npm - @workbench-ai/workbench - Versions diffs - 0.0.68 → 0.0.69 - Mend

@workbench-ai/workbench 0.0.68 → 0.0.69

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (47) hide show

package/dist/index.js CHANGED Viewed

@@ -4,61 +4,72 @@ import { createRequire } from "node:module";
 import os from "node:os";
 import path from "node:path";
 import { gzipSync } from "node:zlib";
-import { addWorkbenchCase, addWorkbenchRemote, addWorkbenchAgent, checkWorkbenchSkill, compareWorkbench, createWorkbenchAdapterAuthBundle, createWorkbenchInspectionSnapshot, diffWorkbenchVersions, evalWorkbenchSkill, filesForWorkbenchRef, improveWorkbenchSkill, initWorkbenchSkill, listWorkbenchCases, listWorkbenchRemotes, listWorkbenchAgents, listWorkbenchVersions, localWorkbenchAdapterAuthStore, parseWorkbenchAdapterAuthTarget, publishWorkbenchVersion, removeWorkbenchCase, removeWorkbenchAgent, setDefaultWorkbenchAgent, showWorkbenchCase, showWorkbenchRef, switchWorkbenchVersion, syncWorkbenchRemote, workbenchStatus, WorkbenchUserError, } from "@workbench-ai/workbench-core";
+import { addWorkbenchCase, addWorkbenchRemote, addWorkbenchAgent, checkWorkbenchSkill, compareWorkbench, createWorkbenchAdapterAuthBundle, createWorkbenchReadOnlyInspectionSnapshot, diffWorkbenchVersions, evalWorkbenchSkill, filesForWorkbenchRef, improveWorkbenchSkill, initWorkbenchSkill, listWorkbenchCases, listWorkbenchRemotes, listWorkbenchAgents, listWorkbenchVersions, localWorkbenchAdapterAuthStore, parseWorkbenchAdapterAuthTarget, publishWorkbenchVersion, removeWorkbenchCase, removeWorkbenchAgent, removeWorkbenchRemote, setDefaultWorkbenchAgent, showWorkbenchCase, showWorkbenchRef, switchWorkbenchVersion, syncWorkbenchRemote, workbenchJobEvidenceForSnapshot, workbenchStatusSnapshot, WorkbenchCodedError, WorkbenchUserError, } from "@workbench-ai/workbench-core";
+import { emitError, emitResult } from "./output.js";
+import { installSnapshotToTargets, installTargetsToJson, normalizeInstallSnapshotPath, resolveInstallTargets, supportedInstallTargets, } from "./install-targets.js";
 import { startWorkbenchOpenServer } from "./open-server.js";
 const require = createRequire(import.meta.url);
 const HELP = [
     "Usage:",
     "  workbench <command> [options]",
     "",
-    "Skill lifecycle:",
+    "Primary loop:",
     "  workbench init [DIR] [--json]",
-    "  workbench status [--dir DIR] [--json]",
     "  workbench check [--dir DIR] [--json]",
+    "  workbench eval [VERSION] [--skills all|LIST] [--agents all|LIST] [--samples N] [--rerun] [--json]",
+    "  workbench compare [--skills all|LIST] [--agents all|LIST] [--versions all|A..B|LIST] [--json]",
+    "  workbench improve [VERSION] [--skill SKILL] [--agent AGENT] [--budget N] [--samples N] [--json]",
+    "",
+    "Inspect:",
+    "  workbench status [--dir DIR] [--json]",
     "  workbench versions [--dir DIR] [--json]",
     "  workbench switch VERSION [--dir DIR] [--json]",
     "  workbench diff [A..B] [--dir DIR] [--json]",
-    "  workbench sync [REMOTE] [--dir DIR] [--json]",
-    "",
-    "Evaluate and improve:",
-    "  workbench eval [VERSION] [--skill SKILL|all] [--agent AGENT|all] [--samples N] [--rerun] [--json]",
-    "  workbench improve [VERSION] [--skill primary] [--agent AGENT] [--budget N] [--samples N] [--json]",
-    "  workbench compare [--skills all|LIST] [--agents all|LIST] [--versions all|A..B|LIST] [--json]",
-    "  workbench retry RUN_ID [--json]",
-    "",
-    "Evidence:",
     "  workbench show REF[:PATH] [--json]",
     "  workbench files REF [--json]",
-    "  workbench list runs|jobs|traces|artifacts|sessions|remotes [--json]",
+    "  workbench list runs|jobs|traces|artifacts|sessions [--json]",
     "  workbench trace RUN_ID|JOB_ID|TRACE_ID [--json]",
+    "  workbench open [--host HOST] [--port PORT] [--no-open] [--json]",
     "",
-    "Configuration and sync:",
+    "Configure:",
     "  workbench agent list|add|show|default|remove ...",
     "  workbench skills list",
     "  workbench case list|add|show|remove ...",
-    "  workbench remote add origin URL",
-    "  workbench remote list",
+    "",
+    "Share and auth:",
+    "  workbench remote add --name NAME --url URL [--replace] [--dry-run] [--dir DIR] [--json]",
+    "  workbench remote list [--dir DIR] [--json]",
+    "  workbench remote remove NAME [--dir DIR] [--json]",
+    "  workbench sync [REMOTE] [--dry-run] [--dir DIR] [--json]",
+    "  workbench publish [VERSION] [--remote REMOTE] [--visibility private|internal|public] [--dry-run] [--dir DIR] [--json]",
+    "  workbench install --source SOURCE [--agent codex|claude]... [--local] [--yes] [--list] [--dry-run] [--json]",
     "  workbench auth status [ADAPTER[/SLOT]] [--profile PROFILE] [--json]",
     "  workbench auth connect ADAPTER[/SLOT] [--method METHOD] [--profile PROFILE] [--profile-root DIR] [--local-only] [--json]",
     "  workbench auth disconnect ADAPTER[/SLOT] [--profile PROFILE] [--local-only] [--json]",
-    "  workbench login [--base-url URL] [--no-open] [--json]",
+    "  workbench login [--base-url URL] [--start-only|--wait] [--timeout N] [--no-open] [--json]",
     "  workbench logout [--json]",
-    "  workbench publish [VERSION] [--visibility private|public] [--json]",
-    "  workbench open [--host HOST] [--port PORT] [--no-open] [--json]",
+    "",
+    "Remote URLs:",
+    "  https://HOST/skills/OWNER/SKILL  Workbench Cloud skill remote",
+    "  file:///absolute/path            local file remote",
     "",
     "Examples:",
     "  workbench init ./earnings-prep",
-    "  workbench eval --agent default --samples 1",
-    "  workbench versions",
-    "  workbench switch v001",
-    "  workbench retry run_000002 --json",
-    "  workbench show trace_job_000002:stderr.log",
-    "  workbench auth connect codex --method api-key",
-    "  workbench publish --visibility public",
+    "  workbench check --dir ./earnings-prep",
+    "  workbench eval --agents default --samples 1",
+    "  workbench compare",
+    "  workbench status --json",
+    "  workbench remote add --name origin --url https://v2.workbench.ai/skills/acme/earnings-prep",
+    "  workbench publish --remote origin --visibility public --json",
+    "  workbench install --source https://v2.workbench.ai/skills/acme/earnings-prep --agent codex --yes",
     "",
     "Environment:",
     "  CODEX_HOME and CLAUDE_HOME override read-only session discovery roots.",
     "  WORKBENCH_API_URL selects a Workbench Cloud API base URL for login, auth, and HTTP remotes.",
+    "  WORKBENCH_API_TOKEN supplies a Workbench Cloud token without a login (WORKBENCH_SMOKE_BEARER_TOKEN is a fallback).",
+    "  WORKBENCH_CONFIG overrides the CLI config path (default ~/.workbench/config.json).",
+    "  WORKBENCH_DEVICE_AUTH overrides the pending device login record path.",
+    "  WORKBENCH_ADAPTER_AUTH_STORE overrides the local adapter auth store directory.",
 ].join("\n");
 const COMMAND_HELP = {
     auth: [
@@ -68,24 +79,62 @@ const COMMAND_HELP = {
         "  workbench auth disconnect ADAPTER[/SLOT] [--profile PROFILE] [--local-only] [--json]",
         "",
         "Stores adapter credentials locally and uploads them to Workbench Cloud when logged in unless --local-only is passed. Codex supports oauth and api-key. Claude supports oauth, api-key, and bedrock.",
+        "",
+        "Examples:",
+        "  workbench auth status --json",
+        "  workbench auth connect codex --method api-key",
+        "  workbench auth disconnect codex --json",
     ].join("\n"),
     eval: [
         "Usage:",
-        "  workbench eval [VERSION] [--skill SKILL|all] [--agent AGENT|all] [--samples N] [--rerun] [--json]",
+        "  workbench eval [VERSION] [--skills all|LIST] [--agents all|LIST] [--samples N] [--rerun] [--json]",
         "",
-        "Runs local eval jobs for the selected version, skill, and agent.",
+        "Runs eval jobs for the selected version, measured skills, and agents. Omitted selectors use manifest defaults.",
     ].join("\n"),
     improve: [
         "Usage:",
-        "  workbench improve [VERSION] [--agent AGENT] [--budget N] [--samples N] [--json]",
+        "  workbench improve [VERSION] [--skill SKILL] [--agent AGENT] [--budget N] [--samples N] [--json]",
         "",
-        "Creates an improved child version from evidence and switches to it when it beats the incumbent.",
+        "Creates one improved child version from evidence. Pass singular --skill and --agent when defaults expand to multiple entries.",
     ].join("\n"),
-    retry: [
+    install: [
         "Usage:",
-        "  workbench retry RUN_ID [--json]",
+        "  workbench install --source SOURCE [--agent codex|claude]... [--local] [--yes] [--list] [--dry-run] [--json]",
         "",
-        "Retries failed jobs from a prior run by replaying only their case/sample pairs locally.",
+        "Installs published Workbench Cloud source into explicit local agent targets.",
+        "",
+        "Example:",
+        "  workbench install --source https://v2.workbench.ai/skills/acme/earnings-prep --agent codex --yes",
+    ].join("\n"),
+    remote: [
+        "Usage:",
+        "  workbench remote add --name NAME --url URL [--replace] [--dry-run] [--dir DIR] [--json]",
+        "  workbench remote list [--dir DIR] [--json]",
+        "  workbench remote remove NAME [--dir DIR] [--json]",
+        "",
+        "Remotes exchange Workbench object packs. Only Workbench Cloud remotes can publish installable source.",
+        "",
+        "Examples:",
+        "  workbench remote add --name origin --url https://v2.workbench.ai/skills/acme/earnings-prep",
+        "  workbench remote add --name scratch --url file:///tmp/earnings-prep-remote --replace",
+    ].join("\n"),
+    status: [
+        "Usage:",
+        "  workbench status [--dir DIR] [--json]",
+        "",
+        "Reports project, worktree, run, per-remote sync/publication, and auth state. --json emits the workbench.status.v1 dashboard.",
+        "",
+        "Example:",
+        "  workbench status --json",
+    ].join("\n"),
+    logout: [
+        "Usage:",
+        "  workbench logout [--json]",
+        "",
+        "Revokes and removes the local Workbench Cloud token. Reports whether the token was revoked and whether local adapter auth records remain.",
+        "",
+        "Example:",
+        "  workbench logout --json",
     ].join("\n"),
     show: [
         "Usage:",
@@ -96,9 +145,9 @@ const COMMAND_HELP = {
     ].join("\n"),
     list: [
         "Usage:",
-        "  workbench list runs|jobs|traces|artifacts|sessions|remotes [--json]",
+        "  workbench list runs|jobs|traces|artifacts|sessions [--json]",
         "",
-        "Lists Workbench evidence, remotes, or read-only native Codex/Claude session files.",
+        "Lists Workbench evidence or read-only native Codex/Claude session files.",
     ].join("\n"),
     versions: [
         "Usage:",
@@ -114,30 +163,49 @@ const COMMAND_HELP = {
     ].join("\n"),
     sync: [
         "Usage:",
-        "  workbench sync [REMOTE] [--json]",
+        "  workbench sync [REMOTE] [--dry-run] [--dir DIR] [--json]",
+        "",
+        "Synchronizes local evidence and version objects with a Workbench remote. --dry-run reports what would be exchanged.",
         "",
-        "Synchronizes local evidence and version objects with a Workbench remote.",
+        "Examples:",
+        "  workbench sync origin --json",
+        "  workbench sync origin --dry-run --json",
     ].join("\n"),
     publish: [
         "Usage:",
-        "  workbench publish [VERSION] [--visibility private|public] [--json]",
+        "  workbench publish [VERSION] [--remote REMOTE] [--visibility private|internal|public] [--dry-run] [--dir DIR] [--json]",
         "",
-        "Publishes installable skill source from the selected version to a Workbench source remote.",
+        "Publishes installable skill source from the selected version to a Workbench Cloud remote.",
+        "",
+        "Examples:",
+        "  workbench publish --remote origin --visibility private --json",
+        "  workbench publish <version-id> --remote origin --dry-run --json",
     ].join("\n"),
     login: [
         "Usage:",
-        "  workbench login [--base-url URL] [--no-open] [--json]",
+        "  workbench login [--base-url URL] [--start-only|--wait] [--timeout N] [--no-open] [--json]",
         "  workbench logout [--json]",
         "",
         "Connects the CLI to Workbench Cloud with the device login flow.",
+        "",
+        "Examples:",
+        "  workbench login --start-only --json",
+        "  workbench login --wait --timeout 120 --json",
     ].join("\n"),
 };
 const BOOLEAN_FLAGS = new Set([
     "help",
+    "dry-run",
     "json",
+    "local",
     "local-only",
+    "list",
     "no-open",
+    "start-only",
+    "replace",
     "rerun",
+    "wait",
+    "yes",
 ]);
 const FLAG_DEFINITIONS = {
     adapter: "string",
@@ -145,18 +213,26 @@ const FLAG_DEFINITIONS = {
     budget: "positive-integer",
     dir: "string",
     from: "string",
+    "dry-run": "boolean",
     help: "boolean",
     host: "string",
     json: "boolean",
+    local: "boolean",
     "local-only": "boolean",
+    list: "boolean",
     method: "string",
     model: "string",
+    name: "string",
     "no-open": "boolean",
     port: "positive-integer",
     profile: "string",
     "profile-root": "string",
+    remote: "string",
+    replace: "boolean",
     rerun: "boolean",
     samples: "positive-integer",
+    source: "string",
+    "start-only": "boolean",
     agent: "string",
     agents: "string",
     skill: "string",
@@ -164,26 +240,30 @@ const FLAG_DEFINITIONS = {
     version: "boolean",
     versions: "string",
     visibility: "string",
+    timeout: "positive-integer",
+    url: "string",
+    wait: "boolean",
     with: "repeat-string",
+    yes: "boolean",
 };
 const COMMAND_FLAGS = {
     check: ["dir", "json"],
     compare: ["agents", "dir", "json", "skills", "versions"],
     diff: ["dir", "json"],
-    eval: ["agent", "dir", "json", "rerun", "samples", "skill"],
+    eval: ["agents", "dir", "json", "rerun", "samples", "skills"],
     files: ["dir", "json"],
     improve: ["agent", "budget", "dir", "json", "samples", "skill"],
     init: ["dir", "json"],
+    install: ["agent", "dry-run", "json", "list", "local", "source", "yes"],
     list: ["dir", "json"],
-    login: ["base-url", "json", "no-open"],
+    login: ["base-url", "json", "no-open", "start-only", "timeout", "wait"],
     logout: ["json"],
     open: ["dir", "host", "json", "no-open", "port"],
-    publish: ["dir", "json", "visibility"],
-    retry: ["dir", "json"],
+    publish: ["dir", "dry-run", "json", "remote", "visibility"],
     show: ["dir", "json"],
     status: ["dir", "json"],
     switch: ["dir", "json"],
-    sync: ["dir", "json"],
+    sync: ["dir", "dry-run", "json"],
     trace: ["dir", "json"],
     versions: ["dir", "json"],
 };
@@ -206,8 +286,9 @@ const SUBCOMMAND_FLAGS = {
     },
     remote: {
         flags: {
-            add: ["dir", "json"],
+            add: ["dir", "dry-run", "json", "name", "replace", "url"],
             list: ["dir", "json"],
+            remove: ["dir", "json"],
         },
     },
     skills: {
@@ -246,20 +327,31 @@ export async function runCli(argv, io = {
             return 0;
         }
         validateCommandFlags(parsed, command);
-        const core = await coreOptions(parsed);
         if (command === "login") {
             return await handleLogin(parsed, io);
         }
         if (command === "logout") {
             return await handleLogout(parsed, io);
         }
+        if (command === "install") {
+            return await handleInstall(parsed, io);
+        }
+        const core = await coreOptions(parsed);
         if (command === "init") {
             const status = await initWorkbenchSkill({ dir: parsed.positionals[1] ?? dirFlag(parsed) });
             return output(status, parsed, io, () => `Initialized Workbench skill at ${status.root}.`);
         }
         if (command === "status") {
-            const status = await workbenchStatus(core);
-            return output(status, parsed, io, () => formatStatus(status));
+            const status = await workbenchStatusSnapshot(core);
+            const auth = await workbenchCliAuthStatus();
+            return emitResult("workbench.status.v1", {
+                project: status.project,
+                worktree: status.worktree,
+                runs: status.runs,
+                remotes: status.remotes,
+                auth: auth,
+                next: status.next,
+            }, parsed, io, () => formatStatusSnapshot({ ...status, auth }));
         }
         if (command === "check") {
             const result = await checkWorkbenchSkill(core);
@@ -269,13 +361,17 @@ export async function runCli(argv, io = {
             const runs = await evalWorkbenchSkill({
                 ...core,
                 version: optionalPositional(parsed, 1),
-                skill: stringFlag(parsed, "skill"),
-                agent: stringFlag(parsed, "agent"),
+                skill: stringFlag(parsed, "skills"),
+                agent: stringFlag(parsed, "agents"),
                 samples: intFlag(parsed, "samples"),
                 rerun: parsed.flags.rerun === true,
             });
-            const code = output(runs, parsed, io, () => runs.map(formatRun).join("\n"));
-            return runs.some((run) => run.status === "failed" || run.status === "canceled") ? 1 : code;
+            const artifactIds = await artifactIdsByRunId(core, runs);
+            const failedRuns = runs.filter((run) => run.status === "failed" || run.status === "canceled");
+            if (failedRuns.length > 0) {
+                return emitEvalFailure(runs, failedRuns, artifactIds, parsed, io);
+            }
+            return output(runs.map((run) => runSummary(run, artifactIds.get(run.id) ?? [])), parsed, io, () => runs.map(formatRun).join("\n"));
         }
         if (command === "improve") {
             const result = await improveWorkbenchSkill({
@@ -286,7 +382,10 @@ export async function runCli(argv, io = {
                 budget: intFlag(parsed, "budget"),
                 samples: intFlag(parsed, "samples"),
             });
-            return output(result, parsed, io, () => formatImproveResult(result));
+            return output({
+                ...result,
+                version: versionSummary(result.version),
+            }, parsed, io, () => formatImproveResult(result));
         }
         if (command === "compare") {
             const comparison = await compareWorkbench({
@@ -297,35 +396,14 @@ export async function runCli(argv, io = {
             });
             return output(comparison, parsed, io, () => formatComparison(comparison));
         }
-        if (command === "retry") {
-            const runId = requiredPositional(parsed, 1, "workbench retry requires RUN_ID.");
-            const snapshot = await createWorkbenchInspectionSnapshot(core);
-            const run = snapshot.runs.find((entry) => entry.id === runId);
-            if (!run) {
-                throw new WorkbenchUserError(`Run not found: ${runId}`);
-            }
-            const retrySelection = retrySamplesForFailedJobs(snapshot.jobs, run);
-            const retry = await evalWorkbenchSkill({
-                ...core,
-                version: run.versionId,
-                skill: run.skillName,
-                agent: run.agentName,
-                kind: "retry",
-                parentRunId: run.id,
-                samples: retrySelection.samples,
-                selectedSamples: retrySelection.selectedSamples,
-            });
-            const code = output(retry, parsed, io, () => retry.map(formatRun).join("\n"));
-            return retry.some((entry) => entry.status === "failed" || entry.status === "canceled") ? 1 : code;
-        }
         if (command === "versions") {
             const versions = await listWorkbenchVersions(core);
-            return output(versions, parsed, io, () => versions.map(formatVersion).join("\n") || "No versions.");
+            return output(versions.map(versionSummary), parsed, io, () => versions.map(formatVersion).join("\n") || "No versions.");
         }
         if (command === "switch") {
             const versionRef = requiredPositional(parsed, 1, "workbench switch requires VERSION.");
             const version = await switchWorkbenchVersion(versionRef, core);
-            return output(version, parsed, io, () => `Switched to ${version.id}.`);
+            return output(versionSummary(version), parsed, io, () => `Switched to ${version.id}.`);
         }
         if (command === "diff") {
             const range = requiredPositional(parsed, 1, "workbench diff requires A..B.");
@@ -344,14 +422,20 @@ export async function runCli(argv, io = {
         if (command === "files") {
             const ref = requiredPositional(parsed, 1, "workbench files requires REF.");
             const files = await filesForWorkbenchRef(ref, core);
-            return output(files, parsed, io, () => files.map((file) => file.path).join("\n") || "No files.");
+            return output(files.map(fileSummary), parsed, io, () => files.map((file) => file.path).join("\n") || "No files.");
         }
         if (command === "list") {
             return await handleList(parsed, io);
         }
         if (command === "trace") {
-            const ref = requiredPositional(parsed, 1, "workbench trace requires RUN_ID or TRACE_ID.");
-            const snapshot = await createWorkbenchInspectionSnapshot(core);
+            const ref = optionalPositional(parsed, 1);
+            if (!ref) {
+                throw new WorkbenchCodedError("usage", "workbench trace requires RUN_ID, JOB_ID, or TRACE_ID.", {
+                    remediation: "Run workbench list runs --json or workbench list traces --json.",
+                    exitCode: 2,
+                });
+            }
+            const snapshot = await createWorkbenchReadOnlyInspectionSnapshot(core);
             const run = snapshot.runs.find((entry) => entry.id === ref);
             const job = snapshot.jobs.find((entry) => entry.id === ref);
             const traces = run
@@ -360,7 +444,27 @@ export async function runCli(argv, io = {
                     ? snapshot.traces.filter((trace) => job.traceIds.includes(trace.id))
                     : snapshot.traces.filter((trace) => trace.id === ref);
             if (traces.length === 0) {
-                throw new WorkbenchUserError(`Trace not found: ${ref}`);
+                const jobs = run
+                    ? snapshot.jobs.filter((entry) => entry.runId === run.id)
+                    : job ? [job] : [];
+                const details = jobs.flatMap((entry) => {
+                    const detail = workbenchJobEvidenceForSnapshot(snapshot, {
+                        runId: entry.runId,
+                        jobId: entry.id,
+                    });
+                    return detail ? [detail] : [];
+                }).filter((detail) => detail.executions.some((execution) => execution.sessions.length > 0 ||
+                    execution.trace.spans.length > 0 ||
+                    execution.trace.events.length > 0 ||
+                    execution.trace.summaries.length > 0));
+                if (details.length > 0) {
+                    return output(details, parsed, io, () => details.map(formatTraceDetail).join("\n"));
+                }
+                throw new WorkbenchCodedError("ref_not_found", `Trace not found: ${ref}`, {
+                    remediation: "Run workbench list runs --json, workbench list jobs --json, or workbench list traces --json.",
+                    subject: { ref },
+                    exitCode: 1,
+                });
             }
             return output(traces, parsed, io, () => traces.map(formatTrace).join("\n"));
         }
@@ -380,56 +484,74 @@ export async function runCli(argv, io = {
             const result = await syncWorkbenchRemote({
                 ...core,
                 remote: optionalPositional(parsed, 1),
+                dryRun: parsed.flags["dry-run"] === true,
             });
-            return output(result, parsed, io, () => `Synced ${result.remote.name}: pushed ${result.pushed}, pulled ${result.pulled}.`);
+            return emitResult("workbench.cli.sync.v1", {
+                remote: result.remote,
+                pushed: result.pushed,
+                pulled: result.pulled,
+                upToDate: result.upToDate,
+                publication: result.publication,
+                ...(result.dryRun ? { dryRun: true } : {}),
+            }, parsed, io, () => `${result.dryRun ? "Would sync" : "Synced"} ${result.remote.name}: pushed ${result.pushed}, pulled ${result.pulled}${result.upToDate ? " (up to date)" : ""}.`);
         }
         if (command === "publish") {
             const result = await publishWorkbenchVersion({
                 ...core,
                 version: optionalPositional(parsed, 1),
+                remote: stringFlag(parsed, "remote"),
+                dryRun: parsed.flags["dry-run"] === true,
                 visibility: parsePublishVisibility(stringFlag(parsed, "visibility")),
             });
-            return output(result, parsed, io, () => `Published ${result.version.id} to ${result.installUrl}.`);
+            return emitResult("workbench.cli.publish.v1", {
+                remote: result.remote,
+                version: versionSummary(result.version),
+                visibility: result.visibility,
+                installUrl: result.installUrl,
+                pinnedInstallUrl: result.pinnedInstallUrl,
+                ...(result.dryRun ? { dryRun: true } : {}),
+            }, parsed, io, () => [
+                `${result.dryRun ? "Would publish" : "Published"} ${result.version.id} to remote ${result.remote.name}.`,
+                `Visibility: ${result.visibility}`,
+                `Install: ${result.installUrl}`,
+                `Pinned: ${result.pinnedInstallUrl}`,
+            ].join("\n"));
         }
         if (command === "auth") {
             return await handleAuth(parsed, io);
         }
         if (command === "open") {
-            const snapshot = await createWorkbenchInspectionSnapshot(core);
-            if (parsed.flags.json !== true) {
-                const server = await startWorkbenchOpenServer({
-                    dir: dirFlag(parsed),
-                    authToken: core.authToken,
-                    host: stringFlag(parsed, "host"),
-                    port: intFlag(parsed, "port"),
-                });
-                io.stdout.write(`Workbench: ${server.url}\n`);
-                if (parsed.flags["no-open"] !== true) {
-                    await openBrowser(server.url).catch(() => undefined);
-                }
-                await new Promise(() => { });
+            if (parsed.flags.json === true) {
+                const snapshot = await createWorkbenchReadOnlyInspectionSnapshot(core);
+                return output(snapshot, parsed, io, () => "Read-only Workbench inspection data is available with --json.");
+            }
+            // The browser server serves committed object state through a read-only
+            // snapshot path, so long-running commands do not block page loads.
+            const server = await startWorkbenchOpenServer({
+                dir: dirFlag(parsed),
+                authToken: core.authToken,
+                host: stringFlag(parsed, "host"),
+                port: intFlag(parsed, "port"),
+            });
+            io.stdout.write(`Workbench: ${server.url}\n`);
+            if (parsed.flags["no-open"] !== true) {
+                await openBrowser(server.url).catch(() => undefined);
             }
-            return output(snapshot, parsed, io, () => "Read-only Workbench inspection data is available with --json.");
+            return await new Promise(() => { });
         }
         throw new WorkbenchUserError(`Unknown command: ${command}\n\n${HELP}`);
     }
     catch (error) {
-        const message = error instanceof Error ? error.message : String(error);
-        if (parsed.flags.json === true) {
-            io.stdout.write(`${JSON.stringify({ ok: false, error: message }, null, 2)}\n`);
-            return error instanceof WorkbenchUserError ? 2 : 1;
-        }
-        io.stderr.write(`${message}\n`);
-        return error instanceof WorkbenchUserError ? 2 : 1;
+        return emitError(error, parsed, io);
     }
 }
 async function handleList(parsed, io) {
-    const kind = requiredPositional(parsed, 1, "workbench list requires runs|jobs|traces|artifacts|sessions|remotes.");
+    const kind = requiredPositional(parsed, 1, "workbench list requires runs|jobs|traces|artifacts|sessions.");
     if (kind === "sessions") {
         const sessions = await listLocalAgentSessions();
         return output(sessions, parsed, io, () => sessions.map(formatSession).join("\n") || "No local sessions.");
     }
-    const snapshot = await createWorkbenchInspectionSnapshot(await coreOptions(parsed));
+    const snapshot = await createWorkbenchReadOnlyInspectionSnapshot(await coreOptions(parsed));
     if (kind === "runs") {
         return output(snapshot.runs, parsed, io, () => snapshot.runs.map(formatRun).join("\n") || "No runs.");
     }
@@ -437,13 +559,10 @@ async function handleList(parsed, io) {
         return output(snapshot.jobs, parsed, io, () => snapshot.jobs.map(formatJob).join("\n") || "No jobs.");
     }
     if (kind === "traces") {
-        return output(snapshot.traces, parsed, io, () => snapshot.traces.map(formatTrace).join("\n") || "No traces.");
+        return output(snapshot.traces.map(traceSummary), parsed, io, () => snapshot.traces.map(formatTrace).join("\n") || "No traces.");
     }
     if (kind === "artifacts") {
-        return output(snapshot.artifacts, parsed, io, () => snapshot.artifacts.map(formatArtifact).join("\n") || "No artifacts.");
-    }
-    if (kind === "remotes") {
-        return output(snapshot.remotes, parsed, io, () => snapshot.remotes.map((remote) => `${remote.name}\t${remote.url}`).join("\n") || "No remotes.");
+        return output(snapshot.artifacts.map(artifactSummary), parsed, io, () => snapshot.artifacts.map(formatArtifact).join("\n") || "No artifacts.");
     }
     throw new WorkbenchUserError(`Unsupported list target: ${kind}`);
 }
@@ -472,13 +591,17 @@ async function handleAgent(parsed, io) {
         const name = requiredPositional(parsed, 2, "workbench agent show requires NAME.");
         const agent = (await listWorkbenchAgents(await coreOptions(parsed))).find((entry) => entry.name === name);
         if (!agent) {
-            throw new WorkbenchUserError(`Agent not found: ${name}`);
+            throw new WorkbenchCodedError("ref_not_found", `Agent not found: ${name}`, {
+                remediation: "Run workbench agent list.",
+                subject: { agent: name },
+                exitCode: 1,
+            });
         }
         return output(agent, parsed, io, () => formatAgent(agent));
     }
     if (subcommand === "default") {
-        const agent = await setDefaultWorkbenchAgent(requiredPositional(parsed, 2, "workbench agent default requires NAME."), await coreOptions(parsed));
-        return output(agent, parsed, io, () => `Default agent: ${agent.name}`);
+        const result = await setDefaultWorkbenchAgent(requiredPositional(parsed, 2, "workbench agent default requires NAME."), await coreOptions(parsed));
+        return output(result, parsed, io, () => `Default agent: ${result.defaultAgent}`);
     }
     if (subcommand === "remove") {
         const result = await removeWorkbenchAgent(requiredPositional(parsed, 2, "workbench agent remove requires NAME."), await coreOptions(parsed));
@@ -491,9 +614,13 @@ async function handleSkills(parsed, io) {
     if (subcommand !== "list") {
         throw new WorkbenchUserError(`Unsupported skills command: ${subcommand}`);
     }
-    const snapshot = await createWorkbenchInspectionSnapshot(await coreOptions(parsed));
+    const snapshot = await createWorkbenchReadOnlyInspectionSnapshot(await coreOptions(parsed));
     return output(snapshot.skillSources, parsed, io, () => snapshot.skillSources.map((source) => {
-        const where = source.kind === "remote" ? `${source.from}${source.ref ? `#${source.ref}` : ""}` : source.path;
+        const where = source.kind === "remote"
+            ? `${source.from}${source.ref ? `#${source.ref}` : ""}`
+            : source.kind === "none"
+                ? "baseline:none"
+                : source.path;
         return `${source.name}\t${source.kind}\t${where}\tincludes=${source.includes?.length ?? 0}`;
     }).join("\n") || "No skills.");
 }
@@ -518,14 +645,46 @@ async function handleCase(parsed, io) {
     throw new WorkbenchUserError(`Unsupported case command: ${subcommand}`);
 }
 async function handleRemote(parsed, io) {
-    const subcommand = requiredPositional(parsed, 1, "workbench remote requires add|list.");
+    const subcommand = requiredPositional(parsed, 1, "workbench remote requires add|list|remove.");
     if (subcommand === "add") {
-        const remote = await addWorkbenchRemote(requiredPositional(parsed, 2, "workbench remote add requires NAME."), requiredPositional(parsed, 3, "workbench remote add requires URL."), await coreOptions(parsed));
-        return output(remote, parsed, io, () => `Added remote ${remote.name}\t${remote.url}`);
+        const name = requiredFlag(parsed, {
+            flag: "name",
+            usage: "workbench remote add requires --name NAME.",
+            remediation: "Run workbench remote add --name origin --url https://HOST/skills/OWNER/SKILL.",
+        });
+        const url = requiredFlag(parsed, {
+            flag: "url",
+            usage: "workbench remote add requires --url URL.",
+            remediation: `Run workbench remote add --name ${name} --url https://HOST/skills/OWNER/SKILL.`,
+        });
+        rejectExtraInput(parsed, {
+            maxPositionals: 2,
+            message: "workbench remote add accepts --name NAME and --url URL, not positional NAME or URL.",
+            remediation: "Run workbench remote add --name origin --url https://HOST/skills/OWNER/SKILL.",
+        });
+        const result = await addWorkbenchRemote(name, url, {
+            ...(await coreOptions(parsed)),
+            replace: parsed.flags.replace === true,
+            dryRun: parsed.flags["dry-run"] === true,
+        });
+        return emitResult("workbench.cli.remote-add.v1", {
+            remote: result.remote,
+            operation: result.operation,
+            ...(result.dryRun ? { dryRun: true } : {}),
+        }, parsed, io, () => `${result.dryRun ? "Would update" : "Remote"} ${result.remote.name}: ${result.operation}\t${result.remote.kind}\t${result.remote.url}`);
     }
     if (subcommand === "list") {
         const remotes = await listWorkbenchRemotes(await coreOptions(parsed));
-        return output(remotes, parsed, io, () => remotes.map((remote) => `${remote.name}\t${remote.url}`).join("\n") || "No remotes.");
+        return emitResult("workbench.cli.remote-list.v1", {
+            remotes: remotes,
+        }, parsed, io, () => remotes.map((remote) => `${remote.name}\t${remote.kind}\t${remote.url}`).join("\n") || "No remotes.");
+    }
+    if (subcommand === "remove") {
+        const result = await removeWorkbenchRemote(requiredPositional(parsed, 2, "workbench remote remove requires NAME."), await coreOptions(parsed));
+        return emitResult("workbench.cli.remote-remove.v1", {
+            remote: result.remote,
+            removed: result.removed,
+        }, parsed, io, () => result.removed ? `Removed remote ${result.remote}.` : `Remote ${result.remote} was not configured.`);
     }
     throw new WorkbenchUserError(`Unsupported remote command: ${subcommand}`);
 }
@@ -535,13 +694,25 @@ async function handleAuth(parsed, io) {
         const targetRaw = optionalPositional(parsed, 2);
         const profile = authProfileFlag(parsed);
         const store = localWorkbenchAdapterAuthStore(adapterAuthStoreRoot());
+        const cliAuth = await workbenchCliAuthStatus();
         if (targetRaw) {
             const status = await store.status(parseAuthTarget(targetRaw, profile));
-            return output({ ok: true, command: "status", status }, parsed, io, () => formatAuthStatusRecord(status));
+            return emitResult("workbench.cli.auth-status.v1", {
+                workbenchCloud: cliAuth.workbenchCloud,
+                adapters: [authStatusRecordToJson(status)],
+            }, parsed, io, () => [
+                formatWorkbenchCloudAuthStatus(cliAuth.workbenchCloud),
+                "Adapter auth:",
+                formatAuthStatusRecord(status),
+            ].join("\n"));
         }
         const statuses = await store.listStatus();
         const required = await requiredAgentAuthStatuses(parsed, statuses);
-        return output({ ok: true, command: "status", adapterStatuses: statuses, required }, parsed, io, () => formatAuthStatusList(statuses, required));
+        return emitResult("workbench.cli.auth-status.v1", {
+            workbenchCloud: cliAuth.workbenchCloud,
+            adapters: cliAuth.adapters,
+            required: required,
+        }, parsed, io, () => formatAuthStatusList(cliAuth.workbenchCloud, statuses, required));
     }
     if (subcommand === "connect") {
         const targetRaw = requiredPositional(parsed, 2, "workbench auth connect requires ADAPTER[/SLOT].");
@@ -554,33 +725,33 @@ async function handleAuth(parsed, io) {
         });
         const saved = await localWorkbenchAdapterAuthStore(adapterAuthStoreRoot()).put(bundle);
         const remote = await uploadAdapterConnection(saved, parsed);
-        return output({
-            ok: true,
-            command: "connect",
-            adapter: saved.adapterId,
-            ...(saved.slot ? { slot: saved.slot } : {}),
-            profile: saved.profile,
-            method: saved.method,
-            status: saved.status,
-            version: saved.version,
-            updatedAt: saved.updatedAt,
-            remote,
-        }, parsed, io, () => `Connected ${formatAuthTarget(saved)} ${saved.method} auth v${saved.version}; remote: ${remote.status}${remote.reason ? ` (${remote.reason})` : ""}.`);
+        return emitResult("workbench.cli.auth-connect.v1", {
+            localAdapter: {
+                adapter: saved.adapterId,
+                ...(saved.slot ? { slot: saved.slot } : {}),
+                profile: saved.profile,
+                method: saved.method,
+                status: saved.status,
+                version: saved.version,
+                updatedAt: saved.updatedAt,
+            },
+            workbenchCloud: remote,
+        }, parsed, io, () => `Connected ${formatAuthTarget(saved)} ${saved.method} auth v${saved.version}; Workbench Cloud: ${remote.sync}${remote.reason ? ` (${remote.reason})` : ""}.`);
     }
     if (subcommand === "disconnect") {
         const targetRaw = requiredPositional(parsed, 2, "workbench auth disconnect requires ADAPTER[/SLOT].");
         const target = parseAuthTarget(targetRaw, authProfileFlag(parsed));
         await localWorkbenchAdapterAuthStore(adapterAuthStoreRoot()).disconnect(target);
         const remote = await deleteAdapterConnectionRemote(target, parsed);
-        return output({
-            ok: true,
-            command: "disconnect",
-            adapter: target.adapterId,
-            ...(target.slot ? { slot: target.slot } : {}),
-            profile: target.profile,
-            status: "disconnected",
-            remote,
-        }, parsed, io, () => `Disconnected ${formatAuthTarget(target)}; remote: ${remote.status}${remote.reason ? ` (${remote.reason})` : ""}.`);
+        return emitResult("workbench.cli.auth-disconnect.v1", {
+            localAdapter: {
+                adapter: target.adapterId,
+                ...(target.slot ? { slot: target.slot } : {}),
+                profile: target.profile,
+                status: "disconnected",
+            },
+            workbenchCloud: remote,
+        }, parsed, io, () => `Disconnected ${formatAuthTarget(target)}; Workbench Cloud: ${remote.sync}${remote.reason ? ` (${remote.reason})` : ""}.`);
     }
     throw new WorkbenchUserError(`Unsupported auth command: ${subcommand}`);
 }
@@ -604,7 +775,7 @@ function validateCommandFlags(parsed, command) {
         if (!allowedSet.has(name) && name !== "help" && name !== "version") {
             throw new WorkbenchUserError(`Unsupported flag --${name} for workbench ${command}.`);
         }
-        validateFlagValue(name, value);
+        validateFlagValue(name, value, command === "install" && (name === "agent" || name === "skill"));
     }
 }
 function allowedFlagsForCommand(parsed, command) {
@@ -615,11 +786,23 @@ function allowedFlagsForCommand(parsed, command) {
     const subcommand = parsed.positionals[1] ?? subcommands.defaultSubcommand;
     return subcommand ? subcommands.flags[subcommand] ?? ["json"] : ["json"];
 }
-function validateFlagValue(name, value) {
+function validateFlagValue(name, value, repeatString = false) {
     const kind = FLAG_DEFINITIONS[name];
     if (!kind) {
         return;
     }
+    if (repeatString) {
+        if (Array.isArray(value)) {
+            if (value.some((entry) => !entry.trim())) {
+                throw new WorkbenchUserError(`--${name} requires a non-empty value.`);
+            }
+            return;
+        }
+        if (typeof value === "string" && value.trim()) {
+            return;
+        }
+        throw new WorkbenchUserError(`--${name} requires a non-empty value.`);
+    }
     if (kind === "boolean") {
         if (value !== true) {
             throw new WorkbenchUserError(`--${name} does not accept a value.`);
@@ -649,30 +832,83 @@ async function handleLogin(parsed, io) {
     if (parsed.positionals.length > 1) {
         throw new WorkbenchUserError("workbench login accepts no positional arguments.");
     }
+    if (parsed.flags["start-only"] === true && parsed.flags.wait === true) {
+        throw new WorkbenchCodedError("usage", "workbench login accepts only one of --start-only or --wait.", {
+            remediation: "Run workbench login --start-only or workbench login --wait --timeout 120.",
+            exitCode: 2,
+        });
+    }
+    const startOnly = parsed.flags["start-only"] === true;
+    const waitOnly = parsed.flags.wait === true;
+    const timeoutSeconds = intFlag(parsed, "timeout");
+    if (startOnly && timeoutSeconds !== undefined) {
+        throw new WorkbenchCodedError("usage", "workbench login --timeout only applies with --wait.", {
+            remediation: "Run workbench login --start-only, then workbench login --wait --timeout 120.",
+            exitCode: 2,
+        });
+    }
+    if (waitOnly && timeoutSeconds === undefined) {
+        throw new WorkbenchCodedError("usage", "workbench login --wait requires --timeout N.", {
+            remediation: "Run workbench login --wait --timeout 120.",
+            exitCode: 2,
+        });
+    }
     const config = await loadConfig();
     const baseUrl = selectWorkbenchBaseUrl({
         explicitBaseUrl: stringFlag(parsed, "base-url"),
         configBaseUrl: config.baseUrl,
     });
-    const authorization = await requestDeviceAuthorization(baseUrl);
-    if (parsed.flags.json === true) {
-        io.stdout.write(`${JSON.stringify({ ok: true, status: "authorization_pending", ...authorization }, null, 2)}\n`);
-    }
-    else {
-        io.stdout.write(`Open ${authorization.verification_uri_complete}\nCode: ${authorization.user_code}\n`);
-    }
-    if (parsed.flags["no-open"] !== true) {
-        await openBrowser(authorization.verification_uri_complete).catch(() => undefined);
-    }
-    const token = await pollDeviceToken(baseUrl, authorization);
-    await writeConfig({ schema: CONFIG_SCHEMA, baseUrl, accessToken: token.access_token });
-    if (parsed.flags.json === true) {
-        io.stdout.write(`${JSON.stringify({ ok: true, baseUrl, expiresIn: token.expires_in ?? null }, null, 2)}\n`);
+    const pending = waitOnly ? await readPendingDeviceAuthorization(baseUrl) : null;
+    const record = pending ?? await startDeviceAuthorization(baseUrl);
+    const freshAuthorization = pending === null;
+    if (startOnly) {
+        await writePendingDeviceAuthorization(record);
+        if (parsed.flags["no-open"] !== true) {
+            await openBrowser(record.verification_uri_complete).catch(() => undefined);
+        }
+        return emitResult("workbench.cli.login.v1", {
+            status: "authorization_pending",
+            baseUrl,
+            verificationUri: record.verification_uri,
+            verificationUriComplete: record.verification_uri_complete,
+            userCode: record.user_code,
+            expiresAt: record.expiresAt,
+            resume: "workbench login --wait --timeout 120",
+        }, parsed, io, () => `Open ${record.verification_uri_complete}\nCode: ${record.user_code}\nResume: workbench login --wait --timeout 120`);
+    }
+    await writePendingDeviceAuthorization(record);
+    if (freshAuthorization && !parsed.flags.json) {
+        io.stdout.write(`Open ${record.verification_uri_complete}\nCode: ${record.user_code}\n`);
+    }
+    if (!waitOnly && parsed.flags["no-open"] !== true) {
+        await openBrowser(record.verification_uri_complete).catch(() => undefined);
+    }
+    let token;
+    try {
+        token = await pollDeviceToken(baseUrl, record, timeoutSeconds);
     }
-    else {
-        io.stdout.write(`Workbench API: ${baseUrl}\n`);
+    catch (error) {
+        const denied = error instanceof WorkbenchCodedError && error.code === "login_denied";
+        const expired = Date.parse(record.expiresAt) <= Date.now();
+        if (denied || expired) {
+            await clearPendingDeviceAuthorization();
+        }
+        throw error;
     }
-    return 0;
+    const username = await fetchWorkbenchUsername(baseUrl, token.access_token).catch(() => undefined);
+    await writeConfig({
+        schema: CONFIG_SCHEMA,
+        baseUrl,
+        accessToken: token.access_token,
+        ...(username ? { username } : {}),
+    });
+    await clearPendingDeviceAuthorization();
+    return emitResult("workbench.cli.login.v1", {
+        status: "authenticated",
+        baseUrl,
+        ...(username ? { username } : {}),
+        ...(token.expires_in !== undefined ? { expiresIn: token.expires_in } : {}),
+    }, parsed, io, () => `Workbench Cloud: authenticated${username ? ` as ${username}` : ""}\nWorkbench API: ${baseUrl}`);
 }
 async function handleLogout(parsed, io) {
     if (parsed.positionals.length > 1) {
@@ -680,18 +916,257 @@ async function handleLogout(parsed, io) {
     }
     const config = await loadConfig();
     const baseUrl = optionalWorkbenchBaseUrl({ configBaseUrl: config.baseUrl });
-    if (config.accessToken && !baseUrl) {
+    const tokenPresent = Boolean(config.accessToken);
+    if (tokenPresent && !baseUrl) {
         throw new WorkbenchUserError("Missing Workbench API URL. Set WORKBENCH_API_URL or run `workbench login --base-url URL`.");
     }
+    let revoke = "skipped";
     if (config.accessToken && baseUrl) {
-        await fetch(`${baseUrl}/api/oauth/revoke`, {
-            method: "POST",
-            headers: { "content-type": "application/json" },
-            body: JSON.stringify({ token: config.accessToken }),
-        }).catch(() => undefined);
+        try {
+            const response = await fetch(`${baseUrl}/api/oauth/revoke`, {
+                method: "POST",
+                headers: { "content-type": "application/json" },
+                body: JSON.stringify({ token: config.accessToken }),
+            });
+            revoke = response.ok ? "revoked" : "failed";
+        }
+        catch {
+            revoke = "failed";
+        }
+    }
+    const configRemoved = tokenPresent;
+    if (tokenPresent) {
+        await writeConfig({ schema: CONFIG_SCHEMA, ...(baseUrl ? { baseUrl } : {}) });
+    }
+    const adapterStatuses = await localWorkbenchAdapterAuthStore(adapterAuthStoreRoot()).listStatus().catch(() => []);
+    const adapterAuthRetained = adapterStatuses.length > 0;
+    return emitResult("workbench.cli.logout.v1", {
+        ...(baseUrl ? { baseUrl } : {}),
+        tokenPresent,
+        revoke,
+        configRemoved,
+        adapterAuthRetained,
+    }, parsed, io, () => [
+        `Logged out of Workbench${baseUrl ? ` (${baseUrl})` : ""}.`,
+        `Token: ${tokenPresent ? "present" : "absent"}; revoke ${revoke}; config ${configRemoved ? "removed" : "unchanged"}.`,
+        adapterAuthRetained
+            ? "Local adapter auth records were retained; run workbench auth disconnect ADAPTER to remove them."
+            : "No local adapter auth records remain.",
+    ].join("\n"));
+}
+async function handleInstall(parsed, io) {
+    const source = requiredFlag(parsed, {
+        flag: "source",
+        usage: "workbench install requires --source SOURCE.",
+        remediation: "Run workbench install --source https://HOST/skills/OWNER/SKILL --agent codex.",
+    });
+    rejectExtraInput(parsed, {
+        maxPositionals: 1,
+        message: "workbench install accepts --source SOURCE, not positional SOURCE.",
+        remediation: "Run workbench install --source https://HOST/skills/OWNER/SKILL --agent codex.",
+    });
+    if (parsed.flags.list !== true && stringsFlag(parsed, "agent").length === 0 && parsed.flags.local !== true) {
+        throw new WorkbenchCodedError("install_target_required", "workbench install requires an explicit target.", {
+            remediation: "Run workbench install --source SOURCE --agent codex, workbench install --source SOURCE --agent claude, or workbench install --source SOURCE --local.",
+            exitCode: 2,
+        });
+    }
+    const workbenchSource = parseWorkbenchInstallSource(source);
+    if (!workbenchSource) {
+        throw new WorkbenchCodedError("usage", "workbench install requires a Workbench Cloud source URL.", {
+            remediation: "Run workbench install --source https://HOST/skills/OWNER/SKILL --agent codex.",
+            exitCode: 2,
+        });
+    }
+    const snapshot = await fetchWorkbenchInstallSourceSnapshot(workbenchSource, source);
+    const sourceSummary = workbenchInstallSourceSummary(workbenchSource, snapshot);
+    if (parsed.flags.list === true) {
+        return emitResult("workbench.cli.install.v1", {
+            source: sourceSummary,
+            skills: [snapshot.name],
+            fileCount: snapshot.files.length,
+            targets: installTargetsToJson(supportedInstallTargets()),
+        }, parsed, io, () => [
+            `${snapshot.name}\t${snapshot.versionId}\tfiles=${snapshot.files.length}`,
+            "Targets:",
+            ...supportedInstallTargets().map((target) => `  ${target.agent}\t${target.destination}`),
+        ].join("\n"));
+    }
+    const targets = resolveInstallTargets({
+        agents: stringsFlag(parsed, "agent"),
+        local: parsed.flags.local === true,
+        skillName: snapshot.name,
+    });
+    const result = await installSnapshotToTargets({
+        snapshot,
+        targets,
+        overwrite: parsed.flags.yes === true,
+        dryRun: parsed.flags["dry-run"] === true,
+    });
+    return emitResult("workbench.cli.install.v1", {
+        source: sourceSummary,
+        result: result.result,
+        targets: result.targets,
+        filesCopied: result.filesCopied,
+        ...(parsed.flags["dry-run"] === true ? { dryRun: true } : {}),
+    }, parsed, io, () => [
+        parsed.flags["dry-run"] === true
+            ? `Would install ${snapshot.name}: filesCopied=${result.filesCopied}`
+            : `Installed ${snapshot.name}: ${result.result}`,
+        ...result.targets.map((target) => `  ${target.agent}\t${target.previous}\t${target.destination}`),
+    ].join("\n"));
+}
+function workbenchInstallSourceSummary(source, snapshot) {
+    const installUrl = `${source.baseUrl}/skills/${encodeURIComponent(source.owner)}/${encodeURIComponent(source.skill)}`;
+    return {
+        kind: "workbench-cloud",
+        owner: snapshot.owner,
+        skill: snapshot.name,
+        versionId: snapshot.versionId,
+        installUrl,
+        pinnedInstallUrl: `${installUrl}/releases/${encodeURIComponent(snapshot.versionId)}`,
+    };
+}
+function parseWorkbenchInstallSource(source) {
+    let url;
+    try {
+        url = new URL(source);
+    }
+    catch {
+        return undefined;
+    }
+    if (url.protocol !== "http:" && url.protocol !== "https:") {
+        return undefined;
     }
-    await writeConfig({ schema: CONFIG_SCHEMA, ...(baseUrl ? { baseUrl } : {}) });
-    return output({ ok: true, ...(baseUrl ? { baseUrl } : {}) }, parsed, io, () => "Logged out of Workbench.");
+    const segments = url.pathname
+        .split("/")
+        .filter(Boolean)
+        .map((segment) => decodeURIComponent(segment));
+    if (segments[0] !== "skills") {
+        return undefined;
+    }
+    if (!segments[1] || !segments[2]) {
+        throw new WorkbenchUserError(`Invalid Workbench skill URL: ${source}`);
+    }
+    if (segments.length === 3) {
+        return {
+            baseUrl: url.origin,
+            owner: segments[1],
+            skill: segments[2],
+        };
+    }
+    if (segments.length === 5 && segments[3] === "releases" && segments[4]) {
+        return {
+            baseUrl: url.origin,
+            owner: segments[1],
+            skill: segments[2],
+            version: segments[4],
+        };
+    }
+    throw new WorkbenchUserError(`Invalid Workbench skill URL: ${source}`);
+}
+async function fetchWorkbenchInstallSourceSnapshot(source, displaySource) {
+    const token = await workbenchCloudToken({ baseUrl: source.baseUrl });
+    const apiPath = source.version
+        ? `/api/workbench/source/skills/${encodeURIComponent(source.owner)}/${encodeURIComponent(source.skill)}/releases/${encodeURIComponent(source.version)}/source`
+        : `/api/workbench/source/skills/${encodeURIComponent(source.owner)}/${encodeURIComponent(source.skill)}/source`;
+    const response = await fetch(`${source.baseUrl}${apiPath}`, {
+        headers: {
+            ...(token ? { authorization: `Bearer ${token}` } : {}),
+        },
+    });
+    const text = await response.text();
+    const cloudError = parseWorkbenchCloudErrorBody(text);
+    if (cloudError) {
+        throw new WorkbenchCodedError(cloudError.code, cloudError.message, {
+            retryable: cloudError.retryable,
+            ...(cloudError.remediation ? { remediation: cloudError.remediation } : {}),
+            ...(cloudError.subject ? { subject: cloudError.subject } : {}),
+            exitCode: response.status === 400 ? 2 : 1,
+        });
+    }
+    if (response.status === 401) {
+        throw new WorkbenchCodedError("auth_required", token
+            ? `Workbench Cloud rejected the provided token while installing ${displaySource}.`
+            : `Authentication is required to install ${displaySource}.`, {
+            remediation: `Run workbench login --base-url ${source.baseUrl}.`,
+            exitCode: 1,
+        });
+    }
+    if (!response.ok) {
+        throw new WorkbenchCodedError("install_failed", `Unable to download Workbench source ${displaySource}: ${response.status} ${readResponseError(text) ?? response.statusText}`, {
+            subject: { source: displaySource, status: response.status },
+            exitCode: 1,
+        });
+    }
+    let parsed;
+    try {
+        parsed = text ? JSON.parse(text) : null;
+    }
+    catch {
+        throw new WorkbenchCodedError("install_failed", `Workbench source ${displaySource} did not return JSON.`, {
+            subject: { source: displaySource },
+            exitCode: 1,
+        });
+    }
+    const snapshot = parseWorkbenchInstallSourceSnapshot(parsed, displaySource);
+    if (source.version && snapshot.versionId !== source.version) {
+        throw new WorkbenchCodedError("install_failed", `Workbench source ${displaySource} resolved ${snapshot.versionId} instead of requested release ${source.version}.`, {
+            subject: { source: displaySource, resolvedVersionId: snapshot.versionId, requestedVersionId: source.version },
+            exitCode: 1,
+        });
+    }
+    return snapshot;
+}
+function parseWorkbenchInstallSourceSnapshot(value, displaySource) {
+    const record = asRecord(value);
+    if (record?.schema !== "workbench.source.snapshot.v1") {
+        throw new WorkbenchCodedError("install_failed", `Workbench source ${displaySource} did not return a source snapshot.`, {
+            subject: { source: displaySource },
+            exitCode: 1,
+        });
+    }
+    const owner = typeof record.owner === "string" ? record.owner : "";
+    const name = typeof record.name === "string" ? record.name : "";
+    const versionId = typeof record.versionId === "string" ? record.versionId : "";
+    const files = Array.isArray(record.files) ? record.files.map((entry) => parseWorkbenchInstallSourceFile(entry, displaySource)) : [];
+    if (!owner || !name || !versionId || files.length === 0) {
+        throw new WorkbenchCodedError("install_failed", `Workbench source ${displaySource} returned an incomplete source snapshot.`, {
+            subject: { source: displaySource },
+            exitCode: 1,
+        });
+    }
+    return {
+        schema: "workbench.source.snapshot.v1",
+        owner,
+        name,
+        versionId,
+        files,
+    };
+}
+function parseWorkbenchInstallSourceFile(value, displaySource) {
+    const record = asRecord(value);
+    if (!record) {
+        throw new WorkbenchCodedError("install_failed", `Workbench source ${displaySource} returned an invalid file entry.`, {
+            subject: { source: displaySource },
+            exitCode: 1,
+        });
+    }
+    const filePath = typeof record?.path === "string" ? record.path : "";
+    const content = typeof record?.content === "string" ? record.content : undefined;
+    if (!filePath || content === undefined) {
+        throw new WorkbenchCodedError("install_failed", `Workbench source ${displaySource} returned an invalid file entry.`, {
+            subject: { source: displaySource },
+            exitCode: 1,
+        });
+    }
+    return {
+        path: normalizeInstallSnapshotPath(filePath),
+        ...(record.kind === "text" || record.kind === "binary" ? { kind: record.kind } : {}),
+        encoding: record.encoding === "base64" ? "base64" : "utf8",
+        executable: record.executable === true,
+        content,
+    };
 }
 async function loadConfig() {
     const parsed = await readConfigJson(configPath()) ?? {};
@@ -699,11 +1174,23 @@ async function loadConfig() {
         schema: CONFIG_SCHEMA,
         ...(typeof parsed.baseUrl === "string" ? { baseUrl: normalizeBaseUrl(parsed.baseUrl) } : {}),
         ...(typeof parsed.accessToken === "string" ? { accessToken: parsed.accessToken } : {}),
+        ...(typeof parsed.username === "string" ? { username: parsed.username } : {}),
     };
 }
-async function workbenchRemoteAuthToken() {
+// Single resolver for the Workbench Cloud token used by every authenticated
+// path: config accessToken first, then WORKBENCH_API_TOKEN, then
+// WORKBENCH_SMOKE_BEARER_TOKEN. When a target base URL is known, the config
+// token is only used if the config base URL matches it.
+async function workbenchCloudToken(options = {}) {
     const config = await loadConfig();
-    return config.accessToken ?? process.env.WORKBENCH_API_TOKEN?.trim() ?? undefined;
+    const configToken = config.accessToken &&
+        (!options.baseUrl || !config.baseUrl || normalizeBaseUrl(config.baseUrl) === normalizeBaseUrl(options.baseUrl))
+        ? config.accessToken
+        : undefined;
+    return configToken ?? workbenchCloudEnvToken();
+}
+function workbenchCloudEnvToken() {
+    return process.env.WORKBENCH_API_TOKEN?.trim() || process.env.WORKBENCH_SMOKE_BEARER_TOKEN?.trim() || undefined;
 }
 async function readConfigJson(filePath) {
     try {
@@ -723,6 +1210,9 @@ async function writeConfig(config) {
 function configPath() {
     return process.env.WORKBENCH_CONFIG?.trim() || path.join(os.homedir(), ".workbench", "config.json");
 }
+function deviceAuthPath() {
+    return process.env.WORKBENCH_DEVICE_AUTH?.trim() || path.join(path.dirname(configPath()), "device-auth.json");
+}
 function selectWorkbenchBaseUrl(input = {}) {
     const baseUrl = optionalWorkbenchBaseUrl(input);
     if (!baseUrl) {
@@ -742,13 +1232,41 @@ function normalizeBaseUrl(value) {
 }
 async function requestDeviceAuthorization(baseUrl) {
     const response = await fetch(`${baseUrl}/api/oauth/device/code`, { method: "POST" });
+    const text = await response.text();
+    const cloudError = parseWorkbenchCloudErrorBody(text);
+    if (cloudError) {
+        throw new WorkbenchCodedError(cloudError.code, cloudError.message, {
+            retryable: cloudError.retryable,
+            ...(cloudError.remediation ? { remediation: cloudError.remediation } : {}),
+            ...(cloudError.subject ? { subject: cloudError.subject } : {}),
+            exitCode: 1,
+        });
+    }
     if (!response.ok) {
-        throw new WorkbenchUserError(`Device login failed: ${readResponseError(await response.text()) ?? response.statusText}`);
+        throw new WorkbenchCodedError("login_denied", `Device login failed: ${readResponseError(text) ?? response.statusText}`, {
+            exitCode: 1,
+        });
     }
-    return await response.json();
+    return JSON.parse(text);
 }
-async function pollDeviceToken(baseUrl, authorization) {
-    const deadline = Date.now() + Math.max(1, authorization.expires_in) * 1000;
+async function startDeviceAuthorization(baseUrl) {
+    const authorization = await requestDeviceAuthorization(baseUrl);
+    return {
+        schema: "workbench.cli.device-auth.v1",
+        baseUrl,
+        device_code: authorization.device_code,
+        user_code: authorization.user_code,
+        verification_uri: authorization.verification_uri,
+        verification_uri_complete: authorization.verification_uri_complete,
+        expiresAt: new Date(Date.now() + Math.max(1, authorization.expires_in) * 1000).toISOString(),
+        ...(authorization.interval !== undefined ? { interval: authorization.interval } : {}),
+    };
+}
+async function pollDeviceToken(baseUrl, authorization, timeoutSeconds) {
+    const expiresAtMs = Date.parse(authorization.expiresAt);
+    const expiryDeadline = Number.isFinite(expiresAtMs) ? expiresAtMs : Date.now() + 15 * 60 * 1000;
+    const timeoutDeadline = timeoutSeconds ? Date.now() + timeoutSeconds * 1000 : Number.POSITIVE_INFINITY;
+    const deadline = Math.min(expiryDeadline, timeoutDeadline);
     let intervalMs = Math.max(1, authorization.interval ?? 5) * 1000;
     while (Date.now() < deadline) {
         const response = await fetch(`${baseUrl}/api/oauth/token`, {
@@ -768,17 +1286,87 @@ async function pollDeviceToken(baseUrl, authorization) {
             intervalMs += 5000;
         }
         else if (error !== "authorization_pending") {
-            throw new WorkbenchUserError(`Device login failed: ${error}`);
+            throw new WorkbenchCodedError("login_denied", `Device login failed: ${error}`, {
+                exitCode: 1,
+            });
         }
         await sleep(intervalMs);
     }
-    throw new WorkbenchUserError("Device login timed out before authorization completed.");
+    throw new WorkbenchCodedError("login_pending", "Device login is still waiting for browser authorization.", {
+        retryable: true,
+        remediation: "Authorize the device in the browser, then run workbench login --wait --timeout 120.",
+        subject: {
+            retryAfterSeconds: Math.max(1, Math.ceil(intervalMs / 1000)),
+            verificationUri: authorization.verification_uri,
+            verificationUriComplete: authorization.verification_uri_complete,
+            userCode: authorization.user_code,
+            expiresAt: authorization.expiresAt,
+        },
+        exitCode: 1,
+    });
+}
+async function fetchWorkbenchUsername(baseUrl, accessToken) {
+    const response = await fetch(`${baseUrl}/api/workbench/profile`, {
+        headers: { authorization: `Bearer ${accessToken}` },
+    });
+    if (!response.ok) {
+        return undefined;
+    }
+    const record = asRecord(await response.json());
+    const profile = asRecord(record?.profile);
+    return typeof profile?.username === "string" ? profile.username : undefined;
+}
+async function readPendingDeviceAuthorization(baseUrl) {
+    const record = await readDeviceAuthorizationJson(deviceAuthPath());
+    if (!record || record.baseUrl !== baseUrl || Date.parse(record.expiresAt) <= Date.now()) {
+        return null;
+    }
+    return record;
+}
+async function writePendingDeviceAuthorization(record) {
+    await fs.mkdir(path.dirname(deviceAuthPath()), { recursive: true });
+    await fs.writeFile(deviceAuthPath(), `${JSON.stringify(record, null, 2)}\n`);
+}
+async function clearPendingDeviceAuthorization() {
+    await fs.rm(deviceAuthPath(), { force: true });
+}
+async function readDeviceAuthorizationJson(filePath) {
+    try {
+        const record = asRecord(JSON.parse(await fs.readFile(filePath, "utf8")));
+        if (record?.schema !== "workbench.cli.device-auth.v1" ||
+            typeof record.baseUrl !== "string" ||
+            typeof record.device_code !== "string" ||
+            typeof record.user_code !== "string" ||
+            typeof record.verification_uri !== "string" ||
+            typeof record.verification_uri_complete !== "string" ||
+            typeof record.expiresAt !== "string" ||
+            !Number.isFinite(Date.parse(record.expiresAt))) {
+            return null;
+        }
+        return {
+            schema: "workbench.cli.device-auth.v1",
+            baseUrl: record.baseUrl,
+            device_code: record.device_code,
+            user_code: record.user_code,
+            verification_uri: record.verification_uri,
+            verification_uri_complete: record.verification_uri_complete,
+            expiresAt: record.expiresAt,
+            ...(typeof record.interval === "number" ? { interval: record.interval } : {}),
+        };
+    }
+    catch (error) {
+        if (error?.code === "ENOENT") {
+            return null;
+        }
+        throw error;
+    }
 }
 async function apiRequest(apiPath, options = {}, baseUrlOverride) {
     const config = await loadConfig();
     const baseUrl = baseUrlOverride !== undefined
         ? normalizeBaseUrl(baseUrlOverride)
         : selectWorkbenchBaseUrl({ configBaseUrl: config.baseUrl });
+    const token = await workbenchCloudToken({ baseUrl });
     const method = options.method ?? "GET";
     const canRetry = method === "GET";
     const requestBody = encodeJsonRequestBody(options.body);
@@ -790,7 +1378,7 @@ async function apiRequest(apiPath, options = {}, baseUrlOverride) {
                 method,
                 headers: {
                     ...requestBody.headers,
-                    ...(config.accessToken ? { authorization: `Bearer ${config.accessToken}` } : {}),
+                    ...(token ? { authorization: `Bearer ${token}` } : {}),
                 },
                 body: requestBody.body,
             });
@@ -805,6 +1393,21 @@ async function apiRequest(apiPath, options = {}, baseUrlOverride) {
         }
         if (!response.ok) {
             const text = await response.text();
+            const cloudError = parseWorkbenchCloudErrorBody(text);
+            if (cloudError) {
+                const requestError = new WorkbenchCodedError(cloudError.code, cloudError.message, {
+                    retryable: cloudError.retryable,
+                    ...(cloudError.remediation ? { remediation: cloudError.remediation } : {}),
+                    ...(cloudError.subject ? { subject: cloudError.subject } : {}),
+                    exitCode: response.status === 400 ? 2 : 1,
+                });
+                lastError = requestError;
+                if (canRetry && attempt < API_REQUEST_MAX_ATTEMPTS && cloudError.retryable) {
+                    await sleep(250 * attempt);
+                    continue;
+                }
+                throw requestError;
+            }
             const requestError = new WorkbenchApiRequestError(response.status, readResponseError(text) ?? `Request failed with status ${response.status}${response.statusText ? ` ${response.statusText}` : ""}.`, text);
             lastError = requestError;
             if (canRetry && attempt < API_REQUEST_MAX_ATTEMPTS && isTransientApiRequestError(requestError)) {
@@ -834,26 +1437,44 @@ function encodeJsonRequestBody(body) {
     };
 }
 async function uploadAdapterConnection(bundle, parsed) {
+    const token = await workbenchCloudToken();
     if (parsed.flags["local-only"] === true) {
-        return { status: "skipped", reason: "local_only" };
+        return {
+            status: token ? "authenticated" : "not_authenticated",
+            sync: "skipped",
+            reason: "local_only",
+        };
     }
-    const config = await loadConfig();
-    if (!config.accessToken) {
-        return { status: "skipped", reason: "not_authenticated" };
+    if (!token) {
+        return {
+            status: "not_authenticated",
+            sync: "skipped",
+            reason: "not_authenticated",
+            remediation: "Run workbench login.",
+        };
     }
     await apiRequest(adapterConnectionApiPath(bundle), { method: "PUT", body: { bundle } });
-    return { status: "connected" };
+    return { status: "authenticated", sync: "uploaded" };
 }
 async function deleteAdapterConnectionRemote(target, parsed) {
+    const token = await workbenchCloudToken();
     if (parsed.flags["local-only"] === true) {
-        return { status: "skipped", reason: "local_only" };
+        return {
+            status: token ? "authenticated" : "not_authenticated",
+            sync: "skipped",
+            reason: "local_only",
+        };
     }
-    const config = await loadConfig();
-    if (!config.accessToken) {
-        return { status: "skipped", reason: "not_authenticated" };
+    if (!token) {
+        return {
+            status: "not_authenticated",
+            sync: "skipped",
+            reason: "not_authenticated",
+            remediation: "Run workbench login.",
+        };
     }
     await apiRequest(adapterConnectionApiPath(target), { method: "DELETE" });
-    return { status: "disconnected" };
+    return { status: "authenticated", sync: "deleted" };
 }
 function adapterConnectionApiPath(target) {
     const params = new URLSearchParams({ profile: target.profile });
@@ -883,6 +1504,25 @@ function readResponseError(text) {
         return text.trim() || null;
     }
 }
+function parseWorkbenchCloudErrorBody(text) {
+    try {
+        const record = asRecord(JSON.parse(text));
+        if (record?.schema !== "workbench.cloud.error.v1" || typeof record.code !== "string" || typeof record.message !== "string") {
+            return null;
+        }
+        const subject = asRecord(record.subject);
+        return {
+            code: record.code,
+            message: record.message,
+            retryable: record.retryable === true,
+            ...(typeof record.remediation === "string" ? { remediation: record.remediation } : {}),
+            ...(subject ? { subject: subject } : {}),
+        };
+    }
+    catch {
+        return null;
+    }
+}
 function isTransientFetchError(error) {
     return /(?:fetch failed|socket hang up|ECONNRESET|EPIPE|UND_ERR_SOCKET|terminated)/iu.test(errorMessage(error));
 }
@@ -911,26 +1551,6 @@ async function openBrowser(url) {
         });
     });
 }
-function retrySamplesForFailedJobs(jobs, run) {
-    if (run.status === "running") {
-        throw new WorkbenchUserError(`Run ${run.id} is still running; wait for it to finish before retrying.`);
-    }
-    const failed = jobs
-        .filter((job) => job.runId === run.id && job.status !== "succeeded")
-        .map((job) => ({ caseId: job.caseId, sample: job.sample }));
-    if (failed.length === 0) {
-        throw new WorkbenchUserError(`Run ${run.id} has no failed jobs to retry; use workbench eval to intentionally run it again.`);
-    }
-    const byKey = new Map();
-    for (const sample of failed) {
-        byKey.set(`${sample.caseId}:${sample.sample}`, sample);
-    }
-    const selectedSamples = [...byKey.values()].sort((left, right) => left.caseId.localeCompare(right.caseId) || left.sample - right.sample);
-    return {
-        samples: Math.max(1, ...selectedSamples.map((entry) => entry.sample + 1)),
-        selectedSamples,
-    };
-}
 function adapterAuthStoreRoot() {
     return process.env.WORKBENCH_ADAPTER_AUTH_STORE?.trim() || undefined;
 }
@@ -1062,24 +1682,40 @@ async function requiredAgentAuthStatuses(parsed, statuses) {
         .filter((agent) => ["codex", "claude"].includes(agent.adapter.trim().toLowerCase()))
         .map(async (agent) => {
         const target = parseAuthTarget(agent.adapter.trim().toLowerCase(), "default");
+        const local = statusMap.get(`${target.adapterId}/${target.slot ?? "_"}/${target.profile}`) ??
+            await localWorkbenchAdapterAuthStore(adapterAuthStoreRoot()).status(target);
         return {
             agent: agent.name,
             adapter: agent.adapter,
-            local: statusMap.get(`${target.adapterId}/${target.slot ?? "_"}/${target.profile}`) ??
-                await localWorkbenchAdapterAuthStore(adapterAuthStoreRoot()).status(target),
+            local: local.status === "connected" ? "connected" : "missing",
         };
     }));
 }
 function formatAuthStatusRecord(status) {
     return `${formatAuthTarget(status)}\t${status.status}${status.method ? `\t${status.method}` : ""}${status.reason ? `\t${status.reason}` : ""}`;
 }
-function formatAuthStatusList(statuses, required) {
+function authStatusRecordToJson(status) {
+    return {
+        adapter: status.adapterId,
+        ...(status.slot ? { slot: status.slot } : {}),
+        profile: status.profile,
+        status: status.status,
+        ...(status.method ? { method: status.method } : {}),
+        ...(status.updatedAt ? { updatedAt: status.updatedAt } : {}),
+    };
+}
+function formatWorkbenchCloudAuthStatus(status) {
+    return `Workbench Cloud: ${status.status}${status.baseUrl ? `\tbaseUrl=${status.baseUrl}` : ""}${status.username ? `\tuser=${status.username}` : ""}`;
+}
+function formatAuthStatusList(workbenchCloud, statuses, required) {
     const lines = [
+        formatWorkbenchCloudAuthStatus(workbenchCloud),
+        "",
         ...(statuses.length > 0
             ? ["Adapter auth:", ...statuses.map(formatAuthStatusRecord)]
             : ["No local adapter auth records."]),
         ...(required.length > 0
-            ? ["", "Required by agents:", ...required.map((entry) => `${entry.agent}\t${entry.adapter}\t${entry.local.status}${entry.local.method ? `\t${entry.local.method}` : ""}`)]
+            ? ["", "Required by agents:", ...required.map((entry) => `${entry.agent}\t${entry.adapter}\t${entry.local}`)]
             : []),
     ];
     return lines.join("\n");
@@ -1108,7 +1744,7 @@ async function showLocalAgentSession(ref) {
     const sessions = await listLocalAgentSessions();
     const session = sessions.find((entry) => entry.id === ref);
     if (!session) {
-        throw new WorkbenchUserError(`Session not found: ${ref}`);
+        throw new WorkbenchCodedError("ref_not_found", `Session not found: ${ref}`, { exitCode: 1 });
     }
     return {
         ...session,
@@ -1264,6 +1900,15 @@ function addFlag(flags, name, value) {
                 : [String(existing), String(value)];
         return;
     }
+    if (name === "agent" || name === "skill") {
+        const existing = flags[name];
+        flags[name] = Array.isArray(existing)
+            ? [...existing, String(value)]
+            : existing === undefined
+                ? String(value)
+                : [String(existing), String(value)];
+        return;
+    }
     flags[name] = value;
 }
 function dirFlag(parsed) {
@@ -1272,13 +1917,21 @@ function dirFlag(parsed) {
 async function coreOptions(parsed) {
     return {
         dir: dirFlag(parsed),
-        authToken: await workbenchRemoteAuthToken(),
+        authToken: await workbenchCloudToken(),
     };
 }
 function stringFlag(parsed, name) {
     const value = parsed.flags[name];
     return typeof value === "string" ? value : undefined;
 }
+function stringsFlag(parsed, name) {
+    const value = parsed.flags[name];
+    return Array.isArray(value)
+        ? value
+        : typeof value === "string"
+            ? [value]
+            : [];
+}
 function intFlag(parsed, name) {
     const value = stringFlag(parsed, name);
     if (!value) {
@@ -1300,14 +1953,33 @@ function requiredPositional(parsed, index, message) {
     }
     return value;
 }
+function requiredFlag(parsed, input) {
+    const flagValue = stringFlag(parsed, input.flag);
+    if (!flagValue) {
+        throw new WorkbenchCodedError("usage", input.usage, {
+            remediation: input.remediation,
+            exitCode: 2,
+        });
+    }
+    return flagValue;
+}
+function rejectExtraInput(parsed, input) {
+    if (parsed.positionals.length <= input.maxPositionals) {
+        return;
+    }
+    throw new WorkbenchCodedError("usage", input.message, {
+        remediation: input.remediation,
+        exitCode: 2,
+    });
+}
 function parsePublishVisibility(value) {
     if (value === undefined) {
         return undefined;
     }
-    if (value === "private" || value === "public") {
+    if (value === "private" || value === "internal" || value === "public") {
         return value;
     }
-    throw new WorkbenchUserError("workbench publish --visibility must be private or public.");
+    throw new WorkbenchUserError("workbench publish --visibility must be private, internal, or public.");
 }
 function parseWithFlags(parsed) {
     const raw = parsed.flags.with;
@@ -1332,34 +2004,151 @@ function parseScalar(value) {
     }
     return value;
 }
-function output(value, parsed, io, text) {
-    if (parsed.flags.json === true) {
-        io.stdout.write(`${JSON.stringify(value, null, 2)}\n`);
+async function artifactIdsByRunId(core, runs) {
+    const runIds = new Set(runs.map((run) => run.id));
+    const byRun = new Map([...runIds].map((runId) => [runId, []]));
+    if (runIds.size === 0) {
+        return byRun;
     }
-    else {
-        io.stdout.write(`${text()}\n`);
+    const snapshot = await createWorkbenchReadOnlyInspectionSnapshot(core);
+    for (const job of snapshot.jobs) {
+        if (!runIds.has(job.runId)) {
+            continue;
+        }
+        const current = byRun.get(job.runId) ?? [];
+        byRun.set(job.runId, [...new Set([...current, ...job.artifactIds])]);
     }
-    return 0;
+    return byRun;
+}
+function emitEvalFailure(runs, failedRuns, artifactIds, parsed, io) {
+    const nextCommands = evalFailureNextCommands(failedRuns);
+    if (parsed.flags.json === true) {
+        io.stdout.write(`${JSON.stringify({
+            schema: "workbench.cli.eval.v1",
+            ok: false,
+            code: "eval_runs_failed",
+            message: "Eval failed; evidence was saved.",
+            retryable: false,
+            evidenceSaved: true,
+            runs: runs.map((run) => runFailureSummary(run, artifactIds.get(run.id) ?? [])),
+            failedRuns: failedRuns.map((run) => runFailureSummary(run, artifactIds.get(run.id) ?? [])),
+            nextCommands,
+        }, null, 2)}\n`);
+        return 1;
+    }
+    io.stdout.write([
+        "Eval failed; evidence was saved.",
+        ...failedRuns.map(formatRun),
+        ...(nextCommands.length > 0 ? ["next:", ...nextCommands.map((command) => `  ${command}`)] : []),
+    ].join("\n") + "\n");
+    return 1;
+}
+function runSummary(run, artifactIds) {
+    return {
+        id: run.id,
+        kind: run.kind,
+        status: run.status,
+        versionId: run.versionId,
+        skillName: run.skillName,
+        agentName: run.agentName,
+        ...(run.score !== undefined ? { score: run.score } : {}),
+        ...(run.latencyMs !== undefined ? { latencyMs: run.latencyMs } : {}),
+        ...(run.error ? { error: run.error } : {}),
+        ...(run.jobIds ? { jobIds: run.jobIds } : {}),
+        traceIds: run.traceIds,
+        artifactIds: [...artifactIds],
+    };
+}
+function runFailureSummary(run, artifactIds) {
+    return {
+        runId: run.id,
+        agent: run.agentName,
+        skill: run.skillName,
+        status: run.status,
+        versionId: run.versionId,
+        ...(run.score !== undefined ? { score: run.score } : {}),
+        ...(run.error ? { error: run.error } : {}),
+        traceIds: run.traceIds,
+        artifactIds: [...artifactIds],
+    };
 }
-function formatStatus(status) {
-    if (!status.initialized) {
-        return `Workbench: not initialized\nRoot: ${status.root}`;
+function evalFailureNextCommands(failedRuns) {
+    const first = failedRuns[0];
+    if (!first) {
+        return ["workbench compare --versions all"];
     }
+    const traceId = first.traceIds[0];
     return [
-        `Root: ${status.root}`,
-        `Current version: ${status.currentVersionId ?? "none"}`,
-        `Unversioned changes: ${status.hasUnversionedChanges ? "yes" : "no"}`,
-        `Default skill: ${status.defaultSkill ?? "none"}`,
-        `Default agent: ${status.defaultAgent ?? "none"}`,
-        `Versions: ${status.versionCount}`,
-        `Skills: ${status.skillCount}`,
-        `Agents: ${status.agentCount}`,
-        `Runs: ${status.runCount}`,
-        `Remotes: ${status.remoteCount}`,
-        ...(status.pendingSyncCount ? [`Pending sync: ${status.pendingSyncCount}`] : []),
-        ...(status.lastScore !== undefined ? [`Last score: ${status.lastScore}`] : []),
-        ...(status.automationReadiness ? [`Automation readiness: ${status.automationReadiness.label} - ${status.automationReadiness.reason}`] : []),
-    ].join("\n");
+        "workbench compare --versions all",
+        `workbench trace ${first.id}`,
+        ...(traceId ? [`workbench show ${traceId}:stderr.log`] : []),
+        `workbench improve --agent ${first.agentName} --budget 1 --samples 1`,
+    ];
+}
+function output(value, parsed, io, text) {
+    return emitResult(commandSchema(parsed), { result: value }, parsed, io, text);
+}
+function commandSchema(parsed) {
+    const command = parsed.positionals[0] ?? "result";
+    const subcommand = parsed.positionals[1];
+    const suffix = ["auth", "remote", "agent", "case", "skills"].includes(command) && subcommand
+        ? `${command}-${subcommand}`
+        : command;
+    return `workbench.cli.${suffix}.v1`;
+}
+async function workbenchCliAuthStatus() {
+    const config = await loadConfig();
+    const adapterStatuses = await localWorkbenchAdapterAuthStore(adapterAuthStoreRoot()).listStatus().catch(() => []);
+    const baseUrl = optionalWorkbenchBaseUrl({ configBaseUrl: config.baseUrl });
+    return {
+        workbenchCloud: {
+            status: config.accessToken || workbenchCloudEnvToken() ? "authenticated" : "not_authenticated",
+            ...(baseUrl ? { baseUrl } : {}),
+            ...(config.accessToken && config.username ? { username: config.username } : {}),
+        },
+        adapters: adapterStatuses.map((status) => ({
+            adapter: status.adapterId,
+            ...(status.slot ? { slot: status.slot } : {}),
+            profile: status.profile,
+            status: status.status,
+            ...(status.method ? { method: status.method } : {}),
+            ...(status.updatedAt ? { updatedAt: status.updatedAt } : {}),
+        })),
+    };
+}
+function formatStatusSnapshot(status) {
+    const lines = [
+        `Root: ${status.project.root}`,
+        `Initialized: ${status.project.initialized ? "yes" : "no"}`,
+        ...(status.project.currentVersionId ? [`Current version: ${status.project.currentVersionId}`] : []),
+        ...(status.project.defaultSkill ? [`Default skill: ${status.project.defaultSkill}`] : []),
+        ...(status.project.defaultAgent ? [`Default agent: ${status.project.defaultAgent}`] : []),
+        `Runs: ${status.runs.total}${status.runs.lastStatus ? ` (last ${status.runs.lastStatus})` : ""}`,
+        `Workbench Cloud: ${status.auth?.workbenchCloud.status ?? "not_authenticated"}${status.auth?.workbenchCloud.baseUrl ? ` ${status.auth.workbenchCloud.baseUrl}` : ""}`,
+        ...(status.remotes.length > 0 ? ["Remotes:", ...status.remotes.flatMap((remote) => {
+                const publication = remote.publication.status === "published"
+                    ? [
+                        "publication=published",
+                        remote.publication.visibility ? `visibility=${remote.publication.visibility}` : undefined,
+                        remote.publication.versionId ? `version=${remote.publication.versionId}` : undefined,
+                        remote.publication.installUrl ? `install=${remote.publication.installUrl}` : undefined,
+                        remote.publication.pinnedInstallUrl ? `pinned=${remote.publication.pinnedInstallUrl}` : undefined,
+                    ].filter(Boolean).join("\t")
+                    : "publication=unpublished";
+                return [
+                    `  ${remote.name}\tkind=${remote.kind}\tsync=${remote.sync.status}\turl=${remote.url}\t${publication}`,
+                    ...(remote.sync.status === "error" && remote.sync.lastError
+                        ? [
+                            `    error[${remote.sync.lastError.code}]: ${remote.sync.lastError.message}`,
+                            ...(remote.sync.lastAttemptAt ? [`    last attempt: ${remote.sync.lastAttemptAt}`] : []),
+                            ...(remote.sync.nextCommand ? [`    next: ${remote.sync.nextCommand}`] : []),
+                        ]
+                        : []),
+                ];
+            })] : ["Remotes: none"]),
+        ...(status.next.length > 0 ? ["Next:", ...status.next.map((command) => `  ${command}`)] : []),
+    ];
+    return lines.join("\n");
 }
 function formatCheck(result) {
     return [
@@ -1369,7 +2158,6 @@ function formatCheck(result) {
         `Agents: ${result.agents}`,
         `Skill files: ${result.plan.source.skillFiles}`,
         `Eval files: ${result.plan.source.evalFiles}`,
-        `Readiness: ${result.plan.readiness.label} - ${result.plan.readiness.reason}`,
         "",
         "Skill plan:",
         ...result.plan.skills.map((skill) => [
@@ -1397,6 +2185,16 @@ function formatCheck(result) {
 function formatVersion(version) {
     return `${version.id}\t${version.hash.slice(0, 12)}\t${version.message}`;
 }
+function versionSummary(version) {
+    return {
+        id: version.id,
+        hash: version.hash,
+        message: version.message,
+        parentIds: version.parentIds,
+        createdAt: version.createdAt,
+        fileCount: version.files.length,
+    };
+}
 function formatAgent(agent) {
     return `${agent.name}\t${agent.adapter}${agent.model ? `\t${agent.model}` : ""}`;
 }
@@ -1419,14 +2217,14 @@ function formatJob(job) {
     return `${job.id}\trun=${job.runId}\tcase=${job.caseId}\tsample=${job.sample}\t${job.status}\tscore=${score}\tduration=${duration}`;
 }
 function formatComparison(comparison) {
-    const lines = ["version\tskill\tagent\tscore\treadiness\tcost\tlatency\trun"];
+    const lines = ["version\tskill\tagent\tstatus\tscore\tcost\tlatency\trun"];
     for (const cell of comparison.cells) {
         lines.push([
             cell.versionId,
             cell.skillName,
-            cell.agentName,
+            `${cell.agentName}@${shortObjectId(cell.agentHash)}`,
+            cell.status ?? "not-run",
             cell.score === undefined ? "n/a" : cell.score.toFixed(3),
-            cell.automationReadiness?.label ?? "n/a",
             cell.costUsd === undefined ? "n/a" : `$${cell.costUsd.toFixed(4)}`,
             cell.latencyMs === undefined ? "n/a" : `${cell.latencyMs}ms`,
             cell.runId ?? "n/a",
@@ -1434,6 +2232,9 @@ function formatComparison(comparison) {
     }
     return lines.join("\n");
 }
+function shortObjectId(id) {
+    return id.length > 12 ? id.slice(0, 12) : id;
+}
 function formatTrace(trace) {
     const result = asRecord(trace.result);
     const status = typeof result?.status === "string" ? result.status : undefined;
@@ -1448,9 +2249,62 @@ function formatTrace(trace) {
         `files=${trace.files.length}${files ? ` (${files}${trace.files.length > 5 ? ",..." : ""})` : ""}`,
     ].filter(Boolean).join("\t");
 }
+function traceSummary(trace) {
+    const result = asRecord(trace.result);
+    return {
+        id: trace.id,
+        runId: trace.runId,
+        ...(trace.jobId ? { jobId: trace.jobId } : {}),
+        versionId: trace.versionId,
+        skillName: trace.skillName,
+        agentName: trace.agentName,
+        createdAt: trace.createdAt,
+        ...(typeof result?.status === "string" ? { status: result.status } : {}),
+        ...(typeof result?.score === "number" ? { score: result.score } : {}),
+        ...(typeof result?.error === "string" ? { error: singleLine(result.error) } : {}),
+        fileCount: trace.files.length,
+        files: trace.files.map(fileSummary),
+    };
+}
+function formatTraceDetail(detail) {
+    return detail.executions.map((execution) => {
+        const sessionLabels = execution.sessions.map((session) => session.label).join(",");
+        return [
+            `${execution.id}\trun=${detail.runId}\tjobs=${execution.jobIds.join(",")}\tstatus=${execution.status}`,
+            `events=${execution.trace.events.length}`,
+            `spans=${execution.trace.spans.length}`,
+            `summaries=${execution.trace.summaries.length}`,
+            sessionLabels ? `sessions=${sessionLabels}` : undefined,
+        ].filter(Boolean).join("\t");
+    }).join("\n");
+}
 function formatArtifact(artifact) {
     return `${artifact.id}\trun=${artifact.runId}\tjob=${artifact.jobId}\t${artifact.kind}\tfiles=${artifact.files.length}`;
 }
+function artifactSummary(artifact) {
+    return {
+        id: artifact.id,
+        runId: artifact.runId,
+        jobId: artifact.jobId,
+        kind: artifact.kind,
+        fileCount: artifact.files.length,
+        files: artifact.files.map(fileSummary),
+    };
+}
+function fileSummary(file) {
+    return {
+        path: file.path,
+        ...(file.kind ? { kind: file.kind } : {}),
+        ...(file.encoding ? { encoding: file.encoding } : {}),
+        ...(file.executable !== undefined ? { executable: file.executable } : {}),
+        bytes: surfaceFileByteLength(file),
+    };
+}
+function surfaceFileByteLength(file) {
+    return file.encoding === "base64"
+        ? Buffer.byteLength(file.content, "base64")
+        : Buffer.byteLength(file.content, "utf8");
+}
 function formatSession(session) {
     return `${session.id}\t${session.source}\t${session.updatedAt}\t${session.bytes}b\t${session.path}${session.title ? `\t${session.title}` : ""}`;
 }
@@ -1473,6 +2327,9 @@ function formatShow(value) {
 function isSurfaceFile(value) {
     return Boolean(value && typeof value === "object" && "content" in value && typeof value.content === "string");
 }
+function singleLine(value) {
+    return value.replace(/\s+/gu, " ").trim();
+}
 function asRecord(value) {
     return value && typeof value === "object" && !Array.isArray(value)
         ? value