@pleri/olam-cli 0.1.170 → 0.1.174

package/dist/index.js

@@ -8314,6 +8314,21 @@ CREATE TABLE IF NOT EXISTS meta (
         const row = this.db.prepare("SELECT * FROM worlds WHERE id = ?").get(worldId);
         return row ? rowToMetadata(row) : void 0;
       }
+      /**
+       * Find all worlds with a given `name`. Returns rows of every lifecycle
+       * status — callers filter as needed (e.g. active-only for dedup, error-
+       * only for cleanup).
+       *
+       * The schema has UNIQUE on `id` but NOT on `name`, so a single name can
+       * legitimately have multiple rows (e.g. one destroyed + one new). Issue
+       * #962: `olam create <name>` was generating fresh ids without checking
+       * for an existing row, accumulating orphan error rows under the same
+       * name. This is the registry-level primitive the manager's dedup uses.
+       */
+      findByName(name) {
+        const rows = this.db.prepare("SELECT * FROM worlds WHERE name = ? ORDER BY created_at DESC").all(name);
+        return rows.map(rowToMetadata);
+      }
       list(filter2) {
         if (filter2?.status) {
           const rows2 = this.db.prepare("SELECT * FROM worlds WHERE status = ? ORDER BY created_at DESC").all(filter2.status);
@@ -8769,6 +8784,8 @@ function stripMcpServers(mcpServers) {
         stripped.type = value;
       } else if (key === "url" && typeof value === "string") {
         stripped.url = value;
+      } else if (key === "alwaysLoad" && typeof value === "boolean") {
+        stripped.alwaysLoad = value;
       }
     }
     out[svc] = stripped;
@@ -8861,8 +8878,8 @@ function copyDirRecursive(src, dest, depth = 0, skipFiles = /* @__PURE__ */ new
   }
 }
 async function copyClaudeConfigIntoContainer(containerName) {
-  const { execSync: execSync15 } = await import("node:child_process");
-  const dockerExec = (cmd) => execSync15(`docker exec ${containerName} sh -c '${cmd}'`, { stdio: "pipe" });
+  const { execSync: execSync16 } = await import("node:child_process");
+  const dockerExec = (cmd) => execSync16(`docker exec ${containerName} sh -c '${cmd}'`, { stdio: "pipe" });
   dockerExec("mkdir -p $HOME/.claude");
   dockerExec("test -f /home/olam/workspace/.claude-host-config/settings.json && cp /home/olam/workspace/.claude-host-config/settings.json $HOME/.claude/settings.json || true");
   dockerExec("test -f /home/olam/workspace/.claude-host-config/CLAUDE.md && cp /home/olam/workspace/.claude-host-config/CLAUDE.md $HOME/.claude/CLAUDE.md || true");
@@ -8878,7 +8895,7 @@ async function copyClaudeConfigIntoContainer(containerName) {
   await sanitizeContainerClaudeHooks(containerName);
 }
 async function sanitizeContainerClaudeHooks(containerName) {
-  const { execSync: execSync15 } = await import("node:child_process");
+  const { execSync: execSync16 } = await import("node:child_process");
   const script = `
 const fs = require('fs');
 const p = (process.env.HOME || '/home/olam') + '/.claude/settings.json';
@@ -8922,7 +8939,7 @@ if (changed) {
 }
 `;
   try {
-    execSync15(`docker exec ${containerName} /usr/local/bin/node -e ${shQuote(script)}`, { stdio: "pipe" });
+    execSync16(`docker exec ${containerName} /usr/local/bin/node -e ${shQuote(script)}`, { stdio: "pipe" });
   } catch {
   }
 }
@@ -9086,7 +9103,8 @@ var init_env_setup = __esm({
       "command",
       "args",
       "type",
-      "url"
+      "url",
+      "alwaysLoad"
     ]);
     SKIP_FILES = /* @__PURE__ */ new Set([
       ".credentials.json",
@@ -11712,6 +11730,60 @@ var init_bootstrap_hooks = __esm({
   }
 });
 
+// ../core/dist/world/create-dedup.js
+import { execSync as execSync5 } from "node:child_process";
+function resolveCreateDedup(opts) {
+  const { registry, name } = opts;
+  const probe2 = opts.probeContainer ?? defaultContainerProbe;
+  const containerName = `olam-${name}-devbox`;
+  const existing = registry.findByName(name);
+  const active = existing.find((w) => ACTIVE_STATUSES.has(w.status));
+  if (active) {
+    return { action: "reuse", world: active };
+  }
+  const errorRows = existing.filter((w) => w.status === "error");
+  for (const er of errorRows) {
+    registry.remove(er.id);
+  }
+  if (probe2(containerName)) {
+    return {
+      action: "container-orphan",
+      containerName,
+      remediation: `A container '${containerName}' is running on this host but no worlds.db row exists for it. Either destroy the orphan with 'docker rm -f ${containerName}' and re-run, or wait for the reconciler (issue #963) to insert a row.`
+    };
+  }
+  return { action: "fresh", cleanedErrorRows: errorRows.length };
+}
+var ACTIVE_STATUSES, defaultContainerProbe, ContainerOrphanError;
+var init_create_dedup = __esm({
+  "../core/dist/world/create-dedup.js"() {
+    "use strict";
+    ACTIVE_STATUSES = /* @__PURE__ */ new Set([
+      "creating",
+      "running",
+      "paused",
+      "crystallizing"
+    ]);
+    defaultContainerProbe = (containerName) => {
+      try {
+        const out = execSync5(`docker ps --filter name=^/${containerName}$ --format '{{.Names}}'`, { stdio: ["pipe", "pipe", "pipe"], timeout: 5e3 }).toString().trim();
+        return out.length > 0;
+      } catch {
+        return false;
+      }
+    };
+    ContainerOrphanError = class extends Error {
+      containerName;
+      kind = "container-orphan";
+      constructor(message, containerName) {
+        super(message);
+        this.containerName = containerName;
+        this.name = "ContainerOrphanError";
+      }
+    };
+  }
+});
+
 // ../core/dist/world/tmux-supervisor.js
 function injectBindAll(start) {
   let result = start;
@@ -11849,6 +11921,7 @@ var manager_exports = {};
 __export(manager_exports, {
   AuthPreflightError: () => AuthPreflightError,
   BotIdentityError: () => BotIdentityError,
+  ContainerOrphanError: () => ContainerOrphanError,
   TaskDispatchError: () => TaskDispatchError,
   WorkspaceNotFoundError: () => WorkspaceNotFoundError,
   WorldManager: () => WorldManager,
@@ -11868,12 +11941,12 @@ __export(manager_exports, {
   runManifestRuntime: () => runManifestRuntime
 });
 import * as crypto5 from "node:crypto";
-import { execSync as execSync5, spawnSync as spawnSync5 } from "node:child_process";
+import { execSync as execSync6, spawnSync as spawnSync5 } from "node:child_process";
 import * as fs23 from "node:fs";
 import * as os13 from "node:os";
 import * as path25 from "node:path";
 import YAML3 from "yaml";
-function getTokenScopes(ghToken, _exec = execSync5) {
+function getTokenScopes(ghToken, _exec = execSync6) {
   try {
     const out = _exec("gh auth status 2>&1", {
       encoding: "utf-8",
@@ -11890,13 +11963,13 @@ function getTokenScopes(ghToken, _exec = execSync5) {
   }
 }
 async function setupContainerGit(containerName, repos, branch) {
-  const dockerExec = (cmd) => execSync5(`docker exec ${containerName} sh -c '${cmd.replace(/'/g, "'\\''")}'`, {
+  const dockerExec = (cmd) => execSync6(`docker exec ${containerName} sh -c '${cmd.replace(/'/g, "'\\''")}'`, {
     stdio: "pipe",
     timeout: 6e4
   }).toString();
   let ghToken = "";
   try {
-    ghToken = execSync5("gh auth token 2>/dev/null", { encoding: "utf-8", timeout: 5e3 }).trim();
+    ghToken = execSync6("gh auth token 2>/dev/null", { encoding: "utf-8", timeout: 5e3 }).trim();
   } catch {
   }
   const actorName = process.env.OLAM_BOT_NAME ?? "Claude Code (olam)";
@@ -11916,7 +11989,7 @@ async function setupContainerGit(containerName, repos, branch) {
         continue;
       const ownerRepo = ghMatch[1];
       try {
-        execSync5(`gh api repos/${ownerRepo} --silent`, {
+        execSync6(`gh api repos/${ownerRepo} --silent`, {
           stdio: "pipe",
           timeout: 5e3,
           env: { ...process.env, GH_TOKEN: ghToken }
@@ -11964,7 +12037,7 @@ ${stderr.split("\n").slice(0, 3).join(" ")}`);
     if (!olamUserPresent) {
       const imageName = (() => {
         try {
-          return execSync5(`docker inspect ${containerName} --format '{{.Config.Image}}'`, {
+          return execSync6(`docker inspect ${containerName} --format '{{.Config.Image}}'`, {
             encoding: "utf8",
             timeout: 5e3
           }).trim() || "(unknown)";
@@ -12007,7 +12080,7 @@ ${stderr.split("\n").slice(0, 3).join(" ")}`);
 function makeHostExecFn() {
   return async (cmd) => {
     try {
-      const stdout = execSync5(cmd, { encoding: "utf-8", timeout: 5e3 });
+      const stdout = execSync6(cmd, { encoding: "utf-8", timeout: 5e3 });
       return { stdout, stderr: "", exitCode: 0 };
     } catch {
       return { stdout: "", stderr: "", exitCode: 1 };
@@ -12017,7 +12090,7 @@ function makeHostExecFn() {
 function makeContainerExecFn(containerName) {
   return async (cmd) => {
     try {
-      const result = execSync5(`docker exec ${containerName} sh -c '${cmd.replace(/'/g, "'\\''")}'`, { stdio: "pipe", timeout: 6e5 });
+      const result = execSync6(`docker exec ${containerName} sh -c '${cmd.replace(/'/g, "'\\''")}'`, { stdio: "pipe", timeout: 6e5 });
       return { stdout: result.toString(), stderr: "", exitCode: 0 };
     } catch (err) {
       const execErr = err;
@@ -12031,7 +12104,7 @@ function makeContainerExecFn(containerName) {
 }
 function defaultDockerExec2() {
   return (containerName, cmd) => {
-    const result = execSync5(
+    const result = execSync6(
       `docker exec ${containerName} sh -c '${cmd.replace(/'/g, "'\\''")}'`,
       // Phase E E5 raise: 10min was too tight on cold-boot for atlas-core's
       // `rails db:create` chain (Rails 7 boot + initializer load + first
@@ -12211,7 +12284,7 @@ function buildManifestRuntime(worldId, repos) {
   }
   return { worldId, repos: runtimeRepos };
 }
-function exposeWorldOverTailscale(appPortUrls, worldId, registry, _exec = execSync5) {
+function exposeWorldOverTailscale(appPortUrls, worldId, registry, _exec = execSync6) {
   if (process.env["OLAM_TAILSCALE_SERVE"] !== "true")
     return;
   if (appPortUrls.length === 0)
@@ -12239,7 +12312,7 @@ function exposeWorldOverTailscale(appPortUrls, worldId, registry, _exec = execSy
     registry.storeTailscalePaths(worldId, registeredPaths);
   }
 }
-function cleanupWorldTailscale(worldId, registry, _exec = execSync5) {
+function cleanupWorldTailscale(worldId, registry, _exec = execSync6) {
   const paths = registry.loadTailscalePaths(worldId);
   if (paths.length === 0)
     return;
@@ -12258,7 +12331,7 @@ function cleanupWorldTailscale(worldId, registry, _exec = execSync5) {
     }
   }
 }
-function resolveTailscaleBin(_exec = execSync5) {
+function resolveTailscaleBin(_exec = execSync6) {
   const candidates2 = [
     process.env["TAILSCALE_BIN"],
     "/Applications/Tailscale.app/Contents/MacOS/Tailscale",
@@ -12657,6 +12730,8 @@ var init_manager = __esm({
     init_runbook_resolver();
     init_port_validator();
     init_bootstrap_hooks();
+    init_create_dedup();
+    init_create_dedup();
     init_tmux_supervisor();
     BotIdentityError = class extends Error {
       constructor(message) {
@@ -12691,19 +12766,38 @@ var init_manager = __esm({
       dashboardManager;
       pleriClient;
       dockerExec;
+      containerProbe;
       manifestRuntimes = /* @__PURE__ */ new Map();
-      constructor(config, provider, registry, dashboardManager, pleriClient, dockerExec) {
+      constructor(config, provider, registry, dashboardManager, pleriClient, dockerExec, containerProbe) {
         this.config = config;
         this.provider = provider;
         this.registry = registry;
         this.dashboardManager = dashboardManager;
         this.pleriClient = pleriClient;
         this.dockerExec = dockerExec ?? defaultDockerExec2();
+        this.containerProbe = containerProbe;
       }
       // -----------------------------------------------------------------------
       // createWorld
       // -----------------------------------------------------------------------
       async createWorld(opts) {
+        {
+          const dedupOpts = {
+            registry: this.registry,
+            name: opts.name,
+            ...this.containerProbe ? { probeContainer: this.containerProbe } : {}
+          };
+          const dedup = resolveCreateDedup(dedupOpts);
+          if (dedup.action === "reuse") {
+            return dedup.world;
+          }
+          if (dedup.action === "container-orphan") {
+            throw new ContainerOrphanError(dedup.remediation, dedup.containerName);
+          }
+          if (dedup.cleanedErrorRows > 0) {
+            console.log(`[manager] removed ${dedup.cleanedErrorRows} stale error row(s) for world name "${opts.name}" before fresh create (issue #962)`);
+          }
+        }
         if (!opts.noAuth) {
           const preflight2 = await runAuthPreflight({ autoStart: true });
           if (preflight2.verdict !== "ok") {
@@ -13387,7 +13481,7 @@ ${detail}`);
             const escapedDir = `/home/olam/workspace/${repo.name.replace(/["$`\\]/g, "\\$&")}`;
             for (const cmd of repo.setup_commands) {
               try {
-                execSync5(`docker exec ${containerName} sh -c 'cd "${escapedDir}" && ${cmd.replace(/'/g, "'\\''")}'`, { stdio: "pipe", timeout: 6e5 });
+                execSync6(`docker exec ${containerName} sh -c 'cd "${escapedDir}" && ${cmd.replace(/'/g, "'\\''")}'`, { stdio: "pipe", timeout: 6e5 });
               } catch (err) {
                 const msg = err instanceof Error ? err.message : String(err);
                 console.warn(`[WorldManager] setup command failed for ${repo.name}: ${msg}`);
@@ -13408,11 +13502,11 @@ ${detail}`);
           });
           if (allPolicies.length > 0) {
             try {
-              execSync5(`docker exec ${containerName} mkdir -p /home/olam/.olam/policies`, { stdio: "pipe", timeout: 1e4 });
+              execSync6(`docker exec ${containerName} mkdir -p /home/olam/.olam/policies`, { stdio: "pipe", timeout: 1e4 });
               for (const repo of repos) {
                 const policiesDir = path25.join(workspacePath, repo.name, ".olam", "policies");
                 if (fs23.existsSync(policiesDir)) {
-                  execSync5(`docker cp "${policiesDir}/." "${containerName}:/home/olam/.olam/policies/"`, { stdio: "pipe", timeout: 15e3 });
+                  execSync6(`docker cp "${policiesDir}/." "${containerName}:/home/olam/.olam/policies/"`, { stdio: "pipe", timeout: 15e3 });
                 }
               }
             } catch (err) {
@@ -14900,10 +14994,10 @@ var init_state2 = __esm({
 });
 
 // ../core/dist/dashboard/tunnel.js
-import { spawn as spawn3, execSync as execSync6 } from "node:child_process";
+import { spawn as spawn3, execSync as execSync7 } from "node:child_process";
 function isCloudflaredAvailable() {
   try {
-    execSync6("which cloudflared", { stdio: "ignore" });
+    execSync7("which cloudflared", { stdio: "ignore" });
     return true;
   } catch {
     return false;
@@ -16235,6 +16329,69 @@ var init_registry_allowlist = __esm({
   }
 });
 
+// src/from-manifest.ts
+var from_manifest_exports = {};
+__export(from_manifest_exports, {
+  defaultNameFromManifest: () => defaultNameFromManifest,
+  parseForkManifest: () => parseForkManifest,
+  provenanceLine: () => provenanceLine
+});
+import { readFileSync as readFileSync30 } from "node:fs";
+function parseForkManifest(path96) {
+  let raw;
+  try {
+    raw = readFileSync30(path96, "utf8");
+  } catch (err) {
+    const reason = err?.code === "ENOENT" ? "file does not exist" : err.message;
+    throw new Error(`--from-manifest: cannot read ${path96} (${reason})`);
+  }
+  let json;
+  try {
+    json = JSON.parse(raw);
+  } catch (err) {
+    throw new Error(`--from-manifest: ${path96} is not valid JSON (${err.message})`);
+  }
+  if (!isPlainObject2(json)) {
+    throw new Error(`--from-manifest: ${path96} root must be a JSON object`);
+  }
+  const originalWorldId = json.originalWorldId;
+  if (typeof originalWorldId !== "string" || originalWorldId.trim().length === 0) {
+    throw new Error(`--from-manifest: ${path96} missing required string "originalWorldId"`);
+  }
+  const newPrompt = json.newPrompt;
+  if (typeof newPrompt !== "string" || newPrompt.trim().length === 0) {
+    throw new Error(
+      `--from-manifest: ${path96} has no "newPrompt" \u2014 re-run trace-replay with --with-prompt "<alternate dispatch>"`
+    );
+  }
+  const fp = isPlainObject2(json.forkPoint) ? json.forkPoint : {};
+  const resolvedPhase = typeof fp.resolvedPhase === "string" ? fp.resolvedPhase : null;
+  const resolvedSpanId = typeof fp.resolvedSpanId === "string" ? fp.resolvedSpanId : null;
+  const resolvedAt = typeof fp.resolvedAt === "number" ? fp.resolvedAt : 0;
+  return {
+    originalWorldId: originalWorldId.trim(),
+    forkPoint: { resolvedPhase, resolvedSpanId, resolvedAt },
+    newPrompt,
+    manifestPath: path96
+  };
+}
+function defaultNameFromManifest(manifest) {
+  const base = `fork-${manifest.originalWorldId}`.toLowerCase().replace(/[^a-z0-9-]/g, "-").replace(/-+/g, "-").replace(/^-|-$/g, "");
+  return (base || "fork").slice(0, 40);
+}
+function provenanceLine(manifest) {
+  const phase = manifest.forkPoint.resolvedPhase ?? "end-of-trace";
+  return `Forking from ${manifest.originalWorldId} @ phase=${phase} (manifest: ${manifest.manifestPath})`;
+}
+function isPlainObject2(v) {
+  return typeof v === "object" && v !== null && !Array.isArray(v);
+}
+var init_from_manifest = __esm({
+  "src/from-manifest.ts"() {
+    "use strict";
+  }
+});
+
 // src/spawn/home-override.ts
 var home_override_exports = {};
 __export(home_override_exports, {
@@ -18146,13 +18303,13 @@ var init_file_lock = __esm({
 });
 
 // ../core/dist/lib/min-version-filter.js
-import { existsSync as existsSync73, readFileSync as readFileSync60 } from "node:fs";
+import { existsSync as existsSync73, readFileSync as readFileSync61 } from "node:fs";
 function readOlamMinVersion(filepath) {
   if (!existsSync73(filepath))
     return void 0;
   let text;
   try {
-    text = readFileSync60(filepath, "utf8");
+    text = readFileSync61(filepath, "utf8");
   } catch {
     return void 0;
   }
@@ -18800,7 +18957,7 @@ var init_meta_hook_injector = __esm({
 
 // ../core/dist/lib/markdown-merger.js
 import { createHash as createHash8 } from "node:crypto";
-import { readFileSync as readFileSync64, existsSync as existsSync76, statSync as statSync22 } from "node:fs";
+import { readFileSync as readFileSync65, existsSync as existsSync76, statSync as statSync22 } from "node:fs";
 function parseFrontmatter3(text) {
   const match2 = FM_RE2.exec(text);
   if (match2 === null)
@@ -18922,7 +19079,7 @@ function mergeMarkdown(upstreamText, overlayText, labelForError, upstreamPath, o
 function sha256OfPath(p) {
   if (!existsSync76(p) || !statSync22(p).isFile())
     return "MISSING";
-  return createHash8("sha256").update(readFileSync64(p)).digest("hex");
+  return createHash8("sha256").update(readFileSync65(p)).digest("hex");
 }
 var FM_RE2, H2_RE;
 var init_markdown_merger = __esm({
@@ -19174,7 +19331,7 @@ var init_prefix_deploy = __esm({
 });
 
 // ../core/dist/skill-sync/resolve-source-config.js
-import { readFileSync as readFileSync66, existsSync as existsSync77 } from "node:fs";
+import { readFileSync as readFileSync67, existsSync as existsSync77 } from "node:fs";
 import { join as join76 } from "node:path";
 import { parse as parseYaml6 } from "yaml";
 function sourceConfigPath(clonePath) {
@@ -19186,7 +19343,7 @@ function readSourceConfig(clonePath, sourceId) {
     return void 0;
   let raw;
   try {
-    raw = readFileSync66(path96, "utf-8");
+    raw = readFileSync67(path96, "utf-8");
   } catch (err) {
     emitMalformedWarning(sourceId, `read failed: ${errToMsg(err)}`);
     return void 0;
@@ -23373,6 +23530,7 @@ var MCP_AUTH_CONTAINER = "olam-mcp-auth";
 var MCP_AUTH_LOCAL_TAG = "olam-mcp-auth:local";
 var MCP_AUTH_PUBLISHED_TAG = "ghcr.io/pleri/olam-mcp-auth:latest";
 var MCP_AUTH_HEALTH_URL = `http://127.0.0.1:${MCP_AUTH_PORT}/health`;
+var SOCAT_IMAGE = "alpine/socat:latest";
 var MCP_AUTH_HEALTH_TIMEOUT_MS = 6e4;
 var McpAuthContainerController = class {
   imageTag = MCP_AUTH_LOCAL_TAG;
@@ -23596,6 +23754,40 @@ async function servicesRestartKubernetes(name, deps = {}) {
   printSuccess(`${deploymentName}: rollout restart triggered`);
   return { exitCode: 0 };
 }
+function pullSocatImage(deps = {}) {
+  const spawnImpl = deps.spawnImpl ?? ((cmd, args, opts) => {
+    const r = spawnSync16(cmd, [...args], { encoding: "utf-8", ...opts });
+    return {
+      status: r.status,
+      stdout: r.stdout ?? "",
+      stderr: r.stderr ?? ""
+    };
+  });
+  const info = spawnImpl("docker", ["info"], { encoding: "utf-8", timeout: 5e3 });
+  if (info.status !== 0) {
+    return { dockerAvailable: false, alreadyPresent: false, pulled: false };
+  }
+  const inspect = spawnImpl("docker", ["image", "inspect", SOCAT_IMAGE], {
+    encoding: "utf-8",
+    timeout: 5e3
+  });
+  if (inspect.status === 0) {
+    return { dockerAvailable: true, alreadyPresent: true, pulled: false };
+  }
+  const pull = spawnImpl("docker", ["pull", SOCAT_IMAGE], {
+    encoding: "utf-8",
+    timeout: 6e4
+  });
+  if (pull.status === 0) {
+    return { dockerAvailable: true, alreadyPresent: false, pulled: true };
+  }
+  return {
+    dockerAvailable: true,
+    alreadyPresent: false,
+    pulled: false,
+    error: pull.stderr.trim() || pull.stdout.trim() || "docker pull failed"
+  };
+}
 function dumpContainerLogs(container, tail = 40) {
   try {
     const result = spawnSync16("docker", ["logs", "--tail", String(tail), container], {
@@ -23620,6 +23812,21 @@ async function servicesUp() {
   const mcpAuth = new McpAuthContainerController();
   const kgService = new KgServiceContainerController();
   const memoryService = new MemoryServiceContainerController();
+  const socatResult = pullSocatImage();
+  if (!socatResult.dockerAvailable) {
+    printWarning(
+      "docker daemon not reachable \u2014 skipped alpine/socat:latest preflight; olam_port_expose will fail until docker is available"
+    );
+  } else if (socatResult.error !== void 0) {
+    printWarning(
+      `alpine/socat:latest preflight pull failed: ${socatResult.error}
+  olam_port_expose will attempt a fallback pull on first call`
+    );
+  } else if (socatResult.pulled) {
+    printSuccess("alpine/socat:latest pulled");
+  } else {
+    printInfo("alpine/socat:latest", "already cached");
+  }
   const authStatus = auth.status();
   if (authStatus.state === "running") {
     printSuccess(`olam-auth already running on :${authStatus.port}`);
@@ -24201,7 +24408,7 @@ function appendAuditEntry(entry, auditLogPath, writeFileSyncImpl) {
 async function runManifestRefresh(manifestsDir, acceptRegression, deps = {}, peripheral) {
   const auditLogPath = deps.auditLogPath ?? MANIFEST_REFRESH_AUDIT_LOG;
   const readdirSync33 = deps.readdirSync ?? fs31.readdirSync;
-  const readFileSync95 = deps.readFileSync ?? fs31.readFileSync;
+  const readFileSync96 = deps.readFileSync ?? fs31.readFileSync;
   const writeFileSyncImpl = deps.writeFileSync ?? fs31.writeFileSync;
   const existsSync113 = deps.existsSync ?? fs31.existsSync;
   const now = deps.now ? deps.now() : /* @__PURE__ */ new Date();
@@ -24227,7 +24434,7 @@ async function runManifestRefresh(manifestsDir, acceptRegression, deps = {}, per
     const filePath = path32.join(targetDir, file);
     let content;
     try {
-      content = readFileSync95(filePath, "utf8");
+      content = readFileSync96(filePath, "utf8");
     } catch {
       continue;
     }
@@ -24478,11 +24685,11 @@ async function checkSecretPreCondition(context, deps) {
 }
 async function applyConfigMapSubstitution(context, manifestsDir, deps) {
   const wrap = deps.kubectlWrapImpl ?? kubectlWrap;
-  const readFileSync95 = deps.readFileSyncImpl ?? fs32.readFileSync;
+  const readFileSync96 = deps.readFileSyncImpl ?? fs32.readFileSync;
   const configMapPath = path33.join(manifestsDir, "30-configmap.yaml");
   let rawYaml;
   try {
-    rawYaml = readFileSync95(configMapPath, "utf8");
+    rawYaml = readFileSync96(configMapPath, "utf8");
   } catch (err) {
     return `Failed to read ConfigMap at ${configMapPath}: ${err instanceof Error ? err.message : String(err)}`;
   }
@@ -25034,6 +25241,223 @@ async function applyK8sAuthRefresh(pinnedContext, deps = {}) {
   return 0;
 }
 
+// src/lib/auth-remote.ts
+function normalizeBase(url2) {
+  return url2.replace(/\/+$/, "");
+}
+function buildHeaders(cookie) {
+  const headers = {
+    "Content-Type": "application/json",
+    Accept: "application/json"
+  };
+  if (cookie) {
+    headers["Cookie"] = `CF_Authorization=${cookie}`;
+  }
+  return headers;
+}
+async function remoteHealth(opts) {
+  const { baseUrl, cfAuthCookie, fetchFn = fetch } = opts;
+  const url2 = `${normalizeBase(baseUrl)}/v1/health`;
+  const res = await fetchFn(url2, {
+    method: "GET",
+    headers: buildHeaders(cfAuthCookie)
+  });
+  if (!res.ok) {
+    throw new Error(`Health check failed: HTTP ${res.status}`);
+  }
+  return res.json();
+}
+async function remoteOAuthStart(opts) {
+  const { baseUrl, cfAuthCookie, fetchFn = fetch } = opts;
+  const url2 = `${normalizeBase(baseUrl)}/v1/oauth/start`;
+  const res = await fetchFn(url2, {
+    method: "POST",
+    headers: buildHeaders(cfAuthCookie),
+    body: JSON.stringify({})
+  });
+  if (!res.ok) {
+    const body = await res.text().catch(() => "");
+    throw new Error(`OAuth start failed: HTTP ${res.status}${body ? ` \u2014 ${body}` : ""}`);
+  }
+  return res.json();
+}
+async function remoteListServiceTokens(opts) {
+  const { baseUrl, cfAuthCookie, fetchFn = fetch } = opts;
+  const url2 = `${normalizeBase(baseUrl)}/v1/service-tokens`;
+  const res = await fetchFn(url2, {
+    method: "GET",
+    headers: buildHeaders(cfAuthCookie)
+  });
+  if (!res.ok) {
+    throw new Error(`List service-tokens failed: HTTP ${res.status}`);
+  }
+  return res.json();
+}
+async function remoteListAccounts(opts) {
+  const { baseUrl, cfAuthCookie, fetchFn = fetch } = opts;
+  const url2 = `${normalizeBase(baseUrl)}/v1/accounts`;
+  const res = await fetchFn(url2, {
+    method: "GET",
+    headers: buildHeaders(cfAuthCookie)
+  });
+  if (!res.ok) {
+    throw new Error(`List accounts failed: HTTP ${res.status}`);
+  }
+  return res.json();
+}
+async function remoteBindServiceToken(opts, payload) {
+  const { baseUrl, cfAuthCookie, fetchFn = fetch } = opts;
+  const url2 = `${normalizeBase(baseUrl)}/v1/service-tokens/bind`;
+  const res = await fetchFn(url2, {
+    method: "POST",
+    headers: buildHeaders(cfAuthCookie),
+    body: JSON.stringify(payload)
+  });
+  if (!res.ok) {
+    const body = await res.text().catch(() => "");
+    throw new Error(`Bind service-token failed: HTTP ${res.status}${body ? ` \u2014 ${body}` : ""}`);
+  }
+  return { ok: true };
+}
+async function remoteDeleteServiceToken(opts, clientId) {
+  const { baseUrl, cfAuthCookie, fetchFn = fetch } = opts;
+  const url2 = `${normalizeBase(baseUrl)}/v1/service-tokens/${encodeURIComponent(clientId)}`;
+  const res = await fetchFn(url2, {
+    method: "DELETE",
+    headers: buildHeaders(cfAuthCookie)
+  });
+  if (!res.ok) {
+    throw new Error(`Delete service-token failed: HTTP ${res.status}`);
+  }
+  return { ok: true };
+}
+async function remoteIssueAnthropicToken(opts, label) {
+  const { baseUrl, cfAuthCookie, fetchFn = fetch } = opts;
+  const url2 = `${normalizeBase(baseUrl)}/v1/anthropic-tokens/issue`;
+  const res = await fetchFn(url2, {
+    method: "POST",
+    headers: buildHeaders(cfAuthCookie),
+    body: JSON.stringify({ label })
+  });
+  if (!res.ok) {
+    const body = await res.text().catch(() => "");
+    throw new Error(`Issue anthropic-token failed: HTTP ${res.status}${body ? ` \u2014 ${body}` : ""}`);
+  }
+  return res.json();
+}
+async function remoteListAnthropicTokens(opts) {
+  const { baseUrl, cfAuthCookie, fetchFn = fetch } = opts;
+  const url2 = `${normalizeBase(baseUrl)}/v1/anthropic-tokens`;
+  const res = await fetchFn(url2, {
+    method: "GET",
+    headers: buildHeaders(cfAuthCookie)
+  });
+  if (!res.ok) {
+    const body = await res.text().catch(() => "");
+    throw new Error(`List anthropic-tokens failed: HTTP ${res.status}${body ? ` \u2014 ${body}` : ""}`);
+  }
+  return res.json();
+}
+async function remoteRevokeAnthropicToken(opts, tokenHash) {
+  const { baseUrl, cfAuthCookie, fetchFn = fetch } = opts;
+  const url2 = `${normalizeBase(baseUrl)}/v1/anthropic-tokens/${encodeURIComponent(tokenHash)}`;
+  const res = await fetchFn(url2, {
+    method: "DELETE",
+    headers: buildHeaders(cfAuthCookie)
+  });
+  if (res.status === 404) return false;
+  if (!res.ok) {
+    throw new Error(`Revoke anthropic-token failed: HTTP ${res.status}`);
+  }
+  return true;
+}
+async function runDoctorChecks(opts) {
+  const results = [];
+  const { baseUrl, cfAuthCookie, fetchFn = fetch } = opts;
+  const base = normalizeBase(baseUrl);
+  try {
+    const h = await remoteHealth({ baseUrl, cfAuthCookie, fetchFn });
+    results.push({
+      probe: "worker-health",
+      status: "pass",
+      message: `Worker alive${h.version ? ` (version=${h.version})` : ""}`
+    });
+  } catch (err) {
+    results.push({
+      probe: "worker-health",
+      status: "fail",
+      message: err instanceof Error ? err.message : "Health check failed",
+      remedy: `Verify the worker is deployed and reachable at ${base}`
+    });
+  }
+  let jwksUrl;
+  try {
+    const parsed = new URL(baseUrl);
+    const parts = parsed.hostname.split(".");
+    const team = parts.length >= 3 ? parts[parts.length - 3] : parts[0];
+    jwksUrl = `https://${team}.cloudflareaccess.com/cdn-cgi/access/certs`;
+  } catch {
+    jwksUrl = `${base}/.well-known/jwks.json`;
+  }
+  try {
+    const res = await fetchFn(jwksUrl, { method: "GET" });
+    if (res.ok) {
+      results.push({
+        probe: "cf-access-jwks",
+        status: "pass",
+        message: `CF Access JWKS reachable at ${jwksUrl}`
+      });
+    } else {
+      results.push({
+        probe: "cf-access-jwks",
+        status: "warn",
+        message: `CF Access JWKS returned HTTP ${res.status}`,
+        remedy: `Verify Cloudflare Access is configured for your zone. JWKS checked: ${jwksUrl}`
+      });
+    }
+  } catch (err) {
+    results.push({
+      probe: "cf-access-jwks",
+      status: "warn",
+      message: `CF Access JWKS unreachable: ${err instanceof Error ? err.message : String(err)}`,
+      remedy: `Check network access to ${jwksUrl}. CF Access may not be configured for this zone.`
+    });
+  }
+  try {
+    await remoteOAuthStart({ baseUrl, cfAuthCookie, fetchFn });
+    results.push({
+      probe: "oauth-start",
+      status: "pass",
+      message: "OAuth start endpoint is reachable"
+    });
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    const status2 = msg.includes("HTTP 403") ? "warn" : "fail";
+    results.push({
+      probe: "oauth-start",
+      status: status2,
+      message: `OAuth start: ${msg}`,
+      remedy: status2 === "warn" ? "Open the worker URL in a browser to complete CF Access SSO, then re-run with --cookie." : `Check that /v1/oauth/start is deployed at ${base}`
+    });
+  }
+  const clientId = process.env["ANTHROPIC_OAUTH_CLIENT_ID"];
+  if (clientId) {
+    results.push({
+      probe: "env-client-id",
+      status: "pass",
+      message: `ANTHROPIC_OAUTH_CLIENT_ID is set (length=${clientId.length})`
+    });
+  } else {
+    results.push({
+      probe: "env-client-id",
+      status: "warn",
+      message: "ANTHROPIC_OAUTH_CLIENT_ID is not set in the environment",
+      remedy: "Set ANTHROPIC_OAUTH_CLIENT_ID in your shell profile (the Anthropic OAuth app client ID)."
+    });
+  }
+  return results;
+}
+
 // src/commands/auth.ts
 function openBrowser(url2) {
   const cmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? "start" : "xdg-open";
@@ -25068,36 +25492,6 @@ function registerAuth(program2) {
     printWarning("`olam auth status` is deprecated. Use `olam services status` instead.");
     servicesStatus();
   });
-  auth.command("list").description("List all stored credentials with state, usage, and rate-limit status").action(async () => {
-    const client = new AuthClient();
-    const status2 = await client.status();
-    if (!status2.reachable) {
-      printError("Auth container is not reachable. Run `olam auth up` first.");
-      process.exitCode = 1;
-      return;
-    }
-    printHeader(`Credentials (${status2.accounts.length})`);
-    if (status2.accounts.length === 0) {
-      console.log(`  ${pc12.dim("No credentials \u2014 run: olam auth login --label primary")}`);
-      return;
-    }
-    const stateColor = (s) => {
-      if (s === "active") return pc12.green("active");
-      if (s === "cooldown") return pc12.yellow("cooldown");
-      if (s === "expired") return pc12.red("expired");
-      if (s === "disabled") return pc12.dim("disabled");
-      return pc12.dim(s ?? "unknown");
-    };
-    for (const a of status2.accounts) {
-      const label = a.accountLabel ?? a.id;
-      const reqs = a.usage?.requestCount5h ?? 0;
-      const last429 = a.usage?.last429At ? `last429=${a.usage.last429At}` : "last429=never";
-      const reset = a.rateLimitResetsAt ? `resets=${a.rateLimitResetsAt}` : "";
-      console.log(
-        `  ${pc12.bold(label.padEnd(18))} ${stateColor(a.state).padEnd(18)} ${pc12.dim(`req5h=${reqs}`)}  ${pc12.dim(`exp=${a.expiresIn}`)} ${pc12.dim(last429)} ${pc12.yellow(reset)}`
-      );
-    }
-  });
   auth.command("disable").description("Take a credential out of rotation (manual cooldown)").argument("<label>", "Credential label or id").action(async (label) => {
     const client = new AuthClient();
     try {
@@ -25128,7 +25522,68 @@ function registerAuth(program2) {
       process.exitCode = 1;
     }
   });
-  auth.command("login").description("Run the OAuth PKCE flow to store a Claude account in the auth container").option("--label <label>", 'Account label (e.g. primary, burner-1). Defaults to "primary" for the first account, "burner-N" thereafter.').action(async (opts) => {
+  auth.command("login").description("Run the OAuth PKCE flow to store a Claude account in the auth container, or print a remote OAuth URL (--remote)").option("--label <label>", 'Account label (e.g. primary, burner-1). Defaults to "primary" for the first account, "burner-N" thereafter.').option("--remote <url>", "Auth-worker base URL. Prints the OAuth start URL for browser completion (v1 dogfood).").option("--print-url", "Print the OAuth URL without attempting to open a browser (implied by --remote).").option("--service-token <client_id:secret>", "Delegate to bind-service-token flow instead (use with --remote).").action(async (opts) => {
+    if (opts.remote) {
+      const baseUrl = opts.remote;
+      if (opts.serviceToken) {
+        const parts = opts.serviceToken.split(":");
+        if (parts.length < 2) {
+          printError("--service-token must be in format <client_id>:<secret>");
+          process.exitCode = 1;
+          return;
+        }
+        const [clientId] = parts;
+        const label2 = opts.label ?? clientId ?? "service-token";
+        printHeader("Auth worker \u2014 bind service token");
+        console.log(`
+  ${pc12.bold("Step 1:")} Open ${pc12.cyan(baseUrl + "/v1/oauth/start")} in a browser.`);
+        console.log(`          Complete CF Access SSO. You may see a JSON response or "no credentials" \u2014 that is normal.`);
+        const rawCookie = await promptLine(`
+  ${pc12.dim("Paste CF_Authorization cookie value (from DevTools > Application > Cookies):")} `);
+        if (!rawCookie) {
+          printError("No cookie provided. Aborting.");
+          process.exitCode = 1;
+          return;
+        }
+        const clientIdStr = clientId ?? "";
+        try {
+          await remoteBindServiceToken({ baseUrl, cfAuthCookie: rawCookie }, { client_id: clientIdStr, label: label2 });
+          printSuccess(`Service token bound: ${clientIdStr} (label=${label2})`);
+          console.log(`
+${pc12.dim("Set ANTHROPIC_BASE_URL=" + baseUrl + "/v1/proxy in your shell to route Claude API calls through this worker.")}`);
+        } catch (err) {
+          printError(err instanceof Error ? err.message : "bind failed");
+          process.exitCode = 1;
+        }
+        return;
+      }
+      let startUrl;
+      try {
+        const r = await remoteOAuthStart({ baseUrl });
+        startUrl = r.authorize_url;
+      } catch {
+        startUrl = `${baseUrl.replace(/\/+$/, "")}/v1/oauth/start`;
+      }
+      printHeader("Auth worker \u2014 OAuth login (v1 dogfood)");
+      console.log(`
+  ${pc12.bold("1.")} Open this URL in your browser to authenticate via CF Access + Anthropic OAuth:`);
+      console.log(`
+     ${pc12.cyan(startUrl)}
+`);
+      console.log(`  ${pc12.bold("2.")} Complete the CF Access SSO and Anthropic OAuth consent.`);
+      console.log(`         The worker stores your tokens on callback \u2014 the browser lands on a success page.`);
+      console.log(`
+  ${pc12.bold("3.")} Confirm your credentials are stored:
+`);
+      console.log(`         ${pc12.dim("olam auth list --remote " + baseUrl)}
+`);
+      console.log(`  ${pc12.dim("Note: full CLI-orchestrated browser SSO flow is deferred to v2 (cookie-bridging complexity).")}
+`);
+      if (!opts.printUrl) {
+        openBrowser(startUrl);
+      }
+      return;
+    }
     const preflight2 = await runAuthPreflight({ autoStart: true });
     if (preflight2.verdict !== "ok" && preflight2.verdict !== "no-accounts") {
       printError(preflight2.message);
@@ -25230,6 +25685,297 @@ ${pc12.dim("Next: olam create --name my-world")}`);
       }
     }
   });
+  auth.command("bind-service-token").description("Bind a Cloudflare service token to your CF Access user sub on the remote auth-worker").requiredOption("--remote <url>", "Auth-worker base URL").requiredOption("--token <client_id:secret>", "CF service token in format <client_id>:<secret>").option("--label <name>", "Friendly label for this token (defaults to client_id)").action(async (opts) => {
+    const baseUrl = opts.remote;
+    const parts = opts.token.split(":");
+    if (parts.length < 2) {
+      printError("--token must be in format <client_id>:<secret>");
+      process.exitCode = 1;
+      return;
+    }
+    const [clientId] = parts;
+    const clientIdStr = clientId ?? "";
+    const label = opts.label ?? clientIdStr;
+    printHeader("Auth worker \u2014 bind service token");
+    console.log(`
+  ${pc12.bold("Step 1:")} Open the URL below in your browser to authenticate via CF Access SSO:`);
+    console.log(`
+          ${pc12.cyan(baseUrl.replace(/\/+$/, "") + "/v1/oauth/start")}
+`);
+    console.log(`          You may see a JSON response or a "no credentials" page \u2014 that is normal.`);
+    console.log(`          This establishes the session that associates your user sub with the binding.
+`);
+    await promptLine(`  ${pc12.dim("Press Enter once you have completed the CF Access SSO step...")}`);
+    const rawCookie = await promptLine(
+      `
+  ${pc12.dim("Paste your CF_Authorization cookie value (DevTools > Application > Cookies > CF_Authorization):")} `
+    );
+    if (!rawCookie) {
+      printError("No cookie provided. Aborting.");
+      process.exitCode = 1;
+      return;
+    }
+    try {
+      await remoteBindServiceToken(
+        { baseUrl, cfAuthCookie: rawCookie },
+        { client_id: clientIdStr, label }
+      );
+      printSuccess(`Service token bound: ${clientIdStr} (label=${label})`);
+      console.log(
+        `
+${pc12.dim("Tip: set ANTHROPIC_BASE_URL=" + baseUrl.replace(/\/+$/, "") + "/v1/proxy")}`
+      );
+      console.log(`${pc12.dim("     to route Claude API calls through this worker.")}
+`);
+    } catch (err) {
+      printError(err instanceof Error ? err.message : "bind failed");
+      process.exitCode = 1;
+    }
+  });
+  auth.command("list").description("List credentials (local by default; --remote to query a remote auth-worker)").option("--remote <url>", "Auth-worker base URL").option("--cookie <value>", "CF_Authorization cookie for authenticated requests").action(async (opts) => {
+    if (opts.remote) {
+      const baseUrl = opts.remote;
+      const clientOpts = { baseUrl, cfAuthCookie: opts.cookie };
+      let accounts = [];
+      let tokens = [];
+      try {
+        accounts = await remoteListAccounts(clientOpts);
+      } catch (err) {
+        printWarning(`Could not fetch accounts: ${err instanceof Error ? err.message : String(err)}`);
+      }
+      try {
+        tokens = await remoteListServiceTokens(clientOpts);
+      } catch (err) {
+        printWarning(`Could not fetch service tokens: ${err instanceof Error ? err.message : String(err)}`);
+      }
+      printHeader(`Remote accounts (${accounts.length})`);
+      if (accounts.length === 0) {
+        console.log(`  ${pc12.dim("No accounts \u2014 run: olam auth login --remote " + baseUrl)}`);
+      } else {
+        for (const a of accounts) {
+          const label = a.label ?? a.id;
+          const state = a.state ?? "unknown";
+          const exp = a.expiresIn ?? "";
+          console.log(`  ${pc12.bold(label.padEnd(20))} ${pc12.green(state).padEnd(16)} ${pc12.dim(exp)}`);
+        }
+      }
+      printHeader(`Remote service tokens (${tokens.length})`);
+      if (tokens.length === 0) {
+        console.log(`  ${pc12.dim("No service tokens \u2014 run: olam auth bind-service-token --remote " + baseUrl)}`);
+      } else {
+        for (const t of tokens) {
+          const label = t.label ?? t.client_id;
+          const created = t.created_at ?? "";
+          console.log(`  ${pc12.bold(label.padEnd(20))} ${pc12.dim(t.client_id)}  ${pc12.dim(created)}`);
+        }
+      }
+      return;
+    }
+    const client = new AuthClient();
+    const status2 = await client.status();
+    if (!status2.reachable) {
+      printError("Auth container is not reachable. Run `olam auth up` first.");
+      process.exitCode = 1;
+      return;
+    }
+    printHeader(`Credentials (${status2.accounts.length})`);
+    if (status2.accounts.length === 0) {
+      console.log(`  ${pc12.dim("No credentials \u2014 run: olam auth login --label primary")}`);
+      return;
+    }
+    const stateColor = (s) => {
+      if (s === "active") return pc12.green("active");
+      if (s === "cooldown") return pc12.yellow("cooldown");
+      if (s === "expired") return pc12.red("expired");
+      if (s === "disabled") return pc12.dim("disabled");
+      return pc12.dim(s ?? "unknown");
+    };
+    for (const a of status2.accounts) {
+      const label = a.accountLabel ?? a.id;
+      const reqs = a.usage?.requestCount5h ?? 0;
+      const last429 = a.usage?.last429At ? `last429=${a.usage.last429At}` : "last429=never";
+      const reset = a.rateLimitResetsAt ? `resets=${a.rateLimitResetsAt}` : "";
+      console.log(
+        `  ${pc12.bold(label.padEnd(18))} ${stateColor(a.state).padEnd(18)} ${pc12.dim(`req5h=${reqs}`)}  ${pc12.dim(`exp=${a.expiresIn}`)} ${pc12.dim(last429)} ${pc12.yellow(reset)}`
+      );
+    }
+  });
+  auth.command("migrate-to-remote").description("Print guidance for re-authenticating local credentials against the remote auth-worker (v1: no auto-migration of secrets)").requiredOption("--url <url>", "Auth-worker base URL").action(async (opts) => {
+    const baseUrl = opts.url;
+    let accountLabels = [];
+    try {
+      const client = new AuthClient();
+      const status2 = await client.status();
+      accountLabels = status2.accounts.map((a) => a.accountLabel ?? a.id);
+    } catch {
+    }
+    printHeader("Migrate local credentials to remote auth-worker");
+    console.log(`
+  Remote URL: ${pc12.cyan(baseUrl)}
+`);
+    console.log(
+      `  ${pc12.dim("V1 note: secrets cannot be migrated automatically. Each account must re-authenticate via OAuth.")}
+`
+    );
+    if (accountLabels.length === 0) {
+      console.log(`  No local accounts found. Run:`);
+      console.log(`
+    ${pc12.cyan("olam auth login --remote " + baseUrl)}
+`);
+    } else {
+      console.log(`  Found ${accountLabels.length} local account(s). For each, run:
+`);
+      for (const label of accountLabels) {
+        console.log(`    ${pc12.cyan("olam auth login --remote " + baseUrl + " --label " + label)}`);
+      }
+      console.log();
+    }
+  });
+  auth.command("rotate-service-token").description("Revoke a service token and guide through re-binding a replacement").requiredOption("--url <url>", "Auth-worker base URL").requiredOption("--client-id <id>", "CF service token client_id to revoke").option("--cookie <value>", "CF_Authorization cookie for the DELETE request").action(async (opts) => {
+    const baseUrl = opts.url;
+    const clientId = opts.clientId;
+    printHeader("Auth worker \u2014 rotate service token");
+    console.log(`
+  Revoking service token: ${pc12.yellow(clientId)}
+`);
+    try {
+      await remoteDeleteServiceToken({ baseUrl, cfAuthCookie: opts.cookie }, clientId);
+      printSuccess(`Revoked: ${clientId}`);
+    } catch (err) {
+      printError(err instanceof Error ? err.message : "revoke failed");
+      process.exitCode = 1;
+      return;
+    }
+    console.log(`
+  ${pc12.bold("Next steps:")}`);
+    console.log(`  1. Mint a new service token in the Cloudflare Zero Trust dashboard.`);
+    console.log(`  2. Bind it:
+`);
+    console.log(`     ${pc12.cyan("olam auth bind-service-token --remote " + baseUrl + " --token <new_client_id>:<secret>")}
+`);
+  });
+  auth.command("doctor").description("Run 4 diagnostic probes against the remote auth-worker").requiredOption("--auth-worker <url>", "Auth-worker base URL").option("--cookie <value>", "CF_Authorization cookie (optional, for authenticated probes)").option("--json", "Emit JSON output").action(async (opts) => {
+    const checks = await runDoctorChecks({
+      baseUrl: opts.authWorker,
+      cfAuthCookie: opts.cookie
+    });
+    if (opts.json) {
+      console.log(JSON.stringify(checks, null, 2));
+      const failed = checks.filter((c) => c.status === "fail").length;
+      if (failed > 0) process.exitCode = 1;
+      return;
+    }
+    printHeader(`Auth-worker diagnostics (${opts.authWorker})`);
+    let hasFailure = false;
+    for (const c of checks) {
+      const icon = c.status === "pass" ? pc12.green("\u2713") : c.status === "warn" ? pc12.yellow("\u26A0") : pc12.red("\u2717");
+      console.log(`  ${icon}  ${pc12.bold(c.probe.padEnd(20))} ${c.message}`);
+      if (c.remedy) {
+        console.log(`       ${pc12.dim("\u21B3 " + c.remedy)}`);
+      }
+      if (c.status === "fail") hasFailure = true;
+    }
+    console.log();
+    if (hasFailure) {
+      printError("One or more probes failed \u2014 see remediation steps above.");
+      process.exitCode = 1;
+    } else {
+      printSuccess("All probes passed (warnings are non-blocking).");
+    }
+  });
+  auth.command("issue-anthropic-token").description("Mint a new Anthropic proxy token via the remote auth-worker (g4)").requiredOption("--remote <url>", "Auth-worker base URL").requiredOption("--label <name>", "Friendly label for this token (e.g. my-laptop)").action(async (opts) => {
+    const baseUrl = opts.remote;
+    printHeader("Auth worker \u2014 issue Anthropic proxy token");
+    console.log(`
+  Open ${pc12.cyan(baseUrl.replace(/\/+$/, "") + "/v1/oauth/start")} in a browser to authenticate via CF Access SSO.`);
+    console.log(`  Once you've completed SSO, paste your CF_Authorization cookie below`);
+    console.log(`  (from browser DevTools \u2192 Application \u2192 Cookies \u2192 CF_Authorization).
+`);
+    const rawCookie = await promptLine(`  ${pc12.dim("CF_Authorization cookie:")} `);
+    if (!rawCookie) {
+      printError("No cookie provided. Aborting.");
+      process.exitCode = 1;
+      return;
+    }
+    try {
+      const result = await remoteIssueAnthropicToken({ baseUrl, cfAuthCookie: rawCookie }, opts.label);
+      printSuccess(`Anthropic proxy token issued (label: ${result.label})`);
+      console.log(`
+  Set this in your Claude Code environment:`);
+      const exportHint = `export ANTHROPIC_BASE_URL='${result.anthropic_base_url_hint}'`;
+      console.log(`    ${pc12.cyan(exportHint)}`);
+      console.log(`
+  ${pc12.yellow("WARNING: the secret above is shown ONCE. Save it now \u2014 you cannot retrieve it later.")}`);
+      console.log(`  Secret:     ${pc12.bold(result.secret)}`);
+      console.log(`  Token hash (for revocation): ${pc12.dim(result.token_hash)}
+`);
+    } catch (err) {
+      printError(err instanceof Error ? err.message : "issue failed");
+      process.exitCode = 1;
+    }
+  });
+  auth.command("list-anthropic-tokens").description("List Anthropic proxy tokens from the remote auth-worker (g4)").requiredOption("--remote <url>", "Auth-worker base URL").action(async (opts) => {
+    const baseUrl = opts.remote;
+    printHeader("Auth worker \u2014 list Anthropic proxy tokens");
+    console.log(`
+  Open ${pc12.cyan(baseUrl.replace(/\/+$/, "") + "/v1/oauth/start")} in a browser to authenticate via CF Access SSO.`);
+    console.log(`  Once you've completed SSO, paste your CF_Authorization cookie below.
+`);
+    const rawCookie = await promptLine(`  ${pc12.dim("CF_Authorization cookie:")} `);
+    if (!rawCookie) {
+      printError("No cookie provided. Aborting.");
+      process.exitCode = 1;
+      return;
+    }
+    try {
+      const tokens = await remoteListAnthropicTokens({ baseUrl, cfAuthCookie: rawCookie });
+      if (tokens.length === 0) {
+        console.log(`
+  ${pc12.dim("No Anthropic proxy tokens found. Run: olam auth issue-anthropic-token --remote " + baseUrl + " --label <name>")}
+`);
+        return;
+      }
+      const col = (s, w) => s.padEnd(w);
+      console.log(`
+  ${"Label".padEnd(20)} ${"Issued".padEnd(22)} ${"Last Used".padEnd(22)} ${"Token Hash (prefix)"}`);
+      console.log(`  ${"-".repeat(20)} ${"-".repeat(22)} ${"-".repeat(22)} ${"-".repeat(10)}`);
+      for (const t of tokens) {
+        const issued = t.issued_at ?? "\u2014";
+        const lastUsed = t.last_used_at ?? "\u2014";
+        const hashPrefix = t.token_hash.slice(0, 8);
+        console.log(`  ${col(t.label, 20)} ${col(issued, 22)} ${col(lastUsed, 22)} ${pc12.dim(hashPrefix)}`);
+      }
+      console.log();
+    } catch (err) {
+      printError(err instanceof Error ? err.message : "list failed");
+      process.exitCode = 1;
+    }
+  });
+  auth.command("revoke-anthropic-token").description("Revoke an Anthropic proxy token on the remote auth-worker (g4)").requiredOption("--remote <url>", "Auth-worker base URL").requiredOption("--token-hash <hash>", "Token hash to revoke (from issue or list output)").action(async (opts) => {
+    const baseUrl = opts.remote;
+    printHeader("Auth worker \u2014 revoke Anthropic proxy token");
+    console.log(`
+  Open ${pc12.cyan(baseUrl.replace(/\/+$/, "") + "/v1/oauth/start")} in a browser to authenticate via CF Access SSO.`);
+    console.log(`  Once you've completed SSO, paste your CF_Authorization cookie below.
+`);
+    const rawCookie = await promptLine(`  ${pc12.dim("CF_Authorization cookie:")} `);
+    if (!rawCookie) {
+      printError("No cookie provided. Aborting.");
+      process.exitCode = 1;
+      return;
+    }
+    try {
+      const revoked = await remoteRevokeAnthropicToken({ baseUrl, cfAuthCookie: rawCookie }, opts.tokenHash);
+      if (revoked) {
+        printSuccess(`Token ${opts.tokenHash} revoked.`);
+      } else {
+        printWarning(`Token ${opts.tokenHash} not found (may already be revoked).`);
+      }
+    } catch (err) {
+      printError(err instanceof Error ? err.message : "revoke failed");
+      process.exitCode = 1;
+    }
+  });
   registerAuthUpgrade(auth);
 }
 
@@ -25242,7 +25988,7 @@ import ora5 from "ora";
 import pc13 from "picocolors";
 
 // ../core/dist/world/devbox-freshness.js
-import { execSync as execSync7 } from "node:child_process";
+import { execSync as execSync8 } from "node:child_process";
 import { existsSync as existsSync36, statSync as statSync9 } from "node:fs";
 import { join as join43 } from "node:path";
 var DEFAULT_DEVBOX_IMAGE = "olam-devbox:base";
@@ -25326,7 +26072,7 @@ function formatFreshnessWarning(result, image = DEFAULT_DEVBOX_IMAGE) {
 }
 function defaultDockerInspect(image) {
   try {
-    const out = execSync7(`docker inspect ${image} --format '{{.Created}}'`, { encoding: "utf-8", timeout: 5e3, stdio: ["ignore", "pipe", "pipe"] }).trim();
+    const out = execSync8(`docker inspect ${image} --format '{{.Created}}'`, { encoding: "utf-8", timeout: 5e3, stdio: ["ignore", "pipe", "pipe"] }).trim();
     return out.length > 0 ? out : null;
   } catch {
     return null;
@@ -25708,7 +26454,7 @@ async function readHostCpTokenForCreate() {
   }
 }
 function registerCreate(program2) {
-  program2.command("create").description("Create a new development world").option("--name <name>", "World name (required unless --from-prompt is set; auto-derived in that case)").option("--repos <repos...>", "Repos to include (names from .olam/config.yaml; wins over --workspace)").option("--workspace <name>", "Named workspace from the host catalog (~/.olam/workspaces/<name>.yaml)").option("--task <task>", "Initial task to dispatch").option("--branch <branch>", "Override default branch name").option("--plan <file>", "Path to a plan file to inject").option("--no-auth", "Skip auto-injecting host credentials").option("--no-host-cp", 'Suppress the host CP "you might want to start it" hint').option("--auto-codex-review", "Spawn a parallel codex-review lane that critiques main as it works").option("--no-open", "Suppress auto-opening the Host CP UI in the browser on success").option("--rebuild-base", "Rebuild olam-devbox:latest before creating (slow)").option("--no-freshness-check", "Skip the devbox image freshness check").option("--from-prompt <prompt>", "NL prompt \u2192 infer workspace + dispatch (CLI parity for olam_create_from_prompt MCP tool)").option("--keep-after-merge", "Disable auto-destroy when the world's PR merges (useful for inspection/debugging)").option("--carry-uncommitted", "Preserve operator's uncommitted edits in the world's worktree").option(
+  program2.command("create").description("Create a new development world").option("--name <name>", "World name (required unless --from-prompt is set; auto-derived in that case)").option("--repos <repos...>", "Repos to include (names from .olam/config.yaml; wins over --workspace)").option("--workspace <name>", "Named workspace from the host catalog (~/.olam/workspaces/<name>.yaml)").option("--task <task>", "Initial task to dispatch").option("--branch <branch>", "Override default branch name").option("--plan <file>", "Path to a plan file to inject").option("--no-auth", "Skip auto-injecting host credentials").option("--no-host-cp", 'Suppress the host CP "you might want to start it" hint').option("--auto-codex-review", "Spawn a parallel codex-review lane that critiques main as it works").option("--no-open", "Suppress auto-opening the Host CP UI in the browser on success").option("--rebuild-base", "Rebuild olam-devbox:latest before creating (slow)").option("--no-freshness-check", "Skip the devbox image freshness check").option("--from-prompt <prompt>", "NL prompt \u2192 infer workspace + dispatch (CLI parity for olam_create_from_prompt MCP tool)").option("--from-manifest <path>", "Spawn a world from a trace-replay fork manifest (ADR 044)").option("--keep-after-merge", "Disable auto-destroy when the world's PR merges (useful for inspection/debugging)").option("--carry-uncommitted", "Preserve operator's uncommitted edits in the world's worktree").option(
     "--allow-bootstrap-failure",
     "Treat bootstrap step failures as warnings instead of destroying the world (dogfood escape hatch for cross-repo seed coupling)"
   ).option("--devbox-image <ref>", "Override the default devbox image (full registry/name:tag or @sha256: ref)").option("--allow-custom-registry", "Allow --devbox-image refs outside ghcr.io/pleri/* (logs a warning)").option("--runbook <name>", "Named runbook profile from ~/.olam/config.json").option(
@@ -25753,6 +26499,32 @@ function registerCreate(program2) {
     let resolvedWorkspace = opts.workspace;
     let resolvedRepos = opts.repos;
     let resolvedTask = opts.task;
+    if (opts.fromManifest) {
+      if (opts.task) {
+        printError("--from-manifest and --task are mutually exclusive (the manifest carries the task).");
+        process.exitCode = 1;
+        return;
+      }
+      if (opts.fromPrompt) {
+        printError("--from-manifest and --from-prompt are mutually exclusive.");
+        process.exitCode = 1;
+        return;
+      }
+      const { parseForkManifest: parseForkManifest2, defaultNameFromManifest: defaultNameFromManifest2, provenanceLine: provenanceLine2 } = await Promise.resolve().then(() => (init_from_manifest(), from_manifest_exports));
+      let manifest;
+      try {
+        manifest = parseForkManifest2(opts.fromManifest);
+      } catch (err) {
+        printError(err.message);
+        process.exitCode = 1;
+        return;
+      }
+      resolvedTask = manifest.newPrompt;
+      if (!resolvedName) {
+        resolvedName = defaultNameFromManifest2(manifest);
+      }
+      printInfo("Replay", provenanceLine2(manifest));
+    }
     if (opts.fromPrompt) {
       if (opts.task) {
         printError("--from-prompt and --task are mutually exclusive (the prompt IS the task).");
@@ -26138,6 +26910,8 @@ ${pc13.cyan("Host CP UI:")} ${worldUrl}`);
       if (err instanceof AuthPreflightError) {
         printError(err.message);
         if (err.remedy) console.log(`  ${pc13.dim(err.remedy)}`);
+      } else if (err instanceof ContainerOrphanError) {
+        printError(err.message);
       } else {
         printError(err instanceof Error ? err.message : String(err));
       }
@@ -27299,7 +28073,7 @@ async function runImplode(opts) {
 // src/commands/enter.ts
 init_context();
 init_output();
-import { execSync as execSync8 } from "node:child_process";
+import { execSync as execSync9 } from "node:child_process";
 import pc18 from "picocolors";
 var SAFE_IDENT3 = /^[a-z0-9][a-z0-9-]{0,63}$/;
 function buildStartClaudeCommands(containerName, sessionName, task) {
@@ -27396,7 +28170,7 @@ function registerEnter(program2) {
       if (opts.exec) {
         for (const step2 of steps) {
           try {
-            execSync8(step2.command, {
+            execSync9(step2.command, {
               stdio: step2.stdin !== void 0 ? ["pipe", "inherit", "inherit"] : "inherit",
               input: step2.stdin
             });
@@ -27436,7 +28210,7 @@ function registerEnter(program2) {
     }
     if (opts.exec) {
       try {
-        execSync8(result.command, { stdio: "inherit" });
+        execSync9(result.command, { stdio: "inherit" });
       } catch (err) {
         printError(
           err instanceof Error ? err.message : `Command failed: ${result.command}`
@@ -28211,7 +28985,7 @@ function registerLanes(program2) {
 
 // src/commands/policy-check.ts
 init_loader2();
-import { execSync as execSync9 } from "node:child_process";
+import { execSync as execSync10 } from "node:child_process";
 import pc20 from "picocolors";
 
 // ../../node_modules/balanced-match/dist/esm/index.js
@@ -30049,7 +30823,7 @@ function enforcePolicies(policies, diff) {
 function getDiff(base, cwd) {
   for (const range2 of [`${base}...HEAD`, `${base}..HEAD`]) {
     try {
-      return execSync9(`git diff --name-only ${range2}`, {
+      return execSync10(`git diff --name-only ${range2}`, {
         cwd,
         encoding: "utf8",
         stdio: ["pipe", "pipe", "pipe"]
@@ -30058,7 +30832,7 @@ function getDiff(base, cwd) {
     }
   }
   try {
-    return execSync9("git diff --name-only HEAD", {
+    return execSync10("git diff --name-only HEAD", {
       cwd,
       encoding: "utf8",
       stdio: ["pipe", "pipe", "pipe"]
@@ -30096,7 +30870,7 @@ function registerPolicyCheck(program2) {
 }
 
 // src/commands/worldspec/compile.ts
-import { existsSync as existsSync44, mkdirSync as mkdirSync28, readFileSync as readFileSync33, writeFileSync as writeFileSync22 } from "node:fs";
+import { existsSync as existsSync44, mkdirSync as mkdirSync28, readFileSync as readFileSync34, writeFileSync as writeFileSync22 } from "node:fs";
 import { resolve as resolvePath } from "node:path";
 import YAML5 from "yaml";
 
@@ -30905,7 +31679,7 @@ function registerWorldspecCompile(parent) {
       }
       let yaml;
       try {
-        yaml = YAML5.parse(readFileSync33(abs, "utf8"));
+        yaml = YAML5.parse(readFileSync34(abs, "utf8"));
       } catch (err) {
         printError(
           `${p}: YAML parse error: ${err.message}`
@@ -30990,8 +31764,8 @@ function getPkgVersion() {
 // src/commands/worldspec/init.ts
 init_exit_codes();
 init_output();
-import { existsSync as existsSync45, mkdirSync as mkdirSync29, readFileSync as readFileSync34, writeFileSync as writeFileSync23 } from "node:fs";
-import { execSync as execSync10 } from "node:child_process";
+import { existsSync as existsSync45, mkdirSync as mkdirSync29, readFileSync as readFileSync35, writeFileSync as writeFileSync23 } from "node:fs";
+import { execSync as execSync11 } from "node:child_process";
 import { basename as basename3, resolve as resolvePath2 } from "node:path";
 function registerWorldspecInit(parent) {
   parent.command("init").description(
@@ -31049,7 +31823,7 @@ function detectProjectShape(root, useAdbYaml) {
   const rubyVersionPath = resolvePath2(root, ".ruby-version");
   if (existsSync45(rubyVersionPath)) {
     try {
-      const raw = readFileSync34(rubyVersionPath, "utf8").trim();
+      const raw = readFileSync35(rubyVersionPath, "utf8").trim();
       const match2 = raw.match(/(\d+\.\d+\.\d+)/);
       if (match2) rubyVersion = match2[1] ?? null;
     } catch {
@@ -31066,7 +31840,7 @@ function detectProjectShape(root, useAdbYaml) {
 }
 function getRepoName2(root) {
   try {
-    const url2 = execSync10("git remote get-url origin", {
+    const url2 = execSync11("git remote get-url origin", {
       cwd: root,
       encoding: "utf-8",
       stdio: ["ignore", "pipe", "ignore"]
@@ -32459,7 +33233,7 @@ function registerWorldspecSchema(parent) {
 }
 
 // src/commands/worldspec/validate.ts
-import { existsSync as existsSync46, readFileSync as readFileSync35 } from "node:fs";
+import { existsSync as existsSync46, readFileSync as readFileSync36 } from "node:fs";
 import { resolve as resolvePath4 } from "node:path";
 init_exit_codes();
 init_output();
@@ -32482,7 +33256,7 @@ function registerWorldspecValidate(parent) {
     }
     let yamlSource;
     try {
-      yamlSource = readFileSync35(absPath, "utf8");
+      yamlSource = readFileSync36(absPath, "utf8");
     } catch (err) {
       printError(
         `failed to read ${absPath}: ${err.message}`
@@ -34401,7 +35175,7 @@ init_snapshot();
 init_output();
 import * as fs45 from "node:fs";
 import * as path48 from "node:path";
-import { execSync as execSync11 } from "node:child_process";
+import { execSync as execSync12 } from "node:child_process";
 import pc24 from "picocolors";
 
 // src/commands/world.ts
@@ -34537,7 +35311,7 @@ async function captureGems(worldId, workspacePath, repo) {
   const containerName = `olam-${worldId}-devbox`;
   let bundlePath;
   try {
-    bundlePath = execSync11(
+    bundlePath = execSync12(
       `docker exec ${containerName} sh -c 'bundle config get path 2>/dev/null || echo ~/.bundle'`,
       { encoding: "utf-8", timeout: 1e4 }
     ).trim();
@@ -34547,13 +35321,13 @@ async function captureGems(worldId, workspacePath, repo) {
   }
   try {
     const tmpTar = `/tmp/olam-snap-gems-${repo}-${fingerprint}.tar.gz`;
-    execSync11(
+    execSync12(
       `docker exec ${containerName} sh -c 'mkdir -p "$(dirname ${tmpTar})" && tar -czf ${tmpTar}.tmp -C ${bundlePath} . && mv ${tmpTar}.tmp ${tmpTar}'`,
       { stdio: "pipe", timeout: 12e4 }
     );
     fs45.mkdirSync(path48.dirname(tarPath), { recursive: true });
-    execSync11(`docker cp ${containerName}:${tmpTar} "${tarPath}"`, { stdio: "pipe", timeout: 12e4 });
-    execSync11(`docker exec ${containerName} rm -f ${tmpTar}`, { stdio: "pipe" });
+    execSync12(`docker cp ${containerName}:${tmpTar} "${tarPath}"`, { stdio: "pipe", timeout: 12e4 });
+    execSync12(`docker exec ${containerName} rm -f ${tmpTar}`, { stdio: "pipe" });
     const stat = fs45.statSync(tarPath);
     const manifest = {
       kind: "gems",
@@ -34609,18 +35383,18 @@ async function capturePg(worldId, workspacePath, repoNames) {
   const containerName = `olam-${worldId}-postgres`;
   const volumeName2 = `olam-${worldId}-postgres-data`;
   try {
-    execSync11(`docker inspect ${containerName}`, { stdio: "pipe", timeout: 5e3 });
+    execSync12(`docker inspect ${containerName}`, { stdio: "pipe", timeout: 5e3 });
   } catch {
     return { ok: false, tarPath, msg: "postgres container not found; world may not use postgres" };
   }
   try {
-    execSync11(`docker stop ${containerName}`, { stdio: "pipe", timeout: 3e4 });
+    execSync12(`docker stop ${containerName}`, { stdio: "pipe", timeout: 3e4 });
     fs45.mkdirSync(path48.dirname(tarPath), { recursive: true });
-    execSync11(
+    execSync12(
       `docker run --rm         -v "${volumeName2}:/pgdata:ro"         -v "${path48.dirname(tarPath)}:/dest"         alpine         sh -c 'tar -czf /dest/${path48.basename(tarPath)}.tmp -C /pgdata . && mv /dest/${path48.basename(tarPath)}.tmp /dest/${path48.basename(tarPath)}'`,
       { stdio: "pipe", timeout: 18e4 }
     );
-    execSync11(`docker start ${containerName}`, { stdio: "pipe", timeout: 3e4 });
+    execSync12(`docker start ${containerName}`, { stdio: "pipe", timeout: 3e4 });
     const stat = fs45.statSync(tarPath);
     const manifest = {
       kind: "pg",
@@ -34634,7 +35408,7 @@ async function capturePg(worldId, workspacePath, repoNames) {
     return { ok: true, tarPath };
   } catch (err) {
     try {
-      execSync11(`docker start ${containerName}`, { stdio: "pipe", timeout: 1e4 });
+      execSync12(`docker start ${containerName}`, { stdio: "pipe", timeout: 1e4 });
     } catch {
     }
     return { ok: false, tarPath, msg: `pg capture failed: ${String(err)}` };
@@ -35065,7 +35839,7 @@ function registerRestart(program2) {
 import * as fs48 from "node:fs";
 import * as os26 from "node:os";
 import * as path51 from "node:path";
-import { execFileSync as execFileSync13, execSync as execSync12 } from "node:child_process";
+import { execFileSync as execFileSync13, execSync as execSync13 } from "node:child_process";
 import pc25 from "picocolors";
 
 // ../core/dist/diagnose/secret-stripper.js
@@ -35105,7 +35879,7 @@ var CACHE_DIR = path51.join(os26.homedir(), ".olam", "cache");
 var LOG_TAIL_LINES = 200;
 function safeExec(cmd) {
   try {
-    return execSync12(cmd, { encoding: "utf-8", stdio: ["ignore", "pipe", "pipe"] });
+    return execSync13(cmd, { encoding: "utf-8", stdio: ["ignore", "pipe", "pipe"] });
   } catch {
     return "";
   }
@@ -35231,7 +36005,7 @@ init_health_probes();
 
 // src/lib/bundle-freshness.ts
 import { createHash as createHash4 } from "node:crypto";
-import { existsSync as existsSync56, readFileSync as readFileSync42, statSync as statSync17 } from "node:fs";
+import { existsSync as existsSync56, readFileSync as readFileSync43, statSync as statSync17 } from "node:fs";
 import { join as join58, resolve as resolve16 } from "node:path";
 var BUNDLE_FILES = [
   "driver-runner.js",
@@ -35276,7 +36050,7 @@ async function probeBundleFreshness(deps = {}) {
   for (const f of BUNDLE_FILES) {
     const p = join58(hostDistDir, f);
     if (!existsSync56(p)) continue;
-    const buf = readFileSync42(p);
+    const buf = readFileSync43(p);
     const sha = createHash4("sha256").update(buf).digest("hex");
     const mtimeMs = statSync17(p).mtimeMs;
     hostShas.set(f, { sha, mtimeMs });
@@ -36185,7 +36959,7 @@ function registerSubstrate(program2) {
 }
 
 // ../cli-plugin-tasks/dist/client.js
-import { readFileSync as readFileSync46 } from "node:fs";
+import { readFileSync as readFileSync47 } from "node:fs";
 import { homedir as homedir31 } from "node:os";
 import { join as join61 } from "node:path";
 var TasksClient = class {
@@ -36197,7 +36971,7 @@ var TasksClient = class {
     this.baseUrl = (opts.hostCpUrl ?? process.env.OLAM_HOST_CP_URL ?? "http://localhost:19000").replace(/\/$/, "");
     const tokenPath2 = opts.tokenPath ?? join61(homedir31(), ".olam", "host-cp.token");
     try {
-      this.token = readFileSync46(tokenPath2, "utf8").trim();
+      this.token = readFileSync47(tokenPath2, "utf8").trim();
     } catch (e) {
       throw new Error(`cli-plugin-tasks: cannot read host-cp token at ${tokenPath2} (${e instanceof Error ? e.message : "unknown"}). Bootstrap host-cp first.`);
     }
@@ -36224,7 +36998,7 @@ var TasksClient = class {
 };
 
 // ../cli-plugin-tasks/dist/tracker-parser.js
-import { readFileSync as readFileSync47 } from "node:fs";
+import { readFileSync as readFileSync48 } from "node:fs";
 import { createHash as createHash6 } from "node:crypto";
 function contentHash(parts) {
   const normalized = parts.map((p) => (p ?? "").trim()).join("|");
@@ -36258,7 +37032,7 @@ function parseFrontmatter2(raw) {
   return { frontmatter: fm, body };
 }
 function parseTracker(path96) {
-  const raw = readFileSync47(path96, "utf8");
+  const raw = readFileSync48(path96, "utf8");
   const { frontmatter, body } = parseFrontmatter2(raw);
   const lines = body.split("\n");
   const tasks = [];
@@ -36651,7 +37425,7 @@ function registerCompletion(program2) {
 init_cli_version();
 init_health_probes();
 import { spawn as spawn7, spawnSync as spawnSync27 } from "node:child_process";
-import { existsSync as existsSync85, readFileSync as readFileSync70 } from "node:fs";
+import { existsSync as existsSync85, readFileSync as readFileSync71 } from "node:fs";
 import { homedir as homedir45 } from "node:os";
 import path77 from "node:path";
 import { createInterface as createInterface3 } from "node:readline";
@@ -36718,14 +37492,14 @@ function discoverOfferableContexts(deps = {}) {
 }
 
 // src/lib/shell-rc.ts
-import { copyFileSync as copyFileSync5, existsSync as existsSync60, readFileSync as readFileSync48, renameSync as renameSync8, writeFileSync as writeFileSync29 } from "node:fs";
+import { copyFileSync as copyFileSync5, existsSync as existsSync60, readFileSync as readFileSync49, renameSync as renameSync8, writeFileSync as writeFileSync29 } from "node:fs";
 import path54 from "node:path";
 function appendIdempotent(opts) {
   const { rcPath, marker, contentLine, clock = () => /* @__PURE__ */ new Date() } = opts;
   if (!existsSync60(rcPath)) {
     return { status: "no-rc-file", backupPath: null };
   }
-  const content = readFileSync48(rcPath, "utf-8");
+  const content = readFileSync49(rcPath, "utf-8");
   if (content.includes(marker)) {
     return { status: "already-present", backupPath: null };
   }
@@ -37098,7 +37872,7 @@ function resolveSubstrate(opts, deps) {
   const configPath = deps.configPath ?? OLAM_CONFIG_PATH;
   if (existsSync85(configPath)) {
     try {
-      const raw = readFileSync70(configPath, "utf8");
+      const raw = readFileSync71(configPath, "utf8");
       const parsed = JSON.parse(raw);
       const host = parsed.host;
       if (host?.substrate === "kubernetes") return "kubernetes";
@@ -37778,11 +38552,11 @@ function registerSetupMetrics(program2) {
 
 // ../core/dist/setup/linux-gate.js
 init_trust_audit_log();
-import { execSync as execSync13 } from "node:child_process";
+import { execSync as execSync14 } from "node:child_process";
 var GH_LABEL = "linux-platform-request";
 var LINUX_INVOCATION_THRESHOLD = 3;
 function defaultExecGhIssueList(label) {
-  return execSync13(`gh issue list --label ${label} --json number,title --state all`, { encoding: "utf-8", stdio: ["pipe", "pipe", "pipe"] });
+  return execSync14(`gh issue list --label ${label} --json number,title --state all`, { encoding: "utf-8", stdio: ["pipe", "pipe", "pipe"] });
 }
 function countLinuxInvocations(readLog) {
   const { entries } = readLog();
@@ -37857,7 +38631,7 @@ function registerSetupLinuxGate(program2) {
 import * as fs78 from "node:fs";
 import * as os42 from "node:os";
 import * as path80 from "node:path";
-import { execSync as execSync14 } from "node:child_process";
+import { execSync as execSync15 } from "node:child_process";
 import pc28 from "picocolors";
 
 // src/lib/symlink-reconcile.ts
@@ -37925,7 +38699,7 @@ var LOG_DIR2 = path80.join(os42.homedir(), ".olam", "log");
 var LAST_STABLE_FILE = path80.join(CACHE_DIR2, "last-stable.txt");
 function defaultExec(cmd) {
   try {
-    const stdout = execSync14(cmd, { encoding: "utf-8", stdio: ["ignore", "pipe", "pipe"] });
+    const stdout = execSync15(cmd, { encoding: "utf-8", stdio: ["ignore", "pipe", "pipe"] });
     return { exitCode: 0, stdout, stderr: "" };
   } catch (err) {
     const e = err;
@@ -38450,7 +39224,7 @@ import * as readline2 from "node:readline";
 import pc32 from "picocolors";
 
 // src/commands/flywheel/install-shims.ts
-import { copyFileSync as copyFileSync9, existsSync as existsSync89, mkdirSync as mkdirSync53, readFileSync as readFileSync74, writeFileSync as writeFileSync44 } from "node:fs";
+import { copyFileSync as copyFileSync9, existsSync as existsSync89, mkdirSync as mkdirSync53, readFileSync as readFileSync75, writeFileSync as writeFileSync44 } from "node:fs";
 import { homedir as homedir48 } from "node:os";
 import { dirname as dirname48, join as join87 } from "node:path";
 
@@ -38554,7 +39328,7 @@ function installOne(spec, targetDir, opts) {
     }
     return { basename: spec.basename, action: "written", targetPath };
   }
-  const existing = readFileSync74(targetPath, "utf8");
+  const existing = readFileSync75(targetPath, "utf8");
   if (existing === newContent) {
     return { basename: spec.basename, action: "unchanged", targetPath };
   }
@@ -39214,7 +39988,7 @@ import {
   lstatSync as lstatSync8,
   mkdirSync as mkdirSync54,
   readdirSync as readdirSync27,
-  readFileSync as readFileSync75,
+  readFileSync as readFileSync76,
   readlinkSync as readlinkSync4,
   rmSync as rmSync9,
   statSync as statSync27,
@@ -39321,8 +40095,8 @@ function postMergeSanitize(mergedText, label) {
   return { ok: false, reason: `[post-merge-sanitize] ${label} merged output failed sanitizer: ${result.reason}` };
 }
 function mergeOne(upstreamPath, overlayPath, destPath2, label, dryRun, messages) {
-  const upstreamText = readFileSync75(upstreamPath, "utf8");
-  const overlayText = readFileSync75(overlayPath, "utf8");
+  const upstreamText = readFileSync76(upstreamPath, "utf8");
+  const overlayText = readFileSync76(overlayPath, "utf8");
   const result = mergeMarkdown(upstreamText, overlayText, label, upstreamPath, overlayPath);
   if ("error" in result) {
     messages.push(`ERROR ${result.error.reason}`);
@@ -39342,7 +40116,7 @@ function mergeOne(upstreamPath, overlayPath, destPath2, label, dryRun, messages)
 }
 function isNewAgentOverlay(overlayPath) {
   try {
-    const text = readFileSync75(overlayPath, "utf8");
+    const text = readFileSync76(overlayPath, "utf8");
     const { fm } = parseFrontmatter3(text);
     return fm["overlay-intent"] === "new-agent";
   } catch {
@@ -42120,7 +42894,7 @@ function registerMcp(program2) {
 init_output();
 
 // src/lib/memory-host-process-migration.ts
-import { existsSync as existsSync101, readFileSync as readFileSync83, unlinkSync as unlinkSync23 } from "node:fs";
+import { existsSync as existsSync101, readFileSync as readFileSync84, unlinkSync as unlinkSync23 } from "node:fs";
 import { spawnSync as spawnSync30 } from "node:child_process";
 
 // src/commands/memory/_paths.ts
@@ -42189,7 +42963,7 @@ function migrateFromHostProcess(opts = {}) {
 }
 function readPidFromFile(pidPath2) {
   try {
-    const raw = readFileSync83(pidPath2, "utf8").trim();
+    const raw = readFileSync84(pidPath2, "utf8").trim();
     const pid = parseInt(raw, 10);
     if (!Number.isFinite(pid) || pid <= 0) return null;
     return pid;
@@ -42622,7 +43396,7 @@ function registerMemoryUninstall(cmd) {
 // src/commands/memory/mode.ts
 init_schema2();
 init_output();
-import { existsSync as existsSync104, readFileSync as readFileSync84, writeFileSync as writeFileSync51 } from "node:fs";
+import { existsSync as existsSync104, readFileSync as readFileSync85, writeFileSync as writeFileSync51 } from "node:fs";
 import { join as join96 } from "node:path";
 import * as readline7 from "node:readline/promises";
 import { parse as parseYaml8, stringify as stringifyYaml6 } from "yaml";
@@ -42637,7 +43411,7 @@ function locateConfig(cwd) {
   return { absPath };
 }
 function readConfigYaml(absPath) {
-  const raw = readFileSync84(absPath, "utf-8");
+  const raw = readFileSync85(absPath, "utf-8");
   const parsed = parseYaml8(raw) ?? {};
   if (typeof parsed !== "object" || parsed === null) {
     throw new Error(`${absPath} is not a YAML object`);
@@ -43124,7 +43898,7 @@ function registerMemoryStats(cmd) {
 }
 
 // src/commands/memory/install-hooks.ts
-import { copyFileSync as copyFileSync12, existsSync as existsSync106, mkdirSync as mkdirSync60, readFileSync as readFileSync85, writeFileSync as writeFileSync52 } from "node:fs";
+import { copyFileSync as copyFileSync12, existsSync as existsSync106, mkdirSync as mkdirSync60, readFileSync as readFileSync86, writeFileSync as writeFileSync52 } from "node:fs";
 import { homedir as homedir54 } from "node:os";
 import { dirname as dirname56, join as join98, resolve as resolve25 } from "node:path";
 import { fileURLToPath as fileURLToPath9 } from "node:url";
@@ -43147,7 +43921,7 @@ function installOne2(basename16, sourceDir, targetDir, opts) {
   if (!existsSync106(sourcePath)) {
     throw new Error(`canonical hook source missing at ${sourcePath} \u2014 olam install corrupt or sourceDir is wrong`);
   }
-  const newContent = readFileSync85(sourcePath, "utf8");
+  const newContent = readFileSync86(sourcePath, "utf8");
   if (!existsSync106(targetPath)) {
     if (opts.dryRun !== true) {
       mkdirSync60(dirname56(targetPath), { recursive: true });
@@ -43155,7 +43929,7 @@ function installOne2(basename16, sourceDir, targetDir, opts) {
     }
     return { basename: basename16, action: "written", targetPath };
   }
-  const existing = readFileSync85(targetPath, "utf8");
+  const existing = readFileSync86(targetPath, "utf8");
   if (existing === newContent) {
     return { basename: basename16, action: "unchanged", targetPath };
   }
@@ -44633,7 +45407,7 @@ function registerFlywheelK5Score(parent) {
 }
 
 // src/commands/flywheel/k5-validate.ts
-import { readFileSync as readFileSync89, statSync as statSync30 } from "node:fs";
+import { readFileSync as readFileSync90, statSync as statSync30 } from "node:fs";
 import { parse as parseYAML } from "yaml";
 var K5_DIMS = ["direction", "approach", "open_questions", "constraints", "reuse"];
 var MAX_PLAN_BYTES = 1048576;
@@ -44703,7 +45477,7 @@ function validatePlan(path96) {
   }
   let text;
   try {
-    text = readFileSync89(path96, "utf8");
+    text = readFileSync90(path96, "utf8");
   } catch (err) {
     return { ok: false, message: `FAIL cannot read ${path96}: ${err instanceof Error ? err.message : "unknown"}` };
   }
@@ -44785,7 +45559,7 @@ function registerFlywheelK5Validate(parent) {
 }
 
 // src/commands/flywheel/k10-measure.ts
-import { readFileSync as readFileSync90 } from "node:fs";
+import { readFileSync as readFileSync91 } from "node:fs";
 
 // ../core/dist/lib/k10-budget.js
 var K10_TOKEN_CAP = 5500;
@@ -44842,7 +45616,7 @@ function registerFlywheelK10Measure(parent) {
   parent.command("k10-measure").description("Measure K10 token budget for upstream + optional overlay; emit PASS/REJECT verdict").requiredOption("--upstream <path>", "path to upstream file (e.g. persona prompt)").option("--overlay <path>", "path to overlay file (omit if none \u2014 PASS without enforcement)").option("--json", "emit verdict as JSON instead of human-readable").action((opts) => {
     let upstreamText;
     try {
-      upstreamText = readFileSync90(opts.upstream, "utf8");
+      upstreamText = readFileSync91(opts.upstream, "utf8");
     } catch (err) {
       process.stderr.write(
         `[k10-measure-error] cannot read upstream ${opts.upstream}: ${err instanceof Error ? err.message : "unknown"}
@@ -44854,7 +45628,7 @@ function registerFlywheelK10Measure(parent) {
     let overlayTokens = null;
     if (opts.overlay !== void 0) {
       try {
-        const overlayText = readFileSync90(opts.overlay, "utf8");
+        const overlayText = readFileSync91(opts.overlay, "utf8");
         overlayTokens = tokensFromText(overlayText);
       } catch (err) {
         process.stderr.write(
@@ -44888,7 +45662,7 @@ function registerFlywheelK10Measure(parent) {
 }
 
 // src/commands/flywheel/check-persona-skeleton.ts
-import { existsSync as existsSync110, readFileSync as readFileSync91, statSync as statSync31 } from "node:fs";
+import { existsSync as existsSync110, readFileSync as readFileSync92, statSync as statSync31 } from "node:fs";
 import { homedir as homedir60 } from "node:os";
 import { basename as basename14, join as join103 } from "node:path";
 import { parse as parseYAML2 } from "yaml";
@@ -44937,7 +45711,7 @@ function checkFile(filepath) {
   if (!existsSync110(filepath) || !statSync31(filepath).isFile()) {
     return { passed: false, failures: [`file not found: ${filepath}`], tokens: 0, mergedSkipped: false };
   }
-  const text = readFileSync91(filepath, "utf8");
+  const text = readFileSync92(filepath, "utf8");
   const { fm, body } = parseFile(text);
   const failures = [];
   for (const key of REQUIRED_FRONTMATTER_KEYS) {
@@ -45003,7 +45777,7 @@ Results: ${passCount} passed, ${failCount} failed
 }
 
 // src/commands/flywheel/diversity-check.ts
-import { readFileSync as readFileSync92 } from "node:fs";
+import { readFileSync as readFileSync93 } from "node:fs";
 import { basename as basename15 } from "node:path";
 import { globSync as globSync2 } from "node:fs";
 
@@ -45112,7 +45886,7 @@ function registerFlywheelDiversityCheck(parent) {
     const personas = /* @__PURE__ */ new Map();
     for (const filepath of files) {
       try {
-        const body = readFileSync92(filepath, "utf8");
+        const body = readFileSync93(filepath, "utf8");
         if (body.trim().length > 0) {
           personas.set(basename15(filepath, ".md"), body);
         }
@@ -45205,7 +45979,7 @@ import {
   copyFileSync as copyFileSync15,
   existsSync as existsSync111,
   mkdirSync as mkdirSync65,
-  readFileSync as readFileSync93,
+  readFileSync as readFileSync94,
   readdirSync as readdirSync32,
   statSync as statSync32,
   writeFileSync as writeFileSync57
@@ -45291,7 +46065,7 @@ function resolveAtlasUser2(opts) {
   const claudeDir2 = opts._testClaudeDir ?? process.env["OLAM_CLAUDE_DIR"] ?? join105(homedir62(), ".claude");
   const f = join105(claudeDir2, ".atlas-user");
   if (existsSync111(f)) {
-    const v = readFileSync93(f, "utf-8").trim();
+    const v = readFileSync94(f, "utf-8").trim();
     if (v.length === 0) return null;
     assertValidAtlasUser(v);
     return v;
@@ -45433,7 +46207,7 @@ function pushOverlays(opts) {
       const basename16 = relPath.split("/").pop() ?? relPath;
       let content;
       try {
-        content = readFileSync93(srcFile);
+        content = readFileSync94(srcFile);
       } catch {
         continue;
       }
@@ -45481,12 +46255,12 @@ function pushOverlays(opts) {
       const targetFile = join105(targetDir, relPath);
       let srcBuf;
       try {
-        srcBuf = readFileSync93(srcFile);
+        srcBuf = readFileSync94(srcFile);
       } catch {
         continue;
       }
       if (existsSync111(targetFile)) {
-        const dstBuf = readFileSync93(targetFile);
+        const dstBuf = readFileSync94(targetFile);
         if (srcBuf.equals(dstBuf)) {
           wouldUnchange += 1;
           process.stdout.write(`  [skip] ${overlayKind}.overrides/${relPath} (unchanged)
@@ -45537,13 +46311,13 @@ function pushOverlays(opts) {
       const targetFile = join105(membersBase, `${overlayKind}.overrides`, relPath);
       let srcBuf;
       try {
-        srcBuf = readFileSync93(srcFile);
+        srcBuf = readFileSync94(srcFile);
       } catch {
         continue;
       }
       const targetExists = existsSync111(targetFile);
       if (targetExists) {
-        const dstBuf = readFileSync93(targetFile);
+        const dstBuf = readFileSync94(targetFile);
         if (srcBuf.equals(dstBuf)) {
           filesUnchanged += 1;
           continue;
@@ -45752,7 +46526,7 @@ function migrateOverlays(opts = {}) {
   for (const filePath of allFiles) {
     let original;
     try {
-      original = readFileSync93(filePath, "utf8");
+      original = readFileSync94(filePath, "utf8");
     } catch {
       continue;
     }