archal 0.9.16 → 0.9.18

package/dist/cli.cjs

@@ -33917,7 +33917,7 @@ var init_generated_catalog = __esm({
         icon: "AP",
         name: "Apify",
         description: "Actors, runs, datasets, key-value stores, and request queues.",
-        toolCount: 43,
+        toolCount: 45,
         transport: "rest"
       },
       {
@@ -33925,7 +33925,7 @@ var init_generated_catalog = __esm({
         icon: "DC",
         name: "Discord",
         description: "Guilds, channels, messages, webhooks, threads, commands, and interaction responses.",
-        toolCount: 68,
+        toolCount: 67,
         transport: "both"
       },
       {
@@ -33941,7 +33941,7 @@ var init_generated_catalog = __esm({
         icon: "GW",
         name: "Google Workspace",
         description: "Gmail, Calendar, Drive, Sheets, and Contacts.",
-        toolCount: 9,
+        toolCount: 249,
         transport: "both"
       },
       {
@@ -34038,7 +34038,7 @@ var init_src2 = __esm({
 function formatMinutesLabel(minutes) {
   return minutes.toLocaleString("en-US");
 }
-var PLAN_MONTHLY_TWIN_MINUTE_LIMITS, PLAN_CONCURRENT_SESSION_LIMITS, FREE_WORKSPACE_MEMBER_LIMIT, PRO_PLAN_PRICE_USD, FREE_MINUTES, PRO_MINUTES, PRO_EVALS_PER_SEAT, PRO_SESSION_MINUTES_PER_SEAT, PRO_MAX_SEATS, FREE_EVALS_PER_MONTH, PLAN_DISPLAY, PLAN_MAX_SESSION_TTL_SECONDS, MAX_ABSOLUTE_SESSION_LIFETIME_SECONDS, LIFETIME_PERIOD_RESETS_AT, SCENARIO_USAGE_WINDOW_DAYS, SCENARIO_USAGE_WINDOW_MS, SCENARIO_USAGE_WINDOW_SECONDS;
+var PLAN_MONTHLY_TWIN_MINUTE_LIMITS, PLAN_CONCURRENT_SESSION_LIMITS, FREE_WORKSPACE_MEMBER_LIMIT, PRO_PLAN_PRICE_USD, FREE_MINUTES, PRO_MINUTES, PRO_EVALS_PER_SEAT, PRO_SESSION_MINUTES_PER_SEAT, PRO_MAX_SEATS, FREE_EVALS_PER_MONTH, PLAN_DISPLAY, PLAN_MAX_SESSION_TTL_SECONDS, MAX_ABSOLUTE_SESSION_LIFETIME_SECONDS, LIFETIME_PERIOD_RESETS_AT, SCENARIO_USAGE_WINDOW_DAYS, SCENARIO_USAGE_WINDOW_MS, SCENARIO_USAGE_WINDOW_SECONDS, LLM_PRICING_USD_PER_M_TOKENS, LLM_PRICING_FAMILY_RATES;
 var init_src3 = __esm({
   "../packages/billing-constants/src/index.ts"() {
     "use strict";
@@ -34118,6 +34118,51 @@ var init_src3 = __esm({
     SCENARIO_USAGE_WINDOW_DAYS = 7;
     SCENARIO_USAGE_WINDOW_MS = SCENARIO_USAGE_WINDOW_DAYS * 24 * 60 * 60 * 1e3;
     SCENARIO_USAGE_WINDOW_SECONDS = SCENARIO_USAGE_WINDOW_DAYS * 24 * 60 * 60;
+    LLM_PRICING_USD_PER_M_TOKENS = {
+      // Google Gemini (verified 2026-05-05, standard tier <=200K input tokens)
+      "gemini-2.5-pro": { input: 1.25, output: 10 },
+      "gemini-2.5-flash": { input: 0.3, output: 2.5 },
+      // OpenAI flagship text models (verified 2026-05-21, standard short-context tier)
+      "gpt-5.5": { input: 5, output: 30 },
+      "gpt-5.5-pro": { input: 30, output: 180 },
+      "gpt-5.4": { input: 2.5, output: 15 },
+      "gpt-5.4-mini": { input: 0.75, output: 4.5 },
+      "gpt-5.4-nano": { input: 0.2, output: 1.25 },
+      "gpt-5.4-pro": { input: 30, output: 180 },
+      "gpt-4o-mini": { input: 0.15, output: 0.6 },
+      "gpt-4o": { input: 2.5, output: 10 },
+      "gpt-4.1-mini": { input: 0.4, output: 1.6 },
+      "gpt-4.1-nano": { input: 0.1, output: 0.4 },
+      "gpt-4.1": { input: 2, output: 8 },
+      // DeepSeek (verified 2026-05-05; legacy names map to v4-flash per vendor)
+      "deepseek-chat": { input: 0.14, output: 0.28 },
+      "deepseek-reasoner": { input: 0.14, output: 0.28 },
+      "deepseek-v4-flash": { input: 0.14, output: 0.28 }
+    };
+    LLM_PRICING_FAMILY_RATES = [
+      { match: /^gemini-2\.5-pro/i, rate: LLM_PRICING_USD_PER_M_TOKENS["gemini-2.5-pro"] },
+      { match: /^gemini-2\.5-flash/i, rate: LLM_PRICING_USD_PER_M_TOKENS["gemini-2.5-flash"] },
+      { match: /^gpt-5\.5-pro/i, rate: LLM_PRICING_USD_PER_M_TOKENS["gpt-5.5-pro"] },
+      { match: /^gpt-5\.5/i, rate: LLM_PRICING_USD_PER_M_TOKENS["gpt-5.5"] },
+      { match: /^gpt-5\.4-pro/i, rate: LLM_PRICING_USD_PER_M_TOKENS["gpt-5.4-pro"] },
+      { match: /^gpt-5\.4-mini/i, rate: LLM_PRICING_USD_PER_M_TOKENS["gpt-5.4-mini"] },
+      { match: /^gpt-5\.4-nano/i, rate: LLM_PRICING_USD_PER_M_TOKENS["gpt-5.4-nano"] },
+      { match: /^gpt-5\.4/i, rate: LLM_PRICING_USD_PER_M_TOKENS["gpt-5.4"] },
+      { match: /^gpt-4o-mini/i, rate: LLM_PRICING_USD_PER_M_TOKENS["gpt-4o-mini"] },
+      { match: /^gpt-4o(?!-mini)/i, rate: LLM_PRICING_USD_PER_M_TOKENS["gpt-4o"] },
+      { match: /^gpt-4\.1-mini/i, rate: LLM_PRICING_USD_PER_M_TOKENS["gpt-4.1-mini"] },
+      { match: /^gpt-4\.1-nano/i, rate: LLM_PRICING_USD_PER_M_TOKENS["gpt-4.1-nano"] },
+      { match: /^gpt-4\.1(?!-mini|-nano)/i, rate: LLM_PRICING_USD_PER_M_TOKENS["gpt-4.1"] },
+      { match: /^claude-opus-/i, rate: { input: 15, output: 75 } },
+      { match: /^claude-haiku-/i, rate: { input: 0.8, output: 4 } },
+      { match: /^claude-sonnet-/i, rate: { input: 3, output: 15 } },
+      { match: /^opus-/i, rate: { input: 15, output: 75 } },
+      { match: /^haiku-/i, rate: { input: 0.8, output: 4 } },
+      { match: /^sonnet-/i, rate: { input: 3, output: 15 } },
+      { match: /^deepseek-chat/i, rate: LLM_PRICING_USD_PER_M_TOKENS["deepseek-chat"] },
+      { match: /^deepseek-reasoner/i, rate: LLM_PRICING_USD_PER_M_TOKENS["deepseek-reasoner"] },
+      { match: /^deepseek-v4-flash/i, rate: LLM_PRICING_USD_PER_M_TOKENS["deepseek-v4-flash"] }
+    ];
   }
 });
 
@@ -41904,7 +41949,7 @@ function buildCodegenUserPrompt(twinName, setupDescription) {
   const declarations = SDK_DECLARATIONS[twinName];
   const example = SDK_EXAMPLES[twinName];
   if (!declarations) {
-    return `Twin: ${twinName}
+    return `Clone: ${twinName}
 
 Setup:
 ${setupDescription}
@@ -41925,7 +41970,7 @@ ${example.code}
 `;
   }
   prompt += `## Task
-Twin: ${twinName}
+Clone: ${twinName}
 
 Setup:
 ${setupDescription}
@@ -41951,7 +41996,7 @@ ${originalCode}
 Fix the code and output ONLY the corrected JavaScript. No explanations.`;
 }
 function buildSimplifiedCodegenPrompt(twinName, setupDescription) {
-  return `Create seed data for the "${twinName}" twin.
+  return `Create seed data for the "${twinName}" clone.
 
 Use ONLY these core functions (they are already defined globally):
 createUser(login), createRepo/createProject/createChannel/createCustomer(name),
@@ -44428,7 +44473,7 @@ var init_seed_llm = __esm({
 
 // ../packages/seedgen/src/codegen/seed-plan.ts
 function buildPlanPrompt(twinName, setupDescription) {
-  return `Twin: ${twinName}
+  return `Clone: ${twinName}
 
 Setup:
 ${setupDescription}`;
@@ -50845,6 +50890,222 @@ var init_cache = __esm({
 });
 
 // ../packages/seedgen/src/runner/seed/supabase-sql-seed.ts
+function sqlLiteral2(value) {
+  if (value === null || value === void 0) return "NULL";
+  if (typeof value === "number") return Number.isFinite(value) ? String(value) : "NULL";
+  if (typeof value === "boolean") return value ? "TRUE" : "FALSE";
+  return `'${String(value).replace(/'/g, "''")}'`;
+}
+function sqlIdent2(value) {
+  if (!value) throw new Error("SQL identifier must not be empty");
+  if (value.includes("\0")) throw new Error("SQL identifier must not contain null bytes");
+  return `"${value.replace(/"/g, '""')}"`;
+}
+function sqlValueLiteral(value, columnType) {
+  const type = columnType?.toLowerCase() ?? "";
+  if (Array.isArray(value)) {
+    if (type.includes("[]")) {
+      const baseType = type.replace(/\[\].*$/, "") || "text";
+      if (value.length === 0) return `ARRAY[]::${baseType}[]`;
+      return `ARRAY[${value.map(sqlLiteral2).join(", ")}]`;
+    }
+    const json2 = sqlLiteral2(JSON.stringify(value));
+    if (type.includes("jsonb")) return `${json2}::jsonb`;
+    if (type.includes("json")) return `${json2}::json`;
+    return json2;
+  }
+  if (value && typeof value === "object") {
+    const json2 = sqlLiteral2(JSON.stringify(value));
+    if (type.includes("jsonb")) return `${json2}::jsonb`;
+    if (type.includes("json")) return `${json2}::json`;
+    return json2;
+  }
+  return sqlLiteral2(value);
+}
+function splitSqlTopLevel(input, separator) {
+  const parts = [];
+  let depth = 0;
+  let bracketDepth = 0;
+  let inQuote = false;
+  let start = 0;
+  for (let i = 0; i < input.length; i++) {
+    const ch = input[i];
+    if (ch === void 0) continue;
+    const next = i + 1 < input.length ? input[i + 1] : void 0;
+    if (ch === "'") {
+      if (inQuote && next === "'") {
+        i += 1;
+        continue;
+      }
+      inQuote = !inQuote;
+      continue;
+    }
+    if (inQuote) continue;
+    if (ch === "(") depth += 1;
+    else if (ch === ")") depth = Math.max(0, depth - 1);
+    else if (ch === "[") bracketDepth += 1;
+    else if (ch === "]") bracketDepth = Math.max(0, bracketDepth - 1);
+    if (depth === 0 && bracketDepth === 0 && ch === separator) {
+      parts.push(input.slice(start, i).trim());
+      start = i + 1;
+    }
+  }
+  const tail = input.slice(start).trim();
+  if (tail) parts.push(tail);
+  return parts;
+}
+function splitSqlStatements(sql) {
+  return splitSqlTopLevel(sql, ";").map((statement) => statement.trim()).filter(Boolean);
+}
+function normalizeSqlIdentifier(raw) {
+  const parts = raw.split(".").map((part) => part.trim().replace(/^"|"$/g, "").replace(/""/g, '"')).filter(Boolean);
+  return parts[parts.length - 1] ?? raw.trim();
+}
+function collectTableSchemas(sql) {
+  const tableSchemas = /* @__PURE__ */ new Map();
+  for (const statement of splitSqlStatements(sql)) {
+    const match = statement.match(
+      /^CREATE\s+TABLE(?:\s+IF\s+NOT\s+EXISTS)?\s+([^\s(]+)\s*\(([\s\S]*)\)$/i
+    );
+    if (!match?.[1] || !match[2]) continue;
+    const columnTypes = /* @__PURE__ */ new Map();
+    const columnOrder = [];
+    for (const columnDef of splitSqlTopLevel(match[2], ",")) {
+      const columnMatch = columnDef.trim().match(/^("(?:""|[^"])+"|[a-zA-Z_][a-zA-Z0-9_]*)\s+([a-zA-Z0-9_."[\]]+)/);
+      if (!columnMatch?.[1] || !columnMatch[2]) continue;
+      const columnName = normalizeSqlIdentifier(columnMatch[1]);
+      columnTypes.set(columnName, columnMatch[2].toLowerCase());
+      columnOrder.push(columnName);
+    }
+    tableSchemas.set(normalizeSqlIdentifier(match[1]), { columnTypes, columnOrder });
+  }
+  return tableSchemas;
+}
+function normalizeJsonArrayLiteral(value, columnType) {
+  const trimmed = value.trim();
+  if (!trimmed.startsWith("[") || !trimmed.endsWith("]")) return value;
+  let parsed;
+  try {
+    parsed = JSON.parse(trimmed);
+  } catch {
+    return value;
+  }
+  if (!Array.isArray(parsed)) return value;
+  const type = columnType?.toLowerCase() ?? "";
+  if (type.includes("[]")) {
+    const baseType = type.replace(/\[\].*$/, "") || "text";
+    if (parsed.length === 0) return `ARRAY[]::${baseType}[]`;
+    return `ARRAY[${parsed.map(sqlLiteral2).join(", ")}]`;
+  }
+  const json2 = sqlLiteral2(JSON.stringify(parsed));
+  if (type.includes("jsonb")) return `${json2}::jsonb`;
+  if (type.includes("json")) return `${json2}::json`;
+  return json2;
+}
+function renderStructuredTableSql(value) {
+  const tables = Array.isArray(value) ? value : value && typeof value === "object" && Array.isArray(value["tables"]) ? value["tables"] : null;
+  if (!Array.isArray(tables)) return null;
+  const statements = [];
+  for (const table2 of tables) {
+    if (!table2 || typeof table2 !== "object") return null;
+    const record2 = table2;
+    const tableName = typeof record2["name"] === "string" ? record2["name"] : void 0;
+    const columns = Array.isArray(record2["columns"]) ? record2["columns"] : void 0;
+    if (!tableName || !columns) return null;
+    const columnTypes = /* @__PURE__ */ new Map();
+    const columnDefinitions = columns.map((column) => {
+      if (!column || typeof column !== "object") throw new Error("invalid column");
+      const columnRecord = column;
+      const name = typeof columnRecord["name"] === "string" ? columnRecord["name"] : void 0;
+      const rawType = typeof columnRecord["type"] === "string" ? columnRecord["type"] : "text";
+      if (!name) throw new Error("invalid column name");
+      const isPrimary = columnRecord["is_primary"] === true || columnRecord["primary"] === true;
+      const type = isPrimary && /^(bigint|int|integer|serial|bigserial)$/i.test(rawType) ? "bigserial" : rawType;
+      columnTypes.set(name, type);
+      return `${sqlIdent2(name)} ${type}${isPrimary ? " PRIMARY KEY" : ""}`;
+    });
+    statements.push(`CREATE TABLE IF NOT EXISTS public.${sqlIdent2(tableName)} (${columnDefinitions.join(", ")});`);
+    const rows = Array.isArray(record2["rows"]) ? record2["rows"] : Array.isArray(record2["data"]) ? record2["data"] : [];
+    for (const row of rows) {
+      if (!row || typeof row !== "object") continue;
+      const entries = Object.entries(row).filter(([column]) => columnTypes.has(column));
+      if (entries.length === 0) continue;
+      statements.push(
+        `INSERT INTO public.${sqlIdent2(tableName)} (${entries.map(([column]) => sqlIdent2(column)).join(", ")}) VALUES (${entries.map(([column, rowValue]) => sqlValueLiteral(rowValue, columnTypes.get(column))).join(", ")});`
+      );
+    }
+  }
+  return statements.length > 0 ? statements.join("\n\n") : null;
+}
+function normalizeCreateTableStatement(statement) {
+  const match = statement.match(
+    /^(CREATE\s+TABLE(?:\s+IF\s+NOT\s+EXISTS)?\s+[^\s(]+\s*)\(([\s\S]*)\)$/i
+  );
+  if (!match?.[1] || !match[2]) return statement;
+  const columnDefs = splitSqlTopLevel(match[2], ",").map((columnDef) => {
+    const columnMatch = columnDef.trim().match(
+      /^("(?:""|[^"])+"|[a-zA-Z_][a-zA-Z0-9_]*)\s+([a-zA-Z0-9_."[\]]+)([\s\S]*)$/i
+    );
+    if (!columnMatch?.[2] || !columnMatch[3]) return columnDef;
+    const columnType = columnMatch[2].toLowerCase();
+    const rest = columnMatch[3].replace(
+      /\bDEFAULT\s+(\[[\s\S]*?\])(?=\s|,|$)/i,
+      (_full, value) => `DEFAULT ${normalizeJsonArrayLiteral(value, columnType)}`
+    );
+    return `${columnMatch[1]} ${columnMatch[2]}${rest}`;
+  });
+  return `${match[1]}(${columnDefs.join(", ")})`;
+}
+function normalizeSupabaseSql(sql) {
+  const tableSchemas = collectTableSchemas(sql);
+  return splitSqlStatements(sql).map((statement) => {
+    if (/^CREATE\s+TABLE/i.test(statement)) return normalizeCreateTableStatement(statement);
+    const match = statement.match(/^INSERT\s+INTO\s+([^\s(]+)\s*\(([^)]+)\)\s*VALUES\s*([\s\S]*)$/i) ?? statement.match(/^INSERT\s+INTO\s+([^\s(]+)\s+VALUES\s*([\s\S]*)$/i);
+    if (!match?.[1]) return statement;
+    const tableName = normalizeSqlIdentifier(match[1]);
+    const hasColumnList = match.length === 4;
+    const valuesSql = hasColumnList ? match[3] : match[2];
+    if (!valuesSql) return statement;
+    const schema = tableSchemas.get(tableName);
+    const columns = hasColumnList ? splitSqlTopLevel(match[2] ?? "", ",").map(normalizeSqlIdentifier) : schema?.columnOrder ?? [];
+    const tuples = [];
+    let depth = 0;
+    let bracketDepth = 0;
+    let inQuote = false;
+    let tupleStart = -1;
+    for (let i = 0; i < valuesSql.length; i++) {
+      const ch = valuesSql[i];
+      if (ch === void 0) continue;
+      const next = i + 1 < valuesSql.length ? valuesSql[i + 1] : void 0;
+      if (ch === "'") {
+        if (inQuote && next === "'") {
+          i += 1;
+          continue;
+        }
+        inQuote = !inQuote;
+      }
+      if (inQuote) continue;
+      if (ch === "[") bracketDepth += 1;
+      else if (ch === "]") bracketDepth = Math.max(0, bracketDepth - 1);
+      else if (ch === "(" && bracketDepth === 0) {
+        if (depth === 0) tupleStart = i + 1;
+        depth += 1;
+      } else if (ch === ")" && bracketDepth === 0) {
+        depth -= 1;
+        if (depth === 0 && tupleStart >= 0) {
+          tuples.push(valuesSql.slice(tupleStart, i));
+          tupleStart = -1;
+        }
+      }
+    }
+    if (tuples.length === 0) return statement;
+    const normalizedTuples = tuples.map((tuple2) => {
+      const values = splitSqlTopLevel(tuple2, ",").map((value, index) => normalizeJsonArrayLiteral(value, schema?.columnTypes.get(columns[index] ?? "")));
+      return `(${values.join(", ")})`;
+    });
+    return hasColumnList ? `INSERT INTO ${match[1]} (${match[2]}) VALUES ${normalizedTuples.join(", ")}` : `INSERT INTO ${match[1]} VALUES ${normalizedTuples.join(", ")}`;
+  }).join(";\n") + ";";
+}
 function extractSupabaseSql(response) {
   let sql = response.trim();
   if (sql.startsWith("```")) {
@@ -50853,24 +51114,35 @@ function extractSupabaseSql(response) {
   if (sql.startsWith("{")) {
     try {
       const parsed = JSON.parse(sql);
+      const structuredSql = renderStructuredTableSql(parsed);
+      if (structuredSql) return normalizeSupabaseSql(structuredSql);
       const extracted = parsed["sql"] ?? parsed["query"] ?? parsed["script"] ?? parsed["content"];
-      if (extracted && typeof extracted === "string") return extracted;
+      if (extracted && typeof extracted === "string") return normalizeSupabaseSql(extracted);
+    } catch {
+    }
+  }
+  if (sql.startsWith('"')) {
+    try {
+      const parsed = JSON.parse(sql);
+      if (typeof parsed === "string") return normalizeSupabaseSql(parsed);
     } catch {
     }
   }
   if (sql.startsWith("[")) {
     try {
       const parsed = JSON.parse(sql);
+      const structuredSql = renderStructuredTableSql(parsed);
+      if (structuredSql) return normalizeSupabaseSql(structuredSql);
       const parts = [];
       for (const item of parsed) {
         const s = item["sql"] ?? item["query"] ?? item["script"];
         if (s && typeof s === "string") parts.push(s);
       }
-      if (parts.length > 0) return parts.join("\n\n");
+      if (parts.length > 0) return normalizeSupabaseSql(parts.join("\n\n"));
     } catch {
     }
   }
-  return sql;
+  return normalizeSupabaseSql(sql);
 }
 var SUPABASE_SQL_SYSTEM_PROMPT;
 var init_supabase_sql_seed = __esm({
@@ -50891,6 +51163,8 @@ IMPORTANT CONSTRAINTS:
 - For RLS policies, use simple expressions like: USING (true) or USING (current_setting('app.user_id')::int = user_id)
 - Use serial or bigserial for primary keys, not uuid (unless explicitly asked)
 - Use simple types: text, int, boolean, timestamptz
+- Do NOT use JSON-style array literals like ["a", "b"] in INSERT values.
+  Use ARRAY['a', 'b'] for SQL array columns, or quoted JSON with ::jsonb for jsonb columns.
 - Always include INSERT statements with realistic test data
 
 
@@ -51263,7 +51537,7 @@ async function enrichSeedWithLlm(seed, twinName, setupDescription, deadline, coo
   try {
     const response = await callCodegenLlm({
       systemPrompt: ENRICH_SYSTEM_PROMPT,
-      userPrompt: `Twin: ${twinName}
+      userPrompt: `Clone: ${twinName}
 
 Setup description:
 ${setupDescription}
@@ -52473,6 +52747,9 @@ function ensureSlackScenarioChannelAccess(mergedSeed, intent) {
   }
   return mergedSeed;
 }
+function isSyntheticGoogleWorkspaceEmail(email3) {
+  return email3 === GOOGLE_WORKSPACE_SYNTHETIC_EMAIL;
+}
 function googleWorkspaceEmailEntities(intent) {
   if (!intent || intent.twinName !== "google-workspace") return [];
   return intent.entities.filter((entity) => entity.kind === "email" && entity.key === "address" && typeof entity.value === "string" || entity.kind === "account" && entity.key === "email" && typeof entity.value === "string").map((entity) => normalizedEmail(entity.value)).filter((value) => Boolean(value));
@@ -52500,6 +52777,32 @@ function googleWorkspaceReferencedEmails(seed) {
   }
   return emails;
 }
+function googleWorkspaceBootstrapEmail(intentEmails, referencedEmails) {
+  return intentEmails.find((email3) => !isSyntheticGoogleWorkspaceEmail(email3)) ?? referencedEmails.find((email3) => !isSyntheticGoogleWorkspaceEmail(email3)) ?? "user@example.com";
+}
+function rewriteSyntheticGoogleWorkspaceAccountRefs(seed, email3) {
+  const collections = [
+    "calendars",
+    "calendarEvents",
+    "gmailThreads",
+    "gmailMessages",
+    "gmailDrafts",
+    "gmailAttachments",
+    "gmailHistory",
+    "driveFiles",
+    "contacts",
+    "googleAuthTokens"
+  ];
+  for (const collection of collections) {
+    for (const item of seed[collection] ?? []) {
+      const record2 = asRecord(item);
+      if (!record2) continue;
+      if (isSyntheticGoogleWorkspaceEmail(normalizedEmail(record2["accountEmail"]))) {
+        record2["accountEmail"] = email3;
+      }
+    }
+  }
+}
 function googleWorkspaceHasCalendarSurface(intent) {
   return intent.extractedSlots["workspace.surface.calendar"] === true || /\b(calendar|event|events|meeting|meetings|invite|invites)\b/i.test(intent.setupSummary);
 }
@@ -52534,6 +52837,15 @@ function ensureGoogleWorkspaceAccount(accounts, email3, primary) {
     primary
   });
 }
+function replaceGoogleWorkspaceAccount(account, email3) {
+  account["accountId"] = "acct_primary";
+  account["email"] = email3;
+  account["displayName"] = "Primary Account";
+  account["givenName"] = "Primary";
+  account["familyName"] = "Account";
+  account["timezone"] = "America/Los_Angeles";
+  account["primary"] = true;
+}
 function ensureGoogleWorkspaceAuthToken(authTokens, email3) {
   if (authTokens.some((token) => normalizedEmail(token["accountEmail"]) === email3)) return;
   const localPart = email3.split("@")[0] ?? email3;
@@ -52553,7 +52865,8 @@ function ensureGoogleWorkspaceAuthToken(authTokens, email3) {
 function ensureGoogleWorkspacePrimaryCalendar(calendars, accountEmail) {
   const existingPrimary = calendars.find((calendar) => calendar["calendarId"] === "primary");
   if (existingPrimary) {
-    existingPrimary["accountEmail"] = normalizedEmail(existingPrimary["accountEmail"]) ?? accountEmail;
+    const existingEmail = normalizedEmail(existingPrimary["accountEmail"]);
+    existingPrimary["accountEmail"] = !existingEmail || isSyntheticGoogleWorkspaceEmail(existingEmail) ? accountEmail : existingEmail;
     existingPrimary["primary"] = true;
     return "primary";
   }
@@ -52578,6 +52891,15 @@ function ensureGoogleWorkspaceCalendarRows(mergedSeed) {
   for (const item of mergedSeed["calendarEvents"] ?? []) {
     const event = asRecord(item);
     if (!event) continue;
+    if (typeof event["summary"] !== "string") {
+      event["summary"] = "Calendar event";
+    }
+    if (typeof event["description"] !== "string") {
+      event["description"] = "";
+    }
+    if (typeof event["location"] !== "string") {
+      event["location"] = "";
+    }
     const calendarId = typeof event["calendarId"] === "string" && event["calendarId"].trim() ? event["calendarId"].trim() : "primary";
     const accountEmail = normalizedEmail(event["accountEmail"]) ?? "self@local.invalid";
     if (existingCalendarIds.has(calendarId)) continue;
@@ -52617,21 +52939,28 @@ function ensureGoogleWorkspaceCalendarEvidence(mergedSeed, intent, accountEmail)
     organizerEmail: accountEmail,
     attendeeEmails: [],
     conferenceUrl: null,
-    extendedPropertiesShared: null
+    extendedPropertiesShared: {}
   });
 }
 function ensureGoogleWorkspaceScenarioAccounts(mergedSeed, intent) {
   if (!intent || intent.twinName !== "google-workspace") return mergedSeed;
   const accounts = ensureArray(mergedSeed, "accounts");
   const authTokens = ensureArray(mergedSeed, "googleAuthTokens");
+  const intentEmails = googleWorkspaceEmailEntities(intent);
+  let referencedEmails = googleWorkspaceReferencedEmails(mergedSeed);
+  const bootstrapEmail = googleWorkspaceBootstrapEmail(intentEmails, referencedEmails);
   if (accounts.length === 0) {
-    ensureGoogleWorkspaceAccount(accounts, "self@local.invalid", true);
+    ensureGoogleWorkspaceAccount(accounts, bootstrapEmail, true);
+  } else if (accounts.length === 1 && isSyntheticGoogleWorkspaceEmail(normalizedEmail(accounts[0]?.["email"]))) {
+    replaceGoogleWorkspaceAccount(accounts[0], bootstrapEmail);
   }
-  const primaryEmail = normalizedEmail(accounts.find((account) => account["primary"] === true)?.["email"]) ?? normalizedEmail(accounts[0]?.["email"]) ?? "self@local.invalid";
+  rewriteSyntheticGoogleWorkspaceAccountRefs(mergedSeed, bootstrapEmail);
+  referencedEmails = googleWorkspaceReferencedEmails(mergedSeed);
+  const primaryEmail = normalizedEmail(accounts.find((account) => account["primary"] === true)?.["email"]) ?? normalizedEmail(accounts[0]?.["email"]) ?? GOOGLE_WORKSPACE_SYNTHETIC_EMAIL;
   ensureGoogleWorkspaceAuthToken(authTokens, primaryEmail);
   const requiredEmails = Array.from(/* @__PURE__ */ new Set([
-    ...googleWorkspaceEmailEntities(intent),
-    ...googleWorkspaceReferencedEmails(mergedSeed),
+    ...intentEmails,
+    ...referencedEmails,
     ...accounts.map((account) => normalizedEmail(account["email"])).filter((value) => Boolean(value))
   ]));
   for (const email3 of requiredEmails) {
@@ -52649,7 +52978,7 @@ function applyScenarioCoverageFixups(mergedSeed, intent) {
   nextSeed = ensureGoogleWorkspaceScenarioAccounts(nextSeed, intent);
   return nextSeed;
 }
-var GOOGLE_WORKSPACE_BOOTSTRAP_SCOPES;
+var GOOGLE_WORKSPACE_BOOTSTRAP_SCOPES, GOOGLE_WORKSPACE_SYNTHETIC_EMAIL;
 var init_scenario_coverage_fixups = __esm({
   "../packages/seedgen/src/runner/seed/scenario-coverage-fixups.ts"() {
     "use strict";
@@ -52662,6 +52991,7 @@ var init_scenario_coverage_fixups = __esm({
       "https://www.googleapis.com/auth/drive.readonly",
       "https://www.googleapis.com/auth/contacts.readonly"
     ];
+    GOOGLE_WORKSPACE_SYNTHETIC_EMAIL = "self@local.invalid";
   }
 });
 
@@ -52739,7 +53069,7 @@ var init_seed_postprocessing = __esm({
         const details = validationErrors.length > 0 ? `:
 ${validationErrors.map((e) => `  - ${e}`).join("\n")}` : ".";
         const suffix = hint ?? "\n\nHint: Run `archal login` and retry. For deterministic reruns, use `--replay-seed <path>` with a previously saved managed seed snapshot.";
-        super(`Dynamic seed generation failed for twin "${twinName}"${details}${suffix}`);
+        super(`Dynamic seed generation failed for clone "${twinName}"${details}${suffix}`);
         this.name = "DynamicSeedError";
         this.twinName = twinName;
         this.validationErrors = validationErrors;
@@ -53275,8 +53605,8 @@ async function generateDynamicSeed(twinName, baseSeedName, baseSeedData, setupDe
     ],
     `
 
-Hint: Dynamic seed generation failed for the "${twinName}" twin. Try adding a \`seed: <name>\` line to your scenario's Config section to use a pre-built seed instead.
-Use a documented seed name for ${twinName}, or inspect the twin package assets in this repo.`
+Hint: Dynamic seed generation failed for the "${twinName}" clone. Try adding a \`seed: <name>\` line to your scenario's Config section to use a pre-built seed instead.
+Use a documented seed name for ${twinName}, or inspect the bundled clone assets in this repo.`
   );
 }
 var import_node_crypto14, SEED_CODEGEN_MAX_TOKENS, MAX_CODEGEN_ATTEMPTS, SEED_CACHE_PROMPT_TEMPLATE_VERSION, CODEGEN_TOTAL_BUDGET_MS, SYSTEM_PROMPT_HASH;
@@ -53299,7 +53629,7 @@ var init_dynamic_generator = __esm({
     init_seed_postprocessing();
     SEED_CODEGEN_MAX_TOKENS = 4096;
     MAX_CODEGEN_ATTEMPTS = 3;
-    SEED_CACHE_PROMPT_TEMPLATE_VERSION = 4;
+    SEED_CACHE_PROMPT_TEMPLATE_VERSION = 5;
     CODEGEN_TOTAL_BUDGET_MS = 12e4;
     SYSTEM_PROMPT_HASH = (0, import_node_crypto14.createHash)("sha256").update(buildSeedPromptHashInput()).digest("hex").slice(0, 12);
   }
@@ -55121,7 +55451,7 @@ function computeStateDiff(before, after) {
   }
   return diff;
 }
-function splitSqlTopLevel(input, separator) {
+function splitSqlTopLevel2(input, separator) {
   const parts = [];
   let depth = 0;
   let inQuote = false;
@@ -55150,11 +55480,11 @@ function splitSqlTopLevel(input, separator) {
   if (tail) parts.push(tail);
   return parts;
 }
-function splitSqlStatements(sql) {
+function splitSqlStatements2(sql) {
   const stripped = sql.replace(/--.*$/gm, "");
-  return splitSqlTopLevel(stripped, ";").map((stmt) => stmt.trim()).filter((stmt) => stmt.length > 0);
+  return splitSqlTopLevel2(stripped, ";").map((stmt) => stmt.trim()).filter((stmt) => stmt.length > 0);
 }
-function normalizeSqlIdentifier(raw) {
+function normalizeSqlIdentifier2(raw) {
   const parts = raw.split(".").map((part) => part.trim().replace(/^"|"$/g, "").replace(/""/g, '"')).filter((part) => part.length > 0);
   return parts[parts.length - 1] ?? raw.trim();
 }
@@ -55173,7 +55503,7 @@ function parseSqlSeed(sql) {
   const seed = {};
   const tablesWithNumericId = /* @__PURE__ */ new Set();
   const nextIds = /* @__PURE__ */ new Map();
-  const statements = splitSqlStatements(sql);
+  const statements = splitSqlStatements2(sql);
   for (const statement of statements) {
     const createMatch = statement.match(
       /^CREATE\s+TABLE(?:\s+IF\s+NOT\s+EXISTS)?\s+([^\s(]+)\s*\(([\s\S]*)\)$/i
@@ -55182,7 +55512,7 @@ function parseSqlSeed(sql) {
       const tableNameCapture2 = createMatch[1];
       const schemaBodyCapture = createMatch[2];
       if (tableNameCapture2 === void 0 || schemaBodyCapture === void 0) continue;
-      const tableName2 = normalizeSqlIdentifier(tableNameCapture2);
+      const tableName2 = normalizeSqlIdentifier2(tableNameCapture2);
       const schemaBody = schemaBodyCapture;
       if (/\bid\s+(?:serial|bigserial|integer|int|bigint)\b/i.test(schemaBody)) {
         tablesWithNumericId.add(tableName2);
@@ -55198,8 +55528,8 @@ function parseSqlSeed(sql) {
     const columnsCapture = insertMatch[2];
     const tuplesCapture = insertMatch[3];
     if (tableNameCapture === void 0 || columnsCapture === void 0 || tuplesCapture === void 0) continue;
-    const tableName = normalizeSqlIdentifier(tableNameCapture);
-    const columns = splitSqlTopLevel(columnsCapture, ",").map((column) => normalizeSqlIdentifier(column));
+    const tableName = normalizeSqlIdentifier2(tableNameCapture);
+    const columns = splitSqlTopLevel2(columnsCapture, ",").map((column) => normalizeSqlIdentifier2(column));
     const tuplesText = tuplesCapture;
     const tuples = [];
     let depth = 0;
@@ -55231,7 +55561,7 @@ function parseSqlSeed(sql) {
     const rows = seed[tableName] ?? [];
     let nextId = nextIds.get(tableName) ?? 1;
     for (const tuple2 of tuples) {
-      const rawValues = splitSqlTopLevel(tuple2, ",");
+      const rawValues = splitSqlTopLevel2(tuple2, ",");
       const row = {};
       for (let i = 0; i < columns.length; i++) {
         const column = columns[i];
@@ -56141,7 +56471,6 @@ function writeLocalTwinCatalogJson() {
   process.stdout.write(JSON.stringify(
     KNOWN_CLONES.map((twin) => ({
       name: twin.name,
-      package: `@archal/twin-${twin.name}`,
       description: twin.description,
       toolCount: twin.toolCount
     })),
@@ -56179,14 +56508,12 @@ async function listCloneCatalog(json2) {
     }
     const rows2 = KNOWN_CLONES.map((twin) => [
       twin.displayName,
-      String(twin.toolCount),
       twin.description,
       availableTwinStatus()
     ]);
-    table(["Name", "Tools", "Description", "Status"], rows2);
+    table(["Name", "Description", "Status"], rows2);
     warn("Could not reach server. Showing local clone list.");
     info(twinCatalogSummary(creds));
-    info(TOOL_COUNT_FOOTNOTE);
     return;
   }
   if (json2) {
@@ -56195,15 +56522,12 @@ async function listCloneCatalog(json2) {
   }
   const rows = result.data.map((twin) => [
     twin.name,
-    twin.toolCount != null ? String(twin.toolCount) : "-",
     twin.description,
     availableTwinStatus()
   ]);
-  table(["Name", "Tools", "Description", "Status"], rows);
+  table(["Name", "Description", "Status"], rows);
   success2(twinCatalogSummary(creds));
-  info(TOOL_COUNT_FOOTNOTE);
 }
-var TOOL_COUNT_FOOTNOTE;
 var init_clones = __esm({
   "src/commands/clones.ts"() {
     "use strict";
@@ -56213,7 +56537,6 @@ var init_clones = __esm({
     init_api_client();
     init_clone_catalog();
     init_ansi();
-    TOOL_COUNT_FOOTNOTE = "Tool counts shown are static SDK tools. Run 'archal clone tools <clone>' for the full live tool list.";
   }
 });
 
@@ -61445,7 +61768,7 @@ var parseExistenceAssertion = (ctx) => {
   const noneMatch = lower.match(/^(?:no|zero|none)\s+(.+?)(?:\s+(?:remain|exist|left|present|found))?\s*$/);
   if (noneMatch) {
     const noneSubject = noneMatch[1]?.trim() ?? "";
-    if (/\b(?:were|was|have|had|are|is|been|being|contains?|includes?|should|would|could)\b/.test(noneSubject)) {
+    if (/\b(?:were|was|have|had|are|is|been|being|contains?|includes?|exceeds?|exceeded|should|would|could)\b/.test(noneSubject)) {
       return null;
     }
     return {
@@ -61841,11 +62164,16 @@ var parseNegatedCreationAssertion = (ctx) => {
   const { lower } = ctx;
   const noCreatedInMatch = lower.match(/^no\s+(.+?)\s+(?:were|was|have been|had been)\s+(?:created|processed|charged|posted|sent|made|transferred|issued)\s+(?:in|on|to|from|with|for|via)\s+(.+)$/);
   if (noCreatedInMatch) {
+    const subject = noCreatedInMatch[1]?.trim() ?? "";
+    const targetService = noCreatedInMatch[2]?.trim();
+    if (/\brefunds?\b/.test(subject) && /^charge\b/.test(targetService ?? "")) {
+      return null;
+    }
     return {
       type: "exact_count",
-      subject: noCreatedInMatch[1]?.trim() ?? "",
+      subject,
       value: 0,
-      targetService: noCreatedInMatch[2]?.trim()
+      targetService
     };
   }
   return null;
@@ -62024,6 +62352,23 @@ function parseAssertion(description) {
 }
 
 // src/runner/scenario-parser.ts
+var explicitCriterionTag = /* @__PURE__ */ Symbol("explicitCriterionTag");
+function getExplicitCriterionTag(criterion) {
+  return criterion[explicitCriterionTag];
+}
+function isUnsupportedDeterministicRefundAssertion(description) {
+  const normalized = description.replace(/^\s*\[(?:critical|high|medium|low)\]\s*/i, "").replace(/`/g, "").toLowerCase().trim();
+  if (!/\brefund(?:ed|s|ing)?\b/.test(normalized)) {
+    return false;
+  }
+  if (/\brefunds?\b.*\bexceeds?\b.*\boriginal charge amount\b/.test(normalized)) {
+    return true;
+  }
+  if (/\btotal refunded amount\b.*\b(?:on|for)\s+ch_[a-z0-9_]+\b.*\b(?:exactly|equals?|becomes)\b/.test(normalized)) {
+    return true;
+  }
+  return /^no\s+stripe\s+refunds?\s+(?:are|were|was|have been|had been)\s+created\s+for\s+charge\s+ch_[a-z0-9_]+\b/.test(normalized);
+}
 var SECTION_ALIASES = {
   setup: "setup",
   context: "setup",
@@ -62099,20 +62444,28 @@ function parseCriterionLine(line, index) {
   if (!bulletStripped) return null;
   let type = "probabilistic";
   let description = bulletStripped;
+  let explicitTag;
   const tagMatch = description.match(/^\[([DP])]\s*(.*)/i);
   if (tagMatch) {
     const tag = (tagMatch[1] ?? "").toUpperCase();
+    explicitTag = tag === "D" ? "D" : "P";
     type = tag === "D" ? "deterministic" : "probabilistic";
     description = tagMatch[2]?.trim() ?? "";
   } else {
     type = inferCriterionType(description);
   }
   if (!description) return null;
-  return {
+  const criterion = {
     id: `criterion-${index + 1}`,
     description,
     type
   };
+  if (explicitTag) {
+    Object.defineProperty(criterion, explicitCriterionTag, {
+      value: explicitTag
+    });
+  }
+  return criterion;
 }
 function inferCriterionType(description) {
   const deterministicPatterns = [
@@ -62371,6 +62724,11 @@ function validateScenario(scenario) {
     if (!criterion.description) {
       errors.push(`Criterion ${criterion.id} has an empty description`);
     }
+    if (criterion.type === "deterministic" && getExplicitCriterionTag(criterion) === "D" && isUnsupportedDeterministicRefundAssertion(criterion.description) && parseAssertion(criterion.description) === null) {
+      errors.push(
+        `Criterion ${criterion.id} is tagged [D] but is not supported by the deterministic parser: "${criterion.description}"`
+      );
+    }
   }
   if (scenario.config.twins.length === 0) {
     errors.push("Scenario does not reference any known clones. Add `clones:` under ## Config or describe the service in ## Expected Behavior.");
@@ -63148,6 +63506,34 @@ var EVIDENCE_SENSITIVE_KEY_PARTS = /* @__PURE__ */ new Set([
   "accesskey"
 ]);
 var EVIDENCE_STRING_PATTERNS = [
+  {
+    pattern: /https?:\/\/[^\s"'<>]+\/runtime\/session\/[^\s"'<>]*/gi,
+    replacement: "[SERVICE_ENDPOINT_REDACTED]"
+  },
+  {
+    pattern: /\/runtime\/session\/[^\s"'<>]*/gi,
+    replacement: "[SERVICE_ENDPOINT_REDACTED]"
+  },
+  {
+    pattern: /\bx-archal-[\w-]+(?::|=)\s*["']?[^"',\s}]+/gi,
+    replacement: "[SERVICE_HEADER_REDACTED]"
+  },
+  {
+    pattern: /\barchal_mcp_servers\b/gi,
+    replacement: "service_tool_servers"
+  },
+  {
+    pattern: /\bARCHAL_(?:CLONE_URLS_PATH|TWIN_URLS_PATH|PROXY_EVENTS_PATH|METRICS_FILE|AGENT_TRACE_FILE|ENABLE_PROVIDER_EGRESS_PROXY)\b/g,
+    replacement: "[SERVICE_RUNTIME_CONFIG_REDACTED]"
+  },
+  {
+    pattern: /\/archal-artifacts\/[^\s"'<>]*/gi,
+    replacement: "[SERVICE_ARTIFACT_PATH_REDACTED]"
+  },
+  {
+    pattern: /\b(?:host\.docker\.internal|localhost|127\.0\.0\.1):9100\b/gi,
+    replacement: "[SERVICE_PROXY_ENDPOINT_REDACTED]"
+  },
   {
     pattern: /\b(Bearer\s+)[A-Za-z0-9._~+/=-]+\b/gi,
     replacement: `$1${EVIDENCE_REDACTED}`
@@ -63213,7 +63599,7 @@ var EVIDENCE_STRING_PATTERNS = [
     replacement: `$1${EVIDENCE_REDACTED}`
   }
 ];
-var EVIDENCE_STRING_REDACTION_HINT = /(bearer\s+|gh[pousr]_|github_pat_|sk_(?:live|test)_|sk-proj-|sk-ant-|sk-|AIza|xox[baprs]-|x(?:app|oxa|oxc|oxp|oxs)-|(?:AKIA|ASIA)|eyJ|private key|(?:^|[?&])(?:token|access_token|refresh_token|client_secret|secret|api_key|apikey|password)=|\b"?(?:authorization|token|access_token|refresh_token|client_secret|secret|api_key|apikey|password|private_key|privatekey)"?\s*[:=]|\b[A-Z0-9_]*(?:API_KEY|SECRET_KEY|ACCESS_KEY|ACCESS_TOKEN|REFRESH_TOKEN|AUTH_TOKEN|BEARER_TOKEN|TOKEN|PASSWORD|SECRET|PRIVATE_KEY)[A-Z0-9_]*\s*[:=])/i;
+var EVIDENCE_STRING_REDACTION_HINT = /(\/runtime\/session\/|x-archal-|archal_mcp_servers|\bARCHAL_(?:CLONE_URLS_PATH|TWIN_URLS_PATH|PROXY_EVENTS_PATH|METRICS_FILE|AGENT_TRACE_FILE|ENABLE_PROVIDER_EGRESS_PROXY)\b|\/archal-artifacts\/|\b(?:host\.docker\.internal|localhost|127\.0\.0\.1):9100\b|bearer\s+|gh[pousr]_|github_pat_|sk_(?:live|test)_|sk-proj-|sk-ant-|sk-|AIza|xox[baprs]-|x(?:app|oxa|oxc|oxp|oxs)-|(?:AKIA|ASIA)|eyJ|private key|(?:^|[?&])(?:token|access_token|refresh_token|client_secret|secret|api_key|apikey|password)=|\b"?(?:authorization|token|access_token|refresh_token|client_secret|secret|api_key|apikey|password|private_key|privatekey)"?\s*[:=]|\b[A-Z0-9_]*(?:API_KEY|SECRET_KEY|ACCESS_KEY|ACCESS_TOKEN|REFRESH_TOKEN|AUTH_TOKEN|BEARER_TOKEN|TOKEN|PASSWORD|SECRET|PRIVATE_KEY)[A-Z0-9_]*\s*[:=])/i;
 function redactEvidenceString(value) {
   if (!EVIDENCE_STRING_REDACTION_HINT.test(value)) {
     return value;
@@ -67296,18 +67682,12 @@ var LEGACY_AGENT_CONTRACT_ENV = /* @__PURE__ */ new Set([
   "ARCHAL_METRICS_FILE",
   "ARCHAL_AGENT_TRACE_FILE"
 ]);
-var ROUTED_CLONE_ENV_NAMES2 = /* @__PURE__ */ new Set([
-  "DISCORD",
-  "GITHUB",
-  "GOOGLE_WORKSPACE",
-  "JIRA",
-  "LINEAR",
-  "RAMP",
-  "SLACK",
-  "STRIPE",
-  "SUPABASE",
-  "TELEGRAM"
-]);
+var ROUTED_CLONE_ENV_NAMES2 = new Set(
+  CLONE_NAMES.flatMap((cloneName) => {
+    const segment = toServiceEnvSegment(cloneName);
+    return segment ? [segment] : [];
+  })
+);
 var ROUTED_CLONE_ENV_SUFFIXES2 = ["_BASE_URL", "_REST_URL", "_MCP_URL", "_URL"];
 function routedCloneEnvName2(key) {
   if (!key.startsWith("ARCHAL_")) {
@@ -67368,7 +67748,7 @@ function buildTrustedCloneRoutingEnv(input) {
       continue;
     }
     const restUrl = toTwinRestUrl(rawUrl);
-    const mcpUrl = toTwinMcpUrl(rawUrl);
+    const mcpUrl = supportsHostedCloneMcp(cloneName) ? toTwinMcpUrl(rawUrl) : void 0;
     restUrls[cloneName] = restUrl;
     maybeSetEnv(env, toAgentServiceEnvVarName(cloneName, "BASE_URL"), restUrl);
     maybeSetEnv(env, toAgentServiceEnvVarName(cloneName, "URL"), restUrl);
@@ -71810,7 +72190,8 @@ function resolveLlmProviderKeys(env) {
 }
 
 // ../packages/sandbox-runtime/src/docker-harness/runner.ts
-var OUTPUT_DIR_IN_CONTAINER = "/archal-out";
+var AGENT_OUTPUT_DIR_IN_CONTAINER = "/agent-output";
+var PROXY_CONFIG_DIR_IN_CONTAINER = "/service-runtime";
 var PROXY_IMAGE_NAME = "archal/sandbox";
 var BUILD_TIMEOUT_CAP_MS = 12e4;
 var PROXY_READY_TIMEOUT_MS = 1e4;
@@ -71842,21 +72223,21 @@ function fail(error49) {
   return { ok: false, exitCode: 1, stdout: "", stderr: "", timedOut: false, error: error49 };
 }
 function buildContainerEnv(config2) {
-  const caPath = `${OUTPUT_DIR_IN_CONTAINER}/ca.crt`;
+  const caPath = `${AGENT_OUTPUT_DIR_IN_CONTAINER}/ca.crt`;
   const includeLegacyArchalEnv = shouldExposeLegacyAgentEnv2();
   const env = {
     [AGENT_RUN_MODE_ENV2]: "local",
     [AGENT_TASK_ENV2]: config2.task,
-    [AGENT_METRICS_FILE_ENV2]: `${OUTPUT_DIR_IN_CONTAINER}/metrics.json`,
-    [AGENT_TRACE_FILE_ENV2]: `${OUTPUT_DIR_IN_CONTAINER}/agent-trace.json`,
+    [AGENT_METRICS_FILE_ENV2]: `${AGENT_OUTPUT_DIR_IN_CONTAINER}/metrics.json`,
+    [AGENT_TRACE_FILE_ENV2]: `${AGENT_OUTPUT_DIR_IN_CONTAINER}/agent-trace.json`,
     ...BOOTSTRAP_SERVICE_CREDENTIALS2,
     ...buildTlsTrustEnvVars(caPath)
   };
   if (includeLegacyArchalEnv) {
     env["ARCHAL_ENGINE_MODE"] = "local";
     env["ARCHAL_ENGINE_TASK"] = config2.task;
-    env["ARCHAL_METRICS_FILE"] = `${OUTPUT_DIR_IN_CONTAINER}/metrics.json`;
-    env["ARCHAL_AGENT_TRACE_FILE"] = `${OUTPUT_DIR_IN_CONTAINER}/agent-trace.json`;
+    env["ARCHAL_METRICS_FILE"] = `${AGENT_OUTPUT_DIR_IN_CONTAINER}/metrics.json`;
+    env["ARCHAL_AGENT_TRACE_FILE"] = `${AGENT_OUTPUT_DIR_IN_CONTAINER}/agent-trace.json`;
   }
   if (config2.sessionId) {
     env[AGENT_SESSION_ID_ENV] = config2.sessionId;
@@ -71870,11 +72251,24 @@ function buildContainerEnv(config2) {
       env["ARCHAL_ENGINE_MODEL"] = config2.model.trim();
     }
   }
+  const providerKeys = resolveLlmProviderKeys(process.env);
+  if (providerKeys.openai) {
+    env["OPENAI_API_KEY"] = SANDBOX_OPENAI_PLACEHOLDER_API_KEY;
+  }
+  if (providerKeys.anthropic) {
+    env["ANTHROPIC_API_KEY"] = SANDBOX_ANTHROPIC_PLACEHOLDER_API_KEY;
+  }
+  if (process.env["GOOGLE_API_KEY"]?.trim()) {
+    env["GOOGLE_API_KEY"] = SANDBOX_GOOGLE_PLACEHOLDER_API_KEY;
+  }
+  if (process.env["GEMINI_API_KEY"]?.trim()) {
+    env["GEMINI_API_KEY"] = SANDBOX_GOOGLE_PLACEHOLDER_API_KEY;
+  }
+  if (providerKeys.openrouter) {
+    env["OPENROUTER_API_KEY"] = SANDBOX_OPENROUTER_PLACEHOLDER_API_KEY;
+  }
   const passthroughKeys = [
     ...includeLegacyArchalEnv ? ["ARCHAL_ENGINE_API_KEY"] : [],
-    "ANTHROPIC_API_KEY",
-    "OPENAI_API_KEY",
-    "GEMINI_API_KEY",
     "NODE_ENV"
   ];
   for (const key of passthroughKeys) {
@@ -72084,15 +72478,16 @@ async function runDockerHarness(config2) {
   const proxyContainerName = `archal-harness-proxy-${dockerIdSuffix}`;
   const networkName = `archal-harness-net-${dockerIdSuffix}`;
   const proxyEgressNetworkName = `archal-harness-egress-${dockerIdSuffix}`;
-  const mountedConfigDir = (0, import_node_path27.join)(runDir, "out");
+  const agentOutputDir = (0, import_node_path27.join)(runDir, "agent-output");
+  const proxyConfigDir = (0, import_node_path27.join)(runDir, "proxy");
   const envFilePath = (0, import_node_path27.join)(runDir, ".env");
   const proxyEnvFilePath = (0, import_node_path27.join)(runDir, ".proxy.env");
-  const cloneUrlsHostPath = (0, import_node_path27.join)(mountedConfigDir, "clone-urls.json");
-  const cloneUrlsContainerPath = `${OUTPUT_DIR_IN_CONTAINER}/clone-urls.json`;
-  const proxyCaPath = (0, import_node_path27.join)(mountedConfigDir, "ca.crt");
-  const proxyEventsPath = (0, import_node_path27.join)(mountedConfigDir, "proxy-events.ndjson");
-  const metricsPath = (0, import_node_path27.join)(mountedConfigDir, "metrics.json");
-  const agentTracePath = (0, import_node_path27.join)(mountedConfigDir, "agent-trace.json");
+  const cloneUrlsHostPath = (0, import_node_path27.join)(proxyConfigDir, "service-map.json");
+  const cloneUrlsContainerPath = `${PROXY_CONFIG_DIR_IN_CONTAINER}/service-map.json`;
+  const proxyCaPath = (0, import_node_path27.join)(agentOutputDir, "ca.crt");
+  const proxyEventsPath = (0, import_node_path27.join)(proxyConfigDir, "proxy-events.ndjson");
+  const metricsPath = (0, import_node_path27.join)(agentOutputDir, "metrics.json");
+  const agentTracePath = (0, import_node_path27.join)(agentOutputDir, "agent-trace.json");
   const ownImage = !config2.prebuiltImage;
   let cleanupDocker = false;
   const cleanupHandlers = registerDockerCleanupHandlers(containerName, imageName, ownImage, {
@@ -72128,7 +72523,8 @@ async function runDockerHarness(config2) {
     if (!proxyImage.ok) {
       return fail(stageError("TLS intercept sidecar unavailable", proxyImage.error));
     }
-    (0, import_node_fs30.mkdirSync)(mountedConfigDir, { recursive: true });
+    (0, import_node_fs30.mkdirSync)(agentOutputDir, { recursive: true });
+    (0, import_node_fs30.mkdirSync)(proxyConfigDir, { recursive: true });
     (0, import_node_fs30.writeFileSync)(cloneUrlsHostPath, JSON.stringify(config2.cloudTwinUrls), { encoding: "utf-8", mode: 384 });
     const networkResult = await runDockerCommand(["network", "create", "--internal", networkName], 1e4);
     if (networkResult.exitCode !== 0) {
@@ -72143,11 +72539,11 @@ async function runDockerHarness(config2) {
       ARCHAL_CLONE_URLS_PATH: cloneUrlsContainerPath,
       ARCHAL_TWIN_URLS_PATH: cloneUrlsContainerPath,
       ARCHAL_TOKEN: config2.authToken,
-      CA_CERT_PATH: `${OUTPUT_DIR_IN_CONTAINER}/ca.crt`,
-      CA_KEY_PATH: `${OUTPUT_DIR_IN_CONTAINER}/ca.key`,
+      CA_CERT_PATH: `${AGENT_OUTPUT_DIR_IN_CONTAINER}/ca.crt`,
+      CA_KEY_PATH: `${PROXY_CONFIG_DIR_IN_CONTAINER}/ca.key`,
       PROXY_PORT: "443",
       PROXY_HOST: "0.0.0.0",
-      ARCHAL_PROXY_EVENTS_PATH: `${OUTPUT_DIR_IN_CONTAINER}/proxy-events.ndjson`,
+      ARCHAL_PROXY_EVENTS_PATH: `${PROXY_CONFIG_DIR_IN_CONTAINER}/proxy-events.ndjson`,
       ARCHAL_ENABLE_PROVIDER_EGRESS_PROXY: "1",
       ARCHAL_BLOCK_EGRESS: "1",
       ...proxyLlmEnv
@@ -72160,7 +72556,9 @@ async function runDockerHarness(config2) {
       "--network",
       networkName,
       "-v",
-      `${mountedConfigDir}:${OUTPUT_DIR_IN_CONTAINER}`,
+      `${proxyConfigDir}:${PROXY_CONFIG_DIR_IN_CONTAINER}`,
+      "-v",
+      `${agentOutputDir}:${AGENT_OUTPUT_DIR_IN_CONTAINER}`,
       "--env-file",
       proxyEnvFilePath,
       "--entrypoint",
@@ -72194,7 +72592,7 @@ async function runDockerHarness(config2) {
         "--network",
         networkName,
         "-v",
-        `${mountedConfigDir}:${OUTPUT_DIR_IN_CONTAINER}`,
+        `${agentOutputDir}:${AGENT_OUTPUT_DIR_IN_CONTAINER}`,
         ...buildAddHostArgs(config2.cloudTwinUrls, proxyIp, buildProviderDomainsForProxy(proxyLlmEnv)),
         ...envArgs,
         imageName
@@ -72361,6 +72759,9 @@ function isLikelyModelBackendFailure(text) {
   if (!text) return false;
   return OPENCLAW_BACKEND_FAILURE_PATTERNS.some((pattern) => pattern.test(text));
 }
+function sanitizeOpenClawGatewayDiagnostic(text) {
+  return text.replace(/Authorization:\s*Bearer\s+\S+/gi, "Authorization: Bearer [REDACTED]").replace(/\bBearer\s+[A-Za-z0-9._~+/\-=]+/gi, "Bearer [REDACTED]").replace(/x-archal-[\w-]+(?::|=)\s*["']?[^"',\s}]+/gi, "[service header redacted]").replace(/https?:\/\/[^\s"'<>]+\/runtime\/session\/[^\s"'<>]*/gi, "[service endpoint redacted]").replace(/\/runtime\/session\/[^\s"'<>]*/gi, "[service endpoint redacted]").replace(/\barchal_mcp_servers\b/gi, "service_tool_servers").replace(/\barchal_(?:transport|eval_mode)\b/gi, "service_metadata").replace(/\bArchal\b/gi, "service runtime");
+}
 function buildModelBackendHint() {
   return "Hint: OpenClaw gateway could not get a model response. Verify model/provider credentials on the gateway host (e.g. ANTHROPIC_API_KEY / OPENAI_API_KEY / GEMINI_API_KEY), then restart the gateway.";
 }
@@ -72372,7 +72773,7 @@ function buildOpenClawFailureMessage(parsed) {
   const details = [errorMessage4, outputText].filter((value) => Boolean(value && value.trim())).join(" | ");
   if (details) {
     message += `
-Gateway output: ${details.slice(0, 500)}`;
+Gateway output: ${sanitizeOpenClawGatewayDiagnostic(details).slice(0, 500)}`;
   }
   if (isLikelyModelBackendFailure(details)) {
     message += `
@@ -72538,12 +72939,13 @@ async function executeOpenClawRemote(remoteConfig, scenario, runId, taskMessage,
     if (!response.ok) {
       const rawBody = await response.text();
       const statusLine = `${response.status} ${response.statusText}`.trim();
+      const sanitizedBody = sanitizeOpenClawGatewayDiagnostic(rawBody).slice(0, 500);
       const hint = response.status === 401 || response.status === 403 ? "\nHint: If using a raw LLM API (Anthropic, OpenAI), note that --engine-endpoint requires an OpenClaw-compatible gateway, not a direct model API." : "";
       return {
         exitCode: response.status,
         stdout: "",
-        stderr: `OpenClaw request failed: ${statusLine}
-${rawBody}${hint}`.trim(),
+        stderr: `OpenClaw request failed: ${statusLine}${sanitizedBody ? `
+${sanitizedBody}` : ""}${hint}`.trim(),
         timedOut: false,
         durationMs: Date.now() - startedAt
       };
@@ -72559,9 +72961,10 @@ ${rawBody}${hint}`.trim(),
       try {
         parsed = JSON.parse(rawBody);
       } catch {
+        const sanitizedBody = sanitizeOpenClawGatewayDiagnostic(rawBody).slice(0, 500);
         return {
           exitCode: 1,
-          stdout: rawBody,
+          stdout: sanitizedBody,
           stderr: "OpenClaw response was not valid JSON",
           timedOut: false,
           durationMs: Date.now() - startedAt
@@ -74112,65 +74515,10 @@ async function runLocalProxy(config2, task, canaryFiles) {
       "NODE_PATH",
       "NODE_OPTIONS"
     ]);
-    const DENYLIST = /* @__PURE__ */ new Set([
-      "AWS_ACCESS_KEY_ID",
-      "AWS_SECRET_ACCESS_KEY",
-      "AWS_SESSION_TOKEN",
-      "DATABASE_URL",
-      "DATABASE_PASSWORD",
-      "ARCHAL_TOKEN",
-      "ARCHAL_REST_CONFIG",
-      "ARCHAL_TWIN_URLS",
-      "ARCHAL_TWIN_URLS_PATH",
-      "ARCHAL_TWIN_NAMES",
-      "ARCHAL_CLONE_URLS",
-      "ARCHAL_CLONE_URLS_PATH",
-      "ARCHAL_CLONE_NAMES",
-      "ARCHAL_API_BASE_URLS",
-      "ARCHAL_API_PROXY_URL",
-      "ARCHAL_MCP_CONFIG",
-      "ARCHAL_MCP_SERVERS",
-      "MCP_CONFIG_PATH",
-      "HTTP_PROXY",
-      "HTTPS_PROXY",
-      "http_proxy",
-      "https_proxy",
-      "GITHUB_TOKEN",
-      // CI-injected, not for agents
-      "NPM_TOKEN",
-      // Real LLM keys are stripped — the proxy injects them.
-      "OPENAI_API_KEY",
-      "ANTHROPIC_API_KEY",
-      "GOOGLE_API_KEY",
-      "GEMINI_API_KEY",
-      "OPENROUTER_API_KEY"
-    ]);
-    const DENYLIST_PREFIXES = ["AWS_"];
-    const ROUTED_TWIN_ENV_NAMES = /* @__PURE__ */ new Set([
-      "DISCORD",
-      "GITHUB",
-      "GOOGLE_WORKSPACE",
-      "JIRA",
-      "LINEAR",
-      "RAMP",
-      "SLACK",
-      "STRIPE",
-      "SUPABASE",
-      "TELEGRAM"
-    ]);
-    const ROUTED_TWIN_ENV_SUFFIXES = ["_BASE_URL", "_REST_URL", "_MCP_URL", "_URL"];
     const filteredHostEnv = {};
     for (const [key, value] of Object.entries(process.env)) {
       if (value === void 0) continue;
-      if (key.startsWith("ARCHAL_")) continue;
-      if (DENYLIST.has(key)) continue;
-      if (DENYLIST_PREFIXES.some((prefix) => key.startsWith(prefix))) continue;
-      const routedTwinSuffix = key.startsWith("ARCHAL_") ? ROUTED_TWIN_ENV_SUFFIXES.find((suffix) => key.endsWith(suffix)) : void 0;
-      const routedTwinName = routedTwinSuffix ? key.slice("ARCHAL_".length, -routedTwinSuffix.length).replace(/_(API|TWIN|CLONE)$/, "") : void 0;
-      if (routedTwinName && ROUTED_TWIN_ENV_NAMES.has(routedTwinName)) continue;
-      const isInfra = INFRA_ALLOWLIST.has(key);
-      const isApiKey = key.endsWith("_API_KEY") || key.endsWith("_TOKEN");
-      if (isInfra || isApiKey) {
+      if (INFRA_ALLOWLIST.has(key)) {
         filteredHostEnv[key] = value;
       }
     }
@@ -78775,6 +79123,47 @@ function formatEvaluationErrorSummary(reasons) {
   }
   return "LLM evaluation errors";
 }
+function toLlmEvalErrorReason(reason) {
+  switch (reason) {
+    case "rate_limited":
+      return "rate_limited";
+    case "missing_credentials":
+      return "auth_error";
+    case "provider_error":
+      return "provider_error";
+    case "context_too_large":
+    case void 0:
+      return void 0;
+    default: {
+      const _exhaustive = reason;
+      return _exhaustive;
+    }
+  }
+}
+function normalizeFatalLlmFailureResult(result) {
+  if (!result.fallbackFailureReason || !FATAL_LLM_FAILURE_REASONS.has(result.fallbackFailureReason)) {
+    return result;
+  }
+  const errorReason = toLlmEvalErrorReason(result.fallbackFailureReason);
+  return {
+    ...result,
+    status: "error",
+    confidence: 0,
+    ...errorReason ? { errorReason } : {}
+  };
+}
+function buildUnevaluatedDeterministicFallback(criterion, deterministicResult, reason) {
+  const errorReason = toLlmEvalErrorReason(reason);
+  return {
+    criterionId: criterion.id,
+    status: "error",
+    confidence: 0,
+    explanation: `Could not evaluate deterministic criterion because parser fallback was unavailable (${formatFallbackFailureReason(reason)}). Satisfaction is incomplete for this criterion. Original parser result: ${deterministicResult.explanation}`,
+    fallbackRecommended: true,
+    fallbackFailureReason: reason,
+    ...errorReason ? { errorReason } : {}
+  };
+}
 function accumulateTokenUsage(total, next) {
   if (!next) return total;
   if (!total) return next;
@@ -78821,9 +79210,15 @@ async function evaluateRun(criteria, context, config2) {
     if (needsFallback) {
       if (deterministicFallbackFailureReason) {
         warn(
-          `LLM fallback skipped due to cached ${formatFallbackFailureReason(deterministicFallbackFailureReason)} - keeping deterministic result for "${criterion.id}"`
+          `LLM fallback skipped due to cached ${formatFallbackFailureReason(deterministicFallbackFailureReason)} - marking deterministic criterion unevaluated for "${criterion.id}"`
+        );
+        evaluations.push(
+          buildUnevaluatedDeterministicFallback(
+            criterion,
+            result,
+            deterministicFallbackFailureReason
+          )
         );
-        evaluations.push(result);
         continue;
       }
       warn(
@@ -78839,9 +79234,11 @@ async function evaluateRun(criteria, context, config2) {
       if (llmResult.fallbackFailureReason && FATAL_LLM_FAILURE_REASONS.has(llmResult.fallbackFailureReason)) {
         deterministicFallbackFailureReason = llmResult.fallbackFailureReason;
         warn(
-          `LLM fallback skipped due to ${formatFallbackFailureReason(llmResult.fallbackFailureReason)} - keeping deterministic result for "${criterion.id}"`
+          `LLM fallback skipped due to ${formatFallbackFailureReason(llmResult.fallbackFailureReason)} - marking deterministic criterion unevaluated for "${criterion.id}"`
+        );
+        evaluations.push(
+          buildUnevaluatedDeterministicFallback(criterion, result, llmResult.fallbackFailureReason)
         );
-        evaluations.push(result);
       } else {
         evaluations.push(llmResult);
       }
@@ -78855,9 +79252,12 @@ async function evaluateRun(criteria, context, config2) {
   }
   const allDeterministicFailed = deterministicCriteria.length > 0 && !deterministicFallbackFailureReason && evaluations.length > 0 && evaluations.every((e) => e.status === "fail");
   if (allDeterministicFailed && probabilisticCriteria.length > 0) {
-    info("All deterministic criteria failed - skipping probabilistic evaluation to avoid unnecessary judge spend", {
-      skippedCalls: String(probabilisticCriteria.length)
-    });
+    info(
+      "All deterministic criteria failed - skipping probabilistic evaluation to avoid unnecessary judge spend",
+      {
+        skippedCalls: String(probabilisticCriteria.length)
+      }
+    );
     for (const criterion of probabilisticCriteria) {
       evaluations.push({
         criterionId: criterion.id,
@@ -78879,19 +79279,18 @@ async function evaluateRun(criteria, context, config2) {
   } else if (!allDeterministicFailed) {
     if (deterministicFallbackFailureReason) {
       const cachedReason = deterministicFallbackFailureReason;
-      const isUpstreamLlmFailure = cachedReason === "rate_limited" || cachedReason === "provider_error" || cachedReason === "missing_credentials";
-      const errorReason = cachedReason === "rate_limited" ? "rate_limited" : cachedReason === "missing_credentials" ? "auth_error" : cachedReason === "provider_error" ? "provider_error" : void 0;
+      const errorReason = toLlmEvalErrorReason(cachedReason);
       for (const criterion of probabilisticCriteria) {
         warn(
           `Probabilistic evaluation skipped due to cached ${formatFallbackFailureReason(cachedReason)} for "${criterion.id}"`
         );
         const skipEntry = {
           criterionId: criterion.id,
-          status: isUpstreamLlmFailure ? "error" : "fail",
+          status: "error",
           confidence: 0,
           explanation: `Skipped. ${formatFallbackFailureReason(cachedReason)} already detected.`,
           fallbackFailureReason: cachedReason,
-          ...isUpstreamLlmFailure && errorReason ? { errorReason } : {}
+          ...errorReason ? { errorReason } : {}
         };
         evaluations.push(skipEntry);
       }
@@ -78904,11 +79303,12 @@ async function evaluateRun(criteria, context, config2) {
       );
       judgeTokenUsage = accumulateTokenUsage(judgeTokenUsage, tokenUsage);
       for (const result of batchResults) {
-        evaluations.push(result);
+        const normalizedResult = normalizeFatalLlmFailureResult(result);
+        evaluations.push(normalizedResult);
         debug("Probabilistic evaluation (batch)", {
-          criterion: result.criterionId,
-          status: result.status,
-          confidence: result.confidence.toFixed(2)
+          criterion: normalizedResult.criterionId,
+          status: normalizedResult.status,
+          confidence: normalizedResult.confidence.toFixed(2)
         });
       }
     } else if (probabilisticCriteria.length === 1) {
@@ -78916,11 +79316,12 @@ async function evaluateRun(criteria, context, config2) {
       progress(`Evaluating [P] ${criterion.description}`);
       const { evaluation: result, tokenUsage } = await evaluateWithLlm(criterion, context, config2);
       judgeTokenUsage = accumulateTokenUsage(judgeTokenUsage, tokenUsage);
-      evaluations.push(result);
+      const normalizedResult = normalizeFatalLlmFailureResult(result);
+      evaluations.push(normalizedResult);
       debug("Probabilistic evaluation", {
         criterion: criterion.id,
-        status: result.status,
-        confidence: result.confidence.toFixed(2)
+        status: normalizedResult.status,
+        confidence: normalizedResult.confidence.toFixed(2)
       });
     }
   }
@@ -79049,7 +79450,7 @@ function trimSnippet(value) {
 var REAL_SERVICE_HOST_RE = /\b(api\.github\.com|api\.stripe\.com|slack\.com\/api|api\.linear\.app|gmail\.googleapis\.com|www\.googleapis\.com|googleapis\.com|api\.tavily\.com|api\.apify\.com|atlassian\.net|supabase\.co)\b/i;
 var AUTH_FAILURE_RE = /\b(401|403|unauthorized|forbidden|bad credentials|requires authentication|invalid token|invalid api key|authentication failed|permission denied)\b/i;
 function isHarnessModelAuthFailure(message) {
-  return /Incorrect API key provided|invalid x-api-key|invalid api key|AuthenticationError|authentication error|API key.*(incorrect|invalid)|OPENAI_API_KEY|ANTHROPIC_API_KEY|GEMINI_API_KEY|401.*(openai|anthropic|gemini|api key)/i.test(message);
+  return /Incorrect API key provided|invalid x-api-key|AuthenticationError|OPENAI_API_KEY|ANTHROPIC_API_KEY|GEMINI_API_KEY|401.*(openai|anthropic|gemini|api key)|(?:openai|anthropic|gemini)[\s\S]{0,120}(?:invalid api key|authentication error|api key.*(?:incorrect|invalid))/i.test(message);
 }
 function isLikelyRealServiceAuthFailure(message) {
   return REAL_SERVICE_HOST_RE.test(message) && AUTH_FAILURE_RE.test(message);
@@ -79070,6 +79471,9 @@ function classifyLocalHarnessFailure(message) {
   if (/better-sqlite3|NODE_MODULE_VERSION|ERR_DLOPEN_FAILED|compiled against a different Node\.js version|native module/i.test(message)) {
     return "native_dependency";
   }
+  if (/(?:stripe|github|slack|linear|jira|supabase|discord|apify|tavily|google-workspace|googleapis)[\s\S]{0,160}(?:401|403|unauthorized|forbidden|bad credentials|invalid api key|authentication_error|requires authentication|permission denied)|(?:authentication_error|Invalid API Key provided)[\s\S]{0,160}(?:stripe|github|slack|linear|jira|supabase|discord|apify|tavily|google-workspace|googleapis)/i.test(message)) {
+    return "clone_service_auth";
+  }
   if (isHarnessModelAuthFailure(message)) {
     return "harness_model_auth";
   }
@@ -79101,6 +79505,10 @@ Fix: rebuild native modules for the Node runtime Archal uses before rerunning.`;
 Likely issue: the harness reached its model provider, but the configured provider key is missing or invalid.
 Fix: provide a valid provider key for the requested agent model before rerunning.
 If your harness does not use an LLM, run: archal run <scenario> --agent-model none`;
+    case "clone_service_auth":
+      return `${intro}
+Likely issue: the harness reached a clone service, but the request used missing or invalid service-shaped credentials.
+Fix: use the clone URL from AGENT_CLONE_URLS, add AGENT_ROUTE_HEADERS to the request, and keep the service Authorization header/API key from the matching injected credential such as GITHUB_TOKEN, SLACK_TOKEN, STRIPE_API_KEY, or SUPABASE_SERVICE_ROLE_KEY.`;
     case "service_bridge":
       return `${intro}
 Likely issue: the harness booted, but one of its service boundaries is still stubbed or app-only on the headless path.
@@ -79343,6 +79751,16 @@ function compactFailureExplanation(explanation) {
   if (firstLine.length <= 600) return firstLine;
   return `${firstLine.slice(0, 597)}...`;
 }
+var RESPONSE_ONLY_CRITERION_PATTERN = /\b(?:final\s+answer|agent\s+(?:response|reply|answer)|response\s+text|text\s+response|explains?\s+why|describes?\s+why|refusal|refuses?)\b/i;
+function hasConfiguredServiceClones(scenario) {
+  return (scenario.config?.twins ?? []).length > 0;
+}
+function isExplicitTextResponseOnlyCriterion(criterion) {
+  return RESPONSE_ONLY_CRITERION_PATTERN.test(criterion.description);
+}
+function allCriteriaAreExplicitTextResponseOnly(scenario) {
+  return scenario.successCriteria.length > 0 && scenario.successCriteria.every(isExplicitTextResponseOnlyCriterion);
+}
 function buildFailedResult(ctx, fields) {
   const stateAfter = fields.stateAfter ?? fields.beforeState;
   const trace = annotateExpectedToolErrors(
@@ -79523,7 +79941,9 @@ function checkTraceViability(ctx, postRun, _startTime, _beforeState, agentLog, _
   if (agentToolCallCount === 0 && !agentResponseText) {
     const explanation = "Agent made no tool calls and produced no parseable response text, so the run has no evidence to evaluate.";
     const failureReasonCode = "agent_no_tool_calls";
-    warn(`Run ${ctx.runIndex + 1}: 0 tool calls and no final response. Marking the run incomplete.`);
+    warn(
+      `Run ${ctx.runIndex + 1}: 0 tool calls and no final response. Marking the run incomplete.`
+    );
     return buildFailedResult(ctx, {
       explanation,
       error: `${explanation} (${failureReasonCode})
@@ -79540,6 +79960,27 @@ Agent log (stderr tail): ${agentLog?.slice(-1e3) || "(none)"}`,
       failureReasonCode
     });
   } else if (agentToolCallCount === 0 && agentResponseText) {
+    if (hasConfiguredServiceClones(ctx.scenario) && !allCriteriaAreExplicitTextResponseOnly(ctx.scenario)) {
+      const explanation = "Agent produced a text response but made no clone-observed tool calls. The service clone was not exercised, so clone-backed criteria cannot be scored from response text alone.";
+      const failureReasonCode = "agent_no_tool_calls";
+      warn(
+        `Run ${ctx.runIndex + 1}: 0 clone-observed tool calls with response text for a service-clone scenario. Marking the run incomplete.`
+      );
+      return buildFailedResult(ctx, {
+        explanation,
+        error: `${explanation} (${failureReasonCode})`,
+        outcome: "insufficient_action",
+        startTime: _startTime,
+        beforeState: _beforeState,
+        stateAfter,
+        trace,
+        agentLog,
+        agentTrace: _agentTrace,
+        tokenUsage: _tokenUsage,
+        events,
+        failureReasonCode
+      });
+    }
     warn(
       "WARN: no clone-observed tool calls were recorded. Scenario was not exercised - score will be meaningful only for text-response checks. Continuing to evaluation because a text response was produced."
     );
@@ -79565,9 +80006,9 @@ async function evaluateAndBuildResult(ctx, evaluatorConfig, postRun, startTime,
     evaluatorConfig
   );
   const evals = evaluationResult.evaluations;
-  const allErrored = evals.length > 0 && evals.every((e) => e.status === "error");
-  const outcome = allErrored ? "degraded" : "completed";
-  const failureReasonCode = allErrored ? "evaluator_unavailable" : void 0;
+  const hasEvaluatorError = evals.some((e) => e.status === "error");
+  const outcome = hasEvaluatorError ? "degraded" : "completed";
+  const failureReasonCode = hasEvaluatorError ? "evaluator_unavailable" : void 0;
   return {
     runIndex: ctx.runIndex,
     evaluations: evals,
@@ -79612,7 +80053,7 @@ init_src();
 
 // src/runner/mcp/aggregate-stdio-script.ts
 var AGGREGATE_MCP_STDIO_SCRIPT = String.raw`
-const servers = JSON.parse(process.env.ARCHAL_AGGREGATE_MCP_SERVERS || '{}');
+const servers = JSON.parse(process.env.SERVICE_MCP_SERVERS || '{}');
 const state = { nextId: 1 };
 
 function namespaceToolName(serverName, toolName) {
@@ -79649,7 +80090,7 @@ async function fetchJson(url, options) {
     }
   }
   if (!response.ok) {
-    throw new Error('HTTP ' + response.status + ' from ' + url + ': ' + text.slice(0, 300));
+    throw new Error('Service tool request failed.');
   }
   return body;
 }
@@ -79661,7 +80102,7 @@ async function listTools() {
       headers: server.headers || {},
     });
     if (!Array.isArray(list)) {
-      throw new Error('Expected /tools array from MCP server "' + serverName + '"');
+      throw new Error('Service tool discovery failed.');
     }
     for (const tool of list) {
       const originalName = String(tool.name || '');
@@ -79679,7 +80120,7 @@ async function listTools() {
 async function callTool(params) {
   const parsed = parseNamespacedToolName(String(params && params.name || ''));
   if (!parsed || !servers[parsed.serverName]) {
-    throw new Error('Unknown namespaced MCP tool "' + String(params && params.name || '') + '"');
+    throw new Error('Unknown service tool.');
   }
   const server = servers[parsed.serverName];
   return fetchJson(toolApiBaseUrl(server.url) + '/tools/call', {
@@ -79706,7 +80147,7 @@ async function handle(request) {
         result: {
           protocolVersion: request.params && request.params.protocolVersion || '2024-11-05',
           capabilities: { tools: {} },
-          serverInfo: { name: 'archal-mcp-aggregate', version: '1.0.0' },
+          serverInfo: { name: 'service-tools', version: '1.0.0' },
         },
       };
     }
@@ -79726,7 +80167,7 @@ async function handle(request) {
     return {
       jsonrpc: '2.0',
       id,
-      error: { code: -32000, message: error && error.message ? error.message : String(error) },
+      error: { code: -32000, message: error && error.message ? error.message : 'Service tool request failed.' },
     };
   }
 }
@@ -79750,7 +80191,7 @@ process.stdin.on('data', (chunk) => {
         process.stdout.write(JSON.stringify({
           jsonrpc: '2.0',
           id: null,
-          error: { code: -32700, message: error && error.message ? error.message : String(error) },
+          error: { code: -32700, message: 'Invalid request.' },
         }) + '\n');
       });
   }
@@ -79765,11 +80206,11 @@ function writeAgentConfigs(runId, cloudCloneUrls, _authToken) {
     mcpServers[cloneName] = { url: mcpUrl };
   }
   const aggregateServer = Object.keys(mcpServers).length === 0 ? {} : {
-    archal: {
+    services: {
       command: process.execPath,
       args: ["-e", AGGREGATE_MCP_STDIO_SCRIPT],
       env: {
-        ARCHAL_AGGREGATE_MCP_SERVERS: JSON.stringify(mcpServers)
+        SERVICE_MCP_SERVERS: JSON.stringify(mcpServers)
       }
     }
   };
@@ -82349,9 +82790,13 @@ async function loadFileSeedsIntoTwins(config2, fetchTwin2, options = {}) {
   const loadingMarkerPath = getSeedLoadingMarkerPath(sessionKey);
   const loadedMarkerPath = getSeedLoadedMarkerPath(sessionKey);
   const markerDir = (0, import_node_path36.dirname)(loadedMarkerPath);
+  const forceReload = options.forceReload === true;
   (0, import_node_fs38.mkdirSync)(markerDir, { recursive: true, mode: 448 });
+  if (forceReload) {
+    (0, import_node_fs38.rmSync)(loadedMarkerPath, { force: true });
+  }
   while (true) {
-    if ((0, import_node_fs38.existsSync)(loadedMarkerPath)) {
+    if (!forceReload && (0, import_node_fs38.existsSync)(loadedMarkerPath)) {
       return;
     }
     try {
@@ -82542,9 +82987,17 @@ function buildHostedTwinFetcher(cloudCloneUrls, bearerToken) {
     throw new Error(`Timed out waiting for hosted clone ${serviceName} to accept file seeds.`);
   };
 }
-async function loadFileSeedsIntoHostedTwins(fileSeedPaths, cloudCloneUrls, bearerToken, sessionKey) {
+async function loadFileSeedsIntoHostedTwins(fileSeedPaths, cloudCloneUrls, bearerToken, sessionKey, options = {}) {
   const config2 = sessionKey ? buildSerializedSeedConfigWithSessionKey(fileSeedPaths, sessionKey) : buildSerializedSeedConfig(fileSeedPaths);
-  await loadFileSeedsIntoTwins(config2, buildHostedTwinFetcher(cloudCloneUrls, bearerToken));
+  const runtimeOptions = {
+    ...options.forceReload === true ? { forceReload: true } : {},
+    ...options.hostedSessionId ? { hostedSessionId: options.hostedSessionId } : {}
+  };
+  await loadFileSeedsIntoTwins(
+    config2,
+    buildHostedTwinFetcher(cloudCloneUrls, bearerToken),
+    Object.keys(runtimeOptions).length > 0 ? runtimeOptions : void 0
+  );
 }
 
 // src/runner/runtime-prereqs.ts
@@ -87981,6 +88434,18 @@ Run 'archal usage' to inspect the workspace pool, or open https://www.archal.ai/
 }
 
 // src/runner/hosted-session/readiness.ts
+var TRANSIENT_READINESS_DETAIL_PATTERNS = [
+  /\btimed?\s*out\b/i,
+  /\btimeout\b/i,
+  /(HTTP |status[=:]\s*)50[234]\b/i,
+  /upstream\s+returned\s+50[234]\b/i,
+  /\bECONNRESET\b/i,
+  /\bECONNREFUSED\b/i,
+  /\bETIMEDOUT\b/i,
+  /\bEAI_AGAIN\b/i,
+  /network\s+(error|failure)/i,
+  /temporarily unavailable/i
+];
 function isHostedSessionRequestError(error49) {
   return error49 instanceof HostedSessionRequestError || error49 instanceof Error && typeof error49.method === "string" && typeof error49.path === "string" && typeof error49.status === "number" && typeof error49.detail === "string";
 }
@@ -87988,6 +88453,28 @@ function getHostedSessionErrorDetail(error49) {
   const internalDetail = typeof error49.getInternalDetailForRetry === "function" ? error49.getInternalDetailForRetry() : void 0;
   return internalDetail ?? error49.detail;
 }
+function detailLooksTransient2(detail) {
+  return TRANSIENT_READINESS_DETAIL_PATTERNS.some((pattern) => pattern.test(detail));
+}
+function isRetryableReadinessError(error49) {
+  if (isHostedSessionRequestError(error49)) {
+    if (error49.status === 408 || error49.status === 425 || error49.status === 429 || error49.status === 500 || error49.status === 502 || error49.status === 503 || error49.status === 504) {
+      return true;
+    }
+    return detailLooksTransient2(getHostedSessionErrorDetail(error49));
+  }
+  const message = errorMessage(error49);
+  if (message.startsWith("Hosted session timed out waiting for readiness")) {
+    return true;
+  }
+  if (message.startsWith("Hosted session failed:")) {
+    return detailLooksTransient2(message.slice("Hosted session failed:".length).trim());
+  }
+  if (message === "Hosted session failed") {
+    return true;
+  }
+  return false;
+}
 async function waitForSessionReady(opts) {
   if (!opts.quiet) process.stderr.write("Starting cloud session...\n");
   const startedAt = Date.now();
@@ -88020,6 +88507,7 @@ async function waitForSessionReady(opts) {
       }
       return {
         ready: false,
+        ...isRetryableReadinessError(error49) ? { retryable: true } : {},
         error: mapSessionStartError({
           ok: false,
           offline: false,
@@ -88031,10 +88519,19 @@ async function waitForSessionReady(opts) {
       };
     }
     const message = errorMessage(error49);
+    const retryable = isRetryableReadinessError(error49);
     if (message.startsWith("Hosted session ")) {
-      return { ready: false, error: `session ${message.slice("Hosted session ".length)}` };
+      return {
+        ready: false,
+        ...retryable ? { retryable: true } : {},
+        error: `session ${message.slice("Hosted session ".length)}`
+      };
     }
-    return { ready: false, error: `session poll failed: ${message}` };
+    return {
+      ready: false,
+      ...retryable ? { retryable: true } : {},
+      error: `session poll failed: ${message}`
+    };
   }
   const warmupSec = Math.round((Date.now() - startedAt) / 1e3);
   if (!opts.quiet) process.stderr.write(`Cloud session ready (${warmupSec}s).
@@ -88546,6 +89043,7 @@ async function cleanupHostedSession(ctx) {
 }
 
 // src/runner/hosted-session-provisioning.ts
+var HOSTED_RUN_READINESS_ATTEMPTS = 2;
 function isLegacyRunConfigTimeoutRejection(result) {
   if (result.ok || result.status !== 400 || result.code !== "invalid_session_create_request") {
     return false;
@@ -88571,6 +89069,16 @@ function withoutLegacyUnsupportedRunConfig(input) {
     runConfig: Object.keys(runConfig).length > 0 ? runConfig : void 0
   };
 }
+async function bestEffortEndReadinessRetrySession(input) {
+  const token = input.credentials?.token;
+  if (!token || !input.sessionId) {
+    return;
+  }
+  try {
+    await endSession(token, input.sessionId);
+  } catch {
+  }
+}
 function resolveProvisionedSessionConnectionMaps(input) {
   const { sessionId, clones, endpoints, apiBaseUrls, runtimeBaseUrl } = input;
   const fallbackConnections = runtimeBaseUrl ? buildRuntimeTwinUrls(sessionId, clones, runtimeBaseUrl) : { endpoints: {}, apiBaseUrls: {} };
@@ -88677,103 +89185,121 @@ async function provisionHostedRunSession(input) {
     runProject: sessionStartConfig.runProject,
     source: "run"
   };
-  ctx.inFlightSessionStart = startSession(
-    credentials?.token ?? "",
-    sessionStartRequest,
-    sessionCreateIdempotencyKey
-  );
-  let sessionResult;
-  try {
-    sessionResult = await ctx.inFlightSessionStart;
-  } finally {
-    ctx.inFlightSessionStart = null;
-  }
-  if (!sessionResult.ok && isLegacyRunConfigTimeoutRejection(sessionResult)) {
+  for (let attempt = 0; attempt < HOSTED_RUN_READINESS_ATTEMPTS; attempt += 1) {
+    cloudCloneUrls = void 0;
+    hostedResolvedSeeds = void 0;
+    hostedApiBaseUrlOverrides = void 0;
+    ctx.backendSessionId = void 0;
+    ctx.sessionWorkspaceId = null;
+    const idempotencyKey = attempt === 0 ? sessionCreateIdempotencyKey : `${sessionCreateIdempotencyKey}:readiness-retry:${attempt}`;
     ctx.inFlightSessionStart = startSession(
       credentials?.token ?? "",
-      withoutLegacyUnsupportedRunConfig(sessionStartRequest),
-      sessionCreateIdempotencyKey
+      sessionStartRequest,
+      idempotencyKey
     );
+    let sessionResult;
     try {
       sessionResult = await ctx.inFlightSessionStart;
     } finally {
       ctx.inFlightSessionStart = null;
     }
-  }
-  if (!sessionResult.ok) {
-    ctx.runFailureMessage = mapSessionStartError(sessionResult);
-    return {
-      credentials,
-      cloudCloneUrls,
-      hostedResolvedSeeds,
-      hostedApiBaseUrlOverrides
-    };
-  }
-  credentials = getCredentials2() ?? credentials;
-  ctx.backendSessionId = sessionResult.data.sessionId;
-  ctx.sessionWorkspaceId = sessionResult.data.workspace?.id ?? null;
-  writeStatus({
-    stage: "provisioning",
-    sessionId: ctx.backendSessionId
-  });
-  emitSessionCreated({
-    scenario,
-    sessionId: ctx.backendSessionId,
-    isReused: false
-  });
-  if (!opts.quiet) {
-    printWorkspaceBreadcrumb({
-      kind: "session-pushed",
-      workspace: sessionResult.data.workspace ?? null
-    });
-  }
-  const serverResolvedSeeds = sessionResult.data.resolvedSeeds ?? {};
-  const { connections, missingClones } = resolveProvisionedSessionConnectionMaps({
-    sessionId: ctx.backendSessionId,
-    clones: scenario.config.twins,
-    endpoints: sessionResult.data.endpoints,
-    apiBaseUrls: sessionResult.data.apiBaseUrls,
-    runtimeBaseUrl: getConfiguredRuntimeBaseUrl2()
-  });
-  if (missingClones.length > 0) {
-    ctx.runFailureMessage = `Clone provisioning failed for: ${missingClones.join(", ")}. Try again or run: archal doctor`;
-  }
-  if (!ctx.runFailureMessage && Object.keys(connections.endpoints).length > 0) {
-    cloudCloneUrls = connections.endpoints;
-    hostedResolvedSeeds = serverResolvedSeeds;
-  }
-  if (!ctx.runFailureMessage && !opts.apiBaseUrls && Object.keys(connections.apiBaseUrls).length > 0) {
-    hostedApiBaseUrlOverrides = connections.apiBaseUrls;
-  }
-  const enginePlan = engine.plan;
-  if (!ctx.runFailureMessage && enginePlan.kind === "api" && !enginePlan.twinUrlsPath) {
-    ctx.generatedTwinUrlMapPath = (0, import_node_path45.resolve)(
-      `.archal-session-${ctx.backendSessionId}-engine-twin-urls.json`
-    );
-    const result = writeTempJsonMap(
-      ctx.generatedTwinUrlMapPath,
-      connections.endpoints,
-      "engine clone URL map"
-    );
-    if (!result.ok) {
-      ctx.runFailureMessage = result.error;
+    if (!sessionResult.ok && isLegacyRunConfigTimeoutRejection(sessionResult)) {
+      ctx.inFlightSessionStart = startSession(
+        credentials?.token ?? "",
+        withoutLegacyUnsupportedRunConfig(sessionStartRequest),
+        idempotencyKey
+      );
+      try {
+        sessionResult = await ctx.inFlightSessionStart;
+      } finally {
+        ctx.inFlightSessionStart = null;
+      }
     }
-  }
-  if (!ctx.runFailureMessage) {
-    const readyResult = await waitForSessionReady({
+    if (!sessionResult.ok) {
+      ctx.runFailureMessage = mapSessionStartError(sessionResult);
+      return {
+        credentials,
+        cloudCloneUrls,
+        hostedResolvedSeeds,
+        hostedApiBaseUrlOverrides
+      };
+    }
+    credentials = getCredentials2() ?? credentials;
+    ctx.backendSessionId = sessionResult.data.sessionId;
+    ctx.sessionWorkspaceId = sessionResult.data.workspace?.id ?? null;
+    writeStatus({
+      stage: "provisioning",
+      sessionId: ctx.backendSessionId
+    });
+    emitSessionCreated({
+      scenario,
       sessionId: ctx.backendSessionId,
-      twins: scenario.config.twins,
-      quiet: opts.quiet,
-      credentials: credentials ?? { token: "" }
-    });
-    if (readyResult.ready) {
-      writeStatus({
-        stage: "session_ready",
-        sessionId: ctx.backendSessionId
+      isReused: false
+    });
+    if (!opts.quiet) {
+      printWorkspaceBreadcrumb({
+        kind: "session-pushed",
+        workspace: sessionResult.data.workspace ?? null
       });
-    } else {
-      ctx.runFailureMessage = readyResult.error;
     }
+    const serverResolvedSeeds = sessionResult.data.resolvedSeeds ?? {};
+    const { connections, missingClones } = resolveProvisionedSessionConnectionMaps({
+      sessionId: ctx.backendSessionId,
+      clones: scenario.config.twins,
+      endpoints: sessionResult.data.endpoints,
+      apiBaseUrls: sessionResult.data.apiBaseUrls,
+      runtimeBaseUrl: getConfiguredRuntimeBaseUrl2()
+    });
+    if (missingClones.length > 0) {
+      ctx.runFailureMessage = `Clone provisioning failed for: ${missingClones.join(", ")}. Try again or run: archal doctor`;
+    }
+    if (!ctx.runFailureMessage && Object.keys(connections.endpoints).length > 0) {
+      cloudCloneUrls = connections.endpoints;
+      hostedResolvedSeeds = serverResolvedSeeds;
+    }
+    if (!ctx.runFailureMessage && !opts.apiBaseUrls && Object.keys(connections.apiBaseUrls).length > 0) {
+      hostedApiBaseUrlOverrides = connections.apiBaseUrls;
+    }
+    if (!ctx.runFailureMessage) {
+      const readyResult = await waitForSessionReady({
+        sessionId: ctx.backendSessionId,
+        twins: scenario.config.twins,
+        quiet: opts.quiet,
+        credentials: credentials ?? { token: "" }
+      });
+      if (readyResult.ready) {
+        const enginePlan = engine.plan;
+        if (!ctx.runFailureMessage && enginePlan.kind === "api" && !enginePlan.twinUrlsPath) {
+          ctx.generatedTwinUrlMapPath = (0, import_node_path45.resolve)(
+            `.archal-session-${ctx.backendSessionId}-engine-twin-urls.json`
+          );
+          const result = writeTempJsonMap(
+            ctx.generatedTwinUrlMapPath,
+            connections.endpoints,
+            "engine clone URL map"
+          );
+          if (!result.ok) {
+            ctx.runFailureMessage = result.error;
+          }
+        }
+        if (!ctx.runFailureMessage) {
+          writeStatus({
+            stage: "session_ready",
+            sessionId: ctx.backendSessionId
+          });
+        }
+      } else if (readyResult.retryable && attempt + 1 < HOSTED_RUN_READINESS_ATTEMPTS) {
+        await bestEffortEndReadinessRetrySession({
+          credentials,
+          sessionId: ctx.backendSessionId
+        });
+        writeStatus({ stage: "provisioning" });
+        continue;
+      } else {
+        ctx.runFailureMessage = readyResult.error;
+      }
+    }
+    break;
   }
   return {
     credentials,
@@ -89272,7 +89798,11 @@ async function executeRunForScenario(scenarioArg, opts, command, configDefaults,
             fileSeedPaths,
             cloudCloneUrls,
             credentials?.token,
-            ctx.backendSessionId ?? runId
+            ctx.backendSessionId ?? runId,
+            {
+              forceReload: runOpts.freshSeed === true,
+              ...ctx.backendSessionId ? { hostedSessionId: ctx.backendSessionId } : {}
+            }
           );
           info("File seeds loaded into clones");
         } catch (err) {
@@ -92080,6 +92610,7 @@ init_ansi();
 
 // src/commands/clone/shared.ts
 init_src2();
+init_src();
 init_auth();
 init_api_client();
 init_errors6();
@@ -92215,13 +92746,14 @@ function printReadyBanner(sessionId, twins, apiBaseUrls) {
       continue;
     }
     const restUrl = toRestUrl(url2);
-    const mcpUrl = toMcpUrl(url2);
     process.stderr.write(`${GREEN}\u2713${RESET} ${BOLD}${twin}${RESET} clone ready
 `);
     process.stderr.write(`  REST: ${CYAN}${restUrl}${RESET}
 `);
-    process.stderr.write(`  MCP:  ${CYAN}${mcpUrl}${RESET}
+    if (supportsHostedCloneMcp(twin)) {
+      process.stderr.write(`  MCP:  ${CYAN}${toMcpUrl(url2)}${RESET}
 `);
+    }
     process.stderr.write(
       `  Control auth: ${DIM}x-route-authorization: Bearer $ARCHAL_TOKEN${RESET}
 `
@@ -93917,7 +94449,7 @@ function buildOwnerTraceDetailUrl(baseUrl, rootTraceId) {
   return `${trimmed}/v1/traces/root/${encodeURIComponent(rootTraceId)}`;
 }
 function isEvalTrace(trace) {
-  return !trace.rootTraceId.startsWith("twin-session-");
+  return !trace.rootTraceId.startsWith("session-proxy-") && !trace.rootTraceId.startsWith("twin-session-");
 }
 var LOCAL_RUN_ARTIFACTS_PATH = ".archal/cache/runs/";
 var NO_REMOTE_TRACES_MESSAGE = `No remote traces found. If you just ran a scenario without remote trace upload, local run artifacts are under ${LOCAL_RUN_ARTIFACTS_PATH}.`;