@orchagent/cli 0.3.119 → 0.3.120

package/AGENT_GUIDE.md

@@ -0,0 +1,34 @@
+---
+name: orchagent-cli
+discovery:
+  full_context: "orch context"
+  command_contract: "orch describe <command> --json"
+output:
+  preferred: --json
+  non_tty_behavior: commands with --json auto-enable JSON when stdout is non-TTY
+---
+
+# orchagent CLI Agent Guide
+
+Use this file as an entry point for AI agents and automation tools.
+
+## Discovery
+
+- Run `orch context` to get a full, machine-readable command index in YAML-frontmatter markdown format.
+- Run `orch describe <command> --json` to get argument, flag, mutation, and example metadata for one command.
+
+## Auth
+
+- Set `ORCHAGENT_API_KEY` in the environment.
+- Use `orch login` to create or store credentials locally.
+
+## I/O Conventions
+
+- Prefer `--json` for stable parsing.
+- For JSON payloads, prefer `--data @file.json` or `--data @-` (stdin) for reliability.
+- Use explicit agent references (`org/name@version`) when possible.
+
+## Safety
+
+- Prefer `--dry-run` for mutating commands when available.
+- Inspect command contracts with `orch describe` before executing side effects.

package/dist/commands/agents.js

@@ -42,6 +42,7 @@ const chalk_1 = __importDefault(require("chalk"));
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const output_1 = require("../lib/output");
+const list_options_1 = require("../lib/list-options");
 /**
  * Given a list of agents, return only the latest version of each agent name.
  * "Latest" = highest created_at timestamp (most recently published).
@@ -73,6 +74,9 @@ function registerAgentsCommand(program) {
         .option('--filter <text>', 'Filter by name')
         .option('--all-versions', 'Show all versions (default: latest only)')
         .option('--json', 'Output raw JSON')
+        .option('--fields <fields>', 'Comma-separated fields to include in JSON output (implies --json)')
+        .option('--limit <n>', 'Maximum number of items to return')
+        .option('--offset <n>', 'Number of items to skip')
         .action(async (options) => {
         const config = await (0, config_1.getResolvedConfig)();
         // Resolve workspace context
@@ -95,8 +99,17 @@ function registerAgentsCommand(program) {
             displayAgents = grouped.agents;
             versionCounts = grouped.versionCounts;
         }
-        if (options.json) {
-            (0, output_1.printJson)(displayAgents);
+        // Apply client-side limit/offset
+        const limit = (0, list_options_1.parseIntOption)(options.limit);
+        const offset = (0, list_options_1.parseIntOption)(options.offset);
+        if (limit != null || offset != null) {
+            displayAgents = (0, list_options_1.applyLimitOffset)(displayAgents, limit, offset);
+        }
+        // --fields implies --json
+        const useJson = options.json || !!options.fields;
+        if (useJson) {
+            const fields = options.fields ? (0, list_options_1.parseFields)(options.fields) : undefined;
+            (0, output_1.printJson)(fields ? (0, list_options_1.filterFields)(displayAgents, fields) : displayAgents);
             return;
         }
         if (displayAgents.length === 0) {

package/dist/commands/context.js

@@ -0,0 +1,76 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildContextDocument = buildContextDocument;
+exports.registerContextCommand = registerContextCommand;
+const yaml_1 = __importDefault(require("yaml"));
+const package_json_1 = __importDefault(require("../../package.json"));
+const command_introspection_1 = require("../lib/command-introspection");
+function toContextCommands(program) {
+    return (0, command_introspection_1.buildCliCommandMetadata)(program).map((command) => ({
+        name: command.name,
+        description: command.description,
+        flags: (0, command_introspection_1.collectFlagNames)(command),
+        mutations: command.mutations,
+        ...(command.dryRun ? { dry_run: true } : {}),
+    }));
+}
+function buildGuideBody(commands) {
+    const commandIndex = commands
+        .map((command) => `- \`${command.name}\` - ${command.description || 'No description available'}`)
+        .join('\n');
+    const mutatingCommands = commands
+        .filter((command) => command.mutations)
+        .map((command) => `- \`${command.name}\`${command.dry_run ? ' (supports --dry-run)' : ''}`)
+        .join('\n');
+    return `# orchagent CLI - Agent Guide
+
+## Authentication
+Set \`ORCHAGENT_API_KEY\` in the environment. You can create a key with \`orch login\` or in the orchagent dashboard.
+
+## Discovery
+- Use \`orch context\` for a full command index plus machine-readable frontmatter.
+- Use \`orch describe <command> --json\` for detailed metadata on one command.
+
+## Output Conventions
+- Prefer \`--json\` when your caller needs structured output.
+- Commands that support \`--json\` automatically switch to JSON in non-TTY output.
+- For JSON inputs, prefer \`--data @file.json\` or \`--data @-\` (stdin) over shell-escaped inline blobs.
+
+## Common Patterns
+- Use explicit agent references when possible: \`org/name@version\`.
+- Use \`--dry-run\` before mutating operations whenever available.
+- For large automation flows, inspect command contracts with \`orch describe\` before execution.
+
+## Top-Level Commands
+${commandIndex}
+
+## Mutating Commands
+${mutatingCommands || '- None detected'}
+`;
+}
+function buildContextDocument(program) {
+    const commands = toContextCommands(program);
+    const version = program.version() || package_json_1.default.version;
+    const frontmatter = {
+        name: 'orchagent-cli',
+        version,
+        commands,
+    };
+    const body = buildGuideBody(commands).trim();
+    return `---\n${yaml_1.default.stringify(frontmatter).trim()}\n---\n\n${body}\n`;
+}
+function registerContextCommand(program) {
+    program
+        .command('context')
+        .description('Print an embedded CLI guide for AI agents (YAML frontmatter + markdown)')
+        .addHelpText('after', `
+Examples:
+  orch context
+`)
+        .action(() => {
+        process.stdout.write(buildContextDocument(program));
+    });
+}

package/dist/commands/describe.js

@@ -0,0 +1,131 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.registerDescribeCommand = registerDescribeCommand;
+const command_introspection_1 = require("../lib/command-introspection");
+const errors_1 = require("../lib/errors");
+const output_1 = require("../lib/output");
+function toDescribeOutput(command) {
+    return {
+        command: command.path,
+        description: command.description,
+        usage: `orch ${command.usage}`,
+        arguments: command.arguments.map((argument) => ({
+            name: argument.name,
+            required: argument.required,
+            variadic: argument.variadic,
+            format: argument.format,
+            ...(argument.description ? { description: argument.description } : {}),
+        })),
+        flags: command.flags.map((flag) => ({
+            name: flag.name,
+            type: flag.type,
+            required: flag.required,
+            ...(flag.valueRequired ? { value_required: true } : {}),
+            description: flag.description,
+            ...(flag.short ? { short: flag.short } : {}),
+            ...(flag.alias ? { alias: flag.alias } : {}),
+            ...(flag.choices ? { choices: flag.choices } : {}),
+            ...(flag.defaultValue !== undefined ? { default: flag.defaultValue } : {}),
+        })),
+        mutations: command.mutations,
+        dry_run: command.dryRun,
+        examples: command.examples,
+        aliases: command.aliases,
+        ...(command.subcommands.length > 0
+            ? {
+                subcommands: command.subcommands.map((subcommand) => ({
+                    command: subcommand.path,
+                    description: subcommand.description,
+                    usage: `orch ${subcommand.usage}`,
+                    mutations: subcommand.mutations,
+                    dry_run: subcommand.dryRun,
+                })),
+            }
+            : {}),
+    };
+}
+function renderMarkdown(command) {
+    const argumentLines = command.arguments.length > 0
+        ? command.arguments
+            .map((argument) => `- \`${argument.name}\` (${argument.required ? 'required' : 'optional'}, ${argument.format})${argument.description ? ` - ${argument.description}` : ''}`)
+            .join('\n')
+        : '- None';
+    const flagLines = command.flags.length > 0
+        ? command.flags
+            .map((flag) => {
+            const parts = [`\`${flag.name}\``];
+            if (flag.alias)
+                parts.push(`alias: \`${flag.alias}\``);
+            if (flag.short)
+                parts.push(`short: \`${flag.short}\``);
+            parts.push(`type: ${flag.type}`);
+            return `- ${parts.join(', ')} - ${flag.description}`;
+        })
+            .join('\n')
+        : '- None';
+    const subcommandLines = command.subcommands.length > 0
+        ? command.subcommands
+            .map((subcommand) => `- \`${subcommand.path}\` - ${subcommand.description}`)
+            .join('\n')
+        : '- None';
+    const exampleLines = command.examples.length > 0
+        ? command.examples.map((example) => `- \`${example}\``).join('\n')
+        : '- None';
+    return `# orch describe: ${command.path}
+
+## Description
+${command.description || 'No description available'}
+
+## Usage
+\`orch ${command.usage}\`
+
+## Mutations
+${command.mutations ? 'Yes' : 'No'}
+
+## Dry Run
+${command.dryRun ? 'Supported' : 'Not supported'}
+
+## Arguments
+${argumentLines}
+
+## Flags
+${flagLines}
+
+## Subcommands
+${subcommandLines}
+
+## Examples
+${exampleLines}
+`;
+}
+function resolveCommand(program, commandPath) {
+    const allCommands = (0, command_introspection_1.buildCliCommandMetadata)(program);
+    const match = (0, command_introspection_1.findCommandMetadata)(allCommands, commandPath);
+    if (match)
+        return match;
+    const query = commandPath.join(' ');
+    const err = new errors_1.CliError(`Unknown command "${query}"`, errors_1.ExitCodes.NOT_FOUND);
+    err.code = errors_1.ErrorCodes.NOT_FOUND;
+    err.hint = 'Run "orch context" to list available commands.';
+    throw err;
+}
+function registerDescribeCommand(program) {
+    program
+        .command('describe <command...>')
+        .description('Show machine-readable metadata for a single command')
+        .option('--json', 'Output machine-readable JSON (default)')
+        .option('--markdown', 'Output markdown instead of JSON')
+        .addHelpText('after', `
+Examples:
+  orch describe run --json
+  orch describe schedule create --json
+`)
+        .action((commandPath, options) => {
+        const command = resolveCommand(program, commandPath);
+        if (options.markdown) {
+            process.stdout.write(renderMarkdown(command));
+            return;
+        }
+        (0, output_1.printJson)(toDescribeOutput(command));
+    });
+}

package/dist/commands/index.js

@@ -46,6 +46,9 @@ const dag_1 = require("./dag");
 const completion_1 = require("./completion");
 const validate_1 = require("./validate");
 const storage_1 = require("./storage");
+const schema_1 = require("./schema");
+const context_1 = require("./context");
+const describe_1 = require("./describe");
 function registerCommands(program) {
     (0, login_1.registerLoginCommand)(program);
     (0, logout_1.registerLogoutCommand)(program);
@@ -92,4 +95,7 @@ function registerCommands(program) {
     (0, completion_1.registerCompletionCommand)(program);
     (0, validate_1.registerValidateCommand)(program);
     (0, storage_1.registerStorageCommand)(program);
+    (0, schema_1.registerSchemaCommand)(program);
+    (0, context_1.registerContextCommand)(program);
+    (0, describe_1.registerDescribeCommand)(program);
 }

package/dist/commands/info.js

@@ -3,12 +3,14 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.getAgentInfo = getAgentInfo;
 exports.registerInfoCommand = registerInfoCommand;
 const chalk_1 = __importDefault(require("chalk"));
 const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const agent_ref_1 = require("../lib/agent-ref");
 const errors_1 = require("../lib/errors");
+const list_options_1 = require("../lib/list-options");
 function formatSchema(schema, indent = '  ') {
     const lines = [];
     const props = schema.properties || {};
@@ -150,6 +152,7 @@ function registerInfoCommand(program) {
         .command('info <agent>')
         .description('Show agent details including inputs and outputs')
         .option('--json', 'Output as JSON')
+        .option('--fields <fields>', 'Comma-separated fields to include in JSON output (implies --json)')
         .action(async (agentArg, options) => {
         const config = await (0, config_1.getResolvedConfig)();
         const parsed = (0, agent_ref_1.parseAgentRef)(agentArg);
@@ -163,13 +166,16 @@ function registerInfoCommand(program) {
         const workspaceId = await (0, api_1.resolveWorkspaceIdForOrg)(config, org);
         // Fetch agent metadata
         const agentData = await getAgentInfo(config, org, agent, version, workspaceId);
-        if (options.json) {
+        // --fields implies --json
+        if (options.json || options.fields) {
             // Don't expose internal routing URLs in JSON output
             const output = { ...agentData };
             if (output.url?.includes('.internal')) {
                 delete output.url;
             }
-            process.stdout.write(JSON.stringify(output, null, 2) + '\n');
+            const fields = options.fields ? (0, list_options_1.parseFields)(options.fields) : undefined;
+            const data = fields ? (0, list_options_1.filterFields)(output, fields) : output;
+            process.stdout.write(JSON.stringify(data, null, 2) + '\n');
             return;
         }
         // Display agent info

package/dist/commands/login.js

@@ -27,10 +27,12 @@ function registerLoginCommand(program) {
         .option('--key <key>', 'API key (for CI/CD, non-interactive)')
         .option('--port <port>', `Localhost port for browser callback (default: ${DEFAULT_AUTH_PORT})`, String(DEFAULT_AUTH_PORT))
         .action(async (options) => {
-        const providedKey = options.key || process.env.ORCHAGENT_API_KEY;
-        // If key provided via flag or env var, use existing key-based flow
-        if (providedKey) {
-            await keyBasedLogin(providedKey);
+        // If key provided via --key flag, use key-based flow (for CI/CD)
+        // Note: ORCHAGENT_API_KEY env var is intentionally NOT checked here —
+        // it's for runtime API auth, not for login. Otherwise `orch login`
+        // can never reach the browser flow when the env var is set.
+        if (options.key) {
+            await keyBasedLogin(options.key);
             return;
         }
         // Check if running in non-interactive mode (no TTY)
@@ -61,13 +63,18 @@ async function keyBasedLogin(apiKey) {
         ...existing,
         api_key: apiKey,
         api_url: resolved.apiUrl,
-        default_org: existing.default_org ?? org.slug,
+        default_org: org.slug,
     };
     // Clear workspace from previous account — workspaces are account-specific
     delete nextConfig.workspace;
     await (0, config_1.saveConfig)(nextConfig);
     await (0, analytics_1.track)('cli_login', { method: 'key' });
     process.stdout.write(`✓ Logged in to ${org.slug}\n`);
+    if (process.env.ORCHAGENT_API_KEY) {
+        process.stderr.write('\nWarning: ORCHAGENT_API_KEY is set in your environment.\n' +
+            'The env var overrides your login credentials. Unset it with:\n' +
+            '  unset ORCHAGENT_API_KEY\n');
+    }
     if (isFirstLogin) {
         process.stdout.write('\n  Tip: Run `orch doctor` to verify your setup.\n\n');
     }
@@ -86,13 +93,18 @@ async function browserBasedLogin(port) {
             ...existing,
             api_key: result.apiKey,
             api_url: resolved.apiUrl,
-            default_org: existing.default_org ?? result.orgSlug,
+            default_org: result.orgSlug,
         };
         // Clear workspace from previous account — workspaces are account-specific
         delete nextConfig.workspace;
         await (0, config_1.saveConfig)(nextConfig);
         await (0, analytics_1.track)('cli_login', { method: 'browser' });
         process.stdout.write(`\n✓ Logged in to ${result.orgSlug}\n`);
+        if (process.env.ORCHAGENT_API_KEY) {
+            process.stderr.write('\nWarning: ORCHAGENT_API_KEY is set in your environment.\n' +
+                'The env var overrides your login credentials. Unset it with:\n' +
+                '  unset ORCHAGENT_API_KEY\n');
+        }
         if (isFirstLogin) {
             process.stdout.write('\n  Tip: Run `orch doctor` to verify your setup.\n\n');
         }

package/dist/commands/logs.js

@@ -10,6 +10,7 @@ const config_1 = require("../lib/config");
 const api_1 = require("../lib/api");
 const errors_1 = require("../lib/errors");
 const output_1 = require("../lib/output");
+const list_options_1 = require("../lib/list-options");
 // ============================================
 // HELPERS
 // ============================================
@@ -102,6 +103,16 @@ async function findServiceForAgent(config, workspaceId, agentName) {
         return null;
     }
 }
+/** Find all active (non-deleted) always-on services in the workspace. */
+async function findActiveServices(config, workspaceId) {
+    try {
+        const result = await (0, api_1.request)(config, 'GET', `/workspaces/${workspaceId}/services?limit=100`);
+        return result.services.filter((s) => s.current_state !== 'deleted');
+    }
+    catch {
+        return [];
+    }
+}
 /** Fetch and display logs from an always-on service. */
 async function showServiceLogs(config, workspaceId, service, limit, json) {
     const params = new URLSearchParams();
@@ -140,8 +151,10 @@ function registerLogsCommand(program) {
         .option('--workspace <slug>', 'Workspace slug (default: current workspace)')
         .option('--status <status>', 'Filter by status: running, completed, failed, timeout')
         .option('--limit <n>', 'Number of runs to show (default: 20)', '20')
+        .option('--offset <n>', 'Number of runs to skip')
         .option('--live', 'Show live logs from always-on service (skips run history)')
         .option('--json', 'Output as JSON')
+        .option('--fields <fields>', 'Comma-separated fields to include in JSON output (implies --json)')
         .action(async (target, options) => {
         const config = await (0, config_1.getResolvedConfig)();
         if (!config.apiKey) {
@@ -208,12 +221,19 @@ async function listRuns(config, workspaceId, agentName, options) {
         params.set('status', options.status);
     const limit = parseInt(options.limit ?? '20', 10);
     params.set('limit', String(Math.min(Math.max(1, limit), 200)));
+    if (options.offset) {
+        const offset = parseInt(options.offset, 10);
+        if (!isNaN(offset) && offset > 0)
+            params.set('offset', String(offset));
+    }
     const qs = params.toString() ? `?${params.toString()}` : '';
     const [result, service] = await Promise.all([
         (0, api_1.request)(config, 'GET', `/workspaces/${workspaceId}/runs${qs}`),
         servicePromise,
     ]);
-    if (options.json) {
+    // --fields implies --json
+    const useJson = options.json || !!options.fields;
+    if (useJson) {
         const payload = { ...result };
         if (service) {
             payload.service = {
@@ -223,15 +243,29 @@ async function listRuns(config, workspaceId, agentName, options) {
                 health_status: service.health_status,
             };
         }
+        if (options.fields) {
+            const fields = (0, list_options_1.parseFields)(options.fields);
+            payload.runs = (0, list_options_1.filterFields)(payload.runs, fields);
+        }
         (0, output_1.printJson)(payload);
         return;
     }
     if (result.runs.length === 0 && !service) {
         if (agentName) {
             process.stdout.write(`No runs found for agent '${agentName}'.\n`);
+            process.stdout.write(chalk_1.default.gray(`\nIf this is an always-on service, try: orch logs ${agentName} --live\n`));
         }
         else {
             process.stdout.write('No runs found in this workspace.\n');
+            // Check if the workspace has active services the user might want logs for
+            const activeServices = await findActiveServices(config, workspaceId);
+            if (activeServices.length > 0) {
+                process.stdout.write(chalk_1.default.yellow('\nThis workspace has always-on services. To view service logs:\n'));
+                for (const svc of activeServices) {
+                    process.stdout.write(`  ${chalk_1.default.cyan('orch logs ' + svc.agent_name + ' --live')}  (${svc.service_name})\n`);
+                }
+                process.stdout.write(chalk_1.default.gray('\nOr use: orch service logs <service-id>\n'));
+            }
         }
         return;
     }

package/dist/commands/publish.js

@@ -43,6 +43,8 @@ exports.scanReservedPort = scanReservedPort;
 exports.detectSdkCompatible = detectSdkCompatible;
 exports.checkDependencies = checkDependencies;
 exports.checkWorkspaceLlmKeys = checkWorkspaceLlmKeys;
+exports.prePublishSecretsCheck = prePublishSecretsCheck;
+exports.checkRequiredSecrets = checkRequiredSecrets;
 exports.batchPublish = batchPublish;
 exports.registerPublishCommand = registerPublishCommand;
 const promises_1 = __importDefault(require("fs/promises"));
@@ -58,6 +60,7 @@ const analytics_1 = require("../lib/analytics");
 const bundle_1 = require("../lib/bundle");
 const key_store_1 = require("../lib/key-store");
 const batch_publish_1 = require("../lib/batch-publish");
+const llm_1 = require("../lib/llm");
 /**
  * Extract template placeholders from a prompt template.
  * Matches double-brace patterns like {{variable}}.
@@ -517,6 +520,97 @@ async function checkWorkspaceLlmKeys(config, workspaceId, workspaceSlug, executi
         `  Cloud runs will fail until you add keys.\n` +
         `  Add a key: ${chalk_1.default.cyan(`orch secrets set ${exampleSecretName} <key>`)}\n`);
 }
+/**
+ * Pre-publish check: verify that all required_secrets exist in the workspace
+ * BEFORE publishing. This lets users set missing secrets before wasting time
+ * on the publish step (DX-3).
+ *
+ * In TTY mode: warns and asks for confirmation to continue.
+ * In non-TTY mode: warns but does not block (for CI/CD pipelines).
+ * API errors are silently swallowed (non-fatal).
+ *
+ * Returns the list of missing secret names (empty if all present or check failed).
+ */
+async function prePublishSecretsCheck(config, workspaceId, workspaceSlug, requiredSecrets) {
+    if (!requiredSecrets.length)
+        return [];
+    let secrets;
+    try {
+        const result = await (0, api_1.request)(config, 'GET', `/workspaces/${workspaceId}/secrets`);
+        secrets = result.secrets;
+        if (!Array.isArray(secrets))
+            return [];
+    }
+    catch {
+        return []; // Can't reach API — skip pre-check, gateway will catch at runtime
+    }
+    const existingNames = new Set(secrets.map(s => s.name));
+    const missing = requiredSecrets.filter(name => !existingNames.has(name));
+    if (missing.length === 0)
+        return [];
+    // Show prominent warning about missing secrets
+    process.stderr.write(chalk_1.default.yellow.bold(`\n⚠ ${missing.length} required secret${missing.length === 1 ? '' : 's'} missing from workspace '${workspaceSlug}':\n`));
+    for (const name of missing) {
+        process.stderr.write(`  ${chalk_1.default.yellow('•')} ${chalk_1.default.bold(name)}\n`);
+    }
+    process.stderr.write(`\n  Set them now:\n`);
+    for (const name of missing) {
+        process.stderr.write(`  ${chalk_1.default.cyan(`orch secrets set ${name} <value>`)}\n`);
+    }
+    process.stderr.write(chalk_1.default.gray(`\n  Without these secrets, the agent will fail at runtime.\n`));
+    // In TTY mode, ask user to confirm they want to continue publishing
+    if (process.stdin.isTTY && process.stderr.isTTY) {
+        const readline = await Promise.resolve().then(() => __importStar(require('readline/promises')));
+        const rl = readline.createInterface({ input: process.stdin, output: process.stderr });
+        const answer = await rl.question(chalk_1.default.yellow('\n  Publish anyway? (y/N): '));
+        rl.close();
+        if (answer.toLowerCase() !== 'y' && answer.toLowerCase() !== 'yes') {
+            process.stderr.write('\nPublish cancelled. Set the missing secrets first.\n');
+            process.exit(0);
+        }
+    }
+    else {
+        process.stderr.write(chalk_1.default.gray(`  (non-interactive — continuing with publish)\n\n`));
+    }
+    return missing;
+}
+/**
+ * After a successful publish, check whether the workspace has all the secrets
+ * declared in required_secrets. Warns about any missing ones so the user can
+ * set them before running the agent.
+ *
+ * Best-effort: API errors are silently swallowed (the agent is already published).
+ */
+async function checkRequiredSecrets(config, workspaceId, workspaceSlug, requiredSecrets) {
+    if (!requiredSecrets.length)
+        return;
+    let secrets;
+    try {
+        const result = await (0, api_1.request)(config, 'GET', `/workspaces/${workspaceId}/secrets`);
+        secrets = result.secrets;
+        if (!Array.isArray(secrets))
+            return;
+    }
+    catch {
+        return; // Can't reach API — fall back to showing all secrets as instructions
+    }
+    const existingNames = new Set(secrets.map(s => s.name));
+    const missing = requiredSecrets.filter(name => !existingNames.has(name));
+    if (missing.length === 0) {
+        // All secrets present — brief confirmation
+        process.stderr.write(chalk_1.default.green(`\n✓ All ${requiredSecrets.length} required secret${requiredSecrets.length === 1 ? '' : 's'} found in workspace '${workspaceSlug}'\n`));
+        return;
+    }
+    // Some secrets missing — warn with set commands
+    process.stderr.write(chalk_1.default.yellow(`\n⚠ ${missing.length} required secret${missing.length === 1 ? '' : 's'} not set in workspace '${workspaceSlug}':\n`));
+    for (const name of missing) {
+        process.stderr.write(`  ${chalk_1.default.yellow(name)}\n`);
+    }
+    process.stderr.write(`\n  Set before running:\n`);
+    for (const name of missing) {
+        process.stderr.write(`  ${chalk_1.default.cyan(`orch secrets set ${name} <value>`)}\n`);
+    }
+}
 /**
  * Batch publish all agents found in subdirectories, in dependency order.
  * Discovers orchagent.json/SKILL.md in immediate subdirectories,
@@ -883,6 +977,13 @@ function registerPublishCommand(program) {
                 `  ${chalk_1.default.cyan(`"default_models": { "anthropic": "${modelVal}" }`)}\n\n` +
                 `  The model resolution order is: caller --model flag → agent default_models → platform default.\n\n`));
         }
+        // DX-17: Validate model IDs in default_models
+        if (manifest.default_models && typeof manifest.default_models === 'object') {
+            const modelWarnings = (0, llm_1.validateModelIds)(manifest.default_models);
+            for (const w of modelWarnings) {
+                process.stderr.write(chalk_1.default.yellow(`Warning: ${w.message}\n`));
+            }
+        }
         // Auto-migrate inline schemas to schema.json
         const schemaPath = path_1.default.join(cwd, 'schema.json');
         let schemaFileExists = false;
@@ -1336,6 +1437,9 @@ function registerPublishCommand(program) {
                     `  env var to detect the reserved port.\n\n`);
             }
         }
+        // Pre-publish: check required secrets exist in workspace (DX-3)
+        // Fail fast — warn before spending time on the publish API call
+        await prePublishSecretsCheck(config, workspaceId || org.id, org.slug, manifest.required_secrets || []);
         // Create the agent (server auto-assigns version)
         let result;
         try {
@@ -1542,18 +1646,9 @@ function registerPublishCommand(program) {
         }
         // Warn if workspace has no LLM vault keys for this agent's providers (UX-13-01)
         await checkWorkspaceLlmKeys(config, workspaceId || org.id, org.slug, executionEngine, supportedProviders);
-        // Show required secrets with setup instructions (F-18)
-        if (manifest.required_secrets?.length) {
-            process.stdout.write(`\nRequired secrets:\n`);
-            for (const secret of manifest.required_secrets) {
-                process.stdout.write(`  ${secret}\n`);
-            }
-            process.stdout.write(`\nSet secrets before running:\n`);
-            for (const secret of manifest.required_secrets) {
-                process.stdout.write(`  orch secrets set ${secret} <value>\n`);
-            }
-            process.stdout.write(`\nView existing secrets: ${chalk_1.default.cyan('orch secrets list')}\n`);
-        }
+        // Post-publish: confirm secrets status (DX-13, DX-3)
+        // Shows green check when all present, yellow warning when missing
+        await checkRequiredSecrets(config, workspaceId || org.id, org.slug, manifest.required_secrets || []);
         // Show security review result if available
         const secReview = result.security_review;
         if (secReview?.verdict) {