@vm0/cli 4.37.0 → 4.38.1

package/index.js

@@ -6,8 +6,8 @@ var __export = (target, all) => {
 };
 
 // src/index.ts
-import { Command as Command24 } from "commander";
-import chalk27 from "chalk";
+import { Command as Command27 } from "commander";
+import chalk29 from "chalk";
 
 // src/lib/auth.ts
 import chalk from "chalk";
@@ -984,10 +984,10 @@ function mergeDefs(...defs) {
 function cloneDef(schema) {
   return mergeDefs(schema._zod.def);
 }
-function getElementAtPath(obj, path15) {
-  if (!path15)
+function getElementAtPath(obj, path16) {
+  if (!path16)
     return obj;
-  return path15.reduce((acc, key) => acc?.[key], obj);
+  return path16.reduce((acc, key) => acc?.[key], obj);
 }
 function promiseAllObject(promisesObj) {
   const keys = Object.keys(promisesObj);
@@ -1346,11 +1346,11 @@ function aborted(x, startIndex = 0) {
   }
   return false;
 }
-function prefixIssues(path15, issues) {
+function prefixIssues(path16, issues) {
   return issues.map((iss) => {
     var _a;
     (_a = iss).path ?? (_a.path = []);
-    iss.path.unshift(path15);
+    iss.path.unshift(path16);
     return iss;
   });
 }
@@ -1518,7 +1518,7 @@ function treeifyError(error43, _mapper) {
     return issue2.message;
   };
   const result = { errors: [] };
-  const processError = (error44, path15 = []) => {
+  const processError = (error44, path16 = []) => {
     var _a, _b;
     for (const issue2 of error44.issues) {
       if (issue2.code === "invalid_union" && issue2.errors.length) {
@@ -1528,7 +1528,7 @@ function treeifyError(error43, _mapper) {
       } else if (issue2.code === "invalid_element") {
         processError({ issues: issue2.issues }, issue2.path);
       } else {
-        const fullpath = [...path15, ...issue2.path];
+        const fullpath = [...path16, ...issue2.path];
         if (fullpath.length === 0) {
           result.errors.push(mapper(issue2));
           continue;
@@ -1560,8 +1560,8 @@ function treeifyError(error43, _mapper) {
 }
 function toDotPath(_path) {
   const segs = [];
-  const path15 = _path.map((seg) => typeof seg === "object" ? seg.key : seg);
-  for (const seg of path15) {
+  const path16 = _path.map((seg) => typeof seg === "object" ? seg.key : seg);
+  for (const seg of path16) {
     if (typeof seg === "number")
       segs.push(`[${seg}]`);
     else if (typeof seg === "symbol")
@@ -2760,7 +2760,7 @@ var $ZodBase64 = /* @__PURE__ */ $constructor("$ZodBase64", (inst, def) => {
 function isValidBase64URL(data) {
   if (!base64url.test(data))
     return false;
-  const base643 = data.replace(/[-_]/g, (c11) => c11 === "-" ? "+" : "/");
+  const base643 = data.replace(/[-_]/g, (c16) => c16 === "-" ? "+" : "/");
   const padded = base643.padEnd(Math.ceil(base643.length / 4) * 4, "=");
   return isValidBase64(padded);
 }
@@ -11672,9 +11672,9 @@ var ZodDate = /* @__PURE__ */ $constructor("ZodDate", (inst, def) => {
   ZodType.init(inst, def);
   inst.min = (value, params) => inst.check(_gte(value, params));
   inst.max = (value, params) => inst.check(_lte(value, params));
-  const c11 = inst._zod.bag;
-  inst.minDate = c11.minimum ? new Date(c11.minimum) : null;
-  inst.maxDate = c11.maximum ? new Date(c11.maximum) : null;
+  const c16 = inst._zod.bag;
+  inst.minDate = c16.minimum ? new Date(c16.minimum) : null;
+  inst.maxDate = c16.maximum ? new Date(c16.maximum) : null;
 });
 function date3(params) {
   return _date(ZodDate, params);
@@ -12267,8 +12267,123 @@ var apiErrorSchema = external_exports.object({
   })
 });
 
-// ../../packages/core/src/contracts/composes.ts
+// ../../packages/core/src/contracts/runners.ts
 var c = initContract();
+var firewallRuleSchema = external_exports.object({
+  domain: external_exports.string().optional(),
+  ip: external_exports.string().optional(),
+  /** Terminal rule - value is the action (ALLOW or DENY) */
+  final: external_exports.enum(["ALLOW", "DENY"]).optional(),
+  /** Action for domain/ip rules */
+  action: external_exports.enum(["ALLOW", "DENY"]).optional()
+});
+var experimentalFirewallSchema = external_exports.object({
+  enabled: external_exports.boolean(),
+  rules: external_exports.array(firewallRuleSchema).optional(),
+  experimental_mitm: external_exports.boolean().optional(),
+  experimental_seal_secrets: external_exports.boolean().optional()
+});
+var runnerGroupSchema = external_exports.string().regex(
+  /^[a-z0-9-]+\/[a-z0-9-]+$/,
+  "Runner group must be in scope/name format (e.g., acme/production)"
+);
+var jobSchema = external_exports.object({
+  runId: external_exports.string().uuid(),
+  prompt: external_exports.string(),
+  agentComposeVersionId: external_exports.string(),
+  vars: external_exports.record(external_exports.string(), external_exports.string()).nullable(),
+  secretNames: external_exports.array(external_exports.string()).nullable(),
+  checkpointId: external_exports.string().uuid().nullable()
+});
+var runnersPollContract = c.router({
+  poll: {
+    method: "POST",
+    path: "/api/runners/poll",
+    body: external_exports.object({
+      group: runnerGroupSchema
+    }),
+    responses: {
+      200: external_exports.object({
+        job: jobSchema.nullable()
+      }),
+      400: apiErrorSchema,
+      401: apiErrorSchema,
+      500: apiErrorSchema
+    },
+    summary: "Poll for pending jobs (long-polling with 30s timeout)"
+  }
+});
+var storageEntrySchema = external_exports.object({
+  mountPath: external_exports.string(),
+  archiveUrl: external_exports.string().nullable()
+});
+var artifactEntrySchema = external_exports.object({
+  mountPath: external_exports.string(),
+  archiveUrl: external_exports.string().nullable(),
+  vasStorageName: external_exports.string(),
+  vasVersionId: external_exports.string()
+});
+var storageManifestSchema = external_exports.object({
+  storages: external_exports.array(storageEntrySchema),
+  artifact: artifactEntrySchema.nullable()
+});
+var resumeSessionSchema = external_exports.object({
+  sessionId: external_exports.string(),
+  sessionHistory: external_exports.string()
+});
+var storedExecutionContextSchema = external_exports.object({
+  workingDir: external_exports.string(),
+  storageManifest: storageManifestSchema.nullable(),
+  environment: external_exports.record(external_exports.string(), external_exports.string()).nullable(),
+  resumeSession: resumeSessionSchema.nullable(),
+  encryptedSecrets: external_exports.string().nullable(),
+  // AES-256-GCM encrypted secrets
+  cliAgentType: external_exports.string(),
+  experimentalFirewall: experimentalFirewallSchema.optional()
+});
+var executionContextSchema = external_exports.object({
+  runId: external_exports.string().uuid(),
+  prompt: external_exports.string(),
+  agentComposeVersionId: external_exports.string(),
+  vars: external_exports.record(external_exports.string(), external_exports.string()).nullable(),
+  secretNames: external_exports.array(external_exports.string()).nullable(),
+  checkpointId: external_exports.string().uuid().nullable(),
+  sandboxToken: external_exports.string(),
+  // New fields for E2B parity:
+  workingDir: external_exports.string(),
+  storageManifest: storageManifestSchema.nullable(),
+  environment: external_exports.record(external_exports.string(), external_exports.string()).nullable(),
+  resumeSession: resumeSessionSchema.nullable(),
+  secretValues: external_exports.array(external_exports.string()).nullable(),
+  cliAgentType: external_exports.string(),
+  // Experimental firewall configuration
+  experimentalFirewall: experimentalFirewallSchema.optional()
+});
+var runnersJobClaimContract = c.router({
+  claim: {
+    method: "POST",
+    path: "/api/runners/jobs/:id/claim",
+    pathParams: external_exports.object({
+      id: external_exports.string().uuid()
+    }),
+    body: external_exports.object({}),
+    responses: {
+      200: executionContextSchema,
+      400: apiErrorSchema,
+      401: apiErrorSchema,
+      403: apiErrorSchema,
+      // Job does not belong to user
+      404: apiErrorSchema,
+      409: apiErrorSchema,
+      // Already claimed
+      500: apiErrorSchema
+    },
+    summary: "Claim a pending job for execution"
+  }
+});
+
+// ../../packages/core/src/contracts/composes.ts
+var c2 = initContract();
 var composeVersionQuerySchema = external_exports.preprocess(
   (val) => val === void 0 || val === null ? void 0 : String(val),
   external_exports.string().min(1, "Missing version query parameter").regex(
@@ -12341,7 +12456,13 @@ var agentDefinitionSchema = external_exports.object({
       /^[a-z0-9-]+\/[a-z0-9-]+$/,
       "Runner group must be in scope/name format (e.g., acme/production)"
     )
-  }).optional()
+  }).optional(),
+  /**
+   * Experimental firewall configuration for network egress control.
+   * Requires experimental_runner to be configured.
+   * When enabled, filters outbound traffic by domain/IP rules.
+   */
+  experimental_firewall: experimentalFirewallSchema.optional()
 });
 var agentComposeContentSchema = external_exports.object({
   version: external_exports.string().min(1, "Version is required"),
@@ -12363,7 +12484,7 @@ var createComposeResponseSchema = external_exports.object({
   action: external_exports.enum(["created", "existing"]),
   updatedAt: external_exports.string()
 });
-var composesMainContract = c.router({
+var composesMainContract = c2.router({
   /**
    * GET /api/agent/composes?name={name}&scope={scope}
    * Get agent compose by name with HEAD version content
@@ -12405,7 +12526,7 @@ var composesMainContract = c.router({
     summary: "Create or update agent compose version"
   }
 });
-var composesByIdContract = c.router({
+var composesByIdContract = c2.router({
   /**
    * GET /api/agent/composes/:id
    * Get agent compose by ID with HEAD version content
@@ -12424,7 +12545,7 @@ var composesByIdContract = c.router({
     summary: "Get agent compose by ID"
   }
 });
-var composesVersionsContract = c.router({
+var composesVersionsContract = c2.router({
   /**
    * GET /api/agent/composes/versions?composeId={id}&version={hash|tag}
    * Resolve a version specifier to a full version ID
@@ -12448,9 +12569,36 @@ var composesVersionsContract = c.router({
     summary: "Resolve version specifier to full version ID"
   }
 });
+var composeListItemSchema = external_exports.object({
+  name: external_exports.string(),
+  headVersionId: external_exports.string().nullable(),
+  updatedAt: external_exports.string()
+});
+var composesListContract = c2.router({
+  /**
+   * GET /api/agent/composes/list?scope={scope}
+   * List all agent composes for a scope
+   * If scope is not provided, uses the authenticated user's default scope
+   */
+  list: {
+    method: "GET",
+    path: "/api/agent/composes/list",
+    query: external_exports.object({
+      scope: external_exports.string().optional()
+    }),
+    responses: {
+      200: external_exports.object({
+        composes: external_exports.array(composeListItemSchema)
+      }),
+      400: apiErrorSchema,
+      401: apiErrorSchema
+    },
+    summary: "List all agent composes for a scope"
+  }
+});
 
 // ../../packages/core/src/contracts/runs.ts
-var c2 = initContract();
+var c3 = initContract();
 var runStatusSchema = external_exports.enum([
   "pending",
   "running",
@@ -12525,7 +12673,7 @@ var eventsResponseSchema = external_exports.object({
   run: runStateSchema,
   provider: external_exports.string()
 });
-var runsMainContract = c2.router({
+var runsMainContract = c3.router({
   /**
    * POST /api/agent/runs
    * Create and execute a new agent run
@@ -12543,7 +12691,7 @@ var runsMainContract = c2.router({
     summary: "Create and execute agent run"
   }
 });
-var runsByIdContract = c2.router({
+var runsByIdContract = c3.router({
   /**
    * GET /api/agent/runs/:id
    * Get agent run status and results
@@ -12563,7 +12711,7 @@ var runsByIdContract = c2.router({
     summary: "Get agent run by ID"
   }
 });
-var runEventsContract = c2.router({
+var runEventsContract = c3.router({
   /**
    * GET /api/agent/runs/:id/events
    * Poll for agent run events with pagination
@@ -12624,7 +12772,7 @@ var telemetryResponseSchema = external_exports.object({
   systemLog: external_exports.string(),
   metrics: external_exports.array(telemetryMetricSchema)
 });
-var runTelemetryContract = c2.router({
+var runTelemetryContract = c3.router({
   /**
    * GET /api/agent/runs/:id/telemetry
    * Get aggregated telemetry data for a run (legacy combined format)
@@ -12643,7 +12791,7 @@ var runTelemetryContract = c2.router({
     summary: "Get run telemetry data"
   }
 });
-var runSystemLogContract = c2.router({
+var runSystemLogContract = c3.router({
   /**
    * GET /api/agent/runs/:id/telemetry/system-log
    * Get system log with pagination
@@ -12667,7 +12815,7 @@ var runSystemLogContract = c2.router({
     summary: "Get system log with pagination"
   }
 });
-var runMetricsContract = c2.router({
+var runMetricsContract = c3.router({
   /**
    * GET /api/agent/runs/:id/telemetry/metrics
    * Get metrics with pagination
@@ -12691,7 +12839,7 @@ var runMetricsContract = c2.router({
     summary: "Get metrics with pagination"
   }
 });
-var runAgentEventsContract = c2.router({
+var runAgentEventsContract = c3.router({
   /**
    * GET /api/agent/runs/:id/telemetry/agent
    * Get agent events with pagination (for vm0 logs default)
@@ -12715,7 +12863,7 @@ var runAgentEventsContract = c2.router({
     summary: "Get agent events with pagination"
   }
 });
-var runNetworkLogsContract = c2.router({
+var runNetworkLogsContract = c3.router({
   /**
    * GET /api/agent/runs/:id/telemetry/network
    * Get network logs with pagination (for vm0 logs --network)
@@ -12741,7 +12889,7 @@ var runNetworkLogsContract = c2.router({
 });
 
 // ../../packages/core/src/contracts/storages.ts
-var c3 = initContract();
+var c4 = initContract();
 var storageTypeSchema = external_exports.enum(["volume", "artifact"]);
 var versionQuerySchema = external_exports.preprocess(
   (val) => val === void 0 || val === null ? void 0 : String(val),
@@ -12755,7 +12903,7 @@ var uploadStorageResponseSchema = external_exports.object({
   type: storageTypeSchema,
   deduplicated: external_exports.boolean()
 });
-var storagesContract = c3.router({
+var storagesContract = c4.router({
   /**
    * POST /api/storages
    * Upload a storage (tar.gz file)
@@ -12771,7 +12919,7 @@ var storagesContract = c3.router({
     method: "POST",
     path: "/api/storages",
     contentType: "multipart/form-data",
-    body: c3.type(),
+    body: c4.type(),
     responses: {
       200: uploadStorageResponseSchema,
       400: apiErrorSchema,
@@ -12799,9 +12947,9 @@ var storagesContract = c3.router({
     }),
     responses: {
       // Binary response - actual handling done at route level
-      200: c3.otherResponse({
+      200: c4.otherResponse({
         contentType: "application/gzip",
-        body: c3.type()
+        body: c4.type()
       }),
       400: apiErrorSchema,
       401: apiErrorSchema,
@@ -12825,7 +12973,7 @@ var presignedUploadSchema = external_exports.object({
   key: external_exports.string(),
   presignedUrl: external_exports.string().url()
 });
-var storagesPrepareContract = c3.router({
+var storagesPrepareContract = c4.router({
   prepare: {
     method: "POST",
     path: "/api/storages/prepare",
@@ -12857,7 +13005,7 @@ var storagesPrepareContract = c3.router({
     summary: "Prepare for direct S3 upload"
   }
 });
-var storagesCommitContract = c3.router({
+var storagesCommitContract = c4.router({
   commit: {
     method: "POST",
     path: "/api/storages/commit",
@@ -12888,7 +13036,7 @@ var storagesCommitContract = c3.router({
     summary: "Commit uploaded storage"
   }
 });
-var storagesDownloadContract = c3.router({
+var storagesDownloadContract = c4.router({
   download: {
     method: "GET",
     path: "/api/storages/download",
@@ -12922,7 +13070,7 @@ var storagesDownloadContract = c3.router({
     summary: "Get presigned download URL"
   }
 });
-var storagesListContract = c3.router({
+var storagesListContract = c4.router({
   list: {
     method: "GET",
     path: "/api/storages/list",
@@ -12946,7 +13094,7 @@ var storagesListContract = c3.router({
 });
 
 // ../../packages/core/src/contracts/webhooks.ts
-var c4 = initContract();
+var c5 = initContract();
 var agentEventSchema = external_exports.object({
   type: external_exports.string(),
   sequenceNumber: external_exports.number().int().positive()
@@ -12958,7 +13106,7 @@ var artifactSnapshotSchema = external_exports.object({
 var volumeVersionsSnapshotSchema = external_exports.object({
   versions: external_exports.record(external_exports.string(), external_exports.string())
 });
-var webhookEventsContract = c4.router({
+var webhookEventsContract = c5.router({
   /**
    * POST /api/webhooks/agent/events
    * Receive agent events from E2B sandbox
@@ -12984,7 +13132,7 @@ var webhookEventsContract = c4.router({
     summary: "Receive agent events from sandbox"
   }
 });
-var webhookCompleteContract = c4.router({
+var webhookCompleteContract = c5.router({
   /**
    * POST /api/webhooks/agent/complete
    * Handle agent run completion (success or failure)
@@ -13010,7 +13158,7 @@ var webhookCompleteContract = c4.router({
     summary: "Handle agent run completion"
   }
 });
-var webhookCheckpointsContract = c4.router({
+var webhookCheckpointsContract = c5.router({
   /**
    * POST /api/webhooks/agent/checkpoints
    * Create checkpoint for completed agent run
@@ -13042,7 +13190,7 @@ var webhookCheckpointsContract = c4.router({
     summary: "Create checkpoint for agent run"
   }
 });
-var webhookHeartbeatContract = c4.router({
+var webhookHeartbeatContract = c5.router({
   /**
    * POST /api/webhooks/agent/heartbeat
    * Receive heartbeat signals from E2B sandbox
@@ -13065,7 +13213,7 @@ var webhookHeartbeatContract = c4.router({
     summary: "Receive heartbeat from sandbox"
   }
 });
-var webhookStoragesContract = c4.router({
+var webhookStoragesContract = c5.router({
   /**
    * POST /api/webhooks/agent/storages
    * Create a new version of a storage from sandbox
@@ -13080,7 +13228,7 @@ var webhookStoragesContract = c4.router({
     method: "POST",
     path: "/api/webhooks/agent/storages",
     contentType: "multipart/form-data",
-    body: c4.type(),
+    body: c5.type(),
     responses: {
       200: external_exports.object({
         versionId: external_exports.string(),
@@ -13096,7 +13244,7 @@ var webhookStoragesContract = c4.router({
     summary: "Upload storage version from sandbox"
   }
 });
-var webhookStoragesIncrementalContract = c4.router({
+var webhookStoragesIncrementalContract = c5.router({
   /**
    * POST /api/webhooks/agent/storages/incremental
    * Create a new version using incremental upload
@@ -13113,7 +13261,7 @@ var webhookStoragesIncrementalContract = c4.router({
     method: "POST",
     path: "/api/webhooks/agent/storages/incremental",
     contentType: "multipart/form-data",
-    body: c4.type(),
+    body: c5.type(),
     responses: {
       200: external_exports.object({
         versionId: external_exports.string(),
@@ -13153,7 +13301,7 @@ var networkLogSchema = external_exports.object({
   request_size: external_exports.number(),
   response_size: external_exports.number()
 });
-var webhookTelemetryContract = c4.router({
+var webhookTelemetryContract = c5.router({
   /**
    * POST /api/webhooks/agent/telemetry
    * Receive telemetry data (system log, metrics, and network logs) from sandbox
@@ -13180,7 +13328,7 @@ var webhookTelemetryContract = c4.router({
     summary: "Receive telemetry data from sandbox"
   }
 });
-var webhookStoragesPrepareContract = c4.router({
+var webhookStoragesPrepareContract = c5.router({
   prepare: {
     method: "POST",
     path: "/api/webhooks/agent/storages/prepare",
@@ -13211,7 +13359,7 @@ var webhookStoragesPrepareContract = c4.router({
     summary: "Prepare for direct S3 upload from sandbox"
   }
 });
-var webhookStoragesCommitContract = c4.router({
+var webhookStoragesCommitContract = c5.router({
   commit: {
     method: "POST",
     path: "/api/webhooks/agent/storages/commit",
@@ -13245,12 +13393,12 @@ var webhookStoragesCommitContract = c4.router({
 });
 
 // ../../packages/core/src/contracts/cli-auth.ts
-var c5 = initContract();
+var c6 = initContract();
 var oauthErrorSchema = external_exports.object({
   error: external_exports.string(),
   error_description: external_exports.string()
 });
-var cliAuthDeviceContract = c5.router({
+var cliAuthDeviceContract = c6.router({
   /**
    * POST /api/cli/auth/device
    * Initiate device authorization flow
@@ -13272,7 +13420,7 @@ var cliAuthDeviceContract = c5.router({
     summary: "Initiate device authorization flow"
   }
 });
-var cliAuthTokenContract = c5.router({
+var cliAuthTokenContract = c6.router({
   /**
    * POST /api/cli/auth/token
    * Exchange device code for access token
@@ -13302,8 +13450,8 @@ var cliAuthTokenContract = c5.router({
 });
 
 // ../../packages/core/src/contracts/auth.ts
-var c6 = initContract();
-var authContract = c6.router({
+var c7 = initContract();
+var authContract = c7.router({
   /**
    * GET /api/auth/me
    * Get current user information
@@ -13325,7 +13473,7 @@ var authContract = c6.router({
 });
 
 // ../../packages/core/src/contracts/cron.ts
-var c7 = initContract();
+var c8 = initContract();
 var cleanupResultSchema = external_exports.object({
   runId: external_exports.string(),
   sandboxId: external_exports.string().nullable(),
@@ -13337,7 +13485,7 @@ var cleanupResponseSchema = external_exports.object({
   errors: external_exports.number(),
   results: external_exports.array(cleanupResultSchema)
 });
-var cronCleanupSandboxesContract = c7.router({
+var cronCleanupSandboxesContract = c8.router({
   /**
    * GET /api/cron/cleanup-sandboxes
    * Cron job to cleanup sandboxes that have stopped sending heartbeats
@@ -13369,7 +13517,7 @@ var proxyErrorSchema = external_exports.object({
 });
 
 // ../../packages/core/src/contracts/scopes.ts
-var c8 = initContract();
+var c9 = initContract();
 var scopeTypeSchema = external_exports.enum(["personal", "organization", "system"]);
 var scopeSlugSchema = external_exports.string().min(3, "Scope slug must be at least 3 characters").max(64, "Scope slug must be at most 64 characters").regex(
   /^[a-z0-9][a-z0-9-]*[a-z0-9]$|^[a-z0-9]{1,2}$/,
@@ -13394,7 +13542,7 @@ var updateScopeRequestSchema = external_exports.object({
   slug: scopeSlugSchema,
   force: external_exports.boolean().optional().default(false)
 });
-var scopeContract = c8.router({
+var scopeContract = c9.router({
   /**
    * GET /api/scope
    * Get current user's scope
@@ -13449,7 +13597,7 @@ var scopeContract = c8.router({
 });
 
 // ../../packages/core/src/contracts/sessions.ts
-var c9 = initContract();
+var c10 = initContract();
 var sessionResponseSchema = external_exports.object({
   id: external_exports.string(),
   agentComposeId: external_exports.string(),
@@ -13483,7 +13631,7 @@ var checkpointResponseSchema = external_exports.object({
   volumeVersionsSnapshot: volumeVersionsSnapshotSchema2.nullable(),
   createdAt: external_exports.string()
 });
-var sessionsByIdContract = c9.router({
+var sessionsByIdContract = c10.router({
   /**
    * GET /api/agent/sessions/:id
    * Get session by ID
@@ -13503,7 +13651,7 @@ var sessionsByIdContract = c9.router({
     summary: "Get session by ID"
   }
 });
-var checkpointsByIdContract = c9.router({
+var checkpointsByIdContract = c10.router({
   /**
    * GET /api/agent/checkpoints/:id
    * Get checkpoint by ID
@@ -13524,104 +13672,913 @@ var checkpointsByIdContract = c9.router({
   }
 });
 
-// ../../packages/core/src/contracts/runners.ts
-var c10 = initContract();
-var runnerGroupSchema = external_exports.string().regex(
-  /^[a-z0-9-]+\/[a-z0-9-]+$/,
-  "Runner group must be in scope/name format (e.g., acme/production)"
-);
-var jobSchema = external_exports.object({
-  runId: external_exports.string().uuid(),
-  prompt: external_exports.string(),
-  agentComposeVersionId: external_exports.string(),
-  vars: external_exports.record(external_exports.string(), external_exports.string()).nullable(),
-  secretNames: external_exports.array(external_exports.string()).nullable(),
-  checkpointId: external_exports.string().uuid().nullable()
+// ../../packages/core/src/contracts/public/common.ts
+var publicApiErrorTypeSchema = external_exports.enum([
+  "api_error",
+  // Internal server error (5xx)
+  "invalid_request_error",
+  // Bad parameters (400)
+  "authentication_error",
+  // Auth failure (401)
+  "not_found_error",
+  // Resource missing (404)
+  "conflict_error"
+  // Resource conflict (409)
+]);
+var publicApiErrorSchema = external_exports.object({
+  error: external_exports.object({
+    type: publicApiErrorTypeSchema,
+    code: external_exports.string(),
+    message: external_exports.string(),
+    param: external_exports.string().optional(),
+    doc_url: external_exports.string().url().optional()
+  })
 });
-var runnersPollContract = c10.router({
-  poll: {
+var paginationSchema = external_exports.object({
+  has_more: external_exports.boolean(),
+  next_cursor: external_exports.string().nullable()
+});
+function createPaginatedResponseSchema(dataSchema) {
+  return external_exports.object({
+    data: external_exports.array(dataSchema),
+    pagination: paginationSchema
+  });
+}
+var listQuerySchema = external_exports.object({
+  cursor: external_exports.string().optional(),
+  limit: external_exports.coerce.number().min(1).max(100).default(20)
+});
+var requestIdSchema = external_exports.string().uuid();
+var timestampSchema = external_exports.string().datetime();
+
+// ../../packages/core/src/contracts/public/agents.ts
+var c11 = initContract();
+var publicAgentSchema = external_exports.object({
+  id: external_exports.string(),
+  name: external_exports.string(),
+  current_version_id: external_exports.string().nullable(),
+  created_at: timestampSchema,
+  updated_at: timestampSchema
+});
+var agentVersionSchema = external_exports.object({
+  id: external_exports.string(),
+  agent_id: external_exports.string(),
+  version_number: external_exports.number(),
+  config: external_exports.unknown(),
+  // Agent YAML configuration
+  created_at: timestampSchema
+});
+var publicAgentDetailSchema = publicAgentSchema.extend({
+  config: external_exports.unknown().optional()
+});
+var paginatedAgentsSchema = createPaginatedResponseSchema(publicAgentSchema);
+var paginatedAgentVersionsSchema = createPaginatedResponseSchema(agentVersionSchema);
+var createAgentRequestSchema = external_exports.object({
+  name: external_exports.string().min(1).max(100).regex(
+    /^[a-z0-9][a-z0-9-]*[a-z0-9]$|^[a-z0-9]$/,
+    "Name must be lowercase alphanumeric with hyphens, not starting or ending with hyphen"
+  ),
+  config: external_exports.unknown()
+  // Agent YAML configuration
+});
+var updateAgentRequestSchema = external_exports.object({
+  config: external_exports.unknown()
+  // New agent configuration (creates new version)
+});
+var agentListQuerySchema = listQuerySchema.extend({
+  name: external_exports.string().optional()
+});
+var publicAgentsListContract = c11.router({
+  list: {
+    method: "GET",
+    path: "/v1/agents",
+    query: agentListQuerySchema,
+    responses: {
+      200: paginatedAgentsSchema,
+      401: publicApiErrorSchema,
+      500: publicApiErrorSchema
+    },
+    summary: "List agents",
+    description: "List all agents in the current scope with pagination. Use the `name` query parameter to filter by agent name."
+  },
+  create: {
     method: "POST",
-    path: "/api/runners/poll",
-    body: external_exports.object({
-      group: runnerGroupSchema
+    path: "/v1/agents",
+    body: createAgentRequestSchema,
+    responses: {
+      201: publicAgentDetailSchema,
+      400: publicApiErrorSchema,
+      401: publicApiErrorSchema,
+      409: publicApiErrorSchema,
+      500: publicApiErrorSchema
+    },
+    summary: "Create agent",
+    description: "Create a new agent with the given configuration"
+  }
+});
+var publicAgentByIdContract = c11.router({
+  get: {
+    method: "GET",
+    path: "/v1/agents/:id",
+    pathParams: external_exports.object({
+      id: external_exports.string().min(1, "Agent ID is required")
     }),
     responses: {
-      200: external_exports.object({
-        job: jobSchema.nullable()
-      }),
-      400: apiErrorSchema,
-      401: apiErrorSchema,
-      500: apiErrorSchema
+      200: publicAgentDetailSchema,
+      401: publicApiErrorSchema,
+      404: publicApiErrorSchema,
+      500: publicApiErrorSchema
     },
-    summary: "Poll for pending jobs (long-polling with 30s timeout)"
+    summary: "Get agent",
+    description: "Get agent details by ID"
+  },
+  update: {
+    method: "PUT",
+    path: "/v1/agents/:id",
+    pathParams: external_exports.object({
+      id: external_exports.string().min(1, "Agent ID is required")
+    }),
+    body: updateAgentRequestSchema,
+    responses: {
+      200: publicAgentDetailSchema,
+      400: publicApiErrorSchema,
+      401: publicApiErrorSchema,
+      404: publicApiErrorSchema,
+      500: publicApiErrorSchema
+    },
+    summary: "Update agent",
+    description: "Update agent configuration. Creates a new version if config changes."
+  },
+  delete: {
+    method: "DELETE",
+    path: "/v1/agents/:id",
+    pathParams: external_exports.object({
+      id: external_exports.string().min(1, "Agent ID is required")
+    }),
+    body: external_exports.undefined(),
+    responses: {
+      204: external_exports.undefined(),
+      401: publicApiErrorSchema,
+      404: publicApiErrorSchema,
+      500: publicApiErrorSchema
+    },
+    summary: "Delete agent",
+    description: "Archive an agent (soft delete)"
   }
 });
-var storageEntrySchema = external_exports.object({
-  mountPath: external_exports.string(),
-  archiveUrl: external_exports.string().nullable()
+var publicAgentVersionsContract = c11.router({
+  list: {
+    method: "GET",
+    path: "/v1/agents/:id/versions",
+    pathParams: external_exports.object({
+      id: external_exports.string().min(1, "Agent ID is required")
+    }),
+    query: listQuerySchema,
+    responses: {
+      200: paginatedAgentVersionsSchema,
+      401: publicApiErrorSchema,
+      404: publicApiErrorSchema,
+      500: publicApiErrorSchema
+    },
+    summary: "List agent versions",
+    description: "List all versions of an agent with pagination"
+  }
 });
-var artifactEntrySchema = external_exports.object({
-  mountPath: external_exports.string(),
-  archiveUrl: external_exports.string().nullable(),
-  vasStorageName: external_exports.string(),
-  vasVersionId: external_exports.string()
+
+// ../../packages/core/src/contracts/public/runs.ts
+var c12 = initContract();
+var publicRunStatusSchema = external_exports.enum([
+  "pending",
+  "running",
+  "completed",
+  "failed",
+  "timeout",
+  "cancelled"
+]);
+var publicRunSchema = external_exports.object({
+  id: external_exports.string(),
+  agent_id: external_exports.string(),
+  agent_name: external_exports.string(),
+  status: publicRunStatusSchema,
+  prompt: external_exports.string(),
+  created_at: timestampSchema,
+  started_at: timestampSchema.nullable(),
+  completed_at: timestampSchema.nullable()
+});
+var publicRunDetailSchema = publicRunSchema.extend({
+  output: external_exports.string().nullable(),
+  error: external_exports.string().nullable(),
+  execution_time_ms: external_exports.number().nullable(),
+  checkpoint_id: external_exports.string().nullable(),
+  session_id: external_exports.string().nullable(),
+  artifacts: external_exports.record(external_exports.string(), external_exports.string()).optional(),
+  volumes: external_exports.record(external_exports.string(), external_exports.string()).optional()
 });
-var storageManifestSchema = external_exports.object({
-  storages: external_exports.array(storageEntrySchema),
-  artifact: artifactEntrySchema.nullable()
+var paginatedRunsSchema = createPaginatedResponseSchema(publicRunSchema);
+var createRunRequestSchema = external_exports.object({
+  // Agent identification (one of: agent, agent_id, session_id, checkpoint_id)
+  agent: external_exports.string().optional(),
+  // Agent name
+  agent_id: external_exports.string().optional(),
+  // Agent ID
+  agent_version: external_exports.string().optional(),
+  // Version specifier (e.g., "latest", "v1", specific ID)
+  // Continue session
+  session_id: external_exports.string().optional(),
+  // Resume from checkpoint
+  checkpoint_id: external_exports.string().optional(),
+  // Required
+  prompt: external_exports.string().min(1, "Prompt is required"),
+  // Optional configuration
+  variables: external_exports.record(external_exports.string(), external_exports.string()).optional(),
+  secrets: external_exports.record(external_exports.string(), external_exports.string()).optional(),
+  artifacts: external_exports.record(external_exports.string(), external_exports.string()).optional(),
+  // artifact_name -> version
+  volumes: external_exports.record(external_exports.string(), external_exports.string()).optional()
+  // volume_name -> version
 });
-var resumeSessionSchema = external_exports.object({
-  sessionId: external_exports.string(),
-  sessionHistory: external_exports.string()
+var runListQuerySchema = listQuerySchema.extend({
+  agent_id: external_exports.string().optional(),
+  status: publicRunStatusSchema.optional(),
+  since: timestampSchema.optional()
 });
-var storedExecutionContextSchema = external_exports.object({
-  workingDir: external_exports.string(),
-  storageManifest: storageManifestSchema.nullable(),
-  environment: external_exports.record(external_exports.string(), external_exports.string()).nullable(),
-  resumeSession: resumeSessionSchema.nullable(),
-  encryptedSecrets: external_exports.string().nullable(),
-  // AES-256-GCM encrypted secrets
-  cliAgentType: external_exports.string(),
-  experimentalNetworkSecurity: external_exports.boolean().optional()
+var publicRunsListContract = c12.router({
+  list: {
+    method: "GET",
+    path: "/v1/runs",
+    query: runListQuerySchema,
+    responses: {
+      200: paginatedRunsSchema,
+      401: publicApiErrorSchema,
+      500: publicApiErrorSchema
+    },
+    summary: "List runs",
+    description: "List runs with optional filtering by agent, status, and time"
+  },
+  create: {
+    method: "POST",
+    path: "/v1/runs",
+    body: createRunRequestSchema,
+    responses: {
+      202: publicRunDetailSchema,
+      // Async operation
+      400: publicApiErrorSchema,
+      401: publicApiErrorSchema,
+      404: publicApiErrorSchema,
+      500: publicApiErrorSchema
+    },
+    summary: "Create run",
+    description: "Create and execute a new agent run. Returns 202 Accepted as runs execute asynchronously."
+  }
 });
-var executionContextSchema = external_exports.object({
-  runId: external_exports.string().uuid(),
-  prompt: external_exports.string(),
-  agentComposeVersionId: external_exports.string(),
-  vars: external_exports.record(external_exports.string(), external_exports.string()).nullable(),
-  secretNames: external_exports.array(external_exports.string()).nullable(),
-  checkpointId: external_exports.string().uuid().nullable(),
-  sandboxToken: external_exports.string(),
-  // New fields for E2B parity:
-  workingDir: external_exports.string(),
-  storageManifest: storageManifestSchema.nullable(),
-  environment: external_exports.record(external_exports.string(), external_exports.string()).nullable(),
-  resumeSession: resumeSessionSchema.nullable(),
-  secretValues: external_exports.array(external_exports.string()).nullable(),
-  cliAgentType: external_exports.string(),
-  // Network security mode flag
-  experimentalNetworkSecurity: external_exports.boolean().optional()
+var publicRunByIdContract = c12.router({
+  get: {
+    method: "GET",
+    path: "/v1/runs/:id",
+    pathParams: external_exports.object({
+      id: external_exports.string().min(1, "Run ID is required")
+    }),
+    responses: {
+      200: publicRunDetailSchema,
+      401: publicApiErrorSchema,
+      404: publicApiErrorSchema,
+      500: publicApiErrorSchema
+    },
+    summary: "Get run",
+    description: "Get run details by ID"
+  }
 });
-var runnersJobClaimContract = c10.router({
-  claim: {
+var publicRunCancelContract = c12.router({
+  cancel: {
     method: "POST",
-    path: "/api/runners/jobs/:id/claim",
+    path: "/v1/runs/:id/cancel",
     pathParams: external_exports.object({
-      id: external_exports.string().uuid()
+      id: external_exports.string().min(1, "Run ID is required")
     }),
-    body: external_exports.object({}),
+    body: external_exports.undefined(),
     responses: {
-      200: executionContextSchema,
-      400: apiErrorSchema,
-      401: apiErrorSchema,
-      403: apiErrorSchema,
-      // Job does not belong to user
-      404: apiErrorSchema,
-      409: apiErrorSchema,
-      // Already claimed
-      500: apiErrorSchema
+      200: publicRunDetailSchema,
+      400: publicApiErrorSchema,
+      // Run not in cancellable state
+      401: publicApiErrorSchema,
+      404: publicApiErrorSchema,
+      500: publicApiErrorSchema
     },
-    summary: "Claim a pending job for execution"
+    summary: "Cancel run",
+    description: "Cancel a pending or running execution"
+  }
+});
+var logEntrySchema = external_exports.object({
+  timestamp: timestampSchema,
+  type: external_exports.enum(["agent", "system", "network"]),
+  level: external_exports.enum(["debug", "info", "warn", "error"]),
+  message: external_exports.string(),
+  metadata: external_exports.record(external_exports.string(), external_exports.unknown()).optional()
+});
+var paginatedLogsSchema = createPaginatedResponseSchema(logEntrySchema);
+var logsQuerySchema = listQuerySchema.extend({
+  type: external_exports.enum(["agent", "system", "network", "all"]).default("all"),
+  since: timestampSchema.optional(),
+  until: timestampSchema.optional(),
+  order: external_exports.enum(["asc", "desc"]).default("asc")
+});
+var publicRunLogsContract = c12.router({
+  getLogs: {
+    method: "GET",
+    path: "/v1/runs/:id/logs",
+    pathParams: external_exports.object({
+      id: external_exports.string().min(1, "Run ID is required")
+    }),
+    query: logsQuerySchema,
+    responses: {
+      200: paginatedLogsSchema,
+      401: publicApiErrorSchema,
+      404: publicApiErrorSchema,
+      500: publicApiErrorSchema
+    },
+    summary: "Get run logs",
+    description: "Get unified logs for a run. Combines agent, system, and network logs."
+  }
+});
+var metricPointSchema = external_exports.object({
+  timestamp: timestampSchema,
+  cpu_percent: external_exports.number(),
+  memory_used_mb: external_exports.number(),
+  memory_total_mb: external_exports.number(),
+  disk_used_mb: external_exports.number(),
+  disk_total_mb: external_exports.number()
+});
+var metricsSummarySchema = external_exports.object({
+  avg_cpu_percent: external_exports.number(),
+  max_memory_used_mb: external_exports.number(),
+  total_duration_ms: external_exports.number().nullable()
+});
+var metricsResponseSchema2 = external_exports.object({
+  data: external_exports.array(metricPointSchema),
+  summary: metricsSummarySchema
+});
+var publicRunMetricsContract = c12.router({
+  getMetrics: {
+    method: "GET",
+    path: "/v1/runs/:id/metrics",
+    pathParams: external_exports.object({
+      id: external_exports.string().min(1, "Run ID is required")
+    }),
+    responses: {
+      200: metricsResponseSchema2,
+      401: publicApiErrorSchema,
+      404: publicApiErrorSchema,
+      500: publicApiErrorSchema
+    },
+    summary: "Get run metrics",
+    description: "Get CPU, memory, and disk metrics for a run"
+  }
+});
+var sseEventTypeSchema = external_exports.enum([
+  "status",
+  // Run status change
+  "output",
+  // Agent output
+  "error",
+  // Error occurred
+  "complete",
+  // Run completed
+  "heartbeat"
+  // Keep-alive
+]);
+var sseEventSchema = external_exports.object({
+  event: sseEventTypeSchema,
+  data: external_exports.unknown(),
+  id: external_exports.string().optional()
+  // For Last-Event-ID reconnection
+});
+var publicRunEventsContract = c12.router({
+  streamEvents: {
+    method: "GET",
+    path: "/v1/runs/:id/events",
+    pathParams: external_exports.object({
+      id: external_exports.string().min(1, "Run ID is required")
+    }),
+    query: external_exports.object({
+      last_event_id: external_exports.string().optional()
+      // For reconnection
+    }),
+    responses: {
+      200: external_exports.any(),
+      // SSE stream - actual content is text/event-stream
+      401: publicApiErrorSchema,
+      404: publicApiErrorSchema,
+      500: publicApiErrorSchema
+    },
+    summary: "Stream run events",
+    description: "Stream real-time events for a run using Server-Sent Events (SSE). Set Accept: text/event-stream header."
+  }
+});
+
+// ../../packages/core/src/contracts/public/artifacts.ts
+var c13 = initContract();
+var publicArtifactSchema = external_exports.object({
+  id: external_exports.string(),
+  name: external_exports.string(),
+  current_version_id: external_exports.string().nullable(),
+  size: external_exports.number(),
+  // Total size in bytes
+  file_count: external_exports.number(),
+  created_at: timestampSchema,
+  updated_at: timestampSchema
+});
+var artifactVersionSchema = external_exports.object({
+  id: external_exports.string(),
+  // SHA-256 content hash
+  artifact_id: external_exports.string(),
+  size: external_exports.number(),
+  // Size in bytes
+  file_count: external_exports.number(),
+  message: external_exports.string().nullable(),
+  // Optional commit message
+  created_by: external_exports.string(),
+  created_at: timestampSchema
+});
+var publicArtifactDetailSchema = publicArtifactSchema.extend({
+  current_version: artifactVersionSchema.nullable()
+});
+var paginatedArtifactsSchema = createPaginatedResponseSchema(publicArtifactSchema);
+var paginatedArtifactVersionsSchema = createPaginatedResponseSchema(
+  artifactVersionSchema
+);
+var createArtifactRequestSchema = external_exports.object({
+  name: external_exports.string().min(1).max(100).regex(
+    /^[a-z0-9][a-z0-9-]*[a-z0-9]$|^[a-z0-9]$/,
+    "Name must be lowercase alphanumeric with hyphens, not starting or ending with hyphen"
+  )
+});
+var fileEntrySchema = external_exports.object({
+  path: external_exports.string(),
+  size: external_exports.number(),
+  hash: external_exports.string().optional()
+  // SHA-256 hash of file content
+});
+var prepareUploadRequestSchema = external_exports.object({
+  files: external_exports.array(fileEntrySchema),
+  message: external_exports.string().optional()
+  // Optional commit message
+});
+var presignedUploadSchema2 = external_exports.object({
+  path: external_exports.string(),
+  upload_url: external_exports.string(),
+  // Presigned S3 URL
+  upload_id: external_exports.string()
+  // For multi-part uploads
+});
+var prepareUploadResponseSchema = external_exports.object({
+  upload_session_id: external_exports.string(),
+  files: external_exports.array(presignedUploadSchema2),
+  expires_at: timestampSchema
+});
+var commitUploadRequestSchema = external_exports.object({
+  upload_session_id: external_exports.string(),
+  message: external_exports.string().optional()
+});
+var downloadResponseSchema = external_exports.object({
+  version_id: external_exports.string(),
+  files: external_exports.array(
+    external_exports.object({
+      path: external_exports.string(),
+      size: external_exports.number(),
+      download_url: external_exports.string()
+      // Presigned S3 URL
+    })
+  ),
+  expires_at: timestampSchema
+});
+var publicArtifactsListContract = c13.router({
+  list: {
+    method: "GET",
+    path: "/v1/artifacts",
+    query: listQuerySchema,
+    responses: {
+      200: paginatedArtifactsSchema,
+      401: publicApiErrorSchema,
+      500: publicApiErrorSchema
+    },
+    summary: "List artifacts",
+    description: "List all artifacts in the current scope with pagination"
+  },
+  create: {
+    method: "POST",
+    path: "/v1/artifacts",
+    body: createArtifactRequestSchema,
+    responses: {
+      201: publicArtifactDetailSchema,
+      400: publicApiErrorSchema,
+      401: publicApiErrorSchema,
+      409: publicApiErrorSchema,
+      500: publicApiErrorSchema
+    },
+    summary: "Create artifact",
+    description: "Create a new empty artifact container"
+  }
+});
+var publicArtifactByIdContract = c13.router({
+  get: {
+    method: "GET",
+    path: "/v1/artifacts/:id",
+    pathParams: external_exports.object({
+      id: external_exports.string().min(1, "Artifact ID is required")
+    }),
+    responses: {
+      200: publicArtifactDetailSchema,
+      401: publicApiErrorSchema,
+      404: publicApiErrorSchema,
+      500: publicApiErrorSchema
+    },
+    summary: "Get artifact",
+    description: "Get artifact details by ID"
+  },
+  delete: {
+    method: "DELETE",
+    path: "/v1/artifacts/:id",
+    pathParams: external_exports.object({
+      id: external_exports.string().min(1, "Artifact ID is required")
+    }),
+    body: external_exports.undefined(),
+    responses: {
+      204: external_exports.undefined(),
+      401: publicApiErrorSchema,
+      404: publicApiErrorSchema,
+      500: publicApiErrorSchema
+    },
+    summary: "Delete artifact",
+    description: "Delete an artifact and all its versions"
+  }
+});
+var publicArtifactVersionsContract = c13.router({
+  list: {
+    method: "GET",
+    path: "/v1/artifacts/:id/versions",
+    pathParams: external_exports.object({
+      id: external_exports.string().min(1, "Artifact ID is required")
+    }),
+    query: listQuerySchema,
+    responses: {
+      200: paginatedArtifactVersionsSchema,
+      401: publicApiErrorSchema,
+      404: publicApiErrorSchema,
+      500: publicApiErrorSchema
+    },
+    summary: "List artifact versions",
+    description: "List all versions of an artifact with pagination"
+  }
+});
+var publicArtifactUploadContract = c13.router({
+  prepareUpload: {
+    method: "POST",
+    path: "/v1/artifacts/:id/upload",
+    pathParams: external_exports.object({
+      id: external_exports.string().min(1, "Artifact ID is required")
+    }),
+    body: prepareUploadRequestSchema,
+    responses: {
+      200: prepareUploadResponseSchema,
+      400: publicApiErrorSchema,
+      401: publicApiErrorSchema,
+      404: publicApiErrorSchema,
+      500: publicApiErrorSchema
+    },
+    summary: "Prepare artifact upload",
+    description: "Get presigned URLs for direct S3 upload. Returns upload URLs for each file."
+  }
+});
+var publicArtifactCommitContract = c13.router({
+  commitUpload: {
+    method: "POST",
+    path: "/v1/artifacts/:id/commit",
+    pathParams: external_exports.object({
+      id: external_exports.string().min(1, "Artifact ID is required")
+    }),
+    body: commitUploadRequestSchema,
+    responses: {
+      200: artifactVersionSchema,
+      400: publicApiErrorSchema,
+      401: publicApiErrorSchema,
+      404: publicApiErrorSchema,
+      500: publicApiErrorSchema
+    },
+    summary: "Commit artifact upload",
+    description: "Finalize an upload session and create a new artifact version."
+  }
+});
+var publicArtifactDownloadContract = c13.router({
+  download: {
+    method: "GET",
+    path: "/v1/artifacts/:id/download",
+    pathParams: external_exports.object({
+      id: external_exports.string().min(1, "Artifact ID is required")
+    }),
+    query: external_exports.object({
+      version_id: external_exports.string().optional()
+      // Defaults to current version
+    }),
+    responses: {
+      200: downloadResponseSchema,
+      401: publicApiErrorSchema,
+      404: publicApiErrorSchema,
+      500: publicApiErrorSchema
+    },
+    summary: "Download artifact",
+    description: "Get presigned URLs for downloading artifact files. Defaults to current version."
+  }
+});
+
+// ../../packages/core/src/contracts/public/volumes.ts
+var c14 = initContract();
+var publicVolumeSchema = external_exports.object({
+  id: external_exports.string(),
+  name: external_exports.string(),
+  current_version_id: external_exports.string().nullable(),
+  size: external_exports.number(),
+  // Total size in bytes
+  file_count: external_exports.number(),
+  created_at: timestampSchema,
+  updated_at: timestampSchema
+});
+var volumeVersionSchema = external_exports.object({
+  id: external_exports.string(),
+  // SHA-256 content hash
+  volume_id: external_exports.string(),
+  size: external_exports.number(),
+  // Size in bytes
+  file_count: external_exports.number(),
+  message: external_exports.string().nullable(),
+  // Optional commit message
+  created_by: external_exports.string(),
+  created_at: timestampSchema
+});
+var publicVolumeDetailSchema = publicVolumeSchema.extend({
+  current_version: volumeVersionSchema.nullable()
+});
+var paginatedVolumesSchema = createPaginatedResponseSchema(publicVolumeSchema);
+var paginatedVolumeVersionsSchema = createPaginatedResponseSchema(volumeVersionSchema);
+var createVolumeRequestSchema = external_exports.object({
+  name: external_exports.string().min(1).max(100).regex(
+    /^[a-z0-9][a-z0-9-]*[a-z0-9]$|^[a-z0-9]$/,
+    "Name must be lowercase alphanumeric with hyphens, not starting or ending with hyphen"
+  )
+});
+var fileEntrySchema2 = external_exports.object({
+  path: external_exports.string(),
+  size: external_exports.number(),
+  hash: external_exports.string().optional()
+  // SHA-256 hash of file content
+});
+var prepareUploadRequestSchema2 = external_exports.object({
+  files: external_exports.array(fileEntrySchema2),
+  message: external_exports.string().optional()
+  // Optional commit message
+});
+var presignedUploadSchema3 = external_exports.object({
+  path: external_exports.string(),
+  upload_url: external_exports.string(),
+  // Presigned S3 URL
+  upload_id: external_exports.string()
+  // For multi-part uploads
+});
+var prepareUploadResponseSchema2 = external_exports.object({
+  upload_session_id: external_exports.string(),
+  files: external_exports.array(presignedUploadSchema3),
+  expires_at: timestampSchema
+});
+var commitUploadRequestSchema2 = external_exports.object({
+  upload_session_id: external_exports.string(),
+  message: external_exports.string().optional()
+});
+var downloadResponseSchema2 = external_exports.object({
+  version_id: external_exports.string(),
+  files: external_exports.array(
+    external_exports.object({
+      path: external_exports.string(),
+      size: external_exports.number(),
+      download_url: external_exports.string()
+      // Presigned S3 URL
+    })
+  ),
+  expires_at: timestampSchema
+});
+var publicVolumesListContract = c14.router({
+  list: {
+    method: "GET",
+    path: "/v1/volumes",
+    query: listQuerySchema,
+    responses: {
+      200: paginatedVolumesSchema,
+      401: publicApiErrorSchema,
+      500: publicApiErrorSchema
+    },
+    summary: "List volumes",
+    description: "List all volumes in the current scope with pagination"
+  },
+  create: {
+    method: "POST",
+    path: "/v1/volumes",
+    body: createVolumeRequestSchema,
+    responses: {
+      201: publicVolumeDetailSchema,
+      400: publicApiErrorSchema,
+      401: publicApiErrorSchema,
+      409: publicApiErrorSchema,
+      500: publicApiErrorSchema
+    },
+    summary: "Create volume",
+    description: "Create a new empty volume container"
+  }
+});
+var publicVolumeByIdContract = c14.router({
+  get: {
+    method: "GET",
+    path: "/v1/volumes/:id",
+    pathParams: external_exports.object({
+      id: external_exports.string().min(1, "Volume ID is required")
+    }),
+    responses: {
+      200: publicVolumeDetailSchema,
+      401: publicApiErrorSchema,
+      404: publicApiErrorSchema,
+      500: publicApiErrorSchema
+    },
+    summary: "Get volume",
+    description: "Get volume details by ID"
+  },
+  delete: {
+    method: "DELETE",
+    path: "/v1/volumes/:id",
+    pathParams: external_exports.object({
+      id: external_exports.string().min(1, "Volume ID is required")
+    }),
+    body: external_exports.undefined(),
+    responses: {
+      204: external_exports.undefined(),
+      401: publicApiErrorSchema,
+      404: publicApiErrorSchema,
+      500: publicApiErrorSchema
+    },
+    summary: "Delete volume",
+    description: "Delete a volume and all its versions"
+  }
+});
+var publicVolumeVersionsContract = c14.router({
+  list: {
+    method: "GET",
+    path: "/v1/volumes/:id/versions",
+    pathParams: external_exports.object({
+      id: external_exports.string().min(1, "Volume ID is required")
+    }),
+    query: listQuerySchema,
+    responses: {
+      200: paginatedVolumeVersionsSchema,
+      401: publicApiErrorSchema,
+      404: publicApiErrorSchema,
+      500: publicApiErrorSchema
+    },
+    summary: "List volume versions",
+    description: "List all versions of a volume with pagination"
+  }
+});
+var publicVolumeUploadContract = c14.router({
+  prepareUpload: {
+    method: "POST",
+    path: "/v1/volumes/:id/upload",
+    pathParams: external_exports.object({
+      id: external_exports.string().min(1, "Volume ID is required")
+    }),
+    body: prepareUploadRequestSchema2,
+    responses: {
+      200: prepareUploadResponseSchema2,
+      400: publicApiErrorSchema,
+      401: publicApiErrorSchema,
+      404: publicApiErrorSchema,
+      500: publicApiErrorSchema
+    },
+    summary: "Prepare volume upload",
+    description: "Get presigned URLs for direct S3 upload. Returns upload URLs for each file."
+  }
+});
+var publicVolumeCommitContract = c14.router({
+  commitUpload: {
+    method: "POST",
+    path: "/v1/volumes/:id/commit",
+    pathParams: external_exports.object({
+      id: external_exports.string().min(1, "Volume ID is required")
+    }),
+    body: commitUploadRequestSchema2,
+    responses: {
+      200: volumeVersionSchema,
+      400: publicApiErrorSchema,
+      401: publicApiErrorSchema,
+      404: publicApiErrorSchema,
+      500: publicApiErrorSchema
+    },
+    summary: "Commit volume upload",
+    description: "Finalize an upload session and create a new volume version."
+  }
+});
+var publicVolumeDownloadContract = c14.router({
+  download: {
+    method: "GET",
+    path: "/v1/volumes/:id/download",
+    pathParams: external_exports.object({
+      id: external_exports.string().min(1, "Volume ID is required")
+    }),
+    query: external_exports.object({
+      version_id: external_exports.string().optional()
+      // Defaults to current version
+    }),
+    responses: {
+      200: downloadResponseSchema2,
+      401: publicApiErrorSchema,
+      404: publicApiErrorSchema,
+      500: publicApiErrorSchema
+    },
+    summary: "Download volume",
+    description: "Get presigned URLs for downloading volume files. Defaults to current version."
+  }
+});
+
+// ../../packages/core/src/contracts/public/tokens.ts
+var c15 = initContract();
+var publicTokenSchema = external_exports.object({
+  id: external_exports.string(),
+  name: external_exports.string(),
+  token_prefix: external_exports.string(),
+  // First 12 chars for identification (e.g., "vm0_live_abc")
+  last_used_at: timestampSchema.nullable(),
+  expires_at: timestampSchema,
+  created_at: timestampSchema
+});
+var publicTokenDetailSchema = publicTokenSchema.extend({
+  token: external_exports.string().optional()
+  // Full token value, only returned on creation
+});
+var paginatedTokensSchema = createPaginatedResponseSchema(publicTokenSchema);
+var createTokenRequestSchema = external_exports.object({
+  name: external_exports.string().min(1, "Name is required").max(100, "Name too long"),
+  expires_in_days: external_exports.number().min(1).max(365).optional()
+  // null for no expiry (default 90 days)
+});
+var publicTokensListContract = c15.router({
+  list: {
+    method: "GET",
+    path: "/v1/tokens",
+    query: listQuerySchema,
+    responses: {
+      200: paginatedTokensSchema,
+      401: publicApiErrorSchema
+    },
+    summary: "List API tokens",
+    description: "List all API tokens for the authenticated user"
+  },
+  create: {
+    method: "POST",
+    path: "/v1/tokens",
+    body: createTokenRequestSchema,
+    responses: {
+      201: publicTokenDetailSchema,
+      // Includes full token value
+      400: publicApiErrorSchema,
+      401: publicApiErrorSchema
+    },
+    summary: "Create API token",
+    description: "Create a new API token. The token value is only returned once on creation."
+  }
+});
+var publicTokenByIdContract = c15.router({
+  get: {
+    method: "GET",
+    path: "/v1/tokens/:id",
+    pathParams: external_exports.object({
+      id: external_exports.string()
+    }),
+    responses: {
+      200: publicTokenSchema,
+      // Does NOT include token value
+      401: publicApiErrorSchema,
+      404: publicApiErrorSchema
+    },
+    summary: "Get API token",
+    description: "Get details of an API token (does not include the token value)"
+  },
+  delete: {
+    method: "DELETE",
+    path: "/v1/tokens/:id",
+    pathParams: external_exports.object({
+      id: external_exports.string()
+    }),
+    responses: {
+      204: external_exports.undefined(),
+      401: publicApiErrorSchema,
+      404: publicApiErrorSchema
+    },
+    summary: "Revoke API token",
+    description: "Permanently revoke an API token. This action cannot be undone."
   }
 });
 
@@ -14067,7 +15024,7 @@ var ApiClient = class {
   /**
    * Generic GET request
    */
-  async get(path15) {
+  async get(path16) {
     const baseUrl = await this.getBaseUrl();
     const token = await getToken();
     if (!token) {
@@ -14080,7 +15037,7 @@ var ApiClient = class {
     if (bypassSecret) {
       headers["x-vercel-protection-bypass"] = bypassSecret;
     }
-    return fetch(`${baseUrl}${path15}`, {
+    return fetch(`${baseUrl}${path16}`, {
       method: "GET",
       headers
     });
@@ -14088,7 +15045,7 @@ var ApiClient = class {
   /**
    * Generic POST request
    */
-  async post(path15, options) {
+  async post(path16, options) {
     const baseUrl = await this.getBaseUrl();
     const token = await getToken();
     if (!token) {
@@ -14104,7 +15061,7 @@ var ApiClient = class {
     if (bypassSecret) {
       headers["x-vercel-protection-bypass"] = bypassSecret;
     }
-    return fetch(`${baseUrl}${path15}`, {
+    return fetch(`${baseUrl}${path16}`, {
       method: "POST",
       headers,
       body: options?.body
@@ -14113,7 +15070,7 @@ var ApiClient = class {
   /**
    * Generic DELETE request
    */
-  async delete(path15) {
+  async delete(path16) {
     const baseUrl = await this.getBaseUrl();
     const token = await getToken();
     if (!token) {
@@ -14126,7 +15083,7 @@ var ApiClient = class {
     if (bypassSecret) {
       headers["x-vercel-protection-bypass"] = bypassSecret;
     }
-    return fetch(`${baseUrl}${path15}`, {
+    return fetch(`${baseUrl}${path16}`, {
       method: "DELETE",
       headers
     });
@@ -15460,9 +16417,9 @@ var CodexEventParser = class {
       }
     }
     if (itemType === "file_change" && item.changes && item.changes.length > 0) {
-      const changes = item.changes.map((c11) => {
-        const action = c11.kind === "add" ? "Created" : c11.kind === "modify" ? "Modified" : "Deleted";
-        return `${action}: ${c11.path}`;
+      const changes = item.changes.map((c16) => {
+        const action = c16.kind === "add" ? "Created" : c16.kind === "modify" ? "Modified" : "Deleted";
+        return `${action}: ${c16.path}`;
       }).join("\n");
       return {
         type: "text",
@@ -15803,9 +16760,9 @@ var CodexEventRenderer = class {
       return;
     }
     if (itemType === "file_change" && item.changes && item.changes.length > 0) {
-      const summary = item.changes.map((c11) => {
-        const icon = c11.kind === "add" ? "+" : c11.kind === "delete" ? "-" : "~";
-        return `${icon}${c11.path}`;
+      const summary = item.changes.map((c16) => {
+        const icon = c16.kind === "add" ? "+" : c16.kind === "delete" ? "-" : "~";
+        return `${icon}${c16.path}`;
       }).join(", ");
       console.log(chalk4.green("[files]") + ` ${summary}`);
       return;
@@ -17694,7 +18651,7 @@ async function autoPullArtifact(runOutput, artifactDir) {
 }
 var cookCmd = new Command17().name("cook").description("One-click agent preparation and execution from vm0.yaml");
 cookCmd.argument("[prompt]", "Prompt for the agent").option("-y, --yes", "Skip confirmation prompts").action(async (prompt, options) => {
-  const shouldExit = await checkAndUpgrade("4.37.0", prompt);
+  const shouldExit = await checkAndUpgrade("4.38.1", prompt);
   if (shouldExit) {
     process.exit(0);
   }
@@ -18344,10 +19301,324 @@ var setCommand = new Command20().name("set").description("Set your scope slug").
 // src/commands/scope/index.ts
 var scopeCommand = new Command21().name("scope").description("Manage your scope (namespace for images)").addCommand(statusCommand3).addCommand(setCommand);
 
-// src/commands/init.ts
+// src/commands/agents/index.ts
+import { Command as Command24 } from "commander";
+
+// src/commands/agents/list.ts
 import { Command as Command22 } from "commander";
 import chalk25 from "chalk";
-import path13 from "path";
+var listCommand3 = new Command22().name("list").alias("ls").description("List all agent composes").option("-s, --scope <scope>", "Scope to list composes from").action(async (options) => {
+  try {
+    const url2 = options.scope ? `/api/agent/composes/list?scope=${encodeURIComponent(options.scope)}` : "/api/agent/composes/list";
+    const response = await apiClient.get(url2);
+    if (!response.ok) {
+      const error43 = await response.json();
+      throw new Error(error43.error?.message || "List failed");
+    }
+    const data = await response.json();
+    if (data.composes.length === 0) {
+      console.log(chalk25.dim("No agent composes found"));
+      console.log(
+        chalk25.dim("  Create one with: vm0 compose <agent-compose.yaml>")
+      );
+      return;
+    }
+    const nameWidth = Math.max(4, ...data.composes.map((c16) => c16.name.length));
+    const header = ["NAME".padEnd(nameWidth), "VERSION", "UPDATED"].join(
+      "  "
+    );
+    console.log(chalk25.dim(header));
+    for (const compose of data.composes) {
+      const versionShort = compose.headVersionId ? compose.headVersionId.slice(0, 8) : chalk25.dim("-");
+      const row = [
+        compose.name.padEnd(nameWidth),
+        versionShort,
+        formatRelativeTime(compose.updatedAt)
+      ].join("  ");
+      console.log(row);
+    }
+  } catch (error43) {
+    console.error(chalk25.red("\u2717 Failed to list agent composes"));
+    if (error43 instanceof Error) {
+      if (error43.message.includes("Not authenticated")) {
+        console.error(chalk25.dim("  Run: vm0 auth login"));
+      } else {
+        console.error(chalk25.dim(`  ${error43.message}`));
+      }
+    }
+    process.exit(1);
+  }
+});
+
+// src/commands/agents/inspect.ts
+import { Command as Command23 } from "commander";
+import chalk26 from "chalk";
+
+// src/lib/source-derivation.ts
+import * as fs9 from "fs/promises";
+import * as path13 from "path";
+import * as os7 from "os";
+function extractVariableReferences2(environment) {
+  const secrets = [];
+  const vars = [];
+  for (const value of Object.values(environment)) {
+    const matches = value.matchAll(/\$\{?([A-Z_][A-Z0-9_]*)\}?/g);
+    for (const match of matches) {
+      const varName = match[1];
+      if (!varName) continue;
+      if (varName.endsWith("_KEY") || varName.endsWith("_SECRET") || varName.endsWith("_TOKEN") || varName.endsWith("_PASSWORD") || varName.includes("API_KEY") || varName.includes("SECRET")) {
+        if (!secrets.includes(varName)) {
+          secrets.push(varName);
+        }
+      } else {
+        if (!vars.includes(varName)) {
+          vars.push(varName);
+        }
+      }
+    }
+  }
+  return { secrets: secrets.sort(), vars: vars.sort() };
+}
+async function fetchSkillFrontmatter(skillUrl, tempDir) {
+  try {
+    const parsed = parseGitHubTreeUrl2(skillUrl);
+    const skillDir = await downloadGitHubSkill(parsed, tempDir);
+    const frontmatter = await readSkillFrontmatter(skillDir);
+    return { skillName: parsed.skillName, frontmatter };
+  } catch {
+    return null;
+  }
+}
+async function deriveAgentVariableSources(agent, options) {
+  const { secrets: secretNames, vars: varNames } = agent.environment ? extractVariableReferences2(agent.environment) : { secrets: [], vars: [] };
+  const secretSources = /* @__PURE__ */ new Map();
+  const varSources = /* @__PURE__ */ new Map();
+  for (const name of secretNames) {
+    secretSources.set(name, { name, source: "agent environment" });
+  }
+  for (const name of varNames) {
+    varSources.set(name, { name, source: "agent environment" });
+  }
+  if (options?.skipNetwork || !agent.skills || agent.skills.length === 0) {
+    return {
+      secrets: Array.from(secretSources.values()),
+      vars: Array.from(varSources.values())
+    };
+  }
+  const tempDir = await fs9.mkdtemp(
+    path13.join(os7.tmpdir(), "vm0-source-derivation-")
+  );
+  try {
+    const skillResults = await Promise.all(
+      agent.skills.map((url2) => fetchSkillFrontmatter(url2, tempDir))
+    );
+    for (const result of skillResults) {
+      if (!result) continue;
+      const { skillName, frontmatter } = result;
+      if (frontmatter.vm0_secrets) {
+        for (const secretName of frontmatter.vm0_secrets) {
+          if (secretSources.has(secretName)) {
+            secretSources.set(secretName, {
+              name: secretName,
+              source: `skill: ${skillName}`,
+              skillName
+            });
+          }
+        }
+      }
+      if (frontmatter.vm0_vars) {
+        for (const varName of frontmatter.vm0_vars) {
+          if (varSources.has(varName)) {
+            varSources.set(varName, {
+              name: varName,
+              source: `skill: ${skillName}`,
+              skillName
+            });
+          }
+        }
+      }
+    }
+  } finally {
+    await fs9.rm(tempDir, { recursive: true, force: true });
+  }
+  return {
+    secrets: Array.from(secretSources.values()),
+    vars: Array.from(varSources.values())
+  };
+}
+async function deriveComposeVariableSources(content, options) {
+  const results = /* @__PURE__ */ new Map();
+  const entries = Object.entries(content.agents);
+  const sourcesPromises = entries.map(async ([agentName, agent]) => {
+    const sources = await deriveAgentVariableSources(agent, options);
+    return { agentName, sources };
+  });
+  const sourcesResults = await Promise.all(sourcesPromises);
+  for (const { agentName, sources } of sourcesResults) {
+    results.set(agentName, sources);
+  }
+  return results;
+}
+
+// src/commands/agents/inspect.ts
+function formatComposeOutput(name, versionId, content, variableSources) {
+  console.log(chalk26.bold("Name:") + `    ${name}`);
+  console.log(chalk26.bold("Version:") + ` ${versionId}`);
+  console.log();
+  console.log(chalk26.bold("Agents:"));
+  for (const [agentName, agent] of Object.entries(content.agents)) {
+    console.log(`  ${chalk26.cyan(agentName)}:`);
+    console.log(`    Provider: ${agent.provider}`);
+    if (agent.image) {
+      console.log(`    Image:    ${agent.image}`);
+    }
+    if (agent.apps && agent.apps.length > 0) {
+      console.log(`    Apps:`);
+      for (const app of agent.apps) {
+        console.log(`      - ${app}`);
+      }
+    }
+    if (agent.working_dir) {
+      console.log(`    Working Dir: ${agent.working_dir}`);
+    }
+    if (agent.volumes && agent.volumes.length > 0) {
+      console.log(`    Volumes:`);
+      for (const vol of agent.volumes) {
+        const volumeDef = content.volumes?.[vol];
+        if (volumeDef) {
+          console.log(`      - ${vol}:${volumeDef.version.slice(0, 8)}`);
+        } else {
+          console.log(`      - ${vol}`);
+        }
+      }
+    }
+    if (agent.skills && agent.skills.length > 0) {
+      console.log(`    Skills:`);
+      for (const skill of agent.skills) {
+        console.log(`      - ${skill}`);
+      }
+    }
+    const agentSources = variableSources?.get(agentName);
+    if (agentSources) {
+      if (agentSources.secrets.length > 0) {
+        console.log(`    Secrets:`);
+        for (const secret of agentSources.secrets) {
+          const sourceInfo = chalk26.dim(`(${secret.source})`);
+          console.log(`      - ${secret.name.padEnd(20)} ${sourceInfo}`);
+        }
+      }
+      if (agentSources.vars.length > 0) {
+        console.log(`    Vars:`);
+        for (const v of agentSources.vars) {
+          const sourceInfo = chalk26.dim(`(${v.source})`);
+          console.log(`      - ${v.name.padEnd(20)} ${sourceInfo}`);
+        }
+      }
+    }
+    if (agent.experimental_runner) {
+      console.log(`    Runner: ${agent.experimental_runner.group}`);
+    }
+    if (agent.experimental_network_security) {
+      console.log(`    Network Security: enabled`);
+    }
+  }
+}
+var inspectCommand = new Command23().name("inspect").description("Inspect an agent compose").argument(
+  "<name[:version]>",
+  "Agent name with optional version (e.g., my-agent:latest or my-agent:a1b2c3d4)"
+).option("-s, --scope <scope>", "Scope to look up the compose from").option("--no-sources", "Skip fetching skills to determine variable sources").action(
+  async (argument, options) => {
+    try {
+      const colonIndex = argument.lastIndexOf(":");
+      let name;
+      let version2;
+      if (colonIndex === -1) {
+        name = argument;
+        version2 = "latest";
+      } else {
+        name = argument.slice(0, colonIndex);
+        version2 = argument.slice(colonIndex + 1) || "latest";
+      }
+      let compose;
+      try {
+        compose = await apiClient.getComposeByName(name, options.scope);
+      } catch (error43) {
+        if (error43 instanceof Error && error43.message.includes("not found")) {
+          console.error(chalk26.red(`\u2717 Agent compose not found: ${name}`));
+          console.error(chalk26.dim("  Run: vm0 agents list"));
+          process.exit(1);
+        }
+        throw error43;
+      }
+      let resolvedVersionId = compose.headVersionId;
+      if (version2 !== "latest" && compose.headVersionId) {
+        if (version2.length < 64) {
+          try {
+            const versionInfo = await apiClient.getComposeVersion(
+              compose.id,
+              version2
+            );
+            resolvedVersionId = versionInfo.versionId;
+          } catch (error43) {
+            if (error43 instanceof Error && error43.message.includes("not found")) {
+              console.error(chalk26.red(`\u2717 Version not found: ${version2}`));
+              console.error(
+                chalk26.dim(
+                  `  HEAD version: ${compose.headVersionId?.slice(0, 8)}`
+                )
+              );
+              process.exit(1);
+            }
+            throw error43;
+          }
+        } else {
+          resolvedVersionId = version2;
+        }
+      }
+      if (!resolvedVersionId || !compose.content) {
+        console.error(chalk26.red(`\u2717 No version found for: ${name}`));
+        process.exit(1);
+      }
+      const content = compose.content;
+      let variableSources;
+      if (options.sources !== false) {
+        try {
+          variableSources = await deriveComposeVariableSources(content);
+        } catch {
+          console.error(
+            chalk26.yellow(
+              "\u26A0 Warning: Failed to fetch skill sources, showing basic info"
+            )
+          );
+        }
+      }
+      formatComposeOutput(
+        compose.name,
+        resolvedVersionId,
+        content,
+        variableSources
+      );
+    } catch (error43) {
+      console.error(chalk26.red("\u2717 Failed to inspect agent compose"));
+      if (error43 instanceof Error) {
+        if (error43.message.includes("Not authenticated")) {
+          console.error(chalk26.dim("  Run: vm0 auth login"));
+        } else {
+          console.error(chalk26.dim(`  ${error43.message}`));
+        }
+      }
+      process.exit(1);
+    }
+  }
+);
+
+// src/commands/agents/index.ts
+var agentsCommand = new Command24().name("agents").description("Manage agent composes").addCommand(listCommand3).addCommand(inspectCommand);
+
+// src/commands/init.ts
+import { Command as Command25 } from "commander";
+import chalk27 from "chalk";
+import path14 from "path";
 import { existsSync as existsSync9 } from "fs";
 import { writeFile as writeFile7 } from "fs/promises";
 var VM0_YAML_FILE = "vm0.yaml";
@@ -18387,14 +19658,14 @@ function checkExistingFiles() {
   if (existsSync9(AGENTS_MD_FILE)) existingFiles.push(AGENTS_MD_FILE);
   return existingFiles;
 }
-var initCommand3 = new Command22().name("init").description("Initialize a new VM0 project in the current directory").option("-f, --force", "Overwrite existing files").option("-n, --name <name>", "Agent name (required in non-interactive mode)").action(async (options) => {
+var initCommand3 = new Command25().name("init").description("Initialize a new VM0 project in the current directory").option("-f, --force", "Overwrite existing files").option("-n, --name <name>", "Agent name (required in non-interactive mode)").action(async (options) => {
   const existingFiles = checkExistingFiles();
   if (existingFiles.length > 0 && !options.force) {
     for (const file2 of existingFiles) {
-      console.log(chalk25.red(`\u2717 ${file2} already exists`));
+      console.log(chalk27.red(`\u2717 ${file2} already exists`));
     }
     console.log();
-    console.log(`To overwrite: ${chalk25.cyan("vm0 init --force")}`);
+    console.log(`To overwrite: ${chalk27.cyan("vm0 init --force")}`);
     process.exit(1);
   }
   let agentName;
@@ -18402,12 +19673,12 @@ var initCommand3 = new Command22().name("init").description("Initialize a new VM
     agentName = options.name.trim();
   } else if (!isInteractive()) {
     console.error(
-      chalk25.red("\u2717 --name flag is required in non-interactive mode")
+      chalk27.red("\u2717 --name flag is required in non-interactive mode")
     );
-    console.error(chalk25.dim("  Usage: vm0 init --name <agent-name>"));
+    console.error(chalk27.dim("  Usage: vm0 init --name <agent-name>"));
     process.exit(1);
   } else {
-    const dirName = path13.basename(process.cwd());
+    const dirName = path14.basename(process.cwd());
     const defaultName = validateAgentName(dirName) ? dirName : void 0;
     const name = await promptText(
       "Enter agent name",
@@ -18420,42 +19691,42 @@ var initCommand3 = new Command22().name("init").description("Initialize a new VM
       }
     );
     if (name === void 0) {
-      console.log(chalk25.dim("Cancelled"));
+      console.log(chalk27.dim("Cancelled"));
       return;
     }
     agentName = name;
   }
   if (!agentName || !validateAgentName(agentName)) {
-    console.log(chalk25.red("\u2717 Invalid agent name"));
+    console.log(chalk27.red("\u2717 Invalid agent name"));
     console.log(
-      chalk25.dim("  Must be 3-64 characters, alphanumeric and hyphens only")
+      chalk27.dim("  Must be 3-64 characters, alphanumeric and hyphens only")
     );
-    console.log(chalk25.dim("  Must start and end with letter or number"));
+    console.log(chalk27.dim("  Must start and end with letter or number"));
     process.exit(1);
   }
   await writeFile7(VM0_YAML_FILE, generateVm0Yaml(agentName));
   const vm0Status = existingFiles.includes(VM0_YAML_FILE) ? " (overwritten)" : "";
-  console.log(chalk25.green(`\u2713 Created ${VM0_YAML_FILE}${vm0Status}`));
+  console.log(chalk27.green(`\u2713 Created ${VM0_YAML_FILE}${vm0Status}`));
   await writeFile7(AGENTS_MD_FILE, generateAgentsMd());
   const agentsStatus = existingFiles.includes(AGENTS_MD_FILE) ? " (overwritten)" : "";
-  console.log(chalk25.green(`\u2713 Created ${AGENTS_MD_FILE}${agentsStatus}`));
+  console.log(chalk27.green(`\u2713 Created ${AGENTS_MD_FILE}${agentsStatus}`));
   console.log();
   console.log("Next steps:");
   console.log(
-    `  1. Get your Claude Code token: ${chalk25.cyan("claude setup-token")}`
+    `  1. Get your Claude Code token: ${chalk27.cyan("claude setup-token")}`
   );
   console.log(`  2. Set the environment variable (or add to .env file):`);
-  console.log(chalk25.dim(`     export CLAUDE_CODE_OAUTH_TOKEN=<your-token>`));
-  console.log(`  3. Run your agent: ${chalk25.cyan('vm0 cook "your prompt"')}`);
+  console.log(chalk27.dim(`     export CLAUDE_CODE_OAUTH_TOKEN=<your-token>`));
+  console.log(`  3. Run your agent: ${chalk27.cyan('vm0 cook "your prompt"')}`);
 });
 
 // src/commands/setup-github.ts
-import { Command as Command23 } from "commander";
-import chalk26 from "chalk";
+import { Command as Command26 } from "commander";
+import chalk28 from "chalk";
 import { existsSync as existsSync10 } from "fs";
 import { mkdir as mkdir7, readFile as readFile8, writeFile as writeFile8 } from "fs/promises";
 import { execSync, spawnSync } from "child_process";
-import path14 from "path";
+import path15 from "path";
 import { parse as parseYaml5 } from "yaml";
 function isGhInstalled() {
   try {
@@ -18487,74 +19758,74 @@ function getRelativeWorkingDir(gitRoot) {
   if (cwd === gitRoot) {
     return null;
   }
-  const relativePath = path14.relative(gitRoot, cwd);
+  const relativePath = path15.relative(gitRoot, cwd);
   return relativePath.replace(/\\/g, "/");
 }
 async function checkPrerequisites() {
   console.log("Checking prerequisites...");
   const gitRoot = getGitRoot();
   if (!gitRoot) {
-    console.log(chalk26.red("\u2717 Not in a git repository"));
+    console.log(chalk28.red("\u2717 Not in a git repository"));
     console.log();
     console.log("This command must be run from within a git repository.");
     console.log();
     console.log("To initialize a git repository, run:");
-    console.log(`  ${chalk26.cyan("git init")}`);
+    console.log(`  ${chalk28.cyan("git init")}`);
     process.exit(1);
   }
-  console.log(chalk26.green("\u2713 Git repository detected"));
+  console.log(chalk28.green("\u2713 Git repository detected"));
   if (!isGhInstalled()) {
-    console.log(chalk26.red("\u2717 GitHub CLI (gh) is not installed"));
+    console.log(chalk28.red("\u2717 GitHub CLI (gh) is not installed"));
     console.log();
     console.log("GitHub CLI is required for this command.");
     console.log();
-    console.log(`  macOS:  ${chalk26.cyan("brew install gh")}`);
-    console.log(`  Other:  ${chalk26.cyan("https://cli.github.com/")}`);
+    console.log(`  macOS:  ${chalk28.cyan("brew install gh")}`);
+    console.log(`  Other:  ${chalk28.cyan("https://cli.github.com/")}`);
     console.log();
     console.log("After installation, run:");
-    console.log(`  ${chalk26.cyan("gh auth login")}`);
+    console.log(`  ${chalk28.cyan("gh auth login")}`);
     console.log();
     console.log("Then try again:");
-    console.log(`  ${chalk26.cyan("vm0 setup-github")}`);
+    console.log(`  ${chalk28.cyan("vm0 setup-github")}`);
     process.exit(1);
   }
-  console.log(chalk26.green("\u2713 GitHub CLI (gh) is installed"));
+  console.log(chalk28.green("\u2713 GitHub CLI (gh) is installed"));
   if (!isGhAuthenticated()) {
-    console.log(chalk26.red("\u2717 GitHub CLI is not authenticated"));
+    console.log(chalk28.red("\u2717 GitHub CLI is not authenticated"));
     console.log();
     console.log("Please authenticate GitHub CLI first:");
-    console.log(`  ${chalk26.cyan("gh auth login")}`);
+    console.log(`  ${chalk28.cyan("gh auth login")}`);
     console.log();
     console.log("Then try again:");
-    console.log(`  ${chalk26.cyan("vm0 setup-github")}`);
+    console.log(`  ${chalk28.cyan("vm0 setup-github")}`);
     process.exit(1);
   }
-  console.log(chalk26.green("\u2713 GitHub CLI is authenticated"));
+  console.log(chalk28.green("\u2713 GitHub CLI is authenticated"));
   const token = await getToken();
   if (!token) {
-    console.log(chalk26.red("\u2717 VM0 not authenticated"));
+    console.log(chalk28.red("\u2717 VM0 not authenticated"));
     console.log();
     console.log("Please authenticate with VM0 first:");
-    console.log(`  ${chalk26.cyan("vm0 auth login")}`);
+    console.log(`  ${chalk28.cyan("vm0 auth login")}`);
     console.log();
     console.log("Then try again:");
-    console.log(`  ${chalk26.cyan("vm0 setup-github")}`);
+    console.log(`  ${chalk28.cyan("vm0 setup-github")}`);
     process.exit(1);
   }
-  console.log(chalk26.green("\u2713 VM0 authenticated"));
+  console.log(chalk28.green("\u2713 VM0 authenticated"));
   if (!existsSync10("vm0.yaml")) {
-    console.log(chalk26.red("\u2717 vm0.yaml not found"));
+    console.log(chalk28.red("\u2717 vm0.yaml not found"));
     console.log();
     console.log("This command requires a vm0.yaml configuration file.");
     console.log();
     console.log("To create one, run:");
-    console.log(`  ${chalk26.cyan("vm0 init")}`);
+    console.log(`  ${chalk28.cyan("vm0 init")}`);
     console.log();
     console.log("Then try again:");
-    console.log(`  ${chalk26.cyan("vm0 setup-github")}`);
+    console.log(`  ${chalk28.cyan("vm0 setup-github")}`);
     process.exit(1);
   }
-  console.log(chalk26.green("\u2713 vm0.yaml found"));
+  console.log(chalk28.green("\u2713 vm0.yaml found"));
   return { token, gitRoot };
 }
 function generatePublishYaml(workingDir) {
@@ -18711,7 +19982,7 @@ function displaySecretsTable(secretStatuses, varStatuses) {
   if (secretStatuses.length > 0) {
     console.log("\u2502 Secrets:                                                \u2502");
     for (const s of secretStatuses) {
-      const status = s.found ? chalk26.green("\u2713") : chalk26.red("\u2717");
+      const status = s.found ? chalk28.green("\u2713") : chalk28.red("\u2717");
       const source = s.found ? `(from ${s.source})` : "not found";
       const paddedName = (s.name + " ").padEnd(23, ".");
       console.log(`\u2502   ${status} ${paddedName} ${source.padEnd(19)}\u2502`);
@@ -18720,7 +19991,7 @@ function displaySecretsTable(secretStatuses, varStatuses) {
   if (varStatuses.length > 0) {
     console.log("\u2502 Variables:                                              \u2502");
     for (const v of varStatuses) {
-      const status = v.found ? chalk26.green("\u2713") : chalk26.red("\u2717");
+      const status = v.found ? chalk28.green("\u2713") : chalk28.red("\u2717");
       const source = v.found ? `(from ${v.source})` : "not found";
       const paddedName = (v.name + " ").padEnd(23, ".");
       console.log(`\u2502   ${status} ${paddedName} ${source.padEnd(19)}\u2502`);
@@ -18732,17 +20003,17 @@ function showManualSetupInstructions(secrets, vars) {
   console.log("Skipped automatic setup. Configure secrets manually:");
   console.log();
   console.log("  Step 1: Get your VM0 token");
-  console.log(`    ${chalk26.cyan("vm0 auth setup-token")}`);
+  console.log(`    ${chalk28.cyan("vm0 auth setup-token")}`);
   console.log();
   console.log("  Step 2: Set GitHub secrets");
   for (const s of secrets) {
-    console.log(`    ${chalk26.cyan(`gh secret set ${s}`)}`);
+    console.log(`    ${chalk28.cyan(`gh secret set ${s}`)}`);
   }
   if (vars.length > 0) {
     console.log();
     console.log("  Step 3: Set GitHub variables");
     for (const v of vars) {
-      console.log(`    ${chalk26.cyan(`gh variable set ${v}`)}`);
+      console.log(`    ${chalk28.cyan(`gh variable set ${v}`)}`);
     }
   }
 }
@@ -18785,7 +20056,7 @@ function showWorkflowsCreatedMessage() {
   console.log("\u2502   3. Push to main branch to trigger publish             \u2502");
   console.log("\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518");
 }
-var setupGithubCommand = new Command23().name("setup-github").description("Initialize GitHub Actions workflows for agent deployment").option("-f, --force", "Overwrite existing workflow files").option("-y, --yes", "Auto-confirm all prompts").option("--skip-secrets", "Skip automatic secrets/variables setup").action(
+var setupGithubCommand = new Command26().name("setup-github").description("Initialize GitHub Actions workflows for agent deployment").option("-f, --force", "Overwrite existing workflow files").option("-y, --yes", "Auto-confirm all prompts").option("--skip-secrets", "Skip automatic secrets/variables setup").action(
   async (options) => {
     const prereqs = await checkPrerequisites();
     if (!prereqs) {
@@ -18799,23 +20070,23 @@ var setupGithubCommand = new Command23().name("setup-github").description("Initi
     const config2 = parseYaml5(content);
     const agents = config2.agents;
     const agentName = Object.keys(agents)[0];
-    console.log(chalk26.green(`\u2713 Agent: ${agentName}`));
+    console.log(chalk28.green(`\u2713 Agent: ${agentName}`));
     const { secrets, vars } = extractSecretsAndVars(config2);
     console.log(
-      chalk26.green(
+      chalk28.green(
         `\u2713 Found ${secrets.length} secrets, ${vars.length} variables`
       )
     );
     console.log();
-    const publishPath = path14.join(gitRoot, ".github/workflows/publish.yml");
-    const runPath = path14.join(gitRoot, ".github/workflows/run.yml");
+    const publishPath = path15.join(gitRoot, ".github/workflows/publish.yml");
+    const runPath = path15.join(gitRoot, ".github/workflows/run.yml");
     const displayPublishPath = ".github/workflows/publish.yml";
     const displayRunPath = ".github/workflows/run.yml";
     const existingFiles = [];
     if (existsSync10(publishPath)) existingFiles.push(displayPublishPath);
     if (existsSync10(runPath)) existingFiles.push(displayRunPath);
     if (existingFiles.length > 0 && !options.force) {
-      console.log(chalk26.yellow("\u26A0 Existing workflow files detected:"));
+      console.log(chalk28.yellow("\u26A0 Existing workflow files detected:"));
       for (const file2 of existingFiles) {
         console.log(`  \u2022 ${file2}`);
       }
@@ -18828,23 +20099,23 @@ var setupGithubCommand = new Command23().name("setup-github").description("Initi
         if (!overwrite) {
           console.log();
           console.log("Aborted. To force overwrite, run:");
-          console.log(`  ${chalk26.cyan("vm0 setup-github --force")}`);
+          console.log(`  ${chalk28.cyan("vm0 setup-github --force")}`);
           process.exit(0);
         }
       }
       console.log();
     }
     console.log("Creating workflow files...");
-    await mkdir7(path14.join(gitRoot, ".github/workflows"), { recursive: true });
+    await mkdir7(path15.join(gitRoot, ".github/workflows"), { recursive: true });
     await writeFile8(publishPath, generatePublishYaml(workingDir));
     const publishStatus = existingFiles.includes(displayPublishPath) ? "Overwrote" : "Created";
-    console.log(chalk26.green(`\u2713 ${publishStatus} ${displayPublishPath}`));
+    console.log(chalk28.green(`\u2713 ${publishStatus} ${displayPublishPath}`));
     await writeFile8(runPath, generateRunYaml(agentName, secrets, vars));
     const runStatus = existingFiles.includes(displayRunPath) ? "Overwrote" : "Created";
-    console.log(chalk26.green(`\u2713 ${runStatus} ${displayRunPath}`));
+    console.log(chalk28.green(`\u2713 ${runStatus} ${displayRunPath}`));
     console.log();
     if (options.skipSecrets) {
-      console.log(chalk26.green("\u2713 Done (secrets setup skipped)"));
+      console.log(chalk28.green("\u2713 Done (secrets setup skipped)"));
       return;
     }
     const { secretStatuses, varStatuses } = await detectSecretValues(
@@ -18884,14 +20155,14 @@ var setupGithubCommand = new Command23().name("setup-github").description("Initi
       if (s.found && s.value) {
         const success2 = setGitHubSecret(s.name, s.value);
         if (success2) {
-          console.log(`  ${chalk26.green("\u2713")} ${s.name}`);
+          console.log(`  ${chalk28.green("\u2713")} ${s.name}`);
         } else {
-          console.log(`  ${chalk26.red("\u2717")} ${s.name} (failed)`);
+          console.log(`  ${chalk28.red("\u2717")} ${s.name} (failed)`);
           failedSecrets.push(s.name);
         }
       } else {
         console.log(
-          `  ${chalk26.yellow("\u26A0")} ${s.name} (skipped - not found)`
+          `  ${chalk28.yellow("\u26A0")} ${s.name} (skipped - not found)`
         );
       }
     }
@@ -18903,14 +20174,14 @@ var setupGithubCommand = new Command23().name("setup-github").description("Initi
         if (v.found && v.value) {
           const success2 = setGitHubVariable(v.name, v.value);
           if (success2) {
-            console.log(`  ${chalk26.green("\u2713")} ${v.name}`);
+            console.log(`  ${chalk28.green("\u2713")} ${v.name}`);
           } else {
-            console.log(`  ${chalk26.red("\u2717")} ${v.name} (failed)`);
+            console.log(`  ${chalk28.red("\u2717")} ${v.name} (failed)`);
             failedVars.push(v.name);
           }
         } else {
           console.log(
-            `  ${chalk26.yellow("\u26A0")} ${v.name} (skipped - not found)`
+            `  ${chalk28.yellow("\u26A0")} ${v.name} (skipped - not found)`
           );
         }
       }
@@ -18933,10 +20204,10 @@ var setupGithubCommand = new Command23().name("setup-github").description("Initi
 );
 
 // src/index.ts
-var program = new Command24();
-program.name("vm0").description("VM0 CLI - A modern build tool").version("4.37.0");
+var program = new Command27();
+program.name("vm0").description("VM0 CLI - A modern build tool").version("4.38.1");
 program.command("info").description("Display environment information").action(async () => {
-  console.log(chalk27.bold("System Information:"));
+  console.log(chalk29.bold("System Information:"));
   console.log(`Node Version: ${process.version}`);
   console.log(`Platform: ${process.platform}`);
   console.log(`Architecture: ${process.arch}`);
@@ -18963,6 +20234,7 @@ program.addCommand(artifactCommand);
 program.addCommand(cookCommand);
 program.addCommand(logsCommand);
 program.addCommand(scopeCommand);
+program.addCommand(agentsCommand);
 program.addCommand(initCommand3);
 program.addCommand(setupGithubCommand);
 if (process.argv[1]?.endsWith("index.js") || process.argv[1]?.endsWith("index.ts") || process.argv[1]?.endsWith("vm0")) {