@hasna/loops 0.3.21 → 0.3.23

package/dist/cli/index.js

@@ -2833,6 +2833,7 @@ function commandSpec(target) {
     timeoutMs: agentTarget.timeoutMs ?? DEFAULT_TIMEOUT_MS,
     account: agentTarget.account,
     accountTool: agentTarget.account?.tool ?? accountToolForProvider(agentTarget.provider),
+    nativeAuthProfile: agentTarget.authProfile ? { provider: agentTarget.provider, profile: agentTarget.authProfile } : undefined,
     preflightAnyOf: agentTarget.provider === "cursor" ? ["cursor", "agent"] : undefined,
     stdin: agentTarget.prompt,
     allowlist: agentTarget.allowlist
@@ -2914,6 +2915,9 @@ function remotePreflightScript(spec, metadata) {
   if (spec.preflightAnyOf?.length) {
     lines.push(`if ! ${spec.preflightAnyOf.map((command) => `command -v ${shellQuote(command)} >/dev/null 2>&1`).join(" && ! ")}; then`, `  echo 'none of required executables found: ${spec.preflightAnyOf.join(", ")}' >&2`, "  exit 127", "fi");
   }
+  if (spec.nativeAuthProfile?.provider === "codewith") {
+    lines.push(`__OPENLOOPS_CODEWITH_PROFILES="$(${shellQuote(spec.command)} profile list)" || {`, `  printf '%s\\n' ${shellQuote("codewith auth profile preflight failed")} >&2`, "  exit 1", "}", `if ! printf '%s\\n' "$__OPENLOOPS_CODEWITH_PROFILES" | awk 'NR > 1 { print $1 }' | grep -Fx ${shellQuote(spec.nativeAuthProfile.profile)} >/dev/null; then`, `  printf '%s\\n' ${shellQuote(`codewith auth profile not found: ${spec.nativeAuthProfile.profile}`)} >&2`, "  exit 1", "fi");
+  }
   return lines.join(`
 `);
 }
@@ -2929,6 +2933,29 @@ function transportEnv(opts) {
   env.PATH = normalizeExecutionPath(env);
   return env;
 }
+function preflightNativeAuthProfile(spec, env) {
+  if (!spec.nativeAuthProfile)
+    return;
+  if (spec.nativeAuthProfile.provider !== "codewith")
+    return;
+  const result = spawnSync2(spec.command, ["profile", "list"], {
+    encoding: "utf8",
+    env,
+    stdio: ["ignore", "pipe", "pipe"],
+    timeout: 15000
+  });
+  if (result.error) {
+    throw new Error(`codewith auth profile preflight failed: ${result.error.message}`);
+  }
+  if ((result.status ?? 1) !== 0) {
+    const detail = (result.stderr || result.stdout || `exit ${result.status ?? "unknown"}`).trim();
+    throw new Error(`codewith auth profile preflight failed${detail ? `: ${detail}` : ""}`);
+  }
+  const profiles = new Set((result.stdout || "").split(/\r?\n/).slice(1).map((line) => line.trim().split(/\s+/)[0]).filter(Boolean));
+  if (!profiles.has(spec.nativeAuthProfile.profile)) {
+    throw new Error(`codewith auth profile not found: ${spec.nativeAuthProfile.profile}`);
+  }
+}
 function preflightRemoteSpec(spec, machine, metadata, opts) {
   const plan = (opts.machineCommandResolver ?? resolveMachineCommand)(machine.id, "bash -s");
   const result = spawnSync2(plan.command, plan.args, {
@@ -3070,6 +3097,7 @@ function preflightTarget(target, metadata = {}, opts = {}) {
   if (spec.preflightAnyOf?.length && !spec.preflightAnyOf.some((command) => executableExists(command, env))) {
     throw new Error(`none of required executables found: ${spec.preflightAnyOf.join(", ")}`);
   }
+  preflightNativeAuthProfile(spec, env);
   return {
     command: spec.command,
     accountProfile: spec.account?.profile,
@@ -3111,6 +3139,19 @@ async function executeTarget(target, metadata = {}, opts = {}) {
       durationMs: 0
     };
   }
+  try {
+    preflightNativeAuthProfile(spec, env);
+  } catch (err) {
+    return {
+      status: "failed",
+      stdout: "",
+      stderr: "",
+      error: err instanceof Error ? err.message : String(err),
+      startedAt,
+      finishedAt: nowIso(),
+      durationMs: 0
+    };
+  }
   const child = spawn(spec.command, spec.args, {
     cwd: spec.cwd,
     env,
@@ -3767,11 +3808,21 @@ async function executeWorkflow(store, workflow, opts = {}) {
   return workflowResult(finalRun, terminalStatus, startedAt, finishedAt, JSON.stringify({ workflowRun: finalRun, steps }, null, 2), blockingError);
 }
 function preflightWorkflow(workflow, opts = {}) {
-  return workflowExecutionOrder(workflow).map((step) => preflightTarget(targetWithStepAccount(step), {
-    workflowId: workflow.id,
-    workflowName: workflow.name,
-    workflowStepId: step.id
-  }, opts));
+  return workflowExecutionOrder(workflow).map((step) => {
+    try {
+      return {
+        workflowStepId: step.id,
+        ...preflightTarget(targetWithStepAccount(step), {
+          workflowId: workflow.id,
+          workflowName: workflow.name,
+          workflowStepId: step.id
+        }, opts)
+      };
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      throw new Error(`workflow step ${step.id} preflight failed: ${message}`);
+    }
+  });
 }
 async function executeLoopTarget(store, loop, run, opts = {}) {
   if (loop.target.type !== "workflow") {
@@ -5092,7 +5143,7 @@ function buildScriptInventoryReport(store, opts = {}) {
 // package.json
 var package_default = {
   name: "@hasna/loops",
-  version: "0.3.21",
+  version: "0.3.23",
   description: "Persistent local loop and workflow runner for deterministic commands and headless AI coding agents",
   type: "module",
   main: "dist/index.js",
@@ -5576,6 +5627,55 @@ function print(value, human) {
   else
     console.log(human);
 }
+function printCreatedLoop(loop, human, preflight) {
+  if (preflight !== undefined)
+    print({ loop: publicLoop(loop), preflight }, human);
+  else
+    print(publicLoop(loop), human);
+}
+function preflightFailed(error, context) {
+  if (!isJson())
+    throw error;
+  const message = error instanceof Error ? error.message : String(error);
+  print({
+    ok: false,
+    created: false,
+    preflight: {
+      ok: false,
+      error: redact(message, 320)
+    },
+    ...context
+  });
+  process.exit(1);
+}
+function preflightLoopTarget(target, context, metadata, opts) {
+  try {
+    return preflightTarget(target, metadata, opts);
+  } catch (error) {
+    preflightFailed(error, context);
+  }
+}
+function preflightStoredWorkflow(workflow, context, opts) {
+  try {
+    return preflightWorkflow(workflow, opts);
+  } catch (error) {
+    preflightFailed(error, context);
+  }
+}
+function workflowSpecForPreflight(body, id = "validation") {
+  const now = new Date().toISOString();
+  return {
+    id,
+    name: body.name,
+    description: body.description,
+    version: body.version ?? 1,
+    status: "active",
+    goal: body.goal,
+    steps: body.steps,
+    createdAt: now,
+    updatedAt: now
+  };
+}
 function printTextOutput(value) {
   for (const line of textOutputBlocks(value, { indent: "  " }))
     console.log(line);
@@ -6020,7 +6120,7 @@ function permissionModeFromOpts(opts, provider) {
   return mode;
 }
 var create = program.command("create").description("create loops");
-addGoalOptions(addAccountOptions(addMachineOptions(addScheduleOptions(create.command("command <name>").description("create a deterministic shell command loop").requiredOption("--cmd <command>", "command string to execute").option("--cwd <dir>", "working directory").option("--timeout <duration>", "run timeout").option("--no-shell", "execute without a shell"))))).action((name, opts) => {
+addGoalOptions(addAccountOptions(addMachineOptions(addScheduleOptions(create.command("command <name>").description("create a deterministic shell command loop").requiredOption("--cmd <command>", "command string to execute").option("--cwd <dir>", "working directory").option("--timeout <duration>", "run timeout").option("--no-shell", "execute without a shell").option("--preflight", "check target executables/accounts before storing the loop"))))).action((name, opts) => {
   const store = new Store;
   try {
     const target = {
@@ -6031,13 +6131,15 @@ addGoalOptions(addAccountOptions(addMachineOptions(addScheduleOptions(create.com
       timeoutMs: opts.timeout ? parseDuration(opts.timeout) : undefined,
       account: accountFromOpts(opts)
     };
-    const loop = store.createLoop(baseCreateInput(name, opts, target));
-    print(publicLoop(loop), `created loop ${loop.id} (${loop.name}) next=${loop.nextRunAt}`);
+    const input = baseCreateInput(name, opts, target);
+    const preflight = opts.preflight ? preflightLoopTarget(input.target, { name, type: "command" }, { loopName: name }, { machine: input.machine }) : undefined;
+    const loop = store.createLoop(input);
+    printCreatedLoop(loop, `created loop ${loop.id} (${loop.name}) next=${loop.nextRunAt}`, preflight);
   } finally {
     store.close();
   }
 });
-addGoalOptions(addAccountOptions(addMachineOptions(addScheduleOptions(create.command("agent <name>").description("create a headless coding-agent loop").requiredOption("--provider <provider>", "claude, cursor, codewith, aicopilot, opencode, or codex").requiredOption("--prompt <prompt>", "agent prompt").option("--cwd <dir>", "working directory").option("--model <model>", "model").option("--variant <variant>", "provider-specific model variant or reasoning effort").option("--agent <agent>", "provider-specific agent").option("--auth-profile <profile>", "provider-native auth profile; currently supported for codewith").option("--timeout <duration>", "run timeout").option("--permission-mode <mode>", "provider permission mode: default, plan, auto, or bypass").option("--sandbox <mode>", "provider sandbox: codewith/codex use read-only/workspace-write/danger-full-access; cursor uses enabled/disabled").option("--allow-tool <name>", "advisory per-session tool allowlist metadata; may be repeated or comma-separated", collectValues, []).option("--allow-command <name>", "advisory per-session command allowlist metadata; may be repeated or comma-separated", collectValues, []).option("--config-isolation <mode>", "safe or none", "safe"))))).action((name, opts) => {
+addGoalOptions(addAccountOptions(addMachineOptions(addScheduleOptions(create.command("agent <name>").description("create a headless coding-agent loop").requiredOption("--provider <provider>", "claude, cursor, codewith, aicopilot, opencode, or codex").requiredOption("--prompt <prompt>", "agent prompt").option("--cwd <dir>", "working directory").option("--model <model>", "model").option("--variant <variant>", "provider-specific model variant or reasoning effort").option("--agent <agent>", "provider-specific agent").option("--auth-profile <profile>", "provider-native auth profile; currently supported for codewith").option("--timeout <duration>", "run timeout").option("--permission-mode <mode>", "provider permission mode: default, plan, auto, or bypass").option("--sandbox <mode>", "provider sandbox: codewith/codex use read-only/workspace-write/danger-full-access; cursor uses enabled/disabled").option("--allow-tool <name>", "advisory per-session tool allowlist metadata; may be repeated or comma-separated", collectValues, []).option("--allow-command <name>", "advisory per-session command allowlist metadata; may be repeated or comma-separated", collectValues, []).option("--config-isolation <mode>", "safe or none", "safe").option("--preflight", "check target executables/accounts before storing the loop"))))).action((name, opts) => {
   const provider = opts.provider;
   if (!["claude", "cursor", "codewith", "aicopilot", "opencode", "codex"].includes(provider)) {
     throw new Error("unsupported provider");
@@ -6063,13 +6165,15 @@ addGoalOptions(addAccountOptions(addMachineOptions(addScheduleOptions(create.com
       allowlist: allowlistFromOpts(opts),
       account: accountFromOpts(opts)
     };
-    const loop = store.createLoop(baseCreateInput(name, opts, target));
-    print(publicLoop(loop), `created loop ${loop.id} (${loop.name}) next=${loop.nextRunAt}`);
+    const input = baseCreateInput(name, opts, target);
+    const preflight = opts.preflight ? preflightLoopTarget(input.target, { name, type: "agent", provider }, { loopName: name }, { machine: input.machine }) : undefined;
+    const loop = store.createLoop(input);
+    printCreatedLoop(loop, `created loop ${loop.id} (${loop.name}) next=${loop.nextRunAt}`, preflight);
   } finally {
     store.close();
   }
 });
-addGoalOptions(addMachineOptions(addScheduleOptions(create.command("workflow <name>").description("schedule a stored workflow").requiredOption("--workflow <idOrName>", "workflow id or name")))).action((name, opts) => {
+addGoalOptions(addMachineOptions(addScheduleOptions(create.command("workflow <name>").description("schedule a stored workflow").requiredOption("--workflow <idOrName>", "workflow id or name").option("--preflight", "check workflow step executables/accounts before storing the loop")))).action((name, opts) => {
   const store = new Store;
   try {
     const workflow = store.requireWorkflow(opts.workflow);
@@ -6077,8 +6181,10 @@ addGoalOptions(addMachineOptions(addScheduleOptions(create.command("workflow <na
       type: "workflow",
       workflowId: workflow.id
     };
-    const loop = store.createLoop(baseCreateInput(name, opts, target));
-    print(publicLoop(loop), `created workflow loop ${loop.id} (${loop.name}) workflow=${workflow.name} next=${loop.nextRunAt}`);
+    const input = baseCreateInput(name, opts, target);
+    const preflight = opts.preflight ? preflightStoredWorkflow(workflow, { name, type: "workflow", workflow: workflow.name }, { machine: input.machine }) : undefined;
+    const loop = store.createLoop(input);
+    printCreatedLoop(loop, `created workflow loop ${loop.id} (${loop.name}) workflow=${workflow.name} next=${loop.nextRunAt}`, preflight);
   } finally {
     store.close();
   }
@@ -6119,7 +6225,7 @@ templates.command("create-workflow <id>").description("render and store a templa
   }
 });
 var eventsHandle = events.command("handle").description("handle a Hasna event envelope");
-eventsHandle.command("todos-task").description("create a one-shot worker/verifier workflow loop for a todos task event").option("--provider <provider>", "agent provider", "codewith").option("--auth-profile <profile>", "provider-native auth profile; currently supported for codewith").option("--auth-profile-pool <profiles>", "comma-separated provider-native auth profile pool").option("--worker-auth-profile <profile>", "provider-native auth profile for worker step").option("--verifier-auth-profile <profile>", "provider-native auth profile for verifier step").option("--account <profile>", "OpenAccounts profile name").option("--account-pool <profiles>", "comma-separated OpenAccounts profile pool").option("--worker-account <profile>", "OpenAccounts profile for worker step").option("--verifier-account <profile>", "OpenAccounts profile for verifier step").option("--account-tool <tool>", "OpenAccounts tool id").option("--model <model>", "provider model").option("--variant <variant>", "provider-specific model variant or reasoning effort").option("--agent <agent>", "provider-specific agent").option("--permission-mode <mode>", "provider permission mode: default, plan, auto, or bypass", "bypass").option("--sandbox <mode>", "provider sandbox").option("--project-path <path>", "fallback project/repo working directory").option("--name-prefix <prefix>", "workflow/loop name prefix", "event:todos-task").option("--dry-run", "print the workflow and loop input without storing anything").action(async (opts) => {
+eventsHandle.command("todos-task").description("create a one-shot worker/verifier workflow loop for a todos task event").option("--provider <provider>", "agent provider", "codewith").option("--auth-profile <profile>", "provider-native auth profile; currently supported for codewith").option("--auth-profile-pool <profiles>", "comma-separated provider-native auth profile pool").option("--worker-auth-profile <profile>", "provider-native auth profile for worker step").option("--verifier-auth-profile <profile>", "provider-native auth profile for verifier step").option("--account <profile>", "OpenAccounts profile name").option("--account-pool <profiles>", "comma-separated OpenAccounts profile pool").option("--worker-account <profile>", "OpenAccounts profile for worker step").option("--verifier-account <profile>", "OpenAccounts profile for verifier step").option("--account-tool <tool>", "OpenAccounts tool id").option("--model <model>", "provider model").option("--variant <variant>", "provider-specific model variant or reasoning effort").option("--agent <agent>", "provider-specific agent").option("--permission-mode <mode>", "provider permission mode: default, plan, auto, or bypass", "bypass").option("--sandbox <mode>", "provider sandbox").option("--project-path <path>", "fallback project/repo working directory").option("--name-prefix <prefix>", "workflow/loop name prefix", "event:todos-task").option("--preflight", "check generated workflow steps before storing the workflow loop").option("--dry-run", "print the workflow and loop input without storing anything").action(async (opts) => {
   const event = await readEventEnvelopeFromStdin();
   const data = eventData(event);
   const metadata = eventMetadata(event);
@@ -6188,7 +6294,12 @@ eventsHandle.command("todos-task").description("create a one-shot worker/verifie
     leaseMs: 90 * 60000
   };
   if (opts.dryRun) {
-    print({ deduped: false, idempotencyKey, event, workflow: workflowBody, loop: loopInput }, `dry-run ${loopName}`);
+    const preflight = opts.preflight ? preflightStoredWorkflow(workflowSpecForPreflight(workflowBody, "event-preflight"), {
+      name: workflowBody.name,
+      type: "todos-task-event-workflow",
+      event: event.id
+    }, {}) : undefined;
+    print({ deduped: false, idempotencyKey, event, workflow: workflowBody, loop: loopInput, preflight }, `dry-run ${loopName}`);
     return;
   }
   const store = new Store;
@@ -6207,17 +6318,23 @@ eventsHandle.command("todos-task").description("create a one-shot worker/verifie
       return;
     }
     const existingWorkflow = store.findWorkflowByName(workflowBody.name);
+    const workflowPreflightSpec = existingWorkflow ?? workflowSpecForPreflight(workflowBody, "event-preflight");
+    const preflight = opts.preflight ? preflightStoredWorkflow(workflowPreflightSpec, {
+      name: workflowBody.name,
+      type: "todos-task-event-workflow",
+      event: event.id
+    }, {}) : undefined;
     const workflow = existingWorkflow ?? store.createWorkflow(workflowBody);
     const loop = store.createLoop({
       ...loopInput,
       target: { type: "workflow", workflowId: workflow.id }
     });
-    print({ deduped: false, idempotencyKey, event, workflow: publicWorkflow(workflow), loop: publicLoop(loop) }, `created ${loop.id} (${loop.name}) workflow=${workflow.name} event=${event.id} idempotency=${idempotencyKey}`);
+    print({ deduped: false, idempotencyKey, event, workflow: publicWorkflow(workflow), loop: publicLoop(loop), preflight }, `created ${loop.id} (${loop.name}) workflow=${workflow.name} event=${event.id} idempotency=${idempotencyKey}`);
   } finally {
     store.close();
   }
 });
-eventsHandle.command("generic").description("create a one-shot worker/verifier workflow loop for any Hasna event").option("--provider <provider>", "agent provider", "codewith").option("--auth-profile <profile>", "provider-native auth profile; currently supported for codewith").option("--auth-profile-pool <profiles>", "comma-separated provider-native auth profile pool").option("--worker-auth-profile <profile>", "provider-native auth profile for worker step").option("--verifier-auth-profile <profile>", "provider-native auth profile for verifier step").option("--account <profile>", "OpenAccounts profile name").option("--account-pool <profiles>", "comma-separated OpenAccounts profile pool").option("--worker-account <profile>", "OpenAccounts profile for worker step").option("--verifier-account <profile>", "OpenAccounts profile for verifier step").option("--account-tool <tool>", "OpenAccounts tool id").option("--model <model>", "provider model").option("--variant <variant>", "provider-specific model variant or reasoning effort").option("--agent <agent>", "provider-specific agent").option("--permission-mode <mode>", "provider permission mode: default, plan, auto, or bypass", "bypass").option("--sandbox <mode>", "provider sandbox").option("--project-path <path>", "fallback project/repo working directory").option("--name-prefix <prefix>", "workflow/loop name prefix", "event:generic").option("--dry-run", "print the workflow and loop input without storing anything").action(async (opts) => {
+eventsHandle.command("generic").description("create a one-shot worker/verifier workflow loop for any Hasna event").option("--provider <provider>", "agent provider", "codewith").option("--auth-profile <profile>", "provider-native auth profile; currently supported for codewith").option("--auth-profile-pool <profiles>", "comma-separated provider-native auth profile pool").option("--worker-auth-profile <profile>", "provider-native auth profile for worker step").option("--verifier-auth-profile <profile>", "provider-native auth profile for verifier step").option("--account <profile>", "OpenAccounts profile name").option("--account-pool <profiles>", "comma-separated OpenAccounts profile pool").option("--worker-account <profile>", "OpenAccounts profile for worker step").option("--verifier-account <profile>", "OpenAccounts profile for verifier step").option("--account-tool <tool>", "OpenAccounts tool id").option("--model <model>", "provider model").option("--variant <variant>", "provider-specific model variant or reasoning effort").option("--agent <agent>", "provider-specific agent").option("--permission-mode <mode>", "provider permission mode: default, plan, auto, or bypass", "bypass").option("--sandbox <mode>", "provider sandbox").option("--project-path <path>", "fallback project/repo working directory").option("--name-prefix <prefix>", "workflow/loop name prefix", "event:generic").option("--preflight", "check generated workflow steps before storing the workflow loop").option("--dry-run", "print the workflow and loop input without storing anything").action(async (opts) => {
   const event = await readEventEnvelopeFromStdin();
   const data = eventData(event);
   const projectPath = opts.projectPath ?? taskEventField(data, ["working_dir", "workingDir", "project_path", "projectPath", "cwd", "repo_path", "repoPath"]) ?? process.cwd();
@@ -6267,7 +6384,12 @@ eventsHandle.command("generic").description("create a one-shot worker/verifier w
     leaseMs: 90 * 60000
   };
   if (opts.dryRun) {
-    print({ event, workflow: workflowBody, loop: loopInput }, `dry-run ${loopName}`);
+    const preflight = opts.preflight ? preflightStoredWorkflow(workflowSpecForPreflight(workflowBody, "event-preflight"), {
+      name: workflowBody.name,
+      type: "generic-event-workflow",
+      event: event.id
+    }, {}) : undefined;
+    print({ event, workflow: workflowBody, loop: loopInput, preflight }, `dry-run ${loopName}`);
     return;
   }
   const store = new Store;
@@ -6279,12 +6401,18 @@ eventsHandle.command("generic").description("create a one-shot worker/verifier w
       return;
     }
     const existingWorkflow = store.findWorkflowByName(workflowBody.name);
+    const workflowPreflightSpec = existingWorkflow ?? workflowSpecForPreflight(workflowBody, "event-preflight");
+    const preflight = opts.preflight ? preflightStoredWorkflow(workflowPreflightSpec, {
+      name: workflowBody.name,
+      type: "generic-event-workflow",
+      event: event.id
+    }, {}) : undefined;
     const workflow = existingWorkflow ?? store.createWorkflow(workflowBody);
     const loop = store.createLoop({
       ...loopInput,
       target: { type: "workflow", workflowId: workflow.id }
     });
-    print({ deduped: false, event, workflow: publicWorkflow(workflow), loop: publicLoop(loop) }, `created ${loop.id} (${loop.name}) workflow=${workflow.name}`);
+    print({ deduped: false, event, workflow: publicWorkflow(workflow), loop: publicLoop(loop), preflight }, `created ${loop.id} (${loop.name}) workflow=${workflow.name}`);
   } finally {
     store.close();
   }
@@ -6349,27 +6477,20 @@ machines.command("show <id>").description("resolve a machine assignment").action
 });
 workflows.command("validate <file>").description("validate a workflow JSON file without storing or running it").option("--name <name>", "override workflow name from the file").option("--preflight", "also check account env and target executables").action((file, opts) => {
   const body = workflowBodyFromJson(JSON.parse(readFileSync2(file, "utf8")), opts.name);
-  const now = new Date().toISOString();
-  const workflow = {
-    id: "validation",
-    name: body.name,
-    description: body.description,
-    version: body.version ?? 1,
-    status: "active",
-    goal: body.goal,
-    steps: body.steps,
-    createdAt: now,
-    updatedAt: now
-  };
+  const workflow = workflowSpecForPreflight(body);
   const preflight = opts.preflight ? preflightWorkflow(workflow) : undefined;
   print({ valid: true, workflow: publicWorkflow(workflow), preflight }, `valid workflow ${workflow.name} steps=${workflow.steps.length}`);
 });
-workflows.command("create <file>").description("validate and store a workflow JSON file").option("--name <name>", "override workflow name from the file").action((file, opts) => {
+workflows.command("create <file>").description("validate and store a workflow JSON file").option("--name <name>", "override workflow name from the file").option("--preflight", "also check account env and target executables before storing").action((file, opts) => {
   const store = new Store;
   try {
     const body = workflowBodyFromJson(JSON.parse(readFileSync2(file, "utf8")), opts.name);
+    const preflight = opts.preflight ? preflightStoredWorkflow(workflowSpecForPreflight(body, "creation-preflight"), { name: body.name, type: "workflow" }, {}) : undefined;
     const workflow = store.createWorkflow(body);
-    print(publicWorkflow(workflow), `created workflow ${workflow.id} (${workflow.name}) steps=${workflow.steps.length}`);
+    if (preflight !== undefined)
+      print({ workflow: publicWorkflow(workflow), preflight }, `created workflow ${workflow.id} (${workflow.name}) steps=${workflow.steps.length}`);
+    else
+      print(publicWorkflow(workflow), `created workflow ${workflow.id} (${workflow.name}) steps=${workflow.steps.length}`);
   } finally {
     store.close();
   }

package/dist/daemon/index.js

@@ -2724,6 +2724,7 @@ function commandSpec(target) {
     timeoutMs: agentTarget.timeoutMs ?? DEFAULT_TIMEOUT_MS,
     account: agentTarget.account,
     accountTool: agentTarget.account?.tool ?? accountToolForProvider(agentTarget.provider),
+    nativeAuthProfile: agentTarget.authProfile ? { provider: agentTarget.provider, profile: agentTarget.authProfile } : undefined,
     preflightAnyOf: agentTarget.provider === "cursor" ? ["cursor", "agent"] : undefined,
     stdin: agentTarget.prompt,
     allowlist: agentTarget.allowlist
@@ -2805,6 +2806,9 @@ function remotePreflightScript(spec, metadata) {
   if (spec.preflightAnyOf?.length) {
     lines.push(`if ! ${spec.preflightAnyOf.map((command) => `command -v ${shellQuote(command)} >/dev/null 2>&1`).join(" && ! ")}; then`, `  echo 'none of required executables found: ${spec.preflightAnyOf.join(", ")}' >&2`, "  exit 127", "fi");
   }
+  if (spec.nativeAuthProfile?.provider === "codewith") {
+    lines.push(`__OPENLOOPS_CODEWITH_PROFILES="$(${shellQuote(spec.command)} profile list)" || {`, `  printf '%s\\n' ${shellQuote("codewith auth profile preflight failed")} >&2`, "  exit 1", "}", `if ! printf '%s\\n' "$__OPENLOOPS_CODEWITH_PROFILES" | awk 'NR > 1 { print $1 }' | grep -Fx ${shellQuote(spec.nativeAuthProfile.profile)} >/dev/null; then`, `  printf '%s\\n' ${shellQuote(`codewith auth profile not found: ${spec.nativeAuthProfile.profile}`)} >&2`, "  exit 1", "fi");
+  }
   return lines.join(`
 `);
 }
@@ -2820,6 +2824,29 @@ function transportEnv(opts) {
   env.PATH = normalizeExecutionPath(env);
   return env;
 }
+function preflightNativeAuthProfile(spec, env) {
+  if (!spec.nativeAuthProfile)
+    return;
+  if (spec.nativeAuthProfile.provider !== "codewith")
+    return;
+  const result = spawnSync2(spec.command, ["profile", "list"], {
+    encoding: "utf8",
+    env,
+    stdio: ["ignore", "pipe", "pipe"],
+    timeout: 15000
+  });
+  if (result.error) {
+    throw new Error(`codewith auth profile preflight failed: ${result.error.message}`);
+  }
+  if ((result.status ?? 1) !== 0) {
+    const detail = (result.stderr || result.stdout || `exit ${result.status ?? "unknown"}`).trim();
+    throw new Error(`codewith auth profile preflight failed${detail ? `: ${detail}` : ""}`);
+  }
+  const profiles = new Set((result.stdout || "").split(/\r?\n/).slice(1).map((line) => line.trim().split(/\s+/)[0]).filter(Boolean));
+  if (!profiles.has(spec.nativeAuthProfile.profile)) {
+    throw new Error(`codewith auth profile not found: ${spec.nativeAuthProfile.profile}`);
+  }
+}
 function preflightRemoteSpec(spec, machine, metadata, opts) {
   const plan = (opts.machineCommandResolver ?? resolveMachineCommand)(machine.id, "bash -s");
   const result = spawnSync2(plan.command, plan.args, {
@@ -2961,6 +2988,7 @@ function preflightTarget(target, metadata = {}, opts = {}) {
   if (spec.preflightAnyOf?.length && !spec.preflightAnyOf.some((command) => executableExists(command, env))) {
     throw new Error(`none of required executables found: ${spec.preflightAnyOf.join(", ")}`);
   }
+  preflightNativeAuthProfile(spec, env);
   return {
     command: spec.command,
     accountProfile: spec.account?.profile,
@@ -3002,6 +3030,19 @@ async function executeTarget(target, metadata = {}, opts = {}) {
       durationMs: 0
     };
   }
+  try {
+    preflightNativeAuthProfile(spec, env);
+  } catch (err) {
+    return {
+      status: "failed",
+      stdout: "",
+      stderr: "",
+      error: err instanceof Error ? err.message : String(err),
+      startedAt,
+      finishedAt: nowIso(),
+      durationMs: 0
+    };
+  }
   const child = spawn(spec.command, spec.args, {
     cwd: spec.cwd,
     env,
@@ -3658,11 +3699,21 @@ async function executeWorkflow(store, workflow, opts = {}) {
   return workflowResult(finalRun, terminalStatus, startedAt, finishedAt, JSON.stringify({ workflowRun: finalRun, steps }, null, 2), blockingError);
 }
 function preflightWorkflow(workflow, opts = {}) {
-  return workflowExecutionOrder(workflow).map((step) => preflightTarget(targetWithStepAccount(step), {
-    workflowId: workflow.id,
-    workflowName: workflow.name,
-    workflowStepId: step.id
-  }, opts));
+  return workflowExecutionOrder(workflow).map((step) => {
+    try {
+      return {
+        workflowStepId: step.id,
+        ...preflightTarget(targetWithStepAccount(step), {
+          workflowId: workflow.id,
+          workflowName: workflow.name,
+          workflowStepId: step.id
+        }, opts)
+      };
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      throw new Error(`workflow step ${step.id} preflight failed: ${message}`);
+    }
+  });
 }
 async function executeLoopTarget(store, loop, run, opts = {}) {
   if (loop.target.type !== "workflow") {
@@ -4419,7 +4470,7 @@ function enableStartup(result) {
 // package.json
 var package_default = {
   name: "@hasna/loops",
-  version: "0.3.21",
+  version: "0.3.23",
   description: "Persistent local loop and workflow runner for deterministic commands and headless AI coding agents",
   type: "module",
   main: "dist/index.js",

package/dist/index.js

@@ -2714,6 +2714,7 @@ function commandSpec(target) {
     timeoutMs: agentTarget.timeoutMs ?? DEFAULT_TIMEOUT_MS,
     account: agentTarget.account,
     accountTool: agentTarget.account?.tool ?? accountToolForProvider(agentTarget.provider),
+    nativeAuthProfile: agentTarget.authProfile ? { provider: agentTarget.provider, profile: agentTarget.authProfile } : undefined,
     preflightAnyOf: agentTarget.provider === "cursor" ? ["cursor", "agent"] : undefined,
     stdin: agentTarget.prompt,
     allowlist: agentTarget.allowlist
@@ -2795,6 +2796,9 @@ function remotePreflightScript(spec, metadata) {
   if (spec.preflightAnyOf?.length) {
     lines.push(`if ! ${spec.preflightAnyOf.map((command) => `command -v ${shellQuote(command)} >/dev/null 2>&1`).join(" && ! ")}; then`, `  echo 'none of required executables found: ${spec.preflightAnyOf.join(", ")}' >&2`, "  exit 127", "fi");
   }
+  if (spec.nativeAuthProfile?.provider === "codewith") {
+    lines.push(`__OPENLOOPS_CODEWITH_PROFILES="$(${shellQuote(spec.command)} profile list)" || {`, `  printf '%s\\n' ${shellQuote("codewith auth profile preflight failed")} >&2`, "  exit 1", "}", `if ! printf '%s\\n' "$__OPENLOOPS_CODEWITH_PROFILES" | awk 'NR > 1 { print $1 }' | grep -Fx ${shellQuote(spec.nativeAuthProfile.profile)} >/dev/null; then`, `  printf '%s\\n' ${shellQuote(`codewith auth profile not found: ${spec.nativeAuthProfile.profile}`)} >&2`, "  exit 1", "fi");
+  }
   return lines.join(`
 `);
 }
@@ -2810,6 +2814,29 @@ function transportEnv(opts) {
   env.PATH = normalizeExecutionPath(env);
   return env;
 }
+function preflightNativeAuthProfile(spec, env) {
+  if (!spec.nativeAuthProfile)
+    return;
+  if (spec.nativeAuthProfile.provider !== "codewith")
+    return;
+  const result = spawnSync2(spec.command, ["profile", "list"], {
+    encoding: "utf8",
+    env,
+    stdio: ["ignore", "pipe", "pipe"],
+    timeout: 15000
+  });
+  if (result.error) {
+    throw new Error(`codewith auth profile preflight failed: ${result.error.message}`);
+  }
+  if ((result.status ?? 1) !== 0) {
+    const detail = (result.stderr || result.stdout || `exit ${result.status ?? "unknown"}`).trim();
+    throw new Error(`codewith auth profile preflight failed${detail ? `: ${detail}` : ""}`);
+  }
+  const profiles = new Set((result.stdout || "").split(/\r?\n/).slice(1).map((line) => line.trim().split(/\s+/)[0]).filter(Boolean));
+  if (!profiles.has(spec.nativeAuthProfile.profile)) {
+    throw new Error(`codewith auth profile not found: ${spec.nativeAuthProfile.profile}`);
+  }
+}
 function preflightRemoteSpec(spec, machine, metadata, opts) {
   const plan = (opts.machineCommandResolver ?? resolveMachineCommand)(machine.id, "bash -s");
   const result = spawnSync2(plan.command, plan.args, {
@@ -2951,6 +2978,7 @@ function preflightTarget(target, metadata = {}, opts = {}) {
   if (spec.preflightAnyOf?.length && !spec.preflightAnyOf.some((command) => executableExists(command, env))) {
     throw new Error(`none of required executables found: ${spec.preflightAnyOf.join(", ")}`);
   }
+  preflightNativeAuthProfile(spec, env);
   return {
     command: spec.command,
     accountProfile: spec.account?.profile,
@@ -2992,6 +3020,19 @@ async function executeTarget(target, metadata = {}, opts = {}) {
       durationMs: 0
     };
   }
+  try {
+    preflightNativeAuthProfile(spec, env);
+  } catch (err) {
+    return {
+      status: "failed",
+      stdout: "",
+      stderr: "",
+      error: err instanceof Error ? err.message : String(err),
+      startedAt,
+      finishedAt: nowIso(),
+      durationMs: 0
+    };
+  }
   const child = spawn(spec.command, spec.args, {
     cwd: spec.cwd,
     env,
@@ -3648,11 +3689,21 @@ async function executeWorkflow(store, workflow, opts = {}) {
   return workflowResult(finalRun, terminalStatus, startedAt, finishedAt, JSON.stringify({ workflowRun: finalRun, steps }, null, 2), blockingError);
 }
 function preflightWorkflow(workflow, opts = {}) {
-  return workflowExecutionOrder(workflow).map((step) => preflightTarget(targetWithStepAccount(step), {
-    workflowId: workflow.id,
-    workflowName: workflow.name,
-    workflowStepId: step.id
-  }, opts));
+  return workflowExecutionOrder(workflow).map((step) => {
+    try {
+      return {
+        workflowStepId: step.id,
+        ...preflightTarget(targetWithStepAccount(step), {
+          workflowId: workflow.id,
+          workflowName: workflow.name,
+          workflowStepId: step.id
+        }, opts)
+      };
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      throw new Error(`workflow step ${step.id} preflight failed: ${message}`);
+    }
+  });
 }
 async function executeLoopTarget(store, loop, run, opts = {}) {
   if (loop.target.type !== "workflow") {

package/dist/sdk/index.js

@@ -2714,6 +2714,7 @@ function commandSpec(target) {
     timeoutMs: agentTarget.timeoutMs ?? DEFAULT_TIMEOUT_MS,
     account: agentTarget.account,
     accountTool: agentTarget.account?.tool ?? accountToolForProvider(agentTarget.provider),
+    nativeAuthProfile: agentTarget.authProfile ? { provider: agentTarget.provider, profile: agentTarget.authProfile } : undefined,
     preflightAnyOf: agentTarget.provider === "cursor" ? ["cursor", "agent"] : undefined,
     stdin: agentTarget.prompt,
     allowlist: agentTarget.allowlist
@@ -2795,6 +2796,9 @@ function remotePreflightScript(spec, metadata) {
   if (spec.preflightAnyOf?.length) {
     lines.push(`if ! ${spec.preflightAnyOf.map((command) => `command -v ${shellQuote(command)} >/dev/null 2>&1`).join(" && ! ")}; then`, `  echo 'none of required executables found: ${spec.preflightAnyOf.join(", ")}' >&2`, "  exit 127", "fi");
   }
+  if (spec.nativeAuthProfile?.provider === "codewith") {
+    lines.push(`__OPENLOOPS_CODEWITH_PROFILES="$(${shellQuote(spec.command)} profile list)" || {`, `  printf '%s\\n' ${shellQuote("codewith auth profile preflight failed")} >&2`, "  exit 1", "}", `if ! printf '%s\\n' "$__OPENLOOPS_CODEWITH_PROFILES" | awk 'NR > 1 { print $1 }' | grep -Fx ${shellQuote(spec.nativeAuthProfile.profile)} >/dev/null; then`, `  printf '%s\\n' ${shellQuote(`codewith auth profile not found: ${spec.nativeAuthProfile.profile}`)} >&2`, "  exit 1", "fi");
+  }
   return lines.join(`
 `);
 }
@@ -2810,6 +2814,29 @@ function transportEnv(opts) {
   env.PATH = normalizeExecutionPath(env);
   return env;
 }
+function preflightNativeAuthProfile(spec, env) {
+  if (!spec.nativeAuthProfile)
+    return;
+  if (spec.nativeAuthProfile.provider !== "codewith")
+    return;
+  const result = spawnSync2(spec.command, ["profile", "list"], {
+    encoding: "utf8",
+    env,
+    stdio: ["ignore", "pipe", "pipe"],
+    timeout: 15000
+  });
+  if (result.error) {
+    throw new Error(`codewith auth profile preflight failed: ${result.error.message}`);
+  }
+  if ((result.status ?? 1) !== 0) {
+    const detail = (result.stderr || result.stdout || `exit ${result.status ?? "unknown"}`).trim();
+    throw new Error(`codewith auth profile preflight failed${detail ? `: ${detail}` : ""}`);
+  }
+  const profiles = new Set((result.stdout || "").split(/\r?\n/).slice(1).map((line) => line.trim().split(/\s+/)[0]).filter(Boolean));
+  if (!profiles.has(spec.nativeAuthProfile.profile)) {
+    throw new Error(`codewith auth profile not found: ${spec.nativeAuthProfile.profile}`);
+  }
+}
 function preflightRemoteSpec(spec, machine, metadata, opts) {
   const plan = (opts.machineCommandResolver ?? resolveMachineCommand)(machine.id, "bash -s");
   const result = spawnSync2(plan.command, plan.args, {
@@ -2951,6 +2978,7 @@ function preflightTarget(target, metadata = {}, opts = {}) {
   if (spec.preflightAnyOf?.length && !spec.preflightAnyOf.some((command) => executableExists(command, env))) {
     throw new Error(`none of required executables found: ${spec.preflightAnyOf.join(", ")}`);
   }
+  preflightNativeAuthProfile(spec, env);
   return {
     command: spec.command,
     accountProfile: spec.account?.profile,
@@ -2992,6 +3020,19 @@ async function executeTarget(target, metadata = {}, opts = {}) {
       durationMs: 0
     };
   }
+  try {
+    preflightNativeAuthProfile(spec, env);
+  } catch (err) {
+    return {
+      status: "failed",
+      stdout: "",
+      stderr: "",
+      error: err instanceof Error ? err.message : String(err),
+      startedAt,
+      finishedAt: nowIso(),
+      durationMs: 0
+    };
+  }
   const child = spawn(spec.command, spec.args, {
     cwd: spec.cwd,
     env,
@@ -3648,11 +3689,21 @@ async function executeWorkflow(store, workflow, opts = {}) {
   return workflowResult(finalRun, terminalStatus, startedAt, finishedAt, JSON.stringify({ workflowRun: finalRun, steps }, null, 2), blockingError);
 }
 function preflightWorkflow(workflow, opts = {}) {
-  return workflowExecutionOrder(workflow).map((step) => preflightTarget(targetWithStepAccount(step), {
-    workflowId: workflow.id,
-    workflowName: workflow.name,
-    workflowStepId: step.id
-  }, opts));
+  return workflowExecutionOrder(workflow).map((step) => {
+    try {
+      return {
+        workflowStepId: step.id,
+        ...preflightTarget(targetWithStepAccount(step), {
+          workflowId: workflow.id,
+          workflowName: workflow.name,
+          workflowStepId: step.id
+        }, opts)
+      };
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      throw new Error(`workflow step ${step.id} preflight failed: ${message}`);
+    }
+  });
 }
 async function executeLoopTarget(store, loop, run, opts = {}) {
   if (loop.target.type !== "workflow") {

package/docs/USAGE.md

@@ -49,6 +49,30 @@ Run a deterministic command every minute:
 loops create command repo-status --every 1m --cmd "git status --short" --cwd /path/to/repo
 ```
 
+Validate the target before storing the loop:
+
+```bash
+loops create command repo-status \
+  --every 1m \
+  --cmd git \
+  --no-shell \
+  --preflight
+```
+
+`--preflight` is available on `loops create command`, `loops create agent`,
+`loops create workflow`, `loops workflows create`, and event-router commands such
+as `loops events handle todos-task` and `loops events handle generic`. It checks
+target executables and configured account profiles before loop or workflow rows
+are stored, so a missing command, provider binary, OpenAccounts profile, native
+Codewith auth profile, or workflow step dependency fails without creating a
+scheduled loop. Use `--json` with `--preflight` to capture stable machine-readable
+preflight evidence.
+
+For shell command loops, preflight can only verify the shell plus configured
+accounts because the command string is interpreted later by the shell. Use
+`--no-shell` or workflow command `args` when you need executable-level
+validation before storing the loop.
+
 Run a Claude loop every morning:
 
 ```bash

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hasna/loops",
-  "version": "0.3.21",
+  "version": "0.3.23",
   "description": "Persistent local loop and workflow runner for deterministic commands and headless AI coding agents",
   "type": "module",
   "main": "dist/index.js",