@vm0/cli 9.20.2 → 9.22.0

package/index.js

@@ -1,5 +1,76 @@
 #!/usr/bin/env node
 
+// src/instrument.ts
+import * as Sentry from "@sentry/node";
+import * as os from "os";
+var DSN = process.env.SENTRY_DSN ?? "https://268d9b4cd051531805af76a5b3934dca@o4510583739777024.ingest.us.sentry.io/4510832047947776";
+var OPERATIONAL_ERROR_PATTERNS = [
+  // Authentication errors (user needs to login)
+  /not authenticated/i,
+  // Resource not found (user typo or deleted resource)
+  /not found/i,
+  /agent not found/i,
+  /version not found/i,
+  /checkpoint not found/i,
+  /session not found/i,
+  // File errors (user provided wrong path)
+  /file not found/i,
+  /environment file not found/i,
+  // Validation errors (user input issues)
+  /invalid format/i,
+  /invalid.*config/i,
+  // Rate limiting (expected operational condition)
+  /rate limit/i,
+  /concurrent run limit/i,
+  // Network issues (transient, not bugs)
+  /network error/i,
+  /network issue/i,
+  /connection refused/i,
+  /timeout/i,
+  /ECONNREFUSED/i,
+  /ETIMEDOUT/i,
+  // Permission/access errors (operational, not bugs)
+  /forbidden/i,
+  /access denied/i
+];
+function isOperationalError(error) {
+  if (!(error instanceof Error)) {
+    return false;
+  }
+  const message = error.message;
+  return OPERATIONAL_ERROR_PATTERNS.some((pattern) => pattern.test(message));
+}
+if (DSN) {
+  Sentry.init({
+    dsn: DSN,
+    sendDefaultPii: false,
+    tracesSampleRate: 0,
+    shutdownTimeout: 500,
+    initialScope: {
+      tags: {
+        app: "cli"
+      }
+    },
+    // Filter out operational errors - only send programmer errors (bugs)
+    beforeSend(event, hint) {
+      const error = hint.originalException;
+      if (isOperationalError(error)) {
+        return null;
+      }
+      return event;
+    }
+  });
+  Sentry.setContext("cli", {
+    version: "9.22.0",
+    command: process.argv.slice(2).join(" ")
+  });
+  Sentry.setContext("runtime", {
+    node_version: process.version,
+    os_platform: os.platform(),
+    os_release: os.release()
+  });
+}
+
 // src/index.ts
 import { Command as Command68 } from "commander";
 
@@ -2092,26 +2163,26 @@ var c13 = initContract();
 var MODEL_PROVIDER_TYPES = {
   "claude-code-oauth-token": {
     framework: "claude-code",
-    credentialName: "CLAUDE_CODE_OAUTH_TOKEN",
+    secretName: "CLAUDE_CODE_OAUTH_TOKEN",
     label: "Claude Code (OAuth Token)",
-    credentialLabel: "OAuth token",
+    secretLabel: "OAuth token",
     helpText: "To get your OAuth token, run: claude setup-token\n(Requires Claude Pro or Max subscription)"
   },
   "anthropic-api-key": {
     framework: "claude-code",
-    credentialName: "ANTHROPIC_API_KEY",
+    secretName: "ANTHROPIC_API_KEY",
     label: "Anthropic API Key",
-    credentialLabel: "API key",
+    secretLabel: "API key",
     helpText: "Get your API key at: https://console.anthropic.com/settings/keys"
   },
   "openrouter-api-key": {
     framework: "claude-code",
-    credentialName: "OPENROUTER_API_KEY",
+    secretName: "OPENROUTER_API_KEY",
     label: "OpenRouter",
-    credentialLabel: "API key",
+    secretLabel: "API key",
     helpText: "Get your API key at: https://openrouter.ai/settings/keys",
     environmentMapping: {
-      ANTHROPIC_AUTH_TOKEN: "$credential",
+      ANTHROPIC_AUTH_TOKEN: "$secret",
       ANTHROPIC_BASE_URL: "https://openrouter.ai/api",
       ANTHROPIC_API_KEY: "",
       ANTHROPIC_MODEL: "$model",
@@ -2129,12 +2200,12 @@ var MODEL_PROVIDER_TYPES = {
   },
   "moonshot-api-key": {
     framework: "claude-code",
-    credentialName: "MOONSHOT_API_KEY",
+    secretName: "MOONSHOT_API_KEY",
     label: "Moonshot (Kimi)",
-    credentialLabel: "API key",
+    secretLabel: "API key",
     helpText: "Get your API key at: https://platform.moonshot.ai/console/api-keys",
     environmentMapping: {
-      ANTHROPIC_AUTH_TOKEN: "$credential",
+      ANTHROPIC_AUTH_TOKEN: "$secret",
       ANTHROPIC_BASE_URL: "https://api.moonshot.ai/anthropic",
       ANTHROPIC_MODEL: "$model",
       ANTHROPIC_DEFAULT_OPUS_MODEL: "$model",
@@ -2151,12 +2222,12 @@ var MODEL_PROVIDER_TYPES = {
   },
   "minimax-api-key": {
     framework: "claude-code",
-    credentialName: "MINIMAX_API_KEY",
+    secretName: "MINIMAX_API_KEY",
     label: "MiniMax",
-    credentialLabel: "API key",
+    secretLabel: "API key",
     helpText: "Get your API key at: https://platform.minimax.io/user-center/basic-information/interface-key",
     environmentMapping: {
-      ANTHROPIC_AUTH_TOKEN: "$credential",
+      ANTHROPIC_AUTH_TOKEN: "$secret",
       ANTHROPIC_BASE_URL: "https://api.minimax.io/anthropic",
       ANTHROPIC_MODEL: "$model",
       ANTHROPIC_DEFAULT_OPUS_MODEL: "$model",
@@ -2171,12 +2242,12 @@ var MODEL_PROVIDER_TYPES = {
   },
   "deepseek-api-key": {
     framework: "claude-code",
-    credentialName: "DEEPSEEK_API_KEY",
+    secretName: "DEEPSEEK_API_KEY",
     label: "DeepSeek",
-    credentialLabel: "API key",
+    secretLabel: "API key",
     helpText: "Get your API key at: https://platform.deepseek.com/api_keys",
     environmentMapping: {
-      ANTHROPIC_AUTH_TOKEN: "$credential",
+      ANTHROPIC_AUTH_TOKEN: "$secret",
       ANTHROPIC_BASE_URL: "https://api.deepseek.com/anthropic",
       ANTHROPIC_MODEL: "$model",
       ANTHROPIC_DEFAULT_OPUS_MODEL: "$model",
@@ -2191,12 +2262,12 @@ var MODEL_PROVIDER_TYPES = {
   },
   "zai-api-key": {
     framework: "claude-code",
-    credentialName: "ZAI_API_KEY",
+    secretName: "ZAI_API_KEY",
     label: "Z.AI (GLM)",
-    credentialLabel: "API key",
+    secretLabel: "API key",
     helpText: "Get your API key at: https://z.ai/model-api",
     environmentMapping: {
-      ANTHROPIC_AUTH_TOKEN: "$credential",
+      ANTHROPIC_AUTH_TOKEN: "$secret",
       ANTHROPIC_BASE_URL: "https://api.z.ai/api/anthropic",
       ANTHROPIC_MODEL: "$model",
       ANTHROPIC_DEFAULT_OPUS_MODEL: "$model",
@@ -2216,7 +2287,7 @@ var MODEL_PROVIDER_TYPES = {
       "api-key": {
         label: "API Key",
         helpText: "Use an Azure Foundry API key for authentication",
-        credentials: {
+        secrets: {
           ANTHROPIC_FOUNDRY_API_KEY: {
             label: "ANTHROPIC_FOUNDRY_API_KEY",
             required: true,
@@ -2234,8 +2305,8 @@ var MODEL_PROVIDER_TYPES = {
     defaultAuthMethod: "api-key",
     environmentMapping: {
       CLAUDE_CODE_USE_FOUNDRY: "1",
-      ANTHROPIC_FOUNDRY_API_KEY: "$credentials.ANTHROPIC_FOUNDRY_API_KEY",
-      ANTHROPIC_FOUNDRY_RESOURCE: "$credentials.ANTHROPIC_FOUNDRY_RESOURCE",
+      ANTHROPIC_FOUNDRY_API_KEY: "$secrets.ANTHROPIC_FOUNDRY_API_KEY",
+      ANTHROPIC_FOUNDRY_RESOURCE: "$secrets.ANTHROPIC_FOUNDRY_RESOURCE",
       ANTHROPIC_MODEL: "$model"
     },
     models: [],
@@ -2246,12 +2317,12 @@ var MODEL_PROVIDER_TYPES = {
   "aws-bedrock": {
     framework: "claude-code",
     label: "AWS Bedrock",
-    helpText: "Run Claude on AWS Bedrock.\nSetup guide: https://docs.anthropic.com/en/docs/claude-code/bedrock",
+    helpText: "Run Claude on AWS Bedrock.\nSetup guide: https://code.claude.com/docs/en/amazon-bedrock",
     authMethods: {
       "api-key": {
         label: "Bedrock API Key",
         helpText: "Use a Bedrock API key for authentication",
-        credentials: {
+        secrets: {
           AWS_BEARER_TOKEN_BEDROCK: {
             label: "AWS_BEARER_TOKEN_BEDROCK",
             required: true,
@@ -2267,8 +2338,8 @@ var MODEL_PROVIDER_TYPES = {
       },
       "access-keys": {
         label: "IAM Access Keys",
-        helpText: "Use IAM access key credentials",
-        credentials: {
+        helpText: "Use IAM access key secrets",
+        secrets: {
           AWS_ACCESS_KEY_ID: {
             label: "AWS_ACCESS_KEY_ID",
             required: true,
@@ -2282,7 +2353,7 @@ var MODEL_PROVIDER_TYPES = {
           AWS_SESSION_TOKEN: {
             label: "AWS_SESSION_TOKEN",
             required: false,
-            helpText: "Optional, for temporary credentials"
+            helpText: "Optional, for temporary secrets"
           },
           AWS_REGION: {
             label: "AWS_REGION",
@@ -2296,11 +2367,11 @@ var MODEL_PROVIDER_TYPES = {
     defaultAuthMethod: "api-key",
     environmentMapping: {
       CLAUDE_CODE_USE_BEDROCK: "1",
-      AWS_REGION: "$credentials.AWS_REGION",
-      AWS_BEARER_TOKEN_BEDROCK: "$credentials.AWS_BEARER_TOKEN_BEDROCK",
-      AWS_ACCESS_KEY_ID: "$credentials.AWS_ACCESS_KEY_ID",
-      AWS_SECRET_ACCESS_KEY: "$credentials.AWS_SECRET_ACCESS_KEY",
-      AWS_SESSION_TOKEN: "$credentials.AWS_SESSION_TOKEN",
+      AWS_REGION: "$secrets.AWS_REGION",
+      AWS_BEARER_TOKEN_BEDROCK: "$secrets.AWS_BEARER_TOKEN_BEDROCK",
+      AWS_ACCESS_KEY_ID: "$secrets.AWS_ACCESS_KEY_ID",
+      AWS_SECRET_ACCESS_KEY: "$secrets.AWS_SECRET_ACCESS_KEY",
+      AWS_SESSION_TOKEN: "$secrets.AWS_SESSION_TOKEN",
       ANTHROPIC_MODEL: "$model"
     },
     models: [],
@@ -2333,13 +2404,13 @@ function getDefaultAuthMethod(type) {
   const config = MODEL_PROVIDER_TYPES[type];
   return "defaultAuthMethod" in config ? config.defaultAuthMethod : void 0;
 }
-function getCredentialsForAuthMethod(type, authMethod) {
+function getSecretsForAuthMethod(type, authMethod) {
   const authMethods = getAuthMethodsForType(type);
   if (!authMethods || !(authMethod in authMethods)) {
     return void 0;
   }
   const method = authMethods[authMethod];
-  return method?.credentials;
+  return method?.secrets;
 }
 function getModels(type) {
   const config = MODEL_PROVIDER_TYPES[type];
@@ -2365,11 +2436,11 @@ var modelProviderResponseSchema = z16.object({
   id: z16.string().uuid(),
   type: modelProviderTypeSchema,
   framework: modelProviderFrameworkSchema,
-  credentialName: z16.string().nullable(),
-  // Legacy single-credential (deprecated for multi-auth)
+  secretName: z16.string().nullable(),
+  // Legacy single-secret (deprecated for multi-auth)
   authMethod: z16.string().nullable(),
   // For multi-auth providers
-  credentialNames: z16.array(z16.string()).nullable(),
+  secretNames: z16.array(z16.string()).nullable(),
   // For multi-auth providers
   isDefault: z16.boolean(),
   selectedModel: z16.string().nullable(),
@@ -2381,23 +2452,21 @@ var modelProviderListResponseSchema = z16.object({
 });
 var upsertModelProviderRequestSchema = z16.object({
   type: modelProviderTypeSchema,
-  credential: z16.string().min(1).optional(),
-  // Legacy single credential
+  secret: z16.string().min(1).optional(),
+  // Legacy single secret
   authMethod: z16.string().optional(),
   // For multi-auth providers
-  credentials: z16.record(z16.string(), z16.string()).optional(),
+  secrets: z16.record(z16.string(), z16.string()).optional(),
   // For multi-auth providers
-  convert: z16.boolean().optional(),
   selectedModel: z16.string().optional()
 });
 var upsertModelProviderResponseSchema = z16.object({
   provider: modelProviderResponseSchema,
   created: z16.boolean()
 });
-var checkCredentialResponseSchema = z16.object({
+var checkSecretResponseSchema = z16.object({
   exists: z16.boolean(),
-  credentialName: z16.string(),
-  currentType: z16.enum(["user", "model-provider"]).optional()
+  secretName: z16.string()
 });
 var modelProvidersMainContract = c13.router({
   list: {
@@ -2436,11 +2505,11 @@ var modelProvidersCheckContract = c13.router({
       type: modelProviderTypeSchema
     }),
     responses: {
-      200: checkCredentialResponseSchema,
+      200: checkSecretResponseSchema,
       401: apiErrorSchema,
       500: apiErrorSchema
     },
-    summary: "Check if credential exists for a model provider type"
+    summary: "Check if secret exists for a model provider type"
   }
 });
 var modelProvidersByTypeContract = c13.router({
@@ -2476,7 +2545,7 @@ var modelProvidersConvertContract = c13.router({
       404: apiErrorSchema,
       500: apiErrorSchema
     },
-    summary: "Convert existing user credential to model provider"
+    summary: "Convert existing user secret to model provider"
   }
 });
 var modelProvidersSetDefaultContract = c13.router({
@@ -3627,13 +3696,14 @@ function getSkillStorageName(fullPath) {
 
 // ../../packages/core/src/github-url.ts
 function parseGitHubTreeUrl(url) {
-  const fullPathMatch = url.match(/^https:\/\/github\.com\/(.+)$/);
+  const normalizedUrl = url.replace(/\/+$/, "");
+  const fullPathMatch = normalizedUrl.match(/^https:\/\/github\.com\/(.+)$/);
   if (!fullPathMatch) {
     return null;
   }
   const fullPath = fullPathMatch[1];
   const regex = /^https:\/\/github\.com\/([^/]+)\/([^/]+)\/tree\/([^/]+)\/(.+)$/;
-  const match = url.match(regex);
+  const match = normalizedUrl.match(regex);
   if (!match) {
     return null;
   }
@@ -3649,6 +3719,39 @@ function parseGitHubTreeUrl(url) {
     fullPath
   };
 }
+function parseGitHubUrl(url) {
+  const normalizedUrl = url.replace(/\/+$/, "");
+  const fullPathMatch = normalizedUrl.match(/^https:\/\/github\.com\/(.+)$/);
+  if (!fullPathMatch) {
+    return null;
+  }
+  const fullPath = fullPathMatch[1];
+  const plainMatch = normalizedUrl.match(
+    /^https:\/\/github\.com\/([^/]+)\/([^/]+)$/
+  );
+  if (plainMatch) {
+    return {
+      owner: plainMatch[1],
+      repo: plainMatch[2],
+      branch: null,
+      path: null,
+      fullPath
+    };
+  }
+  const treeMatch = normalizedUrl.match(
+    /^https:\/\/github\.com\/([^/]+)\/([^/]+)\/tree\/([^/]+)(?:\/(.+))?$/
+  );
+  if (treeMatch) {
+    return {
+      owner: treeMatch[1],
+      repo: treeMatch[2],
+      branch: treeMatch[3],
+      path: treeMatch[4] ?? null,
+      fullPath
+    };
+  }
+  return null;
+}
 
 // ../../packages/core/src/frameworks.ts
 var SUPPORTED_FRAMEWORKS = ["claude-code", "codex"];
@@ -3710,9 +3813,10 @@ var FEATURE_SWITCHES = {
 
 // src/lib/api/core/client-factory.ts
 var ApiRequestError = class extends Error {
-  constructor(message, code) {
+  constructor(message, code, status) {
     super(message);
     this.code = code;
+    this.status = status;
     this.name = "ApiRequestError";
   }
 };
@@ -3742,11 +3846,27 @@ async function getClientConfig() {
   const baseHeaders = await getHeaders();
   return { baseUrl, baseHeaders, jsonQuery: true };
 }
-function handleError(result, defaultMessage) {
+function handleError(result, defaultMessage, options) {
+  if (!options?.useServerMessage) {
+    if (result.status === 401) {
+      throw new ApiRequestError(
+        "Not authenticated. Run: vm0 auth login",
+        "UNAUTHORIZED",
+        401
+      );
+    }
+    if (result.status === 403) {
+      throw new ApiRequestError(
+        "An unexpected network issue occurred",
+        "FORBIDDEN",
+        403
+      );
+    }
+  }
   const errorBody = result.body;
   const message = errorBody.error?.message || defaultMessage;
   const code = errorBody.error?.code || "UNKNOWN";
-  throw new ApiRequestError(message, code);
+  throw new ApiRequestError(message, code, result.status);
 }
 
 // src/lib/api/core/http.ts
@@ -3931,7 +4051,7 @@ async function getScope() {
   if (result.status === 200) {
     return result.body;
   }
-  handleError(result, "Failed to get scope");
+  handleError(result, "Failed to get scope", { useServerMessage: true });
 }
 async function createScope(body) {
   const config = await getClientConfig();
@@ -3940,7 +4060,7 @@ async function createScope(body) {
   if (result.status === 201) {
     return result.body;
   }
-  handleError(result, "Failed to create scope");
+  handleError(result, "Failed to create scope", { useServerMessage: true });
 }
 async function updateScope(body) {
   const config = await getClientConfig();
@@ -3949,7 +4069,7 @@ async function updateScope(body) {
   if (result.status === 200) {
     return result.body;
   }
-  handleError(result, "Failed to update scope");
+  handleError(result, "Failed to update scope", { useServerMessage: true });
 }
 
 // src/lib/api/domains/storages.ts
@@ -4187,7 +4307,7 @@ async function upsertModelProvider(body) {
   }
   handleError(result, "Failed to set model provider");
 }
-async function checkModelProviderCredential(type) {
+async function checkModelProviderSecret(type) {
   const config = await getClientConfig();
   const client = initClient9(modelProvidersCheckContract, config);
   const result = await client.check({
@@ -4196,7 +4316,7 @@ async function checkModelProviderCredential(type) {
   if (result.status === 200) {
     return result.body;
   }
-  handleError(result, "Failed to check credential");
+  handleError(result, "Failed to check secret");
 }
 async function deleteModelProvider(type) {
   const config = await getClientConfig();
@@ -4209,17 +4329,6 @@ async function deleteModelProvider(type) {
   }
   handleError(result, `Model provider "${type}" not found`);
 }
-async function convertModelProviderCredential(type) {
-  const config = await getClientConfig();
-  const client = initClient9(modelProvidersConvertContract, config);
-  const result = await client.convert({
-    params: { type }
-  });
-  if (result.status === 200) {
-    return result.body;
-  }
-  handleError(result, "Failed to convert credential");
-}
 async function setModelProviderDefault(type) {
   const config = await getClientConfig();
   const client = initClient9(modelProvidersSetDefaultContract, config);
@@ -4450,7 +4559,7 @@ function validateAgentCompose(config) {
 // src/lib/domain/github-skills.ts
 import * as fs from "fs/promises";
 import * as path from "path";
-import * as os from "os";
+import * as os2 from "os";
 import { exec } from "child_process";
 import { promisify } from "util";
 import { parse as parseYaml } from "yaml";
@@ -4470,7 +4579,7 @@ function getSkillStorageName2(parsed) {
 async function downloadGitHubSkill(parsed, destDir) {
   const repoUrl = `https://github.com/${parsed.owner}/${parsed.repo}.git`;
   const skillDir = path.join(destDir, parsed.skillName);
-  const tempDir = await fs.mkdtemp(path.join(os.tmpdir(), "vm0-skill-"));
+  const tempDir = await fs.mkdtemp(path.join(os2.tmpdir(), "vm0-skill-"));
   try {
     await execAsync(`git init`, { cwd: tempDir });
     await execAsync(`git remote add origin "${repoUrl}"`, { cwd: tempDir });
@@ -4489,10 +4598,41 @@ async function downloadGitHubSkill(parsed, destDir) {
     await fs.rm(tempDir, { recursive: true, force: true });
   }
 }
+async function getDefaultBranch(owner, repo) {
+  const repoUrl = `https://github.com/${owner}/${repo}.git`;
+  try {
+    const { stdout } = await execAsync(
+      `git ls-remote --symref "${repoUrl}" HEAD`
+    );
+    const match = stdout.match(/ref: refs\/heads\/([^\s]+)/);
+    if (!match) {
+      throw new Error(
+        `Could not determine default branch for ${owner}/${repo}`
+      );
+    }
+    return match[1];
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    if (message.includes("not found") || message.includes("Repository not found")) {
+      throw new Error(`Repository not found: ${owner}/${repo}`);
+    }
+    if (message.includes("Authentication failed") || message.includes("could not read Username")) {
+      throw new Error(
+        `Cannot access repository ${owner}/${repo}. Is it private?`
+      );
+    }
+    throw error;
+  }
+}
 async function downloadGitHubDirectory(url) {
-  const parsed = parseGitHubTreeUrl2(url);
+  const parsed = parseGitHubUrl(url);
+  if (!parsed) {
+    throw new Error(
+      `Invalid GitHub URL: ${url}. Expected format: https://github.com/{owner}/{repo}[/tree/{branch}[/path]]`
+    );
+  }
   const repoUrl = `https://github.com/${parsed.owner}/${parsed.repo}.git`;
-  const tempDir = await fs.mkdtemp(path.join(os.tmpdir(), "vm0-github-"));
+  const tempDir = await fs.mkdtemp(path.join(os2.tmpdir(), "vm0-github-"));
   try {
     try {
       await execAsync("git --version");
@@ -4501,13 +4641,15 @@ async function downloadGitHubDirectory(url) {
         "git command not found. Please install git to use GitHub URLs."
       );
     }
+    const branch = parsed.branch ?? await getDefaultBranch(parsed.owner, parsed.repo);
     await execAsync(`git init`, { cwd: tempDir });
     await execAsync(`git remote add origin "${repoUrl}"`, { cwd: tempDir });
     await execAsync(`git config core.sparseCheckout true`, { cwd: tempDir });
+    const sparsePattern = parsed.path ?? "/*";
     const sparseFile = path.join(tempDir, ".git", "info", "sparse-checkout");
-    await fs.writeFile(sparseFile, parsed.path + "\n");
+    await fs.writeFile(sparseFile, sparsePattern + "\n");
     try {
-      await execAsync(`git fetch --depth 1 origin "${parsed.branch}"`, {
+      await execAsync(`git fetch --depth 1 origin "${branch}"`, {
         cwd: tempDir
       });
     } catch (error) {
@@ -4516,15 +4658,14 @@ async function downloadGitHubDirectory(url) {
         throw new Error(`Cannot access repository. Is it private? URL: ${url}`);
       }
       if (message.includes("couldn't find remote ref")) {
-        throw new Error(
-          `Branch "${parsed.branch}" not found in repository: ${url}`
-        );
+        throw new Error(`Branch "${branch}" not found in repository: ${url}`);
       }
       throw error;
     }
-    await execAsync(`git checkout "${parsed.branch}"`, { cwd: tempDir });
+    await execAsync(`git checkout "${branch}"`, { cwd: tempDir });
+    const downloadedDir = parsed.path ? path.join(tempDir, parsed.path) : tempDir;
     return {
-      dir: path.join(tempDir, parsed.path),
+      dir: downloadedDir,
       tempRoot: tempDir
     };
   } catch (error) {
@@ -4577,13 +4718,13 @@ async function readSkillFrontmatter(skillDir) {
 // src/lib/storage/system-storage.ts
 import * as fs4 from "fs/promises";
 import * as path4 from "path";
-import * as os3 from "os";
+import * as os4 from "os";
 
 // src/lib/storage/direct-upload.ts
 import { createHash } from "crypto";
 import * as fs3 from "fs";
 import * as path3 from "path";
-import * as os2 from "os";
+import * as os3 from "os";
 import * as tar2 from "tar";
 
 // src/lib/utils/file-utils.ts
@@ -4746,7 +4887,7 @@ async function collectFileMetadata(cwd, files, onProgress) {
   return fileEntries;
 }
 async function createArchive(cwd, files) {
-  const tmpDir = fs3.mkdtempSync(path3.join(os2.tmpdir(), "vm0-"));
+  const tmpDir = fs3.mkdtempSync(path3.join(os3.tmpdir(), "vm0-"));
   const tarPath = path3.join(tmpDir, "archive.tar.gz");
   try {
     const relativePaths = files.map((file) => path3.relative(cwd, file));
@@ -4903,7 +5044,7 @@ async function uploadInstructions(agentName, instructionsFilePath, basePath, fra
   const storageName = getInstructionsStorageName(agentName.toLowerCase());
   const absolutePath = path4.isAbsolute(instructionsFilePath) ? instructionsFilePath : path4.join(basePath, instructionsFilePath);
   const content = await fs4.readFile(absolutePath, "utf8");
-  const tmpDir = await fs4.mkdtemp(path4.join(os3.tmpdir(), "vm0-instructions-"));
+  const tmpDir = await fs4.mkdtemp(path4.join(os4.tmpdir(), "vm0-instructions-"));
   const instructionsDir = path4.join(tmpDir, "instructions");
   await fs4.mkdir(instructionsDir);
   const filename = getInstructionsFilename(framework);
@@ -4922,7 +5063,7 @@ async function uploadInstructions(agentName, instructionsFilePath, basePath, fra
 async function uploadSkill(skillUrl) {
   const parsed = parseGitHubTreeUrl2(skillUrl);
   const storageName = getSkillStorageName2(parsed);
-  const tmpDir = await fs4.mkdtemp(path4.join(os3.tmpdir(), "vm0-skill-"));
+  const tmpDir = await fs4.mkdtemp(path4.join(os4.tmpdir(), "vm0-skill-"));
   try {
     const skillDir = await downloadGitHubSkill(parsed, tmpDir);
     await validateSkillDirectory(skillDir);
@@ -5207,17 +5348,23 @@ async function silentUpgradeAfterCommand(currentVersion) {
 
 // src/commands/compose/index.ts
 var DEFAULT_CONFIG_FILE = "vm0.yaml";
-function isGitHubTreeUrl(input) {
-  return input.startsWith("https://github.com/") && input.includes("/tree/");
+function isGitHubUrl(input) {
+  return /^https:\/\/github\.com\/[^/]+\/[^/]+/.test(input);
 }
 function getSecretsFromComposeContent(content) {
   const refs = extractVariableReferences(content);
   const grouped = groupVariablesBySource(refs);
   return new Set(grouped.secrets.map((r) => r.name));
 }
-async function loadAndValidateConfig(configFile) {
+async function loadAndValidateConfig(configFile, porcelainMode) {
   if (!existsSync4(configFile)) {
-    console.error(chalk4.red(`\u2717 Config file not found: ${configFile}`));
+    if (porcelainMode) {
+      console.log(
+        JSON.stringify({ error: `Config file not found: ${configFile}` })
+      );
+    } else {
+      console.error(chalk4.red(`\u2717 Config file not found: ${configFile}`));
+    }
     process.exit(1);
   }
   const content = await readFile4(configFile, "utf8");
@@ -5225,15 +5372,22 @@ async function loadAndValidateConfig(configFile) {
   try {
     config = parseYaml2(content);
   } catch (error) {
-    console.error(chalk4.red("\u2717 Invalid YAML format"));
-    if (error instanceof Error) {
-      console.error(chalk4.dim(`  ${error.message}`));
+    const message = error instanceof Error ? error.message : "Unknown error";
+    if (porcelainMode) {
+      console.log(JSON.stringify({ error: `Invalid YAML format: ${message}` }));
+    } else {
+      console.error(chalk4.red("\u2717 Invalid YAML format"));
+      console.error(chalk4.dim(`  ${message}`));
     }
     process.exit(1);
   }
   const validation = validateAgentCompose(config);
   if (!validation.valid) {
-    console.error(chalk4.red(`\u2717 ${validation.error}`));
+    if (porcelainMode) {
+      console.log(JSON.stringify({ error: validation.error }));
+    } else {
+      console.error(chalk4.red(`\u2717 ${validation.error}`));
+    }
     process.exit(1);
   }
   const cfg = config;
@@ -5269,33 +5423,43 @@ function checkLegacyImageFormat(config) {
     }
   }
 }
-async function uploadAssets(agentName, agent, basePath) {
+async function uploadAssets(agentName, agent, basePath, porcelainMode) {
   if (agent.instructions) {
-    console.log(`Uploading instructions: ${agent.instructions}`);
+    if (!porcelainMode) {
+      console.log(`Uploading instructions: ${agent.instructions}`);
+    }
     const result = await uploadInstructions(
       agentName,
       agent.instructions,
       basePath,
       agent.framework
     );
-    console.log(
-      chalk4.green(
-        `\u2713 Instructions ${result.action === "deduplicated" ? "(unchanged)" : "uploaded"}: ${result.versionId.slice(0, 8)}`
-      )
-    );
+    if (!porcelainMode) {
+      console.log(
+        chalk4.green(
+          `\u2713 Instructions ${result.action === "deduplicated" ? "(unchanged)" : "uploaded"}: ${result.versionId.slice(0, 8)}`
+        )
+      );
+    }
   }
   const skillResults = [];
   if (agent.skills && Array.isArray(agent.skills)) {
-    console.log(`Uploading ${agent.skills.length} skill(s)...`);
+    if (!porcelainMode) {
+      console.log(`Uploading ${agent.skills.length} skill(s)...`);
+    }
     for (const skillUrl of agent.skills) {
-      console.log(chalk4.dim(`  Downloading: ${skillUrl}`));
+      if (!porcelainMode) {
+        console.log(chalk4.dim(`  Downloading: ${skillUrl}`));
+      }
       const result = await uploadSkill(skillUrl);
       skillResults.push(result);
-      console.log(
-        chalk4.green(
-          `  \u2713 Skill ${result.action === "deduplicated" ? "(unchanged)" : "uploaded"}: ${result.skillName} (${result.versionId.slice(0, 8)})`
-        )
-      );
+      if (!porcelainMode) {
+        console.log(
+          chalk4.green(
+            `  \u2713 Skill ${result.action === "deduplicated" ? "(unchanged)" : "uploaded"}: ${result.skillName} (${result.versionId.slice(0, 8)})`
+          )
+        );
+      }
     }
   }
   return skillResults;
@@ -5341,36 +5505,48 @@ async function displayAndConfirmVariables(variables, options) {
   if (newSecrets.length === 0 && newVars.length === 0) {
     return true;
   }
-  console.log();
-  console.log(
-    chalk4.bold("Skills require the following environment variables:")
-  );
-  console.log();
-  if (newSecrets.length > 0) {
-    console.log(chalk4.cyan("  Secrets:"));
-    for (const [name, skills] of newSecrets) {
-      const isNew = trulyNewSecrets.includes(name);
-      const newMarker = isNew ? chalk4.yellow(" (new)") : "";
-      console.log(`    ${name.padEnd(24)}${newMarker} <- ${skills.join(", ")}`);
+  if (!options.porcelain) {
+    console.log();
+    console.log(
+      chalk4.bold("Skills require the following environment variables:")
+    );
+    console.log();
+    if (newSecrets.length > 0) {
+      console.log(chalk4.cyan("  Secrets:"));
+      for (const [name, skills] of newSecrets) {
+        const isNew = trulyNewSecrets.includes(name);
+        const newMarker = isNew ? chalk4.yellow(" (new)") : "";
+        console.log(
+          `    ${name.padEnd(24)}${newMarker} <- ${skills.join(", ")}`
+        );
+      }
     }
-  }
-  if (newVars.length > 0) {
-    console.log(chalk4.cyan("  Vars:"));
-    for (const [name, skills] of newVars) {
-      console.log(`    ${name.padEnd(24)} <- ${skills.join(", ")}`);
+    if (newVars.length > 0) {
+      console.log(chalk4.cyan("  Vars:"));
+      for (const [name, skills] of newVars) {
+        console.log(`    ${name.padEnd(24)} <- ${skills.join(", ")}`);
+      }
     }
+    console.log();
   }
-  console.log();
   if (trulyNewSecrets.length > 0 && !options.yes) {
     if (!isInteractive()) {
-      console.error(
-        chalk4.red(`\u2717 New secrets detected: ${trulyNewSecrets.join(", ")}`)
-      );
-      console.error(
-        chalk4.dim(
-          "  Use --yes flag to approve new secrets in non-interactive mode."
-        )
-      );
+      if (options.porcelain) {
+        console.log(
+          JSON.stringify({
+            error: `New secrets detected: ${trulyNewSecrets.join(", ")}. Use --yes flag to approve.`
+          })
+        );
+      } else {
+        console.error(
+          chalk4.red(`\u2717 New secrets detected: ${trulyNewSecrets.join(", ")}`)
+        );
+        console.error(
+          chalk4.dim(
+            "  Use --yes flag to approve new secrets in non-interactive mode."
+          )
+        );
+      }
       process.exit(1);
     }
     const confirmed = await promptConfirm(
@@ -5378,7 +5554,9 @@ async function displayAndConfirmVariables(variables, options) {
       true
     );
     if (!confirmed) {
-      console.log(chalk4.yellow("Compose cancelled"));
+      if (!options.porcelain) {
+        console.log(chalk4.yellow("Compose cancelled"));
+      }
       return false;
     }
   }
@@ -5406,57 +5584,94 @@ async function finalizeCompose(config, agent, variables, options) {
     process.exit(0);
   }
   mergeSkillVariables(agent, variables);
-  console.log("Uploading compose...");
+  if (!options.porcelain) {
+    console.log("Uploading compose...");
+  }
   const response = await createOrUpdateCompose({ content: config });
   const scopeResponse = await getScope();
   const shortVersionId = response.versionId.slice(0, 8);
   const displayName = `${scopeResponse.slug}/${response.name}`;
-  if (response.action === "created") {
-    console.log(chalk4.green(`\u2713 Compose created: ${displayName}`));
-  } else {
-    console.log(chalk4.green(`\u2713 Compose version exists: ${displayName}`));
+  const result = {
+    composeId: response.composeId,
+    composeName: response.name,
+    versionId: response.versionId,
+    action: response.action,
+    displayName
+  };
+  if (!options.porcelain) {
+    if (response.action === "created") {
+      console.log(chalk4.green(`\u2713 Compose created: ${displayName}`));
+    } else {
+      console.log(chalk4.green(`\u2713 Compose version exists: ${displayName}`));
+    }
+    console.log(chalk4.dim(`  Version: ${shortVersionId}`));
+    console.log();
+    console.log("  Run your agent:");
+    console.log(
+      chalk4.cyan(
+        `    vm0 run ${displayName}:${shortVersionId} --artifact-name <artifact> "your prompt"`
+      )
+    );
   }
-  console.log(chalk4.dim(`  Version: ${shortVersionId}`));
-  console.log();
-  console.log("  Run your agent:");
-  console.log(
-    chalk4.cyan(
-      `    vm0 run ${displayName}:${shortVersionId} --artifact-name <artifact> "your prompt"`
-    )
-  );
   if (options.autoUpdate !== false) {
-    await silentUpgradeAfterCommand("9.20.2");
+    await silentUpgradeAfterCommand("9.22.0");
   }
+  return result;
 }
 async function handleGitHubCompose(url, options) {
-  console.log(`Downloading from GitHub: ${url}`);
+  if (!options.porcelain) {
+    console.log(`Downloading from GitHub: ${url}`);
+  }
   const { dir: downloadedDir, tempRoot } = await downloadGitHubDirectory(url);
   const configFile = join6(downloadedDir, "vm0.yaml");
   try {
     if (!existsSync4(configFile)) {
-      console.error(chalk4.red(`\u2717 vm0.yaml not found in the GitHub directory`));
-      console.error(chalk4.dim(`  URL: ${url}`));
+      if (options.porcelain) {
+        console.log(
+          JSON.stringify({
+            error: "vm0.yaml not found in the GitHub directory"
+          })
+        );
+      } else {
+        console.error(
+          chalk4.red(`\u2717 vm0.yaml not found in the GitHub directory`)
+        );
+        console.error(chalk4.dim(`  URL: ${url}`));
+      }
       process.exit(1);
     }
-    const { config, agentName, agent, basePath } = await loadAndValidateConfig(configFile);
+    const { config, agentName, agent, basePath } = await loadAndValidateConfig(
+      configFile,
+      options.porcelain
+    );
     const existingCompose = await getComposeByName(agentName);
     if (existingCompose) {
-      console.log();
-      console.log(
-        chalk4.yellow(`\u26A0 An agent named "${agentName}" already exists.`)
-      );
+      if (!options.porcelain) {
+        console.log();
+        console.log(
+          chalk4.yellow(`\u26A0 An agent named "${agentName}" already exists.`)
+        );
+      }
       if (!isInteractive()) {
         if (!options.yes) {
-          console.error(
-            chalk4.red(
-              `\u2717 Cannot overwrite existing agent in non-interactive mode`
-            )
-          );
-          console.error(
-            chalk4.dim(
-              `  Use --yes flag to confirm overwriting the existing agent.`
-            )
-          );
+          if (options.porcelain) {
+            console.log(
+              JSON.stringify({
+                error: "Cannot overwrite existing agent in non-interactive mode"
+              })
+            );
+          } else {
+            console.error(
+              chalk4.red(
+                `\u2717 Cannot overwrite existing agent in non-interactive mode`
+              )
+            );
+            console.error(
+              chalk4.dim(
+                `  Use --yes flag to confirm overwriting the existing agent.`
+              )
+            );
+          }
           process.exit(1);
         }
       } else {
@@ -5465,31 +5680,48 @@ async function handleGitHubCompose(url, options) {
           false
         );
         if (!confirmed) {
-          console.log(chalk4.yellow("Compose cancelled."));
+          if (!options.porcelain) {
+            console.log(chalk4.yellow("Compose cancelled."));
+          }
           process.exit(0);
         }
       }
     }
     if (hasVolumes(config)) {
-      console.error(
-        chalk4.red(`\u2717 Volumes are not supported for GitHub URL compose`)
-      );
-      console.error(
-        chalk4.dim(
-          `  Clone the repository locally and run: vm0 compose ./path/to/vm0.yaml`
-        )
-      );
+      if (options.porcelain) {
+        console.log(
+          JSON.stringify({
+            error: "Volumes are not supported for GitHub URL compose"
+          })
+        );
+      } else {
+        console.error(
+          chalk4.red(`\u2717 Volumes are not supported for GitHub URL compose`)
+        );
+        console.error(
+          chalk4.dim(
+            `  Clone the repository locally and run: vm0 compose ./path/to/vm0.yaml`
+          )
+        );
+      }
       process.exit(1);
     }
-    checkLegacyImageFormat(config);
-    const skillResults = await uploadAssets(agentName, agent, basePath);
+    if (!options.porcelain) {
+      checkLegacyImageFormat(config);
+    }
+    const skillResults = await uploadAssets(
+      agentName,
+      agent,
+      basePath,
+      options.porcelain
+    );
     const environment = agent.environment || {};
     const variables = await collectSkillVariables(
       skillResults,
       environment,
       agentName
     );
-    await finalizeCompose(config, agent, variables, options);
+    return await finalizeCompose(config, agent, variables, options);
   } finally {
     await rm3(tempRoot, { recursive: true, force: true });
   }
@@ -5500,42 +5732,73 @@ var composeCommand = new Command7().name("compose").description("Create or updat
 ).option("-y, --yes", "Skip confirmation prompts for skill requirements").option(
   "--experimental-shared-compose",
   "Enable GitHub URL compose (experimental)"
+).option(
+  "--porcelain",
+  "Output stable JSON for scripts (suppresses interactive output)"
 ).addOption(new Option("--no-auto-update").hideHelp()).action(
   async (configFile, options) => {
     const resolvedConfigFile = configFile ?? DEFAULT_CONFIG_FILE;
+    if (options.porcelain) {
+      options.yes = true;
+      options.autoUpdate = false;
+    }
     try {
-      if (isGitHubTreeUrl(resolvedConfigFile)) {
+      let result;
+      if (isGitHubUrl(resolvedConfigFile)) {
         if (!options.experimentalSharedCompose) {
-          console.error(
-            chalk4.red(
-              "\u2717 Composing shared agents requires --experimental-shared-compose flag"
-            )
-          );
-          console.error();
-          console.error(
-            chalk4.dim(
-              "  Composing agents from other users carries security risks."
-            )
-          );
-          console.error(
-            chalk4.dim("  Only compose agents from users you trust.")
-          );
+          if (options.porcelain) {
+            console.log(
+              JSON.stringify({
+                error: "Composing shared agents requires --experimental-shared-compose flag"
+              })
+            );
+          } else {
+            console.error(
+              chalk4.red(
+                "\u2717 Composing shared agents requires --experimental-shared-compose flag"
+              )
+            );
+            console.error();
+            console.error(
+              chalk4.dim(
+                "  Composing agents from other users carries security risks."
+              )
+            );
+            console.error(
+              chalk4.dim("  Only compose agents from users you trust.")
+            );
+          }
           process.exit(1);
         }
-        await handleGitHubCompose(resolvedConfigFile, options);
+        result = await handleGitHubCompose(resolvedConfigFile, options);
       } else {
-        const { config, agentName, agent, basePath } = await loadAndValidateConfig(resolvedConfigFile);
-        checkLegacyImageFormat(config);
-        const skillResults = await uploadAssets(agentName, agent, basePath);
+        const { config, agentName, agent, basePath } = await loadAndValidateConfig(resolvedConfigFile, options.porcelain);
+        if (!options.porcelain) {
+          checkLegacyImageFormat(config);
+        }
+        const skillResults = await uploadAssets(
+          agentName,
+          agent,
+          basePath,
+          options.porcelain
+        );
         const environment = agent.environment || {};
         const variables = await collectSkillVariables(
           skillResults,
           environment,
           agentName
         );
-        await finalizeCompose(config, agent, variables, options);
+        result = await finalizeCompose(config, agent, variables, options);
+      }
+      if (options.porcelain) {
+        console.log(JSON.stringify(result));
       }
     } catch (error) {
+      if (options.porcelain) {
+        const message = error instanceof Error ? error.message : "An unexpected error occurred";
+        console.log(JSON.stringify({ error: message }));
+        process.exit(1);
+      }
       if (error instanceof Error) {
         if (error.message.includes("Not authenticated")) {
           console.error(
@@ -7793,7 +8056,7 @@ var mainRunCommand = new Command8().name("run").description("Run an agent").argu
       }
       showNextSteps(result);
       if (options.autoUpdate !== false) {
-        await silentUpgradeAfterCommand("9.20.2");
+        await silentUpgradeAfterCommand("9.22.0");
       }
     } catch (error) {
       handleRunError(error, identifier);
@@ -8238,7 +8501,7 @@ import { Command as Command15 } from "commander";
 import chalk17 from "chalk";
 import path7 from "path";
 import * as fs6 from "fs";
-import * as os4 from "os";
+import * as os5 from "os";
 import * as tar3 from "tar";
 
 // src/lib/storage/pull-utils.ts
@@ -8290,7 +8553,7 @@ var pullCommand = new Command15().name("pull").description("Pull cloud files to
     const arrayBuffer = await s3Response.arrayBuffer();
     const tarBuffer = Buffer.from(arrayBuffer);
     console.log(chalk17.green(`\u2713 Downloaded ${formatBytes(tarBuffer.length)}`));
-    const tmpDir = fs6.mkdtempSync(path7.join(os4.tmpdir(), "vm0-"));
+    const tmpDir = fs6.mkdtempSync(path7.join(os5.tmpdir(), "vm0-"));
     const tarPath = path7.join(tmpDir, "volume.tar.gz");
     await fs6.promises.writeFile(tarPath, tarBuffer);
     console.log(chalk17.dim("Syncing local files..."));
@@ -8439,7 +8702,7 @@ import chalk21 from "chalk";
 import chalk20 from "chalk";
 import path8 from "path";
 import * as fs7 from "fs";
-import * as os5 from "os";
+import * as os6 from "os";
 import * as tar4 from "tar";
 async function cloneStorage(name, type, destination, options = {}) {
   const typeLabel = type === "artifact" ? "artifact" : "volume";
@@ -8479,7 +8742,7 @@ async function cloneStorage(name, type, destination, options = {}) {
   const arrayBuffer = await s3Response.arrayBuffer();
   const tarBuffer = Buffer.from(arrayBuffer);
   console.log(chalk20.green(`\u2713 Downloaded ${formatBytes(tarBuffer.length)}`));
-  const tmpDir = fs7.mkdtempSync(path8.join(os5.tmpdir(), "vm0-clone-"));
+  const tmpDir = fs7.mkdtempSync(path8.join(os6.tmpdir(), "vm0-clone-"));
   const tarPath = path8.join(tmpDir, "archive.tar.gz");
   await fs7.promises.writeFile(tarPath, tarBuffer);
   const files = await listTarFiles(tarPath);
@@ -8680,7 +8943,7 @@ import { Command as Command22 } from "commander";
 import chalk24 from "chalk";
 import path10 from "path";
 import * as fs8 from "fs";
-import * as os6 from "os";
+import * as os7 from "os";
 import * as tar5 from "tar";
 var pullCommand2 = new Command22().name("pull").description("Pull cloud artifact to local directory").argument("[versionId]", "Version ID to pull (default: latest)").action(async (versionId) => {
   try {
@@ -8727,7 +8990,7 @@ var pullCommand2 = new Command22().name("pull").description("Pull cloud artifact
     const arrayBuffer = await s3Response.arrayBuffer();
     const tarBuffer = Buffer.from(arrayBuffer);
     console.log(chalk24.green(`\u2713 Downloaded ${formatBytes(tarBuffer.length)}`));
-    const tmpDir = fs8.mkdtempSync(path10.join(os6.tmpdir(), "vm0-"));
+    const tmpDir = fs8.mkdtempSync(path10.join(os7.tmpdir(), "vm0-"));
     const tarPath = path10.join(tmpDir, "artifact.tar.gz");
     await fs8.promises.writeFile(tarPath, tarBuffer);
     console.log(chalk24.dim("Syncing local files..."));
@@ -9300,7 +9563,7 @@ var cookAction = new Command27().name("cook").description("Quick start: prepare,
 ).option("-y, --yes", "Skip confirmation prompts").option("-v, --verbose", "Show full tool inputs and outputs").addOption(new Option5("--debug-no-mock-claude").hideHelp()).addOption(new Option5("--no-auto-update").hideHelp()).action(
   async (prompt, options) => {
     if (options.autoUpdate !== false) {
-      const shouldExit = await checkAndUpgrade("9.20.2", prompt);
+      const shouldExit = await checkAndUpgrade("9.22.0", prompt);
       if (shouldExit) {
         process.exit(0);
       }
@@ -10049,7 +10312,7 @@ import chalk38 from "chalk";
 // src/lib/domain/source-derivation.ts
 import * as fs9 from "fs/promises";
 import * as path14 from "path";
-import * as os7 from "os";
+import * as os8 from "os";
 async function fetchSkillFrontmatter(skillUrl, tempDir) {
   try {
     const parsed = parseGitHubTreeUrl2(skillUrl);
@@ -10089,7 +10352,7 @@ async function deriveAgentVariableSources(agent, options) {
     };
   }
   const tempDir = await fs9.mkdtemp(
-    path14.join(os7.tmpdir(), "vm0-source-derivation-")
+    path14.join(os8.tmpdir(), "vm0-source-derivation-")
   );
   try {
     const skillResults = await Promise.all(
@@ -11840,7 +12103,7 @@ var listCommand6 = new Command53().name("list").alias("ls").description("List al
       console.log(chalk53.dim("No secrets found"));
       console.log();
       console.log("To add a secret:");
-      console.log(chalk53.cyan("  vm0 secret set MY_API_KEY <value>"));
+      console.log(chalk53.cyan("  vm0 secret set MY_API_KEY --body <value>"));
       return;
     }
     console.log(chalk53.bold("Secrets:"));
@@ -11874,9 +12137,32 @@ var listCommand6 = new Command53().name("list").alias("ls").description("List al
 // src/commands/secret/set.ts
 import { Command as Command54 } from "commander";
 import chalk54 from "chalk";
-var setCommand2 = new Command54().name("set").description("Create or update a secret").argument("<name>", "Secret name (uppercase, e.g., MY_API_KEY)").argument("<value>", "Secret value").option("-d, --description <description>", "Optional description").action(
-  async (name, value, options) => {
+var setCommand2 = new Command54().name("set").description("Create or update a secret").argument("<name>", "Secret name (uppercase, e.g., MY_API_KEY)").option(
+  "-b, --body <value>",
+  "Secret value (required in non-interactive mode)"
+).option("-d, --description <description>", "Optional description").action(
+  async (name, options) => {
     try {
+      let value;
+      if (options.body !== void 0) {
+        value = options.body;
+      } else if (isInteractive()) {
+        const prompted = await promptPassword("Enter secret value:");
+        if (prompted === void 0) {
+          process.exit(0);
+        }
+        value = prompted;
+      } else {
+        console.error(
+          chalk54.red("\u2717 --body is required in non-interactive mode")
+        );
+        console.log();
+        console.log("Usage:");
+        console.log(
+          chalk54.cyan(`  vm0 secret set ${name} --body "your-secret-value"`)
+        );
+        process.exit(1);
+      }
       const secret = await setSecret({
         name,
         value,
@@ -12203,63 +12489,61 @@ function validateAuthMethod(type, authMethodStr) {
   }
   return authMethodStr;
 }
-function parseCredentials(type, authMethod, credentialArgs) {
-  const credentialsConfig = getCredentialsForAuthMethod(type, authMethod);
-  if (!credentialsConfig) {
+function parseSecrets(type, authMethod, secretArgs) {
+  const secretsConfig = getSecretsForAuthMethod(type, authMethod);
+  if (!secretsConfig) {
     console.error(chalk60.red(`\u2717 Invalid auth method "${authMethod}"`));
     process.exit(1);
   }
-  const credentialNames = Object.keys(credentialsConfig);
-  const firstArg = credentialArgs[0];
-  if (credentialArgs.length === 1 && firstArg && !firstArg.includes("=")) {
-    if (credentialNames.length !== 1) {
+  const secretNames = Object.keys(secretsConfig);
+  const firstArg = secretArgs[0];
+  if (secretArgs.length === 1 && firstArg && !firstArg.includes("=")) {
+    if (secretNames.length !== 1) {
       console.error(
-        chalk60.red(
-          "\u2717 Must use KEY=VALUE format for multi-credential auth methods"
-        )
+        chalk60.red("\u2717 Must use KEY=VALUE format for multi-secret auth methods")
       );
       console.log();
-      console.log("Required credentials:");
-      for (const [name, fieldConfig] of Object.entries(credentialsConfig)) {
+      console.log("Required secrets:");
+      for (const [name, fieldConfig] of Object.entries(secretsConfig)) {
         const requiredNote = fieldConfig.required ? " (required)" : "";
         console.log(`  ${chalk60.cyan(name)}${requiredNote}`);
       }
       process.exit(1);
     }
-    const firstCredentialName = credentialNames[0];
-    if (!firstCredentialName) {
-      console.error(chalk60.red("\u2717 No credentials defined for this auth method"));
+    const firstSecretName = secretNames[0];
+    if (!firstSecretName) {
+      console.error(chalk60.red("\u2717 No secrets defined for this auth method"));
       process.exit(1);
     }
-    return { [firstCredentialName]: firstArg };
+    return { [firstSecretName]: firstArg };
   }
-  const credentials = {};
-  for (const arg of credentialArgs) {
+  const secrets = {};
+  for (const arg of secretArgs) {
     const eqIndex = arg.indexOf("=");
     if (eqIndex === -1) {
-      console.error(chalk60.red(`\u2717 Invalid credential format "${arg}"`));
+      console.error(chalk60.red(`\u2717 Invalid secret format "${arg}"`));
       console.log();
       console.log("Use KEY=VALUE format (e.g., AWS_REGION=us-east-1)");
       process.exit(1);
     }
     const key = arg.slice(0, eqIndex);
     const value = arg.slice(eqIndex + 1);
-    credentials[key] = value;
+    secrets[key] = value;
   }
-  return credentials;
+  return secrets;
 }
-function validateCredentials(type, authMethod, credentials) {
-  const credentialsConfig = getCredentialsForAuthMethod(type, authMethod);
-  if (!credentialsConfig) {
+function validateSecrets(type, authMethod, secrets) {
+  const secretsConfig = getSecretsForAuthMethod(type, authMethod);
+  if (!secretsConfig) {
     console.error(chalk60.red(`\u2717 Invalid auth method "${authMethod}"`));
     process.exit(1);
   }
-  for (const [name, fieldConfig] of Object.entries(credentialsConfig)) {
-    if (fieldConfig.required && !credentials[name]) {
-      console.error(chalk60.red(`\u2717 Missing required credential: ${name}`));
+  for (const [name, fieldConfig] of Object.entries(secretsConfig)) {
+    if (fieldConfig.required && !secrets[name]) {
+      console.error(chalk60.red(`\u2717 Missing required secret: ${name}`));
       console.log();
-      console.log("Required credentials:");
-      for (const [n, fc] of Object.entries(credentialsConfig)) {
+      console.log("Required secrets:");
+      for (const [n, fc] of Object.entries(secretsConfig)) {
         if (fc.required) {
           console.log(`  ${chalk60.cyan(n)} - ${fc.label}`);
         }
@@ -12267,12 +12551,12 @@ function validateCredentials(type, authMethod, credentials) {
       process.exit(1);
     }
   }
-  for (const name of Object.keys(credentials)) {
-    if (!(name in credentialsConfig)) {
-      console.error(chalk60.red(`\u2717 Unknown credential: ${name}`));
+  for (const name of Object.keys(secrets)) {
+    if (!(name in secretsConfig)) {
+      console.error(chalk60.red(`\u2717 Unknown secret: ${name}`));
       console.log();
-      console.log("Valid credentials:");
-      for (const [n, fc] of Object.entries(credentialsConfig)) {
+      console.log("Valid secrets:");
+      for (const [n, fc] of Object.entries(secretsConfig)) {
         const requiredNote = fc.required ? " (required)" : " (optional)";
         console.log(`  ${chalk60.cyan(n)}${requiredNote}`);
       }
@@ -12321,37 +12605,37 @@ function handleNonInteractiveMode(options) {
         console.log("Example:");
         console.log(
           chalk60.cyan(
-            `  vm0 model-provider setup --type ${type} --auth-method ${authMethodNames[0]} --credential KEY=VALUE`
+            `  vm0 model-provider setup --type ${type} --auth-method ${authMethodNames[0]} --secret KEY=VALUE`
           )
         );
         process.exit(1);
       }
     }
-    const credentials = parseCredentials(type, authMethod, options.credential);
-    validateCredentials(type, authMethod, credentials);
+    const secrets = parseSecrets(type, authMethod, options.secret);
+    validateSecrets(type, authMethod, secrets);
     return {
       type,
       authMethod,
-      credentials,
+      secrets,
       selectedModel,
       isInteractiveMode: false
     };
   }
-  const credentialArgs = options.credential;
-  const firstArg = credentialArgs[0];
+  const secretArgs = options.secret;
+  const firstArg = secretArgs[0];
   if (!firstArg) {
-    console.error(chalk60.red("\u2717 Credential is required"));
+    console.error(chalk60.red("\u2717 Secret is required"));
     process.exit(1);
   }
-  let credential;
+  let secret;
   if (firstArg.includes("=")) {
-    credential = firstArg.slice(firstArg.indexOf("=") + 1);
+    secret = firstArg.slice(firstArg.indexOf("=") + 1);
   } else {
-    credential = firstArg;
+    secret = firstArg;
   }
   return {
     type,
-    credential,
+    secret,
     selectedModel,
     isInteractiveMode: false
   };
@@ -12425,29 +12709,29 @@ async function promptForAuthMethod(type) {
   );
   return response.authMethod;
 }
-function isSecretCredential(name) {
+function isSensitiveSecret(name) {
   const nonSecretPatterns = ["REGION", "ENDPOINT", "URL"];
   return !nonSecretPatterns.some(
     (pattern) => name.toUpperCase().includes(pattern)
   );
 }
-async function promptForCredentials(type, authMethod) {
-  const credentialsConfig = getCredentialsForAuthMethod(type, authMethod);
-  if (!credentialsConfig) {
+async function promptForSecrets(type, authMethod) {
+  const secretsConfig = getSecretsForAuthMethod(type, authMethod);
+  if (!secretsConfig) {
     console.error(chalk60.red(`\u2717 Invalid auth method "${authMethod}"`));
     process.exit(1);
   }
-  const credentials = {};
-  for (const [name, fieldConfig] of Object.entries(credentialsConfig)) {
+  const secrets = {};
+  for (const [name, fieldConfig] of Object.entries(secretsConfig)) {
     if (fieldConfig.helpText) {
       console.log(chalk60.dim(fieldConfig.helpText));
     }
-    const isSecret = isSecretCredential(name);
+    const isSensitive = isSensitiveSecret(name);
     const placeholder = "placeholder" in fieldConfig ? fieldConfig.placeholder : "";
     if (fieldConfig.required) {
       const response = await prompts2(
         {
-          type: isSecret ? "password" : "text",
+          type: isSensitive ? "password" : "text",
           name: "value",
           message: `${fieldConfig.label}:`,
           initial: placeholder ? "" : void 0,
@@ -12455,11 +12739,11 @@ async function promptForCredentials(type, authMethod) {
         },
         { onCancel: () => process.exit(0) }
       );
-      credentials[name] = response.value;
+      secrets[name] = response.value;
     } else {
       const response = await prompts2(
         {
-          type: isSecret ? "password" : "text",
+          type: isSensitive ? "password" : "text",
           name: "value",
           message: `${fieldConfig.label} (optional):`
         },
@@ -12467,11 +12751,11 @@ async function promptForCredentials(type, authMethod) {
       );
       const value = response.value;
       if (value && value.trim()) {
-        credentials[name] = value.trim();
+        secrets[name] = value.trim();
       }
     }
   }
-  return credentials;
+  return secrets;
 }
 async function handleInteractiveMode() {
   if (!isInteractive()) {
@@ -12479,9 +12763,7 @@ async function handleInteractiveMode() {
     console.log();
     console.log("Use non-interactive mode:");
     console.log(
-      chalk60.cyan(
-        '  vm0 model-provider setup --type <type> --credential "<value>"'
-      )
+      chalk60.cyan('  vm0 model-provider setup --type <type> --secret "<value>"')
     );
     process.exit(1);
   }
@@ -12514,32 +12796,8 @@ async function handleInteractiveMode() {
     { onCancel: () => process.exit(0) }
   );
   const type = typeResponse.type;
-  const checkResult = await checkModelProviderCredential(type);
-  if (checkResult.exists && checkResult.currentType === "user") {
-    const convertResponse = await prompts2(
-      {
-        type: "confirm",
-        name: "convert",
-        message: `Credential "${checkResult.credentialName}" already exists. Convert to model provider?`,
-        initial: true
-      },
-      { onCancel: () => process.exit(0) }
-    );
-    if (convertResponse.convert) {
-      const provider = await convertModelProviderCredential(type);
-      const defaultNote = provider.isDefault ? ` (default for ${provider.framework})` : "";
-      console.log(
-        chalk60.green(
-          `\u2713 Converted "${checkResult.credentialName}" to model provider${defaultNote}`
-        )
-      );
-      await promptSetAsDefault(type, provider.framework, provider.isDefault);
-      return null;
-    }
-    console.log(chalk60.dim("Aborted"));
-    process.exit(0);
-  }
-  if (checkResult.exists && checkResult.currentType === "model-provider") {
+  const checkResult = await checkModelProviderSecret(type);
+  if (checkResult.exists) {
     console.log();
     console.log(`"${type}" is already configured.`);
     console.log();
@@ -12549,8 +12807,8 @@ async function handleInteractiveMode() {
         name: "action",
         message: "",
         choices: [
-          { title: "Keep existing credential", value: "keep" },
-          { title: "Update credential", value: "update" }
+          { title: "Keep existing secret", value: "keep" },
+          { title: "Update secret", value: "update" }
         ]
       },
       { onCancel: () => process.exit(0) }
@@ -12559,7 +12817,7 @@ async function handleInteractiveMode() {
       const selectedModel2 = await promptForModelSelection(type);
       return {
         type,
-        keepExistingCredential: true,
+        keepExistingSecret: true,
         selectedModel: selectedModel2,
         isInteractiveMode: true
       };
@@ -12571,38 +12829,33 @@ async function handleInteractiveMode() {
   console.log();
   if (hasAuthMethods(type)) {
     const authMethod = await promptForAuthMethod(type);
-    const credentials = await promptForCredentials(type, authMethod);
+    const secrets = await promptForSecrets(type, authMethod);
     const selectedModel2 = await promptForModelSelection(type);
     return {
       type,
       authMethod,
-      credentials,
+      secrets,
       selectedModel: selectedModel2,
       isInteractiveMode: true
     };
   }
-  const credentialLabel = "credentialLabel" in config ? config.credentialLabel : "credential";
-  const credentialResponse = await prompts2(
+  const secretLabel = "secretLabel" in config ? config.secretLabel : "secret";
+  const secretResponse = await prompts2(
     {
       type: "password",
-      name: "credential",
-      message: `Enter your ${credentialLabel}:`,
-      validate: (value) => value.length > 0 || `${credentialLabel} is required`
+      name: "secret",
+      message: `Enter your ${secretLabel}:`,
+      validate: (value) => value.length > 0 || `${secretLabel} is required`
     },
     { onCancel: () => process.exit(0) }
   );
-  const credential = credentialResponse.credential;
+  const secret = secretResponse.secret;
   const selectedModel = await promptForModelSelection(type);
-  return { type, credential, selectedModel, isInteractiveMode: true };
+  return { type, secret, selectedModel, isInteractiveMode: true };
 }
 function handleSetupError2(error) {
   if (error instanceof Error) {
-    if (error.message.includes("already exists")) {
-      console.error(chalk60.red(`\u2717 ${error.message}`));
-      console.log();
-      console.log("To convert the existing credential, run:");
-      console.log(chalk60.cyan("  vm0 model-provider setup --convert"));
-    } else if (error.message.includes("Not authenticated")) {
+    if (error.message.includes("Not authenticated")) {
       console.error(chalk60.red("\u2717 Not authenticated. Run: vm0 auth login"));
     } else {
       console.error(chalk60.red(`\u2717 ${error.message}`));
@@ -12628,34 +12881,31 @@ async function promptSetAsDefault(type, framework, isDefault) {
     console.log(chalk60.green(`\u2713 Default for ${framework} set to "${type}"`));
   }
 }
-function collectCredentials(value, previous) {
+function collectSecrets(value, previous) {
   return previous.concat([value]);
 }
 var setupCommand2 = new Command62().name("setup").description("Configure a model provider").option("-t, --type <type>", "Provider type (for non-interactive mode)").option(
-  "-c, --credential <value>",
-  "Credential value (can be used multiple times, supports VALUE or KEY=VALUE format)",
-  collectCredentials,
+  "-s, --secret <value>",
+  "Secret value (can be used multiple times, supports VALUE or KEY=VALUE format)",
+  collectSecrets,
   []
 ).option(
   "-a, --auth-method <method>",
   "Auth method (required for multi-auth providers like aws-bedrock)"
-).option("-m, --model <model>", "Model selection (for non-interactive mode)").option("--convert", "Convert existing user credential to model provider").action(
+).option("-m, --model <model>", "Model selection (for non-interactive mode)").action(
   async (options) => {
     try {
       let input;
-      const shouldConvert = options.convert ?? false;
-      const credentialArgs = options.credential ?? [];
-      if (options.type && credentialArgs.length > 0) {
+      const secretArgs = options.secret ?? [];
+      if (options.type && secretArgs.length > 0) {
         input = handleNonInteractiveMode({
           type: options.type,
-          credential: credentialArgs,
+          secret: secretArgs,
           authMethod: options.authMethod,
           model: options.model
         });
-      } else if (options.type || credentialArgs.length > 0) {
-        console.error(
-          chalk60.red("\u2717 Both --type and --credential are required")
-        );
+      } else if (options.type || secretArgs.length > 0) {
+        console.error(chalk60.red("\u2717 Both --type and --secret are required"));
         process.exit(1);
       } else {
         const result = await handleInteractiveMode();
@@ -12664,7 +12914,7 @@ var setupCommand2 = new Command62().name("setup").description("Configure a model
         }
         input = result;
       }
-      if (input.keepExistingCredential) {
+      if (input.keepExistingSecret) {
         const provider2 = await updateModelProviderModel(
           input.type,
           input.selectedModel
@@ -12693,10 +12943,9 @@ var setupCommand2 = new Command62().name("setup").description("Configure a model
       }
       const { provider, created } = await upsertModelProvider({
         type: input.type,
-        credential: input.credential,
+        secret: input.secret,
         authMethod: input.authMethod,
-        credentials: input.credentials,
-        convert: shouldConvert,
+        secrets: input.secrets,
         selectedModel: input.selectedModel
       });
       const action = created ? "created" : "updated";
@@ -13030,17 +13279,16 @@ function getProviderChoices() {
       type,
       label: config.label,
       helpText: config.helpText,
-      credentialLabel: "credentialLabel" in config ? config.credentialLabel : "",
+      secretLabel: "secretLabel" in config ? config.secretLabel : "",
       models: getModels(type),
       defaultModel: getDefaultModel(type)
     };
   });
 }
-async function setupModelProvider(type, credential, options) {
+async function setupModelProvider(type, secret, options) {
   const response = await upsertModelProvider({
     type,
-    credential,
-    convert: options?.convert,
+    secret,
     selectedModel: options?.selectedModel
   });
   return {
@@ -13231,12 +13479,10 @@ async function handleModelProvider(ctx) {
         step.detail(chalk66.dim(line));
       }
     }
-    const credential = await step.prompt(
-      () => promptPassword(
-        `Enter your ${selectedChoice?.credentialLabel ?? "credential"}:`
-      )
+    const secret = await step.prompt(
+      () => promptPassword(`Enter your ${selectedChoice?.secretLabel ?? "secret"}:`)
     );
-    if (!credential) {
+    if (!secret) {
       console.log(chalk66.dim("Cancelled"));
       process.exit(0);
     }
@@ -13261,7 +13507,7 @@ async function handleModelProvider(ctx) {
       }
       selectedModel = modelSelection === "" ? void 0 : modelSelection;
     }
-    const result = await setupModelProvider(providerType, credential, {
+    const result = await setupModelProvider(providerType, secret, {
       selectedModel
     });
     const modelNote = result.provider.selectedModel ? ` with model: ${result.provider.selectedModel}` : "";
@@ -13415,7 +13661,7 @@ var setupClaudeCommand = new Command67().name("setup-claude").description("Insta
 
 // src/index.ts
 var program = new Command68();
-program.name("vm0").description("VM0 CLI - Build and run agents with natural language").version("9.20.2");
+program.name("vm0").description("VM0 CLI - Build and run agents with natural language").version("9.22.0");
 program.addCommand(authCommand);
 program.addCommand(infoCommand);
 program.addCommand(composeCommand);