openmates 0.11.0-alpha.22 → 0.11.0-alpha.23

package/dist/{chunk-C6N5GXSK.js → chunk-Z7CD2LI4.js}

@@ -12,9 +12,14 @@ import qrcode from "qrcode-terminal";
 
 // src/crypto.ts
 import { webcrypto, createHash } from "crypto";
+import nacl from "tweetnacl";
 var cryptoApi = globalThis.crypto ?? webcrypto;
 var PAIR_KDF_ITERATIONS = 1e5;
+var SIGNUP_KDF_ITERATIONS = 1e5;
 var AES_GCM_IV_LENGTH = 12;
+var EMAIL_SALT_LENGTH = 16;
+var MASTER_KEY_LENGTH = 32;
+var NACL_NONCE_LENGTH = 24;
 var CIPHERTEXT_MAGIC_0 = 79;
 var CIPHERTEXT_MAGIC_1 = 77;
 var FINGERPRINT_LENGTH = 4;
@@ -30,6 +35,136 @@ function toArrayBuffer(input) {
   new Uint8Array(output).set(input);
   return output;
 }
+function generateSalt(length = EMAIL_SALT_LENGTH) {
+  return cryptoApi.getRandomValues(new Uint8Array(length));
+}
+function generateSecureRecoveryKey(length = 24) {
+  const uppercaseChars = "ABCDEFGHJKLMNPQRSTUVWXYZ";
+  const lowercaseChars = "abcdefghijkmnopqrstuvwxyz";
+  const numberChars = "23456789";
+  const specialChars = "#-=+_&%$";
+  const allChars = uppercaseChars + lowercaseChars + numberChars + specialChars;
+  const result = new Array(length);
+  const requiredSets = [uppercaseChars, lowercaseChars, numberChars, specialChars];
+  for (let index = 0; index < requiredSets.length && index < length; index += 1) {
+    const randomByte = cryptoApi.getRandomValues(new Uint8Array(1))[0];
+    const chars = requiredSets[index];
+    result[index] = chars.charAt(randomByte % chars.length);
+  }
+  const randomBytes3 = cryptoApi.getRandomValues(new Uint8Array(length));
+  for (let index = requiredSets.length; index < length; index += 1) {
+    result[index] = allChars.charAt(randomBytes3[index] % allChars.length);
+  }
+  for (let index = result.length - 1; index > 0; index -= 1) {
+    const randomByte = cryptoApi.getRandomValues(new Uint8Array(1))[0];
+    const swapIndex = Math.floor(randomByte / 256 * (index + 1));
+    [result[index], result[swapIndex]] = [result[swapIndex], result[index]];
+  }
+  return result.join("");
+}
+async function hashEmail(email) {
+  const hashBuffer = await cryptoApi.subtle.digest(
+    "SHA-256",
+    new TextEncoder().encode(email)
+  );
+  return bytesToBase64(new Uint8Array(hashBuffer));
+}
+async function hashKey(key, salt) {
+  const keyBytes = new TextEncoder().encode(key);
+  const dataToHash = salt ? new Uint8Array(keyBytes.length + salt.length) : keyBytes;
+  if (salt) {
+    dataToHash.set(keyBytes);
+    dataToHash.set(salt, keyBytes.length);
+  }
+  const hashBuffer = await cryptoApi.subtle.digest("SHA-256", toArrayBuffer(dataToHash));
+  return bytesToBase64(new Uint8Array(hashBuffer));
+}
+async function deriveKeyFromPassword(password, salt) {
+  const keyMaterial = await cryptoApi.subtle.importKey(
+    "raw",
+    new TextEncoder().encode(password),
+    "PBKDF2",
+    false,
+    ["deriveBits"]
+  );
+  const derivedBits = await cryptoApi.subtle.deriveBits(
+    {
+      name: "PBKDF2",
+      salt: toArrayBuffer(salt),
+      iterations: SIGNUP_KDF_ITERATIONS,
+      hash: "SHA-256"
+    },
+    keyMaterial,
+    256
+  );
+  return new Uint8Array(derivedBits);
+}
+async function encryptEmail(email, key) {
+  if (key.length !== MASTER_KEY_LENGTH) {
+    throw new Error(`Email encryption key must be 32 bytes, got ${key.length}`);
+  }
+  const nonce = nacl.randomBytes(NACL_NONCE_LENGTH);
+  const ciphertext = nacl.secretbox(new TextEncoder().encode(email), nonce, key);
+  const combined = new Uint8Array(nonce.length + ciphertext.length);
+  combined.set(nonce);
+  combined.set(ciphertext, nonce.length);
+  return bytesToBase64(combined);
+}
+async function encryptRawKeyWithAesGcm(rawKey, wrappingKeyBytes) {
+  const iv = cryptoApi.getRandomValues(new Uint8Array(AES_GCM_IV_LENGTH));
+  const wrappingKey = await cryptoApi.subtle.importKey(
+    "raw",
+    toArrayBuffer(wrappingKeyBytes),
+    { name: "AES-GCM" },
+    false,
+    ["encrypt"]
+  );
+  const encrypted = await cryptoApi.subtle.encrypt(
+    { name: "AES-GCM", iv: toArrayBuffer(iv) },
+    wrappingKey,
+    toArrayBuffer(rawKey)
+  );
+  return {
+    wrapped: bytesToBase64(new Uint8Array(encrypted)),
+    iv: bytesToBase64(iv)
+  };
+}
+async function createSignupCryptoMaterial(email, password) {
+  const normalizedEmail = email.trim().toLowerCase();
+  const emailSalt = generateSalt(EMAIL_SALT_LENGTH);
+  const passwordSalt = generateSalt(EMAIL_SALT_LENGTH);
+  const masterKey = generateSalt(MASTER_KEY_LENGTH);
+  const emailEncryptionKeyB64 = await deriveEmailEncryptionKeyB64(normalizedEmail, bytesToBase64(emailSalt));
+  const emailEncryptionKey = base64ToBytes(emailEncryptionKeyB64);
+  const wrappingKey = await deriveKeyFromPassword(password, passwordSalt);
+  const encryptedMasterKey = await encryptRawKeyWithAesGcm(masterKey, wrappingKey);
+  return {
+    hashedEmail: await hashEmail(normalizedEmail),
+    encryptedEmail: await encryptEmail(normalizedEmail, emailEncryptionKey),
+    encryptedEmailWithMasterKey: await encryptWithAesGcmCombined(normalizedEmail, masterKey),
+    userEmailSaltB64: bytesToBase64(emailSalt),
+    emailEncryptionKeyB64,
+    masterKeyB64: bytesToBase64(masterKey),
+    encryptedMasterKey: encryptedMasterKey.wrapped,
+    keyIv: encryptedMasterKey.iv,
+    saltB64: bytesToBase64(passwordSalt),
+    lookupHash: await hashKey(password, emailSalt)
+  };
+}
+async function createRecoveryKeyMaterial(masterKeyB64, userEmailSaltB64) {
+  const recoveryKey = generateSecureRecoveryKey();
+  const userEmailSalt = base64ToBytes(userEmailSaltB64);
+  const wrappingSalt = generateSalt(EMAIL_SALT_LENGTH);
+  const wrappingKey = await deriveKeyFromPassword(recoveryKey, wrappingSalt);
+  const encryptedMasterKey = await encryptRawKeyWithAesGcm(base64ToBytes(masterKeyB64), wrappingKey);
+  return {
+    recoveryKey,
+    lookupHash: await hashKey(recoveryKey, userEmailSalt),
+    wrappedMasterKey: encryptedMasterKey.wrapped,
+    keyIv: encryptedMasterKey.iv,
+    saltB64: bytesToBase64(wrappingSalt)
+  };
+}
 async function derivePairKey(pin, upperToken) {
   const encoder = new TextEncoder();
   const keyMaterial = await cryptoApi.subtle.importKey(
@@ -778,14 +913,14 @@ var OpenMatesWsClient = class {
     });
   }
   async open(timeoutMs = 1e4) {
-    await new Promise((resolve4, reject) => {
+    await new Promise((resolve5, reject) => {
       const timeout = setTimeout(
         () => reject(new Error("WebSocket open timeout")),
         timeoutMs
       );
       this.socket.once("open", () => {
         clearTimeout(timeout);
-        resolve4();
+        resolve5();
       });
       this.socket.once("error", (error) => {
         clearTimeout(timeout);
@@ -814,15 +949,15 @@ var OpenMatesWsClient = class {
     this.socket.send(JSON.stringify({ type, payload }));
   }
   sendAsync(type, payload) {
-    return new Promise((resolve4, reject) => {
+    return new Promise((resolve5, reject) => {
       this.socket.send(JSON.stringify({ type, payload }), (error) => {
         if (error) reject(error);
-        else resolve4();
+        else resolve5();
       });
     });
   }
   waitForMessage(expectedType, predicate, timeoutMs = 2e4) {
-    return new Promise((resolve4, reject) => {
+    return new Promise((resolve5, reject) => {
       const onMessage = (rawData) => {
         try {
           const parsed = JSON.parse(rawData.toString());
@@ -833,7 +968,7 @@ var OpenMatesWsClient = class {
             return;
           }
           cleanup();
-          resolve4(parsed);
+          resolve5(parsed);
         } catch {
         }
       };
@@ -866,14 +1001,14 @@ var OpenMatesWsClient = class {
    * Used by ensureSynced to consume the full phased-sync event stream.
    */
   collectMessages(terminatorType, timeoutMs = 9e4) {
-    return new Promise((resolve4, reject) => {
+    return new Promise((resolve5, reject) => {
       const collected = [];
       const onMessage = (rawData) => {
         try {
           const parsed = JSON.parse(rawData.toString());
           if (parsed.type === terminatorType) {
             cleanup();
-            resolve4(collected);
+            resolve5(collected);
             return;
           }
           collected.push(parsed);
@@ -886,7 +1021,7 @@ var OpenMatesWsClient = class {
       };
       const onClose = () => {
         cleanup();
-        resolve4(collected);
+        resolve5(collected);
       };
       const timeout = setTimeout(() => {
         cleanup();
@@ -924,7 +1059,7 @@ var OpenMatesWsClient = class {
     const timeoutMs = options?.timeoutMs ?? 9e4;
     const onStream = options?.onStream;
     const asyncEmbedWaitMs = options?.asyncEmbedWaitMs ?? 12e4;
-    return new Promise((resolve4, reject) => {
+    return new Promise((resolve5, reject) => {
       let latestContent = "";
       let messageId = null;
       let taskId = null;
@@ -980,7 +1115,7 @@ var OpenMatesWsClient = class {
         if (processingEmbedIds.size > 0 && !asyncEmbedTimer) {
           asyncEmbedTimer = setTimeout(() => {
             cleanup();
-            resolve4({
+            resolve5({
               messageId,
               taskId,
               content: latestContent,
@@ -995,7 +1130,7 @@ var OpenMatesWsClient = class {
         }
         if (processingEmbedIds.size > 0) return;
         cleanup();
-        resolve4({
+        resolve5({
           messageId,
           taskId,
           content: latestContent,
@@ -1164,7 +1299,7 @@ var OpenMatesWsClient = class {
       const onClose = () => {
         if (aiResponseDone) {
           cleanup();
-          resolve4({
+          resolve5({
             messageId,
             taskId,
             content: latestContent,
@@ -1261,6 +1396,20 @@ function fuzzyScore(query, candidate) {
   return Math.round(matched / Math.max(q.length, 1) * 40);
 }
 function resolveToken(token, context) {
+  const wireFocusMatch = token.match(/^focus:([a-z0-9_-]+):([a-z0-9_-]+)$/i);
+  if (wireFocusMatch) {
+    const [, appId, focusModeId] = wireFocusMatch;
+    const app = context.apps.find((candidate) => candidate.id === appId);
+    const focusMode = app?.focus_modes?.find((candidate) => candidate.id === focusModeId);
+    if (app && focusMode) {
+      return {
+        original: `@${token}`,
+        type: "focus_mode",
+        wireSyntax: `@focus:${app.id}:${focusMode.id}`,
+        displayName: `@${capitalize(app.name)}-${capitalize(focusMode.name).replace(/\s+/g, "-")}`
+      };
+    }
+  }
   const normalized = normalize(token);
   if (MODEL_ALIASES[normalized]) {
     return {
@@ -1666,7 +1815,7 @@ async function deriveKeyFromId(id) {
     ["encrypt"]
   );
 }
-async function deriveKeyFromPassword(password, id) {
+async function deriveKeyFromPassword2(password, id) {
   const material = await crypto.subtle.importKey(
     "raw",
     new TextEncoder().encode(password),
@@ -1692,7 +1841,7 @@ async function generateChatShareBlob(chatId, chatKeyBytes, durationSeconds = 0,
   let keyForBlob = Buffer.from(chatKeyBytes).toString("base64");
   let pwdFlag = 0;
   if (password && password.length > 0) {
-    const pwdKey = await deriveKeyFromPassword(password, chatId);
+    const pwdKey = await deriveKeyFromPassword2(password, chatId);
     keyForBlob = await encryptAESGCM(enc.encode(keyForBlob), pwdKey);
     pwdFlag = 1;
   }
@@ -1710,7 +1859,7 @@ async function generateEmbedShareBlob(embedId, embedKeyBytes, durationSeconds =
   let keyForBlob = Buffer.from(embedKeyBytes).toString("base64");
   let pwdFlag = 0;
   if (password && password.length > 0) {
-    const pwdKey = await deriveKeyFromPassword(password, embedId);
+    const pwdKey = await deriveKeyFromPassword2(password, embedId);
     keyForBlob = await encryptAESGCM(enc.encode(keyForBlob), pwdKey);
     pwdFlag = 1;
   }
@@ -2275,6 +2424,168 @@ var OpenMatesClient = class _OpenMatesClient {
     }
     clearSession();
   }
+  async requestSignupEmailCode(params) {
+    const hashedEmail = await hashEmail(params.email.trim().toLowerCase());
+    const response = await this.http.post(
+      "/v1/auth/request_confirm_email_code",
+      {
+        email: params.email.trim().toLowerCase(),
+        hashed_email: hashedEmail,
+        invite_code: params.inviteCode ?? "",
+        language: params.language ?? "en",
+        darkmode: params.darkmode ?? false
+      },
+      this.getCliRequestHeaders()
+    );
+    if (!response.ok || response.data.success === false) {
+      throw new Error(response.data.message ?? `Email code request failed (HTTP ${response.status})`);
+    }
+    return response.data;
+  }
+  async verifySignupEmailCode(params) {
+    const response = await this.http.post(
+      "/v1/auth/check_confirm_email_code",
+      {
+        code: params.code,
+        email: params.email.trim().toLowerCase(),
+        username: params.username,
+        invite_code: params.inviteCode ?? "",
+        language: params.language ?? "en",
+        darkmode: params.darkmode ?? false
+      },
+      this.getCliRequestHeaders()
+    );
+    if (!response.ok || response.data.success === false) {
+      throw new Error(response.data.message ?? `Email code verification failed (HTTP ${response.status})`);
+    }
+    return response.data;
+  }
+  async setupPasswordAccount(params) {
+    const material = await createSignupCryptoMaterial(params.email, params.password);
+    const response = await this.http.post(
+      "/v1/auth/setup_password",
+      {
+        hashed_email: material.hashedEmail,
+        encrypted_email: material.encryptedEmail,
+        user_email_salt: material.userEmailSaltB64,
+        username: params.username,
+        invite_code: params.inviteCode ?? "",
+        encrypted_master_key: material.encryptedMasterKey,
+        key_iv: material.keyIv,
+        salt: material.saltB64,
+        lookup_hash: material.lookupHash,
+        language: params.language ?? "en",
+        darkmode: params.darkmode ?? false
+      },
+      this.getCliRequestHeaders()
+    );
+    if (!response.ok || !response.data.success) {
+      throw new Error(response.data.message ?? `Password signup failed (HTTP ${response.status})`);
+    }
+    const session = {
+      apiUrl: this.apiUrl,
+      sessionId: randomUUID2(),
+      wsToken: null,
+      cookies: this.http.getCookieMap(),
+      masterKeyExportedB64: material.masterKeyB64,
+      emailEncryptionKeyB64: material.emailEncryptionKeyB64,
+      hashedEmail: material.hashedEmail,
+      userEmailSalt: material.userEmailSaltB64,
+      createdAt: Date.now(),
+      authorizerDeviceName: null,
+      autoLogoutMinutes: null
+    };
+    saveSession(session);
+    this.session = session;
+    return {
+      success: true,
+      message: response.data.message ?? "Account created.",
+      user: response.data.user,
+      crypto: material
+    };
+  }
+  async startTotpSetup() {
+    const session = this.requireSession();
+    const emailEncryptionKey = await this.ensureEmailEncryptionKey(session);
+    const response = await this.http.post(
+      "/v1/auth/2fa/setup/initiate",
+      { email_encryption_key: emailEncryptionKey },
+      this.getCliRequestHeaders()
+    );
+    if (!response.ok || !response.data.success) {
+      throw new Error(response.data.message ?? `2FA setup failed (HTTP ${response.status})`);
+    }
+    return response.data;
+  }
+  renderTotpQrCode(otpauthUrl) {
+    qrcode.generate(otpauthUrl, { small: true });
+  }
+  async verifyTotpSetup(code) {
+    this.requireSession();
+    const response = await this.http.post(
+      "/v1/auth/2fa/setup/verify-signup",
+      { code },
+      this.getCliRequestHeaders()
+    );
+    if (!response.ok || response.data.success === false) {
+      throw new Error(response.data.message ?? `2FA verification failed (HTTP ${response.status})`);
+    }
+    return response.data;
+  }
+  async setTotpProvider(provider) {
+    this.requireSession();
+    const response = await this.http.post(
+      "/v1/auth/2fa/setup/provider",
+      { provider },
+      this.getCliRequestHeaders()
+    );
+    if (!response.ok || response.data.success === false) {
+      throw new Error(response.data.message ?? `2FA provider save failed (HTTP ${response.status})`);
+    }
+    return response.data;
+  }
+  async requestBackupCodes() {
+    this.requireSession();
+    const response = await this.http.get(
+      "/v1/auth/2fa/setup/request-backup-codes",
+      this.getCliRequestHeaders()
+    );
+    if (!response.ok || !response.data.success) {
+      throw new Error(response.data.message ?? `Backup-code request failed (HTTP ${response.status})`);
+    }
+    return response.data;
+  }
+  async confirmBackupCodesStored() {
+    this.requireSession();
+    const response = await this.http.post(
+      "/v1/auth/2fa/setup/confirm-codes-stored",
+      { confirmed: true },
+      this.getCliRequestHeaders()
+    );
+    if (!response.ok || response.data.success === false) {
+      throw new Error(response.data.message ?? `Backup-code confirmation failed (HTTP ${response.status})`);
+    }
+    return response.data;
+  }
+  async createAndConfirmRecoveryKey() {
+    const session = this.requireSession();
+    const material = await createRecoveryKeyMaterial(session.masterKeyExportedB64, session.userEmailSalt);
+    const response = await this.http.post(
+      "/v1/auth/recovery-key/confirm-stored",
+      {
+        confirmed: true,
+        lookup_hash: material.lookupHash,
+        wrapped_master_key: material.wrappedMasterKey,
+        key_iv: material.keyIv,
+        salt: material.saltB64
+      },
+      this.getCliRequestHeaders()
+    );
+    if (!response.ok || response.data.success === false) {
+      throw new Error(response.data.message ?? `Recovery-key confirmation failed (HTTP ${response.status})`);
+    }
+    return material;
+  }
   // -------------------------------------------------------------------------
   // Chats
   // -------------------------------------------------------------------------
@@ -3176,7 +3487,7 @@ var OpenMatesClient = class _OpenMatesClient {
       if (response.data.status === "failed") {
         throw new Error(response.data.error ?? "Task failed");
       }
-      await new Promise((resolve4) => setTimeout(resolve4, SKILL_TASK_POLL_INTERVAL_MS));
+      await new Promise((resolve5) => setTimeout(resolve5, SKILL_TASK_POLL_INTERVAL_MS));
     }
     throw new Error(`Task ${taskId} did not complete within ${SKILL_TASK_POLL_TIMEOUT_MS / 1e3}s`);
   }
@@ -3328,6 +3639,24 @@ var OpenMatesClient = class _OpenMatesClient {
     }
     return this.resolveAsyncSkillResponse(response.data, headers);
   }
+  getCodeRunStreamAuth() {
+    const session = this.session;
+    if (!session) return null;
+    const token = session.wsToken || session.cookies.auth_refresh_token;
+    if (!token) return null;
+    return { sessionId: session.sessionId, token };
+  }
+  async getCodeRunStatus(path, apiKey) {
+    const headers = {
+      ...this.getCliRequestHeaders()
+    };
+    if (apiKey) headers.Authorization = `Bearer ${apiKey}`;
+    const response = await this.http.get(path, headers);
+    if (!response.ok) {
+      throw new Error(`Code Run status request failed with HTTP ${response.status}`);
+    }
+    return response.data;
+  }
   // -------------------------------------------------------------------------
   // Travel: booking link resolution
   // -------------------------------------------------------------------------
@@ -3375,7 +3704,7 @@ var OpenMatesClient = class _OpenMatesClient {
         `Rate limited by settings API; retrying in ${Math.ceil(SETTINGS_GET_RATE_LIMIT_RETRY_MS / 1e3)}s...
 `
       );
-      await new Promise((resolve4) => setTimeout(resolve4, SETTINGS_GET_RATE_LIMIT_RETRY_MS));
+      await new Promise((resolve5) => setTimeout(resolve5, SETTINGS_GET_RATE_LIMIT_RETRY_MS));
       response = await this.http.get(normalizedPath, this.getCliRequestHeaders());
     }
     if (!response.ok) {
@@ -3435,10 +3764,11 @@ var OpenMatesClient = class _OpenMatesClient {
   // Gift cards (under /v1/payments, not /v1/settings)
   // -------------------------------------------------------------------------
   async redeemGiftCard(code) {
-    this.requireSession();
+    const session = this.requireSession();
+    const emailEncryptionKey = await this.ensureEmailEncryptionKey(session);
     const response = await this.http.post(
       "/v1/payments/redeem-gift-card",
-      { code },
+      { code, email_encryption_key: emailEncryptionKey },
       this.getCliRequestHeaders()
     );
     if (!response.ok) {
@@ -3459,6 +3789,86 @@ var OpenMatesClient = class _OpenMatesClient {
     }
     return response.data;
   }
+  async listPurchasedGiftCards() {
+    this.requireSession();
+    const response = await this.http.get(
+      "/v1/payments/purchased-gift-cards",
+      this.getCliRequestHeaders()
+    );
+    if (!response.ok) {
+      throw new Error(
+        `Failed to fetch purchased gift cards (HTTP ${response.status})`
+      );
+    }
+    return response.data;
+  }
+  async createBankTransferOrder(creditsAmount) {
+    const session = this.requireSession();
+    const emailEncryptionKey = await this.ensureEmailEncryptionKey(session);
+    const response = await this.http.post(
+      "/v1/payments/create-bank-transfer-order",
+      {
+        credits_amount: creditsAmount,
+        currency: "eur",
+        email_encryption_key: emailEncryptionKey
+      },
+      this.getCliRequestHeaders()
+    );
+    if (!response.ok) {
+      throw new Error(`Bank transfer order failed (HTTP ${response.status})`);
+    }
+    return response.data;
+  }
+  async createGiftCardBankTransferOrder(creditsAmount) {
+    const session = this.requireSession();
+    const emailEncryptionKey = await this.ensureEmailEncryptionKey(session);
+    const response = await this.http.post(
+      "/v1/payments/create-gift-card-bank-transfer-order",
+      {
+        credits_amount: creditsAmount,
+        currency: "eur",
+        email_encryption_key: emailEncryptionKey
+      },
+      this.getCliRequestHeaders()
+    );
+    if (!response.ok) {
+      throw new Error(`Gift card bank transfer order failed (HTTP ${response.status})`);
+    }
+    return response.data;
+  }
+  async getBankTransferStatus(orderId) {
+    this.requireSession();
+    const response = await this.http.get(
+      `/v1/payments/bank-transfer-status/${encodeURIComponent(orderId)}`,
+      this.getCliRequestHeaders()
+    );
+    if (!response.ok) {
+      throw new Error(`Failed to fetch bank transfer status (HTTP ${response.status})`);
+    }
+    return response.data;
+  }
+  async listBankTransferOrders() {
+    this.requireSession();
+    const response = await this.http.get(
+      "/v1/payments/bank-transfer-pending",
+      this.getCliRequestHeaders()
+    );
+    if (!response.ok) {
+      throw new Error(`Failed to fetch bank transfer orders (HTTP ${response.status})`);
+    }
+    return response.data;
+  }
+  async getGiftCardPurchaseStatus(orderId) {
+    this.requireSession();
+    const response = await this.http.get(
+      `/v1/payments/gift-card-purchase-status/${encodeURIComponent(orderId)}`,
+      this.getCliRequestHeaders()
+    );
+    if (!response.ok) {
+      throw new Error(`Failed to fetch gift card purchase status (HTTP ${response.status})`);
+    }
+    return response.data;
+  }
   async listInvoices() {
     this.requireSession();
     const response = await this.http.get(
@@ -3495,6 +3905,63 @@ var OpenMatesClient = class _OpenMatesClient {
     }
     return response.data;
   }
+  async getAuthMethodsStatus() {
+    this.requireSession();
+    const response = await this.http.get(
+      "/v1/payments/user-auth-methods",
+      this.getCliRequestHeaders()
+    );
+    if (!response.ok) {
+      throw new Error(`Failed to fetch auth methods (HTTP ${response.status})`);
+    }
+    return response.data;
+  }
+  async requestDeleteAccountEmailCode() {
+    const session = this.requireSession();
+    const emailEncryptionKey = await this.ensureEmailEncryptionKey(session);
+    const response = await this.http.post(
+      "/v1/settings/request-action-verification",
+      { action: "delete_account", email_encryption_key: emailEncryptionKey },
+      this.getCliRequestHeaders()
+    );
+    if (!response.ok) {
+      throw new Error(`Failed to request account deletion email code (HTTP ${response.status})`);
+    }
+    return response.data;
+  }
+  async verifyDeleteAccountEmailCode(code) {
+    this.requireSession();
+    const response = await this.http.post(
+      "/v1/settings/verify-action-code",
+      { action: "delete_account", code },
+      this.getCliRequestHeaders()
+    );
+    if (!response.ok) {
+      throw new Error(`Account deletion email code verification failed (HTTP ${response.status})`);
+    }
+    return response.data;
+  }
+  async deleteAccountWithCliVerification(totpCode) {
+    const session = this.requireSession();
+    const emailEncryptionKey = await this.ensureEmailEncryptionKey(session);
+    const response = await this.http.post(
+      "/v1/settings/delete-account",
+      {
+        confirm_data_deletion: true,
+        auth_method: totpCode ? "2fa_otp" : "email_otp",
+        auth_code: totpCode,
+        email_encryption_key: emailEncryptionKey,
+        require_email_verification: true
+      },
+      this.getCliRequestHeaders()
+    );
+    if (!response.ok) {
+      throw new Error(`Account deletion failed (HTTP ${response.status})`);
+    }
+    clearSession();
+    clearSyncCache();
+    return response.data;
+  }
   async updateUsername(username) {
     return this.settingsPost("user/username", { username });
   }
@@ -4490,7 +4957,7 @@ function filenameFromContentDisposition(header2) {
   return plain?.trim() ?? null;
 }
 function sleep(ms) {
-  return new Promise((resolve4) => setTimeout(resolve4, ms));
+  return new Promise((resolve5) => setTimeout(resolve5, ms));
 }
 function printLogo() {
   const W = "\x1B[1;37m";
@@ -4506,6 +4973,7 @@ function printLogo() {
 
 // src/cli.ts
 import { createInterface as createInterface3 } from "readline/promises";
+import WebSocket2 from "ws";
 
 // ../secret-scanner/src/registry.ts
 import { createRequire as createRequire2 } from "module";
@@ -6883,9 +7351,9 @@ function exec(cmd, cwd) {
   return execSync(cmd, { cwd, encoding: "utf-8", stdio: ["pipe", "pipe", "pipe"] }).trim();
 }
 function runInteractive(cmd, args, cwd) {
-  return new Promise((resolve4, reject) => {
+  return new Promise((resolve5, reject) => {
     const child = nodeSpawn(cmd, args, { cwd, stdio: "inherit", shell: false });
-    child.on("close", (code) => resolve4(code ?? 1));
+    child.on("close", (code) => resolve5(code ?? 1));
     child.on("error", reject);
   });
 }
@@ -7057,10 +7525,10 @@ function warnIfMissingLlmCredentials(installPath) {
 }
 async function confirmDestructive(phrase) {
   const rl = createInterface2({ input: process.stdin, output: process.stderr });
-  return new Promise((resolve4) => {
+  return new Promise((resolve5) => {
     rl.question(`Type "${phrase}" to confirm: `, (answer) => {
       rl.close();
-      resolve4(answer.trim() === phrase);
+      resolve5(answer.trim() === phrase);
     });
   });
 }
@@ -7593,6 +8061,214 @@ async function handleServer(subcommand, rest, flags) {
   }
 }
 
+// src/codeRunInput.ts
+import { readdir, readFile, stat } from "fs/promises";
+import { basename as basename2, relative, resolve as resolve4 } from "path";
+var CODE_RUN_MAX_FILES = 50;
+var CODE_RUN_MAX_FILE_BYTES = 1e6;
+var CODE_RUN_MAX_TOTAL_BYTES = 1e7;
+var DEFAULT_IGNORES = [".git", "node_modules", "__pycache__", ".venv", "dist", "build"];
+async function buildCodeRunRequestsFromFlags(flags) {
+  if (flags.chat || flags.targetEmbed) {
+    if (!flags.chat || !flags.targetEmbed) {
+      throw new Error("Chat-bound Code Run requires both --chat and --target-embed.");
+    }
+    return [{
+      mode: "chat_bound",
+      chat_id: flags.chat,
+      target_embed_id: flags.targetEmbed,
+      enable_internet: flags.noInternet !== true,
+      files: []
+    }];
+  }
+  const files = [];
+  const seen = /* @__PURE__ */ new Set();
+  const entry = flags.entry ? normalizeCodeRunPath(flags.entry) : void 0;
+  let totalBytes = 0;
+  const addFile = (file, byteLength) => {
+    const path = normalizeCodeRunPath(file.path);
+    if (seen.has(path)) throw new Error(`Duplicate Code Run file path: ${path}`);
+    seen.add(path);
+    totalBytes += byteLength;
+    if (files.length + 1 > CODE_RUN_MAX_FILES) throw new Error(`Code Run supports at most ${CODE_RUN_MAX_FILES} files.`);
+    if (byteLength > CODE_RUN_MAX_FILE_BYTES) throw new Error(`Code Run file is too large: ${path}`);
+    if (totalBytes > CODE_RUN_MAX_TOTAL_BYTES) throw new Error("Code Run file bundle is too large.");
+    files.push({ ...file, path });
+  };
+  if (flags.code !== void 0) {
+    const filename = normalizeCodeRunPath(flags.filename || entry || defaultFilename(flags.language));
+    const buffer = Buffer.from(flags.code, "utf8");
+    addFile({
+      path: filename,
+      content_base64: buffer.toString("base64"),
+      language: flags.language || inferLanguage(filename),
+      mime_type: "text/plain",
+      is_target: true
+    }, buffer.byteLength);
+  }
+  for (const filePath of toList(flags.file)) {
+    const absolute = resolve4(filePath);
+    const buffer = await readFile(absolute);
+    const sandboxPath = normalizeCodeRunPath(basename2(filePath));
+    addFile({
+      path: sandboxPath,
+      content_base64: buffer.toString("base64"),
+      language: inferLanguage(sandboxPath),
+      mime_type: "text/plain",
+      is_target: entry ? sandboxPath === entry : files.length === 0
+    }, buffer.byteLength);
+  }
+  for (const dirPath of toList(flags.dir)) {
+    const root = resolve4(dirPath);
+    const dirFiles = await collectDirectoryFiles(root, flags.include, flags.exclude);
+    for (const absolute of dirFiles) {
+      const sandboxPath = normalizeCodeRunPath(relative(root, absolute).replace(/\\/g, "/"));
+      const buffer = await readFile(absolute);
+      addFile({
+        path: sandboxPath,
+        content_base64: buffer.toString("base64"),
+        language: inferLanguage(sandboxPath),
+        mime_type: "text/plain",
+        is_target: entry ? sandboxPath === entry : files.length === 0
+      }, buffer.byteLength);
+    }
+  }
+  for (const url of toList(flags.url)) {
+    const response = await fetch(url);
+    if (!response.ok) throw new Error(`Failed to download Code Run URL ${redactUrl(url)} (HTTP ${response.status})`);
+    const text = await response.text();
+    const urlPath = new URL(url).pathname;
+    const sandboxPath = normalizeCodeRunPath(entry || basename2(urlPath) || "main.txt");
+    const buffer = Buffer.from(text, "utf8");
+    addFile({
+      path: sandboxPath,
+      content_base64: buffer.toString("base64"),
+      language: inferLanguage(sandboxPath),
+      mime_type: "text/plain",
+      is_target: true
+    }, buffer.byteLength);
+  }
+  if (flags.repo) {
+    await addGithubRepoFiles(flags.repo, toList(flags.include), async (path, text) => {
+      const sandboxPath = normalizeCodeRunPath(path);
+      const buffer = Buffer.from(text, "utf8");
+      addFile({
+        path: sandboxPath,
+        content_base64: buffer.toString("base64"),
+        language: inferLanguage(sandboxPath),
+        mime_type: "text/plain",
+        is_target: entry ? sandboxPath === entry : files.length === 0
+      }, buffer.byteLength);
+    });
+  }
+  if (files.length === 0) throw new Error("Code Run requires --code, --file, --dir, --url, --repo, or --chat/--target-embed.");
+  const entryPath = entry || files.find((file) => file.is_target)?.path || files[0].path;
+  if (!files.some((file) => file.path === entryPath)) throw new Error(`Code Run entry file was not included: ${entryPath}`);
+  for (const file of files) file.is_target = file.path === entryPath;
+  return [{
+    mode: "direct",
+    entry_path: entryPath,
+    enable_internet: flags.noInternet !== true,
+    files
+  }];
+}
+function buildCodeRunStreamUrl(params) {
+  const base = params.apiUrl.replace(/\/$/, "").replace(/^http:/, "ws:").replace(/^https:/, "wss:");
+  const query = new URLSearchParams({ sessionId: params.sessionId, token: params.token });
+  return `${base}/v1/code/run/${encodeURIComponent(params.executionId)}/stream?${query.toString()}`;
+}
+function normalizeCodeRunPath(rawPath) {
+  const path = rawPath.trim().replace(/\\/g, "/");
+  if (!path || path.includes("\0") || path.startsWith("/") || path.startsWith("~/") || /^[A-Za-z]:\//.test(path)) {
+    throw new Error(`Unsafe Code Run path: ${rawPath}`);
+  }
+  const parts = path.split("/");
+  if (parts.some((part) => !part || part === "." || part === "..")) {
+    throw new Error(`Unsafe Code Run path: ${rawPath}`);
+  }
+  return parts.join("/");
+}
+async function collectDirectoryFiles(root, include, exclude) {
+  const includes = toList(include);
+  const excludes = [...DEFAULT_IGNORES, ...toList(exclude)];
+  const files = [];
+  async function walk(directory) {
+    for (const entry of await readdir(directory, { withFileTypes: true })) {
+      const absolute = resolve4(directory, entry.name);
+      const rel = relative(root, absolute).replace(/\\/g, "/");
+      if (matchesAny(rel, excludes) || matchesAny(entry.name, excludes)) continue;
+      if (entry.isDirectory()) {
+        await walk(absolute);
+      } else if (entry.isFile()) {
+        if (includes.length === 0 || matchesAny(rel, includes)) files.push(absolute);
+      }
+    }
+  }
+  const rootStat = await stat(root);
+  if (!rootStat.isDirectory()) throw new Error(`Code Run --dir is not a directory: ${root}`);
+  await walk(root);
+  return files.sort();
+}
+async function addGithubRepoFiles(repoUrl, includes, add) {
+  if (includes.length === 0) throw new Error("Code Run --repo requires at least one --include path in v1.");
+  const parsed = parseGithubRepoUrl(repoUrl);
+  for (const includePath of includes) {
+    const path = normalizeCodeRunPath(includePath);
+    const rawUrl = `https://raw.githubusercontent.com/${parsed.owner}/${parsed.repo}/${parsed.ref}/${path}`;
+    const response = await fetch(rawUrl);
+    if (!response.ok) throw new Error(`Failed to download GitHub file ${path} (HTTP ${response.status})`);
+    await add(path, await response.text());
+  }
+}
+function parseGithubRepoUrl(repoUrl) {
+  const url = new URL(repoUrl);
+  if (url.hostname !== "github.com") throw new Error("Code Run --repo supports public github.com URLs in v1.");
+  const parts = url.pathname.split("/").filter(Boolean);
+  if (parts.length < 2) throw new Error("Invalid GitHub repository URL.");
+  return { owner: parts[0], repo: parts[1].replace(/\.git$/, ""), ref: "main" };
+}
+function toList(value) {
+  if (Array.isArray(value)) return value.flatMap((item) => item.split("\n")).filter(Boolean);
+  if (typeof value === "string") return value.split("\n").filter(Boolean);
+  return [];
+}
+function matchesAny(path, patterns) {
+  return patterns.some((pattern) => matchesPattern(path, pattern));
+}
+function matchesPattern(path, pattern) {
+  if (!pattern) return false;
+  if (pattern.includes("*")) {
+    const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
+    return new RegExp(`^${escaped}$`).test(path) || new RegExp(`(^|/)${escaped}$`).test(path);
+  }
+  return path === pattern || path.startsWith(`${pattern}/`) || path.endsWith(`/${pattern}`);
+}
+function inferLanguage(path) {
+  const ext = path.split(".").pop()?.toLowerCase();
+  if (ext === "py") return "python";
+  if (ext === "js" || ext === "mjs" || ext === "cjs") return "javascript";
+  if (ext === "ts") return "typescript";
+  if (ext === "sh") return "bash";
+  if (ext === "go") return "go";
+  if (ext === "rs") return "rust";
+  if (ext === "c") return "c";
+  if (ext === "cc" || ext === "cpp" || ext === "cxx") return "cpp";
+  return "";
+}
+function defaultFilename(language) {
+  if (language === "python" || language === "py") return "main.py";
+  if (language === "javascript" || language === "js" || language === "node") return "main.js";
+  if (language === "typescript" || language === "ts") return "main.ts";
+  if (language === "bash" || language === "sh") return "main.sh";
+  return "main.txt";
+}
+function redactUrl(rawUrl) {
+  const url = new URL(rawUrl);
+  url.search = "";
+  url.hash = "";
+  return url.toString();
+}
+
 // src/cli.ts
 async function main() {
   const parsed = parseArgs(process.argv.slice(2));
@@ -7625,6 +8301,14 @@ async function main() {
       printSettingsHelp(client);
       return;
     }
+    if (command === "signup") {
+      printSignupHelp();
+      return;
+    }
+    if (command === "e2e") {
+      printE2EHelp();
+      return;
+    }
     if (command === "mentions") {
       printMentionsHelp();
       return;
@@ -7665,6 +8349,14 @@ async function main() {
     console.log("Login successful.");
     return;
   }
+  if (command === "signup") {
+    await handleSignup(client, parsed.flags);
+    return;
+  }
+  if (command === "e2e") {
+    await handleE2E(client, subcommand, rest, parsed.flags);
+    return;
+  }
   if (command === "logout") {
     await client.logout();
     console.log("Logged out.");
@@ -7916,10 +8608,10 @@ Run 'openmates chats show ` + chatId + "' to check if suggestions have been save
         input: process.stdin,
         output: process.stdout
       });
-      const answer = await new Promise((resolve4) => {
+      const answer = await new Promise((resolve5) => {
         iface.question(
           `Delete ${resolved.length} chat(s)? This cannot be undone. [y/N] `,
-          resolve4
+          resolve5
         );
       });
       iface.close();
@@ -8473,6 +9165,10 @@ The booking_token is shown in the output of:
     }
     return;
   }
+  if (subcommand === "code" && rest[0] === "run") {
+    await handleCodeRun(client, flags, apiKey);
+    return;
+  }
   const app = subcommand;
   const skill = rest[0];
   if (app && skill) {
@@ -8588,6 +9284,100 @@ Usage:
   printAppsHelp();
   process.exit(1);
 }
+async function handleCodeRun(client, flags, apiKey) {
+  const requests = await buildCodeRunRequestsFromFlags({
+    code: typeof flags.code === "string" ? flags.code : void 0,
+    language: typeof flags.language === "string" ? flags.language : void 0,
+    filename: typeof flags.filename === "string" ? flags.filename : void 0,
+    entry: typeof flags.entry === "string" ? flags.entry : void 0,
+    file: typeof flags.file === "string" ? flags.file : void 0,
+    dir: typeof flags.dir === "string" ? flags.dir : void 0,
+    url: typeof flags.url === "string" ? flags.url : void 0,
+    repo: typeof flags.repo === "string" ? flags.repo : void 0,
+    include: typeof flags.include === "string" ? flags.include : void 0,
+    exclude: typeof flags.exclude === "string" ? flags.exclude : void 0,
+    noInternet: flags["no-internet"] === true,
+    chat: typeof flags.chat === "string" ? flags.chat : void 0,
+    targetEmbed: typeof flags["target-embed"] === "string" ? flags["target-embed"] : void 0
+  });
+  if (flags.json !== true) {
+    const first = requests[0];
+    if (first.mode === "direct") {
+      process.stderr.write(`Starting Code Run for ${first.entry_path} (${first.files.length} file${first.files.length === 1 ? "" : "s"})...
+`);
+    }
+  }
+  const response = await client.runSkill({
+    app: "code",
+    skill: "run",
+    inputData: { requests },
+    apiKey
+  });
+  const result = response.data?.results?.[0];
+  if (!result?.execution_id || !result.status_path) {
+    throw new Error("Code Run did not return an execution id.");
+  }
+  const streamAuth = apiKey ? null : client.getCodeRunStreamAuth();
+  let finalStatus;
+  if (streamAuth && result.stream_path) {
+    const url = buildCodeRunStreamUrl({
+      apiUrl: client.apiUrl,
+      executionId: result.execution_id,
+      sessionId: streamAuth.sessionId,
+      token: streamAuth.token
+    });
+    finalStatus = await streamCodeRunToTerminal(url, flags.json === true);
+  } else {
+    finalStatus = await pollCodeRunStatus(client, result.status_path, apiKey, flags.json === true);
+  }
+  if (flags.json === true) {
+    printJson2({ ...result, final: finalStatus });
+  }
+}
+async function streamCodeRunToTerminal(url, jsonMode) {
+  return await new Promise((resolve5, reject) => {
+    const ws = new WebSocket2(url);
+    let lastStatus = {};
+    ws.on("message", (data) => {
+      try {
+        const message = JSON.parse(String(data));
+        const payload = message.payload ?? {};
+        if (message.type === "code_run_event") {
+          const kind = String(payload.kind ?? "status");
+          const text = String(payload.text ?? "");
+          if (!jsonMode) {
+            if (kind === "stdout") process.stdout.write(text);
+            else process.stderr.write(text);
+          }
+        } else if (message.type === "code_run_update") {
+          lastStatus = { ...lastStatus, ...payload };
+          const status = String(payload.status ?? "");
+          if (["finished", "failed", "timeout", "cancelled"].includes(status)) {
+            ws.close();
+            resolve5(lastStatus);
+          }
+        }
+      } catch (err) {
+        ws.close();
+        reject(err);
+      }
+    });
+    ws.on("error", () => reject(new Error("Code Run stream failed.")));
+    ws.on("close", () => {
+      if (Object.keys(lastStatus).length > 0) resolve5(lastStatus);
+    });
+  });
+}
+async function pollCodeRunStatus(client, statusPath, apiKey, jsonMode) {
+  for (; ; ) {
+    const status = await client.getCodeRunStatus(statusPath, apiKey);
+    const value = String(status.status ?? "");
+    if (!jsonMode && value) process.stderr.write(`Code Run status: ${value}
+`);
+    if (["finished", "failed", "timeout", "cancelled"].includes(value)) return status;
+    await new Promise((resolve5) => setTimeout(resolve5, 1e3));
+  }
+}
 function buildSkillInput(flags, inlineTokens, schemaParams) {
   if (typeof flags.input === "string") {
     return JSON.parse(flags.input);
@@ -8742,6 +9532,7 @@ var SETTINGS_EXECUTABLE_COMMANDS = [
   { path: ["account", "profile-picture", "set"], description: "Upload a profile picture", examples: ["openmates settings account profile-picture set ./avatar.jpg"] },
   { path: ["account", "chats", "stats"], description: "Show chat statistics", examples: ["openmates settings account chats stats"] },
   { path: ["account", "delete", "preview"], description: "Preview account deletion impact", examples: ["openmates settings account delete preview"] },
+  { path: ["account", "delete"], description: "Delete your account with email code plus 2FA when configured", examples: ["openmates settings account delete --yes"] },
   { path: ["account", "storage", "overview"], description: "Show storage overview", examples: ["openmates settings account storage overview"] },
   { path: ["account", "storage", "files"], description: "List stored files", examples: ["openmates settings account storage files --category images"] },
   { path: ["account", "storage", "delete"], description: "Delete one stored file by file ID", examples: ["openmates settings account storage delete <file-id> --yes"] },
@@ -8756,12 +9547,18 @@ var SETTINGS_EXECUTABLE_COMMANDS = [
   { path: ["billing", "usage", "summaries"], description: "Show usage summaries", examples: ["openmates settings billing usage summaries"] },
   { path: ["billing", "usage", "daily"], description: "Show daily usage overview", examples: ["openmates settings billing usage daily"] },
   { path: ["billing", "usage", "export"], description: "Export usage data", examples: ["openmates settings billing usage export --json"] },
+  { path: ["billing", "buy-credits", "bank-transfer"], description: "Buy credits by SEPA bank transfer", examples: ["openmates settings billing buy-credits bank-transfer --credits 110000"] },
+  { path: ["billing", "bank-transfer", "status"], description: "Show bank-transfer order status", examples: ["openmates settings billing bank-transfer status <order-id>"] },
+  { path: ["billing", "bank-transfer", "list"], description: "List pending bank-transfer orders", examples: ["openmates settings billing bank-transfer list"] },
   { path: ["billing", "invoices", "list"], description: "List invoices", examples: ["openmates settings billing invoices list --json"] },
   { path: ["billing", "invoices", "download"], description: "Download an invoice PDF", examples: ["openmates settings billing invoices download <invoice-id> --output ./invoices"] },
   { path: ["billing", "invoices", "credit-note"], description: "Download a credit note PDF", examples: ["openmates settings billing invoices credit-note <invoice-id> --output ./invoices"] },
   { path: ["billing", "invoices", "refund"], description: "Request a refund for an invoice", examples: ["openmates settings billing invoices refund <invoice-id> --yes"] },
   { path: ["billing", "gift-card", "redeem"], description: "Redeem a gift card", examples: ["openmates settings billing gift-card redeem ABCD-1234"] },
   { path: ["billing", "gift-card", "list"], description: "List redeemed gift cards", examples: ["openmates settings billing gift-card list"] },
+  { path: ["billing", "gift-card", "buy", "bank-transfer"], description: "Buy a gift card by SEPA bank transfer", examples: ["openmates settings billing gift-card buy bank-transfer --credits 21000"] },
+  { path: ["billing", "gift-card", "purchase-status"], description: "Show gift-card bank-transfer purchase status", examples: ["openmates settings billing gift-card purchase-status <order-id>"] },
+  { path: ["billing", "gift-card", "purchased"], description: "List purchased unused gift cards", examples: ["openmates settings billing gift-card purchased"] },
   { path: ["billing", "auto-topup", "low-balance", "set"], description: "Configure low-balance auto top-up", examples: ["openmates settings billing auto-topup low-balance set --enabled true --amount 1000 --currency eur --email you@example.com"] },
   { path: ["notifications", "status"], description: "Show notification settings", examples: ["openmates settings notifications status --json"] },
   { path: ["notifications", "list"], description: "List recent notification events", examples: ["openmates settings notifications list --limit 20 --json"] },
@@ -8787,7 +9584,6 @@ var SETTINGS_EXECUTABLE_COMMANDS = [
 ];
 var SETTINGS_INFO_COMMANDS = [
   { path: ["account", "email"], description: "Email changes are web-only", webPath: "account/email", reason: "Email changes require a guided identity verification flow.", examples: ["openmates settings account email"] },
-  { path: ["account", "delete"], description: "Account deletion is web-only", webPath: "account/delete", reason: "Account deletion requires browser-based reauthentication and explicit confirmation.", examples: ["openmates settings account delete"] },
   { path: ["security"], description: "Security settings are web-only", webPath: "account/security", reason: "Security settings require browser APIs or high-risk reauthentication.", examples: ["openmates settings security"] },
   { path: ["security", "passkeys"], description: "Passkeys are web-only", webPath: "account/security/passkeys", reason: "Passkeys require WebAuthn browser APIs.", examples: ["openmates settings security passkeys"] },
   { path: ["security", "password"], description: "Password changes are web-only", webPath: "account/security/password", reason: "The CLI never asks for account credentials.", examples: ["openmates settings security password"] },
@@ -8969,9 +9765,9 @@ function parseYamlScalar(value) {
 }
 async function saveDownloadedDocument(document, output) {
   const { mkdir, writeFile } = await import("fs/promises");
-  const { join: join4, basename: basename2, dirname } = await import("path");
+  const { join: join4, basename: basename3, dirname } = await import("path");
   const target = typeof output === "string" ? output : ".";
-  const filename = basename2(document.filename || "document.pdf");
+  const filename = basename3(document.filename || "document.pdf");
   const filePath = target.endsWith(".pdf") ? target : join4(target, filename);
   await mkdir(dirname(filePath), { recursive: true });
   await writeFile(filePath, document.data);
@@ -9001,13 +9797,274 @@ function printMateInfo(mateId, json) {
 async function confirmOrExit(question) {
   const rl = await import("readline");
   const iface = rl.createInterface({ input: process.stdin, output: process.stdout });
-  const answer = await new Promise((resolve4) => iface.question(question, resolve4));
+  const answer = await new Promise((resolve5) => iface.question(question, resolve5));
   iface.close();
   if (answer.trim().toLowerCase() !== "y") {
     console.log("Aborted.");
     process.exit(0);
   }
 }
+async function promptLine(question) {
+  const rl = await import("readline");
+  const iface = rl.createInterface({ input: process.stdin, output: process.stdout });
+  const answer = await new Promise((resolve5) => iface.question(question, resolve5));
+  iface.close();
+  return answer.trim();
+}
+async function promptSecret(question) {
+  if (!process.stdin.isTTY) {
+    return promptLine(question);
+  }
+  return new Promise((resolve5) => {
+    const stdin2 = process.stdin;
+    const wasRaw = stdin2.isRaw;
+    let value = "";
+    process.stdout.write(question);
+    stdin2.setRawMode(true);
+    stdin2.resume();
+    const onData = (chunk) => {
+      const char = chunk.toString("utf8");
+      if (char === "\r" || char === "\n") {
+        stdin2.off("data", onData);
+        stdin2.setRawMode(wasRaw);
+        process.stdout.write("\n");
+        resolve5(value);
+        return;
+      }
+      if (char === "") {
+        stdin2.off("data", onData);
+        stdin2.setRawMode(wasRaw);
+        process.stdout.write("\n");
+        process.exit(130);
+      }
+      if (char === "\x7F" || char === "\b") {
+        value = value.slice(0, -1);
+        return;
+      }
+      value += char;
+    };
+    stdin2.on("data", onData);
+  });
+}
+async function writeSecretFile(filePath, content, force = false) {
+  const { mkdir, writeFile, stat: stat2 } = await import("fs/promises");
+  const { dirname } = await import("path");
+  try {
+    await stat2(filePath);
+    if (!force) throw new Error(`${filePath} already exists. Use --force to overwrite.`);
+  } catch (error) {
+    if (error instanceof Error && "code" in error && error.code !== "ENOENT") {
+      throw error;
+    }
+    if (error instanceof Error && !("code" in error)) throw error;
+  }
+  await mkdir(dirname(filePath), { recursive: true });
+  await writeFile(filePath, content, { mode: 384 });
+  return filePath;
+}
+async function generateProvisioningPassword() {
+  const { randomBytes: randomBytes3 } = await import("crypto");
+  return `OM-${randomBytes3(18).toString("base64url")}-aA2#`;
+}
+function decodeBase32(input) {
+  const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+  const cleaned = input.toUpperCase().replace(/[^A-Z2-7]/g, "");
+  let bits = "";
+  for (const char of cleaned) {
+    const value = alphabet.indexOf(char);
+    if (value >= 0) bits += value.toString(2).padStart(5, "0");
+  }
+  const bytes = [];
+  for (let index = 0; index + 8 <= bits.length; index += 8) {
+    bytes.push(Number.parseInt(bits.slice(index, index + 8), 2));
+  }
+  return Buffer.from(bytes);
+}
+async function generateTotpCode(secret) {
+  const { createHmac } = await import("crypto");
+  const counter = Math.floor(Date.now() / 1e3 / 30);
+  const counterBuffer = Buffer.alloc(8);
+  counterBuffer.writeBigUInt64BE(BigInt(counter));
+  const hmac = createHmac("sha1", decodeBase32(secret)).update(counterBuffer).digest();
+  const offset = hmac[hmac.length - 1] & 15;
+  const code = (hmac.readUInt32BE(offset) & 2147483647) % 1e6;
+  return String(code).padStart(6, "0");
+}
+async function runSecuritySetup(client, flags, options = {}) {
+  const result = {};
+  if (flags["skip-2fa"] === true) {
+    if (flags.yes !== true) await confirmOrExit("Skip 2FA setup? This weakens account protection. [y/N] ");
+  } else {
+    const setup = await client.startTotpSetup();
+    result.otpSecret = setup.secret ?? null;
+    if (setup.otpauth_url) client.renderTotpQrCode(setup.otpauth_url);
+    if (setup.secret) console.log(`Manual TOTP secret: ${setup.secret}`);
+    const code = typeof process.env.OPENMATES_CLI_SIGNUP_TOTP_CODE === "string" ? process.env.OPENMATES_CLI_SIGNUP_TOTP_CODE : options.autoGenerateTotp && setup.secret ? await generateTotpCode(setup.secret) : await promptLine("Enter current 2FA code: ");
+    await client.verifyTotpSetup(code);
+    const provider = typeof flags.provider === "string" ? flags.provider : "Authenticator app";
+    await client.setTotpProvider(provider);
+    const backup = await client.requestBackupCodes();
+    result.backupCodes = backup.backup_codes;
+    const backupOutput = typeof flags["backup-codes-output"] === "string" ? flags["backup-codes-output"] : void 0;
+    if (backupOutput) {
+      result.backupCodesPath = await writeSecretFile(backupOutput, `${backup.backup_codes.join("\n")}
+`, flags.force === true);
+      await client.confirmBackupCodesStored();
+    } else if (flags.yes === true) {
+      await client.confirmBackupCodesStored();
+    } else {
+      console.log("Backup codes:");
+      for (const backupCode of backup.backup_codes) console.log(`  ${backupCode}`);
+      await confirmOrExit("I stored these backup codes safely. Continue? [y/N] ");
+      await client.confirmBackupCodesStored();
+    }
+  }
+  if (flags["skip-recovery-key"] === true) {
+    if (flags.yes !== true) await confirmOrExit("Skip recovery-key setup? You may lose access to encrypted data. [y/N] ");
+  } else {
+    const recovery = await client.createAndConfirmRecoveryKey();
+    result.recoveryKey = recovery.recoveryKey;
+    const recoveryOutput = typeof flags["recovery-key-output"] === "string" ? flags["recovery-key-output"] : void 0;
+    if (recoveryOutput) {
+      result.recoveryKeyPath = await writeSecretFile(recoveryOutput, `${recovery.recoveryKey}
+`, flags.force === true);
+    } else {
+      console.log(`Recovery key: ${recovery.recoveryKey}`);
+      if (flags.yes !== true) await confirmOrExit("I stored this recovery key safely. Continue? [y/N] ");
+    }
+  }
+  return result;
+}
+async function handleSignup(client, flags, options = {}) {
+  if (flags.password !== void 0) {
+    throw new Error("Passwords must be entered through hidden prompts, not command-line flags.");
+  }
+  const email = typeof flags.email === "string" ? flags.email : await promptLine("Email: ");
+  const username = typeof flags.username === "string" ? flags.username : await promptLine("Username: ");
+  const inviteCode = typeof flags["invite-code"] === "string" ? flags["invite-code"] : "";
+  const language = typeof flags.language === "string" ? flags.language : "en";
+  const password = process.env.OPENMATES_CLI_SIGNUP_PASSWORD ?? await promptSecret("Password: ");
+  if (!process.env.OPENMATES_CLI_SIGNUP_PASSWORD) {
+    const confirmPassword = await promptSecret("Confirm password: ");
+    if (password !== confirmPassword) throw new Error("Passwords do not match.");
+  }
+  await client.requestSignupEmailCode({ email, inviteCode, language });
+  const emailCode = process.env.OPENMATES_CLI_SIGNUP_EMAIL_CODE ?? await promptLine("Email verification code: ");
+  await client.verifySignupEmailCode({ email, username, inviteCode, code: emailCode, language });
+  const signup = await client.setupPasswordAccount({ email, username, password, inviteCode, language });
+  const security = await runSecuritySetup(client, flags, options);
+  let giftCardResult = null;
+  if (typeof flags["gift-card-code"] === "string") {
+    giftCardResult = await client.redeemGiftCard(flags["gift-card-code"]);
+  }
+  const response = {
+    success: true,
+    user: signup.user ?? null,
+    backup_codes_path: security.backupCodesPath ?? null,
+    recovery_key_path: security.recoveryKeyPath ?? null,
+    gift_card: giftCardResult
+  };
+  if (flags.json === true) {
+    printJson2(response);
+  } else {
+    console.log("\x1B[32m\u2713\x1B[0m Account created and CLI session saved.");
+    if (security.backupCodesPath) console.log(`Backup codes saved to ${security.backupCodesPath}`);
+    if (security.recoveryKeyPath) console.log(`Recovery key saved to ${security.recoveryKeyPath}`);
+    console.log("Buy credits or redeem a gift card:");
+    console.log("  openmates settings billing buy-credits bank-transfer --credits 110000");
+    console.log("  openmates settings billing gift-card redeem <CODE>");
+  }
+  return {
+    user: signup.user ?? null,
+    backupCodesPath: security.backupCodesPath,
+    recoveryKeyPath: security.recoveryKeyPath,
+    security,
+    giftCard: giftCardResult
+  };
+}
+async function handleE2E(client, subcommand, rest, flags) {
+  if (subcommand !== "provision-auth-accounts") {
+    printE2EHelp();
+    return;
+  }
+  if (client.apiUrl.includes("api.openmates.org") && !client.apiUrl.includes("api.dev.openmates.org")) {
+    throw new Error("E2E provisioning refuses production API URLs.");
+  }
+  if (flags.password !== void 0) throw new Error("Use generated passwords or OPENMATES_CLI_SIGNUP_PASSWORD, not --password.");
+  const slot = parseRequiredNumber(flags.slot, "--slot");
+  if (![15, 17].includes(slot)) throw new Error("Only reserved slots 15 and 17 are supported.");
+  const artifact = typeof flags.artifact === "string" ? flags.artifact : `test-results/credential-updates/slot-${slot}.env`;
+  const domain = typeof flags.domain === "string" ? flags.domain : process.env.OPENMATES_CLI_E2E_EMAIL_DOMAIN;
+  const email = typeof flags.email === "string" ? flags.email : domain ? `cli-e2e-slot-${slot}-${Date.now()}@${domain}` : await promptLine("E2E account email: ");
+  const username = typeof flags.username === "string" ? flags.username : `cli_e2e_slot_${slot}_${Date.now()}`;
+  const generatedPassword = process.env.OPENMATES_CLI_SIGNUP_PASSWORD ?? await generateProvisioningPassword();
+  const originalSignupPassword = process.env.OPENMATES_CLI_SIGNUP_PASSWORD;
+  process.env.OPENMATES_CLI_SIGNUP_PASSWORD = generatedPassword;
+  let signup = null;
+  try {
+    signup = await handleSignup(client, {
+      ...flags,
+      email,
+      username,
+      yes: true,
+      json: false,
+      "backup-codes-output": typeof flags["backup-codes-output"] === "string" ? flags["backup-codes-output"] : `${artifact}.backup-codes`,
+      "recovery-key-output": typeof flags["recovery-key-output"] === "string" ? flags["recovery-key-output"] : `${artifact}.recovery-key`
+    }, { autoGenerateTotp: true });
+  } finally {
+    if (originalSignupPassword === void 0) delete process.env.OPENMATES_CLI_SIGNUP_PASSWORD;
+    else process.env.OPENMATES_CLI_SIGNUP_PASSWORD = originalSignupPassword;
+  }
+  if (!signup.security.otpSecret) throw new Error("Provisioning did not create a TOTP secret.");
+  const artifactBody = [
+    `OPENMATES_TEST_ACCOUNT_${slot}_EMAIL=${email}`,
+    `OPENMATES_TEST_ACCOUNT_${slot}_PASSWORD=${generatedPassword}`,
+    `OPENMATES_TEST_ACCOUNT_${slot}_OTP_KEY=${signup.security.otpSecret}`,
+    `# Backup codes: ${artifact}.backup-codes`,
+    `# Recovery key: ${artifact}.recovery-key`,
+    ""
+  ].join("\n");
+  const path = await writeSecretFile(artifact, artifactBody, flags.force === true);
+  if (flags.json === true) printJson2({ success: true, artifact: path, slot, email });
+  else console.log(`Provisioning artifact written to ${path}. Upload secrets through the trusted manual process.`);
+}
+function printBankTransferOrder(order, giftCard) {
+  header(giftCard ? "Gift Card Bank Transfer" : "Bank Transfer");
+  console.log(`Order ID: ${order.order_id}`);
+  console.log(`Credits: ${order.credits_amount}`);
+  console.log(`Amount: EUR ${order.amount_eur}`);
+  console.log(`Reference: ${order.reference}`);
+  console.log(`IBAN: ${order.iban}`);
+  console.log(`BIC: ${order.bic}`);
+  console.log(`Bank: ${order.bank_name}`);
+  console.log(`Account holder: ${order.account_holder_name}`);
+  if (order.account_holder_address_line1) console.log(`Address: ${order.account_holder_address_line1}`);
+  if (order.account_holder_address_line2) console.log(`         ${order.account_holder_address_line2}`);
+  if (order.account_holder_postal_code || order.account_holder_city) {
+    console.log(`         ${[order.account_holder_postal_code, order.account_holder_city].filter(Boolean).join(" ")}`);
+  }
+  if (order.account_holder_country) console.log(`         ${order.account_holder_country}`);
+  console.log(`Expires: ${order.expires_at}`);
+  console.log("\nInclude the exact reference in your bank transfer. Missing or changed references require manual review.");
+  if (giftCard) {
+    console.log(`Gift-card code appears after payment is matched: openmates settings billing gift-card purchase-status ${order.order_id}`);
+  } else {
+    console.log(`Check status: openmates settings billing bank-transfer status ${order.order_id}`);
+  }
+}
+function printBankTransferStatus(status, giftCard) {
+  header(giftCard ? "Gift Card Purchase Status" : "Bank Transfer Status");
+  console.log(`Order ID: ${status.order_id}`);
+  console.log(`Status: ${status.status}`);
+  console.log(`Credits: ${status.credits_amount}`);
+  console.log(`Amount: EUR ${status.amount_eur}`);
+  console.log(`Reference: ${status.reference}`);
+  console.log(`Expires: ${status.expires_at}`);
+  if (giftCard) {
+    const code = status.gift_card_code;
+    console.log(`Gift-card code: ${code || "available after payment is matched"}`);
+  }
+}
 function printSettingsInfoCommand(client, command, json) {
   const appUrl = deriveAppUrl(client.apiUrl);
   const webUrl = command.webPath ? `${appUrl}/#settings/${command.webPath}` : null;
@@ -9074,8 +10131,8 @@ async function handleSettings(client, subcommand, rest, flags) {
   if (matches(tokens, ["account", "import-chat"])) {
     const file = rest[1];
     if (!file) throw new Error("Missing import file. Example: openmates settings account import-chat ./chat.yml");
-    const { readFile } = await import("fs/promises");
-    const content = await readFile(file, "utf-8");
+    const { readFile: readFile2 } = await import("fs/promises");
+    const content = await readFile2(file, "utf-8");
     await printSettingsMutationResult(
       client.settingsPost("import-chat", parseChatImportPayload(content)),
       flags
@@ -9102,6 +10159,28 @@ async function handleSettings(client, subcommand, rest, flags) {
     await printSettingsResult(client.settingsGet("delete-account-preview"), flags);
     return;
   }
+  if (matches(tokens, ["account", "delete"])) {
+    if (flags["email-code"] !== void 0 || flags["totp-code"] !== void 0) {
+      throw new Error("Deletion verification codes must be entered through interactive prompts, not command-line flags.");
+    }
+    const preview = await client.settingsGet("delete-account-preview");
+    if (flags.json !== true) {
+      header("Delete Account Preview");
+      printGenericObject(preview);
+    }
+    if (flags.yes !== true) {
+      await confirmOrExit("Delete this account and all associated data? [y/N] ");
+    }
+    await client.requestDeleteAccountEmailCode();
+    const emailCode = await promptLine("Enter email verification code: ");
+    await client.verifyDeleteAccountEmailCode(emailCode);
+    const authMethods = await client.getAuthMethodsStatus();
+    const totpCode = authMethods.has_2fa ? await promptLine("Enter 2FA code: ") : void 0;
+    const result = await client.deleteAccountWithCliVerification(totpCode);
+    if (flags.json === true) printJson2(result);
+    else console.log("\x1B[32m\u2713\x1B[0m Account deletion requested and local CLI session cleared");
+    return;
+  }
   if (matches(tokens, ["account", "storage", "overview"])) {
     await printSettingsResult(client.settingsGet("storage"), flags);
     return;
@@ -9190,6 +10269,23 @@ async function handleSettings(client, subcommand, rest, flags) {
     await printSettingsResult(client.settingsGet("usage"), flags);
     return;
   }
+  if (matches(tokens, ["billing", "buy-credits", "bank-transfer"])) {
+    const credits = parseRequiredNumber(flags.credits, "--credits");
+    const order = await client.createBankTransferOrder(credits);
+    flags.json === true ? printJson2(order) : printBankTransferOrder(order, false);
+    return;
+  }
+  if (matches(tokens, ["billing", "bank-transfer", "status"])) {
+    const orderId = rest[2];
+    if (!orderId) throw new Error("Missing order ID.");
+    const status = await client.getBankTransferStatus(orderId);
+    flags.json === true ? printJson2(status) : printBankTransferStatus(status, false);
+    return;
+  }
+  if (matches(tokens, ["billing", "bank-transfer", "list"])) {
+    await printSettingsResult(client.listBankTransferOrders(), flags);
+    return;
+  }
   if (matches(tokens, ["billing", "invoices", "list"])) {
     await printSettingsResult(client.listInvoices(), flags);
     return;
@@ -9240,6 +10336,23 @@ async function handleSettings(client, subcommand, rest, flags) {
     await printSettingsResult(client.listRedeemedGiftCards(), flags);
     return;
   }
+  if (matches(tokens, ["billing", "gift-card", "buy", "bank-transfer"])) {
+    const credits = parseRequiredNumber(flags.credits, "--credits");
+    const order = await client.createGiftCardBankTransferOrder(credits);
+    flags.json === true ? printJson2(order) : printBankTransferOrder(order, true);
+    return;
+  }
+  if (matches(tokens, ["billing", "gift-card", "purchase-status"])) {
+    const orderId = rest[3];
+    if (!orderId) throw new Error("Missing order ID.");
+    const status = await client.getGiftCardPurchaseStatus(orderId);
+    flags.json === true ? printJson2(status) : printBankTransferStatus(status, true);
+    return;
+  }
+  if (matches(tokens, ["billing", "gift-card", "purchased"])) {
+    await printSettingsResult(client.listPurchasedGiftCards(), flags);
+    return;
+  }
   if (matches(tokens, ["billing", "auto-topup", "low-balance", "set"])) {
     const enabled = parseOnOff(String(flags.enabled ?? ""), "low-balance auto top-up");
     const amount = parseRequiredNumber(flags.amount, "--amount");
@@ -9552,12 +10665,12 @@ function parseArgs(argv) {
     const key = keyValue[0];
     const valueFromEquals = keyValue[1];
     if (valueFromEquals !== void 0) {
-      flags[key] = valueFromEquals;
+      flags[key] = appendFlagValue(flags[key], valueFromEquals);
       continue;
     }
     const next = argv[i + 1];
     if (next && !next.startsWith("--")) {
-      flags[key] = next;
+      flags[key] = appendFlagValue(flags[key], next);
       i += 1;
     } else {
       flags[key] = true;
@@ -9565,6 +10678,11 @@ function parseArgs(argv) {
   }
   return { positionals, flags };
 }
+function appendFlagValue(existing, value) {
+  if (typeof existing === "string" && existing.length > 0) return `${existing}
+${value}`;
+  return value;
+}
 function resolveApiKey(flags) {
   if (typeof flags["api-key"] === "string" && flags["api-key"].length > 0) {
     return flags["api-key"];
@@ -11168,6 +12286,7 @@ function printHelp() {
 
 Commands:
   openmates login                            Pair-auth login
+  openmates signup                           Create an account from the terminal
   openmates logout                           Log out and clear session
   openmates whoami [--json]                  Show account info
   openmates chats [--help]                   Chat commands (list, search, show, ...)
@@ -11179,6 +12298,7 @@ Commands:
   openmates newchatsuggestions [--limit <n>] [--json]   Personalized new chat suggestions
   openmates server [--help]                   Server management (install, start, stop, ...)
   openmates docs [--help]                     Browse, search, and download documentation
+  openmates e2e provision-auth-accounts       Provision local E2E auth-account artifacts
 
 Flags:
   --json          Output raw JSON instead of formatted output
@@ -11186,6 +12306,40 @@ Flags:
   --api-key <key> Optional API key override (or set OPENMATES_API_KEY)
   --help          Show contextual help for any command`);
 }
+function printSignupHelp() {
+  console.log(`Signup command:
+  openmates signup --email <email> --username <name> --invite-code <code>
+
+Creates a password account using client-side encrypted signup crypto. Passwords
+are entered through hidden prompts and cannot be passed with --password.
+
+Options:
+  --email <email>                    Email address; prompted when omitted
+  --username <name>                  Username; prompted when omitted
+  --invite-code <code>               Invite code when required
+  --gift-card-code <code>            Redeem after account creation
+  --backup-codes-output <path>       Save backup codes to a 0600 file
+  --recovery-key-output <path>       Save recovery key to a 0600 file
+  --skip-2fa                         Explicitly skip 2FA setup after warning
+  --skip-recovery-key                Explicitly skip recovery key after warning
+  --yes                              Confirm warning prompts
+  --json                             Output non-secret JSON summary`);
+}
+function printE2EHelp() {
+  console.log(`E2E provisioning command:
+  openmates e2e provision-auth-accounts --slot 15 --artifact ./test-results/credential-updates/slot-15.env --api-url https://api.dev.openmates.org
+
+Creates local ignored credential artifacts for reserved E2E auth accounts. The
+command refuses production API URLs and does not upload GitHub secrets.
+
+Options:
+  --slot <15|17>                     Reserved auth-account slot
+  --artifact <path>                  Output .env artifact path
+  --email <email>                    Test email; prompted/generated when omitted
+  --domain <mail-domain>             Generate email at this domain
+  --force                            Overwrite local artifact files
+  --yes                              Confirm prompts where possible`);
+}
 function printChatsHelp() {
   console.log(`Chats commands:
   openmates chats list [--limit <n>] [--page <n>] [--json]
@@ -11281,6 +12435,9 @@ function printAppsHelp() {
   openmates apps skill-info <app-id> <skill-id> [--json]
   openmates apps <app-id> <skill-id> "<query>" [--json]
   openmates apps <app-id> <skill-id> --input '<json>' [--json]
+  openmates apps code run --language python --code 'print("Hello")'
+  openmates apps code run --entry main.py --file main.py [--file requirements.txt]
+  openmates apps code run --entry main.py --dir ./project [--exclude node_modules]
   openmates apps travel booking-link --token "<token>" [--context '<json>']
 
 Authentication:
@@ -11293,6 +12450,7 @@ Examples:
   openmates apps web search "latest AI news"
   openmates apps news search "climate change"
   openmates apps ai ask "Summarise this: ..."
+  openmates apps code run --language python --filename hello.py --code 'print("Hello from CLI")'
   openmates apps travel search_connections --input '{"requests":[{"legs":[{"origin":"BER","destination":"LHR","date":"2026-04-15"}]}]}'
   openmates apps travel booking-link --token "<booking_token from search result>"
   openmates apps skill-info web search`);