(updated), `${updated.id} ${updated.status}`);
   } finally {
@@ -5587,10 +6131,30 @@ program.command("remove <idOrName>").alias("rm").action((idOrName) => {
     store.close();
   }
 });
+program.command("archive <idOrName>").description("archive a loop without deleting history").action((idOrName) => {
+  const store = new Store;
+  try {
+    const loop = store.archiveLoop(idOrName);
+    print(publicLoop(loop), `${loop.id} archived`);
+  } finally {
+    store.close();
+  }
+});
+program.command("unarchive <idOrName>").alias("restore").description("restore an archived loop").action((idOrName) => {
+  const store = new Store;
+  try {
+    const loop = store.unarchiveLoop(idOrName);
+    print(publicLoop(loop), `${loop.id} ${loop.status}`);
+  } finally {
+    store.close();
+  }
+});
 program.command("run-now <idOrName>").option("--show-output", "show stdout/stderr").action(async (idOrName, opts) => {
   const store = new Store;
   try {
     const loop = store.requireLoop(idOrName);
+    if (loop.archivedAt)
+      throw new Error(`loop is archived; run 'loops unarchive ${idOrName}' before running it`);
     const runnerId = `manual:${process.pid}`;
     const now = new Date;
     let scheduledFor = manualRunScheduledFor(loop, now);