@vm0/cli 9.157.0 → 9.158.0

package/{chunk-D6CWF2IH.js → chunk-AUKY6FBC.js}

@@ -30012,7 +30012,7 @@ var require_proxy_agent = __commonJS({
         });
       }
       dispatch(opts, handler) {
-        const headers = buildHeaders4(opts.headers);
+        const headers = buildHeaders5(opts.headers);
         throwIfProxyAuthIsSent(headers);
         if (headers && !("host" in headers) && !("Host" in headers)) {
           const { host } = new URL3(opts.origin);
@@ -30048,7 +30048,7 @@ var require_proxy_agent = __commonJS({
         await this[kClient].destroy();
       }
     };
-    function buildHeaders4(headers) {
+    function buildHeaders5(headers) {
       if (Array.isArray(headers)) {
         const headersPair = {};
         for (let i = 0; i < headers.length; i += 2) {
@@ -74083,7 +74083,7 @@ if (DSN) {
   init2({
     dsn: DSN,
     environment: process.env.SENTRY_ENVIRONMENT ?? "production",
-    release: "9.157.0",
+    release: "9.158.0",
     sendDefaultPii: false,
     tracesSampleRate: 0,
     shutdownTimeout: 500,
@@ -74102,7 +74102,7 @@ if (DSN) {
     }
   });
   setContext("cli", {
-    version: "9.157.0",
+    version: "9.158.0",
     command: process.argv.slice(2).join(" ")
   });
   setContext("runtime", {
@@ -74342,7 +74342,8 @@ var FEATURE_SWITCHES = {
   ["pwaOfflineCache" /* PwaOfflineCache */]: {
     maintainer: "ethan@vm0.ai",
     description: "Enable PWA offline caching (static asset cache-first, offline fallback page, and service worker updateViaCache: none)",
-    enabled: false
+    enabled: false,
+    enabledOrgIdHashes: STAFF_ORG_ID_HASHES
   },
   ["mailchimpConnector" /* MailchimpConnector */]: {
     maintainer: "ethan@vm0.ai",
@@ -74380,10 +74381,17 @@ var FEATURE_SWITCHES = {
     enabled: false,
     enabledOrgIdHashes: STAFF_ORG_ID_HASHES
   },
+  ["desktopLocalAgent" /* DesktopLocalAgent */]: {
+    maintainer: "lancy@vm0.ai",
+    description: "Enable the Desktop-owned Local Agent page, folder selection, and native host lifecycle",
+    enabled: false,
+    enabledOrgIdHashes: STAFF_ORG_ID_HASHES
+  },
   ["lab" /* Lab */]: {
     maintainer: "ethan@vm0.ai",
     description: "Show the Lab page for toggling experimental features",
-    enabled: false
+    enabled: false,
+    enabledOrgIdHashes: STAFF_ORG_ID_HASHES
   },
   ["auditLink" /* AuditLink */]: {
     maintainer: "ethan@vm0.ai",
@@ -74408,8 +74416,7 @@ var FEATURE_SWITCHES = {
   ["chatHeaderNewButton" /* ChatHeaderNewButton */]: {
     maintainer: "ethan@vm0.ai",
     description: "Replace the Invite people button in the agent chat page header with a New button that creates a new chat thread",
-    enabled: false,
-    enabledOrgIdHashes: STAFF_ORG_ID_HASHES
+    enabled: false
   },
   ["agentPhoneAppUi" /* AgentPhoneAppUi */]: {
     maintainer: "linghan@vm0.ai",
@@ -74420,8 +74427,7 @@ var FEATURE_SWITCHES = {
   ["chatMessageStartButton" /* ChatMessageStartButton */]: {
     maintainer: "linghan@vm0.ai",
     description: "Show an icon button in assistant message group actions that scrolls back to the start of that message group.",
-    enabled: false,
-    enabledOrgIdHashes: STAFF_ORG_ID_HASHES
+    enabled: false
   },
   ["goal" /* Goal */]: {
     maintainer: "ethan@vm0.ai",
@@ -74432,8 +74438,7 @@ var FEATURE_SWITCHES = {
   ["chatThreadRename" /* ChatThreadRename */]: {
     maintainer: "ethan@vm0.ai",
     description: "Adds a Rename chat item to the sidebar thread kebab menu. When the user renames a thread, automated title generation is suppressed for that thread.",
-    enabled: false,
-    enabledOrgIdHashes: STAFF_ORG_ID_HASHES
+    enabled: false
   },
   ["docsSite" /* DocsSite */]: {
     maintainer: "linghan@vm0.ai",
@@ -74475,8 +74480,8 @@ var FEATURE_SWITCHES = {
   },
   ["storedSecretKmsRead" /* StoredSecretKmsRead */]: {
     maintainer: "ethan@vm0.ai",
-    description: "Prefer AWS KMS material when reading stored-secret envelopes. Disabled keeps reading the legacy AES branch during rollout. Read path is independent of StoredSecretKmsWrite \u2014 enable read only after dual-write has been on long enough to backfill existing rows.",
-    enabled: false
+    description: "Prefer AWS KMS material when reading stored-secret envelopes. Legacy AES remains as a fallback for old or explicitly legacy-only rows.",
+    enabled: true
   },
   ["storedSecretKmsWrite" /* StoredSecretKmsWrite */]: {
     maintainer: "ethan@vm0.ai",
@@ -97460,6 +97465,13 @@ var github = {
     oauth: {
       authorizationUrl: "https://github.com/login/oauth/authorize",
       tokenUrl: "https://github.com/login/oauth/access_token",
+      client: {
+        clientRegistration: "static",
+        clientType: "confidential",
+        tokenEndpointAuthMethod: "client_secret_post",
+        clientIdEnv: "GH_OAUTH_CLIENT_ID",
+        clientSecretEnv: "GH_OAUTH_CLIENT_SECRET"
+      },
       scopes: ["repo", "project", "workflow"]
     }
   }
@@ -97496,6 +97508,13 @@ var gmail = {
     oauth: {
       authorizationUrl: "https://accounts.google.com/o/oauth2/v2/auth",
       tokenUrl: "https://oauth2.googleapis.com/token",
+      client: {
+        clientRegistration: "static",
+        clientType: "confidential",
+        tokenEndpointAuthMethod: "client_secret_post",
+        clientIdEnv: "GOOGLE_OAUTH_CLIENT_ID",
+        clientSecretEnv: "GOOGLE_OAUTH_CLIENT_SECRET"
+      },
       scopes: ["https://www.googleapis.com/auth/gmail.modify"]
     }
   }
@@ -97532,6 +97551,13 @@ var notion = {
     oauth: {
       authorizationUrl: "https://api.notion.com/v1/oauth/authorize",
       tokenUrl: "https://api.notion.com/v1/oauth/token",
+      client: {
+        clientRegistration: "static",
+        clientType: "confidential",
+        tokenEndpointAuthMethod: "client_secret_basic",
+        clientIdEnv: "NOTION_OAUTH_CLIENT_ID",
+        clientSecretEnv: "NOTION_OAUTH_CLIENT_SECRET"
+      },
       scopes: []
     }
   }
@@ -97567,6 +97593,13 @@ var x = {
     oauth: {
       authorizationUrl: "https://twitter.com/i/oauth2/authorize",
       tokenUrl: "https://api.twitter.com/2/oauth2/token",
+      client: {
+        clientRegistration: "static",
+        clientType: "confidential",
+        tokenEndpointAuthMethod: "client_secret_basic",
+        clientIdEnv: "X_OAUTH_CLIENT_ID",
+        clientSecretEnv: "X_OAUTH_CLIENT_SECRET"
+      },
       // https://docs.x.com/fundamentals/authentication/oauth-2-0/authorization-code
       scopes: [
         "tweet.read",
@@ -97648,6 +97681,13 @@ var googleDrive = {
     oauth: {
       authorizationUrl: "https://accounts.google.com/o/oauth2/v2/auth",
       tokenUrl: "https://oauth2.googleapis.com/token",
+      client: {
+        clientRegistration: "static",
+        clientType: "confidential",
+        tokenEndpointAuthMethod: "client_secret_post",
+        clientIdEnv: "GOOGLE_OAUTH_CLIENT_ID",
+        clientSecretEnv: "GOOGLE_OAUTH_CLIENT_SECRET"
+      },
       scopes: [
         "https://www.googleapis.com/auth/drive",
         "https://www.googleapis.com/auth/userinfo.email"
@@ -97683,6 +97723,13 @@ var slack = {
     oauth: {
       authorizationUrl: "https://slack.com/oauth/v2/authorize",
       tokenUrl: "https://slack.com/api/oauth.v2.access",
+      client: {
+        clientRegistration: "static",
+        clientType: "confidential",
+        tokenEndpointAuthMethod: "client_secret_post",
+        clientIdEnv: "SLACK_CLIENT_ID",
+        clientSecretEnv: "SLACK_CLIENT_SECRET"
+      },
       // Note: Slack does not approve `search:read` or user `*:history`
       // scopes outside of RTS / MCP applications. The personal connector
       // intentionally omits them. Bot-side history access is provided
@@ -97756,6 +97803,13 @@ var googleSheets = {
     oauth: {
       authorizationUrl: "https://accounts.google.com/o/oauth2/v2/auth",
       tokenUrl: "https://oauth2.googleapis.com/token",
+      client: {
+        clientRegistration: "static",
+        clientType: "confidential",
+        tokenEndpointAuthMethod: "client_secret_post",
+        clientIdEnv: "GOOGLE_OAUTH_CLIENT_ID",
+        clientSecretEnv: "GOOGLE_OAUTH_CLIENT_SECRET"
+      },
       scopes: [
         "https://www.googleapis.com/auth/spreadsheets",
         "https://www.googleapis.com/auth/userinfo.email"
@@ -97795,6 +97849,13 @@ var googleCalendar = {
     oauth: {
       authorizationUrl: "https://accounts.google.com/o/oauth2/v2/auth",
       tokenUrl: "https://oauth2.googleapis.com/token",
+      client: {
+        clientRegistration: "static",
+        clientType: "confidential",
+        tokenEndpointAuthMethod: "client_secret_post",
+        clientIdEnv: "GOOGLE_OAUTH_CLIENT_ID",
+        clientSecretEnv: "GOOGLE_OAUTH_CLIENT_SECRET"
+      },
       scopes: [
         "https://www.googleapis.com/auth/calendar",
         "https://www.googleapis.com/auth/userinfo.email"
@@ -97833,6 +97894,13 @@ var googleDocs = {
     oauth: {
       authorizationUrl: "https://accounts.google.com/o/oauth2/v2/auth",
       tokenUrl: "https://oauth2.googleapis.com/token",
+      client: {
+        clientRegistration: "static",
+        clientType: "confidential",
+        tokenEndpointAuthMethod: "client_secret_post",
+        clientIdEnv: "GOOGLE_OAUTH_CLIENT_ID",
+        clientSecretEnv: "GOOGLE_OAUTH_CLIENT_SECRET"
+      },
       scopes: [
         "https://www.googleapis.com/auth/documents",
         "https://www.googleapis.com/auth/userinfo.email"
@@ -97872,6 +97940,13 @@ var linear = {
     oauth: {
       authorizationUrl: "https://linear.app/oauth/authorize",
       tokenUrl: "https://api.linear.app/oauth/token",
+      client: {
+        clientRegistration: "static",
+        clientType: "confidential",
+        tokenEndpointAuthMethod: "client_secret_post",
+        clientIdEnv: "LINEAR_OAUTH_CLIENT_ID",
+        clientSecretEnv: "LINEAR_OAUTH_CLIENT_SECRET"
+      },
       scopes: [
         "read",
         "write",
@@ -97909,6 +97984,13 @@ var intervalsIcu = {
     oauth: {
       authorizationUrl: "https://intervals.icu/oauth/authorize",
       tokenUrl: "https://intervals.icu/api/oauth/token",
+      client: {
+        clientRegistration: "static",
+        clientType: "confidential",
+        tokenEndpointAuthMethod: "client_secret_post",
+        clientIdEnv: "INTERVALS_ICU_OAUTH_CLIENT_ID",
+        clientSecretEnv: "INTERVALS_ICU_OAUTH_CLIENT_SECRET"
+      },
       scopes: ["ACTIVITY", "WELLNESS", "CALENDAR", "SETTINGS", "LIBRARY"]
     }
   }
@@ -97939,6 +98021,13 @@ var vercel = {
     defaultAuthMethod: "oauth",
     oauth: {
       tokenUrl: "https://api.vercel.com/v2/oauth/access_token",
+      client: {
+        clientRegistration: "static",
+        clientType: "confidential",
+        tokenEndpointAuthMethod: "client_secret_post",
+        clientIdEnv: "VERCEL_OAUTH_CLIENT_ID",
+        clientSecretEnv: "VERCEL_OAUTH_CLIENT_SECRET"
+      },
       scopes: []
     }
   }
@@ -97974,6 +98063,13 @@ var strava = {
     oauth: {
       authorizationUrl: "https://www.strava.com/oauth/authorize",
       tokenUrl: "https://www.strava.com/oauth/token",
+      client: {
+        clientRegistration: "static",
+        clientType: "confidential",
+        tokenEndpointAuthMethod: "client_secret_post",
+        clientIdEnv: "STRAVA_OAUTH_CLIENT_ID",
+        clientSecretEnv: "STRAVA_OAUTH_CLIENT_SECRET"
+      },
       scopes: [
         "read",
         "profile:read_all",
@@ -98014,6 +98110,13 @@ var googleMeet = {
     oauth: {
       authorizationUrl: "https://accounts.google.com/o/oauth2/v2/auth",
       tokenUrl: "https://oauth2.googleapis.com/token",
+      client: {
+        clientRegistration: "static",
+        clientType: "confidential",
+        tokenEndpointAuthMethod: "client_secret_post",
+        clientIdEnv: "GOOGLE_OAUTH_CLIENT_ID",
+        clientSecretEnv: "GOOGLE_OAUTH_CLIENT_SECRET"
+      },
       scopes: [
         "https://www.googleapis.com/auth/meetings.space.created",
         // Use meetings.space.readonly (not meetings.conferencerecords.readonly) — confirmed
@@ -98057,6 +98160,13 @@ var hubspot = {
     oauth: {
       authorizationUrl: "https://app.hubspot.com/oauth/authorize",
       tokenUrl: "https://api.hubapi.com/oauth/v1/token",
+      client: {
+        clientRegistration: "static",
+        clientType: "confidential",
+        tokenEndpointAuthMethod: "client_secret_post",
+        clientIdEnv: "HUBSPOT_OAUTH_CLIENT_ID",
+        clientSecretEnv: "HUBSPOT_OAUTH_CLIENT_SECRET"
+      },
       scopes: [
         "crm.objects.contacts.read",
         "crm.objects.contacts.write",
@@ -98125,6 +98235,13 @@ var sentry = {
     oauth: {
       authorizationUrl: "https://sentry.io/oauth/authorize/",
       tokenUrl: "https://sentry.io/oauth/token/",
+      client: {
+        clientRegistration: "static",
+        clientType: "confidential",
+        tokenEndpointAuthMethod: "client_secret_post",
+        clientIdEnv: "SENTRY_OAUTH_CLIENT_ID",
+        clientSecretEnv: "SENTRY_OAUTH_CLIENT_SECRET"
+      },
       scopes: [
         "org:read",
         "project:read",
@@ -98163,6 +98280,13 @@ var todoist = {
     oauth: {
       authorizationUrl: "https://todoist.com/oauth/authorize",
       tokenUrl: "https://todoist.com/oauth/access_token",
+      client: {
+        clientRegistration: "static",
+        clientType: "confidential",
+        tokenEndpointAuthMethod: "client_secret_post",
+        clientIdEnv: "TODOIST_OAUTH_CLIENT_ID",
+        clientSecretEnv: "TODOIST_OAUTH_CLIENT_SECRET"
+      },
       scopes: ["data:read_write", "data:delete", "project:delete"]
     }
   }
@@ -98198,6 +98322,13 @@ var xero = {
     oauth: {
       authorizationUrl: "https://login.xero.com/identity/connect/authorize",
       tokenUrl: "https://identity.xero.com/connect/token",
+      client: {
+        clientRegistration: "static",
+        clientType: "confidential",
+        tokenEndpointAuthMethod: "client_secret_post",
+        clientIdEnv: "XERO_OAUTH_CLIENT_ID",
+        clientSecretEnv: "XERO_OAUTH_CLIENT_SECRET"
+      },
       scopes: [
         "openid",
         "profile",
@@ -98256,6 +98387,13 @@ var airtable = {
     oauth: {
       authorizationUrl: "https://airtable.com/oauth2/v1/authorize",
       tokenUrl: "https://airtable.com/oauth2/v1/token",
+      client: {
+        clientRegistration: "static",
+        clientType: "confidential",
+        tokenEndpointAuthMethod: "client_secret_basic",
+        clientIdEnv: "AIRTABLE_OAUTH_CLIENT_ID",
+        clientSecretEnv: "AIRTABLE_OAUTH_CLIENT_SECRET"
+      },
       scopes: [
         "data.records:read",
         "data.records:write",
@@ -98300,6 +98438,13 @@ var docusign = {
     oauth: {
       authorizationUrl: "https://account-d.docusign.com/oauth/auth",
       tokenUrl: "https://account-d.docusign.com/oauth/token",
+      client: {
+        clientRegistration: "static",
+        clientType: "confidential",
+        tokenEndpointAuthMethod: "client_secret_basic",
+        clientIdEnv: "DOCUSIGN_OAUTH_CLIENT_ID",
+        clientSecretEnv: "DOCUSIGN_OAUTH_CLIENT_SECRET"
+      },
       scopes: ["signature", "extended", "openid"]
     }
   }
@@ -98337,6 +98482,13 @@ var googleAds = {
     oauth: {
       authorizationUrl: "https://accounts.google.com/o/oauth2/v2/auth",
       tokenUrl: "https://oauth2.googleapis.com/token",
+      client: {
+        clientRegistration: "static",
+        clientType: "confidential",
+        tokenEndpointAuthMethod: "client_secret_post",
+        clientIdEnv: "GOOGLE_OAUTH_CLIENT_ID",
+        clientSecretEnv: "GOOGLE_OAUTH_CLIENT_SECRET"
+      },
       scopes: [
         "https://www.googleapis.com/auth/adwords",
         "https://www.googleapis.com/auth/userinfo.email"
@@ -98410,6 +98562,13 @@ var gumroad = {
     oauth: {
       authorizationUrl: "https://gumroad.com/oauth/authorize",
       tokenUrl: "https://gumroad.com/oauth/token",
+      client: {
+        clientRegistration: "static",
+        clientType: "confidential",
+        tokenEndpointAuthMethod: "client_secret_post",
+        clientIdEnv: "GUMROAD_OAUTH_CLIENT_ID",
+        clientSecretEnv: "GUMROAD_OAUTH_CLIENT_SECRET"
+      },
       scopes: [
         "view_profile",
         "edit_products",
@@ -98452,6 +98611,13 @@ var spotify = {
     oauth: {
       authorizationUrl: "https://accounts.spotify.com/authorize",
       tokenUrl: "https://accounts.spotify.com/api/token",
+      client: {
+        clientRegistration: "static",
+        clientType: "confidential",
+        tokenEndpointAuthMethod: "client_secret_basic",
+        clientIdEnv: "SPOTIFY_OAUTH_CLIENT_ID",
+        clientSecretEnv: "SPOTIFY_OAUTH_CLIENT_SECRET"
+      },
       scopes: [
         "ugc-image-upload",
         "user-read-playback-state",
@@ -98593,6 +98759,13 @@ var ahrefs = {
     oauth: {
       authorizationUrl: "https://app.ahrefs.com/api/auth",
       tokenUrl: "https://app.ahrefs.com/api/token",
+      client: {
+        clientRegistration: "static",
+        clientType: "confidential",
+        tokenEndpointAuthMethod: "client_secret_post",
+        clientIdEnv: "AHREFS_OAUTH_CLIENT_ID",
+        clientSecretEnv: "AHREFS_OAUTH_CLIENT_SECRET"
+      },
       scopes: ["api"]
     }
   }
@@ -98778,6 +98951,13 @@ var asana = {
     oauth: {
       authorizationUrl: "https://app.asana.com/-/oauth_authorize",
       tokenUrl: "https://app.asana.com/-/oauth_token",
+      client: {
+        clientRegistration: "static",
+        clientType: "confidential",
+        tokenEndpointAuthMethod: "client_secret_post",
+        clientIdEnv: "ASANA_OAUTH_CLIENT_ID",
+        clientSecretEnv: "ASANA_OAUTH_CLIENT_SECRET"
+      },
       scopes: []
     }
   }
@@ -99363,6 +99543,13 @@ var canva = {
     oauth: {
       authorizationUrl: "https://www.canva.com/api/oauth/authorize",
       tokenUrl: "https://api.canva.com/rest/v1/oauth/token",
+      client: {
+        clientRegistration: "static",
+        clientType: "confidential",
+        tokenEndpointAuthMethod: "client_secret_basic",
+        clientIdEnv: "CANVA_OAUTH_CLIENT_ID",
+        clientSecretEnv: "CANVA_OAUTH_CLIENT_SECRET"
+      },
       scopes: [
         "asset:read",
         "asset:write",
@@ -99551,6 +99738,13 @@ var close2 = {
     oauth: {
       authorizationUrl: "https://app.close.com/oauth2/authorize/",
       tokenUrl: "https://api.close.com/oauth2/token/",
+      client: {
+        clientRegistration: "static",
+        clientType: "confidential",
+        tokenEndpointAuthMethod: "client_secret_post",
+        clientIdEnv: "CLOSE_OAUTH_CLIENT_ID",
+        clientSecretEnv: "CLOSE_OAUTH_CLIENT_SECRET"
+      },
       scopes: ["all.full_access", "offline_access"]
     }
   }
@@ -99809,6 +100003,13 @@ var deel = {
     oauth: {
       authorizationUrl: "https://app.deel.com/oauth2/authorize",
       tokenUrl: "https://app.deel.com/oauth2/tokens",
+      client: {
+        clientRegistration: "static",
+        clientType: "confidential",
+        tokenEndpointAuthMethod: "client_secret_basic",
+        clientIdEnv: "DEEL_OAUTH_CLIENT_ID",
+        clientSecretEnv: "DEEL_OAUTH_CLIENT_SECRET"
+      },
       scopes: [
         "contracts:read",
         "people:read",
@@ -100111,6 +100312,13 @@ var dropbox = {
     oauth: {
       authorizationUrl: "https://www.dropbox.com/oauth2/authorize",
       tokenUrl: "https://api.dropboxapi.com/oauth2/token",
+      client: {
+        clientRegistration: "static",
+        clientType: "confidential",
+        tokenEndpointAuthMethod: "client_secret_post",
+        clientIdEnv: "DROPBOX_OAUTH_CLIENT_ID",
+        clientSecretEnv: "DROPBOX_OAUTH_CLIENT_SECRET"
+      },
       scopes: [
         "account_info.read",
         "files.metadata.read",
@@ -100416,6 +100624,13 @@ var figma = {
     oauth: {
       authorizationUrl: "https://www.figma.com/oauth",
       tokenUrl: "https://api.figma.com/v1/oauth/token",
+      client: {
+        clientRegistration: "static",
+        clientType: "confidential",
+        tokenEndpointAuthMethod: "client_secret_basic",
+        clientIdEnv: "FIGMA_OAUTH_CLIENT_ID",
+        clientSecretEnv: "FIGMA_OAUTH_CLIENT_SECRET"
+      },
       scopes: [
         "current_user:read",
         "file_content:read",
@@ -100577,6 +100792,13 @@ var garminConnect = {
     oauth: {
       authorizationUrl: "https://connect.garmin.com/oauth2Confirm",
       tokenUrl: "https://diauth.garmin.com/di-oauth2-service/oauth/token",
+      client: {
+        clientRegistration: "static",
+        clientType: "confidential",
+        tokenEndpointAuthMethod: "client_secret_post",
+        clientIdEnv: "GARMIN_CONNECT_OAUTH_CLIENT_ID",
+        clientSecretEnv: "GARMIN_CONNECT_OAUTH_CLIENT_SECRET"
+      },
       scopes: []
     }
   }
@@ -101525,6 +101747,13 @@ var mailchimp = {
     oauth: {
       authorizationUrl: "https://login.mailchimp.com/oauth2/authorize",
       tokenUrl: "https://login.mailchimp.com/oauth2/token",
+      client: {
+        clientRegistration: "static",
+        clientType: "confidential",
+        tokenEndpointAuthMethod: "client_secret_post",
+        clientIdEnv: "MAILCHIMP_OAUTH_CLIENT_ID",
+        clientSecretEnv: "MAILCHIMP_OAUTH_CLIENT_SECRET"
+      },
       scopes: []
     }
   }
@@ -101736,6 +101965,13 @@ var mercury = {
     oauth: {
       authorizationUrl: "https://oauth2.mercury.com/oauth2/auth",
       tokenUrl: "https://oauth2.mercury.com/oauth2/token",
+      client: {
+        clientRegistration: "static",
+        clientType: "confidential",
+        tokenEndpointAuthMethod: "client_secret_post",
+        clientIdEnv: "MERCURY_OAUTH_CLIENT_ID",
+        clientSecretEnv: "MERCURY_OAUTH_CLIENT_SECRET"
+      },
       scopes: ["offline_access"]
     }
   }
@@ -101768,6 +102004,13 @@ var metaAds = {
     oauth: {
       authorizationUrl: "https://www.facebook.com/v22.0/dialog/oauth",
       tokenUrl: "https://graph.facebook.com/v22.0/oauth/access_token",
+      client: {
+        clientRegistration: "static",
+        clientType: "confidential",
+        tokenEndpointAuthMethod: "client_secret_post",
+        clientIdEnv: "META_ADS_OAUTH_CLIENT_ID",
+        clientSecretEnv: "META_ADS_OAUTH_CLIENT_SECRET"
+      },
       scopes: ["ads_management", "ads_read", "business_management"]
     }
   }
@@ -101971,6 +102214,13 @@ var monday = {
     oauth: {
       authorizationUrl: "https://auth.monday.com/oauth2/authorize",
       tokenUrl: "https://auth.monday.com/oauth2/token",
+      client: {
+        clientRegistration: "static",
+        clientType: "confidential",
+        tokenEndpointAuthMethod: "client_secret_post",
+        clientIdEnv: "MONDAY_OAUTH_CLIENT_ID",
+        clientSecretEnv: "MONDAY_OAUTH_CLIENT_SECRET"
+      },
       scopes: [
         "me:read",
         "boards:read",
@@ -102128,6 +102378,13 @@ var neon = {
     oauth: {
       authorizationUrl: "https://oauth2.neon.tech/oauth2/auth",
       tokenUrl: "https://oauth2.neon.tech/oauth2/token",
+      client: {
+        clientRegistration: "static",
+        clientType: "confidential",
+        tokenEndpointAuthMethod: "client_secret_post",
+        clientIdEnv: "NEON_OAUTH_CLIENT_ID",
+        clientSecretEnv: "NEON_OAUTH_CLIENT_SECRET"
+      },
       scopes: [
         "openid",
         "offline_access",
@@ -102312,6 +102569,13 @@ var outlookCalendar = {
     oauth: {
       authorizationUrl: "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
       tokenUrl: "https://login.microsoftonline.com/common/oauth2/v2.0/token",
+      client: {
+        clientRegistration: "static",
+        clientType: "confidential",
+        tokenEndpointAuthMethod: "client_secret_post",
+        clientIdEnv: "MICROSOFT_OAUTH_CLIENT_ID",
+        clientSecretEnv: "MICROSOFT_OAUTH_CLIENT_SECRET"
+      },
       scopes: ["Calendars.ReadWrite", "User.Read", "offline_access"]
     }
   }
@@ -102348,6 +102612,13 @@ var outlookMail = {
     oauth: {
       authorizationUrl: "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
       tokenUrl: "https://login.microsoftonline.com/common/oauth2/v2.0/token",
+      client: {
+        clientRegistration: "static",
+        clientType: "confidential",
+        tokenEndpointAuthMethod: "client_secret_post",
+        clientIdEnv: "MICROSOFT_OAUTH_CLIENT_ID",
+        clientSecretEnv: "MICROSOFT_OAUTH_CLIENT_SECRET"
+      },
       scopes: ["Mail.ReadWrite", "Mail.Send", "User.Read", "offline_access"]
     }
   }
@@ -102695,6 +102966,13 @@ var posthog = {
     oauth: {
       authorizationUrl: "https://us.posthog.com/oauth/authorize",
       tokenUrl: "https://us.posthog.com/oauth/token",
+      client: {
+        clientRegistration: "static",
+        clientType: "confidential",
+        tokenEndpointAuthMethod: "client_secret_post",
+        clientIdEnv: "POSTHOG_OAUTH_CLIENT_ID",
+        clientSecretEnv: "POSTHOG_OAUTH_CLIENT_SECRET"
+      },
       scopes: [
         "openid",
         "profile",
@@ -102992,6 +103270,13 @@ var reddit = {
     oauth: {
       authorizationUrl: "https://www.reddit.com/api/v1/authorize",
       tokenUrl: "https://www.reddit.com/api/v1/access_token",
+      client: {
+        clientRegistration: "static",
+        clientType: "confidential",
+        tokenEndpointAuthMethod: "client_secret_basic",
+        clientIdEnv: "REDDIT_OAUTH_CLIENT_ID",
+        clientSecretEnv: "REDDIT_OAUTH_CLIENT_SECRET"
+      },
       scopes: ["identity", "read"]
     }
   }
@@ -103742,6 +104027,13 @@ var stripe = {
     oauth: {
       authorizationUrl: "https://connect.stripe.com/oauth/authorize",
       tokenUrl: "https://connect.stripe.com/oauth/token",
+      client: {
+        clientRegistration: "static",
+        clientType: "confidential",
+        tokenEndpointAuthMethod: "client_secret_post",
+        clientIdEnv: "STRIPE_OAUTH_CLIENT_ID",
+        clientSecretEnv: "STRIPE_OAUTH_CLIENT_SECRET"
+      },
       scopes: ["read_write"]
     }
   }
@@ -103789,6 +104081,13 @@ var supabase = {
     oauth: {
       authorizationUrl: "https://api.supabase.com/v1/oauth/authorize",
       tokenUrl: "https://api.supabase.com/v1/oauth/token",
+      client: {
+        clientRegistration: "static",
+        clientType: "confidential",
+        tokenEndpointAuthMethod: "client_secret_basic",
+        clientIdEnv: "SUPABASE_OAUTH_CLIENT_ID",
+        clientSecretEnv: "SUPABASE_OAUTH_CLIENT_SECRET"
+      },
       scopes: [
         "organizations:read",
         "projects:read",
@@ -103920,6 +104219,13 @@ var testOauth = {
       // the preview-URL host changes per deploy.
       authorizationUrl: "/api/test/oauth-provider/authorize",
       tokenUrl: "/api/test/oauth-provider/token",
+      client: {
+        clientRegistration: "static",
+        clientType: "confidential",
+        tokenEndpointAuthMethod: "client_secret_post",
+        clientId: "test-oauth-client",
+        clientSecret: "test-oauth-secret"
+      },
       scopes: ["read"]
     }
   }
@@ -104199,6 +104505,13 @@ var webflow = {
     oauth: {
       authorizationUrl: "https://webflow.com/oauth/authorize",
       tokenUrl: "https://api.webflow.com/oauth/access_token",
+      client: {
+        clientRegistration: "static",
+        clientType: "confidential",
+        tokenEndpointAuthMethod: "client_secret_post",
+        clientIdEnv: "WEBFLOW_OAUTH_CLIENT_ID",
+        clientSecretEnv: "WEBFLOW_OAUTH_CLIENT_SECRET"
+      },
       scopes: [
         "authorized_user:read",
         "sites:read",
@@ -104504,6 +104817,13 @@ var zoom = {
     oauth: {
       authorizationUrl: "https://zoom.us/oauth/authorize",
       tokenUrl: "https://zoom.us/oauth/token",
+      client: {
+        clientRegistration: "static",
+        clientType: "confidential",
+        tokenEndpointAuthMethod: "client_secret_basic",
+        clientIdEnv: "ZOOM_OAUTH_CLIENT_ID",
+        clientSecretEnv: "ZOOM_OAUTH_CLIENT_SECRET"
+      },
       // Granular scopes (Zoom's "resource:action:target" format). Covers the
       // core read/write flows documented in the zoom skill: users, meetings,
       // past-meeting data, cloud recordings, and webinars.
@@ -105945,6 +106265,8 @@ init_esm_shims();
 // ../../packages/api-contracts/src/contracts/runners.ts
 init_esm_shims();
 var c20 = initContract();
+var MIN_EPOCH_MS_TIMESTAMP = 1e12;
+var apiStartTimeSchema = external_exports.number().int().min(MIN_EPOCH_MS_TIMESTAMP);
 var runnerGroupSchema = external_exports.string().regex(
   /^[a-z0-9-]+\/[a-z0-9-]+$/,
   "Runner group must be in vm0/<name> format (e.g., vm0/production)"
@@ -106030,8 +106352,8 @@ var storedExecutionContextSchema = external_exports.object({
   debugNoMockCodex: external_exports.boolean().optional(),
   // Capture HTTP request headers, request bodies, and response bodies in network logs
   captureNetworkBodies: external_exports.boolean().optional(),
-  // Dispatch timestamp for E2E timing metrics
-  apiStartTime: external_exports.number().optional(),
+  // Dispatch timestamp for E2E timing metrics, as Unix epoch milliseconds
+  apiStartTime: apiStartTimeSchema.optional(),
   // User's timezone preference (IANA format, e.g., "Asia/Shanghai")
   userTimezone: external_exports.string().optional(),
   // Firewall for proxy-side token replacement (complete config, all permissions)
@@ -106078,8 +106400,8 @@ var executionContextSchema = external_exports.object({
   debugNoMockCodex: external_exports.boolean().optional(),
   // Capture HTTP request headers, request bodies, and response bodies in network logs
   captureNetworkBodies: external_exports.boolean().optional(),
-  // Dispatch timestamp for E2E timing metrics
-  apiStartTime: external_exports.number().optional(),
+  // Dispatch timestamp for E2E timing metrics, as Unix epoch milliseconds
+  apiStartTime: apiStartTimeSchema.optional(),
   // User's timezone preference (IANA format, e.g., "Asia/Shanghai")
   userTimezone: external_exports.string().optional(),
   // Firewall for proxy-side token replacement (complete config, all permissions)
@@ -107667,92 +107989,586 @@ init_esm_shims();
 // ../../packages/api-contracts/src/contracts/zero-computer-use.ts
 init_esm_shims();
 var c25 = initContract();
-var registerResponseSchema = external_exports.object({
+var computerUseHostStatusSchema = external_exports.enum(["online", "offline"]);
+var computerUseReadCommandKindSchema = external_exports.enum([
+  "apps.list",
+  "app.state"
+]);
+var computerUseWriteCommandKindSchema = external_exports.enum([
+  "app.open",
+  "element.click",
+  "element.scroll",
+  "element.set_value",
+  "element.perform_action",
+  "keyboard.type_text",
+  "keyboard.press_key"
+]);
+var computerUseCommandKindSchema = external_exports.enum([
+  ...computerUseReadCommandKindSchema.options,
+  ...computerUseWriteCommandKindSchema.options
+]);
+var computerUseCommandStatusSchema = external_exports.enum([
+  "pending_approval",
+  "queued",
+  "running",
+  "succeeded",
+  "failed"
+]);
+var computerUseCommandErrorCodeSchema = external_exports.enum([
+  "no_host",
+  "permission_denied",
+  "accessibility_unavailable",
+  "screen_recording_unavailable",
+  "unsupported_command",
+  "timeout"
+]);
+var hostNameSchema = external_exports.string().trim().min(1).max(128);
+var hostVersionSchema = external_exports.string().trim().min(1).max(64);
+var hostOsVersionSchema = external_exports.string().trim().min(1).max(128);
+var hostIdPathParamsSchema = external_exports.object({
+  hostId: external_exports.string().min(1)
+});
+var commandIdPathParamsSchema = external_exports.object({
+  commandId: external_exports.string().min(1)
+});
+var supportedCapabilitiesSchema = external_exports.array(external_exports.string().trim().min(1).max(128)).max(50);
+var appNameSchema = external_exports.string().trim().min(1).max(256);
+var snapshotIdSchema = external_exports.string().trim().min(1).max(256);
+var elementIdSchema = external_exports.string().trim().min(1).max(256);
+var computerUsePermissionsSchema = external_exports.object({
+  accessibility: external_exports.boolean(),
+  screenRecording: external_exports.boolean()
+});
+var computerUseRuntimeBodySchema = external_exports.object({
+  hostName: hostNameSchema,
+  appVersion: hostVersionSchema,
+  osVersion: hostOsVersionSchema,
+  supportedCapabilities: supportedCapabilitiesSchema.default([]),
+  permissions: computerUsePermissionsSchema
+});
+var computerUseCommandTargetShape = {
+  hostId: external_exports.string().min(1).optional(),
+  hostName: hostNameSchema.optional(),
+  timeoutMs: external_exports.number().int().min(1e3).max(6e4).default(15e3)
+};
+var computerUseCommandPayloadShape = {
+  app: appNameSchema.optional(),
+  snapshotId: snapshotIdSchema.optional(),
+  elementId: elementIdSchema.optional(),
+  x: external_exports.number().int().min(0).optional(),
+  y: external_exports.number().int().min(0).optional(),
+  button: external_exports.enum(["left", "right", "middle"]).optional(),
+  clickCount: external_exports.number().int().min(1).max(3).optional(),
+  direction: external_exports.enum(["up", "down", "left", "right"]).optional(),
+  pages: external_exports.number().positive().max(25).optional(),
+  value: external_exports.string().min(1).max(64e3).optional(),
+  text: external_exports.string().min(1).max(64e3).optional(),
+  key: external_exports.string().trim().min(1).max(256).optional(),
+  action: external_exports.string().trim().min(1).max(256).optional()
+};
+var computerUseCommandCreateBodySchema = external_exports.object({
+  kind: computerUseReadCommandKindSchema,
+  ...computerUseCommandTargetShape,
+  ...computerUseCommandPayloadShape
+}).superRefine((body, ctx) => {
+  if (body.kind === "app.state" && !body.app) {
+    ctx.addIssue({
+      code: "custom",
+      path: ["app"],
+      message: "app.state requires app"
+    });
+  }
+});
+var computerUseWriteCommandCreateBaseSchema = external_exports.object({
+  kind: computerUseWriteCommandKindSchema,
+  ...computerUseCommandTargetShape,
+  ...computerUseCommandPayloadShape
+});
+function requireComputerUseField(ctx, field, message) {
+  ctx.addIssue({ code: "custom", path: [field], message });
+}
+function validateElementClickCommand(body, ctx) {
+  const hasPoint = body.x !== void 0 && body.y !== void 0;
+  if (!body.elementId && !hasPoint) {
+    requireComputerUseField(
+      ctx,
+      "elementId",
+      "element.click requires elementId or x/y"
+    );
+  }
+  if (body.x === void 0 !== (body.y === void 0)) {
+    requireComputerUseField(
+      ctx,
+      "x",
+      "element.click coordinates require both x and y"
+    );
+  }
+}
+function validateElementScrollCommand(body, ctx) {
+  if (!body.elementId) {
+    requireComputerUseField(
+      ctx,
+      "elementId",
+      "element.scroll requires elementId"
+    );
+  }
+  if (!body.direction) {
+    requireComputerUseField(
+      ctx,
+      "direction",
+      "element.scroll requires direction"
+    );
+  }
+}
+function validateElementSetValueCommand(body, ctx) {
+  if (!body.elementId) {
+    requireComputerUseField(
+      ctx,
+      "elementId",
+      "element.set_value requires elementId"
+    );
+  }
+  if (!body.value) {
+    requireComputerUseField(ctx, "value", "element.set_value requires value");
+  }
+}
+function validateElementActionCommand(body, ctx) {
+  if (!body.elementId) {
+    requireComputerUseField(
+      ctx,
+      "elementId",
+      "element.perform_action requires elementId"
+    );
+  }
+  if (!body.action) {
+    requireComputerUseField(
+      ctx,
+      "action",
+      "element.perform_action requires action"
+    );
+  }
+}
+function validateComputerUseWriteCommand(body, ctx) {
+  if (!body.app) {
+    requireComputerUseField(ctx, "app", `${body.kind} requires app`);
+    return;
+  }
+  switch (body.kind) {
+    case "app.open":
+      return;
+    case "element.click":
+      validateElementClickCommand(body, ctx);
+      return;
+    case "element.scroll":
+      validateElementScrollCommand(body, ctx);
+      return;
+    case "element.set_value":
+      validateElementSetValueCommand(body, ctx);
+      return;
+    case "element.perform_action":
+      validateElementActionCommand(body, ctx);
+      return;
+    case "keyboard.type_text":
+      if (!body.text) {
+        requireComputerUseField(
+          ctx,
+          "text",
+          "keyboard.type_text requires text"
+        );
+      }
+      return;
+    case "keyboard.press_key":
+      if (!body.key) {
+        requireComputerUseField(ctx, "key", "keyboard.press_key requires key");
+      }
+  }
+}
+var computerUseWriteCommandCreateBodySchema = computerUseWriteCommandCreateBaseSchema.superRefine(
+  validateComputerUseWriteCommand
+);
+var computerUseCommandErrorSchema = external_exports.object({
+  code: computerUseCommandErrorCodeSchema,
+  message: external_exports.string()
+});
+var computerUseCommandResultSchema = external_exports.record(external_exports.string(), external_exports.unknown());
+var computerUseHostSchema = external_exports.object({
   id: external_exports.string(),
-  domain: external_exports.string(),
-  token: external_exports.string(),
-  ngrokToken: external_exports.string(),
-  endpointPrefix: external_exports.string()
+  displayName: external_exports.string(),
+  appVersion: external_exports.string(),
+  osVersion: external_exports.string(),
+  supportedCapabilities: external_exports.array(external_exports.string()),
+  permissions: computerUsePermissionsSchema,
+  status: computerUseHostStatusSchema,
+  lastSeenAt: external_exports.string(),
+  createdAt: external_exports.string()
 });
-var hostResponseSchema = external_exports.object({
-  domain: external_exports.string(),
-  token: external_exports.string()
+var computerUseHostStartResponseSchema = external_exports.object({
+  hostId: external_exports.string(),
+  hostToken: external_exports.string()
 });
-var zeroComputerUseRegisterContract = c25.router({
-  register: {
+var computerUseHeartbeatResponseSchema = external_exports.object({
+  ok: external_exports.literal(true),
+  hostId: external_exports.string()
+});
+var computerUseHostListResponseSchema = external_exports.object({
+  hosts: external_exports.array(computerUseHostSchema)
+});
+var computerUseHostDeleteResponseSchema = external_exports.object({
+  ok: external_exports.literal(true)
+});
+var computerUseCommandCreateResponseSchema = external_exports.object({
+  commandId: external_exports.string(),
+  status: external_exports.enum(["queued", "pending_approval"])
+});
+var computerUseCommandResponseSchema = external_exports.object({
+  id: external_exports.string(),
+  kind: computerUseCommandKindSchema,
+  status: computerUseCommandStatusSchema,
+  hostId: external_exports.string().nullable(),
+  hostName: external_exports.string().nullable(),
+  payload: external_exports.record(external_exports.string(), external_exports.unknown()),
+  result: computerUseCommandResultSchema.optional(),
+  error: computerUseCommandErrorSchema.optional(),
+  timeoutMs: external_exports.number().int().nullable(),
+  createdAt: external_exports.string(),
+  claimedAt: external_exports.string().nullable(),
+  completedAt: external_exports.string().nullable()
+});
+var computerUseCommandApprovalBodySchema = external_exports.object({
+  decision: external_exports.enum(["approve", "deny"]),
+  message: external_exports.string().max(512).optional()
+});
+var computerUseCommandApprovalResponseSchema = external_exports.object({
+  commandId: external_exports.string(),
+  status: external_exports.enum(["queued", "failed"])
+});
+var computerUseHostCommandNextBodySchema = external_exports.object({
+  supportedCapabilities: supportedCapabilitiesSchema.default([])
+});
+var computerUseHostCommandNextResponseSchema = external_exports.discriminatedUnion(
+  "status",
+  [
+    external_exports.object({ status: external_exports.literal("idle") }),
+    external_exports.object({
+      status: external_exports.literal("command"),
+      command: computerUseCommandResponseSchema
+    })
+  ]
+);
+var computerUseHostCommandCompleteBodySchema = external_exports.discriminatedUnion(
+  "status",
+  [
+    external_exports.object({
+      status: external_exports.literal("succeeded"),
+      result: computerUseCommandResultSchema
+    }),
+    external_exports.object({
+      status: external_exports.literal("failed"),
+      error: computerUseCommandErrorSchema
+    })
+  ]
+);
+var computerUseCommandCompleteResponseSchema = external_exports.object({
+  ok: external_exports.literal(true)
+});
+var computerUseAuditEventSchema = external_exports.object({
+  id: external_exports.string(),
+  commandId: external_exports.string(),
+  runId: external_exports.string().nullable(),
+  hostId: external_exports.string().nullable(),
+  kind: computerUseWriteCommandKindSchema,
+  app: external_exports.string().nullable(),
+  event: external_exports.enum(["created", "approved", "denied", "completed"]),
+  approvalOutcome: external_exports.enum(["approved", "denied"]).nullable(),
+  redactedResult: external_exports.record(external_exports.string(), external_exports.unknown()).nullable(),
+  error: external_exports.record(external_exports.string(), external_exports.unknown()).nullable(),
+  createdAt: external_exports.string()
+});
+var computerUseAuditEventListResponseSchema = external_exports.object({
+  auditEvents: external_exports.array(computerUseAuditEventSchema)
+});
+var zeroComputerUseHostsContract = c25.router({
+  start: {
     method: "POST",
-    path: "/api/zero/computer-use/register",
+    path: "/api/zero/computer-use/hosts/start",
     headers: authHeadersSchema,
-    body: c25.noBody(),
+    body: computerUseRuntimeBodySchema,
     responses: {
-      200: registerResponseSchema,
+      200: computerUseHostStartResponseSchema,
       401: apiErrorSchema,
-      403: apiErrorSchema,
-      409: apiErrorSchema
+      403: apiErrorSchema
     },
-    summary: "Register a computer-use host"
-  }
-});
-var zeroComputerUseUnregisterContract = c25.router({
-  unregister: {
+    summary: "Start or reactivate a desktop computer-use host"
+  },
+  list: {
+    method: "GET",
+    path: "/api/zero/computer-use/hosts",
+    headers: authHeadersSchema,
+    responses: {
+      200: computerUseHostListResponseSchema,
+      401: apiErrorSchema,
+      403: apiErrorSchema
+    },
+    summary: "List linked desktop computer-use hosts"
+  },
+  delete: {
     method: "DELETE",
-    path: "/api/zero/computer-use/unregister",
+    path: "/api/zero/computer-use/hosts/:hostId",
     headers: authHeadersSchema,
-    body: c25.noBody(),
+    pathParams: hostIdPathParamsSchema,
     responses: {
-      204: c25.noBody(),
+      200: computerUseHostDeleteResponseSchema,
       401: apiErrorSchema,
       403: apiErrorSchema,
       404: apiErrorSchema
     },
-    summary: "Unregister a computer-use host"
+    summary: "Delete a desktop computer-use host"
+  }
+});
+var zeroComputerUseHeartbeatContract = c25.router({
+  heartbeat: {
+    method: "POST",
+    path: "/api/zero/computer-use/heartbeat",
+    headers: authHeadersSchema,
+    body: computerUseRuntimeBodySchema,
+    responses: {
+      200: computerUseHeartbeatResponseSchema,
+      401: apiErrorSchema
+    },
+    summary: "Refresh a desktop computer-use host heartbeat"
   }
 });
-var zeroComputerUseHostContract = c25.router({
-  getHost: {
+var zeroComputerUseCommandContract = c25.router({
+  create: {
+    method: "POST",
+    path: "/api/zero/computer-use/commands",
+    headers: authHeadersSchema,
+    body: computerUseCommandCreateBodySchema,
+    responses: {
+      200: computerUseCommandCreateResponseSchema,
+      400: apiErrorSchema,
+      401: apiErrorSchema,
+      403: apiErrorSchema,
+      404: apiErrorSchema,
+      409: apiErrorSchema
+    },
+    summary: "Create a read-only desktop computer-use command"
+  },
+  get: {
     method: "GET",
-    path: "/api/zero/computer-use/host",
+    path: "/api/zero/computer-use/commands/:commandId",
     headers: authHeadersSchema,
+    pathParams: commandIdPathParamsSchema,
     responses: {
-      200: hostResponseSchema,
+      200: computerUseCommandResponseSchema,
       401: apiErrorSchema,
       403: apiErrorSchema,
       404: apiErrorSchema
     },
-    summary: "Get computer-use host for the current user"
+    summary: "Get a desktop computer-use command result"
+  }
+});
+var zeroComputerUseWriteCommandContract = c25.router({
+  create: {
+    method: "POST",
+    path: "/api/zero/computer-use/write-commands",
+    headers: authHeadersSchema,
+    body: computerUseWriteCommandCreateBodySchema,
+    responses: {
+      200: computerUseCommandCreateResponseSchema,
+      400: apiErrorSchema,
+      401: apiErrorSchema,
+      403: apiErrorSchema,
+      404: apiErrorSchema,
+      409: apiErrorSchema
+    },
+    summary: "Create an approved-write desktop computer-use command"
+  }
+});
+var zeroComputerUseCommandApprovalContract = c25.router({
+  decide: {
+    method: "POST",
+    path: "/api/zero/computer-use/commands/:commandId/approval",
+    headers: authHeadersSchema,
+    pathParams: commandIdPathParamsSchema,
+    body: computerUseCommandApprovalBodySchema,
+    responses: {
+      200: computerUseCommandApprovalResponseSchema,
+      401: apiErrorSchema,
+      403: apiErrorSchema,
+      404: apiErrorSchema,
+      409: apiErrorSchema
+    },
+    summary: "Approve or deny a pending desktop computer-use write command"
+  }
+});
+var zeroComputerUseHostCommandsContract = c25.router({
+  next: {
+    method: "POST",
+    path: "/api/zero/computer-use/host/commands/next",
+    headers: authHeadersSchema,
+    body: computerUseHostCommandNextBodySchema,
+    responses: {
+      200: computerUseHostCommandNextResponseSchema,
+      401: apiErrorSchema
+    },
+    summary: "Claim the next approved desktop computer-use command"
+  },
+  complete: {
+    method: "POST",
+    path: "/api/zero/computer-use/host/commands/:commandId/complete",
+    headers: authHeadersSchema,
+    pathParams: commandIdPathParamsSchema,
+    body: computerUseHostCommandCompleteBodySchema,
+    responses: {
+      200: computerUseCommandCompleteResponseSchema,
+      400: apiErrorSchema,
+      401: apiErrorSchema,
+      404: apiErrorSchema,
+      409: apiErrorSchema
+    },
+    summary: "Complete a desktop computer-use command"
+  }
+});
+var zeroComputerUseAuditEventsContract = c25.router({
+  list: {
+    method: "GET",
+    path: "/api/zero/computer-use/audit-events",
+    headers: authHeadersSchema,
+    query: external_exports.object({
+      limit: external_exports.coerce.number().int().positive().max(200).default(50),
+      commandId: external_exports.string().optional(),
+      hostId: external_exports.string().optional(),
+      runId: external_exports.string().optional()
+    }),
+    responses: {
+      200: computerUseAuditEventListResponseSchema,
+      401: apiErrorSchema,
+      403: apiErrorSchema
+    },
+    summary: "List desktop computer-use write command audit events"
   }
 });
 
 // src/lib/api/domains/zero-computer-use.ts
-async function registerComputerUseHost() {
-  const config4 = await getClientConfig();
-  const client = initClient(zeroComputerUseRegisterContract, config4);
-  const result = await client.register({});
+function normalizeConfiguredUrl(value) {
+  return value.startsWith("http") ? value : `https://${value}`;
+}
+function resolveComputerUseApiBaseUrl(baseUrl) {
+  const override = process.env.VM0_API_BACKEND_URL;
+  if (override) {
+    return normalizeConfiguredUrl(override).replace(/\/$/, "");
+  }
+  const url2 = new URL(baseUrl);
+  if (url2.hostname === "www.vm0.ai" || url2.hostname === "app.vm0.ai") {
+    url2.hostname = "api.vm0.ai";
+  }
+  return url2.toString().replace(/\/$/, "");
+}
+function buildHeaders2(token) {
+  const headers = {};
+  if (token) {
+    headers.Authorization = `Bearer ${token}`;
+  }
+  const bypassSecret = process.env.VERCEL_AUTOMATION_BYPASS_SECRET;
+  if (bypassSecret) {
+    headers["x-vercel-protection-bypass"] = bypassSecret;
+  }
+  return headers;
+}
+async function getComputerUseClientConfig() {
+  const baseUrl = resolveComputerUseApiBaseUrl(await getBaseUrl());
+  const token = await getActiveToken();
+  if (!token) {
+    throw new ApiRequestError("Not authenticated", "UNAUTHORIZED", 401);
+  }
+  return {
+    baseUrl,
+    baseHeaders: buildHeaders2(token),
+    jsonQuery: false
+  };
+}
+function commandBody(params) {
+  return {
+    kind: params.kind,
+    timeoutMs: params.timeoutMs ?? 15e3,
+    ...params.hostId ? { hostId: params.hostId } : {},
+    ...params.hostName ? { hostName: params.hostName } : {},
+    ...params.app ? { app: params.app } : {},
+    ...params.snapshotId ? { snapshotId: params.snapshotId } : {},
+    ...params.elementId ? { elementId: params.elementId } : {},
+    ...params.x !== void 0 ? { x: params.x } : {},
+    ...params.y !== void 0 ? { y: params.y } : {},
+    ...params.button ? { button: params.button } : {},
+    ...params.clickCount !== void 0 ? { clickCount: params.clickCount } : {},
+    ...params.direction ? { direction: params.direction } : {},
+    ...params.pages !== void 0 ? { pages: params.pages } : {},
+    ...params.value !== void 0 ? { value: params.value } : {},
+    ...params.text !== void 0 ? { text: params.text } : {},
+    ...params.key ? { key: params.key } : {},
+    ...params.action ? { action: params.action } : {}
+  };
+}
+async function createComputerUseReadCommand(params) {
+  const config4 = await getComputerUseClientConfig();
+  const client = initClient(zeroComputerUseCommandContract, config4);
+  const result = await client.create({ body: commandBody(params) });
   if (result.status === 200) {
     return result.body;
   }
-  handleError(result, "Failed to register computer-use host");
+  handleError(result, "Failed to create computer-use command");
 }
-async function unregisterComputerUseHost() {
-  const config4 = await getClientConfig();
-  const client = initClient(zeroComputerUseUnregisterContract, config4);
-  const result = await client.unregister({});
-  if (result.status === 204) {
-    return;
+async function createComputerUseWriteCommand(params) {
+  const config4 = await getComputerUseClientConfig();
+  const client = initClient(zeroComputerUseWriteCommandContract, config4);
+  const result = await client.create({ body: commandBody(params) });
+  if (result.status === 200) {
+    return result.body;
   }
-  handleError(result, "Failed to unregister computer-use host");
+  handleError(result, "Failed to create computer-use write command");
 }
-async function getComputerUseHost() {
-  const config4 = await getClientConfig();
-  const client = initClient(zeroComputerUseHostContract, config4);
-  const result = await client.getHost({ headers: {} });
+async function getComputerUseCommand(commandId) {
+  const config4 = await getComputerUseClientConfig();
+  const client = initClient(zeroComputerUseCommandContract, config4);
+  const result = await client.get({ params: { commandId } });
   if (result.status === 200) {
     return result.body;
   }
-  if (result.status === 404) {
-    return null;
+  handleError(result, "Failed to get computer-use command");
+}
+async function listComputerUseHosts() {
+  const config4 = await getComputerUseClientConfig();
+  const client = initClient(zeroComputerUseHostsContract, config4);
+  const result = await client.list({ headers: {} });
+  if (result.status === 200) {
+    return result.body;
   }
-  handleError(result, "Failed to get computer-use host");
+  handleError(result, "Failed to list computer-use hosts");
+}
+async function deleteComputerUseHost(hostId) {
+  const config4 = await getComputerUseClientConfig();
+  const client = initClient(zeroComputerUseHostsContract, config4);
+  const result = await client.delete({ params: { hostId } });
+  if (result.status === 200) {
+    return result.body;
+  }
+  handleError(result, "Failed to revoke computer-use host");
+}
+async function listComputerUseAuditEvents(params) {
+  const config4 = await getComputerUseClientConfig();
+  const client = initClient(zeroComputerUseAuditEventsContract, config4);
+  const result = await client.list({
+    query: {
+      limit: params.limit ?? 50,
+      ...params.commandId ? { commandId: params.commandId } : {},
+      ...params.hostId ? { hostId: params.hostId } : {},
+      ...params.runId ? { runId: params.runId } : {}
+    }
+  });
+  if (result.status === 200) {
+    return result.body;
+  }
+  handleError(result, "Failed to list computer-use audit events");
 }
 
 // src/lib/api/domains/zero-local-agent.ts
@@ -107824,7 +108640,7 @@ var localAgentJobStatusSchema = external_exports.enum([
   "failed"
 ]);
 var localAgentHostStatusSchema = external_exports.enum(["online", "closed"]);
-var hostNameSchema = external_exports.string().trim().min(1).max(128);
+var hostNameSchema2 = external_exports.string().trim().min(1).max(128);
 var supportedBackendsSchema = external_exports.array(localAgentBackendSchema).min(1).max(2);
 var promptSchema = external_exports.string().trim().min(1).max(6e4);
 var localAgentRealtimeSubscriptionSchema = external_exports.object({
@@ -107926,7 +108742,7 @@ var zeroLocalAgentDeviceStartContract = c27.router({
     method: "POST",
     path: "/api/zero/local-agent/device/start",
     body: external_exports.object({
-      hostName: hostNameSchema,
+      hostName: hostNameSchema2,
       supportedBackends: supportedBackendsSchema
     }),
     responses: {
@@ -107976,7 +108792,7 @@ var zeroLocalAgentHeartbeatContract = c27.router({
     path: "/api/zero/local-agent/heartbeat",
     headers: authHeadersSchema,
     body: external_exports.object({
-      hostName: hostNameSchema,
+      hostName: hostNameSchema2,
       supportedBackends: supportedBackendsSchema,
       realtimeConnected: external_exports.boolean().optional()
     }),
@@ -108059,7 +108875,7 @@ var zeroLocalAgentHostsContract = c27.router({
     path: "/api/zero/local-agent/hosts/start",
     headers: authHeadersSchema,
     body: external_exports.object({
-      hostName: hostNameSchema,
+      hostName: hostNameSchema2,
       supportedBackends: supportedBackendsSchema,
       hostId: external_exports.string().min(1).optional()
     }),
@@ -108151,13 +108967,13 @@ var zeroLocalAgentHostJobsContract = c27.router({
 });
 
 // src/lib/api/domains/zero-local-agent.ts
-function normalizeConfiguredUrl(value) {
+function normalizeConfiguredUrl2(value) {
   return value.startsWith("http") ? value : `https://${value}`;
 }
 function resolveLocalAgentApiBaseUrl(baseUrl) {
   const override = process.env.VM0_API_BACKEND_URL;
   if (override) {
-    return normalizeConfiguredUrl(override).replace(/\/$/, "");
+    return normalizeConfiguredUrl2(override).replace(/\/$/, "");
   }
   const url2 = new URL(baseUrl);
   if (url2.hostname === "www.vm0.ai" || url2.hostname === "app.vm0.ai") {
@@ -108165,7 +108981,7 @@ function resolveLocalAgentApiBaseUrl(baseUrl) {
   }
   return url2.toString().replace(/\/$/, "");
 }
-function buildHeaders2(token) {
+function buildHeaders3(token) {
   const headers = {};
   if (token) {
     headers.Authorization = `Bearer ${token}`;
@@ -108189,7 +109005,7 @@ async function getLocalAgentClientConfig() {
   };
 }
 function buildBearerHeaders(token) {
-  return buildHeaders2(token);
+  return buildHeaders3(token);
 }
 async function sendLocalAgentHeartbeat(params) {
   const baseUrl = resolveLocalAgentApiBaseUrl(await getBaseUrl());
@@ -108377,7 +109193,7 @@ var localBrowserCommandErrorCodeSchema = external_exports.enum([
   "timeout",
   "unsupported_command"
 ]);
-var hostNameSchema2 = external_exports.string().trim().min(1).max(128);
+var hostNameSchema3 = external_exports.string().trim().min(1).max(128);
 var browserSchema = external_exports.string().trim().min(1).max(64);
 var extensionVersionSchema = external_exports.string().trim().min(1).max(64);
 var tabIdSchema = external_exports.string().trim().min(1).max(128);
@@ -108386,12 +109202,12 @@ var targetUrlSchema = external_exports.string().trim().url().max(2048).refine((v
   return protocol === "http:" || protocol === "https:";
 }, "URL must use http or https");
 var cssSelectorSchema = external_exports.string().trim().min(1).max(1024);
-var supportedCapabilitiesSchema = external_exports.array(external_exports.string().trim().min(1).max(128)).max(50);
+var supportedCapabilitiesSchema2 = external_exports.array(external_exports.string().trim().min(1).max(128)).max(50);
 var localBrowserRuntimeBodySchema = external_exports.object({
-  hostName: hostNameSchema2,
+  hostName: hostNameSchema3,
   browser: browserSchema,
   extensionVersion: extensionVersionSchema,
-  supportedCapabilities: supportedCapabilitiesSchema.default([])
+  supportedCapabilities: supportedCapabilitiesSchema2.default([])
 });
 var localBrowserRealtimeSubscriptionSchema = external_exports.object({
   channelName: external_exports.string(),
@@ -108466,7 +109282,7 @@ var localBrowserHostDeleteResponseSchema = external_exports.object({
 var localBrowserCommandTargetShape = {
   tabId: tabIdSchema.optional(),
   hostId: external_exports.string().min(1).optional(),
-  hostName: hostNameSchema2.optional(),
+  hostName: hostNameSchema3.optional(),
   timeoutMs: external_exports.number().int().min(1e3).max(6e4).default(15e3)
 };
 var localBrowserCommandCreateBodySchema = external_exports.object({
@@ -108865,7 +109681,7 @@ var zeroLocalBrowserHostCommandsContract = c28.router({
     path: "/api/zero/local-browser/host/commands/next",
     headers: authHeadersSchema,
     body: external_exports.object({
-      supportedCapabilities: supportedCapabilitiesSchema.default([])
+      supportedCapabilities: supportedCapabilitiesSchema2.default([])
     }),
     responses: {
       200: localBrowserHostCommandNextResponseSchema,
@@ -108894,13 +109710,13 @@ var zeroLocalBrowserHostCommandsContract = c28.router({
 });
 
 // src/lib/api/domains/zero-local-browser.ts
-function normalizeConfiguredUrl2(value) {
+function normalizeConfiguredUrl3(value) {
   return value.startsWith("http") ? value : `https://${value}`;
 }
 function resolveLocalBrowserApiBaseUrl(baseUrl) {
   const override = process.env.VM0_API_BACKEND_URL;
   if (override) {
-    return normalizeConfiguredUrl2(override).replace(/\/$/, "");
+    return normalizeConfiguredUrl3(override).replace(/\/$/, "");
   }
   const url2 = new URL(baseUrl);
   if (url2.hostname === "www.vm0.ai" || url2.hostname === "app.vm0.ai") {
@@ -108908,7 +109724,7 @@ function resolveLocalBrowserApiBaseUrl(baseUrl) {
   }
   return url2.toString().replace(/\/$/, "");
 }
-function buildHeaders3(token) {
+function buildHeaders4(token) {
   const headers = {};
   if (token) {
     headers.Authorization = `Bearer ${token}`;
@@ -108927,7 +109743,7 @@ async function getLocalBrowserClientConfig() {
   }
   return {
     baseUrl,
-    baseHeaders: buildHeaders3(token),
+    baseHeaders: buildHeaders4(token),
     jsonQuery: false
   };
 }
@@ -124915,16 +125731,27 @@ var healthAuthContract = c29.router({
 // ../../packages/api-contracts/src/contracts/desktop-auth.ts
 init_esm_shims();
 var c30 = initContract();
+var desktopAuthCallbackSchemes = [
+  "ai.vm0.zero.desktop",
+  "ai.vm0.zero.desktop.dev"
+];
+var defaultDesktopAuthCallbackScheme = desktopAuthCallbackSchemes[0];
+var desktopAuthCallbackSchemeSchema = external_exports.enum(
+  desktopAuthCallbackSchemes
+);
 var desktopAuthHandoffContract = c30.router({
   create: {
     method: "POST",
     path: "/api/desktop-auth/handoff",
     headers: authHeadersSchema,
-    body: external_exports.object({}).optional(),
+    body: external_exports.object({
+      callbackScheme: desktopAuthCallbackSchemeSchema.optional()
+    }).optional(),
     responses: {
       200: external_exports.object({
         callbackUrl: external_exports.string()
       }),
+      400: apiErrorSchema,
       401: apiErrorSchema,
       403: apiErrorSchema,
       500: apiErrorSchema
@@ -131213,9 +132040,12 @@ export {
   searchLogs,
   requestDeveloperSupportConsent,
   submitDeveloperSupport,
-  registerComputerUseHost,
-  unregisterComputerUseHost,
-  getComputerUseHost,
+  createComputerUseReadCommand,
+  createComputerUseWriteCommand,
+  getComputerUseCommand,
+  listComputerUseHosts,
+  deleteComputerUseHost,
+  listComputerUseAuditEvents,
   createLocalBrowserReadCommand,
   createLocalBrowserWriteCommand,
   getLocalBrowserReadCommand,
@@ -131279,4 +132109,4 @@ undici/lib/web/fetch/body.js:
 undici/lib/web/websocket/frame.js:
   (*! ws. MIT License. Einar Otto Stangvik <einaros@gmail.com> *)
 */
-//# sourceMappingURL=chunk-D6CWF2IH.js.map
+//# sourceMappingURL=chunk-AUKY6FBC.js.map