zooid 0.5.0 → 0.6.0

package/dist/index.js

@@ -18,6 +18,9 @@ import {
   saveDirectoryToken,
   switchServer
 } from "./chunk-67ZRMVHO.js";
+import {
+  parseGitHubUrl
+} from "./chunk-AR456MHY.js";
 
 // src/index.ts
 import { Command } from "commander";
@@ -202,6 +205,285 @@ function runConfigGet(key) {
   );
 }
 
+// src/lib/workforce.ts
+import fs3 from "fs";
+import path3 from "path";
+
+// src/lib/project.ts
+import fs2 from "fs";
+import path2 from "path";
+function findProjectRoot(from) {
+  let dir = fs2.realpathSync(from ?? process.cwd());
+  while (true) {
+    if (fs2.existsSync(path2.join(dir, "zooid.json")) || fs2.existsSync(path2.join(dir, ".zooid"))) {
+      return dir;
+    }
+    const parent = path2.dirname(dir);
+    if (parent === dir) return null;
+    dir = parent;
+  }
+}
+function getZooidDir(from) {
+  const root = findProjectRoot(from);
+  if (!root) {
+    throw new Error(
+      "Not a Zooid project (no zooid.json or .zooid/ found). Run `npx zooid init` first."
+    );
+  }
+  return path2.join(root, ".zooid");
+}
+
+// src/lib/workforce.ts
+var WORKFORCE_FILENAME = "workforce.json";
+var SLUG_RE = /^[a-z0-9][a-z0-9-]{1,62}[a-z0-9]$/;
+function isValidSlug(s) {
+  return SLUG_RE.test(s);
+}
+function validateWorkforceFile(raw, filePath) {
+  if (raw.meta && typeof raw.meta === "object") {
+    const meta = raw.meta;
+    if (meta.slug !== void 0) {
+      if (typeof meta.slug !== "string" || !isValidSlug(meta.slug)) {
+        throw new Error(
+          `Invalid meta.slug in ${filePath}: "${meta.slug}" \u2014 must be a valid slug (lowercase alphanumeric + hyphens, 3-64 chars)`
+        );
+      }
+    }
+  }
+  if (raw.include) {
+    if (!Array.isArray(raw.include)) {
+      throw new Error(`"include" must be an array in ${filePath}`);
+    }
+    for (const p of raw.include) {
+      if (typeof p !== "string") {
+        throw new Error(`Include entries must be strings in ${filePath}`);
+      }
+      if (path3.isAbsolute(p)) {
+        throw new Error(`Include path must be relative in ${filePath}: ${p}`);
+      }
+    }
+  }
+  if (raw.channels && typeof raw.channels === "object") {
+    for (const [id, ch] of Object.entries(
+      raw.channels
+    )) {
+      if (!isValidSlug(id)) {
+        throw new Error(
+          `Invalid channel slug "${id}" in ${filePath} \u2014 must be lowercase alphanumeric + hyphens, 3-64 chars`
+        );
+      }
+      if (!ch || typeof ch !== "object" || !ch.visibility) {
+        throw new Error(
+          `Channel "${id}" in ${filePath} must have a "visibility" field`
+        );
+      }
+    }
+  }
+  if (raw.roles && typeof raw.roles === "object") {
+    for (const [id, role] of Object.entries(
+      raw.roles
+    )) {
+      if (!isValidSlug(id)) {
+        throw new Error(
+          `Invalid role slug "${id}" in ${filePath} \u2014 must be lowercase alphanumeric + hyphens, 3-64 chars`
+        );
+      }
+      if (!role || typeof role !== "object" || !Array.isArray(role.scopes)) {
+        throw new Error(
+          `Role "${id}" in ${filePath} must have a "scopes" array`
+        );
+      }
+    }
+  }
+}
+function resolveIncludes(filePath, ancestors, isRoot = false) {
+  const realPath = fs3.realpathSync(filePath);
+  if (ancestors.has(realPath)) {
+    const chain = [...ancestors, realPath].map((p) => path3.basename(p)).join(" \u2192 ");
+    throw new Error(`Circular include: ${chain}`);
+  }
+  const childAncestors = new Set(ancestors);
+  childAncestors.add(realPath);
+  const raw = JSON.parse(fs3.readFileSync(filePath, "utf-8"));
+  validateWorkforceFile(raw, filePath);
+  const wf = raw;
+  const baseDir = path3.dirname(filePath);
+  const result = {
+    channels: {},
+    roles: {},
+    agents: {},
+    provenance: { channels: {}, roles: {}, agents: {} }
+  };
+  if (wf.include) {
+    for (const includePath of wf.include) {
+      const resolved = path3.resolve(baseDir, includePath);
+      try {
+        const zooidDir = getZooidDir();
+        const realZooidDir = fs3.realpathSync(zooidDir);
+        if (!resolved.startsWith(realZooidDir + path3.sep) && resolved !== realZooidDir) {
+          throw new Error(
+            `Include path escapes .zooid/ in ${filePath}: ${includePath}`
+          );
+        }
+      } catch (e) {
+        if (e instanceof Error && e.message.includes("escapes")) throw e;
+      }
+      if (!fs3.existsSync(resolved)) {
+        throw new Error(
+          `Included file not found: ${includePath} (resolved to ${resolved})`
+        );
+      }
+      const included = resolveIncludes(resolved, childAncestors);
+      if (!isRoot) {
+        for (const id of Object.keys(included.channels)) {
+          if (id in result.channels) {
+            const prev = path3.basename(result.provenance.channels[id]);
+            const curr = path3.basename(included.provenance.channels[id]);
+            console.warn(
+              `\u26A0 Channel "${id}" defined in both ${prev} and ${curr} \u2014 using ${curr} (last wins)`
+            );
+          }
+        }
+        for (const id of Object.keys(included.roles)) {
+          if (id in result.roles) {
+            const prev = path3.basename(result.provenance.roles[id]);
+            const curr = path3.basename(included.provenance.roles[id]);
+            console.warn(
+              `\u26A0 Role "${id}" defined in both ${prev} and ${curr} \u2014 using ${curr} (last wins)`
+            );
+          }
+        }
+      }
+      Object.assign(result.channels, included.channels);
+      Object.assign(result.roles, included.roles);
+      Object.assign(result.agents, included.agents);
+      Object.assign(result.provenance.channels, included.provenance.channels);
+      Object.assign(result.provenance.roles, included.provenance.roles);
+      Object.assign(result.provenance.agents, included.provenance.agents);
+    }
+  }
+  if (wf.channels) {
+    for (const [id, def] of Object.entries(wf.channels)) {
+      result.channels[id] = def;
+      result.provenance.channels[id] = filePath;
+    }
+  }
+  if (wf.roles) {
+    for (const [id, def] of Object.entries(wf.roles)) {
+      result.roles[id] = def;
+      result.provenance.roles[id] = filePath;
+    }
+  }
+  if (wf.agents) {
+    for (const [id, def] of Object.entries(wf.agents)) {
+      result.agents[id] = def;
+      result.provenance.agents[id] = filePath;
+    }
+  }
+  return result;
+}
+function loadWorkforce() {
+  let zooidDir;
+  try {
+    zooidDir = getZooidDir();
+  } catch {
+    return {
+      channels: {},
+      roles: {},
+      provenance: { channels: {}, roles: {} }
+    };
+  }
+  const filePath = path3.join(zooidDir, WORKFORCE_FILENAME);
+  if (!fs3.existsSync(filePath)) {
+    return {
+      channels: {},
+      roles: {},
+      provenance: { channels: {}, roles: {} }
+    };
+  }
+  const resolved = resolveIncludes(filePath, /* @__PURE__ */ new Set(), true);
+  if (Object.keys(resolved.agents).length > 0) {
+    for (const agentId of Object.keys(resolved.agents)) {
+      if (agentId in resolved.roles) {
+        throw new Error(
+          `agent "${agentId}" collides with a role of the same name. Use one or the other.`
+        );
+      }
+    }
+    const derivedRoles = compileAgents(resolved.agents);
+    Object.assign(resolved.roles, derivedRoles);
+    for (const id of Object.keys(derivedRoles)) {
+      resolved.provenance.roles[id] = resolved.provenance.agents[id] ?? filePath;
+    }
+  }
+  return {
+    channels: resolved.channels,
+    roles: resolved.roles,
+    provenance: resolved.provenance
+  };
+}
+function saveWorkforce(data, options) {
+  let filePath;
+  if (options?.targetFile) {
+    filePath = options.targetFile;
+  } else {
+    let zooidDir;
+    try {
+      zooidDir = getZooidDir();
+    } catch {
+      zooidDir = path3.join(process.cwd(), ".zooid");
+    }
+    fs3.mkdirSync(zooidDir, { recursive: true });
+    filePath = path3.join(zooidDir, WORKFORCE_FILENAME);
+  }
+  let existing = {};
+  if (fs3.existsSync(filePath)) {
+    existing = JSON.parse(fs3.readFileSync(filePath, "utf-8"));
+  }
+  const output = {};
+  if (existing.$schema) output.$schema = existing.$schema;
+  if (existing.meta) output.meta = existing.meta;
+  if (existing.include) output.include = existing.include;
+  output.channels = data.channels;
+  output.roles = data.roles;
+  if (existing.agents) output.agents = existing.agents;
+  fs3.writeFileSync(filePath, JSON.stringify(output, null, 2) + "\n");
+}
+function updateInFile(filePath, section, id, def) {
+  const raw = JSON.parse(fs3.readFileSync(filePath, "utf-8"));
+  if (!raw[section]) raw[section] = {};
+  raw[section][id] = def;
+  fs3.writeFileSync(filePath, JSON.stringify(raw, null, 2) + "\n");
+}
+function removeFromFile(filePath, section, id) {
+  const raw = JSON.parse(fs3.readFileSync(filePath, "utf-8"));
+  if (raw[section]) {
+    delete raw[section][id];
+  }
+  fs3.writeFileSync(filePath, JSON.stringify(raw, null, 2) + "\n");
+}
+function compileAgents(agents) {
+  const roles = {};
+  for (const [id, agent] of Object.entries(agents)) {
+    const scopes = [];
+    if (agent.subscribes) {
+      for (const ch of agent.subscribes) {
+        scopes.push(`sub:${ch}`);
+      }
+    }
+    if (agent.publishes) {
+      for (const ch of agent.publishes) {
+        scopes.push(`pub:${ch}`);
+      }
+    }
+    const role = { scopes };
+    if (agent.name) role.name = agent.name;
+    if (agent.description) role.description = agent.description;
+    roles[id] = role;
+  }
+  return roles;
+}
+
 // src/commands/channel.ts
 async function runChannelCreate(id, options, client) {
   const c = client ?? createClient();
@@ -213,7 +495,7 @@ async function runChannelCreate(id, options, client) {
     id,
     name: options.name ?? id,
     description: options.description,
-    is_public: options.public ?? true,
+    is_public: options.public ?? false,
     config
   });
   if (!client) {
@@ -222,6 +504,19 @@ async function runChannelCreate(id, options, client) {
     channels[id] = { token: result.token };
     saveConfig({ channels });
   }
+  if (findProjectRoot()) {
+    try {
+      const wf = loadWorkforce();
+      wf.channels[id] = {
+        visibility: options.public ? "public" : "private",
+        ...options.name && { name: options.name },
+        ...options.description && { description: options.description },
+        ...config && { config }
+      };
+      saveWorkforce(wf);
+    } catch {
+    }
+  }
   return result;
 }
 async function runChannelList(client) {
@@ -230,7 +525,27 @@ async function runChannelList(client) {
 }
 async function runChannelUpdate(channelId, options, client) {
   const c = client ?? createClient();
-  return c.updateChannel(channelId, options);
+  const result = await c.updateChannel(channelId, options);
+  if (findProjectRoot()) {
+    try {
+      const wf = loadWorkforce();
+      const def = {
+        visibility: result.is_public ? "public" : "private",
+        ...result.name && result.name !== channelId && { name: result.name },
+        ...result.description && { description: result.description },
+        ...result.config && { config: result.config }
+      };
+      const targetFile = wf.provenance.channels[channelId];
+      if (targetFile) {
+        updateInFile(targetFile, "channels", channelId, def);
+      } else {
+        wf.channels[channelId] = def;
+        saveWorkforce(wf);
+      }
+    } catch {
+    }
+  }
+  return result;
 }
 async function runChannelDelete(channelId, client) {
   const c = client ?? createClient();
@@ -240,33 +555,311 @@ async function runChannelDelete(channelId, client) {
     const serverUrl = resolveServer();
     if (serverUrl && file.servers?.[serverUrl]?.channels?.[channelId]) {
       delete file.servers[serverUrl].channels[channelId];
-      const fs6 = await import("fs");
-      fs6.writeFileSync(getStatePath(), JSON.stringify(file, null, 2) + "\n");
+      const fs13 = await import("fs");
+      fs13.writeFileSync(getStatePath(), JSON.stringify(file, null, 2) + "\n");
+    }
+  }
+  if (findProjectRoot()) {
+    try {
+      const wf = loadWorkforce();
+      const targetFile = wf.provenance.channels[channelId];
+      if (targetFile) {
+        removeFromFile(targetFile, "channels", channelId);
+      } else {
+        delete wf.channels[channelId];
+        saveWorkforce(wf);
+      }
+    } catch {
+    }
+  }
+}
+
+// src/lib/zoon.ts
+var DEFAULT_PLATFORM_URL = "https://api.zooid.dev";
+function getPlatformUrl() {
+  return process.env.ZOON_PLATFORM_URL || DEFAULT_PLATFORM_URL;
+}
+function extractSubdomain(serverUrl) {
+  try {
+    const url = new URL(serverUrl);
+    const match = url.hostname.match(/^([^.]+)\.zoon\.eco$/);
+    return match ? match[1] : null;
+  } catch {
+    return null;
+  }
+}
+function isZoonHosted(serverUrl) {
+  return extractSubdomain(serverUrl) !== null;
+}
+function authHeaders(token) {
+  return {
+    Authorization: `Bearer ${token}`,
+    "Content-Type": "application/json"
+  };
+}
+function platformUrl(subdomain, path10) {
+  return `${getPlatformUrl()}/api/v1/servers/${subdomain}${path10}`;
+}
+async function syncRolesToZoon(serverUrl, token, roles, options) {
+  const subdomain = extractSubdomain(serverUrl);
+  if (!subdomain) {
+    throw new Error(`${serverUrl} is not a Zoon-hosted server`);
+  }
+  const _fetch = options?.fetch ?? globalThis.fetch;
+  const res = await _fetch(platformUrl(subdomain, "/roles"), {
+    method: "PUT",
+    headers: authHeaders(token),
+    body: JSON.stringify(roles)
+  });
+  if (!res.ok) {
+    const err = await res.json().catch(() => ({}));
+    throw new Error(
+      `Role sync failed: ${err.message || res.status}`
+    );
+  }
+  return res.json();
+}
+async function createCredential(serverUrl, token, name, roleNames, options) {
+  const subdomain = extractSubdomain(serverUrl);
+  const _fetch = options?.fetch ?? globalThis.fetch;
+  const rolesRes = await _fetch(platformUrl(subdomain, "/roles"), {
+    headers: authHeaders(token)
+  });
+  const roles = await rolesRes.json();
+  const roleSlugs = roleNames.map((n) => roles.find((r) => r.slug === n || r.name === n)?.slug).filter(Boolean);
+  if (roleSlugs.length === 0) {
+    throw new Error(`No matching roles found for: ${roleNames.join(", ")}`);
+  }
+  const res = await _fetch(platformUrl(subdomain, "/credentials"), {
+    method: "POST",
+    headers: authHeaders(token),
+    body: JSON.stringify({ name, role_slugs: roleSlugs })
+  });
+  if (!res.ok) {
+    const err = await res.json().catch(() => ({}));
+    throw new Error(
+      `Credential creation failed: ${err.message || res.status}`
+    );
+  }
+  return res.json();
+}
+async function listCredentials(serverUrl, token, options) {
+  const subdomain = extractSubdomain(serverUrl);
+  const _fetch = options?.fetch ?? globalThis.fetch;
+  const res = await _fetch(platformUrl(subdomain, "/credentials"), {
+    headers: authHeaders(token)
+  });
+  if (!res.ok) throw new Error(`Failed to list credentials: ${res.status}`);
+  return await res.json();
+}
+async function rotateCredential(serverUrl, token, clientId, options) {
+  const subdomain = extractSubdomain(serverUrl);
+  const _fetch = options?.fetch ?? globalThis.fetch;
+  const res = await _fetch(
+    platformUrl(subdomain, `/credentials/${clientId}/rotate`),
+    { method: "POST", headers: authHeaders(token) }
+  );
+  if (!res.ok) throw new Error(`Failed to rotate credential: ${res.status}`);
+  return res.json();
+}
+async function listRolesFromZoon(serverUrl, token, options) {
+  const subdomain = extractSubdomain(serverUrl);
+  const _fetch = options?.fetch ?? globalThis.fetch;
+  const res = await _fetch(platformUrl(subdomain, "/roles"), {
+    headers: authHeaders(token)
+  });
+  if (!res.ok) throw new Error(`Failed to list roles: ${res.status}`);
+  return res.json();
+}
+async function revokeCredential(serverUrl, token, clientId, options) {
+  const subdomain = extractSubdomain(serverUrl);
+  const _fetch = options?.fetch ?? globalThis.fetch;
+  const res = await _fetch(platformUrl(subdomain, `/credentials/${clientId}`), {
+    method: "DELETE",
+    headers: authHeaders(token)
+  });
+  if (!res.ok) throw new Error(`Failed to revoke credential: ${res.status}`);
+}
+
+// src/lib/output.ts
+function printSuccess(message) {
+  console.log(`\u2713 ${message}`);
+}
+function printError(message) {
+  console.error(`\u2717 ${message}`);
+}
+function printInfo(label, value) {
+  console.log(`  ${label}: ${value}`);
+}
+function printStep(message) {
+  console.log(`  ${message}`);
+}
+function formatRelative(isoString) {
+  const diff = Date.now() - new Date(isoString).getTime();
+  const minutes = Math.floor(diff / 6e4);
+  if (minutes < 1) return "just now";
+  if (minutes < 60) return `${minutes}m ago`;
+  const hours = Math.floor(minutes / 60);
+  if (hours < 24) return `${hours}h ago`;
+  const days = Math.floor(hours / 24);
+  return `${days}d ago`;
+}
+
+// src/commands/pull.ts
+async function runPull(client) {
+  const c = client ?? createClient();
+  const wf = loadWorkforce();
+  const written = [];
+  let newChannelsAdded = false;
+  const channels = await c.listChannels();
+  if (channels.length > 0) {
+    printStep("Pulling channels...");
+    for (const ch of channels) {
+      const def = {
+        visibility: ch.is_public ? "public" : "private"
+      };
+      if (ch.name && ch.name !== ch.id) def.name = ch.name;
+      if (ch.description) def.description = ch.description;
+      if (ch.config) def.config = ch.config;
+      const targetFile = wf.provenance.channels[ch.id];
+      if (targetFile) {
+        updateInFile(targetFile, "channels", ch.id, def);
+      } else {
+        wf.channels[ch.id] = def;
+        newChannelsAdded = true;
+      }
+      written.push(ch.id);
+    }
+  }
+  let newRolesAdded = false;
+  try {
+    const server = resolveServer();
+    const file = loadConfigFile();
+    const entry = server ? file.servers?.[server] : void 0;
+    let roles;
+    if (server && isZoonHosted(server) && entry?.platform_token) {
+      roles = await listRolesFromZoon(server, entry.platform_token);
+    } else {
+      roles = await c.listRoles();
     }
+    if (roles.length > 0) {
+      printStep("Pulling roles...");
+      for (const role of roles) {
+        const roleKey = role.slug ?? role.id;
+        const def = { scopes: role.scopes };
+        if (role.name) def.name = role.name;
+        if (role.description) def.description = role.description;
+        const targetFile = wf.provenance.roles[roleKey];
+        if (targetFile) {
+          updateInFile(targetFile, "roles", roleKey, def);
+        } else {
+          wf.roles[roleKey] = def;
+          newRolesAdded = true;
+        }
+      }
+    }
+  } catch {
   }
+  if (newChannelsAdded || newRolesAdded) {
+    saveWorkforce(wf);
+  }
+  if (written.length > 0 || Object.keys(wf.roles).length > 0) {
+    printSuccess(
+      `Pulled ${written.length} channel(s) and ${Object.keys(wf.roles).length} role(s) into .zooid/workforce.json`
+    );
+  } else {
+    printInfo("Nothing to pull", "no channels or roles on server");
+  }
+  return written;
 }
 
 // src/commands/publish.ts
-import fs2 from "fs";
-async function runPublish(channelId, options, client) {
+import fs4 from "fs";
+import readline from "readline";
+function parseJSON(raw, source) {
+  try {
+    return JSON.parse(raw);
+  } catch {
+    throw new Error(`Invalid JSON from ${source}: ${raw.slice(0, 100)}`);
+  }
+}
+function readStdin() {
+  return new Promise((resolve, reject) => {
+    if (process.stdin.isTTY) {
+      reject(
+        new Error(
+          "No data provided. Usage: zooid publish <channel> <json> or pipe via stdin"
+        )
+      );
+      return;
+    }
+    let data = "";
+    process.stdin.setEncoding("utf-8");
+    process.stdin.on("data", (chunk) => data += chunk);
+    process.stdin.on("end", () => resolve(data.trim()));
+    process.stdin.on("error", reject);
+  });
+}
+async function runPublish(channelId, options, client, dataArg) {
   const c = client ?? createPublishClient(channelId);
   let type;
   let data;
   if (options.file) {
-    const raw = fs2.readFileSync(options.file, "utf-8");
-    const parsed = JSON.parse(raw);
-    type = parsed.type;
-    data = parsed.data ?? parsed;
+    const raw = fs4.readFileSync(options.file, "utf-8");
+    const parsed = parseJSON(raw, options.file);
+    if (typeof parsed === "object" && parsed !== null && "type" in parsed) {
+      const obj = parsed;
+      type = obj.type;
+      data = obj.data ?? parsed;
+    } else {
+      data = parsed;
+    }
   } else if (options.data) {
-    data = JSON.parse(options.data);
+    data = parseJSON(options.data, "--data");
+    type = options.type;
+  } else if (dataArg) {
+    data = parseJSON(dataArg, "argument");
     type = options.type;
   } else {
-    throw new Error("Either --data or --file is required");
+    const raw = await readStdin();
+    data = parseJSON(raw, "stdin");
+    type = options.type;
   }
   const publishOpts = { data };
   if (type) publishOpts.type = type;
   return c.publish(channelId, publishOpts);
 }
+async function runPublishStream(channelId, options, client, onEvent) {
+  if (process.stdin.isTTY) {
+    throw new Error(
+      "--stream requires piped input (e.g. cat events.jsonl | zooid publish channel --stream)"
+    );
+  }
+  const c = client ?? createPublishClient(channelId);
+  const rl = readline.createInterface({ input: process.stdin });
+  let published = 0;
+  let errors = 0;
+  let lineNum = 0;
+  for await (const line of rl) {
+    lineNum++;
+    const trimmed = line.trim();
+    if (!trimmed) continue;
+    const data = parseJSON(trimmed, `stdin line ${lineNum}`);
+    const publishOpts = { data };
+    if (options.type) publishOpts.type = options.type;
+    try {
+      const event = await c.publish(channelId, publishOpts);
+      published++;
+      onEvent?.(event, lineNum);
+    } catch (err) {
+      errors++;
+      const msg = err instanceof Error ? err.message : String(err);
+      process.stderr.write(`Line ${lineNum}: ${msg}
+`);
+    }
+  }
+  return { published, errors };
+}
 
 // src/commands/subscribe.ts
 async function runSubscribePoll(channelId, options = {}, client) {
@@ -367,31 +960,7 @@ function runHistory() {
 }
 
 // src/commands/share.ts
-import readline from "readline/promises";
-
-// src/lib/output.ts
-function printSuccess(message) {
-  console.log(`\u2713 ${message}`);
-}
-function printError(message) {
-  console.error(`\u2717 ${message}`);
-}
-function printInfo(label, value) {
-  console.log(`  ${label}: ${value}`);
-}
-function printStep(message) {
-  console.log(`  ${message}`);
-}
-function formatRelative(isoString) {
-  const diff = Date.now() - new Date(isoString).getTime();
-  const minutes = Math.floor(diff / 6e4);
-  if (minutes < 1) return "just now";
-  if (minutes < 60) return `${minutes}m ago`;
-  const hours = Math.floor(minutes / 60);
-  if (hours < 24) return `${hours}h ago`;
-  const days = Math.floor(hours / 24);
-  return `${days}d ago`;
-}
+import readline2 from "readline/promises";
 
 // src/lib/directory.ts
 var DIRECTORY_BASE_URL = "https://directory.zooid.dev";
@@ -424,10 +993,10 @@ async function deviceAuth() {
   printInfo("Authorize", verification_url);
   console.log("  Opening browser to complete GitHub sign-in...\n");
   try {
-    const { exec } = await import("child_process");
+    const { exec: exec2 } = await import("child_process");
     const platform = process.platform;
     const cmd = platform === "darwin" ? "open" : platform === "win32" ? "start" : "xdg-open";
-    exec(`${cmd} "${verification_url}"`);
+    exec2(`${cmd} "${verification_url}"`);
   } catch {
     console.log(
       "  Could not open browser automatically. Please visit the URL above.\n"
@@ -454,13 +1023,13 @@ async function deviceAuth() {
     "Authorization timed out. You need your human to authorize you. Run `npx zooid share` again to retry."
   );
 }
-async function directoryFetch(path5, options = {}) {
+async function directoryFetch(path10, options = {}) {
   let token = await ensureDirectoryToken();
   const doFetch = (t) => {
     const headers = new Headers(options.headers);
     headers.set("Authorization", `Bearer ${t}`);
     headers.set("Content-Type", "application/json");
-    return fetch(`${DIRECTORY_BASE_URL}${path5}`, { ...options, headers });
+    return fetch(`${DIRECTORY_BASE_URL}${path10}`, { ...options, headers });
   };
   let res = await doFetch(token);
   if (res.status === 401) {
@@ -602,7 +1171,7 @@ async function promptChannelDetails(channels, skipPrompt) {
     }
     return result;
   }
-  const rl = readline.createInterface({
+  const rl = readline2.createInterface({
     input: process.stdin,
     output: process.stdout
   });
@@ -692,21 +1261,59 @@ async function runServerSet(fields, client) {
   return c.updateServerMeta(fields);
 }
 
+// src/lib/roles.ts
+function loadRoleDefs() {
+  const wf = loadWorkforce();
+  return new Map(Object.entries(wf.roles));
+}
+function rolesToScopeMapping(roles) {
+  const mapping = {};
+  for (const [id, def] of roles) {
+    mapping[id] = def.scopes;
+  }
+  return JSON.stringify(mapping);
+}
+
+// src/lib/resolve-roles.ts
+function resolveRoleScopes(roleNames) {
+  const roles = loadRoleDefs();
+  const allScopes = /* @__PURE__ */ new Set();
+  for (const name of roleNames) {
+    const role = roles.get(name);
+    if (!role) {
+      throw new Error(
+        `Role "${name}" not found in .zooid/workforce.json. Available: ${[...roles.keys()].join(", ") || "(none)"}`
+      );
+    }
+    for (const scope of role.scopes) {
+      allScopes.add(scope);
+    }
+  }
+  return [...allScopes];
+}
+
 // src/commands/token.ts
 async function runTokenMint(scopes, options) {
   const client = createClient();
+  if (options.role?.length && scopes.length) {
+    throw new Error("Cannot combine --role with explicit scopes");
+  }
+  if (options.role?.length) {
+    scopes = resolveRoleScopes(options.role);
+  }
   const body = { scopes };
   if (options.sub) body.sub = options.sub;
   if (options.name) body.name = options.name;
   if (options.expiresIn) body.expires_in = options.expiresIn;
+  if (options.role?.length) body.groups = options.role;
   return client.mintToken(body);
 }
 
 // src/commands/dev.ts
 import { execSync, spawn as spawn2 } from "child_process";
 import crypto2 from "crypto";
-import fs3 from "fs";
-import path2 from "path";
+import fs5 from "fs";
+import path4 from "path";
 import { fileURLToPath } from "url";
 
 // src/lib/crypto.ts
@@ -772,25 +1379,25 @@ async function createEdDSAAdminToken(privateKeyJwk, kid) {
 
 // src/commands/dev.ts
 function findServerDir() {
-  const cliDir = path2.dirname(fileURLToPath(import.meta.url));
-  return path2.resolve(cliDir, "../../server");
+  const cliDir = path4.dirname(fileURLToPath(import.meta.url));
+  return path4.resolve(cliDir, "../../server");
 }
 async function runDev(port = 8787) {
   const serverDir = findServerDir();
-  if (!fs3.existsSync(path2.join(serverDir, "wrangler.toml"))) {
+  if (!fs5.existsSync(path4.join(serverDir, "wrangler.toml"))) {
     throw new Error(
       `Server directory not found at ${serverDir}. Make sure you're running from the zooid monorepo.`
     );
   }
   const jwtSecret = crypto2.randomUUID();
-  const devVarsPath = path2.join(serverDir, ".dev.vars");
-  fs3.writeFileSync(devVarsPath, `ZOOID_JWT_SECRET=${jwtSecret}
+  const devVarsPath = path4.join(serverDir, ".dev.vars");
+  fs5.writeFileSync(devVarsPath, `ZOOID_JWT_SECRET=${jwtSecret}
 `);
   const adminToken = await createAdminToken(jwtSecret);
   const serverUrl = `http://localhost:${port}`;
   saveConfig({ admin_token: adminToken }, serverUrl);
-  const schemaPath = path2.join(serverDir, "src/db/schema.sql");
-  if (fs3.existsSync(schemaPath)) {
+  const schemaPath = path4.join(serverDir, "src/db/schema.sql");
+  if (fs5.existsSync(schemaPath)) {
     try {
       execSync(
         `npx wrangler d1 execute zooid-db --local --file=${schemaPath}`,
@@ -830,31 +1437,124 @@ async function runDev(port = 8787) {
 }
 
 // src/commands/init.ts
-import fs4 from "fs";
-import path3 from "path";
-import readline2 from "readline/promises";
+import fs7 from "fs";
+import path6 from "path";
+import readline3 from "readline/promises";
+
+// src/commands/use.ts
+import fs6 from "fs";
+import path5 from "path";
+var SLUG_RE2 = /^[a-z0-9][a-z0-9-]{1,62}[a-z0-9]$/;
+function deriveTemplateName(url) {
+  const parts = parseGitHubUrl(url);
+  if (!parts) throw new Error("Cannot derive template name from URL");
+  if (parts.path) {
+    const segments = parts.path.split("/").filter(Boolean);
+    return segments[segments.length - 1];
+  }
+  return parts.repo;
+}
+function resolveTemplateName(url, workforce) {
+  const meta = workforce.meta;
+  if (meta?.slug) {
+    const slug = meta.slug;
+    if (!SLUG_RE2.test(slug)) {
+      throw new Error(
+        `Invalid meta.slug "${slug}" \u2014 must be lowercase alphanumeric + hyphens, 3-64 chars`
+      );
+    }
+    return slug;
+  }
+  return deriveTemplateName(url);
+}
+function addToInclude(relativePath) {
+  const zooidDir = getZooidDir();
+  const workforcePath = path5.join(zooidDir, "workforce.json");
+  let raw;
+  if (fs6.existsSync(workforcePath)) {
+    raw = JSON.parse(fs6.readFileSync(workforcePath, "utf-8"));
+  } else {
+    raw = { channels: {}, roles: {} };
+  }
+  const include = raw.include ?? [];
+  if (!include.includes(relativePath)) {
+    include.push(relativePath);
+  }
+  raw.include = include;
+  fs6.writeFileSync(workforcePath, JSON.stringify(raw, null, 2) + "\n");
+}
+async function runUse(url, options) {
+  printStep("Fetching template...");
+  const zooidDir = getZooidDir();
+  const tmpDir = fs6.mkdtempSync(path5.join(zooidDir, ".tmp-template-"));
+  try {
+    const { fetchTemplate } = await import("./template-T5IB4YWC.js");
+    const result = await fetchTemplate(url, tmpDir, {
+      fetch: options?.fetch
+    });
+    const fetchedZooidDir = path5.join(tmpDir, ".zooid");
+    const fetchedWorkforce = path5.join(fetchedZooidDir, "workforce.json");
+    if (!fs6.existsSync(fetchedWorkforce)) {
+      throw new Error("Template has no .zooid/workforce.json");
+    }
+    const wfRaw = JSON.parse(fs6.readFileSync(fetchedWorkforce, "utf-8"));
+    const slug = resolveTemplateName(url, wfRaw);
+    const targetDir = path5.join(zooidDir, slug);
+    if (fs6.existsSync(targetDir)) {
+      fs6.rmSync(targetDir, { recursive: true });
+    }
+    fs6.cpSync(fetchedZooidDir, targetDir, { recursive: true });
+    addToInclude(`./${slug}/workforce.json`);
+    printSuccess(
+      `Saved .zooid/${slug}/ (${result.channelCount} channel(s), ${result.roleCount} role(s))`
+    );
+    printInfo("Added to include", "workforce.json");
+  } finally {
+    fs6.rmSync(tmpDir, { recursive: true, force: true });
+  }
+}
+
+// src/commands/init.ts
 var CONFIG_FILENAME = "zooid.json";
 function getConfigPath() {
-  return path3.join(process.cwd(), CONFIG_FILENAME);
+  return path6.join(process.cwd(), CONFIG_FILENAME);
 }
 function loadServerConfig() {
   const configPath = getConfigPath();
-  if (!fs4.existsSync(configPath)) return null;
-  const raw = fs4.readFileSync(configPath, "utf-8");
+  if (!fs7.existsSync(configPath)) return null;
+  const raw = fs7.readFileSync(configPath, "utf-8");
   return JSON.parse(raw);
 }
 function saveServerConfig(config) {
   const configPath = getConfigPath();
-  fs4.writeFileSync(configPath, JSON.stringify(config, null, 2) + "\n");
+  fs7.writeFileSync(configPath, JSON.stringify(config, null, 2) + "\n");
 }
-async function runInit() {
+async function runInit(options) {
   const configPath = getConfigPath();
   const existing = loadServerConfig();
+  if (existing?.url && options?.use) {
+    const workforcePath = path6.join(process.cwd(), ".zooid", "workforce.json");
+    if (!fs7.existsSync(workforcePath)) {
+      fs7.mkdirSync(path6.join(process.cwd(), ".zooid"), { recursive: true });
+      fs7.writeFileSync(
+        workforcePath,
+        JSON.stringify({ channels: {}, roles: {} }, null, 2) + "\n"
+      );
+    }
+    await runUse(options.use);
+    console.log("");
+    printInfo("Server", existing.url);
+    printInfo("Workforce", ".zooid/workforce.json");
+    console.log("");
+    printSuccess("Ready to deploy. Run: npx zooid deploy");
+    console.log("");
+    return;
+  }
   if (existing) {
     printInfo("Found existing", configPath);
     console.log("");
   }
-  const rl = readline2.createInterface({
+  const rl = readline3.createInterface({
     input: process.stdin,
     output: process.stdout
   });
@@ -891,7 +1591,15 @@ async function runInit() {
       tags,
       url
     };
-    fs4.writeFileSync(configPath, JSON.stringify(config, null, 2) + "\n");
+    fs7.writeFileSync(configPath, JSON.stringify(config, null, 2) + "\n");
+    const workforcePath = path6.join(process.cwd(), ".zooid", "workforce.json");
+    if (!fs7.existsSync(workforcePath)) {
+      fs7.mkdirSync(path6.join(process.cwd(), ".zooid"), { recursive: true });
+      fs7.writeFileSync(
+        workforcePath,
+        JSON.stringify({ channels: {}, roles: {} }, null, 2) + "\n"
+      );
+    }
     console.log("");
     printSuccess(`Saved ${CONFIG_FILENAME}`);
     console.log("");
@@ -905,30 +1613,155 @@ async function runInit() {
       config.tags.length > 0 ? config.tags.join(", ") : "(none)"
     );
     printInfo("URL", config.url || "(not set)");
+    printInfo("Workforce", ".zooid/workforce.json");
     console.log("");
   } finally {
     rl.close();
   }
+  if (options?.use) {
+    await runUse(options.use);
+  }
 }
 
 // src/commands/deploy.ts
 import { execSync as execSync2, spawnSync } from "child_process";
 import crypto3 from "crypto";
-import fs5 from "fs";
+import fs9 from "fs";
 import os from "os";
-import path4 from "path";
-import readline3 from "readline/promises";
+import path7 from "path";
+import readline5 from "readline/promises";
 import { createRequire } from "module";
 import { ZooidClient } from "@zooid/sdk";
+
+// src/lib/channels.ts
+function loadChannelDefs() {
+  const wf = loadWorkforce();
+  return new Map(Object.entries(wf.channels));
+}
+
+// src/lib/wrangler-vars.ts
+import fs8 from "fs";
+function setWranglerVar(tomlPath, key, value) {
+  const content = fs8.readFileSync(tomlPath, "utf-8");
+  const lines = content.split("\n");
+  let varsStart = -1;
+  let varsEnd = lines.length;
+  for (let i = 0; i < lines.length; i++) {
+    if (/^\[vars\]\s*$/.test(lines[i])) {
+      varsStart = i;
+      for (let j = i + 1; j < lines.length; j++) {
+        if (/^\[/.test(lines[j]) && !/^\[vars\]/.test(lines[j])) {
+          varsEnd = j;
+          break;
+        }
+      }
+      break;
+    }
+  }
+  const keyPattern = new RegExp(`^${key}\\s*=`);
+  let existingLine = -1;
+  const searchStart = varsStart >= 0 ? varsStart + 1 : 0;
+  const searchEnd = varsStart >= 0 ? varsEnd : lines.length;
+  for (let i = searchStart; i < searchEnd; i++) {
+    if (keyPattern.test(lines[i])) {
+      existingLine = i;
+      break;
+    }
+  }
+  if (value === null) {
+    if (existingLine >= 0) {
+      lines.splice(existingLine, 1);
+    }
+  } else {
+    const newLine = `${key} = '${value}'`;
+    if (existingLine >= 0) {
+      lines[existingLine] = newLine;
+    } else if (varsStart >= 0) {
+      lines.splice(varsStart + 1, 0, newLine);
+    } else {
+      lines.push("", "[vars]", newLine);
+    }
+  }
+  fs8.writeFileSync(tomlPath, lines.join("\n"));
+}
+
+// src/lib/channel-sync.ts
+import readline4 from "readline/promises";
+async function syncChannelsToServer(client, options = {}) {
+  const localDefs = loadChannelDefs();
+  const remoteChannels = await client.listChannels();
+  const remoteIds = new Set(remoteChannels.map((ch) => ch.id));
+  const localIds = new Set(localDefs.keys());
+  let created = 0;
+  let updated = 0;
+  let deleted = 0;
+  for (const [id, def] of localDefs) {
+    if (!remoteIds.has(id)) {
+      await client.createChannel({
+        id,
+        name: def.name ?? id,
+        description: def.description,
+        is_public: def.visibility === "public",
+        config: def.config
+      });
+      printSuccess(`Channel created: ${id}`);
+      created++;
+    }
+  }
+  for (const [id, def] of localDefs) {
+    if (remoteIds.has(id)) {
+      await client.updateChannel(id, {
+        name: def.name,
+        description: def.description,
+        is_public: def.visibility === "public",
+        config: def.config ?? {}
+      });
+      printSuccess(`Channel updated: ${id}`);
+      updated++;
+    }
+  }
+  const orphaned = remoteChannels.filter((ch) => !localIds.has(ch.id));
+  if (orphaned.length > 0) {
+    if (options.prune) {
+      for (const ch of orphaned) {
+        await client.deleteChannel(ch.id);
+        printSuccess(`Channel deleted: ${ch.id}`);
+        deleted++;
+      }
+    } else if (options.confirmDelete) {
+      const confirmed = await options.confirmDelete(orphaned);
+      if (confirmed) {
+        for (const ch of orphaned) {
+          await client.deleteChannel(ch.id);
+          printSuccess(`Channel deleted: ${ch.id}`);
+          deleted++;
+        }
+      } else {
+        printInfo("Skipped", "Remote-only channels left unchanged");
+      }
+    } else {
+      printInfo(
+        "Warning",
+        `${orphaned.length} channel(s) on server not in workforce.json (use --prune to remove)`
+      );
+      for (const ch of orphaned) {
+        printInfo("  -", `${ch.id}${ch.name ? ` (${ch.name})` : ""}`);
+      }
+    }
+  }
+  return { created, updated, deleted };
+}
+
+// src/commands/deploy.ts
 var require2 = createRequire(import.meta.url);
 function resolvePackageDir(packageName) {
   const pkgJson = require2.resolve(`${packageName}/package.json`);
-  return path4.dirname(pkgJson);
+  return path7.dirname(pkgJson);
 }
-var USER_WRANGLER_TOML = path4.join(process.cwd(), "wrangler.toml");
+var USER_WRANGLER_TOML = path7.join(process.cwd(), "wrangler.toml");
 function ejectWranglerToml(opts) {
   const serverDir = resolvePackageDir("@zooid/server");
-  let toml = fs5.readFileSync(path4.join(serverDir, "wrangler.toml"), "utf-8");
+  let toml = fs9.readFileSync(path7.join(serverDir, "wrangler.toml"), "utf-8");
   toml = toml.replace(/directory\s*=\s*"[^"]*"/, 'directory = "./web-dist/"');
   toml = toml.replace(/name = "[^"]*"/, `name = "${opts.workerName}"`);
   toml = toml.replace(
@@ -943,58 +1776,58 @@ function ejectWranglerToml(opts) {
     /ZOOID_SERVER_ID = "[^"]*"/,
     `ZOOID_SERVER_ID = "${opts.serverSlug}"`
   );
-  fs5.writeFileSync(USER_WRANGLER_TOML, toml);
+  fs9.writeFileSync(USER_WRANGLER_TOML, toml);
 }
 function prepareStagingDir() {
   const serverDir = resolvePackageDir("@zooid/server");
-  const serverRequire = createRequire(path4.join(serverDir, "package.json"));
-  const webDir = path4.dirname(serverRequire.resolve("@zooid/web/package.json"));
-  const webDistDir = path4.join(webDir, "dist");
-  if (!fs5.existsSync(webDistDir)) {
+  const serverRequire = createRequire(path7.join(serverDir, "package.json"));
+  const webDir = path7.dirname(serverRequire.resolve("@zooid/web/package.json"));
+  const webDistDir = path7.join(webDir, "dist");
+  if (!fs9.existsSync(webDistDir)) {
     throw new Error(`Web dashboard not built. Missing: ${webDistDir}`);
   }
-  const tmpDir = fs5.mkdtempSync(path4.join(os.tmpdir(), "zooid-deploy-"));
-  copyDirSync(path4.join(serverDir, "src"), path4.join(tmpDir, "src"));
-  copyDirSync(webDistDir, path4.join(tmpDir, "web-dist"));
-  if (fs5.existsSync(USER_WRANGLER_TOML)) {
-    fs5.copyFileSync(USER_WRANGLER_TOML, path4.join(tmpDir, "wrangler.toml"));
+  const tmpDir = fs9.mkdtempSync(path7.join(os.tmpdir(), "zooid-deploy-"));
+  copyDirSync(path7.join(serverDir, "src"), path7.join(tmpDir, "src"));
+  copyDirSync(webDistDir, path7.join(tmpDir, "web-dist"));
+  if (fs9.existsSync(USER_WRANGLER_TOML)) {
+    fs9.copyFileSync(USER_WRANGLER_TOML, path7.join(tmpDir, "wrangler.toml"));
   } else {
-    if (!fs5.existsSync(path4.join(serverDir, "wrangler.toml"))) {
+    if (!fs9.existsSync(path7.join(serverDir, "wrangler.toml"))) {
       throw new Error(`Server package missing wrangler.toml at ${serverDir}`);
     }
-    let toml = fs5.readFileSync(path4.join(serverDir, "wrangler.toml"), "utf-8");
+    let toml = fs9.readFileSync(path7.join(serverDir, "wrangler.toml"), "utf-8");
     toml = toml.replace(/directory\s*=\s*"[^"]*"/, 'directory = "./web-dist/"');
-    fs5.writeFileSync(path4.join(tmpDir, "wrangler.toml"), toml);
+    fs9.writeFileSync(path7.join(tmpDir, "wrangler.toml"), toml);
   }
   const nodeModules = findServerNodeModules(serverDir);
   if (nodeModules) {
-    fs5.symlinkSync(nodeModules, path4.join(tmpDir, "node_modules"), "junction");
+    fs9.symlinkSync(nodeModules, path7.join(tmpDir, "node_modules"), "junction");
   }
   return tmpDir;
 }
 function findServerNodeModules(serverDir) {
-  const local = path4.join(serverDir, "node_modules");
-  if (fs5.existsSync(path4.join(local, "hono"))) return local;
-  const storeNodeModules = path4.resolve(serverDir, "..", "..");
-  if (fs5.existsSync(path4.join(storeNodeModules, "hono")))
+  const local = path7.join(serverDir, "node_modules");
+  if (fs9.existsSync(path7.join(local, "hono"))) return local;
+  const storeNodeModules = path7.resolve(serverDir, "..", "..");
+  if (fs9.existsSync(path7.join(storeNodeModules, "hono")))
     return storeNodeModules;
   let dir = serverDir;
-  while (dir !== path4.dirname(dir)) {
-    dir = path4.dirname(dir);
-    const nm = path4.join(dir, "node_modules");
-    if (fs5.existsSync(path4.join(nm, "hono"))) return nm;
+  while (dir !== path7.dirname(dir)) {
+    dir = path7.dirname(dir);
+    const nm = path7.join(dir, "node_modules");
+    if (fs9.existsSync(path7.join(nm, "hono"))) return nm;
   }
   return null;
 }
 function copyDirSync(src, dest) {
-  fs5.mkdirSync(dest, { recursive: true });
-  for (const entry of fs5.readdirSync(src, { withFileTypes: true })) {
-    const srcPath = path4.join(src, entry.name);
-    const destPath = path4.join(dest, entry.name);
+  fs9.mkdirSync(dest, { recursive: true });
+  for (const entry of fs9.readdirSync(src, { withFileTypes: true })) {
+    const srcPath = path7.join(src, entry.name);
+    const destPath = path7.join(dest, entry.name);
     if (entry.isDirectory()) {
       copyDirSync(srcPath, destPath);
     } else {
-      fs5.copyFileSync(srcPath, destPath);
+      fs9.copyFileSync(srcPath, destPath);
     }
   }
 }
@@ -1048,9 +1881,9 @@ function parseDeployUrls(output) {
   };
 }
 function loadDotEnv() {
-  const envPath = path4.join(process.cwd(), ".env");
-  if (!fs5.existsSync(envPath)) return {};
-  const content = fs5.readFileSync(envPath, "utf-8");
+  const envPath = path7.join(process.cwd(), ".env");
+  if (!fs9.existsSync(envPath)) return {};
+  const content = fs9.readFileSync(envPath, "utf-8");
   const tokenMatch = content.match(/^CLOUDFLARE_API_TOKEN=(.+)$/m);
   const accountMatch = content.match(/^CLOUDFLARE_ACCOUNT_ID=(.+)$/m);
   return {
@@ -1069,7 +1902,7 @@ async function getCfCredentials() {
     printInfo("Using credentials from", ".env");
     return { apiToken: dotEnv.apiToken, accountId: dotEnv.accountId };
   }
-  const rl = readline3.createInterface({
+  const rl = readline5.createInterface({
     input: process.stdin,
     output: process.stdout
   });
@@ -1094,7 +1927,7 @@ async function getCfCredentials() {
     rl.close();
   }
 }
-async function runDeploy() {
+async function runDeploy(opts) {
   let config = loadServerConfig();
   if (!config) {
     printInfo("No zooid.json found", "starting setup...");
@@ -1106,6 +1939,11 @@ async function runDeploy() {
     printError("Failed to load zooid.json after init");
     process.exit(1);
   }
+  const serverUrl = config.url;
+  if (serverUrl && isZoonHosted(serverUrl)) {
+    await deployZoonHosted(config, serverUrl, opts);
+    return;
+  }
   let stagingDir;
   try {
     stagingDir = prepareStagingDir();
@@ -1156,12 +1994,12 @@ async function runDeploy() {
     const databaseId = dbIdMatch[1];
     printSuccess(`D1 database created (${databaseId})`);
     ejectWranglerToml({ workerName, dbName, databaseId, serverSlug });
-    fs5.copyFileSync(USER_WRANGLER_TOML, path4.join(stagingDir, "wrangler.toml"));
+    fs9.copyFileSync(USER_WRANGLER_TOML, path7.join(stagingDir, "wrangler.toml"));
     printSuccess(
       "Created wrangler.toml (edit to add vars, observability, etc.)"
     );
-    const schemaPath = path4.join(stagingDir, "src/db/schema.sql");
-    if (fs5.existsSync(schemaPath)) {
+    const schemaPath = path7.join(stagingDir, "src/db/schema.sql");
+    if (fs9.existsSync(schemaPath)) {
       printStep("Running database schema migration...");
       wrangler(
         `d1 execute ${dbName} --remote --file=${schemaPath}`,
@@ -1216,7 +2054,7 @@ async function runDeploy() {
     console.log("");
     printInfo("Deploy type", "Redeploying existing server");
     console.log("");
-    if (!fs5.existsSync(USER_WRANGLER_TOML)) {
+    if (!fs9.existsSync(USER_WRANGLER_TOML)) {
       printStep("Ejecting wrangler.toml...");
       let databaseId = "";
       try {
@@ -1231,9 +2069,9 @@ async function runDeploy() {
         "Created wrangler.toml (edit to add vars, observability, etc.)"
       );
     }
-    fs5.copyFileSync(USER_WRANGLER_TOML, path4.join(stagingDir, "wrangler.toml"));
-    const schemaPath = path4.join(stagingDir, "src/db/schema.sql");
-    if (fs5.existsSync(schemaPath)) {
+    fs9.copyFileSync(USER_WRANGLER_TOML, path7.join(stagingDir, "wrangler.toml"));
+    const schemaPath = path7.join(stagingDir, "src/db/schema.sql");
+    if (fs9.existsSync(schemaPath)) {
       printStep("Running schema migration...");
       wrangler(
         `d1 execute ${dbName} --remote --file=${schemaPath}`,
@@ -1242,11 +2080,11 @@ async function runDeploy() {
       );
       printSuccess("Schema up to date");
     }
-    const migrationsDir = path4.join(stagingDir, "src/db/migrations");
-    if (fs5.existsSync(migrationsDir)) {
-      const migrationFiles = fs5.readdirSync(migrationsDir).filter((f) => f.endsWith(".sql")).sort();
+    const migrationsDir = path7.join(stagingDir, "src/db/migrations");
+    if (fs9.existsSync(migrationsDir)) {
+      const migrationFiles = fs9.readdirSync(migrationsDir).filter((f) => f.endsWith(".sql")).sort();
       for (const file of migrationFiles) {
-        const migrationPath = path4.join(migrationsDir, file);
+        const migrationPath = path7.join(migrationsDir, file);
         try {
           wrangler(
             `d1 execute ${dbName} --remote --file=${migrationPath}`,
@@ -1326,6 +2164,17 @@ async function runDeploy() {
       process.exit(1);
     }
   }
+  const roles = loadRoleDefs();
+  if (roles.size > 0) {
+    printStep("Syncing roles to wrangler.toml...");
+    const mapping = rolesToScopeMapping(roles);
+    setWranglerVar(USER_WRANGLER_TOML, "ZOOID_SCOPE_MAPPING", mapping);
+    fs9.copyFileSync(USER_WRANGLER_TOML, path7.join(stagingDir, "wrangler.toml"));
+    printSuccess(`${roles.size} role(s) synced to ZOOID_SCOPE_MAPPING`);
+  } else {
+    setWranglerVar(USER_WRANGLER_TOML, "ZOOID_SCOPE_MAPPING", null);
+    fs9.copyFileSync(USER_WRANGLER_TOML, path7.join(stagingDir, "wrangler.toml"));
+  }
   printStep("Deploying worker...");
   const deployOutput = wranglerVerbose("deploy", stagingDir, creds);
   const { workerUrl, customDomain } = parseDeployUrls(deployOutput);
@@ -1388,6 +2237,32 @@ async function runDeploy() {
   }
   printInfo("Config", "~/.zooid/state.json");
   console.log("");
+  if (canonicalUrl && adminToken) {
+    const channelDefs = loadChannelDefs();
+    if (channelDefs.size > 0 || !isFirstDeploy) {
+      printStep("Syncing channels to server...");
+      try {
+        const client = new ZooidClient({
+          server: canonicalUrl,
+          token: adminToken
+        });
+        const result = await syncChannelsToServer(client, {
+          prune: opts?.prune
+        });
+        if (result.created || result.updated || result.deleted) {
+          printSuccess(
+            `Channels synced (${result.created} created, ${result.updated} updated, ${result.deleted} deleted)`
+          );
+        } else {
+          printSuccess("Channels up to date");
+        }
+      } catch (err) {
+        printError(
+          `Failed to sync channels: ${err instanceof Error ? err.message : err}`
+        );
+      }
+    }
+  }
   if (isFirstDeploy) {
     console.log("  Next steps:");
     console.log("    Edit wrangler.toml to add env vars, observability, etc.");
@@ -1407,8 +2282,738 @@ async function runDeploy() {
 }
 function cleanup(dir) {
   try {
-    fs5.rmSync(dir, { recursive: true, force: true });
+    fs9.rmSync(dir, { recursive: true, force: true });
+  } catch {
+  }
+}
+async function deployZoonHosted(config, serverUrl, opts) {
+  const file = loadConfigFile();
+  const entry = file.servers?.[serverUrl];
+  const adminToken = entry?.admin_token;
+  const platformToken = entry?.platform_token;
+  if (!platformToken) {
+    printError("Not authenticated with Zoon platform. Run: npx zooid login");
+    process.exit(1);
+  }
+  console.log("");
+  printInfo("Deploy type", `Zoon-hosted (${serverUrl})`);
+  console.log("");
+  const roles = loadRoleDefs();
+  const roleDefs = Array.from(roles.entries()).filter(([id]) => id !== "owner").map(([id, def]) => {
+    if (id === "public") {
+      printInfo(
+        "Deprecation",
+        'The "public" role has been renamed to "authenticated". Please update your workforce.json.'
+      );
+    }
+    return {
+      slug: id === "public" ? "authenticated" : id,
+      ...def.name ? { name: def.name } : {},
+      scopes: def.scopes,
+      ...def.description ? { description: def.description } : {}
+    };
+  });
+  if (roleDefs.length > 0) {
+    printStep("Syncing roles to Zoon...");
+    try {
+      const result = await syncRolesToZoon(serverUrl, platformToken, roleDefs);
+      printSuccess(
+        `Roles synced (${result.synced} synced, ${result.deleted} deleted)`
+      );
+    } catch (err) {
+      printError(
+        `Failed to sync roles: ${err instanceof Error ? err.message : err}`
+      );
+    }
+  }
+  if (adminToken) {
+    const channelDefs = loadChannelDefs();
+    if (channelDefs.size > 0) {
+      printStep("Syncing channels to server...");
+      try {
+        const client = new ZooidClient({
+          server: serverUrl,
+          token: adminToken
+        });
+        const result = await syncChannelsToServer(client, {
+          prune: opts?.prune
+        });
+        if (result.created || result.updated || result.deleted) {
+          printSuccess(
+            `Channels synced (${result.created} created, ${result.updated} updated, ${result.deleted} deleted)`
+          );
+        } else {
+          printSuccess("Channels up to date");
+        }
+      } catch (err) {
+        printError(
+          `Failed to sync channels: ${err instanceof Error ? err.message : err}`
+        );
+      }
+    }
+  }
+  console.log("");
+  printSuccess("Deploy complete (Zoon-hosted \u2014 no wrangler deploy needed)");
+  console.log("");
+}
+
+// src/commands/destroy.ts
+import fs10 from "fs";
+import path8 from "path";
+import readline6 from "readline/promises";
+import { ZooidClient as ZooidClient2 } from "@zooid/sdk";
+function parseWranglerToml(content) {
+  const nameMatch = content.match(/^name\s*=\s*"([^"]+)"/m);
+  const dbNameMatch = content.match(/database_name\s*=\s*"([^"]+)"/);
+  const dbIdMatch = content.match(/database_id\s*=\s*"([^"]+)"/);
+  return {
+    workerName: nameMatch?.[1] ?? null,
+    dbName: dbNameMatch?.[1] ?? null,
+    databaseId: dbIdMatch?.[1] ?? null
+  };
+}
+function removeServerFromState(serverUrl) {
+  const statePath = getStatePath();
+  if (!fs10.existsSync(statePath)) return;
+  const file = JSON.parse(fs10.readFileSync(statePath, "utf-8"));
+  if (file.servers) {
+    delete file.servers[serverUrl];
+  }
+  if (file.current === serverUrl) {
+    delete file.current;
+  }
+  fs10.writeFileSync(statePath, JSON.stringify(file, null, 2) + "\n");
+}
+async function cfApiFetch(apiPath, apiToken, opts) {
+  return fetch(`https://api.cloudflare.com/client/v4${apiPath}`, {
+    ...opts,
+    headers: {
+      Authorization: `Bearer ${apiToken}`,
+      "Content-Type": "application/json",
+      ...opts?.headers ?? {}
+    }
+  });
+}
+async function deleteD1Database(accountId, databaseId, apiToken) {
+  const res = await cfApiFetch(
+    `/accounts/${accountId}/d1/database/${databaseId}`,
+    apiToken,
+    { method: "DELETE" }
+  );
+  return res.ok;
+}
+async function deleteWorker(accountId, scriptName, apiToken) {
+  const res = await cfApiFetch(
+    `/accounts/${accountId}/workers/scripts/${scriptName}`,
+    apiToken,
+    { method: "DELETE" }
+  );
+  return res.ok;
+}
+function loadDotEnvValue(key) {
+  const envPath = path8.join(process.cwd(), ".env");
+  if (!fs10.existsSync(envPath)) return void 0;
+  const content = fs10.readFileSync(envPath, "utf-8");
+  const match = content.match(new RegExp(`^${key}=(.+)$`, "m"));
+  return match?.[1]?.trim();
+}
+async function runDestroy(opts = {}) {
+  const config = loadServerConfig();
+  if (!config) {
+    printError(
+      "No zooid.json found. Run this from your Zooid project directory."
+    );
+    process.exit(1);
+  }
+  const serverUrl = config.url;
+  if (serverUrl && isZoonHosted(serverUrl)) {
+    printError("Zoon-hosted server destroy is not yet supported.");
+    printInfo("Use the Zoon dashboard to delete your server", serverUrl);
+    process.exit(1);
+  }
+  const wranglerPath = path8.join(process.cwd(), "wrangler.toml");
+  if (!fs10.existsSync(wranglerPath)) {
+    printError("No wrangler.toml found. Is this a deployed Zooid project?");
+    process.exit(1);
+  }
+  const wranglerContent = fs10.readFileSync(wranglerPath, "utf-8");
+  const wrangler2 = parseWranglerToml(wranglerContent);
+  if (!wrangler2.workerName) {
+    printError("Could not determine Worker name from wrangler.toml");
+    process.exit(1);
+  }
+  const apiToken = process.env.CLOUDFLARE_API_TOKEN || loadDotEnvValue("CLOUDFLARE_API_TOKEN");
+  const accountId = process.env.CLOUDFLARE_ACCOUNT_ID || loadDotEnvValue("CLOUDFLARE_ACCOUNT_ID");
+  if (!apiToken) {
+    printError(
+      "Cloudflare credentials required. Set CLOUDFLARE_API_TOKEN and CLOUDFLARE_ACCOUNT_ID."
+    );
+    process.exit(1);
+  }
+  if (!accountId) {
+    printError(
+      "CLOUDFLARE_ACCOUNT_ID required. Set it in environment or .env file."
+    );
+    process.exit(1);
+  }
+  const configFile = loadConfigFile();
+  const serverEntry = serverUrl ? configFile.servers?.[serverUrl] : void 0;
+  const adminToken = serverEntry?.admin_token;
+  let channelCount = 0;
+  if (adminToken && serverUrl) {
+    try {
+      const client = new ZooidClient2({
+        server: serverUrl,
+        token: adminToken
+      });
+      const channels = await client.listChannels();
+      channelCount = channels.length;
+    } catch {
+    }
+  }
+  if (!opts.force) {
+    console.log("");
+    console.log(
+      "  \u26A0  This will permanently delete your Zooid server and all its data."
+    );
+    console.log("");
+    printInfo("Worker", wrangler2.workerName);
+    if (wrangler2.dbName) printInfo("Database", wrangler2.dbName);
+    if (channelCount > 0) printInfo("Channels", `${channelCount}`);
+    console.log("");
+    console.log("  This action cannot be undone.");
+    console.log("");
+    const serverSlug = wrangler2.workerName.replace(/^zooid-/, "");
+    const rl = readline6.createInterface({
+      input: process.stdin,
+      output: process.stdout
+    });
+    try {
+      const answer = await rl.question(
+        `  Type the server name to confirm (${serverSlug}): `
+      );
+      if (answer.trim() !== serverSlug) {
+        printError("Name does not match. Aborting.");
+        process.exit(1);
+      }
+    } finally {
+      rl.close();
+    }
+  }
+  if (adminToken && serverUrl) {
+    printStep("Destroying Durable Objects...");
+    try {
+      const res = await fetch(`${serverUrl}/api/v1/admin/destroy`, {
+        method: "POST",
+        headers: { Authorization: `Bearer ${adminToken}` }
+      });
+      if (res.ok) {
+        const body = await res.json();
+        printSuccess(`${body.destroyed} Durable Object(s) destroyed`);
+      } else {
+        console.warn(
+          "  Warning: Could not destroy DOs \u2014 server may be unreachable."
+        );
+      }
+    } catch {
+      console.warn(
+        "  Warning: Server unreachable \u2014 Durable Objects may not be fully cleaned up."
+      );
+    }
+  }
+  if (wrangler2.databaseId) {
+    printStep("Deleting D1 database...");
+    const dbOk = await deleteD1Database(
+      accountId,
+      wrangler2.databaseId,
+      apiToken
+    );
+    if (dbOk) {
+      printSuccess(`Deleted ${wrangler2.dbName ?? wrangler2.databaseId}`);
+    } else {
+      console.warn(
+        "  Warning: Could not delete D1 database (may already be deleted)."
+      );
+    }
+  }
+  printStep("Deleting Worker...");
+  const workerOk = await deleteWorker(accountId, wrangler2.workerName, apiToken);
+  if (workerOk) {
+    printSuccess(`Deleted ${wrangler2.workerName}`);
+  } else {
+    console.warn(
+      "  Warning: Could not delete Worker (may already be deleted)."
+    );
+  }
+  if (!opts.keepLocal) {
+    printStep("Cleaning up local files...");
+    if (fs10.existsSync(wranglerPath)) {
+      fs10.unlinkSync(wranglerPath);
+      printSuccess("Removed wrangler.toml");
+    }
+    if (serverUrl) {
+      removeServerFromState(serverUrl);
+      printSuccess("Removed server entry from ~/.zooid/state.json");
+    }
+  }
+  console.log("");
+  printSuccess("Server destroyed.");
+  console.log(
+    "  If you configured a custom domain, remember to remove the DNS record."
+  );
+}
+
+// src/commands/login.ts
+import fs11 from "fs";
+import path9 from "path";
+
+// src/lib/device-auth.ts
+import { exec } from "child_process";
+function defaultOpenBrowser(url) {
+  const cmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? "start" : "xdg-open";
+  try {
+    exec(`${cmd} ${JSON.stringify(url)}`);
+  } catch {
+  }
+}
+async function pollDeviceAuth(accountsUrl, options) {
+  const _fetch = options?.fetch ?? globalThis.fetch;
+  const openBrowser = options?.openBrowser ?? defaultOpenBrowser;
+  const initRes = await _fetch(`${accountsUrl}/api/auth/device/code`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ client_id: "zooid-cli" })
+  });
+  if (!initRes.ok) {
+    throw new Error(`Failed to initiate device auth: ${initRes.status}`);
+  }
+  const init = await initRes.json();
+  process.stderr.write(
+    `If the browser doesn't open, visit:
+  ${init.verification_uri_complete}
+`
+  );
+  openBrowser(init.verification_uri_complete);
+  const deadline = Date.now() + init.expires_in * 1e3;
+  const interval = (init.interval ?? 5) * 1e3;
+  return new Promise((resolve, reject) => {
+    const poll = async () => {
+      if (Date.now() > deadline) {
+        reject(new Error("Authentication timed out. Please try again."));
+        return;
+      }
+      try {
+        const res = await _fetch(`${accountsUrl}/api/auth/device/token`, {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({
+            grant_type: "urn:ietf:params:oauth:grant-type:device_code",
+            device_code: init.device_code,
+            client_id: "zooid-cli"
+          })
+        });
+        if (res.status === 200) {
+          const data = await res.json();
+          const sessionRes = await _fetch(
+            `${accountsUrl}/api/auth/get-session`,
+            {
+              headers: { Authorization: `Bearer ${data.access_token}` }
+            }
+          );
+          let user = {
+            email: "unknown",
+            name: void 0
+          };
+          if (sessionRes.ok) {
+            const session = await sessionRes.json();
+            if (session.user) {
+              user = { email: session.user.email, name: session.user.name };
+            }
+          }
+          resolve({ sessionToken: data.access_token, user });
+          return;
+        }
+        if (res.status === 400) {
+          const error = await res.json();
+          if (error.error === "expired_token") {
+            reject(new Error("Device code expired. Please try again."));
+            return;
+          }
+        }
+      } catch {
+      }
+      setTimeout(poll, interval);
+    };
+    setTimeout(poll, interval);
+  });
+}
+async function exchangeToken(accountsUrl, sessionToken, serverUrl, options) {
+  const _fetch = options?.fetch ?? globalThis.fetch;
+  const res = await _fetch(`${accountsUrl}/api/auth/device-code/exchange`, {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${sessionToken}`,
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify({ server_url: serverUrl })
+  });
+  if (!res.ok) {
+    const error = await res.json().catch(() => ({}));
+    throw new Error(
+      `Token exchange failed: ${error.message || error.error || res.status}`
+    );
+  }
+  return await res.json();
+}
+async function fetchServers(accountsUrl, sessionToken, options) {
+  const _fetch = options?.fetch ?? globalThis.fetch;
+  const res = await _fetch(`${accountsUrl}/api/auth/device-code/servers`, {
+    headers: { Authorization: `Bearer ${sessionToken}` }
+  });
+  if (!res.ok) return [];
+  const data = await res.json();
+  return data.servers;
+}
+
+// src/commands/login.ts
+var ACCOUNTS_URL = "https://accounts.zooid.dev";
+function writeProjectConfig(serverUrl) {
+  const configPath = path9.join(process.cwd(), "zooid.json");
+  let existing = {};
+  try {
+    existing = JSON.parse(fs11.readFileSync(configPath, "utf-8"));
+  } catch {
+  }
+  existing.url = serverUrl;
+  fs11.writeFileSync(configPath, JSON.stringify(existing, null, 2) + "\n");
+}
+async function runLogin(url, options) {
+  const _fetch = options?.fetch ?? globalThis.fetch;
+  if (url) {
+    return loginToServer(normalizeServerUrl(url), _fetch);
+  }
+  return loginToZoon(_fetch);
+}
+async function loginToZoon(_fetch) {
+  process.stderr.write("\nOpening browser to authenticate with Zoon...\n");
+  const result = await pollDeviceAuth(ACCOUNTS_URL, { fetch: _fetch });
+  process.stderr.write(
+    `
+Logged in as ${result.user.name || result.user.email}
+`
+  );
+  const servers = await fetchServers(ACCOUNTS_URL, result.sessionToken, {
+    fetch: _fetch
+  });
+  let targetServer;
+  try {
+    const fs13 = await import("fs");
+    const path10 = await import("path");
+    const configPath = path10.join(process.cwd(), "zooid.json");
+    if (fs13.existsSync(configPath)) {
+      const raw = JSON.parse(fs13.readFileSync(configPath, "utf-8"));
+      if (raw.url) {
+        const hasAccess = servers.some((s) => s.url === raw.url);
+        if (hasAccess) {
+          targetServer = raw.url;
+        } else {
+          printInfo(
+            "Note",
+            `zooid.json references ${raw.url} but you don't have access to it`
+          );
+        }
+      }
+    }
+  } catch {
+  }
+  if (!targetServer && servers.length > 0) {
+    targetServer = servers[0].url;
+  }
+  if (!targetServer) {
+    saveConfig(
+      {
+        platform_token: result.sessionToken,
+        auth_method: "oidc"
+      },
+      ACCOUNTS_URL,
+      { setCurrent: false }
+    );
+    printSuccess("Authenticated with Zoon");
+    printInfo("Note", "No servers found. Create one at app.zooid.dev");
+    process.stderr.write("\n");
+    return;
+  }
+  const exchangeResult = await exchangeToken(
+    ACCOUNTS_URL,
+    result.sessionToken,
+    targetServer,
+    { fetch: _fetch }
+  );
+  saveConfig(
+    {
+      admin_token: exchangeResult.token,
+      auth_method: "oidc"
+    },
+    targetServer,
+    { setCurrent: true }
+  );
+  writeProjectConfig(targetServer);
+  printSuccess(`Server: ${targetServer} (set as current)`);
+  printInfo("Project", `zooid.json \u2192 ${targetServer}`);
+  process.stderr.write("\n");
+}
+async function loginToServer(serverUrl, _fetch) {
+  const url = new URL(serverUrl);
+  if (url.hostname.endsWith(".zoon.eco")) {
+    process.stderr.write("\nOpening browser to authenticate with Zoon...\n");
+    const result = await pollDeviceAuth(ACCOUNTS_URL, { fetch: _fetch });
+    process.stderr.write(
+      `
+Logged in as ${result.user.name || result.user.email}
+`
+    );
+    const exchangeResult = await exchangeToken(
+      ACCOUNTS_URL,
+      result.sessionToken,
+      serverUrl,
+      { fetch: _fetch }
+    );
+    saveConfig(
+      {
+        admin_token: exchangeResult.token,
+        auth_method: "oidc"
+      },
+      serverUrl,
+      { setCurrent: true }
+    );
+    writeProjectConfig(serverUrl);
+    printSuccess(`Server: ${serverUrl} (set as current)`);
+    printInfo("Project", `zooid.json \u2192 ${serverUrl}`);
+    return;
+  }
+  throw new Error(
+    "CLI login for self-hosted servers with external OIDC is coming soon.\nFor now, use `npx zooid token mint` to create a token manually."
+  );
+}
+
+// src/commands/logout.ts
+import fs12 from "fs";
+async function runLogout(options) {
+  const file = loadConfigFile();
+  if (options.all) {
+    for (const url of Object.keys(file.servers ?? {})) {
+      clearServerAuth(file, url);
+    }
+    process.stderr.write("Logged out of all servers\n");
+  } else {
+    const server = resolveServer();
+    if (!server) {
+      throw new Error("No server configured.");
+    }
+    clearServerAuth(file, server);
+    process.stderr.write(`Logged out of ${server}
+`);
+  }
+  const dir = getConfigDir();
+  fs12.mkdirSync(dir, { recursive: true });
+  fs12.writeFileSync(getStatePath(), JSON.stringify(file, null, 2) + "\n");
+}
+function clearServerAuth(file, url) {
+  const entry = file.servers?.[url];
+  if (!entry) return;
+  delete entry.admin_token;
+  delete entry.refresh_token;
+  delete entry.auth_method;
+}
+
+// src/commands/whoami.ts
+async function runWhoami() {
+  const config = loadConfig();
+  const file = loadConfigFile();
+  if (!config.server) {
+    throw new Error("No server configured. Run: npx zooid login");
+  }
+  const client = createClient();
+  const claims = await client.getTokenClaims();
+  const entry = file.servers?.[config.server];
+  return {
+    server: config.server,
+    sub: claims.sub ?? "unknown",
+    name: claims.name,
+    scopes: claims.scopes ?? [],
+    exp: claims.exp,
+    authMethod: entry?.auth_method
+  };
+}
+
+// src/commands/credentials.ts
+function requireZoonServer() {
+  const server = resolveServer();
+  if (!server) {
+    throw new Error("No server configured. Run: npx zooid login");
+  }
+  if (!isZoonHosted(server)) {
+    throw new Error(
+      "Credentials are only available for Zoon-hosted servers (*.zoon.eco)"
+    );
+  }
+  const file = loadConfigFile();
+  const entry = file.servers?.[server];
+  if (!entry?.platform_token) {
+    throw new Error(
+      "Not authenticated with Zoon platform. Run: npx zooid login"
+    );
+  }
+  return { server, platformToken: entry.platform_token };
+}
+function formatEnv(server, clientId, clientSecret) {
+  return [
+    `ZOOID_SERVER=${server}`,
+    `ZOOID_CLIENT_ID=${clientId}`,
+    `ZOOID_CLIENT_SECRET=${clientSecret}`
+  ].join("\n");
+}
+async function runCredentialsCreate(name, options) {
+  const { server, platformToken } = requireZoonServer();
+  let roleNames = options.role;
+  if (!roleNames || roleNames.length === 0) {
+    const wf = loadWorkforce();
+    if (wf.roles[name]) {
+      roleNames = [name];
+    } else {
+      throw new Error(
+        `No roles specified and no matching agent/role "${name}" found in workforce.json`
+      );
+    }
+  }
+  const result = await createCredential(server, platformToken, name, roleNames);
+  process.stderr.write(
+    `
+  Created credential "${name}" on ${server} (roles: ${roleNames.join(", ")})
+
+`
+  );
+  return formatEnv(server, result.client_id, result.client_secret);
+}
+async function runCredentialsList() {
+  const { server, platformToken } = requireZoonServer();
+  return listCredentials(server, platformToken);
+}
+async function resolveClientId(nameOrId) {
+  const { server, platformToken } = requireZoonServer();
+  const creds = await listCredentials(server, platformToken);
+  const match = creds.find((c) => c.name === nameOrId) || creds.find((c) => c.client_id === nameOrId);
+  if (!match) {
+    throw new Error(
+      `Credential "${nameOrId}" not found. Run: npx zooid credentials list`
+    );
+  }
+  return { clientId: match.client_id, name: match.name };
+}
+async function runCredentialsRotate(nameOrId) {
+  const { server, platformToken } = requireZoonServer();
+  const { clientId, name } = await resolveClientId(nameOrId);
+  const result = await rotateCredential(server, platformToken, clientId);
+  process.stderr.write(`
+  Rotated credential "${name}" on ${server}
+
+`);
+  return formatEnv(server, result.client_id, result.client_secret);
+}
+async function runCredentialsRevoke(nameOrId) {
+  const { server, platformToken } = requireZoonServer();
+  const { clientId, name } = await resolveClientId(nameOrId);
+  await revokeCredential(server, platformToken, clientId);
+  process.stderr.write(`
+  Revoked credential "${name}" on ${server}
+`);
+}
+
+// src/lib/auto-refresh.ts
+function decodeJwtPayload(jwt) {
+  try {
+    const parts = jwt.split(".");
+    if (parts.length !== 3) return null;
+    const payload = atob(parts[1]);
+    return JSON.parse(payload);
   } catch {
+    return null;
+  }
+}
+async function maybeRefreshToken(serverConfig, _serverUrl, _options) {
+  if (serverConfig.auth_method !== "oidc") return;
+  if (!serverConfig.admin_token) return;
+  const payload = decodeJwtPayload(serverConfig.admin_token);
+  if (!payload?.exp) return;
+  const expiresAt = payload.exp * 1e3;
+  const twoMinutes = 2 * 60 * 1e3;
+  if (Date.now() < expiresAt - twoMinutes) return;
+  process.stderr.write(
+    "Session expired. Run `npx zooid login` to re-authenticate.\n"
+  );
+}
+
+// src/commands/role.ts
+function runRoleCreate(id, options) {
+  const wf = loadWorkforce();
+  if (id in wf.roles) {
+    throw new Error(
+      `Role "${id}" already exists. Use "zooid role update" to modify it.`
+    );
+  }
+  const def = { scopes: options.scopes };
+  if (options.name) def.name = options.name;
+  if (options.description) def.description = options.description;
+  wf.roles[id] = def;
+  saveWorkforce(wf);
+}
+function runRoleList() {
+  const wf = loadWorkforce();
+  return Object.keys(wf.roles);
+}
+function runRoleUpdate(id, fields) {
+  const wf = loadWorkforce();
+  const existing = wf.roles[id];
+  if (!existing) {
+    throw new Error(`Role "${id}" not found. Use "zooid role create" first.`);
+  }
+  if (fields.name !== void 0) {
+    if (fields.name === null) {
+      delete existing.name;
+    } else {
+      existing.name = fields.name;
+    }
+  }
+  if (fields.description !== void 0) {
+    if (fields.description === null) {
+      delete existing.description;
+    } else {
+      existing.description = fields.description;
+    }
+  }
+  if (fields.scopes !== void 0) {
+    existing.scopes = fields.scopes;
+  }
+  const targetFile = wf.provenance.roles[id];
+  if (targetFile) {
+    updateInFile(targetFile, "roles", id, existing);
+  } else {
+    wf.roles[id] = existing;
+    saveWorkforce(wf);
+  }
+  return existing;
+}
+function runRoleDelete(id) {
+  const wf = loadWorkforce();
+  if (!(id in wf.roles)) {
+    throw new Error(`Role "${id}" not found in .zooid/workforce.json`);
+  }
+  const targetFile = wf.provenance.roles[id];
+  if (targetFile) {
+    removeFromFile(targetFile, "roles", id);
+  } else {
+    delete wf.roles[id];
+    saveWorkforce(wf);
   }
 }
 
@@ -1435,7 +3040,7 @@ async function resolveAndRecord(channel, opts) {
   return result;
 }
 var program = new Command();
-program.name("zooid").description("\u{1FAB8} Pub/sub for AI agents").version("0.4.1");
+program.name("zooid").description("\u{1FAB8} Pub/sub for AI agents").version("0.6.0");
 var telemetryCtx = { startTime: 0 };
 function setTelemetryChannel(channelId) {
   telemetryCtx.channelId = channelId;
@@ -1459,11 +3064,22 @@ function handleError(commandName, err) {
   printError(message);
   process.exit(1);
 }
-program.hook("preAction", () => {
+program.hook("preAction", async () => {
   telemetryCtx.startTime = Date.now();
   if (isEnabled()) {
     showNoticeIfNeeded();
   }
+  try {
+    const file = loadConfigFile();
+    const server = resolveServer();
+    if (server && file.servers?.[server]) {
+      const entry = file.servers[server];
+      await maybeRefreshToken(entry, server, {
+        save: (partial) => saveConfig(partial, server)
+      });
+    }
+  } catch {
+  }
 });
 function sendTelemetry(commandName, exitCode, error) {
   if (!isEnabled()) return;
@@ -1502,20 +3118,65 @@ program.command("dev").description("Start local development server").option("--p
     handleError("dev", err);
   }
 });
-program.command("init").description("Create zooid-server.json with server identity").action(async () => {
+program.command("init").description("Create zooid.json with server identity").option("--use <url>", "Include a template from a GitHub URL").action(async (opts) => {
   try {
-    await runInit();
+    await runInit({ use: opts.use });
   } catch (err) {
     handleError("init", err);
   }
 });
-program.command("deploy").description("Deploy Zooid server to Cloudflare Workers").action(async () => {
+program.command("use <url>").description("Add a template to your workforce via include").action(async (url) => {
+  try {
+    await runUse(url);
+  } catch (err) {
+    handleError("use", err);
+  }
+});
+program.command("deploy").description("Deploy Zooid server to Cloudflare Workers").option("--prune", "Delete server resources not in workforce.json").action(async (opts) => {
   try {
-    await runDeploy();
+    await runDeploy(opts);
   } catch (err) {
     handleError("deploy", err);
   }
 });
+program.command("destroy").description("Destroy a deployed Zooid server and all its data").option("--force", "Skip confirmation prompt").option("--keep-local", "Keep wrangler.toml and state entries").action(async (options) => {
+  try {
+    await runDestroy({
+      force: options.force,
+      keepLocal: options.keepLocal
+    });
+  } catch (err) {
+    handleError("destroy", err);
+  }
+});
+program.command("login").argument("[url]", "Server URL (e.g., https://beno.zoon.eco)").description("Authenticate with Zoon or a specific server").action(async (url) => {
+  try {
+    await runLogin(url);
+  } catch (err) {
+    handleError("login", err);
+  }
+});
+program.command("logout").option("--all", "Log out of all servers").description("Clear authentication for the current server").action(async (opts) => {
+  try {
+    await runLogout(opts);
+  } catch (err) {
+    handleError("logout", err);
+  }
+});
+program.command("whoami").description("Show current identity and auth status").action(async () => {
+  try {
+    const result = await runWhoami();
+    console.log(`Server: ${result.server}`);
+    console.log(`User: ${result.name || result.sub}`);
+    console.log(`Scopes: ${result.scopes.join(", ")}`);
+    if (result.authMethod) {
+      const expStr = result.exp ? ` (expires ${new Date(result.exp * 1e3).toISOString()})` : "";
+      console.log(`Auth: ${result.authMethod}${expStr}`);
+    }
+  } catch (err) {
+    handleError("whoami", err);
+  }
+});
 var configCmd = program.command("config").description("Manage Zooid configuration");
 configCmd.command("set <key> <value>").description("Set a config value (server, admin-token, telemetry)").action((key, value) => {
   try {
@@ -1538,9 +3199,9 @@ configCmd.command("get <key>").description("Get a config value").action((key) =>
   }
 });
 var channelCmd = program.command("channel").description("Manage channels");
-channelCmd.command("create <id>").description("Create a new channel").option("--name <name>", "Display name (defaults to id)").option("--description <desc>", "Channel description").option("--public", "Make channel public (default)", true).option("--private", "Make channel private").option("--strict", "Enable strict schema validation on publish").option(
+channelCmd.command("create <id>").description("Create a new channel").option("--name <name>", "Display name (defaults to id)").option("--description <desc>", "Channel description").option("--public", "Make channel public").option("--private", "Make channel private (default)", true).option("--strict", "Enable strict schema validation on publish").option(
   "--config <file>",
-  "Path to channel config JSON file (display, types, storage)"
+  "Path to channel config JSON file (types, policies, storage)"
 ).option(
   "--schema <file>",
   "Path to JSON schema file (map of event types to JSON schemas)"
@@ -1548,12 +3209,12 @@ channelCmd.command("create <id>").description("Create a new channel").option("--
   try {
     let config;
     if (opts.config) {
-      const fs6 = await import("fs");
-      const raw = fs6.readFileSync(opts.config, "utf-8");
+      const fs13 = await import("fs");
+      const raw = fs13.readFileSync(opts.config, "utf-8");
       config = JSON.parse(raw);
     } else if (opts.schema) {
-      const fs6 = await import("fs");
-      const raw = fs6.readFileSync(opts.schema, "utf-8");
+      const fs13 = await import("fs");
+      const raw = fs13.readFileSync(opts.schema, "utf-8");
       const parsed = JSON.parse(raw);
       const types = {};
       for (const [eventType, schemaDef] of Object.entries(parsed)) {
@@ -1564,7 +3225,7 @@ channelCmd.command("create <id>").description("Create a new channel").option("--
     const result = await runChannelCreate(id, {
       name: opts.name,
       description: opts.description,
-      public: opts.private ? false : true,
+      public: opts.public ? true : false,
       strict: opts.strict,
       config
     });
@@ -1576,7 +3237,7 @@ channelCmd.command("create <id>").description("Create a new channel").option("--
 });
 channelCmd.command("update <id>").description("Update a channel").option("--name <name>", "Display name").option("--description <desc>", "Channel description").option("--tags <tags>", "Comma-separated tags").option("--public", "Make channel public").option("--private", "Make channel private").option("--strict", "Enable strict schema validation on publish").option("--no-strict", "Disable strict schema validation").option(
   "--config <file>",
-  "Path to channel config JSON file (display, types, storage)"
+  "Path to channel config JSON file (types, policies, storage)"
 ).option(
   "--schema <file>",
   "Path to JSON schema file (map of event types to JSON schemas)"
@@ -1590,12 +3251,12 @@ channelCmd.command("update <id>").description("Update a channel").option("--name
     if (opts.public) fields.is_public = true;
     if (opts.private) fields.is_public = false;
     if (opts.config) {
-      const fs6 = await import("fs");
-      const raw = fs6.readFileSync(opts.config, "utf-8");
+      const fs13 = await import("fs");
+      const raw = fs13.readFileSync(opts.config, "utf-8");
       fields.config = JSON.parse(raw);
     } else if (opts.schema) {
-      const fs6 = await import("fs");
-      const raw = fs6.readFileSync(opts.schema, "utf-8");
+      const fs13 = await import("fs");
+      const raw = fs13.readFileSync(opts.schema, "utf-8");
       const parsed = JSON.parse(raw);
       const types = {};
       for (const [eventType, schemaDef] of Object.entries(parsed)) {
@@ -1641,8 +3302,8 @@ channelCmd.command("list").description("List all channels").action(async () => {
 channelCmd.command("delete <id>").description("Delete a channel and all its data").option("-y, --yes", "Skip confirmation prompt").action(async (id, opts) => {
   try {
     if (!opts.yes) {
-      const readline4 = await import("readline");
-      const rl = readline4.createInterface({
+      const readline7 = await import("readline");
+      const rl = readline7.createInterface({
         input: process.stdin,
         output: process.stdout
       });
@@ -1664,7 +3325,21 @@ channelCmd.command("delete <id>").description("Delete a channel and all its data
     handleError("channel delete", err);
   }
 });
-program.command("publish <channel>").description("Publish an event to a channel").option("--type <type>", "Event type").option("--data <json>", "Event data as JSON string").option("--file <path>", "Read event from JSON file").option("--token <token>", "Auth token (for remote/private channels)").action(async (channel, opts) => {
+program.command("pull").description(
+  "Pull channel and role definitions from server into workforce.json"
+).action(async () => {
+  try {
+    await runPull();
+  } catch (err) {
+    handleError("pull", err);
+  }
+});
+program.command("publish <channel> [data]").description(
+  "Publish an event to a channel (accepts JSON arg, --data, --file, or stdin)"
+).option("--type <type>", "Event type").option("--data <json>", "Event data as JSON string").option("--file <path>", "Read event from JSON file").option(
+  "--stream",
+  "Stream mode: read newline-delimited JSON from stdin, publish each line"
+).option("--token <token>", "Auth token (for remote/private channels)").action(async (channel, dataArg, opts) => {
   try {
     const { client, channelId, tokenSaved } = resolveChannel(channel, {
       token: opts.token,
@@ -1677,8 +3352,19 @@ program.command("publish <channel>").description("Publish an event to a channel"
         `for ${channelId} \u2014 won't need --token next time`
       );
     }
-    const event = await runPublish(channelId, opts, client);
-    printSuccess(`Published event: ${event.id}`);
+    if (opts.stream) {
+      const { published, errors } = await runPublishStream(
+        channelId,
+        opts,
+        client,
+        (event) => printSuccess(`Published event: ${event.id}`)
+      );
+      const summary = `${published} published`;
+      printSuccess(errors ? `${summary}, ${errors} failed` : summary);
+    } else {
+      const event = await runPublish(channelId, opts, client, dataArg);
+      printSuccess(`Published event: ${event.id}`);
+    }
   } catch (err) {
     handleError("publish", err);
   }
@@ -1689,8 +3375,8 @@ program.command("delete-event <channel> <event-id>").description("Delete a singl
       tokenType: "publish"
     });
     if (!opts.yes) {
-      const readline4 = await import("readline");
-      const rl = readline4.createInterface({
+      const readline7 = await import("readline");
+      const rl = readline7.createInterface({
         input: process.stdin,
         output: process.stdout
       });
@@ -1873,21 +3559,32 @@ var tokenCmd = program.command("token").description("Manage tokens");
 tokenCmd.command("mint").description(
   "Mint a new token. Scopes: admin, pub:<channel>, sub:<channel>. Wildcards: pub:*, sub:prefix-*"
 ).argument(
-  "<scopes...>",
+  "[scopes...]",
   "Scopes to grant (e.g. admin, pub:my-channel, sub:*)"
+).option(
+  "--role <roles...>",
+  "Mint with scopes from named roles (reads workforce.json)"
 ).option("--sub <sub>", "Subject identifier (e.g. publisher ID)").option("--name <name>", "Display name (used for publisher identity)").option("--expires-in <duration>", "Token expiry (e.g. 5m, 1h, 7d, 30d)").action(async (scopes, opts) => {
   try {
-    for (const s of scopes) {
-      if (s !== "admin" && !s.startsWith("pub:") && !s.startsWith("sub:")) {
-        throw new Error(
-          `Invalid scope "${s}". Must be "admin", "pub:<channel>", or "sub:<channel>"`
-        );
+    if (!opts.role?.length && (!scopes || scopes.length === 0)) {
+      printError("Provide scopes or --role");
+      process.exit(1);
+    }
+    if (!opts.role?.length) {
+      for (const s of scopes) {
+        if (s !== "admin" && !s.startsWith("pub:") && !s.startsWith("sub:")) {
+          printError(
+            `Invalid scope "${s}". Must be "admin", "pub:<channel>", or "sub:<channel>"`
+          );
+          process.exit(1);
+        }
       }
     }
-    const result = await runTokenMint(scopes, {
+    const result = await runTokenMint(scopes ?? [], {
       sub: opts.sub,
       name: opts.name,
-      expiresIn: opts.expiresIn
+      expiresIn: opts.expiresIn,
+      role: opts.role
     });
     console.log(result.token);
   } catch (err) {
@@ -1965,6 +3662,130 @@ program.command("unshare <channel>").description("Remove a channel from the Zooi
     handleError("unshare", err);
   }
 });
+var roleCmd = program.command("role").description("Manage role definitions");
+roleCmd.command("create <id>").description("Create a role definition in workforce.json").option("--name <name>", "Display name").option("--description <desc>", "Role description").argument("<scopes...>", "Scopes to grant (e.g. pub:signals sub:market-data)").action((id, scopes, opts) => {
+  try {
+    for (const s of scopes) {
+      if (s !== "admin" && !s.startsWith("pub:") && !s.startsWith("sub:")) {
+        printError(
+          `Invalid scope "${s}". Must be "admin", "pub:<channel>", or "sub:<channel>"`
+        );
+        process.exit(1);
+      }
+    }
+    runRoleCreate(id, {
+      name: opts.name,
+      description: opts.description,
+      scopes
+    });
+    printSuccess(`Created role "${id}" in workforce.json`);
+    printInfo("Next", "Run `npx zooid deploy` to sync to server");
+  } catch (err) {
+    handleError("role create", err);
+  }
+});
+roleCmd.command("list").description("List role definitions in workforce.json").action(() => {
+  try {
+    const ids = runRoleList();
+    if (ids.length === 0) {
+      console.log(
+        "No roles defined. Create one with: npx zooid role create <id> <scopes...>"
+      );
+    } else {
+      for (const id of ids) {
+        console.log(`  ${id}`);
+      }
+    }
+  } catch (err) {
+    handleError("role list", err);
+  }
+});
+roleCmd.command("update <id>").description("Update a role definition in workforce.json").option("--name <name>", "Display name").option("--description <desc>", "Role description").option("--scopes <scopes...>", "Replace scopes").action((id, opts) => {
+  try {
+    const fields = {};
+    if (opts.name !== void 0) fields.name = opts.name;
+    if (opts.description !== void 0) fields.description = opts.description;
+    if (opts.scopes !== void 0) fields.scopes = opts.scopes;
+    if (Object.keys(fields).length === 0) {
+      throw new Error(
+        "No fields specified. Use --name, --description, or --scopes."
+      );
+    }
+    runRoleUpdate(id, fields);
+    printSuccess(`Updated role "${id}" in workforce.json`);
+    printInfo("Next", "Run `npx zooid deploy` to sync to server");
+  } catch (err) {
+    handleError("role update", err);
+  }
+});
+roleCmd.command("delete <id>").description("Delete a role definition from workforce.json").option("-y, --yes", "Skip confirmation prompt").action(async (id, opts) => {
+  try {
+    if (!opts.yes) {
+      const readline7 = await import("readline");
+      const rl = readline7.createInterface({
+        input: process.stdin,
+        output: process.stdout
+      });
+      const answer = await new Promise((resolve) => {
+        rl.question(
+          `Delete role "${id}" from workforce.json? [y/N] `,
+          resolve
+        );
+      });
+      rl.close();
+      if (answer.toLowerCase() !== "y") {
+        console.log("Aborted.");
+        return;
+      }
+    }
+    runRoleDelete(id);
+    printSuccess(`Deleted role "${id}" from workforce.json`);
+    printInfo("Next", "Run `npx zooid deploy` to sync to server");
+  } catch (err) {
+    handleError("role delete", err);
+  }
+});
+var credentialsCmd = program.command("credentials").description("Manage M2M agent credentials");
+credentialsCmd.command("create <name>").option("--role <role...>", "Role names to assign").description("Create a new credential (outputs .env to stdout)").action(async (name, opts) => {
+  try {
+    const env = await runCredentialsCreate(name, opts);
+    process.stdout.write(env + "\n");
+  } catch (err) {
+    handleError("credentials create", err);
+  }
+});
+credentialsCmd.command("list").description("List all credentials for the current server").action(async () => {
+  try {
+    const creds = await runCredentialsList();
+    if (creds.length === 0) {
+      printInfo("No credentials", "found for this server");
+      return;
+    }
+    for (const c of creds) {
+      const roleNames = c.roles.map((r) => r.name ?? r).join(", ");
+      console.log(
+        `  ${c.name.padEnd(20)} ${c.client_id.padEnd(35)} roles: ${roleNames}`
+      );
+    }
+  } catch (err) {
+    handleError("credentials list", err);
+  }
+});
+credentialsCmd.command("rotate <name>").description("Rotate credential secret (outputs .env to stdout)").action(async (name) => {
+  try {
+    const env = await runCredentialsRotate(name);
+    process.stdout.write(env + "\n");
+  } catch (err) {
+    handleError("credentials rotate", err);
+  }
+});
+credentialsCmd.command("revoke <name>").description("Revoke (delete) a credential").action(async (name) => {
+  try {
+    await runCredentialsRevoke(name);
+  } catch (err) {
+    handleError("credentials revoke", err);
+  }
+});
 program.parse();
 export {
   setTelemetryChannel