thinkwork-cli 0.9.0 → 0.9.1

package/dist/cli.js

@@ -196,7 +196,7 @@ async function ensureWorkspace(cwd, stage) {
   }
 }
 function runTerraformRaw(cwd, args) {
-  return new Promise((resolve3, reject) => {
+  return new Promise((resolve4, reject) => {
     const proc = spawn("terraform", args, {
       cwd,
       stdio: ["pipe", "pipe", "pipe"]
@@ -206,13 +206,13 @@ function runTerraformRaw(cwd, args) {
     proc.stdout.on("data", (d) => stdout += d);
     proc.stderr.on("data", (d) => stderr += d);
     proc.on("close", (code) => {
-      if (code === 0) resolve3(stdout);
+      if (code === 0) resolve4(stdout);
       else reject(new Error(`terraform ${args.join(" ")} failed (exit ${code}): ${stderr}`));
     });
   });
 }
 function runTerraform(cwd, args) {
-  return new Promise((resolve3) => {
+  return new Promise((resolve4) => {
     console.log(`
   \u2192 terraform ${args.join(" ")}
 `);
@@ -220,7 +220,7 @@ function runTerraform(cwd, args) {
       cwd,
       stdio: "inherit"
     });
-    proc.on("close", (code) => resolve3(code ?? 1));
+    proc.on("close", (code) => resolve4(code ?? 1));
   });
 }
 async function ensureInit(cwd) {
@@ -427,6 +427,12 @@ function registerPlanCommand(program2) {
   });
 }
 
+// src/commands/deploy.ts
+import { spawn as spawn2 } from "child_process";
+import { existsSync as existsSync3 } from "fs";
+import { dirname as dirname2, resolve as pathResolve } from "path";
+import { fileURLToPath } from "url";
+
 // src/prompt.ts
 import { createInterface } from "readline";
 async function confirm(message) {
@@ -434,69 +440,125 @@ async function confirm(message) {
     input: process.stdin,
     output: process.stdout
   });
-  return new Promise((resolve3) => {
+  return new Promise((resolve4) => {
     rl.question(`${message} [y/N] `, (answer) => {
       rl.close();
-      resolve3(answer.toLowerCase() === "y" || answer.toLowerCase() === "yes");
+      resolve4(answer.toLowerCase() === "y" || answer.toLowerCase() === "yes");
     });
   });
 }
 
 // src/commands/deploy.ts
 function registerDeployCommand(program2) {
-  program2.command("deploy").description("Run terraform apply for a stage. Prompts for stage in a TTY when omitted.").option("-p, --profile <name>", "AWS profile").option("-s, --stage <name>", "Deployment stage").option("-c, --component <tier>", "Component tier (foundation|data|app|all)", "all").option("-y, --yes", "Skip interactive confirmation (for CI)").action(async (opts) => {
-    const startTime = Date.now();
-    try {
-      const stage = await resolveStage({ flag: opts.stage });
-      const compCheck = validateComponent(opts.component);
-      if (!compCheck.valid) {
-        printError(compCheck.error);
-        process.exit(1);
-      }
-      const identity = getAwsIdentity();
-      printHeader("deploy", stage, identity);
-      if (!identity) {
-        printWarning("Could not resolve AWS identity. Is the AWS CLI configured?");
-      }
-      if (isProdLike(stage) && !opts.yes) {
-        const ok = await confirm(`  Stage "${stage}" is production-like. Deploy?`);
-        if (!ok) {
-          console.log("  Aborted.");
-          process.exit(0);
+  program2.command("deploy").description(
+    "Run terraform apply for a stage. Prompts for stage in a TTY when omitted."
+  ).option("-p, --profile <name>", "AWS profile").option("-s, --stage <name>", "Deployment stage").option(
+    "-c, --component <tier>",
+    "Component tier (foundation|data|app|all)",
+    "all"
+  ).option("-y, --yes", "Skip interactive confirmation (for CI)").action(
+    async (opts) => {
+      const startTime = Date.now();
+      try {
+        const stage = await resolveStage({ flag: opts.stage });
+        const compCheck = validateComponent(opts.component);
+        if (!compCheck.valid) {
+          printError(compCheck.error);
+          process.exit(1);
         }
-      } else if (!opts.yes) {
-        const ok = await confirm(`  Deploy to stage "${stage}"?`);
-        if (!ok) {
-          console.log("  Aborted.");
-          process.exit(0);
+        const identity = getAwsIdentity();
+        printHeader("deploy", stage, identity);
+        if (!identity) {
+          printWarning(
+            "Could not resolve AWS identity. Is the AWS CLI configured?"
+          );
         }
-      }
-      const terraformDir = process.env.THINKWORK_TERRAFORM_DIR || process.cwd();
-      const tiers = expandComponent(opts.component);
-      for (let i = 0; i < tiers.length; i++) {
-        const tier = tiers[i];
-        printTierHeader(tier, i, tiers.length);
-        const cwd = resolveTierDir(terraformDir, stage, tier);
-        await ensureInit(cwd);
-        await ensureWorkspace(cwd, stage);
-        const code = await runTerraform(cwd, [
-          "apply",
-          "-auto-approve",
-          `-var=stage=${stage}`
-        ]);
-        if (code !== 0) {
-          printError(`Deploy failed for ${tier} (exit ${code})`);
-          process.exit(code);
+        if (isProdLike(stage) && !opts.yes) {
+          const ok = await confirm(
+            `  Stage "${stage}" is production-like. Deploy?`
+          );
+          if (!ok) {
+            console.log("  Aborted.");
+            process.exit(0);
+          }
+        } else if (!opts.yes) {
+          const ok = await confirm(`  Deploy to stage "${stage}"?`);
+          if (!ok) {
+            console.log("  Aborted.");
+            process.exit(0);
+          }
+        }
+        const terraformDir = process.env.THINKWORK_TERRAFORM_DIR || process.cwd();
+        const tiers = expandComponent(opts.component);
+        for (let i = 0; i < tiers.length; i++) {
+          const tier = tiers[i];
+          printTierHeader(tier, i, tiers.length);
+          const cwd = resolveTierDir(terraformDir, stage, tier);
+          await ensureInit(cwd);
+          await ensureWorkspace(cwd, stage);
+          const code = await runTerraform(cwd, [
+            "apply",
+            "-auto-approve",
+            `-var=stage=${stage}`
+          ]);
+          if (code !== 0) {
+            printError(`Deploy failed for ${tier} (exit ${code})`);
+            process.exit(code);
+          }
         }
+        printSuccess("Deploy complete");
+        await runPostDeployProbe(stage);
+        printSummary("deploy", stage, tiers, startTime);
+      } catch (err) {
+        if (isCancellation(err)) return;
+        throw err;
       }
-      printSuccess("Deploy complete");
-      printSummary("deploy", stage, tiers, startTime);
-    } catch (err) {
-      if (isCancellation(err)) return;
-      throw err;
     }
+  );
+}
+async function runPostDeployProbe(stage) {
+  const scriptPath = locatePostDeployScript();
+  if (!scriptPath) {
+    printWarning(
+      "post-deploy probe script not found \u2014 skipping AgentCore drift check"
+    );
+    return;
+  }
+  await new Promise((resolve4) => {
+    const proc = spawn2("bash", [scriptPath, "--stage", stage], {
+      stdio: "inherit",
+      env: process.env
+    });
+    proc.on("close", (code) => {
+      if (code !== 0) {
+        printWarning(
+          `post-deploy probe exited ${code} \u2014 deploy not rolled back`
+        );
+      }
+      resolve4();
+    });
+    proc.on("error", (err) => {
+      printWarning(`post-deploy probe spawn failed: ${err.message}`);
+      resolve4();
+    });
   });
 }
+function locatePostDeployScript() {
+  const here = dirname2(fileURLToPath(import.meta.url));
+  const candidates = [
+    pathResolve(here, "..", "..", "..", "..", "scripts", "post-deploy.sh"),
+    pathResolve(process.cwd(), "scripts", "post-deploy.sh"),
+    pathResolve(
+      process.env.THINKWORK_TERRAFORM_DIR || ".",
+      "scripts",
+      "post-deploy.sh"
+    )
+  ];
+  for (const candidate of candidates) {
+    if (existsSync3(candidate)) return candidate;
+  }
+  return null;
+}
 
 // src/commands/destroy.ts
 function registerDestroyCommand(program2) {
@@ -687,17 +749,17 @@ function registerOutputsCommand(program2) {
 }
 
 // src/commands/config.ts
-import { readFileSync as readFileSync3, writeFileSync as writeFileSync3, existsSync as existsSync4 } from "fs";
+import { readFileSync as readFileSync3, writeFileSync as writeFileSync3, existsSync as existsSync5 } from "fs";
 import chalk4 from "chalk";
 
 // src/environments.ts
-import { existsSync as existsSync3, mkdirSync as mkdirSync2, writeFileSync as writeFileSync2, readFileSync as readFileSync2, readdirSync } from "fs";
+import { existsSync as existsSync4, mkdirSync as mkdirSync2, writeFileSync as writeFileSync2, readFileSync as readFileSync2, readdirSync } from "fs";
 import { join as join2 } from "path";
 import { homedir as homedir2 } from "os";
 var THINKWORK_HOME = join2(homedir2(), ".thinkwork");
 var ENVIRONMENTS_DIR = join2(THINKWORK_HOME, "environments");
 function ensureDir(dir) {
-  if (!existsSync3(dir)) mkdirSync2(dir, { recursive: true });
+  if (!existsSync4(dir)) mkdirSync2(dir, { recursive: true });
 }
 function saveEnvironment(config) {
   ensureDir(ENVIRONMENTS_DIR);
@@ -710,13 +772,13 @@ function saveEnvironment(config) {
 }
 function loadEnvironment(stage) {
   const configPath = join2(ENVIRONMENTS_DIR, stage, "config.json");
-  if (!existsSync3(configPath)) return null;
+  if (!existsSync4(configPath)) return null;
   return JSON.parse(readFileSync2(configPath, "utf-8"));
 }
 function listEnvironments() {
-  if (!existsSync3(ENVIRONMENTS_DIR)) return [];
+  if (!existsSync4(ENVIRONMENTS_DIR)) return [];
   return readdirSync(ENVIRONMENTS_DIR).filter((name) => {
-    return existsSync3(join2(ENVIRONMENTS_DIR, name, "config.json"));
+    return existsSync4(join2(ENVIRONMENTS_DIR, name, "config.json"));
   }).map((name) => {
     return JSON.parse(
       readFileSync2(join2(ENVIRONMENTS_DIR, name, "config.json"), "utf-8")
@@ -725,19 +787,19 @@ function listEnvironments() {
 }
 function resolveTerraformDir(stage) {
   const env = loadEnvironment(stage);
-  if (env?.terraformDir && existsSync3(env.terraformDir)) {
+  if (env?.terraformDir && existsSync4(env.terraformDir)) {
     return env.terraformDir;
   }
   const envVar = process.env.THINKWORK_TERRAFORM_DIR;
-  if (envVar && existsSync3(envVar)) return envVar;
+  if (envVar && existsSync4(envVar)) return envVar;
   const cwdTf = join2(process.cwd(), "terraform");
-  if (existsSync3(join2(cwdTf, "main.tf"))) return cwdTf;
+  if (existsSync4(join2(cwdTf, "main.tf"))) return cwdTf;
   return null;
 }
 
 // src/commands/config.ts
 function readTfVar(tfvarsPath, key) {
-  if (!existsSync4(tfvarsPath)) return null;
+  if (!existsSync5(tfvarsPath)) return null;
   const content = readFileSync3(tfvarsPath, "utf-8");
   const quoted = content.match(new RegExp(`^${key}\\s*=\\s*"([^"]*)"`, "m"));
   if (quoted) return quoted[1];
@@ -746,7 +808,7 @@ function readTfVar(tfvarsPath, key) {
 }
 var BARE_KEYS = /* @__PURE__ */ new Set(["enable_hindsight"]);
 function setTfVar(tfvarsPath, key, value) {
-  if (!existsSync4(tfvarsPath)) {
+  if (!existsSync5(tfvarsPath)) {
     throw new Error(`terraform.tfvars not found at ${tfvarsPath}`);
   }
   let content = readFileSync3(tfvarsPath, "utf-8");
@@ -766,7 +828,7 @@ function resolveTfvarsPath(stage) {
   const tfDir = resolveTerraformDir(stage);
   if (tfDir) {
     const direct = `${tfDir}/terraform.tfvars`;
-    if (existsSync4(direct)) return direct;
+    if (existsSync5(direct)) return direct;
   }
   const terraformDir = process.env.THINKWORK_TERRAFORM_DIR || process.cwd();
   const cwd = resolveTierDir(terraformDir, stage, "app");
@@ -793,7 +855,7 @@ function registerConfigCommand(program2) {
       console.log(`  ${chalk4.bold("Updated:")}         ${env.updatedAt}`);
       console.log(chalk4.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
       const tfvarsPath = `${env.terraformDir}/terraform.tfvars`;
-      if (existsSync4(tfvarsPath)) {
+      if (existsSync5(tfvarsPath)) {
         console.log("");
         console.log(chalk4.dim("  terraform.tfvars:"));
         const content = readFileSync3(tfvarsPath, "utf-8");
@@ -914,28 +976,28 @@ function registerConfigCommand(program2) {
 }
 
 // src/commands/bootstrap.ts
-import { spawn as spawn2 } from "child_process";
+import { spawn as spawn3 } from "child_process";
 import { resolve } from "path";
 function getTerraformOutput(cwd, key) {
-  return new Promise((resolve3, reject) => {
-    const proc = spawn2("terraform", ["output", "-raw", key], {
+  return new Promise((resolve4, reject) => {
+    const proc = spawn3("terraform", ["output", "-raw", key], {
       cwd,
       stdio: ["pipe", "pipe", "pipe"]
     });
     let stdout = "";
     proc.stdout.on("data", (d) => stdout += d);
     proc.on("close", (code) => {
-      if (code === 0) resolve3(stdout.trim());
+      if (code === 0) resolve4(stdout.trim());
       else reject(new Error(`terraform output ${key} failed (exit ${code})`));
     });
   });
 }
 function runScript(scriptPath, args) {
-  return new Promise((resolve3) => {
-    const proc = spawn2("bash", [scriptPath, ...args], {
+  return new Promise((resolve4) => {
+    const proc = spawn3("bash", [scriptPath, ...args], {
       stdio: "inherit"
     });
-    proc.on("close", (code) => resolve3(code ?? 1));
+    proc.on("close", (code) => resolve4(code ?? 1));
   });
 }
 function registerBootstrapCommand(program2) {
@@ -990,7 +1052,7 @@ import { select as select2, Separator } from "@inquirer/prompts";
 import chalk7 from "chalk";
 
 // src/aws-profiles.ts
-import { existsSync as existsSync5, readFileSync as readFileSync4 } from "fs";
+import { existsSync as existsSync6, readFileSync as readFileSync4 } from "fs";
 import { homedir as homedir3 } from "os";
 import { join as join3 } from "path";
 var CREDENTIALS_PATH = join3(homedir3(), ".aws", "credentials");
@@ -1033,7 +1095,7 @@ function classify(fields) {
 }
 function listAwsProfiles() {
   const byName = /* @__PURE__ */ new Map();
-  if (existsSync5(CREDENTIALS_PATH)) {
+  if (existsSync6(CREDENTIALS_PATH)) {
     const sections = parseIni(readFileSync4(CREDENTIALS_PATH, "utf-8"));
     for (const [section, fields] of Object.entries(sections)) {
       byName.set(section, {
@@ -1043,7 +1105,7 @@ function listAwsProfiles() {
       });
     }
   }
-  if (existsSync5(CONFIG_PATH)) {
+  if (existsSync6(CONFIG_PATH)) {
     const sections = parseIni(readFileSync4(CONFIG_PATH, "utf-8"));
     for (const [section, fields] of Object.entries(sections)) {
       const name = normalizeConfigSection(section);
@@ -1271,7 +1333,7 @@ function discoverCognitoConfig(stage, region) {
 // src/cognito-oauth.ts
 import { createServer } from "http";
 import { randomBytes } from "crypto";
-import { spawn as spawn3 } from "child_process";
+import { spawn as spawn4 } from "child_process";
 import chalk6 from "chalk";
 var CLI_LOOPBACK_PORT = 42010;
 var CALLBACK_PATH = "/callback";
@@ -1310,7 +1372,7 @@ function buildAuthorizeUrl(cognito, redirectUri, state) {
   return `${cognito.domainUrl}/oauth2/authorize?${params.toString()}`;
 }
 function waitForCallbackCode(opts) {
-  return new Promise((resolve3, reject) => {
+  return new Promise((resolve4, reject) => {
     const server = createServer((req, res) => handleRequest(req, res));
     let finished = false;
     const finish = (err, code) => {
@@ -1321,7 +1383,7 @@ function waitForCallbackCode(opts) {
       closer.closeAllConnections?.();
       server.close(() => {
         if (err) reject(err);
-        else resolve3(code);
+        else resolve4(code);
       });
     };
     const timer = setTimeout(() => {
@@ -1450,7 +1512,7 @@ function openInBrowser(url) {
   const cmd = platform2 === "darwin" ? "open" : platform2 === "win32" ? "cmd" : "xdg-open";
   const args = platform2 === "win32" ? ["/c", "start", "", url] : [url];
   try {
-    spawn3(cmd, args, { stdio: "ignore", detached: true }).unref();
+    spawn4(cmd, args, { stdio: "ignore", detached: true }).unref();
   } catch {
   }
 }
@@ -1512,10 +1574,10 @@ function escapeHtml(s) {
 // src/commands/login.ts
 function ask(prompt) {
   const rl = createInterface2({ input: process.stdin, output: process.stdout });
-  return new Promise((resolve3) => {
+  return new Promise((resolve4) => {
     rl.question(prompt, (answer) => {
       rl.close();
-      resolve3(answer.trim());
+      resolve4(answer.trim());
     });
   });
 }
@@ -1994,20 +2056,20 @@ Examples:
 }
 
 // src/commands/init.ts
-import { existsSync as existsSync7, mkdirSync as mkdirSync4, writeFileSync as writeFileSync4, cpSync } from "fs";
-import { resolve as resolve2, join as join5, dirname as dirname2 } from "path";
+import { existsSync as existsSync8, mkdirSync as mkdirSync4, writeFileSync as writeFileSync4, cpSync } from "fs";
+import { resolve as resolve2, join as join5, dirname as dirname3 } from "path";
 import { execSync as execSync7 } from "child_process";
-import { fileURLToPath } from "url";
+import { fileURLToPath as fileURLToPath2 } from "url";
 import { createInterface as createInterface3 } from "readline";
 import chalk8 from "chalk";
-var __dirname = dirname2(fileURLToPath(import.meta.url));
+var __dirname = dirname3(fileURLToPath2(import.meta.url));
 function ask2(prompt, defaultVal = "") {
   const rl = createInterface3({ input: process.stdin, output: process.stdout });
   const suffix = defaultVal ? chalk8.dim(` [${defaultVal}]`) : "";
-  return new Promise((resolve3) => {
+  return new Promise((resolve4) => {
     rl.question(`  ${prompt}${suffix}: `, (answer) => {
       rl.close();
-      resolve3(answer.trim() || defaultVal);
+      resolve4(answer.trim() || defaultVal);
     });
   });
 }
@@ -2025,9 +2087,9 @@ function generateSecret(length = 32) {
 }
 function findBundledTerraform() {
   const bundled = resolve2(__dirname, "terraform");
-  if (existsSync7(join5(bundled, "modules"))) return bundled;
+  if (existsSync8(join5(bundled, "modules"))) return bundled;
   const repoTf = resolve2(__dirname, "..", "..", "..", "terraform");
-  if (existsSync7(join5(repoTf, "modules"))) return repoTf;
+  if (existsSync8(join5(repoTf, "modules"))) return repoTf;
   throw new Error(
     "Terraform modules not found. The CLI package may be incomplete.\nTry reinstalling: npm install -g thinkwork-cli@latest"
   );
@@ -2087,9 +2149,9 @@ function registerInitCommand(program2) {
         printError("Stage name is required. Pass -s <name> or re-run in an interactive terminal.");
         process.exit(1);
       }
-      const { input: input5 } = await import("@inquirer/prompts");
+      const { input: input4 } = await import("@inquirer/prompts");
       try {
-        stage = await input5({
+        stage = await input4({
           message: "Stage name (e.g. dev, staging, prod):",
           validate: (v) => validateStage(v).error ?? true
         });
@@ -2119,7 +2181,7 @@ function registerInitCommand(program2) {
     const targetDir = resolve2(opts.dir);
     const tfDir = join5(targetDir, "terraform");
     const tfvarsPath = join5(tfDir, "terraform.tfvars");
-    if (existsSync7(tfvarsPath)) {
+    if (existsSync8(tfvarsPath)) {
       printWarning(`terraform.tfvars already exists at ${tfvarsPath}`);
       const overwrite = await ask2("Overwrite?", "N");
       if (overwrite.toLowerCase() !== "y") {
@@ -2189,18 +2251,18 @@ function registerInitCommand(program2) {
     for (const dir of copyDirs) {
       const src = join5(bundledTf, dir);
       const dst = join5(tfDir, dir);
-      if (existsSync7(src) && !existsSync7(dst)) {
+      if (existsSync8(src) && !existsSync8(dst)) {
         cpSync(src, dst, { recursive: true });
       }
     }
     const schemaPath = join5(bundledTf, "schema.graphql");
-    if (existsSync7(schemaPath) && !existsSync7(join5(tfDir, "schema.graphql"))) {
+    if (existsSync8(schemaPath) && !existsSync8(join5(tfDir, "schema.graphql"))) {
       cpSync(schemaPath, join5(tfDir, "schema.graphql"));
     }
     const tfvars = buildTfvars(config);
     writeFileSync4(tfvarsPath, tfvars);
     const mainTfPath = join5(tfDir, "main.tf");
-    if (!existsSync7(mainTfPath)) {
+    if (!existsSync8(mainTfPath)) {
       writeFileSync4(mainTfPath, `################################################################################
 # Thinkwork \u2014 ${config.stage}
 # Generated by: thinkwork init -s ${config.stage}
@@ -2628,12 +2690,13 @@ and AgentCore for per-stage detail.
 
 // src/commands/mcp.ts
 import chalk10 from "chalk";
+import { createClient, adminKeys, AdminOpsError } from "@thinkwork/admin-ops";
 
 // src/api-client.ts
-import { readFileSync as readFileSync5, existsSync as existsSync8 } from "fs";
+import { readFileSync as readFileSync5, existsSync as existsSync9 } from "fs";
 import { execSync as execSync9 } from "child_process";
 function readTfVar2(tfvarsPath, key) {
-  if (!existsSync8(tfvarsPath)) return null;
+  if (!existsSync9(tfvarsPath)) return null;
   const content = readFileSync5(tfvarsPath, "utf-8");
   const match = content.match(new RegExp(`^${key}\\s*=\\s*"([^"]*)"`, "m"));
   return match ? match[1] : null;
@@ -2642,7 +2705,7 @@ function resolveTfvarsPath2(stage) {
   const tfDir = resolveTerraformDir(stage);
   if (tfDir) {
     const direct = `${tfDir}/terraform.tfvars`;
-    if (existsSync8(direct)) return direct;
+    if (existsSync9(direct)) return direct;
   }
   const terraformDir = process.env.THINKWORK_TERRAFORM_DIR || process.cwd();
   const cwd = resolveTierDir(terraformDir, stage, "app");
@@ -2949,14 +3012,14 @@ Examples:
   $ thinkwork mcp add my-tools --url https://mcp.example.com/crm \\
       --auth-type tenant_api_key --api-key sk-abc -s dev -t acme
 
-  # OAuth connector (users connect from the mobile app)
-  $ thinkwork mcp add lastmile --url https://dev-mcp.lastmile-tei.com/crm \\
-      --auth-type per_user_oauth --oauth-provider lastmile -s dev -t acme
+  # OAuth-backed MCP integration (users connect from the mobile app)
+  $ thinkwork mcp add crm-tools --url https://mcp.example.com/crm \\
+      --auth-type per_user_oauth --oauth-provider crm_provider -s dev -t acme
 `
   ).action(
     async (nameArg, opts) => {
       try {
-        const { input: input5 } = await import("@inquirer/prompts");
+        const { input: input4 } = await import("@inquirer/prompts");
         const { stage, api, tenant } = await resolveMcpContext(opts);
         let name = nameArg;
         if (!name) {
@@ -2964,7 +3027,7 @@ Examples:
             printError("Name is required. Pass it as a positional arg.");
             process.exit(1);
           }
-          name = await input5({ message: "Server name:" });
+          name = await input4({ message: "Server name:" });
         }
         let url = opts.url;
         if (!url) {
@@ -2972,7 +3035,7 @@ Examples:
             printError("--url is required. Pass it as a flag.");
             process.exit(1);
           }
-          url = await input5({
+          url = await input4({
             message: "MCP server URL:",
             validate: (v) => v.startsWith("http://") || v.startsWith("https://") ? true : "URL must start with http:// or https://"
           });
@@ -3006,13 +3069,13 @@ Examples:
     `
 Examples:
   # Change URL in place (preserves agent assignments, unlike remove + re-add)
-  $ thinkwork mcp update lastmile-routing --url https://dev-mcp.lastmile-tei.com/routing
+  $ thinkwork mcp update routing-server --url https://mcp.example.com/routing
 
   # Disable without deleting
-  $ thinkwork mcp update lastmile-routing --disable
+  $ thinkwork mcp update routing-server --disable
 
   # Rename + change transport
-  $ thinkwork mcp update 629dcee1-1e14-4b83-9907-cb529e6035f6 --name "LastMile Routing" --transport sse
+  $ thinkwork mcp update 629dcee1-1e14-4b83-9907-cb529e6035f6 --name "Routing Server" --transport sse
 
   # Interactive \u2014 pick the server from a list
   $ thinkwork mcp update
@@ -3065,7 +3128,7 @@ Examples:
   $ thinkwork mcp remove
 
   # By slug (case-insensitive)
-  $ thinkwork mcp remove lastmile-routing
+  $ thinkwork mcp remove routing-server
 
   # By UUID (from \`mcp list\` or --json)
   $ thinkwork mcp remove 629dcee1-1e14-4b83-9907-cb529e6035f6
@@ -3132,7 +3195,7 @@ Examples:
   ).option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("--agent <id>", "Agent ID").action(
     async (mcpServerArg, opts) => {
       try {
-        const { input: input5 } = await import("@inquirer/prompts");
+        const { input: input4 } = await import("@inquirer/prompts");
         const { api, tenant } = await resolveMcpContext(opts);
         const server = await resolveServer(mcpServerArg, api, tenant.slug);
         let agent = opts.agent;
@@ -3141,7 +3204,7 @@ Examples:
             printError("--agent is required. Pass it as a flag.");
             process.exit(1);
           }
-          agent = await input5({ message: "Agent ID:" });
+          agent = await input4({ message: "Agent ID:" });
         }
         const result = await apiFetch(
           api.apiUrl,
@@ -3164,7 +3227,7 @@ Examples:
   ).option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("--agent <id>", "Agent ID").action(
     async (mcpServerArg, opts) => {
       try {
-        const { input: input5 } = await import("@inquirer/prompts");
+        const { input: input4 } = await import("@inquirer/prompts");
         const { api, tenant } = await resolveMcpContext(opts);
         const server = await resolveServer(mcpServerArg, api, tenant.slug);
         let agent = opts.agent;
@@ -3173,7 +3236,7 @@ Examples:
             printError("--agent is required. Pass it as a flag.");
             process.exit(1);
           }
-          agent = await input5({ message: "Agent ID:" });
+          agent = await input4({ message: "Agent ID:" });
         }
         await apiFetch(
           api.apiUrl,
@@ -3189,6 +3252,175 @@ Examples:
       }
     }
   );
+  const key = mcp.command("key").alias("keys").description("Manage per-tenant Bearer tokens for the admin-ops MCP server.");
+  key.command("create").description(
+    "Generate a new MCP admin token. Prints the raw token ONCE \u2014 save it immediately."
+  ).option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug or UUID").option("--name <label>", 'Human label for the key (default "default")').addHelpText(
+    "after",
+    `
+Examples:
+  $ thinkwork mcp key create -t acme --name ci
+  $ thinkwork mcp key create -t acme --json   # token surfaces under .token
+
+The token is shown ONCE. Hand it to the MCP client immediately; the server
+stores only the SHA-256 hash. To rotate, create a new one and revoke the
+old one.
+`
+  ).action(async (opts) => {
+    try {
+      const ctx = await resolveMcpContext(opts);
+      const client = createClient({
+        apiUrl: ctx.api.apiUrl,
+        authSecret: ctx.api.authSecret
+      });
+      const created = await adminKeys.createAdminKey(client, ctx.tenant.slug, {
+        name: opts.name
+      });
+      printJson(created);
+      printWarning("This token will NOT be shown again. Copy it now.");
+      printSuccess(`MCP admin key created: ${chalk10.bold(created.name)} (${created.id})`);
+      console.log(`  ${chalk10.dim("Token:")} ${chalk10.cyan(created.token)}`);
+    } catch (err) {
+      if (isCancellation(err)) return;
+      printError(err instanceof Error ? err.message : String(err));
+      process.exit(1);
+    }
+  });
+  key.command("list").alias("ls").description("List MCP admin keys for a tenant (metadata only, never the raw token).").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug or UUID").option("--all", "Include revoked keys").action(async (opts) => {
+    try {
+      const ctx = await resolveMcpContext(opts);
+      const client = createClient({
+        apiUrl: ctx.api.apiUrl,
+        authSecret: ctx.api.authSecret
+      });
+      const all = await adminKeys.listAdminKeys(client, ctx.tenant.slug);
+      const rows = opts.all ? all : all.filter((k) => !k.revoked_at);
+      printJson(rows);
+      printTable(rows, [
+        { key: "name", header: "NAME" },
+        { key: "id", header: "ID" },
+        { key: "created_at", header: "CREATED" },
+        { key: "last_used_at", header: "LAST USED" },
+        { key: "revoked_at", header: "REVOKED" }
+      ]);
+    } catch (err) {
+      if (isCancellation(err)) return;
+      printError(err instanceof Error ? err.message : String(err));
+      process.exit(1);
+    }
+  });
+  key.command("revoke <id>").description("Revoke an MCP admin key. Idempotent \u2014 revoking an already-revoked key is a no-op.").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug or UUID").action(async (keyId, opts) => {
+    try {
+      const ctx = await resolveMcpContext(opts);
+      const client = createClient({
+        apiUrl: ctx.api.apiUrl,
+        authSecret: ctx.api.authSecret
+      });
+      await adminKeys.revokeAdminKey(client, ctx.tenant.slug, keyId);
+      printSuccess(`MCP admin key revoked: ${keyId}`);
+    } catch (err) {
+      if (err instanceof AdminOpsError && err.status === 404) {
+        printError(`Key ${keyId} not found for tenant ${opts.tenant ?? ""}`);
+        process.exit(2);
+      }
+      if (isCancellation(err)) return;
+      printError(err instanceof Error ? err.message : String(err));
+      process.exit(1);
+    }
+  });
+  mcp.command("provision").description(
+    "Provision the admin-ops MCP for a tenant: mint a new key + store in Secrets Manager + register in tenant_mcp_servers."
+  ).option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug or UUID (omit with --all)").option(
+    "--url <url>",
+    "Override the MCP endpoint URL (defaults to the stage's execute-api or MCP_CUSTOM_DOMAIN)"
+  ).option("--all", "Provision for every tenant the caller can see (backfill mode)").addHelpText(
+    "after",
+    `
+Examples:
+  # One tenant (interactive picker or -t)
+  $ thinkwork mcp provision -t acme
+
+  # Explicit custom-domain URL
+  $ thinkwork mcp provision -t acme --url https://mcp.thinkwork.ai/mcp/admin
+
+  # Backfill every tenant at once
+  $ thinkwork mcp provision --all
+
+The raw token is stored in Secrets Manager and duplicated into
+tenant_mcp_servers.auth_config \u2014 it is NOT printed on stdout. After
+provisioning, each agent still needs the server assigned via the admin
+SPA (or a future \`thinkwork mcp assign\` CLI pass).
+`
+  ).action(async (opts) => {
+    try {
+      if (opts.all && opts.tenant) {
+        printError("--all and --tenant are mutually exclusive.");
+        process.exit(1);
+      }
+      const stage = await resolveStage({ flag: opts.stage });
+      const api = resolveApiConfig(stage);
+      if (!api) process.exit(1);
+      async function provisionOne(tenantIdOrSlug, label) {
+        const res = await apiFetch(
+          api.apiUrl,
+          api.authSecret,
+          `/api/tenants/${encodeURIComponent(tenantIdOrSlug)}/mcp-admin-provision`,
+          {
+            method: "POST",
+            body: JSON.stringify(opts.url ? { url: opts.url } : {})
+          }
+        );
+        printSuccess(
+          `${label}: ${res.provisioned} (tenant_mcp_servers.id=${res.tenantMcpServerId}, url=${res.url})`
+        );
+        return res;
+      }
+      if (opts.all) {
+        const tenantRows = await apiFetch(
+          api.apiUrl,
+          api.authSecret,
+          "/api/tenants",
+          {}
+        );
+        if (!Array.isArray(tenantRows) || tenantRows.length === 0) {
+          printWarning("No tenants found.");
+          return;
+        }
+        printHeader("mcp provision --all", stage);
+        const results = [];
+        for (const t of tenantRows) {
+          try {
+            await provisionOne(t.slug, `${t.name} (${t.slug})`);
+            results.push({ slug: t.slug, ok: true });
+          } catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            printError(`  \u2717 ${t.slug}: ${msg}`);
+            results.push({ slug: t.slug, ok: false, reason: msg });
+          }
+        }
+        const ok = results.filter((r) => r.ok).length;
+        const bad = results.length - ok;
+        if (bad === 0) {
+          printSuccess(`All ${ok} tenants provisioned.`);
+        } else {
+          printWarning(`${ok}/${results.length} succeeded; ${bad} failed.`);
+          process.exit(1);
+        }
+        return;
+      }
+      const tenant = await resolveTenantRest({
+        flag: opts.tenant,
+        stage,
+        apiUrl: api.apiUrl,
+        authSecret: api.authSecret
+      });
+      await provisionOne(tenant.slug, tenant.slug);
+    } catch (err) {
+      if (isCancellation(err)) return;
+      printError(err instanceof Error ? err.message : String(err));
+      process.exit(1);
+    }
+  });
 }
 
 // src/commands/tools.ts
@@ -3463,11 +3695,11 @@ function registerUpdateCommand(program2) {
 }
 
 // src/commands/user.ts
-import { spawn as spawn4 } from "child_process";
+import { spawn as spawn5 } from "child_process";
 import { input as input2, select as select7 } from "@inquirer/prompts";
 function getTerraformOutput2(cwd, key) {
-  return new Promise((resolve3, reject) => {
-    const proc = spawn4("terraform", ["output", "-raw", key], {
+  return new Promise((resolve4, reject) => {
+    const proc = spawn5("terraform", ["output", "-raw", key], {
       cwd,
       stdio: ["pipe", "pipe", "pipe"]
     });
@@ -3476,7 +3708,7 @@ function getTerraformOutput2(cwd, key) {
     proc.stdout.on("data", (d) => stdout += d);
     proc.stderr.on("data", (d) => stderr += d);
     proc.on("close", (code) => {
-      if (code === 0) resolve3(stdout.trim());
+      if (code === 0) resolve4(stdout.trim());
       else
         reject(
           new Error(
@@ -3487,7 +3719,7 @@ function getTerraformOutput2(cwd, key) {
   });
 }
 function runAwsCognitoReset(userPoolId, username, region) {
-  return new Promise((resolve3) => {
+  return new Promise((resolve4) => {
     const args = [
       "cognito-idp",
       "admin-reset-user-password",
@@ -3499,12 +3731,12 @@ function runAwsCognitoReset(userPoolId, username, region) {
       "json"
     ];
     if (region) args.push("--region", region);
-    const proc = spawn4("aws", args, { stdio: ["ignore", "pipe", "pipe"] });
+    const proc = spawn5("aws", args, { stdio: ["ignore", "pipe", "pipe"] });
     let stdout = "";
     let stderr = "";
     proc.stdout.on("data", (d) => stdout += d);
     proc.stderr.on("data", (d) => stderr += d);
-    proc.on("close", (code) => resolve3({ code: code ?? 1, stdout, stderr }));
+    proc.on("close", (code) => resolve4({ code: code ?? 1, stdout, stderr }));
   });
 }
 function requireTty2(label) {
@@ -3785,9 +4017,8 @@ import { gql } from "@urql/core";
 
 // src/lib/gql-client.ts
 import {
-  Client,
-  cacheExchange,
-  fetchExchange
+  CombinedError,
+  stringifyDocument
 } from "@urql/core";
 
 // src/lib/resolve-auth.ts
@@ -3883,20 +4114,7 @@ async function getGqlClient(opts) {
   }
   const url = `${baseUrl.replace(/\/+$/, "")}/graphql`;
   const auth = await resolveAuth({ stage: opts.stage, region });
-  const client = new Client({
-    url,
-    exchanges: [cacheExchange, fetchExchange],
-    fetchOptions: () => ({
-      method: "POST",
-      headers: {
-        "content-type": "application/json",
-        ...auth.headers
-      }
-    }),
-    // CLI calls are short-lived and we want server truth on every run —
-    // bypass the in-memory cache to avoid stale reads between quick commands.
-    requestPolicy: "network-only"
-  });
+  const client = createCliGqlClient(url, auth.headers);
   return {
     client,
     url,
@@ -3904,14 +4122,95 @@ async function getGqlClient(opts) {
     tenantSlug: auth.tenantSlug
   };
 }
+function createCliGqlClient(url, headers) {
+  return {
+    query: (doc, variables) => ({
+      toPromise: () => executeGraphql(url, headers, doc, variables)
+    }),
+    mutation: (doc, variables) => ({
+      toPromise: () => executeGraphql(url, headers, doc, variables)
+    })
+  };
+}
 async function gqlQuery(client, doc, variables) {
-  const res = await client.query(doc, variables).toPromise();
+  const res = await client.query(serializeDocument(doc), variables).toPromise();
   return unwrap(res);
 }
 async function gqlMutate(client, doc, variables) {
-  const res = await client.mutation(doc, variables).toPromise();
+  const res = await client.mutation(serializeDocument(doc), variables).toPromise();
   return unwrap(res);
 }
+function serializeDocument(doc) {
+  return stringifyDocument(doc);
+}
+async function executeGraphql(url, headers, doc, variables) {
+  const query = serializeDocument(doc);
+  try {
+    const response = await fetch(url, {
+      method: "POST",
+      headers: {
+        "content-type": "application/json",
+        ...headers
+      },
+      body: JSON.stringify({ query, variables })
+    });
+    const text = await response.text();
+    let payload = {};
+    if (text) {
+      try {
+        payload = JSON.parse(text);
+      } catch {
+        return makeNetworkErrorResult(
+          `GraphQL request failed with non-JSON response: ${text}`,
+          response
+        );
+      }
+    }
+    if (payload.errors?.length) {
+      return {
+        data: payload.data,
+        error: new CombinedError({
+          graphQLErrors: payload.errors,
+          response
+        }),
+        extensions: payload.extensions,
+        stale: false,
+        hasNext: false
+      };
+    }
+    if (!response.ok) {
+      return makeNetworkErrorResult(
+        `GraphQL request failed with HTTP ${response.status}`,
+        response
+      );
+    }
+    return {
+      data: payload.data,
+      error: void 0,
+      extensions: payload.extensions,
+      stale: false,
+      hasNext: false
+    };
+  } catch (err) {
+    return {
+      error: new CombinedError({
+        networkError: err instanceof Error ? err : new Error(String(err))
+      }),
+      stale: false,
+      hasNext: false
+    };
+  }
+}
+function makeNetworkErrorResult(message, response) {
+  return {
+    error: new CombinedError({
+      networkError: new Error(message),
+      response
+    }),
+    stale: false,
+    hasNext: false
+  };
+}
 function unwrap(res) {
   if (res.error) {
     const msg = res.error.graphQLErrors.map((e) => e.message).filter(Boolean).join("; ") || res.error.networkError?.message || "GraphQL request failed";
@@ -4012,20 +4311,20 @@ function notYetImplemented(commandPath, phase) {
 // src/commands/thread.ts
 function registerThreadCommand(program2) {
   const thread = program2.command("thread").alias("threads").description(
-    "Create, list, update, and comment on threads (tasks, chats, bugs, questions) in a tenant."
+    "Create, list, update, and comment on threads in a tenant."
   );
-  thread.command("list").alias("ls").description("List threads in a tenant with optional filters.").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("--status <status>", "Filter: BACKLOG | TODO | IN_PROGRESS | IN_REVIEW | BLOCKED | DONE | CANCELLED").option("--priority <p>", "Filter: LOW | MEDIUM | HIGH | URGENT").option("--assignee <id>", "Filter by assignee (user or agent ID). Use `me` to match the caller.").option("--agent <id>", "Filter threads worked on by a specific agent").option("--search <q>", "Full-text search over title/body").option("--limit <n>", "Max rows (default 50)", "50").option("--archived", "Include archived threads").addHelpText(
+  thread.command("list").alias("ls").description("List threads in a tenant with optional filters.").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("--assignee <id>", "Filter by assignee (user or agent ID). Use `me` to match the caller.").option("--agent <id>", "Filter threads worked on by a specific agent").option("--search <q>", "Full-text search over thread titles").option("--limit <n>", "Max rows (default 50)", "50").option("--archived", "Include archived threads").addHelpText(
     "after",
     `
 Examples:
-  # Open work on the default stage/tenant
-  $ thinkwork thread list --status IN_PROGRESS
-
-  # Pipe to jq
-  $ thinkwork thread list --json | jq '.[] | select(.priority=="URGENT")'
-
   # Everything assigned to me
   $ thinkwork thread list --assignee me
+
+  # Limit + JSON for piping
+  $ thinkwork thread list --limit 100 --json | jq '.[] | .title'
+
+  # Archived threads only
+  $ thinkwork thread list --archived
 `
   ).action(() => notYetImplemented("thread list", 1));
   thread.command("get <idOrNumber>").description("Fetch one thread by ID or by its tenant-scoped issue number.").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").addHelpText(
@@ -4037,38 +4336,29 @@ Examples:
   $ thinkwork thread get 42 --json | jq .assignee
 `
   ).action(() => notYetImplemented("thread get", 1));
-  thread.command("create [title]").description("Create a new thread. Prompts for missing fields when running in a TTY.").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("--type <type>", "TASK | CHAT | BUG | QUESTION", "TASK").option("--priority <p>", "LOW | MEDIUM | HIGH | URGENT", "MEDIUM").option("--assignee <id>", "Assign on create (user or agent ID)").option("--body <text>", "Description body (markdown)").option("--due <iso>", "Due date as ISO-8601").option("--label <name...>", "Attach label(s) by name (repeatable)").addHelpText(
+  thread.command("create [title]").description("Create a new thread. Prompts for missing fields when running in a TTY.").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("--assignee <id>", "Assign on create (user or agent ID)").option("--due <iso>", "Due date as ISO-8601").option("--label <name...>", "Attach label(s) by name (repeatable)").addHelpText(
     "after",
     `
 Examples:
-  # Fully interactive \u2014 walkthrough prompts for title, type, priority, assignee.
+  # Fully interactive \u2014 walkthrough prompts for title and assignee.
   $ thinkwork thread create
 
   # Scripted
   $ thinkwork thread create "Investigate latency spike" \\
-      --priority HIGH --assignee agt-obs-1 --label ops --label oncall
+      --assignee agt-obs-1 --label ops --label oncall
 
   # Mix: pass the title, prompt for the rest.
   $ thinkwork thread create "Investigate latency spike"
 `
   ).action(() => notYetImplemented("thread create", 1));
-  thread.command("update <id>").description("Update a thread's title, status, priority, assignee, labels, or due date.").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("--title <t>", "Rename").option("--status <s>", "Move to a new status").option("--priority <p>", "LOW | MEDIUM | HIGH | URGENT").option("--assignee <id>", "Reassign (user or agent ID)").option("--due <iso>", "Due date").option("--body <text>", "Replace description body").addHelpText(
+  thread.command("update <id>").description("Update a thread's title, assignee, labels, or due date.").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("--title <t>", "Rename").option("--assignee <id>", "Reassign (user or agent ID)").option("--due <iso>", "Due date").addHelpText(
     "after",
     `
 Examples:
-  $ thinkwork thread update thr-abc --status IN_REVIEW
-  $ thinkwork thread update thr-abc --assignee agt-ops --priority URGENT
+  $ thinkwork thread update thr-abc --title "New title"
+  $ thinkwork thread update thr-abc --assignee agt-ops
 `
   ).action(() => notYetImplemented("thread update", 1));
-  thread.command("close <id>").description("Mark a thread DONE. Shortcut for `thread update <id> --status DONE`.").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("--comment <text>", "Add a closing comment").addHelpText(
-    "after",
-    `
-Examples:
-  $ thinkwork thread close thr-abc
-  $ thinkwork thread close thr-abc --comment "fixed in #124"
-`
-  ).action(() => notYetImplemented("thread close", 1));
-  thread.command("reopen <id>").description("Move a thread from DONE/CANCELLED back to TODO.").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").action(() => notYetImplemented("thread reopen", 1));
   thread.command("checkout <id>").description("Claim a thread so an agent can work it (locks other agents out).").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("--agent <id>", "Agent to check it out to (defaults to the caller)").addHelpText(
     "after",
     `
@@ -4076,7 +4366,7 @@ Examples:
   $ thinkwork thread checkout thr-abc --agent agt-fixer
 `
   ).action(() => notYetImplemented("thread checkout", 1));
-  thread.command("release <id>").description("Release a checked-out thread, optionally moving it to a new status.").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("--status <s>", "Status to release into").action(() => notYetImplemented("thread release", 1));
+  thread.command("release <id>").description("Release a checked-out thread (unlocks it so another agent can claim it).").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").action(() => notYetImplemented("thread release", 1));
   thread.command("comment <id> [content]").description("Add a comment to a thread. Prompts for content if omitted and TTY.").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("--file <path>", "Read comment content from a file (markdown)").addHelpText(
     "after",
     `
@@ -4262,6 +4552,216 @@ Examples:
   version.command("rollback <agentId> <versionId>").description("Restore an agent to a prior version. Creates a new version pointing at the old config.").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("-y, --yes", "Skip confirmation").action(() => notYetImplemented("agent version rollback", 2));
 }
 
+// src/commands/computer.ts
+import chalk14 from "chalk";
+async function resolveComputerContext(opts) {
+  const stage = await resolveStage({ flag: opts.stage });
+  const api = resolveApiConfig(stage);
+  if (!api) process.exit(1);
+  return { stage, api };
+}
+function resolveTenantId(opts) {
+  const tenantId = opts.tenant ?? opts.tenantId;
+  if (!tenantId) {
+    printError(
+      "Tenant ID is required. Pass --tenant <uuid> or --tenant-id <uuid>."
+    );
+    process.exit(1);
+  }
+  return tenantId;
+}
+function resolveComputerId(opts) {
+  const computerId = opts.computer ?? opts.computerId;
+  if (!computerId) {
+    printError(
+      "Computer ID is required. Pass --computer <uuid> or --computer-id <uuid>."
+    );
+    process.exit(1);
+  }
+  return computerId;
+}
+function resolveTaskType(opts) {
+  if (!opts.type?.trim()) {
+    printError("Task type is required. Pass --type <task-type>.");
+    process.exit(1);
+  }
+  return opts.type.trim().toLowerCase();
+}
+function printMigrationReport(response) {
+  printJson(response);
+  if (isJsonMode()) return;
+  if (!response.report) return;
+  const summary = response.report.summary ?? {};
+  console.log("");
+  console.log(chalk14.bold("  Summary"));
+  for (const [status, count] of Object.entries(summary)) {
+    if (!count) continue;
+    console.log(`  ${status.padEnd(28)} ${count}`);
+  }
+  const rows = (response.report.groups ?? []).map((group) => ({
+    owner: group.owner?.name ?? group.owner?.email ?? group.ownerUserId ?? "unpaired",
+    source: group.primaryAgent?.name ?? group.primaryAgentId ?? "\u2014",
+    template: group.primaryAgent?.templateName ?? "\u2014",
+    status: group.status,
+    action: group.recommendedAction ?? "\u2014",
+    reason: group.reasons?.[0] ?? "\u2014"
+  }));
+  console.log("");
+  printTable(rows, [
+    { key: "owner", header: "Owner" },
+    { key: "source", header: "Source Agent" },
+    { key: "template", header: "Template" },
+    { key: "status", header: "Status" },
+    { key: "action", header: "Action" },
+    { key: "reason", header: "Reason" }
+  ]);
+}
+function registerComputerCommand(program2) {
+  const computer = program2.command("computer").alias("computers").description("Manage ThinkWork Computers and migration operations");
+  const migration = computer.command("migration").description("Dry-run or apply Agent-to-Computer migration");
+  migration.command("dry-run").description("Inspect Agent-to-Computer migration candidates").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <uuid>", "Tenant ID").option("--tenant-id <uuid>", "Tenant ID").action(
+    async (opts) => {
+      const { stage, api } = await resolveComputerContext(opts);
+      const tenantId = resolveTenantId(opts);
+      if (!isJsonMode()) printHeader("computer migration dry-run", stage);
+      const response = await apiFetchRaw(
+        api.apiUrl,
+        api.authSecret,
+        "/api/migrations/agents-to-computers",
+        {
+          method: "POST",
+          body: JSON.stringify({ tenantId, mode: "dry-run" })
+        }
+      );
+      if (!response.ok) {
+        printJson(response.body);
+        printError(response.body.error ?? `HTTP ${response.status}`);
+        process.exit(1);
+      }
+      printMigrationReport(response.body);
+      if (!isJsonMode()) printSuccess("Computer migration dry-run complete");
+    }
+  );
+  migration.command("apply").description(
+    "Apply Agent-to-Computer migration after reviewing dry-run output"
+  ).option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <uuid>", "Tenant ID").option("--tenant-id <uuid>", "Tenant ID").option("--confirm", "Confirm the migration apply operation").option("--idempotency-key <key>", "Operator-supplied migration run key").action(
+    async (opts) => {
+      const { stage, api } = await resolveComputerContext(opts);
+      const tenantId = resolveTenantId(opts);
+      if (!opts.confirm) {
+        printWarning(
+          "Apply is intentionally gated. Re-run with --confirm after reviewing dry-run output."
+        );
+        process.exit(1);
+      }
+      if (!isJsonMode()) printHeader("computer migration apply", stage);
+      const response = await apiFetchRaw(
+        api.apiUrl,
+        api.authSecret,
+        "/api/migrations/agents-to-computers",
+        {
+          method: "POST",
+          body: JSON.stringify({
+            tenantId,
+            mode: "apply",
+            idempotencyKey: opts.idempotencyKey
+          })
+        }
+      );
+      if (!response.ok) {
+        printJson(response.body);
+        printError(response.body.error ?? `HTTP ${response.status}`);
+        if (response.status === 409 && response.body.blockers) {
+          if (!isJsonMode()) {
+            console.log("");
+            console.log(chalk14.bold("  Blockers"));
+            console.log(JSON.stringify(response.body.blockers, null, 2));
+          }
+        }
+        process.exit(1);
+      }
+      printMigrationReport(response.body);
+      if (!isJsonMode()) {
+        printSuccess(
+          `Computer migration applied: ${response.body.created?.length ?? 0} created, ${response.body.skipped?.length ?? 0} skipped`
+        );
+      }
+    }
+  );
+  const runtime = computer.command("runtime").description("Provision and control ECS-backed Computer runtimes");
+  for (const action of [
+    "provision",
+    "start",
+    "stop",
+    "restart",
+    "status"
+  ]) {
+    runtime.command(action).description(`${action} a Computer runtime`).option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <uuid>", "Tenant ID").option("--tenant-id <uuid>", "Tenant ID").option("-c, --computer <uuid>", "Computer ID").option("--computer-id <uuid>", "Computer ID").action(
+      async (opts) => {
+        const { stage, api } = await resolveComputerContext(opts);
+        const tenantId = resolveTenantId(opts);
+        const computerId = resolveComputerId(opts);
+        if (!isJsonMode()) {
+          printHeader(`computer runtime ${action}`, stage);
+        }
+        const response = await apiFetchRaw(
+          api.apiUrl,
+          api.authSecret,
+          "/api/computers/manager",
+          {
+            method: "POST",
+            body: JSON.stringify({ action, tenantId, computerId })
+          }
+        );
+        printJson(response.body);
+        if (!response.ok) {
+          printError(response.body.error ?? `HTTP ${response.status}`);
+          process.exit(1);
+        }
+        if (!isJsonMode()) {
+          printSuccess(`Computer runtime ${action} complete`);
+        }
+      }
+    );
+  }
+  const task = computer.command("task").description("Enqueue work for a ThinkWork Computer runtime");
+  task.command("enqueue").description("Enqueue a Computer runtime task").option("--type <type>", "Task type").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <uuid>", "Tenant ID").option("--tenant-id <uuid>", "Tenant ID").option("-c, --computer <uuid>", "Computer ID").option("--computer-id <uuid>", "Computer ID").option("--path <path>", "Workspace-relative path for file-write tasks").option("--content <content>", "UTF-8 content for file-write tasks").option("--idempotency-key <key>", "Operator-supplied idempotency key").action(
+    async (opts) => {
+      const { stage, api } = await resolveComputerContext(opts);
+      const tenantId = resolveTenantId(opts);
+      const computerId = resolveComputerId(opts);
+      const taskType = resolveTaskType(opts);
+      const input4 = taskType === "workspace_file_write" ? { path: opts.path, content: opts.content } : void 0;
+      if (!isJsonMode()) printHeader("computer task enqueue", stage);
+      const response = await apiFetchRaw(
+        api.apiUrl,
+        api.authSecret,
+        "/api/computers/runtime/tasks",
+        {
+          method: "POST",
+          body: JSON.stringify({
+            tenantId,
+            computerId,
+            taskType,
+            input: input4,
+            idempotencyKey: opts.idempotencyKey
+          })
+        }
+      );
+      printJson(response.body);
+      if (!response.ok) {
+        printError(response.body.error ?? `HTTP ${response.status}`);
+        process.exit(1);
+      }
+      if (!isJsonMode()) {
+        printSuccess(
+          `Queued Computer task ${response.body.task?.id ?? taskType}`
+        );
+      }
+    }
+  );
+}
+
 // src/commands/template.ts
 function registerTemplateCommand(program2) {
   const tpl = program2.command("template").alias("templates").description("Manage agent templates \u2014 reusable configs you spawn agents from.");
@@ -4299,10 +4799,70 @@ Examples:
 }
 
 // src/commands/tenant.ts
+import { createClient as createClient2, tenants as tenantOps, AdminOpsError as AdminOpsError2 } from "@thinkwork/admin-ops";
 function registerTenantCommand(program2) {
   const tenant = program2.command("tenant").alias("tenants").description("Manage tenants (workspaces) \u2014 create, rename, and configure plans / defaults.");
-  tenant.command("list").alias("ls").description("List tenants the caller can see.").option("-s, --stage <name>", "Deployment stage").action(() => notYetImplemented("tenant list", 2));
-  tenant.command("get <idOrSlug>").description("Fetch one tenant by ID or slug.").option("-s, --stage <name>", "Deployment stage").action(() => notYetImplemented("tenant get", 2));
+  tenant.command("list").alias("ls").description("List tenants the caller can see.").option("-s, --stage <name>", "Deployment stage").addHelpText(
+    "after",
+    `
+Examples:
+  $ thinkwork tenant list
+  $ thinkwork tenant list -s dev
+  $ thinkwork tenant list --json | jq '.[].slug'
+`
+  ).action(async (opts) => {
+    try {
+      const stage = await resolveStage({ flag: opts.stage });
+      const api = resolveApiConfig(stage);
+      if (!api) process.exit(1);
+      const client = createClient2({ apiUrl: api.apiUrl, authSecret: api.authSecret });
+      const rows = await tenantOps.listTenants(client);
+      printJson(rows);
+      printTable(rows, [
+        { key: "slug", header: "SLUG" },
+        { key: "name", header: "NAME" },
+        { key: "plan", header: "PLAN" },
+        { key: "id", header: "ID" }
+      ]);
+    } catch (err) {
+      printError(err instanceof Error ? err.message : String(err));
+      process.exit(1);
+    }
+  });
+  tenant.command("get <idOrSlug>").description("Fetch one tenant by ID or slug.").option("-s, --stage <name>", "Deployment stage").addHelpText(
+    "after",
+    `
+Examples:
+  $ thinkwork tenant get acme
+  $ thinkwork tenant get 0a2b... --json
+`
+  ).action(async (idOrSlug, opts) => {
+    try {
+      const stage = await resolveStage({ flag: opts.stage });
+      const api = resolveApiConfig(stage);
+      if (!api) process.exit(1);
+      const client = createClient2({ apiUrl: api.apiUrl, authSecret: api.authSecret });
+      const isUuid2 = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(
+        idOrSlug
+      );
+      const tenant2 = isUuid2 ? await tenantOps.getTenant(client, idOrSlug) : await tenantOps.getTenantBySlug(client, idOrSlug);
+      printJson(tenant2);
+      printTable([tenant2], [
+        { key: "slug", header: "SLUG" },
+        { key: "name", header: "NAME" },
+        { key: "plan", header: "PLAN" },
+        { key: "issue_prefix", header: "PREFIX" },
+        { key: "id", header: "ID" }
+      ]);
+    } catch (err) {
+      if (err instanceof AdminOpsError2 && err.status === 404) {
+        printError(`Tenant "${idOrSlug}" not found`);
+        process.exit(2);
+      }
+      printError(err instanceof Error ? err.message : String(err));
+      process.exit(1);
+    }
+  });
   tenant.command("create [name]").description("Create a new tenant. The caller becomes its first owner.").option("-s, --stage <name>", "Deployment stage").option("--slug <slug>", "URL-safe slug (lowercase, hyphens). Generated from name if omitted.").option("--plan <plan>", "Plan tier (free, team, enterprise, \u2026)", "team").option("--issue-prefix <prefix>", "Issue-number prefix for thread numbers (e.g. ACME)").addHelpText(
     "after",
     `
@@ -4492,29 +5052,218 @@ Examples:
   wh.command("deliveries <id>").description("Show recent delivery attempts (success/failure, response status).").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("--limit <n>", "Max rows", "25").action(() => notYetImplemented("webhook deliveries", 3));
 }
 
-// src/commands/connector.ts
-function registerConnectorCommand(program2) {
-  const conn = program2.command("connector").alias("connectors").description("Manage third-party integrations (Slack, GitHub, Linear, \u2026).");
-  conn.command("list").alias("ls").description("List available connectors and which are enabled for this tenant.").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("--enabled-only", "Only show tenant-enabled connectors").action(() => notYetImplemented("connector list", 3));
-  conn.command("get <slug>").description("Fetch one connector with its config schema + current status.").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").action(() => notYetImplemented("connector get", 3));
-  conn.command("enable <slug>").description("Enable a connector. Opens the OAuth flow in your browser when required.").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("--config <json>", "Inline config JSON (for API-key style connectors)").option("--config-file <path>", "Load config from a file").addHelpText(
-    "after",
-    `
-Examples:
-  # OAuth connector (Slack)
-  $ thinkwork connector enable slack
+// src/lib/plugin-zip.ts
+import { createReadStream, promises as fsp, statSync } from "fs";
+import { basename, join as join6, relative, resolve as resolve3, sep } from "path";
+import JSZip from "jszip";
+var PluginZipError = class extends Error {
+  constructor(message, kind) {
+    super(message);
+    this.kind = kind;
+    this.name = "PluginZipError";
+  }
+  kind;
+};
+async function buildPluginZip(pluginDir) {
+  const root = resolve3(pluginDir);
+  let stat;
+  try {
+    stat = await fsp.stat(root);
+  } catch {
+    throw new PluginZipError(
+      `Plugin directory not found: ${pluginDir}`,
+      "missing-directory"
+    );
+  }
+  if (!stat.isDirectory()) {
+    throw new PluginZipError(
+      `Plugin path must be a directory: ${pluginDir}`,
+      "missing-directory"
+    );
+  }
+  const manifestPath = join6(root, "plugin.json");
+  let manifestRaw;
+  try {
+    manifestRaw = await fsp.readFile(manifestPath, "utf8");
+  } catch {
+    throw new PluginZipError(
+      `plugin.json is required at the root of the plugin folder (expected ${manifestPath}).`,
+      "missing-plugin-json"
+    );
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(manifestRaw);
+  } catch (err) {
+    throw new PluginZipError(
+      `plugin.json is not valid JSON: ${err.message}`,
+      "invalid-plugin-json"
+    );
+  }
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+    throw new PluginZipError(
+      `plugin.json must be a JSON object with a "name" field.`,
+      "invalid-plugin-json"
+    );
+  }
+  const manifest = parsed;
+  if (typeof manifest.name !== "string" || manifest.name.trim() === "") {
+    throw new PluginZipError(
+      `plugin.json must declare a non-empty "name" string.`,
+      "invalid-plugin-json"
+    );
+  }
+  const zip = new JSZip();
+  const entries = await walkDir(root, root);
+  for (const entry of entries) {
+    if (entry.isSymbolicLink) {
+      throw new PluginZipError(
+        `Refusing to zip symlink: ${entry.relPath} (would be rejected server-side).`,
+        "unsafe-entry"
+      );
+    }
+    if (hasParentSegment(entry.relPath)) {
+      throw new PluginZipError(
+        `Refusing to zip path with traversal segment: ${entry.relPath}`,
+        "unsafe-entry"
+      );
+    }
+    const archivePath = entry.relPath.split(sep).join("/");
+    zip.file(archivePath, createReadStream(entry.absPath));
+  }
+  let buffer;
+  try {
+    buffer = await zip.generateAsync({
+      type: "nodebuffer",
+      compression: "DEFLATE",
+      compressionOptions: { level: 6 }
+    });
+  } catch (err) {
+    throw new PluginZipError(
+      `Failed to compress plugin: ${err.message}`,
+      "io"
+    );
+  }
+  const metadata = {
+    name: manifest.name.trim(),
+    version: typeof manifest.version === "string" && manifest.version.trim() !== "" ? manifest.version.trim() : void 0,
+    description: typeof manifest.description === "string" ? manifest.description.trim() || void 0 : void 0
+  };
+  return {
+    buffer,
+    plugin: metadata,
+    fileCount: entries.length,
+    zipFileName: `${basename(root)}.zip`
+  };
+}
+async function walkDir(rootDir, currentDir) {
+  const out = [];
+  const dirents = await fsp.readdir(currentDir, { withFileTypes: true });
+  for (const ent of dirents) {
+    const abs = join6(currentDir, ent.name);
+    const rel = relative(rootDir, abs);
+    if (ent.name === ".git" || ent.name === ".DS_Store" || ent.name === "node_modules") {
+      continue;
+    }
+    if (ent.isSymbolicLink()) {
+      out.push({ absPath: abs, relPath: rel, isSymbolicLink: true });
+      continue;
+    }
+    if (ent.isDirectory()) {
+      out.push(...await walkDir(rootDir, abs));
+      continue;
+    }
+    if (ent.isFile()) {
+      try {
+        statSync(abs);
+      } catch {
+        continue;
+      }
+      out.push({ absPath: abs, relPath: rel, isSymbolicLink: false });
+    }
+  }
+  return out.sort(
+    (a, b) => a.relPath < b.relPath ? -1 : a.relPath > b.relPath ? 1 : 0
+  );
+}
+function hasParentSegment(relPath) {
+  const parts = relPath.split(sep);
+  return parts.some((p) => p === "..");
+}
 
-  # API-key connector (inline)
-  $ thinkwork connector enable linear --config '{"apiKey":"lin_\u2026"}'
-`
-  ).action(() => notYetImplemented("connector enable", 3));
-  conn.command("disable <slug>").description("Disable a connector. Stored credentials are cleared.").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("-y, --yes", "Skip confirmation").action(() => notYetImplemented("connector disable", 3));
-  conn.command("test <slug>").description("Round-trip the connector's credentials against its API. Prints pass/fail + latency.").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").action(() => notYetImplemented("connector test", 3));
+// src/lib/plugin-push.ts
+async function pushPluginZip(input4) {
+  const base = input4.apiUrl.replace(/\/+$/, "");
+  const presignRes = await fetch(`${base}/api/plugins/presign`, {
+    method: "POST",
+    headers: withJson(input4.headers),
+    body: JSON.stringify({ fileName: input4.fileName })
+  });
+  if (!presignRes.ok) {
+    throw new Error(`presign failed: ${await describeHttpError(presignRes)}`);
+  }
+  const presign = await presignRes.json();
+  if (!presign.uploadUrl || !presign.s3Key) {
+    throw new Error(
+      `presign returned invalid response: ${JSON.stringify(presign)}`
+    );
+  }
+  const putRes = await fetch(presign.uploadUrl, {
+    method: "PUT",
+    headers: { "Content-Type": "application/zip" },
+    body: new Uint8Array(input4.zipBuffer)
+  });
+  if (!putRes.ok) {
+    throw new Error(`S3 PUT failed: HTTP ${putRes.status}`);
+  }
+  const installRes = await fetch(`${base}/api/plugins/upload`, {
+    method: "POST",
+    headers: withJson(input4.headers),
+    body: JSON.stringify({ s3Key: presign.s3Key })
+  });
+  const installBody = await installRes.json().catch(() => ({}));
+  if (installRes.status === 400 && installBody && installBody.valid === false) {
+    return {
+      status: "validation-failed",
+      errors: installBody.errors ?? [],
+      warnings: installBody.warnings ?? []
+    };
+  }
+  if (!installRes.ok) {
+    const uploadId = typeof installBody.uploadId === "string" ? installBody.uploadId : "";
+    return {
+      status: "failed",
+      uploadId,
+      phase: typeof installBody.phase === "string" ? installBody.phase : void 0,
+      errorMessage: typeof installBody.errorMessage === "string" && installBody.errorMessage || typeof installBody.error === "string" && installBody.error || `HTTP ${installRes.status}`
+    };
+  }
+  const plugin = installBody.plugin;
+  if (!plugin || typeof installBody.uploadId !== "string") {
+    throw new Error(
+      `install response missing uploadId/plugin: ${JSON.stringify(installBody)}`
+    );
+  }
+  return {
+    status: "installed",
+    uploadId: installBody.uploadId,
+    plugin,
+    warnings: Array.isArray(installBody.warnings) ? installBody.warnings : []
+  };
+}
+function withJson(headers) {
+  return { "Content-Type": "application/json", ...headers };
+}
+async function describeHttpError(res) {
+  const text = await res.text().catch(() => "");
+  return `HTTP ${res.status} ${text.slice(0, 200)}`;
 }
 
 // src/commands/skill.ts
 function registerSkillCommand(program2) {
-  const skill = program2.command("skill").alias("skills").description("Browse the catalog, install, upgrade, or publish custom skills.");
+  const skill = program2.command("skill").alias("skills").description(
+    "Browse the catalog, install, upgrade, or publish custom skills."
+  );
   skill.command("catalog").description("Browse the public skill catalog (not tenant-scoped).").option("-s, --stage <name>", "Deployment stage").option("--search <q>", "Filter by keyword").option("--tag <t>", "Filter by tag").action(() => notYetImplemented("skill catalog", 3));
   skill.command("list").alias("ls").description("List skills installed / published in the current tenant.").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("--custom-only", "Only show tenant-owned custom skills").action(() => notYetImplemented("skill list", 3));
   skill.command("install <slug>").description("Install a public skill into the tenant. Idempotent.").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("--version <v>", "Pin to a specific version (default: latest)").addHelpText(
@@ -4526,7 +5275,9 @@ Examples:
 `
   ).action(() => notYetImplemented("skill install", 3));
   skill.command("upgrade <slug>").description("Upgrade an installed skill to the latest catalog version.").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").action(() => notYetImplemented("skill upgrade", 3));
-  skill.command("create [slug]").description("Publish a custom tenant-scoped skill (walkthrough for missing fields in TTY).").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("--name <n>").option("--description <text>").option("--manifest-file <path>", "Path to the MCP server manifest JSON").option("--endpoint <url>", "MCP server HTTP/SSE endpoint").addHelpText(
+  skill.command("create [slug]").description(
+    "Publish a custom tenant-scoped skill (walkthrough for missing fields in TTY)."
+  ).option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("--name <n>").option("--description <text>").option("--manifest-file <path>", "Path to the MCP server manifest JSON").option("--endpoint <url>", "MCP server HTTP/SSE endpoint").addHelpText(
     "after",
     `
 Examples:
@@ -4535,7 +5286,103 @@ Examples:
 `
   ).action(() => notYetImplemented("skill create", 3));
   skill.command("update <slug>").description("Update a custom skill's manifest, endpoint, or description.").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("--name <n>").option("--description <text>").option("--manifest-file <path>").option("--endpoint <url>").action(() => notYetImplemented("skill update", 3));
-  skill.command("delete <slug>").description("Delete a custom skill. Public catalog skills are uninstalled via this too.").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("-y, --yes", "Skip confirmation").action(() => notYetImplemented("skill delete", 3));
+  skill.command("delete <slug>").description(
+    "Delete a custom skill. Public catalog skills are uninstalled via this too."
+  ).option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("-y, --yes", "Skip confirmation").action(() => notYetImplemented("skill delete", 3));
+  skill.command("push <folder>").description(
+    "Zip a local plugin folder and upload it to the tenant as a pending plugin."
+  ).option("-s, --stage <name>", "Deployment stage").option("--region <name>", "AWS region", "us-east-1").addHelpText(
+    "after",
+    `
+Examples:
+  $ thinkwork skill push ./my-plugin
+  $ thinkwork skill push ./my-plugin --stage dev
+
+The folder must contain a plugin.json manifest. MCP servers shipped
+inside the plugin will land as 'pending' and need admin approval
+under Capabilities \u2192 MCP Servers before agents can invoke them.
+`
+  ).action(
+    async (folder, opts) => {
+      await runPushCommand(folder, opts);
+    }
+  );
+}
+async function runPushCommand(folder, opts) {
+  const region = opts.region ?? "us-east-1";
+  const stage = await resolveStage({ flag: opts.stage, region });
+  let zipped;
+  try {
+    zipped = await buildPluginZip(folder);
+  } catch (err) {
+    if (err instanceof PluginZipError) {
+      printError(err.message);
+      process.exit(1);
+    }
+    throw err;
+  }
+  const auth = await resolveAuth({ stage, region, requireCognito: true });
+  if (auth.mode !== "cognito") {
+    printError(
+      `skill push requires a Cognito session. Run \`thinkwork login --stage ${stage}\`.`
+    );
+    process.exit(1);
+  }
+  const apiUrl = getApiEndpoint(stage, region);
+  if (!apiUrl) {
+    printError(
+      `Could not discover API endpoint for stage "${stage}" in ${region}. Is the stack deployed?`
+    );
+    process.exit(1);
+  }
+  printSuccess(
+    `Prepared plugin "${zipped.plugin.name}" \u2014 ${zipped.fileCount} file(s), ${formatBytes(zipped.buffer.length)}`
+  );
+  let result;
+  try {
+    result = await pushPluginZip({
+      apiUrl,
+      headers: auth.headers,
+      zipBuffer: zipped.buffer,
+      fileName: zipped.zipFileName
+    });
+  } catch (err) {
+    printError(`Upload failed: ${err.message}`);
+    process.exit(1);
+  }
+  if (result.status === "validation-failed") {
+    printError("Plugin validation failed");
+    for (const e of result.errors) console.log(`    - ${e}`);
+    for (const w of result.warnings) printWarning(w);
+    process.exit(1);
+  }
+  if (result.status === "failed") {
+    printError(
+      `Install failed${result.phase ? ` at phase ${result.phase}` : ""}: ${result.errorMessage}`
+    );
+    if (result.uploadId) {
+      console.log(`    upload id: ${result.uploadId}`);
+    }
+    process.exit(1);
+  }
+  const skillCount = result.plugin.skills.length;
+  const mcpCount = result.plugin.mcpServers.length;
+  printSuccess(
+    `Installed "${result.plugin.name}" \u2014 ${skillCount} skill(s)` + (mcpCount > 0 ? `, ${mcpCount} MCP server(s) pending admin approval` : "")
+  );
+  console.log(`    upload id: ${result.uploadId}`);
+  if (mcpCount > 0) {
+    console.log(
+      `    approve at: admin SPA \u2192 Capabilities \u2192 MCP Servers (filter: status=pending)`
+    );
+  }
+  for (const w of result.warnings) printWarning(w);
+}
+function formatBytes(bytes) {
+  if (bytes < 1024) return `${bytes} B`;
+  const kb = bytes / 1024;
+  if (kb < 1024) return `${kb.toFixed(1)} KB`;
+  return `${(kb / 1024).toFixed(2)} MB`;
 }
 
 // src/commands/memory.ts
@@ -4669,7 +5516,7 @@ Examples:
 }
 
 // src/commands/eval/run.ts
-import { select as select8, checkbox, confirm as confirm2, input as input3 } from "@inquirer/prompts";
+import { checkbox, confirm as confirm2 } from "@inquirer/prompts";
 import ora2 from "ora";
 
 // src/gql/graphql.ts
@@ -4678,6 +5525,7 @@ var CliEvalRunDocument = { "kind": "Document", "definitions": [{ "kind": "Operat
 var CliEvalRunResultsDocument = { "kind": "Document", "definitions": [{ "kind": "OperationDefinition", "operation": "query", "name": { "kind": "Name", "value": "CliEvalRunResults" }, "variableDefinitions": [{ "kind": "VariableDefinition", "variable": { "kind": "Variable", "name": { "kind": "Name", "value": "runId" } }, "type": { "kind": "NonNullType", "type": { "kind": "NamedType", "name": { "kind": "Name", "value": "ID" } } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "evalRunResults" }, "arguments": [{ "kind": "Argument", "name": { "kind": "Name", "value": "runId" }, "value": { "kind": "Variable", "name": { "kind": "Name", "value": "runId" } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "id" } }, { "kind": "Field", "name": { "kind": "Name", "value": "testCaseId" } }, { "kind": "Field", "name": { "kind": "Name", "value": "testCaseName" } }, { "kind": "Field", "name": { "kind": "Name", "value": "category" } }, { "kind": "Field", "name": { "kind": "Name", "value": "status" } }, { "kind": "Field", "name": { "kind": "Name", "value": "score" } }, { "kind": "Field", "name": { "kind": "Name", "value": "durationMs" } }, { "kind": "Field", "name": { "kind": "Name", "value": "agentSessionId" } }, { "kind": "Field", "name": { "kind": "Name", "value": "input" } }, { "kind": "Field", "name": { "kind": "Name", "value": "expected" } }, { "kind": "Field", "name": { "kind": "Name", "value": "actualOutput" } }, { "kind": "Field", "name": { "kind": "Name", "value": "evaluatorResults" } }, { "kind": "Field", "name": { "kind": "Name", "value": "assertions" } }, { "kind": "Field", "name": { "kind": "Name", "value": "errorMessage" } }, { "kind": "Field", "name": { "kind": "Name", "value": "createdAt" } }] } }] } }] };
 var CliEvalTestCasesDocument = { "kind": "Document", "definitions": [{ "kind": "OperationDefinition", "operation": "query", "name": { "kind": "Name", "value": "CliEvalTestCases" }, "variableDefinitions": [{ "kind": "VariableDefinition", "variable": { "kind": "Variable", "name": { "kind": "Name", "value": "tenantId" } }, "type": { "kind": "NonNullType", "type": { "kind": "NamedType", "name": { "kind": "Name", "value": "ID" } } } }, { "kind": "VariableDefinition", "variable": { "kind": "Variable", "name": { "kind": "Name", "value": "category" } }, "type": { "kind": "NamedType", "name": { "kind": "Name", "value": "String" } } }, { "kind": "VariableDefinition", "variable": { "kind": "Variable", "name": { "kind": "Name", "value": "search" } }, "type": { "kind": "NamedType", "name": { "kind": "Name", "value": "String" } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "evalTestCases" }, "arguments": [{ "kind": "Argument", "name": { "kind": "Name", "value": "tenantId" }, "value": { "kind": "Variable", "name": { "kind": "Name", "value": "tenantId" } } }, { "kind": "Argument", "name": { "kind": "Name", "value": "category" }, "value": { "kind": "Variable", "name": { "kind": "Name", "value": "category" } } }, { "kind": "Argument", "name": { "kind": "Name", "value": "search" }, "value": { "kind": "Variable", "name": { "kind": "Name", "value": "search" } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "id" } }, { "kind": "Field", "name": { "kind": "Name", "value": "name" } }, { "kind": "Field", "name": { "kind": "Name", "value": "category" } }, { "kind": "Field", "name": { "kind": "Name", "value": "query" } }, { "kind": "Field", "name": { "kind": "Name", "value": "systemPrompt" } }, { "kind": "Field", "name": { "kind": "Name", "value": "agentTemplateId" } }, { "kind": "Field", "name": { "kind": "Name", "value": "agentTemplateName" } }, { "kind": "Field", "name": { "kind": "Name", "value": "agentcoreEvaluatorIds" } }, { "kind": "Field", "name": { "kind": "Name", "value": "tags" } }, { "kind": "Field", "name": { "kind": "Name", "value": "enabled" } }, { "kind": "Field", "name": { "kind": "Name", "value": "source" } }, { "kind": "Field", "name": { "kind": "Name", "value": "createdAt" } }, { "kind": "Field", "name": { "kind": "Name", "value": "updatedAt" } }] } }] } }] };
 var CliEvalTestCaseDocument = { "kind": "Document", "definitions": [{ "kind": "OperationDefinition", "operation": "query", "name": { "kind": "Name", "value": "CliEvalTestCase" }, "variableDefinitions": [{ "kind": "VariableDefinition", "variable": { "kind": "Variable", "name": { "kind": "Name", "value": "id" } }, "type": { "kind": "NonNullType", "type": { "kind": "NamedType", "name": { "kind": "Name", "value": "ID" } } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "evalTestCase" }, "arguments": [{ "kind": "Argument", "name": { "kind": "Name", "value": "id" }, "value": { "kind": "Variable", "name": { "kind": "Name", "value": "id" } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "id" } }, { "kind": "Field", "name": { "kind": "Name", "value": "tenantId" } }, { "kind": "Field", "name": { "kind": "Name", "value": "name" } }, { "kind": "Field", "name": { "kind": "Name", "value": "category" } }, { "kind": "Field", "name": { "kind": "Name", "value": "query" } }, { "kind": "Field", "name": { "kind": "Name", "value": "systemPrompt" } }, { "kind": "Field", "name": { "kind": "Name", "value": "agentTemplateId" } }, { "kind": "Field", "name": { "kind": "Name", "value": "agentTemplateName" } }, { "kind": "Field", "name": { "kind": "Name", "value": "assertions" } }, { "kind": "Field", "name": { "kind": "Name", "value": "agentcoreEvaluatorIds" } }, { "kind": "Field", "name": { "kind": "Name", "value": "tags" } }, { "kind": "Field", "name": { "kind": "Name", "value": "enabled" } }, { "kind": "Field", "name": { "kind": "Name", "value": "source" } }, { "kind": "Field", "name": { "kind": "Name", "value": "createdAt" } }, { "kind": "Field", "name": { "kind": "Name", "value": "updatedAt" } }] } }] } }] };
+var CliComputersForEvalDocument = { "kind": "Document", "definitions": [{ "kind": "OperationDefinition", "operation": "query", "name": { "kind": "Name", "value": "CliComputersForEval" }, "variableDefinitions": [{ "kind": "VariableDefinition", "variable": { "kind": "Variable", "name": { "kind": "Name", "value": "tenantId" } }, "type": { "kind": "NonNullType", "type": { "kind": "NamedType", "name": { "kind": "Name", "value": "ID" } } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "computers" }, "arguments": [{ "kind": "Argument", "name": { "kind": "Name", "value": "tenantId" }, "value": { "kind": "Variable", "name": { "kind": "Name", "value": "tenantId" } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "id" } }, { "kind": "Field", "name": { "kind": "Name", "value": "name" } }, { "kind": "Field", "name": { "kind": "Name", "value": "slug" } }, { "kind": "Field", "name": { "kind": "Name", "value": "runtimeStatus" } }] } }] } }] };
 var CliAgentTemplatesForEvalDocument = { "kind": "Document", "definitions": [{ "kind": "OperationDefinition", "operation": "query", "name": { "kind": "Name", "value": "CliAgentTemplatesForEval" }, "variableDefinitions": [{ "kind": "VariableDefinition", "variable": { "kind": "Variable", "name": { "kind": "Name", "value": "tenantId" } }, "type": { "kind": "NonNullType", "type": { "kind": "NamedType", "name": { "kind": "Name", "value": "ID" } } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "agentTemplates" }, "arguments": [{ "kind": "Argument", "name": { "kind": "Name", "value": "tenantId" }, "value": { "kind": "Variable", "name": { "kind": "Name", "value": "tenantId" } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "id" } }, { "kind": "Field", "name": { "kind": "Name", "value": "name" } }, { "kind": "Field", "name": { "kind": "Name", "value": "slug" } }, { "kind": "Field", "name": { "kind": "Name", "value": "model" } }, { "kind": "Field", "name": { "kind": "Name", "value": "isPublished" } }] } }] } }] };
 var CliTenantBySlugDocument = { "kind": "Document", "definitions": [{ "kind": "OperationDefinition", "operation": "query", "name": { "kind": "Name", "value": "CliTenantBySlug" }, "variableDefinitions": [{ "kind": "VariableDefinition", "variable": { "kind": "Variable", "name": { "kind": "Name", "value": "slug" } }, "type": { "kind": "NonNullType", "type": { "kind": "NamedType", "name": { "kind": "Name", "value": "String" } } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "tenantBySlug" }, "arguments": [{ "kind": "Argument", "name": { "kind": "Name", "value": "slug" }, "value": { "kind": "Variable", "name": { "kind": "Name", "value": "slug" } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "id" } }, { "kind": "Field", "name": { "kind": "Name", "value": "slug" } }, { "kind": "Field", "name": { "kind": "Name", "value": "name" } }] } }] } }] };
 var CliStartEvalRunDocument = { "kind": "Document", "definitions": [{ "kind": "OperationDefinition", "operation": "mutation", "name": { "kind": "Name", "value": "CliStartEvalRun" }, "variableDefinitions": [{ "kind": "VariableDefinition", "variable": { "kind": "Variable", "name": { "kind": "Name", "value": "tenantId" } }, "type": { "kind": "NonNullType", "type": { "kind": "NamedType", "name": { "kind": "Name", "value": "ID" } } } }, { "kind": "VariableDefinition", "variable": { "kind": "Variable", "name": { "kind": "Name", "value": "input" } }, "type": { "kind": "NonNullType", "type": { "kind": "NamedType", "name": { "kind": "Name", "value": "StartEvalRunInput" } } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "startEvalRun" }, "arguments": [{ "kind": "Argument", "name": { "kind": "Name", "value": "tenantId" }, "value": { "kind": "Variable", "name": { "kind": "Name", "value": "tenantId" } } }, { "kind": "Argument", "name": { "kind": "Name", "value": "input" }, "value": { "kind": "Variable", "name": { "kind": "Name", "value": "input" } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "id" } }, { "kind": "Field", "name": { "kind": "Name", "value": "status" } }, { "kind": "Field", "name": { "kind": "Name", "value": "model" } }, { "kind": "Field", "name": { "kind": "Name", "value": "categories" } }, { "kind": "Field", "name": { "kind": "Name", "value": "agentTemplateId" } }, { "kind": "Field", "name": { "kind": "Name", "value": "agentTemplateName" } }, { "kind": "Field", "name": { "kind": "Name", "value": "totalTests" } }, { "kind": "Field", "name": { "kind": "Name", "value": "createdAt" } }] } }] } }] };
@@ -4696,17 +5544,18 @@ var CliWikiCompileJobsDocument = { "kind": "Document", "definitions": [{ "kind":
 
 // src/gql/gql.ts
 var documents = {
-  "\n  query CliEvalRuns($tenantId: ID!, $agentId: ID, $limit: Int, $offset: Int) {\n    evalRuns(tenantId: $tenantId, agentId: $agentId, limit: $limit, offset: $offset) {\n      totalCount\n      items {\n        id\n        status\n        model\n        categories\n        agentId\n        agentName\n        agentTemplateId\n        agentTemplateName\n        totalTests\n        passed\n        failed\n        passRate\n        regression\n        costUsd\n        errorMessage\n        startedAt\n        completedAt\n        createdAt\n      }\n    }\n  }\n": CliEvalRunsDocument,
+  "\n  query CliEvalRuns($tenantId: ID!, $agentId: ID, $limit: Int, $offset: Int) {\n    evalRuns(\n      tenantId: $tenantId\n      agentId: $agentId\n      limit: $limit\n      offset: $offset\n    ) {\n      totalCount\n      items {\n        id\n        status\n        model\n        categories\n        agentId\n        agentName\n        agentTemplateId\n        agentTemplateName\n        totalTests\n        passed\n        failed\n        passRate\n        regression\n        costUsd\n        errorMessage\n        startedAt\n        completedAt\n        createdAt\n      }\n    }\n  }\n": CliEvalRunsDocument,
   "\n  query CliEvalRun($id: ID!) {\n    evalRun(id: $id) {\n      id\n      status\n      model\n      categories\n      agentId\n      agentName\n      agentTemplateId\n      agentTemplateName\n      totalTests\n      passed\n      failed\n      passRate\n      regression\n      costUsd\n      errorMessage\n      startedAt\n      completedAt\n      createdAt\n    }\n  }\n": CliEvalRunDocument,
   "\n  query CliEvalRunResults($runId: ID!) {\n    evalRunResults(runId: $runId) {\n      id\n      testCaseId\n      testCaseName\n      category\n      status\n      score\n      durationMs\n      agentSessionId\n      input\n      expected\n      actualOutput\n      evaluatorResults\n      assertions\n      errorMessage\n      createdAt\n    }\n  }\n": CliEvalRunResultsDocument,
   "\n  query CliEvalTestCases($tenantId: ID!, $category: String, $search: String) {\n    evalTestCases(tenantId: $tenantId, category: $category, search: $search) {\n      id\n      name\n      category\n      query\n      systemPrompt\n      agentTemplateId\n      agentTemplateName\n      agentcoreEvaluatorIds\n      tags\n      enabled\n      source\n      createdAt\n      updatedAt\n    }\n  }\n": CliEvalTestCasesDocument,
   "\n  query CliEvalTestCase($id: ID!) {\n    evalTestCase(id: $id) {\n      id\n      tenantId\n      name\n      category\n      query\n      systemPrompt\n      agentTemplateId\n      agentTemplateName\n      assertions\n      agentcoreEvaluatorIds\n      tags\n      enabled\n      source\n      createdAt\n      updatedAt\n    }\n  }\n": CliEvalTestCaseDocument,
+  "\n  query CliComputersForEval($tenantId: ID!) {\n    computers(tenantId: $tenantId) {\n      id\n      name\n      slug\n      runtimeStatus\n    }\n  }\n": CliComputersForEvalDocument,
   "\n  query CliAgentTemplatesForEval($tenantId: ID!) {\n    agentTemplates(tenantId: $tenantId) {\n      id\n      name\n      slug\n      model\n      isPublished\n    }\n  }\n": CliAgentTemplatesForEvalDocument,
   "\n  query CliTenantBySlug($slug: String!) {\n    tenantBySlug(slug: $slug) {\n      id\n      slug\n      name\n    }\n  }\n": CliTenantBySlugDocument,
   "\n  mutation CliStartEvalRun($tenantId: ID!, $input: StartEvalRunInput!) {\n    startEvalRun(tenantId: $tenantId, input: $input) {\n      id\n      status\n      model\n      categories\n      agentTemplateId\n      agentTemplateName\n      totalTests\n      createdAt\n    }\n  }\n": CliStartEvalRunDocument,
   "\n  mutation CliCancelEvalRun($id: ID!) {\n    cancelEvalRun(id: $id) {\n      id\n      status\n      completedAt\n    }\n  }\n": CliCancelEvalRunDocument,
   "\n  mutation CliDeleteEvalRun($id: ID!) {\n    deleteEvalRun(id: $id)\n  }\n": CliDeleteEvalRunDocument,
-  "\n  mutation CliCreateEvalTestCase($tenantId: ID!, $input: CreateEvalTestCaseInput!) {\n    createEvalTestCase(tenantId: $tenantId, input: $input) {\n      id\n      name\n      category\n    }\n  }\n": CliCreateEvalTestCaseDocument,
+  "\n  mutation CliCreateEvalTestCase(\n    $tenantId: ID!\n    $input: CreateEvalTestCaseInput!\n  ) {\n    createEvalTestCase(tenantId: $tenantId, input: $input) {\n      id\n      name\n      category\n    }\n  }\n": CliCreateEvalTestCaseDocument,
   "\n  mutation CliUpdateEvalTestCase($id: ID!, $input: UpdateEvalTestCaseInput!) {\n    updateEvalTestCase(id: $id, input: $input) {\n      id\n      name\n      category\n      enabled\n    }\n  }\n": CliUpdateEvalTestCaseDocument,
   "\n  mutation CliDeleteEvalTestCase($id: ID!) {\n    deleteEvalTestCase(id: $id)\n  }\n": CliDeleteEvalTestCaseDocument,
   "\n  mutation CliSeedEvalTestCases($tenantId: ID!, $categories: [String!]) {\n    seedEvalTestCases(tenantId: $tenantId, categories: $categories)\n  }\n": CliSeedEvalTestCasesDocument,
@@ -4724,7 +5573,12 @@ function graphql(source) {
 // src/commands/eval/gql.ts
 var EvalRunsDoc = graphql(`
   query CliEvalRuns($tenantId: ID!, $agentId: ID, $limit: Int, $offset: Int) {
-    evalRuns(tenantId: $tenantId, agentId: $agentId, limit: $limit, offset: $offset) {
+    evalRuns(
+      tenantId: $tenantId
+      agentId: $agentId
+      limit: $limit
+      offset: $offset
+    ) {
       totalCount
       items {
         id
@@ -4834,6 +5688,16 @@ var EvalTestCaseDoc = graphql(`
     }
   }
 `);
+var ComputersForEvalDoc = graphql(`
+  query CliComputersForEval($tenantId: ID!) {
+    computers(tenantId: $tenantId) {
+      id
+      name
+      slug
+      runtimeStatus
+    }
+  }
+`);
 var AgentTemplatesForEvalDoc = graphql(`
   query CliAgentTemplatesForEval($tenantId: ID!) {
     agentTemplates(tenantId: $tenantId) {
@@ -4883,7 +5747,10 @@ var DeleteEvalRunDoc = graphql(`
   }
 `);
 var CreateEvalTestCaseDoc = graphql(`
-  mutation CliCreateEvalTestCase($tenantId: ID!, $input: CreateEvalTestCaseInput!) {
+  mutation CliCreateEvalTestCase(
+    $tenantId: ID!
+    $input: CreateEvalTestCaseInput!
+  ) {
     createEvalTestCase(tenantId: $tenantId, input: $input) {
       id
       name
@@ -4981,123 +5848,75 @@ function isTerminalStatus(status) {
 }
 
 // src/commands/eval/run.ts
+var DEFAULT_EVAL_MODEL_ID = "moonshotai.kimi-k2.5";
 async function runEvalRun(opts) {
   const ctx = await resolveEvalContext(opts);
   const interactive = isInteractive();
-  let agentTemplateId = opts.agentTemplate ?? null;
+  const deprecatedComputerId = opts.computer ?? null;
   let categories = opts.category ?? null;
   let testCaseIds = opts.testCase ?? null;
+  if (deprecatedComputerId) {
+    printError(
+      "--computer is no longer supported for eval runs. Evals run directly against the default Agent template."
+    );
+    process.exit(1);
+  }
+  if (opts.model && opts.model !== DEFAULT_EVAL_MODEL_ID) {
+    printError(
+      `--model is no longer configurable for eval runs. Evals use ${DEFAULT_EVAL_MODEL_ID}.`
+    );
+    process.exit(1);
+  }
   const scopeSatisfied = testCaseIds && testCaseIds.length > 0 || categories && categories.length > 0 || opts.all === true;
-  if (!agentTemplateId || !scopeSatisfied) {
+  if (!scopeSatisfied) {
     if (!interactive) {
       const missing = [];
-      if (!agentTemplateId) missing.push("--agent-template");
-      if (!scopeSatisfied) missing.push("one of --all | --category | --test-case");
+      if (!scopeSatisfied)
+        missing.push("one of --all | --category | --test-case");
       printError(
         `Missing required flag(s) in non-interactive session: ${missing.join(", ")}.`
       );
       process.exit(1);
     }
   }
-  if (!agentTemplateId) {
-    const data = await gqlQuery(ctx.client, AgentTemplatesForEvalDoc, {
+  if (!scopeSatisfied) {
+    const tcData = await gqlQuery(ctx.client, EvalTestCasesDoc, {
       tenantId: ctx.tenantId
     });
-    const templates = data.agentTemplates ?? [];
-    if (templates.length === 0) {
-      printError("No agent templates defined for this tenant. Create one first.");
+    const distinctCategories = Array.from(
+      new Set(
+        (tcData.evalTestCases ?? []).filter((tc) => tc.enabled).map((tc) => tc.category)
+      )
+    ).sort();
+    if (distinctCategories.length === 0) {
+      printError(
+        "No enabled test cases exist for this tenant yet. Run `thinkwork eval seed` to load the starter pack."
+      );
       process.exit(1);
     }
-    requireTty("Agent template");
-    agentTemplateId = await promptOrExit(
-      () => select8({
-        message: "Agent template to run against?",
-        choices: templates.map((t) => ({
-          name: `${t.name}${t.model ? `  (${t.model})` : ""}${t.isPublished ? "" : "  [draft]"}`,
-          value: t.id
-        })),
-        loop: false
-      })
-    );
-  }
-  if (!scopeSatisfied) {
-    const scope = await promptOrExit(
-      () => select8({
-        message: "How should we pick test cases?",
-        choices: [
-          { name: "All enabled test cases", value: "all" },
-          { name: "Filter by category", value: "category" },
-          { name: "Pick specific test cases", value: "specific" }
-        ],
+    const picked = await promptOrExit(
+      () => checkbox({
+        message: "Which categories? (space to toggle, enter to confirm)",
+        choices: distinctCategories.map((c) => ({ name: c, value: c })),
+        required: true,
         loop: false
       })
     );
-    if (scope === "all") {
-      categories = null;
-      testCaseIds = null;
-      opts.all = true;
-    } else if (scope === "category") {
-      const tcData = await gqlQuery(ctx.client, EvalTestCasesDoc, {
-        tenantId: ctx.tenantId
-      });
-      const distinctCategories = Array.from(
-        new Set((tcData.evalTestCases ?? []).map((tc) => tc.category))
-      ).sort();
-      if (distinctCategories.length === 0) {
-        printError(
-          "No test cases exist for this tenant yet. Run `thinkwork eval seed` to load the starter pack."
-        );
-        process.exit(1);
-      }
-      const picked = await promptOrExit(
-        () => checkbox({
-          message: "Which categories? (space to toggle, enter to confirm)",
-          choices: distinctCategories.map((c) => ({ name: c, value: c })),
-          required: true,
-          loop: false
-        })
-      );
-      categories = picked;
-    } else {
-      const tcData = await gqlQuery(ctx.client, EvalTestCasesDoc, {
-        tenantId: ctx.tenantId
-      });
-      const options = (tcData.evalTestCases ?? []).filter((tc) => tc.enabled);
-      if (options.length === 0) {
-        printError("No enabled test cases to pick from.");
-        process.exit(1);
-      }
-      const picked = await promptOrExit(
-        () => checkbox({
-          message: "Which test cases?",
-          choices: options.map((tc) => ({
-            name: `${tc.name}  (${tc.category})`,
-            value: tc.id
-          })),
-          required: true,
-          loop: false
-        })
-      );
-      testCaseIds = picked;
-    }
-  }
-  if (!opts.model && interactive) {
-    const entered = await promptOrExit(
-      () => input3({
-        message: "Model override? (blank for template default)",
-        default: ""
-      })
-    );
-    if (entered.trim()) opts.model = entered.trim();
+    categories = picked;
   }
+  const requestedModel = opts.model ?? null;
+  opts.model = DEFAULT_EVAL_MODEL_ID;
   if (interactive && !isJsonMode()) {
     const summaryLines = [
       ["Stage", ctx.stage],
       ["Tenant", ctx.tenantSlug],
-      ["Agent template", agentTemplateId]
+      ["Target", "Default Agent template"]
     ];
+    if (requestedModel && requestedModel !== DEFAULT_EVAL_MODEL_ID)
+      summaryLines.push(["Ignored Model", requestedModel]);
     if (opts.model) summaryLines.push(["Model", opts.model]);
-    if (categories && categories.length) summaryLines.push(["Categories", categories.join(", ")]);
+    if (categories && categories.length)
+      summaryLines.push(["Categories", categories.join(", ")]);
     if (testCaseIds && testCaseIds.length)
       summaryLines.push(["Test cases", `${testCaseIds.length} picked`]);
     if (opts.all && !categories?.length && !testCaseIds?.length)
@@ -5114,8 +5933,6 @@ async function runEvalRun(opts) {
   const mutRes = await gqlMutate(ctx.client, StartEvalRunDoc, {
     tenantId: ctx.tenantId,
     input: {
-      agentTemplateId,
-      agentId: opts.agent ?? null,
       model: opts.model ?? null,
       categories: categories ?? null,
       testCaseIds: testCaseIds ?? null
@@ -5123,7 +5940,12 @@ async function runEvalRun(opts) {
   });
   const run2 = mutRes.startEvalRun;
   if (isJsonMode()) {
-    printJson({ runId: run2.id, status: run2.status, model: run2.model, categories: run2.categories });
+    printJson({
+      runId: run2.id,
+      status: run2.status,
+      model: run2.model,
+      categories: run2.categories
+    });
   } else {
     printSuccess(`Started eval run ${run2.id} (status: ${run2.status}).`);
   }
@@ -5147,8 +5969,12 @@ async function pollUntilTerminal(client, runId, intervalSec, timeoutSec) {
       }
       if (isTerminalStatus(run2.status)) {
         if (spinner) {
-          if (run2.status === "completed") spinner.succeed(`completed \u2014 ${run2.passed}/${run2.totalTests} (${fmtPercent(run2.passRate)})`);
-          else if (run2.status === "failed") spinner.fail(`failed \u2014 ${run2.errorMessage ?? "unknown error"}`);
+          if (run2.status === "completed")
+            spinner.succeed(
+              `completed \u2014 ${run2.passed}/${run2.totalTests} (${fmtPercent(run2.passRate)})`
+            );
+          else if (run2.status === "failed")
+            spinner.fail(`failed \u2014 ${run2.errorMessage ?? "unknown error"}`);
           else spinner.warn("cancelled");
         }
         if (isJsonMode()) {
@@ -5466,7 +6292,7 @@ async function runEvalTestCaseGet(id, opts) {
 
 // src/commands/eval/test-case/create.ts
 import { readFileSync as readFileSync6 } from "fs";
-import { input as input4, select as select9, checkbox as checkbox2 } from "@inquirer/prompts";
+import { input as input3, select as select8, checkbox as checkbox2 } from "@inquirer/prompts";
 var DEFAULT_EVALUATORS = [
   "Builtin.Helpfulness",
   "Builtin.Correctness",
@@ -5496,17 +6322,17 @@ async function runEvalTestCaseCreate(opts) {
   if (!name) {
     requireTty("Name");
     name = await promptOrExit(
-      () => input4({ message: "Test case name?", validate: (v) => v.trim().length > 0 || "Required" })
+      () => input3({ message: "Test case name?", validate: (v) => v.trim().length > 0 || "Required" })
     );
   }
   if (!category) {
     category = await promptOrExit(
-      () => input4({ message: "Category (free-form label)?", validate: (v) => v.trim().length > 0 || "Required" })
+      () => input3({ message: "Category (free-form label)?", validate: (v) => v.trim().length > 0 || "Required" })
     );
   }
   if (!query) {
     query = await promptOrExit(
-      () => input4({ message: "Query the agent under test will receive?", validate: (v) => v.trim().length > 0 || "Required" })
+      () => input3({ message: "Query the agent under test will receive?", validate: (v) => v.trim().length > 0 || "Required" })
     );
   }
   if (interactive && agentTemplateId === null) {
@@ -5514,7 +6340,7 @@ async function runEvalTestCaseCreate(opts) {
     const templates = tpls.agentTemplates ?? [];
     if (templates.length > 0) {
       const choice = await promptOrExit(
-        () => select9({
+        () => select8({
           message: "Pin to an agent template? (Enter for none)",
           choices: [
             { name: "\u2014 none \u2014 (runner picks)", value: "" },
@@ -5572,28 +6398,28 @@ async function runEvalTestCaseCreate(opts) {
 import { readFileSync as readFileSync7 } from "fs";
 async function runEvalTestCaseUpdate(id, opts) {
   const ctx = await resolveEvalContext(opts);
-  const input5 = {};
-  if (opts.name !== void 0) input5.name = opts.name;
-  if (opts.category !== void 0) input5.category = opts.category;
-  if (opts.query !== void 0) input5.query = opts.query;
-  if (opts.systemPrompt !== void 0) input5.systemPrompt = opts.systemPrompt;
-  if (opts.agentTemplate !== void 0) input5.agentTemplateId = opts.agentTemplate;
-  if (opts.evaluator !== void 0) input5.agentcoreEvaluatorIds = opts.evaluator;
-  if (opts.tag !== void 0) input5.tags = opts.tag;
-  if (opts.enabled !== void 0) input5.enabled = opts.enabled;
+  const input4 = {};
+  if (opts.name !== void 0) input4.name = opts.name;
+  if (opts.category !== void 0) input4.category = opts.category;
+  if (opts.query !== void 0) input4.query = opts.query;
+  if (opts.systemPrompt !== void 0) input4.systemPrompt = opts.systemPrompt;
+  if (opts.agentTemplate !== void 0) input4.agentTemplateId = opts.agentTemplate;
+  if (opts.evaluator !== void 0) input4.agentcoreEvaluatorIds = opts.evaluator;
+  if (opts.tag !== void 0) input4.tags = opts.tag;
+  if (opts.enabled !== void 0) input4.enabled = opts.enabled;
   if (opts.assertionsFile) {
     const parsed = JSON.parse(readFileSync7(opts.assertionsFile, "utf8"));
     if (!Array.isArray(parsed)) {
       printError(`--assertions-file must contain a JSON array.`);
       process.exit(1);
     }
-    input5.assertions = parsed;
+    input4.assertions = parsed;
   }
-  if (Object.keys(input5).length === 0) {
+  if (Object.keys(input4).length === 0) {
     printError("No fields to update. Pass at least one --<field>.");
     process.exit(1);
   }
-  const res = await gqlMutate(ctx.client, UpdateEvalTestCaseDoc, { id, input: input5 });
+  const res = await gqlMutate(ctx.client, UpdateEvalTestCaseDoc, { id, input: input4 });
   if (isJsonMode()) {
     printJson(res.updateEvalTestCase);
     return;
@@ -5631,38 +6457,84 @@ async function runEvalTestCaseDelete(id, opts) {
 // src/commands/eval.ts
 function registerEvalCommand(program2) {
   const evals = program2.command("eval").alias("evals").description(
-    "Run evaluations against your agents and manage eval test cases. Integrates with the Evaluations Studio in the admin UI."
-  );
+    "Run evaluations against the default AgentCore agent template and manage eval test cases. Integrates with the Evaluations Studio in the admin UI."
+  ).option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("-r, --region <region>", "AWS region", "us-east-1").option(
+    "--computer <id>",
+    "Deprecated; evals now run directly against AgentCore"
+  ).option("--model <id>", "Deprecated; evals always use Kimi K2.5").option("--category <name...>", "Only run these categories (repeatable)").option(
+    "--test-case <id...>",
+    "Only run these specific test case IDs (repeatable)"
+  ).option("--all", "Run all enabled test cases for the tenant").option("--watch", "Block and poll until the run reaches a terminal status").option(
+    "--timeout <seconds>",
+    "Max wait seconds for --watch (default 900)",
+    "900"
+  ).addHelpText(
+    "after",
+    `
+Default action:
+  $ thinkwork evals
+
+Equivalent explicit action:
+  $ thinkwork eval run
+`
+  ).action(runEvalRun);
   evals.command("run").description(
     "Start an evaluation run. Prompts for missing values in a TTY; fails fast in non-interactive sessions."
-  ).option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("-r, --region <region>", "AWS region", "us-east-1").option("--agent-template <id>", "Run-level agent template ID").option("--agent <id>", "Optional agent under test").option("--model <id>", "Optional model override").option("--category <name...>", "Only run these categories (repeatable)").option("--test-case <id...>", "Only run these specific test case IDs (repeatable)").option("--all", "Run all enabled test cases for the tenant").option("--watch", "Block and poll until the run reaches a terminal status").option("--timeout <seconds>", "Max wait seconds for --watch (default 900)", "900").addHelpText(
+  ).option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("-r, --region <region>", "AWS region", "us-east-1").option(
+    "--computer <id>",
+    "Deprecated; evals now run directly against AgentCore"
+  ).option("--model <id>", "Deprecated; evals always use Kimi K2.5").option("--category <name...>", "Only run these categories (repeatable)").option(
+    "--test-case <id...>",
+    "Only run these specific test case IDs (repeatable)"
+  ).option("--all", "Run all enabled test cases for the tenant").option("--watch", "Block and poll until the run reaches a terminal status").option(
+    "--timeout <seconds>",
+    "Max wait seconds for --watch (default 900)",
+    "900"
+  ).addHelpText(
     "after",
     `
 Examples:
   # Fire and return \u2014 prints the runId; view results in the admin UI
-  $ thinkwork eval run --agent-template tpl-abc --category tool-safety
+  $ thinkwork eval run --category red-team-safety-scope
 
-  # Pick categories + test cases interactively
+  # Pick categories interactively
   $ thinkwork eval run
 
   # Block until done
-  $ thinkwork eval run --agent-template tpl-abc --all --watch --timeout 1800
+  $ thinkwork eval run --all --watch --timeout 1800
 `
   ).action(runEvalRun);
   evals.command("list").alias("ls").description("List recent eval runs for the tenant.").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("-r, --region <region>", "AWS region", "us-east-1").option("--agent <id>", "Filter by agent under test").option("--limit <n>", "Max rows (default 25)", "25").option("--offset <n>", "Skip N rows", "0").action(runEvalList);
-  evals.command("get <runId>").description("Show one eval run with its per-test-case results.").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("-r, --region <region>", "AWS region", "us-east-1").option("--results", "Also fetch per-test-case results (default: true)", true).option("--no-results", "Skip fetching per-test-case results").action(runEvalGet);
+  evals.command("get <runId>").description("Show one eval run with its per-test-case results.").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("-r, --region <region>", "AWS region", "us-east-1").option(
+    "--results",
+    "Also fetch per-test-case results (default: true)",
+    true
+  ).option("--no-results", "Skip fetching per-test-case results").action(runEvalGet);
   evals.command("watch <runId>").description("Poll an eval run until it reaches a terminal status.").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("-r, --region <region>", "AWS region", "us-east-1").option("--interval <seconds>", "Poll interval (default 3)", "3").option("--timeout <seconds>", "Max wait seconds (default 900)", "900").action(runEvalWatch);
   evals.command("cancel <runId>").description("Cancel a running or pending eval run.").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("-r, --region <region>", "AWS region", "us-east-1").action(runEvalCancel);
-  evals.command("delete <runId>").description("Delete an eval run and its results. Requires confirmation unless --yes.").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("-r, --region <region>", "AWS region", "us-east-1").option("-y, --yes", "Skip the confirmation prompt").action(runEvalDelete);
-  evals.command("categories").description("List distinct categories present across the tenant's test cases.").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("-r, --region <region>", "AWS region", "us-east-1").action(runEvalCategories);
+  evals.command("delete <runId>").description(
+    "Delete an eval run and its results. Requires confirmation unless --yes."
+  ).option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("-r, --region <region>", "AWS region", "us-east-1").option("-y, --yes", "Skip the confirmation prompt").action(runEvalDelete);
+  evals.command("categories").description(
+    "List distinct categories present across the tenant's test cases."
+  ).option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("-r, --region <region>", "AWS region", "us-east-1").action(runEvalCategories);
   evals.command("seed").description(
-    "Idempotently seed the maniflow starter pack (96 test cases across 9 categories). Safe to re-run."
+    "Idempotently seed the ThinkWork RedTeam starter pack (189 test cases across 4 categories). Safe to re-run."
   ).option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("-r, --region <region>", "AWS region", "us-east-1").option("--category <name...>", "Only seed these categories (repeatable)").action(runEvalSeed);
   const tc = evals.command("test-case").alias("test-cases").description("Manage individual eval test cases (CRUD).");
   tc.command("list").alias("ls").description("List test cases, optionally filtered by category or search.").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("-r, --region <region>", "AWS region", "us-east-1").option("--category <name>", "Filter by a single category").option("--search <q>", "Substring match on test case name").action(runEvalTestCaseList);
   tc.command("get <id>").description("Show a single test case.").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("-r, --region <region>", "AWS region", "us-east-1").action(runEvalTestCaseGet);
-  tc.command("create").description("Create a new test case. Prompts for missing values in a TTY.").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("-r, --region <region>", "AWS region", "us-east-1").option("--name <text>", "Human-readable name").option("--category <name>", "Category label (e.g. tool-safety, red-team)").option("--query <text>", "The user-facing query this agent will receive").option("--system-prompt <text>", "Optional system-prompt override").option("--agent-template <id>", "Pin to a specific agent template").option("--evaluator <id...>", "AgentCore evaluator IDs (repeatable)").option("--tag <name...>", "Tags (repeatable)").option("--enabled", "Mark enabled (default)", true).option("--no-enabled", "Mark disabled").option("--assertions-file <path>", "JSON file containing an array of assertions").action(runEvalTestCaseCreate);
-  tc.command("update <id>").description("Update a test case. Only supplied fields are changed.").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("-r, --region <region>", "AWS region", "us-east-1").option("--name <text>").option("--category <name>").option("--query <text>").option("--system-prompt <text>").option("--agent-template <id>").option("--evaluator <id...>", "Replace AgentCore evaluator IDs (repeatable)").option("--tag <name...>", "Replace tags (repeatable)").option("--enabled", "Mark enabled").option("--no-enabled", "Mark disabled").option("--assertions-file <path>", "JSON file containing an array of assertions (replaces all)").action(runEvalTestCaseUpdate);
+  tc.command("create").description("Create a new test case. Prompts for missing values in a TTY.").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("-r, --region <region>", "AWS region", "us-east-1").option("--name <text>", "Human-readable name").option("--category <name>", "Category label (e.g. tool-safety, red-team)").option("--query <text>", "The user-facing query this agent will receive").option("--system-prompt <text>", "Optional system-prompt override").option("--agent-template <id>", "Pin to a specific agent template").option("--evaluator <id...>", "AgentCore evaluator IDs (repeatable)").option("--tag <name...>", "Tags (repeatable)").option("--enabled", "Mark enabled (default)", true).option("--no-enabled", "Mark disabled").option(
+    "--assertions-file <path>",
+    "JSON file containing an array of assertions"
+  ).action(runEvalTestCaseCreate);
+  tc.command("update <id>").description("Update a test case. Only supplied fields are changed.").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("-r, --region <region>", "AWS region", "us-east-1").option("--name <text>").option("--category <name>").option("--query <text>").option("--system-prompt <text>").option("--agent-template <id>").option(
+    "--evaluator <id...>",
+    "Replace AgentCore evaluator IDs (repeatable)"
+  ).option("--tag <name...>", "Replace tags (repeatable)").option("--enabled", "Mark enabled").option("--no-enabled", "Mark disabled").option(
+    "--assertions-file <path>",
+    "JSON file containing an array of assertions (replaces all)"
+  ).action(runEvalTestCaseUpdate);
   tc.command("delete <id>").description("Delete a test case. Requires confirmation unless --yes.").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("-r, --region <region>", "AWS region", "us-east-1").option("-y, --yes", "Skip the confirmation prompt").action(runEvalTestCaseDelete);
 }
 
@@ -5735,7 +6607,7 @@ var WikiCompileJobsDoc = graphql(`
 `);
 
 // src/commands/wiki/helpers.ts
-import { select as select10 } from "@inquirer/prompts";
+import { select as select9 } from "@inquirer/prompts";
 async function resolveWikiContext(opts) {
   const region = opts.region ?? "us-east-1";
   const stage = await resolveStage({ flag: opts.stage, region });
@@ -5875,7 +6747,7 @@ async function resolveAgentScope(ctx, opts, config = {}) {
     choices.push({ name: `${label}${slugPart}  [${a.id}]`, value: a.id });
   }
   const pick = await promptOrExit(
-    () => select10({
+    () => select9({
       message: "Which agent?",
       choices,
       loop: false
@@ -6571,6 +7443,7 @@ registerMessageCommand(program);
 registerLabelCommand(program);
 registerInboxCommand(program);
 registerAgentCommand(program);
+registerComputerCommand(program);
 registerTemplateCommand(program);
 registerTenantCommand(program);
 registerMemberCommand(program);
@@ -6581,7 +7454,6 @@ registerScheduledJobCommand(program);
 registerTurnCommand(program);
 registerWakeupCommand(program);
 registerWebhookCommand(program);
-registerConnectorCommand(program);
 registerSkillCommand(program);
 registerMemoryCommand(program);
 registerRecipeCommand(program);