@vm0/cli 6.4.1 → 7.0.1

package/index.js

@@ -247,58 +247,63 @@ function groupVariablesBySource(refs) {
 }
 
 // ../../packages/core/src/contracts/base.ts
+import { z } from "zod";
 import { initContract } from "@ts-rest/core";
+var authHeadersSchema = z.object({
+  authorization: z.string().optional()
+});
 
 // ../../packages/core/src/contracts/errors.ts
-import { z } from "zod";
-var apiErrorSchema = z.object({
-  error: z.object({
-    message: z.string(),
-    code: z.string()
+import { z as z2 } from "zod";
+var apiErrorSchema = z2.object({
+  error: z2.object({
+    message: z2.string(),
+    code: z2.string()
   })
 });
 
 // ../../packages/core/src/contracts/composes.ts
-import { z as z3 } from "zod";
+import { z as z4 } from "zod";
 
 // ../../packages/core/src/contracts/runners.ts
-import { z as z2 } from "zod";
+import { z as z3 } from "zod";
 var c = initContract();
-var firewallRuleSchema = z2.object({
-  domain: z2.string().optional(),
-  ip: z2.string().optional(),
+var firewallRuleSchema = z3.object({
+  domain: z3.string().optional(),
+  ip: z3.string().optional(),
   /** Terminal rule - value is the action (ALLOW or DENY) */
-  final: z2.enum(["ALLOW", "DENY"]).optional(),
+  final: z3.enum(["ALLOW", "DENY"]).optional(),
   /** Action for domain/ip rules */
-  action: z2.enum(["ALLOW", "DENY"]).optional()
+  action: z3.enum(["ALLOW", "DENY"]).optional()
 });
-var experimentalFirewallSchema = z2.object({
-  enabled: z2.boolean(),
-  rules: z2.array(firewallRuleSchema).optional(),
-  experimental_mitm: z2.boolean().optional(),
-  experimental_seal_secrets: z2.boolean().optional()
+var experimentalFirewallSchema = z3.object({
+  enabled: z3.boolean(),
+  rules: z3.array(firewallRuleSchema).optional(),
+  experimental_mitm: z3.boolean().optional(),
+  experimental_seal_secrets: z3.boolean().optional()
 });
-var runnerGroupSchema = z2.string().regex(
+var runnerGroupSchema = z3.string().regex(
   /^[a-z0-9-]+\/[a-z0-9-]+$/,
   "Runner group must be in scope/name format (e.g., acme/production)"
 );
-var jobSchema = z2.object({
-  runId: z2.string().uuid(),
-  prompt: z2.string(),
-  agentComposeVersionId: z2.string(),
-  vars: z2.record(z2.string(), z2.string()).nullable(),
-  secretNames: z2.array(z2.string()).nullable(),
-  checkpointId: z2.string().uuid().nullable()
+var jobSchema = z3.object({
+  runId: z3.string().uuid(),
+  prompt: z3.string(),
+  agentComposeVersionId: z3.string(),
+  vars: z3.record(z3.string(), z3.string()).nullable(),
+  secretNames: z3.array(z3.string()).nullable(),
+  checkpointId: z3.string().uuid().nullable()
 });
 var runnersPollContract = c.router({
   poll: {
     method: "POST",
     path: "/api/runners/poll",
-    body: z2.object({
+    headers: authHeadersSchema,
+    body: z3.object({
       group: runnerGroupSchema
     }),
     responses: {
-      200: z2.object({
+      200: z3.object({
         job: jobSchema.nullable()
       }),
       400: apiErrorSchema,
@@ -308,64 +313,65 @@ var runnersPollContract = c.router({
     summary: "Poll for pending jobs (long-polling with 30s timeout)"
   }
 });
-var storageEntrySchema = z2.object({
-  mountPath: z2.string(),
-  archiveUrl: z2.string().nullable()
+var storageEntrySchema = z3.object({
+  mountPath: z3.string(),
+  archiveUrl: z3.string().nullable()
 });
-var artifactEntrySchema = z2.object({
-  mountPath: z2.string(),
-  archiveUrl: z2.string().nullable(),
-  vasStorageName: z2.string(),
-  vasVersionId: z2.string()
+var artifactEntrySchema = z3.object({
+  mountPath: z3.string(),
+  archiveUrl: z3.string().nullable(),
+  vasStorageName: z3.string(),
+  vasVersionId: z3.string()
 });
-var storageManifestSchema = z2.object({
-  storages: z2.array(storageEntrySchema),
+var storageManifestSchema = z3.object({
+  storages: z3.array(storageEntrySchema),
   artifact: artifactEntrySchema.nullable()
 });
-var resumeSessionSchema = z2.object({
-  sessionId: z2.string(),
-  sessionHistory: z2.string()
+var resumeSessionSchema = z3.object({
+  sessionId: z3.string(),
+  sessionHistory: z3.string()
 });
-var storedExecutionContextSchema = z2.object({
-  workingDir: z2.string(),
+var storedExecutionContextSchema = z3.object({
+  workingDir: z3.string(),
   storageManifest: storageManifestSchema.nullable(),
-  environment: z2.record(z2.string(), z2.string()).nullable(),
+  environment: z3.record(z3.string(), z3.string()).nullable(),
   resumeSession: resumeSessionSchema.nullable(),
-  encryptedSecrets: z2.string().nullable(),
+  encryptedSecrets: z3.string().nullable(),
   // AES-256-GCM encrypted secrets
-  cliAgentType: z2.string(),
+  cliAgentType: z3.string(),
   experimentalFirewall: experimentalFirewallSchema.optional(),
   // Debug flag to force real Claude in mock environments (internal use only)
-  debugNoMockClaude: z2.boolean().optional()
-});
-var executionContextSchema = z2.object({
-  runId: z2.string().uuid(),
-  prompt: z2.string(),
-  agentComposeVersionId: z2.string(),
-  vars: z2.record(z2.string(), z2.string()).nullable(),
-  secretNames: z2.array(z2.string()).nullable(),
-  checkpointId: z2.string().uuid().nullable(),
-  sandboxToken: z2.string(),
+  debugNoMockClaude: z3.boolean().optional()
+});
+var executionContextSchema = z3.object({
+  runId: z3.string().uuid(),
+  prompt: z3.string(),
+  agentComposeVersionId: z3.string(),
+  vars: z3.record(z3.string(), z3.string()).nullable(),
+  secretNames: z3.array(z3.string()).nullable(),
+  checkpointId: z3.string().uuid().nullable(),
+  sandboxToken: z3.string(),
   // New fields for E2B parity:
-  workingDir: z2.string(),
+  workingDir: z3.string(),
   storageManifest: storageManifestSchema.nullable(),
-  environment: z2.record(z2.string(), z2.string()).nullable(),
+  environment: z3.record(z3.string(), z3.string()).nullable(),
   resumeSession: resumeSessionSchema.nullable(),
-  secretValues: z2.array(z2.string()).nullable(),
-  cliAgentType: z2.string(),
+  secretValues: z3.array(z3.string()).nullable(),
+  cliAgentType: z3.string(),
   // Experimental firewall configuration
   experimentalFirewall: experimentalFirewallSchema.optional(),
   // Debug flag to force real Claude in mock environments (internal use only)
-  debugNoMockClaude: z2.boolean().optional()
+  debugNoMockClaude: z3.boolean().optional()
 });
 var runnersJobClaimContract = c.router({
   claim: {
     method: "POST",
     path: "/api/runners/jobs/:id/claim",
-    pathParams: z2.object({
-      id: z2.string().uuid()
+    headers: authHeadersSchema,
+    pathParams: z3.object({
+      id: z3.string().uuid()
     }),
-    body: z2.object({}),
+    body: z3.object({}),
     responses: {
       200: executionContextSchema,
       400: apiErrorSchema,
@@ -383,85 +389,82 @@ var runnersJobClaimContract = c.router({
 
 // ../../packages/core/src/contracts/composes.ts
 var c2 = initContract();
-var composeVersionQuerySchema = z3.preprocess(
+var composeVersionQuerySchema = z4.preprocess(
   (val) => val === void 0 || val === null ? void 0 : String(val),
-  z3.string().min(1, "Missing version query parameter").regex(
+  z4.string().min(1, "Missing version query parameter").regex(
     /^[a-f0-9]{8,64}$|^latest$/i,
     "Version must be 8-64 hex characters or 'latest'"
   )
 );
-var agentNameSchema = z3.string().min(3, "Agent name must be at least 3 characters").max(64, "Agent name must be 64 characters or less").regex(
+var agentNameSchema = z4.string().min(3, "Agent name must be at least 3 characters").max(64, "Agent name must be 64 characters or less").regex(
   /^[a-zA-Z0-9][a-zA-Z0-9-]{1,62}[a-zA-Z0-9]$/,
   "Agent name must start and end with letter or number, and contain only letters, numbers, and hyphens"
 );
-var volumeConfigSchema = z3.object({
-  name: z3.string().min(1, "Volume name is required"),
-  version: z3.string().min(1, "Volume version is required")
+var volumeConfigSchema = z4.object({
+  name: z4.string().min(1, "Volume name is required"),
+  version: z4.string().min(1, "Volume version is required")
 });
 var SUPPORTED_APPS = ["github"];
 var SUPPORTED_APP_TAGS = ["latest", "dev"];
 var APP_NAME_REGEX = /^[a-z0-9-]+$/;
-var appStringSchema = z3.string().superRefine((val, ctx) => {
+var appStringSchema = z4.string().superRefine((val, ctx) => {
   const [appName, tag] = val.split(":");
   if (!appName || !APP_NAME_REGEX.test(appName)) {
     ctx.addIssue({
-      code: z3.ZodIssueCode.custom,
+      code: z4.ZodIssueCode.custom,
       message: "App name must contain only lowercase letters, numbers, and hyphens"
     });
     return;
   }
   if (!SUPPORTED_APPS.includes(appName)) {
     ctx.addIssue({
-      code: z3.ZodIssueCode.custom,
+      code: z4.ZodIssueCode.custom,
       message: `Invalid app: "${appName}". Supported apps: ${SUPPORTED_APPS.join(", ")}`
     });
     return;
   }
   if (tag !== void 0 && !SUPPORTED_APP_TAGS.includes(tag)) {
     ctx.addIssue({
-      code: z3.ZodIssueCode.custom,
+      code: z4.ZodIssueCode.custom,
       message: `Invalid app tag: "${tag}". Supported tags: ${SUPPORTED_APP_TAGS.join(", ")}`
     });
   }
 });
-var nonEmptyStringArraySchema = z3.array(
-  z3.string().min(1, "Array entries cannot be empty strings")
-);
-var agentDefinitionSchema = z3.object({
-  description: z3.string().optional(),
+var agentDefinitionSchema = z4.object({
+  description: z4.string().optional(),
   /**
    * @deprecated Use `apps` field instead for pre-installed tools.
    * This field will be removed in a future version.
    */
-  image: z3.string().optional(),
-  framework: z3.string().min(1, "Framework is required"),
+  image: z4.string().optional(),
+  framework: z4.string().min(1, "Framework is required"),
   /**
    * Array of pre-installed apps/tools for the agent environment.
    * Format: "app" or "app:tag" (e.g., "github", "github:dev", "github:latest")
    * Default tag is "latest" if not specified.
    * Currently supported apps: "github" (includes GitHub CLI)
    */
-  apps: z3.array(appStringSchema).optional(),
-  volumes: z3.array(z3.string()).optional(),
-  working_dir: z3.string().optional(),
+  apps: z4.array(appStringSchema).optional(),
+  volumes: z4.array(z4.string()).optional(),
+  working_dir: z4.string().optional(),
   // Optional when provider supports auto-config
-  environment: z3.record(z3.string(), z3.string()).optional(),
+  environment: z4.record(z4.string(), z4.string()).optional(),
   /**
    * Path to instructions file (e.g., AGENTS.md).
    * Auto-uploaded as volume and mounted at /home/user/.claude/CLAUDE.md
    */
-  instructions: z3.string().min(1, "Instructions path cannot be empty").optional(),
+  instructions: z4.string().min(1, "Instructions path cannot be empty").optional(),
   /**
    * Array of GitHub tree URLs for agent skills.
    * Each skill is auto-downloaded and mounted at /home/user/.claude/skills/{skillName}/
    */
-  skills: z3.array(z3.string()).optional(),
+  skills: z4.array(z4.string()).optional(),
   /**
    * Route this agent to a self-hosted runner instead of E2B.
    * When specified, runs will be queued for the specified runner group.
    */
-  experimental_runner: z3.object({
-    group: z3.string().regex(
+  experimental_runner: z4.object({
+    group: z4.string().regex(
       /^[a-z0-9-]+\/[a-z0-9-]+$/,
       "Runner group must be in scope/name format (e.g., acme/production)"
     )
@@ -471,37 +474,27 @@ var agentDefinitionSchema = z3.object({
    * Requires experimental_runner to be configured.
    * When enabled, filters outbound traffic by domain/IP rules.
    */
-  experimental_firewall: experimentalFirewallSchema.optional(),
-  /**
-   * Array of secret names to inject from the scope's secret store.
-   * Each entry must be a non-empty string.
-   */
-  experimental_secrets: nonEmptyStringArraySchema.optional(),
-  /**
-   * Array of variable names to inject from the scope's variable store.
-   * Each entry must be a non-empty string.
-   */
-  experimental_vars: nonEmptyStringArraySchema.optional()
+  experimental_firewall: experimentalFirewallSchema.optional()
 });
-var agentComposeContentSchema = z3.object({
-  version: z3.string().min(1, "Version is required"),
-  agents: z3.record(z3.string(), agentDefinitionSchema),
-  volumes: z3.record(z3.string(), volumeConfigSchema).optional()
+var agentComposeContentSchema = z4.object({
+  version: z4.string().min(1, "Version is required"),
+  agents: z4.record(z4.string(), agentDefinitionSchema),
+  volumes: z4.record(z4.string(), volumeConfigSchema).optional()
 });
-var composeResponseSchema = z3.object({
-  id: z3.string(),
-  name: z3.string(),
-  headVersionId: z3.string().nullable(),
+var composeResponseSchema = z4.object({
+  id: z4.string(),
+  name: z4.string(),
+  headVersionId: z4.string().nullable(),
   content: agentComposeContentSchema.nullable(),
-  createdAt: z3.string(),
-  updatedAt: z3.string()
+  createdAt: z4.string(),
+  updatedAt: z4.string()
 });
-var createComposeResponseSchema = z3.object({
-  composeId: z3.string(),
-  name: z3.string(),
-  versionId: z3.string(),
-  action: z3.enum(["created", "existing"]),
-  updatedAt: z3.string()
+var createComposeResponseSchema = z4.object({
+  composeId: z4.string(),
+  name: z4.string(),
+  versionId: z4.string(),
+  action: z4.enum(["created", "existing"]),
+  updatedAt: z4.string()
 });
 var composesMainContract = c2.router({
   /**
@@ -512,9 +505,10 @@ var composesMainContract = c2.router({
   getByName: {
     method: "GET",
     path: "/api/agent/composes",
-    query: z3.object({
-      name: z3.string().min(1, "Missing name query parameter"),
-      scope: z3.string().optional()
+    headers: authHeadersSchema,
+    query: z4.object({
+      name: z4.string().min(1, "Missing name query parameter"),
+      scope: z4.string().optional()
     }),
     responses: {
       200: composeResponseSchema,
@@ -533,7 +527,8 @@ var composesMainContract = c2.router({
   create: {
     method: "POST",
     path: "/api/agent/composes",
-    body: z3.object({
+    headers: authHeadersSchema,
+    body: z4.object({
       content: agentComposeContentSchema
     }),
     responses: {
@@ -553,8 +548,9 @@ var composesByIdContract = c2.router({
   getById: {
     method: "GET",
     path: "/api/agent/composes/:id",
-    pathParams: z3.object({
-      id: z3.string().min(1, "Compose ID is required")
+    headers: authHeadersSchema,
+    pathParams: z4.object({
+      id: z4.string().min(1, "Compose ID is required")
     }),
     responses: {
       200: composeResponseSchema,
@@ -572,14 +568,15 @@ var composesVersionsContract = c2.router({
   resolveVersion: {
     method: "GET",
     path: "/api/agent/composes/versions",
-    query: z3.object({
-      composeId: z3.string().min(1, "Missing composeId query parameter"),
+    headers: authHeadersSchema,
+    query: z4.object({
+      composeId: z4.string().min(1, "Missing composeId query parameter"),
       version: composeVersionQuerySchema
     }),
     responses: {
-      200: z3.object({
-        versionId: z3.string(),
-        tag: z3.string().optional()
+      200: z4.object({
+        versionId: z4.string(),
+        tag: z4.string().optional()
       }),
       400: apiErrorSchema,
       401: apiErrorSchema,
@@ -588,10 +585,10 @@ var composesVersionsContract = c2.router({
     summary: "Resolve version specifier to full version ID"
   }
 });
-var composeListItemSchema = z3.object({
-  name: z3.string(),
-  headVersionId: z3.string().nullable(),
-  updatedAt: z3.string()
+var composeListItemSchema = z4.object({
+  name: z4.string(),
+  headVersionId: z4.string().nullable(),
+  updatedAt: z4.string()
 });
 var composesListContract = c2.router({
   /**
@@ -602,12 +599,13 @@ var composesListContract = c2.router({
   list: {
     method: "GET",
     path: "/api/agent/composes/list",
-    query: z3.object({
-      scope: z3.string().optional()
+    headers: authHeadersSchema,
+    query: z4.object({
+      scope: z4.string().optional()
     }),
     responses: {
-      200: z3.object({
-        composes: z3.array(composeListItemSchema)
+      200: z4.object({
+        composes: z4.array(composeListItemSchema)
       }),
       400: apiErrorSchema,
       401: apiErrorSchema
@@ -617,85 +615,85 @@ var composesListContract = c2.router({
 });
 
 // ../../packages/core/src/contracts/runs.ts
-import { z as z4 } from "zod";
+import { z as z5 } from "zod";
 var c3 = initContract();
-var runStatusSchema = z4.enum([
+var runStatusSchema = z5.enum([
   "pending",
   "running",
   "completed",
   "failed",
   "timeout"
 ]);
-var unifiedRunRequestSchema = z4.object({
+var unifiedRunRequestSchema = z5.object({
   // High-level shortcuts (mutually exclusive with each other)
-  checkpointId: z4.string().optional(),
-  sessionId: z4.string().optional(),
+  checkpointId: z5.string().optional(),
+  sessionId: z5.string().optional(),
   // Base parameters (can be used directly or overridden after shortcut expansion)
-  agentComposeId: z4.string().optional(),
-  agentComposeVersionId: z4.string().optional(),
-  conversationId: z4.string().optional(),
-  artifactName: z4.string().optional(),
-  artifactVersion: z4.string().optional(),
-  vars: z4.record(z4.string(), z4.string()).optional(),
-  secrets: z4.record(z4.string(), z4.string()).optional(),
-  volumeVersions: z4.record(z4.string(), z4.string()).optional(),
+  agentComposeId: z5.string().optional(),
+  agentComposeVersionId: z5.string().optional(),
+  conversationId: z5.string().optional(),
+  artifactName: z5.string().optional(),
+  artifactVersion: z5.string().optional(),
+  vars: z5.record(z5.string(), z5.string()).optional(),
+  secrets: z5.record(z5.string(), z5.string()).optional(),
+  volumeVersions: z5.record(z5.string(), z5.string()).optional(),
   // Debug flag to force real Claude in mock environments (internal use only)
-  debugNoMockClaude: z4.boolean().optional(),
+  debugNoMockClaude: z5.boolean().optional(),
   // Model provider for automatic credential injection
-  modelProvider: z4.string().optional(),
+  modelProvider: z5.string().optional(),
   // Required
-  prompt: z4.string().min(1, "Missing prompt")
+  prompt: z5.string().min(1, "Missing prompt")
 });
-var createRunResponseSchema = z4.object({
-  runId: z4.string(),
+var createRunResponseSchema = z5.object({
+  runId: z5.string(),
   status: runStatusSchema,
-  sandboxId: z4.string().optional(),
-  output: z4.string().optional(),
-  error: z4.string().optional(),
-  executionTimeMs: z4.number().optional(),
-  createdAt: z4.string()
-});
-var getRunResponseSchema = z4.object({
-  runId: z4.string(),
-  agentComposeVersionId: z4.string(),
+  sandboxId: z5.string().optional(),
+  output: z5.string().optional(),
+  error: z5.string().optional(),
+  executionTimeMs: z5.number().optional(),
+  createdAt: z5.string()
+});
+var getRunResponseSchema = z5.object({
+  runId: z5.string(),
+  agentComposeVersionId: z5.string(),
   status: runStatusSchema,
-  prompt: z4.string(),
-  vars: z4.record(z4.string(), z4.string()).optional(),
-  sandboxId: z4.string().optional(),
-  result: z4.object({
-    output: z4.string(),
-    executionTimeMs: z4.number()
+  prompt: z5.string(),
+  vars: z5.record(z5.string(), z5.string()).optional(),
+  sandboxId: z5.string().optional(),
+  result: z5.object({
+    output: z5.string(),
+    executionTimeMs: z5.number()
   }).optional(),
-  error: z4.string().optional(),
-  createdAt: z4.string(),
-  startedAt: z4.string().optional(),
-  completedAt: z4.string().optional()
-});
-var runEventSchema = z4.object({
-  sequenceNumber: z4.number(),
-  eventType: z4.string(),
-  eventData: z4.unknown(),
-  createdAt: z4.string()
-});
-var runResultSchema = z4.object({
-  checkpointId: z4.string(),
-  agentSessionId: z4.string(),
-  conversationId: z4.string(),
-  artifact: z4.record(z4.string(), z4.string()).optional(),
+  error: z5.string().optional(),
+  createdAt: z5.string(),
+  startedAt: z5.string().optional(),
+  completedAt: z5.string().optional()
+});
+var runEventSchema = z5.object({
+  sequenceNumber: z5.number(),
+  eventType: z5.string(),
+  eventData: z5.unknown(),
+  createdAt: z5.string()
+});
+var runResultSchema = z5.object({
+  checkpointId: z5.string(),
+  agentSessionId: z5.string(),
+  conversationId: z5.string(),
+  artifact: z5.record(z5.string(), z5.string()).optional(),
   // optional when run has no artifact
-  volumes: z4.record(z4.string(), z4.string()).optional()
+  volumes: z5.record(z5.string(), z5.string()).optional()
 });
-var runStateSchema = z4.object({
+var runStateSchema = z5.object({
   status: runStatusSchema,
   result: runResultSchema.optional(),
-  error: z4.string().optional()
+  error: z5.string().optional()
 });
-var eventsResponseSchema = z4.object({
-  events: z4.array(runEventSchema),
-  hasMore: z4.boolean(),
-  nextSequence: z4.number(),
+var eventsResponseSchema = z5.object({
+  events: z5.array(runEventSchema),
+  hasMore: z5.boolean(),
+  nextSequence: z5.number(),
   run: runStateSchema,
-  framework: z4.string()
+  framework: z5.string()
 });
 var runsMainContract = c3.router({
   /**
@@ -705,6 +703,7 @@ var runsMainContract = c3.router({
   create: {
     method: "POST",
     path: "/api/agent/runs",
+    headers: authHeadersSchema,
     body: unifiedRunRequestSchema,
     responses: {
       201: createRunResponseSchema,
@@ -723,8 +722,9 @@ var runsByIdContract = c3.router({
   getById: {
     method: "GET",
     path: "/api/agent/runs/:id",
-    pathParams: z4.object({
-      id: z4.string().min(1, "Run ID is required")
+    headers: authHeadersSchema,
+    pathParams: z5.object({
+      id: z5.string().min(1, "Run ID is required")
     }),
     responses: {
       200: getRunResponseSchema,
@@ -743,12 +743,13 @@ var runEventsContract = c3.router({
   getEvents: {
     method: "GET",
     path: "/api/agent/runs/:id/events",
-    pathParams: z4.object({
-      id: z4.string().min(1, "Run ID is required")
+    headers: authHeadersSchema,
+    pathParams: z5.object({
+      id: z5.string().min(1, "Run ID is required")
     }),
-    query: z4.object({
-      since: z4.coerce.number().default(-1),
-      limit: z4.coerce.number().default(100)
+    query: z5.object({
+      since: z5.coerce.number().default(-1),
+      limit: z5.coerce.number().default(100)
     }),
     responses: {
       200: eventsResponseSchema,
@@ -758,50 +759,50 @@ var runEventsContract = c3.router({
     summary: "Get agent run events"
   }
 });
-var telemetryMetricSchema = z4.object({
-  ts: z4.string(),
-  cpu: z4.number(),
-  mem_used: z4.number(),
-  mem_total: z4.number(),
-  disk_used: z4.number(),
-  disk_total: z4.number()
+var telemetryMetricSchema = z5.object({
+  ts: z5.string(),
+  cpu: z5.number(),
+  mem_used: z5.number(),
+  mem_total: z5.number(),
+  disk_used: z5.number(),
+  disk_total: z5.number()
 });
-var systemLogResponseSchema = z4.object({
-  systemLog: z4.string(),
-  hasMore: z4.boolean()
+var systemLogResponseSchema = z5.object({
+  systemLog: z5.string(),
+  hasMore: z5.boolean()
 });
-var metricsResponseSchema = z4.object({
-  metrics: z4.array(telemetryMetricSchema),
-  hasMore: z4.boolean()
+var metricsResponseSchema = z5.object({
+  metrics: z5.array(telemetryMetricSchema),
+  hasMore: z5.boolean()
 });
-var agentEventsResponseSchema = z4.object({
-  events: z4.array(runEventSchema),
-  hasMore: z4.boolean(),
-  framework: z4.string()
+var agentEventsResponseSchema = z5.object({
+  events: z5.array(runEventSchema),
+  hasMore: z5.boolean(),
+  framework: z5.string()
 });
-var networkLogEntrySchema = z4.object({
-  timestamp: z4.string(),
+var networkLogEntrySchema = z5.object({
+  timestamp: z5.string(),
   // Common fields (all modes)
-  mode: z4.enum(["mitm", "sni"]).optional(),
-  action: z4.enum(["ALLOW", "DENY"]).optional(),
-  host: z4.string().optional(),
-  port: z4.number().optional(),
-  rule_matched: z4.string().nullable().optional(),
+  mode: z5.enum(["mitm", "sni"]).optional(),
+  action: z5.enum(["ALLOW", "DENY"]).optional(),
+  host: z5.string().optional(),
+  port: z5.number().optional(),
+  rule_matched: z5.string().nullable().optional(),
   // MITM-only fields (optional)
-  method: z4.string().optional(),
-  url: z4.string().optional(),
-  status: z4.number().optional(),
-  latency_ms: z4.number().optional(),
-  request_size: z4.number().optional(),
-  response_size: z4.number().optional()
+  method: z5.string().optional(),
+  url: z5.string().optional(),
+  status: z5.number().optional(),
+  latency_ms: z5.number().optional(),
+  request_size: z5.number().optional(),
+  response_size: z5.number().optional()
 });
-var networkLogsResponseSchema = z4.object({
-  networkLogs: z4.array(networkLogEntrySchema),
-  hasMore: z4.boolean()
+var networkLogsResponseSchema = z5.object({
+  networkLogs: z5.array(networkLogEntrySchema),
+  hasMore: z5.boolean()
 });
-var telemetryResponseSchema = z4.object({
-  systemLog: z4.string(),
-  metrics: z4.array(telemetryMetricSchema)
+var telemetryResponseSchema = z5.object({
+  systemLog: z5.string(),
+  metrics: z5.array(telemetryMetricSchema)
 });
 var runTelemetryContract = c3.router({
   /**
@@ -811,8 +812,9 @@ var runTelemetryContract = c3.router({
   getTelemetry: {
     method: "GET",
     path: "/api/agent/runs/:id/telemetry",
-    pathParams: z4.object({
-      id: z4.string().min(1, "Run ID is required")
+    headers: authHeadersSchema,
+    pathParams: z5.object({
+      id: z5.string().min(1, "Run ID is required")
     }),
     responses: {
       200: telemetryResponseSchema,
@@ -830,13 +832,14 @@ var runSystemLogContract = c3.router({
   getSystemLog: {
     method: "GET",
     path: "/api/agent/runs/:id/telemetry/system-log",
-    pathParams: z4.object({
-      id: z4.string().min(1, "Run ID is required")
+    headers: authHeadersSchema,
+    pathParams: z5.object({
+      id: z5.string().min(1, "Run ID is required")
     }),
-    query: z4.object({
-      since: z4.coerce.number().optional(),
-      limit: z4.coerce.number().min(1).max(100).default(5),
-      order: z4.enum(["asc", "desc"]).default("desc")
+    query: z5.object({
+      since: z5.coerce.number().optional(),
+      limit: z5.coerce.number().min(1).max(100).default(5),
+      order: z5.enum(["asc", "desc"]).default("desc")
     }),
     responses: {
       200: systemLogResponseSchema,
@@ -854,13 +857,14 @@ var runMetricsContract = c3.router({
   getMetrics: {
     method: "GET",
     path: "/api/agent/runs/:id/telemetry/metrics",
-    pathParams: z4.object({
-      id: z4.string().min(1, "Run ID is required")
+    headers: authHeadersSchema,
+    pathParams: z5.object({
+      id: z5.string().min(1, "Run ID is required")
     }),
-    query: z4.object({
-      since: z4.coerce.number().optional(),
-      limit: z4.coerce.number().min(1).max(100).default(5),
-      order: z4.enum(["asc", "desc"]).default("desc")
+    query: z5.object({
+      since: z5.coerce.number().optional(),
+      limit: z5.coerce.number().min(1).max(100).default(5),
+      order: z5.enum(["asc", "desc"]).default("desc")
     }),
     responses: {
       200: metricsResponseSchema,
@@ -878,13 +882,14 @@ var runAgentEventsContract = c3.router({
   getAgentEvents: {
     method: "GET",
     path: "/api/agent/runs/:id/telemetry/agent",
-    pathParams: z4.object({
-      id: z4.string().min(1, "Run ID is required")
+    headers: authHeadersSchema,
+    pathParams: z5.object({
+      id: z5.string().min(1, "Run ID is required")
     }),
-    query: z4.object({
-      since: z4.coerce.number().optional(),
-      limit: z4.coerce.number().min(1).max(100).default(5),
-      order: z4.enum(["asc", "desc"]).default("desc")
+    query: z5.object({
+      since: z5.coerce.number().optional(),
+      limit: z5.coerce.number().min(1).max(100).default(5),
+      order: z5.enum(["asc", "desc"]).default("desc")
     }),
     responses: {
       200: agentEventsResponseSchema,
@@ -902,13 +907,14 @@ var runNetworkLogsContract = c3.router({
   getNetworkLogs: {
     method: "GET",
     path: "/api/agent/runs/:id/telemetry/network",
-    pathParams: z4.object({
-      id: z4.string().min(1, "Run ID is required")
+    headers: authHeadersSchema,
+    pathParams: z5.object({
+      id: z5.string().min(1, "Run ID is required")
     }),
-    query: z4.object({
-      since: z4.coerce.number().optional(),
-      limit: z4.coerce.number().min(1).max(100).default(5),
-      order: z4.enum(["asc", "desc"]).default("desc")
+    query: z5.object({
+      since: z5.coerce.number().optional(),
+      limit: z5.coerce.number().min(1).max(100).default(5),
+      order: z5.enum(["asc", "desc"]).default("desc")
     }),
     responses: {
       200: networkLogsResponseSchema,
@@ -920,20 +926,20 @@ var runNetworkLogsContract = c3.router({
 });
 
 // ../../packages/core/src/contracts/storages.ts
-import { z as z5 } from "zod";
+import { z as z6 } from "zod";
 var c4 = initContract();
-var storageTypeSchema = z5.enum(["volume", "artifact"]);
-var versionQuerySchema = z5.preprocess(
+var storageTypeSchema = z6.enum(["volume", "artifact"]);
+var versionQuerySchema = z6.preprocess(
   (val) => val === void 0 || val === null ? void 0 : String(val),
-  z5.string().regex(/^[a-f0-9]{8,64}$/i, "Version must be 8-64 hex characters").optional()
+  z6.string().regex(/^[a-f0-9]{8,64}$/i, "Version must be 8-64 hex characters").optional()
 );
-var uploadStorageResponseSchema = z5.object({
-  name: z5.string(),
-  versionId: z5.string(),
-  size: z5.number(),
-  fileCount: z5.number(),
+var uploadStorageResponseSchema = z6.object({
+  name: z6.string(),
+  versionId: z6.string(),
+  size: z6.number(),
+  fileCount: z6.number(),
   type: storageTypeSchema,
-  deduplicated: z5.boolean()
+  deduplicated: z6.boolean()
 });
 var storagesContract = c4.router({
   /**
@@ -950,6 +956,7 @@ var storagesContract = c4.router({
   upload: {
     method: "POST",
     path: "/api/storages",
+    headers: authHeadersSchema,
     contentType: "multipart/form-data",
     body: c4.type(),
     responses: {
@@ -973,8 +980,9 @@ var storagesContract = c4.router({
   download: {
     method: "GET",
     path: "/api/storages",
-    query: z5.object({
-      name: z5.string().min(1, "Storage name is required"),
+    headers: authHeadersSchema,
+    query: z6.object({
+      name: z6.string().min(1, "Storage name is required"),
       version: versionQuerySchema
     }),
     responses: {
@@ -991,40 +999,41 @@ var storagesContract = c4.router({
     summary: "Download storage archive"
   }
 });
-var fileEntryWithHashSchema = z5.object({
-  path: z5.string().min(1, "File path is required"),
-  hash: z5.string().length(64, "Hash must be SHA-256 (64 hex chars)"),
-  size: z5.number().int().min(0, "Size must be non-negative")
+var fileEntryWithHashSchema = z6.object({
+  path: z6.string().min(1, "File path is required"),
+  hash: z6.string().length(64, "Hash must be SHA-256 (64 hex chars)"),
+  size: z6.number().int().min(0, "Size must be non-negative")
 });
-var storageChangesSchema = z5.object({
-  added: z5.array(z5.string()),
-  modified: z5.array(z5.string()),
-  deleted: z5.array(z5.string())
+var storageChangesSchema = z6.object({
+  added: z6.array(z6.string()),
+  modified: z6.array(z6.string()),
+  deleted: z6.array(z6.string())
 });
-var presignedUploadSchema = z5.object({
-  key: z5.string(),
-  presignedUrl: z5.string().url()
+var presignedUploadSchema = z6.object({
+  key: z6.string(),
+  presignedUrl: z6.string().url()
 });
 var storagesPrepareContract = c4.router({
   prepare: {
     method: "POST",
     path: "/api/storages/prepare",
-    body: z5.object({
-      storageName: z5.string().min(1, "Storage name is required"),
+    headers: authHeadersSchema,
+    body: z6.object({
+      storageName: z6.string().min(1, "Storage name is required"),
       storageType: storageTypeSchema,
-      files: z5.array(fileEntryWithHashSchema),
-      force: z5.boolean().optional(),
-      runId: z5.string().optional(),
+      files: z6.array(fileEntryWithHashSchema),
+      force: z6.boolean().optional(),
+      runId: z6.string().optional(),
       // For sandbox auth
-      baseVersion: z5.string().optional(),
+      baseVersion: z6.string().optional(),
       // For incremental uploads
       changes: storageChangesSchema.optional()
     }),
     responses: {
-      200: z5.object({
-        versionId: z5.string(),
-        existing: z5.boolean(),
-        uploads: z5.object({
+      200: z6.object({
+        versionId: z6.string(),
+        existing: z6.boolean(),
+        uploads: z6.object({
           archive: presignedUploadSchema,
           manifest: presignedUploadSchema
         }).optional()
@@ -1041,22 +1050,23 @@ var storagesCommitContract = c4.router({
   commit: {
     method: "POST",
     path: "/api/storages/commit",
-    body: z5.object({
-      storageName: z5.string().min(1, "Storage name is required"),
+    headers: authHeadersSchema,
+    body: z6.object({
+      storageName: z6.string().min(1, "Storage name is required"),
       storageType: storageTypeSchema,
-      versionId: z5.string().min(1, "Version ID is required"),
-      files: z5.array(fileEntryWithHashSchema),
-      runId: z5.string().optional(),
-      message: z5.string().optional()
+      versionId: z6.string().min(1, "Version ID is required"),
+      files: z6.array(fileEntryWithHashSchema),
+      runId: z6.string().optional(),
+      message: z6.string().optional()
     }),
     responses: {
-      200: z5.object({
-        success: z5.literal(true),
-        versionId: z5.string(),
-        storageName: z5.string(),
-        size: z5.number(),
-        fileCount: z5.number(),
-        deduplicated: z5.boolean().optional()
+      200: z6.object({
+        success: z6.literal(true),
+        versionId: z6.string(),
+        storageName: z6.string(),
+        size: z6.number(),
+        fileCount: z6.number(),
+        deduplicated: z6.boolean().optional()
       }),
       400: apiErrorSchema,
       401: apiErrorSchema,
@@ -1072,26 +1082,27 @@ var storagesDownloadContract = c4.router({
   download: {
     method: "GET",
     path: "/api/storages/download",
-    query: z5.object({
-      name: z5.string().min(1, "Storage name is required"),
+    headers: authHeadersSchema,
+    query: z6.object({
+      name: z6.string().min(1, "Storage name is required"),
       type: storageTypeSchema,
       version: versionQuerySchema
     }),
     responses: {
       // Normal response with presigned URL
-      200: z5.union([
-        z5.object({
-          url: z5.string().url(),
-          versionId: z5.string(),
-          fileCount: z5.number(),
-          size: z5.number()
+      200: z6.union([
+        z6.object({
+          url: z6.string().url(),
+          versionId: z6.string(),
+          fileCount: z6.number(),
+          size: z6.number()
         }),
         // Empty artifact response
-        z5.object({
-          empty: z5.literal(true),
-          versionId: z5.string(),
-          fileCount: z5.literal(0),
-          size: z5.literal(0)
+        z6.object({
+          empty: z6.literal(true),
+          versionId: z6.string(),
+          fileCount: z6.literal(0),
+          size: z6.literal(0)
         })
       ]),
       400: apiErrorSchema,
@@ -1106,16 +1117,17 @@ var storagesListContract = c4.router({
   list: {
     method: "GET",
     path: "/api/storages/list",
-    query: z5.object({
+    headers: authHeadersSchema,
+    query: z6.object({
       type: storageTypeSchema
     }),
     responses: {
-      200: z5.array(
-        z5.object({
-          name: z5.string(),
-          size: z5.number(),
-          fileCount: z5.number(),
-          updatedAt: z5.string()
+      200: z6.array(
+        z6.object({
+          name: z6.string(),
+          size: z6.number(),
+          fileCount: z6.number(),
+          updatedAt: z6.string()
         })
       ),
       401: apiErrorSchema,
@@ -1126,18 +1138,18 @@ var storagesListContract = c4.router({
 });
 
 // ../../packages/core/src/contracts/webhooks.ts
-import { z as z6 } from "zod";
+import { z as z7 } from "zod";
 var c5 = initContract();
-var agentEventSchema = z6.object({
-  type: z6.string(),
-  sequenceNumber: z6.number().int().nonnegative()
+var agentEventSchema = z7.object({
+  type: z7.string(),
+  sequenceNumber: z7.number().int().nonnegative()
 }).passthrough();
-var artifactSnapshotSchema = z6.object({
-  artifactName: z6.string(),
-  artifactVersion: z6.string()
+var artifactSnapshotSchema = z7.object({
+  artifactName: z7.string(),
+  artifactVersion: z7.string()
 });
-var volumeVersionsSnapshotSchema = z6.object({
-  versions: z6.record(z6.string(), z6.string())
+var volumeVersionsSnapshotSchema = z7.object({
+  versions: z7.record(z7.string(), z7.string())
 });
 var webhookEventsContract = c5.router({
   /**
@@ -1147,15 +1159,16 @@ var webhookEventsContract = c5.router({
   send: {
     method: "POST",
     path: "/api/webhooks/agent/events",
-    body: z6.object({
-      runId: z6.string().min(1, "runId is required"),
-      events: z6.array(agentEventSchema).min(1, "events array cannot be empty")
+    headers: authHeadersSchema,
+    body: z7.object({
+      runId: z7.string().min(1, "runId is required"),
+      events: z7.array(agentEventSchema).min(1, "events array cannot be empty")
     }),
     responses: {
-      200: z6.object({
-        received: z6.number(),
-        firstSequence: z6.number(),
-        lastSequence: z6.number()
+      200: z7.object({
+        received: z7.number(),
+        firstSequence: z7.number(),
+        lastSequence: z7.number()
       }),
       400: apiErrorSchema,
       401: apiErrorSchema,
@@ -1173,15 +1186,16 @@ var webhookCompleteContract = c5.router({
   complete: {
     method: "POST",
     path: "/api/webhooks/agent/complete",
-    body: z6.object({
-      runId: z6.string().min(1, "runId is required"),
-      exitCode: z6.number(),
-      error: z6.string().optional()
+    headers: authHeadersSchema,
+    body: z7.object({
+      runId: z7.string().min(1, "runId is required"),
+      exitCode: z7.number(),
+      error: z7.string().optional()
     }),
     responses: {
-      200: z6.object({
-        success: z6.boolean(),
-        status: z6.enum(["completed", "failed"])
+      200: z7.object({
+        success: z7.boolean(),
+        status: z7.enum(["completed", "failed"])
       }),
       400: apiErrorSchema,
       401: apiErrorSchema,
@@ -1199,21 +1213,22 @@ var webhookCheckpointsContract = c5.router({
   create: {
     method: "POST",
     path: "/api/webhooks/agent/checkpoints",
-    body: z6.object({
-      runId: z6.string().min(1, "runId is required"),
-      cliAgentType: z6.string().min(1, "cliAgentType is required"),
-      cliAgentSessionId: z6.string().min(1, "cliAgentSessionId is required"),
-      cliAgentSessionHistory: z6.string().min(1, "cliAgentSessionHistory is required"),
+    headers: authHeadersSchema,
+    body: z7.object({
+      runId: z7.string().min(1, "runId is required"),
+      cliAgentType: z7.string().min(1, "cliAgentType is required"),
+      cliAgentSessionId: z7.string().min(1, "cliAgentSessionId is required"),
+      cliAgentSessionHistory: z7.string().min(1, "cliAgentSessionHistory is required"),
       artifactSnapshot: artifactSnapshotSchema.optional(),
       volumeVersionsSnapshot: volumeVersionsSnapshotSchema.optional()
     }),
     responses: {
-      200: z6.object({
-        checkpointId: z6.string(),
-        agentSessionId: z6.string(),
-        conversationId: z6.string(),
+      200: z7.object({
+        checkpointId: z7.string(),
+        agentSessionId: z7.string(),
+        conversationId: z7.string(),
         artifact: artifactSnapshotSchema.optional(),
-        volumes: z6.record(z6.string(), z6.string()).optional()
+        volumes: z7.record(z7.string(), z7.string()).optional()
       }),
       400: apiErrorSchema,
       401: apiErrorSchema,
@@ -1231,12 +1246,13 @@ var webhookHeartbeatContract = c5.router({
   send: {
     method: "POST",
     path: "/api/webhooks/agent/heartbeat",
-    body: z6.object({
-      runId: z6.string().min(1, "runId is required")
+    headers: authHeadersSchema,
+    body: z7.object({
+      runId: z7.string().min(1, "runId is required")
     }),
     responses: {
-      200: z6.object({
-        ok: z6.boolean()
+      200: z7.object({
+        ok: z7.boolean()
       }),
       400: apiErrorSchema,
       401: apiErrorSchema,
@@ -1260,14 +1276,15 @@ var webhookStoragesContract = c5.router({
   upload: {
     method: "POST",
     path: "/api/webhooks/agent/storages",
+    headers: authHeadersSchema,
     contentType: "multipart/form-data",
     body: c5.type(),
     responses: {
-      200: z6.object({
-        versionId: z6.string(),
-        storageName: z6.string(),
-        size: z6.number(),
-        fileCount: z6.number()
+      200: z7.object({
+        versionId: z7.string(),
+        storageName: z7.string(),
+        size: z7.number(),
+        fileCount: z7.number()
       }),
       400: apiErrorSchema,
       401: apiErrorSchema,
@@ -1293,20 +1310,21 @@ var webhookStoragesIncrementalContract = c5.router({
   upload: {
     method: "POST",
     path: "/api/webhooks/agent/storages/incremental",
+    headers: authHeadersSchema,
     contentType: "multipart/form-data",
     body: c5.type(),
     responses: {
-      200: z6.object({
-        versionId: z6.string(),
-        storageName: z6.string(),
-        size: z6.number(),
-        fileCount: z6.number(),
-        incrementalStats: z6.object({
-          addedFiles: z6.number(),
-          modifiedFiles: z6.number(),
-          deletedFiles: z6.number(),
-          unchangedFiles: z6.number(),
-          bytesUploaded: z6.number()
+      200: z7.object({
+        versionId: z7.string(),
+        storageName: z7.string(),
+        size: z7.number(),
+        fileCount: z7.number(),
+        incrementalStats: z7.object({
+          addedFiles: z7.number(),
+          modifiedFiles: z7.number(),
+          deletedFiles: z7.number(),
+          unchangedFiles: z7.number(),
+          bytesUploaded: z7.number()
         }).optional()
       }),
       400: apiErrorSchema,
@@ -1317,36 +1335,36 @@ var webhookStoragesIncrementalContract = c5.router({
     summary: "Upload storage version incrementally from sandbox"
   }
 });
-var metricDataSchema = z6.object({
-  ts: z6.string(),
-  cpu: z6.number(),
-  mem_used: z6.number(),
-  mem_total: z6.number(),
-  disk_used: z6.number(),
-  disk_total: z6.number()
+var metricDataSchema = z7.object({
+  ts: z7.string(),
+  cpu: z7.number(),
+  mem_used: z7.number(),
+  mem_total: z7.number(),
+  disk_used: z7.number(),
+  disk_total: z7.number()
 });
-var sandboxOperationSchema = z6.object({
-  ts: z6.string(),
-  action_type: z6.string(),
-  duration_ms: z6.number(),
-  success: z6.boolean(),
-  error: z6.string().optional()
+var sandboxOperationSchema = z7.object({
+  ts: z7.string(),
+  action_type: z7.string(),
+  duration_ms: z7.number(),
+  success: z7.boolean(),
+  error: z7.string().optional()
 });
-var networkLogSchema = z6.object({
-  timestamp: z6.string(),
+var networkLogSchema = z7.object({
+  timestamp: z7.string(),
   // Common fields (all modes)
-  mode: z6.enum(["mitm", "sni"]).optional(),
-  action: z6.enum(["ALLOW", "DENY"]).optional(),
-  host: z6.string().optional(),
-  port: z6.number().optional(),
-  rule_matched: z6.string().nullable().optional(),
+  mode: z7.enum(["mitm", "sni"]).optional(),
+  action: z7.enum(["ALLOW", "DENY"]).optional(),
+  host: z7.string().optional(),
+  port: z7.number().optional(),
+  rule_matched: z7.string().nullable().optional(),
   // MITM-only fields (optional)
-  method: z6.string().optional(),
-  url: z6.string().optional(),
-  status: z6.number().optional(),
-  latency_ms: z6.number().optional(),
-  request_size: z6.number().optional(),
-  response_size: z6.number().optional()
+  method: z7.string().optional(),
+  url: z7.string().optional(),
+  status: z7.number().optional(),
+  latency_ms: z7.number().optional(),
+  request_size: z7.number().optional(),
+  response_size: z7.number().optional()
 });
 var webhookTelemetryContract = c5.router({
   /**
@@ -1356,17 +1374,18 @@ var webhookTelemetryContract = c5.router({
   send: {
     method: "POST",
     path: "/api/webhooks/agent/telemetry",
-    body: z6.object({
-      runId: z6.string().min(1, "runId is required"),
-      systemLog: z6.string().optional(),
-      metrics: z6.array(metricDataSchema).optional(),
-      networkLogs: z6.array(networkLogSchema).optional(),
-      sandboxOperations: z6.array(sandboxOperationSchema).optional()
+    headers: authHeadersSchema,
+    body: z7.object({
+      runId: z7.string().min(1, "runId is required"),
+      systemLog: z7.string().optional(),
+      metrics: z7.array(metricDataSchema).optional(),
+      networkLogs: z7.array(networkLogSchema).optional(),
+      sandboxOperations: z7.array(sandboxOperationSchema).optional()
     }),
     responses: {
-      200: z6.object({
-        success: z6.boolean(),
-        id: z6.string()
+      200: z7.object({
+        success: z7.boolean(),
+        id: z7.string()
       }),
       400: apiErrorSchema,
       401: apiErrorSchema,
@@ -1380,21 +1399,22 @@ var webhookStoragesPrepareContract = c5.router({
   prepare: {
     method: "POST",
     path: "/api/webhooks/agent/storages/prepare",
-    body: z6.object({
-      runId: z6.string().min(1, "runId is required"),
+    headers: authHeadersSchema,
+    body: z7.object({
+      runId: z7.string().min(1, "runId is required"),
       // Required for webhook auth
-      storageName: z6.string().min(1, "Storage name is required"),
+      storageName: z7.string().min(1, "Storage name is required"),
       storageType: storageTypeSchema,
-      files: z6.array(fileEntryWithHashSchema),
-      force: z6.boolean().optional(),
-      baseVersion: z6.string().optional(),
+      files: z7.array(fileEntryWithHashSchema),
+      force: z7.boolean().optional(),
+      baseVersion: z7.string().optional(),
       changes: storageChangesSchema.optional()
     }),
     responses: {
-      200: z6.object({
-        versionId: z6.string(),
-        existing: z6.boolean(),
-        uploads: z6.object({
+      200: z7.object({
+        versionId: z7.string(),
+        existing: z7.boolean(),
+        uploads: z7.object({
           archive: presignedUploadSchema,
           manifest: presignedUploadSchema
         }).optional()
@@ -1411,23 +1431,24 @@ var webhookStoragesCommitContract = c5.router({
   commit: {
     method: "POST",
     path: "/api/webhooks/agent/storages/commit",
-    body: z6.object({
-      runId: z6.string().min(1, "runId is required"),
+    headers: authHeadersSchema,
+    body: z7.object({
+      runId: z7.string().min(1, "runId is required"),
       // Required for webhook auth
-      storageName: z6.string().min(1, "Storage name is required"),
+      storageName: z7.string().min(1, "Storage name is required"),
       storageType: storageTypeSchema,
-      versionId: z6.string().min(1, "Version ID is required"),
-      files: z6.array(fileEntryWithHashSchema),
-      message: z6.string().optional()
+      versionId: z7.string().min(1, "Version ID is required"),
+      files: z7.array(fileEntryWithHashSchema),
+      message: z7.string().optional()
     }),
     responses: {
-      200: z6.object({
-        success: z6.literal(true),
-        versionId: z6.string(),
-        storageName: z6.string(),
-        size: z6.number(),
-        fileCount: z6.number(),
-        deduplicated: z6.boolean().optional()
+      200: z7.object({
+        success: z7.literal(true),
+        versionId: z7.string(),
+        storageName: z7.string(),
+        size: z7.number(),
+        fileCount: z7.number(),
+        deduplicated: z7.boolean().optional()
       }),
       400: apiErrorSchema,
       401: apiErrorSchema,
@@ -1441,11 +1462,11 @@ var webhookStoragesCommitContract = c5.router({
 });
 
 // ../../packages/core/src/contracts/cli-auth.ts
-import { z as z7 } from "zod";
+import { z as z8 } from "zod";
 var c6 = initContract();
-var oauthErrorSchema = z7.object({
-  error: z7.string(),
-  error_description: z7.string()
+var oauthErrorSchema = z8.object({
+  error: z8.string(),
+  error_description: z8.string()
 });
 var cliAuthDeviceContract = c6.router({
   /**
@@ -1455,14 +1476,14 @@ var cliAuthDeviceContract = c6.router({
   create: {
     method: "POST",
     path: "/api/cli/auth/device",
-    body: z7.object({}).optional(),
+    body: z8.object({}).optional(),
     responses: {
-      200: z7.object({
-        device_code: z7.string(),
-        user_code: z7.string(),
-        verification_url: z7.string(),
-        expires_in: z7.number(),
-        interval: z7.number()
+      200: z8.object({
+        device_code: z8.string(),
+        user_code: z8.string(),
+        verification_url: z8.string(),
+        expires_in: z8.number(),
+        interval: z8.number()
       }),
       500: oauthErrorSchema
     },
@@ -1477,16 +1498,16 @@ var cliAuthTokenContract = c6.router({
   exchange: {
     method: "POST",
     path: "/api/cli/auth/token",
-    body: z7.object({
-      device_code: z7.string().min(1, "device_code is required")
+    body: z8.object({
+      device_code: z8.string().min(1, "device_code is required")
     }),
     responses: {
       // Success - token issued
-      200: z7.object({
-        access_token: z7.string(),
-        refresh_token: z7.string(),
-        token_type: z7.literal("Bearer"),
-        expires_in: z7.number()
+      200: z8.object({
+        access_token: z8.string(),
+        refresh_token: z8.string(),
+        token_type: z8.literal("Bearer"),
+        expires_in: z8.number()
       }),
       // Authorization pending
       202: oauthErrorSchema,
@@ -1499,7 +1520,7 @@ var cliAuthTokenContract = c6.router({
 });
 
 // ../../packages/core/src/contracts/auth.ts
-import { z as z8 } from "zod";
+import { z as z9 } from "zod";
 var c7 = initContract();
 var authContract = c7.router({
   /**
@@ -1509,10 +1530,11 @@ var authContract = c7.router({
   me: {
     method: "GET",
     path: "/api/auth/me",
+    headers: authHeadersSchema,
     responses: {
-      200: z8.object({
-        userId: z8.string(),
-        email: z8.string()
+      200: z9.object({
+        userId: z9.string(),
+        email: z9.string()
       }),
       401: apiErrorSchema,
       404: apiErrorSchema,
@@ -1523,18 +1545,18 @@ var authContract = c7.router({
 });
 
 // ../../packages/core/src/contracts/cron.ts
-import { z as z9 } from "zod";
+import { z as z10 } from "zod";
 var c8 = initContract();
-var cleanupResultSchema = z9.object({
-  runId: z9.string(),
-  sandboxId: z9.string().nullable(),
-  status: z9.enum(["cleaned", "error"]),
-  error: z9.string().optional()
+var cleanupResultSchema = z10.object({
+  runId: z10.string(),
+  sandboxId: z10.string().nullable(),
+  status: z10.enum(["cleaned", "error"]),
+  error: z10.string().optional()
 });
-var cleanupResponseSchema = z9.object({
-  cleaned: z9.number(),
-  errors: z9.number(),
-  results: z9.array(cleanupResultSchema)
+var cleanupResponseSchema = z10.object({
+  cleaned: z10.number(),
+  errors: z10.number(),
+  results: z10.array(cleanupResultSchema)
 });
 var cronCleanupSandboxesContract = c8.router({
   /**
@@ -1544,6 +1566,7 @@ var cronCleanupSandboxesContract = c8.router({
   cleanup: {
     method: "GET",
     path: "/api/cron/cleanup-sandboxes",
+    headers: authHeadersSchema,
     responses: {
       200: cleanupResponseSchema,
       401: apiErrorSchema,
@@ -1554,46 +1577,46 @@ var cronCleanupSandboxesContract = c8.router({
 });
 
 // ../../packages/core/src/contracts/proxy.ts
-import { z as z10 } from "zod";
-var proxyErrorSchema = z10.object({
-  error: z10.object({
-    message: z10.string(),
-    code: z10.enum([
+import { z as z11 } from "zod";
+var proxyErrorSchema = z11.object({
+  error: z11.object({
+    message: z11.string(),
+    code: z11.enum([
       "UNAUTHORIZED",
       "BAD_REQUEST",
       "BAD_GATEWAY",
       "INTERNAL_ERROR"
     ]),
-    targetUrl: z10.string().optional()
+    targetUrl: z11.string().optional()
   })
 });
 
 // ../../packages/core/src/contracts/scopes.ts
-import { z as z11 } from "zod";
+import { z as z12 } from "zod";
 var c9 = initContract();
-var scopeTypeSchema = z11.enum(["personal", "organization", "system"]);
-var scopeSlugSchema = z11.string().min(3, "Scope slug must be at least 3 characters").max(64, "Scope slug must be at most 64 characters").regex(
+var scopeTypeSchema = z12.enum(["personal", "organization", "system"]);
+var scopeSlugSchema = z12.string().min(3, "Scope slug must be at least 3 characters").max(64, "Scope slug must be at most 64 characters").regex(
   /^[a-z0-9][a-z0-9-]*[a-z0-9]$|^[a-z0-9]{1,2}$/,
   "Scope slug must contain only lowercase letters, numbers, and hyphens, and must start and end with an alphanumeric character"
 ).refine(
   (slug) => !slug.startsWith("vm0"),
   "Scope slug cannot start with 'vm0' (reserved)"
 ).transform((s) => s.toLowerCase());
-var scopeResponseSchema = z11.object({
-  id: z11.string().uuid(),
-  slug: z11.string(),
+var scopeResponseSchema = z12.object({
+  id: z12.string().uuid(),
+  slug: z12.string(),
   type: scopeTypeSchema,
-  displayName: z11.string().nullable(),
-  createdAt: z11.string(),
-  updatedAt: z11.string()
+  displayName: z12.string().nullable(),
+  createdAt: z12.string(),
+  updatedAt: z12.string()
 });
-var createScopeRequestSchema = z11.object({
+var createScopeRequestSchema = z12.object({
   slug: scopeSlugSchema,
-  displayName: z11.string().max(128).optional()
+  displayName: z12.string().max(128).optional()
 });
-var updateScopeRequestSchema = z11.object({
+var updateScopeRequestSchema = z12.object({
   slug: scopeSlugSchema,
-  force: z11.boolean().optional().default(false)
+  force: z12.boolean().optional().default(false)
 });
 var scopeContract = c9.router({
   /**
@@ -1603,6 +1626,7 @@ var scopeContract = c9.router({
   get: {
     method: "GET",
     path: "/api/scope",
+    headers: authHeadersSchema,
     responses: {
       200: scopeResponseSchema,
       401: apiErrorSchema,
@@ -1618,6 +1642,7 @@ var scopeContract = c9.router({
   create: {
     method: "POST",
     path: "/api/scope",
+    headers: authHeadersSchema,
     body: createScopeRequestSchema,
     responses: {
       201: scopeResponseSchema,
@@ -1635,6 +1660,7 @@ var scopeContract = c9.router({
   update: {
     method: "PUT",
     path: "/api/scope",
+    headers: authHeadersSchema,
     body: updateScopeRequestSchema,
     responses: {
       200: scopeResponseSchema,
@@ -1650,28 +1676,28 @@ var scopeContract = c9.router({
 });
 
 // ../../packages/core/src/contracts/credentials.ts
-import { z as z12 } from "zod";
+import { z as z13 } from "zod";
 var c10 = initContract();
-var credentialNameSchema = z12.string().min(1, "Credential name is required").max(255, "Credential name must be at most 255 characters").regex(
+var credentialNameSchema = z13.string().min(1, "Credential name is required").max(255, "Credential name must be at most 255 characters").regex(
   /^[A-Z][A-Z0-9_]*$/,
   "Credential name must contain only uppercase letters, numbers, and underscores, and must start with a letter (e.g., MY_API_KEY)"
 );
-var credentialTypeSchema = z12.enum(["user", "model-provider"]);
-var credentialResponseSchema = z12.object({
-  id: z12.string().uuid(),
-  name: z12.string(),
-  description: z12.string().nullable(),
+var credentialTypeSchema = z13.enum(["user", "model-provider"]);
+var credentialResponseSchema = z13.object({
+  id: z13.string().uuid(),
+  name: z13.string(),
+  description: z13.string().nullable(),
   type: credentialTypeSchema,
-  createdAt: z12.string(),
-  updatedAt: z12.string()
+  createdAt: z13.string(),
+  updatedAt: z13.string()
 });
-var credentialListResponseSchema = z12.object({
-  credentials: z12.array(credentialResponseSchema)
+var credentialListResponseSchema = z13.object({
+  credentials: z13.array(credentialResponseSchema)
 });
-var setCredentialRequestSchema = z12.object({
+var setCredentialRequestSchema = z13.object({
   name: credentialNameSchema,
-  value: z12.string().min(1, "Credential value is required"),
-  description: z12.string().max(1e3).optional()
+  value: z13.string().min(1, "Credential value is required"),
+  description: z13.string().max(1e3).optional()
 });
 var credentialsMainContract = c10.router({
   /**
@@ -1681,6 +1707,7 @@ var credentialsMainContract = c10.router({
   list: {
     method: "GET",
     path: "/api/credentials",
+    headers: authHeadersSchema,
     responses: {
       200: credentialListResponseSchema,
       401: apiErrorSchema,
@@ -1695,6 +1722,7 @@ var credentialsMainContract = c10.router({
   set: {
     method: "PUT",
     path: "/api/credentials",
+    headers: authHeadersSchema,
     body: setCredentialRequestSchema,
     responses: {
       200: credentialResponseSchema,
@@ -1714,7 +1742,8 @@ var credentialsByNameContract = c10.router({
   get: {
     method: "GET",
     path: "/api/credentials/:name",
-    pathParams: z12.object({
+    headers: authHeadersSchema,
+    pathParams: z13.object({
       name: credentialNameSchema
     }),
     responses: {
@@ -1732,11 +1761,12 @@ var credentialsByNameContract = c10.router({
   delete: {
     method: "DELETE",
     path: "/api/credentials/:name",
-    pathParams: z12.object({
+    headers: authHeadersSchema,
+    pathParams: z13.object({
       name: credentialNameSchema
     }),
     responses: {
-      204: z12.undefined(),
+      204: z13.undefined(),
       401: apiErrorSchema,
       404: apiErrorSchema,
       500: apiErrorSchema
@@ -1746,7 +1776,7 @@ var credentialsByNameContract = c10.router({
 });
 
 // ../../packages/core/src/contracts/model-providers.ts
-import { z as z13 } from "zod";
+import { z as z14 } from "zod";
 var c11 = initContract();
 var MODEL_PROVIDER_TYPES = {
   "claude-code-oauth-token": {
@@ -1771,42 +1801,43 @@ var MODEL_PROVIDER_TYPES = {
     helpText: "Get your API key at: https://platform.openai.com/api-keys"
   }
 };
-var modelProviderTypeSchema = z13.enum([
+var modelProviderTypeSchema = z14.enum([
   "claude-code-oauth-token",
   "anthropic-api-key",
   "openai-api-key"
 ]);
-var modelProviderFrameworkSchema = z13.enum(["claude-code", "codex"]);
-var modelProviderResponseSchema = z13.object({
-  id: z13.string().uuid(),
+var modelProviderFrameworkSchema = z14.enum(["claude-code", "codex"]);
+var modelProviderResponseSchema = z14.object({
+  id: z14.string().uuid(),
   type: modelProviderTypeSchema,
   framework: modelProviderFrameworkSchema,
-  credentialName: z13.string(),
-  isDefault: z13.boolean(),
-  createdAt: z13.string(),
-  updatedAt: z13.string()
+  credentialName: z14.string(),
+  isDefault: z14.boolean(),
+  createdAt: z14.string(),
+  updatedAt: z14.string()
 });
-var modelProviderListResponseSchema = z13.object({
-  modelProviders: z13.array(modelProviderResponseSchema)
+var modelProviderListResponseSchema = z14.object({
+  modelProviders: z14.array(modelProviderResponseSchema)
 });
-var upsertModelProviderRequestSchema = z13.object({
+var upsertModelProviderRequestSchema = z14.object({
   type: modelProviderTypeSchema,
-  credential: z13.string().min(1, "Credential is required"),
-  convert: z13.boolean().optional()
+  credential: z14.string().min(1, "Credential is required"),
+  convert: z14.boolean().optional()
 });
-var upsertModelProviderResponseSchema = z13.object({
+var upsertModelProviderResponseSchema = z14.object({
   provider: modelProviderResponseSchema,
-  created: z13.boolean()
+  created: z14.boolean()
 });
-var checkCredentialResponseSchema = z13.object({
-  exists: z13.boolean(),
-  credentialName: z13.string(),
-  currentType: z13.enum(["user", "model-provider"]).optional()
+var checkCredentialResponseSchema = z14.object({
+  exists: z14.boolean(),
+  credentialName: z14.string(),
+  currentType: z14.enum(["user", "model-provider"]).optional()
 });
 var modelProvidersMainContract = c11.router({
   list: {
     method: "GET",
     path: "/api/model-providers",
+    headers: authHeadersSchema,
     responses: {
       200: modelProviderListResponseSchema,
       401: apiErrorSchema,
@@ -1817,6 +1848,7 @@ var modelProvidersMainContract = c11.router({
   upsert: {
     method: "PUT",
     path: "/api/model-providers",
+    headers: authHeadersSchema,
     body: upsertModelProviderRequestSchema,
     responses: {
       200: upsertModelProviderResponseSchema,
@@ -1833,7 +1865,8 @@ var modelProvidersCheckContract = c11.router({
   check: {
     method: "GET",
     path: "/api/model-providers/check/:type",
-    pathParams: z13.object({
+    headers: authHeadersSchema,
+    pathParams: z14.object({
       type: modelProviderTypeSchema
     }),
     responses: {
@@ -1848,11 +1881,12 @@ var modelProvidersByTypeContract = c11.router({
   delete: {
     method: "DELETE",
     path: "/api/model-providers/:type",
-    pathParams: z13.object({
+    headers: authHeadersSchema,
+    pathParams: z14.object({
       type: modelProviderTypeSchema
     }),
     responses: {
-      204: z13.undefined(),
+      204: z14.undefined(),
       401: apiErrorSchema,
       404: apiErrorSchema,
       500: apiErrorSchema
@@ -1864,10 +1898,11 @@ var modelProvidersConvertContract = c11.router({
   convert: {
     method: "POST",
     path: "/api/model-providers/:type/convert",
-    pathParams: z13.object({
+    headers: authHeadersSchema,
+    pathParams: z14.object({
       type: modelProviderTypeSchema
     }),
-    body: z13.undefined(),
+    body: z14.undefined(),
     responses: {
       200: modelProviderResponseSchema,
       400: apiErrorSchema,
@@ -1882,10 +1917,11 @@ var modelProvidersSetDefaultContract = c11.router({
   setDefault: {
     method: "POST",
     path: "/api/model-providers/:type/set-default",
-    pathParams: z13.object({
+    headers: authHeadersSchema,
+    pathParams: z14.object({
       type: modelProviderTypeSchema
     }),
-    body: z13.undefined(),
+    body: z14.undefined(),
     responses: {
       200: modelProviderResponseSchema,
       401: apiErrorSchema,
@@ -1897,40 +1933,40 @@ var modelProvidersSetDefaultContract = c11.router({
 });
 
 // ../../packages/core/src/contracts/sessions.ts
-import { z as z14 } from "zod";
+import { z as z15 } from "zod";
 var c12 = initContract();
-var sessionResponseSchema = z14.object({
-  id: z14.string(),
-  agentComposeId: z14.string(),
-  agentComposeVersionId: z14.string().nullable(),
-  conversationId: z14.string().nullable(),
-  artifactName: z14.string().nullable(),
-  vars: z14.record(z14.string(), z14.string()).nullable(),
-  secretNames: z14.array(z14.string()).nullable(),
-  volumeVersions: z14.record(z14.string(), z14.string()).nullable(),
-  createdAt: z14.string(),
-  updatedAt: z14.string()
+var sessionResponseSchema = z15.object({
+  id: z15.string(),
+  agentComposeId: z15.string(),
+  agentComposeVersionId: z15.string().nullable(),
+  conversationId: z15.string().nullable(),
+  artifactName: z15.string().nullable(),
+  vars: z15.record(z15.string(), z15.string()).nullable(),
+  secretNames: z15.array(z15.string()).nullable(),
+  volumeVersions: z15.record(z15.string(), z15.string()).nullable(),
+  createdAt: z15.string(),
+  updatedAt: z15.string()
 });
-var agentComposeSnapshotSchema = z14.object({
-  agentComposeVersionId: z14.string(),
-  vars: z14.record(z14.string(), z14.string()).optional(),
-  secretNames: z14.array(z14.string()).optional()
+var agentComposeSnapshotSchema = z15.object({
+  agentComposeVersionId: z15.string(),
+  vars: z15.record(z15.string(), z15.string()).optional(),
+  secretNames: z15.array(z15.string()).optional()
 });
-var artifactSnapshotSchema2 = z14.object({
-  artifactName: z14.string(),
-  artifactVersion: z14.string()
+var artifactSnapshotSchema2 = z15.object({
+  artifactName: z15.string(),
+  artifactVersion: z15.string()
 });
-var volumeVersionsSnapshotSchema2 = z14.object({
-  versions: z14.record(z14.string(), z14.string())
+var volumeVersionsSnapshotSchema2 = z15.object({
+  versions: z15.record(z15.string(), z15.string())
 });
-var checkpointResponseSchema = z14.object({
-  id: z14.string(),
-  runId: z14.string(),
-  conversationId: z14.string(),
+var checkpointResponseSchema = z15.object({
+  id: z15.string(),
+  runId: z15.string(),
+  conversationId: z15.string(),
   agentComposeSnapshot: agentComposeSnapshotSchema,
   artifactSnapshot: artifactSnapshotSchema2.nullable(),
   volumeVersionsSnapshot: volumeVersionsSnapshotSchema2.nullable(),
-  createdAt: z14.string()
+  createdAt: z15.string()
 });
 var sessionsByIdContract = c12.router({
   /**
@@ -1940,8 +1976,9 @@ var sessionsByIdContract = c12.router({
   getById: {
     method: "GET",
     path: "/api/agent/sessions/:id",
-    pathParams: z14.object({
-      id: z14.string().min(1, "Session ID is required")
+    headers: authHeadersSchema,
+    pathParams: z15.object({
+      id: z15.string().min(1, "Session ID is required")
     }),
     responses: {
       200: sessionResponseSchema,
@@ -1960,8 +1997,9 @@ var checkpointsByIdContract = c12.router({
   getById: {
     method: "GET",
     path: "/api/agent/checkpoints/:id",
-    pathParams: z14.object({
-      id: z14.string().min(1, "Checkpoint ID is required")
+    headers: authHeadersSchema,
+    pathParams: z15.object({
+      id: z15.string().min(1, "Checkpoint ID is required")
     }),
     responses: {
       200: checkpointResponseSchema,
@@ -1974,88 +2012,88 @@ var checkpointsByIdContract = c12.router({
 });
 
 // ../../packages/core/src/contracts/schedules.ts
-import { z as z15 } from "zod";
+import { z as z16 } from "zod";
 var c13 = initContract();
-var scheduleTriggerSchema = z15.object({
-  cron: z15.string().optional(),
-  at: z15.string().optional(),
-  timezone: z15.string().default("UTC")
+var scheduleTriggerSchema = z16.object({
+  cron: z16.string().optional(),
+  at: z16.string().optional(),
+  timezone: z16.string().default("UTC")
 }).refine((data) => data.cron && !data.at || !data.cron && data.at, {
   message: "Exactly one of 'cron' or 'at' must be specified"
 });
-var scheduleRunConfigSchema = z15.object({
-  agent: z15.string().min(1, "Agent reference required"),
-  prompt: z15.string().min(1, "Prompt required"),
-  vars: z15.record(z15.string(), z15.string()).optional(),
-  secrets: z15.record(z15.string(), z15.string()).optional(),
-  artifactName: z15.string().optional(),
-  artifactVersion: z15.string().optional(),
-  volumeVersions: z15.record(z15.string(), z15.string()).optional()
+var scheduleRunConfigSchema = z16.object({
+  agent: z16.string().min(1, "Agent reference required"),
+  prompt: z16.string().min(1, "Prompt required"),
+  vars: z16.record(z16.string(), z16.string()).optional(),
+  secrets: z16.record(z16.string(), z16.string()).optional(),
+  artifactName: z16.string().optional(),
+  artifactVersion: z16.string().optional(),
+  volumeVersions: z16.record(z16.string(), z16.string()).optional()
 });
-var scheduleDefinitionSchema = z15.object({
+var scheduleDefinitionSchema = z16.object({
   on: scheduleTriggerSchema,
   run: scheduleRunConfigSchema
 });
-var scheduleYamlSchema = z15.object({
-  version: z15.literal("1.0"),
-  schedules: z15.record(z15.string(), scheduleDefinitionSchema)
-});
-var deployScheduleRequestSchema = z15.object({
-  name: z15.string().min(1).max(64, "Schedule name max 64 chars"),
-  cronExpression: z15.string().optional(),
-  atTime: z15.string().optional(),
-  timezone: z15.string().default("UTC"),
-  prompt: z15.string().min(1, "Prompt required"),
-  vars: z15.record(z15.string(), z15.string()).optional(),
-  secrets: z15.record(z15.string(), z15.string()).optional(),
-  artifactName: z15.string().optional(),
-  artifactVersion: z15.string().optional(),
-  volumeVersions: z15.record(z15.string(), z15.string()).optional(),
+var scheduleYamlSchema = z16.object({
+  version: z16.literal("1.0"),
+  schedules: z16.record(z16.string(), scheduleDefinitionSchema)
+});
+var deployScheduleRequestSchema = z16.object({
+  name: z16.string().min(1).max(64, "Schedule name max 64 chars"),
+  cronExpression: z16.string().optional(),
+  atTime: z16.string().optional(),
+  timezone: z16.string().default("UTC"),
+  prompt: z16.string().min(1, "Prompt required"),
+  vars: z16.record(z16.string(), z16.string()).optional(),
+  secrets: z16.record(z16.string(), z16.string()).optional(),
+  artifactName: z16.string().optional(),
+  artifactVersion: z16.string().optional(),
+  volumeVersions: z16.record(z16.string(), z16.string()).optional(),
   // Resolved agent compose ID (CLI resolves scope/name:version → composeId)
-  composeId: z15.string().uuid("Invalid compose ID")
+  composeId: z16.string().uuid("Invalid compose ID")
 }).refine(
   (data) => data.cronExpression && !data.atTime || !data.cronExpression && data.atTime,
   {
     message: "Exactly one of 'cronExpression' or 'atTime' must be specified"
   }
 );
-var scheduleResponseSchema = z15.object({
-  id: z15.string().uuid(),
-  composeId: z15.string().uuid(),
-  composeName: z15.string(),
-  scopeSlug: z15.string(),
-  name: z15.string(),
-  cronExpression: z15.string().nullable(),
-  atTime: z15.string().nullable(),
-  timezone: z15.string(),
-  prompt: z15.string(),
-  vars: z15.record(z15.string(), z15.string()).nullable(),
+var scheduleResponseSchema = z16.object({
+  id: z16.string().uuid(),
+  composeId: z16.string().uuid(),
+  composeName: z16.string(),
+  scopeSlug: z16.string(),
+  name: z16.string(),
+  cronExpression: z16.string().nullable(),
+  atTime: z16.string().nullable(),
+  timezone: z16.string(),
+  prompt: z16.string(),
+  vars: z16.record(z16.string(), z16.string()).nullable(),
   // Secret names only (values are never returned)
-  secretNames: z15.array(z15.string()).nullable(),
-  artifactName: z15.string().nullable(),
-  artifactVersion: z15.string().nullable(),
-  volumeVersions: z15.record(z15.string(), z15.string()).nullable(),
-  enabled: z15.boolean(),
-  nextRunAt: z15.string().nullable(),
-  createdAt: z15.string(),
-  updatedAt: z15.string()
-});
-var runSummarySchema = z15.object({
-  id: z15.string().uuid(),
-  status: z15.enum(["pending", "running", "completed", "failed", "timeout"]),
-  createdAt: z15.string(),
-  completedAt: z15.string().nullable(),
-  error: z15.string().nullable()
-});
-var scheduleRunsResponseSchema = z15.object({
-  runs: z15.array(runSummarySchema)
-});
-var scheduleListResponseSchema = z15.object({
-  schedules: z15.array(scheduleResponseSchema)
-});
-var deployScheduleResponseSchema = z15.object({
+  secretNames: z16.array(z16.string()).nullable(),
+  artifactName: z16.string().nullable(),
+  artifactVersion: z16.string().nullable(),
+  volumeVersions: z16.record(z16.string(), z16.string()).nullable(),
+  enabled: z16.boolean(),
+  nextRunAt: z16.string().nullable(),
+  createdAt: z16.string(),
+  updatedAt: z16.string()
+});
+var runSummarySchema = z16.object({
+  id: z16.string().uuid(),
+  status: z16.enum(["pending", "running", "completed", "failed", "timeout"]),
+  createdAt: z16.string(),
+  completedAt: z16.string().nullable(),
+  error: z16.string().nullable()
+});
+var scheduleRunsResponseSchema = z16.object({
+  runs: z16.array(runSummarySchema)
+});
+var scheduleListResponseSchema = z16.object({
+  schedules: z16.array(scheduleResponseSchema)
+});
+var deployScheduleResponseSchema = z16.object({
   schedule: scheduleResponseSchema,
-  created: z15.boolean()
+  created: z16.boolean()
   // true if created, false if updated
 });
 var schedulesMainContract = c13.router({
@@ -2066,6 +2104,7 @@ var schedulesMainContract = c13.router({
   deploy: {
     method: "POST",
     path: "/api/agent/schedules",
+    headers: authHeadersSchema,
     body: deployScheduleRequestSchema,
     responses: {
       200: deployScheduleResponseSchema,
@@ -2087,6 +2126,7 @@ var schedulesMainContract = c13.router({
   list: {
     method: "GET",
     path: "/api/agent/schedules",
+    headers: authHeadersSchema,
     responses: {
       200: scheduleListResponseSchema,
       401: apiErrorSchema
@@ -2102,11 +2142,12 @@ var schedulesByNameContract = c13.router({
   getByName: {
     method: "GET",
     path: "/api/agent/schedules/:name",
-    pathParams: z15.object({
-      name: z15.string().min(1, "Schedule name required")
+    headers: authHeadersSchema,
+    pathParams: z16.object({
+      name: z16.string().min(1, "Schedule name required")
     }),
-    query: z15.object({
-      composeId: z15.string().uuid("Compose ID required")
+    query: z16.object({
+      composeId: z16.string().uuid("Compose ID required")
     }),
     responses: {
       200: scheduleResponseSchema,
@@ -2122,14 +2163,15 @@ var schedulesByNameContract = c13.router({
   delete: {
     method: "DELETE",
     path: "/api/agent/schedules/:name",
-    pathParams: z15.object({
-      name: z15.string().min(1, "Schedule name required")
+    headers: authHeadersSchema,
+    pathParams: z16.object({
+      name: z16.string().min(1, "Schedule name required")
     }),
-    query: z15.object({
-      composeId: z15.string().uuid("Compose ID required")
+    query: z16.object({
+      composeId: z16.string().uuid("Compose ID required")
     }),
     responses: {
-      204: z15.undefined(),
+      204: z16.undefined(),
       401: apiErrorSchema,
       404: apiErrorSchema
     },
@@ -2144,11 +2186,12 @@ var schedulesEnableContract = c13.router({
   enable: {
     method: "POST",
     path: "/api/agent/schedules/:name/enable",
-    pathParams: z15.object({
-      name: z15.string().min(1, "Schedule name required")
+    headers: authHeadersSchema,
+    pathParams: z16.object({
+      name: z16.string().min(1, "Schedule name required")
     }),
-    body: z15.object({
-      composeId: z15.string().uuid("Compose ID required")
+    body: z16.object({
+      composeId: z16.string().uuid("Compose ID required")
     }),
     responses: {
       200: scheduleResponseSchema,
@@ -2164,11 +2207,12 @@ var schedulesEnableContract = c13.router({
   disable: {
     method: "POST",
     path: "/api/agent/schedules/:name/disable",
-    pathParams: z15.object({
-      name: z15.string().min(1, "Schedule name required")
+    headers: authHeadersSchema,
+    pathParams: z16.object({
+      name: z16.string().min(1, "Schedule name required")
     }),
-    body: z15.object({
-      composeId: z15.string().uuid("Compose ID required")
+    body: z16.object({
+      composeId: z16.string().uuid("Compose ID required")
     }),
     responses: {
       200: scheduleResponseSchema,
@@ -2186,12 +2230,13 @@ var scheduleRunsContract = c13.router({
   listRuns: {
     method: "GET",
     path: "/api/agent/schedules/:name/runs",
-    pathParams: z15.object({
-      name: z15.string().min(1, "Schedule name required")
+    headers: authHeadersSchema,
+    pathParams: z16.object({
+      name: z16.string().min(1, "Schedule name required")
     }),
-    query: z15.object({
-      composeId: z15.string().uuid("Compose ID required"),
-      limit: z15.coerce.number().min(0).max(100).default(5)
+    query: z16.object({
+      composeId: z16.string().uuid("Compose ID required"),
+      limit: z16.coerce.number().min(0).max(100).default(5)
     }),
     responses: {
       200: scheduleRunsResponseSchema,
@@ -2203,16 +2248,16 @@ var scheduleRunsContract = c13.router({
 });
 
 // ../../packages/core/src/contracts/realtime.ts
-import { z as z16 } from "zod";
+import { z as z17 } from "zod";
 var c14 = initContract();
-var ablyTokenRequestSchema = z16.object({
-  keyName: z16.string(),
-  ttl: z16.number().optional(),
-  timestamp: z16.number(),
-  capability: z16.string(),
-  clientId: z16.string().optional(),
-  nonce: z16.string(),
-  mac: z16.string()
+var ablyTokenRequestSchema = z17.object({
+  keyName: z17.string(),
+  ttl: z17.number().optional(),
+  timestamp: z17.number(),
+  capability: z17.string(),
+  clientId: z17.string().optional(),
+  nonce: z17.string(),
+  mac: z17.string()
 });
 var realtimeTokenContract = c14.router({
   /**
@@ -2222,8 +2267,9 @@ var realtimeTokenContract = c14.router({
   create: {
     method: "POST",
     path: "/api/realtime/token",
-    body: z16.object({
-      runId: z16.string().uuid("runId must be a valid UUID")
+    headers: authHeadersSchema,
+    body: z17.object({
+      runId: z17.string().uuid("runId must be a valid UUID")
     }),
     responses: {
       200: ablyTokenRequestSchema,
@@ -2237,8 +2283,8 @@ var realtimeTokenContract = c14.router({
 });
 
 // ../../packages/core/src/contracts/public/common.ts
-import { z as z17 } from "zod";
-var publicApiErrorTypeSchema = z17.enum([
+import { z as z18 } from "zod";
+var publicApiErrorTypeSchema = z18.enum([
   "api_error",
   // Internal server error (5xx)
   "invalid_request_error",
@@ -2250,58 +2296,59 @@ var publicApiErrorTypeSchema = z17.enum([
   "conflict_error"
   // Resource conflict (409)
 ]);
-var publicApiErrorSchema = z17.object({
-  error: z17.object({
+var publicApiErrorSchema = z18.object({
+  error: z18.object({
     type: publicApiErrorTypeSchema,
-    code: z17.string(),
-    message: z17.string(),
-    param: z17.string().optional(),
-    doc_url: z17.string().url().optional()
+    code: z18.string(),
+    message: z18.string(),
+    param: z18.string().optional(),
+    doc_url: z18.string().url().optional()
   })
 });
-var paginationSchema = z17.object({
-  has_more: z17.boolean(),
-  next_cursor: z17.string().nullable()
+var paginationSchema = z18.object({
+  has_more: z18.boolean(),
+  next_cursor: z18.string().nullable()
 });
 function createPaginatedResponseSchema(dataSchema) {
-  return z17.object({
-    data: z17.array(dataSchema),
+  return z18.object({
+    data: z18.array(dataSchema),
     pagination: paginationSchema
   });
 }
-var listQuerySchema = z17.object({
-  cursor: z17.string().optional(),
-  limit: z17.coerce.number().min(1).max(100).default(20)
+var listQuerySchema = z18.object({
+  cursor: z18.string().optional(),
+  limit: z18.coerce.number().min(1).max(100).default(20)
 });
-var requestIdSchema = z17.string().uuid();
-var timestampSchema = z17.string().datetime();
+var requestIdSchema = z18.string().uuid();
+var timestampSchema = z18.string().datetime();
 
 // ../../packages/core/src/contracts/public/agents.ts
-import { z as z18 } from "zod";
+import { z as z19 } from "zod";
 var c15 = initContract();
-var publicAgentSchema = z18.object({
-  id: z18.string(),
-  name: z18.string(),
-  current_version_id: z18.string().nullable(),
+var publicAgentSchema = z19.object({
+  id: z19.string(),
+  name: z19.string(),
+  current_version_id: z19.string().nullable(),
   created_at: timestampSchema,
   updated_at: timestampSchema
 });
-var agentVersionSchema = z18.object({
-  id: z18.string(),
-  agent_id: z18.string(),
-  version_number: z18.number(),
+var agentVersionSchema = z19.object({
+  id: z19.string(),
+  agent_id: z19.string(),
+  version_number: z19.number(),
   created_at: timestampSchema
 });
 var publicAgentDetailSchema = publicAgentSchema;
 var paginatedAgentsSchema = createPaginatedResponseSchema(publicAgentSchema);
 var paginatedAgentVersionsSchema = createPaginatedResponseSchema(agentVersionSchema);
 var agentListQuerySchema = listQuerySchema.extend({
-  name: z18.string().optional()
+  name: z19.string().optional()
 });
 var publicAgentsListContract = c15.router({
   list: {
     method: "GET",
     path: "/v1/agents",
+    headers: authHeadersSchema,
     query: agentListQuerySchema,
     responses: {
       200: paginatedAgentsSchema,
@@ -2316,8 +2363,9 @@ var publicAgentByIdContract = c15.router({
   get: {
     method: "GET",
     path: "/v1/agents/:id",
-    pathParams: z18.object({
-      id: z18.string().min(1, "Agent ID is required")
+    headers: authHeadersSchema,
+    pathParams: z19.object({
+      id: z19.string().min(1, "Agent ID is required")
     }),
     responses: {
       200: publicAgentDetailSchema,
@@ -2333,8 +2381,9 @@ var publicAgentVersionsContract = c15.router({
   list: {
     method: "GET",
     path: "/v1/agents/:id/versions",
-    pathParams: z18.object({
-      id: z18.string().min(1, "Agent ID is required")
+    headers: authHeadersSchema,
+    pathParams: z19.object({
+      id: z19.string().min(1, "Agent ID is required")
     }),
     query: listQuerySchema,
     responses: {
@@ -2349,9 +2398,9 @@ var publicAgentVersionsContract = c15.router({
 });
 
 // ../../packages/core/src/contracts/public/runs.ts
-import { z as z19 } from "zod";
+import { z as z20 } from "zod";
 var c16 = initContract();
-var publicRunStatusSchema = z19.enum([
+var publicRunStatusSchema = z20.enum([
   "pending",
   "running",
   "completed",
@@ -2359,52 +2408,52 @@ var publicRunStatusSchema = z19.enum([
   "timeout",
   "cancelled"
 ]);
-var publicRunSchema = z19.object({
-  id: z19.string(),
-  agent_id: z19.string(),
-  agent_name: z19.string(),
+var publicRunSchema = z20.object({
+  id: z20.string(),
+  agent_id: z20.string(),
+  agent_name: z20.string(),
   status: publicRunStatusSchema,
-  prompt: z19.string(),
+  prompt: z20.string(),
   created_at: timestampSchema,
   started_at: timestampSchema.nullable(),
   completed_at: timestampSchema.nullable()
 });
 var publicRunDetailSchema = publicRunSchema.extend({
-  error: z19.string().nullable(),
-  execution_time_ms: z19.number().nullable(),
-  checkpoint_id: z19.string().nullable(),
-  session_id: z19.string().nullable(),
-  artifact_name: z19.string().nullable(),
-  artifact_version: z19.string().nullable(),
-  volumes: z19.record(z19.string(), z19.string()).optional()
+  error: z20.string().nullable(),
+  execution_time_ms: z20.number().nullable(),
+  checkpoint_id: z20.string().nullable(),
+  session_id: z20.string().nullable(),
+  artifact_name: z20.string().nullable(),
+  artifact_version: z20.string().nullable(),
+  volumes: z20.record(z20.string(), z20.string()).optional()
 });
 var paginatedRunsSchema = createPaginatedResponseSchema(publicRunSchema);
-var createRunRequestSchema = z19.object({
+var createRunRequestSchema = z20.object({
   // Agent identification (one of: agent, agent_id, session_id, checkpoint_id)
-  agent: z19.string().optional(),
+  agent: z20.string().optional(),
   // Agent name
-  agent_id: z19.string().optional(),
+  agent_id: z20.string().optional(),
   // Agent ID
-  agent_version: z19.string().optional(),
+  agent_version: z20.string().optional(),
   // Version specifier (e.g., "latest", "v1", specific ID)
   // Continue session
-  session_id: z19.string().optional(),
+  session_id: z20.string().optional(),
   // Resume from checkpoint
-  checkpoint_id: z19.string().optional(),
+  checkpoint_id: z20.string().optional(),
   // Required
-  prompt: z19.string().min(1, "Prompt is required"),
+  prompt: z20.string().min(1, "Prompt is required"),
   // Optional configuration
-  variables: z19.record(z19.string(), z19.string()).optional(),
-  secrets: z19.record(z19.string(), z19.string()).optional(),
-  artifact_name: z19.string().optional(),
+  variables: z20.record(z20.string(), z20.string()).optional(),
+  secrets: z20.record(z20.string(), z20.string()).optional(),
+  artifact_name: z20.string().optional(),
   // Artifact name to mount
-  artifact_version: z19.string().optional(),
+  artifact_version: z20.string().optional(),
   // Artifact version (defaults to latest)
-  volumes: z19.record(z19.string(), z19.string()).optional()
+  volumes: z20.record(z20.string(), z20.string()).optional()
   // volume_name -> version
 });
 var runListQuerySchema = listQuerySchema.extend({
-  agent_id: z19.string().optional(),
+  agent_id: z20.string().optional(),
   status: publicRunStatusSchema.optional(),
   since: timestampSchema.optional()
 });
@@ -2412,6 +2461,7 @@ var publicRunsListContract = c16.router({
   list: {
     method: "GET",
     path: "/v1/runs",
+    headers: authHeadersSchema,
     query: runListQuerySchema,
     responses: {
       200: paginatedRunsSchema,
@@ -2424,6 +2474,7 @@ var publicRunsListContract = c16.router({
   create: {
     method: "POST",
     path: "/v1/runs",
+    headers: authHeadersSchema,
     body: createRunRequestSchema,
     responses: {
       202: publicRunDetailSchema,
@@ -2441,8 +2492,9 @@ var publicRunByIdContract = c16.router({
   get: {
     method: "GET",
     path: "/v1/runs/:id",
-    pathParams: z19.object({
-      id: z19.string().min(1, "Run ID is required")
+    headers: authHeadersSchema,
+    pathParams: z20.object({
+      id: z20.string().min(1, "Run ID is required")
     }),
     responses: {
       200: publicRunDetailSchema,
@@ -2458,10 +2510,11 @@ var publicRunCancelContract = c16.router({
   cancel: {
     method: "POST",
     path: "/v1/runs/:id/cancel",
-    pathParams: z19.object({
-      id: z19.string().min(1, "Run ID is required")
+    headers: authHeadersSchema,
+    pathParams: z20.object({
+      id: z20.string().min(1, "Run ID is required")
     }),
-    body: z19.undefined(),
+    body: z20.undefined(),
     responses: {
       200: publicRunDetailSchema,
       400: publicApiErrorSchema,
@@ -2474,26 +2527,27 @@ var publicRunCancelContract = c16.router({
     description: "Cancel a pending or running execution"
   }
 });
-var logEntrySchema = z19.object({
+var logEntrySchema = z20.object({
   timestamp: timestampSchema,
-  type: z19.enum(["agent", "system", "network"]),
-  level: z19.enum(["debug", "info", "warn", "error"]),
-  message: z19.string(),
-  metadata: z19.record(z19.string(), z19.unknown()).optional()
+  type: z20.enum(["agent", "system", "network"]),
+  level: z20.enum(["debug", "info", "warn", "error"]),
+  message: z20.string(),
+  metadata: z20.record(z20.string(), z20.unknown()).optional()
 });
 var paginatedLogsSchema = createPaginatedResponseSchema(logEntrySchema);
 var logsQuerySchema = listQuerySchema.extend({
-  type: z19.enum(["agent", "system", "network", "all"]).default("all"),
+  type: z20.enum(["agent", "system", "network", "all"]).default("all"),
   since: timestampSchema.optional(),
   until: timestampSchema.optional(),
-  order: z19.enum(["asc", "desc"]).default("asc")
+  order: z20.enum(["asc", "desc"]).default("asc")
 });
 var publicRunLogsContract = c16.router({
   getLogs: {
     method: "GET",
     path: "/v1/runs/:id/logs",
-    pathParams: z19.object({
-      id: z19.string().min(1, "Run ID is required")
+    headers: authHeadersSchema,
+    pathParams: z20.object({
+      id: z20.string().min(1, "Run ID is required")
     }),
     query: logsQuerySchema,
     responses: {
@@ -2506,29 +2560,30 @@ var publicRunLogsContract = c16.router({
     description: "Get unified logs for a run. Combines agent, system, and network logs."
   }
 });
-var metricPointSchema = z19.object({
+var metricPointSchema = z20.object({
   timestamp: timestampSchema,
-  cpu_percent: z19.number(),
-  memory_used_mb: z19.number(),
-  memory_total_mb: z19.number(),
-  disk_used_mb: z19.number(),
-  disk_total_mb: z19.number()
-});
-var metricsSummarySchema = z19.object({
-  avg_cpu_percent: z19.number(),
-  max_memory_used_mb: z19.number(),
-  total_duration_ms: z19.number().nullable()
-});
-var metricsResponseSchema2 = z19.object({
-  data: z19.array(metricPointSchema),
+  cpu_percent: z20.number(),
+  memory_used_mb: z20.number(),
+  memory_total_mb: z20.number(),
+  disk_used_mb: z20.number(),
+  disk_total_mb: z20.number()
+});
+var metricsSummarySchema = z20.object({
+  avg_cpu_percent: z20.number(),
+  max_memory_used_mb: z20.number(),
+  total_duration_ms: z20.number().nullable()
+});
+var metricsResponseSchema2 = z20.object({
+  data: z20.array(metricPointSchema),
   summary: metricsSummarySchema
 });
 var publicRunMetricsContract = c16.router({
   getMetrics: {
     method: "GET",
     path: "/v1/runs/:id/metrics",
-    pathParams: z19.object({
-      id: z19.string().min(1, "Run ID is required")
+    headers: authHeadersSchema,
+    pathParams: z20.object({
+      id: z20.string().min(1, "Run ID is required")
     }),
     responses: {
       200: metricsResponseSchema2,
@@ -2540,7 +2595,7 @@ var publicRunMetricsContract = c16.router({
     description: "Get CPU, memory, and disk metrics for a run"
   }
 });
-var sseEventTypeSchema = z19.enum([
+var sseEventTypeSchema = z20.enum([
   "status",
   // Run status change
   "output",
@@ -2552,25 +2607,26 @@ var sseEventTypeSchema = z19.enum([
   "heartbeat"
   // Keep-alive
 ]);
-var sseEventSchema = z19.object({
+var sseEventSchema = z20.object({
   event: sseEventTypeSchema,
-  data: z19.unknown(),
-  id: z19.string().optional()
+  data: z20.unknown(),
+  id: z20.string().optional()
   // For Last-Event-ID reconnection
 });
 var publicRunEventsContract = c16.router({
   streamEvents: {
     method: "GET",
     path: "/v1/runs/:id/events",
-    pathParams: z19.object({
-      id: z19.string().min(1, "Run ID is required")
+    headers: authHeadersSchema,
+    pathParams: z20.object({
+      id: z20.string().min(1, "Run ID is required")
     }),
-    query: z19.object({
-      last_event_id: z19.string().optional()
+    query: z20.object({
+      last_event_id: z20.string().optional()
       // For reconnection
     }),
     responses: {
-      200: z19.any(),
+      200: z20.any(),
       // SSE stream - actual content is text/event-stream
       401: publicApiErrorSchema,
       404: publicApiErrorSchema,
@@ -2582,28 +2638,28 @@ var publicRunEventsContract = c16.router({
 });
 
 // ../../packages/core/src/contracts/public/artifacts.ts
-import { z as z20 } from "zod";
+import { z as z21 } from "zod";
 var c17 = initContract();
-var publicArtifactSchema = z20.object({
-  id: z20.string(),
-  name: z20.string(),
-  current_version_id: z20.string().nullable(),
-  size: z20.number(),
+var publicArtifactSchema = z21.object({
+  id: z21.string(),
+  name: z21.string(),
+  current_version_id: z21.string().nullable(),
+  size: z21.number(),
   // Total size in bytes
-  file_count: z20.number(),
+  file_count: z21.number(),
   created_at: timestampSchema,
   updated_at: timestampSchema
 });
-var artifactVersionSchema = z20.object({
-  id: z20.string(),
+var artifactVersionSchema = z21.object({
+  id: z21.string(),
   // SHA-256 content hash
-  artifact_id: z20.string(),
-  size: z20.number(),
+  artifact_id: z21.string(),
+  size: z21.number(),
   // Size in bytes
-  file_count: z20.number(),
-  message: z20.string().nullable(),
+  file_count: z21.number(),
+  message: z21.string().nullable(),
   // Optional commit message
-  created_by: z20.string(),
+  created_by: z21.string(),
   created_at: timestampSchema
 });
 var publicArtifactDetailSchema = publicArtifactSchema.extend({
@@ -2617,6 +2673,7 @@ var publicArtifactsListContract = c17.router({
   list: {
     method: "GET",
     path: "/v1/artifacts",
+    headers: authHeadersSchema,
     query: listQuerySchema,
     responses: {
       200: paginatedArtifactsSchema,
@@ -2631,8 +2688,9 @@ var publicArtifactByIdContract = c17.router({
   get: {
     method: "GET",
     path: "/v1/artifacts/:id",
-    pathParams: z20.object({
-      id: z20.string().min(1, "Artifact ID is required")
+    headers: authHeadersSchema,
+    pathParams: z21.object({
+      id: z21.string().min(1, "Artifact ID is required")
     }),
     responses: {
       200: publicArtifactDetailSchema,
@@ -2648,8 +2706,9 @@ var publicArtifactVersionsContract = c17.router({
   list: {
     method: "GET",
     path: "/v1/artifacts/:id/versions",
-    pathParams: z20.object({
-      id: z20.string().min(1, "Artifact ID is required")
+    headers: authHeadersSchema,
+    pathParams: z21.object({
+      id: z21.string().min(1, "Artifact ID is required")
     }),
     query: listQuerySchema,
     responses: {
@@ -2666,15 +2725,16 @@ var publicArtifactDownloadContract = c17.router({
   download: {
     method: "GET",
     path: "/v1/artifacts/:id/download",
-    pathParams: z20.object({
-      id: z20.string().min(1, "Artifact ID is required")
+    headers: authHeadersSchema,
+    pathParams: z21.object({
+      id: z21.string().min(1, "Artifact ID is required")
     }),
-    query: z20.object({
-      version_id: z20.string().optional()
+    query: z21.object({
+      version_id: z21.string().optional()
       // Defaults to current version
     }),
     responses: {
-      302: z20.undefined(),
+      302: z21.undefined(),
       // Redirect to presigned URL
       401: publicApiErrorSchema,
       404: publicApiErrorSchema,
@@ -2686,28 +2746,28 @@ var publicArtifactDownloadContract = c17.router({
 });
 
 // ../../packages/core/src/contracts/public/volumes.ts
-import { z as z21 } from "zod";
+import { z as z22 } from "zod";
 var c18 = initContract();
-var publicVolumeSchema = z21.object({
-  id: z21.string(),
-  name: z21.string(),
-  current_version_id: z21.string().nullable(),
-  size: z21.number(),
+var publicVolumeSchema = z22.object({
+  id: z22.string(),
+  name: z22.string(),
+  current_version_id: z22.string().nullable(),
+  size: z22.number(),
   // Total size in bytes
-  file_count: z21.number(),
+  file_count: z22.number(),
   created_at: timestampSchema,
   updated_at: timestampSchema
 });
-var volumeVersionSchema = z21.object({
-  id: z21.string(),
+var volumeVersionSchema = z22.object({
+  id: z22.string(),
   // SHA-256 content hash
-  volume_id: z21.string(),
-  size: z21.number(),
+  volume_id: z22.string(),
+  size: z22.number(),
   // Size in bytes
-  file_count: z21.number(),
-  message: z21.string().nullable(),
+  file_count: z22.number(),
+  message: z22.string().nullable(),
   // Optional commit message
-  created_by: z21.string(),
+  created_by: z22.string(),
   created_at: timestampSchema
 });
 var publicVolumeDetailSchema = publicVolumeSchema.extend({
@@ -2719,6 +2779,7 @@ var publicVolumesListContract = c18.router({
   list: {
     method: "GET",
     path: "/v1/volumes",
+    headers: authHeadersSchema,
     query: listQuerySchema,
     responses: {
       200: paginatedVolumesSchema,
@@ -2733,8 +2794,9 @@ var publicVolumeByIdContract = c18.router({
   get: {
     method: "GET",
     path: "/v1/volumes/:id",
-    pathParams: z21.object({
-      id: z21.string().min(1, "Volume ID is required")
+    headers: authHeadersSchema,
+    pathParams: z22.object({
+      id: z22.string().min(1, "Volume ID is required")
     }),
     responses: {
       200: publicVolumeDetailSchema,
@@ -2750,8 +2812,9 @@ var publicVolumeVersionsContract = c18.router({
   list: {
     method: "GET",
     path: "/v1/volumes/:id/versions",
-    pathParams: z21.object({
-      id: z21.string().min(1, "Volume ID is required")
+    headers: authHeadersSchema,
+    pathParams: z22.object({
+      id: z22.string().min(1, "Volume ID is required")
     }),
     query: listQuerySchema,
     responses: {
@@ -2768,15 +2831,16 @@ var publicVolumeDownloadContract = c18.router({
   download: {
     method: "GET",
     path: "/v1/volumes/:id/download",
-    pathParams: z21.object({
-      id: z21.string().min(1, "Volume ID is required")
+    headers: authHeadersSchema,
+    pathParams: z22.object({
+      id: z22.string().min(1, "Volume ID is required")
     }),
-    query: z21.object({
-      version_id: z21.string().optional()
+    query: z22.object({
+      version_id: z22.string().optional()
       // Defaults to current version
     }),
     responses: {
-      302: z21.undefined(),
+      302: z22.undefined(),
       // Redirect to presigned URL
       401: publicApiErrorSchema,
       404: publicApiErrorSchema,
@@ -2980,6 +3044,9 @@ async function getComposeByName(name, scope) {
   if (result.status === 200) {
     return result.body;
   }
+  if (result.status === 404) {
+    return null;
+  }
   handleError(result, `Compose not found: ${name}`);
 }
 async function getComposeById(id) {
@@ -3357,7 +3424,7 @@ async function getUsage(options) {
 }
 
 // src/lib/domain/yaml-validator.ts
-import { z as z22 } from "zod";
+import { z as z23 } from "zod";
 
 // src/lib/domain/framework-config.ts
 var FRAMEWORK_DEFAULTS = {
@@ -3424,7 +3491,7 @@ function getDefaultImageWithApps(framework, apps) {
 }
 
 // src/lib/domain/yaml-validator.ts
-var cliAgentNameSchema = z22.string().min(3, "Agent name must be at least 3 characters").max(64, "Agent name must be 64 characters or less").regex(
+var cliAgentNameSchema = z23.string().min(3, "Agent name must be at least 3 characters").max(64, "Agent name must be 64 characters or less").regex(
   /^[a-zA-Z0-9]([a-zA-Z0-9-]{0,62}[a-zA-Z0-9])?$/,
   "Agent name must start and end with letter or number, and contain only letters, numbers, and hyphens"
 );
@@ -3437,14 +3504,14 @@ var cliAgentDefinitionSchema = agentDefinitionSchema.superRefine(
     const frameworkSupported = isFrameworkSupported(agent.framework);
     if (!agent.image && !frameworkSupported) {
       ctx.addIssue({
-        code: z22.ZodIssueCode.custom,
+        code: z23.ZodIssueCode.custom,
         message: "Missing agent.image (required when framework is not auto-configured)",
         path: ["image"]
       });
     }
     if (!agent.working_dir && !frameworkSupported) {
       ctx.addIssue({
-        code: z22.ZodIssueCode.custom,
+        code: z23.ZodIssueCode.custom,
         message: "Missing agent.working_dir (required when framework is not auto-configured)",
         path: ["working_dir"]
       });
@@ -3454,7 +3521,7 @@ var cliAgentDefinitionSchema = agentDefinitionSchema.superRefine(
         const skillUrl = agent.skills[i];
         if (skillUrl && !validateGitHubTreeUrl(skillUrl)) {
           ctx.addIssue({
-            code: z22.ZodIssueCode.custom,
+            code: z23.ZodIssueCode.custom,
             message: `Invalid skill URL: ${skillUrl}. Expected format: https://github.com/{owner}/{repo}/tree/{branch}/{path}`,
             path: ["skills", i]
           });
@@ -3463,15 +3530,15 @@ var cliAgentDefinitionSchema = agentDefinitionSchema.superRefine(
     }
   }
 );
-var cliComposeSchema = z22.object({
-  version: z22.string().min(1, "Missing config.version"),
-  agents: z22.record(cliAgentNameSchema, cliAgentDefinitionSchema),
-  volumes: z22.record(z22.string(), volumeConfigSchema).optional()
+var cliComposeSchema = z23.object({
+  version: z23.string().min(1, "Missing config.version"),
+  agents: z23.record(cliAgentNameSchema, cliAgentDefinitionSchema),
+  volumes: z23.record(z23.string(), volumeConfigSchema).optional()
 }).superRefine((config, ctx) => {
   const agentKeys = Object.keys(config.agents);
   if (agentKeys.length === 0) {
     ctx.addIssue({
-      code: z22.ZodIssueCode.custom,
+      code: z23.ZodIssueCode.custom,
       message: "agents must have at least one agent defined",
       path: ["agents"]
     });
@@ -3479,7 +3546,7 @@ var cliComposeSchema = z22.object({
   }
   if (agentKeys.length > 1) {
     ctx.addIssue({
-      code: z22.ZodIssueCode.custom,
+      code: z23.ZodIssueCode.custom,
       message: "Multiple agents not supported yet. Only one agent allowed.",
       path: ["agents"]
     });
@@ -3491,7 +3558,7 @@ var cliComposeSchema = z22.object({
   if (agentVolumes && agentVolumes.length > 0) {
     if (!config.volumes) {
       ctx.addIssue({
-        code: z22.ZodIssueCode.custom,
+        code: z23.ZodIssueCode.custom,
         message: "Agent references volumes but no volumes section defined. Each volume must have explicit name and version.",
         path: ["volumes"]
       });
@@ -3501,7 +3568,7 @@ var cliComposeSchema = z22.object({
       const parts = volDeclaration.split(":");
       if (parts.length !== 2) {
         ctx.addIssue({
-          code: z22.ZodIssueCode.custom,
+          code: z23.ZodIssueCode.custom,
           message: `Invalid volume declaration: ${volDeclaration}. Expected format: volume-key:/mount/path`,
           path: ["agents", agentName, "volumes"]
         });
@@ -3510,7 +3577,7 @@ var cliComposeSchema = z22.object({
       const volumeKey = parts[0].trim();
       if (!config.volumes[volumeKey]) {
         ctx.addIssue({
-          code: z22.ZodIssueCode.custom,
+          code: z23.ZodIssueCode.custom,
           message: `Volume "${volumeKey}" is not defined in volumes section. Each volume must have explicit name and version.`,
           path: ["volumes", volumeKey]
         });
@@ -4066,33 +4133,6 @@ function getSecretsFromComposeContent(content) {
   const grouped = groupVariablesBySource(refs);
   return new Set(grouped.secrets.map((r) => r.name));
 }
-function transformExperimentalShorthand(agent) {
-  const experimentalSecrets = agent.experimental_secrets;
-  const experimentalVars = agent.experimental_vars;
-  if (!experimentalSecrets && !experimentalVars) {
-    return;
-  }
-  const environment = agent.environment || {};
-  if (experimentalSecrets) {
-    for (const secretName of experimentalSecrets) {
-      if (!(secretName in environment)) {
-        environment[secretName] = "${{ secrets." + secretName + " }}";
-      }
-    }
-    delete agent.experimental_secrets;
-  }
-  if (experimentalVars) {
-    for (const varName of experimentalVars) {
-      if (!(varName in environment)) {
-        environment[varName] = "${{ vars." + varName + " }}";
-      }
-    }
-    delete agent.experimental_vars;
-  }
-  if (Object.keys(environment).length > 0) {
-    agent.environment = environment;
-  }
-}
 var composeCommand = new Command().name("compose").description("Create or update agent compose").argument("<config-file>", "Path to config YAML file").option("-y, --yes", "Skip confirmation prompts for skill requirements").action(async (configFile, options) => {
   try {
     if (!existsSync3(configFile)) {
@@ -4117,9 +4157,6 @@ var composeCommand = new Command().name("compose").description("Create or update
     }
     const cfg = config;
     const agentsConfig = cfg.agents;
-    for (const agentConfig of Object.values(agentsConfig)) {
-      transformExperimentalShorthand(agentConfig);
-    }
     for (const [name, agentConfig] of Object.entries(agentsConfig)) {
       const image = agentConfig.image;
       if (image) {
@@ -4216,12 +4253,9 @@ var composeCommand = new Command().name("compose").description("Create or update
       ([name]) => !(name in environment)
     );
     let headSecrets = /* @__PURE__ */ new Set();
-    try {
-      const existingCompose = await getComposeByName(agentName);
-      if (existingCompose.content) {
-        headSecrets = getSecretsFromComposeContent(existingCompose.content);
-      }
-    } catch {
+    const existingCompose = await getComposeByName(agentName);
+    if (existingCompose?.content) {
+      headSecrets = getSecretsFromComposeContent(existingCompose.content);
     }
     const trulyNewSecrets = newSecrets.map(([name]) => name).filter((name) => !headSecrets.has(name));
     if (newSecrets.length > 0 || newVars.length > 0) {
@@ -4469,16 +4503,14 @@ var EventRenderer = class {
   static renderToolResult(event, prefix, suffix) {
     const isError = Boolean(event.data.isError);
     const status = isError ? "Error" : "Completed";
-    const color = isError ? chalk3.red : chalk3.green;
-    console.log(prefix + color("[tool_result]") + suffix + " " + status);
+    console.log(prefix + "[tool_result]" + suffix + " " + status);
     const result = String(event.data.result || "");
     console.log(`  ${chalk3.dim(result)}`);
   }
   static renderResult(event, prefix, suffix) {
     const success = Boolean(event.data.success);
     const status = success ? "\u2713 completed successfully" : "\u2717 failed";
-    const color = success ? chalk3.green : chalk3.red;
-    console.log(prefix + color("[result]") + suffix + " " + status);
+    console.log(prefix + "[result]" + suffix + " " + status);
     const durationMs = Number(event.data.durationMs || 0);
     const durationSec = (durationMs / 1e3).toFixed(1);
     console.log(`  Duration: ${chalk3.dim(durationSec + "s")}`);
@@ -6189,6 +6221,15 @@ var mainRunCommand = new Command2().name("run").description("Execute an agent").
           console.log(chalk6.dim(`  Resolving agent: ${displayRef}`));
         }
         const compose = await getComposeByName(name, scope);
+        if (!compose) {
+          console.error(chalk6.red(`\u2717 Agent not found: ${identifier}`));
+          console.error(
+            chalk6.dim(
+              "  Make sure you've composed the agent with: vm0 compose"
+            )
+          );
+          process.exit(1);
+        }
         composeId = compose.id;
         composeContent = compose.content;
         if (verbose) {
@@ -7889,7 +7930,7 @@ cookCmd.argument("[prompt]", "Prompt for the agent").option("-y, --yes", "Skip c
   // eslint-disable-next-line complexity -- TODO: refactor complex function
   async (prompt, options) => {
     if (!options.noAutoUpdate) {
-      const shouldExit = await checkAndUpgrade("6.4.1", prompt);
+      const shouldExit = await checkAndUpgrade("7.0.1", prompt);
       if (shouldExit) {
         process.exit(0);
       }
@@ -8804,16 +8845,11 @@ var inspectCommand = new Command25().name("inspect").description("Inspect an age
         name = argument.slice(0, colonIndex);
         version = argument.slice(colonIndex + 1) || "latest";
       }
-      let compose;
-      try {
-        compose = await getComposeByName(name, options.scope);
-      } catch (error) {
-        if (error instanceof Error && error.message.includes("not found")) {
-          console.error(chalk29.red(`\u2717 Agent compose not found: ${name}`));
-          console.error(chalk29.dim("  Run: vm0 agent list"));
-          process.exit(1);
-        }
-        throw error;
+      const compose = await getComposeByName(name, options.scope);
+      if (!compose) {
+        console.error(chalk29.red(`\u2717 Agent compose not found: ${name}`));
+        console.error(chalk29.dim("  Run: vm0 agent list"));
+        process.exit(1);
       }
       let resolvedVersionId = compose.headVersionId;
       if (version !== "latest" && compose.headVersionId) {
@@ -9175,25 +9211,6 @@ function extractSecretsAndVars(config) {
   for (const ref of grouped.vars) {
     vars.add(ref.name);
   }
-  const cfg = config;
-  const agents = cfg.agents;
-  if (agents) {
-    const agentConfig = Object.values(agents)[0];
-    if (agentConfig) {
-      const expSecrets = agentConfig.experimental_secrets;
-      const expVars = agentConfig.experimental_vars;
-      if (expSecrets) {
-        for (const s of expSecrets) {
-          secrets.add(s);
-        }
-      }
-      if (expVars) {
-        for (const v of expVars) {
-          vars.add(v);
-        }
-      }
-    }
-  }
   secrets.add("VM0_TOKEN");
   return {
     secrets: Array.from(secrets).sort(),
@@ -9579,12 +9596,6 @@ function extractVarsAndSecrets() {
     if (!agent) {
       return result;
     }
-    if (agent.experimental_vars) {
-      result.vars.push(...agent.experimental_vars);
-    }
-    if (agent.experimental_secrets) {
-      result.secrets.push(...agent.experimental_secrets);
-    }
     if (agent.environment) {
       for (const value of Object.values(agent.environment)) {
         const varsMatches = value.matchAll(/\$\{\{\s*vars\.(\w+)\s*\}\}/g);
@@ -10077,17 +10088,15 @@ var deployCommand = new Command30().name("deploy").description("Deploy a schedul
     const [scheduleName, schedule] = scheduleEntries[0];
     console.log(`Deploying schedule ${chalk33.cyan(scheduleName)}...`);
     const agentRef = schedule.run.agent;
-    let composeId;
-    try {
-      const namePart = agentRef.includes("/") ? agentRef.split("/").pop() : agentRef;
-      const agentName = namePart.includes(":") ? namePart.split(":")[0] : namePart;
-      const compose = await getComposeByName(agentName);
-      composeId = compose.id;
-    } catch {
+    const namePart = agentRef.includes("/") ? agentRef.split("/").pop() : agentRef;
+    const agentName = namePart.includes(":") ? namePart.split(":")[0] : namePart;
+    const compose = await getComposeByName(agentName);
+    if (!compose) {
       console.error(chalk33.red(`\u2717 Agent not found: ${agentRef}`));
       console.error(chalk33.dim("  Make sure the agent is pushed first"));
       process.exit(1);
     }
+    const composeId = compose.id;
     const expandedVars = expandEnvVarsInObject(schedule.run.vars);
     const expandedSecrets = expandEnvVarsInObject(schedule.run.secrets);
     const atTime = schedule.on.at ? toISODateTime(schedule.on.at) : void 0;
@@ -10700,9 +10709,7 @@ var listCommand5 = new Command38().name("list").alias("ls").description("List al
       console.log(chalk40.dim("No credentials found."));
       console.log();
       console.log("To add a credential:");
-      console.log(
-        chalk40.cyan("  vm0 experimental-credential set MY_API_KEY <value>")
-      );
+      console.log(chalk40.cyan("  vm0 credential set MY_API_KEY <value>"));
       return;
     }
     console.log(chalk40.bold("Credentials:"));
@@ -10825,7 +10832,7 @@ var deleteCommand2 = new Command40().name("delete").description("Delete a creden
 });
 
 // src/commands/credential/index.ts
-var credentialCommand = new Command41().name("experimental-credential").description("[Experimental] Manage stored credentials for agent runs").addCommand(listCommand5).addCommand(setCommand2).addCommand(deleteCommand2);
+var credentialCommand = new Command41().name("credential").description("Manage stored credentials for agent runs").addCommand(listCommand5).addCommand(setCommand2).addCommand(deleteCommand2);
 
 // src/commands/model-provider/index.ts
 import { Command as Command46 } from "commander";
@@ -11089,7 +11096,7 @@ var modelProviderCommand = new Command46().name("model-provider").description("M
 
 // src/index.ts
 var program = new Command47();
-program.name("vm0").description("VM0 CLI - Build and run agents with natural language").version("6.4.1");
+program.name("vm0").description("VM0 CLI - Build and run agents with natural language").version("7.0.1");
 program.command("info").description("Display environment information").action(async () => {
   console.log(chalk47.bold("System Information:"));
   console.log(`Node Version: ${process.version}`);