npm - @vendian/cli - Versions diffs - 0.0.41 → 0.0.42 - Mend

@vendian/cli 0.0.41 → 0.0.42

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/cli-wrapper.mjs CHANGED Viewed

@@ -33,611 +33,256 @@ var init_constants = __esm({
   }
 });
-// src/auth.js
-var auth_exports = {};
-__export(auth_exports, {
-  activateCloudProfile: () => activateCloudProfile,
-  activeCloudAuthStatus: () => activeCloudAuthStatus,
-  buildLinuxOpenCommand: () => buildLinuxOpenCommand,
-  buildMacOpenCommand: () => buildMacOpenCommand,
-  buildWindowsOpenCommand: () => buildWindowsOpenCommand,
-  cloudAuthStatus: () => cloudAuthStatus,
-  cloudConfigPath: () => cloudConfigPath,
-  defaultOAuthRedirectUri: () => defaultOAuthRedirectUri,
-  fetchPackageCredentials: () => fetchPackageCredentials,
-  formatOAuthError: () => formatOAuthError,
-  loadCloudConfig: () => loadCloudConfig,
-  loginWithVendianOAuth: () => loginWithVendianOAuth,
-  resolveApiUrl: () => resolveApiUrl,
-  saveCloudToken: () => saveCloudToken
-});
-import crypto from "node:crypto";
-import http from "node:http";
-import fs6 from "node:fs";
-import path5 from "node:path";
-import { spawnSync as spawnSync3 } from "node:child_process";
-function resolveApiUrl({ backend, apiUrl, env = process.env } = {}) {
-  if (apiUrl) {
-    return apiUrl.replace(/\/$/, "");
+// src/paths.js
+import os from "node:os";
+import path from "node:path";
+function pathApi(platform) {
+  return platform === "win32" ? path.win32 : path.posix;
+}
+function homeDir(env, platform) {
+  if (platform === "win32") {
+    return env.USERPROFILE || os.homedir();
   }
-  if (env.VENDIAN_API_URL) {
-    return env.VENDIAN_API_URL.replace(/\/$/, "");
+  return env.HOME || os.homedir();
+}
+function vendianHome(env = process.env, platform = process.platform) {
+  if (env.VENDIAN_CLI_HOME) {
+    return pathApi(platform).resolve(env.VENDIAN_CLI_HOME);
   }
-  const target = backend || "prod";
-  const resolved = BACKEND_TARGETS[target];
-  if (!resolved) {
-    throw new Error(`Unknown Vendian backend '${target}'. Use local, dev, staging, prod, or --api-url.`);
+  if (platform === "win32") {
+    const root = env.LOCALAPPDATA || path.win32.join(homeDir(env, platform), "AppData", "Local");
+    return path.win32.join(root, "Vendian", "cli");
   }
-  return resolved;
+  return path.posix.join(homeDir(env, platform), ".vendian", "cli");
 }
-async function loginWithVendianOAuth({ backend, apiUrl, noBrowser = false, env = process.env } = {}) {
-  const resolvedApiUrl = resolveApiUrl({ backend, apiUrl, env });
-  const callback = await createCallbackServer(env);
-  try {
-    const config = await getOAuthConfig(resolvedApiUrl, callback.redirectUri);
-    const codeVerifier = crypto.randomBytes(48).toString("base64url");
-    const codeChallenge = crypto.createHash("sha256").update(codeVerifier).digest("base64url");
-    const state = crypto.randomBytes(18).toString("base64url");
-    const authorizationUrl = authorizationUrlFor(config, { state, codeChallenge });
-    if (noBrowser) {
-      console.error(`Open this URL to authenticate the CLI: ${authorizationUrl}`);
-    } else {
-      openBrowser(authorizationUrl);
-    }
-    const callbackResult = await callback.wait();
-    if (callbackResult.state !== state) {
-      throw new Error("OAuth state mismatch");
-    }
-    const clerkToken = await exchangeCodeForClerkToken(config, callbackResult.code, codeVerifier, callback.redirectUri);
-    const exchange = await postJson(`${resolvedApiUrl}/api/v1/cli/auth/oauth/exchange`, {
-      clerkToken
-    });
-    return { apiUrl: resolvedApiUrl, ...exchange };
-  } catch (error) {
-    throw new Error(formatOAuthError(error, {
-      apiUrl: resolvedApiUrl,
-      redirectUri: callback.redirectUri
-    }), { cause: error });
-  } finally {
-    await callback.close();
+function configPath(env = process.env, platform = process.platform) {
+  if (env.VENDIAN_CLI_CONFIG) {
+    return pathApi(platform).resolve(env.VENDIAN_CLI_CONFIG);
   }
+  return pathApi(platform).join(vendianHome(env, platform), "config.json");
 }
-async function fetchPackageCredentials({ apiUrl, accessToken }) {
-  if (!apiUrl || !accessToken) {
-    return void 0;
+function managedVenvPath(env = process.env, platform = process.platform) {
+  if (env.VENDIAN_CLI_VENV) {
+    return pathApi(platform).resolve(env.VENDIAN_CLI_VENV);
   }
-  const payload = await getJson(`${String(apiUrl).replace(/\/$/, "")}/api/v1/cli/package-credentials`, {
-    Authorization: `Bearer ${accessToken}`
-  });
-  return payload.packageCredentials;
+  return pathApi(platform).join(vendianHome(env, platform), ".venv");
 }
-function loadCloudConfig(env = process.env, platform = process.platform) {
-  const file = cloudConfigPath(env, platform);
+function venvPython(venvPath, platform = process.platform) {
+  return platform === "win32" ? path.win32.join(venvPath, "Scripts", "python.exe") : path.posix.join(venvPath, "bin", "python");
+}
+function venvVendian(venvPath, platform = process.platform) {
+  return platform === "win32" ? path.win32.join(venvPath, "Scripts", "vendian.exe") : path.posix.join(venvPath, "bin", "vendian");
+}
+var init_paths = __esm({
+  "src/paths.js"() {
+  }
+});
+// src/config.js
+import fs from "node:fs";
+import path2 from "node:path";
+function loadConfig(env = process.env, platform = process.platform) {
+  const file = configPath(env, platform);
   try {
-    const parsed = JSON.parse(fs6.readFileSync(file, "utf8"));
-    return parsed && typeof parsed === "object" ? parsed : {};
-  } catch {
+    const parsed = JSON.parse(fs.readFileSync(file, "utf8"));
+    return typeof parsed === "object" && parsed !== null ? parsed : {};
+  } catch (error) {
+    if (error && error.code === "ENOENT") {
+      return {};
+    }
     return {};
   }
 }
-function cloudAuthStatus({ backend, apiUrl, env = process.env, platform = process.platform } = {}) {
-  const targetApiUrl = resolveApiUrl({ backend, apiUrl, env });
-  const config = loadCloudConfig(env, platform);
-  const profiles = config.profiles && typeof config.profiles === "object" ? config.profiles : {};
-  const profile = profiles[targetApiUrl];
-  return {
-    apiUrl: targetApiUrl,
-    activeApiUrl: typeof config.active_api_url === "string" ? config.active_api_url : void 0,
-    profile: profile && typeof profile === "object" ? profile : void 0,
-    authenticated: Boolean(profile?.access_token),
-    email: typeof profile?.email === "string" ? profile.email : void 0,
-    expiresAt: typeof profile?.expires_at === "string" ? profile.expires_at : void 0,
-    profiles
-  };
-}
-function activeCloudAuthStatus({ env = process.env, platform = process.platform } = {}) {
-  const config = loadCloudConfig(env, platform);
-  const profiles = config.profiles && typeof config.profiles === "object" ? config.profiles : {};
-  const apiUrl = typeof config.active_api_url === "string" ? config.active_api_url : void 0;
-  const profile = apiUrl ? profiles[apiUrl] : void 0;
-  return {
-    apiUrl,
-    activeApiUrl: apiUrl,
-    profile: profile && typeof profile === "object" ? profile : void 0,
-    authenticated: Boolean(profile?.access_token),
-    email: typeof profile?.email === "string" ? profile.email : void 0,
-    expiresAt: typeof profile?.expires_at === "string" ? profile.expires_at : void 0,
-    profiles
-  };
+function saveConfig(config, env = process.env, platform = process.platform) {
+  const file = configPath(env, platform);
+  fs.mkdirSync(path2.dirname(file), { recursive: true });
+  const next = { version: CONFIG_VERSION, ...config };
+  fs.writeFileSync(file, `${JSON.stringify(next, null, 2)}
+`, { encoding: "utf8", mode: 384 });
+  try {
+    fs.chmodSync(file, 384);
+  } catch {
+  }
+  return file;
 }
-function activateCloudProfile({ backend, apiUrl, env = process.env, platform = process.platform } = {}) {
-  const targetApiUrl = resolveApiUrl({ backend, apiUrl, env });
-  const config = loadCloudConfig(env, platform);
-  const profiles = config.profiles && typeof config.profiles === "object" ? config.profiles : {};
-  const profile = profiles[targetApiUrl];
-  if (!profile || typeof profile !== "object" || !profile.access_token) {
-    return {
-      apiUrl: targetApiUrl,
-      activeApiUrl: typeof config.active_api_url === "string" ? config.active_api_url : void 0,
-      authenticated: false,
-      activated: false,
-      profiles
-    };
+var init_config = __esm({
+  "src/config.js"() {
+    init_constants();
+    init_paths();
   }
-  const next = {
-    ...config,
-    version: config.version || 2,
-    profiles,
-    active_api_url: targetApiUrl
-  };
-  writeCloudConfig(next, { env, platform });
+});
+// src/process.js
+import { spawn, spawnSync } from "node:child_process";
+function commandExists(command) {
+  const result = spawnSync(command, ["--version"], { stdio: "ignore", shell: false });
+  return result.status === 0;
+}
+function runCapture(command, args, options = {}) {
+  const result = spawnSync(command, args, {
+    encoding: "utf8",
+    shell: false,
+    ...options
+  });
+  const errorMessage = result.error && typeof result.error.message === "string" ? result.error.message : "";
   return {
-    apiUrl: targetApiUrl,
-    activeApiUrl: targetApiUrl,
-    profile,
-    authenticated: true,
-    activated: true,
-    email: typeof profile.email === "string" ? profile.email : void 0,
-    expiresAt: typeof profile.expires_at === "string" ? profile.expires_at : void 0,
-    profiles
+    ok: !result.error && result.status === 0,
+    status: result.status ?? 1,
+    stdout: result.stdout || "",
+    stderr: result.stderr || errorMessage
   };
 }
-function defaultOAuthRedirectUri(env = process.env) {
-  const port = Number(env.VENDIAN_CLI_OAUTH_REDIRECT_PORT || DEFAULT_OAUTH_REDIRECT_PORT);
-  return `http://127.0.0.1:${port}/callback`;
-}
-function formatOAuthError(error, { apiUrl, redirectUri } = {}) {
-  const message = error && typeof error.message === "string" ? error.message : String(error || "OAuth login failed");
-  const hint = oauthRedirectHint(message, { apiUrl, redirectUri });
-  return hint ? `${message}
-${hint}` : message;
-}
-async function getOAuthConfig(apiUrl, redirectUri) {
-  const url = new URL(`${apiUrl}/api/v1/cli/auth/oauth/config`);
-  url.searchParams.set("redirectUri", redirectUri);
-  return getJson(url);
-}
-function authorizationUrlFor(config, { state, codeChallenge }) {
-  const url = new URL(String(config.authorizationUrl));
-  url.searchParams.set("response_type", "code");
-  url.searchParams.set("client_id", String(config.clientId));
-  url.searchParams.set("redirect_uri", String(config.redirectUri));
-  url.searchParams.set("scope", String(config.scopes || "email profile"));
-  url.searchParams.set("state", state);
-  url.searchParams.set("code_challenge", codeChallenge);
-  url.searchParams.set("code_challenge_method", "S256");
-  return url.toString();
-}
-async function exchangeCodeForClerkToken(config, code, codeVerifier, redirectUri) {
-  const body = new URLSearchParams({
-    grant_type: "authorization_code",
-    client_id: String(config.clientId),
-    code,
-    redirect_uri: redirectUri,
-    code_verifier: codeVerifier
+function runInherit(command, args, options = {}) {
+  const result = spawnSync(command, args, {
+    stdio: "inherit",
+    shell: false,
+    ...options
   });
-  const payload = await postForm(String(config.tokenUrl), body);
-  const token = payload.access_token || payload.id_token;
-  if (!token) {
-    throw new Error("OAuth token exchange did not return a Clerk token");
+  if (result.error) {
+    throw result.error;
   }
-  return String(token);
+  return result.status ?? 1;
 }
-async function getJson(url, headers = {}) {
-  const response = await fetch(url, { headers: { Accept: "application/json", ...headers } });
-  return decodeResponse(response);
-}
-async function postJson(url, body) {
-  const response = await fetch(url, {
-    method: "POST",
-    headers: { Accept: "application/json", "Content-Type": "application/json" },
-    body: JSON.stringify(body)
+function spawnForward(command, args, options = {}) {
+  return new Promise((resolve, reject) => {
+    const child = spawn(command, args, {
+      stdio: "inherit",
+      shell: false,
+      ...options
+    });
+    child.on("error", reject);
+    child.on("exit", (code, signal) => {
+      if (signal) {
+        reject(new Error(`command terminated by ${signal}`));
+        return;
+      }
+      resolve(code ?? 1);
+    });
   });
-  return decodeResponse(response);
 }
-async function postForm(url, body) {
-  const response = await fetch(url, {
-    method: "POST",
-    headers: { Accept: "application/json", "Content-Type": "application/x-www-form-urlencoded" },
-    body
-  });
-  return decodeResponse(response);
+function childProcessIsRunning(child) {
+  return Boolean(child) && child.exitCode == null && child.signalCode == null;
 }
-async function decodeResponse(response) {
-  const text = await response.text();
-  let payload = {};
-  if (text) {
+function killProcessTree(child, {
+  platform = process.platform,
+  signal = "SIGTERM",
+  spawnSyncFn = spawnSync
+} = {}) {
+  if (!childProcessIsRunning(child)) return false;
+  if (platform === "win32") {
     try {
-      payload = JSON.parse(text);
+      spawnSyncFn("taskkill", ["/F", "/T", "/PID", String(child.pid)], { stdio: "ignore" });
     } catch {
-      payload = { error: text };
     }
+    return true;
   }
-  if (!response.ok) {
-    throw new Error(payload.message || payload.error || `HTTP ${response.status}`);
+  try {
+    child.kill(signal);
+    return true;
+  } catch {
+    return false;
   }
-  return payload;
-}
-async function createCallbackServer(env) {
-  const port = Number(env.VENDIAN_CLI_OAUTH_REDIRECT_PORT || DEFAULT_OAUTH_REDIRECT_PORT);
-  let server;
-  let settled = false;
-  let timeout;
-  const waitPromise = new Promise((resolve, reject) => {
-    timeout = setTimeout(() => {
-      settled = true;
-      reject(new Error("OAuth login timed out before callback completed"));
-    }, 3e5);
-    server = http.createServer((req, res) => {
-      const url = new URL(req.url || "/", `http://${req.headers.host || "127.0.0.1"}`);
-      const code = url.searchParams.get("code");
-      const state = url.searchParams.get("state");
-      const error = url.searchParams.get("error");
-      const errorDescription = url.searchParams.get("error_description");
-      const body = code ? "Vendian CLI authentication complete. You can close this window." : "Vendian CLI authentication failed. Return to the terminal.";
-      res.writeHead(code ? 200 : 400, {
-        "Content-Type": "text/plain; charset=utf-8",
-        "Content-Length": Buffer.byteLength(body)
-      });
-      res.end(body);
-      clearTimeout(timeout);
-      if (settled) {
-        return;
-      }
-      settled = true;
-      if (error) {
-        const details = errorDescription ? `${error} (${errorDescription})` : error;
-        reject(new Error(`OAuth login failed: ${details}`));
-        return;
-      }
-      if (!code) {
-        reject(new Error("OAuth callback did not include an authorization code"));
-        return;
-      }
-      resolve({ code, state });
-    });
-    server.on("error", reject);
-    server.listen(port, "127.0.0.1");
-  });
-  await new Promise((resolve, reject) => {
-    server.once("listening", resolve);
-    server.once("error", reject);
-  });
-  return {
-    redirectUri: `http://127.0.0.1:${server.address().port}/callback`,
-    wait: () => waitPromise,
-    close: () => new Promise((resolve) => server.close(resolve))
-  };
 }
-function oauthRedirectHint(message, { apiUrl, redirectUri } = {}) {
-  if (!redirectUri) {
-    return "";
-  }
-  const lower = String(message || "").toLowerCase();
-  const looksLikeRedirectMismatch = lower.includes("redirect_uri") || lower.includes("pre-registered redirect") || lower.includes("oauth login timed out before callback completed") || lower.includes("oauth callback did not include an authorization code");
-  if (!looksLikeRedirectMismatch) {
-    return "";
+var init_process = __esm({
+  "src/process.js"() {
   }
-  const target = apiUrl || "this backend";
-  return `If Clerk rejected the CLI callback for ${target}, add this redirect URL in Clerk: ${redirectUri}`;
-}
-function openBrowser(url) {
-  const platform = process.platform;
+});
+// src/python.js
+import fs2 from "node:fs";
+function pythonCandidates(platform = process.platform) {
   if (platform === "win32") {
-    spawnSync3(...buildWindowsOpenCommand(url), { stdio: "ignore", shell: false });
-    return;
+    return [
+      { command: "py", args: ["-3.11"] },
+      { command: "python", args: [] },
+      { command: "python3", args: [] }
+    ];
   }
   if (platform === "darwin") {
-    spawnSync3(...buildMacOpenCommand(url), { stdio: "ignore", shell: false });
-    return;
+    return [
+      { command: "/opt/homebrew/bin/python3.12", args: [] },
+      { command: "/opt/homebrew/bin/python3.11", args: [] },
+      { command: "/usr/local/bin/python3.12", args: [] },
+      { command: "/usr/local/bin/python3.11", args: [] },
+      { command: "python3.12", args: [] },
+      { command: "python3.11", args: [] },
+      { command: "python3", args: [] },
+      { command: "python", args: [] }
+    ];
   }
-  spawnSync3(...buildLinuxOpenCommand(url), { stdio: "ignore", shell: false });
-}
-function buildWindowsOpenCommand(url) {
-  return ["rundll32.exe", ["url.dll,FileProtocolHandler", String(url)]];
-}
-function buildMacOpenCommand(url) {
-  return ["open", [String(url)]];
+  return [
+    { command: "python3.12", args: [] },
+    { command: "python3.11", args: [] },
+    { command: "python3", args: [] },
+    { command: "python", args: [] }
+  ];
 }
-function buildLinuxOpenCommand(url) {
-  return ["xdg-open", [String(url)]];
+function findPython(platform = process.platform) {
+  const candidates = pythonCandidates(platform);
+  for (const candidate of candidates) {
+    const version = runCapture(candidate.command, [
+      ...candidate.args,
+      "-c",
+      'import sys; print(f"{sys.version_info.major}.{sys.version_info.minor}.{sys.version_info.micro}")'
+    ]);
+    if (!version.ok) {
+      continue;
+    }
+    const match = version.stdout.trim().match(/^(\d+)\.(\d+)\./);
+    if (!match) {
+      continue;
+    }
+    const major = Number(match[1]);
+    const minor = Number(match[2]);
+    if (major > 3 || major === 3 && minor >= 11) {
+      return candidate;
+    }
+  }
+  return null;
 }
-function cloudConfigPath(env = process.env, platform = process.platform) {
-  if (env.VENDIAN_CLOUD_CONFIG) {
-    return path5.resolve(env.VENDIAN_CLOUD_CONFIG);
+function ensureVenv(venvPath, pythonCandidate, platform = process.platform) {
+  const pythonPath = venvPython(venvPath, platform);
+  if (fs2.existsSync(pythonPath)) {
+    return pythonPath;
   }
-  if (platform === "win32") {
-    const root2 = env.APPDATA || path5.join(process.env.USERPROFILE || "", "AppData", "Roaming");
-    return path5.win32.join(root2, "Vendian", "cloud-auth.json");
+  fs2.mkdirSync(venvPath, { recursive: true });
+  const status = runInherit(pythonCandidate.command, [
+    ...pythonCandidate.args,
+    "-m",
+    "venv",
+    venvPath
+  ]);
+  if (status !== 0) {
+    throw new Error("Could not create the managed Vendian Python environment.");
   }
-  const root = env.XDG_CONFIG_HOME || path5.join(process.env.HOME || "", ".config");
-  return path5.posix.join(root, "vendian", "cloud-auth.json");
+  return pythonPath;
 }
-function saveCloudToken(token, { env = process.env, platform = process.platform } = {}) {
-  const tokenApiUrl = String(token.apiUrl || "").replace(/\/$/, "");
-  let raw = { version: 2, profiles: {}, active_api_url: token.apiUrl };
-  try {
-    const existing = loadCloudConfig(env, platform);
-    if (existing && typeof existing === "object" && existing.profiles && typeof existing.profiles === "object") {
-      raw.profiles = existing.profiles;
-    }
-  } catch {
-  }
-  raw.active_api_url = tokenApiUrl;
-  raw.profiles[tokenApiUrl] = {
-    api_url: tokenApiUrl,
-    access_token: token.accessToken,
-    user_id: token.userId,
-    email: token.email,
-    expires_at: token.expiresAt,
-    scopes: token.scopes,
-    tooling_eligible: token.toolingEligible
-  };
-  return writeCloudConfig(raw, { env, platform });
+function hasUv() {
+  return commandExists("uv");
 }
-function writeCloudConfig(raw, { env = process.env, platform = process.platform } = {}) {
-  const file = cloudConfigPath(env, platform);
-  fs6.mkdirSync(path5.dirname(file), { recursive: true });
-  fs6.writeFileSync(file, `${JSON.stringify(raw, null, 2)}
-`, { encoding: "utf8", mode: 384 });
-  try {
-    fs6.chmodSync(file, 384);
-  } catch {
-  }
-  return file;
+function pythonVersion(pythonPath) {
+  const result = runCapture(pythonPath, [
+    "-c",
+    'import sys; print(f"{sys.version_info.major}.{sys.version_info.minor}.{sys.version_info.micro}")'
+  ]);
+  return result.ok ? result.stdout.trim() : null;
 }
-var DEFAULT_OAUTH_REDIRECT_PORT;
-var init_auth = __esm({
-  "src/auth.js"() {
-    init_constants();
-    DEFAULT_OAUTH_REDIRECT_PORT = 8765;
+function verifyVendianImports(pythonPath) {
+  const result = runCapture(pythonPath, [
+    "-c",
+    'import vendian_agents, vendian_agents_runtime; print("ok")'
+  ]);
+  return result.ok;
+}
+var init_python = __esm({
+  "src/python.js"() {
+    init_process();
+    init_paths();
   }
 });
-// src/doctor.js
-import fs4 from "node:fs";
-// src/config.js
-init_constants();
-import fs from "node:fs";
-import path2 from "node:path";
-// src/paths.js
-import os from "node:os";
-import path from "node:path";
-function pathApi(platform) {
-  return platform === "win32" ? path.win32 : path.posix;
-}
-function homeDir(env, platform) {
-  if (platform === "win32") {
-    return env.USERPROFILE || os.homedir();
-  }
-  return env.HOME || os.homedir();
-}
-function vendianHome(env = process.env, platform = process.platform) {
-  if (env.VENDIAN_CLI_HOME) {
-    return pathApi(platform).resolve(env.VENDIAN_CLI_HOME);
-  }
-  if (platform === "win32") {
-    const root = env.LOCALAPPDATA || path.win32.join(homeDir(env, platform), "AppData", "Local");
-    return path.win32.join(root, "Vendian", "cli");
-  }
-  return path.posix.join(homeDir(env, platform), ".vendian", "cli");
-}
-function configPath(env = process.env, platform = process.platform) {
-  if (env.VENDIAN_CLI_CONFIG) {
-    return pathApi(platform).resolve(env.VENDIAN_CLI_CONFIG);
-  }
-  return pathApi(platform).join(vendianHome(env, platform), "config.json");
-}
-function managedVenvPath(env = process.env, platform = process.platform) {
-  if (env.VENDIAN_CLI_VENV) {
-    return pathApi(platform).resolve(env.VENDIAN_CLI_VENV);
-  }
-  return pathApi(platform).join(vendianHome(env, platform), ".venv");
-}
-function venvPython(venvPath, platform = process.platform) {
-  return platform === "win32" ? path.win32.join(venvPath, "Scripts", "python.exe") : path.posix.join(venvPath, "bin", "python");
-}
-function venvVendian(venvPath, platform = process.platform) {
-  return platform === "win32" ? path.win32.join(venvPath, "Scripts", "vendian.exe") : path.posix.join(venvPath, "bin", "vendian");
-}
-// src/config.js
-function loadConfig(env = process.env, platform = process.platform) {
-  const file = configPath(env, platform);
-  try {
-    const parsed = JSON.parse(fs.readFileSync(file, "utf8"));
-    return typeof parsed === "object" && parsed !== null ? parsed : {};
-  } catch (error) {
-    if (error && error.code === "ENOENT") {
-      return {};
-    }
-    return {};
-  }
-}
-function saveConfig(config, env = process.env, platform = process.platform) {
-  const file = configPath(env, platform);
-  fs.mkdirSync(path2.dirname(file), { recursive: true });
-  const next = { version: CONFIG_VERSION, ...config };
-  fs.writeFileSync(file, `${JSON.stringify(next, null, 2)}
-`, { encoding: "utf8", mode: 384 });
-  try {
-    fs.chmodSync(file, 384);
-  } catch {
-  }
-  return file;
-}
-// src/install.js
-init_constants();
-import fs3 from "node:fs";
-import path3 from "node:path";
-// src/process.js
-import { spawn, spawnSync } from "node:child_process";
-function commandExists(command) {
-  const result = spawnSync(command, ["--version"], { stdio: "ignore", shell: false });
-  return result.status === 0;
-}
-function runCapture(command, args, options = {}) {
-  const result = spawnSync(command, args, {
-    encoding: "utf8",
-    shell: false,
-    ...options
-  });
-  const errorMessage = result.error && typeof result.error.message === "string" ? result.error.message : "";
-  return {
-    ok: !result.error && result.status === 0,
-    status: result.status ?? 1,
-    stdout: result.stdout || "",
-    stderr: result.stderr || errorMessage
-  };
-}
-function runInherit(command, args, options = {}) {
-  const result = spawnSync(command, args, {
-    stdio: "inherit",
-    shell: false,
-    ...options
-  });
-  if (result.error) {
-    throw result.error;
-  }
-  return result.status ?? 1;
-}
-function spawnForward(command, args, options = {}) {
-  return new Promise((resolve, reject) => {
-    const child = spawn(command, args, {
-      stdio: "inherit",
-      shell: false,
-      ...options
-    });
-    child.on("error", reject);
-    child.on("exit", (code, signal) => {
-      if (signal) {
-        reject(new Error(`command terminated by ${signal}`));
-        return;
-      }
-      resolve(code ?? 1);
-    });
-  });
-}
-function childProcessIsRunning(child) {
-  return Boolean(child) && child.exitCode == null && child.signalCode == null;
-}
-function killProcessTree(child, {
-  platform = process.platform,
-  signal = "SIGTERM",
-  spawnSyncFn = spawnSync
-} = {}) {
-  if (!childProcessIsRunning(child)) return false;
-  if (platform === "win32") {
-    try {
-      spawnSyncFn("taskkill", ["/F", "/T", "/PID", String(child.pid)], { stdio: "ignore" });
-    } catch {
-    }
-    return true;
-  }
-  try {
-    child.kill(signal);
-    return true;
-  } catch {
-    return false;
-  }
-}
-// src/python.js
-import fs2 from "node:fs";
-function pythonCandidates(platform = process.platform) {
-  if (platform === "win32") {
-    return [
-      { command: "py", args: ["-3.11"] },
-      { command: "python", args: [] },
-      { command: "python3", args: [] }
-    ];
-  }
-  if (platform === "darwin") {
-    return [
-      { command: "/opt/homebrew/bin/python3.12", args: [] },
-      { command: "/opt/homebrew/bin/python3.11", args: [] },
-      { command: "/usr/local/bin/python3.12", args: [] },
-      { command: "/usr/local/bin/python3.11", args: [] },
-      { command: "python3.12", args: [] },
-      { command: "python3.11", args: [] },
-      { command: "python3", args: [] },
-      { command: "python", args: [] }
-    ];
-  }
-  return [
-    { command: "python3.12", args: [] },
-    { command: "python3.11", args: [] },
-    { command: "python3", args: [] },
-    { command: "python", args: [] }
-  ];
-}
-function findPython(platform = process.platform) {
-  const candidates = pythonCandidates(platform);
-  for (const candidate of candidates) {
-    const version = runCapture(candidate.command, [
-      ...candidate.args,
-      "-c",
-      'import sys; print(f"{sys.version_info.major}.{sys.version_info.minor}.{sys.version_info.micro}")'
-    ]);
-    if (!version.ok) {
-      continue;
-    }
-    const match = version.stdout.trim().match(/^(\d+)\.(\d+)\./);
-    if (!match) {
-      continue;
-    }
-    const major = Number(match[1]);
-    const minor = Number(match[2]);
-    if (major > 3 || major === 3 && minor >= 11) {
-      return candidate;
-    }
-  }
-  return null;
-}
-function ensureVenv(venvPath, pythonCandidate, platform = process.platform) {
-  const pythonPath = venvPython(venvPath, platform);
-  if (fs2.existsSync(pythonPath)) {
-    return pythonPath;
-  }
-  fs2.mkdirSync(venvPath, { recursive: true });
-  const status = runInherit(pythonCandidate.command, [
-    ...pythonCandidate.args,
-    "-m",
-    "venv",
-    venvPath
-  ]);
-  if (status !== 0) {
-    throw new Error("Could not create the managed Vendian Python environment.");
-  }
-  return pythonPath;
-}
-function hasUv() {
-  return commandExists("uv");
-}
-function pythonVersion(pythonPath) {
-  const result = runCapture(pythonPath, [
-    "-c",
-    'import sys; print(f"{sys.version_info.major}.{sys.version_info.minor}.{sys.version_info.micro}")'
-  ]);
-  return result.ok ? result.stdout.trim() : null;
-}
-function verifyVendianImports(pythonPath) {
-  const result = runCapture(pythonPath, [
-    "-c",
-    'import vendian_agents, vendian_agents_runtime; print("ok")'
-  ]);
-  return result.ok;
-}
 // src/secret-store.js
 import { spawnSync as spawnSync2 } from "node:child_process";
-var SERVICE = "Vendian CLI";
-var PACKAGE_TOKEN_ACCOUNT = "gitlab-package-token";
-var SECRET_STORE_TIMEOUT_MS = 5e3;
 function run(command, args, options = {}) {
   return spawnSync2(command, args, {
     encoding: "utf8",
@@ -734,8 +379,18 @@ function loadPackageTokenSecret(config = {}, platform = process.platform) {
   }
   return "";
 }
+var SERVICE, PACKAGE_TOKEN_ACCOUNT, SECRET_STORE_TIMEOUT_MS;
+var init_secret_store = __esm({
+  "src/secret-store.js"() {
+    SERVICE = "Vendian CLI";
+    PACKAGE_TOKEN_ACCOUNT = "gitlab-package-token";
+    SECRET_STORE_TIMEOUT_MS = 5e3;
+  }
+});
 // src/install.js
+import fs3 from "node:fs";
+import path3 from "node:path";
 function registryConfig(config = {}, env = process.env, platform = process.platform) {
   const gitlabHost = env.GITLAB_HOST || config.gitlabHost || DEFAULT_GITLAB_HOST;
   const username = env.GITLAB_USERNAME || config.gitlabUsername || "__token__";
@@ -817,267 +472,379 @@ function writeInstallMarker(venvPath, marker) {
     "utf8"
   );
 }
+var init_install = __esm({
+  "src/install.js"() {
+    init_constants();
+    init_process();
+    init_python();
+    init_secret_store();
+  }
+});
-// src/doctor.js
-function doctor({ env = process.env, platform = process.platform } = {}) {
-  const config = loadConfig(env, platform);
-  const venvPath = managedVenvPath(env, platform);
-  const pythonPath = venvPython(venvPath, platform);
-  const vendianPath = venvVendian(venvPath, platform);
-  const registry = registryConfig(config, env, platform);
-  console.log("Vendian doctor");
-  console.log(`Home: ${venvPath}`);
-  console.log(`System Python 3.11+: ${findPython(platform) ? "yes" : "no"}`);
-  console.log(`uv: ${hasUv() ? "yes" : "no, will use pip fallback"}`);
-  console.log(`Managed Python: ${fs4.existsSync(pythonPath) ? pythonVersion(pythonPath) || "present" : "missing"}`);
-  console.log(`Vendian executable: ${fs4.existsSync(vendianPath) ? vendianPath : "missing"}`);
-  console.log(`Vendian imports: ${fs4.existsSync(pythonPath) && verifyVendianImports(pythonPath) ? "ok" : "missing"}`);
-  console.log(`Package access: ${registry.token ? `configured (${registry.tokenSource})` : "missing"}`);
+// src/auth.js
+var auth_exports = {};
+__export(auth_exports, {
+  activateCloudProfile: () => activateCloudProfile,
+  activeCloudAuthStatus: () => activeCloudAuthStatus,
+  buildLinuxOpenCommand: () => buildLinuxOpenCommand,
+  buildMacOpenCommand: () => buildMacOpenCommand,
+  buildWindowsOpenCommand: () => buildWindowsOpenCommand,
+  cloudAuthStatus: () => cloudAuthStatus,
+  cloudConfigPath: () => cloudConfigPath,
+  defaultOAuthRedirectUri: () => defaultOAuthRedirectUri,
+  fetchPackageCredentials: () => fetchPackageCredentials,
+  formatOAuthError: () => formatOAuthError,
+  loadCloudConfig: () => loadCloudConfig,
+  loginWithVendianOAuth: () => loginWithVendianOAuth,
+  resolveApiUrl: () => resolveApiUrl,
+  saveCloudToken: () => saveCloudToken
+});
+import crypto from "node:crypto";
+import http from "node:http";
+import fs6 from "node:fs";
+import path5 from "node:path";
+import { spawnSync as spawnSync3 } from "node:child_process";
+function resolveApiUrl({ backend, apiUrl, env = process.env } = {}) {
+  if (apiUrl) {
+    return apiUrl.replace(/\/$/, "");
+  }
+  if (env.VENDIAN_API_URL) {
+    return env.VENDIAN_API_URL.replace(/\/$/, "");
+  }
+  const target = backend || "prod";
+  const resolved = BACKEND_TARGETS[target];
+  if (!resolved) {
+    throw new Error(`Unknown Vendian backend '${target}'. Use local, dev, staging, prod, or --api-url.`);
+  }
+  return resolved;
 }
-// src/dev-server.js
-import http2 from "node:http";
-import fs11 from "node:fs";
-import path8 from "node:path";
-import { fileURLToPath } from "node:url";
-import { spawn as spawn3 } from "node:child_process";
-// src/agent-discovery.js
-import fs5 from "node:fs";
-import os2 from "node:os";
-import path4 from "node:path";
-var SKIP_DIRS = /* @__PURE__ */ new Set([
-  ".agents",
-  ".git",
-  ".hg",
-  ".mypy_cache",
-  ".pytest_cache",
-  ".ruff_cache",
-  ".svn",
-  ".venv",
-  "__pycache__",
-  "build",
-  "dist",
-  "node_modules",
-  "venv"
-]);
-var MANIFEST_NAMES = /* @__PURE__ */ new Set(["manifest.yaml", "manifest.yml"]);
-function findAgentDirectoryCandidates({
-  cwd = process.cwd(),
-  home = os2.homedir(),
-  maxDepth = 6,
-  maxDirs = 1e3,
-  limit = 12
-} = {}) {
-  const start = path4.resolve(cwd);
-  const candidates = [];
-  const seen = /* @__PURE__ */ new Set();
-  function addCandidate(candidatePath) {
-    const resolved = safeResolve(candidatePath);
-    if (!resolved || seen.has(resolved)) {
-      return;
+async function loginWithVendianOAuth({ backend, apiUrl, noBrowser = false, env = process.env } = {}) {
+  const resolvedApiUrl = resolveApiUrl({ backend, apiUrl, env });
+  const callback = await createCallbackServer(env);
+  try {
+    const config = await getOAuthConfig(resolvedApiUrl, callback.redirectUri);
+    const codeVerifier = crypto.randomBytes(48).toString("base64url");
+    const codeChallenge = crypto.createHash("sha256").update(codeVerifier).digest("base64url");
+    const state = crypto.randomBytes(18).toString("base64url");
+    const authorizationUrl = authorizationUrlFor(config, { state, codeChallenge });
+    if (noBrowser) {
+      console.error(`Open this URL to authenticate the CLI: ${authorizationUrl}`);
+    } else {
+      openBrowser(authorizationUrl);
     }
-    const count = countAgentManifests(resolved, { maxDepth, maxDirs, limit: 100 });
-    if (count < 1) {
-      return;
+    const callbackResult = await callback.wait();
+    if (callbackResult.state !== state) {
+      throw new Error("OAuth state mismatch");
     }
-    seen.add(resolved);
-    candidates.push({
-      path: displayPath(resolved, start),
-      absolutePath: resolved,
-      agentCount: count
+    const clerkToken = await exchangeCodeForClerkToken(config, callbackResult.code, codeVerifier, callback.redirectUri);
+    const exchange = await postJson(`${resolvedApiUrl}/api/v1/cli/auth/oauth/exchange`, {
+      clerkToken
     });
+    return { apiUrl: resolvedApiUrl, ...exchange };
+  } catch (error) {
+    throw new Error(formatOAuthError(error, {
+      apiUrl: resolvedApiUrl,
+      redirectUri: callback.redirectUri
+    }), { cause: error });
+  } finally {
+    await callback.close();
   }
-  addCandidate(path4.join(start, "agents"));
-  if (hasDirectManifest(start)) {
-    addCandidate(start);
-  }
-  for (const parent of parentDirs(start, 3)) {
-    addCandidate(path4.join(parent, "agents"));
-  }
-  const roots = uniqueExistingDirs([
-    start,
-    ...commonSearchRoots(home)
-  ]);
-  for (const root of roots) {
-    for (const manifest of findManifestFiles(root, { maxDepth, maxDirs, limit: 250 })) {
-      const workspace = nearestAgentsAncestor(manifest, root);
-      addCandidate(workspace || path4.dirname(manifest));
-      if (candidates.length >= limit) {
-        return candidates.slice(0, limit);
-      }
-    }
+}
+async function fetchPackageCredentials({ apiUrl, accessToken }) {
+  if (!apiUrl || !accessToken) {
+    return void 0;
   }
-  return candidates.slice(0, limit);
+  const payload = await getJson(`${String(apiUrl).replace(/\/$/, "")}/api/v1/cli/package-credentials`, {
+    Authorization: `Bearer ${accessToken}`
+  });
+  return payload.packageCredentials;
 }
-function findAgentFolders(root, {
-  cwd = process.cwd(),
-  maxDepth = 6,
-  maxDirs = 1e3,
-  limit = 100
-} = {}) {
-  const start = path4.resolve(cwd);
-  const resolvedRoot = safeResolve(root || ".");
-  if (!resolvedRoot) {
-    return [];
+function loadCloudConfig(env = process.env, platform = process.platform) {
+  const file = cloudConfigPath(env, platform);
+  try {
+    const parsed = JSON.parse(fs6.readFileSync(file, "utf8"));
+    return parsed && typeof parsed === "object" ? parsed : {};
+  } catch {
+    return {};
   }
-  const seen = /* @__PURE__ */ new Set();
-  const folders = [];
-  for (const manifest of findManifestFiles(resolvedRoot, { maxDepth, maxDirs, limit })) {
-    const folder = path4.dirname(manifest);
-    const resolved = safeResolve(folder);
-    if (!resolved || seen.has(resolved)) {
-      continue;
-    }
-    seen.add(resolved);
-    folders.push({
-      path: displayPath(resolved, start),
-      absolutePath: resolved,
-      name: path4.basename(resolved) || displayPath(resolved, start)
-    });
+}
+function cloudAuthStatus({ backend, apiUrl, env = process.env, platform = process.platform } = {}) {
+  const targetApiUrl = resolveApiUrl({ backend, apiUrl, env });
+  const config = loadCloudConfig(env, platform);
+  const profiles = config.profiles && typeof config.profiles === "object" ? config.profiles : {};
+  const profile = profiles[targetApiUrl];
+  return {
+    apiUrl: targetApiUrl,
+    activeApiUrl: typeof config.active_api_url === "string" ? config.active_api_url : void 0,
+    profile: profile && typeof profile === "object" ? profile : void 0,
+    authenticated: Boolean(profile?.access_token),
+    email: typeof profile?.email === "string" ? profile.email : void 0,
+    expiresAt: typeof profile?.expires_at === "string" ? profile.expires_at : void 0,
+    profiles
+  };
+}
+function activeCloudAuthStatus({ env = process.env, platform = process.platform } = {}) {
+  const config = loadCloudConfig(env, platform);
+  const profiles = config.profiles && typeof config.profiles === "object" ? config.profiles : {};
+  const apiUrl = typeof config.active_api_url === "string" ? config.active_api_url : void 0;
+  const profile = apiUrl ? profiles[apiUrl] : void 0;
+  return {
+    apiUrl,
+    activeApiUrl: apiUrl,
+    profile: profile && typeof profile === "object" ? profile : void 0,
+    authenticated: Boolean(profile?.access_token),
+    email: typeof profile?.email === "string" ? profile.email : void 0,
+    expiresAt: typeof profile?.expires_at === "string" ? profile.expires_at : void 0,
+    profiles
+  };
+}
+function activateCloudProfile({ backend, apiUrl, env = process.env, platform = process.platform } = {}) {
+  const targetApiUrl = resolveApiUrl({ backend, apiUrl, env });
+  const config = loadCloudConfig(env, platform);
+  const profiles = config.profiles && typeof config.profiles === "object" ? config.profiles : {};
+  const profile = profiles[targetApiUrl];
+  if (!profile || typeof profile !== "object" || !profile.access_token) {
+    return {
+      apiUrl: targetApiUrl,
+      activeApiUrl: typeof config.active_api_url === "string" ? config.active_api_url : void 0,
+      authenticated: false,
+      activated: false,
+      profiles
+    };
   }
-  return folders.sort((a, b) => a.path.localeCompare(b.path)).slice(0, limit);
+  const next = {
+    ...config,
+    version: config.version || 2,
+    profiles,
+    active_api_url: targetApiUrl
+  };
+  writeCloudConfig(next, { env, platform });
+  return {
+    apiUrl: targetApiUrl,
+    activeApiUrl: targetApiUrl,
+    profile,
+    authenticated: true,
+    activated: true,
+    email: typeof profile.email === "string" ? profile.email : void 0,
+    expiresAt: typeof profile.expires_at === "string" ? profile.expires_at : void 0,
+    profiles
+  };
 }
-function countAgentManifests(root, { maxDepth = 6, maxDirs = 1e3, limit = 100 } = {}) {
-  let count = 0;
-  for (const _manifest of findManifestFiles(root, { maxDepth, maxDirs, limit })) {
-    count += 1;
-    if (count >= limit) {
-      return count;
-    }
+function defaultOAuthRedirectUri(env = process.env) {
+  const port = Number(env.VENDIAN_CLI_OAUTH_REDIRECT_PORT || DEFAULT_OAUTH_REDIRECT_PORT);
+  return `http://127.0.0.1:${port}/callback`;
+}
+function formatOAuthError(error, { apiUrl, redirectUri } = {}) {
+  const message = error && typeof error.message === "string" ? error.message : String(error || "OAuth login failed");
+  const hint = oauthRedirectHint(message, { apiUrl, redirectUri });
+  return hint ? `${message}
+${hint}` : message;
+}
+async function getOAuthConfig(apiUrl, redirectUri) {
+  const url = new URL(`${apiUrl}/api/v1/cli/auth/oauth/config`);
+  url.searchParams.set("redirectUri", redirectUri);
+  return getJson(url);
+}
+function authorizationUrlFor(config, { state, codeChallenge }) {
+  const url = new URL(String(config.authorizationUrl));
+  url.searchParams.set("response_type", "code");
+  url.searchParams.set("client_id", String(config.clientId));
+  url.searchParams.set("redirect_uri", String(config.redirectUri));
+  url.searchParams.set("scope", String(config.scopes || "email profile"));
+  url.searchParams.set("state", state);
+  url.searchParams.set("code_challenge", codeChallenge);
+  url.searchParams.set("code_challenge_method", "S256");
+  return url.toString();
+}
+async function exchangeCodeForClerkToken(config, code, codeVerifier, redirectUri) {
+  const body = new URLSearchParams({
+    grant_type: "authorization_code",
+    client_id: String(config.clientId),
+    code,
+    redirect_uri: redirectUri,
+    code_verifier: codeVerifier
+  });
+  const payload = await postForm(String(config.tokenUrl), body);
+  const token = payload.access_token || payload.id_token;
+  if (!token) {
+    throw new Error("OAuth token exchange did not return a Clerk token");
   }
-  return count;
+  return String(token);
 }
-function findManifestFiles(root, { maxDepth, maxDirs, limit }) {
-  const manifests = [];
-  const stack = [{ dir: root, depth: 0 }];
-  const seen = /* @__PURE__ */ new Set();
-  while (stack.length && manifests.length < limit && seen.size < maxDirs) {
-    const { dir, depth } = stack.pop();
-    const resolved = safeResolve(dir);
-    if (!resolved || seen.has(resolved)) {
-      continue;
-    }
-    seen.add(resolved);
-    let entries;
+async function getJson(url, headers = {}) {
+  const response = await fetch(url, { headers: { Accept: "application/json", ...headers } });
+  return decodeResponse(response);
+}
+async function postJson(url, body) {
+  const response = await fetch(url, {
+    method: "POST",
+    headers: { Accept: "application/json", "Content-Type": "application/json" },
+    body: JSON.stringify(body)
+  });
+  return decodeResponse(response);
+}
+async function postForm(url, body) {
+  const response = await fetch(url, {
+    method: "POST",
+    headers: { Accept: "application/json", "Content-Type": "application/x-www-form-urlencoded" },
+    body
+  });
+  return decodeResponse(response);
+}
+async function decodeResponse(response) {
+  const text = await response.text();
+  let payload = {};
+  if (text) {
     try {
-      entries = fs5.readdirSync(resolved, { withFileTypes: true });
+      payload = JSON.parse(text);
     } catch {
-      continue;
-    }
-    for (const entry of entries) {
-      if (entry.isFile() && MANIFEST_NAMES.has(entry.name)) {
-        manifests.push(path4.join(resolved, entry.name));
-        if (manifests.length >= limit) {
-          break;
-        }
-      }
-    }
-    if (depth >= maxDepth) {
-      continue;
-    }
-    for (const entry of entries) {
-      if (!entry.isDirectory() || SKIP_DIRS.has(entry.name)) {
-        continue;
-      }
-      stack.push({ dir: path4.join(resolved, entry.name), depth: depth + 1 });
+      payload = { error: text };
     }
   }
-  return manifests;
-}
-function nearestAgentsAncestor(manifestPath, root) {
-  let current = path4.dirname(manifestPath);
-  const stop = path4.resolve(root);
-  while (current.startsWith(stop)) {
-    if (path4.basename(current).toLowerCase() === "agents") {
-      return current;
-    }
-    const parent = path4.dirname(current);
-    if (parent === current) {
-      break;
-    }
-    current = parent;
+  if (!response.ok) {
+    throw new Error(payload.message || payload.error || `HTTP ${response.status}`);
   }
-  return null;
+  return payload;
 }
-function hasDirectManifest(root) {
-  return [...MANIFEST_NAMES].some((name) => fs5.existsSync(path4.join(root, name)));
+async function createCallbackServer(env) {
+  const port = Number(env.VENDIAN_CLI_OAUTH_REDIRECT_PORT || DEFAULT_OAUTH_REDIRECT_PORT);
+  let server;
+  let settled = false;
+  let timeout;
+  const waitPromise = new Promise((resolve, reject) => {
+    timeout = setTimeout(() => {
+      settled = true;
+      reject(new Error("OAuth login timed out before callback completed"));
+    }, 3e5);
+    server = http.createServer((req, res) => {
+      const url = new URL(req.url || "/", `http://${req.headers.host || "127.0.0.1"}`);
+      const code = url.searchParams.get("code");
+      const state = url.searchParams.get("state");
+      const error = url.searchParams.get("error");
+      const errorDescription = url.searchParams.get("error_description");
+      const body = code ? "Vendian CLI authentication complete. You can close this window." : "Vendian CLI authentication failed. Return to the terminal.";
+      res.writeHead(code ? 200 : 400, {
+        "Content-Type": "text/plain; charset=utf-8",
+        "Content-Length": Buffer.byteLength(body)
+      });
+      res.end(body);
+      clearTimeout(timeout);
+      if (settled) {
+        return;
+      }
+      settled = true;
+      if (error) {
+        const details = errorDescription ? `${error} (${errorDescription})` : error;
+        reject(new Error(`OAuth login failed: ${details}`));
+        return;
+      }
+      if (!code) {
+        reject(new Error("OAuth callback did not include an authorization code"));
+        return;
+      }
+      resolve({ code, state });
+    });
+    server.on("error", reject);
+    server.listen(port, "127.0.0.1");
+  });
+  await new Promise((resolve, reject) => {
+    server.once("listening", resolve);
+    server.once("error", reject);
+  });
+  return {
+    redirectUri: `http://127.0.0.1:${server.address().port}/callback`,
+    wait: () => waitPromise,
+    close: () => new Promise((resolve) => server.close(resolve))
+  };
 }
-function displayPath(target, cwd) {
-  const relative = path4.relative(cwd, target);
-  if (!relative) {
-    return ".";
+function oauthRedirectHint(message, { apiUrl, redirectUri } = {}) {
+  if (!redirectUri) {
+    return "";
   }
-  if (relative.startsWith("..") || path4.isAbsolute(relative)) {
-    return target;
+  const lower = String(message || "").toLowerCase();
+  const looksLikeRedirectMismatch = lower.includes("redirect_uri") || lower.includes("pre-registered redirect") || lower.includes("oauth login timed out before callback completed") || lower.includes("oauth callback did not include an authorization code");
+  if (!looksLikeRedirectMismatch) {
+    return "";
   }
-  return relative.startsWith(".") ? relative : `.${path4.sep}${relative}`;
+  const target = apiUrl || "this backend";
+  return `If Clerk rejected the CLI callback for ${target}, add this redirect URL in Clerk: ${redirectUri}`;
 }
-function commonSearchRoots(home) {
-  if (!home) {
-    return [];
+function openBrowser(url) {
+  const platform = process.platform;
+  if (platform === "win32") {
+    spawnSync3(...buildWindowsOpenCommand(url), { stdio: "ignore", shell: false });
+    return;
   }
-  return [
-    "agents",
-    "Projects",
-    "Code",
-    "Developer",
-    "Documents",
-    "Desktop"
-  ].map((name) => path4.join(home, name));
-}
-function uniqueExistingDirs(paths) {
-  const result = [];
-  const seen = /* @__PURE__ */ new Set();
-  for (const item of paths) {
-    const resolved = safeResolve(item);
-    if (!resolved || seen.has(resolved)) {
-      continue;
-    }
-    try {
-      if (!fs5.statSync(resolved).isDirectory()) {
-        continue;
-      }
-    } catch {
-      continue;
-    }
-    seen.add(resolved);
-    result.push(resolved);
+  if (platform === "darwin") {
+    spawnSync3(...buildMacOpenCommand(url), { stdio: "ignore", shell: false });
+    return;
   }
-  return result;
+  spawnSync3(...buildLinuxOpenCommand(url), { stdio: "ignore", shell: false });
 }
-function parentDirs(start, limit) {
-  const parents = [];
-  let current = path4.resolve(start);
-  for (let index = 0; index < limit; index += 1) {
-    const parent = path4.dirname(current);
-    if (!parent || parent === current) {
-      break;
+function buildWindowsOpenCommand(url) {
+  return ["rundll32.exe", ["url.dll,FileProtocolHandler", String(url)]];
+}
+function buildMacOpenCommand(url) {
+  return ["open", [String(url)]];
+}
+function buildLinuxOpenCommand(url) {
+  return ["xdg-open", [String(url)]];
+}
+function cloudConfigPath(env = process.env, platform = process.platform) {
+  if (env.VENDIAN_CLOUD_CONFIG) {
+    return path5.resolve(env.VENDIAN_CLOUD_CONFIG);
+  }
+  if (platform === "win32") {
+    const root2 = env.APPDATA || path5.join(process.env.USERPROFILE || "", "AppData", "Roaming");
+    return path5.win32.join(root2, "Vendian", "cloud-auth.json");
+  }
+  const root = env.XDG_CONFIG_HOME || path5.join(process.env.HOME || "", ".config");
+  return path5.posix.join(root, "vendian", "cloud-auth.json");
+}
+function saveCloudToken(token, { env = process.env, platform = process.platform } = {}) {
+  const tokenApiUrl = String(token.apiUrl || "").replace(/\/$/, "");
+  let raw = { version: 2, profiles: {}, active_api_url: token.apiUrl };
+  try {
+    const existing = loadCloudConfig(env, platform);
+    if (existing && typeof existing === "object" && existing.profiles && typeof existing.profiles === "object") {
+      raw.profiles = existing.profiles;
     }
-    parents.push(parent);
-    current = parent;
+  } catch {
   }
-  return parents;
+  raw.active_api_url = tokenApiUrl;
+  raw.profiles[tokenApiUrl] = {
+    api_url: tokenApiUrl,
+    access_token: token.accessToken,
+    user_id: token.userId,
+    email: token.email,
+    expires_at: token.expiresAt,
+    scopes: token.scopes,
+    tooling_eligible: token.toolingEligible
+  };
+  return writeCloudConfig(raw, { env, platform });
 }
-function safeResolve(candidate) {
+function writeCloudConfig(raw, { env = process.env, platform = process.platform } = {}) {
+  const file = cloudConfigPath(env, platform);
+  fs6.mkdirSync(path5.dirname(file), { recursive: true });
+  fs6.writeFileSync(file, `${JSON.stringify(raw, null, 2)}
+`, { encoding: "utf8", mode: 384 });
   try {
-    return path4.resolve(candidate);
+    fs6.chmodSync(file, 384);
   } catch {
-    return null;
   }
+  return file;
 }
-// src/dev-server.js
-init_auth();
-init_constants();
-// src/forward.js
-import fs9 from "node:fs";
+var DEFAULT_OAUTH_REDIRECT_PORT;
+var init_auth = __esm({
+  "src/auth.js"() {
+    init_constants();
+    DEFAULT_OAUTH_REDIRECT_PORT = 8765;
+  }
+});
 // src/docs.js
 import fs7 from "node:fs";
 import path6 from "node:path";
-var DOC_WORKSPACES_KEY = "agentDocWorkspaces";
 function pathApi2(platform) {
   return platform === "win32" ? path6.win32 : path6.posix;
 }
@@ -1163,10 +930,24 @@ function refreshAgentDocsWorkspaces({
   saveConfig(next, env, platform);
   return { config: next, refreshed, failed };
 }
+var DOC_WORKSPACES_KEY;
+var init_docs = __esm({
+  "src/docs.js"() {
+    init_config();
+    init_paths();
+    init_process();
+    DOC_WORKSPACES_KEY = "agentDocWorkspaces";
+  }
+});
 // src/setup.js
-init_auth();
-init_constants();
+var setup_exports = {};
+__export(setup_exports, {
+  refreshPackageAccessFromCloudAuth: () => refreshPackageAccessFromCloudAuth,
+  savePackageCredentials: () => savePackageCredentials,
+  setup: () => setup,
+  setupCompletionLines: () => setupCompletionLines
+});
 import fs8 from "node:fs";
 async function setup({
   nonInteractive = false,
@@ -1219,103 +1000,381 @@ async function setup({
   if (!installRegistry.token) {
     throw new Error("Package access is missing. Run interactive `vendian login` to sign in.");
   }
-  const python = findPython(platform);
-  if (!python) {
-    throw new Error("Python 3.11+ was not found. Install Python 3.11 or newer, then rerun `vendian login`.");
+  const python = findPython(platform);
+  if (!python) {
+    throw new Error("Python 3.11+ was not found. Install Python 3.11 or newer, then rerun `vendian login`.");
+  }
+  const venvPath = managedVenvPath(env, platform);
+  console.log(`Managed environment: ${venvPath}`);
+  const pythonPath = ensureVenv(venvPath, python, platform);
+  console.log(`Python: ${pythonVersion(pythonPath) || pythonPath}`);
+  saveConfig(next, env, platform);
+  installVendianPackages({ pythonPath, venvPath, config: next, env, platform });
+  const updated = { ...next, lastManagedUpdateAt: (/* @__PURE__ */ new Date()).toISOString() };
+  refreshAgentDocsWorkspaces({ config: updated, venvPath, env, platform });
+  if (!verifyVendianImports(pythonPath)) {
+    throw new Error("Vendian packages installed, but import verification failed.");
+  }
+  const vendianPath = venvVendian(venvPath, platform);
+  if (!fs8.existsSync(vendianPath)) {
+    throw new Error("Vendian executable was not found after install.");
+  }
+  console.log("");
+  for (const line of setupCompletionLines({ cloudAuthApiUrl, backend, apiUrl })) {
+    console.log(line);
+  }
+}
+function savePackageCredentials(config, packageCredentials, { platform = process.platform } = {}) {
+  if (!packageCredentials?.token) {
+    return false;
+  }
+  config.gitlabHost = packageCredentials.gitlabHost || config.gitlabHost;
+  config.gitlabUsername = packageCredentials.username || config.gitlabUsername;
+  config.sdkPublicProjectId = packageCredentials.sdkProjectId || config.sdkPublicProjectId;
+  config.sdkRuntimeProjectId = packageCredentials.runtimeProjectId || config.sdkRuntimeProjectId;
+  config.vendianAgentsVersion = packageCredentials.vendianAgentsVersion || config.vendianAgentsVersion;
+  config.vendianAgentsRuntimeVersion = packageCredentials.vendianAgentsRuntimeVersion || config.vendianAgentsRuntimeVersion;
+  const secret = savePackageTokenSecret(packageCredentials.token, config, platform);
+  if (secret.ok) {
+    Object.assign(config, secret.config || {});
+    delete config.gitlabToken;
+    console.log("Package access saved.");
+  } else {
+    config.gitlabToken = packageCredentials.token;
+    console.log("Package access saved in the local Vendian CLI config file.");
+  }
+  return true;
+}
+async function refreshPackageAccessFromCloudAuth({
+  config,
+  auth,
+  env = process.env,
+  platform = process.platform,
+  save = true
+} = {}) {
+  const currentConfig = config || loadConfig(env, platform);
+  const registry = registryConfig(currentConfig, env, platform);
+  if (registry.token) {
+    return { config: currentConfig, refreshed: false };
+  }
+  const status = auth || activeCloudAuthStatus({ env, platform });
+  if (!status.authenticated || !status.apiUrl || !status.profile?.access_token) {
+    return { config: currentConfig, refreshed: false };
+  }
+  const packageCredentials = await fetchPackageCredentials({
+    apiUrl: status.apiUrl,
+    accessToken: status.profile.access_token
+  });
+  if (!packageCredentials?.token) {
+    return { config: currentConfig, refreshed: false };
+  }
+  const next = { ...currentConfig };
+  const stored = savePackageCredentials(next, packageCredentials, { platform });
+  if (stored && save) {
+    saveConfig(next, env, platform);
+  }
+  return { config: next, refreshed: stored };
+}
+function setupCompletionLines({ cloudAuthApiUrl, backend, apiUrl } = {}) {
+  const lines = ["Vendian login complete."];
+  if (cloudAuthApiUrl) {
+    lines.push(`Connected to ${cloudAuthApiUrl}.`);
+    lines.push("Next: vendian cloud local serve --agents-dir ./agents");
+    return lines;
+  }
+  lines.push(`Next: ${cloudAuthLoginCommand({ backend, apiUrl })}`);
+  lines.push("Then: vendian cloud local serve --agents-dir ./agents");
+  return lines;
+}
+function cloudAuthLoginCommand({ backend, apiUrl } = {}) {
+  if (apiUrl) {
+    return `vendian cloud auth login --api-url ${apiUrl}`;
+  }
+  if (backend) {
+    return `vendian cloud auth login --backend ${backend}`;
+  }
+  return "vendian cloud auth login";
+}
+var init_setup = __esm({
+  "src/setup.js"() {
+    init_auth();
+    init_constants();
+    init_config();
+    init_docs();
+    init_install();
+    init_paths();
+    init_python();
+    init_secret_store();
+  }
+});
+// src/doctor.js
+init_config();
+init_install();
+init_paths();
+init_python();
+import fs4 from "node:fs";
+function doctor({ env = process.env, platform = process.platform } = {}) {
+  const config = loadConfig(env, platform);
+  const venvPath = managedVenvPath(env, platform);
+  const pythonPath = venvPython(venvPath, platform);
+  const vendianPath = venvVendian(venvPath, platform);
+  const registry = registryConfig(config, env, platform);
+  console.log("Vendian doctor");
+  console.log(`Home: ${venvPath}`);
+  console.log(`System Python 3.11+: ${findPython(platform) ? "yes" : "no"}`);
+  console.log(`uv: ${hasUv() ? "yes" : "no, will use pip fallback"}`);
+  console.log(`Managed Python: ${fs4.existsSync(pythonPath) ? pythonVersion(pythonPath) || "present" : "missing"}`);
+  console.log(`Vendian executable: ${fs4.existsSync(vendianPath) ? vendianPath : "missing"}`);
+  console.log(`Vendian imports: ${fs4.existsSync(pythonPath) && verifyVendianImports(pythonPath) ? "ok" : "missing"}`);
+  console.log(`Package access: ${registry.token ? `configured (${registry.tokenSource})` : "missing"}`);
+}
+// src/dev-server.js
+import http2 from "node:http";
+import fs11 from "node:fs";
+import path8 from "node:path";
+import { fileURLToPath } from "node:url";
+import { spawn as spawn3 } from "node:child_process";
+// src/agent-discovery.js
+import fs5 from "node:fs";
+import os2 from "node:os";
+import path4 from "node:path";
+var SKIP_DIRS = /* @__PURE__ */ new Set([
+  ".agents",
+  ".git",
+  ".hg",
+  ".mypy_cache",
+  ".pytest_cache",
+  ".ruff_cache",
+  ".svn",
+  ".venv",
+  "__pycache__",
+  "build",
+  "dist",
+  "node_modules",
+  "venv"
+]);
+var MANIFEST_NAMES = /* @__PURE__ */ new Set(["manifest.yaml", "manifest.yml"]);
+function findAgentDirectoryCandidates({
+  cwd = process.cwd(),
+  home = os2.homedir(),
+  maxDepth = 6,
+  maxDirs = 1e3,
+  limit = 12
+} = {}) {
+  const start = path4.resolve(cwd);
+  const candidates = [];
+  const seen = /* @__PURE__ */ new Set();
+  function addCandidate(candidatePath) {
+    const resolved = safeResolve(candidatePath);
+    if (!resolved || seen.has(resolved)) {
+      return;
+    }
+    const count = countAgentManifests(resolved, { maxDepth, maxDirs, limit: 100 });
+    if (count < 1) {
+      return;
+    }
+    seen.add(resolved);
+    candidates.push({
+      path: displayPath(resolved, start),
+      absolutePath: resolved,
+      agentCount: count
+    });
+  }
+  addCandidate(path4.join(start, "agents"));
+  if (hasDirectManifest(start)) {
+    addCandidate(start);
+  }
+  for (const parent of parentDirs(start, 3)) {
+    addCandidate(path4.join(parent, "agents"));
   }
-  const venvPath = managedVenvPath(env, platform);
-  console.log(`Managed environment: ${venvPath}`);
-  const pythonPath = ensureVenv(venvPath, python, platform);
-  console.log(`Python: ${pythonVersion(pythonPath) || pythonPath}`);
-  saveConfig(next, env, platform);
-  installVendianPackages({ pythonPath, venvPath, config: next, env, platform });
-  const updated = { ...next, lastManagedUpdateAt: (/* @__PURE__ */ new Date()).toISOString() };
-  refreshAgentDocsWorkspaces({ config: updated, venvPath, env, platform });
-  if (!verifyVendianImports(pythonPath)) {
-    throw new Error("Vendian packages installed, but import verification failed.");
+  const roots = uniqueExistingDirs([
+    start,
+    ...commonSearchRoots(home)
+  ]);
+  for (const root of roots) {
+    for (const manifest of findManifestFiles(root, { maxDepth, maxDirs, limit: 250 })) {
+      const workspace = nearestAgentsAncestor(manifest, root);
+      addCandidate(workspace || path4.dirname(manifest));
+      if (candidates.length >= limit) {
+        return candidates.slice(0, limit);
+      }
+    }
   }
-  const vendianPath = venvVendian(venvPath, platform);
-  if (!fs8.existsSync(vendianPath)) {
-    throw new Error("Vendian executable was not found after install.");
+  return candidates.slice(0, limit);
+}
+function findAgentFolders(root, {
+  cwd = process.cwd(),
+  maxDepth = 6,
+  maxDirs = 1e3,
+  limit = 100
+} = {}) {
+  const start = path4.resolve(cwd);
+  const resolvedRoot = safeResolve(root || ".");
+  if (!resolvedRoot) {
+    return [];
   }
-  console.log("");
-  for (const line of setupCompletionLines({ cloudAuthApiUrl, backend, apiUrl })) {
-    console.log(line);
+  const seen = /* @__PURE__ */ new Set();
+  const folders = [];
+  for (const manifest of findManifestFiles(resolvedRoot, { maxDepth, maxDirs, limit })) {
+    const folder = path4.dirname(manifest);
+    const resolved = safeResolve(folder);
+    if (!resolved || seen.has(resolved)) {
+      continue;
+    }
+    seen.add(resolved);
+    folders.push({
+      path: displayPath(resolved, start),
+      absolutePath: resolved,
+      name: path4.basename(resolved) || displayPath(resolved, start)
+    });
   }
+  return folders.sort((a, b) => a.path.localeCompare(b.path)).slice(0, limit);
 }
-function savePackageCredentials(config, packageCredentials, { platform = process.platform } = {}) {
-  if (!packageCredentials?.token) {
-    return false;
+function countAgentManifests(root, { maxDepth = 6, maxDirs = 1e3, limit = 100 } = {}) {
+  let count = 0;
+  for (const _manifest of findManifestFiles(root, { maxDepth, maxDirs, limit })) {
+    count += 1;
+    if (count >= limit) {
+      return count;
+    }
   }
-  config.gitlabHost = packageCredentials.gitlabHost || config.gitlabHost;
-  config.gitlabUsername = packageCredentials.username || config.gitlabUsername;
-  config.sdkPublicProjectId = packageCredentials.sdkProjectId || config.sdkPublicProjectId;
-  config.sdkRuntimeProjectId = packageCredentials.runtimeProjectId || config.sdkRuntimeProjectId;
-  config.vendianAgentsVersion = packageCredentials.vendianAgentsVersion || config.vendianAgentsVersion;
-  config.vendianAgentsRuntimeVersion = packageCredentials.vendianAgentsRuntimeVersion || config.vendianAgentsRuntimeVersion;
-  const secret = savePackageTokenSecret(packageCredentials.token, config, platform);
-  if (secret.ok) {
-    Object.assign(config, secret.config || {});
-    delete config.gitlabToken;
-    console.log("Package access saved.");
-  } else {
-    config.gitlabToken = packageCredentials.token;
-    console.log("Package access saved in the local Vendian CLI config file.");
+  return count;
+}
+function findManifestFiles(root, { maxDepth, maxDirs, limit }) {
+  const manifests = [];
+  const stack = [{ dir: root, depth: 0 }];
+  const seen = /* @__PURE__ */ new Set();
+  while (stack.length && manifests.length < limit && seen.size < maxDirs) {
+    const { dir, depth } = stack.pop();
+    const resolved = safeResolve(dir);
+    if (!resolved || seen.has(resolved)) {
+      continue;
+    }
+    seen.add(resolved);
+    let entries;
+    try {
+      entries = fs5.readdirSync(resolved, { withFileTypes: true });
+    } catch {
+      continue;
+    }
+    for (const entry of entries) {
+      if (entry.isFile() && MANIFEST_NAMES.has(entry.name)) {
+        manifests.push(path4.join(resolved, entry.name));
+        if (manifests.length >= limit) {
+          break;
+        }
+      }
+    }
+    if (depth >= maxDepth) {
+      continue;
+    }
+    for (const entry of entries) {
+      if (!entry.isDirectory() || SKIP_DIRS.has(entry.name)) {
+        continue;
+      }
+      stack.push({ dir: path4.join(resolved, entry.name), depth: depth + 1 });
+    }
   }
-  return true;
+  return manifests;
 }
-async function refreshPackageAccessFromCloudAuth({
-  config,
-  auth,
-  env = process.env,
-  platform = process.platform,
-  save = true
-} = {}) {
-  const currentConfig = config || loadConfig(env, platform);
-  const registry = registryConfig(currentConfig, env, platform);
-  if (registry.token) {
-    return { config: currentConfig, refreshed: false };
+function nearestAgentsAncestor(manifestPath, root) {
+  let current = path4.dirname(manifestPath);
+  const stop = path4.resolve(root);
+  while (current.startsWith(stop)) {
+    if (path4.basename(current).toLowerCase() === "agents") {
+      return current;
+    }
+    const parent = path4.dirname(current);
+    if (parent === current) {
+      break;
+    }
+    current = parent;
   }
-  const status = auth || activeCloudAuthStatus({ env, platform });
-  if (!status.authenticated || !status.apiUrl || !status.profile?.access_token) {
-    return { config: currentConfig, refreshed: false };
+  return null;
+}
+function hasDirectManifest(root) {
+  return [...MANIFEST_NAMES].some((name) => fs5.existsSync(path4.join(root, name)));
+}
+function displayPath(target, cwd) {
+  const relative = path4.relative(cwd, target);
+  if (!relative) {
+    return ".";
   }
-  const packageCredentials = await fetchPackageCredentials({
-    apiUrl: status.apiUrl,
-    accessToken: status.profile.access_token
-  });
-  if (!packageCredentials?.token) {
-    return { config: currentConfig, refreshed: false };
+  if (relative.startsWith("..") || path4.isAbsolute(relative)) {
+    return target;
   }
-  const next = { ...currentConfig };
-  const stored = savePackageCredentials(next, packageCredentials, { platform });
-  if (stored && save) {
-    saveConfig(next, env, platform);
+  return relative.startsWith(".") ? relative : `.${path4.sep}${relative}`;
+}
+function commonSearchRoots(home) {
+  if (!home) {
+    return [];
   }
-  return { config: next, refreshed: stored };
+  return [
+    "agents",
+    "Projects",
+    "Code",
+    "Developer",
+    "Documents",
+    "Desktop"
+  ].map((name) => path4.join(home, name));
 }
-function setupCompletionLines({ cloudAuthApiUrl, backend, apiUrl } = {}) {
-  const lines = ["Vendian login complete."];
-  if (cloudAuthApiUrl) {
-    lines.push(`Connected to ${cloudAuthApiUrl}.`);
-    lines.push("Next: vendian cloud local serve --agents-dir ./agents");
-    return lines;
+function uniqueExistingDirs(paths) {
+  const result = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const item of paths) {
+    const resolved = safeResolve(item);
+    if (!resolved || seen.has(resolved)) {
+      continue;
+    }
+    try {
+      if (!fs5.statSync(resolved).isDirectory()) {
+        continue;
+      }
+    } catch {
+      continue;
+    }
+    seen.add(resolved);
+    result.push(resolved);
   }
-  lines.push(`Next: ${cloudAuthLoginCommand({ backend, apiUrl })}`);
-  lines.push("Then: vendian cloud local serve --agents-dir ./agents");
-  return lines;
+  return result;
 }
-function cloudAuthLoginCommand({ backend, apiUrl } = {}) {
-  if (apiUrl) {
-    return `vendian cloud auth login --api-url ${apiUrl}`;
+function parentDirs(start, limit) {
+  const parents = [];
+  let current = path4.resolve(start);
+  for (let index = 0; index < limit; index += 1) {
+    const parent = path4.dirname(current);
+    if (!parent || parent === current) {
+      break;
+    }
+    parents.push(parent);
+    current = parent;
   }
-  if (backend) {
-    return `vendian cloud auth login --backend ${backend}`;
+  return parents;
+}
+function safeResolve(candidate) {
+  try {
+    return path4.resolve(candidate);
+  } catch {
+    return null;
   }
-  return "vendian cloud auth login";
 }
+// src/dev-server.js
+init_auth();
+init_constants();
+init_config();
 // src/forward.js
+init_config();
+init_docs();
+init_install();
+init_paths();
+init_process();
+init_setup();
+import fs9 from "node:fs";
 var AUTO_UPDATE_INTERVAL_MS = 24 * 60 * 60 * 1e3;
 async function forwardToPythonVendian(args, { env = process.env, platform = process.platform } = {}) {
   const invocation = await preparePythonVendianInvocation(args, { env, platform });
@@ -1446,7 +1505,12 @@ function reportProgress(onProgress, message) {
   }
 }
+// src/dev-server.js
+init_process();
+init_paths();
 // src/workspaces.js
+init_process();
 async function listCloudWorkspaces({
   env = process.env,
   platform = process.platform,
@@ -2296,6 +2360,7 @@ function formatSeconds(value) {
 }
 // src/serve-log-store.js
+init_paths();
 import crypto2 from "node:crypto";
 import fs10 from "node:fs";
 import path7 from "node:path";
@@ -2435,7 +2500,7 @@ function buildLocalServeEventStreamArgs({ agentsDir: agentsDir2 = "./agents", co
 }
 // src/version.js
-var CLI_VERSION = true ? "0.0.41" : process.env.npm_package_version || "0.0.0-dev";
+var CLI_VERSION = true ? "0.0.42" : process.env.npm_package_version || "0.0.0-dev";
 // src/dev-server.js
 var __dirname = path8.dirname(fileURLToPath(import.meta.url));
@@ -2572,6 +2637,8 @@ async function handleApi(req, res, pathname, parsed) {
           return apiServeStop(req, res);
         case "/api/create":
           return await apiCreate(req, res, body);
+        case "/api/auth/login":
+          return await apiAuthLogin(req, res, body);
         case "/api/auth/switch":
           return await apiAuthSwitch(req, res, body);
         default:
@@ -2738,6 +2805,36 @@ async function apiAuthSwitch(req, res, body) {
     jsonResponse(res, { ok: false, error: err.message });
   }
 }
+async function loginOrActivateBackend({ backend, env, setupFn, statusFn, activateFn } = {}) {
+  if (!backend || !BACKEND_TARGETS[backend]) {
+    return { ok: false, error: `Unknown backend: ${backend}` };
+  }
+  const authEnv = { ...env || process.env, VENDIAN_API_URL: "" };
+  const readStatus = statusFn || cloudAuthStatus;
+  const activate = activateFn || activateCloudProfile;
+  const status = readStatus({ backend, env: authEnv });
+  if (status.authenticated) {
+    const result = activate({ backend, env: authEnv });
+    if (result?.activated) {
+      return { ok: true, switched: true, backend };
+    }
+  }
+  const runSetup = setupFn || (async (options) => {
+    const { setup: setup2 } = await Promise.resolve().then(() => (init_setup(), setup_exports));
+    return setup2(options);
+  });
+  await runSetup({ backend, forceAuth: true });
+  return { ok: true, loggedIn: true, backend };
+}
+async function apiAuthLogin(req, res, body) {
+  try {
+    const result = await loginOrActivateBackend({ backend: body.backend });
+    const status = result.ok ? 200 : 400;
+    jsonResponse(res, result, status);
+  } catch (err) {
+    jsonResponse(res, { ok: false, error: err.message || "Login failed" }, 500);
+  }
+}
 async function apiValidate(req, res, body) {
   const targetPath = body.path || agentsDir;
   const invocation = await preparePythonVendianInvocation(
@@ -3026,16 +3123,27 @@ function openUrl(url) {
   spawn3(shell || cmd, shell ? args : [url], { detached: true, stdio: "ignore" }).unref();
 }
+// src/main.js
+init_setup();
 // src/tui.js
 init_constants();
 init_auth();
+init_config();
 import fs12 from "node:fs";
 import path9 from "node:path";
 import readline from "node:readline";
+init_install();
 // src/npm-update.js
+init_config();
 var NPM_CHECK_INTERVAL_MS = 30 * 60 * 1e3;
+// src/tui.js
+init_paths();
+init_setup();
+init_process();
 // src/ui/figures.js
 var supportsUnicode = process.platform !== "win32" || Boolean(
   process.env.WT_SESSION || // Windows Terminal