@poncho-ai/cli 0.2.0 → 0.3.0

package/dist/chunk-GOSKILLU.js

@@ -0,0 +1,1994 @@
+import {
+  LoginRateLimiter,
+  SessionStore,
+  consumeFirstRunIntro,
+  getRequestIp,
+  inferConversationTitle,
+  initializeOnboardingMarker,
+  parseCookies,
+  renderIconSvg,
+  renderManifest,
+  renderServiceWorker,
+  renderWebUiHtml,
+  setCookie,
+  verifyPassphrase
+} from "./chunk-3BEWSRFW.js";
+
+// src/index.ts
+import { spawn } from "child_process";
+import { access, cp, mkdir, readFile, writeFile } from "fs/promises";
+import { existsSync } from "fs";
+import {
+  createServer
+} from "http";
+import { dirname, relative, resolve } from "path";
+import { createRequire } from "module";
+import { fileURLToPath } from "url";
+import {
+  AgentHarness,
+  LocalMcpBridge,
+  TelemetryEmitter,
+  createConversationStore,
+  loadPonchoConfig,
+  resolveStateConfig
+} from "@poncho-ai/harness";
+import { Command } from "commander";
+import dotenv from "dotenv";
+import YAML from "yaml";
+import { createInterface } from "readline/promises";
+
+// src/init-onboarding.ts
+import { stdin, stdout } from "process";
+import { input, password, select } from "@inquirer/prompts";
+import {
+  fieldsForScope
+} from "@poncho-ai/sdk";
+var C = {
+  reset: "\x1B[0m",
+  bold: "\x1B[1m",
+  dim: "\x1B[2m",
+  cyan: "\x1B[36m"
+};
+var dim = (s) => `${C.dim}${s}${C.reset}`;
+var bold = (s) => `${C.bold}${s}${C.reset}`;
+var INPUT_CARET = "\xBB";
+var shouldAskField = (field, answers) => {
+  if (!field.dependsOn) {
+    return true;
+  }
+  const value = answers[field.dependsOn.fieldId];
+  if (typeof field.dependsOn.equals !== "undefined") {
+    return value === field.dependsOn.equals;
+  }
+  if (field.dependsOn.oneOf) {
+    return field.dependsOn.oneOf.includes(value);
+  }
+  return true;
+};
+var parsePromptValue = (field, answer) => {
+  if (field.kind === "boolean") {
+    const normalized = answer.trim().toLowerCase();
+    if (normalized === "y" || normalized === "yes" || normalized === "true") {
+      return true;
+    }
+    if (normalized === "n" || normalized === "no" || normalized === "false") {
+      return false;
+    }
+    return Boolean(field.defaultValue);
+  }
+  if (field.kind === "number") {
+    const parsed = Number.parseInt(answer.trim(), 10);
+    if (Number.isFinite(parsed)) {
+      return parsed;
+    }
+    return Number(field.defaultValue);
+  }
+  if (field.kind === "select") {
+    const trimmed2 = answer.trim();
+    if (field.options && field.options.some((option) => option.value === trimmed2)) {
+      return trimmed2;
+    }
+    const asNumber = Number.parseInt(trimmed2, 10);
+    if (Number.isFinite(asNumber) && field.options && asNumber >= 1 && asNumber <= field.options.length) {
+      return field.options[asNumber - 1]?.value ?? String(field.defaultValue);
+    }
+    return String(field.defaultValue);
+  }
+  const trimmed = answer.trim();
+  if (trimmed.length === 0) {
+    return String(field.defaultValue);
+  }
+  return trimmed;
+};
+var askSecret = async (field) => {
+  if (!stdin.isTTY) {
+    return void 0;
+  }
+  const hint = field.placeholder ? dim(` (${field.placeholder})`) : "";
+  const message = `${field.prompt}${hint}`;
+  const value = await password(
+    {
+      message,
+      // true invisible input while typing/pasting
+      mask: false,
+      theme: {
+        prefix: {
+          idle: dim(INPUT_CARET),
+          done: dim("\u2713")
+        },
+        style: {
+          help: () => ""
+        }
+      }
+    },
+    { input: stdin, output: stdout }
+  );
+  return value ?? "";
+};
+var askSelectWithArrowKeys = async (field) => {
+  if (!field.options || field.options.length === 0) {
+    return void 0;
+  }
+  if (!stdin.isTTY) {
+    return void 0;
+  }
+  const selected = await select(
+    {
+      message: field.prompt,
+      choices: field.options.map((option) => ({
+        name: option.label,
+        value: option.value
+      })),
+      default: String(field.defaultValue),
+      theme: {
+        prefix: {
+          idle: dim(INPUT_CARET),
+          done: dim("\u2713")
+        }
+      }
+    },
+    { input: stdin, output: stdout }
+  );
+  return selected;
+};
+var askBooleanWithArrowKeys = async (field) => {
+  if (!stdin.isTTY) {
+    return void 0;
+  }
+  const selected = await select(
+    {
+      message: field.prompt,
+      choices: [
+        { name: "Yes", value: "true" },
+        { name: "No", value: "false" }
+      ],
+      default: field.defaultValue ? "true" : "false",
+      theme: {
+        prefix: {
+          idle: dim(INPUT_CARET),
+          done: dim("\u2713")
+        }
+      }
+    },
+    { input: stdin, output: stdout }
+  );
+  return selected;
+};
+var askTextInput = async (field) => {
+  if (!stdin.isTTY) {
+    return void 0;
+  }
+  const answer = await input(
+    {
+      message: field.prompt,
+      default: String(field.defaultValue ?? ""),
+      theme: {
+        prefix: {
+          idle: dim(INPUT_CARET),
+          done: dim("\u2713")
+        }
+      }
+    },
+    { input: stdin, output: stdout }
+  );
+  return answer;
+};
+var buildDefaultAnswers = () => {
+  const answers = {};
+  for (const field of fieldsForScope("light")) {
+    answers[field.id] = field.defaultValue;
+  }
+  return answers;
+};
+var askOnboardingQuestions = async (options) => {
+  const answers = buildDefaultAnswers();
+  const interactive = options.yes === true ? false : options.interactive ?? (stdin.isTTY === true && stdout.isTTY === true);
+  if (!interactive) {
+    return answers;
+  }
+  stdout.write("\n");
+  stdout.write(`  ${bold("Poncho")} ${dim("\xB7 quick setup")}
+`);
+  stdout.write("\n");
+  const fields = fieldsForScope("light");
+  for (const field of fields) {
+    if (!shouldAskField(field, answers)) {
+      continue;
+    }
+    stdout.write("\n");
+    let value;
+    if (field.secret) {
+      value = await askSecret(field);
+    } else if (field.kind === "select") {
+      value = await askSelectWithArrowKeys(field);
+    } else if (field.kind === "boolean") {
+      value = await askBooleanWithArrowKeys(field);
+    } else {
+      value = await askTextInput(field);
+    }
+    if (!value || value.trim().length === 0) {
+      continue;
+    }
+    answers[field.id] = parsePromptValue(field, value);
+  }
+  return answers;
+};
+var getProviderModelName = (provider) => provider === "openai" ? "gpt-4.1" : "claude-opus-4-5";
+var maybeSet = (target, key, value) => {
+  if (typeof value === "string" && value.trim().length === 0) {
+    return;
+  }
+  if (typeof value === "undefined") {
+    return;
+  }
+  target[key] = value;
+};
+var buildConfigFromOnboardingAnswers = (answers) => {
+  const storageProvider = String(answers["storage.provider"] ?? "local");
+  const memoryEnabled = Boolean(answers["storage.memory.enabled"] ?? true);
+  const maxRecallConversations = Number(
+    answers["storage.memory.maxRecallConversations"] ?? 20
+  );
+  const storage = {
+    provider: storageProvider,
+    memory: {
+      enabled: memoryEnabled,
+      maxRecallConversations
+    }
+  };
+  maybeSet(storage, "url", answers["storage.url"]);
+  maybeSet(storage, "token", answers["storage.token"]);
+  maybeSet(storage, "table", answers["storage.table"]);
+  maybeSet(storage, "region", answers["storage.region"]);
+  const authRequired = Boolean(answers["auth.required"] ?? false);
+  const authType = answers["auth.type"] ?? "bearer";
+  const auth = {
+    required: authRequired,
+    type: authType
+  };
+  if (authType === "header") {
+    maybeSet(auth, "headerName", answers["auth.headerName"]);
+  }
+  const telemetryEnabled = Boolean(answers["telemetry.enabled"] ?? true);
+  const telemetry = {
+    enabled: telemetryEnabled
+  };
+  maybeSet(telemetry, "otlp", answers["telemetry.otlp"]);
+  return {
+    mcp: [],
+    auth,
+    storage,
+    telemetry
+  };
+};
+var collectEnvVars = (answers) => {
+  const envVars = /* @__PURE__ */ new Set();
+  const provider = String(answers["model.provider"] ?? "anthropic");
+  if (provider === "openai") {
+    envVars.add("OPENAI_API_KEY=sk-...");
+  } else {
+    envVars.add("ANTHROPIC_API_KEY=sk-ant-...");
+  }
+  const storageProvider = String(answers["storage.provider"] ?? "local");
+  if (storageProvider === "redis") {
+    envVars.add("REDIS_URL=redis://localhost:6379");
+  }
+  if (storageProvider === "upstash") {
+    envVars.add("UPSTASH_REDIS_REST_URL=https://...");
+    envVars.add("UPSTASH_REDIS_REST_TOKEN=...");
+  }
+  if (storageProvider === "dynamodb") {
+    envVars.add("PONCHO_DYNAMODB_TABLE=poncho-conversations");
+    envVars.add("AWS_REGION=us-east-1");
+  }
+  const authRequired = Boolean(answers["auth.required"] ?? false);
+  if (authRequired) {
+    envVars.add("PONCHO_AUTH_TOKEN=...");
+  }
+  return Array.from(envVars);
+};
+var collectEnvFileLines = (answers) => {
+  const lines = [
+    "# Poncho environment configuration",
+    "# Fill in empty values before running `poncho dev` or `poncho run --interactive`.",
+    "# Tip: keep secrets in `.env` only (never commit them).",
+    ""
+  ];
+  const modelProvider = String(answers["model.provider"] ?? "anthropic");
+  const modelEnvKey = modelProvider === "openai" ? "env.OPENAI_API_KEY" : "env.ANTHROPIC_API_KEY";
+  const modelEnvVar = modelProvider === "openai" ? "OPENAI_API_KEY" : "ANTHROPIC_API_KEY";
+  const modelEnvValue = String(answers[modelEnvKey] ?? "");
+  lines.push("# Model");
+  if (modelEnvValue.length === 0) {
+    lines.push(
+      modelProvider === "openai" ? "# OpenAI: create an API key at https://platform.openai.com/api-keys" : "# Anthropic: create an API key at https://console.anthropic.com/settings/keys"
+    );
+  }
+  lines.push(`${modelEnvVar}=${modelEnvValue}`);
+  lines.push("");
+  const authRequired = Boolean(answers["auth.required"] ?? false);
+  const authType = answers["auth.type"] ?? "bearer";
+  const authHeaderName = String(answers["auth.headerName"] ?? "x-poncho-key");
+  if (authRequired) {
+    lines.push("# Auth (API request authentication)");
+    if (authType === "bearer") {
+      lines.push("# Requests should include: Authorization: Bearer <token>");
+    } else if (authType === "header") {
+      lines.push(`# Requests should include: ${authHeaderName}: <token>`);
+    } else {
+      lines.push("# Custom auth mode: read this token in your auth.validate function.");
+    }
+    lines.push("PONCHO_AUTH_TOKEN=");
+    lines.push("");
+  }
+  const storageProvider = String(answers["storage.provider"] ?? "local");
+  if (storageProvider === "redis") {
+    lines.push("# Storage (Redis)");
+    lines.push("# Run local Redis: docker run -p 6379:6379 redis:7");
+    lines.push("# Or use a managed Redis URL from your cloud provider.");
+    lines.push("REDIS_URL=");
+    lines.push("");
+  } else if (storageProvider === "upstash") {
+    lines.push("# Storage (Upstash)");
+    lines.push("# Create a Redis database at https://console.upstash.com/");
+    lines.push("# Copy REST URL + REST TOKEN from the Upstash dashboard.");
+    lines.push("UPSTASH_REDIS_REST_URL=");
+    lines.push("UPSTASH_REDIS_REST_TOKEN=");
+    lines.push("");
+  } else if (storageProvider === "dynamodb") {
+    lines.push("# Storage (DynamoDB)");
+    lines.push("# Create a DynamoDB table for Poncho conversation/state storage.");
+    lines.push("# Ensure AWS credentials are configured (AWS_PROFILE or access keys).");
+    lines.push("PONCHO_DYNAMODB_TABLE=");
+    lines.push("AWS_REGION=");
+    lines.push("");
+  } else if (storageProvider === "local" || storageProvider === "memory") {
+    lines.push(
+      storageProvider === "local" ? "# Storage (Local file): no extra env vars required." : "# Storage (In-memory): no extra env vars required, data resets on restart."
+    );
+    lines.push("");
+  }
+  const telemetryEnabled = Boolean(answers["telemetry.enabled"] ?? true);
+  if (telemetryEnabled) {
+    lines.push("# Telemetry (optional)");
+    lines.push("# Latitude telemetry setup: https://docs.latitude.so/");
+    lines.push("# If not using Latitude yet, you can leave these empty.");
+    lines.push("LATITUDE_API_KEY=");
+    lines.push("LATITUDE_PROJECT_ID=");
+    lines.push("LATITUDE_PATH=");
+    lines.push("");
+  }
+  while (lines.length > 0 && lines[lines.length - 1] === "") {
+    lines.pop();
+  }
+  return lines;
+};
+var runInitOnboarding = async (options) => {
+  const answers = await askOnboardingQuestions(options);
+  const provider = String(answers["model.provider"] ?? "anthropic");
+  const config = buildConfigFromOnboardingAnswers(answers);
+  const envExampleLines = collectEnvVars(answers);
+  const envFileLines = collectEnvFileLines(answers);
+  const envNeedsUserInput = envFileLines.some(
+    (line) => line.includes("=") && !line.startsWith("#") && line.endsWith("=")
+  );
+  return {
+    answers,
+    config,
+    envExample: `${envExampleLines.join("\n")}
+`,
+    envFile: envFileLines.length > 0 ? `${envFileLines.join("\n")}
+` : "",
+    envNeedsUserInput,
+    agentModel: {
+      provider: provider === "openai" ? "openai" : "anthropic",
+      name: getProviderModelName(provider)
+    }
+  };
+};
+
+// src/index.ts
+var __dirname = dirname(fileURLToPath(import.meta.url));
+var require2 = createRequire(import.meta.url);
+var writeJson = (response, statusCode, payload) => {
+  response.writeHead(statusCode, { "Content-Type": "application/json" });
+  response.end(JSON.stringify(payload));
+};
+var writeHtml = (response, statusCode, payload) => {
+  response.writeHead(statusCode, { "Content-Type": "text/html; charset=utf-8" });
+  response.end(payload);
+};
+var readRequestBody = async (request) => {
+  const chunks = [];
+  for await (const chunk of request) {
+    chunks.push(Buffer.from(chunk));
+  }
+  const body = Buffer.concat(chunks).toString("utf8");
+  return body.length > 0 ? JSON.parse(body) : {};
+};
+var resolveHarnessEnvironment = () => {
+  const value = (process.env.PONCHO_ENV ?? process.env.NODE_ENV ?? "development").toLowerCase();
+  if (value === "production" || value === "staging") {
+    return value;
+  }
+  return "development";
+};
+var listenOnAvailablePort = async (server, preferredPort) => await new Promise((resolveListen, rejectListen) => {
+  let currentPort = preferredPort;
+  const tryListen = () => {
+    const onListening = () => {
+      server.off("error", onError);
+      const address = server.address();
+      if (address && typeof address === "object" && typeof address.port === "number") {
+        resolveListen(address.port);
+        return;
+      }
+      resolveListen(currentPort);
+    };
+    const onError = (error) => {
+      server.off("listening", onListening);
+      if (typeof error === "object" && error !== null && "code" in error && error.code === "EADDRINUSE") {
+        currentPort += 1;
+        if (currentPort > 65535) {
+          rejectListen(
+            new Error(
+              "No available ports found from the requested port up to 65535."
+            )
+          );
+          return;
+        }
+        setImmediate(tryListen);
+        return;
+      }
+      rejectListen(error);
+    };
+    server.once("listening", onListening);
+    server.once("error", onError);
+    server.listen(currentPort);
+  };
+  tryListen();
+});
+var parseParams = (values) => {
+  const params = {};
+  for (const value of values) {
+    const [key, ...rest] = value.split("=");
+    if (!key) {
+      continue;
+    }
+    params[key] = rest.join("=");
+  }
+  return params;
+};
+var AGENT_TEMPLATE = (name, options) => `---
+name: ${name}
+description: A helpful Poncho assistant
+model:
+  provider: ${options.modelProvider}
+  name: ${options.modelName}
+  temperature: 0.2
+limits:
+  maxSteps: 50
+  timeout: 300
+---
+
+# {{name}}
+
+You are **{{name}}**, a helpful assistant built with Poncho.
+
+Working directory: {{runtime.workingDir}}
+Environment: {{runtime.environment}}
+
+## Task Guidance
+
+- Use tools when needed
+- Explain your reasoning clearly
+- Ask clarifying questions when requirements are ambiguous
+- For setup/configuration/skills/MCP questions, proactively read \`README.md\` with \`read_file\` before answering.
+- Prefer concrete commands and examples from \`README.md\` over assumptions.
+- Never claim a file/tool change unless the corresponding tool call actually succeeded
+
+## Default Capabilities in a Fresh Project
+
+- Built-in tools: \`list_directory\` and \`read_file\`
+- \`write_file\` is available in development, and disabled by default in production
+- A starter local skill is included (\`starter-echo\`)
+- Bash/shell commands are **not** available unless you install and enable a shell tool/skill
+- Git operations are only available if a git-capable tool/skill is configured
+`;
+var resolveLocalPackagesRoot = () => {
+  const candidate = resolve(__dirname, "..", "..", "harness", "package.json");
+  if (existsSync(candidate)) {
+    return resolve(__dirname, "..", "..");
+  }
+  return null;
+};
+var resolveCoreDeps = (projectDir) => {
+  const packagesRoot = resolveLocalPackagesRoot();
+  if (packagesRoot) {
+    const harnessAbs = resolve(packagesRoot, "harness");
+    const sdkAbs = resolve(packagesRoot, "sdk");
+    return {
+      harness: `link:${relative(projectDir, harnessAbs)}`,
+      sdk: `link:${relative(projectDir, sdkAbs)}`
+    };
+  }
+  return { harness: "^0.1.0", sdk: "^0.1.0" };
+};
+var PACKAGE_TEMPLATE = (name, projectDir) => {
+  const deps = resolveCoreDeps(projectDir);
+  return JSON.stringify(
+    {
+      name,
+      private: true,
+      type: "module",
+      dependencies: {
+        "@poncho-ai/harness": deps.harness,
+        "@poncho-ai/sdk": deps.sdk
+      }
+    },
+    null,
+    2
+  );
+};
+var README_TEMPLATE = (name) => `# ${name}
+
+An AI agent built with [Poncho](https://github.com/cesr/poncho-ai).
+
+## Prerequisites
+
+- Node.js 20+
+- npm (or pnpm/yarn)
+- Anthropic or OpenAI API key
+
+## Quick Start
+
+\`\`\`bash
+npm install
+# If you didn't enter an API key during init:
+cp .env.example .env
+# Then edit .env and add your API key
+poncho dev
+\`\`\`
+
+Open \`http://localhost:3000\` for the web UI.
+
+On your first interactive session, the agent introduces its configurable capabilities.
+
+## Common Commands
+
+\`\`\`bash
+# Local web UI + API server
+poncho dev
+
+# Local interactive CLI
+poncho run --interactive
+
+# One-off run
+poncho run "Your task here"
+
+# Run tests
+poncho test
+
+# List available tools
+poncho tools
+\`\`\`
+
+## Add Skills
+
+Install skills from a local path or remote repository, then verify discovery:
+
+\`\`\`bash
+# Install skills into ./skills
+poncho add <repo-or-path>
+
+# Verify loaded tools
+poncho tools
+\`\`\`
+
+After adding skills, run \`poncho dev\` or \`poncho run --interactive\` and ask the agent to use them.
+
+## Configure MCP Servers (Remote)
+
+Connect remote MCP servers and expose their tools to the agent:
+
+\`\`\`bash
+# Add remote MCP server
+poncho mcp add --url https://mcp.example.com/github --name github --env GITHUB_TOKEN
+
+# List configured servers
+poncho mcp list
+
+# Remove a server
+poncho mcp remove github
+\`\`\`
+
+Set required secrets in \`.env\` (for example, \`GITHUB_TOKEN=...\`).
+
+## Configuration
+
+Core files:
+
+- \`AGENT.md\`: behavior, model selection, runtime guidance
+- \`poncho.config.js\`: runtime config (storage, auth, telemetry, MCP, tools)
+- \`.env\`: secrets and environment variables
+
+Example \`poncho.config.js\`:
+
+\`\`\`javascript
+export default {
+  storage: {
+    provider: "local", // local | memory | redis | upstash | dynamodb
+    memory: {
+      enabled: true,
+      maxRecallConversations: 20,
+    },
+  },
+  auth: {
+    required: false,
+  },
+  telemetry: {
+    enabled: true,
+  },
+  tools: {
+    defaults: {
+      list_directory: true,
+      read_file: true,
+      write_file: true, // still gated by environment/policy
+    },
+    byEnvironment: {
+      production: {
+        read_file: false, // example override
+      },
+    },
+  },
+};
+\`\`\`
+
+## Project Structure
+
+\`\`\`
+${name}/
+\u251C\u2500\u2500 AGENT.md           # Agent definition and system prompt
+\u251C\u2500\u2500 poncho.config.js   # Configuration (MCP servers, auth, etc.)
+\u251C\u2500\u2500 package.json       # Dependencies
+\u251C\u2500\u2500 .env.example       # Environment variables template
+\u251C\u2500\u2500 tests/
+\u2502   \u2514\u2500\u2500 basic.yaml     # Test suite
+\u2514\u2500\u2500 skills/
+    \u2514\u2500\u2500 starter/
+        \u251C\u2500\u2500 SKILL.md
+        \u2514\u2500\u2500 scripts/
+            \u2514\u2500\u2500 starter-echo.ts
+\`\`\`
+
+## Deployment
+
+\`\`\`bash
+# Build for Vercel
+poncho build vercel
+cd .poncho-build/vercel && vercel deploy --prod
+
+# Build for Docker
+poncho build docker
+docker build -t ${name} .
+\`\`\`
+
+For full reference:
+https://github.com/cesr/poncho-ai
+`;
+var ENV_TEMPLATE = "ANTHROPIC_API_KEY=sk-ant-...\n";
+var GITIGNORE_TEMPLATE = ".env\nnode_modules\ndist\n.poncho-build\n.poncho/\ninteractive-session.json\n";
+var VERCEL_RUNTIME_DEPENDENCIES = {
+  "@anthropic-ai/sdk": "^0.74.0",
+  "@aws-sdk/client-dynamodb": "^3.988.0",
+  "@latitude-data/telemetry": "^2.0.2",
+  commander: "^12.0.0",
+  dotenv: "^16.4.0",
+  jiti: "^2.6.1",
+  mustache: "^4.2.0",
+  openai: "^6.3.0",
+  redis: "^5.10.0",
+  yaml: "^2.8.1"
+};
+var TEST_TEMPLATE = `tests:
+  - name: "Basic sanity"
+    task: "What is 2 + 2?"
+    expect:
+      contains: "4"
+`;
+var SKILL_TEMPLATE = `---
+name: starter-skill
+description: Starter local skill template
+---
+
+# Starter Skill
+
+This is a starter local skill created by \`poncho init\`.
+
+## Authoring Notes
+
+- Put executable JavaScript/TypeScript files in \`scripts/\`.
+- Ask the agent to call \`run_skill_script\` with \`skill\`, \`script\`, and optional \`input\`.
+`;
+var SKILL_TOOL_TEMPLATE = `export default async function run(input) {
+  const message = typeof input?.message === "string" ? input.message : "";
+  return { echoed: message };
+}
+`;
+var ensureFile = async (path, content) => {
+  await mkdir(dirname(path), { recursive: true });
+  await writeFile(path, content, { encoding: "utf8", flag: "wx" });
+};
+var copyIfExists = async (sourcePath, destinationPath) => {
+  try {
+    await access(sourcePath);
+  } catch {
+    return;
+  }
+  await mkdir(dirname(destinationPath), { recursive: true });
+  await cp(sourcePath, destinationPath, { recursive: true });
+};
+var resolveCliEntrypoint = async () => {
+  const sourceEntrypoint = resolve(packageRoot, "src", "index.ts");
+  try {
+    await access(sourceEntrypoint);
+    return sourceEntrypoint;
+  } catch {
+    return resolve(packageRoot, "dist", "index.js");
+  }
+};
+var buildVercelHandlerBundle = async (outDir) => {
+  const { build: esbuild } = await import("esbuild");
+  const cliEntrypoint = await resolveCliEntrypoint();
+  const tempEntry = resolve(outDir, "api", "_entry.js");
+  await writeFile(
+    tempEntry,
+    `import { createRequestHandler } from ${JSON.stringify(cliEntrypoint)};
+let handlerPromise;
+export default async function handler(req, res) {
+  try {
+    if (!handlerPromise) {
+      handlerPromise = createRequestHandler({ workingDir: process.cwd() });
+    }
+    const requestHandler = await handlerPromise;
+    await requestHandler(req, res);
+  } catch (error) {
+    console.error("Handler error:", error);
+    if (!res.headersSent) {
+      res.writeHead(500, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: "Internal server error", message: error?.message || "Unknown error" }));
+    }
+  }
+}
+`,
+    "utf8"
+  );
+  await esbuild({
+    entryPoints: [tempEntry],
+    bundle: true,
+    platform: "node",
+    format: "esm",
+    target: "node20",
+    outfile: resolve(outDir, "api", "index.js"),
+    sourcemap: false,
+    legalComments: "none",
+    external: [
+      ...Object.keys(VERCEL_RUNTIME_DEPENDENCIES),
+      "@anthropic-ai/sdk/*",
+      "child_process",
+      "fs",
+      "fs/promises",
+      "http",
+      "https",
+      "path",
+      "module",
+      "url",
+      "readline",
+      "readline/promises",
+      "crypto",
+      "stream",
+      "events",
+      "util",
+      "os",
+      "zlib",
+      "net",
+      "tls",
+      "dns",
+      "assert",
+      "buffer",
+      "timers",
+      "timers/promises",
+      "node:child_process",
+      "node:fs",
+      "node:fs/promises",
+      "node:http",
+      "node:https",
+      "node:path",
+      "node:module",
+      "node:url",
+      "node:readline",
+      "node:readline/promises",
+      "node:crypto",
+      "node:stream",
+      "node:events",
+      "node:util",
+      "node:os",
+      "node:zlib",
+      "node:net",
+      "node:tls",
+      "node:dns",
+      "node:assert",
+      "node:buffer",
+      "node:timers",
+      "node:timers/promises"
+    ]
+  });
+};
+var renderConfigFile = (config) => `export default ${JSON.stringify(config, null, 2)}
+`;
+var writeConfigFile = async (workingDir, config) => {
+  const serialized = renderConfigFile(config);
+  await writeFile(resolve(workingDir, "poncho.config.js"), serialized, "utf8");
+};
+var gitInit = (cwd) => new Promise((resolve2) => {
+  const child = spawn("git", ["init"], { cwd, stdio: "ignore" });
+  child.on("error", () => resolve2(false));
+  child.on("close", (code) => resolve2(code === 0));
+});
+var initProject = async (projectName, options) => {
+  const baseDir = options?.workingDir ?? process.cwd();
+  const projectDir = resolve(baseDir, projectName);
+  await mkdir(projectDir, { recursive: true });
+  const onboardingOptions = options?.onboarding ?? {
+    yes: true,
+    interactive: false
+  };
+  const onboarding = await runInitOnboarding(onboardingOptions);
+  const G = "\x1B[32m";
+  const D = "\x1B[2m";
+  const B = "\x1B[1m";
+  const CY = "\x1B[36m";
+  const YW = "\x1B[33m";
+  const R = "\x1B[0m";
+  process.stdout.write("\n");
+  const scaffoldFiles = [
+    { path: "AGENT.md", content: AGENT_TEMPLATE(projectName, { modelProvider: onboarding.agentModel.provider, modelName: onboarding.agentModel.name }) },
+    { path: "poncho.config.js", content: renderConfigFile(onboarding.config) },
+    { path: "package.json", content: PACKAGE_TEMPLATE(projectName, projectDir) },
+    { path: "README.md", content: README_TEMPLATE(projectName) },
+    { path: ".env.example", content: options?.envExampleOverride ?? onboarding.envExample ?? ENV_TEMPLATE },
+    { path: ".gitignore", content: GITIGNORE_TEMPLATE },
+    { path: "tests/basic.yaml", content: TEST_TEMPLATE },
+    { path: "skills/starter/SKILL.md", content: SKILL_TEMPLATE },
+    { path: "skills/starter/scripts/starter-echo.ts", content: SKILL_TOOL_TEMPLATE }
+  ];
+  if (onboarding.envFile) {
+    scaffoldFiles.push({ path: ".env", content: onboarding.envFile });
+  }
+  for (const file of scaffoldFiles) {
+    await ensureFile(resolve(projectDir, file.path), file.content);
+    process.stdout.write(`  ${D}+${R} ${D}${file.path}${R}
+`);
+  }
+  await initializeOnboardingMarker(projectDir, {
+    allowIntro: !(onboardingOptions.yes ?? false)
+  });
+  process.stdout.write("\n");
+  try {
+    await runPnpmInstall(projectDir);
+    process.stdout.write(`  ${G}\u2713${R} ${D}Installed dependencies${R}
+`);
+  } catch {
+    process.stdout.write(
+      `  ${YW}!${R} Could not install dependencies \u2014 run ${D}pnpm install${R} manually
+`
+    );
+  }
+  const gitOk = await gitInit(projectDir);
+  if (gitOk) {
+    process.stdout.write(`  ${G}\u2713${R} ${D}Initialized git${R}
+`);
+  }
+  process.stdout.write(`  ${G}\u2713${R} ${B}${projectName}${R} is ready
+`);
+  process.stdout.write("\n");
+  process.stdout.write(`  ${B}Get started${R}
+`);
+  process.stdout.write("\n");
+  process.stdout.write(`    ${D}$${R} cd ${projectName}
+`);
+  process.stdout.write("\n");
+  process.stdout.write(`    ${CY}Web UI${R}          ${D}$${R} poncho dev
+`);
+  process.stdout.write(`    ${CY}CLI interactive${R}  ${D}$${R} poncho run --interactive
+`);
+  process.stdout.write("\n");
+  if (onboarding.envNeedsUserInput) {
+    process.stdout.write(
+      `  ${YW}!${R} Make sure you add your keys to the ${B}.env${R} file.
+`
+    );
+  }
+  process.stdout.write(`  ${D}The agent will introduce itself on your first session.${R}
+`);
+  process.stdout.write("\n");
+};
+var updateAgentGuidance = async (workingDir) => {
+  const agentPath = resolve(workingDir, "AGENT.md");
+  const content = await readFile(agentPath, "utf8");
+  const guidanceSectionPattern = /\n## Configuration Assistant Context[\s\S]*?(?=\n## |\n# |$)|\n## Skill Authoring Guidance[\s\S]*?(?=\n## |\n# |$)/g;
+  const normalized = content.replace(/\s+$/g, "");
+  const updated = normalized.replace(guidanceSectionPattern, "").replace(/\n{3,}/g, "\n\n");
+  if (updated === normalized) {
+    process.stdout.write("AGENT.md does not contain deprecated embedded local guidance.\n");
+    return false;
+  }
+  await writeFile(agentPath, `${updated}
+`, "utf8");
+  process.stdout.write("Removed deprecated embedded local guidance from AGENT.md.\n");
+  return true;
+};
+var formatSseEvent = (event) => `event: ${event.type}
+data: ${JSON.stringify(event)}
+
+`;
+var createRequestHandler = async (options) => {
+  const workingDir = options?.workingDir ?? process.cwd();
+  dotenv.config({ path: resolve(workingDir, ".env") });
+  const config = await loadPonchoConfig(workingDir);
+  let agentName = "Agent";
+  let agentModelProvider = "anthropic";
+  let agentModelName = "claude-opus-4-5";
+  try {
+    const agentMd = await readFile(resolve(workingDir, "AGENT.md"), "utf8");
+    const nameMatch = agentMd.match(/^name:\s*(.+)$/m);
+    const providerMatch = agentMd.match(/^\s{2}provider:\s*(.+)$/m);
+    const modelMatch = agentMd.match(/^\s{2}name:\s*(.+)$/m);
+    if (nameMatch?.[1]) {
+      agentName = nameMatch[1].trim().replace(/^["']|["']$/g, "");
+    }
+    if (providerMatch?.[1]) {
+      agentModelProvider = providerMatch[1].trim().replace(/^["']|["']$/g, "");
+    }
+    if (modelMatch?.[1]) {
+      agentModelName = modelMatch[1].trim().replace(/^["']|["']$/g, "");
+    }
+  } catch {
+  }
+  const harness = new AgentHarness({ workingDir });
+  await harness.initialize();
+  const telemetry = new TelemetryEmitter(config?.telemetry);
+  const conversationStore = createConversationStore(resolveStateConfig(config), { workingDir });
+  const sessionStore = new SessionStore();
+  const loginRateLimiter = new LoginRateLimiter();
+  const passphrase = process.env.AGENT_UI_PASSPHRASE ?? "";
+  const isProduction = resolveHarnessEnvironment() === "production";
+  const requireUiAuth = passphrase.length > 0;
+  const secureCookies = isProduction;
+  return async (request, response) => {
+    if (!request.url || !request.method) {
+      writeJson(response, 404, { error: "Not found" });
+      return;
+    }
+    const [pathname] = request.url.split("?");
+    if (request.method === "GET" && (pathname === "/" || pathname.startsWith("/c/"))) {
+      writeHtml(response, 200, renderWebUiHtml({ agentName }));
+      return;
+    }
+    if (pathname === "/manifest.json" && request.method === "GET") {
+      response.writeHead(200, { "Content-Type": "application/manifest+json" });
+      response.end(renderManifest({ agentName }));
+      return;
+    }
+    if (pathname === "/sw.js" && request.method === "GET") {
+      response.writeHead(200, {
+        "Content-Type": "application/javascript",
+        "Service-Worker-Allowed": "/"
+      });
+      response.end(renderServiceWorker());
+      return;
+    }
+    if (pathname === "/icon.svg" && request.method === "GET") {
+      response.writeHead(200, { "Content-Type": "image/svg+xml" });
+      response.end(renderIconSvg({ agentName }));
+      return;
+    }
+    if ((pathname === "/icon-192.png" || pathname === "/icon-512.png") && request.method === "GET") {
+      response.writeHead(302, { Location: "/icon.svg" });
+      response.end();
+      return;
+    }
+    if (pathname === "/health" && request.method === "GET") {
+      writeJson(response, 200, { status: "ok" });
+      return;
+    }
+    const cookies = parseCookies(request);
+    const sessionId = cookies.poncho_session;
+    const session = sessionId ? sessionStore.get(sessionId) : void 0;
+    const ownerId = session?.ownerId ?? "local-owner";
+    const requiresCsrfValidation = request.method !== "GET" && request.method !== "HEAD" && request.method !== "OPTIONS";
+    if (pathname === "/api/auth/session" && request.method === "GET") {
+      if (!requireUiAuth) {
+        writeJson(response, 200, { authenticated: true, csrfToken: "" });
+        return;
+      }
+      if (!session) {
+        writeJson(response, 200, { authenticated: false });
+        return;
+      }
+      writeJson(response, 200, {
+        authenticated: true,
+        sessionId: session.sessionId,
+        ownerId: session.ownerId,
+        csrfToken: session.csrfToken
+      });
+      return;
+    }
+    if (pathname === "/api/auth/login" && request.method === "POST") {
+      if (!requireUiAuth) {
+        writeJson(response, 200, { authenticated: true, csrfToken: "" });
+        return;
+      }
+      const ip = getRequestIp(request);
+      const canAttempt = loginRateLimiter.canAttempt(ip);
+      if (!canAttempt.allowed) {
+        writeJson(response, 429, {
+          code: "AUTH_RATE_LIMIT",
+          message: "Too many failed login attempts. Try again later.",
+          retryAfterSeconds: canAttempt.retryAfterSeconds
+        });
+        return;
+      }
+      const body = await readRequestBody(request);
+      const provided = body.passphrase ?? "";
+      if (!verifyPassphrase(provided, passphrase)) {
+        const failure = loginRateLimiter.registerFailure(ip);
+        writeJson(response, 401, {
+          code: "AUTH_ERROR",
+          message: "Invalid passphrase",
+          retryAfterSeconds: failure.retryAfterSeconds
+        });
+        return;
+      }
+      loginRateLimiter.registerSuccess(ip);
+      const createdSession = sessionStore.create(ownerId);
+      setCookie(response, "poncho_session", createdSession.sessionId, {
+        httpOnly: true,
+        secure: secureCookies,
+        sameSite: "Lax",
+        path: "/",
+        maxAge: 60 * 60 * 8
+      });
+      writeJson(response, 200, {
+        authenticated: true,
+        csrfToken: createdSession.csrfToken
+      });
+      return;
+    }
+    if (pathname === "/api/auth/logout" && request.method === "POST") {
+      if (session?.sessionId) {
+        sessionStore.delete(session.sessionId);
+      }
+      setCookie(response, "poncho_session", "", {
+        httpOnly: true,
+        secure: secureCookies,
+        sameSite: "Lax",
+        path: "/",
+        maxAge: 0
+      });
+      writeJson(response, 200, { ok: true });
+      return;
+    }
+    if (pathname.startsWith("/api/")) {
+      if (requireUiAuth && !session) {
+        writeJson(response, 401, {
+          code: "AUTH_ERROR",
+          message: "Authentication required"
+        });
+        return;
+      }
+      if (requireUiAuth && requiresCsrfValidation && pathname !== "/api/auth/login" && request.headers["x-csrf-token"] !== session?.csrfToken) {
+        writeJson(response, 403, {
+          code: "CSRF_ERROR",
+          message: "Invalid CSRF token"
+        });
+        return;
+      }
+    }
+    if (pathname === "/api/conversations" && request.method === "GET") {
+      const conversations = await conversationStore.list(ownerId);
+      writeJson(response, 200, {
+        conversations: conversations.map((conversation) => ({
+          conversationId: conversation.conversationId,
+          title: conversation.title,
+          runtimeRunId: conversation.runtimeRunId,
+          ownerId: conversation.ownerId,
+          tenantId: conversation.tenantId,
+          createdAt: conversation.createdAt,
+          updatedAt: conversation.updatedAt,
+          messageCount: conversation.messages.length
+        }))
+      });
+      return;
+    }
+    if (pathname === "/api/conversations" && request.method === "POST") {
+      const body = await readRequestBody(request);
+      const conversation = await conversationStore.create(ownerId, body.title);
+      const introMessage = await consumeFirstRunIntro(workingDir, {
+        agentName,
+        provider: agentModelProvider,
+        model: agentModelName,
+        config
+      });
+      if (introMessage) {
+        conversation.messages = [{ role: "assistant", content: introMessage }];
+        await conversationStore.update(conversation);
+      }
+      writeJson(response, 201, { conversation });
+      return;
+    }
+    const conversationPathMatch = pathname.match(/^\/api\/conversations\/([^/]+)$/);
+    if (conversationPathMatch) {
+      const conversationId = decodeURIComponent(conversationPathMatch[1] ?? "");
+      const conversation = await conversationStore.get(conversationId);
+      if (!conversation || conversation.ownerId !== ownerId) {
+        writeJson(response, 404, {
+          code: "CONVERSATION_NOT_FOUND",
+          message: "Conversation not found"
+        });
+        return;
+      }
+      if (request.method === "GET") {
+        writeJson(response, 200, { conversation });
+        return;
+      }
+      if (request.method === "PATCH") {
+        const body = await readRequestBody(request);
+        if (!body.title || body.title.trim().length === 0) {
+          writeJson(response, 400, {
+            code: "VALIDATION_ERROR",
+            message: "title is required"
+          });
+          return;
+        }
+        const updated = await conversationStore.rename(conversationId, body.title);
+        writeJson(response, 200, { conversation: updated });
+        return;
+      }
+      if (request.method === "DELETE") {
+        await conversationStore.delete(conversationId);
+        writeJson(response, 200, { ok: true });
+        return;
+      }
+    }
+    const conversationMessageMatch = pathname.match(/^\/api\/conversations\/([^/]+)\/messages$/);
+    if (conversationMessageMatch && request.method === "POST") {
+      const conversationId = decodeURIComponent(conversationMessageMatch[1] ?? "");
+      const conversation = await conversationStore.get(conversationId);
+      if (!conversation || conversation.ownerId !== ownerId) {
+        writeJson(response, 404, {
+          code: "CONVERSATION_NOT_FOUND",
+          message: "Conversation not found"
+        });
+        return;
+      }
+      const body = await readRequestBody(request);
+      const messageText = body.message?.trim() ?? "";
+      if (!messageText) {
+        writeJson(response, 400, {
+          code: "VALIDATION_ERROR",
+          message: "message is required"
+        });
+        return;
+      }
+      if (conversation.messages.length === 0 && (conversation.title === "New conversation" || conversation.title.trim().length === 0)) {
+        conversation.title = inferConversationTitle(messageText);
+      }
+      response.writeHead(200, {
+        "Content-Type": "text/event-stream",
+        "Cache-Control": "no-cache",
+        Connection: "keep-alive"
+      });
+      let latestRunId = conversation.runtimeRunId ?? "";
+      let assistantResponse = "";
+      const toolTimeline = [];
+      try {
+        const recallCorpus = (await conversationStore.list(ownerId)).filter((item) => item.conversationId !== conversationId).slice(0, 20).map((item) => ({
+          conversationId: item.conversationId,
+          title: item.title,
+          updatedAt: item.updatedAt,
+          content: item.messages.slice(-6).map((message) => `${message.role}: ${message.content}`).join("\n").slice(0, 2e3)
+        })).filter((item) => item.content.length > 0);
+        for await (const event of harness.run({
+          task: messageText,
+          parameters: {
+            ...body.parameters ?? {},
+            __conversationRecallCorpus: recallCorpus,
+            __activeConversationId: conversationId
+          },
+          messages: conversation.messages
+        })) {
+          if (event.type === "run:started") {
+            latestRunId = event.runId;
+          }
+          if (event.type === "model:chunk") {
+            assistantResponse += event.content;
+          }
+          if (event.type === "tool:started") {
+            toolTimeline.push(`- start \`${event.tool}\``);
+          }
+          if (event.type === "tool:completed") {
+            toolTimeline.push(`- done \`${event.tool}\` (${event.duration}ms)`);
+          }
+          if (event.type === "tool:error") {
+            toolTimeline.push(`- error \`${event.tool}\`: ${event.error}`);
+          }
+          if (event.type === "tool:approval:required") {
+            toolTimeline.push(`- approval required \`${event.tool}\``);
+          }
+          if (event.type === "tool:approval:granted") {
+            toolTimeline.push(`- approval granted (${event.approvalId})`);
+          }
+          if (event.type === "tool:approval:denied") {
+            toolTimeline.push(`- approval denied (${event.approvalId})`);
+          }
+          if (event.type === "run:completed" && assistantResponse.length === 0 && event.result.response) {
+            assistantResponse = event.result.response;
+          }
+          await telemetry.emit(event);
+          response.write(formatSseEvent(event));
+        }
+        conversation.messages = [
+          ...conversation.messages,
+          { role: "user", content: messageText },
+          {
+            role: "assistant",
+            content: assistantResponse,
+            metadata: toolTimeline.length > 0 ? { toolActivity: toolTimeline } : void 0
+          }
+        ];
+        conversation.runtimeRunId = latestRunId || conversation.runtimeRunId;
+        conversation.updatedAt = Date.now();
+        await conversationStore.update(conversation);
+      } catch (error) {
+        response.write(
+          formatSseEvent({
+            type: "run:error",
+            runId: latestRunId || "run_unknown",
+            error: {
+              code: "RUN_ERROR",
+              message: error instanceof Error ? error.message : "Unknown error"
+            }
+          })
+        );
+      } finally {
+        response.end();
+      }
+      return;
+    }
+    writeJson(response, 404, { error: "Not found" });
+  };
+};
+var startDevServer = async (port, options) => {
+  const handler = await createRequestHandler(options);
+  const server = createServer(handler);
+  const actualPort = await listenOnAvailablePort(server, port);
+  if (actualPort !== port) {
+    process.stdout.write(`Port ${port} is in use, switched to ${actualPort}.
+`);
+  }
+  process.stdout.write(`Poncho dev server running at http://localhost:${actualPort}
+`);
+  const shutdown = () => {
+    server.close();
+    server.closeAllConnections?.();
+    process.exit(0);
+  };
+  process.on("SIGINT", shutdown);
+  process.on("SIGTERM", shutdown);
+  return server;
+};
+var runOnce = async (task, options) => {
+  const workingDir = options.workingDir ?? process.cwd();
+  dotenv.config({ path: resolve(workingDir, ".env") });
+  const config = await loadPonchoConfig(workingDir);
+  const harness = new AgentHarness({ workingDir });
+  const telemetry = new TelemetryEmitter(config?.telemetry);
+  await harness.initialize();
+  const fileBlobs = await Promise.all(
+    options.filePaths.map(async (path) => {
+      const content = await readFile(resolve(workingDir, path), "utf8");
+      return `# File: ${path}
+${content}`;
+    })
+  );
+  const input2 = {
+    task: fileBlobs.length > 0 ? `${task}
+
+${fileBlobs.join("\n\n")}` : task,
+    parameters: options.params
+  };
+  if (options.json) {
+    const output = await harness.runToCompletion(input2);
+    for (const event of output.events) {
+      await telemetry.emit(event);
+    }
+    process.stdout.write(`${JSON.stringify(output, null, 2)}
+`);
+    return;
+  }
+  for await (const event of harness.run(input2)) {
+    await telemetry.emit(event);
+    if (event.type === "model:chunk") {
+      process.stdout.write(event.content);
+    }
+    if (event.type === "run:error") {
+      process.stderr.write(`
+Error: ${event.error.message}
+`);
+    }
+    if (event.type === "run:completed") {
+      process.stdout.write("\n");
+    }
+  }
+};
+var runInteractive = async (workingDir, params) => {
+  dotenv.config({ path: resolve(workingDir, ".env") });
+  const config = await loadPonchoConfig(workingDir);
+  let pendingApproval = null;
+  let onApprovalRequest = null;
+  const approvalHandler = async (request) => {
+    return new Promise((resolveApproval) => {
+      const req = {
+        tool: request.tool,
+        input: request.input,
+        approvalId: request.approvalId,
+        resolve: resolveApproval
+      };
+      pendingApproval = req;
+      if (onApprovalRequest) {
+        onApprovalRequest(req);
+      }
+    });
+  };
+  const harness = new AgentHarness({
+    workingDir,
+    environment: resolveHarnessEnvironment(),
+    approvalHandler
+  });
+  await harness.initialize();
+  try {
+    const { runInteractiveInk } = await import("./run-interactive-ink-4EKHIHGU.js");
+    await runInteractiveInk({
+      harness,
+      params,
+      workingDir,
+      config,
+      conversationStore: createConversationStore(resolveStateConfig(config), { workingDir }),
+      onSetApprovalCallback: (cb) => {
+        onApprovalRequest = cb;
+        if (pendingApproval) {
+          cb(pendingApproval);
+        }
+      }
+    });
+  } finally {
+    await harness.shutdown();
+  }
+};
+var listTools = async (workingDir) => {
+  dotenv.config({ path: resolve(workingDir, ".env") });
+  const harness = new AgentHarness({ workingDir });
+  await harness.initialize();
+  const tools = harness.listTools();
+  if (tools.length === 0) {
+    process.stdout.write("No tools registered.\n");
+    return;
+  }
+  process.stdout.write("Available tools:\n");
+  for (const tool of tools) {
+    process.stdout.write(`- ${tool.name}: ${tool.description}
+`);
+  }
+};
+var runPnpmInstall = async (workingDir) => await new Promise((resolveInstall, rejectInstall) => {
+  const child = spawn("pnpm", ["install"], {
+    cwd: workingDir,
+    stdio: "inherit",
+    env: process.env
+  });
+  child.on("exit", (code) => {
+    if (code === 0) {
+      resolveInstall();
+      return;
+    }
+    rejectInstall(new Error(`pnpm install failed with exit code ${code ?? -1}`));
+  });
+});
+var runInstallCommand = async (workingDir, packageNameOrPath) => await new Promise((resolveInstall, rejectInstall) => {
+  const child = spawn("pnpm", ["add", packageNameOrPath], {
+    cwd: workingDir,
+    stdio: "inherit",
+    env: process.env
+  });
+  child.on("exit", (code) => {
+    if (code === 0) {
+      resolveInstall();
+      return;
+    }
+    rejectInstall(new Error(`pnpm add failed with exit code ${code ?? -1}`));
+  });
+});
+var resolveInstalledPackageName = (packageNameOrPath) => {
+  if (packageNameOrPath.startsWith(".") || packageNameOrPath.startsWith("/")) {
+    return null;
+  }
+  if (packageNameOrPath.startsWith("@")) {
+    return packageNameOrPath;
+  }
+  if (packageNameOrPath.includes("/")) {
+    return packageNameOrPath.split("/").pop() ?? packageNameOrPath;
+  }
+  return packageNameOrPath;
+};
+var resolveSkillRoot = (workingDir, packageNameOrPath) => {
+  if (packageNameOrPath.startsWith(".") || packageNameOrPath.startsWith("/")) {
+    return resolve(workingDir, packageNameOrPath);
+  }
+  const moduleName = resolveInstalledPackageName(packageNameOrPath) ?? packageNameOrPath;
+  try {
+    const packageJsonPath = require2.resolve(`${moduleName}/package.json`, {
+      paths: [workingDir]
+    });
+    return resolve(packageJsonPath, "..");
+  } catch {
+    const candidate = resolve(workingDir, "node_modules", moduleName);
+    if (existsSync(candidate)) {
+      return candidate;
+    }
+    throw new Error(
+      `Could not locate installed package "${moduleName}" in ${workingDir}`
+    );
+  }
+};
+var findSkillManifest = async (dir, depth = 2) => {
+  try {
+    await access(resolve(dir, "SKILL.md"));
+    return true;
+  } catch {
+  }
+  if (depth <= 0) return false;
+  try {
+    const { readdir } = await import("fs/promises");
+    const entries = await readdir(dir, { withFileTypes: true });
+    for (const entry of entries) {
+      if (entry.isDirectory() && !entry.name.startsWith(".") && entry.name !== "node_modules") {
+        const found = await findSkillManifest(resolve(dir, entry.name), depth - 1);
+        if (found) return true;
+      }
+    }
+  } catch {
+  }
+  return false;
+};
+var validateSkillPackage = async (workingDir, packageNameOrPath) => {
+  const skillRoot = resolveSkillRoot(workingDir, packageNameOrPath);
+  const hasSkill = await findSkillManifest(skillRoot);
+  if (!hasSkill) {
+    throw new Error(`Skill validation failed: no SKILL.md found in ${skillRoot}`);
+  }
+};
+var addSkill = async (workingDir, packageNameOrPath) => {
+  await runInstallCommand(workingDir, packageNameOrPath);
+  await validateSkillPackage(workingDir, packageNameOrPath);
+  process.stdout.write(`Added skill: ${packageNameOrPath}
+`);
+};
+var runTests = async (workingDir, filePath) => {
+  dotenv.config({ path: resolve(workingDir, ".env") });
+  const testFilePath = filePath ?? resolve(workingDir, "tests", "basic.yaml");
+  const content = await readFile(testFilePath, "utf8");
+  const parsed = YAML.parse(content);
+  const tests = parsed.tests ?? [];
+  const harness = new AgentHarness({ workingDir });
+  await harness.initialize();
+  let passed = 0;
+  let failed = 0;
+  for (const testCase of tests) {
+    try {
+      const output = await harness.runToCompletion({ task: testCase.task });
+      const response = output.result.response ?? "";
+      const events = output.events;
+      const expectation = testCase.expect ?? {};
+      const checks = [];
+      if (expectation.contains) {
+        checks.push(response.includes(expectation.contains));
+      }
+      if (typeof expectation.maxSteps === "number") {
+        checks.push(output.result.steps <= expectation.maxSteps);
+      }
+      if (typeof expectation.maxTokens === "number") {
+        checks.push(
+          output.result.tokens.input + output.result.tokens.output <= expectation.maxTokens
+        );
+      }
+      if (expectation.refusal) {
+        checks.push(
+          response.toLowerCase().includes("can't") || response.toLowerCase().includes("cannot")
+        );
+      }
+      if (expectation.toolCalled) {
+        checks.push(
+          events.some(
+            (event) => event.type === "tool:started" && event.tool === expectation.toolCalled
+          )
+        );
+      }
+      const ok = checks.length === 0 ? output.result.status === "completed" : checks.every(Boolean);
+      if (ok) {
+        passed += 1;
+        process.stdout.write(`PASS ${testCase.name}
+`);
+      } else {
+        failed += 1;
+        process.stdout.write(`FAIL ${testCase.name}
+`);
+      }
+    } catch (error) {
+      failed += 1;
+      process.stdout.write(
+        `FAIL ${testCase.name} (${error instanceof Error ? error.message : "Unknown test error"})
+`
+      );
+    }
+  }
+  process.stdout.write(`
+Test summary: ${passed} passed, ${failed} failed
+`);
+  return { passed, failed };
+};
+var buildTarget = async (workingDir, target) => {
+  const outDir = resolve(workingDir, ".poncho-build", target);
+  await mkdir(outDir, { recursive: true });
+  const serverEntrypoint = `import { startDevServer } from "@poncho-ai/cli";
+
+const port = Number.parseInt(process.env.PORT ?? "3000", 10);
+await startDevServer(Number.isNaN(port) ? 3000 : port, { workingDir: process.cwd() });
+`;
+  const runtimePackageJson = JSON.stringify(
+    {
+      name: "poncho-runtime-bundle",
+      private: true,
+      type: "module",
+      scripts: {
+        start: "node server.js"
+      },
+      dependencies: {
+        "@poncho-ai/cli": "^0.1.0"
+      }
+    },
+    null,
+    2
+  );
+  if (target === "vercel") {
+    await mkdir(resolve(outDir, "api"), { recursive: true });
+    await copyIfExists(resolve(workingDir, "AGENT.md"), resolve(outDir, "AGENT.md"));
+    await copyIfExists(
+      resolve(workingDir, "poncho.config.js"),
+      resolve(outDir, "poncho.config.js")
+    );
+    await copyIfExists(resolve(workingDir, "skills"), resolve(outDir, "skills"));
+    await copyIfExists(resolve(workingDir, "tests"), resolve(outDir, "tests"));
+    await writeFile(
+      resolve(outDir, "vercel.json"),
+      JSON.stringify(
+        {
+          version: 2,
+          functions: {
+            "api/index.js": {
+              includeFiles: "{AGENT.md,poncho.config.js,skills/**,tests/**}"
+            }
+          },
+          routes: [{ src: "/(.*)", dest: "/api/index.js" }]
+        },
+        null,
+        2
+      ),
+      "utf8"
+    );
+    await buildVercelHandlerBundle(outDir);
+    await writeFile(
+      resolve(outDir, "package.json"),
+      JSON.stringify(
+        {
+          private: true,
+          type: "module",
+          engines: {
+            node: "20.x"
+          },
+          dependencies: VERCEL_RUNTIME_DEPENDENCIES
+        },
+        null,
+        2
+      ),
+      "utf8"
+    );
+  } else if (target === "docker") {
+    await writeFile(
+      resolve(outDir, "Dockerfile"),
+      `FROM node:20-slim
+WORKDIR /app
+COPY package.json package.json
+COPY AGENT.md AGENT.md
+COPY poncho.config.js poncho.config.js
+COPY skills skills
+COPY tests tests
+COPY .env.example .env.example
+RUN corepack enable && npm install -g @poncho-ai/cli
+COPY server.js server.js
+EXPOSE 3000
+CMD ["node","server.js"]
+`,
+      "utf8"
+    );
+    await writeFile(resolve(outDir, "server.js"), serverEntrypoint, "utf8");
+    await writeFile(resolve(outDir, "package.json"), runtimePackageJson, "utf8");
+  } else if (target === "lambda") {
+    await writeFile(
+      resolve(outDir, "lambda-handler.js"),
+      `import { startDevServer } from "@poncho-ai/cli";
+let serverPromise;
+export const handler = async (event = {}) => {
+  if (!serverPromise) {
+    serverPromise = startDevServer(0, { workingDir: process.cwd() });
+  }
+  const body = JSON.stringify({
+    status: "ready",
+    route: event.rawPath ?? event.path ?? "/",
+  });
+  return { statusCode: 200, headers: { "content-type": "application/json" }, body };
+};
+`,
+      "utf8"
+    );
+    await writeFile(resolve(outDir, "package.json"), runtimePackageJson, "utf8");
+  } else if (target === "fly") {
+    await writeFile(
+      resolve(outDir, "fly.toml"),
+      `app = "poncho-app"
+[env]
+  PORT = "3000"
+[http_service]
+  internal_port = 3000
+  force_https = true
+  auto_start_machines = true
+  auto_stop_machines = "stop"
+  min_machines_running = 0
+`,
+      "utf8"
+    );
+    await writeFile(
+      resolve(outDir, "Dockerfile"),
+      `FROM node:20-slim
+WORKDIR /app
+COPY package.json package.json
+COPY AGENT.md AGENT.md
+COPY poncho.config.js poncho.config.js
+COPY skills skills
+COPY tests tests
+RUN npm install -g @poncho-ai/cli
+COPY server.js server.js
+EXPOSE 3000
+CMD ["node","server.js"]
+`,
+      "utf8"
+    );
+    await writeFile(resolve(outDir, "server.js"), serverEntrypoint, "utf8");
+    await writeFile(resolve(outDir, "package.json"), runtimePackageJson, "utf8");
+  } else {
+    throw new Error(`Unsupported build target: ${target}`);
+  }
+  process.stdout.write(`Build artifacts generated at ${outDir}
+`);
+};
+var normalizeMcpName = (entry) => entry.name ?? entry.url ?? `mcp_${Date.now()}`;
+var mcpAdd = async (workingDir, options) => {
+  const config = await loadPonchoConfig(workingDir) ?? { mcp: [] };
+  const mcp = [...config.mcp ?? []];
+  if (!options.url) {
+    throw new Error("Remote MCP only: provide --url for a remote MCP server.");
+  }
+  if (options.url.startsWith("ws://") || options.url.startsWith("wss://")) {
+    throw new Error("WebSocket MCP URLs are no longer supported. Use an HTTP MCP endpoint.");
+  }
+  if (!options.url.startsWith("http://") && !options.url.startsWith("https://")) {
+    throw new Error("Invalid MCP URL. Expected http:// or https://.");
+  }
+  mcp.push({
+    name: options.name ?? normalizeMcpName({ url: options.url }),
+    url: options.url,
+    env: options.envVars ?? [],
+    auth: options.authBearerEnv ? {
+      type: "bearer",
+      tokenEnv: options.authBearerEnv
+    } : void 0
+  });
+  await writeConfigFile(workingDir, { ...config, mcp });
+  process.stdout.write("MCP server added.\n");
+};
+var mcpList = async (workingDir) => {
+  const config = await loadPonchoConfig(workingDir);
+  const mcp = config?.mcp ?? [];
+  if (mcp.length === 0) {
+    process.stdout.write("No MCP servers configured.\n");
+    return;
+  }
+  process.stdout.write("Configured MCP servers:\n");
+  for (const entry of mcp) {
+    const auth = entry.auth?.type === "bearer" ? `auth=bearer:${entry.auth.tokenEnv}` : "auth=none";
+    const mode = entry.tools?.mode ?? "all";
+    process.stdout.write(
+      `- ${entry.name ?? entry.url} (remote: ${entry.url}, ${auth}, mode=${mode})
+`
+    );
+  }
+};
+var mcpRemove = async (workingDir, name) => {
+  const config = await loadPonchoConfig(workingDir) ?? { mcp: [] };
+  const before = config.mcp ?? [];
+  const filtered = before.filter((entry) => normalizeMcpName(entry) !== name);
+  await writeConfigFile(workingDir, { ...config, mcp: filtered });
+  process.stdout.write(`Removed MCP server: ${name}
+`);
+};
+var resolveMcpEntry = async (workingDir, serverName) => {
+  const config = await loadPonchoConfig(workingDir) ?? { mcp: [] };
+  const entries = config.mcp ?? [];
+  const index = entries.findIndex((entry) => normalizeMcpName(entry) === serverName);
+  if (index < 0) {
+    throw new Error(`MCP server "${serverName}" is not configured.`);
+  }
+  return { config, index };
+};
+var discoverMcpTools = async (workingDir, serverName) => {
+  const { config, index } = await resolveMcpEntry(workingDir, serverName);
+  const entry = (config.mcp ?? [])[index];
+  const bridge = new LocalMcpBridge({ mcp: [entry] });
+  try {
+    await bridge.startLocalServers();
+    await bridge.discoverTools();
+    return bridge.listDiscoveredTools(normalizeMcpName(entry));
+  } finally {
+    await bridge.stopLocalServers();
+  }
+};
+var mcpToolsList = async (workingDir, serverName) => {
+  const discovered = await discoverMcpTools(workingDir, serverName);
+  if (discovered.length === 0) {
+    process.stdout.write(`No tools discovered for MCP server "${serverName}".
+`);
+    return;
+  }
+  process.stdout.write(`Discovered tools for "${serverName}":
+`);
+  for (const tool of discovered) {
+    process.stdout.write(`- ${tool}
+`);
+  }
+};
+var mcpToolsSelect = async (workingDir, serverName, options) => {
+  const discovered = await discoverMcpTools(workingDir, serverName);
+  if (discovered.length === 0) {
+    process.stdout.write(`No tools discovered for MCP server "${serverName}".
+`);
+    return;
+  }
+  let selected = [];
+  if (options.all) {
+    selected = [...discovered];
+  } else if (options.toolsCsv && options.toolsCsv.trim().length > 0) {
+    const requested = options.toolsCsv.split(",").map((part) => part.trim()).filter((part) => part.length > 0);
+    selected = discovered.filter((tool) => requested.includes(tool));
+  } else {
+    process.stdout.write(`Discovered tools for "${serverName}":
+`);
+    discovered.forEach((tool, idx) => {
+      process.stdout.write(`${idx + 1}. ${tool}
+`);
+    });
+    const rl = createInterface({ input: process.stdin, output: process.stdout });
+    const answer = await rl.question(
+      "Enter comma-separated tool numbers/names to allow (or * for all): "
+    );
+    rl.close();
+    const raw = answer.trim();
+    if (raw === "*") {
+      selected = [...discovered];
+    } else {
+      const tokens = raw.split(",").map((part) => part.trim()).filter((part) => part.length > 0);
+      const fromIndex = tokens.map((token) => Number.parseInt(token, 10)).filter((value) => !Number.isNaN(value)).map((index2) => discovered[index2 - 1]).filter((value) => typeof value === "string");
+      const byName = discovered.filter((tool) => tokens.includes(tool));
+      selected = [.../* @__PURE__ */ new Set([...fromIndex, ...byName])];
+    }
+  }
+  if (selected.length === 0) {
+    throw new Error("No valid tools selected.");
+  }
+  const { config, index } = await resolveMcpEntry(workingDir, serverName);
+  const mcp = [...config.mcp ?? []];
+  const existing = mcp[index];
+  mcp[index] = {
+    ...existing,
+    tools: {
+      ...existing.tools ?? {},
+      mode: "allowlist",
+      include: selected.sort()
+    }
+  };
+  await writeConfigFile(workingDir, { ...config, mcp });
+  process.stdout.write(
+    `Updated ${serverName} to allowlist ${selected.length} tools in poncho.config.js.
+`
+  );
+  process.stdout.write(
+    "\nDeclare selected MCP tools explicitly in AGENT.md and/or SKILL.md:\n"
+  );
+  process.stdout.write(
+    "AGENT.md frontmatter snippet:\n---\ntools:\n  mcp:\n" + selected.map((tool) => `    - ${tool}`).join("\n") + "\n---\n"
+  );
+  process.stdout.write(
+    "SKILL.md frontmatter snippet:\n---\ntools:\n  mcp:\n" + selected.map((tool) => `    - ${tool}`).join("\n") + "\n---\n"
+  );
+};
+var buildCli = () => {
+  const program = new Command();
+  program.name("poncho").description("CLI for building and running Poncho agents").version("0.1.0");
+  program.command("init").argument("<name>", "project name").option("--yes", "accept defaults and skip prompts", false).description("Scaffold a new Poncho project").action(async (name, options) => {
+    await initProject(name, {
+      onboarding: {
+        yes: options.yes,
+        interactive: !options.yes && process.stdin.isTTY === true && process.stdout.isTTY === true
+      }
+    });
+  });
+  program.command("dev").description("Run local development server").option("--port <port>", "server port", "3000").action(async (options) => {
+    const port = Number.parseInt(options.port, 10);
+    await startDevServer(Number.isNaN(port) ? 3e3 : port);
+  });
+  program.command("run").argument("[task]", "task to run").description("Execute the agent once").option("--param <keyValue>", "parameter key=value", (value, all) => {
+    all.push(value);
+    return all;
+  }, []).option("--file <path>", "include file contents", (value, all) => {
+    all.push(value);
+    return all;
+  }, []).option("--json", "output json", false).option("--interactive", "run in interactive mode", false).action(
+    async (task, options) => {
+      const params = parseParams(options.param);
+      if (options.interactive) {
+        await runInteractive(process.cwd(), params);
+        return;
+      }
+      if (!task) {
+        throw new Error("Task is required unless --interactive is used.");
+      }
+      await runOnce(task, {
+        params,
+        json: options.json,
+        filePaths: options.file
+      });
+    }
+  );
+  program.command("tools").description("List all tools available to the agent").action(async () => {
+    await listTools(process.cwd());
+  });
+  program.command("add").argument("<packageOrPath>", "skill package name/path").description("Add a skill package and validate SKILL.md").action(async (packageOrPath) => {
+    await addSkill(process.cwd(), packageOrPath);
+  });
+  program.command("update-agent").description("Remove deprecated embedded local guidance from AGENT.md").action(async () => {
+    await updateAgentGuidance(process.cwd());
+  });
+  program.command("test").argument("[file]", "test file path (yaml)").description("Run yaml-defined agent tests").action(async (file) => {
+    const testFile = file ? resolve(process.cwd(), file) : void 0;
+    const result = await runTests(process.cwd(), testFile);
+    if (result.failed > 0) {
+      process.exitCode = 1;
+    }
+  });
+  program.command("build").argument("<target>", "vercel|docker|lambda|fly").description("Generate build artifacts for deployment target").action(async (target) => {
+    await buildTarget(process.cwd(), target);
+  });
+  const mcpCommand = program.command("mcp").description("Manage MCP servers");
+  mcpCommand.command("add").requiredOption("--url <url>", "remote MCP url").option("--name <name>", "server name").option(
+    "--auth-bearer-env <name>",
+    "env var name containing bearer token for this MCP server"
+  ).option("--env <name>", "env variable (repeatable)", (value, all) => {
+    all.push(value);
+    return all;
+  }, []).action(
+    async (options) => {
+      await mcpAdd(process.cwd(), {
+        url: options.url,
+        name: options.name,
+        envVars: options.env,
+        authBearerEnv: options.authBearerEnv
+      });
+    }
+  );
+  mcpCommand.command("list").description("List configured MCP servers").action(async () => {
+    await mcpList(process.cwd());
+  });
+  mcpCommand.command("remove").argument("<name>", "server name").description("Remove an MCP server by name").action(async (name) => {
+    await mcpRemove(process.cwd(), name);
+  });
+  const mcpToolsCommand = mcpCommand.command("tools").description("Discover and curate tools for a configured MCP server");
+  mcpToolsCommand.command("list").argument("<name>", "server name").description("Discover and list tools from a configured MCP server").action(async (name) => {
+    await mcpToolsList(process.cwd(), name);
+  });
+  mcpToolsCommand.command("select").argument("<name>", "server name").description("Select MCP tools and store as config allowlist").option("--all", "select all discovered tools", false).option("--tools <csv>", "comma-separated discovered tool names").action(
+    async (name, options) => {
+      await mcpToolsSelect(process.cwd(), name, {
+        all: options.all,
+        toolsCsv: options.tools
+      });
+    }
+  );
+  return program;
+};
+var main = async (argv = process.argv) => {
+  try {
+    await buildCli().parseAsync(argv);
+  } catch (error) {
+    if (typeof error === "object" && error !== null && "code" in error && error.code === "EADDRINUSE") {
+      const message = "Port is already in use. Try `poncho dev --port 3001` or stop the process using port 3000.";
+      process.stderr.write(`${message}
+`);
+      process.exitCode = 1;
+      return;
+    }
+    process.stderr.write(`${error instanceof Error ? error.message : "Unknown CLI error"}
+`);
+    process.exitCode = 1;
+  }
+};
+var packageRoot = resolve(__dirname, "..");
+
+export {
+  initProject,
+  updateAgentGuidance,
+  createRequestHandler,
+  startDevServer,
+  runOnce,
+  runInteractive,
+  listTools,
+  addSkill,
+  runTests,
+  buildTarget,
+  mcpAdd,
+  mcpList,
+  mcpRemove,
+  mcpToolsList,
+  mcpToolsSelect,
+  buildCli,
+  main,
+  packageRoot
+};