@quireco/cli 0.0.2 → 0.0.3

package/dist/{cli-B7nQVYtL.mjs → cli-6V12Qvge.mjs}

@@ -1,31 +1,95 @@
-import { n as __require, r as __toESM, t as __commonJSMin } from "./chunk-e9Ob2GDo.mjs";
+import { a as __toCommonJS, i as __require, n as __esmMin, o as __toESM, r as __exportAll, t as __commonJSMin } from "./chunk-Vs_PY4HZ.mjs";
+import { createRequire } from "node:module";
 import { defineCommand, parseArgs, renderUsage, runCommand } from "citty";
-import { closeSync, constants, existsSync, fsyncSync, mkdirSync, openSync, readFileSync, readdirSync, renameSync, watch, writeFileSync } from "node:fs";
+import { createInterface } from "node:readline/promises";
+import { loginOpenAICodex } from "@earendil-works/pi-ai/oauth";
+import { AuthStorage, DefaultResourceLoader, ModelRegistry, SessionManager, SettingsManager, createAgentSession, defineTool, getAgentDir } from "@earendil-works/pi-coding-agent";
+import { exec, execFile, execFileSync, spawn } from "node:child_process";
+import os, { homedir, networkInterfaces, tmpdir } from "node:os";
 import { basename, delimiter, dirname, extname, join, relative, resolve, sep } from "node:path";
+import { calculateCost, createAssistantMessageEventStream } from "@earendil-works/pi-ai";
+import { convertMessages } from "@earendil-works/pi-ai/openai-completions";
+import { access, constants, mkdir, mkdtemp, readFile, readdir, rename, rm, stat, unlink, writeFile } from "node:fs/promises";
+import { closeSync, constants as constants$1, existsSync, fsyncSync, mkdirSync, openSync, readFileSync, readdirSync, renameSync, watch, writeFileSync } from "node:fs";
 import { Type } from "@sinclair/typebox";
 import { Value } from "@sinclair/typebox/value";
-import { exec, execFile, execFileSync, spawn } from "node:child_process";
-import { access, constants as constants$1, mkdir, mkdtemp, readFile, readdir, rename, rm, stat, unlink, writeFile } from "node:fs/promises";
 import { promisify } from "node:util";
-import { homedir, networkInterfaces, tmpdir } from "node:os";
 import { createHash, randomBytes } from "node:crypto";
 import * as net from "net";
 import { promisify as promisify$1 } from "util";
-import os from "os";
+import process$1 from "node:process";
+import tty from "node:tty";
 import { createServer } from "node:http";
 import { pathToFileURL } from "node:url";
 import path, { basename as basename$1 } from "path";
 import * as crypto$1 from "crypto";
 import crypto, { createHash as createHash$1 } from "crypto";
 import fs, { promises } from "fs";
+import os$1 from "os";
 import { Readable } from "stream";
 import * as zlib$1 from "zlib";
 import { execFile as execFile$1 } from "child_process";
 import { EventEmitter } from "events";
 import { pipeline } from "stream/promises";
-import { AuthStorage, DefaultResourceLoader, ModelRegistry, SessionManager, SettingsManager, createAgentSession, defineTool, getAgentDir } from "@mariozechner/pi-coding-agent";
-import { calculateCost, createAssistantMessageEventStream } from "@mariozechner/pi-ai";
-import { convertMessages } from "@mariozechner/pi-ai/openai-completions";
+//#region src/auth/open-browser.ts
+async function openBrowser(url) {
+	const command = browserCommand(url);
+	if (command === null) return false;
+	return new Promise((resolve) => {
+		const child = spawn(command.command, command.args, {
+			detached: true,
+			stdio: "ignore",
+			shell: false
+		});
+		child.once("error", () => resolve(false));
+		child.once("spawn", () => {
+			child.unref();
+			resolve(true);
+		});
+	});
+}
+function browserCommand(url) {
+	if (process.platform === "darwin") return {
+		command: "open",
+		args: [url]
+	};
+	if (process.platform === "win32") return {
+		command: "cmd",
+		args: [
+			"/c",
+			"start",
+			"",
+			url
+		]
+	};
+	return {
+		command: "xdg-open",
+		args: [url]
+	};
+}
+//#endregion
+//#region src/exit-codes.ts
+const ExitCode = {
+	Success: 0,
+	InternalError: 1,
+	InvalidInput: 2,
+	AuthFailure: 10,
+	NetworkFailure: 11
+};
+var CliError$1 = class extends Error {
+	constructor(message, exitCode = ExitCode.InternalError) {
+		super(message);
+		this.exitCode = exitCode;
+		this.name = "CliError";
+	}
+};
+function readExitCode(error) {
+	return error instanceof CliError$1 ? error.exitCode : ExitCode.InternalError;
+}
+function toOneLineError(error) {
+	return (error instanceof Error ? error.message : String(error)).replace(/\s+/g, " ").trim() || "unknown error";
+}
+//#endregion
 //#region src/output.ts
 function writeLine(output, message = "") {
 	output?.write(`${message}\n`);
@@ -34,6 +98,885 @@ function writeJson(output, value) {
 	writeLine(output, JSON.stringify(value));
 }
 //#endregion
+//#region src/auth/constants.ts
+const QUIRE_API_TOKEN_ENV = "QUIRE_API_TOKEN";
+const QUIRE_API_TOKEN_TYPE = "QuireApiKey";
+//#endregion
+//#region src/auth/api.ts
+const CLIENT_ID = "quire-cli";
+const DEVICE_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code";
+var HttpError = class extends CliError$1 {
+	constructor(message, status, body, code) {
+		super(message, status === 401 || status === 403 ? ExitCode.AuthFailure : ExitCode.NetworkFailure);
+		this.status = status;
+		this.body = body;
+		this.code = code;
+		this.name = "HttpError";
+	}
+};
+function readApiBaseUrl(value = process.env.QUIRE_API_URL ?? "https://quire.sh") {
+	return normalizeApiBaseUrl(value);
+}
+function normalizeApiBaseUrl(value) {
+	try {
+		const url = new URL(value);
+		url.pathname = url.pathname.replace(/\/+$/, "");
+		url.search = "";
+		url.hash = "";
+		return url.toString().replace(/\/$/, "");
+	} catch {
+		throw new CliError$1(`Invalid Quire API URL: ${value}`, ExitCode.InvalidInput);
+	}
+}
+async function requestDeviceCode(options) {
+	return parseDeviceCodeResponse((await requestJson$1({
+		url: authUrl(options.apiBaseUrl, "/device/code"),
+		fetchFn: options.fetchFn,
+		init: {
+			method: "POST",
+			headers: jsonHeaders(),
+			body: JSON.stringify({
+				client_id: CLIENT_ID,
+				...options.scope === void 0 ? {} : { scope: options.scope }
+			})
+		}
+	})).body);
+}
+async function requestDeviceToken(options) {
+	return parseDeviceTokenResponse((await requestJson$1({
+		url: authUrl(options.apiBaseUrl, "/device/token"),
+		fetchFn: options.fetchFn,
+		init: {
+			method: "POST",
+			headers: jsonHeaders(),
+			body: JSON.stringify({
+				grant_type: DEVICE_GRANT_TYPE,
+				device_code: options.deviceCode,
+				client_id: CLIENT_ID
+			})
+		}
+	})).body);
+}
+async function fetchCurrentSession(options) {
+	const response = await requestJson$1({
+		url: authUrl(options.apiBaseUrl, "/get-session"),
+		fetchFn: options.fetchFn,
+		init: {
+			method: "GET",
+			headers: {
+				Accept: "application/json",
+				...authHeaders(options)
+			}
+		}
+	});
+	const refreshedAccessToken = response.response.headers.get("set-auth-token") ?? void 0;
+	return {
+		data: parseCurrentSession(response.body),
+		...refreshedAccessToken === void 0 ? {} : { refreshedAccessToken }
+	};
+}
+async function fetchModelSourceBrokerStatus(options) {
+	return parseModelSourceBrokerStatus((await requestJson$1({
+		url: apiUrl(options.apiBaseUrl, "/api/model-sources"),
+		fetchFn: options.fetchFn,
+		init: {
+			method: "GET",
+			headers: {
+				Accept: "application/json",
+				...authHeaders(options),
+				"User-Agent": "quire-cli"
+			}
+		}
+	})).body);
+}
+function authUrl(apiBaseUrl, path) {
+	return apiUrl(apiBaseUrl, `/api/auth${path}`);
+}
+function apiUrl(apiBaseUrl, path) {
+	return new URL(path, apiBaseUrl).toString();
+}
+function jsonHeaders() {
+	return {
+		Accept: "application/json",
+		"Content-Type": "application/json",
+		"User-Agent": "quire-cli"
+	};
+}
+function authHeaders(credentials) {
+	if (credentials.tokenType === "QuireApiKey") return { "X-Quire-API-Key": credentials.accessToken };
+	return { Authorization: `Bearer ${credentials.accessToken}` };
+}
+async function requestJson$1(options) {
+	let response;
+	try {
+		response = await (options.fetchFn ?? fetch)(options.url, options.init);
+	} catch (error) {
+		throw new CliError$1(`Could not reach Quire API: ${error instanceof Error ? error.message : String(error)}`, ExitCode.NetworkFailure);
+	}
+	const body = await readResponseBody(response);
+	if (!response.ok) {
+		const { code, description } = readErrorBody(body);
+		throw new HttpError(description ?? `Quire API request failed with HTTP ${response.status}`, response.status, body, code);
+	}
+	return {
+		body,
+		response
+	};
+}
+async function readResponseBody(response) {
+	const text = await response.text();
+	if (!text) return null;
+	try {
+		return JSON.parse(text);
+	} catch {
+		return text;
+	}
+}
+function readErrorBody(body) {
+	if (!isRecord$21(body)) return {};
+	return {
+		code: typeof body.error === "string" ? body.error : void 0,
+		description: typeof body.error_description === "string" ? body.error_description : typeof body.message === "string" ? body.message : void 0
+	};
+}
+function parseDeviceCodeResponse(value) {
+	if (!isRecord$21(value)) throw new CliError$1("Quire API returned an invalid device code response", ExitCode.NetworkFailure);
+	const response = {
+		device_code: value.device_code,
+		user_code: value.user_code,
+		verification_uri: value.verification_uri,
+		verification_uri_complete: value.verification_uri_complete,
+		expires_in: value.expires_in,
+		interval: value.interval
+	};
+	if (typeof response.device_code !== "string" || typeof response.user_code !== "string" || typeof response.verification_uri !== "string" || typeof response.verification_uri_complete !== "string" || typeof response.expires_in !== "number" || typeof response.interval !== "number") throw new CliError$1("Quire API returned an invalid device code response", ExitCode.NetworkFailure);
+	return response;
+}
+function parseDeviceTokenResponse(value) {
+	if (!isRecord$21(value) || typeof value.access_token !== "string") throw new CliError$1("Quire API returned an invalid device token response", ExitCode.NetworkFailure);
+	if (value.expires_in !== void 0 && typeof value.expires_in !== "number") throw new CliError$1("Quire API returned an invalid device token response", ExitCode.NetworkFailure);
+	if (value.scope !== void 0 && typeof value.scope !== "string") throw new CliError$1("Quire API returned an invalid device token response", ExitCode.NetworkFailure);
+	return {
+		access_token: value.access_token,
+		token_type: typeof value.token_type === "string" ? value.token_type : "Bearer",
+		...value.expires_in === void 0 ? {} : { expires_in: value.expires_in },
+		...value.scope === void 0 ? {} : { scope: value.scope }
+	};
+}
+function parseCurrentSession(value) {
+	if (value === null) return null;
+	if (!isRecord$21(value) || !isRecord$21(value.session) || !isRecord$21(value.user)) throw new CliError$1("Quire API returned an invalid session response", ExitCode.NetworkFailure);
+	if (typeof value.session.id !== "string" || typeof value.user.id !== "string") throw new CliError$1("Quire API returned an invalid session response", ExitCode.NetworkFailure);
+	if (value.user.email !== void 0 && value.user.email !== null && typeof value.user.email !== "string") throw new CliError$1("Quire API returned an invalid session response", ExitCode.NetworkFailure);
+	if (value.user.name !== void 0 && value.user.name !== null && typeof value.user.name !== "string") throw new CliError$1("Quire API returned an invalid session response", ExitCode.NetworkFailure);
+	return {
+		session: {
+			id: value.session.id,
+			...typeof value.session.expiresAt === "string" ? { expiresAt: value.session.expiresAt } : {}
+		},
+		user: {
+			id: value.user.id,
+			...value.user.email === void 0 ? {} : { email: value.user.email },
+			...value.user.name === void 0 ? {} : { name: value.user.name }
+		}
+	};
+}
+function parseModelSourceBrokerStatus(value) {
+	if (!isRecord$21(value) || !Array.isArray(value.selectedOrder)) throw new CliError$1("Quire API returned an invalid model-source status response", ExitCode.NetworkFailure);
+	const resolvedAvailability = value.resolvedAvailability;
+	if (!isRecord$21(resolvedAvailability)) throw new CliError$1("Quire API returned an invalid model-source status response", ExitCode.NetworkFailure);
+	const status = resolvedAvailability.status;
+	const reason = resolvedAvailability.reason;
+	const selectedProviderMode = resolvedAvailability.mode;
+	const requiredNextAction = resolvedAvailability.nextAction;
+	if (status !== "available" && status !== "unavailable" || typeof reason !== "string" || selectedProviderMode !== null && typeof selectedProviderMode !== "string" || requiredNextAction !== null && typeof requiredNextAction !== "string" || !value.selectedOrder.every((mode) => typeof mode === "string")) throw new CliError$1("Quire API returned an invalid model-source status response", ExitCode.NetworkFailure);
+	const actor = readActor(value);
+	return {
+		...actor === void 0 ? {} : { actor },
+		available: status === "available",
+		status,
+		selectedProviderMode,
+		selectedOrder: value.selectedOrder,
+		reason,
+		requiredNextAction,
+		requiredBalance: readWalletRequiredBalance(value),
+		remainingBalance: readWalletRemainingBalance(value),
+		recentUsage: readRecentUsage(value)
+	};
+}
+function readActor(value) {
+	const actor = value.actor;
+	if (!isRecord$21(actor)) return;
+	const actorType = actor.actorType;
+	if (actorType !== "user_session" && actorType !== "api_key") return;
+	return {
+		actorType,
+		actorId: typeof actor.actorId === "string" ? actor.actorId : null,
+		environmentId: typeof actor.environmentId === "string" ? actor.environmentId : null,
+		environmentName: typeof actor.environmentName === "string" ? actor.environmentName : null,
+		triggerSource: typeof actor.triggerSource === "string" ? actor.triggerSource : null
+	};
+}
+function isRecord$21(value) {
+	return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function readWalletRequiredBalance(value) {
+	const source = readFirstSource(value);
+	const requiredBalance = (isRecord$21(source?.wallet) ? source.wallet : null)?.requiredBalance;
+	return typeof requiredBalance === "number" && Number.isFinite(requiredBalance) ? requiredBalance : null;
+}
+function readWalletRemainingBalance(value) {
+	const source = readFirstSource(value);
+	const wallet = isRecord$21(source?.wallet) ? source.wallet : null;
+	const remaining = (isRecord$21(wallet?.balance) ? wallet.balance : null)?.remaining;
+	return typeof remaining === "number" && Number.isFinite(remaining) ? remaining : null;
+}
+function readFirstSource(value) {
+	if (!Array.isArray(value.sources)) return null;
+	const [source] = value.sources;
+	return isRecord$21(source) ? source : null;
+}
+function readRecentUsage(value) {
+	if (!Array.isArray(value.recentUsage)) return [];
+	return value.recentUsage.flatMap((event) => {
+		if (!isRecord$21(event)) return [];
+		if (typeof event.modelId !== "string" || typeof event.status !== "string" || typeof event.totalTokens !== "number" || typeof event.createdAt !== "string") return [];
+		return [{
+			modelId: event.modelId,
+			status: event.status,
+			totalTokens: event.totalTokens,
+			runId: typeof event.runId === "string" ? event.runId : null,
+			createdAt: event.createdAt
+		}];
+	});
+}
+//#endregion
+//#region src/auth/store.ts
+function defaultAuthPath(env = process.env) {
+	if (env.QUIRE_AUTH_FILE) return resolve(env.QUIRE_AUTH_FILE);
+	return join(resolve(env.QUIRE_HOME ?? join(homedir(), ".quire")), "auth.json");
+}
+function createAuthStore(path = defaultAuthPath()) {
+	async function get() {
+		try {
+			const contents = await readFile(path, "utf8");
+			return parseStoredCredentials(JSON.parse(contents));
+		} catch {
+			return null;
+		}
+	}
+	async function set(credentials) {
+		await mkdir(dirname(path), {
+			recursive: true,
+			mode: 448
+		});
+		await writeFile(path, `${JSON.stringify(credentials, null, 2)}\n`, { mode: 384 });
+	}
+	async function clear() {
+		try {
+			await unlink(path);
+		} catch {}
+	}
+	return {
+		path,
+		get,
+		set,
+		clear
+	};
+}
+const authStore = createAuthStore();
+async function resolveAuthCredentials(options = {}) {
+	const env = options.env ?? process.env;
+	const apiToken = env[QUIRE_API_TOKEN_ENV]?.trim();
+	if (apiToken) return createStoredCredentials({
+		apiBaseUrl: readApiBaseUrl(env.QUIRE_API_URL),
+		accessToken: apiToken,
+		tokenType: QUIRE_API_TOKEN_TYPE,
+		user: {
+			id: "api-token",
+			name: "API token"
+		}
+	});
+	return (options.store ?? authStore).get();
+}
+function createStoredCredentials(input) {
+	const now = input.now ?? /* @__PURE__ */ new Date();
+	const timestamp = now.toISOString();
+	const expiresAt = input.expiresAt ?? expiresAtFromSeconds(input.expiresIn, now);
+	return {
+		version: 1,
+		apiBaseUrl: input.apiBaseUrl,
+		accessToken: input.accessToken,
+		tokenType: input.tokenType ?? "Bearer",
+		...expiresAt === void 0 ? {} : { expiresAt },
+		...input.user === void 0 ? {} : { user: input.user },
+		createdAt: timestamp,
+		updatedAt: timestamp
+	};
+}
+function updateStoredCredentials(credentials, input) {
+	return {
+		...credentials,
+		accessToken: input.accessToken ?? credentials.accessToken,
+		tokenType: input.tokenType ?? credentials.tokenType,
+		...input.expiresAt === void 0 ? {} : { expiresAt: input.expiresAt },
+		...input.user === void 0 ? {} : { user: input.user },
+		updatedAt: (input.now ?? /* @__PURE__ */ new Date()).toISOString()
+	};
+}
+function expiresAtFromSeconds(expiresIn, now) {
+	return typeof expiresIn === "number" ? new Date(now.getTime() + expiresIn * 1e3).toISOString() : void 0;
+}
+function parseStoredCredentials(value) {
+	if (!isRecord$20(value)) return null;
+	if (value.version !== 1 || typeof value.apiBaseUrl !== "string" || typeof value.accessToken !== "string" || typeof value.tokenType !== "string" || typeof value.createdAt !== "string" || typeof value.updatedAt !== "string") return null;
+	if (value.expiresAt !== void 0 && typeof value.expiresAt !== "string") return null;
+	const user = parseStoredUser(value.user);
+	if (value.user !== void 0 && user === null) return null;
+	return {
+		version: 1,
+		apiBaseUrl: value.apiBaseUrl,
+		accessToken: value.accessToken,
+		tokenType: value.tokenType,
+		...value.expiresAt === void 0 ? {} : { expiresAt: value.expiresAt },
+		...user === void 0 || user === null ? {} : { user },
+		createdAt: value.createdAt,
+		updatedAt: value.updatedAt
+	};
+}
+function parseStoredUser(value) {
+	if (value === void 0) return;
+	if (!isRecord$20(value) || typeof value.id !== "string") return null;
+	if (value.email !== void 0 && value.email !== null && typeof value.email !== "string") return null;
+	if (value.name !== void 0 && value.name !== null && typeof value.name !== "string") return null;
+	return {
+		id: value.id,
+		...value.email === void 0 ? {} : { email: value.email },
+		...value.name === void 0 ? {} : { name: value.name }
+	};
+}
+function isRecord$20(value) {
+	return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+//#endregion
+//#region src/pipeline/quire-model-provider.ts
+const QUIRE_MODEL_PROVIDER = "quire";
+const QUIRE_MODEL_ID = "gpt-5.1";
+const PI_CODEX_MODEL_PROVIDER = "openai-codex";
+const PI_CODEX_MODEL_ID = "gpt-5.5";
+const QUIRE_MODEL_API = "quire-chat-completions";
+const QUIRE_RUNTIME_AUTH_ENV = "QUIRE_RUNTIME_AUTH_TOKEN";
+const QUIRE_MODEL_AUTH_PATH_ENV = "QUIRE_MODEL_AUTH_PATH";
+const openAiCompletionCompat = {
+	supportsStore: false,
+	supportsDeveloperRole: false,
+	supportsReasoningEffort: true,
+	supportsUsageInStreaming: false,
+	maxTokensField: "max_completion_tokens",
+	requiresToolResultName: false,
+	requiresAssistantAfterToolResult: false,
+	requiresThinkingAsText: false,
+	requiresReasoningContentOnAssistantMessages: false,
+	thinkingFormat: "openai",
+	zaiToolStream: false,
+	supportsStrictMode: true,
+	sendSessionAffinityHeaders: false,
+	supportsLongCacheRetention: true
+};
+async function createQuireModelSessionDependencies({ runId, store = authStore, fetchFn }) {
+	const credentials = await readValidatedQuireCredentials({
+		store,
+		fetchFn
+	});
+	const authStorage = AuthStorage.inMemory();
+	authStorage.setRuntimeApiKey(QUIRE_MODEL_PROVIDER, credentials.accessToken);
+	const modelRegistry = ModelRegistry.inMemory(authStorage);
+	modelRegistry.registerProvider(QUIRE_MODEL_PROVIDER, {
+		name: "Quire Credits",
+		baseUrl: credentials.apiBaseUrl,
+		apiKey: QUIRE_RUNTIME_AUTH_ENV,
+		api: QUIRE_MODEL_API,
+		models: [quireModelDefinition()],
+		streamSimple: createQuireCreditsStream({
+			apiBaseUrl: credentials.apiBaseUrl,
+			tokenType: credentials.tokenType,
+			runId,
+			fetchFn
+		})
+	});
+	const model = modelRegistry.find(QUIRE_MODEL_PROVIDER, QUIRE_MODEL_ID);
+	if (!model) throw new Error(`Quire model not found: ${QUIRE_MODEL_PROVIDER}/${QUIRE_MODEL_ID}`);
+	return {
+		authStorage,
+		modelRegistry,
+		model,
+		source: "quire_credits"
+	};
+}
+async function createInvestigationModelSessionDependencies({ runId, store = authStore, fetchFn, localAuthStorage }) {
+	const localCodex = await createLocalCodexSessionDependencies(localAuthStorage);
+	if (localCodex) return localCodex;
+	return createQuireModelSessionDependencies({
+		runId,
+		store,
+		fetchFn
+	});
+}
+async function createLocalCodexSessionDependencies(localAuthStorage) {
+	const authStorages = localAuthStorage === void 0 ? [AuthStorage.create(readQuireModelAuthPath()), AuthStorage.create()] : [localAuthStorage];
+	for (const authStorage of authStorages) {
+		const modelRegistry = ModelRegistry.create(authStorage);
+		const model = modelRegistry.find(PI_CODEX_MODEL_PROVIDER, PI_CODEX_MODEL_ID);
+		if (!model || !modelRegistry.hasConfiguredAuth(model)) continue;
+		const auth = await modelRegistry.getApiKeyAndHeaders(model);
+		if (!auth.ok || !auth.apiKey && !auth.headers) continue;
+		return {
+			authStorage,
+			modelRegistry,
+			model,
+			source: "local_openai_codex"
+		};
+	}
+	return null;
+}
+function readQuireModelAuthPath() {
+	const envPath = process.env[QUIRE_MODEL_AUTH_PATH_ENV]?.trim();
+	return envPath && envPath.length > 0 ? envPath : join(homedir(), ".quire", "model-auth.json");
+}
+function quireModelDefinition() {
+	return {
+		id: QUIRE_MODEL_ID,
+		name: "Quire Credits GPT-5.1",
+		api: QUIRE_MODEL_API,
+		reasoning: true,
+		thinkingLevelMap: {
+			off: null,
+			xhigh: "high"
+		},
+		input: ["text"],
+		cost: {
+			input: 1.25,
+			output: 10,
+			cacheRead: .125,
+			cacheWrite: 0
+		},
+		contextWindow: 128e3,
+		maxTokens: 32e3
+	};
+}
+function createQuireCreditsStream(options) {
+	return (model, context, streamOptions) => {
+		const stream = createAssistantMessageEventStream();
+		(async () => {
+			const output = createEmptyAssistantMessage(model);
+			try {
+				const accessToken = streamOptions?.apiKey;
+				if (!accessToken) throw new CliError$1("Not logged in. Run `quire login` before `quire investigate` so Quire Credits can be checked.", ExitCode.AuthFailure);
+				stream.push({
+					type: "start",
+					partial: output
+				});
+				applyBrokerResponseToStream(stream, output, model, await requestBrokerChatCompletion({
+					apiBaseUrl: options.apiBaseUrl,
+					accessToken,
+					tokenType: options.tokenType,
+					runId: options.runId,
+					model,
+					context,
+					streamOptions,
+					fetchFn: options.fetchFn
+				}));
+			} catch (error) {
+				output.stopReason = streamOptions?.signal?.aborted ? "aborted" : "error";
+				output.errorMessage = error instanceof Error ? error.message : String(error);
+				stream.push({
+					type: "error",
+					reason: output.stopReason,
+					error: output
+				});
+				stream.end();
+			}
+		})();
+		return stream;
+	};
+}
+async function readValidatedQuireCredentials(options) {
+	const credentials = await resolveAuthCredentials({ store: options.store });
+	if (!credentials) throw new CliError$1("Not logged in. Run `quire login` or set QUIRE_API_TOKEN before `quire investigate` so Quire Credits can be checked.", ExitCode.AuthFailure);
+	if (credentials.tokenType === "QuireApiKey") return credentials;
+	const sessionLookup = await fetchCurrentSession({
+		apiBaseUrl: credentials.apiBaseUrl,
+		accessToken: credentials.accessToken,
+		tokenType: credentials.tokenType,
+		fetchFn: options.fetchFn
+	});
+	if (!sessionLookup.data) {
+		await options.store.clear();
+		throw new CliError$1("Stored Quire credentials are no longer valid. Run `quire login`.", ExitCode.AuthFailure);
+	}
+	if (!sessionLookup.refreshedAccessToken) return credentials;
+	const refreshedCredentials = updateStoredCredentials(credentials, {
+		accessToken: sessionLookup.refreshedAccessToken,
+		expiresAt: sessionLookup.data.session.expiresAt,
+		user: sessionLookup.data.user
+	});
+	await options.store.set(refreshedCredentials);
+	return refreshedCredentials;
+}
+async function requestBrokerChatCompletion(input) {
+	const response = await (input.fetchFn ?? fetch)(new URL("/api/model-broker/chat-completions", input.apiBaseUrl).toString(), {
+		method: "POST",
+		headers: {
+			Accept: "application/json",
+			...authHeaders(input),
+			"Content-Type": "application/json",
+			"User-Agent": "quire-cli"
+		},
+		signal: input.streamOptions?.signal,
+		body: JSON.stringify({
+			model: input.model.id,
+			messages: toBrokerMessages(input.model, input.context),
+			runId: input.runId,
+			stream: false,
+			agentContext: {
+				messages: [],
+				tools: toBrokerTools(input.context.tools)
+			},
+			agentOptions: {
+				reasoning: normalizeReasoning(input.streamOptions?.reasoning),
+				sessionId: input.streamOptions?.sessionId ?? null
+			}
+		})
+	});
+	const body = await readJsonBody(response);
+	if (!response.ok || body?.status !== "succeeded") throw brokerResponseError(response, body);
+	const rawResponse = body.data?.response;
+	if (!rawResponse || typeof rawResponse !== "object" || Array.isArray(rawResponse)) throw new Error("Quire model broker returned an invalid model response.");
+	return rawResponse;
+}
+function toBrokerMessages(model, context) {
+	return convertMessages(model, context, openAiCompletionCompat).map((message) => {
+		const record = message;
+		const role = normalizeRole(record.role);
+		const toolCalls = parseBrokerToolCalls(record.tool_calls);
+		return {
+			role,
+			content: normalizeMessageContent(record.content),
+			...typeof record.name === "string" ? { name: record.name } : {},
+			...typeof record.tool_call_id === "string" ? { tool_call_id: record.tool_call_id } : {},
+			...toolCalls.length > 0 ? { tool_calls: toolCalls } : {}
+		};
+	});
+}
+function toBrokerTools(tools) {
+	return (tools ?? []).map((tool) => ({
+		type: "function",
+		function: {
+			name: tool.name,
+			description: tool.description,
+			parameters: tool.parameters,
+			strict: false
+		}
+	}));
+}
+function applyBrokerResponseToStream(stream, output, model, response) {
+	output.responseId = typeof response.id === "string" ? response.id : void 0;
+	output.responseModel = typeof response.model === "string" ? response.model : void 0;
+	output.usage = readUsage(response.usage, model);
+	const choice = response.choices?.[0];
+	const message = choice?.message;
+	const content = typeof message?.content === "string" ? message.content : "";
+	if (content.length > 0) {
+		const textBlock = {
+			type: "text",
+			text: content
+		};
+		output.content.push(textBlock);
+		const contentIndex = output.content.length - 1;
+		stream.push({
+			type: "text_start",
+			contentIndex,
+			partial: output
+		});
+		stream.push({
+			type: "text_delta",
+			contentIndex,
+			delta: content,
+			partial: output
+		});
+		stream.push({
+			type: "text_end",
+			contentIndex,
+			content,
+			partial: output
+		});
+	}
+	const toolCalls = parseBrokerToolCalls(message?.tool_calls);
+	for (const toolCall of toolCalls) {
+		const block = {
+			type: "toolCall",
+			id: toolCall.id,
+			name: toolCall.function.name,
+			arguments: parseToolCallArguments(toolCall.function.arguments)
+		};
+		output.content.push(block);
+		const contentIndex = output.content.length - 1;
+		stream.push({
+			type: "toolcall_start",
+			contentIndex,
+			partial: output
+		});
+		stream.push({
+			type: "toolcall_delta",
+			contentIndex,
+			delta: toolCall.function.arguments,
+			partial: output
+		});
+		stream.push({
+			type: "toolcall_end",
+			contentIndex,
+			toolCall: block,
+			partial: output
+		});
+	}
+	output.stopReason = mapStopReason(choice?.finish_reason, toolCalls.length > 0);
+	stream.push({
+		type: "done",
+		reason: output.stopReason,
+		message: output
+	});
+	stream.end();
+}
+function createEmptyAssistantMessage(model) {
+	return {
+		role: "assistant",
+		content: [],
+		api: model.api,
+		provider: model.provider,
+		model: model.id,
+		usage: emptyUsage(),
+		stopReason: "stop",
+		timestamp: Date.now()
+	};
+}
+function emptyUsage() {
+	return {
+		input: 0,
+		output: 0,
+		cacheRead: 0,
+		cacheWrite: 0,
+		totalTokens: 0,
+		cost: {
+			input: 0,
+			output: 0,
+			cacheRead: 0,
+			cacheWrite: 0,
+			total: 0
+		}
+	};
+}
+function readUsage(rawUsage, model) {
+	const input = readNumber(rawUsage?.prompt_tokens ?? rawUsage?.promptTokens) ?? 0;
+	const output = readNumber(rawUsage?.completion_tokens ?? rawUsage?.completionTokens) ?? 0;
+	const usage = {
+		input,
+		output,
+		cacheRead: 0,
+		cacheWrite: 0,
+		totalTokens: readNumber(rawUsage?.total_tokens ?? rawUsage?.totalTokens) ?? input + output,
+		cost: {
+			input: 0,
+			output: 0,
+			cacheRead: 0,
+			cacheWrite: 0,
+			total: 0
+		}
+	};
+	calculateCost(model, usage);
+	return usage;
+}
+function mapStopReason(finishReason, hasToolCalls) {
+	if (finishReason === "length") return "length";
+	if (hasToolCalls || finishReason === "tool_calls" || finishReason === "function_call") return "toolUse";
+	return "stop";
+}
+function normalizeRole(value) {
+	if (value === "developer") return "system";
+	if (value === "system" || value === "user" || value === "assistant" || value === "tool") return value;
+	throw new Error(`Unsupported broker message role: ${String(value)}`);
+}
+function normalizeMessageContent(value) {
+	if (typeof value === "string") return value;
+	if (value === null || value === void 0) return "";
+	if (Array.isArray(value)) {
+		const text = value.map((part) => {
+			if (!part || typeof part !== "object" || Array.isArray(part)) return "";
+			const record = part;
+			return record.type === "text" && typeof record.text === "string" ? record.text : "[non-text content omitted]";
+		}).filter((part) => part.length > 0).join("\n");
+		return text.length > 0 ? text : "[non-text content omitted]";
+	}
+	if (typeof value === "number" || typeof value === "boolean" || typeof value === "bigint") return String(value);
+	return "[non-text content omitted]";
+}
+function parseBrokerToolCalls(value) {
+	if (!Array.isArray(value)) return [];
+	return value.flatMap((toolCall, index) => {
+		if (!toolCall || typeof toolCall !== "object" || Array.isArray(toolCall)) return [];
+		const record = toolCall;
+		const fn = record.function;
+		if (!fn || typeof fn !== "object" || Array.isArray(fn)) return [];
+		const functionRecord = fn;
+		const name = typeof functionRecord.name === "string" ? functionRecord.name : "";
+		if (!name) return [];
+		return [{
+			id: typeof record.id === "string" ? record.id : `call_${index}`,
+			type: "function",
+			function: {
+				name,
+				arguments: typeof functionRecord.arguments === "string" ? functionRecord.arguments : "{}"
+			}
+		}];
+	});
+}
+function parseToolCallArguments(value) {
+	try {
+		const parsed = JSON.parse(value);
+		return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : {};
+	} catch {
+		return {};
+	}
+}
+async function readJsonBody(response) {
+	const text = await response.text();
+	if (!text) return null;
+	try {
+		return JSON.parse(text);
+	} catch {
+		return text;
+	}
+}
+function brokerResponseError(response, body) {
+	const code = body?.error?.code ?? `http_${response.status}`;
+	const message = body?.error?.message ?? `Quire model broker request failed with HTTP ${response.status}`;
+	const action = body?.error?.nextAction;
+	const billingDetail = formatBrokerBillingDetail(body);
+	return new Error([
+		`Quire model broker request failed (${code}): ${message}`,
+		billingDetail,
+		action === void 0 ? void 0 : `Next action: ${action}.`
+	].filter((part) => part !== void 0 && part.length > 0).join(" "));
+}
+function normalizeReasoning(reasoning) {
+	return reasoning === "minimal" || reasoning === "low" || reasoning === "medium" || reasoning === "high" || reasoning === "xhigh" ? reasoning : void 0;
+}
+function readNumber(value) {
+	return typeof value === "number" && Number.isFinite(value) ? value : null;
+}
+function formatBrokerBillingDetail(body) {
+	const requiredBalance = readNumber(body?.metadata?.wallet?.requiredBalance) ?? readNumber(body?.metadata?.billing?.wallet?.requiredBalance) ?? readNumber(body?.metadata?.billing?.wallet?.estimatedTotalTokens);
+	const remainingBalance = readNumber(body?.metadata?.wallet?.balance?.remaining);
+	if (requiredBalance === null && remainingBalance === null) return;
+	return `Wallet: ${[requiredBalance === null ? void 0 : `required=${requiredBalance}`, remainingBalance === null ? void 0 : `remaining=${remainingBalance}`].filter((part) => part !== void 0).join(", ")}.`;
+}
+//#endregion
+//#region src/commands/connect.ts
+const connectCommand = defineCommand({
+	meta: {
+		name: "connect",
+		description: "Connect local provider accounts used by Quire investigations."
+	},
+	subCommands: { chatgpt: defineCommand({
+		meta: {
+			name: "chatgpt",
+			description: "Connect ChatGPT/Codex subscription auth for local investigations."
+		},
+		args: {
+			"no-open": {
+				type: "boolean",
+				description: "Print the authorization URL without trying to open a browser."
+			},
+			json: {
+				type: "boolean",
+				description: "Print machine-readable connection state to stdout."
+			}
+		},
+		async run({ args }) {
+			await runConnectChatgpt({
+				noOpen: args["no-open"] === true,
+				json: args.json === true
+			});
+		}
+	}) }
+});
+async function runConnectChatgpt(options = {}) {
+	const stdout = options.io?.stdout ?? process.stdout;
+	const stderr = options.io?.stderr ?? process.stderr;
+	const modelAuthPath = options.modelAuthPath ?? readQuireModelAuthPath();
+	const modelAuthStorage = options.modelAuthStorage ?? AuthStorage.create(modelAuthPath);
+	const loginChatgpt = options.loginChatgpt ?? loginOpenAICodex;
+	if (options.json !== true) {
+		writeLine(stdout, "Connect ChatGPT for local Quire investigations");
+		writeLine(stdout, "Quire will store Pi-compatible OpenAI Codex auth locally and use it before Quire Credits.");
+	}
+	const credentials = await loginChatgpt({
+		originator: "quire",
+		onAuth: (info) => {
+			const authOutput = options.json === true ? stderr : stdout;
+			writeLine(authOutput, `Authorization URL: ${info.url}`);
+			if (info.instructions) writeLine(authOutput, info.instructions);
+			if (options.noOpen === true) return;
+			(async () => {
+				let opened = false;
+				try {
+					opened = await (options.opener ?? openBrowser)(info.url);
+				} catch {
+					opened = false;
+				}
+				writeLine(stderr, opened ? "Opened ChatGPT authorization in your browser." : "Could not open a browser automatically; open the authorization URL manually.");
+			})();
+		},
+		onPrompt: async (prompt) => {
+			const message = prompt.placeholder ? `${prompt.message} (${prompt.placeholder})` : prompt.message;
+			return (options.promptForLine ?? promptForLine)(message);
+		},
+		onProgress: (message) => {
+			writeLine(stderr, message);
+		}
+	});
+	modelAuthStorage.set(PI_CODEX_MODEL_PROVIDER, oauthCredential(credentials));
+	if (options.json === true) {
+		writeJson(stdout, {
+			connected: true,
+			provider: PI_CODEX_MODEL_PROVIDER,
+			authPath: modelAuthPath,
+			source: "quire_model_auth"
+		});
+		return;
+	}
+	writeLine(stdout, "ChatGPT connected for local Quire investigations.");
+	writeLine(stderr, `Credentials saved to ${modelAuthPath}.`);
+}
+function oauthCredential(credentials) {
+	return {
+		type: "oauth",
+		...credentials
+	};
+}
+async function promptForLine(message) {
+	const rl = createInterface({
+		input: process.stdin,
+		output: process.stdout
+	});
+	try {
+		return await rl.question(`${message} `);
+	} catch (error) {
+		throw new CliError$1(`Could not read authorization code: ${error instanceof Error ? error.message : String(error)}`, ExitCode.InvalidInput);
+	} finally {
+		rl.close();
+	}
+}
+//#endregion
 //#region src/doctor/render.ts
 const SECTION_TITLES = {
 	identity: "Identity",
@@ -152,352 +1095,6 @@ function normalizeFieldPath(path) {
 	return path;
 }
 //#endregion
-//#region src/exit-codes.ts
-const ExitCode = {
-	Success: 0,
-	InternalError: 1,
-	InvalidInput: 2,
-	AuthFailure: 10,
-	NetworkFailure: 11
-};
-var CliError$1 = class extends Error {
-	constructor(message, exitCode = ExitCode.InternalError) {
-		super(message);
-		this.exitCode = exitCode;
-		this.name = "CliError";
-	}
-};
-function readExitCode(error) {
-	return error instanceof CliError$1 ? error.exitCode : ExitCode.InternalError;
-}
-function toOneLineError(error) {
-	return (error instanceof Error ? error.message : String(error)).replace(/\s+/g, " ").trim() || "unknown error";
-}
-//#endregion
-//#region src/auth/api.ts
-const CLIENT_ID = "quire-cli";
-const DEVICE_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code";
-var HttpError = class extends CliError$1 {
-	constructor(message, status, body, code) {
-		super(message, status === 401 || status === 403 ? ExitCode.AuthFailure : ExitCode.NetworkFailure);
-		this.status = status;
-		this.body = body;
-		this.code = code;
-		this.name = "HttpError";
-	}
-};
-function readApiBaseUrl(value = process.env.QUIRE_API_URL ?? "https://quire.sh") {
-	return normalizeApiBaseUrl(value);
-}
-function normalizeApiBaseUrl(value) {
-	try {
-		const url = new URL(value);
-		url.pathname = url.pathname.replace(/\/+$/, "");
-		url.search = "";
-		url.hash = "";
-		return url.toString().replace(/\/$/, "");
-	} catch {
-		throw new CliError$1(`Invalid Quire API URL: ${value}`, ExitCode.InvalidInput);
-	}
-}
-async function requestDeviceCode(options) {
-	return parseDeviceCodeResponse((await requestJson$1({
-		url: authUrl(options.apiBaseUrl, "/device/code"),
-		fetchFn: options.fetchFn,
-		init: {
-			method: "POST",
-			headers: jsonHeaders(),
-			body: JSON.stringify({
-				client_id: CLIENT_ID,
-				...options.scope === void 0 ? {} : { scope: options.scope }
-			})
-		}
-	})).body);
-}
-async function requestDeviceToken(options) {
-	return parseDeviceTokenResponse((await requestJson$1({
-		url: authUrl(options.apiBaseUrl, "/device/token"),
-		fetchFn: options.fetchFn,
-		init: {
-			method: "POST",
-			headers: jsonHeaders(),
-			body: JSON.stringify({
-				grant_type: DEVICE_GRANT_TYPE,
-				device_code: options.deviceCode,
-				client_id: CLIENT_ID
-			})
-		}
-	})).body);
-}
-async function fetchCurrentSession(options) {
-	const response = await requestJson$1({
-		url: authUrl(options.apiBaseUrl, "/get-session"),
-		fetchFn: options.fetchFn,
-		init: {
-			method: "GET",
-			headers: {
-				Accept: "application/json",
-				Authorization: `Bearer ${options.accessToken}`
-			}
-		}
-	});
-	const refreshedAccessToken = response.response.headers.get("set-auth-token") ?? void 0;
-	return {
-		data: parseCurrentSession(response.body),
-		...refreshedAccessToken === void 0 ? {} : { refreshedAccessToken }
-	};
-}
-async function fetchModelSourceBrokerStatus(options) {
-	return parseModelSourceBrokerStatus((await requestJson$1({
-		url: apiUrl(options.apiBaseUrl, "/api/model-sources"),
-		fetchFn: options.fetchFn,
-		init: {
-			method: "GET",
-			headers: {
-				Accept: "application/json",
-				Authorization: `Bearer ${options.accessToken}`,
-				"User-Agent": "quire-cli"
-			}
-		}
-	})).body);
-}
-function authUrl(apiBaseUrl, path) {
-	return apiUrl(apiBaseUrl, `/api/auth${path}`);
-}
-function apiUrl(apiBaseUrl, path) {
-	return new URL(path, apiBaseUrl).toString();
-}
-function jsonHeaders() {
-	return {
-		Accept: "application/json",
-		"Content-Type": "application/json",
-		"User-Agent": "quire-cli"
-	};
-}
-async function requestJson$1(options) {
-	let response;
-	try {
-		response = await (options.fetchFn ?? fetch)(options.url, options.init);
-	} catch (error) {
-		throw new CliError$1(`Could not reach Quire API: ${error instanceof Error ? error.message : String(error)}`, ExitCode.NetworkFailure);
-	}
-	const body = await readResponseBody(response);
-	if (!response.ok) {
-		const { code, description } = readErrorBody(body);
-		throw new HttpError(description ?? `Quire API request failed with HTTP ${response.status}`, response.status, body, code);
-	}
-	return {
-		body,
-		response
-	};
-}
-async function readResponseBody(response) {
-	const text = await response.text();
-	if (!text) return null;
-	try {
-		return JSON.parse(text);
-	} catch {
-		return text;
-	}
-}
-function readErrorBody(body) {
-	if (!isRecord$21(body)) return {};
-	return {
-		code: typeof body.error === "string" ? body.error : void 0,
-		description: typeof body.error_description === "string" ? body.error_description : typeof body.message === "string" ? body.message : void 0
-	};
-}
-function parseDeviceCodeResponse(value) {
-	if (!isRecord$21(value)) throw new CliError$1("Quire API returned an invalid device code response", ExitCode.NetworkFailure);
-	const response = {
-		device_code: value.device_code,
-		user_code: value.user_code,
-		verification_uri: value.verification_uri,
-		verification_uri_complete: value.verification_uri_complete,
-		expires_in: value.expires_in,
-		interval: value.interval
-	};
-	if (typeof response.device_code !== "string" || typeof response.user_code !== "string" || typeof response.verification_uri !== "string" || typeof response.verification_uri_complete !== "string" || typeof response.expires_in !== "number" || typeof response.interval !== "number") throw new CliError$1("Quire API returned an invalid device code response", ExitCode.NetworkFailure);
-	return response;
-}
-function parseDeviceTokenResponse(value) {
-	if (!isRecord$21(value) || typeof value.access_token !== "string") throw new CliError$1("Quire API returned an invalid device token response", ExitCode.NetworkFailure);
-	if (value.expires_in !== void 0 && typeof value.expires_in !== "number") throw new CliError$1("Quire API returned an invalid device token response", ExitCode.NetworkFailure);
-	if (value.scope !== void 0 && typeof value.scope !== "string") throw new CliError$1("Quire API returned an invalid device token response", ExitCode.NetworkFailure);
-	return {
-		access_token: value.access_token,
-		token_type: typeof value.token_type === "string" ? value.token_type : "Bearer",
-		...value.expires_in === void 0 ? {} : { expires_in: value.expires_in },
-		...value.scope === void 0 ? {} : { scope: value.scope }
-	};
-}
-function parseCurrentSession(value) {
-	if (value === null) return null;
-	if (!isRecord$21(value) || !isRecord$21(value.session) || !isRecord$21(value.user)) throw new CliError$1("Quire API returned an invalid session response", ExitCode.NetworkFailure);
-	if (typeof value.session.id !== "string" || typeof value.user.id !== "string") throw new CliError$1("Quire API returned an invalid session response", ExitCode.NetworkFailure);
-	if (value.user.email !== void 0 && value.user.email !== null && typeof value.user.email !== "string") throw new CliError$1("Quire API returned an invalid session response", ExitCode.NetworkFailure);
-	if (value.user.name !== void 0 && value.user.name !== null && typeof value.user.name !== "string") throw new CliError$1("Quire API returned an invalid session response", ExitCode.NetworkFailure);
-	return {
-		session: {
-			id: value.session.id,
-			...typeof value.session.expiresAt === "string" ? { expiresAt: value.session.expiresAt } : {}
-		},
-		user: {
-			id: value.user.id,
-			...value.user.email === void 0 ? {} : { email: value.user.email },
-			...value.user.name === void 0 ? {} : { name: value.user.name }
-		}
-	};
-}
-function parseModelSourceBrokerStatus(value) {
-	if (!isRecord$21(value) || !Array.isArray(value.selectedOrder)) throw new CliError$1("Quire API returned an invalid model-source status response", ExitCode.NetworkFailure);
-	const resolvedAvailability = value.resolvedAvailability;
-	if (!isRecord$21(resolvedAvailability)) throw new CliError$1("Quire API returned an invalid model-source status response", ExitCode.NetworkFailure);
-	const status = resolvedAvailability.status;
-	const reason = resolvedAvailability.reason;
-	const selectedProviderMode = resolvedAvailability.mode;
-	const requiredNextAction = resolvedAvailability.nextAction;
-	if (status !== "available" && status !== "unavailable" || typeof reason !== "string" || selectedProviderMode !== null && typeof selectedProviderMode !== "string" || requiredNextAction !== null && typeof requiredNextAction !== "string" || !value.selectedOrder.every((mode) => typeof mode === "string")) throw new CliError$1("Quire API returned an invalid model-source status response", ExitCode.NetworkFailure);
-	return {
-		available: status === "available",
-		status,
-		selectedProviderMode,
-		selectedOrder: value.selectedOrder,
-		reason,
-		requiredNextAction,
-		requiredBalance: readWalletRequiredBalance(value),
-		remainingBalance: readWalletRemainingBalance(value),
-		recentUsage: readRecentUsage(value)
-	};
-}
-function isRecord$21(value) {
-	return typeof value === "object" && value !== null && !Array.isArray(value);
-}
-function readWalletRequiredBalance(value) {
-	const source = readFirstSource(value);
-	const requiredBalance = (isRecord$21(source?.wallet) ? source.wallet : null)?.requiredBalance;
-	return typeof requiredBalance === "number" && Number.isFinite(requiredBalance) ? requiredBalance : null;
-}
-function readWalletRemainingBalance(value) {
-	const source = readFirstSource(value);
-	const wallet = isRecord$21(source?.wallet) ? source.wallet : null;
-	const remaining = (isRecord$21(wallet?.balance) ? wallet.balance : null)?.remaining;
-	return typeof remaining === "number" && Number.isFinite(remaining) ? remaining : null;
-}
-function readFirstSource(value) {
-	if (!Array.isArray(value.sources)) return null;
-	const [source] = value.sources;
-	return isRecord$21(source) ? source : null;
-}
-function readRecentUsage(value) {
-	if (!Array.isArray(value.recentUsage)) return [];
-	return value.recentUsage.flatMap((event) => {
-		if (!isRecord$21(event)) return [];
-		if (typeof event.modelId !== "string" || typeof event.status !== "string" || typeof event.totalTokens !== "number" || typeof event.createdAt !== "string") return [];
-		return [{
-			modelId: event.modelId,
-			status: event.status,
-			totalTokens: event.totalTokens,
-			runId: typeof event.runId === "string" ? event.runId : null,
-			createdAt: event.createdAt
-		}];
-	});
-}
-//#endregion
-//#region src/auth/store.ts
-function defaultAuthPath(env = process.env) {
-	if (env.QUIRE_AUTH_FILE) return resolve(env.QUIRE_AUTH_FILE);
-	return join(resolve(env.QUIRE_HOME ?? join(homedir(), ".quire")), "auth.json");
-}
-function createAuthStore(path = defaultAuthPath()) {
-	async function get() {
-		try {
-			const contents = await readFile(path, "utf8");
-			return parseStoredCredentials(JSON.parse(contents));
-		} catch {
-			return null;
-		}
-	}
-	async function set(credentials) {
-		await mkdir(dirname(path), {
-			recursive: true,
-			mode: 448
-		});
-		await writeFile(path, `${JSON.stringify(credentials, null, 2)}\n`, { mode: 384 });
-	}
-	async function clear() {
-		try {
-			await unlink(path);
-		} catch {}
-	}
-	return {
-		path,
-		get,
-		set,
-		clear
-	};
-}
-const authStore = createAuthStore();
-function createStoredCredentials(input) {
-	const now = input.now ?? /* @__PURE__ */ new Date();
-	const timestamp = now.toISOString();
-	const expiresAt = input.expiresAt ?? expiresAtFromSeconds(input.expiresIn, now);
-	return {
-		version: 1,
-		apiBaseUrl: input.apiBaseUrl,
-		accessToken: input.accessToken,
-		tokenType: input.tokenType ?? "Bearer",
-		...expiresAt === void 0 ? {} : { expiresAt },
-		...input.user === void 0 ? {} : { user: input.user },
-		createdAt: timestamp,
-		updatedAt: timestamp
-	};
-}
-function updateStoredCredentials(credentials, input) {
-	return {
-		...credentials,
-		accessToken: input.accessToken ?? credentials.accessToken,
-		tokenType: input.tokenType ?? credentials.tokenType,
-		...input.expiresAt === void 0 ? {} : { expiresAt: input.expiresAt },
-		...input.user === void 0 ? {} : { user: input.user },
-		updatedAt: (input.now ?? /* @__PURE__ */ new Date()).toISOString()
-	};
-}
-function expiresAtFromSeconds(expiresIn, now) {
-	return typeof expiresIn === "number" ? new Date(now.getTime() + expiresIn * 1e3).toISOString() : void 0;
-}
-function parseStoredCredentials(value) {
-	if (!isRecord$20(value)) return null;
-	if (value.version !== 1 || typeof value.apiBaseUrl !== "string" || typeof value.accessToken !== "string" || typeof value.tokenType !== "string" || typeof value.createdAt !== "string" || typeof value.updatedAt !== "string") return null;
-	if (value.expiresAt !== void 0 && typeof value.expiresAt !== "string") return null;
-	const user = parseStoredUser(value.user);
-	if (value.user !== void 0 && user === null) return null;
-	return {
-		version: 1,
-		apiBaseUrl: value.apiBaseUrl,
-		accessToken: value.accessToken,
-		tokenType: value.tokenType,
-		...value.expiresAt === void 0 ? {} : { expiresAt: value.expiresAt },
-		...user === void 0 || user === null ? {} : { user },
-		createdAt: value.createdAt,
-		updatedAt: value.updatedAt
-	};
-}
-function parseStoredUser(value) {
-	if (value === void 0) return;
-	if (!isRecord$20(value) || typeof value.id !== "string") return null;
-	if (value.email !== void 0 && value.email !== null && typeof value.email !== "string") return null;
-	if (value.name !== void 0 && value.name !== null && typeof value.name !== "string") return null;
-	return {
-		id: value.id,
-		...value.email === void 0 ? {} : { email: value.email },
-		...value.name === void 0 ? {} : { name: value.name }
-	};
-}
-function isRecord$20(value) {
-	return typeof value === "object" && value !== null && !Array.isArray(value);
-}
-//#endregion
 //#region src/run-dir.ts
 function createRunDir(repoPath, options = {}) {
 	const workspaceKey = workspaceKeyForRepoPath(resolve(repoPath));
@@ -628,7 +1225,7 @@ function sanitizeWorkspaceName(value) {
 }
 function appendLineAtomically(filePath, line) {
 	mkdirSync(dirname(filePath), { recursive: true });
-	const file = openSync(filePath, constants.O_APPEND | constants.O_CREAT | constants.O_WRONLY, 384);
+	const file = openSync(filePath, constants$1.O_APPEND | constants$1.O_CREAT | constants$1.O_WRONLY, 384);
 	try {
 		writeFileSync(file, line, "utf8");
 		fsyncSync(file);
@@ -858,7 +1455,7 @@ async function defaultExecFn(file, args, options) {
 	};
 }
 async function checkAuthPresent(context) {
-	const credentials = await context.authStore.get();
+	const credentials = await resolveAuthCredentials({ store: context.authStore });
 	if (credentials === null) return { result: {
 		id: "auth.present",
 		section: "identity",
@@ -876,15 +1473,38 @@ async function checkAuthPresent(context) {
 		auth: {
 			apiBaseUrl: credentials.apiBaseUrl,
 			accessToken: credentials.accessToken,
+			tokenType: credentials.tokenType,
 			...credentials.user === void 0 ? {} : { user: credentials.user }
 		}
 	};
 }
 async function checkAuthValid(context, auth) {
+	if (auth.tokenType === "QuireApiKey") try {
+		return { result: {
+			id: "auth.valid",
+			section: "identity",
+			severity: "pass",
+			message: `API token valid for ${(await fetchModelSourceBrokerStatus({
+				apiBaseUrl: auth.apiBaseUrl,
+				accessToken: auth.accessToken,
+				tokenType: auth.tokenType,
+				fetchFn: context.fetchFn
+			})).actor?.environmentName ?? "remote agent environment"}.`
+		} };
+	} catch (error) {
+		return { result: {
+			id: "auth.valid",
+			section: "identity",
+			severity: "fail",
+			message: `Could not validate Quire API token: ${toMessage(error)}`,
+			fix: { command: "Set QUIRE_API_TOKEN to an active token from Quire settings" }
+		} };
+	}
 	try {
 		const lookup = await fetchCurrentSession({
 			apiBaseUrl: auth.apiBaseUrl,
 			accessToken: auth.accessToken,
+			tokenType: auth.tokenType,
 			fetchFn: context.fetchFn
 		});
 		if (lookup.data === null) return { result: {
@@ -919,6 +1539,7 @@ async function checkAuthBroker(context, auth) {
 		return brokerToCheckResult(await fetchModelSourceBrokerStatus({
 			apiBaseUrl: auth.apiBaseUrl,
 			accessToken: auth.accessToken,
+			tokenType: auth.tokenType,
 			fetchFn: context.fetchFn
 		}));
 	} catch (error) {
@@ -1174,7 +1795,7 @@ async function checkRunsRoot(context) {
 			recursive: true,
 			mode: 448
 		});
-		await access(context.runsRoot, constants$1.W_OK);
+		await access(context.runsRoot, constants.W_OK);
 		return {
 			id: "runs.rootWritable",
 			section: "runs",
@@ -7690,81 +8311,104 @@ var require_browser = /* @__PURE__ */ __commonJSMin(((exports, module) => {
 	};
 }));
 //#endregion
-//#region ../../node_modules/.pnpm/has-flag@4.0.0/node_modules/has-flag/index.js
-var require_has_flag = /* @__PURE__ */ __commonJSMin(((exports, module) => {
-	module.exports = (flag, argv = process.argv) => {
-		const prefix = flag.startsWith("-") ? "" : flag.length === 1 ? "-" : "--";
-		const position = argv.indexOf(prefix + flag);
-		const terminatorPosition = argv.indexOf("--");
-		return position !== -1 && (terminatorPosition === -1 || position < terminatorPosition);
-	};
-}));
-//#endregion
-//#region ../../node_modules/.pnpm/supports-color@7.2.0/node_modules/supports-color/index.js
-var require_supports_color = /* @__PURE__ */ __commonJSMin(((exports, module) => {
-	const os$1 = __require("os");
-	const tty$1 = __require("tty");
-	const hasFlag = require_has_flag();
-	const { env } = process;
-	let forceColor;
-	if (hasFlag("no-color") || hasFlag("no-colors") || hasFlag("color=false") || hasFlag("color=never")) forceColor = 0;
-	else if (hasFlag("color") || hasFlag("colors") || hasFlag("color=true") || hasFlag("color=always")) forceColor = 1;
-	if ("FORCE_COLOR" in env) if (env.FORCE_COLOR === "true") forceColor = 1;
-	else if (env.FORCE_COLOR === "false") forceColor = 0;
-	else forceColor = env.FORCE_COLOR.length === 0 ? 1 : Math.min(parseInt(env.FORCE_COLOR, 10), 3);
-	function translateLevel(level) {
-		if (level === 0) return false;
-		return {
-			level,
-			hasBasic: true,
-			has256: level >= 2,
-			has16m: level >= 3
-		};
-	}
-	function supportsColor(haveStream, streamIsTTY) {
-		if (forceColor === 0) return 0;
+//#region ../../node_modules/.pnpm/supports-color@10.2.2/node_modules/supports-color/index.js
+var supports_color_exports = /* @__PURE__ */ __exportAll({
+	createSupportsColor: () => createSupportsColor,
+	default: () => supportsColor
+});
+function hasFlag(flag, argv = globalThis.Deno ? globalThis.Deno.args : process$1.argv) {
+	const prefix = flag.startsWith("-") ? "" : flag.length === 1 ? "-" : "--";
+	const position = argv.indexOf(prefix + flag);
+	const terminatorPosition = argv.indexOf("--");
+	return position !== -1 && (terminatorPosition === -1 || position < terminatorPosition);
+}
+function envForceColor() {
+	if (!("FORCE_COLOR" in env)) return;
+	if (env.FORCE_COLOR === "true") return 1;
+	if (env.FORCE_COLOR === "false") return 0;
+	if (env.FORCE_COLOR.length === 0) return 1;
+	const level = Math.min(Number.parseInt(env.FORCE_COLOR, 10), 3);
+	if (![
+		0,
+		1,
+		2,
+		3
+	].includes(level)) return;
+	return level;
+}
+function translateLevel(level) {
+	if (level === 0) return false;
+	return {
+		level,
+		hasBasic: true,
+		has256: level >= 2,
+		has16m: level >= 3
+	};
+}
+function _supportsColor(haveStream, { streamIsTTY, sniffFlags = true } = {}) {
+	const noFlagForceColor = envForceColor();
+	if (noFlagForceColor !== void 0) flagForceColor = noFlagForceColor;
+	const forceColor = sniffFlags ? flagForceColor : noFlagForceColor;
+	if (forceColor === 0) return 0;
+	if (sniffFlags) {
 		if (hasFlag("color=16m") || hasFlag("color=full") || hasFlag("color=truecolor")) return 3;
 		if (hasFlag("color=256")) return 2;
-		if (haveStream && !streamIsTTY && forceColor === void 0) return 0;
-		const min = forceColor || 0;
-		if (env.TERM === "dumb") return min;
-		if (process.platform === "win32") {
-			const osRelease = os$1.release().split(".");
-			if (Number(osRelease[0]) >= 10 && Number(osRelease[2]) >= 10586) return Number(osRelease[2]) >= 14931 ? 3 : 2;
-			return 1;
-		}
-		if ("CI" in env) {
-			if ([
-				"TRAVIS",
-				"CIRCLECI",
-				"APPVEYOR",
-				"GITLAB_CI",
-				"GITHUB_ACTIONS",
-				"BUILDKITE"
-			].some((sign) => sign in env) || env.CI_NAME === "codeship") return 1;
-			return min;
-		}
-		if ("TEAMCITY_VERSION" in env) return /^(9\.(0*[1-9]\d*)\.|\d{2,}\.)/.test(env.TEAMCITY_VERSION) ? 1 : 0;
-		if (env.COLORTERM === "truecolor") return 3;
-		if ("TERM_PROGRAM" in env) {
-			const version = parseInt((env.TERM_PROGRAM_VERSION || "").split(".")[0], 10);
-			switch (env.TERM_PROGRAM) {
-				case "iTerm.app": return version >= 3 ? 3 : 2;
-				case "Apple_Terminal": return 2;
-			}
-		}
-		if (/-256(color)?$/i.test(env.TERM)) return 2;
-		if (/^screen|^xterm|^vt100|^vt220|^rxvt|color|ansi|cygwin|linux/i.test(env.TERM)) return 1;
-		if ("COLORTERM" in env) return 1;
-		return min;
 	}
-	function getSupportLevel(stream) {
-		return translateLevel(supportsColor(stream, stream && stream.isTTY));
+	if ("TF_BUILD" in env && "AGENT_NAME" in env) return 1;
+	if (haveStream && !streamIsTTY && forceColor === void 0) return 0;
+	const min = forceColor || 0;
+	if (env.TERM === "dumb") return min;
+	if (process$1.platform === "win32") {
+		const osRelease = os.release().split(".");
+		if (Number(osRelease[0]) >= 10 && Number(osRelease[2]) >= 10586) return Number(osRelease[2]) >= 14931 ? 3 : 2;
+		return 1;
+	}
+	if ("CI" in env) {
+		if ([
+			"GITHUB_ACTIONS",
+			"GITEA_ACTIONS",
+			"CIRCLECI"
+		].some((key) => key in env)) return 3;
+		if ([
+			"TRAVIS",
+			"APPVEYOR",
+			"GITLAB_CI",
+			"BUILDKITE",
+			"DRONE"
+		].some((sign) => sign in env) || env.CI_NAME === "codeship") return 1;
+		return min;
 	}
-	module.exports = {
-		supportsColor: getSupportLevel,
-		stdout: translateLevel(supportsColor(true, tty$1.isatty(1))),
-		stderr: translateLevel(supportsColor(true, tty$1.isatty(2)))
+	if ("TEAMCITY_VERSION" in env) return /^(9\.(0*[1-9]\d*)\.|\d{2,}\.)/.test(env.TEAMCITY_VERSION) ? 1 : 0;
+	if (env.COLORTERM === "truecolor") return 3;
+	if (env.TERM === "xterm-kitty") return 3;
+	if (env.TERM === "xterm-ghostty") return 3;
+	if (env.TERM === "wezterm") return 3;
+	if ("TERM_PROGRAM" in env) {
+		const version = Number.parseInt((env.TERM_PROGRAM_VERSION || "").split(".")[0], 10);
+		switch (env.TERM_PROGRAM) {
+			case "iTerm.app": return version >= 3 ? 3 : 2;
+			case "Apple_Terminal": return 2;
+		}
+	}
+	if (/-256(color)?$/i.test(env.TERM)) return 2;
+	if (/^screen|^xterm|^vt100|^vt220|^rxvt|color|ansi|cygwin|linux/i.test(env.TERM)) return 1;
+	if ("COLORTERM" in env) return 1;
+	return min;
+}
+function createSupportsColor(stream, options = {}) {
+	return translateLevel(_supportsColor(stream, {
+		streamIsTTY: stream && stream.isTTY,
+		...options
+	}));
+}
+var env, flagForceColor, supportsColor;
+var init_supports_color = __esmMin((() => {
+	({env} = process$1);
+	if (hasFlag("no-color") || hasFlag("no-colors") || hasFlag("color=false") || hasFlag("color=never")) flagForceColor = 0;
+	else if (hasFlag("color") || hasFlag("colors") || hasFlag("color=true") || hasFlag("color=always")) flagForceColor = 1;
+	supportsColor = {
+		stdout: createSupportsColor({ isTTY: tty.isatty(1) }),
+		stderr: createSupportsColor({ isTTY: tty.isatty(2) })
 	};
 }));
 //#endregion
@@ -7773,7 +8417,7 @@ var require_node$1 = /* @__PURE__ */ __commonJSMin(((exports, module) => {
 	/**
 	* Module dependencies.
 	*/
-	const tty = __require("tty");
+	const tty$1 = __require("tty");
 	const util$2 = __require("util");
 	/**
 	* This is the Node.js implementation of `debug()`.
@@ -7797,7 +8441,7 @@ var require_node$1 = /* @__PURE__ */ __commonJSMin(((exports, module) => {
 		1
 	];
 	try {
-		const supportsColor = require_supports_color();
+		const supportsColor = (init_supports_color(), __toCommonJS(supports_color_exports));
 		if (supportsColor && (supportsColor.stderr || supportsColor).level >= 2) exports.colors = [
 			20,
 			21,
@@ -7900,7 +8544,7 @@ var require_node$1 = /* @__PURE__ */ __commonJSMin(((exports, module) => {
 	* Is stdout a TTY? Colored output is enabled when `true`.
 	*/
 	function useColors() {
-		return "colors" in exports.inspectOpts ? Boolean(exports.inspectOpts.colors) : tty.isatty(process.stderr.fd);
+		return "colors" in exports.inspectOpts ? Boolean(exports.inspectOpts.colors) : tty$1.isatty(process.stderr.fd);
 	}
 	/**
 	* Adds ANSI color escape codes if enabled.
@@ -31411,7 +32055,7 @@ function isENOENT(err) {
 	return e?.code === "ENOENT" || e?.cause?.code === "ENOENT";
 }
 function concurrencyLimit() {
-	const cpu = os.cpus()?.length ?? 1;
+	const cpu = os$1.cpus()?.length ?? 1;
 	return Math.min(4, Math.max(1, cpu - 1));
 }
 async function mapLimit(items, limit, fn) {
@@ -31563,7 +32207,7 @@ async function collectAdditionalFiles(additionalFiles) {
 let xdelta3WasmReady = null;
 async function loadXdelta3Wasm() {
 	if (!xdelta3WasmReady) xdelta3WasmReady = (async () => {
-		const mod = await import("./dist-CW-Om7Oq.mjs").then((m) => /* @__PURE__ */ __toESM(m.default, 1));
+		const mod = await import("./dist-CF5hqugO.mjs").then((m) => /* @__PURE__ */ __toESM(m.default, 1));
 		await mod.init();
 		return mod;
 	})().catch((err) => {
@@ -31670,7 +32314,7 @@ async function syncFolderOnce(localFolderPath, opts, reason, attempt = 0) {
 		const basisPath = cacheGet(opts.basisCacheDir, f.path);
 		if (fs.existsSync(basisPath)) {
 			const basisSha = await sha256FileHex(basisPath);
-			const tmpDir = await fs.promises.mkdtemp(path.join(os.tmpdir(), "limulator-xdelta3-"));
+			const tmpDir = await fs.promises.mkdtemp(path.join(os$1.tmpdir(), "limulator-xdelta3-"));
 			const patchPath = path.join(tmpDir, "patch.xdelta3");
 			const encodeStart = nowMs();
 			const patchSize = await encodeXdelta3Patch(basisPath, f.absPath, patchPath, maxPatchBytes);
@@ -32144,7 +32788,7 @@ var XcodeInstances = class extends XcodeInstances$1 {
 			async sync(localCodePath, opts) {
 				const resolvedPath = path.resolve(localCodePath);
 				const cacheKey = `limsync-cache-${path.basename(resolvedPath)}-${crypto.createHash("sha1").update(resolvedPath).digest("hex").slice(0, 8)}`;
-				const basisCacheDir = opts?.basisCacheDir ?? path.join(os.tmpdir(), cacheKey);
+				const basisCacheDir = opts?.basisCacheDir ?? path.join(os$1.tmpdir(), cacheKey);
 				const additionalFiles = opts?.additionalFiles?.map((file) => ({
 					localPath: file.localPath,
 					remotePath: file.remotePath.startsWith("~/") ? `${sandboxInfo.homeDir}/${file.remotePath.slice(2)}` : file.remotePath
@@ -38275,7 +38919,7 @@ async function createInstanceClient(options) {
 			if (!cachedDeviceInfo) throw new Error("Device info not available yet; wait for client connection to be established.");
 			const resolvedPath = path.resolve(localAppBundlePath);
 			const cacheKey = `limsync-cache-${path.basename(resolvedPath)}-${crypto.createHash("sha1").update(resolvedPath).digest("hex").slice(0, 8)}`;
-			const basisCacheDir = opts?.basisCacheDir ?? path.join(os.tmpdir(), cacheKey);
+			const basisCacheDir = opts?.basisCacheDir ?? path.join(os$1.tmpdir(), cacheKey);
 			const syncLog = (level, msg) => {
 				switch (level) {
 					case "debug":
@@ -39603,7 +40247,7 @@ async function findExecutable$1(name) {
 	for (const pathEntry of paths) {
 		const candidate = join(pathEntry, name);
 		try {
-			await access(candidate, constants.X_OK);
+			await access(candidate, constants$1.X_OK);
 			return candidate;
 		} catch {
 			continue;
@@ -40386,7 +41030,7 @@ async function findExecutable(name) {
 	for (const pathEntry of paths) {
 		const candidate = join(pathEntry, name);
 		try {
-			await access(candidate, constants.X_OK);
+			await access(candidate, constants$1.X_OK);
 			return candidate;
 		} catch {
 			continue;
@@ -42775,11 +43419,12 @@ function quoteBatchArg(value) {
 }
 //#endregion
 //#region src/tools/browser.ts
+const requireFromHere = createRequire(import.meta.url);
 const BrowserToolInputSchema = Type.Object({
 	argv: Type.Array(Type.String(), { minItems: 1 }),
 	cwd: Type.Optional(Type.String({ minLength: 1 }))
 }, { additionalProperties: false });
-function makeBrowserTool({ runDir, sessionId, cwd: defaultCwd, headed = false }) {
+function makeBrowserTool({ runDir, sessionId, cwd: defaultCwd, headed = false, agentBrowserExecutableResolver = resolveAgentBrowserExecutable }) {
 	return {
 		name: "agent-browser",
 		label: "agent-browser",
@@ -42791,6 +43436,7 @@ function makeBrowserTool({ runDir, sessionId, cwd: defaultCwd, headed = false })
 				sessionId,
 				defaultCwd,
 				headed,
+				agentBrowserExecutableResolver,
 				input,
 				signal
 			});
@@ -42801,6 +43447,7 @@ function makeBrowserTool({ runDir, sessionId, cwd: defaultCwd, headed = false })
 				sessionId,
 				defaultCwd,
 				headed,
+				agentBrowserExecutableResolver,
 				input: parseBrowserToolInput(params),
 				signal
 			});
@@ -42814,11 +43461,18 @@ function makeBrowserTool({ runDir, sessionId, cwd: defaultCwd, headed = false })
 		}
 	};
 }
+function resolveAgentBrowserExecutable() {
+	const packageJsonPath = requireFromHere.resolve("agent-browser/package.json");
+	return {
+		command: process.execPath,
+		argsPrefix: [join(dirname(packageJsonPath), "bin", "agent-browser.js")]
+	};
+}
 function parseBrowserToolInput(input) {
 	if (!Value.Check(BrowserToolInputSchema, input)) throw new Error("Invalid agent-browser tool input");
 	return input;
 }
-async function runBrowserCommand({ runDir, sessionId, defaultCwd, headed, input, signal }) {
+async function runBrowserCommand({ runDir, sessionId, defaultCwd, headed, agentBrowserExecutableResolver, input, signal }) {
 	const [executable, ...args] = input.argv;
 	if (executable !== "agent-browser") throw new Error(`Refusing to spawn non-agent-browser executable: ${executable}`);
 	const cwd = input.cwd ?? defaultCwd ?? process.cwd();
@@ -42844,12 +43498,26 @@ async function runBrowserCommand({ runDir, sessionId, defaultCwd, headed, input,
 		sessionId,
 		cwd,
 		headed,
+		agentBrowserExecutableResolver,
 		signal
 	});
 }
-function spawnAgentBrowser({ args, sessionId, cwd, signal }) {
+function spawnAgentBrowser({ args, sessionId, cwd, agentBrowserExecutableResolver, signal }) {
 	return new Promise((resolve) => {
-		const child = spawn("agent-browser", [
+		let executable;
+		try {
+			executable = agentBrowserExecutableResolver();
+		} catch (error) {
+			resolve({
+				ok: false,
+				exitCode: null,
+				stdout: "",
+				stderr: `Unable to resolve bundled agent-browser: ${formatErrorMessage(error)}`
+			});
+			return;
+		}
+		const child = spawn(executable.command, [
+			...executable.argsPrefix,
 			...args,
 			"--session",
 			sessionId
@@ -42900,7 +43568,10 @@ function spawnAgentBrowser({ args, sessionId, cwd, signal }) {
 		});
 	});
 }
-async function runPlannedBrowserCommands({ commands, runDir, sessionId, cwd, headed, signal }) {
+function formatErrorMessage(error) {
+	return error instanceof Error ? error.message : String(error);
+}
+async function runPlannedBrowserCommands({ commands, runDir, sessionId, cwd, headed, agentBrowserExecutableResolver, signal }) {
 	const stdout = [];
 	const stderr = [];
 	for (const command of commands) {
@@ -42916,6 +43587,7 @@ async function runPlannedBrowserCommands({ commands, runDir, sessionId, cwd, hea
 			args,
 			sessionId,
 			cwd,
+			agentBrowserExecutableResolver,
 			signal
 		});
 		stdout.push(result.stdout);
@@ -44378,423 +45050,6 @@ function truncateForLine(text) {
 function truncateForFile(text) {
 	return text.length <= 4e3 ? text : `${text.slice(0, 3997)}...`;
 }
-//#endregion
-//#region src/pipeline/quire-model-provider.ts
-const QUIRE_MODEL_PROVIDER = "quire";
-const QUIRE_MODEL_ID = "gpt-5.1";
-const PI_CODEX_MODEL_PROVIDER = "openai-codex";
-const PI_CODEX_MODEL_ID = "gpt-5.5";
-const QUIRE_MODEL_API = "quire-chat-completions";
-const QUIRE_RUNTIME_AUTH_ENV = "QUIRE_RUNTIME_AUTH_TOKEN";
-const QUIRE_MODEL_AUTH_PATH_ENV = "QUIRE_MODEL_AUTH_PATH";
-const openAiCompletionCompat = {
-	supportsStore: false,
-	supportsDeveloperRole: false,
-	supportsReasoningEffort: true,
-	supportsUsageInStreaming: false,
-	maxTokensField: "max_completion_tokens",
-	requiresToolResultName: false,
-	requiresAssistantAfterToolResult: false,
-	requiresThinkingAsText: false,
-	requiresReasoningContentOnAssistantMessages: false,
-	thinkingFormat: "openai",
-	zaiToolStream: false,
-	supportsStrictMode: true,
-	sendSessionAffinityHeaders: false,
-	supportsLongCacheRetention: true
-};
-async function createQuireModelSessionDependencies({ runId, store = authStore, fetchFn }) {
-	const credentials = await readValidatedQuireCredentials({
-		store,
-		fetchFn
-	});
-	const authStorage = AuthStorage.inMemory();
-	authStorage.setRuntimeApiKey(QUIRE_MODEL_PROVIDER, credentials.accessToken);
-	const modelRegistry = ModelRegistry.inMemory(authStorage);
-	modelRegistry.registerProvider(QUIRE_MODEL_PROVIDER, {
-		name: "Quire Credits",
-		baseUrl: credentials.apiBaseUrl,
-		apiKey: QUIRE_RUNTIME_AUTH_ENV,
-		api: QUIRE_MODEL_API,
-		models: [quireModelDefinition()],
-		streamSimple: createQuireCreditsStream({
-			apiBaseUrl: credentials.apiBaseUrl,
-			runId,
-			fetchFn
-		})
-	});
-	const model = modelRegistry.find(QUIRE_MODEL_PROVIDER, QUIRE_MODEL_ID);
-	if (!model) throw new Error(`Quire model not found: ${QUIRE_MODEL_PROVIDER}/${QUIRE_MODEL_ID}`);
-	return {
-		authStorage,
-		modelRegistry,
-		model,
-		source: "quire_credits"
-	};
-}
-async function createInvestigationModelSessionDependencies({ runId, store = authStore, fetchFn, localAuthStorage }) {
-	const localCodex = await createLocalCodexSessionDependencies(localAuthStorage);
-	if (localCodex) return localCodex;
-	return createQuireModelSessionDependencies({
-		runId,
-		store,
-		fetchFn
-	});
-}
-async function createLocalCodexSessionDependencies(localAuthStorage) {
-	const authStorages = localAuthStorage === void 0 ? [AuthStorage.create(readQuireModelAuthPath()), AuthStorage.create()] : [localAuthStorage];
-	for (const authStorage of authStorages) {
-		const modelRegistry = ModelRegistry.create(authStorage);
-		const model = modelRegistry.find(PI_CODEX_MODEL_PROVIDER, PI_CODEX_MODEL_ID);
-		if (!model || !modelRegistry.hasConfiguredAuth(model)) continue;
-		const auth = await modelRegistry.getApiKeyAndHeaders(model);
-		if (!auth.ok || !auth.apiKey && !auth.headers) continue;
-		return {
-			authStorage,
-			modelRegistry,
-			model,
-			source: "local_openai_codex"
-		};
-	}
-	return null;
-}
-function readQuireModelAuthPath() {
-	const envPath = process.env[QUIRE_MODEL_AUTH_PATH_ENV]?.trim();
-	return envPath && envPath.length > 0 ? envPath : join(homedir(), ".quire", "model-auth.json");
-}
-function quireModelDefinition() {
-	return {
-		id: QUIRE_MODEL_ID,
-		name: "Quire Credits GPT-5.1",
-		api: QUIRE_MODEL_API,
-		reasoning: true,
-		thinkingLevelMap: {
-			off: null,
-			xhigh: "high"
-		},
-		input: ["text"],
-		cost: {
-			input: 1.25,
-			output: 10,
-			cacheRead: .125,
-			cacheWrite: 0
-		},
-		contextWindow: 128e3,
-		maxTokens: 32e3
-	};
-}
-function createQuireCreditsStream(options) {
-	return (model, context, streamOptions) => {
-		const stream = createAssistantMessageEventStream();
-		(async () => {
-			const output = createEmptyAssistantMessage(model);
-			try {
-				const accessToken = streamOptions?.apiKey;
-				if (!accessToken) throw new CliError$1("Not logged in. Run `quire login` before `quire investigate` so Quire Credits can be checked.", ExitCode.AuthFailure);
-				stream.push({
-					type: "start",
-					partial: output
-				});
-				applyBrokerResponseToStream(stream, output, model, await requestBrokerChatCompletion({
-					apiBaseUrl: options.apiBaseUrl,
-					accessToken,
-					runId: options.runId,
-					model,
-					context,
-					streamOptions,
-					fetchFn: options.fetchFn
-				}));
-			} catch (error) {
-				output.stopReason = streamOptions?.signal?.aborted ? "aborted" : "error";
-				output.errorMessage = error instanceof Error ? error.message : String(error);
-				stream.push({
-					type: "error",
-					reason: output.stopReason,
-					error: output
-				});
-				stream.end();
-			}
-		})();
-		return stream;
-	};
-}
-async function readValidatedQuireCredentials(options) {
-	const credentials = await options.store.get();
-	if (!credentials) throw new CliError$1("Not logged in. Run `quire login` before `quire investigate` so Quire Credits can be checked.", ExitCode.AuthFailure);
-	const sessionLookup = await fetchCurrentSession({
-		apiBaseUrl: credentials.apiBaseUrl,
-		accessToken: credentials.accessToken,
-		fetchFn: options.fetchFn
-	});
-	if (!sessionLookup.data) {
-		await options.store.clear();
-		throw new CliError$1("Stored Quire credentials are no longer valid. Run `quire login`.", ExitCode.AuthFailure);
-	}
-	if (!sessionLookup.refreshedAccessToken) return credentials;
-	const refreshedCredentials = updateStoredCredentials(credentials, {
-		accessToken: sessionLookup.refreshedAccessToken,
-		expiresAt: sessionLookup.data.session.expiresAt,
-		user: sessionLookup.data.user
-	});
-	await options.store.set(refreshedCredentials);
-	return refreshedCredentials;
-}
-async function requestBrokerChatCompletion(input) {
-	const response = await (input.fetchFn ?? fetch)(new URL("/api/model-broker/chat-completions", input.apiBaseUrl).toString(), {
-		method: "POST",
-		headers: {
-			Accept: "application/json",
-			Authorization: `Bearer ${input.accessToken}`,
-			"Content-Type": "application/json",
-			"User-Agent": "quire-cli"
-		},
-		signal: input.streamOptions?.signal,
-		body: JSON.stringify({
-			model: input.model.id,
-			messages: toBrokerMessages(input.model, input.context),
-			runId: input.runId,
-			stream: false,
-			agentContext: {
-				messages: [],
-				tools: toBrokerTools(input.context.tools)
-			},
-			agentOptions: {
-				reasoning: normalizeReasoning(input.streamOptions?.reasoning),
-				sessionId: input.streamOptions?.sessionId ?? null
-			}
-		})
-	});
-	const body = await readJsonBody(response);
-	if (!response.ok || body?.status !== "succeeded") throw brokerResponseError(response, body);
-	const rawResponse = body.data?.response;
-	if (!rawResponse || typeof rawResponse !== "object" || Array.isArray(rawResponse)) throw new Error("Quire model broker returned an invalid model response.");
-	return rawResponse;
-}
-function toBrokerMessages(model, context) {
-	return convertMessages(model, context, openAiCompletionCompat).map((message) => {
-		const record = message;
-		const role = normalizeRole(record.role);
-		const toolCalls = parseBrokerToolCalls(record.tool_calls);
-		return {
-			role,
-			content: normalizeMessageContent(record.content),
-			...typeof record.name === "string" ? { name: record.name } : {},
-			...typeof record.tool_call_id === "string" ? { tool_call_id: record.tool_call_id } : {},
-			...toolCalls.length > 0 ? { tool_calls: toolCalls } : {}
-		};
-	});
-}
-function toBrokerTools(tools) {
-	return (tools ?? []).map((tool) => ({
-		type: "function",
-		function: {
-			name: tool.name,
-			description: tool.description,
-			parameters: tool.parameters,
-			strict: false
-		}
-	}));
-}
-function applyBrokerResponseToStream(stream, output, model, response) {
-	output.responseId = typeof response.id === "string" ? response.id : void 0;
-	output.responseModel = typeof response.model === "string" ? response.model : void 0;
-	output.usage = readUsage(response.usage, model);
-	const choice = response.choices?.[0];
-	const message = choice?.message;
-	const content = typeof message?.content === "string" ? message.content : "";
-	if (content.length > 0) {
-		const textBlock = {
-			type: "text",
-			text: content
-		};
-		output.content.push(textBlock);
-		const contentIndex = output.content.length - 1;
-		stream.push({
-			type: "text_start",
-			contentIndex,
-			partial: output
-		});
-		stream.push({
-			type: "text_delta",
-			contentIndex,
-			delta: content,
-			partial: output
-		});
-		stream.push({
-			type: "text_end",
-			contentIndex,
-			content,
-			partial: output
-		});
-	}
-	const toolCalls = parseBrokerToolCalls(message?.tool_calls);
-	for (const toolCall of toolCalls) {
-		const block = {
-			type: "toolCall",
-			id: toolCall.id,
-			name: toolCall.function.name,
-			arguments: parseToolCallArguments(toolCall.function.arguments)
-		};
-		output.content.push(block);
-		const contentIndex = output.content.length - 1;
-		stream.push({
-			type: "toolcall_start",
-			contentIndex,
-			partial: output
-		});
-		stream.push({
-			type: "toolcall_delta",
-			contentIndex,
-			delta: toolCall.function.arguments,
-			partial: output
-		});
-		stream.push({
-			type: "toolcall_end",
-			contentIndex,
-			toolCall: block,
-			partial: output
-		});
-	}
-	output.stopReason = mapStopReason(choice?.finish_reason, toolCalls.length > 0);
-	stream.push({
-		type: "done",
-		reason: output.stopReason,
-		message: output
-	});
-	stream.end();
-}
-function createEmptyAssistantMessage(model) {
-	return {
-		role: "assistant",
-		content: [],
-		api: model.api,
-		provider: model.provider,
-		model: model.id,
-		usage: emptyUsage(),
-		stopReason: "stop",
-		timestamp: Date.now()
-	};
-}
-function emptyUsage() {
-	return {
-		input: 0,
-		output: 0,
-		cacheRead: 0,
-		cacheWrite: 0,
-		totalTokens: 0,
-		cost: {
-			input: 0,
-			output: 0,
-			cacheRead: 0,
-			cacheWrite: 0,
-			total: 0
-		}
-	};
-}
-function readUsage(rawUsage, model) {
-	const input = readNumber(rawUsage?.prompt_tokens ?? rawUsage?.promptTokens) ?? 0;
-	const output = readNumber(rawUsage?.completion_tokens ?? rawUsage?.completionTokens) ?? 0;
-	const usage = {
-		input,
-		output,
-		cacheRead: 0,
-		cacheWrite: 0,
-		totalTokens: readNumber(rawUsage?.total_tokens ?? rawUsage?.totalTokens) ?? input + output,
-		cost: {
-			input: 0,
-			output: 0,
-			cacheRead: 0,
-			cacheWrite: 0,
-			total: 0
-		}
-	};
-	calculateCost(model, usage);
-	return usage;
-}
-function mapStopReason(finishReason, hasToolCalls) {
-	if (finishReason === "length") return "length";
-	if (hasToolCalls || finishReason === "tool_calls" || finishReason === "function_call") return "toolUse";
-	return "stop";
-}
-function normalizeRole(value) {
-	if (value === "developer") return "system";
-	if (value === "system" || value === "user" || value === "assistant" || value === "tool") return value;
-	throw new Error(`Unsupported broker message role: ${String(value)}`);
-}
-function normalizeMessageContent(value) {
-	if (typeof value === "string") return value;
-	if (value === null || value === void 0) return "";
-	if (Array.isArray(value)) {
-		const text = value.map((part) => {
-			if (!part || typeof part !== "object" || Array.isArray(part)) return "";
-			const record = part;
-			return record.type === "text" && typeof record.text === "string" ? record.text : "[non-text content omitted]";
-		}).filter((part) => part.length > 0).join("\n");
-		return text.length > 0 ? text : "[non-text content omitted]";
-	}
-	if (typeof value === "number" || typeof value === "boolean" || typeof value === "bigint") return String(value);
-	return "[non-text content omitted]";
-}
-function parseBrokerToolCalls(value) {
-	if (!Array.isArray(value)) return [];
-	return value.flatMap((toolCall, index) => {
-		if (!toolCall || typeof toolCall !== "object" || Array.isArray(toolCall)) return [];
-		const record = toolCall;
-		const fn = record.function;
-		if (!fn || typeof fn !== "object" || Array.isArray(fn)) return [];
-		const functionRecord = fn;
-		const name = typeof functionRecord.name === "string" ? functionRecord.name : "";
-		if (!name) return [];
-		return [{
-			id: typeof record.id === "string" ? record.id : `call_${index}`,
-			type: "function",
-			function: {
-				name,
-				arguments: typeof functionRecord.arguments === "string" ? functionRecord.arguments : "{}"
-			}
-		}];
-	});
-}
-function parseToolCallArguments(value) {
-	try {
-		const parsed = JSON.parse(value);
-		return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : {};
-	} catch {
-		return {};
-	}
-}
-async function readJsonBody(response) {
-	const text = await response.text();
-	if (!text) return null;
-	try {
-		return JSON.parse(text);
-	} catch {
-		return text;
-	}
-}
-function brokerResponseError(response, body) {
-	const code = body?.error?.code ?? `http_${response.status}`;
-	const message = body?.error?.message ?? `Quire model broker request failed with HTTP ${response.status}`;
-	const action = body?.error?.nextAction;
-	const billingDetail = formatBrokerBillingDetail(body);
-	return new Error([
-		`Quire model broker request failed (${code}): ${message}`,
-		billingDetail,
-		action === void 0 ? void 0 : `Next action: ${action}.`
-	].filter((part) => part !== void 0 && part.length > 0).join(" "));
-}
-function normalizeReasoning(reasoning) {
-	return reasoning === "minimal" || reasoning === "low" || reasoning === "medium" || reasoning === "high" || reasoning === "xhigh" ? reasoning : void 0;
-}
-function readNumber(value) {
-	return typeof value === "number" && Number.isFinite(value) ? value : null;
-}
-function formatBrokerBillingDetail(body) {
-	const requiredBalance = readNumber(body?.metadata?.wallet?.requiredBalance) ?? readNumber(body?.metadata?.billing?.wallet?.requiredBalance) ?? readNumber(body?.metadata?.billing?.wallet?.estimatedTotalTokens);
-	const remainingBalance = readNumber(body?.metadata?.wallet?.balance?.remaining);
-	if (requiredBalance === null && remainingBalance === null) return;
-	return `Wallet: ${[requiredBalance === null ? void 0 : `required=${requiredBalance}`, remainingBalance === null ? void 0 : `remaining=${remainingBalance}`].filter((part) => part !== void 0).join(", ")}.`;
-}
 const EXPLORE_THINKING_LEVEL = "xhigh";
 const EXPLORE_CODE_TOOL_NAMES = [
 	"read",
@@ -45431,6 +45686,7 @@ function syncConfigFromCredentials(credentials, options = {}) {
 	return {
 		apiBaseUrl: credentials.apiBaseUrl,
 		accessToken: credentials.accessToken,
+		tokenType: credentials.tokenType,
 		artifactMode: options.artifactMode ?? "evidence"
 	};
 }
@@ -45574,7 +45830,7 @@ var InvestigationSyncSession = class {
 			headers: {
 				Accept: "application/json",
 				"Content-Type": "application/json",
-				Authorization: `Bearer ${this.config.accessToken}`,
+				...authHeaders(this.config),
 				"User-Agent": "quire-cli",
 				...Object.fromEntries(new Headers(init.headers).entries())
 			}
@@ -45612,6 +45868,7 @@ async function syncExistingRun(options) {
 	await new InvestigationSyncSession(options.runDir, {
 		apiBaseUrl: options.credentials.apiBaseUrl,
 		accessToken: options.credentials.accessToken,
+		tokenType: options.credentials.tokenType,
 		artifactMode: options.artifactMode ?? "evidence",
 		fetchFn: options.fetchFn
 	}).syncFromDisk();
@@ -46172,7 +46429,7 @@ async function runInvestigationWorker(requestPath) {
 		pid: process.pid
 	});
 	try {
-		const credentials = await authStore.get();
+		const credentials = await resolveAuthCredentials({ store: authStore });
 		const result = await runLocalInvestigation({
 			cwd: request.cwd,
 			query: request.query,
@@ -46503,7 +46760,7 @@ async function listRuns(options = {}) {
 }
 async function syncRun(run, options = {}) {
 	const stdout = options.io?.stdout ?? process.stdout;
-	const credentials = await (options.store ?? authStore).get();
+	const credentials = await resolveAuthCredentials({ store: options.store ?? authStore });
 	if (credentials === null) throw new CliError$1("Run `quire login` before syncing runs.", ExitCode.AuthFailure);
 	const status = readFreshRunStatus(resolveRunPath(run, options));
 	await syncExistingRun({
@@ -46629,7 +46886,7 @@ async function runInvestigate(options) {
 	const stdout = options.io?.stdout ?? process.stdout;
 	const stderr = options.io?.stderr ?? process.stderr;
 	const stdinText = options.stdin === true ? await readAll(options.input ?? process.stdin) : void 0;
-	const credentials = await (options.store ?? authStore).get();
+	const credentials = await resolveAuthCredentials({ store: options.store ?? authStore });
 	if (options.foreground === true) {
 		const result = await (options.runner ?? runLocalInvestigation)({
 			query: options.query,
@@ -46754,43 +47011,6 @@ function defaultSleep(ms) {
 	return new Promise((resolve) => setTimeout(resolve, ms));
 }
 //#endregion
-//#region src/auth/open-browser.ts
-async function openBrowser(url) {
-	const command = browserCommand(url);
-	if (command === null) return false;
-	return new Promise((resolve) => {
-		const child = spawn(command.command, command.args, {
-			detached: true,
-			stdio: "ignore",
-			shell: false
-		});
-		child.once("error", () => resolve(false));
-		child.once("spawn", () => {
-			child.unref();
-			resolve(true);
-		});
-	});
-}
-function browserCommand(url) {
-	if (process.platform === "darwin") return {
-		command: "open",
-		args: [url]
-	};
-	if (process.platform === "win32") return {
-		command: "cmd",
-		args: [
-			"/c",
-			"start",
-			"",
-			url
-		]
-	};
-	return {
-		command: "xdg-open",
-		args: [url]
-	};
-}
-//#endregion
 //#region src/commands/login.ts
 const loginCommand = defineCommand({
 	meta: {
@@ -46843,6 +47063,7 @@ async function runLogin(options) {
 	const sessionLookup = await (options.getSession?.(token.access_token) ?? fetchCurrentSession({
 		apiBaseUrl: options.apiBaseUrl,
 		accessToken: token.access_token,
+		tokenType: token.token_type,
 		fetchFn: options.fetchFn
 	}));
 	const session = sessionLookup.data;
@@ -46946,14 +47167,38 @@ const whoamiCommand = defineCommand({
 async function runWhoami(options) {
 	const store = options.store ?? authStore;
 	const stdout = options.io?.stdout ?? process.stdout;
-	const credentials = await store.get();
+	const credentials = await resolveAuthCredentials({ store });
 	if (credentials === null) {
 		if (options.json === true) writeJson(stdout, { authenticated: false });
 		throw new CliError$1("Not logged in. Run `quire login`.", ExitCode.AuthFailure);
 	}
+	if (credentials.tokenType === "QuireApiKey") {
+		const modelSourceBroker = await readModelSourceBrokerStatus({
+			accessToken: credentials.accessToken,
+			tokenType: credentials.tokenType,
+			apiBaseUrl: credentials.apiBaseUrl,
+			fetchFn: options.fetchFn,
+			getModelSourceBrokerStatus: options.getModelSourceBrokerStatus
+		});
+		const actor = modelSourceBroker?.actor ?? null;
+		if (options.json === true) {
+			writeJson(stdout, {
+				authenticated: true,
+				authMethod: "api_token",
+				apiBaseUrl: credentials.apiBaseUrl,
+				actor,
+				modelSourceBroker
+			});
+			return;
+		}
+		writeLine(stdout, `Authenticated with API token for ${formatActor(actor)}.`);
+		writeLine(stdout, formatModelSourceBrokerStatus(modelSourceBroker));
+		return;
+	}
 	const sessionLookup = await (options.getSession?.(credentials.accessToken) ?? fetchCurrentSession({
 		apiBaseUrl: credentials.apiBaseUrl,
 		accessToken: credentials.accessToken,
+		tokenType: credentials.tokenType,
 		fetchFn: options.fetchFn
 	}));
 	const session = sessionLookup.data;
@@ -46969,6 +47214,7 @@ async function runWhoami(options) {
 	await store.set(refreshedCredentials);
 	const modelSourceBroker = await readModelSourceBrokerStatus({
 		accessToken: refreshedCredentials.accessToken,
+		tokenType: refreshedCredentials.tokenType,
 		apiBaseUrl: refreshedCredentials.apiBaseUrl,
 		fetchFn: options.fetchFn,
 		getModelSourceBrokerStatus: options.getModelSourceBrokerStatus
@@ -46991,12 +47237,16 @@ async function readModelSourceBrokerStatus(options) {
 		return await (options.getModelSourceBrokerStatus?.(options.accessToken, options.apiBaseUrl) ?? fetchModelSourceBrokerStatus({
 			apiBaseUrl: options.apiBaseUrl,
 			accessToken: options.accessToken,
+			tokenType: options.tokenType,
 			fetchFn: options.fetchFn
 		}));
 	} catch {
 		return null;
 	}
 }
+function formatActor(actor) {
+	return actor?.environmentName ?? actor?.triggerSource ?? "remote agent environment";
+}
 function formatUser(user) {
 	if (user.name && user.email && user.name !== user.email) return `${user.name} <${user.email}>`;
 	return user.email ?? user.name ?? user.id;
@@ -47011,13 +47261,14 @@ function formatModelSourceBrokerStatus(status) {
 }
 //#endregion
 //#region package.json
-var version$1 = "0.0.2";
+var version$1 = "0.0.3";
 //#endregion
 //#region src/cli.ts
 const subCommands = {
 	login: loginCommand,
 	logout: logoutCommand,
 	whoami: whoamiCommand,
+	connect: connectCommand,
 	doctor: doctorCommand,
 	env: envCommand,
 	investigate: investigateCommand,
@@ -47061,12 +47312,28 @@ function isHelpRequest(rawArgs) {
 	return rawArgs.some((arg) => arg === "--help" || arg === "-h");
 }
 async function renderHelp(rawArgs) {
-	const commandName = rawArgs.find(isSubCommandName);
-	if (commandName !== void 0) return renderUsage(subCommands[commandName], cli);
-	return renderUsage(cli);
+	const { command, parent } = resolveHelpCommand(rawArgs);
+	return renderUsage(command, parent);
+}
+function resolveHelpCommand(rawArgs) {
+	let command = cli;
+	let parent;
+	for (const arg of rawArgs) {
+		if (arg.startsWith("-")) continue;
+		const next = readSubCommand(command, arg);
+		if (next === void 0) break;
+		parent = command;
+		command = next;
+	}
+	return parent === void 0 ? { command } : {
+		command,
+		parent
+	};
 }
-function isSubCommandName(value) {
-	return Object.hasOwn(subCommands, value);
+function readSubCommand(command, name) {
+	const subCommandMap = command.subCommands;
+	if (subCommandMap === void 0 || !Object.hasOwn(subCommandMap, name)) return;
+	return subCommandMap[name];
 }
 async function runWorkerCommand(rawArgs) {
 	const requestFlagIndex = rawArgs.indexOf("--request");