@vendian/cli 0.0.40 → 0.0.42

package/cli-wrapper.mjs

@@ -33,446 +33,115 @@ var init_constants = __esm({
   }
 });
 
-// src/auth.js
-var auth_exports = {};
-__export(auth_exports, {
-  activateCloudProfile: () => activateCloudProfile,
-  activeCloudAuthStatus: () => activeCloudAuthStatus,
-  buildLinuxOpenCommand: () => buildLinuxOpenCommand,
-  buildMacOpenCommand: () => buildMacOpenCommand,
-  buildWindowsOpenCommand: () => buildWindowsOpenCommand,
-  cloudAuthStatus: () => cloudAuthStatus,
-  cloudConfigPath: () => cloudConfigPath,
-  fetchPackageCredentials: () => fetchPackageCredentials,
-  loadCloudConfig: () => loadCloudConfig,
-  loginWithVendianOAuth: () => loginWithVendianOAuth,
-  resolveApiUrl: () => resolveApiUrl,
-  saveCloudToken: () => saveCloudToken
-});
-import crypto from "node:crypto";
-import http from "node:http";
-import fs6 from "node:fs";
-import path5 from "node:path";
-import { spawnSync as spawnSync3 } from "node:child_process";
-function resolveApiUrl({ backend, apiUrl, env = process.env } = {}) {
-  if (apiUrl) {
-    return apiUrl.replace(/\/$/, "");
+// src/paths.js
+import os from "node:os";
+import path from "node:path";
+function pathApi(platform) {
+  return platform === "win32" ? path.win32 : path.posix;
+}
+function homeDir(env, platform) {
+  if (platform === "win32") {
+    return env.USERPROFILE || os.homedir();
   }
-  if (env.VENDIAN_API_URL) {
-    return env.VENDIAN_API_URL.replace(/\/$/, "");
+  return env.HOME || os.homedir();
+}
+function vendianHome(env = process.env, platform = process.platform) {
+  if (env.VENDIAN_CLI_HOME) {
+    return pathApi(platform).resolve(env.VENDIAN_CLI_HOME);
   }
-  const target = backend || "prod";
-  const resolved = BACKEND_TARGETS[target];
-  if (!resolved) {
-    throw new Error(`Unknown Vendian backend '${target}'. Use local, dev, staging, prod, or --api-url.`);
+  if (platform === "win32") {
+    const root = env.LOCALAPPDATA || path.win32.join(homeDir(env, platform), "AppData", "Local");
+    return path.win32.join(root, "Vendian", "cli");
   }
-  return resolved;
+  return path.posix.join(homeDir(env, platform), ".vendian", "cli");
 }
-async function loginWithVendianOAuth({ backend, apiUrl, noBrowser = false, env = process.env } = {}) {
-  const resolvedApiUrl = resolveApiUrl({ backend, apiUrl, env });
-  const callback = await createCallbackServer(env);
-  try {
-    const config = await getOAuthConfig(resolvedApiUrl, callback.redirectUri);
-    const codeVerifier = crypto.randomBytes(48).toString("base64url");
-    const codeChallenge = crypto.createHash("sha256").update(codeVerifier).digest("base64url");
-    const state = crypto.randomBytes(18).toString("base64url");
-    const authorizationUrl = authorizationUrlFor(config, { state, codeChallenge });
-    if (noBrowser) {
-      console.error(`Open this URL to authenticate the CLI: ${authorizationUrl}`);
-    } else {
-      openBrowser(authorizationUrl);
-    }
-    const callbackResult = await callback.wait();
-    if (callbackResult.state !== state) {
-      throw new Error("OAuth state mismatch");
-    }
-    const clerkToken = await exchangeCodeForClerkToken(config, callbackResult.code, codeVerifier, callback.redirectUri);
-    const exchange = await postJson(`${resolvedApiUrl}/api/v1/cli/auth/oauth/exchange`, {
-      clerkToken
-    });
-    return { apiUrl: resolvedApiUrl, ...exchange };
-  } finally {
-    await callback.close();
+function configPath(env = process.env, platform = process.platform) {
+  if (env.VENDIAN_CLI_CONFIG) {
+    return pathApi(platform).resolve(env.VENDIAN_CLI_CONFIG);
   }
+  return pathApi(platform).join(vendianHome(env, platform), "config.json");
 }
-async function fetchPackageCredentials({ apiUrl, accessToken }) {
-  if (!apiUrl || !accessToken) {
-    return void 0;
+function managedVenvPath(env = process.env, platform = process.platform) {
+  if (env.VENDIAN_CLI_VENV) {
+    return pathApi(platform).resolve(env.VENDIAN_CLI_VENV);
   }
-  const payload = await getJson(`${String(apiUrl).replace(/\/$/, "")}/api/v1/cli/package-credentials`, {
-    Authorization: `Bearer ${accessToken}`
-  });
-  return payload.packageCredentials;
+  return pathApi(platform).join(vendianHome(env, platform), ".venv");
 }
-function loadCloudConfig(env = process.env, platform = process.platform) {
-  const file = cloudConfigPath(env, platform);
+function venvPython(venvPath, platform = process.platform) {
+  return platform === "win32" ? path.win32.join(venvPath, "Scripts", "python.exe") : path.posix.join(venvPath, "bin", "python");
+}
+function venvVendian(venvPath, platform = process.platform) {
+  return platform === "win32" ? path.win32.join(venvPath, "Scripts", "vendian.exe") : path.posix.join(venvPath, "bin", "vendian");
+}
+var init_paths = __esm({
+  "src/paths.js"() {
+  }
+});
+
+// src/config.js
+import fs from "node:fs";
+import path2 from "node:path";
+function loadConfig(env = process.env, platform = process.platform) {
+  const file = configPath(env, platform);
   try {
-    const parsed = JSON.parse(fs6.readFileSync(file, "utf8"));
-    return parsed && typeof parsed === "object" ? parsed : {};
-  } catch {
+    const parsed = JSON.parse(fs.readFileSync(file, "utf8"));
+    return typeof parsed === "object" && parsed !== null ? parsed : {};
+  } catch (error) {
+    if (error && error.code === "ENOENT") {
+      return {};
+    }
     return {};
   }
 }
-function cloudAuthStatus({ backend, apiUrl, env = process.env, platform = process.platform } = {}) {
-  const targetApiUrl = resolveApiUrl({ backend, apiUrl, env });
-  const config = loadCloudConfig(env, platform);
-  const profiles = config.profiles && typeof config.profiles === "object" ? config.profiles : {};
-  const profile = profiles[targetApiUrl];
-  return {
-    apiUrl: targetApiUrl,
-    activeApiUrl: typeof config.active_api_url === "string" ? config.active_api_url : void 0,
-    profile: profile && typeof profile === "object" ? profile : void 0,
-    authenticated: Boolean(profile?.access_token),
-    email: typeof profile?.email === "string" ? profile.email : void 0,
-    expiresAt: typeof profile?.expires_at === "string" ? profile.expires_at : void 0,
-    profiles
-  };
-}
-function activeCloudAuthStatus({ env = process.env, platform = process.platform } = {}) {
-  const config = loadCloudConfig(env, platform);
-  const profiles = config.profiles && typeof config.profiles === "object" ? config.profiles : {};
-  const apiUrl = typeof config.active_api_url === "string" ? config.active_api_url : void 0;
-  const profile = apiUrl ? profiles[apiUrl] : void 0;
-  return {
-    apiUrl,
-    activeApiUrl: apiUrl,
-    profile: profile && typeof profile === "object" ? profile : void 0,
-    authenticated: Boolean(profile?.access_token),
-    email: typeof profile?.email === "string" ? profile.email : void 0,
-    expiresAt: typeof profile?.expires_at === "string" ? profile.expires_at : void 0,
-    profiles
-  };
+function saveConfig(config, env = process.env, platform = process.platform) {
+  const file = configPath(env, platform);
+  fs.mkdirSync(path2.dirname(file), { recursive: true });
+  const next = { version: CONFIG_VERSION, ...config };
+  fs.writeFileSync(file, `${JSON.stringify(next, null, 2)}
+`, { encoding: "utf8", mode: 384 });
+  try {
+    fs.chmodSync(file, 384);
+  } catch {
+  }
+  return file;
 }
-function activateCloudProfile({ backend, apiUrl, env = process.env, platform = process.platform } = {}) {
-  const targetApiUrl = resolveApiUrl({ backend, apiUrl, env });
-  const config = loadCloudConfig(env, platform);
-  const profiles = config.profiles && typeof config.profiles === "object" ? config.profiles : {};
-  const profile = profiles[targetApiUrl];
-  if (!profile || typeof profile !== "object" || !profile.access_token) {
-    return {
-      apiUrl: targetApiUrl,
-      activeApiUrl: typeof config.active_api_url === "string" ? config.active_api_url : void 0,
-      authenticated: false,
-      activated: false,
-      profiles
-    };
+var init_config = __esm({
+  "src/config.js"() {
+    init_constants();
+    init_paths();
   }
-  const next = {
-    ...config,
-    version: config.version || 2,
-    profiles,
-    active_api_url: targetApiUrl
-  };
-  writeCloudConfig(next, { env, platform });
+});
+
+// src/process.js
+import { spawn, spawnSync } from "node:child_process";
+function commandExists(command) {
+  const result = spawnSync(command, ["--version"], { stdio: "ignore", shell: false });
+  return result.status === 0;
+}
+function runCapture(command, args, options = {}) {
+  const result = spawnSync(command, args, {
+    encoding: "utf8",
+    shell: false,
+    ...options
+  });
+  const errorMessage = result.error && typeof result.error.message === "string" ? result.error.message : "";
   return {
-    apiUrl: targetApiUrl,
-    activeApiUrl: targetApiUrl,
-    profile,
-    authenticated: true,
-    activated: true,
-    email: typeof profile.email === "string" ? profile.email : void 0,
-    expiresAt: typeof profile.expires_at === "string" ? profile.expires_at : void 0,
-    profiles
+    ok: !result.error && result.status === 0,
+    status: result.status ?? 1,
+    stdout: result.stdout || "",
+    stderr: result.stderr || errorMessage
   };
 }
-async function getOAuthConfig(apiUrl, redirectUri) {
-  const url = new URL(`${apiUrl}/api/v1/cli/auth/oauth/config`);
-  url.searchParams.set("redirectUri", redirectUri);
-  return getJson(url);
-}
-function authorizationUrlFor(config, { state, codeChallenge }) {
-  const url = new URL(String(config.authorizationUrl));
-  url.searchParams.set("response_type", "code");
-  url.searchParams.set("client_id", String(config.clientId));
-  url.searchParams.set("redirect_uri", String(config.redirectUri));
-  url.searchParams.set("scope", String(config.scopes || "email profile"));
-  url.searchParams.set("state", state);
-  url.searchParams.set("code_challenge", codeChallenge);
-  url.searchParams.set("code_challenge_method", "S256");
-  return url.toString();
-}
-async function exchangeCodeForClerkToken(config, code, codeVerifier, redirectUri) {
-  const body = new URLSearchParams({
-    grant_type: "authorization_code",
-    client_id: String(config.clientId),
-    code,
-    redirect_uri: redirectUri,
-    code_verifier: codeVerifier
+function runInherit(command, args, options = {}) {
+  const result = spawnSync(command, args, {
+    stdio: "inherit",
+    shell: false,
+    ...options
   });
-  const payload = await postForm(String(config.tokenUrl), body);
-  const token = payload.access_token || payload.id_token;
-  if (!token) {
-    throw new Error("OAuth token exchange did not return a Clerk token");
+  if (result.error) {
+    throw result.error;
   }
-  return String(token);
-}
-async function getJson(url, headers = {}) {
-  const response = await fetch(url, { headers: { Accept: "application/json", ...headers } });
-  return decodeResponse(response);
-}
-async function postJson(url, body) {
-  const response = await fetch(url, {
-    method: "POST",
-    headers: { Accept: "application/json", "Content-Type": "application/json" },
-    body: JSON.stringify(body)
-  });
-  return decodeResponse(response);
-}
-async function postForm(url, body) {
-  const response = await fetch(url, {
-    method: "POST",
-    headers: { Accept: "application/json", "Content-Type": "application/x-www-form-urlencoded" },
-    body
-  });
-  return decodeResponse(response);
-}
-async function decodeResponse(response) {
-  const text = await response.text();
-  let payload = {};
-  if (text) {
-    try {
-      payload = JSON.parse(text);
-    } catch {
-      payload = { error: text };
-    }
-  }
-  if (!response.ok) {
-    throw new Error(payload.message || payload.error || `HTTP ${response.status}`);
-  }
-  return payload;
-}
-async function createCallbackServer(env) {
-  const port = Number(env.VENDIAN_CLI_OAUTH_REDIRECT_PORT || DEFAULT_OAUTH_REDIRECT_PORT);
-  let server;
-  let settled = false;
-  let timeout;
-  const waitPromise = new Promise((resolve, reject) => {
-    timeout = setTimeout(() => {
-      settled = true;
-      reject(new Error("OAuth login timed out before callback completed"));
-    }, 3e5);
-    server = http.createServer((req, res) => {
-      const url = new URL(req.url || "/", `http://${req.headers.host || "127.0.0.1"}`);
-      const code = url.searchParams.get("code");
-      const state = url.searchParams.get("state");
-      const error = url.searchParams.get("error");
-      const body = code ? "Vendian CLI authentication complete. You can close this window." : "Vendian CLI authentication failed. Return to the terminal.";
-      res.writeHead(code ? 200 : 400, {
-        "Content-Type": "text/plain; charset=utf-8",
-        "Content-Length": Buffer.byteLength(body)
-      });
-      res.end(body);
-      clearTimeout(timeout);
-      if (settled) {
-        return;
-      }
-      settled = true;
-      if (error) {
-        reject(new Error(`OAuth login failed: ${error}`));
-        return;
-      }
-      if (!code) {
-        reject(new Error("OAuth callback did not include an authorization code"));
-        return;
-      }
-      resolve({ code, state });
-    });
-    server.on("error", reject);
-    server.listen(port, "127.0.0.1");
-  });
-  await new Promise((resolve, reject) => {
-    server.once("listening", resolve);
-    server.once("error", reject);
-  });
-  return {
-    redirectUri: `http://127.0.0.1:${server.address().port}/callback`,
-    wait: () => waitPromise,
-    close: () => new Promise((resolve) => server.close(resolve))
-  };
-}
-function openBrowser(url) {
-  const platform = process.platform;
-  if (platform === "win32") {
-    spawnSync3(...buildWindowsOpenCommand(url), { stdio: "ignore", shell: false });
-    return;
-  }
-  if (platform === "darwin") {
-    spawnSync3(...buildMacOpenCommand(url), { stdio: "ignore", shell: false });
-    return;
-  }
-  spawnSync3(...buildLinuxOpenCommand(url), { stdio: "ignore", shell: false });
-}
-function buildWindowsOpenCommand(url) {
-  return ["rundll32.exe", ["url.dll,FileProtocolHandler", String(url)]];
-}
-function buildMacOpenCommand(url) {
-  return ["open", [String(url)]];
-}
-function buildLinuxOpenCommand(url) {
-  return ["xdg-open", [String(url)]];
-}
-function cloudConfigPath(env = process.env, platform = process.platform) {
-  if (env.VENDIAN_CLOUD_CONFIG) {
-    return path5.resolve(env.VENDIAN_CLOUD_CONFIG);
-  }
-  if (platform === "win32") {
-    const root2 = env.APPDATA || path5.join(process.env.USERPROFILE || "", "AppData", "Roaming");
-    return path5.win32.join(root2, "Vendian", "cloud-auth.json");
-  }
-  const root = env.XDG_CONFIG_HOME || path5.join(process.env.HOME || "", ".config");
-  return path5.posix.join(root, "vendian", "cloud-auth.json");
-}
-function saveCloudToken(token, { env = process.env, platform = process.platform } = {}) {
-  const tokenApiUrl = String(token.apiUrl || "").replace(/\/$/, "");
-  let raw = { version: 2, profiles: {}, active_api_url: token.apiUrl };
-  try {
-    const existing = loadCloudConfig(env, platform);
-    if (existing && typeof existing === "object" && existing.profiles && typeof existing.profiles === "object") {
-      raw.profiles = existing.profiles;
-    }
-  } catch {
-  }
-  raw.active_api_url = tokenApiUrl;
-  raw.profiles[tokenApiUrl] = {
-    api_url: tokenApiUrl,
-    access_token: token.accessToken,
-    user_id: token.userId,
-    email: token.email,
-    expires_at: token.expiresAt,
-    scopes: token.scopes,
-    tooling_eligible: token.toolingEligible
-  };
-  return writeCloudConfig(raw, { env, platform });
-}
-function writeCloudConfig(raw, { env = process.env, platform = process.platform } = {}) {
-  const file = cloudConfigPath(env, platform);
-  fs6.mkdirSync(path5.dirname(file), { recursive: true });
-  fs6.writeFileSync(file, `${JSON.stringify(raw, null, 2)}
-`, { encoding: "utf8", mode: 384 });
-  try {
-    fs6.chmodSync(file, 384);
-  } catch {
-  }
-  return file;
-}
-var DEFAULT_OAUTH_REDIRECT_PORT;
-var init_auth = __esm({
-  "src/auth.js"() {
-    init_constants();
-    DEFAULT_OAUTH_REDIRECT_PORT = 8765;
-  }
-});
-
-// src/doctor.js
-import fs4 from "node:fs";
-
-// src/config.js
-init_constants();
-import fs from "node:fs";
-import path2 from "node:path";
-
-// src/paths.js
-import os from "node:os";
-import path from "node:path";
-function pathApi(platform) {
-  return platform === "win32" ? path.win32 : path.posix;
-}
-function homeDir(env, platform) {
-  if (platform === "win32") {
-    return env.USERPROFILE || os.homedir();
-  }
-  return env.HOME || os.homedir();
-}
-function vendianHome(env = process.env, platform = process.platform) {
-  if (env.VENDIAN_CLI_HOME) {
-    return pathApi(platform).resolve(env.VENDIAN_CLI_HOME);
-  }
-  if (platform === "win32") {
-    const root = env.LOCALAPPDATA || path.win32.join(homeDir(env, platform), "AppData", "Local");
-    return path.win32.join(root, "Vendian", "cli");
-  }
-  return path.posix.join(homeDir(env, platform), ".vendian", "cli");
-}
-function configPath(env = process.env, platform = process.platform) {
-  if (env.VENDIAN_CLI_CONFIG) {
-    return pathApi(platform).resolve(env.VENDIAN_CLI_CONFIG);
-  }
-  return pathApi(platform).join(vendianHome(env, platform), "config.json");
-}
-function managedVenvPath(env = process.env, platform = process.platform) {
-  if (env.VENDIAN_CLI_VENV) {
-    return pathApi(platform).resolve(env.VENDIAN_CLI_VENV);
-  }
-  return pathApi(platform).join(vendianHome(env, platform), ".venv");
-}
-function venvPython(venvPath, platform = process.platform) {
-  return platform === "win32" ? path.win32.join(venvPath, "Scripts", "python.exe") : path.posix.join(venvPath, "bin", "python");
-}
-function venvVendian(venvPath, platform = process.platform) {
-  return platform === "win32" ? path.win32.join(venvPath, "Scripts", "vendian.exe") : path.posix.join(venvPath, "bin", "vendian");
-}
-
-// src/config.js
-function loadConfig(env = process.env, platform = process.platform) {
-  const file = configPath(env, platform);
-  try {
-    const parsed = JSON.parse(fs.readFileSync(file, "utf8"));
-    return typeof parsed === "object" && parsed !== null ? parsed : {};
-  } catch (error) {
-    if (error && error.code === "ENOENT") {
-      return {};
-    }
-    return {};
-  }
-}
-function saveConfig(config, env = process.env, platform = process.platform) {
-  const file = configPath(env, platform);
-  fs.mkdirSync(path2.dirname(file), { recursive: true });
-  const next = { version: CONFIG_VERSION, ...config };
-  fs.writeFileSync(file, `${JSON.stringify(next, null, 2)}
-`, { encoding: "utf8", mode: 384 });
-  try {
-    fs.chmodSync(file, 384);
-  } catch {
-  }
-  return file;
-}
-
-// src/install.js
-init_constants();
-import fs3 from "node:fs";
-import path3 from "node:path";
-
-// src/process.js
-import { spawn, spawnSync } from "node:child_process";
-function commandExists(command) {
-  const result = spawnSync(command, ["--version"], { stdio: "ignore", shell: false });
-  return result.status === 0;
-}
-function runCapture(command, args, options = {}) {
-  const result = spawnSync(command, args, {
-    encoding: "utf8",
-    shell: false,
-    ...options
-  });
-  const errorMessage = result.error && typeof result.error.message === "string" ? result.error.message : "";
-  return {
-    ok: !result.error && result.status === 0,
-    status: result.status ?? 1,
-    stdout: result.stdout || "",
-    stderr: result.stderr || errorMessage
-  };
-}
-function runInherit(command, args, options = {}) {
-  const result = spawnSync(command, args, {
-    stdio: "inherit",
-    shell: false,
-    ...options
-  });
-  if (result.error) {
-    throw result.error;
-  }
-  return result.status ?? 1;
+  return result.status ?? 1;
 }
 function spawnForward(command, args, options = {}) {
   return new Promise((resolve, reject) => {
@@ -514,6 +183,10 @@ function killProcessTree(child, {
     return false;
   }
 }
+var init_process = __esm({
+  "src/process.js"() {
+  }
+});
 
 // src/python.js
 import fs2 from "node:fs";
@@ -601,12 +274,15 @@ function verifyVendianImports(pythonPath) {
   ]);
   return result.ok;
 }
+var init_python = __esm({
+  "src/python.js"() {
+    init_process();
+    init_paths();
+  }
+});
 
 // src/secret-store.js
 import { spawnSync as spawnSync2 } from "node:child_process";
-var SERVICE = "Vendian CLI";
-var PACKAGE_TOKEN_ACCOUNT = "gitlab-package-token";
-var SECRET_STORE_TIMEOUT_MS = 5e3;
 function run(command, args, options = {}) {
   return spawnSync2(command, args, {
     encoding: "utf8",
@@ -703,9 +379,19 @@ function loadPackageTokenSecret(config = {}, platform = process.platform) {
   }
   return "";
 }
+var SERVICE, PACKAGE_TOKEN_ACCOUNT, SECRET_STORE_TIMEOUT_MS;
+var init_secret_store = __esm({
+  "src/secret-store.js"() {
+    SERVICE = "Vendian CLI";
+    PACKAGE_TOKEN_ACCOUNT = "gitlab-package-token";
+    SECRET_STORE_TIMEOUT_MS = 5e3;
+  }
+});
 
 // src/install.js
-function registryConfig(config = {}, env = process.env, platform = process.platform) {
+import fs3 from "node:fs";
+import path3 from "node:path";
+function registryConfig(config = {}, env = process.env, platform = process.platform) {
   const gitlabHost = env.GITLAB_HOST || config.gitlabHost || DEFAULT_GITLAB_HOST;
   const username = env.GITLAB_USERNAME || config.gitlabUsername || "__token__";
   const sdkProjectId = env.SDK_PUBLIC_PROJECT_ID || config.sdkPublicProjectId || DEFAULT_SDK_PUBLIC_PROJECT_ID;
@@ -786,267 +472,379 @@ function writeInstallMarker(venvPath, marker) {
     "utf8"
   );
 }
+var init_install = __esm({
+  "src/install.js"() {
+    init_constants();
+    init_process();
+    init_python();
+    init_secret_store();
+  }
+});
 
-// src/doctor.js
-function doctor({ env = process.env, platform = process.platform } = {}) {
-  const config = loadConfig(env, platform);
-  const venvPath = managedVenvPath(env, platform);
-  const pythonPath = venvPython(venvPath, platform);
-  const vendianPath = venvVendian(venvPath, platform);
-  const registry = registryConfig(config, env, platform);
-  console.log("Vendian doctor");
-  console.log(`Home: ${venvPath}`);
-  console.log(`System Python 3.11+: ${findPython(platform) ? "yes" : "no"}`);
-  console.log(`uv: ${hasUv() ? "yes" : "no, will use pip fallback"}`);
-  console.log(`Managed Python: ${fs4.existsSync(pythonPath) ? pythonVersion(pythonPath) || "present" : "missing"}`);
-  console.log(`Vendian executable: ${fs4.existsSync(vendianPath) ? vendianPath : "missing"}`);
-  console.log(`Vendian imports: ${fs4.existsSync(pythonPath) && verifyVendianImports(pythonPath) ? "ok" : "missing"}`);
-  console.log(`Package access: ${registry.token ? `configured (${registry.tokenSource})` : "missing"}`);
+// src/auth.js
+var auth_exports = {};
+__export(auth_exports, {
+  activateCloudProfile: () => activateCloudProfile,
+  activeCloudAuthStatus: () => activeCloudAuthStatus,
+  buildLinuxOpenCommand: () => buildLinuxOpenCommand,
+  buildMacOpenCommand: () => buildMacOpenCommand,
+  buildWindowsOpenCommand: () => buildWindowsOpenCommand,
+  cloudAuthStatus: () => cloudAuthStatus,
+  cloudConfigPath: () => cloudConfigPath,
+  defaultOAuthRedirectUri: () => defaultOAuthRedirectUri,
+  fetchPackageCredentials: () => fetchPackageCredentials,
+  formatOAuthError: () => formatOAuthError,
+  loadCloudConfig: () => loadCloudConfig,
+  loginWithVendianOAuth: () => loginWithVendianOAuth,
+  resolveApiUrl: () => resolveApiUrl,
+  saveCloudToken: () => saveCloudToken
+});
+import crypto from "node:crypto";
+import http from "node:http";
+import fs6 from "node:fs";
+import path5 from "node:path";
+import { spawnSync as spawnSync3 } from "node:child_process";
+function resolveApiUrl({ backend, apiUrl, env = process.env } = {}) {
+  if (apiUrl) {
+    return apiUrl.replace(/\/$/, "");
+  }
+  if (env.VENDIAN_API_URL) {
+    return env.VENDIAN_API_URL.replace(/\/$/, "");
+  }
+  const target = backend || "prod";
+  const resolved = BACKEND_TARGETS[target];
+  if (!resolved) {
+    throw new Error(`Unknown Vendian backend '${target}'. Use local, dev, staging, prod, or --api-url.`);
+  }
+  return resolved;
 }
-
-// src/dev-server.js
-import http2 from "node:http";
-import fs11 from "node:fs";
-import path8 from "node:path";
-import { fileURLToPath } from "node:url";
-import { spawn as spawn3 } from "node:child_process";
-
-// src/agent-discovery.js
-import fs5 from "node:fs";
-import os2 from "node:os";
-import path4 from "node:path";
-var SKIP_DIRS = /* @__PURE__ */ new Set([
-  ".agents",
-  ".git",
-  ".hg",
-  ".mypy_cache",
-  ".pytest_cache",
-  ".ruff_cache",
-  ".svn",
-  ".venv",
-  "__pycache__",
-  "build",
-  "dist",
-  "node_modules",
-  "venv"
-]);
-var MANIFEST_NAMES = /* @__PURE__ */ new Set(["manifest.yaml", "manifest.yml"]);
-function findAgentDirectoryCandidates({
-  cwd = process.cwd(),
-  home = os2.homedir(),
-  maxDepth = 6,
-  maxDirs = 1e3,
-  limit = 12
-} = {}) {
-  const start = path4.resolve(cwd);
-  const candidates = [];
-  const seen = /* @__PURE__ */ new Set();
-  function addCandidate(candidatePath) {
-    const resolved = safeResolve(candidatePath);
-    if (!resolved || seen.has(resolved)) {
-      return;
+async function loginWithVendianOAuth({ backend, apiUrl, noBrowser = false, env = process.env } = {}) {
+  const resolvedApiUrl = resolveApiUrl({ backend, apiUrl, env });
+  const callback = await createCallbackServer(env);
+  try {
+    const config = await getOAuthConfig(resolvedApiUrl, callback.redirectUri);
+    const codeVerifier = crypto.randomBytes(48).toString("base64url");
+    const codeChallenge = crypto.createHash("sha256").update(codeVerifier).digest("base64url");
+    const state = crypto.randomBytes(18).toString("base64url");
+    const authorizationUrl = authorizationUrlFor(config, { state, codeChallenge });
+    if (noBrowser) {
+      console.error(`Open this URL to authenticate the CLI: ${authorizationUrl}`);
+    } else {
+      openBrowser(authorizationUrl);
     }
-    const count = countAgentManifests(resolved, { maxDepth, maxDirs, limit: 100 });
-    if (count < 1) {
-      return;
+    const callbackResult = await callback.wait();
+    if (callbackResult.state !== state) {
+      throw new Error("OAuth state mismatch");
     }
-    seen.add(resolved);
-    candidates.push({
-      path: displayPath(resolved, start),
-      absolutePath: resolved,
-      agentCount: count
+    const clerkToken = await exchangeCodeForClerkToken(config, callbackResult.code, codeVerifier, callback.redirectUri);
+    const exchange = await postJson(`${resolvedApiUrl}/api/v1/cli/auth/oauth/exchange`, {
+      clerkToken
     });
+    return { apiUrl: resolvedApiUrl, ...exchange };
+  } catch (error) {
+    throw new Error(formatOAuthError(error, {
+      apiUrl: resolvedApiUrl,
+      redirectUri: callback.redirectUri
+    }), { cause: error });
+  } finally {
+    await callback.close();
   }
-  addCandidate(path4.join(start, "agents"));
-  if (hasDirectManifest(start)) {
-    addCandidate(start);
-  }
-  for (const parent of parentDirs(start, 3)) {
-    addCandidate(path4.join(parent, "agents"));
-  }
-  const roots = uniqueExistingDirs([
-    start,
-    ...commonSearchRoots(home)
-  ]);
-  for (const root of roots) {
-    for (const manifest of findManifestFiles(root, { maxDepth, maxDirs, limit: 250 })) {
-      const workspace = nearestAgentsAncestor(manifest, root);
-      addCandidate(workspace || path4.dirname(manifest));
-      if (candidates.length >= limit) {
-        return candidates.slice(0, limit);
-      }
-    }
+}
+async function fetchPackageCredentials({ apiUrl, accessToken }) {
+  if (!apiUrl || !accessToken) {
+    return void 0;
   }
-  return candidates.slice(0, limit);
+  const payload = await getJson(`${String(apiUrl).replace(/\/$/, "")}/api/v1/cli/package-credentials`, {
+    Authorization: `Bearer ${accessToken}`
+  });
+  return payload.packageCredentials;
 }
-function findAgentFolders(root, {
-  cwd = process.cwd(),
-  maxDepth = 6,
-  maxDirs = 1e3,
-  limit = 100
-} = {}) {
-  const start = path4.resolve(cwd);
-  const resolvedRoot = safeResolve(root || ".");
-  if (!resolvedRoot) {
-    return [];
+function loadCloudConfig(env = process.env, platform = process.platform) {
+  const file = cloudConfigPath(env, platform);
+  try {
+    const parsed = JSON.parse(fs6.readFileSync(file, "utf8"));
+    return parsed && typeof parsed === "object" ? parsed : {};
+  } catch {
+    return {};
   }
-  const seen = /* @__PURE__ */ new Set();
-  const folders = [];
-  for (const manifest of findManifestFiles(resolvedRoot, { maxDepth, maxDirs, limit })) {
-    const folder = path4.dirname(manifest);
-    const resolved = safeResolve(folder);
-    if (!resolved || seen.has(resolved)) {
-      continue;
-    }
-    seen.add(resolved);
-    folders.push({
-      path: displayPath(resolved, start),
-      absolutePath: resolved,
-      name: path4.basename(resolved) || displayPath(resolved, start)
-    });
+}
+function cloudAuthStatus({ backend, apiUrl, env = process.env, platform = process.platform } = {}) {
+  const targetApiUrl = resolveApiUrl({ backend, apiUrl, env });
+  const config = loadCloudConfig(env, platform);
+  const profiles = config.profiles && typeof config.profiles === "object" ? config.profiles : {};
+  const profile = profiles[targetApiUrl];
+  return {
+    apiUrl: targetApiUrl,
+    activeApiUrl: typeof config.active_api_url === "string" ? config.active_api_url : void 0,
+    profile: profile && typeof profile === "object" ? profile : void 0,
+    authenticated: Boolean(profile?.access_token),
+    email: typeof profile?.email === "string" ? profile.email : void 0,
+    expiresAt: typeof profile?.expires_at === "string" ? profile.expires_at : void 0,
+    profiles
+  };
+}
+function activeCloudAuthStatus({ env = process.env, platform = process.platform } = {}) {
+  const config = loadCloudConfig(env, platform);
+  const profiles = config.profiles && typeof config.profiles === "object" ? config.profiles : {};
+  const apiUrl = typeof config.active_api_url === "string" ? config.active_api_url : void 0;
+  const profile = apiUrl ? profiles[apiUrl] : void 0;
+  return {
+    apiUrl,
+    activeApiUrl: apiUrl,
+    profile: profile && typeof profile === "object" ? profile : void 0,
+    authenticated: Boolean(profile?.access_token),
+    email: typeof profile?.email === "string" ? profile.email : void 0,
+    expiresAt: typeof profile?.expires_at === "string" ? profile.expires_at : void 0,
+    profiles
+  };
+}
+function activateCloudProfile({ backend, apiUrl, env = process.env, platform = process.platform } = {}) {
+  const targetApiUrl = resolveApiUrl({ backend, apiUrl, env });
+  const config = loadCloudConfig(env, platform);
+  const profiles = config.profiles && typeof config.profiles === "object" ? config.profiles : {};
+  const profile = profiles[targetApiUrl];
+  if (!profile || typeof profile !== "object" || !profile.access_token) {
+    return {
+      apiUrl: targetApiUrl,
+      activeApiUrl: typeof config.active_api_url === "string" ? config.active_api_url : void 0,
+      authenticated: false,
+      activated: false,
+      profiles
+    };
   }
-  return folders.sort((a, b) => a.path.localeCompare(b.path)).slice(0, limit);
+  const next = {
+    ...config,
+    version: config.version || 2,
+    profiles,
+    active_api_url: targetApiUrl
+  };
+  writeCloudConfig(next, { env, platform });
+  return {
+    apiUrl: targetApiUrl,
+    activeApiUrl: targetApiUrl,
+    profile,
+    authenticated: true,
+    activated: true,
+    email: typeof profile.email === "string" ? profile.email : void 0,
+    expiresAt: typeof profile.expires_at === "string" ? profile.expires_at : void 0,
+    profiles
+  };
 }
-function countAgentManifests(root, { maxDepth = 6, maxDirs = 1e3, limit = 100 } = {}) {
-  let count = 0;
-  for (const _manifest of findManifestFiles(root, { maxDepth, maxDirs, limit })) {
-    count += 1;
-    if (count >= limit) {
-      return count;
-    }
+function defaultOAuthRedirectUri(env = process.env) {
+  const port = Number(env.VENDIAN_CLI_OAUTH_REDIRECT_PORT || DEFAULT_OAUTH_REDIRECT_PORT);
+  return `http://127.0.0.1:${port}/callback`;
+}
+function formatOAuthError(error, { apiUrl, redirectUri } = {}) {
+  const message = error && typeof error.message === "string" ? error.message : String(error || "OAuth login failed");
+  const hint = oauthRedirectHint(message, { apiUrl, redirectUri });
+  return hint ? `${message}
+${hint}` : message;
+}
+async function getOAuthConfig(apiUrl, redirectUri) {
+  const url = new URL(`${apiUrl}/api/v1/cli/auth/oauth/config`);
+  url.searchParams.set("redirectUri", redirectUri);
+  return getJson(url);
+}
+function authorizationUrlFor(config, { state, codeChallenge }) {
+  const url = new URL(String(config.authorizationUrl));
+  url.searchParams.set("response_type", "code");
+  url.searchParams.set("client_id", String(config.clientId));
+  url.searchParams.set("redirect_uri", String(config.redirectUri));
+  url.searchParams.set("scope", String(config.scopes || "email profile"));
+  url.searchParams.set("state", state);
+  url.searchParams.set("code_challenge", codeChallenge);
+  url.searchParams.set("code_challenge_method", "S256");
+  return url.toString();
+}
+async function exchangeCodeForClerkToken(config, code, codeVerifier, redirectUri) {
+  const body = new URLSearchParams({
+    grant_type: "authorization_code",
+    client_id: String(config.clientId),
+    code,
+    redirect_uri: redirectUri,
+    code_verifier: codeVerifier
+  });
+  const payload = await postForm(String(config.tokenUrl), body);
+  const token = payload.access_token || payload.id_token;
+  if (!token) {
+    throw new Error("OAuth token exchange did not return a Clerk token");
   }
-  return count;
+  return String(token);
 }
-function findManifestFiles(root, { maxDepth, maxDirs, limit }) {
-  const manifests = [];
-  const stack = [{ dir: root, depth: 0 }];
-  const seen = /* @__PURE__ */ new Set();
-  while (stack.length && manifests.length < limit && seen.size < maxDirs) {
-    const { dir, depth } = stack.pop();
-    const resolved = safeResolve(dir);
-    if (!resolved || seen.has(resolved)) {
-      continue;
-    }
-    seen.add(resolved);
-    let entries;
+async function getJson(url, headers = {}) {
+  const response = await fetch(url, { headers: { Accept: "application/json", ...headers } });
+  return decodeResponse(response);
+}
+async function postJson(url, body) {
+  const response = await fetch(url, {
+    method: "POST",
+    headers: { Accept: "application/json", "Content-Type": "application/json" },
+    body: JSON.stringify(body)
+  });
+  return decodeResponse(response);
+}
+async function postForm(url, body) {
+  const response = await fetch(url, {
+    method: "POST",
+    headers: { Accept: "application/json", "Content-Type": "application/x-www-form-urlencoded" },
+    body
+  });
+  return decodeResponse(response);
+}
+async function decodeResponse(response) {
+  const text = await response.text();
+  let payload = {};
+  if (text) {
     try {
-      entries = fs5.readdirSync(resolved, { withFileTypes: true });
+      payload = JSON.parse(text);
     } catch {
-      continue;
-    }
-    for (const entry of entries) {
-      if (entry.isFile() && MANIFEST_NAMES.has(entry.name)) {
-        manifests.push(path4.join(resolved, entry.name));
-        if (manifests.length >= limit) {
-          break;
-        }
-      }
-    }
-    if (depth >= maxDepth) {
-      continue;
-    }
-    for (const entry of entries) {
-      if (!entry.isDirectory() || SKIP_DIRS.has(entry.name)) {
-        continue;
-      }
-      stack.push({ dir: path4.join(resolved, entry.name), depth: depth + 1 });
+      payload = { error: text };
     }
   }
-  return manifests;
-}
-function nearestAgentsAncestor(manifestPath, root) {
-  let current = path4.dirname(manifestPath);
-  const stop = path4.resolve(root);
-  while (current.startsWith(stop)) {
-    if (path4.basename(current).toLowerCase() === "agents") {
-      return current;
-    }
-    const parent = path4.dirname(current);
-    if (parent === current) {
-      break;
-    }
-    current = parent;
+  if (!response.ok) {
+    throw new Error(payload.message || payload.error || `HTTP ${response.status}`);
   }
-  return null;
+  return payload;
 }
-function hasDirectManifest(root) {
-  return [...MANIFEST_NAMES].some((name) => fs5.existsSync(path4.join(root, name)));
+async function createCallbackServer(env) {
+  const port = Number(env.VENDIAN_CLI_OAUTH_REDIRECT_PORT || DEFAULT_OAUTH_REDIRECT_PORT);
+  let server;
+  let settled = false;
+  let timeout;
+  const waitPromise = new Promise((resolve, reject) => {
+    timeout = setTimeout(() => {
+      settled = true;
+      reject(new Error("OAuth login timed out before callback completed"));
+    }, 3e5);
+    server = http.createServer((req, res) => {
+      const url = new URL(req.url || "/", `http://${req.headers.host || "127.0.0.1"}`);
+      const code = url.searchParams.get("code");
+      const state = url.searchParams.get("state");
+      const error = url.searchParams.get("error");
+      const errorDescription = url.searchParams.get("error_description");
+      const body = code ? "Vendian CLI authentication complete. You can close this window." : "Vendian CLI authentication failed. Return to the terminal.";
+      res.writeHead(code ? 200 : 400, {
+        "Content-Type": "text/plain; charset=utf-8",
+        "Content-Length": Buffer.byteLength(body)
+      });
+      res.end(body);
+      clearTimeout(timeout);
+      if (settled) {
+        return;
+      }
+      settled = true;
+      if (error) {
+        const details = errorDescription ? `${error} (${errorDescription})` : error;
+        reject(new Error(`OAuth login failed: ${details}`));
+        return;
+      }
+      if (!code) {
+        reject(new Error("OAuth callback did not include an authorization code"));
+        return;
+      }
+      resolve({ code, state });
+    });
+    server.on("error", reject);
+    server.listen(port, "127.0.0.1");
+  });
+  await new Promise((resolve, reject) => {
+    server.once("listening", resolve);
+    server.once("error", reject);
+  });
+  return {
+    redirectUri: `http://127.0.0.1:${server.address().port}/callback`,
+    wait: () => waitPromise,
+    close: () => new Promise((resolve) => server.close(resolve))
+  };
 }
-function displayPath(target, cwd) {
-  const relative = path4.relative(cwd, target);
-  if (!relative) {
-    return ".";
+function oauthRedirectHint(message, { apiUrl, redirectUri } = {}) {
+  if (!redirectUri) {
+    return "";
   }
-  if (relative.startsWith("..") || path4.isAbsolute(relative)) {
-    return target;
+  const lower = String(message || "").toLowerCase();
+  const looksLikeRedirectMismatch = lower.includes("redirect_uri") || lower.includes("pre-registered redirect") || lower.includes("oauth login timed out before callback completed") || lower.includes("oauth callback did not include an authorization code");
+  if (!looksLikeRedirectMismatch) {
+    return "";
   }
-  return relative.startsWith(".") ? relative : `.${path4.sep}${relative}`;
+  const target = apiUrl || "this backend";
+  return `If Clerk rejected the CLI callback for ${target}, add this redirect URL in Clerk: ${redirectUri}`;
 }
-function commonSearchRoots(home) {
-  if (!home) {
-    return [];
+function openBrowser(url) {
+  const platform = process.platform;
+  if (platform === "win32") {
+    spawnSync3(...buildWindowsOpenCommand(url), { stdio: "ignore", shell: false });
+    return;
   }
-  return [
-    "agents",
-    "Projects",
-    "Code",
-    "Developer",
-    "Documents",
-    "Desktop"
-  ].map((name) => path4.join(home, name));
-}
-function uniqueExistingDirs(paths) {
-  const result = [];
-  const seen = /* @__PURE__ */ new Set();
-  for (const item of paths) {
-    const resolved = safeResolve(item);
-    if (!resolved || seen.has(resolved)) {
-      continue;
-    }
-    try {
-      if (!fs5.statSync(resolved).isDirectory()) {
-        continue;
-      }
-    } catch {
-      continue;
-    }
-    seen.add(resolved);
-    result.push(resolved);
+  if (platform === "darwin") {
+    spawnSync3(...buildMacOpenCommand(url), { stdio: "ignore", shell: false });
+    return;
   }
-  return result;
+  spawnSync3(...buildLinuxOpenCommand(url), { stdio: "ignore", shell: false });
 }
-function parentDirs(start, limit) {
-  const parents = [];
-  let current = path4.resolve(start);
-  for (let index = 0; index < limit; index += 1) {
-    const parent = path4.dirname(current);
-    if (!parent || parent === current) {
-      break;
+function buildWindowsOpenCommand(url) {
+  return ["rundll32.exe", ["url.dll,FileProtocolHandler", String(url)]];
+}
+function buildMacOpenCommand(url) {
+  return ["open", [String(url)]];
+}
+function buildLinuxOpenCommand(url) {
+  return ["xdg-open", [String(url)]];
+}
+function cloudConfigPath(env = process.env, platform = process.platform) {
+  if (env.VENDIAN_CLOUD_CONFIG) {
+    return path5.resolve(env.VENDIAN_CLOUD_CONFIG);
+  }
+  if (platform === "win32") {
+    const root2 = env.APPDATA || path5.join(process.env.USERPROFILE || "", "AppData", "Roaming");
+    return path5.win32.join(root2, "Vendian", "cloud-auth.json");
+  }
+  const root = env.XDG_CONFIG_HOME || path5.join(process.env.HOME || "", ".config");
+  return path5.posix.join(root, "vendian", "cloud-auth.json");
+}
+function saveCloudToken(token, { env = process.env, platform = process.platform } = {}) {
+  const tokenApiUrl = String(token.apiUrl || "").replace(/\/$/, "");
+  let raw = { version: 2, profiles: {}, active_api_url: token.apiUrl };
+  try {
+    const existing = loadCloudConfig(env, platform);
+    if (existing && typeof existing === "object" && existing.profiles && typeof existing.profiles === "object") {
+      raw.profiles = existing.profiles;
     }
-    parents.push(parent);
-    current = parent;
+  } catch {
   }
-  return parents;
+  raw.active_api_url = tokenApiUrl;
+  raw.profiles[tokenApiUrl] = {
+    api_url: tokenApiUrl,
+    access_token: token.accessToken,
+    user_id: token.userId,
+    email: token.email,
+    expires_at: token.expiresAt,
+    scopes: token.scopes,
+    tooling_eligible: token.toolingEligible
+  };
+  return writeCloudConfig(raw, { env, platform });
 }
-function safeResolve(candidate) {
+function writeCloudConfig(raw, { env = process.env, platform = process.platform } = {}) {
+  const file = cloudConfigPath(env, platform);
+  fs6.mkdirSync(path5.dirname(file), { recursive: true });
+  fs6.writeFileSync(file, `${JSON.stringify(raw, null, 2)}
+`, { encoding: "utf8", mode: 384 });
   try {
-    return path4.resolve(candidate);
+    fs6.chmodSync(file, 384);
   } catch {
-    return null;
   }
+  return file;
 }
-
-// src/dev-server.js
-init_auth();
-init_constants();
-
-// src/forward.js
-import fs9 from "node:fs";
+var DEFAULT_OAUTH_REDIRECT_PORT;
+var init_auth = __esm({
+  "src/auth.js"() {
+    init_constants();
+    DEFAULT_OAUTH_REDIRECT_PORT = 8765;
+  }
+});
 
 // src/docs.js
 import fs7 from "node:fs";
 import path6 from "node:path";
-var DOC_WORKSPACES_KEY = "agentDocWorkspaces";
 function pathApi2(platform) {
   return platform === "win32" ? path6.win32 : path6.posix;
 }
@@ -1132,10 +930,24 @@ function refreshAgentDocsWorkspaces({
   saveConfig(next, env, platform);
   return { config: next, refreshed, failed };
 }
+var DOC_WORKSPACES_KEY;
+var init_docs = __esm({
+  "src/docs.js"() {
+    init_config();
+    init_paths();
+    init_process();
+    DOC_WORKSPACES_KEY = "agentDocWorkspaces";
+  }
+});
 
 // src/setup.js
-init_auth();
-init_constants();
+var setup_exports = {};
+__export(setup_exports, {
+  refreshPackageAccessFromCloudAuth: () => refreshPackageAccessFromCloudAuth,
+  savePackageCredentials: () => savePackageCredentials,
+  setup: () => setup,
+  setupCompletionLines: () => setupCompletionLines
+});
 import fs8 from "node:fs";
 async function setup({
   nonInteractive = false,
@@ -1188,103 +1000,381 @@ async function setup({
   if (!installRegistry.token) {
     throw new Error("Package access is missing. Run interactive `vendian login` to sign in.");
   }
-  const python = findPython(platform);
-  if (!python) {
-    throw new Error("Python 3.11+ was not found. Install Python 3.11 or newer, then rerun `vendian login`.");
+  const python = findPython(platform);
+  if (!python) {
+    throw new Error("Python 3.11+ was not found. Install Python 3.11 or newer, then rerun `vendian login`.");
+  }
+  const venvPath = managedVenvPath(env, platform);
+  console.log(`Managed environment: ${venvPath}`);
+  const pythonPath = ensureVenv(venvPath, python, platform);
+  console.log(`Python: ${pythonVersion(pythonPath) || pythonPath}`);
+  saveConfig(next, env, platform);
+  installVendianPackages({ pythonPath, venvPath, config: next, env, platform });
+  const updated = { ...next, lastManagedUpdateAt: (/* @__PURE__ */ new Date()).toISOString() };
+  refreshAgentDocsWorkspaces({ config: updated, venvPath, env, platform });
+  if (!verifyVendianImports(pythonPath)) {
+    throw new Error("Vendian packages installed, but import verification failed.");
+  }
+  const vendianPath = venvVendian(venvPath, platform);
+  if (!fs8.existsSync(vendianPath)) {
+    throw new Error("Vendian executable was not found after install.");
+  }
+  console.log("");
+  for (const line of setupCompletionLines({ cloudAuthApiUrl, backend, apiUrl })) {
+    console.log(line);
+  }
+}
+function savePackageCredentials(config, packageCredentials, { platform = process.platform } = {}) {
+  if (!packageCredentials?.token) {
+    return false;
+  }
+  config.gitlabHost = packageCredentials.gitlabHost || config.gitlabHost;
+  config.gitlabUsername = packageCredentials.username || config.gitlabUsername;
+  config.sdkPublicProjectId = packageCredentials.sdkProjectId || config.sdkPublicProjectId;
+  config.sdkRuntimeProjectId = packageCredentials.runtimeProjectId || config.sdkRuntimeProjectId;
+  config.vendianAgentsVersion = packageCredentials.vendianAgentsVersion || config.vendianAgentsVersion;
+  config.vendianAgentsRuntimeVersion = packageCredentials.vendianAgentsRuntimeVersion || config.vendianAgentsRuntimeVersion;
+  const secret = savePackageTokenSecret(packageCredentials.token, config, platform);
+  if (secret.ok) {
+    Object.assign(config, secret.config || {});
+    delete config.gitlabToken;
+    console.log("Package access saved.");
+  } else {
+    config.gitlabToken = packageCredentials.token;
+    console.log("Package access saved in the local Vendian CLI config file.");
+  }
+  return true;
+}
+async function refreshPackageAccessFromCloudAuth({
+  config,
+  auth,
+  env = process.env,
+  platform = process.platform,
+  save = true
+} = {}) {
+  const currentConfig = config || loadConfig(env, platform);
+  const registry = registryConfig(currentConfig, env, platform);
+  if (registry.token) {
+    return { config: currentConfig, refreshed: false };
+  }
+  const status = auth || activeCloudAuthStatus({ env, platform });
+  if (!status.authenticated || !status.apiUrl || !status.profile?.access_token) {
+    return { config: currentConfig, refreshed: false };
+  }
+  const packageCredentials = await fetchPackageCredentials({
+    apiUrl: status.apiUrl,
+    accessToken: status.profile.access_token
+  });
+  if (!packageCredentials?.token) {
+    return { config: currentConfig, refreshed: false };
+  }
+  const next = { ...currentConfig };
+  const stored = savePackageCredentials(next, packageCredentials, { platform });
+  if (stored && save) {
+    saveConfig(next, env, platform);
+  }
+  return { config: next, refreshed: stored };
+}
+function setupCompletionLines({ cloudAuthApiUrl, backend, apiUrl } = {}) {
+  const lines = ["Vendian login complete."];
+  if (cloudAuthApiUrl) {
+    lines.push(`Connected to ${cloudAuthApiUrl}.`);
+    lines.push("Next: vendian cloud local serve --agents-dir ./agents");
+    return lines;
+  }
+  lines.push(`Next: ${cloudAuthLoginCommand({ backend, apiUrl })}`);
+  lines.push("Then: vendian cloud local serve --agents-dir ./agents");
+  return lines;
+}
+function cloudAuthLoginCommand({ backend, apiUrl } = {}) {
+  if (apiUrl) {
+    return `vendian cloud auth login --api-url ${apiUrl}`;
+  }
+  if (backend) {
+    return `vendian cloud auth login --backend ${backend}`;
+  }
+  return "vendian cloud auth login";
+}
+var init_setup = __esm({
+  "src/setup.js"() {
+    init_auth();
+    init_constants();
+    init_config();
+    init_docs();
+    init_install();
+    init_paths();
+    init_python();
+    init_secret_store();
+  }
+});
+
+// src/doctor.js
+init_config();
+init_install();
+init_paths();
+init_python();
+import fs4 from "node:fs";
+function doctor({ env = process.env, platform = process.platform } = {}) {
+  const config = loadConfig(env, platform);
+  const venvPath = managedVenvPath(env, platform);
+  const pythonPath = venvPython(venvPath, platform);
+  const vendianPath = venvVendian(venvPath, platform);
+  const registry = registryConfig(config, env, platform);
+  console.log("Vendian doctor");
+  console.log(`Home: ${venvPath}`);
+  console.log(`System Python 3.11+: ${findPython(platform) ? "yes" : "no"}`);
+  console.log(`uv: ${hasUv() ? "yes" : "no, will use pip fallback"}`);
+  console.log(`Managed Python: ${fs4.existsSync(pythonPath) ? pythonVersion(pythonPath) || "present" : "missing"}`);
+  console.log(`Vendian executable: ${fs4.existsSync(vendianPath) ? vendianPath : "missing"}`);
+  console.log(`Vendian imports: ${fs4.existsSync(pythonPath) && verifyVendianImports(pythonPath) ? "ok" : "missing"}`);
+  console.log(`Package access: ${registry.token ? `configured (${registry.tokenSource})` : "missing"}`);
+}
+
+// src/dev-server.js
+import http2 from "node:http";
+import fs11 from "node:fs";
+import path8 from "node:path";
+import { fileURLToPath } from "node:url";
+import { spawn as spawn3 } from "node:child_process";
+
+// src/agent-discovery.js
+import fs5 from "node:fs";
+import os2 from "node:os";
+import path4 from "node:path";
+var SKIP_DIRS = /* @__PURE__ */ new Set([
+  ".agents",
+  ".git",
+  ".hg",
+  ".mypy_cache",
+  ".pytest_cache",
+  ".ruff_cache",
+  ".svn",
+  ".venv",
+  "__pycache__",
+  "build",
+  "dist",
+  "node_modules",
+  "venv"
+]);
+var MANIFEST_NAMES = /* @__PURE__ */ new Set(["manifest.yaml", "manifest.yml"]);
+function findAgentDirectoryCandidates({
+  cwd = process.cwd(),
+  home = os2.homedir(),
+  maxDepth = 6,
+  maxDirs = 1e3,
+  limit = 12
+} = {}) {
+  const start = path4.resolve(cwd);
+  const candidates = [];
+  const seen = /* @__PURE__ */ new Set();
+  function addCandidate(candidatePath) {
+    const resolved = safeResolve(candidatePath);
+    if (!resolved || seen.has(resolved)) {
+      return;
+    }
+    const count = countAgentManifests(resolved, { maxDepth, maxDirs, limit: 100 });
+    if (count < 1) {
+      return;
+    }
+    seen.add(resolved);
+    candidates.push({
+      path: displayPath(resolved, start),
+      absolutePath: resolved,
+      agentCount: count
+    });
+  }
+  addCandidate(path4.join(start, "agents"));
+  if (hasDirectManifest(start)) {
+    addCandidate(start);
+  }
+  for (const parent of parentDirs(start, 3)) {
+    addCandidate(path4.join(parent, "agents"));
   }
-  const venvPath = managedVenvPath(env, platform);
-  console.log(`Managed environment: ${venvPath}`);
-  const pythonPath = ensureVenv(venvPath, python, platform);
-  console.log(`Python: ${pythonVersion(pythonPath) || pythonPath}`);
-  saveConfig(next, env, platform);
-  installVendianPackages({ pythonPath, venvPath, config: next, env, platform });
-  const updated = { ...next, lastManagedUpdateAt: (/* @__PURE__ */ new Date()).toISOString() };
-  refreshAgentDocsWorkspaces({ config: updated, venvPath, env, platform });
-  if (!verifyVendianImports(pythonPath)) {
-    throw new Error("Vendian packages installed, but import verification failed.");
+  const roots = uniqueExistingDirs([
+    start,
+    ...commonSearchRoots(home)
+  ]);
+  for (const root of roots) {
+    for (const manifest of findManifestFiles(root, { maxDepth, maxDirs, limit: 250 })) {
+      const workspace = nearestAgentsAncestor(manifest, root);
+      addCandidate(workspace || path4.dirname(manifest));
+      if (candidates.length >= limit) {
+        return candidates.slice(0, limit);
+      }
+    }
   }
-  const vendianPath = venvVendian(venvPath, platform);
-  if (!fs8.existsSync(vendianPath)) {
-    throw new Error("Vendian executable was not found after install.");
+  return candidates.slice(0, limit);
+}
+function findAgentFolders(root, {
+  cwd = process.cwd(),
+  maxDepth = 6,
+  maxDirs = 1e3,
+  limit = 100
+} = {}) {
+  const start = path4.resolve(cwd);
+  const resolvedRoot = safeResolve(root || ".");
+  if (!resolvedRoot) {
+    return [];
   }
-  console.log("");
-  for (const line of setupCompletionLines({ cloudAuthApiUrl, backend, apiUrl })) {
-    console.log(line);
+  const seen = /* @__PURE__ */ new Set();
+  const folders = [];
+  for (const manifest of findManifestFiles(resolvedRoot, { maxDepth, maxDirs, limit })) {
+    const folder = path4.dirname(manifest);
+    const resolved = safeResolve(folder);
+    if (!resolved || seen.has(resolved)) {
+      continue;
+    }
+    seen.add(resolved);
+    folders.push({
+      path: displayPath(resolved, start),
+      absolutePath: resolved,
+      name: path4.basename(resolved) || displayPath(resolved, start)
+    });
   }
+  return folders.sort((a, b) => a.path.localeCompare(b.path)).slice(0, limit);
 }
-function savePackageCredentials(config, packageCredentials, { platform = process.platform } = {}) {
-  if (!packageCredentials?.token) {
-    return false;
+function countAgentManifests(root, { maxDepth = 6, maxDirs = 1e3, limit = 100 } = {}) {
+  let count = 0;
+  for (const _manifest of findManifestFiles(root, { maxDepth, maxDirs, limit })) {
+    count += 1;
+    if (count >= limit) {
+      return count;
+    }
   }
-  config.gitlabHost = packageCredentials.gitlabHost || config.gitlabHost;
-  config.gitlabUsername = packageCredentials.username || config.gitlabUsername;
-  config.sdkPublicProjectId = packageCredentials.sdkProjectId || config.sdkPublicProjectId;
-  config.sdkRuntimeProjectId = packageCredentials.runtimeProjectId || config.sdkRuntimeProjectId;
-  config.vendianAgentsVersion = packageCredentials.vendianAgentsVersion || config.vendianAgentsVersion;
-  config.vendianAgentsRuntimeVersion = packageCredentials.vendianAgentsRuntimeVersion || config.vendianAgentsRuntimeVersion;
-  const secret = savePackageTokenSecret(packageCredentials.token, config, platform);
-  if (secret.ok) {
-    Object.assign(config, secret.config || {});
-    delete config.gitlabToken;
-    console.log("Package access saved.");
-  } else {
-    config.gitlabToken = packageCredentials.token;
-    console.log("Package access saved in the local Vendian CLI config file.");
+  return count;
+}
+function findManifestFiles(root, { maxDepth, maxDirs, limit }) {
+  const manifests = [];
+  const stack = [{ dir: root, depth: 0 }];
+  const seen = /* @__PURE__ */ new Set();
+  while (stack.length && manifests.length < limit && seen.size < maxDirs) {
+    const { dir, depth } = stack.pop();
+    const resolved = safeResolve(dir);
+    if (!resolved || seen.has(resolved)) {
+      continue;
+    }
+    seen.add(resolved);
+    let entries;
+    try {
+      entries = fs5.readdirSync(resolved, { withFileTypes: true });
+    } catch {
+      continue;
+    }
+    for (const entry of entries) {
+      if (entry.isFile() && MANIFEST_NAMES.has(entry.name)) {
+        manifests.push(path4.join(resolved, entry.name));
+        if (manifests.length >= limit) {
+          break;
+        }
+      }
+    }
+    if (depth >= maxDepth) {
+      continue;
+    }
+    for (const entry of entries) {
+      if (!entry.isDirectory() || SKIP_DIRS.has(entry.name)) {
+        continue;
+      }
+      stack.push({ dir: path4.join(resolved, entry.name), depth: depth + 1 });
+    }
   }
-  return true;
+  return manifests;
 }
-async function refreshPackageAccessFromCloudAuth({
-  config,
-  auth,
-  env = process.env,
-  platform = process.platform,
-  save = true
-} = {}) {
-  const currentConfig = config || loadConfig(env, platform);
-  const registry = registryConfig(currentConfig, env, platform);
-  if (registry.token) {
-    return { config: currentConfig, refreshed: false };
+function nearestAgentsAncestor(manifestPath, root) {
+  let current = path4.dirname(manifestPath);
+  const stop = path4.resolve(root);
+  while (current.startsWith(stop)) {
+    if (path4.basename(current).toLowerCase() === "agents") {
+      return current;
+    }
+    const parent = path4.dirname(current);
+    if (parent === current) {
+      break;
+    }
+    current = parent;
   }
-  const status = auth || activeCloudAuthStatus({ env, platform });
-  if (!status.authenticated || !status.apiUrl || !status.profile?.access_token) {
-    return { config: currentConfig, refreshed: false };
+  return null;
+}
+function hasDirectManifest(root) {
+  return [...MANIFEST_NAMES].some((name) => fs5.existsSync(path4.join(root, name)));
+}
+function displayPath(target, cwd) {
+  const relative = path4.relative(cwd, target);
+  if (!relative) {
+    return ".";
   }
-  const packageCredentials = await fetchPackageCredentials({
-    apiUrl: status.apiUrl,
-    accessToken: status.profile.access_token
-  });
-  if (!packageCredentials?.token) {
-    return { config: currentConfig, refreshed: false };
+  if (relative.startsWith("..") || path4.isAbsolute(relative)) {
+    return target;
   }
-  const next = { ...currentConfig };
-  const stored = savePackageCredentials(next, packageCredentials, { platform });
-  if (stored && save) {
-    saveConfig(next, env, platform);
+  return relative.startsWith(".") ? relative : `.${path4.sep}${relative}`;
+}
+function commonSearchRoots(home) {
+  if (!home) {
+    return [];
   }
-  return { config: next, refreshed: stored };
+  return [
+    "agents",
+    "Projects",
+    "Code",
+    "Developer",
+    "Documents",
+    "Desktop"
+  ].map((name) => path4.join(home, name));
 }
-function setupCompletionLines({ cloudAuthApiUrl, backend, apiUrl } = {}) {
-  const lines = ["Vendian login complete."];
-  if (cloudAuthApiUrl) {
-    lines.push(`Connected to ${cloudAuthApiUrl}.`);
-    lines.push("Next: vendian cloud local serve --agents-dir ./agents");
-    return lines;
+function uniqueExistingDirs(paths) {
+  const result = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const item of paths) {
+    const resolved = safeResolve(item);
+    if (!resolved || seen.has(resolved)) {
+      continue;
+    }
+    try {
+      if (!fs5.statSync(resolved).isDirectory()) {
+        continue;
+      }
+    } catch {
+      continue;
+    }
+    seen.add(resolved);
+    result.push(resolved);
   }
-  lines.push(`Next: ${cloudAuthLoginCommand({ backend, apiUrl })}`);
-  lines.push("Then: vendian cloud local serve --agents-dir ./agents");
-  return lines;
+  return result;
 }
-function cloudAuthLoginCommand({ backend, apiUrl } = {}) {
-  if (apiUrl) {
-    return `vendian cloud auth login --api-url ${apiUrl}`;
+function parentDirs(start, limit) {
+  const parents = [];
+  let current = path4.resolve(start);
+  for (let index = 0; index < limit; index += 1) {
+    const parent = path4.dirname(current);
+    if (!parent || parent === current) {
+      break;
+    }
+    parents.push(parent);
+    current = parent;
   }
-  if (backend) {
-    return `vendian cloud auth login --backend ${backend}`;
+  return parents;
+}
+function safeResolve(candidate) {
+  try {
+    return path4.resolve(candidate);
+  } catch {
+    return null;
   }
-  return "vendian cloud auth login";
 }
 
+// src/dev-server.js
+init_auth();
+init_constants();
+init_config();
+
 // src/forward.js
+init_config();
+init_docs();
+init_install();
+init_paths();
+init_process();
+init_setup();
+import fs9 from "node:fs";
 var AUTO_UPDATE_INTERVAL_MS = 24 * 60 * 60 * 1e3;
 async function forwardToPythonVendian(args, { env = process.env, platform = process.platform } = {}) {
   const invocation = await preparePythonVendianInvocation(args, { env, platform });
@@ -1415,7 +1505,12 @@ function reportProgress(onProgress, message) {
   }
 }
 
+// src/dev-server.js
+init_process();
+init_paths();
+
 // src/workspaces.js
+init_process();
 async function listCloudWorkspaces({
   env = process.env,
   platform = process.platform,
@@ -2265,6 +2360,7 @@ function formatSeconds(value) {
 }
 
 // src/serve-log-store.js
+init_paths();
 import crypto2 from "node:crypto";
 import fs10 from "node:fs";
 import path7 from "node:path";
@@ -2404,7 +2500,7 @@ function buildLocalServeEventStreamArgs({ agentsDir: agentsDir2 = "./agents", co
 }
 
 // src/version.js
-var CLI_VERSION = true ? "0.0.40" : process.env.npm_package_version || "0.0.0-dev";
+var CLI_VERSION = true ? "0.0.42" : process.env.npm_package_version || "0.0.0-dev";
 
 // src/dev-server.js
 var __dirname = path8.dirname(fileURLToPath(import.meta.url));
@@ -2541,6 +2637,8 @@ async function handleApi(req, res, pathname, parsed) {
           return apiServeStop(req, res);
         case "/api/create":
           return await apiCreate(req, res, body);
+        case "/api/auth/login":
+          return await apiAuthLogin(req, res, body);
         case "/api/auth/switch":
           return await apiAuthSwitch(req, res, body);
         default:
@@ -2707,6 +2805,36 @@ async function apiAuthSwitch(req, res, body) {
     jsonResponse(res, { ok: false, error: err.message });
   }
 }
+async function loginOrActivateBackend({ backend, env, setupFn, statusFn, activateFn } = {}) {
+  if (!backend || !BACKEND_TARGETS[backend]) {
+    return { ok: false, error: `Unknown backend: ${backend}` };
+  }
+  const authEnv = { ...env || process.env, VENDIAN_API_URL: "" };
+  const readStatus = statusFn || cloudAuthStatus;
+  const activate = activateFn || activateCloudProfile;
+  const status = readStatus({ backend, env: authEnv });
+  if (status.authenticated) {
+    const result = activate({ backend, env: authEnv });
+    if (result?.activated) {
+      return { ok: true, switched: true, backend };
+    }
+  }
+  const runSetup = setupFn || (async (options) => {
+    const { setup: setup2 } = await Promise.resolve().then(() => (init_setup(), setup_exports));
+    return setup2(options);
+  });
+  await runSetup({ backend, forceAuth: true });
+  return { ok: true, loggedIn: true, backend };
+}
+async function apiAuthLogin(req, res, body) {
+  try {
+    const result = await loginOrActivateBackend({ backend: body.backend });
+    const status = result.ok ? 200 : 400;
+    jsonResponse(res, result, status);
+  } catch (err) {
+    jsonResponse(res, { ok: false, error: err.message || "Login failed" }, 500);
+  }
+}
 async function apiValidate(req, res, body) {
   const targetPath = body.path || agentsDir;
   const invocation = await preparePythonVendianInvocation(
@@ -2995,16 +3123,27 @@ function openUrl(url) {
   spawn3(shell || cmd, shell ? args : [url], { detached: true, stdio: "ignore" }).unref();
 }
 
+// src/main.js
+init_setup();
+
 // src/tui.js
 init_constants();
 init_auth();
+init_config();
 import fs12 from "node:fs";
 import path9 from "node:path";
 import readline from "node:readline";
+init_install();
 
 // src/npm-update.js
+init_config();
 var NPM_CHECK_INTERVAL_MS = 30 * 60 * 1e3;
 
+// src/tui.js
+init_paths();
+init_setup();
+init_process();
+
 // src/ui/figures.js
 var supportsUnicode = process.platform !== "win32" || Boolean(
   process.env.WT_SESSION || // Windows Terminal