npm - @vendian/cli - Versions diffs - 0.0.41 → 0.0.43 - Mend

@vendian/cli 0.0.41 → 0.0.43

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/cli-wrapper.mjs CHANGED Viewed

@@ -33,611 +33,256 @@ var init_constants = __esm({
   }
 });
-// src/auth.js
-var auth_exports = {};
-__export(auth_exports, {
-  activateCloudProfile: () => activateCloudProfile,
-  activeCloudAuthStatus: () => activeCloudAuthStatus,
-  buildLinuxOpenCommand: () => buildLinuxOpenCommand,
-  buildMacOpenCommand: () => buildMacOpenCommand,
-  buildWindowsOpenCommand: () => buildWindowsOpenCommand,
-  cloudAuthStatus: () => cloudAuthStatus,
-  cloudConfigPath: () => cloudConfigPath,
-  defaultOAuthRedirectUri: () => defaultOAuthRedirectUri,
-  fetchPackageCredentials: () => fetchPackageCredentials,
-  formatOAuthError: () => formatOAuthError,
-  loadCloudConfig: () => loadCloudConfig,
-  loginWithVendianOAuth: () => loginWithVendianOAuth,
-  resolveApiUrl: () => resolveApiUrl,
-  saveCloudToken: () => saveCloudToken
-});
-import crypto from "node:crypto";
-import http from "node:http";
-import fs6 from "node:fs";
-import path5 from "node:path";
-import { spawnSync as spawnSync3 } from "node:child_process";
-function resolveApiUrl({ backend, apiUrl, env = process.env } = {}) {
-  if (apiUrl) {
-    return apiUrl.replace(/\/$/, "");
+// src/paths.js
+import os from "node:os";
+import path from "node:path";
+function pathApi(platform) {
+  return platform === "win32" ? path.win32 : path.posix;
+}
+function homeDir(env, platform) {
+  if (platform === "win32") {
+    return env.USERPROFILE || os.homedir();
   }
-  if (env.VENDIAN_API_URL) {
-    return env.VENDIAN_API_URL.replace(/\/$/, "");
+  return env.HOME || os.homedir();
+}
+function vendianHome(env = process.env, platform = process.platform) {
+  if (env.VENDIAN_CLI_HOME) {
+    return pathApi(platform).resolve(env.VENDIAN_CLI_HOME);
   }
-  const target = backend || "prod";
-  const resolved = BACKEND_TARGETS[target];
-  if (!resolved) {
-    throw new Error(`Unknown Vendian backend '${target}'. Use local, dev, staging, prod, or --api-url.`);
+  if (platform === "win32") {
+    const root = env.LOCALAPPDATA || path.win32.join(homeDir(env, platform), "AppData", "Local");
+    return path.win32.join(root, "Vendian", "cli");
   }
-  return resolved;
+  return path.posix.join(homeDir(env, platform), ".vendian", "cli");
 }
-async function loginWithVendianOAuth({ backend, apiUrl, noBrowser = false, env = process.env } = {}) {
-  const resolvedApiUrl = resolveApiUrl({ backend, apiUrl, env });
-  const callback = await createCallbackServer(env);
-  try {
-    const config = await getOAuthConfig(resolvedApiUrl, callback.redirectUri);
-    const codeVerifier = crypto.randomBytes(48).toString("base64url");
-    const codeChallenge = crypto.createHash("sha256").update(codeVerifier).digest("base64url");
-    const state = crypto.randomBytes(18).toString("base64url");
-    const authorizationUrl = authorizationUrlFor(config, { state, codeChallenge });
-    if (noBrowser) {
-      console.error(`Open this URL to authenticate the CLI: ${authorizationUrl}`);
-    } else {
-      openBrowser(authorizationUrl);
-    }
-    const callbackResult = await callback.wait();
-    if (callbackResult.state !== state) {
-      throw new Error("OAuth state mismatch");
-    }
-    const clerkToken = await exchangeCodeForClerkToken(config, callbackResult.code, codeVerifier, callback.redirectUri);
-    const exchange = await postJson(`${resolvedApiUrl}/api/v1/cli/auth/oauth/exchange`, {
-      clerkToken
-    });
-    return { apiUrl: resolvedApiUrl, ...exchange };
-  } catch (error) {
-    throw new Error(formatOAuthError(error, {
-      apiUrl: resolvedApiUrl,
-      redirectUri: callback.redirectUri
-    }), { cause: error });
-  } finally {
-    await callback.close();
+function configPath(env = process.env, platform = process.platform) {
+  if (env.VENDIAN_CLI_CONFIG) {
+    return pathApi(platform).resolve(env.VENDIAN_CLI_CONFIG);
   }
+  return pathApi(platform).join(vendianHome(env, platform), "config.json");
 }
-async function fetchPackageCredentials({ apiUrl, accessToken }) {
-  if (!apiUrl || !accessToken) {
-    return void 0;
+function managedVenvPath(env = process.env, platform = process.platform) {
+  if (env.VENDIAN_CLI_VENV) {
+    return pathApi(platform).resolve(env.VENDIAN_CLI_VENV);
   }
-  const payload = await getJson(`${String(apiUrl).replace(/\/$/, "")}/api/v1/cli/package-credentials`, {
-    Authorization: `Bearer ${accessToken}`
-  });
-  return payload.packageCredentials;
+  return pathApi(platform).join(vendianHome(env, platform), ".venv");
 }
-function loadCloudConfig(env = process.env, platform = process.platform) {
-  const file = cloudConfigPath(env, platform);
+function venvPython(venvPath, platform = process.platform) {
+  return platform === "win32" ? path.win32.join(venvPath, "Scripts", "python.exe") : path.posix.join(venvPath, "bin", "python");
+}
+function venvVendian(venvPath, platform = process.platform) {
+  return platform === "win32" ? path.win32.join(venvPath, "Scripts", "vendian.exe") : path.posix.join(venvPath, "bin", "vendian");
+}
+var init_paths = __esm({
+  "src/paths.js"() {
+  }
+});
+// src/config.js
+import fs from "node:fs";
+import path2 from "node:path";
+function loadConfig(env = process.env, platform = process.platform) {
+  const file = configPath(env, platform);
   try {
-    const parsed = JSON.parse(fs6.readFileSync(file, "utf8"));
-    return parsed && typeof parsed === "object" ? parsed : {};
-  } catch {
+    const parsed = JSON.parse(fs.readFileSync(file, "utf8"));
+    return typeof parsed === "object" && parsed !== null ? parsed : {};
+  } catch (error) {
+    if (error && error.code === "ENOENT") {
+      return {};
+    }
     return {};
   }
 }
-function cloudAuthStatus({ backend, apiUrl, env = process.env, platform = process.platform } = {}) {
-  const targetApiUrl = resolveApiUrl({ backend, apiUrl, env });
-  const config = loadCloudConfig(env, platform);
-  const profiles = config.profiles && typeof config.profiles === "object" ? config.profiles : {};
-  const profile = profiles[targetApiUrl];
-  return {
-    apiUrl: targetApiUrl,
-    activeApiUrl: typeof config.active_api_url === "string" ? config.active_api_url : void 0,
-    profile: profile && typeof profile === "object" ? profile : void 0,
-    authenticated: Boolean(profile?.access_token),
-    email: typeof profile?.email === "string" ? profile.email : void 0,
-    expiresAt: typeof profile?.expires_at === "string" ? profile.expires_at : void 0,
-    profiles
-  };
-}
-function activeCloudAuthStatus({ env = process.env, platform = process.platform } = {}) {
-  const config = loadCloudConfig(env, platform);
-  const profiles = config.profiles && typeof config.profiles === "object" ? config.profiles : {};
-  const apiUrl = typeof config.active_api_url === "string" ? config.active_api_url : void 0;
-  const profile = apiUrl ? profiles[apiUrl] : void 0;
-  return {
-    apiUrl,
-    activeApiUrl: apiUrl,
-    profile: profile && typeof profile === "object" ? profile : void 0,
-    authenticated: Boolean(profile?.access_token),
-    email: typeof profile?.email === "string" ? profile.email : void 0,
-    expiresAt: typeof profile?.expires_at === "string" ? profile.expires_at : void 0,
-    profiles
-  };
+function saveConfig(config, env = process.env, platform = process.platform) {
+  const file = configPath(env, platform);
+  fs.mkdirSync(path2.dirname(file), { recursive: true });
+  const next = { version: CONFIG_VERSION, ...config };
+  fs.writeFileSync(file, `${JSON.stringify(next, null, 2)}
+`, { encoding: "utf8", mode: 384 });
+  try {
+    fs.chmodSync(file, 384);
+  } catch {
+  }
+  return file;
 }
-function activateCloudProfile({ backend, apiUrl, env = process.env, platform = process.platform } = {}) {
-  const targetApiUrl = resolveApiUrl({ backend, apiUrl, env });
-  const config = loadCloudConfig(env, platform);
-  const profiles = config.profiles && typeof config.profiles === "object" ? config.profiles : {};
-  const profile = profiles[targetApiUrl];
-  if (!profile || typeof profile !== "object" || !profile.access_token) {
-    return {
-      apiUrl: targetApiUrl,
-      activeApiUrl: typeof config.active_api_url === "string" ? config.active_api_url : void 0,
-      authenticated: false,
-      activated: false,
-      profiles
-    };
+var init_config = __esm({
+  "src/config.js"() {
+    init_constants();
+    init_paths();
   }
-  const next = {
-    ...config,
-    version: config.version || 2,
-    profiles,
-    active_api_url: targetApiUrl
-  };
-  writeCloudConfig(next, { env, platform });
+});
+// src/process.js
+import { spawn, spawnSync } from "node:child_process";
+function commandExists(command) {
+  const result = spawnSync(command, ["--version"], { stdio: "ignore", shell: false });
+  return result.status === 0;
+}
+function runCapture(command, args, options = {}) {
+  const result = spawnSync(command, args, {
+    encoding: "utf8",
+    shell: false,
+    ...options
+  });
+  const errorMessage = result.error && typeof result.error.message === "string" ? result.error.message : "";
   return {
-    apiUrl: targetApiUrl,
-    activeApiUrl: targetApiUrl,
-    profile,
-    authenticated: true,
-    activated: true,
-    email: typeof profile.email === "string" ? profile.email : void 0,
-    expiresAt: typeof profile.expires_at === "string" ? profile.expires_at : void 0,
-    profiles
+    ok: !result.error && result.status === 0,
+    status: result.status ?? 1,
+    stdout: result.stdout || "",
+    stderr: result.stderr || errorMessage
   };
 }
-function defaultOAuthRedirectUri(env = process.env) {
-  const port = Number(env.VENDIAN_CLI_OAUTH_REDIRECT_PORT || DEFAULT_OAUTH_REDIRECT_PORT);
-  return `http://127.0.0.1:${port}/callback`;
-}
-function formatOAuthError(error, { apiUrl, redirectUri } = {}) {
-  const message = error && typeof error.message === "string" ? error.message : String(error || "OAuth login failed");
-  const hint = oauthRedirectHint(message, { apiUrl, redirectUri });
-  return hint ? `${message}
-${hint}` : message;
-}
-async function getOAuthConfig(apiUrl, redirectUri) {
-  const url = new URL(`${apiUrl}/api/v1/cli/auth/oauth/config`);
-  url.searchParams.set("redirectUri", redirectUri);
-  return getJson(url);
-}
-function authorizationUrlFor(config, { state, codeChallenge }) {
-  const url = new URL(String(config.authorizationUrl));
-  url.searchParams.set("response_type", "code");
-  url.searchParams.set("client_id", String(config.clientId));
-  url.searchParams.set("redirect_uri", String(config.redirectUri));
-  url.searchParams.set("scope", String(config.scopes || "email profile"));
-  url.searchParams.set("state", state);
-  url.searchParams.set("code_challenge", codeChallenge);
-  url.searchParams.set("code_challenge_method", "S256");
-  return url.toString();
-}
-async function exchangeCodeForClerkToken(config, code, codeVerifier, redirectUri) {
-  const body = new URLSearchParams({
-    grant_type: "authorization_code",
-    client_id: String(config.clientId),
-    code,
-    redirect_uri: redirectUri,
-    code_verifier: codeVerifier
+function runInherit(command, args, options = {}) {
+  const result = spawnSync(command, args, {
+    stdio: "inherit",
+    shell: false,
+    ...options
   });
-  const payload = await postForm(String(config.tokenUrl), body);
-  const token = payload.access_token || payload.id_token;
-  if (!token) {
-    throw new Error("OAuth token exchange did not return a Clerk token");
+  if (result.error) {
+    throw result.error;
   }
-  return String(token);
+  return result.status ?? 1;
 }
-async function getJson(url, headers = {}) {
-  const response = await fetch(url, { headers: { Accept: "application/json", ...headers } });
-  return decodeResponse(response);
-}
-async function postJson(url, body) {
-  const response = await fetch(url, {
-    method: "POST",
-    headers: { Accept: "application/json", "Content-Type": "application/json" },
-    body: JSON.stringify(body)
+function spawnForward(command, args, options = {}) {
+  return new Promise((resolve, reject) => {
+    const child = spawn(command, args, {
+      stdio: "inherit",
+      shell: false,
+      ...options
+    });
+    child.on("error", reject);
+    child.on("exit", (code, signal) => {
+      if (signal) {
+        reject(new Error(`command terminated by ${signal}`));
+        return;
+      }
+      resolve(code ?? 1);
+    });
   });
-  return decodeResponse(response);
 }
-async function postForm(url, body) {
-  const response = await fetch(url, {
-    method: "POST",
-    headers: { Accept: "application/json", "Content-Type": "application/x-www-form-urlencoded" },
-    body
-  });
-  return decodeResponse(response);
+function childProcessIsRunning(child) {
+  return Boolean(child) && child.exitCode == null && child.signalCode == null;
 }
-async function decodeResponse(response) {
-  const text = await response.text();
-  let payload = {};
-  if (text) {
+function killProcessTree(child, {
+  platform = process.platform,
+  signal = "SIGTERM",
+  spawnSyncFn = spawnSync
+} = {}) {
+  if (!childProcessIsRunning(child)) return false;
+  if (platform === "win32") {
     try {
-      payload = JSON.parse(text);
+      spawnSyncFn("taskkill", ["/F", "/T", "/PID", String(child.pid)], { stdio: "ignore" });
     } catch {
-      payload = { error: text };
     }
+    return true;
   }
-  if (!response.ok) {
-    throw new Error(payload.message || payload.error || `HTTP ${response.status}`);
+  try {
+    child.kill(signal);
+    return true;
+  } catch {
+    return false;
   }
-  return payload;
-}
-async function createCallbackServer(env) {
-  const port = Number(env.VENDIAN_CLI_OAUTH_REDIRECT_PORT || DEFAULT_OAUTH_REDIRECT_PORT);
-  let server;
-  let settled = false;
-  let timeout;
-  const waitPromise = new Promise((resolve, reject) => {
-    timeout = setTimeout(() => {
-      settled = true;
-      reject(new Error("OAuth login timed out before callback completed"));
-    }, 3e5);
-    server = http.createServer((req, res) => {
-      const url = new URL(req.url || "/", `http://${req.headers.host || "127.0.0.1"}`);
-      const code = url.searchParams.get("code");
-      const state = url.searchParams.get("state");
-      const error = url.searchParams.get("error");
-      const errorDescription = url.searchParams.get("error_description");
-      const body = code ? "Vendian CLI authentication complete. You can close this window." : "Vendian CLI authentication failed. Return to the terminal.";
-      res.writeHead(code ? 200 : 400, {
-        "Content-Type": "text/plain; charset=utf-8",
-        "Content-Length": Buffer.byteLength(body)
-      });
-      res.end(body);
-      clearTimeout(timeout);
-      if (settled) {
-        return;
-      }
-      settled = true;
-      if (error) {
-        const details = errorDescription ? `${error} (${errorDescription})` : error;
-        reject(new Error(`OAuth login failed: ${details}`));
-        return;
-      }
-      if (!code) {
-        reject(new Error("OAuth callback did not include an authorization code"));
-        return;
-      }
-      resolve({ code, state });
-    });
-    server.on("error", reject);
-    server.listen(port, "127.0.0.1");
-  });
-  await new Promise((resolve, reject) => {
-    server.once("listening", resolve);
-    server.once("error", reject);
-  });
-  return {
-    redirectUri: `http://127.0.0.1:${server.address().port}/callback`,
-    wait: () => waitPromise,
-    close: () => new Promise((resolve) => server.close(resolve))
-  };
 }
-function oauthRedirectHint(message, { apiUrl, redirectUri } = {}) {
-  if (!redirectUri) {
-    return "";
-  }
-  const lower = String(message || "").toLowerCase();
-  const looksLikeRedirectMismatch = lower.includes("redirect_uri") || lower.includes("pre-registered redirect") || lower.includes("oauth login timed out before callback completed") || lower.includes("oauth callback did not include an authorization code");
-  if (!looksLikeRedirectMismatch) {
-    return "";
+var init_process = __esm({
+  "src/process.js"() {
   }
-  const target = apiUrl || "this backend";
-  return `If Clerk rejected the CLI callback for ${target}, add this redirect URL in Clerk: ${redirectUri}`;
-}
-function openBrowser(url) {
-  const platform = process.platform;
+});
+// src/python.js
+import fs2 from "node:fs";
+function pythonCandidates(platform = process.platform) {
   if (platform === "win32") {
-    spawnSync3(...buildWindowsOpenCommand(url), { stdio: "ignore", shell: false });
-    return;
+    return [
+      { command: "py", args: ["-3.11"] },
+      { command: "python", args: [] },
+      { command: "python3", args: [] }
+    ];
   }
   if (platform === "darwin") {
-    spawnSync3(...buildMacOpenCommand(url), { stdio: "ignore", shell: false });
-    return;
+    return [
+      { command: "/opt/homebrew/bin/python3.12", args: [] },
+      { command: "/opt/homebrew/bin/python3.11", args: [] },
+      { command: "/usr/local/bin/python3.12", args: [] },
+      { command: "/usr/local/bin/python3.11", args: [] },
+      { command: "python3.12", args: [] },
+      { command: "python3.11", args: [] },
+      { command: "python3", args: [] },
+      { command: "python", args: [] }
+    ];
   }
-  spawnSync3(...buildLinuxOpenCommand(url), { stdio: "ignore", shell: false });
-}
-function buildWindowsOpenCommand(url) {
-  return ["rundll32.exe", ["url.dll,FileProtocolHandler", String(url)]];
-}
-function buildMacOpenCommand(url) {
-  return ["open", [String(url)]];
+  return [
+    { command: "python3.12", args: [] },
+    { command: "python3.11", args: [] },
+    { command: "python3", args: [] },
+    { command: "python", args: [] }
+  ];
 }
-function buildLinuxOpenCommand(url) {
-  return ["xdg-open", [String(url)]];
+function findPython(platform = process.platform) {
+  const candidates = pythonCandidates(platform);
+  for (const candidate of candidates) {
+    const version = runCapture(candidate.command, [
+      ...candidate.args,
+      "-c",
+      'import sys; print(f"{sys.version_info.major}.{sys.version_info.minor}.{sys.version_info.micro}")'
+    ]);
+    if (!version.ok) {
+      continue;
+    }
+    const match = version.stdout.trim().match(/^(\d+)\.(\d+)\./);
+    if (!match) {
+      continue;
+    }
+    const major = Number(match[1]);
+    const minor = Number(match[2]);
+    if (major > 3 || major === 3 && minor >= 11) {
+      return candidate;
+    }
+  }
+  return null;
 }
-function cloudConfigPath(env = process.env, platform = process.platform) {
-  if (env.VENDIAN_CLOUD_CONFIG) {
-    return path5.resolve(env.VENDIAN_CLOUD_CONFIG);
+function ensureVenv(venvPath, pythonCandidate, platform = process.platform) {
+  const pythonPath = venvPython(venvPath, platform);
+  if (fs2.existsSync(pythonPath)) {
+    return pythonPath;
   }
-  if (platform === "win32") {
-    const root2 = env.APPDATA || path5.join(process.env.USERPROFILE || "", "AppData", "Roaming");
-    return path5.win32.join(root2, "Vendian", "cloud-auth.json");
+  fs2.mkdirSync(venvPath, { recursive: true });
+  const status = runInherit(pythonCandidate.command, [
+    ...pythonCandidate.args,
+    "-m",
+    "venv",
+    venvPath
+  ]);
+  if (status !== 0) {
+    throw new Error("Could not create the managed Vendian Python environment.");
   }
-  const root = env.XDG_CONFIG_HOME || path5.join(process.env.HOME || "", ".config");
-  return path5.posix.join(root, "vendian", "cloud-auth.json");
+  return pythonPath;
 }
-function saveCloudToken(token, { env = process.env, platform = process.platform } = {}) {
-  const tokenApiUrl = String(token.apiUrl || "").replace(/\/$/, "");
-  let raw = { version: 2, profiles: {}, active_api_url: token.apiUrl };
-  try {
-    const existing = loadCloudConfig(env, platform);
-    if (existing && typeof existing === "object" && existing.profiles && typeof existing.profiles === "object") {
-      raw.profiles = existing.profiles;
-    }
-  } catch {
-  }
-  raw.active_api_url = tokenApiUrl;
-  raw.profiles[tokenApiUrl] = {
-    api_url: tokenApiUrl,
-    access_token: token.accessToken,
-    user_id: token.userId,
-    email: token.email,
-    expires_at: token.expiresAt,
-    scopes: token.scopes,
-    tooling_eligible: token.toolingEligible
-  };
-  return writeCloudConfig(raw, { env, platform });
+function hasUv() {
+  return commandExists("uv");
 }
-function writeCloudConfig(raw, { env = process.env, platform = process.platform } = {}) {
-  const file = cloudConfigPath(env, platform);
-  fs6.mkdirSync(path5.dirname(file), { recursive: true });
-  fs6.writeFileSync(file, `${JSON.stringify(raw, null, 2)}
-`, { encoding: "utf8", mode: 384 });
-  try {
-    fs6.chmodSync(file, 384);
-  } catch {
-  }
-  return file;
+function pythonVersion(pythonPath) {
+  const result = runCapture(pythonPath, [
+    "-c",
+    'import sys; print(f"{sys.version_info.major}.{sys.version_info.minor}.{sys.version_info.micro}")'
+  ]);
+  return result.ok ? result.stdout.trim() : null;
 }
-var DEFAULT_OAUTH_REDIRECT_PORT;
-var init_auth = __esm({
-  "src/auth.js"() {
-    init_constants();
-    DEFAULT_OAUTH_REDIRECT_PORT = 8765;
+function verifyVendianImports(pythonPath) {
+  const result = runCapture(pythonPath, [
+    "-c",
+    'import vendian_agents, vendian_agents_runtime; print("ok")'
+  ]);
+  return result.ok;
+}
+var init_python = __esm({
+  "src/python.js"() {
+    init_process();
+    init_paths();
   }
 });
-// src/doctor.js
-import fs4 from "node:fs";
-// src/config.js
-init_constants();
-import fs from "node:fs";
-import path2 from "node:path";
-// src/paths.js
-import os from "node:os";
-import path from "node:path";
-function pathApi(platform) {
-  return platform === "win32" ? path.win32 : path.posix;
-}
-function homeDir(env, platform) {
-  if (platform === "win32") {
-    return env.USERPROFILE || os.homedir();
-  }
-  return env.HOME || os.homedir();
-}
-function vendianHome(env = process.env, platform = process.platform) {
-  if (env.VENDIAN_CLI_HOME) {
-    return pathApi(platform).resolve(env.VENDIAN_CLI_HOME);
-  }
-  if (platform === "win32") {
-    const root = env.LOCALAPPDATA || path.win32.join(homeDir(env, platform), "AppData", "Local");
-    return path.win32.join(root, "Vendian", "cli");
-  }
-  return path.posix.join(homeDir(env, platform), ".vendian", "cli");
-}
-function configPath(env = process.env, platform = process.platform) {
-  if (env.VENDIAN_CLI_CONFIG) {
-    return pathApi(platform).resolve(env.VENDIAN_CLI_CONFIG);
-  }
-  return pathApi(platform).join(vendianHome(env, platform), "config.json");
-}
-function managedVenvPath(env = process.env, platform = process.platform) {
-  if (env.VENDIAN_CLI_VENV) {
-    return pathApi(platform).resolve(env.VENDIAN_CLI_VENV);
-  }
-  return pathApi(platform).join(vendianHome(env, platform), ".venv");
-}
-function venvPython(venvPath, platform = process.platform) {
-  return platform === "win32" ? path.win32.join(venvPath, "Scripts", "python.exe") : path.posix.join(venvPath, "bin", "python");
-}
-function venvVendian(venvPath, platform = process.platform) {
-  return platform === "win32" ? path.win32.join(venvPath, "Scripts", "vendian.exe") : path.posix.join(venvPath, "bin", "vendian");
-}
-// src/config.js
-function loadConfig(env = process.env, platform = process.platform) {
-  const file = configPath(env, platform);
-  try {
-    const parsed = JSON.parse(fs.readFileSync(file, "utf8"));
-    return typeof parsed === "object" && parsed !== null ? parsed : {};
-  } catch (error) {
-    if (error && error.code === "ENOENT") {
-      return {};
-    }
-    return {};
-  }
-}
-function saveConfig(config, env = process.env, platform = process.platform) {
-  const file = configPath(env, platform);
-  fs.mkdirSync(path2.dirname(file), { recursive: true });
-  const next = { version: CONFIG_VERSION, ...config };
-  fs.writeFileSync(file, `${JSON.stringify(next, null, 2)}
-`, { encoding: "utf8", mode: 384 });
-  try {
-    fs.chmodSync(file, 384);
-  } catch {
-  }
-  return file;
-}
-// src/install.js
-init_constants();
-import fs3 from "node:fs";
-import path3 from "node:path";
-// src/process.js
-import { spawn, spawnSync } from "node:child_process";
-function commandExists(command) {
-  const result = spawnSync(command, ["--version"], { stdio: "ignore", shell: false });
-  return result.status === 0;
-}
-function runCapture(command, args, options = {}) {
-  const result = spawnSync(command, args, {
-    encoding: "utf8",
-    shell: false,
-    ...options
-  });
-  const errorMessage = result.error && typeof result.error.message === "string" ? result.error.message : "";
-  return {
-    ok: !result.error && result.status === 0,
-    status: result.status ?? 1,
-    stdout: result.stdout || "",
-    stderr: result.stderr || errorMessage
-  };
-}
-function runInherit(command, args, options = {}) {
-  const result = spawnSync(command, args, {
-    stdio: "inherit",
-    shell: false,
-    ...options
-  });
-  if (result.error) {
-    throw result.error;
-  }
-  return result.status ?? 1;
-}
-function spawnForward(command, args, options = {}) {
-  return new Promise((resolve, reject) => {
-    const child = spawn(command, args, {
-      stdio: "inherit",
-      shell: false,
-      ...options
-    });
-    child.on("error", reject);
-    child.on("exit", (code, signal) => {
-      if (signal) {
-        reject(new Error(`command terminated by ${signal}`));
-        return;
-      }
-      resolve(code ?? 1);
-    });
-  });
-}
-function childProcessIsRunning(child) {
-  return Boolean(child) && child.exitCode == null && child.signalCode == null;
-}
-function killProcessTree(child, {
-  platform = process.platform,
-  signal = "SIGTERM",
-  spawnSyncFn = spawnSync
-} = {}) {
-  if (!childProcessIsRunning(child)) return false;
-  if (platform === "win32") {
-    try {
-      spawnSyncFn("taskkill", ["/F", "/T", "/PID", String(child.pid)], { stdio: "ignore" });
-    } catch {
-    }
-    return true;
-  }
-  try {
-    child.kill(signal);
-    return true;
-  } catch {
-    return false;
-  }
-}
-// src/python.js
-import fs2 from "node:fs";
-function pythonCandidates(platform = process.platform) {
-  if (platform === "win32") {
-    return [
-      { command: "py", args: ["-3.11"] },
-      { command: "python", args: [] },
-      { command: "python3", args: [] }
-    ];
-  }
-  if (platform === "darwin") {
-    return [
-      { command: "/opt/homebrew/bin/python3.12", args: [] },
-      { command: "/opt/homebrew/bin/python3.11", args: [] },
-      { command: "/usr/local/bin/python3.12", args: [] },
-      { command: "/usr/local/bin/python3.11", args: [] },
-      { command: "python3.12", args: [] },
-      { command: "python3.11", args: [] },
-      { command: "python3", args: [] },
-      { command: "python", args: [] }
-    ];
-  }
-  return [
-    { command: "python3.12", args: [] },
-    { command: "python3.11", args: [] },
-    { command: "python3", args: [] },
-    { command: "python", args: [] }
-  ];
-}
-function findPython(platform = process.platform) {
-  const candidates = pythonCandidates(platform);
-  for (const candidate of candidates) {
-    const version = runCapture(candidate.command, [
-      ...candidate.args,
-      "-c",
-      'import sys; print(f"{sys.version_info.major}.{sys.version_info.minor}.{sys.version_info.micro}")'
-    ]);
-    if (!version.ok) {
-      continue;
-    }
-    const match = version.stdout.trim().match(/^(\d+)\.(\d+)\./);
-    if (!match) {
-      continue;
-    }
-    const major = Number(match[1]);
-    const minor = Number(match[2]);
-    if (major > 3 || major === 3 && minor >= 11) {
-      return candidate;
-    }
-  }
-  return null;
-}
-function ensureVenv(venvPath, pythonCandidate, platform = process.platform) {
-  const pythonPath = venvPython(venvPath, platform);
-  if (fs2.existsSync(pythonPath)) {
-    return pythonPath;
-  }
-  fs2.mkdirSync(venvPath, { recursive: true });
-  const status = runInherit(pythonCandidate.command, [
-    ...pythonCandidate.args,
-    "-m",
-    "venv",
-    venvPath
-  ]);
-  if (status !== 0) {
-    throw new Error("Could not create the managed Vendian Python environment.");
-  }
-  return pythonPath;
-}
-function hasUv() {
-  return commandExists("uv");
-}
-function pythonVersion(pythonPath) {
-  const result = runCapture(pythonPath, [
-    "-c",
-    'import sys; print(f"{sys.version_info.major}.{sys.version_info.minor}.{sys.version_info.micro}")'
-  ]);
-  return result.ok ? result.stdout.trim() : null;
-}
-function verifyVendianImports(pythonPath) {
-  const result = runCapture(pythonPath, [
-    "-c",
-    'import vendian_agents, vendian_agents_runtime; print("ok")'
-  ]);
-  return result.ok;
-}
 // src/secret-store.js
 import { spawnSync as spawnSync2 } from "node:child_process";
-var SERVICE = "Vendian CLI";
-var PACKAGE_TOKEN_ACCOUNT = "gitlab-package-token";
-var SECRET_STORE_TIMEOUT_MS = 5e3;
 function run(command, args, options = {}) {
   return spawnSync2(command, args, {
     encoding: "utf8",
@@ -734,8 +379,18 @@ function loadPackageTokenSecret(config = {}, platform = process.platform) {
   }
   return "";
 }
+var SERVICE, PACKAGE_TOKEN_ACCOUNT, SECRET_STORE_TIMEOUT_MS;
+var init_secret_store = __esm({
+  "src/secret-store.js"() {
+    SERVICE = "Vendian CLI";
+    PACKAGE_TOKEN_ACCOUNT = "gitlab-package-token";
+    SECRET_STORE_TIMEOUT_MS = 5e3;
+  }
+});
 // src/install.js
+import fs3 from "node:fs";
+import path3 from "node:path";
 function registryConfig(config = {}, env = process.env, platform = process.platform) {
   const gitlabHost = env.GITLAB_HOST || config.gitlabHost || DEFAULT_GITLAB_HOST;
   const username = env.GITLAB_USERNAME || config.gitlabUsername || "__token__";
@@ -794,31 +449,671 @@ function installVendianPackages({ pythonPath, venvPath, config, env = process.en
   if (hasUv()) {
     status = runInherit("uv", ["pip", ...installArgs, "--python", pythonPath]);
   } else {
-    status = runInherit(pythonPath, ["-m", "pip", ...installArgs]);
+    status = runInherit(pythonPath, ["-m", "pip", ...installArgs]);
+  }
+  if (status !== 0) {
+    throw new Error("Could not install Vendian runtime packages. Check package access and try again.");
+  }
+  writeInstallMarker(venvPath, {
+    gitlabHost: registry.gitlabHost,
+    gitlabUsername: registry.username,
+    sdkProjectId: registry.sdkProjectId,
+    runtimeProjectId: registry.runtimeProjectId,
+    vendianAgentsVersion: registry.vendianAgentsVersion || "latest",
+    vendianAgentsRuntimeVersion: registry.vendianRuntimeVersion || "latest"
+  });
+}
+function writeInstallMarker(venvPath, marker) {
+  fs3.mkdirSync(venvPath, { recursive: true });
+  fs3.writeFileSync(
+    path3.join(venvPath, ".vendian-bootstrap.json"),
+    `${JSON.stringify({ version: 1, ...marker }, null, 2)}
+`,
+    "utf8"
+  );
+}
+var init_install = __esm({
+  "src/install.js"() {
+    init_constants();
+    init_process();
+    init_python();
+    init_secret_store();
+  }
+});
+// src/auth.js
+var auth_exports = {};
+__export(auth_exports, {
+  activateCloudProfile: () => activateCloudProfile,
+  activeCloudAuthStatus: () => activeCloudAuthStatus,
+  buildLinuxOpenCommand: () => buildLinuxOpenCommand,
+  buildMacOpenCommand: () => buildMacOpenCommand,
+  buildWindowsOpenCommand: () => buildWindowsOpenCommand,
+  cloudAuthStatus: () => cloudAuthStatus,
+  cloudConfigPath: () => cloudConfigPath,
+  defaultOAuthRedirectUri: () => defaultOAuthRedirectUri,
+  fetchPackageCredentials: () => fetchPackageCredentials,
+  formatOAuthError: () => formatOAuthError,
+  loadCloudConfig: () => loadCloudConfig,
+  loginWithVendianOAuth: () => loginWithVendianOAuth,
+  resolveApiUrl: () => resolveApiUrl,
+  saveCloudToken: () => saveCloudToken
+});
+import crypto from "node:crypto";
+import http from "node:http";
+import fs6 from "node:fs";
+import path5 from "node:path";
+import { spawnSync as spawnSync3 } from "node:child_process";
+function resolveApiUrl({ backend, apiUrl, env = process.env } = {}) {
+  if (apiUrl) {
+    return apiUrl.replace(/\/$/, "");
+  }
+  if (env.VENDIAN_API_URL) {
+    return env.VENDIAN_API_URL.replace(/\/$/, "");
+  }
+  const target = backend || "prod";
+  const resolved = BACKEND_TARGETS[target];
+  if (!resolved) {
+    throw new Error(`Unknown Vendian backend '${target}'. Use local, dev, staging, prod, or --api-url.`);
+  }
+  return resolved;
+}
+async function loginWithVendianOAuth({ backend, apiUrl, noBrowser = false, env = process.env } = {}) {
+  const resolvedApiUrl = resolveApiUrl({ backend, apiUrl, env });
+  const callback = await createCallbackServer(env);
+  try {
+    const config = await getOAuthConfig(resolvedApiUrl, callback.redirectUri);
+    const codeVerifier = crypto.randomBytes(48).toString("base64url");
+    const codeChallenge = crypto.createHash("sha256").update(codeVerifier).digest("base64url");
+    const state = crypto.randomBytes(18).toString("base64url");
+    const authorizationUrl = authorizationUrlFor(config, { state, codeChallenge });
+    if (noBrowser) {
+      console.error(`Open this URL to authenticate the CLI: ${authorizationUrl}`);
+    } else {
+      openBrowser(authorizationUrl);
+    }
+    const callbackResult = await callback.wait();
+    if (callbackResult.state !== state) {
+      throw new Error("OAuth state mismatch");
+    }
+    const clerkToken = await exchangeCodeForClerkToken(config, callbackResult.code, codeVerifier, callback.redirectUri);
+    const exchange = await postJson(`${resolvedApiUrl}/api/v1/cli/auth/oauth/exchange`, {
+      clerkToken
+    });
+    return { apiUrl: resolvedApiUrl, ...exchange };
+  } catch (error) {
+    throw new Error(formatOAuthError(error, {
+      apiUrl: resolvedApiUrl,
+      redirectUri: callback.redirectUri
+    }), { cause: error });
+  } finally {
+    await callback.close();
+  }
+}
+async function fetchPackageCredentials({ apiUrl, accessToken }) {
+  if (!apiUrl || !accessToken) {
+    return void 0;
+  }
+  const payload = await getJson(`${String(apiUrl).replace(/\/$/, "")}/api/v1/cli/package-credentials`, {
+    Authorization: `Bearer ${accessToken}`
+  });
+  return payload.packageCredentials;
+}
+function loadCloudConfig(env = process.env, platform = process.platform) {
+  const file = cloudConfigPath(env, platform);
+  try {
+    const parsed = JSON.parse(fs6.readFileSync(file, "utf8"));
+    return parsed && typeof parsed === "object" ? parsed : {};
+  } catch {
+    return {};
+  }
+}
+function cloudAuthStatus({ backend, apiUrl, env = process.env, platform = process.platform } = {}) {
+  const targetApiUrl = resolveApiUrl({ backend, apiUrl, env });
+  const config = loadCloudConfig(env, platform);
+  const profiles = config.profiles && typeof config.profiles === "object" ? config.profiles : {};
+  const profile = profiles[targetApiUrl];
+  return {
+    apiUrl: targetApiUrl,
+    activeApiUrl: typeof config.active_api_url === "string" ? config.active_api_url : void 0,
+    profile: profile && typeof profile === "object" ? profile : void 0,
+    authenticated: Boolean(profile?.access_token),
+    email: typeof profile?.email === "string" ? profile.email : void 0,
+    expiresAt: typeof profile?.expires_at === "string" ? profile.expires_at : void 0,
+    profiles
+  };
+}
+function activeCloudAuthStatus({ env = process.env, platform = process.platform } = {}) {
+  const config = loadCloudConfig(env, platform);
+  const profiles = config.profiles && typeof config.profiles === "object" ? config.profiles : {};
+  const apiUrl = typeof config.active_api_url === "string" ? config.active_api_url : void 0;
+  const profile = apiUrl ? profiles[apiUrl] : void 0;
+  return {
+    apiUrl,
+    activeApiUrl: apiUrl,
+    profile: profile && typeof profile === "object" ? profile : void 0,
+    authenticated: Boolean(profile?.access_token),
+    email: typeof profile?.email === "string" ? profile.email : void 0,
+    expiresAt: typeof profile?.expires_at === "string" ? profile.expires_at : void 0,
+    profiles
+  };
+}
+function activateCloudProfile({ backend, apiUrl, env = process.env, platform = process.platform } = {}) {
+  const targetApiUrl = resolveApiUrl({ backend, apiUrl, env });
+  const config = loadCloudConfig(env, platform);
+  const profiles = config.profiles && typeof config.profiles === "object" ? config.profiles : {};
+  const profile = profiles[targetApiUrl];
+  if (!profile || typeof profile !== "object" || !profile.access_token) {
+    return {
+      apiUrl: targetApiUrl,
+      activeApiUrl: typeof config.active_api_url === "string" ? config.active_api_url : void 0,
+      authenticated: false,
+      activated: false,
+      profiles
+    };
+  }
+  const next = {
+    ...config,
+    version: config.version || 2,
+    profiles,
+    active_api_url: targetApiUrl
+  };
+  writeCloudConfig(next, { env, platform });
+  return {
+    apiUrl: targetApiUrl,
+    activeApiUrl: targetApiUrl,
+    profile,
+    authenticated: true,
+    activated: true,
+    email: typeof profile.email === "string" ? profile.email : void 0,
+    expiresAt: typeof profile.expires_at === "string" ? profile.expires_at : void 0,
+    profiles
+  };
+}
+function defaultOAuthRedirectUri(env = process.env) {
+  const port = Number(env.VENDIAN_CLI_OAUTH_REDIRECT_PORT || DEFAULT_OAUTH_REDIRECT_PORT);
+  return `http://127.0.0.1:${port}/callback`;
+}
+function formatOAuthError(error, { apiUrl, redirectUri } = {}) {
+  const message = error && typeof error.message === "string" ? error.message : String(error || "OAuth login failed");
+  const hint = oauthRedirectHint(message, { apiUrl, redirectUri });
+  return hint ? `${message}
+${hint}` : message;
+}
+async function getOAuthConfig(apiUrl, redirectUri) {
+  const url = new URL(`${apiUrl}/api/v1/cli/auth/oauth/config`);
+  url.searchParams.set("redirectUri", redirectUri);
+  return getJson(url);
+}
+function authorizationUrlFor(config, { state, codeChallenge }) {
+  const url = new URL(String(config.authorizationUrl));
+  url.searchParams.set("response_type", "code");
+  url.searchParams.set("client_id", String(config.clientId));
+  url.searchParams.set("redirect_uri", String(config.redirectUri));
+  url.searchParams.set("scope", String(config.scopes || "email profile"));
+  url.searchParams.set("state", state);
+  url.searchParams.set("code_challenge", codeChallenge);
+  url.searchParams.set("code_challenge_method", "S256");
+  return url.toString();
+}
+async function exchangeCodeForClerkToken(config, code, codeVerifier, redirectUri) {
+  const body = new URLSearchParams({
+    grant_type: "authorization_code",
+    client_id: String(config.clientId),
+    code,
+    redirect_uri: redirectUri,
+    code_verifier: codeVerifier
+  });
+  const payload = await postForm(String(config.tokenUrl), body);
+  const token = payload.access_token || payload.id_token;
+  if (!token) {
+    throw new Error("OAuth token exchange did not return a Clerk token");
+  }
+  return String(token);
+}
+async function getJson(url, headers = {}) {
+  const response = await fetch(url, { headers: { Accept: "application/json", ...headers } });
+  return decodeResponse(response);
+}
+async function postJson(url, body) {
+  const response = await fetch(url, {
+    method: "POST",
+    headers: { Accept: "application/json", "Content-Type": "application/json" },
+    body: JSON.stringify(body)
+  });
+  return decodeResponse(response);
+}
+async function postForm(url, body) {
+  const response = await fetch(url, {
+    method: "POST",
+    headers: { Accept: "application/json", "Content-Type": "application/x-www-form-urlencoded" },
+    body
+  });
+  return decodeResponse(response);
+}
+async function decodeResponse(response) {
+  const text = await response.text();
+  let payload = {};
+  if (text) {
+    try {
+      payload = JSON.parse(text);
+    } catch {
+      payload = { error: text };
+    }
+  }
+  if (!response.ok) {
+    throw new Error(payload.message || payload.error || `HTTP ${response.status}`);
+  }
+  return payload;
+}
+async function createCallbackServer(env) {
+  const port = Number(env.VENDIAN_CLI_OAUTH_REDIRECT_PORT || DEFAULT_OAUTH_REDIRECT_PORT);
+  let server;
+  let settled = false;
+  let timeout;
+  const waitPromise = new Promise((resolve, reject) => {
+    timeout = setTimeout(() => {
+      settled = true;
+      reject(new Error("OAuth login timed out before callback completed"));
+    }, 3e5);
+    server = http.createServer((req, res) => {
+      const url = new URL(req.url || "/", `http://${req.headers.host || "127.0.0.1"}`);
+      const code = url.searchParams.get("code");
+      const state = url.searchParams.get("state");
+      const error = url.searchParams.get("error");
+      const errorDescription = url.searchParams.get("error_description");
+      const body = code ? "Vendian CLI authentication complete. You can close this window." : "Vendian CLI authentication failed. Return to the terminal.";
+      res.writeHead(code ? 200 : 400, {
+        "Content-Type": "text/plain; charset=utf-8",
+        "Content-Length": Buffer.byteLength(body)
+      });
+      res.end(body);
+      clearTimeout(timeout);
+      if (settled) {
+        return;
+      }
+      settled = true;
+      if (error) {
+        const details = errorDescription ? `${error} (${errorDescription})` : error;
+        reject(new Error(`OAuth login failed: ${details}`));
+        return;
+      }
+      if (!code) {
+        reject(new Error("OAuth callback did not include an authorization code"));
+        return;
+      }
+      resolve({ code, state });
+    });
+    server.on("error", reject);
+    server.listen(port, "127.0.0.1");
+  });
+  await new Promise((resolve, reject) => {
+    server.once("listening", resolve);
+    server.once("error", reject);
+  });
+  return {
+    redirectUri: `http://127.0.0.1:${server.address().port}/callback`,
+    wait: () => waitPromise,
+    close: () => new Promise((resolve) => server.close(resolve))
+  };
+}
+function oauthRedirectHint(message, { apiUrl, redirectUri } = {}) {
+  if (!redirectUri) {
+    return "";
+  }
+  const lower = String(message || "").toLowerCase();
+  const looksLikeRedirectMismatch = lower.includes("redirect_uri") || lower.includes("pre-registered redirect") || lower.includes("oauth login timed out before callback completed") || lower.includes("oauth callback did not include an authorization code");
+  if (!looksLikeRedirectMismatch) {
+    return "";
+  }
+  const target = apiUrl || "this backend";
+  return `If Clerk rejected the CLI callback for ${target}, add this redirect URL in Clerk: ${redirectUri}`;
+}
+function openBrowser(url) {
+  const platform = process.platform;
+  if (platform === "win32") {
+    spawnSync3(...buildWindowsOpenCommand(url), { stdio: "ignore", shell: false });
+    return;
+  }
+  if (platform === "darwin") {
+    spawnSync3(...buildMacOpenCommand(url), { stdio: "ignore", shell: false });
+    return;
+  }
+  spawnSync3(...buildLinuxOpenCommand(url), { stdio: "ignore", shell: false });
+}
+function buildWindowsOpenCommand(url) {
+  return ["rundll32.exe", ["url.dll,FileProtocolHandler", String(url)]];
+}
+function buildMacOpenCommand(url) {
+  return ["open", [String(url)]];
+}
+function buildLinuxOpenCommand(url) {
+  return ["xdg-open", [String(url)]];
+}
+function cloudConfigPath(env = process.env, platform = process.platform) {
+  if (env.VENDIAN_CLOUD_CONFIG) {
+    return path5.resolve(env.VENDIAN_CLOUD_CONFIG);
+  }
+  if (platform === "win32") {
+    const root2 = env.APPDATA || path5.join(process.env.USERPROFILE || "", "AppData", "Roaming");
+    return path5.win32.join(root2, "Vendian", "cloud-auth.json");
+  }
+  const root = env.XDG_CONFIG_HOME || path5.join(process.env.HOME || "", ".config");
+  return path5.posix.join(root, "vendian", "cloud-auth.json");
+}
+function saveCloudToken(token, { env = process.env, platform = process.platform } = {}) {
+  const tokenApiUrl = String(token.apiUrl || "").replace(/\/$/, "");
+  let raw = { version: 2, profiles: {}, active_api_url: token.apiUrl };
+  try {
+    const existing = loadCloudConfig(env, platform);
+    if (existing && typeof existing === "object" && existing.profiles && typeof existing.profiles === "object") {
+      raw.profiles = existing.profiles;
+    }
+  } catch {
+  }
+  raw.active_api_url = tokenApiUrl;
+  raw.profiles[tokenApiUrl] = {
+    api_url: tokenApiUrl,
+    access_token: token.accessToken,
+    user_id: token.userId,
+    email: token.email,
+    expires_at: token.expiresAt,
+    scopes: token.scopes,
+    tooling_eligible: token.toolingEligible
+  };
+  return writeCloudConfig(raw, { env, platform });
+}
+function writeCloudConfig(raw, { env = process.env, platform = process.platform } = {}) {
+  const file = cloudConfigPath(env, platform);
+  fs6.mkdirSync(path5.dirname(file), { recursive: true });
+  fs6.writeFileSync(file, `${JSON.stringify(raw, null, 2)}
+`, { encoding: "utf8", mode: 384 });
+  try {
+    fs6.chmodSync(file, 384);
+  } catch {
+  }
+  return file;
+}
+var DEFAULT_OAUTH_REDIRECT_PORT;
+var init_auth = __esm({
+  "src/auth.js"() {
+    init_constants();
+    DEFAULT_OAUTH_REDIRECT_PORT = 8765;
+  }
+});
+// src/docs.js
+import fs7 from "node:fs";
+import path6 from "node:path";
+function pathApi2(platform) {
+  return platform === "win32" ? path6.win32 : path6.posix;
+}
+function commandWritesAgentDocs(args = []) {
+  return args[0] === "init";
+}
+function initOutputDir(args = []) {
+  for (let index = 1; index < args.length; index += 1) {
+    const arg = args[index];
+    if (arg === "--output-dir" || arg === "-o") {
+      return args[index + 1] || ".";
+    }
+    if (arg.startsWith("--output-dir=")) {
+      return arg.slice("--output-dir=".length) || ".";
+    }
+  }
+  return ".";
+}
+function resolveWorkspacePath(outputDir, { cwd = process.cwd(), platform = process.platform } = {}) {
+  const api = pathApi2(platform);
+  const raw = outputDir || ".";
+  return api.isAbsolute(raw) ? api.normalize(raw) : api.resolve(cwd, raw);
+}
+function recordAgentDocsWorkspace(outputDir, {
+  env = process.env,
+  platform = process.platform,
+  cwd = process.cwd(),
+  now = /* @__PURE__ */ new Date()
+} = {}) {
+  const workspacePath = resolveWorkspacePath(outputDir, { cwd, platform });
+  const config = loadConfig(env, platform);
+  const existing = Array.isArray(config[DOC_WORKSPACES_KEY]) ? config[DOC_WORKSPACES_KEY] : [];
+  const workspaces = [workspacePath, ...existing.filter((entry) => entry !== workspacePath)];
+  const next = {
+    ...config,
+    [DOC_WORKSPACES_KEY]: workspaces,
+    lastAgentDocsInitAt: now.toISOString()
+  };
+  saveConfig(next, env, platform);
+  return next;
+}
+function recordForwardedDocsCommand(args, code, options = {}) {
+  if (code !== 0 || !commandWritesAgentDocs(args)) {
+    return false;
+  }
+  recordAgentDocsWorkspace(initOutputDir(args), options);
+  return true;
+}
+function refreshAgentDocsWorkspaces({
+  config,
+  venvPath,
+  env = process.env,
+  platform = process.platform,
+  run: run2 = runInherit,
+  now = /* @__PURE__ */ new Date()
+} = {}) {
+  const currentConfig = config || loadConfig(env, platform);
+  const workspaces = Array.isArray(currentConfig[DOC_WORKSPACES_KEY]) ? [...new Set(currentConfig[DOC_WORKSPACES_KEY].filter((entry) => typeof entry === "string" && entry.trim()))] : [];
+  if (workspaces.length === 0) {
+    saveConfig(currentConfig, env, platform);
+    return { config: currentConfig, refreshed: 0, failed: 0 };
+  }
+  const vendianPath = venvVendian(venvPath, platform);
+  let refreshed = 0;
+  let failed = 0;
+  for (const workspace of workspaces) {
+    if (!fs7.existsSync(workspace)) {
+      continue;
+    }
+    const status = run2(vendianPath, ["init", "--output-dir", workspace, "--yes"]);
+    if (status === 0) {
+      refreshed += 1;
+    } else {
+      failed += 1;
+      console.error(`[vendian] Could not refresh SDK docs in ${workspace}`);
+    }
+  }
+  const next = {
+    ...currentConfig,
+    [DOC_WORKSPACES_KEY]: workspaces,
+    lastAgentDocsRefreshAt: now.toISOString()
+  };
+  saveConfig(next, env, platform);
+  return { config: next, refreshed, failed };
+}
+var DOC_WORKSPACES_KEY;
+var init_docs = __esm({
+  "src/docs.js"() {
+    init_config();
+    init_paths();
+    init_process();
+    DOC_WORKSPACES_KEY = "agentDocWorkspaces";
+  }
+});
+// src/setup.js
+var setup_exports = {};
+__export(setup_exports, {
+  refreshPackageAccessFromCloudAuth: () => refreshPackageAccessFromCloudAuth,
+  savePackageCredentials: () => savePackageCredentials,
+  setup: () => setup,
+  setupCompletionLines: () => setupCompletionLines
+});
+import fs8 from "node:fs";
+async function setup({
+  nonInteractive = false,
+  backend = void 0,
+  apiUrl = void 0,
+  noBrowser = false,
+  forceAuth = false,
+  env = process.env,
+  platform = process.platform
+} = {}) {
+  const existing = loadConfig(env, platform);
+  const registry = registryConfig(existing, env, platform);
+  const auth = cloudAuthStatus({ backend, apiUrl, env, platform });
+  const next = {
+    ...existing,
+    gitlabHost: registry.gitlabHost || DEFAULT_GITLAB_HOST,
+    gitlabUsername: registry.username || "__token__",
+    sdkPublicProjectId: registry.sdkProjectId || DEFAULT_SDK_PUBLIC_PROJECT_ID,
+    sdkRuntimeProjectId: registry.runtimeProjectId || DEFAULT_SDK_RUNTIME_PROJECT_ID
+  };
+  let cloudAuthApiUrl = auth.authenticated ? auth.apiUrl : void 0;
+  console.log("Vendian login");
+  console.log("This signs in to Vendian and prepares the local runtime.");
+  console.log("Agent requirements.txt files stay reserved for agent-owned dependencies.");
+  console.log("");
+  if ((!auth.authenticated || forceAuth) && !nonInteractive) {
+    console.log(`Opening Vendian sign-in for ${auth.apiUrl}...`);
+    const login = await loginWithVendianOAuth({ backend, apiUrl, noBrowser, env });
+    saveCloudToken(login, { env, platform });
+    cloudAuthApiUrl = login.apiUrl;
+    const packageCredentials = login.packageCredentials;
+    if (!registry.token && !packageCredentials?.token) {
+      throw new Error("Vendian login succeeded, but the backend did not return package credentials. Configure CLI_PACKAGE_REGISTRY_TOKEN on the backend.");
+    }
+    if (packageCredentials) {
+      savePackageCredentials(next, packageCredentials, { platform });
+    }
+  } else if (auth.authenticated) {
+    activateCloudProfile({ backend, apiUrl, env, platform });
+    console.log(`Cloud authentication already saved for ${auth.apiUrl}${auth.email ? ` (${auth.email})` : ""}.`);
+    const refreshed = await refreshPackageAccessFromCloudAuth({ config: next, auth, env, platform });
+    Object.assign(next, refreshed.config);
+  } else if (registry.token) {
+    if (registry.tokenSource !== "secret-store") {
+      next.gitlabToken = registry.token;
+    }
+    console.log("Using saved package access.");
+  }
+  const installRegistry = registryConfig(next, env, platform);
+  if (!installRegistry.token) {
+    throw new Error("Package access is missing. Run interactive `vendian login` to sign in.");
+  }
+  const python = findPython(platform);
+  if (!python) {
+    throw new Error("Python 3.11+ was not found. Install Python 3.11 or newer, then rerun `vendian login`.");
+  }
+  const venvPath = managedVenvPath(env, platform);
+  console.log(`Managed environment: ${venvPath}`);
+  const pythonPath = ensureVenv(venvPath, python, platform);
+  console.log(`Python: ${pythonVersion(pythonPath) || pythonPath}`);
+  saveConfig(next, env, platform);
+  installVendianPackages({ pythonPath, venvPath, config: next, env, platform });
+  const updated = { ...next, lastManagedUpdateAt: (/* @__PURE__ */ new Date()).toISOString() };
+  refreshAgentDocsWorkspaces({ config: updated, venvPath, env, platform });
+  if (!verifyVendianImports(pythonPath)) {
+    throw new Error("Vendian packages installed, but import verification failed.");
+  }
+  const vendianPath = venvVendian(venvPath, platform);
+  if (!fs8.existsSync(vendianPath)) {
+    throw new Error("Vendian executable was not found after install.");
+  }
+  console.log("");
+  for (const line of setupCompletionLines({ cloudAuthApiUrl, backend, apiUrl })) {
+    console.log(line);
+  }
+}
+function savePackageCredentials(config, packageCredentials, { platform = process.platform } = {}) {
+  if (!packageCredentials?.token) {
+    return false;
+  }
+  config.gitlabHost = packageCredentials.gitlabHost || config.gitlabHost;
+  config.gitlabUsername = packageCredentials.username || config.gitlabUsername;
+  config.sdkPublicProjectId = packageCredentials.sdkProjectId || config.sdkPublicProjectId;
+  config.sdkRuntimeProjectId = packageCredentials.runtimeProjectId || config.sdkRuntimeProjectId;
+  config.vendianAgentsVersion = packageCredentials.vendianAgentsVersion || config.vendianAgentsVersion;
+  config.vendianAgentsRuntimeVersion = packageCredentials.vendianAgentsRuntimeVersion || config.vendianAgentsRuntimeVersion;
+  const secret = savePackageTokenSecret(packageCredentials.token, config, platform);
+  if (secret.ok) {
+    Object.assign(config, secret.config || {});
+    delete config.gitlabToken;
+    console.log("Package access saved.");
+  } else {
+    config.gitlabToken = packageCredentials.token;
+    console.log("Package access saved in the local Vendian CLI config file.");
   }
-  if (status !== 0) {
-    throw new Error("Could not install Vendian runtime packages. Check package access and try again.");
+  return true;
+}
+async function refreshPackageAccessFromCloudAuth({
+  config,
+  auth,
+  env = process.env,
+  platform = process.platform,
+  save = true
+} = {}) {
+  const currentConfig = config || loadConfig(env, platform);
+  const registry = registryConfig(currentConfig, env, platform);
+  if (registry.token) {
+    return { config: currentConfig, refreshed: false };
   }
-  writeInstallMarker(venvPath, {
-    gitlabHost: registry.gitlabHost,
-    gitlabUsername: registry.username,
-    sdkProjectId: registry.sdkProjectId,
-    runtimeProjectId: registry.runtimeProjectId,
-    vendianAgentsVersion: registry.vendianAgentsVersion || "latest",
-    vendianAgentsRuntimeVersion: registry.vendianRuntimeVersion || "latest"
+  const status = auth || activeCloudAuthStatus({ env, platform });
+  if (!status.authenticated || !status.apiUrl || !status.profile?.access_token) {
+    return { config: currentConfig, refreshed: false };
+  }
+  const packageCredentials = await fetchPackageCredentials({
+    apiUrl: status.apiUrl,
+    accessToken: status.profile.access_token
   });
+  if (!packageCredentials?.token) {
+    return { config: currentConfig, refreshed: false };
+  }
+  const next = { ...currentConfig };
+  const stored = savePackageCredentials(next, packageCredentials, { platform });
+  if (stored && save) {
+    saveConfig(next, env, platform);
+  }
+  return { config: next, refreshed: stored };
 }
-function writeInstallMarker(venvPath, marker) {
-  fs3.mkdirSync(venvPath, { recursive: true });
-  fs3.writeFileSync(
-    path3.join(venvPath, ".vendian-bootstrap.json"),
-    `${JSON.stringify({ version: 1, ...marker }, null, 2)}
-`,
-    "utf8"
-  );
+function setupCompletionLines({ cloudAuthApiUrl, backend, apiUrl } = {}) {
+  const lines = ["Vendian login complete."];
+  if (cloudAuthApiUrl) {
+    lines.push(`Connected to ${cloudAuthApiUrl}.`);
+    lines.push("Next: vendian cloud local serve --agents-dir ./agents");
+    return lines;
+  }
+  lines.push(`Next: ${cloudAuthLoginCommand({ backend, apiUrl })}`);
+  lines.push("Then: vendian cloud local serve --agents-dir ./agents");
+  return lines;
+}
+function cloudAuthLoginCommand({ backend, apiUrl } = {}) {
+  if (apiUrl) {
+    return `vendian cloud auth login --api-url ${apiUrl}`;
+  }
+  if (backend) {
+    return `vendian cloud auth login --backend ${backend}`;
+  }
+  return "vendian cloud auth login";
 }
+var init_setup = __esm({
+  "src/setup.js"() {
+    init_auth();
+    init_constants();
+    init_config();
+    init_docs();
+    init_install();
+    init_paths();
+    init_python();
+    init_secret_store();
+  }
+});
 // src/doctor.js
+init_config();
+init_install();
+init_paths();
+init_python();
+import fs4 from "node:fs";
 function doctor({ env = process.env, platform = process.platform } = {}) {
   const config = loadConfig(env, platform);
   const venvPath = managedVenvPath(env, platform);
@@ -971,351 +1266,115 @@ function findManifestFiles(root, { maxDepth, maxDirs, limit }) {
         if (manifests.length >= limit) {
           break;
         }
-      }
-    }
-    if (depth >= maxDepth) {
-      continue;
-    }
-    for (const entry of entries) {
-      if (!entry.isDirectory() || SKIP_DIRS.has(entry.name)) {
-        continue;
-      }
-      stack.push({ dir: path4.join(resolved, entry.name), depth: depth + 1 });
-    }
-  }
-  return manifests;
-}
-function nearestAgentsAncestor(manifestPath, root) {
-  let current = path4.dirname(manifestPath);
-  const stop = path4.resolve(root);
-  while (current.startsWith(stop)) {
-    if (path4.basename(current).toLowerCase() === "agents") {
-      return current;
-    }
-    const parent = path4.dirname(current);
-    if (parent === current) {
-      break;
-    }
-    current = parent;
-  }
-  return null;
-}
-function hasDirectManifest(root) {
-  return [...MANIFEST_NAMES].some((name) => fs5.existsSync(path4.join(root, name)));
-}
-function displayPath(target, cwd) {
-  const relative = path4.relative(cwd, target);
-  if (!relative) {
-    return ".";
-  }
-  if (relative.startsWith("..") || path4.isAbsolute(relative)) {
-    return target;
-  }
-  return relative.startsWith(".") ? relative : `.${path4.sep}${relative}`;
-}
-function commonSearchRoots(home) {
-  if (!home) {
-    return [];
-  }
-  return [
-    "agents",
-    "Projects",
-    "Code",
-    "Developer",
-    "Documents",
-    "Desktop"
-  ].map((name) => path4.join(home, name));
-}
-function uniqueExistingDirs(paths) {
-  const result = [];
-  const seen = /* @__PURE__ */ new Set();
-  for (const item of paths) {
-    const resolved = safeResolve(item);
-    if (!resolved || seen.has(resolved)) {
-      continue;
-    }
-    try {
-      if (!fs5.statSync(resolved).isDirectory()) {
-        continue;
-      }
-    } catch {
-      continue;
-    }
-    seen.add(resolved);
-    result.push(resolved);
-  }
-  return result;
-}
-function parentDirs(start, limit) {
-  const parents = [];
-  let current = path4.resolve(start);
-  for (let index = 0; index < limit; index += 1) {
-    const parent = path4.dirname(current);
-    if (!parent || parent === current) {
-      break;
-    }
-    parents.push(parent);
-    current = parent;
-  }
-  return parents;
-}
-function safeResolve(candidate) {
-  try {
-    return path4.resolve(candidate);
-  } catch {
-    return null;
-  }
-}
-// src/dev-server.js
-init_auth();
-init_constants();
-// src/forward.js
-import fs9 from "node:fs";
-// src/docs.js
-import fs7 from "node:fs";
-import path6 from "node:path";
-var DOC_WORKSPACES_KEY = "agentDocWorkspaces";
-function pathApi2(platform) {
-  return platform === "win32" ? path6.win32 : path6.posix;
-}
-function commandWritesAgentDocs(args = []) {
-  return args[0] === "init";
-}
-function initOutputDir(args = []) {
-  for (let index = 1; index < args.length; index += 1) {
-    const arg = args[index];
-    if (arg === "--output-dir" || arg === "-o") {
-      return args[index + 1] || ".";
-    }
-    if (arg.startsWith("--output-dir=")) {
-      return arg.slice("--output-dir=".length) || ".";
-    }
-  }
-  return ".";
-}
-function resolveWorkspacePath(outputDir, { cwd = process.cwd(), platform = process.platform } = {}) {
-  const api = pathApi2(platform);
-  const raw = outputDir || ".";
-  return api.isAbsolute(raw) ? api.normalize(raw) : api.resolve(cwd, raw);
-}
-function recordAgentDocsWorkspace(outputDir, {
-  env = process.env,
-  platform = process.platform,
-  cwd = process.cwd(),
-  now = /* @__PURE__ */ new Date()
-} = {}) {
-  const workspacePath = resolveWorkspacePath(outputDir, { cwd, platform });
-  const config = loadConfig(env, platform);
-  const existing = Array.isArray(config[DOC_WORKSPACES_KEY]) ? config[DOC_WORKSPACES_KEY] : [];
-  const workspaces = [workspacePath, ...existing.filter((entry) => entry !== workspacePath)];
-  const next = {
-    ...config,
-    [DOC_WORKSPACES_KEY]: workspaces,
-    lastAgentDocsInitAt: now.toISOString()
-  };
-  saveConfig(next, env, platform);
-  return next;
-}
-function recordForwardedDocsCommand(args, code, options = {}) {
-  if (code !== 0 || !commandWritesAgentDocs(args)) {
-    return false;
-  }
-  recordAgentDocsWorkspace(initOutputDir(args), options);
-  return true;
-}
-function refreshAgentDocsWorkspaces({
-  config,
-  venvPath,
-  env = process.env,
-  platform = process.platform,
-  run: run2 = runInherit,
-  now = /* @__PURE__ */ new Date()
-} = {}) {
-  const currentConfig = config || loadConfig(env, platform);
-  const workspaces = Array.isArray(currentConfig[DOC_WORKSPACES_KEY]) ? [...new Set(currentConfig[DOC_WORKSPACES_KEY].filter((entry) => typeof entry === "string" && entry.trim()))] : [];
-  if (workspaces.length === 0) {
-    saveConfig(currentConfig, env, platform);
-    return { config: currentConfig, refreshed: 0, failed: 0 };
-  }
-  const vendianPath = venvVendian(venvPath, platform);
-  let refreshed = 0;
-  let failed = 0;
-  for (const workspace of workspaces) {
-    if (!fs7.existsSync(workspace)) {
+      }
+    }
+    if (depth >= maxDepth) {
       continue;
     }
-    const status = run2(vendianPath, ["init", "--output-dir", workspace, "--yes"]);
-    if (status === 0) {
-      refreshed += 1;
-    } else {
-      failed += 1;
-      console.error(`[vendian] Could not refresh SDK docs in ${workspace}`);
+    for (const entry of entries) {
+      if (!entry.isDirectory() || SKIP_DIRS.has(entry.name)) {
+        continue;
+      }
+      stack.push({ dir: path4.join(resolved, entry.name), depth: depth + 1 });
     }
   }
-  const next = {
-    ...currentConfig,
-    [DOC_WORKSPACES_KEY]: workspaces,
-    lastAgentDocsRefreshAt: now.toISOString()
-  };
-  saveConfig(next, env, platform);
-  return { config: next, refreshed, failed };
+  return manifests;
 }
-// src/setup.js
-init_auth();
-init_constants();
-import fs8 from "node:fs";
-async function setup({
-  nonInteractive = false,
-  backend = void 0,
-  apiUrl = void 0,
-  noBrowser = false,
-  forceAuth = false,
-  env = process.env,
-  platform = process.platform
-} = {}) {
-  const existing = loadConfig(env, platform);
-  const registry = registryConfig(existing, env, platform);
-  const auth = cloudAuthStatus({ backend, apiUrl, env, platform });
-  const next = {
-    ...existing,
-    gitlabHost: registry.gitlabHost || DEFAULT_GITLAB_HOST,
-    gitlabUsername: registry.username || "__token__",
-    sdkPublicProjectId: registry.sdkProjectId || DEFAULT_SDK_PUBLIC_PROJECT_ID,
-    sdkRuntimeProjectId: registry.runtimeProjectId || DEFAULT_SDK_RUNTIME_PROJECT_ID
-  };
-  let cloudAuthApiUrl = auth.authenticated ? auth.apiUrl : void 0;
-  console.log("Vendian login");
-  console.log("This signs in to Vendian and prepares the local runtime.");
-  console.log("Agent requirements.txt files stay reserved for agent-owned dependencies.");
-  console.log("");
-  if ((!auth.authenticated || forceAuth) && !nonInteractive) {
-    console.log(`Opening Vendian sign-in for ${auth.apiUrl}...`);
-    const login = await loginWithVendianOAuth({ backend, apiUrl, noBrowser, env });
-    saveCloudToken(login, { env, platform });
-    cloudAuthApiUrl = login.apiUrl;
-    const packageCredentials = login.packageCredentials;
-    if (!registry.token && !packageCredentials?.token) {
-      throw new Error("Vendian login succeeded, but the backend did not return package credentials. Configure CLI_PACKAGE_REGISTRY_TOKEN on the backend.");
-    }
-    if (packageCredentials) {
-      savePackageCredentials(next, packageCredentials, { platform });
+function nearestAgentsAncestor(manifestPath, root) {
+  let current = path4.dirname(manifestPath);
+  const stop = path4.resolve(root);
+  while (current.startsWith(stop)) {
+    if (path4.basename(current).toLowerCase() === "agents") {
+      return current;
     }
-  } else if (auth.authenticated) {
-    activateCloudProfile({ backend, apiUrl, env, platform });
-    console.log(`Cloud authentication already saved for ${auth.apiUrl}${auth.email ? ` (${auth.email})` : ""}.`);
-    const refreshed = await refreshPackageAccessFromCloudAuth({ config: next, auth, env, platform });
-    Object.assign(next, refreshed.config);
-  } else if (registry.token) {
-    if (registry.tokenSource !== "secret-store") {
-      next.gitlabToken = registry.token;
+    const parent = path4.dirname(current);
+    if (parent === current) {
+      break;
     }
-    console.log("Using saved package access.");
-  }
-  const installRegistry = registryConfig(next, env, platform);
-  if (!installRegistry.token) {
-    throw new Error("Package access is missing. Run interactive `vendian login` to sign in.");
-  }
-  const python = findPython(platform);
-  if (!python) {
-    throw new Error("Python 3.11+ was not found. Install Python 3.11 or newer, then rerun `vendian login`.");
-  }
-  const venvPath = managedVenvPath(env, platform);
-  console.log(`Managed environment: ${venvPath}`);
-  const pythonPath = ensureVenv(venvPath, python, platform);
-  console.log(`Python: ${pythonVersion(pythonPath) || pythonPath}`);
-  saveConfig(next, env, platform);
-  installVendianPackages({ pythonPath, venvPath, config: next, env, platform });
-  const updated = { ...next, lastManagedUpdateAt: (/* @__PURE__ */ new Date()).toISOString() };
-  refreshAgentDocsWorkspaces({ config: updated, venvPath, env, platform });
-  if (!verifyVendianImports(pythonPath)) {
-    throw new Error("Vendian packages installed, but import verification failed.");
-  }
-  const vendianPath = venvVendian(venvPath, platform);
-  if (!fs8.existsSync(vendianPath)) {
-    throw new Error("Vendian executable was not found after install.");
-  }
-  console.log("");
-  for (const line of setupCompletionLines({ cloudAuthApiUrl, backend, apiUrl })) {
-    console.log(line);
+    current = parent;
   }
+  return null;
 }
-function savePackageCredentials(config, packageCredentials, { platform = process.platform } = {}) {
-  if (!packageCredentials?.token) {
-    return false;
-  }
-  config.gitlabHost = packageCredentials.gitlabHost || config.gitlabHost;
-  config.gitlabUsername = packageCredentials.username || config.gitlabUsername;
-  config.sdkPublicProjectId = packageCredentials.sdkProjectId || config.sdkPublicProjectId;
-  config.sdkRuntimeProjectId = packageCredentials.runtimeProjectId || config.sdkRuntimeProjectId;
-  config.vendianAgentsVersion = packageCredentials.vendianAgentsVersion || config.vendianAgentsVersion;
-  config.vendianAgentsRuntimeVersion = packageCredentials.vendianAgentsRuntimeVersion || config.vendianAgentsRuntimeVersion;
-  const secret = savePackageTokenSecret(packageCredentials.token, config, platform);
-  if (secret.ok) {
-    Object.assign(config, secret.config || {});
-    delete config.gitlabToken;
-    console.log("Package access saved.");
-  } else {
-    config.gitlabToken = packageCredentials.token;
-    console.log("Package access saved in the local Vendian CLI config file.");
-  }
-  return true;
+function hasDirectManifest(root) {
+  return [...MANIFEST_NAMES].some((name) => fs5.existsSync(path4.join(root, name)));
 }
-async function refreshPackageAccessFromCloudAuth({
-  config,
-  auth,
-  env = process.env,
-  platform = process.platform,
-  save = true
-} = {}) {
-  const currentConfig = config || loadConfig(env, platform);
-  const registry = registryConfig(currentConfig, env, platform);
-  if (registry.token) {
-    return { config: currentConfig, refreshed: false };
-  }
-  const status = auth || activeCloudAuthStatus({ env, platform });
-  if (!status.authenticated || !status.apiUrl || !status.profile?.access_token) {
-    return { config: currentConfig, refreshed: false };
+function displayPath(target, cwd) {
+  const relative = path4.relative(cwd, target);
+  if (!relative) {
+    return ".";
   }
-  const packageCredentials = await fetchPackageCredentials({
-    apiUrl: status.apiUrl,
-    accessToken: status.profile.access_token
-  });
-  if (!packageCredentials?.token) {
-    return { config: currentConfig, refreshed: false };
+  if (relative.startsWith("..") || path4.isAbsolute(relative)) {
+    return target;
   }
-  const next = { ...currentConfig };
-  const stored = savePackageCredentials(next, packageCredentials, { platform });
-  if (stored && save) {
-    saveConfig(next, env, platform);
+  return relative.startsWith(".") ? relative : `.${path4.sep}${relative}`;
+}
+function commonSearchRoots(home) {
+  if (!home) {
+    return [];
   }
-  return { config: next, refreshed: stored };
+  return [
+    "agents",
+    "Projects",
+    "Code",
+    "Developer",
+    "Documents",
+    "Desktop"
+  ].map((name) => path4.join(home, name));
 }
-function setupCompletionLines({ cloudAuthApiUrl, backend, apiUrl } = {}) {
-  const lines = ["Vendian login complete."];
-  if (cloudAuthApiUrl) {
-    lines.push(`Connected to ${cloudAuthApiUrl}.`);
-    lines.push("Next: vendian cloud local serve --agents-dir ./agents");
-    return lines;
+function uniqueExistingDirs(paths) {
+  const result = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const item of paths) {
+    const resolved = safeResolve(item);
+    if (!resolved || seen.has(resolved)) {
+      continue;
+    }
+    try {
+      if (!fs5.statSync(resolved).isDirectory()) {
+        continue;
+      }
+    } catch {
+      continue;
+    }
+    seen.add(resolved);
+    result.push(resolved);
   }
-  lines.push(`Next: ${cloudAuthLoginCommand({ backend, apiUrl })}`);
-  lines.push("Then: vendian cloud local serve --agents-dir ./agents");
-  return lines;
+  return result;
 }
-function cloudAuthLoginCommand({ backend, apiUrl } = {}) {
-  if (apiUrl) {
-    return `vendian cloud auth login --api-url ${apiUrl}`;
+function parentDirs(start, limit) {
+  const parents = [];
+  let current = path4.resolve(start);
+  for (let index = 0; index < limit; index += 1) {
+    const parent = path4.dirname(current);
+    if (!parent || parent === current) {
+      break;
+    }
+    parents.push(parent);
+    current = parent;
   }
-  if (backend) {
-    return `vendian cloud auth login --backend ${backend}`;
+  return parents;
+}
+function safeResolve(candidate) {
+  try {
+    return path4.resolve(candidate);
+  } catch {
+    return null;
   }
-  return "vendian cloud auth login";
 }
+// src/dev-server.js
+init_auth();
+init_constants();
+init_config();
 // src/forward.js
+init_config();
+init_docs();
+init_install();
+init_paths();
+init_process();
+init_setup();
+import fs9 from "node:fs";
 var AUTO_UPDATE_INTERVAL_MS = 24 * 60 * 60 * 1e3;
 async function forwardToPythonVendian(args, { env = process.env, platform = process.platform } = {}) {
   const invocation = await preparePythonVendianInvocation(args, { env, platform });
@@ -1446,7 +1505,12 @@ function reportProgress(onProgress, message) {
   }
 }
+// src/dev-server.js
+init_process();
+init_paths();
 // src/workspaces.js
+init_process();
 async function listCloudWorkspaces({
   env = process.env,
   platform = process.platform,
@@ -2296,6 +2360,7 @@ function formatSeconds(value) {
 }
 // src/serve-log-store.js
+init_paths();
 import crypto2 from "node:crypto";
 import fs10 from "node:fs";
 import path7 from "node:path";
@@ -2435,7 +2500,7 @@ function buildLocalServeEventStreamArgs({ agentsDir: agentsDir2 = "./agents", co
 }
 // src/version.js
-var CLI_VERSION = true ? "0.0.41" : process.env.npm_package_version || "0.0.0-dev";
+var CLI_VERSION = true ? "0.0.43" : process.env.npm_package_version || "0.0.0-dev";
 // src/dev-server.js
 var __dirname = path8.dirname(fileURLToPath(import.meta.url));
@@ -2448,6 +2513,7 @@ var logStore = null;
 var agentsDir = "";
 var activeServeAgentsDir = "";
 var collectionId = "";
+var activeAuthLogin = null;
 async function startDevServer({
   port = 3859,
   agents = "",
@@ -2572,6 +2638,8 @@ async function handleApi(req, res, pathname, parsed) {
           return apiServeStop(req, res);
         case "/api/create":
           return await apiCreate(req, res, body);
+        case "/api/auth/login":
+          return await apiAuthLogin(req, res, body);
         case "/api/auth/switch":
           return await apiAuthSwitch(req, res, body);
         default:
@@ -2738,6 +2806,55 @@ async function apiAuthSwitch(req, res, body) {
     jsonResponse(res, { ok: false, error: err.message });
   }
 }
+async function loginOrActivateBackend({ backend, env, setupFn, statusFn, activateFn } = {}) {
+  if (!backend || !BACKEND_TARGETS[backend]) {
+    return { ok: false, error: `Unknown backend: ${backend}` };
+  }
+  const authEnv = { ...env || process.env, VENDIAN_API_URL: "" };
+  const readStatus = statusFn || cloudAuthStatus;
+  const activate = activateFn || activateCloudProfile;
+  const status = readStatus({ backend, env: authEnv });
+  if (status.authenticated) {
+    const result = activate({ backend, env: authEnv });
+    if (result?.activated) {
+      return { ok: true, switched: true, backend };
+    }
+  }
+  const runSetup = setupFn || (async (options) => {
+    const { setup: setup2 } = await Promise.resolve().then(() => (init_setup(), setup_exports));
+    return setup2(options);
+  });
+  await runSetup({ backend, forceAuth: true });
+  return { ok: true, loggedIn: true, backend };
+}
+async function apiAuthLogin(req, res, body) {
+  try {
+    const result = await runSingleAuthLogin({ backend: body.backend });
+    const status = result.ok ? 200 : 400;
+    jsonResponse(res, result, status);
+  } catch (err) {
+    jsonResponse(res, { ok: false, error: err.message || "Login failed" }, 500);
+  }
+}
+async function runSingleAuthLogin({ backend, loginFn } = {}) {
+  if (activeAuthLogin?.promise) {
+    if (activeAuthLogin.backend !== backend) {
+      return {
+        ok: false,
+        error: `A Vendian sign-in is already in progress for ${activeAuthLogin.backend}. Finish that browser flow or wait for it to close, then try ${backend} again.`
+      };
+    }
+    return activeAuthLogin.promise;
+  }
+  const executeLogin = loginFn || loginOrActivateBackend;
+  const promise = Promise.resolve().then(() => executeLogin({ backend })).finally(() => {
+    if (activeAuthLogin?.promise === promise) {
+      activeAuthLogin = null;
+    }
+  });
+  activeAuthLogin = { backend, promise };
+  return promise;
+}
 async function apiValidate(req, res, body) {
   const targetPath = body.path || agentsDir;
   const invocation = await preparePythonVendianInvocation(
@@ -3026,16 +3143,27 @@ function openUrl(url) {
   spawn3(shell || cmd, shell ? args : [url], { detached: true, stdio: "ignore" }).unref();
 }
+// src/main.js
+init_setup();
 // src/tui.js
 init_constants();
 init_auth();
+init_config();
 import fs12 from "node:fs";
 import path9 from "node:path";
 import readline from "node:readline";
+init_install();
 // src/npm-update.js
+init_config();
 var NPM_CHECK_INTERVAL_MS = 30 * 60 * 1e3;
+// src/tui.js
+init_paths();
+init_setup();
+init_process();
 // src/ui/figures.js
 var supportsUnicode = process.platform !== "win32" || Boolean(
   process.env.WT_SESSION || // Windows Terminal