demian-cli 1.0.7 → 1.0.8

package/dist/cli.mjs

@@ -2,7 +2,7 @@
 import { createRequire } from 'node:module'; const require = createRequire(import.meta.url);
 
 // src/cli.ts
-import path31 from "node:path";
+import path35 from "node:path";
 
 // src/agents/types.ts
 function normalizeAgent(input2) {
@@ -96,7 +96,7 @@ var claudeCodeAgent = {
   name: "claudecode",
   description: "Claude Code external coding agent for focused delegated workspace tasks.",
   mode: "subagent",
-  provider: { profile: "claudecode-subagent", permissionProfile: "build" },
+  provider: { profile: "claudecode", permissionProfile: "build" },
   tools: [],
   systemPrompt: [
     "You are demian claudecode, a Claude Code external runtime working as a sub agent for Demian.",
@@ -141,7 +141,7 @@ var claudeCodeExplorerAgent = {
   name: "claudecode-explorer",
   description: "Claude Code external read-only explorer for cowork repository inspection.",
   mode: "subagent",
-  provider: { profile: "claudecode-subagent", permissionProfile: "explore" },
+  provider: { profile: "claudecode", permissionProfile: "explore" },
   tools: [],
   systemPrompt: [
     "You are demian claudecode-explorer, a Claude Code external runtime working as a read-only cowork sub agent for Demian.",
@@ -176,7 +176,7 @@ var claudeCodeBuilderAgent = {
   name: "claudecode-builder",
   description: "Claude Code-backed builder for bounded cowork implementation tasks.",
   mode: "subagent",
-  provider: { profile: "claudecode-subagent", permissionProfile: "build" },
+  provider: { profile: "claudecode", permissionProfile: "build" },
   tools: [],
   systemPrompt: [
     "You are demian claudecode-builder, a Claude Code external runtime working as a writer cowork sub agent for Demian.",
@@ -481,7 +481,7 @@ import { readFile as readFile6 } from "node:fs/promises";
 import crypto4 from "node:crypto";
 import fs7 from "node:fs";
 import os7 from "node:os";
-import path12 from "node:path";
+import path13 from "node:path";
 
 // src/providers/retry.ts
 var RETRY_STATUS = /* @__PURE__ */ new Set([408, 409, 425, 429, 500, 502, 503, 504]);
@@ -874,12 +874,14 @@ var dynamicImport = new Function("specifier", "return import(specifier)");
 var AnthropicProvider = class {
   id = "anthropic";
   #apiKey;
+  #baseURL;
   #defaultModel;
   #defaultMaxTokens;
   #client;
   #onRetry;
   constructor(config) {
     this.#apiKey = config.apiKey;
+    this.#baseURL = config.baseURL;
     this.#defaultModel = config.defaultModel;
     this.#defaultMaxTokens = config.defaultMaxTokens ?? 4096;
     this.#client = config.client;
@@ -924,7 +926,7 @@ var AnthropicProvider = class {
     if (this.#client) return this.#client;
     if (!this.#apiKey) throw new Error("AnthropicProvider requires apiKey");
     const Anthropic = await loadAnthropicConstructor();
-    this.#client = new Anthropic({ apiKey: this.#apiKey });
+    this.#client = new Anthropic({ apiKey: this.#apiKey, baseURL: this.#baseURL });
     return this.#client;
   }
 };
@@ -1157,19 +1159,56 @@ import { execFile } from "node:child_process";
 import { promisify } from "node:util";
 import fs2 from "node:fs";
 import { chmod, mkdir as mkdir2, readFile as readFile2, rename, writeFile as writeFile2 } from "node:fs/promises";
-import path2 from "node:path";
+import path3 from "node:path";
 
 // src/providers/codex-state.ts
 import crypto from "node:crypto";
 import fs from "node:fs";
 import { mkdir, readFile, writeFile } from "node:fs/promises";
+import os2 from "node:os";
+import path2 from "node:path";
+
+// src/path-expansion.ts
 import os from "node:os";
 import path from "node:path";
+function expandPathReferences(value) {
+  let expanded = expandTilde(value);
+  expanded = expanded.replace(/\$\{([A-Za-z_][A-Za-z0-9_]*)\}|\$([A-Za-z_][A-Za-z0-9_]*)/g, (match, braced, bare) => envPathValue(braced ?? bare) ?? match);
+  expanded = expanded.replace(/%([A-Za-z_][A-Za-z0-9_]*)%/g, (match, name) => envPathValue(name) ?? match);
+  return expanded;
+}
+function resolveExpandedPath(value) {
+  return path.resolve(expandPathReferences(value));
+}
+function expandTilde(value) {
+  if (value === "~") return os.homedir();
+  if (value.startsWith("~/") || value.startsWith("~\\")) return path.join(os.homedir(), value.slice(2));
+  return value;
+}
+function envPathValue(name) {
+  if (!name) return void 0;
+  const value = processEnvValue(name);
+  if (value !== void 0) return value;
+  const upper = name.toUpperCase();
+  if (upper === "HOME" || upper === "USERPROFILE") return os.homedir();
+  if (process.platform === "win32" && upper === "HOMEDRIVE") return path.win32.parse(os.homedir()).root.replace(/[\\/]$/, "");
+  if (process.platform === "win32" && upper === "HOMEPATH") return os.homedir().replace(/^[A-Za-z]:/, "");
+  return void 0;
+}
+function processEnvValue(name) {
+  if (process.env[name] !== void 0) return process.env[name];
+  if (process.platform !== "win32") return void 0;
+  const upper = name.toUpperCase();
+  const key = Object.keys(process.env).find((item) => item.toUpperCase() === upper);
+  return key ? process.env[key] : void 0;
+}
+
+// src/providers/codex-state.ts
 function resolveCodexHome(configured) {
-  return path.resolve(expandCodexPath(configured ?? process.env.CODEX_HOME ?? path.join(os.homedir(), ".codex")));
+  return resolveExpandedPath(configured ?? process.env.CODEX_HOME ?? path2.join(os2.homedir(), ".codex"));
 }
 async function loadOrCreateInstallationId(codexHome) {
-  const filePath = path.join(codexHome, "installation_id");
+  const filePath = path2.join(codexHome, "installation_id");
   try {
     const existing = (await readFile(filePath, "utf8")).trim();
     if (isUuid(existing)) return existing;
@@ -1191,15 +1230,6 @@ function isNodeError(error, code) {
 function fileExists(filePath) {
   return fs.existsSync(filePath);
 }
-function expandCodexPath(value) {
-  let expanded = value;
-  if (expanded === "~") return os.homedir();
-  if (expanded.startsWith("~/")) expanded = path.join(os.homedir(), expanded.slice(2));
-  return expanded.replace(/\$\{([A-Z_][A-Z0-9_]*)\}|\$([A-Z_][A-Z0-9_]*)/gi, (match, braced, bare) => {
-    const name = braced ?? bare;
-    return name && process.env[name] !== void 0 ? process.env[name] : match;
-  });
-}
 
 // src/providers/codex-auth.ts
 var execFileAsync = promisify(execFile);
@@ -1422,10 +1452,10 @@ var CodexAuthStore = class {
   }
 };
 function authFilePath(codexHome) {
-  return path2.join(codexHome, "auth.json");
+  return path3.join(codexHome, "auth.json");
 }
 function codexKeyringAccount(codexHome) {
-  const resolved = path2.resolve(codexHome);
+  const resolved = path3.resolve(codexHome);
   const canonical = fs2.existsSync(resolved) ? fs2.realpathSync.native(resolved) : resolved;
   const hash = crypto2.createHash("sha256").update(canonical).digest("hex").slice(0, 16);
   return `cli|${hash}`;
@@ -1854,8 +1884,8 @@ import { randomUUID } from "node:crypto";
 import { execFile as execFile2 } from "node:child_process";
 import fs3 from "node:fs";
 import { chmod as chmod2, mkdir as mkdir3, readFile as readFile3, rename as rename2, writeFile as writeFile3 } from "node:fs/promises";
-import os2 from "node:os";
-import path3 from "node:path";
+import os3 from "node:os";
+import path4 from "node:path";
 import { promisify as promisify2 } from "node:util";
 var execFileAsync2 = promisify2(execFile2);
 var CLAUDE_CODE_KEYRING_SERVICE = "Claude Code-credentials";
@@ -1888,7 +1918,7 @@ function getSharedClaudeCodeAuthStore(options = {}) {
     proactiveRefreshMinutes: options.proactiveRefreshMinutes ?? 30,
     refreshCache: options.refreshCache ?? "claude-store",
     refreshTokenURL: options.refreshTokenURL ?? DEFAULT_CLAUDE_CODE_REFRESH_TOKEN_URL,
-    keychainAccount: options.keychainAccount ?? os2.userInfo().username
+    keychainAccount: options.keychainAccount ?? os3.userInfo().username
   });
   const existing = sharedAuthStores2.get(key);
   if (existing) return existing;
@@ -1917,7 +1947,7 @@ var ClaudeCodeAuthStore = class {
     this.#proactiveRefreshMinutes = options.proactiveRefreshMinutes ?? 30;
     this.#refreshCache = options.refreshCache ?? "claude-store";
     this.#refreshTokenURL = options.refreshTokenURL ?? DEFAULT_CLAUDE_CODE_REFRESH_TOKEN_URL;
-    this.#keychainAccount = options.keychainAccount ?? os2.userInfo().username;
+    this.#keychainAccount = options.keychainAccount ?? os3.userInfo().username;
     this.#fetch = options.fetch ?? fetch;
     this.#keyring = options.keyring ?? new MacOSSecurityKeyring2();
   }
@@ -2118,10 +2148,10 @@ var ClaudeCodeAuthStore = class {
   }
 };
 function resolveClaudeConfigDir(configured) {
-  return path3.resolve(expandClaudePath(configured ?? process.env.CLAUDE_CONFIG_DIR ?? path3.join(os2.homedir(), ".claude")));
+  return resolveExpandedPath(configured ?? process.env.CLAUDE_CONFIG_DIR ?? path4.join(os3.homedir(), ".claude"));
 }
 function claudeCodeAuthFilePath(claudeConfigDir) {
-  return path3.join(claudeConfigDir, ".credentials.json");
+  return path4.join(claudeConfigDir, ".credentials.json");
 }
 function oauthPayload(auth) {
   const raw = auth.claudeAiOauth;
@@ -2180,15 +2210,6 @@ async function writeClaudeCodeAuthFileAtomic(claudeConfigDir, auth) {
   await chmod2(tempPath, 384);
   await rename2(tempPath, filePath);
 }
-function expandClaudePath(value) {
-  let expanded = value;
-  if (expanded === "~") return os2.homedir();
-  if (expanded.startsWith("~/")) expanded = path3.join(os2.homedir(), expanded.slice(2));
-  return expanded.replace(/\$\{([A-Z_][A-Z0-9_]*)\}|\$([A-Z_][A-Z0-9_]*)/gi, (match, braced, bare) => {
-    const name = braced ?? bare;
-    return name && process.env[name] !== void 0 ? process.env[name] : match;
-  });
-}
 var MacOSSecurityKeyring2 = class {
   async load(service, account) {
     if (process.platform !== "darwin") return void 0;
@@ -2425,6 +2446,111 @@ function parseClaudeCodeErrorBody(body) {
   }
 }
 
+// src/providers/ollama.ts
+var OllamaProvider = class {
+  id = "ollama";
+  #baseURL;
+  #apiKey;
+  #defaultModel;
+  #fetch;
+  #onRetry;
+  constructor(config) {
+    this.#baseURL = config.baseURL.replace(/\/+$/, "");
+    this.#apiKey = config.apiKey;
+    this.#defaultModel = config.defaultModel;
+    this.#fetch = config.fetch ?? fetch;
+    this.#onRetry = config.onRetry;
+  }
+  async chat(req) {
+    return chatWithRetry(() => this.#rawChat(req), {
+      signal: req.signal,
+      onRetry: this.#onRetry
+    });
+  }
+  async #rawChat(req) {
+    const response = await this.#fetch(`${this.#baseURL}/chat`, {
+      method: "POST",
+      headers: {
+        "content-type": "application/json",
+        ...this.#authHeaders()
+      },
+      body: JSON.stringify({
+        model: req.model || this.#defaultModel,
+        messages: req.messages.map(toOllamaMessage),
+        ...req.tools.length > 0 ? { tools: req.tools.map(toOpenAITool) } : {},
+        stream: false,
+        ...req.temperature !== void 0 ? { options: { temperature: req.temperature } } : {}
+      }),
+      signal: req.signal
+    });
+    const text = await response.text();
+    if (!response.ok) throw new ProviderHttpError(response.status, text, parseRetryAfter(response.headers.get("retry-after")));
+    return normalizeOllamaResponse(text ? JSON.parse(text) : {});
+  }
+  #authHeaders() {
+    return this.#apiKey ? { authorization: `Bearer ${this.#apiKey}` } : {};
+  }
+};
+function toOllamaMessage(message) {
+  if (message.role === "tool") {
+    return {
+      role: "tool",
+      content: message.content,
+      tool_name: message.name
+    };
+  }
+  const out = {
+    role: message.role,
+    content: typeof message.content === "string" ? message.content : JSON.stringify(message.content ?? "")
+  };
+  if (message.role === "assistant" && message.toolCalls?.length) {
+    out.tool_calls = message.toolCalls.map((call) => ({
+      function: {
+        name: call.name,
+        arguments: call.input ?? {}
+      }
+    }));
+  }
+  return out;
+}
+function normalizeOllamaResponse(raw) {
+  const data = raw;
+  const toolCalls = [];
+  for (const call of data.message?.tool_calls ?? []) {
+    const name = call.function?.name;
+    if (!name) continue;
+    toolCalls.push({
+      id: call.id ?? `call_${toolCalls.length + 1}`,
+      name,
+      input: normalizeToolArguments(call.function?.arguments)
+    });
+  }
+  const message = {
+    role: "assistant",
+    content: data.message?.content ?? null,
+    ...toolCalls.length ? { toolCalls } : {}
+  };
+  return {
+    message,
+    toolCalls,
+    stopReason: toolCalls.length ? "tool_use" : data.done_reason === "length" ? "max_tokens" : "end_turn",
+    usage: data.prompt_eval_count !== void 0 || data.eval_count !== void 0 ? {
+      inputTokens: data.prompt_eval_count,
+      outputTokens: data.eval_count,
+      totalTokens: (data.prompt_eval_count ?? 0) + (data.eval_count ?? 0)
+    } : void 0,
+    raw
+  };
+}
+function normalizeToolArguments(value) {
+  if (typeof value !== "string") return value ?? {};
+  try {
+    return JSON.parse(value);
+  } catch {
+    return {};
+  }
+}
+
 // src/external-runtime/claudecode-cli.ts
 import { spawn as spawn3 } from "node:child_process";
 import readline from "node:readline";
@@ -2432,7 +2558,7 @@ import readline from "node:readline";
 // src/external-runtime/claudecode-attachments.ts
 import crypto3 from "node:crypto";
 import fs4 from "node:fs";
-import path4 from "node:path";
+import path5 from "node:path";
 async function resolveClaudeCodeAttachmentPrompt(runtimeLabel, config, req) {
   const attachments = req.attachments ?? [];
   if (attachments.length === 0) return req.prompt;
@@ -2474,7 +2600,7 @@ function unsupportedAttachmentError(runtimeLabel, count, detail) {
 }
 function formatAttachmentReference(value, cwd) {
   if (isUrl(value)) return imageMimeFromPath(value) ? `[image: ${value} (${imageMimeFromPath(value)}, remote)]` : `[attachment: ${value}]`;
-  const target = path4.isAbsolute(value) ? value : path4.resolve(cwd, value);
+  const target = path5.isAbsolute(value) ? value : path5.resolve(cwd, value);
   try {
     const stats = fs4.statSync(target);
     if (!stats.isFile()) return `[attachment: ${value} (${stats.size} bytes)]`;
@@ -2491,7 +2617,7 @@ function isUrl(value) {
 }
 function imageMimeFromPath(value) {
   const pathname = isUrl(value) ? new URL(value).pathname : value;
-  const ext = path4.extname(pathname).toLowerCase();
+  const ext = path5.extname(pathname).toLowerCase();
   if (ext === ".png") return "image/png";
   if (ext === ".jpg" || ext === ".jpeg") return "image/jpeg";
   if (ext === ".gif") return "image/gif";
@@ -2523,15 +2649,14 @@ function hasAnthropicApiKeyEnv(env = process.env) {
 
 // src/external-runtime/claudecode-paths.ts
 import fs5 from "node:fs";
-import os3 from "node:os";
-import path5 from "node:path";
+import path6 from "node:path";
 function resolveClaudeCodeCliPath(configured) {
   if (configured) return expandHome(configured);
   if (process.env.CLAUDE_CODE_CLI) return expandHome(process.env.CLAUDE_CODE_CLI);
   const candidates = ["~/.local/bin/claude", "claude"];
   for (const candidate of candidates) {
     const expanded = expandHome(candidate);
-    if (path5.isAbsolute(expanded)) {
+    if (path6.isAbsolute(expanded)) {
       if (isExecutableFile(expanded)) return expanded;
       continue;
     }
@@ -2540,9 +2665,7 @@ function resolveClaudeCodeCliPath(configured) {
   return void 0;
 }
 function expandHome(value) {
-  if (value === "~") return os3.homedir();
-  if (value.startsWith("~/")) return path5.join(os3.homedir(), value.slice(2));
-  return value;
+  return expandPathReferences(value);
 }
 function isExecutableFile(filePath) {
   try {
@@ -2808,14 +2931,14 @@ function numberValue2(value) {
 // src/external-runtime/session-lock.ts
 import { mkdir as mkdir4, open, readFile as readFile4, unlink } from "node:fs/promises";
 import os4 from "node:os";
-import path6 from "node:path";
+import path7 from "node:path";
 var DEFAULT_STALE_MS = 30 * 60 * 1e3;
 async function acquireClaudeCodeSessionLock(sessionId, options = {}) {
-  const dir = options.dir ?? path6.join(os4.homedir(), ".demian", "claude-sessions");
+  const dir = options.dir ?? path7.join(os4.homedir(), ".demian", "claude-sessions");
   const staleMs = options.staleMs ?? DEFAULT_STALE_MS;
   const now2 = options.now ?? (() => Date.now());
   await mkdir4(dir, { recursive: true });
-  const lockPath = path6.join(dir, `${encodeURIComponent(sessionId)}.lock`);
+  const lockPath = path7.join(dir, `${encodeURIComponent(sessionId)}.lock`);
   for (let attempt = 0; attempt < 2; attempt++) {
     try {
       const handle = await open(lockPath, "wx");
@@ -2879,14 +3002,14 @@ function isAlreadyExists(error) {
 // src/external-runtime/usage-ledger.ts
 import { mkdir as mkdir5, readFile as readFile5, rename as rename3, writeFile as writeFile4 } from "node:fs/promises";
 import os5 from "node:os";
-import path7 from "node:path";
+import path8 from "node:path";
 var processLedger = /* @__PURE__ */ new Map();
 var ClaudeCodeUsageLedger = class {
   #scope;
   #filePath;
   constructor(options = {}) {
     this.#scope = options.scope ?? "process";
-    this.#filePath = options.filePath ?? path7.join(os5.homedir(), ".demian", "usage-ledger.json");
+    this.#filePath = options.filePath ?? path8.join(os5.homedir(), ".demian", "usage-ledger.json");
   }
   async spentUsd(key, now2 = /* @__PURE__ */ new Date()) {
     if (this.#scope === "process") return processLedger.get(processKey(key)) ?? 0;
@@ -2917,7 +3040,7 @@ var ClaudeCodeUsageLedger = class {
     return { version: 1, buckets: {} };
   }
   async #write(file) {
-    await mkdir5(path7.dirname(this.#filePath), { recursive: true });
+    await mkdir5(path8.dirname(this.#filePath), { recursive: true });
     const temp = `${this.#filePath}.${process.pid}.tmp`;
     await writeFile4(temp, `${JSON.stringify(file, null, 2)}
 `, "utf8");
@@ -22578,10 +22701,10 @@ function now() {
 }
 
 // src/permissions/engine.ts
-import path10 from "node:path";
+import path11 from "node:path";
 
 // src/permissions/grants.ts
-import path8 from "node:path";
+import path9 from "node:path";
 
 // src/util.ts
 function stableStringify(value) {
@@ -22636,8 +22759,8 @@ function grantKeyFor(tool, input2, cwd) {
   }
   if (tool === "write_file" || tool === "edit_file") {
     const filePath = typeof object2.path === "string" ? object2.path : "";
-    const parent = filePath ? path8.dirname(path8.resolve(cwd, filePath)) : cwd;
-    return `${tool}:${path8.relative(cwd, parent) || "."}`;
+    const parent = filePath ? path9.dirname(path9.resolve(cwd, filePath)) : cwd;
+    return `${tool}:${path9.relative(cwd, parent) || "."}`;
   }
   return `${tool}:${stableStringify(input2)}`;
 }
@@ -22664,30 +22787,30 @@ function firstCommandTokens(command, count) {
 }
 
 // src/workspace/paths.ts
-import path9 from "node:path";
+import path10 from "node:path";
 function normalizePathForMatch(value) {
-  return value.split(path9.sep).join("/");
+  return value.split(path10.sep).join("/");
 }
 function isInsidePath(root, candidate) {
-  const relative = path9.relative(path9.resolve(root), path9.resolve(candidate));
-  return relative === "" || !relative.startsWith("..") && !path9.isAbsolute(relative);
+  const relative = path10.relative(path10.resolve(root), path10.resolve(candidate));
+  return relative === "" || !relative.startsWith("..") && !path10.isAbsolute(relative);
 }
 function resolveInsideCwd(cwd, inputPath) {
   if (typeof inputPath !== "string" || inputPath.length === 0) {
     throw new Error("path must be a non-empty string");
   }
-  const resolved = path9.resolve(cwd, inputPath);
+  const resolved = path10.resolve(cwd, inputPath);
   if (!isInsidePath(cwd, resolved)) {
     throw new Error(`Path is outside the workspace: ${inputPath}`);
   }
   return resolved;
 }
 function relativeToCwd(cwd, absolutePath) {
-  const relative = path9.relative(cwd, absolutePath);
+  const relative = path10.relative(cwd, absolutePath);
   return normalizePathForMatch(relative || ".");
 }
 function isEnvFile(filePath) {
-  const base = path9.basename(filePath);
+  const base = path10.basename(filePath);
   if (base === ".env.example") return false;
   return base === ".env" || base.startsWith(".env.");
 }
@@ -22794,7 +22917,7 @@ var PermissionEngine = class {
   #hardDeny(tool, input2, grantKey) {
     const paths = inputPaths(tool, input2);
     for (const item of paths) {
-      const resolved = path10.resolve(this.#cwd, item);
+      const resolved = path11.resolve(this.#cwd, item);
       if (!isInsidePath(this.#cwd, resolved)) {
         return {
           decision: "deny",
@@ -22848,7 +22971,7 @@ function matchesRule(rule, tool, input2, cwd) {
   if (rule.match.pathGlob) {
     const paths = inputPaths(tool, input2);
     if (paths.length === 0) return false;
-    if (!paths.some((item) => matchesPathRule(rule.match?.pathGlob, relativeToCwd(cwd, path10.resolve(cwd, item))))) {
+    if (!paths.some((item) => matchesPathRule(rule.match?.pathGlob, relativeToCwd(cwd, path11.resolve(cwd, item))))) {
       return false;
     }
   }
@@ -22895,7 +23018,7 @@ function rulePriority(rule, ref) {
 }
 function matchesPathRule(pattern, relativePath) {
   if (!pattern) return true;
-  if (path10.basename(relativePath) === ".env.example" && pattern.includes(".env.*")) return false;
+  if (path11.basename(relativePath) === ".env.example" && pattern.includes(".env.*")) return false;
   return matchGlob(pattern, relativePath);
 }
 function mostSpecificRule(rules, input2, cwd, ref) {
@@ -22973,13 +23096,13 @@ function permissionLabel(req) {
   if ((req.tool === "write_file" || req.tool === "edit_file" || req.tool === "read_file") && typeof inputObject.path === "string") {
     return `${req.tool}: ${inputObject.path}`;
   }
-  const path32 = typeof inputObject.path === "string" ? inputObject.path : typeof inputObject.file_path === "string" ? inputObject.file_path : void 0;
-  if (path32) return `${tool}: ${path32}`;
+  const path36 = typeof inputObject.path === "string" ? inputObject.path : typeof inputObject.file_path === "string" ? inputObject.file_path : void 0;
+  if (path36) return `${tool}: ${path36}`;
   return tool;
 }
 
 // src/workspace/write-scope.ts
-import path11 from "node:path";
+import path12 from "node:path";
 var WRITE_TOOLS = /* @__PURE__ */ new Set(["write_file", "edit_file", "Write", "Edit", "MultiEdit", "NotebookEdit"]);
 var WORKSPACE_SCOPE = "**";
 function normalizeWriteScope(cwd, scope) {
@@ -23001,7 +23124,7 @@ function enforceToolWriteScope(input2) {
   if (paths.length === 0) return { ok: true, paths: [] };
   const checked = [];
   for (const target of paths) {
-    const resolved = path11.resolve(input2.cwd, target);
+    const resolved = path12.resolve(input2.cwd, target);
     const relative = relativeToCwd(input2.cwd, resolved);
     checked.push(relative);
     const allowed = isPathAllowedByWriteScope(input2.cwd, target, input2.writeScope);
@@ -23025,7 +23148,7 @@ function outOfScopeDiffFiles(cwd, summary, writeScope) {
   return out;
 }
 function isPathAllowedByWriteScope(cwd, inputPath, writeScope) {
-  const resolved = path11.resolve(cwd, inputPath);
+  const resolved = path12.resolve(cwd, inputPath);
   if (!isInsidePath(cwd, resolved)) {
     return { ok: false, error: "path is outside the workspace", paths: [inputPath] };
   }
@@ -23044,9 +23167,9 @@ function normalizeScopePattern(cwd, raw) {
   if (!value) return { ok: false, error: "writeScope entries must be non-empty." };
   if (value.includes("\0")) return { ok: false, error: "writeScope entries must not contain NUL bytes." };
   const hasGlob2 = /[*?[\]{}]/.test(value);
-  if (path11.isAbsolute(value)) {
+  if (path12.isAbsolute(value)) {
     if (hasGlob2) return { ok: false, error: `writeScope absolute globs are not supported: ${raw}` };
-    const resolved = path11.resolve(value);
+    const resolved = path12.resolve(value);
     if (!isInsidePath(cwd, resolved)) return { ok: false, error: `writeScope path is outside the workspace: ${raw}` };
     value = relativeToCwd(cwd, resolved);
   }
@@ -23423,6 +23546,7 @@ function claudeCodePreviewEnabled(config = {}, env = process.env) {
 }
 
 // src/config.ts
+var BUILTIN_PROVIDER_ORDER = ["openai", "anthropic", "gemini", "groq", "azure", "lmstudio", "ollama-local", "ollama-cloud", "llamacpp", "vllm", "codex", "claudecode"];
 var CLAUDE_CODE_SONNET_MODEL = "claude-sonnet-4-6";
 var CLAUDE_CODE_OPUS_MODEL = "claude-opus-4-7";
 var CLAUDE_CODE_MODELS = [CLAUDE_CODE_SONNET_MODEL, CLAUDE_CODE_OPUS_MODEL];
@@ -23460,7 +23584,7 @@ var defaultConfig = {
     maxConcurrentExpensive: 1,
     maxConcurrentWriters: 1,
     maxConcurrentPerProvider: {
-      "claudecode-subagent": 1
+      claudecode: 1
     },
     tokenBudget: null,
     defaultMergeStrategy: "synthesize",
@@ -23582,73 +23706,102 @@ var defaultConfig = {
   providers: {
     openai: {
       type: "openai-compatible",
-      model: "openai-model-name",
       baseURL: "https://api.openai.com/v1",
-      apiKeyEnv: "OPENAI_API_KEY"
+      apiKeyEnv: "OPENAI_API_KEY",
+      catalog: {
+        type: "openai-models",
+        endpoint: "https://api.openai.com/v1/models"
+      }
+    },
+    anthropic: {
+      type: "anthropic",
+      baseURL: "https://api.anthropic.com/v1",
+      apiKeyEnv: "ANTHROPIC_API_KEY",
+      catalog: {
+        type: "anthropic-models",
+        endpoint: "https://api.anthropic.com/v1/models"
+      }
     },
     gemini: {
       type: "openai-compatible",
-      model: "gemini-model-name",
       baseURL: "https://generativelanguage.googleapis.com/v1beta/openai/",
-      apiKeyEnv: "GOOGLE_API_KEY"
+      apiKeyEnv: "GEMINI_API_KEY",
+      apiKeyEnvAliases: ["GOOGLE_API_KEY"],
+      catalog: {
+        type: "gemini-openai-models",
+        endpoint: "https://generativelanguage.googleapis.com/v1beta/openai/models"
+      }
     },
-    ollama: {
+    groq: {
       type: "openai-compatible",
-      model: "local-coder-model",
-      baseURL: "http://localhost:11434/v1",
-      apiKey: "ollama",
-      quirks: { omitTemperature: true }
+      baseURL: "https://api.groq.com/openai/v1",
+      apiKeyEnv: "GROQ_API_KEY",
+      catalog: {
+        type: "groq-models",
+        endpoint: "https://api.groq.com/openai/v1/models"
+      }
+    },
+    azure: {
+      type: "openai-compatible",
+      auth: { type: "api-key", header: "api-key" },
+      modelProfiles: [
+        {
+          name: "azure-example",
+          displayName: "Azure example",
+          model: "azure-deployment-name",
+          baseURL: "https://example.openai.azure.com/openai/v1",
+          apiKeyEnv: "AZURE_OPENAI_API_KEY"
+        }
+      ]
     },
     lmstudio: {
       type: "openai-compatible",
-      model: "local-coder-model",
       baseURL: "http://localhost:1234/v1",
-      apiKey: "lm-studio"
+      apiKey: "lm-studio",
+      catalog: {
+        type: "openai-compatible-models",
+        endpoint: "http://localhost:1234/v1/models"
+      }
     },
-    vllm: {
+    "ollama-local": {
       type: "openai-compatible",
-      model: "local-coder-model",
-      baseURL: "http://localhost:8000/v1",
-      apiKey: "vllm"
+      baseURL: "http://localhost:11434/v1",
+      apiKey: "ollama",
+      quirks: { omitTemperature: true },
+      catalog: {
+        type: "openai-compatible-models",
+        endpoint: "http://localhost:11434/v1/models"
+      }
+    },
+    "ollama-cloud": {
+      type: "ollama",
+      baseURL: "https://ollama.com/api",
+      apiKeyEnv: "OLLAMA_API_KEY",
+      catalog: {
+        type: "ollama-tags",
+        endpoint: "https://ollama.com/api/tags"
+      }
     },
     llamacpp: {
       type: "openai-compatible",
-      model: "local-coder-model",
       baseURL: "http://localhost:8080/v1",
-      apiKey: "llama.cpp"
-    },
-    openrouter: {
-      type: "openai-compatible",
-      model: "provider/model-name",
-      baseURL: "https://openrouter.ai/api/v1",
-      apiKeyEnv: "OPENROUTER_API_KEY"
-    },
-    together: {
-      type: "openai-compatible",
-      model: "provider/model-name",
-      baseURL: "https://api.together.xyz/v1",
-      apiKeyEnv: "TOGETHER_API_KEY"
-    },
-    groq: {
-      type: "openai-compatible",
-      model: "provider/model-name",
-      baseURL: "https://api.groq.com/openai/v1",
-      apiKeyEnv: "GROQ_API_KEY"
+      apiKey: "llama.cpp",
+      catalog: {
+        type: "openai-compatible-models",
+        endpoint: "http://localhost:8080/v1/models"
+      }
     },
-    azure: {
+    vllm: {
       type: "openai-compatible",
-      model: "azure-deployment-name",
-      baseURL: "https://example.openai.azure.com/openai/v1",
-      apiKeyEnv: "AZURE_OPENAI_API_KEY"
-    },
-    anthropic: {
-      type: "anthropic",
-      model: "anthropic-model-name",
-      apiKeyEnv: "ANTHROPIC_API_KEY"
+      baseURL: "http://localhost:8000/v1",
+      apiKey: "vllm",
+      catalog: {
+        type: "openai-compatible-models",
+        endpoint: "http://localhost:8000/v1/models"
+      }
     },
     codex: {
       type: "codex",
-      model: "gpt-5.1-codex",
       baseURL: "https://chatgpt.com/backend-api/codex",
       authStore: "auto",
       allowApiKeyFallback: false,
@@ -23660,6 +23813,9 @@ var defaultConfig = {
           effort: "medium",
           summary: "auto"
         }
+      },
+      catalog: {
+        type: "codex-oauth-models"
       }
     },
     claudecode: {
@@ -23678,67 +23834,37 @@ var defaultConfig = {
       useBareMode: false,
       usageLedgerScope: "process",
       sessionLock: true,
-      abortPolicy: "record-only"
-    },
-    "claudecode-plan": {
-      type: "claudecode",
-      runtime: "agent-sdk",
-      model: CLAUDE_CODE_SONNET_MODEL,
-      models: [...CLAUDE_CODE_MODELS],
-      permissionProfile: "plan",
-      cliPath: "~/.local/bin/claude",
-      cwdMode: "session",
-      historyPolicy: "passthrough-resume",
-      onInvalidResume: "fresh",
-      attachmentFallback: "block",
-      allowSubagents: false,
-      sanitizeApiKeyEnv: true,
-      authPreflight: true,
-      useBareMode: false,
-      usageLedgerScope: "process",
-      sessionLock: true,
-      abortPolicy: "record-only",
-      hidden: true
-    },
-    "claudecode-subagent": {
-      type: "claudecode",
-      runtime: "agent-sdk",
-      model: CLAUDE_CODE_SONNET_MODEL,
-      models: [...CLAUDE_CODE_MODELS],
-      permissionProfile: "build",
-      cliPath: "~/.local/bin/claude",
-      cwdMode: "session",
-      historyPolicy: "passthrough-resume",
-      onInvalidResume: "fresh",
-      attachmentFallback: "block",
-      allowSubagents: false,
-      sanitizeApiKeyEnv: true,
-      authPreflight: true,
-      useBareMode: false,
-      usageLedgerScope: "process",
-      sessionLock: true,
       abortPolicy: "record-only",
-      hidden: true
+      catalog: {
+        type: "claudecode-supported-models"
+      }
     }
   }
 };
 async function loadConfig(options) {
   const configs = [];
-  const userConfigDir = path12.join(os7.homedir(), ".demian");
-  const projectConfigDir = path12.join(options.cwd, ".demian");
-  const configPaths = [
-    path12.join(userConfigDir, "config.json"),
-    path12.join(userConfigDir, "config.jsond"),
-    path12.join(projectConfigDir, "config.json"),
-    path12.join(projectConfigDir, "config.jsond"),
-    options.configPath
-  ].filter(Boolean);
+  const userConfigDir = path13.join(os7.homedir(), ".demian");
+  const configPaths = [path13.join(userConfigDir, "config.json"), path13.join(userConfigDir, "config.jsond"), options.configPath].filter(Boolean);
   for (const filePath of configPaths) {
     if (!fs7.existsSync(filePath)) continue;
-    configs.push(parseConfigText(await readFile6(filePath, "utf8"), filePath));
+    const parsed = parseConfigText(await readFile6(filePath, "utf8"), filePath);
+    warnIfV1Config(parsed, filePath);
+    configs.push(parsed);
   }
   return configs.reduce((acc, item) => mergeConfig(acc, item), structuredClone(defaultConfig));
 }
+function warnIfV1Config(parsed, filePath) {
+  if (parsed.version === 2) return;
+  const providers = parsed.providers ?? {};
+  const hasLegacyShape = Object.values(providers).some((provider) => {
+    const candidate = provider;
+    return (typeof candidate.model === "string" || Array.isArray(candidate.models)) && !Array.isArray(candidate.modelProfiles);
+  });
+  if (!hasLegacyShape && parsed.version === void 0 && Object.keys(providers).length === 0) return;
+  if (!hasLegacyShape) return;
+  process.stderr.write(`[demian] warning: ${filePath} uses the v1 schema (provider.model/models). v2 expects modelProfiles. Run \`demian config init\` to scaffold a v2 template.
+`);
+}
 function parseConfigText(text, filePath) {
   try {
     return JSON.parse(filePath.endsWith(".jsond") ? stripJsonD(text) : text);
@@ -23945,7 +24071,127 @@ function mergeConfig(base, overlay) {
   };
 }
 function normalizeProviderAlias(providerName) {
-  return providerName === "claudecode-plan" ? "claudecode" : providerName;
+  if (providerName === "claudecode-plan" || providerName === "claudecode-subagent") return "claudecode";
+  if (providerName === "ollama") return "ollama-local";
+  return providerName;
+}
+function sortProviderNames(names) {
+  const order = new Map(BUILTIN_PROVIDER_ORDER.map((name, index) => [name, index]));
+  return [...names].sort((left, right) => {
+    const leftIndex = order.get(left);
+    const rightIndex = order.get(right);
+    if (leftIndex !== void 0 && rightIndex !== void 0) return leftIndex - rightIndex;
+    if (leftIndex !== void 0) return -1;
+    if (rightIndex !== void 0) return 1;
+    return left.localeCompare(right);
+  });
+}
+function providerModelProfiles(providerName, providerConfig) {
+  const explicit = Array.isArray(providerConfig.modelProfiles) ? providerConfig.modelProfiles.filter((profile) => typeof profile?.model === "string" && profile.model.trim()).map((profile) => ({
+    ...profile,
+    name: profile.name?.trim() || profile.displayName?.trim() || profile.model.trim(),
+    displayName: profile.displayName?.trim() || profile.name?.trim() || profile.model.trim(),
+    model: profile.model.trim()
+  })) : [];
+  const seenNames = /* @__PURE__ */ new Set();
+  const seenDisplayNames = /* @__PURE__ */ new Set();
+  const seenModels = /* @__PURE__ */ new Set();
+  const out = [];
+  for (const profile of explicit) {
+    if (seenNames.has(profile.name)) {
+      process.stderr.write(`[demian] warning: provider ${providerName} has duplicate modelProfile name "${profile.name}". Later entry ignored.
+`);
+      continue;
+    }
+    if (profile.displayName && seenDisplayNames.has(profile.displayName)) {
+      process.stderr.write(`[demian] warning: provider ${providerName} has duplicate modelProfile displayName "${profile.displayName}". Later entry ignored.
+`);
+      continue;
+    }
+    seenNames.add(profile.name);
+    if (profile.displayName) seenDisplayNames.add(profile.displayName);
+    seenModels.add(profile.model);
+    out.push(profile);
+  }
+  const legacy = [...typeof providerConfig.model === "string" && providerConfig.model.trim() ? [providerConfig.model.trim()] : [], ...(providerConfig.models ?? []).filter((model) => typeof model === "string" && model.trim())];
+  for (const model of legacy) {
+    const trimmed = model.trim();
+    if (!trimmed || seenModels.has(trimmed)) continue;
+    seenModels.add(trimmed);
+    const name = trimmed;
+    if (!seenNames.has(name)) seenNames.add(name);
+    out.push({ name, displayName: name, model: trimmed });
+  }
+  const fallback = fallbackModelForProvider(providerName, providerConfig);
+  if (out.length === 0 && fallback) out.push({ name: fallback, displayName: fallback, model: fallback });
+  return out;
+}
+function providerModelOptions(providerName, providerConfig) {
+  return providerModelProfiles(providerName, providerConfig).filter((profile) => !profile.hidden).map((profile) => profile.displayName ?? profile.name ?? profile.model);
+}
+function defaultModelForProvider(providerName, providerConfig) {
+  return providerModelProfiles(providerName, providerConfig)[0]?.model ?? "";
+}
+function resolveConfiguredApiKey(providerConfig) {
+  if (providerConfig.apiKey) return { value: providerConfig.apiKey };
+  for (const envName of [providerConfig.apiKeyEnv, ...providerConfig.apiKeyEnvAliases ?? []]) {
+    if (!envName) continue;
+    const value = process.env[envName];
+    if (value) return { value, envName };
+  }
+  return { envName: providerConfig.apiKeyEnv ?? providerConfig.apiKeyEnvAliases?.[0] };
+}
+function resolveProviderRuntimeConfig(config, selection) {
+  const providerName = normalizeProviderAlias(selection.providerName);
+  const providerConfig = resolveProviderConfig(config, providerName);
+  const profiles = providerModelProfiles(providerName, providerConfig);
+  let profile;
+  if (selection.modelProfileName) profile = profiles.find((item) => item.name === selection.modelProfileName);
+  if (!profile && selection.model) profile = profiles.find((item) => item.displayName === selection.model);
+  if (!profile && selection.model) profile = profiles.find((item) => item.model === selection.model);
+  if (!profile) profile = profiles[0];
+  if (!profile) {
+    const model = selection.model ?? defaultModelForProvider(providerName, providerConfig);
+    if (!model) throw new Error(`Provider ${providerName} has no model. Run \`demian config models ${providerName} --refresh\` or add a model profile.`);
+    return { providerName, providerConfig, model };
+  }
+  const merged = mergeModelProfile(providerConfig, profile);
+  return {
+    providerName,
+    providerConfig: merged,
+    model: profile.model,
+    modelProfileName: profile.name
+  };
+}
+function mergeModelProfile(providerConfig, profile) {
+  const merged = {
+    ...providerConfig,
+    ...definedOnly({
+      baseURL: profile.baseURL,
+      apiKey: profile.apiKey,
+      apiKeyEnv: profile.apiKeyEnv,
+      apiKeyEnvAliases: profile.apiKeyEnvAliases,
+      auth: profile.auth,
+      headers: profile.headers,
+      quirks: profile.quirks,
+      maxTokens: profile.maxTokens
+    }),
+    model: profile.model
+  };
+  return merged;
+}
+function definedOnly(input2) {
+  return Object.fromEntries(Object.entries(input2).filter(([, value]) => value !== void 0));
+}
+function fallbackModelForProvider(providerName, providerConfig) {
+  if (typeof providerConfig.model === "string" && providerConfig.model.trim()) return providerConfig.model.trim();
+  if (providerName === "openai") return "gpt-5.5";
+  if (providerName === "anthropic") return CLAUDE_CODE_SONNET_MODEL;
+  if (providerName === "codex" || providerConfig.type === "codex") return "gpt-5.5";
+  if (providerName === "claudecode") return CLAUDE_CODE_SONNET_MODEL;
+  if (providerName === "gemini") return "gemini-2.5-pro";
+  if (providerName === "groq") return "openai/gpt-oss-120b";
+  return void 0;
 }
 function migrateProviderConfig(provider, baseProvider) {
   if (isLegacyClaudeCodeShape(provider)) {
@@ -24027,12 +24273,14 @@ function resolveAgentMode(config, flagMode) {
   return "single-agent";
 }
 function resolveProviderConfig(config, providerName) {
-  const provider = config.providers[providerName];
+  const normalized = normalizeProviderAlias(providerName);
+  const provider = config.providers[normalized];
   if (!provider) throw new Error(`Unknown provider: ${providerName}`);
   return provider;
 }
 function resolveProvider(providerConfig, options = {}) {
   const model = options.model ?? providerConfig.model;
+  if (!model) throw new Error("Provider has no selected model. Choose a model or add a model profile.");
   if (providerConfig.type === "claudecode") {
     throw new Error("claudecode is an external agent runtime. Use resolveExecutionBackend().");
   }
@@ -24079,12 +24327,28 @@ function resolveProvider(providerConfig, options = {}) {
     };
   }
   if (providerConfig.type === "anthropic") {
-    const apiKey2 = providerConfig.apiKey ?? (providerConfig.apiKeyEnv ? process.env[providerConfig.apiKeyEnv] : void 0);
+    const apiKey2 = resolveConfiguredApiKey(providerConfig).value;
     if (!apiKey2) {
       throw new Error(`Missing API key for provider. Set ${providerConfig.apiKeyEnv ?? "apiKey"} or configure apiKey.`);
     }
     return {
       provider: new AnthropicProvider({
+        apiKey: apiKey2,
+        baseURL: providerConfig.baseURL,
+        defaultModel: model,
+        onRetry: options.onRetry
+      }),
+      model
+    };
+  }
+  if (providerConfig.type === "ollama") {
+    const apiKey2 = resolveConfiguredApiKey(providerConfig).value;
+    if (!apiKey2) {
+      throw new Error(`Missing API key for provider. Set ${providerConfig.apiKeyEnv ?? "apiKey"} or configure apiKey.`);
+    }
+    return {
+      provider: new OllamaProvider({
+        baseURL: providerConfig.baseURL,
         apiKey: apiKey2,
         defaultModel: model,
         onRetry: options.onRetry
@@ -24092,7 +24356,7 @@ function resolveProvider(providerConfig, options = {}) {
       model
     };
   }
-  const apiKey = providerConfig.apiKey ?? (providerConfig.apiKeyEnv ? process.env[providerConfig.apiKeyEnv] : void 0);
+  const apiKey = resolveConfiguredApiKey(providerConfig).value;
   if (!apiKey) {
     throw new Error(`Missing API key for provider. Set ${providerConfig.apiKeyEnv ?? "apiKey"} or configure apiKey.`);
   }
@@ -24111,6 +24375,7 @@ function resolveProvider(providerConfig, options = {}) {
 }
 function resolveExecutionBackend(providerConfig, options = {}) {
   const model = options.model ?? providerConfig.model;
+  if (!model) throw new Error("Provider has no selected model. Choose a model or add a model profile.");
   if (providerConfig.type === "claudecode") {
     const runtimeConfig = options.config || providerConfig.permissionProfile ? resolveClaudeCodeRuntimeConfig(providerConfig, options.config ?? defaultConfig, options.agent) : providerConfig;
     return {
@@ -24152,44 +24417,1128 @@ function claudeCodeRuntimePolicyHash(config) {
 }
 var CLAUDE_CODE_PERMISSION_PROFILE_KEYS = ["permissionMode", "defaultDecision", "allowedTools", "disallowedTools", "tools", "allowSubagents"];
 
-// src/doctor/policies.ts
-import { existsSync as existsSync2 } from "node:fs";
-import { readFile as readFile7, writeFile as writeFile5 } from "node:fs/promises";
+// src/config-command.ts
+import { spawn as spawn4 } from "node:child_process";
+import { stat as stat4 } from "node:fs/promises";
+import os10 from "node:os";
+import path16 from "node:path";
+import readline3 from "node:readline/promises";
+
+// src/config-scaffold.ts
+import { chmod as chmod3, mkdir as mkdir6, readFile as readFile7, rename as rename4, stat as stat3, writeFile as writeFile5 } from "node:fs/promises";
 import os8 from "node:os";
-import path13 from "node:path";
-function isDoctorCommand(argv) {
-  return argv[0] === "doctor";
-}
-async function maybeRunDoctorCommand(argv, options = {}) {
-  if (!isDoctorCommand(argv)) return void 0;
-  return runDoctorCommand(argv.slice(1), options);
+import path14 from "node:path";
+function defaultUserConfigPath() {
+  return path14.join(os8.homedir(), ".demian", "config.json");
 }
-async function runDoctorCommand(argv, options = {}) {
-  const stdout = options.stdout ?? process.stdout;
-  const stderr = options.stderr ?? process.stderr;
-  const flags = parseDoctorFlags(argv);
-  if (flags.help) {
-    stdout.write(doctorHelp());
-    return 0;
-  }
-  if (argv[0] !== "policies" || !argv.includes("--upgrade-namespaces")) {
-    stderr.write("Unsupported doctor command. Run `demian doctor policies --upgrade-namespaces [--write]`.\n");
-    return 1;
-  }
-  const cwd = path13.resolve(flags.cwd ?? options.cwd ?? process.cwd());
-  const filePaths = resolvePolicyConfigPaths(cwd, flags.configPaths);
-  if (filePaths.length === 0) {
-    stdout.write("No demian config files found to inspect.\n");
+function defaultUserConfig(defaultProvider = detectDefaultProvider()) {
+  return {
+    version: 2,
+    defaultProvider,
+    providers: {
+      openai: {
+        type: "openai-compatible",
+        baseURL: "https://api.openai.com/v1",
+        apiKeyEnv: "OPENAI_API_KEY",
+        catalog: { type: "openai-models", endpoint: "https://api.openai.com/v1/models" }
+      },
+      anthropic: {
+        type: "anthropic",
+        baseURL: "https://api.anthropic.com/v1",
+        apiKeyEnv: "ANTHROPIC_API_KEY",
+        catalog: { type: "anthropic-models", endpoint: "https://api.anthropic.com/v1/models" }
+      },
+      gemini: {
+        type: "openai-compatible",
+        baseURL: "https://generativelanguage.googleapis.com/v1beta/openai/",
+        apiKeyEnv: "GEMINI_API_KEY",
+        apiKeyEnvAliases: ["GOOGLE_API_KEY"],
+        catalog: { type: "gemini-openai-models", endpoint: "https://generativelanguage.googleapis.com/v1beta/openai/models" }
+      },
+      groq: {
+        type: "openai-compatible",
+        baseURL: "https://api.groq.com/openai/v1",
+        apiKeyEnv: "GROQ_API_KEY",
+        catalog: { type: "groq-models", endpoint: "https://api.groq.com/openai/v1/models" }
+      },
+      azure: {
+        type: "openai-compatible",
+        auth: { type: "api-key", header: "api-key" },
+        modelProfiles: [
+          {
+            name: "azure-example",
+            displayName: "Azure example",
+            model: "azure-deployment-name",
+            baseURL: "https://example.openai.azure.com/openai/v1",
+            apiKeyEnv: "AZURE_OPENAI_API_KEY"
+          }
+        ]
+      },
+      lmstudio: {
+        type: "openai-compatible",
+        baseURL: "http://localhost:1234/v1",
+        apiKey: "lm-studio",
+        catalog: { type: "openai-compatible-models", endpoint: "http://localhost:1234/v1/models" }
+      },
+      "ollama-local": {
+        type: "openai-compatible",
+        baseURL: "http://localhost:11434/v1",
+        apiKey: "ollama",
+        quirks: { omitTemperature: true },
+        catalog: { type: "openai-compatible-models", endpoint: "http://localhost:11434/v1/models" }
+      },
+      "ollama-cloud": {
+        type: "ollama",
+        baseURL: "https://ollama.com/api",
+        apiKeyEnv: "OLLAMA_API_KEY",
+        catalog: { type: "ollama-tags", endpoint: "https://ollama.com/api/tags" }
+      },
+      llamacpp: {
+        type: "openai-compatible",
+        baseURL: "http://localhost:8080/v1",
+        apiKey: "llama.cpp",
+        catalog: { type: "openai-compatible-models", endpoint: "http://localhost:8080/v1/models" }
+      },
+      vllm: {
+        type: "openai-compatible",
+        baseURL: "http://localhost:8000/v1",
+        apiKey: "vllm",
+        catalog: { type: "openai-compatible-models", endpoint: "http://localhost:8000/v1/models" }
+      },
+      codex: {
+        type: "codex",
+        baseURL: "https://chatgpt.com/backend-api/codex",
+        authStore: "auto",
+        allowApiKeyFallback: false,
+        promptCacheKey: "root-session",
+        catalog: { type: "codex-oauth-models" }
+      },
+      claudecode: {
+        type: "claudecode",
+        runtime: "agent-sdk",
+        cliPath: "~/.local/bin/claude",
+        cwdMode: "session",
+        historyPolicy: "passthrough-resume",
+        onInvalidResume: "fresh",
+        attachmentFallback: "block",
+        allowSubagents: false,
+        sanitizeApiKeyEnv: true,
+        authPreflight: true,
+        useBareMode: false,
+        usageLedgerScope: "process",
+        sessionLock: true,
+        abortPolicy: "record-only",
+        catalog: { type: "claudecode-supported-models" }
+      }
+    }
+  };
+}
+async function createUserConfig(options = {}) {
+  const filePath = expandHome2(options.path ?? defaultUserConfigPath());
+  const content = `${JSON.stringify(defaultUserConfig(options.defaultProvider), null, 2)}
+`;
+  if (options.print) return { path: filePath, created: false, content };
+  const existed = await exists(filePath);
+  if (existed && !options.force) return { path: filePath, created: false, content: await readFile7(filePath, "utf8"), existed: true };
+  await writeJsonAtomic(filePath, content);
+  return { path: filePath, created: true, content, existed };
+}
+async function addProvider(options) {
+  const filePath = expandHome2(options.path ?? defaultUserConfigPath());
+  const config = await readConfigObject(filePath);
+  const providers = objectValue(config.providers);
+  const name = options.name;
+  if (providers[name] && !options.force) throw new Error(`Provider ${name} already exists. Use --force to overwrite it.`);
+  providers[name] = providerPreset(options);
+  config.providers = providers;
+  const content = `${JSON.stringify(config, null, 2)}
+`;
+  await writeJsonAtomic(filePath, content);
+  return { path: filePath, created: true, content };
+}
+async function addModelProfile(options) {
+  const filePath = expandHome2(options.path ?? defaultUserConfigPath());
+  const config = await readConfigObject(filePath);
+  const providers = objectValue(config.providers);
+  const provider = objectValue(providers[options.provider]);
+  const profiles = Array.isArray(provider.modelProfiles) ? [...provider.modelProfiles] : [];
+  const displayName = options.displayName ?? options.name;
+  const existingByName = profiles.findIndex((entry) => entry.name === options.name);
+  const existingByDisplay = profiles.findIndex((entry) => entry.displayName === displayName);
+  if (existingByName >= 0 && !options.force) throw new Error(`Profile name "${options.name}" already exists on provider ${options.provider}. Use --force to overwrite it.`);
+  if (existingByDisplay >= 0 && existingByDisplay !== existingByName && !options.force) {
+    throw new Error(`Profile displayName "${displayName}" already exists on provider ${options.provider} (profile name: ${profiles[existingByDisplay].name}). Use --force or pick a different --display-name.`);
+  }
+  const next = {
+    name: options.name,
+    displayName,
+    model: options.model,
+    ...options.baseURL ? { baseURL: options.baseURL } : {},
+    ...options.apiKey ? { apiKey: options.apiKey } : {},
+    ...options.apiKeyEnv ? { apiKeyEnv: options.apiKeyEnv } : {}
+  };
+  if (existingByName >= 0) profiles[existingByName] = next;
+  else profiles.push(next);
+  provider.modelProfiles = profiles;
+  providers[options.provider] = provider;
+  config.providers = providers;
+  const content = `${JSON.stringify(config, null, 2)}
+`;
+  await writeJsonAtomic(filePath, content);
+  return { path: filePath, created: true, content };
+}
+async function readConfigObject(filePath) {
+  if (!await exists(filePath)) await createUserConfig({ path: filePath });
+  const raw = JSON.parse(await readFile7(filePath, "utf8"));
+  raw.version ??= 2;
+  raw.providers = objectValue(raw.providers);
+  return raw;
+}
+function providerPreset(options) {
+  const preset = options.preset ?? options.name;
+  const auth = {
+    ...options.apiKey ? { apiKey: options.apiKey } : {},
+    ...options.apiKeyEnv ? { apiKeyEnv: options.apiKeyEnv } : {}
+  };
+  const openAIAuth = options.authHeader ? { auth: { type: "api-key", header: options.authHeader } } : {};
+  if (preset === "openai") return { type: "openai-compatible", baseURL: options.baseURL ?? "https://api.openai.com/v1", apiKeyEnv: "OPENAI_API_KEY", ...auth, ...openAIAuth, catalog: { type: "openai-models", endpoint: `${(options.baseURL ?? "https://api.openai.com/v1").replace(/\/+$/, "")}/models` } };
+  if (preset === "anthropic") return { type: "anthropic", baseURL: options.baseURL ?? "https://api.anthropic.com/v1", apiKeyEnv: "ANTHROPIC_API_KEY", ...auth, catalog: { type: "anthropic-models", endpoint: `${(options.baseURL ?? "https://api.anthropic.com/v1").replace(/\/+$/, "")}/models` } };
+  if (preset === "gemini") {
+    const geminiBase = options.baseURL ?? "https://generativelanguage.googleapis.com/v1beta/openai/";
+    return { type: "openai-compatible", baseURL: geminiBase, apiKeyEnv: "GEMINI_API_KEY", apiKeyEnvAliases: ["GOOGLE_API_KEY"], ...auth, ...openAIAuth, catalog: { type: "gemini-openai-models", endpoint: `${geminiBase.replace(/\/+$/, "")}/models` } };
+  }
+  if (preset === "groq") return { type: "openai-compatible", baseURL: options.baseURL ?? "https://api.groq.com/openai/v1", apiKeyEnv: "GROQ_API_KEY", ...auth, ...openAIAuth, catalog: { type: "groq-models", endpoint: `${(options.baseURL ?? "https://api.groq.com/openai/v1").replace(/\/+$/, "")}/models` } };
+  if (preset === "azure") {
+    return {
+      type: "openai-compatible",
+      auth: { type: "api-key", header: options.authHeader ?? "api-key" },
+      ...auth,
+      modelProfiles: [
+        {
+          name: "azure-example",
+          displayName: "Azure example",
+          model: "azure-deployment-name",
+          baseURL: options.baseURL ?? "https://example.openai.azure.com/openai/v1",
+          apiKeyEnv: options.apiKeyEnv ?? "AZURE_OPENAI_API_KEY"
+        }
+      ]
+    };
+  }
+  if (preset === "lmstudio") return { type: "openai-compatible", baseURL: options.baseURL ?? "http://localhost:1234/v1", apiKey: options.apiKey ?? "lm-studio", catalog: { type: "openai-compatible-models", endpoint: `${(options.baseURL ?? "http://localhost:1234/v1").replace(/\/+$/, "")}/models` } };
+  if (preset === "ollama-local" || preset === "ollama") return { type: "openai-compatible", baseURL: options.baseURL ?? "http://localhost:11434/v1", apiKey: options.apiKey ?? "ollama", quirks: { omitTemperature: true }, catalog: { type: "openai-compatible-models", endpoint: `${(options.baseURL ?? "http://localhost:11434/v1").replace(/\/+$/, "")}/models` } };
+  if (preset === "ollama-cloud") return { type: "ollama", baseURL: options.baseURL ?? "https://ollama.com/api", ...auth, catalog: { type: "ollama-tags", endpoint: `${(options.baseURL ?? "https://ollama.com/api").replace(/\/+$/, "")}/tags` } };
+  if (preset === "llamacpp") return { type: "openai-compatible", baseURL: options.baseURL ?? "http://localhost:8080/v1", apiKey: options.apiKey ?? "llama.cpp", catalog: { type: "openai-compatible-models", endpoint: `${(options.baseURL ?? "http://localhost:8080/v1").replace(/\/+$/, "")}/models` } };
+  if (preset === "vllm") return { type: "openai-compatible", baseURL: options.baseURL ?? "http://localhost:8000/v1", apiKey: options.apiKey ?? "vllm", catalog: { type: "openai-compatible-models", endpoint: `${(options.baseURL ?? "http://localhost:8000/v1").replace(/\/+$/, "")}/models` } };
+  if (preset === "codex") return { type: "codex", baseURL: options.baseURL ?? "https://chatgpt.com/backend-api/codex", authStore: "auto", allowApiKeyFallback: false, promptCacheKey: "root-session", catalog: { type: "codex-oauth-models" } };
+  if (preset === "claudecode") return { type: "claudecode", runtime: "agent-sdk", cliPath: "~/.local/bin/claude", cwdMode: "session", historyPolicy: "passthrough-resume", onInvalidResume: "fresh", attachmentFallback: "block", allowSubagents: false, sanitizeApiKeyEnv: true, authPreflight: true, useBareMode: false, usageLedgerScope: "process", sessionLock: true, abortPolicy: "record-only", catalog: { type: "claudecode-supported-models" } };
+  if ((options.type ?? preset) === "openai-compatible") {
+    const baseURL = options.baseURL;
+    if (!baseURL) throw new Error("openai-compatible provider requires --base-url.");
+    return {
+      type: "openai-compatible",
+      baseURL,
+      ...options.apiKey ? { apiKey: options.apiKey } : {},
+      ...options.apiKeyEnv ? { apiKeyEnv: options.apiKeyEnv } : {},
+      ...openAIAuth,
+      catalog: { type: "openai-compatible-models", endpoint: `${baseURL.replace(/\/+$/, "")}/models` }
+    };
+  }
+  throw new Error(`Unknown provider preset: ${preset}`);
+}
+async function writeJsonAtomic(filePath, content) {
+  await mkdir6(path14.dirname(filePath), { recursive: true, mode: 448 });
+  const temp = `${filePath}.${process.pid}.${Date.now()}.tmp`;
+  await writeFile5(temp, content, { mode: 384 });
+  await rename4(temp, filePath);
+  await chmod3(filePath, 384).catch(() => void 0);
+}
+function detectDefaultProvider() {
+  if (process.env.OPENAI_API_KEY) return "openai";
+  if (process.env.ANTHROPIC_API_KEY) return "anthropic";
+  if (process.env.GEMINI_API_KEY || process.env.GOOGLE_API_KEY) return "gemini";
+  if (process.env.GROQ_API_KEY) return "groq";
+  return "openai";
+}
+function objectValue(value) {
+  return value && typeof value === "object" && !Array.isArray(value) ? { ...value } : {};
+}
+async function exists(filePath) {
+  try {
+    await stat3(filePath);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function expandHome2(value) {
+  return resolveExpandedPath(value);
+}
+
+// src/models/catalog.ts
+import crypto5 from "node:crypto";
+import { mkdir as mkdir7, readFile as readFile8, rename as rename5, writeFile as writeFile6 } from "node:fs/promises";
+import os9 from "node:os";
+import path15 from "node:path";
+var DEFAULT_CACHE_TTL_MS = 5 * 60 * 1e3;
+var PING_TIMEOUT_MS = 1500;
+var DEFAULT_CODEX_CLIENT_VERSION = "0.0.0";
+var dynamicImport2 = new Function("specifier", "return import(specifier)");
+var inflight = /* @__PURE__ */ new Map();
+var pingCache = /* @__PURE__ */ new Map();
+var PING_CACHE_TTL_MS = 30 * 1e3;
+var packageVersionPromise;
+async function listProviderModelCatalog(providerName, providerConfig, options = {}) {
+  const key = `${catalogCacheKey(providerName, providerConfig)}:${options.refresh ? "refresh" : "default"}`;
+  const existing = inflight.get(key);
+  if (existing) return existing;
+  const promise = doListProviderModelCatalog(providerName, providerConfig, options).finally(() => inflight.delete(key));
+  inflight.set(key, promise);
+  return promise;
+}
+async function doListProviderModelCatalog(providerName, providerConfig, options) {
+  const staticModels = staticModelEntries(providerName, providerConfig);
+  const catalog = providerConfig.catalog;
+  if (!catalog || catalog.type === "static") {
+    return { status: staticModels.length ? "ready" : "unavailable", providerName, models: staticModels, source: "config" };
+  }
+  const missingAuthEnv = missingCatalogAuth(providerConfig);
+  if (missingAuthEnv) {
+    return {
+      status: "missing-auth",
+      providerName,
+      models: staticModels,
+      source: staticModels.length ? "config" : "fallback",
+      message: `missing-auth:${missingAuthEnv}`
+    };
+  }
+  const cacheKey = catalogCacheKey(providerName, providerConfig);
+  const ttlMs = catalog.refreshTtlMs ?? DEFAULT_CACHE_TTL_MS;
+  const cached = await readCatalogCache(cacheKey, ttlMs, options.refresh !== true);
+  if (cached && !options.refresh) return { ...cached, models: mergeCatalogWithStatic(staticModels, cached.models) };
+  if (catalog.endpoint) {
+    const reachable = await pingEndpoint(catalog.endpoint, options.fetch);
+    if (!reachable) {
+      const stale = await readCatalogCache(cacheKey, Number.POSITIVE_INFINITY, true);
+      if (stale) return { ...stale, models: mergeCatalogWithStatic(staticModels, stale.models), message: `endpoint ${catalog.endpoint} unreachable; using cached models` };
+      if (staticModels.length) return { status: "ready", providerName, models: staticModels, source: "config", message: `endpoint ${catalog.endpoint} unreachable; using configured profiles` };
+      return { status: "unavailable", providerName, models: [], source: "fallback", message: `endpoint ${catalog.endpoint} unreachable` };
+    }
+  }
+  try {
+    const remote = await fetchCatalog(providerName, providerConfig, options);
+    const merged = mergeCatalogWithStatic(staticModels, remote.models);
+    const result = { ...remote, models: merged };
+    if (result.status === "ready") await writeCatalogCache(cacheKey, result);
+    return result;
+  } catch (error) {
+    const authMissing = isMissingAuthError(error);
+    const stale = await readCatalogCache(cacheKey, Number.POSITIVE_INFINITY, true);
+    if (stale) return { ...stale, status: authMissing ? "missing-auth" : stale.status, models: mergeCatalogWithStatic(staticModels, stale.models), message: errorMessage2(error) };
+    if (staticModels.length) return { status: authMissing ? "missing-auth" : "ready", providerName, models: staticModels, source: "config", message: errorMessage2(error) };
+    return { status: authMissing ? "missing-auth" : "unavailable", providerName, models: [], source: "fallback", message: errorMessage2(error) };
+  }
+}
+async function pingEndpoint(endpoint, fetcher) {
+  const now2 = Date.now();
+  const cached = pingCache.get(endpoint);
+  if (cached && cached.expiresAt > now2) return cached.ok;
+  const ok2 = await tryPing(endpoint, fetcher);
+  pingCache.set(endpoint, { ok: ok2, expiresAt: now2 + PING_CACHE_TTL_MS });
+  return ok2;
+}
+async function tryPing(endpoint, fetcher) {
+  const fn = fetcher ?? fetch;
+  try {
+    const response = await fn(endpoint, { method: "HEAD", signal: AbortSignal.timeout(PING_TIMEOUT_MS) });
+    if (response.status < 500) return true;
+  } catch {
+  }
+  try {
+    const response = await fn(endpoint, { method: "GET", signal: AbortSignal.timeout(PING_TIMEOUT_MS), headers: { range: "bytes=0-0" } });
+    return response.status < 500;
+  } catch {
+    return false;
+  }
+}
+async function fetchCatalog(providerName, providerConfig, options) {
+  if (providerConfig.type === "codex" || providerConfig.catalog?.type === "codex-oauth-models") return fetchCodexCatalog(providerName, providerConfig, options);
+  if (providerConfig.type === "claudecode" || providerConfig.catalog?.type === "claudecode-supported-models") return fetchClaudeCodeCatalog(providerName, providerConfig, options);
+  if (providerConfig.catalog?.type === "anthropic-models") return fetchAnthropicCatalog(providerName, providerConfig, options);
+  if (providerConfig.catalog?.type === "ollama-tags") return fetchOllamaTagsCatalog(providerName, providerConfig, options);
+  return fetchOpenAIStyleCatalog(providerName, providerConfig, options);
+}
+async function fetchOpenAIStyleCatalog(providerName, providerConfig, options) {
+  if (providerConfig.type !== "openai-compatible") throw new Error(`Provider ${providerName} is not OpenAI-compatible.`);
+  const apiKey = resolveConfiguredApiKey(providerConfig);
+  if (!apiKey.value) throw missingAuth(providerConfig.apiKeyEnv ?? "apiKey");
+  const endpoint = providerConfig.catalog?.endpoint ?? `${providerConfig.baseURL.replace(/\/+$/, "")}/models`;
+  const response = await fetchJson(endpoint, {
+    fetcher: options.fetch,
+    timeoutMs: options.timeoutMs,
+    headers: {
+      ...authHeadersForOpenAICompatible(providerConfig, apiKey.value),
+      ...providerConfig.headers ?? {}
+    }
+  });
+  return {
+    status: "ready",
+    providerName,
+    models: normalizeOpenAIModels(response).map((entry) => ({ ...entry, source: "api" })),
+    source: "api"
+  };
+}
+async function fetchAnthropicCatalog(providerName, providerConfig, options) {
+  if (providerConfig.type !== "anthropic") throw new Error(`Provider ${providerName} is not Anthropic.`);
+  const apiKey = resolveConfiguredApiKey(providerConfig);
+  if (!apiKey.value) throw missingAuth(providerConfig.apiKeyEnv ?? "apiKey");
+  const base = providerConfig.baseURL ?? "https://api.anthropic.com/v1";
+  const endpoint = providerConfig.catalog?.endpoint ?? `${base.replace(/\/+$/, "")}/models`;
+  const models = [];
+  let afterId;
+  for (; ; ) {
+    const url = new URL(endpoint);
+    if (afterId) url.searchParams.set("after_id", afterId);
+    url.searchParams.set("limit", "100");
+    const response = await fetchJson(url.toString(), {
+      fetcher: options.fetch,
+      timeoutMs: options.timeoutMs,
+      headers: {
+        "x-api-key": apiKey.value,
+        "anthropic-version": "2023-06-01"
+      }
+    });
+    const page = normalizeAnthropicModels(response);
+    models.push(...page);
+    if (!response.has_more || !response.last_id) break;
+    afterId = response.last_id;
+  }
+  return { status: "ready", providerName, models, source: "api" };
+}
+async function fetchOllamaTagsCatalog(providerName, providerConfig, options) {
+  if (providerConfig.type !== "ollama") throw new Error(`Provider ${providerName} is not Ollama native.`);
+  const apiKey = resolveConfiguredApiKey(providerConfig);
+  if (!apiKey.value) throw missingAuth(providerConfig.apiKeyEnv ?? "apiKey");
+  const endpoint = providerConfig.catalog?.endpoint ?? `${providerConfig.baseURL.replace(/\/+$/, "")}/tags`;
+  const response = await fetchJson(endpoint, {
+    fetcher: options.fetch,
+    timeoutMs: options.timeoutMs,
+    headers: { authorization: `Bearer ${apiKey.value}` }
+  });
+  return {
+    status: "ready",
+    providerName,
+    models: normalizeOllamaTags(response).map((entry) => ({ ...entry, source: "api" })),
+    source: "api"
+  };
+}
+async function fetchCodexCatalog(providerName, providerConfig, options) {
+  if (providerConfig.type !== "codex") throw new Error(`Provider ${providerName} is not Codex.`);
+  const fetcher = options.fetch ?? fetch;
+  const baseURL = (providerConfig.baseURL ?? "https://chatgpt.com/backend-api/codex").replace(/\/+$/, "");
+  const installationId = await loadOrCreateInstallationId(resolveCodexHome(providerConfig.codexHome));
+  const auth = getSharedCodexAuthStore({
+    codexHome: providerConfig.codexHome,
+    authStore: providerConfig.authStore,
+    allowApiKeyFallback: providerConfig.allowApiKeyFallback,
+    proactiveRefreshMinutes: providerConfig.refresh?.proactiveRefreshMinutes,
+    refreshCache: providerConfig.refresh?.cache,
+    fetch: fetcher
+  });
+  const headers = await auth.requestHeaders(installationId);
+  const url = new URL(`${baseURL}/models`);
+  url.searchParams.set("client_version", await codexClientVersion(options.clientVersion));
+  const response = await fetchJson(url.toString(), {
+    fetcher,
+    timeoutMs: options.timeoutMs,
+    headers
+  });
+  return {
+    status: "ready",
+    providerName,
+    models: normalizeCodexModels(response).map((entry) => ({ ...entry, source: "oauth" })),
+    source: "oauth"
+  };
+}
+async function fetchClaudeCodeCatalog(providerName, providerConfig, options) {
+  if (providerConfig.type !== "claudecode") throw new Error(`Provider ${providerName} is not Claude Code.`);
+  const fallback = staticModelEntries(providerName, providerConfig);
+  try {
+    const module = await dynamicImport2("@anthropic-ai/claude-agent-sdk");
+    if (!module.query) throw new Error("Claude Agent SDK query export is unavailable.");
+    const query = module.query({
+      prompt: "",
+      options: {
+        model: defaultModelForProvider(providerName, providerConfig),
+        maxTurns: 0,
+        pathToClaudeCodeExecutable: resolveClaudeCodeCliPath(providerConfig.cliPath),
+        env: sanitizedClaudeCodeEnv(providerConfig.env, providerConfig.sanitizeApiKeyEnv ?? true)
+      }
+    });
+    try {
+      if (typeof query.supportedModels !== "function") throw new Error("Claude Agent SDK supportedModels is unavailable.");
+      const models = await withTimeout(query.supportedModels(), options.timeoutMs ?? 5e3);
+      return {
+        status: "ready",
+        providerName,
+        models: models.map((model, index) => ({
+          name: model.displayName || model.value,
+          displayName: model.displayName || model.value,
+          model: model.value,
+          description: model.description,
+          isDefault: index === 0,
+          source: "oauth"
+        })),
+        source: "oauth"
+      };
+    } finally {
+      query.close?.();
+    }
+  } catch (error) {
+    if (fallback.length) return { status: "ready", providerName, models: fallback, source: "fallback", message: errorMessage2(error) };
+    throw error;
+  }
+}
+function staticModelEntries(providerName, providerConfig) {
+  return providerModelProfiles(providerName, providerConfig).filter((profile) => !profile.hidden).map((profile, index) => ({
+    name: profile.displayName ?? profile.name,
+    displayName: profile.displayName ?? profile.name,
+    model: profile.model,
+    description: profile.description,
+    isDefault: index === 0,
+    source: "config"
+  }));
+}
+function mergeCatalogWithStatic(staticModels, remoteModels) {
+  const byModel = /* @__PURE__ */ new Map();
+  for (const model of remoteModels) byModel.set(model.model, model);
+  for (const model of staticModels) byModel.set(model.model, { ...byModel.get(model.model), ...model, source: model.source });
+  return [...byModel.values()];
+}
+function normalizeOpenAIModels(raw) {
+  const items = Array.isArray(raw.data) ? raw.data : Array.isArray(raw.models) ? raw.models : [];
+  return items.map((item) => {
+    const object2 = item;
+    const id = stringValue4(object2.id) ?? stringValue4(object2.name) ?? stringValue4(object2.model);
+    if (!id) return void 0;
+    return {
+      name: id,
+      displayName: stringValue4(object2.display_name) ?? stringValue4(object2.displayName) ?? id,
+      model: id,
+      description: stringValue4(object2.description)
+    };
+  }).filter(Boolean);
+}
+function normalizeAnthropicModels(raw) {
+  return (raw.data ?? []).map((item) => {
+    const object2 = item;
+    const id = stringValue4(object2.id);
+    if (!id) return void 0;
+    return {
+      name: stringValue4(object2.display_name) ?? id,
+      displayName: stringValue4(object2.display_name) ?? id,
+      model: id,
+      description: stringValue4(object2.description),
+      source: "api"
+    };
+  }).filter(Boolean);
+}
+function normalizeOllamaTags(raw) {
+  const items = Array.isArray(raw.models) ? raw.models : [];
+  return items.map((item) => {
+    const object2 = item;
+    const id = stringValue4(object2.name) ?? stringValue4(object2.model);
+    if (!id) return void 0;
+    return { name: id, displayName: id, model: id };
+  }).filter(Boolean);
+}
+function normalizeCodexModels(raw) {
+  const items = Array.isArray(raw.models) ? raw.models : [];
+  return items.map((item, index) => {
+    const object2 = item;
+    const id = stringValue4(object2.slug) ?? stringValue4(object2.id) ?? stringValue4(object2.model);
+    if (!id) return void 0;
+    return {
+      name: stringValue4(object2.display_name) ?? id,
+      displayName: stringValue4(object2.display_name) ?? id,
+      model: id,
+      description: stringValue4(object2.description),
+      isDefault: index === 0
+    };
+  }).filter(Boolean);
+}
+function authHeadersForOpenAICompatible(providerConfig, apiKey) {
+  const auth = inferOpenAICompatibleAuth(providerConfig.baseURL, providerConfig.auth);
+  const type = auth.type ?? "bearer";
+  const header = auth.header ?? (type === "api-key" ? "api-key" : "authorization");
+  return { [header]: type === "bearer" ? `Bearer ${apiKey}` : apiKey };
+}
+async function fetchJson(url, options) {
+  const response = await (options.fetcher ?? fetch)(url, {
+    method: "GET",
+    headers: {
+      accept: "application/json",
+      ...options.headers ?? {}
+    },
+    signal: AbortSignal.timeout(options.timeoutMs ?? 5e3)
+  });
+  const text = await response.text();
+  if (!response.ok) throw new Error(`HTTP ${response.status}: ${text}`);
+  return text ? JSON.parse(text) : {};
+}
+function cachePath(cacheKey) {
+  return path15.join(os9.homedir(), ".demian", "cache", "models", `${safeCacheName(cacheKey)}.json`);
+}
+async function readCatalogCache(cacheKey, ttlMs, allow) {
+  if (!allow) return void 0;
+  try {
+    const raw = JSON.parse(await readFile8(cachePath(cacheKey), "utf8"));
+    if (!raw.result) return void 0;
+    if (ttlMs !== Number.POSITIVE_INFINITY && Date.now() - (raw.savedAt ?? 0) > ttlMs) return void 0;
+    return { ...raw.result, source: "cache", models: raw.result.models.map((model) => ({ ...model, source: "cache" })) };
+  } catch {
+    return void 0;
+  }
+}
+async function writeCatalogCache(cacheKey, result) {
+  const filePath = cachePath(cacheKey);
+  await mkdir7(path15.dirname(filePath), { recursive: true, mode: 448 });
+  const temp = `${filePath}.${process.pid}.${Date.now()}.tmp`;
+  await writeFile6(temp, JSON.stringify({ savedAt: Date.now(), result }, null, 2), { mode: 384 });
+  await rename5(temp, filePath);
+}
+function safeCacheName(providerName) {
+  return providerName.replace(/[^a-zA-Z0-9_.-]+/g, "_");
+}
+function catalogCacheKey(providerName, providerConfig) {
+  const identity = {
+    providerName,
+    type: providerConfig.type,
+    catalogType: providerConfig.catalog?.type,
+    endpoint: providerConfig.catalog?.endpoint,
+    baseURL: "baseURL" in providerConfig ? providerConfig.baseURL : void 0,
+    apiKeyEnv: "apiKeyEnv" in providerConfig ? providerConfig.apiKeyEnv : void 0,
+    apiKeyEnvAliases: "apiKeyEnvAliases" in providerConfig ? providerConfig.apiKeyEnvAliases : void 0,
+    auth: "auth" in providerConfig ? providerConfig.auth : void 0
+  };
+  const digest = crypto5.createHash("sha256").update(JSON.stringify(identity)).digest("hex").slice(0, 16);
+  return `${providerName}-${digest}`;
+}
+function missingCatalogAuth(providerConfig) {
+  if (providerConfig.type !== "openai-compatible" && providerConfig.type !== "anthropic" && providerConfig.type !== "ollama") return void 0;
+  if (providerConfig.catalog?.requiresAuth === false) return void 0;
+  const expectsAuth = providerConfig.catalog?.requiresAuth === true || !!providerConfig.apiKey || !!providerConfig.apiKeyEnv || !!providerConfig.apiKeyEnvAliases?.length;
+  if (!expectsAuth) return void 0;
+  const apiKey = resolveConfiguredApiKey(providerConfig);
+  return apiKey.value ? void 0 : apiKey.envName ?? "apiKey";
+}
+function stringValue4(value) {
+  return typeof value === "string" && value.trim() ? value.trim() : void 0;
+}
+function missingAuth(envName) {
+  const error = new Error(`missing-auth:${envName}`);
+  return error;
+}
+function isMissingAuthError(error) {
+  if (error instanceof CodexAuthError) {
+    return error.code === "missing_auth" || error.code === "missing_chatgpt_tokens" || error.code === "refresh_unavailable" || error.code === "keyring_write_unsupported" || error.code === "refresh_expired" || error.code === "refresh_invalidated" || error.code === "refresh_reused" || error.code === "refresh_other";
+  }
+  return error instanceof Error && error.message.startsWith("missing-auth:");
+}
+function errorMessage2(error) {
+  return error instanceof Error ? error.message : String(error);
+}
+async function codexClientVersion(override) {
+  const normalized = semverLike(override);
+  if (normalized) return normalized;
+  packageVersionPromise ??= readPackageVersion();
+  return packageVersionPromise;
+}
+async function readPackageVersion() {
+  try {
+    const raw = JSON.parse(await readFile8(new URL("../package.json", import.meta.url), "utf8"));
+    return semverLike(raw.version) ?? DEFAULT_CODEX_CLIENT_VERSION;
+  } catch {
+    return DEFAULT_CODEX_CLIENT_VERSION;
+  }
+}
+function semverLike(value) {
+  if (typeof value !== "string") return void 0;
+  const trimmed = value.trim();
+  return /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/.test(trimmed) ? trimmed : void 0;
+}
+function withTimeout(promise, timeoutMs) {
+  return new Promise((resolve, reject) => {
+    const timer = setTimeout(() => reject(new Error(`Timed out after ${timeoutMs}ms`)), timeoutMs);
+    promise.then(
+      (value) => {
+        clearTimeout(timer);
+        resolve(value);
+      },
+      (error) => {
+        clearTimeout(timer);
+        reject(error);
+      }
+    );
+  });
+}
+
+// src/config-command.ts
+async function maybeRunConfigCommand(argv) {
+  if (argv[0] === "config") return runConfigCommand(argv.slice(1));
+  if (argv[0] === "auth") return runAuthCommand(argv.slice(1));
+  return void 0;
+}
+async function runConfigCommand(argv) {
+  const [command, ...rest] = argv;
+  try {
+    if (!command || command === "help" || command === "--help" || command === "-h") {
+      printConfigHelp();
+      return 0;
+    }
+    if (command === "init") {
+      const flags = parseFlags(rest);
+      const force = boolFlag(flags, "force") || await confirmOverwriteIfExists(stringFlag(flags, "path"), boolFlag(flags, "print"));
+      const result = await createUserConfig({
+        path: stringFlag(flags, "path"),
+        force,
+        print: boolFlag(flags, "print"),
+        defaultProvider: stringFlag(flags, "provider")
+      });
+      if (boolFlag(flags, "print")) {
+        process.stdout.write(result.content);
+      } else if (result.existed && !result.created) {
+        process.stdout.write(`Config already exists: ${result.path}
+`);
+      } else {
+        process.stdout.write(`Created config: ${result.path}
+`);
+      }
+      return 0;
+    }
+    if (command === "path") {
+      process.stdout.write(`${defaultUserConfigPath()}
+`);
+      return 0;
+    }
+    if (command === "setup") {
+      return runSetupWizard();
+    }
+    if (command === "list") {
+      const flags = parseFlags(rest);
+      const config = await loadConfig({ cwd: process.cwd(), configPath: stringFlag(flags, "config") });
+      process.stdout.write(`defaultProvider: ${config.defaultProvider}
+`);
+      for (const name of Object.keys(config.providers)) {
+        const provider = config.providers[name];
+        if (provider.hidden) continue;
+        process.stdout.write(`- ${name} (${provider.type})
+`);
+      }
+      return 0;
+    }
+    if (command === "models") {
+      const providerName = rest.find((item) => !item.startsWith("-"));
+      if (!providerName) throw new Error("config models requires a provider name.");
+      const flags = parseFlags(rest.filter((item) => item !== providerName));
+      const config = await loadConfig({ cwd: process.cwd(), configPath: stringFlag(flags, "config") });
+      const provider = resolveProviderConfig(config, providerName);
+      const result = await listProviderModelCatalog(providerName, provider, { refresh: boolFlag(flags, "refresh") });
+      if (result.status !== "ready") {
+        process.stdout.write(`${providerName}: ${result.status}${result.message ? ` (${result.message})` : ""}
+`);
+        return result.status === "missing-auth" ? 2 : 1;
+      }
+      for (const model of result.models) {
+        const label = model.displayName && model.displayName !== model.model ? `${model.displayName} (${model.model})` : model.model;
+        process.stdout.write(`${model.isDefault ? "* " : "  "}${label}
+`);
+      }
+      return 0;
+    }
+    if (command === "add-provider") {
+      const [presetOrName, ...tail2] = rest;
+      if (!presetOrName) throw new Error("config add-provider requires a provider name or preset.");
+      const flags = parseFlags(tail2);
+      const name = stringFlag(flags, "name") ?? presetOrName;
+      const force = await ensureOverwriteForProvider(stringFlag(flags, "path"), name, boolFlag(flags, "force"));
+      const result = await addProvider({
+        path: stringFlag(flags, "path"),
+        name,
+        preset: presetOrName,
+        type: stringFlag(flags, "type") ?? presetOrName,
+        baseURL: stringFlag(flags, "base-url"),
+        apiKey: await apiKeyFromFlags(flags),
+        apiKeyEnv: stringFlag(flags, "api-key-env"),
+        authHeader: stringFlag(flags, "auth-header"),
+        force
+      });
+      process.stdout.write(`Updated config: ${result.path}
+`);
+      return 0;
+    }
+    if (command === "add-model") {
+      const [provider, ...tail2] = rest;
+      if (!provider) throw new Error("config add-model requires a provider name.");
+      const flags = parseFlags(tail2);
+      const name = requiredStringFlag(flags, "name");
+      const model = requiredStringFlag(flags, "model");
+      const displayName = stringFlag(flags, "display-name");
+      const force = await ensureOverwriteForModel(stringFlag(flags, "path"), provider, name, displayName, boolFlag(flags, "force"));
+      const result = await addModelProfile({
+        path: stringFlag(flags, "path"),
+        provider,
+        name,
+        displayName,
+        model,
+        baseURL: stringFlag(flags, "base-url"),
+        apiKey: await apiKeyFromFlags(flags),
+        apiKeyEnv: stringFlag(flags, "api-key-env"),
+        force
+      });
+      process.stdout.write(`Updated config: ${result.path}
+`);
+      return 0;
+    }
+    throw new Error(`Unknown config command: ${command}`);
+  } catch (error) {
+    process.stderr.write(`${errorMessage3(error)}
+`);
+    return 1;
+  }
+}
+async function runAuthCommand(argv) {
+  const [command, provider] = argv;
+  try {
+    if (!command || command === "help" || command === "--help" || command === "-h") {
+      printAuthHelp();
+      return 0;
+    }
+    if (command === "status") {
+      const claude = await preflightClaudeCodeAuth({ sanitizeApiKeyEnv: true }).catch((error) => ({ ok: false, source: "unknown", warning: errorMessage3(error) }));
+      process.stdout.write(`claudecode: ${claude.ok ? "ok" : "not ready"} (${claude.source})${claude.warning ? ` - ${claude.warning}` : ""}
+`);
+      const codex = await checkCodexAuth();
+      process.stdout.write(`codex: ${codex.ok ? "ok" : "not ready"} (${codex.source})${codex.message ? ` - ${codex.message}` : ""}
+`);
+      return claude.ok && codex.ok ? 0 : 1;
+    }
+    if (command !== "login") throw new Error(`Unknown auth command: ${command}`);
+    return runProviderLogin(provider);
+  } catch (error) {
+    process.stderr.write(`${errorMessage3(error)}
+`);
+    return 1;
+  }
+}
+async function runProviderLogin(provider) {
+  if (provider === "codex") {
+    if (!await commandExists("codex")) {
+      process.stderr.write("Codex CLI not found in PATH. Install it from https://github.com/openai/codex first, then re-run `demian auth login codex`.\n");
+      return 1;
+    }
+    return runLogin("codex", ["login"]);
+  }
+  if (provider === "claudecode") {
+    const cli = resolveClaudeCodeCliPath();
+    if (!cli && !await commandExists("claude")) {
+      process.stderr.write("Claude Code CLI not found. Install it from https://docs.claude.com/en/docs/agents-and-tools/claude-code first, then re-run `demian auth login claudecode`.\n");
+      return 1;
+    }
+    return runLogin(cli ?? "claude", ["setup-token"]);
+  }
+  throw new Error("auth login requires provider codex or claudecode.");
+}
+function runLogin(command, args) {
+  process.stdout.write(`Starting ${[command, ...args].join(" ")}...
+`);
+  const opened = /* @__PURE__ */ new Set();
+  return new Promise((resolve) => {
+    const child = spawn4(command, args, { stdio: ["inherit", "pipe", "pipe"], env: process.env });
+    const onText = (stream) => (chunk) => {
+      const text = chunk.toString();
+      stream.write(text);
+      for (const url of urlsInText(text)) {
+        if (opened.has(url)) continue;
+        opened.add(url);
+        void openUrl(url);
+      }
+    };
+    child.stdout.on("data", onText(process.stdout));
+    child.stderr.on("data", onText(process.stderr));
+    child.on("error", (error) => {
+      process.stderr.write(`${error.message}
+`);
+      resolve(1);
+    });
+    child.on("close", (code) => resolve(code ?? 1));
+  });
+}
+function parseFlags(argv) {
+  const flags = /* @__PURE__ */ new Map();
+  for (let i = 0; i < argv.length; i++) {
+    const arg = argv[i];
+    if (!arg.startsWith("--")) continue;
+    const key = arg.slice(2);
+    const next = argv[i + 1];
+    if (!next || next.startsWith("--")) {
+      flags.set(key, true);
+    } else {
+      flags.set(key, next);
+      i++;
+    }
+  }
+  return flags;
+}
+function stringFlag(flags, name) {
+  const value = flags.get(name);
+  return typeof value === "string" && value.trim() ? value : void 0;
+}
+function requiredStringFlag(flags, name) {
+  const value = stringFlag(flags, name);
+  if (!value) throw new Error(`--${name} is required.`);
+  return value;
+}
+function boolFlag(flags, name) {
+  return flags.get(name) === true;
+}
+async function apiKeyFromFlags(flags) {
+  const inline = stringFlag(flags, "api-key");
+  if (inline) return inline;
+  if (!boolFlag(flags, "api-key-stdin")) return void 0;
+  return (await readStdin()).trim();
+}
+async function readStdin() {
+  let value = "";
+  for await (const chunk of process.stdin) value += Buffer.isBuffer(chunk) ? chunk.toString("utf8") : String(chunk);
+  return value;
+}
+function urlsInText(text) {
+  return [...text.matchAll(/https?:\/\/[^\s)>"']+/g)].map((match) => match[0]);
+}
+function openUrl(url) {
+  const command = process.platform === "darwin" ? "open" : process.platform === "win32" ? "cmd" : "xdg-open";
+  const args = process.platform === "win32" ? ["/c", "start", "", url] : [url];
+  return new Promise((resolve) => {
+    const child = spawn4(command, args, { stdio: "ignore", detached: true });
+    child.on("error", () => resolve());
+    child.on("spawn", () => {
+      child.unref();
+      resolve();
+    });
+  });
+}
+function printConfigHelp() {
+  process.stdout.write(`demian config
+
+Usage:
+  demian config init [--path <path>] [--force] [--print] [--provider <name>]
+  demian config setup                 interactive multi-step provider wizard
+  demian config add-provider <preset|openai-compatible> [--name <name>] [--base-url <url>] [--api-key-env <env>] [--api-key-stdin] [--auth-header <header>] [--force]
+  demian config add-model <provider> --name <name> --model <model> [--display-name <label>] [--base-url <url>] [--api-key-env <env>] [--api-key-stdin] [--force]
+  demian config models <provider> [--refresh] [--config <path>]
+  demian config list [--config <path>]
+  demian config path
+`);
+}
+function printAuthHelp() {
+  process.stdout.write(`demian auth
+
+Usage:
+  demian auth login codex
+  demian auth login claudecode
+  demian auth status
+`);
+}
+function errorMessage3(error) {
+  return error instanceof Error ? error.message : String(error);
+}
+async function confirmOverwriteIfExists(customPath, isPrint) {
+  if (isPrint) return false;
+  const filePath = customPath ?? defaultUserConfigPath();
+  if (!await fileExists2(filePath)) return false;
+  return promptYesNo(`Overwrite existing config at ${filePath}? (y/N): `, false);
+}
+async function ensureOverwriteForProvider(customPath, providerName, force) {
+  if (force) return true;
+  const filePath = customPath ?? defaultUserConfigPath();
+  if (!await fileExists2(filePath)) return false;
+  const config = await readJsonSafe(filePath);
+  const provider = config?.providers?.[providerName];
+  if (!provider) return false;
+  return promptYesNo(`Provider "${providerName}" already exists. Overwrite? (y/N): `, false);
+}
+async function ensureOverwriteForModel(customPath, providerName, profileName, displayName, force) {
+  if (force) return true;
+  const filePath = customPath ?? defaultUserConfigPath();
+  if (!await fileExists2(filePath)) return false;
+  const config = await readJsonSafe(filePath);
+  const profiles = Array.isArray(config?.providers?.[providerName]?.modelProfiles) ? config.providers[providerName].modelProfiles : [];
+  const sameName = profiles.find((entry) => entry.name === profileName);
+  const sameDisplay = displayName ? profiles.find((entry) => entry.displayName === displayName && entry.name !== profileName) : void 0;
+  if (!sameName && !sameDisplay) return false;
+  const which = sameName ? `name "${profileName}"` : `displayName "${displayName}"`;
+  return promptYesNo(`Profile with ${which} already exists on provider ${providerName}. Overwrite? (y/N): `, false);
+}
+async function fileExists2(filePath) {
+  try {
+    await stat4(filePath);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function readJsonSafe(filePath) {
+  try {
+    const { readFile: readFile18 } = await import("node:fs/promises");
+    const text = await readFile18(filePath, "utf8");
+    return JSON.parse(text);
+  } catch {
+    return void 0;
+  }
+}
+async function promptYesNo(question, defaultYes) {
+  if (!process.stdin.isTTY) {
+    process.stderr.write(`${question.replace(/\(y\/N\)|\(Y\/n\)/, "").trim()} (non-interactive; pass --force to overwrite).
+`);
+    return false;
+  }
+  const rl2 = readline3.createInterface({ input: process.stdin, output: process.stdout });
+  try {
+    const answer = (await rl2.question(question)).trim().toLowerCase();
+    if (!answer) return defaultYes;
+    return answer === "y" || answer === "yes";
+  } finally {
+    rl2.close();
+  }
+}
+async function commandExists(command) {
+  return new Promise((resolve) => {
+    const child = spawn4(process.platform === "win32" ? "where" : "which", [command], { stdio: "ignore" });
+    child.on("close", (code) => resolve(code === 0));
+    child.on("error", () => resolve(false));
+  });
+}
+async function runFirstRunWizard() {
+  const filePath = defaultUserConfigPath();
+  if (await fileExists2(filePath)) return void 0;
+  if (!process.stdin.isTTY) {
+    process.stderr.write(`No Demian config at ${filePath}. Run \`demian config init\` to create one.
+`);
+    return void 0;
+  }
+  process.stdout.write(`
+Welcome to Demian.
+No config found at ${filePath}.
+`);
+  const ok2 = await promptYesNo("Create a default v2 config now? (Y/n): ", true);
+  if (!ok2) {
+    process.stdout.write("Skipped. Run `demian config init` later to set up.\n");
+    return void 0;
+  }
+  const result = await createUserConfig({});
+  process.stdout.write(`Created ${result.path}.
+`);
+  const walkProviders = await promptYesNo("Walk through provider setup now? (y/N): ", false);
+  if (walkProviders) await walkProviderSetup();
+  else {
+    process.stdout.write("Next steps:\n");
+    process.stdout.write("  - Set API key env vars (e.g. OPENAI_API_KEY)\n");
+    process.stdout.write("  - `demian config models <provider> --refresh` to inspect catalogs\n");
+    process.stdout.write("  - `demian auth login codex|claudecode` for OAuth providers\n");
+    process.stdout.write("  - `demian config setup` to re-enter this wizard\n\n");
+  }
+  return { created: true, configPath: result.path };
+}
+async function runSetupWizard() {
+  if (!process.stdin.isTTY) {
+    process.stderr.write("config setup requires an interactive terminal.\n");
+    return 1;
+  }
+  const filePath = defaultUserConfigPath();
+  if (!await fileExists2(filePath)) {
+    const wizard = await runFirstRunWizard();
+    return wizard?.created ? 0 : 1;
+  }
+  await walkProviderSetup();
+  return 0;
+}
+async function walkProviderSetup() {
+  const builtinPresets = [
+    { name: "openai", description: "OpenAI ChatGPT API", defaultEnv: "OPENAI_API_KEY" },
+    { name: "anthropic", description: "Anthropic Claude API", defaultEnv: "ANTHROPIC_API_KEY" },
+    { name: "gemini", description: "Google Gemini (OpenAI-compatible)", defaultEnv: "GEMINI_API_KEY" },
+    { name: "groq", description: "Groq Cloud", defaultEnv: "GROQ_API_KEY" },
+    { name: "codex", description: "ChatGPT Codex (OAuth)", oauth: "codex" },
+    { name: "claudecode", description: "Claude Code external runtime (OAuth)", oauth: "claudecode" }
+  ];
+  process.stdout.write("\nProvider setup. Press Enter to skip a provider.\n");
+  for (const preset of builtinPresets) {
+    const want = await promptYesNo(`Configure ${preset.name} (${preset.description})? (y/N): `, false);
+    if (!want) continue;
+    if (preset.oauth) {
+      const login = await promptYesNo(`Run \`demian auth login ${preset.oauth}\` now? (Y/n): `, true);
+      if (login) await runProviderLogin(preset.oauth).catch(() => void 0);
+      continue;
+    }
+    if (preset.defaultEnv) {
+      const envSet = !!process.env[preset.defaultEnv];
+      process.stdout.write(`  env ${preset.defaultEnv}: ${envSet ? "set" : "not set"}
+`);
+      if (!envSet) process.stdout.write(`  \u2192 export ${preset.defaultEnv}=... before running demian.
+`);
+    }
+  }
+  process.stdout.write("\nSetup complete. Run `demian` to start a session.\n\n");
+}
+async function checkCodexAuth() {
+  const candidates = [path16.join(process.env.HOME ?? os10.homedir(), ".codex", "auth.json"), path16.join(process.env.HOME ?? os10.homedir(), ".codex", "credentials.json")];
+  for (const candidate of candidates) {
+    if (await fileExists2(candidate)) {
+      return { ok: true, source: "codex-store", message: candidate };
+    }
+  }
+  if (process.env.OPENAI_API_KEY) return { ok: true, source: "api-key-fallback", message: "OPENAI_API_KEY set" };
+  return { ok: false, source: "none", message: "no codex auth file or OPENAI_API_KEY; run `demian auth login codex`" };
+}
+
+// src/doctor/policies.ts
+import { existsSync as existsSync2 } from "node:fs";
+import { readFile as readFile9, writeFile as writeFile7 } from "node:fs/promises";
+import os11 from "node:os";
+import path17 from "node:path";
+function isDoctorCommand(argv) {
+  return argv[0] === "doctor";
+}
+async function maybeRunDoctorCommand(argv, options = {}) {
+  if (!isDoctorCommand(argv)) return void 0;
+  return runDoctorCommand(argv.slice(1), options);
+}
+async function runDoctorCommand(argv, options = {}) {
+  const stdout = options.stdout ?? process.stdout;
+  const stderr = options.stderr ?? process.stderr;
+  const flags = parseDoctorFlags(argv);
+  if (flags.help) {
+    stdout.write(doctorHelp());
+    return 0;
+  }
+  if (argv[0] !== "policies" || !argv.includes("--upgrade-namespaces")) {
+    stderr.write("Unsupported doctor command. Run `demian doctor policies --upgrade-namespaces [--write]`.\n");
+    return 1;
+  }
+  const cwd = path17.resolve(flags.cwd ?? options.cwd ?? process.cwd());
+  const filePaths = resolvePolicyConfigPaths(cwd, flags.configPaths);
+  if (filePaths.length === 0) {
+    stdout.write("No demian config files found to inspect.\n");
     return 0;
   }
   const allChanges = [];
   let updatedFiles = 0;
   for (const filePath of filePaths) {
-    const original = await readFile7(filePath, "utf8");
+    const original = await readFile9(filePath, "utf8");
     const upgraded = upgradePolicyNamespacesInText(original, filePath);
     allChanges.push(...upgraded.changes);
     if (flags.write && upgraded.changes.length > 0) {
-      await writeFile5(filePath, upgraded.text, "utf8");
+      await writeFile7(filePath, upgraded.text, "utf8");
       updatedFiles++;
     }
   }
@@ -24277,11 +25626,11 @@ function parseDoctorFlags(argv) {
   return flags;
 }
 function resolvePolicyConfigPaths(cwd, explicitPaths) {
-  const candidates = explicitPaths.length > 0 ? explicitPaths.map((item) => path13.resolve(cwd, item)) : [
-    path13.join(os8.homedir(), ".demian", "config.json"),
-    path13.join(os8.homedir(), ".demian", "config.jsond"),
-    path13.join(cwd, ".demian", "config.json"),
-    path13.join(cwd, ".demian", "config.jsond")
+  const candidates = explicitPaths.length > 0 ? explicitPaths.map((item) => path17.resolve(cwd, item)) : [
+    path17.join(os11.homedir(), ".demian", "config.json"),
+    path17.join(os11.homedir(), ".demian", "config.jsond"),
+    path17.join(cwd, ".demian", "config.json"),
+    path17.join(cwd, ".demian", "config.jsond")
   ];
   return [...new Set(candidates)].filter((item) => existsSync2(item));
 }
@@ -24377,8 +25726,9 @@ Flags:
 }
 
 // src/transcript.ts
-import { mkdir as mkdir6, appendFile, writeFile as writeFile6 } from "node:fs/promises";
-import path14 from "node:path";
+import { mkdir as mkdir8, appendFile, writeFile as writeFile8 } from "node:fs/promises";
+import os12 from "node:os";
+import path18 from "node:path";
 var TranscriptWriter = class {
   filePath;
   #enabled;
@@ -24386,9 +25736,9 @@ var TranscriptWriter = class {
   #queue = Promise.resolve();
   constructor(options) {
     this.#enabled = options.enabled !== false;
-    const dir = path14.join(options.cwd, ".demian", "transcripts", options.sessionId);
-    this.filePath = path14.join(dir, "session.jsonl");
-    this.#ready = this.#enabled ? mkdir6(dir, { recursive: true }).then(() => writeFile6(this.filePath, "", { flag: "a" })) : Promise.resolve();
+    const dir = path18.join(options.storageDir ?? defaultDemianStorageDir(), "transcripts", options.sessionId);
+    this.filePath = path18.join(dir, "session.jsonl");
+    this.#ready = this.#enabled ? mkdir8(dir, { recursive: true }).then(() => writeFile8(this.filePath, "", { flag: "a" })) : Promise.resolve();
   }
   write(event) {
     if (!this.#enabled) return Promise.resolve();
@@ -24403,12 +25753,15 @@ var TranscriptWriter = class {
     await this.#queue;
   }
 };
+function defaultDemianStorageDir() {
+  return path18.join(os12.homedir(), ".demian");
+}
 
 // src/external-runtime/snapshot-diff.ts
 import { createHash as createHash2 } from "node:crypto";
 import { createReadStream } from "node:fs";
-import { readdir, readFile as readFile8, stat as stat3 } from "node:fs/promises";
-import path15 from "node:path";
+import { readdir, readFile as readFile10, stat as stat5 } from "node:fs/promises";
+import path19 from "node:path";
 
 // src/workspace/diff.ts
 var CONTEXT_LINES = 3;
@@ -24618,7 +25971,7 @@ async function diffWorkspaceSnapshot(before) {
 }
 async function walk(root, relativeDir, entries, options) {
   if (entries.size >= options.maxFiles) return;
-  const absoluteDir = path15.join(root, relativeDir);
+  const absoluteDir = path19.join(root, relativeDir);
   let items;
   try {
     items = await readdir(absoluteDir, { withFileTypes: true });
@@ -24629,8 +25982,8 @@ async function walk(root, relativeDir, entries, options) {
     if (entries.size >= options.maxFiles) return;
     if (item.name.startsWith(".") && item.name !== ".env.example" && SKIP_DIRS.has(item.name)) continue;
     if (SKIP_DIRS.has(item.name)) continue;
-    const relativePath = normalizeRelativePath(path15.join(relativeDir, item.name));
-    const absolutePath = path15.join(root, relativePath);
+    const relativePath = normalizeRelativePath(path19.join(relativeDir, item.name));
+    const absolutePath = path19.join(root, relativePath);
     if (item.isDirectory()) {
       await walk(root, relativePath, entries, options);
       continue;
@@ -24641,7 +25994,7 @@ async function walk(root, relativeDir, entries, options) {
   }
 }
 async function snapshotFile(filePath, relativePath, maxTextBytes) {
-  const info = await stat3(filePath);
+  const info = await stat5(filePath);
   const sha2562 = await sha256File(filePath);
   const content = info.size <= maxTextBytes ? await readTextContent(filePath) : void 0;
   return { path: relativePath, size: info.size, sha256: sha2562, content };
@@ -24652,7 +26005,7 @@ function snapshotDiffText(entry) {
 `;
 }
 async function readTextContent(filePath) {
-  const buffer = await readFile8(filePath);
+  const buffer = await readFile10(filePath);
   if (buffer.includes(0)) return void 0;
   return buffer.toString("utf8");
 }
@@ -24666,7 +26019,7 @@ function sha256File(filePath) {
   });
 }
 function normalizeRelativePath(value) {
-  return value.split(path15.sep).join("/");
+  return value.split(path19.sep).join("/");
 }
 
 // src/external-runtime/session-runner.ts
@@ -25101,15 +26454,15 @@ function safeJson(value) {
 }
 
 // src/hooks/dispatcher.ts
-import path17 from "node:path";
+import path21 from "node:path";
 
 // src/hooks/command.ts
-import { spawn as spawn4 } from "node:child_process";
+import { spawn as spawn5 } from "node:child_process";
 async function runCommandHook(hook, ctx) {
   if (!hook.command) return void 0;
   const timeoutMs = hook.timeoutMs ?? 1e4;
   return new Promise((resolve, reject) => {
-    const child = spawn4(hook.command, {
+    const child = spawn5(hook.command, {
       cwd: ctx.cwd,
       env: process.env,
       shell: true,
@@ -25194,7 +26547,7 @@ var blockDangerousBashHook = {
 };
 
 // src/hooks/builtin/protect-env-files.ts
-import path16 from "node:path";
+import path20 from "node:path";
 var protectEnvFilesHook = {
   name: "protect-env-files",
   event: "PreToolUse",
@@ -25202,7 +26555,7 @@ var protectEnvFilesHook = {
   run(ctx) {
     if (ctx.toolName !== "write_file" && ctx.toolName !== "edit_file") return { decision: "allow" };
     const input2 = ctx.toolInput && typeof ctx.toolInput === "object" ? ctx.toolInput : {};
-    const filePath = typeof input2.path === "string" ? path16.resolve(ctx.cwd, input2.path) : "";
+    const filePath = typeof input2.path === "string" ? path20.resolve(ctx.cwd, input2.path) : "";
     if (filePath && isEnvFile(filePath)) {
       return {
         decision: "block",
@@ -25239,7 +26592,7 @@ var maskSecretsHook = {
 };
 
 // src/hooks/builtin/inject-env-info.ts
-import os9 from "node:os";
+import os13 from "node:os";
 var injectEnvInfoHook = {
   name: "inject-env-info",
   event: "SessionStart",
@@ -25248,7 +26601,7 @@ var injectEnvInfoHook = {
       decision: "allow",
       patch: {
         systemNote: [
-          `Environment: ${os9.type()} ${os9.release()} (${os9.platform()}/${os9.arch()})`,
+          `Environment: ${os13.type()} ${os13.release()} (${os13.platform()}/${os13.arch()})`,
           `cwd: ${ctx.cwd}`,
           `provider: ${ctx.provider ?? "unknown"}`,
           `model: ${ctx.model ?? "unknown"}`,
@@ -25317,14 +26670,14 @@ function matchesHook(match, ctx) {
     const input2 = ctx.toolInput && typeof ctx.toolInput === "object" ? ctx.toolInput : {};
     const filePath = typeof input2.path === "string" ? input2.path : typeof input2.workdir === "string" ? input2.workdir : void 0;
     if (!filePath) return false;
-    if (!matchGlob(match.pathGlob, relativeToCwd(ctx.cwd, path17.resolve(ctx.cwd, filePath)))) return false;
+    if (!matchGlob(match.pathGlob, relativeToCwd(ctx.cwd, path21.resolve(ctx.cwd, filePath)))) return false;
   }
   return true;
 }
 
 // src/multimodal.ts
-import { readFile as readFile9, stat as stat4 } from "node:fs/promises";
-import path18 from "node:path";
+import { readFile as readFile11, stat as stat6 } from "node:fs/promises";
+import path22 from "node:path";
 var DEFAULT_MAX_IMAGE_BYTES = 8 * 1024 * 1024;
 async function buildUserContent(prompt, images = [], options) {
   if (images.length === 0) return prompt;
@@ -25343,16 +26696,16 @@ async function buildUserContent(prompt, images = [], options) {
 async function imageToUrl(input2, options) {
   if (/^https?:\/\//i.test(input2) || /^data:image\//i.test(input2)) return input2;
   const filePath = resolveInsideCwd(options.cwd, input2);
-  const info = await stat4(filePath);
+  const info = await stat6(filePath);
   if (!info.isFile()) throw new Error(`Image input is not a file: ${input2}`);
   const maxImageBytes = options.maxImageBytes ?? DEFAULT_MAX_IMAGE_BYTES;
   if (info.size > maxImageBytes) throw new Error(`Image is larger than ${maxImageBytes} bytes: ${input2}`);
   const mime = mimeFromPath(filePath);
-  const bytes = await readFile9(filePath);
+  const bytes = await readFile11(filePath);
   return `data:${mime};base64,${bytes.toString("base64")}`;
 }
 function mimeFromPath(filePath) {
-  switch (path18.extname(filePath).toLowerCase()) {
+  switch (path22.extname(filePath).toLowerCase()) {
     case ".jpg":
     case ".jpeg":
       return "image/jpeg";
@@ -25363,15 +26716,15 @@ function mimeFromPath(filePath) {
     case ".webp":
       return "image/webp";
     default:
-      throw new Error(`Unsupported image extension: ${path18.extname(filePath) || "(none)"}`);
+      throw new Error(`Unsupported image extension: ${path22.extname(filePath) || "(none)"}`);
   }
 }
 
 // src/permissions/persistent-grants.ts
-import { mkdir as mkdir7, readFile as readFile10, writeFile as writeFile7 } from "node:fs/promises";
+import { mkdir as mkdir9, readFile as readFile12, writeFile as writeFile9 } from "node:fs/promises";
 import fs8 from "node:fs";
-import os10 from "node:os";
-import path19 from "node:path";
+import os14 from "node:os";
+import path23 from "node:path";
 var DEFAULT_TTL_MS = 7 * 24 * 60 * 60 * 1e3;
 var PersistentGrantStore = class {
   filePath;
@@ -25402,22 +26755,22 @@ var PersistentGrantStore = class {
   }
   async #read() {
     if (!fs8.existsSync(this.filePath)) return { version: 1, grants: [] };
-    const data = JSON.parse(await readFile10(this.filePath, "utf8"));
+    const data = JSON.parse(await readFile12(this.filePath, "utf8"));
     return {
       version: 1,
       grants: Array.isArray(data.grants) ? data.grants.filter(isGrantRecord) : []
     };
   }
   async #write(file) {
-    await mkdir7(path19.dirname(this.filePath), { recursive: true });
-    await writeFile7(this.filePath, `${JSON.stringify(file, null, 2)}
+    await mkdir9(path23.dirname(this.filePath), { recursive: true });
+    await writeFile9(this.filePath, `${JSON.stringify(file, null, 2)}
 `, { mode: 384 });
   }
 };
 function resolveGrantPath(cwd, config) {
-  if (config.path) return path19.resolve(cwd, config.path);
-  if ((config.scope ?? "project") === "user") return path19.join(os10.homedir(), ".demian", "grants.json");
-  return path19.join(cwd, ".demian", "grants.json");
+  if (config.path) return path23.resolve(cwd, config.path);
+  if ((config.scope ?? "project") === "user") return path23.join(os14.homedir(), ".demian", "grants.json");
+  return path23.join(cwd, ".demian", "grants.json");
 }
 function isGrantRecord(value) {
   if (!value || typeof value !== "object") return false;
@@ -25850,25 +27203,25 @@ function fail(content, metadata) {
 }
 
 // src/tools/output.ts
-import { mkdir as mkdir8, writeFile as writeFile8 } from "node:fs/promises";
-import path20 from "node:path";
+import { mkdir as mkdir10, writeFile as writeFile10 } from "node:fs/promises";
+import path24 from "node:path";
 var DEFAULT_CAP_BYTES = 32 * 1024;
 var HALF_PREVIEW_BYTES = 16 * 1024;
 async function capToolOutput(result, options) {
   const capBytes = options.capBytes ?? DEFAULT_CAP_BYTES;
   const bytes = Buffer.byteLength(result.content, "utf8");
   if (bytes <= capBytes) return result;
-  const dir = path20.join(options.cwd, ".demian", "tmp");
-  await mkdir8(dir, { recursive: true });
-  const outputPath = path20.join(dir, `output-${safeCallId(options.callId)}.txt`);
-  await writeFile8(outputPath, result.content, "utf8");
+  const dir = path24.join(options.cwd, ".demian", "tmp");
+  await mkdir10(dir, { recursive: true });
+  const outputPath = path24.join(dir, `output-${safeCallId(options.callId)}.txt`);
+  await writeFile10(outputPath, result.content, "utf8");
   return {
     ...result,
     content: [
       sliceUtf8(result.content, 0, HALF_PREVIEW_BYTES),
       `
 
-[Full output saved to ${path20.relative(options.cwd, outputPath)}; showing head and tail because output exceeded ${capBytes} bytes]
+[Full output saved to ${path24.relative(options.cwd, outputPath)}; showing head and tail because output exceeded ${capBytes} bytes]
 
 `,
       sliceUtf8(result.content, Math.max(0, bytes - HALF_PREVIEW_BYTES), bytes)
@@ -25893,8 +27246,8 @@ function sliceUtf8(text, startByte, endByte) {
 }
 
 // src/tools/read-file.ts
-import { open as open2, stat as stat5 } from "node:fs/promises";
-import path21 from "node:path";
+import { open as open2, stat as stat7 } from "node:fs/promises";
+import path25 from "node:path";
 
 // src/tools/validation.ts
 function assertObject(input2, toolName) {
@@ -25964,7 +27317,7 @@ var readFileTool = {
     const filePath = resolveInsideCwd(ctx.cwd, stringField(object2, "path"));
     const offset = positiveInteger(optionalNumberField(object2, "offset"), 1, "offset");
     const limit = positiveInteger(optionalNumberField(object2, "limit"), DEFAULT_LIMIT, "limit");
-    const info = await stat5(filePath);
+    const info = await stat7(filePath);
     if (info.isDirectory()) throw new Error(`read_file expected a file but got a directory: ${relativeToCwd(ctx.cwd, filePath)}`);
     if (info.size > MAX_BYTES) throw new Error(`File is larger than ${MAX_BYTES} bytes: ${relativeToCwd(ctx.cwd, filePath)}`);
     const sample = await readBytes(filePath, Math.min(SAMPLE_BYTES, info.size));
@@ -25978,7 +27331,7 @@ var readFileTool = {
     const truncated = start + sliced.length < lines.length;
     return ok(content + (truncated ? `
 ... (${lines.length - start - sliced.length} more lines)` : ""), {
-      path: path21.relative(ctx.cwd, filePath),
+      path: path25.relative(ctx.cwd, filePath),
       lines: sliced.length,
       totalLines: lines.length,
       truncated
@@ -26016,8 +27369,8 @@ function looksBinary(buffer) {
 }
 
 // src/tools/write-file.ts
-import { mkdir as mkdir9, readFile as readFile11, writeFile as writeFile9 } from "node:fs/promises";
-import path22 from "node:path";
+import { mkdir as mkdir11, readFile as readFile13, writeFile as writeFile11 } from "node:fs/promises";
+import path26 from "node:path";
 var writeFileTool = {
   name: "write_file",
   description: "Create or replace a text file inside the workspace.",
@@ -26035,8 +27388,8 @@ var writeFileTool = {
     const filePath = resolveInsideCwd(ctx.cwd, stringField(object2, "path"));
     const content = stringField(object2, "content", { allowEmpty: true });
     const before = await readOptionalTextFile(filePath);
-    await mkdir9(path22.dirname(filePath), { recursive: true });
-    await writeFile9(filePath, content, "utf8");
+    await mkdir11(path26.dirname(filePath), { recursive: true });
+    await writeFile11(filePath, content, "utf8");
     const relative = relativeToCwd(ctx.cwd, filePath);
     const diff = createTextDiff(before, content, relative);
     return ok(`Wrote ${relativeToCwd(ctx.cwd, filePath)} (${Buffer.byteLength(content, "utf8")} bytes).`, {
@@ -26049,7 +27402,7 @@ var writeFileTool = {
 };
 async function readOptionalTextFile(filePath) {
   try {
-    return await readFile11(filePath, "utf8");
+    return await readFile13(filePath, "utf8");
   } catch (error) {
     if (isNotFound(error)) return void 0;
     throw error;
@@ -26060,7 +27413,7 @@ function isNotFound(error) {
 }
 
 // src/tools/edit-file.ts
-import { readFile as readFile12, writeFile as writeFile10 } from "node:fs/promises";
+import { readFile as readFile14, writeFile as writeFile12 } from "node:fs/promises";
 var editFileTool = {
   name: "edit_file",
   description: "Replace an exact string in a text file inside the workspace.",
@@ -26082,12 +27435,12 @@ var editFileTool = {
     const newString = stringField(object2, "newString", { allowEmpty: true });
     const replaceAll = optionalBooleanField(object2, "replaceAll") ?? false;
     if (oldString === newString) throw new Error("oldString and newString must be different");
-    const before = await readFile12(filePath, "utf8");
+    const before = await readFile14(filePath, "utf8");
     const matches = countMatches(before, oldString);
     if (matches === 0) throw new Error("oldString was not found");
     if (matches > 1 && !replaceAll) throw new Error(`oldString matched ${matches} times; set replaceAll=true to replace all matches`);
     const after = replaceAll ? before.split(oldString).join(newString) : before.replace(oldString, newString);
-    await writeFile10(filePath, after, "utf8");
+    await writeFile12(filePath, after, "utf8");
     const relative = relativeToCwd(ctx.cwd, filePath);
     const diff = createTextDiff(before, after, relative);
     return ok(`Edited ${relative} (${replaceAll ? matches : 1} replacement${matches === 1 ? "" : "s"}).`, {
@@ -26110,8 +27463,8 @@ function countMatches(text, needle) {
 }
 
 // src/tools/bash.ts
-import { spawn as spawn5 } from "node:child_process";
-import path24 from "node:path";
+import { spawn as spawn6 } from "node:child_process";
+import path28 from "node:path";
 
 // src/sandbox/env-only.ts
 function buildEnvOnlyLaunch(command, config) {
@@ -26171,7 +27524,7 @@ function bwrapPath() {
 
 // src/sandbox/macos.ts
 import { existsSync as existsSync4 } from "node:fs";
-import path23 from "node:path";
+import path27 from "node:path";
 function canUseMacOSSandbox() {
   return process.platform === "darwin" && existsSync4("/usr/bin/sandbox-exec");
 }
@@ -26197,7 +27550,7 @@ function macosProfile(cwd, config) {
   }
   if (mode === "workspace-write") {
     lines.push("(deny file-write*)");
-    lines.push(`(allow file-write* (subpath "${escapeProfilePath(path23.resolve(cwd))}"))`);
+    lines.push(`(allow file-write* (subpath "${escapeProfilePath(path27.resolve(cwd))}"))`);
     lines.push('(allow file-write* (subpath "/tmp"))');
     lines.push('(allow file-write* (subpath "/private/tmp"))');
     lines.push('(allow file-write* (subpath "/private/var/folders"))');
@@ -26259,7 +27612,7 @@ ${result.stderr}` : ""
     ].filter(Boolean).join("\n");
     return ok(content, {
       command,
-      workdir: path24.relative(ctx.cwd, workdir) || ".",
+      workdir: path28.relative(ctx.cwd, workdir) || ".",
       exitCode: result.exitCode,
       signal: result.signal,
       timedOut: result.timedOut,
@@ -26270,7 +27623,7 @@ ${result.stderr}` : ""
 function runCommand(command, cwd, timeoutMs, signal, sandbox = { mode: "workspace-write" }) {
   return new Promise((resolve, reject) => {
     const launch = buildSandboxLaunch(command, cwd, sandbox);
-    const child = spawn5(launch.command, launch.args, {
+    const child = spawn6(launch.command, launch.args, {
       cwd,
       env: { ...process.env, ...launch.env },
       stdio: ["ignore", "pipe", "pipe"]
@@ -26310,9 +27663,9 @@ function runCommand(command, cwd, timeoutMs, signal, sandbox = { mode: "workspac
 }
 
 // src/tools/grep.ts
-import { spawn as spawn6 } from "node:child_process";
-import { readdir as readdir2, readFile as readFile13, stat as stat6 } from "node:fs/promises";
-import path25 from "node:path";
+import { spawn as spawn7 } from "node:child_process";
+import { readdir as readdir2, readFile as readFile15, stat as stat8 } from "node:fs/promises";
+import path29 from "node:path";
 var MAX_MATCHES = 200;
 var grepTool = {
   name: "grep",
@@ -26362,7 +27715,7 @@ function runRg(cwd, base, pattern, glob, signal) {
     ];
     if (glob) args.push("--glob", glob);
     args.push(pattern, base);
-    const child = spawn6("rg", args, { cwd, stdio: ["ignore", "pipe", "pipe"] });
+    const child = spawn7("rg", args, { cwd, stdio: ["ignore", "pipe", "pipe"] });
     const stdout = [];
     const stderr = [];
     const abort = () => child.kill("SIGTERM");
@@ -26387,7 +27740,7 @@ function runRg(cwd, base, pattern, glob, signal) {
 }
 function rewriteRgPath(cwd, line) {
   const [file, rest] = splitFirst(line, ":");
-  if (!path25.isAbsolute(file)) return line;
+  if (!path29.isAbsolute(file)) return line;
   return `${relativeToCwd(cwd, file)}:${rest}`;
 }
 function splitFirst(value, delimiter) {
@@ -26402,13 +27755,13 @@ async function fallbackSearch(cwd, base, pattern, glob) {
     if (out.length > MAX_MATCHES) return;
     const relative = relativeToCwd(cwd, item);
     if (isIgnoredPath(relative)) return;
-    const info = await stat6(item);
+    const info = await stat8(item);
     if (info.isDirectory()) {
-      for (const entry of await readdir2(item)) await walk2(path25.join(item, entry));
+      for (const entry of await readdir2(item)) await walk2(path29.join(item, entry));
       return;
     }
     if (glob && !matchGlob(glob, relative)) return;
-    const buffer = await readFile13(item);
+    const buffer = await readFile15(item);
     if (buffer.includes(0)) return;
     const lines = buffer.toString("utf8").split(/\r?\n/);
     for (let i = 0; i < lines.length; i++) {
@@ -26422,8 +27775,8 @@ async function fallbackSearch(cwd, base, pattern, glob) {
 }
 
 // src/tools/glob.ts
-import { readdir as readdir3, stat as stat7 } from "node:fs/promises";
-import path26 from "node:path";
+import { readdir as readdir3, stat as stat9 } from "node:fs/promises";
+import path30 from "node:path";
 var MAX_PATHS = 1e3;
 var globTool = {
   name: "glob",
@@ -26455,10 +27808,10 @@ async function collectPaths(cwd, root, pattern) {
   async function walk2(dir) {
     const entries = await readdir3(dir, { withFileTypes: true });
     for (const entry of entries) {
-      const absolute = path26.join(dir, entry.name);
+      const absolute = path30.join(dir, entry.name);
       const relative = relativeToCwd(cwd, absolute);
       if (isIgnoredPath(relative)) continue;
-      const info = await stat7(absolute);
+      const info = await stat9(absolute);
       if (matchGlob(pattern, relative)) out.push({ relative, mtimeMs: info.mtimeMs });
       if (entry.isDirectory()) await walk2(absolute);
     }
@@ -26596,7 +27949,7 @@ async function runBraveSearch(config, options) {
   if (config.country) url.searchParams.set("country", config.country);
   if (config.searchLang) url.searchParams.set("search_lang", config.searchLang);
   if (config.safeSearch) url.searchParams.set("safesearch", config.safeSearch);
-  const json = await fetchJson(url, {
+  const json = await fetchJson2(url, {
     method: "GET",
     headers: {
       accept: "application/json",
@@ -26615,7 +27968,7 @@ async function runTavilySearch(config, options) {
   if (!apiKey.ok) return apiKey;
   const maxResults = Math.min(positiveInteger(options.maxResults, config.maxResults ?? 5, "maxResults"), TAVILY_MAX_RESULTS);
   const endpoint = config.endpoint ?? defaultConfig.webSearch.providers.tavily.endpoint ?? "https://api.tavily.com/search";
-  const json = await fetchJson(endpoint, {
+  const json = await fetchJson2(endpoint, {
     method: "POST",
     headers: {
       "content-type": "application/json",
@@ -26641,7 +27994,7 @@ async function runExaSearch(config, options) {
   if (!apiKey.ok) return apiKey;
   const numResults = Math.min(positiveInteger(options.maxResults, config.numResults ?? 5, "maxResults"), EXA_MAX_RESULTS);
   const endpoint = config.endpoint ?? defaultConfig.webSearch.providers.exa.endpoint ?? "https://api.exa.ai/search";
-  const json = await fetchJson(endpoint, {
+  const json = await fetchJson2(endpoint, {
     method: "POST",
     headers: {
       "content-type": "application/json",
@@ -26670,7 +28023,7 @@ function resolveApiKey(provider, config) {
   if (value) return { ok: true, value };
   return toolFail(`Missing API key for web_search provider "${provider}". Set webSearch.providers.${provider}.apiKey or set ${config.apiKeyEnv ?? "the configured apiKeyEnv"}.`);
 }
-async function fetchJson(url, options) {
+async function fetchJson2(url, options) {
   const { fetcher, provider, ...init } = options;
   const response = await fetcher(url, init);
   const text = await response.text();
@@ -26688,10 +28041,10 @@ function normalizeBraveResults(raw, limit) {
   return (data.web?.results ?? []).slice(0, limit).map((item) => {
     const result = item;
     return {
-      title: stringValue4(result.title) ?? "Untitled",
-      url: stringValue4(result.url) ?? "",
-      snippet: cleanSnippet(stringValue4(result.description) ?? stringValue4(result.snippet)),
-      publishedDate: stringValue4(result.age)
+      title: stringValue5(result.title) ?? "Untitled",
+      url: stringValue5(result.url) ?? "",
+      snippet: cleanSnippet(stringValue5(result.description) ?? stringValue5(result.snippet)),
+      publishedDate: stringValue5(result.age)
     };
   }).filter((item) => item.url.length > 0);
 }
@@ -26700,9 +28053,9 @@ function normalizeTavilyResults(raw, limit) {
   return (data.results ?? []).slice(0, limit).map((item) => {
     const result = item;
     return {
-      title: stringValue4(result.title) ?? "Untitled",
-      url: stringValue4(result.url) ?? "",
-      snippet: cleanSnippet(stringValue4(result.content) ?? stringValue4(result.raw_content)),
+      title: stringValue5(result.title) ?? "Untitled",
+      url: stringValue5(result.url) ?? "",
+      snippet: cleanSnippet(stringValue5(result.content) ?? stringValue5(result.raw_content)),
       score: numberValue3(result.score)
     };
   }).filter((item) => item.url.length > 0);
@@ -26712,10 +28065,10 @@ function normalizeExaResults(raw, limit) {
   return (data.results ?? []).slice(0, limit).map((item) => {
     const result = item;
     return {
-      title: stringValue4(result.title) ?? "Untitled",
-      url: stringValue4(result.url) ?? "",
+      title: stringValue5(result.title) ?? "Untitled",
+      url: stringValue5(result.url) ?? "",
       snippet: exaSnippet(result),
-      publishedDate: stringValue4(result.publishedDate),
+      publishedDate: stringValue5(result.publishedDate),
       score: numberValue3(result.score)
     };
   }).filter((item) => item.url.length > 0);
@@ -26726,7 +28079,7 @@ function exaSnippet(result) {
     const joined = highlights.map((item) => typeof item === "string" ? item : "").filter(Boolean).join(" ");
     if (joined) return cleanSnippet(joined);
   }
-  return cleanSnippet(stringValue4(result.text) ?? stringValue4(result.summary));
+  return cleanSnippet(stringValue5(result.text) ?? stringValue5(result.summary));
 }
 function searchResult(provider, query, results, raw) {
   const content = [
@@ -26750,7 +28103,7 @@ function formatResult(index, result) {
   if (result.snippet) lines.push(`   Snippet: ${result.snippet}`);
   return lines.join("\n");
 }
-function stringValue4(value) {
+function stringValue5(value) {
   return typeof value === "string" && value.length > 0 ? value : void 0;
 }
 function numberValue3(value) {
@@ -27457,14 +28810,14 @@ async function runExecutionSession(options) {
 }
 
 // src/goals/lock.ts
-import { mkdir as mkdir11, open as open3, rm as rm2 } from "node:fs/promises";
-import path28 from "node:path";
+import { mkdir as mkdir13, open as open3, rm as rm2 } from "node:fs/promises";
+import path32 from "node:path";
 
 // src/goals/storage.ts
 import { createHash as createHash3 } from "node:crypto";
-import { mkdir as mkdir10, readFile as readFile14, rename as rename4, writeFile as writeFile11 } from "node:fs/promises";
+import { mkdir as mkdir12, readFile as readFile16, rename as rename6, writeFile as writeFile13 } from "node:fs/promises";
 import fs9 from "node:fs";
-import path27 from "node:path";
+import path31 from "node:path";
 var GoalStore = class {
   cwd;
   dir;
@@ -27475,12 +28828,12 @@ var GoalStore = class {
     this.cwd = cwd;
     this.scope = normalizeGoalStoreScope(options.scope);
     this.dir = goalStoreDir(cwd, this.scope);
-    this.activePath = path27.join(this.dir, "active.json");
-    this.archiveDir = path27.join(this.dir, "archive");
+    this.activePath = path31.join(this.dir, "active.json");
+    this.archiveDir = path31.join(this.dir, "archive");
   }
   async loadActive() {
     if (!fs9.existsSync(this.activePath)) return void 0;
-    const text = await readFile14(this.activePath, "utf8");
+    const text = await readFile16(this.activePath, "utf8");
     try {
       return JSON.parse(text);
     } catch {
@@ -27489,36 +28842,36 @@ var GoalStore = class {
     }
   }
   async saveActive(state) {
-    await mkdir10(this.dir, { recursive: true });
-    const tmp = path27.join(this.dir, `active.${process.pid}.${Date.now()}.tmp`);
-    await writeFile11(tmp, `${JSON.stringify(state, null, 2)}
+    await mkdir12(this.dir, { recursive: true });
+    const tmp = path31.join(this.dir, `active.${process.pid}.${Date.now()}.tmp`);
+    await writeFile13(tmp, `${JSON.stringify(state, null, 2)}
 `, "utf8");
-    await rename4(tmp, this.activePath);
+    await rename6(tmp, this.activePath);
   }
   async archiveActive(status = "cleared") {
     const state = await this.loadActive();
     if (!state) return void 0;
-    await mkdir10(this.archiveDir, { recursive: true });
+    await mkdir12(this.archiveDir, { recursive: true });
     const archived = {
       ...state,
       status,
       updatedAt: Date.now()
     };
-    await writeFile11(path27.join(this.archiveDir, `${archived.id}.json`), `${JSON.stringify(archived, null, 2)}
+    await writeFile13(path31.join(this.archiveDir, `${archived.id}.json`), `${JSON.stringify(archived, null, 2)}
 `, "utf8");
     await fs9.promises.rm(this.activePath, { force: true });
     return archived;
   }
   async backupCorrupted(text) {
-    await mkdir10(this.dir, { recursive: true });
-    const backup = path27.join(this.dir, `active.corrupt.${Date.now()}.json`);
-    await writeFile11(backup, text, "utf8");
+    await mkdir12(this.dir, { recursive: true });
+    const backup = path31.join(this.dir, `active.corrupt.${Date.now()}.json`);
+    await writeFile13(backup, text, "utf8");
     await fs9.promises.rm(this.activePath, { force: true });
   }
 };
 function goalStoreDir(cwd, scope) {
   const safeScope = normalizeGoalStoreScope(scope);
-  return safeScope ? path27.join(cwd, ".demian", "goals", "sessions", safeScope) : path27.join(cwd, ".demian", "goals");
+  return safeScope ? path31.join(cwd, ".demian", "goals", "sessions", safeScope) : path31.join(cwd, ".demian", "goals");
 }
 function normalizeGoalStoreScope(scope) {
   const trimmed = scope?.trim();
@@ -27532,10 +28885,10 @@ function normalizeGoalStoreScope(scope) {
 var GoalLock = class {
   path;
   constructor(cwd, scope) {
-    this.path = path28.join(goalStoreDir(cwd, scope), "active.lock");
+    this.path = path32.join(goalStoreDir(cwd, scope), "active.lock");
   }
   async acquire() {
-    await mkdir11(path28.dirname(this.path), { recursive: true });
+    await mkdir13(path32.dirname(this.path), { recursive: true });
     const handle = await open3(this.path, "wx").catch((error) => {
       const code = typeof error === "object" && error && "code" in error ? String(error.code) : "";
       if (code === "EEXIST") throw new Error("Another goal is already active in this workspace.");
@@ -28065,7 +29418,7 @@ function readString(input2, key) {
 }
 
 // src/external-runtime/session-map.ts
-import crypto5 from "node:crypto";
+import crypto6 from "node:crypto";
 var ClaudeCodeSessionMap = class {
   #sessions = /* @__PURE__ */ new Map();
   get(key) {
@@ -28118,13 +29471,13 @@ function normalizeInstruction(value) {
   return value.replace(/\r\n/g, "\n").trim().split("\n").map((line) => line.replace(/[ \t]+$/g, "")).join("\n");
 }
 function sha256(value) {
-  return crypto5.createHash("sha256").update(value).digest("hex").slice(0, 16);
+  return crypto6.createHash("sha256").update(value).digest("hex").slice(0, 16);
 }
 
 // src/root-session.ts
 import { cp, mkdtemp, rm as rm3 } from "node:fs/promises";
-import os11 from "node:os";
-import path29 from "node:path";
+import os15 from "node:os";
+import path33 from "node:path";
 
 // src/permissions/presets.ts
 var PERMISSION_PRESETS = ["deny", "ask", "auto", "full"];
@@ -28968,8 +30321,8 @@ Writer changed files outside writeScope: ${outOfScope.join(", ")}` : result.erro
     }
   }
   async createCoworkIsolatedWorkspace(groupId, memberId) {
-    const root = await mkdtemp(path29.join(os11.tmpdir(), `demian-cowork-${groupId}-${memberId}-`));
-    const cwd = path29.join(root, "workspace");
+    const root = await mkdtemp(path33.join(os15.tmpdir(), `demian-cowork-${groupId}-${memberId}-`));
+    const cwd = path33.join(root, "workspace");
     await cp(this.#options.cwd, cwd, {
       recursive: true,
       filter: (source) => shouldCopyIntoCoworkWorkspace(this.#options.cwd, source)
@@ -29117,7 +30470,7 @@ Writer changed files outside writeScope: ${outOfScope.join(", ")}` : result.erro
     const denyTools = ["write_file", "edit_file", "bash", "claudecode.Edit", "claudecode.Write", "claudecode.MultiEdit", "claudecode.Bash"];
     return this.withPermissionPreset({
       ...agent,
-      provider: agent.provider?.profile === "claudecode-subagent" ? { ...agent.provider, permissionProfile: "explore" } : agent.provider,
+      provider: agent.provider?.profile === "claudecode" && agent.name === "claudecode-explorer" ? { ...agent.provider, permissionProfile: "explore" } : agent.provider,
       tools: agent.tools.filter((tool) => readTools.has(tool)),
       permissions: [
         ...agent.permissions.filter((rule) => !denyTools.includes(rule.tool)),
@@ -29164,13 +30517,14 @@ Writer changed files outside writeScope: ${outOfScope.join(", ")}` : result.erro
     return lines.join("\n");
   }
   resolveInvocationBackend(profileName, modelOverride, agent) {
-    const providerConfig = resolveProviderConfig(this.#options.config, profileName);
+    const runtime = resolveProviderRuntimeConfig(this.#options.config, { providerName: profileName, model: modelOverride });
+    const providerConfig = runtime.providerConfig;
     if (this.#options.resolveExecutionBackend) return this.#options.resolveExecutionBackend(profileName, providerConfig, modelOverride);
     if (this.#options.resolveProvider) {
-      const resolved = this.#options.resolveProvider(profileName, providerConfig, modelOverride);
+      const resolved = this.#options.resolveProvider(profileName, providerConfig, runtime.model);
       return { kind: "provider", ...resolved };
     }
-    return resolveExecutionBackend(providerConfig, { model: modelOverride, config: this.#options.config, agent });
+    return resolveExecutionBackend(providerConfig, { model: runtime.model, config: this.#options.config, agent });
   }
   loadAgentSession(agent, providerProfile, model, sessionScope, cwd = this.#options.cwd) {
     const key = `${this.id}:${sessionScope ?? "delegate"}:${agent.name}:${providerProfile}:${model}:${cwd}`;
@@ -29272,17 +30626,17 @@ function findDependencyCycle(group) {
   const byId = new Map(group.map((member) => [member.memberId, member]));
   const visiting = /* @__PURE__ */ new Set();
   const visited = /* @__PURE__ */ new Set();
-  const path32 = [];
+  const path36 = [];
   const visit = (id) => {
-    if (visiting.has(id)) return [...path32.slice(path32.indexOf(id)), id];
+    if (visiting.has(id)) return [...path36.slice(path36.indexOf(id)), id];
     if (visited.has(id)) return void 0;
     visiting.add(id);
-    path32.push(id);
+    path36.push(id);
     for (const dep of byId.get(id)?.dependsOn ?? []) {
       const cycle = visit(dep);
       if (cycle) return cycle;
     }
-    path32.pop();
+    path36.pop();
     visiting.delete(id);
     visited.add(id);
     return void 0;
@@ -29323,7 +30677,7 @@ function scopeStaticPrefix(pattern) {
   return prefix.replace(/\/+$/, "").split("/").filter(Boolean).join("/") || ".";
 }
 function shouldCopyIntoCoworkWorkspace(root, source) {
-  const relative = path29.relative(root, source).split(path29.sep).join("/");
+  const relative = path33.relative(root, source).split(path33.sep).join("/");
   if (!relative) return true;
   const parts = relative.split("/");
   return !parts.includes(".git") && !parts.includes("node_modules") && !parts.includes(".demian");
@@ -29718,52 +31072,114 @@ function finitePositiveInteger(value) {
 }
 
 // src/ui/plain/interactive.ts
-import readline3 from "node:readline";
+import readline4 from "node:readline";
 
 // src/ui/settings.ts
-function providerOptions(config) {
-  return Object.entries(config.providers).filter(([, provider]) => !provider.hidden && !(provider.type === "claudecode" && provider.runtime === "cli")).map(([name, provider]) => ({
-    name,
-    model: provider.model,
-    models: provider.models?.length ? [...new Set([provider.model, ...provider.models].filter((item) => typeof item === "string" && item.trim()))] : [provider.model],
-    type: provider.type,
-    runtime: provider.type === "claudecode" ? provider.runtime : void 0,
-    permissionMode: provider.type === "claudecode" ? provider.permissionMode : void 0,
-    ga: provider.type === "claudecode" ? claudeCodeGaEnabled(provider) : void 0
-  }));
+function providerOptions(config, catalogs = {}) {
+  const orderedNames = sortProviderNames(Object.keys(config.providers));
+  const order = new Map(orderedNames.map((name, index) => [name, index]));
+  return orderedNames.map((name) => [name, config.providers[name]]).filter(([, provider]) => provider && !provider.hidden && !(provider.type === "claudecode" && provider.runtime === "cli")).map(([name, provider]) => {
+    const catalog = catalogs[name];
+    const available = providerCatalogAvailable(catalog);
+    const profiles = catalog?.models.length ? catalog.models.map((model) => ({
+      name: model.name,
+      displayName: model.displayName ?? model.name,
+      model: model.model,
+      description: model.description,
+      source: model.source,
+      isDefault: model.isDefault
+    })) : providerModelProfiles(name, provider);
+    const modelProfiles = profiles.map((profile) => {
+      const displayName = profile.displayName ?? profile.name ?? profile.model;
+      return {
+        ...profile,
+        label: available ? displayName : unavailableLabel(displayName),
+        available
+      };
+    });
+    const models = modelProfiles.length ? [...new Set(modelProfiles.map((item) => item.model).filter((item) => typeof item === "string" && item.trim()))] : providerModelOptions(name, provider);
+    const defaultModel = defaultModelForProvider(name, provider);
+    return {
+      name,
+      label: available ? name : unavailableLabel(name),
+      model: defaultModel,
+      modelLabel: available || !defaultModel ? defaultModel : unavailableLabel(defaultModel),
+      models,
+      modelProfiles,
+      type: provider.type,
+      runtime: provider.type === "claudecode" ? provider.runtime : void 0,
+      permissionMode: provider.type === "claudecode" ? provider.permissionMode : void 0,
+      ga: provider.type === "claudecode" ? claudeCodeGaEnabled(provider) : void 0,
+      available,
+      catalog: catalog ? { status: catalog.status, source: catalog.source, message: catalog.message } : void 0
+    };
+  }).sort((left, right) => {
+    if (left.available !== right.available) return left.available ? -1 : 1;
+    return (order.get(left.name) ?? 0) - (order.get(right.name) ?? 0);
+  });
 }
+var MISSING_SELECTION_PLACEHOLDER = "-";
 function createInteractiveModelSelection(config, flags = {}, saved) {
   const savedProviderName = saved?.providerName === "claudecode-plan" ? "claudecode" : saved?.providerName;
-  const savedProviderConfig = savedProviderName ? config.providers[savedProviderName] : void 0;
-  const savedProvider = savedProviderName && savedProviderConfig && !savedProviderConfig.hidden ? savedProviderName : void 0;
-  const providerName = flags.provider ?? savedProvider ?? config.defaultProvider;
-  const providerConfig = resolveProviderConfig(config, providerName);
-  const usesSavedProvider = !flags.provider && providerName === savedProvider;
+  const savedProviderExists = savedProviderName && config.providers[savedProviderName] && !config.providers[savedProviderName]?.hidden;
+  if (saved?.providerName && !flags.provider && !savedProviderExists) {
+    return {
+      providerName: saved.providerName,
+      providerSource: "saved",
+      model: MISSING_SELECTION_PLACEHOLDER,
+      modelSource: "saved"
+    };
+  }
+  const providerName = flags.provider ?? (savedProviderExists ? savedProviderName : config.defaultProvider);
+  let providerConfig;
+  try {
+    providerConfig = resolveProviderConfig(config, providerName);
+  } catch {
+    return {
+      providerName,
+      providerSource: flags.provider ? "flag" : "config",
+      model: MISSING_SELECTION_PLACEHOLDER,
+      modelSource: "config"
+    };
+  }
+  const usesSavedProvider = !flags.provider && savedProviderExists && providerName === savedProviderName;
   const savedModel = usesSavedProvider && saved?.model ? saved.model : void 0;
+  const model = flags.model ?? savedModel ?? defaultModelForProvider(providerName, providerConfig);
   return {
     providerName,
     providerSource: flags.provider ? "flag" : usesSavedProvider ? "saved" : "config",
-    model: flags.model ?? savedModel ?? providerConfig.model,
-    modelSource: flags.model ? "flag" : savedModel ? "saved" : "config"
+    model,
+    modelSource: flags.model ? "flag" : savedModel ? "saved" : "config",
+    modelProfileName: providerModelProfiles(providerName, providerConfig).find((profile) => profile.model === model || profile.displayName === model || profile.name === model)?.name
   };
 }
 function selectProvider(config, selection, providerName) {
   const providerConfig = resolveProviderConfig(config, providerName);
+  const profiles = providerModelProfiles(providerName, providerConfig);
+  const profile = profiles[0];
   return {
     ...selection,
     providerName,
     providerSource: "interactive",
-    model: providerConfig.model,
-    modelSource: "config"
+    model: profile?.model ?? defaultModelForProvider(providerName, providerConfig),
+    modelSource: "config",
+    modelProfileName: profile?.name
   };
 }
 function selectModel(selection, model) {
   return {
     ...selection,
     model,
-    modelSource: "interactive"
+    modelSource: "interactive",
+    modelProfileName: void 0
   };
 }
+function providerCatalogAvailable(catalog) {
+  return catalog ? catalog.status === "ready" && catalog.models.length > 0 : true;
+}
+function unavailableLabel(value) {
+  return `(n/a) ${value}`;
+}
 
 // src/ui/plain/interactive.ts
 var PlainInteractivePrompt = class {
@@ -29775,7 +31191,7 @@ var PlainInteractivePrompt = class {
   #exitRequested = false;
   constructor(input2 = process.stdin, output2 = process.stderr) {
     this.#output = output2;
-    this.#rl = readline3.createInterface({ input: input2, output: output2 });
+    this.#rl = readline4.createInterface({ input: input2, output: output2 });
     this.#rl.on("line", (line) => this.#handleLine(line));
   }
   get exitRequested() {
@@ -29872,13 +31288,13 @@ async function askModel(promptUi, selection) {
 }
 
 // src/ui/preferences.ts
-import { mkdir as mkdir12, readFile as readFile15, writeFile as writeFile12 } from "node:fs/promises";
+import { mkdir as mkdir14, readFile as readFile17, writeFile as writeFile14 } from "node:fs/promises";
 import fs10 from "node:fs";
-import path30 from "node:path";
+import path34 from "node:path";
 var UiPreferenceStore = class {
   filePath;
   constructor(cwd, filePath) {
-    this.filePath = filePath ? path30.resolve(cwd, filePath) : path30.join(cwd, ".demian", "preferences.json");
+    this.filePath = filePath ? path34.resolve(cwd, filePath) : path34.join(cwd, ".demian", "preferences.json");
   }
   async load() {
     if (!fs10.existsSync(this.filePath)) return void 0;
@@ -29896,13 +31312,13 @@ var UiPreferenceStore = class {
       model: selection.model,
       updatedAt: Date.now()
     };
-    await mkdir12(path30.dirname(this.filePath), { recursive: true });
-    await writeFile12(this.filePath, `${JSON.stringify(file, null, 2)}
+    await mkdir14(path34.dirname(this.filePath), { recursive: true });
+    await writeFile14(this.filePath, `${JSON.stringify(file, null, 2)}
 `, { mode: 384 });
   }
   async #read() {
     try {
-      return JSON.parse(await readFile15(this.filePath, "utf8"));
+      return JSON.parse(await readFile17(this.filePath, "utf8"));
     } catch {
       return void 0;
     }
@@ -29918,6 +31334,8 @@ function preferenceKey(selection) {
 
 // src/cli.ts
 async function main(argv = process.argv.slice(2)) {
+  const configCommandResult = await maybeRunConfigCommand(argv);
+  if (configCommandResult !== void 0) return configCommandResult;
   const doctorResult = await maybeRunDoctorCommand(argv);
   if (doctorResult !== void 0) return doctorResult;
   const flags = parseArgs(argv);
@@ -29925,7 +31343,8 @@ async function main(argv = process.argv.slice(2)) {
     printHelp();
     return 0;
   }
-  const cwd = path31.resolve(flags.cwd ?? process.cwd());
+  if (!flags.noWizard) await runFirstRunWizard().catch(() => void 0);
+  const cwd = path35.resolve(flags.cwd ?? process.cwd());
   const config = await loadConfig({ cwd, configPath: flags.configPath });
   const agentName = flags.agent ?? config.defaultAgent;
   const preferenceStore = new UiPreferenceStore(cwd);
@@ -30014,9 +31433,9 @@ async function runPlainTask(options) {
     config: config.goals,
     eventBus,
     titleGenerator: async (input2) => {
-      const providerConfig2 = resolveProviderConfig(config, selection.providerName);
-      const resolved = resolveExecutionBackend(providerConfig2, {
-        model: selection.model,
+      const runtime2 = resolveProviderRuntimeConfig(config, selection);
+      const resolved = resolveExecutionBackend(runtime2.providerConfig, {
+        model: runtime2.model,
         onRetry: (event) => eventBus.emit({
           type: "provider.retry",
           sessionId: "goal-title",
@@ -30106,10 +31525,10 @@ async function runPlainTask(options) {
 `);
     return { history: interactiveHistoryFromRunMessages(result2.messages), lastExternalSessionKey: options.lastExternalSessionKey };
   }
-  const providerConfig = resolveProviderConfig(config, providerName);
   const runtimeAgent = activeGoal ? withGoalTools(agent) : agent;
-  const backend = resolveExecutionBackend(providerConfig, {
-    model: selection.model,
+  const runtime = resolveProviderRuntimeConfig(config, selection);
+  const backend = resolveExecutionBackend(runtime.providerConfig, {
+    model: runtime.model,
     config,
     agent: runtimeAgent,
     onRetry: (event) => eventBus.emit({
@@ -30213,6 +31632,10 @@ function parseArgs(argv) {
       out.transcript = false;
       continue;
     }
+    if (arg === "--no-wizard") {
+      out.noWizard = true;
+      continue;
+    }
     if (arg === "--goal") {
       out.goal = true;
       continue;
@@ -30287,6 +31710,10 @@ function printHelp() {
 
 Usage:
   demian-plain [flags]
+  demian-plain config init [--force]
+  demian-plain config add-provider <preset|openai-compatible> [--name <name>]
+  demian-plain config add-model <provider> --name <name> --model <model>
+  demian-plain auth login <codex|claudecode>
   demian-plain doctor policies --upgrade-namespaces [--write]
 
 Default:
@@ -30305,7 +31732,7 @@ Flags:
   --single-agent      force the current single-agent runtime
   --multi-agent       enable root-owned delegate_agent runtime
   --agent <name>       general, build, plan, execute, or a configured custom agent
-  --provider <name>    openai, gemini, ollama, lmstudio, vllm, llamacpp, openrouter, together, groq, azure, anthropic, codex, claudecode
+  --provider <name>    openai, anthropic, gemini, groq, azure, lmstudio, ollama-local, ollama-cloud, llamacpp, vllm, codex, claudecode
   --model <name>       override configured model
   --max-turns <n>      maximum model/tool loop turns
   --cwd <path>         workspace directory
@@ -30318,7 +31745,8 @@ Flags:
   --persistent-grants  persist "always" permission grants
   --no-persistent-grants
                        keep "always" grants session-local
-  --no-transcript      disable .demian transcript writes
+  --no-transcript      disable ~/.demian transcript writes
+  --no-wizard          skip the first-run config wizard
   --goal               run the prompt as an explicit /goal objective
                        /ralph-loop --fresh-context is single-agent only
   --config <path>      load an additional config file
@@ -30327,6 +31755,13 @@ Flags:
 Doctor:
   doctor policies --upgrade-namespaces
                        rewrite prefix-less permission rules as demian.<tool>
+
+Config:
+  config init          create ~/.demian/config.json
+  config models <provider> [--refresh]
+                       list configured or remote provider models
+  auth login codex|claudecode
+                       start the external OAuth login flow
 `);
 }
 if (import.meta.url === `file://${process.argv[1]}`) {