@tarout/cli 0.7.2 → 0.10.0

package/dist/{api-QVUO7EWV.js → api-YFXACHOB.js}

@@ -2,9 +2,9 @@ import {
   createApiClient,
   getApiClient,
   resetApiClient
-} from "./chunk-Y6TWR3XZ.js";
+} from "./chunk-CZPJYUNC.js";
 import "./chunk-5DAFGMBH.js";
-import "./chunk-K7JK5HIL.js";
+import "./chunk-WKITMZ4U.js";
 export {
   createApiClient,
   getApiClient,

package/dist/{chunk-Y6TWR3XZ.js → chunk-CZPJYUNC.js}

@@ -10,7 +10,7 @@ import {
   isJsonMode,
   jsonError,
   outputJson
-} from "./chunk-K7JK5HIL.js";
+} from "./chunk-WKITMZ4U.js";
 
 // src/lib/api.ts
 import { createTRPCProxyClient, httpBatchLink } from "@trpc/client";

package/dist/{chunk-DI66W4S5.js → chunk-OPPZGNJX.js}

@@ -4,7 +4,7 @@ import {
   isJsonMode,
   isNonInteractiveMode,
   outputNeedsInput
-} from "./chunk-K7JK5HIL.js";
+} from "./chunk-WKITMZ4U.js";
 
 // src/utils/prompts.ts
 import inquirer from "inquirer";

package/dist/{chunk-K7JK5HIL.js → chunk-WKITMZ4U.js}

@@ -106,6 +106,11 @@ function success(message) {
     console.log(colors.success(`\u2713 ${message}`));
   }
 }
+function warn(message) {
+  if (!globalOptions.json) {
+    console.log(colors.warn(`\u26A0 ${message}`));
+  }
+}
 function error(message, suggestions) {
   if (globalOptions.json) {
     outputJson(jsonError("ERROR", message, suggestions));
@@ -197,6 +202,7 @@ export {
   getStatusBadge,
   log,
   success,
+  warn,
   error,
   table,
   outputData,

package/dist/index.js

@@ -13,7 +13,7 @@ import {
   handleError,
   platformFetch,
   resetApiClient
-} from "./chunk-Y6TWR3XZ.js";
+} from "./chunk-CZPJYUNC.js";
 import {
   clearConfig,
   getApiUrl,
@@ -34,7 +34,7 @@ import {
   password,
   promptOrEmit,
   select
-} from "./chunk-DI66W4S5.js";
+} from "./chunk-OPPZGNJX.js";
 import {
   ExitCode,
   box,
@@ -52,8 +52,9 @@ import {
   setGlobalOptions,
   shouldSkipConfirmation,
   success,
-  table
-} from "./chunk-K7JK5HIL.js";
+  table,
+  warn
+} from "./chunk-WKITMZ4U.js";
 
 // src/index.ts
 import { Command } from "commander";
@@ -61,7 +62,7 @@ import { Command } from "commander";
 // package.json
 var package_default = {
   name: "@tarout/cli",
-  version: "0.7.2",
+  version: "0.10.0",
   description: "Tarout CLI \u2014 the Saudi cloud platform for coding agents",
   type: "module",
   bin: {
@@ -632,7 +633,7 @@ Root access: ${hasAccess ? colors.success("yes") : colors.error("no")}
     try {
       if (!isLoggedIn()) throw new AuthError();
       if (!shouldSkipConfirmation()) {
-        const { confirm: confirmFn } = await import("./prompts-JH6YBHHV.js");
+        const { confirm: confirmFn } = await import("./prompts-D72VJYWE.js");
         const ok = await confirmFn(
           `Remove user "${userId}" from the organization?`,
           false,
@@ -659,7 +660,7 @@ Root access: ${hasAccess ? colors.success("yes") : colors.error("no")}
   account.command("assign-permissions").argument("<user-id>", "User ID").option("--role <role>", "Role: admin, member").description("Assign permissions/role to a member (org owner only)").action(async (userId, options) => {
     try {
       if (!isLoggedIn()) throw new AuthError();
-      const { select: selectFn } = await import("./prompts-JH6YBHHV.js");
+      const { select: selectFn } = await import("./prompts-D72VJYWE.js");
       const role = options.role || await selectFn(
         "Role:",
         [
@@ -724,6 +725,205 @@ Root access: ${hasAccess ? colors.success("yes") : colors.error("no")}
   });
 }
 
+// src/commands/agent.ts
+import { resolve } from "path";
+
+// src/lib/agent-scaffold.ts
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
+import { join } from "path";
+var AGENT_TYPES = [
+  "claude",
+  "codex",
+  "cursor",
+  "other"
+];
+var TAROUT_ALLOW_ENTRY = "Bash(tarout:*)";
+var BLOCK_BEGIN = "<!-- BEGIN TAROUT -->";
+var BLOCK_END = "<!-- END TAROUT -->";
+var TAROUT_AGENT_BLOCK = `${BLOCK_BEGIN}
+## Tarout
+
+This project deploys to [Tarout](https://tarout.sa) (PaaS). Use the **Tarout CLI**
+for all deployment, database, storage, environment-variable, and domain operations \u2014
+don't hand-edit infrastructure.
+
+- **Deploy** the current folder: \`tarout up --json --yes\` (inspects \u2192 builds \u2192 deploys;
+  read the final JSON envelope's \`success\` and \`data.url\`).
+- **Re-deploy** a linked app: \`tarout deploy --wait\`.
+- **Run locally** with cloud env vars: \`tarout dev\`.
+- **Full agent guide:** https://tarout.sa/docs/for-ai/onboarding
+
+Run Tarout commands with \`--json\` for machine-readable output. On a \`NEEDS_UPGRADE\`
+error, surface it to the user and follow the upgrade flow instead of auto-retrying.
+Ask before destructive actions (delete, rollback, revealing secrets).
+${BLOCK_END}`;
+function markdownTargetFor(agent) {
+  return agent === "claude" ? "CLAUDE.md" : "AGENTS.md";
+}
+function hasMarkers(content) {
+  return content.includes(BLOCK_BEGIN) && content.includes(BLOCK_END);
+}
+function replaceBlock(content, block) {
+  const begin = content.indexOf(BLOCK_BEGIN);
+  const end = content.indexOf(BLOCK_END);
+  if (begin === -1 || end === -1 || end < begin) return content;
+  return `${content.slice(0, begin)}${block}${content.slice(end + BLOCK_END.length)}`;
+}
+function upsertMarkdownBlock(filePath, block) {
+  if (!existsSync(filePath)) {
+    writeFileSync(filePath, `${block}
+`, "utf-8");
+    return "created";
+  }
+  const existing = readFileSync(filePath, "utf-8");
+  if (hasMarkers(existing)) {
+    const replaced = replaceBlock(existing, block);
+    if (replaced === existing) return "unchanged";
+    writeFileSync(filePath, replaced, "utf-8");
+    return "updated";
+  }
+  const separator = existing.endsWith("\n") ? "\n" : "\n\n";
+  writeFileSync(filePath, `${existing}${separator}${block}
+`, "utf-8");
+  return "appended";
+}
+function hasTaroutAllowlist(cwd) {
+  const settingsPath = join(cwd, ".claude", "settings.local.json");
+  if (!existsSync(settingsPath)) return false;
+  try {
+    const settings = JSON.parse(
+      readFileSync(settingsPath, "utf-8")
+    );
+    const allow = settings?.permissions?.allow;
+    return Array.isArray(allow) && allow.includes(TAROUT_ALLOW_ENTRY);
+  } catch {
+    return false;
+  }
+}
+function mergeClaudeSettings(claudeDir) {
+  const settingsPath = join(claudeDir, "settings.local.json");
+  const relPath = join(".claude", "settings.local.json");
+  if (!existsSync(settingsPath)) {
+    mkdirSync(claudeDir, { recursive: true });
+    const settings2 = {
+      permissions: { allow: [TAROUT_ALLOW_ENTRY] }
+    };
+    writeFileSync(settingsPath, `${JSON.stringify(settings2, null, 2)}
+`, "utf-8");
+    return { path: relPath, action: "created" };
+  }
+  let settings;
+  try {
+    settings = JSON.parse(readFileSync(settingsPath, "utf-8"));
+  } catch {
+    return {
+      path: relPath,
+      action: "skipped",
+      reason: "existing settings.local.json is not valid JSON; left untouched"
+    };
+  }
+  if (typeof settings !== "object" || settings === null) {
+    return {
+      path: relPath,
+      action: "skipped",
+      reason: "existing settings.local.json is not a JSON object; left untouched"
+    };
+  }
+  const permissions = settings.permissions ??= {};
+  const allow = Array.isArray(permissions.allow) ? permissions.allow : [];
+  if (allow.includes(TAROUT_ALLOW_ENTRY)) {
+    return { path: relPath, action: "unchanged" };
+  }
+  permissions.allow = [...allow, TAROUT_ALLOW_ENTRY];
+  writeFileSync(settingsPath, `${JSON.stringify(settings, null, 2)}
+`, "utf-8");
+  return { path: relPath, action: "updated" };
+}
+function scaffoldAgentConfig(options) {
+  const { cwd, agent } = options;
+  const files = [];
+  const mdName = markdownTargetFor(agent);
+  files.push({
+    path: mdName,
+    action: upsertMarkdownBlock(join(cwd, mdName), TAROUT_AGENT_BLOCK)
+  });
+  if (agent === "claude") {
+    files.push(mergeClaudeSettings(join(cwd, ".claude")));
+  }
+  return {
+    agent,
+    files,
+    nextSteps: ["tarout up --json --yes"]
+  };
+}
+
+// src/commands/agent.ts
+function parseAgent(value) {
+  const agent = (value ?? "claude").toLowerCase();
+  if (AGENT_TYPES.includes(agent)) {
+    return agent;
+  }
+  throw new CliError(
+    `Invalid agent "${value}". Use one of: ${AGENT_TYPES.join(", ")}.`,
+    ExitCode.INVALID_ARGUMENTS
+  );
+}
+function registerAgentCommands(program2) {
+  const agent = program2.command("agent").description("Configure coding agents to use the Tarout CLI");
+  agent.command("init").argument("[path]", "Project directory (defaults to current)").description(
+    "Write agent instructions (CLAUDE.md/AGENTS.md) and a Bash(tarout:*) permission allowlist so a coding agent can drive Tarout"
+  ).option(
+    "--agent <type>",
+    `Coding agent to configure: ${AGENT_TYPES.join(", ")}`,
+    "claude"
+  ).action(async (cwdArg, options) => {
+    try {
+      const cwd = cwdArg ? resolve(cwdArg) : process.cwd();
+      const agentType = parseAgent(options.agent);
+      const result = scaffoldAgentConfig({ cwd, agent: agentType });
+      if (isJsonMode()) {
+        for (const file of result.files) {
+          outputJsonLine({
+            type: "event",
+            event: "file_written",
+            path: file.path,
+            action: file.action,
+            ...file.reason ? { reason: file.reason } : {}
+          });
+        }
+        outputJsonLine({
+          type: "result",
+          ok: true,
+          agent: result.agent,
+          files: result.files,
+          nextSteps: result.nextSteps
+        });
+        return;
+      }
+      success("Coding agents configured");
+      box(
+        `Agent: ${colors.cyan(result.agent)}`,
+        result.files.map((file) => {
+          const label = `${colors.bold(file.action)} ${file.path}`;
+          return file.reason ? `${label} \u2014 ${colors.dim(file.reason)}` : label;
+        })
+      );
+      for (const file of result.files) {
+        if (file.action === "skipped") {
+          warn(`${file.path} was left untouched (${file.reason}).`);
+        }
+      }
+      log("Next steps:");
+      for (const step of result.nextSteps) {
+        log(`  ${colors.dim(step)}`);
+      }
+      log("");
+    } catch (err) {
+      handleError(err);
+    }
+  });
+}
+
 // src/commands/ai.ts
 function registerAiCommands(program2) {
   const ai = program2.command("ai").description("Manage AI Gateway models and API keys");
@@ -1544,7 +1744,7 @@ function registerAppsCommands(program2) {
         throw new NotFoundError("Application", appIdentifier, suggestions);
       }
       if (!shouldSkipConfirmation()) {
-        const { confirm: confirm2 } = await import("./prompts-JH6YBHHV.js");
+        const { confirm: confirm2 } = await import("./prompts-D72VJYWE.js");
         const confirmed = await confirm2(
           `Stop application "${app.name}"?`,
           false,
@@ -1862,7 +2062,7 @@ function registerAppsCommands(program2) {
         throw new NotFoundError("Application", appIdentifier);
       }
       if (!shouldSkipConfirmation()) {
-        const { confirm: confirm2 } = await import("./prompts-JH6YBHHV.js");
+        const { confirm: confirm2 } = await import("./prompts-D72VJYWE.js");
         const confirmed = await confirm2(
           `Disconnect source provider from "${app.name}"?`,
           false,
@@ -2880,7 +3080,7 @@ function formatTime(ts) {
 }
 
 // src/commands/auth.ts
-import open2 from "open";
+import open3 from "open";
 
 // src/lib/auth-server.ts
 import { randomBytes, timingSafeEqual } from "crypto";
@@ -2898,7 +3098,7 @@ function escapeHtml(value) {
   return String(value).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
 }
 function startAuthServer(options = {}) {
-  return new Promise((resolve3) => {
+  return new Promise((resolve4) => {
     const app = express();
     const expectedState = options.state ?? createAuthState();
     let server;
@@ -3022,7 +3222,7 @@ function startAuthServer(options = {}) {
     server = app.listen(0, "127.0.0.1", () => {
       const address = server.address();
       const port = typeof address === "object" && address ? address.port : 0;
-      resolve3({
+      resolve4({
         port,
         state: expectedState,
         waitForCallback: () => callbackPromise,
@@ -3032,6 +3232,28 @@ function startAuthServer(options = {}) {
   });
 }
 
+// src/lib/browser.ts
+import open2 from "open";
+function canLaunchBrowser() {
+  if (process.platform === "darwin" || process.platform === "win32") {
+    return true;
+  }
+  return Boolean(process.env.DISPLAY || process.env.WAYLAND_DISPLAY);
+}
+function paymentBrowserOpener(opts) {
+  if (opts?.noOpen || !canLaunchBrowser()) return void 0;
+  return async (url) => {
+    try {
+      await open2(url);
+    } catch {
+    }
+  };
+}
+function shouldAutoConfirmPaidCheckout(amountDueHalalas) {
+  const isPaidCheckout = typeof amountDueHalalas === "number" && amountDueHalalas > 0;
+  return !isJsonMode() && isNonInteractiveMode() && canLaunchBrowser() && isPaidCheckout;
+}
+
 // src/commands/auth.ts
 function refuseBrowserAuthForAgent(action) {
   const message = `tarout ${action} requires a browser. Agents should ask the user to run \`tarout token <api-token>\` or set TAROUT_TOKEN \u2014 generate one at https://tarout.sa/dashboard/settings/profile.`;
@@ -3070,7 +3292,7 @@ function registerAuthCommands(program2) {
           return;
         }
       }
-      if (isJsonMode() || isNonInteractiveMode()) {
+      if (isJsonMode() || !canLaunchBrowser()) {
         refuseBrowserAuthForAgent("login");
       }
       const apiUrl = options.apiUrl;
@@ -3079,7 +3301,12 @@ function registerAuthCommands(program2) {
       const authServer = await startAuthServer();
       const callbackUrl = `http://localhost:${authServer.port}/callback?state=${encodeURIComponent(authServer.state)}`;
       const authUrl = `${apiUrl}/cli-authorize?callback=${encodeURIComponent(callbackUrl)}`;
-      await open2(authUrl);
+      try {
+        await open3(authUrl);
+      } catch {
+        authServer.close();
+        refuseBrowserAuthForAgent("login");
+      }
       const _spinner = startSpinner("Waiting for authentication...");
       try {
         const authData = await authServer.waitForCallback();
@@ -3179,7 +3406,7 @@ function registerAuthCommands(program2) {
           return;
         }
       }
-      if (isJsonMode() || isNonInteractiveMode()) {
+      if (isJsonMode() || !canLaunchBrowser()) {
         refuseBrowserAuthForAgent("register");
       }
       const apiUrl = options.apiUrl;
@@ -3188,7 +3415,12 @@ function registerAuthCommands(program2) {
       const authServer = await startAuthServer();
       const callbackUrl = `http://localhost:${authServer.port}/callback?state=${encodeURIComponent(authServer.state)}`;
       const authUrl = `${apiUrl}/cli-authorize?action=register&callback=${encodeURIComponent(callbackUrl)}`;
-      await open2(authUrl);
+      try {
+        await open3(authUrl);
+      } catch {
+        authServer.close();
+        refuseBrowserAuthForAgent("register");
+      }
       const _spinner = startSpinner("Waiting for account creation...");
       try {
         const authData = await authServer.waitForCallback();
@@ -3303,7 +3535,7 @@ function registerAuthCommands(program2) {
           () => input("Token name (e.g., ci-deploy):")
         );
       }
-      const { getApiClient: getApiClient2 } = await import("./api-QVUO7EWV.js");
+      const { getApiClient: getApiClient2 } = await import("./api-YFXACHOB.js");
       const client = getApiClient2();
       const profile = getCurrentProfile();
       let keyOrg = profile?.organizationId;
@@ -3680,7 +3912,7 @@ function registerBackupsCommands(program2) {
     try {
       if (!isLoggedIn()) throw new AuthError();
       if (!shouldSkipConfirmation()) {
-        const { confirm: confirmFn } = await import("./prompts-JH6YBHHV.js");
+        const { confirm: confirmFn } = await import("./prompts-D72VJYWE.js");
         const ok = await confirmFn(
           `Restore backup file "${backupFile}"? This will overwrite current data.`,
           false
@@ -3729,9 +3961,9 @@ function formatBytes2(bytes) {
 
 // src/commands/billing.ts
 import { InvalidArgumentError as InvalidArgumentError2 } from "commander";
-import open3 from "open";
 
 // src/lib/billing-upgrade.ts
+var AGENT_BILLING_PERMISSION_HINT = `If your agent's permission system blocks this billing command, ask the user to allowlist Tarout billing once so you can run it directly (Claude Code: add "Bash(tarout billing:*)" to .claude/settings.json). Running an upgrade only opens the hosted payment page \u2014 the user still completes payment in the browser.`;
 function resolveTarget(input2) {
   if (input2.kind === "plan") return input2.planKey ?? "";
   if (input2.kind === "addon") {
@@ -3797,6 +4029,13 @@ async function finalizeBillingMutation(client, result, ctx) {
   }
   const orderId = result.orderId;
   const paymentUrl = result.paymentUrl;
+  if (ctx.wait) ctx.onCheckoutOpened?.({ orderId, paymentUrl });
+  if (ctx.openBrowser) {
+    try {
+      await ctx.openBrowser(paymentUrl);
+    } catch {
+    }
+  }
   if (!ctx.wait) {
     return {
       status: "payment_required",
@@ -3807,13 +4046,6 @@ async function finalizeBillingMutation(client, result, ctx) {
       amountHalalas
     };
   }
-  ctx.onCheckoutOpened?.({ orderId, paymentUrl });
-  if (ctx.openBrowser) {
-    try {
-      await ctx.openBrowser(paymentUrl);
-    } catch {
-    }
-  }
   const final = await pollCheckoutUntilTerminal(client, orderId, {
     timeoutMs: ctx.timeoutMs ?? 6e5,
     intervalMs: 4e3
@@ -3994,12 +4226,6 @@ function reportBillingResult(result, label) {
   const code = emitBillingResult(result, { label });
   if (code !== ExitCode.SUCCESS) exit(code);
 }
-function browserOpener(noOpen) {
-  if (isJsonMode() || noOpen) return void 0;
-  return async (url) => {
-    await open3(url);
-  };
-}
 function isConflictError(err) {
   const e = err;
   return (e?.code ?? e?.data?.code) === "CONFLICT";
@@ -4205,24 +4431,30 @@ function registerBillingCommands(program2) {
           );
         }
         log("");
-        const confirmed = await confirm(
-          `Switch to plan "${targetPlan}"?`,
-          false,
-          {
-            field: "confirm_upgrade",
-            flag: "--yes",
-            context: {
-              plan: targetPlan,
-              quantity: planQuantity,
-              billingPeriod,
-              addons,
-              amountDueHalalas
+        if (shouldAutoConfirmPaidCheckout(amountDueHalalas)) {
+          log(
+            "Opening the secure payment page in your browser to complete the upgrade..."
+          );
+        } else {
+          const confirmed = await confirm(
+            `Switch to plan "${targetPlan}"?`,
+            false,
+            {
+              field: "confirm_upgrade",
+              flag: "--yes",
+              context: {
+                plan: targetPlan,
+                quantity: planQuantity,
+                billingPeriod,
+                addons,
+                amountDueHalalas
+              }
             }
+          );
+          if (!confirmed) {
+            log("Cancelled.");
+            return;
           }
-        );
-        if (!confirmed) {
-          log("Cancelled.");
-          return;
         }
       }
       const _changeSpinner = startSpinner("Changing plan...");
@@ -4234,7 +4466,7 @@ function registerBillingCommands(program2) {
         addons,
         wait: options.wait,
         timeoutMs: options.timeout * 1e3,
-        openBrowser: browserOpener(options.open === false),
+        openBrowser: paymentBrowserOpener({ noOpen: options.open === false }),
         onCheckoutOpened: ({ orderId, paymentUrl }) => {
           if (isJsonMode()) {
             outputJsonLine({
@@ -4438,7 +4670,7 @@ function registerBillingCommands(program2) {
         target: addonKey,
         wait: options.wait,
         timeoutMs: options.timeout * 1e3,
-        openBrowser: browserOpener(options.open === false)
+        openBrowser: paymentBrowserOpener({ noOpen: options.open === false })
       });
       reportBillingResult(result, `Addon: ${addonKey} \xD7${quantity}`);
     } catch (err) {
@@ -4492,7 +4724,7 @@ function registerBillingCommands(program2) {
         quantity,
         wait: options.wait,
         timeoutMs: options.timeout * 1e3,
-        openBrowser: browserOpener(options.open === false)
+        openBrowser: paymentBrowserOpener({ noOpen: options.open === false })
       });
       succeedSpinner("Plan quantity processed.");
       reportBillingResult(result, `Plan quantity: ${quantity}`);
@@ -4581,7 +4813,7 @@ Purchase ${quantity}\xD7 ${colors.cyan(addonKey)}?`);
         quantity,
         wait: options.wait,
         timeoutMs: options.timeout * 1e3,
-        openBrowser: browserOpener(options.open === false)
+        openBrowser: paymentBrowserOpener({ noOpen: options.open === false })
       });
       succeedSpinner("Addon purchase processed.");
       reportBillingResult(result, `Addon: ${addonKey} \xD7${quantity}`);
@@ -4863,16 +5095,16 @@ function formatDate4(date) {
 
 // src/lib/process.ts
 import { spawn } from "child_process";
-import { existsSync, readFileSync } from "fs";
-import { join } from "path";
+import { existsSync as existsSync2, readFileSync as readFileSync2 } from "fs";
+import { join as join2 } from "path";
 function readPackageJson(basePath) {
   const base = basePath || process.cwd();
-  const packagePath = join(base, "package.json");
-  if (!existsSync(packagePath)) {
+  const packagePath = join2(base, "package.json");
+  if (!existsSync2(packagePath)) {
     return null;
   }
   try {
-    const content = readFileSync(packagePath, "utf-8");
+    const content = readFileSync2(packagePath, "utf-8");
     return JSON.parse(content);
   } catch {
     return null;
@@ -4880,16 +5112,16 @@ function readPackageJson(basePath) {
 }
 function detectPackageManager(basePath) {
   const base = basePath || process.cwd();
-  if (existsSync(join(base, "bun.lockb")) || existsSync(join(base, "bun.lock"))) {
+  if (existsSync2(join2(base, "bun.lockb")) || existsSync2(join2(base, "bun.lock"))) {
     return "bun";
   }
-  if (existsSync(join(base, "pnpm-lock.yaml"))) {
+  if (existsSync2(join2(base, "pnpm-lock.yaml"))) {
     return "pnpm";
   }
-  if (existsSync(join(base, "yarn.lock"))) {
+  if (existsSync2(join2(base, "yarn.lock"))) {
     return "yarn";
   }
-  if (existsSync(join(base, "package-lock.json"))) {
+  if (existsSync2(join2(base, "package-lock.json"))) {
     return "npm";
   }
   const pkg = readPackageJson(basePath);
@@ -5044,7 +5276,7 @@ function getDefaultPort(pkg) {
   return framework?.defaultPort || 3e3;
 }
 function runCommand(command, env, options = {}) {
-  return new Promise((resolve3) => {
+  return new Promise((resolve4) => {
     const [cmd, ...args] = parseCommand(command);
     const spawnOptions = {
       cwd: options.cwd || process.cwd(),
@@ -5079,7 +5311,7 @@ function runCommand(command, env, options = {}) {
     child.on("close", (code, signal) => {
       process.off("SIGINT", handleSignal);
       process.off("SIGTERM", handleSignal);
-      resolve3({
+      resolve4({
         exitCode: code ?? 1,
         signal
       });
@@ -5088,7 +5320,7 @@ function runCommand(command, env, options = {}) {
       process.off("SIGINT", handleSignal);
       process.off("SIGTERM", handleSignal);
       console.error(`Failed to start process: ${err.message}`);
-      resolve3({
+      resolve4({
         exitCode: 1,
         signal: null
       });
@@ -5277,32 +5509,32 @@ function findApp2(apps, identifier) {
 }
 
 // src/commands/call.ts
-import { existsSync as existsSync2, mkdirSync, readFileSync as readFileSync2, writeFileSync } from "fs";
+import { existsSync as existsSync3, mkdirSync as mkdirSync2, readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "fs";
 import { homedir } from "os";
-import { join as join2 } from "path";
+import { join as join3 } from "path";
 var MANIFEST_TTL_MS = 5 * 60 * 1e3;
 function manifestCachePath() {
-  return join2(homedir(), ".tarout", "surface-manifest-cache.json");
+  return join3(homedir(), ".tarout", "surface-manifest-cache.json");
 }
 async function fetchManifestFresh(client, apiUrl) {
   const manifest = await client.settings.getSurfaceManifest.query();
   try {
-    const dir = join2(homedir(), ".tarout");
-    if (!existsSync2(dir)) mkdirSync(dir, { recursive: true });
+    const dir = join3(homedir(), ".tarout");
+    if (!existsSync3(dir)) mkdirSync2(dir, { recursive: true });
     let cache = {};
     try {
-      cache = JSON.parse(readFileSync2(manifestCachePath(), "utf8"));
+      cache = JSON.parse(readFileSync3(manifestCachePath(), "utf8"));
     } catch {
     }
     cache[apiUrl] = { at: Date.now(), manifest };
-    writeFileSync(manifestCachePath(), JSON.stringify(cache), { mode: 384 });
+    writeFileSync2(manifestCachePath(), JSON.stringify(cache), { mode: 384 });
   } catch {
   }
   return manifest;
 }
 async function loadManifest(client, apiUrl) {
   try {
-    const cache = JSON.parse(readFileSync2(manifestCachePath(), "utf8"));
+    const cache = JSON.parse(readFileSync3(manifestCachePath(), "utf8"));
     const entry = cache[apiUrl];
     if (entry && Date.now() - entry.at < MANIFEST_TTL_MS && Array.isArray(entry.manifest)) {
       return entry.manifest;
@@ -5362,7 +5594,7 @@ function registerCallCommand(program2) {
         );
       }
       let input2 = {};
-      const rawInput = opts.inputFile ? readFileSync2(opts.inputFile, "utf8") : opts.input;
+      const rawInput = opts.inputFile ? readFileSync3(opts.inputFile, "utf8") : opts.input;
       if (rawInput && rawInput.trim()) {
         try {
           input2 = JSON.parse(rawInput);
@@ -5493,18 +5725,51 @@ import { spawn as spawn2 } from "child_process";
 import { execFile } from "child_process";
 import {
   createReadStream,
-  existsSync as existsSync3,
+  existsSync as existsSync4,
   mkdtempSync,
   readdirSync,
-  readFileSync as readFileSync3,
+  readFileSync as readFileSync4,
   rmSync,
   statSync
 } from "fs";
 import { tmpdir } from "os";
-import { basename, dirname, join as join3 } from "path";
+import { basename, dirname, join as join4 } from "path";
 import { promisify } from "util";
 import open4 from "open";
 
+// src/lib/agent-setup.ts
+var SETUP_HINT = "Run `tarout agent init` to allowlist Bash(tarout:*) so tarout commands run without per-command approval prompts.";
+function isAgentDriven() {
+  return isJsonMode() || isNonInteractiveMode();
+}
+function ensureAgentSetup(cwd, disabled = false) {
+  if (disabled || !isAgentDriven() || hasTaroutAllowlist(cwd)) return;
+  const result = scaffoldAgentConfig({ cwd, agent: "claude" });
+  if (isJsonMode()) {
+    outputJsonLine({
+      type: "event",
+      event: "agent_setup_done",
+      files: result.files
+    });
+  } else {
+    for (const file of result.files) {
+      log(colors.dim(`  agent setup: ${file.action} ${file.path}`));
+    }
+  }
+}
+function emitAgentSetupHint(cwd) {
+  if (!isAgentDriven() || hasTaroutAllowlist(cwd)) return;
+  if (isJsonMode()) {
+    outputJsonLine({
+      type: "event",
+      event: "agent_setup_required",
+      hint: SETUP_HINT
+    });
+  } else {
+    warn(SETUP_HINT);
+  }
+}
+
 // src/lib/entitlement-remedy.ts
 var planKeyOf = (p) => p.planKey ?? p.key ?? "";
 var addonKeyOf = (a) => a.addonKey ?? a.key ?? "";
@@ -5603,13 +5868,13 @@ function streamDeploymentLogs(deploymentId, options) {
     }
   });
   let buffer = "";
-  const done = new Promise((resolve3) => {
+  const done = new Promise((resolve4) => {
     ws.on("close", (code, reason) => {
       if (buffer.length > 0) {
         options.onData(buffer);
       }
       options.onClose?.(code, reason.toString());
-      resolve3({ code, reason: reason.toString() });
+      resolve4({ code, reason: reason.toString() });
     });
   });
   ws.on("open", () => {
@@ -5868,7 +6133,7 @@ async function confirmRegion(region) {
   }
 }
 function inspectCurrentProject(cwd = process.cwd()) {
-  const packageJson = readJsonFile(join3(cwd, "package.json"));
+  const packageJson = readJsonFile(join4(cwd, "package.json"));
   const dependencies = new Set(
     Object.keys({
       ...packageJson?.dependencies ?? {},
@@ -5916,8 +6181,8 @@ function printProjectInspection(inspection) {
 }
 function readJsonFile(path) {
   try {
-    if (!existsSync3(path)) return null;
-    return JSON.parse(readFileSync3(path, "utf8"));
+    if (!existsSync4(path)) return null;
+    return JSON.parse(readFileSync4(path, "utf8"));
   } catch {
     return null;
   }
@@ -5926,7 +6191,7 @@ function readTextFile(path, maxBytes) {
   try {
     const stat = statSync(path);
     if (stat.size > maxBytes) return "";
-    return readFileSync3(path, "utf8");
+    return readFileSync4(path, "utf8");
   } catch {
     return "";
   }
@@ -5981,7 +6246,7 @@ function collectInspectableFiles(root) {
     }
     for (const entry of entries) {
       if (files.length >= 400) return;
-      const fullPath = join3(dir, entry.name);
+      const fullPath = join4(dir, entry.name);
       if (entry.isDirectory()) {
         if (!excludedDirs.has(entry.name)) walk(fullPath, depth + 1);
         continue;
@@ -6033,7 +6298,7 @@ function detectDatabase(dependencies, files, cwd) {
     }
   }
   const prismaSchema = readTextFile(
-    join3(cwd, "prisma", "schema.prisma"),
+    join4(cwd, "prisma", "schema.prisma"),
     256 * 1024
   );
   if (/provider\s*=\s*"postgresql"/i.test(prismaSchema)) {
@@ -6114,15 +6379,15 @@ function detectStorage(dependencies, files) {
   return { detected: reasons.length > 0, reasons: uniqueReasons(reasons) };
 }
 function detectGitSource(cwd) {
-  const gitPath = join3(cwd, ".git");
-  if (!existsSync3(gitPath)) return { hasGit: false };
-  let configPath = join3(gitPath, "config");
+  const gitPath = join4(cwd, ".git");
+  if (!existsSync4(gitPath)) return { hasGit: false };
+  let configPath = join4(gitPath, "config");
   try {
     const stat = statSync(gitPath);
     if (stat.isFile()) {
       const content = readTextFile(gitPath, 4096);
       const match = content.match(/gitdir:\s*(.+)/i);
-      if (match?.[1]) configPath = join3(cwd, match[1].trim(), "config");
+      if (match?.[1]) configPath = join4(cwd, match[1].trim(), "config");
     }
   } catch {
   }
@@ -6168,7 +6433,12 @@ async function resolveDeploymentTarget(client, profile, appIdentifier, options =
   }
   const linkedProject = getProjectConfig();
   const linkedApp = linkedProject ? findApp3(apps, linkedProject.applicationId) ?? findApp3(apps, linkedProject.name) : void 0;
-  if (linkedProject && !linkedApp && !isJsonMode()) {
+  if (linkedApp) {
+    return reuseAppTarget(client, profile, linkedApp, {
+      promptForSource: false
+    });
+  }
+  if (linkedProject && !isJsonMode()) {
     log("");
     log(
       colors.warn(
@@ -6181,12 +6451,10 @@ async function resolveDeploymentTarget(client, profile, appIdentifier, options =
     return createNewAppTarget(client, profile, options);
   }
   if (shouldSkipConfirmation()) {
-    if (linkedApp) return reuseAppTarget(client, profile, linkedApp);
     assertConfiguredSourceAllowsCreate(sourcePreference, true);
     return createNewAppTarget(client, profile, options);
   }
   const createValue = "__create__";
-  const orderedApps = linkedApp ? [linkedApp, ...apps.filter((a) => a.applicationId !== linkedApp.applicationId)] : apps;
   const selected = await select(
     "Create a new app or reuse an existing one?",
     [
@@ -6194,17 +6462,16 @@ async function resolveDeploymentTarget(client, profile, appIdentifier, options =
         name: `Create a new app from ${colors.cyan(basename(process.cwd()) || "this directory")}`,
         value: createValue
       },
-      ...orderedApps.map((app2) => ({
-        name: `Reuse ${app2.name} ${colors.dim(`(${app2.applicationId.slice(0, 8)})`)}${linkedApp && app2.applicationId === linkedApp.applicationId ? colors.dim(" \u2014 linked") : ""}`,
+      ...apps.map((app2) => ({
+        name: `Reuse ${app2.name} ${colors.dim(`(${app2.applicationId.slice(0, 8)})`)}`,
         value: app2.applicationId
       }))
     ],
     {
       field: "deploy_app",
-      flag: "--new-app to create a new app, or --app <id|name> to reuse an existing one",
+      flag: "--new-app to create a new app, or pass the app id or name as the positional argument (tarout deploy <id|name>) to reuse an existing one",
       context: {
-        linkedApp: linkedApp ? { id: linkedApp.applicationId, name: linkedApp.name } : null,
-        apps: orderedApps.map((a) => ({
+        apps: apps.map((a) => ({
           id: a.applicationId,
           name: a.name
         }))
@@ -6236,7 +6503,7 @@ async function createNewAppTarget(client, profile, options) {
     shouldUploadSource: true
   };
 }
-async function reuseAppTarget(client, profile, app) {
+async function reuseAppTarget(client, profile, app, opts = {}) {
   setProjectConfig({
     applicationId: app.applicationId,
     name: app.name,
@@ -6248,7 +6515,11 @@ async function reuseAppTarget(client, profile, app) {
     app,
     createdApp: false,
     hasConfiguredSource: hasConfiguredSource(details),
-    shouldUploadSource: await promptForLocalSourceIfNeeded(details)
+    // A deterministic redeploy (linked app) must not prompt for a source
+    // override — it silently reuses the app's existing source, or the current
+    // folder when `--source upload` is set downstream. Only an interactive
+    // menu reuse offers the override.
+    shouldUploadSource: opts.promptForSource === false ? shouldUseLocalSource(details, { linkedProject: true }) : await promptForLocalSourceIfNeeded(details)
   };
 }
 async function createAppFromCurrentDirectory(client, profile, options = {}) {
@@ -6400,9 +6671,7 @@ async function runInlineUpgrade(client, planKey) {
     planKey,
     wait: true,
     timeoutMs: 6e5,
-    openBrowser: isJsonMode() ? void 0 : async (url) => {
-      await open4(url);
-    },
+    openBrowser: paymentBrowserOpener(),
     onCheckoutOpened: ({ orderId, paymentUrl }) => {
       log("");
       log("Open this URL to complete payment:");
@@ -6452,9 +6721,7 @@ async function runInlineTargetedRemedy(client, remedy) {
     ...input2,
     wait: true,
     timeoutMs: 6e5,
-    openBrowser: isJsonMode() ? void 0 : async (url) => {
-      await open4(url);
-    },
+    openBrowser: paymentBrowserOpener(),
     onCheckoutOpened: ({ orderId, paymentUrl }) => {
       log("");
       log("Open this URL to complete payment:");
@@ -6651,7 +6918,8 @@ async function emitNeedsUpgrade(client, err, requestedPlan, retryCommand) {
     suggestedTarget: remedy.targetKey,
     nextCommand: remedy.command,
     options,
-    hint
+    hint,
+    permissionHint: AGENT_BILLING_PERMISSION_HINT
   });
 }
 async function listFreeDatabasesSafely(client) {
@@ -7725,8 +7993,8 @@ async function uploadCurrentDirectorySource(client, applicationId, appName) {
   }
 }
 async function createSourceArchive() {
-  const tempDir = mkdtempSync(join3(tmpdir(), "tarout-source-"));
-  const archivePath = join3(tempDir, "source.zip");
+  const tempDir = mkdtempSync(join4(tmpdir(), "tarout-source-"));
+  const archivePath = join4(tempDir, "source.zip");
   const excludes = [
     ".git/*",
     ".tarout/*",
@@ -7800,8 +8068,12 @@ function registerDeployCommands(program2) {
   ).option("--install-command <cmd>", "Custom install command").option("--build-command <cmd>", "Custom build command").option(
     "--output-directory <path>",
     "Build output directory (static assets)"
-  ).option("--start-command <cmd>", "Custom start command").option("-w, --wait", "Wait for deployment to complete and stream logs").option("--watch", "Alias for --wait").action(async (appIdentifier, options) => {
+  ).option("--start-command <cmd>", "Custom start command").option("-w, --wait", "Wait for deployment to complete and stream logs").option("--watch", "Alias for --wait").option(
+    "--no-agent-setup",
+    "Don't auto-write the agent permission allowlist (CLAUDE.md / .claude/settings.local.json) on first run"
+  ).action(async (appIdentifier, options) => {
     try {
+      ensureAgentSetup(process.cwd(), options.agentSetup === false);
       const inspection = inspectCurrentProject();
       printProjectInspection(inspection);
       const profile = await ensureAuthenticatedForDeploy(options);
@@ -8231,7 +8503,7 @@ function registerDeployCommands(program2) {
           name: `${colors.cyan(d.deploymentId.slice(0, 8))} - ${d.title || "Deployment"} (${formatDate5(d.createdAt)})${index === 0 ? colors.dim(" [current]") : ""}`,
           value: d.deploymentId
         }));
-        const { select: select2 } = await import("./prompts-JH6YBHHV.js");
+        const { select: select2 } = await import("./prompts-D72VJYWE.js");
         targetDeploymentId = await select2(
           "Select deployment:",
           choices,
@@ -8250,7 +8522,7 @@ function registerDeployCommands(program2) {
           `  Created: ${targetDeployment ? formatDate5(targetDeployment.createdAt) : colors.dim("unknown")}`
         );
         log("");
-        const { confirm: confirm2 } = await import("./prompts-JH6YBHHV.js");
+        const { confirm: confirm2 } = await import("./prompts-D72VJYWE.js");
         const confirmed = await confirm2(
           "Are you sure you want to rollback?",
           false,
@@ -8382,7 +8654,7 @@ function formatDate5(date) {
   });
 }
 function sleep(ms) {
-  return new Promise((resolve3) => setTimeout(resolve3, ms));
+  return new Promise((resolve4) => setTimeout(resolve4, ms));
 }
 async function streamDeploymentWithLogs(client, deploymentId, appName, applicationId) {
   stopSpinner();
@@ -11953,7 +12225,7 @@ function truncate(str, max) {
 }
 
 // src/commands/env.ts
-import { chmodSync, existsSync as existsSync4, readFileSync as readFileSync4, writeFileSync as writeFileSync2 } from "fs";
+import { chmodSync, existsSync as existsSync5, readFileSync as readFileSync5, writeFileSync as writeFileSync3 } from "fs";
 function registerEnvCommands(program2) {
   const env = program2.command("env").argument("<app>", "Application ID or name").description("Manage environment variables");
   env.command("list").alias("ls").description("List all environment variables").option("--reveal", "Show actual values (not masked)").action(async (options, command) => {
@@ -12113,7 +12385,7 @@ function registerEnvCommands(program2) {
         );
         throw new NotFoundError("Application", appIdentifier, suggestions);
       }
-      if (existsSync4(options.output) && !shouldSkipConfirmation()) {
+      if (existsSync5(options.output) && !shouldSkipConfirmation()) {
         succeedSpinner();
         const confirmed = await confirm(
           `File ${options.output} already exists. Overwrite?`,
@@ -12134,7 +12406,7 @@ function registerEnvCommands(program2) {
         format: "dotenv",
         maskSecrets: !options.reveal
       });
-      writeFileSync2(options.output, result.content, { mode: 384 });
+      writeFileSync3(options.output, result.content, { mode: 384 });
       try {
         chmodSync(options.output, 384);
       } catch {
@@ -12153,10 +12425,10 @@ function registerEnvCommands(program2) {
     try {
       if (!isLoggedIn()) throw new AuthError();
       const appIdentifier = command.parent.parent.args[0];
-      if (!existsSync4(options.input)) {
+      if (!existsSync5(options.input)) {
         throw new InvalidArgumentError(`File not found: ${options.input}`);
       }
-      const content = readFileSync4(options.input, "utf-8");
+      const content = readFileSync5(options.input, "utf-8");
       const client = getApiClient();
       const _spinner = startSpinner("Uploading environment variables...");
       const apps = await client.application.allByOrganization.query();
@@ -12380,7 +12652,7 @@ ${colors.bold(key)}: ${maskValue(val.value || String(v))}
       } else {
         const _raw = await import("process");
         log('Enter JSON key-value object (e.g. {"KEY":"value"}):');
-        const input2 = await (await import("./prompts-JH6YBHHV.js")).input(
+        const input2 = await (await import("./prompts-D72VJYWE.js")).input(
           "JSON:"
         );
         vars = JSON.parse(input2);
@@ -12403,7 +12675,7 @@ ${colors.bold(key)}: ${maskValue(val.value || String(v))}
     try {
       if (!isLoggedIn()) throw new AuthError();
       if (!shouldSkipConfirmation()) {
-        const { confirm: confirmFn } = await import("./prompts-JH6YBHHV.js");
+        const { confirm: confirmFn } = await import("./prompts-D72VJYWE.js");
         const ok = await confirmFn(
           `Delete ${keys.length} variable(s)?`,
           false
@@ -12442,7 +12714,7 @@ ${colors.bold(key)}: ${maskValue(val.value || String(v))}
       );
       if (!app) throw new NotFoundError("Application", appIdentifier);
       if (!shouldSkipConfirmation()) {
-        const { confirm: confirmFn } = await import("./prompts-JH6YBHHV.js");
+        const { confirm: confirmFn } = await import("./prompts-D72VJYWE.js");
         const ok = await confirmFn(
           `Copy env vars from ${fromEnvId} to ${toEnvId}?`,
           false
@@ -12890,8 +13162,8 @@ function registerInboxCommands(program2) {
 }
 
 // src/commands/init.ts
-import { existsSync as existsSync5, writeFileSync as writeFileSync3 } from "fs";
-import { basename as basename2, join as join4, resolve } from "path";
+import { existsSync as existsSync6, writeFileSync as writeFileSync4 } from "fs";
+import { basename as basename2, join as join5, resolve as resolve2 } from "path";
 var DEFAULT_REGION2 = "me-central2";
 var STARTER_INDEX_JS = `import { createServer } from "node:http";
 
@@ -12909,8 +13181,8 @@ function toPackageName(name) {
 }
 function scaffoldStarter(cwd) {
   const written = [];
-  const pkgPath = join4(cwd, "package.json");
-  if (existsSync5(pkgPath)) return written;
+  const pkgPath = join5(cwd, "package.json");
+  if (existsSync6(pkgPath)) return written;
   const pkg = {
     name: toPackageName(basename2(cwd) || "tarout-app"),
     version: "0.1.0",
@@ -12918,12 +13190,12 @@ function scaffoldStarter(cwd) {
     type: "module",
     scripts: { start: "node index.js", dev: "node index.js" }
   };
-  writeFileSync3(pkgPath, `${JSON.stringify(pkg, null, 2)}
+  writeFileSync4(pkgPath, `${JSON.stringify(pkg, null, 2)}
 `);
   written.push("package.json");
-  const indexPath = join4(cwd, "index.js");
-  if (!existsSync5(indexPath)) {
-    writeFileSync3(indexPath, STARTER_INDEX_JS);
+  const indexPath = join5(cwd, "index.js");
+  if (!existsSync6(indexPath)) {
+    writeFileSync4(indexPath, STARTER_INDEX_JS);
     written.push("index.js");
   }
   return written;
@@ -12935,9 +13207,9 @@ function writeEnvFile(cwd, vars) {
   const lines = Object.entries(vars).map(
     ([k, v]) => `${k}=${envValueNeedsQuote(v) ? JSON.stringify(v) : v}`
   );
-  const primary = join4(cwd, ".env");
-  const target = existsSync5(primary) ? join4(cwd, ".env.tarout") : primary;
-  writeFileSync3(target, `${lines.join("\n")}
+  const primary = join5(cwd, ".env");
+  const target = existsSync6(primary) ? join5(cwd, ".env.tarout") : primary;
+  writeFileSync4(target, `${lines.join("\n")}
 `, { mode: 384 });
   return target;
 }
@@ -12954,10 +13226,14 @@ function registerInitCommand(program2) {
   ).option("-r, --region <region>", "Deployment region", DEFAULT_REGION2).option("--description <text>", "Description for the newly created app").option(
     "--database <type>",
     "Provision a database: none, postgres, or mysql (defaults to auto-detected)"
-  ).option("--database-plan <plan>", "Database plan (e.g. free, starter)").option("--storage", "Provision file storage").option("--storage-plan <plan>", "Storage plan (e.g. free, starter)").option("--scaffold", "Write a minimal starter app if the directory is empty").option("--no-env-write", "Do not write a local .env file with connection strings").action(async (cwdArg, options) => {
+  ).option("--database-plan <plan>", "Database plan (e.g. free, starter)").option("--storage", "Provision file storage").option("--storage-plan <plan>", "Storage plan (e.g. free, starter)").option("--scaffold", "Write a minimal starter app if the directory is empty").option("--no-env-write", "Do not write a local .env file with connection strings").option(
+    "--no-agent-setup",
+    "Don't auto-write the agent permission allowlist (CLAUDE.md / .claude/settings.local.json) on first run"
+  ).action(async (cwdArg, options) => {
     try {
-      const cwd = cwdArg ? resolve(cwdArg) : process.cwd();
+      const cwd = cwdArg ? resolve2(cwdArg) : process.cwd();
       if (cwdArg) process.chdir(cwd);
+      ensureAgentSetup(cwd, options.agentSetup === false);
       if (options.scaffold) {
         const files = scaffoldStarter(cwd);
         emitEvent({ event: "scaffold_done", files });
@@ -13019,7 +13295,8 @@ function registerInitCommand(program2) {
             outputError("NEEDS_UPGRADE", message, {
               suggestedPlan: inferSuggestedPlan(options.plan),
               failedEntitlementKey: extractEntitlementKeyFromError(err),
-              hint: "Run `tarout billing upgrade <plan> --wait` to add slots, then retry `tarout init`."
+              hint: "Run `tarout billing upgrade <plan> --wait` to add slots, then retry `tarout init`.",
+              permissionHint: AGENT_BILLING_PERMISSION_HINT
             });
             exit(ExitCode.PERMISSION_DENIED);
           }
@@ -13156,8 +13433,8 @@ function registerKeysCommands(program2) {
         });
       }
       if (!publicKey && options.file) {
-        const { readFileSync: readFileSync5 } = await import("fs");
-        publicKey = readFileSync5(options.file, "utf-8").trim();
+        const { readFileSync: readFileSync6 } = await import("fs");
+        publicKey = readFileSync6(options.file, "utf-8").trim();
       }
       if (!publicKey) {
         log(
@@ -19345,7 +19622,7 @@ function truncate3(str, max) {
 }
 
 // src/commands/up.ts
-import { resolve as resolve2 } from "path";
+import { resolve as resolve3 } from "path";
 var DEFAULT_REGION3 = "me-central2";
 function normalizeSource(value) {
   if (!value) return "upload";
@@ -19402,10 +19679,14 @@ function registerUpCommand(program2) {
   ).option("--start-command <cmd>", "Custom start command").option(
     "--idempotency-key <key>",
     "Idempotency key for safe retries (Phase 2; logged only in v1)"
+  ).option(
+    "--no-agent-setup",
+    "Don't auto-write the agent permission allowlist (CLAUDE.md / .claude/settings.local.json) on first run"
   ).action(async (cwdArg, options) => {
     try {
-      const cwd = cwdArg ? resolve2(cwdArg) : process.cwd();
+      const cwd = cwdArg ? resolve3(cwdArg) : process.cwd();
       if (cwdArg) process.chdir(cwd);
+      ensureAgentSetup(cwd, options.agentSetup === false);
       const source = normalizeSource(options.source);
       const idempotencyKey = options.idempotencyKey?.trim();
       if (idempotencyKey) {
@@ -19905,7 +20186,7 @@ var program = new Command();
 program.name("tarout").description("Tarout PaaS Command Line Interface").version(package_default.version).option("--json", "Output as JSON (machine-readable)").option("-y, --yes", "Skip all confirmation prompts").option(
   "--non-interactive",
   "Fail fast on missing input (emit needs_input + exit 6 instead of prompting on TTY)"
-).option("-q, --quiet", "Minimal output").option("-v, --verbose", "Extra debug information").option("--no-color", "Disable colored output").hook("preAction", (thisCommand) => {
+).option("-q, --quiet", "Minimal output").option("-v, --verbose", "Extra debug information").option("--no-color", "Disable colored output").hook("preAction", (thisCommand, actionCommand) => {
   const opts = thisCommand.opts();
   const stdinIsTTY = Boolean(process.stdin.isTTY);
   setGlobalOptions({
@@ -19916,11 +20197,18 @@ program.name("tarout").description("Tarout PaaS Command Line Interface").version
     verbose: opts.verbose || false,
     noColor: opts.color === false
   });
+  const sub = actionCommand?.name();
+  const isAgentNamespace = actionCommand?.parent?.name() === "agent";
+  const autoRunsSetup = !!sub && ["up", "deploy", "init"].includes(sub);
+  if (!isAgentNamespace && !autoRunsSetup) {
+    emitAgentSetupHint(process.cwd());
+  }
 });
 registerAuthCommands(program);
 registerAppsCommands(program);
 registerDeployCommands(program);
 registerInitCommand(program);
+registerAgentCommands(program);
 registerUpCommand(program);
 registerLogsCommand(program);
 registerEnvCommands(program);

package/dist/{prompts-JH6YBHHV.js → prompts-D72VJYWE.js}

@@ -4,8 +4,8 @@ import {
   password,
   promptOrEmit,
   select
-} from "./chunk-DI66W4S5.js";
-import "./chunk-K7JK5HIL.js";
+} from "./chunk-OPPZGNJX.js";
+import "./chunk-WKITMZ4U.js";
 export {
   confirm,
   input,

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@tarout/cli",
-	"version": "0.7.2",
+	"version": "0.10.0",
 	"description": "Tarout CLI — the Saudi cloud platform for coding agents",
 	"type": "module",
 	"bin": {