@hasna/loops 0.3.21 → 0.3.22

package/dist/cli/index.js

@@ -2833,6 +2833,7 @@ function commandSpec(target) {
     timeoutMs: agentTarget.timeoutMs ?? DEFAULT_TIMEOUT_MS,
     account: agentTarget.account,
     accountTool: agentTarget.account?.tool ?? accountToolForProvider(agentTarget.provider),
+    nativeAuthProfile: agentTarget.authProfile ? { provider: agentTarget.provider, profile: agentTarget.authProfile } : undefined,
     preflightAnyOf: agentTarget.provider === "cursor" ? ["cursor", "agent"] : undefined,
     stdin: agentTarget.prompt,
     allowlist: agentTarget.allowlist
@@ -2914,6 +2915,9 @@ function remotePreflightScript(spec, metadata) {
   if (spec.preflightAnyOf?.length) {
     lines.push(`if ! ${spec.preflightAnyOf.map((command) => `command -v ${shellQuote(command)} >/dev/null 2>&1`).join(" && ! ")}; then`, `  echo 'none of required executables found: ${spec.preflightAnyOf.join(", ")}' >&2`, "  exit 127", "fi");
   }
+  if (spec.nativeAuthProfile?.provider === "codewith") {
+    lines.push(`__OPENLOOPS_CODEWITH_PROFILES="$(${shellQuote(spec.command)} profile list)" || {`, `  printf '%s\\n' ${shellQuote("codewith auth profile preflight failed")} >&2`, "  exit 1", "}", `if ! printf '%s\\n' "$__OPENLOOPS_CODEWITH_PROFILES" | awk 'NR > 1 { print $1 }' | grep -Fx ${shellQuote(spec.nativeAuthProfile.profile)} >/dev/null; then`, `  printf '%s\\n' ${shellQuote(`codewith auth profile not found: ${spec.nativeAuthProfile.profile}`)} >&2`, "  exit 1", "fi");
+  }
   return lines.join(`
 `);
 }
@@ -2929,6 +2933,29 @@ function transportEnv(opts) {
   env.PATH = normalizeExecutionPath(env);
   return env;
 }
+function preflightNativeAuthProfile(spec, env) {
+  if (!spec.nativeAuthProfile)
+    return;
+  if (spec.nativeAuthProfile.provider !== "codewith")
+    return;
+  const result = spawnSync2(spec.command, ["profile", "list"], {
+    encoding: "utf8",
+    env,
+    stdio: ["ignore", "pipe", "pipe"],
+    timeout: 15000
+  });
+  if (result.error) {
+    throw new Error(`codewith auth profile preflight failed: ${result.error.message}`);
+  }
+  if ((result.status ?? 1) !== 0) {
+    const detail = (result.stderr || result.stdout || `exit ${result.status ?? "unknown"}`).trim();
+    throw new Error(`codewith auth profile preflight failed${detail ? `: ${detail}` : ""}`);
+  }
+  const profiles = new Set((result.stdout || "").split(/\r?\n/).slice(1).map((line) => line.trim().split(/\s+/)[0]).filter(Boolean));
+  if (!profiles.has(spec.nativeAuthProfile.profile)) {
+    throw new Error(`codewith auth profile not found: ${spec.nativeAuthProfile.profile}`);
+  }
+}
 function preflightRemoteSpec(spec, machine, metadata, opts) {
   const plan = (opts.machineCommandResolver ?? resolveMachineCommand)(machine.id, "bash -s");
   const result = spawnSync2(plan.command, plan.args, {
@@ -3070,6 +3097,7 @@ function preflightTarget(target, metadata = {}, opts = {}) {
   if (spec.preflightAnyOf?.length && !spec.preflightAnyOf.some((command) => executableExists(command, env))) {
     throw new Error(`none of required executables found: ${spec.preflightAnyOf.join(", ")}`);
   }
+  preflightNativeAuthProfile(spec, env);
   return {
     command: spec.command,
     accountProfile: spec.account?.profile,
@@ -3111,6 +3139,19 @@ async function executeTarget(target, metadata = {}, opts = {}) {
       durationMs: 0
     };
   }
+  try {
+    preflightNativeAuthProfile(spec, env);
+  } catch (err) {
+    return {
+      status: "failed",
+      stdout: "",
+      stderr: "",
+      error: err instanceof Error ? err.message : String(err),
+      startedAt,
+      finishedAt: nowIso(),
+      durationMs: 0
+    };
+  }
   const child = spawn(spec.command, spec.args, {
     cwd: spec.cwd,
     env,
@@ -3767,11 +3808,21 @@ async function executeWorkflow(store, workflow, opts = {}) {
   return workflowResult(finalRun, terminalStatus, startedAt, finishedAt, JSON.stringify({ workflowRun: finalRun, steps }, null, 2), blockingError);
 }
 function preflightWorkflow(workflow, opts = {}) {
-  return workflowExecutionOrder(workflow).map((step) => preflightTarget(targetWithStepAccount(step), {
-    workflowId: workflow.id,
-    workflowName: workflow.name,
-    workflowStepId: step.id
-  }, opts));
+  return workflowExecutionOrder(workflow).map((step) => {
+    try {
+      return {
+        workflowStepId: step.id,
+        ...preflightTarget(targetWithStepAccount(step), {
+          workflowId: workflow.id,
+          workflowName: workflow.name,
+          workflowStepId: step.id
+        }, opts)
+      };
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      throw new Error(`workflow step ${step.id} preflight failed: ${message}`);
+    }
+  });
 }
 async function executeLoopTarget(store, loop, run, opts = {}) {
   if (loop.target.type !== "workflow") {
@@ -5092,7 +5143,7 @@ function buildScriptInventoryReport(store, opts = {}) {
 // package.json
 var package_default = {
   name: "@hasna/loops",
-  version: "0.3.21",
+  version: "0.3.22",
   description: "Persistent local loop and workflow runner for deterministic commands and headless AI coding agents",
   type: "module",
   main: "dist/index.js",
@@ -5576,6 +5627,41 @@ function print(value, human) {
   else
     console.log(human);
 }
+function printCreatedLoop(loop, human, preflight) {
+  if (preflight !== undefined)
+    print({ loop: publicLoop(loop), preflight }, human);
+  else
+    print(publicLoop(loop), human);
+}
+function preflightFailed(error, context) {
+  if (!isJson())
+    throw error;
+  const message = error instanceof Error ? error.message : String(error);
+  print({
+    ok: false,
+    created: false,
+    preflight: {
+      ok: false,
+      error: redact(message, 320)
+    },
+    ...context
+  });
+  process.exit(1);
+}
+function preflightLoopTarget(target, context, metadata, opts) {
+  try {
+    return preflightTarget(target, metadata, opts);
+  } catch (error) {
+    preflightFailed(error, context);
+  }
+}
+function preflightStoredWorkflow(workflow, context, opts) {
+  try {
+    return preflightWorkflow(workflow, opts);
+  } catch (error) {
+    preflightFailed(error, context);
+  }
+}
 function printTextOutput(value) {
   for (const line of textOutputBlocks(value, { indent: "  " }))
     console.log(line);
@@ -6020,7 +6106,7 @@ function permissionModeFromOpts(opts, provider) {
   return mode;
 }
 var create = program.command("create").description("create loops");
-addGoalOptions(addAccountOptions(addMachineOptions(addScheduleOptions(create.command("command <name>").description("create a deterministic shell command loop").requiredOption("--cmd <command>", "command string to execute").option("--cwd <dir>", "working directory").option("--timeout <duration>", "run timeout").option("--no-shell", "execute without a shell"))))).action((name, opts) => {
+addGoalOptions(addAccountOptions(addMachineOptions(addScheduleOptions(create.command("command <name>").description("create a deterministic shell command loop").requiredOption("--cmd <command>", "command string to execute").option("--cwd <dir>", "working directory").option("--timeout <duration>", "run timeout").option("--no-shell", "execute without a shell").option("--preflight", "check target executables/accounts before storing the loop"))))).action((name, opts) => {
   const store = new Store;
   try {
     const target = {
@@ -6031,13 +6117,15 @@ addGoalOptions(addAccountOptions(addMachineOptions(addScheduleOptions(create.com
       timeoutMs: opts.timeout ? parseDuration(opts.timeout) : undefined,
       account: accountFromOpts(opts)
     };
-    const loop = store.createLoop(baseCreateInput(name, opts, target));
-    print(publicLoop(loop), `created loop ${loop.id} (${loop.name}) next=${loop.nextRunAt}`);
+    const input = baseCreateInput(name, opts, target);
+    const preflight = opts.preflight ? preflightLoopTarget(input.target, { name, type: "command" }, { loopName: name }, { machine: input.machine }) : undefined;
+    const loop = store.createLoop(input);
+    printCreatedLoop(loop, `created loop ${loop.id} (${loop.name}) next=${loop.nextRunAt}`, preflight);
   } finally {
     store.close();
   }
 });
-addGoalOptions(addAccountOptions(addMachineOptions(addScheduleOptions(create.command("agent <name>").description("create a headless coding-agent loop").requiredOption("--provider <provider>", "claude, cursor, codewith, aicopilot, opencode, or codex").requiredOption("--prompt <prompt>", "agent prompt").option("--cwd <dir>", "working directory").option("--model <model>", "model").option("--variant <variant>", "provider-specific model variant or reasoning effort").option("--agent <agent>", "provider-specific agent").option("--auth-profile <profile>", "provider-native auth profile; currently supported for codewith").option("--timeout <duration>", "run timeout").option("--permission-mode <mode>", "provider permission mode: default, plan, auto, or bypass").option("--sandbox <mode>", "provider sandbox: codewith/codex use read-only/workspace-write/danger-full-access; cursor uses enabled/disabled").option("--allow-tool <name>", "advisory per-session tool allowlist metadata; may be repeated or comma-separated", collectValues, []).option("--allow-command <name>", "advisory per-session command allowlist metadata; may be repeated or comma-separated", collectValues, []).option("--config-isolation <mode>", "safe or none", "safe"))))).action((name, opts) => {
+addGoalOptions(addAccountOptions(addMachineOptions(addScheduleOptions(create.command("agent <name>").description("create a headless coding-agent loop").requiredOption("--provider <provider>", "claude, cursor, codewith, aicopilot, opencode, or codex").requiredOption("--prompt <prompt>", "agent prompt").option("--cwd <dir>", "working directory").option("--model <model>", "model").option("--variant <variant>", "provider-specific model variant or reasoning effort").option("--agent <agent>", "provider-specific agent").option("--auth-profile <profile>", "provider-native auth profile; currently supported for codewith").option("--timeout <duration>", "run timeout").option("--permission-mode <mode>", "provider permission mode: default, plan, auto, or bypass").option("--sandbox <mode>", "provider sandbox: codewith/codex use read-only/workspace-write/danger-full-access; cursor uses enabled/disabled").option("--allow-tool <name>", "advisory per-session tool allowlist metadata; may be repeated or comma-separated", collectValues, []).option("--allow-command <name>", "advisory per-session command allowlist metadata; may be repeated or comma-separated", collectValues, []).option("--config-isolation <mode>", "safe or none", "safe").option("--preflight", "check target executables/accounts before storing the loop"))))).action((name, opts) => {
   const provider = opts.provider;
   if (!["claude", "cursor", "codewith", "aicopilot", "opencode", "codex"].includes(provider)) {
     throw new Error("unsupported provider");
@@ -6063,13 +6151,15 @@ addGoalOptions(addAccountOptions(addMachineOptions(addScheduleOptions(create.com
       allowlist: allowlistFromOpts(opts),
       account: accountFromOpts(opts)
     };
-    const loop = store.createLoop(baseCreateInput(name, opts, target));
-    print(publicLoop(loop), `created loop ${loop.id} (${loop.name}) next=${loop.nextRunAt}`);
+    const input = baseCreateInput(name, opts, target);
+    const preflight = opts.preflight ? preflightLoopTarget(input.target, { name, type: "agent", provider }, { loopName: name }, { machine: input.machine }) : undefined;
+    const loop = store.createLoop(input);
+    printCreatedLoop(loop, `created loop ${loop.id} (${loop.name}) next=${loop.nextRunAt}`, preflight);
   } finally {
     store.close();
   }
 });
-addGoalOptions(addMachineOptions(addScheduleOptions(create.command("workflow <name>").description("schedule a stored workflow").requiredOption("--workflow <idOrName>", "workflow id or name")))).action((name, opts) => {
+addGoalOptions(addMachineOptions(addScheduleOptions(create.command("workflow <name>").description("schedule a stored workflow").requiredOption("--workflow <idOrName>", "workflow id or name").option("--preflight", "check workflow step executables/accounts before storing the loop")))).action((name, opts) => {
   const store = new Store;
   try {
     const workflow = store.requireWorkflow(opts.workflow);
@@ -6077,8 +6167,10 @@ addGoalOptions(addMachineOptions(addScheduleOptions(create.command("workflow <na
       type: "workflow",
       workflowId: workflow.id
     };
-    const loop = store.createLoop(baseCreateInput(name, opts, target));
-    print(publicLoop(loop), `created workflow loop ${loop.id} (${loop.name}) workflow=${workflow.name} next=${loop.nextRunAt}`);
+    const input = baseCreateInput(name, opts, target);
+    const preflight = opts.preflight ? preflightStoredWorkflow(workflow, { name, type: "workflow", workflow: workflow.name }, { machine: input.machine }) : undefined;
+    const loop = store.createLoop(input);
+    printCreatedLoop(loop, `created workflow loop ${loop.id} (${loop.name}) workflow=${workflow.name} next=${loop.nextRunAt}`, preflight);
   } finally {
     store.close();
   }

package/dist/daemon/index.js

@@ -2724,6 +2724,7 @@ function commandSpec(target) {
     timeoutMs: agentTarget.timeoutMs ?? DEFAULT_TIMEOUT_MS,
     account: agentTarget.account,
     accountTool: agentTarget.account?.tool ?? accountToolForProvider(agentTarget.provider),
+    nativeAuthProfile: agentTarget.authProfile ? { provider: agentTarget.provider, profile: agentTarget.authProfile } : undefined,
     preflightAnyOf: agentTarget.provider === "cursor" ? ["cursor", "agent"] : undefined,
     stdin: agentTarget.prompt,
     allowlist: agentTarget.allowlist
@@ -2805,6 +2806,9 @@ function remotePreflightScript(spec, metadata) {
   if (spec.preflightAnyOf?.length) {
     lines.push(`if ! ${spec.preflightAnyOf.map((command) => `command -v ${shellQuote(command)} >/dev/null 2>&1`).join(" && ! ")}; then`, `  echo 'none of required executables found: ${spec.preflightAnyOf.join(", ")}' >&2`, "  exit 127", "fi");
   }
+  if (spec.nativeAuthProfile?.provider === "codewith") {
+    lines.push(`__OPENLOOPS_CODEWITH_PROFILES="$(${shellQuote(spec.command)} profile list)" || {`, `  printf '%s\\n' ${shellQuote("codewith auth profile preflight failed")} >&2`, "  exit 1", "}", `if ! printf '%s\\n' "$__OPENLOOPS_CODEWITH_PROFILES" | awk 'NR > 1 { print $1 }' | grep -Fx ${shellQuote(spec.nativeAuthProfile.profile)} >/dev/null; then`, `  printf '%s\\n' ${shellQuote(`codewith auth profile not found: ${spec.nativeAuthProfile.profile}`)} >&2`, "  exit 1", "fi");
+  }
   return lines.join(`
 `);
 }
@@ -2820,6 +2824,29 @@ function transportEnv(opts) {
   env.PATH = normalizeExecutionPath(env);
   return env;
 }
+function preflightNativeAuthProfile(spec, env) {
+  if (!spec.nativeAuthProfile)
+    return;
+  if (spec.nativeAuthProfile.provider !== "codewith")
+    return;
+  const result = spawnSync2(spec.command, ["profile", "list"], {
+    encoding: "utf8",
+    env,
+    stdio: ["ignore", "pipe", "pipe"],
+    timeout: 15000
+  });
+  if (result.error) {
+    throw new Error(`codewith auth profile preflight failed: ${result.error.message}`);
+  }
+  if ((result.status ?? 1) !== 0) {
+    const detail = (result.stderr || result.stdout || `exit ${result.status ?? "unknown"}`).trim();
+    throw new Error(`codewith auth profile preflight failed${detail ? `: ${detail}` : ""}`);
+  }
+  const profiles = new Set((result.stdout || "").split(/\r?\n/).slice(1).map((line) => line.trim().split(/\s+/)[0]).filter(Boolean));
+  if (!profiles.has(spec.nativeAuthProfile.profile)) {
+    throw new Error(`codewith auth profile not found: ${spec.nativeAuthProfile.profile}`);
+  }
+}
 function preflightRemoteSpec(spec, machine, metadata, opts) {
   const plan = (opts.machineCommandResolver ?? resolveMachineCommand)(machine.id, "bash -s");
   const result = spawnSync2(plan.command, plan.args, {
@@ -2961,6 +2988,7 @@ function preflightTarget(target, metadata = {}, opts = {}) {
   if (spec.preflightAnyOf?.length && !spec.preflightAnyOf.some((command) => executableExists(command, env))) {
     throw new Error(`none of required executables found: ${spec.preflightAnyOf.join(", ")}`);
   }
+  preflightNativeAuthProfile(spec, env);
   return {
     command: spec.command,
     accountProfile: spec.account?.profile,
@@ -3002,6 +3030,19 @@ async function executeTarget(target, metadata = {}, opts = {}) {
       durationMs: 0
     };
   }
+  try {
+    preflightNativeAuthProfile(spec, env);
+  } catch (err) {
+    return {
+      status: "failed",
+      stdout: "",
+      stderr: "",
+      error: err instanceof Error ? err.message : String(err),
+      startedAt,
+      finishedAt: nowIso(),
+      durationMs: 0
+    };
+  }
   const child = spawn(spec.command, spec.args, {
     cwd: spec.cwd,
     env,
@@ -3658,11 +3699,21 @@ async function executeWorkflow(store, workflow, opts = {}) {
   return workflowResult(finalRun, terminalStatus, startedAt, finishedAt, JSON.stringify({ workflowRun: finalRun, steps }, null, 2), blockingError);
 }
 function preflightWorkflow(workflow, opts = {}) {
-  return workflowExecutionOrder(workflow).map((step) => preflightTarget(targetWithStepAccount(step), {
-    workflowId: workflow.id,
-    workflowName: workflow.name,
-    workflowStepId: step.id
-  }, opts));
+  return workflowExecutionOrder(workflow).map((step) => {
+    try {
+      return {
+        workflowStepId: step.id,
+        ...preflightTarget(targetWithStepAccount(step), {
+          workflowId: workflow.id,
+          workflowName: workflow.name,
+          workflowStepId: step.id
+        }, opts)
+      };
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      throw new Error(`workflow step ${step.id} preflight failed: ${message}`);
+    }
+  });
 }
 async function executeLoopTarget(store, loop, run, opts = {}) {
   if (loop.target.type !== "workflow") {
@@ -4419,7 +4470,7 @@ function enableStartup(result) {
 // package.json
 var package_default = {
   name: "@hasna/loops",
-  version: "0.3.21",
+  version: "0.3.22",
   description: "Persistent local loop and workflow runner for deterministic commands and headless AI coding agents",
   type: "module",
   main: "dist/index.js",

package/dist/index.js

@@ -2714,6 +2714,7 @@ function commandSpec(target) {
     timeoutMs: agentTarget.timeoutMs ?? DEFAULT_TIMEOUT_MS,
     account: agentTarget.account,
     accountTool: agentTarget.account?.tool ?? accountToolForProvider(agentTarget.provider),
+    nativeAuthProfile: agentTarget.authProfile ? { provider: agentTarget.provider, profile: agentTarget.authProfile } : undefined,
     preflightAnyOf: agentTarget.provider === "cursor" ? ["cursor", "agent"] : undefined,
     stdin: agentTarget.prompt,
     allowlist: agentTarget.allowlist
@@ -2795,6 +2796,9 @@ function remotePreflightScript(spec, metadata) {
   if (spec.preflightAnyOf?.length) {
     lines.push(`if ! ${spec.preflightAnyOf.map((command) => `command -v ${shellQuote(command)} >/dev/null 2>&1`).join(" && ! ")}; then`, `  echo 'none of required executables found: ${spec.preflightAnyOf.join(", ")}' >&2`, "  exit 127", "fi");
   }
+  if (spec.nativeAuthProfile?.provider === "codewith") {
+    lines.push(`__OPENLOOPS_CODEWITH_PROFILES="$(${shellQuote(spec.command)} profile list)" || {`, `  printf '%s\\n' ${shellQuote("codewith auth profile preflight failed")} >&2`, "  exit 1", "}", `if ! printf '%s\\n' "$__OPENLOOPS_CODEWITH_PROFILES" | awk 'NR > 1 { print $1 }' | grep -Fx ${shellQuote(spec.nativeAuthProfile.profile)} >/dev/null; then`, `  printf '%s\\n' ${shellQuote(`codewith auth profile not found: ${spec.nativeAuthProfile.profile}`)} >&2`, "  exit 1", "fi");
+  }
   return lines.join(`
 `);
 }
@@ -2810,6 +2814,29 @@ function transportEnv(opts) {
   env.PATH = normalizeExecutionPath(env);
   return env;
 }
+function preflightNativeAuthProfile(spec, env) {
+  if (!spec.nativeAuthProfile)
+    return;
+  if (spec.nativeAuthProfile.provider !== "codewith")
+    return;
+  const result = spawnSync2(spec.command, ["profile", "list"], {
+    encoding: "utf8",
+    env,
+    stdio: ["ignore", "pipe", "pipe"],
+    timeout: 15000
+  });
+  if (result.error) {
+    throw new Error(`codewith auth profile preflight failed: ${result.error.message}`);
+  }
+  if ((result.status ?? 1) !== 0) {
+    const detail = (result.stderr || result.stdout || `exit ${result.status ?? "unknown"}`).trim();
+    throw new Error(`codewith auth profile preflight failed${detail ? `: ${detail}` : ""}`);
+  }
+  const profiles = new Set((result.stdout || "").split(/\r?\n/).slice(1).map((line) => line.trim().split(/\s+/)[0]).filter(Boolean));
+  if (!profiles.has(spec.nativeAuthProfile.profile)) {
+    throw new Error(`codewith auth profile not found: ${spec.nativeAuthProfile.profile}`);
+  }
+}
 function preflightRemoteSpec(spec, machine, metadata, opts) {
   const plan = (opts.machineCommandResolver ?? resolveMachineCommand)(machine.id, "bash -s");
   const result = spawnSync2(plan.command, plan.args, {
@@ -2951,6 +2978,7 @@ function preflightTarget(target, metadata = {}, opts = {}) {
   if (spec.preflightAnyOf?.length && !spec.preflightAnyOf.some((command) => executableExists(command, env))) {
     throw new Error(`none of required executables found: ${spec.preflightAnyOf.join(", ")}`);
   }
+  preflightNativeAuthProfile(spec, env);
   return {
     command: spec.command,
     accountProfile: spec.account?.profile,
@@ -2992,6 +3020,19 @@ async function executeTarget(target, metadata = {}, opts = {}) {
       durationMs: 0
     };
   }
+  try {
+    preflightNativeAuthProfile(spec, env);
+  } catch (err) {
+    return {
+      status: "failed",
+      stdout: "",
+      stderr: "",
+      error: err instanceof Error ? err.message : String(err),
+      startedAt,
+      finishedAt: nowIso(),
+      durationMs: 0
+    };
+  }
   const child = spawn(spec.command, spec.args, {
     cwd: spec.cwd,
     env,
@@ -3648,11 +3689,21 @@ async function executeWorkflow(store, workflow, opts = {}) {
   return workflowResult(finalRun, terminalStatus, startedAt, finishedAt, JSON.stringify({ workflowRun: finalRun, steps }, null, 2), blockingError);
 }
 function preflightWorkflow(workflow, opts = {}) {
-  return workflowExecutionOrder(workflow).map((step) => preflightTarget(targetWithStepAccount(step), {
-    workflowId: workflow.id,
-    workflowName: workflow.name,
-    workflowStepId: step.id
-  }, opts));
+  return workflowExecutionOrder(workflow).map((step) => {
+    try {
+      return {
+        workflowStepId: step.id,
+        ...preflightTarget(targetWithStepAccount(step), {
+          workflowId: workflow.id,
+          workflowName: workflow.name,
+          workflowStepId: step.id
+        }, opts)
+      };
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      throw new Error(`workflow step ${step.id} preflight failed: ${message}`);
+    }
+  });
 }
 async function executeLoopTarget(store, loop, run, opts = {}) {
   if (loop.target.type !== "workflow") {

package/dist/sdk/index.js

@@ -2714,6 +2714,7 @@ function commandSpec(target) {
     timeoutMs: agentTarget.timeoutMs ?? DEFAULT_TIMEOUT_MS,
     account: agentTarget.account,
     accountTool: agentTarget.account?.tool ?? accountToolForProvider(agentTarget.provider),
+    nativeAuthProfile: agentTarget.authProfile ? { provider: agentTarget.provider, profile: agentTarget.authProfile } : undefined,
     preflightAnyOf: agentTarget.provider === "cursor" ? ["cursor", "agent"] : undefined,
     stdin: agentTarget.prompt,
     allowlist: agentTarget.allowlist
@@ -2795,6 +2796,9 @@ function remotePreflightScript(spec, metadata) {
   if (spec.preflightAnyOf?.length) {
     lines.push(`if ! ${spec.preflightAnyOf.map((command) => `command -v ${shellQuote(command)} >/dev/null 2>&1`).join(" && ! ")}; then`, `  echo 'none of required executables found: ${spec.preflightAnyOf.join(", ")}' >&2`, "  exit 127", "fi");
   }
+  if (spec.nativeAuthProfile?.provider === "codewith") {
+    lines.push(`__OPENLOOPS_CODEWITH_PROFILES="$(${shellQuote(spec.command)} profile list)" || {`, `  printf '%s\\n' ${shellQuote("codewith auth profile preflight failed")} >&2`, "  exit 1", "}", `if ! printf '%s\\n' "$__OPENLOOPS_CODEWITH_PROFILES" | awk 'NR > 1 { print $1 }' | grep -Fx ${shellQuote(spec.nativeAuthProfile.profile)} >/dev/null; then`, `  printf '%s\\n' ${shellQuote(`codewith auth profile not found: ${spec.nativeAuthProfile.profile}`)} >&2`, "  exit 1", "fi");
+  }
   return lines.join(`
 `);
 }
@@ -2810,6 +2814,29 @@ function transportEnv(opts) {
   env.PATH = normalizeExecutionPath(env);
   return env;
 }
+function preflightNativeAuthProfile(spec, env) {
+  if (!spec.nativeAuthProfile)
+    return;
+  if (spec.nativeAuthProfile.provider !== "codewith")
+    return;
+  const result = spawnSync2(spec.command, ["profile", "list"], {
+    encoding: "utf8",
+    env,
+    stdio: ["ignore", "pipe", "pipe"],
+    timeout: 15000
+  });
+  if (result.error) {
+    throw new Error(`codewith auth profile preflight failed: ${result.error.message}`);
+  }
+  if ((result.status ?? 1) !== 0) {
+    const detail = (result.stderr || result.stdout || `exit ${result.status ?? "unknown"}`).trim();
+    throw new Error(`codewith auth profile preflight failed${detail ? `: ${detail}` : ""}`);
+  }
+  const profiles = new Set((result.stdout || "").split(/\r?\n/).slice(1).map((line) => line.trim().split(/\s+/)[0]).filter(Boolean));
+  if (!profiles.has(spec.nativeAuthProfile.profile)) {
+    throw new Error(`codewith auth profile not found: ${spec.nativeAuthProfile.profile}`);
+  }
+}
 function preflightRemoteSpec(spec, machine, metadata, opts) {
   const plan = (opts.machineCommandResolver ?? resolveMachineCommand)(machine.id, "bash -s");
   const result = spawnSync2(plan.command, plan.args, {
@@ -2951,6 +2978,7 @@ function preflightTarget(target, metadata = {}, opts = {}) {
   if (spec.preflightAnyOf?.length && !spec.preflightAnyOf.some((command) => executableExists(command, env))) {
     throw new Error(`none of required executables found: ${spec.preflightAnyOf.join(", ")}`);
   }
+  preflightNativeAuthProfile(spec, env);
   return {
     command: spec.command,
     accountProfile: spec.account?.profile,
@@ -2992,6 +3020,19 @@ async function executeTarget(target, metadata = {}, opts = {}) {
       durationMs: 0
     };
   }
+  try {
+    preflightNativeAuthProfile(spec, env);
+  } catch (err) {
+    return {
+      status: "failed",
+      stdout: "",
+      stderr: "",
+      error: err instanceof Error ? err.message : String(err),
+      startedAt,
+      finishedAt: nowIso(),
+      durationMs: 0
+    };
+  }
   const child = spawn(spec.command, spec.args, {
     cwd: spec.cwd,
     env,
@@ -3648,11 +3689,21 @@ async function executeWorkflow(store, workflow, opts = {}) {
   return workflowResult(finalRun, terminalStatus, startedAt, finishedAt, JSON.stringify({ workflowRun: finalRun, steps }, null, 2), blockingError);
 }
 function preflightWorkflow(workflow, opts = {}) {
-  return workflowExecutionOrder(workflow).map((step) => preflightTarget(targetWithStepAccount(step), {
-    workflowId: workflow.id,
-    workflowName: workflow.name,
-    workflowStepId: step.id
-  }, opts));
+  return workflowExecutionOrder(workflow).map((step) => {
+    try {
+      return {
+        workflowStepId: step.id,
+        ...preflightTarget(targetWithStepAccount(step), {
+          workflowId: workflow.id,
+          workflowName: workflow.name,
+          workflowStepId: step.id
+        }, opts)
+      };
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      throw new Error(`workflow step ${step.id} preflight failed: ${message}`);
+    }
+  });
 }
 async function executeLoopTarget(store, loop, run, opts = {}) {
   if (loop.target.type !== "workflow") {

package/docs/USAGE.md

@@ -49,6 +49,28 @@ Run a deterministic command every minute:
 loops create command repo-status --every 1m --cmd "git status --short" --cwd /path/to/repo
 ```
 
+Validate the target before storing the loop:
+
+```bash
+loops create command repo-status \
+  --every 1m \
+  --cmd git \
+  --no-shell \
+  --preflight
+```
+
+`--preflight` is available on `loops create command`, `loops create agent`, and
+`loops create workflow`. It checks target executables and configured account
+profiles before the loop row is stored, so a missing command, provider binary,
+OpenAccounts profile, or workflow step dependency fails without creating a
+scheduled loop. Use `--json` with `--preflight` to capture stable machine-readable
+preflight evidence.
+
+For shell command loops, preflight can only verify the shell plus configured
+accounts because the command string is interpreted later by the shell. Use
+`--no-shell` or workflow command `args` when you need executable-level
+validation before storing the loop.
+
 Run a Claude loop every morning:
 
 ```bash

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hasna/loops",
-  "version": "0.3.21",
+  "version": "0.3.22",
   "description": "Persistent local loop and workflow runner for deterministic commands and headless AI coding agents",
   "type": "module",
   "main": "dist/index.js",