diff --git a/.github/workflows/pytest.yml b/.github/workflows/pytest.yml
index bb01370e..65939d40 100644
--- a/.github/workflows/pytest.yml
+++ b/.github/workflows/pytest.yml
@@ -28,7 +28,7 @@ jobs:
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
-          pip install pytest pytest-cov
+          pip install pytest pytest-cov jsonschema
           pip install -e .
 
       - name: Run tests
diff --git a/.github/workflows/ruff_check.yml b/.github/workflows/ruff_check.yml
index 34f022e7..fa9b5673 100644
--- a/.github/workflows/ruff_check.yml
+++ b/.github/workflows/ruff_check.yml
@@ -23,7 +23,7 @@ jobs:
       - name: install ruff
         run: |
           python -m pip install --upgrade pip
-          pip install ruff
+          pip install ruff==0.15.15
       - name: lint check and then format check with ruff
         run: |
           ruff check
diff --git a/.gitignore b/.gitignore
index c15d8457..1e542ddf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,21 @@
 __pycache__/
 *.py[cod]
 
+# Local agent / editor configs
+.claude/settings.local.json
+
+# Generated artifacts — comfy CLI convention dirs
+/workflows/
+/outputs/
+/output/
+/inputs/
+/variants/
+/stories
+
+# Local projects (creative work, demos, experiments)
+/projects/
+conda.listing.txt
+
 #COMMON CONFIGs
 .DS_Store
 .src_port
@@ -61,3 +76,4 @@ requirements.compiled
 override.txt
 .coverage
 coverage.xml
+
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index b78a8268..18af67e9 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -14,7 +14,7 @@ repos:
           (^.*\.(json|txt)$)
 
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.12.4
+    rev: v0.15.15
     hooks:
       # Run the linter.
       - id: ruff
diff --git a/README.md b/README.md
index 38c05daf..f238b13e 100644
--- a/README.md
+++ b/README.md
@@ -26,6 +26,18 @@ workflows, and call hosted partner image models, all from your terminal.
 - 🎬 Run workflows against a local ComfyUI server, including auto-conversion of UI-format JSON
 - 🧪 Test ComfyUI and frontend pull requests with one flag
 - 💻 Cross-platform: Windows, macOS, Linux
+- ☁️  Route any workflow to **Comfy Cloud** with `--where cloud` (no GPU required)
+- 🤖 Agent-friendly: every command emits structured `--json` envelopes
+- 📚 Bundled skills teach Claude / Cursor to drive comfy natively
+
+## Quick Start
+
+```bash
+pip install comfy-cli
+comfy setup
+```
+
+`comfy setup` walks you through everything — local or cloud routing, authentication, and agent skill installation — in one interactive wizard. Pass `-y` for non-interactive (CI/scripted) installs.
 
 ## Installation
 
diff --git a/codecov.yml b/codecov.yml
new file mode 100644
index 00000000..0307b497
--- /dev/null
+++ b/codecov.yml
@@ -0,0 +1,19 @@
+# Codecov configuration.
+#
+# The default `project` status uses target `auto` with zero tolerance, i.e. a
+# hard ratchet that fails on any drop in total coverage. That doesn't suit a
+# repo that periodically lands large feature surfaces (new CLI command wrappers
+# are thin and lightly tested by design), so we replace the ratchet with an
+# explicit floor: total coverage must stay at/above 70%. This is still a real
+# gate — it just tolerates the small dips that come with adding command surface —
+# and can be raised over time as coverage backfills.
+coverage:
+  status:
+    project:
+      default:
+        target: 70%
+        threshold: 1%
+    # No patch (diff-coverage) status — avoid blocking on lightly-tested CLI glue.
+    patch: false
+
+comment: false
diff --git a/comfy_cli/auth/__init__.py b/comfy_cli/auth/__init__.py
new file mode 100644
index 00000000..16b08745
--- /dev/null
+++ b/comfy_cli/auth/__init__.py
@@ -0,0 +1,26 @@
+"""Local credential store for comfy-cli.
+
+Where keys live:
+
+    ${XDG_CONFIG_HOME or platform-equivalent}/comfy-cli/secrets.json
+
+Format::
+
+    {
+      "providers": {
+        "comfy-cloud": {"key": "sk-…", "updated_at": "2026-05-15T12:00:00Z"},
+        "civitai":     {"key": "...",  "updated_at": "..."}
+      }
+    }
+
+The file is created with mode ``0600``. Phase 5 will replace this plaintext
+JSON with an encrypted ``secrets.bin``; the API surface here is the
+forward-compatible interface, so call sites don't need to change.
+
+Local-only: this module never makes a network call.
+"""
+
+from comfy_cli.auth import store
+from comfy_cli.auth.store import SUPPORTED_PROVIDERS, AuthRecord
+
+__all__ = ["AuthRecord", "SUPPORTED_PROVIDERS", "store"]
diff --git a/comfy_cli/auth/command.py b/comfy_cli/auth/command.py
new file mode 100644
index 00000000..46aeea0a
--- /dev/null
+++ b/comfy_cli/auth/command.py
@@ -0,0 +1,157 @@
+"""``comfy auth`` — manage API tokens for third-party model hosts.
+
+Tokens here are used by ``comfy model download`` when fetching gated
+checkpoints / LoRAs / VAEs from Civitai or Hugging Face. Stored locally,
+never transmitted except to the issuing provider.
+
+Comfy Cloud sign-in lives in a separate namespace — see ``comfy cloud``.
+"""
+
+from __future__ import annotations
+
+from typing import Annotated
+
+import typer
+
+from comfy_cli import tracking
+from comfy_cli.auth import store
+from comfy_cli.output import get_renderer, rprint
+
+app = typer.Typer(
+    no_args_is_help=True,
+    help="Manage API tokens for model hosts (Civitai, Hugging Face).",
+)
+
+
+@app.command("list", help="List third-party API-key providers (civitai, huggingface).")
+@tracking.track_command("auth")
+def list_cmd():
+    renderer = get_renderer()
+    records = store.list_records()
+    if renderer.is_pretty():
+        _render_pretty_list(records=records)
+    renderer.emit(
+        {
+            "providers": [r.to_dict(redact=True) for r in records],
+            "supported": list(store.SUPPORTED_PROVIDERS),
+            "path": str(store.secrets_path()),
+            "action": "list",
+        },
+        command="auth list",
+    )
+
+
+@app.command("set", help="Set or replace the API token for a third-party model host.")
+@tracking.track_command("auth")
+def set_cmd(
+    provider: Annotated[
+        str,
+        typer.Argument(help="Provider name — `civitai` or `huggingface`. Comfy Cloud uses `comfy cloud login`."),
+    ],
+    key: Annotated[
+        str,
+        typer.Option(
+            "--key",
+            show_default=False,
+            help="The API token. Stored locally; never sent except to the provider.",
+        ),
+    ],
+):
+    renderer = get_renderer()
+    if provider == "comfy-cloud":
+        renderer.error(
+            code="auth_use_login_for_cloud",
+            message="Comfy Cloud uses OAuth — `auth set --key` is not supported for `comfy-cloud`.",
+            hint="run: comfy cloud login   (or `comfy cloud set-key` for the API-key path)",
+            details={"provider": provider},
+        )
+        raise typer.Exit(code=1)
+    if not key:
+        renderer.error(code="auth_invalid_key", message="--key cannot be empty.")
+        raise typer.Exit(code=1)
+    try:
+        record = store.set(provider, key)
+    except ValueError as e:
+        renderer.error(code="auth_invalid_key", message=str(e))
+        raise typer.Exit(code=1)
+    if renderer.is_pretty():
+        rprint(f"[bold green]Stored token for {record.provider}[/bold green] ({record.to_dict()['key']})")
+        if provider not in store.SUPPORTED_PROVIDERS:
+            rprint(f"[yellow]Note:[/yellow] {provider!r} is not a well-known provider; stored anyway.")
+    renderer.emit(
+        {
+            "providers": [r.to_dict(redact=True) for r in store.list_records()],
+            "supported": list(store.SUPPORTED_PROVIDERS),
+            "path": str(store.secrets_path()),
+            "action": "set",
+        },
+        command="auth set",
+        changed=True,
+    )
+
+
+@app.command("remove", help="Remove a stored third-party API token.")
+@tracking.track_command("auth")
+def remove_cmd(
+    provider: Annotated[str, typer.Argument(help="Provider name.")],
+):
+    renderer = get_renderer()
+    if provider == "comfy-cloud":
+        renderer.error(
+            code="auth_use_logout_for_cloud",
+            message="Comfy Cloud uses OAuth — use `comfy cloud logout` to clear the session.",
+            hint="run: comfy cloud logout",
+            details={"provider": provider},
+        )
+        raise typer.Exit(code=1)
+    removed = store.remove(provider)
+    if not removed:
+        renderer.error(
+            code="auth_not_found",
+            message=f"No stored key for {provider!r}.",
+            hint="run: comfy auth list",
+            details={"provider": provider},
+        )
+        raise typer.Exit(code=1)
+    if renderer.is_pretty():
+        rprint(f"[bold]Removed token for {provider}[/bold]")
+    renderer.emit(
+        {
+            "providers": [r.to_dict(redact=True) for r in store.list_records()],
+            "supported": list(store.SUPPORTED_PROVIDERS),
+            "path": str(store.secrets_path()),
+            "action": "remove",
+        },
+        command="auth remove",
+        changed=True,
+    )
+
+
+# ---------------------------------------------------------------------------
+# helpers
+# ---------------------------------------------------------------------------
+
+
+def _render_pretty_list(*, records):
+    """Pretty-render the auth list (third-party provider tokens only)."""
+    from rich.console import Group
+    from rich.text import Text
+
+    from comfy_cli.config_manager import ConfigManager
+    from comfy_cli.output.branding import branded_panel
+    from comfy_cli.output.panels import auth_empty_panel, auth_list_table
+
+    renderer = get_renderer()
+    path = str(store.secrets_path())
+
+    if not records:
+        # Empty-state has its own panel; brand it via the canonical wrapper.
+        body = auth_empty_panel(supported=list(store.SUPPORTED_PROVIDERS), path=path)
+    else:
+        redacted = [r.to_dict(redact=True) for r in records]
+        body = auth_list_table(redacted, supported=list(store.SUPPORTED_PROVIDERS), path=path)
+
+    hint = Text("Comfy Cloud sign-in lives under `comfy cloud whoami`.", style="dim")
+    group = Group(body, Text(""), hint)
+
+    renderer.console().print(branded_panel(group, title="auth", version=ConfigManager().get_cli_version()))
diff --git a/comfy_cli/auth/store.py b/comfy_cli/auth/store.py
new file mode 100644
index 00000000..d415c426
--- /dev/null
+++ b/comfy_cli/auth/store.py
@@ -0,0 +1,350 @@
+"""Plaintext (Phase 4) secret store for comfy-cli.
+
+API:
+
+    list_records() -> list[AuthRecord]
+    get(provider) -> AuthRecord | None
+    set(provider, key) -> AuthRecord    # creates or updates
+    remove(provider) -> bool            # True if removed, False if absent
+
+Locking uses :mod:`comfy_cli.locking` so concurrent ``auth set`` calls don't
+clobber each other.
+"""
+
+from __future__ import annotations
+
+import json
+import os
+import re
+import secrets
+from collections.abc import Iterable
+from dataclasses import asdict, dataclass
+from datetime import datetime, timezone
+from pathlib import Path
+from typing import Any
+
+from comfy_cli import constants, locking
+from comfy_cli.utils import get_os
+
+# Comfy Cloud is *not* listed here: it is authenticated via OAuth (see
+# `cloud_session` below and `comfy_cli.cloud.oauth`). Only providers whose
+# native authentication is an API key remain.
+SUPPORTED_PROVIDERS = ("civitai", "huggingface")
+
+
+@dataclass(frozen=True)
+class AuthRecord:
+    provider: str
+    key: str
+    updated_at: str
+
+    def to_dict(self, *, redact: bool = True) -> dict[str, Any]:
+        d = asdict(self)
+        if redact:
+            d["key"] = _redact(self.key)
+            d["key_redacted"] = True
+        else:
+            d["key_redacted"] = False
+        return d
+
+
+def _redact(key: str) -> str:
+    if len(key) <= 16:
+        return "***"
+    return f"{key[:4]}…{key[-4:]}"
+
+
+SECRETS_PATH_ENV = "COMFY_SECRETS_PATH"
+
+
+def secrets_path() -> Path:
+    override = os.environ.get(SECRETS_PATH_ENV)
+    if override:
+        return Path(override)
+    base = Path(constants.DEFAULT_CONFIG[get_os()])
+    return base / "secrets.json"
+
+
+def lock_path() -> Path:
+    """Stable sidecar path that all secret-store mutations serialize on.
+
+    The lock MUST NOT be the data file itself: ``_write_all`` persists via
+    ``os.replace(tmp, secrets.json)``, which swaps in a *new inode* on every
+    write. ``fcntl.flock`` is bound to the open file description (the inode),
+    so if processes locked ``secrets.json`` directly, a holder mid-refresh
+    would be flocking the now-unlinked old inode while a newcomer opens — and
+    flocks — the freshly-renamed inode. The two would run the critical section
+    simultaneously, replay the same rotated refresh token, and trip the auth
+    server's reuse-detection (wiping the whole token family). A dedicated
+    ``secrets.json.lock`` file is created once and never replaced, so every
+    process serializes on one stable inode regardless of how many times the
+    data file is atomically rewritten underneath it.
+    """
+    p = secrets_path()
+    return p.with_name(p.name + ".lock")
+
+
+_EMPTY: dict[str, Any] = {"providers": {}, "cloud_session": None}
+
+
+def _read_all(path: Path) -> dict[str, Any]:
+    if not path.exists():
+        return {"providers": {}, "cloud_session": None}
+    try:
+        raw = path.read_text(encoding="utf-8")
+    except OSError:
+        return {"providers": {}, "cloud_session": None}
+    if not raw.strip():
+        return {"providers": {}, "cloud_session": None}
+    try:
+        data = json.loads(raw)
+    except json.JSONDecodeError:
+        # Don't blow up on a corrupt store; return empty and let `set` rewrite.
+        return {"providers": {}, "cloud_session": None}
+    providers = data.get("providers") if isinstance(data, dict) else None
+    cloud_session = data.get("cloud_session") if isinstance(data, dict) else None
+    return {
+        "providers": providers if isinstance(providers, dict) else {},
+        "cloud_session": cloud_session if isinstance(cloud_session, dict) else None,
+    }
+
+
+def _write_all(path: Path, payload: dict[str, Any]) -> None:
+    """Atomic write with 0600 mode from inception.
+
+    The tmp file is opened with ``O_CREAT|O_EXCL`` and explicit mode 0o600 so
+    the secrets are never world-readable, even briefly, even on systems with a
+    permissive umask. A unique tmp name (`<basename>.<pid>.<rand>.tmp`) avoids
+    collisions with stale tmp files from killed processes.
+    """
+    path.parent.mkdir(parents=True, exist_ok=True, mode=0o700)
+    # Best-effort tighten parent directory if it already existed permissively.
+    try:
+        os.chmod(path.parent, 0o700)
+    except OSError:
+        pass
+    # Unique tmp name per writer; survives kill -9 (the orphan is harmless).
+    tmp_suffix = f".{os.getpid()}.{secrets.token_hex(4)}.tmp"
+    tmp = path.with_suffix(path.suffix + tmp_suffix)
+    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
+    # Open-with-mode is atomic w.r.t. permissions on POSIX; on Windows the
+    # mode bit is mostly cosmetic but we still set it for consistency.
+    fd = os.open(tmp, flags, 0o600)
+    try:
+        with os.fdopen(fd, "w", encoding="utf-8") as f:
+            f.write(json.dumps(payload, indent=2, sort_keys=True))
+            f.flush()
+            try:
+                os.fsync(f.fileno())
+            except OSError:
+                pass
+        os.replace(tmp, path)
+    except Exception:
+        # Clean up the tmp file if we didn't make it to os.replace.
+        try:
+            os.unlink(tmp)
+        except OSError:
+            pass
+        raise
+    # Final defensive chmod in case the inode is being reused with looser perms.
+    try:
+        os.chmod(path, 0o600)
+    except OSError:
+        pass
+
+
+def list_records() -> list[AuthRecord]:
+    path = secrets_path()
+    with locking.file_lock(lock_path()):
+        data = _read_all(path)
+    out: list[AuthRecord] = []
+    for name, body in data["providers"].items():
+        if not isinstance(body, dict):
+            continue
+        key = body.get("key")
+        if not isinstance(key, str):
+            continue
+        out.append(AuthRecord(provider=name, key=key, updated_at=str(body.get("updated_at", ""))))
+    return sorted(out, key=lambda r: r.provider)
+
+
+def get(provider: str) -> AuthRecord | None:
+    path = secrets_path()
+    with locking.file_lock(lock_path()):
+        data = _read_all(path)
+    body = data["providers"].get(provider)
+    if not isinstance(body, dict):
+        return None
+    key = body.get("key")
+    if not isinstance(key, str) or not key:
+        return None
+    return AuthRecord(provider=provider, key=key, updated_at=str(body.get("updated_at", "")))
+
+
+_SAFE_PROVIDER = re.compile(r"^[a-zA-Z0-9_\-]{1,64}$")
+
+
+def set(provider: str, key: str) -> AuthRecord:
+    if not provider:
+        raise ValueError("provider name is required")
+    if not _SAFE_PROVIDER.match(provider):
+        raise ValueError(f"invalid provider name: {provider!r} (must be alphanumeric/dash/underscore, max 64 chars)")
+    if not key:
+        raise ValueError("key cannot be empty")
+    path = secrets_path()
+    now = datetime.now(timezone.utc).isoformat(timespec="seconds")
+    with locking.file_lock(lock_path()):
+        data = _read_all(path)
+        data["providers"][provider] = {"key": key, "updated_at": now}
+        _write_all(path, data)
+    return AuthRecord(provider=provider, key=key, updated_at=now)
+
+
+def remove(provider: str) -> bool:
+    path = secrets_path()
+    with locking.file_lock(lock_path()):
+        data = _read_all(path)
+        if provider not in data["providers"]:
+            return False
+        del data["providers"][provider]
+        _write_all(path, data)
+    return True
+
+
+def known_providers() -> Iterable[str]:
+    return SUPPORTED_PROVIDERS
+
+
+# ---------------------------------------------------------------------------
+# Cloud OAuth session
+# ---------------------------------------------------------------------------
+
+
+@dataclass(frozen=True)
+class CloudSession:
+    base_url: str
+    resource: str
+    client_id: str
+    scope: str
+    access_token: str
+    refresh_token: str | None
+    token_type: str
+    expires_at: int | None  # absolute epoch seconds
+    saved_at: str
+
+    def is_expired(self, *, leeway_s: int = 30) -> bool:
+        """True if the access token is past (or within `leeway_s` of) expiry."""
+        if self.expires_at is None:
+            return False
+        import time as _time
+
+        return _time.time() + leeway_s >= self.expires_at
+
+    def to_dict(self, *, redact: bool = True) -> dict[str, Any]:
+        data = {
+            "base_url": self.base_url,
+            "resource": self.resource,
+            "client_id": self.client_id,
+            "scope": self.scope,
+            "token_type": self.token_type,
+            "expires_at": self.expires_at,
+            "saved_at": self.saved_at,
+        }
+        if redact:
+            data["access_token"] = _redact(self.access_token) if self.access_token else None
+            data["refresh_token"] = _redact(self.refresh_token) if self.refresh_token else None
+            data["tokens_redacted"] = True
+        else:
+            data["access_token"] = self.access_token
+            data["refresh_token"] = self.refresh_token
+            data["tokens_redacted"] = False
+        return data
+
+
+def _session_from_dict(body: dict[str, Any]) -> CloudSession | None:
+    if not isinstance(body, dict):
+        return None
+    tokens = body.get("tokens")
+    if not isinstance(tokens, dict):
+        return None
+    access = tokens.get("access_token")
+    if not isinstance(access, str) or not access:
+        return None
+    refresh = tokens.get("refresh_token") if isinstance(tokens.get("refresh_token"), str) else None
+    return CloudSession(
+        base_url=str(body.get("base_url", "")),
+        resource=str(body.get("resource", "")),
+        client_id=str(body.get("client_id", "")),
+        scope=str(body.get("scope", "")),
+        access_token=access,
+        refresh_token=refresh,
+        token_type=str(tokens.get("token_type", "Bearer")),
+        expires_at=tokens.get("expires_at") if isinstance(tokens.get("expires_at"), int) else None,
+        saved_at=str(body.get("saved_at", "")),
+    )
+
+
+def get_cloud_session() -> CloudSession | None:
+    path = secrets_path()
+    with locking.file_lock(lock_path()):
+        data = _read_all(path)
+    session = data.get("cloud_session")
+    if not isinstance(session, dict):
+        return None
+    return _session_from_dict(session)
+
+
+def save_cloud_session(
+    *,
+    base_url: str,
+    resource: str,
+    client_id: str,
+    scope: str,
+    access_token: str,
+    refresh_token: str | None,
+    token_type: str,
+    expires_at: int | None,
+) -> CloudSession:
+    if not access_token:
+        raise ValueError("access_token cannot be empty")
+    path = secrets_path()
+    now = datetime.now(timezone.utc).isoformat(timespec="seconds")
+    payload = {
+        "base_url": base_url,
+        "resource": resource,
+        "client_id": client_id,
+        "scope": scope,
+        "saved_at": now,
+        "tokens": {
+            "access_token": access_token,
+            "refresh_token": refresh_token,
+            "token_type": token_type,
+            "expires_at": expires_at,
+        },
+    }
+    with locking.file_lock(lock_path()):
+        data = _read_all(path)
+        data["cloud_session"] = payload
+        _write_all(path, data)
+    return CloudSession(
+        base_url=base_url,
+        resource=resource,
+        client_id=client_id,
+        scope=scope,
+        access_token=access_token,
+        refresh_token=refresh_token,
+        token_type=token_type,
+        expires_at=expires_at,
+        saved_at=now,
+    )
+
+
+def clear_cloud_session() -> bool:
+    path = secrets_path()
+    with locking.file_lock(lock_path()):
+        data = _read_all(path)
+        if data.get("cloud_session") is None:
+            return False
+        data["cloud_session"] = None
+        _write_all(path, data)
+    return True
diff --git a/comfy_cli/caller.py b/comfy_cli/caller.py
new file mode 100644
index 00000000..0b8c4da9
--- /dev/null
+++ b/comfy_cli/caller.py
@@ -0,0 +1,71 @@
+"""Detect whether the CLI is being driven by a human or an agent.
+
+The detection flips three defaults:
+    - Output mode (agents → JSON, humans → pretty)
+    - Confirmation prompts (skipped for agents)
+    - Pretty banner (suppressed for agents)
+
+Signals (in priority order — most specific first):
+    1. ``COMFY_USER_AGENT=<label>`` → explicit override, agentic, label preserved.
+    2. ``AI_AGENT`` truthy → agentic, kind="agent".
+    3. ``CLAUDECODE`` truthy → Claude Code session, kind="claude-code".
+    4. stdout is not a TTY → agentic, kind="pipe".
+    5. otherwise → kind="user".
+
+Claude Code is checked after AI_AGENT because AI_AGENT is the generic
+contract any agent framework can set, while CLAUDECODE is Claude Code's
+own env var (set in every Bash subprocess it spawns). Checking it
+explicitly means analytics can distinguish "Claude Code" from "some
+other agent" without requiring Claude Code users to set AI_AGENT.
+
+Tested in ``tests/comfy_cli/output/test_caller.py``.
+"""
+
+from __future__ import annotations
+
+import os
+import sys
+from collections.abc import Mapping
+from dataclasses import dataclass
+
+
+@dataclass(frozen=True)
+class Caller:
+    kind: str  # "user" | "claude-code" | "pipe" | "agent" | <custom>
+    agentic: bool
+    source_env: str | None  # which env var triggered the detection, for debug
+
+
+def _truthy(value: str | None) -> bool:
+    if value is None:
+        return False
+    return value.strip().lower() not in {"", "0", "false", "no", "off"}
+
+
+def detect_caller(
+    env: Mapping[str, str] | None = None,
+    *,
+    is_tty: bool | None = None,
+) -> Caller:
+    e = env if env is not None else os.environ
+    tty = is_tty if is_tty is not None else sys.stdout.isatty()
+
+    # 1. Explicit override — custom agent frameworks self-attribute here.
+    explicit = e.get("COMFY_USER_AGENT")
+    if explicit and _truthy(explicit):
+        return Caller(kind=explicit.strip().lower(), agentic=True, source_env="COMFY_USER_AGENT")
+
+    # 2. Generic agent marker — any framework can set this.
+    if _truthy(e.get("AI_AGENT")):
+        return Caller(kind="agent", agentic=True, source_env="AI_AGENT")
+
+    # 3. Claude Code — sets CLAUDECODE=1 in every shell it spawns.
+    if _truthy(e.get("CLAUDECODE")):
+        return Caller(kind="claude-code", agentic=True, source_env="CLAUDECODE")
+
+    # 4. Non-TTY — piped, backgrounded, or CI.
+    if not tty:
+        return Caller(kind="pipe", agentic=True, source_env=None)
+
+    # 5. Human at a terminal.
+    return Caller(kind="user", agentic=False, source_env=None)
diff --git a/comfy_cli/cancellation.py b/comfy_cli/cancellation.py
new file mode 100644
index 00000000..024b9f4e
--- /dev/null
+++ b/comfy_cli/cancellation.py
@@ -0,0 +1,125 @@
+"""Process-wide cancellation token tied to SIGINT.
+
+Why: long-running ops (workflow execution, cloud polling, partner generation)
+must cancel cleanly on Ctrl+C — close the WebSocket, post a cancel-job to the
+cloud, emit a final ``error.code = "cancelled"`` envelope, and exit with 130
+(POSIX SIGINT convention).
+
+Usage:
+    token = install_sigint_handler()
+    while not token.is_set():
+        ...
+    if token.is_set():
+        renderer.error("cancelled", "Cancelled by user", exit_code=130)
+
+The token is process-wide. `install_sigint_handler()` is idempotent.
+"""
+
+from __future__ import annotations
+
+import signal
+import threading
+from collections.abc import Callable
+from dataclasses import dataclass, field
+
+
+@dataclass
+class CancellationToken:
+    _event: threading.Event = field(default_factory=threading.Event)
+    _callbacks: list[Callable[[], None]] = field(default_factory=list)
+    _lock: threading.Lock = field(default_factory=threading.Lock)
+
+    def is_set(self) -> bool:
+        return self._event.is_set()
+
+    def wait(self, timeout: float | None = None) -> bool:
+        """Block until cancelled or timeout. Returns True if cancelled."""
+        return self._event.wait(timeout=timeout)
+
+    def cancel(self) -> None:
+        """Mark cancelled and fire all registered callbacks.
+
+        Callbacks run on the signal-handler thread (i.e., the main thread for
+        SIGINT). They should be quick and non-blocking — typically just
+        setting a flag or closing a socket.
+        """
+        with self._lock:
+            already = self._event.is_set()
+            self._event.set()
+            callbacks = list(self._callbacks)
+            self._callbacks.clear()
+        if already:
+            return
+        for cb in callbacks:
+            try:
+                cb()
+            except Exception:  # noqa: BLE001
+                # Cancellation must never raise — losing one cleanup is
+                # better than masking the original exit reason.
+                pass
+
+    def on_cancel(self, callback: Callable[[], None]) -> None:
+        """Register a one-shot cancel callback. If already cancelled, runs immediately."""
+        with self._lock:
+            if self._event.is_set():
+                fire = True
+            else:
+                self._callbacks.append(callback)
+                fire = False
+        if fire:
+            try:
+                callback()
+            except Exception:  # noqa: BLE001
+                pass
+
+
+_TOKEN: CancellationToken | None = None
+_INSTALLED = False
+_TOKEN_LOCK = threading.Lock()
+_PREVIOUS_SIGINT_HANDLER = None
+
+
+def get_token() -> CancellationToken:
+    global _TOKEN
+    if _TOKEN is None:
+        with _TOKEN_LOCK:
+            if _TOKEN is None:
+                _TOKEN = CancellationToken()
+    return _TOKEN
+
+
+def install_sigint_handler() -> CancellationToken:
+    """Idempotently install a SIGINT handler that cancels the token.
+
+    The previous handler is preserved and re-raised after the token fires, so
+    Python's default ``KeyboardInterrupt`` propagation still works.
+    """
+    global _INSTALLED, _PREVIOUS_SIGINT_HANDLER
+    token = get_token()
+    if _INSTALLED:
+        return token
+
+    previous = signal.getsignal(signal.SIGINT)
+    _PREVIOUS_SIGINT_HANDLER = previous
+
+    def _handler(signum: int, frame: object) -> None:
+        token.cancel()
+        # Chain to the previous handler so KeyboardInterrupt still raises.
+        if callable(previous) and previous not in (signal.SIG_DFL, signal.SIG_IGN):
+            previous(signum, frame)
+        else:
+            # Default: raise KeyboardInterrupt in the main thread.
+            raise KeyboardInterrupt()
+
+    signal.signal(signal.SIGINT, _handler)
+    _INSTALLED = True
+    return token
+
+
+def reset_for_testing() -> None:
+    global _TOKEN, _INSTALLED, _PREVIOUS_SIGINT_HANDLER
+    _TOKEN = None
+    _INSTALLED = False
+    if _PREVIOUS_SIGINT_HANDLER is not None:
+        signal.signal(signal.SIGINT, _PREVIOUS_SIGINT_HANDLER)
+        _PREVIOUS_SIGINT_HANDLER = None
diff --git a/comfy_cli/cloud/__init__.py b/comfy_cli/cloud/__init__.py
new file mode 100644
index 00000000..0a48d623
--- /dev/null
+++ b/comfy_cli/cloud/__init__.py
@@ -0,0 +1,140 @@
+"""Comfy Cloud client surface.
+
+Defaults to ``cloud.comfy.org`` (production). Override via
+``COMFY_CLOUD_BASE_URL`` — useful when a local frontend dev server (e.g.
+``ComfyUI_frontend`` running ``dev:cloud``) is proxying ``/oauth/*`` to a
+test env, or to pin a PR-preview environment for debugging.
+"""
+
+from __future__ import annotations
+
+import os
+
+_DEFAULT_BASE_URL = "https://cloud.comfy.org"
+
+
+CONFIG_KEY_BASE_URL = "cloud_base_url"
+
+
+def _resolve_base_url() -> str:
+    override = os.environ.get("COMFY_CLOUD_BASE_URL")
+    if override:
+        return override.rstrip("/")
+    # Persisted config (set via `comfy auth set-base-url <url>`).
+    try:
+        from comfy_cli.config_manager import ConfigManager
+
+        stored = ConfigManager().get(CONFIG_KEY_BASE_URL)
+        if stored:
+            return stored.rstrip("/")
+    except Exception:  # noqa: BLE001 — never fail base-url resolution on a bad config
+        pass
+    return _DEFAULT_BASE_URL
+
+
+def get_base_url() -> str:
+    """Resolve the cloud base URL fresh.
+
+    Precedence:
+    1. ``COMFY_CLOUD_BASE_URL`` env var (per-shell).
+    2. ``cloud_base_url`` in the persisted CLI config (one-time setup).
+    3. Default (``cloud.comfy.org``).
+
+    Called per-invocation so changes take effect without re-importing.
+    """
+    return _resolve_base_url()
+
+
+# Kept for backwards compatibility with call sites that captured this at
+# import time. New code should call ``get_base_url()`` instead.
+BASE_URL = _resolve_base_url()
+
+# Default OAuth resource path. Appended to the resolved base_url at runtime
+# so it works with any environment (production, PR preview, etc.).
+# The cloud seed migration provisions two resources:
+#   - resource_id "comfy-cloud", resource_uri "/api",  audience "comfy-cloud"
+#   - resource_id "comfy-mcp",   resource_uri "/mcp",  audience "comfy-cloud-mcp"
+# The CLI targets the comfy-cloud resource (/api) for workflow execution.
+_DEFAULT_RESOURCE_PATH = "/api"
+_DEFAULT_SCOPES = (
+    "comfy-cloud:workflows:read",
+    "comfy-cloud:workflows:write",
+    "comfy-cloud:jobs:read",
+    "comfy-cloud:jobs:write",
+    "comfy-cloud:files:read",
+    "comfy-cloud:files:write",
+    "comfy-cloud:assets:read",
+    "comfy-cloud:assets:write",
+    "comfy-cloud:hub:read",
+    "comfy-cloud:hub:write",
+    "comfy-cloud:user:read",
+    "comfy-cloud:settings:read",
+    "comfy-cloud:settings:write",
+    "comfy-cloud:billing:read",
+)
+
+CONFIG_KEY_RESOURCE_URL = "cloud_resource_url"
+CONFIG_KEY_SCOPES = "cloud_scopes"
+
+
+def _resolve_resource_url() -> str:
+    override = os.environ.get("COMFY_CLOUD_RESOURCE_URL")
+    if override:
+        return override
+    try:
+        from comfy_cli.config_manager import ConfigManager
+
+        stored = ConfigManager().get(CONFIG_KEY_RESOURCE_URL)
+        if stored:
+            return stored
+    except Exception:  # noqa: BLE001
+        pass
+    # Derive from the current base_url so PR-preview / staging envs work.
+    return _resolve_base_url() + _DEFAULT_RESOURCE_PATH
+
+
+def _resolve_scopes() -> tuple[str, ...]:
+    override = os.environ.get("COMFY_CLOUD_SCOPES")
+    if override:
+        return tuple(s for s in override.split() if s)
+    try:
+        from comfy_cli.config_manager import ConfigManager
+
+        stored = ConfigManager().get(CONFIG_KEY_SCOPES)
+        if stored:
+            return tuple(s for s in stored.split() if s)
+    except Exception:  # noqa: BLE001
+        pass
+    return _DEFAULT_SCOPES
+
+
+def get_resource_url() -> str:
+    """Resolve the OAuth resource URL fresh."""
+    return _resolve_resource_url()
+
+
+def get_scopes() -> tuple[str, ...]:
+    """Resolve the OAuth scopes fresh."""
+    return _resolve_scopes()
+
+
+# Backwards compat — captured once at import.
+RESOURCE_URL = _resolve_resource_url()
+DEFAULT_SCOPES = _resolve_scopes()
+
+# Pre-registered first-party client_id for the comfy CLI. Provisioned by the
+# cloud's seed migration (20260515000002_seed_oauth_clients_and_resources.sql):
+#
+#     INSERT INTO oauth_clients (
+#       client_id, display_name, redirect_uris, resource_grants, active
+#     ) VALUES (
+#       'comfy-cli', 'Comfy CLI',
+#       '["http://127.0.0.1/callback", "http://[::1]/callback"]'::jsonb,
+#       '{"comfy-cloud": ["comfy-cloud:workflows:read", ...]}'::jsonb, true);
+#
+# The cloud's `MatchRegisteredRedirectURI` honors RFC 8252 §7.3
+# (loopback port-variance) for native clients, so we can present any
+# ephemeral port at /callback and still match. The PATH must be byte-exact.
+CLIENT_ID = "comfy-cli"
+CLIENT_NAME = "Comfy CLI"
+CALLBACK_PATH = "/callback"
diff --git a/comfy_cli/cloud/command.py b/comfy_cli/cloud/command.py
new file mode 100644
index 00000000..936a4d3e
--- /dev/null
+++ b/comfy_cli/cloud/command.py
@@ -0,0 +1,361 @@
+"""``comfy cloud`` — sign in to Comfy Cloud (OAuth) and manage cloud routing config.
+
+The ``cloud`` namespace is the explicit prefix for everything that talks to
+Comfy Cloud:
+
+- ``cloud login``       — Authorization Code + PKCE flow against the cloud
+- ``cloud logout``      — clear the local OAuth session
+- ``cloud whoami``      — inspect the current session + base URL + auth path
+- ``cloud set-base-url`` — pin a non-prod env (PR preview, staging, …)
+- ``cloud set-key``     — testing path: persist a Comfy Cloud API key
+                            (canonical sign-in is ``cloud login``)
+
+Third-party API tokens (Civitai, Hugging Face) for ``comfy model download``
+live under ``comfy auth`` since they're not cloud-specific.
+"""
+
+from __future__ import annotations
+
+from datetime import datetime, timezone
+from typing import Annotated
+
+import typer
+
+from comfy_cli import tracking
+from comfy_cli.auth import store
+from comfy_cli.cloud import CLIENT_ID, CLIENT_NAME, CONFIG_KEY_BASE_URL, get_base_url, get_resource_url, get_scopes
+from comfy_cli.cloud.oauth import OAuthError, run_login
+from comfy_cli.config_manager import ConfigManager
+from comfy_cli.output import get_renderer, rprint
+
+app = typer.Typer(
+    no_args_is_help=True,
+    help="Comfy Cloud — sign in, route commands, inspect session.",
+)
+
+
+# ---------------------------------------------------------------------------
+# login / logout / whoami
+# ---------------------------------------------------------------------------
+
+
+@app.command("login", help="Sign in to Comfy Cloud via your browser (OAuth + PKCE).")
+@tracking.track_command("cloud")
+def login_cmd(
+    no_browser: Annotated[
+        bool,
+        typer.Option(
+            "--no-browser",
+            help="Don't try to open the browser automatically — just print the URL.",
+        ),
+    ] = False,
+    timeout: Annotated[
+        int,
+        typer.Option(
+            "--timeout",
+            help="Seconds to wait for the browser callback before giving up.",
+        ),
+    ] = 300,
+):
+    renderer = get_renderer()
+    client_id = CLIENT_ID
+
+    base_url = get_base_url()
+    if renderer.is_pretty():
+        rprint(f"Signing in to [bold cyan]Comfy Cloud[/bold cyan] ([dim]{base_url}[/dim])")
+
+    def _on_url(url: str) -> None:
+        if not renderer.is_pretty():
+            return
+        if no_browser:
+            rprint("\nOpen this URL in your browser to sign in:")
+            rprint(f"  [cyan]{url}[/cyan]\n")
+        else:
+            rprint("[dim]Opening browser… (if it doesn't appear, copy this URL)[/dim]")
+            rprint(f"[dim]  {url}[/dim]")
+
+    try:
+        result = run_login(
+            base_url=base_url,
+            resource=get_resource_url(),
+            scopes=get_scopes(),
+            client_id=client_id,
+            client_name=CLIENT_NAME,
+            open_browser=not no_browser,
+            timeout_s=float(timeout),
+            on_url_ready=_on_url,
+        )
+    except OAuthError as e:
+        renderer.error(
+            code=e.code,
+            message=str(e),
+            hint=e.hint,
+            details=e.details,
+        )
+        raise typer.Exit(code=1)
+
+    session = store.save_cloud_session(
+        base_url=result.base_url,
+        resource=result.resource,
+        client_id=result.client_id,
+        scope=result.scope,
+        access_token=result.tokens.access_token,
+        refresh_token=result.tokens.refresh_token,
+        token_type=result.tokens.token_type,
+        expires_at=result.tokens.expires_at,
+    )
+
+    if renderer.is_pretty():
+        from comfy_cli.output.branding import welcome_banner
+
+        renderer.console().print("")
+        renderer.console().print(
+            welcome_banner(
+                base_url=session.base_url,
+                scope=session.scope,
+                client_id=session.client_id,
+                expires_at=session.expires_at,
+                cta="comfy run --workflow <path> --where cloud",
+            )
+        )
+
+    renderer.emit(
+        {
+            "session": session.to_dict(redact=True),
+            "action": "login",
+        },
+        command="cloud login",
+        changed=True,
+    )
+
+
+@app.command("logout", help="Sign out of Comfy Cloud (clears the local OAuth session).")
+@tracking.track_command("cloud")
+def logout_cmd():
+    renderer = get_renderer()
+    removed = store.clear_cloud_session()
+    if not removed:
+        renderer.error(
+            code="auth_not_signed_in",
+            message="No active Comfy Cloud session.",
+            hint="run: comfy cloud login",
+        )
+        raise typer.Exit(code=1)
+    if renderer.is_pretty():
+        rprint("[bold]Signed out of Comfy Cloud.[/bold]")
+    renderer.emit({"action": "logout"}, command="cloud logout", changed=True)
+
+
+@app.command("whoami", help="Show the current Comfy Cloud sign-in status.")
+@tracking.track_command("cloud")
+def whoami_cmd():
+    from comfy_cli.credentials import find_api_key, get_session
+
+    renderer = get_renderer()
+    # Refresh first so we report (and persist) a live token rather than a
+    # token that quietly lapsed since the last command.
+    session = get_session(refresh=True)
+    configured_base_url = get_base_url()
+
+    # Ambient API key (env / store), reported even when an OAuth session
+    # outranks it. ``Credential.source`` is "env:<VAR>" / "stored:<provider>";
+    # keep the short "env" / "store" labels the whoami envelope documents.
+    ambient_key = find_api_key(purpose="cloud")
+    api_key_source: str | None = None
+    if ambient_key is not None:
+        api_key_source = "env" if ambient_key.source.startswith("env:") else "store"
+
+    # `signed_in` reflects *any* valid auth path — OAuth session or API key.
+    # When both are present, OAuth wins (it's the credential the client sends);
+    # the API key is only used as a fallback when no live session exists.
+    has_api_key = api_key_source is not None
+    has_oauth = session is not None
+    expired = session.is_expired() if session else None
+    oauth_usable = has_oauth and not expired
+    # `signed_in` must reflect whether we can actually authenticate right now:
+    # a live (non-expired) OAuth session, or an API key. An expired,
+    # unrefreshable OAuth session is NOT signed in on its own.
+    signed_in = oauth_usable or has_api_key
+    auth_method: str | None
+    if oauth_usable:
+        auth_method = "oauth"
+    elif has_api_key:
+        auth_method = "api_key"
+    else:
+        auth_method = None
+    stale_base_url = (session.base_url != configured_base_url) if session else False
+
+    if renderer.is_pretty():
+        if has_oauth:
+            from comfy_cli.output.branding import whoami_banner
+
+            renderer.console().print(
+                whoami_banner(
+                    base_url=session.base_url,
+                    scope=session.scope,
+                    client_id=session.client_id,
+                    expires_at=session.expires_at,
+                    expired=bool(expired),
+                    version=ConfigManager().get_cli_version(),
+                )
+            )
+            if stale_base_url:
+                rprint(
+                    f"[yellow]Session was minted for [bold]{session.base_url}[/bold] "
+                    f"but current configured base URL is [bold]{configured_base_url}[/bold].[/yellow]"
+                )
+                rprint("[dim]→ run `comfy cloud login` to mint a fresh session against the new base URL.[/dim]")
+            if has_api_key:
+                if oauth_usable:
+                    rprint(
+                        f"[dim]OAuth session is preferred; X-API-Key from {api_key_source} present but unused.[/dim]"
+                    )
+                else:
+                    rprint(f"[dim]OAuth session expired — falling back to X-API-Key from {api_key_source}.[/dim]")
+        else:
+            from comfy_cli.output.branding import signed_out_banner
+
+            renderer.console().print(
+                signed_out_banner(
+                    base_url=configured_base_url,
+                    version=ConfigManager().get_cli_version(),
+                )
+            )
+            if has_api_key:
+                rprint(f"[dim]Authenticated via X-API-Key from {api_key_source}.[/dim]")
+
+    payload: dict[str, object | None] = {
+        "signed_in": signed_in,
+        "auth_method": auth_method,
+        "base_url": session.base_url if session else configured_base_url,
+        "configured_base_url": configured_base_url,
+        "api_key_source": api_key_source,
+    }
+    if session is not None:
+        payload["expired"] = expired
+        payload["session"] = session.to_dict(redact=True)
+        payload["stale_base_url"] = stale_base_url
+
+    renderer.emit(payload, command="cloud whoami")
+
+
+# ---------------------------------------------------------------------------
+# config
+# ---------------------------------------------------------------------------
+
+
+@app.command("set-base-url", help="Persist a custom Comfy Cloud base URL (e.g. a PR-preview env).")
+@tracking.track_command("cloud")
+def set_base_url_cmd(
+    url: Annotated[
+        str | None,
+        typer.Argument(
+            help="Base URL like 'https://fe-pr-12159.testenvs.comfy.org'. Pass '' or omit and use --clear to reset.",
+        ),
+    ] = None,
+    clear: Annotated[
+        bool,
+        typer.Option("--clear", help="Clear the persisted base URL (falls back to env var, then default)."),
+    ] = False,
+):
+    renderer = get_renderer()
+    config = ConfigManager()
+    if clear or not url:
+        if clear:
+            config.set(CONFIG_KEY_BASE_URL, "")
+        if renderer.is_pretty():
+            rprint(f"[bold]Cloud base URL[/bold] → [cyan]{get_base_url()}[/cyan] (config cleared)")
+        renderer.emit(
+            {"base_url": get_base_url(), "config_set": False},
+            command="cloud set-base-url",
+            changed=clear,
+        )
+        return
+    cleaned = url.rstrip("/")
+    config.set(CONFIG_KEY_BASE_URL, cleaned)
+
+    from comfy_cli.credentials import get_session
+
+    cleared_stale_session = False
+    session = get_session(refresh=False)
+    if session is not None and session.base_url != cleaned:
+        if session.is_expired():
+            store.clear_cloud_session()
+            cleared_stale_session = True
+
+    if renderer.is_pretty():
+        rprint(f"[bold green]Persisted cloud base URL[/bold green] → [cyan]{cleaned}[/cyan]")
+        if cleared_stale_session:
+            rprint("[dim]Cleared an expired session that was pinned to the old URL.[/dim]")
+        elif session is not None and session.base_url != cleaned:
+            rprint(
+                f"[yellow]Warning:[/yellow] an active session is still pinned to "
+                f"[bold]{session.base_url}[/bold]. Run `comfy cloud logout` then "
+                f"`comfy cloud login` to mint a fresh one against {cleaned}."
+            )
+        rprint("[dim]Next `comfy cloud login` will use this URL.[/dim]")
+    renderer.emit(
+        {
+            "base_url": cleaned,
+            "config_set": True,
+            "cleared_stale_session": cleared_stale_session,
+        },
+        command="cloud set-base-url",
+        changed=True,
+    )
+
+
+@app.command(
+    "set-key",
+    hidden=True,
+    help="Persist a Comfy Cloud API key (testing path; canonical sign-in is `comfy cloud login`).",
+)
+@tracking.track_command("cloud")
+def set_key_cmd(
+    key: Annotated[str, typer.Option("--key", help="The Comfy Cloud API key.")],
+):
+    """Store a Comfy Cloud API key.
+
+    The key is sent as ``X-API-Key`` on cloud requests and injected as
+    ``api_key_comfy_org`` into ``extra_data`` so partner-API nodes can use
+    it. Used as a fallback only — a live OAuth session takes precedence.
+    Stored at ``secrets.json`` mode 0600.
+    """
+    from comfy_cli.target import CLOUD_API_KEY_PROVIDER
+
+    renderer = get_renderer()
+    if not key.strip():
+        renderer.error(code="auth_invalid_key", message="--key cannot be empty.")
+        raise typer.Exit(code=1)
+    try:
+        record = store.set(CLOUD_API_KEY_PROVIDER, key.strip())
+    except ValueError as e:
+        renderer.error(code="auth_invalid_key", message=str(e))
+        raise typer.Exit(code=1) from e
+    if renderer.is_pretty():
+        rprint(f"[bold]Stored Comfy Cloud API key[/bold] [dim]({record.to_dict()['key']})[/dim]")
+        rprint("[dim]→ stored as a fallback; a live OAuth session takes precedence[/dim]")
+    renderer.emit(
+        {
+            "provider": CLOUD_API_KEY_PROVIDER,
+            "path": str(store.secrets_path()),
+            "action": "set-key",
+        },
+        command="cloud set-key",
+        changed=True,
+    )
+
+
+# ---------------------------------------------------------------------------
+# helpers
+# ---------------------------------------------------------------------------
+
+
+def _fmt_expiry(expires_at: int | None) -> str:
+    if expires_at is None:
+        return "unknown"
+    try:
+        dt = datetime.fromtimestamp(expires_at, tz=timezone.utc)
+    except (OSError, OverflowError, ValueError):
+        return "unknown"
+    return dt.isoformat(timespec="seconds")
diff --git a/comfy_cli/cloud/oauth.py b/comfy_cli/cloud/oauth.py
new file mode 100644
index 00000000..3c86ecf8
--- /dev/null
+++ b/comfy_cli/cloud/oauth.py
@@ -0,0 +1,908 @@
+"""OAuth 2.1 Authorization Code + PKCE flow for the comfy CLI.
+
+The cloud server (services/ingest/server/implementation/oauth/...) only
+supports two grant types — ``authorization_code`` and ``refresh_token`` —
+and requires PKCE with the S256 challenge method, plus a ``resource``
+parameter on every authorize request. There's no device-code flow.
+
+The CLI flow is therefore:
+
+  1. POST /oauth/register  — Dynamic Client Registration (RFC 7591). One-shot:
+     cache the returned ``client_id`` so subsequent logins reuse it.
+  2. Generate PKCE pair (code_verifier + code_challenge=S256).
+  3. Start a localhost HTTP server on a random 127.0.0.1:<port>.
+  4. Open the browser to GET /oauth/authorize?... with our redirect_uri
+     pointing at the local server.
+  5. User logs in / consents on the cloud frontend.
+  6. Cloud redirects to http://127.0.0.1:<port>/callback?code=...&state=...
+  7. POST /oauth/token  with grant_type=authorization_code + the
+     code_verifier. Receive { access_token, refresh_token, expires_in, ... }.
+
+Refresh:
+
+  8. POST /oauth/token  with grant_type=refresh_token. Server rotates the
+     refresh token; we always replace what we stored.
+
+No tokens or codes are logged. The browser URL is printed for users who can't
+auto-open (SSH, headless), with a clear caveat that it includes the PKCE
+challenge but not any secret.
+"""
+
+from __future__ import annotations
+
+import base64
+import hashlib
+import http.server
+import json
+import secrets
+import socket
+import threading
+import time
+import urllib.parse
+import urllib.request
+import webbrowser
+from dataclasses import dataclass, field
+from http.server import BaseHTTPRequestHandler
+from typing import Any
+from urllib.error import HTTPError, URLError
+
+from comfy_cli.cloud import (
+    CALLBACK_PATH,
+    CLIENT_ID,
+    CLIENT_NAME,
+    get_base_url,
+)
+
+# ---------------------------------------------------------------------------
+# Error types — caller maps these to renderer.error(code=...) codes.
+# ---------------------------------------------------------------------------
+
+
+class OAuthError(Exception):
+    """Base for OAuth flow failures. ``code`` is the error envelope code."""
+
+    code: str = "oauth_failed"
+
+    def __init__(self, message: str, *, hint: str | None = None, details: dict | None = None):
+        super().__init__(message)
+        self.hint = hint
+        self.details = details or {}
+
+
+class OAuthRegisterError(OAuthError):
+    code = "oauth_register_failed"
+
+
+class OAuthAuthorizeError(OAuthError):
+    code = "oauth_authorize_failed"
+
+
+class OAuthTokenError(OAuthError):
+    code = "oauth_token_failed"
+
+
+class OAuthRefreshError(OAuthError):
+    code = "oauth_refresh_failed"
+
+
+class OAuthCancelled(OAuthError):
+    code = "oauth_cancelled"
+
+
+class OAuthTimeout(OAuthError):
+    code = "oauth_timeout"
+
+
+# ---------------------------------------------------------------------------
+# Constants
+# ---------------------------------------------------------------------------
+
+_LOOPBACK_HOST = "127.0.0.1"
+# Path must match the path registered for the first-party client. See the
+# note in comfy_cli/cloud/__init__.py about RFC 8252 §7.3 port-variance.
+_CALLBACK_PATH = CALLBACK_PATH
+_AUTH_DEFAULT_TIMEOUT_S = 300  # 5 minutes for the user to click through
+_HTTP_TIMEOUT_S = 30  # network timeout for token/register POSTs
+
+
+# ---------------------------------------------------------------------------
+# PKCE
+# ---------------------------------------------------------------------------
+
+
+def _b64url_no_pad(data: bytes) -> str:
+    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")
+
+
+def generate_pkce_pair() -> tuple[str, str]:
+    """Return (code_verifier, code_challenge).
+
+    The cloud server requires S256 and a 43-char base64url challenge (see
+    request.go's ErrInvalidCodeChallenge). A 32-byte verifier yields exactly
+    that after SHA-256 + base64url-no-pad.
+    """
+    verifier = _b64url_no_pad(secrets.token_bytes(32))
+    digest = hashlib.sha256(verifier.encode("ascii")).digest()
+    challenge = _b64url_no_pad(digest)
+    assert len(challenge) == 43, "PKCE S256 challenge must be 43 chars"
+    return verifier, challenge
+
+
+def generate_state() -> str:
+    """CSRF token threaded through the redirect. Required by the server."""
+    return _b64url_no_pad(secrets.token_bytes(16))
+
+
+# ---------------------------------------------------------------------------
+# Dynamic Client Registration (RFC 7591)
+# ---------------------------------------------------------------------------
+
+
+@dataclass
+class RegisteredClient:
+    client_id: str
+    client_name: str
+    redirect_uris: tuple[str, ...]
+    issued_at: int | None = None
+
+
+def register_client(
+    *,
+    base_url: str | None = None,
+    client_name: str = CLIENT_NAME,
+    redirect_uris: tuple[str, ...] = (f"http://127.0.0.1:0{CALLBACK_PATH}",),
+) -> RegisteredClient:
+    base_url = base_url or get_base_url()
+    """Register the CLI as a public native client via DCR.
+
+    The redirect_uris field must be present at registration; for a CLI we
+    register a generic loopback placeholder. The actual port is decided at
+    login time and validated by the server policy (loopback-with-any-port).
+    """
+    body = {
+        "redirect_uris": list(redirect_uris),
+        "application_type": "native",
+        "client_name": client_name,
+        "token_endpoint_auth_method": "none",
+        "grant_types": ["authorization_code", "refresh_token"],
+        "response_types": ["code"],
+    }
+    try:
+        resp = _post_json(f"{base_url}/oauth/register", body)
+    except _HTTPFail as e:
+        raise OAuthRegisterError(
+            f"failed to register CLI as an OAuth client at {base_url}: {e}",
+            hint="check that the cloud server is reachable and accepts public-client registration",
+            details={"status": e.status, "body": e.body},
+        ) from None
+    if "client_id" not in resp:
+        raise OAuthRegisterError(
+            "oauth/register response did not include client_id",
+            details={"response": resp},
+        )
+    return RegisteredClient(
+        client_id=resp["client_id"],
+        client_name=resp.get("client_name", client_name),
+        redirect_uris=tuple(resp.get("redirect_uris", redirect_uris)),
+        issued_at=resp.get("client_id_issued_at"),
+    )
+
+
+# ---------------------------------------------------------------------------
+# Localhost callback server
+# ---------------------------------------------------------------------------
+
+
+@dataclass
+class _CallbackCapture:
+    """Thread-shared bucket the HTTP handler fills, that ``run_oauth_login``
+    blocks on."""
+
+    code: str | None = None
+    state: str | None = None
+    error: str | None = None
+    error_description: str | None = None
+    received_event: threading.Event = field(default_factory=threading.Event)
+
+
+def _build_handler(
+    *,
+    expected_state: str,
+    capture: _CallbackCapture,
+    success_html: str,
+    failure_html: str,
+) -> type[BaseHTTPRequestHandler]:
+    class CallbackHandler(BaseHTTPRequestHandler):  # noqa: D401 - http server
+        # Suppress access-log noise to stderr; we have our own logging.
+        def log_message(self, format: str, *args: Any) -> None:  # noqa: ARG002
+            pass
+
+        def do_GET(self) -> None:  # noqa: N802 (stdlib name)
+            parsed = urllib.parse.urlsplit(self.path)
+            if parsed.path != _CALLBACK_PATH:
+                self.send_response(404)
+                self.end_headers()
+                return
+            qs = urllib.parse.parse_qs(parsed.query)
+            error = qs.get("error", [None])[0]
+            error_description = qs.get("error_description", [None])[0]
+            code = qs.get("code", [None])[0]
+            state = qs.get("state", [None])[0]
+
+            html_body: str
+            if error or not code or state != expected_state:
+                capture.error = error or "missing_code_or_state_mismatch"
+                capture.error_description = error_description
+                html_body = failure_html
+                self.send_response(400)
+            else:
+                capture.code = code
+                capture.state = state
+                html_body = success_html
+                self.send_response(200)
+            payload = html_body.encode("utf-8")
+            self.send_header("Content-Type", "text/html; charset=utf-8")
+            self.send_header("Content-Length", str(len(payload)))
+            # No caching — these are one-shot pages.
+            self.send_header("Cache-Control", "no-store")
+            self.end_headers()
+            try:
+                self.wfile.write(payload)
+            except OSError:
+                pass
+            finally:
+                capture.received_event.set()
+
+    return CallbackHandler
+
+
+def _pick_free_port() -> int:
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+    s.bind((_LOOPBACK_HOST, 0))
+    port = s.getsockname()[1]
+    s.close()
+    return port
+
+
+_SUCCESS_HTML = """<!doctype html>
+<html><head><title>comfy CLI — signed in</title>
+<style>
+body{font:14px/1.5 -apple-system, system-ui, sans-serif;color:#222;background:#fafafa;display:flex;align-items:center;justify-content:center;height:100vh;margin:0}
+.card{background:#fff;border:1px solid #ddd;border-radius:8px;padding:32px 40px;text-align:center;box-shadow:0 1px 3px rgba(0,0,0,.04)}
+h1{font-size:18px;margin:0 0 8px}
+p{margin:4px 0;color:#555}
+.ok{color:#0a7f29;font-weight:600}
+.dim{color:#888;font-size:12px;margin-top:16px}
+</style></head><body>
+<div class="card">
+<h1><span class="ok">✓</span> Signed in to Comfy Cloud</h1>
+<p>You can close this tab and return to the terminal.</p>
+<p class="dim">comfy CLI · __HOST__</p>
+</div></body></html>"""
+
+_FAILURE_HTML = """<!doctype html>
+<html><head><title>comfy CLI — sign-in failed</title>
+<style>
+body{font:14px/1.5 -apple-system, system-ui, sans-serif;color:#222;background:#fafafa;display:flex;align-items:center;justify-content:center;height:100vh;margin:0}
+.card{background:#fff;border:1px solid #f0c0c0;border-radius:8px;padding:32px 40px;text-align:center;box-shadow:0 1px 3px rgba(0,0,0,.04)}
+h1{font-size:18px;margin:0 0 8px;color:#b32020}
+p{margin:4px 0;color:#555}
+.dim{color:#888;font-size:12px;margin-top:16px}
+</style></head><body>
+<div class="card">
+<h1>✗ Sign-in failed</h1>
+<p>Return to the terminal for details.</p>
+<p class="dim">comfy CLI</p>
+</div></body></html>"""
+
+
+# ---------------------------------------------------------------------------
+# Token result
+# ---------------------------------------------------------------------------
+
+
+@dataclass
+class TokenSet:
+    access_token: str
+    refresh_token: str | None
+    token_type: str
+    expires_in: int | None
+    expires_at: int | None  # absolute epoch seconds
+    scope: str | None
+
+    def to_dict(self) -> dict:
+        return {
+            "access_token": self.access_token,
+            "refresh_token": self.refresh_token,
+            "token_type": self.token_type,
+            "expires_in": self.expires_in,
+            "expires_at": self.expires_at,
+            "scope": self.scope,
+        }
+
+
+def _token_set_from_response(resp: dict) -> TokenSet:
+    access = resp.get("access_token")
+    if not access:
+        raise OAuthTokenError(
+            "token response missing access_token",
+            details={"response": _redact_token_response(resp)},
+        )
+    expires_in = resp.get("expires_in")
+    expires_at = int(time.time()) + int(expires_in) if isinstance(expires_in, (int, float)) else None
+    return TokenSet(
+        access_token=access,
+        refresh_token=resp.get("refresh_token"),
+        token_type=resp.get("token_type", "Bearer"),
+        expires_in=expires_in,
+        expires_at=expires_at,
+        scope=resp.get("scope"),
+    )
+
+
+def _redact_token_response(resp: dict) -> dict:
+    """Strip access_token / refresh_token before stuffing into error details."""
+    redacted = dict(resp)
+    for k in ("access_token", "refresh_token"):
+        if k in redacted and isinstance(redacted[k], str):
+            v = redacted[k]
+            redacted[k] = (v[:6] + "…") if len(v) > 6 else "…"
+    return redacted
+
+
+# ---------------------------------------------------------------------------
+# The full flow
+# ---------------------------------------------------------------------------
+
+
+@dataclass
+class LoginResult:
+    tokens: TokenSet
+    client_id: str
+    base_url: str
+    resource: str
+    scope: str
+    redirect_uri: str
+
+    def to_storage_record(self) -> dict:
+        return {
+            "kind": "oauth",
+            "base_url": self.base_url,
+            "resource": self.resource,
+            "client_id": self.client_id,
+            "scope": self.scope,
+            "tokens": self.tokens.to_dict(),
+        }
+
+
+def run_login(
+    *,
+    base_url: str | None = None,
+    resource: str | None = None,
+    scopes: tuple[str, ...] | None = None,
+    client_id: str = CLIENT_ID,
+    client_name: str = CLIENT_NAME,
+    open_browser: bool = True,
+    timeout_s: float = _AUTH_DEFAULT_TIMEOUT_S,
+    on_url_ready: Any = None,
+    register_if_missing: bool = False,
+) -> LoginResult:
+    """Run the full Authorization Code + PKCE flow.
+
+    ``client_id`` defaults to the first-party ``comfy-cli`` provisioned
+    in the cloud's seed migration. Pass ``register_if_missing=True`` to fall
+    back to RFC 7591 Dynamic Client Registration if the first-party client is
+    rejected (e.g., on a dev backend that hasn't been seeded).
+
+    ``on_url_ready`` is an optional callback invoked with the authorize URL
+    once it's been constructed but before the browser is opened. Used by the
+    pretty-mode renderer to print the URL for headless users.
+    """
+    from comfy_cli.cloud import get_resource_url, get_scopes
+
+    base_url = base_url or get_base_url()
+    resource = resource or get_resource_url()
+    scopes = scopes or get_scopes()
+
+    if not client_id and not register_if_missing:
+        raise OAuthAuthorizeError(
+            "no client_id and register_if_missing=False",
+            hint="pass an explicit client_id or set register_if_missing=True",
+        )
+    if not client_id and register_if_missing:
+        registered = register_client(base_url=base_url, client_name=client_name)
+        client_id = registered.client_id
+
+    # 2. PKCE + state.
+    verifier, challenge = generate_pkce_pair()
+    state = generate_state()
+
+    # 3. Stand up the loopback server before we send the URL. Bind to port 0
+    #    and read back the OS-assigned port to avoid a pick-then-bind TOCTOU race.
+    capture = _CallbackCapture()
+    success_html = _SUCCESS_HTML.replace("__HOST__", urllib.parse.urlsplit(base_url).netloc or base_url)
+    handler_cls = _build_handler(
+        expected_state=state,
+        capture=capture,
+        success_html=success_html,
+        failure_html=_FAILURE_HTML,
+    )
+    server = http.server.HTTPServer((_LOOPBACK_HOST, 0), handler_cls)
+    server.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+    port = int(server.server_address[1])
+    redirect_uri = f"http://{_LOOPBACK_HOST}:{port}{_CALLBACK_PATH}"
+    server_thread = threading.Thread(target=server.handle_request, daemon=True)
+    server_thread.start()
+
+    try:
+        # 4. Build authorize URL.
+        authorize_url = _build_authorize_url(
+            base_url=base_url,
+            client_id=client_id,
+            redirect_uri=redirect_uri,
+            scopes=scopes,
+            state=state,
+            challenge=challenge,
+            resource=resource,
+        )
+        if on_url_ready is not None:
+            try:
+                on_url_ready(authorize_url)
+            except Exception:  # noqa: BLE001 — callback errors must not break login
+                pass
+
+        if open_browser:
+            # webbrowser.open returns True if it *thinks* it succeeded — but we
+            # still let the user click the link manually if they need to.
+            try:
+                webbrowser.open(authorize_url, new=2, autoraise=True)
+            except Exception:  # noqa: BLE001
+                pass
+
+        # 5. Wait for callback (or timeout).
+        got = capture.received_event.wait(timeout=timeout_s)
+        if not got:
+            raise OAuthTimeout(
+                f"timed out waiting for browser callback after {int(timeout_s)}s",
+                hint="re-run `comfy auth login` and complete the sign-in in your browser",
+            )
+        if capture.error or not capture.code:
+            raise OAuthAuthorizeError(
+                f"authorization failed: {capture.error or 'no code returned'}",
+                hint="re-run `comfy auth login` and check for typos or browser blockers",
+                details={
+                    "oauth_error": capture.error,
+                    "oauth_error_description": capture.error_description,
+                },
+            )
+    finally:
+        # Best-effort cleanup; the daemon thread will exit after handle_request returns.
+        try:
+            server.server_close()
+        except OSError:
+            pass
+
+    # 6. Exchange code for tokens. resource= must be echoed on the token
+    # request (RFC 8707) so the issuer can audience-bind the resulting JWT.
+    tokens = exchange_code(
+        base_url=base_url,
+        client_id=client_id,
+        code=capture.code,
+        redirect_uri=redirect_uri,
+        code_verifier=verifier,
+        resource=resource,
+    )
+
+    return LoginResult(
+        tokens=tokens,
+        client_id=client_id,
+        base_url=base_url,
+        resource=resource,
+        scope=" ".join(scopes),
+        redirect_uri=redirect_uri,
+    )
+
+
+def _build_authorize_url(
+    *,
+    base_url: str,
+    client_id: str,
+    redirect_uri: str,
+    scopes: tuple[str, ...],
+    state: str,
+    challenge: str,
+    resource: str,
+) -> str:
+    params = {
+        "response_type": "code",
+        "client_id": client_id,
+        "redirect_uri": redirect_uri,
+        "scope": " ".join(scopes),
+        "state": state,
+        "code_challenge": challenge,
+        "code_challenge_method": "S256",
+        "resource": resource,
+    }
+    return f"{base_url}/oauth/authorize?{urllib.parse.urlencode(params)}"
+
+
+def exchange_code(
+    *,
+    base_url: str,
+    client_id: str,
+    code: str,
+    redirect_uri: str,
+    code_verifier: str,
+    resource: str | None = None,
+) -> TokenSet:
+    body = {
+        "grant_type": "authorization_code",
+        "code": code,
+        "client_id": client_id,
+        "redirect_uri": redirect_uri,
+        "code_verifier": code_verifier,
+    }
+    # RFC 8707 resource indicator: must be echoed on the token request so the
+    # issuer can mint an audience-bound token. Skipping it makes
+    # audience-enforcing servers reject the exchange.
+    if resource:
+        body["resource"] = resource
+    try:
+        resp = _post_form(f"{base_url}/oauth/token", body)
+    except _HTTPFail as e:
+        raise OAuthTokenError(
+            f"token exchange failed: {e}",
+            hint="re-run `comfy auth login` to start a fresh authorization",
+            details={"status": e.status, "body": e.body},
+        ) from None
+    return _token_set_from_response(resp)
+
+
+def refresh_tokens(
+    *,
+    base_url: str,
+    client_id: str,
+    refresh_token: str,
+    resource: str | None = None,
+    scopes: tuple[str, ...] | None = None,
+) -> TokenSet:
+    body = {
+        "grant_type": "refresh_token",
+        "refresh_token": refresh_token,
+        "client_id": client_id,
+    }
+    if resource:
+        body["resource"] = resource
+    if scopes:
+        body["scope"] = " ".join(scopes)
+    try:
+        resp = _post_form(f"{base_url}/oauth/token", body)
+    except _HTTPFail as e:
+        raise OAuthRefreshError(
+            f"refresh failed: {e}",
+            hint="run `comfy auth login` to sign in again",
+            details={"status": e.status, "body": e.body},
+        ) from None
+    return _token_set_from_response(resp)
+
+
+# Upper bound on how long a waiter blocks for the refresh lock. The holder
+# only keeps it for one token POST (``_HTTP_TIMEOUT_S`` = 30s), so this leaves
+# headroom for that round-trip plus the read-modify-write. If it's ever
+# exceeded (a wedged peer) we fall back to whatever is persisted rather than
+# racing an in-flight refresh.
+_REFRESH_LOCK_TIMEOUT_S = 45.0
+
+# OAuth2 token-endpoint error codes that mean the refresh-token *family* is
+# truly dead — only a fresh ``comfy cloud login`` can recover, so we clear the
+# stored session. Everything else is deliberately NOT fatal (see below).
+_FATAL_TOKEN_ERROR_CODES = ("invalid_grant", "invalid_token")
+
+
+def _is_fatal_token_error(exc: OAuthRefreshError) -> bool:
+    """True only when a refresh failure means the whole token *family* is dead.
+
+    The auth server rotates refresh tokens and does reuse detection: a spent
+    (or replayed) refresh token comes back as ``invalid_grant`` ("refresh
+    token reuse detected") and the server invalidates the entire family. That,
+    and an explicit ``invalid_token`` / reuse signal, are the only failures that
+    justify wiping the login.
+
+    This is gated on the *error code in the response body*, NOT the bare HTTP
+    status. A previous version treated every 400/401 as fatal, which logged the
+    user out on recoverable failures: a 401 ``invalid_client`` (the
+    dynamically-registered client was GC'd server-side → re-register, don't
+    re-login) or a 400 ``invalid_request`` / ``invalid_scope`` (a config/audience
+    bug) would needlessly destroy a perfectly good session. A status of 0
+    (network/URLError) or a 5xx is transient and likewise never fatal.
+
+    Unknown / unparseable 4xx is treated as NON-fatal so a single odd response
+    can't wipe the login: the reactive path retries at most once and then
+    surfaces the 401, and the proactive path falls back to the local expiry
+    check — neither can loop on a dead token, so keeping the session is safe.
+    """
+    blob = f"{exc.details.get('body', '')} {exc}".lower()
+    if "reuse" in blob:
+        return True
+    return any(code in blob for code in _FATAL_TOKEN_ERROR_CODES)
+
+
+# The reason from the most recent fatal refresh, stashed per-thread so the
+# caller (which only sees ``ensure_fresh_session`` return ``None``) can surface
+# the auth server's *actual* error_description instead of a canned guess. The
+# refresh and the caller that reports it run in the same thread/call-stack, so a
+# thread-local is the right scope — and it can't leak a stale reason across
+# unrelated commands the way a module global would.
+_last_fatal = threading.local()
+
+
+def _describe_token_error(exc: OAuthRefreshError) -> str | None:
+    """Pull a short, human-facing reason out of an RFC 6749 §5.2 token-error
+    body — e.g. ``invalid_grant: workspace membership lost``. Returns ``None``
+    when the body carries nothing useful (network error, empty body)."""
+    body = exc.details.get("body", "")
+    err = desc = None
+    if isinstance(body, str) and body.strip():
+        try:
+            data = json.loads(body)
+        except (ValueError, TypeError):
+            data = None
+        if isinstance(data, dict):
+            err = data.get("error")
+            desc = data.get("error_description")
+    if err and desc:
+        return f"{err}: {desc}"
+    if err:
+        return str(err)
+    if desc:
+        return str(desc)
+    return None
+
+
+def _record_fatal_refresh(exc: OAuthRefreshError) -> None:
+    _last_fatal.reason = _describe_token_error(exc)
+
+
+def take_last_fatal_refresh_reason() -> str | None:
+    """Return (and clear) the reason recorded by the most recent fatal refresh
+    on this thread. One-shot: a second call returns ``None`` so a stale reason
+    can never attach to an unrelated later failure."""
+    reason = getattr(_last_fatal, "reason", None)
+    _last_fatal.reason = None
+    return reason
+
+
+def ensure_fresh_session(*, leeway_s: int = 60, force: bool = False, allow_clear: bool = True):
+    """Return the stored cloud session, refreshing it first when the access
+    token is expired (or within ``leeway_s`` of expiring) and a refresh token
+    is available.
+
+    The access-token lifetime is set by the auth server (short by design);
+    this spends the long-lived refresh token to keep the *session* alive, so a
+    user who keeps working within the refresh window never has to re-run
+    ``comfy cloud login``. Best-effort: on a *transient* refresh failure it
+    returns the existing (stale) session so the caller's own expiry check still
+    fires. Returns ``None`` when there is no session at all — or when a refresh
+    hit reuse-detection / ``invalid_grant`` (the family is dead, so the stored
+    session is cleared and the caller surfaces the ``cloud_unauthorized``
+    "run ``comfy cloud login``" guidance).
+
+    ``force=True`` refreshes regardless of the *local* expiry check. Use it on
+    the reactive path after a server 401 (which is authoritative): the access
+    token has been rejected even if our clock — skewed, or with no
+    ``expires_at`` recorded — still thinks it is valid. The refresh token is
+    still required; without one this is a no-op.
+
+    ``allow_clear=False`` keeps the stored session on disk even when a refresh
+    hits a fatal token error (reuse-detection / ``invalid_grant``). Background,
+    read-mostly callers (the detached ``comfy run`` watcher) pass this so a
+    single transient blip — or a *spurious* invalid_grant from a token replay —
+    can never wipe the login out from under the foreground command that owns the
+    session lifecycle. The refresh still returns ``None`` so the caller knows it
+    could not freshen the token; it just declines to destroy the shared session.
+
+    Concurrency: the auth server rotates the refresh token on every refresh and
+    invalidates the old one. A parallel ``comfy run`` fan-out (plus background
+    ``jobs watch`` processes) would otherwise have N processes each load the
+    same stored token and POST refresh concurrently — the first wins, the rest
+    replay a consumed token and trip reuse-detection, killing the whole family.
+    To prevent that, the *decide → POST → persist* sequence runs under a
+    cross-process file lock (the same lock the secret store uses) with a
+    double-check after acquisition: if a peer already rotated the token while
+    we waited, we use the freshly persisted one instead of spending ours again.
+    """
+    from comfy_cli.auth import store as auth_store
+
+    session = auth_store.get_cloud_session()
+    if session is None or not session.refresh_token:
+        return session
+    if not force and not session.is_expired(leeway_s=leeway_s):
+        # Fast path: token is comfortably valid. No lock, no network — keeps
+        # the proactive ``resolve_target`` leg cheap on the common case.
+        return session
+
+    # A refresh is indicated. Serialize the whole decide→refresh→persist across
+    # processes so concurrent callers coalesce into a single network refresh
+    # and a rotated refresh token is never replayed by a second waiter.
+    from comfy_cli import locking
+
+    observed_refresh_token = session.refresh_token
+    try:
+        with locking.file_lock(auth_store.lock_path(), timeout=_REFRESH_LOCK_TIMEOUT_S):
+            return _locked_refresh(
+                auth_store,
+                observed_refresh_token=observed_refresh_token,
+                leeway_s=leeway_s,
+                force=force,
+                allow_clear=allow_clear,
+            )
+    except TimeoutError:
+        # A peer has held the lock longer than a refresh should take. Don't
+        # race it (a refresh outside the lock could replay a token a peer is
+        # mid-rotation on) and don't re-read the store here — get_cloud_session
+        # re-acquires this same lock with no timeout and could block past our
+        # budget. Return the pre-lock session; the caller's own expiry check
+        # decides, and at worst one stale-token 401 surfaces — the session is
+        # preserved, never wiped.
+        return session
+
+
+def _locked_refresh(auth_store, *, observed_refresh_token: str, leeway_s: int, force: bool, allow_clear: bool = True):
+    """Decide → POST → persist, executed while holding the secrets lock.
+
+    Re-reads the persisted session first (double-checked locking): if a peer
+    rotated the refresh token while we waited for the lock, we adopt the new
+    one rather than spending the now-consumed token we observed before locking.
+    """
+    session = auth_store.get_cloud_session()
+    if session is None or not session.refresh_token:
+        return session
+
+    # Double-check after acquiring the lock. A peer may have refreshed while we
+    # blocked: if the stored refresh token rotated away from what we observed
+    # before locking, the family already advanced — use it, never re-send the
+    # consumed token (that is exactly what trips reuse-detection).
+    if session.refresh_token != observed_refresh_token:
+        return session
+    if not force and not session.is_expired(leeway_s=leeway_s):
+        # Peer advanced the access token's expiry without us noticing a token
+        # rotation (e.g. same token, fresh enough now). Nothing to do.
+        return session
+
+    from comfy_cli.cloud import CLIENT_ID, get_resource_url
+
+    try:
+        new_tokens = refresh_tokens(
+            base_url=session.base_url,
+            client_id=session.client_id or CLIENT_ID,
+            refresh_token=session.refresh_token,
+            resource=session.resource or get_resource_url(),
+        )
+    except OAuthRefreshError as e:
+        if _is_fatal_token_error(e):
+            # Reuse-detected / invalid_grant: as far as the token endpoint is
+            # concerned the family is dead. Drop the stored tokens so they're
+            # never replayed in a loop, and signal the caller (via ``None``) to
+            # surface the cloud_unauthorized guidance.
+            #
+            # Record the server's actual error_description (e.g. "workspace
+            # membership lost", "resource state changed", "refresh token reuse
+            # detected") so the caller can report *why* instead of a canned
+            # guess — these look identical to the user otherwise but point at
+            # very different root causes.
+            #
+            # ``allow_clear=False`` (background watcher) declines to wipe the
+            # shared session: the foreground command owns its lifecycle, and a
+            # spurious invalid_grant from a transient blip must not log the user
+            # off mid-run. We still return ``None`` so the watcher knows the
+            # refresh did not produce a usable token.
+            _record_fatal_refresh(e)
+            if allow_clear:
+                auth_store.clear_cloud_session()
+            return None
+        return session  # transient (network) — keep the stale session
+    except Exception:  # noqa: BLE001 — any other error is best-effort
+        return session
+
+    # Atomic persist of the rotated family before the lock is released, so the
+    # next process reads the new tokens (save_cloud_session writes tmp+rename).
+    #
+    # This server rotates the refresh token on every successful refresh and does
+    # reuse detection — the whole lock design above relies on that. So once the
+    # refresh succeeds the token we sent is *spent*; we must NOT fall back to
+    # re-persisting it if the response somehow omits a new one (an old
+    # ``... or session.refresh_token`` fallback). Re-saving the consumed token
+    # would guarantee an ``invalid_grant`` (and a forced logout) on the very
+    # next use. Persisting ``None`` instead keeps the user authenticated on the
+    # fresh access token and degrades to a clean re-login when it expires,
+    # rather than tripping reuse-detection mid-use.
+    _last_fatal.reason = None  # success — drop any reason from an earlier attempt
+    return auth_store.save_cloud_session(
+        base_url=session.base_url,
+        resource=session.resource,
+        client_id=session.client_id,
+        scope=session.scope,
+        access_token=new_tokens.access_token,
+        refresh_token=new_tokens.refresh_token,
+        token_type=new_tokens.token_type,
+        expires_at=new_tokens.expires_at,
+    )
+
+
+# ---------------------------------------------------------------------------
+# Tiny HTTP helpers (stdlib only — no external deps)
+# ---------------------------------------------------------------------------
+
+
+class _HTTPFail(Exception):
+    def __init__(self, status: int, body: str):
+        self.status = status
+        self.body = body
+        super().__init__(f"HTTP {status}: {body[:200]}")
+
+
+def _post_json(url: str, body: dict) -> dict:
+    data = json.dumps(body).encode("utf-8")
+    req = urllib.request.Request(
+        url,
+        data=data,
+        method="POST",
+        headers={"Content-Type": "application/json", "Accept": "application/json"},
+    )
+    return _send_and_parse(req)
+
+
+def _post_form(url: str, body: dict) -> dict:
+    data = urllib.parse.urlencode(body).encode("ascii")
+    req = urllib.request.Request(
+        url,
+        data=data,
+        method="POST",
+        headers={
+            "Content-Type": "application/x-www-form-urlencoded",
+            "Accept": "application/json",
+        },
+    )
+    return _send_and_parse(req)
+
+
+def _assert_https_or_loopback(url: str) -> None:
+    """OAuth carries client_secrets and authorization codes — refuse cleartext.
+
+    Loopback is exempt (no wire to sniff); everything else must be https.
+    """
+    parsed = urllib.parse.urlsplit(url)
+    if parsed.scheme == "https":
+        return
+    host = (parsed.hostname or "").lower()
+    if host in {"localhost", "127.0.0.1", "::1"}:
+        return
+    raise _HTTPFail(0, f"refusing plaintext HTTP for OAuth endpoint: {url}")
+
+
+# Refuse redirects: an evil 302 from the token endpoint to attacker.example
+# would replay the verifier + code at the redirect target.
+class _NoRedirect(urllib.request.HTTPRedirectHandler):
+    def http_error_301(self, req, fp, code, msg, headers):
+        raise HTTPError(req.full_url, code, "redirect refused", headers, fp)
+
+    http_error_302 = http_error_303 = http_error_307 = http_error_308 = http_error_301
+
+
+_OAUTH_OPENER = urllib.request.build_opener(_NoRedirect())
+
+
+def _send_and_parse(req: urllib.request.Request) -> dict:
+    _assert_https_or_loopback(req.full_url)
+    try:
+        with _OAUTH_OPENER.open(req, timeout=_HTTP_TIMEOUT_S) as resp:
+            raw = resp.read().decode("utf-8", errors="replace") or "{}"
+            return json.loads(raw)
+    except HTTPError as e:
+        body = e.read().decode("utf-8", errors="replace") if hasattr(e, "read") else ""
+        raise _HTTPFail(e.code, body) from None
+    except URLError as e:
+        raise _HTTPFail(0, str(e)) from None
+    except json.JSONDecodeError as e:
+        raise _HTTPFail(200, f"non-JSON response body: {e}") from None
diff --git a/comfy_cli/cmdline.py b/comfy_cli/cmdline.py
index e59c0450..c7a5202d 100644
--- a/comfy_cli/cmdline.py
+++ b/comfy_cli/cmdline.py
@@ -1,3 +1,4 @@
+import json
 import os
 import subprocess
 import sys
@@ -6,24 +7,51 @@
 
 import questionary
 import typer
-from rich import print as rprint
 from rich.console import Console
 
-from comfy_cli import constants, env_checker, logging, tracking, ui, utils
-from comfy_cli.command import code_search, custom_nodes, pr_command
+from comfy_cli import cancellation, constants, env_checker, logging, tracking, ui, utils
+from comfy_cli import where as where_module
+from comfy_cli.auth import command as auth_command
+from comfy_cli.cloud import command as cloud_command
+from comfy_cli.command import (
+    code_search,
+    custom_nodes,
+    pr_command,
+)
 from comfy_cli.command import generate as generate_command
 from comfy_cli.command import install as install_inner
+from comfy_cli.command import (
+    jobs as jobs_command,
+)
+from comfy_cli.command import (
+    nodes as nodes_command,
+)
+from comfy_cli.command import (
+    project as project_command,
+)
 from comfy_cli.command import run as run_inner
+from comfy_cli.command import run_cli as run_cli_inner
+from comfy_cli.command import (
+    templates as templates_command,
+)
+from comfy_cli.command import transfer as transfer_inner
+from comfy_cli.command import (
+    workflow as workflow_command,
+)
 from comfy_cli.command.install import validate_version
 from comfy_cli.command.launch import launch as launch_command
 from comfy_cli.command.models import models as models_command
+from comfy_cli.command.models import search as models_search_command
 from comfy_cli.config_manager import ConfigManager
 from comfy_cli.constants import GPU_OPTION, CUDAVersion, ROCmVersion
 from comfy_cli.cuda_detect import DEFAULT_CUDA_TAG, detect_cuda_driver_version, resolve_cuda_wheel
+from comfy_cli.discovery import build_discovery
 from comfy_cli.env_checker import EnvChecker
+from comfy_cli.help_json import build_help_json
+from comfy_cli.output import Renderer, get_renderer, rprint, set_renderer
 from comfy_cli.resolve_python import resolve_workspace_python
+from comfy_cli.skills import command as skill_command
 from comfy_cli.standalone import StandalonePython
-from comfy_cli.update import check_for_updates
 from comfy_cli.uv import DependencyCompiler
 from comfy_cli.workspace_manager import WorkspaceManager, check_comfy_repo
 
@@ -35,7 +63,42 @@
 
 
 def main():
-    app()
+    # Install the SIGINT handler BEFORE Typer parses argv and runs the
+    # subcommand. Otherwise a Ctrl-C during the first ~100ms (argv parsing,
+    # the lazy imports of auth/cql/cloud, ConfigManager construction) hits
+    # Python's default handler and the user sees a bare KeyboardInterrupt
+    # traceback instead of the documented `cancelled` envelope.
+    cancellation.install_sigint_handler()
+    # Run the Typer app. If the command path called renderer.error(...) and
+    # returned without raising typer.Exit, we still need to surface the
+    # non-zero exit code at the OS level — otherwise the envelope says
+    # ok:false but the shell sees 0 and downstream tools think we succeeded.
+    try:
+        app()
+    except KeyboardInterrupt:
+        # SIGINT path: emit a cancelled envelope if one hasn't been written yet.
+        try:
+            from comfy_cli.output import get_renderer
+
+            r = get_renderer()
+            if not r._envelope_emitted and r.is_json():
+                r.error(code="cancelled", message="Cancelled by user", exit_code=130)
+        except Exception:
+            pass
+        sys.exit(130)
+    except (typer.Exit, SystemExit):
+        raise
+    # No exception → command returned cleanly. If the renderer recorded a
+    # non-zero exit code (from a `renderer.error(...)` that forgot to also
+    # `raise typer.Exit(...)`), honor it.
+    try:
+        from comfy_cli.output import get_renderer
+
+        rc = get_renderer().exit_code
+    except Exception:  # noqa: BLE001 — never break the success path on renderer issues
+        rc = 0
+    if rc:
+        sys.exit(rc)
 
 
 class MutuallyExclusiveValidator:
@@ -112,18 +175,138 @@ def entry(
         "-v",
         help="Print version and exit",
     ),
+    json_output: Annotated[
+        bool,
+        typer.Option(
+            "--json",
+            show_default=False,
+            help="Emit a structured JSON envelope on stdout. Side messages go to stderr.",
+        ),
+    ] = False,
+    json_stream: Annotated[
+        bool,
+        typer.Option(
+            "--json-stream",
+            show_default=False,
+            help="Emit one NDJSON event per line; final line is the envelope.",
+        ),
+    ] = False,
+    no_json: Annotated[
+        bool,
+        typer.Option(
+            "--no-json",
+            show_default=False,
+            help="Force pretty output even when auto-detection would pick JSON.",
+        ),
+    ] = False,
+    help_json: Annotated[
+        bool,
+        typer.Option(
+            "--help-json",
+            show_default=False,
+            help="Print machine-readable help for the entire CLI and exit.",
+        ),
+    ] = False,
+    where: Annotated[
+        str | None,
+        typer.Option(
+            "--where",
+            show_default=False,
+            help="Routing mode for this invocation: 'local' or 'cloud'. "
+            "Overrides COMFY_WHERE and the persisted default (`comfy set-default --where`). "
+            "Subcommands inherit this — no need to repeat it on each one.",
+        ),
+    ] = None,
 ):
+    # 1. Resolve output mode and install the process-wide renderer. This must
+    #    happen before any rprint() call so all output is routed correctly.
+    cli_version = ConfigManager().get_cli_version()
+    renderer = Renderer.resolve(
+        json_flag=json_output or None,
+        json_stream_flag=json_stream or None,
+        no_json_flag=no_json,
+        command=ctx.invoked_subcommand or "",
+        version=cli_version,
+    )
+    set_renderer(renderer)
+
+    # Global `--where` is sugar over COMFY_WHERE. Setting the env var here so
+    # the existing precedence chain in ``where.resolve()`` picks it up for
+    # every subcommand without each one having to wire its own flag.
+    if where:
+        try:
+            where_module._parse(where)  # validate now — fail fast on `--where cloudy`
+        except ValueError as e:
+            get_renderer().error(code="where_invalid", message=str(e), hint="use --where local or --where cloud")
+            raise typer.Exit(code=1) from e
+        os.environ["COMFY_WHERE"] = where.strip().lower()
+
+    # 2. Install SIGINT → cancellation token. Idempotent; safe to call before
+    #    any long-running operation in subcommands.
+    cancellation.install_sigint_handler()
+
+    # 3. Agentic callers shouldn't get interactive prompts.
+    if renderer.caller.agentic:
+        skip_prompt = True
+
+    if help_json:
+        doc = build_help_json(app)
+        # In JSON mode, wrap in the standard envelope so consumers can parse
+        # the same shape they get from every other command. In pretty mode
+        # (rare for --help-json but possible), emit the raw doc — there's no
+        # envelope to compete with on stdout.
+        if renderer.is_json():
+            renderer.emit(doc, command="help")
+        else:
+            sys.stdout.write(json.dumps(doc, indent=2, default=str) + "\n")
+        ctx.exit(0)
+
     if version:
-        rprint(ConfigManager().get_cli_version())
+        if renderer.is_json():
+            renderer.emit({"version": cli_version}, command="version")
+        else:
+            rprint(cli_version)
         ctx.exit(0)
 
     workspace_manager.setup_workspace_manager(workspace, here, recent, skip_prompt)
 
-    tracking.prompt_tracking_consent(skip_prompt, default_value=enable_telemetry)
+    # `comfy setup` owns the telemetry consent decision as a branded wizard step
+    # (with full disclosure). Suppress the bare global prompt for that one command
+    # so the user is asked exactly once, in the right place — not pre-empted here.
+    if ctx.invoked_subcommand != "setup":
+        tracking.prompt_tracking_consent(skip_prompt, default_value=enable_telemetry)
 
     if ctx.invoked_subcommand is None:
-        rprint("[bold yellow]Welcome to Comfy CLI![/bold yellow]: https://github.com/Comfy-Org/comfy-cli")
-        rprint(ctx.get_help())
+        if renderer.is_json():
+            renderer.emit(
+                {
+                    "welcome": "Comfy CLI",
+                    "homepage": "https://github.com/Comfy-Org/comfy-cli",
+                    "hint": "run `comfy --help-json` for the full surface or `comfy --help` for human help.",
+                },
+                command="welcome",
+            )
+        else:
+            from comfy_cli.credentials import get_session as _get_session
+            from comfy_cli.output.branding import intro_banner
+            from comfy_cli.update import latest_upgrade_version
+
+            _session = _get_session(refresh=False)
+            _signed_in = _session is not None and not _session.is_expired()
+            _base_url = _session.base_url if _session else ""
+            if not _base_url:
+                from comfy_cli.cloud import get_base_url as _get_base_url
+
+                _base_url = _get_base_url()
+            _update_hint = latest_upgrade_version(cli_version, ConfigManager().get_config_path())
+            renderer.console().print(
+                intro_banner(
+                    version=ConfigManager().get_cli_version(),
+                    signed_in=_signed_in,
+                    base_url=_base_url,
+                    update_hint=_update_hint,
+                )
+            )
         ctx.exit()
 
     # TODO: Move this to proper place
@@ -279,7 +462,6 @@ def install(
         ),
     ] = None,
 ):
-    check_for_updates()
     checker = EnvChecker()
 
     comfy_path, _ = workspace_manager.get_workspace_path()
@@ -384,22 +566,29 @@ def install(
     rprint(f"ComfyUI is installed at: {comfy_path}")
 
 
-@app.command(help="Update ComfyUI Environment [all|comfy]")
+@app.command(help="Update ComfyUI Environment [all|comfy|cli]")
 @tracking.track_command()
 def update(
     target: str = typer.Argument(
         "comfy",
-        help="[all|comfy]",
-        autocompletion=utils.create_choice_completer(["all", "comfy"]),
+        help="[all|comfy|cli]",
+        autocompletion=utils.create_choice_completer(["all", "comfy", "cli"]),
     ),
 ):
-    if target not in ["all", "comfy"]:
+    if target not in ["all", "comfy", "cli"]:
         typer.echo(
-            f"Invalid target: {target}. Allowed targets are 'all', 'comfy'.",
+            f"Invalid target: {target}. Allowed targets are 'all', 'comfy', 'cli'.",
             err=True,
         )
         raise typer.Exit(code=1)
 
+    if "cli" == target:
+        from comfy_cli.update import upgrade_cli
+
+        rprint("Updating comfy-cli...")
+        upgrade_cli()
+        return
+
     comfy_path = workspace_manager.workspace_path
 
     if "all" == target:
@@ -423,13 +612,7 @@ def update(
         rprint(f"[yellow]Failed to update node id cache: {e}[/yellow]")
 
 
-@app.command(
-    help=(
-        "Run a workflow on the ComfyUI launched by `comfy launch --background`. "
-        "Accepts both ComfyUI API format and exported UI workflow JSON; "
-        "UI workflows are converted to API format client-side via /object_info."
-    )
-)
+@app.command(help="Run an API workflow. Submits and returns immediately by default; pass --wait to block.")
 def run(
     workflow: Annotated[
         str,
@@ -443,8 +626,20 @@ def run(
     ],
     wait: Annotated[
         bool,
-        typer.Option(help="If the command should wait until execution completes."),
-    ] = True,
+        typer.Option(
+            "--wait",
+            show_default=False,
+            help="Block until the workflow completes (old default). Without this, the command submits and exits.",
+        ),
+    ] = False,
+    notify: Annotated[
+        bool | None,
+        typer.Option(
+            "--notify/--no-notify",
+            show_default=False,
+            help="Fire a desktop notification when a background job completes. Default: on for humans, off for agents.",
+        ),
+    ] = None,
     verbose: Annotated[
         bool,
         typer.Option(help="Enables verbose output of the execution process."),
@@ -469,6 +664,14 @@ def run(
             ),
         ),
     ] = 120,
+    where: Annotated[
+        str | None,
+        typer.Option(
+            "--where",
+            show_default=False,
+            help="Routing target: 'local' or 'cloud'.",
+        ),
+    ] = None,
     api_key: Annotated[
         str | None,
         typer.Option(
@@ -487,8 +690,10 @@ def run(
         typer.Option(
             "--json",
             help=(
-                "Emit NDJSON events to stdout instead of human-readable output. "
-                "One JSON object per line, terminated by \\n. See docs/json-output.md "
+                "Stream NDJSON events to stdout instead of human-readable output: "
+                'one `{"schema": "event/1", "type": ...}` object per line, '
+                'with a final `type: "envelope"` line carrying ok/error. Same '
+                "dialect as the global --json-stream flag; see docs/json-output.md "
                 "for the event reference and stability contract. In this mode, "
                 "--verbose has no effect and Rich progress is suppressed. "
                 "Workflow input accepts both API and UI format JSON (UI input "
@@ -522,6 +727,46 @@ def run(
             api_key = api_key.strip() or None
 
         config = ConfigManager()
+        renderer = get_renderer()
+
+        # Command-local --json means "stream the run": upgrade the renderer
+        # (resolved once in the entry callback) into NDJSON mode so every
+        # renderer.event(...) line plus the final envelope reaches stdout.
+        # One dialect — same shape as the global --json-stream flag.
+        if json_output:
+            renderer.force_stream()
+
+        try:
+            decision = where_module.resolve(flag=where, config_value=config.get(where_module.CONFIG_KEY_WHERE_DEFAULT))
+        except ValueError as e:
+            renderer.error(code="where_invalid", message=str(e), hint="use --where local or --where cloud")
+            raise typer.Exit(code=1)
+
+        # Default for --notify: on when a human is at the terminal, off for
+        # agents (they shouldn't get surprise side-channel processes they didn't
+        # ask for). The user can override either way with --notify/--no-notify.
+        effective_notify = notify if notify is not None else (renderer.is_pretty() and not wait)
+
+        if decision.target is where_module.WhereTarget.CLOUD:
+            err = where_module.cloud_preflight()
+            if err is not None:
+                renderer.error(
+                    code=err.code,
+                    message=err.message,
+                    hint=err.hint,
+                    details=err.details,
+                )
+                raise typer.Exit(code=1)
+            # Cloud path uses HTTPS + Bearer auth; host/port aren't applicable.
+            run_inner.execute_cloud(
+                workflow,
+                wait=wait,
+                verbose=verbose,
+                timeout=timeout,
+                notify=effective_notify,
+                print_prompt=print_prompt,
+            )
+            return
 
         if host:
             s = host.split(":")
@@ -545,11 +790,11 @@ def run(
             workflow,
             host,
             port,
-            wait,
-            verbose,
-            timeout,
+            wait=wait,
+            verbose=verbose,
+            timeout=timeout,
+            notify=effective_notify,
             api_key=api_key,
-            json_mode=json_output,
             print_prompt=print_prompt,
         )
     except typer.Exit as e:
@@ -571,6 +816,214 @@ def run(
         tracking.track_event("execution_success", _track_props)
 
 
+@app.command(
+    help="Validate an API-format workflow without submitting. Checks class_types, input shapes, enum values, and edge wiring."
+)
+@tracking.track_command()
+def validate(
+    workflow: Annotated[
+        str,
+        typer.Option(help="Path to the API-format workflow JSON file."),
+    ],
+    where: Annotated[
+        str | None,
+        typer.Option("--where", show_default=False, help="Routing target for object_info: 'local' or 'cloud'."),
+    ] = None,
+    host: Annotated[
+        str | None,
+        typer.Option(show_default=False, help="ComfyUI host (default 127.0.0.1)."),
+    ] = None,
+    port: Annotated[
+        int | None,
+        typer.Option(show_default=False, help="ComfyUI port (default 8188)."),
+    ] = None,
+    input_path: Annotated[
+        str | None,
+        typer.Option("--input", show_default=False, help="Path to a saved object_info JSON (offline mode)."),
+    ] = None,
+):
+    from pathlib import Path
+
+    from comfy_cli.cql.engine import Graph, LoadError
+
+    renderer = get_renderer()
+
+    # Load workflow
+    wf_path = Path(workflow).expanduser()
+    if not wf_path.is_file():
+        renderer.error(code="workflow_not_found", message=f"Workflow file not found: {workflow}", hint="check the path")
+        raise typer.Exit(code=1)
+    try:
+        wf_data = json.loads(wf_path.read_text(encoding="utf-8"))
+    except json.JSONDecodeError as e:
+        renderer.error(code="workflow_invalid_json", message=f"Invalid JSON: {e}", hint="re-export from ComfyUI")
+        raise typer.Exit(code=1) from e
+    if not isinstance(wf_data, dict):
+        renderer.error(
+            code="workflow_not_api_format", message="Workflow must be a JSON object", hint="use File > Export (API)"
+        )
+        raise typer.Exit(code=1)
+
+    # Load graph
+    mode = "local"
+    if where:
+        mode = where
+    else:
+        config = ConfigManager()
+        try:
+            decision = where_module.resolve(flag=None, config_value=config.get(where_module.CONFIG_KEY_WHERE_DEFAULT))
+            mode = decision.target.value
+        except Exception:
+            pass
+
+    try:
+        graph = Graph.load(mode=mode, input_path=input_path, host=host or "127.0.0.1", port=port or 8188)
+    except LoadError as e:
+        renderer.error(
+            code="cql_no_graph",
+            message=str(e),
+            hint=e.details.get("hint", "pass --input <object_info.json>, or start the server"),
+            details=e.details,
+        )
+        raise typer.Exit(code=1) from e
+
+    result = graph.validate_workflow(wf_data)
+
+    payload = {
+        "workflow": str(wf_path),
+        "valid": result["valid"],
+        "error_count": len(result["errors"]),
+        "warning_count": len(result["warnings"]),
+        "errors": result["errors"],
+        "warnings": result["warnings"],
+    }
+
+    if renderer.is_pretty():
+        if result["valid"]:
+            rprint(f"[bold green]✓[/bold green] workflow is valid ({len(wf_data)} nodes)")
+            for w in result["warnings"]:
+                rprint(f"  [yellow]⚠[/yellow] {w.get('message', '')}")
+        else:
+            rprint(f"[bold red]✗[/bold red] {len(result['errors'])} error(s)")
+            for e in result["errors"]:
+                msg = e.get("message", "")
+                suggestions = e.get("suggestions", [])
+                if suggestions:
+                    msg += f" (did you mean: {', '.join(suggestions[:3])}?)"
+                rprint(f"  [red]•[/red] node {e.get('node_id', '?')}: {msg}")
+            for w in result["warnings"]:
+                rprint(f"  [yellow]⚠[/yellow] {w.get('message', '')}")
+    renderer.emit(payload, command="validate", ok=result["valid"])
+
+    if not result["valid"]:
+        raise typer.Exit(code=1)
+
+
+@app.command(help="Upload files to the ComfyUI server's input directory.")
+@tracking.track_command()
+def upload(
+    files: Annotated[list[str], typer.Argument(help="Local file paths to upload.")],
+    where: Annotated[
+        str | None,
+        typer.Option("--where", show_default=False, help="Routing target: 'local' or 'cloud'."),
+    ] = None,
+    overwrite: Annotated[
+        bool,
+        typer.Option("--overwrite/--no-overwrite", help="Overwrite existing files on the server."),
+    ] = True,
+):
+    config = ConfigManager()
+    renderer = get_renderer()
+    try:
+        decision = where_module.resolve(flag=where, config_value=config.get(where_module.CONFIG_KEY_WHERE_DEFAULT))
+    except ValueError as e:
+        renderer.error(code="where_invalid", message=str(e), hint="use --where local or --where cloud")
+        raise typer.Exit(code=1)
+
+    effective_where = "cloud" if decision.target is where_module.WhereTarget.CLOUD else "local"
+    if effective_where == "cloud":
+        err = where_module.cloud_preflight()
+        if err is not None:
+            renderer.error(code=err.code, message=err.message, hint=err.hint, details=err.details)
+            raise typer.Exit(code=1)
+
+    transfer_inner.execute_upload(files, where=effective_where, overwrite=overwrite)
+
+
+@app.command(help="Download outputs from a completed job. Reads prompt_id from argument or piped stdin.")
+@tracking.track_command()
+def download(
+    prompt_id: Annotated[
+        str | None,
+        typer.Argument(help="Prompt ID to download outputs for. Omit to read from piped stdin.", show_default=False),
+    ] = None,
+    out_dir: Annotated[
+        str,
+        typer.Option("--out-dir", "-o", help="Directory to save outputs to."),
+    ] = "./outputs",
+    where: Annotated[
+        str | None,
+        typer.Option("--where", show_default=False, help="Routing target: 'local' or 'cloud'."),
+    ] = None,
+    url_only: Annotated[
+        bool,
+        typer.Option(
+            "--url-only",
+            show_default=False,
+            help="Emit output URLs without downloading files. Useful for agents that pass URLs to other tools.",
+        ),
+    ] = False,
+):
+    config = ConfigManager()
+    renderer = get_renderer()
+    try:
+        decision = where_module.resolve(flag=where, config_value=config.get(where_module.CONFIG_KEY_WHERE_DEFAULT))
+    except ValueError as e:
+        renderer.error(code="where_invalid", message=str(e), hint="use --where local or --where cloud")
+        raise typer.Exit(code=1)
+
+    effective_where = "cloud" if decision.target is where_module.WhereTarget.CLOUD else "local"
+    if effective_where == "cloud":
+        err = where_module.cloud_preflight()
+        if err is not None:
+            renderer.error(code=err.code, message=err.message, hint=err.hint, details=err.details)
+            raise typer.Exit(code=1)
+
+    transfer_inner.execute_download(prompt_id, out_dir=out_dir, where=effective_where, url_only=url_only)
+
+
+@app.command("run-cli", help="Walk through the CLI surface in realtime with a tiny no-model workflow.")
+@tracking.track_command()
+def run_cli(
+    pause_seconds: Annotated[
+        float,
+        typer.Option(
+            "--pause-seconds",
+            help="Seconds to pause between steps for readability. Use 0 for fast/CI runs.",
+        ),
+    ] = 3.0,
+    no_pause: Annotated[
+        bool,
+        typer.Option("--no-pause", help="Equivalent to --pause-seconds 0."),
+    ] = False,
+    show_agent: Annotated[
+        bool,
+        typer.Option(
+            "--show-agent/--no-show-agent",
+            help="Also show the --json envelope an agent would parse for each command. On by default.",
+        ),
+    ] = True,
+    no_cleanup: Annotated[
+        bool,
+        typer.Option("--no-cleanup", help="Keep the temporary demo workflow file after the run."),
+    ] = False,
+):
+    effective_pause = 0.0 if no_pause else pause_seconds
+    raise typer.Exit(
+        code=run_cli_inner.execute(pause_seconds=effective_pause, no_cleanup=no_cleanup, show_agent=show_agent)
+    )
+
+
 def validate_comfyui(_env_checker):
     if _env_checker.comfy_repo is None:
         rprint("[bold red]If ComfyUI is not installed, this feature cannot be used.[/bold red]")
@@ -615,67 +1068,277 @@ def launch(
     launch_command(background, extra, frontend_pr)
 
 
-@app.command("set-default", help="Set default ComfyUI path")
+@app.command("setup", help="Interactive setup wizard — routing, auth, and agent skills in one step.")
 @tracking.track_command()
-def set_default(
-    workspace_path: str,
-    launch_extras: Annotated[str, typer.Option(help="Specify extra options for launch")] = "",
+def setup(
+    where: Annotated[
+        str | None,
+        typer.Option(
+            "--where", show_default=False, help="Routing target: 'local' or 'cloud'. Skips the interactive prompt."
+        ),
+    ] = None,
+    api_key: Annotated[
+        str | None,
+        typer.Option("--api-key", show_default=False, help="Comfy Cloud API key. Implies --where cloud."),
+    ] = None,
+    project_dir: Annotated[
+        str | None,
+        typer.Option("--project-dir", show_default=False, help="Project directory for workflows, inputs, and outputs."),
+    ] = None,
+    non_interactive: Annotated[
+        bool,
+        typer.Option(
+            "--non-interactive",
+            "-y",
+            show_default=False,
+            help="No prompts — use flags for all choices. For CI, devcontainers, and scripted installs.",
+        ),
+    ] = False,
+    skip_skills: Annotated[
+        bool,
+        typer.Option("--skip-skills", show_default=False, help="Skip agent skill installation."),
+    ] = False,
+    skip_verify: Annotated[
+        bool,
+        typer.Option("--skip-verify", show_default=False, help="Skip connectivity verification."),
+    ] = False,
 ):
-    comfy_path = os.path.abspath(os.path.expanduser(workspace_path))
+    from comfy_cli.command import setup as setup_inner
+
+    setup_inner.execute(
+        where=where,
+        api_key=api_key,
+        project_dir=project_dir,
+        non_interactive=non_interactive,
+        skip_skills=skip_skills,
+        skip_verify=skip_verify,
+    )
 
-    if not os.path.exists(comfy_path):
-        rprint(
-            f"\nPath not found: {comfy_path}.\n",
-            file=sys.stderr,
-        )
-        raise typer.Exit(code=1)
 
-    is_comfy_repo, resolved_path = check_comfy_repo(comfy_path)
-    if not is_comfy_repo:
-        rprint(
-            f"\nSpecified path is not a ComfyUI path: {comfy_path}.\n",
-            file=sys.stderr,
+@app.command("set-default", help="Persist defaults: ComfyUI workspace path and/or `--where` mode.")
+@tracking.track_command()
+def set_default(
+    workspace_path: Annotated[
+        str | None,
+        typer.Argument(help="Path to ComfyUI workspace (optional — pass to set the default workspace)."),
+    ] = None,
+    launch_extras: Annotated[
+        str | None,
+        typer.Option(help="Extra options forwarded to `comfy launch`."),
+    ] = None,
+    where: Annotated[
+        str | None,
+        typer.Option(
+            "--where",
+            show_default=False,
+            help="Persist the default routing mode: 'local' or 'cloud'. "
+            "Once set, every command honors it without a per-invocation flag.",
+        ),
+    ] = None,
+    clear_where: Annotated[
+        bool,
+        typer.Option(
+            "--clear-where",
+            show_default=False,
+            help="Clear the persisted --where so commands fall back to env / local default.",
+        ),
+    ] = False,
+):
+    renderer = get_renderer()
+    config = ConfigManager()
+    changed_workspace = False
+    changed_where = False
+
+    if where is not None:
+        try:
+            where_module._parse(where)
+        except ValueError as e:
+            renderer.error(code="where_invalid", message=str(e), hint="use --where local or --where cloud")
+            raise typer.Exit(code=1) from e
+        config.set(where_module.CONFIG_KEY_WHERE_DEFAULT, where.strip().lower())
+        changed_where = True
+
+    if clear_where:
+        config.set(where_module.CONFIG_KEY_WHERE_DEFAULT, "")
+        changed_where = True
+
+    if workspace_path is not None:
+        comfy_path = os.path.abspath(os.path.expanduser(workspace_path))
+        if not os.path.exists(comfy_path):
+            renderer.error(
+                code="not_in_workspace", message=f"Path not found: {comfy_path}", hint="pass a real workspace path"
+            )
+            raise typer.Exit(code=1)
+        is_comfy_repo, resolved_path = check_comfy_repo(comfy_path)
+        if not is_comfy_repo:
+            renderer.error(
+                code="not_in_workspace",
+                message=f"Not a ComfyUI workspace: {comfy_path}",
+                hint="`comfy install` to scaffold one, or pass a different path",
+            )
+            raise typer.Exit(code=1)
+        assert resolved_path is not None
+        workspace_manager.set_default_workspace(resolved_path)
+        if launch_extras is not None:
+            workspace_manager.set_default_launch_extras(launch_extras)
+        changed_workspace = True
+
+    if not (changed_workspace or changed_where):
+        renderer.error(
+            code="missing_argument",
+            message="set-default needs at least one of: <workspace_path>, --where, or --clear-where.",
+            hint="example: `comfy set-default --where cloud`",
         )
         raise typer.Exit(code=1)
 
-    comfy_path = resolved_path
-
-    rprint(f"Specified path is set as default ComfyUI path: {comfy_path} ")
-    workspace_manager.set_default_workspace(comfy_path)
-    workspace_manager.set_default_launch_extras(launch_extras)
+    persisted_where = config.get(where_module.CONFIG_KEY_WHERE_DEFAULT) or None
+    workspace_value = config.get(constants.CONFIG_KEY_DEFAULT_WORKSPACE) if changed_workspace else None
+    if renderer.is_pretty():
+        if changed_workspace:
+            rprint(f"[bold green]✓[/bold green] Default workspace → [cyan]{workspace_value or '?'}[/cyan]")
+        if changed_where:
+            if clear_where:
+                rprint(
+                    "[bold green]✓[/bold green] Cleared persisted [bold]where[/bold] (falls back to env / local default)."
+                )
+            else:
+                rprint(f"[bold green]✓[/bold green] Default [bold]where[/bold] → [cyan]{persisted_where}[/cyan]")
+    renderer.emit(
+        {
+            "default_workspace": workspace_value,
+            "default_launch_extras": launch_extras if changed_workspace else None,
+            "default_where": persisted_where,
+        },
+        command="set-default",
+        changed=True,
+    )
 
 
 @app.command(help="Show which ComfyUI is selected.")
 @tracking.track_command()
 def which():
+    renderer = get_renderer()
     comfy_path = workspace_manager.workspace_path
     if comfy_path is None:
-        rprint(
-            "ComfyUI not found, please run 'comfy install', run 'comfy' in a ComfyUI directory, or specify the workspace path with '--workspace'."
+        renderer.error(
+            code="not_in_workspace",
+            message="ComfyUI not found, please run 'comfy install', run 'comfy' in a ComfyUI directory, or specify the workspace path with '--workspace'.",
+            hint="run: comfy install   (or pass --workspace /path/to/ComfyUI)",
         )
         raise typer.Exit(code=1)
 
-    rprint(f"Target ComfyUI path: {comfy_path}")
+    workspace_type_value = (
+        workspace_manager.workspace_type.value if workspace_manager.workspace_type is not None else None
+    )
+    if renderer.is_pretty():
+        import sys as _sys
 
+        from comfy_cli.output.panels import which_panel
 
-@app.command(help="Print out current environment variables.")
-@tracking.track_command()
-def env():
-    check_for_updates()
-    env_data = EnvChecker().fill_print_table()
-    workspace_data = workspace_manager.fill_print_table()
-    all_data = env_data + workspace_data
-    ui.display_table(
-        data=all_data,
-        column_names=[":laptop_computer: Environment", "Value"],
-        title="Environment Information",
+        cfg_bg = ConfigManager().background
+        if cfg_bg is not None:
+            host, port = cfg_bg[0], cfg_bg[1]
+        else:
+            host, port = "127.0.0.1", 8188
+        try:
+            server_running = env_checker.check_comfy_server_running(host=host, port=port, timeout=0.5)
+        except Exception:  # noqa: BLE001
+            server_running = False
+        renderer.console().print(
+            which_panel(
+                workspace_path=str(comfy_path),
+                workspace_type=workspace_type_value,
+                python_executable=_sys.executable,
+                python_version=f"{_sys.version_info.major}.{_sys.version_info.minor}.{_sys.version_info.micro}",
+                server_running=server_running,
+                server_url=f"http://{host}:{port}",
+                version=ConfigManager().get_cli_version(),
+            )
+        )
+    renderer.emit(
+        {
+            "workspace_path": str(comfy_path),
+            "workspace_type": workspace_type_value,
+        },
+        command="which",
     )
 
 
-@app.command(hidden=True)
+@app.command(help="Emit a self-describing surface (commands, schemas, error codes) for agents.")
 @tracking.track_command()
-def nodes():
-    rprint("\n[bold red] No such command, did you mean 'comfy node' instead?[/bold red]\n")
+def discover(
+    schemas_only: Annotated[
+        bool,
+        typer.Option(
+            "--schemas-only",
+            show_default=False,
+            help="Emit only the schemas bundle, omitting the command tree.",
+        ),
+    ] = False,
+):
+    renderer = get_renderer()
+    cli_version = ConfigManager().get_cli_version()
+    doc = build_discovery(app, version=cli_version)
+    if schemas_only:
+        doc = {
+            "prog": doc["prog"],
+            "version": doc["version"],
+            "schemas": doc["schemas"],
+            "command_schemas": doc["command_schemas"],
+            "stream_event_schemas": doc["stream_event_schemas"],
+            "capabilities": doc["capabilities"],
+        }
+    if renderer.is_json():
+        renderer.emit(doc, command="discover")
+        return
+    from comfy_cli.output.panels import discover_panel
+
+    renderer.console().print(discover_panel(doc, command_count=_count_commands(doc.get("commands", {}))))
+
+
+def _count_commands(tree: dict) -> int:
+    total = 0
+    for entry in tree.values():
+        total += 1
+        subs = entry.get("subcommands") if isinstance(entry, dict) else None
+        if subs:
+            total += _count_commands(subs)
+    return total
+
+
+@app.command(help="Print out current environment variables.")
+@tracking.track_command()
+def env():
+    renderer = get_renderer()
+    # Only do the upgrade-check side-effect in pretty mode; agents asking for
+    # a snapshot don't want a network call they didn't request.
+    if renderer.is_pretty():
+        from rich.table import Table
+
+        from comfy_cli.output.branding import branded_panel
+
+        env_data = EnvChecker().fill_print_table()
+        workspace_data = workspace_manager.fill_print_table()
+        all_data = env_data + workspace_data
+
+        tbl = Table(
+            show_header=True,
+            header_style="bold magenta",
+            border_style="dim",
+            pad_edge=False,
+            expand=True,
+        )
+        tbl.add_column("Environment", style="bold cyan", no_wrap=True, overflow="fold")
+        tbl.add_column("Value", overflow="fold")
+        for label, value in all_data:
+            tbl.add_row(label, str(value))
+
+        renderer.console().print(branded_panel(tbl, title="env", version=ConfigManager().get_cli_version()))
+        return
+    # JSON path: collect structured data without printing the table.
+    data = EnvChecker().fill_data()
+    data["workspace"] = workspace_manager.fill_data()
+    renderer.emit(data, command="env")
 
 
 @app.command(hidden=True)
@@ -684,33 +1347,107 @@ def models():
     rprint("\n[bold red] No such command, did you mean 'comfy model' instead?[/bold red]\n")
 
 
-@app.command(help="Provide feedback on the Comfy CLI tool.")
+_FEEDBACK_DISABLED_NOTICE = (
+    "[yellow]Feedback not sent — telemetry is opted out via DO_NOT_TRACK / COMFY_NO_TELEMETRY.[/yellow]\n"
+    "Unset that to send, or open an issue: https://github.com/Comfy-Org/comfy-cli/issues/new/choose"
+)
+
+
+def _relay_feedback(renderer: Renderer, sent: bool, *, message: str) -> None:
+    """Surface the feedback outcome: JSON envelope for agents, a line for humans."""
+    if renderer.is_json():
+        renderer.emit({"sent": sent, "message": message}, command="feedback")
+        return
+    rprint("Thank you for your feedback!" if sent else _FEEDBACK_DISABLED_NOTICE)
+
+
+@app.command(help="Provide feedback on the Comfy CLI tool. Pass it inline to send in one shot.")
 @tracking.track_command()
-def feedback():
+def feedback(
+    message: Annotated[
+        str | None,
+        typer.Argument(
+            show_default=False,
+            help='Your feedback, e.g. comfy feedback "run is great but jobs watch needs an ETA". '
+            "Omit (interactive only) to answer a few quick questions.",
+        ),
+    ] = None,
+):
+    renderer = get_renderer()
+
+    # One-shot — the path agents (Claude, etc.) and scripts should use.
+    if message:
+        _relay_feedback(renderer, tracking.submit_feedback(message), message=message)
+        return
+
+    # No inline message: the interactive prompts need a human at a TTY. In
+    # JSON/agentic mode there's nobody to prompt — tell the caller to pass it inline.
+    if not renderer.is_pretty():
+        renderer.error(
+            code="feedback_message_required",
+            message="Feedback requires an inline message in JSON mode.",
+            hint='comfy feedback "your feedback here"',
+        )
+        raise typer.Exit(code=1)
+
     rprint("Feedback Collection for Comfy CLI Tool\n")
 
-    # General Satisfaction
     general_satisfaction_score = ui.prompt_select(
         question="On a scale of 1 to 5, how satisfied are you with the Comfy CLI tool? (1 being very dissatisfied and 5 being very satisfied)",
         choices=["1", "2", "3", "4", "5"],
         force_prompting=True,
     )
-    tracking.track_event("feedback_general_satisfaction", {"score": general_satisfaction_score})
-
-    # Usability and User Experience
     usability_satisfaction_score = ui.prompt_select(
         question="On a scale of 1 to 5,  how satisfied are you with the usability and user experience of the Comfy CLI tool? (1 being very dissatisfied and 5 being very satisfied)",
         choices=["1", "2", "3", "4", "5"],
         force_prompting=True,
     )
-    tracking.track_event("feedback_usability_satisfaction", {"score": usability_satisfaction_score})
+    free_text = ui.prompt_input(
+        question="Anything else you'd like to share? (optional — press Enter to skip)",
+        force_prompting=True,
+    )
 
-    # Additional Feature-Specific Feedback
-    if questionary.confirm("Do you want to provide additional feature-specific feedback on our GitHub page?").ask():
+    sent = tracking.submit_feedback(
+        free_text or "",
+        scores={
+            "general_satisfaction": None if general_satisfaction_score is None else str(general_satisfaction_score),
+            "usability_satisfaction": None
+            if usability_satisfaction_score is None
+            else str(usability_satisfaction_score),
+        },
+    )
+    if (
+        sent
+        and questionary.confirm("Do you want to provide additional feature-specific feedback on our GitHub page?").ask()
+    ):
         tracking.track_event("feedback_additional")
         webbrowser.open("https://github.com/Comfy-Org/comfy-cli/issues/new/choose")
 
-    rprint("Thank you for your feedback!")
+    _relay_feedback(renderer, sent, message=free_text or "")
+
+
+@app.command(
+    name="agent-review",
+    hidden=True,
+    help="For agents: submit a short summary of how the session went. Fully consent-gated.",
+)
+@tracking.track_command()
+def agent_review(
+    summary: Annotated[
+        str,
+        typer.Argument(help="A brief, factual summary of the session — your assessment, not the user's words."),
+    ],
+):
+    renderer = get_renderer()
+    sent = tracking.submit_agent_review(summary)
+    if renderer.is_json():
+        renderer.emit({"sent": sent, "summary": summary}, command="agent-review")
+        return
+    rprint(
+        "Session review recorded — thanks."
+        if sent
+        else "[yellow]Review not sent — telemetry is disabled or opted out.[/yellow]"
+    )
 
 
 @app.command(hidden=True)
@@ -782,7 +1519,15 @@ def standalone(
 
 generate_command.register_with(app)
 app.add_typer(models_command.app, name="model", help="Manage models.")
+app.add_typer(
+    models_search_command.app,
+    name="models",
+    help="Discover models — folders, files, and the cloud asset catalog.",
+)
 app.add_typer(custom_nodes.app, name="node", help="Manage custom nodes.")
+app.add_typer(nodes_command.app, name="nodes", help="Introspect ComfyUI node classes (inputs, outputs, categories).")
+app.add_typer(templates_command.app, name="templates", help="Browse the Comfy workflow-template gallery.")
+app.add_typer(workflow_command.app, name="workflow", help="Slot-based editing of frontend-format ComfyUI workflows.")
 app.add_typer(custom_nodes.manager_app, name="manager", help="Manage ComfyUI-Manager.")
 
 app.add_typer(pr_command.app, name="pr-cache", help="Manage PR cache.")
@@ -791,3 +1536,24 @@ def standalone(
 app.add_typer(code_search.app, name="cs", hidden=True)
 
 app.add_typer(tracking.app, name="tracking", help="Manage analytics tracking settings.")
+app.add_typer(cloud_command.app, name="cloud", help="Comfy Cloud — sign in, route commands, inspect session.")
+app.add_typer(auth_command.app, name="auth", help="Manage API tokens for model hosts (Civitai, Hugging Face).")
+app.add_typer(jobs_command.app, name="jobs", help="List, inspect, and live-watch ComfyUI prompts.")
+app.add_typer(project_command.app, name="project", help="Project conventions: init and status.")
+app.add_typer(
+    project_command.assets_app,
+    name="assets",
+    help="Push project assets to the run target (local or cloud) and track them in the lock.",
+)
+app.add_typer(
+    skill_command.app,
+    name="skills",
+    help="Install the bundled comfy agent skills into Claude Code, Cursor, and AGENTS.md.",
+)
+# Keep the singular alias for backward compat
+app.add_typer(skill_command.app, name="skill", hidden=True)
+
+# Hidden: the detached watcher subprocess spawned by `comfy run` when async.
+from comfy_cli.command import job_watcher as _job_watcher  # noqa: E402
+
+app.add_typer(_job_watcher.app, name="_watch", hidden=True)
diff --git a/comfy_cli/comfy_client.py b/comfy_cli/comfy_client.py
new file mode 100644
index 00000000..bcee551e
--- /dev/null
+++ b/comfy_cli/comfy_client.py
@@ -0,0 +1,609 @@
+"""Unified HTTP client for ComfyUI — local or cloud.
+
+A single class that takes a :class:`comfy_cli.target.Target` and exposes the
+shared REST surface (``submit_prompt``, ``get_history``, ``list_jobs``,
+``get_job_status``). Local and cloud differ in three small ways — path
+prefix, history endpoint name, and whether a Bearer token is added — all of
+which are encoded as Target fields.
+
+WebSocket-based live-watch stays in :mod:`comfy_cli.command.jobs` since it's
+local-only.
+"""
+
+from __future__ import annotations
+
+import json
+import random
+import re
+import time
+import urllib.error
+import urllib.parse
+import urllib.request
+from collections.abc import Callable
+from dataclasses import dataclass
+from typing import Any
+
+from comfy_cli.target import Target
+
+_LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1", "[::1]"}
+
+# Transient HTTP failures during polling should back off and retry, not abort.
+# 429 (rate limit) is retried for any method — the request was rejected, not
+# processed, so even a POST is safe to repeat. Transient 5xx is retried for
+# GET only, since a 5xx on a POST may have partially applied (double-submit).
+_MAX_TRANSIENT_RETRIES = 4
+_RETRYABLE_5XX = {502, 503, 504}
+
+# Poll-level resilience for wait_for_completion: a sustained 429 storm (or a
+# plain 500, which the in-request layer never retries) must not abort a wait
+# for a job that is still running. Backoff doubles from 2s up to 60s with
+# jitter; only _MAX_POLL_FAILURES CONSECUTIVE failed polls give up and
+# surface the HTTPError to the caller's existing error path.
+_MAX_POLL_FAILURES = 5
+_POLL_BACKOFF_BASE = 2.0
+_POLL_BACKOFF_CAP = 60.0
+
+# Strip Bearer tokens out of any text we might carry into logs/exceptions.
+_BEARER_RE = re.compile(r"Bearer\s+[A-Za-z0-9._\-]+", re.IGNORECASE)
+_TOKEN_KEYS_RE = re.compile(
+    r'("(?:auth_token_comfy_org|api_key_comfy_org|access_token|refresh_token)"\s*:\s*")[^"]*(")',
+    re.IGNORECASE,
+)
+
+
+def _redact(text: str) -> str:
+    """Strip Bearer tokens and known token keys from a string."""
+    if not text:
+        return text
+    return _TOKEN_KEYS_RE.sub(r"\1***\2", _BEARER_RE.sub("Bearer ***", text))
+
+
+def _parse_retry_after(headers: Any) -> float | None:
+    """Parse a ``Retry-After`` header (seconds form) to a float, else None."""
+    if headers is None:
+        return None
+    value = headers.get("Retry-After")
+    if value is None:
+        return None
+    try:
+        return float(value)
+    except (TypeError, ValueError):
+        return None
+
+
+class HTTPError(Exception):
+    """Server returned a non-2xx response.
+
+    ``retry_after`` carries the server's ``Retry-After`` header (seconds)
+    when one was present, so retry layers above ``_request`` (e.g. the
+    wait_for_completion poll loop) can honor it.
+    """
+
+    def __init__(self, status: int, message: str, body: str = "", *, retry_after: float | None = None):
+        # Redact before super().__init__ so str(self) is safe to log.
+        message = _redact(message)
+        body = _redact(body)
+        super().__init__(f"HTTP {status}: {message}")
+        self.status = status
+        self.message = message
+        self.body = body
+        self.retry_after = retry_after
+
+
+class Unauthenticated(Exception):
+    """Target needs auth but no valid session is present."""
+
+
+class _NoRedirectHandler(urllib.request.HTTPRedirectHandler):
+    """Refuse to follow redirects.
+
+    Following redirects with `Authorization: Bearer …` in flight risks
+    replaying the token at the redirect target. ComfyUI gateways don't issue
+    redirects under normal operation; if we ever see one it's almost certainly
+    a misconfiguration or attack. Surface as a clear HTTPError instead.
+    """
+
+    def http_error_301(self, req, fp, code, msg, headers):
+        raise urllib.error.HTTPError(req.full_url, code, "redirect refused", headers, fp)
+
+    http_error_302 = http_error_303 = http_error_307 = http_error_308 = http_error_301
+
+
+_OPENER = urllib.request.build_opener(_NoRedirectHandler())
+
+
+def _assert_safe_url(url: str) -> None:
+    """Reject plaintext HTTP for non-loopback hosts.
+
+    Anything carrying a Bearer token over the wire must be HTTPS unless the
+    host is a loopback address (where there's no network to sniff).
+    """
+    parsed = urllib.parse.urlsplit(url)
+    if parsed.scheme == "https":
+        return
+    host = (parsed.hostname or "").lower()
+    if host in _LOOPBACK_HOSTS:
+        return
+    raise ValueError(
+        f"refusing to send request to non-https, non-loopback URL: {url} "
+        "(set COMFY_CLOUD_BASE_URL to an https:// endpoint)"
+    )
+
+
+@dataclass
+class SubmitResult:
+    prompt_id: str
+    number: int | None
+    node_errors: dict[str, Any]
+
+
+class Client:
+    """Single HTTP client across local + cloud ComfyUI."""
+
+    def __init__(self, target: Target, *, timeout: float = 30.0, clear_session_on_auth_failure: bool = True):
+        self.target = target
+        self.timeout = timeout
+        # Whether a fatal OAuth refresh failure (reuse-detection / invalid_grant)
+        # on the reactive 401 path may clear the stored session. Foreground,
+        # user-driven commands leave this True (they own the session lifecycle).
+        # The detached background watcher sets it False: it is read-mostly and
+        # must never log the user off the shared session over a transient blip.
+        self.clear_session_on_auth_failure = clear_session_on_auth_failure
+        if target.is_cloud and not (target.auth_token or target.api_key):
+            raise Unauthenticated(
+                "cloud target requires credentials — run `comfy cloud login` or set COMFY_CLOUD_API_KEY"
+            )
+
+    # ----- low-level -----
+
+    def _try_refresh_token(self) -> bool:
+        """Refresh the OAuth token after a server 401. Returns True if a new
+        access token was obtained and installed on the target.
+
+        This is the *reactive* leg and it shares the single, cross-process
+        locked + double-checked refresh in ``oauth.ensure_fresh_session`` (via
+        ``get_session(force=True)``) — there is no second refresh/persist code
+        path here. Coalescing matters: in a parallel fan-out the first caller
+        refreshes and the rest pick up the rotated token from the store without
+        a second network call, so a consumed refresh token is never replayed.
+
+        Raises ``Unauthenticated`` when the refresh hit reuse-detection /
+        ``invalid_grant``: the family is dead, the session has already been
+        cleared, and retrying is pointless — the caller surfaces the
+        ``cloud_unauthorized`` login guidance exactly once.
+        """
+        if not self.target.is_cloud or not self.target.auth_token:
+            return False
+        # Only refresh OAuth tokens, not API keys.
+        if self.target.api_key:
+            return False
+
+        from comfy_cli.credentials import get_session
+
+        old_token = self.target.auth_token
+        # Was there a stored OAuth session backing this token? If not (e.g. a
+        # bare token handed to the client directly), there's nothing to refresh
+        # and a cleared store doesn't mean "revoked" — just let the 401 stand.
+        had_session = get_session(refresh=False) is not None
+        # force=True: a server 401 is authoritative even if our local clock
+        # still thinks the access token is valid (skew / no recorded expiry).
+        # allow_clear: foreground commands may clear on a fatal token failure;
+        # the background watcher passes False so a transient/spurious
+        # invalid_grant can't wipe the shared session.
+        session = get_session(refresh=True, force=True, allow_clear=self.clear_session_on_auth_failure)
+        if session is not None and session.access_token and session.access_token != old_token:
+            # Frozen dataclass — install the rotated token for the retry + any
+            # subsequent requests (and the partner-API extra_data rebuild).
+            object.__setattr__(self.target, "auth_token", session.access_token)
+            return True
+        if had_session and session is None:
+            # The refresh hit a fatal token error. When
+            # ``clear_session_on_auth_failure`` is True the stored session has
+            # already been cleared; when False (watcher) it is deliberately
+            # preserved for the foreground command to manage. Either way, don't
+            # loop on a dead token — surface the failure once.
+            #
+            # Report the auth server's *actual* reason when we have it (e.g.
+            # "invalid_grant: workspace membership lost") instead of guessing
+            # "reuse detected" — these failures look identical to the user but
+            # have very different root causes.
+            from comfy_cli.cloud import oauth
+
+            reason = oauth.take_last_fatal_refresh_reason()
+            detail = reason or "refresh token reuse detected or expired"
+            raise Unauthenticated(f"Comfy Cloud session is no longer valid ({detail}) — run `comfy cloud login`")
+        # Same token back (a transient/network refresh failure kept the stale
+        # session), or no stored session to refresh: let the original 401
+        # propagate to the caller's HTTP-error handling.
+        return False
+
+    @staticmethod
+    def _retry_delay(exc: urllib.error.HTTPError, attempt: int) -> float:
+        """Seconds to wait before retrying a transient failure in-request.
+
+        Honors a server ``Retry-After`` (seconds) when present; otherwise uses
+        exponential backoff with jitter so concurrent waiters don't synchronize
+        into bursts.
+        """
+        retry_after = _parse_retry_after(getattr(exc, "headers", None))
+        if retry_after is not None:
+            return min(retry_after, 30.0)
+        base = min(2**attempt, 16)
+        return base + random.uniform(0, base * 0.5)
+
+    @staticmethod
+    def _poll_retry_delay(exc: HTTPError, attempt: int) -> float:
+        """Seconds to wait before the next poll after a transient poll failure.
+
+        Same shape as ``_retry_delay`` but tuned for the long-lived
+        wait_for_completion loop: ``Retry-After`` is honored (capped), else
+        exponential backoff from ``_POLL_BACKOFF_BASE`` up to
+        ``_POLL_BACKOFF_CAP`` with jitter.
+        """
+        if exc.retry_after is not None:
+            return min(exc.retry_after, _POLL_BACKOFF_CAP)
+        base = min(_POLL_BACKOFF_BASE * (2**attempt), _POLL_BACKOFF_CAP)
+        return base + random.uniform(0, base * 0.5)
+
+    def _request(
+        self,
+        method: str,
+        path_parts: tuple[str, ...],
+        *,
+        body: dict | None = None,
+        body_factory: Callable[[], dict] | None = None,
+        timeout: float | None = None,
+        _retried: bool = False,
+        _attempt: int = 0,
+    ) -> Any:
+        url = self.target.url(*path_parts)
+        # Only enforce https-or-loopback when we're carrying a bearer token.
+        if self.target.is_cloud and (self.target.auth_token or self.target.api_key):
+            _assert_safe_url(url)
+        if body_factory is not None:
+            body = body_factory()
+        data = json.dumps(body).encode("utf-8") if body is not None else None
+        req = urllib.request.Request(url, data=data, method=method)
+        req.add_header("Accept", "application/json")
+        # Usage-source attribution on every ComfyUI/cloud API request so the
+        # server can tell CLI-originated traffic apart from the web UI (#468).
+        req.add_header("Comfy-Usage-Source", "comfy-cli")
+        if data is not None:
+            req.add_header("Content-Type", "application/json")
+        # Cloud auth: the policy layer (`resolve_target`) is OAuth-first and
+        # populates at most one of api_key / auth_token, so this is just the
+        # mechanic — send whichever field is set. Only attached on cloud
+        # targets so a stray auth_token on a local target can't leak
+        # credentials to a plaintext server.
+        if self.target.is_cloud:
+            if self.target.auth_token:
+                req.add_header("Authorization", f"Bearer {self.target.auth_token}")
+            elif self.target.api_key:
+                req.add_header("X-API-Key", self.target.api_key)
+        try:
+            with _OPENER.open(req, timeout=timeout or self.timeout) as resp:
+                text = resp.read().decode("utf-8", errors="replace")
+                if not text:
+                    return None
+                return json.loads(text)
+        except urllib.error.HTTPError as e:
+            body_text = ""
+            try:
+                body_text = e.read().decode("utf-8", errors="replace")
+            except Exception:  # noqa: BLE001
+                pass
+            # Auto-refresh on 401 for OAuth cloud targets, retry once.
+            if (
+                e.code == 401
+                and not _retried
+                and self.target.is_cloud
+                and self.target.auth_token
+                and self._try_refresh_token()
+            ):
+                return self._request(
+                    method,
+                    path_parts,
+                    body=body,
+                    body_factory=body_factory,
+                    timeout=timeout,
+                    _retried=True,
+                )
+            # Transient: back off and retry. 429 for any method (rejected, not
+            # processed); 5xx for idempotent GETs only.
+            retryable = e.code == 429 or (e.code in _RETRYABLE_5XX and method == "GET")
+            if retryable and _attempt < _MAX_TRANSIENT_RETRIES:
+                time.sleep(self._retry_delay(e, _attempt))
+                return self._request(
+                    method,
+                    path_parts,
+                    body=body,
+                    body_factory=body_factory,
+                    timeout=timeout,
+                    _retried=_retried,
+                    _attempt=_attempt + 1,
+                )
+            raise HTTPError(
+                e.code,
+                e.reason or "HTTP error",
+                body_text,
+                retry_after=_parse_retry_after(getattr(e, "headers", None)),
+            ) from e
+
+    # ----- submit -----
+
+    def submit_prompt(
+        self,
+        workflow: dict,
+        client_id: str,
+        *,
+        timeout: float | None = None,
+        extra_data: dict | None = None,
+    ) -> SubmitResult:
+        """POST {prefix}/prompt — submit a workflow for execution.
+
+        Caller may pass ``extra_data`` (merged into the request, not overwritten).
+        For cloud submissions, the user's OAuth token is injected as
+        ``auth_token_comfy_org`` so partner-API nodes (BFL Flux Pro, Gemini
+        Nano Banana, etc.) can call out to comfy.org — matching what the web
+        UI sends. The token rides the body in addition to the ``Authorization``
+        header because comfy_api_nodes reads it from ``extra_data``; this is a
+        gateway-layer concern, not a header-vs-body choice.
+        """
+
+        def payload() -> dict[str, Any]:
+            request_payload: dict[str, Any] = {"prompt": workflow, "client_id": client_id}
+            merged_extra: dict[str, Any] = dict(extra_data or {})
+            # Usage-source attribution rides extra_data too — the execution
+            # record keeps it even when the HTTP header is dropped by proxies.
+            merged_extra.setdefault("comfy_usage_source", "comfy-cli")
+            # Partner-API nodes (BFL, Gemini, Bria, ByteDance, etc.) read the
+            # caller's comfy.org credential out of extra_data. Rebuild this at
+            # send time so an OAuth refresh updates both the header and body.
+            if self.target.is_cloud:
+                if self.target.auth_token:
+                    merged_extra.setdefault("auth_token_comfy_org", self.target.auth_token)
+                elif self.target.api_key:
+                    merged_extra.setdefault("api_key_comfy_org", self.target.api_key)
+            if merged_extra:
+                request_payload["extra_data"] = merged_extra
+            return request_payload
+
+        resp = self._request("POST", ("prompt",), body_factory=payload, timeout=timeout)
+        if not isinstance(resp, dict) or "prompt_id" not in resp:
+            raise HTTPError(200, "missing prompt_id in response", json.dumps(resp) if resp else "")
+        return SubmitResult(
+            prompt_id=resp["prompt_id"],
+            number=resp.get("number"),
+            node_errors=resp.get("node_errors", {}) or {},
+        )
+
+    # ----- history -----
+
+    def get_history(self, prompt_id: str, *, timeout: float | None = None) -> dict | None:
+        """GET {prefix}/{history_path}/<prompt_id>.
+
+        Returns the history record, or None if not yet present (404 is transient
+        right after submit — the record is created when execution starts).
+        """
+        try:
+            resp = self._request("GET", (self.target.history_path, prompt_id), timeout=timeout)
+        except HTTPError as e:
+            if e.status == 404:
+                return None
+            raise
+        if not isinstance(resp, dict):
+            return None
+        if prompt_id in resp:
+            return resp[prompt_id]
+        if "outputs" in resp or "status" in resp or "execution_status" in resp:
+            return resp
+        return None
+
+    # ----- jobs (cloud only has a dedicated endpoint; local synthesizes) -----
+
+    def list_jobs(self, *, limit: int = 10, timeout: float | None = None) -> list[dict]:
+        """List recent + running prompts.
+
+        Cloud → GET {prefix}/jobs.
+        Local → /queue (running+pending) merged with /history (recent completions).
+        """
+        if self.target.jobs_path:
+            qs = f"?limit={int(limit)}" if limit else ""
+            resp = self._request("GET", (f"{self.target.jobs_path}{qs}",), timeout=timeout)
+            if isinstance(resp, dict):
+                items = resp.get("jobs") or []
+                return [j for j in items if isinstance(j, dict)][:limit]
+            return []
+        # Local: fall through to caller — jobs.py already has the merging logic.
+        raise NotImplementedError("local list_jobs uses /queue + /history merge — call jobs._gather_jobs")
+
+    def get_job_status(self, prompt_id: str, *, timeout: float | None = None) -> dict | None:
+        """Cloud-only: GET {prefix}/job/<id>/status."""
+        try:
+            return self._request("GET", ("job", prompt_id, "status"), timeout=timeout)
+        except HTTPError as e:
+            if e.status == 404:
+                return None
+            raise
+
+    # ----- polling helpers -----
+
+    def wait_for_completion(
+        self,
+        prompt_id: str,
+        *,
+        poll_interval: float = 2.0,
+        timeout: float = 600.0,
+        progress_probe=None,
+    ) -> dict:
+        """Block until the prompt finishes; return the final history record.
+
+        ``timeout`` is a *silence* deadline: it resets every time
+        ``progress_probe()`` returns a value different from the previous one,
+        so a job that keeps reporting forward progress can run indefinitely
+        and only a server silent for ``timeout`` seconds aborts. When
+        ``progress_probe`` is None it degrades to a wall-clock deadline.
+
+        Polls ``get_history``. Quick transient blips are retried inside
+        ``_request``; on top of that the loop itself absorbs 429/5xx poll
+        failures (a rate-limit storm, or a plain 500 the in-request layer
+        never retries) with exponential backoff — base 2s, cap 60s, jitter,
+        ``Retry-After`` honored — and only ``_MAX_POLL_FAILURES`` CONSECUTIVE
+        failures re-raise to the caller's error path. A failed poll says
+        nothing about the job, which is usually still running. A little
+        jitter on the interval keeps concurrent waiters from synchronizing
+        into request bursts that trip cloud rate limits.
+        """
+        sentinel = object()
+        last_signal = sentinel
+        last_change = time.time()
+        consecutive_failures = 0
+        while True:
+            try:
+                record = self.get_history(prompt_id)
+            except HTTPError as e:
+                if e.status != 429 and not (500 <= e.status < 600):
+                    raise
+                consecutive_failures += 1
+                if consecutive_failures >= _MAX_POLL_FAILURES:
+                    raise
+                time.sleep(self._poll_retry_delay(e, consecutive_failures - 1))
+                continue
+            consecutive_failures = 0
+            if record and _looks_done(record):
+                return record
+            if progress_probe is not None:
+                try:
+                    signal = progress_probe()
+                except Exception:  # noqa: BLE001 — a flaky probe must not abort the wait
+                    signal = last_signal
+                if signal != last_signal:
+                    last_signal = signal
+                    last_change = time.time()
+            if time.time() - last_change >= timeout:
+                raise TimeoutError(f"workflow {prompt_id} reported no progress for {timeout}s")
+            nap = poll_interval + random.uniform(0, min(poll_interval, 1.0) * 0.5)
+            time.sleep(nap)
+
+    # ----- output URL helpers -----
+
+    def view_url(self, image_info: dict) -> str:
+        """Build a fetchable /view URL for an output image record."""
+        params = {
+            "filename": image_info.get("filename", ""),
+            "subfolder": image_info.get("subfolder", ""),
+            "type": image_info.get("type", "output"),
+        }
+        # Use the target's path_prefix so cloud goes to /api/view and local to /view.
+        return f"{self.target.url('view')}?{urllib.parse.urlencode(params)}"
+
+    def extract_outputs(self, record: dict) -> list[dict]:
+        """Flatten a node-keyed history record into one dict per artifact.
+
+        Each entry is ``{"node_id", "url", "filename", "type"}`` — the node
+        association that flat URL lists drop. The record half of the flatten
+        is the pure module-level :func:`extract_output_entries`; this method
+        adds the fetchable ``url`` (which needs the client's Target).
+        """
+        return [
+            {
+                "node_id": entry["node_id"],
+                "url": self.view_url(entry),
+                "filename": entry["filename"],
+                "type": entry["type"],
+            }
+            for entry in extract_output_entries(record)
+        ]
+
+    def extract_output_urls(self, record: dict) -> list[str]:
+        return [o["url"] for o in self.extract_outputs(record)]
+
+
+def extract_output_entries(record: dict) -> list[dict]:
+    """Flatten a node-keyed history record into one entry per artifact —
+    ``{"node_id", "filename", "subfolder", "type"}`` (all strings).
+
+    Pure function, no Target needed: consumers that already hold output URLs
+    (e.g. ``comfy download`` reading a state file) can join them back to
+    producing nodes on the (filename, subfolder, type) triple — the same one
+    :meth:`Client.view_url` encodes as query params. Ordering is stable:
+    record ``outputs`` insertion order, then media-key order, then item order.
+    """
+    results: list[dict] = []
+    outputs = record.get("outputs") or {}
+    if not isinstance(outputs, dict):
+        return results
+    for node_id, node_output in outputs.items():
+        if not isinstance(node_output, dict):
+            continue
+        for key in ("images", "gifs", "videos", "audio", "files"):
+            items = node_output.get(key) or []
+            if not isinstance(items, list):
+                continue
+            for item in items:
+                if isinstance(item, dict) and "filename" in item:
+                    results.append(
+                        {
+                            "node_id": str(node_id),
+                            "filename": str(item.get("filename", "")),
+                            "subfolder": str(item.get("subfolder", "")),
+                            "type": str(item.get("type", "output")),
+                        }
+                    )
+    return results
+
+
+def _group_outputs(outputs: list[dict], item_map: dict | None) -> tuple[dict[str, list[str]], dict[str, list[str]]]:
+    """Group ``Client.extract_outputs`` entries by node and by foreach item.
+
+    Returns ``(outputs_by_node, outputs_by_item)``. ``item_map`` is the
+    blueprint compose map ``{item: {"nodes": [ids], "save_node": id, …}}``
+    stashed on the job state; a node belongs to an item when it appears in
+    the item's ``nodes`` list or is its ``save_node``. When ``item_map`` is
+    falsy, ``outputs_by_item`` is ``{}``. Items that produced nothing keep an
+    explicit empty list — a pruned branch should be visible, not absent.
+    URL ordering follows ``outputs`` ordering in both groupings.
+    """
+    by_node: dict[str, list[str]] = {}
+    by_item: dict[str, list[str]] = {}
+
+    node_to_item: dict[str, str] = {}
+    if item_map:
+        for item_id, entry in item_map.items():
+            by_item[str(item_id)] = []
+            if not isinstance(entry, dict):
+                continue
+            members = list(entry.get("nodes") or [])
+            save_node = entry.get("save_node")
+            if save_node is not None:
+                members.append(save_node)
+            for node_id in members:
+                node_to_item[str(node_id)] = str(item_id)
+
+    for entry in outputs:
+        if not isinstance(entry, dict):
+            continue
+        node_id = entry.get("node_id")
+        url = entry.get("url")
+        if node_id is None or not url:
+            continue
+        node_id = str(node_id)
+        by_node.setdefault(node_id, []).append(url)
+        item = node_to_item.get(node_id)
+        if item is not None:
+            by_item[item].append(url)
+
+    return by_node, by_item
+
+
+def _looks_done(record: dict) -> bool:
+    status = record.get("status") or record.get("execution_status") or {}
+    if isinstance(status, dict):
+        if status.get("completed") is True:
+            return True
+        if status.get("status_str") in {"success", "error", "failed"}:
+            return True
+    # Older deployments don't surface a structured status — presence of
+    # outputs is enough to call it done.
+    outputs = record.get("outputs") or {}
+    return bool(outputs)
diff --git a/comfy_cli/command/__init__.py b/comfy_cli/command/__init__.py
index ca9548de..65b8c205 100644
--- a/comfy_cli/command/__init__.py
+++ b/comfy_cli/command/__init__.py
@@ -1,3 +1,50 @@
-from . import custom_nodes, install
+"""CLI subcommand modules.
 
-__all__ = ["custom_nodes", "install"]
+Every submodule is eagerly re-exported so ``from comfy_cli.command import
+X`` is resolved via attribute lookup, not via Python's lazy
+submodule-discovery path. The lazy path was observed to flake on the
+very first ``comfy run`` of a fresh session — ``ImportError: cannot
+import name 'transfer' from 'comfy_cli.command'`` — even though the file
+existed on disk. Eager imports here pin the contract and make
+``cmdline.py``'s many ``from comfy_cli.command import X as Y_inner``
+lines robust against that race.
+
+Adding a new subcommand? Add it here AND to
+``tests/comfy_cli/command/test_command_init.py:EXPECTED_SUBMODULES``.
+"""
+
+from . import (
+    code_search,
+    custom_nodes,
+    generate,
+    install,
+    job_watcher,
+    jobs,
+    launch,
+    nodes,
+    pr_command,
+    project,
+    run,
+    run_cli,
+    templates,
+    transfer,
+    workflow,
+)
+
+__all__ = [
+    "code_search",
+    "custom_nodes",
+    "generate",
+    "install",
+    "job_watcher",
+    "jobs",
+    "launch",
+    "nodes",
+    "pr_command",
+    "project",
+    "run",
+    "run_cli",
+    "templates",
+    "transfer",
+    "workflow",
+]
diff --git a/comfy_cli/command/custom_nodes/cm_cli_util.py b/comfy_cli/command/custom_nodes/cm_cli_util.py
index 5853bf2a..43894a79 100644
--- a/comfy_cli/command/custom_nodes/cm_cli_util.py
+++ b/comfy_cli/command/custom_nodes/cm_cli_util.py
@@ -152,6 +152,7 @@ def execute_cm_cli(
         stderr_lines: list[str] = []
 
         def _drain_stderr():
+            assert process.stderr is not None
             for line in process.stderr:
                 sys.stderr.write(line)
                 sys.stderr.flush()
@@ -160,6 +161,7 @@ def _drain_stderr():
         stderr_thread = threading.Thread(target=_drain_stderr, daemon=True)
         stderr_thread.start()
 
+        assert process.stdout is not None
         stdout_lines = []
         for line in process.stdout:
             sys.stdout.write(line)
diff --git a/comfy_cli/command/custom_nodes/command.py b/comfy_cli/command/custom_nodes/command.py
index 971d99af..7f4b1c80 100644
--- a/comfy_cli/command/custom_nodes/command.py
+++ b/comfy_cli/command/custom_nodes/command.py
@@ -9,7 +9,6 @@
 from typing import Annotated
 
 import typer
-from rich import print
 from rich.console import Console
 
 from comfy_cli import constants, logging, tracking, ui, utils
@@ -24,6 +23,7 @@
     upload_file_to_signed_url,
     zip_files,
 )
+from comfy_cli.output import rprint as print  # context-aware: stderr in JSON mode
 from comfy_cli.registry import (
     RegistryAPI,
     extract_node_configuration,
@@ -1143,12 +1143,12 @@ def display_all_nodes():
     Display all nodes in the registry.
     """
 
-    nodes = None
     try:
         nodes = registry_api.list_all_nodes()
     except Exception as e:
         logging.error(f"Failed to fetch nodes from the registry: {str(e)}")
         ui.display_error_message("Failed to fetch nodes from the registry.")
+        return
 
     # Map Node data class instances to tuples for display
     node_data = [
diff --git a/comfy_cli/command/generate/app.py b/comfy_cli/command/generate/app.py
index 350b35a6..48ae3142 100644
--- a/comfy_cli/command/generate/app.py
+++ b/comfy_cli/command/generate/app.py
@@ -25,7 +25,8 @@
 from rich.progress import Progress, SpinnerColumn, TextColumn, TimeElapsedColumn
 
 from comfy_cli import tracking, ui
-from comfy_cli.command.generate import adapters, client, output, poll, schema, spec, upload
+from comfy_cli.command.generate import adapters, client, emit, output, poll, schema, spec, upload
+from comfy_cli.output.renderer import get_renderer
 
 _HELP = "Generate images via ComfyUI partner nodes (Flux, Ideogram, DALL·E, Recraft, Stability, …)."
 
@@ -83,7 +84,7 @@ def _generate_entry(
 
 def _separate_meta_flags(extra_args: list[str]) -> tuple[list[str], dict[str, str | bool]]:
     """Pull run-level flags out of the user's argv tail."""
-    meta_names = {"download", "async", "json", "timeout", "api-key"}
+    meta_names = {"download", "async", "json", "timeout", "api-key", "emit-workflow", "output-prefix"}
     meta: dict[str, str | bool] = {}
     remaining: list[str] = []
     i = 0
@@ -210,9 +211,13 @@ def _track_error(error_kind: str, exc: BaseException) -> None:
         gen_props["async"] = do_async
         gen_props["has_download"] = bool(download)
 
+        emit_path = meta.get("emit-workflow") if isinstance(meta.get("emit-workflow"), str) else None
         flags = schema.flags_for(ep)
         try:
-            values = schema.parse_args(flags, remaining)
+            # In emit mode the partner node carries its own defaults, so don't
+            # force every proxy-required flag — let the user override only what
+            # they want.
+            values = schema.parse_args(flags, remaining, require_all=not emit_path)
         except schema.SchemaError as e:
             rprint(f"[bold red]{e}[/bold red]")
             name = gen_props["model_alias"] or ep.id
@@ -220,6 +225,37 @@ def _track_error(error_kind: str, exc: BaseException) -> None:
             _track_error("schema", e)
             raise typer.Exit(code=1)
 
+        if emit_path:
+            # Emit a runnable workflow that drives the partner *node* and return
+            # — no proxy call, no API key required. The artifact is the result.
+            name = gen_props["model_alias"] or ep.id
+            prefix = meta.get("output-prefix") if isinstance(meta.get("output-prefix"), str) else "generate"
+            renderer = get_renderer()
+            try:
+                workflow = emit.write_workflow(name, values, Path(emit_path).expanduser(), output_prefix=prefix)
+            except (emit.EmitError, OSError) as e:
+                _track_error("emit", e)
+                hint = (
+                    "check destination path permissions and parent directory"
+                    if isinstance(e, OSError)
+                    else "check the model name and that all required inputs are provided"
+                )
+                renderer.error(
+                    code="emit_workflow_failed",
+                    message=str(e),
+                    hint=hint,
+                )
+                raise typer.Exit(code=1) from e
+            tracking.track_event("generate:emit", {**gen_props, "node_count": len(workflow)})
+            if renderer.is_pretty():
+                rprint(f"[bold green]Wrote workflow:[/bold green] {emit_path}")
+                rprint(f"  run it: comfy run --workflow {emit_path}")
+            renderer.emit(
+                {"out": str(Path(emit_path).expanduser()), "model": name, "nodes": len(workflow)},
+                command="generate emit-workflow",
+            )
+            return
+
         try:
             api_key = client.resolve_api_key(meta.get("api-key") if isinstance(meta.get("api-key"), str) else None)
         except client.ApiError as e:
@@ -568,6 +604,10 @@ def _print_top_help() -> None:
         '  comfy generate ideogram-edit --image cat.png --mask m.png --prompt "add sunglasses" --rendering_speed TURBO'
     )
     rprint('  comfy generate dalle --prompt "a watercolor whale" --download whale.png')
+    rprint(
+        '  comfy generate flux-pro --prompt "a fox" --emit-workflow flux.json   '
+        "[dim]# write a runnable workflow instead of calling the proxy[/dim]"
+    )
     rprint("")
     rprint("[bold]Actions:[/bold]")
     rprint("  comfy generate list                    Browse available models")
@@ -576,4 +616,6 @@ def _print_top_help() -> None:
     rprint("  comfy generate upload <file-or-url>    Host a local file or remote URL and print its signed URL")
     rprint("  comfy generate resume <model> <job>    Resume an async job")
     rprint("")
-    rprint("[dim]Auth: set COMFY_API_KEY or pass --api-key. Get one at https://platform.comfy.org.[/dim]")
+    rprint(
+        "[dim]Auth: run `comfy cloud login` (session outranks env var), set COMFY_API_KEY, or pass --api-key. Get one at https://platform.comfy.org.[/dim]"
+    )
diff --git a/comfy_cli/command/generate/client.py b/comfy_cli/command/generate/client.py
index 93f01356..10664979 100644
--- a/comfy_cli/command/generate/client.py
+++ b/comfy_cli/command/generate/client.py
@@ -9,7 +9,6 @@
 
 from __future__ import annotations
 
-import os
 from pathlib import Path
 from typing import Any
 
@@ -27,17 +26,34 @@ def __init__(self, status: int, body: str, message: str | None = None) -> None:
 
 
 def resolve_api_key(explicit: str | None = None) -> str:
-    """Order: explicit flag → COMFY_API_KEY env var. Raise if neither set."""
-    key = explicit.strip() if isinstance(explicit, str) and explicit.strip() else os.environ.get("COMFY_API_KEY", "")
-    key = key.strip()
-    if not key:
-        raise ApiError(
-            401,
-            "",
-            "No API key. Pass --api-key or set COMFY_API_KEY in your environment. "
-            "Generate one at https://platform.comfy.org/api-keys.",
-        )
-    return key
+    """Resolve a credential for the partner-API proxy.
+
+    OAuth-first: when a live OAuth session is present it is preferred over
+    ambient API keys (``COMFY_API_KEY`` env / stored key), because OAuth is
+    the CLI's primary auth path and API keys are on a deprecation path. The
+    only thing that outranks the session is an explicit ``--api-key`` flag —
+    a deliberate per-call override. Resolution order (shared chain in
+    ``comfy_cli.credentials``, ``purpose="partner"``):
+    explicit flag → live OAuth session (refreshed if near expiry) →
+    ``COMFY_API_KEY`` env → stored key. Raise if none resolve.
+
+    The proxy validates a non-``comfyui-`` bearer token as a Firebase JWT
+    (see ``_auth_headers``), so the same session that powers
+    ``comfy run --where cloud`` authenticates partner-API calls too — no
+    separate API key required.
+    """
+    from comfy_cli.credentials import resolve_cloud_credential
+
+    cred = resolve_cloud_credential(purpose="partner", explicit=explicit, refresh=True)
+    if cred is not None:
+        return cred.value
+
+    raise ApiError(
+        401,
+        "",
+        "Not signed in. Run `comfy cloud login`, or pass --api-key / set "
+        "COMFY_API_KEY (get one at https://platform.comfy.org/api-keys).",
+    )
 
 
 def _split_payload(
diff --git a/comfy_cli/command/generate/emit.py b/comfy_cli/command/generate/emit.py
new file mode 100644
index 00000000..6ff0b152
--- /dev/null
+++ b/comfy_cli/command/generate/emit.py
@@ -0,0 +1,238 @@
+"""Emit a runnable API-format workflow that calls a partner *node* instead of
+the proxy endpoint.
+
+``comfy generate <model> …`` calls the partner through Comfy's HTTP proxy. That
+is convenient but leaves no reusable artifact: no workflow JSON you can re-run,
+edit, or drop into a fragment pipeline. The same partner models also exist as
+ComfyUI **API NODES**. ``--emit-workflow <path>`` takes the exact same
+``--param`` values the proxy path would consume and writes an API-format
+workflow that drives the partner node, plus a ``SaveImage``/``SaveVideo`` so the
+result lands on disk when run with ``comfy run``.
+
+The proxy-model → node-class mapping is intentionally small and explicit: it
+covers the common partner models and fails loudly (listing what *is* supported)
+for everything else, rather than guessing a node class that may not exist.
+"""
+
+from __future__ import annotations
+
+import json
+from dataclasses import dataclass, field
+from pathlib import Path
+from typing import Any
+
+from comfy_cli.command.generate import spec
+
+
+class EmitError(RuntimeError):
+    """``--emit-workflow`` cannot map this model to a partner node."""
+
+
+@dataclass(frozen=True)
+class NodeSpec:
+    """How to render one partner model as a ComfyUI node.
+
+    ``param_map`` maps a ``comfy generate`` flag name → the partner node's input
+    key. ``image_params`` lists flag names whose value is a local image path
+    that must be materialized with a ``LoadImage`` node and wired into the
+    partner node's matching input. ``fixed`` are node inputs always set to a
+    constant (defaults the node requires but that ``generate`` doesn't surface).
+    ``output`` selects the save node (IMAGE → SaveImage, VIDEO → SaveVideo) and
+    the partner node's output port that carries the media.
+    """
+
+    node_class: str
+    param_map: dict[str, str]
+    output: str  # "IMAGE" | "VIDEO"
+    fixed: dict[str, Any] = field(default_factory=dict)
+    image_params: dict[str, str] = field(default_factory=dict)  # flag -> node input key
+    media_port: int = 0
+
+
+# proxy model alias → partner node spec. Param keys are the *generate* flag
+# names (the openapi property names a user already types today); values are the
+# real node input keys, taken from `comfy nodes show <ClassName>`.
+MODEL_NODE_MAP: dict[str, NodeSpec] = {
+    # Google Gemini Flash Image (nano-banana). Node: GeminiImageNode.
+    "nano-banana": NodeSpec(
+        node_class="GeminiImageNode",
+        param_map={
+            "prompt": "prompt",
+            "model": "model",
+            "seed": "seed",
+            "aspect_ratio": "aspect_ratio",
+        },
+        image_params={"image": "images", "images": "images"},
+        fixed={"model": "gemini-2.5-flash-image", "seed": 42},
+        output="IMAGE",
+    ),
+    # ByteDance Seedance image-to-video. Node: ByteDanceImageToVideoNode.
+    "seedance": NodeSpec(
+        node_class="ByteDanceImageToVideoNode",
+        param_map={
+            "prompt": "prompt",
+            "model": "model",
+            "resolution": "resolution",
+            "aspect_ratio": "aspect_ratio",
+            "duration": "duration",
+            "seed": "seed",
+        },
+        image_params={"image": "image"},
+        fixed={
+            "model": "seedance-1-0-pro-fast-251015",
+            "resolution": "720p",
+            "aspect_ratio": "16:9",
+            "duration": 5,
+        },
+        output="VIDEO",
+    ),
+    # BFL Flux (text-to-image). Node: Flux2ProImageNode.
+    "flux-pro": NodeSpec(
+        node_class="Flux2ProImageNode",
+        param_map={
+            "prompt": "prompt",
+            "width": "width",
+            "height": "height",
+            "seed": "seed",
+            "prompt_upsampling": "prompt_upsampling",
+        },
+        fixed={"width": 1024, "height": 768, "seed": 0, "prompt_upsampling": True},
+        output="IMAGE",
+    ),
+    "flux-2": NodeSpec(
+        node_class="Flux2ProImageNode",
+        param_map={
+            "prompt": "prompt",
+            "width": "width",
+            "height": "height",
+            "seed": "seed",
+            "prompt_upsampling": "prompt_upsampling",
+        },
+        fixed={"width": 1024, "height": 768, "seed": 0, "prompt_upsampling": True},
+        output="IMAGE",
+    ),
+    # Kling image-to-video. Node: KlingImage2VideoNode.
+    "kling-i2v": NodeSpec(
+        node_class="KlingImage2VideoNode",
+        param_map={
+            "prompt": "prompt",
+            "negative_prompt": "negative_prompt",
+            "model_name": "model_name",
+            "cfg_scale": "cfg_scale",
+            "mode": "mode",
+            "aspect_ratio": "aspect_ratio",
+            "duration": "duration",
+        },
+        image_params={"image": "start_frame", "start_frame": "start_frame"},
+        fixed={
+            "negative_prompt": "",
+            "model_name": "kling-v2-master",
+            "cfg_scale": 0.8,
+            "mode": "std",
+            "aspect_ratio": "16:9",
+            "duration": "5",
+        },
+        output="VIDEO",
+    ),
+}
+
+
+def supported_models() -> list[str]:
+    """Aliases that ``--emit-workflow`` knows how to render as a node."""
+    return sorted(MODEL_NODE_MAP)
+
+
+def _resolve_model(model: str) -> tuple[str, NodeSpec]:
+    """Map a user-typed model to a (alias, NodeSpec). Accepts an alias or the
+    canonical endpoint id that an alias resolves to."""
+    if model in MODEL_NODE_MAP:
+        return model, MODEL_NODE_MAP[model]
+    canonical = spec.resolve_alias(model)
+    pref = spec.preferred_alias(canonical)
+    if pref and pref in MODEL_NODE_MAP:
+        return pref, MODEL_NODE_MAP[pref]
+    raise EmitError(
+        f"--emit-workflow does not support model {model!r}.\n"
+        f"Supported models: {', '.join(supported_models())}.\n"
+        "These map to ComfyUI API nodes; other proxy models have no node mapping yet."
+    )
+
+
+def build_workflow(model: str, values: dict[str, Any], *, output_prefix: str = "generate") -> dict[str, Any]:
+    """Build an API-format workflow that drives the partner node for ``model``.
+
+    ``values`` are the parsed ``--param`` values (same dict the proxy client
+    receives). Local-file image params are materialized as ``LoadImage`` nodes
+    and wired into the partner node; scalar params override the node's fixed
+    defaults. A ``SaveImage``/``SaveVideo`` is appended so ``comfy run`` writes
+    the result to disk.
+    """
+    _alias, ns = _resolve_model(model)
+
+    node_inputs: dict[str, Any] = dict(ns.fixed)
+
+    next_id = 2  # the partner node is "1"; loaders/save get 2, 3, …
+
+    # Image-path params → LoadImage nodes wired into the partner node.
+    workflow: dict[str, Any] = {}
+    for flag, node_key in ns.image_params.items():
+        raw = values.get(flag)
+        if raw is None:
+            continue
+        if isinstance(raw, (list, tuple)):
+            raise EmitError(
+                f"--{flag} received multiple files, but emit-workflow currently "
+                "maps this input to a single LoadImage node."
+            )
+        path = str(Path(raw).expanduser())
+        loader_id = str(next_id)
+        next_id += 1
+        workflow[loader_id] = {
+            "class_type": "LoadImage",
+            "_meta": {"title": f"load {Path(path).name}"},
+            "inputs": {"image": path},
+        }
+        node_inputs[node_key] = [loader_id, 0]
+
+    # Scalar params → node inputs, honoring the explicit param_map.
+    for flag, node_key in ns.param_map.items():
+        if flag in values and values[flag] is not None:
+            node_inputs[node_key] = values[flag]
+
+    partner = {
+        "class_type": ns.node_class,
+        "_meta": {"title": f"{ns.node_class} ({model})"},
+        "inputs": node_inputs,
+    }
+    workflow["1"] = partner
+
+    save_id = str(next_id)
+    if ns.output == "VIDEO":
+        workflow[save_id] = {
+            "class_type": "SaveVideo",
+            "_meta": {"title": "save generated video"},
+            "inputs": {
+                "video": ["1", ns.media_port],
+                "filename_prefix": output_prefix,
+                "format": "mp4",
+                "codec": "h264",
+            },
+        }
+    else:
+        workflow[save_id] = {
+            "class_type": "SaveImage",
+            "_meta": {"title": "save generated image"},
+            "inputs": {"images": ["1", ns.media_port], "filename_prefix": output_prefix},
+        }
+    return workflow
+
+
+def write_workflow(
+    model: str, values: dict[str, Any], path: Path, *, output_prefix: str = "generate"
+) -> dict[str, Any]:
+    """Build the workflow for ``model`` and write it to ``path`` as JSON.
+    Returns the workflow dict. Raises ``EmitError`` on an unsupported model."""
+    workflow = build_workflow(model, values, output_prefix=output_prefix)
+    path.parent.mkdir(parents=True, exist_ok=True)
+    path.write_text(json.dumps(workflow, indent=2) + "\n", encoding="utf-8")
+    return workflow
diff --git a/comfy_cli/command/generate/output.py b/comfy_cli/command/generate/output.py
index 7210a66a..66eaedae 100644
--- a/comfy_cli/command/generate/output.py
+++ b/comfy_cli/command/generate/output.py
@@ -122,3 +122,9 @@ def print_saved(paths: list[Path]) -> None:
     rprint("[bold green]Saved:[/bold green]")
     for p in paths:
         rprint(f"  {p}")
+
+    # Show inline previews for human users
+    from comfy_cli.output.preview import preview
+
+    for p in paths:
+        preview(p)
diff --git a/comfy_cli/command/generate/schema.py b/comfy_cli/command/generate/schema.py
index fb6b3ed8..aaa67d61 100644
--- a/comfy_cli/command/generate/schema.py
+++ b/comfy_cli/command/generate/schema.py
@@ -164,7 +164,7 @@ def _coerce(flag: FlagDef, raw: str) -> Any:
     raise SchemaError(f"--{flag.name}: unknown kind {flag.kind!r}")  # unreachable
 
 
-def parse_args(flags: list[FlagDef], argv: list[str]) -> dict[str, Any]:
+def parse_args(flags: list[FlagDef], argv: list[str], *, require_all: bool = True) -> dict[str, Any]:
     """Parse ``argv`` against the given flag list. Returns {name: typed_value}.
 
     Recognized forms:
@@ -172,6 +172,10 @@ def parse_args(flags: list[FlagDef], argv: list[str]) -> dict[str, Any]:
       --name=value
       --name           (only for boolean flags; means True)
       --no-name        (only for boolean flags; means False)
+
+    ``require_all=False`` skips the required-argument check — used by
+    ``--emit-workflow``, where the partner node supplies its own defaults so the
+    user need only override what they care about.
     """
     by_name = {f.name: f for f in flags}
     # Also accept dash-separated aliases so `--no-X` matching can't collide with
@@ -216,7 +220,7 @@ def parse_args(flags: list[FlagDef], argv: list[str]) -> dict[str, Any]:
             i += 1
         values[flag.name] = _coerce(flag, raw)
 
-    missing = [f.name for f in flags if f.required and f.name not in values]
+    missing = [f.name for f in flags if f.required and f.name not in values] if require_all else []
     if missing:
         joined = ", ".join(f"--{m}" for m in missing)
         raise SchemaError(f"Missing required argument(s): {joined}")
@@ -256,7 +260,8 @@ def help_text(endpoint: Endpoint, flags: list[FlagDef]) -> str:
     lines.append("  --async            Submit and return job id without waiting.")
     lines.append("  --json             Emit raw JSON response instead of pretty output.")
     lines.append("  --timeout <sec>    Override sync-poll timeout (default 300).")
-    lines.append("  --api-key <key>    Override COMFY_API_KEY env var.")
+    lines.append("  --api-key <key>    Per-call override. Auth: --api-key > login session > COMFY_API_KEY env.")
+    lines.append("  --emit-workflow <path>  Write a runnable partner-node workflow instead of calling the proxy.")
     return "\n".join(line for line in lines if line is not None)
 
 
diff --git a/comfy_cli/command/generate/spec.py b/comfy_cli/command/generate/spec.py
index a0bd53c8..f0052e37 100644
--- a/comfy_cli/command/generate/spec.py
+++ b/comfy_cli/command/generate/spec.py
@@ -68,7 +68,7 @@ class Endpoint:
 
 # Short, creative-facing aliases mapping to the curated openapi paths below.
 # Aliases are what end users actually type: `comfy generate flux-pro --prompt …`.
-# The full openapi path remains accepted as a power-user escape hatch.
+# The full openapi path remains accepted as an escape hatch.
 _ALIASES: dict[str, str] = {
     # Flux / BFL
     "flux-pro": "bfl/flux-pro-1.1/generate",
diff --git a/comfy_cli/command/install.py b/comfy_cli/command/install.py
index a6d6ac52..579589ad 100755
--- a/comfy_cli/command/install.py
+++ b/comfy_cli/command/install.py
@@ -10,7 +10,6 @@
 import requests
 import semver
 import typer
-from rich import print as rprint
 from rich.console import Console
 from rich.panel import Panel
 from rich.prompt import Confirm
@@ -21,6 +20,7 @@
 from comfy_cli.constants import GPU_OPTION
 from comfy_cli.cuda_detect import DEFAULT_CUDA_TAG
 from comfy_cli.git_utils import checkout_pr, git_checkout_tag
+from comfy_cli.output import rprint
 from comfy_cli.resolve_python import ensure_workspace_python
 from comfy_cli.uv import DependencyCompiler
 from comfy_cli.workspace_manager import WorkspaceManager, check_comfy_repo
@@ -45,7 +45,7 @@ def _pip_install_torch(python: str, index_args: list[str]) -> subprocess.Complet
 
 def pip_install_comfyui_dependencies(
     repo_dir,
-    gpu: GPU_OPTION,
+    gpu: GPU_OPTION | None,
     plat: constants.OS,
     cuda_version: constants.CUDAVersion | None,
     skip_torch_or_directml: bool,
@@ -150,7 +150,7 @@ def execute(
     skip_manager: bool,
     version: str,
     commit: str | None = None,
-    gpu: constants.GPU_OPTION = None,
+    gpu: constants.GPU_OPTION | None = None,
     cuda_version: constants.CUDAVersion | None = None,
     cuda_tag: str | None = None,
     rocm_version: constants.ROCmVersion = constants.ROCmVersion.v6_3,
diff --git a/comfy_cli/command/job_watcher.py b/comfy_cli/command/job_watcher.py
new file mode 100644
index 00000000..926d7367
--- /dev/null
+++ b/comfy_cli/command/job_watcher.py
@@ -0,0 +1,302 @@
+"""Detached background watcher for an in-flight prompt.
+
+Invoked as ``comfy _watch-job <prompt_id> --where local|cloud …`` by
+``comfy run`` when the user submits a workflow without ``--wait``. Polls
+the server for status, mirrors the result into the on-disk state file
+(see :mod:`comfy_cli.jobs_state`), and fires a system notification when
+the prompt reaches a terminal state.
+
+Hidden from the public surface — agents address jobs via
+``comfy jobs status <id>`` or by reading the state file directly. This
+command is purely the worker that the foreground ``run`` detaches.
+"""
+
+from __future__ import annotations
+
+import os
+import shutil
+import subprocess
+import sys
+import time
+from typing import Annotated, Any
+
+import typer
+
+from comfy_cli import execution_errors, jobs_state
+
+app = typer.Typer(hidden=True)
+
+
+# How long to wait between polls. Cheap enough not to hammer the server,
+# fast enough that a 30s job completes within one poll of finishing.
+_POLL_INTERVAL_S = 2.0
+# Absolute ceiling. A job that hasn't moved in this long → give up and let
+# the file's last status stand. Equivalent to a stuck-process timeout.
+_MAX_RUNTIME_S = 60 * 60 * 6  # 6 hours
+# Statuses we recognize as legitimately in-flight: local snapshot values plus
+# raw cloud statuses that pass through _CLOUD_STATUS_MAP unmapped. Anything
+# else that is non-terminal is "unknown" — see the stall guard in watch_job.
+_KNOWN_INFLIGHT_STATUSES = {"queued", "pending", "running", "executing", "allocated", "uploading"}
+# An unknown status unchanged for this long → terminal error instead of
+# letting the watcher idle for the full 6h ceiling on a status we can't map.
+_UNKNOWN_STALL_S = 300.0
+
+
+@app.command("_watch-job")
+def watch_job(
+    prompt_id: Annotated[str, typer.Argument()],
+    where: Annotated[str, typer.Option("--where")],
+    host: Annotated[str | None, typer.Option("--host")] = None,
+    port: Annotated[int | None, typer.Option("--port")] = None,
+    notify: Annotated[bool, typer.Option("--notify/--no-notify")] = True,
+):
+    state = jobs_state.read(prompt_id)
+    if state is None:
+        # No state file → nothing to watch. Submit must always write the
+        # state file before spawning us, so this shouldn't happen in
+        # practice; exit quietly.
+        return
+
+    state.watcher_pid = os.getpid()
+    jobs_state.write(state)
+
+    cloud_client = None
+    if where == "cloud":
+        try:
+            from comfy_cli.comfy_client import Client
+            from comfy_cli.target import resolve_target
+
+            target = resolve_target(where="cloud")
+            # Watcher context: read-mostly background poller. A reactive refresh
+            # may freshen the access token, but a *fatal* refresh failure must
+            # never clear the shared session — the foreground command owns the
+            # session lifecycle, and a transient mid-run blip should not log the
+            # user off.
+            cloud_client = Client(target, timeout=30.0, clear_session_on_auth_failure=False)
+        except Exception:  # noqa: BLE001
+            pass
+
+    start = time.time()
+    # Unknown-status stall guard bookkeeping: the unrecognized status we are
+    # currently watching, and when we first saw it.
+    unknown_status: str | None = None
+    unknown_since = 0.0
+    while True:
+        if time.time() - start > _MAX_RUNTIME_S:
+            prior_status = state.status
+            state.status = "error"
+            state.error = {
+                "code": "watcher_timeout",
+                "message": f"Watcher gave up after {_MAX_RUNTIME_S}s without a terminal status.",
+                "details": {"last_status": prior_status},
+            }
+            jobs_state.write(state)
+            break
+
+        if where == "cloud":
+            terminal = _poll_cloud_once(state, client=cloud_client)
+        else:
+            terminal = _poll_local_once(state, host=host, port=port)
+
+        jobs_state.write(state)
+        if terminal:
+            break
+
+        # Stall guard: a non-terminal status we do not recognize (a future
+        # cloud status missing from _CLOUD_STATUS_MAP) must not hang the
+        # watcher for the full 6h ceiling. Unchanged for _UNKNOWN_STALL_S →
+        # declare a terminal error naming the raw status.
+        if state.status in _KNOWN_INFLIGHT_STATUSES:
+            unknown_status = None
+        else:
+            now = time.time()
+            if state.status != unknown_status:
+                unknown_status = state.status
+                unknown_since = now
+            elif now - unknown_since >= _UNKNOWN_STALL_S:
+                state.status = "error"
+                state.error = {
+                    "code": "unknown_status_stall",
+                    "message": (
+                        f"cloud reported unrecognized status {unknown_status!r} and it "
+                        f"did not change within {_UNKNOWN_STALL_S:.0f}s; giving up"
+                    ),
+                    "details": {"raw_status": unknown_status, "stall_window_s": _UNKNOWN_STALL_S},
+                }
+                jobs_state.write(state)
+                break
+
+        time.sleep(_POLL_INTERVAL_S)
+
+    if notify:
+        _notify(state)
+
+
+# ---------------------------------------------------------------------------
+# polling backends
+# ---------------------------------------------------------------------------
+
+
+def _poll_local_once(state: jobs_state.JobState, *, host: str | None, port: int | None) -> bool:
+    """Update ``state`` in-place from a local ComfyUI server. Return True if terminal."""
+    from comfy_cli.command import jobs as jobs_module
+
+    h = host or state.host or "127.0.0.1"
+    p = port or state.port or 8188
+    try:
+        snap = jobs_module._snapshot(h, p, state.prompt_id)
+    except Exception as e:  # noqa: BLE001 — never crash the watcher on transient errors
+        state.error = {"code": "watcher_poll_error", "message": str(e), "details": {}}
+        return False
+
+    if snap is None:
+        # No record yet — keep polling.
+        return False
+
+    # Clear any transient poll error from a previous cycle.
+    state.error = None
+    snap_status = str(snap.get("status") or "queued")
+    state.status = snap_status
+    if snap_status == "completed":
+        state.outputs = list(snap.get("outputs") or [])
+        return True
+    if snap_status == "error":
+        state.error = {
+            "code": "execution_error",
+            "message": "ComfyUI reported an execution error.",
+            "details": snap,
+        }
+        return True
+    if snap_status == "cancelled":
+        state.error = {
+            "code": "cancelled",
+            "message": "Job was interrupted/cancelled.",
+            "details": {},
+        }
+        return True
+    return False
+
+
+_CLOUD_STATUS_MAP = {
+    "success": "completed",
+    "completed": "completed",
+    "failed": "error",
+    "error": "error",
+    "non_retryable_error": "error",
+    "lost": "error",
+    "cancelled": "cancelled",
+    "canceled": "cancelled",
+}
+
+
+def _poll_cloud_once(state: jobs_state.JobState, *, client: Any = None) -> bool:
+    """Update ``state`` in-place from Comfy Cloud. Return True if terminal."""
+    try:
+        if client is None:
+            from comfy_cli.comfy_client import Client
+            from comfy_cli.target import resolve_target
+
+            target = resolve_target(where="cloud")
+            # Watcher context — never clear the shared session on a fatal
+            # refresh failure (see the note in ``watch_job``).
+            client = Client(target, timeout=30.0, clear_session_on_auth_failure=False)
+        record = client.get_job_status(state.prompt_id)
+    except Exception as e:  # noqa: BLE001
+        state.error = {"code": "watcher_poll_error", "message": str(e), "details": {}}
+        return False
+
+    if record is None:
+        return False
+
+    # Clear any transient poll error from a previous cycle.
+    state.error = None
+    raw = str(record.get("status") or "queued").lower()
+    state.status = _CLOUD_STATUS_MAP.get(raw, raw)
+
+    if state.status == "completed":
+        # Cloud's /api/job/<id>/status sometimes includes outputs directly;
+        # if not, fetch from history. Match the snapshot logic in jobs.py.
+        outputs = record.get("outputs")
+        if isinstance(outputs, list) and outputs:
+            state.outputs = list(outputs)
+        else:
+            try:
+                history = client.get_history(state.prompt_id)
+                if history:
+                    # Stash the full node-keyed record so downstream consumers
+                    # (grouped outputs, item-named downloads) need no extra call.
+                    state.record = history
+                    state.outputs = client.extract_output_urls(history)
+            except Exception:  # noqa: BLE001 — best effort, state already terminal
+                pass
+        return True
+    if state.status == "error":
+        verdict = execution_errors.classify(record.get("error_message"))
+        state.error = {
+            "code": verdict["code"],
+            "message": verdict["message"],
+            "hint": verdict["hint"],
+            "details": {
+                **verdict["details"],
+                **{k: record.get(k) for k in ("assigned_inference", "created_at", "updated_at")},
+            },
+        }
+        return True
+    if state.status == "cancelled":
+        state.error = {
+            "code": "cancelled",
+            "message": record.get("error_message") or "Cloud job was cancelled.",
+            "details": {k: record.get(k) for k in ("assigned_inference", "created_at", "updated_at")},
+        }
+        return True
+    return False
+
+
+# ---------------------------------------------------------------------------
+# notification
+# ---------------------------------------------------------------------------
+
+
+def _notify(state: jobs_state.JobState) -> None:
+    """Best-effort system notification. Silently no-ops if unavailable.
+
+    macOS: ``osascript -e 'display notification …'``
+    Linux: ``notify-send``
+    Fallback: write to stderr (and ring the terminal bell).
+    """
+    title = "comfy"
+    short_id = state.prompt_id[:8]
+    if state.status == "completed":
+        body = f"✓ {short_id} completed ({len(state.outputs)} output(s))"
+    elif state.status == "error":
+        body = f"✗ {short_id} failed: {(state.error or {}).get('message', 'unknown')[:120]}"
+    elif state.status == "cancelled":
+        body = f"⊘ {short_id} cancelled"
+    else:
+        body = f"{short_id} → {state.status}"
+
+    if sys.platform == "darwin" and shutil.which("osascript"):
+        _try_run(["osascript", "-e", f"display notification {_apple_quote(body)} with title {_apple_quote(title)}"])
+        return
+    if shutil.which("notify-send"):
+        _try_run(["notify-send", title, body])
+        return
+    # Fallback — write to stderr so a still-attached terminal sees it.
+    try:
+        sys.stderr.write(f"\a[{title}] {body}\n")
+        sys.stderr.flush()
+    except OSError:
+        pass
+
+
+def _try_run(argv: list[str]) -> None:
+    try:
+        subprocess.run(argv, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=False, timeout=5)
+    except (OSError, subprocess.SubprocessError):
+        pass
+
+
+def _apple_quote(s: str) -> str:
+    """Quote a string for AppleScript: wrap in double quotes, escape \\ and \"."""
+    escaped = s.replace("\\", "\\\\").replace('"', '\\"')
+    return f'"{escaped}"'
diff --git a/comfy_cli/command/jobs.py b/comfy_cli/command/jobs.py
new file mode 100644
index 00000000..28da07e4
--- /dev/null
+++ b/comfy_cli/command/jobs.py
@@ -0,0 +1,1395 @@
+"""``comfy jobs`` — list, status, and live-watch ComfyUI prompts.
+
+The ComfyUI server already speaks WebSocket: every node-execution event is
+pushed to every connected ``/ws?clientId=…`` client, tagged with the
+``prompt_id`` it belongs to. We use that channel as the live "push" feed —
+no daemon, no polling.
+
+Three subcommands:
+
+- ``comfy jobs ls``        — combine ``/queue`` (running + pending) and
+                              ``/history`` (recent completions) into one
+                              ordered list.
+- ``comfy jobs status``    — one-shot snapshot of a single prompt_id from
+                              ``/history``.
+- ``comfy jobs watch``     — live-tail the WS feed, filter on prompt_id,
+                              emit events as they arrive (pretty progress
+                              bar or NDJSON depending on mode).
+"""
+
+from __future__ import annotations
+
+import json
+import os
+import time
+import urllib.error
+import urllib.parse
+import urllib.request
+import uuid
+from dataclasses import dataclass
+from datetime import datetime
+from typing import Annotated, Any
+
+import typer
+from websocket import WebSocket, WebSocketException, WebSocketTimeoutException
+
+from comfy_cli import cancellation, execution_errors, tracking
+from comfy_cli.config_manager import ConfigManager
+from comfy_cli.env_checker import check_comfy_server_running
+from comfy_cli.output import get_renderer
+
+app = typer.Typer(no_args_is_help=True, help="List, inspect, and live-watch ComfyUI prompts.")
+
+
+DEFAULT_HOST = "127.0.0.1"
+DEFAULT_PORT = 8188
+
+
+def _is_pid_alive(pid: int) -> bool:
+    """Check if a process with the given PID is still running."""
+    if pid <= 0:
+        return False
+    try:
+        os.kill(pid, 0)  # signal 0 = existence check, no actual signal sent
+        return True
+    except ProcessLookupError:
+        return False
+    except PermissionError:
+        # Process exists but we can't signal it — still alive.
+        return True
+
+
+# ---------------------------------------------------------------------------
+# Host/port resolution (reuse the same precedence as `comfy run`)
+# ---------------------------------------------------------------------------
+
+
+_UNSAFE_HOST_CHARS = frozenset("/@?#")
+
+
+def _validate_host(host: str) -> str:
+    """Reject host values that could cause URL injection."""
+    if any(c in host for c in _UNSAFE_HOST_CHARS):
+        raise typer.BadParameter(f"invalid host: {host!r} (contains URL-special characters)")
+    return host
+
+
+def _resolve_host_port(host: str | None, port: int | None) -> tuple[str, int]:
+    cfg = ConfigManager()
+    bg = cfg.background
+    if not host and bg is not None:
+        host = bg[0]
+    if not port and bg is not None:
+        port = bg[1]
+    h = _validate_host(host or DEFAULT_HOST)
+    # Bracket IPv6 literals so callers building "http://{host}:{port}" /
+    # "ws://{host}:{port}" produce valid URLs (e.g. "::1" -> "[::1]").
+    if ":" in h and not h.startswith("["):
+        h = f"[{h}]"
+    return (h, int(port or DEFAULT_PORT))
+
+
+def _server_or_error(host: str, port: int, *, raise_on_missing: bool = True) -> bool:
+    """Return True if the server is up. If ``raise_on_missing`` is True (the
+    default) we emit the error envelope and exit; if False, we return False so
+    the caller can fall back to a different source (e.g. on-disk state files).
+    """
+    if check_comfy_server_running(port, host):
+        return True
+    if not raise_on_missing:
+        return False
+    renderer = get_renderer()
+    renderer.error(
+        code="server_not_running",
+        message=f"ComfyUI not running on {host}:{port}",
+        hint="run: comfy launch",
+        details={"host": host, "port": port},
+    )
+    raise typer.Exit(code=1)
+
+
+def _http_get_json(url: str, *, timeout: float = 10.0) -> Any:
+    req = urllib.request.Request(url)
+    try:
+        with urllib.request.urlopen(req, timeout=timeout) as resp:
+            return json.loads(resp.read())
+    except urllib.error.URLError as e:
+        raise RuntimeError(f"failed to GET {url}: {e}") from e
+
+
+# ---------------------------------------------------------------------------
+# Terminal job verdict — shared helper for `jobs watch` (local + cloud)
+# ---------------------------------------------------------------------------
+
+# Terminal job status -> (ok, error_code, exit_code). A failed or cancelled job
+# must surface ok:false + non-zero exit so `comfy --json jobs watch $ID && next`
+# stops. Mirrors `run --wait` (command/run/__init__.py).
+_TERMINAL_VERDICT: dict[str, tuple[bool, str | None, int]] = {
+    "completed": (True, None, 0),
+    "error": (False, "execution_error", 1),
+    "cancelled": (False, "cancelled", 130),
+}
+
+
+def _emit_terminal(renderer, payload: dict, *, command: str, where: str | None = None) -> None:
+    """Emit a job's terminal envelope with ok/exit derived from its status.
+
+    completed -> ok:true exit 0; error -> ok:false exit 1; cancelled -> exit 130.
+    Unknown statuses default to ok:true exit 0 (non-terminal/best-effort).
+    """
+    status = str(payload.get("status") or "unknown")
+    ok, code, exit_code = _TERMINAL_VERDICT.get(status, (True, None, 0))
+    if ok:
+        renderer.emit(payload, command=command, where=where)
+        return
+    err = payload.get("error")
+    raw = err.get("message") if isinstance(err, dict) and err.get("message") else None
+    if not raw:
+        # Cloud snapshots (_cloud_status_snapshot) carry the failure text at
+        # top-level `error_message`; the local WS path carries the decoded
+        # execution_error event dict under `details`.
+        raw = payload.get("error_message") or payload.get("details")
+    message = raw if isinstance(raw, str) else None
+    hint = None
+    if status == "error":
+        verdict = execution_errors.classify(raw)
+        code, message, hint = verdict["code"], verdict["message"], verdict["hint"]
+        # The raw server text repeats the full traceback; keep the envelope to
+        # the one-line cause + structured tail and leave the full record to
+        # `jobs status`.
+        if payload.get("error_message"):
+            payload["error_message"] = verdict["message"]
+        if isinstance(payload.get("details"), dict) and "traceback" in payload["details"]:
+            payload["details"] = verdict["details"]
+        if isinstance(err, dict):
+            payload["error"] = {**err, "code": code, "message": verdict["message"], "details": verdict["details"]}
+    renderer.error(
+        code=code or "execution_error",
+        message=message or f"job {payload.get('prompt_id')} ended in status {status!r}",
+        hint=hint,
+        details=payload,
+        exit_code=exit_code,
+        command=command,
+    )
+    raise typer.Exit(code=exit_code)
+
+
+# ---------------------------------------------------------------------------
+# `jobs ls` — combine /queue + /history
+# ---------------------------------------------------------------------------
+
+
+@dataclass(frozen=True)
+class JobRow:
+    prompt_id: str
+    status: str  # "running" | "pending" | "completed" | "error" | "cancelled" | "allocated" | "executing"
+    queue_position: int | None
+    elapsed_seconds: float | None
+    workflow_size: int | None  # number of nodes
+    outputs: int
+    where: str = "local"  # "local" | "cloud"
+    workflow_path: str | None = None  # set when sourced from a state file
+    updated_at: str | None = None  # ISO timestamp, set for state-file rows
+
+
+def _gather_local_state_files(*, limit: int, orphaned_only: bool = False) -> list[JobRow]:
+    """Read every state file in the jobs state dir → JobRow.
+
+    This is the canonical "what did *I* submit via this CLI" view —
+    independent of whether the server is reachable. Surfaces async submits
+    that the user otherwise wouldn't see in `jobs ls`.
+
+    When ``orphaned_only`` is True, return only rows whose state file
+    has ``error.code == "watcher_crashed"`` — jobs where the
+    background watcher died and was reaped. Useful for cleanup.
+    """
+    import re as _re
+
+    from comfy_cli import jobs_state
+
+    # Reasonable prompt_ids are alphanumeric + dashes + underscores (UUIDs,
+    # short hex IDs). Anything wilder (e.g. legacy MagicMock leak from tests)
+    # is filtered so ``jobs ls`` stays clean.
+    _SANE_ID = _re.compile(r"^[A-Za-z0-9_-]{1,128}$")
+    rows: list[JobRow] = []
+    state_dir = jobs_state.state_dir()
+    for path in sorted(state_dir.glob("*.json"), key=lambda p: p.stat().st_mtime, reverse=True):
+        if not _SANE_ID.match(path.stem):
+            continue
+        state = jobs_state.read(path.stem)
+        if state is None:
+            continue
+        # Reap stale watchers: if the job is non-terminal and the watcher
+        # PID is recorded but dead, mark the job as errored so it doesn't
+        # sit as "running" forever.
+        if (
+            not state.is_terminal
+            and state.watcher_pid is not None
+            and state.watcher_pid > 0
+            and not _is_pid_alive(state.watcher_pid)
+        ):
+            state.status = "error"
+            state.error = {
+                "code": "watcher_crashed",
+                "message": f"Background watcher (pid {state.watcher_pid}) is no longer running.",
+                "hint": "re-submit the workflow, or check `comfy jobs status <id>` against the server",
+            }
+            state.watcher_pid = None
+            jobs_state.write(state)
+        if orphaned_only:
+            err = state.error or {}
+            if not (isinstance(err, dict) and err.get("code") == "watcher_crashed"):
+                continue
+        rows.append(
+            JobRow(
+                prompt_id=state.prompt_id,
+                status=state.status,
+                queue_position=None,
+                elapsed_seconds=None,
+                workflow_size=None,
+                outputs=len(state.outputs or []),
+                where=state.where,
+                workflow_path=state.workflow,
+                updated_at=state.updated_at,
+            )
+        )
+        if len(rows) >= limit:
+            break
+    return rows
+
+
+def _parse_epoch(ts: str | None) -> float:
+    """Parse an ISO ``updated_at`` to epoch seconds; 0.0 if missing/unparseable."""
+    if not ts:
+        return 0.0
+    try:
+        return datetime.fromisoformat(ts).timestamp()
+    except (ValueError, TypeError):
+        return 0.0
+
+
+def _merge_jobs(state_rows: list[JobRow], server_rows: list[JobRow]) -> list[JobRow]:
+    """Server's view wins for prompts it knows about (fresher status); state
+    files fill in everything else (jobs the server doesn't see, e.g. cloud
+    jobs viewed from a local-only `jobs ls`).
+    """
+    by_id: dict[str, JobRow] = {r.prompt_id: r for r in state_rows}
+    for r in server_rows:
+        by_id[r.prompt_id] = r
+
+    # Sort: non-terminal first (running/pending/allocated/executing), then
+    # terminal ones by updated_at desc (freshest completions first, so the
+    # caller's slice keeps the newest results).
+    def sort_key(r: JobRow) -> tuple[int, float | str]:
+        terminal = r.status in {"completed", "error", "cancelled"}
+        if terminal:
+            return (1, -_parse_epoch(r.updated_at))
+        return (0, "" if not r.updated_at else r.updated_at)
+
+    return sorted(by_id.values(), key=sort_key, reverse=False)
+
+
+def _gather_jobs(host: str, port: int, *, limit: int) -> list[JobRow]:
+    """Pull running + pending + recent history; merge into a single ordered list."""
+    rows: list[JobRow] = []
+    try:
+        queue = _http_get_json(f"http://{host}:{port}/queue")
+    except RuntimeError:
+        queue = {"queue_running": [], "queue_pending": []}
+
+    for i, entry in enumerate(queue.get("queue_running") or []):
+        prompt_id, wf = _safe_queue_entry(entry)
+        rows.append(
+            JobRow(
+                prompt_id=prompt_id,
+                status="running",
+                queue_position=None,
+                elapsed_seconds=None,
+                workflow_size=len(wf) if isinstance(wf, dict) else None,
+                outputs=0,
+            )
+        )
+    for i, entry in enumerate(queue.get("queue_pending") or []):
+        prompt_id, wf = _safe_queue_entry(entry)
+        rows.append(
+            JobRow(
+                prompt_id=prompt_id,
+                status="pending",
+                queue_position=i + 1,
+                elapsed_seconds=None,
+                workflow_size=len(wf) if isinstance(wf, dict) else None,
+                outputs=0,
+            )
+        )
+
+    try:
+        history = _http_get_json(f"http://{host}:{port}/history")
+    except RuntimeError:
+        history = {}
+    if not isinstance(history, dict):
+        history = {}
+
+    history_items = list(history.items())
+    # /history is keyed by prompt_id; values include prompt + outputs. Order
+    # isn't documented but recent entries are typically last — pull the tail.
+    history_items = history_items[-limit:]
+    for prompt_id, body in reversed(history_items):
+        if not isinstance(body, dict):
+            continue
+        status_obj = body.get("status") or {}
+        completed = status_obj.get("completed")
+        # error: status_str == "error" OR any message of type execution_error
+        status_str = "completed" if completed else "error"
+        messages = status_obj.get("messages") or []
+        for msg in messages:
+            if isinstance(msg, list) and msg and msg[0] == "execution_error":
+                status_str = "error"
+                break
+        outputs = body.get("outputs") or {}
+        output_count = sum(
+            len(items)
+            for v in outputs.values()
+            if isinstance(v, dict)
+            for key in ("images", "gifs", "videos", "audio", "files")
+            for items in [v.get(key) or []]
+            if isinstance(items, list)
+        )
+        wf = body.get("prompt") or [None, None, None, None]
+        wf_dict = wf[2] if isinstance(wf, list) and len(wf) > 2 else None
+        rows.append(
+            JobRow(
+                prompt_id=str(prompt_id),
+                status=status_str,
+                queue_position=None,
+                elapsed_seconds=None,
+                workflow_size=len(wf_dict) if isinstance(wf_dict, dict) else None,
+                outputs=output_count,
+            )
+        )
+    return rows
+
+
+def _safe_queue_entry(entry: Any) -> tuple[str, Any]:
+    """ComfyUI /queue rows are [<num>, <prompt_id>, <prompt_dict>, ...]."""
+    if isinstance(entry, list) and len(entry) >= 3:
+        return str(entry[1]), entry[2]
+    return ("?", None)
+
+
+@app.command("ls", help="List jobs: locally-tracked async submits + server queue/history.")
+@tracking.track_command("jobs")
+def ls_cmd(
+    host: Annotated[str | None, typer.Option(help="Server host (defaults to background or 127.0.0.1).")] = None,
+    port: Annotated[int | None, typer.Option(help="Server port (defaults to background or 8188).")] = None,
+    limit: Annotated[int, typer.Option(help="How many history entries to include.")] = 10,
+    where: Annotated[
+        str | None,
+        typer.Option("--where", help="'local' (default) or 'cloud'. Cloud requires `comfy auth login`."),
+    ] = None,
+    local_only: Annotated[
+        bool,
+        typer.Option(
+            "--local-only",
+            show_default=False,
+            help="Only read the on-disk state files; skip the server query. Useful when offline.",
+        ),
+    ] = False,
+    orphaned: Annotated[
+        bool,
+        typer.Option(
+            "--orphaned",
+            show_default=False,
+            help=(
+                "Show only jobs whose background watcher died (error.code == "
+                "watcher_crashed). Implies --local-only because the server "
+                "doesn't track watcher liveness."
+            ),
+        ),
+    ] = False,
+    watch: Annotated[
+        bool,
+        typer.Option(
+            "--watch",
+            show_default=False,
+            help="Live-refresh the table every 2s (pretty mode only). Ctrl-C to exit.",
+        ),
+    ] = False,
+):
+    renderer = get_renderer()
+
+    if watch:
+        if not renderer.is_pretty():
+            renderer.error(
+                code="json_incompatible",
+                message="--watch requires pretty mode (TTY). For JSON, poll with a shell loop.",
+                hint="drop --json, or run `while true; do comfy --json jobs ls; sleep 2; done`",
+            )
+            raise typer.Exit(code=1)
+        _watch_ls(host=host, port=port, limit=limit, where=where, local_only=local_only)
+        return
+
+    state_rows = _gather_local_state_files(limit=limit, orphaned_only=orphaned)
+
+    # --orphaned only makes sense for state files (the server doesn't know
+    # whether a watcher crashed), so skip the server query in that mode.
+    if orphaned:
+        local_only = True
+
+    server_rows: list[JobRow] = []
+    h, p = _resolve_host_port(host, port)
+    if not local_only:
+        if _is_cloud(where):
+            try:
+                _cloud_preflight_or_exit()
+                client = _cloud_client()
+                server_rows = [_cloud_job_to_row(j) for j in client.list_jobs(limit=limit)]
+            except typer.Exit:
+                # Preflight surfaced an error envelope already. Fall through
+                # to state-only view; the local files are still useful.
+                pass
+        else:
+            try:
+                _server_or_error(h, p, raise_on_missing=False)
+                server_rows = _gather_jobs(h, p, limit=limit)
+            except RuntimeError:
+                # Server unreachable — that's fine, state files cover us.
+                pass
+
+    rows = _merge_jobs(state_rows, server_rows)[:limit]
+
+    if renderer.is_pretty():
+        _render_jobs_pretty(rows, host=h if not _is_cloud(where) else "cloud.comfy.org", port=p)
+    renderer.emit(
+        {
+            "host": h,
+            "port": p,
+            "where": "cloud" if _is_cloud(where) else "local",
+            "count": len(rows),
+            "jobs": [_row_to_dict(r) for r in rows],
+        },
+        command="jobs ls",
+    )
+
+
+def _watch_ls(*, host, port, limit, where, local_only):
+    """Rich Live refresh of the jobs table every 2s until Ctrl-C."""
+    import time
+
+    from rich.live import Live
+    from rich.table import Table
+
+    from comfy_cli.output.glyphs import status_glyph
+
+    renderer = get_renderer()
+    console = renderer.console()
+    h, p = _resolve_host_port(host, port)
+
+    def build_table() -> Table:
+        state_rows = _gather_local_state_files(limit=limit)
+        server_rows: list[JobRow] = []
+        if not local_only:
+            try:
+                if _is_cloud(where):
+                    client = _cloud_client()
+                    server_rows = [_cloud_job_to_row(j) for j in client.list_jobs(limit=limit)]
+                else:
+                    server_rows = _gather_jobs(h, p, limit=limit)
+            except (RuntimeError, Exception):  # noqa: BLE001 — best effort, keep refreshing
+                pass
+        rows = _merge_jobs(state_rows, server_rows)[:limit]
+
+        title_loc = "cloud.comfy.org" if _is_cloud(where) else f"{h}:{p}"
+        tbl = Table(
+            title=f"Jobs ({title_loc}) — refreshing every 2s · Ctrl-C to exit",
+            show_header=True,
+            header_style="bold magenta",
+            border_style="cyan",
+            pad_edge=False,
+        )
+        tbl.add_column("prompt_id", style="bold white", no_wrap=True, overflow="fold")
+        tbl.add_column("status", no_wrap=True)
+        tbl.add_column("where", style="dim", no_wrap=True)
+        tbl.add_column("outputs", no_wrap=True, justify="right")
+        tbl.add_column("workflow", style="dim", overflow="fold")
+        for r in rows:
+            wf_display = ""
+            if r.workflow_path:
+                from pathlib import Path
+
+                wf_display = Path(r.workflow_path).name
+            tbl.add_row(
+                r.prompt_id[:8] + "…" if len(r.prompt_id) > 8 else r.prompt_id,
+                status_glyph(r.status),
+                r.where,
+                str(r.outputs) if r.outputs else "—",
+                wf_display,
+            )
+        if not rows:
+            tbl.add_row("[dim]no jobs[/dim]", "", "", "", "")
+        return tbl
+
+    try:
+        with Live(build_table(), console=console, refresh_per_second=2) as live:
+            while True:
+                time.sleep(2)
+                live.update(build_table())
+    except KeyboardInterrupt:
+        # Clean exit — Rich Live tears down automatically.
+        return
+
+
+def _row_to_dict(r: JobRow) -> dict:
+    return {
+        "prompt_id": r.prompt_id,
+        "status": r.status,
+        "queue_position": r.queue_position,
+        "workflow_size": r.workflow_size,
+        "outputs": r.outputs,
+        "where": r.where,
+        "workflow_path": r.workflow_path,
+        "updated_at": r.updated_at,
+    }
+
+
+def _render_jobs_pretty(rows: list[JobRow], *, host: str, port: int) -> None:
+    from rich.table import Table
+
+    from comfy_cli.config_manager import ConfigManager
+    from comfy_cli.output.branding import branded_panel
+    from comfy_cli.output.glyphs import status_glyph
+
+    renderer = get_renderer()
+    is_cloud = str(host).startswith("http") or host == "cloud.comfy.org"
+    where_label = "cloud" if is_cloud else "local"
+    host_label = host if is_cloud else f"{host}:{port}"
+
+    if not rows:
+        empty = "[dim]No jobs.[/dim]\n[dim]→ comfy run --workflow X.json[/dim]"
+        renderer.console().print(
+            branded_panel(
+                empty,
+                title="jobs",
+                version=ConfigManager().get_cli_version(),
+                where=where_label,
+                host=host_label,
+            )
+        )
+        return
+
+    tbl = Table(
+        show_header=True,
+        header_style="bold magenta",
+        border_style="dim",
+        pad_edge=False,
+        expand=True,
+    )
+    tbl.add_column("prompt_id", style="bold white", no_wrap=True, overflow="fold")
+    tbl.add_column("status", no_wrap=True)
+    tbl.add_column("queue", no_wrap=True, justify="right")
+    tbl.add_column("nodes", no_wrap=True, justify="right")
+    tbl.add_column("outputs", no_wrap=True, justify="right")
+    for r in rows:
+        tbl.add_row(
+            r.prompt_id[:8] + "…" if len(r.prompt_id) > 8 else r.prompt_id,
+            status_glyph(r.status),
+            str(r.queue_position) if r.queue_position is not None else "—",
+            str(r.workflow_size) if r.workflow_size is not None else "—",
+            str(r.outputs) if r.outputs else "—",
+        )
+
+    renderer.console().print(
+        branded_panel(
+            tbl,
+            title="jobs",
+            version=ConfigManager().get_cli_version(),
+            where=where_label,
+            host=host_label,
+        )
+    )
+
+
+# ---------------------------------------------------------------------------
+# `jobs status` — single prompt_id from /history (or /queue if still in flight)
+# ---------------------------------------------------------------------------
+
+
+@app.command("status", help="Show the status of a single prompt_id (local or --where cloud).")
+@tracking.track_command("jobs")
+def status_cmd(
+    prompt_id: Annotated[str, typer.Argument(help="The prompt_id returned by `comfy run`.")],
+    host: Annotated[str | None, typer.Option()] = None,
+    port: Annotated[int | None, typer.Option()] = None,
+    where: Annotated[
+        str | None,
+        typer.Option("--where", help="'local' (default) or 'cloud'."),
+    ] = None,
+):
+    renderer = get_renderer()
+    if _is_cloud(where):
+        return _cloud_status(prompt_id)
+
+    h, p = _resolve_host_port(host, port)
+    _server_or_error(h, p)
+
+    snapshot = _snapshot(h, p, prompt_id)
+    if snapshot is None:
+        renderer.error(
+            code="prompt_not_found",
+            message=f"No prompt with id {prompt_id!r} on {h}:{p}.",
+            hint="check `comfy jobs ls`; very old prompts may have been pruned from /history",
+            details={"prompt_id": prompt_id, "host": h, "port": p},
+        )
+        raise typer.Exit(code=1)
+
+    if renderer.is_pretty():
+        _render_status_pretty(snapshot, host=h, port=p)
+    renderer.emit(snapshot, command="jobs status")
+
+
+def _snapshot(host: str, port: int, prompt_id: str) -> dict | None:
+    # First: is it in the queue?
+    try:
+        q = _http_get_json(f"http://{host}:{port}/queue")
+    except RuntimeError:
+        q = {}
+    for state, key in (("running", "queue_running"), ("pending", "queue_pending")):
+        for entry in q.get(key) or []:
+            pid, wf = _safe_queue_entry(entry)
+            if pid == prompt_id:
+                return {
+                    "prompt_id": prompt_id,
+                    "status": state,
+                    "workflow_size": len(wf) if isinstance(wf, dict) else None,
+                    "outputs": [],
+                    "outputs_by_node": {},
+                    "outputs_by_item": {},
+                    "host": host,
+                    "port": port,
+                }
+
+    # Then: history.
+    try:
+        h = _http_get_json(f"http://{host}:{port}/history/{prompt_id}")
+    except RuntimeError:
+        return None
+    if not isinstance(h, dict) or prompt_id not in h:
+        return None
+    body = h[prompt_id]
+    if not isinstance(body, dict):
+        return None
+    status_obj = body.get("status") or {}
+    completed = bool(status_obj.get("completed"))
+    error_detail = None
+    interrupted = False
+    for msg in status_obj.get("messages") or []:
+        if isinstance(msg, list) and msg:
+            if msg[0] == "execution_error":
+                error_detail = msg[1] if len(msg) > 1 else None
+            elif msg[0] == "execution_interrupted":
+                interrupted = True
+    # Flatten the node-keyed /history outputs into URL entries that keep
+    # their producing-node association — same flatten the cloud snapshot
+    # uses, so the grouped keys match the cloud envelope shape exactly.
+    from comfy_cli import jobs_state
+    from comfy_cli.comfy_client import _group_outputs, extract_output_entries
+
+    node_outputs: list[dict] = []
+    for entry in extract_output_entries(body):
+        q = urllib.parse.urlencode({k: entry[k] for k in ("filename", "subfolder", "type")})
+        node_outputs.append({**entry, "url": f"http://{host}:{port}/view?{q}"})
+    output_urls = [o["url"] for o in node_outputs]
+    # The compose item_map (foreach item -> node ids) lives on the job state
+    # file, written at submit time by `comfy run`.
+    try:
+        job = jobs_state.read(prompt_id)
+    except ValueError:  # unsafe prompt_id — no state file to join against
+        job = None
+    item_map = job.item_map if job is not None else None
+    outputs_by_node, outputs_by_item = _group_outputs(node_outputs, item_map)
+
+    return {
+        "prompt_id": prompt_id,
+        "status": ("error" if error_detail else "completed" if completed else "cancelled" if interrupted else "queued"),
+        "workflow_size": None,
+        "outputs": output_urls,
+        "outputs_by_node": outputs_by_node,
+        "outputs_by_item": outputs_by_item,
+        "error": error_detail,
+        "host": host,
+        "port": port,
+    }
+
+
+def _render_status_pretty(snap: dict, *, host: str, port: int) -> None:
+    from rich.console import Group
+    from rich.panel import Panel
+    from rich.table import Table
+    from rich.text import Text
+
+    renderer = get_renderer()
+    status = snap["status"]
+    badge = {
+        "running": Text.assemble(("● ", "bold green"), ("running", "bold green")),
+        "pending": Text.assemble(("◌ ", "bold yellow"), ("pending", "bold yellow")),
+        "completed": Text.assemble(("✓ ", "bold green"), ("completed", "bold green")),
+        "queued": Text.assemble(("◌ ", "dim"), ("queued", "dim")),
+        "error": Text.assemble(("✗ ", "bold red"), ("error", "bold red")),
+    }.get(status, Text(status))
+
+    tbl = Table.grid(padding=(0, 2), expand=False)
+    tbl.add_column(justify="right", style="dim", no_wrap=True)
+    tbl.add_column(overflow="fold")
+    tbl.add_row("prompt_id", snap["prompt_id"])
+    tbl.add_row("status", badge)
+    if snap.get("outputs"):
+        tbl.add_row("outputs", "\n".join(snap["outputs"]))
+    if snap.get("error"):
+        tbl.add_row("error", str(snap["error"])[:600])
+
+    renderer.console().print(
+        Panel(
+            Group(tbl),
+            title=Text(f"job on {host}:{port}", style="bold cyan"),
+            title_align="left",
+            border_style="cyan",
+            padding=(0, 1),
+        )
+    )
+
+
+# ---------------------------------------------------------------------------
+# `jobs cancel` — stop a running or pending prompt, locally or on cloud
+# ---------------------------------------------------------------------------
+
+
+@app.command(
+    "cancel",
+    help="Cancel a job. Idempotent — calling on an already-terminal prompt returns ok.",
+)
+@tracking.track_command("jobs")
+def cancel_cmd(
+    prompt_id: Annotated[str, typer.Argument(help="The prompt_id to cancel.")],
+    host: Annotated[str | None, typer.Option()] = None,
+    port: Annotated[int | None, typer.Option()] = None,
+    where: Annotated[
+        str | None,
+        typer.Option("--where", help="'local' (default) or 'cloud'."),
+    ] = None,
+):
+    if _is_cloud(where):
+        return _cloud_cancel(prompt_id)
+    h, p = _resolve_host_port(host, port)
+    _server_or_error(h, p)
+    return _local_cancel(prompt_id, h, p)
+
+
+def _local_cancel(prompt_id: str, host: str, port: int) -> None:
+    """Cancel a local prompt by removing it from the pending queue AND
+    interrupting any in-flight execution. ComfyUI splits these into two
+    endpoints; we hit both so the call works regardless of phase.
+
+    Returns 200 (ok) regardless of whether the prompt was actually
+    queued/running — mirrors cloud's idempotent behavior.
+    """
+    renderer = get_renderer()
+    base = f"http://{host}:{port}"
+
+    # 1. Remove from the pending queue (no-op if not pending).
+    queue_body = json.dumps({"delete": [prompt_id]}).encode("utf-8")
+    queue_req = urllib.request.Request(
+        f"{base}/queue", data=queue_body, method="POST", headers={"Content-Type": "application/json"}
+    )
+    queue_ok = True
+    try:
+        with urllib.request.urlopen(queue_req, timeout=10) as resp:
+            _ = resp.read()
+    except (urllib.error.HTTPError, urllib.error.URLError, OSError):
+        # Server refused the delete; common when the prompt isn't in queue.
+        # Don't fail the whole command — try the interrupt next.
+        queue_ok = False
+
+    # 2. Interrupt only if THIS prompt is the one currently executing.
+    #    /interrupt takes NO prompt_id — it kills whatever is running — so
+    #    blindly posting it after a pending-job delete would also abort an
+    #    unrelated running job ("cancel B" silently cancelling A). Gate on
+    #    /queue's queue_running list; the queue delete above already covers
+    #    pending jobs.
+    interrupt_ok = True
+    try:
+        queue = _http_get_json(f"{base}/queue")
+        queue_reachable = True
+    except RuntimeError:
+        queue = {}
+        queue_reachable = False
+    running_ids = {str(_safe_queue_entry(entry)[0]) for entry in (queue.get("queue_running") or [])}
+    if prompt_id in running_ids:
+        interrupt_req = urllib.request.Request(f"{base}/interrupt", method="POST")
+        try:
+            with urllib.request.urlopen(interrupt_req, timeout=10) as resp:
+                _ = resp.read()
+        except (urllib.error.HTTPError, urllib.error.URLError, OSError):
+            interrupt_ok = False
+
+    if not queue_ok and not queue_reachable:
+        renderer.error(
+            code="cancel_failed",
+            message=f"both /queue delete and /queue status failed on {host}:{port}",
+            hint="check the server is still reachable",
+            details={"host": host, "port": port, "prompt_id": prompt_id},
+        )
+        raise typer.Exit(code=1)
+
+    payload = {
+        "prompt_id": prompt_id,
+        "where": "local",
+        "host": host,
+        "port": port,
+        "queue_delete_ok": queue_ok,
+        "interrupt_ok": interrupt_ok,
+    }
+    from comfy_cli import jobs_state
+
+    existing = jobs_state.read(prompt_id)
+    if existing is not None:
+        existing.status = "cancelled"
+        jobs_state.write(existing)
+
+    if renderer.is_pretty():
+        from rich.text import Text
+
+        msg = Text.from_markup(f"  [bold green]✓[/bold green]  cancel sent for [cyan]{prompt_id[:8]}…[/cyan]")
+        renderer.console().print(msg)
+    renderer.emit(payload, command="jobs cancel")
+
+
+def _cloud_cancel(prompt_id: str) -> None:
+    """Cancel a cloud job via ``POST /api/jobs/<id>/cancel`` — idempotent."""
+    _cloud_preflight_or_exit()
+    renderer = get_renderer()
+
+    from comfy_cli.target import resolve_target
+
+    target = resolve_target(where="cloud")
+    # Quote prompt_id into the path segment so a hostile/malformed value can't
+    # escape (e.g. ``../foo`` → ``%2E%2E%2Ffoo``). Cloud rejects bad UUIDs
+    # upstream too; encoding here is defense in depth.
+    url = target.url("jobs", urllib.parse.quote(prompt_id, safe=""), "cancel")
+    req = urllib.request.Request(url, data=b"", method="POST")
+    if target.api_key:
+        req.add_header("X-API-Key", target.api_key)
+    elif target.auth_token:
+        req.add_header("Authorization", f"Bearer {target.auth_token}")
+
+    try:
+        with urllib.request.urlopen(req, timeout=15) as resp:
+            body = resp.read()
+    except urllib.error.HTTPError as e:
+        body_text = (e.read() or b"")[:1000].decode("utf-8", "replace")
+        if e.code == 404:
+            renderer.error(
+                code="prompt_not_found",
+                message=f"no cloud job with id {prompt_id!r}",
+                hint="check `comfy jobs ls --where cloud`",
+                details={"prompt_id": prompt_id},
+            )
+        else:
+            renderer.error(
+                code="cloud_http_error",
+                message=f"HTTP {e.code} cancelling {prompt_id}",
+                hint="check auth and that the job exists",
+                details={"status": e.code, "body": body_text, "prompt_id": prompt_id},
+            )
+        raise typer.Exit(code=1) from e
+    except (urllib.error.URLError, OSError) as e:
+        renderer.error(
+            code="cloud_http_error",
+            message=f"cancel failed: {e}",
+            hint="check network / `comfy auth whoami`",
+        )
+        raise typer.Exit(code=1) from e
+
+    parsed: dict | None
+    try:
+        parsed = json.loads(body) if body else None
+    except json.JSONDecodeError:
+        parsed = None
+    payload = {
+        "prompt_id": prompt_id,
+        "where": "cloud",
+        "base_url": target.base_url,
+        "response": parsed if isinstance(parsed, dict) else None,
+    }
+    if renderer.is_pretty():
+        from rich.text import Text
+
+        renderer.console().print(
+            Text.from_markup(f"  [bold green]✓[/bold green]  cancel sent for [cyan]{prompt_id[:8]}…[/cyan]")
+        )
+    renderer.emit(payload, command="jobs cancel", where="cloud")
+
+
+# ---------------------------------------------------------------------------
+# `jobs watch` — tail WS events live, filtered on prompt_id
+# ---------------------------------------------------------------------------
+
+
+@app.command("watch", help="Tail live execution events for a prompt_id (WS local / polling cloud).")
+@tracking.track_command("jobs")
+def watch_cmd(
+    prompt_id: Annotated[str, typer.Argument(help="The prompt_id returned by `comfy run`.")],
+    host: Annotated[str | None, typer.Option()] = None,
+    port: Annotated[int | None, typer.Option()] = None,
+    timeout: Annotated[int, typer.Option(help="Per-recv (or per-poll) timeout in seconds.")] = 30,
+    where: Annotated[
+        str | None,
+        typer.Option("--where", help="'local' (WebSocket) or 'cloud' (HTTP polling)."),
+    ] = None,
+    poll_interval: Annotated[
+        float,
+        typer.Option("--poll-interval", help="Cloud-only: seconds between status polls."),
+    ] = 1.5,
+    max_wait: Annotated[
+        float,
+        typer.Option("--max-wait", help="Cloud-only: give up after this many seconds total."),
+    ] = 600.0,
+):
+    renderer = get_renderer()
+    if _is_cloud(where):
+        return _cloud_watch(prompt_id, poll_interval=poll_interval, max_wait=max_wait)
+
+    h, p = _resolve_host_port(host, port)
+    _server_or_error(h, p)
+
+    # If the job already finished, just print status and return — there will
+    # be no more WS events.
+    snap = _snapshot(h, p, prompt_id)
+    if snap and snap["status"] in {"completed", "error", "cancelled"}:
+        if renderer.is_pretty():
+            renderer.console().print(f"[dim]Prompt {prompt_id} already {snap['status']}; nothing more to watch.[/dim]")
+            _render_status_pretty(snap, host=h, port=p)
+        _emit_terminal(renderer, snap, command="jobs watch")
+        return
+
+    ws = WebSocket()
+    client_id = str(uuid.uuid4())
+    try:
+        ws.connect(f"ws://{h}:{p}/ws?clientId={client_id}")
+    except (WebSocketException, ConnectionError, OSError) as e:
+        renderer.error(
+            code="ws_disconnected",
+            message=f"Could not open WebSocket: {e}",
+            hint="check the server is reachable; try `comfy jobs status` instead",
+        )
+        raise typer.Exit(code=1)
+
+    token = cancellation.get_token()
+    token.on_cancel(lambda: _safe_close_ws(ws))
+
+    ws.settimeout(timeout)
+
+    completed_nodes: set[str] = set()
+    outputs: list[str] = []
+    saw_any_event = False
+    missing_deadline: float | None = None
+    end_reason: str | None = None
+    end_details: Any = None
+    start = time.time()
+
+    if renderer.is_pretty():
+        renderer.console().print(f"[bold]Watching prompt[/bold] {prompt_id} on {h}:{p}   [dim](Ctrl-C to stop)[/dim]")
+
+    try:
+        while True:
+            try:
+                raw = ws.recv()
+            except WebSocketTimeoutException:
+                # If the job moved to completed between recvs, exit cleanly.
+                snap = _snapshot(h, p, prompt_id)
+                if snap and snap["status"] in {"completed", "error", "cancelled"}:
+                    end_reason = snap["status"]
+                    end_details = snap
+                    outputs.extend(snap.get("outputs") or [])
+                    break
+                # Bounded wait for an unknown prompt: if the server has never
+                # heard of this prompt_id (no snapshot) and no events have
+                # arrived, don't loop forever on a typoed/already-pruned id —
+                # mirror the cloud path's deadline and surface prompt_not_found.
+                if snap is None and not saw_any_event:
+                    if missing_deadline is None:
+                        missing_deadline = time.time() + max(timeout, 1)
+                    elif time.time() >= missing_deadline:
+                        # The enclosing `finally` closes the socket.
+                        renderer.error(
+                            code="prompt_not_found",
+                            message=f"prompt {prompt_id} not found on {h}:{p}",
+                            hint="check the prompt_id; it may be a typo or already pruned",
+                            details={"prompt_id": prompt_id, "host": h, "port": p},
+                        )
+                        raise typer.Exit(code=1)
+                else:
+                    missing_deadline = None
+                continue
+            except (WebSocketException, ConnectionError, OSError) as e:
+                # Cancellation closes the socket out from under recv(). Check
+                # the token before classifying as "server disconnected".
+                if token.is_set():
+                    end_reason = "cancelled"
+                    break
+                renderer.error(
+                    code="ws_disconnected",
+                    message=f"Lost connection while watching {prompt_id}: {e}",
+                    hint="re-run `comfy jobs status` to check final state",
+                )
+                raise typer.Exit(code=1) from e
+            if not isinstance(raw, str):
+                continue
+            try:
+                msg = json.loads(raw)
+            except json.JSONDecodeError:
+                continue
+            data = msg.get("data") or {}
+            if data.get("prompt_id") != prompt_id:
+                continue
+            saw_any_event = True
+            t = msg.get("type")
+            if t == "executing":
+                node = data.get("node")
+                if node is None:
+                    end_reason = "completed"
+                    break
+                if renderer.is_pretty():
+                    renderer.console().print(f"[dim]→[/dim] executing node [bold]{node}[/bold]")
+                renderer.event("executing", node=str(node), prompt_id=prompt_id)
+            elif t == "execution_cached":
+                nodes = data.get("nodes") or []
+                for n in nodes:
+                    completed_nodes.add(str(n))
+                if renderer.is_pretty():
+                    renderer.console().print(f"[dim]✓[/dim] cached: {len(nodes)} node(s)")
+                renderer.event(
+                    "execution_cached",
+                    nodes=[str(n) for n in nodes],
+                    prompt_id=prompt_id,
+                )
+            elif t == "progress":
+                renderer.throttled_event(
+                    f"progress:{data.get('node')}",
+                    "progress",
+                    max_hz=10,
+                    node=str(data.get("node")),
+                    completed=data.get("value"),
+                    total=data.get("max"),
+                    prompt_id=prompt_id,
+                )
+            elif t == "executed":
+                node = str(data.get("node"))
+                completed_nodes.add(node)
+                output = data.get("output") or {}
+                for key in ("images", "gifs", "videos", "audio", "files"):
+                    for item in output.get(key) or []:
+                        if isinstance(item, dict) and "filename" in item:
+                            q = urllib.parse.urlencode(
+                                {k: item[k] for k in ("filename", "subfolder", "type") if k in item}
+                            )
+                            url = f"http://{h}:{p}/view?{q}"
+                            outputs.append(url)
+                            if renderer.is_pretty():
+                                renderer.console().print(f"[bold green]✓[/bold green] output: [cyan]{url}[/cyan]")
+                            renderer.event("output", url=url, prompt_id=prompt_id)
+                renderer.event("executed", node=node, prompt_id=prompt_id)
+            elif t == "execution_error":
+                end_reason = "error"
+                end_details = data
+                break
+    finally:
+        _safe_close_ws(ws)
+
+    elapsed = time.time() - start
+    final_status = end_reason or ("completed" if completed_nodes else "unknown")
+    if renderer.is_pretty():
+        from rich.text import Text
+
+        if final_status == "completed":
+            renderer.console().print(
+                Text.assemble(("\n✓ ", "bold green"), ("completed", "bold green"), (f"  in {elapsed:.1f}s", "dim"))
+            )
+        elif final_status == "error":
+            renderer.console().print(Text.assemble(("\n✗ ", "bold red"), ("error", "bold red")))
+        elif final_status == "cancelled":
+            renderer.console().print(Text.assemble(("\n⊘ ", "yellow"), ("cancelled", "yellow")))
+
+    payload = {
+        "prompt_id": prompt_id,
+        "status": final_status,
+        "outputs": outputs,
+        "completed_nodes": sorted(completed_nodes),
+        "elapsed_seconds": elapsed,
+        "host": h,
+        "port": p,
+    }
+    if end_details is not None:
+        payload["details"] = end_details if isinstance(end_details, dict) else {"raw": end_details}
+    if not saw_any_event and final_status == "unknown":
+        payload["hint"] = "watch returned without events; the prompt may already have completed"
+    _emit_terminal(renderer, payload, command="jobs watch")
+
+
+# ---------------------------------------------------------------------------
+# Cloud handlers — /api/jobs, /api/jobs/<id>, /api/history_v2/<id>
+# ---------------------------------------------------------------------------
+
+
+def _is_cloud(where: str | None) -> bool:
+    """Resolve the routing target using the same precedence as the rest of
+    the CLI: per-command ``--where`` flag > ``COMFY_WHERE`` env var >
+    persisted ``where_default`` config > default ``local``.
+
+    Honoring the env var matters because the top-level ``comfy --where
+    cloud`` flag is sugar for ``COMFY_WHERE=cloud``: ``cmdline.py`` sets
+    the env so every subcommand inherits the routing decision without
+    repeating the flag. A previous implementation looked only at the
+    per-command parameter, which silently dropped the top-level flag
+    for ``jobs ls/status/watch``.
+    """
+    from comfy_cli import where as where_module
+    from comfy_cli.config_manager import ConfigManager
+
+    try:
+        config_value = ConfigManager().get(where_module.CONFIG_KEY_WHERE_DEFAULT)
+    except Exception:  # noqa: BLE001 — never let a bad config break routing
+        config_value = None
+    try:
+        decision = where_module.resolve(flag=where, config_value=config_value)
+    except ValueError:
+        # Invalid value — fall back to local; the validating command
+        # (cmdline.py top-level option) will surface ``where_invalid``.
+        return False
+    return decision.target is where_module.WhereTarget.CLOUD
+
+
+def _cloud_preflight_or_exit() -> None:
+    """Surface a clean envelope if the user isn't signed in / is expired."""
+    from comfy_cli.where import cloud_preflight
+
+    err = cloud_preflight()
+    if err is None:
+        return
+    renderer = get_renderer()
+    renderer.error(code=err.code, message=err.message, hint=err.hint, details=err.details)
+    raise typer.Exit(code=1)
+
+
+def _cloud_job_to_row(j: dict) -> JobRow:
+    """Map a /api/jobs entry to our JobRow shape."""
+    status_map = {"completed": "completed", "success": "completed", "failed": "error", "error": "error"}
+    raw_status = (j.get("status") or "").lower()
+    status = status_map.get(raw_status, raw_status or "pending")
+    outputs = int(j.get("outputs_count") or 0)
+    return JobRow(
+        prompt_id=str(j.get("id") or ""),
+        status=status,
+        queue_position=None,
+        elapsed_seconds=None,
+        workflow_size=None,
+        outputs=outputs,
+    )
+
+
+def _cloud_client():
+    """Construct a unified Client targeting cloud. Raises if not signed in.
+
+    Observer commands (status/ls/watch snapshots) must never clear the shared
+    OAuth session on a fatal refresh error: batch workloads run dozens of these
+    concurrently, and one spurious invalid_grant wiping the login mid-run turns
+    a transient hiccup into a hard logout. Session lifecycle belongs to
+    login/logout and the foreground submit path.
+    """
+    from comfy_cli.comfy_client import Client, Unauthenticated
+    from comfy_cli.target import resolve_target
+
+    target = resolve_target(where="cloud")
+    try:
+        return Client(target, clear_session_on_auth_failure=False)
+    except Unauthenticated as e:
+        renderer = get_renderer()
+        renderer.error(code="cloud_unauthorized", message=str(e), hint="run: comfy auth login")
+        raise typer.Exit(code=1) from e
+
+
+def _cloud_ls(*, limit: int) -> None:
+    from comfy_cli.comfy_client import HTTPError
+
+    _cloud_preflight_or_exit()
+    renderer = get_renderer()
+    client = _cloud_client()
+    try:
+        jobs = client.list_jobs(limit=limit)
+    except HTTPError as e:
+        renderer.error(
+            code="cloud_http_error",
+            message=f"Cloud /api/jobs failed (HTTP {e.status}): {e.message}",
+            details={"status": e.status, "body": e.body[:1000]},
+        )
+        raise typer.Exit(code=1)
+
+    rows = [_cloud_job_to_row(j) for j in jobs[:limit]]
+    if renderer.is_pretty():
+        _render_jobs_pretty(rows, host=client.target.base_url, port=0)
+    renderer.emit(
+        {
+            "base_url": client.target.base_url,
+            "count": len(rows),
+            "jobs": [_row_to_dict(r) for r in rows],
+        },
+        command="jobs ls",
+        where="cloud",
+    )
+
+
+def _cloud_status_snapshot(prompt_id: str) -> dict | None:
+    """Compose a cloud snapshot from /api/job/<id>/status + /api/history_v2/<id>."""
+    from comfy_cli import jobs_state
+    from comfy_cli.comfy_client import _group_outputs
+
+    client = _cloud_client()
+    status = client.get_job_status(prompt_id)
+    if status is None:
+        return None
+    raw = (status.get("status") or "").lower()
+    state = {
+        "success": "completed",
+        "completed": "completed",
+        "failed": "error",
+        "error": "error",
+        "non_retryable_error": "error",
+        "lost": "error",
+    }.get(raw, raw or "pending")
+
+    outputs: list[str] = []
+    outputs_by_node: dict[str, list[str]] = {}
+    outputs_by_item: dict[str, list[str]] = {}
+    if state == "completed":
+        record = client.get_history(prompt_id)
+        if record:
+            node_outputs = client.extract_outputs(record)
+            outputs = [o["url"] for o in node_outputs]
+            # The compose item_map (foreach item -> node ids) lives on the
+            # job state file, written at submit time by `comfy run`.
+            job = jobs_state.read(prompt_id)
+            item_map = job.item_map if job is not None else None
+            outputs_by_node, outputs_by_item = _group_outputs(node_outputs, item_map)
+
+    return {
+        "prompt_id": prompt_id,
+        "status": state,
+        "outputs": outputs,
+        "outputs_by_node": outputs_by_node,
+        "outputs_by_item": outputs_by_item,
+        "assigned_inference": status.get("assigned_inference"),
+        "error_message": status.get("error_message"),
+        "created_at": status.get("created_at"),
+        "updated_at": status.get("updated_at"),
+        "base_url": client.target.base_url,
+    }
+
+
+def _cloud_status(prompt_id: str) -> None:
+    _cloud_preflight_or_exit()
+    renderer = get_renderer()
+    snap = _cloud_status_snapshot(prompt_id)
+    if snap is None:
+        renderer.error(
+            code="prompt_not_found",
+            message=f"No cloud prompt with id {prompt_id!r}.",
+            hint="check `comfy jobs ls --where cloud`",
+            details={"prompt_id": prompt_id},
+        )
+        raise typer.Exit(code=1)
+
+    if renderer.is_pretty():
+        from rich.table import Table
+
+        tbl = Table(title=f"Cloud prompt {prompt_id[:8]}…", border_style="cyan", show_header=False)
+        tbl.add_column(style="bold cyan")
+        tbl.add_column()
+        tbl.add_row("status", snap["status"])
+        if snap.get("assigned_inference"):
+            tbl.add_row("inference", snap["assigned_inference"])
+        if snap.get("created_at"):
+            tbl.add_row("created", snap["created_at"])
+        if snap.get("updated_at"):
+            tbl.add_row("updated", snap["updated_at"])
+        if snap.get("error_message"):
+            tbl.add_row("error", snap["error_message"])
+        for u in snap.get("outputs") or []:
+            tbl.add_row("output", u)
+        renderer.console().print(tbl)
+    renderer.emit(snap, command="jobs status", where="cloud")
+
+
+def _cloud_watch(prompt_id: str, *, poll_interval: float, max_wait: float) -> None:
+    """Poll cloud's job status, emit NDJSON events on each transition."""
+    _cloud_preflight_or_exit()
+    renderer = get_renderer()
+    base_url = _cloud_client().target.base_url
+
+    cancel_token = cancellation.get_token()
+    deadline = time.time() + max_wait
+    last_state: str | None = None
+    start = time.time()
+
+    if renderer.is_pretty():
+        renderer.console().print(
+            f"[bold]Watching cloud prompt[/bold] {prompt_id}   [dim]({base_url}, Ctrl-C to stop)[/dim]"
+        )
+
+    final_snap: dict | None = None
+    while not cancel_token.is_set():
+        snap = _cloud_status_snapshot(prompt_id)
+        if snap is None:
+            # Not yet known to the cloud — wait briefly.
+            if time.time() >= deadline:
+                renderer.error(
+                    code="prompt_not_found",
+                    message=f"prompt {prompt_id} not found on cloud after {max_wait}s",
+                    details={"prompt_id": prompt_id, "base_url": base_url},
+                )
+                raise typer.Exit(code=1)
+            time.sleep(min(poll_interval, deadline - time.time()))
+            continue
+
+        if snap["status"] != last_state:
+            last_state = snap["status"]
+            if renderer.is_pretty():
+                renderer.console().print(f"[dim]→[/dim] state [bold]{last_state}[/bold]")
+            renderer.event("state", prompt_id=prompt_id, status=last_state)
+
+        if snap["status"] in {"completed", "error", "cancelled"}:
+            for u in snap.get("outputs") or []:
+                renderer.event("output", url=u, prompt_id=prompt_id)
+                if renderer.is_pretty():
+                    renderer.console().print(f"[bold green]✓[/bold green] output: [cyan]{u}[/cyan]")
+            final_snap = snap
+            break
+
+        if time.time() >= deadline:
+            renderer.error(
+                code="cloud_timeout",
+                message=f"prompt {prompt_id} still {snap['status']} after {max_wait}s",
+                hint="raise --max-wait or re-run with --where cloud",
+                details=snap,
+            )
+            raise typer.Exit(code=1)
+
+        time.sleep(min(poll_interval, deadline - time.time()))
+
+    payload = final_snap or {"prompt_id": prompt_id, "status": "cancelled"}
+    payload["elapsed_seconds"] = time.time() - start
+    _emit_terminal(renderer, payload, command="jobs watch", where="cloud")
+
+
+def _safe_close_ws(ws) -> None:
+    try:
+        ws.close()
+    except Exception:  # noqa: BLE001
+        pass
diff --git a/comfy_cli/command/launch.py b/comfy_cli/command/launch.py
index 07b1c928..0ebebf14 100644
--- a/comfy_cli/command/launch.py
+++ b/comfy_cli/command/launch.py
@@ -8,7 +8,6 @@
 import uuid
 
 import typer
-from rich import print
 from rich.console import Console
 from rich.panel import Panel
 
@@ -16,8 +15,8 @@
 from comfy_cli.command.custom_nodes.cm_cli_util import find_cm_cli, resolve_manager_gui_mode
 from comfy_cli.config_manager import ConfigManager
 from comfy_cli.env_checker import check_comfy_server_running
+from comfy_cli.output import rprint as print  # context-aware print: stderr in JSON mode
 from comfy_cli.resolve_python import resolve_workspace_python
-from comfy_cli.update import check_for_updates
 from comfy_cli.workspace_manager import WorkspaceManager, WorkspaceType
 
 workspace_manager = WorkspaceManager()
@@ -97,12 +96,12 @@ def launch_comfyui(extra, frontend_pr=None, python=sys.executable):
         # If running in background mode without using a popen, broken pipe errors may occur when flushing stdout/stderr.
         def redirector_stderr():
             while True:
-                if process is not None:
+                if process is not None and process.stderr is not None:
                     print(process.stderr.readline(), end="")
 
         def redirector_stdout():
             while True:
-                if process is not None:
+                if process is not None and process.stdout is not None:
                     print(process.stdout.readline(), end="")
 
         threading.Thread(target=redirector_stderr).start()
@@ -151,7 +150,6 @@ def launch(
     extra: list[str] | None = None,
     frontend_pr: str | None = None,
 ):
-    check_for_updates()
     resolved_workspace = workspace_manager.workspace_path
 
     if not resolved_workspace:
@@ -191,7 +189,7 @@ def launch(
 def background_launch(extra, frontend_pr=None):
     config_background = ConfigManager().background
     if config_background is not None and utils.is_running(config_background[2]):
-        console.print(
+        print(
             "[bold red]ComfyUI is already running in background.\nYou cannot start more than one background service.[/bold red]\n"
         )
         raise typer.Exit(code=1)
@@ -212,9 +210,7 @@ def background_launch(extra, frontend_pr=None):
         extra = []
 
     if check_comfy_server_running(port):
-        console.print(
-            f"[bold red]The {port} port is already in use. A new ComfyUI server cannot be launched.\n[bold red]\n"
-        )
+        print(f"[bold red]The {port} port is already in use. A new ComfyUI server cannot be launched.\n[bold red]\n")
         raise typer.Exit(code=1)
 
     cmd = [
@@ -233,7 +229,7 @@ def background_launch(extra, frontend_pr=None):
     log = loop.run_until_complete(launch_and_monitor(cmd, listen, port))
 
     if log is not None:
-        console.print(
+        print(
             Panel(
                 "".join(log),
                 title="[bold red]Error log during ComfyUI execution[/bold red]",
@@ -241,7 +237,7 @@ def background_launch(extra, frontend_pr=None):
             )
         )
 
-    console.print("\n[bold red]Execution error: failed to launch ComfyUI[/bold red]\n")
+    print("\n[bold red]Execution error: failed to launch ComfyUI[/bold red]\n")
     # NOTE: os.exit(0) doesn't work
     os._exit(1)
 
diff --git a/comfy_cli/command/models/models.py b/comfy_cli/command/models/models.py
index 2f02aadd..a654a18e 100644
--- a/comfy_cli/command/models/models.py
+++ b/comfy_cli/command/models/models.py
@@ -7,13 +7,13 @@
 
 import requests
 import typer
-from rich import print
 from rich.markup import escape
 
 from comfy_cli import constants, tracking, ui
 from comfy_cli.config_manager import ConfigManager
 from comfy_cli.constants import DEFAULT_COMFY_MODEL_PATH
 from comfy_cli.file_utils import DownloadException, check_unauthorized, download_file
+from comfy_cli.output import rprint as print  # context-aware: stderr in JSON mode
 from comfy_cli.workspace_manager import WorkspaceManager
 
 app = typer.Typer()
diff --git a/comfy_cli/command/models/search.py b/comfy_cli/command/models/search.py
new file mode 100644
index 00000000..5424f5ff
--- /dev/null
+++ b/comfy_cli/command/models/search.py
@@ -0,0 +1,602 @@
+"""``comfy models`` — live model discovery against local or cloud.
+
+Four subcommands, all routed by ``--where`` (cloud auto-detect by default):
+
+    comfy models list-folders           # GET /api/experiment/models  | /models
+    comfy models list-folder <folder>   # GET /api/experiment/models/<folder> | /models/<folder>
+    comfy models search [--text] [--type] [--limit]  # cloud: /api/assets; local: /models/<folder>
+    comfy models show <name>            # exact-match name across the catalog
+
+The search surface mirrors the asset→model extraction used by Comfy-Org's
+cloud tooling: prefer ``user_metadata`` over ``metadata`` for any given key,
+treat ``tags`` as the canonical type/role signal, and surface the
+densely-populated fields (``source_url``, ``preview_url``, ``size``) as
+first-class result columns. Sparse fields (``base_model``, ``trained_words``)
+ride along when present.
+
+Local-mode caveats:
+  * ``/models/<folder>`` returns ``[{name, pathIndex}, ...]`` — filenames only,
+    no enrichment. ``search`` on local degrades to substring on the listing
+    of the resolved folder.
+  * The cloud asset catalog (``/api/assets``) has no local equivalent —
+    local search is intentionally simpler.
+"""
+
+from __future__ import annotations
+
+import json
+import re
+import urllib.error
+import urllib.parse
+import urllib.request
+from typing import Annotated, Any
+
+import typer
+
+from comfy_cli import tracking
+from comfy_cli.output import get_renderer, rprint
+
+app = typer.Typer(no_args_is_help=True, help="Discover models — folders, files, and the cloud asset catalog.")
+
+# Cap response reads from cloud/local. The largest legitimate response we see
+# in practice is `/api/object_info` (~9 MB on cloud), but the model endpoints
+# are far smaller. 64 MiB is generous headroom; anything beyond this is either
+# a misconfigured backend or hostile and would only serve to OOM the CLI.
+_MAX_RESPONSE_BYTES = 64 * 1024 * 1024
+
+# Folder + asset-name arguments are interpolated into URL paths or query
+# strings. We disallow path-traversal sequences and control characters so a
+# crafted argument can't escape the intended endpoint. The set of legitimate
+# folder names (loras, checkpoints, …) is alphanumeric + ``_``/`-`/`.`; the
+# regex below is permissive enough for real-world filenames while rejecting
+# the obvious attack shapes.
+_PATH_SAFE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.\-]*$")
+
+
+def _reject_unsafe_path_segment(value: str, *, kind: str, renderer) -> None:
+    """Exit with an `invalid_argument` error if ``value`` isn't safe as a path segment."""
+    if not value or ".." in value or "/" in value or "\\" in value or not _PATH_SAFE.match(value):
+        renderer.error(
+            code="invalid_argument",
+            message=f"{kind} {value!r} contains characters that aren't allowed in a path segment",
+            hint=f"valid {kind} names are alphanumeric with `_`, `-`, or `.`",
+        )
+        raise typer.Exit(code=1)
+
+
+# Maps a friendly --type to the folder used on both backends.
+_TYPE_TO_FOLDER = {
+    "checkpoint": "checkpoints",
+    "checkpoints": "checkpoints",
+    "lora": "loras",
+    "loras": "loras",
+    "vae": "vae",
+    "controlnet": "controlnet",
+    "upscale": "upscale_models",
+    "upscale_models": "upscale_models",
+    "clip": "clip",
+    "clip_vision": "clip_vision",
+    "unet": "diffusion_models",
+    "diffusion": "diffusion_models",
+    "diffusion_models": "diffusion_models",
+    "style": "style_models",
+    "style_models": "style_models",
+    "embeddings": "embeddings",
+    "hypernetworks": "hypernetworks",
+    "gligen": "gligen",
+}
+# Unknown values pass through verbatim — the backend rejects bad folder
+# names with 404, which the caller surfaces as `folder_not_found`.
+
+
+def _models_path_parts(target) -> tuple[str, ...]:
+    """Return the URL path parts for the model-listing endpoints.
+
+    Cloud uses the ``/api/experiment/models`` family (the legacy ``/api/models``
+    explicitly 404s by design). Local stays on ``/models``.
+    """
+    return ("experiment", "models") if target.is_cloud else ("models",)
+
+
+def _authed_request(url: str, target) -> urllib.request.Request:
+    req = urllib.request.Request(url)
+    if target.api_key:
+        req.add_header("X-API-Key", target.api_key)
+    elif target.auth_token:
+        req.add_header("Authorization", f"Bearer {target.auth_token}")
+    return req
+
+
+def _http_get_json(url: str, target, timeout: float = 30.0) -> Any:
+    """Issue an authenticated GET and decode JSON. Raises urllib/JSON errors verbatim.
+
+    Response body is capped at ``_MAX_RESPONSE_BYTES`` to bound memory use on a
+    misbehaving server. A ``ValueError`` is raised if the cap is exceeded.
+    """
+    req = _authed_request(url, target)
+    with urllib.request.urlopen(req, timeout=timeout) as resp:
+        # ``read(N)`` returns up to N bytes; reading N+1 lets us distinguish
+        # "fits exactly" from "exceeds cap" without buffering the whole stream
+        # twice on the happy path.
+        body = resp.read(_MAX_RESPONSE_BYTES + 1)
+        if len(body) > _MAX_RESPONSE_BYTES:
+            raise ValueError(f"response from {url} exceeds {_MAX_RESPONSE_BYTES} byte cap")
+        return json.loads(body)
+
+
+# ---------------------------------------------------------------------------
+# list-folders / list-folder — runtime introspection
+# ---------------------------------------------------------------------------
+
+
+@app.command(
+    "list-folders",
+    help="List model folders available to the resolved backend (cloud: /api/experiment/models, local: /models).",
+)
+@tracking.track_command("models")
+def list_folders_cmd(
+    where: Annotated[
+        str | None,
+        typer.Option("--where", show_default=False, help="Override the resolved routing mode."),
+    ] = None,
+):
+    from comfy_cli.target import resolve_target
+
+    renderer = get_renderer()
+    target = resolve_target(where=where)
+    url = target.url(*_models_path_parts(target))
+
+    try:
+        data = _http_get_json(url, target)
+    except urllib.error.HTTPError as e:
+        renderer.error(
+            code="cloud_http_error" if target.is_cloud else "server_not_running",
+            message=f"HTTP {e.code} from {url}",
+            hint="run `comfy auth whoami` to verify auth"
+            if target.is_cloud
+            else "run `comfy launch` to start a local server",
+            details={"status": e.code, "body": (e.read() or b"")[:1000].decode("utf-8", "replace")},
+        )
+        raise typer.Exit(code=1) from e
+    except (urllib.error.URLError, OSError, json.JSONDecodeError) as e:
+        renderer.error(
+            code="server_not_running" if not target.is_cloud else "cloud_http_error",
+            message=f"failed to fetch {url}: {e}",
+            hint="check `--where` and network connectivity",
+        )
+        raise typer.Exit(code=1) from e
+
+    # Cloud returns [{folders: [...], name: ...}, ...]; local returns a flat list of folder names.
+    # Normalize both into [{name, subfolders}] so the envelope shape is identical.
+    rows: list[dict[str, Any]] = []
+    if isinstance(data, list):
+        for entry in data:
+            if isinstance(entry, dict):
+                rows.append({"name": entry.get("name", ""), "subfolders": list(entry.get("folders") or [])})
+            elif isinstance(entry, str):
+                rows.append({"name": entry, "subfolders": []})
+    payload = {
+        "mode": "cloud" if target.is_cloud else "local",
+        "url": url,
+        "count": len(rows),
+        "folders": rows,
+    }
+
+    if renderer.is_pretty():
+        from rich.table import Table
+
+        tbl = Table(show_header=True, header_style="bold")
+        tbl.add_column("folder")
+        tbl.add_column("subfolders", style="dim")
+        for r in rows[:200]:
+            tbl.add_row(r["name"], ", ".join(r["subfolders"]) if r["subfolders"] else "")
+        renderer.console().print(tbl)
+        rprint(f"[dim]{len(rows)} folders ({payload['mode']})[/dim]")
+    renderer.emit(payload, command="models list-folders")
+
+
+@app.command(
+    "list-folder",
+    help="List model files in a specific folder. Returns name + pathIndex per entry — no enrichment.",
+)
+@tracking.track_command("models")
+def list_folder_cmd(
+    folder: Annotated[str, typer.Argument(help="Folder name (e.g. 'loras', 'checkpoints').")],
+    where: Annotated[
+        str | None,
+        typer.Option("--where", show_default=False, help="Override the resolved routing mode."),
+    ] = None,
+    limit: Annotated[
+        int | None,
+        typer.Option("--limit", show_default=False, help="Cap output to N rows."),
+    ] = None,
+):
+    from comfy_cli.target import resolve_target
+
+    renderer = get_renderer()
+    _reject_unsafe_path_segment(folder, kind="folder", renderer=renderer)
+    target = resolve_target(where=where)
+    url = target.url(*_models_path_parts(target), folder)
+
+    try:
+        data = _http_get_json(url, target)
+    except urllib.error.HTTPError as e:
+        if e.code == 404:
+            renderer.error(
+                code="folder_not_found",
+                message=f"HTTP 404 fetching {url}",
+                hint=f"try `comfy models list-folders --where {'cloud' if target.is_cloud else 'local'}`",
+                details={"status": 404, "folder": folder},
+            )
+        elif target.is_cloud:
+            renderer.error(
+                code="cloud_http_error",
+                message=f"HTTP {e.code} fetching {url}",
+                hint="check auth / connectivity",
+                details={"status": e.code, "folder": folder},
+            )
+        else:
+            renderer.error(
+                code="server_not_running",
+                message=f"HTTP {e.code} fetching {url}",
+                hint="run `comfy launch` to start a local server",
+                details={"status": e.code, "folder": folder},
+            )
+        raise typer.Exit(code=1) from e
+    except (urllib.error.URLError, OSError, json.JSONDecodeError) as e:
+        renderer.error(
+            code="cloud_http_error" if target.is_cloud else "server_not_running",
+            message=f"failed to fetch {url}: {e}",
+            hint="check `--where` and network connectivity",
+        )
+        raise typer.Exit(code=1) from e
+
+    files = []
+    if isinstance(data, list):
+        for entry in data:
+            if isinstance(entry, dict):
+                files.append({"name": entry.get("name", ""), "pathIndex": entry.get("pathIndex", 0)})
+            elif isinstance(entry, str):
+                files.append({"name": entry, "pathIndex": 0})
+    total = len(files)
+    if limit is not None:
+        files = files[: max(0, limit)]
+
+    payload = {
+        "mode": "cloud" if target.is_cloud else "local",
+        "url": url,
+        "folder": folder,
+        "total": total,
+        "shown": len(files),
+        "files": files,
+    }
+    if renderer.is_pretty():
+        from rich.table import Table
+
+        tbl = Table(show_header=True, header_style="bold")
+        tbl.add_column("name")
+        tbl.add_column("pathIndex", style="dim", justify="right")
+        for f in files:
+            tbl.add_row(f["name"], str(f["pathIndex"]))
+        renderer.console().print(tbl)
+        tail = f" (of {total})" if total != len(files) else ""
+        rprint(f"[dim]{len(files)} files in {folder!r}{tail} ({payload['mode']})[/dim]")
+    renderer.emit(payload, command="models list-folder")
+
+
+# ---------------------------------------------------------------------------
+# search / show — enriched catalog (cloud), filename listing (local)
+# ---------------------------------------------------------------------------
+
+
+def _meta_str(asset: dict[str, Any], key: str) -> str | None:
+    """First-wins lookup across user_metadata then metadata. Returns None if absent."""
+    for bag_key in ("user_metadata", "metadata"):
+        bag = asset.get(bag_key) or {}
+        val = bag.get(key)
+        if isinstance(val, str) and val:
+            return val
+        if isinstance(val, list) and val:
+            joined = ", ".join(str(x) for x in val if x)
+            if joined:
+                return joined
+    return None
+
+
+def _meta_list(asset: dict[str, Any], key: str) -> list[str]:
+    """First-wins list lookup across user_metadata then metadata."""
+    for bag_key in ("user_metadata", "metadata"):
+        bag = asset.get(bag_key) or {}
+        val = bag.get(key)
+        if isinstance(val, list):
+            return [str(x) for x in val if x]
+        if isinstance(val, str) and val:
+            return [val]
+    return []
+
+
+def _asset_to_row(asset: dict[str, Any]) -> dict[str, Any]:
+    """Project an Asset dict into the agent-friendly model row.
+
+    ``name`` is the on-disk filename — what goes into a LoraLoader / UNETLoader
+    combo. ``display_name`` is the human-readable label kept as a separate
+    field so consumers can choose which to show.
+    """
+    tags = [t for t in (asset.get("tags") or []) if t not in ("models", "missing")]
+    type_ = tags[0] if tags else "unknown"
+    return {
+        "name": asset.get("name", ""),
+        "display_name": asset.get("display_name") or asset.get("name", ""),
+        "type": type_,
+        "tags": tags + _meta_list(asset, "additional_tags"),
+        "base_model": _meta_str(asset, "base_model"),
+        "trained_words": _meta_list(asset, "trained_words") or None,
+        "source_url": _meta_str(asset, "repo_url") or _meta_str(asset, "source_url") or _meta_str(asset, "source_arn"),
+        "preview_url": asset.get("preview_url"),
+        "size": asset.get("size"),
+        "is_public": asset.get("is_immutable") is True,
+        "id": asset.get("id"),
+    }
+
+
+def _cloud_search(
+    target,
+    *,
+    text: str | None,
+    type_: str | None,
+    limit: int,
+    include_public: bool,
+) -> tuple[list[dict[str, Any]], int]:
+    """Page through /api/assets, returning (rows, total).
+
+    The ``include_tags`` parameter is comma-separated, not repeated — cloud
+    rejects the repeated-key form (``include_tags=a&include_tags=b``) per its
+    OpenAPI spec (``style: form, explode: false``).
+    """
+    tags = ["models"]
+    if type_:
+        tags.append(_TYPE_TO_FOLDER.get(type_, type_))
+    params: dict[str, Any] = {
+        "include_tags": ",".join(tags),
+        "limit": min(max(limit, 1), 500),
+        "include_public": str(include_public).lower(),
+    }
+    if text:
+        params["name_contains"] = text
+
+    qs = urllib.parse.urlencode(params)
+    url = target.url("assets") + "?" + qs
+    body = _http_get_json(url, target)
+    assets = body.get("assets") or []
+    rows = [_asset_to_row(a) for a in assets if isinstance(a, dict)]
+    return rows, int(body.get("total") or len(rows))
+
+
+def _local_search(
+    target,
+    *,
+    text: str | None,
+    type_: str | None,
+    limit: int,
+) -> tuple[list[dict[str, Any]], int]:
+    """Filename listing from /models/<folder>. No enrichment available on local."""
+    if not type_:
+        # No tag-based filtering on local — pick a default that's almost always
+        # populated rather than scanning every folder (which would be slow).
+        folder = "checkpoints"
+    else:
+        folder = _TYPE_TO_FOLDER.get(type_, type_)
+    url = target.url(*_models_path_parts(target), folder)
+    data = _http_get_json(url, target)
+    items = []
+    if isinstance(data, list):
+        for entry in data:
+            name = entry.get("name", "") if isinstance(entry, dict) else (entry if isinstance(entry, str) else "")
+            if not name:
+                continue
+            if text and text.lower() not in name.lower():
+                continue
+            items.append(
+                {
+                    "name": name,
+                    "type": folder,
+                    "tags": [folder],
+                    "base_model": None,
+                    "trained_words": None,
+                    "source_url": None,
+                    "preview_url": None,
+                    "size": None,
+                    "is_public": False,
+                    "id": None,
+                }
+            )
+    total = len(items)
+    return items[:limit], total
+
+
+@app.command(
+    "search",
+    help="Search models. Cloud: enriched via /api/assets. Local: filename substring on /models/<folder>.",
+)
+@tracking.track_command("models")
+def search_cmd(
+    text: Annotated[
+        str | None,
+        typer.Option(
+            "--text", "-t", show_default=False, help="Substring on the model name (case-insensitive on cloud)."
+        ),
+    ] = None,
+    type_: Annotated[
+        str | None,
+        typer.Option("--type", show_default=False, help="Model type: lora, checkpoint, vae, controlnet, …"),
+    ] = None,
+    limit: Annotated[
+        int,
+        typer.Option("--limit", help="Cap results."),
+    ] = 20,
+    include_public: Annotated[
+        bool,
+        typer.Option(
+            "--include-public/--mine-only",
+            help="Cloud only: include public/shared assets (default true). On local this flag is ignored.",
+        ),
+    ] = True,
+    where: Annotated[
+        str | None,
+        typer.Option("--where", show_default=False, help="Override the resolved routing mode."),
+    ] = None,
+):
+    from comfy_cli.target import resolve_target
+
+    renderer = get_renderer()
+    if type_ is not None:
+        _reject_unsafe_path_segment(type_, kind="type", renderer=renderer)
+    target = resolve_target(where=where)
+
+    try:
+        if target.is_cloud:
+            rows, total = _cloud_search(target, text=text, type_=type_, limit=limit, include_public=include_public)
+        else:
+            rows, total = _local_search(target, text=text, type_=type_, limit=limit)
+    except urllib.error.HTTPError as e:
+        renderer.error(
+            code="cloud_http_error" if target.is_cloud else "server_not_running",
+            message=f"HTTP {e.code} during models search",
+            hint="check auth (`comfy auth whoami`) or network",
+            details={"status": e.code, "body": (e.read() or b"")[:1000].decode("utf-8", "replace")},
+        )
+        raise typer.Exit(code=1) from e
+    except (urllib.error.URLError, OSError, json.JSONDecodeError) as e:
+        renderer.error(
+            code="cloud_http_error" if target.is_cloud else "server_not_running",
+            message=f"models search failed: {e}",
+            hint="check connectivity / auth",
+        )
+        raise typer.Exit(code=1) from e
+
+    payload = {
+        "mode": "cloud" if target.is_cloud else "local",
+        "filters": {"text": text, "type": type_, "include_public": include_public if target.is_cloud else None},
+        "total": total,
+        "shown": len(rows),
+        "rows": rows,
+    }
+    if renderer.is_pretty():
+        from rich.table import Table
+
+        tbl = Table(show_header=True, header_style="bold")
+        tbl.add_column("name")
+        tbl.add_column("type", style="dim")
+        tbl.add_column("base_model", style="dim")
+        tbl.add_column("source", style="dim")
+        for r in rows:
+            tbl.add_row(
+                r["name"][:60],
+                r["type"] or "",
+                r["base_model"] or "",
+                (r["source_url"] or "")[:48],
+            )
+        renderer.console().print(tbl)
+        tail = f" (of {total} total)" if total != len(rows) else ""
+        rprint(f"[dim]{len(rows)} model(s){tail} ({payload['mode']})[/dim]")
+    renderer.emit(payload, command="models search")
+
+
+@app.command(
+    "show",
+    help="Show one model by exact name. Surfaces both metadata bags verbatim alongside the projected row.",
+)
+@tracking.track_command("models")
+def show_cmd(
+    name: Annotated[str, typer.Argument(help="Exact model filename (e.g. 'wan2.2_vae.safetensors').")],
+    where: Annotated[
+        str | None,
+        typer.Option("--where", show_default=False, help="Override the resolved routing mode."),
+    ] = None,
+):
+    from comfy_cli.target import resolve_target
+
+    renderer = get_renderer()
+    target = resolve_target(where=where)
+
+    if not target.is_cloud:
+        # On local there's no asset catalog. We can confirm the file exists by
+        # scanning the folders, but there's no enrichment to show. Surface that
+        # honestly rather than returning a misleadingly empty record.
+        renderer.error(
+            code="models_show_local_unsupported",
+            message="`models show` requires the cloud asset catalog and isn't available on local.",
+            hint="for filename-only listing on local, use `comfy models list-folder <folder>`",
+        )
+        raise typer.Exit(code=1)
+
+    # `name_contains` is a server-side substring filter, so for a common
+    # substring the requested exact name can land on page 2+. Page through the
+    # results (honoring the server's `has_more` flag) and run the exact-name
+    # check client-side on every page until we find it or the server runs out.
+    candidates: list[dict] = []
+    match = None
+    offset = 0
+    page_size = 200
+    max_pages = 50  # safety cap (10k results) so a misbehaving server can't loop forever
+    for _ in range(max_pages):
+        qs = urllib.parse.urlencode(
+            {"include_tags": "models", "name_contains": name, "limit": page_size, "offset": offset}
+        )
+        url = target.url("assets") + "?" + qs
+        try:
+            body = _http_get_json(url, target)
+        except urllib.error.HTTPError as e:
+            renderer.error(
+                code="cloud_http_error",
+                message=f"HTTP {e.code} from {url}",
+                hint="check auth and network",
+                details={"status": e.code},
+            )
+            raise typer.Exit(code=1) from e
+        except (urllib.error.URLError, OSError, json.JSONDecodeError) as e:
+            renderer.error(code="cloud_http_error", message=f"models show failed: {e}")
+            raise typer.Exit(code=1) from e
+
+        page = [a for a in (body.get("assets") or []) if isinstance(a, dict)]
+        candidates.extend(page)
+        # First exact match wins (name or display_name).
+        match = next((a for a in page if a.get("name") == name or a.get("display_name") == name), None)
+        if match is not None:
+            break
+        offset += len(page)
+        if not page or not body.get("has_more"):
+            break
+    if match is None:
+        renderer.error(
+            code="model_not_found",
+            message=f"no asset with exact name {name!r} ({len(candidates)} substring matches)",
+            hint="try `comfy models search --text <substring>` to find candidates",
+            details={
+                "close_matches": [a.get("name") for a in candidates[:10] if isinstance(a, dict)],
+            },
+        )
+        raise typer.Exit(code=1)
+
+    payload = {
+        "row": _asset_to_row(match),
+        "asset": match,  # full Asset object verbatim
+    }
+    if renderer.is_pretty():
+        row = payload["row"]
+        rprint(f"[bold]{row['name']}[/bold]")
+        rprint(f"  type:        {row['type']}")
+        if row.get("base_model"):
+            rprint(f"  base_model:  {row['base_model']}")
+        if row.get("tags"):
+            rprint(f"  tags:        {', '.join(row['tags'])}")
+        if row.get("source_url"):
+            rprint(f"  source:      {row['source_url']}")
+        if row.get("preview_url"):
+            rprint(f"  preview:     {row['preview_url']}")
+        if row.get("size"):
+            rprint(f"  size:        {row['size']:,} bytes")
+        trained = row.get("trained_words")
+        if trained:
+            rprint(f"  trained:     {', '.join(trained)}")
+    renderer.emit(payload, command="models show")
diff --git a/comfy_cli/command/nodes.py b/comfy_cli/command/nodes.py
new file mode 100644
index 00000000..d1565cea
--- /dev/null
+++ b/comfy_cli/command/nodes.py
@@ -0,0 +1,879 @@
+"""``comfy nodes`` — node-class introspection.
+
+Agent-facing wrappers over the same object_info source CQL consumes, but
+with flag-based interfaces an LLM can pattern-match without learning a
+grammar. Three primitives:
+
+    comfy nodes ls   [--produces T] [--accepts T] [--category PAT] [--limit N]
+    comfy nodes show <NodeClass>
+    comfy nodes search <text>
+
+All three resolve the graph in this order:
+    1. ``--input <path>`` to an object_info dump (offline mode)
+    2. ``--host:--port`` live ComfyUI server (default 127.0.0.1:8188)
+
+Backed by the pure-Python CQL engine (``comfy_cli.cql.engine.Graph``).
+"""
+
+from __future__ import annotations
+
+import difflib
+from typing import Annotated, Any
+
+import typer
+
+from comfy_cli import tracking
+from comfy_cli.cql.engine import Graph, LoadError
+from comfy_cli.output import get_renderer, rprint
+
+app = typer.Typer(no_args_is_help=True, help="Introspect ComfyUI node classes (inputs, outputs, categories).")
+
+
+# ---------------------------------------------------------------------------
+# graph resolution — shared across ls/show/search
+# ---------------------------------------------------------------------------
+
+
+def _resolved_where(where: str | None) -> str:
+    """Apply the full precedence chain: per-command flag > env > config > default."""
+    from comfy_cli import where as where_module
+
+    # Mirror comfy_cli.target.resolve_target()'s defensive fallback: a corrupt
+    # config must not take the whole `comfy nodes *` surface down with a
+    # traceback before the structured renderer ever runs.
+    config_value: str | None = None
+    try:
+        from comfy_cli.config_manager import ConfigManager
+
+        config_value = ConfigManager().get(where_module.CONFIG_KEY_WHERE_DEFAULT)
+    except Exception:  # noqa: BLE001 — never break routing on a bad config
+        config_value = None
+
+    try:
+        decision = where_module.resolve(flag=where, config_value=config_value)
+    except ValueError:
+        # An invalid persisted where_default shouldn't be fatal; fall back to
+        # the flag (if valid) or auto-detect with the bad config value dropped.
+        decision = where_module.resolve(flag=where, config_value=None)
+    return decision.target.value  # "local" | "cloud"
+
+
+def _get_graph(
+    input_path: str | None,
+    host: str | None,
+    port: int | None,
+    where: str | None = None,
+    on_stale=None,
+) -> Graph:
+    """Load the Graph for ``comfy nodes`` commands.
+
+    Routing follows the standard precedence: explicit ``--where`` > env
+    (``COMFY_WHERE``) > config (``where_default``) > local default. The
+    ``--input <path>`` flag short-circuits everything (offline mode).
+
+    ``on_stale``, if provided, is forwarded to ``resilient_load_object_info``
+    and fired when a stale-cache fallback occurs (see loader for signature).
+    """
+    mode = _resolved_where(where)
+    try:
+        if input_path is not None:
+            # Explicit offline dump — let Graph.load read + annotate it.
+            return Graph.load(
+                mode=mode,
+                input_path=input_path,
+                host=host or "127.0.0.1",
+                port=port or 8188,
+            )
+        # Live fetch goes through the resilient loader: auto-cache on success,
+        # refresh-and-retry once, then fall back to the last cached dump (with
+        # a stderr warning) when the server/session is briefly unreachable.
+        from comfy_cli.cql.loader import resilient_load_object_info
+
+        raw = resilient_load_object_info(
+            mode=mode,
+            host=host or "127.0.0.1",
+            port=port or 8188,
+            on_stale=on_stale,
+        )
+        graph = Graph.from_object_info(raw)
+        graph._try_default_annotations()
+        return graph
+    except LoadError as e:
+        renderer = get_renderer()
+        renderer.error(
+            code="cql_no_graph",
+            message=str(e),
+            hint=e.details.get("hint", "pass --input <path>, or start the server with `comfy launch`"),
+            details=e.details,
+        )
+        raise typer.Exit(code=1) from e
+
+
+def _category_matches(category: str | None, pat: str) -> bool:
+    """Glob-style match on category: ``loaders%`` matches ``loaders/anything``."""
+    if not isinstance(category, str):
+        return False
+    # Support both SQL-style `%` and standard glob `*` so agents can use either.
+    pat_norm = pat.replace("%", "*")
+    import fnmatch
+
+    return fnmatch.fnmatchcase(category, pat_norm)
+
+
+# ---------------------------------------------------------------------------
+# ls
+# ---------------------------------------------------------------------------
+
+
+@app.command(
+    "ls",
+    help="List node classes. Filter via --produces/--accepts/--category/--pack/--label or boolean flags.",
+)
+@tracking.track_command("nodes")
+def ls_cmd(
+    produces: Annotated[
+        str | None,
+        typer.Option("--produces", help="Only nodes whose outputs include this type (e.g. MODEL, IMAGE)."),
+    ] = None,
+    accepts: Annotated[
+        str | None,
+        typer.Option("--accepts", help="Only nodes with at least one input of this type."),
+    ] = None,
+    category: Annotated[
+        str | None,
+        typer.Option("--category", help="Glob match on category path (e.g. 'loaders*', 'sampling/*')."),
+    ] = None,
+    pack: Annotated[
+        str | None,
+        typer.Option("--pack", help="Filter by custom-node pack name (e.g. 'core', 'comfyui-impact-pack')."),
+    ] = None,
+    label: Annotated[
+        str | None,
+        typer.Option("--label", help="Filter by behavioral label (e.g. 'WritesToDisk', 'NetworkAccess')."),
+    ] = None,
+    cloud_disabled: Annotated[
+        bool,
+        typer.Option("--cloud-disabled/--cloud-enabled", show_default=False, help="Filter by cloud availability."),
+    ] = False,
+    api_only: Annotated[
+        bool,
+        typer.Option("--api-only", show_default=False, help="Only partner API nodes."),
+    ] = False,
+    output_only: Annotated[
+        bool,
+        typer.Option("--output-only", show_default=False, help="Only terminal output nodes."),
+    ] = False,
+    exclude_deprecated: Annotated[
+        bool,
+        typer.Option("--exclude-deprecated", show_default=False, help="Exclude deprecated nodes."),
+    ] = False,
+    limit: Annotated[
+        int | None,
+        typer.Option(show_default=False, help="Cap output to N rows."),
+    ] = None,
+    input_path: Annotated[
+        str | None,
+        typer.Option("--input", show_default=False, help="Path to a local object_info JSON (offline mode)."),
+    ] = None,
+    host: Annotated[
+        str | None,
+        typer.Option(show_default=False, help="ComfyUI host (default 127.0.0.1)."),
+    ] = None,
+    port: Annotated[
+        int | None,
+        typer.Option(show_default=False, help="ComfyUI port (default 8188)."),
+    ] = None,
+    where: Annotated[
+        str | None,
+        typer.Option("--where", show_default=False, help="'cloud' to query Comfy Cloud's catalog; default is local."),
+    ] = None,
+):
+    renderer = get_renderer()
+    _stale: dict = {}
+    graph = _get_graph(
+        input_path,
+        host,
+        port,
+        where=where,
+        on_stale=lambda key, err: _stale.update(stale=True, source=key, reason=err),
+    )
+
+    produces_upper = produces.upper() if produces else None
+    accepts_upper = accepts.upper() if accepts else None
+
+    nodes = []
+    for m in graph.all_nodes():
+        if produces_upper and not m.has_output(produces_upper):
+            continue
+        if accepts_upper and not m.has_input(accepts_upper):
+            continue
+        if category and not _category_matches(m.category, category):
+            continue
+        if pack and m.pack.lower() != pack.lower():
+            continue
+        if label and label not in m.labels:
+            continue
+        if cloud_disabled and not m.cloud_disabled:
+            continue
+        if api_only and not m.is_api_node:
+            continue
+        if output_only and not m.is_output_node:
+            continue
+        if exclude_deprecated and m.deprecated:
+            continue
+        nodes.append(m)
+
+    nodes.sort(key=lambda m: m.id)
+
+    # Note: cloud servers pre-filter disabled nodes from object_info, so
+    # --cloud-disabled will always return 0 results against a cloud target.
+    cloud_note = None
+    if cloud_disabled and not nodes:
+        mode = _resolved_where(where)
+        if mode == "cloud":
+            cloud_note = "Cloud server pre-filters disabled nodes; query a local server to see what would be blocked."
+
+    total_matched = len(nodes)
+    if limit is not None:
+        nodes = nodes[: max(0, limit)]
+
+    payload = {
+        "filter": {
+            "produces": produces,
+            "accepts": accepts,
+            "category": category,
+            "pack": pack,
+            "label": label,
+            "cloud_disabled": cloud_disabled if cloud_disabled else None,
+            "api_only": api_only if api_only else None,
+            "output_only": output_only if output_only else None,
+            "exclude_deprecated": exclude_deprecated if exclude_deprecated else None,
+        },
+        "total": total_matched,
+        "count": len(nodes),
+        "rows": [
+            {
+                "name": m.id,
+                "category": m.category,
+                "display_name": m.display_name,
+                "output_types": m.output_types(),
+                "output_node": m.is_output_node,
+            }
+            for m in nodes
+        ],
+    }
+
+    if cloud_note:
+        payload["cloud_note"] = cloud_note
+
+    if _stale:
+        payload["stale"] = True
+        payload["warnings"] = [
+            {
+                "code": "object_info_stale",
+                "message": f"served from cache ({_stale['source']}): {_stale['reason']}",
+            }
+        ]
+
+    if renderer.is_pretty():
+        if not nodes:
+            rprint("[dim]0 nodes matched.[/dim]")
+            if cloud_note:
+                rprint(f"[yellow]{cloud_note}[/yellow]")
+        else:
+            from rich.table import Table
+
+            tbl = Table(show_header=True, header_style="bold")
+            tbl.add_column("name")
+            tbl.add_column("category", style="dim")
+            tbl.add_column("outputs")
+            for m in nodes:
+                outs = ", ".join(m.output_types()) or "[dim]—[/dim]"
+                tbl.add_row(m.id, m.category or "", outs)
+            renderer.console().print(tbl)
+            rprint(f"[dim]{len(nodes)} node(s)[/dim]")
+    renderer.emit(payload, command="nodes ls")
+
+
+# ---------------------------------------------------------------------------
+# show
+# ---------------------------------------------------------------------------
+
+
+@app.command("show", help="Show the full schema for one node class: inputs, outputs, defaults, constraints.")
+@tracking.track_command("nodes")
+def show_cmd(
+    name: Annotated[str, typer.Argument(help="Node class name (case-sensitive), e.g. 'KSampler'.")],
+    where: Annotated[
+        str | None,
+        typer.Option("--where", show_default=False, help="'cloud' to query Comfy Cloud's catalog; default is local."),
+    ] = None,
+    input_path: Annotated[
+        str | None,
+        typer.Option("--input", show_default=False, help="Path to a local object_info JSON (offline mode)."),
+    ] = None,
+    host: Annotated[
+        str | None,
+        typer.Option(show_default=False, help="ComfyUI host (default 127.0.0.1)."),
+    ] = None,
+    port: Annotated[
+        int | None,
+        typer.Option(show_default=False, help="ComfyUI port (default 8188)."),
+    ] = None,
+):
+    renderer = get_renderer()
+    _stale: dict = {}
+    graph = _get_graph(
+        input_path,
+        host,
+        port,
+        where=where,
+        on_stale=lambda key, err: _stale.update(stale=True, source=key, reason=err),
+    )
+
+    m = graph.node(name)
+    if m is None:
+        # Surface near-matches so the agent can self-correct from the error.
+        all_names = [n.id for n in graph.all_nodes()]
+        close = difflib.get_close_matches(name, all_names, n=5, cutoff=0.6)
+        renderer.error(
+            code="node_not_found",
+            message=f"Node class {name!r} not found in the loaded environment.",
+            hint=(
+                f"did you mean: {', '.join(close)}?"
+                if close
+                else "run `comfy nodes ls` or `comfy nodes search <text>` to find available classes."
+            ),
+            details={"requested": name, "close_matches": close},
+        )
+        raise typer.Exit(code=1)
+
+    payload = graph.morphism_to_dict(m)
+
+    if _stale:
+        payload["stale"] = True
+        payload["warnings"] = [
+            {
+                "code": "object_info_stale",
+                "message": f"served from cache ({_stale['source']}): {_stale['reason']}",
+            }
+        ]
+
+    if renderer.is_pretty():
+        from rich.table import Table
+
+        rprint(
+            f"[bold]{payload['name']}[/bold]"
+            + (
+                f"  [dim]({payload['display_name']})[/dim]"
+                if payload["display_name"] and payload["display_name"] != payload["name"]
+                else ""
+            )
+        )
+        if payload["category"]:
+            rprint(f"[dim]category[/dim]  {payload['category']}")
+        if payload["description"]:
+            rprint(f"[dim]{payload['description']}[/dim]")
+        outs = ", ".join(payload["output_types"]) or "(none)"
+        rprint(f"[dim]outputs[/dim]   {outs}")
+        rprint("")
+        if payload["inputs"]:
+            tbl = Table(show_header=True, header_style="bold")
+            tbl.add_column("input")
+            tbl.add_column("type")
+            tbl.add_column("section", style="dim")
+            tbl.add_column("default", style="dim")
+            for i in payload["inputs"]:
+                opts = i.get("options") or {}
+                default = opts.get("default")
+                tbl.add_row(
+                    str(i.get("name") or ""),
+                    str(i.get("type") or ""),
+                    str(i.get("section") or ""),
+                    "" if default is None else str(default),
+                )
+            renderer.console().print(tbl)
+    renderer.emit(payload, command="nodes show")
+
+
+# ---------------------------------------------------------------------------
+# search
+# ---------------------------------------------------------------------------
+
+
+@app.command("search", help="Fuzzy-search node classes by name, display name, or description.")
+@tracking.track_command("nodes")
+def search_cmd(
+    query: Annotated[str, typer.Argument(help="Text to search for (case-insensitive substring).")],
+    limit: Annotated[int, typer.Option(help="Cap output to N rows.")] = 20,
+    input_path: Annotated[
+        str | None,
+        typer.Option("--input", show_default=False, help="Path to a local object_info JSON (offline mode)."),
+    ] = None,
+    host: Annotated[
+        str | None,
+        typer.Option(show_default=False, help="ComfyUI host (default 127.0.0.1)."),
+    ] = None,
+    port: Annotated[
+        int | None,
+        typer.Option(show_default=False, help="ComfyUI port (default 8188)."),
+    ] = None,
+    where: Annotated[
+        str | None,
+        typer.Option("--where", show_default=False, help="'cloud' to query Comfy Cloud's catalog; default is local."),
+    ] = None,
+):
+    renderer = get_renderer()
+    _stale: dict = {}
+    graph = _get_graph(
+        input_path,
+        host,
+        port,
+        where=where,
+        on_stale=lambda key, err: _stale.update(stale=True, source=key, reason=err),
+    )
+
+    q = query.lower()
+    scored: list[tuple[int, Any]] = []
+    for m in graph.all_nodes():
+        name_l = m.id.lower()
+        display_l = m.display_name.lower()
+        desc_l = m.description.lower()
+        # Simple scoring: exact name hit > prefix > substring in name > display > description.
+        if name_l == q:
+            score = 0
+        elif name_l.startswith(q):
+            score = 1
+        elif q in name_l:
+            score = 2
+        elif q in display_l:
+            score = 3
+        elif q in desc_l:
+            score = 4
+        else:
+            continue
+        scored.append((score, m))
+
+    scored.sort(key=lambda x: (x[0], x[1].id))
+    total_matched = len(scored)
+    matched = [m for _, m in scored[: max(0, limit)]]
+
+    payload = {
+        "query": query,
+        "total": total_matched,
+        "count": len(matched),
+        "rows": [
+            {
+                "name": m.id,
+                "category": m.category,
+                "display_name": m.display_name,
+                "description": m.description,
+                "output_types": m.output_types(),
+            }
+            for m in matched
+        ],
+    }
+
+    if _stale:
+        payload["stale"] = True
+        payload["warnings"] = [
+            {
+                "code": "object_info_stale",
+                "message": f"served from cache ({_stale['source']}): {_stale['reason']}",
+            }
+        ]
+
+    if renderer.is_pretty():
+        if not matched:
+            rprint(f"[dim]No nodes match {query!r}.[/dim]")
+        else:
+            from rich.table import Table
+
+            tbl = Table(show_header=True, header_style="bold")
+            tbl.add_column("name")
+            tbl.add_column("category", style="dim")
+            tbl.add_column("description", style="dim")
+            for m in matched:
+                desc = m.description[:60]
+                tbl.add_row(m.id, m.category or "", desc)
+            renderer.console().print(tbl)
+            rprint(f"[dim]{len(matched)} node(s)[/dim]")
+    renderer.emit(payload, command="nodes search")
+
+
+# ---------------------------------------------------------------------------
+# graph traversal: upstream / downstream / path
+# ---------------------------------------------------------------------------
+
+
+def _morphism_row(m) -> dict[str, Any]:
+    """Project a Morphism into our agent-friendly row shape."""
+    return {
+        "name": m.id,
+        "category": m.category,
+        "display_name": m.display_name,
+        "output_types": m.output_types(),
+    }
+
+
+@app.command("upstream", help="List nodes whose outputs can feed into <name>'s link inputs.")
+@tracking.track_command("nodes")
+def upstream_cmd(
+    name: Annotated[str, typer.Argument(help="Node class name, e.g. 'KSampler'.")],
+    limit: Annotated[int | None, typer.Option(show_default=False, help="Cap output to N rows.")] = None,
+    input_path: Annotated[str | None, typer.Option("--input", show_default=False)] = None,
+    host: Annotated[str | None, typer.Option(show_default=False)] = None,
+    port: Annotated[int | None, typer.Option(show_default=False)] = None,
+    where: Annotated[
+        str | None,
+        typer.Option("--where", show_default=False, help="'cloud' to query Comfy Cloud's catalog; default is local."),
+    ] = None,
+):
+    renderer = get_renderer()
+    _stale: dict = {}
+    graph = _get_graph(
+        input_path,
+        host,
+        port,
+        where=where,
+        on_stale=lambda key, err: _stale.update(stale=True, source=key, reason=err),
+    )
+    nodes = graph.upstream(name)
+
+    total_upstream = len(nodes)
+    if limit is not None:
+        nodes = nodes[: max(0, limit)]
+    rows = [_morphism_row(m) for m in nodes]
+    payload = {"name": name, "total": total_upstream, "count": len(rows), "rows": rows}
+
+    if _stale:
+        payload["stale"] = True
+        payload["warnings"] = [
+            {
+                "code": "object_info_stale",
+                "message": f"served from cache ({_stale['source']}): {_stale['reason']}",
+            }
+        ]
+
+    if renderer.is_pretty():
+        if not rows:
+            rprint(f"[dim]No upstream nodes for {name!r}.[/dim]")
+        else:
+            from rich.table import Table
+
+            tbl = Table(show_header=True, header_style="bold")
+            tbl.add_column("name")
+            tbl.add_column("category", style="dim")
+            tbl.add_column("outputs")
+            for r in rows:
+                outs = ", ".join(r["output_types"]) or "[dim]—[/dim]"
+                tbl.add_row(r["name"] or "", r["category"] or "", outs)
+            renderer.console().print(tbl)
+            tail = f" of {total_upstream}" if total_upstream != len(rows) else ""
+            rprint(f"[dim]{len(rows)} upstream node(s){tail}[/dim]")
+    renderer.emit(payload, command="nodes upstream")
+
+
+@app.command("downstream", help="List nodes that accept any of <name>'s output types.")
+@tracking.track_command("nodes")
+def downstream_cmd(
+    name: Annotated[str, typer.Argument(help="Node class name, e.g. 'CheckpointLoaderSimple'.")],
+    limit: Annotated[int | None, typer.Option(show_default=False, help="Cap output to N rows.")] = None,
+    input_path: Annotated[str | None, typer.Option("--input", show_default=False)] = None,
+    host: Annotated[str | None, typer.Option(show_default=False)] = None,
+    port: Annotated[int | None, typer.Option(show_default=False)] = None,
+    where: Annotated[
+        str | None,
+        typer.Option("--where", show_default=False, help="'cloud' to query Comfy Cloud's catalog; default is local."),
+    ] = None,
+):
+    renderer = get_renderer()
+    _stale: dict = {}
+    graph = _get_graph(
+        input_path,
+        host,
+        port,
+        where=where,
+        on_stale=lambda key, err: _stale.update(stale=True, source=key, reason=err),
+    )
+    nodes = graph.downstream(name)
+
+    total_downstream = len(nodes)
+    if limit is not None:
+        nodes = nodes[: max(0, limit)]
+    rows = [_morphism_row(m) for m in nodes]
+    payload = {"name": name, "total": total_downstream, "count": len(rows), "rows": rows}
+
+    if _stale:
+        payload["stale"] = True
+        payload["warnings"] = [
+            {
+                "code": "object_info_stale",
+                "message": f"served from cache ({_stale['source']}): {_stale['reason']}",
+            }
+        ]
+
+    if renderer.is_pretty():
+        if not rows:
+            rprint(f"[dim]No downstream nodes for {name!r}.[/dim]")
+        else:
+            from rich.table import Table
+
+            tbl = Table(show_header=True, header_style="bold")
+            tbl.add_column("name")
+            tbl.add_column("category", style="dim")
+            tbl.add_column("outputs")
+            for r in rows:
+                outs = ", ".join(r["output_types"]) or "[dim]—[/dim]"
+                tbl.add_row(r["name"] or "", r["category"] or "", outs)
+            renderer.console().print(tbl)
+            tail = f" of {total_downstream}" if total_downstream != len(rows) else ""
+            rprint(f"[dim]{len(rows)} downstream node(s){tail}[/dim]")
+    renderer.emit(payload, command="nodes downstream")
+
+
+@app.command("path", help="Routed paths from one type to another (e.g. MODEL -> IMAGE).")
+@tracking.track_command("nodes")
+def path_cmd(
+    from_type: Annotated[str, typer.Argument(metavar="FROM", help="Starting type, e.g. MODEL.")],
+    to_type: Annotated[str, typer.Argument(metavar="TO", help="Target type, e.g. IMAGE.")],
+    max_depth: Annotated[int, typer.Option("--max-depth", help="Maximum path length.")] = 6,
+    max_paths: Annotated[int, typer.Option("--max-paths", help="Maximum number of paths to return.")] = 10,
+    exact: Annotated[
+        bool,
+        typer.Option(
+            "--exact/--loose",
+            help="Exact: every step's required link inputs must be satisfiable from the path so far. Loose: any routed sequence.",
+        ),
+    ] = True,
+    input_path: Annotated[str | None, typer.Option("--input", show_default=False)] = None,
+    host: Annotated[str | None, typer.Option(show_default=False)] = None,
+    port: Annotated[int | None, typer.Option(show_default=False)] = None,
+    where: Annotated[
+        str | None,
+        typer.Option("--where", show_default=False, help="'cloud' to query Comfy Cloud's catalog; default is local."),
+    ] = None,
+):
+    renderer = get_renderer()
+    _stale: dict = {}
+    graph = _get_graph(
+        input_path,
+        host,
+        port,
+        where=where,
+        on_stale=lambda key, err: _stale.update(stale=True, source=key, reason=err),
+    )
+
+    finder = graph.exact_paths if exact else graph.find_paths
+    paths = finder(from_type, to_type, max_depth=max_depth, max_paths=max_paths)
+
+    payload = {
+        "from": from_type,
+        "to": to_type,
+        "exact": exact,
+        "max_depth": max_depth,
+        "max_paths": max_paths,
+        "count": len(paths),
+        "paths": [
+            {
+                "from": p.get("from"),
+                "to": p.get("to"),
+                "steps": [
+                    {
+                        "node": s.get("node"),
+                        "from_type": s.get("input_type"),
+                        "to_type": s.get("output_type"),
+                    }
+                    for s in (p.get("steps") or [])
+                ],
+            }
+            for p in paths
+        ],
+    }
+
+    if _stale:
+        payload["stale"] = True
+        payload["warnings"] = [
+            {
+                "code": "object_info_stale",
+                "message": f"served from cache ({_stale['source']}): {_stale['reason']}",
+            }
+        ]
+
+    if renderer.is_pretty():
+        if not paths:
+            rprint(
+                f"[dim]No {'exact' if exact else 'routed'} paths from {from_type} to {to_type} within depth {max_depth}.[/dim]"
+            )
+        else:
+            for p in paths:
+                chain = " [dim]→[/dim] ".join(f"[bold]{s.get('node')}[/bold]" for s in (p.get("steps") or []))
+                rprint(f"[cyan]{p.get('from')}[/cyan]  {chain}  [cyan]{p.get('to')}[/cyan]")
+            rprint(f"[dim]{len(paths)} path(s)[/dim]")
+    renderer.emit(payload, command="nodes path")
+
+
+# ---------------------------------------------------------------------------
+# browse: types / categories
+# ---------------------------------------------------------------------------
+
+
+@app.command("types", help="List all connection types in the loaded environment, ranked by connectivity.")
+@tracking.track_command("nodes")
+def types_cmd(
+    limit: Annotated[int | None, typer.Option(show_default=False, help="Cap output to N types.")] = None,
+    input_path: Annotated[str | None, typer.Option("--input", show_default=False)] = None,
+    host: Annotated[str | None, typer.Option(show_default=False)] = None,
+    port: Annotated[int | None, typer.Option(show_default=False)] = None,
+    where: Annotated[
+        str | None,
+        typer.Option("--where", show_default=False, help="'cloud' to query Comfy Cloud's catalog; default is local."),
+    ] = None,
+):
+    renderer = get_renderer()
+    _stale: dict = {}
+    graph = _get_graph(
+        input_path,
+        host,
+        port,
+        where=where,
+        on_stale=lambda key, err: _stale.update(stale=True, source=key, reason=err),
+    )
+    types = graph.list_types()
+
+    if limit is not None:
+        types = types[: max(0, limit)]
+    payload = {"count": len(types), "types": list(types)}
+
+    if _stale:
+        payload["stale"] = True
+        payload["warnings"] = [
+            {
+                "code": "object_info_stale",
+                "message": f"served from cache ({_stale['source']}): {_stale['reason']}",
+            }
+        ]
+
+    if renderer.is_pretty():
+        from rich.columns import Columns
+
+        renderer.console().print(Columns([f"[cyan]{t}[/cyan]" for t in types], expand=True))
+        rprint(f"[dim]{len(types)} type(s)[/dim]")
+    renderer.emit(payload, command="nodes types")
+
+
+def _flatten_category_tree(tree: dict[str, Any]) -> list[tuple[str, int]]:
+    """Walk the CategoryTree → flat [(full_path, count)].
+
+    Shape: every node has ``FullPath``, ``Count``, and ``Children`` (a dict
+    keyed by name). The root sits under ``Root``.
+    """
+    out: list[tuple[str, int]] = []
+    if not isinstance(tree, dict):
+        return out
+    root = tree.get("Root")
+    if not isinstance(root, dict):
+        return out
+
+    def walk(node: dict[str, Any]) -> None:
+        children = node.get("Children")
+        if not isinstance(children, dict):
+            return
+        for child in children.values():
+            if not isinstance(child, dict):
+                continue
+            full = str(child.get("FullPath") or "")
+            count = int(child.get("Count") or 0)
+            if full:
+                out.append((full, count))
+            walk(child)
+
+    walk(root)
+    return out
+
+
+@app.command("categories", help="Browse the category tree.")
+@tracking.track_command("nodes")
+def categories_cmd(
+    prefix: Annotated[
+        str | None,
+        typer.Option("--prefix", show_default=False, help="Only categories starting with this path."),
+    ] = None,
+    limit: Annotated[int | None, typer.Option(show_default=False, help="Cap output to N rows.")] = None,
+    input_path: Annotated[str | None, typer.Option("--input", show_default=False)] = None,
+    host: Annotated[str | None, typer.Option(show_default=False)] = None,
+    port: Annotated[int | None, typer.Option(show_default=False)] = None,
+    where: Annotated[
+        str | None,
+        typer.Option("--where", show_default=False, help="'cloud' to query Comfy Cloud's catalog; default is local."),
+    ] = None,
+):
+    renderer = get_renderer()
+    _stale: dict = {}
+    graph = _get_graph(
+        input_path,
+        host,
+        port,
+        where=where,
+        on_stale=lambda key, err: _stale.update(stale=True, source=key, reason=err),
+    )
+    tree = graph.category_tree()
+
+    flat = _flatten_category_tree(tree)
+    if prefix:
+        flat = [(p, c) for p, c in flat if p.startswith(prefix)]
+    flat.sort(key=lambda x: x[0])
+    if limit is not None:
+        flat = flat[: max(0, limit)]
+
+    payload = {
+        "prefix": prefix,
+        "count": len(flat),
+        "rows": [{"category": p, "node_count": c} for p, c in flat],
+    }
+
+    if _stale:
+        payload["stale"] = True
+        payload["warnings"] = [
+            {
+                "code": "object_info_stale",
+                "message": f"served from cache ({_stale['source']}): {_stale['reason']}",
+            }
+        ]
+
+    if renderer.is_pretty():
+        if not flat:
+            rprint(f"[dim]No categories{' matching ' + prefix if prefix else ''}.[/dim]")
+        else:
+            from rich.table import Table
+
+            tbl = Table(show_header=True, header_style="bold")
+            tbl.add_column("category")
+            tbl.add_column("nodes", justify="right", style="dim")
+            for p, c in flat:
+                tbl.add_row(p, str(c))
+            renderer.console().print(tbl)
+            rprint(f"[dim]{len(flat)} categories[/dim]")
+    renderer.emit(payload, command="nodes categories")
+
+
+# ---------------------------------------------------------------------------
+# refresh — object_info is fetched live; nothing to cache
+# ---------------------------------------------------------------------------
+
+
+@app.command(
+    "refresh",
+    help="object_info is fetched live from the server on each command — nothing to refresh.",
+)
+@tracking.track_command("nodes")
+def refresh_cmd(
+    where: Annotated[
+        str | None,
+        typer.Option("--where", show_default=False, help="Override the resolved routing mode."),
+    ] = None,
+):
+    """Explain that object_info is fetched live and exit."""
+    renderer = get_renderer()
+    rprint("[dim]object_info is fetched live from the server on each command — nothing to refresh.[/dim]")
+    renderer.emit({"refreshed": False, "reason": "live_fetch"}, command="nodes refresh")
diff --git a/comfy_cli/command/project.py b/comfy_cli/command/project.py
new file mode 100644
index 00000000..cb6f19dd
--- /dev/null
+++ b/comfy_cli/command/project.py
@@ -0,0 +1,367 @@
+"""``comfy project`` — the project/1 convention: init and status.
+
+A project is a directory with a ``comfy.yaml`` marker (``schema: project/1``)
+and five conventional dirs: ``assets/ fragments/ blueprints/ outputs/
+.comfy/`` (machine-owned). The convention is the contract — ``init`` lays it
+down, ``status`` is the queryable state agents read instead of hand-written
+manifests: blueprints, assets (joined against the push lock), the run
+journal, and layout warnings.
+
+Discovery/journaling logic lives in the pure :mod:`comfy_cli.project`; this
+module is only the Typer/renderer surface (template: ``auth/command.py``).
+"""
+
+from __future__ import annotations
+
+import hashlib
+import json
+import os
+import urllib.error
+from datetime import datetime, timezone
+from pathlib import Path
+from typing import Annotated
+
+import typer
+
+from comfy_cli import tracking
+from comfy_cli.command.transfer import _upload_file
+from comfy_cli.output import get_renderer, rprint
+from comfy_cli.project import (
+    ASSETS_LOCK_SCHEMA,
+    CONVENTIONAL_DIRS,
+    PROJECT_MARKER,
+    PROJECT_SCHEMA,
+    Project,
+    find_project,
+    read_assets_lock,
+    read_journal,
+    unknown_dirs,
+)
+from comfy_cli.target import resolve_target
+
+app = typer.Typer(
+    no_args_is_help=True,
+    help="Project conventions: init and status.",
+)
+
+# `comfy assets` lives in this module too: assets are a project/1 concept
+# (the lock is project state under .comfy/), not a generic transfer.
+assets_app = typer.Typer(
+    no_args_is_help=True,
+    help="Project assets: push assets/ to the run target over its HTTP upload API.",
+)
+
+
+def _sha256_file(path: Path, chunk_size: int = 1024 * 1024) -> str:
+    """Stream a file through SHA-256 in fixed-size chunks so large assets don't
+    get loaded fully into memory."""
+    h = hashlib.sha256()
+    with path.open("rb") as f:
+        for chunk in iter(lambda: f.read(chunk_size), b""):
+            h.update(chunk)
+    return h.hexdigest()
+
+
+def _iter_asset_files(assets_dir: Path):
+    """Yield (path, relative-name) for real files under ``assets/``, skipping
+    dotfiles, symlinks, and anything whose resolved path escapes ``assets/``
+    (a symlink could otherwise leak files from outside the project)."""
+    assets_root = assets_dir.resolve()
+    for path in sorted(assets_dir.rglob("*")):
+        if path.is_symlink() or not path.is_file():
+            continue
+        if not path.resolve().is_relative_to(assets_root):
+            continue
+        rel = path.relative_to(assets_dir)
+        if any(part.startswith(".") for part in rel.parts):
+            continue
+        yield path, rel.as_posix()
+
+
+@assets_app.callback()
+def _assets_callback():
+    """Project assets — push and track.
+
+    (Also keeps Typer from collapsing the single-command group, so the
+    command stays ``comfy assets push``, not a bare ``comfy assets``.)
+    """
+
+
+# The marker `comfy project init` writes — deliberately literal and minimal.
+# The where default is resolved at init time (flag, else auto-detect) so a
+# local-only machine never gets a project that routes every command to cloud.
+MARKER_TEMPLATE = "schema: project/1\ndefaults:\n  where: {where}\n"
+
+
+@app.command("init", help="Initialize the project/1 convention here: comfy.yaml marker + conventional dirs.")
+@tracking.track_command("project")
+def init_cmd(
+    where: Annotated[
+        str | None,
+        typer.Option(
+            "--where",
+            help="Default backend for this project (local|cloud). Omitted: auto-detect "
+            "(cloud if cloud credentials are configured, else local).",
+        ),
+    ] = None,
+):
+    renderer = get_renderer()
+    cwd = Path.cwd().resolve()
+
+    from comfy_cli import where as where_module
+
+    try:
+        # project_value=None: a project can't govern its own init; resolve from
+        # flag → env → config → auto-detect, same chain every routed command uses.
+        decision = where_module.resolve(flag=where, project_value=None)
+    except ValueError as e:
+        renderer.error(code="invalid_argument", message=str(e))
+        raise typer.Exit(code=1) from e
+    default_where = decision.target.value
+
+    existing = find_project(cwd)
+    if existing is not None:
+        renderer.error(
+            code="project_already_exists",
+            message=f"This directory is already governed by the project at {existing.root}.",
+            hint="use the existing project (edit its comfy.yaml), or init outside it",
+            details={"root": str(existing.root)},
+        )
+        raise typer.Exit(code=1)
+
+    (cwd / PROJECT_MARKER).write_text(MARKER_TEMPLATE.format(where=default_where), encoding="utf-8")
+    created = [PROJECT_MARKER]
+    for d in CONVENTIONAL_DIRS:
+        (cwd / d).mkdir(exist_ok=True)
+        created.append(f"{d}/")
+
+    if renderer.is_pretty():
+        rprint(f"[bold green]Initialized project[/bold green] at {cwd}")
+        for name in created:
+            rprint(f"  [dim]created[/dim] {name}")
+    renderer.emit(
+        {"root": str(cwd), "created": created, "action": "init", "where_default": default_where},
+        command="project init",
+        changed=True,
+    )
+
+
+@app.command("status", help="Show the governing project: defaults, blueprints, assets vs lock, recent runs.")
+@tracking.track_command("project")
+def status_cmd():
+    renderer = get_renderer()
+    project = find_project()
+    if project is None:
+        renderer.error(
+            code="project_not_found",
+            message="No comfy.yaml project (schema project/1) governs this directory.",
+            hint="run: comfy project init",
+        )
+        raise typer.Exit(code=1)
+
+    data = {
+        "root": str(project.root),
+        "schema": PROJECT_SCHEMA,
+        "defaults": _defaults(project),
+        "blueprints": _blueprint_names(project),
+        "assets": _asset_entries(project),
+        "recent_runs": read_journal(project, limit=20),
+        "warnings": [f"unknown top-level directory: {d}" for d in unknown_dirs(project)],
+        "action": "status",
+    }
+    if renderer.is_pretty():
+        _render_status_pretty(data)
+    renderer.emit(data, command="project status")
+
+
+# ---------------------------------------------------------------------------
+# comfy assets push
+# ---------------------------------------------------------------------------
+
+
+@assets_app.command("push", help="Upload changed files under assets/ to the run target; record them in the lock.")
+@tracking.track_command("assets")
+def assets_push_cmd(
+    where: Annotated[
+        str | None,
+        typer.Option(
+            "--where",
+            show_default=False,
+            help="Push target (local|cloud). Omitted: the usual chain — env, project default, config, auto.",
+        ),
+    ] = None,
+    force: Annotated[
+        bool,
+        typer.Option("--force", help="Re-push every file, even when the lock says it is already current."),
+    ] = False,
+):
+    """Sync ``assets/`` to the resolved target's input directory.
+
+    Uploads go through the server's ``/upload/image`` HTTP API only — the CLI
+    never writes into a ComfyUI install's folders. Each pushed file is
+    recorded in ``.comfy/assets.lock.json`` with its sha256 and the
+    server-returned name; a file whose lock entry matches (same sha256 AND
+    same target) is skipped unless ``--force``.
+    """
+    renderer = get_renderer()
+    project = find_project()
+    if project is None:
+        renderer.error(
+            code="project_not_found",
+            message="No comfy.yaml project (schema project/1) governs this directory.",
+            hint="run: comfy project init",
+        )
+        raise typer.Exit(code=1)
+
+    try:
+        target = resolve_target(where=where)
+    except ValueError as e:
+        renderer.error(code="invalid_argument", message=str(e))
+        raise typer.Exit(code=1) from e
+    where_kind = target.kind
+
+    assets_dir = project.root / "assets"
+    lock_path = project.root / ".comfy" / "assets.lock.json"
+    lock_assets = read_assets_lock(project)
+
+    pushed: list[dict] = []
+    # Assets verified already-current on this target (lock hit). Listed in the
+    # envelope so a script can assert its files are on the server from the
+    # push result alone (pushed ∪ current) — a truthful `pushed: []` after a
+    # peer already pushed otherwise reads as failure.
+    current: list[str] = []
+    skipped = 0
+    for path, name in _iter_asset_files(assets_dir) if assets_dir.is_dir() else []:
+        sha = _sha256_file(path)
+        locked = lock_assets.get(name)
+        if not force and isinstance(locked, dict) and locked.get("sha256") == sha and locked.get("where") == where_kind:
+            skipped += 1
+            current.append(name)
+            continue
+        try:
+            result = _upload_file(path, target, overwrite=True)
+        except urllib.error.HTTPError as e:
+            renderer.error(
+                code="upload_failed",
+                message=f"Failed to push {name}: HTTP {e.code}",
+                hint="check the server is reachable (and `comfy cloud login` for cloud)",
+                details={"status": e.code, "name": name, "where": where_kind},
+            )
+            raise typer.Exit(code=1) from e
+        # `cloud_name` = the name on the push target (the server-returned
+        # name), whatever the target kind — the key project status joins on.
+        cloud_name = result.get("name", path.name)
+        size = path.stat().st_size
+        lock_assets[name] = {
+            "sha256": sha,
+            "cloud_name": cloud_name,
+            "size": size,
+            "pushed_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
+            "where": where_kind,
+        }
+        pushed.append({"name": name, "sha256": sha, "cloud_name": cloud_name, "size": size})
+
+    if pushed:
+        _write_assets_lock(lock_path, lock_assets)
+
+    if renderer.is_pretty():
+        for entry in pushed:
+            rprint(f"[green]✓[/green] pushed {entry['name']} → {entry['cloud_name']}")
+        rprint(f"[dim]{len(pushed)} pushed, {skipped} skipped ({where_kind}) → {lock_path}[/dim]")
+    renderer.emit(
+        {
+            "pushed": pushed,
+            "current": current,
+            "skipped": skipped,
+            "lock": str(lock_path),
+            "where": where_kind,
+        },
+        command="assets push",
+        changed=bool(pushed),
+    )
+
+
+def _write_assets_lock(path: Path, assets: dict) -> None:
+    """Atomically rewrite the lock (tmp + fsync + rename, the jobs_state
+    pattern) so a crash mid-push can't leave a torn JSON file."""
+    path.parent.mkdir(parents=True, exist_ok=True)
+    doc = {"schema": ASSETS_LOCK_SCHEMA, "assets": assets}
+    tmp = path.with_suffix(f".{os.getpid()}.tmp")
+    tmp.write_text(json.dumps(doc, indent=2, sort_keys=True), encoding="utf-8")
+    fd = os.open(str(tmp), os.O_RDONLY)
+    try:
+        os.fsync(fd)
+    finally:
+        os.close(fd)
+    os.replace(tmp, path)
+
+
+# ---------------------------------------------------------------------------
+# helpers
+# ---------------------------------------------------------------------------
+
+
+def _defaults(project: Project) -> dict:
+    defaults = project.config.get("defaults")
+    return defaults if isinstance(defaults, dict) else {}
+
+
+def _blueprint_names(project: Project) -> list[str]:
+    bp_dir = project.root / "blueprints"
+    if not bp_dir.is_dir():
+        return []
+    return sorted(p.name for p in bp_dir.glob("*.yaml") if p.is_file())
+
+
+def _asset_entries(project: Project) -> list[dict]:
+    """One entry per file under ``assets/`` (recursive, dotfiles skipped),
+    joined against the push lock: ``pushed`` = name present in the lock,
+    ``stale`` = pushed but the on-disk sha256 no longer matches it."""
+    assets_dir = project.root / "assets"
+    if not assets_dir.is_dir():
+        return []
+    lock = read_assets_lock(project)
+    entries: list[dict] = []
+    for path, name in _iter_asset_files(assets_dir):
+        sha = _sha256_file(path)
+        locked = lock.get(name)
+        pushed = isinstance(locked, dict)
+        stale = pushed and locked.get("sha256") != sha
+        entries.append(
+            {
+                "name": name,
+                "sha256": sha,
+                "size": path.stat().st_size,
+                "pushed": pushed,
+                "stale": stale,
+            }
+        )
+    return entries
+
+
+def _render_status_pretty(data: dict) -> None:
+    from rich.table import Table
+
+    renderer = get_renderer()
+    tbl = Table.grid(padding=(0, 2), expand=False)
+    tbl.add_column(justify="right", style="dim", no_wrap=True)
+    tbl.add_column(overflow="fold")
+    tbl.add_row("root", data["root"])
+    tbl.add_row("schema", data["schema"])
+    if data["defaults"]:
+        tbl.add_row("defaults", ", ".join(f"{k}={v}" for k, v in data["defaults"].items()))
+    tbl.add_row("blueprints", "\n".join(data["blueprints"]) or "[dim]none[/dim]")
+    if data["assets"]:
+        lines = []
+        for a in data["assets"]:
+            flag = "stale" if a["stale"] else ("pushed" if a["pushed"] else "not pushed")
+            lines.append(f"{a['name']}  [dim]({a['size']} B, {flag})[/dim]")
+        tbl.add_row("assets", "\n".join(lines))
+    else:
+        tbl.add_row("assets", "[dim]none[/dim]")
+    if data["recent_runs"]:
+        runs = [f"{r.get('ts', '?')}  {r.get('cmd', '?')}" for r in data["recent_runs"][-5:]]
+        tbl.add_row("recent runs", "\n".join(runs))
+    for w in data["warnings"]:
+        tbl.add_row("warning", f"[yellow]{w}[/yellow]")
+    renderer.console().print(tbl)
diff --git a/comfy_cli/command/run.py b/comfy_cli/command/run.py
deleted file mode 100644
index 9ccf1b84..00000000
--- a/comfy_cli/command/run.py
+++ /dev/null
@@ -1,957 +0,0 @@
-import json
-import os
-import sys
-import time
-import urllib.error
-import urllib.parse
-import uuid
-from datetime import timedelta
-from urllib import request
-
-import typer
-from rich import print as pprint
-from rich.progress import BarColumn, Column, Progress, Table, TimeElapsedColumn
-from websocket import WebSocket, WebSocketException, WebSocketTimeoutException
-
-from comfy_cli.env_checker import check_comfy_server_running
-from comfy_cli.workflow_to_api import WorkflowConversionError, convert_ui_to_api
-from comfy_cli.workspace_manager import WorkspaceManager
-
-workspace_manager = WorkspaceManager()
-
-# JSON output schema version. Bumped only for breaking changes per docs/json-output.md.
-SCHEMA_VERSION = 1
-
-# Maximum bytes of a server response body we surface to the user (or
-# embed in a `failed.error.body` field). Anything longer is truncated.
-_MAX_BODY_PREVIEW = 500
-
-
-def _node_errors_to_list(node_errors) -> list[dict]:
-    """Transform ComfyUI's dict-keyed `node_errors` payload into a list of self-contained records.
-    Each record carries `node_id` as a field, so agents can iterate the result
-    directly without indirecting through dict keys."""
-    if not isinstance(node_errors, dict):
-        return []
-    result = []
-    for node_id, record in node_errors.items():
-        if not isinstance(record, dict):
-            continue
-        entry = {"node_id": str(node_id)}
-        entry.update(record)
-        result.append(entry)
-    return result
-
-
-def is_ui_workflow(workflow) -> bool:
-    return (
-        isinstance(workflow, dict)
-        and isinstance(workflow.get("nodes"), list)
-        and isinstance(workflow.get("links"), list)
-    )
-
-
-def _classify_api_workflow(workflow):
-    """Classify a parsed JSON object as API workflow / empty / invalid.
-
-    Returns one of:
-        ("ok", workflow_dict)   — well-formed API workflow with ≥1 node
-        ("empty", None)         — empty dict (caller routes to workflow_empty)
-        ("invalid", None)       — not a dict, or first node lacks class_type
-    """
-    if not isinstance(workflow, dict):
-        return ("invalid", None)
-    if not workflow:
-        return ("empty", None)
-    first_key = next(iter(workflow))
-    node = workflow[first_key]
-    if not isinstance(node, dict) or "class_type" not in node:
-        return ("invalid", None)
-    return ("ok", workflow)
-
-
-class JsonEmitter:
-    """NDJSON event emitter for ``comfy run --json``.
-
-    Every ``emit_*`` method is a no-op when ``json_mode=False``, so the
-    same call sites work for both modes. See ``docs/json-output.md``.
-    """
-
-    def __init__(self, json_mode: bool):
-        self.json_mode = json_mode
-        self.start_time = time.monotonic()
-        self.client_id: str | None = None
-        self.prompt_id: str | None = None
-        self.workflow: dict | None = None
-        self.cached_node_ids: list[str] = []
-        self.executed_node_ids: list[str] = []
-        self.outputs: list[dict] = []
-
-    def set_workflow(self, workflow):
-        self.workflow = workflow
-
-    def set_client_id(self, client_id):
-        self.client_id = client_id
-
-    def _elapsed(self) -> float:
-        return time.monotonic() - self.start_time
-
-    def get_title(self, node_id):
-        if not isinstance(self.workflow, dict):
-            return str(node_id)
-        node = self.workflow.get(node_id)
-        if not isinstance(node, dict):
-            return str(node_id)
-        meta = node.get("_meta")
-        if isinstance(meta, dict):
-            title = meta.get("title")
-            if isinstance(title, str) and title:
-                return title
-        class_type = node.get("class_type")
-        return class_type if isinstance(class_type, str) and class_type else str(node_id)
-
-    def get_class_type(self, node_id):
-        if not isinstance(self.workflow, dict):
-            return ""
-        node = self.workflow.get(node_id)
-        if not isinstance(node, dict):
-            return ""
-        return node.get("class_type", "")
-
-    def _emit(self, event: dict) -> None:
-        if not self.json_mode:
-            return
-        line = json.dumps(event, ensure_ascii=True)
-        print(line, flush=True)
-
-    def emit_converted(self, node_count: int) -> None:
-        self._emit(
-            {
-                "event": "converted",
-                "schema_version": SCHEMA_VERSION,
-                "node_count": node_count,
-            }
-        )
-
-    def workflow_manifest(self) -> list[dict]:
-        """Build the `nodes` array for the `queued` event — one entry per
-        node in the submitted (post-conversion) workflow."""
-        if not isinstance(self.workflow, dict):
-            return []
-        manifest: list[dict] = []
-        for node_id, node in self.workflow.items():
-            if not isinstance(node, dict):
-                continue
-            class_type = node.get("class_type", "")
-            class_type = class_type if isinstance(class_type, str) else ""
-            manifest.append(
-                {
-                    "node_id": str(node_id),
-                    "class_type": class_type,
-                    "title": self.get_title(node_id),
-                }
-            )
-        return manifest
-
-    def emit_prompt_preview(self, prompt: dict) -> None:
-        self._emit(
-            {
-                "event": "prompt_preview",
-                "schema_version": SCHEMA_VERSION,
-                "prompt": prompt,
-            }
-        )
-
-    def emit_queued(self, prompt_id: str, validation_warnings: list[dict]) -> None:
-        self.prompt_id = prompt_id
-        self._emit(
-            {
-                "event": "queued",
-                "schema_version": SCHEMA_VERSION,
-                "prompt_id": prompt_id,
-                "client_id": self.client_id,
-                "validation_warnings": validation_warnings,
-                "nodes": self.workflow_manifest(),
-            }
-        )
-
-    def emit_node_cached(self, node_id) -> None:
-        node_id = str(node_id)
-        self.cached_node_ids.append(node_id)
-        self._emit(
-            {
-                "event": "node_cached",
-                "schema_version": SCHEMA_VERSION,
-                "node_id": node_id,
-                "class_type": self.get_class_type(node_id),
-                "title": self.get_title(node_id),
-            }
-        )
-
-    def emit_node_executing(self, node_id) -> None:
-        node_id = str(node_id)
-        # `executed_node_ids` aggregates everything the executor touched —
-        # including intermediate nodes that never fire a server-side `executed` WS event.
-        if node_id not in self.executed_node_ids:
-            self.executed_node_ids.append(node_id)
-        self._emit(
-            {
-                "event": "node_executing",
-                "schema_version": SCHEMA_VERSION,
-                "node_id": node_id,
-                "class_type": self.get_class_type(node_id),
-                "title": self.get_title(node_id),
-            }
-        )
-
-    def emit_node_progress(self, node_id, value, max_val) -> None:
-        node_id = str(node_id)
-        self._emit(
-            {
-                "event": "node_progress",
-                "schema_version": SCHEMA_VERSION,
-                "node_id": node_id,
-                "class_type": self.get_class_type(node_id),
-                "title": self.get_title(node_id),
-                "value": value,
-                "max": max_val,
-            }
-        )
-
-    def emit_node_executed(self, node_id, outputs: list[dict]) -> None:
-        node_id = str(node_id)
-        if node_id not in self.executed_node_ids:
-            self.executed_node_ids.append(node_id)
-        self.outputs.extend(outputs)
-        self._emit(
-            {
-                "event": "node_executed",
-                "schema_version": SCHEMA_VERSION,
-                "node_id": node_id,
-                "class_type": self.get_class_type(node_id),
-                "title": self.get_title(node_id),
-                "outputs": outputs,
-            }
-        )
-
-    def emit_completed(self) -> None:
-        self._emit(
-            {
-                "event": "completed",
-                "schema_version": SCHEMA_VERSION,
-                "prompt_id": self.prompt_id,
-                "client_id": self.client_id,
-                "elapsed_seconds": self._elapsed(),
-                "outputs": self.outputs,
-                "cached_node_ids": self.cached_node_ids,
-                "executed_node_ids": self.executed_node_ids,
-            }
-        )
-
-    def fail(self, kind: str, message: str, *, rich_message: str | None = None, **extras) -> typer.Exit:
-        """Emit a `failed` event (in JSON mode) or print a red text message
-        (otherwise), then return the `typer.Exit(code=1)` for the caller to
-        raise. Returning rather than raising keeps `raise ... from e`
-        chaining clean at call sites. `rich_message` overrides `message`
-        for the human-readable text only — it is auto-wrapped in
-        `[bold red]...[/bold red]`. Sites that need multi-colour Rich
-        markup should emit the failure event explicitly."""
-        self.emit_failed(kind, message, **extras)
-        if not self.json_mode:
-            pprint(f"[bold red]{rich_message if rich_message is not None else message}[/bold red]")
-        return typer.Exit(code=1)
-
-    def emit_failed(self, kind: str, message: str, **extras) -> None:
-        error = {"kind": kind, "message": message}
-        error.update(extras)
-        self._emit(
-            {
-                "event": "failed",
-                "schema_version": SCHEMA_VERSION,
-                "prompt_id": self.prompt_id,
-                "client_id": self.client_id,
-                "elapsed_seconds": self._elapsed(),
-                "error": error,
-            }
-        )
-
-
-def fetch_object_info(host, port, timeout, emitter=None):
-    """GET ``/object_info`` from the running ComfyUI server.
-
-    The response describes every loaded node class's input schema and is what
-    the converter uses to map widget values to input names, fill defaults, etc.
-
-    In JSON mode, failures emit a structured ``failed`` event via ``emitter``.
-    Either way, a ``typer.Exit(code=1)`` is raised.
-    """
-    url = f"http://{host}:{port}/object_info"
-    json_mode = bool(emitter and emitter.json_mode)
-    try:
-        with request.urlopen(url, timeout=timeout) as resp:
-            body = resp.read()
-    except urllib.error.HTTPError as e:
-        body_text = e.read().decode("utf-8", errors="replace").strip()
-        if json_mode:
-            emitter.emit_failed(
-                "object_info_unavailable",
-                f"Failed to fetch /object_info (HTTP {e.code})",
-                status_code=e.code,
-                body=body_text[:_MAX_BODY_PREVIEW],
-            )
-        else:
-            pprint(
-                f"[bold red]Failed to fetch /object_info (HTTP {e.code}): {body_text[:_MAX_BODY_PREVIEW]}[/bold red]"
-            )
-        raise typer.Exit(code=1) from e
-    except urllib.error.URLError as e:
-        msg = f"Failed to fetch /object_info from {host}:{port}: {e.reason} (override with --host / --port)"
-        if json_mode:
-            emitter.emit_failed("connection_error", msg)
-        else:
-            pprint(f"[bold red]{msg}[/bold red]")
-        raise typer.Exit(code=1) from e
-    except TimeoutError as e:
-        msg = f"Failed to fetch /object_info from {host}:{port}: timed out after {timeout}s (override with --host / --port)"
-        if json_mode:
-            emitter.emit_failed("connection_error", msg)
-        else:
-            pprint(f"[bold red]{msg}[/bold red]")
-        raise typer.Exit(code=1) from e
-    try:
-        return json.loads(body)
-    except json.JSONDecodeError as e:
-        if json_mode:
-            emitter.emit_failed(
-                "object_info_unavailable",
-                "Server returned invalid JSON for /object_info",
-                status_code=200,
-                body=body.decode("utf-8", errors="replace")[:_MAX_BODY_PREVIEW],
-            )
-        else:
-            pprint("[bold red]Failed to fetch /object_info: server returned invalid JSON[/bold red]")
-        raise typer.Exit(code=1) from e
-
-
-def execute(
-    workflow: str,
-    host,
-    port,
-    wait=True,
-    verbose=False,
-    timeout=120,
-    api_key: str | None = None,
-    json_mode: bool = False,
-    print_prompt: bool = False,
-):
-    # `0.0.0.0` is a wildcard bind, not a connect address. macOS / Windows
-    # clients can't reach it; on Linux it happens to resolve to a loopback.
-    # Substitute the canonical loopback so every downstream use (server
-    # probe, /prompt POST, emitted /view URLs) is portable.
-    if host == "0.0.0.0":
-        host = "127.0.0.1"
-
-    emitter = JsonEmitter(json_mode=json_mode)
-    workflow_name = os.path.abspath(os.path.expanduser(workflow))
-
-    if not os.path.isfile(workflow_name):
-        if json_mode:
-            emitter.emit_failed("workflow_not_found", f"Workflow file not found: {workflow_name}")
-        else:
-            pprint(
-                f"[bold red]Specified workflow file not found: {workflow_name}[/bold red]",
-                file=sys.stderr,
-            )
-        raise typer.Exit(code=1)
-
-    # Under --print-prompt we skip this pre-flight probe. API-format input
-    # makes no server calls downstream so it works fully offline; UI-format
-    # input still needs /object_info for the converter, but if it's
-    # unreachable, fetch_object_info() surfaces the same connection_error
-    # kind a few lines later.
-    if not print_prompt and not check_comfy_server_running(port, host, timeout=timeout):
-        raise emitter.fail(
-            "connection_error",
-            f"ComfyUI not running at {host}:{port} (override with --host / --port)",
-        )
-
-    try:
-        with open(workflow_name, encoding="utf-8") as f:
-            raw_workflow = json.load(f)
-    except (OSError, UnicodeDecodeError) as e:
-        raise emitter.fail("workflow_read_error", f"Unable to read workflow file: {e}") from e
-    except json.JSONDecodeError as e:
-        raise emitter.fail(
-            "workflow_invalid_json",
-            f"Specified workflow file is not valid JSON: {e}",
-        ) from e
-
-    if is_ui_workflow(raw_workflow):
-        if not json_mode:
-            pprint("[yellow]Detected UI-format workflow, converting to API format...[/yellow]")
-        object_info = fetch_object_info(host, port, timeout, emitter=emitter)
-        try:
-            workflow = convert_ui_to_api(raw_workflow, object_info)
-        except WorkflowConversionError as e:
-            raise emitter.fail("conversion_error", f"Workflow conversion failed: {e}") from e
-        except Exception as e:
-            if json_mode:
-                emitter.emit_failed(
-                    "conversion_crash",
-                    f"Workflow conversion crashed unexpectedly: {type(e).__name__}: {e}",
-                    exception_type=type(e).__name__,
-                )
-            else:
-                pprint(
-                    f"[bold red]Workflow conversion crashed unexpectedly: {type(e).__name__}: {e}[/bold red]\n"
-                    "[yellow]The UI-to-API converter is experimental. Please report this at[/yellow]\n"
-                    "[yellow]  https://github.com/Comfy-Org/comfy-cli/issues[/yellow]\n"
-                    "[yellow]and attach the workflow file if possible.[/yellow]"
-                )
-                if verbose:
-                    import traceback as _tb
-
-                    _tb.print_exc()
-            raise typer.Exit(code=1) from e
-        if not workflow:
-            raise emitter.fail("workflow_empty", "Workflow conversion produced no executable nodes")
-        emitter.set_workflow(workflow)
-        if json_mode:
-            emitter.emit_converted(len(workflow))
-    else:
-        kind, validated = _classify_api_workflow(raw_workflow)
-        if kind == "empty":
-            raise emitter.fail(
-                "workflow_empty",
-                "API workflow contains no nodes",
-                rich_message="Specified API workflow has no nodes",
-            )
-        if kind == "invalid":
-            raise emitter.fail(
-                "workflow_format_invalid",
-                "Workflow file is neither a ComfyUI API workflow nor an exported UI workflow",
-                rich_message=("Specified workflow is neither a ComfyUI API workflow nor an exported UI workflow"),
-            )
-        workflow = validated
-        emitter.set_workflow(workflow)
-
-    # In JSON mode, always emit the converted workflow graph so agents have
-    # a complete audit trail of what the CLI is about to submit. The event
-    # is non-terminal in normal flow and terminal under --print-prompt.
-    if json_mode:
-        emitter.emit_prompt_preview(workflow)
-
-    if print_prompt:
-        if not json_mode:
-            print(json.dumps(workflow, indent=2, ensure_ascii=False))
-        return
-
-    progress = None
-    start = time.time()
-    if wait and not json_mode:
-        pprint(f"Executing workflow: {workflow_name}")
-        progress = ExecutionProgress()
-        progress.start()
-    elif not wait and not json_mode:
-        print(f"Queuing workflow: {workflow_name}")
-
-    execution = WorkflowExecution(
-        workflow,
-        host,
-        port,
-        verbose,
-        progress,
-        timeout,
-        api_key=api_key,
-        emitter=emitter,
-    )
-    emitter.set_client_id(execution.client_id)
-
-    try:
-        if wait:
-            execution.connect()
-        execution.queue()
-        if wait:
-            execution.watch_execution()
-            end = time.time()
-            if progress is not None:
-                progress.stop()
-                progress = None
-
-            if json_mode:
-                emitter.emit_completed()
-            else:
-                if len(execution.outputs) > 0:
-                    pprint("[bold green]\nOutputs:[/bold green]")
-                    for f in execution.outputs:
-                        pprint(f)
-                elapsed = timedelta(seconds=end - start)
-                pprint(f"[bold green]\nWorkflow execution completed ({elapsed})[/bold green]")
-        else:
-            # --no-wait: queued was already emitted by execution.queue().
-            if not json_mode:
-                pprint("[bold green]Workflow queued[/bold green]")
-    except WebSocketTimeoutException:
-        # Not migrated to emitter.fail(): the text-mode message combines
-        # a red error line and a yellow remediation hint, which the
-        # single-colour auto-wrap in fail() can't express.
-        msg = f"WebSocket timed out after {timeout}s waiting for server response"
-        if json_mode:
-            emitter.emit_failed("timeout", msg, timeout_seconds=float(timeout))
-        else:
-            pprint(
-                f"[bold red]Error: {msg}.[/bold red]\n"
-                "[yellow]For long-running workflows, increase the timeout: comfy run --workflow <file> --timeout 300[/yellow]"
-            )
-        raise typer.Exit(code=1)
-    except (WebSocketException, ConnectionError, OSError) as e:
-        raise emitter.fail(
-            "connection_lost",
-            f"Lost connection to ComfyUI server: {e}",
-            rich_message=f"Error: Lost connection to ComfyUI server: {e}",
-        )
-    except KeyboardInterrupt:
-        raise emitter.fail("execution_interrupted", "Interrupted by user") from None
-    finally:
-        if progress is not None:
-            progress.stop()
-
-
-class ExecutionProgress(Progress):
-    def get_renderables(self):
-        table_columns = (
-            (Column(no_wrap=True) if isinstance(_column, str) else _column.get_table_column().copy())
-            for _column in self.columns
-        )
-
-        for task in self.tasks:
-            percent = "[progress.percentage]{task.percentage:>3.0f}%".format(task=task)  # noqa
-            if task.fields.get("progress_type") == "overall":
-                overall_table = Table.grid(*table_columns, padding=(0, 1), expand=self.expand)
-                overall_table.add_row(BarColumn().render(task), percent, TimeElapsedColumn().render(task))
-                yield overall_table
-            else:
-                yield self.make_tasks_table([task])
-
-
-class WorkflowExecution:
-    def __init__(
-        self,
-        workflow,
-        host,
-        port,
-        verbose,
-        progress,
-        timeout=120,
-        api_key: str | None = None,
-        emitter: JsonEmitter | None = None,
-    ):
-        self.workflow = workflow
-        self.host = host
-        self.port = port
-        self.verbose = verbose
-        self.client_id = str(uuid.uuid4())
-        self.outputs: list = []
-        self.progress = progress
-        self.remaining_nodes = set(self.workflow.keys())
-        self.total_nodes = len(self.remaining_nodes)
-        if progress is not None:
-            self.overall_task = self.progress.add_task("", total=self.total_nodes, progress_type="overall")
-        self.current_node = None
-        self.progress_task = None
-        self.progress_node = None
-        self.prompt_id = None
-        self.ws = None
-        self.timeout = timeout
-        self.api_key = api_key
-        # Default to a no-op emitter so internal call sites don't need to
-        # branch on whether json mode is active.
-        self.emitter = emitter if emitter is not None else JsonEmitter(json_mode=False)
-
-    def connect(self):
-        self.ws = WebSocket()
-        # Timeout on the handshake too: a server busy loading a model
-        # can otherwise leave the CLI hung with no terminal event.
-        self.ws.connect(
-            f"ws://{self.host}:{self.port}/ws?clientId={self.client_id}",
-            timeout=self.timeout,
-        )
-
-    def queue(self):
-        data: dict = {"prompt": self.workflow, "client_id": self.client_id}
-        data["extra_data"] = {"comfy_usage_source": "comfy-cli"}
-        if self.api_key:
-            data["extra_data"]["api_key_comfy_org"] = self.api_key
-        req = request.Request(
-            f"http://{self.host}:{self.port}/prompt",
-            json.dumps(data).encode("utf-8"),
-        )
-        req.add_header("Comfy-Usage-Source", "comfy-cli")
-        try:
-            resp = request.urlopen(req, timeout=self.timeout)
-            raw_body = resp.read()
-        except urllib.error.HTTPError as e:
-            self._handle_submit_http_error(e)
-            raise typer.Exit(code=1) from e
-        except urllib.error.URLError as e:
-            self._stop_progress()
-            raise self.emitter.fail(
-                "connection_error",
-                f"Cannot reach server at {self.host}:{self.port}: {e.reason}",
-            ) from e
-        except TimeoutError as e:
-            self._stop_progress()
-            raise self.emitter.fail(
-                "connection_error",
-                f"Connection to {self.host}:{self.port} timed out: {e}",
-            ) from e
-        except OSError as e:
-            self._stop_progress()
-            raise self.emitter.fail(
-                "connection_error",
-                f"Network error contacting {self.host}:{self.port}: {e}",
-            ) from e
-
-        try:
-            body = json.loads(raw_body) if raw_body else None
-        except (json.JSONDecodeError, UnicodeDecodeError) as e:
-            self._stop_progress()
-            body_str = raw_body.decode("utf-8", errors="replace")[:_MAX_BODY_PREVIEW]
-            raise self.emitter.fail(
-                "invalid_response",
-                "Server returned HTTP 200 with unparseable body",
-                rich_message=f"Server returned HTTP 200 with unparseable body: {body_str}",
-                status_code=200,
-                body=body_str,
-            ) from e
-
-        prompt_id = body.get("prompt_id") if isinstance(body, dict) else None
-        if not isinstance(prompt_id, str) or not prompt_id:
-            self._stop_progress()
-            body_str = json.dumps(body)[:_MAX_BODY_PREVIEW] if body is not None else ""
-            raise self.emitter.fail(
-                "invalid_response",
-                "Server returned HTTP 200 without a prompt_id",
-                rich_message=f"Server returned HTTP 200 without a prompt_id: {body_str}",
-                status_code=200,
-                body=body_str,
-            )
-
-        self.prompt_id = prompt_id
-
-        # 200 may still carry node_errors if some output chains failed
-        # validation but others passed — surface as warnings, not a failure.
-        node_errors = body.get("node_errors") if isinstance(body, dict) else None
-        validation_warnings = _node_errors_to_list(node_errors)
-
-        if self.emitter.json_mode:
-            self.emitter.emit_queued(prompt_id, validation_warnings)
-
-    def _handle_submit_http_error(self, e: urllib.error.HTTPError) -> None:
-        raw = b""
-        try:
-            raw = e.read()
-        except Exception:
-            pass
-        try:
-            body = json.loads(raw) if raw else None
-        except (json.JSONDecodeError, UnicodeDecodeError):
-            body = None
-        body_str = (raw or b"").decode("utf-8", errors="replace")
-        self._stop_progress()
-
-        code = e.code
-        if code == 400 and isinstance(body, dict) and isinstance(body.get("node_errors"), dict) and body["node_errors"]:
-            self._emit_validation_error(body["node_errors"])
-            return
-        if 400 <= code < 500:
-            kind = "client_error"
-        elif 500 <= code < 600:
-            kind = "server_error"
-        else:
-            kind = "client_error"
-
-        if self.emitter.json_mode:
-            self.emitter.emit_failed(
-                kind,
-                f"Server returned HTTP {code}",
-                status_code=code,
-                body=body_str[:_MAX_BODY_PREVIEW],
-            )
-        else:
-            if code == 500:
-                pprint(f"[bold red]Error running workflow\n{body_str}[/bold red]")
-            elif code == 400 and isinstance(body, dict):
-                pprint(f"[bold red]Error running workflow\n{json.dumps(body, indent=2)}[/bold red]")
-            else:
-                pprint(f"[bold red]Error running workflow (HTTP {code})\n{body_str[:_MAX_BODY_PREVIEW]}[/bold red]")
-
-    def _emit_validation_error(self, node_errors: dict) -> None:
-        if self.emitter.json_mode:
-            message = "Workflow failed validation"
-            try:
-                first_node = next(iter(node_errors.values()))
-                errs = first_node.get("errors") if isinstance(first_node, dict) else None
-                if isinstance(errs, list) and errs:
-                    first = errs[0]
-                    if isinstance(first, dict) and isinstance(first.get("message"), str):
-                        message = first["message"]
-            except StopIteration:
-                pass
-            self.emitter.emit_failed(
-                "validation_error",
-                message,
-                node_errors=_node_errors_to_list(node_errors),
-            )
-        else:
-            pprint(f"[bold red]Error running workflow\n{json.dumps(node_errors, indent=2)}[/bold red]")
-
-    def _stop_progress(self) -> None:
-        if self.progress is not None:
-            try:
-                self.progress.stop()
-            except Exception:
-                pass
-
-    def watch_execution(self):
-        self.ws.settimeout(self.timeout)
-        while True:
-            message = self.ws.recv()
-            if not isinstance(message, str):
-                continue
-            try:
-                parsed = json.loads(message)
-            except json.JSONDecodeError:
-                # Tolerate malformed frames from misbehaving proxies.
-                continue
-            if not self.on_message(parsed):
-                break
-
-    def update_overall_progress(self):
-        if self.progress is None:
-            return
-        self.progress.update(self.overall_task, completed=self.total_nodes - len(self.remaining_nodes))
-
-    def log_node(self, type, node_id):
-        if not self.verbose:
-            return
-        if self.emitter.json_mode:
-            # --verbose is a no-op in JSON mode; Rich output would corrupt the stream.
-            return
-
-        node = self.workflow.get(node_id)
-        if node is None:
-            pprint(f"{type} : [bright_black]({node_id})[/]")
-            return
-        class_type = node["class_type"]
-        title = self.emitter.get_title(node_id)
-
-        if title != class_type:
-            title += f"[bright_black] - {class_type}[/]"
-        title += f"[bright_black] ({node_id})[/]"
-
-        pprint(f"{type} : {title}")
-
-    def format_image_path(self, img):
-        """Build a single human-readable path string for the legacy text
-        output. Prefers a clickable absolute filesystem path when the
-        host is a known loopback, the workspace resolves, the path stays
-        inside the workspace's per-type output dir, and the file exists
-        on disk. Otherwise falls back to a /view URL."""
-        filename = img["filename"]
-        subfolder = img.get("subfolder") or ""
-        output_type = img.get("type") or "output"
-
-        if self.host in ("127.0.0.1", "localhost", "::1", "[::1]"):
-            ws_path = self._text_mode_workspace_path()
-            if ws_path:
-                parts = [subfolder, filename] if subfolder else [filename]
-                type_root = os.path.normpath(os.path.join(ws_path, output_type))
-                candidate = os.path.normpath(os.path.join(type_root, *parts))
-                if (candidate == type_root or candidate.startswith(type_root + os.sep)) and os.path.isfile(candidate):
-                    return candidate
-
-        return self._view_url(filename, subfolder, output_type)
-
-    def _view_url(self, filename: str, subfolder: str, file_type: str) -> str:
-        params = {"filename": filename, "subfolder": subfolder, "type": file_type}
-        return f"http://{self.host}:{self.port}/view?{urllib.parse.urlencode(params)}"
-
-    def _text_mode_workspace_path(self) -> str | None:
-        # workspace_manager.get_workspace_path() can print a warning and
-        # write config on the stale-recent path. Memoize so a workflow
-        # with N outputs doesn't repeat the side effects N times.
-        if not hasattr(self, "_ws_path_cached"):
-            try:
-                self._ws_path_cached = workspace_manager.get_workspace_path()[0]
-            except Exception:
-                self._ws_path_cached = None
-        return self._ws_path_cached
-
-    def _build_output_object(self, node_id, category, item) -> dict:
-        """Construct a structured Output dict for the JSON contract."""
-        node_id = str(node_id)
-        filename = item["filename"]
-        subfolder = item.get("subfolder") or ""
-        file_type = item.get("type") or "output"
-
-        return {
-            "category": category,
-            "node_id": node_id,
-            "class_type": self.emitter.get_class_type(node_id),
-            "title": self.emitter.get_title(node_id),
-            "filename": filename,
-            "subfolder": subfolder,
-            "type": file_type,
-            "url": self._view_url(filename, subfolder, file_type),
-        }
-
-    def on_message(self, message):
-        # Defensive: a malformed (non-object) JSON frame from the server
-        # must not raise out of the recv loop — that would tear down the
-        # run without a terminal `failed` event and break the contract.
-        if not isinstance(message, dict):
-            return True
-        data = message.get("data")
-        if not isinstance(data, dict):
-            return True
-        if data.get("prompt_id") != self.prompt_id:
-            return True
-
-        msg_type = message.get("type")
-        if msg_type == "executing":
-            return self.on_executing(data)
-        elif msg_type == "execution_cached":
-            self.on_cached(data)
-        elif msg_type == "progress":
-            self.on_progress(data)
-        elif msg_type == "executed":
-            self.on_executed(data)
-        elif msg_type == "execution_error":
-            self.on_error(data)
-        elif msg_type == "execution_interrupted":
-            self.on_interrupted(data)
-
-        return True
-
-    def on_executing(self, data):
-        if self.progress_task is not None and self.progress is not None:
-            self.progress.remove_task(self.progress_task)
-            self.progress_task = None
-
-        # `node: null` is the documented "execution done" signal. A
-        # missing key is a protocol violation — skip the frame and keep
-        # listening rather than prematurely terminating.
-        if "node" not in data:
-            return True
-        if data["node"] is None:
-            return False
-
-        node_id = data["node"]
-        if self.current_node:
-            self.remaining_nodes.discard(self.current_node)
-            self.update_overall_progress()
-        self.current_node = node_id
-        self.log_node("Executing", node_id)
-        if self.emitter.json_mode:
-            self.emitter.emit_node_executing(node_id)
-        return True
-
-    def on_cached(self, data):
-        nodes = data.get("nodes") or []
-        for n in nodes:
-            if n is None:
-                continue
-            self.remaining_nodes.discard(n)
-            self.log_node("Cached", n)
-            if self.emitter.json_mode:
-                self.emitter.emit_node_cached(n)
-        self.update_overall_progress()
-
-    def on_progress(self, data):
-        node = data.get("node")
-        if node is None:
-            return
-        value = data.get("value", 0)
-        max_val = data.get("max", 0)
-        if self.progress is not None:
-            if self.progress_node != node:
-                self.progress_node = node
-                if self.progress_task is not None:
-                    self.progress.remove_task(self.progress_task)
-                self.progress_task = self.progress.add_task(
-                    self.emitter.get_title(node), total=max_val, progress_type="node"
-                )
-            self.progress.update(self.progress_task, completed=value)
-        if self.emitter.json_mode:
-            self.emitter.emit_node_progress(node, value, max_val)
-
-    def on_executed(self, data):
-        node_id = data.get("node")
-        if node_id is None:
-            return
-        self.remaining_nodes.discard(node_id)
-        self.update_overall_progress()
-
-        # node_executed fires whenever the server emits `executed`, even
-        # when there are no file-shaped outputs (outputs=[] in that case).
-        structured_outputs: list[dict] = []
-        output = data.get("output")
-        if isinstance(output, dict):
-            for category, items in output.items():
-                if not isinstance(items, list):
-                    continue
-                for item in items:
-                    if not isinstance(item, dict) or "filename" not in item:
-                        continue
-                    obj = self._build_output_object(node_id, category, item)
-                    structured_outputs.append(obj)
-                    if not self.emitter.json_mode:
-                        # Legacy string list, only consumed by the Rich path.
-                        self.outputs.append(self.format_image_path(item))
-
-        if self.emitter.json_mode:
-            self.emitter.emit_node_executed(node_id, structured_outputs)
-
-    def on_error(self, data):
-        raw_node_id = data.get("node_id", "")
-        node_id = str(raw_node_id) if raw_node_id is not None else ""
-        class_type = data.get("node_type") or data.get("class_type") or ""
-        exception_type = data.get("exception_type", "")
-        raw_tb = data.get("traceback", "")
-        if isinstance(raw_tb, list):
-            traceback_str = "".join(str(x) for x in raw_tb)
-        elif isinstance(raw_tb, str):
-            traceback_str = raw_tb
-        else:
-            traceback_str = ""
-        message = data.get("exception_message") or "Workflow execution failed"
-
-        self._stop_progress()
-        if self.emitter.json_mode:
-            title = self.emitter.get_title(node_id) if node_id else ""
-            if not class_type and node_id:
-                class_type = self.emitter.get_class_type(node_id)
-            self.emitter.emit_failed(
-                "execution_error",
-                message,
-                node_id=node_id,
-                class_type=class_type,
-                title=title,
-                exception_type=exception_type,
-                traceback=traceback_str,
-            )
-        else:
-            pprint(f"[bold red]Error running workflow\n{json.dumps(data, indent=2)}[/bold red]")
-        raise typer.Exit(code=1)
-
-    def on_interrupted(self, data):
-        self._stop_progress()
-        if self.emitter.json_mode:
-            self.emitter.emit_failed(
-                "execution_interrupted",
-                "Workflow execution was interrupted",
-            )
-        else:
-            pprint("[yellow]Workflow execution was interrupted[/yellow]")
-        raise typer.Exit(code=1)
diff --git a/comfy_cli/command/run/__init__.py b/comfy_cli/command/run/__init__.py
new file mode 100644
index 00000000..e4c73950
--- /dev/null
+++ b/comfy_cli/command/run/__init__.py
@@ -0,0 +1,824 @@
+"""``comfy run`` — submit workflows to local or cloud.
+
+This module is the public surface (``execute``, ``execute_cloud``) plus a
+re-export hub for the helpers used by tests via
+``patch("comfy_cli.command.run.X")``. The implementation lives in the
+sibling submodules; nothing else should import from those directly so the
+patch surface stays stable.
+"""
+
+import json
+import time
+import uuid
+from datetime import timedelta
+from urllib import request  # noqa: F401 — patch target for tests (run.request.urlopen)
+
+import typer
+from websocket import (  # noqa: F401 — patch target for tests (run.WebSocket)
+    WebSocket,
+    WebSocketException,
+    WebSocketTimeoutException,
+)
+
+from comfy_cli import cancellation, execution_errors, jobs_state
+
+# Re-exports — names patched by tests live at this namespace.
+from comfy_cli.command.run.credentials import _resolve_partner_credential as _resolve_partner_credential
+from comfy_cli.command.run.execution import ExecutionProgress as ExecutionProgress
+from comfy_cli.command.run.execution import WorkflowExecution as WorkflowExecution
+from comfy_cli.command.run.execution import _safe_close as _safe_close
+from comfy_cli.command.run.loader import _MAX_BODY_PREVIEW as _MAX_BODY_PREVIEW
+from comfy_cli.command.run.loader import WorkflowLoadError as WorkflowLoadError
+from comfy_cli.command.run.loader import _classify_api_workflow as _classify_api_workflow
+from comfy_cli.command.run.loader import _load_workflow_file as _load_workflow_file
+from comfy_cli.command.run.loader import _node_errors_to_list as _node_errors_to_list
+from comfy_cli.command.run.loader import is_ui_workflow as is_ui_workflow
+from comfy_cli.command.run.loader import pop_compose_meta as pop_compose_meta
+from comfy_cli.command.run.preflight import PARTNER_NODE_CATEGORY_PREFIXES as PARTNER_NODE_CATEGORY_PREFIXES
+from comfy_cli.command.run.preflight import _detect_partner_nodes as _detect_partner_nodes
+from comfy_cli.command.run.preflight import _fetch_object_info as _fetch_object_info
+from comfy_cli.command.run.preflight import _preflight_validate as _preflight_validate
+from comfy_cli.command.run.preflight import fetch_object_info as fetch_object_info
+from comfy_cli.command.run.watcher import _spawn_watcher as _spawn_watcher
+from comfy_cli.command.run.watcher import _tail_state_file as _tail_state_file
+from comfy_cli.env_checker import check_comfy_server_running
+from comfy_cli.output import get_renderer
+from comfy_cli.output import rprint as pprint
+from comfy_cli.workflow_to_api import WorkflowConversionError, convert_ui_to_api
+from comfy_cli.workspace_manager import WorkspaceManager
+
+workspace_manager = WorkspaceManager()
+
+
+# Mapping from the deleted legacy `comfy run --json` dialect (JsonEmitter,
+# `{"event": …, "error": {"kind": …}}`) to the renderer dialect
+# (`{"schema": "event/1", "type": …}` events + final `type: "envelope"` line).
+#
+#   legacy event       → renderer event (type)
+#   ------------------   ------------------------------------------------------
+#   converted          → converted        {node_count}
+#   prompt_preview     → prompt_preview   {prompt}
+#   queued             → queued           {prompt_id, client_id,
+#                                          validation_warnings, nodes}
+#   node_executing     → executing        {node, class_type, title, prompt_id}
+#   node_cached        → execution_cached {node, class_type, title, prompt_id}
+#   node_progress      → progress         {node, completed, total, prompt_id}
+#   node_executed      → executed         {node, class_type, title, outputs,
+#                                          prompt_id} (+ one `output` {url}
+#                                          event per file output)
+#   completed          → envelope ok=true {data.prompt_id, data.outputs,
+#                                          data.cached_node_ids,
+#                                          data.executed_node_ids, …}
+#   failed             → envelope ok=false {error.code, error.message,
+#                                           error.hint, error.details}
+#
+#   legacy error.kind            → registered error.code      exit
+#   ---------------------------   -------------------------   ----
+#   workflow_not_found           → workflow_not_found          1
+#   workflow_invalid_json        → workflow_invalid_json       1
+#   workflow_read_error          → workflow_read_error         1
+#   workflow_format_invalid      → workflow_not_api_format     1
+#   workflow_empty               → workflow_empty              1
+#   conversion_error             → conversion_error            1
+#   conversion_crash             → conversion_crash            1
+#   connection_error (probe)     → server_not_running          1
+#   connection_error (network)   → connection_error            1
+#   object_info_unavailable      → object_info_unavailable     1
+#   validation_error             → prompt_rejected             1
+#   client_error                 → client_error                1
+#   server_error                 → server_error                1
+#   invalid_response             → invalid_response            1
+#   timeout                      → ws_timeout                  1
+#   connection_lost              → ws_disconnected             1
+#   execution_interrupted        → cancelled                   130
+#   execution_error              → execution_error             1
+def execute(
+    workflow: str,
+    host,
+    port,
+    *,
+    wait: bool = False,
+    verbose: bool = False,
+    local_paths: bool = False,
+    timeout: int = 30,
+    notify: bool = False,
+    api_key: str | None = None,
+    print_prompt: bool = False,
+):
+    # `0.0.0.0` is a wildcard bind, not a connect address. macOS / Windows
+    # clients can't reach it; on Linux it happens to resolve to a loopback.
+    # Substitute the canonical loopback so every downstream use (server
+    # probe, /prompt POST, emitted /view URLs) is portable.
+    if host == "0.0.0.0":
+        host = "127.0.0.1"
+
+    # Reject hosts with URL-special chars that could cause injection in
+    # f"http://{host}:{port}/..." URL construction.
+    _unsafe = frozenset("/@?#")
+    if any(c in host for c in _unsafe):
+        raise typer.BadParameter(f"invalid host: {host!r}")
+
+    renderer = get_renderer()
+
+    try:
+        raw_workflow, workflow_name, is_ui = _load_workflow_file(workflow)
+    except WorkflowLoadError as e:
+        renderer.error(code=e.code, message=str(e), hint=e.hint)
+        raise typer.Exit(code=1) from e
+
+    if not print_prompt and not check_comfy_server_running(port, host, timeout=timeout):
+        renderer.error(
+            code="server_not_running",
+            message=f"ComfyUI not running on specified address ({host}:{port})",
+            hint="run: comfy launch",
+            details={"host": host, "port": port},
+        )
+        raise typer.Exit(code=1)
+
+    compose_meta: dict | None = None
+    if is_ui:
+        if renderer.is_pretty():
+            pprint("[yellow]Detected UI-format workflow, converting to API format...[/yellow]")
+        object_info = fetch_object_info(host, port, timeout)
+        try:
+            workflow = convert_ui_to_api(raw_workflow, object_info)
+        except WorkflowConversionError as e:
+            renderer.error(
+                code="conversion_error",
+                message=f"Workflow conversion failed: {e}",
+                hint="use ComfyUI's 'File > Export (API)' to save as API format",
+            )
+            raise typer.Exit(code=1) from e
+        except Exception as e:
+            renderer.error(
+                code="conversion_crash",
+                message=f"Workflow conversion crashed unexpectedly: {type(e).__name__}: {e}",
+                hint="report this at https://github.com/Comfy-Org/comfy-cli/issues",
+                details={"exception_type": type(e).__name__},
+            )
+            raise typer.Exit(code=1) from e
+        if not workflow:
+            renderer.error(
+                code="workflow_empty",
+                message="Workflow conversion produced no executable nodes",
+            )
+            raise typer.Exit(code=1)
+        renderer.event("converted", node_count=len(workflow))
+    else:
+        kind, validated = _classify_api_workflow(raw_workflow)
+        if kind == "empty":
+            renderer.error(
+                code="workflow_empty",
+                message="API workflow contains no nodes",
+            )
+            raise typer.Exit(code=1)
+        if kind == "invalid":
+            renderer.error(
+                code="workflow_not_api_format",
+                message="Specified workflow does not appear to be an API workflow json file",
+                hint="use 'File > Export (API)' in the ComfyUI frontend",
+            )
+            raise typer.Exit(code=1)
+        workflow = validated
+        # Strip the compose/1 provenance block before preflight + submit; the
+        # server would reject (or warn on) a top-level non-node key. Keep its
+        # foreach item map to stash on the job state at submit time.
+        compose_meta = pop_compose_meta(workflow)
+
+    # Stream mode: emit the workflow graph so agents have a complete audit
+    # trail of what the CLI is about to submit (no-op otherwise).
+    renderer.event("prompt_preview", prompt=workflow)
+
+    # --print-prompt: emit/print the workflow and exit without submitting.
+    if print_prompt:
+        if renderer.is_pretty():
+            print(json.dumps(workflow, indent=2, ensure_ascii=False))
+        else:
+            renderer.emit(
+                {"workflow": workflow_name, "status": "preview", "prompt": workflow},
+                command="run",
+                where="local",
+            )
+        return
+
+    # Partner-API node preflight. Reject up-front when the workflow
+    # depends on a partner node (Veo/Kling/BFL/Gemini/…) and we have no
+    # credential to inject. If we DO have a credential, plumb it into
+    # extra_data so the partner node finds it server-side — same shape
+    # the cloud submit path uses.
+    object_info = _fetch_object_info(host, port)
+    partner_nodes = _detect_partner_nodes(workflow, object_info)
+    extra_data: dict | None = None
+    if api_key:
+        extra_data = {"api_key_comfy_org": api_key}
+    if partner_nodes:
+        cred = _resolve_partner_credential()
+        if cred is None and not extra_data:
+            msg = (
+                "Workflow uses partner-API node(s) that need an `api_key_comfy_org` "
+                "credential the local server doesn't have: " + ", ".join(partner_nodes) + "."
+            )
+            renderer.error(
+                code="partner_node_requires_credential",
+                message=msg,
+                hint=(
+                    "re-submit with `--where cloud` (the CLI auto-injects the key there), "
+                    "or store the key locally with `comfy auth set comfy-cloud-api-key --key …`"
+                ),
+                details={
+                    "partner_nodes": partner_nodes,
+                    "host": host,
+                    "port": port,
+                },
+            )
+            raise typer.Exit(code=1)
+        elif cred is not None and not extra_data:
+            extra_data = {cred[0]: cred[1]}
+
+    # Pre-submit validation via pure-Python CQL engine (checks class_types + input shapes).
+    _preflight_validate(renderer, workflow, object_info, target_label="server")
+
+    progress = None
+    start = time.time()
+    if wait and renderer.is_pretty():
+        pprint(f"[dim]▸[/dim] Executing [cyan]{workflow_name}[/cyan]")
+        progress = ExecutionProgress()
+        progress.start()
+
+    execution = WorkflowExecution(
+        workflow,
+        host,
+        port,
+        verbose,
+        progress,
+        local_paths,
+        timeout,
+        extra_data=extra_data,
+    )
+    # Wire SIGINT → close the WebSocket so the loop exits promptly.
+    token = cancellation.get_token()
+    token.on_cancel(lambda: _safe_close(execution))
+
+    try:
+        if wait:
+            execution.connect()
+        # Pretty + async: a brief spinner while the submit POST is in flight.
+        # Falls through cleanly in machine modes (no rendering at all).
+        if not wait and renderer.is_pretty():
+            with renderer.console().status("[cyan]Submitting workflow…", spinner="dots"):
+                execution.queue()
+        else:
+            execution.queue()
+        _journal_run(workflow_name, execution.prompt_id, "local")
+        if wait:
+            execution.watch_execution()
+            end = time.time()
+            if progress is not None:
+                progress.stop()
+                progress = None
+
+            if token.is_set():
+                renderer.error(
+                    code="cancelled",
+                    message="Cancelled by user",
+                    exit_code=130,
+                )
+                raise typer.Exit(code=130)
+
+            # Foreground (--wait) completion path also writes the state
+            # file so the on-disk record is consistent regardless of which
+            # mode the user ran in.
+            state = jobs_state.new(
+                prompt_id=execution.prompt_id,
+                client_id=execution.client_id,
+                workflow=workflow_name,
+                where="local",
+                host=host,
+                port=port,
+            )
+            state.status = "completed"
+            state.outputs = list(execution.outputs)
+            state.item_map = (compose_meta or {}).get("items")
+            state_file = jobs_state.write(state)
+
+            if renderer.is_pretty():
+                if len(execution.outputs) > 0:
+                    pprint("[bold green]\nOutputs:[/bold green]")
+                    for f in execution.outputs:
+                        pprint(f)
+                elapsed = timedelta(seconds=end - start)
+                pprint(f"[bold green]\nWorkflow execution completed ({elapsed})[/bold green]")
+
+            # Grouped views of the same artifacts — local parity with the
+            # cloud --wait envelope: by producing node always, and by
+            # blueprint foreach item when compose embedded an item map.
+            from comfy_cli.comfy_client import _group_outputs
+
+            outputs_by_node, outputs_by_item = _group_outputs(list(execution.output_entries), state.item_map)
+
+            renderer.emit(
+                {
+                    "workflow": workflow_name,
+                    "status": "completed",
+                    "prompt_id": execution.prompt_id,
+                    "client_id": execution.client_id,
+                    "outputs": list(execution.outputs),
+                    "outputs_by_node": outputs_by_node,
+                    "outputs_by_item": outputs_by_item,
+                    "cached_node_ids": list(execution.cached_node_ids),
+                    "executed_node_ids": list(execution.executed_node_ids),
+                    "elapsed_seconds": end - start,
+                    "host": host,
+                    "port": port,
+                    "state_file": str(state_file) if state_file else None,
+                },
+                command="run",
+                where="local",
+            )
+        else:
+            # Async path (the default). Write the initial state file and
+            # spawn a detached watcher to keep it updated; the foreground
+            # caller returns immediately with the prompt_id.
+            state = jobs_state.new(
+                prompt_id=execution.prompt_id,
+                client_id=execution.client_id,
+                workflow=workflow_name,
+                where="local",
+                host=host,
+                port=port,
+            )
+            state.item_map = (compose_meta or {}).get("items")
+            state_file = jobs_state.write(state)
+            watcher_spawned = _spawn_watcher(execution.prompt_id, where="local", host=host, port=port, notify=notify)
+
+            if renderer.is_pretty():
+                from comfy_cli.output.glyphs import status_glyph
+
+                pprint(
+                    f"{status_glyph('queued')} [dim]{execution.prompt_id}[/dim]\n"
+                    f"  [dim]workflow [/dim]{workflow_name}\n"
+                    f"  [dim]watch    [/dim][cyan]comfy jobs watch {execution.prompt_id}[/cyan]\n"
+                    f"  [dim]state    [/dim]{state_file}"
+                )
+                if not watcher_spawned:
+                    pprint(
+                        "[yellow]⚠ Background watcher could not start; poll manually with `comfy jobs status`[/yellow]"
+                    )
+            renderer.emit(
+                {
+                    "workflow": workflow_name,
+                    "status": "queued",
+                    "prompt_id": execution.prompt_id,
+                    "client_id": execution.client_id,
+                    "outputs": [],
+                    "elapsed_seconds": None,
+                    "host": host,
+                    "port": port,
+                    "state_file": str(state_file) if state_file else None,
+                    "watcher_spawned": watcher_spawned,
+                },
+                command="run",
+                where="local",
+            )
+            # Pretty mode: brief live tail so the user can see the job
+            # move through "allocated → executing → completed" without
+            # having to run `comfy jobs watch`. The background watcher
+            # keeps writing the state file after we return.
+            _tail_state_file(execution.prompt_id)
+    except KeyboardInterrupt:
+        if progress is not None:
+            progress.stop()
+            progress = None
+        if renderer.is_pretty():
+            pprint("[yellow]Workflow execution was interrupted[/yellow]")
+        renderer.error(
+            code="cancelled",
+            message="Workflow execution was interrupted",
+            exit_code=130,
+        )
+        raise typer.Exit(code=130)
+    except WebSocketTimeoutException:
+        if renderer.is_pretty():
+            pprint(
+                f"[bold red]Error: WebSocket timed out after {timeout}s waiting for server response.[/bold red]\n"
+                "[yellow]For long-running workflows, increase the timeout: comfy run --workflow <file> --timeout 300[/yellow]"
+            )
+        renderer.error(
+            code="ws_timeout",
+            message=f"WebSocket timed out after {timeout}s waiting for server response.",
+            hint="re-run with a larger --timeout (e.g. --timeout 300)",
+            details={"timeout": timeout},
+        )
+        raise typer.Exit(code=1)
+    except (WebSocketException, ConnectionError, OSError) as e:
+        # If we closed the WebSocket ourselves in response to Ctrl-C, the recv
+        # loop exits with a WebSocketException that *looks* like the server
+        # vanished. Check the cancellation token first so we emit the right
+        # error code (`cancelled`) instead of misleading users with
+        # "check the server is still running".
+        if token.is_set():
+            if progress is not None:
+                progress.stop()
+            renderer.error(
+                code="cancelled",
+                message="Cancelled by user",
+                exit_code=130,
+            )
+            raise typer.Exit(code=130) from e
+        if renderer.is_pretty():
+            pprint(f"[bold red]Error: Lost connection to ComfyUI server: {e}[/bold red]")
+        renderer.error(
+            code="ws_disconnected",
+            message=f"Lost connection to ComfyUI server: {e}",
+            hint="check the server is still running; re-run the command",
+        )
+        raise typer.Exit(code=1)
+    finally:
+        if progress is not None:
+            progress.stop()
+
+
+def _journal_run(workflow: str, prompt_id, where: str) -> None:
+    """Append the run-submit event to the governing project's run journal
+    (anchored at cwd). Wrapped end-to-end: a journaling failure can never
+    fail the run."""
+    try:
+        from comfy_cli import project as project_module
+
+        p = project_module.find_project()
+        if p is not None:
+            project_module.journal(p, cmd="run", workflow=str(workflow), prompt_id=prompt_id, where=where)
+    except Exception:  # noqa: BLE001 — best-effort by contract
+        pass
+
+
+def _count_output_nodes(workflow: dict, object_info: dict) -> int | None:
+    """Count nodes in ``workflow`` whose class is an output node, per
+    ``object_info``. Returns None when object_info is empty/unknown so callers
+    can skip the diff rather than reporting a bogus 0."""
+    if not object_info:
+        return None
+    count = 0
+    for node in workflow.values():
+        if not isinstance(node, dict):
+            continue
+        ct = node.get("class_type")
+        spec = object_info.get(ct) if isinstance(ct, str) else None
+        if isinstance(spec, dict) and spec.get("output_node") is True:
+            count += 1
+    return count
+
+
+def _returned_output_node_count(record: dict) -> int:
+    """How many distinct nodes actually produced outputs in the cloud history
+    record. The record's ``outputs`` map is keyed by node id."""
+    outputs = record.get("outputs") or {}
+    if not isinstance(outputs, dict):
+        return 0
+    return sum(1 for v in outputs.values() if isinstance(v, dict) and v)
+
+
+def execute_cloud(
+    workflow: str,
+    *,
+    wait: bool = False,
+    verbose: bool = False,
+    timeout: int = 600,
+    notify: bool = False,
+    print_prompt: bool = False,
+):
+    """Run a workflow against Comfy Cloud via the stored OAuth session.
+
+    Uses the unified :class:`comfy_cli.comfy_client.Client` — same surface as
+    local, just a different :class:`comfy_cli.target.Target`.
+    """
+    from comfy_cli.comfy_client import Client, HTTPError, Unauthenticated, _group_outputs
+    from comfy_cli.target import resolve_target
+
+    renderer = get_renderer()
+    try:
+        raw_workflow, workflow_name, is_ui = _load_workflow_file(workflow)
+    except WorkflowLoadError as e:
+        renderer.error(code=e.code, message=str(e), hint=e.hint)
+        raise typer.Exit(code=1) from e
+
+    if is_ui:
+        # Frontend-format workflows (the `nodes`+`links` shape from the canvas
+        # exporter and `comfy templates fetch`) have to be lowered to the API
+        # shape before submit. We do it client-side using the cloud snapshot
+        # of object_info — the cloud server has no /workflow/convert endpoint.
+        from comfy_cli.cql.engine import _load_from_target
+
+        if renderer.is_pretty():
+            pprint("[yellow]Detected UI-format workflow, converting to API format…[/yellow]")
+        try:
+            object_info = _load_from_target(mode="cloud")
+        except Exception as e:  # noqa: BLE001
+            renderer.error(
+                code="cql_no_graph",
+                message=f"could not load cloud object_info for conversion: {e}",
+                hint="run `comfy nodes refresh --where cloud` to populate the cache",
+            )
+            raise typer.Exit(code=1) from e
+        try:
+            raw_workflow = convert_ui_to_api(raw_workflow, object_info)
+        except WorkflowConversionError as e:
+            renderer.error(
+                code="conversion_error",
+                message=f"Workflow conversion failed: {e}",
+                hint="use ComfyUI's 'File > Export (API)' to save as API format and retry",
+            )
+            raise typer.Exit(code=1) from e
+        except Exception as e:  # noqa: BLE001
+            renderer.error(
+                code="conversion_crash",
+                message=f"Workflow conversion crashed unexpectedly: {type(e).__name__}: {e}",
+                hint="report this at https://github.com/Comfy-Org/comfy-cli/issues",
+            )
+            raise typer.Exit(code=1) from e
+        if not raw_workflow:
+            renderer.error(
+                code="workflow_empty",
+                message="Workflow conversion produced no executable nodes",
+            )
+            raise typer.Exit(code=1)
+
+    kind, parsed_workflow = _classify_api_workflow(raw_workflow)
+    if kind != "ok":
+        renderer.error(
+            code="workflow_not_api_format",
+            message="Specified workflow does not appear to be an API workflow json file",
+            hint="use 'File > Export (API)' in the ComfyUI frontend",
+        )
+        raise typer.Exit(code=1)
+
+    # Strip the compose/1 provenance block before preflight + submit, keeping
+    # its foreach item map to stash on the job state at submit time.
+    compose_meta = pop_compose_meta(parsed_workflow)
+
+    if print_prompt:
+        # Documented dry-run: show the API-format graph that WOULD be sent and
+        # exit WITHOUT POSTing. Mirrors local execute()'s print_prompt branch.
+        if renderer.is_pretty():
+            print(json.dumps(parsed_workflow, indent=2, ensure_ascii=False))
+        else:
+            renderer.event("prompt_preview", prompt=parsed_workflow)
+            renderer.emit(
+                {"workflow": workflow_name, "status": "preview", "prompt": parsed_workflow},
+                command="run",
+                where="cloud",
+            )
+        raise typer.Exit(code=0)
+
+    # Pre-submit validation via pure-Python CQL engine.
+    # Cloud path uses cached/bundled object_info (no live server needed).
+    try:
+        from comfy_cli.cql.engine import _load_from_target
+
+        cloud_object_info = _load_from_target(mode="cloud")
+    except Exception:  # noqa: BLE001
+        cloud_object_info = {}
+
+    _preflight_validate(renderer, parsed_workflow, cloud_object_info, target_label="cloud")
+
+    target = resolve_target(where="cloud")
+    try:
+        client = Client(target, timeout=float(timeout))
+    except Unauthenticated as e:
+        renderer.error(code="cloud_unauthorized", message=str(e), hint="run: comfy auth login")
+        raise typer.Exit(code=1) from e
+
+    client_id = str(uuid.uuid4())
+    start = time.time()
+
+    if wait:
+        if renderer.is_pretty():
+            pprint(f"[dim]▸[/dim] Executing [cyan]{workflow_name}[/cyan] on Comfy Cloud")
+            pprint(f"[dim]  base_url: {target.base_url}[/dim]")
+        else:
+            renderer.event("executing", workflow=workflow_name, base_url=target.base_url)
+    elif not renderer.is_pretty():
+        renderer.event("queued", workflow=workflow_name, base_url=target.base_url)
+
+    try:
+        if not wait and renderer.is_pretty():
+            with renderer.console().status("[cyan]Submitting to Comfy Cloud…", spinner="dots"):
+                submit = client.submit_prompt(parsed_workflow, client_id)
+        else:
+            submit = client.submit_prompt(parsed_workflow, client_id)
+    except Unauthenticated as e:
+        renderer.error(code="cloud_unauthorized", message=str(e), hint="run: comfy cloud login")
+        raise typer.Exit(code=1) from e
+    except HTTPError as e:
+        renderer.error(
+            code="cloud_http_error",
+            message=f"Cloud server rejected the workflow (HTTP {e.status}): {e.message}",
+            hint="check the workflow is valid and the cloud server has the required nodes",
+            details={"status": e.status, "body": e.body[:2000]},
+        )
+        raise typer.Exit(code=1) from e
+
+    if submit.node_errors:
+        # Parse per-node errors into readable hint lines
+        hint_lines = []
+        for nid, record in submit.node_errors.items():
+            if not isinstance(record, dict):
+                continue
+            ct = record.get("class_type", "unknown")
+            for err in record.get("errors") or []:
+                detail = err.get("details", "") or err.get("message", "")
+                hint_lines.append(f"node {nid} ({ct}): {detail}")
+        renderer.error(
+            code="prompt_rejected",
+            message=f"Cloud server rejected {len(submit.node_errors)} node(s)",
+            hint="\n".join(hint_lines) if hint_lines else "inspect node_errors in details",
+            details={"node_errors": submit.node_errors},
+        )
+        raise typer.Exit(code=1)
+
+    if not wait:
+        state = jobs_state.new(
+            prompt_id=submit.prompt_id,
+            client_id=client_id,
+            workflow=workflow_name,
+            where="cloud",
+            base_url=target.base_url,
+        )
+        state.item_map = (compose_meta or {}).get("items")
+        state_file = jobs_state.write(state)
+        _journal_run(workflow_name, submit.prompt_id, "cloud")
+        watcher_spawned = _spawn_watcher(submit.prompt_id, where="cloud", notify=notify)
+
+        if renderer.is_pretty():
+            from comfy_cli.output.glyphs import status_glyph
+
+            pprint(
+                f"{status_glyph('queued')} [dim]{submit.prompt_id}[/dim]\n"
+                f"  [dim]workflow [/dim]{workflow_name}\n"
+                f"  [dim]watch    [/dim][cyan]comfy jobs watch {submit.prompt_id} --where cloud[/cyan]\n"
+                f"  [dim]state    [/dim]{state_file}"
+            )
+            if not watcher_spawned:
+                pprint("[yellow]⚠ Background watcher could not start; poll manually with `comfy jobs status`[/yellow]")
+        renderer.emit(
+            {
+                "workflow": workflow_name,
+                "status": "queued",
+                "prompt_id": submit.prompt_id,
+                "client_id": client_id,
+                "outputs": [],
+                "elapsed_seconds": None,
+                "base_url": target.base_url,
+                "state_file": str(state_file) if state_file else None,
+            },
+            command="run",
+            where="cloud",
+        )
+        # Pretty mode only: short live tail of the state file so the human
+        # sees status transitions before the foreground exits.
+        _tail_state_file(submit.prompt_id)
+        return
+
+    # --wait: poll the cloud API directly from the foreground process.
+    # No watcher subprocess needed — simpler, no liveness/crash concerns,
+    # and the state file is written exactly once when the job finishes.
+    state = jobs_state.new(
+        prompt_id=submit.prompt_id,
+        client_id=client_id,
+        workflow=workflow_name,
+        where="cloud",
+        base_url=target.base_url,
+    )
+    state.item_map = (compose_meta or {}).get("items")
+    state_file = jobs_state.write(state)
+    _journal_run(workflow_name, submit.prompt_id, "cloud")
+
+    try:
+
+        def _probe():
+            st = client.get_job_status(submit.prompt_id)
+            if not st:
+                return None
+            return (st.get("status"), st.get("progress"), st.get("queue_position"))
+
+        record = client.wait_for_completion(submit.prompt_id, timeout=float(timeout), progress_probe=_probe)
+    except TimeoutError as e:
+        state.status = "error"
+        state.error = {"code": "cloud_timeout", "message": str(e)}
+        jobs_state.write(state)
+        renderer.error(
+            code="cloud_timeout",
+            message=str(e),
+            hint=f"the cloud job went silent for {timeout}s; raise --timeout or watch via `comfy jobs watch {submit.prompt_id} --where cloud`",
+            details={"prompt_id": submit.prompt_id},
+        )
+        raise typer.Exit(code=1) from e
+    except Unauthenticated as e:
+        state.status = "error"
+        state.error = {"code": "cloud_unauthorized", "message": str(e)}
+        jobs_state.write(state)
+        renderer.error(code="cloud_unauthorized", message=str(e), hint="run: comfy cloud login")
+        raise typer.Exit(code=1) from e
+    except HTTPError as e:
+        state.status = "error"
+        state.error = {"code": "cloud_http_error", "message": str(e)}
+        jobs_state.write(state)
+        renderer.error(
+            code="cloud_http_error",
+            message=f"Cloud server error while polling (HTTP {e.status}): {e.message}",
+            details={"status": e.status, "prompt_id": submit.prompt_id},
+        )
+        raise typer.Exit(code=1) from e
+    except KeyboardInterrupt:
+        state.status = "cancelled"
+        jobs_state.write(state)
+        renderer.error(code="cancelled", message="Cancelled by user", exit_code=130)
+        raise typer.Exit(code=130)
+
+    # Determine the terminal status from the record.
+    node_outputs = client.extract_outputs(record)
+    output_urls = [o["url"] for o in node_outputs]
+    exec_status = record.get("status") or record.get("execution_status") or {}
+    if isinstance(exec_status, dict):
+        status_str = exec_status.get("status_str", "")
+    else:
+        status_str = str(exec_status).lower()
+
+    if status_str in ("error", "failed"):
+        verdict = execution_errors.classify(record.get("error_message") or status_str)
+        state.status = "error"
+        state.error = {
+            "code": verdict["code"],
+            "message": verdict["message"],
+            "details": verdict["details"],
+        }
+        state_file = jobs_state.write(state)
+        renderer.error(
+            code=verdict["code"],
+            message=verdict["message"],
+            hint=verdict["hint"],
+            details={"prompt_id": submit.prompt_id, "status": status_str, **verdict["details"]},
+        )
+        raise typer.Exit(code=1)
+
+    # Success path.
+    state.status = "completed"
+    state.outputs = output_urls
+    # Stash the full node-keyed history record for downstream consumers
+    # (grouped outputs, item-named downloads).
+    state.record = record
+    state_file = jobs_state.write(state)
+
+    end = time.time()
+
+    # Silent-partial-execution guard: the cloud prunes branches that fail
+    # server-side validation and still reports `completed`. Diff the output
+    # nodes we submitted against the ones that actually returned outputs so a
+    # vanished branch surfaces instead of passing as a clean success.
+    warnings: list[dict] = []
+    submitted_outputs = _count_output_nodes(parsed_workflow, cloud_object_info)
+    returned_outputs = _returned_output_node_count(record)
+    if submitted_outputs is not None and returned_outputs < submitted_outputs:
+        warnings.append(
+            {
+                "code": "partial_execution",
+                "message": (
+                    f"submitted {submitted_outputs} output node(s) but the cloud returned outputs "
+                    f"for only {returned_outputs}; {submitted_outputs - returned_outputs} branch(es) "
+                    "were pruned server-side (likely failed validation) and produced nothing"
+                ),
+                "submitted_output_nodes": submitted_outputs,
+                "returned_output_nodes": returned_outputs,
+            }
+        )
+
+    if renderer.is_pretty():
+        if output_urls:
+            pprint("[bold green]\nOutputs:[/bold green]")
+            for u in output_urls:
+                pprint(u)
+        for w in warnings:
+            pprint(f"[yellow]⚠ {w['message']}[/yellow]")
+        pprint(f"[bold green]\nCloud workflow completed ({timedelta(seconds=end - start)})[/bold green]")
+
+    # Grouped views of the same artifacts: by producing node always, and by
+    # blueprint foreach item when compose stashed an item_map at submit.
+    outputs_by_node, outputs_by_item = _group_outputs(node_outputs, state.item_map)
+
+    renderer.emit(
+        {
+            "workflow": workflow_name,
+            "status": state.status,
+            "prompt_id": submit.prompt_id,
+            "client_id": client_id,
+            "outputs": output_urls,
+            "outputs_by_node": outputs_by_node,
+            "outputs_by_item": outputs_by_item,
+            "warnings": warnings,
+            "elapsed_seconds": end - start,
+            "base_url": target.base_url,
+            "state_file": str(state_file) if state_file else None,
+        },
+        command="run",
+        where="cloud",
+    )
diff --git a/comfy_cli/command/run/credentials.py b/comfy_cli/command/run/credentials.py
new file mode 100644
index 00000000..57bc575b
--- /dev/null
+++ b/comfy_cli/command/run/credentials.py
@@ -0,0 +1,36 @@
+"""Partner-API credential resolution for the local exec path.
+
+Cloud auto-injects credentials at submit time; local doesn't. This module
+finds the first usable credential (active OAuth session, env var, or stored
+API key) so the local exec can hand it to ``submit_prompt`` for nodes that
+talk to partner APIs.
+"""
+
+from __future__ import annotations
+
+
+def _resolve_partner_credential() -> tuple[str, str] | None:
+    """Locate an ``api_key_comfy_org`` credential to inject into a local
+    submit's ``extra_data`` so partner-API nodes can authenticate.
+
+    Returns ``(extra_data_key, value)`` so the caller can write the
+    correct field for the credential type. Delegates to the shared
+    OAuth-first chain (``comfy_cli.credentials``), same precedence as the
+    cloud target resolution:
+
+    1. Active (non-expired) OAuth session → ``auth_token_comfy_org``
+    2. ``COMFY_CLOUD_API_KEY`` env var → ``api_key_comfy_org``
+    3. Stored ``comfy-cloud-api-key`` provider record → ``api_key_comfy_org``
+
+    ``refresh=False`` preserves this chain's historical behavior: the session
+    is read as-is, never refreshed here. Returns ``None`` when nothing usable
+    is configured.
+    """
+    from comfy_cli.credentials import resolve_cloud_credential
+
+    cred = resolve_cloud_credential(purpose="cloud", refresh=False)
+    if cred is None:
+        return None
+    if cred.kind == "oauth":
+        return ("auth_token_comfy_org", cred.value)
+    return ("api_key_comfy_org", cred.value)
diff --git a/comfy_cli/command/run/execution.py b/comfy_cli/command/run/execution.py
new file mode 100644
index 00000000..88a987a0
--- /dev/null
+++ b/comfy_cli/command/run/execution.py
@@ -0,0 +1,572 @@
+"""WorkflowExecution — the local websocket execution loop.
+
+The class owns one workflow run end-to-end against a local ComfyUI server:
+HTTP submit to `/prompt`, then a WebSocket session translating server
+events into structured renderer calls. Also defines ``ExecutionProgress``
+(a Rich Progress subclass with a custom overall row) and ``_safe_close``
+for cancellation cleanup.
+
+Machine-output dialect (single source of truth — the renderer):
+
+    server WS message     renderer event (`schema: event/1`)
+    -----------------     -----------------------------------------------
+    executing             executing        {node, class_type, title, prompt_id}
+    execution_cached      execution_cached {node, class_type, title, prompt_id}
+    progress              progress         {node, completed, total, prompt_id}  (throttled)
+    executed              executed         {node, class_type, title, outputs, prompt_id}
+                          output           {url, prompt_id}  (one per file output)
+    execution_error       execution_error event + `execution_error` error envelope
+    execution_interrupted `cancelled` error envelope, exit 130
+
+These are the same event names `comfy jobs watch` emits, so the run stream
+and the watch stream speak one dialect. Failures go through
+``renderer.error(code=…)`` with codes from ``comfy_cli.error_codes``.
+"""
+
+from __future__ import annotations
+
+import json
+import os
+import urllib.error
+import urllib.parse
+import uuid
+from urllib import request
+
+import typer
+from rich.progress import BarColumn, Progress, TimeElapsedColumn
+from rich.table import Column, Table
+
+from comfy_cli import execution_errors
+from comfy_cli.command.run.loader import _MAX_BODY_PREVIEW, _node_errors_to_list
+from comfy_cli.output import get_renderer
+from comfy_cli.output import rprint as pprint
+from comfy_cli.workspace_manager import WorkspaceManager
+
+workspace_manager = WorkspaceManager()
+
+
+def _safe_close(execution: WorkflowExecution) -> None:
+    """Best-effort WebSocket close on cancellation."""
+    try:
+        if execution.ws is not None:
+            execution.ws.close()
+    except Exception:  # noqa: BLE001
+        pass
+
+
+class ExecutionProgress(Progress):
+    def get_renderables(self):
+        table_columns = (
+            (Column(no_wrap=True) if isinstance(_column, str) else _column.get_table_column().copy())
+            for _column in self.columns
+        )
+
+        for task in self.tasks:
+            percent = "[progress.percentage]{task.percentage:>3.0f}%".format(task=task)  # noqa
+            if task.fields.get("progress_type") == "overall":
+                overall_table = Table.grid(*table_columns, padding=(0, 1), expand=self.expand)
+                overall_table.add_row(BarColumn().render(task), percent, TimeElapsedColumn().render(task))
+                yield overall_table
+            else:
+                yield self.make_tasks_table([task])
+
+
+class WorkflowExecution:
+    def __init__(
+        self,
+        workflow,
+        host,
+        port,
+        verbose,
+        progress,
+        local_paths,
+        timeout=30,
+        *,
+        extra_data: dict | None = None,
+        api_key: str | None = None,
+    ):
+        self.workflow = workflow
+        self.host = host
+        self.port = port
+        self.verbose = verbose
+        self.client_id = str(uuid.uuid4())
+        self.outputs: list = []
+        # Node-keyed companion to the flat `outputs` URLs — one
+        # {"node_id", "url", "filename", "type"} entry per recorded URL, in
+        # the same order. Local parity with the cloud history record so
+        # `run --wait` can group outputs by node / foreach item.
+        self.output_entries: list[dict] = []
+        self.progress = progress
+        self.remaining_nodes = set(self.workflow.keys())
+        self.total_nodes = len(self.remaining_nodes)
+        if progress is not None:
+            self.overall_task = self.progress.add_task("", total=self.total_nodes, progress_type="overall")
+        self.current_node = None
+        self.progress_task = None
+        self.progress_node = None
+        self.prompt_id = None
+        self.ws = None
+        self.timeout = timeout
+        # Credentials injected into ``extra_data`` so partner-API nodes
+        # (partner/* category) can authenticate at execute time —
+        # mirrors what ``comfy_client.submit_prompt`` does for cloud.
+        self.extra_data = dict(extra_data) if extra_data else None
+        self.api_key = api_key
+        self.renderer = get_renderer()
+        # Aggregated node bookkeeping surfaced in the final envelope:
+        # `cached_node_ids` — server said the node came from cache;
+        # `executed_node_ids` — everything the executor *ran* (union of
+        # nodes seen in `executing` or `executed`), including intermediate
+        # compute nodes that never fire a server-side `executed` event.
+        self.cached_node_ids: list[str] = []
+        self.executed_node_ids: list[str] = []
+
+    def connect(self):
+        # Resolve via the package namespace so tests can patch
+        # ``comfy_cli.command.run.WebSocket`` and have it take effect here.
+        from comfy_cli.command import run as _run_pkg
+
+        self.ws = _run_pkg.WebSocket()
+        # The local executor POSTs to http://{host}:{port}/prompt (see queue()),
+        # so the websocket must use the matching plaintext ws:// scheme. Only
+        # upgrade to wss:// when the host is explicitly an https/wss URL.
+        scheme = "wss" if self.host.lower().startswith(("https://", "wss://")) else "ws"
+        bare_host = self.host.split("://", 1)[-1]
+        self.ws.connect(
+            f"{scheme}://{bare_host}:{self.port}/ws?clientId={self.client_id}",
+            timeout=self.timeout,
+        )
+
+    def workflow_manifest(self) -> list[dict]:
+        """Build the `nodes` array for the `queued` event — one entry per
+        node in the submitted (post-conversion) workflow."""
+        manifest: list[dict] = []
+        for node_id, node in self.workflow.items():
+            if not isinstance(node, dict):
+                continue
+            class_type = node.get("class_type", "")
+            class_type = class_type if isinstance(class_type, str) else ""
+            manifest.append(
+                {
+                    "node_id": str(node_id),
+                    "class_type": class_type,
+                    "title": self.get_node_title(node_id),
+                }
+            )
+        return manifest
+
+    def queue(self):
+        data: dict = {"prompt": self.workflow, "client_id": self.client_id}
+        # Usage-source attribution rides extra_data so the server can tell
+        # CLI-originated executions apart from web-UI ones (upstream #468).
+        data["extra_data"] = {"comfy_usage_source": "comfy-cli"}
+        if self.extra_data:
+            data["extra_data"].update(self.extra_data)
+        elif self.api_key:
+            data["extra_data"]["api_key_comfy_org"] = self.api_key
+        req = request.Request(f"http://{self.host}:{self.port}/prompt", json.dumps(data).encode("utf-8"))
+        req.add_header("Comfy-Usage-Source", "comfy-cli")
+        try:
+            resp = request.urlopen(req, timeout=self.timeout)
+            raw_body = resp.read()
+        except urllib.error.HTTPError as e:
+            body_bytes = e.read()
+            body_text = body_bytes.decode("utf-8", errors="replace").strip() if body_bytes else ""
+
+            if self.progress is not None:
+                self.progress.stop()
+
+            if e.status == 400:
+                try:
+                    parsed = json.loads(body_bytes) if body_bytes else {}
+                except (json.JSONDecodeError, ValueError):
+                    parsed = {}
+                node_errors_raw = parsed.get("node_errors", {}) if isinstance(parsed, dict) else {}
+                if isinstance(node_errors_raw, dict) and node_errors_raw:
+                    node_errors = _node_errors_to_list(node_errors_raw)
+                    if self.renderer.is_pretty():
+                        pprint(f"[bold red]Error running workflow\n{json.dumps(node_errors_raw, indent=2)}[/bold red]")
+                    self.renderer.error(
+                        code="prompt_rejected",
+                        message=f"Workflow has {len(node_errors_raw)} validation error(s)",
+                        hint="inspect `details.node_errors` and fix the workflow",
+                        details={"status": e.status, "node_errors": node_errors},
+                    )
+                    raise typer.Exit(code=1)
+
+            if self.renderer.is_pretty():
+                pprint(f"[bold red]Error running workflow (HTTP {e.status})\n{body_text}[/bold red]")
+            if e.status < 500:
+                self.renderer.error(
+                    code="client_error",
+                    message=f"Error running workflow (HTTP {e.status})",
+                    hint="check `details.body` for the server's message",
+                    details={"status": e.status, "body": body_text[:_MAX_BODY_PREVIEW]},
+                )
+            else:
+                self.renderer.error(
+                    code="server_error",
+                    message=f"Error running workflow (HTTP {e.status})",
+                    hint="check the ComfyUI server logs",
+                    details={"status": e.status, "body": body_text[:_MAX_BODY_PREVIEW]},
+                )
+            raise typer.Exit(code=1)
+        except (urllib.error.URLError, TimeoutError, OSError) as e:
+            if self.progress is not None:
+                self.progress.stop()
+            reason = str(e.reason) if isinstance(e, urllib.error.URLError) else str(e)
+            if self.renderer.is_pretty():
+                pprint(f"[bold red]Error: Failed to submit workflow: {reason}[/bold red]")
+            self.renderer.error(
+                code="connection_error",
+                message=f"Failed to submit workflow: {reason}",
+                hint="check the server is still running; re-run the command",
+            )
+            raise typer.Exit(code=1)
+
+        try:
+            body = json.loads(raw_body) if raw_body else None
+        except (json.JSONDecodeError, UnicodeDecodeError):
+            body = None
+
+        prompt_id = body.get("prompt_id") if isinstance(body, dict) else None
+        if not isinstance(prompt_id, str) or not prompt_id:
+            if self.progress is not None:
+                self.progress.stop()
+            if self.renderer.is_pretty():
+                pprint("[bold red]Error: Server returned HTTP 200 without a prompt_id[/bold red]")
+            self.renderer.error(
+                code="invalid_response",
+                message="Server returned HTTP 200 without a prompt_id",
+                hint="check that the host:port really is a ComfyUI server",
+                details={"status": 200},
+            )
+            raise typer.Exit(code=1)
+
+        self.prompt_id = prompt_id
+
+        # 200 may still carry node_errors if some output chains failed
+        # validation but others passed — surface as warnings, not a failure.
+        node_errors = body.get("node_errors") if isinstance(body, dict) else None
+        validation_warnings = _node_errors_to_list(node_errors)
+
+        self.renderer.event(
+            "queued",
+            prompt_id=prompt_id,
+            client_id=self.client_id,
+            validation_warnings=validation_warnings,
+            nodes=self.workflow_manifest(),
+        )
+
+    def watch_execution(self):
+        if self.ws is None:
+            raise RuntimeError("watch_execution called before the websocket was connected")
+        self.ws.settimeout(self.timeout)
+        while True:
+            message = self.ws.recv()
+            if not isinstance(message, str):
+                continue
+            try:
+                parsed = json.loads(message)
+            except json.JSONDecodeError:
+                # Tolerate malformed frames from misbehaving proxies.
+                continue
+            if not self.on_message(parsed):
+                break
+
+    def update_overall_progress(self):
+        if self.progress is None:
+            return
+        self.progress.update(self.overall_task, completed=self.total_nodes - len(self.remaining_nodes))
+
+    def get_node_title(self, node_id):
+        """Display label: ``_meta.title`` if present, else ``class_type``,
+        else the node id. Defensive against unknown ids and non-dict nodes."""
+        node = self.workflow.get(node_id)
+        if node is None and not isinstance(node_id, str):
+            node = self.workflow.get(str(node_id))
+        if not isinstance(node, dict):
+            return str(node_id)
+        meta = node.get("_meta")
+        if isinstance(meta, dict):
+            title = meta.get("title")
+            if isinstance(title, str) and title:
+                return title
+        class_type = node.get("class_type")
+        return class_type if isinstance(class_type, str) and class_type else str(node_id)
+
+    def _class_type(self, node_id):
+        node = self.workflow.get(node_id)
+        if node is None and not isinstance(node_id, str):
+            node = self.workflow.get(str(node_id))
+        if not isinstance(node, dict):
+            return ""
+        class_type = node.get("class_type")
+        return class_type if isinstance(class_type, str) else ""
+
+    def _track_executed(self, node_id) -> None:
+        node_id = str(node_id)
+        if node_id not in self.executed_node_ids:
+            self.executed_node_ids.append(node_id)
+
+    def log_node(self, type, node_id):
+        if not self.verbose:
+            return
+        if not self.renderer.is_pretty():
+            # --verbose is a no-op in machine modes; the event stream already
+            # carries the same information.
+            return
+
+        node = self.workflow.get(node_id)
+        if node is None:
+            pprint(f"{type} : [bright_black]({node_id})[/]")
+            return
+        class_type = node["class_type"]
+        title = self.get_node_title(node_id)
+
+        if title != class_type:
+            title += f"[bright_black] - {class_type}[/]"
+        title += f"[bright_black] ({node_id})[/]"
+
+        pprint(f"{type} : {title}")
+
+    def format_image_path(self, img):
+        """Build a single human-readable path string for the legacy text
+        output. Prefers a clickable absolute filesystem path when the
+        host is a known loopback, the workspace resolves, the path stays
+        inside the workspace's per-type output dir, and the file exists
+        on disk. Otherwise falls back to a /view URL."""
+        filename = img["filename"]
+        subfolder = img.get("subfolder") or ""
+        output_type = img.get("type") or "output"
+
+        if self.host in ("127.0.0.1", "localhost", "::1", "[::1]"):
+            ws_path = self._text_mode_workspace_path()
+            if ws_path:
+                parts = [subfolder, filename] if subfolder else [filename]
+                type_root = os.path.normpath(os.path.join(ws_path, output_type))
+                candidate = os.path.normpath(os.path.join(type_root, *parts))
+                if (candidate == type_root or candidate.startswith(type_root + os.sep)) and os.path.isfile(candidate):
+                    return candidate
+
+        return self._view_url(filename, subfolder, output_type)
+
+    def _view_url(self, filename: str, subfolder: str, file_type: str) -> str:
+        params = {"filename": filename, "subfolder": subfolder, "type": file_type}
+        return f"http://{self.host}:{self.port}/view?{urllib.parse.urlencode(params)}"
+
+    def _text_mode_workspace_path(self) -> str | None:
+        # workspace_manager.get_workspace_path() can print a warning and
+        # write config on the stale-recent path. Memoize so a workflow
+        # with N outputs doesn't repeat the side effects N times.
+        if not hasattr(self, "_ws_path_cached"):
+            try:
+                self._ws_path_cached = workspace_manager.get_workspace_path()[0]
+            except Exception:
+                self._ws_path_cached = None
+        return self._ws_path_cached
+
+    def _build_output_object(self, node_id, category, item) -> dict:
+        """Construct a structured Output dict carried on `executed` events."""
+        node_id = str(node_id)
+        filename = item["filename"]
+        subfolder = item.get("subfolder") or ""
+        file_type = item.get("type") or "output"
+
+        return {
+            "category": category,
+            "node_id": node_id,
+            "class_type": self._class_type(node_id),
+            "title": self.get_node_title(node_id),
+            "filename": filename,
+            "subfolder": subfolder,
+            "type": file_type,
+            "url": self._view_url(filename, subfolder, file_type),
+        }
+
+    def on_message(self, message):
+        # Defensive: a malformed (non-object) JSON frame from the server
+        # must not raise out of the recv loop — that would tear down the
+        # run without a terminal envelope and break the contract.
+        if not isinstance(message, dict):
+            return True
+        data = message.get("data")
+        if not isinstance(data, dict):
+            return True
+        if data.get("prompt_id") != self.prompt_id:
+            return True
+
+        msg_type = message.get("type")
+        if msg_type == "executing":
+            return self.on_executing(data)
+        elif msg_type == "execution_cached":
+            self.on_cached(data)
+        elif msg_type == "progress":
+            self.on_progress(data)
+        elif msg_type == "executed":
+            self.on_executed(data)
+        elif msg_type == "execution_error":
+            self.on_error(data)
+        elif msg_type == "execution_interrupted":
+            self.on_interrupted(data)
+
+        return True
+
+    def on_executing(self, data):
+        if self.progress_task is not None and self.progress is not None:
+            self.progress.remove_task(self.progress_task)
+            self.progress_task = None
+
+        # `node: null` is the documented "execution done" signal. A
+        # missing key is a protocol violation — skip the frame and keep
+        # listening rather than prematurely terminating.
+        if "node" not in data:
+            return True
+        if data["node"] is None:
+            return False
+        else:
+            if self.current_node:
+                self.remaining_nodes.discard(self.current_node)
+                self.update_overall_progress()
+            self.current_node = data["node"]
+            self.log_node("Executing", data["node"])
+            self._track_executed(data["node"])
+            self.renderer.event(
+                "executing",
+                node=str(data["node"]),
+                title=self.get_node_title(data["node"]),
+                class_type=self._class_type(data["node"]),
+                prompt_id=self.prompt_id,
+            )
+        return True
+
+    def on_cached(self, data):
+        nodes = data.get("nodes") or []
+        for n in nodes:
+            if n is None:
+                continue
+            self.remaining_nodes.discard(n)
+            self.log_node("Cached", n)
+            node_id = str(n)
+            if node_id not in self.cached_node_ids:
+                self.cached_node_ids.append(node_id)
+            self.renderer.event(
+                "execution_cached",
+                node=node_id,
+                title=self.get_node_title(n),
+                class_type=self._class_type(n),
+                prompt_id=self.prompt_id,
+            )
+        self.update_overall_progress()
+
+    def on_progress(self, data):
+        node = data.get("node")
+        if node is None:
+            return
+        if self.progress_node != node:
+            self.progress_node = node
+            if self.progress is not None:
+                if self.progress_task:
+                    self.progress.remove_task(self.progress_task)
+                self.progress_task = self.progress.add_task(
+                    self.get_node_title(node), total=data["max"], progress_type="node"
+                )
+        if self.progress is not None and self.progress_task is not None:
+            self.progress.update(self.progress_task, completed=data["value"])
+        # Throttle the NDJSON torrent (samplers can fire 30+/s).
+        self.renderer.throttled_event(
+            f"progress:{node}",
+            "progress",
+            max_hz=10,
+            node=str(node),
+            completed=data["value"],
+            total=data["max"],
+            prompt_id=self.prompt_id,
+        )
+
+    def on_executed(self, data):
+        node_id = data.get("node")
+        if node_id is None:
+            return
+        self.remaining_nodes.discard(node_id)
+        self.update_overall_progress()
+        self._track_executed(node_id)
+
+        structured_outputs: list[dict] = []
+        output = data.get("output")
+        if isinstance(output, dict):
+            for category, items in output.items():
+                if not isinstance(items, list):
+                    continue
+                for item in items:
+                    if not isinstance(item, dict) or "filename" not in item:
+                        continue
+                    obj = self._build_output_object(node_id, category, item)
+                    structured_outputs.append(obj)
+
+        self.renderer.event(
+            "executed",
+            node=str(node_id),
+            title=self.get_node_title(node_id),
+            class_type=self._class_type(node_id),
+            outputs=structured_outputs,
+            prompt_id=self.prompt_id,
+        )
+
+        for obj in structured_outputs:
+            url = self.format_image_path(
+                {"filename": obj["filename"], "subfolder": obj["subfolder"], "type": obj["type"]}
+            )
+            if url not in self.outputs:
+                # Always record for the state file; emit the NDJSON
+                # output event at the same point so json consumers see it.
+                self.outputs.append(url)
+                self.output_entries.append(
+                    {
+                        "node_id": obj["node_id"],
+                        "url": url,
+                        "filename": obj["filename"],
+                        "type": obj["type"],
+                    }
+                )
+                self.renderer.event("output", url=url, prompt_id=self.prompt_id)
+
+    def on_error(self, data):
+        self._stop_progress()
+        data = data if isinstance(data, dict) else {}
+        node_id = str(data.get("node_id", ""))
+        if self.renderer.is_pretty():
+            pprint(f"[bold red]Error running workflow\n{json.dumps(data, indent=2)}[/bold red]")
+        # The event keeps the full server payload (incl. complete traceback);
+        # the error envelope carries the classified one-line verdict.
+        self.renderer.event("execution_error", prompt_id=self.prompt_id, details=data)
+        verdict = execution_errors.classify(data)
+        self.renderer.error(
+            code=verdict["code"],
+            message=verdict["message"],
+            hint=verdict["hint"],
+            details={
+                **verdict["details"],
+                "class_type": data.get("node_type") or self._class_type(node_id),
+                "title": self.get_node_title(node_id),
+            },
+        )
+        raise typer.Exit(code=1)
+
+    def on_interrupted(self, data):
+        self._stop_progress()
+        if self.renderer.is_pretty():
+            pprint("[yellow]Workflow execution was interrupted[/yellow]")
+        self.renderer.error(
+            code="cancelled",
+            message="Workflow execution was interrupted",
+            exit_code=130,
+        )
+        raise typer.Exit(code=130)
+
+    def _stop_progress(self) -> None:
+        if self.progress is not None:
+            try:
+                self.progress.stop()
+            except Exception:
+                pass
diff --git a/comfy_cli/command/run/loader.py b/comfy_cli/command/run/loader.py
new file mode 100644
index 00000000..03bf093a
--- /dev/null
+++ b/comfy_cli/command/run/loader.py
@@ -0,0 +1,123 @@
+"""Workflow-file loading and shape classification.
+
+Pure functions over a single workflow JSON: detect format (UI vs API),
+validate the parsed shape, and load from disk with typed errors.
+"""
+
+from __future__ import annotations
+
+import json
+import os
+
+# Maximum bytes of a server response body we surface to the user (or
+# embed in a `failed.error.body` field). Anything longer is truncated.
+_MAX_BODY_PREVIEW = 500
+
+
+def _node_errors_to_list(node_errors) -> list[dict]:
+    """Transform ComfyUI's dict-keyed `node_errors` payload into a list of self-contained records.
+    Each record carries `node_id` as a field, so agents can iterate the result
+    directly without indirecting through dict keys."""
+    if not isinstance(node_errors, dict):
+        return []
+    result = []
+    for node_id, record in node_errors.items():
+        if not isinstance(record, dict):
+            continue
+        entry = {"node_id": str(node_id)}
+        entry.update(record)
+        result.append(entry)
+    return result
+
+
+def is_ui_workflow(workflow) -> bool:
+    return (
+        isinstance(workflow, dict)
+        and isinstance(workflow.get("nodes"), list)
+        and isinstance(workflow.get("links"), list)
+    )
+
+
+def _classify_api_workflow(workflow):
+    """Classify a parsed JSON object as API workflow / empty / invalid.
+
+    Returns one of:
+        ("ok", workflow_dict)   — well-formed API workflow with ≥1 node
+        ("empty", None)         — empty dict (caller routes to workflow_empty)
+        ("invalid", None)       — not a dict, or no value has class_type
+    """
+    if not isinstance(workflow, dict):
+        return ("invalid", None)
+    if not workflow:
+        return ("empty", None)
+    for val in workflow.values():
+        if isinstance(val, dict) and "class_type" in val:
+            return ("ok", workflow)
+    return ("invalid", None)
+
+
+def pop_compose_meta(workflow: dict) -> dict | None:
+    """Pop and return the compose-embedded ``_meta`` provenance block.
+
+    ``comfy workflow compose`` writes ``workflow["_meta"] = {"schema":
+    "compose/1", "blueprint": …, "items": …}`` into the compiled JSON. The
+    server would treat that key as a (broken) node, so ``run`` strips it
+    before preflight validation and submit.
+
+    Only a dict WITHOUT a ``class_type`` key is stripped — a node that is
+    legitimately keyed ``"_meta"`` (i.e. has a class_type) is left alone.
+    Per-node ``_meta: {title}`` blocks live inside nodes and are never
+    touched. Returns the popped block, or ``None`` when nothing was popped.
+    """
+    if not isinstance(workflow, dict):
+        return None
+    meta = workflow.get("_meta")
+    if isinstance(meta, dict) and "class_type" not in meta:
+        del workflow["_meta"]
+        return meta
+    return None
+
+
+class WorkflowLoadError(Exception):
+    """Raised by ``_load_workflow_file`` for pre-flight file errors.
+
+    ``code`` is a registered ``error_codes`` value — callers pass it straight
+    to ``renderer.error(code=e.code, ...)``.
+    """
+
+    def __init__(self, *, code: str, message: str, hint: str | None = None):
+        super().__init__(message)
+        self.code = code
+        self.hint = hint
+
+
+def _load_workflow_file(path: str) -> tuple[dict, str, bool]:
+    """Load and validate a workflow JSON file.
+
+    Returns (raw_workflow_dict, absolute_path, is_ui_format).
+    Raises ``WorkflowLoadError`` on file-not-found, read error, or invalid JSON.
+    """
+    workflow_name = os.path.abspath(os.path.expanduser(path))
+    if not os.path.isfile(workflow_name):
+        raise WorkflowLoadError(
+            code="workflow_not_found",
+            message=f"Specified workflow file not found: {workflow_name}",
+            hint="check the path; pass the API-format JSON exported from ComfyUI",
+        )
+
+    try:
+        with open(workflow_name, encoding="utf-8") as f:
+            raw_workflow = json.load(f)
+    except (OSError, UnicodeDecodeError) as e:
+        raise WorkflowLoadError(
+            code="workflow_read_error",
+            message=f"Unable to read workflow file: {e}",
+        ) from e
+    except json.JSONDecodeError as e:
+        raise WorkflowLoadError(
+            code="workflow_invalid_json",
+            message=f"Specified workflow file is not valid JSON: {e}",
+            hint="re-export the workflow from ComfyUI (File > Export (API))",
+        ) from e
+
+    return raw_workflow, workflow_name, is_ui_workflow(raw_workflow)
diff --git a/comfy_cli/command/run/preflight.py b/comfy_cli/command/run/preflight.py
new file mode 100644
index 00000000..36fcf737
--- /dev/null
+++ b/comfy_cli/command/run/preflight.py
@@ -0,0 +1,157 @@
+"""Pre-submit checks: fetch the server's ``object_info`` and validate the
+workflow before we burn a queue slot.
+
+Three concerns live here: HTTP fetch with renderer-routed error reporting,
+pure-Python workflow validation (unknown class_types, shape drift), and
+partner-API node detection (used to inject the right credential into
+``extra_data`` for local submits — cloud handles this server-side).
+"""
+
+from __future__ import annotations
+
+import json
+import urllib.error
+from urllib import request
+
+import typer
+
+from comfy_cli.command.run.loader import _MAX_BODY_PREVIEW
+from comfy_cli.output import get_renderer
+from comfy_cli.output import rprint as pprint
+
+# Partner-API nodes live under `partner/...` in ComfyUI/cloud object_info
+# (e.g. `partner/video/ByteDance`). The category prefix is only the fallback —
+# the authoritative signal is the `api_node: true` flag.
+PARTNER_NODE_CATEGORY_PREFIXES = ("partner/",)
+
+
+def fetch_object_info(host, port, timeout):
+    """GET ``/object_info`` from the running ComfyUI server.
+
+    The response describes every loaded node class's input schema and is what
+    the converter uses to map widget values to input names, fill defaults, etc.
+
+    Failures go through ``renderer.error(...)`` (error envelope in JSON modes,
+    red panel in pretty mode) and raise ``typer.Exit(code=1)``.
+    """
+    renderer = get_renderer()
+    url = f"http://{host}:{port}/object_info"
+    try:
+        with request.urlopen(url, timeout=timeout) as resp:
+            body = resp.read(64 * 1024 * 1024)
+    except urllib.error.HTTPError as e:
+        body_text = e.read().decode("utf-8", errors="replace").strip()
+        renderer.error(
+            code="object_info_unavailable",
+            message=f"Failed to fetch /object_info (HTTP {e.code})",
+            hint="check the ComfyUI server logs; restart the server",
+            details={"status": e.code, "body": body_text[:_MAX_BODY_PREVIEW]},
+        )
+        raise typer.Exit(code=1) from e
+    except urllib.error.URLError as e:
+        renderer.error(
+            code="connection_error",
+            message=f"Failed to fetch /object_info from {host}:{port}: {e.reason}",
+            hint="override with --host / --port",
+        )
+        raise typer.Exit(code=1) from e
+    except TimeoutError as e:
+        renderer.error(
+            code="connection_error",
+            message=f"Failed to fetch /object_info from {host}:{port}: timed out after {timeout}s",
+            hint="override with --host / --port, or raise --timeout",
+        )
+        raise typer.Exit(code=1) from e
+    try:
+        return json.loads(body)
+    except json.JSONDecodeError as e:
+        renderer.error(
+            code="object_info_unavailable",
+            message="Server returned invalid JSON for /object_info",
+            hint="check that the host:port really is a ComfyUI server",
+            details={"status": 200, "body": body.decode("utf-8", errors="replace")[:_MAX_BODY_PREVIEW]},
+        )
+        raise typer.Exit(code=1) from e
+
+
+def _preflight_validate(renderer, workflow: dict, object_info: dict, *, target_label: str = "server") -> None:
+    """Pre-submit validation via the pure-Python CQL engine.
+
+    Checks unknown class_types, input shape mismatches, and catalog drift.
+    Raises typer.Exit(1) on hard errors. Prints warnings in pretty mode.
+    Skips silently when object_info is empty (server unreachable — fail open).
+    """
+    if not object_info:
+        return
+
+    from comfy_cli.cql.engine import Graph
+
+    graph = Graph.from_object_info(object_info)
+    validation = graph.validate_workflow(workflow)
+    if not validation.get("valid", True):
+        errors = validation.get("errors", [])
+        hint_parts = []
+        for e in errors[:5]:
+            line = f"node {e.get('node_id', '?')}: {e.get('message', '')}"
+            suggestions = e.get("suggestions") or []
+            if suggestions:
+                line += f" (did you mean: {', '.join(suggestions)}?)"
+            hint_parts.append(line)
+        renderer.error(
+            code="workflow_unknown_nodes",
+            message=f"Workflow has {len(errors)} validation error(s) against {target_label}",
+            hint="\n".join(hint_parts),
+            details={"errors": errors, "warnings": validation.get("warnings", [])},
+        )
+        raise typer.Exit(code=1)
+
+    warnings = validation.get("warnings", [])
+    if warnings and renderer.is_pretty():
+        for w in warnings:
+            pprint(f"[yellow]⚠ {w.get('field', '?')}: {w.get('message', '')}[/yellow]")
+
+
+def _fetch_object_info(host: str, port: int) -> dict:
+    """Fetch object_info for partner-node detection + validation. Fail open."""
+    try:
+        from comfy_cli.cql.engine import _load_from_target
+
+        return _load_from_target(mode="local", host=host, port=port)
+    except Exception:  # noqa: BLE001 — fail open
+        return {}
+
+
+def _detect_partner_nodes(workflow: dict, object_info: dict) -> list[str]:
+    """Return sorted unique class_types in ``workflow`` that are partner-API
+    nodes (Veo, Kling, BFL, Gemini, ByteDance, Bria, etc.). Pure function —
+    tests pass object_info directly.
+
+    Detection is primarily the authoritative ``api_node: true`` flag in
+    object_info, with a ``partner/...`` category-prefix fallback for servers
+    that don't surface the flag.
+
+    A partner-API node call requires an ``api_key_comfy_org`` (or the
+    OAuth-equivalent ``auth_token_comfy_org``) in ``extra_data`` at
+    submit time. Without it the local server happily accepts the
+    workflow at /prompt and then fails the actual node at execute time
+    with ``Unauthorized: Please login first to use this node`` — a
+    sharp edge observed during the Veo3 video run.
+    """
+    used: set[str] = set()
+    for node in workflow.values():
+        if isinstance(node, dict):
+            ct = node.get("class_type")
+            if isinstance(ct, str):
+                used.add(ct)
+    out: list[str] = []
+    for ct in used:
+        info = object_info.get(ct) or {}
+        if not isinstance(info, dict):
+            continue
+        if info.get("api_node") is True:
+            out.append(ct)
+            continue
+        category = info.get("category")
+        if isinstance(category, str) and category.startswith(PARTNER_NODE_CATEGORY_PREFIXES):
+            out.append(ct)
+    return sorted(out)
diff --git a/comfy_cli/command/run/watcher.py b/comfy_cli/command/run/watcher.py
new file mode 100644
index 00000000..9a8d3c4c
--- /dev/null
+++ b/comfy_cli/command/run/watcher.py
@@ -0,0 +1,108 @@
+"""Background-watcher subprocess + transient pretty-mode status tail.
+
+``_spawn_watcher`` detaches a Python subprocess that polls the server and
+updates the job's state file. ``_tail_state_file`` is the foreground
+companion — a short live-status display in pretty mode that exits cleanly
+once the watcher takes over.
+"""
+
+from __future__ import annotations
+
+import subprocess
+import sys
+
+from comfy_cli.output import get_renderer
+from comfy_cli.output import rprint as pprint
+
+
+def _tail_state_file(prompt_id: str, *, seconds: float = 8.0) -> None:
+    """Pretty-mode only: poll the state file for up to ``seconds`` showing
+    live status transitions, then return. The background watcher keeps
+    writing after we return — we just give the human a few seconds of
+    "alive" feedback before the foreground exits.
+
+    Always safe to call; no-ops if the renderer isn't pretty or the user
+    Ctrl-Cs out.
+    """
+    import time as _t
+
+    from rich.live import Live
+    from rich.text import Text
+
+    renderer = get_renderer()
+    if not renderer.is_pretty():
+        return
+
+    from comfy_cli import jobs_state
+    from comfy_cli.output.glyphs import status_glyph
+
+    def render(status: str, elapsed: float) -> Text:
+        return Text.from_markup(f"  {status_glyph(status)}  [dim]· {elapsed:.1f}s · {prompt_id[:8]}…[/dim]")
+
+    deadline = _t.time() + seconds
+    last_status = "queued"
+    start = _t.time()
+    try:
+        with Live(render(last_status, 0.0), console=renderer.console(), refresh_per_second=4, transient=True) as live:
+            while _t.time() < deadline:
+                state = jobs_state.read(prompt_id)
+                if state is not None:
+                    last_status = state.status
+                    live.update(render(last_status, _t.time() - start))
+                    if state.is_terminal:
+                        break
+                _t.sleep(0.25)
+    except KeyboardInterrupt:
+        pass
+
+    final_state = jobs_state.read(prompt_id)
+    if final_state is None:
+        return
+    elapsed = _t.time() - start
+    glyph = status_glyph(final_state.status)
+    if final_state.is_terminal:
+        pprint(f"  {glyph} [dim]· finished in {elapsed:.1f}s[/dim]")
+        for u in (final_state.outputs or [])[:3]:
+            pprint(f"  [dim]→[/dim] [cyan]{u}[/cyan]")
+    else:
+        pprint(f"  {glyph} [dim]· still in flight — track:[/dim] [cyan]comfy jobs ls --watch[/cyan]")
+
+
+def _spawn_watcher(
+    prompt_id: str,
+    *,
+    where: str,
+    host: str | None = None,
+    port: int | None = None,
+    notify: bool = False,
+) -> bool:
+    """Detach a watcher subprocess that polls + updates the state file.
+
+    Fully decoupled from the parent: stdio redirected to /dev/null, a new
+    session so a controlling terminal closing doesn't kill it. We don't
+    track the PID — the watcher writes its own PID into the state file so
+    callers can find it there if needed.
+
+    Returns ``True`` on success, ``False`` if the subprocess could not be
+    spawned.
+    """
+    argv = [sys.executable, "-m", "comfy_cli", "_watch", "_watch-job", prompt_id, "--where", where]
+    if host:
+        argv += ["--host", host]
+    if port:
+        argv += ["--port", str(port)]
+    argv += ["--notify"] if notify else ["--no-notify"]
+    try:
+        subprocess.Popen(
+            argv,
+            stdout=subprocess.DEVNULL,
+            stderr=subprocess.DEVNULL,
+            stdin=subprocess.DEVNULL,
+            start_new_session=True,
+            close_fds=True,
+        )
+        return True
+    except OSError:
+        # Watcher spawn failed — the job still ran; the user just won't get
+        # a state-file update without manual polling. Don't bail the submit.
+        return False
diff --git a/comfy_cli/command/run_cli.py b/comfy_cli/command/run_cli.py
new file mode 100644
index 00000000..f05210ef
--- /dev/null
+++ b/comfy_cli/command/run_cli.py
@@ -0,0 +1,579 @@
+"""Guided realtime walkthrough of the comfy CLI surface.
+
+Invoked as ``comfy run-cli``. Subprocess-executes the CLI itself step by step
+so what the user sees is the real CLI, not a recording. For most commands the
+demo shows two views of the same call — the pretty terminal output and the
+``--json`` envelope an agent would parse. Toward the end the demo fires a
+fleet of jobs in parallel via ``--async`` to show background execution and
+queue inspection.
+"""
+
+from __future__ import annotations
+
+import concurrent.futures
+import json
+import os
+import shlex
+import subprocess
+import sys
+import tempfile
+import time
+from collections.abc import Callable
+from dataclasses import dataclass, field
+
+from comfy_cli.output import rprint as pprint
+
+# ---------- Demo workflows ---------------------------------------------------
+
+# Tiny workflow — completes in ~30 ms. Used for the single-job demos.
+DEMO_WORKFLOW: dict = {
+    "1": {
+        "inputs": {"width": 512, "height": 512, "batch_size": 1, "color": 16711680},
+        "class_type": "EmptyImage",
+        "_meta": {"title": "Red canvas"},
+    },
+    "2": {
+        "inputs": {"image": ["1", 0]},
+        "class_type": "ImageInvert",
+        "_meta": {"title": "Invert"},
+    },
+    "3": {
+        "inputs": {"filename_prefix": "comfy_run_cli_demo", "images": ["2", 0]},
+        "class_type": "SaveImage",
+        "_meta": {"title": "Save"},
+    },
+}
+
+
+def fleet_workflow(idx: int) -> dict:
+    """Heavier workflow used for the parallel-fleet demo.
+
+    4096×4096 canvas + a chained invert/scale pipeline so the server takes
+    ~1 second per job. With 5 in the queue processed serially, the queue is
+    clearly visible in ``jobs ls`` as running + pending. The ``color`` differs
+    per index so ComfyUI's per-node cache can't collapse them into one.
+    """
+    color = 0x110000 * (idx + 1)  # distinct color per job → no cache hits
+    return {
+        "1": {
+            "inputs": {"width": 4096, "height": 4096, "batch_size": 1, "color": color},
+            "class_type": "EmptyImage",
+            "_meta": {"title": f"Canvas #{idx}"},
+        },
+        "2": {
+            "inputs": {"image": ["1", 0]},
+            "class_type": "ImageInvert",
+        },
+        "3": {
+            "inputs": {"scale_by": 0.5, "upscale_method": "lanczos", "image": ["2", 0]},
+            "class_type": "ImageScaleBy",
+        },
+        "4": {
+            "inputs": {"scale_by": 2.0, "upscale_method": "lanczos", "image": ["3", 0]},
+            "class_type": "ImageScaleBy",
+        },
+        "5": {
+            "inputs": {"image": ["4", 0]},
+            "class_type": "ImageInvert",
+        },
+        "6": {
+            "inputs": {"filename_prefix": f"comfy_run_cli_fleet_{idx}", "images": ["5", 0]},
+            "class_type": "SaveImage",
+            "_meta": {"title": "Save"},
+        },
+    }
+
+
+FLEET_SIZE = 5
+
+
+# ---------- Step model -------------------------------------------------------
+
+
+@dataclass
+class Invocation:
+    """One subprocess invocation, labelled for the demo."""
+
+    argv: list[str]
+    label: str
+    capture: bool = False
+    on_output: Callable[[str], None] | None = None
+    optional: bool = False
+    extra_env: dict[str, str] = field(default_factory=dict)
+
+
+@dataclass
+class Step:
+    title: str
+    desc: str = ""  # one-line description, dim, optional
+    invocations: list[Invocation] = field(default_factory=list)
+    custom: Callable[[_DemoState, float, bool], int] | None = None  # for non-subprocess steps
+    skip_if: Callable[[], bool] | None = None
+
+
+# ---------- Runner -----------------------------------------------------------
+
+
+def _comfy_argv() -> list[str]:
+    return [sys.executable, "-m", "comfy_cli"]
+
+
+def _print_banner(text: str) -> None:
+    bar = "─" * max(8, min(72, len(text) + 4))
+    pprint(f"\n[bold cyan]{bar}[/bold cyan]")
+    pprint(f"[bold cyan]  {text}[/bold cyan]")
+    pprint(f"[bold cyan]{bar}[/bold cyan]")
+
+
+def _print_subhead(label: str, kind: str) -> None:
+    if kind == "human":
+        pprint(f"\n[bold green]▶ {label}[/bold green]  [dim](human view)[/dim]")
+    elif kind == "agent":
+        pprint(f"\n[bold magenta]▶ {label}[/bold magenta]  [dim](agent view, --json)[/dim]")
+    else:
+        pprint(f"\n[bold blue]▶ {label}[/bold blue]")
+
+
+def _print_command(argv: list[str]) -> None:
+    rendered = " ".join(shlex.quote(a) for a in argv)
+    rendered = rendered.replace(shlex.quote(sys.executable) + " -m comfy_cli", "comfy")
+    pprint(f"[bold]$[/bold] [yellow]{rendered}[/yellow]")
+
+
+def _classify(inv: Invocation) -> str:
+    if "--json-stream" in inv.argv or "--json" in inv.argv:
+        return "agent"
+    return "human"
+
+
+def _run_invocation(inv: Invocation, *, pause_seconds: float, show_header: bool = True) -> int:
+    if show_header:
+        _print_subhead(inv.label, _classify(inv))
+    _print_command(inv.argv)
+
+    env = {**os.environ, "COMFY_OUTPUT": "pretty", **inv.extra_env}
+
+    if inv.capture:
+        try:
+            result = subprocess.run(
+                inv.argv,
+                env=env,
+                check=False,
+                capture_output=True,
+                text=True,
+                timeout=120,
+            )
+        except subprocess.TimeoutExpired:
+            pprint("[bold red]invocation timed out[/bold red]")
+            return 1
+        sys.stdout.write(result.stdout)
+        sys.stdout.flush()
+        if result.stderr:
+            sys.stderr.write(result.stderr)
+            sys.stderr.flush()
+        if inv.on_output is not None and result.returncode == 0:
+            inv.on_output(result.stdout)
+        rc = result.returncode
+    else:
+        try:
+            rc = subprocess.run(inv.argv, env=env, check=False, timeout=120).returncode
+        except subprocess.TimeoutExpired:
+            pprint("[bold red]invocation timed out[/bold red]")
+            return 1
+
+    if rc != 0 and not inv.optional:
+        pprint(f"[bold red]Invocation exited with code {rc}[/bold red]")
+    elif rc != 0:
+        pprint(f"[dim](optional step exited {rc}, continuing)[/dim]")
+
+    if pause_seconds > 0:
+        time.sleep(pause_seconds)
+    return rc
+
+
+def _run_step(step: Step, state: _DemoState, *, pause_seconds: float, show_agent: bool) -> int:
+    if step.skip_if is not None and step.skip_if():
+        pprint(f"\n[bright_black](skipping: {step.title})[/bright_black]")
+        return 0
+
+    _print_banner(step.title)
+    if step.desc:
+        pprint(f"[dim]{step.desc}[/dim]")
+    if pause_seconds > 0:
+        time.sleep(min(pause_seconds, 1.5))
+
+    if step.custom is not None:
+        rc = step.custom(state, pause_seconds, show_agent)
+        if pause_seconds > 0:
+            time.sleep(pause_seconds)
+        return rc
+
+    first_error = 0
+    for inv in step.invocations:
+        if not show_agent and _classify(inv) == "agent":
+            pprint(f"\n[bright_black](skipping agent view of `{inv.label}` — use --show-agent)[/bright_black]")
+            continue
+        rc = _run_invocation(inv, pause_seconds=pause_seconds)
+        if rc != 0 and not inv.optional and first_error == 0:
+            first_error = rc
+
+    if pause_seconds > 0:
+        time.sleep(pause_seconds)
+    return first_error
+
+
+# ---------- Parallel fleet step ---------------------------------------------
+
+
+def _submit_one_async(argv: list[str], idx: int) -> tuple[int, str | None, float]:
+    """Submit one workflow with --async, return (idx, prompt_id, elapsed)."""
+    env = {**os.environ, "COMFY_OUTPUT": "pretty"}
+    t0 = time.time()
+    try:
+        result = subprocess.run(argv, env=env, check=False, capture_output=True, text=True, timeout=60)
+    except subprocess.TimeoutExpired:
+        return (idx, None, time.time() - t0)
+    elapsed = time.time() - t0
+    if result.returncode != 0:
+        return (idx, None, elapsed)
+    try:
+        doc = json.loads(result.stdout.strip().splitlines()[-1])
+        return (idx, doc.get("data", {}).get("prompt_id"), elapsed)
+    except (json.JSONDecodeError, IndexError):
+        return (idx, None, elapsed)
+
+
+def _fleet_step(state: _DemoState, pause_seconds: float, show_agent: bool) -> int:
+    """Submit FLEET_SIZE workflows concurrently, then watch the queue drain."""
+    comfy = _comfy_argv()
+
+    # Write per-job workflow files so we can show distinct prompt_ids and
+    # ComfyUI's cache treats them as separate jobs.
+    workflow_paths: list[str] = []
+    for i in range(FLEET_SIZE):
+        fd, path = tempfile.mkstemp(prefix=f"comfy_run_cli_fleet_{i}_", suffix=".json")
+        with os.fdopen(fd, "w") as f:
+            json.dump(fleet_workflow(i), f)
+        workflow_paths.append(path)
+    state.fleet_workflow_paths = workflow_paths
+
+    pprint(
+        f"[dim]Submitting {FLEET_SIZE} workflows concurrently with --async. "
+        "Each runs a 4096×4096 invert + scale pipeline (≈1s of CPU work). "
+        "ComfyUI processes them one at a time, so you'll see the queue with one "
+        "running and the rest pending in `jobs ls`.[/dim]"
+    )
+    _print_subhead(f"submit ×{FLEET_SIZE} in parallel", "agent")
+    example_argv = [*comfy, "--json", "run", "--workflow", workflow_paths[0], "--async"]
+    _print_command(example_argv)
+    pprint(f"[dim]…and {FLEET_SIZE - 1} more like it, in parallel via a thread pool.[/dim]")
+
+    submit_start = time.time()
+    prompt_ids: list[str | None] = [None] * FLEET_SIZE
+    elapsed: list[float] = [0.0] * FLEET_SIZE
+    with concurrent.futures.ThreadPoolExecutor(max_workers=FLEET_SIZE) as ex:
+        futures = []
+        for i, path in enumerate(workflow_paths):
+            argv = [*comfy, "--json", "run", "--workflow", path, "--async"]
+            futures.append(ex.submit(_submit_one_async, argv, i))
+        for fut in concurrent.futures.as_completed(futures):
+            idx, pid, el = fut.result()
+            prompt_ids[idx] = pid
+            elapsed[idx] = el
+            stamp = f"+{(time.time() - submit_start):0.2f}s"
+            if pid:
+                pprint(
+                    f"  [green]✓[/green] job #{idx} → [yellow]{pid}[/yellow]  [dim](submit took {el:0.2f}s, wall {stamp})[/dim]"
+                )
+            else:
+                pprint(f"  [red]✗[/red] job #{idx} submit failed  [dim](wall {stamp})[/dim]")
+
+    state.fleet_prompt_ids = [p for p in prompt_ids if p]
+    if not state.fleet_prompt_ids:
+        pprint("[bold red]No fleet jobs submitted; skipping queue inspection.[/bold red]")
+        return 1
+
+    submit_wall = time.time() - submit_start
+    pprint(
+        f"\n[bold]Submitted {len(state.fleet_prompt_ids)}/{FLEET_SIZE} jobs in {submit_wall:0.2f}s wall time.[/bold]"
+    )
+
+    # Immediate snapshot — server is still processing job 0. Expect one
+    # running + others pending (or already-completed if the box is fast).
+    _print_subhead("jobs ls — snapshot right after submit", "human")
+    _run_invocation(
+        Invocation(argv=[*comfy, "jobs", "ls"], label=""),
+        pause_seconds=0,
+        show_header=False,
+    )
+
+    if show_agent:
+        _print_subhead("jobs ls (--json) — same data, agent view", "agent")
+        _run_invocation(
+            Invocation(argv=[*comfy, "--json", "jobs", "ls"], label=""),
+            pause_seconds=0,
+            show_header=False,
+        )
+
+    # Parallel status check — fan out across all prompt_ids at once. This
+    # demonstrates the CLI is safe to invoke concurrently from agent code.
+    def _check_one(pid: str) -> tuple[str, str]:
+        r = subprocess.run(
+            [*comfy, "--json", "jobs", "status", pid],
+            env={**os.environ, "COMFY_OUTPUT": "pretty"},
+            check=False,
+            capture_output=True,
+            text=True,
+            timeout=30,
+        )
+        try:
+            return pid, json.loads(r.stdout).get("data", {}).get("status", "?")
+        except json.JSONDecodeError:
+            return pid, "error"
+
+    pprint("\n[bold]Parallel `jobs status` fan-out across the fleet (mid-flight):[/bold]")
+    with concurrent.futures.ThreadPoolExecutor(max_workers=len(state.fleet_prompt_ids)) as ex:
+        mid_results = list(ex.map(_check_one, state.fleet_prompt_ids))
+    for pid, status in mid_results:
+        color = {"completed": "green", "running": "yellow", "pending": "blue"}.get(status, "red")
+        pprint(f"  [{color}]●[/{color}] {pid}  [bold]{status}[/bold]")
+
+    # Watch one of the still-running jobs (if any) live; otherwise just
+    # replay events for the middle one.
+    pending_or_running = [pid for pid, s in mid_results if s in {"running", "pending"}]
+    target = pending_or_running[0] if pending_or_running else state.fleet_prompt_ids[len(state.fleet_prompt_ids) // 2]
+    _print_subhead(f"jobs watch {target[:8]}… — live NDJSON stream", "agent")
+    _run_invocation(
+        Invocation(argv=[*comfy, "--json-stream", "jobs", "watch", target], label="", optional=True),
+        pause_seconds=0,
+        show_header=False,
+    )
+
+    # Poll the queue once more to show drain progress, then a final snapshot.
+    time.sleep(0.5)
+    _print_subhead("jobs ls — after a brief wait", "human")
+    _run_invocation(
+        Invocation(argv=[*comfy, "jobs", "ls"], label=""),
+        pause_seconds=0,
+        show_header=False,
+    )
+    return 0
+
+
+# ---------- Demo composition -------------------------------------------------
+
+
+@dataclass
+class _DemoState:
+    workflow_path: str
+    async_prompt_id: str | None = None
+    fleet_workflow_paths: list[str] = field(default_factory=list)
+    fleet_prompt_ids: list[str] = field(default_factory=list)
+
+
+def _capture_prompt_id(state: _DemoState) -> Callable[[str], None]:
+    def handler(stdout: str) -> None:
+        try:
+            doc = json.loads(stdout.strip().splitlines()[-1])
+            pid = doc.get("data", {}).get("prompt_id")
+            if pid:
+                state.async_prompt_id = pid
+        except (json.JSONDecodeError, IndexError):
+            pass
+
+    return handler
+
+
+def _summarize_discover(stdout: str) -> None:
+    try:
+        doc = json.loads(stdout)
+        cmds = doc.get("data", {}).get("commands", {}) or {}
+        names = sorted(cmds.keys())
+        pprint(
+            f"\n[italic]({len(names)} top-level commands: "
+            f"{', '.join(names[:12])}{'…' if len(names) > 12 else ''})[/italic]"
+        )
+    except json.JSONDecodeError:
+        pass
+
+
+def _build_steps(state: _DemoState) -> list[Step]:
+    comfy = _comfy_argv()
+    wf = state.workflow_path
+
+    return [
+        Step(
+            title="env — interpreter, workspace, server",
+            invocations=[
+                Invocation(argv=[*comfy, "env"], label="comfy env"),
+                Invocation(argv=[*comfy, "--json", "env"], label="comfy --json env"),
+            ],
+        ),
+        Step(
+            title="which — resolved workspace",
+            invocations=[
+                Invocation(argv=[*comfy, "which"], label="comfy which"),
+                Invocation(argv=[*comfy, "--json", "which"], label="comfy --json which", optional=True),
+            ],
+        ),
+        Step(
+            title="discover — machine-readable surface",
+            desc="Agents read this once at startup to learn every command and error code.",
+            invocations=[
+                Invocation(
+                    argv=[*comfy, "--json", "discover"],
+                    label="comfy --json discover",
+                    capture=True,
+                    on_output=_summarize_discover,
+                ),
+            ],
+        ),
+        Step(
+            title="query — CQL against the live node graph",
+            invocations=[
+                Invocation(
+                    argv=[
+                        *comfy,
+                        "query",
+                        "-q",
+                        "from nodes where name in ('EmptyImage','ImageInvert','SaveImage') select name, category",
+                    ],
+                    label="comfy query",
+                ),
+                Invocation(
+                    argv=[
+                        *comfy,
+                        "--json",
+                        "query",
+                        "-q",
+                        "from nodes where name in ('EmptyImage','ImageInvert','SaveImage') select name, category",
+                    ],
+                    label="comfy --json query",
+                ),
+            ],
+        ),
+        Step(
+            title="run — synchronous, with progress bar",
+            invocations=[
+                Invocation(
+                    argv=[*comfy, "run", "--workflow", wf, "--verbose"],
+                    label="comfy run --verbose",
+                ),
+            ],
+        ),
+        Step(
+            title="run — same workflow, JSON envelope",
+            invocations=[
+                Invocation(
+                    argv=[*comfy, "--json", "run", "--workflow", wf],
+                    label="comfy --json run",
+                ),
+            ],
+        ),
+        Step(
+            title="run --async — single background submission",
+            invocations=[
+                Invocation(
+                    argv=[*comfy, "--json", "run", "--workflow", wf, "--async"],
+                    label="comfy --json run --async",
+                    capture=True,
+                    on_output=_capture_prompt_id(state),
+                ),
+            ],
+        ),
+        Step(
+            title="jobs ls — recent / running prompts",
+            invocations=[
+                Invocation(argv=[*comfy, "jobs", "ls"], label="comfy jobs ls"),
+                Invocation(argv=[*comfy, "--json", "jobs", "ls"], label="comfy --json jobs ls"),
+            ],
+        ),
+        Step(
+            title="jobs status — single prompt detail",
+            invocations=[
+                Invocation(argv=[*comfy, "jobs", "status", "PLACEHOLDER"], label="comfy jobs status"),
+                Invocation(
+                    argv=[*comfy, "--json", "jobs", "status", "PLACEHOLDER"],
+                    label="comfy --json jobs status",
+                ),
+            ],
+            skip_if=lambda: state.async_prompt_id is None,
+        ),
+        Step(
+            title="jobs watch — NDJSON event stream",
+            invocations=[
+                Invocation(
+                    argv=[*comfy, "--json-stream", "jobs", "watch", "PLACEHOLDER"],
+                    label="comfy --json-stream jobs watch",
+                    optional=True,
+                ),
+            ],
+            skip_if=lambda: state.async_prompt_id is None,
+        ),
+        Step(
+            title=f"FLEET — {FLEET_SIZE} jobs submitted in parallel, queue drains live",
+            desc="Concurrent --async submission via a thread pool, then jobs ls / status / watch on the fleet.",
+            custom=_fleet_step,
+        ),
+        Step(
+            title="auth whoami — Comfy Cloud sign-in state",
+            desc="Same commands work against Comfy Cloud via --where cloud (after `comfy auth login`).",
+            invocations=[
+                Invocation(argv=[*comfy, "auth", "whoami"], label="comfy auth whoami", optional=True),
+                Invocation(
+                    argv=[*comfy, "--json", "auth", "whoami"],
+                    label="comfy --json auth whoami",
+                    optional=True,
+                ),
+            ],
+        ),
+    ]
+
+
+# ---------- Entry point ------------------------------------------------------
+
+
+def execute(*, pause_seconds: float, no_cleanup: bool, show_agent: bool) -> int:
+    pprint("[bold]comfy run-cli[/bold] — capabilities walkthrough.\n")
+    pprint(
+        "[dim]Each step runs real `comfy` commands. For most steps you'll see two views "
+        "of the same call: the [green]human view[/green] (pretty terminal output) "
+        "and the [magenta]agent view[/magenta] (`--json` envelope). The fleet step "
+        f"submits {FLEET_SIZE} jobs in parallel to demonstrate background execution.[/dim]\n"
+    )
+
+    fd, wf_path = tempfile.mkstemp(prefix="comfy_run_cli_", suffix=".json")
+    with os.fdopen(fd, "w") as f:
+        json.dump(DEMO_WORKFLOW, f, indent=2)
+    pprint(f"[dim]Wrote single-job workflow → {wf_path}[/dim]")
+
+    state = _DemoState(workflow_path=wf_path)
+    steps = _build_steps(state)
+
+    first_error: int | None = None
+    for step in steps:
+        if state.async_prompt_id is not None:
+            for inv in step.invocations:
+                inv.argv = [a.replace("PLACEHOLDER", state.async_prompt_id) for a in inv.argv]
+        rc = _run_step(step, state, pause_seconds=pause_seconds, show_agent=show_agent)
+        if rc != 0 and first_error is None:
+            first_error = rc
+
+    _print_banner("Done")
+    pprint(
+        "[bold]Capabilities shown:[/bold] env · which · discover · query · "
+        "run (sync/verbose/json/async) · jobs (ls/status/watch) · "
+        f"parallel fleet ×{FLEET_SIZE} · auth whoami."
+    )
+
+    paths_to_clean = [wf_path, *state.fleet_workflow_paths]
+    if no_cleanup:
+        pprint(f"[dim]Kept {len(paths_to_clean)} workflow file(s) in /tmp for inspection.[/dim]")
+    else:
+        for p in paths_to_clean:
+            try:
+                os.unlink(p)
+            except OSError:
+                pass
+
+    return first_error or 0
diff --git a/comfy_cli/command/setup.py b/comfy_cli/command/setup.py
new file mode 100644
index 00000000..b1cedb02
--- /dev/null
+++ b/comfy_cli/command/setup.py
@@ -0,0 +1,666 @@
+"""``comfy setup`` — one-time wizard that gets you from zero to running.
+
+Orchestrates existing commands with a polished UX:
+
+1. Welcome banner (branded gradient wordmark)
+2. Choose routing: local or cloud
+3. Authenticate: browser OAuth or paste an API key
+4. Detect coding agent and install skills
+5. Verify connectivity
+6. Done — show next steps
+
+Supports both interactive (human at TTY) and non-interactive (CI, devcontainers,
+scripted installs) modes::
+
+    # Interactive (human)
+    comfy setup
+
+    # Non-interactive (CI / scripted)
+    comfy setup --non-interactive --where cloud --api-key sk-...
+    comfy setup -y --where local --skip-verify
+
+After setup, agents never need ``comfy discover`` (26K tokens). The skills
+teach them everything; routing and auth are already configured.
+"""
+
+from __future__ import annotations
+
+from pathlib import Path
+
+import typer
+
+from comfy_cli.output import get_renderer
+from comfy_cli.output import rprint as pprint
+
+
+def execute(
+    *,
+    where: str | None = None,
+    api_key: str | None = None,
+    project_dir: str | None = None,
+    non_interactive: bool = False,
+    skip_skills: bool = False,
+    skip_verify: bool = False,
+) -> None:
+    """Run the setup wizard — interactive or non-interactive."""
+    renderer = get_renderer()
+    console = renderer.console()
+
+    # api_key implies cloud
+    if api_key and not where:
+        where = "cloud"
+
+    # Non-interactive requires --where
+    if non_interactive and not where:
+        renderer.error(
+            code="setup_missing_where",
+            message="--non-interactive requires --where (local or cloud)",
+            hint="comfy setup --non-interactive --where cloud --api-key sk-...",
+        )
+        raise typer.Exit(code=1)
+
+    # Validate --where value early
+    if where:
+        from comfy_cli import where as where_module
+
+        try:
+            where_module._parse(where)
+        except ValueError as e:
+            renderer.error(code="where_invalid", message=str(e), hint="use --where local or --where cloud")
+            raise typer.Exit(code=1) from e
+        where = where.strip().lower()
+
+    # ------------------------------------------------------------------
+    # 1. Welcome
+    # ------------------------------------------------------------------
+    _print_welcome(console)
+
+    # ------------------------------------------------------------------
+    # 2. Routing — where will you run workflows?
+    # ------------------------------------------------------------------
+    if where is None:
+        console.print()
+        where = _ask_where()
+        if where is None:
+            raise typer.Exit(code=130)
+    else:
+        pprint(f"\n  [dim]Routing:[/dim] [bold cyan]{where}[/bold cyan]")
+
+    # ------------------------------------------------------------------
+    # 3. Authenticate (cloud only)
+    # ------------------------------------------------------------------
+    if where == "cloud":
+        console.print()
+        if api_key:
+            ok = _auth_api_key_direct(api_key)
+        elif non_interactive:
+            # Non-interactive cloud without api_key — check if already authed
+            ok = _check_existing_auth()
+            if not ok:
+                renderer.error(
+                    code="setup_no_auth",
+                    message="Cloud requires authentication in non-interactive mode",
+                    hint="pass --api-key sk-... or run `comfy cloud login` first",
+                )
+                raise typer.Exit(code=1)
+        else:
+            ok = _do_cloud_auth(console)
+        if not ok:
+            raise typer.Exit(code=1)
+
+    # Persist the routing default
+    from comfy_cli import where as where_module
+    from comfy_cli.config_manager import ConfigManager
+
+    ConfigManager().set(where_module.CONFIG_KEY_WHERE_DEFAULT, where)
+    pprint(f"\n  [bold green]✓[/bold green] Default routing → [bold cyan]{where}[/bold cyan]")
+
+    # ------------------------------------------------------------------
+    # 3. Project directory
+    # ------------------------------------------------------------------
+    console.print()
+    _do_project_dir(console, project_dir=project_dir, non_interactive=non_interactive)
+
+    # ------------------------------------------------------------------
+    # 4. Enable image/video previews
+    # ------------------------------------------------------------------
+    console.print()
+    _do_preview(console, non_interactive=non_interactive)
+
+    # ------------------------------------------------------------------
+    # 4b. Telemetry consent — the single explicit place the user decides.
+    # ------------------------------------------------------------------
+    console.print()
+    _do_consent(console, non_interactive=non_interactive)
+
+    # ------------------------------------------------------------------
+    # 5. Detect agent + install skills
+    # ------------------------------------------------------------------
+    if not skip_skills:
+        console.print()
+        _do_skills(console)
+
+    # ------------------------------------------------------------------
+    # 6. Verify connectivity
+    # ------------------------------------------------------------------
+    if not skip_verify:
+        console.print()
+        _do_verify(console, where)
+
+    # ------------------------------------------------------------------
+    # Done
+    # ------------------------------------------------------------------
+    _print_done(console, where)
+
+    # JSON envelope for agents
+    renderer.emit(
+        {
+            "where": where,
+            "skills_installed": not skip_skills,
+            "verified": not skip_verify,
+        },
+        command="setup",
+    )
+
+
+# ======================================================================
+# Step implementations
+# ======================================================================
+
+
+def _print_welcome(console) -> None:
+    from rich.align import Align
+    from rich.console import Group
+    from rich.panel import Panel
+    from rich.rule import Rule
+    from rich.text import Text
+
+    from comfy_cli.config_manager import ConfigManager
+    from comfy_cli.output.branding import (
+        _WORDMARK_ROWS,
+        BRAND_ACCENT,
+        BRAND_END,
+        BRAND_START,
+        gradient_block,
+    )
+
+    version = ConfigManager().get_cli_version()
+    wordmark = gradient_block(_WORDMARK_ROWS)
+    tagline = Text("setup", style=f"dim {BRAND_END}", justify="center")
+
+    steps = Text.assemble(
+        ("  1 ", f"bold {BRAND_ACCENT}"),
+        ("Choose where to run\n", "white"),
+        ("  2 ", f"bold {BRAND_ACCENT}"),
+        ("Sign in\n", "white"),
+        ("  3 ", f"bold {BRAND_ACCENT}"),
+        ("Set project directory\n", "white"),
+        ("  4 ", f"bold {BRAND_ACCENT}"),
+        ("Enable image previews\n", "white"),
+        ("  🔒 ", f"bold {BRAND_ACCENT}"),
+        ("Privacy & telemetry\n", "white"),
+        ("  5 ", f"bold {BRAND_ACCENT}"),
+        ("Install agent skills\n", "white"),
+        ("  6 ", f"bold {BRAND_ACCENT}"),
+        ("Verify connection", "white"),
+    )
+
+    body = Group(
+        Align.center(wordmark),
+        Align.center(tagline),
+        Text(""),
+        Rule(style=BRAND_END),
+        Text(""),
+        steps,
+    )
+
+    console.print(
+        Panel(
+            body,
+            subtitle=Text(f"comfy CLI v{version}", style="dim"),
+            subtitle_align="right",
+            border_style=BRAND_START,
+            padding=(1, 3),
+        )
+    )
+
+
+def _ask_where() -> str | None:
+    """Ask the user: local or cloud? (interactive only)"""
+    import questionary
+
+    from comfy_cli.output.branding import BRAND_ACCENT
+
+    pprint(f"  [bold {BRAND_ACCENT}]① Where will you run workflows?[/bold {BRAND_ACCENT}]")
+    pprint()
+
+    return questionary.select(
+        "",
+        choices=[
+            questionary.Choice("☁  Comfy Cloud", value="cloud"),
+            questionary.Choice("💻 Local ComfyUI (127.0.0.1:8188)", value="local"),
+        ],
+        instruction="(↑↓ to select, enter to confirm)",
+    ).ask()
+
+
+def _do_cloud_auth(console) -> bool:
+    """Interactive: choose between browser OAuth or pasting an API key."""
+    import questionary
+
+    from comfy_cli.output.branding import BRAND_ACCENT
+
+    pprint(f"  [bold {BRAND_ACCENT}]② Sign in to Comfy Cloud[/bold {BRAND_ACCENT}]")
+    pprint()
+
+    method = questionary.select(
+        "",
+        choices=[
+            questionary.Choice("🌐 Sign in with browser (OAuth)", value="browser"),
+            questionary.Choice("🔑 Paste an API key", value="key"),
+        ],
+        instruction="(↑↓ to select, enter to confirm)",
+    ).ask()
+
+    if method is None:
+        return False
+
+    if method == "key":
+        import questionary
+
+        key = questionary.password("  API key:").ask()
+        if not key or not key.strip():
+            pprint("  [bold red]✗[/bold red] No key provided")
+            return False
+        return _auth_api_key_direct(key.strip())
+    else:
+        return _auth_browser(console)
+
+
+def _auth_api_key_direct(key: str) -> bool:
+    """Store an API key directly (works for both interactive and non-interactive)."""
+    from comfy_cli.auth import store
+    from comfy_cli.target import CLOUD_API_KEY_PROVIDER
+
+    if not key.strip():
+        pprint("  [bold red]✗[/bold red] Empty API key")
+        return False
+
+    try:
+        store.set(CLOUD_API_KEY_PROVIDER, key.strip())
+    except ValueError as e:
+        pprint(f"  [bold red]✗[/bold red] {e}")
+        return False
+
+    pprint("  [bold green]✓[/bold green] API key saved")
+    return True
+
+
+def _check_existing_auth() -> bool:
+    """Check if cloud auth is already configured (for non-interactive without api_key)."""
+    from comfy_cli import where as where_module
+
+    err = where_module.cloud_preflight()
+    if err is None:
+        pprint("  [bold green]✓[/bold green] Cloud auth already configured")
+        return True
+    return False
+
+
+def _auth_browser(console) -> bool:
+    """Run the OAuth browser flow (same as ``comfy cloud login``)."""
+    from comfy_cli.auth import store
+    from comfy_cli.cloud import CLIENT_ID, CLIENT_NAME, get_base_url, get_resource_url, get_scopes
+    from comfy_cli.cloud.oauth import OAuthError, run_login
+
+    base_url = get_base_url()
+    pprint(f"  Opening browser for [bold cyan]{base_url}[/bold cyan]…")
+
+    def _on_url(url: str) -> None:
+        pprint("  [dim]If the browser doesn't open, visit:[/dim]")
+        pprint(f"  [cyan]{url}[/cyan]")
+
+    try:
+        result = run_login(
+            base_url=base_url,
+            resource=get_resource_url(),
+            scopes=get_scopes(),
+            client_id=CLIENT_ID,
+            client_name=CLIENT_NAME,
+            open_browser=True,
+            timeout_s=300.0,
+            on_url_ready=_on_url,
+        )
+    except OAuthError as e:
+        pprint(f"  [bold red]✗[/bold red] {e}")
+        if e.hint:
+            pprint(f"  [dim]{e.hint}[/dim]")
+        return False
+
+    store.save_cloud_session(
+        base_url=result.base_url,
+        resource=result.resource,
+        client_id=result.client_id,
+        scope=result.scope,
+        access_token=result.tokens.access_token,
+        refresh_token=result.tokens.refresh_token,
+        token_type=result.tokens.token_type,
+        expires_at=result.tokens.expires_at,
+    )
+
+    pprint("  [bold green]✓[/bold green] Signed in to Comfy Cloud")
+    return True
+
+
+def _do_project_dir(console, *, project_dir: str | None = None, non_interactive: bool = False) -> None:
+    """Ask the user for a project directory and create the folder structure."""
+    from comfy_cli.config_manager import ConfigManager
+    from comfy_cli.constants import CONFIG_KEY_DEFAULT_PROJECT_DIR
+    from comfy_cli.output.branding import BRAND_ACCENT
+
+    pprint(f"  [bold {BRAND_ACCENT}]③ Project directory[/bold {BRAND_ACCENT}]")
+    pprint()
+
+    # Check if already configured
+    existing = ConfigManager().get(CONFIG_KEY_DEFAULT_PROJECT_DIR)
+    if existing and Path(existing).is_dir() and project_dir is None:
+        pprint(f"  [bold green]✓[/bold green] Project directory: [bold cyan]{existing}[/bold cyan]")
+        return
+
+    default_dir = str(Path.home() / "comfy-projects")
+
+    if project_dir:
+        chosen = project_dir
+    elif non_interactive:
+        chosen = default_dir
+    else:
+        import questionary
+
+        pprint("  [dim]This is where workflows, inputs, and outputs are stored.[/dim]")
+        pprint()
+        chosen = questionary.text(
+            "  Project directory:",
+            default=default_dir,
+        ).ask()
+        if chosen is None:
+            chosen = default_dir
+
+    chosen = str(Path(chosen).expanduser().resolve())
+    project = Path(chosen)
+
+    # Create folder structure
+    for subdir in ("workflows", "inputs", "outputs"):
+        (project / subdir).mkdir(parents=True, exist_ok=True)
+
+    ConfigManager().set(CONFIG_KEY_DEFAULT_PROJECT_DIR, chosen)
+    pprint(f"  [bold green]✓[/bold green] Project directory: [bold cyan]{chosen}[/bold cyan]")
+    pprint("  [dim]  Created: workflows/ · inputs/ · outputs/[/dim]")
+
+
+def _do_preview(console, *, non_interactive: bool = False) -> None:
+    """Install term-image for inline image/video previews in the terminal."""
+    from comfy_cli.output.branding import BRAND_ACCENT
+
+    pprint(f"  [bold {BRAND_ACCENT}]🖼  Terminal image previews[/bold {BRAND_ACCENT}]")
+    pprint()
+
+    # Check if already installed (presence check only — don't import the module)
+    import importlib.util
+
+    if importlib.util.find_spec("term_image") is not None:
+        pprint("  [bold green]✓[/bold green] term-image already installed — previews enabled")
+        return
+
+    # Ask user (or auto-install in non-interactive mode)
+    if non_interactive:
+        want = True
+    else:
+        import questionary
+
+        want = questionary.confirm(
+            "  Install term-image for inline image/video previews?",
+            default=True,
+        ).ask()
+
+    if not want:
+        pprint("  [dim]Skipped — you can install later with: pip install term-image[/dim]")
+        return
+
+    # Install via pip
+    import subprocess
+    import sys
+
+    pprint("  Installing term-image…")
+    result = subprocess.run(  # noqa: S603
+        [sys.executable, "-m", "pip", "install", "term-image>=0.7,<0.8"],
+        capture_output=True,
+        text=True,
+    )
+    if result.returncode == 0:
+        pprint("  [bold green]✓[/bold green] Installed — image previews enabled")
+        pprint("  [dim]  Images will render inline after downloads (Kitty/iTerm2/half-blocks)[/dim]")
+    else:
+        pprint("  [dim yellow]⚠[/dim yellow] Install failed — previews will be skipped")
+        pprint(f"  [dim]{result.stderr.strip()[:200]}[/dim]")
+
+
+def _do_consent(console, *, non_interactive: bool = False) -> None:
+    """Ask for (or report) telemetry consent — the one explicit decision point.
+
+    Precedence: a hard env opt-out wins and is never overridden; an already
+    recorded choice is reported, not re-asked; non-interactive runs leave the
+    flag UNSET so a later interactive session still gets the chance to decide.
+    """
+    from comfy_cli import constants, tracking
+    from comfy_cli.config_manager import ConfigManager
+    from comfy_cli.output.branding import BRAND_ACCENT
+
+    pprint(f"  [bold {BRAND_ACCENT}]🔒 Privacy & telemetry[/bold {BRAND_ACCENT}]")
+    pprint()
+
+    if tracking._telemetry_disabled_by_env():
+        pprint("  [bold green]✓[/bold green] Telemetry disabled via environment (DO_NOT_TRACK)")
+        return
+
+    existing = ConfigManager().get_bool(constants.CONFIG_KEY_ENABLE_TRACKING)
+    if existing is not None:
+        state = "enabled" if existing else "disabled"
+        pprint(f"  [bold green]✓[/bold green] Telemetry already {state}")
+        pprint("  [dim]  Change anytime: comfy tracking enable | disable[/dim]")
+        return
+
+    pprint("  [dim]Anonymous usage data helps improve Comfy CLI.[/dim]")
+    pprint()
+
+    if non_interactive:
+        # No human to ask — leave the flag unset (don't silently opt in or out);
+        # a later interactive run will prompt via the global consent path.
+        pprint("  [dim]Skipped (non-interactive). Opt in anytime: comfy tracking enable[/dim]")
+        return
+
+    import questionary
+
+    agree = bool(questionary.confirm("  Share anonymous usage data to help improve Comfy CLI?", default=True).ask())
+    tracking.init_tracking(agree)
+    if agree:
+        pprint("  [bold green]✓[/bold green] Thanks! Enabled — disable anytime: comfy tracking disable")
+    else:
+        pprint("  [dim]No problem — telemetry stays off. Enable later: comfy tracking enable[/dim]")
+
+
+def _do_skills(console) -> None:
+    """Detect agent hosts and install skills."""
+    from comfy_cli.output.branding import BRAND_ACCENT
+    from comfy_cli.skills import TargetKind, install
+
+    pprint(f"  [bold {BRAND_ACCENT}]⑤ Install agent skills[/bold {BRAND_ACCENT}]")
+    pprint()
+
+    # Detect which agent targets exist
+    home = Path.home()
+    detected: list[TargetKind] = []
+    labels: list[str] = []
+
+    if (home / ".claude").is_dir():
+        detected.append("claude-code")
+        labels.append("Claude Code")
+    if (home / ".cursor").is_dir():
+        detected.append("cursor")
+        labels.append("Cursor")
+
+    # AGENTS.md is always an option
+    detected.append("agents-md")
+    labels.append("AGENTS.md")
+
+    if labels:
+        pprint(f"  Detected: [bold cyan]{' · '.join(labels)}[/bold cyan]")
+    pprint()
+
+    # Install all skills to all detected targets
+    results = install(scope="user", targets=detected if detected else None)
+
+    wrote = [r for r in results if r.action == "wrote"]
+    skipped = [r for r in results if r.action == "skipped"]
+
+    # Show installed skills (deduplicated by skill name)
+    installed_skills = sorted(set(r.skill for r in wrote))
+    for skill_name in installed_skills:
+        pprint(f"  [bold green]✓[/bold green] [cyan]{skill_name}[/cyan]")
+
+    skill_count = len(installed_skills)
+    target_names = sorted(set(r.kind for r in wrote))
+    target_str = " + ".join(_pretty_target(t) for t in target_names)
+
+    pprint()
+    pprint(f"  [dim]{skill_count} skills → {target_str}[/dim]")
+
+    if skipped:
+        for r in skipped[:3]:
+            pprint(f"  [dim yellow]⚠ skipped {r.skill}/{r.kind}: {r.reason}[/dim yellow]")
+
+
+def _pretty_target(kind: str) -> str:
+    return {
+        "claude-code": ".claude/skills/",
+        "cursor": ".cursor/rules/",
+        "agents-md": "AGENTS.md",
+    }.get(kind, kind)
+
+
+def _do_verify(console, where: str) -> None:
+    """Quick connectivity check."""
+    from comfy_cli.output.branding import BRAND_ACCENT
+
+    pprint(f"  [bold {BRAND_ACCENT}]⑥ Verify connection[/bold {BRAND_ACCENT}]")
+    pprint()
+
+    if where == "cloud":
+        _verify_cloud(console)
+    else:
+        _verify_local(console)
+
+
+def _verify_cloud(console) -> None:
+    """Check cloud auth + count available nodes."""
+    from comfy_cli.comfy_client import Client, Unauthenticated
+    from comfy_cli.target import resolve_target
+
+    try:
+        target = resolve_target(where="cloud")
+        client = Client(target)
+        client.get_job_status("00000000-0000-0000-0000-000000000000")
+        # If we get here (even 404), the cloud is reachable
+        pprint("  [bold green]✓[/bold green] Cloud reachable")
+    except Unauthenticated:
+        pprint("  [bold red]✗[/bold red] Not authenticated — run [cyan]comfy cloud login[/cyan]")
+        return
+    except Exception:
+        # Even an error means we connected
+        pprint("  [bold green]✓[/bold green] Cloud reachable")
+
+    # Count nodes
+    try:
+        import json
+        import subprocess
+        import sys
+
+        result = subprocess.run(
+            [sys.executable, "-m", "comfy_cli", "--where", "cloud", "--json", "nodes", "ls", "--limit", "1"],
+            capture_output=True,
+            text=True,
+            timeout=15,
+        )
+        if result.returncode == 0:
+            data = json.loads(result.stdout)
+            total = data.get("data", {}).get("total", "?")
+            pprint(f"  [bold green]✓[/bold green] {total} nodes available")
+    except Exception:
+        pass
+
+
+def _verify_local(console) -> None:
+    """Check if local ComfyUI server is running."""
+    from comfy_cli.env_checker import check_comfy_server_running
+
+    if check_comfy_server_running(8188, "127.0.0.1"):
+        pprint("  [bold green]✓[/bold green] Local server running on [cyan]127.0.0.1:8188[/cyan]")
+    else:
+        pprint("  [dim yellow]⚠[/dim yellow] Local server not running")
+        pprint("  [dim]  Start it with: [cyan]comfy launch[/cyan][/dim]")
+
+
+def _print_done(console, where: str) -> None:
+    """Final success screen with next steps."""
+    from rich.console import Group
+    from rich.panel import Panel
+    from rich.rule import Rule
+    from rich.text import Text
+
+    from comfy_cli.output.branding import (
+        BRAND_ACCENT,
+        BRAND_END,
+        BRAND_START,
+        gradient_text,
+    )
+
+    console.print()
+
+    header = gradient_text("You're all set!", bold=True)
+
+    if where == "cloud":
+        next_steps = Text.assemble(
+            ("  comfy run --workflow my.json", "bold white"),
+            ("     submit to cloud\n", "dim"),
+            ("  comfy nodes show KSampler", "bold white"),
+            ("      inspect any node\n", "dim"),
+            ("  comfy jobs ls", "bold white"),
+            ("                    track your jobs\n", "dim"),
+            ("  comfy upload photo.png", "bold white"),
+            ("           upload assets\n", "dim"),
+        )
+    else:
+        next_steps = Text.assemble(
+            ("  comfy launch", "bold white"),
+            ("                    start the server\n", "dim"),
+            ("  comfy run --workflow my.json", "bold white"),
+            ("     submit a workflow\n", "dim"),
+            ("  comfy nodes show KSampler", "bold white"),
+            ("      inspect any node\n", "dim"),
+        )
+
+    body = Group(
+        header,
+        Text(""),
+        Rule(style=BRAND_END),
+        Text(""),
+        Text("Next steps", style=f"bold {BRAND_ACCENT}"),
+        next_steps,
+    )
+
+    console.print(
+        Panel(
+            body,
+            border_style=BRAND_START,
+            padding=(1, 3),
+        )
+    )
diff --git a/comfy_cli/command/templates.py b/comfy_cli/command/templates.py
new file mode 100644
index 00000000..92b9a264
--- /dev/null
+++ b/comfy_cli/command/templates.py
@@ -0,0 +1,526 @@
+"""``comfy templates`` — workflow-template gallery introspection.
+
+Mirrors the shape of ``comfy nodes`` but queries the curated
+**workflow-template gallery** from ``Comfy-Org/workflow_templates``
+(the same content that drives comfy.org/workflows). Three primitives:
+
+    comfy templates ls   [--type T] [--category PAT] [--tag T] [--model M]
+                         [--provider P] [--name SUB] [--limit N]
+    comfy templates show <name>
+    comfy templates refresh                            # re-fetch index.json
+
+The gallery file ``templates/index.json`` is cached under
+``~/.cache/comfy-cli/gallery/index.json``. The CLI side here parses the
+index in Python (no WASM needed); for the full CQL grammar over templates
+use the flag-based filters for browsing.
+"""
+
+from __future__ import annotations
+
+import json
+import os
+import urllib.error
+import urllib.parse
+import urllib.request
+from pathlib import Path
+from typing import Annotated, Any
+
+import typer
+
+from comfy_cli import tracking
+from comfy_cli.output import get_renderer, rprint
+
+app = typer.Typer(no_args_is_help=True, help="Browse the Comfy workflow-template gallery.")
+
+GALLERY_URL = "https://raw.githubusercontent.com/Comfy-Org/workflow_templates/main/templates/index.json"
+
+
+# ---------------------------------------------------------------------------
+# Gallery loading + caching
+# ---------------------------------------------------------------------------
+
+
+def _cache_path() -> Path:
+    """Where the gallery index lives on disk. XDG-respecting."""
+    base = os.environ.get("XDG_CACHE_HOME") or os.path.expanduser("~/.cache")
+    return Path(base) / "comfy-cli" / "gallery" / "index.json"
+
+
+def _fetch_gallery(url: str = GALLERY_URL, timeout: float = 15.0) -> bytes:
+    req = urllib.request.Request(url, headers={"User-Agent": "comfy-cli"})
+    with urllib.request.urlopen(req, timeout=timeout) as resp:
+        if resp.status != 200:
+            raise RuntimeError(f"gallery fetch failed: HTTP {resp.status}")
+        return resp.read()
+
+
+def _load_gallery(
+    explicit_path: str | None,
+    *,
+    refresh: bool = False,
+) -> list[dict[str, Any]]:
+    """Resolve the gallery index. Precedence: explicit --gallery > cache > fetch.
+
+    Returns the raw decoded JSON (a list of category dicts). The CLI does
+    its own filtering on top.
+    """
+    if explicit_path:
+        return json.loads(Path(explicit_path).read_bytes())
+
+    cache = _cache_path()
+    if refresh or not cache.exists():
+        data = _fetch_gallery()
+        cache.parent.mkdir(parents=True, exist_ok=True)
+        cache.write_bytes(data)
+        return json.loads(data)
+    return json.loads(cache.read_bytes())
+
+
+def _flatten_templates(categories: list[dict[str, Any]]) -> list[dict[str, Any]]:
+    """Walk the nested (category → templates) shape and flatten to a list.
+
+    Each row gets a few extras: ``category_title``, ``group_category``, and
+    ``output_type`` (from the parent category's ``type`` — the per-template
+    ``mediaType`` is actually the thumbnail format and is misleading).
+    Providers from ``logos[].provider`` are flattened to a flat string list
+    that tolerates the scalar-or-array variance in real data.
+    """
+    rows: list[dict[str, Any]] = []
+    for cat in categories:
+        if not isinstance(cat, dict):
+            continue
+        output_type = cat.get("type") or ""
+        for t in cat.get("templates", []) or []:
+            if not isinstance(t, dict):
+                continue
+            rows.append(
+                {
+                    "name": t.get("name") or "",
+                    "title": (t.get("title") or "").strip(),
+                    "description": t.get("description") or "",
+                    "output_type": output_type,
+                    "category_title": cat.get("title") or "",
+                    "group_category": cat.get("category") or "",
+                    "tags": list(t.get("tags") or []),
+                    "models": list(t.get("models") or []),
+                    "providers": _flatten_providers(t.get("logos") or []),
+                    "date": t.get("date") or "",
+                    "open_source": bool(t.get("openSource", False)),
+                    "usage": int(t.get("usage") or 0),
+                    "media_subtype": t.get("mediaSubtype") or "",
+                    "io": t.get("io") or {},
+                }
+            )
+    return rows
+
+
+def _flatten_providers(logos: list[Any]) -> list[str]:
+    """``logos[].provider`` may be a string or a list-of-strings. Coalesce."""
+    out: list[str] = []
+    seen: set[str] = set()
+    for logo in logos:
+        if not isinstance(logo, dict):
+            continue
+        prov = logo.get("provider")
+        if isinstance(prov, str):
+            if prov and prov not in seen:
+                seen.add(prov)
+                out.append(prov)
+        elif isinstance(prov, list):
+            for p in prov:
+                if isinstance(p, str) and p and p not in seen:
+                    seen.add(p)
+                    out.append(p)
+    return out
+
+
+# ---------------------------------------------------------------------------
+# Filters — Python equivalents of nodegraph/gallery_search.go predicates
+# ---------------------------------------------------------------------------
+
+
+def _matches(
+    row: dict[str, Any],
+    *,
+    type_: str | None,
+    category: str | None,
+    tag: str | None,
+    model: str | None,
+    provider: str | None,
+    name_sub: str | None,
+) -> bool:
+    if type_ and (row.get("output_type") or "").lower() != type_.lower():
+        return False
+    if category and (row.get("category_title") or "").lower() != category.lower():
+        return False
+    if tag and not any((t or "").lower() == tag.lower() for t in row.get("tags") or []):
+        return False
+    if model and not any(model.lower() in (m or "").lower() for m in row.get("models") or []):
+        return False
+    if provider and not any(provider.lower() in (p or "").lower() for p in row.get("providers") or []):
+        return False
+    if name_sub and name_sub.lower() not in (row.get("name") or "").lower():
+        return False
+    return True
+
+
+# ---------------------------------------------------------------------------
+# Commands
+# ---------------------------------------------------------------------------
+
+
+def _ls_via_query(
+    renderer,
+    query: str,
+    gallery_path: str | None,
+    refresh: bool,
+    limit: int | None,
+) -> None:
+    """CQL grammar queries over the template gallery are not available.
+    Emit an actionable error pointing the user at the flag-based filters instead.
+    """
+    renderer.error(
+        code="cql_query_invalid",
+        message="CQL grammar queries are not available. Use flag-based filtering instead.",
+        hint="comfy templates ls --type image --tag API --model Flux",
+    )
+    raise typer.Exit(code=1)
+
+
+@app.command(
+    "ls",
+    help="List gallery templates. Filter by type/category/tag/model/provider/name, or pass --query for the full CQL grammar.",
+)
+@tracking.track_command("templates")
+def ls_cmd(
+    type_: Annotated[
+        str | None,
+        typer.Option("--type", help="Output kind: image, video, audio, 3d."),
+    ] = None,
+    category: Annotated[
+        str | None,
+        typer.Option("--category", help="Exact category title (e.g. 'Image', 'Video')."),
+    ] = None,
+    tag: Annotated[
+        str | None,
+        typer.Option("--tag", help="Tag (case-insensitive exact match, e.g. 'API')."),
+    ] = None,
+    model: Annotated[
+        str | None,
+        typer.Option("--model", help="Model name substring (e.g. 'Flux')."),
+    ] = None,
+    provider: Annotated[
+        str | None,
+        typer.Option("--provider", help="Provider substring (e.g. 'Kling', 'Black Forest Labs')."),
+    ] = None,
+    name_sub: Annotated[
+        str | None,
+        typer.Option("--name", help="Substring match on template name."),
+    ] = None,
+    query: Annotated[
+        str | None,
+        typer.Option(
+            "--query",
+            "-q",
+            show_default=False,
+            help="A CQL grammar query (e.g. 'templates type video | sort name | limit 5'). Bypasses the flag filters.",
+        ),
+    ] = None,
+    limit: Annotated[
+        int | None,
+        typer.Option(show_default=False, help="Cap output to N rows."),
+    ] = None,
+    gallery_path: Annotated[
+        str | None,
+        typer.Option(
+            "--gallery",
+            show_default=False,
+            help="Path to a local templates/index.json (skips the cache + fetch).",
+        ),
+    ] = None,
+    refresh: Annotated[
+        bool,
+        typer.Option("--refresh", help="Re-fetch index.json from GitHub before listing."),
+    ] = False,
+):
+    renderer = get_renderer()
+
+    # CQL grammar path — routes through WASM with the gallery loaded.
+    if query is not None:
+        return _ls_via_query(renderer, query, gallery_path, refresh, limit)
+
+    try:
+        cats = _load_gallery(gallery_path, refresh=refresh)
+    except (urllib.error.URLError, OSError, json.JSONDecodeError) as e:
+        renderer.error(
+            code="gallery_load_failed",
+            message=str(e),
+            hint="check your network, or pass --gallery <path> to a local index.json",
+        )
+        raise typer.Exit(code=1) from e
+
+    rows = _flatten_templates(cats)
+    total = len(rows)
+    rows = [
+        r
+        for r in rows
+        if _matches(
+            r,
+            type_=type_,
+            category=category,
+            tag=tag,
+            model=model,
+            provider=provider,
+            name_sub=name_sub,
+        )
+    ]
+    matched = len(rows)
+    if limit is not None:
+        rows = rows[: max(0, limit)]
+
+    payload = {
+        "total_in_gallery": total,
+        "matched": matched,
+        "shown": len(rows),
+        "filters": {
+            "type": type_,
+            "category": category,
+            "tag": tag,
+            "model": model,
+            "provider": provider,
+            "name": name_sub,
+        },
+        "rows": [
+            {
+                "name": r["name"],
+                "title": r["title"],
+                "output_type": r["output_type"],
+                "category_title": r["category_title"],
+                "tags": r["tags"],
+                "models": r["models"],
+                "providers": r["providers"],
+                "description": r["description"][:120],
+            }
+            for r in rows
+        ],
+    }
+
+    if renderer.is_pretty():
+        from rich.table import Table
+
+        if not rows:
+            rprint("[dim]0 templates matched.[/dim]")
+        else:
+            tbl = Table(show_header=True, header_style="bold")
+            tbl.add_column("name")
+            tbl.add_column("type", style="dim")
+            tbl.add_column("title")
+            tbl.add_column("tags", style="dim")
+            for r in rows:
+                tbl.add_row(
+                    r["name"],
+                    r["output_type"],
+                    r["title"] or "(untitled)",
+                    ", ".join(r["tags"]),
+                )
+            renderer.console().print(tbl)
+            tail = f" (of {matched} matched, {total} in gallery)" if (matched != len(rows) or matched != total) else ""
+            rprint(f"[dim]{len(rows)} template(s){tail}[/dim]")
+    renderer.emit(payload, command="templates ls")
+
+
+@app.command(
+    "show",
+    help="Show full details for a single template by name.",
+)
+@tracking.track_command("templates")
+def show_cmd(
+    name: Annotated[str, typer.Argument(help="Template name (e.g. 'image_flux2').")],
+    gallery_path: Annotated[
+        str | None,
+        typer.Option("--gallery", show_default=False, help="Path to a local index.json."),
+    ] = None,
+    refresh: Annotated[
+        bool,
+        typer.Option("--refresh", help="Re-fetch from GitHub before showing."),
+    ] = False,
+):
+    renderer = get_renderer()
+    try:
+        cats = _load_gallery(gallery_path, refresh=refresh)
+    except (urllib.error.URLError, OSError, json.JSONDecodeError) as e:
+        renderer.error(code="gallery_load_failed", message=str(e))
+        raise typer.Exit(code=1) from e
+
+    rows = _flatten_templates(cats)
+    match = next((r for r in rows if r["name"] == name), None)
+    if match is None:
+        renderer.error(
+            code="template_not_found",
+            message=f"no template named {name!r}",
+            hint="try `comfy templates ls --name <substring>` to search",
+        )
+        raise typer.Exit(code=1)
+
+    if renderer.is_pretty():
+        rprint(f"[bold]{match['name']}[/bold]")
+        if match["title"]:
+            rprint(f"  [dim]{match['title']}[/dim]")
+        rprint(f"  type:        {match['output_type']}")
+        rprint(f"  category:    {match['category_title']} ({match['group_category']})")
+        if match["tags"]:
+            rprint(f"  tags:        {', '.join(match['tags'])}")
+        if match["models"]:
+            rprint(f"  models:      {', '.join(match['models'])}")
+        if match["providers"]:
+            rprint(f"  providers:   {', '.join(match['providers'])}")
+        if match["date"]:
+            rprint(f"  date:        {match['date']}")
+        if match["description"]:
+            rprint("")
+            rprint(match["description"])
+    renderer.emit({"template": match}, command="templates show")
+
+
+@app.command("refresh", help="Re-download templates/index.json into the local cache.")
+@tracking.track_command("templates")
+def refresh_cmd():
+    renderer = get_renderer()
+    try:
+        data = _fetch_gallery()
+    except (urllib.error.URLError, OSError) as e:
+        renderer.error(code="gallery_fetch_failed", message=str(e))
+        raise typer.Exit(code=1) from e
+    cache = _cache_path()
+    cache.parent.mkdir(parents=True, exist_ok=True)
+    cache.write_bytes(data)
+    payload = {"path": str(cache), "bytes": len(data)}
+    if renderer.is_pretty():
+        rprint(f"[green]✓[/green] cached gallery to {cache} ({len(data)} bytes)")
+    renderer.emit(payload, command="templates refresh")
+
+
+# Where the per-template workflow JSONs live on GitHub. The gallery index lists
+# each template by ``name``; the corresponding workflow is at
+# ``Comfy-Org/workflow_templates/templates/<name>.json``.
+_TEMPLATE_WORKFLOW_URL = "https://raw.githubusercontent.com/Comfy-Org/workflow_templates/main/templates/{name}.json"
+
+
+def _fetch_template_workflow(name: str, *, timeout: float = 15.0) -> bytes:
+    """Pull a single template's workflow JSON from the canonical GitHub raw URL."""
+    url = _TEMPLATE_WORKFLOW_URL.format(name=urllib.parse.quote(name, safe=""))
+    req = urllib.request.Request(url, headers={"User-Agent": "comfy-cli"})
+    with urllib.request.urlopen(req, timeout=timeout) as resp:
+        if resp.status != 200:
+            raise RuntimeError(f"template workflow fetch failed: HTTP {resp.status}")
+        return resp.read()
+
+
+@app.command(
+    "fetch",
+    help=(
+        "Fetch a template's workflow JSON from the curated gallery. "
+        "Verifies the name against the gallery index first, then pulls "
+        "templates/<name>.json from Comfy-Org/workflow_templates."
+    ),
+)
+@tracking.track_command("templates")
+def fetch_cmd(
+    name: Annotated[str, typer.Argument(help="Template name (matches `comfy templates ls` rows).")],
+    out: Annotated[
+        str | None,
+        typer.Option("--out", "-o", show_default=False, help="Write to this file instead of stdout."),
+    ] = None,
+    gallery_path: Annotated[
+        str | None,
+        typer.Option("--gallery", show_default=False, help="Path to a local index.json (skips the cache + fetch)."),
+    ] = None,
+    refresh: Annotated[
+        bool,
+        typer.Option("--refresh", help="Re-fetch the gallery index from GitHub before resolving."),
+    ] = False,
+):
+    renderer = get_renderer()
+
+    # Resolve against the gallery index first so we surface "no such template"
+    # with the same close_matches affordance the rest of the CLI uses, instead
+    # of letting the user hit a raw GitHub 404.
+    try:
+        cats = _load_gallery(gallery_path, refresh=refresh)
+    except (urllib.error.URLError, OSError, json.JSONDecodeError) as e:
+        renderer.error(code="gallery_load_failed", message=str(e))
+        raise typer.Exit(code=1) from e
+
+    rows = _flatten_templates(cats)
+    match = next((r for r in rows if r["name"] == name), None)
+    if match is None:
+        # Build a small list of close matches so the agent can self-correct.
+        lower = name.lower()
+        close = [r["name"] for r in rows if lower in r["name"].lower()][:5]
+        renderer.error(
+            code="template_not_found",
+            message=f"no template named {name!r} in the gallery",
+            hint="try `comfy templates ls --name <substring>` to search",
+            details={"close_matches": close},
+        )
+        raise typer.Exit(code=1)
+
+    try:
+        body = _fetch_template_workflow(name)
+    except (urllib.error.HTTPError, urllib.error.URLError, OSError) as e:
+        status = getattr(e, "code", None)
+        renderer.error(
+            code="template_fetch_failed",
+            message=f"failed to fetch workflow for {name!r}: {e}",
+            hint=(
+                "the gallery index references a template whose workflow JSON "
+                "is missing upstream — report at "
+                "https://github.com/Comfy-Org/workflow_templates/issues"
+                if status == 404
+                else "check network connectivity"
+            ),
+            details={"status": status} if status else None,
+        )
+        raise typer.Exit(code=1) from e
+
+    # Parse so we (a) validate it's well-formed JSON and (b) can report the
+    # node count in the envelope without re-reading.
+    try:
+        wf = json.loads(body)
+    except json.JSONDecodeError as e:
+        renderer.error(
+            code="template_workflow_invalid_json",
+            message=f"upstream returned non-JSON for {name!r}: {e}",
+            hint="report at https://github.com/Comfy-Org/workflow_templates/issues",
+        )
+        raise typer.Exit(code=1) from e
+
+    if out:
+        out_path = Path(out).expanduser()
+        out_path.parent.mkdir(parents=True, exist_ok=True)
+        out_path.write_bytes(body)
+        target_repr = str(out_path)
+    else:
+        # In JSON mode, the renderer's emit() is the only thing on stdout — the
+        # raw workflow goes into the envelope under data.workflow. In pretty
+        # mode we print it to stdout so the user can pipe it.
+        if renderer.is_pretty():
+            import sys
+
+            sys.stdout.write(body.decode("utf-8"))
+            sys.stdout.write("\n")
+        target_repr = "stdout" if out is None else str(Path(out).expanduser())
+
+    payload = {
+        "name": name,
+        "title": match["title"],
+        "output_type": match["output_type"],
+        "out": target_repr,
+        "bytes": len(body),
+        # `nodes` count is the only field the agent needs to confirm the
+        # workflow loaded; the full JSON ride-along bloats every envelope.
+        "node_count": len(wf) if isinstance(wf, dict) else None,
+    }
+    if renderer.is_pretty() and out:
+        rprint(f"[green]✓[/green] wrote {len(body):,} bytes ({payload['node_count']} nodes) to {target_repr}")
+    renderer.emit(payload, command="templates fetch")
diff --git a/comfy_cli/command/transfer.py b/comfy_cli/command/transfer.py
new file mode 100644
index 00000000..ede794f2
--- /dev/null
+++ b/comfy_cli/command/transfer.py
@@ -0,0 +1,560 @@
+"""``comfy upload`` / ``comfy download`` — move files between local disk and ComfyUI.
+
+Upload sends local files to the server's input directory (both local and cloud).
+Download fetches outputs from completed jobs to the local filesystem.
+
+Pipe-friendly: ``comfy --json run --wait | comfy download`` reads the prompt_id
+and output URLs from stdin, avoiding manual extraction.
+"""
+
+from __future__ import annotations
+
+import json
+import mimetypes
+import re
+import sys
+import urllib.error
+import urllib.parse
+import urllib.request
+import uuid
+from pathlib import Path
+from typing import Any
+
+import typer
+
+from comfy_cli import jobs_state
+from comfy_cli.comfy_client import Client, Unauthenticated, extract_output_entries
+from comfy_cli.output import get_renderer
+from comfy_cli.output import rprint as pprint
+from comfy_cli.target import resolve_target
+
+
+def _default_out_dir() -> str:
+    """Return the governing project/1 root's ``outputs/`` dir, else the
+    legacy ``default_project_dir`` config key's outputs dir, else ./outputs."""
+    # project/1 convention first: downloads land in <root>/outputs by
+    # contract (execute_download mkdirs the dest, so it need not exist yet).
+    try:
+        from comfy_cli.project import find_project
+
+        p = find_project()
+        if p is not None:
+            return str(p.root / "outputs")
+    except Exception:  # noqa: BLE001
+        pass
+    try:
+        from comfy_cli.config_manager import ConfigManager
+        from comfy_cli.constants import CONFIG_KEY_DEFAULT_PROJECT_DIR
+
+        project = ConfigManager().get(CONFIG_KEY_DEFAULT_PROJECT_DIR)
+        if project:
+            from pathlib import Path
+
+            d = Path(project) / "outputs"
+            if d.is_dir():
+                return str(d)
+    except Exception:  # noqa: BLE001
+        pass
+    return "./outputs"
+
+
+# ---------------------------------------------------------------------------
+# Helpers
+# ---------------------------------------------------------------------------
+
+
+def _auth_headers(target: Any) -> dict[str, str]:
+    """Build auth headers for a target (cloud only)."""
+    headers: dict[str, str] = {}
+    if target.is_cloud:
+        if target.api_key:
+            headers["X-API-Key"] = target.api_key
+        elif target.auth_token:
+            headers["Authorization"] = f"Bearer {target.auth_token}"
+    return headers
+
+
+# Refuse redirects on upload — a 30x from an authenticated POST is suspicious.
+class _NoRedirectHandler(urllib.request.HTTPRedirectHandler):
+    def http_error_301(self, req, fp, code, msg, headers):
+        raise urllib.error.HTTPError(req.full_url, code, "redirect refused (auth leak prevention)", headers, fp)
+
+    http_error_302 = http_error_303 = http_error_307 = http_error_308 = http_error_301
+
+
+# Stripped on every download redirect so auth never crosses origins.
+_AUTH_HEADERS_TO_STRIP = frozenset({"authorization", "x-api-key", "x-comfy-api-key", "cookie"})
+_MAX_REDIRECTS = 5
+
+
+class _DownloadRedirectHandler(urllib.request.HTTPRedirectHandler):
+    """Follow redirects but strip auth headers — cloud's `/api/view` 302s to
+    a signed GCS URL where the signature is the auth."""
+
+    max_redirections = _MAX_REDIRECTS
+
+    def redirect_request(self, req, fp, code, msg, headers, newurl):
+        new_req = super().redirect_request(req, fp, code, msg, headers, newurl)
+        if new_req is None:
+            return None
+        scheme = urllib.parse.urlsplit(newurl).scheme
+        if scheme not in ("http", "https"):
+            raise urllib.error.HTTPError(
+                req.full_url, code, f"refusing redirect to non-HTTP scheme: {scheme}", headers, fp
+            )
+        for src in (new_req.headers, new_req.unredirected_hdrs):
+            for key in list(src.keys()):
+                if key.lower() in _AUTH_HEADERS_TO_STRIP:
+                    del src[key]
+        return new_req
+
+
+_TRANSFER_OPENER = urllib.request.build_opener(_NoRedirectHandler())
+_DOWNLOAD_OPENER = urllib.request.build_opener(_DownloadRedirectHandler())
+
+
+def _sanitize_multipart_filename(name: str) -> str:
+    """Escape a filename for use in Content-Disposition per RFC 7578.
+
+    Strips characters that break multipart framing (quotes, backslashes,
+    carriage returns, newlines) to prevent header injection.
+    """
+    return re.sub(r'["\\\r\n]', "_", name)
+
+
+def _assert_download_url(url: str) -> None:
+    """Reject download URLs that aren't http(s) to prevent SSRF."""
+    parsed = urllib.parse.urlsplit(url)
+    if parsed.scheme not in ("http", "https"):
+        raise ValueError(f"refusing to download from non-HTTP URL: {url}")
+
+
+def _sanitize_item_name(item: str) -> str:
+    """A filesystem-safe token for an item key used in download filenames."""
+    return re.sub(r"[^A-Za-z0-9._-]", "_", item) or "item"
+
+
+def _collision_safe_path(path: Path) -> Path:
+    """Never overwrite an existing download: ``name.ext`` → ``name.1.ext``,
+    ``name.2.ext``, … (deterministic, first free slot).
+
+    A retry fan-out reusing the same item ids re-downloads into the same
+    out-dir, and the per-job counters restart at 000 — without this, attempt
+    2 silently clobbers attempt 1. Symlinks (including dangling ones) count
+    as taken so the suffix walk can never be steered into writing through
+    one.
+    """
+    if not path.exists() and not path.is_symlink():
+        return path
+    n = 1
+    while True:
+        candidate = path.with_name(f"{path.stem}.{n}{path.suffix}")
+        if not candidate.exists() and not candidate.is_symlink():
+            return candidate
+        n += 1
+
+
+def _annotate_output_urls(output_urls: list[str], state) -> list[tuple[str | None, str | None]]:
+    """Per output URL: ``(node_id, item)`` provenance, ``None`` when unknown.
+
+    Joins URLs back to the state file's final history ``record`` on the
+    (filename, subfolder, type) query-param triple — the same triple
+    ``Client.view_url`` encodes — so matching survives base_url drift between
+    submit and download. ``node_id -> item`` comes from the compose
+    ``item_map`` (a node belongs to an item when it appears in the item's
+    ``nodes`` list or is its ``save_node``). Without a record everything is
+    ``(None, None)`` and the caller falls back to legacy naming.
+    """
+    if state is None or not isinstance(state.record, dict):
+        return [(None, None)] * len(output_urls)
+
+    key_to_node: dict[tuple[str, str, str], str] = {}
+    for entry in extract_output_entries(state.record):
+        key_to_node.setdefault((entry["filename"], entry["subfolder"], entry["type"]), entry["node_id"])
+
+    node_to_item: dict[str, str] = {}
+    for item, entry in (state.item_map or {}).items():
+        if not isinstance(entry, dict):
+            continue
+        members = list(entry.get("nodes") or [])
+        if entry.get("save_node") is not None:
+            members.append(entry["save_node"])
+        for node_id in members:
+            node_to_item[str(node_id)] = str(item)
+
+    annotations: list[tuple[str | None, str | None]] = []
+    for url in output_urls:
+        qs = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
+        key = (
+            qs.get("filename", [""])[0],
+            qs.get("subfolder", [""])[0],
+            qs.get("type", ["output"])[0],
+        )
+        node_id = key_to_node.get(key)
+        item = node_to_item.get(node_id) if node_id is not None else None
+        annotations.append((node_id, item))
+    return annotations
+
+
+# ---------------------------------------------------------------------------
+# Upload
+# ---------------------------------------------------------------------------
+
+
+def _upload_file(path: Path, target: Any, *, overwrite: bool) -> dict:
+    """POST one local file to ``target``'s ``/upload/image`` endpoint.
+
+    This is the ONLY ingestion path the CLI uses — files always travel over
+    the server's HTTP API, never by writing into a ComfyUI install's folders.
+    Returns the server's parsed JSON response (``name``/``subfolder``/``type``).
+    Raises ``urllib.error.HTTPError`` on a non-2xx response; callers own the
+    envelope/error rendering.
+    """
+    filename = path.name
+    file_data = path.read_bytes()
+    content_type = mimetypes.guess_type(filename)[0] or "application/octet-stream"
+
+    # Build multipart/form-data body
+    boundary = uuid.uuid4().hex
+    body = b""
+    # -- overwrite field
+    body += f"--{boundary}\r\n".encode()
+    body += b'Content-Disposition: form-data; name="overwrite"\r\n\r\n'
+    body += (b"true" if overwrite else b"false") + b"\r\n"
+    # -- file field
+    body += f"--{boundary}\r\n".encode()
+    safe_filename = _sanitize_multipart_filename(filename)
+    body += f'Content-Disposition: form-data; name="image"; filename="{safe_filename}"\r\n'.encode()
+    body += f"Content-Type: {content_type}\r\n\r\n".encode()
+    body += file_data
+    body += b"\r\n"
+    body += f"--{boundary}--\r\n".encode()
+
+    url = target.url("upload/image")
+    req = urllib.request.Request(url, data=body, method="POST")
+    req.add_header("Content-Type", f"multipart/form-data; boundary={boundary}")
+    for hdr, val in _auth_headers(target).items():
+        req.add_header(hdr, val)
+
+    with _TRANSFER_OPENER.open(req) as resp:
+        return json.loads(resp.read().decode("utf-8", errors="replace"))
+
+
+def execute_upload(
+    files: list[str],
+    *,
+    where: str | None = None,
+    overwrite: bool = False,
+) -> list[str]:
+    """Upload one or more local files to the ComfyUI server's input directory.
+
+    Returns the list of server-side filenames (the ``name`` field from each
+    upload response).
+    """
+    renderer = get_renderer()
+    target = resolve_target(where=where)
+
+    uploads: list[dict[str, Any]] = []
+    cloud_names: list[str] = []
+
+    for filepath in files:
+        path = Path(filepath)
+        if not path.is_file():
+            renderer.error(
+                code="upload_failed",
+                message=f"File not found: {filepath}",
+                hint="check the file path and try again",
+                details={"filename": filepath},
+            )
+            raise typer.Exit(code=1)
+
+        filename = path.name
+        file_size = path.stat().st_size
+        max_upload = 2 * 1024 * 1024 * 1024  # 2 GB safety cap
+        if file_size > max_upload:
+            renderer.error(
+                code="upload_failed",
+                message=f"File too large: {file_size} bytes (limit {max_upload})",
+                hint="compress or resize the file before uploading",
+                details={"filename": filepath, "size": file_size, "limit": max_upload},
+            )
+            raise typer.Exit(code=1)
+        try:
+            result = _upload_file(path, target, overwrite=overwrite)
+        except urllib.error.HTTPError as e:
+            status = e.code
+            renderer.error(
+                code="upload_failed",
+                message=f"Failed to upload {filename}: HTTP {status}",
+                hint="check the file exists and the server is reachable",
+                details={"status": status, "filename": filename},
+            )
+            raise typer.Exit(code=1)
+
+        cloud_name = result.get("name", filename)
+        subfolder = result.get("subfolder", "")
+        file_type = result.get("type", "input")
+
+        cloud_names.append(cloud_name)
+        uploads.append(
+            {
+                "local_path": str(path.resolve()),
+                "cloud_name": cloud_name,
+                "subfolder": subfolder,
+                "type": file_type,
+            }
+        )
+        # Human progress line is pretty-mode-only: machine consumers read the
+        # envelope, and stdout must stay pure JSON for `| jq` pipelines.
+        if renderer.is_pretty():
+            pprint(f"✓ uploaded {filename} → {cloud_name} ({file_type})")
+
+    renderer.emit({"uploads": uploads}, command="upload")
+    return cloud_names
+
+
+# ---------------------------------------------------------------------------
+# Download
+# ---------------------------------------------------------------------------
+
+
+def execute_download(
+    prompt_id: str | None = None,
+    *,
+    out_dir: str | None = None,
+    where: str | None = None,
+    url_only: bool = False,
+) -> list[str]:
+    """Download all outputs from a completed job to a local directory.
+
+    Supports piped input: ``comfy --json run --wait | comfy download``.
+    Returns the list of saved file paths.
+    """
+    renderer = get_renderer()
+    piped_urls: list[str] = []
+
+    # -- Try reading from stdin if prompt_id wasn't given explicitly ----------
+    # `comfy --json run --wait | comfy download` is the documented pipe
+    # pattern, so this must survive whatever the upstream wrote: an error
+    # envelope (`"data": null`), a non-envelope JSON value, or non-JSON
+    # garbage — never a traceback.
+    if prompt_id is None and not sys.stdin.isatty():
+        try:
+            envelope = json.load(sys.stdin)
+        except (json.JSONDecodeError, ValueError):
+            envelope = {}
+        if not isinstance(envelope, dict):
+            envelope = {}
+        data = envelope.get("data")
+        if not isinstance(data, dict):
+            data = {}
+        if envelope.get("ok") is False:
+            # Upstream command failed — surface its error (and prompt_id when
+            # it carried one, e.g. a --wait poll failure on a still-running
+            # job) so the caller can recover instead of guessing.
+            upstream_error = envelope.get("error") if isinstance(envelope.get("error"), dict) else None
+            upstream_details = (upstream_error or {}).get("details")
+            if not isinstance(upstream_details, dict):
+                upstream_details = {}
+            upstream_prompt_id = data.get("prompt_id") or upstream_details.get("prompt_id")
+            details: dict[str, Any] = {"upstream_command": envelope.get("command")}
+            if upstream_error is not None:
+                details["upstream_error"] = upstream_error
+            if upstream_prompt_id:
+                details["prompt_id"] = upstream_prompt_id
+            renderer.error(
+                code="download_no_prompt",
+                message="Piped envelope reports a failed upstream command (ok=false) — nothing to download",
+                hint=(
+                    f"the upstream job may still exist; check `comfy jobs status {upstream_prompt_id}` "
+                    f"and retry `comfy download {upstream_prompt_id}`"
+                    if upstream_prompt_id
+                    else "fix the upstream failure (see details.upstream_error), then re-run the pipe"
+                ),
+                details=details,
+            )
+            raise typer.Exit(code=1)
+        prompt_id = data.get("prompt_id")
+        piped_urls = data.get("outputs") or []
+
+    if not prompt_id:
+        renderer.error(
+            code="download_no_prompt",
+            message="No prompt_id provided",
+            hint=("pass a prompt_id argument, or pipe the output of 'comfy --json run --wait' into this command"),
+        )
+        raise typer.Exit(code=1)
+
+    target = resolve_target(where=where)
+
+    # -- Resolve output URLs --------------------------------------------------
+    # The state file is read regardless of the URL source: its `record` +
+    # `item_map` (when present) drive item-aware file naming below.
+    state = jobs_state.read(prompt_id)
+    output_urls: list[str] = []
+
+    if piped_urls:
+        output_urls = list(piped_urls)
+    else:
+        # Try the on-disk state file first
+        if state is not None and state.outputs:
+            output_urls = list(state.outputs)
+        else:
+            # Fall back to querying the API. Download is an observer command —
+            # often running in concurrent retry loops — so it must never clear
+            # the shared OAuth session on a fatal refresh error.
+            try:
+                client = Client(target, clear_session_on_auth_failure=False)
+                record = client.get_history(prompt_id)
+                if record is not None:
+                    output_urls = client.extract_output_urls(record)
+                else:
+                    renderer.error(
+                        code="download_job_not_found",
+                        message=f"Job {prompt_id} not found in state files or API",
+                        hint="check the prompt_id and ensure the job has completed",
+                        details={"prompt_id": prompt_id},
+                    )
+                    raise typer.Exit(code=1)
+            except Unauthenticated as exc:
+                renderer.error(
+                    code="download_job_not_found",
+                    message=f"Job {prompt_id} not found in local state files and cloud auth is missing",
+                    hint="run 'comfy cloud login' or check the prompt_id",
+                    details={"prompt_id": prompt_id},
+                )
+                raise typer.Exit(code=1) from exc
+
+    if not output_urls:
+        renderer.error(
+            code="download_no_outputs",
+            message=f"Job {prompt_id} has no outputs yet",
+            hint="wait for the job to complete before downloading",
+            details={"prompt_id": prompt_id},
+        )
+        raise typer.Exit(code=1)
+
+    # -- URL-only mode: emit URLs without downloading --------------------------
+    if url_only:
+        renderer.emit(
+            {
+                "prompt_id": prompt_id,
+                "urls": output_urls,
+            },
+            command="download",
+        )
+        return output_urls
+
+    # -- Download each URL ----------------------------------------------------
+    dest = Path(out_dir or _default_out_dir())
+    dest.mkdir(parents=True, exist_ok=True)
+
+    auth_hdrs = _auth_headers(target)
+    saved_files: list[dict[str, Any]] = []
+    saved_paths: list[str] = []
+    short_id = prompt_id[:8]
+
+    # Provenance per URL (node id + compose foreach item) from the state
+    # file's record/item_map. Item-mapped outputs are named `<item>_<nnn>`
+    # with a PER-ITEM counter; everything else keeps `<prompt8>_<idx>`.
+    annotations = _annotate_output_urls(output_urls, state)
+    item_counters: dict[str, int] = {}
+
+    for idx, url in enumerate(output_urls):
+        # Derive extension from the URL's filename query param
+        parsed = urllib.parse.urlparse(url)
+        qs = urllib.parse.parse_qs(parsed.query)
+        remote_name = qs.get("filename", ["output.png"])[0]
+        ext = Path(remote_name).suffix or ".png"
+        node_id, item = annotations[idx]
+        if item is not None:
+            safe_item = _sanitize_item_name(item)
+            n = item_counters.get(safe_item, 0)
+            item_counters[safe_item] = n + 1
+            local_name = f"{safe_item}_{n:03d}{ext}"
+        else:
+            local_name = f"{short_id}_{idx:03d}{ext}"
+        # Suffix deterministically instead of overwriting a prior attempt.
+        local_path = _collision_safe_path(dest / local_name)
+
+        try:
+            _assert_download_url(url)
+        except ValueError as e:
+            renderer.error(
+                code="download_failed",
+                message=str(e),
+                hint="output URLs should be http or https",
+                details={"url": url, "index": idx},
+            )
+            raise typer.Exit(code=1)
+
+        # Refuse to overwrite symlinks (could be pointed at arbitrary files).
+        if local_path.is_symlink():
+            renderer.error(
+                code="download_failed",
+                message=f"Refusing to write to symlink: {local_path}",
+                hint="remove the symlink and retry",
+                details={"path": str(local_path), "index": idx},
+            )
+            raise typer.Exit(code=1)
+
+        req = urllib.request.Request(url)
+        for hdr, val in auth_hdrs.items():
+            req.add_header(hdr, val)
+
+        max_download = 10 * 1024 * 1024 * 1024  # 10 GB safety cap
+        try:
+            with _DOWNLOAD_OPENER.open(req) as resp:
+                total = 0
+                with open(local_path, "wb") as fp:
+                    while True:
+                        chunk = resp.read(65536)
+                        if not chunk:
+                            break
+                        total += len(chunk)
+                        if total > max_download:
+                            raise ValueError(f"download exceeds {max_download} byte safety limit")
+                        fp.write(chunk)
+        except urllib.error.HTTPError as e:
+            renderer.error(
+                code="download_failed",
+                message=f"Failed to download output {idx}: HTTP {e.code}",
+                hint="check that the job completed successfully and the server is reachable",
+                details={"status": e.code, "url": url, "index": idx},
+            )
+            raise typer.Exit(code=1)
+
+        file_size = local_path.stat().st_size
+        entry: dict[str, Any] = {
+            "url": url,
+            "path": str(local_path.resolve()),
+            "size": file_size,
+        }
+        # Optional provenance keys — present only when known (no nulls).
+        if node_id is not None:
+            entry["node_id"] = node_id
+        if item is not None:
+            entry["item"] = item
+        saved_files.append(entry)
+        saved_paths.append(str(local_path.resolve()))
+
+    # Human progress line + inline previews are pretty-mode-only: machine
+    # consumers read the envelope, and `comfy --json download | jq` requires
+    # stdout to carry nothing but JSON (envelope as the last line).
+    if renderer.is_pretty():
+        pprint(f"✓ downloaded {len(saved_files)} file(s) to {dest}")
+
+        from comfy_cli.output.preview import preview
+
+        for sf in saved_files:
+            preview(sf["path"])
+
+    renderer.emit(
+        {
+            "prompt_id": prompt_id,
+            "out_dir": str(dest.resolve()),
+            "files": saved_files,
+        },
+        command="download",
+    )
+    return saved_paths
diff --git a/comfy_cli/command/workflow.py b/comfy_cli/command/workflow.py
new file mode 100644
index 00000000..132bb144
--- /dev/null
+++ b/comfy_cli/command/workflow.py
@@ -0,0 +1,747 @@
+"""``comfy workflow`` — slot-based editing of ComfyUI frontend-format workflows.
+
+Three primitives:
+
+    comfy workflow slots <file>                        # what can I tweak?
+    comfy workflow set-slot <file> ADDR=VALUE [...]    # tweak one or more
+    comfy workflow vary <file> --slot ADDR='[v1,v2]'   # produce N variants
+
+Workflows must be **frontend-format** (the regular ComfyUI save — has
+``nodes[]`` / ``links[]``, may contain subgraphs). API-format (the export
+that ``comfy run`` consumes) is rejected with a clean envelope and a hint.
+
+Slot addresses follow CQL's format: ``<instance_id>.<input_name>``. Run
+``slots`` first to discover them.
+"""
+
+from __future__ import annotations
+
+import json
+from pathlib import Path
+from typing import Annotated, Any
+
+import typer
+
+from comfy_cli import tracking
+from comfy_cli.output import get_renderer, rprint
+
+app = typer.Typer(no_args_is_help=True, help="Slot-based editing of frontend-format ComfyUI workflows.")
+
+
+# ---------------------------------------------------------------------------
+# shared helpers
+# ---------------------------------------------------------------------------
+
+
+def _is_frontend_format(data: Any) -> bool:
+    """Heuristic: frontend format has ``nodes`` as a list. API format has it as a dict keyed by IDs."""
+    return isinstance(data, dict) and isinstance(data.get("nodes"), list)
+
+
+def _load_workflow_or_fail(renderer, path: str) -> tuple[Path, dict[str, Any]]:
+    """Read + parse + format-check a workflow file. Exit with envelope on any failure."""
+    p = Path(path).expanduser()
+    if not p.is_file():
+        renderer.error(
+            code="workflow_not_found",
+            message=f"Workflow file not found: {path}",
+            hint="check the path",
+        )
+        raise typer.Exit(code=1)
+    try:
+        data = json.loads(p.read_text(encoding="utf-8"))
+    except OSError as e:
+        renderer.error(code="workflow_not_found", message=f"Unable to read workflow file: {e}")
+        raise typer.Exit(code=1) from e
+    except json.JSONDecodeError as e:
+        renderer.error(
+            code="workflow_invalid_json",
+            message=f"Workflow file is not valid JSON: {e}",
+            hint="check the file or re-export from ComfyUI",
+        )
+        raise typer.Exit(code=1) from e
+    if not _is_frontend_format(data):
+        renderer.error(
+            code="workflow_not_frontend_format",
+            message="`comfy workflow` requires the frontend-format workflow (with `nodes[]` / `links[]`).",
+            hint="in ComfyUI, use `File > Save (As)` to export the editing format. "
+            "The `File > Export (API)` output is for `comfy run`, not for editing.",
+            details={"path": str(p)},
+        )
+        raise typer.Exit(code=1)
+    return p, data
+
+
+def _get_graph(input_path: str | None, host: str | None, port: int | None, on_stale=None):
+    """Build a Graph from the resolved object_info source.
+
+    The live (non-``--input``) fetch goes through ``resilient_load_object_info``,
+    which auto-caches successful fetches, retries once after a session refresh,
+    and falls back to the last cached dump (with a stderr warning) when the
+    server/session is briefly unreachable.
+
+    ``on_stale``, if provided, is fired when a stale-cache fallback occurs:
+    ``on_stale(host_key, error_str)``.
+    """
+    from comfy_cli.cql.engine import Graph, LoadError
+
+    renderer = get_renderer()
+    try:
+        if input_path is not None:
+            # Explicit offline dump — Graph.load reads + annotates it.
+            return Graph.load(input_path=input_path, host=host or "127.0.0.1", port=port or 8188)
+        # Live fetch: resolve mode from global routing chain, then use resilient loader.
+        from comfy_cli import where as where_module
+        from comfy_cli.config_manager import ConfigManager
+
+        decision = where_module.resolve(
+            flag=None,
+            config_value=ConfigManager().get(where_module.CONFIG_KEY_WHERE_DEFAULT),
+        )
+        mode = "cloud" if decision.target is where_module.WhereTarget.CLOUD else "local"
+        from comfy_cli.cql.loader import resilient_load_object_info
+
+        raw = resilient_load_object_info(
+            mode=mode,
+            host=host or "127.0.0.1",
+            port=port or 8188,
+            on_stale=on_stale,
+        )
+        graph = Graph.from_object_info(raw)
+        graph._try_default_annotations()
+        return graph
+    except LoadError as e:
+        renderer.error(
+            code="cql_no_graph",
+            message=str(e),
+            hint=e.details.get("hint", "pass --input <path>, or start the server with `comfy launch`"),
+        )
+        raise typer.Exit(code=1) from e
+
+
+def _atomic_write_text(path: Path, content: str) -> None:
+    """Write via tmp + rename so SIGINT mid-write can't leave a half-written file."""
+    import os
+
+    tmp = path.with_suffix(path.suffix + f".{os.getpid()}.tmp")
+    try:
+        tmp.write_text(content, encoding="utf-8")
+        os.replace(tmp, path)
+    except Exception:
+        try:
+            tmp.unlink()
+        except OSError:
+            pass
+        raise
+
+
+def _parse_value(raw: str) -> Any:
+    """Parse a CLI-supplied value as JSON; fall back to the literal string."""
+    try:
+        return json.loads(raw)
+    except (json.JSONDecodeError, ValueError):
+        return raw
+
+
+def _split_addr_value(arg: str, renderer) -> tuple[str, Any]:
+    """Split ``addr=value`` and parse value as JSON-or-string."""
+    if "=" not in arg:
+        renderer.error(
+            code="workflow_slot_invalid",
+            message=f"Expected `ADDR=VALUE`, got {arg!r}",
+            hint='example: `6.text="a cat"` — run `comfy workflow slots <file>` first to list real addresses (`<node_id>.<input>`)',
+        )
+        raise typer.Exit(code=1)
+    addr, _, raw = arg.partition("=")
+    return addr.strip(), _parse_value(raw)
+
+
+# ---------------------------------------------------------------------------
+# slots
+# ---------------------------------------------------------------------------
+
+
+@app.command("slots", help="List the agent-tweakable slots a workflow exposes.")
+@tracking.track_command("workflow")
+def slots_cmd(
+    file: Annotated[str, typer.Argument(help="Frontend-format workflow JSON.")],
+    input_path: Annotated[
+        str | None,
+        typer.Option("--input", show_default=False, help="Path to a saved object_info JSON (offline)."),
+    ] = None,
+    host: Annotated[str | None, typer.Option(show_default=False)] = None,
+    port: Annotated[int | None, typer.Option(show_default=False)] = None,
+    template_id: Annotated[
+        str,
+        typer.Option("--id", show_default=False, help="Template ID label; cosmetic only — defaults to the filename."),
+    ] = "",
+):
+    renderer = get_renderer()
+    p, workflow = _load_workflow_or_fail(renderer, file)
+    _stale: dict = {}
+    graph = _get_graph(
+        input_path, host, port, on_stale=lambda key, err: _stale.update(stale=True, source=key, reason=err)
+    )
+
+    template_id = template_id or p.stem
+    try:
+        schema = graph.get_template_schema(template_id, workflow)
+    except (ValueError, KeyError) as e:
+        renderer.error(code="workflow_slot_invalid", message=f"Could not extract slots: {e}")
+        raise typer.Exit(code=1) from e
+
+    payload = {
+        "workflow": str(p),
+        "id": schema.get("id"),
+        "count": len(schema.get("slots") or []),
+        "slots": schema.get("slots") or [],
+    }
+
+    if _stale:
+        payload["stale"] = True
+        payload["warnings"] = [
+            {"code": "object_info_stale", "message": f"served from cache ({_stale['source']}): {_stale['reason']}"}
+        ]
+
+    if renderer.is_pretty():
+        from rich.table import Table
+
+        slots = payload["slots"]
+        if not slots:
+            rprint("[dim]No tweakable slots in this workflow.[/dim]")
+        else:
+            tbl = Table(show_header=True, header_style="bold")
+            tbl.add_column("address", no_wrap=True)
+            tbl.add_column("type", style="dim", no_wrap=True)
+            tbl.add_column("current", style="dim", overflow="fold")
+            for s in slots:
+                if not isinstance(s, dict):
+                    continue
+                addr = s.get("address") or s.get("name") or ""
+                t = s.get("type") or ""
+                val = s.get("current_value")
+                tbl.add_row(str(addr), str(t), "" if val is None else str(val)[:80])
+            renderer.console().print(tbl)
+            rprint(f"[dim]{len(slots)} slot(s) · run `comfy workflow set-slot {p} <addr>=<value>`[/dim]")
+    renderer.emit(payload, command="workflow slots")
+
+
+# ---------------------------------------------------------------------------
+# set-slot
+# ---------------------------------------------------------------------------
+
+
+@app.command("set-slot", help="Apply one or more slot overrides to a workflow in place (or --stdout).")
+@tracking.track_command("workflow")
+def set_slot_cmd(
+    file: Annotated[str, typer.Argument(help="Frontend-format workflow JSON.")],
+    overrides: Annotated[list[str], typer.Argument(metavar="ADDR=VALUE...", help="One or more ADDR=VALUE pairs.")],
+    stdout: Annotated[
+        bool,
+        typer.Option(
+            "--stdout/--in-place",
+            show_default=False,
+            help="Print the result to stdout instead of writing back to <file>.",
+        ),
+    ] = False,
+    input_path: Annotated[str | None, typer.Option("--input", show_default=False)] = None,
+    host: Annotated[str | None, typer.Option(show_default=False)] = None,
+    port: Annotated[int | None, typer.Option(show_default=False)] = None,
+):
+    renderer = get_renderer()
+    p, workflow = _load_workflow_or_fail(renderer, file)
+    _stale: dict = {}
+    graph = _get_graph(
+        input_path, host, port, on_stale=lambda key, err: _stale.update(stale=True, source=key, reason=err)
+    )
+
+    overrides_dict: dict[str, Any] = {}
+    for raw in overrides:
+        addr, value = _split_addr_value(raw, renderer)
+        overrides_dict[addr] = value
+
+    try:
+        new_workflow, warnings = graph.apply_slots(workflow, overrides_dict)
+    except ValueError as e:
+        renderer.error(
+            code="workflow_slot_invalid",
+            message=str(e),
+            hint="run `comfy workflow slots <file>` to see valid addresses + types",
+        )
+        raise typer.Exit(code=1) from e
+
+    serialized = json.dumps(new_workflow, indent=2)
+
+    if stdout:
+        import sys
+
+        sys.stdout.write(serialized)
+        sys.stdout.write("\n")
+        return
+
+    _atomic_write_text(p, serialized)
+
+    payload = {
+        "workflow": str(p),
+        "applied": list(overrides_dict.keys()),
+        "warnings": warnings,
+        "wrote": str(p),
+    }
+    if _stale:
+        payload["stale"] = True
+        payload["warnings"] = list(warnings) + [
+            {"code": "object_info_stale", "message": f"served from cache ({_stale['source']}): {_stale['reason']}"}
+        ]
+    if renderer.is_pretty():
+        rprint(f"[bold green]✓[/bold green] applied {len(overrides_dict)} slot(s) → [dim]{p}[/dim]")
+        for addr in overrides_dict:
+            rprint(f"  [dim]·[/dim] {addr}")
+        for w in warnings:
+            rprint(f"  [yellow]warning:[/yellow] {w}")
+    renderer.emit(payload, command="workflow set-slot", changed=True)
+
+
+# ---------------------------------------------------------------------------
+# vary
+# ---------------------------------------------------------------------------
+
+
+@app.command("vary", help="Produce N workflow variants from a per-slot value list. Emits NDJSON.")
+@tracking.track_command("workflow")
+def vary_cmd(
+    file: Annotated[str, typer.Argument(help="Frontend-format workflow JSON.")],
+    slot: Annotated[
+        list[str],
+        typer.Option(
+            "--slot",
+            help="ADDR='[v1,v2,...]' — repeat per slot. Lists are zipped, so all --slot args must have the same length.",
+        ),
+    ],
+    input_path: Annotated[str | None, typer.Option("--input", show_default=False)] = None,
+    host: Annotated[str | None, typer.Option(show_default=False)] = None,
+    port: Annotated[int | None, typer.Option(show_default=False)] = None,
+    out_dir: Annotated[
+        str | None,
+        typer.Option(
+            "--out-dir",
+            show_default=False,
+            help="If set, write each variation to <out-dir>/<stem>_<N>.json. Otherwise emit NDJSON to stdout.",
+        ),
+    ] = None,
+):
+    renderer = get_renderer()
+    p, workflow = _load_workflow_or_fail(renderer, file)
+    _stale: dict = {}
+    graph = _get_graph(
+        input_path, host, port, on_stale=lambda key, err: _stale.update(stale=True, source=key, reason=err)
+    )
+
+    # Parse each --slot ADDR='[a,b,c]'. Each value must be a JSON list.
+    by_addr: dict[str, list[Any]] = {}
+    for raw in slot:
+        addr, value = _split_addr_value(raw, renderer)
+        if not isinstance(value, list):
+            renderer.error(
+                code="workflow_slot_invalid",
+                message=f"--slot {addr}: value must be a JSON array (got {type(value).__name__}).",
+                hint='example: --slot \'6.text=["a cat","a dog"]\' — run `comfy workflow slots <file>` first to list real addresses (`<node_id>.<input>`)',
+            )
+            raise typer.Exit(code=1)
+        by_addr[addr] = value
+
+    if not by_addr:
+        renderer.error(code="workflow_slot_invalid", message="vary needs at least one --slot")
+        raise typer.Exit(code=1)
+
+    lengths = {addr: len(vals) for addr, vals in by_addr.items()}
+    n = next(iter(lengths.values()))
+    if any(length != n for length in lengths.values()):
+        renderer.error(
+            code="workflow_slot_invalid",
+            message=f"All --slot lists must have the same length. Got: {lengths}",
+        )
+        raise typer.Exit(code=1)
+
+    variations = [{addr: vals[i] for addr, vals in by_addr.items()} for i in range(n)]
+
+    try:
+        workflows, warnings = graph.expand_variations(workflow, variations)
+    except ValueError as e:
+        renderer.error(code="workflow_slot_invalid", message=str(e))
+        raise typer.Exit(code=1) from e
+
+    written: list[str] = []
+    if out_dir:
+        out = Path(out_dir).expanduser()
+        out.mkdir(parents=True, exist_ok=True)
+        for i, wf in enumerate(workflows):
+            target = out / f"{p.stem}_{i:03d}.json"
+            _atomic_write_text(target, json.dumps(wf, indent=2))
+            written.append(str(target))
+    else:
+        import sys
+
+        for wf in workflows:
+            sys.stdout.write(json.dumps(wf))
+            sys.stdout.write("\n")
+        sys.stdout.flush()
+
+    payload = {
+        "workflow": str(p),
+        "count": len(workflows),
+        "warnings": warnings,
+        "out_dir": str(Path(out_dir).expanduser()) if out_dir else None,
+        "written": written,
+    }
+    if _stale:
+        payload["stale"] = True
+        payload["warnings"] = list(warnings) + [
+            {"code": "object_info_stale", "message": f"served from cache ({_stale['source']}): {_stale['reason']}"}
+        ]
+    if renderer.is_pretty():
+        rprint(f"[bold green]✓[/bold green] produced {len(workflows)} variation(s)")
+        if written:
+            for path in written[:5]:
+                rprint(f"  [dim]→[/dim] {path}")
+            if len(written) > 5:
+                rprint(f"  [dim]… and {len(written) - 5} more[/dim]")
+        for w in warnings:
+            rprint(f"  [yellow]warning:[/yellow] {w}")
+    renderer.emit(payload, command="workflow vary", changed=bool(written))
+
+
+# ---------------------------------------------------------------------------
+# Cloud-saved workflows — list, get, save, delete via /api/workflows
+# ---------------------------------------------------------------------------
+#
+# These four subcommands are cloud-only. ComfyUI's local server has no
+# /api/workflows surface; users on local manage workflows as JSON files
+# on disk via the slot-editing commands above. With ``--where local`` or
+# no cloud session configured, we surface ``workflow_saved_local_unsupported``
+# with a hint pointing at the local file-based flow.
+
+
+def _cloud_target_or_local_error(where: str | None, renderer):
+    """Resolve a cloud Target or emit ``workflow_saved_local_unsupported``."""
+    from comfy_cli.target import resolve_target
+
+    target = resolve_target(where=where)
+    if not target.is_cloud:
+        renderer.error(
+            code="workflow_saved_local_unsupported",
+            message="Saved-workflow management requires Comfy Cloud; local ComfyUI has no /api/workflows surface.",
+            hint="for local workflows, manage JSON files on disk via `comfy workflow slots/set-slot/vary`",
+        )
+        raise typer.Exit(code=1)
+    return target
+
+
+def _authed_request(
+    url: str, target, *, method: str = "GET", data: bytes | None = None, content_type: str | None = None
+):
+    """Build an authenticated urllib Request. The return type is annotated
+    loosely to keep urllib out of the module's top-level imports."""
+    import urllib.request
+
+    req = urllib.request.Request(url, data=data, method=method)
+    if target.api_key:
+        req.add_header("X-API-Key", target.api_key)
+    elif target.auth_token:
+        req.add_header("Authorization", f"Bearer {target.auth_token}")
+    if content_type:
+        req.add_header("Content-Type", content_type)
+    return req
+
+
+def _http_request(
+    url: str, target, *, method: str = "GET", body: dict | None = None, timeout: float = 30.0
+) -> tuple[int, dict | None]:
+    """Authed HTTP call returning (status, parsed_json_or_none). Raises
+    urllib errors verbatim so callers can surface the right error code."""
+    import urllib.request
+
+    data = json.dumps(body).encode("utf-8") if body is not None else None
+    ct = "application/json" if data is not None else None
+    req = _authed_request(url, target, method=method, data=data, content_type=ct)
+    with urllib.request.urlopen(req, timeout=timeout) as resp:
+        status = resp.status
+        raw = resp.read(64 * 1024 * 1024)  # 64 MiB cap
+    if not raw:
+        return status, None
+    try:
+        return status, json.loads(raw)
+    except json.JSONDecodeError:
+        return status, None
+
+
+def _handle_cloud_http_error(renderer, e, *, operation: str, workflow_id: str | None = None) -> typer.Exit:
+    """Map HTTP failures to envelope codes. Returns an Exit to ``raise from``."""
+    import urllib.error
+
+    if isinstance(e, urllib.error.HTTPError):
+        body = (e.read() or b"")[:1000].decode("utf-8", "replace")
+        if e.code == 404:
+            renderer.error(
+                code="workflow_not_found",
+                message=f"no saved workflow with id {workflow_id!r}"
+                if workflow_id
+                else f"workflow not found ({operation})",
+                hint="list available workflows via `comfy --json workflow list`",
+                details={"workflow_id": workflow_id, "operation": operation},
+            )
+        elif e.code in (401, 403):
+            renderer.error(
+                code="cloud_unauthorized",
+                message=f"HTTP {e.code} during {operation}",
+                hint="re-run `comfy cloud login`",
+                details={"status": e.code},
+            )
+        else:
+            renderer.error(
+                code="cloud_http_error",
+                message=f"HTTP {e.code} during {operation}",
+                hint="check `details.body` for the server's message",
+                details={"status": e.code, "body": body, "operation": operation},
+            )
+    else:
+        renderer.error(
+            code="cloud_http_error",
+            message=f"{operation} failed: {e}",
+            hint="check network / `comfy auth whoami`",
+        )
+    return typer.Exit(code=1)
+
+
+@app.command("list", help="List your saved workflows on Comfy Cloud.")
+@tracking.track_command("workflow")
+def list_cmd(
+    name: Annotated[
+        str | None,
+        typer.Option("--name", show_default=False, help="Case-insensitive substring match on workflow name."),
+    ] = None,
+    limit: Annotated[int, typer.Option("--limit", help="Cap rows returned (max 100).")] = 20,
+    sort: Annotated[
+        str,
+        typer.Option("--sort", help="Sort field: create_time | update_time | name."),
+    ] = "create_time",
+    order: Annotated[
+        str,
+        typer.Option("--order", help="Sort direction: asc | desc."),
+    ] = "desc",
+    where: Annotated[str | None, typer.Option("--where", show_default=False)] = None,
+):
+    import urllib.error
+    import urllib.parse
+
+    renderer = get_renderer()
+    target = _cloud_target_or_local_error(where, renderer)
+
+    params: dict[str, Any] = {"limit": min(max(limit, 1), 100), "sort": sort, "order": order}
+    if name:
+        params["name"] = name
+    url = target.url("workflows") + "?" + urllib.parse.urlencode(params)
+
+    try:
+        _, body = _http_request(url, target)
+    except (urllib.error.HTTPError, urllib.error.URLError, OSError) as e:
+        raise _handle_cloud_http_error(renderer, e, operation="list") from e
+
+    rows = (body or {}).get("data") or []
+    payload = {
+        "count": len(rows),
+        "workflows": [
+            {
+                "id": r.get("id"),
+                "name": r.get("name"),
+                "description": r.get("description"),
+                "default_view": r.get("default_view"),
+                "latest_version": r.get("latest_version"),
+                "created_at": r.get("created_at"),
+                "updated_at": r.get("updated_at"),
+            }
+            for r in rows
+            if isinstance(r, dict)
+        ],
+    }
+    if renderer.is_pretty():
+        from rich.table import Table
+
+        tbl = Table(show_header=True, header_style="bold")
+        tbl.add_column("id", style="dim")
+        tbl.add_column("name")
+        tbl.add_column("ver", justify="right", style="dim")
+        tbl.add_column("updated", style="dim")
+        for r in payload["workflows"][:50]:
+            tbl.add_row(
+                (r["id"] or "")[:8] + "…" if r["id"] else "",
+                r["name"] or "(untitled)",
+                str(r["latest_version"] or ""),
+                (r["updated_at"] or "")[:10],
+            )
+        renderer.console().print(tbl)
+        rprint(f"[dim]{len(rows)} workflow(s)[/dim]")
+    renderer.emit(payload, command="workflow list", where="cloud")
+
+
+@app.command("get", help="Fetch a saved workflow's content from Comfy Cloud (writes JSON to --out or stdout).")
+@tracking.track_command("workflow")
+def get_cmd(
+    workflow_id: Annotated[str, typer.Argument(help="The workflow UUID.")],
+    out: Annotated[
+        str | None,
+        typer.Option("--out", "-o", show_default=False, help="Write JSON to this file instead of stdout."),
+    ] = None,
+    where: Annotated[str | None, typer.Option("--where", show_default=False)] = None,
+):
+    import urllib.error
+
+    renderer = get_renderer()
+    target = _cloud_target_or_local_error(where, renderer)
+
+    import urllib.parse as _up
+
+    # Encode the id so a malformed or hostile value can't escape the path
+    # segment. Cloud rejects malformed UUIDs upstream too, but encode at
+    # the client for defense in depth (e.g. ``../foo`` → ``%2E%2E%2Ffoo``).
+    url = target.url("workflows", _up.quote(workflow_id, safe=""), "content")
+    try:
+        _, body = _http_request(url, target)
+    except (urllib.error.HTTPError, urllib.error.URLError, OSError) as e:
+        raise _handle_cloud_http_error(renderer, e, operation="get", workflow_id=workflow_id) from e
+
+    if not isinstance(body, dict) or "workflow_json" not in body:
+        renderer.error(
+            code="cloud_http_error",
+            message=f"unexpected response shape from /api/workflows/{workflow_id}/content",
+            details={"workflow_id": workflow_id, "got_keys": list(body.keys()) if isinstance(body, dict) else None},
+        )
+        raise typer.Exit(code=1)
+
+    workflow_bytes = json.dumps(body["workflow_json"], indent=2).encode("utf-8")
+    if out:
+        out_path = Path(out).expanduser()
+        out_path.parent.mkdir(parents=True, exist_ok=True)
+        out_path.write_bytes(workflow_bytes)
+        target_repr = str(out_path)
+    else:
+        if renderer.is_pretty():
+            import sys
+
+            sys.stdout.write(workflow_bytes.decode("utf-8"))
+            sys.stdout.write("\n")
+        target_repr = "stdout"
+
+    payload = {
+        "workflow_id": workflow_id,
+        "version_id": body.get("id"),
+        "version": body.get("version"),
+        "out": target_repr,
+        "bytes": len(workflow_bytes),
+        "node_count": len(body["workflow_json"]) if isinstance(body["workflow_json"], dict) else None,
+    }
+    if renderer.is_pretty() and out:
+        rprint(f"[green]✓[/green] wrote {len(workflow_bytes):,} bytes to {target_repr}")
+    renderer.emit(payload, command="workflow get", where="cloud")
+
+
+@app.command("save", help="Save a local workflow JSON to Comfy Cloud as a new saved workflow.")
+@tracking.track_command("workflow")
+def save_cmd(
+    workflow_file: Annotated[str, typer.Argument(help="Path to a workflow JSON file.")],
+    name: Annotated[str, typer.Option("--name", help="Display name for the workflow.")],
+    description: Annotated[
+        str | None,
+        typer.Option("--description", show_default=False, help="Optional description."),
+    ] = None,
+    where: Annotated[str | None, typer.Option("--where", show_default=False)] = None,
+):
+    import urllib.error
+
+    renderer = get_renderer()
+    target = _cloud_target_or_local_error(where, renderer)
+
+    path = Path(workflow_file).expanduser()
+    if not path.is_file():
+        renderer.error(
+            code="workflow_not_found",
+            message=f"local workflow file not found: {path}",
+            hint="check the path",
+        )
+        raise typer.Exit(code=1)
+    try:
+        workflow_json = json.loads(path.read_text(encoding="utf-8"))
+    except json.JSONDecodeError as e:
+        renderer.error(
+            code="workflow_invalid_json",
+            message=f"{path} is not valid JSON: {e}",
+            hint="re-export the workflow from ComfyUI",
+        )
+        raise typer.Exit(code=1) from e
+    if not isinstance(workflow_json, dict):
+        renderer.error(
+            code="workflow_not_api_format",
+            message="workflow_json must be a JSON object",
+            hint="use ComfyUI's `File > Save` to export",
+        )
+        raise typer.Exit(code=1)
+
+    body: dict[str, Any] = {"name": name, "workflow_json": workflow_json}
+    if description:
+        body["description"] = description
+    url = target.url("workflows")
+    try:
+        _, resp = _http_request(url, target, method="POST", body=body)
+    except (urllib.error.HTTPError, urllib.error.URLError, OSError) as e:
+        raise _handle_cloud_http_error(renderer, e, operation="save") from e
+
+    workflow_id = (resp or {}).get("id") if isinstance(resp, dict) else None
+    payload = {
+        "workflow_id": workflow_id,
+        "name": name,
+        "latest_version": (resp or {}).get("latest_version") if isinstance(resp, dict) else None,
+        "source": str(path),
+    }
+    if renderer.is_pretty():
+        rprint(f"[green]✓[/green] saved {name!r} → [dim]{workflow_id}[/dim]")
+    renderer.emit(payload, command="workflow save", where="cloud", changed=True)
+
+
+@app.command("delete", help="Delete a saved workflow from Comfy Cloud.")
+@tracking.track_command("workflow")
+def delete_cmd(
+    workflow_id: Annotated[str, typer.Argument(help="The workflow UUID to delete.")],
+    where: Annotated[str | None, typer.Option("--where", show_default=False)] = None,
+):
+    import urllib.error
+
+    renderer = get_renderer()
+    target = _cloud_target_or_local_error(where, renderer)
+
+    import urllib.parse as _up
+
+    url = target.url("workflows", _up.quote(workflow_id, safe=""))
+    try:
+        _, _body = _http_request(url, target, method="DELETE")
+    except (urllib.error.HTTPError, urllib.error.URLError, OSError) as e:
+        raise _handle_cloud_http_error(renderer, e, operation="delete", workflow_id=workflow_id) from e
+
+    payload = {"workflow_id": workflow_id, "deleted": True}
+    if renderer.is_pretty():
+        rprint(f"[green]✓[/green] deleted [dim]{workflow_id}[/dim]")
+    renderer.emit(payload, command="workflow delete", where="cloud", changed=True)
+
+
+# ---------------------------------------------------------------------------
+# compose / fragment — fragment-based workflow composition
+# ---------------------------------------------------------------------------
+# Implemented in workflow_fragments.py; mounted here so the surface stays
+# under `comfy workflow`. compose is a single command; fragment is a sub-typer
+# of inspectors (ls/show/validate).
+
+from comfy_cli.command import workflow_fragments as _wfrag  # noqa: E402
+
+app.command(
+    "compose",
+    help="Compose a YAML blueprint of fragments into a single API-format workflow.",
+)(_wfrag.compose_cmd)
+app.add_typer(_wfrag.fragment_app, name="fragment")
diff --git a/comfy_cli/command/workflow_fragments.py b/comfy_cli/command/workflow_fragments.py
new file mode 100644
index 00000000..f777c211
--- /dev/null
+++ b/comfy_cli/command/workflow_fragments.py
@@ -0,0 +1,360 @@
+"""``comfy workflow compose`` and ``comfy workflow fragment`` — the Typer surface.
+
+The composition engine lives in :mod:`comfy_cli.fragments`; this module is the
+thin I/O shell that wraps it for the CLI — it renders envelopes and maps the
+domain exceptions (``FragmentError`` / ``BlueprintError``) onto error codes.
+See ``comfy_cli/fragments.py`` for the fragment/blueprint format and model.
+"""
+
+from __future__ import annotations
+
+import json
+from pathlib import Path
+from typing import Annotated, Any
+
+import typer
+
+from comfy_cli import tracking
+from comfy_cli.fragments import (
+    BlueprintError,
+    FragmentError,
+    RefResolutionError,
+    compose_blueprints,
+    load_fragment,
+    resolve_fragment_name,
+)
+from comfy_cli.output import get_renderer, rprint
+
+# ---------------------------------------------------------------------------
+# Typer surface
+# ---------------------------------------------------------------------------
+
+fragment_app = typer.Typer(no_args_is_help=True, help="Inspect and validate workflow fragments.")
+
+
+def _default_lib_dir(override: str | None) -> Path:
+    """Resolve ``--lib`` → Path. Default is ``./fragments`` in cwd."""
+    if override:
+        return Path(override).expanduser()
+    return Path.cwd() / "fragments"
+
+
+@tracking.track_command("workflow")
+def compose_cmd(
+    blueprint: Annotated[Path, typer.Argument(help="Blueprint YAML file.")],
+    out: Annotated[
+        Path | None,
+        typer.Option(
+            "--out", "-o", show_default=False, help="Output workflow JSON path. Defaults to <blueprint>.compiled.json"
+        ),
+    ] = None,
+    lib: Annotated[
+        str | None,
+        typer.Option("--lib", show_default=False, help="Fragment library directory. Defaults to ./fragments"),
+    ] = None,
+):
+    """Compose a YAML blueprint of fragments into a single API-format workflow."""
+    renderer = get_renderer()
+    if not blueprint.is_file():
+        renderer.error(code="blueprint_not_found", message=f"Blueprint file not found: {blueprint}")
+        raise typer.Exit(code=1)
+
+    try:
+        import yaml
+    except ImportError as e:  # pragma: no cover
+        renderer.error(
+            code="blueprint_yaml_unavailable",
+            message="PyYAML is required for `compose`",
+            hint="install with: pip install pyyaml",
+        )
+        raise typer.Exit(code=1) from e
+
+    try:
+        blueprint_data = yaml.safe_load(blueprint.read_text(encoding="utf-8"))
+    except yaml.YAMLError as e:
+        renderer.error(code="blueprint_invalid_yaml", message=f"Blueprint is not valid YAML: {e}")
+        raise typer.Exit(code=1) from e
+    except OSError as e:
+        renderer.error(code="compose_io_error", message=f"Unable to read blueprint file: {e}")
+        raise typer.Exit(code=1) from e
+
+    # `$asset.<name>` refs resolve through the governing project's push lock
+    # and `$var.<name>` refs through its comfy.yaml `vars:` block (anchored
+    # at the blueprint's dir, like the journal). No project, no resolvers —
+    # fragments.py stays project-unaware and errors with the hint. The var
+    # resolver is wrapped to record which vars this compilation actually
+    # referenced, so `_meta.vars` can snapshot the values used (provenance).
+    from comfy_cli.project import find_project, make_asset_resolver, make_var_resolver
+
+    project = find_project(blueprint.resolve().parent)
+    asset_resolver = make_asset_resolver(project) if project is not None else None
+    var_resolver = None
+    used_vars: dict[str, Any] = {}
+    if project is not None:
+        _resolve_var = make_var_resolver(project)
+
+        def var_resolver(name: str) -> Any:
+            used_vars[name] = _resolve_var(name)
+            return used_vars[name]
+
+    lib_dir = _default_lib_dir(lib)
+    try:
+        graphs = compose_blueprints(
+            blueprint_data,
+            lib_dir=lib_dir,
+            blueprint_dir=blueprint.parent,
+            asset_resolver=asset_resolver,
+            var_resolver=var_resolver,
+        )
+    except FragmentError as e:
+        renderer.error(code="fragment_invalid", message=str(e), hint=e.hint or "", details={"path": e.path})
+        raise typer.Exit(code=1) from e
+    except RefResolutionError as e:
+        # Before BlueprintError — AssetError/VarError subclass it and carry their own code.
+        renderer.error(code=e.code, message=str(e), hint=e.hint or "")
+        raise typer.Exit(code=1) from e
+    except BlueprintError as e:
+        renderer.error(
+            code="blueprint_invalid", message=str(e), hint=e.hint or "", details={"step_alias": e.step_alias}
+        )
+        raise typer.Exit(code=1) from e
+
+    base_out = out or blueprint.with_suffix(".compiled.json")
+    try:
+        base_out.parent.mkdir(parents=True, exist_ok=True)
+    except OSError as e:
+        renderer.error(code="compose_io_error", message=f"Failed preparing output path: {e}")
+        raise typer.Exit(code=1) from e
+
+    # Provenance block embedded in every written workflow (`compose/1`). The
+    # one artifact that travels (the compiled JSON) carries which blueprint
+    # produced it and — for foreach — which item produced which nodes.
+    # `comfy run` strips `_meta` before submitting (see run/loader.py).
+    blueprint_abs = str(blueprint.resolve())
+
+    def _meta_block(summary: dict) -> dict:
+        meta: dict = {"schema": "compose/1", "blueprint": blueprint_abs}
+        if summary.get("item_map"):
+            meta["items"] = summary["item_map"]
+        # Vars this compilation referenced, with the values used — provenance,
+        # same spirit as `items`. Only referenced names; raw scalars.
+        if used_vars:
+            meta["vars"] = dict(used_vars)
+        return meta
+
+    # A single graph keeps the simple `<out>` name; `chunk:` fan-out writes one
+    # numbered file per graph (`<stem>.000.json`, `<stem>.001.json`, ...).
+    written: list[str] = []
+    try:
+        if len(graphs) == 1:
+            workflow, summary = graphs[0]
+            workflow["_meta"] = _meta_block(summary)
+            base_out.write_text(json.dumps(workflow, indent=2), encoding="utf-8")
+            written.append(str(base_out))
+            single_out: str | None = str(base_out)
+        else:
+            # Chunked fan-out: numbered files only. Remove any stale unnumbered file
+            # from a prior single-graph compose so `comfy run <out>` can't execute it.
+            if base_out.exists():
+                base_out.unlink()
+            for i, (workflow, summary) in enumerate(graphs):
+                workflow["_meta"] = _meta_block(summary)  # each file: only ITS batch's items
+                target = base_out.with_suffix(f".{i:03d}{base_out.suffix}")
+                target.write_text(json.dumps(workflow, indent=2), encoding="utf-8")
+                written.append(str(target))
+            single_out = None  # no single runnable file; consumers must read `written`
+    except OSError as e:
+        renderer.error(code="compose_io_error", message=f"Failed writing composed workflow: {e}")
+        raise typer.Exit(code=1) from e
+
+    # Provenance journal: one line into the governing project, if any
+    # (anchored at the blueprint's dir, not cwd). Best-effort by contract.
+    _journal_compose(blueprint, written)
+
+    first_summary = graphs[0][1]
+    total_nodes = sum(s["nodes"] for _, s in graphs)
+    fragments_used = sorted({f for _, s in graphs for f in s["fragments_used"]})
+    payload = {
+        "blueprint": str(blueprint),
+        "out": single_out,
+        "graphs": len(graphs),
+        "written": written,
+        "steps": first_summary["steps"],
+        "nodes": total_nodes,
+        "fragments_used": fragments_used,
+    }
+    if "total_items" in first_summary:
+        payload["items"] = first_summary["total_items"]
+    # Union of every graph's per-item provenance (keys are unique across
+    # batches, so a plain merge is lossless).
+    item_map = {k: v for _, s in graphs for k, v in (s.get("item_map") or {}).items()}
+    if item_map:
+        payload["item_map"] = item_map
+    if renderer.is_pretty():
+        rprint(f"[green]✓[/green] composed [bold]{len(graphs)} graph(s)[/bold]")
+        for path in written:
+            rprint(f"  [dim]→[/dim] {path}")
+        if "total_items" in first_summary:
+            rprint(f"  items     : {first_summary['total_items']}")
+        rprint(f"  steps     : {first_summary['steps']}")
+        rprint(f"  nodes     : {total_nodes}")
+        rprint(f"  fragments : {', '.join(fragments_used)}")
+    renderer.emit(payload, command="workflow compose")
+
+
+def _journal_compose(blueprint: Path, written: list[str]) -> None:
+    """Append the compose event to the governing project's run journal.
+    Wrapped end-to-end: a journaling failure can never fail the compose."""
+    try:
+        from comfy_cli import project as project_module
+
+        p = project_module.find_project(blueprint.resolve().parent)
+        if p is not None:
+            project_module.journal(p, cmd="compose", blueprint=str(blueprint), written=list(written))
+    except Exception:  # noqa: BLE001 — best-effort by contract
+        pass
+
+
+@fragment_app.command("ls", help="List fragments in a library directory.")
+@tracking.track_command("workflow")
+def fragment_ls_cmd(
+    lib: Annotated[
+        str | None,
+        typer.Option("--lib", show_default=False, help="Library dir. Defaults to ./fragments"),
+    ] = None,
+):
+    renderer = get_renderer()
+    lib_dir = _default_lib_dir(lib)
+    if not lib_dir.is_dir():
+        renderer.error(
+            code="fragment_lib_not_found",
+            message=f"Fragment library directory not found: {lib_dir}",
+            hint="create ./fragments/ or pass --lib <dir>",
+        )
+        raise typer.Exit(code=1)
+
+    rows: list[dict] = []
+    errors: list[dict] = []
+    for path in sorted(lib_dir.glob("*.json")):
+        try:
+            frag = load_fragment(path)
+        except FragmentError as e:
+            errors.append({"path": str(path), "error": str(e)})
+            continue
+        rows.append(
+            {
+                "name": frag.name,
+                "version": frag.version,
+                "description": frag.description,
+                "inputs": list(frag.inputs.keys()),
+                "outputs": list(frag.outputs.keys()),
+                "params": list(frag.params.keys()),
+                "terminal": frag.terminal,
+                "path": str(path),
+            }
+        )
+
+    payload = {"lib": str(lib_dir), "count": len(rows), "fragments": rows, "errors": errors}
+    if renderer.is_pretty():
+        if not rows and not errors:
+            rprint("[dim]No fragments found.[/dim]")
+        for f in rows:
+            rprint(
+                f"[bold]{f['name']}[/bold]  v{f['version']}  "
+                f"in={','.join(f['inputs']) or '∅'}  "
+                f"out={','.join(f['outputs']) or '∅'}  "
+                f"params={','.join(f['params']) or '∅'}"
+            )
+            if f["description"]:
+                rprint(f"  [dim]{f['description']}[/dim]")
+        for e in errors:
+            rprint(f"[red]✗ {e['path']}: {e['error']}[/red]")
+    renderer.emit(payload, command="workflow fragment ls")
+
+
+@fragment_app.command("show", help="Show a fragment's metadata, ports, and interior node count.")
+@tracking.track_command("workflow")
+def fragment_show_cmd(
+    fragment: Annotated[str, typer.Argument(help="Fragment name (looked up in --lib) or path to .json.")],
+    lib: Annotated[
+        str | None,
+        typer.Option("--lib", show_default=False, help="Library dir. Defaults to ./fragments"),
+    ] = None,
+):
+    renderer = get_renderer()
+    lib_dir = _default_lib_dir(lib)
+    path = resolve_fragment_name(fragment, lib_dir)
+    try:
+        frag = load_fragment(path)
+    except FragmentError as e:
+        renderer.error(code="fragment_invalid", message=str(e), hint=e.hint or "", details={"path": e.path})
+        raise typer.Exit(code=1) from e
+
+    payload = {
+        "path": str(path),
+        "name": frag.name,
+        "version": frag.version,
+        "description": frag.description,
+        "terminal": frag.terminal,
+        "inputs": {n: {"type": p.type, "binds": p.binds} for n, p in frag.inputs.items()},
+        "outputs": {n: {"type": p.type, "from": p.from_node, "port": p.port} for n, p in frag.outputs.items()},
+        "params": {
+            n: {"type": p.type, "binds": p.binds, **({"default": p.default} if p.has_default else {})}
+            for n, p in frag.params.items()
+        },
+        "node_count": len(frag.nodes),
+    }
+    if renderer.is_pretty():
+        rprint(f"[bold]{frag.name}[/bold]  v{frag.version}")
+        if frag.description:
+            rprint(f"  [dim]{frag.description}[/dim]")
+        rprint(f"  terminal: {frag.terminal}  |  interior nodes: {len(frag.nodes)}")
+        if frag.inputs:
+            rprint("  [bold]inputs[/bold]")
+            for n, p in frag.inputs.items():
+                rprint(f"    {n}: {p.type}  → {p.binds}")
+        if frag.outputs:
+            rprint("  [bold]outputs[/bold]")
+            for n, p in frag.outputs.items():
+                rprint(f"    {n}: {p.type}  ← {p.from_node}[{p.port}]")
+        if frag.params:
+            rprint("  [bold]params[/bold]")
+            for n, p in frag.params.items():
+                d = f"  (default={p.default!r})" if p.has_default else ""
+                rprint(f"    {n}: {p.type}  → {p.binds}{d}")
+    renderer.emit(payload, command="workflow fragment show")
+
+
+@fragment_app.command("validate", help="Validate that a fragment file is well-formed.")
+@tracking.track_command("workflow")
+def fragment_validate_cmd(
+    fragment: Annotated[str, typer.Argument(help="Fragment name (looked up in --lib) or path to .json.")],
+    lib: Annotated[
+        str | None,
+        typer.Option("--lib", show_default=False, help="Library dir. Defaults to ./fragments"),
+    ] = None,
+):
+    renderer = get_renderer()
+    lib_dir = _default_lib_dir(lib)
+    path = resolve_fragment_name(fragment, lib_dir)
+    try:
+        frag = load_fragment(path)
+    except FragmentError as e:
+        renderer.error(
+            code="fragment_invalid",
+            message=str(e),
+            hint=e.hint or "",
+            details={"path": str(path)},
+        )
+        raise typer.Exit(code=1) from e
+
+    payload = {
+        "path": str(path),
+        "valid": True,
+        "name": frag.name,
+        "node_count": len(frag.nodes),
+        "ports": {"inputs": len(frag.inputs), "outputs": len(frag.outputs), "params": len(frag.params)},
+    }
+    if renderer.is_pretty():
+        rprint(f"[green]✓[/green] {path}  ({frag.name} v{frag.version}, {len(frag.nodes)} nodes)")
+    renderer.emit(payload, command="workflow fragment validate")
diff --git a/comfy_cli/config_manager.py b/comfy_cli/config_manager.py
index a4fa87d2..5e402b18 100644
--- a/comfy_cli/config_manager.py
+++ b/comfy_cli/config_manager.py
@@ -153,6 +153,29 @@ def get_env_data(self):
 
         return data
 
+    def get_data(self) -> dict:
+        """Structured snapshot of config, used by ``comfy env --json``.
+
+        Returned values are JSON-serializable; absent keys are null.
+        """
+        default_workspace = self.get(constants.CONFIG_KEY_DEFAULT_WORKSPACE)
+        return {
+            "path": self.get_config_file_path(),
+            "default_workspace": default_workspace,
+            "default_launch_extras": self.get(constants.CONFIG_KEY_DEFAULT_LAUNCH_EXTRAS) or None,
+            "recent_workspace": self.get(constants.CONFIG_KEY_RECENT_WORKSPACE),
+            "tracking_enabled": self.get_bool(constants.CONFIG_KEY_ENABLE_TRACKING),
+            "background": (
+                {
+                    "host": self.background[0],
+                    "port": self.background[1],
+                    "pid": self.background[2],
+                }
+                if self.background is not None
+                else None
+            ),
+        }
+
     def remove_background(self):
         del self.config["DEFAULT"][constants.CONFIG_KEY_BACKGROUND]
         self.write_config()
diff --git a/comfy_cli/constants.py b/comfy_cli/constants.py
index 9e1517ee..0f7634bb 100644
--- a/comfy_cli/constants.py
+++ b/comfy_cli/constants.py
@@ -57,6 +57,8 @@ class PROC(str, Enum):
 
 DEFAULT_TRACKING_VALUE = True
 
+CONFIG_KEY_DEFAULT_PROJECT_DIR = "default_project_dir"
+
 COMFY_LOCK_YAML_FILE = "comfy.lock.yaml"
 
 # TODO: figure out a better way to check if this is a comfy repo
diff --git a/comfy_cli/cql/__init__.py b/comfy_cli/cql/__init__.py
new file mode 100644
index 00000000..e035a987
--- /dev/null
+++ b/comfy_cli/cql/__init__.py
@@ -0,0 +1,10 @@
+"""object_info loader — normalize ComfyUI's ``/object_info`` into typed rows.
+
+Public entry points:
+    load_graph(input_path=..., host=..., port=...) -> dict
+"""
+
+from comfy_cli.cql.errors import CQLRuntimeError
+from comfy_cli.cql.loader import load_graph
+
+__all__ = ["CQLRuntimeError", "load_graph"]
diff --git a/comfy_cli/cql/data/__init__.py b/comfy_cli/cql/data/__init__.py
new file mode 100644
index 00000000..8b137891
--- /dev/null
+++ b/comfy_cli/cql/data/__init__.py
@@ -0,0 +1 @@
+
diff --git a/comfy_cli/cql/data/cloud_disable_config.yaml b/comfy_cli/cql/data/cloud_disable_config.yaml
new file mode 100644
index 00000000..7ebf53b6
--- /dev/null
+++ b/comfy_cli/cql/data/cloud_disable_config.yaml
@@ -0,0 +1,15 @@
+# Cloud node filtering - which labels cause nodes to be disabled on cloud.
+# Consumed by filter_object_info_nodes.py via resolve_disabled_nodes.py.
+# Adding a new label to supported_nodes.yaml does NOT automatically disable
+# those nodes on cloud — you must explicitly add the label here.
+disable_nodes:
+  or:
+    - DisabledOnCloud: true
+    - ReadsArbitraryFile: true
+    - WritesToDisk: true
+    - CreatesLargeOutputs: true
+    - NetworkAccess: true
+    - Stateful: true
+    - HasCustomEndpoints: true
+    - RequiresExternalAPI: true
+    - PathParsing: true
diff --git a/comfy_cli/cql/data/no_gpu_nodes.json b/comfy_cli/cql/data/no_gpu_nodes.json
new file mode 100644
index 00000000..e9b7865a
--- /dev/null
+++ b/comfy_cli/cql/data/no_gpu_nodes.json
@@ -0,0 +1 @@
+{"schema_version": 1, "no_gpu_nodes": []}
diff --git a/comfy_cli/cql/data/supported_nodes.yaml b/comfy_cli/cql/data/supported_nodes.yaml
new file mode 100644
index 00000000..943b7a75
--- /dev/null
+++ b/comfy_cli/cql/data/supported_nodes.yaml
@@ -0,0 +1,1107 @@
+# Comfy Complete - Supported Custom Nodes
+# This file defines the custom node packs that are part of the Comfy Complete distribution.
+# Each node pack is pinned to a specific version to ensure compatibility.
+
+# Available labels - all labels used in node_packs must be declared here
+labels:
+  - ReadsArbitraryFile     # Node can read files from arbitrary paths
+  - CreatesLargeOutputs    # Node may create unusually large outputs
+  - DisabledOnCloud        # Explicitly disabled for cloud deployments
+  - WritesToDisk           # Node writes to the filesystem
+  - NetworkAccess          # Node makes network requests
+  - Stateful               # Node persists user-specific data between runs
+  - HasCustomEndpoints     # Node registers custom HTTP server routes
+  - RequiresExternalAPI    # Node requires external API keys (OpenAI, etc.)
+  - PathParsing            # Node parses, manipulates, or exposes filesystem path information
+  - DuplicateOfCoreNode    # Node duplicates functionality available in a core ComfyUI node
+
+node_packs:
+  - name: core
+    node_labels:
+      LoadImageDataSetFromFolder:
+        - ReadsArbitraryFile
+      LoadImageTextDataSetFromFolder:
+        - ReadsArbitraryFile
+      LoadTrainingDataset:
+        - ReadsArbitraryFile
+      SaveImageDataSetToFolder:
+        - WritesToDisk
+      SaveImageTextDataSetToFolder:
+        - WritesToDisk
+      SaveLoRA:
+        - CreatesLargeOutputs
+      SaveTrainingDataset:
+        - WritesToDisk
+      CheckpointSave:
+        - CreatesLargeOutputs
+      ImageOnlyCheckpointSave:
+        - CreatesLargeOutputs
+      ModelSave:
+        - CreatesLargeOutputs
+      ModelSaveKJ:
+        - CreatesLargeOutputs
+      LoraSave:
+        - WritesToDisk
+      CLIPSave:
+        - WritesToDisk
+      VAESave:
+        - WritesToDisk
+
+  - name: https://github.com/kijai/ComfyUI-KJNodes@53987d76fbf61830a724628d7681ae5724c98e2b
+    node_labels:
+      CameraPoseVisualizer:
+        - ReadsArbitraryFile
+      LoadVideosFromFolder:
+        - ReadsArbitraryFile
+      LoadImagesFromFolderKJ:
+        - ReadsArbitraryFile
+      SaveImageKJ:
+        - WritesToDisk
+      SaveStringKJ:
+        - WritesToDisk
+      ModelSaveKJ:
+        - WritesToDisk
+      StartRecordCUDAMemoryHistory:
+        - Stateful
+      EndRecordCUDAMemoryHistory:
+        - Stateful
+        - WritesToDisk
+      VisualizeCUDAMemoryHistory:
+        - WritesToDisk
+      WebcamCaptureCV2:
+        - DisabledOnCloud
+      ScreencapStream:
+        - DisabledOnCloud
+      PlaySoundKJ:
+        - ReadsArbitraryFile
+      GGUFLoaderKJ:
+        - DisabledOnCloud
+
+  - name: https://github.com/kijai/ComfyUI-KwaiKolorsWrapper@6fc1cd9d20bb7537facf180e5494b486b9710e24
+
+  - name: comfyui_controlnet_aux
+    version: "1.1.5"
+
+  - name: comfyui-animatediff-evolved
+    version: "1.5.6"
+    node_labels:
+      ADE_LoadCameraPosesFromPath:
+        - ReadsArbitraryFile
+
+  - name: comfyui-videohelpersuite
+    version: "1.7.9"
+    node_labels:
+      VHS_LoadVideoPath:
+        - ReadsArbitraryFile
+      VHS_LoadVideoFFmpegPath:
+        - ReadsArbitraryFile
+      VHS_LoadImagesPath:
+        - ReadsArbitraryFile
+      VHS_LoadImagePath:
+        - ReadsArbitraryFile
+      VHS_SelectFilename:
+        - ReadsArbitraryFile
+      VHS_LoadImages:
+        - ReadsArbitraryFile
+      VHS_LoadAudio:
+        - ReadsArbitraryFile
+      VHS_BatchManager:
+        - DisabledOnCloud
+
+  - name: comfyui_ultimatesdupscale
+    version: "1.6.2"
+
+  - name: audio-separation-nodes-comfyui
+    version: "1.5.0"
+
+  - name: ComfyUI-WanVideoWrapper
+    version: "1.4.7"
+    node_labels:
+      WanVideoVRAMManagement:
+        - DisabledOnCloud
+      WanVideoSetBlockSwap:
+        - DisabledOnCloud
+      WanVideoBlockSwap:
+        - DisabledOnCloud
+      WanVideoLoraSelectByName:
+        - DisabledOnCloud
+      DownloadAndLoadNLFModel:
+        - NetworkAccess
+        - DisabledOnCloud
+
+  - name: "https://github.com/kijai/ComfyUI-DynamiCrafterWrapper@d312c62982f1582b7955444d3a22ac948fb9c603"
+    version: ""
+    node_labels:
+      DownloadAndLoadCLIPModel:
+        - DisabledOnCloud
+
+  - name: comfyui-enricos-nodes
+    version: "3.1.6"
+
+  - name: comfyui-florence2
+    version: "1.0.7"
+    node_labels:
+      Florence2ModelLoader:
+        - DisabledOnCloud
+
+  - name: comfyui-inpaint-cropandstitch
+    version: "2.1.8"
+    web_directory: js
+
+  - name: comfyui-inpaint-nodes
+    version: "1.4.0"
+
+  - name: comfyui_essentials
+    version: "1.1.0"
+
+  - name: comfyui-supir
+    version: "1.0.4"
+
+  - name: comfyui-segment-anything-2
+    version: "1.0.2"
+
+  - name: "https://github.com/Comfy-Org/CustomNodeComfyMath@c01177221c31b8e5fbc062778fc8254aeb541638"
+    version: ""
+
+  - name: comfyui-impact-pack
+    version: "8.28.2"
+    node_labels:
+      PreviewBridge:
+        - DisabledOnCloud
+      PreviewBridgeLatent:
+        - DisabledOnCloud
+      ImageReceiver:
+        - DisabledOnCloud
+      ImageSender:
+        - DisabledOnCloud
+      MaskRectAreaAdvanced:
+        - DisabledOnCloud
+      MaskRectArea:
+        - DisabledOnCloud
+      ImpactSEGSPicker:
+        - DisabledOnCloud
+      LatentReceiver:
+        - DisabledOnCloud
+      ImpactValueReceiver:
+        - DisabledOnCloud
+      ImpactQueueTrigger:
+        - DisabledOnCloud
+      ImpactQueueTriggerCountdown:
+        - DisabledOnCloud
+      ImpactSetWidgetValue:
+        - DisabledOnCloud
+
+  - name: comfyui_ipadapter_plus
+    version: "2.0.0"
+    node_labels:
+      IPAdapterSaveEmbeds:
+        - WritesToDisk
+        - DisabledOnCloud
+
+  - name: ComfyUI-WanAnimatePreprocess
+    version: "1.0.1"
+
+  - name: "https://github.com/lum3on/ComfyUI_AudioTools@c816d0a1629c05a0f463ddb77ea96ada69875d32"
+    version: ""
+    node_labels:
+      AudioLoadBatch:
+        - ReadsArbitraryFile
+      AudioGetFromList:
+        - DisabledOnCloud
+
+  - name: comfyui-fl-path-animator
+    version: "1.0.6"
+
+  - name: "https://github.com/kijai/ComfyUI-DepthAnythingV2@d505cbca99803fc63327b8305618a23e59a18b42"
+    version: ""
+
+  - name: "https://github.com/kijai/ComfyUI-Lotus@dcd5bea7a418717a6e0c27a5f607058cb9c24a5e"
+    version: ""
+
+  - name: "https://github.com/AIWarper/ComfyUI-NormalCrafterWrapper@10408381e60f42775a977966e111f1353d86e970"
+    version: ""
+
+  - name: comfyui-advanced-controlnet
+    version: "1.5.6"
+    node_labels:
+      LoadImagesFromDirectory:
+        - ReadsArbitraryFile
+
+  - name: comfyui-frame-interpolation
+    version: "1.0.8"
+    node_labels:
+      GMFSS Fortuna VFI:
+        - NetworkAccess
+      M2M VFI:
+        - NetworkAccess
+      Sepconv VFI:
+        - NetworkAccess
+      AMT VFI:
+        - NetworkAccess
+      STMFNet VFI:
+        - NetworkAccess
+
+  - name: comfyui-impact-subpack
+    version: "1.3.5"
+
+  - name: ComfyUI-SCAIL-Pose
+    version: "1.0.1"
+
+  # v1.1.4
+  - name: "https://github.com/gseth/ControlAltAI-Nodes@721492b66c9cede8ae23ae10615462ad80cfd061"
+    version: ""
+    node_labels:
+      FluxAttentionControl:
+        - Stateful
+        - DisabledOnCloud
+
+  - name: "https://github.com/ClownsharkBatwing/RES4LYF@0dc91c0817e8b40b429b2f5dd26fc7b1c3cd0c53"
+    version: ""
+    node_labels:
+      # Important: labels key off object_info class_type (YAML key), not display_name.
+      # In object_info, class_type `ClownsharKSampler` is the deprecated legacy2 node
+      # (display_name "Legacy2_ClownsharKSampler"). The non-legacy sampler is
+      # class_type `ClownsharKSampler_Beta` and is intentionally not disabled here.
+      ConditioningToBase64:
+        - DisabledOnCloud
+      Base64ToConditioning:
+        - DisabledOnCloud
+      ClownsharKSamplerOptions:
+        - DisabledOnCloud
+      # Formula-string eval path is sourced from options/timestep nodes.
+      SamplerOptions_TimestepScaling:
+        - DisabledOnCloud
+      Sigmas Math1:
+        - DisabledOnCloud
+      Sigmas Math3:
+        - DisabledOnCloud
+      TextLoadFile:
+        - ReadsArbitraryFile
+      UNetSave:
+        - WritesToDisk
+        - CreatesLargeOutputs
+
+  - name: comfyui_layerstyle
+    version: "2.0.32"
+    web_directory: js
+    node_labels:
+      "LayerUtility: ImageTaggerSave":
+        - WritesToDisk
+      "LayerUtility: ImageTaggerSaveV2":
+        - WritesToDisk
+      "LayerUtility: LoadImagesFromPath":
+        - ReadsArbitraryFile
+      "LayerUtility: PurgeVRAM":
+        - Stateful
+        - DisabledOnCloud
+      "LayerUtility: PurgeVRAM V2":
+        - Stateful
+        - DisabledOnCloud
+      "LayerUtility: QueueStop":
+        - DisabledOnCloud
+      "LayerMask: RemBgUltra":
+        - NetworkAccess
+        - DisabledOnCloud
+      "LayerMask: RmBgUltra V2":
+        - NetworkAccess
+        - DisabledOnCloud
+      "LayerFilter: LightLeak":
+        - DisabledOnCloud
+
+  - name: ComfyUI_LayerStyle_Advance
+    version: "2.0.37"
+    web_directory: js
+    node_labels:
+      "LayerUtility: SaveImagePlus":
+        - WritesToDisk
+      "LayerUtility: SaveImagePlusV2":
+        - WritesToDisk
+      "LayerUtility: LoadPSD":
+        - ReadsArbitraryFile
+      "LayerUtility: Gemini":
+        - RequiresExternalAPI
+      "LayerUtility: GeminiV2":
+        - RequiresExternalAPI
+      "LayerMask: ObjectDetectorGemini":
+        - RequiresExternalAPI
+      "LayerMask: ObjectDetectorGeminiV2":
+        - RequiresExternalAPI
+      "LayerUtility: GeminiImageEdit":
+        - RequiresExternalAPI
+      "LayerUtility: DeepSeekAPI":
+        - RequiresExternalAPI
+      "LayerUtility: DeepSeekAPIV2":
+        - RequiresExternalAPI
+      "LayerUtility: ZhipuGLM4V":
+        - RequiresExternalAPI
+      "LayerUtility: ZhipuGLM4":
+        - RequiresExternalAPI
+      "LayerUtility: JimengI2IAPI":
+        - RequiresExternalAPI
+      "LayerUtility: PromptEmbellish":
+        - RequiresExternalAPI
+      "LayerUtility: PromptTagger":
+        - RequiresExternalAPI
+      "LayerUtility: LoadJoyCaption2Model":
+        - DisabledOnCloud
+      "LayerUtility: JoyCaption2":
+        - DisabledOnCloud
+      "LayerUtility: JoyCaption2ExtraOptions":
+        - DisabledOnCloud
+      "LayerUtility: JoyCaption2Split":
+        - DisabledOnCloud
+      "LayerUtility: LoadJoyCaptionBeta1Model":
+        - DisabledOnCloud
+      "LayerUtility: JoyCaptionBeta1":
+        - DisabledOnCloud
+      "LayerUtility: JoyCaptionBeta1ExtraOptions":
+        - DisabledOnCloud
+      "LayerUtility: LlamaVision":
+        - DisabledOnCloud
+      "LayerUtility: PhiPrompt":
+        - DisabledOnCloud
+      "LayerUtility: AddBlindWaterMark":
+        - DisabledOnCloud
+      "LayerUtility: ShowBlindWaterMark":
+        - DisabledOnCloud
+      "LayerUtility: ImageRewardFilter":
+        - DisabledOnCloud
+      "LayerFilter: LightLeak":
+        - DisabledOnCloud
+      # TODO: Re-enable after merge to main triggers upload-models workflow
+      # which creates asset DB records. Models already in GCS, preset mappings
+      # and model_directories.go are correct. Just needs DB asset sync.
+      "LayerMask: Florence2Ultra":
+        - DisabledOnCloud
+      "LayerMask: LoadFlorence2Model":
+        - DisabledOnCloud
+      "LayerUtility: Florence2Image2Prompt":
+        - DisabledOnCloud
+      "LayerMask: HumanPartsUltra":
+        - NetworkAccess
+        - DisabledOnCloud
+
+  # v1.0.0
+  - name: "https://github.com/filliptm/ComfyUI_Fill-ChatterBox@2f72aca98e4ceda18caceaef91ddf5683f5f093e"
+    version: ""
+    web_directory: web
+
+  - name: comfyui-qwenmultiangle
+    version: "0.6.1"
+    web_directory: js
+
+  # latest (2025-01-18)
+  - name: "https://github.com/lquesada/ComfyUI-Prompt-Combinator@3576ace3f2776918c1046b6674fbe345a46dba2f"
+    version: ""
+    node_labels:
+      PromptCombinatorExportGallery:
+        - WritesToDisk
+
+  # latest (2025-01-08)
+  - name: "https://github.com/lihaoyun6/ComfyUI-FlashVSR_Ultra_Fast@4820b3f02347bddcbbb9a5a85ab7638fe976366e"
+    version: ""
+
+  # v2.5.24
+  - name: "https://github.com/numz/ComfyUI-SeedVR2_VideoUpscaler@4490bd1f482e026674543386bb2a4d176da245b9"
+    version: ""
+
+  - name: "https://github.com/flybirdxx/ComfyUI-Qwen-TTS@5e97d3cce967c842aeee02854725c371c8a101d7"
+    version: ""
+    node_labels:
+      FB_Qwen3TTSSaveVoice:
+        - WritesToDisk
+        - DisabledOnCloud
+      FB_Qwen3TTSLoadSpeaker:
+        - ReadsArbitraryFile
+        - DisabledOnCloud
+
+  - name: comfyui-sam3
+    version: "0.1.2"
+
+  - name: "https://github.com/jtydhr88/ComfyUI-UltraShape1@2f8ea9b59bda7528ea2884b0868e205ece342e9e"
+    version: ""
+    node_labels:
+      UltraShapeSaveGLB:
+        - WritesToDisk
+        - DisabledOnCloud
+      UltraShapeMeshSelector:
+        - DisabledOnCloud
+
+  - name: comfyui-rmbg
+    version: "3.0.0"
+    web_directory: web
+    node_labels:
+      AILab_LoadImage:
+        - ReadsArbitraryFile
+      AILab_LoadImageSimple:
+        - ReadsArbitraryFile
+      AILab_LoadImageAdvanced:
+        - ReadsArbitraryFile
+      AILab_LoadImageBatch:
+        - ReadsArbitraryFile
+      AILab_YoloV8:
+        - DisabledOnCloud
+      AILab_YoloV8Adv:
+        - DisabledOnCloud
+      Segment:
+        - DisabledOnCloud
+      SegmentV2:
+        - DisabledOnCloud
+
+  - name: ComfyUI-QwenVL
+    version: "2.1.1"
+    node_labels:
+      AILab_QwenVL_GGUF:
+        - DisabledOnCloud
+      AILab_QwenVL_GGUF_Advanced:
+        - DisabledOnCloud
+
+  - name: "https://github.com/ltdrdata/was-node-suite-comfyui@afeee09ba44e713ec52a413ac6b105fd06b2d356"
+    version: ""
+    node_labels:
+      "BLIP Analyze Image":
+        - DisabledOnCloud
+      "BLIP Model Loader":
+        - DisabledOnCloud
+      "CLIPSeg Batch Masking":
+        - DisabledOnCloud
+      "CLIPSeg Masking":
+        - DisabledOnCloud
+      "CLIPSeg Model Loader":
+        - DisabledOnCloud
+      CLIPSEG2:
+        - DisabledOnCloud
+      "Cache Node":
+        - DisabledOnCloud
+      "Checkpoint Loader":
+        - DuplicateOfCoreNode
+        - DisabledOnCloud
+      "Checkpoint Loader (Simple)":
+        - DuplicateOfCoreNode
+        - DisabledOnCloud
+      "Create Morph Image from Path":
+        - ReadsArbitraryFile
+      "Create Grid Image":
+        - ReadsArbitraryFile
+      "Create Video from Path":
+        - ReadsArbitraryFile
+      "Debug Number to Console":
+        - DisabledOnCloud
+      "Dictionary to Console":
+        - DisabledOnCloud
+      "Diffusers Hub Model Down-Loader":
+        - NetworkAccess
+      "Export API":
+        - DisabledOnCloud
+      "Image Bounds to Console":
+        - DisabledOnCloud
+      "Image History Loader":
+        - ReadsArbitraryFile
+      "Image Load":
+        - ReadsArbitraryFile
+      "Image Save":
+        - WritesToDisk
+      "Image Send HTTP":
+        - NetworkAccess
+      "Load Cache":
+        - DisabledOnCloud
+      "Load Image Batch":
+        - ReadsArbitraryFile
+      "Load Text File":
+        - ReadsArbitraryFile
+      "MiDaS Depth Approximation":
+        - DisabledOnCloud
+      "MiDaS Mask Image":
+        - DisabledOnCloud
+      "MiDaS Model Loader":
+        - DisabledOnCloud
+      "SAM Model Loader":
+        - DisabledOnCloud
+      "Save Text File":
+        - WritesToDisk
+      "Text File History Loader":
+        - ReadsArbitraryFile
+      "Text Load Line From File":
+        - ReadsArbitraryFile
+      "Text Random Prompt":
+        - DisabledOnCloud
+      "True Random.org Number Generator":
+        - NetworkAccess
+      "Upscale Model Loader":
+        - DuplicateOfCoreNode
+        - DisabledOnCloud
+      "Video Dump Frames":
+        - WritesToDisk
+      "Write to GIF":
+        - WritesToDisk
+      "Write to Video":
+        - WritesToDisk
+
+  - name: comfyui-sharp
+    version: "0.0.3"
+
+  - name: comfyui-logic
+    version: "1.0.0"
+    node_labels:
+      DebugPrint:
+        - DisabledOnCloud
+
+  - name: comfyui-PlyPreview
+    version: "1.1.0"
+    web_directory: web
+    node_labels:
+      PlyPreviewLoadGaussianPLYEnhance:
+        - ReadsArbitraryFile
+      PlyPreviewLoadGaussianPLYPathEnhance:
+        - ReadsArbitraryFile
+
+  - name: https://github.com/kijai/ComfyUI-LivePortraitKJ@4d9dc6205b79e50f81c0e6d245a2e0e5e53d5ecd
+
+  - name: "https://github.com/fxtdstudios/radiance@f262f47ddfda01ece154bf80c22769b1e4cef795"
+    version: ""
+    web_directory: js
+    node_labels:
+      RadianceLUTApply:
+        - DisabledOnCloud
+      "◎ RadianceDigitalCinemaRead":
+        - ReadsArbitraryFile
+      "◎ RadianceNukeBridge":
+        - NetworkAccess
+        - WritesToDisk
+      "◎ RadianceQCExport":
+        - WritesToDisk
+
+  - name: "https://github.com/shiimizu/ComfyUI-TiledDiffusion@a155b1bac39147381aeaa52b9be42e545626a44f"
+    version: ""
+
+  - name: "https://github.com/spacepxl/ComfyUI-Image-Filters@bbb3fb0045461adf3602faeedaf40af57090d4e2"
+    version: ""
+    node_labels:
+      ModelTest:
+        - DisabledOnCloud
+
+  - name: "https://github.com/Comfy-Org/ComfyUI-test-framework@80caae462d3293a2d40c2938de33a5f50eea8333"
+    version: ""
+
+  - name: ComfyUI-DepthAnythingV3
+    version: "0.1.2"
+    web_directory: web
+    node_labels:
+      DA3_SavePointCloud:
+        - WritesToDisk
+      DA3_FilterGaussians:
+        - WritesToDisk
+      DA3_PreviewPointCloud:
+        - WritesToDisk
+      DepthAnythingV3_Streaming:
+        - WritesToDisk
+      DA3_DownloadModel:
+        - NetworkAccess
+      LoadSALADModel:
+        # Only consumed by DepthAnythingV3_Streaming (disabled on cloud)
+        - DisabledOnCloud
+
+  # v1.0.0
+  - name: "https://github.com/PowerHouseMan/ComfyUI-AdvancedLivePortrait@3bba732915e22f18af0d221b9c5c282990181f1b"
+    version: ""
+    node_labels:
+      SaveExpData:
+        - WritesToDisk
+        - DisabledOnCloud
+      LoadExpData:
+        - ReadsArbitraryFile
+        - DisabledOnCloud
+
+  # v0.9
+  - name: "https://github.com/BadCafeCode/masquerade-nodes-comfyui@432cb4d146a391b387a0cd25ace824328b5b61cf"
+    version: ""
+    node_labels:
+      "Mask By Text":
+        - NetworkAccess
+        - DisabledOnCloud
+      "Create QR Code":
+        - DisabledOnCloud
+
+  # ComfyQR by coreyryanhanson - QR code generation for generative QR art
+  - name: "https://github.com/coreyryanhanson/ComfyQR@e31449c99a6ba8c5c567646659e0a75e4056259f"
+    version: ""
+
+  # comfyui-various by jamesWalker55 - image ops, primitives, RAFT optical flow, color ops
+  - name: "https://github.com/jamesWalker55/comfyui-various@5bd85aaf7616878471469c4ec7e11bbd0cef3bf2"
+    version: ""
+    node_labels:
+      JWImageLoadRGB:
+        - ReadsArbitraryFile
+      JWImageLoadRGBA:
+        - ReadsArbitraryFile
+      JWLoadImagesFromString:
+        - ReadsArbitraryFile
+      JWImageSaveToPath:
+        - WritesToDisk
+      JWImageLoadRGBFromClipboard:
+        - DisabledOnCloud
+      "JWImageLoadRGBA From Clipboard":
+        - DisabledOnCloud
+      RAFTLoadFlowFromEXRChannels:
+        - ReadsArbitraryFile
+      JWLoadImageSequence:
+        - ReadsArbitraryFile
+      JWLoadImageSequenceWithStopIndex:
+        - ReadsArbitraryFile
+      JWSaveImageSequence:
+        - WritesToDisk
+      JWImageLoadRGBIfExists:
+        - ReadsArbitraryFile
+      JWLoadAudio:
+        - ReadsArbitraryFile
+      JWAudioSaveToPath:
+        - WritesToDisk
+
+  - name: comfyui-cogvideoxwrapper
+    version: "1.5.1"
+
+  - name: "https://github.com/glowcone/comfyui-string-converter@0e1e78f877e4d5fc2b46ace8fa21a0ef70e92f11"
+    version: ""
+
+  - name: comfyui_face_parsing
+    version: "1.0.5"
+
+  - name: nodesweet
+    version: "1.0.1"
+
+  - name: "https://github.com/AIrjen/OneButtonPrompt@2129c5dfe6a73d4a0cf971c3af6c3cddbd0e97f8"
+    version: ""
+    node_labels:
+      SavePromptToFile:
+        - WritesToDisk
+
+  # v1.2.2 - SeC (Segment Concept) SOTA video object segmentation
+  - name: "https://github.com/9nate-drake/Comfyui-SecNodes@af39e6260bc414873fbb2dc8df355904d1609754"
+    version: ""
+
+  - name: "https://github.com/kijai/ComfyUI-MimicMotionWrapper@89d0ed551dbb1e0a14e89a01d42a39e9ed755d9c"
+    version: ""
+
+  - name: basic_data_handling
+    version: "1.4.0"
+    node_labels:
+      "Basic data handling: PathLoadStringFile":
+        - ReadsArbitraryFile
+      "Basic data handling: PathLoadImageRGB":
+        - ReadsArbitraryFile
+      "Basic data handling: PathLoadImageRGBA":
+        - ReadsArbitraryFile
+      "Basic data handling: PathLoadMaskFromAlpha":
+        - ReadsArbitraryFile
+      "Basic data handling: PathLoadMaskFromGreyscale":
+        - ReadsArbitraryFile
+      "Basic data handling: PathSaveStringFile":
+        - WritesToDisk
+      "Basic data handling: PathSaveImageRGB":
+        - WritesToDisk
+      "Basic data handling: PathSaveImageRGBA":
+        - WritesToDisk
+      "Basic data handling: PathGlob":
+        - ReadsArbitraryFile
+      "Basic data handling: PathListDir":
+        - ReadsArbitraryFile
+      "Basic data handling: PathGetSize":
+        - ReadsArbitraryFile
+      "Basic data handling: PathExists":
+        - ReadsArbitraryFile
+      "Basic data handling: PathIsFile":
+        - ReadsArbitraryFile
+      "Basic data handling: PathIsDir":
+        - ReadsArbitraryFile
+      "Basic data handling: PathExpandVars":
+        - PathParsing
+      "Basic data handling: PathGetCwd":
+        - PathParsing
+      "Basic data handling: PathAbspath":
+        - PathParsing
+      "Basic data handling: PathBasename":
+        - PathParsing
+      "Basic data handling: PathCommonPrefix":
+        - PathParsing
+      "Basic data handling: PathDirname":
+        - PathParsing
+      "Basic data handling: PathGetExtension":
+        - PathParsing
+      "Basic data handling: PathInputDir":
+        - PathParsing
+      "Basic data handling: PathIsAbsolute":
+        - PathParsing
+      "Basic data handling: PathJoin":
+        - PathParsing
+      "Basic data handling: PathNormalize":
+        - PathParsing
+      "Basic data handling: PathOutputDir":
+        - PathParsing
+      "Basic data handling: PathRelative":
+        - PathParsing
+      "Basic data handling: PathSetExtension":
+        - PathParsing
+      "Basic data handling: PathSplit":
+        - PathParsing
+      "Basic data handling: PathSplitExt":
+        - PathParsing
+
+  - name: ComfyUI-MelBandRoFormer
+    version: "1.0.2"
+
+  - name: "https://github.com/Extraltodeus/Skimmed_CFG@b2cf6e99303f9f310054b888fa23c37da9a4d224"
+    version: ""
+
+  - name: sd-dynamic-thresholding
+    version: "1.0.1"
+
+  - name: "https://github.com/filliptm/ComfyUI_Fill-Nodes@12c5bcded72a7f2c31c3df37516987c5d3691e28"
+    version: ""
+    web_directory: web
+    node_labels:
+      FL_API_Base64_ImageLoader:
+        - DisabledOnCloud
+      FL_CodeNode:
+        - DisabledOnCloud
+        - ReadsArbitraryFile
+      FL_JS:
+        - DisabledOnCloud
+      FL_WF_Agent:
+        - DisabledOnCloud
+      FL_SystemCheck:
+        - DisabledOnCloud
+        - HasCustomEndpoints
+      FL_Shadertoy:
+        - DisabledOnCloud
+      FL_InfiniteZoom:
+        - DisabledOnCloud
+      FL_PaperDrawn:
+        - DisabledOnCloud
+      FL_ProResVideo:
+        - DisabledOnCloud
+        - WritesToDisk
+        - ReadsArbitraryFile
+      FL_VideoCut:
+        - DisabledOnCloud
+        - WritesToDisk
+      FL_LoadImage:
+        - HasCustomEndpoints
+        - ReadsArbitraryFile
+      FL_ImagePicker:
+        - HasCustomEndpoints
+        - Stateful
+      FL_TimeLine:
+        - HasCustomEndpoints
+      FL_DirectoryCrawl:
+        - ReadsArbitraryFile
+      FL_ModelInspector:
+        - ReadsArbitraryFile
+      FL_ImageRandomizer:
+        - ReadsArbitraryFile
+      FL_NFTGenerator:
+        - ReadsArbitraryFile
+      FL_CaptionToCSV:
+        - ReadsArbitraryFile
+      FL_LoadCSV:
+        - ReadsArbitraryFile
+      FL_WordFrequencyGraph:
+        - ReadsArbitraryFile
+      FL_ImageCaptionLayout:
+        - ReadsArbitraryFile
+      FL_PDFLoader:
+        - ReadsArbitraryFile
+      FL_BulkPDFLoader:
+        - ReadsArbitraryFile
+      FL_ZipDirectory:
+        - ReadsArbitraryFile
+      FL_SaveImages:
+        - WritesToDisk
+        - ReadsArbitraryFile
+      FL_SaveWebM:
+        - WritesToDisk
+        - ReadsArbitraryFile
+      FL_CaptionSaver_V2:
+        - WritesToDisk
+        - ReadsArbitraryFile
+      FL_MirrorAndAppendCaptions:
+        - WritesToDisk
+        - ReadsArbitraryFile
+      FL_ImageCaptionLayoutPDF:
+        - WritesToDisk
+        - ReadsArbitraryFile
+      FL_ZipSave:
+        - WritesToDisk
+        - ReadsArbitraryFile
+      FL_ImageCaptionSaver:
+        - WritesToDisk
+      FL_VideoCaptionSaver:
+        - WritesToDisk
+        - CreatesLargeOutputs
+      FL_SaveCSV:
+        - WritesToDisk
+      FL_PDFSaver:
+        - WritesToDisk
+      FL_API_ImageSaver:
+        - WritesToDisk
+      FL_SaveAndDisplayImage:
+        - WritesToDisk
+      "FL_SaveWebPImage(SaveImage)":
+        - WritesToDisk
+      FL_SaveRGBAAnimatedWebP:
+        - WritesToDisk
+      FL_FILM:
+        - NetworkAccess
+        - WritesToDisk
+        - Stateful
+      FL_RIFE:
+        - NetworkAccess
+        - WritesToDisk
+        - Stateful
+      FL_ClipScanner:
+        - Stateful
+      # External API nodes - disabled on cloud (require user API keys, cloud has partner nodes)
+      FL_OllamaCaptioner:
+        - DisabledOnCloud
+        - NetworkAccess
+      FL_HFHubModelUploader:
+        - DisabledOnCloud
+        - NetworkAccess
+        - RequiresExternalAPI
+      FL_HF_Character:
+        - DisabledOnCloud
+        - NetworkAccess
+        - RequiresExternalAPI
+      FL_HF_UploaderAbsolute:
+        - DisabledOnCloud
+        - NetworkAccess
+        - RequiresExternalAPI
+      FL_HFDatasetDownloader:
+        - DisabledOnCloud
+        - NetworkAccess
+      FL_Hedra_API:
+        - DisabledOnCloud
+        - NetworkAccess
+        - RequiresExternalAPI
+      FL_GoogleDriveDownloader:
+        - DisabledOnCloud
+        - NetworkAccess
+      FL_GoogleDriveImageDownloader:
+        - DisabledOnCloud
+        - NetworkAccess
+      FL_GoogleCloudStorage:
+        - DisabledOnCloud
+        - NetworkAccess
+        - RequiresExternalAPI
+      FL_SendToDiscordWebhook:
+        - DisabledOnCloud
+        - NetworkAccess
+      FL_KartelJobInput:
+        - DisabledOnCloud
+        - NetworkAccess
+      FL_KartelJobOutput:
+        - DisabledOnCloud
+        - NetworkAccess
+      FL_Fal_Gemini_ImageEdit:
+        - DisabledOnCloud
+        - NetworkAccess
+        - RequiresExternalAPI
+      FL_Fal_Kling_AIAvatar:
+        - DisabledOnCloud
+        - NetworkAccess
+        - RequiresExternalAPI
+      FL_Fal_Kontext:
+        - DisabledOnCloud
+        - NetworkAccess
+        - RequiresExternalAPI
+      FL_Fal_Pixverse:
+        - DisabledOnCloud
+        - NetworkAccess
+        - RequiresExternalAPI
+      FL_Fal_Pixverse_LipSync:
+        - DisabledOnCloud
+        - NetworkAccess
+        - RequiresExternalAPI
+      FL_Fal_Pixverse_Transition:
+        - DisabledOnCloud
+        - NetworkAccess
+        - RequiresExternalAPI
+      FL_Fal_SeedVR_Upscale:
+        - DisabledOnCloud
+        - NetworkAccess
+        - RequiresExternalAPI
+      FL_Fal_Seedance_i2v:
+        - DisabledOnCloud
+        - NetworkAccess
+        - RequiresExternalAPI
+      FL_Fal_Seedream_Edit:
+        - DisabledOnCloud
+        - NetworkAccess
+        - RequiresExternalAPI
+      FL_Fal_Sora:
+        - DisabledOnCloud
+        - NetworkAccess
+        - RequiresExternalAPI
+      FL_GeminiImageEditor:
+        - DisabledOnCloud
+        - NetworkAccess
+        - RequiresExternalAPI
+      FL_GeminiImageGenADV:
+        - DisabledOnCloud
+        - NetworkAccess
+        - RequiresExternalAPI
+      FL_GeminiTextAPI:
+        - DisabledOnCloud
+        - NetworkAccess
+        - RequiresExternalAPI
+      FL_GeminiVideoCaptioner:
+        - DisabledOnCloud
+        - NetworkAccess
+        - RequiresExternalAPI
+      FL_PixVerseAPI:
+        - DisabledOnCloud
+        - NetworkAccess
+        - RequiresExternalAPI
+      FL_RunwayAct2:
+        - DisabledOnCloud
+        - NetworkAccess
+        - RequiresExternalAPI
+      FL_RunwayImageAPI:
+        - DisabledOnCloud
+        - NetworkAccess
+        - RequiresExternalAPI
+      FL_VertexGemini25FlashImage:
+        - DisabledOnCloud
+        - NetworkAccess
+        - RequiresExternalAPI
+      FL_Veo3VideoGen:
+        - DisabledOnCloud
+        - NetworkAccess
+        - RequiresExternalAPI
+      FL_Dalle3:
+        - DisabledOnCloud
+        - NetworkAccess
+        - RequiresExternalAPI
+      FL_GPT_Image1:
+        - DisabledOnCloud
+        - NetworkAccess
+        - RequiresExternalAPI
+      FL_GPT_Image1_ADV:
+        - DisabledOnCloud
+        - NetworkAccess
+        - RequiresExternalAPI
+      FL_GPT_Text:
+        - DisabledOnCloud
+        - NetworkAccess
+        - RequiresExternalAPI
+      FL_GPT_Vision:
+        - DisabledOnCloud
+        - NetworkAccess
+        - RequiresExternalAPI
+      FL_SimpleGPTVision:
+        - DisabledOnCloud
+        - NetworkAccess
+        - RequiresExternalAPI
+
+  - name: comfyui_steudio
+    version: "2.0.5"
+    node_labels:
+      "Display UI":
+        # Duplicate of core PreviewAny ("Preview as Text") node; does not work on cloud
+        - DuplicateOfCoreNode
+        - DisabledOnCloud
+      "Load Images into List":
+        - ReadsArbitraryFile
+
+  - name: "https://github.com/logtd/ComfyUI-Fluxtapoz@17c71bea20e932945e9c1be0586cfd4b7e51cbf6"
+    version: ""
+
+  # v1.0.5
+  - name: "https://github.com/lrzjason/ComfyUI-EditUtils@256a2340b161da3f814e5982ca4aa999f474df93"
+    version: ""
+
+  - name: feedback-sampler
+    version: "2.0.0"
+
+  - name: vewd
+    version: "1.7.2"
+
+  - name: comfyui-workflow-prettier
+    version: "1.0.5"
+    web_directory: web
+
+  - name: "https://github.com/Lightricks/ComfyUI-LTXVideo@531512f7286963dc7aff1fd8bf5556e95eae03af"
+    version: ""
+    node_labels:
+      GemmaAPITextEncode:
+        - RequiresExternalAPI
+        - NetworkAccess
+      LTXVSaveConditioning:
+        - WritesToDisk
+
+  - name: "https://github.com/yuvraj108c/ComfyUI-Upscaler-Tensorrt@dfc266538368e4c9a03a296917716a214517ccb5"
+    version: ""
+    web_directory: js
+
+  - name: comfyui-layerdiffuse
+    version: "1.0.4"
+    node_labels:
+      # SD1.5 attn_sharing nodes are broken in this custom node: AttentionSharingUnit.forward() does not accept
+      # transformer_options kwarg added in newer ComfyUI attention API
+      LayeredDiffusionJointApply:
+        - DisabledOnCloud
+      LayeredDiffusionCondJointApply:
+        - DisabledOnCloud
+
+  - name: comfyui-itools
+    version: "0.6.8"
+    web_directory: web
+    node_labels:
+      iToolsPromptLoader:
+        - ReadsArbitraryFile
+      iToolsPromptSaver:
+        - WritesToDisk
+      iToolsLoadImages:
+        - ReadsArbitraryFile
+      iToolsLoadRandomImage:
+        - ReadsArbitraryFile
+      iToolsPaintNode:
+        - HasCustomEndpoints
+        - DisabledOnCloud
+      iToolsCropImage:
+        - HasCustomEndpoints
+      iToolsPromptStyler:
+        - HasCustomEndpoints
+        - DisabledOnCloud
+      iToolsPromptStylerExtra:
+        - HasCustomEndpoints
+        - DisabledOnCloud
+      # iToolsTestNode, iToolsDomNode, iToolsFreeChat, iToolsFreeSchnell are
+      # conditional nodes (disabled by default in __init__.py settings) and
+      # never register in object_info — no labels needed
+
+  - name: https://github.com/Liquid-XO/ComfyUI_SchemaNodes@8e5676d89f046e8c28cbe7f2548f4abdaf86ca35
+    version: ""  # 0.1.1+8 (configurable image save format, remove SCHEMA_FIELD output)
+    web_directory: js
+
+  - name: comfyui-ic-light-native
+    version: "1.0.1"
+
+  - name: comfyui_nvidia_rtx_nodes
+    version: "0.1.2"
+
+  - name: "https://github.com/kijai/ComfyUI-GIMM-VFI@4c9a3123762af85e7c796e41737da0b70c75d72d"
+    version: ""
+
+  - name: wanvaceadvanced
+    version: "1.4.0"
+    node_labels:
+      WanVacePhantomDual:
+        - DisabledOnCloud
+      WanVacePhantomExperimental:
+        - DisabledOnCloud
+
+  - name: comfyui-systms-facecomposite
+    version: "1.0.0"
+
+  - name: comfyui-bfsnodes
+    version: "1.0.0"
diff --git a/comfy_cli/cql/engine.py b/comfy_cli/cql/engine.py
new file mode 100644
index 00000000..170425ec
--- /dev/null
+++ b/comfy_cli/cql/engine.py
@@ -0,0 +1,1526 @@
+"""Pure-Python CQL graph engine.
+
+Parses ComfyUI's ``object_info.json``, builds an indexed compatibility graph,
+and exposes upstream/downstream, path-finding, validation, annotations,
+and widget-order resolution.
+
+Port of ``github.com/Comfy-Org/cql/nodegraph`` (Go).
+"""
+
+from __future__ import annotations
+
+import copy
+import difflib
+import ipaddress
+import json
+import logging
+import urllib.error
+import urllib.parse
+import urllib.request
+import uuid as _uuid
+from collections import defaultdict
+from dataclasses import dataclass, field
+from typing import Any
+
+# ---------------------------------------------------------------------------
+# Types — mirrors nodegraph/types.go
+# ---------------------------------------------------------------------------
+
+_IMPLICIT_WIDGET_TYPES = frozenset({"STRING", "INT", "FLOAT", "NUMBER", "BOOLEAN", "COMBO"})
+
+
+@dataclass
+class PortOptions:
+    min: float | None = None
+    max: float | None = None
+    step: float | None = None
+    default: Any = None
+    multiline: bool = False
+    control_after_generate: bool = False
+    force_input: bool = False
+
+
+@dataclass
+class Port:
+    name: str
+    type: str
+    required: bool = False
+    is_link: bool = False
+    enum_values: list[str] = field(default_factory=list)
+    options: PortOptions = field(default_factory=PortOptions)
+
+    @property
+    def is_autogrow(self) -> bool:
+        """V3 autogrow input (e.g. BatchImagesNode.images): the schema declares
+        ONE input, but the server expects autogrown slot keys —
+        ``images.image0``, ``images.image1``, … one per connection."""
+        return self.type.startswith("COMFY_AUTOGROW")
+
+    def autogrow_slot_example(self) -> str:
+        """Best-effort slot-key example for hints. The element name comes from
+        the node's V3 definition and isn't in object_info; the observed server
+        convention is the singular of the input name (images → image0)."""
+        stem = self.name[:-1] if self.name.endswith("s") else self.name
+        return f"{self.name}.{stem}0, {self.name}.{stem}1, …"
+
+    def validate_shape(self, value: Any) -> str | None:
+        """Hard-reject on JSON-shape mismatch. Returns error message or None."""
+        if self.type == "INT":
+            if isinstance(value, bool) or not isinstance(value, int | float):
+                return f"{self.name}: expected INT, got {type(value).__name__} {value!r}"
+            if isinstance(value, float) and value != int(value):
+                return f"{self.name}: expected integer, got {value}"
+        elif self.type in ("FLOAT", "NUMBER"):
+            if isinstance(value, bool) or not isinstance(value, int | float):
+                return f"{self.name}: expected {self.type}, got {type(value).__name__}"
+        elif self.type == "STRING":
+            if not isinstance(value, str):
+                return f"{self.name}: expected STRING (string), got {type(value).__name__}"
+        elif self.type == "COMBO":
+            # COMBO options are usually strings, but the server also ships
+            # int-valued combos (e.g. LTXV `duration`/`fps`). Accept any
+            # scalar here; membership is the catalog enum check's job. Only
+            # bool and container/None shapes are a true mismatch.
+            if isinstance(value, bool) or not isinstance(value, str | int | float):
+                return f"{self.name}: expected COMBO (string or number), got {type(value).__name__}"
+        elif self.type == "BOOLEAN":
+            if not isinstance(value, bool):
+                return f"{self.name}: expected BOOLEAN, got {type(value).__name__}"
+        return None
+
+    def validate_catalog(self, value: Any) -> list[dict]:
+        """Soft checks against catalog snapshot. Returns warnings list."""
+        if self.validate_shape(value) is not None:
+            return []
+        warnings: list[dict] = []
+        if self.type == "COMBO" and self.enum_values:
+            # enum_values are stored as strings; the submitted value may be a
+            # string or a number (int-valued combos). Compare on the stringified
+            # form so `8` matches the option "8", and `8.0` matches "8" too.
+            candidates = {value, str(value)}
+            if isinstance(value, float) and value.is_integer():
+                candidates.add(str(int(value)))
+            if not (candidates & set(self.enum_values)):
+                warnings.append(
+                    {
+                        "code": "unknown_enum_value",
+                        "field": self.name,
+                        "message": f"{value!r} not in {len(self.enum_values)} known options for {self.name}",
+                    }
+                )
+        if self.type in ("INT", "FLOAT", "NUMBER") and isinstance(value, int | float):
+            if self.options.min is not None and value < self.options.min:
+                warnings.append(
+                    {
+                        "code": "below_min",
+                        "field": self.name,
+                        "message": f"{self.name}={value} below catalog min {self.options.min}",
+                    }
+                )
+            if self.options.max is not None and value > self.options.max:
+                warnings.append(
+                    {
+                        "code": "above_max",
+                        "field": self.name,
+                        "message": f"{self.name}={value} above catalog max {self.options.max}",
+                    }
+                )
+        return warnings
+
+
+@dataclass
+class Morphism:
+    id: str
+    display_name: str = ""
+    description: str = ""
+    category: str = ""
+    inputs: list[Port] = field(default_factory=list)
+    outputs: list[Port] = field(default_factory=list)
+    is_output_node: bool = False
+    is_api_node: bool = False
+    deprecated: bool = False
+    experimental: bool = False
+    search_aliases: list[str] = field(default_factory=list)
+    pack: str = ""
+    labels: list[str] = field(default_factory=list)
+    cloud_disabled: bool = False
+    needs_gpu: bool = True  # default True per Go
+
+    def output_types(self) -> list[str]:
+        seen: set[str] = set()
+        out: list[str] = []
+        for p in self.outputs:
+            if p.type not in seen:
+                seen.add(p.type)
+                out.append(p.type)
+        return out
+
+    def input_link_types(self) -> list[str]:
+        seen: set[str] = set()
+        out: list[str] = []
+        for p in self.inputs:
+            if p.is_link and p.type not in seen:
+                seen.add(p.type)
+                out.append(p.type)
+        return out
+
+    def required_link_types(self) -> list[str]:
+        seen: set[str] = set()
+        out: list[str] = []
+        for p in self.inputs:
+            if p.is_link and p.required and p.type not in seen:
+                seen.add(p.type)
+                out.append(p.type)
+        return out
+
+    def has_input(self, t: str) -> bool:
+        return any(p.is_link and p.type == t for p in self.inputs)
+
+    def has_output(self, t: str) -> bool:
+        return any(p.type == t for p in self.outputs)
+
+    def can_apply(self, available: set[str]) -> bool:
+        return all(t in available for t in self.required_link_types())
+
+
+# ---------------------------------------------------------------------------
+# Parsing — mirrors nodegraph/parse.go
+# ---------------------------------------------------------------------------
+
+
+def _is_link(type_id: str, is_enum: bool, force_input: bool) -> bool:
+    """Determine if an input participates in typed wiring (link) or is inline (widget)."""
+    if is_enum:
+        return False
+    if type_id in _IMPLICIT_WIDGET_TYPES and not force_input and type_id != "*":
+        return False
+    return True
+
+
+def _derive_pack(python_module: str) -> str:
+    if not python_module:
+        return "core"
+    if (
+        python_module.startswith("nodes")
+        or python_module.startswith("comfy_extras")
+        or python_module.startswith("comfy.comfy_types")
+    ):
+        return "core"
+    if python_module.startswith("custom_nodes."):
+        parts = python_module.split(".", 3)
+        if len(parts) >= 2:
+            return parts[1]
+    return "core"
+
+
+def _parse_port_options(opts_raw: dict) -> PortOptions:
+    return PortOptions(
+        min=opts_raw.get("min"),
+        max=opts_raw.get("max"),
+        step=opts_raw.get("step"),
+        default=opts_raw.get("default"),
+        multiline=bool(opts_raw.get("multiline", False)),
+        control_after_generate=_control_after_generate_set(opts_raw.get("control_after_generate")),
+        force_input=bool(opts_raw.get("forceInput", False)),
+    )
+
+
+def _control_after_generate_set(val: Any) -> bool:
+    if val is None:
+        return False
+    if isinstance(val, bool):
+        return val
+    if isinstance(val, str):
+        return val != "" and val != "false"
+    return True
+
+
+def _parse_input_spec(spec: Any) -> tuple[str, bool, list[str], PortOptions]:
+    """Returns (type_id, is_enum, enum_values, options)."""
+    if isinstance(spec, str):
+        return spec, False, [], PortOptions()
+
+    if not isinstance(spec, list) or len(spec) == 0:
+        return "UNKNOWN", False, [], PortOptions()
+
+    opts_raw = spec[1] if len(spec) > 1 and isinstance(spec[1], dict) else {}
+    port_opts = _parse_port_options(opts_raw)
+
+    first = spec[0]
+    if isinstance(first, str):
+        # V3 / partner-API combo dialect: the type is the literal string
+        # "COMBO" (or a dynamic-combo type) and the choices live in the
+        # options dict, e.g. ["COMBO", {"options": ["480p", "720p"]}].
+        # Without this, dict-form combos lose their enum and validate can't
+        # enum-check them — exactly the partner nodes (ByteDance, BFL, …)
+        # where the choices array is the precision check.
+        options = opts_raw.get("options")
+        if isinstance(options, list) and options and all(_is_scalar_choice(v) for v in options):
+            values = [v if isinstance(v, str) else str(v) for v in options]
+            return first, True, values, port_opts
+        return first, False, [], port_opts
+
+    if isinstance(first, list):
+        values = [str(v) if not isinstance(v, str) else v for v in first]
+        return "COMBO", True, values, port_opts
+
+    return "UNKNOWN", False, [], port_opts
+
+
+def _is_scalar_choice(v: Any) -> bool:
+    """A combo option is enumerable only if it's a scalar. Dynamic combos
+    (COMFY_DYNAMICCOMBO_V3) carry dict options describing sub-inputs — those
+    are not membership choices and must not be flattened into enum_values."""
+    return isinstance(v, str | int | float) and not isinstance(v, bool)
+
+
+def _ordered_names(raw: dict, order: list[str] | None) -> list[str]:
+    """Return input names in declared order, falling back to alphabetical."""
+    seen: set[str] = set()
+    out: list[str] = []
+    for name in order or []:
+        if name in raw and name not in seen:
+            out.append(name)
+            seen.add(name)
+    for name in sorted(raw.keys()):
+        if name not in seen:
+            out.append(name)
+    return out
+
+
+def _parse_inputs(raw: dict, order: list[str] | None, required: bool) -> list[Port]:
+    ports: list[Port] = []
+    for name in _ordered_names(raw, order):
+        spec = raw[name]
+        type_id, is_enum, enum_values, opts = _parse_input_spec(spec)
+        ports.append(
+            Port(
+                name=name,
+                type=type_id,
+                required=required,
+                is_link=_is_link(type_id, is_enum, opts.force_input),
+                enum_values=enum_values,
+                options=opts,
+            )
+        )
+    return ports
+
+
+def _unmarshal_string_list(val: Any) -> list[str]:
+    if isinstance(val, list):
+        return [str(v) for v in val]
+    if isinstance(val, str):
+        return [val]
+    return []
+
+
+def _parse_morphism(node_id: str, raw: dict) -> Morphism:
+    input_block = raw.get("input") or {}
+    input_order = raw.get("input_order") or {}
+    req_raw = input_block.get("required") or {}
+    opt_raw = input_block.get("optional") or {}
+    req_order = input_order.get("required")
+    opt_order = input_order.get("optional")
+
+    inputs = _parse_inputs(req_raw, req_order, required=True)
+    inputs += _parse_inputs(opt_raw, opt_order, required=False)
+
+    raw_outputs = raw.get("output") or []
+    output_names = _unmarshal_string_list(raw.get("output_name"))
+    outputs: list[Port] = []
+    for i, out in enumerate(raw_outputs):
+        name = output_names[i] if i < len(output_names) else ""
+        t = out if isinstance(out, str) else "COMBO"
+        outputs.append(Port(name=name, type=t, required=True, is_link=True))
+
+    return Morphism(
+        id=node_id,
+        display_name=raw.get("display_name") or node_id,
+        description=raw.get("description") or "",
+        category=raw.get("category") or "",
+        inputs=inputs,
+        outputs=outputs,
+        is_output_node=bool(raw.get("output_node", False)),
+        is_api_node=bool(raw.get("api_node", False)),
+        deprecated=bool(raw.get("deprecated", False)),
+        experimental=bool(raw.get("experimental", False)),
+        search_aliases=_unmarshal_string_list(raw.get("search_aliases")),
+        pack=_derive_pack(raw.get("python_module") or ""),
+    )
+
+
+# ---------------------------------------------------------------------------
+# Annotations — mirrors nodegraph/annotations.go
+# ---------------------------------------------------------------------------
+
+
+def parse_supported_nodes(data: bytes) -> tuple[dict[str, str], dict[str, list[str]]]:
+    """Parse supported_nodes.yaml → (node_pack, node_labels)."""
+    try:
+        import yaml
+
+        cfg = yaml.safe_load(data)
+    except Exception:
+        return {}, {}
+    if not isinstance(cfg, dict):
+        return {}, {}
+    node_pack: dict[str, str] = {}
+    node_labels: dict[str, list[str]] = {}
+    for pack in cfg.get("node_packs") or []:
+        if not isinstance(pack, dict):
+            continue
+        pack_name = pack.get("name", "")
+        for node_name, labels in (pack.get("node_labels") or {}).items():
+            node_pack[node_name] = pack_name
+            node_labels[node_name] = list(labels) if isinstance(labels, list) else []
+    return node_pack, node_labels
+
+
+def parse_disable_config(data: bytes) -> set[str]:
+    """Parse cloud_disable_config.yaml → set of labels that disable nodes."""
+    try:
+        import yaml
+
+        cfg = yaml.safe_load(data)
+    except Exception:
+        return set()
+    if not isinstance(cfg, dict):
+        return set()
+    disable = cfg.get("disable_nodes") or {}
+    labels: set[str] = set()
+    for rule in disable.get("or") or []:
+        if isinstance(rule, dict):
+            for label, enabled in rule.items():
+                if enabled:
+                    labels.add(label)
+    return labels
+
+
+def parse_no_gpu_nodes(data: bytes) -> set[str]:
+    """Parse no_gpu_nodes.json → set of CPU-only node IDs."""
+    try:
+        cfg = json.loads(data)
+    except Exception:
+        return set()
+    if not isinstance(cfg, dict) or cfg.get("schema_version") != 1:
+        return set()
+    return set(cfg.get("no_gpu_nodes") or [])
+
+
+# ---------------------------------------------------------------------------
+# Graph — mirrors nodegraph/graph.go
+# ---------------------------------------------------------------------------
+
+
+class Graph:
+    """Indexed compatibility graph over ComfyUI node classes."""
+
+    def __init__(self) -> None:
+        self._nodes: dict[str, Morphism] = {}
+        self._producers: dict[str, list[Morphism]] = defaultdict(list)
+        self._consumers: dict[str, list[Morphism]] = defaultdict(list)
+        self._types: set[str] = set()
+        self._annotated = False
+
+    @classmethod
+    def from_object_info(cls, object_info: dict[str, Any]) -> Graph:
+        if not isinstance(object_info, dict):
+            raise LoadError(
+                "object_info must be a JSON object",
+                details={"top_level_type": type(object_info).__name__},
+            )
+        g = cls()
+        for node_id, raw in object_info.items():
+            if not isinstance(raw, dict):
+                continue
+            m = _parse_morphism(node_id, raw)
+            g._nodes[m.id] = m
+            for t in m.output_types():
+                g._producers[t].append(m)
+                g._types.add(t)
+            for t in m.input_link_types():
+                g._consumers[t].append(m)
+                g._types.add(t)
+        # Sort indexes for deterministic output
+        for t in g._producers:
+            g._producers[t].sort(key=lambda m: m.id)
+        for t in g._consumers:
+            g._consumers[t].sort(key=lambda m: m.id)
+        return g
+
+    # -- Annotation --
+
+    def annotate(
+        self,
+        supported_nodes_yaml: bytes | None = None,
+        cloud_disable_yaml: bytes | None = None,
+        no_gpu_json: bytes | None = None,
+    ) -> None:
+        node_pack: dict[str, str] = {}
+        node_labels: dict[str, list[str]] = {}
+        disable_labels: set[str] = set()
+        no_gpu: set[str] = set()
+
+        if supported_nodes_yaml:
+            node_pack, node_labels = parse_supported_nodes(supported_nodes_yaml)
+        if cloud_disable_yaml:
+            disable_labels = parse_disable_config(cloud_disable_yaml)
+        if no_gpu_json:
+            no_gpu = parse_no_gpu_nodes(no_gpu_json)
+
+        for nid, m in self._nodes.items():
+            if nid in node_pack:
+                m.pack = node_pack[nid]
+            if nid in node_labels:
+                m.labels = node_labels[nid]
+            m.cloud_disabled = any(label in disable_labels for label in m.labels)
+            m.needs_gpu = nid not in no_gpu
+        self._annotated = True
+
+    # -- Lookup --
+
+    def node(self, name: str) -> Morphism | None:
+        return self._nodes.get(name)
+
+    def all_nodes(self) -> list[Morphism]:
+        return sorted(self._nodes.values(), key=lambda m: m.id)
+
+    def node_count(self) -> int:
+        return len(self._nodes)
+
+    # -- Traversal --
+
+    def upstream(self, name: str) -> list[Morphism]:
+        m = self._nodes.get(name)
+        if m is None:
+            return []
+        seen: set[str] = set()
+        result: list[Morphism] = []
+        for t in m.input_link_types():
+            for producer in self._producers.get(t, []):
+                if producer.id != name and producer.id not in seen:
+                    seen.add(producer.id)
+                    result.append(producer)
+        result.sort(key=lambda m: m.id)
+        return result
+
+    def downstream(self, name: str) -> list[Morphism]:
+        m = self._nodes.get(name)
+        if m is None:
+            return []
+        seen: set[str] = set()
+        result: list[Morphism] = []
+        for t in m.output_types():
+            for consumer in self._consumers.get(t, []):
+                if consumer.id != name and consumer.id not in seen:
+                    seen.add(consumer.id)
+                    result.append(consumer)
+        result.sort(key=lambda m: m.id)
+        return result
+
+    def pack_nodes(self, pack: str) -> list[Morphism]:
+        """All nodes belonging to a custom-node pack (case-insensitive)."""
+        p = pack.lower()
+        return sorted([m for m in self._nodes.values() if m.pack.lower() == p], key=lambda m: m.id)
+
+    def label_nodes(self, label: str) -> list[Morphism]:
+        """All nodes carrying a specific behavioral label."""
+        return sorted([m for m in self._nodes.values() if label in m.labels], key=lambda m: m.id)
+
+    def cloud_disabled_nodes(self) -> list[Morphism]:
+        """All nodes that are disabled on Comfy Cloud."""
+        return sorted([m for m in self._nodes.values() if m.cloud_disabled], key=lambda m: m.id)
+
+    def cloud_enabled_nodes(self) -> list[Morphism]:
+        """All nodes that are enabled on Comfy Cloud."""
+        return sorted([m for m in self._nodes.values() if not m.cloud_disabled], key=lambda m: m.id)
+
+    def api_nodes(self) -> list[Morphism]:
+        """All partner API nodes."""
+        return sorted([m for m in self._nodes.values() if m.is_api_node], key=lambda m: m.id)
+
+    def output_nodes(self) -> list[Morphism]:
+        """All terminal output nodes (SaveImage, etc.)."""
+        return sorted([m for m in self._nodes.values() if m.is_output_node], key=lambda m: m.id)
+
+    def packs(self) -> list[str]:
+        """All known pack names, sorted."""
+        return sorted(set(m.pack for m in self._nodes.values() if m.pack))
+
+    def known_labels(self) -> list[str]:
+        """All known labels, sorted."""
+        labels: set[str] = set()
+        for m in self._nodes.values():
+            labels.update(m.labels)
+        return sorted(labels)
+
+    def find_paths(
+        self,
+        from_type: str,
+        to_type: str,
+        *,
+        max_depth: int = 4,
+        max_paths: int = 10,
+    ) -> list[dict]:
+        """BFS multi-hop path finding from one type to another."""
+        if from_type == to_type:
+            return []
+        # queue items: (current_type, steps[])
+        queue: list[tuple[str, list[dict]]] = [(from_type, [])]
+        visited: set[str] = {from_type}
+        paths: list[dict] = []
+
+        while queue and len(paths) < max_paths:
+            next_queue: list[tuple[str, list[dict]]] = []
+            for cur_type, steps in queue:
+                if len(steps) >= max_depth:
+                    continue
+                for consumer in self._consumers.get(cur_type, []):
+                    for out_t in consumer.output_types():
+                        if out_t == cur_type:
+                            continue
+                        step = {"node": consumer.id, "input_type": cur_type, "output_type": out_t}
+                        new_steps = steps + [step]
+                        if out_t == to_type:
+                            paths.append({"from": from_type, "to": to_type, "steps": new_steps})
+                            if len(paths) >= max_paths:
+                                return paths
+                        elif out_t not in visited and len(new_steps) < max_depth:
+                            visited.add(out_t)
+                            next_queue.append((out_t, new_steps))
+            queue = next_queue
+        return paths
+
+    def exact_paths(
+        self,
+        from_type: str,
+        to_type: str,
+        *,
+        max_depth: int = 6,
+        max_paths: int = 10,
+    ) -> list[dict]:
+        """Satisfiability-aware BFS: each step's required link inputs must be
+        available from types produced by prior steps."""
+        if from_type == to_type:
+            return []
+        # state: (available_types_frozenset, steps[])
+        initial: frozenset[str] = frozenset({from_type})
+        queue: list[tuple[frozenset[str], list[dict]]] = [(initial, [])]
+        visited: set[frozenset[str]] = {initial}
+        paths: list[dict] = []
+
+        while queue and len(paths) < max_paths:
+            next_queue: list[tuple[frozenset[str], list[dict]]] = []
+            for available, steps in queue:
+                if len(steps) >= max_depth:
+                    continue
+                for m in sorted(self._nodes.values(), key=lambda m: m.id):
+                    if not m.can_apply(available):
+                        continue
+                    new_outs = [t for t in m.output_types() if t not in available and t != "*"]
+                    if not new_outs:
+                        continue
+                    # Pick one representative input type this node consumes from available
+                    input_type = ""
+                    for t in m.required_link_types():
+                        if t in available:
+                            input_type = t
+                            break
+                    for out_t in new_outs:
+                        step = {"node": m.id, "input_type": input_type, "output_type": out_t}
+                        new_steps = steps + [step]
+                        new_avail = available | frozenset(new_outs)
+                        if out_t == to_type:
+                            # ``from_type`` seeds ``available`` and the set only
+                            # grows, so every reachable path originates from it by
+                            # construction — no extra consumption guard needed.
+                            paths.append({"from": from_type, "to": to_type, "steps": new_steps})
+                            if len(paths) >= max_paths:
+                                return paths
+                        elif new_avail not in visited and len(new_steps) < max_depth:
+                            visited.add(new_avail)
+                            next_queue.append((new_avail, new_steps))
+            queue = next_queue
+        return paths
+
+    # -- Browse --
+
+    def list_types(self) -> list[str]:
+        return sorted(self._types)
+
+    def category_tree(self) -> dict:
+        """Build a hierarchical category tree with node counts."""
+        counts: dict[str, int] = defaultdict(int)
+        for m in self._nodes.values():
+            if m.category:
+                counts[m.category] += 1
+
+        root: dict[str, Any] = {"FullPath": "", "Count": 0, "Children": {}}
+        for path, count in sorted(counts.items()):
+            parts = path.split("/")
+            node = root
+            for i, part in enumerate(parts):
+                full = "/".join(parts[: i + 1])
+                if part not in node["Children"]:
+                    node["Children"][part] = {"FullPath": full, "Count": 0, "Children": {}}
+                child = node["Children"][part]
+                child["Count"] += count
+                node = child
+        return {"Root": root}
+
+    # -- Widget order --
+
+    def widget_order(self, class_name: str) -> list[str]:
+        m = self._nodes.get(class_name)
+        if m is None:
+            return []
+        order: list[str] = []
+        for p in m.inputs:
+            if p.is_link:
+                continue
+            order.append(p.name)
+            if p.options.control_after_generate:
+                order.append("control_after_generate")
+        return order
+
+    # -- Validation --
+
+    def validate_workflow(self, workflow: dict[str, Any]) -> dict[str, Any]:
+        """Validate an API-format workflow. Returns {valid, errors, warnings}."""
+        errors: list[dict] = []
+        warnings: list[dict] = []
+        all_names = list(self._nodes.keys())
+
+        for node_id, node_data in workflow.items():
+            if not isinstance(node_data, dict):
+                warnings.append(
+                    {
+                        "node_id": node_id,
+                        "field": node_id,
+                        "code": "non_node_key",
+                        "message": f"key {node_id!r} is not a workflow node (expected a dict with class_type)",
+                    }
+                )
+                continue
+            class_type = node_data.get("class_type", "")
+            if not class_type:
+                warnings.append(
+                    {
+                        "node_id": node_id,
+                        "field": node_id,
+                        "code": "non_node_key",
+                        "message": f"key {node_id!r} has no class_type and will be ignored by the server",
+                    }
+                )
+                continue
+
+            m = self._nodes.get(class_type)
+            if m is None:
+                close = difflib.get_close_matches(class_type, all_names, n=3, cutoff=0.6)
+                errors.append(
+                    {
+                        "node_id": node_id,
+                        "code": "unknown_class_type",
+                        "message": f"class_type {class_type!r} not found in object_info",
+                        "hint": f"did you mean: {', '.join(close)}?"
+                        if close
+                        else "run `comfy nodes search <name>` to find available classes",
+                        "suggestions": close,
+                    }
+                )
+                continue
+
+            port_by_name = {p.name: p for p in m.inputs}
+            # V3 autogrow inputs are declared once (e.g. `images`) but wired as
+            # slot keys (`images.image0`, `images.image1`, …). Track which
+            # autogrow ports actually received a slot so the required-but-empty
+            # case surfaces here instead of as a cryptic server reject.
+            autogrow_ports = {p.name: p for p in m.inputs if p.is_autogrow}
+            autogrow_seen: set[str] = set()
+            for input_name, value in (node_data.get("inputs") or {}).items():
+                if autogrow_ports and "." in input_name:
+                    base = input_name.split(".", 1)[0]
+                    if base in autogrow_ports:
+                        autogrow_seen.add(base)
+                if input_name in autogrow_ports and isinstance(value, list) and len(value) == 2:
+                    port = autogrow_ports[input_name]
+                    errors.append(
+                        {
+                            "node_id": node_id,
+                            "field": input_name,
+                            "code": "autogrow_bare_input",
+                            "message": (
+                                f"input {input_name!r} is an autogrow input ({port.type}) and cannot be "
+                                f"wired as a single connection — the server expects one slot key per "
+                                f"connection"
+                            ),
+                            "hint": f"wire one key per connection: {port.autogrow_slot_example()} "
+                            f'(e.g. "{input_name}.{input_name[:-1] if input_name.endswith("s") else input_name}0": '
+                            f"[{value[0]!r}, {value[1]!r}])",
+                        }
+                    )
+                    continue
+                # Link references: [source_node_id, output_index]
+                if isinstance(value, list) and len(value) == 2:
+                    src_id = str(value[0])
+                    out_idx = value[1] if isinstance(value[1], int) else None
+
+                    # (i) source node exists in workflow
+                    src_data = workflow.get(src_id)
+                    if not isinstance(src_data, dict) or not src_data.get("class_type"):
+                        errors.append(
+                            {
+                                "node_id": node_id,
+                                "field": input_name,
+                                "code": "dangling_edge",
+                                "message": f"input {input_name!r} references node {src_id!r} which does not exist",
+                                "hint": f"add node {src_id!r} to the workflow, or rewire this input to an existing node",
+                            }
+                        )
+                        continue
+
+                    src_class = src_data["class_type"]
+                    src_m = self._nodes.get(src_class)
+                    if src_m is None:
+                        # Source class_type already flagged by the outer loop
+                        continue
+
+                    # (ii) output index in range
+                    if out_idx is None or out_idx < 0 or out_idx >= len(src_m.outputs):
+                        valid_indices = ", ".join(f"[{i}]={p.type}" for i, p in enumerate(src_m.outputs))
+                        errors.append(
+                            {
+                                "node_id": node_id,
+                                "field": input_name,
+                                "code": "output_index_out_of_range",
+                                "message": (
+                                    f"input {input_name!r} references {src_class}[{value[1]}] "
+                                    f"but {src_class} has {len(src_m.outputs)} output(s)"
+                                ),
+                                "hint": f"valid indices for {src_class}: {valid_indices}",
+                            }
+                        )
+                        continue
+
+                    # (iii) type compatibility — advisory only.
+                    # ComfyUI allows cross-type wiring via reroutes, converters,
+                    # and wildcard ports; the server is the authoritative validator.
+                    port = port_by_name.get(input_name)
+                    if port is not None:
+                        src_type = src_m.outputs[out_idx].type
+                        dst_type = port.type
+                        if src_type != "*" and dst_type != "*" and src_type != dst_type:
+                            # Find the correct index for the expected type
+                            correct = [f"[{i}]" for i, p in enumerate(src_m.outputs) if p.type == dst_type]
+                            hint = (
+                                f"use {src_class}{correct[0]} instead"
+                                if correct
+                                else f"run `comfy nodes ls --produces {dst_type}` to find a source"
+                            )
+                            warnings.append(
+                                {
+                                    "node_id": node_id,
+                                    "field": input_name,
+                                    "code": "edge_type_mismatch",
+                                    "message": (
+                                        f"input {input_name!r} expects {dst_type} but "
+                                        f"{src_class}[{out_idx}] produces {src_type}"
+                                    ),
+                                    "hint": hint,
+                                }
+                            )
+                    continue
+
+                port = port_by_name.get(input_name)
+                if port is None:
+                    continue
+                # Shape check (hard error)
+                shape_err = port.validate_shape(value)
+                if shape_err:
+                    errors.append(
+                        {
+                            "node_id": node_id,
+                            "field": input_name,
+                            "code": "shape_mismatch",
+                            "message": shape_err,
+                            "hint": f"expected {port.type}; check the value type",
+                        }
+                    )
+                    continue
+                # Catalog checks
+                for w in port.validate_catalog(value):
+                    if w["code"] == "unknown_enum_value":
+                        top = port.enum_values[:5]
+                        errors.append(
+                            {
+                                "node_id": node_id,
+                                "field": input_name,
+                                "code": "unknown_enum_value",
+                                "message": w["message"],
+                                "hint": f"valid options include: {', '.join(top)}"
+                                + (f" (and {len(port.enum_values) - 5} more)" if len(port.enum_values) > 5 else ""),
+                                "suggestions": port.enum_values[:20],
+                            }
+                        )
+                    else:
+                        w["field"] = f"{node_id}.{class_type}.{w['field']}"
+                        warnings.append(w)
+
+            for base, port in autogrow_ports.items():
+                if port.required and base not in autogrow_seen and base not in (node_data.get("inputs") or {}):
+                    errors.append(
+                        {
+                            "node_id": node_id,
+                            "field": base,
+                            "code": "autogrow_no_slots",
+                            "message": (
+                                f"required autogrow input {base!r} has no connected slots — "
+                                f"the server will reject this node"
+                            ),
+                            "hint": f"wire one key per connection: {port.autogrow_slot_example()}",
+                        }
+                    )
+
+        return {
+            "valid": len(errors) == 0,
+            "errors": errors,
+            "warnings": warnings,
+        }
+
+    # -- Workflow slot editing --
+
+    def get_template_schema(self, template_id: str, workflow: dict) -> dict:
+        """Extract the slot manifest from a frontend-format workflow."""
+        return {"id": template_id, "slots": _extract_frontend_slots(workflow, self)}
+
+    def apply_slots(self, workflow: dict, overrides: dict[str, Any]) -> tuple[dict, list[dict]]:
+        """Apply slot overrides. Returns (modified_workflow, warnings)."""
+        import copy
+
+        wf = copy.deepcopy(workflow)
+        warnings: list[dict] = []
+        for addr, value in overrides.items():
+            warnings.extend(_apply_one_slot(wf, addr, value, self))
+        return wf, warnings
+
+    def expand_variations(self, workflow: dict, variations: list[dict[str, Any]]) -> tuple[list[dict], list[dict]]:
+        """Apply N override sets, return N independent workflow copies."""
+        results: list[dict] = []
+        all_warnings: list[dict] = []
+        for overrides in variations:
+            modified, warnings = self.apply_slots(workflow, overrides)
+            results.append(modified)
+            all_warnings.extend(warnings)
+        return results, all_warnings
+
+    # -- Source loading (local / cloud / file) --
+
+    @classmethod
+    def load(
+        cls,
+        *,
+        mode: str = "local",
+        input_path: str | None = None,
+        host: str = "127.0.0.1",
+        port: int = 8188,
+        supported_nodes_yaml: bytes | None = None,
+        cloud_disable_yaml: bytes | None = None,
+        no_gpu_json: bytes | None = None,
+    ) -> Graph:
+        """Unified entry point: resolve object_info, build graph, annotate.
+
+        Both local and cloud are the same: fetch ``/object_info`` from the
+        resolved target. The only differences are base URL, path prefix,
+        and auth headers — all handled by ``_load_from_target()``.
+
+        Resolution order:
+          1. ``input_path`` → read from local JSON file
+          2. ``mode`` → resolve a Target via the CLI's routing chain,
+             fetch ``/object_info`` over HTTP (local or cloud).
+
+        Security: loopback-only guard for local, HTTPS-only for cloud,
+        bounded read (64 MB), no-redirect policy.
+        """
+        if input_path is not None:
+            raw = _load_from_file(input_path)
+        else:
+            raw = _load_from_target(mode=mode, host=host, port=port)
+
+        g = cls.from_object_info(raw)
+        if supported_nodes_yaml or cloud_disable_yaml or no_gpu_json:
+            g.annotate(supported_nodes_yaml, cloud_disable_yaml, no_gpu_json)
+        else:
+            g._try_default_annotations()
+        return g
+
+    def _try_default_annotations(self) -> None:
+        """Load bundled annotation files from ``comfy_cli.cql.data``.
+
+        These ship as package data (40 KB total) from Comfy-Org/comfy-complete.
+        They enrich every node with:
+          - pack membership (which custom-node pack it belongs to)
+          - behavioral labels (ReadsArbitraryFile, NetworkAccess, etc.)
+          - cloud_disabled (whether this node is disabled on cloud)
+
+        Useful for BOTH local and cloud: an agent building a workflow on a
+        local server still needs to know which nodes will work on cloud.
+        Local-only custom nodes not in comfy-complete simply get no labels
+        and cloud_disabled=False (safe default).
+        """
+        try:
+            from importlib import resources
+
+            data_pkg = resources.files("comfy_cli.cql.data")
+            sup = (data_pkg / "supported_nodes.yaml").read_bytes()
+            dis = (data_pkg / "cloud_disable_config.yaml").read_bytes()
+            nogpu = (data_pkg / "no_gpu_nodes.json").read_bytes()
+            self.annotate(sup, dis, nogpu)
+        except Exception:
+            pass  # missing package data is non-fatal
+
+    # -- Serialization helpers for CLI compat --
+
+    def morphism_to_dict(self, m: Morphism) -> dict[str, Any]:
+        return {
+            "id": m.id,
+            "name": m.id,
+            "display_name": m.display_name,
+            "description": m.description,
+            "category": m.category,
+            "output_types": m.output_types(),
+            "output_node": m.is_output_node,
+            "is_api_node": m.is_api_node,
+            "deprecated": m.deprecated,
+            "pack": m.pack,
+            "labels": m.labels,
+            "cloud_disabled": m.cloud_disabled,
+            "needs_gpu": m.needs_gpu,
+            "inputs": [
+                {
+                    "name": p.name,
+                    "type": p.type,
+                    "required": p.required,
+                    "is_link": p.is_link,
+                    "section": "required" if p.required else "optional",
+                    "choices": p.enum_values,
+                    "options": {
+                        "min": p.options.min,
+                        "max": p.options.max,
+                        "step": p.options.step,
+                        "default": p.options.default,
+                    },
+                    # Autogrow inputs wire as one slot key per connection;
+                    # surface that here so `nodes show` is self-documenting.
+                    **({"autogrow": True, "wire_as": p.autogrow_slot_example()} if p.is_autogrow else {}),
+                }
+                for p in m.inputs
+            ],
+            "outputs": [{"name": p.name, "type": p.type} for p in m.outputs],
+        }
+
+
+# ---------------------------------------------------------------------------
+# Source loaders
+# ---------------------------------------------------------------------------
+
+_logger = logging.getLogger(__name__)
+
+_LOOPBACK_HOSTS = frozenset({"127.0.0.1", "localhost", "::1", "[::1]"})
+_MAX_OBJECT_INFO_BYTES = 64 * 1024 * 1024
+
+
+class _NoRedirectHandler(urllib.request.HTTPRedirectHandler):
+    """Refuse redirects — a 302 from /object_info is suspicious."""
+
+    def http_error_301(self, req, fp, code, msg, headers):
+        raise urllib.error.HTTPError(req.full_url, code, "redirect refused", headers, fp)
+
+    http_error_302 = http_error_303 = http_error_307 = http_error_308 = http_error_301
+
+
+_opener = urllib.request.build_opener(_NoRedirectHandler())
+
+
+class LoadError(Exception):
+    """Failed to load object_info from a source."""
+
+    def __init__(self, message: str, *, details: dict[str, Any] | None = None):
+        super().__init__(message)
+        self.details = details or {}
+
+
+def _load_from_file(path: str) -> dict[str, Any]:
+    """Read object_info from a local JSON file."""
+    from pathlib import Path
+
+    p = Path(path).expanduser()
+    try:
+        raw = p.read_text(encoding="utf-8")
+    except OSError as e:
+        raise LoadError(f"cannot read object_info: {p}: {e}", details={"path": str(p)}) from e
+    try:
+        return json.loads(raw)
+    except json.JSONDecodeError as e:
+        raise LoadError(f"invalid JSON in {p}: {e}", details={"path": str(p)}) from e
+
+
+def _load_from_target(*, mode: str = "local", host: str = "127.0.0.1", port: int = 8188) -> dict[str, Any]:
+    """Fetch /object_info from the resolved target — local or cloud.
+
+    Both paths are the same HTTP fetch; only the base URL, path prefix,
+    and auth headers differ. The Target abstraction handles all three.
+
+    Security:
+      - Local: loopback-only guard (warn on non-loopback)
+      - Cloud: HTTPS enforced by Target + auth headers
+      - Both: bounded read (64 MB), no-redirect policy
+    """
+    from comfy_cli.target import resolve_target
+
+    target = resolve_target(where=mode, host=host, port=port)
+    url = target.url("object_info")
+
+    # Loopback guard for local targets
+    if not target.is_cloud:
+        parsed_host = urllib.parse.urlsplit(url).hostname or ""
+        host_l = parsed_host.lower()
+        is_loopback = host_l in _LOOPBACK_HOSTS
+        if not is_loopback:
+            try:
+                is_loopback = ipaddress.ip_address(host_l).is_loopback
+            except ValueError:
+                is_loopback = False
+        if not is_loopback:
+            raise LoadError(
+                f"Refusing to fetch object_info from non-loopback host {parsed_host!r} "
+                f"in local mode (potential SSRF). Use --where cloud for remote targets."
+            )
+
+    req = urllib.request.Request(url)
+    req.add_header("Accept", "application/json")
+
+    # Auth headers (cloud only — local has no auth)
+    if target.is_cloud:
+        if target.api_key:
+            req.add_header("X-API-Key", target.api_key)
+        elif target.auth_token:
+            req.add_header("Authorization", f"Bearer {target.auth_token}")
+
+    try:
+        with _opener.open(req, timeout=30.0) as resp:
+            raw = resp.read(_MAX_OBJECT_INFO_BYTES + 1)
+            if len(raw) > _MAX_OBJECT_INFO_BYTES:
+                raise LoadError(
+                    f"response exceeds {_MAX_OBJECT_INFO_BYTES} bytes",
+                    details={"url": url},
+                )
+            return json.loads(raw)
+    except urllib.error.HTTPError as e:
+        body = ""
+        try:
+            body = e.read().decode("utf-8", errors="replace")[:500]
+        except Exception:
+            pass
+        hint = "run `comfy cloud login`" if target.is_cloud else "run `comfy launch` first"
+        raise LoadError(
+            f"HTTP {e.code} from {url}: {body[:200]}",
+            details={"url": url, "status": e.code, "hint": hint},
+        ) from e
+    except urllib.error.URLError as e:
+        hint = "run `comfy cloud login`" if target.is_cloud else "run `comfy launch` first"
+        raise LoadError(
+            f"cannot reach {url}: {e.reason if hasattr(e, 'reason') else e}",
+            details={"url": url, "mode": mode, "hint": hint},
+        ) from e
+    except (json.JSONDecodeError, OSError) as e:
+        raise LoadError(f"invalid response from {url}: {e}", details={"url": url}) from e
+
+
+# ---------------------------------------------------------------------------
+# Slot editing helpers — port of nodegraph/frontend.go + runtemplate.go
+# ---------------------------------------------------------------------------
+
+# Defends slot recursion against pathological / cyclic subgraph nesting.
+_MAX_SUBGRAPH_DEPTH = 32
+
+
+# Delimiter that separates subgraph-nesting levels in a slot address. The
+# final ``.`` separates the (possibly nested) node path from the input name.
+# Examples:
+#   ``3.seed``          top-level node 3, widget ``seed``
+#   ``10/9.prompt``     subgraph instance 10 → interior node 9, widget ``prompt``
+#   ``10/3/7.value``    instance 10 → interior subgraph node 3 → interior node 7
+# UUID subgraph class_types contain ``-`` but never ``/`` or top-level ``.`` in
+# an instance id, so the delimiters stay unambiguous.
+_SUBGRAPH_PATH_SEP = "/"
+
+
+def _subgraph_defs_by_id(workflow: dict) -> dict[str, dict]:
+    """Index subgraph definitions so an instance's ``type`` resolves to its def.
+
+    A subgraph *instance* node's ``type`` is normally the UUID ``id`` of its
+    definition, so the UUID is the primary key. Real ComfyUI saves can also
+    carry several distinct defs sharing the cosmetic ``name`` "New Subgraph";
+    keying by name alone would silently map instances onto the wrong def, so id
+    always wins. We still register ``name`` as a *fallback* key (only when it
+    doesn't shadow an id and isn't ambiguous across defs) to support older
+    name-typed templates that predate UUID ids.
+    """
+    defs = (workflow.get("definitions") or {}).get("subgraphs") or []
+    by_id: dict[str, dict] = {}
+    name_counts: dict[str, int] = {}
+    name_first: dict[str, dict] = {}
+    for sg in defs:
+        if not isinstance(sg, dict):
+            continue
+        sg_id = sg.get("id")
+        if isinstance(sg_id, str) and sg_id:
+            by_id[sg_id] = sg
+        name = sg.get("name")
+        if isinstance(name, str) and name:
+            name_counts[name] = name_counts.get(name, 0) + 1
+            name_first.setdefault(name, sg)
+    for name, count in name_counts.items():
+        if count == 1 and name not in by_id:
+            by_id[name] = name_first[name]
+    return by_id
+
+
+def _node_widget_slots(node: dict, prefix: str, graph: Graph) -> list[dict]:
+    """Surface a regular node's widget inputs as slots under ``prefix``.
+
+    ``prefix`` is the addressable node path (``"3"`` at top level, ``"10/9"``
+    inside a subgraph). Returns one slot per widget input the schema knows
+    about. Returns ``[]`` for nodes whose type isn't in object_info.
+    """
+    node_type = node.get("type", "")
+    m = graph.node(node_type)
+    if m is None:
+        return []
+    order = graph.widget_order(node_type)
+    widgets = node.get("widgets_values") or []
+    slots: list[dict] = []
+    for port in m.inputs:
+        if port.is_link:
+            continue
+        try:
+            idx = order.index(port.name)
+        except ValueError:
+            continue
+        current = widgets[idx] if idx < len(widgets) else None
+        slots.append(
+            {
+                "address": f"{prefix}.{port.name}",
+                "name": port.name,
+                "type": port.type,
+                "current_value": current,
+                "instance_id": prefix,
+                "node_type": node_type,
+            }
+        )
+    return slots
+
+
+def _extract_frontend_slots(workflow: dict, graph: Graph) -> list[dict]:
+    """Walk workflow nodes and extract tweakable slots.
+
+    For every node we surface its widget inputs at ``<nodePath>.<input>``. When
+    a node is a *subgraph instance* (its ``type`` is a UUID matching a def under
+    ``definitions.subgraphs``) we additionally recurse INTO the definition and
+    surface every interior node's widget inputs under a nested, instance-scoped
+    address (``<instanceId>/<interiorId>.<input>``, recursing for deeper
+    subgraphs). This is what lets an agent slot-edit a fetched gallery template
+    whose editable prompt/seed/image live inside an opaque UUID subgraph.
+
+    Curated subgraph ``inputs[]`` (the proxy parameter list) are still exposed
+    at ``<instanceId>.<name>`` for backward compatibility, but the recursion
+    means an agent is never stranded when those proxies are missing or dangle
+    (fetched templates routinely point proxyWidgets at deleted interior ids).
+    """
+    defs_by_id = _subgraph_defs_by_id(workflow)
+    slots: list[dict] = []
+    seen_addrs: set[str] = set()
+
+    def add(slot: dict) -> None:
+        addr = slot["address"]
+        if addr in seen_addrs:
+            return
+        seen_addrs.add(addr)
+        slots.append(slot)
+
+    def walk(nodes: list, prefix: str, depth: int) -> None:
+        if depth > _MAX_SUBGRAPH_DEPTH:
+            return
+        for node in nodes:
+            if not isinstance(node, dict):
+                continue
+            node_id = str(node.get("id", ""))
+            node_path = f"{prefix}{_SUBGRAPH_PATH_SEP}{node_id}" if prefix else node_id
+            node_type = node.get("type", "")
+            sg = defs_by_id.get(node_type)
+            if sg is None:
+                for slot in _node_widget_slots(node, node_path, graph):
+                    add(slot)
+                continue
+
+            # Subgraph instance. A *curated* template (every declared proxy input
+            # resolves to a live interior widget) keeps its clean, hand-picked
+            # parameter view — we surface only its declared inputs and do NOT
+            # recurse, so the agent sees the intended surface. When the proxies
+            # are missing or dangling (the norm for fetched gallery templates,
+            # whose proxyWidgets point at deleted interior ids) we recurse into
+            # the definition so the real editable inner inputs are reachable.
+            declared, fully_curated = _declared_subgraph_slots(node, sg, node_id, graph)
+            for slot in declared:
+                add(slot)
+            if not fully_curated:
+                walk(sg.get("nodes") or [], node_path, depth + 1)
+
+    walk(workflow.get("nodes") or [], "", 0)
+    return slots
+
+
+# Sentinel returned by _resolve_proxy_value when a proxy entry is genuinely
+# unresolvable (interior node missing, widget name not in the node's order, or
+# index past the end of widgets_values).  Callers must use ``is _UNRESOLVED``
+# to distinguish this from a legitimately-null widget value (e.g. seed saved as
+# None, or an optional image input that has not yet been set).
+_UNRESOLVED = object()
+
+
+def _declared_subgraph_slots(instance: dict, sg: dict, instance_id: str, graph: Graph) -> tuple[list[dict], bool]:
+    """Build slots for a subgraph instance's curated proxy inputs.
+
+    Returns ``(slots, fully_curated)`` where ``fully_curated`` is True only when
+    the instance declares at least one input and EVERY declared input resolves
+    to a real interior widget value (so the curated surface is complete and the
+    caller can skip recursion).
+    """
+    declared: list[dict] = []
+    inputs = sg.get("inputs") or []
+    any_declared = False
+    all_resolved = True
+    for inp in inputs:
+        if not isinstance(inp, dict):
+            continue
+        inp_name = inp.get("name", "")
+        if not inp_name:
+            continue
+        any_declared = True
+        current = _resolve_proxy_value(instance, sg, inp_name, graph)
+        if current is _UNRESOLVED:
+            all_resolved = False
+            continue
+        inp_type = inp.get("type", {})
+        declared.append(
+            {
+                "address": f"{instance_id}.{inp_name}",
+                "name": inp_name,
+                "type": inp_type if isinstance(inp_type, str) else str(inp_type),
+                "current_value": current,
+                "instance_id": instance_id,
+                "node_type": instance.get("type", ""),
+            }
+        )
+    return declared, (any_declared and all_resolved)
+
+
+def _resolve_proxy_value(instance: dict, subgraph: dict, input_name: str, graph: Graph):
+    """Navigate proxyWidgets to find the current widget value.
+
+    Returns the widget's current value (which may be ``None`` for a
+    legitimately-null widget) or the module-level ``_UNRESOLVED`` sentinel when
+    the proxy entry points at a missing/dangling interior node, when the widget
+    name is absent from the node's widget order, or when the index is past the
+    end of ``widgets_values``.  Callers must use ``is _UNRESOLVED`` to test for
+    the unresolvable case so that a real ``None`` value is preserved.
+    """
+    proxy = (instance.get("properties") or {}).get("proxyWidgets") or []
+    for entry in proxy:
+        if not isinstance(entry, list) or len(entry) < 2:
+            continue
+        name = entry[1] if isinstance(entry[1], str) else str(entry[1])
+        if name != input_name:
+            continue
+        interior_id = str(entry[0])
+        for inode in subgraph.get("nodes") or []:
+            if not isinstance(inode, dict) or str(inode.get("id", "")) != interior_id:
+                continue
+            interior_class = inode.get("type", "")
+            order = graph.widget_order(interior_class)
+            try:
+                idx = order.index(name)
+            except ValueError:
+                return _UNRESOLVED
+            widgets = inode.get("widgets_values") or []
+            return widgets[idx] if idx < len(widgets) else _UNRESOLVED
+        break
+    return _UNRESOLVED
+
+
+def _write_widget(node: dict, input_name: str, value: Any, graph: Graph, *, extend: bool) -> list[dict]:
+    """Write ``value`` into ``node``'s ``widgets_values`` slot for ``input_name``.
+
+    Validates against the node's schema and returns catalog warnings. ``extend``
+    pads a short widget list for top-level direct edits (matches prior behavior);
+    interior subgraph nodes always carry a full widget list and are not padded.
+    """
+    node_type = node.get("type", "")
+    m = graph.node(node_type)
+    if m is None:
+        raise ValueError(f"unknown node type {node_type!r} for node {node.get('id')}")
+    order = graph.widget_order(node_type)
+    try:
+        widget_idx = order.index(input_name)
+    except ValueError:
+        avail = [n for n in order if n != "control_after_generate"]
+        raise ValueError(
+            f"widget {input_name!r} not found on {node_type}; "
+            f"available widgets: {', '.join(avail) if avail else '(none — all inputs are links)'}"
+        )
+    widgets = node.get("widgets_values") or []
+    if widget_idx >= len(widgets):
+        if not extend:
+            raise ValueError(f"widget index {widget_idx} out of range for {node_type}")
+        widgets.extend([None] * (widget_idx + 1 - len(widgets)))
+
+    warnings: list[dict] = []
+    port = next((p for p in m.inputs if p.name == input_name), None)
+    if port:
+        err = port.validate_shape(value)
+        if err:
+            raise ValueError(err)
+        warnings = port.validate_catalog(value)
+
+    widgets[widget_idx] = value
+    node["widgets_values"] = widgets
+    return warnings
+
+
+def _resolve_node_path(workflow: dict, segments: list[str], defs_by_id: dict[str, dict]) -> dict:
+    """Walk a ``/``-separated node path into (possibly nested) subgraphs.
+
+    The first segment names a top-level node; each subsequent segment names an
+    interior node of the subgraph definition the previous segment instantiated.
+    Returns the resolved (mutable) node dict, or raises ValueError describing
+    the first hop that couldn't be found.
+
+    Isolation: every non-terminal hop is forked (if its subgraph definition is
+    shared) before descending, so interior writes at any depth can't alias
+    sibling instances — not just the first hop.
+    """
+    nodes = workflow.get("nodes") or []
+    node = next((n for n in nodes if isinstance(n, dict) and str(n.get("id", "")) == segments[0]), None)
+    if node is None:
+        raise ValueError(f"node {segments[0]} not found in workflow")
+    for seg in segments[1:]:
+        # ``node`` is a non-terminal hop we are about to descend into: fork its
+        # shared definition first so the write below this hop stays isolated.
+        _isolate_shared_subgraph(workflow, node, defs_by_id)
+        defs_by_id = _subgraph_defs_by_id(workflow)  # rebuild: node.type may have changed
+        sg = defs_by_id.get(node.get("type", ""))
+        if sg is None:
+            raise ValueError(f"node {node.get('id')} is not a subgraph; cannot descend to {seg!r}")
+        inner = next((n for n in (sg.get("nodes") or []) if isinstance(n, dict) and str(n.get("id", "")) == seg), None)
+        if inner is None:
+            raise ValueError(f"interior node {seg} not found in subgraph {sg.get('id')}")
+        node = inner
+    return node
+
+
+def _count_instances(workflow: dict, def_id: str) -> int:
+    """Count nodes (top-level + interior-of-definitions) instantiating ``def_id``."""
+    count = 0
+    for n in workflow.get("nodes") or []:
+        if isinstance(n, dict) and str(n.get("type", "")) == def_id:
+            count += 1
+    for sg in (workflow.get("definitions") or {}).get("subgraphs") or []:
+        if isinstance(sg, dict):
+            for n in sg.get("nodes") or []:
+                if isinstance(n, dict) and str(n.get("type", "")) == def_id:
+                    count += 1
+    return count
+
+
+def _isolate_shared_subgraph(workflow: dict, instance: dict, defs_by_id: dict[str, dict]) -> None:
+    """If ``instance``'s subgraph definition is shared with another instance,
+    deep-copy it under a fresh id and repoint ``instance`` so an interior write
+    can't alias sibling instances. No-op when the instance already owns its def.
+    """
+    def_id = str(instance.get("type", ""))
+    sg = defs_by_id.get(def_id)
+    if sg is None or _count_instances(workflow, def_id) <= 1:
+        return
+    new_sg = copy.deepcopy(sg)
+    new_id = str(_uuid.uuid4())
+    new_sg["id"] = new_id
+    workflow.setdefault("definitions", {}).setdefault("subgraphs", []).append(new_sg)
+    instance["type"] = new_id
+
+
+def _apply_one_slot(workflow: dict, addr: str, value: Any, graph: Graph) -> list[dict]:
+    """Apply a single slot override. Returns warnings. Raises ValueError on hard errors.
+
+    Address forms (see ``_extract_frontend_slots`` / ``_SUBGRAPH_PATH_SEP``):
+      * ``<id>.<input>``                 — top-level node widget (direct mode).
+      * ``<id>.<declaredInput>``         — curated subgraph proxy input, routed
+                                           through ``proxyWidgets`` to its interior
+                                           node (legacy template mode).
+      * ``<instanceId>/<innerId>.<input>`` (and deeper) — a widget on an interior
+                                           node reached by descending into the
+                                           subgraph definition(s).
+    """
+    if "." not in addr:
+        raise ValueError(f"invalid slot address {addr!r} (expected 'instance_id.input_name')")
+    # Node paths use '/' as separator; node IDs are numeric or UUID (no '.').
+    # Input names may legitimately contain dots (e.g. 'images.image0').
+    # Always split on the FIRST dot so multi-dot input names are preserved.
+    node_path, input_name = addr.split(".", 1)
+    segments = node_path.split(_SUBGRAPH_PATH_SEP)
+
+    defs_by_id = _subgraph_defs_by_id(workflow)
+
+    # --- Nested form: descend the subgraph path and write the interior widget. ---
+    if len(segments) > 1:
+        # _resolve_node_path forks every shared definition along the path (each
+        # non-terminal hop) before the terminal write, so sibling instances at
+        # any nesting depth stay independent.
+        target = _resolve_node_path(workflow, segments, defs_by_id)
+        return _write_widget(target, input_name, value, graph, extend=False)
+
+    instance_id = segments[0]
+    nodes = workflow.get("nodes") or []
+    instance = next((n for n in nodes if isinstance(n, dict) and str(n.get("id", "")) == instance_id), None)
+    if instance is None:
+        raise ValueError(f"node {instance_id} not found in workflow")
+
+    node_type = instance.get("type", "")
+    sg = defs_by_id.get(node_type)
+
+    # --- Curated subgraph proxy input (legacy ``<id>.<declaredInput>``). ---
+    if sg is not None:
+        proxy = (instance.get("properties") or {}).get("proxyWidgets") or []
+        interior_id = None
+        for entry in proxy:
+            if not isinstance(entry, list) or len(entry) < 2:
+                continue
+            name = entry[1] if isinstance(entry[1], str) else str(entry[1])
+            if name == input_name:
+                interior_id = str(entry[0])
+                break
+        if interior_id is None:
+            raise ValueError(
+                f"no proxyWidget mapping for {addr}; "
+                f"address an interior input directly, e.g. {instance_id}/<innerId>.<input> "
+                f"(run `comfy workflow slots` to list them)"
+            )
+        inode = next(
+            (n for n in (sg.get("nodes") or []) if isinstance(n, dict) and str(n.get("id", "")) == interior_id),
+            None,
+        )
+        if inode is None:
+            raise ValueError(f"interior node {interior_id} not found in subgraph")
+        return _write_widget(inode, input_name, value, graph, extend=False)
+
+    # --- Direct mode: regular top-level node. ---
+    return _write_widget(instance, input_name, value, graph, extend=True)
diff --git a/comfy_cli/cql/errors.py b/comfy_cli/cql/errors.py
new file mode 100644
index 00000000..fe58eb45
--- /dev/null
+++ b/comfy_cli/cql/errors.py
@@ -0,0 +1,29 @@
+"""Loader exception types.
+
+``CQLRuntimeError`` is a standalone exception for the Python-side CQL
+loader / normaliser.  It carries a ``details`` dict for structured error
+envelopes, matching the interface that callers expect.
+"""
+
+from __future__ import annotations
+
+from dataclasses import dataclass, field
+from typing import Any
+
+
+@dataclass
+class CQLRuntimeError(Exception):
+    """Error from the Python-side CQL loader / normalizer."""
+
+    runtime_message: str
+    details: dict[str, Any] = field(default_factory=dict)
+
+    def __post_init__(self):
+        # Initialize the Exception base with the message so str(e) works.
+        Exception.__init__(self, self.runtime_message)
+
+    def __str__(self) -> str:  # pragma: no cover - trivial
+        return self.runtime_message
+
+    def as_details(self) -> dict[str, Any]:
+        return {**self.details, "runtime_message": self.runtime_message}
diff --git a/comfy_cli/cql/loader.py b/comfy_cli/cql/loader.py
new file mode 100644
index 00000000..5e78daef
--- /dev/null
+++ b/comfy_cli/cql/loader.py
@@ -0,0 +1,454 @@
+"""Build a CQL-shaped graph dict from sources.
+
+Sources, in priority order:
+
+1. A local file (``--input path``). May be:
+   - A raw ``object_info`` JSON dump (the response from ``/object_info``).
+   - An API-format workflow JSON.
+   - An already-shaped CQL graph (``{"nodes": [...], "inputs": [...]}``).
+2. A local ComfyUI server's ``/object_info`` endpoint (``--host`` / ``--port``).
+
+The loader is intentionally permissive: anything dict-shaped that looks like
+one of those formats is normalized into ``{"nodes": [...], "inputs": [...],
+"categories": [...]}`` so the engine can run uniformly.
+
+This module performs only local I/O. Network calls hit ``http://host:port``
+and are short-circuited when no host is provided.
+"""
+
+from __future__ import annotations
+
+import hashlib
+import ipaddress
+import json
+import os
+import sys
+import urllib.error
+import urllib.parse
+import urllib.request
+from pathlib import Path
+from typing import Any
+
+from comfy_cli.cql.errors import CQLRuntimeError
+
+# Cap raw bytes read from disk or the network. Real `object_info` dumps are a
+# few MB; anything past 256 MiB is almost certainly a wrong path or a hostile
+# server and would just OOM the CLI before json.loads even fails.
+MAX_INPUT_BYTES = 256 * 1024 * 1024
+
+
+class _NoRedirect(urllib.request.HTTPRedirectHandler):
+    """Refuse redirects — a 302 from /object_info to elsewhere is suspicious
+    and would expose us to a different server than the user asked to query."""
+
+    def http_error_301(self, req, fp, code, msg, headers):
+        raise urllib.error.HTTPError(req.full_url, code, "redirect refused", headers, fp)
+
+    http_error_302 = http_error_303 = http_error_307 = http_error_308 = http_error_301
+
+
+_LOADER_OPENER = urllib.request.build_opener(_NoRedirect())
+
+
+def load_graph(
+    *,
+    input_path: str | None = None,
+    host: str | None = None,
+    port: int | None = None,
+    timeout: float = 5.0,
+) -> dict[str, Any]:
+    if input_path:
+        return _load_from_file(input_path)
+    if host and port:
+        return _load_from_server(host, int(port), timeout=timeout)
+    raise CQLRuntimeError(
+        "no graph source available",
+        details={"hint": "pass --input <path> or --host/--port pointing at a ComfyUI server"},
+    )
+
+
+def _load_from_file(path: str) -> dict[str, Any]:
+    p = Path(path).expanduser()
+    try:
+        size = p.stat().st_size
+    except OSError as e:
+        raise CQLRuntimeError(f"cannot stat {p}: {e}") from e
+    if size > MAX_INPUT_BYTES:
+        raise CQLRuntimeError(
+            f"{p} is {size} bytes, exceeds MAX_INPUT_BYTES={MAX_INPUT_BYTES}",
+            details={"hint": "shrink the input or raise MAX_INPUT_BYTES in cql.loader"},
+        )
+    try:
+        raw = p.read_text(encoding="utf-8")
+    except OSError as e:
+        raise CQLRuntimeError(f"cannot read {p}: {e}") from e
+    try:
+        data = json.loads(raw)
+    except json.JSONDecodeError as e:
+        raise CQLRuntimeError(f"{p} is not valid JSON: {e}") from e
+    return normalize(data)
+
+
+def _load_from_server(host: str, port: int, *, timeout: float) -> dict[str, Any]:
+    url = f"http://{host}:{port}/object_info"
+    # Refuse anything that isn't a localhost-ish target — we don't want CQL
+    # silently sending traffic to a remote box. (Cloud CQL goes through its
+    # own path; this loader is local-only by design.)
+    parsed = urllib.parse.urlsplit(url)
+    hostname = (parsed.hostname or "").strip().lower()
+    is_loopback = hostname == "localhost"
+    if not is_loopback:
+        try:
+            is_loopback = ipaddress.ip_address(hostname).is_loopback
+        except ValueError:
+            is_loopback = False
+    if not is_loopback:
+        raise CQLRuntimeError(
+            f"refusing non-loopback CQL server target: {host}",
+            details={"hint": "pass --input <path> for remote object_info dumps"},
+        )
+    try:
+        with _LOADER_OPENER.open(url, timeout=timeout) as resp:
+            # Bounded read so a misbehaving server can't OOM us.
+            raw = resp.read(MAX_INPUT_BYTES + 1)
+            if len(raw) > MAX_INPUT_BYTES:
+                raise CQLRuntimeError(
+                    f"server response exceeds MAX_INPUT_BYTES={MAX_INPUT_BYTES}",
+                    details={"host": host, "port": port},
+                )
+            data = json.loads(raw)
+    except urllib.error.URLError as e:
+        raise CQLRuntimeError(
+            f"failed to reach {url}: {e.reason if hasattr(e, 'reason') else e}",
+            details={"host": host, "port": port},
+        ) from e
+    except (json.JSONDecodeError, OSError) as e:
+        raise CQLRuntimeError(f"server returned invalid object_info: {e}") from e
+    return normalize(data)
+
+
+# ---- normalization --------------------------------------------------------
+
+
+def normalize(data: Any) -> dict[str, Any]:
+    """Turn any supported input into ``{nodes, inputs, categories}``."""
+    if not isinstance(data, dict):
+        raise CQLRuntimeError("expected a JSON object at the top level")
+
+    # Already CQL-shaped — trust it.
+    if any(isinstance(data.get(k), list) for k in ("nodes", "inputs", "categories")):
+        graph: dict[str, Any] = {
+            "nodes": list(data.get("nodes") or []),
+            "inputs": list(data.get("inputs") or []),
+            "categories": list(data.get("categories") or []),
+        }
+        return graph
+
+    if _looks_like_object_info(data):
+        return _from_object_info(data)
+    if _looks_like_api_workflow(data):
+        return _from_api_workflow(data)
+
+    raise CQLRuntimeError(
+        "unrecognized graph shape",
+        details={"keys_sample": sorted(list(data.keys()))[:10]},
+    )
+
+
+def _looks_like_object_info(data: dict[str, Any]) -> bool:
+    # /object_info maps "ClassName" -> { "input": {...}, "category": "...",
+    # "display_name": "...", "description": "...", "output": [...], ... }
+    if not data:
+        return False
+    return any(isinstance(v, dict) and ("input" in v or "category" in v) for v in data.values())
+
+
+def _looks_like_api_workflow(data: dict[str, Any]) -> bool:
+    if not data:
+        return False
+    return any(isinstance(v, dict) and "class_type" in v for v in data.values())
+
+
+def _from_object_info(data: dict[str, Any]) -> dict[str, Any]:
+    nodes: list[dict[str, Any]] = []
+    inputs: list[dict[str, Any]] = []
+    categories: dict[str, int] = {}
+
+    for class_name, raw in data.items():
+        if not isinstance(raw, dict):
+            continue
+        category = raw.get("category")
+        node = {
+            "name": class_name,
+            "display_name": raw.get("display_name") or class_name,
+            "category": category,
+            "description": raw.get("description"),
+            "output_node": bool(raw.get("output_node", False)),
+            "output_types": list(raw.get("output") or []),
+        }
+        nodes.append(node)
+        if category:
+            categories[category] = categories.get(category, 0) + 1
+
+        sections = raw.get("input") or {}
+        if isinstance(sections, dict):
+            for section, body in sections.items():  # "required" / "optional" / "hidden"
+                if not isinstance(body, dict):
+                    continue
+                for input_name, spec in body.items():
+                    inputs.append(_normalize_input(class_name, section, input_name, spec))
+
+    return {
+        "nodes": nodes,
+        "inputs": inputs,
+        "categories": [{"name": k, "node_count": v} for k, v in sorted(categories.items())],
+    }
+
+
+def _normalize_input(class_name: str, section: str, name: str, spec: Any) -> dict[str, Any]:
+    type_name: Any = None
+    options: dict[str, Any] = {}
+    choices: list[Any] = []
+    if isinstance(spec, list) and spec:
+        type_name = spec[0]
+        if isinstance(type_name, list):
+            choices = list(type_name)
+            type_name = "ENUM"
+        if len(spec) > 1 and isinstance(spec[1], dict):
+            options = dict(spec[1])
+    elif isinstance(spec, str):
+        type_name = spec
+    return {
+        "node": class_name,
+        "section": section,
+        "name": name,
+        "type": type_name,
+        "choices": choices,
+        "options": options,
+    }
+
+
+def _from_api_workflow(data: dict[str, Any]) -> dict[str, Any]:
+    nodes: list[dict[str, Any]] = []
+    inputs: list[dict[str, Any]] = []
+    node_ids = {str(k) for k in data}
+    for nid, node in data.items():
+        if not isinstance(node, dict):
+            continue
+        class_type = node.get("class_type")
+        title = (node.get("_meta") or {}).get("title") if isinstance(node.get("_meta"), dict) else None
+        nodes.append(
+            {
+                "id": nid,
+                "name": class_type or "?",
+                "class_type": class_type,
+                "title": title,
+                "category": None,
+            }
+        )
+        raw_inputs = node.get("inputs") or {}
+        if isinstance(raw_inputs, dict):
+            for in_name, value in raw_inputs.items():
+                ref = (
+                    isinstance(value, list)
+                    and len(value) == 2
+                    and isinstance(value[1], int)
+                    and not isinstance(value[1], bool)
+                    and str(value[0]) in node_ids
+                )
+                inputs.append(
+                    {
+                        "node_id": nid,
+                        "node": class_type,
+                        "name": in_name,
+                        "value": None if ref else value,
+                        "ref_node": value[0] if ref else None,
+                        "ref_slot": value[1] if ref else None,
+                        "is_reference": ref,
+                    }
+                )
+    return {"nodes": nodes, "inputs": inputs, "categories": []}
+
+
+# ---------------------------------------------------------------------------
+# Resilient object_info loading (cache + refresh-retry + stale fallback)
+# ---------------------------------------------------------------------------
+#
+# The live ``/object_info`` fetch (``comfy nodes``, ``comfy workflow slots``,
+# ``comfy validate``) intermittently returns HTTP 401 / ``cql_no_graph`` mid
+# session when the cloud access token has gone stale. The session token DOES
+# auto-refresh (see ``comfy_cli.cloud.oauth.ensure_fresh_session``), but the
+# raw object_info path didn't leverage it, and there was no offline fallback.
+#
+# ``resilient_load_object_info`` wraps the engine's network fetch with:
+#   1. auto-cache of every successful fetch (per host),
+#   2. one refresh-and-retry on failure, and
+#   3. a stale-cache fallback (with a clear stderr warning) when the retry
+#      still fails — only raising the original error when no cache exists.
+#
+# An explicit ``--input <object_info.json>`` always wins and is never cached.
+
+
+def _cache_dir() -> Path:
+    """Return the per-user cache directory for comfy-cli object_info dumps.
+
+    Honors ``XDG_CACHE_HOME`` (Linux/freedesktop convention) and falls back to
+    ``~/.cache/comfy-cli`` everywhere else. We deliberately use a plain cache
+    dir rather than the config dir: this data is reconstructible and safe to
+    delete at any time.
+    """
+    xdg = os.environ.get("XDG_CACHE_HOME")
+    base = Path(xdg) if xdg else Path.home() / ".cache"
+    return base / "comfy-cli"
+
+
+def _host_key_digest(host_key: str) -> str:
+    """Short, filesystem-safe hash of the target identity.
+
+    ``host_key`` is the resolved base URL (e.g. ``https://api.comfy.org`` or
+    ``http://127.0.0.1:8188``) so local and cloud — and distinct cloud envs —
+    each get their own cache file and never clobber one another.
+    """
+    return hashlib.sha256(host_key.encode("utf-8")).hexdigest()[:16]
+
+
+def object_info_cache_path(host_key: str) -> Path:
+    """Cache-file path for a given target identity."""
+    return _cache_dir() / f"object_info-{_host_key_digest(host_key)}.json"
+
+
+def write_object_info_cache(host_key: str, data: dict[str, Any]) -> None:
+    """Persist a freshly-fetched object_info dump. Best-effort; never raises.
+
+    Written atomically (tmp + ``os.replace``) so a SIGINT mid-write can't leave
+    a half-written file that later loads as garbage.
+    """
+    path = object_info_cache_path(host_key)
+    try:
+        path.parent.mkdir(parents=True, exist_ok=True)
+        tmp = path.with_suffix(path.suffix + f".{os.getpid()}.tmp")
+        tmp.write_text(json.dumps(data), encoding="utf-8")
+        os.replace(tmp, path)
+    except OSError:
+        # A cache we can't write is not worth failing the command over.
+        try:
+            tmp.unlink()  # type: ignore[possibly-undefined]
+        except (OSError, NameError, UnboundLocalError):
+            pass
+
+
+def read_object_info_cache(host_key: str) -> dict[str, Any] | None:
+    """Return the cached object_info dump for ``host_key``, or ``None``.
+
+    Returns ``None`` on any problem (missing file, unreadable, corrupt JSON,
+    wrong shape) — the caller treats "no usable cache" uniformly.
+    """
+    path = object_info_cache_path(host_key)
+    try:
+        raw = path.read_text(encoding="utf-8")
+    except OSError:
+        return None
+    try:
+        data = json.loads(raw)
+    except (json.JSONDecodeError, ValueError):
+        return None
+    return data if isinstance(data, dict) else None
+
+
+def _resolve_host_key(mode: str, host: str, port: int) -> str:
+    """Resolve the cache key (the target base URL) without doing any I/O.
+
+    Mirrors how the engine resolves its fetch target so the cache key matches
+    the server actually queried. Falls back to a host:port string if the
+    Target machinery is unavailable (e.g. unconfigured cloud).
+    """
+    try:
+        from comfy_cli.target import resolve_target
+
+        target = resolve_target(where=mode, host=host, port=port)
+        return target.base_url
+    except Exception:  # noqa: BLE001 — never let key resolution break the fetch
+        return f"{mode}:{host}:{port}"
+
+
+def resilient_load_object_info(
+    *,
+    mode: str = "local",
+    host: str = "127.0.0.1",
+    port: int = 8188,
+    input_path: str | None = None,
+    _warn=None,
+    on_stale=None,
+) -> dict[str, Any]:
+    """Fetch ``object_info`` with cache + refresh-retry + stale fallback.
+
+    Resolution order:
+
+    1. ``input_path`` — explicit offline dump always wins; never cached.
+    2. Live fetch via the engine. On success, write the per-host cache.
+    3. On failure: attempt ``ensure_fresh_session`` and retry the fetch ONCE.
+       On success, write the cache.
+    4. Still failing: fall back to the cached dump (if any) with a clear
+       stderr WARNING that it may be stale.
+    5. No cache: re-raise the original ``LoadError`` (callers map it to the
+       ``cql_no_graph`` envelope with their existing hint).
+
+    ``_warn`` is an injectable sink for the stale-cache warning (defaults to
+    stderr); tests pass their own to assert on it.
+    """
+    from comfy_cli.cql.engine import LoadError, _load_from_file, _load_from_target
+
+    if input_path is not None:
+        # Explicit dump wins and is intentionally not cached — the user is
+        # already pinning a known-good file.
+        return _load_from_file(input_path)
+
+    host_key = _resolve_host_key(mode, host, port)
+
+    try:
+        data = _load_from_target(mode=mode, host=host, port=port)
+        write_object_info_cache(host_key, data)
+        return data
+    except LoadError as first_err:
+        # (a) Best-effort token refresh, then retry the fetch exactly once.
+        # Refresh only helps cloud auth, but it's cheap and a no-op locally.
+        # ``force=True``: the fetch already failed (typically HTTP 401), and a
+        # server 401 is authoritative — the access token is rejected even if
+        # our local clock still thinks it is valid (skew / no recorded
+        # expiry). A non-forced refresh would no-op in that case and the retry
+        # would re-send the same dead token. Force-refresh spends the refresh
+        # token so the retry carries a brand-new access token.
+        try:
+            from comfy_cli.credentials import get_session
+
+            get_session(refresh=True, force=True)
+        except Exception:  # noqa: BLE001 — refresh is best-effort
+            pass
+
+        try:
+            data = _load_from_target(mode=mode, host=host, port=port)
+            write_object_info_cache(host_key, data)
+            return data
+        except LoadError:
+            # Retry failed too — fall through to the cache.
+            pass
+
+        # (b) Stale-cache fallback.
+        cached = read_object_info_cache(host_key)
+        if cached is not None:
+            warn = _warn if _warn is not None else _default_warn
+            warn(
+                f"WARNING: could not refresh object_info from {host_key} "
+                f"({first_err}); using a cached copy that may be stale. "
+                f"Run the command again once the server/session is reachable."
+            )
+            if on_stale is not None:
+                on_stale(host_key, str(first_err))
+            return cached
+
+        # (c) No cache — surface the original error untouched.
+        raise first_err
+
+
+def _default_warn(message: str) -> None:
+    print(message, file=sys.stderr)
diff --git a/comfy_cli/credentials.py b/comfy_cli/credentials.py
new file mode 100644
index 00000000..ace6908e
--- /dev/null
+++ b/comfy_cli/credentials.py
@@ -0,0 +1,154 @@
+"""The ONE credential resolver for Comfy Cloud / partner-API auth.
+
+Historically four call sites each hand-rolled an OAuth-first credential
+chain (cloud target resolution, local partner-node injection, the generate
+partner-API proxy, and ``cloud whoami``) and they drifted. They all share a
+single precedence order — only small per-site knobs differ — so the chain
+lives here exactly once:
+
+    explicit flag → live OAuth session → purpose env var → stored key
+
+Two *purposes* exist and their credentials are NOT interchangeable:
+
+- ``"cloud"``   — the Comfy Cloud platform API (Bearer / ``X-API-Key`` on
+  cloud.comfy.org). Env var: ``COMFY_CLOUD_API_KEY``. Values are passed
+  verbatim (no stripping), matching the historical target-resolution chain.
+- ``"partner"`` — partner-API nodes / the partner proxy
+  (``api_key_comfy_org``). Env var: ``COMFY_API_KEY``. Ambient values are
+  whitespace-stripped and whitespace-only values are treated as absent,
+  matching the historical ``comfy generate`` chain.
+
+Both purposes fall back to the same stored key (provider
+``comfy-cloud-api-key``, persisted via the hidden ``comfy cloud set-key``).
+
+This module is also the only sanctioned *read* gateway to the OAuth session
+(:func:`get_session`) and the ambient API key (:func:`find_api_key`) — a
+ratchet test (``tests/comfy_cli/test_credentials.py``) rejects any new
+direct ``os.environ``/``get_cloud_session``/``ensure_fresh_session`` reads
+elsewhere in the package.
+"""
+
+from __future__ import annotations
+
+from dataclasses import dataclass
+from typing import TYPE_CHECKING, Literal
+
+if TYPE_CHECKING:
+    from comfy_cli.auth.store import CloudSession
+
+# Provider name under which a Comfy Cloud API key is persisted in the auth
+# store. Hidden / testing-only path; the canonical sign-in is OAuth.
+# (Re-exported by ``comfy_cli.target`` for back-compat.)
+CLOUD_API_KEY_PROVIDER = "comfy-cloud-api-key"
+
+Purpose = Literal["cloud", "partner"]
+
+# purpose → (env var, stored-key provider, strip ambient values?)
+_PURPOSES: dict[str, tuple[str, str, bool]] = {
+    "cloud": ("COMFY_CLOUD_API_KEY", CLOUD_API_KEY_PROVIDER, False),
+    "partner": ("COMFY_API_KEY", CLOUD_API_KEY_PROVIDER, True),
+}
+
+
+@dataclass(frozen=True)
+class Credential:
+    kind: Literal["oauth", "api_key"]
+    value: str
+    source: str  # "flag" | "session" | "env:<VAR>" | "stored:<provider>"
+
+    # Never leak the secret into logs / pytest failure dumps.
+    def __repr__(self) -> str:  # pragma: no cover - cosmetic
+        return f"Credential(kind={self.kind!r}, value=***, source={self.source!r})"
+
+
+def get_session(*, refresh: bool = True, force: bool = False, allow_clear: bool = True) -> CloudSession | None:
+    """Read the stored Comfy Cloud OAuth session.
+
+    ``refresh=True`` goes through ``ensure_fresh_session`` (spends the
+    refresh token when the access token is expired / near expiry);
+    ``refresh=False`` reads the store as-is, possibly returning an expired
+    session — callers that only display state, or that must never touch the
+    network, want this.
+
+    ``force=True`` (implies the refresh path) refreshes unconditionally,
+    ignoring the local expiry check. Reserved for the *reactive* path: after a
+    server 401, the token is known-rejected even if our clock disagrees.
+
+    ``allow_clear=False`` forwards to ``ensure_fresh_session`` so a fatal
+    refresh failure does NOT clear the stored session. Background watchers pass
+    this — they are read-mostly and must never log the user off the shared
+    session; only foreground, user-driven commands own that lifecycle.
+    """
+    if refresh or force:
+        from comfy_cli.cloud import oauth
+
+        return oauth.ensure_fresh_session(force=force, allow_clear=allow_clear)
+    from comfy_cli.auth import store as auth_store
+
+    return auth_store.get_cloud_session()
+
+
+def find_api_key(*, purpose: Purpose) -> Credential | None:
+    """Locate an ambient API key for ``purpose``: env var → stored key.
+
+    Ignores any OAuth session — use this for presence checks (e.g. whoami's
+    "API key present but outranked by the session" note) and as the tail of
+    :func:`resolve_cloud_credential`.
+    """
+    import os
+
+    env_var, provider, strip = _PURPOSES[purpose]
+
+    env_value = os.environ.get(env_var)
+    if env_value is not None:
+        candidate = env_value.strip() if strip else env_value
+        if candidate:
+            return Credential(kind="api_key", value=candidate, source=f"env:{env_var}")
+
+    from comfy_cli.auth import store as auth_store
+
+    record = auth_store.get(provider)
+    stored = getattr(record, "key", None) if record is not None else None
+    if stored:
+        candidate = stored.strip() if strip else stored
+        if candidate:
+            return Credential(kind="api_key", value=candidate, source=f"stored:{provider}")
+
+    return None
+
+
+def resolve_cloud_credential(
+    *,
+    purpose: Purpose,
+    explicit: str | None = None,
+    base_url: str | None = None,
+    refresh: bool = True,
+) -> Credential | None:
+    """Resolve the active credential for ``purpose``, or ``None``.
+
+    Precedence (OAuth-first — API keys are on a deprecation path; only a
+    deliberate per-call flag outranks a live session):
+
+    1. ``explicit`` flag value (whitespace-stripped; blank → ignored).
+    2. Live (non-expired) OAuth session. Refreshed first when
+       ``refresh=True``; read as-is when ``refresh=False``. When
+       ``base_url`` is given, a session minted for a *different* base URL is
+       skipped (replay-guard: never send a token to a host the user didn't
+       authenticate against).
+    3. The purpose's env var (``COMFY_CLOUD_API_KEY`` / ``COMFY_API_KEY``).
+    4. The stored ``comfy-cloud-api-key`` key (``comfy cloud set-key``).
+    """
+    explicit_key = explicit.strip() if isinstance(explicit, str) else ""
+    if explicit_key:
+        return Credential(kind="api_key", value=explicit_key, source="flag")
+
+    session = get_session(refresh=refresh)
+    if (
+        session is not None
+        and not session.is_expired()
+        and session.access_token
+        and (base_url is None or session.base_url == base_url)
+    ):
+        return Credential(kind="oauth", value=session.access_token, source="session")
+
+    return find_api_key(purpose=purpose)
diff --git a/comfy_cli/discovery.py b/comfy_cli/discovery.py
new file mode 100644
index 00000000..ad2291a9
--- /dev/null
+++ b/comfy_cli/discovery.py
@@ -0,0 +1,210 @@
+"""Self-discovery for agents.
+
+``comfy discover --json`` emits a single document describing the entire CLI
+surface plus the JSON Schemas the CLI's structured outputs adhere to.
+
+Why this exists: a fresh agent should be able to ``comfy discover`` once and
+have everything it needs — command tree, schemas, error codes, capability
+flags — without scraping ``--help`` text or reading source.
+"""
+
+from __future__ import annotations
+
+import json
+from importlib import resources
+from typing import Any
+
+from comfy_cli.help_json import build_help_json
+from comfy_cli.output.renderer import ENVELOPE_SCHEMA, EVENT_SCHEMA
+
+# Maps fully-qualified command paths to the schema name (without .json) that
+# the command's envelope ``data`` field validates against. Phase 2 covers the
+# commands that already emit structured output. New commands should register
+# here as they migrate.
+COMMAND_SCHEMAS: dict[str, str] = {
+    "comfy env": "env",
+    "comfy which": "which",
+    "comfy run": "run",
+    "comfy discover": "discover",
+    "comfy auth list": "auth",
+    "comfy auth set": "auth",
+    "comfy auth remove": "auth",
+    "comfy cloud login": "auth",
+    "comfy cloud logout": "auth",
+    "comfy cloud whoami": "auth",
+    "comfy jobs ls": "jobs",
+    "comfy jobs status": "jobs",
+    "comfy jobs watch": "jobs",
+    # help / validation
+    "comfy help": "help",
+    "comfy validate": "workflow",
+    # nodes introspection
+    "comfy nodes ls": "nodes",
+    "comfy nodes show": "nodes",
+    "comfy nodes search": "nodes",
+    "comfy nodes upstream": "nodes",
+    "comfy nodes downstream": "nodes",
+    "comfy nodes path": "nodes",
+    "comfy nodes types": "nodes",
+    "comfy nodes categories": "nodes",
+    "comfy nodes refresh": "nodes",
+    # workflow editing
+    "comfy workflow slots": "workflow",
+    "comfy workflow set-slot": "workflow",
+    "comfy workflow vary": "workflow",
+    # workflow cloud CRUD + fragment composition
+    "comfy workflow list": "workflow",
+    "comfy workflow get": "workflow",
+    "comfy workflow save": "workflow",
+    "comfy workflow delete": "workflow",
+    "comfy workflow compose": "workflow",
+    "comfy workflow fragment ls": "workflow",
+    "comfy workflow fragment show": "workflow",
+    "comfy workflow fragment validate": "workflow",
+    # skill management
+    "comfy skills install": "skill",
+    "comfy skills uninstall": "skill",
+    "comfy skills show": "skill",
+    "comfy skills status": "skill",
+    "comfy skills validate": "skill",
+    # `comfy skill` is the hidden singular alias; envelopes from the skills
+    # group carry the singular form in `command`, so both spellings register.
+    "comfy skill install": "skill",
+    "comfy skill uninstall": "skill",
+    "comfy skill list": "skill",
+    "comfy skill show": "skill",
+    "comfy skill status": "skill",
+    # model discovery (all asset types: checkpoints, loras, controlnets, vae, ...)
+    "comfy models search": "models",
+    "comfy models show": "models",
+    "comfy models list-folders": "models",
+    "comfy models list-folder": "models",
+    # template gallery
+    "comfy templates ls": "templates",
+    "comfy templates show": "templates",
+    "comfy templates fetch": "templates",
+    "comfy templates refresh": "templates",
+    # file transfer
+    "comfy upload": "transfer",
+    "comfy download": "transfer",
+    # project convention
+    "comfy project init": "project",
+    "comfy project status": "project",
+    "comfy assets push": "assets",
+    # config
+    "comfy set-default": "set_default",
+    "comfy version": "version",
+}
+
+
+# Streaming event schemas for commands that emit NDJSON
+# (e.g. `comfy --json-stream jobs watch <id>`).
+
+
+# Streaming commands additionally emit per-line events that validate against a
+# different schema. Keyed by command path.
+STREAM_EVENT_SCHEMAS: dict[str, str] = {
+    "comfy run": "run_event",
+    "comfy jobs watch": "run_event",
+}
+
+
+def _read_schema(name: str) -> dict[str, Any]:
+    pkg = resources.files("comfy_cli.schemas")
+    text = (pkg / f"{name}.json").read_text(encoding="utf-8")
+    return json.loads(text)
+
+
+def list_schema_names() -> list[str]:
+    pkg = resources.files("comfy_cli.schemas")
+    out: list[str] = []
+    for child in pkg.iterdir():
+        n = child.name
+        if n.endswith(".json"):
+            out.append(n[:-5])
+    return sorted(out)
+
+
+def load_all_schemas() -> dict[str, dict[str, Any]]:
+    """Return ``{schema_name: {name, title, schema}}`` for every shipped schema."""
+    bundle: dict[str, dict[str, Any]] = {}
+    for name in list_schema_names():
+        schema = _read_schema(name)
+        bundle[name] = {
+            "name": f"{name}.json",
+            "title": schema.get("title", name),
+            "schema": schema,
+        }
+    return bundle
+
+
+def load_error_codes() -> list[dict[str, Any]]:
+    """Return the error-code list for the discovery envelope.
+
+    Sourced from the typed registry in :mod:`comfy_cli.error_codes`, which is
+    the contract agents branch on.
+    """
+    from comfy_cli import error_codes
+
+    return [dict(row) for row in error_codes.as_discover_rows()]
+
+
+def build_discovery(app: Any, *, prog_name: str = "comfy", version: str = "") -> dict[str, Any]:
+    """Build the discovery document.
+
+    ``app`` is the root Typer app. Kept untyped to avoid importing typer at
+    module import; the call site already has it.
+    """
+    help_doc = build_help_json(app, prog_name=prog_name)
+
+    schemas = load_all_schemas()
+
+    # Annotate each leaf command with its schema (when known) so agents don't
+    # have to cross-reference the schemas map.
+    _annotate_schemas(help_doc["commands"], path=[prog_name])
+
+    capabilities = {
+        "json_envelope": True,
+        "json_stream": True,
+        "cancellation": True,
+        "cql": True,
+        "where_routing": True,
+        "where_targets": ["local", "cloud"],
+        # Comfy Cloud uses OAuth (Authorization Code + PKCE); third-party
+        # services that don't speak OAuth keep the API-key path.
+        "cloud_oauth": True,
+        "auth_providers": {
+            "oauth": ["comfy-cloud"],
+            "api_key": ["civitai", "huggingface"],
+        },
+    }
+
+    return {
+        "prog": prog_name,
+        "version": version,
+        # Versioned machine-output contract (see comfy_cli/output/renderer.py
+        # for the constants and the bump rule). Agents negotiate shape on
+        # these, not on the CLI `version` above.
+        "output_contract": {"envelope": ENVELOPE_SCHEMA, "event": EVENT_SCHEMA},
+        "commands": help_doc["commands"],
+        "root": help_doc["root"],
+        "schemas": schemas,
+        "command_schemas": dict(COMMAND_SCHEMAS),
+        "stream_event_schemas": dict(STREAM_EVENT_SCHEMAS),
+        "error_codes": load_error_codes(),
+        "capabilities": capabilities,
+    }
+
+
+def _annotate_schemas(commands: dict[str, Any], *, path: list[str]) -> None:
+    for name, entry in commands.items():
+        fqp = " ".join(path + [name])
+        schema_name = COMMAND_SCHEMAS.get(fqp)
+        if schema_name:
+            entry["output_schema"] = f"{schema_name}.json"
+        stream_schema = STREAM_EVENT_SCHEMAS.get(fqp)
+        if stream_schema:
+            entry["stream_event_schema"] = f"{stream_schema}.json"
+        subs = entry.get("subcommands")
+        if subs:
+            _annotate_schemas(subs, path=path + [name])
diff --git a/comfy_cli/env_checker.py b/comfy_cli/env_checker.py
index 8fa51350..2aea4cbd 100644
--- a/comfy_cli/env_checker.py
+++ b/comfy_cli/env_checker.py
@@ -117,3 +117,26 @@ def fill_print_table(self):
             data.append(("Comfy Server Running", "[bold red]No[/bold red]"))
 
         return data
+
+    def fill_data(self) -> dict:
+        """Structured snapshot of the environment, used by ``comfy env --json``.
+
+        Distinct from ``fill_print_table`` (which returns Rich-formatted tuples
+        for display): this returns a JSON-serializable dict that validates
+        against ``schemas/env.json``.
+        """
+        cm = ConfigManager()
+        server_running = check_comfy_server_running()
+        return {
+            "python": {
+                "version": f"{sys.version_info.major}.{sys.version_info.minor}.{sys.version_info.micro}",
+                "executable": sys.executable,
+                "virtualenv": self.virtualenv_path,
+                "conda_env": self.conda_env,
+            },
+            "config": cm.get_data(),
+            "server": {
+                "running": server_running,
+                "url": "http://localhost:8188" if server_running else None,
+            },
+        }
diff --git a/comfy_cli/error_codes.py b/comfy_cli/error_codes.py
new file mode 100644
index 00000000..0e13a362
--- /dev/null
+++ b/comfy_cli/error_codes.py
@@ -0,0 +1,519 @@
+"""Source of truth for the JSON envelope's ``error.code`` values.
+
+Every code raised by ``renderer.error(code=…)`` must appear here. Two tests
+enforce this both ways:
+
+  - ``tests/comfy_cli/output/test_error_code_registry.py``:
+      every raised code is registered
+      every registered code is raised somewhere
+
+That makes this module the canonical contract for agents. Agents fetch the
+list via ``comfy discover`` and branch on the codes; if you rename, deprecate,
+or remove one, you're breaking the contract and the tests fail before merge.
+
+Codes are snake_case and match ``^[a-z][a-z0-9_]*$``.
+"""
+
+from __future__ import annotations
+
+import re
+from dataclasses import dataclass
+
+CODE_PATTERN = re.compile(r"^[a-z][a-z0-9_]*$")
+
+
+@dataclass(frozen=True)
+class ErrorCode:
+    code: str
+    meaning: str
+    hint: str | None = None
+
+
+# ---------------------------------------------------------------------------
+# The registry.
+#
+# Ordered roughly by subsystem so a reader can scan a logical neighborhood.
+# Appendable; do not repurpose an existing code.
+# ---------------------------------------------------------------------------
+
+REGISTRY: tuple[ErrorCode, ...] = (
+    # --- output / cancellation / lifecycle -----------------------------------
+    ErrorCode(
+        "cancelled",
+        "User pressed Ctrl-C; in-flight work was torn down.",
+    ),
+    ErrorCode(
+        "not_in_workspace",
+        "Resolved no workspace where one was required (e.g. `comfy which`).",
+        "run `comfy install`, or pass `--workspace`",
+    ),
+    # --- workflow loading ----------------------------------------------------
+    ErrorCode(
+        "workflow_not_found",
+        "The `--workflow` path doesn't exist or isn't readable.",
+        "check the path",
+    ),
+    ErrorCode(
+        "workflow_invalid_json",
+        "The file at `--workflow` failed JSON parsing.",
+        "re-export the workflow from ComfyUI (File > Export (API))",
+    ),
+    ErrorCode(
+        "workflow_not_api_format",
+        "Loaded JSON isn't API-format and no converter is available.",
+        "use ComfyUI's `File > Export (API)`",
+    ),
+    ErrorCode(
+        "workflow_read_error",
+        "Workflow file exists but isn't readable as UTF-8 text (OSError / UnicodeDecodeError).",
+        "check file permissions and encoding",
+    ),
+    # --- local server / WebSocket --------------------------------------------
+    ErrorCode(
+        "server_not_running",
+        "Local ComfyUI server isn't reachable on host:port.",
+        "run `comfy launch`",
+    ),
+    ErrorCode(
+        "connection_error",
+        "Could not connect to the ComfyUI server.",
+        "check the server is running and the host:port is correct",
+    ),
+    ErrorCode(
+        "ws_disconnected",
+        "WebSocket dropped and reconnect failed mid-execution.",
+        "check the server is still running; re-run the command",
+    ),
+    ErrorCode(
+        "ws_timeout",
+        "WebSocket idle past `--timeout` while waiting for the server.",
+        "re-run with a larger `--timeout` (e.g. `--timeout 300`)",
+    ),
+    ErrorCode(
+        "prompt_rejected",
+        "Server returned 400. `details.node_errors` carries the per-node errors.",
+        "inspect `details.node_errors` and fix the workflow",
+    ),
+    ErrorCode(
+        "client_error",
+        "Server rejected the request with an HTTP 4xx that isn't a validation failure "
+        "(401/403/429/…). `details.status` and `details.body` carry the response.",
+        "check `details.body` for the server's message",
+    ),
+    ErrorCode(
+        "server_error",
+        "Server returned an HTTP 5xx while submitting the workflow. "
+        "`details.status` and `details.body` carry the response.",
+        "check the ComfyUI server logs",
+    ),
+    ErrorCode(
+        "invalid_response",
+        "Server returned HTTP 2xx but the body was unparseable or lacked a `prompt_id`.",
+        "check that the host:port really is a ComfyUI server",
+    ),
+    ErrorCode(
+        "object_info_unavailable",
+        "`/object_info` returned an HTTP error, or an HTTP 200 with an unparseable body. "
+        "`details.status` and `details.body` carry the response.",
+        "check the ComfyUI server logs; restart the server",
+    ),
+    ErrorCode(
+        "prompt_not_found",
+        "Asked about a prompt_id the server doesn't know.",
+        "`comfy jobs ls` to find a valid prompt_id",
+    ),
+    ErrorCode(
+        "partner_node_requires_credential",
+        "Workflow uses a partner-API node (category `partner/*` — Veo, Kling, BFL, Gemini, etc.) "
+        "but no `api_key_comfy_org` credential is available. Local submit would succeed at /prompt "
+        "and then fail opaquely at execute time with `Unauthorized: Please login first`.",
+        "re-submit with `--where cloud` (the CLI auto-injects the credential there), or run "
+        "`comfy auth set comfy-cloud-api-key --key …` so the local submit path can inject it too",
+    ),
+    ErrorCode(
+        "workflow_empty",
+        "Workflow JSON is an empty object (no nodes).",
+        "add at least one node to the workflow",
+    ),
+    ErrorCode(
+        "conversion_error",
+        "UI-format workflow could not be converted to API format.",
+        "export your workflow from ComfyUI via 'File > Export (API)' and retry",
+    ),
+    ErrorCode(
+        "conversion_crash",
+        "UI-format workflow conversion crashed unexpectedly.",
+        "export your workflow from ComfyUI via 'File > Export (API)' and retry",
+    ),
+    ErrorCode(
+        "template_not_found",
+        "The requested workflow template was not found.",
+        "check the template name and try again",
+    ),
+    ErrorCode(
+        "gallery_load_failed",
+        "Failed to load the workflow gallery.",
+        "check your network connection and try again",
+    ),
+    ErrorCode(
+        "gallery_fetch_failed",
+        "Failed to fetch gallery data from the remote server.",
+        "check your network connection and try again",
+    ),
+    ErrorCode(
+        "workflow_unknown_nodes",
+        "Workflow references class_type(s) not present in the server's object_info. "
+        "`details.unknown_nodes` lists each with close_matches.",
+        "fix the class_type names; install missing custom nodes",
+    ),
+    # --- routing / cloud / auth ---------------------------------------------
+    ErrorCode(
+        "where_invalid",
+        "`--where` value was neither `local` nor `cloud`.",
+        "use `--where local` or `--where cloud`",
+    ),
+    ErrorCode(
+        "cloud_not_configured",
+        "`--where cloud` requested without a stored session.",
+        "run `comfy cloud login`",
+    ),
+    ErrorCode(
+        "cloud_unauthorized",
+        "Cloud rejected the bearer token (missing / expired / invalid).",
+        "run `comfy cloud login`",
+    ),
+    ErrorCode(
+        "cloud_http_error",
+        "Cloud returned a non-2xx HTTP error. `details.status` carries the code.",
+        "check `details.body` for the server's message",
+    ),
+    ErrorCode(
+        "cloud_timeout",
+        "Cloud wait_for_completion exceeded `--timeout`.",
+        "raise `--timeout`, or `comfy jobs watch <id> --where cloud`",
+    ),
+    ErrorCode(
+        "partial_execution",
+        "The cloud reported `completed` but returned outputs for fewer output "
+        "nodes than were submitted — branch(es) were pruned server-side (likely "
+        "failed validation). Surfaced as a non-fatal warning in `data.warnings`.",
+        "inspect the pruned branch's inputs; validate with `comfy --json validate` "
+        "against `--where cloud` before re-running",
+    ),
+    # --- models / templates introspection ------------------------------------
+    ErrorCode(
+        "invalid_argument",
+        "An argument intended for a URL path failed safe-path validation.",
+        "use only alphanumerics, `_`, `-`, or `.` in path-segment arguments",
+    ),
+    ErrorCode(
+        "folder_not_found",
+        "Cloud or local server returned 404 for the requested model folder.",
+        "list available folders via `comfy models list-folders`",
+    ),
+    ErrorCode(
+        "model_not_found",
+        "No asset matched the requested model name exactly. `details.close_matches` lists substring hits.",
+        "use `comfy models search --text <substring>` to find candidates",
+    ),
+    ErrorCode(
+        "models_show_local_unsupported",
+        "`comfy models show` needs the cloud asset catalog; local servers don't have one.",
+        "for local filename listing use `comfy models list-folder <folder>`",
+    ),
+    ErrorCode(
+        "template_fetch_failed",
+        "Fetching the per-template workflow JSON from `Comfy-Org/workflow_templates` failed.",
+        "check network; if 404, the gallery and templates dir are out of sync — report upstream",
+    ),
+    ErrorCode(
+        "template_workflow_invalid_json",
+        "Upstream `templates/<name>.json` was not parseable JSON.",
+        "report at https://github.com/Comfy-Org/workflow_templates/issues",
+    ),
+    ErrorCode(
+        "cancel_failed",
+        "`comfy jobs cancel` could not reach the local server to cancel the prompt.",
+        "check the server is still running on the host/port",
+    ),
+    ErrorCode(
+        "workflow_saved_local_unsupported",
+        "`comfy workflow {list,get,save,delete}` requires Comfy Cloud — local ComfyUI has no /api/workflows.",
+        "for local workflows, manage JSON files on disk via `workflow slots`/`set-slot`/`vary`",
+    ),
+    # --- auth (provider keys + cloud session intertwined) --------------------
+    ErrorCode(
+        "auth_invalid_key",
+        "Missing or empty `--key` on `comfy auth set`.",
+        "pass `--key <KEY>`",
+    ),
+    ErrorCode(
+        "auth_not_found",
+        "Tried to remove a provider with no stored key.",
+        "`comfy auth list` to see what's stored",
+    ),
+    ErrorCode(
+        "auth_not_signed_in",
+        "Action requires a Comfy Cloud session.",
+        "run `comfy cloud login`",
+    ),
+    ErrorCode(
+        "auth_use_login_for_cloud",
+        "`comfy auth set comfy-cloud` is no longer the cloud auth path.",
+        "use `comfy cloud login`",
+    ),
+    ErrorCode(
+        "auth_use_logout_for_cloud",
+        "`comfy auth remove comfy-cloud` is no longer the cloud signout path.",
+        "use `comfy cloud logout`",
+    ),
+    # --- oauth ---------------------------------------------------------------
+    ErrorCode(
+        "oauth_register_failed",
+        "Dynamic client registration (RFC 7591) failed.",
+        "check that the cloud server is reachable",
+    ),
+    ErrorCode(
+        "oauth_authorize_failed",
+        "OAuth authorization step failed (user denied, state mismatch, etc.).",
+        "re-run `comfy cloud login`",
+    ),
+    ErrorCode(
+        "oauth_token_failed",
+        "OAuth token exchange failed.",
+        "re-run `comfy cloud login` to start a fresh authorization",
+    ),
+    ErrorCode(
+        "oauth_refresh_failed",
+        "OAuth token refresh failed.",
+        "run `comfy cloud login` to sign in again",
+    ),
+    ErrorCode(
+        "oauth_cancelled",
+        "OAuth flow was cancelled by the user.",
+    ),
+    ErrorCode(
+        "oauth_timeout",
+        "Timed out waiting for browser callback during OAuth login.",
+        "re-run `comfy cloud login` and complete the sign-in in your browser",
+    ),
+    # --- watcher / background jobs -------------------------------------------
+    ErrorCode(
+        "watcher_crashed",
+        "Background watcher process is no longer running; job state is stale.",
+        "re-submit the workflow, or check `comfy jobs status <id>` against the server",
+    ),
+    ErrorCode(
+        "watcher_timeout",
+        "Background watcher gave up after max runtime without a terminal status.",
+    ),
+    ErrorCode(
+        "watcher_poll_error",
+        "Background watcher encountered a transient error polling the server.",
+    ),
+    ErrorCode(
+        "unknown_status_stall",
+        "Cloud reported a status the CLI does not recognize and it did not change within the stall window.",
+        "check `comfy jobs status <id> --where cloud`; report the status so it can be mapped",
+    ),
+    ErrorCode(
+        "execution_error",
+        "ComfyUI reported an execution error for the workflow.",
+        "inspect the error details or re-run with `--wait --verbose`",
+    ),
+    ErrorCode(
+        "transient_auth",
+        "An API node's server-side session token expired mid-execution "
+        '("Unauthorized: Please login first to use this node"). Transient — not a local credential problem.',
+        "resubmit the same workflow — it succeeds on retry; `comfy cloud login` will not help",
+    ),
+    # --- general argument / mode errors --------------------------------------
+    ErrorCode(
+        "missing_argument",
+        "Required argument(s) not provided.",
+    ),
+    ErrorCode(
+        "json_incompatible",
+        "Requested feature is not available in JSON output mode.",
+    ),
+    # --- skills --------------------------------------------------------------
+    ErrorCode(
+        "unknown_skill",
+        "Requested skill is not in the bundled set.",
+        "run `comfy skills list` to see available skills",
+    ),
+    ErrorCode(
+        "skill_invalid",
+        "A skill path failed format validation (missing SKILL.md, frontmatter name/description, or name/dir mismatch).",
+        "a skill dir must contain SKILL.md with `name:`/`description:` frontmatter; run `comfy skills validate <path>`",
+    ),
+    # --- workflow editor -----------------------------------------------------
+    ErrorCode(
+        "workflow_not_frontend_format",
+        "Workflow editing requires the UI export (with `nodes[]` / `links[]`); "
+        "got API-format. Auto-convert isn't wired yet.",
+        "in ComfyUI, use the regular save (File > Save Workflow) — the API export is for `comfy run`, not for editing",
+    ),
+    ErrorCode(
+        "workflow_slot_invalid",
+        "A slot override failed validation (bad shape, unknown address, etc.).",
+        "see `details` — addresses follow `<instance_id>.<input_name>`",
+    ),
+    # --- workflow fragments / compose ---------------------------------------
+    ErrorCode(
+        "fragment_invalid",
+        "A workflow fragment file failed schema validation "
+        "(bad `_fragment` header, missing fields, dangling `binds`, malformed interior node).",
+        "see `details.path` and the message — run `comfy workflow fragment validate <path>` to re-check",
+    ),
+    ErrorCode(
+        "fragment_lib_not_found",
+        "The fragment library directory doesn't exist.",
+        "create `./fragments/` (default) or pass `--lib <dir>`",
+    ),
+    ErrorCode(
+        "blueprint_not_found",
+        "The compose blueprint YAML file doesn't exist.",
+        "check the path",
+    ),
+    ErrorCode(
+        "blueprint_invalid_yaml",
+        "The blueprint file isn't valid YAML.",
+        "lint with `yamllint` or fix the syntax",
+    ),
+    ErrorCode(
+        "blueprint_invalid",
+        "The blueprint semantically fails to compose: missing required input/param, "
+        "unknown input/param key, duplicate alias, or unresolvable cross-step reference.",
+        "see `details.step_alias` and the message",
+    ),
+    ErrorCode(
+        "blueprint_yaml_unavailable",
+        "PyYAML is not installed — `comfy workflow compose` needs it to read blueprints.",
+        "pip install pyyaml",
+    ),
+    ErrorCode(
+        "compose_io_error",
+        "Reading the blueprint or writing the composed workflow failed with an OSError "
+        "(permissions, missing parent dir, disk full, unreadable encoding).",
+        "check the path is readable/writable and the disk has space",
+    ),
+    # --- CQL / object_info ---------------------------------------------------
+    ErrorCode(
+        "cql_no_graph",
+        "No object_info source available (no local server, no `--input`).",
+        "pass `--input <path>`, or start the server with `comfy launch`",
+    ),
+    ErrorCode(
+        "object_info_stale",
+        "Live object_info fetch failed; the response was served from a cached copy that may be out of date. "
+        "`details.source` has the host key; `details.reason` has the fetch error. "
+        "Surfaced in `data.warnings[]` (not as an error envelope) so the command still succeeds.",
+        "re-run once the server/session is reachable to get a fresh schema",
+    ),
+    ErrorCode(
+        "cql_query_invalid",
+        "Grammar query failed to parse or evaluate.",
+        "check the grammar; `comfy nodes ls --help` has examples",
+    ),
+    ErrorCode(
+        "node_not_found",
+        "Requested node class isn't in the loaded environment.",
+        "see `details.close_matches` or run `comfy nodes search`",
+    ),
+    # --- file transfer (upload / download) -----------------------------------
+    ErrorCode(
+        "upload_failed",
+        "HTTP error during file upload to the server's input directory.",
+        "check the file exists and the server is reachable",
+    ),
+    ErrorCode(
+        "download_failed",
+        "HTTP error while downloading an output file.",
+        "check that the job completed successfully and the server is reachable",
+    ),
+    ErrorCode(
+        "download_no_outputs",
+        "The job has no output files (yet).",
+        "wait for the job to complete before downloading",
+    ),
+    ErrorCode(
+        "download_no_prompt",
+        "No prompt_id was provided to the download command.",
+        "pass a prompt_id argument, or pipe from `comfy --json run --wait`",
+    ),
+    ErrorCode(
+        "download_job_not_found",
+        "The prompt_id wasn't found in state files or the server API.",
+        "check the prompt_id and ensure the job has completed",
+    ),
+    ErrorCode(
+        "setup_missing_where",
+        "--non-interactive requires --where (local or cloud).",
+        "comfy setup --non-interactive --where cloud --api-key sk-...",
+    ),
+    ErrorCode(
+        "setup_no_auth",
+        "Cloud requires authentication in non-interactive mode.",
+        "pass --api-key sk-... or run `comfy cloud login` first",
+    ),
+    # --- project (project/1 convention) ---------------------------------------
+    ErrorCode(
+        "project_already_exists",
+        "`comfy project init` ran in a directory already governed by a comfy.yaml project (`details.root`).",
+        "use the existing project, or init outside it",
+    ),
+    ErrorCode(
+        "project_not_found",
+        "No comfy.yaml (schema project/1) governs the current directory.",
+        "run: comfy project init",
+    ),
+    ErrorCode(
+        "asset_not_pushed",
+        "A blueprint references `$asset.<name>` with no matching entry in .comfy/assets.lock.json "
+        "(or the file is missing under assets/).",
+        "run: comfy assets push",
+    ),
+    ErrorCode(
+        "asset_stale",
+        "A referenced asset changed on disk after its last push — its sha256 no longer matches the lock.",
+        "run: comfy assets push",
+    ),
+    ErrorCode(
+        "var_not_defined",
+        "A blueprint references `$var.<name>` with no matching entry under `vars:` in the project's comfy.yaml.",
+        "add the name under `vars:` in <root>/comfy.yaml, then re-compose",
+    ),
+    # --- generate / emit -----------------------------------------------------
+    ErrorCode(
+        "emit_workflow_failed",
+        "`generate --emit-workflow` could not build the partner-node workflow.",
+        "check the model name and that all required inputs are provided",
+    ),
+    # --- feedback ------------------------------------------------------------
+    ErrorCode(
+        "feedback_message_required",
+        "`comfy feedback` was run in JSON/non-interactive mode without an inline message.",
+        'comfy feedback "your feedback here"',
+    ),
+)
+
+
+_BY_CODE: dict[str, ErrorCode] = {ec.code: ec for ec in REGISTRY}
+
+
+def is_registered(code: str) -> bool:
+    return code in _BY_CODE
+
+
+def get(code: str) -> ErrorCode | None:
+    return _BY_CODE.get(code)
+
+
+def all_codes() -> list[str]:
+    return [ec.code for ec in REGISTRY]
+
+
+def as_discover_rows() -> list[dict[str, str | None]]:
+    """The shape ``comfy discover`` emits under ``data.error_codes``."""
+    return [{"code": ec.code, "meaning": ec.meaning, "hint": ec.hint} for ec in REGISTRY]
diff --git a/comfy_cli/execution_errors.py b/comfy_cli/execution_errors.py
new file mode 100644
index 00000000..400e3ac2
--- /dev/null
+++ b/comfy_cli/execution_errors.py
@@ -0,0 +1,115 @@
+"""Parse and classify ComfyUI execution failures into envelope-ready fields.
+
+The cloud's ``/api/job/<id>/status`` carries a failed job's cause as
+``error_message`` — a JSON-encoded string holding ``exception_message``,
+``exception_type``, ``node_id``, ``node_type`` and a full Python traceback.
+Embedding that string verbatim in an error envelope buries the one line a
+consumer needs under kilobytes of server traceback, and historically it was
+duplicated into both ``error.message`` and ``details``. The local WebSocket
+``execution_error`` event carries the same fields as an already-decoded dict.
+
+:func:`classify` normalizes either shape into a single envelope-ready verdict
+and routes known-transient failures to their own error code so callers (and
+agents) can tell "resubmit" apart from "your workflow is broken". The full
+raw traceback intentionally stays out of the verdict — it remains available
+on the server record via ``comfy jobs status <prompt_id>``.
+"""
+
+from __future__ import annotations
+
+import json
+from typing import Any
+
+# Marker for the cloud API-node session-token expiry ("Unauthorized: Please
+# login first to use this node", sometimes wrapped in "Polling aborted due to
+# error: ..."). The token lives server-side and expires mid-execution on
+# long-running API-node jobs; resubmitting the same workflow succeeds, while
+# re-running `comfy cloud login` changes nothing.
+_TRANSIENT_AUTH_MARKER = "please login first to use this node"
+
+# How many trailing traceback frames survive into envelope details.
+_TRACEBACK_TAIL_FRAMES = 2
+
+
+def parse_error_message(raw: Any) -> dict[str, Any]:
+    """Normalize a job-failure payload into flat fields.
+
+    Accepts the cloud's JSON-encoded ``error_message`` string, an
+    already-decoded dict (local WebSocket event), plain text, or None.
+    Always returns at least ``{"exception_message": str}``.
+    """
+    data: dict[str, Any]
+    if isinstance(raw, dict):
+        data = raw
+    elif isinstance(raw, str):
+        try:
+            decoded = json.loads(raw)
+        except ValueError:
+            return {"exception_message": raw.strip()}
+        if not isinstance(decoded, dict):
+            return {"exception_message": raw.strip()}
+        data = decoded
+    elif raw is None:
+        return {"exception_message": ""}
+    else:
+        return {"exception_message": str(raw)}
+
+    node_id = data.get("node_id")
+    out: dict[str, Any] = {
+        "exception_message": str(data.get("exception_message") or "").strip(),
+        "exception_type": data.get("exception_type"),
+        # Contract: node_id is always a string in envelope details, even if
+        # the server sends an int.
+        "node_id": str(node_id) if node_id is not None else None,
+        "node_type": data.get("node_type"),
+    }
+    tb = data.get("traceback") or []
+    if isinstance(tb, str):
+        tb = [tb]
+    if tb:
+        out["traceback_tail"] = [str(frame) for frame in tb[-_TRACEBACK_TAIL_FRAMES:]]
+    return out
+
+
+def is_transient_auth(text: Any) -> bool:
+    """True when the failure text is the server-side API-node token expiry."""
+    return _TRANSIENT_AUTH_MARKER in str(text or "").lower()
+
+
+def classify(raw: Any) -> dict[str, Any]:
+    """Build an envelope-ready ``{"code", "message", "hint", "details"}`` verdict.
+
+    ``message`` is the one-line cause prefixed with the failing node;
+    ``details`` carries the structured fields plus a short traceback tail —
+    never the full raw server traceback.
+    """
+    parsed = parse_error_message(raw)
+    cause = parsed.get("exception_message") or "ComfyUI reported an execution error."
+    node_type = parsed.get("node_type")
+    node_id = parsed.get("node_id")
+    if node_type:
+        where = f"{node_type} (node {node_id})" if node_id is not None else str(node_type)
+        message = f"{where}: {cause}"
+    else:
+        message = cause
+    details = {k: v for k, v in parsed.items() if v not in (None, "", [])}
+    if is_transient_auth(cause):
+        return {
+            "code": "transient_auth",
+            "message": message,
+            "hint": (
+                "an API node's server-side session token expired mid-execution — transient; "
+                "resubmit the same workflow and it will succeed on retry. "
+                "Local credentials are fine: `comfy cloud login` will not help"
+            ),
+            "details": details,
+        }
+    return {
+        "code": "execution_error",
+        "message": message,
+        "hint": (
+            "inspect details (node_type/node_id/exception_type); "
+            "full server traceback: `comfy --json jobs status <prompt_id>`"
+        ),
+        "details": details,
+    }
diff --git a/comfy_cli/fragments.py b/comfy_cli/fragments.py
new file mode 100644
index 00000000..be94cda5
--- /dev/null
+++ b/comfy_cli/fragments.py
@@ -0,0 +1,916 @@
+"""Typed fragment-based workflow composition — the domain core.
+
+A FRAGMENT is a workflow-JSON file with a ``_fragment`` metadata header that
+declares its typed inputs, outputs, and parameters. A BLUEPRINT (YAML) lists
+fragments to instantiate, how to bind their inputs, and how to override their
+parameters. Composing a blueprint produces ONE API-format workflow ready to
+submit with ``comfy run``.
+
+The big idea: tested, reusable subgraph fragments — "workflow as code." An
+agent can ship a 4-stage video pipeline by writing a 10-line blueprint instead
+of hand-merging four 100-node JSONs and rewiring edges.
+
+Format — ``fragments/<name>.json``
+----------------------------------
+::
+
+    {
+      "_fragment": {
+        "name":        "image_blend",
+        "version":     "1",
+        "description": "Blend two images using a configurable mode and factor.",
+        "terminal":    false,
+        "inputs":  {"image1": {"type":"IMAGE", "binds":"10.image1"}, ...},
+        "outputs": {"image":  {"type":"IMAGE", "from":"10", "port":0}},
+        "params":  {"blend_factor": {"type":"FLOAT", "binds":"10.blend_factor",
+                                     "default":0.5}, ...}
+      },
+      "10": {"class_type":"ImageBlend", "inputs":{...}, "_meta":{...}},
+      ...
+    }
+
+Blueprint — ``blueprints/<name>.yaml``
+--------------------------------------
+::
+
+    output_prefix: outputs/my_pipeline
+    pipeline:
+      - fragment: text_card
+        alias:    headline
+        inputs:   {destination_image: inputs/base.png,
+                   source_mask:       inputs/mask.png}
+        params:   {text_prompt: "BREAKING NEWS"}
+
+      - fragment: text_card
+        alias:    subhead
+        inputs:   {destination_image: $headline.image,
+                   source_mask:       inputs/sub_mask.png}
+        params:   {text_prompt: "...details..."}
+
+This module is pure value-in, value-out: it reads fragment files and returns
+plain dicts. It does no rendering and knows nothing about Typer or error
+codes — the CLI shell in ``command/workflow_fragments.py`` wraps it.
+"""
+
+from __future__ import annotations
+
+import copy
+import json
+import re
+from collections.abc import Callable
+from dataclasses import dataclass, field
+from pathlib import Path
+from typing import Any
+
+# Reserved `$`-reference prefixes. Both resolve through injected resolvers
+# wherever a whole-value string can appear: graph inputs, step params, and
+# foreach item field values. `$asset.<name>` → server-side filename via the
+# push lock; `$var.<name>` → raw scalar from the project comfy.yaml `vars:`
+# block. The prefixes are reserved: never a cross-step alias, and foreach
+# namespacing must leave them untouched. Whole-value only — a prefix embedded
+# mid-string is plain text (no interpolation/templating).
+ASSET_REF_PREFIX = "$asset."
+VAR_REF_PREFIX = "$var."
+_RESERVED_REF_PREFIXES = (ASSET_REF_PREFIX, VAR_REF_PREFIX)
+
+# Input modalities the composer can materialize from a bare file path by
+# injecting a loader node. Everything else (MODEL, CONDITIONING, LATENT, VAE,
+# and any custom socket type) is "graph-only": valid as a fragment input, but
+# it can only be fed by a cross-step ref (`$alias.output`), never a path.
+LOADABLE_INPUT_TYPES = {"IMAGE", "MASK", "AUDIO", "VIDEO"}
+
+# Loader class + its REAL input key per path-loadable modality, exactly as the
+# server's object_info publishes them (verified against live cloud
+# object_info: LoadImage.image, LoadAudio.audio, LoadVideo.file — all COMBO).
+# An invented key (e.g. LoadVideo "video") passes client-side validation and
+# then burns the cloud run in input staging, so this table is the single
+# source of truth. MASK rides IMAGE: LoadImage → ImageToMask.
+PATH_LOADERS = {
+    "IMAGE": ("LoadImage", "image"),
+    "AUDIO": ("LoadAudio", "audio"),
+    "VIDEO": ("LoadVideo", "file"),
+}
+# Param types use the node-schema vocabulary exactly as `nodes show` prints
+# it (BOOLEAN, never a BOOL alias) so types copy straight across.
+KNOWN_PARAM_TYPES = {"STRING", "INT", "FLOAT", "BOOLEAN", "COMBO"}
+
+# A ComfyUI socket type is UPPER_SNAKE_CASE (IMAGE, MODEL, CONTROL_NET, ...).
+# We accept any such token as an input type so fragments can model the full
+# ComfyUI graph, including custom-node sockets — not just a fixed modality set.
+_SOCKET_TYPE_RE = re.compile(r"^[A-Z][A-Z0-9_]*$")
+# A step alias reads like a variable name; this also keeps `$alias.output`
+# refs unambiguous (a stray `:` or `.` can't masquerade as an alias).
+_ALIAS_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_-]*$")
+
+
+# ---------------------------------------------------------------------------
+# Errors
+# ---------------------------------------------------------------------------
+
+
+class FragmentError(Exception):
+    """A fragment file is malformed or fails schema validation."""
+
+    def __init__(self, message: str, *, path: str | None = None, hint: str | None = None):
+        super().__init__(message)
+        self.path = path
+        self.hint = hint
+
+
+class BlueprintError(Exception):
+    """A blueprint is malformed or references a fragment that won't compose."""
+
+    def __init__(self, message: str, *, step_alias: str | None = None, hint: str | None = None):
+        super().__init__(message)
+        self.step_alias = step_alias
+        self.hint = hint
+
+
+class RefResolutionError(BlueprintError):
+    """A reserved whole-value reference (``$asset.`` / ``$var.``) failed to
+    resolve. Carries the envelope error code so the CLI surface maps it 1:1.
+    Lives here (not in ``project.py``) so both pure modules can use it
+    without an import cycle — ``project.py`` imports fragments, never the
+    reverse."""
+
+    def __init__(self, message: str, *, code: str, hint: str | None = None):
+        super().__init__(message, hint=hint)
+        self.code = code
+
+
+class AssetError(RefResolutionError):
+    """A ``$asset.<name>`` reference can't be resolved from the push lock.
+
+    Raised by the asset resolver :func:`comfy_cli.project.make_asset_resolver`
+    injects into compose. Codes: ``asset_not_pushed`` | ``asset_stale``.
+    """
+
+
+class VarError(RefResolutionError):
+    """A ``$var.<name>`` reference names nothing under the project
+    comfy.yaml ``vars:`` block.
+
+    Raised by the var resolver :func:`comfy_cli.project.make_var_resolver`
+    injects into compose. Code: ``var_not_defined``.
+    """
+
+
+# ---------------------------------------------------------------------------
+# Fragment model
+# ---------------------------------------------------------------------------
+
+
+@dataclass
+class FragmentPort:
+    name: str
+    type: str
+    binds: str | None = None  # for inputs and params: "<node_id>.<input_name>"
+    from_node: str | None = None  # for outputs
+    port: int = 0
+    default: Any = None
+    has_default: bool = False
+
+
+@dataclass
+class Fragment:
+    """A parsed fragment: metadata + interior nodes."""
+
+    name: str
+    version: str
+    description: str
+    terminal: bool
+    inputs: dict[str, FragmentPort] = field(default_factory=dict)
+    outputs: dict[str, FragmentPort] = field(default_factory=dict)
+    params: dict[str, FragmentPort] = field(default_factory=dict)
+    nodes: dict[str, dict] = field(default_factory=dict)
+    source_path: str = ""
+
+
+def _parse_port(name: str, spec: dict, role: str) -> FragmentPort:
+    """Parse one entry from inputs/outputs/params. ``role`` ∈ {input, output, param}."""
+    if not isinstance(spec, dict):
+        raise FragmentError(f"{role} {name!r}: expected an object, got {type(spec).__name__}")
+    t = spec.get("type")
+    if not isinstance(t, str):
+        raise FragmentError(f"{role} {name!r}: missing or non-string `type`")
+    if role == "input" and not _SOCKET_TYPE_RE.match(t):
+        raise FragmentError(
+            f"{role} {name!r}: type {t!r} is not a valid ComfyUI socket type",
+            hint="use an UPPER_SNAKE_CASE socket type, e.g. IMAGE, MODEL, CONDITIONING, LATENT, VAE",
+        )
+    if role == "param" and t not in KNOWN_PARAM_TYPES:
+        raise FragmentError(
+            f"{role} {name!r}: type {t!r} not in {sorted(KNOWN_PARAM_TYPES)}",
+        )
+
+    port = FragmentPort(name=name, type=t)
+    if role in ("input", "param"):
+        binds = spec.get("binds")
+        if not isinstance(binds, str) or "." not in binds:
+            raise FragmentError(
+                f"{role} {name!r}: `binds` must be '<node_id>.<input_name>' (got {binds!r})",
+            )
+        port.binds = binds
+    elif role == "output":
+        frm = spec.get("from")
+        if not isinstance(frm, str):
+            raise FragmentError(f"output {name!r}: `from` must be a string node id (got {frm!r})")
+        port.from_node = frm
+        try:
+            port.port = int(spec.get("port", 0))
+        except (TypeError, ValueError) as e:
+            raise FragmentError(f"output {name!r}: `port` must be an integer (got {spec.get('port')!r})") from e
+    if role == "param" and "default" in spec:
+        port.default = spec["default"]
+        port.has_default = True
+    return port
+
+
+def parse_fragment(data: dict, *, source_path: str = "") -> Fragment:
+    """Parse a fragment JSON dict into a typed ``Fragment``.
+
+    Raises ``FragmentError`` on any schema violation.
+    """
+    if not isinstance(data, dict):
+        raise FragmentError("fragment JSON must be an object", path=source_path)
+    meta = data.get("_fragment")
+    if not isinstance(meta, dict):
+        raise FragmentError(
+            "missing `_fragment` metadata header",
+            path=source_path,
+            hint="every fragment file must declare a `_fragment` object with name/inputs/outputs/params",
+        )
+
+    name = meta.get("name")
+    if not isinstance(name, str) or not name:
+        raise FragmentError("`_fragment.name` is required (non-empty string)", path=source_path)
+
+    inputs_raw = meta.get("inputs", {})
+    outputs_raw = meta.get("outputs", {})
+    params_raw = meta.get("params", {})
+    for label, raw in (("inputs", inputs_raw), ("outputs", outputs_raw), ("params", params_raw)):
+        if not isinstance(raw, dict):
+            raise FragmentError(f"`_fragment.{label}` must be an object", path=source_path)
+
+    frag = Fragment(
+        name=name,
+        version=str(meta.get("version", "1")),
+        description=str(meta.get("description", "")),
+        terminal=bool(meta.get("terminal", False)),
+        source_path=source_path,
+    )
+    for n, spec in inputs_raw.items():
+        frag.inputs[n] = _parse_port(n, spec, "input")
+    for n, spec in outputs_raw.items():
+        frag.outputs[n] = _parse_port(n, spec, "output")
+    for n, spec in params_raw.items():
+        frag.params[n] = _parse_port(n, spec, "param")
+
+    # interior nodes: every top-level key besides _fragment
+    for k, v in data.items():
+        if k == "_fragment":
+            continue
+        if not isinstance(v, dict) or "class_type" not in v:
+            raise FragmentError(
+                f"interior key {k!r}: expected a node object with `class_type`",
+                path=source_path,
+            )
+        if not str(k).isdigit():
+            raise FragmentError(
+                f"interior key {k!r}: node id must be a numeric string",
+                path=source_path,
+            )
+        frag.nodes[k] = v
+    if not frag.nodes:
+        raise FragmentError("fragment has no interior nodes", path=source_path)
+
+    # cross-check: all `binds` and `from` reference real interior nodes
+    for port in list(frag.inputs.values()) + list(frag.params.values()):
+        if port.binds is None:
+            raise FragmentError(
+                f"input/param {port.name!r} is missing `binds`",
+                path=source_path,
+            )
+        node_id = port.binds.split(".", 1)[0]
+        if node_id not in frag.nodes:
+            raise FragmentError(
+                f"`binds` points to missing interior node {node_id!r} (in {port.name!r})",
+                path=source_path,
+            )
+    for port in frag.outputs.values():
+        if port.from_node not in frag.nodes:
+            raise FragmentError(
+                f"output {port.name!r}: `from` points to missing interior node {port.from_node!r}",
+                path=source_path,
+            )
+    return frag
+
+
+def load_fragment(path: Path) -> Fragment:
+    """Read a fragment JSON file. Raises FragmentError on I/O or schema failure."""
+    if not path.is_file():
+        raise FragmentError(f"fragment file not found: {path}", path=str(path))
+    try:
+        data = json.loads(path.read_text(encoding="utf-8"))
+    except OSError as e:
+        raise FragmentError(f"unable to read fragment: {e}", path=str(path)) from e
+    except json.JSONDecodeError as e:
+        raise FragmentError(f"fragment file is not valid JSON: {e}", path=str(path)) from e
+    return parse_fragment(data, source_path=str(path))
+
+
+def resolve_fragment_name(name: str, lib_dir: Path) -> Path:
+    """``name`` may be a bare name (``text_card`` → ``<lib>/text_card.json``) or a path."""
+    candidate = Path(name).expanduser()
+    if candidate.is_file():
+        return candidate
+    if name.endswith(".json"):
+        return (lib_dir / name).expanduser()
+    return (lib_dir / f"{name}.json").expanduser()
+
+
+# ---------------------------------------------------------------------------
+# Pipeline composer
+# ---------------------------------------------------------------------------
+
+
+@dataclass
+class _StepOutput:
+    """Where a step's named output landed in the merged workflow."""
+
+    node_id: str
+    port: int
+    type: str
+
+
+class Pipeline:
+    """Composes fragments + per-step bindings into one API-format workflow.
+
+    Pure value-in, value-out: load fragments, parse a blueprint, return the
+    merged workflow dict. The Typer command wraps this for I/O.
+    """
+
+    def __init__(
+        self,
+        *,
+        asset_resolver: Callable[[str], str] | None = None,
+        var_resolver: Callable[[str], Any] | None = None,
+    ) -> None:
+        self.workflow: dict[str, dict] = {}
+        self.next_id: int = 100
+        self.outputs: dict[str, dict[str, _StepOutput]] = {}
+        self.last_step_terminal: bool = False
+        # `$asset.<name>` → server-side filename (push lock) and
+        # `$var.<name>` → raw scalar (comfy.yaml `vars:`); both injected by
+        # the CLI shell. None = no governing project.
+        self.asset_resolver = asset_resolver
+        self.var_resolver = var_resolver
+
+    # -- ID allocation -------------------------------------------------------
+
+    def _alloc(self, n: int) -> int:
+        start = self.next_id
+        self.next_id += n + 50  # buffer to keep renumbering deterministic
+        return start
+
+    # -- Loader-node helpers -------------------------------------------------
+
+    def _add_loader(self, class_type: str, input_name: str, path: str, *, title: str) -> str:
+        node_id = str(self._alloc(1))
+        self.workflow[node_id] = {
+            "class_type": class_type,
+            "_meta": {"title": title},
+            "inputs": {input_name: path},
+        }
+        return node_id
+
+    def _add_image_to_mask(self, image_ref: list) -> str:
+        node_id = str(self._alloc(1))
+        self.workflow[node_id] = {
+            "class_type": "ImageToMask",
+            "_meta": {"title": "→ mask"},
+            "inputs": {"image": image_ref, "channel": "red"},
+        }
+        return node_id
+
+    # -- Reserved whole-value references ($asset.<name> / $var.<name>) --------
+
+    def _resolve_value_ref(self, value: Any, *, step_alias: str, site: str) -> Any:
+        """Resolve a reserved whole-value reference string; pass through the rest.
+
+        WHOLE-VALUE ONLY: a reference is the ENTIRE string ("$asset.x",
+        "$var.style"). An embedded occurrence ("a $asset.x b") is plain text —
+        there is no interpolation/templating, so it passes through untouched
+        and no resolver is consulted. `$var` returns the resolver's RAW scalar
+        (never str()'d) so INT/FLOAT/BOOLEAN params keep their types. The one
+        shared prefix-parser for both the graph-input path
+        (:meth:`_resolve_input`) and the param path (:meth:`add_step`), so the
+        two never drift.
+        """
+        if not isinstance(value, str):
+            return value
+        if value.startswith(ASSET_REF_PREFIX):
+            name = value[len(ASSET_REF_PREFIX) :]
+            if self.asset_resolver is None:
+                raise BlueprintError(
+                    f"[{step_alias}] {site}: $asset.{name} requires a project with a pushed assets lock",
+                    step_alias=step_alias,
+                    hint="run: comfy project init, add the file under assets/, then: comfy assets push",
+                )
+            return self.asset_resolver(name)
+        if value.startswith(VAR_REF_PREFIX):
+            name = value[len(VAR_REF_PREFIX) :]
+            if self.var_resolver is None:
+                raise BlueprintError(
+                    f"[{step_alias}] {site}: $var.{name} requires a project — vars live in comfy.yaml",
+                    step_alias=step_alias,
+                    hint="run `comfy project init`, then declare the name under `vars:` in the project's comfy.yaml",
+                )
+            return self.var_resolver(name)
+        return value
+
+    def _resolve_input(self, value: Any, decl_type: str, *, step_alias: str, in_name: str):
+        """Return the [node_id, port] (or literal) the input should bind to."""
+        # `$asset.<name>` / `$var.<name>` — resolve through the project
+        # resolvers BEFORE the cross-step parse (reserved prefixes, never an
+        # alias), then fall through: the resolved value gets the exact same
+        # loader materialization a literal filename does.
+        value = self._resolve_value_ref(value, step_alias=step_alias, site=f"input {in_name!r}")
+
+        # Cross-step ref — wires to a prior step's output, whatever its type.
+        if isinstance(value, str) and value.startswith("$"):
+            ref = value[1:]
+            if "." not in ref:
+                raise BlueprintError(
+                    f"[{step_alias}] input {in_name!r}: cross-step ref must be '$alias.output_name' (got {value!r})",
+                    step_alias=step_alias,
+                )
+            alias, output_name = ref.split(".", 1)
+            if not _ALIAS_RE.match(alias) or not output_name:
+                raise BlueprintError(
+                    f"[{step_alias}] input {in_name!r}: malformed cross-step ref {value!r}",
+                    step_alias=step_alias,
+                    hint="a cross-step ref is '$alias.output_name' — e.g. $headline.image",
+                )
+            if alias not in self.outputs:
+                raise BlueprintError(
+                    f"[{step_alias}] input {in_name!r}: unknown alias {alias!r}",
+                    step_alias=step_alias,
+                    hint=f"available aliases: {sorted(self.outputs.keys())}",
+                )
+            if output_name not in self.outputs[alias]:
+                raise BlueprintError(
+                    f"[{step_alias}] input {in_name!r}: alias {alias!r} has no output {output_name!r}",
+                    step_alias=step_alias,
+                    hint=f"alias {alias!r} exposes: {sorted(self.outputs[alias].keys())}",
+                )
+            out = self.outputs[alias][output_name]
+            return [out.node_id, out.port]
+
+        # STRING passes through as a literal (any scalar — int/float included).
+        if decl_type == "STRING":
+            return value
+
+        if not isinstance(value, str):
+            raise BlueprintError(
+                f"[{step_alias}] input {in_name!r}: type {decl_type!r} needs a file path "
+                f"or a cross-step ref, got {type(value).__name__}",
+                step_alias=step_alias,
+            )
+
+        # Loadable modalities — materialize the path with the right loader
+        # node, wired through its real input key (see PATH_LOADERS).
+        if decl_type in PATH_LOADERS:
+            loader_class, loader_key = PATH_LOADERS[decl_type]
+            return [self._add_loader(loader_class, loader_key, value, title=f"load {Path(value).name}"), 0]
+        if decl_type == "MASK":
+            load_id = self._add_loader("LoadImage", "image", value, title=f"load {Path(value).name}")
+            return [self._add_image_to_mask([load_id, 0]), 0]
+
+        # Graph-only socket types (MODEL, CONDITIONING, LATENT, VAE, custom):
+        # there is no loader to inject — they must come from a prior step.
+        raise BlueprintError(
+            f"[{step_alias}] input {in_name!r}: type {decl_type!r} can't be loaded from a path "
+            f"({value!r}); feed it from a prior step with a cross-step ref",
+            step_alias=step_alias,
+            hint="only IMAGE/MASK/AUDIO/VIDEO accept a file path; wire everything else via $alias.output_name",
+        )
+
+    # -- Add one step --------------------------------------------------------
+
+    def add_step(self, fragment: Fragment, alias: str, inputs: dict, params: dict) -> None:
+        if not _ALIAS_RE.match(alias):
+            raise BlueprintError(
+                f"alias {alias!r} is not a valid identifier",
+                step_alias=alias,
+                hint="aliases read like a variable name: letters/digits/_/-, starting with a letter or _",
+            )
+        # Validate inputs/params presence
+        for in_name in fragment.inputs:
+            if in_name not in inputs:
+                raise BlueprintError(
+                    f"[{alias}] missing required input {in_name!r}",
+                    step_alias=alias,
+                    hint=f"fragment {fragment.name!r} requires: {sorted(fragment.inputs.keys())}",
+                )
+        full_params: dict[str, Any] = {}
+        for p_name, port in fragment.params.items():
+            if p_name in params:
+                full_params[p_name] = params[p_name]
+            elif port.has_default:
+                full_params[p_name] = port.default
+            else:
+                raise BlueprintError(
+                    f"[{alias}] missing required param {p_name!r} (no default)",
+                    step_alias=alias,
+                )
+        # Unknown keys → fail loud, so typos don't silently no-op.
+        extra_inputs = set(inputs) - set(fragment.inputs)
+        if extra_inputs:
+            raise BlueprintError(
+                f"[{alias}] unknown inputs: {sorted(extra_inputs)}",
+                step_alias=alias,
+                hint=f"fragment declares inputs: {sorted(fragment.inputs.keys())}",
+            )
+        extra_params = set(params) - set(fragment.params)
+        if extra_params:
+            raise BlueprintError(
+                f"[{alias}] unknown params: {sorted(extra_params)}",
+                step_alias=alias,
+                hint=f"fragment declares params: {sorted(fragment.params.keys())}",
+            )
+        if alias in self.outputs:
+            raise BlueprintError(f"alias {alias!r} used by a previous step", step_alias=alias)
+
+        # Deep-copy interior nodes, remap IDs, apply params + inputs
+        offset = self._alloc(len(fragment.nodes))
+        remap = {old: str(int(old) + offset) for old in fragment.nodes.keys()}
+        new_nodes: dict[str, dict] = {}
+        for old_id, node in fragment.nodes.items():
+            new_node = copy.deepcopy(node)
+            for input_name, value in list(new_node.get("inputs", {}).items()):
+                if isinstance(value, list) and len(value) == 2 and isinstance(value[0], str):
+                    if value[0] in remap:
+                        new_node["inputs"][input_name] = [remap[value[0]], value[1]]
+            new_nodes[remap[old_id]] = new_node
+
+        for p_name, port in fragment.params.items():
+            if port.binds is None:
+                raise FragmentError(f"param {port.name!r} is missing `binds`")
+            old_id, input_name = port.binds.split(".", 1)
+            # Reserved whole-value refs ($asset.<name> / $var.<name>) resolve
+            # in PARAM values too — before the value lands as a widget value,
+            # so the resolved value is what the node sees and the asset
+            # resolver's staleness checks fire identically to the inputs path.
+            # Params have no client-side widget-type validation: an INT-typed
+            # param fed a `$asset.` ref deterministically receives the resolved
+            # STRING (the server rejects it at run time), while `$var` returns
+            # the raw scalar so INT/FLOAT/BOOLEAN params keep their types. In
+            # `foreach`, `$item.<field>` substitution has already run, so an
+            # item field carrying a ref resolves here per item.
+            new_nodes[remap[old_id]]["inputs"][input_name] = self._resolve_value_ref(
+                full_params[p_name], step_alias=alias, site=f"param {p_name!r}"
+            )
+        for in_name, port in fragment.inputs.items():
+            if port.binds is None:
+                raise FragmentError(f"input {port.name!r} is missing `binds`")
+            resolved = self._resolve_input(inputs[in_name], port.type, step_alias=alias, in_name=in_name)
+            old_id, input_name = port.binds.split(".", 1)
+            new_nodes[remap[old_id]]["inputs"][input_name] = resolved
+
+        self.workflow.update(new_nodes)
+
+        # Record outputs (keep the declared type so the composer can pick a
+        # save node later without re-reading the fragment from disk).
+        self.outputs[alias] = {}
+        for o_name, port in fragment.outputs.items():
+            if port.from_node is None:
+                raise FragmentError(f"output {port.name!r} is missing `from`")
+            self.outputs[alias][o_name] = _StepOutput(node_id=remap[port.from_node], port=port.port, type=port.type)
+        self.last_step_terminal = fragment.terminal
+
+    # -- Save-node convenience ----------------------------------------------
+
+    def add_save(self, output: _StepOutput, output_type: str, *, prefix: str) -> str:
+        """Append a SaveImage/SaveVideo node and return its node id."""
+        if output_type == "VIDEO":
+            class_type, ref_key = "SaveVideo", "video"
+            inputs = {
+                ref_key: [output.node_id, output.port],
+                "filename_prefix": prefix,
+                "format": "mp4",
+                "codec": "h264",
+            }
+        else:
+            class_type, ref_key = "SaveImage", "images"
+            inputs = {ref_key: [output.node_id, output.port], "filename_prefix": prefix}
+        node_id = str(self._alloc(1))
+        self.workflow[node_id] = {
+            "class_type": class_type,
+            "_meta": {"title": f"save composed final ({output_type.lower()})"},
+            "inputs": inputs,
+        }
+        return node_id
+
+
+# ---------------------------------------------------------------------------
+# Blueprint parsing + compose entry points
+# ---------------------------------------------------------------------------
+
+# `$item` / `$item.<field>` placeholders in a `foreach` pipeline template are
+# replaced with the current item's value before the step is composed. A bare
+# `$item` yields the whole item; `$item.<field>` indexes a mapping item.
+_ITEM_RE = re.compile(r"^\$item(?:\.([A-Za-z_][A-Za-z0-9_-]*))?$")
+
+
+def _validate_pipeline_steps(steps: Any) -> list[dict]:
+    """Validate a `pipeline:` list and return it (each step is a mapping)."""
+    if not isinstance(steps, list) or not steps:
+        raise BlueprintError("blueprint must have a non-empty `pipeline:` list")
+    for i, step in enumerate(steps):
+        if not isinstance(step, dict):
+            raise BlueprintError(f"pipeline[{i}]: each step must be a mapping")
+        name = step.get("fragment")
+        alias = step.get("alias")
+        if not isinstance(name, str) or not isinstance(alias, str):
+            raise BlueprintError(f"pipeline[{i}]: each step must declare `fragment` and `alias` strings")
+    return steps
+
+
+def _substitute_item(value: Any, item: Any, *, ns: str, alias_refs: bool = True) -> Any:
+    """Resolve `$item` placeholders in a blueprint value against ``item``.
+
+    A bare ``$item`` becomes the whole item; ``$item.<field>`` indexes a mapping
+    item. Cross-step refs (``$alias.output``) are namespaced with ``ns`` so each
+    item's branch wires to its own copies, never another item's. Non-``$`` values
+    pass through untouched. Containers (lists/dicts) are recursed.
+
+    ``alias_refs`` controls whether ``$alias.output`` cross-step refs are
+    namespaced. Set to ``False`` for params, which are literal widget values and
+    must never be alias-rewritten.
+    """
+    # `$asset.<name>` / `$var.<name>` are reserved refs resolved later by
+    # `_resolve_value_ref`; without this guard the alias-namespacing below
+    # would mangle them into `$<ns>__asset.<name>` / `$<ns>__var.<name>` and
+    # the reference would be lost.
+    if isinstance(value, str) and value.startswith(_RESERVED_REF_PREFIXES):
+        return value
+    if isinstance(value, str) and value.startswith("$"):
+        m = _ITEM_RE.match(value)
+        if m:
+            field = m.group(1)
+            if field is None:
+                return item
+            if not isinstance(item, dict):
+                raise BlueprintError(
+                    f"`$item.{field}` requires a mapping item, got {type(item).__name__}",
+                    hint="use `$item` (whole value) for scalar foreach items",
+                )
+            if field not in item:
+                raise BlueprintError(
+                    f"foreach item has no field {field!r} (referenced as `$item.{field}`)",
+                    hint=f"item exposes: {sorted(item.keys())}",
+                )
+            return item[field]
+        # A `$alias.output` cross-step ref — namespace its alias to this branch.
+        # Only valid for INPUTS; params are literal widget values, never refs.
+        if alias_refs and "." in value:
+            alias, _, output = value[1:].partition(".")
+            if _ALIAS_RE.match(alias):
+                return f"${ns}__{alias}.{output}"
+        return value
+    if isinstance(value, list):
+        return [_substitute_item(v, item, ns=ns, alias_refs=alias_refs) for v in value]
+    if isinstance(value, dict):
+        return {k: _substitute_item(v, item, ns=ns, alias_refs=alias_refs) for k, v in value.items()}
+    return value
+
+
+def _add_branch(
+    pipeline: Pipeline,
+    steps: list[dict],
+    *,
+    lib_dir: Path,
+    item: Any = None,
+    ns: str | None = None,
+) -> tuple[str, bool, list[str]]:
+    """Add one pipeline instantiation to ``pipeline``.
+
+    When ``item``/``ns`` are given the steps are treated as a ``foreach`` template:
+    ``$item.*`` placeholders are bound to ``item`` and every alias (its own +
+    cross-step refs) is prefixed with ``ns`` so the branch can't collide with or
+    wire into another item's branch. Returns ``(final_alias, last_terminal,
+    used_fragments)``.
+    """
+    used_fragments: list[str] = []
+    final_alias = ""
+    for step in steps:
+        name = step["fragment"]
+        alias = step["alias"]
+        inputs = step.get("inputs") or {}
+        params = step.get("params") or {}
+        if ns is not None:
+            alias = f"{ns}__{alias}"
+            inputs = {k: _substitute_item(v, item, ns=ns) for k, v in inputs.items()}
+            params = {k: _substitute_item(v, item, ns=ns, alias_refs=False) for k, v in params.items()}
+        fragment = load_fragment(resolve_fragment_name(name, lib_dir))
+        used_fragments.append(fragment.name)
+        pipeline.add_step(fragment=fragment, alias=alias, inputs=inputs, params=params)
+        final_alias = alias
+    return final_alias, pipeline.last_step_terminal, used_fragments
+
+
+def _auto_save(pipeline: Pipeline, final_alias: str, *, terminal: bool, prefix: str) -> tuple[dict | None, str | None]:
+    """Append a save node for a branch's final IMAGE/VIDEO output, unless terminal.
+
+    Returns ``(save_action, save_node_id)`` — both ``None`` when no node was
+    appended (terminal step, or no saveable output type).
+    """
+    if terminal:
+        return None, None
+    chosen = None
+    for out in pipeline.outputs[final_alias].values():
+        if out.type in ("IMAGE", "VIDEO"):
+            chosen = out
+            break
+    if chosen is None:
+        return None, None
+    save_node = pipeline.add_save(chosen, chosen.type, prefix=prefix)
+    return {"type": chosen.type, "prefix": prefix}, save_node
+
+
+def compose_blueprint(
+    blueprint: dict,
+    *,
+    lib_dir: Path,
+    asset_resolver: Callable[[str], str] | None = None,
+    var_resolver: Callable[[str], Any] | None = None,
+) -> tuple[dict, dict]:
+    """Compose a single-graph (no ``foreach``) blueprint into an API workflow.
+
+    Returns ``(workflow, summary)`` where ``summary`` describes the composition
+    (step count, node count, final-save action). Raises ``BlueprintError`` /
+    ``FragmentError`` on any failure. For ``foreach`` blueprints (and chunking),
+    use :func:`compose_blueprints`, which returns one entry per emitted graph.
+    """
+    if not isinstance(blueprint, dict):
+        raise BlueprintError("blueprint must be a YAML mapping")
+    steps = _validate_pipeline_steps(blueprint.get("pipeline"))
+
+    pipeline = Pipeline(asset_resolver=asset_resolver, var_resolver=var_resolver)
+    final_alias, terminal, used_fragments = _add_branch(pipeline, steps, lib_dir=lib_dir)
+    save_action, _ = _auto_save(
+        pipeline, final_alias, terminal=terminal, prefix=str(blueprint.get("output_prefix", "composed"))
+    )
+
+    summary = {
+        "steps": len(steps),
+        "nodes": len(pipeline.workflow),
+        "fragments_used": used_fragments,
+        "final_alias": final_alias,
+        "save_action": save_action,
+    }
+    return pipeline.workflow, summary
+
+
+def _resolve_foreach_items(spec: Any, *, blueprint_dir: Path | None) -> list[Any]:
+    """Resolve a ``foreach:`` value (inline list or ``{$ref: path.yaml}``) to items."""
+    if isinstance(spec, dict) and "$ref" in spec:
+        ref = spec["$ref"]
+        if not isinstance(ref, str):
+            raise BlueprintError("foreach `$ref` must be a path string")
+        if blueprint_dir is None:
+            raise BlueprintError(
+                "foreach `$ref` cannot be resolved without a blueprint directory",
+                hint="`$ref` is resolved relative to the blueprint file; compose from a file, not an in-memory dict",
+            )
+        ref_path = (blueprint_dir / ref).expanduser()
+        if not ref_path.is_file():
+            raise BlueprintError(f"foreach `$ref` file not found: {ref_path}")
+        try:
+            import yaml
+        except ImportError as e:  # pragma: no cover
+            raise BlueprintError("PyYAML is required to resolve foreach `$ref`") from e
+        try:
+            spec = yaml.safe_load(ref_path.read_text(encoding="utf-8"))
+        except yaml.YAMLError as e:
+            raise BlueprintError(f"foreach `$ref` file is not valid YAML: {e}") from e
+    if not isinstance(spec, list) or not spec:
+        raise BlueprintError(
+            "foreach must resolve to a non-empty list of items",
+            hint="provide an inline list or `{$ref: items.yaml}` pointing at a YAML list",
+        )
+    return spec
+
+
+def _item_namespace(item: Any, index: int) -> str:
+    """A unique, alias-safe namespace token for one item's branch."""
+    if isinstance(item, dict) and isinstance(item.get("id"), str | int):
+        raw = re.sub(r"[^A-Za-z0-9_]", "_", str(item["id"]))
+        if raw:
+            return f"i{index}_{raw}"
+    return f"i{index}"
+
+
+def _item_key(item: Any, index: int) -> str:
+    """Stable key for one foreach item — ``str(item["id"])`` when present, else
+    ``str(index)``. The SAME rule ``_item_prefix`` uses, so ``item_map`` keys
+    and per-item output filenames always agree."""
+    if isinstance(item, dict) and item.get("id") is not None:
+        return str(item["id"])
+    return str(index)
+
+
+def _item_prefix(base: str, item: Any, index: int) -> str:
+    """Per-item terminal/output prefix — uses the item id when present, else index."""
+    return f"{base}/{_item_key(item, index)}"
+
+
+def compose_blueprints(
+    blueprint: dict,
+    *,
+    lib_dir: Path,
+    blueprint_dir: Path | None = None,
+    asset_resolver: Callable[[str], str] | None = None,
+    var_resolver: Callable[[str], Any] | None = None,
+) -> list[tuple[dict, dict]]:
+    """Compose a blueprint into one or more API workflows.
+
+    Without ``foreach:`` this returns a single ``[(workflow, summary)]`` — the
+    same graph :func:`compose_blueprint` produces. With ``foreach:`` the
+    ``pipeline:`` is a TEMPLATE instantiated once per item; all instantiations
+    land in ONE graph as independent branches (the engine parallelizes them).
+    ``$item`` / ``$item.<field>`` in step ``inputs``/``params`` bind to the item;
+    each branch gets a unique alias namespace so the copies never collide.
+
+    ``chunk: N`` (only when set) splits the items into ``ceil(items/N)`` graphs
+    for memory limits; the default is a single graph. ``foreach: {$ref: x.yaml}``
+    loads items from a YAML list resolved relative to ``blueprint_dir``.
+    """
+    if not isinstance(blueprint, dict):
+        raise BlueprintError("blueprint must be a YAML mapping")
+    steps = _validate_pipeline_steps(blueprint.get("pipeline"))
+
+    if "foreach" not in blueprint:
+        return [compose_blueprint(blueprint, lib_dir=lib_dir, asset_resolver=asset_resolver, var_resolver=var_resolver)]
+
+    items = _resolve_foreach_items(blueprint["foreach"], blueprint_dir=blueprint_dir)
+    # Item keys drive `item_map` provenance and per-item output prefixes; a
+    # duplicate id would silently overwrite a map entry and collide outputs.
+    keys = [_item_key(item, index) for index, item in enumerate(items)]
+    dup_keys = sorted({k for k in keys if keys.count(k) > 1})
+    if dup_keys:
+        raise BlueprintError(
+            f"foreach items contain duplicate id/key values: {dup_keys}",
+            hint="ensure each item `id` is unique (or remove duplicate ids)",
+        )
+    base_prefix = str(blueprint.get("output_prefix", "composed"))
+
+    chunk = blueprint.get("chunk")
+    if chunk is None:
+        chunk_size = len(items)
+    else:
+        if not isinstance(chunk, int) or isinstance(chunk, bool) or chunk < 1:
+            raise BlueprintError("`chunk:` must be a positive integer", hint="omit `chunk` for a single graph")
+        chunk_size = chunk
+
+    enumerated = list(enumerate(items))
+    batches = [enumerated[i : i + chunk_size] for i in range(0, len(enumerated), chunk_size)]
+    total_graphs = len(batches)
+
+    results: list[tuple[dict, dict]] = []
+    for batch in batches:
+        pipeline = Pipeline(asset_resolver=asset_resolver, var_resolver=var_resolver)
+        save_actions: list[dict] = []
+        used_fragments: list[str] = []
+        # Per-item provenance: which node ids each foreach item produced, the
+        # auto-appended save node (if any), and the per-item output prefix.
+        # Keys follow the `_item_key` / `_item_prefix` rule so map keys and
+        # output filenames agree. Each graph's map covers only ITS batch.
+        item_map: dict[str, dict] = {}
+        for index, item in batch:
+            ns = _item_namespace(item, index)
+            before = set(pipeline.workflow)
+            final_alias, terminal, frags = _add_branch(pipeline, steps, lib_dir=lib_dir, item=item, ns=ns)
+            used_fragments.extend(frags)
+            prefix = _item_prefix(base_prefix, item, index)
+            sa, save_node = _auto_save(pipeline, final_alias, terminal=terminal, prefix=prefix)
+            if sa:
+                save_actions.append(sa)
+            item_map[_item_key(item, index)] = {
+                "nodes": sorted(set(pipeline.workflow) - before, key=int),
+                "save_node": save_node,
+                "prefix": prefix,
+            }
+        summary = {
+            "steps": len(steps),
+            "items": len(batch),
+            "total_items": len(items),
+            "graphs": total_graphs,
+            "nodes": len(pipeline.workflow),
+            "fragments_used": used_fragments,
+            "save_actions": save_actions,
+            "item_map": item_map,
+        }
+        results.append((pipeline.workflow, summary))
+    return results
diff --git a/comfy_cli/help_json.py b/comfy_cli/help_json.py
new file mode 100644
index 00000000..f8034c13
--- /dev/null
+++ b/comfy_cli/help_json.py
@@ -0,0 +1,169 @@
+"""Machine-readable help for the Typer/Click command tree.
+
+``comfy --help-json`` writes a single JSON document describing every command,
+its options, types, defaults, and examples. The shape is the contract for
+agents that drive the CLI without reading source.
+
+Examples are looked up from ``HELP_EXAMPLES`` (a module-level dict keyed by
+fully-qualified command path) so we can attach one-liners without bloating
+docstrings. Phase 2 will hoist this alongside ``comfy discover`` and add a
+``schemas`` field that points at each command's output schema.
+"""
+
+from __future__ import annotations
+
+from typing import Any
+
+import click
+import typer
+
+# One-liner examples per fully-qualified command path. Agents copy/paste.
+# Keys match the full ``path`` we emit (``"comfy <subcommand> ..."``).
+HELP_EXAMPLES: dict[str, list[str]] = {
+    "comfy env": ["comfy env", "comfy --json env"],
+    "comfy which": ["comfy which", "comfy --json which"],
+    "comfy discover": [
+        "comfy --json discover",
+        "comfy --json discover --schemas-only",
+    ],
+    "comfy query": [
+        "comfy --json query --query 'from nodes select name'",
+        "comfy query --input object_info.json --query 'from nodes where category=\"loaders\"'",
+    ],
+    "comfy auth": ["comfy auth list", "comfy auth set civitai --key ..."],
+    "comfy auth set": ["comfy auth set comfy-cloud --key sk-…"],
+    "comfy auth list": ["comfy auth list", "comfy --json auth list"],
+    "comfy auth remove": ["comfy auth remove civitai"],
+    "comfy install": [
+        "comfy install --nvidia",
+        "comfy install --cpu --skip-manager",
+    ],
+    "comfy launch": [
+        "comfy launch",
+        "comfy launch -- --listen 0.0.0.0 --port 8188",
+    ],
+    "comfy run": [
+        "comfy run --workflow path/to/workflow_api.json",
+        "comfy --json-stream run --workflow path/to/workflow_api.json",
+    ],
+    "comfy stop": ["comfy stop"],
+    "comfy set-default": ["comfy set-default /path/to/ComfyUI"],
+    "comfy update": ["comfy update", "comfy update all"],
+    "comfy standalone": ["comfy standalone"],
+    "comfy feedback": ["comfy feedback"],
+    "comfy model": ["comfy model download --url ..."],
+    "comfy model download": [
+        "comfy model download --url https://civitai.com/api/download/models/12345",
+    ],
+    "comfy node": ["comfy node show installed"],
+    "comfy manager": ["comfy manager disable-gui"],
+}
+
+
+def _param_to_dict(param: click.Parameter) -> dict[str, Any]:
+    info: dict[str, Any] = {
+        "name": param.name,
+        "param_kind": param.param_type_name,  # "option" or "argument"
+        "required": bool(param.required),
+        "hidden": bool(getattr(param, "hidden", False)),
+        "default": _coerce_default(param.default),
+        "help": getattr(param, "help", None),
+        "is_flag": bool(getattr(param, "is_flag", False)),
+        "multiple": bool(getattr(param, "multiple", False)),
+    }
+    type_info = _type_to_dict(param.type)
+    info["type"] = type_info["type"]
+    if "choices" in type_info:
+        info["choices"] = type_info["choices"]
+    # Duck-type "is this an option?" via ``param_type_name`` rather than
+    # ``isinstance(param, click.Option)``: typer >= 0.13 ships ``TyperOption`` /
+    # ``TyperArgument`` whose MRO is ``-> click.Parameter`` (they no longer
+    # subclass click.Option/Argument), so the isinstance check silently dropped
+    # ``flags``/``envvar`` from every option in the help JSON contract.
+    if param.param_type_name == "option":
+        info["flags"] = list(param.opts) + list(param.secondary_opts)
+        info["envvar"] = param.envvar
+    return info
+
+
+def _type_to_dict(t: click.ParamType) -> dict[str, Any]:
+    name = getattr(t, "name", t.__class__.__name__).lower()
+    out: dict[str, Any] = {"type": name}
+    if isinstance(t, click.Choice):
+        out["choices"] = list(t.choices)
+    return out
+
+
+def _coerce_default(default: Any) -> Any:
+    # Typer wraps defaults in OptionInfo / ArgumentInfo; unwrap.
+    if hasattr(default, "default"):
+        default = default.default
+    if callable(default):
+        return None
+    if default is ... or default is None:
+        return None
+    try:
+        import json
+
+        json.dumps(default)
+        return default
+    except TypeError:
+        return str(default)
+
+
+def _command_to_dict(cmd: click.Command, *, path: list[str]) -> dict[str, Any]:
+    fqp = " ".join(path)
+    params = [_param_to_dict(p) for p in cmd.params]
+    entry: dict[str, Any] = {
+        "name": cmd.name,
+        "path": fqp,
+        "help": (cmd.help or "").strip() or None,
+        "short_help": (cmd.short_help or "").strip() or None,
+        "hidden": bool(getattr(cmd, "hidden", False)),
+        "params": params,
+        "examples": HELP_EXAMPLES.get(fqp, []),
+    }
+    # Duck-type the group capability instead of ``isinstance(cmd, click.Group)``.
+    # typer >= 0.13 / click >= 8.2 ship a ``TyperGroup`` that no longer subclasses
+    # ``click.Group`` (its MRO is ``TyperGroup -> click.Command``), so the isinstance
+    # check silently returned no subcommands and produced an empty command tree.
+    if hasattr(cmd, "list_commands") and hasattr(cmd, "get_command"):
+        subs: dict[str, Any] = {}
+        for sub_name in sorted(cmd.list_commands(ctx=None)):  # type: ignore[arg-type]
+            sub = cmd.get_command(None, sub_name)  # type: ignore[arg-type]
+            if sub is None:
+                continue
+            subs[sub_name] = _command_to_dict(sub, path=path + [sub_name])
+        entry["subcommands"] = subs
+    return entry
+
+
+def build_help_json(app: typer.Typer, *, prog_name: str = "comfy") -> dict[str, Any]:
+    """Walk the Typer app and produce a help JSON document."""
+    click_command = typer.main.get_command(app)
+    root = _command_to_dict(click_command, path=[prog_name])
+    return {
+        "prog": prog_name,
+        "commands": root.get("subcommands", {}),
+        "root": {
+            "help": root.get("help"),
+            "params": root.get("params", []),
+        },
+    }
+
+
+def iter_command_paths(app: typer.Typer, *, prog_name: str = "comfy") -> list[str]:
+    """Return every leaf-command path as a flat list. Useful for tests."""
+    doc = build_help_json(app, prog_name=prog_name)
+    out: list[str] = []
+
+    def walk(node: dict[str, Any], path: list[str]) -> None:
+        subs = node.get("subcommands")
+        if subs:
+            for name, child in subs.items():
+                walk(child, path + [name])
+        else:
+            out.append(" ".join(path))
+
+    walk({"subcommands": doc["commands"]}, [prog_name])
+    return out
diff --git a/comfy_cli/jobs_state.py b/comfy_cli/jobs_state.py
new file mode 100644
index 00000000..2758125d
--- /dev/null
+++ b/comfy_cli/jobs_state.py
@@ -0,0 +1,185 @@
+"""On-disk state for in-flight workflow runs.
+
+When ``comfy run`` submits a workflow (the default, non-blocking path), the
+prompt's lifecycle state lives in ``<state-dir>/jobs/<prompt_id>.json``. A
+detached watcher subprocess updates the file as the job progresses; any
+agent or shell session can ``cat`` it to find the current status, outputs,
+or error — no second API call needed.
+
+State-file contract (the same shape across local and cloud):
+
+    {
+      "prompt_id": "...",
+      "client_id": "...",
+      "workflow": "/abs/path/to/x.json",
+      "where": "local" | "cloud",
+      "host": "127.0.0.1" | null,
+      "port": 8188 | null,
+      "base_url": "https://..." | null,
+      "submitted_at": "<iso8601>",
+      "updated_at": "<iso8601>",
+      "completed_at": "<iso8601>" | null,
+      "status": "queued" | "running" | "completed" | "error" | "cancelled",
+      "outputs": [<url>, ...],
+      "error": {"code": "...", "message": "...", "details": {...}} | null,
+      "watcher_pid": <int> | null,
+      "record": {<full final cloud history record>} | null,
+      "item_map": {<item>: {"nodes": [...], "save_node": "...", "prefix": "..."}} | null
+    }
+
+``record`` is the node-keyed history record stashed when a cloud job reaches
+a terminal state; ``item_map`` maps blueprint foreach items to the node ids
+they produced (written at submit by ``comfy run``). Both are null for older
+files and local runs — readers must tolerate their absence.
+
+Terminal states (``completed``, ``error``, ``cancelled``) mean the file
+won't change further; agents can stop polling.
+"""
+
+from __future__ import annotations
+
+import json
+import os
+import re
+import secrets as _secrets
+from dataclasses import asdict, dataclass, field
+from datetime import datetime, timezone
+from pathlib import Path
+from typing import Any
+
+from comfy_cli import constants, locking
+from comfy_cli.utils import get_os
+
+TERMINAL_STATUSES = frozenset({"completed", "error", "cancelled"})
+
+
+def state_dir() -> Path:
+    """Return ``<config-root>/jobs`` and ensure it exists with safe mode."""
+    base = Path(constants.DEFAULT_CONFIG[get_os()]) / "jobs"
+    base.mkdir(parents=True, exist_ok=True, mode=0o700)
+    return base
+
+
+_SAFE_PROMPT_ID = re.compile(r"^[a-zA-Z0-9_\-]{1,128}$")
+
+
+def state_path(prompt_id: str) -> Path:
+    """Canonical path for one prompt's state file."""
+    safe = prompt_id.replace("/", "_").replace("\\", "_")
+    if not _SAFE_PROMPT_ID.match(safe):
+        raise ValueError(f"unsafe prompt_id: {prompt_id!r}")
+    return state_dir() / f"{safe}.json"
+
+
+@dataclass
+class JobState:
+    prompt_id: str
+    client_id: str | None
+    workflow: str
+    where: str
+    host: str | None = None
+    port: int | None = None
+    base_url: str | None = None
+    submitted_at: str = ""
+    updated_at: str = ""
+    completed_at: str | None = None
+    status: str = "queued"
+    outputs: list[Any] = field(default_factory=list)
+    error: dict[str, Any] | None = None
+    watcher_pid: int | None = None
+    # Full final cloud history record (node-keyed outputs), stashed at terminal.
+    record: dict[str, Any] | None = None
+    # foreach item -> {"nodes": [...], "save_node": ..., "prefix": ...} map,
+    # written at submit time by `comfy run` for composed workflows.
+    item_map: dict[str, Any] | None = None
+
+    @property
+    def is_terminal(self) -> bool:
+        return self.status in TERMINAL_STATUSES
+
+    def to_dict(self) -> dict[str, Any]:
+        return asdict(self)
+
+
+def _now_iso() -> str:
+    return datetime.now(timezone.utc).isoformat(timespec="seconds")
+
+
+def write(state: JobState) -> Path | None:
+    """Atomically write a state file. Returns the path (or ``None`` if the
+    write was skipped because ``prompt_id`` wasn't a sane string).
+
+    The string-check is defensive against tests that mock WorkflowExecution
+    and let MagicMock prompt_ids slip through. Real users always have
+    real prompt_ids (UUIDs from the server), so this is a no-op in
+    practice.
+    """
+    if not isinstance(state.prompt_id, str) or not state.prompt_id.strip():
+        return None
+    state.updated_at = _now_iso()
+    if state.is_terminal and state.completed_at is None:
+        state.completed_at = state.updated_at
+    path = state_path(state.prompt_id)
+    # Lock per-file so a watcher and a foreground update can't tear each
+    # other's writes.
+    with locking.file_lock(path.with_suffix(".lock")):
+        tmp = path.with_suffix(f".{os.getpid()}.{_secrets.token_hex(4)}.tmp")
+        tmp.write_text(json.dumps(state.to_dict(), indent=2, default=str), encoding="utf-8")
+        # fsync for durability before atomic rename
+        try:
+            fd = os.open(str(tmp), os.O_RDONLY)
+            try:
+                os.fsync(fd)
+            finally:
+                os.close(fd)
+        except OSError:
+            pass
+        os.replace(tmp, path)
+    return path
+
+
+def read(prompt_id: str) -> JobState | None:
+    """Read a state file. Returns None if the file doesn't exist."""
+    path = state_path(prompt_id)
+    if not path.exists():
+        return None
+    try:
+        data = json.loads(path.read_text(encoding="utf-8"))
+    except (OSError, json.JSONDecodeError):
+        return None
+    if not isinstance(data, dict):
+        return None
+    # Tolerant load: drop unknown keys, fill defaults for missing ones.
+    known = {f.name for f in JobState.__dataclass_fields__.values()}
+    filtered = {k: v for k, v in data.items() if k in known}
+    try:
+        return JobState(**filtered)
+    except TypeError:
+        # Required fields missing (e.g. truncated/legacy file) — treat as absent.
+        return None
+
+
+def new(
+    prompt_id: str,
+    *,
+    client_id: str | None,
+    workflow: str,
+    where: str,
+    host: str | None = None,
+    port: int | None = None,
+    base_url: str | None = None,
+) -> JobState:
+    """Build a fresh JobState in ``queued`` status. Call ``write()`` to persist."""
+    now = _now_iso()
+    return JobState(
+        prompt_id=prompt_id,
+        client_id=client_id,
+        workflow=workflow,
+        where=where,
+        host=host,
+        port=port,
+        base_url=base_url,
+        submitted_at=now,
+        updated_at=now,
+        status="queued",
+    )
diff --git a/comfy_cli/locking.py b/comfy_cli/locking.py
new file mode 100644
index 00000000..3027144a
--- /dev/null
+++ b/comfy_cli/locking.py
@@ -0,0 +1,154 @@
+"""Cross-platform exclusive file locking.
+
+Used by ConfigManager (Phase 1 audit) and secrets.bin (Phase 5). Picks the
+right primitive per OS:
+- Unix: fcntl.flock
+- Windows: msvcrt.locking with a fixed byte range
+
+Locks are advisory and process-scoped. Concurrent writers in different
+processes serialize on the same lock file. Within a process, callers should
+combine this with their own threading.Lock if needed.
+"""
+
+from __future__ import annotations
+
+import contextlib
+import os
+import sys
+import threading
+from collections.abc import Iterator
+from pathlib import Path
+
+# Per-thread reentrancy bookkeeping. ``fcntl.flock`` locks are tied to the open
+# file *description*, so a single thread that opens the same lock file twice
+# (different fds) and tries to take LOCK_EX on both would block on itself —
+# a self-deadlock. That happens for real in the OAuth refresh path:
+# ``ensure_fresh_session`` holds the secrets lock and then calls
+# ``auth_store.get_cloud_session`` / ``save_cloud_session``, which each lock the
+# same file. We make ``file_lock`` reentrant within one thread so those nested
+# acquisitions are cheap no-ops and only the outermost frame touches the OS
+# lock. Cross-process serialization is unchanged.
+_reentrant = threading.local()
+
+
+def _held_depths() -> dict[str, int]:
+    depths = getattr(_reentrant, "depths", None)
+    if depths is None:
+        depths = {}
+        _reentrant.depths = depths
+    return depths
+
+
+def _lock_key(p: Path) -> str:
+    # realpath collapses symlinks / .. so two spellings of the same file share
+    # one reentrancy counter. Works even when the file doesn't exist yet.
+    return os.path.realpath(str(p))
+
+
+@contextlib.contextmanager
+def file_lock(path: str | os.PathLike[str], *, timeout: float | None = None) -> Iterator[None]:
+    """Acquire an exclusive lock on ``path`` (created if absent).
+
+    ``timeout`` is a best-effort upper bound; on platforms that don't support
+    non-blocking acquire with timeout we block indefinitely.
+
+    Reentrant within a single thread: nesting the same path returns
+    immediately without re-acquiring the OS lock (and the lock is only released
+    when the outermost frame exits).
+
+    Note: ``fcntl.flock`` on NFS is silently a no-op on many configurations
+    (the lock isn't propagated to the NFS server). Lock files that need
+    cross-host serialization should use a different primitive. We keep flock
+    for the local case and warn lazily if we detect we're on NFS.
+    """
+    p = Path(path)
+    key = _lock_key(p)
+    depths = _held_depths()
+    if depths.get(key, 0) > 0:
+        # Already held by this thread — reentrant no-op.
+        depths[key] += 1
+        try:
+            yield
+        finally:
+            depths[key] -= 1
+            if depths[key] == 0:
+                del depths[key]
+        return
+    p.parent.mkdir(parents=True, exist_ok=True, mode=0o700)
+    # Open in append-binary so we don't truncate any existing payload; the
+    # lock byte-range is at offset 0 and doesn't affect data.
+    fd = os.open(p, os.O_CREAT | os.O_RDWR, 0o600)
+    # Re-tighten perms if the file existed with looser mode (covers the case
+    # where an older build wrote the lock file world-readable). ``os.fchmod`` is
+    # POSIX-only — it doesn't exist on Windows (which uses ACLs, not mode bits),
+    # so guard on the attribute to avoid an AttributeError there.
+    if hasattr(os, "fchmod"):
+        try:
+            os.fchmod(fd, 0o600)
+        except OSError:
+            pass
+    try:
+        _acquire(fd, timeout=timeout)
+        depths[key] = 1
+        try:
+            yield
+        finally:
+            depths.pop(key, None)
+            _release(fd)
+    finally:
+        os.close(fd)
+
+
+if sys.platform == "win32":
+    import msvcrt  # type: ignore[import-not-found]
+
+    def _acquire(fd: int, *, timeout: float | None) -> None:  # pragma: no cover - platform branch
+        # Lock a single byte at offset 0. msvcrt has no native timeout, so we
+        # spin with short non-blocking attempts.
+        import time
+
+        deadline = None if timeout is None else (time.monotonic() + timeout)
+        while True:
+            try:
+                # Lock/unlock are relative to the file position; seek to 0 so
+                # _acquire and _release always target the same byte (mirrors
+                # _release) even if the fd position ever drifts.
+                os.lseek(fd, 0, os.SEEK_SET)
+                msvcrt.locking(fd, msvcrt.LK_NBLCK, 1)
+                return
+            except OSError:
+                if deadline is not None and time.monotonic() >= deadline:
+                    raise TimeoutError(f"failed to acquire lock within {timeout}s") from None
+                time.sleep(0.05)
+
+    def _release(fd: int) -> None:  # pragma: no cover - platform branch
+        try:
+            os.lseek(fd, 0, os.SEEK_SET)
+            msvcrt.locking(fd, msvcrt.LK_UNLCK, 1)
+        except OSError:
+            pass
+
+else:
+    import fcntl
+
+    def _acquire(fd: int, *, timeout: float | None) -> None:
+        if timeout is None:
+            fcntl.flock(fd, fcntl.LOCK_EX)
+            return
+        import time
+
+        deadline = time.monotonic() + timeout
+        while True:
+            try:
+                fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
+                return
+            except BlockingIOError:
+                if time.monotonic() >= deadline:
+                    raise TimeoutError(f"failed to acquire lock within {timeout}s") from None
+                time.sleep(0.05)
+
+    def _release(fd: int) -> None:
+        try:
+            fcntl.flock(fd, fcntl.LOCK_UN)
+        except OSError:
+            pass
diff --git a/comfy_cli/output/__init__.py b/comfy_cli/output/__init__.py
new file mode 100644
index 00000000..c8b6e7fe
--- /dev/null
+++ b/comfy_cli/output/__init__.py
@@ -0,0 +1,36 @@
+"""Output rendering for comfy-cli.
+
+Two audiences, one CLI: humans see Rich-formatted output; agents see JSON envelopes.
+The same code path produces both. The mode is decided once at command entry by
+`Renderer.resolve(...)` and stored as a process-wide singleton via `set_renderer`.
+
+Migration policy (Phase 1):
+- Every existing ``from rich import print as rprint`` becomes
+  ``from comfy_cli.output import rprint``. The shim suppresses stdout in JSON
+  mode (redirecting to stderr so logs are still visible) and is byte-identical
+  to rprint in pretty mode.
+- Commands that produce a structured result emit a final envelope with
+  ``renderer.emit(data)``. This is the *only* thing on stdout in JSON mode.
+- Streaming commands emit ``renderer.event(type, **fields)`` events; one
+  NDJSON object per line.
+"""
+
+from comfy_cli.output.renderer import (
+    OutputMode,
+    Renderer,
+    get_renderer,
+    set_renderer,
+)
+from comfy_cli.output.rich_compat import (
+    console_print,
+    rprint,
+)
+
+__all__ = [
+    "OutputMode",
+    "Renderer",
+    "console_print",
+    "get_renderer",
+    "rprint",
+    "set_renderer",
+]
diff --git a/comfy_cli/output/branding.py b/comfy_cli/output/branding.py
new file mode 100644
index 00000000..4fd31aea
--- /dev/null
+++ b/comfy_cli/output/branding.py
@@ -0,0 +1,447 @@
+"""Branded output — wordmark, gradient text, welcome card.
+
+Used after ``comfy cloud login`` succeeds and on ``comfy cloud whoami`` so the
+human moment of "I just signed into Comfy Cloud" looks like a product, not
+a JSON envelope.
+
+Design references:
+    - comfy.org brand: orange → pink gradient, modern, minimal
+    - Rich truecolor support: every modern terminal does ``#rrggbb`` styles;
+      Rich downgrades to the closest ANSI color if it doesn't.
+"""
+
+from __future__ import annotations
+
+import time
+from typing import Any
+
+from rich.align import Align
+from rich.console import Group
+from rich.panel import Panel
+from rich.rule import Rule
+from rich.table import Table
+from rich.text import Text
+
+# ---------------------------------------------------------------------------
+# Brand palette — matches the comfy.org orange→pink wordmark.
+# ---------------------------------------------------------------------------
+
+BRAND_START = "#FF6E00"  # orange
+BRAND_END = "#FF1B6B"  # pink/magenta
+BRAND_ACCENT = "#FFAA33"  # warm amber, for accents
+
+
+# The single tagline used on the welcome banner. Centralized here so a future
+# rename happens in one place and the per-command panels (which intentionally
+# don't repeat it) stay consistent.
+TAGLINE = "the agent-aware ComfyUI CLI"
+
+
+def branded_panel(
+    body,
+    *,
+    title: str,
+    version: str,
+    where: str | None = None,
+    host: str | None = None,
+    padding: tuple[int, int] = (1, 2),
+) -> Panel:
+    """The canonical Panel wrapper for every pretty-mode screen.
+
+    title    → left-aligned command name (e.g. ``env``, ``jobs``, ``comfy cloud``).
+    subtitle → right-aligned, always starts with ``comfy CLI v<version>`` and
+               optionally carries routing context. See "Cross-Task Contracts"
+               in ``docs/superpowers/plans/2026-05-19-cli-ux-consistency.md``.
+
+    Subtitle composition:
+      - Always ``comfy CLI v<version>``.
+      - If ``where`` is set, append ``  ·  {where}`` (double-space + dot — same
+        weight as the welcome banner uses for its tagline divider).
+      - If ``host`` is set, append `` · {host}`` (single-space, since it's a
+        sub-qualifier of ``where``). When ``where`` is absent ``host`` rides
+        alone behind a single dot.
+    """
+    parts = [f"comfy CLI v{version}"]
+    if where:
+        parts.append(f"  ·  {where}")
+    if host:
+        parts.append(f" · {host}")
+    subtitle = "".join(parts)
+    return Panel(
+        body,
+        title=Text(title, style=f"bold {BRAND_START}"),
+        subtitle=Text(subtitle, style="dim"),
+        title_align="left",
+        subtitle_align="right",
+        border_style=BRAND_START,
+        padding=padding,
+    )
+
+
+def cli_footer(*, version: str, where: str | None = None) -> Text:
+    """Right-aligned, dim subtitle used as the pretty-mode brand signature.
+
+    Every pretty rendering that *isn't* already a Panel should print this
+    after its primary output so the human always knows which tool / version /
+    routing target produced what they're looking at.
+    """
+    suffix = f"  ·  {where}" if where else ""
+    return Text(f"comfy CLI v{version}{suffix}", style="dim", justify="right")
+
+
+# ---------------------------------------------------------------------------
+# Wordmark — handcrafted 5-row block art, kept narrow enough for an 80-col tty
+# ---------------------------------------------------------------------------
+
+_WORDMARK_ROWS = [
+    " ████   ████  ██   ██ █████  ██  ██",
+    "██     ██  ██ ███ ███ ██      ████ ",
+    "██     ██  ██ ██ █ ██ ████     ██  ",
+    "██     ██  ██ ██   ██ ██       ██  ",
+    " ████   ████  ██   ██ ██       ██  ",
+]
+
+
+# ---------------------------------------------------------------------------
+# Gradient helpers
+# ---------------------------------------------------------------------------
+
+
+def _hex_to_rgb(hex_color: str) -> tuple[int, int, int]:
+    h = hex_color.lstrip("#")
+    return int(h[0:2], 16), int(h[2:4], 16), int(h[4:6], 16)
+
+
+def _rgb_to_hex(r: int, g: int, b: int) -> str:
+    return f"#{max(0, min(255, r)):02x}{max(0, min(255, g)):02x}{max(0, min(255, b)):02x}"
+
+
+def _lerp_color(a: tuple[int, int, int], b: tuple[int, int, int], t: float) -> tuple[int, int, int]:
+    return (
+        int(a[0] + (b[0] - a[0]) * t),
+        int(a[1] + (b[1] - a[1]) * t),
+        int(a[2] + (b[2] - a[2]) * t),
+    )
+
+
+def gradient_text(
+    text: str,
+    *,
+    start: str = BRAND_START,
+    end: str = BRAND_END,
+    bold: bool = True,
+) -> Text:
+    """Render ``text`` so each character is colored along a linear gradient.
+
+    Whitespace is rendered uncolored so the gradient lands on glyphs only.
+    """
+    sa = _hex_to_rgb(start)
+    sb = _hex_to_rgb(end)
+    visible_indices = [i for i, ch in enumerate(text) if not ch.isspace()]
+    out = Text()
+    n = max(len(visible_indices) - 1, 1)
+    pos = 0
+    for i, ch in enumerate(text):
+        if ch.isspace():
+            out.append(ch)
+            continue
+        t = pos / n
+        rgb = _lerp_color(sa, sb, t)
+        style = f"bold {_rgb_to_hex(*rgb)}" if bold else _rgb_to_hex(*rgb)
+        out.append(ch, style=style)
+        pos += 1
+    return out
+
+
+def gradient_block(
+    rows: list[str],
+    *,
+    start: str = BRAND_START,
+    end: str = BRAND_END,
+) -> Text:
+    """Apply a top-to-bottom gradient to a multi-line block of text.
+
+    Each *row* gets a single color, interpolated from start to end. Looks
+    cleaner than per-character gradient for chunky block letters.
+    """
+    sa = _hex_to_rgb(start)
+    sb = _hex_to_rgb(end)
+    n = max(len(rows) - 1, 1)
+    out = Text()
+    last = len(rows) - 1
+    for i, row in enumerate(rows):
+        t = i / n
+        rgb = _lerp_color(sa, sb, t)
+        style = f"bold {_rgb_to_hex(*rgb)}"
+        if i < last:
+            out.append(row + "\n", style=style)
+        else:
+            out.append(row, style=style)
+    return out
+
+
+# ---------------------------------------------------------------------------
+# Time formatting
+# ---------------------------------------------------------------------------
+
+
+def _humanize_relative(expires_at: int | None) -> str:
+    if expires_at is None:
+        return "unknown"
+    delta = int(expires_at) - int(time.time())
+    if delta < 0:
+        return f"expired {_humanize_seconds(-delta)} ago"
+    return f"in {_humanize_seconds(delta)}"
+
+
+def _humanize_seconds(s: int) -> str:
+    if s < 60:
+        return f"{s}s"
+    if s < 3600:
+        return f"{s // 60}m {s % 60}s"
+    h, rem = divmod(s, 3600)
+    return f"{h}h {rem // 60}m"
+
+
+# ---------------------------------------------------------------------------
+# Welcome banner — the big one, shown after auth login success
+# ---------------------------------------------------------------------------
+
+
+def welcome_banner(
+    *,
+    base_url: str,
+    scope: str,
+    client_id: str,
+    expires_at: int | None,
+    cta: str | None = None,
+) -> Panel:
+    """The post-login banner. Gradient wordmark + 'CLOUD' subtitle + info.
+
+    Layout::
+
+        ╭──────────────────────────────────────────────────────╮
+        │                                                      │
+        │   <gradient COMFY block>                             │
+        │                  C L O U D                           │
+        │                                                      │
+        │   ✓ Signed in                                        │
+        │     Scope      …                                     │
+        │     Expires    in 59m 58s · 2026-05-15T05:00         │
+        │     Client     comfy-cli                              │
+        │                                                      │
+        │   → comfy run …                                      │
+        │                                                      │
+        ╰─────────── testcloud.comfy.org ──────────────────────╯
+    """
+    wordmark = gradient_block(_WORDMARK_ROWS)
+    subtitle = Text("C  L  O  U  D", style=f"dim {BRAND_END}", justify="center")
+
+    info_tbl = Table.grid(padding=(0, 2), expand=False)
+    info_tbl.add_column(justify="right", style="dim", no_wrap=True)
+    info_tbl.add_column(overflow="fold")
+    info_tbl.add_row("Scope", Text(scope, style="white"))
+    info_tbl.add_row(
+        "Access token",
+        Text.assemble(
+            (_humanize_relative(expires_at), f"bold {BRAND_ACCENT}"),
+            ("   ", ""),
+            (_iso(expires_at), "dim"),
+        ),
+    )
+    info_tbl.add_row("", Text("renews automatically while you keep using the CLI", style="dim"))
+    info_tbl.add_row("Client", Text(client_id, style="white"))
+
+    signed_in_line = Text.assemble(
+        ("✓ ", "bold green"),
+        ("Signed in to Comfy Cloud", "bold white"),
+    )
+
+    body_parts: list[Any] = [
+        Align.center(wordmark),
+        Align.center(subtitle),
+        Text(""),
+        signed_in_line,
+        Text(""),
+        info_tbl,
+    ]
+    if cta:
+        body_parts.append(Text(""))
+        body_parts.append(
+            Text.assemble(
+                ("→ ", f"bold {BRAND_ACCENT}"),
+                (cta, "yellow"),
+            )
+        )
+
+    return Panel(
+        Group(*body_parts),
+        title=Text("", style=""),  # no top title — wordmark is the brand
+        subtitle=Text(_pretty_host(base_url), style="dim"),
+        subtitle_align="right",
+        border_style=BRAND_START,
+        padding=(1, 3),
+    )
+
+
+def whoami_banner(
+    *,
+    base_url: str,
+    scope: str,
+    client_id: str,
+    expires_at: int | None,
+    expired: bool,
+    version: str = "",
+) -> Panel:
+    """A compact branded card for ``comfy cloud whoami`` when active.
+
+    Smaller than the post-login banner (no big wordmark) — but still uses
+    the brand gradient on the header and the same info table.
+    """
+    header = gradient_text("comfy cloud", bold=True)
+    status = (
+        Text.assemble(("⚠ ", "bold yellow"), ("expired", "bold yellow"))
+        if expired
+        else Text.assemble(("✓ ", "bold green"), ("active", "bold green"))
+    )
+
+    head_line = Text.assemble(header, ("   ", ""), status)
+
+    info_tbl = Table.grid(padding=(0, 2), expand=False)
+    info_tbl.add_column(justify="right", style="dim", no_wrap=True)
+    info_tbl.add_column(overflow="fold")
+    info_tbl.add_row("Scope", Text(scope, style="white"))
+    info_tbl.add_row(
+        "Access token",
+        Text.assemble(
+            (_humanize_relative(expires_at), f"bold {BRAND_ACCENT}"),
+            ("   ", ""),
+            (_iso(expires_at), "dim"),
+        ),
+    )
+    if not expired:
+        info_tbl.add_row("", Text("renews automatically while you keep using the CLI", style="dim"))
+    info_tbl.add_row("Client", Text(client_id, style="white"))
+
+    return branded_panel(
+        Group(head_line, Text(""), info_tbl),
+        title="comfy cloud",
+        version=version,
+        host=_pretty_host(base_url),
+        padding=(0, 2),
+    )
+
+
+def intro_banner(
+    *,
+    version: str,
+    signed_in: bool,
+    base_url: str,
+    update_hint: str | None = None,
+) -> Panel:
+    """The branded landing screen shown when a user types just ``comfy``.
+
+    Gradient wordmark + quick-start list + sign-in status. Pretty mode only;
+    JSON callers will hit the help schema or ``discover`` paths.
+    """
+    wordmark = gradient_block(_WORDMARK_ROWS)
+    tagline = Text(
+        TAGLINE,
+        style=f"dim {BRAND_END}",
+        justify="center",
+    )
+
+    # Quick start: command + one-line description
+    qs = Table.grid(padding=(0, 3), expand=False)
+    qs.add_column(style="bold white", no_wrap=True)
+    qs.add_column(style="dim", overflow="fold")
+    qs.add_row("comfy install", "install ComfyUI")
+    qs.add_row("comfy launch", "start the local server")
+    qs.add_row("comfy cloud login", "sign in to Comfy Cloud")
+    qs.add_row("comfy discover", "the agent-facing surface")
+    qs.add_row("comfy --help", "everything else")
+
+    if signed_in:
+        cloud_line = Text.assemble(
+            ("Cloud  ", "dim"),
+            ("✓ signed in", "bold green"),
+            ("   ", ""),
+            (_pretty_host(base_url), "dim"),
+        )
+    else:
+        cloud_line = Text.assemble(
+            ("Cloud  ", "dim"),
+            ("– not signed in", "dim"),
+            ("   ", ""),
+            ("→ ", f"bold {BRAND_ACCENT}"),
+            ("comfy cloud login", "yellow"),
+        )
+
+    rows = [
+        Align.center(wordmark),
+        Align.center(tagline),
+        Text(""),
+        Rule(style=BRAND_END),
+        Text(""),
+        Text("Quick start", style=f"bold {BRAND_ACCENT}"),
+        qs,
+        Text(""),
+        cloud_line,
+    ]
+    if update_hint:
+        rows.append(
+            Text.assemble(
+                ("Update ", "dim"),
+                (f"v{update_hint} available", f"bold {BRAND_ACCENT}"),
+                ("   → ", f"bold {BRAND_ACCENT}"),
+                ("comfy update cli", "yellow"),
+            )
+        )
+    body = Group(*rows)
+    return Panel(
+        body,
+        subtitle=Text(f"comfy CLI v{version}", style="dim"),
+        subtitle_align="right",
+        border_style=BRAND_START,
+        padding=(1, 3),
+    )
+
+
+def signed_out_banner(*, base_url: str, version: str = "") -> Panel:
+    """Tiny branded card for whoami when not signed in."""
+    body = Group(
+        Text("not signed in", style="dim"),
+        Text(""),
+        Text.assemble(
+            ("→ ", f"bold {BRAND_ACCENT}"),
+            ("comfy cloud login", "yellow"),
+        ),
+    )
+    return branded_panel(
+        body,
+        title="comfy cloud",
+        version=version,
+        host=_pretty_host(base_url),
+        padding=(0, 2),
+    )
+
+
+# ---------------------------------------------------------------------------
+# Internals
+# ---------------------------------------------------------------------------
+
+
+def _iso(expires_at: int | None) -> str:
+    if expires_at is None:
+        return ""
+    try:
+        from datetime import datetime, timezone
+
+        return datetime.fromtimestamp(expires_at, tz=timezone.utc).isoformat(timespec="seconds")
+    except (OSError, OverflowError, ValueError):
+        return ""
+
+
+def _pretty_host(url: str) -> str:
+    # Strip scheme for the panel subtitle — looks cleaner.
+    return url.replace("https://", "").replace("http://", "").rstrip("/")
diff --git a/comfy_cli/output/glyphs.py b/comfy_cli/output/glyphs.py
new file mode 100644
index 00000000..c09cee2f
--- /dev/null
+++ b/comfy_cli/output/glyphs.py
@@ -0,0 +1,58 @@
+"""Tiny shared vocabulary for status icons + colors across pretty-mode output.
+
+One source of truth so a queued job looks the same in ``comfy run``,
+``comfy jobs ls``, and ``comfy jobs watch``. Easy to swap if the brand
+changes; easy to teach an agent ("✓ means completed everywhere").
+"""
+
+from __future__ import annotations
+
+# (glyph, rich-style) per terminal status. Mirrors the JobStatus enum from
+# the architecture doc; new statuses must be added here.
+STATUS_STYLE: dict[str, tuple[str, str]] = {
+    "queued": ("⏳", "cyan"),
+    "running": ("◐", "yellow"),
+    "completed": ("✓", "bold green"),
+    "error": ("✗", "bold red"),
+    "cancelled": ("⊘", "yellow"),
+    "pending": ("⏳", "cyan"),  # alias used by cloud
+}
+
+DEFAULT_STYLE: tuple[str, str] = ("·", "dim")
+
+
+# Cloud's raw status vocabulary (``executing``, ``success``, ``failed``,
+# ``non_retryable_error``, ``retryable_error``) doesn't match the small set
+# above. Canonicalize at the rendering boundary so users see one stable set
+# regardless of whether the prompt ran on a local server or Comfy Cloud.
+_CLOUD_ALIASES = {
+    "executing": "running",
+    "success": "completed",
+    "failed": "error",
+    "non_retryable_error": "error",
+    "retryable_error": "error",
+}
+
+
+def _canonical(status: str | None) -> str:
+    raw = (status or "").strip().lower()
+    return _CLOUD_ALIASES.get(raw, raw)
+
+
+def status_glyph(status: str | None) -> str:
+    """Return ``"<glyph> <status>"`` styled with Rich tags.
+
+    Cloud aliases collapse to the local-style vocabulary before lookup —
+    no raw ``non_retryable_error`` or ``executing`` strings leak into
+    the pretty surface.
+    """
+    canonical = _canonical(status)
+    glyph, style = STATUS_STYLE.get(canonical, DEFAULT_STYLE)
+    return f"[{style}]{glyph} {canonical or 'unknown'}[/{style}]"
+
+
+def glyph_only(status: str | None) -> str:
+    """Return just the colored glyph, no label — handy for tight tables."""
+    canonical = _canonical(status)
+    glyph, style = STATUS_STYLE.get(canonical, DEFAULT_STYLE)
+    return f"[{style}]{glyph}[/{style}]"
diff --git a/comfy_cli/output/panels.py b/comfy_cli/output/panels.py
new file mode 100644
index 00000000..eaf722ba
--- /dev/null
+++ b/comfy_cli/output/panels.py
@@ -0,0 +1,318 @@
+"""Pretty-mode panel builders for the agent-aware commands.
+
+Centralizes the Rich rendering for the new commands (``discover``, ``which``,
+``auth list``) and the structured error path so the human surface matches the
+quality of the existing ``install`` / ``launch`` / ``env`` flows.
+
+Every helper returns a Rich renderable — the renderer is responsible for
+choosing the right Console (stdout in pretty mode, stderr in JSON mode).
+"""
+
+from __future__ import annotations
+
+from collections.abc import Mapping, Sequence
+from typing import Any
+
+from rich.console import Group
+from rich.panel import Panel
+from rich.table import Table
+from rich.text import Text
+
+_TARGET_DIM_CHAR = "·"
+
+
+def _kv_table(rows: Sequence[tuple[str, str]], *, label_style: str = "bold cyan", value_style: str = "") -> Table:
+    """Two-column borderless table used inside panels to align label/value rows."""
+    tbl = Table.grid(padding=(0, 2), expand=False)
+    tbl.add_column(justify="right", style=label_style, no_wrap=True)
+    tbl.add_column(style=value_style, overflow="fold")
+    for label, value in rows:
+        tbl.add_row(label, value)
+    return tbl
+
+
+# ---------------------------------------------------------------------------
+# Error panel
+# ---------------------------------------------------------------------------
+
+
+def error_panel(
+    *,
+    code: str,
+    message: str,
+    hint: str | None = None,
+    details: Mapping[str, Any] | None = None,
+) -> Panel:
+    """Render an error as a red-bordered Rich Panel.
+
+    Layout::
+
+        ╭─ error · <code> ─────────────────────────────────────────────╮
+        │ <message>                                                     │
+        │                                                               │
+        │ → <hint>                                                      │
+        │ details:                                                      │
+        │   key=value                                                   │
+        ╰───────────────────────────────────────────────────────────────╯
+    """
+    body: list[Any] = [Text(message, style="white")]
+    if hint:
+        body.append(Text(""))
+        body.append(Text.assemble(("→ ", "bold yellow"), (hint, "yellow")))
+    if details:
+        body.append(Text(""))
+        body.append(Text("details:", style="dim"))
+        rows = []
+        for k, v in details.items():
+            if v is None:
+                continue
+            rows.append((str(k), str(v)))
+        if rows:
+            body.append(_kv_table(rows, label_style="dim", value_style="dim"))
+    return Panel(
+        Group(*body),
+        title=Text.assemble(("error", "bold red"), (f" {_TARGET_DIM_CHAR} ", "dim"), (code, "red")),
+        title_align="left",
+        border_style="red",
+        padding=(0, 1),
+    )
+
+
+# ---------------------------------------------------------------------------
+# Discover panel
+# ---------------------------------------------------------------------------
+
+
+def discover_panel(doc: Mapping[str, Any], *, command_count: int) -> Panel:
+    version = doc.get("version") or "(dev)"
+    commands = doc.get("commands") or {}
+    schemas = doc.get("schemas") or {}
+    error_codes = doc.get("error_codes") or []
+    capabilities = doc.get("capabilities") or {}
+
+    caps_text: list[Text] = []
+    for cap, val in sorted(capabilities.items()):
+        if isinstance(val, list):
+            continue  # rendered separately below
+        if val is True:
+            caps_text.append(Text.assemble(("✓ ", "bold green"), (cap, "white")))
+    caps_grid = Table.grid(padding=(0, 3))
+    if caps_text:
+        per_row = 3
+        for i in range(0, len(caps_text), per_row):
+            row = caps_text[i : i + per_row]
+            while len(row) < per_row:
+                row.append(Text(""))
+            caps_grid.add_row(*row)
+    else:
+        caps_grid.add_row(Text("(none advertised)", style="dim"))
+
+    where_targets = capabilities.get("where_targets") or []
+    auth_providers = capabilities.get("auth_providers") or []
+    # auth_providers may be a flat list (legacy) or a {kind: [names...]} map.
+    if isinstance(auth_providers, dict):
+        oauth_names = list(auth_providers.get("oauth") or [])
+        key_names = list(auth_providers.get("api_key") or [])
+        oauth_line = "OAuth: " + f" {_TARGET_DIM_CHAR} ".join(oauth_names) if oauth_names else None
+        key_line = "API key: " + f" {_TARGET_DIM_CHAR} ".join(key_names) if key_names else None
+        auth_value = "  ".join(p for p in (oauth_line, key_line) if p) or "—"
+    else:
+        auth_value = f" {_TARGET_DIM_CHAR} ".join(auth_providers) if auth_providers else "—"
+
+    # Build a two-column command table: name (+ subcount) | description
+    visible_cmds = {
+        name: entry
+        for name, entry in sorted(commands.items())
+        if isinstance(entry, dict) and not entry.get("hidden", False)
+    }
+    cmd_table = Table.grid(padding=(0, 2))
+    cmd_table.add_column(style="white", no_wrap=True)  # name
+    cmd_table.add_column(style="dim")  # description
+    for name, entry in visible_cmds.items():
+        subs = entry.get("subcommands") or {}
+        desc = entry.get("short_help") or entry.get("help") or ""
+        # Truncate long descriptions to first sentence
+        if desc:
+            dot = desc.find(".")
+            if dot > 0:
+                desc = desc[: dot + 1]
+            if len(desc) > 60:
+                desc = desc[:57] + "…"
+        if subs:
+            sub_count = len([s for s in subs.values() if isinstance(s, dict) and not s.get("hidden", False)])
+            label = Text.assemble((name, "white"), (f" ({sub_count})", "dim cyan"))
+        else:
+            label = Text(name, style="white")
+        cmd_table.add_row(label, Text(desc, style="dim"))
+
+    # Schema names list
+    schema_names = sorted(schemas.keys())
+    schema_line = f" {_TARGET_DIM_CHAR} ".join(schema_names) if schema_names else "—"
+
+    summary = _kv_table(
+        [
+            ("Commands", f"{len(visible_cmds)} top-level, {command_count} total (incl. subcommands)"),
+            ("Schemas", f"{len(schemas)} — {schema_line}"),
+            ("Error codes", f"{len(error_codes)}"),
+        ]
+    )
+    routing = _kv_table(
+        [
+            ("Where targets", f" {_TARGET_DIM_CHAR} ".join(where_targets) if where_targets else "—"),
+            ("Auth providers", auth_value),
+        ]
+    )
+
+    body = Group(
+        Text("Commands", style="bold magenta"),
+        cmd_table,
+        Text(""),
+        Text("Capabilities", style="bold magenta"),
+        caps_grid,
+        Text(""),
+        Text("Routing", style="bold magenta"),
+        routing,
+        Text(""),
+        Text("Summary", style="bold magenta"),
+        summary,
+        Text(""),
+        Text.assemble(
+            ("→ ", "bold yellow"),
+            ("comfy --json discover", "yellow"),
+            ("   for the full machine-readable document", "dim"),
+        ),
+    )
+    from comfy_cli.output.branding import branded_panel
+
+    return branded_panel(
+        body,
+        title="discover",
+        version=str(version),
+    )
+
+
+# ---------------------------------------------------------------------------
+# Which panel
+# ---------------------------------------------------------------------------
+
+
+def which_panel(
+    *,
+    workspace_path: str,
+    workspace_type: str | None,
+    python_executable: str | None = None,
+    python_version: str | None = None,
+    server_running: bool = False,
+    server_url: str | None = None,
+    version: str = "0.0.0",
+) -> Panel:
+    type_badge = Text(workspace_type or "—", style="bold green") if workspace_type else Text("—", style="dim")
+    python_value = Text("—", style="dim")
+    if python_executable:
+        if python_version:
+            python_value = Text.assemble((python_executable, "white"), (f"  ({python_version})", "dim"))
+        else:
+            python_value = Text(python_executable, style="white")
+
+    if server_running:
+        server_value = Text.assemble(
+            ("● running", "bold green"),
+            ("    ", ""),
+            (server_url or "", "white"),
+        )
+    else:
+        server_value = Text.assemble(
+            ("○ stopped", "dim"),
+            ("    ", ""),
+            (server_url or "", "dim"),
+        )
+
+    rows: list[tuple[str, Any]] = [
+        ("Path", Text(workspace_path, style="bold white")),
+        ("Type", type_badge),
+        ("Python", python_value),
+        ("Server", server_value),
+    ]
+    tbl = Table.grid(padding=(0, 2), expand=False)
+    tbl.add_column(justify="right", style="bold cyan", no_wrap=True)
+    tbl.add_column(overflow="fold")
+    for label, value in rows:
+        tbl.add_row(label, value)
+    from comfy_cli.output.branding import branded_panel
+
+    return branded_panel(
+        tbl,
+        title="workspace",
+        version=version,
+        padding=(0, 1),
+    )
+
+
+# ---------------------------------------------------------------------------
+# Auth list table / empty panel
+# ---------------------------------------------------------------------------
+
+
+def auth_list_table(records: Sequence[Mapping[str, Any]], *, supported: Sequence[str], path: str | None = None) -> Any:
+    """Return a Group: title + table + supported-providers footer.
+
+    ``records`` should be the redacted dicts from ``AuthRecord.to_dict(redact=True)``
+    (provider / key / updated_at).
+    """
+    title = Text.assemble(
+        ("Auth providers", "bold cyan"),
+        (f"  ({len(records)} configured)", "dim"),
+    )
+
+    tbl = Table(show_header=True, header_style="bold magenta", border_style="cyan", pad_edge=False)
+    tbl.add_column("Provider", style="bold white", no_wrap=True)
+    tbl.add_column("Key", style="white", no_wrap=True)
+    tbl.add_column("Updated", style="dim", no_wrap=True)
+    for r in records:
+        tbl.add_row(
+            str(r.get("provider", "")),
+            str(r.get("key", "")),
+            str(r.get("updated_at") or "—"),
+        )
+
+    footer_parts: list[Text] = []
+    if supported:
+        footer_parts.append(
+            Text.assemble(
+                ("supported: ", "dim"),
+                (f" {_TARGET_DIM_CHAR} ".join(supported), "white"),
+            )
+        )
+    if path:
+        footer_parts.append(Text.assemble(("store: ", "dim"), (path, "dim")))
+    footer = Group(*footer_parts) if footer_parts else Text("")
+
+    return Group(title, tbl, footer)
+
+
+def auth_empty_panel(*, supported: Sequence[str], path: str | None = None) -> Panel:
+    lines: list[Any] = [
+        Text("No providers configured.", style="white"),
+        Text(""),
+        Text.assemble(
+            ("→ ", "bold yellow"),
+            ("comfy auth set <provider> --key <KEY>", "yellow"),
+        ),
+    ]
+    if supported:
+        lines.append(Text(""))
+        lines.append(
+            Text.assemble(
+                ("Supported: ", "dim"),
+                (f" {_TARGET_DIM_CHAR} ".join(supported), "white"),
+            )
+        )
+    if path:
+        lines.append(Text.assemble(("Store:     ", "dim"), (path, "dim")))
+    return Panel(
+        Group(*lines),
+        title=Text("Auth providers", style="bold cyan"),
+        title_align="left",
+        border_style="cyan",
+        padding=(0, 1),
+    )
diff --git a/comfy_cli/output/preview.py b/comfy_cli/output/preview.py
new file mode 100644
index 00000000..80c8028b
--- /dev/null
+++ b/comfy_cli/output/preview.py
@@ -0,0 +1,155 @@
+"""Inline image/video preview in the terminal.
+
+Uses ``term-image`` (optional dependency) to auto-detect the best
+terminal graphics protocol (Kitty, iTerm2, or Unicode half-blocks)
+and render images inline.
+
+For videos, extracts a thumbnail frame via ``ffmpeg`` and displays that
+alongside a metadata panel.
+
+Skips silently when:
+  - term-image is not installed
+  - the renderer is in JSON/agentic mode (agents get file paths from the envelope)
+  - the file doesn't exist or isn't a supported format
+"""
+
+from __future__ import annotations
+
+import json
+import subprocess
+import tempfile
+import warnings
+from pathlib import Path
+
+# Suppress term-image's "not running in a terminal" warning — we handle
+# the TTY check ourselves before calling into term-image.
+warnings.filterwarnings("ignore", message=".*not running within a terminal.*", category=UserWarning)
+
+_IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".webp", ".gif", ".apng", ".bmp", ".tiff"}
+_VIDEO_EXTS = {".mp4", ".avi", ".mov", ".webm", ".mkv", ".flv", ".wmv", ".mpg", ".mpeg"}
+
+
+def preview(path: str | Path) -> None:
+    """Show an inline preview of an image or video file.
+
+    Call this from pretty-mode code paths only. Returns immediately if
+    term-image is not installed or the file is unsupported.
+    """
+    p = Path(path)
+    if not p.is_file():
+        return
+
+    suffix = p.suffix.lower()
+    if suffix in _IMAGE_EXTS:
+        _show_image(p)
+    elif suffix in _VIDEO_EXTS:
+        _show_video(p)
+
+
+def _show_image(path: Path) -> None:
+    try:
+        from term_image.image import from_file
+
+        img = from_file(str(path))
+        img.draw()
+    except (ImportError, Exception):  # noqa: BLE001
+        pass
+
+
+def _show_video(path: Path) -> None:
+    """Extract a thumbnail + metadata panel for a video file."""
+    _show_video_info(path)
+    _show_video_thumbnail(path)
+
+
+def _show_video_thumbnail(path: Path) -> None:
+    """Extract the first frame via ffmpeg and display it."""
+    tmp_path: str | None = None
+    try:
+        with tempfile.NamedTemporaryFile(suffix=".jpg", delete=False) as tmp:
+            tmp_path = tmp.name
+
+        result = subprocess.run(  # noqa: S603
+            [
+                "ffmpeg",
+                "-i",
+                str(path),
+                "-vf",
+                "select=eq(n\\,0)",
+                "-frames:v",
+                "1",
+                "-q:v",
+                "2",
+                "-y",
+                tmp_path,
+            ],
+            capture_output=True,
+            timeout=10,
+        )
+        if result.returncode == 0:
+            _show_image(Path(tmp_path))
+    except (FileNotFoundError, subprocess.TimeoutExpired, Exception):  # noqa: BLE001
+        # ffmpeg not installed or failed — skip silently
+        pass
+    finally:
+        if tmp_path is not None:
+            try:
+                Path(tmp_path).unlink(missing_ok=True)
+            except Exception:  # noqa: BLE001
+                pass
+
+
+def _show_video_info(path: Path) -> None:
+    """Show a Rich panel with video metadata via ffprobe."""
+    try:
+        result = subprocess.run(  # noqa: S603
+            [
+                "ffprobe",
+                "-v",
+                "quiet",
+                "-print_format",
+                "json",
+                "-show_format",
+                "-show_streams",
+                str(path),
+            ],
+            capture_output=True,
+            text=True,
+            timeout=10,
+        )
+        if result.returncode != 0:
+            return
+
+        info = json.loads(result.stdout)
+        fmt = info.get("format", {})
+        vstream = next((s for s in info.get("streams", []) if s.get("codec_type") == "video"), {})
+        if not vstream:
+            return
+
+        duration = float(fmt.get("duration", 0))
+        w, h = vstream.get("width", "?"), vstream.get("height", "?")
+
+        # Parse fps from "24/1" or "30000/1001" format
+        fps_str = vstream.get("r_frame_rate", "0/1")
+        try:
+            num, den = fps_str.split("/")
+            fps = int(num) / int(den)
+        except (ValueError, ZeroDivisionError):
+            fps = 0
+
+        codec = vstream.get("codec_name", "?")
+        size_bytes = int(fmt.get("size", 0))
+        size_mb = size_bytes / 1048576
+
+        from rich import print as rprint
+        from rich.panel import Panel
+
+        rprint(
+            Panel(
+                f"🎬 [bold]{path.name}[/bold]\n   {w}×{h} · {fps:.0f}fps · {codec} · {duration:.1f}s · {size_mb:.1f}MB",
+                border_style="blue",
+                expand=False,
+            )
+        )
+    except (FileNotFoundError, subprocess.TimeoutExpired, Exception):  # noqa: BLE001
+        pass
diff --git a/comfy_cli/output/renderer.py b/comfy_cli/output/renderer.py
new file mode 100644
index 00000000..a168b2ea
--- /dev/null
+++ b/comfy_cli/output/renderer.py
@@ -0,0 +1,393 @@
+"""Renderer: decides output mode and emits JSON envelopes or pretty output.
+
+UX contract:
+- Pretty mode produces output byte-identical to the pre-Phase-1 CLI.
+- JSON mode produces a single envelope on stdout (intermediate messages → stderr).
+- NDJSON mode produces one JSON event per line on stdout; the final envelope is
+  the last line.
+- Errors carry a stable ``code`` and a ``hint``. The hint is rendered as a
+  yellow line under the error in pretty mode and as ``error.hint`` in JSON.
+"""
+
+from __future__ import annotations
+
+import json
+import os
+import sys
+import time
+from collections.abc import Mapping
+from dataclasses import dataclass, field
+from enum import Enum
+from typing import Any, TextIO
+
+from rich.console import Console
+
+from comfy_cli.caller import Caller, detect_caller
+
+# Machine-output contract versions, surfaced in every envelope/event line and
+# in `comfy discover` (output_contract). Bump rule: additive optional fields =
+# no bump; rename/remove/retype a field or changed exit semantics = bump.
+ENVELOPE_SCHEMA = "envelope/1"
+EVENT_SCHEMA = "event/1"
+
+
+class OutputMode(str, Enum):
+    PRETTY = "pretty"
+    JSON = "json"
+    NDJSON = "ndjson"
+
+
+def _truthy(value: str | None) -> bool:
+    if value is None:
+        return False
+    return value.strip().lower() in {"1", "true", "yes", "on"}
+
+
+@dataclass
+class Renderer:
+    mode: OutputMode = OutputMode.PRETTY
+    caller: Caller = field(default_factory=detect_caller)
+    command: str = ""
+    version: str = ""
+    where: str | None = None
+    # Stream overrides. When None we look up sys.stdout / sys.stderr at the
+    # *call site* so test fixtures (capsys, CliRunner) that monkey-patch
+    # streams still capture our output. Tests can set these explicitly to
+    # pin redirection in scope.
+    _pretty_stream_override: TextIO | None = field(default=None, repr=False)
+    _machine_stream_override: TextIO | None = field(default=None, repr=False)
+    # Throttle map for high-frequency events: {token: last_emit_ts}.
+    _throttle: dict[str, float] = field(default_factory=dict, repr=False)
+    _envelope_emitted: bool = field(default=False, repr=False)
+    _exit_code: int = field(default=0, repr=False)
+
+    @property
+    def pretty_stream(self) -> TextIO:
+        if self._pretty_stream_override is not None:
+            return self._pretty_stream_override
+        # In pretty mode we use stdout. In JSON modes we redirect to stderr so
+        # stdout is reserved for the envelope/events.
+        return sys.stdout if self.mode is OutputMode.PRETTY else sys.stderr
+
+    @pretty_stream.setter
+    def pretty_stream(self, value: TextIO) -> None:
+        self._pretty_stream_override = value
+
+    @property
+    def machine_stream(self) -> TextIO:
+        if self._machine_stream_override is not None:
+            return self._machine_stream_override
+        return sys.stdout
+
+    @machine_stream.setter
+    def machine_stream(self, value: TextIO) -> None:
+        self._machine_stream_override = value
+
+    @classmethod
+    def resolve(
+        cls,
+        *,
+        json_flag: bool | None = None,
+        json_stream_flag: bool | None = None,
+        no_json_flag: bool = False,
+        env: Mapping[str, str] | None = None,
+        is_stdout_tty: bool | None = None,
+        caller: Caller | None = None,
+        command: str = "",
+        version: str = "",
+    ) -> Renderer:
+        """Decide the output mode.
+
+        Precedence (highest first):
+            1. --json-stream flag                       → NDJSON
+            2. --json flag                              → JSON
+            3. --no-json flag                           → PRETTY
+            4. COMFY_OUTPUT env (json/ndjson/pretty)    → that mode
+            5. agentic caller detected                  → JSON
+            6. stdout is not a TTY                      → JSON
+            7. default                                  → PRETTY
+        """
+        env_map = env if env is not None else os.environ
+        caller = caller if caller is not None else detect_caller(env_map)
+        if is_stdout_tty is None:
+            is_stdout_tty = sys.stdout.isatty()
+
+        mode: OutputMode
+        if json_stream_flag:
+            mode = OutputMode.NDJSON
+        elif json_flag:
+            mode = OutputMode.JSON
+        elif no_json_flag:
+            mode = OutputMode.PRETTY
+        else:
+            env_choice = (env_map.get("COMFY_OUTPUT") or "").strip().lower()
+            if env_choice in {"json", "ndjson", "pretty"}:
+                mode = OutputMode(env_choice)
+            elif caller.agentic:
+                mode = OutputMode.JSON
+            elif not is_stdout_tty:
+                mode = OutputMode.JSON
+            else:
+                mode = OutputMode.PRETTY
+
+        # Streams are resolved lazily from sys.stdout/sys.stderr at each call
+        # site (see pretty_stream / machine_stream properties), so test
+        # fixtures that monkey-patch streams keep working.
+        return cls(
+            mode=mode,
+            caller=caller,
+            command=command,
+            version=version,
+        )
+
+    # ----- pretty (Rich) helpers -----
+
+    def pretty_console(self) -> Console:
+        # Recreated each call so it respects whatever sys.stdout/stderr looks
+        # like *now*. Console is cheap.
+        return Console(file=self.pretty_stream, force_terminal=None, soft_wrap=False)
+
+    def stderr_console(self) -> Console:
+        return Console(file=sys.stderr)
+
+    def is_pretty(self) -> bool:
+        return self.mode is OutputMode.PRETTY
+
+    def is_json(self) -> bool:
+        return self.mode in {OutputMode.JSON, OutputMode.NDJSON}
+
+    def is_stream(self) -> bool:
+        return self.mode is OutputMode.NDJSON
+
+    def force_stream(self) -> None:
+        """Upgrade this renderer to NDJSON streaming mode.
+
+        Used by command-local streaming flags (e.g. ``comfy run --json``)
+        after the global callback has already resolved the mode: the
+        command knows it produces an event stream, so a plain ``--json``
+        on it means "stream NDJSON events + final envelope" rather than
+        the single-envelope JSON mode.
+        """
+        self.mode = OutputMode.NDJSON
+
+    # ----- printing -----
+
+    def print(self, *args: Any, **kwargs: Any) -> None:
+        """Print human-readable text. In JSON modes this goes to stderr.
+
+        Use this as a drop-in for ``rich.print``: the Rich markup, panels,
+        tables, and exact whitespace are preserved in pretty mode.
+        """
+        # Rich's print accepts file= kwarg. We always direct human output to
+        # `pretty_stream` (stdout in pretty mode, stderr in JSON mode).
+        from rich import print as _rprint
+
+        kwargs.setdefault("file", self.pretty_stream)
+        _rprint(*args, **kwargs)
+
+    def console(self) -> Console:
+        """Return the Console used for Rich tables / panels in pretty mode.
+
+        In JSON modes, returns a Console attached to stderr so any
+        ``console.print(table)`` calls don't pollute stdout.
+        """
+        return self.pretty_console() if self.is_pretty() else self.stderr_console()
+
+    # ----- semantic helpers -----
+
+    def info(self, message: str, *, hint: str | None = None) -> None:
+        self.print(message)
+        if hint:
+            self.print(f"[yellow]Hint:[/yellow] {hint}")
+
+    def warn(self, message: str, *, hint: str | None = None) -> None:
+        self.print(f"[yellow]{message}[/yellow]")
+        if hint:
+            self.print(f"[yellow]Hint:[/yellow] {hint}")
+
+    def success(self, message: str) -> None:
+        self.print(f"[bold green]{message}[/bold green]")
+
+    # ----- structured output -----
+
+    def emit(
+        self,
+        data: Any = None,
+        *,
+        command: str | None = None,
+        where: str | None = None,
+        changed: bool | None = None,
+        ok: bool = True,
+    ) -> None:
+        """Emit the final envelope. In pretty mode this is a no-op (data was
+        already shown by ``print``/``success``/etc).
+
+        ``ok`` defaults to True for the common success path. Commands that
+        carry a structured result *and* a negative verdict (e.g. ``validate``
+        on an invalid workflow, which still emits its error/warning payload as
+        data) pass ``ok=False`` so the envelope's ``ok`` agrees with the
+        process exit code.
+        """
+        if self.is_pretty():
+            return
+        if self._envelope_emitted:
+            # Defensive: the harness should only emit once. Don't double-write.
+            return
+        envelope = self._envelope(
+            ok=ok,
+            command=command or self.command,
+            data=data,
+            where=where or self.where,
+            changed=changed,
+            error=None,
+        )
+        self._write_json_line(envelope)
+        self._envelope_emitted = True
+
+    def error(
+        self,
+        code: str,
+        message: str,
+        *,
+        hint: str | None = None,
+        details: Mapping[str, Any] | None = None,
+        exit_code: int = 1,
+        command: str | None = None,
+    ) -> None:
+        """Emit a structured error. In pretty mode, prints red message + yellow
+        hint. In JSON mode, emits an envelope with ``ok=false`` and the error
+        block; in NDJSON mode also emits the envelope as the final line.
+        """
+        self._exit_code = exit_code
+        if self.is_pretty():
+            # Lazy import to keep panel deps optional.
+            from comfy_cli.output.panels import error_panel
+
+            self.console().print(error_panel(code=code, message=message, hint=hint, details=details))
+            return
+        if self._envelope_emitted:
+            return
+        envelope = self._envelope(
+            ok=False,
+            command=command or self.command,
+            data=None,
+            where=self.where,
+            changed=None,
+            error={
+                "code": code,
+                "message": message,
+                "hint": hint,
+                "details": dict(details) if details else None,
+            },
+        )
+        self._write_json_line(envelope)
+        self._envelope_emitted = True
+
+    def event(self, type: str, **fields: Any) -> None:
+        """Emit one NDJSON event line. Only meaningful in NDJSON mode."""
+        if not self.is_stream():
+            return
+        payload = {"schema": EVENT_SCHEMA, "type": type, **fields}
+        self._write_json_line(payload)
+
+    def throttled_event(self, token: str, type: str, *, max_hz: float = 10.0, **fields: Any) -> bool:
+        """Emit an NDJSON event only if at least ``1/max_hz`` seconds have
+        passed since the last event with the same ``token``. Returns True if
+        the event was emitted.
+        """
+        if not self.is_stream():
+            return False
+        now = time.monotonic()
+        last = self._throttle.get(token, 0.0)
+        if now - last < (1.0 / max_hz):
+            return False
+        self._throttle[token] = now
+        self.event(type, **fields)
+        return True
+
+    def flush_throttled(self, token: str, type: str, **fields: Any) -> None:
+        """Force-emit one final event for a throttle token (e.g., on completion)."""
+        if not self.is_stream():
+            return
+        self._throttle[token] = time.monotonic()
+        self.event(type, **fields)
+
+    # ----- internals -----
+
+    def _envelope(
+        self,
+        *,
+        ok: bool,
+        command: str,
+        data: Any,
+        where: str | None,
+        changed: bool | None,
+        error: Mapping[str, Any] | None,
+    ) -> dict[str, Any]:
+        env: dict[str, Any] = {
+            # Contract discriminator + version first: NDJSON consumers pick
+            # out the final line by `type` and negotiate shape on `schema`.
+            "schema": ENVELOPE_SCHEMA,
+            "type": "envelope",
+            "ok": ok,
+            "command": command,
+            "version": self.version,
+            "where": where,
+            "data": data,
+            "error": dict(error) if error else None,
+        }
+        if changed is not None:
+            env["changed"] = changed
+        return env
+
+    def _write_json_line(self, payload: Mapping[str, Any]) -> None:
+        line = json.dumps(payload, default=_json_default, ensure_ascii=False)
+        self.machine_stream.write(line + "\n")
+        self.machine_stream.flush()
+
+    @property
+    def exit_code(self) -> int:
+        return self._exit_code
+
+
+def _json_default(obj: Any) -> Any:
+    # Best-effort JSON coercion for common non-serializable types.
+    from pathlib import Path
+
+    if isinstance(obj, Path):
+        return str(obj)
+    if isinstance(obj, Enum):
+        return obj.value
+    if hasattr(obj, "isoformat"):
+        try:
+            return obj.isoformat()
+        except Exception:  # noqa: BLE001
+            pass
+    return str(obj)
+
+
+# ----- process-wide singleton ----------------------------------------------
+
+_RENDERER: Renderer | None = None
+
+
+def set_renderer(renderer: Renderer) -> None:
+    """Install the process-wide renderer. Called once from cmdline.entry()."""
+    global _RENDERER
+    _RENDERER = renderer
+
+
+def get_renderer() -> Renderer:
+    """Return the installed renderer, creating a default pretty one if none.
+
+    The default is pretty so existing tests and ad-hoc imports don't blow up.
+    """
+    global _RENDERER
+    if _RENDERER is None:
+        _RENDERER = Renderer()
+    return _RENDERER
+
+
+def reset_renderer_for_testing() -> None:
+    global _RENDERER
+    _RENDERER = None
diff --git a/comfy_cli/output/rich_compat.py b/comfy_cli/output/rich_compat.py
new file mode 100644
index 00000000..b16f72fd
--- /dev/null
+++ b/comfy_cli/output/rich_compat.py
@@ -0,0 +1,42 @@
+"""Drop-in replacements for ``rich.print``.
+
+Migration pattern:
+    # before
+    from rich import print as rprint
+    # after
+    from comfy_cli.output import rprint
+
+Behavior:
+- Pretty mode: byte-identical to ``rich.print``.
+- JSON / NDJSON mode: routed to stderr so stdout is reserved for the envelope
+  / NDJSON events. The Rich markup is preserved on stderr, so humans tailing
+  ``stderr`` (or developers debugging) still see formatted output.
+
+Existing code that uses ``console.print(table)`` for Rich tables should
+migrate to ``renderer.console().print(table)`` so the same redirection
+applies. That's not required for pretty-mode correctness — those calls
+already work — only for clean stdout in JSON mode.
+"""
+
+from __future__ import annotations
+
+from typing import Any
+
+
+def rprint(*args: Any, **kwargs: Any) -> None:
+    """Print via the current renderer.
+
+    The renderer is a process-wide singleton; in pretty mode this matches
+    ``rich.print`` exactly. In JSON modes it goes to stderr.
+    """
+    # Imported lazily so we don't take a hard dependency at import time.
+    from comfy_cli.output.renderer import get_renderer
+
+    get_renderer().print(*args, **kwargs)
+
+
+def console_print(*args: Any, **kwargs: Any) -> None:
+    """Like rprint but via a Rich Console object (for tables/panels)."""
+    from comfy_cli.output.renderer import get_renderer
+
+    get_renderer().console().print(*args, **kwargs)
diff --git a/comfy_cli/project.py b/comfy_cli/project.py
new file mode 100644
index 00000000..19adcc06
--- /dev/null
+++ b/comfy_cli/project.py
@@ -0,0 +1,220 @@
+"""project/1 convention — pure discovery, layout, and journaling helpers.
+
+A PROJECT is any directory holding a ``comfy.yaml`` marker whose parsed
+``schema`` is ``"project/1"``::
+
+    schema: project/1
+    defaults:
+      where: cloud
+
+The convention is the contract (agent-first, like the output-schema and
+error-code ratchets): five conventional top-level dirs —
+``assets/ fragments/ blueprints/ outputs/ .comfy/`` (machine-owned) — and an
+append-only run journal at ``.comfy/runs.jsonl`` so provenance is queryable
+state, not hand-written manifests.
+
+This module is pure domain logic — no Typer, no renderer (mirror of
+``fragments.py``). Hard rules:
+
+- :func:`find_project` NEVER raises. A malformed/unreadable ``comfy.yaml``
+  or one with the wrong schema is treated as "no project at that level" and
+  the walk continues — a stray marker file must not crash unrelated commands.
+- :func:`journal` is best-effort: every exception is swallowed internally.
+  A journaling failure can never fail a run.
+"""
+
+from __future__ import annotations
+
+import hashlib
+import json
+from collections.abc import Callable
+from dataclasses import dataclass
+from datetime import datetime, timezone
+from pathlib import Path
+from typing import Any
+
+import yaml
+
+from comfy_cli.fragments import AssetError, VarError
+
+PROJECT_MARKER = "comfy.yaml"
+PROJECT_SCHEMA = "project/1"
+
+# The five conventional top-level dirs. Anything else (non-hidden) is
+# surfaced as a warning by `comfy project status` — warnings only, never
+# enforcement. Files are fine anywhere.
+CONVENTIONAL_DIRS = ("assets", "fragments", "blueprints", "outputs", ".comfy")
+
+
+@dataclass
+class Project:
+    root: Path
+    config: dict
+
+
+def find_project(start: Path | None = None) -> Project | None:
+    """Walk up from ``start`` (default: cwd) to the filesystem root; the
+    first directory whose ``comfy.yaml`` parses to a dict with
+    ``schema: project/1`` wins. Returns ``None`` when nothing governs
+    ``start``. Never raises."""
+    try:
+        here = (Path(start) if start is not None else Path.cwd()).resolve()
+    except OSError:
+        return None
+    for candidate in (here, *here.parents):
+        config = _load_marker(candidate / PROJECT_MARKER)
+        if config is not None:
+            return Project(root=candidate, config=config)
+    return None
+
+
+def _load_marker(marker: Path) -> dict | None:
+    """Parse one candidate marker. Anything short of a well-formed project/1
+    dict — missing file, unreadable file, YAML that doesn't parse, non-dict
+    document, wrong/absent schema — is ``None`` (keep walking)."""
+    try:
+        if not marker.is_file():
+            return None
+        parsed = yaml.safe_load(marker.read_text(encoding="utf-8"))
+    except Exception:  # noqa: BLE001 — any failure means "not a project here"
+        return None
+    if isinstance(parsed, dict) and parsed.get("schema") == PROJECT_SCHEMA:
+        return parsed
+    return None
+
+
+def unknown_dirs(project: Project) -> list[str]:
+    """Top-level directories outside the convention, sorted. Hidden dirs are
+    skipped (``.comfy`` is conventional anyway); files are fine anywhere.
+    Consumed by ``comfy project status`` as warnings — nothing enforces."""
+    try:
+        names = sorted(p.name for p in project.root.iterdir() if p.is_dir())
+    except OSError:
+        return []
+    return [n for n in names if not n.startswith(".") and n not in CONVENTIONAL_DIRS]
+
+
+def journal(project: Project, **event) -> None:
+    """Append one JSON line to ``<root>/.comfy/runs.jsonl`` (creating
+    ``.comfy/`` if needed). A ``ts`` (UTC ISO-8601, seconds) is auto-added.
+
+    Best-effort by contract: ALL exceptions are swallowed — a read-only
+    directory, a full disk, or an unserializable value must never fail the
+    command being journaled."""
+    try:
+        record = {"ts": datetime.now(timezone.utc).isoformat(timespec="seconds"), **event}
+        comfy_dir = project.root / ".comfy"
+        comfy_dir.mkdir(parents=True, exist_ok=True)
+        with (comfy_dir / "runs.jsonl").open("a", encoding="utf-8") as fh:
+            fh.write(json.dumps(record, ensure_ascii=False, default=str) + "\n")
+    except Exception:  # noqa: BLE001 — journaling can never fail a run
+        pass
+
+
+ASSETS_LOCK_SCHEMA = "assets-lock/1"
+_ASSETS_PUSH_HINT = "run: comfy assets push"
+
+
+def read_assets_lock(project: Project) -> dict:
+    """The ``assets-lock/1`` map ``{name: {sha256, cloud_name, …}}`` written
+    by ``comfy assets push``; ``{}`` when absent or malformed. Never raises."""
+    path = project.root / ".comfy" / "assets.lock.json"
+    try:
+        parsed = json.loads(path.read_text(encoding="utf-8"))
+    except (OSError, json.JSONDecodeError, ValueError):
+        return {}
+    if (
+        isinstance(parsed, dict)
+        and parsed.get("schema") == ASSETS_LOCK_SCHEMA
+        and isinstance(parsed.get("assets"), dict)
+    ):
+        return parsed["assets"]
+    return {}
+
+
+def make_asset_resolver(project: Project) -> Callable[[str], str]:
+    """Resolver for ``$asset.<name>`` blueprint refs, backed by the push lock.
+
+    Loads ``.comfy/assets.lock.json`` once; per referenced name (hashing is
+    lazy — only names actually referenced are hashed):
+
+    - no lock entry, or the file is missing under ``assets/`` →
+      :class:`~comfy_cli.fragments.AssetError` ``asset_not_pushed``
+    - on-disk sha256 differs from the lock → ``asset_stale``
+    - otherwise → the lock entry's ``cloud_name`` (the server-side filename
+      on the push target).
+    """
+    lock = read_assets_lock(project)
+
+    def resolve(name: str) -> str:
+        entry = lock.get(name)
+        if not isinstance(entry, dict) or not entry.get("cloud_name"):
+            raise AssetError(
+                f"asset {name!r} has not been pushed (no entry in .comfy/assets.lock.json)",
+                code="asset_not_pushed",
+                hint=_ASSETS_PUSH_HINT,
+            )
+        path = project.root / "assets" / name
+        if not path.is_file():
+            raise AssetError(
+                f"asset {name!r} is in the lock but missing from assets/",
+                code="asset_not_pushed",
+                hint=_ASSETS_PUSH_HINT,
+            )
+        sha = hashlib.sha256(path.read_bytes()).hexdigest()
+        if sha != entry.get("sha256"):
+            raise AssetError(
+                f"asset {name!r} changed on disk after its last push (sha256 mismatch)",
+                code="asset_stale",
+                hint=_ASSETS_PUSH_HINT,
+            )
+        return str(entry["cloud_name"])
+
+    return resolve
+
+
+def make_var_resolver(project: Project) -> Callable[[str], Any]:
+    """Resolver for ``$var.<name>`` blueprint refs, backed by the project's
+    ``comfy.yaml`` top-level ``vars:`` block (name → scalar str/int/float/bool).
+
+    Returns the RAW scalar (never ``str()``'d) so non-STRING params keep
+    their widget types. A missing/non-mapping ``vars:`` block is treated as
+    empty; an undefined name raises
+    :class:`~comfy_cli.fragments.VarError` ``var_not_defined`` with a hint
+    pointing at the project's ``comfy.yaml``.
+    """
+    vars_block = project.config.get("vars")
+    if not isinstance(vars_block, dict):
+        vars_block = {}
+
+    def resolve(name: str) -> Any:
+        if name not in vars_block:
+            raise VarError(
+                f"var {name!r} is not defined in the project's `vars:` block",
+                code="var_not_defined",
+                hint=f"add it under `vars:` in {project.root / PROJECT_MARKER}",
+            )
+        return vars_block[name]
+
+    return resolve
+
+
+def read_journal(project: Project, limit: int = 20) -> list[dict]:
+    """Return the last ``limit`` journal events, newest last. Corrupt or
+    non-object lines are skipped; a missing/unreadable journal is ``[]``."""
+    path = project.root / ".comfy" / "runs.jsonl"
+    try:
+        lines = path.read_text(encoding="utf-8").splitlines()
+    except OSError:
+        return []
+    events: list[dict] = []
+    for line in lines:
+        if not line.strip():
+            continue
+        try:
+            parsed = json.loads(line)
+        except json.JSONDecodeError:
+            continue
+        if isinstance(parsed, dict):
+            events.append(parsed)
+    return events[-limit:] if limit and limit > 0 else events
diff --git a/comfy_cli/schemas/__init__.py b/comfy_cli/schemas/__init__.py
new file mode 100644
index 00000000..191d11b6
--- /dev/null
+++ b/comfy_cli/schemas/__init__.py
@@ -0,0 +1,6 @@
+"""JSON Schema resources for comfy-cli output.
+
+Schemas live next to this module so ``importlib.resources`` can load them on
+the installed CLI as well as the dev checkout. The mapping from command path
+to schema is defined in :mod:`comfy_cli.discovery`.
+"""
diff --git a/comfy_cli/schemas/assets.json b/comfy_cli/schemas/assets.json
new file mode 100644
index 00000000..e6e0e5fa
--- /dev/null
+++ b/comfy_cli/schemas/assets.json
@@ -0,0 +1,33 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://comfy.org/schemas/assets.json",
+  "title": "comfy assets push --json data payload",
+  "description": "Result of `comfy assets push`: files uploaded to the resolved target via the server's /upload/image API and recorded in .comfy/assets.lock.json. `cloud_name` is the server-returned name on the push target (kept under that key for both local and cloud).",
+  "type": "object",
+  "required": ["pushed", "skipped", "lock", "where"],
+  "additionalProperties": true,
+  "properties": {
+    "pushed": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "required": ["name", "sha256", "cloud_name", "size"],
+        "additionalProperties": true,
+        "properties": {
+          "name": {"type": "string", "description": "Path relative to assets/ (posix) — the `$asset.<name>` key."},
+          "sha256": {"type": "string"},
+          "cloud_name": {"type": "string", "description": "Server-returned filename on the push target."},
+          "size": {"type": "integer"}
+        }
+      }
+    },
+    "current": {
+      "type": "array",
+      "items": {"type": "string"},
+      "description": "Asset names verified already-current on this target (lock hit, not re-uploaded). pushed ∪ current = everything now on the server, so scripts can assert their files landed without treating a truthful pushed:[] as failure."
+    },
+    "skipped": {"type": "integer", "description": "Files whose lock entry already matched (same sha256 and same target)."},
+    "lock": {"type": "string", "description": "Absolute path of .comfy/assets.lock.json."},
+    "where": {"type": "string", "enum": ["local", "cloud"], "description": "Resolved push target."}
+  }
+}
diff --git a/comfy_cli/schemas/auth.json b/comfy_cli/schemas/auth.json
new file mode 100644
index 00000000..654db438
--- /dev/null
+++ b/comfy_cli/schemas/auth.json
@@ -0,0 +1,30 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://comfy.org/schemas/auth.json",
+  "title": "comfy auth --json data payload",
+  "description": "Result of an `auth list|set|remove` invocation. Keys are always returned redacted.",
+  "type": "object",
+  "required": ["providers", "supported", "path"],
+  "additionalProperties": true,
+  "properties": {
+    "action": {"type": "string", "enum": ["list", "set", "remove"]},
+    "path": {"type": "string", "description": "Filesystem path to the local secret store."},
+    "supported": {
+      "type": "array",
+      "items": {"type": "string"}
+    },
+    "providers": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "required": ["provider", "key", "updated_at"],
+        "properties": {
+          "provider": {"type": "string"},
+          "key": {"type": "string", "description": "Redacted key, e.g. 'sk-…abc1'."},
+          "key_redacted": {"type": "boolean"},
+          "updated_at": {"type": "string"}
+        }
+      }
+    }
+  }
+}
diff --git a/comfy_cli/schemas/discover.json b/comfy_cli/schemas/discover.json
new file mode 100644
index 00000000..c53f9901
--- /dev/null
+++ b/comfy_cli/schemas/discover.json
@@ -0,0 +1,86 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://comfy.org/schemas/discover.json",
+  "title": "comfy discover --json data payload",
+  "description": "Self-describing surface for agents: full command tree, the schema each command emits, and capabilities the CLI exposes.",
+  "type": "object",
+  "required": ["prog", "version", "commands", "schemas", "capabilities"],
+  "additionalProperties": true,
+  "properties": {
+    "prog": {"type": "string"},
+    "version": {"type": "string"},
+    "output_contract": {
+      "type": "object",
+      "description": "Versioned machine-output contract: negotiate envelope/event shape on these, not on the CLI version.",
+      "properties": {
+        "envelope": {"type": "string"},
+        "event": {"type": "string"}
+      }
+    },
+    "commands": {
+      "type": "object",
+      "description": "Same shape as `comfy --help-json`'s `commands`."
+    },
+    "schemas": {
+      "type": "object",
+      "additionalProperties": false,
+      "patternProperties": {
+        "^[a-z][a-z0-9_]*$": {
+          "type": "object",
+          "required": ["name", "title", "schema"],
+          "properties": {
+            "name": {"type": "string", "description": "Schema filename, e.g. 'env.json'."},
+            "title": {"type": "string"},
+            "schema": {"type": "object", "description": "Inline JSON Schema document."}
+          }
+        }
+      }
+    },
+    "command_schemas": {
+      "type": "object",
+      "description": "Map of fully-qualified command path -> schema name (without .json).",
+      "additionalProperties": {"type": "string"}
+    },
+    "error_codes": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "required": ["code", "meaning"],
+        "properties": {
+          "code": {"type": "string"},
+          "meaning": {"type": "string"},
+          "phase": {"type": "string"},
+          "hint": {"type": ["string", "null"]}
+        }
+      }
+    },
+    "capabilities": {
+      "type": "object",
+      "description": "Feature flags an agent can branch on.",
+      "additionalProperties": true,
+      "properties": {
+        "json_envelope": {"type": "boolean"},
+        "json_stream": {"type": "boolean"},
+        "cancellation": {"type": "boolean"},
+        "cql": {"type": "boolean"},
+        "where_routing": {"type": "boolean"},
+        "where_targets": {"type": "array", "items": {"type": "string"}},
+        "cloud_oauth": {"type": "boolean"},
+        "auth_providers": {
+          "description": "Either a flat list (legacy) or {oauth: [...], api_key: [...]}.",
+          "oneOf": [
+            {"type": "array", "items": {"type": "string"}},
+            {
+              "type": "object",
+              "properties": {
+                "oauth": {"type": "array", "items": {"type": "string"}},
+                "api_key": {"type": "array", "items": {"type": "string"}}
+              },
+              "additionalProperties": false
+            }
+          ]
+        }
+      }
+    }
+  }
+}
diff --git a/comfy_cli/schemas/env.json b/comfy_cli/schemas/env.json
new file mode 100644
index 00000000..46afcccd
--- /dev/null
+++ b/comfy_cli/schemas/env.json
@@ -0,0 +1,56 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://comfy.org/schemas/env.json",
+  "title": "comfy env --json data payload",
+  "type": "object",
+  "required": ["python", "config", "workspace", "server"],
+  "additionalProperties": true,
+  "properties": {
+    "python": {
+      "type": "object",
+      "required": ["version", "executable"],
+      "properties": {
+        "version": {"type": "string"},
+        "executable": {"type": "string"},
+        "virtualenv": {"type": ["string", "null"]},
+        "conda_env": {"type": ["string", "null"]}
+      }
+    },
+    "config": {
+      "type": "object",
+      "additionalProperties": true,
+      "properties": {
+        "path": {"type": "string"},
+        "default_workspace": {"type": ["string", "null"]},
+        "default_launch_extras": {"type": ["string", "null"]},
+        "recent_workspace": {"type": ["string", "null"]},
+        "tracking_enabled": {"type": ["boolean", "null"]}
+      }
+    },
+    "workspace": {
+      "type": "object",
+      "additionalProperties": true,
+      "properties": {
+        "path": {"type": ["string", "null"]},
+        "type": {"type": ["string", "null"]}
+      }
+    },
+    "server": {
+      "type": "object",
+      "required": ["running"],
+      "properties": {
+        "running": {"type": "boolean"},
+        "url": {"type": ["string", "null"]}
+      }
+    },
+    "background": {
+      "type": ["object", "null"],
+      "additionalProperties": true,
+      "properties": {
+        "host": {"type": "string"},
+        "port": {"type": "integer"},
+        "pid": {"type": "integer"}
+      }
+    }
+  }
+}
diff --git a/comfy_cli/schemas/envelope.json b/comfy_cli/schemas/envelope.json
new file mode 100644
index 00000000..6935a67f
--- /dev/null
+++ b/comfy_cli/schemas/envelope.json
@@ -0,0 +1,49 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://comfy.org/schemas/envelope.json",
+  "title": "comfy-cli output envelope",
+  "description": "Every --json command returns one of these on stdout. Streaming commands emit it as the last NDJSON line.",
+  "type": "object",
+  "required": ["ok", "command", "version", "where", "data", "error"],
+  "additionalProperties": true,
+  "properties": {
+    "schema": {
+      "const": "envelope/1",
+      "description": "Envelope contract version. Additive optional fields do not bump it; renamed/removed/retyped fields or changed exit semantics do."
+    },
+    "type": {
+      "const": "envelope",
+      "description": "Line discriminator: in NDJSON streams the final line is the envelope, every other line is an event."
+    },
+    "ok": {
+      "type": "boolean",
+      "description": "True iff the command succeeded. Mirrors a 0 exit code."
+    },
+    "command": {
+      "type": "string",
+      "description": "Fully-qualified command path (e.g. 'env', 'model download')."
+    },
+    "version": {
+      "type": "string",
+      "description": "comfy-cli version that produced this output."
+    },
+    "where": {
+      "type": ["string", "null"],
+      "enum": ["local", "cloud", null],
+      "description": "Backend that handled the command. Null for commands that don't route."
+    },
+    "data": {
+      "description": "Command-specific payload. Schema lives in comfy_cli/schemas/<command>.json."
+    },
+    "error": {
+      "oneOf": [
+        {"type": "null"},
+        {"$ref": "error.json"}
+      ]
+    },
+    "changed": {
+      "type": "boolean",
+      "description": "Optional: present on mutating commands; true iff state changed."
+    }
+  }
+}
diff --git a/comfy_cli/schemas/error.json b/comfy_cli/schemas/error.json
new file mode 100644
index 00000000..c6f71ed6
--- /dev/null
+++ b/comfy_cli/schemas/error.json
@@ -0,0 +1,27 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://comfy.org/schemas/error.json",
+  "title": "comfy-cli error block",
+  "type": "object",
+  "required": ["code", "message"],
+  "additionalProperties": false,
+  "properties": {
+    "code": {
+      "type": "string",
+      "description": "Stable machine identifier. Append-only; see error_codes.md.",
+      "pattern": "^[a-z][a-z0-9_]*$"
+    },
+    "message": {
+      "type": "string",
+      "description": "Human-readable sentence."
+    },
+    "hint": {
+      "type": ["string", "null"],
+      "description": "Optional actionable next step."
+    },
+    "details": {
+      "type": ["object", "null"],
+      "description": "Optional structured details (e.g. last_status, parser_message)."
+    }
+  }
+}
diff --git a/comfy_cli/schemas/error_codes.md b/comfy_cli/schemas/error_codes.md
new file mode 100644
index 00000000..db80004d
--- /dev/null
+++ b/comfy_cli/schemas/error_codes.md
@@ -0,0 +1,28 @@
+# comfy-cli error codes
+
+Stable machine identifiers for `error.code` in the JSON envelope. The
+canonical list lives in `comfy_cli/error_codes.py` — this file is for humans.
+**Append-only** — never repurpose an existing code.
+
+For programmatic access, agents call:
+
+```bash
+comfy --json discover | jq '.data.error_codes[]'
+```
+
+## Conventions
+
+- `code` is the contract; agents branch on it.
+- `message` is human-readable; phrased so it can be shown to users verbatim.
+- `hint` is one actionable next step. Always set a hint when there is one.
+- `details` carries structured context (`status`, `path`, `host`,
+  `close_matches`, `valid_inputs`, etc.) so agents can self-correct.
+
+## Tests
+
+Two tests pin the contract:
+
+- Every `renderer.error(code="…")` site is registered.
+- Every registered code is raised somewhere (no dead codes).
+
+A code goes into `error_codes.py` *before* it lands in any call site.
diff --git a/comfy_cli/schemas/help.json b/comfy_cli/schemas/help.json
new file mode 100644
index 00000000..edebb486
--- /dev/null
+++ b/comfy_cli/schemas/help.json
@@ -0,0 +1,63 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://comfy.org/schemas/help.json",
+  "title": "comfy --help-json output",
+  "description": "Machine-readable description of the CLI surface. Agents use this to enumerate commands and flags without reading source.",
+  "type": "object",
+  "required": ["prog", "commands", "root"],
+  "additionalProperties": true,
+  "properties": {
+    "prog": {"type": "string"},
+    "root": {
+      "type": "object",
+      "additionalProperties": true,
+      "properties": {
+        "help": {"type": ["string", "null"]},
+        "params": {"type": "array", "items": {"$ref": "#/$defs/param"}}
+      }
+    },
+    "commands": {
+      "type": "object",
+      "additionalProperties": {"$ref": "#/$defs/command"}
+    }
+  },
+  "$defs": {
+    "param": {
+      "type": "object",
+      "required": ["name", "param_kind", "type"],
+      "additionalProperties": true,
+      "properties": {
+        "name": {"type": "string"},
+        "param_kind": {"type": "string", "enum": ["option", "argument"]},
+        "type": {"type": "string"},
+        "choices": {"type": "array", "items": {"type": "string"}},
+        "required": {"type": "boolean"},
+        "hidden": {"type": "boolean"},
+        "default": {},
+        "help": {"type": ["string", "null"]},
+        "is_flag": {"type": "boolean"},
+        "multiple": {"type": "boolean"},
+        "flags": {"type": "array", "items": {"type": "string"}},
+        "envvar": {"type": ["string", "array", "null"]}
+      }
+    },
+    "command": {
+      "type": "object",
+      "required": ["name", "path", "params"],
+      "additionalProperties": true,
+      "properties": {
+        "name": {"type": "string"},
+        "path": {"type": "string"},
+        "help": {"type": ["string", "null"]},
+        "short_help": {"type": ["string", "null"]},
+        "hidden": {"type": "boolean"},
+        "params": {"type": "array", "items": {"$ref": "#/$defs/param"}},
+        "examples": {"type": "array", "items": {"type": "string"}},
+        "subcommands": {
+          "type": "object",
+          "additionalProperties": {"$ref": "#/$defs/command"}
+        }
+      }
+    }
+  }
+}
diff --git a/comfy_cli/schemas/jobs.json b/comfy_cli/schemas/jobs.json
new file mode 100644
index 00000000..ef366a64
--- /dev/null
+++ b/comfy_cli/schemas/jobs.json
@@ -0,0 +1,48 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://comfy.org/schemas/jobs.json",
+  "title": "comfy jobs --json data payload",
+  "description": "Union schema for `jobs ls`, `jobs status`, and `jobs watch`.",
+  "type": "object",
+  "required": ["host", "port"],
+  "additionalProperties": true,
+  "properties": {
+    "host": {"type": "string"},
+    "port": {"type": "integer"},
+    "prompt_id": {"type": "string"},
+    "status": {
+      "type": "string",
+      "enum": ["running", "pending", "queued", "completed", "error", "unknown", "watching"]
+    },
+    "queue_position": {"type": ["integer", "null"]},
+    "workflow_size": {"type": ["integer", "null"]},
+    "outputs": {"type": "array", "items": {"type": "string"}},
+    "outputs_by_node": {
+      "type": "object",
+      "description": "Cloud status/watch terminal: the same artifact URLs grouped by the node id that produced them.",
+      "additionalProperties": {"type": "array", "items": {"type": "string"}}
+    },
+    "outputs_by_item": {
+      "type": "object",
+      "description": "Cloud status/watch terminal: artifact URLs grouped by blueprint foreach item (via the compose item_map on the job state file). Empty object when no item_map exists.",
+      "additionalProperties": {"type": "array", "items": {"type": "string"}}
+    },
+    "elapsed_seconds": {"type": ["number", "null"]},
+    "completed_nodes": {"type": "array", "items": {"type": "string"}},
+    "count": {"type": "integer"},
+    "jobs": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "required": ["prompt_id", "status"],
+        "properties": {
+          "prompt_id": {"type": "string"},
+          "status": {"type": "string"},
+          "queue_position": {"type": ["integer", "null"]},
+          "workflow_size": {"type": ["integer", "null"]},
+          "outputs": {"type": "integer"}
+        }
+      }
+    }
+  }
+}
diff --git a/comfy_cli/schemas/models.json b/comfy_cli/schemas/models.json
new file mode 100644
index 00000000..41bd06fc
--- /dev/null
+++ b/comfy_cli/schemas/models.json
@@ -0,0 +1,90 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "title": "comfy models *",
+  "description": "Output shape for model discovery commands (search, show, list-folders, list-folder). All subcommands share this schema; each field is optional because the payload varies per subcommand.",
+  "type": "object",
+  "properties": {
+    "mode": { "type": "string", "description": "Routing mode: 'cloud' or 'local'." },
+    "url": { "type": "string", "description": "The backend URL that was queried (list-folders, list-folder)." },
+    "filters": {
+      "type": "object",
+      "description": "Active filter parameters (search only).",
+      "properties": {
+        "text": { "type": ["string", "null"] },
+        "type": { "type": ["string", "null"] },
+        "include_public": { "type": ["boolean", "null"] }
+      }
+    },
+    "total": { "type": "integer", "description": "Total items before capping (list-folder, search)." },
+    "shown": { "type": "integer", "description": "Number of items in the response after capping." },
+    "count": { "type": "integer", "description": "Count of folders (list-folders)." },
+    "folder": { "type": "string", "description": "Folder name that was listed (list-folder)." },
+    "rows": {
+      "type": "array",
+      "description": "Enriched model rows (search).",
+      "items": {
+        "type": "object",
+        "properties": {
+          "name": { "type": "string" },
+          "display_name": { "type": "string" },
+          "type": { "type": "string" },
+          "tags": { "type": "array", "items": { "type": "string" } },
+          "base_model": { "type": ["string", "null"] },
+          "trained_words": {
+            "oneOf": [
+              { "type": "array", "items": { "type": "string" } },
+              { "type": "null" }
+            ]
+          },
+          "source_url": { "type": ["string", "null"] },
+          "preview_url": { "type": ["string", "null"] },
+          "size": { "type": ["integer", "null"] },
+          "is_public": { "type": "boolean" },
+          "id": { "type": ["string", "null"] }
+        }
+      }
+    },
+    "folders": {
+      "type": "array",
+      "description": "Available model folders (list-folders).",
+      "items": {
+        "type": "object",
+        "properties": {
+          "name": { "type": "string" },
+          "subfolders": { "type": "array", "items": { "type": "string" } }
+        }
+      }
+    },
+    "files": {
+      "type": "array",
+      "description": "Files within a single folder (list-folder).",
+      "items": {
+        "type": "object",
+        "properties": {
+          "name": { "type": "string" },
+          "pathIndex": { "type": "integer" }
+        }
+      }
+    },
+    "row": {
+      "type": "object",
+      "description": "Projected model row for the exact match (show).",
+      "properties": {
+        "name": { "type": "string" },
+        "display_name": { "type": "string" },
+        "type": { "type": "string" },
+        "tags": { "type": "array", "items": { "type": "string" } },
+        "base_model": { "type": ["string", "null"] },
+        "source_url": { "type": ["string", "null"] },
+        "preview_url": { "type": ["string", "null"] },
+        "size": { "type": ["integer", "null"] },
+        "is_public": { "type": "boolean" },
+        "id": { "type": ["string", "null"] }
+      }
+    },
+    "asset": {
+      "type": "object",
+      "description": "Full verbatim Asset object from the server (show)."
+    }
+  }
+}
diff --git a/comfy_cli/schemas/nodes.json b/comfy_cli/schemas/nodes.json
new file mode 100644
index 00000000..42e114a9
--- /dev/null
+++ b/comfy_cli/schemas/nodes.json
@@ -0,0 +1,15 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "title": "comfy nodes *",
+  "description": "Output shape for node introspection commands (ls, show, search, upstream, downstream, path, types, categories).",
+  "type": "object",
+  "properties": {
+    "count": { "type": "integer" },
+    "rows": { "type": "array" },
+    "query": { "type": "string" },
+    "filter": { "type": "object" },
+    "name": { "type": "string" },
+    "paths": { "type": "array" },
+    "types": { "type": "array" }
+  }
+}
diff --git a/comfy_cli/schemas/project.json b/comfy_cli/schemas/project.json
new file mode 100644
index 00000000..bc7fb0d3
--- /dev/null
+++ b/comfy_cli/schemas/project.json
@@ -0,0 +1,60 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://comfy.org/schemas/project.json",
+  "title": "comfy project --json data payload",
+  "description": "Result of a `project init|status` invocation. `init` carries root/created; `status` is the queryable project state: defaults, blueprints, assets joined against the push lock, the run journal tail, and layout warnings.",
+  "type": "object",
+  "required": ["root"],
+  "additionalProperties": true,
+  "properties": {
+    "action": {"type": "string", "enum": ["init", "status"]},
+    "where_default": {
+      "type": "string",
+      "enum": ["local", "cloud"],
+      "description": "Backend default written into comfy.yaml by `project init` (--where flag, else auto-detected from configured credentials)."
+    },
+    "root": {"type": "string", "description": "Absolute path of the project root (the dir holding comfy.yaml)."},
+    "created": {
+      "type": "array",
+      "items": {"type": "string"},
+      "description": "Paths created by `project init`, relative to root."
+    },
+    "schema": {"type": "string", "description": "The marker schema, e.g. 'project/1'."},
+    "defaults": {
+      "type": "object",
+      "additionalProperties": true,
+      "properties": {
+        "where": {"type": "string", "enum": ["local", "cloud"]}
+      }
+    },
+    "blueprints": {
+      "type": "array",
+      "items": {"type": "string"},
+      "description": "Names of *.yaml files under blueprints/."
+    },
+    "assets": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "required": ["name", "sha256", "size", "pushed", "stale"],
+        "additionalProperties": true,
+        "properties": {
+          "name": {"type": "string", "description": "Path relative to assets/ (posix)."},
+          "sha256": {"type": "string"},
+          "size": {"type": "integer"},
+          "pushed": {"type": "boolean", "description": "Present in .comfy/assets.lock.json."},
+          "stale": {"type": "boolean", "description": "Pushed, but the on-disk sha256 no longer matches the lock."}
+        }
+      }
+    },
+    "recent_runs": {
+      "type": "array",
+      "items": {"type": "object"},
+      "description": "Tail of .comfy/runs.jsonl, newest last."
+    },
+    "warnings": {
+      "type": "array",
+      "items": {"type": "string"}
+    }
+  }
+}
diff --git a/comfy_cli/schemas/run.json b/comfy_cli/schemas/run.json
new file mode 100644
index 00000000..3a41afaa
--- /dev/null
+++ b/comfy_cli/schemas/run.json
@@ -0,0 +1,45 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://comfy.org/schemas/run.json",
+  "title": "comfy run --json data payload",
+  "type": "object",
+  "required": ["workflow", "status"],
+  "additionalProperties": true,
+  "properties": {
+    "workflow": {"type": "string", "description": "Absolute path to the workflow file."},
+    "status": {"type": "string", "enum": ["queued", "completed", "cancelled"]},
+    "prompt_id": {"type": ["string", "null"]},
+    "client_id": {"type": ["string", "null"]},
+    "outputs": {
+      "type": "array",
+      "items": {"type": "string"},
+      "description": "URLs or local paths to produced artifacts."
+    },
+    "outputs_by_node": {
+      "type": "object",
+      "description": "Cloud --wait only: the same artifact URLs grouped by the node id that produced them.",
+      "additionalProperties": {"type": "array", "items": {"type": "string"}}
+    },
+    "outputs_by_item": {
+      "type": "object",
+      "description": "Cloud --wait only: artifact URLs grouped by blueprint foreach item (via the compose item_map). Empty object when no item_map exists.",
+      "additionalProperties": {"type": "array", "items": {"type": "string"}}
+    },
+    "warnings": {
+      "type": "array",
+      "description": "Non-fatal diagnostics about the run (e.g. partial_execution when the cloud pruned an output branch). Empty when none.",
+      "items": {
+        "type": "object",
+        "required": ["code", "message"],
+        "additionalProperties": true,
+        "properties": {
+          "code": {"type": "string"},
+          "message": {"type": "string"}
+        }
+      }
+    },
+    "elapsed_seconds": {"type": ["number", "null"]},
+    "host": {"type": "string"},
+    "port": {"type": "integer"}
+  }
+}
diff --git a/comfy_cli/schemas/run_event.json b/comfy_cli/schemas/run_event.json
new file mode 100644
index 00000000..511ec81b
--- /dev/null
+++ b/comfy_cli/schemas/run_event.json
@@ -0,0 +1,35 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://comfy.org/schemas/run_event.json",
+  "title": "comfy run --json-stream NDJSON event",
+  "description": "One JSON object per line. The final line is an envelope (run.json schema in .data).",
+  "type": "object",
+  "required": ["type"],
+  "additionalProperties": true,
+  "properties": {
+    "schema": {
+      "const": "event/1",
+      "description": "Event contract version. Additive optional fields do not bump it; renamed/removed/retyped fields do."
+    },
+    "type": {
+      "type": "string",
+      "enum": [
+        "queued",
+        "executing",
+        "execution_cached",
+        "progress",
+        "executed",
+        "execution_error",
+        "output",
+        "cancelled"
+      ]
+    },
+    "node": {"type": ["string", "null"]},
+    "title": {"type": ["string", "null"]},
+    "class_type": {"type": ["string", "null"]},
+    "completed": {"type": ["integer", "null"]},
+    "total": {"type": ["integer", "null"]},
+    "prompt_id": {"type": ["string", "null"]},
+    "url": {"type": ["string", "null"]}
+  }
+}
diff --git a/comfy_cli/schemas/set_default.json b/comfy_cli/schemas/set_default.json
new file mode 100644
index 00000000..19c3756f
--- /dev/null
+++ b/comfy_cli/schemas/set_default.json
@@ -0,0 +1,11 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "title": "comfy set-default",
+  "description": "Output shape for the set-default command.",
+  "type": "object",
+  "properties": {
+    "default_workspace": { "type": ["string", "null"] },
+    "default_launch_extras": { "type": ["string", "null"] },
+    "default_where": { "type": ["string", "null"] }
+  }
+}
diff --git a/comfy_cli/schemas/skill.json b/comfy_cli/schemas/skill.json
new file mode 100644
index 00000000..5d0a732c
--- /dev/null
+++ b/comfy_cli/schemas/skill.json
@@ -0,0 +1,34 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "title": "comfy skills *",
+  "description": "Output shape for skill management commands.",
+  "type": "object",
+  "properties": {
+    "scope": { "type": "string" },
+    "dry_run": { "type": "boolean" },
+    "results": { "type": "array" },
+    "targets": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "properties": {
+          "skill": { "type": "string" },
+          "kind": { "type": "string" },
+          "scope": { "type": "string" },
+          "path": { "type": "string" },
+          "installed": { "type": "boolean" },
+          "state": {
+            "type": "string",
+            "enum": ["current", "stale", "modified", "missing", "unmanaged"]
+          }
+        }
+      }
+    },
+    "content": { "type": "string" },
+    "skills": { "type": "array" },
+    "valid": { "type": "boolean" },
+    "name": { "type": "string" },
+    "bundled": { "type": "boolean" },
+    "path": { "type": "string" }
+  }
+}
diff --git a/comfy_cli/schemas/templates.json b/comfy_cli/schemas/templates.json
new file mode 100644
index 00000000..62a6ee8e
--- /dev/null
+++ b/comfy_cli/schemas/templates.json
@@ -0,0 +1,72 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "title": "comfy templates *",
+  "description": "Output shape for template gallery commands (ls, show, fetch). All subcommands share this schema; each field is optional because the payload varies per subcommand.",
+  "type": "object",
+  "properties": {
+    "total_in_gallery": { "type": "integer", "description": "Total templates in the gallery before filtering (ls)." },
+    "matched": { "type": "integer", "description": "Templates matching the active filters before the --limit cap (ls)." },
+    "shown": { "type": "integer", "description": "Number of rows in the response after capping (ls)." },
+    "filters": {
+      "type": "object",
+      "description": "Active filter parameters (ls).",
+      "properties": {
+        "type": { "type": ["string", "null"] },
+        "category": { "type": ["string", "null"] },
+        "tag": { "type": ["string", "null"] },
+        "model": { "type": ["string", "null"] },
+        "provider": { "type": ["string", "null"] },
+        "name": { "type": ["string", "null"] }
+      }
+    },
+    "rows": {
+      "type": "array",
+      "description": "Template rows (ls).",
+      "items": {
+        "type": "object",
+        "properties": {
+          "name": { "type": "string" },
+          "title": { "type": "string" },
+          "output_type": { "type": "string" },
+          "category_title": { "type": "string" },
+          "tags": { "type": "array", "items": { "type": "string" } },
+          "models": { "type": "array", "items": { "type": "string" } },
+          "providers": { "type": "array", "items": { "type": "string" } },
+          "description": { "type": "string" }
+        }
+      }
+    },
+    "template": {
+      "type": "object",
+      "description": "Full template record (show).",
+      "properties": {
+        "name": { "type": "string" },
+        "title": { "type": "string" },
+        "output_type": { "type": "string" },
+        "category_title": { "type": "string" },
+        "group_category": { "type": "string" },
+        "tags": { "type": "array", "items": { "type": "string" } },
+        "models": { "type": "array", "items": { "type": "string" } },
+        "providers": { "type": "array", "items": { "type": "string" } },
+        "description": { "type": "string" },
+        "date": { "type": "string" },
+        "open_source": { "type": "boolean" },
+        "usage": { "type": "integer" },
+        "media_subtype": { "type": "string" },
+        "io": { "type": "object" }
+      }
+    },
+    "name": { "type": "string", "description": "Template name (fetch)." },
+    "title": { "type": "string", "description": "Template display title (fetch)." },
+    "output_type": { "type": "string", "description": "Output kind: image, video, audio, 3d (fetch)." },
+    "out": { "type": "string", "description": "Destination: file path or 'stdout' (fetch)." },
+    "bytes": { "type": "integer", "description": "Size of the fetched workflow JSON in bytes (fetch)." },
+    "node_count": {
+      "oneOf": [
+        { "type": "integer" },
+        { "type": "null" }
+      ],
+      "description": "Number of nodes in the fetched workflow (fetch)."
+    }
+  }
+}
diff --git a/comfy_cli/schemas/transfer.json b/comfy_cli/schemas/transfer.json
new file mode 100644
index 00000000..cf7f5c4d
--- /dev/null
+++ b/comfy_cli/schemas/transfer.json
@@ -0,0 +1,48 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "title": "comfy upload / comfy download",
+  "description": "Output schema for file transfer commands.",
+  "oneOf": [
+    {
+      "type": "object",
+      "properties": {
+        "uploads": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "properties": {
+              "local_path": {"type": "string"},
+              "cloud_name": {"type": "string"},
+              "subfolder": {"type": "string"},
+              "type": {"type": "string"}
+            },
+            "required": ["local_path", "cloud_name"]
+          }
+        }
+      },
+      "required": ["uploads"]
+    },
+    {
+      "type": "object",
+      "properties": {
+        "prompt_id": {"type": "string"},
+        "out_dir": {"type": "string"},
+        "files": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "properties": {
+              "url": {"type": "string"},
+              "path": {"type": "string"},
+              "size": {"type": "integer"},
+              "node_id": {"type": "string", "description": "id of the workflow node that produced this output (omitted when the job state has no final record to join against)"},
+              "item": {"type": "string", "description": "compose foreach item key this output belongs to (omitted without an item_map); item-mapped files are named <item>_<nnn>.<ext> with a per-item counter"}
+            },
+            "required": ["path"]
+          }
+        }
+      },
+      "required": ["prompt_id", "files"]
+    }
+  ]
+}
diff --git a/comfy_cli/schemas/version.json b/comfy_cli/schemas/version.json
new file mode 100644
index 00000000..1a952a3b
--- /dev/null
+++ b/comfy_cli/schemas/version.json
@@ -0,0 +1,10 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "title": "comfy version",
+  "description": "Output shape for the version command.",
+  "type": "object",
+  "properties": {
+    "version": { "type": "string" }
+  },
+  "required": ["version"]
+}
diff --git a/comfy_cli/schemas/which.json b/comfy_cli/schemas/which.json
new file mode 100644
index 00000000..a727e451
--- /dev/null
+++ b/comfy_cli/schemas/which.json
@@ -0,0 +1,12 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://comfy.org/schemas/which.json",
+  "title": "comfy which --json data payload",
+  "type": "object",
+  "required": ["workspace_path"],
+  "additionalProperties": true,
+  "properties": {
+    "workspace_path": {"type": ["string", "null"]},
+    "workspace_type": {"type": ["string", "null"]}
+  }
+}
diff --git a/comfy_cli/schemas/workflow.json b/comfy_cli/schemas/workflow.json
new file mode 100644
index 00000000..ccddd541
--- /dev/null
+++ b/comfy_cli/schemas/workflow.json
@@ -0,0 +1,27 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "title": "comfy workflow *",
+  "description": "Output shape for workflow editing commands (slots, set-slot, vary).",
+  "type": "object",
+  "properties": {
+    "workflow": { "type": "string" },
+    "count": { "type": "integer" },
+    "slots": { "type": "array" },
+    "applied": { "type": "array" },
+    "warnings": { "type": "array" },
+    "wrote": { "type": "string" },
+    "variations_summary": { "type": "array" },
+    "item_map": {
+      "type": "object",
+      "description": "compose: foreach item -> provenance map. Mirrors the `_meta.items` block embedded in each written workflow (`_meta.schema == \"compose/1\"`).",
+      "additionalProperties": {
+        "type": "object",
+        "properties": {
+          "nodes": { "type": "array", "items": { "type": "string" }, "description": "node ids this item's branch produced (numerically sorted, includes the save node)" },
+          "save_node": { "type": ["string", "null"], "description": "auto-appended save node id, null when the branch is terminal" },
+          "prefix": { "type": "string", "description": "per-item output filename prefix (<output_prefix>/<item key>)" }
+        }
+      }
+    }
+  }
+}
diff --git a/comfy_cli/skills/__init__.py b/comfy_cli/skills/__init__.py
new file mode 100644
index 00000000..78f22c42
--- /dev/null
+++ b/comfy_cli/skills/__init__.py
@@ -0,0 +1,651 @@
+"""Agent skill installer — multi-skill bundle.
+
+Ships a small set of SKILL.md files (the agent-facing description of how to
+drive ``comfy``) and writes them into every supported agent host on the
+user's machine:
+
+- Claude Code        — ``<scope>/.claude/skills/<name>/SKILL.md``
+- Cursor             — ``<scope>/.cursor/rules/<name>.mdc``
+- AGENTS.md (any)    — append a fenced ``<name>`` block
+
+The point: instead of running an MCP server, one command teaches every agent
+on the box how to drive ``comfy`` directly. This is the productized form of
+the agent-first CLI.
+
+Bundled skills (4 total):
+
+- ``comfy``          — the primary driver skill (command surface, output
+                       contract, routing, discovery, execution, and all
+                       domain patterns: image, video, audio, cloud, edit,
+                       condition, pipeline)
+- ``comfy-fragments``— typed reusable workflow fragments + YAML blueprint
+                       composition (build large pipelines from small pieces)
+- ``comfy-debug``    — debugging skill for when workflows fail or jobs hang
+- ``comfy-relay``    — what to put in chat while driving the CLI
+"""
+
+from __future__ import annotations
+
+import hashlib
+import json
+import os
+import re
+from collections.abc import Sequence
+from dataclasses import dataclass
+from importlib import resources
+from pathlib import Path
+from typing import Literal
+
+# Where the bundled skills live. Each tuple is (skill_name, package_subdir).
+# ``skill_name`` is the public identifier used in AGENTS.md fences and as the
+# subdir name in installed targets. ``package_subdir`` is the local resource
+# directory.
+_SKILL_PACKAGE_ROOT = "comfy_cli.skills"
+_SKILL_FILE = "SKILL.md"
+
+
+# (name, subdir) — the subdir is named after the skill, same as the rule
+# `skills validate` enforces on third-party skills (directory == frontmatter
+# name). The bundled skills must satisfy their own convention.
+BUNDLED_SKILLS: tuple[tuple[str, str], ...] = (
+    ("comfy", "comfy"),
+    ("comfy-fragments", "comfy-fragments"),
+    ("comfy-debug", "comfy-debug"),
+    ("comfy-relay", "comfy-relay"),
+    ("comfy-director", "comfy-director"),
+)
+
+
+# Skills we used to bundle and have since folded into the consolidated `comfy`
+# skill. `install()` prunes any of these left behind on disk so machines that
+# installed an older bundle converge to the current 4 on the next install.
+RETIRED_SKILLS: tuple[str, ...] = (
+    "comfy-image",
+    "comfy-video",
+    "comfy-audio",
+    "comfy-edit",
+    "comfy-condition",
+    "comfy-pipeline",
+    "comfy-cloud",
+)
+
+
+def bundled_skill_names() -> tuple[str, ...]:
+    return tuple(name for name, _ in BUNDLED_SKILLS)
+
+
+def _resolve_subdir(skill_name: str) -> str:
+    for name, subdir in BUNDLED_SKILLS:
+        if name == skill_name:
+            return subdir
+    raise ValueError(f"unknown bundled skill {skill_name!r}; choices: {', '.join(n for n, _ in BUNDLED_SKILLS)}")
+
+
+TargetKind = Literal["claude-code", "cursor", "agents-md"]
+Scope = Literal["user", "project"]
+
+
+@dataclass(frozen=True)
+class TargetPlan:
+    """A planned write to a single agent host for a single skill."""
+
+    skill: str
+    kind: TargetKind
+    scope: Scope
+    path: Path
+    exists: bool  # whether the file already exists at `path`
+
+
+@dataclass
+class TargetResult:
+    """Outcome of executing a TargetPlan."""
+
+    skill: str
+    kind: TargetKind
+    scope: Scope
+    path: Path
+    action: Literal["wrote", "skipped", "removed", "absent", "would_write", "would_remove"]
+    reason: str | None = None
+
+    def to_dict(self) -> dict:
+        return {
+            "skill": self.skill,
+            "kind": self.kind,
+            "scope": self.scope,
+            "path": str(self.path),
+            "action": self.action,
+            "reason": self.reason,
+        }
+
+
+def skill_content(name: str = "comfy") -> str:
+    """Return the SKILL.md text for the named bundled skill."""
+    subdir = _resolve_subdir(name)
+    pkg = resources.files(_SKILL_PACKAGE_ROOT) / subdir
+    return (pkg / _SKILL_FILE).read_text(encoding="utf-8")
+
+
+# ---------------------------------------------------------------------------
+# Third-party / path-based skill source resolution
+# ---------------------------------------------------------------------------
+
+_FRONTMATTER_NAME_RE = re.compile(r"^name:\s*(\S+)\s*$", re.MULTILINE)
+_FRONTMATTER_DESC_RE = re.compile(r"^description:\s*(.+)$", re.MULTILINE)
+
+
+@dataclass(frozen=True)
+class SkillSource:
+    name: str  # canonical skill name (frontmatter ``name:``)
+    content: str  # full SKILL.md content
+    bundled: bool  # False for path-loaded skills
+
+
+def load_skill_source(token: str) -> SkillSource:
+    """Resolve a --skill token: a bundled name, or a path to a skill dir/SKILL.md.
+
+    Path rules: the path may be a directory containing SKILL.md or the SKILL.md
+    itself. Frontmatter must declare ``name:`` (matching the directory name when
+    a directory is given) and a non-empty ``description:``. Raises ValueError
+    with a human-readable reason on any violation.
+    """
+    p = Path(token).expanduser()
+    looks_like_path = os.sep in token or token.startswith((".", "~")) or p.exists()
+    if not looks_like_path:
+        return SkillSource(name=token, content=skill_content(token), bundled=True)
+
+    md = p / "SKILL.md" if p.is_dir() else p
+    if not md.is_file():
+        raise ValueError(f"no SKILL.md found at {p}")
+    content = md.read_text(encoding="utf-8")
+    if not content.startswith("---"):
+        raise ValueError(f"{md}: missing frontmatter block")
+    name_m = _FRONTMATTER_NAME_RE.search(content)
+    desc_m = _FRONTMATTER_DESC_RE.search(content)
+    if not name_m:
+        raise ValueError(f"{md}: frontmatter must declare `name:`")
+    if not desc_m or not desc_m.group(1).strip():
+        raise ValueError(f"{md}: frontmatter must declare a non-empty `description:`")
+    name = name_m.group(1)
+    # The name becomes a directory component of the install target — restrict it
+    # to a simple slug so a hostile SKILL.md can't traverse out of the skills dir.
+    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9_-]*", name):
+        raise ValueError(
+            f"{md}: frontmatter name {name!r} must be a simple slug ([A-Za-z0-9_-], no leading dot/separators)"
+        )
+    if p.is_dir() and p.name != name:
+        raise ValueError(f"{md}: frontmatter name {name!r} must match directory name {p.name!r}")
+    return SkillSource(name=name, content=content, bundled=False)
+
+
+# ---------------------------------------------------------------------------
+# Install manifest — provenance and staleness tracking
+# ---------------------------------------------------------------------------
+
+
+def manifest_path() -> Path:
+    """Return the path to the skills install manifest (in the CLI config dir)."""
+    from comfy_cli.config_manager import ConfigManager
+
+    return Path(ConfigManager().get_config_path()) / "skills-manifest.json"
+
+
+def read_manifest() -> dict:
+    """Read the manifest; returns {} on missing or corrupt file."""
+    try:
+        return json.loads(manifest_path().read_text(encoding="utf-8"))
+    except (OSError, ValueError):
+        return {}
+
+
+def write_manifest(manifest: dict) -> None:
+    """Atomically write the manifest (tmp + rename so a SIGINT can't corrupt it)."""
+    path = manifest_path()
+    path.parent.mkdir(parents=True, exist_ok=True)
+    tmp = path.with_suffix(f".{os.getpid()}.tmp")
+    tmp.write_text(json.dumps(manifest, indent=2), encoding="utf-8")
+    os.replace(tmp, path)
+
+
+def _sha256(text: str) -> str:
+    return hashlib.sha256(text.encode("utf-8")).hexdigest()
+
+
+def _record_installed(target_path: Path, skill_name: str, content: str) -> None:
+    """Add or update the manifest entry for a successfully installed skill file."""
+    from comfy_cli.config_manager import ConfigManager
+
+    try:
+        cli_version = ConfigManager().get_cli_version()
+    except Exception:
+        cli_version = "0.0.0"
+
+    manifest = read_manifest()
+    manifest[str(target_path)] = {
+        "skill": skill_name,
+        "sha256": _sha256(content),
+        "cli_version": cli_version,
+    }
+    write_manifest(manifest)
+
+
+def _remove_manifest_entry(target_path: Path) -> None:
+    """Remove the manifest entry for an uninstalled skill file (if present)."""
+    manifest = read_manifest()
+    key = str(target_path)
+    if key in manifest:
+        del manifest[key]
+        write_manifest(manifest)
+
+
+SkillState = Literal["current", "stale", "modified", "missing", "unmanaged"]
+
+
+def _compute_skill_state(path: Path, skill_name: str, manifest: dict) -> SkillState:
+    """Compute the provenance state for a single installed skill file.
+
+    States:
+    - missing    — file does not exist on disk
+    - current    — file matches the current bundled content exactly
+    - stale      — file matches the manifest sha (user hasn't edited) but bundled moved on
+    - modified   — file differs from manifest sha (user has edited it)
+    - unmanaged  — file exists, no manifest entry, and differs from bundled content
+    """
+    if not path.exists():
+        return "missing"
+
+    try:
+        file_content = path.read_text(encoding="utf-8")
+    except OSError:
+        return "missing"
+
+    file_sha = _sha256(file_content)
+
+    # Try to get the current bundled content hash for comparison.
+    try:
+        bundled_content = skill_content(skill_name)
+        bundled_sha = _sha256(bundled_content)
+    except ValueError:
+        # Not a bundled skill (path-based) — only manifest tells us if it's unmodified.
+        bundled_sha = None
+
+    if bundled_sha is not None and file_sha == bundled_sha:
+        return "current"
+
+    entry = manifest.get(str(path))
+    if entry is None:
+        # File exists, no manifest, differs from bundled — unmanaged.
+        return "unmanaged"
+
+    manifest_sha = entry.get("sha256", "")
+    if file_sha == manifest_sha:
+        # File matches what was installed (user hasn't edited), but bundled moved on.
+        return "stale"
+
+    # File differs from both manifest and bundled — user edited it.
+    return "modified"
+
+
+def _agents_fence(skill_name: str) -> tuple[str, str]:
+    return (f"<!-- {skill_name}:start -->", f"<!-- {skill_name}:end -->")
+
+
+def _resolve_paths(*, skill_name: str, scope: Scope, project_root: Path) -> dict[TargetKind, Path]:
+    """Map each target kind to the path it would be written to under `scope`.
+
+    For ``user`` scope, paths are under ``~``.
+    For ``project`` scope, paths are under ``project_root`` (typically cwd).
+    """
+    if scope == "user":
+        home = Path.home()
+        return {
+            "claude-code": home / ".claude" / "skills" / skill_name / "SKILL.md",
+            "cursor": home / ".cursor" / "rules" / f"{skill_name}.mdc",
+            "agents-md": home / "AGENTS.md",
+        }
+    return {
+        "claude-code": project_root / ".claude" / "skills" / skill_name / "SKILL.md",
+        "cursor": project_root / ".cursor" / "rules" / f"{skill_name}.mdc",
+        "agents-md": project_root / "AGENTS.md",
+    }
+
+
+def _normalize_skills(skills: Sequence[str] | None) -> list[SkillSource]:
+    """Resolve a sequence of skill tokens into SkillSource objects.
+
+    Tokens that look like paths are resolved via ``load_skill_source``; plain
+    names are validated against the bundled set.  ``None`` / empty defaults to
+    all bundled skills.
+    """
+    if not skills:
+        return [SkillSource(name=name, content=skill_content(name), bundled=True) for name, _ in BUNDLED_SKILLS]
+    out: list[SkillSource] = []
+    for s in skills:
+        p = Path(s).expanduser()
+        looks_like_path = os.sep in s or s.startswith((".", "~")) or p.exists()
+        if looks_like_path:
+            # Raises ValueError on invalid path skills — caller handles.
+            out.append(load_skill_source(s))
+        else:
+            _resolve_subdir(s)  # validates bundled name; raises ValueError on unknown
+            out.append(SkillSource(name=s, content=skill_content(s), bundled=True))
+    return out
+
+
+def plan_install(
+    *,
+    scope: Scope = "user",
+    targets: Sequence[TargetKind] | None = None,
+    skills: Sequence[str] | None = None,
+    project_root: Path | None = None,
+) -> list[TargetPlan]:
+    """Return a TargetPlan per (skill, target) pair.
+
+    Default skills: all bundled. Default targets: all three. Default scope: user.
+    """
+    root = project_root or Path.cwd()
+    plans: list[TargetPlan] = []
+    for source in _normalize_skills(skills):
+        all_paths = _resolve_paths(skill_name=source.name, scope=scope, project_root=root)
+        kinds: list[TargetKind] = list(targets) if targets else list(all_paths.keys())
+        for kind in kinds:
+            path = all_paths[kind]
+            plans.append(TargetPlan(skill=source.name, kind=kind, scope=scope, path=path, exists=path.exists()))
+    return plans
+
+
+def install(
+    *,
+    scope: Scope = "user",
+    targets: Sequence[TargetKind] | None = None,
+    skills: Sequence[str] | None = None,
+    project_root: Path | None = None,
+    dry_run: bool = False,
+) -> list[TargetResult]:
+    """Install (or preview) the chosen skills across the chosen targets.
+
+    AGENTS.md gets one fenced block per skill (idempotent re-installs replace
+    the block). Other targets are full file writes per skill.
+    """
+    root = project_root or Path.cwd()
+    results: list[TargetResult] = []
+    sources = _normalize_skills(skills)
+    # Build a per-name content map so path-based skills carry their own content.
+    content_map: dict[str, str] = {src.name: src.content for src in sources}
+    plans = plan_install(scope=scope, targets=targets, skills=skills, project_root=root)
+    for plan in plans:
+        if dry_run:
+            results.append(
+                TargetResult(
+                    skill=plan.skill,
+                    kind=plan.kind,
+                    scope=plan.scope,
+                    path=plan.path,
+                    action="would_write",
+                )
+            )
+            continue
+        try:
+            content = content_map[plan.skill]
+            if plan.kind == "claude-code":
+                _write_claude_skill(plan.path, content)
+                _record_installed(plan.path, plan.skill, content)
+            elif plan.kind == "cursor":
+                _write_cursor_rule(plan.path, content, skill_name=plan.skill)
+                _record_installed(plan.path, plan.skill, content)
+            elif plan.kind == "agents-md":
+                _upsert_agents_md_block(plan.path, content, skill_name=plan.skill)
+            results.append(
+                TargetResult(skill=plan.skill, kind=plan.kind, scope=plan.scope, path=plan.path, action="wrote")
+            )
+        except OSError as e:
+            results.append(
+                TargetResult(
+                    skill=plan.skill,
+                    kind=plan.kind,
+                    scope=plan.scope,
+                    path=plan.path,
+                    action="skipped",
+                    reason=str(e),
+                )
+            )
+    return results
+
+
+def uninstall(
+    *,
+    scope: Scope = "user",
+    targets: Sequence[TargetKind] | None = None,
+    skills: Sequence[str] | None = None,
+    project_root: Path | None = None,
+    dry_run: bool = False,
+) -> list[TargetResult]:
+    """Remove the chosen skills from each target. AGENTS.md keeps its other content."""
+    results: list[TargetResult] = []
+    for plan in plan_install(scope=scope, targets=targets, skills=skills, project_root=project_root):
+        if dry_run:
+            action: Literal["would_remove", "absent"] = "would_remove" if plan.exists else "absent"
+            results.append(
+                TargetResult(skill=plan.skill, kind=plan.kind, scope=plan.scope, path=plan.path, action=action)
+            )
+            continue
+        try:
+            if plan.kind == "agents-md":
+                removed = _remove_agents_md_block(plan.path, skill_name=plan.skill)
+                results.append(
+                    TargetResult(
+                        skill=plan.skill,
+                        kind=plan.kind,
+                        scope=plan.scope,
+                        path=plan.path,
+                        action="removed" if removed else "absent",
+                    )
+                )
+            else:
+                if plan.path.exists():
+                    plan.path.unlink()
+                    _remove_manifest_entry(plan.path)
+                    results.append(
+                        TargetResult(
+                            skill=plan.skill,
+                            kind=plan.kind,
+                            scope=plan.scope,
+                            path=plan.path,
+                            action="removed",
+                        )
+                    )
+                else:
+                    results.append(
+                        TargetResult(
+                            skill=plan.skill,
+                            kind=plan.kind,
+                            scope=plan.scope,
+                            path=plan.path,
+                            action="absent",
+                        )
+                    )
+        except OSError as e:
+            results.append(
+                TargetResult(
+                    skill=plan.skill,
+                    kind=plan.kind,
+                    scope=plan.scope,
+                    path=plan.path,
+                    action="skipped",
+                    reason=str(e),
+                )
+            )
+    return results
+
+
+def _agents_block_present(path: Path, skill_name: str) -> bool:
+    if not path.exists():
+        return False
+    text = path.read_text(encoding="utf-8")
+    start, end = _agents_fence(skill_name)
+    return start in text and end in text
+
+
+def _prune_one(name: str, kind: TargetKind, scope: Scope, path: Path, dry_run: bool) -> TargetResult:
+    present = _agents_block_present(path, name) if kind == "agents-md" else path.exists()
+    if not present:
+        return TargetResult(skill=name, kind=kind, scope=scope, path=path, action="absent")
+
+    # Manifest guard: only delete a file when:
+    #   (a) the manifest records it as comfy-managed, OR
+    #   (b) no manifest file exists (legacy pre-manifest installs — converge anyway).
+    if kind != "agents-md":
+        mfile = manifest_path()
+        manifest_exists = mfile.exists()
+        if manifest_exists:
+            manifest = read_manifest()
+            if str(path) not in manifest:
+                # File exists but is not comfy-managed — skip to preserve user files.
+                return TargetResult(skill=name, kind=kind, scope=scope, path=path, action="absent")
+
+    if dry_run:
+        return TargetResult(
+            skill=name,
+            kind=kind,
+            scope=scope,
+            path=path,
+            action="would_remove",
+        )
+    try:
+        if kind == "agents-md":
+            _remove_agents_md_block(path, skill_name=name)
+        else:
+            path.unlink()
+            _remove_manifest_entry(path)
+            # Claude skills live in their own <name>/ dir — drop it if now empty.
+            if kind == "claude-code" and not any(path.parent.iterdir()):
+                path.parent.rmdir()
+        return TargetResult(skill=name, kind=kind, scope=scope, path=path, action="removed")
+    except OSError as e:
+        return TargetResult(skill=name, kind=kind, scope=scope, path=path, action="skipped", reason=str(e))
+
+
+def prune_retired(
+    *,
+    scope: Scope = "user",
+    targets: Sequence[TargetKind] | None = None,
+    project_root: Path | None = None,
+    dry_run: bool = False,
+) -> list[TargetResult]:
+    """Remove any retired skills (see ``RETIRED_SKILLS``) left on disk.
+
+    Idempotent and safe when none exist — every absent target reports
+    ``absent``. Lets a machine that installed an older bundle converge to the
+    current set on the next ``install``.
+    """
+    root = project_root or Path.cwd()
+    results: list[TargetResult] = []
+    for name in RETIRED_SKILLS:
+        all_paths = _resolve_paths(skill_name=name, scope=scope, project_root=root)
+        kinds: list[TargetKind] = list(targets) if targets else list(all_paths.keys())
+        for kind in kinds:
+            results.append(_prune_one(name, kind, scope, all_paths[kind], dry_run))
+    return results
+
+
+# ---------------------------------------------------------------------------
+# per-target writers
+# ---------------------------------------------------------------------------
+
+
+def _backup_if_user_edited(path: Path, expected_content: str) -> Path | None:
+    """If `path` exists with content that differs from what we'd write, save a
+    timestamped `.bak` so a user's hand-edits aren't silently destroyed.
+
+    Returns the backup path (or None if no backup was needed).
+    """
+    if not path.exists():
+        return None
+    try:
+        current = path.read_text(encoding="utf-8")
+    except OSError:
+        return None
+    if current == expected_content:
+        return None
+    from datetime import datetime
+
+    ts = datetime.now().strftime("%Y%m%d-%H%M%S")
+    bak = path.with_suffix(path.suffix + f".{ts}.bak")
+    try:
+        bak.write_text(current, encoding="utf-8")
+    except OSError:
+        return None
+    return bak
+
+
+def _atomic_write_text(path: Path, content: str) -> None:
+    """Write via tmp + rename so a SIGINT mid-write can't leave the file empty."""
+    path.parent.mkdir(parents=True, exist_ok=True)
+    tmp = path.with_suffix(path.suffix + f".{os.getpid()}.tmp")
+    try:
+        tmp.write_text(content, encoding="utf-8")
+        os.replace(tmp, path)
+    except Exception:
+        try:
+            tmp.unlink()
+        except OSError:
+            pass
+        raise
+
+
+def _write_claude_skill(path: Path, content: str) -> None:
+    _backup_if_user_edited(path, content)
+    _atomic_write_text(path, content)
+
+
+def _cursor_description_for(skill_name: str) -> str:
+    return {
+        "comfy": "comfy CLI for ComfyUI workflows, models, node-graph queries, image/video/audio generation, cloud, and pipeline orchestration.",
+        "comfy-fragments": "Typed reusable workflow fragments + YAML blueprint composition: build large pipelines from small tested pieces via comfy CLI.",
+        "comfy-debug": "Debugging skill for the comfy CLI: failed workflows, hung jobs, error envelopes.",
+        "comfy-relay": "What to put in chat while driving the comfy CLI: show artifacts, surface results, truncation rules.",
+    }.get(skill_name, f"comfy CLI skill: {skill_name}")
+
+
+def _write_cursor_rule(path: Path, content: str, *, skill_name: str) -> None:
+    body = _strip_frontmatter(content)
+    rule = f'---\ndescription: {_cursor_description_for(skill_name)}\nglobs: "**/*"\nalwaysApply: false\n---\n\n{body}'
+    _backup_if_user_edited(path, rule)
+    _atomic_write_text(path, rule)
+
+
+def _upsert_agents_md_block(path: Path, content: str, *, skill_name: str) -> None:
+    start, end = _agents_fence(skill_name)
+    block = f"\n{start}\n{content}\n{end}\n"
+    if not path.exists():
+        _atomic_write_text(path, block.lstrip("\n"))
+        return
+    existing = path.read_text(encoding="utf-8")
+    if start in existing and end in existing:
+        before, _, rest = existing.partition(start)
+        _, _, after = rest.partition(end)
+        new = before.rstrip() + "\n\n" + block.lstrip("\n") + after.lstrip("\n")
+    else:
+        new = existing.rstrip() + "\n" + block
+    _atomic_write_text(path, new)
+
+
+def _remove_agents_md_block(path: Path, *, skill_name: str) -> bool:
+    if not path.exists():
+        return False
+    text = path.read_text(encoding="utf-8")
+    start, end = _agents_fence(skill_name)
+    if start not in text or end not in text:
+        return False
+    before, _, rest = text.partition(start)
+    _, _, after = rest.partition(end)
+    new = before.rstrip() + ("\n" + after.lstrip("\n") if after.strip() else "\n")
+    path.write_text(new, encoding="utf-8")
+    return True
+
+
+def _strip_frontmatter(content: str) -> str:
+    if not content.startswith("---\n"):
+        return content
+    _, _, rest = content.partition("---\n")
+    _, _, body = rest.partition("---\n")
+    return body.lstrip("\n")
diff --git a/comfy_cli/skills/comfy-debug/SKILL.md b/comfy_cli/skills/comfy-debug/SKILL.md
new file mode 100644
index 00000000..056a737a
--- /dev/null
+++ b/comfy_cli/skills/comfy-debug/SKILL.md
@@ -0,0 +1,162 @@
+---
+name: comfy-debug
+description: Debugging skill for the comfy CLI — failed workflows, stuck jobs, error envelopes, and the fastest path from "it broke" to "fixed".
+---
+
+When something fails on the comfy CLI, **read the JSON envelope first**, act on the `hint`, and only go deeper if needed. This skill is the bottom-up playbook.
+
+## The envelope is the source of truth
+
+Every command emits the standard JSON envelope (see core skill). When `error` is present, map `error.code` to a fix below.
+
+Three rules:
+
+1. **Map `error.code` to a fix below.** Most codes have a one-line resolution.
+2. **`hint` is authoritative.** If it says "run: comfy launch", that's the fix. Don't paraphrase, don't guess.
+3. **`details` carries the why.** Look here before scrolling logs.
+
+## Decision tree for common failures
+
+### `server_not_running` (local)
+```
+comfy launch              # start the local server in the foreground
+# or, for background mode:
+comfy launch --background
+```
+If `comfy launch` itself fails: check `comfy --json env` for the resolved interpreter and workspace, and inspect whatever stdout `comfy launch` was attached to.
+
+### `cloud_not_configured` / `cloud_unauthorized` (cloud)
+```
+comfy cloud login                   # opens browser, OAuth + PKCE
+# or, if you already have an API key:
+comfy cloud set-key --key sk-…      # alternative path; API key is a fallback, not an override
+comfy --json cloud whoami           # confirm signed_in: true (auth_method is "oauth" or "api_key")
+```
+Auth precedence is **OAuth-first**: a live `comfy cloud login` session outranks `COMFY_CLOUD_API_KEY` env, which outranks a stored key. `comfy cloud whoami` shows which credential is active. If a stale session is causing 401s, `comfy cloud logout && comfy cloud login` — setting an API key will NOT override a live session.
+If you're on a custom env (PR preview), set the base URL first:
+```
+comfy cloud set-base-url https://fe-pr-NNNNN.testenvs.comfy.org
+```
+**Do not confuse this with `transient_auth` (below).** `cloud_unauthorized` happens before submission (your CLI session); an "Unauthorized" that appears as a *job failure* is the server-side token expiry and re-login does nothing.
+
+### `transient_auth` (cloud job failed with "Unauthorized: Please login first to use this node")
+An API node's **server-side** session token expired mid-execution. It is transient and has nothing to do with your local credentials — `comfy cloud login` will NOT fix it, and your auth was fine at submit time (often it strikes minutes into a long render, sometimes a whole batch at once).
+```
+comfy --json run --workflow same_workflow.json --where cloud   # just resubmit — succeeds on retry
+```
+If several jobs from one batch died together with this code, resubmit them all; one retry each is normally enough.
+
+### `workflow_not_api_format`
+UI-format workflows are converted to API format **client-side** using object_info (no server conversion endpoint exists). If conversion fails with `conversion_error`, re-export via `File > Export (API)` in ComfyUI; if object_info can't be fetched (`cql_no_graph`), run `comfy nodes refresh --where cloud` or start a local server.
+
+### `workflow_invalid_json`
+The file isn't valid JSON. Inspect the first/last 100 bytes — often it's an HTML error page that was saved with `.json`.
+
+### `prompt_rejected` (server returned `node_errors`)
+The server validated the workflow and rejected nodes. The full per-node error map is in `details.node_errors`. The two most common causes:
+
+- **Unknown class_type** → the cloud or local server lacks the custom node. Run:
+  ```
+  comfy --json nodes search MissingNodeName
+  ```
+  If `data.count` is 0, the node is genuinely absent. Then either install via `comfy node install <pkg>` (local) or pick a different workflow (cloud).
+
+- **Missing model file** (`ckpt_name`, `lora_name`, `vae_name` not found) → confirm the loader node exists and see its choices:
+  ```
+  comfy --json nodes show CheckpointLoaderSimple   # inputs[].choices lists available checkpoints
+  comfy --json env                                  # see workspace/models path
+  ```
+
+### `cloud_http_error` (HTTP 4xx/5xx from cloud)
+`details.status` is the HTTP code. `details.body` is the truncated server response. Most common:
+
+- `401 invalid auth token` → token audience mismatch. Decode the token at jwt.io or via `python3 -c 'import base64,json,sys; ...'` and check `aud`. The `aud` field must match what `/api/prompt` expects.
+- `404` returning XML `<AuthenticationRequired>` → wrong path. Real ComfyUI endpoints on cloud live under `/api/*`; everything else hits the CDN catch-all.
+- `503` → check the Comfy Cloud dashboard or server logs for deployment health.
+
+### `cloud_timeout`
+`cloud_timeout` — the run went **silent** for `--timeout` seconds (default 120). `comfy run --timeout` is a per-event-silence deadline on both local and cloud: it resets whenever the job reports progress, so a workflow streaming progress can run indefinitely. Wall-clock limits exist only on `comfy jobs watch --max-wait` (default 600s, cloud). Recovery: re-run with a larger `--timeout`, or submit async and `comfy jobs watch <id>`.
+```
+RES=$(comfy --json run --workflow X.json --where cloud)   # async by default
+PID=$(echo "$RES" | jq -r .data.prompt_id)
+comfy --json-stream jobs watch "$PID" --where cloud --max-wait 1800
+```
+
+### `ws_timeout` / `ws_disconnected` (local)
+The WebSocket dropped mid-stream. Reconnect:
+```
+comfy jobs status <prompt_id>      # one-shot snapshot
+comfy --json-stream jobs watch <prompt_id>   # re-attach
+```
+The local server keeps the job; the CLI just lost its tail.
+
+### `cql_query_invalid`
+`cql_query_invalid` — raised when a legacy `--query` string is passed to `comfy templates ls`. There is no query grammar; use flag-based filtering instead: `--type image|video|audio`, `--tag <t>`, `--model <m>` (templates) and `--produces/--accepts/--category/--pack` (`comfy nodes ls`).
+
+### `cql_no_graph`
+The CLI needs an `object_info.json` to query against. Two options:
+```
+comfy launch                                        # then re-run the nodes command
+comfy --json nodes ls --produces IMAGE --input /path/to/object_info.json
+```
+
+### `comfy generate` is partially machine-readable
+`comfy generate` is partially machine-readable: `generate <model> --json` and
+`generate resume <id> --json` print the raw API response as JSON;
+`generate upload <file> --json` emits structured `{url, expires_at, ...}`;
+`generate <model> --emit-workflow out.json` goes through the full renderer
+envelope (`command: "generate emit-workflow"`, error code `emit_workflow_failed`).
+The default proxy path (`generate <model>` without those flags) is still
+pretty-only — don't parse it. Known sharp edge: `generate resume` for BFL can
+raise a raw traceback on an expired/unknown id (HTTP 404 is unwrapped).
+
+## Job-stuck triage
+
+If a prompt seems to hang:
+
+```
+# 1. Is it still tracked?
+comfy --json jobs ls
+
+# 2. What does the server think?
+comfy --json jobs status <prompt_id>
+
+# 3. Watch live events (NDJSON, one per line)
+comfy --json-stream jobs watch <prompt_id>
+```
+
+Three possible answers:
+
+| Symptom | Likely cause | Fix |
+|---|---|---|
+| `status: pending`, `queue_position > 0` | Earlier jobs ahead of you | Wait or cancel them |
+| `status: running` but no progress events | A long sampler step, or a hung custom node | Wait one sampler-step's worth; if still stuck, interrupt |
+| `status: error` with no `error_message` | Server crashed mid-execution | Check the Comfy Cloud dashboard or server logs (cloud), or the stdout of `comfy launch` (local) |
+
+## Interrupting / cancelling
+
+```
+comfy --json run --workflow X.json    # async by default, returns a prompt_id
+# later, if it's running too long:
+comfy jobs cancel <prompt_id>         # works on both local and cloud
+```
+
+## When `--json` makes diagnosis worse, not better
+
+Pretty mode hides the envelope behind a rendered panel. If the rendered output is opaque, **always re-run with `--json`** — that's the contract. Conversely, if `--json` floods you with NDJSON, drop `-stream` to get a single envelope.
+
+## What to NOT do
+
+- Don't `chmod` files in the model dirs to "fix" load failures — the path is wrong, not the permissions.
+- Don't delete the OAuth session to "reset" — that loses state. Use `comfy cloud logout` and `comfy skills uninstall` instead.
+- Don't paste raw error messages into prompts without the `details` block — the details are usually what disambiguates the fix.
+
+## Where to look when nothing in the envelope helps
+
+1. `comfy --json env`               → interpreter, workspace, server reachability, conda env
+2. `comfy --json which`              → resolved workspace path + how it was picked
+3. `comfy --json cloud whoami`        → cloud session state + base URL
+4. Server logs:
+   - Local: whatever stdout `comfy launch` was attached to (foreground), or the journal/console for `comfy launch --background`
+   - Cloud: check the Comfy Cloud dashboard or server logs
+5. The bundled `comfy` skill — re-read it; the right command for what you're trying to do is almost certainly already documented there.
diff --git a/comfy_cli/skills/comfy-director/SKILL.md b/comfy_cli/skills/comfy-director/SKILL.md
new file mode 100644
index 00000000..2570f652
--- /dev/null
+++ b/comfy_cli/skills/comfy-director/SKILL.md
@@ -0,0 +1,109 @@
+---
+name: comfy-director
+description: Use when asked to make a narrative video — an ad, brand film, short, trailer, music video, or any multi-shot clip that tells a story (not a single shot or loop). Also use when a video was rejected for "no story", "doesn't flow", "feels like a montage", or characters that change between shots.
+---
+
+# Comfy Director
+
+Story first, pictures second. Multi-shot AI films fail in the edit, not the
+render: beats that don't cause each other read as a montage wearing a story's
+clothes, no matter how good each clip looks.
+
+**REQUIRED BACKGROUND:** the `comfy` skill (CLI mechanics, workflow hierarchy)
+and `comfy-fragments` (composing multi-stage graphs). On any failed job,
+`comfy-debug`.
+
+## Order of operations
+
+1. **Concept** — one idea a stranger can retell.
+2. **Screenplay** — before touching the pipeline. Deliver it to the user first.
+3. **Shot list** — each scene mapped to a continuity strategy.
+4. **Audio design** — against the screenplay's emotional beats, not after picture.
+5. **Produce** → **conform** → **QC**.
+
+Skipping 2 and jumping to renders is the #1 cause of killed cuts.
+
+## Screenplay rules
+
+- **One protagonist** the camera can follow. Recognizable in every shot.
+- **Causality test:** every cut answers "and BECAUSE of that…" — never
+  "and then, somewhere else…". If a beat can be reordered without breaking
+  anything, it isn't a story yet.
+- **Stranger test:** someone with zero context must retell the plot in two
+  sentences ("X wanted A, B stopped them, they did C, so D").
+- Beats carry timings that sum to the target runtime.
+
+## Concept rules
+
+- The brand/product is **felt, not name-checked**: argue its philosophy;
+  in-jokes and community lore quoted on screen read as fan-service.
+- A technique the client mentions ("style transfer", a model name) is a
+  **spark, not a mandate** — use it only if the idea needs it. Building the
+  film around a technique is the tell of a vendor, not a director.
+- Weirdness must compound: surprising subject AND object AND setting.
+  One weird element in a normal frame is decoration.
+
+## Prompting shots
+
+- **Photoreal shots:** live-action cinematographer / film-stock language ONLY.
+  One illustrator/anime/comics name in a photoreal prompt poisons it.
+  Illustrated references belong only in deliberately stylized shots.
+- Motion prompts describe HOW the scene moves, not what's in it (see `comfy`
+  skill video gotchas — t2v/i2v model traps, SaveVideo, fps wiring).
+
+## Continuity toolkit
+
+Pick per shot, in rough order of strength:
+
+| Strategy | Use for |
+|---|---|
+| Character/location reference image carried into each shot's i2v graph | protagonist identity |
+| Keyframe of shot N seeds shot N+1 (image-referenced restyle or end-frame) | contiguous action |
+| Repeated wardrobe/light/lens lines verbatim in every prompt | cheap baseline glue |
+
+If a shot can't hold continuity, **rewrite the screenplay** so it doesn't
+need that shot — don't ship the break.
+
+## Audio
+
+- Score = **short designed cues joined at story pivots**; one long generation
+  will not follow a dynamic arc (it inverts exactly where you need the peak).
+- Place VO by math: stem duration vs beat window, before mixing.
+- Duck score under VO; loudness-normalize the final mix (~-14 LUFS).
+
+## Production ops
+
+- Append EVERY submit — shots, keyframes, audio stems, resubmits — to
+  `job_ids.txt` (`<job_name> <prompt_id>`) **at submit time**. Append-only:
+  a resubmit gets a new line (`shot_s3_resubmit <id>`), never an overwrite,
+  so dead prompt_ids keep their shot identity.
+- Keep `LOG.md` at the project root: an append-only event log, written **at
+  event time, not session end** — one line per submit/resubmit (+ failure
+  code), per QC verdict (+ re-roll reason), and per decision that invalidates
+  earlier work: recasts, prompt changes, which reference image or stem is now
+  canonical. Frame-by-frame findings live in `qc/QC_LOG.md`; LOG.md indexes them.
+
+  ```
+  17:36 ERROR shot_s3 transient_auth -> RESUBMIT 27dd45b4 (same workflow, no re-login)
+  17:44 QC shot_s2 FAIL background-crawl -> re-roll (same kf, new seed); recut beat if 2nd fails
+  17:50 DECISION recast protagonist -> ref_ray.png canonical; vo2, vo6 stale, re-gen
+  ```
+- **Recovery contract:** a successor agent with zero memory must resume from
+  disk alone: `LOG.md` (what happened, why) → `job_ids.txt` (which jobs) →
+  `comfy jobs status` (their states). A decision not in LOG.md dies with the
+  session — completed-but-stale jobs (an old casting's VO stems) otherwise
+  look identical to good ones.
+- ffprobe every downloaded clip; normalize off-spec duration/dimensions
+  before conform.
+- QC one frame from every clip against the screenplay before cutting.
+- Exact runtime: trim/retime per-beat in ffmpeg, don't hope.
+
+## Common mistakes (each killed a real cut)
+
+| Mistake | Result |
+|---|---|
+| Renders before screenplay | "Eight handsome beats that don't cause each other" |
+| Community lore on screen | "Too direct, fan-service" |
+| Client's mentioned technique as the concept | "I said it to spark ideas" |
+| No continuity plan | Protagonist changes face every cut |
+| One 40s music gen | Arc inverts at the climax |
diff --git a/comfy_cli/skills/comfy-fragments/SKILL.md b/comfy_cli/skills/comfy-fragments/SKILL.md
new file mode 100644
index 00000000..78afa5ac
--- /dev/null
+++ b/comfy_cli/skills/comfy-fragments/SKILL.md
@@ -0,0 +1,604 @@
+---
+name: comfy-fragments
+description: Compose large Comfy workflows from small reusable fragment pieces — each a self-contained workflow JSON with declared inputs, outputs, and parameters. Use when iterating on complex workflows, when patterns repeat, or when a workflow JSON grows past ~200 lines.
+---
+
+This skill is the **composition layer** on top of `comfy`. Where
+the core skill teaches you to build large single-graph workflows that
+ComfyUI can parallelize, this skill teaches you how to **assemble those
+large graphs from smaller reusable pieces** — like functions in code.
+
+It assumes `comfy` (core CLI) is loaded. Pair it with the domain skills
+(image, video, audio, editing domains in the core `comfy` skill). Fragments
+are how you avoid rebuilding the same 8-node IPAdapter block five times.
+
+---
+
+## When to use fragments
+
+Default to fragments + blueprints for workflows that may be extended. A small
+workflow often becomes tomorrow's multi-shot, multi-seed, or multi-provider
+pipeline; starting with a named fragment and a blueprint keeps that next step
+cheap.
+
+Use fragments when **any of**:
+
+- A simple template or node chain might later need another shot, seed sweep,
+  provider swap, refiner, ControlNet, LoRA, or final save variant.
+- A sub-region of a workflow (a ControlNet stack, an IPAdapter block, a
+  refiner pass, a save+thumbnail group) is reused across two or more
+  workflows — extract it once, instantiate twice.
+- A workflow JSON is creeping past ~200 lines and you're losing the
+  mental model of which node ID does what.
+- You're about to copy-paste a pattern from another workflow (text cards,
+  inpaint passes, upscale finishers, LLM-driven prompt direction).
+- You're iterating on a piece and small edits keep cascading through the
+  whole JSON.
+- Multiple model providers are chained (Ideogram + Reve + Flux + Magnific)
+  and the chain wiring is the hard part.
+
+Avoid fragments only when:
+
+- A workflow is a truly throwaway one-shot and the user explicitly values speed
+  over future extension.
+- You only need to tweak values inside an existing workflow — use
+  `comfy workflow slots / set-slot / vary` instead.
+- The whole graph is under ~10-15 nodes, will not be varied or reused, and has
+  no natural named sub-region.
+
+---
+
+## The mental model
+
+A fragment is a **function with named inputs, outputs, and parameters**:
+
+```
+inpaint_region(
+    image: IMAGE,                  # input
+    mask:  MASK,                   # input
+    prompt: str,                   # param
+    guidance: float = 30.0,        # param with default
+    seed: int = 2000,              # param with default
+) -> IMAGE
+```
+
+Inside the fragment, the implementation can be 1 node or 30 — the caller
+doesn't care. They pass arguments and get a typed result they can pipe
+into the next step.
+
+A **blueprint** chains fragments end-to-end (typically YAML), and a small
+**composer** tool emits the final monolithic workflow JSON ready for
+`comfy run`.
+
+---
+
+## 1. The fragment file format
+
+A fragment is one `.json` file in a `fragments/` directory. It has a
+`_fragment` metadata header that declares the fragment's typed interface,
+followed by the interior ComfyUI nodes (API-format, just like a workflow).
+
+```json
+{
+  "_fragment": {
+    "name":        "image_blend",
+    "version":     "1",
+    "description": "Blend two images with a configurable mode and factor.",
+    "terminal":    false,
+    "inputs": {
+      "image1": {"type": "IMAGE", "binds": "10.image1"},
+      "image2": {"type": "IMAGE", "binds": "10.image2"}
+    },
+    "outputs": {
+      "image":  {"type": "IMAGE", "from": "10", "port": 0}
+    },
+    "params": {
+      "blend_factor": {"type": "FLOAT", "binds": "10.blend_factor", "default": 0.5},
+      "blend_mode":   {"type": "COMBO", "binds": "10.blend_mode",   "default": "normal"}
+    }
+  },
+
+  "10": {
+    "class_type": "ImageBlend",
+    "_meta": {"title": "blend two passes"},
+    "inputs": {
+      "image1": "PLACEHOLDER",
+      "image2": "PLACEHOLDER",
+      "blend_factor": 0.5,
+      "blend_mode": "normal"
+    }
+  }
+}
+```
+
+### Metadata fields
+
+| field | required | meaning |
+|---|---|---|
+| `name` | yes | Stable identifier. Blueprints reference fragments by this name. |
+| `version` | no (default `"1"`) | String version, semver-ish. Bump when the interface changes. |
+| `description` | recommended | One-line human description. |
+| `terminal` | optional (default `false`) | `true` if the fragment contains its own `SaveImage`/`SaveVideo`. Stops the composer from appending another save. |
+| `inputs` | no (default `{}`) | Each input has a `type` — any UPPER_SNAKE_CASE socket type (`IMAGE`, `MASK`, `AUDIO`, `VIDEO`, `STRING`, `MODEL`, `CONDITIONING`, `LATENT`, `VAE`, `CLIP`, custom types…) — and a `binds: "<interior_node_id>.<input_name>"` pointing at the actual node-field this input feeds. Path-loadable types (`IMAGE`/`MASK`/`AUDIO`/`VIDEO`) accept file paths — the composer injects a loader node. All other socket types must be fed by a cross-step ref (`$alias.output`), never a path. |
+| `outputs` | no (default `{}`) | Each output has a `type` and `from: "<interior_node_id>"` plus optional `port` (default `0`). |
+| `params` | optional | Settable values (text, seed, strength, model name, etc.). Each has `type` ∈ {`STRING`, `INT`, `FLOAT`, `BOOLEAN`, `COMBO`} (the node-schema vocabulary, exactly as `nodes show` prints it), a `binds`, and optionally a `default`. |
+
+### Conventions for interior nodes
+
+- Use simple integer IDs (`"10"`, `"11"`, …). The composer remaps them
+  globally so collisions across fragments don't matter.
+- Use the literal string `"PLACEHOLDER"` for any input that will be filled
+  by the composer at instantiation. (Defaults from `params` overwrite it.)
+- Internal edges (`["10", 0]`) are preserved and renumbered automatically.
+
+---
+
+## 2. The blueprint DSL
+
+A blueprint is a YAML file describing one composed workflow. The composer reads
+the blueprint, instantiates each listed fragment, wires inputs/params, and
+writes one API-format workflow JSON.
+
+```yaml
+output_prefix: outputs/my_pipeline
+
+pipeline:
+  - fragment: text_card           # name (looked up in ./fragments/)
+    alias:    headline            # unique handle for downstream refs
+    inputs:
+      destination_image: $asset.base.png        # project asset → resolved via the push lock
+      source_mask:       $asset.mask_top.png    # type MASK → LoadImage + ImageToMask
+    params:
+      text_prompt: "BREAKING NEWS"
+      comp_x: 140
+      comp_y: 30
+
+  - fragment: text_card
+    alias:    subhead
+    inputs:
+      destination_image: $headline.image        # ← previous step's output
+      source_mask:       $asset.mask_sub.png
+    params:
+      text_prompt: "...details..."
+```
+
+### The `$`-reference algebra
+
+Four reference kinds, each with ONE resolution source, all resolved at
+compose time. **Whole-value only**: a `$`-ref must be the ENTIRE string —
+`"a $asset.x b"` is plain text, there is no interpolation/templating.
+
+| Reference | Resolves from | Where it works |
+|---|---|---|
+| `$alias.output` | a prior step's named output → `[node_id, port]` wire | inputs |
+| `$item.field` | the current `foreach` item (see foreach below) | inputs + params |
+| `$asset.<relative/path>` | the project push lock → server-side filename | inputs + params + item field values |
+| `$var.<name>` | the project comfy.yaml `vars:` block | inputs + params + item field values |
+
+- **`$asset.<relative/path>`** — a file under the governing project's
+  `assets/` dir (project/1 — see the core `comfy` skill), resolved through
+  the push lock (`comfy assets push`) to the server-side filename. On an
+  input it is then materialized like a path (loader injected); on a param
+  the resolved filename lands as the widget value. Compose fails closed
+  with `asset_not_pushed` / `asset_stale` when the file was never pushed or
+  changed since — the hint says exactly what to run.
+- **`$var.<name>`** — a project constant from a top-level `vars:` mapping
+  in `comfy.yaml` (scalars: str/int/float/bool). Resolves to the RAW scalar,
+  so an `INT` param fed `$var.steps` stays an int. Undefined name →
+  `var_not_defined` (add it under `vars:`). Referenced vars are snapshotted
+  into the compiled JSON's `_meta.vars` for provenance. Use it for the
+  style/prompt constants every scene shares:
+
+  ```yaml
+  # comfy.yaml
+  vars:
+    house_style: "<your shared style suffix>, golden hour"
+  # blueprint params — every scene appends the same style, edited in ONE place:
+  #   params: {prompt: $var.house_style}
+  ```
+
+- In a `foreach`, an item FIELD value may itself be a `$asset.`/`$var.` ref:
+  `$item.first` substitutes the field first, then the resulting whole-value
+  string resolves per item.
+
+Besides refs, an `inputs:` entry also accepts:
+
+- **A path string** — for `IMAGE`, `MASK`, `AUDIO`, `VIDEO` inputs the composer
+  injects the appropriate loader (`LoadImage` / `LoadAudio` / `LoadVideo`,
+  plus `ImageToMask` for `MASK`). The value must be a filename the *server*
+  can see in its input dir — in a project, prefer `$asset` so push and
+  resolution are handled for you. For `STRING` inputs the value passes through
+  as a literal.
+- **A literal** — for `STRING` inputs only. Non-string literals for non-STRING
+  types are rejected.
+
+### Cross-step refs work across any output type
+
+`$alias.image`, `$alias.conditioning`, `$alias.mask`, `$alias.audio`,
+`$alias.video` — whatever the fragment declared as outputs. The composer
+errors clearly if the alias or output name doesn't exist.
+
+### Final save behavior
+
+If the **last** step's fragment has `terminal: true`, the composer leaves the
+workflow alone (your fragment handles saving). Otherwise it appends a
+`SaveImage` or `SaveVideo` (auto-detected from the final step's first
+`IMAGE`/`VIDEO` output) using `output_prefix` as the filename prefix.
+
+---
+
+## 3. The command surface
+
+Fragment composition is built into the `comfy` CLI:
+
+```bash
+# Compose a blueprint into a single workflow JSON
+comfy workflow compose blueprints/my_pipeline.yaml   # → blueprints/my_pipeline.compiled.json
+
+# Specify a custom fragments directory (default: ./fragments) or output path
+comfy workflow compose blueprints/my_pipeline.yaml --lib ./my_fragments -o pipeline.json
+
+# List fragments in a library
+comfy --json workflow fragment ls [--lib DIR]
+
+# Show a fragment's metadata, ports, and interior node count
+comfy --json workflow fragment show <name_or_path>
+
+# Validate a fragment file is well-formed
+comfy --json workflow fragment validate <name_or_path>
+
+# Then submit the composed workflow
+comfy run --workflow blueprints/my_pipeline.compiled.json --wait
+```
+
+`--lib` defaults to `./fragments` relative to cwd. Default output is
+`<blueprint>.compiled.json`, next to the blueprint.
+
+Compose embeds `_meta` (`schema: compose/1`) provenance in the compiled
+JSON — the blueprint path and, for `foreach`, which nodes belong to which
+item (also `item_map` in the envelope). `comfy run` strips it before
+submit (old servers unaffected) and uses the map to report
+`outputs_by_item` and to name downloaded files `<item>_<nnn>.<ext>` —
+never identify fan-out outputs by array order.
+
+With `chunk: N` in a `foreach` blueprint, compose splits items into
+N-item batches and writes one numbered file per batch (`<stem>.000.json`,
+`<stem>.001.json`, …). The envelope then reports `out: null` (there is no
+single runnable file) plus `graphs` (count) and `written[]` (all paths) —
+script against `data.written`, not `data.out`, and note any stale
+unnumbered `<stem>.compiled.json` from a previous non-chunked compose is
+deleted automatically.
+
+All commands emit JSON envelopes under `comfy --json`. The composer
+exits non-zero on validation errors with structured error codes
+(`fragment_invalid`, `blueprint_invalid`, `blueprint_not_found`,
+`fragment_lib_not_found`) — caught at compose time, not after cloud spend.
+`fragment_lib_not_found` is raised by `workflow fragment ls` when the
+library directory (explicit `--lib`, or the default `./fragments`)
+doesn't exist yet — create it when you author your first fragment. A
+missing fragment during `compose` surfaces as `fragment_invalid` instead.
+
+---
+
+## 4. End-to-end example
+
+Project layout (project/1 — `comfy project init`):
+
+```
+my-project/
+  comfy.yaml          # schema: project/1 + defaults.where
+  fragments/
+    text_encode.json
+    sampler.json
+    save_still.json
+  blueprints/
+    portrait.yaml
+  assets/
+    seed_photo.png    # referenced as $asset.seed_photo.png
+```
+
+Push, compose, submit:
+
+```bash
+cd my-project
+comfy --json assets push                      # upload changed assets, update the lock
+comfy workflow compose blueprints/portrait.yaml
+comfy run --workflow blueprints/portrait.compiled.json --wait
+```
+
+That's the full agent loop. The fragment library is reusable across blueprints;
+blueprints are small and obvious; the composed workflow is a normal API JSON
+that submits like any other.
+
+---
+
+## 5. Real-world blueprint shape
+
+A typical production pipeline for a single piece:
+
+```yaml
+pipeline:
+  - fragment: subject_generator         # base photoreal scene
+    alias: subject
+    ...
+
+  - fragment: text_card                  # branded text card 1
+    alias: card_a
+    inputs: {destination_image: $subject.image, source_mask: ...}
+    ...
+
+  - fragment: text_card                  # branded text card 2
+    alias: card_b
+    inputs: {destination_image: $card_a.image, source_mask: ...}
+    ...
+
+  - fragment: inpaint_region             # surgical fix to a problem area
+    alias: fix_face
+    inputs: {image: $card_b.image, mask: ...}
+    ...
+
+  - fragment: vision_verify              # in-graph QA gate (optional)
+    alias: qa
+    inputs: {image: $fix_face.image}
+
+  - fragment: magnific_finish            # 4x upscale to print
+    alias: final
+    inputs: {image: $fix_face.image}
+```
+
+A 30-40 line blueprint expands to a 200-500 node workflow. Compose-time
+validation catches the typical mistakes (missing inputs, bad alias
+references, type mismatches) before you spend cloud compute on a
+broken job.
+
+---
+
+## 6. How to create a fragment
+
+**The typical flow** — discover the node, wrap it in a fragment, use it
+from a blueprint:
+
+1. Discover the node: `comfy --json nodes show <ClassName>` — check its
+   inputs, outputs, and valid parameter values
+2. Write `fragments/<name>.json` with:
+   - `_fragment` header (name, inputs, outputs, params with binds)
+   - Interior nodes (1-15) in standard API format
+   - `"PLACEHOLDER"` for inputs that the blueprint will supply
+   - Reasonable defaults for optional params
+3. Validate: `comfy --json workflow fragment validate <name>`
+4. Use from a blueprint and compose to verify it works end-to-end
+
+**Refactoring path** — if you already have a working raw JSON workflow
+and want to extract reusable pieces:
+
+1. Identify the sub-region you'll reuse (5-15 nodes that form a logical unit)
+2. Copy those nodes into `fragments/<name>.json`, add a `_fragment` header
+3. Replace concrete values with `"PLACEHOLDER"`
+4. Validate + compose + test
+
+Always test a new fragment by composing a blueprint and submitting the
+result before relying on it.
+
+---
+
+## 7. Picking input types
+
+| Input type | Use for | The composer does |
+|---|---|---|
+| `IMAGE` | Photos, generated images, reference frames | Injects `LoadImage` when the blueprint value is a path; passes through when the value is `$alias.image` |
+| `MASK` | Binary/alpha masks | Injects `LoadImage` + `ImageToMask` (channel: red) for paths |
+| `AUDIO` | WAV/MP3/FLAC | Injects `LoadAudio` for paths |
+| `VIDEO` | MP4/WebM | Injects `LoadVideo` for paths |
+| `STRING` | Prompts, model names, captions, any literal | Pass-through. No loader injection. |
+
+Use the type that matches what the interior node actually consumes.
+`CONDITIONING` (and `MODEL`, `CLIP`, `VAE`, `LATENT`) are first-class input
+types — declare `type: CONDITIONING` and wire it with a cross-step ref like
+`conditioning: $encode.conditioning`. Only path-loadable types (`IMAGE`,
+`MASK`, `AUDIO`, `VIDEO`) accept file paths; all other socket types must
+come from a prior step via `$alias.output_name`.
+
+---
+
+## 8. Starter pattern library
+
+Build these once and reuse forever.
+
+### `subject_generator` — LLM-directed base generation
+
+`ClaudeNode` (positive) + `ClaudeNode` (negative) + `Flux Dev` + LoRA
+stack → IMAGE. Sweep on the Claude seed for genuine interpretation
+variance, not just noise variance.
+
+### `text_card` — typography card via Ideogram + composite
+
+`IdeogramV3` → `ImageScale` → `ImageCompositeMasked`. Use this whenever
+brand text or specific phrases must be legible — Ideogram is reliable
+at text where Flux is not.
+
+### `inpaint_region` — context-aware content replacement
+
+`FluxProFillNode` with detailed prompt. Use for replacing a masked
+region with new content that integrates with scene lighting. **Note:
+this is REPLACE-ONLY — see gotchas section.**
+
+### `magnific_finish` — production upscale
+
+`MagnificImageUpscalerCreativeNode` (Sparkle engine). Defaults to
+preserve mode (`creativity=0`, `resemblance=10`) for final delivery.
+Bump `creativity` to 2-3 for mild detail enhancement.
+
+### `vision_verify` — in-graph QA gate
+
+`ClaudeNode` with `images` input + a checklist system_prompt. Returns
+a structured PASS/FAIL critique. (Note: capturing the TEXT output of
+ClaudeNode for retrieval requires a `SaveString` node — its in-graph
+output is consumable by downstream nodes but not always exposed by the
+job-status API.)
+
+---
+
+## 9. Gotchas baked into fragment defaults
+
+Each of these tripped someone up during real production. Encoding them
+into the fragment defaults means they can't be forgotten:
+
+### `ImageCompositeMasked` — mask MUST match SOURCE size
+
+The mask input gets bilinear-upscaled to the source image's dimensions.
+If you pass a destination-sized mask (e.g., 1536×1024) with a small
+source (e.g., 330×180), the small white-rectangle inside the big mask
+shrinks to almost-black and the composite renders almost nothing.
+
+The `text_card` fragment requires you to supply a mask **already sized
+to your `scale_width × scale_height` params**. The composer documents
+this expectation in error messages.
+
+### `COMFY_DYNAMICCOMBO_V3` inputs use dotted keys
+
+Nodes like `ClaudeNode`, `ReveImageCreateNode` declare a `model` input
+with type `COMFY_DYNAMICCOMBO_V3` — when you select a model, that model
+brings its own required sub-params (`max_tokens`, `temperature`, etc.).
+In API workflow JSON these are flat dotted keys, NOT nested:
+
+```json
+// ✅ correct
+"inputs": {
+  "model": "Opus 4.6",
+  "model.max_tokens": 800,
+  "model.temperature": 0.95
+}
+
+// ❌ wrong — fails validation
+"inputs": {
+  "model": ["Opus 4.6", {"max_tokens": 800, "temperature": 0.95}]
+}
+```
+
+### `SAM3Grounding` outputs MASK directly
+
+Looks like a "find boxes" node but actually returns a `MASK`. Wire it
+straight into mask-consuming nodes. `SAM3Segmentation` is only needed
+when you've built boxes yourself via `SAM3CreateBox` +
+`SAM3CombineBoxes`.
+
+### `FluxProFillNode` is REPLACE-ONLY
+
+It has no denoise / strength parameter. Whatever pixels are inside the
+mask get fully regenerated from the prompt. **Never use it to "refine"
+existing composited content** — it will overwrite that content.
+
+For true refinement (preserve most of the masked region, only smooth
+edges and lighting), use **KSampler + VAEEncode + SetLatentNoiseMask**
+with `denoise=0.15–0.25`, or run `MagnificImageUpscalerCreativeNode`
+with `creativity=2-3` at upscale time.
+
+### `MagnificImageRelightNode` `style="smooth"` drains color
+
+Counter-intuitively, the "smooth" relight style produces a sepia /
+monochromatic image. For warming light without color loss, use
+`style="brighter"` or `style="clean"`. Always test on a small image
+before committing it to a pipeline.
+
+### `MagnificImageUpscalerCreativeNode` parameter ranges
+
+| Param | Range | Note |
+|---|---|---|
+| `creativity` | 0–10 | 0 = preserve, 4+ = noticeable reinterpretation |
+| `resemblance` | -10–10 | NOT 0–100. 10 = max preservation. |
+| `hdr` | 0–10 | small values are fine for most scenes |
+
+### Text rendering: use Ideogram, not Flux
+
+Flux and SDXL/SD3 cannot reliably render specific text. If your piece
+has brand wordmarks, specific phrases, or proper names that MUST be
+spelled correctly, the right tool is:
+
+1. **Ideogram V3** in-graph (`IdeogramV3` node) — Ideogram is the
+   text-master model in this stack
+2. PIL composite externally (post-processing) — guaranteed but layered
+3. **Don't** trust Flux Pro Fill to render text inside an inpaint
+   — it will produce garbled glyphs every time
+
+The `text_card` fragment uses Ideogram for this reason. Don't substitute
+Flux into it.
+
+---
+
+## 10. When the pattern breaks down
+
+Honest limits:
+
+- **One-shot exploration is faster without the indirection** — if
+  you're just trying things, write raw workflow JSON or use
+  `comfy workflow vary`.
+- **External (non-Comfy) steps don't compose as cleanly** — Python
+  post-processing like PIL composites or external file conversions
+  need a separate step type in the composer. Keep them outside the
+  Comfy graph.
+- **Comfy version drift** — if ComfyUI's native subgraph support
+  (v0.3+) stabilizes for API workflow JSON export, eventually migrate
+  to native subgraphs. The JSON-composition approach is portable but
+  reinvents what Comfy itself wants to provide.
+- **Debugging composed workflows** — when something fails, you're
+  looking at a generated workflow JSON, not your hand-written one.
+  Keep the composer's intermediate output (`blueprint.compiled.json`)
+  for inspection. Log the blueprint + fragment versions per run.
+
+---
+
+## 11. What NOT to do
+
+- **Don't put model loading inside every fragment.** Load `CheckpointLoaderSimple`
+  once in the blueprint's first step and pass `model`/`clip`/`vae` outputs by
+  cross-step ref. Fragments are about reusable sub-regions; the shared model
+  state belongs at the top.
+- **Don't author huge fragments.** If a fragment has more than ~15 interior
+  nodes, it's probably two fragments. Same for params — 15+ params means
+  you should split.
+- **Don't hide critical model choices in defaults.** If swapping
+  `flux1-dev` for `sd3.5_large` would silently change the output
+  character, expose it as a required param.
+- **Don't compose at runtime via shell scripts.** The Python composer
+  catches errors at compose time. Shell glue catches them after cloud spend.
+- **Don't reach into another fragment's internals.** If you need access
+  to a node deep inside a fragment, that node should be promoted to
+  an output of the fragment's public interface, or the fragment should
+  be split.
+- **Don't skip validation** before submitting a composed workflow that
+  uses a new fragment. Run `comfy workflow fragment validate <name>`
+  first — it catches missing `binds` targets, malformed metadata, and
+  orphan interior nodes locally.
+- **Don't reuse aliases across steps.** Aliases must be unique within a
+  blueprint; the composer rejects duplicates.
+
+---
+
+## 12. Failure modes and what they mean
+
+| code | what's wrong | what to fix |
+|---|---|---|
+| `fragment_invalid` | The fragment file itself is malformed (bad `_fragment` header, missing fields, dangling `binds`) | Read the error message; fix the fragment JSON |
+| `fragment_lib_not_found` | The library directory passed to `fragment ls` (explicit `--lib`, or the default `./fragments`) doesn't exist | Create `./fragments/` and author a fragment, or pass a valid `--lib <real_path>` |
+| `blueprint_not_found` | The blueprint YAML path doesn't exist | Check the path |
+| `blueprint_invalid_yaml` | The blueprint file isn't valid YAML | Run it through `yamllint` |
+| `blueprint_invalid` | The blueprint semantically fails (missing fragment, missing input, unknown input key, duplicate alias) | Read the error — it names the offending step alias |
+| `asset_not_pushed` | A `$asset.<name>` ref has no entry in `.comfy/assets.lock.json` (or the file vanished from `assets/`) | `comfy assets push`, then re-compose |
+| `asset_stale` | The file under `assets/` changed since its last push (sha256 mismatch with the lock) | `comfy assets push`, then re-compose |
+| `var_not_defined` | A `$var.<name>` ref names nothing under `vars:` in the project's comfy.yaml | Add the name under `vars:`, then re-compose |
+
+---
+
+## Summary
+
+| Without fragments | With fragments |
+|---|---|
+| 1500-line workflow JSON | 40-line blueprint + N small fragments |
+| Edits hunt through node IDs | Edits change one blueprint param |
+| Errors caught at cloud submission | Errors caught at compose time |
+| Patterns get copy-pasted between projects | Patterns become reusable units |
+| Gotchas re-discovered each project | Gotchas baked into fragment defaults |
+
+Fragments treat workflows the way good code treats logic: small named
+units, typed interfaces, defaults that encode wisdom, and a composer
+that wires them up.
diff --git a/comfy_cli/skills/comfy-relay/SKILL.md b/comfy_cli/skills/comfy-relay/SKILL.md
new file mode 100644
index 00000000..552995d9
--- /dev/null
+++ b/comfy_cli/skills/comfy-relay/SKILL.md
@@ -0,0 +1,126 @@
+---
+name: comfy-relay
+description: Use when constructing, writing, or slot-editing a ComfyUI workflow JSON, or surfacing the result of `comfy run` — the artifact must appear in chat, not vanish into /tmp.
+---
+
+The artifact is the update. When you build or change a workflow, the user
+should see the JSON — not a sentence about the JSON. When you submit it,
+the user should see the prompt_id and routing — not a 200-line envelope.
+
+This skill is about **what to put in chat** while driving the comfy CLI.
+It is paired with `comfy` (the surface).
+
+## The rule
+
+**Show the artifact. Then act on it.**
+
+| Moment | Show in chat |
+|---|---|
+| Creating a fragment JSON | The `_fragment` header (inputs/outputs/params) — not the full interior nodes unless small |
+| Writing a blueprint YAML | The full YAML blueprint in a fenced block |
+| Constructing raw JSON (<30 nodes only) | The full JSON in a fenced ```json block |
+| Editing one slot | A one-line diff: `<addr>: <old> → <new>` |
+| Varying multiple slots | The sweep matrix as a small table |
+| Composing a blueprint | The `comfy workflow compose` command + summary (steps, nodes) |
+| Submitting a workflow | `prompt_id`, `state_file`, route (local/cloud), one line |
+| Job terminal | status + the output URL(s) or path(s) — nothing else |
+
+**Anti-pattern:** building a 100-node raw JSON workflow in chat. Use
+fragments + blueprints — show the blueprint YAML (10-30 lines) instead of
+the compiled workflow (100+ lines). The user can spot bad values in
+a blueprint far more easily than in raw node wiring.
+
+## Constructing — show the blueprint, not the compiled JSON
+
+For fragment-based workflows: show the **blueprint YAML** and the
+**fragment `_fragment` headers** — not the compiled workflow JSON.
+The compiled JSON is a build artifact; the blueprint is the source of truth.
+
+For raw JSON workflows (<30 nodes): show the full JSON in a fenced
+```json block before writing to disk.
+
+## Editing one slot — show the diff
+
+Discover slots, then announce the change as a single-line diff before
+running `set-slot`:
+
+```text
+Slot edit: 1.prompt
+  - "A 1950s Technicolor TV commercial …"
+  + "A 1950s Technicolor TV commercial, color-saturated Kodachrome …"
+```
+
+Then:
+
+```bash
+comfy workflow set-slot ./workflows/vintage-intro.json 1.prompt="…"
+```
+
+If the new value is >200 chars, show the first 120 chars + `[…N more]`
+in the diff. The full string is in the command, so they can still see it
+if they need to.
+
+## Varying many slots — show the matrix
+
+For `workflow vary`, show the sweep as a small table (variant | slot values)
+before generating files.
+
+## Submitting — surface route + ids in one line
+
+After `comfy run`, distill the envelope into a single line:
+
+```text
+Submitted (cloud) → 99626e0a-b7fb-4c21-a9f3-d8e1052c7a34 · state: <state_file path from envelope>
+```
+
+Not this (don't dump the full envelope):
+```json
+{"ok": true, "command": "run", "version": "0.0.0", "where": "cloud", "data": { … 40 lines … }}
+```
+
+If `node_errors` is non-empty, show those — that's the only part of the
+envelope the user usually cares about.
+
+## Terminal status — output, not envelope
+
+When `jobs watch` or `--wait` returns, surface just status + outputs:
+
+```text
+✓ completed in 2m45s — 1 output
+  https://cloud.comfy.org/api/view?filename=dcb37…mp4
+```
+
+Or on failure:
+```text
+✗ error (node 1 / Veo3VideoGenerationNode)
+  Unauthorized: Please login first to use this node.
+  Hint: comfy cloud login   (or comfy cloud set-key --key …)
+```
+
+## Truncation rules — keep chat scannable
+
+- JSON > ~60 lines: show first 40 and last 10, elide the middle with `// … N nodes elided …`
+- Any string slot > 200 chars: show first 120 chars + `[…N more]`
+- Never truncate `prompt_id`, `state_file`, error messages, or URLs
+- File paths: show relative-to-cwd (`./workflows/x.json`) not the `/tmp/…` form
+
+## What NOT to relay
+
+- Don't narrate the building process ("first I will set the model, then…").
+  The JSON itself shows the structure.
+- Don't dump the raw `comfy --json …` envelope unless the user asked for it.
+- Don't relay every progress tick during `jobs watch` — one line per state
+  transition (`queued → executing → completed`) is plenty.
+- Don't echo API keys or auth tokens, ever. The CLI redacts; you should too.
+
+## Output presentation
+
+After downloading outputs, present them to the user: use `view_media` for
+images, provide the file path for videos. Don't just say "downloaded to
+./outputs/" — show the artifact.
+
+## Quick check before sending a message
+
+Ask: would the user be able to spot a bad value (wrong model, wrong prompt,
+wrong seed) from what I'm about to send? If the answer is "only by
+opening a file," put the artifact in the message.
diff --git a/comfy_cli/skills/comfy/SKILL.md b/comfy_cli/skills/comfy/SKILL.md
new file mode 100644
index 00000000..2c2b43ee
--- /dev/null
+++ b/comfy_cli/skills/comfy/SKILL.md
@@ -0,0 +1,947 @@
+---
+name: comfy
+description: Generate images, videos, audio, and 3D via ComfyUI — CLI surface, workflow creation hierarchy (template → fragment → raw JSON), domain gotchas, cloud auth, multi-stage orchestration.
+---
+
+You have access to `comfy`, a local CLI that drives ComfyUI (local install or Comfy Cloud).
+
+The surface splits cleanly in two:
+
+- **Discovery** — read-only commands that answer "what's here?" (nodes,
+  schemas, workflow slots, auth state, env). Safe to call freely.
+- **Execution** — state-changing commands that submit work, edit files,
+  sign in, or install software.
+
+Read the **Ground rules** first; they cross both halves. Then the two
+halves are independent — you can scan only what's relevant to the task.
+
+---
+
+# Ground rules
+
+## Output contract (the envelope)
+
+Every command emits the same JSON shape:
+
+```json
+{
+  "ok": true,
+  "command": "...",
+  "version": "0.0.0",
+  "where": "local" | "cloud" | null,
+  "data": { ... },
+  "error": null | { "code": "...", "message": "...", "hint": "...", "details": {...} }
+}
+```
+
+When `error` is present, **read the `hint` and act on it**. Don't guess.
+
+## Routing
+
+The CLI auto-detects: `cloud` if credentials are configured (API key or
+OAuth session), else `local`. Precedence: `--where` flag → `COMFY_WHERE`
+env → the governing project's `defaults.where` (`comfy.yaml`, see
+Projects) → `comfy set-default --where …` config → auto-detect. A local
+`--where` always beats the project default. Check routing:
+
+```bash
+comfy --json cloud whoami   # signed_in, auth_method, base_url
+```
+
+If the user is signed in, commands auto-route to cloud — just run them
+without `--where`. Mention routing only when the user asks to switch.
+
+## Error codes — react, don't guess
+
+The most common error codes and what to do:
+
+| Code | Do this |
+|---|---|
+| `server_not_running` | `comfy launch` to start the local server, or switch to `--where cloud` |
+| `cloud_not_configured` | Ask the user to run `comfy cloud login` (opens browser, OAuth + PKCE) |
+| `cloud_unauthorized` | Your CLI session expired or token rejected *before submission*. Run `comfy cloud login` again. |
+| `transient_auth` | A cloud job died mid-run with "Unauthorized: Please login first to use this node" — server-side token expiry, NOT your login. Resubmit the same workflow; do NOT re-login. |
+| `node_not_found` | Read `details.close_matches` — pick the closest match and re-run |
+
+For the full error code list and resolution steps, run `comfy --json discover`.
+When any *job* fails (an `execution_error`-family envelope), invoke the
+`comfy-debug` skill before improvising — it maps every failure code to a fix.
+
+## Routing the request — survey first, then choose
+
+Don't commit to the first approach that fits. The ecosystem spans gallery
+templates, partner-API providers, and thousands of OSS nodes/models. Survey
+the option space before deciding (see "The ecosystem is vast" below for the
+commands). The default is **workflow-first**: even when a partner provider is
+the right model, reach for its *node* inside a fragment/blueprint so the result
+is a reusable, inspectable Job on the graph. What to build — which model,
+provider, and approach — is your judgment to make from what discovery returns;
+this skill teaches you how to look, not what to pick.
+
+Once you know what you want, there are three *mechanisms* to build it. Pick
+by structure, not by habit — this is a mechanism map, not a quality ranking:
+
+| Mechanism | When it fits |
+|---|---|
+| `comfy templates ls/fetch` → slot-edit → `comfy run` | A curated gallery workflow already matches the shape you need |
+| fragments + blueprint → one composed workflow → `comfy run` | **Default** — workflows you may extend, fan out, reuse, vary, or explain later; wrap a partner provider's *node* here too |
+| `comfy generate <slug>` | **Escape hatch** — a throwaway one-shot against a single partner provider (a proxy call, not a graph Job) |
+
+Prefer **one larger Comfy workflow** over many separate submissions when the
+steps can run in the same graph. Comfy can parallelize independent branches,
+so use fan-out branches, batch nodes, and shared loaders/references inside one
+workflow before splitting into separate jobs. Split only when a stage needs
+human review, different routing/auth, server memory isolation, or failure
+recovery that is worth losing graph-level parallelism.
+
+**Escape hatch — `comfy generate <slug>`:** for a throwaway one-shot
+against a single partner provider, `comfy generate` skips the graph
+entirely. It dispatches to Comfy's partner-API **proxy**
+(`api.comfy.org/proxy/...`), which calls the provider on your behalf and
+bills to your Comfy account (it is **not** a workflow Job — nothing lands
+on the graph and nothing is reusable). Reach for it only when you want a
+quick disposable result; anything you'll reiterate on belongs in a
+workflow.
+
+## Workflow creation — choosing how to build
+
+Once discovery has told you *what* to build, choose the construction
+mechanism by complexity and reuse — not as a quality ranking:
+
+1. **Template** — `comfy templates ls --type <image|video|audio>`
+   If a curated workflow matches the shape, fetch it. For one-off smoke tests,
+   slot-edit and run it directly. For anything that may become a longer piece,
+   multiple variations, or a reusable pattern, wrap the useful template region
+   as a fragment and drive it from a blueprint.
+
+2. **Fragment + blueprint** — this is the **default construction path** once
+   the workflow is more than a throwaway. Use it even for simple workflows if
+   the next likely step is "make it longer", "add another shot", "vary seeds",
+   "reuse this with a different prompt", or "chain another model".
+
+   There is no shipped fragment library. A fragment is what YOU write
+   *after* deriving the wiring from live sources — distilled knowledge,
+   kept in the project's `./fragments/`. The loop below is the reusable
+   part; the artifacts it produces depend on what YOUR backend has today.
+
+   **a. Survey the space** — compare OSS, partner, and gallery options
+   before choosing (swap `video`/`VIDEO` for the media type at hand):
+   ```bash
+   comfy --json templates ls --type video --limit 10        # working exemplar graphs
+   comfy --json nodes ls --produces VIDEO --exclude-deprecated
+   comfy --json nodes ls --category "partner/video*"       # partner providers
+   ```
+
+   **b. Learn the wiring from a real graph.** Templates are
+   upstream-curated, *working* workflows — THE reference for how nodes
+   actually wire (positive vs negative conditioning, lora'd CLIP feeding
+   both text encoders, VAE-from-checkpoint, denoise semantics):
+   ```bash
+   comfy templates fetch <name-from-YOUR-survey> --out ref.json
+   comfy --json workflow slots ref.json          # its addressable surface
+   ```
+   Or derive from the type graph directly:
+   ```bash
+   comfy --json nodes show <NodeClass-from-YOUR-survey> --where cloud  # exact schema + enum choices
+   comfy nodes path IMAGE VIDEO                  # what CAN connect these types
+   ```
+
+   **c. Distill into a local fragment** — author `./fragments/<name>.json`
+   capturing the wiring you derived: 1-15 standard API-format nodes wrapped
+   with a `_fragment` header declaring typed inputs, outputs, and params
+   (caller-supplied values marked `"PLACEHOLDER"`). Make EVERY asset/model
+   name a required param with no default, so the next composition
+   re-discovers instead of inheriting. Load the `comfy-fragments` skill for
+   the format, then check your work:
+   ```bash
+   comfy --json workflow fragment validate <name>
+   ```
+
+   **d. Compose + run** — a YAML blueprint in `blueprints/<name>.yaml`
+   wires your fragments together; cross-step refs use `$alias.output_name`,
+   project assets use `$asset.<relative/path>`, project constants use
+   `$var.<name>` (the full `$`-reference algebra is in the Projects section):
+   ```bash
+   comfy workflow compose blueprints/<name>.yaml   # → blueprints/<name>.compiled.json
+   RES=$(comfy --json run --workflow blueprints/<name>.compiled.json)
+   PROMPT_ID=$(echo "$RES" | jq -r .data.prompt_id)
+   comfy --json jobs watch "$PROMPT_ID"
+   ```
+
+   **Trace (video, partner node) — a record of one run of the loop, NOT a
+   recommendation.** On this backend, today, the survey returned what's
+   sketched below; yours WILL differ — pick from YOUR rows:
+   ```bash
+   comfy --json nodes ls --category "partner/video*" --limit 10
+   # → today's rows included an image-to-video partner node; call it <I2VNode>
+   comfy --json nodes show <I2VNode> --where cloud
+   # → schema said: start image + prompt + a duration enum in, VIDEO out
+   comfy nodes path IMAGE VIDEO   # confirmed the route; SaveVideo still required at the end
+   ```
+   The agent then AUTHORED `./fragments/i2v.json` (input `start_frame:
+   IMAGE`; params `prompt`, `duration` — all required) and wired it behind
+   a t2i fragment derived the same way from an image survey:
+   ```yaml
+   # blueprints/video.yaml — both fragments written by the agent, not shipped
+   pipeline:
+     - fragment: t2i             # ./fragments/t2i.json — from YOUR image survey
+       alias: hero
+       params: {prompt: "a fennec fox astronaut, golden hour"}
+     - fragment: i2v             # ./fragments/i2v.json — derived above
+       alias: vid
+       inputs:
+         start_frame: $hero.image   # ← t2i output "image" → i2v input "start_frame"
+       params: {duration: "<a value from the enum nodes show returned>"}
+   ```
+
+   `comfy workflow fragment ls` lists `./fragments` — it errors with
+   `fragment_lib_not_found` until that directory exists, so create it when
+   you author your first fragment.
+
+   Prefer a single composed workflow with repeated fragment instances over a
+   loop of separate `comfy run` calls. For example, a music video should be a
+   blueprint that composes one fan-out graph with N video branches and
+   shared character references, then a separate assembly step if final editing
+   needs exact audio sync.
+
+3. **Raw JSON** — ONLY for truly throwaway one-shot workflows under ~10-15
+   nodes where extension is not expected. Write the file and run it
+   directly.
+
+**Hard rule: never build raw workflow JSON with >30 nodes. Use fragments and a
+blueprint.** Even for smaller workflows, prefer fragments if any part could be
+extended, repeated, or reused.
+
+---
+
+# Discovery — what's here?
+
+Read-only. None of these mutate state, charge quota beyond a cheap read,
+or require sign-in unless you target `--where cloud` against a node graph
+the user doesn't have locally. Run them freely.
+
+**Always start a non-trivial task with:**
+
+```bash
+comfy --json discover
+```
+
+Returns the full command tree, JSON Schemas for every output, error
+codes, and capabilities. Everything below flows from it.
+
+## Workspace + auth state
+
+```bash
+comfy --json env             # what's installed locally
+comfy --json which           # workspace path
+comfy --json cloud whoami    # signed_in, auth_method (oauth/api_key), base_url, api_key_source
+comfy --json auth list       # all credentials (redacted)
+```
+
+## Nodes — introspect the graph
+
+Use flag-based filters on `nodes ls` to find nodes by capability:
+
+```bash
+comfy --json nodes search "checkpoint"           # fuzzy by name/desc
+comfy --json nodes show KSampler                 # full schema
+comfy --json nodes ls --produces MODEL --limit 5 # filter by output type
+comfy --json nodes ls --accepts CONDITIONING     # nodes that take this input
+comfy --json nodes ls --category "loaders*"      # glob on category path
+comfy --json nodes ls --pack comfyui-impact-pack # nodes from a specific pack
+comfy --json nodes ls --api-only                 # only partner-API nodes
+comfy --json nodes ls --output-only              # terminal output nodes (SaveImage, etc.)
+comfy --json nodes ls --exclude-deprecated       # skip deprecated nodes
+comfy --json nodes ls --cloud-disabled           # what cloud refuses to run
+comfy --json nodes upstream KSampler             # what feeds in
+comfy --json nodes downstream CheckpointLoaderSimple  # what follows
+comfy --json nodes path MODEL IMAGE              # routed paths between types
+comfy --json nodes types                         # all connection types
+comfy --json nodes categories                    # full category tree
+```
+
+Combine flags to narrow results:
+
+```bash
+comfy --json nodes ls --produces VIDEO --exclude-deprecated --limit 10
+comfy --json nodes ls --pack core --produces MASK --limit 5
+```
+
+If no local server is running and you're not signed into cloud, pass
+`--input <object_info.json>` to query against a saved dump.
+
+## Models — find what's installed, with metadata
+
+On **cloud**, `comfy models search` hits the live asset catalog
+(`/api/assets`) and returns enriched rows: `name`, `type`, `tags`,
+`base_model`, `source_url`, `preview_url`, `size`. On **local**, the same
+command falls back to `/models/<folder>` listings (filenames only).
+
+```bash
+comfy --json models list-folders                 # every model folder (loras, checkpoints, vae, …)
+comfy --json models list-folder loras            # files in a folder, with pathIndex
+comfy --json models search --text "wan2.2" --type lora --limit 10
+comfy --json models search --text "flux"         # text search across the catalog
+comfy --json models show <rows[0].name>          # full Asset + projected row (cloud-only)
+```
+
+`models search --type <X>` accepts the conventional folder names
+(`lora`/`loras`, `checkpoint`/`checkpoints`, `vae`, `controlnet`,
+`upscale`, `clip`, `clip_vision`, `unet`/`diffusion_models`, …). Use
+`models list-folders` first if you're unsure what types the backend
+exposes.
+
+**Discover → wire loop — every asset type, never hardcoded names:**
+
+Every asset name (checkpoint, lora, controlnet, vae, upscaler, embedding,
+clip-vision model, …) must be discovered at runtime — never hardcoded. Do
+not default to any model family you've seen in examples, either — the
+survey IS the decision input; backends differ and the ecosystem moves. The
+pattern is the same regardless of type:
+
+```bash
+# 1. Discover available assets for any type
+comfy --json models search --type lora --where cloud --text "detail" --limit 5
+comfy --json models search --type controlnet --where cloud --limit 5
+comfy --json models search --type checkpoint --where cloud --limit 5
+comfy --json models search --type vae --where cloud --limit 5
+comfy --json models search --type upscale --where cloud --limit 5
+comfy --json models search --type embeddings --where cloud --limit 5
+
+# 2. Take rows[0].name verbatim — paste it into your fragment's required param
+
+# 3. Precision check — what will the server actually accept?
+comfy --json nodes show LoraLoader --where cloud
+# → the lora_name input's "choices" array is the exact list the server accepts
+# Same pattern for any loader: ControlNetLoader, VAELoader, UpscaleModelLoader, etc.
+```
+
+**Trace (image, OSS checkpoint + lora) — one run of the loop, NOT a
+recommendation.** On this backend, today, the survey returned the rows
+sketched below; yours will differ — pick from YOUR rows:
+
+```bash
+comfy --json models search --type checkpoint --where cloud --limit 5  # → picked <ckpt> from rows
+comfy --json models search --type lora --where cloud --limit 5        # → picked <lora> from rows
+# Learn the lora wiring from a real graph, not memory — fetch a matching template:
+comfy --json templates ls --type image --model "<family of <ckpt>, from its row>"
+comfy templates fetch <name-from-those-rows> --out ref.json   # read how it wires
+# …or derive it from the type graph:
+comfy --json nodes show LoraLoader --where cloud  # MODEL+CLIP in, MODEL+CLIP out —
+#   the lora'd CLIP must feed BOTH text encoders, not just positive
+comfy nodes path MODEL IMAGE                      # sampler → decode → save spine
+```
+
+The agent then authored `./fragments/<your_name>.json` with `ckpt_name`
+and `lora_name` as required params (no defaults) and drove it from a
+blueprint:
+
+```yaml
+pipeline:
+  - fragment: <your_name>        # the fragment YOU just wrote
+    alias: out
+    params:
+      ckpt_name: "<rows[0].name from checkpoint search>"
+      lora_name: "<rows[0].name from lora search>"
+      prompt: "a detailed portrait"
+```
+
+The `choices` array from `nodes show` is the universal precision check: it
+reflects exactly what `<server>/object_info` reports — authoritative for
+any loader node on that target.
+
+## Templates — one starting point among several
+
+The curated `Comfy-Org/workflow_templates` gallery is a strong starting
+point *when a template matches your intent* — but it sits beside partner-API
+providers and hand-composed fragments, not above them. Survey all three
+(see "The ecosystem is vast") before committing.
+
+```bash
+comfy --json templates ls --type video --tag "Image to Video" --limit 10
+comfy --json templates show <name>               # full metadata: models, tags, providers
+comfy --json templates fetch <name> --out my.json # pulls the workflow JSON itself
+```
+
+`templates fetch` validates the name against the gallery index first, so
+typos surface as `template_not_found` with `details.close_matches` — not
+as a raw 404. The downloaded JSON is frontend-format; `comfy run --where
+cloud` auto-converts it to API format on submit.
+
+## Saved workflows on cloud
+
+`comfy workflow {list,save,get,delete}` manages workflows persisted to
+your cloud account via `/api/workflows`. Cloud-only — on local, manage
+JSON files on disk via `workflow slots/set-slot/vary` instead.
+
+```bash
+comfy --json workflow list                             # paginated, sorted by create_time
+comfy --json workflow list --name "wan" --limit 5      # case-insensitive name filter
+comfy --json workflow get <id> --out my.json           # writes workflow JSON
+comfy --json workflow save my.json --name "X" --description "Y"
+comfy --json workflow delete <id>
+```
+
+## Cancel a running job
+
+```bash
+comfy --json jobs cancel <prompt_id>            # auto-routes via --where
+comfy --json jobs cancel <prompt_id> --where cloud
+```
+
+Idempotent on cloud — calling on an already-terminal job returns ok.
+Local cancels both the pending-queue entry and any in-flight execution.
+
+## The ecosystem is vast — explore before building
+
+ComfyUI spans **image, video, audio, 3D, and text** — with hundreds of
+models and many partner API providers (BFL, Kling, Runway, ElevenLabs,
+Meshy, Gemini, Grok, …). Don't guess at counts — discover them:
+
+```bash
+comfy --json nodes ls --limit 1                  # check data.total for node count
+comfy --json nodes ls --produces IMAGE --limit 1 # IMAGE producer count
+comfy --json nodes ls --produces VIDEO --limit 1 # VIDEO producer count
+comfy --json nodes ls --produces AUDIO --limit 1 # AUDIO producer count
+comfy --json nodes ls --api-only --limit 1       # partner API node count
+comfy --json nodes categories --prefix "partner"# API provider categories
+comfy --json nodes types                         # all connection types
+comfy --json models list-folders                 # all model folders
+comfy --json templates ls --limit 1              # template count
+```
+
+The `total` field in `nodes ls`, `nodes search`, and `models search`
+gives the full count even when `--limit` caps the returned rows.
+
+## Workflows — what can I tweak?
+
+```bash
+comfy --json workflow slots path.json   # every addressable slot, by address
+```
+
+`workflow slots`/`set-slot`/`vary` and all `nodes` commands resolve
+object_info through the routing chain with a cached fallback — cloud-signed-in
+works with no local server. If the live fetch fails, the command still succeeds
+from cache and the envelope carries `data.stale: true` +
+`warnings[] {code: "object_info_stale"}` — treat results as possibly outdated
+and run `comfy nodes refresh --where cloud` to refresh.
+
+Slot addresses are `<instance_id>.<input_name>`. Feed them to
+`workflow set-slot` / `workflow vary` in the Execution half. Works on
+any frontend-format workflow JSON — templates, saved workflows, or
+hand-built files.
+
+---
+
+# Execution — make it happen
+
+State-changing. Each of these submits work, edits files, charges cloud
+quota, or talks to an authenticated backend.
+
+## Projects (project/1) — the working convention
+
+Anything beyond a one-shot lives in a project: a directory with a
+`comfy.yaml` marker (`schema: project/1`, plus `defaults.where`) and five
+conventional dirs. The convention is the contract — like the envelope.
+
+```
+my-project/
+├── comfy.yaml     # marker: schema project/1 + defaults (e.g. defaults.where)
+├── assets/        # source files — reference as $asset.<relative/path>
+├── fragments/     # fragments YOU author (_fragment JSON)
+├── blueprints/    # blueprint YAML; compose writes <name>.compiled.json beside it
+├── outputs/       # downloads land here by default
+└── .comfy/        # machine-owned: assets.lock.json + runs.jsonl journal
+```
+
+The loop:
+
+```bash
+comfy project init                     # marker + the five dirs; --where sets the default
+cp ~/ref.png assets/s1_first.png       # drop source files under assets/ (subdirs fine)
+comfy --json assets push               # upload new/changed files, record them in the lock
+# blueprints reference assets by path relative to assets/ (inputs or params):
+#   inputs: {start_frame: $asset.s1_first.png}
+comfy workflow compose blueprints/<name>.yaml          # → blueprints/<name>.compiled.json
+comfy --json run --workflow blueprints/<name>.compiled.json
+comfy --json jobs watch <prompt_id>    # terminal envelope: outputs_by_item / outputs_by_node
+comfy --json download <prompt_id>      # → outputs/, item-named files
+comfy --json project status            # THE state query — root, defaults, blueprints,
+                                       #   assets {pushed, stale}, recent_runs, warnings
+```
+
+What the convention buys you:
+
+- **The `$`-reference algebra.** Four reference kinds in blueprints, each
+  with ONE resolution source, all resolved at compose time:
+
+  | Reference | Resolves from | Where it works |
+  |---|---|---|
+  | `$alias.output` | a prior step's graph output (a wire) | inputs |
+  | `$item.field` | the current `foreach` item | inputs + params |
+  | `$asset.<relative/path>` | the push lock → server-side filename | inputs + params + item field values |
+  | `$var.<name>` | the `vars:` block in `comfy.yaml` | inputs + params + item field values |
+
+  **Whole-value only**: a `$`-ref must be the ENTIRE string. `"a $asset.x b"`
+  is plain text — there is no interpolation. `$var` returns the raw scalar
+  (int stays int); `$asset` resolves through the lock with staleness checks.
+- **`$asset` kills upload-then-paste.** The lock (`.comfy/assets.lock.json`)
+  records sha256 + server name + push target per file, so local and cloud
+  both work; `assets push` skips files whose content AND target are
+  unchanged (`--force` re-pushes everything), `--where` picks the target.
+- **`$var` kills copy-pasted constants.** Declare a top-level `vars:`
+  mapping (str/int/float/bool scalars) in `comfy.yaml`; blueprints reference
+  `$var.<name>`. Compose snapshots the referenced names + values into the
+  compiled JSON's `_meta.vars` — provenance for what this compilation used.
+- **Errors are instructions.** Compose fails closed with `asset_not_pushed`
+  (no lock entry / file gone), `asset_stale` (file changed since its last
+  push) — both hint exactly `run: comfy assets push` — or `var_not_defined`
+  (add the name under `vars:`). Run the hint, re-compose. `$asset` / `$var`
+  outside a project hint `comfy project init` first.
+- **Provenance is queryable state, not prose.** compose and run append to
+  the `.comfy/runs.jsonl` journal automatically (best-effort, never fails a
+  run); `comfy --json project status` joins assets against the lock and
+  returns `recent_runs`. Never hand-write a manifest.md.
+- **Routing**: `defaults.where` in `comfy.yaml` routes every command run
+  inside the project tree (discovery walks up from cwd). The precedence
+  chain in Ground rules applies — flag and env always win over the project.
+- `project status` warns on unknown top-level dirs (warnings only, nothing
+  enforces). `comfy project init` inside an existing project errors with
+  `project_already_exists`; `project status` / `assets push` outside one
+  error with `project_not_found`.
+
+## Submit a workflow
+
+`comfy run` is **async by default** — returns a `prompt_id` and
+`state_file` path in milliseconds. A detached watcher polls in the
+background and writes the state file as the job progresses through
+`queued → allocated → executing → terminal`.
+
+**Prefer async-first: submit, then watch separately.** Never poll
+`jobs status` in a loop. There are three ways to wait — pick one:
+
+```bash
+# Step 1: Submit (returns immediately with prompt_id)
+RES=$(comfy --json run --workflow path.json)
+PROMPT_ID=$(echo "$RES" | jq -r .data.prompt_id)
+STATE_FILE=$(echo "$RES" | jq -r .data.state_file)
+
+# (a) Watch — blocks until terminal, returns outputs. The default.
+comfy --json jobs watch "$PROMPT_ID"
+# → exit 0 / ok:true only on completed; failed job exits 1 / ok:false /
+#   error.code=execution_error (payload under error.details); cancelled exits 130.
+# `&& next-step` therefore only proceeds on success.
+
+# (b) Read the state file for a quick non-blocking check
+jq '{status, outputs, error}' "$STATE_FILE"
+
+# (c) --wait on submit — foreground blocks start-to-finish. Fine for
+#     one-shot synchronous runs (e.g. the download pipe below).
+comfy --json run --workflow path.json --wait
+```
+
+**Why prefer async:** submit returns in milliseconds so you can report
+the prompt_id to the user immediately, then watch in a separate step.
+Reach for `--wait` when you want a single blocking call and don't need
+the prompt_id mid-flight (it's hidden until the job finishes).
+
+`--notify` fires a desktop notification when the job is terminal.
+It defaults **on** in pretty/human async mode, and **off** in JSON/agent
+contexts and with `--wait`. Override explicitly with `--notify` or `--no-notify`.
+
+**Scope:** the async-first / `jobs watch` / state-file pattern above is the
+**`comfy run`** workflow path only. `comfy generate` (partner-API one-call)
+has its own waiting model — see the next section.
+
+## Partner-API one-call generation (`comfy generate`)
+
+`comfy generate` dispatches straight to a partner provider (BFL Flux, Kling,
+Gemini, Veo, Ideogram, …) and is often the highest-quality route for a single
+image/video/edit — not a fallback. It is a **separate sub-surface** from
+`comfy run`, with its own commands and conventions:
+
+```bash
+comfy generate list                       # enumerate provider models (+ their sync/async mode)
+comfy generate schema <model>             # params for one model (e.g. flux-2, kling-i2v)
+comfy generate <model> --prompt "…" [--<param> v]… --download outputs/x.png
+comfy generate upload <file>              # host a local file → signed URL (for I2V image inputs)
+comfy generate <model> … --async          # submit, returns a job id
+comfy generate resume <model> <job_id> --download outputs/x.mp4
+```
+
+Mechanical contracts that bite agents — encode them, don't rediscover:
+
+- **Machine-readable output:** `generate <model> --json` prints the raw API
+  response as JSON; `generate upload <file> --json` emits structured
+  `{url, expires_at, …}`; `generate <model> --emit-workflow out.json` goes
+  through the full renderer envelope (`command: "generate emit-workflow"`,
+  error code `emit_workflow_failed`) — the output is a runnable partner-node
+  workflow you can compose with (fragments+`run` route, no extra API key).
+  The default pretty path (no flags) is still human-only — do not parse it.
+- **`--emit-workflow` resolves the escape-hatch vs. quality tradeoff:**
+  fragments+`run` is the default for graph work; `generate` is the
+  highest-quality single-shot for partner models. With
+  `--emit-workflow out.json` you get a runnable workflow you can extend,
+  compose with other fragments, or iterate on — it's not a dead end.
+- **`generate upload --json`** returns structured JSON; without `--json` the
+  signed URL may soft-wrap across terminal lines — use `--json` in scripts.
+- **Prefer sync** (plain `--download`, no `--async`): the CLI polls internally
+  and waits for you (that's the tool blocking, not you sleep-polling), so an
+  expensive video gen can't be orphaned. Reach for `--async` + `resume` only
+  when you deliberately want to detach.
+- **I2V pattern:** `generate <i2v-model>` needs an image **URL**, so the flow is
+  `generate <image-model> --download still.png` → `generate upload still.png --json`
+  → `generate <i2v-model> --image <url> --download clip.mp4`.
+
+## Pre-flight — validate before you submit
+
+Before `comfy run`, verify the workflow will succeed:
+
+```bash
+# Free dry-run: prints the exact API-format graph that WOULD be submitted,
+# exits without POSTing — works on both local and cloud routes.
+comfy run --workflow wf.json --print-prompt
+
+# Full pre-flight: checks class_types, input shapes, enum values, edge wiring
+comfy --json validate --workflow api.json
+
+# Spot-check a single node class exists on the target
+comfy --json nodes show <ClassName>
+# If error.code == "node_not_found", check details.close_matches
+
+# Confirm a model filename is actually available on the resolved backend (cloud-only)
+# On local: use `comfy models list-folder <type>` instead
+comfy --json models show <filename>
+# If error.code == "model_not_found", check details.close_matches and pick one
+```
+
+This catches the most common failures — unknown nodes, missing models,
+bad wiring — before burning cloud compute.
+
+## Inspect / track jobs
+
+```bash
+comfy --json jobs ls                # merged: local state files + server queue
+comfy --json jobs status <prompt_id>
+comfy --json jobs watch <prompt_id> # blocks until terminal; emits NDJSON with --json-stream
+```
+
+Terminal envelopes (`run --wait`, `jobs status`, `jobs watch`) carry the
+flat `outputs` list plus grouped views of the same artifacts:
+`outputs_by_node: {node_id: [url]}` always, and `outputs_by_item:
+{item: [url]}` when the workflow came from a `foreach` blueprint (compose
+embeds the item map — see Multi-stage orchestration). **Never identify
+fan-out outputs by array order** — read `outputs_by_item`.
+
+## Edit workflows in place
+
+`workflow slots`, `set-slot`, and `vary` work on any frontend-format
+workflow JSON — not just templates. Get slot addresses first:
+
+```bash
+# 1. Discover addressable slots — addresses are <node_id>.<input>, never titles
+comfy --json workflow slots path.json
+# → lists every slot as <node_id>.<input_name> with current values
+#   subgraph interiors: <instance_id>/<inner_id>.<input>
+#   copy addresses verbatim from this output
+
+# 2. Set a single slot
+comfy workflow set-slot path.json 6.text="a cat"
+
+# 3. Generate variations (slot lists are zipped — same length required)
+comfy --json workflow slots wf.json          # discover addresses first
+comfy workflow vary wf.json \
+    --slot '6.text=["a cat","a dog","a fox"]' \
+    --slot '3.seed=[1,2,3]' \
+    --out-dir ./variants
+# → 3 workflow JSONs in ./variants
+# NOTE: slot addresses use node ids (numeric or UUID), never titles.
+#       Always run `slots` first and copy addresses verbatim.
+```
+
+## Auth
+
+```bash
+comfy --json cloud login                         # browser OAuth + PKCE
+comfy --json cloud logout
+comfy --json auth set huggingface --key hf-…     # third-party provider key
+comfy --json cloud set-key --key sk-…            # API-key path for cloud
+```
+
+## File transfer — upload and download
+
+**Never extract API keys manually.** The CLI handles auth internally.
+
+**In a project, prefer `comfy assets push`** — it uploads new/changed files
+under `assets/`, records server names in the lock, and blueprints just say
+`$asset.<relative/path>` (see Projects). The raw commands remain as the
+non-project fallback:
+
+```bash
+# Non-project upload fallback: take data.uploads[0].cloud_name from the envelope
+comfy --json upload photo.png --where cloud
+
+# Download outputs from a completed job (works in or out of a project)
+comfy --json download <prompt_id>
+
+# Pipe pattern — the idiomatic way to generate + collect:
+comfy --json run --workflow blueprints/<name>.compiled.json --wait | comfy download
+# → submits, waits, downloads outputs in one pipeline
+```
+
+`comfy download` reads prompt_id + output URLs from piped stdin
+automatically — no manual extraction, no `jq`, no API key exposure.
+
+Output directory: the governing project's `outputs/`, else `./outputs/`
+(override with `--out-dir`). Naming: outputs from a `foreach` blueprint
+are named by originating item — `<item>_<nnn>.<ext>` with a per-item
+counter — and `files[]` entries carry `node_id`/`item` when known;
+everything else keeps `<prompt8>_<idx>.<ext>`.
+
+## Project layout convention
+
+The project/1 convention above IS the layout: `comfy.yaml` +
+`assets/ fragments/ blueprints/ outputs/ .comfy/`. Lay it down with
+`comfy project init`; `comfy --json project status` reports unknown
+top-level dirs as warnings (warnings only, nothing enforces).
+
+**Never write workflows, fragments, or outputs to `/tmp`.** Always work
+inside a project. If none governs the directory, run `comfy project init`
+before building anything.
+
+## Lifecycle (local installs + persistent config)
+
+```bash
+comfy install                              # set up a local ComfyUI workspace
+comfy launch                               # start the local server
+comfy set-default --where cloud            # persist the routing mode
+comfy set-default --clear-where
+```
+
+## Relaying user feedback
+
+This channel carries the **user's own words** to the maintainers — never your
+opinion of the tool. You are a relay, not the author.
+
+```bash
+comfy --json feedback "run is great, but jobs watch should show an ETA"
+```
+
+One-shot and non-interactive. The message ships as a `feedback_submitted`
+event; the JSON envelope reports `{"sent": true|false}`. Feedback is
+consent-independent (user-initiated), but the hard opt-out (`DO_NOT_TRACK` /
+`COMFY_NO_TELEMETRY`) still suppresses it → `sent: false`.
+
+**When to ask.** Occasionally — *not* every session — invite feedback after a
+clearly good moment (a job just completed successfully, a multi-step pipeline
+landed). Roughly one session in five; pick randomly so it stays rare. Ask at
+most once per session, and never twice if they ignored or declined the first
+time. One short question, e.g.: *"Quick one — anything about the comfy CLI you'd
+want the maintainers to know? (totally optional)"*
+
+**What to send.** Only what the user actually says, relayed close to verbatim.
+Never invent, embellish, or send your own assessment. If they say nothing or
+brush it off, send nothing. Strip secrets, file contents, and PII. For long or
+sensitive reports, point them to
+`https://github.com/Comfy-Org/comfy-cli/issues/new/choose` instead.
+
+## Agent session review (separate, consent-gated)
+
+Distinct from user feedback above: this is **your** short summary of how the
+session went — what the user tried, what worked, where they got stuck. Send it
+at most once, at the end of a substantive session:
+
+```bash
+comfy --json agent-review "User generated a text-to-video clip; hit a missing-model error on first try, succeeded after switching templates."
+```
+
+**Honors every opt-out.** Unlike user feedback, this is agent-authored, so it's
+treated as passive telemetry: it sends ONLY if the user has telemetry enabled.
+If they opted out by any means (`DO_NOT_TRACK`, `COMFY_NO_TELEMETRY`, or no
+consent), the envelope returns `{"sent": false}` and nothing is transmitted —
+that's expected, don't retry or work around it. Keep it short and factual; no
+secrets, no PII, no user verbatim (that's what `comfy feedback` is for).
+
+---
+
+# Domain gotchas by media type
+
+Hard-won lessons per domain. Not a tutorial — a reference card.
+
+## Image
+
+- Survey first: `comfy nodes ls --produces IMAGE --api-only` (partner APIs), `comfy templates ls --type image`, `comfy models search --type checkpoint` — then choose
+- Batch sweeps: `comfy workflow vary` for multi-prompt/seed generation
+- Text rendering: use Ideogram (IdeogramV3), NOT Flux — Flux garbles text
+- Partner API escape hatch (one-shots only, via the proxy — not a workflow Job): `comfy generate flux-ultra --prompt "..."`
+- Never hardcode checkpoint/LoRA names — discover via `models search`
+
+## Video
+
+- **SaveVideo is REQUIRED** — video API nodes produce VIDEO but are NOT output nodes
+- **Never hardcode fps** — wire from GetVideoComponents output index 2
+- Motion prompts: describe HOW the scene moves, not WHAT is in it
+- Assembly: GetVideoComponents → BatchImagesNode → CreateVideo → SaveVideo (ImageBatch is deprecated)
+- Autogrow inputs (type COMFY_AUTOGROW_*, e.g. BatchImagesNode `images`): wire ONE slot key per
+  connection — `"images.image0": [..], "images.image1": [..]` — never a single `images` link.
+  `nodes show` prints the `wire_as` form; `comfy validate` rejects the bare form before submit.
+- I2V pattern: LoadImage → I2VNode → SaveVideo (check `nodes show` for the I2V node)
+- **Model enums mix t2v and i2v variants** — a node's `model` choices may include
+  image-to-video-only models (e.g. `grok-imagine-video-1.5`) that fail at runtime
+  without an `image` input. Capability isn't in the metadata: if the model name
+  hints at i2v/image, wire an image or pick another model before burning a cloud run
+- Provider clips come back off-spec (e.g. 5.042s @ 1924x1076) — ffprobe and
+  normalize (crop/trim) every clip before concat/conform
+- Audio sync: match durations — short audio = silent ending, long audio = truncated ending
+- Survey first: `comfy nodes ls --produces VIDEO --exclude-deprecated`, `comfy nodes ls --category "partner/video*"`, `comfy templates ls --type video` — compare OSS, partner-API, and gallery before choosing
+
+## Audio
+
+- ACE-Step: timesignature is `"4"`, NOT `"4/4"`
+- Duration on TextEncode AND EmptyLatentAudio MUST match
+- Output format is FLAC, not MP3
+- For instrumental: set lyrics to empty string `""`
+- Wire both positive AND negative to same TextEncode output when cfg=1.0
+- Survey first: `comfy nodes ls --produces AUDIO`, `comfy nodes ls --category "partner/audio*"`, `comfy templates ls --type audio` — compare before choosing
+
+## Editing (upscale, inpaint, style transfer)
+
+- FluxProFillNode is REPLACE-ONLY — no denoise/strength param
+- For refinement: use KSampler with denoise=0.15–0.25, not FluxProFill
+- MagnificImageUpscalerCreativeNode: creativity 0–10, resemblance -10–10 (NOT 0–100)
+- MagnificImageRelightNode style="smooth" drains color — use "brighter" or "clean"
+- Local upscale: LoadImage → UpscaleModelLoader → ImageUpscaleWithModel → SaveImage
+- API upscale: discover via `comfy nodes search "upscale"`
+
+## Conditioning (ControlNet, masks, references)
+
+- Preprocessor output ≠ ControlNet model (two separate things)
+- Don't feed raw photos into ControlNet without preprocessing first
+- ImageCompositeMasked: mask MUST match SOURCE size, not destination
+- COMFY_DYNAMICCOMBO_V3: use flat dotted keys (`"model.max_tokens": 800`), not nested
+- First/last frame transitions: wire start_frame + end_frame → I2V node fills in between
+- Wiring: ControlNetApplyAdvanced takes CONDITIONING + IMAGE + CONTROL_NET → modified CONDITIONING
+
+## Cloud
+
+- Auth: `comfy cloud login` (OAuth) or `comfy cloud set-key --key sk-…`
+- Check: `comfy --json cloud whoami`
+- Custom env: `comfy cloud set-base-url <url>` before login
+- CLI auto-injects API keys for partner nodes — never extract manually
+- Session tokens are short-lived (~1h); CLI auto-refreshes on 401
+- HTTP 401 with XML body = CDN catch-all, not ComfyUI — endpoints are under `/api/*`
+- Cloud uses HTTP polling (no WebSocket); `jobs watch` polls `/api/job/<id>/status`
+
+---
+
+# Multi-stage orchestration
+
+Build one large workflow graph when possible — ComfyUI parallelizes
+independent branches automatically. Only split into separate workflows when:
+- An intermediate result needs human review before continuing
+- Different stages need different routing (local vs cloud)
+- The workflow would exceed server memory constraints
+
+**Video productions: prefer ONE graph from keyframes to finished film.**
+Generated VIDEO flows between nodes as wires — no save/upload round-trip —
+so clips + music + assembly belong in a single graph:
+
+```
+LoadImage($asset.s1_first.png) ×N  →  N× first/last-frame i2v nodes
+  ├→ per-scene SaveVideo            (side-taps: each clip saved for review)
+  └→ N× GetVideoComponents → BatchImagesNode(images.image0…N, scene order)
+       → CreateVideo(fps ← GetVideoComponents, audio ← music node) → SaveVideo
+```
+
+The side-taps mean ONE job emits both the reviewable clips AND the
+assembled film; if review fails a scene, fix and re-run the graph (the
+extra assembly cost is small next to the video generations). The
+job-boundary alternative (save clips → download → `assets push` →
+LoadVideo in a second graph) is the fallback for a genuine review gate —
+and note its current limit: pushed *images* appear in LoadImage's choices,
+pushed *videos* are not yet catalogued for LoadVideo on cloud, so the
+cross-job video handoff requires local assembly today.
+
+Some steps don't belong in a Comfy graph at all — final assembly, format
+conversion, timing/structure analysis of generated media. Comfy outputs are
+just files; when the graph can't express what the task needs, you're free to
+orchestrate your own tools around those files. How is your call — this skill
+defines what `comfy` does, not the limits of what you can do with its output.
+
+**For parallel generation, don't hand-roll fan-out with shell loops.** The
+engine already parallelizes independent branches, so author **ONE** graph and
+let it run them concurrently. Independent fragment steps in a blueprint
+`pipeline` (those that don't wire into each other) become parallel branches.
+For the same pipeline across many inputs, use `foreach` — it instantiates the
+pipeline once per item into a single graph:
+
+```yaml
+# blueprints/fan_out.yaml — one graph, N parallel branches via foreach
+output_prefix: outputs/sweep
+foreach:
+  - {id: a, prompt: "a zen garden"}
+  - {id: b, prompt: "a neon city"}
+  - {id: c, prompt: "a desert at dusk"}
+pipeline:
+  - fragment: t2i               # ./fragments/t2i.json — a fragment YOU authored via the derivation loop
+    alias: shot
+    params:
+      prompt: $item.prompt
+```
+
+```bash
+comfy workflow compose blueprints/fan_out.yaml   # → blueprints/fan_out.compiled.json
+RES=$(comfy --json run --workflow blueprints/fan_out.compiled.json)
+comfy --json jobs watch "$(echo "$RES" | jq -r .data.prompt_id)"
+```
+
+This submits a single Job; the engine runs the independent branches
+concurrently. Compose embeds `_meta` (`schema: compose/1`) provenance in
+the compiled workflow — blueprint path plus which nodes belong to which
+`foreach` item. `comfy run` strips it before submit (old servers are
+unaffected) and stashes the map on the job state, so the terminal
+envelopes report `outputs_by_item: {item: [url]}` and `comfy download`
+names files `<item>_<nnn>.<ext>`. Read outputs by item, never by array
+order. Avoid the old `PIDS=()` shell-loop pattern — it duplicates
+scheduling the engine already does and gives you N jobs to babysit instead
+of one. (For a pure prompt/seed sweep over the *same* graph, `comfy
+workflow vary` is the right tool; see the `comfy-fragments` skill for the
+full blueprint syntax.)
+
+With `chunk: N` in a `foreach` blueprint, compose splits items into
+N-item batches and writes one numbered file per batch. The envelope then
+reports `out: null` plus `written[]` (all paths) — script against
+`data.written`, not `data.out`.
+
+Stage handoff (download → promote into assets/ → push → `$asset`):
+
+```bash
+# `jobs watch` exits 0 only on completion — use && to chain safely:
+comfy --json jobs watch "$PID" && comfy --json download "$PID"
+# downloads land in outputs/ (item-named) — promote the keepers:
+cp outputs/s1_000.png assets/s1_first.png
+comfy --json assets push
+# the next stage's blueprint references it directly in its inputs:
+#   inputs: {start_frame: $asset.s1_first.png}
+```
+
+Outside a project, the legacy handoff still works: `comfy --json upload
+<file> --where cloud`, take `data.uploads[0].cloud_name`, paste it into
+the next workflow's LoadImage input — but prefer the project flow.
+
+Pipeline failure recovery: re-submit only the failed workflow. Use
+`comfy --json jobs status <id>` to identify which failed.
+
+---
+
+# Async + parallel — cross-cuts both halves
+
+Image generation: ~5-30s. Video generation: **2-5 minutes**. Upscale
+chains and multi-stage pipelines: variable.
+
+Don't block your turn on a long job — do other useful work while the
+watcher updates the state file, then check when you need the result.
+The three wait patterns are in **Submit a workflow** above (`jobs watch`,
+state file read, `--wait`). For parallelism, author one graph with
+independent (parallel) branches in a single blueprint rather than fanning
+out across jobs — see **Multi-stage orchestration** above.
diff --git a/comfy_cli/skills/comfy/__init__.py b/comfy_cli/skills/comfy/__init__.py
new file mode 100644
index 00000000..e69de29b
diff --git a/comfy_cli/skills/command.py b/comfy_cli/skills/command.py
new file mode 100644
index 00000000..dd91ca21
--- /dev/null
+++ b/comfy_cli/skills/command.py
@@ -0,0 +1,402 @@
+"""``comfy skills`` — install the agent skills so Claude / Cursor / Aider can drive comfy directly.
+
+The unlock: instead of running an MCP server, this command teaches every
+agent on the machine how to call ``comfy`` natively. One file per skill,
+three targets, zero protocol.
+
+Bundled skills (5 total) — see ``comfy skills list`` for descriptions:
+
+  - ``comfy``           — the consolidated driver skill (command surface,
+                          output contract, routing, discovery, execution,
+                          image, video, audio, cloud, edit, condition, pipeline)
+  - ``comfy-fragments`` — typed reusable workflow fragments + YAML blueprint composition
+  - ``comfy-debug``     — debugging when workflows fail or jobs hang
+  - ``comfy-relay``     — what to put in chat while driving the CLI
+  - ``comfy-director``  — narrative multi-shot video production (screenplay,
+                          continuity, audio design, conform discipline)
+"""
+
+from __future__ import annotations
+
+from pathlib import Path
+from typing import Annotated, Literal
+
+import typer
+
+from comfy_cli import tracking
+from comfy_cli.output import get_renderer, rprint
+from comfy_cli.skills import (
+    BUNDLED_SKILLS,
+    TargetKind,
+    _compute_skill_state,
+    bundled_skill_names,
+    load_skill_source,
+    plan_install,
+    read_manifest,
+    skill_content,
+)
+from comfy_cli.skills import (
+    install as _install,
+)
+from comfy_cli.skills import (
+    prune_retired as _prune_retired,
+)
+from comfy_cli.skills import (
+    uninstall as _uninstall,
+)
+
+app = typer.Typer(
+    no_args_is_help=True,
+    help="Install the comfy agent skills — Claude, Cursor, Aider, and any AGENTS.md-aware tool.",
+)
+
+
+def _print_skill_panel(title: str, body) -> None:
+    """Helper: render any ``skill <verb>`` body inside the canonical
+    branded panel so install / uninstall / list / status all share chrome."""
+    from comfy_cli.config_manager import ConfigManager
+    from comfy_cli.output.branding import branded_panel
+
+    get_renderer().console().print(branded_panel(body, title=title, version=ConfigManager().get_cli_version()))
+
+
+def _kinds(targets: list[str] | None) -> list[TargetKind] | None:
+    if not targets:
+        return None
+    valid: list[TargetKind] = []
+    for t in targets:
+        if t not in ("claude-code", "cursor", "agents-md"):
+            raise typer.BadParameter(f"unknown target {t!r}; pick claude-code, cursor, or agents-md")
+        valid.append(t)  # type: ignore[arg-type]
+    return valid
+
+
+def _validate_skills(skills: list[str] | None) -> list[str] | None:
+    if not skills:
+        return None
+    import os
+
+    renderer = get_renderer()
+    known = bundled_skill_names()
+    for s in skills:
+        p = Path(s).expanduser()
+        looks_like_path = os.sep in s or s.startswith((".", "~")) or p.exists()
+        if looks_like_path:
+            # Path-based token: validate it eagerly so we fail fast before any writes.
+            try:
+                load_skill_source(s)
+            except ValueError as e:
+                renderer.error(
+                    code="skill_invalid",
+                    message=str(e),
+                    hint="a skill is a directory named after the skill containing SKILL.md with `name:` and `description:` frontmatter; check with `comfy skills validate <path>`",
+                )
+                raise typer.Exit(code=1) from e
+        elif s not in known:
+            raise typer.BadParameter(f"unknown skill {s!r}; choices: {', '.join(known)}")
+    return skills
+
+
+def _scope(scope: str) -> Literal["user", "project"]:
+    if scope not in ("user", "project"):
+        raise typer.BadParameter("scope must be 'user' or 'project'")
+    return scope  # type: ignore[return-value]
+
+
+_PROJECT_MARKERS = (".git", "pyproject.toml", "package.json", "Cargo.toml", "go.mod", "AGENTS.md")
+
+
+def _ensure_project_root(cwd: Path) -> None:
+    """Refuse `--scope project` when cwd doesn't look like a project root."""
+    for marker in _PROJECT_MARKERS:
+        if (cwd / marker).exists():
+            return
+    raise typer.BadParameter(
+        f"--scope project from {cwd} doesn't look like a project root "
+        f"(no {', '.join(_PROJECT_MARKERS)}). cd into your project first, "
+        "or run `touch AGENTS.md` to mark this directory."
+    )
+
+
+@app.command("install", help="Write the comfy skills into Claude Code, Cursor, and AGENTS.md.")
+@tracking.track_command("skill")
+def install_cmd(
+    scope: Annotated[
+        str,
+        typer.Option(
+            "--scope",
+            help="user → ~/.claude/ ~/.cursor/ ~/AGENTS.md (default); project → ./.claude/ ./.cursor/ ./AGENTS.md.",
+        ),
+    ] = "user",
+    target: Annotated[
+        list[str] | None,
+        typer.Option(
+            "--target",
+            help="Install only the named target(s). Repeatable. Default: all three.",
+        ),
+    ] = None,
+    skill: Annotated[
+        list[str] | None,
+        typer.Option(
+            "--skill",
+            help="Install only the named skill(s). Repeatable. Default: all 4 bundled skills (see `comfy skills list`).",
+        ),
+    ] = None,
+    dry_run: Annotated[
+        bool,
+        typer.Option("--dry-run", help="Show what would be written without touching anything."),
+    ] = False,
+):
+    renderer = get_renderer()
+    s = _scope(scope)
+    cwd = Path.cwd()
+    if s == "project":
+        _ensure_project_root(cwd)
+    kinds = _kinds(target)
+    skills = _validate_skills(skill)
+    # Prune skills we've since retired so old machines converge on every install.
+    # Surface only the ones that actually changed — `absent` is a non-event.
+    prune_results = [
+        r for r in _prune_retired(scope=s, targets=kinds, dry_run=dry_run, project_root=cwd) if r.action != "absent"
+    ]
+    results = prune_results + _install(scope=s, targets=kinds, skills=skills, dry_run=dry_run, project_root=cwd)
+
+    if renderer.is_pretty():
+        from rich.console import Group
+        from rich.table import Table
+        from rich.text import Text
+
+        title_word = "would install" if dry_run else "installed"
+        tbl = Table(
+            show_header=True,
+            header_style="bold magenta",
+            border_style="dim",
+            pad_edge=False,
+            expand=True,
+        )
+        tbl.add_column("Skill", style="bold cyan", no_wrap=True)
+        tbl.add_column("Target", style="bold white", no_wrap=True)
+        tbl.add_column("Action", no_wrap=True)
+        tbl.add_column("Path", style="dim", overflow="fold")
+        for r in results:
+            action_style = {
+                "wrote": "bold green",
+                "would_write": "yellow",
+                "skipped": "red",
+                "absent": "dim",
+                "removed": "yellow",
+                "would_remove": "yellow",
+            }.get(r.action, "white")
+            tbl.add_row(r.skill, r.kind, f"[{action_style}]{r.action}[/{action_style}]", str(r.path))
+
+        header = Text(f"{title_word} · {s} scope", style="dim")
+        body = Group(header, Text(""), tbl)
+        if not dry_run and any(r.action == "wrote" for r in results):
+            body = Group(
+                body,
+                Text(""),
+                Text(
+                    "Done. Restart Claude Code / Cursor to pick up the new skills.",
+                    style="bold green",
+                ),
+            )
+        _print_skill_panel("skill install", body)
+    renderer.emit(
+        {
+            "scope": s,
+            "dry_run": dry_run,
+            "results": [r.to_dict() for r in results],
+        },
+        command="skill install",
+        changed=not dry_run,
+    )
+
+
+@app.command("uninstall", help="Remove the comfy skills from Claude Code, Cursor, and AGENTS.md.")
+@tracking.track_command("skill")
+def uninstall_cmd(
+    scope: Annotated[str, typer.Option("--scope")] = "user",
+    target: Annotated[list[str] | None, typer.Option("--target")] = None,
+    skill: Annotated[
+        list[str] | None,
+        typer.Option("--skill", help="Uninstall only the named skill(s). Default: all bundled."),
+    ] = None,
+    dry_run: Annotated[bool, typer.Option("--dry-run")] = False,
+):
+    renderer = get_renderer()
+    s = _scope(scope)
+    kinds = _kinds(target)
+    skills = _validate_skills(skill)
+    results = _uninstall(scope=s, targets=kinds, skills=skills, dry_run=dry_run, project_root=Path.cwd())
+
+    if renderer.is_pretty():
+        from rich.console import Group
+        from rich.table import Table
+        from rich.text import Text
+
+        tbl = Table(
+            show_header=True,
+            header_style="bold magenta",
+            border_style="dim",
+            pad_edge=False,
+            expand=True,
+        )
+        tbl.add_column("Skill", style="bold cyan", no_wrap=True)
+        tbl.add_column("Target", style="bold white", no_wrap=True)
+        tbl.add_column("Action", no_wrap=True)
+        tbl.add_column("Path", style="dim", overflow="fold")
+        for r in results:
+            style = {
+                "removed": "yellow",
+                "would_remove": "yellow",
+                "absent": "dim",
+                "skipped": "red",
+            }.get(r.action, "white")
+            tbl.add_row(r.skill, r.kind, f"[{style}]{r.action}[/{style}]", str(r.path))
+
+        header = Text(f"{s} scope", style="dim")
+        _print_skill_panel("skill uninstall", Group(header, Text(""), tbl))
+    renderer.emit(
+        {
+            "scope": s,
+            "dry_run": dry_run,
+            "results": [r.to_dict() for r in results],
+        },
+        command="skill uninstall",
+        changed=not dry_run,
+    )
+
+
+_LIST_HELP = "List the bundled skills (" + ", ".join(name for name, _ in BUNDLED_SKILLS) + ")."
+
+
+@app.command("list", help=_LIST_HELP)
+@tracking.track_command("skill")
+def list_cmd():
+    renderer = get_renderer()
+    rows = []
+    for name, _subdir in BUNDLED_SKILLS:
+        # Pull the description out of the SKILL.md frontmatter, if any.
+        text = skill_content(name)
+        desc = ""
+        if text.startswith("---\n"):
+            _, _, rest = text.partition("---\n")
+            front, _, _ = rest.partition("---\n")
+            for line in front.splitlines():
+                if line.startswith("description:"):
+                    desc = line.split(":", 1)[1].strip()
+                    break
+        rows.append({"name": name, "description": desc})
+
+    if renderer.is_pretty():
+        from rich.table import Table
+
+        tbl = Table(
+            show_header=True,
+            header_style="bold magenta",
+            border_style="dim",
+            pad_edge=False,
+            expand=True,
+        )
+        tbl.add_column("Skill", style="bold cyan", no_wrap=True)
+        tbl.add_column("Description", style="white", overflow="fold")
+        for r in rows:
+            tbl.add_row(r["name"], r["description"])
+        _print_skill_panel("skill list", tbl)
+    renderer.emit({"skills": rows}, command="skill list")
+
+
+@app.command("show", help="Print a bundled SKILL.md to stdout (default: comfy).")
+@tracking.track_command("skill")
+def show_cmd(
+    name: Annotated[
+        str,
+        typer.Argument(help="Which bundled skill to print (see `comfy skills list` for all 4)."),
+    ] = "comfy",
+):
+    renderer = get_renderer()
+    try:
+        content = skill_content(name)
+    except ValueError as e:
+        renderer.error(code="unknown_skill", message=str(e), hint="run `comfy skills list`")
+        raise typer.Exit(code=1) from e
+    if renderer.is_pretty():
+        from rich.markdown import Markdown
+
+        renderer.console().print(Markdown(content))
+        return
+    renderer.emit({"name": name, "content": content}, command="skill show")
+
+
+@app.command("status", help="Show which skills are installed across Claude Code / Cursor / AGENTS.md.")
+@tracking.track_command("skill")
+def status_cmd(
+    scope: Annotated[str, typer.Option("--scope")] = "user",
+):
+    renderer = get_renderer()
+    s = _scope(scope)
+    plans = plan_install(scope=s, project_root=Path.cwd())
+    manifest = read_manifest()
+    rows = []
+    for p in plans:
+        state = _compute_skill_state(p.path, p.skill, manifest)
+        rows.append(
+            {
+                "skill": p.skill,
+                "kind": p.kind,
+                "scope": p.scope,
+                "path": str(p.path),
+                "installed": p.exists,
+                "state": state,
+            }
+        )
+    if renderer.is_pretty():
+        from rich.console import Group
+        from rich.table import Table
+        from rich.text import Text
+
+        tbl = Table(
+            show_header=True,
+            header_style="bold magenta",
+            border_style="dim",
+            pad_edge=False,
+            expand=True,
+        )
+        tbl.add_column("Skill", style="bold cyan", no_wrap=True)
+        tbl.add_column("Target", style="bold white", no_wrap=True)
+        tbl.add_column("State", no_wrap=True)
+        tbl.add_column("Path", style="dim", overflow="fold")
+        _STATE_STYLES = {
+            "current": "[bold green]current[/bold green]",
+            "stale": "[yellow]stale[/yellow]",
+            "modified": "[bold yellow]modified[/bold yellow]",
+            "missing": "[dim]missing[/dim]",
+            "unmanaged": "[cyan]unmanaged[/cyan]",
+        }
+        for r in rows:
+            badge = _STATE_STYLES.get(r["state"], r["state"])
+            tbl.add_row(r["skill"], r["kind"], badge, r["path"])
+        header = Text(f"{s} scope", style="dim")
+        _print_skill_panel("skill status", Group(header, Text(""), tbl))
+    renderer.emit({"scope": s, "targets": rows}, command="skill status")
+
+
+@app.command("validate", help="Validate a skill directory or SKILL.md against the format contract.")
+@tracking.track_command("skill")
+def validate_cmd(
+    path: Annotated[str, typer.Argument(help="Skill dir or SKILL.md path.")],
+):
+    renderer = get_renderer()
+    try:
+        src = load_skill_source(path)
+    except ValueError as e:
+        renderer.error(
+            code="skill_invalid",
+            message=str(e),
+            hint="a skill is a directory named after the skill containing SKILL.md with `name:` and `description:` frontmatter",
+        )
+        raise typer.Exit(code=1) from e
+    payload = {"valid": True, "name": src.name, "bundled": src.bundled, "path": path}
+    if renderer.is_pretty():
+        rprint(f"[green]✓[/green] {src.name} is a valid skill")
+    renderer.emit(payload, command="skills validate")
diff --git a/comfy_cli/target.py b/comfy_cli/target.py
new file mode 100644
index 00000000..c71f6dfa
--- /dev/null
+++ b/comfy_cli/target.py
@@ -0,0 +1,124 @@
+"""Routing target for ComfyUI HTTP traffic.
+
+A ``Target`` is the small bundle of facts that distinguishes "talk to a local
+ComfyUI on 127.0.0.1:8188" from "talk to Comfy Cloud on
+fe-pr-12159.testenvs.comfy.org": a base URL, an optional path prefix
+(``/api``), and an optional Bearer token. Everything else flows through the
+unified :class:`comfy_cli.comfy_client.Client`.
+
+A few thin differences remain (the cloud history endpoint is ``history_v2``,
+queue inspection works differently, no WebSocket on cloud) — those are
+captured as fields on the Target so the client can branch on them rather than
+duplicating call sites.
+"""
+
+from __future__ import annotations
+
+from dataclasses import dataclass, field
+from typing import Any
+
+# Back-compat re-export: the provider name now lives with the credential
+# resolver. Hidden / testing-only path; the canonical sign-in is OAuth.
+from comfy_cli.credentials import CLOUD_API_KEY_PROVIDER as CLOUD_API_KEY_PROVIDER
+
+
+@dataclass(frozen=True)
+class Target:
+    """Where to send ComfyUI HTTP requests."""
+
+    kind: str  # "local" | "cloud"
+    base_url: str  # e.g. "http://127.0.0.1:8188" or "https://fe-pr-12159.testenvs.comfy.org"
+    path_prefix: str = ""  # "" for local, "/api" for cloud
+    history_path: str = "history"  # "history" for local, "history_v2" for cloud
+    jobs_path: str | None = None  # "jobs" for cloud, None for local (uses queue+history)
+    # auth_token (OAuth Bearer) and api_key (X-API-Key) are both repr-suppressed
+    # so logger.debug + pytest failure dumps can't leak credentials.
+    auth_token: str | None = field(default=None, repr=False)
+    api_key: str | None = field(default=None, repr=False)
+    host: str | None = None  # only for local — preserved for back-compat
+    port: int | None = None  # only for local
+
+    @property
+    def is_cloud(self) -> bool:
+        return self.kind == "cloud"
+
+    def url(self, *parts: str) -> str:
+        """Build a fully-qualified URL, applying the path prefix."""
+        joined = "/".join(p.strip("/") for p in parts if p)
+        if self.path_prefix:
+            return f"{self.base_url}{self.path_prefix}/{joined}"
+        return f"{self.base_url}/{joined}"
+
+
+def resolve_target(
+    *, where: str | None, host: str | None = None, port: int | None = None, config: Any = None
+) -> Target:
+    """Pick a Target based on ``--where`` plus host/port (for local).
+
+    Precedence honoring the global routing mode: explicit ``where`` arg >
+    ``COMFY_WHERE`` env var > persisted ``where_default`` config key >
+    auto-detect (``cloud`` if credentials exist, else ``local``).
+    The ``config`` arg is honored if passed; otherwise
+    we instantiate a ``ConfigManager`` to read the persisted key.
+    """
+    from comfy_cli import where as where_module
+
+    config_value: str | None = None
+    if config is not None:
+        config_value = config.get(where_module.CONFIG_KEY_WHERE_DEFAULT)
+    else:
+        try:
+            from comfy_cli.config_manager import ConfigManager
+
+            config_value = ConfigManager().get(where_module.CONFIG_KEY_WHERE_DEFAULT)
+        except Exception:  # noqa: BLE001 — never break target resolution on a bad config
+            pass
+
+    decision = where_module.resolve(flag=where, config_value=config_value)
+
+    if decision.target is where_module.WhereTarget.CLOUD:
+        from comfy_cli.cloud import get_base_url
+        from comfy_cli.credentials import resolve_cloud_credential
+
+        # OAuth-first: a live session is preferred over API keys (which are on
+        # a deprecation path). Precedence: OAuth session > env var > stored key.
+        # ``base_url=`` arms the replay-guard: a session minted for a different
+        # base_url (or expired) is ignored so credentials are never replayed to
+        # a host the user didn't authenticate against; the API-key fallback or
+        # a downstream "unauthenticated" error takes over. ``refresh=True`` is
+        # the *proactive* leg: a near-expiry access token is refreshed before
+        # it's attached, so the user keeps working across the ~1h token
+        # lifetime without ever hitting a 401. The refresh is a cheap no-op
+        # when the token isn't near expiry (no network), and the client/loader
+        # still force-refresh *reactively* on a server 401 as a backstop.
+        base_url = get_base_url()
+        cred = resolve_cloud_credential(purpose="cloud", base_url=base_url, refresh=True)
+        token = cred.value if cred is not None and cred.kind == "oauth" else None
+        api_key = cred.value if cred is not None and cred.kind == "api_key" else None
+
+        return Target(
+            kind="cloud",
+            base_url=base_url,
+            path_prefix="/api",
+            history_path="history_v2",
+            jobs_path="jobs",
+            auth_token=token,
+            api_key=api_key,
+        )
+
+    # Local — keep the existing host/port resolution semantics. host/port may
+    # be None here; callers fill those in from their config_manager.
+    resolved_host = host or "127.0.0.1"
+    resolved_port = int(port or 8188)
+    # Bracket IPv6 literals so the URL is well-formed (RFC 3986 §3.2.2).
+    url_host = f"[{resolved_host}]" if ":" in resolved_host and not resolved_host.startswith("[") else resolved_host
+    return Target(
+        kind="local",
+        base_url=f"http://{url_host}:{resolved_port}",
+        path_prefix="",
+        history_path="history",
+        jobs_path=None,
+        auth_token=None,
+        host=resolved_host,
+        port=resolved_port,
+    )
diff --git a/comfy_cli/tracking.py b/comfy_cli/tracking.py
index 8c631515..91e1e375 100644
--- a/comfy_cli/tracking.py
+++ b/comfy_cli/tracking.py
@@ -45,9 +45,10 @@
 
 _SENSITIVE_SUFFIXES = ("_token", "_api_key", "_secret", "_password")
 # `token` is the publish PAT; `changelog` is bulky free text with no analytics
-# value beyond its presence. Sensitive values become "<redacted>" (the key is
-# kept so we can still tell the option was supplied).
-_SENSITIVE_EXACT = frozenset({"api_key", "token", "password", "secret", "changelog"})
+# value beyond its presence. `key` is the bare `--key` option carrying the Comfy
+# Cloud API key (e.g. `cloud set-key`, auth store). Sensitive values become
+# "<redacted>" (the key is kept so we can still tell the option was supplied).
+_SENSITIVE_EXACT = frozenset({"api_key", "key", "token", "password", "secret", "changelog"})
 
 
 def _is_sensitive(name: str) -> bool:
@@ -114,6 +115,17 @@ def _telemetry_disabled_by_env() -> bool:
     return False
 
 
+def _consent_enabled() -> bool:
+    """Whether passive telemetry may be sent right now: no env opt-out AND the
+    user has consented (persisted flag) or a session-only opt-in is active.
+
+    This is the full gate. Agent-authored data (e.g. session reviews) rides it,
+    so opting out of tracking by any means means nothing is sent."""
+    if _telemetry_disabled_by_env():
+        return False
+    return bool(config_manager.get_bool(constants.CONFIG_KEY_ENABLE_TRACKING)) or _session_only_tracking
+
+
 class TelemetryProvider(Protocol):
     enabled: bool
 
@@ -128,7 +140,7 @@ def __init__(self, token: str):
         self.enabled = self.client is not None
 
     def track(self, event_name: str, distinct_id: str | None, properties: dict[str, Any]) -> None:
-        if not self.enabled or distinct_id is None:
+        if self.client is None or distinct_id is None:
             return
         self.client.track(distinct_id=distinct_id, event_name=event_name, properties=properties)
 
@@ -182,14 +194,32 @@ def flush(self) -> None:
 @app.command()
 def enable():
     init_tracking(True)
-    typer.echo(f"Tracking is now {'enabled'}.")
-    init_tracking(True)
+    typer.echo("Tracking is now enabled.")
 
 
 @app.command()
 def disable():
     init_tracking(False)
-    typer.echo(f"Tracking is now {'disabled'}.")
+    typer.echo("Tracking is now disabled.")
+
+
+def _dispatch(
+    event_name: str, properties: dict[str, Any], *, distinct_id: str | None, mixpanel_name: str | None = None
+):
+    """Fan an event out to every provider. Enriches with cli_version/tracing_id.
+
+    This is the shared send path; callers above own the gating (consent for
+    passive telemetry, env-only for feedback).
+    """
+    properties = {**properties, "cli_version": cli_version, "tracing_id": tracing_id}
+    for provider in PROVIDERS:
+        provider_event_name = (
+            mixpanel_name if (mixpanel_name is not None and isinstance(provider, MixpanelProvider)) else event_name
+        )
+        try:
+            provider.track(provider_event_name, distinct_id=distinct_id, properties=dict(properties))
+        except Exception as e:
+            logging.warning(f"Failed to track event via {type(provider).__name__}: {e}")
 
 
 def track_event(event_name: str, properties: Any = None, *, mixpanel_name: str | None = None):
@@ -207,16 +237,74 @@ def track_event(event_name: str, properties: Any = None, *, mixpanel_name: str |
     if not enable_tracking and not _session_only_tracking:
         return
 
-    properties = {**properties, "cli_version": cli_version, "tracing_id": tracing_id}
+    _dispatch(event_name, properties, distinct_id=user_id, mixpanel_name=mixpanel_name)
 
-    for provider in PROVIDERS:
-        provider_event_name = (
-            mixpanel_name if (mixpanel_name is not None and isinstance(provider, MixpanelProvider)) else event_name
-        )
+
+def _ensure_user_id(*, persist: bool = True) -> str:
+    """Return a distinct_id. Persists a generated anonymous id only when
+    ``persist`` is True (consent on). For an opted-out, user-initiated action
+    we still attach an ephemeral id but never write durable identity to disk.
+    """
+    global user_id
+    if user_id:
+        return user_id
+    existing = config_manager.get(constants.CONFIG_KEY_USER_ID)
+    if existing:
+        user_id = existing
+        return user_id
+    new_id = str(uuid.uuid4())
+    if persist:
+        user_id = new_id
         try:
-            provider.track(provider_event_name, distinct_id=user_id, properties=dict(properties))
-        except Exception as e:
-            logging.warning(f"Failed to track event via {type(provider).__name__}: {e}")
+            config_manager.set(constants.CONFIG_KEY_USER_ID, new_id)
+        except OSError:
+            pass
+    return new_id
+
+
+def submit_feedback(message: str = "", *, scores: dict[str, str | None] | None = None) -> bool:
+    """Send user feedback to telemetry (PostHog + Mixpanel) as ``feedback_submitted``.
+
+    Unlike passive command telemetry, feedback is an explicit, user-initiated
+    action — so it is NOT gated on the consent flag. Only the hard env opt-out
+    (``DO_NOT_TRACK`` / ``COMFY_NO_TELEMETRY``) suppresses it. Returns False
+    without sending when opted out or when there's nothing to send, so the
+    caller can tell the user rather than silently drop their words. Fail-fast:
+    no on-disk queue, no retry — best-effort delivery.
+    """
+    if _telemetry_disabled_by_env():
+        return False
+    properties: dict[str, Any] = {}
+    if message:
+        properties["message"] = message
+    if scores:
+        properties.update({k: v for k, v in scores.items() if v is not None})
+    if not properties:
+        return False
+    consented = config_manager.get_bool(constants.CONFIG_KEY_ENABLE_TRACKING)
+    _dispatch("feedback_submitted", properties, distinct_id=_ensure_user_id(persist=bool(consented)))
+    return True
+
+
+def submit_agent_review(summary: str = "", *, properties: dict[str, Any] | None = None) -> bool:
+    """Send an agent-authored summary of how the session went as ``agent_review_submitted``.
+
+    Distinct from :func:`submit_feedback`: this is the agent's assessment, not
+    the user's words, so it is treated like passive telemetry — fully
+    consent-gated. If the user opted out by ANY means (env opt-out, or no
+    consent), nothing is sent and this returns False. No queue, no retry.
+    """
+    if not _consent_enabled():
+        return False
+    payload: dict[str, Any] = {}
+    if summary:
+        payload["summary"] = summary
+    if properties:
+        payload.update({k: v for k, v in properties.items() if v is not None})
+    if not payload:
+        return False
+    _dispatch("agent_review_submitted", payload, distinct_id=user_id)
+    return True
 
 
 def filter_command_kwargs(kwargs: dict[str, Any]) -> dict[str, Any]:
@@ -230,7 +318,7 @@ def filter_command_kwargs(kwargs: dict[str, Any]) -> dict[str, Any]:
     }
 
 
-def track_command(sub_command: str = None):
+def track_command(sub_command: str | None = None):
     """
     A decorator factory that logs the command function name and selected arguments when it's called.
     """
@@ -271,21 +359,14 @@ def prompt_tracking_consent(skip_prompt: bool = False, default_value: bool = Fal
         init_tracking(default_value)
         return
 
-    # When stdin or stdout is not a TTY (subprocess pipe, redirect, CI),
-    # blocking on the consent prompt would either hang the caller forever
-    # or corrupt their output stream. Enable tracking for this process and
-    # persist a stable anonymous user_id so repeat agentic usage from the
-    # same machine attributes to one identity. The consent flag itself
-    # stays unset so a later interactive run can still ask the human; if
-    # they consent, init_tracking will reuse this user_id.
+    # Non-interactive sessions (pipes, CI, agents) default to no tracking
+    # until the user explicitly consents via an interactive terminal.
+    # Persist a stable anonymous user_id so a later interactive consent
+    # prompt can reuse it, but do NOT auto-enable telemetry — that would
+    # violate the DO_NOT_TRACK convention spirit for OSS tooling.
     if not sys.stdin.isatty() or not sys.stdout.isatty():
-        _session_only_tracking = True
         if user_id is None:
             user_id = str(uuid.uuid4())
-            # Best-effort persistence — a read-only config dir (fresh CI,
-            # restricted sandbox) must not crash the caller. If the write
-            # fails we keep the in-memory user_id so this process still
-            # tracks normally; the next run on a writable host will retry.
             try:
                 config_manager.set(constants.CONFIG_KEY_USER_ID, user_id)
             except OSError:
diff --git a/comfy_cli/update.py b/comfy_cli/update.py
index 8300f81c..4c8ec4db 100644
--- a/comfy_cli/update.py
+++ b/comfy_cli/update.py
@@ -1,17 +1,30 @@
+import json
 import logging
+import os
+import subprocess
 import sys
+import time
 from importlib.metadata import metadata
+from pathlib import Path
 
 import requests
 from packaging import version
-from rich.console import Console
-from rich.panel import Panel
 
 logger = logging.getLogger(__name__)
-console = Console()
+
+UPDATE_CHECK_TTL_SECONDS = 24 * 60 * 60
+UPDATE_CHECK_DISABLE_ENV = "COMFY_NO_UPDATE_CHECK"
 
 
 def check_for_newer_pypi_version(package_name, current_version):
+    """Return ``(has_newer, latest_version)`` for the named package.
+
+    Used by the welcome banner to indicate "an upgrade is available";
+    the standalone ``check_for_updates()`` side-effect that fired a
+    bright blue "🔔 Update Available!" panel mid-command has been
+    retired (Task 5 of the CLI UX consistency pass) — chrome should be
+    one panel per command, not random unsolicited banners.
+    """
     url = f"https://pypi.org/pypi/{package_name}/json"
     try:
         response = requests.get(url, timeout=5)
@@ -27,38 +40,55 @@ def check_for_newer_pypi_version(package_name, current_version):
         return False, current_version
 
 
-def check_for_updates():
-    current_version = get_version_from_pyproject()
-    has_newer, newer_version = check_for_newer_pypi_version("comfy-cli", current_version)
-
-    if has_newer:
-        notify_update(current_version, newer_version)
-
-
 def get_version_from_pyproject():
     package_metadata = metadata("comfy-cli")
     return package_metadata["Version"]
 
 
-def notify_update(current_version: str, newer_version: str):
-    message = (
-        f":sparkles: Newer version of [bold magenta]comfy-cli[/bold magenta] is available: [bold green]{newer_version}[/bold green].\n"
-        f"Current version: [bold cyan]{current_version}[/bold cyan]\n"
-        f"Update by running: [bold yellow]'pip install --upgrade comfy-cli'[/bold yellow] :arrow_up:"
-    )
-
-    if sys.platform == "win32":
-        # windows cannot display emoji characters.
-        bell = ""
-        message = message.replace(":sparkles:", "")
-        message = message.replace(":arrow_up:", "")
-    else:
-        bell = ":bell:"
-
-    console.print(
-        Panel(
-            message,
-            title=f"[bold red]{bell} Update Available![/bold red]",
-            border_style="bright_blue",
-        )
-    )
+def upgrade_cli():
+    """Upgrade the ``comfy-cli`` package itself via pip against the running
+    interpreter. Raises ``CalledProcessError`` if pip fails — fail fast."""
+    subprocess.run([sys.executable, "-m", "pip", "install", "-U", "comfy-cli"], check=True)
+
+
+def _read_fresh_cache(cache_file, now):
+    """Return the cached latest version if the cache exists and is fresh, else None."""
+    if not cache_file.exists():
+        return None
+    payload = json.loads(cache_file.read_text())
+    if now - payload["checked_at"] > UPDATE_CHECK_TTL_SECONDS:
+        return None
+    return payload["latest"]
+
+
+def _refresh_cache(cache_file, current_version, now):
+    """Query PyPI, persist the result, and return the latest version string."""
+    _, latest = check_for_newer_pypi_version("comfy-cli", current_version)
+    cache_file.parent.mkdir(parents=True, exist_ok=True)
+    cache_file.write_text(json.dumps({"checked_at": now, "latest": latest}))
+    return latest
+
+
+def latest_upgrade_version(current_version, config_path):
+    """Return the newer PyPI version string, or ``None`` if already current.
+
+    Cached for ``UPDATE_CHECK_TTL_SECONDS`` under ``config_path`` so PyPI is
+    hit at most once a day. Opt out entirely via ``COMFY_NO_UPDATE_CHECK``.
+    Best-effort: any failure resolves to "no upgrade to show" rather than
+    breaking the calling command.
+    """
+    if os.getenv(UPDATE_CHECK_DISABLE_ENV):
+        return None
+
+    now = time.time()
+    cache_file = Path(config_path) / "update-check.json"
+    try:
+        latest = _read_fresh_cache(cache_file, now) or _refresh_cache(cache_file, current_version, now)
+        if latest is None:
+            return None
+        if version.parse(latest) > version.parse(current_version):
+            return latest
+        return None
+    except (OSError, ValueError, TypeError, KeyError) as e:
+        logger.debug(f"Update check skipped: {e}")
+        return None
diff --git a/comfy_cli/utils.py b/comfy_cli/utils.py
index 332d467e..2c39b5da 100644
--- a/comfy_cli/utils.py
+++ b/comfy_cli/utils.py
@@ -8,15 +8,20 @@
 import subprocess
 import tarfile
 from pathlib import Path
+from typing import BinaryIO, cast
 
 import psutil
 import requests
 import typer
-from rich import print, progress
+from rich import progress
 from rich.live import Live
 from rich.table import Table
 
 from comfy_cli.constants import DEFAULT_COMFY_WORKSPACE, OS, PROC
+
+# Use the output shim so prints go to stderr (not stdout) in JSON mode,
+# preserving the one-envelope-on-stdout contract.
+from comfy_cli.output import rprint as print  # noqa: A001 - intentional shadowing
 from comfy_cli.typing import PathLike
 
 
@@ -126,7 +131,7 @@ def download_url(
             fsize = int(response.headers.get("Content-Length", 0))
             desc = f"downloading {fname}..." + ("(Unknown total file size)" if fsize == 0 else "")
 
-            with progress.wrap_file(response.raw, total=fsize, description=desc) as response_raw:
+            with progress.wrap_file(cast(BinaryIO, response.raw), total=fsize, description=desc) as response_raw:
                 shutil.copyfileobj(response_raw, f)
         else:
             shutil.copyfileobj(response.raw, f)
@@ -144,6 +149,8 @@ def extract_tarball(
 
     with tarfile.open(inPath) as tar:
         info = tar.next()
+        if info is None:
+            raise ValueError(f"tarball is empty: {inPath}")
         old_name = info.name.split("/")[0]
     # path to top-level of extraction result
     extractPath = inPath.with_name(old_name)
@@ -152,39 +159,40 @@ def extract_tarball(
     shutil.rmtree(extractPath, ignore_errors=True)
     shutil.rmtree(outPath, ignore_errors=True)
 
-    if show_progress:
-        fileSize = inPath.stat().st_size
+    if not show_progress:
+        with tarfile.open(inPath) as tar:
+            tar.extractall(filter=None)
+        shutil.move(extractPath, outPath)
+        return
 
-        barProg = progress.Progress()
-        barTask = barProg.add_task("[cyan]extracting tarball...", total=fileSize)
-        pathProg = progress.Progress(progress.TextColumn("{task.description}"))
-        pathTask = pathProg.add_task("")
+    fileSize = inPath.stat().st_size
 
-        progress_table = Table.grid()
-        progress_table.add_row(barProg)
-        progress_table.add_row(pathProg)
+    barProg = progress.Progress()
+    barTask = barProg.add_task("[cyan]extracting tarball...", total=fileSize)
+    pathProg = progress.Progress(progress.TextColumn("{task.description}"))
+    pathTask = pathProg.add_task("")
 
-        _size = 0
+    progress_table = Table.grid()
+    progress_table.add_row(barProg)
+    progress_table.add_row(pathProg)
 
-        def _filter(tinfo: tarfile.TarInfo, _path: PathLike):
-            nonlocal _size
-            pathProg.update(pathTask, description=tinfo.path)
-            barProg.advance(barTask, _size)
-            _size = tinfo.size
+    _size = 0
 
-            # TODO: ideally we'd use data_filter here, but it's busted: https://github.com/python/cpython/issues/107845
-            # return tarfile.data_filter(tinfo, _path)
-            return tinfo
-    else:
-        _filter = None
+    def _filter(tinfo: tarfile.TarInfo, _path: PathLike):
+        nonlocal _size
+        pathProg.update(pathTask, description=tinfo.path)
+        barProg.advance(barTask, _size)
+        _size = tinfo.size
+
+        # TODO: ideally we'd use data_filter here, but it's busted: https://github.com/python/cpython/issues/107845
+        # return tarfile.data_filter(tinfo, _path)
+        return tinfo
 
     with Live(progress_table, refresh_per_second=10):
         with tarfile.open(inPath) as tar:
             tar.extractall(filter=_filter)
-
-        if show_progress:
-            barProg.advance(barTask, _size)
-            pathProg.update(pathTask, description="")
+        barProg.advance(barTask, _size)
+        pathProg.update(pathTask, description="")
 
     shutil.move(extractPath, outPath)
 
@@ -202,35 +210,36 @@ def create_tarball(
     # clean the archive target path
     outPath.unlink(missing_ok=True)
 
-    if show_progress:
-        fileSize = sum(f.stat().st_size for f in inPath.glob("**/*"))
+    if not show_progress:
+        with tarfile.open(outPath, "w:gz") as tar:
+            # don't include parent paths in archive
+            tar.add(inPath.relative_to(cwd), filter=None)
+        return
 
-        barProg = progress.Progress()
-        barTask = barProg.add_task("[cyan]creating tarball...", total=fileSize)
-        pathProg = progress.Progress(progress.TextColumn("{task.description}"))
-        pathTask = pathProg.add_task("")
+    fileSize = sum(f.stat().st_size for f in inPath.glob("**/*"))
 
-        progress_table = Table.grid()
-        progress_table.add_row(barProg)
-        progress_table.add_row(pathProg)
+    barProg = progress.Progress()
+    barTask = barProg.add_task("[cyan]creating tarball...", total=fileSize)
+    pathProg = progress.Progress(progress.TextColumn("{task.description}"))
+    pathTask = pathProg.add_task("")
 
-        _size = 0
+    progress_table = Table.grid()
+    progress_table.add_row(barProg)
+    progress_table.add_row(pathProg)
 
-        def _filter(tinfo: tarfile.TarInfo):
-            nonlocal _size
-            pathProg.update(pathTask, description=tinfo.path)
-            barProg.advance(barTask, _size)
-            _size = Path(tinfo.path).stat().st_size
+    _size = 0
 
-            return tinfo
-    else:
-        _filter = None
+    def _filter(tinfo: tarfile.TarInfo):
+        nonlocal _size
+        pathProg.update(pathTask, description=tinfo.path)
+        barProg.advance(barTask, _size)
+        _size = Path(tinfo.path).stat().st_size
+
+        return tinfo
 
     with Live(progress_table, refresh_per_second=10):
         with tarfile.open(outPath, "w:gz") as tar:
             # don't include parent paths in archive
             tar.add(inPath.relative_to(cwd), filter=_filter)
-
-        if show_progress:
-            barProg.advance(barTask, _size)
-            pathProg.update(pathTask, description="")
+        barProg.advance(barTask, _size)
+        pathProg.update(pathTask, description="")
diff --git a/comfy_cli/where.py b/comfy_cli/where.py
new file mode 100644
index 00000000..24f7be07
--- /dev/null
+++ b/comfy_cli/where.py
@@ -0,0 +1,168 @@
+"""``--where`` resolution: pick the backend that handles a routed command.
+
+Targets:
+
+- ``local``  — run against the local ComfyUI server.
+- ``cloud``  — talk to Comfy Cloud over HTTPS.
+
+Precedence for ``--where``:
+
+1. Explicit ``--where`` flag.
+2. ``COMFY_WHERE`` environment variable.
+3. ``defaults.where`` in the governing project/1 ``comfy.yaml``
+   (see :mod:`comfy_cli.project`).
+4. ``where_default`` in the config file.
+5. Auto-detect: ``cloud`` if any cloud credential is configured
+   (API key env/store, or active OAuth session), else ``local``.
+"""
+
+from __future__ import annotations
+
+import os
+from collections.abc import Mapping
+from dataclasses import dataclass
+from enum import Enum
+from typing import Any
+
+from comfy_cli.cancellation import get_token  # noqa: F401  — re-exported indirectly
+
+
+class WhereTarget(str, Enum):
+    LOCAL = "local"
+    CLOUD = "cloud"
+
+
+CLOUD_PROVIDER = "comfy-cloud"
+ENV_DEFAULT = "COMFY_WHERE"
+CONFIG_KEY_WHERE_DEFAULT = "where_default"
+
+
+@dataclass
+class WhereResolution:
+    target: WhereTarget
+    source: str  # "flag" | "env" | "project" | "config" | "default"
+
+
+# Sentinel: "caller didn't say" — resolve() then looks up the governing
+# project itself, so the existing call sites get project routing without
+# changes. Pass ``project_value=None`` to disable the lookup explicitly
+# (tests / deliberately project-unaware callers).
+_UNSET: Any = object()
+
+
+def resolve(
+    *,
+    flag: str | None = None,
+    env: Mapping[str, str] | None = None,
+    config_value: str | None = None,
+    project_value: str | None = _UNSET,
+) -> WhereResolution:
+    """Pick the target. Invalid values raise ``ValueError`` with a clear message."""
+    e = env if env is not None else os.environ
+    if flag:
+        return WhereResolution(target=_parse(flag), source="flag")
+    env_choice = e.get(ENV_DEFAULT)
+    if env_choice:
+        return WhereResolution(target=_parse(env_choice), source="env")
+    if project_value is _UNSET:
+        project_value = _project_where_default()
+    if project_value:
+        return WhereResolution(target=_parse(project_value), source="project")
+    if config_value:
+        return WhereResolution(target=_parse(config_value), source="config")
+
+    # Auto-detect: if cloud credentials are configured, default to cloud.
+    if _has_cloud_credentials():
+        return WhereResolution(target=WhereTarget.CLOUD, source="auto")
+    return WhereResolution(target=WhereTarget.LOCAL, source="default")
+
+
+def _project_where_default() -> str | None:
+    """``defaults.where`` from the project/1 ``comfy.yaml`` governing cwd, if
+    any. Discovery itself never raises (see :mod:`comfy_cli.project`); a
+    present-but-invalid value is parsed by the caller like any other source."""
+    # Lazy import: keep `where` cheap for the common no-project path and
+    # avoid import cycles.
+    from comfy_cli.project import find_project
+
+    project = find_project()
+    if project is None:
+        return None
+    defaults = project.config.get("defaults")
+    value = defaults.get("where") if isinstance(defaults, dict) else None
+    return value if isinstance(value, str) and value else None
+
+
+def _has_cloud_credentials() -> bool:
+    """Return True if any cloud auth path is configured (API key or OAuth).
+
+    Presence check, not resolution: an *expired* session still counts (cloud
+    is clearly the configured backend; preflight surfaces the expiry), so this
+    deliberately doesn't use ``resolve_cloud_credential``.
+    """
+    from comfy_cli.credentials import find_api_key, get_session
+
+    if find_api_key(purpose="cloud") is not None:
+        return True
+    return get_session(refresh=False) is not None
+
+
+def _parse(value: str) -> WhereTarget:
+    norm = value.strip().lower()
+    try:
+        return WhereTarget(norm)
+    except ValueError as exc:
+        raise ValueError(f"invalid --where value {value!r}: expected one of {[t.value for t in WhereTarget]}") from exc
+
+
+# ---- cloud client (local-only stub) ---------------------------------------
+
+
+@dataclass
+class CloudError:
+    code: str  # "cloud_not_configured" | "cloud_unauthorized" | "cloud_unavailable"
+    message: str
+    hint: str | None
+    details: dict[str, Any]
+
+
+def cloud_preflight() -> CloudError | None:
+    """Return an error envelope payload if the cloud path can't proceed.
+
+    Accepts either auth path:
+      - ``COMFY_CLOUD_API_KEY`` env var, OR
+      - persisted ``comfy-cloud-api-key`` provider record, OR
+      - active OAuth session (valid + non-expired).
+
+    Failure modes:
+      - Nothing configured     → ``cloud_not_configured``
+      - OAuth session expired  → ``cloud_unauthorized``
+    """
+    from comfy_cli.credentials import find_api_key, get_session
+
+    # API key path — no expiry check, key is either valid or it isn't (server
+    # tells us at request time).
+    if find_api_key(purpose="cloud") is not None:
+        return None
+
+    # Proactively refresh an expired-but-refreshable session so work doesn't
+    # die just because the short-lived access token lapsed between commands.
+    session = get_session(refresh=True)
+    if session is None:
+        return CloudError(
+            code="cloud_not_configured",
+            message="Not signed in to Comfy Cloud.",
+            hint="run: comfy cloud login (or set COMFY_CLOUD_API_KEY for hidden testing path)",
+            details={"provider": CLOUD_PROVIDER},
+        )
+    if session.is_expired():
+        return CloudError(
+            code="cloud_unauthorized",
+            message="Comfy Cloud session has expired.",
+            hint="run: comfy cloud login",
+            details={
+                "provider": CLOUD_PROVIDER,
+                "expires_at": session.expires_at,
+            },
+        )
+    return None
diff --git a/comfy_cli/workspace_manager.py b/comfy_cli/workspace_manager.py
index ed10c887..119cb61e 100644
--- a/comfy_cli/workspace_manager.py
+++ b/comfy_cli/workspace_manager.py
@@ -8,10 +8,13 @@
 import git
 import typer
 import yaml
-from rich import print
 
 from comfy_cli import constants, logging, utils
 from comfy_cli.config_manager import ConfigManager
+
+# Route prints through the output shim so they land on stderr in JSON mode
+# rather than corrupting the envelope on stdout.
+from comfy_cli.output import rprint as print  # noqa: A001 - intentional shadowing
 from comfy_cli.utils import singleton
 
 
@@ -367,3 +370,16 @@ def fill_print_table(self):
             ("Manager", manager_status),
             ("UV Compile Default", uv_compile_status),
         ]
+
+    def fill_data(self) -> dict:
+        """Structured workspace info for ``comfy env --json``."""
+        from comfy_cli.command.custom_nodes.cm_cli_util import resolve_manager_gui_mode
+
+        config_manager = ConfigManager()
+        uv_compile_value = config_manager.get(constants.CONFIG_KEY_UV_COMPILE_DEFAULT)
+        return {
+            "path": str(self.workspace_path) if self.workspace_path else None,
+            "type": self.workspace_type.value if self.workspace_type is not None else None,
+            "manager_mode": resolve_manager_gui_mode(not_installed_value="not-installed"),
+            "uv_compile_default": (str(uv_compile_value).lower() == "true" if uv_compile_value is not None else False),
+        }
diff --git a/docs/json-output.md b/docs/json-output.md
index c5f83bbb..c10a53c4 100644
--- a/docs/json-output.md
+++ b/docs/json-output.md
@@ -1,10 +1,25 @@
 # `comfy run --json`: Machine-Readable Output (NDJSON)
 
+> **Dialect change (breaking).** The legacy `{"event": …, "schema_version": 1,
+> "error": {"kind": …}}` dialect was removed; `comfy run --json` now emits the
+> CLI-wide renderer stream. Every event line carries `schema: "event/1"` and a
+> `type` discriminator, and the stream is terminated by a single envelope line
+> (`schema: "envelope/1"`, `type: "envelope"`) carrying `ok`/`data`/`error`.
+> Consumers discriminate the final line by `type: "envelope"`. Error
+> categorisation moved from `error.kind` to the registered `error.code` values
+> (`comfy --json discover` lists them all). The full legacy→current mapping is
+> at the [bottom of this document](#legacy-dialect-mapping).
+
 This document specifies the output contract of `comfy run --json`. The intent
 is to give agents and automation a stable, parseable view of a workflow
 execution — independent of the human-readable Rich-formatted output that
 `comfy run` emits by default.
 
+`comfy run --json` is exactly `comfy --json-stream run`: the command-local
+flag switches the process-wide renderer into NDJSON streaming mode. The same
+event names are used by `comfy jobs watch` in stream mode, so the run stream
+and the watch stream speak one dialect.
+
 ## Overview
 
 When `--json` is passed, `comfy run` switches into a strict
@@ -14,19 +29,17 @@ machine-readable mode:
   JSON object per line, each terminated by `\n`. No ANSI, no progress bar,
   no headings. Each line is written and flushed to stdout as soon as the
   underlying event is produced; agents may rely on read-as-emitted timing —
-  there is no batching.
-- The stream is 7-bit ASCII clean. Non-ASCII characters in string fields
-  are emitted as `\uXXXX` JSON escapes (equivalent to Python's
-  `json.dumps(..., ensure_ascii=True)`).
-- **stderr** is reserved for things the CLI cannot route through the JSON
-  contract: framework-level Python errors, uncaught exceptions, library
-  warnings. Agents should not parse stderr; they may discard it or
-  capture it for diagnostics.
-- **Exit code** is `0` when the terminal event is `completed`,
-  `queued` (`--no-wait` mode), or `prompt_preview` (`--print-prompt`
-  mode); `1` on a `failed` terminal event. Error categorisation is
-  carried in the `error.kind` field of the `failed` event, not in the
-  exit code (see [Stability](#stability-and-exit-codes)).
+  there is no batching (the `progress` event is throttled to ~10 Hz per node).
+- The stream is UTF-8. Non-ASCII characters in string fields are emitted
+  as-is (`json.dumps(..., ensure_ascii=False)`).
+- **stderr** carries human-readable side messages plus anything the CLI
+  cannot route through the JSON contract: framework-level Python errors,
+  uncaught exceptions, library warnings. Agents should not parse stderr;
+  they may discard it or capture it for diagnostics.
+- **Exit code** is `0` when the final envelope has `ok: true`, `130` when
+  the run was cancelled (`error.code: "cancelled"` — Ctrl-C or a
+  server-side interrupt), and `1` for every other failure. Fine-grained
+  error categorisation is carried in `error.code`, not in the exit code.
 
 In `--json` mode, `--verbose` has no effect: agents receive the full event
 stream regardless.
@@ -41,153 +54,109 @@ emitted before [`queued`](#queued). API-format input does not produce a
 `converted` event.
 
 All duration fields in this contract are floats representing seconds.
-Numeric count fields (e.g., `node_progress.value` / `max`) are JSON
+Numeric count fields (e.g., `progress.completed` / `total`) are JSON
 `number` and may be int or float depending on the underlying node.
 
-This contract targets ComfyUI servers reached via `--host` / `--port`
-(typically local). Cloud-specific URL routing (e.g., `/api` prefix,
-endpoint renames like `/history` → `/history_v2`) is not exercised in
-v1 and may not work without additional flag wiring — agents talking to
-Comfy Cloud should expect to use their own client code for now.
-
 ## Stream shape
 
-Every line on stdout is a JSON object containing a non-empty string
-`event` field acting as a discriminator. Agents must dispatch on this
-field. In normal `--json` execution the stream ends with a terminal
-event (`completed` or `failed`). In `--no-wait` mode the stream ends
-at `queued`, and the agent is responsible for polling
-`/history/{prompt_id}` to observe completion. In `--print-prompt`
-mode the stream ends at `prompt_preview` (no execution happens, so
-`completed`/`failed` would be category-error events about something
-that was never started). See [Process-level termination](#process-level-termination)
-for the edge case where the CLI is killed before emitting its terminal
-event.
-
-### Stream archetypes
+Every line on stdout is a JSON object with two universal fields:
 
-The stream takes one of these shapes depending on the workflow format and
-outcome:
+| Field    | Type | Description                                                       |
+| -------- | ---- | ----------------------------------------------------------------- |
+| `schema` | str  | Contract version: `"event/1"` on events, `"envelope/1"` on the final line |
+| `type`   | str  | Discriminator. Agents must dispatch on this field.                |
 
-| Outcome                           | Stream                                                              |
-| --------------------------------- | ------------------------------------------------------------------- |
-| Success                           | `[converted]? + prompt_preview + queued + [node_*]* + completed`    |
-| `--no-wait` queued                | `[converted]? + prompt_preview + queued`                            |
-| `--print-prompt`                  | `[converted]? + prompt_preview` (terminal)                          |
-| Failure mid-execution             | `[converted]? + prompt_preview + queued + [node_*]* + failed`       |
-| Failure during submission         | `[converted]? + prompt_preview + failed`                            |
-| Failure pre-flight                | `failed`                                                            |
+The stream always ends with exactly one line of `type: "envelope"`:
 
-Where `[node_*]*` is zero or more interleaved `node_cached`,
-`node_executing`, `node_progress`, and `node_executed` events. `[X]?`
-means X may or may not appear.
+```json
+{"schema": "envelope/1", "type": "envelope", "ok": true, "command": "run", "version": "1.6.1", "where": "local", "data": {...}, "error": null}
+```
 
-### Early-exit rule
+| Field     | Type         | Description                                                     |
+| --------- | ------------ | --------------------------------------------------------------- |
+| `ok`      | bool         | `true` on success, `false` on failure                           |
+| `command` | str          | The subcommand (`"run"`)                                        |
+| `version` | str          | comfy-cli version                                               |
+| `where`   | str \| null  | `"local"` or `"cloud"`                                          |
+| `data`    | dict \| null | Result payload on success (see [Success envelope](#success-envelope)) |
+| `error`   | dict \| null | Error object on failure (see [Error object](#error-object))     |
 
-`failed` can replace any non-terminal event, terminating the stream
-early. The archetypes table above is the canonical view of what shapes
-of stream agents will actually see; the early-exit rule is the universal
-quantifier behind it.
+### Stream archetypes
 
-### Schema version
+| Outcome                   | Stream                                                                       |
+| ------------------------- | ---------------------------------------------------------------------------- |
+| Success (`--wait`)        | `[converted]? + prompt_preview + queued + [node events]* + envelope(ok)`     |
+| `--no-wait` queued (default) | `[converted]? + prompt_preview + queued + envelope(ok, data.status="queued")` |
+| `--print-prompt`          | `[converted]? + prompt_preview + envelope(ok, data.status="preview")`        |
+| Failure mid-execution     | `[converted]? + prompt_preview + queued + [node events]* + envelope(error)`  |
+| Failure during submission | `[converted]? + prompt_preview + envelope(error)`                            |
+| Failure pre-flight        | `envelope(error)`                                                            |
 
-Every event in v1 streams carries `schema_version: 1`. The field is a
-monotonically increasing integer; minor versions are not used. Future
-schema versions will emit `schema_version: 2`, etc., on every event.
-Agents may read the version from any line. Agents needing
-feature-presence detection beyond the integer version should
-feature-detect by field presence rather than version comparison.
+Where `[node events]*` is zero or more interleaved `execution_cached`,
+`executing`, `progress`, `executed`, and `output` events. `[X]?` means X
+may or may not appear. An error envelope can replace any non-terminal
+line, ending the stream early.
 
 ## Event reference
 
-| Event             | When                                              | Terminal |
-| ----------------- | ------------------------------------------------- | -------- |
-| `converted`       | UI-format workflow was client-side converted      |          |
-| `prompt_preview`  | The API-format workflow graph about to be submitted | (✓ in `--print-prompt`) |
-| `queued`          | Server accepted the prompt (HTTP 200 on `/prompt`)| (✓ in `--no-wait`) |
-| `node_cached`     | Node hit the execution cache and was skipped      |          |
-| `node_executing`  | Node started execution                            |          |
-| `node_progress`   | In-flight progress update for the running node    |          |
-| `node_executed`   | Node finished and reported its outputs            |          |
-| `completed`       | Workflow finished successfully                    | ✓        |
-| `failed`          | Workflow could not complete                       | ✓        |
-
-Agents must ignore events whose `event` value they do not recognise —
-new event kinds may be added in a backward-compatible manner. Agents
-must ignore unknown fields on known events for the same reason.
+| `type`             | When                                                 |
+| ------------------ | ---------------------------------------------------- |
+| `converted`        | UI-format workflow was client-side converted         |
+| `prompt_preview`   | The API-format workflow graph about to be submitted  |
+| `queued`           | Server accepted the prompt (HTTP 200 on `/prompt`)   |
+| `execution_cached` | Node hit the execution cache and was skipped         |
+| `executing`        | Node started execution                               |
+| `progress`         | In-flight progress update for the running node       |
+| `executed`         | Node finished and reported its outputs               |
+| `output`           | One file-like output became available (`url`)        |
+| `execution_error`  | Server reported a node exception (error envelope follows) |
+
+Agents must ignore events whose `type` they do not recognise — new event
+kinds may be added in a backward-compatible manner. Agents must ignore
+unknown fields on known events for the same reason.
 
 A handful of fields carry values from a server-defined open set rather
-than a fixed enumeration: `class_type`, `category`, `type`, and
-`exception_type`. Each is flagged **Open set** at one canonical
-description below; the same treatment applies wherever that field
-appears across events. Agents must accept and pass through unknown
-values without keying behaviour on specific strings.
-
-Every event that names a single node also carries a `title` field —
-the human-readable label to show in a per-node UI. The contract for
-`title` is the same wherever it appears: **`_meta.title` if present,
-else `class_type`, else `node_id`**. Per-event field tables list it
-simply as "display label" rather than repeating the chain.
+than a fixed enumeration: `class_type`, `category`, `type` (output folder),
+and `exception_type`. Agents must accept and pass through unknown values
+without keying behaviour on specific strings.
+
+Every per-node event also carries a `title` field — the human-readable
+label to show in a per-node UI: **`_meta.title` if present, else
+`class_type`, else the node id**.
 
 ### `converted`
 
 Emitted once if the input workflow was in UI format and was converted to
-API format client-side. Not emitted when the input was already in API
-format.
+API format client-side.
 
 ```json
-{"event": "converted", "schema_version": 1, "node_count": 2}
+{"schema": "event/1", "type": "converted", "node_count": 2}
 ```
 
-| Field            | Type | Description                                    |
-| ---------------- | ---- | ---------------------------------------------- |
-| `event`          | str  | `"converted"`                                  |
-| `schema_version` | int  | `1`                                            |
-| `node_count`     | int  | Number of nodes in the converted graph         |
-
 ### `prompt_preview`
 
-Emitted in `--json` mode once the workflow has been successfully
-loaded, parsed, and (if UI-format) converted — i.e., in every stream
-except the **Failure pre-flight** archetype (a `failed`-only stream
-where the CLI bails out before it has a workflow to preview: file
-errors, parse errors, server-probe / `/object_info` failures, UI
-conversion failures, etc.). Fires immediately after the optional
-`converted` event and immediately before `queued`. Carries the API-format workflow graph the CLI is
+Emitted once the workflow has been successfully loaded, parsed, and (if
+UI-format) converted — i.e., in every stream except the **Failure
+pre-flight** archetype. Carries the API-format workflow graph the CLI is
 about to POST to `/prompt` — the same dict that would land in the
-request's `prompt` field. Gives agents a complete audit trail of what
-was submitted, useful for debugging conversions, logging, and
-post-mortem analysis, without needing a separate run.
+request's `prompt` field. It does **not** include `client_id` or
+`extra_data` (so any `--api-key` value never appears here).
 
-Under `--print-prompt` this event is also the **terminal** event:
-the CLI emits it and exits 0 without queuing. In normal flow it's
-informational and execution continues with `queued`.
+Under `--print-prompt` this is the only event: the CLI emits it plus the
+final envelope and exits 0 without queuing.
 
 ```json
-{"event": "prompt_preview", "schema_version": 1, "prompt": {"1": {"class_type": "EmptyLatentImage", "inputs": {"width": 512, "height": 512, "batch_size": 1}}}}
+{"schema": "event/1", "type": "prompt_preview", "prompt": {"1": {"class_type": "EmptyLatentImage", "inputs": {"width": 512, "height": 512, "batch_size": 1}}}}
 ```
 
-| Field            | Type | Description                                                            |
-| ---------------- | ---- | ---------------------------------------------------------------------- |
-| `event`          | str  | `"prompt_preview"`                                                     |
-| `schema_version` | int  | `1`                                                                    |
-| `prompt`         | dict | The API-format workflow graph keyed by node id. Same shape as the `prompt` field POSTed to `/prompt`. Does NOT include `client_id` or `extra_data` (those are runtime fields, not part of the workflow — so any `--api-key` value never appears here). |
-
-For UI-format input under `--print-prompt`, `/object_info` must still
-be reachable (the converter consults it). For API-format input under
-`--print-prompt`, no server requests are made and the command works
-fully offline. In normal (non-`--print-prompt`) flow the server is
-always contacted regardless, since execution follows.
-
 ### `queued`
 
-Emitted after `POST /prompt` returns 200. Carries the server's prompt
-handle, which can be used to correlate against `/history/{prompt_id}`.
+Emitted after `POST /prompt` returns 200.
 
 ```json
 {
-  "event": "queued",
-  "schema_version": 1,
+  "schema": "event/1",
+  "type": "queued",
   "prompt_id": "9b1c…",
   "client_id": "fe2a…",
   "validation_warnings": [],
@@ -198,105 +167,59 @@ handle, which can be used to correlate against `/history/{prompt_id}`.
 }
 ```
 
-| Field                 | Type           | Description                                                  |
-| --------------------- | -------------- | ------------------------------------------------------------ |
-| `event`               | str            | `"queued"`                                                   |
-| `schema_version`      | int            | `1`                                                          |
-| `prompt_id`           | str            | Server-assigned prompt UUID                                  |
-| `client_id`           | str            | Client-generated UUID (sent with `/prompt`)                  |
-| `validation_warnings` | array of dict  | List of per-node validation issues that ComfyUI reported alongside a successful queue (some output chains validated, others didn't). Same record shape as `validation_error.node_errors` (see below). Empty (`[]`) in the common case. |
-| `nodes`               | array of dict  | Manifest of every node in the submitted (post-conversion) workflow. Each entry has `node_id` (str), `class_type` (str), and `title` (str — display label, see canonical `title` rule). Lets piped consumers (who don't have the workflow file at hand) render a per-node UI immediately without waiting for `completed`. |
-
-The `validation_warnings` field exists specifically for the case where
-ComfyUI's `validate_prompt` returns success because at least one output
-chain validated, but other nodes failed validation and will not run.
-This field is not a general warnings channel; other warning surfaces
-would require separate spec decisions.
-
-### `node_cached`
-
-Emitted up front as a group, before any `node_executing` in the same
-run, listing nodes whose outputs were retrieved from the execution
-cache. Comes from ComfyUI's `execution_cached` websocket message.
-
-Note: for cached nodes that had prior UI output (e.g., a cached
-`SaveImage`), ComfyUI emits both `execution_cached` AND a per-node
-`executed` payload with the cached UI dict. The CLI surfaces both: a
-single node may produce both `node_cached` and `node_executed` events.
-See [completed](#completed) for the resulting semantics of
-`cached_node_ids` / `executed_node_ids`.
+| Field                 | Type          | Description                                            |
+| --------------------- | ------------- | ------------------------------------------------------ |
+| `prompt_id`           | str           | Server-assigned prompt UUID                            |
+| `client_id`           | str           | Client-generated UUID (sent with `/prompt`)            |
+| `validation_warnings` | array of dict | Per-node validation issues ComfyUI reported alongside a successful queue (some output chains validated, others didn't). Same record shape as `prompt_rejected`'s `details.node_errors` (see [shape](#node_errors-shape)). Empty (`[]`) in the common case. |
+| `nodes`               | array of dict | Manifest of every node in the submitted (post-conversion) workflow: `node_id` (str), `class_type` (str), `title` (str). Lets piped consumers render a per-node UI without the workflow file. |
 
-```json
-{"event": "node_cached", "schema_version": 1, "node_id": "1", "class_type": "GeminiNanoBanana2", "title": "Nano Banana 2"}
-```
+### `executing`
 
-| Field            | Type | Description                                 |
-| ---------------- | ---- | ------------------------------------------- |
-| `event`          | str  | `"node_cached"`                             |
-| `schema_version` | int  | `1`                                         |
-| `node_id`        | str  | Node key in the workflow dict               |
-| `class_type`     | str  | Node class name. **Open set** — current ComfyUI versions emit names like `KSampler`, `SaveImage`, plus arbitrary custom-node class names; agents must accept and pass through unknown values without keying behaviour on specific strings. |
-| `title`          | str  | display label (see canonical `title` rule above) |
-
-### `node_executing`
-
-Emitted when a node starts execution. Subsequent `node_progress` events
-(if any) refer to this node until either a different `node_executing`
-arrives or the node's `node_executed` event is emitted.
-
-Two consecutive `node_executing` events with different `node_id` values
-are normal: the first node finished but didn't surface a result the
-server forwarded as `executed` (this happens for intermediate compute
-nodes whose outputs aren't published to the client). Agents that track
-a "current node" should treat a new `node_executing` as implicitly
+Emitted when a node starts execution. Two consecutive `executing` events
+with different `node` values are normal (intermediate compute nodes whose
+outputs aren't published to the client never fire `executed`); agents that
+track a "current node" should treat a new `executing` as implicitly
 closing the previous one.
 
 ```json
-{"event": "node_executing", "schema_version": 1, "node_id": "2", "class_type": "SaveImage", "title": "Save Image"}
+{"schema": "event/1", "type": "executing", "node": "2", "title": "Save Image", "class_type": "SaveImage", "prompt_id": "9b1c…"}
 ```
 
-Fields are identical to `node_cached`.
+### `execution_cached`
 
-### `node_progress`
+One event per node whose outputs were retrieved from the execution cache
+(from ComfyUI's `execution_cached` websocket message). Same fields as
+`executing`. A cached output-bearing node (e.g., a cached `SaveImage`)
+may emit both `execution_cached` AND `executed`.
+
+### `progress`
 
 Per-step progress for samplers, video encoders, and any node that calls
-`ProgressBar.update_absolute(...)`. Shares the `node_id` of the most
-recently-emitted `node_executing` event.
+`ProgressBar.update_absolute(...)`. Throttled to ~10 events/second per
+node. Same field names as the `comfy jobs watch` stream.
 
 ```json
-{"event": "node_progress", "schema_version": 1, "node_id": "1", "class_type": "GeminiNanoBanana2", "title": "Nano Banana 2", "value": 14, "max": 30}
+{"schema": "event/1", "type": "progress", "node": "1", "completed": 14, "total": 30, "prompt_id": "9b1c…"}
 ```
 
-| Field            | Type   | Description                                                 |
-| ---------------- | ------ | ----------------------------------------------------------- |
-| `event`          | str    | `"node_progress"`                                           |
-| `schema_version` | int    | `1`                                                         |
-| `node_id`        | str    | Node currently running                                      |
-| `class_type`     | str    | Node class name (duplicated from the workflow so stateless consumers don't need to track the prior `node_executing`) |
-| `title`          | str    | display label (see canonical `title` rule above)                 |
-| `value`          | number | Current progress. Typically int (step count); some custom nodes emit float (fractional progress). Defaults to `0` when the server omits the field. |
-| `max`            | number | Total progress; same caveat as `value`. Defaults to `0` when the server omits the field. |
-
-Some custom nodes may emit `value > max` near the end of execution.
-Agents rendering a progress bar should clamp `value` to `max`.
+Some custom nodes may emit `completed > total` near the end of execution;
+agents rendering a progress bar should clamp.
 
-### `node_executed`
+### `executed`
 
 Emitted when the server reports node completion via its `executed`
 websocket message. **Not guaranteed for every executed node** —
 intermediate compute nodes that don't surface output to the client may
-finish without emitting this event. Output nodes (like `SaveImage`) and
-some custom partner nodes that publish previews reliably emit it. A
-cached output-bearing node also emits `node_executed` (in addition to
-`node_cached`).
+finish without it.
 
 ```json
 {
-  "event": "node_executed",
-  "schema_version": 1,
-  "node_id": "2",
-  "class_type": "SaveImage",
+  "schema": "event/1",
+  "type": "executed",
+  "node": "2",
   "title": "Save Image",
+  "class_type": "SaveImage",
   "outputs": [
     {
       "category": "images",
@@ -308,214 +231,132 @@ cached output-bearing node also emits `node_executed` (in addition to
       "type": "output",
       "url": "http://127.0.0.1:8188/view?filename=banana_test_00001_.png&subfolder=&type=output"
     }
-  ]
+  ],
+  "prompt_id": "9b1c…"
 }
 ```
 
-| Field            | Type             | Description                                 |
-| ---------------- | ---------------- | ------------------------------------------- |
-| `event`          | str              | `"node_executed"`                           |
-| `schema_version` | int              | `1`                                         |
-| `node_id`        | str              | Node key                                    |
-| `class_type`     | str              | Node class name                             |
-| `title`          | str              | display label (see canonical `title` rule above) |
-| `outputs`        | array of Output  | File-like outputs (empty if none)           |
-
 `outputs` is populated by iterating each key in ComfyUI's
 `executed.output` dict and emitting any item that matches the
 file-record shape (a dict containing a `filename` key). Items that are
 not file-record-shaped (strings, booleans, mixed lists from nodes that
 publish non-file data like text predictions or animation flags) are
-silently skipped. See [Output object](#output-object) for the entry
-shape.
+silently skipped. See [Output object](#output-object).
 
-### `completed`
+### `output`
 
-Terminal event on success. Carries identifiers, timing, the aggregated
-output list, and node-execution metadata.
+One event per newly seen file-like output, emitted right after the
+`executed` event that produced it. `url` is the contractual way to fetch
+the bytes (it points at ComfyUI's `/view` endpoint); on a local loopback
+run with a resolvable workspace it may instead be an absolute local file
+path — treat any non-`http(s)` value as a filesystem path.
 
 ```json
-{
-  "event": "completed",
-  "schema_version": 1,
-  "prompt_id": "9b1c…",
-  "client_id": "fe2a…",
-  "elapsed_seconds": 8.342,
-  "outputs": [],
-  "cached_node_ids": ["1"],
-  "executed_node_ids": ["2"]
-}
+{"schema": "event/1", "type": "output", "url": "http://127.0.0.1:8188/view?filename=banana_test_00001_.png&subfolder=&type=output", "prompt_id": "9b1c…"}
 ```
 
-| Field               | Type            | Description                                                  |
-| ------------------- | --------------- | ------------------------------------------------------------ |
-| `event`             | str             | `"completed"`                                                |
-| `schema_version`    | int             | `1`                                                          |
-| `prompt_id`         | str             | Server-assigned prompt UUID                                  |
-| `client_id`         | str             | Client-generated UUID                                        |
-| `elapsed_seconds`   | float           | Wall-clock duration from start of `comfy run` (same clock as `failed.elapsed_seconds`) |
-| `outputs`           | array of Output | All file-like outputs across all nodes (empty if none)       |
-| `cached_node_ids`   | array of str    | Node IDs the server reported as cached (via `execution_cached`) |
-| `executed_node_ids` | array of str    | Node IDs the executor *ran* — the union of every `node_id` that appeared in a `node_executing` or `node_executed` event. Named for what the executor did (run a node), broader than the leaf-only `node_executed` event: includes intermediate compute nodes (CheckpointLoaderSimple, KSampler, etc.) that don't surface output to the client. |
-
-`cached_node_ids` and `executed_node_ids` are independent signals about
-what the server reported. **They may overlap**: a cached output-bearing
-node emits both `execution_cached` and `executed`, so it appears in
-both lists. Agents wanting "ran fresh, not from cache" should compute
-`set(executed_node_ids) - set(cached_node_ids)`.
-
-### `failed`
+### `execution_error`
 
-Terminal event on any failure. The `error.kind` discriminator is the
-documented stable enum (see [Error object](#error-object) and
-[Error kinds](#error-kinds)).
+Diagnostic event carrying the raw server payload when a node raises
+during execution. The terminal error envelope (`error.code:
+"execution_error"`) follows immediately; agents can dispatch on the
+envelope alone.
 
 ```json
-{
-  "event": "failed",
-  "schema_version": 1,
-  "prompt_id": "9b1c…",
-  "client_id": "fe2a…",
-  "elapsed_seconds": 1.23,
-  "error": {
-    "kind": "execution_error",
-    "message": "API key invalid",
-    "node_id": "1",
-    "class_type": "GeminiNanoBanana2",
-    "title": "Nano Banana 2",
-    "exception_type": "RuntimeError",
-    "traceback": "  File \"/path/to/node.py\", line 42, in execute\n    raise RuntimeError(\"API key invalid\")\n"
-  }
-}
+{"schema": "event/1", "type": "execution_error", "prompt_id": "9b1c…", "details": {"node_id": "1", "exception_message": "API key invalid", "...": "..."}}
 ```
 
-| Field             | Type        | Description                                                                |
-| ----------------- | ----------- | -------------------------------------------------------------------------- |
-| `event`           | str         | `"failed"`                                                                 |
-| `schema_version`  | int         | `1`                                                                        |
-| `prompt_id`       | str \| null | `null` when failure occurred before `/prompt` was accepted                 |
-| `client_id`       | str \| null | `null` when failure occurred before `WorkflowExecution` was constructed    |
-| `elapsed_seconds` | float       | Wall-clock duration from start of `comfy run`                              |
-| `error`           | Error       | See [Error object](#error-object)                                          |
-
-If `prompt_id` is non-null, `client_id` is also non-null (a `prompt_id`
-cannot be assigned without a `client_id`).
-
-## Output object
-
-```json
-{
-  "category": "images",
-  "node_id": "2",
-  "class_type": "SaveImage",
-  "title": "Save Image",
-  "filename": "banana_test_00001_.png",
-  "subfolder": "",
-  "type": "output",
-  "url": "http://127.0.0.1:8188/view?filename=..."
-}
-```
+## Success envelope
+
+On `--wait` success, `data` carries:
+
+| Field               | Type            | Description                                            |
+| ------------------- | --------------- | ------------------------------------------------------ |
+| `workflow`          | str             | Absolute path of the submitted workflow file           |
+| `status`            | str             | `"completed"` (`"queued"` without `--wait`; `"preview"` under `--print-prompt`) |
+| `prompt_id`         | str             | Server-assigned prompt UUID                            |
+| `client_id`         | str             | Client-generated UUID                                  |
+| `outputs`           | array of str    | URL (or local path) per file-like output, deduplicated |
+| `cached_node_ids`   | array of str    | Node IDs the server reported as cached                 |
+| `executed_node_ids` | array of str    | Node IDs the executor *ran* — the union of every node that appeared in an `executing` or `executed` event, including intermediate compute nodes |
+| `elapsed_seconds`   | float \| null   | Wall-clock duration (null when not waiting)            |
+| `host` / `port`     | str / int       | Target server                                          |
+| `state_file`        | str \| null     | Path of the job state file (poll with `comfy jobs status`) |
+
+`cached_node_ids` and `executed_node_ids` may overlap: a cached
+output-bearing node emits both `execution_cached` and `executed`. Agents
+wanting "ran fresh, not from cache" should compute
+`set(executed_node_ids) - set(cached_node_ids)`.
 
-| Field        | Type        | Description                                                                                              |
-| ------------ | ----------- | -------------------------------------------------------------------------------------------------------- |
-| `category`   | str         | Output category as keyed by ComfyUI's `executed.output` dict. **Open set.** Current ComfyUI versions emit values like `images`, `audio`, `3d`, `latents`; agents must accept and pass through unknown values. |
-| `node_id`    | str         | Node that produced the output                                                                            |
-| `class_type` | str         | Node class name                                                                                          |
-| `title`      | str         | display label (see canonical `title` rule above)                                                              |
-| `filename`   | str         | Raw filename as reported by the server                                                                   |
-| `subfolder`  | str         | Subfolder within the output folder's root. Defaults to `""` when the server omits or empties the field.   |
-| `type`       | str         | ComfyUI output folder discriminator. **Open set.** Current ComfyUI versions emit `output`, `temp`, `input`; agents must accept and pass through unknown values. Defaults to `"output"` when the server omits or empties the field. |
-| `url`        | str         | `http(s)://<host>:<port>/view?...` URL — always present, fetch this to get the bytes |
-
-### Fetching output bytes
-
-The `url` field is the only contractual way to retrieve an output's
-bytes. It points at ComfyUI's `/view` endpoint and works whether the
-agent is on the same machine as ComfyUI, on a different host, or
-talking to Cloud. For the local case, a loopback HTTP fetch from a
-ComfyUI on the same box is cheap — the agent's HTTP client reads
-through the kernel loopback in the same way it'd read a local file.
-
-An earlier draft of v1 also emitted a `local_path` field for the
-same-machine case; it was removed because resolving ComfyUI's actual
-output directory reliably (across manual launches, alternate install
-paths, multi-install machines, bind-mounted volumes) wasn't feasible.
-Agents should rely on `url` exclusively.
+Without `--wait` (the default), the stream ends at the `queued` envelope
+(`data.status: "queued"`, `data.watcher_spawned: bool`) and a detached
+watcher keeps the state file updated; follow up with
+`comfy jobs watch <prompt_id>` or `comfy jobs status <prompt_id>`.
 
 ## Error object
 
-Every `failed` event carries an `error` object with these universal
-fields, plus per-kind extras documented in [Error kinds](#error-kinds).
-
-| Field     | Type | Description                                                                                  |
-| --------- | ---- | -------------------------------------------------------------------------------------------- |
-| `kind`    | str  | Discriminator; one of the values in [Error kinds](#error-kinds)                              |
-| `message` | str  | Human-readable summary. For display only — agents should dispatch on `kind`, not on `message`|
-
-The set of per-kind extra fields is the documented minimum. New
-optional extra fields may be added in non-breaking releases; existing
-fields will not be removed or renamed without a `schema_version` bump.
-
-## Error kinds
-
-Per-kind extra fields. Universal fields (`kind`, `message`) are
-documented in [Error object](#error-object).
-
-Each `error.kind` is a stable string. New kinds may be added in
-backward-compatible releases; existing kinds will not be renamed or
-removed without a schema version bump.
-
-| `kind`                    | Triggered when                                                                                | Extra fields                                       |
-| ------------------------- | --------------------------------------------------------------------------------------------- | -------------------------------------------------- |
-| `workflow_not_found`      | `--workflow` path does not exist                                                              | —                                                  |
-| `workflow_invalid_json`   | Workflow file is not valid JSON                                                               | —                                                  |
-| `workflow_read_error`     | Workflow file exists but isn't readable as text (`OSError`, `UnicodeDecodeError`)             | —                                                  |
-| `workflow_format_invalid` | File parses but is neither UI nor API format                                                  | —                                                  |
-| `workflow_empty`          | Workflow has no executable nodes (UI conversion produced `{}`, or API workflow is `{}`)       | —                                                  |
-| `conversion_error`        | UI→API converter raised `WorkflowConversionError`                                             | —                                                  |
-| `conversion_crash`        | UI→API converter raised an unexpected exception                                               | `exception_type` (str)                             |
-| `object_info_unavailable` | `/object_info` returned an HTTP error, or an HTTP 200 with an unparseable body                | `status_code` (int), `body` (str)                  |
-| `connection_error`        | ComfyUI server unreachable: `URLError`, `TimeoutError`, or other `OSError` while contacting it (including on `/object_info`) | —                                |
-| `validation_error`        | Server returned HTTP 400 with `node_errors`                                                   | `node_errors` (array of dict; see [shape](#validation_errornode_errors-shape)) |
-| `client_error`            | Server returned an HTTP 4xx response (not validation)                                         | `status_code` (int, 4xx), `body` (str)             |
-| `server_error`            | Server returned an HTTP 5xx response                                                          | `status_code` (int, 5xx), `body` (str)             |
-| `invalid_response`        | Server returned HTTP 2xx but body was unparseable or lacked `prompt_id`                       | `status_code` (int, 2xx), `body` (str)             |
-| `timeout`                 | WebSocket `recv` timed out                                                                    | `timeout_seconds` (float)                          |
-| `connection_lost`         | WebSocket connection dropped mid-execution                                                    | —                                                  |
-| `execution_interrupted`   | Workflow was interrupted — either by the server (`execution_interrupted` WS, e.g., via `/interrupt`) or by the client process receiving `SIGINT` (Ctrl-C) | —              |
-| `execution_error`         | A node raised during execution (server emitted `execution_error`)                             | `node_id` (str), `class_type` (str), `title` (str — display label, see canonical `title` rule), `exception_type` (str), `traceback` (str) |
+Every failure envelope carries:
+
+| Field     | Type         | Description                                                                |
+| --------- | ------------ | -------------------------------------------------------------------------- |
+| `code`    | str          | Registered discriminator — see [Error codes](#error-codes); the full registry is in `comfy --json discover` under `data.error_codes` |
+| `message` | str          | Human-readable summary. For display only — dispatch on `code`              |
+| `hint`    | str \| null  | Suggested next action                                                      |
+| `details` | dict \| null | Per-code structured extras (documented below)                              |
+
+## Error codes
+
+Codes raised by `comfy run` against a local server, with their `details`
+payloads. All of them are registered in `comfy_cli/error_codes.py` (the
+registry test enforces this) and surfaced by `comfy discover`.
+
+| `code`                    | Triggered when                                                                  | `details`                                          | Exit |
+| ------------------------- | ------------------------------------------------------------------------------- | -------------------------------------------------- | ---- |
+| `workflow_not_found`      | `--workflow` path does not exist                                                | —                                                  | 1 |
+| `workflow_invalid_json`   | Workflow file is not valid JSON                                                 | —                                                  | 1 |
+| `workflow_read_error`     | Workflow file exists but isn't readable as text (`OSError`, `UnicodeDecodeError`) | —                                                | 1 |
+| `workflow_not_api_format` | File parses but is neither UI nor API format                                    | —                                                  | 1 |
+| `workflow_empty`          | Workflow has no executable nodes (UI conversion produced `{}`, or API workflow is `{}`) | —                                          | 1 |
+| `conversion_error`        | UI→API converter raised `WorkflowConversionError`                               | —                                                  | 1 |
+| `conversion_crash`        | UI→API converter raised an unexpected exception                                 | `exception_type` (str)                             | 1 |
+| `server_not_running`      | Pre-flight probe found no ComfyUI on host:port                                  | `host` (str), `port` (int)                         | 1 |
+| `object_info_unavailable` | `/object_info` returned an HTTP error, or HTTP 200 with an unparseable body     | `status` (int), `body` (str)                       | 1 |
+| `connection_error`        | Server unreachable mid-flow: `URLError`, `TimeoutError`, or other `OSError` (including on `/object_info`) | —                       | 1 |
+| `workflow_unknown_nodes`  | Pre-submit validation found unknown class_types / shape mismatches              | `errors` (array), `warnings` (array)               | 1 |
+| `partner_node_requires_credential` | Workflow uses a partner-API node and no `api_key_comfy_org` credential is available | `partner_nodes` (array of str), `host`, `port` | 1 |
+| `prompt_rejected`         | Server returned HTTP 400 with `node_errors`                                     | `status` (400), `node_errors` (array — [shape](#node_errors-shape)) | 1 |
+| `client_error`            | Server returned another HTTP 4xx response                                       | `status` (int, 4xx), `body` (str)                  | 1 |
+| `server_error`            | Server returned an HTTP 5xx response                                            | `status` (int, 5xx), `body` (str)                  | 1 |
+| `invalid_response`        | Server returned HTTP 2xx but body was unparseable or lacked `prompt_id`         | `status` (int, 2xx)                                | 1 |
+| `ws_timeout`              | WebSocket `recv` idle past `--timeout`                                          | `timeout` (int, seconds)                           | 1 |
+| `ws_disconnected`         | WebSocket connection dropped mid-execution                                      | —                                                  | 1 |
+| `cancelled`               | Run was interrupted — client `SIGINT` (Ctrl-C) or the server's `execution_interrupted` (e.g. `/interrupt`) | —                       | 130 |
+| `execution_error`         | A node raised during execution (server emitted `execution_error`)               | `node_id` (str), `class_type` (str), `title` (str), `exception_type` (str), `traceback` (str) | 1 |
 
 ### `exception_type` field
 
-`exception_type` is provided for diagnostic and observability purposes
-(e.g., metrics bucketing). **Open set** — the format is whatever
-ComfyUI sends, typically the bare class name for builtins
-(`RuntimeError`, `ValueError`) and a dotted module path for non-
-builtins (`comfy.model_management.InterruptProcessingException`). May
-be `""` when the server omits it. Agents should not key retry or
-routing logic on `exception_type`; use `error.kind` for coarse
-dispatch and `error.message` for human display.
+Provided for diagnostic and observability purposes (e.g., metrics
+bucketing). **Open set** — the format is whatever ComfyUI sends,
+typically the bare class name for builtins (`RuntimeError`,
+`ValueError`) and a dotted module path for non-builtins. May be `""`
+when the server omits it. Don't key retry or routing logic on it; use
+`error.code` for coarse dispatch.
 
 ### `traceback` field
 
-`traceback` is a single multi-line string carrying the formatted stack
-frames as reported by ComfyUI (joined from the server's
-`traceback.format_tb()` output). It does NOT include the
-`"Traceback (most recent call last):"` header or the final
-`"ExceptionType: message"` summary line — agents reconstructing a
-Python-style display can do so themselves from `exception_type`,
-`error.message`, and `traceback`. May be empty (`""`) when the server's
-formatted stack is empty.
-
-After `json.loads()`, the `traceback` string contains real newline
-characters (the JSON wire-format `\n` escapes are decoded).
+A single multi-line string carrying the formatted stack frames as
+reported by ComfyUI (joined from the server's `traceback.format_tb()`
+output). It does NOT include the `"Traceback (most recent call last):"`
+header or the final `"ExceptionType: message"` summary line. May be
+empty (`""`).
 
-### `validation_error.node_errors` shape
+### `node_errors` shape
 
-The same shape is used for `queued.validation_warnings`. The value is
-an array of self-contained records, one per affected node. Each record
-carries `node_id` (str — same identifier as appears in `node_*` events)
-plus the per-node fields ComfyUI emits. Example shape:
+Used for `prompt_rejected`'s `details.node_errors` and for
+`queued.validation_warnings`. The value is an array of self-contained
+records, one per affected node. Each record carries `node_id` (str —
+same identifier as in the per-node events) plus the per-node fields
+ComfyUI emits:
 
 ```json
 "node_errors": [
@@ -526,10 +367,7 @@ plus the per-node fields ComfyUI emits. Example shape:
         "type": "value_not_in_list",
         "message": "Value not in list",
         "details": "resolution: '5K' not in ['1K','2K','4K']",
-        "extra_info": {
-          "input_name": "resolution",
-          "received_value": "5K"
-        }
+        "extra_info": {"input_name": "resolution", "received_value": "5K"}
       }
     ],
     "dependent_outputs": ["2"],
@@ -539,79 +377,59 @@ plus the per-node fields ComfyUI emits. Example shape:
 ```
 
 The inner per-node fields are defined by ComfyUI's `validate_prompt()`
-in [`server.py`](https://github.com/comfyanonymous/ComfyUI/blob/master/server.py)
-and may evolve with ComfyUI versions. **Agents should ignore unknown
-fields.** The CLI guarantees only:
-- the outer value is an array of dicts, each carrying a `node_id` (str), and
-- under current ComfyUI versions, each record additionally carries
-  `errors`, `dependent_outputs`, and `class_type`.
+and may evolve with ComfyUI versions — agents should ignore unknown
+fields. The CLI guarantees only that the outer value is an array of
+dicts, each carrying a `node_id` (str).
 
-The record order matches ComfyUI's response order and is not guaranteed
-to be sorted; consumers that need a specific order should sort
-themselves.
+## Output object
+
+Entries of `executed.outputs`:
+
+| Field        | Type | Description                                                                       |
+| ------------ | ---- | ---------------------------------------------------------------------------------- |
+| `category`   | str  | Output category as keyed by ComfyUI's `executed.output` dict. **Open set** (`images`, `audio`, `3d`, `latents`, …) |
+| `node_id`    | str  | Node that produced the output                                                      |
+| `class_type` | str  | Node class name                                                                    |
+| `title`      | str  | Display label                                                                      |
+| `filename`   | str  | Raw filename as reported by the server                                             |
+| `subfolder`  | str  | Subfolder within the output root. Defaults to `""`                                 |
+| `type`       | str  | ComfyUI output folder discriminator. **Open set** (`output`, `temp`, `input`). Defaults to `"output"` |
+| `url`        | str  | `http(s)://<host>:<port>/view?...` URL — fetch this to get the bytes               |
 
 ## Process-level termination
 
 The CLI may be terminated by the operating system or a parent process
-(SIGKILL, SIGTERM, SIGINT, OOM-kill, segmentation fault). In these
-cases, no terminal event is emitted and the stream may be truncated.
-
-Agents should treat the run as failed when **both**:
+(SIGKILL, SIGTERM, OOM-kill, segmentation fault). In these cases the
+envelope may never be emitted and the stream may be truncated. Agents
+should treat the run as failed when **both**:
 - the process exit code is non-zero, and
-- the last line on stdout is not one of the documented terminal events
-  (`completed`, `failed`, `queued` under `--no-wait`, or `prompt_preview`
-  under `--print-prompt`), or stdout is empty.
+- the last line on stdout is not a `type: "envelope"` line, or stdout is
+  empty.
 
 Stderr may contain a Python traceback in these cases.
 
 ## Examples
 
-Class type names in these examples (`SaveImage`, `GeminiNanoBanana2`,
-etc.) are illustrative — they reflect specific ComfyUI/partner nodes.
-Agents should not hardcode behavior on specific `class_type` strings;
-the contract guarantees the *shape* of these fields, not their content.
-
-Every line, including the terminal event (`completed` / `failed` /
-`queued` under `--no-wait` / `prompt_preview` under `--print-prompt`),
-ends with `\n`. Agents using line iteration (`for line in stdout`) are fine;
-agents using `splitlines()` or `split("\n")` should filter empty
-trailing entries.
-
-### Successful run (UI-format input)
+### Successful run (UI-format input, `--wait`)
 
 ```json
-{"event":"converted","schema_version":1,"node_count":2}
-{"event":"prompt_preview","schema_version":1,"prompt":{"1":{"class_type":"GeminiNanoBanana2","inputs":{"prompt":"a banana","width":2048,"height":2048},"_meta":{"title":"Nano Banana 2"}},"2":{"class_type":"SaveImage","inputs":{"filename_prefix":"banana_test","images":["1",0]},"_meta":{"title":"Save Image"}}}}
-{"event":"queued","schema_version":1,"prompt_id":"9b1c…","client_id":"fe2a…","validation_warnings":[],"nodes":[{"node_id":"1","class_type":"GeminiNanoBanana2","title":"Nano Banana 2"},{"node_id":"2","class_type":"SaveImage","title":"Save Image"}]}
-{"event":"node_executing","schema_version":1,"node_id":"1","class_type":"GeminiNanoBanana2","title":"Nano Banana 2"}
-{"event":"node_progress","schema_version":1,"node_id":"1","class_type":"GeminiNanoBanana2","title":"Nano Banana 2","value":1,"max":4}
-{"event":"node_progress","schema_version":1,"node_id":"1","class_type":"GeminiNanoBanana2","title":"Nano Banana 2","value":4,"max":4}
-{"event":"node_executing","schema_version":1,"node_id":"2","class_type":"SaveImage","title":"Save Image"}
-{"event":"node_executed","schema_version":1,"node_id":"2","class_type":"SaveImage","title":"Save Image","outputs":[{"category":"images","node_id":"2","class_type":"SaveImage","title":"Save Image","filename":"banana_test_00001_.png","subfolder":"","type":"output","url":"http://127.0.0.1:8188/view?filename=banana_test_00001_.png&subfolder=&type=output"}]}
-{"event":"completed","schema_version":1,"prompt_id":"9b1c…","client_id":"fe2a…","elapsed_seconds":8.342,"outputs":[{"category":"images","node_id":"2","class_type":"SaveImage","title":"Save Image","filename":"banana_test_00001_.png","subfolder":"","type":"output","url":"http://127.0.0.1:8188/view?filename=banana_test_00001_.png&subfolder=&type=output"}],"cached_node_ids":[],"executed_node_ids":["1","2"]}
+{"schema":"event/1","type":"converted","node_count":2}
+{"schema":"event/1","type":"prompt_preview","prompt":{"1":{"class_type":"GeminiNanoBanana2","inputs":{"prompt":"a banana"},"_meta":{"title":"Nano Banana 2"}},"2":{"class_type":"SaveImage","inputs":{"filename_prefix":"banana_test","images":["1",0]},"_meta":{"title":"Save Image"}}}}
+{"schema":"event/1","type":"queued","prompt_id":"9b1c…","client_id":"fe2a…","validation_warnings":[],"nodes":[{"node_id":"1","class_type":"GeminiNanoBanana2","title":"Nano Banana 2"},{"node_id":"2","class_type":"SaveImage","title":"Save Image"}]}
+{"schema":"event/1","type":"executing","node":"1","title":"Nano Banana 2","class_type":"GeminiNanoBanana2","prompt_id":"9b1c…"}
+{"schema":"event/1","type":"progress","node":"1","completed":4,"total":4,"prompt_id":"9b1c…"}
+{"schema":"event/1","type":"executing","node":"2","title":"Save Image","class_type":"SaveImage","prompt_id":"9b1c…"}
+{"schema":"event/1","type":"executed","node":"2","title":"Save Image","class_type":"SaveImage","outputs":[{"category":"images","node_id":"2","class_type":"SaveImage","title":"Save Image","filename":"banana_test_00001_.png","subfolder":"","type":"output","url":"http://127.0.0.1:8188/view?filename=banana_test_00001_.png&subfolder=&type=output"}],"prompt_id":"9b1c…"}
+{"schema":"event/1","type":"output","url":"http://127.0.0.1:8188/view?filename=banana_test_00001_.png&subfolder=&type=output","prompt_id":"9b1c…"}
+{"schema":"envelope/1","type":"envelope","ok":true,"command":"run","version":"1.6.1","where":"local","data":{"workflow":"/path/wf.json","status":"completed","prompt_id":"9b1c…","client_id":"fe2a…","outputs":["http://127.0.0.1:8188/view?filename=banana_test_00001_.png&subfolder=&type=output"],"cached_node_ids":[],"executed_node_ids":["1","2"],"elapsed_seconds":8.342,"host":"127.0.0.1","port":8188,"state_file":"…"},"error":null}
 ```
 
 Exit code: `0`.
 
-Note: node 1 (`GeminiNanoBanana2`) does not emit a `node_executed`
-event in this example — it's an intermediate compute node whose result
-is forwarded via tensors rather than surfaced as a file output, so the
-server doesn't send an `executed` ws message for it.
-
-### `--no-wait` (API-format input)
-
-```json
-{"event":"prompt_preview","schema_version":1,"prompt":{"1":{"class_type":"GeminiNanoBanana2","inputs":{"prompt":"a banana","width":2048,"height":2048},"_meta":{"title":"Nano Banana 2"}},"2":{"class_type":"SaveImage","inputs":{"filename_prefix":"banana_test","images":["1",0]},"_meta":{"title":"Save Image"}}}}
-{"event":"queued","schema_version":1,"prompt_id":"9b1c…","client_id":"fe2a…","validation_warnings":[],"nodes":[{"node_id":"1","class_type":"GeminiNanoBanana2","title":"Nano Banana 2"},{"node_id":"2","class_type":"SaveImage","title":"Save Image"}]}
-```
-
-Exit code: `0`. The agent is responsible for polling
-`/history/{prompt_id}` to observe completion.
-
 ### Failure: workflow file missing
 
 ```json
-{"event":"failed","schema_version":1,"prompt_id":null,"client_id":null,"elapsed_seconds":0.001,"error":{"kind":"workflow_not_found","message":"Workflow file not found: /tmp/missing.json"}}
+{"schema":"envelope/1","type":"envelope","ok":false,"command":"run","version":"1.6.1","where":"local","data":null,"error":{"code":"workflow_not_found","message":"Specified workflow file not found: /tmp/missing.json","hint":"check the path; pass the API-format JSON exported from ComfyUI","details":null}}
 ```
 
 Exit code: `1`.
@@ -619,9 +437,8 @@ Exit code: `1`.
 ### Failure: server returned validation errors
 
 ```json
-{"event":"converted","schema_version":1,"node_count":2}
-{"event":"prompt_preview","schema_version":1,"prompt":{"1":{"class_type":"GeminiNanoBanana2","inputs":{"prompt":"a banana","resolution":"5K"},"_meta":{"title":"Nano Banana 2"}},"2":{"class_type":"SaveImage","inputs":{"filename_prefix":"banana_test","images":["1",0]},"_meta":{"title":"Save Image"}}}}
-{"event":"failed","schema_version":1,"prompt_id":null,"client_id":"fe2a…","elapsed_seconds":0.45,"error":{"kind":"validation_error","message":"Value not in list","node_errors":[{"node_id":"1","errors":[{"type":"value_not_in_list","message":"Value not in list","details":"resolution: '5K' not in ['1K','2K','4K']","extra_info":{"input_name":"resolution","received_value":"5K"}}],"dependent_outputs":["2"],"class_type":"GeminiNanoBanana2"}]}}
+{"schema":"event/1","type":"prompt_preview","prompt":{"…":"…"}}
+{"schema":"envelope/1","type":"envelope","ok":false,"command":"run","version":"1.6.1","where":"local","data":null,"error":{"code":"prompt_rejected","message":"Workflow has 1 validation error(s)","hint":"inspect `details.node_errors` and fix the workflow","details":{"status":400,"node_errors":[{"node_id":"1","errors":[{"type":"value_not_in_list","message":"Value not in list","details":"resolution: '5K' not in ['1K','2K','4K']"}],"dependent_outputs":["2"],"class_type":"GeminiNanoBanana2"}]}}}
 ```
 
 Exit code: `1`.
@@ -629,74 +446,84 @@ Exit code: `1`.
 ### Failure: node raised during execution
 
 ```json
-{"event":"prompt_preview","schema_version":1,"prompt":{"1":{"class_type":"GeminiNanoBanana2","inputs":{"prompt":"a banana","width":2048,"height":2048},"_meta":{"title":"Nano Banana 2"}},"2":{"class_type":"SaveImage","inputs":{"filename_prefix":"banana_test","images":["1",0]},"_meta":{"title":"Save Image"}}}}
-{"event":"queued","schema_version":1,"prompt_id":"9b1c…","client_id":"fe2a…","validation_warnings":[],"nodes":[{"node_id":"1","class_type":"GeminiNanoBanana2","title":"Nano Banana 2"},{"node_id":"2","class_type":"SaveImage","title":"Save Image"}]}
-{"event":"node_executing","schema_version":1,"node_id":"1","class_type":"GeminiNanoBanana2","title":"Nano Banana 2"}
-{"event":"failed","schema_version":1,"prompt_id":"9b1c…","client_id":"fe2a…","elapsed_seconds":2.1,"error":{"kind":"execution_error","message":"API key invalid","node_id":"1","class_type":"GeminiNanoBanana2","title":"Nano Banana 2","exception_type":"RuntimeError","traceback":"  File \"/path/to/node.py\", line 42, in execute\n    raise RuntimeError(\"API key invalid\")\n"}}
+{"schema":"event/1","type":"prompt_preview","prompt":{"…":"…"}}
+{"schema":"event/1","type":"queued","prompt_id":"9b1c…","client_id":"fe2a…","validation_warnings":[],"nodes":[{"…":"…"}]}
+{"schema":"event/1","type":"executing","node":"1","title":"Nano Banana 2","class_type":"GeminiNanoBanana2","prompt_id":"9b1c…"}
+{"schema":"event/1","type":"execution_error","prompt_id":"9b1c…","details":{"node_id":"1","exception_message":"API key invalid","…":"…"}}
+{"schema":"envelope/1","type":"envelope","ok":false,"command":"run","version":"1.6.1","where":"local","data":null,"error":{"code":"execution_error","message":"API key invalid","hint":"inspect the per-node fields in details; re-run with `--wait --verbose`","details":{"node_id":"1","class_type":"GeminiNanoBanana2","title":"Nano Banana 2","exception_type":"RuntimeError","traceback":"  File \"/path/to/node.py\", line 42, in execute\n    raise RuntimeError(\"API key invalid\")\n"}}}
 ```
 
 Exit code: `1`.
 
-### Failure: websocket timeout
+### Cancellation (Ctrl-C or server interrupt)
 
 ```json
-{"event":"prompt_preview","schema_version":1,"prompt":{"1":{"class_type":"GeminiNanoBanana2","inputs":{"prompt":"a banana","width":2048,"height":2048},"_meta":{"title":"Nano Banana 2"}},"2":{"class_type":"SaveImage","inputs":{"filename_prefix":"banana_test","images":["1",0]},"_meta":{"title":"Save Image"}}}}
-{"event":"queued","schema_version":1,"prompt_id":"9b1c…","client_id":"fe2a…","validation_warnings":[],"nodes":[{"node_id":"1","class_type":"GeminiNanoBanana2","title":"Nano Banana 2"},{"node_id":"2","class_type":"SaveImage","title":"Save Image"}]}
-{"event":"node_executing","schema_version":1,"node_id":"1","class_type":"GeminiNanoBanana2","title":"Nano Banana 2"}
-{"event":"failed","schema_version":1,"prompt_id":"9b1c…","client_id":"fe2a…","elapsed_seconds":30.0,"error":{"kind":"timeout","message":"WebSocket timed out after 30s waiting for server response","timeout_seconds":30.0}}
+{"schema":"envelope/1","type":"envelope","ok":false,"command":"run","version":"1.6.1","where":"local","data":null,"error":{"code":"cancelled","message":"Cancelled by user","hint":null,"details":null}}
 ```
 
-Exit code: `1`.
-
-### Failure: workflow interrupted
-
-```json
-{"event":"prompt_preview","schema_version":1,"prompt":{"1":{"class_type":"GeminiNanoBanana2","inputs":{"prompt":"a banana","width":2048,"height":2048},"_meta":{"title":"Nano Banana 2"}},"2":{"class_type":"SaveImage","inputs":{"filename_prefix":"banana_test","images":["1",0]},"_meta":{"title":"Save Image"}}}}
-{"event":"queued","schema_version":1,"prompt_id":"9b1c…","client_id":"fe2a…","validation_warnings":[],"nodes":[{"node_id":"1","class_type":"GeminiNanoBanana2","title":"Nano Banana 2"},{"node_id":"2","class_type":"SaveImage","title":"Save Image"}]}
-{"event":"node_executing","schema_version":1,"node_id":"1","class_type":"GeminiNanoBanana2","title":"Nano Banana 2"}
-{"event":"failed","schema_version":1,"prompt_id":"9b1c…","client_id":"fe2a…","elapsed_seconds":3.2,"error":{"kind":"execution_interrupted","message":"Workflow execution was interrupted"}}
-```
-
-Exit code: `1`.
+Exit code: `130`.
 
-## Stability and exit codes
+## Stability
 
 ### What is stable
 
-For the v1 contract documented here:
-- The set of event names listed above and the field names within them.
-- The set of `error.kind` values listed above and the per-kind extra
-  fields documented for each.
-- The exit code mapping: `0` when the terminal event is `completed`,
-  `queued` (under `--no-wait`), or `prompt_preview` (under
-  `--print-prompt`); `1` on `failed`.
-- The stdout/stderr separation: stdout carries only NDJSON (no ANSI,
-  no human-readable progress bar, no headings); stderr is reserved
-  for framework-level Python errors, uncaught exceptions, and library
-  warnings — agents should not parse it.
-- The 7-bit ASCII encoding of stdout (non-ASCII characters in string
-  fields are emitted as `\uXXXX` JSON escapes, equivalent to
-  `json.dumps(..., ensure_ascii=True)`).
-- The `schema_version: 1` field on every event of v1 streams.
+- The two-schema framing: `event/1` lines + a final `envelope/1` /
+  `type: "envelope"` line. Bump rule: additive optional fields = no bump;
+  rename/remove/retype a field or changed exit semantics = bump.
+- The set of event `type`s listed above and the field names within them.
+- The set of `error.code` values listed above, their registration in the
+  error-code registry, and the per-code `details` documented for each.
+- The exit code mapping: `0` on `ok: true`, `130` on `cancelled`, `1` on
+  every other failure.
+- The stdout/stderr separation: stdout carries only NDJSON.
 
 ### What may change in a non-breaking way
 
-- New event types being added (agents must ignore unknown `event` values).
-- New `error.kind` values being added (agents must default-handle unknown
-  kinds).
-- New optional fields being added to existing events (agents must ignore
-  unknown fields).
-
-New events that would alter the meaning of existing events when
-ignored (for example, a per-node skip event whose absence would make
-`executed_node_ids` incomplete) require a `schema_version` bump rather
-than being treated as an additive change.
-
-### Why exit codes are not granular
-
-The 0/1 mapping (defined in "What is stable" above) intentionally
-trades resolution for stability. `error.kind` is the expressive,
-extensible discriminator — agents dispatch on it; the exit code is
-just a coarse "did we succeed?" signal. Granular exit codes can be
-introduced later for non-`--json` callers in a separate,
-evidence-driven change without breaking the JSON contract.
+- New event types being added (ignore unknown `type` values).
+- New `error.code` values being added (default-handle unknown codes).
+- New optional fields being added to existing events or to `data`
+  (ignore unknown fields).
+
+## Legacy dialect mapping
+
+For consumers migrating from the pre-`event/1` `comfy run --json` dialect
+(removed; was `{"event": …, "schema_version": 1}` with `error.kind`):
+
+| Legacy event     | Current                                                      |
+| ---------------- | ------------------------------------------------------------ |
+| `converted`      | `type: "converted"`                                          |
+| `prompt_preview` | `type: "prompt_preview"`                                     |
+| `queued`         | `type: "queued"`                                             |
+| `node_executing` | `type: "executing"` (`node_id` → `node`)                     |
+| `node_cached`    | `type: "execution_cached"` (`node_id` → `node`)              |
+| `node_progress`  | `type: "progress"` (`value`/`max` → `completed`/`total`; `class_type`/`title` dropped — read them from the `executing` event) |
+| `node_executed`  | `type: "executed"` (+ one `output` event per file)           |
+| `completed`      | envelope `ok: true` (`outputs` → `data.outputs` as URLs; `cached_node_ids` / `executed_node_ids` preserved in `data`) |
+| `failed`         | envelope `ok: false` with `error.code`                       |
+
+| Legacy `error.kind`        | Current `error.code`        | Exit |
+| -------------------------- | --------------------------- | ---- |
+| `workflow_not_found`       | `workflow_not_found`        | 1 |
+| `workflow_invalid_json`    | `workflow_invalid_json`     | 1 |
+| `workflow_read_error`      | `workflow_read_error`       | 1 |
+| `workflow_format_invalid`  | `workflow_not_api_format`   | 1 |
+| `workflow_empty`           | `workflow_empty`            | 1 |
+| `conversion_error`         | `conversion_error`          | 1 |
+| `conversion_crash`         | `conversion_crash`          | 1 |
+| `connection_error` (probe) | `server_not_running`        | 1 |
+| `connection_error` (network) | `connection_error`        | 1 |
+| `object_info_unavailable`  | `object_info_unavailable`   | 1 |
+| `validation_error`         | `prompt_rejected`           | 1 |
+| `client_error`             | `client_error`              | 1 |
+| `server_error`             | `server_error`              | 1 |
+| `invalid_response`         | `invalid_response`          | 1 |
+| `timeout`                  | `ws_timeout`                | 1 |
+| `connection_lost`          | `ws_disconnected`           | 1 |
+| `execution_interrupted`    | `cancelled`                 | 130 (was 1) |
+| `execution_error`          | `execution_error`           | 1 |
+
+Other framing changes: `schema_version: 1` → `schema: "event/1"`;
+per-kind error extras moved under `error.details`; stdout is now UTF-8
+(was ASCII-escaped); `--print-prompt` and `--no-wait` streams now end
+with an explicit `ok: true` envelope instead of ending at
+`prompt_preview` / `queued`.
diff --git a/pyproject.toml b/pyproject.toml
index a6fae57b..6cecbd4f 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -33,7 +33,7 @@ classifiers = [
 dependencies = [
   "charset-normalizer>=3",
   "cookiecutter",
-  "gitpython",
+  "gitpython>=3.1.50",
   "httpx",
   "mixpanel",
   "packaging",
@@ -49,11 +49,13 @@ dependencies = [
   "tomlkit",
   "typer>=0.12.5",
   "typing-extensions>=4.7",
-  "uv>=0.6.9",
+  "uv>=0.11.15",
+
   "websocket-client",
 ]
 
-optional-dependencies.dev = [ "pre-commit", "pytest", "pytest-cov", "ruff" ]
+optional-dependencies.dev = [ "jsonschema", "pre-commit", "pytest", "pytest-cov", "ruff" ]
+optional-dependencies.preview = [ "term-image>=0.7,<0.8" ]
 urls.Repository = "https://github.com/Comfy-Org/comfy-cli.git"
 scripts.comfy = "comfy_cli.__main__:main"
 scripts.comfy-cli = "comfy_cli.__main__:main"
@@ -64,6 +66,13 @@ where = [ "." ]
 include = [ "comfy_cli*" ]
 
 [tool.setuptools.package-data]
+# Bundled skills: subdirs of comfy_cli.skills named after each skill (kept in
+# sync with BUNDLED_SKILLS). Hyphenated dirs aren't importable packages, so
+# they're plain data dirs matched by glob from the parent package.
+"comfy_cli.skills" = [ "*/SKILL.md" ]
+"comfy_cli.schemas" = [ "*.json", "*.md" ]
+
+"comfy_cli.cql.data" = [ "*.yaml", "*.json" ]
 "comfy_cli.command.generate" = [ "spec/openapi.yml" ]
 
 [tool.ruff]
diff --git a/scripts/verify_tracking_live.py b/scripts/verify_tracking_live.py
new file mode 100644
index 00000000..0f98ea6b
--- /dev/null
+++ b/scripts/verify_tracking_live.py
@@ -0,0 +1,143 @@
+#!/usr/bin/env python3
+"""Live end-to-end verification that CLI telemetry actually reaches PostHog.
+
+Unlike the unit suites (which mock the providers / SDK clients), this fires a
+real event through the production ``track_event`` path and then reads it back
+out of PostHog via the query API. It is the only check that proves the network
+round-trip works — so it is opt-in and never runs in CI.
+
+Required environment (fail-fast: missing any of these aborts):
+
+    POSTHOG_PERSONAL_API_KEY   personal API key with project *read* scope
+                               (NOT the phc_* project write key)
+    POSTHOG_PROJECT_ID         numeric project id
+    POSTHOG_QUERY_HOST         host that serves /api/projects/... query API,
+                               e.g. https://us.posthog.com (the ingestion
+                               proxy may not expose the query API)
+
+Optional:
+    POSTHOG_VERIFY_TIMEOUT     seconds to wait for ingestion (default 120)
+
+Usage:
+    POSTHOG_PERSONAL_API_KEY=phx_... POSTHOG_PROJECT_ID=12345 \
+    POSTHOG_QUERY_HOST=https://us.posthog.com \
+    python scripts/verify_tracking_live.py
+"""
+
+from __future__ import annotations
+
+import json
+import os
+import sys
+import time
+import urllib.error
+import urllib.request
+import uuid
+
+SMOKETEST_EVENT = "cli_telemetry_smoketest"
+_POLL_INTERVAL_SECONDS = 5
+
+
+def _die(message: str) -> None:
+    """Fail fast with a clear message and non-zero exit."""
+    print(f"FAIL: {message}", file=sys.stderr)
+    raise SystemExit(1)
+
+
+def _require_env(name: str) -> str:
+    value = os.environ.get(name, "").strip()
+    if not value:
+        _die(f"missing required env var {name} (see module docstring)")
+    return value
+
+
+def _send_smoketest_event(nonce: str) -> tuple[str, str]:
+    """Fire one event through the real track_event path, PostHog pipe only.
+
+    Returns (distinct_id, event_name). Raises (via _die) if telemetry is
+    suppressed or no PostHog provider is available.
+    """
+    import comfy_cli.tracking as tracking
+
+    if tracking._telemetry_disabled_by_env():
+        _die("telemetry is opted out via DO_NOT_TRACK / COMFY_NO_TELEMETRY — unset it to verify")
+
+    posthog_providers = [p for p in tracking.PROVIDERS if isinstance(p, tracking.PostHogProvider) and p.enabled]
+    if not posthog_providers:
+        _die("no enabled PostHog provider — check POSTHOG_API_KEY token")
+
+    # Restrict the fan-out to PostHog so the smoke test doesn't pollute Mixpanel,
+    # and force a session-only opt-in so we send without mutating persisted consent.
+    tracking.PROVIDERS = posthog_providers
+    tracking._session_only_tracking = True
+    distinct_id = tracking._ensure_user_id()
+
+    tracking.track_event(SMOKETEST_EVENT, {"nonce": nonce})
+    tracking._flush_all_providers()
+    return distinct_id, SMOKETEST_EVENT
+
+
+def _build_query(nonce: str) -> dict:
+    hogql = (
+        "SELECT event, timestamp, properties.nonce AS nonce "
+        "FROM events "
+        f"WHERE event = '{SMOKETEST_EVENT}' AND properties.nonce = '{nonce}' "
+        "AND timestamp > now() - INTERVAL 1 HOUR "
+        "LIMIT 1"
+    )
+    return {"query": {"kind": "HogQLQuery", "query": hogql}}
+
+
+def _query_posthog(host: str, project_id: str, api_key: str, body: dict) -> list:
+    url = f"{host.rstrip('/')}/api/projects/{project_id}/query/"
+    request = urllib.request.Request(
+        url,
+        data=json.dumps(body).encode("utf-8"),
+        headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"},
+        method="POST",
+    )
+    try:
+        with urllib.request.urlopen(request, timeout=30) as response:
+            payload = json.loads(response.read().decode("utf-8"))
+    except urllib.error.HTTPError as e:
+        detail = e.read().decode("utf-8", "replace")[:300]
+        _die(f"PostHog query API returned HTTP {e.code}: {detail}")
+    except urllib.error.URLError as e:
+        _die(f"could not reach PostHog query API at {url}: {e.reason}")
+    return payload.get("results", [])
+
+
+def _poll_for_event(host: str, project_id: str, api_key: str, nonce: str, timeout: int) -> list | None:
+    """Poll the query API until the nonce shows up or the deadline passes."""
+    body = _build_query(nonce)
+    deadline = time.monotonic() + timeout
+    while time.monotonic() < deadline:
+        results = _query_posthog(host, project_id, api_key, body)
+        if results:
+            return results[0]
+        remaining = int(deadline - time.monotonic())
+        print(f"  ...not yet in PostHog, retrying ({remaining}s left)")
+        time.sleep(_POLL_INTERVAL_SECONDS)
+    return None
+
+
+def main() -> None:
+    api_key = _require_env("POSTHOG_PERSONAL_API_KEY")
+    project_id = _require_env("POSTHOG_PROJECT_ID")
+    query_host = _require_env("POSTHOG_QUERY_HOST")
+    timeout = int(os.environ.get("POSTHOG_VERIFY_TIMEOUT", "120"))
+
+    nonce = uuid.uuid4().hex
+    print(f"Sending {SMOKETEST_EVENT} with nonce={nonce} ...")
+    distinct_id, event_name = _send_smoketest_event(nonce)
+    print(f"  dispatched (distinct_id={distinct_id}); waiting for ingestion (up to {timeout}s)")
+
+    hit = _poll_for_event(query_host, project_id, api_key, nonce, timeout)
+    if hit is None:
+        _die(f"event with nonce={nonce} never appeared within {timeout}s — delivery NOT confirmed")
+
+    print(f"PASS: telemetry round-trip confirmed — PostHog returned {hit}")
+
+
+if __name__ == "__main__":
+    main()
diff --git a/tests/comfy_cli/auth/__init__.py b/tests/comfy_cli/auth/__init__.py
new file mode 100644
index 00000000..e69de29b
diff --git a/tests/comfy_cli/auth/test_auth_command.py b/tests/comfy_cli/auth/test_auth_command.py
new file mode 100644
index 00000000..3a660dda
--- /dev/null
+++ b/tests/comfy_cli/auth/test_auth_command.py
@@ -0,0 +1,235 @@
+"""``comfy auth`` integration: set / list / remove via subprocess."""
+
+from __future__ import annotations
+
+import json
+import os
+import subprocess
+import sys
+from pathlib import Path
+
+import jsonschema
+import pytest
+
+SCHEMAS_DIR = Path(__file__).parent.parent.parent.parent / "comfy_cli" / "schemas"
+
+
+def _validator_for(name: str) -> jsonschema.Validator:
+    schema = json.loads((SCHEMAS_DIR / name).read_text())
+    store: dict[str, dict] = {}
+    for path in SCHEMAS_DIR.glob("*.json"):
+        s = json.loads(path.read_text())
+        if s.get("$id"):
+            store[s["$id"]] = s
+        store[path.name] = s
+    base = SCHEMAS_DIR.absolute().as_uri() + "/"
+    resolver = jsonschema.RefResolver(base_uri=base, referrer=schema, store=store)
+    return jsonschema.Draft202012Validator(schema, resolver=resolver)
+
+
+@pytest.fixture
+def cli_env(tmp_path):
+    env = os.environ.copy()
+    env["NO_COLOR"] = "1"
+    env["COMFY_SECRETS_PATH"] = str(tmp_path / "secrets.json")
+    return env
+
+
+def _run(args, env):
+    return subprocess.run(
+        [sys.executable, "-m", "comfy_cli", *args],
+        capture_output=True,
+        text=True,
+        env=env,
+        check=False,
+    )
+
+
+def _last_json(stdout: str) -> dict:
+    last = [line for line in stdout.splitlines() if line.strip()][-1]
+    return json.loads(last)
+
+
+def test_auth_list_empty_envelope(cli_env):
+    res = _run(["--json", "auth", "list"], cli_env)
+    assert res.returncode == 0, res.stderr
+    env = _last_json(res.stdout)
+    _validator_for("envelope.json").validate(env)
+    _validator_for("auth.json").validate(env["data"])
+    assert env["data"]["providers"] == []
+    # `auth` is now scoped to third-party model-host tokens only.
+    # Comfy Cloud sign-in lives under `comfy cloud`.
+    assert "comfy-cloud" not in env["data"]["supported"]
+    assert "civitai" in env["data"]["supported"]
+    assert "huggingface" in env["data"]["supported"]
+
+
+def test_auth_set_then_list_shows_redacted(cli_env):
+    res = _run(["--json", "auth", "set", "civitai", "--key", "abcd1234efgh5678abcd1234"], cli_env)
+    assert res.returncode == 0, res.stderr
+    env = _last_json(res.stdout)
+    assert env["changed"] is True
+    providers = {p["provider"]: p for p in env["data"]["providers"]}
+    assert providers["civitai"]["key"] == "abcd…1234"
+    assert providers["civitai"]["key_redacted"] is True
+    # Plaintext key must not appear in the envelope.
+    assert "abcd1234efgh5678abcd1234" not in json.dumps(env)
+
+
+def test_auth_remove_idempotent(cli_env):
+    _run(["auth", "set", "civitai", "--key", "abcd1234efgh5678"], cli_env)
+    res = _run(["--json", "auth", "remove", "civitai"], cli_env)
+    assert res.returncode == 0
+    res2 = _run(["--json", "auth", "remove", "civitai"], cli_env)
+    assert res2.returncode != 0
+    env = _last_json(res2.stdout)
+    assert env["error"]["code"] == "auth_not_found"
+
+
+def test_run_where_cloud_without_key_returns_cloud_not_configured(cli_env, tmp_path):
+    wf = tmp_path / "workflow.json"
+    wf.write_text(json.dumps({"1": {"class_type": "Anything", "inputs": {}}}))
+    res = _run(["--json", "run", "--workflow", str(wf), "--where", "cloud"], cli_env)
+    assert res.returncode != 0
+    env = _last_json(res.stdout)
+    assert env["ok"] is False
+    assert env["error"]["code"] == "cloud_not_configured"
+    assert env["error"]["hint"] is not None
+
+
+def test_run_where_cloud_with_expired_session_returns_unauthorized(cli_env, tmp_path):
+    # Plant an *expired* OAuth session with NO refresh token (so proactive
+    # refresh is skipped — no network) → preflight surfaces unauthorized.
+    secrets_path = Path(cli_env["COMFY_SECRETS_PATH"])
+    secrets_path.write_text(
+        json.dumps(
+            {
+                "providers": {},
+                "cloud_session": {
+                    "base_url": "https://testcloud.comfy.org",
+                    "resource": "https://testcloud.comfy.org/mcp",
+                    "client_id": "mcp-dyn-fake-id",
+                    "scope": "mcp:tools:read mcp:tools:call",
+                    "saved_at": "2026-05-15T00:00:00+00:00",
+                    "tokens": {
+                        "access_token": "fake-access-token-aaaaaaaa",
+                        "refresh_token": None,  # unrefreshable
+                        "token_type": "Bearer",
+                        "expires_at": 1,  # long expired
+                    },
+                },
+            }
+        )
+    )
+    wf = tmp_path / "workflow.json"
+    wf.write_text(json.dumps({"1": {"class_type": "Anything", "inputs": {}}}))
+    res = _run(["--json", "run", "--workflow", str(wf), "--where", "cloud"], cli_env)
+    assert res.returncode != 0
+    env = _last_json(res.stdout)
+    assert env["error"]["code"] == "cloud_unauthorized"
+    assert "comfy cloud login" in env["error"]["hint"]
+
+
+def test_cloud_whoami_expired_unrefreshable_session_is_not_signed_in(cli_env):
+    # An expired OAuth session with no refresh token must report signed_in=False
+    # (and expired=True) — not a misleading signed_in=True.
+    secrets_path = Path(cli_env["COMFY_SECRETS_PATH"])
+    secrets_path.write_text(
+        json.dumps(
+            {
+                "providers": {},
+                "cloud_session": {
+                    "base_url": "https://testcloud.comfy.org",
+                    "resource": "https://testcloud.comfy.org/mcp",
+                    "client_id": "mcp-dyn-fake-id",
+                    "scope": "mcp:tools:read",
+                    "saved_at": "2026-05-15T00:00:00+00:00",
+                    "tokens": {
+                        "access_token": "fake-access-token-aaaaaaaa",
+                        "refresh_token": None,  # unrefreshable
+                        "token_type": "Bearer",
+                        "expires_at": 1,  # long expired
+                    },
+                },
+            }
+        )
+    )
+    res = _run(["--json", "cloud", "whoami"], cli_env)
+    assert res.returncode == 0
+    env = _last_json(res.stdout)
+    assert env["data"]["signed_in"] is False
+    assert env["data"]["expired"] is True
+
+
+def test_auth_set_comfy_cloud_rejected(cli_env):
+    res = _run(
+        ["--json", "auth", "set", "comfy-cloud", "--key", "sk-test-1234567890"],
+        cli_env,
+    )
+    assert res.returncode != 0
+    env = _last_json(res.stdout)
+    assert env["error"]["code"] == "auth_use_login_for_cloud"
+    assert "comfy cloud login" in (env["error"]["hint"] or "")
+
+
+def test_cloud_whoami_not_signed_in(cli_env):
+    """`whoami` lives under the `cloud` namespace now, not `auth`."""
+    res = _run(["--json", "cloud", "whoami"], cli_env)
+    assert res.returncode == 0
+    env = _last_json(res.stdout)
+    assert env["command"] == "cloud whoami"
+    assert env["data"]["signed_in"] is False
+    assert env["data"]["auth_method"] is None
+    assert env["data"]["api_key_source"] is None
+    assert env["data"]["base_url"].startswith("https://")
+
+
+def test_cloud_whoami_signed_in_via_api_key_env(cli_env):
+    """API key in env should make whoami report signed_in=true, auth_method=api_key."""
+    env = dict(cli_env)
+    env["COMFY_CLOUD_API_KEY"] = "sk-test-1234567890"
+    res = _run(["--json", "cloud", "whoami"], env)
+    assert res.returncode == 0
+    payload = _last_json(res.stdout)
+    assert payload["data"]["signed_in"] is True
+    assert payload["data"]["auth_method"] == "api_key"
+    assert payload["data"]["api_key_source"] == "env"
+    # Plaintext key must never appear in the envelope.
+    assert "sk-test-1234567890" not in json.dumps(payload)
+
+
+def test_cloud_whoami_signed_in_via_api_key_store(cli_env):
+    """API key in the on-disk store should also flip signed_in=true."""
+    secrets_path = Path(cli_env["COMFY_SECRETS_PATH"])
+    secrets_path.write_text(
+        json.dumps(
+            {
+                "providers": {
+                    "comfy-cloud-api-key": {"key": "sk-store-1234567890", "updated_at": "2026-05-19T00:00:00+00:00"}
+                },
+                "cloud_session": None,
+            }
+        )
+    )
+    res = _run(["--json", "cloud", "whoami"], cli_env)
+    assert res.returncode == 0
+    payload = _last_json(res.stdout)
+    assert payload["data"]["signed_in"] is True
+    assert payload["data"]["auth_method"] == "api_key"
+    assert payload["data"]["api_key_source"] == "store"
+    assert "sk-store-1234567890" not in json.dumps(payload)
+
+
+def test_legacy_auth_whoami_is_gone(cli_env):
+    """We removed the alias deliberately — `auth whoami` is no longer a command."""
+    res = _run(["auth", "whoami"], cli_env)
+    assert res.returncode != 0
+
+
+def test_run_where_invalid_value_errors(cli_env, tmp_path):
+    wf = tmp_path / "workflow.json"
+    wf.write_text("{}")
+    res = _run(["--json", "run", "--workflow", str(wf), "--where", "spaceship"], cli_env)
+    assert res.returncode != 0
+    env = _last_json(res.stdout)
+    assert env["error"]["code"] == "where_invalid"
diff --git a/tests/comfy_cli/auth/test_oauth.py b/tests/comfy_cli/auth/test_oauth.py
new file mode 100644
index 00000000..253e6897
--- /dev/null
+++ b/tests/comfy_cli/auth/test_oauth.py
@@ -0,0 +1,1213 @@
+"""OAuth flow unit tests — PKCE, callback server, refresh, store round-trip.
+
+The live round-trip against testcloud is exercised manually; these tests
+cover everything that doesn't require a browser.
+"""
+
+from __future__ import annotations
+
+import base64
+import hashlib
+import os
+import threading
+import time
+import urllib.parse
+import urllib.request
+from unittest.mock import patch
+
+import pytest
+
+from comfy_cli.auth import store as auth_store
+from comfy_cli.cloud import oauth
+
+# ---------------------------------------------------------------------------
+# PKCE
+# ---------------------------------------------------------------------------
+
+
+def test_pkce_pair_satisfies_server_format():
+    verifier, challenge = oauth.generate_pkce_pair()
+    # Server requires 43-char base64url challenge with S256.
+    assert len(challenge) == 43
+    # Challenge is base64url(sha256(verifier)) — verify the math.
+    expected = base64.urlsafe_b64encode(hashlib.sha256(verifier.encode("ascii")).digest()).rstrip(b"=").decode("ascii")
+    assert challenge == expected
+
+
+def test_pkce_pairs_are_unique_per_call():
+    pairs = {oauth.generate_pkce_pair() for _ in range(20)}
+    assert len(pairs) == 20  # zero collisions across 20 draws
+
+
+def test_state_is_high_entropy():
+    states = {oauth.generate_state() for _ in range(100)}
+    assert len(states) == 100
+
+
+# ---------------------------------------------------------------------------
+# Authorize URL construction
+# ---------------------------------------------------------------------------
+
+
+def test_build_authorize_url_includes_every_required_param():
+    url = oauth._build_authorize_url(
+        base_url="https://testcloud.comfy.org",
+        client_id="mcp-dyn-abc",
+        redirect_uri="http://127.0.0.1:51234/callback",
+        scopes=("mcp:tools:read", "mcp:tools:call"),
+        state="STATE",
+        challenge="C" * 43,
+        resource="https://testcloud.comfy.org/mcp",
+    )
+    parsed = urllib.parse.urlsplit(url)
+    qs = urllib.parse.parse_qs(parsed.query)
+    assert parsed.scheme == "https"
+    assert parsed.netloc == "testcloud.comfy.org"
+    assert parsed.path == "/oauth/authorize"
+    assert qs["response_type"] == ["code"]
+    assert qs["client_id"] == ["mcp-dyn-abc"]
+    assert qs["redirect_uri"] == ["http://127.0.0.1:51234/callback"]
+    assert qs["scope"] == ["mcp:tools:read mcp:tools:call"]
+    assert qs["state"] == ["STATE"]
+    assert qs["code_challenge_method"] == ["S256"]
+    assert qs["resource"] == ["https://testcloud.comfy.org/mcp"]
+
+
+# ---------------------------------------------------------------------------
+# Callback server — happy path + bad state + error param
+# ---------------------------------------------------------------------------
+
+
+def _drive_callback(*, expected_state: str, query: str) -> oauth._CallbackCapture:
+    capture = oauth._CallbackCapture()
+    handler_cls = oauth._build_handler(
+        expected_state=expected_state,
+        capture=capture,
+        success_html="OK",
+        failure_html="FAIL",
+    )
+    port = oauth._pick_free_port()
+    server = oauth.http.server.HTTPServer(("127.0.0.1", port), handler_cls)
+    t = threading.Thread(target=server.handle_request, daemon=True)
+    t.start()
+    try:
+        urllib.request.urlopen(f"http://127.0.0.1:{port}{oauth.CALLBACK_PATH}?{query}", timeout=2).read()
+    except Exception:  # noqa: BLE001 — failure HTML still returns a body
+        pass
+    t.join(timeout=2)
+    server.server_close()
+    return capture
+
+
+def test_callback_happy_path_captures_code():
+    cap = _drive_callback(expected_state="STATE", query="code=THECODE&state=STATE")
+    assert cap.code == "THECODE"
+    assert cap.state == "STATE"
+    assert cap.error is None
+
+
+def test_callback_rejects_state_mismatch():
+    cap = _drive_callback(expected_state="EXPECTED", query="code=THECODE&state=WRONG")
+    assert cap.code is None
+    assert cap.error is not None
+    assert "missing_code_or_state_mismatch" in cap.error
+
+
+def test_success_html_interpolates_base_url_host():
+    """The success page must show the real base URL host, not a hardcoded one."""
+    rendered = oauth._SUCCESS_HTML.replace("__HOST__", "fe-pr-12159.testenvs.comfy.org")
+    assert "fe-pr-12159.testenvs.comfy.org" in rendered
+    assert "__HOST__" not in rendered
+    # The template should not bake any specific deployment into the source.
+    assert "testcloud.comfy.org" not in oauth._SUCCESS_HTML
+
+
+def test_callback_surfaces_oauth_error_param():
+    cap = _drive_callback(
+        expected_state="STATE",
+        query="error=access_denied&error_description=user+cancelled&state=STATE",
+    )
+    assert cap.code is None
+    assert cap.error == "access_denied"
+    assert cap.error_description == "user cancelled"
+
+
+# ---------------------------------------------------------------------------
+# DCR + token exchange + refresh (mocked HTTP)
+# ---------------------------------------------------------------------------
+
+
+def test_register_client_returns_parsed_record(monkeypatch: pytest.MonkeyPatch):
+    monkeypatch.setattr(
+        oauth,
+        "_post_json",
+        lambda url, body: {
+            "client_id": "mcp-dyn-NEW",
+            "client_name": body["client_name"],
+            "redirect_uris": body["redirect_uris"],
+            "client_id_issued_at": 1700000000,
+        },
+    )
+    result = oauth.register_client(
+        base_url="https://testcloud.comfy.org",
+        client_name="comfy-cli",
+        redirect_uris=("http://127.0.0.1:0/callback",),
+    )
+    assert result.client_id == "mcp-dyn-NEW"
+    assert result.client_name == "comfy-cli"
+    assert result.issued_at == 1700000000
+
+
+def test_exchange_code_returns_token_set(monkeypatch: pytest.MonkeyPatch):
+    monkeypatch.setattr(
+        oauth,
+        "_post_form",
+        lambda url, body: {
+            "access_token": "comfy_at_AAA",
+            "refresh_token": "comfy_rt_BBB",
+            "token_type": "Bearer",
+            "expires_in": 3600,
+            "scope": "mcp:tools:read mcp:tools:call",
+        },
+    )
+    before = int(time.time())
+    tokens = oauth.exchange_code(
+        base_url="https://testcloud.comfy.org",
+        client_id="cid",
+        code="THECODE",
+        redirect_uri="http://127.0.0.1:5/callback",
+        code_verifier="V" * 43,
+    )
+    after = int(time.time())
+    assert tokens.access_token == "comfy_at_AAA"
+    assert tokens.refresh_token == "comfy_rt_BBB"
+    assert tokens.token_type == "Bearer"
+    assert tokens.expires_in == 3600
+    # expires_at is now + expires_in, allow 1s drift between before/after.
+    assert before + 3600 - 1 <= tokens.expires_at <= after + 3600 + 1
+
+
+def test_refresh_tokens_calls_token_endpoint(monkeypatch: pytest.MonkeyPatch):
+    seen = {}
+
+    def fake_post_form(url, body):
+        seen["url"] = url
+        seen["body"] = body
+        return {"access_token": "NEW_AT", "refresh_token": "NEW_RT", "token_type": "Bearer", "expires_in": 60}
+
+    monkeypatch.setattr(oauth, "_post_form", fake_post_form)
+    tokens = oauth.refresh_tokens(
+        base_url="https://testcloud.comfy.org",
+        client_id="cid",
+        refresh_token="OLD_RT",
+    )
+    assert seen["url"].endswith("/oauth/token")
+    assert seen["body"]["grant_type"] == "refresh_token"
+    assert seen["body"]["refresh_token"] == "OLD_RT"
+    assert seen["body"]["client_id"] == "cid"
+    assert tokens.access_token == "NEW_AT"
+
+
+def test_exchange_code_sends_resource_indicator(monkeypatch: pytest.MonkeyPatch):
+    # RFC 8707: resource= must travel on the token POST, not just authorize.
+    seen = {}
+
+    def fake(url, body):
+        seen["body"] = body
+        return {"access_token": "AT", "refresh_token": "RT", "token_type": "Bearer", "expires_in": 60}
+
+    monkeypatch.setattr(oauth, "_post_form", fake)
+    oauth.exchange_code(
+        base_url="https://testcloud.comfy.org",
+        client_id="cid",
+        code="THECODE",
+        redirect_uri="http://127.0.0.1:5/callback",
+        code_verifier="V" * 43,
+        resource="https://testcloud.comfy.org/api",
+    )
+    assert seen["body"]["resource"] == "https://testcloud.comfy.org/api"
+
+
+def test_refresh_tokens_sends_resource_indicator(monkeypatch: pytest.MonkeyPatch):
+    seen = {}
+
+    def fake(url, body):
+        seen["body"] = body
+        return {"access_token": "AT", "refresh_token": "RT", "token_type": "Bearer", "expires_in": 60}
+
+    monkeypatch.setattr(oauth, "_post_form", fake)
+    oauth.refresh_tokens(
+        base_url="https://testcloud.comfy.org",
+        client_id="cid",
+        refresh_token="OLD_RT",
+        resource="https://testcloud.comfy.org/api",
+        scopes=("comfy-cloud:workflows:read", "comfy-cloud:jobs:read"),
+    )
+    assert seen["body"]["resource"] == "https://testcloud.comfy.org/api"
+    assert seen["body"]["scope"] == "comfy-cloud:workflows:read comfy-cloud:jobs:read"
+
+
+def test_exchange_code_maps_http_failure_to_token_error(monkeypatch: pytest.MonkeyPatch):
+    def boom(url, body):
+        raise oauth._HTTPFail(400, '{"error":"invalid_grant"}')
+
+    monkeypatch.setattr(oauth, "_post_form", boom)
+    with pytest.raises(oauth.OAuthTokenError) as exc:
+        oauth.exchange_code(
+            base_url="https://testcloud.comfy.org",
+            client_id="cid",
+            code="x",
+            redirect_uri="http://127.0.0.1:5/callback",
+            code_verifier="V" * 43,
+        )
+    assert exc.value.code == "oauth_token_failed"
+    assert "invalid_grant" in exc.value.details.get("body", "")
+
+
+def test_token_response_redacts_access_and_refresh():
+    redacted = oauth._redact_token_response(
+        {"access_token": "verysecrettoken", "refresh_token": "anotherverysecret", "expires_in": 60}
+    )
+    assert redacted["access_token"] != "verysecrettoken"
+    assert redacted["refresh_token"] != "anotherverysecret"
+    assert "verysecrettoken" not in str(redacted)
+    assert redacted["expires_in"] == 60  # non-secret fields untouched
+
+
+# ---------------------------------------------------------------------------
+# run_login end-to-end (mocked network + faked browser callback)
+# ---------------------------------------------------------------------------
+
+
+def test_run_login_orchestrates_full_flow(monkeypatch: pytest.MonkeyPatch):
+    # 1) Mock DCR.
+    monkeypatch.setattr(
+        oauth,
+        "_post_json",
+        lambda url, body: {"client_id": "mcp-dyn-LIVE", "redirect_uris": body["redirect_uris"]},
+    )
+    # 2) Mock token exchange.
+    monkeypatch.setattr(
+        oauth,
+        "_post_form",
+        lambda url, body: {"access_token": "AT", "refresh_token": "RT", "token_type": "Bearer", "expires_in": 600},
+    )
+
+    captured_url = {}
+
+    # 3) Replace browser-open with an immediate HTTP GET to the callback so the
+    # localhost server completes and run_login returns.
+    def fake_open(url, **kwargs):
+        captured_url["url"] = url
+        parsed = urllib.parse.urlsplit(url)
+        qs = urllib.parse.parse_qs(parsed.query)
+        redirect = qs["redirect_uri"][0]
+        state = qs["state"][0]
+
+        # Hit our own loopback server in a thread so urlopen doesn't deadlock.
+        def hit():
+            try:
+                urllib.request.urlopen(
+                    f"{redirect}?code=THECODE&state={urllib.parse.quote(state)}",
+                    timeout=2,
+                ).read()
+            except Exception:  # noqa: BLE001
+                pass
+
+        threading.Thread(target=hit, daemon=True).start()
+        return True
+
+    with patch.object(oauth.webbrowser, "open", side_effect=fake_open):
+        result = oauth.run_login(
+            base_url="https://testcloud.comfy.org",
+            resource="https://cloud.comfy.org/mcp",
+            scopes=("mcp:tools:read", "mcp:tools:call"),
+            client_id=None,
+            register_if_missing=True,  # force DCR for this orchestration test
+            timeout_s=5,
+        )
+
+    assert result.client_id == "mcp-dyn-LIVE"
+    assert result.tokens.access_token == "AT"
+    assert result.tokens.refresh_token == "RT"
+    assert result.scope == "mcp:tools:read mcp:tools:call"
+    # The redirect URI we used must be loopback.
+    assert result.redirect_uri.startswith("http://127.0.0.1:")
+    # The authorize URL we built must include resource + S256.
+    assert "code_challenge_method=S256" in captured_url["url"]
+    assert "resource=https" in captured_url["url"]
+
+
+def test_run_login_times_out_when_browser_never_returns(monkeypatch: pytest.MonkeyPatch):
+    monkeypatch.setattr(
+        oauth,
+        "_post_json",
+        lambda url, body: {"client_id": "mcp-dyn-X", "redirect_uris": body["redirect_uris"]},
+    )
+    with patch.object(oauth.webbrowser, "open", return_value=True):
+        with pytest.raises(oauth.OAuthTimeout) as exc:
+            oauth.run_login(
+                base_url="https://testcloud.comfy.org",
+                resource="https://testcloud.comfy.org/mcp",
+                timeout_s=0.5,
+            )
+    assert exc.value.code == "oauth_timeout"
+
+
+# ---------------------------------------------------------------------------
+# Store round-trip
+# ---------------------------------------------------------------------------
+
+
+def test_save_and_get_cloud_session_round_trip(tmp_path, monkeypatch):
+    monkeypatch.setattr(auth_store, "secrets_path", lambda: tmp_path / "secrets.json")
+    session = auth_store.save_cloud_session(
+        base_url="https://testcloud.comfy.org",
+        resource="https://testcloud.comfy.org/mcp",
+        client_id="mcp-dyn-ABC",
+        scope="mcp:tools:read mcp:tools:call",
+        access_token="AT",
+        refresh_token="RT",
+        token_type="Bearer",
+        expires_at=int(time.time()) + 3600,
+    )
+    loaded = auth_store.get_cloud_session()
+    assert loaded is not None
+    assert loaded.client_id == session.client_id
+    assert loaded.access_token == "AT"
+    assert loaded.refresh_token == "RT"
+    assert loaded.token_type == "Bearer"
+
+
+def test_clear_cloud_session_removes_record(tmp_path, monkeypatch):
+    monkeypatch.setattr(auth_store, "secrets_path", lambda: tmp_path / "secrets.json")
+    auth_store.save_cloud_session(
+        base_url="x",
+        resource="y",
+        client_id="c",
+        scope="s",
+        access_token="AT",
+        refresh_token=None,
+        token_type="Bearer",
+        expires_at=None,
+    )
+    assert auth_store.clear_cloud_session() is True
+    assert auth_store.get_cloud_session() is None
+    # Idempotent.
+    assert auth_store.clear_cloud_session() is False
+
+
+def test_session_to_dict_redacts_tokens(tmp_path, monkeypatch):
+    monkeypatch.setattr(auth_store, "secrets_path", lambda: tmp_path / "secrets.json")
+    session = auth_store.save_cloud_session(
+        base_url="x",
+        resource="y",
+        client_id="c",
+        scope="s",
+        access_token="verysecretaccesstokenAAA",
+        refresh_token="verysecretrefreshtokenBBB",
+        token_type="Bearer",
+        expires_at=int(time.time()) + 3600,
+    )
+    d = session.to_dict(redact=True)
+    assert d["tokens_redacted"] is True
+    assert "verysecret" not in str(d)
+    assert d["access_token"] != "verysecretaccesstokenAAA"
+
+
+def test_session_is_expired_after_window():
+    session = auth_store.CloudSession(
+        base_url="x",
+        resource="y",
+        client_id="c",
+        scope="s",
+        access_token="AT",
+        refresh_token="RT",
+        token_type="Bearer",
+        expires_at=int(time.time()) - 1,  # already past
+        saved_at="2026-01-01T00:00:00+00:00",
+    )
+    assert session.is_expired() is True
+
+
+def test_session_not_expired_when_future():
+    session = auth_store.CloudSession(
+        base_url="x",
+        resource="y",
+        client_id="c",
+        scope="s",
+        access_token="AT",
+        refresh_token="RT",
+        token_type="Bearer",
+        expires_at=int(time.time()) + 3600,
+        saved_at="2026-01-01T00:00:00+00:00",
+    )
+    assert session.is_expired() is False
+
+
+class TestEnsureFreshSession:
+    """Proactive refresh: keep an expired-but-refreshable session alive without
+    forcing the user to re-run `cloud login`."""
+
+    def _expired(self, refresh: str | None = "RT") -> auth_store.CloudSession:
+        return auth_store.CloudSession(
+            base_url="https://c",
+            resource="https://c/api",
+            client_id="cid",
+            scope="s",
+            access_token="OLD",
+            refresh_token=refresh,
+            token_type="Bearer",
+            expires_at=int(time.time()) - 1,
+            saved_at="2026-01-01T00:00:00+00:00",
+        )
+
+    def test_refreshes_expired_session_with_refresh_token(self, monkeypatch):
+        saved: dict = {}
+        fresh = auth_store.CloudSession(
+            base_url="https://c",
+            resource="https://c/api",
+            client_id="cid",
+            scope="s",
+            access_token="NEW",
+            refresh_token="RT2",
+            token_type="Bearer",
+            expires_at=int(time.time()) + 3600,
+            saved_at="2026-01-01T00:00:01+00:00",
+        )
+        monkeypatch.setattr(auth_store, "get_cloud_session", lambda: self._expired())
+        monkeypatch.setattr(auth_store, "save_cloud_session", lambda **kw: saved.update(kw) or fresh)
+        monkeypatch.setattr(
+            oauth,
+            "refresh_tokens",
+            lambda **kw: oauth.TokenSet(
+                access_token="NEW",
+                refresh_token="RT2",
+                token_type="Bearer",
+                expires_in=3600,
+                expires_at=int(time.time()) + 3600,
+                scope="s",
+            ),
+        )
+        result = oauth.ensure_fresh_session()
+        assert result.access_token == "NEW"
+        assert result.is_expired() is False
+        assert saved["access_token"] == "NEW"
+
+    def test_no_refresh_token_returns_stale_without_calling_refresh(self, monkeypatch):
+        called = []
+        monkeypatch.setattr(auth_store, "get_cloud_session", lambda: self._expired(refresh=None))
+        monkeypatch.setattr(oauth, "refresh_tokens", lambda **kw: called.append(1))
+        result = oauth.ensure_fresh_session()
+        assert result.is_expired() is True
+        assert called == []
+
+    def test_valid_session_not_refreshed(self, monkeypatch):
+        valid = auth_store.CloudSession(
+            base_url="x",
+            resource="y",
+            client_id="c",
+            scope="s",
+            access_token="AT",
+            refresh_token="RT",
+            token_type="Bearer",
+            expires_at=int(time.time()) + 3600,
+            saved_at="2026-01-01T00:00:00+00:00",
+        )
+        called = []
+        monkeypatch.setattr(auth_store, "get_cloud_session", lambda: valid)
+        monkeypatch.setattr(oauth, "refresh_tokens", lambda **kw: called.append(1))
+        assert oauth.ensure_fresh_session() is valid
+        assert called == []
+
+    def test_refresh_failure_falls_back_to_stale_session(self, monkeypatch):
+        def boom(**kw):
+            raise oauth.OAuthRefreshError("dead", hint="re-login", details={})
+
+        monkeypatch.setattr(auth_store, "get_cloud_session", lambda: self._expired())
+        monkeypatch.setattr(oauth, "refresh_tokens", boom)
+        result = oauth.ensure_fresh_session()
+        assert result.is_expired() is True  # no crash; caller's expiry check still fires
+
+    def test_none_when_no_session(self, monkeypatch):
+        monkeypatch.setattr(auth_store, "get_cloud_session", lambda: None)
+        assert oauth.ensure_fresh_session() is None
+
+    def _valid(self) -> auth_store.CloudSession:
+        return auth_store.CloudSession(
+            base_url="https://c",
+            resource="https://c/api",
+            client_id="cid",
+            scope="s",
+            access_token="OLD",
+            refresh_token="RT",
+            token_type="Bearer",
+            expires_at=int(time.time()) + 3600,
+            saved_at="2026-01-01T00:00:00+00:00",
+        )
+
+    def test_force_refreshes_even_when_locally_valid(self, monkeypatch):
+        """Reactive path: a server 401 means refresh even if our clock thinks
+        the access token is still good (skew / no recorded expiry)."""
+        saved: dict = {}
+        called = []
+        monkeypatch.setattr(auth_store, "get_cloud_session", lambda: self._valid())
+        monkeypatch.setattr(auth_store, "save_cloud_session", lambda **kw: saved.update(kw) or self._valid())
+
+        def _refresh(**kw):
+            called.append(1)
+            return oauth.TokenSet(
+                access_token="NEW",
+                refresh_token="RT2",
+                token_type="Bearer",
+                expires_in=3600,
+                expires_at=int(time.time()) + 3600,
+                scope="s",
+            )
+
+        monkeypatch.setattr(oauth, "refresh_tokens", _refresh)
+        result = oauth.ensure_fresh_session(force=True)
+        assert called == [1]  # refreshed despite local validity
+        assert saved["access_token"] == "NEW"
+        assert result is not None
+
+    def test_force_without_refresh_token_is_noop(self, monkeypatch):
+        called = []
+        valid_no_rt = auth_store.CloudSession(
+            base_url="https://c",
+            resource="https://c/api",
+            client_id="cid",
+            scope="s",
+            access_token="OLD",
+            refresh_token=None,
+            token_type="Bearer",
+            expires_at=int(time.time()) + 3600,
+            saved_at="2026-01-01T00:00:00+00:00",
+        )
+        monkeypatch.setattr(auth_store, "get_cloud_session", lambda: valid_no_rt)
+        monkeypatch.setattr(oauth, "refresh_tokens", lambda **kw: called.append(1))
+        result = oauth.ensure_fresh_session(force=True)
+        assert result is valid_no_rt
+        assert called == []  # no refresh token → nothing to spend
+
+
+class TestConcurrentRefresh:
+    """Rotation-correct, concurrency-safe refresh.
+
+    The auth server rotates the refresh token on every refresh and trips
+    reuse-detection (invalidating the whole family) if a consumed token is ever
+    replayed. These tests pin the cross-process lock + double-check + atomic
+    persist + reuse handling that guarantee a refresh token is never sent twice.
+    All network is mocked — ``oauth.refresh_tokens`` is the only seam patched.
+    """
+
+    @pytest.fixture
+    def persisted(self, tmp_path, monkeypatch):
+        """A real, on-disk secret store so the file lock and the
+        read-modify-write actually exercise the store (not mocked reads)."""
+        path = tmp_path / "secrets.json"
+        monkeypatch.setattr(auth_store, "secrets_path", lambda: path)
+        return path
+
+    def _persist_expired(self, *, refresh_token: str = "RT0") -> None:
+        auth_store.save_cloud_session(
+            base_url="https://c",
+            resource="https://c/api",
+            client_id="cid",
+            scope="s",
+            access_token="OLD",
+            refresh_token=refresh_token,
+            token_type="Bearer",
+            expires_at=int(time.time()) - 1,  # already expired → refresh path
+        )
+
+    @staticmethod
+    def _token_set(*, access: str, refresh: str) -> oauth.TokenSet:
+        return oauth.TokenSet(
+            access_token=access,
+            refresh_token=refresh,
+            token_type="Bearer",
+            expires_in=3600,
+            expires_at=int(time.time()) + 3600,
+            scope="s",
+        )
+
+    # (a) + (c): two concurrent refreshes coalesce to ONE network call, and the
+    # rotated refresh token is what ends up persisted.
+    def test_concurrent_refresh_coalesces_to_single_network_call(self, persisted, monkeypatch):
+        self._persist_expired(refresh_token="RT0")
+
+        calls: list[str] = []
+        start_barrier = threading.Barrier(2)
+
+        def fake_refresh(**kw):
+            calls.append(kw["refresh_token"])
+            time.sleep(0.15)  # widen the window so the second thread must wait
+            return self._token_set(access="NEW", refresh="RT1")
+
+        monkeypatch.setattr(oauth, "refresh_tokens", fake_refresh)
+
+        results: list = []
+
+        def worker():
+            start_barrier.wait()  # both threads read the stale token first
+            results.append(oauth.ensure_fresh_session())
+
+        threads = [threading.Thread(target=worker) for _ in range(2)]
+        for t in threads:
+            t.start()
+        for t in threads:
+            t.join()
+
+        # Exactly one network refresh — the second waiter saw the rotated token
+        # under the lock (double-check) and never replayed the consumed RT0.
+        assert calls == ["RT0"]
+        # The consumed token was never sent twice.
+        assert "RT0" not in calls[1:]
+        # Both callers end up with the fresh access token.
+        assert all(r is not None and r.access_token == "NEW" for r in results)
+        # (c) Rotation persisted: the store holds the NEW refresh token.
+        stored = auth_store.get_cloud_session()
+        assert stored.refresh_token == "RT1"
+        assert stored.access_token == "NEW"
+
+    # (b) Double-check: if a peer already rotated the token between our pre-lock
+    # read and the post-lock re-read, we adopt it and do NOT refresh again.
+    def test_double_check_skips_refresh_when_peer_already_rotated(self, persisted, monkeypatch):
+        self._persist_expired(refresh_token="RT0")
+
+        # Simulate a peer that rotated RT0 → RT1 while we waited for the lock:
+        # the pre-lock read sees RT0; the post-lock re-read sees a fresh RT1.
+        fresh_peer = auth_store.CloudSession(
+            base_url="https://c",
+            resource="https://c/api",
+            client_id="cid",
+            scope="s",
+            access_token="PEER_NEW",
+            refresh_token="RT1",
+            token_type="Bearer",
+            expires_at=int(time.time()) + 3600,
+            saved_at="2026-01-01T00:00:02+00:00",
+        )
+        reads = [self._stale(), fresh_peer]
+        monkeypatch.setattr(auth_store, "get_cloud_session", lambda: reads.pop(0) if reads else fresh_peer)
+        monkeypatch.setattr(oauth, "refresh_tokens", lambda **kw: pytest.fail("must not refresh after peer rotation"))
+
+        result = oauth.ensure_fresh_session()
+        assert result.refresh_token == "RT1"
+        assert result.access_token == "PEER_NEW"
+
+    def _stale(self) -> auth_store.CloudSession:
+        return auth_store.CloudSession(
+            base_url="https://c",
+            resource="https://c/api",
+            client_id="cid",
+            scope="s",
+            access_token="OLD",
+            refresh_token="RT0",
+            token_type="Bearer",
+            expires_at=int(time.time()) - 1,
+            saved_at="2026-01-01T00:00:00+00:00",
+        )
+
+    # (d) Reuse-detected / invalid_grant is fatal: clear the session, return
+    # None, surface login guidance, and NEVER loop.
+    def test_reuse_detected_clears_session_and_does_not_loop(self, persisted, monkeypatch):
+        self._persist_expired(refresh_token="RT0")
+
+        calls = []
+
+        def boom(**kw):
+            calls.append(1)
+            raise oauth.OAuthRefreshError(
+                "refresh failed: HTTP 400",
+                hint="run `comfy cloud login`",
+                details={
+                    "status": 400,
+                    "body": '{"error":"invalid_grant","error_description":"refresh token reuse detected"}',
+                },
+            )
+
+        monkeypatch.setattr(oauth, "refresh_tokens", boom)
+
+        result = oauth.ensure_fresh_session()
+        assert result is None  # family is dead → caller surfaces cloud_unauthorized
+        assert calls == [1]  # exactly one attempt, no retry loop
+        # Stored session was cleared so the dead token is never replayed again.
+        assert auth_store.get_cloud_session() is None
+
+    def test_is_fatal_token_error_classification(self):
+        def err(status, body=""):
+            return oauth.OAuthRefreshError("refresh failed", details={"status": status, "body": body})
+
+        # Fatal: the refresh-token family is genuinely dead → re-login required.
+        assert oauth._is_fatal_token_error(err(400, "invalid_grant")) is True
+        assert oauth._is_fatal_token_error(err(400, '{"error":"invalid_token"}')) is True
+        # Gated on the body, NOT the bare status: recoverable 4xx must NOT wipe
+        # the session (re-register / fix config instead of forcing re-login).
+        assert oauth._is_fatal_token_error(err(401, '{"error":"invalid_client"}')) is False
+        assert oauth._is_fatal_token_error(err(400, '{"error":"invalid_request"}')) is False
+        assert oauth._is_fatal_token_error(err(400, '{"error":"invalid_scope"}')) is False
+        assert oauth._is_fatal_token_error(err(401)) is False  # bare 401, no error code
+        assert oauth._is_fatal_token_error(err(0, "Connection refused")) is False  # transient network
+        assert oauth._is_fatal_token_error(err(503)) is False  # server hiccup, token may be fine
+        # Message-based detection when status is absent.
+        assert oauth._is_fatal_token_error(oauth.OAuthRefreshError("reuse detected", details={})) is True
+
+    def test_describe_token_error_extracts_server_reason(self):
+        def err(body):
+            return oauth.OAuthRefreshError("refresh failed", details={"status": 400, "body": body})
+
+        # error + error_description → "code: description".
+        assert (
+            oauth._describe_token_error(
+                err('{"error":"invalid_grant","error_description":"workspace membership lost"}')
+            )
+            == "invalid_grant: workspace membership lost"
+        )
+        # error only.
+        assert oauth._describe_token_error(err('{"error":"invalid_grant"}')) == "invalid_grant"
+        # Nothing useful (network error, empty body) → None so the caller falls
+        # back to its generic phrasing.
+        assert oauth._describe_token_error(err("")) is None
+        assert oauth._describe_token_error(err("not json")) is None
+
+    def test_take_last_fatal_refresh_reason_is_one_shot(self):
+        oauth._last_fatal.reason = "invalid_grant: resource state changed"
+        assert oauth.take_last_fatal_refresh_reason() == "invalid_grant: resource state changed"
+        # Cleared after read — a later unrelated failure can't inherit it.
+        assert oauth.take_last_fatal_refresh_reason() is None
+
+    # (d) end-to-end surface: after a reuse clears the session, building a cloud
+    # client with no other credentials raises Unauthenticated (mapped to
+    # cloud_unauthorized by the command layer) — exactly once.
+    def test_reactive_client_raises_unauthenticated_on_reuse(self, persisted, monkeypatch):
+        import comfy_cli.comfy_client as comfy_client
+
+        self._persist_expired(refresh_token="RT0")
+
+        calls = []
+
+        def boom(**kw):
+            calls.append(1)
+            raise oauth.OAuthRefreshError(
+                "refresh failed: HTTP 400",
+                details={"status": 400, "body": "refresh token reuse detected"},
+            )
+
+        monkeypatch.setattr(oauth, "refresh_tokens", boom)
+
+        target = comfy_client.Target(
+            kind="cloud",
+            base_url="https://c",
+            path_prefix="/api",
+            history_path="history_v2",
+            jobs_path="jobs",
+            auth_token="OLD",
+        )
+        client = comfy_client.Client(target)
+        with pytest.raises(comfy_client.Unauthenticated):
+            client._try_refresh_token()
+        assert calls == [1]  # one attempt, no loop
+        assert auth_store.get_cloud_session() is None  # cleared
+
+    def test_unauthenticated_message_surfaces_server_reason(self, persisted, monkeypatch):
+        """The user-facing failure carries the auth server's real
+        error_description (not the canned "reuse detected" guess), so a logout
+        caused by e.g. lost workspace membership is diagnosable."""
+        import comfy_cli.comfy_client as comfy_client
+
+        self._persist_expired(refresh_token="RT0")
+
+        def boom(**kw):
+            raise oauth.OAuthRefreshError(
+                "refresh failed: HTTP 400",
+                details={
+                    "status": 400,
+                    "body": '{"error":"invalid_grant","error_description":"workspace membership lost"}',
+                },
+            )
+
+        monkeypatch.setattr(oauth, "refresh_tokens", boom)
+
+        target = comfy_client.Target(
+            kind="cloud",
+            base_url="https://c",
+            path_prefix="/api",
+            history_path="history_v2",
+            jobs_path="jobs",
+            auth_token="OLD",
+        )
+        client = comfy_client.Client(target)
+        with pytest.raises(comfy_client.Unauthenticated, match="workspace membership lost"):
+            client._try_refresh_token()
+
+    def test_transient_network_failure_keeps_session(self, persisted, monkeypatch):
+        """A URLError (status 0) must NOT clear the family — the token is
+        probably still good; keep the stale session for the caller to retry."""
+        self._persist_expired(refresh_token="RT0")
+
+        def boom(**kw):
+            raise oauth.OAuthRefreshError("refresh failed: <urlopen error>", details={"status": 0, "body": ""})
+
+        monkeypatch.setattr(oauth, "refresh_tokens", boom)
+        result = oauth.ensure_fresh_session()
+        assert result is not None and result.refresh_token == "RT0"  # session preserved
+        assert auth_store.get_cloud_session() is not None
+
+    def test_successful_refresh_never_repersists_spent_token(self, persisted, monkeypatch):
+        """Rotating server: once a refresh SUCCEEDS the token we sent is spent.
+        If the response omits a new refresh token we must persist ``None`` — never
+        fall back to re-saving the consumed one (that would guarantee an
+        invalid_grant / forced logout on the very next use)."""
+        self._persist_expired(refresh_token="RT0")
+
+        def no_rotation(**kw):
+            # 200 OK with a fresh access token but NO new refresh token.
+            return oauth.TokenSet(
+                access_token="NEW_AT",
+                refresh_token=None,
+                token_type="Bearer",
+                expires_in=3600,
+                expires_at=int(time.time()) + 3600,
+                scope="s",
+            )
+
+        monkeypatch.setattr(oauth, "refresh_tokens", no_rotation)
+        result = oauth.ensure_fresh_session()
+        assert result is not None and result.access_token == "NEW_AT"
+        # The spent RT0 is gone — not re-persisted.
+        assert result.refresh_token is None
+        assert auth_store.get_cloud_session().refresh_token is None
+
+
+class TestAtomicPersist:
+    """save_cloud_session must write atomically (temp + rename) so a crash mid
+    write can never leave a half-written / corrupt session file."""
+
+    @pytest.fixture
+    def persisted(self, tmp_path, monkeypatch):
+        path = tmp_path / "secrets.json"
+        monkeypatch.setattr(auth_store, "secrets_path", lambda: path)
+        return path
+
+    def test_uses_temp_then_rename(self, persisted, monkeypatch):
+        seen = {}
+        real_replace = os.replace
+
+        def spy_replace(src, dst):
+            seen["src"] = str(src)
+            seen["dst"] = str(dst)
+            return real_replace(src, dst)
+
+        monkeypatch.setattr(os, "replace", spy_replace)
+        auth_store.save_cloud_session(
+            base_url="b",
+            resource="r",
+            client_id="c",
+            scope="s",
+            access_token="AT",
+            refresh_token="RT",
+            token_type="Bearer",
+            expires_at=int(time.time()) + 3600,
+        )
+        # Wrote to a distinct temp path, then renamed onto the real file.
+        assert seen["src"] != seen["dst"]
+        assert seen["src"].endswith(".tmp")
+        assert seen["dst"] == str(persisted)
+
+    def test_mid_write_failure_leaves_original_intact(self, persisted, monkeypatch):
+        # Seed a known-good session.
+        good = auth_store.save_cloud_session(
+            base_url="b",
+            resource="r",
+            client_id="c",
+            scope="s",
+            access_token="GOOD",
+            refresh_token="RTgood",
+            token_type="Bearer",
+            expires_at=int(time.time()) + 3600,
+        )
+        before = persisted.read_text(encoding="utf-8")
+
+        # Simulate a crash at the rename step of the next write.
+        def boom_replace(src, dst):
+            raise OSError("simulated crash during rename")
+
+        monkeypatch.setattr(os, "replace", boom_replace)
+        with pytest.raises(OSError):
+            auth_store.save_cloud_session(
+                base_url="b",
+                resource="r",
+                client_id="c",
+                scope="s",
+                access_token="HALF",
+                refresh_token="RThalf",
+                token_type="Bearer",
+                expires_at=int(time.time()) + 3600,
+            )
+
+        # The original file is byte-for-byte intact (no partial/corrupt write).
+        assert persisted.read_text(encoding="utf-8") == before
+        # And the half-written temp file was cleaned up.
+        leftovers = list(persisted.parent.glob("secrets.json*.tmp"))
+        assert leftovers == []
+        # The store still reads the good session.
+        reread = auth_store.get_cloud_session()
+        assert reread.access_token == good.access_token == "GOOD"
+
+
+class TestApi401DoesNotClearSession:
+    """Regression: a data/API 401 (a partner-node ``cloud_unauthorized`` blip,
+    or any normal REST endpoint 401) must NOT, by itself, wipe the login.
+
+    The reactive 401 path triggers at most ONE locked refresh-and-retry. The
+    stored session is only ever cleared when the *token endpoint itself* returns
+    a fatal ``invalid_grant`` during that refresh — never because a data request
+    came back 401 after a successful token refresh.
+    """
+
+    @pytest.fixture
+    def persisted(self, tmp_path, monkeypatch):
+        path = tmp_path / "secrets.json"
+        monkeypatch.setattr(auth_store, "secrets_path", lambda: path)
+        return path
+
+    def _persist_valid(self, *, refresh_token: str = "RT0", access: str = "AT0") -> None:
+        auth_store.save_cloud_session(
+            base_url="https://c",
+            resource="https://c/api",
+            client_id="cid",
+            scope="s",
+            access_token=access,
+            refresh_token=refresh_token,
+            token_type="Bearer",
+            expires_at=int(time.time()) + 3600,  # locally valid — force=True drives the refresh
+        )
+
+    def _cloud_target(self, token: str = "AT0"):
+        import comfy_cli.comfy_client as comfy_client
+
+        return comfy_client.Target(
+            kind="cloud",
+            base_url="https://c",
+            path_prefix="/api",
+            history_path="history_v2",
+            jobs_path="jobs",
+            auth_token=token,
+        )
+
+    # (1) Refresh SUCCEEDS, but the API request still 401s → retry happened once,
+    # the session is preserved, and the caller surfaces the unauthorized error.
+    def test_refresh_succeeds_but_api_still_401_does_not_clear(self, persisted, monkeypatch):
+        import comfy_cli.comfy_client as comfy_client
+
+        self._persist_valid(refresh_token="RT0", access="AT0")
+
+        refresh_calls: list[str] = []
+
+        def fake_refresh(**kw):
+            refresh_calls.append(kw["refresh_token"])
+            return oauth.TokenSet(
+                access_token="AT1",  # a genuinely fresh access token
+                refresh_token="RT1",
+                token_type="Bearer",
+                expires_in=3600,
+                expires_at=int(time.time()) + 3600,
+                scope="s",
+            )
+
+        monkeypatch.setattr(oauth, "refresh_tokens", fake_refresh)
+
+        clears: list[int] = []
+        monkeypatch.setattr(
+            auth_store,
+            "clear_cloud_session",
+            lambda: clears.append(1) or False,
+        )
+
+        # The server keeps returning 401 even after a clean token refresh — i.e.
+        # an API/entitlement problem, not a token problem.
+        attempts: list[str] = []
+
+        def always_401(req, timeout=None):
+            attempts.append(req.get_header("Authorization"))
+            raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {}, None)
+
+        monkeypatch.setattr(comfy_client._OPENER, "open", always_401)
+
+        client = comfy_client.Client(self._cloud_target("AT0"))
+        with pytest.raises(comfy_client.HTTPError) as exc:
+            client.get_job_status("p1")
+
+        assert exc.value.status == 401  # surfaced as-is to the caller
+        assert refresh_calls == ["RT0"]  # exactly one refresh, with the stored token
+        # The retry carried the rotated access token, proving refresh installed it.
+        assert attempts == ["Bearer AT0", "Bearer AT1"]
+        assert clears == []  # session NEVER cleared on an API-only 401
+        assert auth_store.get_cloud_session() is not None  # still signed in
+        assert auth_store.get_cloud_session().refresh_token == "RT1"
+
+    # (2) Refresh itself returns invalid_grant / reuse → token-endpoint failure
+    # IS fatal: the session is cleared exactly once, with no retry loop.
+    def test_token_endpoint_invalid_grant_clears_once(self, persisted, monkeypatch):
+        import comfy_cli.comfy_client as comfy_client
+
+        self._persist_valid(refresh_token="RT0", access="AT0")
+
+        refresh_calls: list[int] = []
+
+        def boom(**kw):
+            refresh_calls.append(1)
+            raise oauth.OAuthRefreshError(
+                "refresh failed: HTTP 400",
+                details={
+                    "status": 400,
+                    "body": '{"error":"invalid_grant","error_description":"refresh token reuse detected"}',
+                },
+            )
+
+        monkeypatch.setattr(oauth, "refresh_tokens", boom)
+
+        real_clear = auth_store.clear_cloud_session
+        clears: list[int] = []
+
+        def counting_clear():
+            clears.append(1)
+            return real_clear()
+
+        monkeypatch.setattr(auth_store, "clear_cloud_session", counting_clear)
+
+        def first_401(req, timeout=None):
+            raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {}, None)
+
+        monkeypatch.setattr(comfy_client._OPENER, "open", first_401)
+
+        client = comfy_client.Client(self._cloud_target("AT0"))
+        with pytest.raises(comfy_client.Unauthenticated):
+            client.get_job_status("p1")
+
+        assert refresh_calls == [1]  # exactly one refresh attempt, no loop
+        assert clears == [1]  # cleared exactly once
+        assert auth_store.get_cloud_session() is None  # family is dead → wiped
+
+
+class TestWatcherContextRefresh:
+    """Background watcher (``clear_session_on_auth_failure=False``): a fatal
+    refresh failure must NEVER clear the shared session. The foreground command
+    owns the session lifecycle; a detached poller hitting a transient/spurious
+    invalid_grant must not log the user off mid-run."""
+
+    @pytest.fixture
+    def persisted(self, tmp_path, monkeypatch):
+        path = tmp_path / "secrets.json"
+        monkeypatch.setattr(auth_store, "secrets_path", lambda: path)
+        return path
+
+    def _persist_valid(self) -> None:
+        auth_store.save_cloud_session(
+            base_url="https://c",
+            resource="https://c/api",
+            client_id="cid",
+            scope="s",
+            access_token="AT0",
+            refresh_token="RT0",
+            token_type="Bearer",
+            expires_at=int(time.time()) + 3600,
+        )
+
+    # (3) allow_clear=False at the oauth layer: invalid_grant returns None but
+    # leaves the stored session intact.
+    def test_ensure_fresh_session_allow_clear_false_keeps_session(self, persisted, monkeypatch):
+        self._persist_valid()
+
+        def boom(**kw):
+            raise oauth.OAuthRefreshError(
+                "refresh failed: HTTP 400",
+                details={"status": 400, "body": "invalid_grant: refresh token reuse detected"},
+            )
+
+        monkeypatch.setattr(oauth, "refresh_tokens", boom)
+
+        result = oauth.ensure_fresh_session(force=True, allow_clear=False)
+        assert result is None  # could not produce a usable token
+        # ...but the shared session is preserved for the foreground command.
+        assert auth_store.get_cloud_session() is not None
+        assert auth_store.get_cloud_session().refresh_token == "RT0"
+
+    # (3) end-to-end: a watcher-context Client surfaces Unauthenticated on a
+    # fatal refresh but does NOT clear the session.
+    def test_watcher_client_does_not_clear_on_fatal_refresh(self, persisted, monkeypatch):
+        import comfy_cli.comfy_client as comfy_client
+
+        self._persist_valid()
+
+        def boom(**kw):
+            raise oauth.OAuthRefreshError(
+                "refresh failed: HTTP 400",
+                details={"status": 400, "body": "refresh token reuse detected"},
+            )
+
+        monkeypatch.setattr(oauth, "refresh_tokens", boom)
+
+        def first_401(req, timeout=None):
+            raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {}, None)
+
+        monkeypatch.setattr(comfy_client._OPENER, "open", first_401)
+
+        target = comfy_client.Target(
+            kind="cloud",
+            base_url="https://c",
+            path_prefix="/api",
+            history_path="history_v2",
+            jobs_path="jobs",
+            auth_token="AT0",
+        )
+        client = comfy_client.Client(target, clear_session_on_auth_failure=False)
+        with pytest.raises(comfy_client.Unauthenticated):
+            client.get_job_status("p1")
+
+        # The detached watcher never wiped the shared login.
+        assert auth_store.get_cloud_session() is not None
+        assert auth_store.get_cloud_session().refresh_token == "RT0"
+
+
+class TestLockFileStability:
+    """DEFECT B root cause: the refresh lock must be a stable sidecar file, NOT
+    the data file. ``save_cloud_session`` persists via ``os.replace`` (new
+    inode each write); locking the data file directly breaks ``flock`` mutual
+    exclusion exactly during a refresh, letting two processes replay the same
+    rotated token and trip reuse-detection."""
+
+    def test_lock_path_is_sidecar_not_data_file(self, tmp_path, monkeypatch):
+        path = tmp_path / "secrets.json"
+        monkeypatch.setattr(auth_store, "secrets_path", lambda: path)
+        assert auth_store.lock_path() == tmp_path / "secrets.json.lock"
+        assert auth_store.lock_path() != auth_store.secrets_path()
+
+    def test_lock_inode_survives_atomic_replace(self, tmp_path, monkeypatch):
+        """The lock file's identity (inode) is stable across many session
+        persists, so every process serializes on the same lock."""
+        path = tmp_path / "secrets.json"
+        monkeypatch.setattr(auth_store, "secrets_path", lambda: path)
+
+        def _save(rt: str) -> None:
+            auth_store.save_cloud_session(
+                base_url="https://c",
+                resource="https://c/api",
+                client_id="cid",
+                scope="s",
+                access_token="AT",
+                refresh_token=rt,
+                token_type="Bearer",
+                expires_at=int(time.time()) + 3600,
+            )
+
+        _save("RT0")
+        lock_file = auth_store.lock_path()
+        inode_before = lock_file.stat().st_ino
+        # Many atomic replaces of the *data* file...
+        for i in range(5):
+            _save(f"RT{i + 1}")
+        # ...leave the lock file's inode unchanged (data file inode does change).
+        assert lock_file.stat().st_ino == inode_before
diff --git a/tests/comfy_cli/auth/test_store.py b/tests/comfy_cli/auth/test_store.py
new file mode 100644
index 00000000..acacb801
--- /dev/null
+++ b/tests/comfy_cli/auth/test_store.py
@@ -0,0 +1,129 @@
+"""Phase 4: local secret store behavior."""
+
+from __future__ import annotations
+
+import json
+import os
+import stat
+import sys
+
+import pytest
+
+from comfy_cli.auth import store as auth_store
+
+
+@pytest.fixture
+def isolated_secrets(tmp_path, monkeypatch):
+    """Point the store at a tmp directory so we don't touch the real user config."""
+    monkeypatch.setattr(auth_store, "secrets_path", lambda: tmp_path / "secrets.json")
+    yield tmp_path / "secrets.json"
+
+
+def test_list_is_empty_when_no_store(isolated_secrets):
+    assert auth_store.list_records() == []
+
+
+def test_set_creates_file_and_returns_record(isolated_secrets):
+    rec = auth_store.set("comfy-cloud", "sk-test-1234567890")
+    assert rec.provider == "comfy-cloud"
+    assert rec.key == "sk-test-1234567890"
+    assert isolated_secrets.exists()
+    data = json.loads(isolated_secrets.read_text())
+    assert data["providers"]["comfy-cloud"]["key"] == "sk-test-1234567890"
+
+
+def test_set_redacts_in_to_dict(isolated_secrets):
+    rec = auth_store.set("civitai", "abcdefgh12345678extra")
+    redacted = rec.to_dict()
+    assert redacted["key"] == "abcd…xtra"
+    assert redacted["key_redacted"] is True
+
+
+def test_set_redacts_short_keys(isolated_secrets):
+    rec = auth_store.set("foo", "short")
+    assert rec.to_dict()["key"] == "***"
+
+
+def test_set_overwrites_existing(isolated_secrets):
+    auth_store.set("civitai", "first")
+    auth_store.set("civitai", "second")
+    assert auth_store.get("civitai").key == "second"
+
+
+def test_get_returns_none_when_absent(isolated_secrets):
+    assert auth_store.get("nope") is None
+
+
+def test_remove_returns_true_only_when_existed(isolated_secrets):
+    auth_store.set("civitai", "k")
+    assert auth_store.remove("civitai") is True
+    assert auth_store.remove("civitai") is False
+
+
+def test_list_is_sorted(isolated_secrets):
+    auth_store.set("zeta", "longerthan8chars")
+    auth_store.set("alpha", "alsolonger12345")
+    names = [r.provider for r in auth_store.list_records()]
+    assert names == ["alpha", "zeta"]
+
+
+@pytest.mark.skipif(sys.platform == "win32", reason="POSIX permissions only")
+def test_secrets_file_is_owner_only(isolated_secrets):
+    auth_store.set("comfy-cloud", "this-is-a-long-key")
+    mode = stat.S_IMODE(os.stat(isolated_secrets).st_mode)
+    assert mode == 0o600
+
+
+@pytest.mark.skipif(sys.platform == "win32", reason="POSIX permissions only")
+def test_secrets_file_mode_under_permissive_umask(isolated_secrets):
+    """Mode must be 0o600 from inception, even if the umask is 0o000.
+
+    Regression for the TOCTOU window where a stat-after-write could observe a
+    world-readable file before the chmod fired.
+    """
+    old_umask = os.umask(0o000)
+    try:
+        auth_store.set("civitai", "another-long-key-123")
+    finally:
+        os.umask(old_umask)
+    mode = stat.S_IMODE(os.stat(isolated_secrets).st_mode)
+    assert mode == 0o600
+
+
+@pytest.mark.skipif(sys.platform == "win32", reason="POSIX permissions only")
+def test_secrets_parent_dir_is_owner_only(isolated_secrets):
+    auth_store.set("civitai", "another-long-key-123")
+    parent_mode = stat.S_IMODE(os.stat(isolated_secrets.parent).st_mode)
+    assert parent_mode == 0o700
+
+
+def test_concurrent_tmp_filenames_do_not_collide(isolated_secrets, monkeypatch):
+    """Two writers landing in the same nanosecond must not corrupt each other.
+
+    Simulated by stubbing os.replace to capture the tmp path each call uses.
+    """
+    seen_tmps = []
+    real_replace = os.replace
+
+    def spy_replace(src, dst):
+        seen_tmps.append(src)
+        return real_replace(src, dst)
+
+    monkeypatch.setattr(auth_store.os, "replace", spy_replace)
+    auth_store.set("alpha", "alpha-long-key-aa")
+    auth_store.set("beta", "beta-long-key-bb")
+    assert len(set(seen_tmps)) == 2  # distinct tmp paths per write
+
+
+def test_corrupt_store_does_not_explode(isolated_secrets):
+    isolated_secrets.parent.mkdir(parents=True, exist_ok=True)
+    isolated_secrets.write_text("{ not json")
+    # Treated as empty until something is written.
+    assert auth_store.list_records() == []
+    auth_store.set("civitai", "abcdefgh")
+    assert auth_store.get("civitai").key == "abcdefgh"
+
+
+def test_empty_key_is_rejected(isolated_secrets):
+    with pytest.raises(ValueError):
+        auth_store.set("civitai", "")
diff --git a/tests/comfy_cli/auth/test_where.py b/tests/comfy_cli/auth/test_where.py
new file mode 100644
index 00000000..863a9409
--- /dev/null
+++ b/tests/comfy_cli/auth/test_where.py
@@ -0,0 +1,189 @@
+"""Phase 4: --where resolution and the local-only cloud preflight."""
+
+from __future__ import annotations
+
+import pytest
+
+from comfy_cli import where as where_module
+from comfy_cli.auth import store as auth_store
+
+
+@pytest.fixture
+def isolated_secrets(tmp_path, monkeypatch):
+    monkeypatch.setattr(auth_store, "secrets_path", lambda: tmp_path / "secrets.json")
+    yield tmp_path / "secrets.json"
+
+
+def test_resolve_flag_wins():
+    r = where_module.resolve(flag="cloud", env={"COMFY_WHERE": "local"}, config_value="local")
+    assert r.target is where_module.WhereTarget.CLOUD
+    assert r.source == "flag"
+
+
+def test_resolve_env_wins_over_config():
+    r = where_module.resolve(flag=None, env={"COMFY_WHERE": "cloud"}, config_value="local")
+    assert r.target is where_module.WhereTarget.CLOUD
+    assert r.source == "env"
+
+
+def test_resolve_config_used_when_no_flag_or_env():
+    r = where_module.resolve(flag=None, env={}, config_value="cloud")
+    assert r.target is where_module.WhereTarget.CLOUD
+    assert r.source == "config"
+
+
+def test_resolve_defaults_to_local():
+    r = where_module.resolve(flag=None, env={}, config_value=None)
+    assert r.target is where_module.WhereTarget.LOCAL
+    assert r.source == "default"
+
+
+def test_resolve_invalid_raises():
+    with pytest.raises(ValueError) as exc_info:
+        where_module.resolve(flag="hybrid")
+    assert "hybrid" in str(exc_info.value)
+
+
+# ---------------------------------------------------------------------------
+# project/1 precedence: flag → env → project → config → auto
+# ---------------------------------------------------------------------------
+
+
+def test_resolve_flag_beats_project():
+    r = where_module.resolve(flag="local", env={}, project_value="cloud")
+    assert r.target is where_module.WhereTarget.LOCAL
+    assert r.source == "flag"
+
+
+def test_resolve_env_beats_project():
+    r = where_module.resolve(flag=None, env={"COMFY_WHERE": "local"}, project_value="cloud")
+    assert r.target is where_module.WhereTarget.LOCAL
+    assert r.source == "env"
+
+
+def test_resolve_project_beats_config():
+    r = where_module.resolve(flag=None, env={}, project_value="cloud", config_value="local")
+    assert r.target is where_module.WhereTarget.CLOUD
+    assert r.source == "project"
+
+
+def test_resolve_explicit_none_project_value_disables_lookup(monkeypatch):
+    """``project_value=None`` opts out entirely — no filesystem discovery."""
+    import comfy_cli.project as project_mod
+
+    def _boom(*a, **kw):  # pragma: no cover — must not be called
+        raise AssertionError("find_project must not be called when project_value=None")
+
+    monkeypatch.setattr(project_mod, "find_project", _boom)
+    r = where_module.resolve(flag=None, env={}, project_value=None, config_value="cloud")
+    assert r.target is where_module.WhereTarget.CLOUD
+    assert r.source == "config"
+
+
+def test_resolve_default_sentinel_discovers_project(tmp_path, monkeypatch):
+    """Left unset, resolve() looks up the governing project's defaults.where —
+    the ~10 existing call sites get project routing without changes."""
+    proj = tmp_path / "proj"
+    proj.mkdir()
+    (proj / "comfy.yaml").write_text("schema: project/1\ndefaults:\n  where: cloud\n")
+    monkeypatch.chdir(proj)
+
+    r = where_module.resolve(flag=None, env={}, config_value="local")
+    assert r.target is where_module.WhereTarget.CLOUD
+    assert r.source == "project"
+
+
+def test_resolve_no_project_falls_through_to_config(tmp_path, monkeypatch):
+    monkeypatch.chdir(tmp_path)  # no comfy.yaml anywhere up a tmp tree
+    r = where_module.resolve(flag=None, env={}, config_value="cloud")
+    assert r.target is where_module.WhereTarget.CLOUD
+    assert r.source == "config"
+
+
+def test_resolve_project_without_where_default_falls_through(tmp_path, monkeypatch):
+    proj = tmp_path / "proj"
+    proj.mkdir()
+    (proj / "comfy.yaml").write_text("schema: project/1\n")
+    monkeypatch.chdir(proj)
+    r = where_module.resolve(flag=None, env={}, config_value="cloud")
+    assert r.target is where_module.WhereTarget.CLOUD
+    assert r.source == "config"
+
+
+def test_cloud_preflight_without_session_returns_not_configured(isolated_secrets):
+    err = where_module.cloud_preflight()
+    assert err is not None
+    assert err.code == "cloud_not_configured"
+    assert "comfy cloud login" in err.hint
+
+
+def test_cloud_preflight_with_valid_session_allows_proceeding(isolated_secrets):
+    """A live session is enough to clear preflight — the cloud client takes over."""
+    auth_store.save_cloud_session(
+        base_url="https://testcloud.comfy.org",
+        resource="https://testcloud.comfy.org/mcp",
+        client_id="mcp-dyn-test-id",
+        scope="mcp:tools:read mcp:tools:call",
+        access_token="fake-access-token",
+        refresh_token="fake-refresh-token",
+        token_type="Bearer",
+        expires_at=9999999999,
+    )
+    assert where_module.cloud_preflight() is None
+
+
+def test_cloud_preflight_with_expired_unrefreshable_session_returns_unauthorized(isolated_secrets, monkeypatch):
+    # Expired session whose refresh fails (dead refresh token) → unauthorized.
+    from comfy_cli.cloud import oauth
+
+    def _refresh_fails(**kw):
+        raise oauth.OAuthRefreshError("dead", hint="re-login", details={})
+
+    monkeypatch.setattr(oauth, "refresh_tokens", _refresh_fails)
+    auth_store.save_cloud_session(
+        base_url="https://testcloud.comfy.org",
+        resource="https://testcloud.comfy.org/mcp",
+        client_id="mcp-dyn-test-id",
+        scope="mcp:tools:read mcp:tools:call",
+        access_token="fake-access-token",
+        refresh_token="fake-refresh-token",
+        token_type="Bearer",
+        expires_at=1,  # epoch second 1 → long expired
+    )
+    err = where_module.cloud_preflight()
+    assert err is not None
+    assert err.code == "cloud_unauthorized"
+    assert "comfy cloud login" in err.hint
+
+
+def test_cloud_preflight_refreshes_expired_session(isolated_secrets, monkeypatch):
+    # Expired session + working refresh token → preflight refreshes and passes.
+    import time
+
+    from comfy_cli.cloud import oauth
+
+    monkeypatch.setattr(
+        oauth,
+        "refresh_tokens",
+        lambda **kw: oauth.TokenSet(
+            access_token="fresh-access-token",
+            refresh_token="fresh-refresh-token",
+            token_type="Bearer",
+            expires_in=3600,
+            expires_at=int(time.time()) + 3600,
+            scope="s",
+        ),
+    )
+    auth_store.save_cloud_session(
+        base_url="https://testcloud.comfy.org",
+        resource="https://testcloud.comfy.org/mcp",
+        client_id="mcp-dyn-test-id",
+        scope="mcp:tools:read mcp:tools:call",
+        access_token="stale-access-token",
+        refresh_token="good-refresh-token",
+        token_type="Bearer",
+        expires_at=1,  # expired
+    )
+    assert where_module.cloud_preflight() is None
+    # The refreshed token was persisted, so subsequent commands use it.
+    assert auth_store.get_cloud_session().access_token == "fresh-access-token"
diff --git a/tests/comfy_cli/cloud/__init__.py b/tests/comfy_cli/cloud/__init__.py
new file mode 100644
index 00000000..e69de29b
diff --git a/tests/comfy_cli/cloud/test_client.py b/tests/comfy_cli/cloud/test_client.py
new file mode 100644
index 00000000..e92b0ffb
--- /dev/null
+++ b/tests/comfy_cli/cloud/test_client.py
@@ -0,0 +1,782 @@
+"""Tests for the unified HTTP Client + Target abstraction.
+
+Both local and cloud paths flow through the same ``Client``; the differences
+are encoded as ``Target`` fields. These tests pin the contract.
+"""
+
+from __future__ import annotations
+
+import io
+import json
+import urllib.error
+from unittest.mock import patch
+
+import pytest
+
+from comfy_cli import comfy_client
+from comfy_cli.target import Target
+
+
+def _mock_response(payload):
+    class _Resp:
+        def __init__(self, body):
+            self.body = body if isinstance(body, bytes) else json.dumps(body).encode()
+
+        def read(self):
+            return self.body
+
+        def __enter__(self):
+            return self
+
+        def __exit__(self, *args):
+            return False
+
+    return _Resp(payload)
+
+
+def _http_error(status: int, body: bytes = b""):
+    return urllib.error.HTTPError(
+        url="https://cloud/x",
+        code=status,
+        msg=f"HTTP {status}",
+        hdrs=None,
+        fp=io.BytesIO(body),
+    )
+
+
+CLOUD = Target(
+    kind="cloud",
+    base_url="https://cloud.example.com",
+    path_prefix="/api",
+    history_path="history_v2",
+    jobs_path="jobs",
+    auth_token="tok-abc",
+)
+
+LOCAL = Target(
+    kind="local",
+    base_url="http://127.0.0.1:8188",
+    path_prefix="",
+    history_path="history",
+    jobs_path=None,
+    auth_token=None,
+    host="127.0.0.1",
+    port=8188,
+)
+
+
+class TestTargetURLs:
+    def test_cloud_paths_get_api_prefix(self):
+        assert CLOUD.url("prompt") == "https://cloud.example.com/api/prompt"
+        assert CLOUD.url("history_v2", "abc") == "https://cloud.example.com/api/history_v2/abc"
+
+    def test_local_paths_have_no_prefix(self):
+        assert LOCAL.url("prompt") == "http://127.0.0.1:8188/prompt"
+        assert LOCAL.url("history", "abc") == "http://127.0.0.1:8188/history/abc"
+
+
+class TestSubmitPrompt:
+    def test_posts_with_bearer_to_prefixed_url(self):
+        with patch.object(
+            comfy_client._OPENER,
+            "open",
+            return_value=_mock_response({"prompt_id": "pid-1", "number": 7, "node_errors": {}}),
+        ) as urlopen:
+            client = comfy_client.Client(CLOUD)
+            result = client.submit_prompt({"1": {"class_type": "X", "inputs": {}}}, "cid")
+        assert result.prompt_id == "pid-1"
+        assert result.number == 7
+        req = urlopen.call_args.args[0]
+        assert req.full_url == "https://cloud.example.com/api/prompt"
+        assert req.headers["Authorization"] == "Bearer tok-abc"
+        body = json.loads(req.data)
+        assert body == {
+            "prompt": {"1": {"class_type": "X", "inputs": {}}},
+            "client_id": "cid",
+            "extra_data": {"auth_token_comfy_org": "tok-abc", "comfy_usage_source": "comfy-cli"},
+        }
+        # Usage-source attribution header on every request (#468).
+        assert req.headers["Comfy-usage-source"] == "comfy-cli"
+
+    def test_local_target_has_no_auth_header(self):
+        with patch.object(
+            comfy_client._OPENER,
+            "open",
+            return_value=_mock_response({"prompt_id": "pid-2", "number": 1, "node_errors": {}}),
+        ) as urlopen:
+            client = comfy_client.Client(LOCAL)
+            client.submit_prompt({"1": {"class_type": "X", "inputs": {}}}, "cid")
+        req = urlopen.call_args.args[0]
+        assert req.full_url == "http://127.0.0.1:8188/prompt"
+        assert "Authorization" not in req.headers
+        body = json.loads(req.data)
+        # Local submissions get no body-level token injection — only the
+        # usage-source attribution rides extra_data (#468).
+        assert body.keys() == {"prompt", "client_id", "extra_data"}
+        assert body["extra_data"] == {"comfy_usage_source": "comfy-cli"}
+
+    def test_cloud_caller_extra_data_is_merged_not_overwritten(self):
+        with patch.object(
+            comfy_client._OPENER,
+            "open",
+            return_value=_mock_response({"prompt_id": "pid", "number": 1, "node_errors": {}}),
+        ) as urlopen:
+            client = comfy_client.Client(CLOUD)
+            client.submit_prompt(
+                {"1": {"class_type": "X", "inputs": {}}},
+                "cid",
+                extra_data={"pnginfo": {"workflow": "..."}},
+            )
+        body = json.loads(urlopen.call_args.args[0].data)
+        # Caller-supplied keys preserved; cloud auth token added alongside.
+        assert body["extra_data"]["pnginfo"] == {"workflow": "..."}
+        assert body["extra_data"]["auth_token_comfy_org"] == "tok-abc"
+
+    def test_cloud_caller_auth_token_is_not_clobbered(self):
+        with patch.object(
+            comfy_client._OPENER,
+            "open",
+            return_value=_mock_response({"prompt_id": "pid", "number": 1, "node_errors": {}}),
+        ) as urlopen:
+            client = comfy_client.Client(CLOUD)
+            client.submit_prompt(
+                {"1": {"class_type": "X", "inputs": {}}},
+                "cid",
+                extra_data={"auth_token_comfy_org": "caller-token"},
+            )
+        body = json.loads(urlopen.call_args.args[0].data)
+        # setdefault — caller wins.
+        assert body["extra_data"]["auth_token_comfy_org"] == "caller-token"
+
+    def test_oauth_refresh_rebuilds_partner_auth_extra_data(self):
+        cloud = Target(
+            kind="cloud",
+            base_url="https://cloud.example.com",
+            path_prefix="/api",
+            history_path="history_v2",
+            jobs_path="jobs",
+            auth_token="expired-token",
+        )
+        client = comfy_client.Client(cloud)
+
+        def refresh():
+            object.__setattr__(cloud, "auth_token", "fresh-token")
+            return True
+
+        seq = [_http_error(401), _mock_response({"prompt_id": "pid", "number": 1, "node_errors": {}})]
+        with patch.object(client, "_try_refresh_token", side_effect=refresh):
+            with patch.object(comfy_client._OPENER, "open", side_effect=seq) as urlopen:
+                client.submit_prompt({"1": {"class_type": "X", "inputs": {}}}, "cid")
+
+        first_req = urlopen.call_args_list[0].args[0]
+        retry_req = urlopen.call_args_list[1].args[0]
+        assert first_req.headers["Authorization"] == "Bearer expired-token"
+        assert json.loads(first_req.data)["extra_data"]["auth_token_comfy_org"] == "expired-token"
+        assert retry_req.headers["Authorization"] == "Bearer fresh-token"
+        assert json.loads(retry_req.data)["extra_data"]["auth_token_comfy_org"] == "fresh-token"
+
+    def test_cloud_with_api_key_sends_x_api_key_header(self):
+        cloud_apikey = Target(
+            kind="cloud",
+            base_url="https://cloud.example.com",
+            path_prefix="/api",
+            history_path="history_v2",
+            jobs_path="jobs",
+            api_key="sk-test-1234",
+        )
+        with patch.object(
+            comfy_client._OPENER,
+            "open",
+            return_value=_mock_response({"prompt_id": "pid", "number": 1, "node_errors": {}}),
+        ) as urlopen:
+            client = comfy_client.Client(cloud_apikey)
+            client.submit_prompt({"1": {"class_type": "X", "inputs": {}}}, "cid")
+        req = urlopen.call_args.args[0]
+        # X-API-Key header is set; Authorization Bearer is NOT.
+        assert req.headers["X-api-key"] == "sk-test-1234"
+        assert "Authorization" not in req.headers
+        # Partner-API extra_data uses api_key_comfy_org for the key path.
+        body = json.loads(req.data)
+        assert body["extra_data"] == {"api_key_comfy_org": "sk-test-1234", "comfy_usage_source": "comfy-cli"}
+
+    def test_cloud_oauth_wins_over_api_key_when_both_set(self):
+        """OAuth-first: if both are configured, the Bearer token wins."""
+        cloud_both = Target(
+            kind="cloud",
+            base_url="https://cloud.example.com",
+            path_prefix="/api",
+            history_path="history_v2",
+            jobs_path="jobs",
+            auth_token="bearer-token",
+            api_key="api-key-1234",
+        )
+        with patch.object(
+            comfy_client._OPENER,
+            "open",
+            return_value=_mock_response({"prompt_id": "pid", "number": 1, "node_errors": {}}),
+        ) as urlopen:
+            client = comfy_client.Client(cloud_both)
+            client.submit_prompt({"1": {"class_type": "X", "inputs": {}}}, "cid")
+        req = urlopen.call_args.args[0]
+        assert req.headers["Authorization"] == "Bearer bearer-token"
+        assert "X-api-key" not in req.headers
+        body = json.loads(req.data)
+        assert "auth_token_comfy_org" in body["extra_data"]
+        assert "api_key_comfy_org" not in body["extra_data"]
+
+    def test_raises_http_error_on_4xx(self):
+        with patch.object(comfy_client._OPENER, "open", side_effect=_http_error(400, b"bad workflow")):
+            with pytest.raises(comfy_client.HTTPError) as exc:
+                comfy_client.Client(CLOUD).submit_prompt({}, "cid")
+        assert exc.value.status == 400
+        assert "bad workflow" in exc.value.body
+
+    def test_raises_on_missing_prompt_id_in_response(self):
+        with patch.object(comfy_client._OPENER, "open", return_value=_mock_response({"number": 1})):
+            with pytest.raises(comfy_client.HTTPError):
+                comfy_client.Client(CLOUD).submit_prompt({}, "cid")
+
+
+class TestUnauthenticated:
+    def test_cloud_without_token_raises_at_construction(self):
+        cloud_no_token = Target(
+            kind="cloud",
+            base_url="https://cloud.example.com",
+            path_prefix="/api",
+            history_path="history_v2",
+            jobs_path="jobs",
+            auth_token=None,
+        )
+        with pytest.raises(comfy_client.Unauthenticated):
+            comfy_client.Client(cloud_no_token)
+
+
+class TestGetHistory:
+    def test_cloud_uses_history_v2_path(self):
+        with patch.object(
+            comfy_client._OPENER,
+            "open",
+            return_value=_mock_response({"pid-1": {"outputs": {"3": {"images": []}}, "status": {"completed": True}}}),
+        ) as urlopen:
+            rec = comfy_client.Client(CLOUD).get_history("pid-1")
+        req = urlopen.call_args.args[0]
+        assert req.full_url == "https://cloud.example.com/api/history_v2/pid-1"
+        assert rec["status"]["completed"] is True
+
+    def test_local_uses_history_path(self):
+        with patch.object(
+            comfy_client._OPENER,
+            "open",
+            return_value=_mock_response({"pid-1": {"outputs": {}, "status": {"completed": True}}}),
+        ) as urlopen:
+            comfy_client.Client(LOCAL).get_history("pid-1")
+        req = urlopen.call_args.args[0]
+        assert req.full_url == "http://127.0.0.1:8188/history/pid-1"
+
+    def test_404_treated_as_transient_returns_none(self):
+        with patch.object(comfy_client._OPENER, "open", side_effect=_http_error(404, b"not yet")):
+            assert comfy_client.Client(CLOUD).get_history("pid") is None
+
+    def test_returns_inner_when_flat(self):
+        flat = {"outputs": {"3": {"images": []}}, "status": {"completed": False}}
+        with patch.object(comfy_client._OPENER, "open", return_value=_mock_response(flat)):
+            rec = comfy_client.Client(CLOUD).get_history("pid-1")
+        assert rec["status"]["completed"] is False
+
+    def test_returns_none_for_unrecognized_shape(self):
+        with patch.object(comfy_client._OPENER, "open", return_value=_mock_response({"unrelated": 1})):
+            assert comfy_client.Client(CLOUD).get_history("pid-1") is None
+
+
+class TestListJobs:
+    def test_cloud_hits_jobs_endpoint_with_limit(self):
+        with patch.object(
+            comfy_client._OPENER, "open", return_value=_mock_response({"jobs": [{"id": "a"}, {"id": "b"}]})
+        ) as urlopen:
+            jobs = comfy_client.Client(CLOUD).list_jobs(limit=5)
+        req = urlopen.call_args.args[0]
+        assert req.full_url == "https://cloud.example.com/api/jobs?limit=5"
+        assert [j["id"] for j in jobs] == ["a", "b"]
+
+    def test_local_raises_not_implemented(self):
+        with pytest.raises(NotImplementedError):
+            comfy_client.Client(LOCAL).list_jobs()
+
+
+class TestGetJobStatus:
+    def test_cloud_uses_job_status_endpoint(self):
+        with patch.object(comfy_client._OPENER, "open", return_value=_mock_response({"status": "success"})) as urlopen:
+            comfy_client.Client(CLOUD).get_job_status("pid-1")
+        req = urlopen.call_args.args[0]
+        assert req.full_url == "https://cloud.example.com/api/job/pid-1/status"
+
+    def test_404_returns_none(self):
+        with patch.object(comfy_client._OPENER, "open", side_effect=_http_error(404)):
+            assert comfy_client.Client(CLOUD).get_job_status("pid") is None
+
+
+class TestWaitForCompletion:
+    def test_returns_record_when_status_completed_true(self):
+        record = {"status": {"completed": True}, "outputs": {}}
+        with patch.object(comfy_client.Client, "get_history", return_value=record):
+            assert comfy_client.Client(CLOUD).wait_for_completion("pid", poll_interval=0) == record
+
+    def test_treats_outputs_present_as_done(self):
+        record = {"outputs": {"3": {"images": [{"filename": "out.png"}]}}}
+        with patch.object(comfy_client.Client, "get_history", return_value=record):
+            assert comfy_client.Client(CLOUD).wait_for_completion("pid", poll_interval=0) == record
+
+    def test_raises_timeout(self):
+        with patch.object(comfy_client.Client, "get_history", return_value=None):
+            with pytest.raises(TimeoutError):
+                comfy_client.Client(CLOUD).wait_for_completion("pid", poll_interval=0.01, timeout=0.05)
+
+
+class TestTransientRetry:
+    """A 429 / transient 5xx during polling must back off and retry, not abort
+    the request — this is the bug that killed `comfy run --wait` mid-job."""
+
+    def test_get_retries_on_429_then_succeeds(self):
+        seq = [_http_error(429), _mock_response({"status": "success"})]
+        with patch("comfy_cli.comfy_client.time.sleep"):
+            with patch.object(comfy_client._OPENER, "open", side_effect=seq) as urlopen:
+                result = comfy_client.Client(CLOUD).get_job_status("pid")
+        assert result == {"status": "success"}
+        assert urlopen.call_count == 2
+
+    def test_persistent_429_eventually_raises(self):
+        with patch("comfy_cli.comfy_client.time.sleep"):
+            with patch.object(comfy_client._OPENER, "open", side_effect=_http_error(429)) as urlopen:
+                with pytest.raises(comfy_client.HTTPError) as exc:
+                    comfy_client.Client(CLOUD).get_job_status("pid")
+        assert exc.value.status == 429
+        assert urlopen.call_count == comfy_client._MAX_TRANSIENT_RETRIES + 1
+
+    def test_submit_retries_on_429(self):
+        # 429 means the request was rejected (not processed), so retrying a POST is safe.
+        seq = [_http_error(429), _mock_response({"prompt_id": "pid-1", "node_errors": {}})]
+        with patch("comfy_cli.comfy_client.time.sleep"):
+            with patch.object(comfy_client._OPENER, "open", side_effect=seq) as urlopen:
+                res = comfy_client.Client(CLOUD).submit_prompt({"1": {}}, "cid")
+        assert res.prompt_id == "pid-1"
+        assert urlopen.call_count == 2
+
+    def test_5xx_retried_on_get(self):
+        seq = [_http_error(503), _mock_response({"status": "success"})]
+        with patch("comfy_cli.comfy_client.time.sleep"):
+            with patch.object(comfy_client._OPENER, "open", side_effect=seq) as urlopen:
+                assert comfy_client.Client(CLOUD).get_job_status("pid") == {"status": "success"}
+        assert urlopen.call_count == 2
+
+    def test_5xx_not_retried_on_post(self):
+        # A 5xx on submit could have partially applied — must NOT auto-retry (double-execute risk).
+        with patch("comfy_cli.comfy_client.time.sleep"):
+            with patch.object(comfy_client._OPENER, "open", side_effect=_http_error(503)) as urlopen:
+                with pytest.raises(comfy_client.HTTPError):
+                    comfy_client.Client(CLOUD).submit_prompt({"1": {}}, "cid")
+        assert urlopen.call_count == 1
+
+    def test_honors_retry_after_header(self):
+        from http.client import HTTPMessage
+
+        hdrs = HTTPMessage()
+        hdrs["Retry-After"] = "3"
+        err = urllib.error.HTTPError(url="https://cloud/x", code=429, msg="429", hdrs=hdrs, fp=io.BytesIO(b""))
+        seq = [err, _mock_response({"status": "success"})]
+        with patch("comfy_cli.comfy_client.time.sleep") as sleep:
+            with patch.object(comfy_client._OPENER, "open", side_effect=seq):
+                comfy_client.Client(CLOUD).get_job_status("pid")
+        assert sleep.call_args.args[0] == 3.0
+
+    def test_wait_for_completion_survives_transient_429(self):
+        done = {"status": {"completed": True}, "outputs": {}}
+        seq = [_http_error(429), _mock_response(done)]
+        with patch("comfy_cli.comfy_client.time.sleep"):
+            with patch.object(comfy_client._OPENER, "open", side_effect=seq):
+                assert comfy_client.Client(CLOUD).wait_for_completion("pid", poll_interval=0) == done
+
+
+class TestPollLevelBackoff:
+    """In-request retries cover quick blips, but once a poll's request budget
+    is spent — or on a plain 500, which the in-request layer never retries —
+    the whole `run --wait` used to abort for a job that was still fine
+    (fennec friction #2). wait_for_completion owns a poll-level budget:
+    exponential backoff (base 2s, cap 60s, jitter, Retry-After honored) and
+    only ~5 CONSECUTIVE poll failures surface the existing HTTPError path."""
+
+    DONE = {"status": {"completed": True}, "outputs": {}}
+
+    @staticmethod
+    def _history_side_effect(events):
+        """Each event is an Exception (raised) or a record (returned)."""
+        it = iter(events)
+
+        def _next(prompt_id, **kwargs):
+            value = next(it)
+            if isinstance(value, Exception):
+                raise value
+            return value
+
+        return _next
+
+    def test_429_twice_then_success_completes(self):
+        client = comfy_client.Client(CLOUD)
+        events = [
+            comfy_client.HTTPError(429, "Too Many Requests"),
+            comfy_client.HTTPError(429, "Too Many Requests"),
+            self.DONE,
+        ]
+        with (
+            patch("comfy_cli.comfy_client.time.sleep") as sleep,
+            patch.object(client, "get_history", side_effect=self._history_side_effect(events)) as gh,
+        ):
+            assert client.wait_for_completion("pid", poll_interval=0) == self.DONE
+        assert gh.call_count == 3
+        assert sleep.call_count >= 2  # backed off between failed polls
+
+    def test_500_twice_then_success_completes(self):
+        # Plain 500 is NOT retried by the in-request layer; the poller must
+        # absorb it instead of aborting the wait.
+        client = comfy_client.Client(CLOUD)
+        events = [
+            comfy_client.HTTPError(500, "Internal Server Error"),
+            comfy_client.HTTPError(500, "Internal Server Error"),
+            self.DONE,
+        ]
+        with (
+            patch("comfy_cli.comfy_client.time.sleep"),
+            patch.object(client, "get_history", side_effect=self._history_side_effect(events)) as gh,
+        ):
+            assert client.wait_for_completion("pid", poll_interval=0) == self.DONE
+        assert gh.call_count == 3
+
+    def test_permanent_500_fails_after_retry_budget(self):
+        client = comfy_client.Client(CLOUD)
+        with (
+            patch("comfy_cli.comfy_client.time.sleep"),
+            patch.object(client, "get_history", side_effect=comfy_client.HTTPError(500, "boom")) as gh,
+        ):
+            with pytest.raises(comfy_client.HTTPError) as exc:
+                client.wait_for_completion("pid", poll_interval=0)
+        assert exc.value.status == 500
+        assert gh.call_count == comfy_client._MAX_POLL_FAILURES
+
+    def test_backoff_is_exponential_with_cap(self):
+        client = comfy_client.Client(CLOUD)
+        with (
+            patch("comfy_cli.comfy_client.time.sleep") as sleep,
+            patch("comfy_cli.comfy_client.random.uniform", return_value=0.0),
+            patch.object(client, "get_history", side_effect=comfy_client.HTTPError(429, "rl")),
+        ):
+            with pytest.raises(comfy_client.HTTPError):
+                client.wait_for_completion("pid", poll_interval=0)
+        backoffs = [c.args[0] for c in sleep.call_args_list if c.args[0] > 0]
+        assert backoffs == [2.0, 4.0, 8.0, 16.0]  # base 2s, doubling, jitter zeroed
+        assert all(b <= 60.0 for b in backoffs)
+
+    def test_retry_after_overrides_backoff(self):
+        client = comfy_client.Client(CLOUD)
+        events = [
+            comfy_client.HTTPError(429, "rl", retry_after=7.0),
+            self.DONE,
+        ]
+        with (
+            patch("comfy_cli.comfy_client.time.sleep") as sleep,
+            patch.object(client, "get_history", side_effect=self._history_side_effect(events)),
+        ):
+            assert client.wait_for_completion("pid", poll_interval=0) == self.DONE
+        assert 7.0 in [c.args[0] for c in sleep.call_args_list]
+
+    def test_failure_counter_resets_on_successful_poll(self):
+        client = comfy_client.Client(CLOUD)
+        budget = comfy_client._MAX_POLL_FAILURES
+        events = (
+            [comfy_client.HTTPError(429, "rl")] * (budget - 1)
+            + [None]  # successful poll (job not done yet) resets the counter
+            + [comfy_client.HTTPError(429, "rl")] * (budget - 1)
+            + [self.DONE]
+        )
+        with (
+            patch("comfy_cli.comfy_client.time.sleep"),
+            patch.object(client, "get_history", side_effect=self._history_side_effect(events)) as gh,
+        ):
+            assert client.wait_for_completion("pid", poll_interval=0, timeout=600) == self.DONE
+        assert gh.call_count == len(events)
+
+    def test_non_transient_http_error_propagates_immediately(self):
+        client = comfy_client.Client(CLOUD)
+        with (
+            patch("comfy_cli.comfy_client.time.sleep") as sleep,
+            patch.object(client, "get_history", side_effect=comfy_client.HTTPError(403, "forbidden")) as gh,
+        ):
+            with pytest.raises(comfy_client.HTTPError) as exc:
+                client.wait_for_completion("pid", poll_interval=0)
+        assert exc.value.status == 403
+        assert gh.call_count == 1
+        assert sleep.call_count == 0
+
+    def test_request_attaches_retry_after_to_http_error(self):
+        from http.client import HTTPMessage
+
+        hdrs = HTTPMessage()
+        hdrs["Retry-After"] = "12"
+        err = urllib.error.HTTPError(url="https://cloud/x", code=500, msg="500", hdrs=hdrs, fp=io.BytesIO(b""))
+        with patch.object(comfy_client._OPENER, "open", side_effect=err):
+            with pytest.raises(comfy_client.HTTPError) as exc:
+                comfy_client.Client(CLOUD).submit_prompt({"1": {}}, "cid")
+        assert exc.value.retry_after == 12.0
+
+
+class TestOutputUrls:
+    def test_view_url_uses_api_prefix_for_cloud(self):
+        url = comfy_client.Client(CLOUD).view_url({"filename": "a.png", "subfolder": "", "type": "output"})
+        assert url == "https://cloud.example.com/api/view?filename=a.png&subfolder=&type=output"
+
+    def test_view_url_no_prefix_for_local(self):
+        url = comfy_client.Client(LOCAL).view_url({"filename": "a.png", "subfolder": "", "type": "output"})
+        assert url == "http://127.0.0.1:8188/view?filename=a.png&subfolder=&type=output"
+
+    def test_extract_collects_image_urls(self):
+        record = {
+            "outputs": {
+                "3": {
+                    "images": [
+                        {"filename": "a.png", "subfolder": "", "type": "output"},
+                        {"filename": "b.png", "subfolder": "sub", "type": "temp"},
+                    ]
+                }
+            }
+        }
+        urls = comfy_client.Client(CLOUD).extract_output_urls(record)
+        assert urls == [
+            "https://cloud.example.com/api/view?filename=a.png&subfolder=&type=output",
+            "https://cloud.example.com/api/view?filename=b.png&subfolder=sub&type=temp",
+        ]
+
+    def test_extract_skips_malformed(self):
+        assert comfy_client.Client(CLOUD).extract_output_urls({}) == []
+        record = {"outputs": {"3": {"images": [{"no_filename": True}, "garbage"]}}}
+        assert comfy_client.Client(CLOUD).extract_output_urls(record) == []
+
+    def test_extract_outputs_keeps_node_association(self):
+        """extract_outputs returns one dict per artifact with the producing
+        node id — the node association that flat URL lists drop."""
+        record = {
+            "outputs": {
+                "9": {
+                    "images": [
+                        {"filename": "a.png", "subfolder": "", "type": "output"},
+                        {"filename": "b.png", "subfolder": "sub", "type": "temp"},
+                    ]
+                },
+                "12": {"videos": [{"filename": "v.mp4", "subfolder": "", "type": "output"}]},
+            }
+        }
+        out = comfy_client.Client(CLOUD).extract_outputs(record)
+        assert out == [
+            {
+                "node_id": "9",
+                "url": "https://cloud.example.com/api/view?filename=a.png&subfolder=&type=output",
+                "filename": "a.png",
+                "type": "output",
+            },
+            {
+                "node_id": "9",
+                "url": "https://cloud.example.com/api/view?filename=b.png&subfolder=sub&type=temp",
+                "filename": "b.png",
+                "type": "temp",
+            },
+            {
+                "node_id": "12",
+                "url": "https://cloud.example.com/api/view?filename=v.mp4&subfolder=&type=output",
+                "filename": "v.mp4",
+                "type": "output",
+            },
+        ]
+
+    def test_extract_outputs_skips_non_dict_noise(self):
+        record = {
+            "outputs": {
+                "3": "garbage-not-a-dict",
+                "4": {"images": [{"no_filename": True}, "garbage", None]},
+                "5": {"images": "not-a-list"},
+                "6": {"images": [{"filename": "ok.png", "subfolder": "", "type": "output"}]},
+            }
+        }
+        out = comfy_client.Client(CLOUD).extract_outputs(record)
+        assert [o["node_id"] for o in out] == ["6"]
+        assert comfy_client.Client(CLOUD).extract_outputs({}) == []
+        assert comfy_client.Client(CLOUD).extract_outputs({"outputs": "nope"}) == []
+
+    def test_extract_output_urls_delegates_to_extract_outputs(self):
+        record = {
+            "outputs": {
+                "9": {"images": [{"filename": "a.png", "subfolder": "", "type": "output"}]},
+                "12": {"videos": [{"filename": "v.mp4", "subfolder": "", "type": "output"}]},
+            }
+        }
+        client = comfy_client.Client(CLOUD)
+        assert client.extract_output_urls(record) == [o["url"] for o in client.extract_outputs(record)]
+
+
+class TestGroupOutputs:
+    """_group_outputs: pure grouping of extract_outputs entries by node and
+    (via an item_map) by blueprint foreach item."""
+
+    OUTPUTS = [
+        {"node_id": "9", "url": "https://x/a.png", "filename": "a.png", "type": "output"},
+        {"node_id": "9", "url": "https://x/b.png", "filename": "b.png", "type": "output"},
+        {"node_id": "12", "url": "https://x/v.mp4", "filename": "v.mp4", "type": "output"},
+    ]
+
+    def test_groups_by_node(self):
+        by_node, by_item = comfy_client._group_outputs(self.OUTPUTS, None)
+        assert by_node == {"9": ["https://x/a.png", "https://x/b.png"], "12": ["https://x/v.mp4"]}
+        assert by_item == {}
+
+    def test_groups_by_item_via_item_map_nodes(self):
+        item_map = {
+            "s1": {"nodes": ["7", "9"], "save_node": "9", "prefix": "outputs/s1"},
+            "s2": {"nodes": ["10", "12"], "save_node": "12", "prefix": "outputs/s2"},
+        }
+        _by_node, by_item = comfy_client._group_outputs(self.OUTPUTS, item_map)
+        assert by_item == {
+            "s1": ["https://x/a.png", "https://x/b.png"],
+            "s2": ["https://x/v.mp4"],
+        }
+
+    def test_item_with_no_outputs_keeps_empty_list(self):
+        # A pruned branch (item produced nothing) must still be visible.
+        item_map = {
+            "s1": {"nodes": ["9"], "save_node": "9", "prefix": "p"},
+            "s2": {"nodes": ["99"], "save_node": "99", "prefix": "p"},
+        }
+        _by_node, by_item = comfy_client._group_outputs(self.OUTPUTS[:1], item_map)
+        assert by_item == {"s1": ["https://x/a.png"], "s2": []}
+
+    def test_save_node_membership_counts_even_outside_nodes_list(self):
+        item_map = {"s1": {"nodes": ["7"], "save_node": "9", "prefix": "p"}}
+        _by_node, by_item = comfy_client._group_outputs(self.OUTPUTS[:1], item_map)
+        assert by_item == {"s1": ["https://x/a.png"]}
+
+    def test_empty_inputs(self):
+        assert comfy_client._group_outputs([], None) == ({}, {})
+        assert comfy_client._group_outputs([], {}) == ({}, {})
+
+    def test_skips_malformed_entries(self):
+        outputs = [
+            "garbage",
+            {"url": "https://x/no-node.png"},
+            {"node_id": "9"},
+            {"node_id": "9", "url": "https://x/a.png"},
+        ]
+        item_map = {"s1": {"nodes": ["9"]}, "bad": "not-a-dict"}
+        by_node, by_item = comfy_client._group_outputs(outputs, item_map)
+        assert by_node == {"9": ["https://x/a.png"]}
+        assert by_item == {"s1": ["https://x/a.png"], "bad": []}
+
+
+class TestWaitForCompletionProgressProbe:
+    def test_wait_for_completion_resets_idle_on_progress(self, monkeypatch):
+        import comfy_cli.comfy_client as cc
+
+        client = cc.Client(CLOUD)
+
+        poll_interval = 0.04  # each poll sleeps ~40ms
+        timeout = 0.06  # without reset, the idle timer trips after 60ms
+
+        calls = {"n": 0}
+        done = {"status": {"completed": True}, "outputs": {}}
+
+        def history(pid):
+            calls["n"] += 1
+            return done if calls["n"] >= 5 else {"status": {"status_str": "running"}}
+
+        counter = {"v": 0}
+
+        def probe():
+            counter["v"] += 1
+            return ("running", counter["v"])  # advances every poll → resets last_change
+
+        monkeypatch.setattr(client, "get_history", history)
+        # ~5 polls × 40ms ≈ 200ms total elapsed, far past the 60ms timeout, but the
+        # idle timer resets each poll because the probe value advances → must NOT raise.
+        rec = client.wait_for_completion("pid", poll_interval=poll_interval, timeout=timeout, progress_probe=probe)
+        assert rec is done
+
+    def test_wait_for_completion_times_out_on_silence(self, monkeypatch):
+        import comfy_cli.comfy_client as cc
+
+        client = cc.Client(CLOUD)
+        monkeypatch.setattr(client, "get_history", lambda pid: {"status": {"status_str": "running"}})
+        with pytest.raises(TimeoutError):
+            client.wait_for_completion("pid", poll_interval=0, timeout=0.05, progress_probe=lambda: ("running", 1))
+
+
+class TestRedirectRefusal:
+    """The opener must refuse to follow redirects so the Bearer token can't
+    be replayed at a different host."""
+
+    def test_302_to_attacker_raises_http_error(self):
+        # Build a 302 response that the redirect handler would normally follow.
+        from http.client import HTTPMessage
+
+        headers = HTTPMessage()
+        headers["Location"] = "http://attacker.example/steal"
+        err = urllib.error.HTTPError(
+            url="https://cloud.example.com/api/prompt",
+            code=302,
+            msg="Found",
+            hdrs=headers,
+            fp=io.BytesIO(b""),
+        )
+        with patch.object(comfy_client._OPENER, "open", side_effect=err):
+            with pytest.raises(comfy_client.HTTPError) as exc:
+                comfy_client.Client(CLOUD).submit_prompt({}, "cid")
+        assert exc.value.status == 302
+
+
+class TestHttpUrlRejectedForCloud:
+    def test_cloud_with_http_non_loopback_refused(self):
+        bad = Target(
+            kind="cloud",
+            base_url="http://attacker.example",  # http, non-loopback, with token
+            path_prefix="/api",
+            history_path="history_v2",
+            jobs_path="jobs",
+            auth_token="tok",
+        )
+        client = comfy_client.Client(bad)
+        with pytest.raises(ValueError, match="non-https"):
+            client.submit_prompt({}, "cid")
+
+    def test_cloud_with_http_loopback_allowed(self):
+        local_cloud = Target(
+            kind="cloud",
+            base_url="http://127.0.0.1:8190",  # loopback exception
+            path_prefix="/api",
+            history_path="history_v2",
+            jobs_path="jobs",
+            auth_token="tok",
+        )
+        with patch.object(
+            comfy_client._OPENER,
+            "open",
+            return_value=_mock_response({"prompt_id": "x", "number": 1, "node_errors": {}}),
+        ):
+            comfy_client.Client(local_cloud).submit_prompt({}, "cid")  # no raise
+
+
+class TestTokenRedaction:
+    def test_http_error_str_does_not_leak_bearer(self):
+        body = b'{"error": "missing scope, header was Bearer abc123def456"}'
+        err = urllib.error.HTTPError("https://x", 401, "Unauthorized", None, io.BytesIO(body))
+        with patch.object(comfy_client._OPENER, "open", side_effect=err):
+            with pytest.raises(comfy_client.HTTPError) as exc:
+                comfy_client.Client(CLOUD).submit_prompt({}, "cid")
+        assert "abc123def456" not in str(exc.value)
+        assert "abc123def456" not in exc.value.body
+
+    def test_target_repr_omits_token(self):
+        # Bearer should never show in logger.debug("%r", target).
+        assert "tok-abc" not in repr(CLOUD)
diff --git a/tests/comfy_cli/command/generate/test_app.py b/tests/comfy_cli/command/generate/test_app.py
index 6efb7108..a0bb0d3e 100644
--- a/tests/comfy_cli/command/generate/test_app.py
+++ b/tests/comfy_cli/command/generate/test_app.py
@@ -133,12 +133,14 @@ def test_per_model_help(runner):
 
 def test_generate_missing_api_key(runner, monkeypatch):
     monkeypatch.delenv("COMFY_API_KEY", raising=False)
+    # No OAuth session in the isolated test config, so this is the "no credential
+    # at all" path. OAuth-over-env precedence is intended; this asserts the new message.
     r = runner.invoke(
         cli_app,
         ["generate", "flux-pro", "--prompt", "x", "--width", "1", "--height", "1"],
     )
     assert r.exit_code == 1
-    assert "No API key" in r.stdout
+    assert "Not signed in" in r.stdout
 
 
 def test_generate_bad_int_suggests_schema(runner, api_key):
diff --git a/tests/comfy_cli/command/generate/test_client.py b/tests/comfy_cli/command/generate/test_client.py
index c3909143..732c90a3 100644
--- a/tests/comfy_cli/command/generate/test_client.py
+++ b/tests/comfy_cli/command/generate/test_client.py
@@ -18,7 +18,9 @@ def test_resolve_api_key_explicit_wins(monkeypatch):
 
 def test_resolve_api_key_missing(monkeypatch):
     monkeypatch.delenv("COMFY_API_KEY", raising=False)
-    with pytest.raises(client.ApiError, match="No API key"):
+    # No OAuth session in the isolated test config and no env key -> "no credential"
+    # path. OAuth-over-env precedence is intentional; assert the current message.
+    with pytest.raises(client.ApiError, match="Not signed in"):
         client.resolve_api_key()
 
 
diff --git a/tests/comfy_cli/command/generate/test_emit.py b/tests/comfy_cli/command/generate/test_emit.py
new file mode 100644
index 00000000..1d060d6c
--- /dev/null
+++ b/tests/comfy_cli/command/generate/test_emit.py
@@ -0,0 +1,172 @@
+"""Tests for ``comfy generate <model> --emit-workflow`` and the underlying
+``emit`` module: model→node-class mapping, param translation, and the emitted
+API-format workflow shape.
+"""
+
+import json
+
+import pytest
+from typer.testing import CliRunner
+
+from comfy_cli.cmdline import app as cli_app
+from comfy_cli.command.generate import emit
+
+
+@pytest.fixture(autouse=True)
+def disable_tracking_prompt(monkeypatch):
+    monkeypatch.setattr("comfy_cli.tracking.prompt_tracking_consent", lambda *a, **kw: None)
+    monkeypatch.setattr("comfy_cli.tracking.track_event", lambda *a, **kw: None)
+
+
+@pytest.fixture
+def runner():
+    return CliRunner()
+
+
+# ─── unit: build_workflow ─────────────────────────────────────────────────
+
+
+def test_build_flux_text_to_image_class_type_and_params():
+    wf = emit.build_workflow("flux-pro", {"prompt": "a fox", "width": 512})
+    # partner node is "1"
+    assert wf["1"]["class_type"] == "Flux2ProImageNode"
+    assert wf["1"]["inputs"]["prompt"] == "a fox"
+    # user override applied, fixed default preserved for unset params
+    assert wf["1"]["inputs"]["width"] == 512
+    assert wf["1"]["inputs"]["height"] == 768
+    # save node references the partner output
+    save = [n for n in wf.values() if n["class_type"] == "SaveImage"]
+    assert len(save) == 1
+    assert save[0]["inputs"]["images"] == ["1", 0]
+
+
+def test_build_nano_banana_wires_load_image():
+    wf = emit.build_workflow("nano-banana", {"prompt": "add sunglasses", "image": "cat.png"})
+    assert wf["1"]["class_type"] == "GeminiImageNode"
+    # an image param becomes a LoadImage node wired into `images`
+    loaders = [(k, v) for k, v in wf.items() if v["class_type"] == "LoadImage"]
+    assert len(loaders) == 1
+    loader_id, loader = loaders[0]
+    assert loader["inputs"]["image"] == "cat.png"
+    assert wf["1"]["inputs"]["images"] == [loader_id, 0]
+
+
+def test_build_seedance_emits_save_video():
+    wf = emit.build_workflow("seedance", {"prompt": "drift", "image": "frame.png", "duration": 8})
+    assert wf["1"]["class_type"] == "ByteDanceImageToVideoNode"
+    assert wf["1"]["inputs"]["duration"] == 8
+    save = [n for n in wf.values() if n["class_type"] == "SaveVideo"]
+    assert len(save) == 1
+    assert save[0]["inputs"]["video"] == ["1", 0]
+
+
+def test_build_kling_i2v_class_and_start_frame():
+    wf = emit.build_workflow("kling-i2v", {"prompt": "zoom in", "image": "start.png"})
+    assert wf["1"]["class_type"] == "KlingImage2VideoNode"
+    loader_id = next(k for k, v in wf.items() if v["class_type"] == "LoadImage")
+    assert wf["1"]["inputs"]["start_frame"] == [loader_id, 0]
+
+
+def test_unknown_model_lists_supported():
+    with pytest.raises(emit.EmitError) as ei:
+        emit.build_workflow("dalle", {"prompt": "x"})
+    msg = str(ei.value)
+    assert "flux-pro" in msg and "nano-banana" in msg
+
+
+def test_emitted_workflow_is_api_format_node_ids_are_strings():
+    wf = emit.build_workflow("flux-pro", {"prompt": "p"})
+    for k, node in wf.items():
+        assert isinstance(k, str)
+        assert "class_type" in node
+        assert "inputs" in node
+
+
+# ─── CLI integration ──────────────────────────────────────────────────────
+
+
+def test_cli_emit_writes_file_no_api_key(runner, tmp_path, monkeypatch):
+    # No COMFY_API_KEY set: emit must not require one.
+    monkeypatch.delenv("COMFY_API_KEY", raising=False)
+    out = tmp_path / "wf.json"
+    r = runner.invoke(
+        cli_app,
+        ["generate", "flux-pro", "--prompt", "a cat", "--emit-workflow", str(out)],
+    )
+    assert r.exit_code == 0, r.stdout
+    assert out.is_file()
+    wf = json.loads(out.read_text())
+    assert wf["1"]["class_type"] == "Flux2ProImageNode"
+    assert wf["1"]["inputs"]["prompt"] == "a cat"
+
+
+def test_cli_emit_json_mode_prints_workflow(runner, tmp_path, monkeypatch):
+    # --json (generate-local flag) is now superseded by the global renderer
+    # envelope. Use COMFY_OUTPUT=json to put the renderer in JSON mode and
+    # assert the output is a proper envelope, not a bare workflow dict.
+    monkeypatch.delenv("COMFY_API_KEY", raising=False)
+    monkeypatch.setenv("COMFY_OUTPUT", "json")
+    out = tmp_path / "wf.json"
+    r = runner.invoke(
+        cli_app,
+        ["generate", "nano-banana", "--prompt", "hi", "--emit-workflow", str(out)],
+    )
+    assert r.exit_code == 0, r.stdout
+    lines = [ln for ln in r.stdout.splitlines() if ln.strip().startswith("{")]
+    env = json.loads(lines[-1])
+    assert env.get("ok") is True
+    assert env["data"]["out"].endswith("wf.json")
+
+
+def test_emit_workflow_uses_envelope(runner, monkeypatch, tmp_path):
+    # Force the renderer into JSON-envelope mode via the COMFY_OUTPUT env var
+    # (which Renderer.resolve() reads from os.environ in the @app.callback).
+    # This is the global mechanism — distinct from the generate-local --json
+    # flag that _separate_meta_flags() parses (which no longer drives emit output).
+    monkeypatch.delenv("COMFY_API_KEY", raising=False)
+    monkeypatch.setenv("COMFY_OUTPUT", "json")
+    out = tmp_path / "wf.json"
+    r = runner.invoke(
+        cli_app,
+        ["generate", "flux-pro", "--prompt", "x", "--width", "1024", "--height", "768", "--emit-workflow", str(out)],
+    )
+    assert r.exit_code == 0, r.stdout
+    lines = [ln for ln in r.stdout.splitlines() if ln.strip().startswith("{")]
+    env = json.loads(lines[-1])
+    assert env.get("ok") is True
+    assert "command" in env and "data" in env  # envelope shape, not a bare workflow dict
+    assert env["data"]["out"].endswith("wf.json")
+
+
+def test_cli_emit_unsupported_model_errors(runner, tmp_path, monkeypatch):
+    monkeypatch.setenv("COMFY_API_KEY", "comfyui-test")
+    out = tmp_path / "wf.json"
+    r = runner.invoke(
+        cli_app,
+        ["generate", "dalle", "--prompt", "x", "--emit-workflow", str(out)],
+    )
+    assert r.exit_code == 1
+    assert "does not support" in r.stdout
+    assert not out.exists()
+
+
+def test_cli_emit_output_prefix(runner, tmp_path, monkeypatch):
+    monkeypatch.delenv("COMFY_API_KEY", raising=False)
+    out = tmp_path / "wf.json"
+    r = runner.invoke(
+        cli_app,
+        [
+            "generate",
+            "flux-pro",
+            "--prompt",
+            "p",
+            "--emit-workflow",
+            str(out),
+            "--output-prefix",
+            "myfox",
+        ],
+    )
+    assert r.exit_code == 0, r.stdout
+    wf = json.loads(out.read_text())
+    save = next(n for n in wf.values() if n["class_type"] == "SaveImage")
+    assert save["inputs"]["filename_prefix"] == "myfox"
diff --git a/tests/comfy_cli/command/github/test_pr.py b/tests/comfy_cli/command/github/test_pr.py
index ebc37bd3..3b7e93e4 100644
--- a/tests/comfy_cli/command/github/test_pr.py
+++ b/tests/comfy_cli/command/github/test_pr.py
@@ -354,7 +354,7 @@ def test_install_with_pr_parameter(self, mock_execute, runner):
         """Test install command with --pr parameter"""
         result = runner.invoke(app, ["install", "--pr", "jtydhr88:load-3d-nodes", "--nvidia", "--skip-prompt"])
 
-        assert "Invalid PR reference format" not in result.stdout
+        assert "Invalid PR reference format" not in result.output
 
         if mock_execute.called:
             call_args = mock_execute.call_args
@@ -376,14 +376,15 @@ def test_pr_and_commit_conflict(self, runner):
     @patch("comfy_cli.cmdline.check_comfy_repo", return_value=(False, None))
     @patch("comfy_cli.cmdline.workspace_manager")
     @patch("comfy_cli.tracking.prompt_tracking_consent")
-    def test_commit_without_pr_does_not_conflict(self, mock_track, mock_ws, mock_check, mock_execute, runner):
+    @patch("comfy_cli.cmdline.utils.get_os", return_value="linux")
+    def test_commit_without_pr_does_not_conflict(self, mock_os, mock_track, mock_ws, mock_check, mock_execute, runner):
         """Test that --commit alone does not trigger --pr conflict error (issue #335)"""
         mock_ws.get_workspace_path.return_value = ("/tmp/test", None)
         result = runner.invoke(
             app, ["--skip-prompt", "install", "--version", "nightly", "--commit", "abc123", "--nvidia"]
         )
 
-        assert "--pr cannot be used" not in result.stdout
+        assert "--pr cannot be used" not in result.output
         assert mock_execute.called
 
     @patch("comfy_cli.command.install.execute")
@@ -396,7 +397,9 @@ def test_cpu_pr_conflict_with_version(self, mock_track, mock_ws, mock_check, moc
         result = runner.invoke(app, ["--skip-prompt", "install", "--cpu", "--pr", "#123", "--version", "1.0.0"])
 
         assert result.exit_code != 0
-        assert "--pr cannot be used" in result.stdout
+        # ``result.output`` (not ``.stdout``): click >= 8.2 keeps stderr out of
+        # ``.stdout`` in CliRunner, and the conflict error is emitted on stderr.
+        assert "--pr cannot be used" in result.output
         assert not mock_execute.called
 
     @patch("comfy_cli.command.install.execute")
@@ -411,7 +414,7 @@ def test_cpu_pr_conflict_with_commit(self, mock_track, mock_ws, mock_check, mock
         )
 
         assert result.exit_code != 0
-        assert "--pr cannot be used" in result.stdout
+        assert "--pr cannot be used" in result.output
         assert not mock_execute.called
 
     @patch("comfy_cli.command.install.execute")
diff --git a/tests/comfy_cli/command/models/test_search.py b/tests/comfy_cli/command/models/test_search.py
new file mode 100644
index 00000000..56cade1a
--- /dev/null
+++ b/tests/comfy_cli/command/models/test_search.py
@@ -0,0 +1,350 @@
+"""Tests for ``comfy models`` — live discovery against /api/assets + /api/experiment/models.
+
+All HTTP is mocked: tests own a small set of fixture payloads modeled on real
+cloud responses. The asset fixtures intentionally exercise both metadata bags
+(``user_metadata`` and ``metadata``), the tag conventions (``models`` +
+type-tag), and the sparse-field pattern (``base_model`` populated on only some
+entries).
+"""
+
+from __future__ import annotations
+
+import io
+import json
+import urllib.error
+from typing import Any
+
+import pytest
+from typer.testing import CliRunner
+
+from comfy_cli.caller import Caller
+from comfy_cli.command.models import search as search_cmd
+from comfy_cli.output.renderer import OutputMode, Renderer, reset_renderer_for_testing, set_renderer
+
+# ---------------------------------------------------------------------------
+# Fixtures + helpers
+# ---------------------------------------------------------------------------
+
+
+@pytest.fixture(autouse=True)
+def reset_singleton():
+    reset_renderer_for_testing()
+    yield
+    reset_renderer_for_testing()
+
+
+def _force_json_renderer():
+    r = Renderer.resolve(
+        is_stdout_tty=False,
+        env={},
+        caller=Caller(kind="user", agentic=False, source_env=None),
+        json_flag=True,
+    )
+    r.mode = OutputMode.JSON
+    set_renderer(r)
+    return r
+
+
+def _run(args: list[str], capsys: pytest.CaptureFixture[str]) -> dict[str, Any]:
+    _force_json_renderer()
+    runner = CliRunner()
+    result = runner.invoke(search_cmd.app, args, standalone_mode=False)
+    captured = capsys.readouterr().out
+    if not captured.strip():
+        captured = result.stdout or ""
+    assert captured.strip(), f"no envelope on stdout (rc={result.exit_code}, exc={result.exception})"
+    return json.loads(captured.strip().splitlines()[-1])
+
+
+def _fake_resp(body: bytes, status: int = 200):
+    """Build a minimal urlopen-compatible response object."""
+
+    class _Resp:
+        def __init__(self):
+            self.status = status
+
+        def __enter__(self):
+            return self
+
+        def __exit__(self, *args):
+            return False
+
+        def read(self, n: int | None = None):
+            return body if n is None else body[:n]
+
+    return _Resp()
+
+
+# Cloud /api/experiment/models — list-of-dicts shape.
+_CLOUD_FOLDERS = [
+    {"name": "checkpoints", "folders": ["checkpoints"]},
+    {"name": "loras", "folders": ["loras"]},
+    {"name": "vae", "folders": ["vae"]},
+]
+
+# Local /models — flat-string-list shape (older ComfyUI servers also serve dicts;
+# both shapes are accepted by the normalizer).
+_LOCAL_FOLDERS = ["checkpoints", "loras", "vae"]
+
+
+_CLOUD_FILES_LORAS = [
+    {"name": "wan2.2_t2v_lightx2v.safetensors", "pathIndex": 0},
+    {"name": "flux1-redux-dev.safetensors", "pathIndex": 0},
+    {"name": "z-image-turbo-rank64.safetensors", "pathIndex": 0},
+]
+
+
+_ASSETS_RESPONSE = {
+    "assets": [
+        {
+            "id": "11111111-1111-1111-1111-111111111111",
+            "name": "wan2.2_t2v_lightx2v.safetensors",
+            "display_name": "Wan 2.2 LightX2V",
+            "size": 295_146_208,
+            "tags": ["models", "loras"],
+            "user_metadata": {"filename": "wan2.2_t2v_lightx2v.safetensors"},
+            "metadata": {
+                "repo_url": "https://huggingface.co/example/wan",
+                "preview_url": "https://example.com/preview.webp",
+                # base_model deliberately omitted — exercises the sparse path.
+            },
+            "preview_url": "https://example.com/preview.webp",
+            "is_immutable": True,
+            "created_at": "2026-05-10T00:00:00Z",
+            "updated_at": "2026-05-10T00:00:00Z",
+        },
+        {
+            "id": "22222222-2222-2222-2222-222222222222",
+            "name": "flux1-redux-dev.safetensors",
+            "display_name": "Flux Redux",
+            "size": 800_000_000,
+            "tags": ["models", "style_models"],
+            "user_metadata": {},
+            "metadata": {
+                "base_model": "Flux.1 D",
+                "repo_url": "https://huggingface.co/black-forest-labs/FLUX.1-Redux-dev",
+                "trained_words": ["redux", "blend"],
+            },
+            "preview_url": None,
+            "is_immutable": False,
+            "created_at": "2026-05-11T00:00:00Z",
+            "updated_at": "2026-05-11T00:00:00Z",
+        },
+    ],
+    "total": 2,
+    "has_more": False,
+}
+
+
+@pytest.fixture
+def cloud_target(monkeypatch: pytest.MonkeyPatch):
+    """Pin ``resolve_target(where='cloud')`` to a known cloud target with an API key."""
+    from comfy_cli.target import Target
+
+    fake = Target(
+        kind="cloud",
+        base_url="https://cloud.example.com",
+        path_prefix="/api",
+        history_path="history_v2",
+        jobs_path="jobs",
+        api_key="test-api-key",
+    )
+    monkeypatch.setattr("comfy_cli.target.resolve_target", lambda **kw: fake)
+    monkeypatch.setattr("comfy_cli.command.models.search.resolve_target", lambda **kw: fake, raising=False)
+    return fake
+
+
+@pytest.fixture
+def local_target(monkeypatch: pytest.MonkeyPatch):
+    from comfy_cli.target import Target
+
+    fake = Target(
+        kind="local",
+        base_url="http://127.0.0.1:8188",
+        path_prefix="",
+        history_path="history",
+        host="127.0.0.1",
+        port=8188,
+    )
+    monkeypatch.setattr("comfy_cli.target.resolve_target", lambda **kw: fake)
+    monkeypatch.setattr("comfy_cli.command.models.search.resolve_target", lambda **kw: fake, raising=False)
+    return fake
+
+
+def _patch_urlopen(monkeypatch: pytest.MonkeyPatch, routes: dict[str, Any]):
+    """Wire urlopen to a URL→body lookup. Body is JSON-encoded.
+
+    Substring matching: the first registered URL substring that matches wins.
+    Unknown URLs raise so we never silently pass on a typo'd path.
+    """
+    calls = []
+
+    def _fake(req, timeout=None):
+        url = req.full_url if hasattr(req, "full_url") else str(req)
+        calls.append({"url": url, "headers": dict(req.headers) if hasattr(req, "headers") else {}})
+        for needle, payload in routes.items():
+            if needle in url:
+                if isinstance(payload, Exception):
+                    raise payload
+                body = json.dumps(payload).encode()
+                return _fake_resp(body)
+        raise AssertionError(f"unexpected URL hit by mock: {url}")
+
+    monkeypatch.setattr("urllib.request.urlopen", _fake)
+    return calls
+
+
+# ---------------------------------------------------------------------------
+# list-folders
+# ---------------------------------------------------------------------------
+
+
+class TestListFolders:
+    def test_cloud_happy_path(self, cloud_target, monkeypatch, capsys):
+        calls = _patch_urlopen(monkeypatch, {"/api/experiment/models": _CLOUD_FOLDERS})
+        env = _run(["list-folders", "--where", "cloud"], capsys)
+        assert env["ok"] is True, env
+        assert env["data"]["mode"] == "cloud"
+        assert env["data"]["count"] == 3
+        names = [f["name"] for f in env["data"]["folders"]]
+        assert names == ["checkpoints", "loras", "vae"]
+        # Auth header is set on cloud.
+        assert any(h.get("X-api-key") or h.get("X-Api-Key") for h in [c["headers"] for c in calls])
+
+    def test_local_happy_path(self, local_target, monkeypatch, capsys):
+        _patch_urlopen(monkeypatch, {"127.0.0.1:8188/models": _LOCAL_FOLDERS})
+        env = _run(["list-folders", "--where", "local"], capsys)
+        assert env["ok"] is True
+        assert env["data"]["mode"] == "local"
+        # The string-list shape normalizes to [{name, subfolders=[]}].
+        assert env["data"]["folders"][0] == {"name": "checkpoints", "subfolders": []}
+
+
+# ---------------------------------------------------------------------------
+# list-folder
+# ---------------------------------------------------------------------------
+
+
+class TestListFolder:
+    def test_cloud_lists_files(self, cloud_target, monkeypatch, capsys):
+        _patch_urlopen(monkeypatch, {"/api/experiment/models/loras": _CLOUD_FILES_LORAS})
+        env = _run(["list-folder", "loras", "--where", "cloud"], capsys)
+        assert env["ok"] is True
+        assert env["data"]["folder"] == "loras"
+        assert env["data"]["total"] == 3
+        names = [f["name"] for f in env["data"]["files"]]
+        assert "wan2.2_t2v_lightx2v.safetensors" in names
+
+    def test_limit_caps_results(self, cloud_target, monkeypatch, capsys):
+        _patch_urlopen(monkeypatch, {"/api/experiment/models/loras": _CLOUD_FILES_LORAS})
+        env = _run(["list-folder", "loras", "--where", "cloud", "--limit", "1"], capsys)
+        assert env["data"]["total"] == 3
+        assert env["data"]["shown"] == 1
+        assert len(env["data"]["files"]) == 1
+
+    def test_404_surfaces_folder_not_found(self, cloud_target, monkeypatch, capsys):
+        err = urllib.error.HTTPError("https://x/folder", 404, "Not Found", {}, io.BytesIO(b'{"error": "nope"}'))
+        _patch_urlopen(monkeypatch, {"/api/experiment/models/ghost": err})
+        env = _run(["list-folder", "ghost", "--where", "cloud"], capsys)
+        assert env["ok"] is False
+        assert env["error"]["code"] == "folder_not_found"
+
+
+# ---------------------------------------------------------------------------
+# search
+# ---------------------------------------------------------------------------
+
+
+class TestSearch:
+    def test_cloud_returns_enriched_rows(self, cloud_target, monkeypatch, capsys):
+        calls = _patch_urlopen(monkeypatch, {"/api/assets": _ASSETS_RESPONSE})
+        env = _run(["search", "--text", "flux", "--limit", "5", "--where", "cloud"], capsys)
+        assert env["ok"] is True
+        assert env["data"]["mode"] == "cloud"
+        assert env["data"]["total"] == 2
+        rows = env["data"]["rows"]
+        # The `metadata.base_model` field was populated for flux, sparse for wan.
+        flux = next(r for r in rows if r["name"] == "flux1-redux-dev.safetensors")
+        wan = next(r for r in rows if r["name"] == "wan2.2_t2v_lightx2v.safetensors")
+        assert flux["base_model"] == "Flux.1 D"
+        assert wan["base_model"] is None  # sparse — mirrors real cloud data
+        # Source URL falls back from repo_url
+        assert flux["source_url"].startswith("https://huggingface.co/")
+        # The type is derived from the first non-"models" tag.
+        assert wan["type"] == "loras"
+        assert flux["type"] == "style_models"
+        # The query string carried name_contains + include_tags=models.
+        url = calls[0]["url"]
+        assert "name_contains=flux" in url
+        # include_tags is comma-separated (URL-encoded) per the cloud OpenAPI
+        # spec — exploded form is rejected by /api/assets with HTTP 400.
+        assert "include_tags=models" in url
+
+    def test_cloud_type_filter_appends_tag(self, cloud_target, monkeypatch, capsys):
+        calls = _patch_urlopen(monkeypatch, {"/api/assets": _ASSETS_RESPONSE})
+        _run(["search", "--type", "lora", "--where", "cloud"], capsys)
+        url = calls[0]["url"]
+        # Comma-separated form: include_tags=models,loras (URL-encoded as %2C).
+        assert "include_tags=models%2Cloras" in url
+
+    def test_local_falls_back_to_folder_listing(self, local_target, monkeypatch, capsys):
+        _patch_urlopen(
+            monkeypatch,
+            {"127.0.0.1:8188/models/checkpoints": [{"name": "sd_xl_base_1.0.safetensors", "pathIndex": 0}]},
+        )
+        env = _run(["search", "--text", "sd_xl", "--where", "local"], capsys)
+        assert env["ok"] is True
+        assert env["data"]["mode"] == "local"
+        rows = env["data"]["rows"]
+        assert len(rows) == 1
+        assert rows[0]["name"] == "sd_xl_base_1.0.safetensors"
+        # Local has no enrichment.
+        assert rows[0]["base_model"] is None
+        assert rows[0]["source_url"] is None
+
+    def test_local_text_filter_is_client_side(self, local_target, monkeypatch, capsys):
+        _patch_urlopen(
+            monkeypatch,
+            {
+                "127.0.0.1:8188/models/checkpoints": [
+                    {"name": "sd_xl_base_1.0.safetensors", "pathIndex": 0},
+                    {"name": "flux1-dev.safetensors", "pathIndex": 0},
+                ]
+            },
+        )
+        env = _run(["search", "--text", "flux", "--where", "local"], capsys)
+        names = [r["name"] for r in env["data"]["rows"]]
+        assert names == ["flux1-dev.safetensors"]
+
+
+# ---------------------------------------------------------------------------
+# show
+# ---------------------------------------------------------------------------
+
+
+class TestShow:
+    def test_exact_match_returns_full_asset(self, cloud_target, monkeypatch, capsys):
+        _patch_urlopen(monkeypatch, {"/api/assets": _ASSETS_RESPONSE})
+        env = _run(["show", "flux1-redux-dev.safetensors", "--where", "cloud"], capsys)
+        assert env["ok"] is True
+        # Both the projected row and the raw asset ride along.
+        assert env["data"]["row"]["name"] == "flux1-redux-dev.safetensors"
+        assert env["data"]["asset"]["id"] == "22222222-2222-2222-2222-222222222222"
+        assert env["data"]["row"]["base_model"] == "Flux.1 D"
+        assert env["data"]["row"]["trained_words"] == ["redux", "blend"]
+
+    def test_no_exact_match_returns_close_matches(self, cloud_target, monkeypatch, capsys):
+        # Substring hits but no exact name match.
+        _patch_urlopen(monkeypatch, {"/api/assets": _ASSETS_RESPONSE})
+        env = _run(["show", "flux-DOES-NOT-EXIST.safetensors", "--where", "cloud"], capsys)
+        assert env["ok"] is False
+        assert env["error"]["code"] == "model_not_found"
+        # The 5-or-fewer close_matches affordance helps the agent self-correct.
+        assert "close_matches" in env["error"]["details"]
+
+    def test_local_is_explicitly_unsupported(self, local_target, monkeypatch, capsys):
+        # urlopen should never be called for `show --where local`.
+        _patch_urlopen(monkeypatch, {})
+        env = _run(["show", "anything.safetensors", "--where", "local"], capsys)
+        assert env["ok"] is False
+        assert env["error"]["code"] == "models_show_local_unsupported"
diff --git a/tests/comfy_cli/command/test_asset_refs.py b/tests/comfy_cli/command/test_asset_refs.py
new file mode 100644
index 00000000..490eeeac
--- /dev/null
+++ b/tests/comfy_cli/command/test_asset_refs.py
@@ -0,0 +1,432 @@
+"""`$asset.<name>` references — compose-time resolution from the push lock.
+
+Three layers, no network anywhere:
+
+- pure fragments: ``$asset`` on an input with an injected resolver lands as
+  the SAME loader materialization a literal filename gets; resolver absent
+  is a clear BlueprintError; foreach namespacing must not mangle the prefix.
+- pure project: resolver behavior is covered in tests/comfy_cli/test_project.py.
+- CLI: ``comfy workflow compose`` inside a project wires the resolver and
+  maps AssetError onto its error code.
+"""
+
+from __future__ import annotations
+
+import hashlib
+import json
+from pathlib import Path
+
+import pytest
+from typer.testing import CliRunner
+
+from comfy_cli.caller import Caller
+from comfy_cli.command import workflow as workflow_cmd
+from comfy_cli.fragments import (
+    AssetError,
+    BlueprintError,
+    _substitute_item,
+    compose_blueprint,
+    compose_blueprints,
+)
+from comfy_cli.output.renderer import (
+    OutputMode,
+    Renderer,
+    reset_renderer_for_testing,
+    set_renderer,
+)
+
+
+@pytest.fixture(autouse=True)
+def reset_singleton():
+    reset_renderer_for_testing()
+    yield
+    reset_renderer_for_testing()
+
+
+def _text_overlay_fragment() -> dict:
+    """STRING + INT params — exercises $asset resolution on the param path."""
+    return {
+        "_fragment": {
+            "name": "text_overlay",
+            "version": "1",
+            "inputs": {"image": {"type": "IMAGE", "binds": "10.image"}},
+            "outputs": {"image": {"type": "IMAGE", "from": "10", "port": 0}},
+            "params": {
+                "label": {"type": "STRING", "binds": "10.label", "default": "x"},
+                "size": {"type": "INT", "binds": "10.size", "default": 12},
+            },
+        },
+        "10": {"class_type": "TextOverlay", "inputs": {"image": "P", "label": "x", "size": 12}},
+    }
+
+
+def _image_blend_fragment() -> dict:
+    return {
+        "_fragment": {
+            "name": "image_blend",
+            "version": "1",
+            "inputs": {
+                "image1": {"type": "IMAGE", "binds": "10.image1"},
+                "image2": {"type": "IMAGE", "binds": "10.image2"},
+            },
+            "outputs": {"image": {"type": "IMAGE", "from": "10", "port": 0}},
+            "params": {"blend_factor": {"type": "FLOAT", "binds": "10.blend_factor", "default": 0.5}},
+        },
+        "10": {"class_type": "ImageBlend", "inputs": {"image1": "P", "image2": "P", "blend_factor": 0.5}},
+    }
+
+
+@pytest.fixture
+def lib_dir(tmp_path: Path) -> Path:
+    d = tmp_path / "fragments"
+    d.mkdir()
+    (d / "image_blend.json").write_text(json.dumps(_image_blend_fragment()))
+    (d / "text_overlay.json").write_text(json.dumps(_text_overlay_fragment()))
+    return d
+
+
+def _blueprint(image1: str, image2: str) -> dict:
+    return {
+        "pipeline": [
+            {
+                "fragment": "image_blend",
+                "alias": "blend",
+                "inputs": {"image1": image1, "image2": image2},
+            }
+        ]
+    }
+
+
+# ---------------------------------------------------------------------------
+# pure fragments: $asset resolution in _resolve_input
+# ---------------------------------------------------------------------------
+
+
+class TestAssetResolution:
+    def test_asset_ref_lands_identically_to_literal_filename(self, lib_dir):
+        """`$asset.x` with a resolver must produce byte-identical wiring to
+        composing the resolved name as a literal — same LoadImage nodes."""
+        literal_wf, _ = compose_blueprint(_blueprint("ab12.png", "cd34.png"), lib_dir=lib_dir)
+
+        resolved = {"keyframes/s1.png": "ab12.png", "s2.png": "cd34.png"}
+        asset_wf, _ = compose_blueprint(
+            _blueprint("$asset.keyframes/s1.png", "$asset.s2.png"),
+            lib_dir=lib_dir,
+            asset_resolver=resolved.__getitem__,
+        )
+        assert asset_wf == literal_wf
+
+    def test_asset_ref_without_resolver_is_blueprint_error(self, lib_dir):
+        with pytest.raises(BlueprintError) as exc:
+            compose_blueprint(_blueprint("$asset.s1.png", "x.png"), lib_dir=lib_dir)
+        assert "$asset.s1.png" in str(exc.value)
+        assert "comfy project init" in (exc.value.hint or "")
+        assert "comfy assets push" in (exc.value.hint or "")
+
+    def test_resolver_asset_error_propagates(self, lib_dir):
+        def stale(name: str) -> str:
+            raise AssetError(f"asset {name!r} is stale", code="asset_stale", hint="run: comfy assets push")
+
+        with pytest.raises(AssetError) as exc:
+            compose_blueprint(_blueprint("$asset.s1.png", "x.png"), lib_dir=lib_dir, asset_resolver=stale)
+        assert exc.value.code == "asset_stale"
+
+    def test_compose_blueprints_threads_resolver(self, lib_dir):
+        calls: list[str] = []
+
+        def resolver(name: str) -> str:
+            calls.append(name)
+            return f"srv-{name}"
+
+        graphs = compose_blueprints(
+            _blueprint("$asset.a.png", "$asset.b.png"), lib_dir=lib_dir, asset_resolver=resolver
+        )
+        assert sorted(calls) == ["a.png", "b.png"]
+        workflow = graphs[0][0]
+        loaded = {n["inputs"]["image"] for n in workflow.values() if n["class_type"] == "LoadImage"}
+        assert loaded == {"srv-a.png", "srv-b.png"}
+
+
+# ---------------------------------------------------------------------------
+# params: whole-value $asset refs resolve to widget values too
+# ---------------------------------------------------------------------------
+
+
+def _overlay_blueprint(params: dict) -> dict:
+    return {
+        "pipeline": [
+            {
+                "fragment": "text_overlay",
+                "alias": "t",
+                "inputs": {"image": "base.png"},
+                "params": params,
+            }
+        ]
+    }
+
+
+def _overlay_node(workflow: dict) -> dict:
+    nodes = [n for n in workflow.values() if n.get("class_type") == "TextOverlay"]
+    assert len(nodes) == 1
+    return nodes[0]
+
+
+class TestAssetParamResolution:
+    def test_string_param_asset_ref_resolves_to_cloud_name(self, lib_dir):
+        wf, _ = compose_blueprint(
+            _overlay_blueprint({"label": "$asset.fonts/x.ttf"}),
+            lib_dir=lib_dir,
+            asset_resolver=lambda name: f"srv-{name}",
+        )
+        assert _overlay_node(wf)["inputs"]["label"] == "srv-fonts/x.ttf"
+
+    def test_param_asset_ref_without_resolver_is_blueprint_error(self, lib_dir):
+        """Same error + hint as the inputs path — one shared resolution helper."""
+        with pytest.raises(BlueprintError) as exc:
+            compose_blueprint(_overlay_blueprint({"label": "$asset.x.ttf"}), lib_dir=lib_dir)
+        assert "$asset.x.ttf" in str(exc.value)
+        assert "comfy project init" in (exc.value.hint or "")
+        assert "comfy assets push" in (exc.value.hint or "")
+
+    def test_embedded_asset_ref_mid_string_is_not_a_reference(self, lib_dir):
+        """Whole-value only: `$asset.` mid-string is plain text, no resolver
+        consulted, value untouched (there is no interpolation/templating)."""
+        wf, _ = compose_blueprint(
+            _overlay_blueprint({"label": "use $asset.x here"}),
+            lib_dir=lib_dir,  # no resolver — must not raise either
+        )
+        assert _overlay_node(wf)["inputs"]["label"] == "use $asset.x here"
+
+    def test_int_param_asset_ref_resolves_and_lands_as_string(self, lib_dir):
+        """Resolution happens regardless of the declared param type; there is
+        no client-side widget-type validation, so the resolved STRING lands in
+        the INT widget and the server complains at run time. Deterministic and
+        documented — the staleness checks still fire identically."""
+        wf, _ = compose_blueprint(
+            _overlay_blueprint({"size": "$asset.x"}),
+            lib_dir=lib_dir,
+            asset_resolver=lambda name: f"srv-{name}",
+        )
+        assert _overlay_node(wf)["inputs"]["size"] == "srv-x"
+
+    def test_param_resolver_asset_error_propagates(self, lib_dir):
+        def stale(name: str) -> str:
+            raise AssetError(f"asset {name!r} is stale", code="asset_stale", hint="run: comfy assets push")
+
+        with pytest.raises(AssetError) as exc:
+            compose_blueprint(_overlay_blueprint({"label": "$asset.x.ttf"}), lib_dir=lib_dir, asset_resolver=stale)
+        assert exc.value.code == "asset_stale"
+
+    def test_foreach_item_field_asset_ref_resolves_per_item(self, lib_dir):
+        """Order: $item substitution first, then $asset resolution on the
+        resulting whole-value string — an item field can carry an asset ref
+        that a `$item.<field>` param receives and resolves."""
+        blueprint = {
+            "foreach": [
+                {"id": "s1", "first": "$asset.k/s1.png"},
+                {"id": "s2", "first": "$asset.k/s2.png"},
+            ],
+            "pipeline": [
+                {
+                    "fragment": "text_overlay",
+                    "alias": "t",
+                    "inputs": {"image": "base.png"},
+                    "params": {"label": "$item.first"},
+                }
+            ],
+        }
+        graphs = compose_blueprints(blueprint, lib_dir=lib_dir, asset_resolver=lambda name: f"srv-{name}")
+        assert len(graphs) == 1
+        workflow = graphs[0][0]
+        labels = {n["inputs"]["label"] for n in workflow.values() if n.get("class_type") == "TextOverlay"}
+        assert labels == {"srv-k/s1.png", "srv-k/s2.png"}
+        assert "__asset" not in json.dumps(workflow)
+
+
+# ---------------------------------------------------------------------------
+# foreach: the namespacing substitution must leave $asset.* alone
+# ---------------------------------------------------------------------------
+
+
+class TestForeachAssetGuard:
+    def test_substitute_item_leaves_asset_refs_unmangled(self):
+        """REGRESSION: without the early guard, alias namespacing rewrites
+        `$asset.x` into `$i0_s1__asset.x` and the ref is lost."""
+        assert _substitute_item("$asset.x", {"id": "s1"}, ns="i0_s1") == "$asset.x"
+
+    def test_substitute_item_recurses_containers_without_mangling(self):
+        value = {"image": "$asset.keyframes/s1.png", "rest": ["$asset.b.png"]}
+        out = _substitute_item(value, {"id": "s1"}, ns="i0_s1")
+        assert out == value
+
+    def test_foreach_blueprint_resolves_assets_per_branch(self, lib_dir):
+        calls: list[str] = []
+
+        def resolver(name: str) -> str:
+            calls.append(name)
+            return "srv-shared.png"
+
+        blueprint = {
+            "foreach": [{"id": "s1"}, {"id": "s2"}],
+            "pipeline": [
+                {
+                    "fragment": "image_blend",
+                    "alias": "blend",
+                    "inputs": {"image1": "$asset.shared.png", "image2": "$asset.shared.png"},
+                }
+            ],
+        }
+        graphs = compose_blueprints(blueprint, lib_dir=lib_dir, asset_resolver=resolver)
+        assert len(graphs) == 1
+        workflow = graphs[0][0]
+        assert calls == ["shared.png"] * 4  # 2 inputs × 2 branches
+        loads = [n for n in workflow.values() if n["class_type"] == "LoadImage"]
+        assert len(loads) == 4
+        assert all(n["inputs"]["image"] == "srv-shared.png" for n in loads)
+        # Nothing in the graph carries a mangled `__asset` token.
+        assert "__asset" not in json.dumps(workflow)
+
+
+# ---------------------------------------------------------------------------
+# CLI: compose inside a project
+# ---------------------------------------------------------------------------
+
+
+def _force_json_renderer():
+    r = Renderer.resolve(
+        is_stdout_tty=False,
+        env={},
+        caller=Caller(kind="user", agentic=False, source_env=None),
+        json_flag=True,
+    )
+    r.mode = OutputMode.JSON
+    set_renderer(r)
+    return r
+
+
+def _invoke(args: list[str], capsys) -> tuple[int, dict]:
+    _force_json_renderer()
+    runner = CliRunner()
+    result = runner.invoke(workflow_cmd.app, args, standalone_mode=False)
+    if result.exception is not None and not isinstance(result.exception, SystemExit):
+        raise result.exception
+    exit_code = result.return_value if isinstance(result.return_value, int) else result.exit_code
+    captured = capsys.readouterr().out
+    if not captured.strip():
+        captured = result.stdout or ""
+    for line in reversed(captured.strip().splitlines()):
+        line = line.strip()
+        if not line:
+            continue
+        try:
+            return exit_code, json.loads(line)
+        except json.JSONDecodeError:
+            continue
+    raise AssertionError(f"no JSON envelope (rc={result.exit_code}, out={captured[:500]!r})")
+
+
+@pytest.fixture
+def project_tree(tmp_path: Path) -> Path:
+    """A project/1 tree with a fragment lib, a $asset blueprint, and an asset."""
+    root = tmp_path / "proj"
+    root.mkdir()
+    (root / "comfy.yaml").write_text("schema: project/1\ndefaults:\n  where: cloud\n")
+    for d in ("assets", "fragments", "blueprints", "outputs", ".comfy"):
+        (root / d).mkdir()
+    (root / "fragments" / "image_blend.json").write_text(json.dumps(_image_blend_fragment()))
+    (root / "blueprints" / "story.yaml").write_text(
+        "pipeline:\n"
+        "  - fragment: image_blend\n"
+        "    alias: blend\n"
+        "    inputs:\n"
+        "      image1: $asset.s1.png\n"
+        "      image2: $asset.s1.png\n"
+    )
+    (root / "assets" / "s1.png").write_bytes(b"png-v1")
+    return root
+
+
+def _write_lock(root: Path, sha: str) -> None:
+    (root / ".comfy" / "assets.lock.json").write_text(
+        json.dumps({"schema": "assets-lock/1", "assets": {"s1.png": {"sha256": sha, "cloud_name": "ab12.png"}}})
+    )
+
+
+class TestComposeCli:
+    def test_compose_with_pushed_asset_uses_cloud_name(self, project_tree, capsys):
+        _write_lock(project_tree, hashlib.sha256(b"png-v1").hexdigest())
+        bp = project_tree / "blueprints" / "story.yaml"
+        rc, env = _invoke(["compose", str(bp), "--lib", str(project_tree / "fragments")], capsys)
+        assert rc == 0, env
+        assert env["ok"] is True
+        compiled = json.loads(Path(env["data"]["out"]).read_text())
+        loads = [n for n in compiled.values() if isinstance(n, dict) and n.get("class_type") == "LoadImage"]
+        assert loads and all(n["inputs"]["image"] == "ab12.png" for n in loads)
+
+    def test_compose_stale_asset_exits_1_with_asset_stale(self, project_tree, capsys):
+        _write_lock(project_tree, "0" * 64)  # lock sha != on-disk sha
+        bp = project_tree / "blueprints" / "story.yaml"
+        rc, env = _invoke(["compose", str(bp), "--lib", str(project_tree / "fragments")], capsys)
+        assert rc == 1
+        assert env["ok"] is False
+        assert env["error"]["code"] == "asset_stale"
+        assert env["error"]["hint"] == "run: comfy assets push"
+
+    def test_compose_unpushed_asset_exits_1_with_asset_not_pushed(self, project_tree, capsys):
+        # No lock written at all.
+        bp = project_tree / "blueprints" / "story.yaml"
+        rc, env = _invoke(["compose", str(bp), "--lib", str(project_tree / "fragments")], capsys)
+        assert rc == 1
+        assert env["error"]["code"] == "asset_not_pushed"
+        assert env["error"]["hint"] == "run: comfy assets push"
+
+    def test_compose_stale_asset_via_param_exits_1_with_asset_stale(self, project_tree, capsys):
+        """Staleness checks fire identically when the ref sits in `params:`."""
+        _write_lock(project_tree, "0" * 64)  # lock sha != on-disk sha
+        (project_tree / "fragments" / "text_overlay.json").write_text(json.dumps(_text_overlay_fragment()))
+        bp = project_tree / "blueprints" / "overlay.yaml"
+        bp.write_text(
+            "pipeline:\n"
+            "  - fragment: text_overlay\n"
+            "    alias: t\n"
+            "    inputs:\n"
+            "      image: base.png\n"
+            "    params:\n"
+            "      label: $asset.s1.png\n"
+        )
+        rc, env = _invoke(["compose", str(bp), "--lib", str(project_tree / "fragments")], capsys)
+        assert rc == 1
+        assert env["error"]["code"] == "asset_stale"
+        assert env["error"]["hint"] == "run: comfy assets push"
+
+    def test_compose_outside_project_keeps_blueprint_invalid(self, tmp_path, capsys):
+        """No governing project → no resolver → the generic BlueprintError
+        path with the init/push hint."""
+        lib = tmp_path / "fragments"
+        lib.mkdir()
+        (lib / "image_blend.json").write_text(json.dumps(_image_blend_fragment()))
+        bp = tmp_path / "story.yaml"
+        bp.write_text(
+            "pipeline:\n"
+            "  - fragment: image_blend\n"
+            "    alias: blend\n"
+            "    inputs:\n"
+            "      image1: $asset.s1.png\n"
+            "      image2: x.png\n"
+        )
+        rc, env = _invoke(["compose", str(bp), "--lib", str(lib)], capsys)
+        assert rc == 1
+        assert env["error"]["code"] == "blueprint_invalid"
+        assert "comfy assets push" in env["error"]["hint"]
+
+
+# ---------------------------------------------------------------------------
+# ratchets
+# ---------------------------------------------------------------------------
+
+
+def test_asset_error_codes_registered():
+    from comfy_cli import error_codes
+
+    assert error_codes.is_registered("asset_not_pushed")
+    assert error_codes.is_registered("asset_stale")
diff --git a/tests/comfy_cli/command/test_assets_push.py b/tests/comfy_cli/command/test_assets_push.py
new file mode 100644
index 00000000..4a77c03b
--- /dev/null
+++ b/tests/comfy_cli/command/test_assets_push.py
@@ -0,0 +1,306 @@
+"""``comfy assets push`` — sync assets/ to the run target over /upload/image.
+
+CliRunner-based (not subprocess) so ``_upload_file`` can be monkeypatched:
+no test ever performs a real upload, and the hard rule — the CLI never
+touches a ComfyUI install's folders directly — is enforced by construction
+(the command has no other ingestion path to fall back to).
+"""
+
+from __future__ import annotations
+
+import hashlib
+import io
+import json
+import urllib.error
+from pathlib import Path
+
+import jsonschema
+import pytest
+from typer.testing import CliRunner
+
+from comfy_cli.caller import Caller
+from comfy_cli.command import project as project_cmd
+from comfy_cli.output.renderer import (
+    OutputMode,
+    Renderer,
+    reset_renderer_for_testing,
+    set_renderer,
+)
+from comfy_cli.target import Target
+
+SCHEMAS_DIR = Path(__file__).parent.parent.parent.parent / "comfy_cli" / "schemas"
+
+MARKER = "schema: project/1\ndefaults:\n  where: cloud\n"
+
+
+@pytest.fixture(autouse=True)
+def reset_singleton():
+    reset_renderer_for_testing()
+    yield
+    reset_renderer_for_testing()
+
+
+def _force_json_renderer():
+    r = Renderer.resolve(
+        is_stdout_tty=False,
+        env={},
+        caller=Caller(kind="user", agentic=False, source_env=None),
+        json_flag=True,
+    )
+    r.mode = OutputMode.JSON
+    set_renderer(r)
+    return r
+
+
+def _invoke(args: list[str], capsys) -> tuple[int, dict]:
+    """Invoke `comfy assets ...` and parse the trailing JSON envelope."""
+    _force_json_renderer()
+    runner = CliRunner()
+    result = runner.invoke(project_cmd.assets_app, args, standalone_mode=False)
+    if result.exception is not None and not isinstance(result.exception, SystemExit):
+        raise result.exception
+    # In non-standalone mode click returns typer.Exit's code as the command's
+    # return value (result.exit_code stays 0).
+    exit_code = result.return_value if isinstance(result.return_value, int) else result.exit_code
+    captured = capsys.readouterr().out
+    if not captured.strip():
+        captured = result.stdout or ""
+    for line in reversed(captured.strip().splitlines()):
+        line = line.strip()
+        if not line:
+            continue
+        try:
+            return exit_code, json.loads(line)
+        except json.JSONDecodeError:
+            continue
+    raise AssertionError(f"no JSON envelope (rc={result.exit_code}, out={captured[:500]!r})")
+
+
+def _validator_for(name: str) -> jsonschema.Validator:
+    schema = json.loads((SCHEMAS_DIR / name).read_text())
+    store: dict[str, dict] = {}
+    for path in SCHEMAS_DIR.glob("*.json"):
+        s = json.loads(path.read_text())
+        if s.get("$id"):
+            store[s["$id"]] = s
+        store[path.name] = s
+    base = SCHEMAS_DIR.absolute().as_uri() + "/"
+    resolver = jsonschema.RefResolver(base_uri=base, referrer=schema, store=store)
+    return jsonschema.Draft202012Validator(schema, resolver=resolver)
+
+
+# ---------------------------------------------------------------------------
+# fixtures
+# ---------------------------------------------------------------------------
+
+
+@pytest.fixture
+def proj(tmp_path, monkeypatch) -> Path:
+    """A minimal project/1 tree, with cwd inside it."""
+    root = tmp_path / "proj"
+    root.mkdir()
+    (root / "comfy.yaml").write_text(MARKER)
+    for d in ("assets", "fragments", "blueprints", "outputs", ".comfy"):
+        (root / d).mkdir()
+    monkeypatch.chdir(root)
+    return root
+
+
+@pytest.fixture
+def uploads(monkeypatch) -> list:
+    """Monkeypatch _upload_file + resolve_target; record every upload call."""
+    calls: list[tuple[Path, Target, bool]] = []
+
+    def fake_upload(path, target, *, overwrite):
+        calls.append((Path(path), target, overwrite))
+        return {"name": f"srv-{Path(path).name}", "subfolder": "", "type": "input"}
+
+    def fake_resolve_target(*, where=None, **kw):
+        kind = where or "local"
+        return Target(kind=kind, base_url="http://127.0.0.1:8188")
+
+    monkeypatch.setattr(project_cmd, "_upload_file", fake_upload)
+    monkeypatch.setattr(project_cmd, "resolve_target", fake_resolve_target)
+    return calls
+
+
+def _lock(root: Path) -> dict:
+    return json.loads((root / ".comfy" / "assets.lock.json").read_text())
+
+
+# ---------------------------------------------------------------------------
+# push
+# ---------------------------------------------------------------------------
+
+
+def test_push_uploads_and_writes_lock(proj, uploads, capsys):
+    (proj / "assets" / "keyframes").mkdir()
+    (proj / "assets" / "keyframes" / "s1.png").write_bytes(b"png-one")
+    (proj / "assets" / "flat.png").write_bytes(b"png-two")
+
+    rc, env = _invoke(["push", "--where", "local"], capsys)
+    assert rc == 0
+    _validator_for("envelope.json").validate(env)
+    _validator_for("assets.json").validate(env["data"])
+    assert env["ok"] is True
+    assert env["changed"] is True
+
+    data = env["data"]
+    assert data["where"] == "local"
+    assert data["skipped"] == 0
+    assert data["current"] == []
+    assert data["lock"] == str(proj / ".comfy" / "assets.lock.json")
+    by_name = {p["name"]: p for p in data["pushed"]}
+    assert set(by_name) == {"keyframes/s1.png", "flat.png"}
+    assert by_name["flat.png"]["sha256"] == hashlib.sha256(b"png-two").hexdigest()
+    assert by_name["flat.png"]["cloud_name"] == "srv-flat.png"
+    assert by_name["flat.png"]["size"] == len(b"png-two")
+
+    lock = _lock(proj)
+    assert lock["schema"] == "assets-lock/1"
+    entry = lock["assets"]["keyframes/s1.png"]
+    assert entry["sha256"] == hashlib.sha256(b"png-one").hexdigest()
+    assert entry["cloud_name"] == "srv-s1.png"
+    assert entry["size"] == len(b"png-one")
+    assert entry["where"] == "local"
+    assert "T" in entry["pushed_at"]  # UTC ISO timestamp
+    assert len(uploads) == 2
+
+
+def test_push_skips_dotfiles_and_dot_dirs(proj, uploads, capsys):
+    (proj / "assets" / ".DS_Store").write_bytes(b"junk")
+    (proj / "assets" / ".hidden").mkdir()
+    (proj / "assets" / ".hidden" / "x.png").write_bytes(b"hidden")
+    (proj / "assets" / "real.png").write_bytes(b"real")
+
+    rc, env = _invoke(["push", "--where", "local"], capsys)
+    assert rc == 0
+    assert [p["name"] for p in env["data"]["pushed"]] == ["real.png"]
+    assert len(uploads) == 1
+
+
+def test_second_push_skips_unchanged(proj, uploads, capsys):
+    (proj / "assets" / "a.png").write_bytes(b"same")
+    assert _invoke(["push", "--where", "local"], capsys)[0] == 0
+    uploads.clear()
+
+    rc, env = _invoke(["push", "--where", "local"], capsys)
+    assert rc == 0
+    assert env["changed"] is False
+    assert env["data"]["pushed"] == []
+    assert env["data"]["skipped"] == 1
+    # `current` lists every asset verified up-to-date on this target, so a
+    # script can assert "my files are on the server" from the push envelope
+    # alone: pushed ∪ current ⊇ my files. (A truthful pushed:[] previously
+    # read as failure to agents whose peer had already pushed.)
+    assert env["data"]["current"] == ["a.png"]
+    assert uploads == []
+
+
+def test_force_repushes_unchanged(proj, uploads, capsys):
+    (proj / "assets" / "a.png").write_bytes(b"same")
+    assert _invoke(["push", "--where", "local"], capsys)[0] == 0
+    uploads.clear()
+
+    rc, env = _invoke(["push", "--where", "local", "--force"], capsys)
+    assert rc == 0
+    assert env["changed"] is True
+    assert [p["name"] for p in env["data"]["pushed"]] == ["a.png"]
+    assert len(uploads) == 1
+
+
+def test_changed_sha_repushes(proj, uploads, capsys):
+    (proj / "assets" / "a.png").write_bytes(b"v1")
+    assert _invoke(["push", "--where", "local"], capsys)[0] == 0
+    (proj / "assets" / "a.png").write_bytes(b"v2-different")
+    uploads.clear()
+
+    rc, env = _invoke(["push", "--where", "local"], capsys)
+    assert rc == 0
+    assert [p["name"] for p in env["data"]["pushed"]] == ["a.png"]
+    assert _lock(proj)["assets"]["a.png"]["sha256"] == hashlib.sha256(b"v2-different").hexdigest()
+
+
+def test_different_where_repushes(proj, uploads, capsys):
+    """The lock records WHERE an asset was pushed — a lock entry for local
+    does not satisfy a cloud push."""
+    (proj / "assets" / "a.png").write_bytes(b"same")
+    assert _invoke(["push", "--where", "local"], capsys)[0] == 0
+    uploads.clear()
+
+    rc, env = _invoke(["push", "--where", "cloud"], capsys)
+    assert rc == 0
+    assert [p["name"] for p in env["data"]["pushed"]] == ["a.png"]
+    assert env["data"]["where"] == "cloud"
+    assert _lock(proj)["assets"]["a.png"]["where"] == "cloud"
+
+
+def test_push_outside_project_errors(tmp_path, monkeypatch, uploads, capsys):
+    monkeypatch.chdir(tmp_path)
+    rc, env = _invoke(["push", "--where", "local"], capsys)
+    assert rc == 1
+    assert env["ok"] is False
+    assert env["error"]["code"] == "project_not_found"
+    assert "comfy project init" in env["error"]["hint"]
+    assert uploads == []
+
+
+def test_push_upload_http_error_maps_to_upload_failed(proj, monkeypatch, capsys):
+    (proj / "assets" / "a.png").write_bytes(b"x")
+
+    def boom(path, target, *, overwrite):
+        raise urllib.error.HTTPError("http://x/upload/image", 503, "down", {}, io.BytesIO())
+
+    monkeypatch.setattr(project_cmd, "_upload_file", boom)
+    monkeypatch.setattr(
+        project_cmd,
+        "resolve_target",
+        lambda *, where=None, **kw: Target(kind="local", base_url="http://127.0.0.1:8188"),
+    )
+    rc, env = _invoke(["push", "--where", "local"], capsys)
+    assert rc == 1
+    assert env["error"]["code"] == "upload_failed"
+    # A failed push must not record the file as pushed.
+    assert not (proj / ".comfy" / "assets.lock.json").exists()
+
+
+def test_push_status_join_agrees(proj, uploads, capsys):
+    """`project status` must read the pushed lock as pushed=True, stale=False
+    — and flip stale when the file changes afterwards."""
+    (proj / "assets" / "a.png").write_bytes(b"v1")
+    assert _invoke(["push", "--where", "local"], capsys)[0] == 0
+
+    from comfy_cli.project import find_project
+
+    entries = {e["name"]: e for e in project_cmd._asset_entries(find_project(proj))}
+    assert entries["a.png"]["pushed"] is True
+    assert entries["a.png"]["stale"] is False
+
+    (proj / "assets" / "a.png").write_bytes(b"v2")
+    entries = {e["name"]: e for e in project_cmd._asset_entries(find_project(proj))}
+    assert entries["a.png"]["stale"] is True
+
+
+def test_push_pretty_mode_lists_files(proj, uploads, monkeypatch, capsys):
+    (proj / "assets" / "a.png").write_bytes(b"x")
+    runner = CliRunner()
+    result = runner.invoke(project_cmd.assets_app, ["push", "--where", "local"], standalone_mode=False)
+    out = capsys.readouterr().out + (result.stdout or "")
+    assert "a.png" in out
+    assert "srv-a.png" in out
+
+
+# ---------------------------------------------------------------------------
+# ratchets
+# ---------------------------------------------------------------------------
+
+
+def test_assets_push_registered_in_discovery():
+    from comfy_cli.discovery import COMMAND_SCHEMAS
+
+    assert COMMAND_SCHEMAS["comfy assets push"] == "assets"
+
+
+def test_assets_schema_shipped():
+    schema = json.loads((SCHEMAS_DIR / "assets.json").read_text())
+    assert schema["$id"] == "https://comfy.org/schemas/assets.json"
diff --git a/tests/comfy_cli/command/test_command.py b/tests/comfy_cli/command/test_command.py
index 5c442941..d666d12d 100644
--- a/tests/comfy_cli/command/test_command.py
+++ b/tests/comfy_cli/command/test_command.py
@@ -78,7 +78,9 @@ class TestRunApiKeyResolution:
 
     def test_envvar_is_picked_up(self, runner, mock_run_execute, tmp_path):
         wf = _write_workflow(tmp_path)
-        result = runner.invoke(app, ["run", "--workflow", wf], env={"COMFY_API_KEY": "env-key-xyz"})
+        result = runner.invoke(
+            app, ["run", "--workflow", wf], env={"COMFY_API_KEY": "env-key-xyz", "COMFY_WHERE": "local"}
+        )
         assert result.exit_code == 0, result.output
         assert mock_run_execute.call_args.kwargs["api_key"] == "env-key-xyz"
 
@@ -87,7 +89,7 @@ def test_flag_overrides_envvar(self, runner, mock_run_execute, tmp_path):
         result = runner.invoke(
             app,
             ["run", "--workflow", wf, "--api-key", "flag-key-abc"],
-            env={"COMFY_API_KEY": "env-key-xyz"},
+            env={"COMFY_API_KEY": "env-key-xyz", "COMFY_WHERE": "local"},
         )
         assert result.exit_code == 0, result.output
         assert mock_run_execute.call_args.kwargs["api_key"] == "flag-key-abc"
@@ -95,18 +97,20 @@ def test_flag_overrides_envvar(self, runner, mock_run_execute, tmp_path):
     def test_absent_resolves_to_none(self, runner, mock_run_execute, tmp_path):
         wf = _write_workflow(tmp_path)
         # Explicit empty env to neutralize any host-level COMFY_API_KEY leak.
-        result = runner.invoke(app, ["run", "--workflow", wf], env={"COMFY_API_KEY": ""})
+        result = runner.invoke(app, ["run", "--workflow", wf], env={"COMFY_API_KEY": "", "COMFY_WHERE": "local"})
         assert result.exit_code == 0, result.output
         assert mock_run_execute.call_args.kwargs["api_key"] is None
 
     def test_envvar_trailing_whitespace_is_stripped(self, runner, mock_run_execute, tmp_path):
         wf = _write_workflow(tmp_path)
-        result = runner.invoke(app, ["run", "--workflow", wf], env={"COMFY_API_KEY": "  sk-abc\n"})
+        result = runner.invoke(
+            app, ["run", "--workflow", wf], env={"COMFY_API_KEY": "  sk-abc\n", "COMFY_WHERE": "local"}
+        )
         assert result.exit_code == 0, result.output
         assert mock_run_execute.call_args.kwargs["api_key"] == "sk-abc"
 
     def test_whitespace_only_collapses_to_none(self, runner, mock_run_execute, tmp_path):
         wf = _write_workflow(tmp_path)
-        result = runner.invoke(app, ["run", "--workflow", wf], env={"COMFY_API_KEY": "   \n\t"})
+        result = runner.invoke(app, ["run", "--workflow", wf], env={"COMFY_API_KEY": "   \n\t", "COMFY_WHERE": "local"})
         assert result.exit_code == 0, result.output
         assert mock_run_execute.call_args.kwargs["api_key"] is None
diff --git a/tests/comfy_cli/command/test_command_init.py b/tests/comfy_cli/command/test_command_init.py
new file mode 100644
index 00000000..92af57df
--- /dev/null
+++ b/tests/comfy_cli/command/test_command_init.py
@@ -0,0 +1,90 @@
+"""``comfy_cli.command`` package must eagerly re-export every submodule.
+
+Background: during the agent-shaped-cli rewrite, ``cmdline.py:20`` does
+
+    from comfy_cli.command import transfer as transfer_inner
+
+which Python normally resolves either as an attribute of the ``command``
+package or as a lazy submodule import (file ``comfy_cli/command/transfer.py``).
+A single startup flake was observed where the lazy path returned
+``ImportError: cannot import name 'transfer' from 'comfy_cli.command'``
+on the very first invocation despite the file existing on disk.
+
+The fix is defensive: every CLI subcommand module is re-exported from the
+package's ``__init__.py``, so ``from comfy_cli.command import X`` always
+succeeds via attribute lookup before falling through to the submodule
+discovery path. This pins the contract: if a submodule is added to the
+filesystem but forgotten in ``__init__``, the test below fails before any
+end user sees a broken CLI.
+"""
+
+from __future__ import annotations
+
+import subprocess
+import sys
+import textwrap
+
+EXPECTED_SUBMODULES = frozenset(
+    {
+        "code_search",
+        "custom_nodes",
+        "install",
+        "job_watcher",
+        "jobs",
+        "launch",
+        "nodes",
+        "pr_command",
+        "run",
+        "run_cli",
+        "transfer",
+        "workflow",
+    }
+)
+
+
+def test_command_package_exposes_all_submodules_as_attributes():
+    """Direct attribute access — ``hasattr(comfy_cli.command, 'X')`` for
+    every ``X`` in the expected set. This catches forgotten re-exports
+    without needing a fresh subprocess.
+    """
+    import comfy_cli.command as cmd
+
+    missing = sorted(name for name in EXPECTED_SUBMODULES if not hasattr(cmd, name))
+    assert not missing, (
+        f"comfy_cli.command/__init__.py forgot to re-export: {missing}. "
+        "Add them to the `from . import …` line and to `__all__`."
+    )
+
+
+def test_fresh_interpreter_can_from_import_each_submodule():
+    """Stronger check: in a *fresh* interpreter (no shared module cache),
+    each ``from comfy_cli.command import X`` must succeed. This is the
+    scenario where the original ImportError flake bit — the very first
+    ``comfy run`` in a session.
+    """
+    code = textwrap.dedent(f"""
+        names = {sorted(EXPECTED_SUBMODULES)!r}
+        for n in names:
+            mod = __import__("comfy_cli.command", fromlist=[n])
+            assert hasattr(mod, n), f"missing {{n!r}} after import"
+    """)
+    result = subprocess.run(
+        [sys.executable, "-c", code],
+        capture_output=True,
+        text=True,
+        check=False,
+    )
+    assert result.returncode == 0, (
+        f"fresh-interpreter check failed:\n  stdout={result.stdout}\n  stderr={result.stderr}"
+    )
+
+
+def test_all_lists_every_submodule():
+    """``__all__`` is the source of truth for ``from comfy_cli.command
+    import *`` consumers. Keep it in sync with the actual exports.
+    """
+    import comfy_cli.command as cmd
+
+    declared = set(getattr(cmd, "__all__", ()))
+    missing = EXPECTED_SUBMODULES - declared
+    assert not missing, f"__all__ is missing: {sorted(missing)}. Update __all__ in comfy_cli/command/__init__.py."
diff --git a/tests/comfy_cli/command/test_manager_gui.py b/tests/comfy_cli/command/test_manager_gui.py
index b515f066..3743fc8c 100644
--- a/tests/comfy_cli/command/test_manager_gui.py
+++ b/tests/comfy_cli/command/test_manager_gui.py
@@ -198,11 +198,8 @@ class TestLaunchManagerFlagInjection:
     @patch("comfy_cli.command.launch.launch_comfyui")
     @patch("comfy_cli.command.launch._get_manager_flags", return_value=["--enable-manager"])
     @patch("comfy_cli.command.launch.workspace_manager")
-    @patch("comfy_cli.command.launch.check_for_updates")
     @patch("os.chdir")
-    def test_launch_injects_enable_manager(
-        self, mock_chdir, mock_updates, mock_ws, mock_get_flags, mock_launch_comfyui
-    ):
+    def test_launch_injects_enable_manager(self, mock_chdir, mock_ws, mock_get_flags, mock_launch_comfyui):
         mock_ws.workspace_path = "/fake/workspace"
         mock_ws.workspace_type = "default"
         mock_ws.config_manager.config = {"DEFAULT": {}}
@@ -219,11 +216,8 @@ def test_launch_injects_enable_manager(
     @patch("comfy_cli.command.launch.launch_comfyui")
     @patch("comfy_cli.command.launch._get_manager_flags", return_value=[])
     @patch("comfy_cli.command.launch.workspace_manager")
-    @patch("comfy_cli.command.launch.check_for_updates")
     @patch("os.chdir")
-    def test_launch_no_inject_when_disabled(
-        self, mock_chdir, mock_updates, mock_ws, mock_get_flags, mock_launch_comfyui
-    ):
+    def test_launch_no_inject_when_disabled(self, mock_chdir, mock_ws, mock_get_flags, mock_launch_comfyui):
         mock_ws.workspace_path = "/fake/workspace"
         mock_ws.workspace_type = "default"
         mock_ws.config_manager.config = {"DEFAULT": {}}
@@ -239,11 +233,8 @@ def test_launch_no_inject_when_disabled(
     @patch("comfy_cli.command.launch.launch_comfyui")
     @patch("comfy_cli.command.launch._get_manager_flags", return_value=["--enable-manager"])
     @patch("comfy_cli.command.launch.workspace_manager")
-    @patch("comfy_cli.command.launch.check_for_updates")
     @patch("os.chdir")
-    def test_launch_injects_when_extra_is_none(
-        self, mock_chdir, mock_updates, mock_ws, mock_get_flags, mock_launch_comfyui
-    ):
+    def test_launch_injects_when_extra_is_none(self, mock_chdir, mock_ws, mock_get_flags, mock_launch_comfyui):
         mock_ws.workspace_path = "/fake/workspace"
         mock_ws.workspace_type = "not_default"
         mock_ws.config_manager.config = {"DEFAULT": {}}
@@ -259,11 +250,8 @@ def test_launch_injects_when_extra_is_none(
     @patch("comfy_cli.command.launch.launch_comfyui")
     @patch("comfy_cli.command.launch._get_manager_flags", return_value=["--enable-manager", "--disable-manager-ui"])
     @patch("comfy_cli.command.launch.workspace_manager")
-    @patch("comfy_cli.command.launch.check_for_updates")
     @patch("os.chdir")
-    def test_launch_injects_disable_gui_flags(
-        self, mock_chdir, mock_updates, mock_ws, mock_get_flags, mock_launch_comfyui
-    ):
+    def test_launch_injects_disable_gui_flags(self, mock_chdir, mock_ws, mock_get_flags, mock_launch_comfyui):
         mock_ws.workspace_path = "/fake/workspace"
         mock_ws.workspace_type = "not_default"
         mock_ws.config_manager.config = {"DEFAULT": {}}
@@ -282,11 +270,8 @@ def test_launch_injects_disable_gui_flags(
         "comfy_cli.command.launch._get_manager_flags", return_value=["--enable-manager", "--enable-manager-legacy-ui"]
     )
     @patch("comfy_cli.command.launch.workspace_manager")
-    @patch("comfy_cli.command.launch.check_for_updates")
     @patch("os.chdir")
-    def test_launch_injects_legacy_gui_flags(
-        self, mock_chdir, mock_updates, mock_ws, mock_get_flags, mock_launch_comfyui
-    ):
+    def test_launch_injects_legacy_gui_flags(self, mock_chdir, mock_ws, mock_get_flags, mock_launch_comfyui):
         mock_ws.workspace_path = "/fake/workspace"
         mock_ws.workspace_type = "not_default"
         mock_ws.config_manager.config = {"DEFAULT": {}}
@@ -1065,7 +1050,15 @@ class TestFindCmCli:
 
     def test_find_cm_cli_module_found(self):
         """When cm_cli module exists, should return True."""
-        with patch("importlib.util.find_spec") as mock_find_spec:
+        from comfy_cli.command.custom_nodes import cm_cli_util as _cm_cli_util
+
+        # Pin workspace_path to None so we exercise the find_spec fallback rather
+        # than the workspace-Python subprocess branch (which would skip find_spec
+        # whenever the developer has a workspace configured).
+        with (
+            patch("importlib.util.find_spec") as mock_find_spec,
+            patch.object(_cm_cli_util.workspace_manager, "workspace_path", None),
+        ):
             mock_find_spec.return_value = MagicMock()  # Non-None means module exists
             # Clear cache before test
             from comfy_cli.command.custom_nodes.cm_cli_util import find_cm_cli
@@ -1097,7 +1090,12 @@ def test_find_cm_cli_module_not_found(self):
 
     def test_find_cm_cli_cache_behavior(self):
         """find_cm_cli should cache results and not call find_spec repeatedly."""
-        with patch("importlib.util.find_spec") as mock_find_spec:
+        from comfy_cli.command.custom_nodes import cm_cli_util as _cm_cli_util
+
+        with (
+            patch("importlib.util.find_spec") as mock_find_spec,
+            patch.object(_cm_cli_util.workspace_manager, "workspace_path", None),
+        ):
             mock_find_spec.return_value = MagicMock()
             from comfy_cli.command.custom_nodes.cm_cli_util import find_cm_cli
 
diff --git a/tests/comfy_cli/command/test_nodes_cli.py b/tests/comfy_cli/command/test_nodes_cli.py
new file mode 100644
index 00000000..7ad8c43a
--- /dev/null
+++ b/tests/comfy_cli/command/test_nodes_cli.py
@@ -0,0 +1,206 @@
+"""Layer 2: CLI envelope tests for ``comfy nodes`` — --where passthrough,
+--cloud-disabled note, and --query removal.
+
+Follows the same fixture patterns as test_nodes_introspect.py.
+"""
+
+from __future__ import annotations
+
+import json
+from typing import Any
+
+import pytest
+from typer.testing import CliRunner
+
+from comfy_cli.caller import Caller
+from comfy_cli.command import nodes as nodes_cmd
+from comfy_cli.output.renderer import OutputMode, Renderer, reset_renderer_for_testing, set_renderer
+
+
+@pytest.fixture(autouse=True)
+def reset_singleton():
+    reset_renderer_for_testing()
+    yield
+    reset_renderer_for_testing()
+
+
+def _force_json_renderer():
+    """Pin the renderer to JSON so tests can read envelopes off stdout."""
+    r = Renderer.resolve(
+        is_stdout_tty=False,
+        env={},
+        caller=Caller(kind="user", agentic=False, source_env=None),
+        json_flag=True,
+    )
+    r.mode = OutputMode.JSON
+    set_renderer(r)
+    return r
+
+
+def _fake_object_info() -> dict[str, Any]:
+    """A small object_info dict covering the cases the tests assert on."""
+    return {
+        "CheckpointLoaderSimple": {
+            "input": {"required": {}},
+            "output": ["MODEL", "CLIP", "VAE"],
+            "output_name": ["MODEL", "CLIP", "VAE"],
+            "category": "loaders",
+            "display_name": "Load Checkpoint",
+            "description": "Loads a diffusion model checkpoint.",
+            "output_node": False,
+            "python_module": "nodes",
+        },
+        "KSampler": {
+            "input": {
+                "required": {
+                    "model": ["MODEL"],
+                    "positive": ["CONDITIONING"],
+                    "steps": ["INT", {"default": 20, "min": 1, "max": 10000}],
+                    "sampler_name": [["euler", "heun", "dpmpp_2m"]],
+                    "scheduler": [["normal", "karras", "simple"], {"default": "normal"}],
+                },
+            },
+            "input_order": {"required": ["model", "positive", "steps", "sampler_name", "scheduler"]},
+            "output": ["LATENT"],
+            "output_name": ["LATENT"],
+            "category": "sampling",
+            "display_name": "KSampler",
+            "description": "Denoise the latent via the provided model.",
+            "output_node": False,
+            "python_module": "nodes",
+        },
+        "CLIPTextEncode": {
+            "input": {
+                "required": {
+                    "clip": ["CLIP"],
+                    "text": ["STRING", {"multiline": True}],
+                },
+            },
+            "output": ["CONDITIONING"],
+            "output_name": ["CONDITIONING"],
+            "category": "conditioning",
+            "display_name": "CLIP Text Encode (Prompt)",
+            "description": "Encode prompt text to conditioning.",
+            "output_node": False,
+            "python_module": "nodes",
+        },
+        "SaveImage": {
+            "input": {"required": {}},
+            "output": [],
+            "category": "image",
+            "display_name": "Save Image",
+            "description": "Save image to disk.",
+            "output_node": True,
+            "python_module": "nodes",
+        },
+    }
+
+
+def _fake_graph():
+    """Build a Graph from the fake object_info."""
+    from comfy_cli.cql.engine import Graph
+
+    return Graph.from_object_info(_fake_object_info())
+
+
+@pytest.fixture
+def patched_loader(monkeypatch: pytest.MonkeyPatch):
+    """Bypass network/file loading; serve the fake graph straight to the command."""
+    monkeypatch.setattr(nodes_cmd, "_get_graph", lambda *a, **kw: _fake_graph())
+
+
+def _run(args: list[str], capsys: pytest.CaptureFixture[str]) -> dict[str, Any]:
+    _force_json_renderer()
+    runner = CliRunner()
+    result = runner.invoke(nodes_cmd.app, args, standalone_mode=False)
+    captured = capsys.readouterr().out
+    if not captured.strip():
+        captured = result.stdout or ""
+    assert captured.strip(), f"no envelope on stdout (rc={result.exit_code})"
+    return json.loads(captured.strip().splitlines()[-1])
+
+
+# ---------------------------------------------------------------------------
+# --where passthrough tests
+# ---------------------------------------------------------------------------
+
+
+class _WhereSpy:
+    """Records what ``where=`` value ``_get_graph`` received."""
+
+    def __init__(self):
+        self.captured_where: Any = "NOT_CALLED"
+
+    def __call__(self, *a, **kw):
+        self.captured_where = kw.get("where")
+        return _fake_graph()
+
+
+class TestLsWhereFlag:
+    def test_ls_passes_where_to_get_graph(self, monkeypatch, capsys):
+        spy = _WhereSpy()
+        monkeypatch.setattr(nodes_cmd, "_get_graph", spy)
+        _run(["ls", "--where", "cloud"], capsys)
+        assert spy.captured_where == "cloud"
+
+    def test_ls_default_where_is_none(self, monkeypatch, capsys):
+        spy = _WhereSpy()
+        monkeypatch.setattr(nodes_cmd, "_get_graph", spy)
+        _run(["ls"], capsys)
+        assert spy.captured_where is None
+
+
+class TestSearchWhereFlag:
+    def test_search_passes_where(self, monkeypatch, capsys):
+        spy = _WhereSpy()
+        monkeypatch.setattr(nodes_cmd, "_get_graph", spy)
+        _run(["search", "KSampler", "--where", "cloud"], capsys)
+        assert spy.captured_where == "cloud"
+
+
+class TestUpstreamWhereFlag:
+    def test_upstream_passes_where(self, monkeypatch, capsys):
+        spy = _WhereSpy()
+        monkeypatch.setattr(nodes_cmd, "_get_graph", spy)
+        _run(["upstream", "KSampler", "--where", "cloud"], capsys)
+        assert spy.captured_where == "cloud"
+
+
+class TestDownstreamWhereFlag:
+    def test_downstream_passes_where(self, monkeypatch, capsys):
+        spy = _WhereSpy()
+        monkeypatch.setattr(nodes_cmd, "_get_graph", spy)
+        _run(["downstream", "CheckpointLoaderSimple", "--where", "cloud"], capsys)
+        assert spy.captured_where == "cloud"
+
+
+# ---------------------------------------------------------------------------
+# --cloud-disabled note tests
+# ---------------------------------------------------------------------------
+
+
+class TestCloudDisabledNote:
+    def test_cloud_disabled_on_cloud_shows_note(self, patched_loader, monkeypatch, capsys):
+        monkeypatch.setattr(nodes_cmd, "_resolved_where", lambda where: "cloud")
+        env = _run(["ls", "--cloud-disabled"], capsys)
+        assert env["data"]["count"] == 0
+        assert "cloud_note" in env["data"]
+        assert "local server" in env["data"]["cloud_note"].lower() or "local" in env["data"]["cloud_note"].lower()
+
+    def test_cloud_disabled_on_local_no_note(self, patched_loader, monkeypatch, capsys):
+        monkeypatch.setattr(nodes_cmd, "_resolved_where", lambda where: "local")
+        env = _run(["ls", "--cloud-disabled"], capsys)
+        assert env["data"]["count"] == 0
+        assert "cloud_note" not in env["data"]
+
+
+# ---------------------------------------------------------------------------
+# --query flag removed
+# ---------------------------------------------------------------------------
+
+
+class TestQueryFlagRemoved:
+    def test_query_flag_rejected(self):
+        runner = CliRunner()
+        result = runner.invoke(nodes_cmd.app, ["ls", "--query", "produces IMAGE"])
+        assert result.exit_code != 0
diff --git a/tests/comfy_cli/command/test_nodes_introspect.py b/tests/comfy_cli/command/test_nodes_introspect.py
new file mode 100644
index 00000000..c22f5b7b
--- /dev/null
+++ b/tests/comfy_cli/command/test_nodes_introspect.py
@@ -0,0 +1,289 @@
+"""Tests for ``comfy nodes`` — agent-facing node-class introspection.
+
+The commands are thin wrappers over the CQL stub's loader, so the heavy
+lifting is in the wiring (filter precedence, error codes, envelope shape).
+Tests use a hand-rolled graph fixture instead of hitting a live server.
+"""
+
+from __future__ import annotations
+
+import json
+from typing import Any
+
+import pytest
+from typer.testing import CliRunner
+
+from comfy_cli.caller import Caller
+from comfy_cli.command import nodes as nodes_cmd
+from comfy_cli.output.renderer import OutputMode, Renderer, reset_renderer_for_testing, set_renderer
+
+
+@pytest.fixture(autouse=True)
+def reset_singleton():
+    reset_renderer_for_testing()
+    yield
+    reset_renderer_for_testing()
+
+
+def _force_json_renderer():
+    """Pin the renderer to JSON so tests can read envelopes off stdout."""
+    r = Renderer.resolve(
+        is_stdout_tty=False,
+        env={},
+        caller=Caller(kind="user", agentic=False, source_env=None),
+        json_flag=True,
+    )
+    r.mode = OutputMode.JSON
+    set_renderer(r)
+    return r
+
+
+def _fake_object_info() -> dict[str, Any]:
+    """A small object_info dict covering the cases the tests assert on."""
+    return {
+        "CheckpointLoaderSimple": {
+            "input": {"required": {}},
+            "output": ["MODEL", "CLIP", "VAE"],
+            "output_name": ["MODEL", "CLIP", "VAE"],
+            "category": "loaders",
+            "display_name": "Load Checkpoint",
+            "description": "Loads a diffusion model checkpoint.",
+            "output_node": False,
+            "python_module": "nodes",
+        },
+        "KSampler": {
+            "input": {
+                "required": {
+                    "model": ["MODEL"],
+                    "positive": ["CONDITIONING"],
+                    "steps": ["INT", {"default": 20, "min": 1, "max": 10000}],
+                    "sampler_name": [["euler", "heun", "dpmpp_2m"]],
+                    "scheduler": [["normal", "karras", "simple"], {"default": "normal"}],
+                },
+            },
+            "input_order": {"required": ["model", "positive", "steps", "sampler_name", "scheduler"]},
+            "output": ["LATENT"],
+            "output_name": ["LATENT"],
+            "category": "sampling",
+            "display_name": "KSampler",
+            "description": "Denoise the latent via the provided model.",
+            "output_node": False,
+            "python_module": "nodes",
+        },
+        "CLIPTextEncode": {
+            "input": {
+                "required": {
+                    "clip": ["CLIP"],
+                    "text": ["STRING", {"multiline": True}],
+                },
+            },
+            "output": ["CONDITIONING"],
+            "output_name": ["CONDITIONING"],
+            "category": "conditioning",
+            "display_name": "CLIP Text Encode (Prompt)",
+            "description": "Encode prompt text to conditioning.",
+            "output_node": False,
+            "python_module": "nodes",
+        },
+        "SaveImage": {
+            "input": {"required": {}},
+            "output": [],
+            "category": "image",
+            "display_name": "Save Image",
+            "description": "Save image to disk.",
+            "output_node": True,
+            "python_module": "nodes",
+        },
+    }
+
+
+def _fake_graph():
+    """Build a Graph from the fake object_info."""
+    from comfy_cli.cql.engine import Graph
+
+    return Graph.from_object_info(_fake_object_info())
+
+
+@pytest.fixture
+def patched_loader(monkeypatch: pytest.MonkeyPatch):
+    """Bypass network/file loading; serve the fake graph straight to the command."""
+    monkeypatch.setattr(nodes_cmd, "_get_graph", lambda *a, **kw: _fake_graph())
+
+
+def _run(args: list[str], capsys: pytest.CaptureFixture[str]) -> dict[str, Any]:
+    _force_json_renderer()
+    runner = CliRunner()
+    result = runner.invoke(nodes_cmd.app, args, standalone_mode=False)
+    # The renderer writes to its own stream; capsys captures stdout.
+    captured = capsys.readouterr().out
+    if not captured.strip():
+        # Renderer wrote to its bound stream (sys.stdout in JSON mode); the
+        # CliRunner may have stolen it. Fall back to result.stdout.
+        captured = result.stdout or ""
+    assert captured.strip(), f"no envelope on stdout (rc={result.exit_code})"
+    return json.loads(captured.strip().splitlines()[-1])
+
+
+class TestLs:
+    def test_no_filter_returns_all(self, patched_loader, capsys):
+        env = _run(["ls"], capsys)
+        assert env["ok"] is True
+        assert env["data"]["count"] == 4
+
+    def test_produces_filter(self, patched_loader, capsys):
+        env = _run(["ls", "--produces", "MODEL"], capsys)
+        assert env["data"]["count"] == 1
+        assert env["data"]["rows"][0]["name"] == "CheckpointLoaderSimple"
+
+    def test_produces_filter_case_insensitive(self, patched_loader, capsys):
+        env = _run(["ls", "--produces", "model"], capsys)
+        assert env["data"]["count"] == 1
+
+    def test_accepts_filter(self, patched_loader, capsys):
+        env = _run(["ls", "--accepts", "MODEL"], capsys)
+        assert env["data"]["count"] == 1
+        assert env["data"]["rows"][0]["name"] == "KSampler"
+
+    def test_category_glob(self, patched_loader, capsys):
+        env = _run(["ls", "--category", "sampling*"], capsys)
+        assert env["data"]["count"] == 1
+        assert env["data"]["rows"][0]["name"] == "KSampler"
+
+    def test_category_sql_percent_pattern(self, patched_loader, capsys):
+        """Agents from the SQL-CQL grammar might still send `%`."""
+        env = _run(["ls", "--category", "samp%"], capsys)
+        assert env["data"]["count"] == 1
+
+    def test_limit(self, patched_loader, capsys):
+        env = _run(["ls", "--limit", "2"], capsys)
+        assert env["data"]["count"] == 2
+
+    def test_filter_block_present_in_envelope(self, patched_loader, capsys):
+        env = _run(["ls", "--produces", "LATENT", "--category", "samp*"], capsys)
+        f = env["data"]["filter"]
+        assert f["produces"] == "LATENT"
+        assert f["accepts"] is None
+        assert f["category"] == "samp*"
+
+
+class TestShow:
+    def test_basic_envelope(self, patched_loader, capsys):
+        env = _run(["show", "KSampler"], capsys)
+        assert env["ok"] is True
+        d = env["data"]
+        assert d["name"] == "KSampler"
+        assert d["category"] == "sampling"
+        assert d["output_types"] == ["LATENT"]
+        # Inputs include section + type + options.
+        inputs = {i["name"]: i for i in d["inputs"]}
+        assert "model" in inputs and inputs["model"]["type"] == "MODEL"
+        assert inputs["steps"]["options"]["default"] == 20
+
+    def test_inputs_sorted_required_first(self, patched_loader, capsys):
+        env = _run(["show", "KSampler"], capsys)
+        sections = [i["section"] for i in env["data"]["inputs"]]
+        # No `optional` in the fixture; just verify all required come before any non-required.
+        first_optional = next((i for i, s in enumerate(sections) if s != "required"), len(sections))
+        last_required = max((i for i, s in enumerate(sections) if s == "required"), default=-1)
+        assert last_required < first_optional
+
+    def test_node_not_found_emits_structured_error(self, patched_loader, capsys):
+        env = _run(["show", "Nonexistent"], capsys)
+        assert env["ok"] is False
+        assert env["error"]["code"] == "node_not_found"
+        assert "close_matches" in env["error"]["details"]
+
+    def test_node_not_found_suggests_close_matches(self, patched_loader, capsys):
+        # Lowercase typo should still surface KSampler as a close match.
+        env = _run(["show", "ksampler"], capsys)
+        close = env["error"]["details"]["close_matches"]
+        assert "KSampler" in close
+
+    def test_choices_populated_for_local_enum(self, patched_loader, capsys):
+        env = _run(["show", "KSampler"], capsys)
+        inputs = {i["name"]: i for i in env["data"]["inputs"]}
+        assert inputs["sampler_name"]["choices"] == ["euler", "heun", "dpmpp_2m"]
+
+    def test_choices_populated_for_cloud_combo(self, patched_loader, capsys):
+        """Cloud-API COMBO inputs nest their choices at options.options.
+        `nodes show` should normalize them into the same `choices` array
+        as local ENUM inputs — agents shouldn't need to know which shape
+        the graph happens to use."""
+        env = _run(["show", "KSampler"], capsys)
+        inputs = {i["name"]: i for i in env["data"]["inputs"]}
+        assert inputs["scheduler"]["choices"] == ["normal", "karras", "simple"]
+        # And the raw options block is still passed through for callers
+        # that need the default / min / max metadata.
+        assert inputs["scheduler"]["options"]["default"] == "normal"
+
+
+class TestSearch:
+    def test_exact_name_wins(self, patched_loader, capsys):
+        env = _run(["search", "KSampler"], capsys)
+        assert env["data"]["count"] >= 1
+        assert env["data"]["rows"][0]["name"] == "KSampler"
+
+    def test_substring_match(self, patched_loader, capsys):
+        env = _run(["search", "checkpoint"], capsys)
+        assert env["data"]["count"] >= 1
+        assert env["data"]["rows"][0]["name"] == "CheckpointLoaderSimple"
+
+    def test_description_match(self, patched_loader, capsys):
+        env = _run(["search", "Denoise"], capsys)
+        # KSampler's description contains "Denoise"; should match.
+        names = [r["name"] for r in env["data"]["rows"]]
+        assert "KSampler" in names
+
+    def test_no_match_returns_empty(self, patched_loader, capsys):
+        env = _run(["search", "xyzzy_nothing"], capsys)
+        assert env["data"]["count"] == 0
+        assert env["data"]["rows"] == []
+
+    def test_limit_caps_results(self, patched_loader, capsys):
+        env = _run(["search", "e", "--limit", "2"], capsys)
+        assert env["data"]["count"] <= 2
+
+
+class TestFlattenCategoryTree:
+    """Pin the shape contract for the wasm CategoryTree, since the flattener
+    has to know the (capital-cased) field names the Go side emits."""
+
+    def test_walks_nested_children(self):
+        tree = {
+            "Root": {
+                "Name": "",
+                "FullPath": "",
+                "Children": {
+                    "loaders": {
+                        "FullPath": "loaders",
+                        "Count": 22,
+                        "Children": {
+                            "advanced": {
+                                "FullPath": "loaders/advanced",
+                                "Count": 4,
+                                "Children": {},
+                            },
+                        },
+                    },
+                    "sampling": {
+                        "FullPath": "sampling",
+                        "Count": 8,
+                        "Children": {},
+                    },
+                },
+            },
+        }
+        from comfy_cli.command.nodes import _flatten_category_tree
+
+        flat = _flatten_category_tree(tree)
+        flat_dict = dict(flat)
+        assert flat_dict["loaders"] == 22
+        assert flat_dict["loaders/advanced"] == 4
+        assert flat_dict["sampling"] == 8
+
+    def test_empty_or_malformed_returns_empty(self):
+        from comfy_cli.command.nodes import _flatten_category_tree
+
+        assert _flatten_category_tree({}) == []
+        assert _flatten_category_tree({"Root": None}) == []
+        assert _flatten_category_tree("not a dict") == []  # type: ignore[arg-type]
diff --git a/tests/comfy_cli/command/test_observer_session_safety.py b/tests/comfy_cli/command/test_observer_session_safety.py
new file mode 100644
index 00000000..9eadf3d9
--- /dev/null
+++ b/tests/comfy_cli/command/test_observer_session_safety.py
@@ -0,0 +1,85 @@
+"""Observer commands must not hold session-clearing rights.
+
+June 2026 field incident: a batch production ran dozens of concurrent
+``jobs status`` / ``download`` retry loops; one of them hit a fatal
+``invalid_grant`` on token refresh and — holding the default
+``clear_session_on_auth_failure=True`` — wiped the shared OAuth session
+mid-run, turning a transient server-side hiccup into a hard logout that
+needed a human to re-run ``comfy cloud login``.
+
+Policy pinned here: commands that *observe* jobs (status/ls/watch snapshots,
+download) construct their cloud Client with
+``clear_session_on_auth_failure=False`` — same as the detached run watcher.
+Only session-lifecycle owners (login/logout, foreground ``run``) may clear.
+"""
+
+from __future__ import annotations
+
+import pytest
+
+
+class _CapturingClient:
+    """Stands in for comfy_client.Client; records constructor kwargs."""
+
+    captured: list[dict] = []
+
+    def __init__(self, target, *, timeout: float = 30.0, clear_session_on_auth_failure: bool = True):
+        type(self).captured.append({"clear_session_on_auth_failure": clear_session_on_auth_failure})
+        self.target = target
+
+
+@pytest.fixture(autouse=True)
+def _reset_captures():
+    _CapturingClient.captured = []
+    yield
+    _CapturingClient.captured = []
+
+
+@pytest.fixture
+def _fake_target(monkeypatch):
+    import comfy_cli.target as target_mod
+
+    class _T:
+        base_url = "https://cloud.example"
+
+    monkeypatch.setattr(target_mod, "resolve_target", lambda **kw: _T())
+    return _T
+
+
+def test_jobs_cloud_client_cannot_clear_session(monkeypatch, _fake_target):
+    import comfy_cli.comfy_client as comfy_client_mod
+    from comfy_cli.command import jobs
+
+    monkeypatch.setattr(comfy_client_mod, "Client", _CapturingClient)
+    jobs._cloud_client()
+    assert _CapturingClient.captured, "jobs._cloud_client() did not construct a Client"
+    assert _CapturingClient.captured[-1]["clear_session_on_auth_failure"] is False
+
+
+def test_download_fallback_client_cannot_clear_session():
+    """The download command's API-fallback Client (transfer.py) must pass
+    clear_session_on_auth_failure=False. Pinned at source level: a download
+    retry loop is exactly the workload that wiped the session in the field."""
+    import ast
+    import inspect
+
+    from comfy_cli.command import transfer
+
+    tree = ast.parse(inspect.getsource(transfer))
+    client_calls = [
+        node
+        for node in ast.walk(tree)
+        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and node.func.id == "Client"
+    ]
+    assert client_calls, "expected at least one Client(...) construction in transfer.py"
+    for call in client_calls:
+        kwargs = {kw.arg: kw.value for kw in call.keywords}
+        assert "clear_session_on_auth_failure" in kwargs, (
+            f"transfer.py line {call.lineno}: Client(...) without explicit "
+            "clear_session_on_auth_failure=False — observer commands must not "
+            "be able to wipe the shared OAuth session"
+        )
+        value = kwargs["clear_session_on_auth_failure"]
+        assert isinstance(value, ast.Constant) and value.value is False, (
+            f"transfer.py line {call.lineno}: clear_session_on_auth_failure must be the literal False"
+        )
diff --git a/tests/comfy_cli/command/test_project_command.py b/tests/comfy_cli/command/test_project_command.py
new file mode 100644
index 00000000..a44ad114
--- /dev/null
+++ b/tests/comfy_cli/command/test_project_command.py
@@ -0,0 +1,237 @@
+"""``comfy project`` integration: init / status via subprocess (the same
+pattern as tests/comfy_cli/auth/test_auth_command.py)."""
+
+from __future__ import annotations
+
+import hashlib
+import json
+import os
+import subprocess
+import sys
+from pathlib import Path
+
+import jsonschema
+import pytest
+
+SCHEMAS_DIR = Path(__file__).parent.parent.parent.parent / "comfy_cli" / "schemas"
+
+MARKER = "schema: project/1\ndefaults:\n  where: cloud\n"
+CONVENTIONAL = ("assets", "fragments", "blueprints", "outputs", ".comfy")
+
+
+def _validator_for(name: str) -> jsonschema.Validator:
+    schema = json.loads((SCHEMAS_DIR / name).read_text())
+    store: dict[str, dict] = {}
+    for path in SCHEMAS_DIR.glob("*.json"):
+        s = json.loads(path.read_text())
+        if s.get("$id"):
+            store[s["$id"]] = s
+        store[path.name] = s
+    base = SCHEMAS_DIR.absolute().as_uri() + "/"
+    resolver = jsonschema.RefResolver(base_uri=base, referrer=schema, store=store)
+    return jsonschema.Draft202012Validator(schema, resolver=resolver)
+
+
+@pytest.fixture
+def proj_dir(tmp_path):
+    d = tmp_path / "proj"
+    d.mkdir()
+    return d
+
+
+def _run(args, cwd):
+    env = os.environ.copy()
+    env["NO_COLOR"] = "1"
+    return subprocess.run(
+        [sys.executable, "-m", "comfy_cli", *args],
+        capture_output=True,
+        text=True,
+        env=env,
+        cwd=str(cwd),
+        check=False,
+    )
+
+
+def _last_json(stdout: str) -> dict:
+    last = [line for line in stdout.splitlines() if line.strip()][-1]
+    return json.loads(last)
+
+
+# ---------------------------------------------------------------------------
+# comfy project init
+# ---------------------------------------------------------------------------
+
+
+def test_init_creates_marker_and_conventional_dirs(proj_dir):
+    # Pin the backend via the flag: auto-detect depends on whether the host
+    # machine has cloud credentials, and tests must not.
+    res = _run(["--json", "project", "init", "--where", "cloud"], proj_dir)
+    assert res.returncode == 0, res.stderr
+    env = _last_json(res.stdout)
+    _validator_for("envelope.json").validate(env)
+    _validator_for("project.json").validate(env["data"])
+    assert env["ok"] is True
+    assert env["changed"] is True
+    assert env["data"]["action"] == "init"
+    assert env["data"]["root"] == str(proj_dir.resolve())
+    assert env["data"]["where_default"] == "cloud"
+
+    marker = proj_dir / "comfy.yaml"
+    assert marker.is_file()
+    assert "schema: project/1" in marker.read_text()
+    assert "where: cloud" in marker.read_text()
+    for d in CONVENTIONAL:
+        assert (proj_dir / d).is_dir(), d
+
+
+def test_init_where_local_writes_local_default(proj_dir):
+    res = _run(["--json", "project", "init", "--where", "local"], proj_dir)
+    assert res.returncode == 0, res.stderr
+    env = _last_json(res.stdout)
+    assert env["data"]["where_default"] == "local"
+    assert "where: local" in (proj_dir / "comfy.yaml").read_text()
+
+
+def test_init_invalid_where_errors(proj_dir):
+    res = _run(["--json", "project", "init", "--where", "marsbase"], proj_dir)
+    assert res.returncode == 1
+    env = _last_json(res.stdout)
+    assert env["ok"] is False
+    assert env["error"]["code"] == "invalid_argument"
+    assert not (proj_dir / "comfy.yaml").exists()
+
+
+def test_reinit_errors_with_project_already_exists(proj_dir):
+    assert _run(["--json", "project", "init"], proj_dir).returncode == 0
+    res = _run(["--json", "project", "init"], proj_dir)
+    assert res.returncode == 1
+    env = _last_json(res.stdout)
+    assert env["ok"] is False
+    assert env["error"]["code"] == "project_already_exists"
+    assert str(proj_dir.resolve()) in env["error"]["message"]
+
+
+def test_init_inside_parent_project_errors(proj_dir):
+    # A nested dir under an existing project is already governed — init refuses.
+    assert _run(["--json", "project", "init"], proj_dir).returncode == 0
+    nested = proj_dir / "blueprints"
+    res = _run(["--json", "project", "init"], nested)
+    assert res.returncode == 1
+    env = _last_json(res.stdout)
+    assert env["error"]["code"] == "project_already_exists"
+    assert str(proj_dir.resolve()) in env["error"]["message"]
+
+
+# ---------------------------------------------------------------------------
+# comfy project status
+# ---------------------------------------------------------------------------
+
+
+def test_status_outside_project_errors(proj_dir):
+    res = _run(["--json", "project", "status"], proj_dir)
+    assert res.returncode == 1
+    env = _last_json(res.stdout)
+    assert env["ok"] is False
+    assert env["error"]["code"] == "project_not_found"
+    assert "comfy project init" in env["error"]["hint"]
+
+
+def test_status_inside_project_envelope_validates(proj_dir):
+    # Pin --where so the marker's default doesn't fall through to credential
+    # auto-detect, which would resolve to "cloud" on a machine with cloud
+    # creds but "local" on a clean CI runner.
+    assert _run(["--json", "project", "init", "--where", "cloud"], proj_dir).returncode == 0
+    (proj_dir / "blueprints" / "story.yaml").write_text("pipeline: []\n")
+    asset = proj_dir / "assets" / "keyframes" / "s1.png"
+    asset.parent.mkdir(parents=True)
+    asset.write_bytes(b"fake-png-bytes")
+    (proj_dir / "assets" / ".DS_Store").write_bytes(b"junk")  # dotfiles skipped
+    (proj_dir / "scratch").mkdir()  # unconventional → warning
+
+    res = _run(["--json", "project", "status"], proj_dir)
+    assert res.returncode == 0, res.stderr
+    env = _last_json(res.stdout)
+    _validator_for("envelope.json").validate(env)
+    _validator_for("project.json").validate(env["data"])
+
+    data = env["data"]
+    assert data["root"] == str(proj_dir.resolve())
+    assert data["schema"] == "project/1"
+    assert data["defaults"] == {"where": "cloud"}
+    assert data["blueprints"] == ["story.yaml"]
+
+    assert len(data["assets"]) == 1
+    entry = data["assets"][0]
+    assert entry["name"] == "keyframes/s1.png"
+    assert entry["sha256"] == hashlib.sha256(b"fake-png-bytes").hexdigest()
+    assert entry["size"] == len(b"fake-png-bytes")
+    assert entry["pushed"] is False
+    assert entry["stale"] is False
+
+    assert data["recent_runs"] == []
+    assert data["warnings"] == ["unknown top-level directory: scratch"]
+
+
+def test_status_joins_assets_against_lock(proj_dir):
+    assert _run(["--json", "project", "init"], proj_dir).returncode == 0
+    fresh = proj_dir / "assets" / "fresh.png"
+    fresh.write_bytes(b"fresh")
+    stale = proj_dir / "assets" / "stale.png"
+    stale.write_bytes(b"new-content")
+    (proj_dir / "assets" / "unpushed.png").write_bytes(b"unpushed")
+
+    lock = {
+        "schema": "assets-lock/1",
+        "assets": {
+            "fresh.png": {"sha256": hashlib.sha256(b"fresh").hexdigest(), "cloud_name": "ab12.png"},
+            "stale.png": {"sha256": hashlib.sha256(b"old-content").hexdigest(), "cloud_name": "cd34.png"},
+        },
+    }
+    (proj_dir / ".comfy" / "assets.lock.json").write_text(json.dumps(lock))
+
+    res = _run(["--json", "project", "status"], proj_dir)
+    assert res.returncode == 0, res.stderr
+    by_name = {a["name"]: a for a in _last_json(res.stdout)["data"]["assets"]}
+    assert by_name["fresh.png"]["pushed"] is True
+    assert by_name["fresh.png"]["stale"] is False
+    assert by_name["stale.png"]["pushed"] is True
+    assert by_name["stale.png"]["stale"] is True
+    assert by_name["unpushed.png"]["pushed"] is False
+    assert by_name["unpushed.png"]["stale"] is False
+
+
+def test_status_surfaces_recent_runs_from_journal(proj_dir):
+    assert _run(["--json", "project", "init"], proj_dir).returncode == 0
+    runs = proj_dir / ".comfy" / "runs.jsonl"
+    lines = [json.dumps({"ts": f"2026-06-10T00:00:{i:02d}+00:00", "cmd": "run", "seq": i}) for i in range(3)]
+    runs.write_text("\n".join(lines) + "\n")
+
+    res = _run(["--json", "project", "status"], proj_dir)
+    data = _last_json(res.stdout)["data"]
+    assert [r["seq"] for r in data["recent_runs"]] == [0, 1, 2]  # newest last
+
+
+def test_status_pretty_mode_mentions_root(proj_dir):
+    assert _run(["project", "init"], proj_dir).returncode == 0
+    res = _run(["project", "status"], proj_dir)
+    assert res.returncode == 0, res.stderr
+    assert str(proj_dir.resolve()) in res.stdout
+
+
+# ---------------------------------------------------------------------------
+# ratchets
+# ---------------------------------------------------------------------------
+
+
+def test_project_commands_registered_in_discovery():
+    from comfy_cli.discovery import COMMAND_SCHEMAS
+
+    assert COMMAND_SCHEMAS["comfy project init"] == "project"
+    assert COMMAND_SCHEMAS["comfy project status"] == "project"
+
+
+def test_project_error_codes_registered():
+    from comfy_cli import error_codes
+
+    assert error_codes.is_registered("project_already_exists")
+    assert error_codes.is_registered("project_not_found")
diff --git a/tests/comfy_cli/command/test_run.py b/tests/comfy_cli/command/test_run.py
index e74563f5..e135d990 100644
--- a/tests/comfy_cli/command/test_run.py
+++ b/tests/comfy_cli/command/test_run.py
@@ -11,6 +11,10 @@
 
 from comfy_cli.command.run import (
     WorkflowExecution,
+    _count_output_nodes,
+    _detect_partner_nodes,
+    _resolve_partner_credential,
+    _returned_output_node_count,
     execute,
     fetch_object_info,
     is_ui_workflow,
@@ -51,6 +55,7 @@ def mock_execution(workflow):
         host="127.0.0.1",
         port=8188,
         verbose=False,
+        local_paths=False,
         progress=progress,
         timeout=30,
     )
@@ -163,6 +168,7 @@ def _make_exec(self, workflow, api_key=None):
             host="127.0.0.1",
             port=8188,
             verbose=False,
+            local_paths=False,
             progress=progress,
             timeout=30,
             api_key=api_key,
@@ -270,6 +276,7 @@ def test_unknown_node_ids_verbose(self, workflow):
             host="127.0.0.1",
             port=8188,
             verbose=True,
+            local_paths=False,
             progress=progress,
             timeout=30,
         )
@@ -286,6 +293,33 @@ def test_unknown_node_ids_verbose(self, workflow):
 
         execution.watch_execution()
 
+    def test_no_progress_bar_survives_cached_and_executing(self, workflow):
+        """In --json mode the renderer passes progress=None; cached + executing events must not NPE."""
+        prompt_id = "test-prompt"
+        execution = WorkflowExecution(
+            workflow=workflow,
+            host="127.0.0.1",
+            port=8188,
+            verbose=False,
+            progress=None,
+            local_paths=False,
+            timeout=30,
+        )
+        execution.prompt_id = prompt_id
+
+        messages = [
+            json.dumps({"type": "execution_cached", "data": {"prompt_id": prompt_id, "nodes": ["1"]}}),
+            _make_msg("executing", prompt_id, node="2"),
+            _make_msg("executed", prompt_id, node="2"),
+            _make_msg("executing", prompt_id, node=None),
+        ]
+        mock_ws = MagicMock()
+        mock_ws.recv.side_effect = messages
+        execution.ws = mock_ws
+
+        execution.watch_execution()
+        assert len(execution.remaining_nodes) == 0
+
     def test_collects_image_outputs(self, mock_execution):
         prompt_id = "test-prompt"
         mock_execution.prompt_id = prompt_id
@@ -451,6 +485,310 @@ def test_progress_stopped_on_error(self, workflow_file):
             mock_progress.stop.assert_called()
 
 
+class TestDetectPartnerNodes:
+    """Partner-API nodes (category `partner/...` or the authoritative
+    `api_node: true` flag) must be detected before a local submit so we can
+    refuse early instead of failing opaquely at execute time with
+    `Unauthorized: Please login first`."""
+
+    def _info(self, **categories):
+        # Build a minimal /object_info-shape dict from class_type → category.
+        return {ct: {"category": cat} for ct, cat in categories.items()}
+
+    def test_finds_partner_nodes_in_workflow(self):
+        wf = {
+            "1": {"class_type": "Veo3VideoGenerationNode", "inputs": {}},
+            "2": {"class_type": "SaveVideo", "inputs": {}},
+            "3": {"class_type": "KlingImage2VideoNode", "inputs": {}},
+        }
+        info = self._info(
+            Veo3VideoGenerationNode="partner/video/Veo",
+            SaveVideo="video",
+            KlingImage2VideoNode="partner/video/Kling",
+        )
+        assert _detect_partner_nodes(wf, info) == [
+            "KlingImage2VideoNode",
+            "Veo3VideoGenerationNode",
+        ]
+
+    def test_returns_empty_when_no_partner_nodes(self):
+        wf = {
+            "1": {"class_type": "EmptyLatentImage", "inputs": {}},
+            "2": {"class_type": "KSampler", "inputs": {}},
+        }
+        info = self._info(EmptyLatentImage="latent", KSampler="sampling")
+        assert _detect_partner_nodes(wf, info) == []
+
+    def test_ignores_unknown_class_types(self):
+        """A workflow with a class_type the server doesn't advertise (custom
+        node, typo) is not treated as a partner node — we only flag when
+        the server explicitly categorizes it under `partner/*`."""
+        wf = {"1": {"class_type": "SomeUnknownThing", "inputs": {}}}
+        info = self._info(KSampler="sampling")
+        assert _detect_partner_nodes(wf, info) == []
+
+    def test_handles_malformed_workflow_entries(self):
+        wf = {
+            "1": "not-a-dict",
+            "2": {"class_type": None, "inputs": {}},
+            "3": {"inputs": {}},  # no class_type
+            "4": {"class_type": "Veo3VideoGenerationNode", "inputs": {}},
+        }
+        info = self._info(Veo3VideoGenerationNode="partner/video/Veo")
+        assert _detect_partner_nodes(wf, info) == ["Veo3VideoGenerationNode"]
+
+    def test_finds_partner_nodes_with_partner_prefix(self):
+        """Current cloud/ComfyUI categorizes partner nodes under `partner/...`
+        (e.g. `partner/video/ByteDance`)."""
+        wf = {
+            "1": {"class_type": "ByteDanceTextToVideoNode", "inputs": {}},
+            "2": {"class_type": "SaveVideo", "inputs": {}},
+        }
+        info = self._info(
+            ByteDanceTextToVideoNode="partner/video/ByteDance",
+            SaveVideo="video",
+        )
+        assert _detect_partner_nodes(wf, info) == ["ByteDanceTextToVideoNode"]
+
+    def test_finds_partner_nodes_via_api_node_flag(self):
+        """The authoritative signal is `api_node: true`, even if the category
+        doesn't match either prefix."""
+        wf = {"1": {"class_type": "SomePartnerNode", "inputs": {}}}
+        info = {"SomePartnerNode": {"category": "weird/category", "api_node": True}}
+        assert _detect_partner_nodes(wf, info) == ["SomePartnerNode"]
+
+    def test_legacy_api_node_prefix_no_longer_detected(self):
+        """One name per concept: the legacy `api node/...` category alias is
+        dropped — current servers publish `partner/*` and the authoritative
+        `api_node: true` flag, and the CLI speaks only those."""
+        wf = {"1": {"class_type": "OldServerNode", "inputs": {}}}
+        info = self._info(OldServerNode="api node/video/Veo")
+        assert _detect_partner_nodes(wf, info) == []
+
+
+class TestPartialExecutionDiff:
+    """The cloud prunes branches that fail server-side validation and still
+    reports `completed`. We diff submitted output nodes against returned ones
+    so a vanished branch surfaces instead of passing as a clean success."""
+
+    def _info(self):
+        return {
+            "SaveVideo": {"category": "video", "output_node": True},
+            "SaveImage": {"category": "image", "output_node": True},
+            "KSampler": {"category": "sampling", "output_node": False},
+        }
+
+    def test_counts_output_nodes(self):
+        wf = {
+            "1": {"class_type": "KSampler", "inputs": {}},
+            "2": {"class_type": "SaveVideo", "inputs": {}},
+            "3": {"class_type": "SaveImage", "inputs": {}},
+        }
+        assert _count_output_nodes(wf, self._info()) == 2
+
+    def test_returns_none_when_object_info_empty(self):
+        wf = {"2": {"class_type": "SaveVideo", "inputs": {}}}
+        assert _count_output_nodes(wf, {}) is None
+
+    def test_returned_output_node_count(self):
+        record = {
+            "outputs": {
+                "2": {"videos": [{"filename": "a.mp4"}]},
+                "3": {},  # produced nothing
+            }
+        }
+        assert _returned_output_node_count(record) == 1
+
+    def test_returned_count_handles_missing_outputs(self):
+        assert _returned_output_node_count({}) == 0
+        assert _returned_output_node_count({"outputs": None}) == 0
+
+    def test_diff_detects_pruned_branch(self):
+        wf = {
+            "1": {"class_type": "SaveVideo", "inputs": {}},
+            "2": {"class_type": "SaveVideo", "inputs": {}},
+        }
+        record = {"outputs": {"1": {"videos": [{"filename": "a.mp4"}]}}}
+        submitted = _count_output_nodes(wf, self._info())
+        returned = _returned_output_node_count(record)
+        assert submitted == 2
+        assert returned == 1
+        assert returned < submitted  # the partial-execution warning trigger
+
+
+class TestResolvePartnerCredential:
+    """The credential the local submit can inject into ``extra_data`` so a
+    partner-API node finds it. Three sources, env > stored key > OAuth."""
+
+    def test_uses_env_var_first(self, monkeypatch: pytest.MonkeyPatch):
+        monkeypatch.setenv("COMFY_CLOUD_API_KEY", "env-key-123")
+        from comfy_cli.auth import store as auth_store
+
+        monkeypatch.setattr(auth_store, "get", lambda _: None)
+        assert _resolve_partner_credential() == ("api_key_comfy_org", "env-key-123")
+
+    def test_falls_back_to_stored_provider_key(self, monkeypatch: pytest.MonkeyPatch):
+        monkeypatch.delenv("COMFY_CLOUD_API_KEY", raising=False)
+        from comfy_cli.auth import store as auth_store
+        from comfy_cli.target import CLOUD_API_KEY_PROVIDER
+
+        record = MagicMock()
+        record.key = "stored-key-456"
+        monkeypatch.setattr(
+            auth_store,
+            "get",
+            lambda name: record if name == CLOUD_API_KEY_PROVIDER else None,
+        )
+        monkeypatch.setattr(auth_store, "get_cloud_session", lambda: None)
+        assert _resolve_partner_credential() == ("api_key_comfy_org", "stored-key-456")
+
+    def test_falls_back_to_oauth_token(self, monkeypatch: pytest.MonkeyPatch):
+        monkeypatch.delenv("COMFY_CLOUD_API_KEY", raising=False)
+        from comfy_cli.auth import store as auth_store
+
+        session = MagicMock()
+        session.is_expired.return_value = False
+        session.access_token = "oauth-bearer-789"
+        monkeypatch.setattr(auth_store, "get", lambda _: None)
+        monkeypatch.setattr(auth_store, "get_cloud_session", lambda: session)
+        assert _resolve_partner_credential() == ("auth_token_comfy_org", "oauth-bearer-789")
+
+    def test_returns_none_when_nothing_configured(self, monkeypatch: pytest.MonkeyPatch):
+        monkeypatch.delenv("COMFY_CLOUD_API_KEY", raising=False)
+        from comfy_cli.auth import store as auth_store
+
+        monkeypatch.setattr(auth_store, "get", lambda _: None)
+        monkeypatch.setattr(auth_store, "get_cloud_session", lambda: None)
+        assert _resolve_partner_credential() is None
+
+    def test_treats_expired_session_as_no_creds(self, monkeypatch: pytest.MonkeyPatch):
+        monkeypatch.delenv("COMFY_CLOUD_API_KEY", raising=False)
+        from comfy_cli.auth import store as auth_store
+
+        session = MagicMock()
+        session.is_expired.return_value = True
+        session.access_token = "stale"
+        monkeypatch.setattr(auth_store, "get", lambda _: None)
+        monkeypatch.setattr(auth_store, "get_cloud_session", lambda: session)
+        assert _resolve_partner_credential() is None
+
+
+class TestExecutePartnerNodePreflight:
+    """Submitting a partner-API workflow to a local server with no
+    credentials must fail with the structured envelope error
+    ``partner_node_requires_credential`` before /prompt is hit — not at
+    execute time with an opaque "Unauthorized" string buried in
+    /history."""
+
+    PARTNER_WF = {
+        "1": {"class_type": "Veo3VideoGenerationNode", "inputs": {"prompt": "x"}},
+        "2": {"class_type": "SaveVideo", "inputs": {"video": ["1", 0]}},
+    }
+    OBJECT_INFO = {
+        "Veo3VideoGenerationNode": {
+            "category": "partner/video/Veo",
+            "output": ["VIDEO"],
+            "output_name": ["VIDEO"],
+        },
+        "SaveVideo": {
+            "category": "video",
+            "output": [],
+            "output_name": [],
+            "output_node": True,
+        },
+    }
+
+    def _wf_file(self, tmp_path):
+        path = tmp_path / "partner.json"
+        path.write_text(json.dumps(self.PARTNER_WF))
+        return str(path)
+
+    def test_refuses_when_no_credential(self, tmp_path, monkeypatch: pytest.MonkeyPatch):
+        wf_file = self._wf_file(tmp_path)
+        monkeypatch.delenv("COMFY_CLOUD_API_KEY", raising=False)
+
+        from comfy_cli.auth import store as auth_store
+
+        monkeypatch.setattr(auth_store, "get", lambda _: None)
+        monkeypatch.setattr(auth_store, "get_cloud_session", lambda: None)
+
+        renderer_errors = []
+        from comfy_cli.output.renderer import Renderer
+
+        original_error = Renderer.error
+
+        def capture_error(self, *, code, message, hint=None, details=None, exit_code=1):
+            renderer_errors.append({"code": code, "message": message, "hint": hint, "details": details})
+            return original_error(self, code=code, message=message, hint=hint, details=details, exit_code=exit_code)
+
+        monkeypatch.setattr(Renderer, "error", capture_error)
+
+        with (
+            patch("comfy_cli.command.run.check_comfy_server_running", return_value=True),
+            patch("comfy_cli.command.run._fetch_object_info", return_value=self.OBJECT_INFO),
+            patch("comfy_cli.command.run.WorkflowExecution") as MockExec,
+        ):
+            with pytest.raises(typer.Exit) as exc_info:
+                execute(wf_file, host="127.0.0.1", port=8188, wait=True, timeout=30)
+            assert exc_info.value.exit_code == 1
+            # /prompt must NOT be hit — refuse pre-submit.
+            MockExec.assert_not_called()
+
+        codes = [e["code"] for e in renderer_errors]
+        assert "partner_node_requires_credential" in codes, f"got error codes: {codes}"
+        err = next(e for e in renderer_errors if e["code"] == "partner_node_requires_credential")
+        assert "Veo3VideoGenerationNode" in (err["details"] or {}).get("partner_nodes", [])
+
+    def test_proceeds_and_injects_credential_when_available(self, tmp_path, monkeypatch: pytest.MonkeyPatch):
+        """With creds available, the local submit injects them into
+        ``extra_data`` so the partner-API node can call out — same as the
+        cloud route does. Closes the silent-failure loop."""
+        wf_file = self._wf_file(tmp_path)
+        monkeypatch.setenv("COMFY_CLOUD_API_KEY", "test-key-abc")
+        from comfy_cli.auth import store as auth_store
+
+        monkeypatch.setattr(auth_store, "get", lambda _: None)
+
+        with (
+            patch("comfy_cli.command.run.check_comfy_server_running", return_value=True),
+            patch("comfy_cli.command.run._fetch_object_info", return_value=self.OBJECT_INFO),
+            patch("comfy_cli.command.run.ExecutionProgress"),
+            patch("comfy_cli.command.run.WorkflowExecution") as MockExec,
+        ):
+            mock_exec = MagicMock()
+            MockExec.return_value = mock_exec
+            mock_exec.outputs = []
+            execute(wf_file, host="127.0.0.1", port=8188, wait=True, timeout=30)
+
+            # WorkflowExecution receives the credential via the
+            # ``extra_data`` constructor kwarg.
+            kwargs = MockExec.call_args.kwargs
+            extra = kwargs.get("extra_data") or {}
+            assert extra.get("api_key_comfy_org") == "test-key-abc"
+
+    def test_non_partner_workflow_skips_preflight(self, workflow_file, monkeypatch):
+        """The preflight must not gate ordinary workflows. ``_fetch_object_info``
+        is allowed to be skipped when no partner nodes are present (or
+        called but the workflow has no api-node class types)."""
+        with (
+            patch("comfy_cli.command.run.check_comfy_server_running", return_value=True),
+            patch(
+                "comfy_cli.command.run._fetch_object_info",
+                return_value={
+                    "EmptyLatentImage": {"category": "latent", "output": ["LATENT"], "output_name": ["LATENT"]},
+                    "PreviewAny": {"category": "image", "output": [], "output_name": [], "output_node": True},
+                },
+            ),
+            patch("comfy_cli.command.run.ExecutionProgress"),
+            patch("comfy_cli.command.run.WorkflowExecution") as MockExec,
+        ):
+            mock_exec = MagicMock()
+            MockExec.return_value = mock_exec
+            mock_exec.outputs = []
+            execute(workflow_file, host="127.0.0.1", port=8188, wait=True, timeout=30)
+            MockExec.assert_called_once()
+
+
 class TestExecuteUiWorkflow:
     UI = {
         "nodes": [
@@ -482,12 +820,16 @@ class TestExecuteUiWorkflow:
                 }
             },
             "input_order": {"required": ["width", "height", "batch_size"]},
+            "output": ["LATENT"],
+            "output_name": ["LATENT"],
             "output_node": False,
             "display_name": "Empty Latent Image",
         },
         "PreviewImage": {
             "input": {"required": {"images": ["IMAGE"]}},
             "input_order": {"required": ["images"]},
+            "output": [],
+            "output_name": [],
             "output_node": True,
             "display_name": "Preview Image",
         },
@@ -566,7 +908,7 @@ def test_ui_workflow_plumbs_api_key_through_to_execution(self, ui_workflow_file)
 
             mock_fetch.assert_called_once()
             assert mock_fetch.call_args.args == ("127.0.0.1", 8188, 30)
-            assert MockExec.call_args.kwargs["api_key"] == "sk-test"
+            assert MockExec.call_args.kwargs["extra_data"]["api_key_comfy_org"] == "sk-test"
 
     def test_ui_workflow_exits_when_conversion_yields_nothing(self):
         # All nodes are UI-only (Note/PrimitiveNode/Reroute/GetNode/SetNode) and
@@ -597,6 +939,31 @@ def test_ui_workflow_exits_when_conversion_yields_nothing(self):
             os.unlink(path)
 
 
+class TestLanHostUsesPlainWs:
+    """LAN hosts (non-loopback, plain HTTP) must connect over ws://, not wss://."""
+
+    def test_lan_host_uses_plain_ws(self, monkeypatch):
+        captured = {}
+        fake_ws = MagicMock()
+        fake_ws.connect.side_effect = lambda url, **kw: captured.setdefault("url", url)
+        import comfy_cli.command.run as run_pkg
+
+        monkeypatch.setattr(run_pkg, "WebSocket", lambda: fake_ws)
+
+        ex = WorkflowExecution(
+            workflow={},
+            host="192.168.1.50",
+            port=8188,
+            verbose=False,
+            progress=None,
+            local_paths=None,
+            timeout=5,
+        )
+        ex.connect()
+
+        assert captured["url"].startswith("ws://192.168.1.50:8188/ws"), captured["url"]
+
+
 class TestWildcardHostSubstitution:
     """0.0.0.0 is a wildcard bind that macOS/Windows clients can't connect to;
     execute() substitutes it with the canonical loopback so downstream uses
@@ -611,7 +978,7 @@ def fake_check(port, host, *args, **kwargs):
 
         with patch("comfy_cli.command.run.check_comfy_server_running", side_effect=fake_check):
             with pytest.raises(typer.Exit):
-                execute(workflow_file, host="0.0.0.0", port=8188, json_mode=True)
+                execute(workflow_file, host="0.0.0.0", port=8188)
         assert captured["check_host"] == "127.0.0.1"
 
     def test_other_local_hosts_not_substituted(self, workflow_file):
@@ -623,5 +990,688 @@ def fake_check(port, host, *args, **kwargs):
 
         with patch("comfy_cli.command.run.check_comfy_server_running", side_effect=fake_check):
             with pytest.raises(typer.Exit):
-                execute(workflow_file, host="localhost", port=8188, json_mode=True)
+                execute(workflow_file, host="localhost", port=8188)
         assert captured["check_host"] == "localhost"
+
+
+# ---------------------------------------------------------------------------
+# execute_cloud auto-convert
+# ---------------------------------------------------------------------------
+
+
+class TestExecuteCloudAutoConvert:
+    """The cloud path used to bail with `cloud_ui_workflow_unsupported` on any
+    frontend-format workflow. It now converts via convert_ui_to_api against the
+    cached cloud object_info, mirroring the local path's behavior.
+    """
+
+    UI_WORKFLOW = {
+        "nodes": [{"id": 1, "type": "KSampler", "inputs": [], "outputs": [], "widgets_values": []}],
+        "links": [],
+    }
+    CONVERTED = {"1": {"class_type": "KSampler", "inputs": {"steps": 20}}}
+
+    @pytest.fixture
+    def ui_workflow_file(self, tmp_path):
+        path = tmp_path / "ui.json"
+        path.write_text(json.dumps(self.UI_WORKFLOW))
+        return str(path)
+
+    @pytest.fixture
+    def fake_target(self):
+        from comfy_cli.target import Target
+
+        return Target(
+            kind="cloud",
+            base_url="https://cloud.example.com",
+            path_prefix="/api",
+            history_path="history_v2",
+            jobs_path="jobs",
+            api_key="test-api-key",
+        )
+
+    def test_ui_workflow_converts_and_submits(self, ui_workflow_file, fake_target):
+        from comfy_cli.comfy_client import SubmitResult
+        from comfy_cli.command.run import execute_cloud
+
+        # Wire the conversion path: object_info loader returns a non-empty dict,
+        # convert_ui_to_api returns our pre-cooked API workflow, Client submits
+        # successfully. The watcher subprocess is stubbed so the test doesn't
+        # actually fork.
+        mock_client = MagicMock()
+        mock_client.submit_prompt.return_value = SubmitResult(prompt_id="prompt-abc", number=1, node_errors={})
+
+        with (
+            patch("comfy_cli.target.resolve_target", return_value=fake_target),
+            patch("comfy_cli.command.run.convert_ui_to_api", return_value=self.CONVERTED) as mock_convert,
+            patch(
+                "comfy_cli.cql.engine._load_from_target",
+                return_value={"KSampler": {}},  # any truthy dict suffices for the converter
+            ),
+            patch("comfy_cli.comfy_client.Client", return_value=mock_client),
+            patch("comfy_cli.command.run._spawn_watcher"),
+        ):
+            execute_cloud(ui_workflow_file, wait=False)
+
+        # Convert was called against our UI workflow + the cloud object_info.
+        assert mock_convert.called
+        # The CONVERTED workflow was passed to the submit call — not the raw UI form.
+        submitted_args, _ = mock_client.submit_prompt.call_args
+        assert submitted_args[0] == self.CONVERTED
+
+    def test_ui_workflow_conversion_failure_surfaces_conversion_error(self, ui_workflow_file, fake_target):
+        from comfy_cli.command.run import execute_cloud
+        from comfy_cli.workflow_to_api import WorkflowConversionError
+
+        with (
+            patch("comfy_cli.target.resolve_target", return_value=fake_target),
+            patch(
+                "comfy_cli.cql.engine._load_from_target",
+                return_value={"KSampler": {}},
+            ),
+            patch(
+                "comfy_cli.command.run.convert_ui_to_api",
+                side_effect=WorkflowConversionError("missing required field"),
+            ),
+        ):
+            with pytest.raises(typer.Exit) as exc_info:
+                execute_cloud(ui_workflow_file, wait=False)
+            assert exc_info.value.exit_code == 1
+
+    def test_ui_workflow_no_object_info_surfaces_cql_no_graph(self, ui_workflow_file, fake_target):
+        from comfy_cli.command.run import execute_cloud
+
+        with (
+            patch("comfy_cli.target.resolve_target", return_value=fake_target),
+            patch(
+                "comfy_cli.cql.engine._load_from_target",
+                side_effect=RuntimeError("no cache and no live server"),
+            ),
+        ):
+            with pytest.raises(typer.Exit) as exc_info:
+                execute_cloud(ui_workflow_file, wait=False)
+            assert exc_info.value.exit_code == 1
+
+
+# ---------------------------------------------------------------------------
+# execute_cloud --wait terminal handling
+# ---------------------------------------------------------------------------
+
+
+class TestExecuteCloudWait:
+    """The --wait success path: the final cloud history record is stashed on
+    the state file (state.record) so downstream consumers (grouped outputs,
+    item-named downloads) don't need a second API call."""
+
+    API_WORKFLOW = {
+        "1": {"class_type": "KSampler", "inputs": {}},
+        "9": {"class_type": "SaveImage", "inputs": {"images": ["1", 0]}},
+    }
+    RECORD = {
+        "status": {"completed": True, "status_str": "success"},
+        "outputs": {
+            "9": {"images": [{"filename": "a.png", "subfolder": "", "type": "output"}]},
+            "12": {"videos": [{"filename": "v.mp4", "subfolder": "", "type": "output"}]},
+        },
+    }
+
+    @pytest.fixture
+    def api_workflow_file(self, tmp_path):
+        path = tmp_path / "api.json"
+        path.write_text(json.dumps(self.API_WORKFLOW))
+        return str(path)
+
+    @pytest.fixture
+    def fake_target(self):
+        from comfy_cli.target import Target
+
+        return Target(
+            kind="cloud",
+            base_url="https://cloud.example.com",
+            path_prefix="/api",
+            history_path="history_v2",
+            jobs_path="jobs",
+            api_key="test-api-key",
+        )
+
+    def _client(self, fake_target, record=None):
+        """A real Client (real extract_* helpers) with the network calls mocked."""
+        from comfy_cli import comfy_client
+        from comfy_cli.comfy_client import SubmitResult
+
+        client = comfy_client.Client(fake_target)
+        client.submit_prompt = MagicMock(return_value=SubmitResult(prompt_id="prompt-wait", number=1, node_errors={}))
+        client.wait_for_completion = MagicMock(return_value=record or self.RECORD)
+        client.get_job_status = MagicMock(return_value=None)
+        return client
+
+    def _run_wait(self, workflow_file, fake_target, client):
+        from comfy_cli.command.run import execute_cloud
+
+        with (
+            patch("comfy_cli.target.resolve_target", return_value=fake_target),
+            patch("comfy_cli.cql.engine._load_from_target", return_value={}),
+            patch("comfy_cli.comfy_client.Client", return_value=client),
+        ):
+            execute_cloud(workflow_file, wait=True, timeout=5)
+
+    def test_wait_success_stashes_record_in_state_file(self, api_workflow_file, fake_target):
+        from comfy_cli import jobs_state
+
+        client = self._client(fake_target)
+        self._run_wait(api_workflow_file, fake_target, client)
+
+        state = jobs_state.read("prompt-wait")
+        assert state is not None
+        assert state.status == "completed"
+        assert state.record == self.RECORD
+
+    def _wait_envelope(self, workflow_file, fake_target, client, capsys):
+        """Run --wait with an NDJSON renderer and return the final envelope."""
+        from comfy_cli.output import Renderer, set_renderer
+        from comfy_cli.output.renderer import OutputMode
+
+        set_renderer(Renderer(mode=OutputMode.NDJSON, command="run"))
+        self._run_wait(workflow_file, fake_target, client)
+        lines = [ln for ln in capsys.readouterr().out.splitlines() if ln.strip()]
+        envelope = json.loads(lines[-1])
+        assert envelope["type"] == "envelope"
+        return envelope
+
+    def test_wait_envelope_has_outputs_by_node(self, api_workflow_file, fake_target, capsys):
+        client = self._client(fake_target)
+        env = self._wait_envelope(api_workflow_file, fake_target, client, capsys)
+
+        data = env["data"]
+        url_a = "https://cloud.example.com/api/view?filename=a.png&subfolder=&type=output"
+        url_v = "https://cloud.example.com/api/view?filename=v.mp4&subfolder=&type=output"
+        assert data["outputs"] == [url_a, url_v]  # flat list untouched
+        assert data["outputs_by_node"] == {"9": [url_a], "12": [url_v]}
+        # No item_map on the state → key present, empty dict.
+        assert data["outputs_by_item"] == {}
+
+    def test_wait_envelope_groups_outputs_by_item_when_item_map_present(self, tmp_path, fake_target, capsys):
+        # The real mechanism: compose embeds `_meta.items` in the compiled
+        # workflow; run pops it at submit and stashes it on the state file.
+        wf = dict(self.API_WORKFLOW)
+        wf["_meta"] = {
+            "schema": "compose/1",
+            "blueprint": "/abs/story.yaml",
+            "items": {
+                "s1": {"nodes": ["1", "9"], "save_node": "9", "prefix": "outputs/s1"},
+                "s2": {"nodes": ["12"], "save_node": "12", "prefix": "outputs/s2"},
+            },
+        }
+        composed_file = tmp_path / "composed.json"
+        composed_file.write_text(json.dumps(wf))
+
+        client = self._client(fake_target)
+        env = self._wait_envelope(str(composed_file), fake_target, client, capsys)
+
+        url_a = "https://cloud.example.com/api/view?filename=a.png&subfolder=&type=output"
+        url_v = "https://cloud.example.com/api/view?filename=v.mp4&subfolder=&type=output"
+        assert env["data"]["outputs_by_item"] == {"s1": [url_a], "s2": [url_v]}
+
+    def test_wait_permanent_500_fails_with_cloud_http_error_after_budget(self, api_workflow_file, fake_target, capsys):
+        """Transient 429/5xx mid-poll back off and retry (fennec friction #2);
+        a PERMANENT 500 exhausts the poll budget and lands on the existing
+        cloud_http_error path — never a traceback."""
+        import typer
+
+        from comfy_cli import comfy_client
+        from comfy_cli.comfy_client import SubmitResult
+        from comfy_cli.command.run import execute_cloud
+        from comfy_cli.output import Renderer, set_renderer
+        from comfy_cli.output.renderer import OutputMode
+
+        client = comfy_client.Client(fake_target)
+        client.submit_prompt = MagicMock(return_value=SubmitResult(prompt_id="prompt-500", number=1, node_errors={}))
+        client.get_job_status = MagicMock(return_value=None)
+        client.get_history = MagicMock(side_effect=comfy_client.HTTPError(500, "Internal Server Error"))
+
+        set_renderer(Renderer(mode=OutputMode.NDJSON, command="run"))
+        with (
+            patch("comfy_cli.target.resolve_target", return_value=fake_target),
+            patch("comfy_cli.cql.engine._load_from_target", return_value={}),
+            patch("comfy_cli.comfy_client.Client", return_value=client),
+            patch("comfy_cli.comfy_client.time.sleep"),
+        ):
+            with pytest.raises(typer.Exit) as excinfo:
+                execute_cloud(api_workflow_file, wait=True, timeout=5)
+
+        assert excinfo.value.exit_code == 1
+        lines = [ln for ln in capsys.readouterr().out.splitlines() if ln.strip()]
+        envelope = json.loads(lines[-1])
+        assert envelope["ok"] is False
+        assert envelope["error"]["code"] == "cloud_http_error"
+        # The poll budget was actually spent before giving up.
+        assert client.get_history.call_count == comfy_client._MAX_POLL_FAILURES
+
+    def test_wait_envelope_data_validates_against_run_schema(self, api_workflow_file, fake_target, capsys):
+        from pathlib import Path
+
+        import jsonschema
+
+        client = self._client(fake_target)
+        env = self._wait_envelope(api_workflow_file, fake_target, client, capsys)
+
+        schema_path = Path(__file__).parents[3] / "comfy_cli" / "schemas" / "run.json"
+        schema = json.loads(schema_path.read_text())
+        jsonschema.Draft202012Validator.check_schema(schema)
+        jsonschema.Draft202012Validator(schema).validate(env["data"])
+        # The new keys are part of the documented contract, not just tolerated.
+        assert "outputs_by_node" in schema["properties"]
+        assert "outputs_by_item" in schema["properties"]
+
+
+# ---------------------------------------------------------------------------
+# pop_compose_meta — strip compose provenance before preflight/submit
+# ---------------------------------------------------------------------------
+
+
+class TestPopComposeMeta:
+    """`compose` embeds `_meta` (compose/1 provenance) in the compiled
+    workflow; `run` must pop it before validation and POST. A node that is
+    legitimately keyed "_meta" (has a class_type) must be left alone."""
+
+    ITEMS = {"s1": {"nodes": ["1", "9"], "save_node": "9", "prefix": "o/s1"}}
+
+    def test_pops_meta_dict_without_class_type(self):
+        from comfy_cli.command.run.loader import pop_compose_meta
+
+        meta = {"schema": "compose/1", "blueprint": "/abs/b.yaml", "items": self.ITEMS}
+        wf = {"_meta": dict(meta), "1": {"class_type": "KSampler", "inputs": {}}}
+        popped = pop_compose_meta(wf)
+        assert popped == meta
+        assert "_meta" not in wf
+        assert "1" in wf  # nodes untouched
+
+    def test_returns_none_when_absent(self):
+        from comfy_cli.command.run.loader import pop_compose_meta
+
+        wf = {"1": {"class_type": "KSampler", "inputs": {}}}
+        assert pop_compose_meta(wf) is None
+        assert wf == {"1": {"class_type": "KSampler", "inputs": {}}}
+
+    def test_node_keyed_meta_with_class_type_is_preserved(self):
+        from comfy_cli.command.run.loader import pop_compose_meta
+
+        node = {"class_type": "Note", "inputs": {"text": "hi"}}
+        wf = {"_meta": node, "1": {"class_type": "KSampler", "inputs": {}}}
+        assert pop_compose_meta(wf) is None
+        assert wf["_meta"] is node
+
+    def test_non_dict_meta_left_alone(self):
+        from comfy_cli.command.run.loader import pop_compose_meta
+
+        wf = {"_meta": "garbage", "1": {"class_type": "KSampler", "inputs": {}}}
+        assert pop_compose_meta(wf) is None
+        assert wf["_meta"] == "garbage"
+
+    def test_node_level_meta_titles_not_confused_with_top_level(self):
+        from comfy_cli.command.run.loader import pop_compose_meta
+
+        # Per-node `_meta: {title}` blocks live INSIDE nodes — not stripped.
+        wf = {"1": {"class_type": "KSampler", "inputs": {}, "_meta": {"title": "K"}}}
+        assert pop_compose_meta(wf) is None
+        assert wf["1"]["_meta"] == {"title": "K"}
+
+    def test_preflight_sees_no_meta_warning_after_strip(self):
+        """With `_meta` stripped, CQL validation emits no `_meta` warning.
+
+        Control: WITHOUT the strip the validator warns about the key, which
+        proves this test would catch a regression."""
+        from comfy_cli.command.run.loader import pop_compose_meta
+        from comfy_cli.cql.engine import Graph
+
+        object_info = {"KSampler": {"output": ["LATENT"], "output_name": ["LATENT"], "input": {"required": {}}}}
+        graph = Graph.from_object_info(object_info)
+
+        def meta_warnings(validation):
+            return [w for w in validation.get("warnings", []) if "_meta" in str(w)]
+
+        wf = {"_meta": {"schema": "compose/1"}, "1": {"class_type": "KSampler", "inputs": {}}}
+        # Control: unstripped workflow DOES warn about the `_meta` key.
+        assert meta_warnings(graph.validate_workflow(dict(wf)))
+
+        pop_compose_meta(wf)
+        assert not meta_warnings(graph.validate_workflow(wf))
+
+
+class TestRunStripsComposeMeta:
+    """Both submit paths strip `_meta` before the POST and stash its `items`
+    map on the job state file so downstream consumers (grouped outputs,
+    item-named downloads) can join outputs back to foreach items."""
+
+    ITEMS = {"s1": {"nodes": ["1", "9"], "save_node": "9", "prefix": "o/s1"}}
+    META = {"schema": "compose/1", "blueprint": "/abs/b.yaml", "items": ITEMS}
+    API_WORKFLOW = {
+        "1": {"class_type": "KSampler", "inputs": {}},
+        "9": {"class_type": "SaveImage", "inputs": {"images": ["1", 0]}},
+    }
+    RECORD = {
+        "status": {"completed": True, "status_str": "success"},
+        "outputs": {"9": {"images": [{"filename": "a.png", "subfolder": "", "type": "output"}]}},
+    }
+
+    @pytest.fixture
+    def composed_workflow_file(self, tmp_path):
+        wf = dict(self.API_WORKFLOW)
+        wf["_meta"] = dict(self.META)
+        path = tmp_path / "composed.json"
+        path.write_text(json.dumps(wf))
+        return str(path)
+
+    @pytest.fixture
+    def fake_target(self):
+        from comfy_cli.target import Target
+
+        return Target(
+            kind="cloud",
+            base_url="https://cloud.example.com",
+            path_prefix="/api",
+            history_path="history_v2",
+            jobs_path="jobs",
+            api_key="test-api-key",
+        )
+
+    def test_cloud_nowait_strips_meta_and_stashes_item_map(self, composed_workflow_file, fake_target):
+        from comfy_cli import jobs_state
+        from comfy_cli.comfy_client import SubmitResult
+        from comfy_cli.command.run import execute_cloud
+
+        mock_client = MagicMock()
+        mock_client.submit_prompt.return_value = SubmitResult(prompt_id="prompt-meta-nw", number=1, node_errors={})
+
+        with (
+            patch("comfy_cli.target.resolve_target", return_value=fake_target),
+            patch("comfy_cli.cql.engine._load_from_target", return_value={}),
+            patch("comfy_cli.comfy_client.Client", return_value=mock_client),
+            patch("comfy_cli.command.run._spawn_watcher"),
+        ):
+            execute_cloud(composed_workflow_file, wait=False)
+
+        submitted = mock_client.submit_prompt.call_args.args[0]
+        assert "_meta" not in submitted
+        assert set(submitted) == set(self.API_WORKFLOW)
+
+        state = jobs_state.read("prompt-meta-nw")
+        assert state is not None
+        assert state.item_map == self.ITEMS
+
+    def test_cloud_wait_strips_meta_and_stashes_item_map(self, composed_workflow_file, fake_target):
+        from comfy_cli import comfy_client, jobs_state
+        from comfy_cli.comfy_client import SubmitResult
+        from comfy_cli.command.run import execute_cloud
+
+        client = comfy_client.Client(fake_target)
+        client.submit_prompt = MagicMock(return_value=SubmitResult(prompt_id="prompt-meta-w", number=1, node_errors={}))
+        client.wait_for_completion = MagicMock(return_value=self.RECORD)
+        client.get_job_status = MagicMock(return_value=None)
+
+        with (
+            patch("comfy_cli.target.resolve_target", return_value=fake_target),
+            patch("comfy_cli.cql.engine._load_from_target", return_value={}),
+            patch("comfy_cli.comfy_client.Client", return_value=client),
+        ):
+            execute_cloud(composed_workflow_file, wait=True, timeout=5)
+
+        submitted = client.submit_prompt.call_args.args[0]
+        assert "_meta" not in submitted
+
+        state = jobs_state.read("prompt-meta-w")
+        assert state is not None
+        assert state.status == "completed"
+        assert state.item_map == self.ITEMS
+
+    def test_local_execute_strips_meta_before_submit(self, tmp_path):
+        wf = {
+            "1": {"class_type": "EmptyLatentImage", "inputs": {}, "_meta": {"title": "latent"}},
+            "_meta": dict(self.META),
+        }
+        path = tmp_path / "composed_local.json"
+        path.write_text(json.dumps(wf))
+
+        with (
+            patch("comfy_cli.command.run.check_comfy_server_running", return_value=True),
+            patch("comfy_cli.command.run._fetch_object_info", return_value={}),
+            patch("comfy_cli.command.run.ExecutionProgress"),
+            patch("comfy_cli.command.run.WorkflowExecution") as MockExec,
+        ):
+            mock_exec = MagicMock()
+            MockExec.return_value = mock_exec
+            mock_exec.outputs = []
+            execute(str(path), host="127.0.0.1", port=8188, wait=True, timeout=30)
+
+        submitted = MockExec.call_args.args[0]
+        assert "_meta" not in submitted
+        # Node-interior `_meta` titles survive untouched.
+        assert submitted["1"]["_meta"] == {"title": "latent"}
+
+
+class TestLocalExecuteItemMapAndGroupedOutputs:
+    """Local-path parity with execute_cloud: `execute` stashes the compose
+    item_map on the job state file (both --wait and async paths) and the
+    --wait envelope carries outputs_by_node / outputs_by_item grouped from
+    the execution's node-keyed output entries."""
+
+    ITEMS = {
+        "s1": {"nodes": ["1", "9"], "save_node": "9", "prefix": "o/s1"},
+        "s2": {"nodes": ["12"], "save_node": "12", "prefix": "o/s2"},
+    }
+    META = {"schema": "compose/1", "blueprint": "/abs/b.yaml", "items": ITEMS}
+    API_WORKFLOW = {
+        "1": {"class_type": "KSampler", "inputs": {}},
+        "9": {"class_type": "SaveImage", "inputs": {"images": ["1", 0]}},
+    }
+    URL_A = "http://127.0.0.1:8188/view?filename=a.png&subfolder=&type=output"
+    URL_V = "http://127.0.0.1:8188/view?filename=v.mp4&subfolder=&type=output"
+
+    @pytest.fixture
+    def composed_workflow_file(self, tmp_path):
+        wf = dict(self.API_WORKFLOW)
+        wf["_meta"] = dict(self.META)
+        path = tmp_path / "composed_local.json"
+        path.write_text(json.dumps(wf))
+        return str(path)
+
+    def _mock_exec(self, prompt_id):
+        mock_exec = MagicMock()
+        mock_exec.prompt_id = prompt_id
+        mock_exec.client_id = "cid-local"
+        mock_exec.outputs = []
+        mock_exec.output_entries = []
+        mock_exec.cached_node_ids = []
+        mock_exec.executed_node_ids = []
+        return mock_exec
+
+    def _run(self, workflow_file, mock_exec, *, wait, extra_patches=()):
+        with (
+            patch("comfy_cli.command.run.check_comfy_server_running", return_value=True),
+            patch("comfy_cli.command.run._fetch_object_info", return_value={}),
+            patch("comfy_cli.command.run.ExecutionProgress"),
+            patch("comfy_cli.command.run.WorkflowExecution", return_value=mock_exec),
+            patch("comfy_cli.command.run._spawn_watcher", return_value=True),
+            patch("comfy_cli.command.run._tail_state_file"),
+        ):
+            execute(workflow_file, host="127.0.0.1", port=8188, wait=wait, timeout=30)
+
+    def test_local_wait_stashes_item_map(self, composed_workflow_file):
+        from comfy_cli import jobs_state
+
+        mock_exec = self._mock_exec("local-meta-wait")
+        self._run(composed_workflow_file, mock_exec, wait=True)
+
+        state = jobs_state.read("local-meta-wait")
+        assert state is not None
+        assert state.status == "completed"
+        assert state.item_map == self.ITEMS
+
+    def test_local_async_stashes_item_map(self, composed_workflow_file):
+        from comfy_cli import jobs_state
+
+        mock_exec = self._mock_exec("local-meta-async")
+        self._run(composed_workflow_file, mock_exec, wait=False)
+
+        state = jobs_state.read("local-meta-async")
+        assert state is not None
+        assert state.item_map == self.ITEMS
+
+    def _wait_envelope(self, workflow_file, mock_exec, capsys):
+        from comfy_cli.output import Renderer, set_renderer
+        from comfy_cli.output.renderer import OutputMode
+
+        set_renderer(Renderer(mode=OutputMode.NDJSON, command="run"))
+        self._run(workflow_file, mock_exec, wait=True)
+        lines = [ln for ln in capsys.readouterr().out.splitlines() if ln.strip()]
+        envelope = json.loads(lines[-1])
+        assert envelope["type"] == "envelope"
+        return envelope
+
+    def test_local_wait_envelope_groups_by_node_and_item(self, composed_workflow_file, capsys):
+        mock_exec = self._mock_exec("local-grouped")
+        mock_exec.outputs = [self.URL_A, self.URL_V]
+        mock_exec.output_entries = [
+            {"node_id": "9", "url": self.URL_A, "filename": "a.png", "type": "output"},
+            {"node_id": "12", "url": self.URL_V, "filename": "v.mp4", "type": "output"},
+        ]
+
+        env = self._wait_envelope(composed_workflow_file, mock_exec, capsys)
+
+        data = env["data"]
+        assert data["outputs"] == [self.URL_A, self.URL_V]  # flat list untouched
+        assert data["outputs_by_node"] == {"9": [self.URL_A], "12": [self.URL_V]}
+        assert data["outputs_by_item"] == {"s1": [self.URL_A], "s2": [self.URL_V]}
+
+    def test_local_wait_envelope_without_item_map_has_empty_by_item(self, tmp_path, capsys):
+        # Plain workflow (no _meta) → outputs_by_node still grouped from the
+        # node-keyed entries, outputs_by_item stays {}.
+        path = tmp_path / "plain.json"
+        path.write_text(json.dumps(self.API_WORKFLOW))
+        mock_exec = self._mock_exec("local-plain")
+        mock_exec.outputs = [self.URL_A]
+        mock_exec.output_entries = [{"node_id": "9", "url": self.URL_A, "filename": "a.png", "type": "output"}]
+
+        env = self._wait_envelope(str(path), mock_exec, capsys)
+
+        assert env["data"]["outputs_by_node"] == {"9": [self.URL_A]}
+        assert env["data"]["outputs_by_item"] == {}
+
+
+class TestRunJournal:
+    """Successful submits journal one runs.jsonl line into the governing
+    project (cwd-anchored); failures of the journal itself never fail the run."""
+
+    API_WORKFLOW = {
+        "1": {"class_type": "KSampler", "inputs": {}},
+        "9": {"class_type": "SaveImage", "inputs": {"images": ["1", 0]}},
+    }
+
+    @pytest.fixture
+    def proj_dir(self, tmp_path, monkeypatch):
+        proj = tmp_path / "proj"
+        proj.mkdir()
+        (proj / "comfy.yaml").write_text("schema: project/1\ndefaults:\n  where: cloud\n")
+        monkeypatch.chdir(proj)
+        return proj
+
+    @pytest.fixture
+    def fake_target(self):
+        from comfy_cli.target import Target
+
+        return Target(
+            kind="cloud",
+            base_url="https://cloud.example.com",
+            path_prefix="/api",
+            history_path="history_v2",
+            jobs_path="jobs",
+            api_key="test-api-key",
+        )
+
+    def _workflow_file(self, proj_dir):
+        path = proj_dir / "wf.json"
+        path.write_text(json.dumps(self.API_WORKFLOW))
+        return str(path)
+
+    def _journal_events(self, proj_dir):
+        path = proj_dir / ".comfy" / "runs.jsonl"
+        if not path.exists():
+            return []
+        return [json.loads(ln) for ln in path.read_text().splitlines() if ln.strip()]
+
+    def _execute_cloud_nowait(self, workflow_file, fake_target):
+        from comfy_cli.comfy_client import SubmitResult
+        from comfy_cli.command.run import execute_cloud
+
+        mock_client = MagicMock()
+        mock_client.submit_prompt.return_value = SubmitResult(prompt_id="prompt-journal", number=1, node_errors={})
+        with (
+            patch("comfy_cli.target.resolve_target", return_value=fake_target),
+            patch("comfy_cli.cql.engine._load_from_target", return_value={}),
+            patch("comfy_cli.comfy_client.Client", return_value=mock_client),
+            patch("comfy_cli.command.run._spawn_watcher"),
+        ):
+            execute_cloud(workflow_file, wait=False)
+
+    def test_cloud_submit_journals_inside_project(self, proj_dir, fake_target):
+        workflow_file = self._workflow_file(proj_dir)
+        self._execute_cloud_nowait(workflow_file, fake_target)
+
+        events = self._journal_events(proj_dir)
+        assert len(events) == 1
+        ev = events[0]
+        assert ev["cmd"] == "run"
+        assert ev["workflow"] == workflow_file
+        assert ev["prompt_id"] == "prompt-journal"
+        assert ev["where"] == "cloud"
+        assert "ts" in ev
+
+    def test_local_submit_journals_inside_project(self, proj_dir):
+        workflow_file = self._workflow_file(proj_dir)
+        mock_exec = MagicMock()
+        mock_exec.prompt_id = "prompt-local-journal"
+        mock_exec.client_id = "cid"
+        mock_exec.outputs = []
+        mock_exec.output_entries = []
+        with (
+            patch("comfy_cli.command.run.check_comfy_server_running", return_value=True),
+            patch("comfy_cli.command.run._fetch_object_info", return_value={}),
+            patch("comfy_cli.command.run.ExecutionProgress"),
+            patch("comfy_cli.command.run.WorkflowExecution", return_value=mock_exec),
+            patch("comfy_cli.command.run._spawn_watcher", return_value=True),
+            patch("comfy_cli.command.run._tail_state_file"),
+        ):
+            execute(workflow_file, host="127.0.0.1", port=8188, wait=False, timeout=30)
+
+        events = self._journal_events(proj_dir)
+        assert len(events) == 1
+        ev = events[0]
+        assert ev["cmd"] == "run"
+        assert ev["workflow"] == workflow_file
+        assert ev["prompt_id"] == "prompt-local-journal"
+        assert ev["where"] == "local"
+
+    def test_run_outside_project_writes_no_journal(self, tmp_path, monkeypatch, fake_target):
+        plain = tmp_path / "plain"
+        plain.mkdir()
+        monkeypatch.chdir(plain)
+        workflow_file = plain / "wf.json"
+        workflow_file.write_text(json.dumps(self.API_WORKFLOW))
+        self._execute_cloud_nowait(str(workflow_file), fake_target)
+        assert not (plain / ".comfy").exists()
+
+    def test_journal_failure_does_not_fail_run(self, proj_dir, fake_target, monkeypatch):
+        import comfy_cli.project as project_mod
+
+        def _boom(*a, **kw):
+            raise RuntimeError("journal exploded")
+
+        monkeypatch.setattr(project_mod, "journal", _boom)
+        workflow_file = self._workflow_file(proj_dir)
+        # Must not raise — the wrapped hook swallows the failure.
+        self._execute_cloud_nowait(workflow_file, fake_target)
+
+        from comfy_cli import jobs_state
+
+        state = jobs_state.read("prompt-journal")
+        assert state is not None  # submit completed normally
diff --git a/tests/comfy_cli/command/test_run_cli.py b/tests/comfy_cli/command/test_run_cli.py
new file mode 100644
index 00000000..a062f37a
--- /dev/null
+++ b/tests/comfy_cli/command/test_run_cli.py
@@ -0,0 +1,266 @@
+"""Tests for the `comfy run-cli` guided walkthrough."""
+
+import json
+from unittest.mock import patch
+
+import pytest
+
+from comfy_cli.command import run_cli
+
+
+def _ok_envelope(**data) -> str:
+    return json.dumps({"ok": True, "data": data, "error": None})
+
+
+class TestStepBuilders:
+    def test_classify_treats_json_flag_as_agent(self):
+        inv = run_cli.Invocation(argv=["comfy", "--json", "env"], label="agent")
+        assert run_cli._classify(inv) == "agent"
+
+    def test_classify_treats_json_stream_as_agent(self):
+        inv = run_cli.Invocation(argv=["comfy", "--json-stream", "jobs", "watch", "x"], label="agent")
+        assert run_cli._classify(inv) == "agent"
+
+    def test_classify_default_is_human(self):
+        inv = run_cli.Invocation(argv=["comfy", "env"], label="human")
+        assert run_cli._classify(inv) == "human"
+
+    def test_build_steps_contains_full_surface(self):
+        state = run_cli._DemoState(workflow_path="/tmp/x.json")
+        steps = run_cli._build_steps(state)
+        titles = " ".join(s.title.lower() for s in steps)
+        for needle in [
+            "env",
+            "which",
+            "discover",
+            "cql",
+            "synchronous",
+            "json envelope",
+            "async",
+            "jobs ls",
+            "jobs status",
+            "jobs watch",
+            "fleet",
+            "auth",
+        ]:
+            assert needle in titles, f"missing coverage for: {needle}"
+
+    def test_build_steps_includes_parallel_fleet(self):
+        state = run_cli._DemoState(workflow_path="/tmp/x.json")
+        steps = run_cli._build_steps(state)
+        fleet = [s for s in steps if "FLEET" in s.title]
+        assert len(fleet) == 1
+        assert fleet[0].custom is not None  # uses custom runner, not plain invocations
+
+    def test_fleet_workflows_have_distinct_colors(self):
+        # Distinct colors prevent ComfyUI's per-node cache from collapsing the
+        # fleet into a single execution.
+        colors = {run_cli.fleet_workflow(i)["1"]["inputs"]["color"] for i in range(run_cli.FLEET_SIZE)}
+        assert len(colors) == run_cli.FLEET_SIZE
+
+    def test_capture_prompt_id_extracts_from_last_line(self):
+        state = run_cli._DemoState(workflow_path="/tmp/x.json")
+        handler = run_cli._capture_prompt_id(state)
+        handler(_ok_envelope(prompt_id="abc-123"))
+        assert state.async_prompt_id == "abc-123"
+
+    def test_capture_prompt_id_ignores_garbage(self):
+        state = run_cli._DemoState(workflow_path="/tmp/x.json")
+        handler = run_cli._capture_prompt_id(state)
+        handler("not json at all")
+        assert state.async_prompt_id is None
+
+
+class TestRunInvocation:
+    def test_streaming_invocation_returns_subprocess_rc(self):
+        inv = run_cli.Invocation(argv=["true"], label="trivial")
+        with patch("comfy_cli.command.run_cli.subprocess.run") as run:
+            run.return_value.returncode = 0
+            rc = run_cli._run_invocation(inv, pause_seconds=0)
+        assert rc == 0
+        call_env = run.call_args.kwargs["env"]
+        assert call_env["COMFY_OUTPUT"] == "pretty"
+
+    def test_capturing_invocation_runs_on_output(self):
+        captured: list[str] = []
+        inv = run_cli.Invocation(
+            argv=["true"],
+            label="cap",
+            capture=True,
+            on_output=captured.append,
+        )
+        with patch("comfy_cli.command.run_cli.subprocess.run") as run:
+            run.return_value.returncode = 0
+            run.return_value.stdout = _ok_envelope(value=42)
+            run.return_value.stderr = ""
+            rc = run_cli._run_invocation(inv, pause_seconds=0)
+        assert rc == 0
+        assert captured == [_ok_envelope(value=42)]
+
+
+class TestRunStep:
+    def _state(self) -> run_cli._DemoState:
+        return run_cli._DemoState(workflow_path="/tmp/x.json")
+
+    def test_skip_if_short_circuits(self):
+        step = run_cli.Step(
+            title="skipped",
+            invocations=[run_cli.Invocation(argv=["false"], label="never")],
+            skip_if=lambda: True,
+        )
+        with patch("comfy_cli.command.run_cli.subprocess.run") as run:
+            rc = run_cli._run_step(step, self._state(), pause_seconds=0, show_agent=True)
+        assert rc == 0
+        run.assert_not_called()
+
+    def test_no_show_agent_skips_agent_invocations(self):
+        step = run_cli.Step(
+            title="step",
+            invocations=[
+                run_cli.Invocation(argv=["comfy", "env"], label="human"),
+                run_cli.Invocation(argv=["comfy", "--json", "env"], label="agent"),
+            ],
+        )
+        with patch("comfy_cli.command.run_cli.subprocess.run") as run:
+            run.return_value.returncode = 0
+            run_cli._run_step(step, self._state(), pause_seconds=0, show_agent=False)
+        assert run.call_count == 1
+        assert "--json" not in run.call_args_list[0].args[0]
+
+    def test_show_agent_runs_both(self):
+        step = run_cli.Step(
+            title="step",
+            invocations=[
+                run_cli.Invocation(argv=["comfy", "env"], label="human"),
+                run_cli.Invocation(argv=["comfy", "--json", "env"], label="agent"),
+            ],
+        )
+        with patch("comfy_cli.command.run_cli.subprocess.run") as run:
+            run.return_value.returncode = 0
+            run_cli._run_step(step, self._state(), pause_seconds=0, show_agent=True)
+        assert run.call_count == 2
+
+    def test_optional_failure_does_not_propagate(self):
+        step = run_cli.Step(
+            title="step",
+            invocations=[run_cli.Invocation(argv=["false"], label="opt", optional=True)],
+        )
+        with patch("comfy_cli.command.run_cli.subprocess.run") as run:
+            run.return_value.returncode = 17
+            rc = run_cli._run_step(step, self._state(), pause_seconds=0, show_agent=True)
+        assert rc == 0
+
+    def test_required_failure_propagates(self):
+        step = run_cli.Step(
+            title="step",
+            invocations=[run_cli.Invocation(argv=["false"], label="req")],
+        )
+        with patch("comfy_cli.command.run_cli.subprocess.run") as run:
+            run.return_value.returncode = 3
+            rc = run_cli._run_step(step, self._state(), pause_seconds=0, show_agent=True)
+        assert rc == 3
+
+    def test_custom_step_runner_is_invoked(self):
+        called: dict = {}
+
+        def custom(state, pause_seconds, show_agent):
+            called["state"] = state
+            called["pause"] = pause_seconds
+            called["agent"] = show_agent
+            return 0
+
+        step = run_cli.Step(title="custom", custom=custom)
+        state = self._state()
+        rc = run_cli._run_step(step, state, pause_seconds=0, show_agent=False)
+        assert rc == 0
+        assert called == {"state": state, "pause": 0, "agent": False}
+
+
+class TestSubmitOneAsync:
+    def test_returns_prompt_id_on_success(self):
+        with patch("comfy_cli.command.run_cli.subprocess.run") as run:
+            run.return_value.returncode = 0
+            run.return_value.stdout = _ok_envelope(prompt_id="pid-7")
+            run.return_value.stderr = ""
+            idx, pid, elapsed = run_cli._submit_one_async(["comfy"], idx=3)
+        assert idx == 3
+        assert pid == "pid-7"
+        assert elapsed >= 0
+
+    def test_returns_none_on_nonzero_exit(self):
+        with patch("comfy_cli.command.run_cli.subprocess.run") as run:
+            run.return_value.returncode = 1
+            run.return_value.stdout = ""
+            run.return_value.stderr = "boom"
+            idx, pid, _ = run_cli._submit_one_async(["comfy"], idx=0)
+        assert idx == 0
+        assert pid is None
+
+    def test_returns_none_on_malformed_json(self):
+        with patch("comfy_cli.command.run_cli.subprocess.run") as run:
+            run.return_value.returncode = 0
+            run.return_value.stdout = "garbage"
+            run.return_value.stderr = ""
+            idx, pid, _ = run_cli._submit_one_async(["comfy"], idx=2)
+        assert pid is None
+
+
+class TestExecute:
+    def test_execute_writes_workflow_and_runs_all_steps(self, tmp_path, monkeypatch):
+        monkeypatch.setattr(run_cli.tempfile, "gettempdir", lambda: str(tmp_path))
+
+        with patch("comfy_cli.command.run_cli.subprocess.run") as run:
+            run.return_value.returncode = 0
+            run.return_value.stdout = _ok_envelope(prompt_id="pid-1", commands={"env": {}, "run": {}})
+            run.return_value.stderr = ""
+            rc = run_cli.execute(pause_seconds=0, no_cleanup=False, show_agent=True)
+
+        assert rc == 0
+        # 11 invocation-driven steps + 1 custom fleet step. The fleet step uses
+        # ThreadPoolExecutor but the subprocess.run mock still records calls.
+        assert run.call_count >= 11
+        # All temp workflow files cleaned up (single-job + fleet).
+        leftover = list(tmp_path.glob("comfy_run_cli_*.json"))
+        assert leftover == []
+
+    def test_execute_keeps_workflows_with_no_cleanup(self, tmp_path, monkeypatch):
+        monkeypatch.setattr(run_cli.tempfile, "gettempdir", lambda: str(tmp_path))
+        with patch("comfy_cli.command.run_cli.subprocess.run") as run:
+            run.return_value.returncode = 0
+            run.return_value.stdout = _ok_envelope(prompt_id="pid-1")
+            run.return_value.stderr = ""
+            run_cli.execute(pause_seconds=0, no_cleanup=True, show_agent=True)
+        leftover = list(tmp_path.glob("comfy_run_cli_*.json"))
+        # 1 single-job workflow + FLEET_SIZE fleet workflows.
+        assert len(leftover) == 1 + run_cli.FLEET_SIZE
+
+
+def test_cloud_print_prompt_does_not_submit(monkeypatch, tmp_path):
+    """--print-prompt on the cloud route prints the graph and never submits."""
+    import typer
+
+    import comfy_cli.comfy_client as cc
+    from comfy_cli.command.run import execute_cloud
+
+    wf = tmp_path / "wf.json"
+    wf.write_text('{"1": {"class_type": "X", "inputs": {}}}')
+
+    class FakeClient:
+        def __init__(self, *a, **k):
+            pass
+
+        def submit_prompt(self, *a, **k):
+            raise AssertionError("submit_prompt must not be called in --print-prompt mode")
+
+    # execute_cloud does `from comfy_cli.comfy_client import Client`; patching the
+    # attribute on the module makes that import pick up the fake. But the dry-run
+    # should return BEFORE Client is even constructed.
+    monkeypatch.setattr(cc, "Client", FakeClient)
+
+    with pytest.raises(typer.Exit) as exc:
+        execute_cloud(str(wf), wait=True, print_prompt=True, timeout=5)
+    assert exc.value.exit_code == 0
+
+
+if __name__ == "__main__":
+    pytest.main([__file__, "-v"])
diff --git a/tests/comfy_cli/command/test_run_json.py b/tests/comfy_cli/command/test_run_json.py
index cc492843..15f16d14 100644
--- a/tests/comfy_cli/command/test_run_json.py
+++ b/tests/comfy_cli/command/test_run_json.py
@@ -1,10 +1,17 @@
-"""Unit tests for `comfy run --json` (NDJSON output mode).
+"""Unit tests for `comfy run --json` (NDJSON streaming through the renderer).
 
+One dialect: the legacy `JsonEmitter` (`{"event": …, "error": {"kind": …}}`)
+is gone. `comfy run --json` now emits the renderer's `event/1` stream —
+`{"schema": "event/1", "type": …}` lines — terminated by a single
+`{"schema": "envelope/1", "type": "envelope", ok, data, error}` line.
 See `docs/json-output.md` for the contract these tests pin in place.
+
 The tests cover:
   - every event type emitted at the right time and shape
-  - every error.kind for each documented failure path
-  - schema_version: 1 on every line
+  - every error.code for each documented failure path (all registered
+    in `comfy_cli.error_codes`)
+  - the final envelope on both success and failure, with exit codes
+    (1 for errors, 130 for cancellation)
   - stream archetypes from the spec table
   - the duck-typed output filter rule
   - the cached/executed overlap semantics
@@ -24,11 +31,22 @@
 from websocket import WebSocketException, WebSocketTimeoutException
 
 from comfy_cli.command.run import (
-    JsonEmitter,
     WorkflowExecution,
     _classify_api_workflow,
     execute,
 )
+from comfy_cli.output import Renderer, set_renderer
+from comfy_cli.output.renderer import OutputMode, reset_renderer_for_testing
+
+
+@pytest.fixture(autouse=True)
+def ndjson_renderer():
+    """Install a fresh NDJSON renderer per test (the state `comfy run --json`
+    runs in after `force_stream()`), and reset the singleton afterwards."""
+    renderer = Renderer(mode=OutputMode.NDJSON, command="run")
+    set_renderer(renderer)
+    yield renderer
+    reset_renderer_for_testing()
 
 
 @pytest.fixture
@@ -57,29 +75,44 @@ def workflow_file(simple_workflow):
     os.unlink(path)
 
 
+def _parse_lines(out: str) -> list[dict]:
+    lines = []
+    for line in out.splitlines():
+        line = line.strip()
+        if not line:
+            continue
+        lines.append(json.loads(line))
+    return lines
+
+
+def _events(lines: list[dict]) -> list[dict]:
+    return [ln for ln in lines if ln.get("type") != "envelope"]
+
+
+def _envelope(lines: list[dict]) -> dict:
+    assert lines, "expected at least one NDJSON line"
+    last = lines[-1]
+    assert last.get("type") == "envelope", f"last line is not the envelope: {last}"
+    return last
+
+
 def _run_execute_capture(workflow_path, capsys, **overrides):
-    """Run execute() and return the parsed JSON events from stdout."""
+    """Run execute() and return (parsed stdout lines, exit_code)."""
     kwargs = dict(
         host="127.0.0.1",
         port=8188,
         wait=True,
         verbose=False,
         timeout=30,
-        json_mode=True,
     )
     kwargs.update(overrides)
+    exit_code = 0
     try:
         execute(workflow_path, **kwargs)
-    except typer.Exit:
-        pass
+    except typer.Exit as e:
+        exit_code = e.exit_code or 0
     out, _err = capsys.readouterr()
-    events = []
-    for line in out.splitlines():
-        line = line.strip()
-        if not line:
-            continue
-        events.append(json.loads(line))
-    return events
+    return _parse_lines(out), exit_code
 
 
 def _make_http_error(code: int, body: bytes = b"") -> urllib.error.HTTPError:
@@ -92,12 +125,9 @@ def _make_http_error(code: int, body: bytes = b"") -> urllib.error.HTTPError:
     )
 
 
-def _make_workflow_execution(workflow, *, with_progress: bool = False, json_mode: bool = True):
-    """Build a `WorkflowExecution` with a `JsonEmitter` pre-wired to the
-    workflow. `with_progress=True` attaches a MagicMock progress object —
-    needed by tests that exercise `update_overall_progress`."""
-    e = JsonEmitter(json_mode=json_mode)
-    e.set_workflow(workflow)
+def _make_workflow_execution(workflow, *, with_progress: bool = False):
+    """Build a `WorkflowExecution`. `with_progress=True` attaches a MagicMock
+    progress object — needed by tests that exercise `update_overall_progress`."""
     progress = None
     if with_progress:
         progress = MagicMock()
@@ -107,229 +137,64 @@ def _make_workflow_execution(workflow, *, with_progress: bool = False, json_mode
         host="127.0.0.1",
         port=8188,
         verbose=False,
+        local_paths=False,
         progress=progress,
         timeout=30,
-        emitter=e,
     )
 
 
-class TestJsonEmitter:
-    """Direct emitter tests — verify event shape, schema_version, no-op in non-JSON mode."""
+class TestStreamShape:
+    """Dialect-level invariants: schema fields, pretty-mode no-op, UTF-8."""
 
-    def test_noop_in_human_mode(self, capsys):
-        e = JsonEmitter(json_mode=False)
-        e.set_client_id("cid")
-        e.emit_queued("pid", None)
-        e.emit_completed()
-        e.emit_failed("workflow_not_found", "x")
+    def test_events_are_noop_in_pretty_mode(self, simple_workflow, capsys):
+        set_renderer(Renderer(mode=OutputMode.PRETTY))
+        ex = _make_workflow_execution(simple_workflow)
+        ex.prompt_id = "p"
+        ex.on_executed({"node": "2", "output": {"images": [{"filename": "x.png", "subfolder": "", "type": "output"}]}})
+        ex.on_cached({"nodes": ["1"]})
         out, _ = capsys.readouterr()
-        assert out == ""
+        # No NDJSON lines in pretty mode (event() is a no-op there).
+        for line in out.splitlines():
+            assert not line.strip().startswith("{"), f"unexpected JSON in pretty mode: {line!r}"
 
-    def test_every_event_has_schema_version_1(self, capsys, simple_workflow):
-        e = JsonEmitter(json_mode=True)
-        e.set_workflow(simple_workflow)
-        e.set_client_id("cid")
-        e.emit_converted(2)
-        e.emit_queued("pid", None)
-        e.emit_node_cached("1")
-        e.emit_node_executing("2")
-        e.emit_node_progress("2", 5, 10)
-        e.emit_node_executed("2", [])
-        e.emit_completed()
-        e.emit_failed("execution_error", "x", node_id="2")
-        out, _ = capsys.readouterr()
-        lines = [line for line in out.splitlines() if line.strip()]
-        assert len(lines) == 8
-        for line in lines:
-            event = json.loads(line)
-            assert event.get("schema_version") == 1, f"Missing schema_version on: {line}"
-
-    def test_queued_includes_validation_warnings_empty(self, capsys):
-        e = JsonEmitter(json_mode=True)
-        e.set_client_id("c")
-        e.emit_queued("p", [])
-        out, _ = capsys.readouterr()
-        event = json.loads(out.strip())
-        assert event["event"] == "queued"
-        assert event["validation_warnings"] == []
-        assert event["prompt_id"] == "p"
-        assert event["client_id"] == "c"
-        # nodes manifest is always present (empty when no workflow set)
-        assert event["nodes"] == []
-
-    def test_queued_includes_validation_warnings_list(self, capsys):
-        e = JsonEmitter(json_mode=True)
-        e.set_client_id("c")
-        warnings = [{"node_id": "5", "errors": [{"type": "x", "message": "y"}]}]
-        e.emit_queued("p", warnings)
+    def test_every_line_carries_schema_and_type(self, workflow_file, capsys):
+        with (
+            patch("comfy_cli.command.run.check_comfy_server_running", return_value=True),
+            patch("comfy_cli.command.run.request.urlopen") as mock_open,
+            patch("comfy_cli.command.run.WebSocket") as MockWs,
+        ):
+            mock_open.return_value.read.return_value = json.dumps({"prompt_id": "p"}).encode()
+            ws_instance = MagicMock()
+            MockWs.return_value = ws_instance
+            ws_instance.recv.side_effect = [
+                json.dumps({"type": "executing", "data": {"prompt_id": "p", "node": "1"}}),
+                json.dumps({"type": "executing", "data": {"prompt_id": "p", "node": None}}),
+            ]
+            lines, exit_code = _run_execute_capture(workflow_file, capsys)
+        assert exit_code == 0
+        for ln in _events(lines):
+            assert ln["schema"] == "event/1", ln
+            assert isinstance(ln["type"], str) and ln["type"], ln
+        env = _envelope(lines)
+        assert env["schema"] == "envelope/1"
+        assert env["ok"] is True
+
+    def test_non_ascii_round_trips_as_utf8(self, capsys, ndjson_renderer):
+        # The renderer writes UTF-8 (ensure_ascii=False); consumers get the
+        # original characters back after json.loads.
+        ndjson_renderer.error(code="workflow_not_found", message="found: 猫_00001_.png")
         out, _ = capsys.readouterr()
-        event = json.loads(out.strip())
-        assert event["validation_warnings"] == warnings
-
-    def test_queued_nodes_manifest_from_workflow(self, capsys, simple_workflow):
-        """`nodes` should list one entry per workflow node with node_id, class_type, title."""
-        e = JsonEmitter(json_mode=True)
-        e.set_workflow(simple_workflow)
-        e.set_client_id("c")
-        e.emit_queued("p", None)
-        event = json.loads(capsys.readouterr().out.strip())
-        nodes = event["nodes"]
-        assert len(nodes) == 2
-        by_id = {n["node_id"]: n for n in nodes}
-        assert by_id["1"]["class_type"] == "EmptyLatentImage"
-        assert by_id["1"]["title"] == "Latent"  # _meta.title wins
-        assert by_id["2"]["class_type"] == "SaveImage"
-        assert by_id["2"]["title"] == "Save"
-
-    def test_node_progress_includes_class_type_and_title(self, capsys, simple_workflow):
-        """node_progress carries class_type+title so stateless consumers can
-        render the running node without buffering a prior node_executing event."""
-        e = JsonEmitter(json_mode=True)
-        e.set_workflow(simple_workflow)
-        e.set_client_id("c")
-        e.emit_node_progress("1", 5, 10)
-        event = json.loads(capsys.readouterr().out.strip())
-        assert event["event"] == "node_progress"
-        assert event["class_type"] == "EmptyLatentImage"
-        assert event["title"] == "Latent"
-        assert event["value"] == 5
-        assert event["max"] == 10
-
-    def test_emit_node_handlers_coerce_node_id_to_str(self, capsys, simple_workflow):
-        """If the server ever sends an int node_id, emit_* must coerce to str."""
-        e = JsonEmitter(json_mode=True)
-        e.set_workflow(simple_workflow)
-        e.set_client_id("c")
-        e.emit_node_executing(2)
-        e.emit_node_progress(2, 1, 10)
-        e.emit_node_cached(2)
-        e.emit_node_executed(2, [])
-        events = [json.loads(line) for line in capsys.readouterr().out.splitlines() if line.strip()]
-        for ev in events:
-            assert isinstance(ev["node_id"], str), f"{ev['event']} node_id is {type(ev['node_id']).__name__}"
-            assert ev["node_id"] == "2"
-        e.emit_completed()
-        completed = json.loads(capsys.readouterr().out.strip())
-        assert all(isinstance(nid, str) for nid in completed["cached_node_ids"])
-        assert all(isinstance(nid, str) for nid in completed["executed_node_ids"])
-
-    def test_completed_aggregates_outputs_and_node_ids(self, capsys, simple_workflow):
-        e = JsonEmitter(json_mode=True)
-        e.set_workflow(simple_workflow)
-        e.set_client_id("c")
-        e.emit_node_cached("1")
-        out1 = {
-            "category": "images",
-            "node_id": "2",
-            "class_type": "SaveImage",
-            "title": "Save",
-            "filename": "x.png",
-            "subfolder": "",
-            "type": "output",
-            "url": "http://x",
-        }
-        e.emit_node_executed("2", [out1])
-        e.emit_completed()
-        events = [json.loads(line) for line in capsys.readouterr().out.splitlines() if line.strip()]
-        completed = events[-1]
-        assert completed["event"] == "completed"
-        assert completed["cached_node_ids"] == ["1"]
-        assert completed["executed_node_ids"] == ["2"]
-        assert completed["outputs"] == [out1]
-        assert isinstance(completed["elapsed_seconds"], float)
-        assert completed["elapsed_seconds"] >= 0
-
-    def test_cached_and_executed_can_overlap(self, capsys, simple_workflow):
-        """Cached output-bearing nodes emit both execution_cached and executed."""
-        e = JsonEmitter(json_mode=True)
-        e.set_workflow(simple_workflow)
-        e.set_client_id("c")
-        e.emit_node_cached("2")
-        e.emit_node_executed("2", [])
-        e.emit_completed()
-        events = [json.loads(line) for line in capsys.readouterr().out.splitlines() if line.strip()]
-        completed = events[-1]
-        assert "2" in completed["cached_node_ids"]
-        assert "2" in completed["executed_node_ids"]
-
-    def test_failed_event_carries_universal_and_extras(self, capsys):
-        e = JsonEmitter(json_mode=True)
-        e.set_client_id("c")
-        e.emit_failed("client_error", "Bad request", status_code=401, body="unauthorized")
-        event = json.loads(capsys.readouterr().out.strip())
-        assert event["event"] == "failed"
-        assert event["error"]["kind"] == "client_error"
-        assert event["error"]["message"] == "Bad request"
-        assert event["error"]["status_code"] == 401
-        assert event["error"]["body"] == "unauthorized"
-        assert event["client_id"] == "c"
-        assert event["prompt_id"] is None  # never set
-        assert isinstance(event["elapsed_seconds"], float)
-
-    def test_fail_helper_emits_event_and_returns_exit(self, capsys):
-        # JSON mode: the helper emits a `failed` event, returns a typer.Exit
-        # (not raised — caller raises so `from e` chaining is clean), and
-        # does NOT print prose (stdout stays NDJSON-only).
-        e = JsonEmitter(json_mode=True)
-        e.set_client_id("c")
-        result = e.fail("client_error", "Bad request", status_code=403, body="forbidden")
-        assert isinstance(result, typer.Exit)
-        assert result.exit_code == 1
-        out = capsys.readouterr().out
-        event = json.loads(out.strip())
-        assert event["event"] == "failed"
-        assert event["error"]["kind"] == "client_error"
-        assert event["error"]["message"] == "Bad request"
-        assert event["error"]["status_code"] == 403
-
-    def test_fail_helper_wraps_text_mode_message_in_bold_red(self, capsys):
-        # Non-JSON mode: the helper auto-wraps `message` in
-        # [bold red]...[/bold red] and returns typer.Exit (no event on stdout).
-        e = JsonEmitter(json_mode=False)
-        result = e.fail("client_error", "Bad request")
-        assert isinstance(result, typer.Exit)
-        out = capsys.readouterr().out
-        assert "Bad request" in out
-        # Rich strips markup tags but still applies the formatting; the
-        # message content must reach stdout. No NDJSON in text mode.
-        assert "failed" not in out  # no event was emitted
-
-    def test_fail_helper_rich_message_overrides_text_only(self, capsys):
-        # `rich_message` replaces the auto-wrapped text; JSON event still
-        # carries the original `message`.
-        e = JsonEmitter(json_mode=True)
-        e.set_client_id("c")
-        e.fail("client_error", "machine-readable", rich_message="human-friendly")
-        event = json.loads(capsys.readouterr().out.strip())
-        assert event["error"]["message"] == "machine-readable"
-        # In text mode it'd flip — verify separately.
-        e2 = JsonEmitter(json_mode=False)
-        e2.fail("client_error", "machine-readable", rich_message="human-friendly")
-        out = capsys.readouterr().out
-        assert "human-friendly" in out
-        assert "machine-readable" not in out
-
-    def test_title_falls_back_to_class_type(self, simple_workflow):
-        e = JsonEmitter(json_mode=True)
-        # Drop _meta.title from node 1
-        wf = {"1": {"class_type": "EmptyLatentImage", "inputs": {}}}
-        e.set_workflow(wf)
-        assert e.get_title("1") == "EmptyLatentImage"
+        env = json.loads(out.strip())
+        assert env["error"]["message"] == "found: 猫_00001_.png"
+        assert "猫" in out
 
-    def test_title_falls_back_to_node_id_for_unknown(self):
-        e = JsonEmitter(json_mode=True)
-        e.set_workflow({})
-        assert e.get_title("unknown") == "unknown"
-
-    def test_ascii_safe_emission(self, capsys):
-        """ensure_ascii=True: non-ASCII becomes \\u escapes."""
-        e = JsonEmitter(json_mode=True)
-        e.set_client_id("c")
-        e.emit_failed("workflow_not_found", "found: 猫_00001_.png")
+    def test_error_envelope_is_emitted_once(self, capsys, ndjson_renderer):
+        ndjson_renderer.error(code="workflow_not_found", message="first")
+        ndjson_renderer.error(code="workflow_empty", message="second")
         out, _ = capsys.readouterr()
-        # The wire must contain \u escapes, not raw UTF-8 bytes.
-        assert "\\u732b" in out
-        assert "猫" not in out
+        lines = _parse_lines(out)
+        assert len(lines) == 1
+        assert lines[0]["error"]["code"] == "workflow_not_found"
 
 
 class TestClassifyApiWorkflow:
@@ -347,16 +212,15 @@ def test_invalid_not_a_dict(self):
 
 
 class TestPreFlightFailures:
-    """Single `failed` event, prompt_id=null, client_id=null."""
+    """Single error envelope, no events, exit 1."""
 
     def test_workflow_not_found(self, capsys):
-        events = _run_execute_capture("/nonexistent.json", capsys)
-        assert len(events) == 1
-        assert events[0]["event"] == "failed"
-        assert events[0]["error"]["kind"] == "workflow_not_found"
-        assert events[0]["prompt_id"] is None
-        assert events[0]["client_id"] is None
-        assert events[0]["schema_version"] == 1
+        lines, exit_code = _run_execute_capture("/nonexistent.json", capsys)
+        assert exit_code == 1
+        assert len(lines) == 1
+        env = _envelope(lines)
+        assert env["ok"] is False
+        assert env["error"]["code"] == "workflow_not_found"
 
     def test_workflow_invalid_json(self, capsys):
         with tempfile.NamedTemporaryFile(mode="w", suffix=".json", delete=False) as f:
@@ -364,9 +228,9 @@ def test_workflow_invalid_json(self, capsys):
             path = f.name
         try:
             with patch("comfy_cli.command.run.check_comfy_server_running", return_value=True):
-                events = _run_execute_capture(path, capsys)
-            assert len(events) == 1
-            assert events[0]["error"]["kind"] == "workflow_invalid_json"
+                lines, exit_code = _run_execute_capture(path, capsys)
+            assert exit_code == 1
+            assert _envelope(lines)["error"]["code"] == "workflow_invalid_json"
         finally:
             os.unlink(path)
 
@@ -376,9 +240,9 @@ def test_workflow_read_error_unicode(self, capsys):
             path = f.name
         try:
             with patch("comfy_cli.command.run.check_comfy_server_running", return_value=True):
-                events = _run_execute_capture(path, capsys)
-            assert len(events) == 1
-            assert events[0]["error"]["kind"] == "workflow_read_error"
+                lines, exit_code = _run_execute_capture(path, capsys)
+            assert exit_code == 1
+            assert _envelope(lines)["error"]["code"] == "workflow_read_error"
         finally:
             os.unlink(path)
 
@@ -388,29 +252,29 @@ def test_workflow_empty_api(self, capsys):
             path = f.name
         try:
             with patch("comfy_cli.command.run.check_comfy_server_running", return_value=True):
-                events = _run_execute_capture(path, capsys)
-            assert len(events) == 1
-            assert events[0]["error"]["kind"] == "workflow_empty"
+                lines, exit_code = _run_execute_capture(path, capsys)
+            assert _envelope(lines)["error"]["code"] == "workflow_empty"
         finally:
             os.unlink(path)
 
-    def test_workflow_format_invalid(self, capsys):
+    def test_workflow_not_api_format(self, capsys):
         with tempfile.NamedTemporaryFile(mode="w", suffix=".json", delete=False) as f:
             json.dump({"foo": "bar"}, f)
             path = f.name
         try:
             with patch("comfy_cli.command.run.check_comfy_server_running", return_value=True):
-                events = _run_execute_capture(path, capsys)
-            assert len(events) == 1
-            assert events[0]["error"]["kind"] == "workflow_format_invalid"
+                lines, exit_code = _run_execute_capture(path, capsys)
+            assert _envelope(lines)["error"]["code"] == "workflow_not_api_format"
         finally:
             os.unlink(path)
 
-    def test_connection_error_server_down(self, workflow_file, capsys):
+    def test_server_not_running(self, workflow_file, capsys):
         with patch("comfy_cli.command.run.check_comfy_server_running", return_value=False):
-            events = _run_execute_capture(workflow_file, capsys)
-        assert len(events) == 1
-        assert events[0]["error"]["kind"] == "connection_error"
+            lines, exit_code = _run_execute_capture(workflow_file, capsys)
+        assert exit_code == 1
+        env = _envelope(lines)
+        assert env["error"]["code"] == "server_not_running"
+        assert env["error"]["details"]["port"] == 8188
 
 
 class TestSuccessfulRun:
@@ -418,18 +282,25 @@ def test_no_wait_emits_prompt_preview_then_queued(self, workflow_file, capsys):
         with (
             patch("comfy_cli.command.run.check_comfy_server_running", return_value=True),
             patch("comfy_cli.command.run.request.urlopen") as mock_open,
+            patch("comfy_cli.command.run._spawn_watcher", return_value=True),
         ):
             mock_open.return_value.read.return_value = json.dumps({"prompt_id": "p123"}).encode()
-            events = _run_execute_capture(workflow_file, capsys, wait=False)
-        # prompt_preview is always emitted in --json before queued so agents
-        # have a full audit trail of the submitted workflow graph.
-        assert [e["event"] for e in events] == ["prompt_preview", "queued"]
-        assert events[0]["prompt"]
-        assert events[1]["prompt_id"] == "p123"
-        assert events[1]["validation_warnings"] == []
-
-    def test_completed_event_after_success(self, workflow_file, capsys):
-        """Mocked WS flow → expect queued + node_* + completed."""
+            lines, exit_code = _run_execute_capture(workflow_file, capsys, wait=False)
+        assert exit_code == 0
+        # prompt_preview is always emitted before queued so agents have a
+        # full audit trail of the submitted workflow graph.
+        assert [e["type"] for e in _events(lines)] == ["prompt_preview", "queued"]
+        assert _events(lines)[0]["prompt"]
+        queued = _events(lines)[1]
+        assert queued["prompt_id"] == "p123"
+        assert queued["validation_warnings"] == []
+        env = _envelope(lines)
+        assert env["ok"] is True
+        assert env["data"]["status"] == "queued"
+        assert env["data"]["prompt_id"] == "p123"
+
+    def test_envelope_after_success(self, workflow_file, capsys):
+        """Mocked WS flow → queued + executing/executed/output events + ok envelope."""
         with (
             patch("comfy_cli.command.run.check_comfy_server_running", return_value=True),
             patch("comfy_cli.command.run.request.urlopen") as mock_open,
@@ -449,19 +320,24 @@ def msg(t, **d):
                 ),
                 msg("executing", node=None),
             ]
-            events = _run_execute_capture(workflow_file, capsys, wait=True)
+            lines, exit_code = _run_execute_capture(workflow_file, capsys, wait=True)
 
-        terminal = events[-1]
-        assert terminal["event"] == "completed"
-        assert terminal["prompt_id"] == "p"
-        assert len(terminal["outputs"]) == 1
-        assert terminal["outputs"][0]["filename"] == "x.png"
-        assert terminal["outputs"][0]["category"] == "images"
-        assert terminal["executed_node_ids"] == ["1"]
+        assert exit_code == 0
+        types = [e["type"] for e in _events(lines)]
+        assert types == ["prompt_preview", "queued", "executing", "executed", "output"]
+        executed = next(e for e in _events(lines) if e["type"] == "executed")
+        assert executed["outputs"][0]["filename"] == "x.png"
+        assert executed["outputs"][0]["category"] == "images"
+        env = _envelope(lines)
+        assert env["ok"] is True
+        assert env["data"]["status"] == "completed"
+        assert env["data"]["prompt_id"] == "p"
+        assert len(env["data"]["outputs"]) == 1
+        assert env["data"]["executed_node_ids"] == ["1"]
 
 
 class TestQueueHttpErrors:
-    """Verify the 5-way HTTP error mapping for /prompt failures."""
+    """Verify the HTTP error mapping for /prompt failures."""
 
     def _setup_and_run(self, workflow_file, http_response, capsys, status=None, body=b""):
         with (
@@ -476,23 +352,25 @@ def _setup_and_run(self, workflow_file, http_response, capsys, status=None, body
                 mock_open.side_effect = _make_http_error(status, body)
             return _run_execute_capture(workflow_file, capsys)
 
-    def test_400_with_node_errors_routes_to_validation_error(self, workflow_file, capsys):
+    def test_400_with_node_errors_routes_to_prompt_rejected(self, workflow_file, capsys):
         body = json.dumps(
             {
                 "error": {"type": "x", "message": "y"},
                 "node_errors": {"1": {"errors": [{"type": "z", "message": "bad"}], "class_type": "X"}},
             }
         ).encode()
-        events = self._setup_and_run(workflow_file, None, capsys, status=400, body=body)
-        terminal = events[-1]
-        assert terminal["error"]["kind"] == "validation_error"
-        node_errors = terminal["error"]["node_errors"]
+        lines, exit_code = self._setup_and_run(workflow_file, None, capsys, status=400, body=body)
+        assert exit_code == 1
+        env = _envelope(lines)
+        assert env["error"]["code"] == "prompt_rejected"
+        node_errors = env["error"]["details"]["node_errors"]
         assert isinstance(node_errors, list)
         assert any(rec["node_id"] == "1" for rec in node_errors)
 
     @pytest.mark.parametrize(
-        "status,body,kind",
+        "status,body,code",
         [
+            (400, b"plain bad request", "client_error"),
             (401, b"unauthorized", "client_error"),
             (403, b"forbidden", "client_error"),
             (429, b"too many", "client_error"),
@@ -500,50 +378,31 @@ def test_400_with_node_errors_routes_to_validation_error(self, workflow_file, ca
             (503, b"down", "server_error"),
         ],
     )
-    def test_http_status_routes_to_kind(self, workflow_file, capsys, status, body, kind):
-        events = self._setup_and_run(workflow_file, None, capsys, status=status, body=body)
-        terminal = events[-1]
-        assert terminal["error"]["kind"] == kind
-        assert terminal["error"]["status_code"] == status
-        assert terminal["error"]["body"] == body.decode()
+    def test_http_status_routes_to_code(self, workflow_file, capsys, status, body, code):
+        lines, exit_code = self._setup_and_run(workflow_file, None, capsys, status=status, body=body)
+        assert exit_code == 1
+        env = _envelope(lines)
+        assert env["error"]["code"] == code
+        assert env["error"]["details"]["status"] == status
+        assert env["error"]["details"]["body"] == body.decode()
 
     def test_200_with_non_json_body_routes_to_invalid_response(self, workflow_file, capsys):
-        with (
-            patch("comfy_cli.command.run.check_comfy_server_running", return_value=True),
-            patch("comfy_cli.command.run.request.urlopen") as mock_open,
-            patch("comfy_cli.command.run.WebSocket"),
-        ):
-            mock_open.return_value.read.return_value = b"<html>garbage</html>"
-            events = _run_execute_capture(workflow_file, capsys)
-        terminal = events[-1]
-        assert terminal["error"]["kind"] == "invalid_response"
-        assert terminal["error"]["status_code"] == 200
+        lines, exit_code = self._setup_and_run(workflow_file, b"<html>garbage</html>", capsys)
+        env = _envelope(lines)
+        assert env["error"]["code"] == "invalid_response"
+        assert env["error"]["details"]["status"] == 200
 
     def test_200_without_prompt_id_routes_to_invalid_response(self, workflow_file, capsys):
-        with (
-            patch("comfy_cli.command.run.check_comfy_server_running", return_value=True),
-            patch("comfy_cli.command.run.request.urlopen") as mock_open,
-            patch("comfy_cli.command.run.WebSocket"),
-        ):
-            mock_open.return_value.read.return_value = json.dumps({"other": "x"}).encode()
-            events = _run_execute_capture(workflow_file, capsys)
-        terminal = events[-1]
-        assert terminal["error"]["kind"] == "invalid_response"
+        lines, exit_code = self._setup_and_run(workflow_file, json.dumps({"other": "x"}).encode(), capsys)
+        assert _envelope(lines)["error"]["code"] == "invalid_response"
 
     def test_200_with_utf16_bom_body_routes_to_invalid_response(self, workflow_file, capsys):
         # `json.loads(bytes)` sniffs encoding before parsing — a UTF-16 BOM
         # makes it raise `UnicodeDecodeError`, not `JSONDecodeError`.
-        with (
-            patch("comfy_cli.command.run.check_comfy_server_running", return_value=True),
-            patch("comfy_cli.command.run.request.urlopen") as mock_open,
-            patch("comfy_cli.command.run.WebSocket"),
-        ):
-            mock_open.return_value.read.return_value = b"\x00\x01\xff\xfeNOT JSON \x80\x81"
-            events = _run_execute_capture(workflow_file, capsys)
-        terminal = events[-1]
-        assert terminal["event"] == "failed"
-        assert terminal["error"]["kind"] == "invalid_response"
-        assert terminal["error"]["status_code"] == 200
+        lines, exit_code = self._setup_and_run(workflow_file, b"\x00\x01\xff\xfeNOT JSON \x80\x81", capsys)
+        env = _envelope(lines)
+        assert env["error"]["code"] == "invalid_response"
+        assert env["error"]["details"]["status"] == 200
 
     def test_url_error_routes_to_connection_error(self, workflow_file, capsys):
         with (
@@ -552,12 +411,11 @@ def test_url_error_routes_to_connection_error(self, workflow_file, capsys):
             patch("comfy_cli.command.run.WebSocket"),
         ):
             mock_open.side_effect = urllib.error.URLError("refused")
-            events = _run_execute_capture(workflow_file, capsys)
-        terminal = events[-1]
-        assert terminal["error"]["kind"] == "connection_error"
+            lines, exit_code = _run_execute_capture(workflow_file, capsys)
+        assert _envelope(lines)["error"]["code"] == "connection_error"
 
     def test_validation_warnings_on_200_with_partial_node_errors(self, workflow_file, capsys):
-        """200 + non-empty node_errors → emit `queued` with validation_warnings populated."""
+        """200 + non-empty node_errors → `queued` with validation_warnings populated."""
         with (
             patch("comfy_cli.command.run.check_comfy_server_running", return_value=True),
             patch("comfy_cli.command.run.request.urlopen") as mock_open,
@@ -575,16 +433,36 @@ def test_validation_warnings_on_200_with_partial_node_errors(self, workflow_file
             ws_instance.recv.side_effect = [
                 json.dumps({"type": "executing", "data": {"prompt_id": "p", "node": None}}),
             ]
-            events = _run_execute_capture(workflow_file, capsys)
-        queued = next(e for e in events if e["event"] == "queued")
+            lines, exit_code = _run_execute_capture(workflow_file, capsys)
+        queued = next(e for e in _events(lines) if e["type"] == "queued")
         warnings = queued["validation_warnings"]
         assert isinstance(warnings, list)
-        assert any(rec["node_id"] == "3" for rec in warnings)
         rec = next(rec for rec in warnings if rec["node_id"] == "3")
         assert rec["class_type"] == "X"
         assert rec["errors"][0]["message"] == "skipped"
 
 
+class TestQueuedEventShape:
+    def test_queued_nodes_manifest_from_workflow(self, workflow_file, capsys, simple_workflow):
+        """`nodes` lists one entry per workflow node with node_id, class_type, title."""
+        with (
+            patch("comfy_cli.command.run.check_comfy_server_running", return_value=True),
+            patch("comfy_cli.command.run.request.urlopen") as mock_open,
+            patch("comfy_cli.command.run._spawn_watcher", return_value=True),
+        ):
+            mock_open.return_value.read.return_value = json.dumps({"prompt_id": "p"}).encode()
+            lines, exit_code = _run_execute_capture(workflow_file, capsys, wait=False)
+        queued = next(e for e in _events(lines) if e["type"] == "queued")
+        assert queued["client_id"]
+        nodes = queued["nodes"]
+        assert len(nodes) == 2
+        by_id = {n["node_id"]: n for n in nodes}
+        assert by_id["1"]["class_type"] == "EmptyLatentImage"
+        assert by_id["1"]["title"] == "Latent"  # _meta.title wins
+        assert by_id["2"]["class_type"] == "SaveImage"
+        assert by_id["2"]["title"] == "Save"
+
+
 class TestWebSocketEvents:
     def _run_with_ws_messages(self, workflow_file, recv_side_effect, capsys):
         with (
@@ -599,46 +477,49 @@ def _run_with_ws_messages(self, workflow_file, recv_side_effect, capsys):
             return _run_execute_capture(workflow_file, capsys)
 
     def test_websocket_timeout(self, workflow_file, capsys):
-        events = self._run_with_ws_messages(
+        lines, exit_code = self._run_with_ws_messages(
             workflow_file,
             WebSocketTimeoutException("timed out"),
             capsys,
         )
-        terminal = events[-1]
-        assert terminal["error"]["kind"] == "timeout"
-        assert isinstance(terminal["error"]["timeout_seconds"], float)
+        assert exit_code == 1
+        env = _envelope(lines)
+        assert env["error"]["code"] == "ws_timeout"
+        assert env["error"]["details"]["timeout"] == 30
 
     def test_connection_lost_websocket(self, workflow_file, capsys):
-        events = self._run_with_ws_messages(
+        lines, exit_code = self._run_with_ws_messages(
             workflow_file,
             WebSocketException("dropped"),
             capsys,
         )
-        terminal = events[-1]
-        assert terminal["error"]["kind"] == "connection_lost"
+        assert exit_code == 1
+        assert _envelope(lines)["error"]["code"] == "ws_disconnected"
 
-    def test_keyboard_interrupt_emits_execution_interrupted(self, workflow_file, capsys):
-        events = self._run_with_ws_messages(
+    def test_keyboard_interrupt_maps_to_cancelled_exit_130(self, workflow_file, capsys):
+        lines, exit_code = self._run_with_ws_messages(
             workflow_file,
             KeyboardInterrupt(),
             capsys,
         )
-        terminal = events[-1]
-        assert terminal["event"] == "failed"
-        assert terminal["error"]["kind"] == "execution_interrupted"
+        assert exit_code == 130
+        env = _envelope(lines)
+        assert env["ok"] is False
+        assert env["error"]["code"] == "cancelled"
 
     def test_malformed_frame_is_skipped_run_completes(self, workflow_file, capsys):
-        """We silently skip malformed JSON frames mid-stream. A valid
-        executing(node=None) frame following the bad one should still
-        terminate the run normally with `completed`."""
-        events = self._run_with_ws_messages(
+        """Malformed JSON frames are silently skipped mid-stream. A valid
+        executing(node=None) frame following the bad one still terminates
+        the run normally with an ok envelope."""
+        lines, exit_code = self._run_with_ws_messages(
             workflow_file,
             ["{not json", json.dumps({"type": "executing", "data": {"prompt_id": "p", "node": None}})],
             capsys,
         )
-        # No crash, normal completion path reached.
-        terminal = events[-1]
-        assert terminal["event"] == "completed"
+        assert exit_code == 0
+        env = _envelope(lines)
+        assert env["ok"] is True
+        assert env["data"]["status"] == "completed"
 
     def test_execution_error(self, workflow_file, capsys):
         messages = [
@@ -657,20 +538,27 @@ def test_execution_error(self, workflow_file, capsys):
                 }
             ),
         ]
-        events = self._run_with_ws_messages(workflow_file, messages, capsys)
-        terminal = events[-1]
-        assert terminal["error"]["kind"] == "execution_error"
-        assert terminal["error"]["node_id"] == "1"
-        assert terminal["error"]["class_type"] == "EmptyLatentImage"
-        assert terminal["error"]["exception_type"] == "RuntimeError"
-        assert terminal["error"]["title"] == "Latent"  # from _meta.title
-        assert isinstance(terminal["error"]["traceback"], str)
-        assert "raise RuntimeError" in terminal["error"]["traceback"]
+        lines, exit_code = self._run_with_ws_messages(workflow_file, messages, capsys)
+        assert exit_code == 1
+        # An `execution_error` event precedes the error envelope.
+        assert any(e["type"] == "execution_error" for e in _events(lines))
+        env = _envelope(lines)
+        assert env["error"]["code"] == "execution_error"
+        assert env["error"]["message"] == "EmptyLatentImage (node 1): boom"
+        details = env["error"]["details"]
+        assert details["node_id"] == "1"
+        assert details["class_type"] == "EmptyLatentImage"
+        assert details["exception_type"] == "RuntimeError"
+        assert details["title"] == "Latent"  # from _meta.title
+        # The envelope carries only the traceback tail; the full traceback
+        # stays on the execution_error event.
+        assert isinstance(details["traceback_tail"], list)
+        assert any("raise RuntimeError" in frame for frame in details["traceback_tail"])
+        assert "traceback" not in details
 
     def test_execution_error_node_id_coerced_to_str(self, workflow_file, capsys):
-        # If ComfyUI ever sends node_id as an int in execution_error (other
-        # node_id-bearing events all string-coerce defensively), the
-        # contract still requires a string.
+        # If ComfyUI ever sends node_id as an int, the contract still
+        # requires a string in details.node_id.
         messages = [
             json.dumps({"type": "executing", "data": {"prompt_id": "p", "node": "1"}}),
             json.dumps(
@@ -687,26 +575,30 @@ def test_execution_error_node_id_coerced_to_str(self, workflow_file, capsys):
                 }
             ),
         ]
-        events = self._run_with_ws_messages(workflow_file, messages, capsys)
-        terminal = events[-1]
-        assert terminal["error"]["kind"] == "execution_error"
-        assert terminal["error"]["node_id"] == "7"
-        assert isinstance(terminal["error"]["node_id"], str)
+        lines, exit_code = self._run_with_ws_messages(workflow_file, messages, capsys)
+        env = _envelope(lines)
+        assert env["error"]["code"] == "execution_error"
+        assert env["error"]["details"]["node_id"] == "7"
+        assert isinstance(env["error"]["details"]["node_id"], str)
 
-    def test_execution_interrupted(self, workflow_file, capsys):
+    def test_server_side_interrupt_maps_to_cancelled_exit_130(self, workflow_file, capsys):
         messages = [
             json.dumps({"type": "executing", "data": {"prompt_id": "p", "node": "1"}}),
             json.dumps({"type": "execution_interrupted", "data": {"prompt_id": "p"}}),
         ]
-        events = self._run_with_ws_messages(workflow_file, messages, capsys)
-        terminal = events[-1]
-        assert terminal["error"]["kind"] == "execution_interrupted"
+        lines, exit_code = self._run_with_ws_messages(workflow_file, messages, capsys)
+        assert exit_code == 130
+        assert _envelope(lines)["error"]["code"] == "cancelled"
 
 
 class TestOutputObject:
     def _exec(self, simple_workflow):
         return _make_workflow_execution(simple_workflow, with_progress=True)
 
+    def _executed_event(self, capsys):
+        events = _parse_lines(capsys.readouterr().out)
+        return next(e for e in events if e["type"] == "executed")
+
     def test_duck_typed_filter_skips_strings(self, simple_workflow, capsys):
         """ComfyUI's `text` output key emits a list of strings; the filter must skip non-file shapes."""
         ex = self._exec(simple_workflow)
@@ -720,8 +612,7 @@ def test_duck_typed_filter_skips_strings(self, simple_workflow, capsys):
                 },
             }
         )
-        events = [json.loads(line) for line in capsys.readouterr().out.splitlines() if line.strip()]
-        executed = next(e for e in events if e["event"] == "node_executed")
+        executed = self._executed_event(capsys)
         assert len(executed["outputs"]) == 1
         assert executed["outputs"][0]["category"] == "images"
 
@@ -738,8 +629,7 @@ def test_duck_typed_filter_skips_booleans(self, simple_workflow, capsys):
                 },
             }
         )
-        events = [json.loads(line) for line in capsys.readouterr().out.splitlines() if line.strip()]
-        executed = next(e for e in events if e["event"] == "node_executed")
+        executed = self._executed_event(capsys)
         assert len(executed["outputs"]) == 1
 
     def test_audio_category_recognized(self, simple_workflow, capsys):
@@ -753,8 +643,7 @@ def test_audio_category_recognized(self, simple_workflow, capsys):
                 },
             }
         )
-        events = [json.loads(line) for line in capsys.readouterr().out.splitlines() if line.strip()]
-        executed = next(e for e in events if e["event"] == "node_executed")
+        executed = self._executed_event(capsys)
         assert executed["outputs"][0]["category"] == "audio"
         assert executed["outputs"][0]["filename"] == "a.wav"
         assert executed["outputs"][0]["subfolder"] == "sf"
@@ -770,8 +659,8 @@ def test_output_url_has_correct_format(self, simple_workflow, capsys):
                 },
             }
         )
-        events = [json.loads(line) for line in capsys.readouterr().out.splitlines() if line.strip()]
-        url = events[-1]["outputs"][0]["url"]
+        executed = self._executed_event(capsys)
+        url = executed["outputs"][0]["url"]
         assert url.startswith("http://127.0.0.1:8188/view?")
         assert "filename=x.png" in url
         assert "type=output" in url
@@ -787,8 +676,42 @@ def test_missing_subfolder_defaults_to_empty_string(self, simple_workflow, capsy
                 },
             }
         )
-        events = [json.loads(line) for line in capsys.readouterr().out.splitlines() if line.strip()]
-        assert events[-1]["outputs"][0]["subfolder"] == ""
+        executed = self._executed_event(capsys)
+        assert executed["outputs"][0]["subfolder"] == ""
+
+
+class TestNodeBookkeeping:
+    """`cached_node_ids` / `executed_node_ids` aggregation surfaced in the
+    success envelope (ported from the emitter's `completed` event)."""
+
+    def test_cached_and_executed_can_overlap(self, simple_workflow):
+        """Cached output-bearing nodes appear in both lists."""
+        ex = _make_workflow_execution(simple_workflow)
+        ex.prompt_id = "p"
+        ex.on_cached({"nodes": ["2"]})
+        ex.on_executed({"node": "2"})
+        assert "2" in ex.cached_node_ids
+        assert "2" in ex.executed_node_ids
+
+    def test_node_ids_coerced_to_str(self, simple_workflow, capsys):
+        ex = _make_workflow_execution(simple_workflow)
+        ex.prompt_id = "p"
+        ex.on_executing({"node": 2})
+        ex.on_cached({"nodes": [1]})
+        ex.on_executed({"node": 2})
+        assert ex.executed_node_ids == ["2"]
+        assert ex.cached_node_ids == ["1"]
+        events = _parse_lines(capsys.readouterr().out)
+        for ev in events:
+            assert isinstance(ev["node"], str), f"{ev['type']} node is {type(ev['node']).__name__}"
+
+    def test_title_falls_back_to_class_type(self):
+        ex = _make_workflow_execution({"1": {"class_type": "EmptyLatentImage", "inputs": {}}})
+        assert ex.get_node_title("1") == "EmptyLatentImage"
+
+    def test_title_falls_back_to_node_id_for_unknown(self):
+        ex = _make_workflow_execution({})
+        assert ex.get_node_title("unknown") == "unknown"
 
 
 UI_WORKFLOW = {
@@ -853,22 +776,22 @@ def test_tilde_path_is_expanded_before_existence_check(self, capsys, monkeypatch
         workflow_path = tmp_path / "wf.json"
         workflow_path.write_text(json.dumps({"1": {"class_type": "X", "inputs": {}}}))
         monkeypatch.setenv("HOME", str(tmp_path))
-        events = _run_execute_capture("~/wf.json", capsys, print_prompt=True)
-        assert events[0]["event"] == "prompt_preview", events
+        lines, exit_code = _run_execute_capture("~/wf.json", capsys, print_prompt=True)
+        assert _events(lines)[0]["type"] == "prompt_preview", lines
 
     def test_tilde_path_to_missing_file_reports_expanded_path(self, capsys, monkeypatch, tmp_path):
         monkeypatch.setenv("HOME", str(tmp_path))
-        events = _run_execute_capture("~/missing.json", capsys, print_prompt=True)
-        assert events[0]["event"] == "failed"
-        assert events[0]["error"]["kind"] == "workflow_not_found"
+        lines, exit_code = _run_execute_capture("~/missing.json", capsys, print_prompt=True)
+        env = _envelope(lines)
+        assert env["error"]["code"] == "workflow_not_found"
         # The error message should name the resolved path so the user can
         # see exactly where we looked.
-        assert str(tmp_path) in events[0]["error"]["message"]
+        assert str(tmp_path) in env["error"]["message"]
 
 
 class TestCliRunnerIntegration:
     """End-to-end: the typer entry callback chain (consent prompt, decorators,
-    config init) must not leak any prose to stdout in JSON mode. Direct
+    config init) must not leak any prose to stdout in stream mode. Direct
     `execute()` tests bypass this seam; agents on a fresh machine with
     no recorded consent are exactly where the original prompt-corrupts-stream
     bug would have hidden."""
@@ -880,22 +803,25 @@ def _make_workflow_file(self, tmp_path):
 
     def test_cli_json_print_prompt_emits_clean_ndjson(self, tmp_path):
         # Smoke: default config state, --json --print-prompt → every stdout
-        # line is valid JSON with `event` and `schema_version`.
+        # line is valid JSON with `schema` and `type`, ending in an envelope.
         from typer.testing import CliRunner
 
         from comfy_cli.cmdline import app
 
         runner = CliRunner()  # non-TTY by default
         result = runner.invoke(
-            app, ["run", "--workflow", self._make_workflow_file(tmp_path), "--json", "--print-prompt"]
+            app,
+            ["run", "--workflow", self._make_workflow_file(tmp_path), "--json", "--print-prompt"],
+            env={"COMFY_WHERE": "local"},
         )
         assert result.exit_code == 0, f"stdout={result.stdout!r}\nexc={result.exception!r}"
-        lines = [line for line in result.stdout.splitlines() if line.strip()]
+        lines = _parse_lines(result.stdout)
         assert lines, "expected at least one NDJSON line"
-        for line in lines:
-            event = json.loads(line)
-            assert "event" in event
-            assert "schema_version" in event
+        for ln in lines:
+            assert "schema" in ln
+            assert "type" in ln
+        env = _envelope(lines)
+        assert env["ok"] is True
         # Consent prompt text must not appear.
         assert "Do you agree" not in result.stdout
         assert "improve the application" not in result.stdout
@@ -919,20 +845,19 @@ def test_cli_json_with_fresh_consent_state_stays_clean(self, tmp_path):
         ):
             runner = CliRunner()
             result = runner.invoke(
-                app, ["run", "--workflow", self._make_workflow_file(tmp_path), "--json", "--print-prompt"]
+                app,
+                ["run", "--workflow", self._make_workflow_file(tmp_path), "--json", "--print-prompt"],
+                env={"COMFY_WHERE": "local"},
             )
         assert result.exit_code == 0, f"stdout={result.stdout!r}\nexc={result.exception!r}"
-        for line in result.stdout.splitlines():
-            if not line.strip():
-                continue
-            event = json.loads(line)
-            assert "event" in event
+        for ln in _parse_lines(result.stdout):
+            assert "type" in ln
         assert "Do you agree" not in result.stdout
         assert "tracking" not in result.stdout.lower()
 
 
 class TestPromptPreviewAlwaysEmitted:
-    """In JSON mode the converted workflow graph is always emitted as a
+    """In stream mode the converted workflow graph is always emitted as a
     `prompt_preview` event before `queued`. Agents debugging conversions
     or building an audit trail get full visibility without re-running
     with a flag."""
@@ -949,12 +874,12 @@ def test_api_input_emits_prompt_preview_before_queued(self, workflow_file, capsy
             ws_instance.recv.side_effect = [
                 json.dumps({"type": "executing", "data": {"prompt_id": "p", "node": None}}),
             ]
-            events = _run_execute_capture(workflow_file, capsys)
-        kinds = [e["event"] for e in events]
-        assert kinds[0] == "prompt_preview"
-        assert "queued" in kinds
-        assert kinds.index("prompt_preview") < kinds.index("queued")
-        assert events[0]["prompt"]["1"]["class_type"] == "EmptyLatentImage"
+            lines, exit_code = _run_execute_capture(workflow_file, capsys)
+        types = [e["type"] for e in _events(lines)]
+        assert types[0] == "prompt_preview"
+        assert "queued" in types
+        assert types.index("prompt_preview") < types.index("queued")
+        assert _events(lines)[0]["prompt"]["1"]["class_type"] == "EmptyLatentImage"
 
     def test_ui_input_emits_converted_then_prompt_preview_then_queued(self, ui_workflow_file, capsys):
         with (
@@ -969,12 +894,12 @@ def test_ui_input_emits_converted_then_prompt_preview_then_queued(self, ui_workf
             ws_instance.recv.side_effect = [
                 json.dumps({"type": "executing", "data": {"prompt_id": "p", "node": None}}),
             ]
-            events = _run_execute_capture(ui_workflow_file, capsys)
-        kinds = [e["event"] for e in events]
-        # Ordering: converted, prompt_preview, queued (then node_* / completed).
-        c = kinds.index("converted")
-        p = kinds.index("prompt_preview")
-        q = kinds.index("queued")
+            lines, exit_code = _run_execute_capture(ui_workflow_file, capsys)
+        types = [e["type"] for e in _events(lines)]
+        # Ordering: converted, prompt_preview, queued (then per-node events).
+        c = types.index("converted")
+        p = types.index("prompt_preview")
+        q = types.index("queued")
         assert c < p < q
 
     def test_prompt_preview_excludes_client_id_and_extra_data(self, workflow_file, capsys):
@@ -991,8 +916,8 @@ def test_prompt_preview_excludes_client_id_and_extra_data(self, workflow_file, c
             ws_instance.recv.side_effect = [
                 json.dumps({"type": "executing", "data": {"prompt_id": "p", "node": None}}),
             ]
-            events = _run_execute_capture(workflow_file, capsys, api_key="sk-secret")
-        preview = next(e for e in events if e["event"] == "prompt_preview")
+            lines, exit_code = _run_execute_capture(workflow_file, capsys, api_key="sk-secret")
+        preview = next(e for e in _events(lines) if e["type"] == "prompt_preview")
         prompt = preview["prompt"]
         assert "client_id" not in prompt
         assert "extra_data" not in prompt
@@ -1004,23 +929,25 @@ class TestPrintPrompt:
     without POSTing. UI input still needs `/object_info`; API input
     doesn't touch the server at all."""
 
-    def test_api_input_emits_prompt_preview_and_no_other_events(self, workflow_file, capsys):
+    def test_api_input_emits_prompt_preview_and_envelope_only(self, workflow_file, capsys):
         # No server probe, no /object_info fetch — API input is printed as-is.
         with (
             patch("comfy_cli.command.run.check_comfy_server_running") as mock_check,
             patch("comfy_cli.command.run.fetch_object_info") as mock_fetch,
             patch("comfy_cli.command.run.request.urlopen") as mock_post,
         ):
-            events = _run_execute_capture(workflow_file, capsys, print_prompt=True)
+            lines, exit_code = _run_execute_capture(workflow_file, capsys, print_prompt=True)
         assert mock_check.call_count == 0
         assert mock_fetch.call_count == 0
         assert mock_post.call_count == 0
-        assert len(events) == 1
-        assert events[0]["event"] == "prompt_preview"
-        assert events[0]["schema_version"] == 1
-        assert isinstance(events[0]["prompt"], dict)
-        assert "1" in events[0]["prompt"]
-        assert events[0]["prompt"]["1"]["class_type"] == "EmptyLatentImage"
+        assert exit_code == 0
+        assert [e["type"] for e in _events(lines)] == ["prompt_preview"]
+        preview = _events(lines)[0]
+        assert preview["schema"] == "event/1"
+        assert preview["prompt"]["1"]["class_type"] == "EmptyLatentImage"
+        env = _envelope(lines)
+        assert env["ok"] is True
+        assert env["data"]["status"] == "preview"
 
     def test_ui_input_emits_converted_then_prompt_preview(self, ui_workflow_file, capsys):
         with (
@@ -1028,10 +955,10 @@ def test_ui_input_emits_converted_then_prompt_preview(self, ui_workflow_file, ca
             patch("comfy_cli.command.run.fetch_object_info", return_value=OBJECT_INFO),
             patch("comfy_cli.command.run.request.urlopen") as mock_post,
         ):
-            events = _run_execute_capture(ui_workflow_file, capsys, print_prompt=True)
+            lines, exit_code = _run_execute_capture(ui_workflow_file, capsys, print_prompt=True)
         assert mock_post.call_count == 0
-        assert [e["event"] for e in events] == ["converted", "prompt_preview"]
-        prompt = events[1]["prompt"]
+        assert [e["type"] for e in _events(lines)] == ["converted", "prompt_preview"]
+        prompt = _events(lines)[1]["prompt"]
         assert isinstance(prompt, dict)
         # The converted prompt should have entries for the UI nodes.
         assert len(prompt) >= 1
@@ -1044,31 +971,31 @@ def test_ui_input_with_unreachable_object_info_routes_to_connection_error(self,
         with (
             patch("comfy_cli.command.run.request.urlopen", side_effect=urllib.error.URLError("Connection refused")),
         ):
-            events = _run_execute_capture(ui_workflow_file, capsys, print_prompt=True)
-        assert events[-1]["event"] == "failed"
-        assert events[-1]["error"]["kind"] == "connection_error"
+            lines, exit_code = _run_execute_capture(ui_workflow_file, capsys, print_prompt=True)
+        assert exit_code == 1
+        assert _envelope(lines)["error"]["code"] == "connection_error"
 
     def test_api_input_works_with_offline_server(self, workflow_file, capsys):
         # Hard-fail the server probe — the API path must not call it under --print-prompt.
         with patch(
             "comfy_cli.command.run.check_comfy_server_running", side_effect=AssertionError("must not be called")
         ):
-            events = _run_execute_capture(workflow_file, capsys, print_prompt=True)
-        assert len(events) == 1
-        assert events[0]["event"] == "prompt_preview"
+            lines, exit_code = _run_execute_capture(workflow_file, capsys, print_prompt=True)
+        assert _events(lines)[0]["type"] == "prompt_preview"
 
     def test_print_prompt_does_not_include_api_key_or_client_id(self, workflow_file, capsys):
         # The prompt_preview body should only carry the workflow graph,
         # not the runtime POST envelope (which would otherwise leak the api_key).
-        events = _run_execute_capture(workflow_file, capsys, print_prompt=True, api_key="sk-secret")
-        prompt = events[0]["prompt"]
+        lines, exit_code = _run_execute_capture(workflow_file, capsys, print_prompt=True, api_key="sk-secret")
+        prompt = _events(lines)[0]["prompt"]
         assert "extra_data" not in prompt
         assert "client_id" not in prompt
         assert "sk-secret" not in json.dumps(prompt)
 
     def test_print_prompt_text_mode_pretty_prints_json(self, workflow_file, capsys):
+        set_renderer(Renderer(mode=OutputMode.PRETTY))
         try:
-            execute(workflow_file, host="127.0.0.1", port=8188, print_prompt=True, json_mode=False)
+            execute(workflow_file, host="127.0.0.1", port=8188, print_prompt=True)
         except typer.Exit:
             pass
         out, _err = capsys.readouterr()
@@ -1077,24 +1004,24 @@ def test_print_prompt_text_mode_pretty_prints_json(self, workflow_file, capsys):
         assert parsed["1"]["class_type"] == "EmptyLatentImage"
 
     def test_print_prompt_does_not_post_when_workflow_invalid(self, capsys):
-        # Pre-flight failures (workflow_not_found, workflow_format_invalid)
-        # still trigger `failed` and exit 1 under --print-prompt.
+        # Pre-flight failures (workflow_not_found, workflow_not_api_format)
+        # still produce an error envelope and exit 1 under --print-prompt.
         with tempfile.NamedTemporaryFile(mode="w", suffix=".json", delete=False) as f:
             json.dump({"not": "a workflow"}, f)
             path = f.name
         try:
-            events = _run_execute_capture(path, capsys, print_prompt=True)
-            assert events[-1]["event"] == "failed"
-            assert events[-1]["error"]["kind"] == "workflow_format_invalid"
+            lines, exit_code = _run_execute_capture(path, capsys, print_prompt=True)
+            assert exit_code == 1
+            assert _envelope(lines)["error"]["code"] == "workflow_not_api_format"
         finally:
             os.unlink(path)
 
 
 class TestConvertedAndConversionErrors:
-    """UI-input event path and the conversion_error / conversion_crash kinds."""
+    """UI-input event path and the conversion_error / conversion_crash codes."""
 
     def test_converted_event_for_ui_input(self, ui_workflow_file, capsys):
-        """Spec lines 84-98: `converted` is the first event when input is UI format."""
+        """`converted` is the first event when input is UI format."""
         with (
             patch("comfy_cli.command.run.check_comfy_server_running", return_value=True),
             patch("comfy_cli.command.run.fetch_object_info", return_value=OBJECT_INFO),
@@ -1107,14 +1034,15 @@ def test_converted_event_for_ui_input(self, ui_workflow_file, capsys):
             ws_instance.recv.side_effect = [
                 json.dumps({"type": "executing", "data": {"prompt_id": "p", "node": None}}),
             ]
-            events = _run_execute_capture(ui_workflow_file, capsys)
+            lines, exit_code = _run_execute_capture(ui_workflow_file, capsys)
 
-        assert events[0]["event"] == "converted"
-        assert events[0]["schema_version"] == 1
-        assert events[0]["node_count"] == 2  # the UI workflow has 2 nodes
+        converted = _events(lines)[0]
+        assert converted["type"] == "converted"
+        assert converted["schema"] == "event/1"
+        assert converted["node_count"] == 2  # the UI workflow has 2 nodes
 
-    def test_conversion_error_kind(self, ui_workflow_file, capsys):
-        """WorkflowConversionError → kind=conversion_error, no extras."""
+    def test_conversion_error_code(self, ui_workflow_file, capsys):
+        """WorkflowConversionError → code=conversion_error."""
         from comfy_cli.workflow_to_api import WorkflowConversionError
 
         with (
@@ -1125,15 +1053,13 @@ def test_conversion_error_kind(self, ui_workflow_file, capsys):
                 side_effect=WorkflowConversionError("broken graph"),
             ),
         ):
-            events = _run_execute_capture(ui_workflow_file, capsys)
+            lines, exit_code = _run_execute_capture(ui_workflow_file, capsys)
 
-        terminal = events[-1]
-        assert terminal["error"]["kind"] == "conversion_error"
-        assert terminal["client_id"] is None  # before WorkflowExecution
-        assert terminal["prompt_id"] is None
+        assert exit_code == 1
+        assert _envelope(lines)["error"]["code"] == "conversion_error"
 
-    def test_conversion_crash_kind_with_exception_type(self, ui_workflow_file, capsys):
-        """Unexpected converter crash → kind=conversion_crash with exception_type extra."""
+    def test_conversion_crash_code_with_exception_type(self, ui_workflow_file, capsys):
+        """Unexpected converter crash → code=conversion_crash with details.exception_type."""
         with (
             patch("comfy_cli.command.run.check_comfy_server_running", return_value=True),
             patch("comfy_cli.command.run.fetch_object_info", return_value=OBJECT_INFO),
@@ -1142,13 +1068,11 @@ def test_conversion_crash_kind_with_exception_type(self, ui_workflow_file, capsy
                 side_effect=KeyError("missing field"),
             ),
         ):
-            events = _run_execute_capture(ui_workflow_file, capsys)
+            lines, exit_code = _run_execute_capture(ui_workflow_file, capsys)
 
-        terminal = events[-1]
-        assert terminal["error"]["kind"] == "conversion_crash"
-        assert terminal["error"]["exception_type"] == "KeyError"
-        assert terminal["client_id"] is None
-        assert terminal["prompt_id"] is None
+        env = _envelope(lines)
+        assert env["error"]["code"] == "conversion_crash"
+        assert env["error"]["details"]["exception_type"] == "KeyError"
 
     def test_workflow_empty_after_conversion(self, capsys):
         """UI conversion producing {} → workflow_empty."""
@@ -1163,8 +1087,8 @@ def test_workflow_empty_after_conversion(self, capsys):
                 patch("comfy_cli.command.run.fetch_object_info", return_value=OBJECT_INFO),
                 patch("comfy_cli.command.run.convert_ui_to_api", return_value={}),
             ):
-                events = _run_execute_capture(path, capsys)
-            assert events[-1]["error"]["kind"] == "workflow_empty"
+                lines, exit_code = _run_execute_capture(path, capsys)
+            assert _envelope(lines)["error"]["code"] == "workflow_empty"
         finally:
             os.unlink(path)
 
@@ -1186,13 +1110,12 @@ def test_object_info_unavailable_on_http_error(self, ui_workflow_file, capsys):
                 hdrs=None,
                 fp=io.BytesIO(b"service unavailable"),
             )
-            events = _run_execute_capture(ui_workflow_file, capsys)
+            lines, exit_code = _run_execute_capture(ui_workflow_file, capsys)
 
-        terminal = events[-1]
-        assert terminal["error"]["kind"] == "object_info_unavailable"
-        assert terminal["error"]["status_code"] == 503
-        assert "service unavailable" in terminal["error"]["body"]
-        assert terminal["client_id"] is None  # pre-WorkflowExecution
+        env = _envelope(lines)
+        assert env["error"]["code"] == "object_info_unavailable"
+        assert env["error"]["details"]["status"] == 503
+        assert "service unavailable" in env["error"]["details"]["body"]
 
     def test_object_info_connection_error_on_urlerror(self, ui_workflow_file, capsys):
         """URLError on /object_info → connection_error (NOT object_info_unavailable)."""
@@ -1201,16 +1124,15 @@ def test_object_info_connection_error_on_urlerror(self, ui_workflow_file, capsys
             patch("comfy_cli.command.run.request.urlopen") as mock_open,
         ):
             mock_open.side_effect = urllib.error.URLError("connection refused")
-            events = _run_execute_capture(ui_workflow_file, capsys)
+            lines, exit_code = _run_execute_capture(ui_workflow_file, capsys)
 
-        terminal = events[-1]
-        assert terminal["error"]["kind"] == "connection_error"
+        assert _envelope(lines)["error"]["code"] == "connection_error"
 
 
 class TestNodeCachedIntegration:
-    """`execution_cached` WS message → node_cached events with class_type / title."""
+    """`execution_cached` WS message → execution_cached events with class_type / title."""
 
-    def test_node_cached_event_shape(self, workflow_file, capsys):
+    def test_execution_cached_event_shape(self, workflow_file, capsys):
         with (
             patch("comfy_cli.command.run.check_comfy_server_running", return_value=True),
             patch("comfy_cli.command.run.request.urlopen") as mock_open,
@@ -1223,36 +1145,35 @@ def test_node_cached_event_shape(self, workflow_file, capsys):
                 json.dumps({"type": "execution_cached", "data": {"prompt_id": "p", "nodes": ["1", "2"]}}),
                 json.dumps({"type": "executing", "data": {"prompt_id": "p", "node": None}}),
             ]
-            events = _run_execute_capture(workflow_file, capsys)
+            lines, exit_code = _run_execute_capture(workflow_file, capsys)
 
-        cached_events = [e for e in events if e["event"] == "node_cached"]
+        cached_events = [e for e in _events(lines) if e["type"] == "execution_cached"]
         assert len(cached_events) == 2
         # Node 1 has _meta.title="Latent"; class_type=EmptyLatentImage
-        n1 = next(e for e in cached_events if e["node_id"] == "1")
+        n1 = next(e for e in cached_events if e["node"] == "1")
         assert n1["class_type"] == "EmptyLatentImage"
         assert n1["title"] == "Latent"
         # Node 2 has _meta.title="Save"; class_type=SaveImage
-        n2 = next(e for e in cached_events if e["node_id"] == "2")
+        n2 = next(e for e in cached_events if e["node"] == "2")
         assert n2["class_type"] == "SaveImage"
         assert n2["title"] == "Save"
 
-        # All cached nodes also appear in completed.cached_node_ids
-        completed = events[-1]
-        assert completed["event"] == "completed"
-        assert set(completed["cached_node_ids"]) == {"1", "2"}
+        # All cached nodes also appear in the envelope's cached_node_ids.
+        env = _envelope(lines)
+        assert env["ok"] is True
+        assert set(env["data"]["cached_node_ids"]) == {"1", "2"}
 
 
 class TestNodeExecutedFiresEvenWithoutOutputs:
-    """`node_executed` must fire whenever the server emits `executed` for our
+    """`executed` must fire whenever the server emits `executed` for our
     prompt, even when there's no `output` dict or it's empty (outputs=[])."""
 
     def _exec(self, simple_workflow):
         return _make_workflow_execution(simple_workflow, with_progress=True)
 
     def test_output_node_id_coerced_to_str(self, simple_workflow, capsys):
-        # If the server ever sends `node` as an int, every other emit site
-        # coerces — outputs[i].node_id must too, since the contract says
-        # node_id is always str.
+        # If the server ever sends `node` as an int, every emit site coerces —
+        # outputs[i].node_id must too, since the contract says node_id is str.
         ex = self._exec(simple_workflow)
         ex.prompt_id = "p"
         ex.on_executed(
@@ -1261,9 +1182,9 @@ def test_output_node_id_coerced_to_str(self, simple_workflow, capsys):
                 "output": {"images": [{"filename": "x.png", "subfolder": "", "type": "output"}]},
             }
         )
-        events = [json.loads(line) for line in capsys.readouterr().out.splitlines() if line.strip()]
-        executed = next(e for e in events if e["event"] == "node_executed")
-        assert isinstance(executed["node_id"], str)
+        events = _parse_lines(capsys.readouterr().out)
+        executed = next(e for e in events if e["type"] == "executed")
+        assert isinstance(executed["node"], str)
         assert executed["outputs"]
         for out in executed["outputs"]:
             assert isinstance(out["node_id"], str), (
@@ -1275,18 +1196,18 @@ def test_executed_with_missing_output(self, simple_workflow, capsys):
         ex = self._exec(simple_workflow)
         ex.prompt_id = "p"
         ex.on_executed({"node": "2"})  # no `output` key at all
-        events = [json.loads(line) for line in capsys.readouterr().out.splitlines() if line.strip()]
-        executed = [e for e in events if e["event"] == "node_executed"]
+        events = _parse_lines(capsys.readouterr().out)
+        executed = [e for e in events if e["type"] == "executed"]
         assert len(executed) == 1
         assert executed[0]["outputs"] == []
-        assert executed[0]["node_id"] == "2"
+        assert executed[0]["node"] == "2"
 
     def test_executed_with_non_dict_output(self, simple_workflow, capsys):
         ex = self._exec(simple_workflow)
         ex.prompt_id = "p"
         ex.on_executed({"node": "2", "output": []})  # list instead of dict
-        events = [json.loads(line) for line in capsys.readouterr().out.splitlines() if line.strip()]
-        executed = [e for e in events if e["event"] == "node_executed"]
+        events = _parse_lines(capsys.readouterr().out)
+        executed = [e for e in events if e["type"] == "executed"]
         assert len(executed) == 1
         assert executed[0]["outputs"] == []
 
@@ -1294,8 +1215,8 @@ def test_executed_with_empty_dict_output(self, simple_workflow, capsys):
         ex = self._exec(simple_workflow)
         ex.prompt_id = "p"
         ex.on_executed({"node": "2", "output": {}})
-        events = [json.loads(line) for line in capsys.readouterr().out.splitlines() if line.strip()]
-        executed = [e for e in events if e["event"] == "node_executed"]
+        events = _parse_lines(capsys.readouterr().out)
+        executed = [e for e in events if e["type"] == "executed"]
         assert len(executed) == 1
         assert executed[0]["outputs"] == []
 
@@ -1321,9 +1242,9 @@ def test_no_keyerror_on_missing_subfolder(self, simple_workflow):
 
 
 class TestVerboseNoOpInJsonMode:
-    """Spec lines 24-25: `--verbose` has no effect in JSON mode. Regression
-    against a bug where `log_node()` printed Rich-formatted lines to stdout
-    when verbose=True, corrupting the NDJSON stream."""
+    """`--verbose` has no effect in stream mode. Regression against a bug
+    where `log_node()` printed Rich-formatted lines to stdout when
+    verbose=True, corrupting the NDJSON stream."""
 
     def test_verbose_does_not_corrupt_json_stream(self, workflow_file, capsys):
         with (
@@ -1347,7 +1268,6 @@ def test_verbose_does_not_corrupt_json_stream(self, workflow_file, capsys):
                     wait=True,
                     verbose=True,
                     timeout=30,
-                    json_mode=True,
                 )
             except typer.Exit:
                 pass
@@ -1364,7 +1284,7 @@ def test_verbose_does_not_corrupt_json_stream(self, workflow_file, capsys):
 class TestErrorPathCoverage:
     """Less-trodden paths: /object_info timeout/non-JSON, queue()
     TimeoutError/OSError, on_executed/on_progress None guards, on_cached
-    None entries, two consecutive node_executing pattern."""
+    None entries, two consecutive executing pattern."""
 
     def _make_workflow(self):
         return {
@@ -1383,7 +1303,7 @@ def _make_exec(self, workflow):
         return _make_workflow_execution(workflow)
 
     def test_object_info_timeout_routes_to_connection_error(self, capsys):
-        """fetch_object_info(timeout → connection_error). Previously untested."""
+        """fetch_object_info(timeout → connection_error)."""
         ui_wf = {
             "nodes": [
                 {
@@ -1405,13 +1325,13 @@ def test_object_info_timeout_routes_to_connection_error(self, capsys):
                 patch("comfy_cli.command.run.check_comfy_server_running", return_value=True),
                 patch("comfy_cli.command.run.request.urlopen", side_effect=TimeoutError("timed out")),
             ):
-                events = _run_execute_capture(path, capsys)
-            assert events[-1]["error"]["kind"] == "connection_error"
+                lines, exit_code = _run_execute_capture(path, capsys)
+            assert _envelope(lines)["error"]["code"] == "connection_error"
         finally:
             os.unlink(path)
 
     def test_object_info_non_json_body_routes_to_object_info_unavailable(self, capsys):
-        """fetch_object_info(200 + non-JSON body → object_info_unavailable status_code=200)."""
+        """fetch_object_info(200 + non-JSON body → object_info_unavailable status=200)."""
         ui_wf = {
             "nodes": [
                 {
@@ -1437,10 +1357,10 @@ def test_object_info_non_json_body_routes_to_object_info_unavailable(self, capsy
                 patch("comfy_cli.command.run.check_comfy_server_running", return_value=True),
                 patch("comfy_cli.command.run.request.urlopen", return_value=mock_resp),
             ):
-                events = _run_execute_capture(path, capsys)
-            terminal = events[-1]
-            assert terminal["error"]["kind"] == "object_info_unavailable"
-            assert terminal["error"]["status_code"] == 200
+                lines, exit_code = _run_execute_capture(path, capsys)
+            env = _envelope(lines)
+            assert env["error"]["code"] == "object_info_unavailable"
+            assert env["error"]["details"]["status"] == 200
         finally:
             os.unlink(path)
 
@@ -1451,8 +1371,8 @@ def test_queue_timeout_error_routes_to_connection_error(self, workflow_file, cap
             patch("comfy_cli.command.run.request.urlopen", side_effect=TimeoutError("post timed out")),
             patch("comfy_cli.command.run.WebSocket"),
         ):
-            events = _run_execute_capture(workflow_file, capsys)
-        assert events[-1]["error"]["kind"] == "connection_error"
+            lines, exit_code = _run_execute_capture(workflow_file, capsys)
+        assert _envelope(lines)["error"]["code"] == "connection_error"
 
     def test_queue_oserror_routes_to_connection_error(self, workflow_file, capsys):
         """queue()'s urlopen OSError → connection_error."""
@@ -1461,12 +1381,12 @@ def test_queue_oserror_routes_to_connection_error(self, workflow_file, capsys):
             patch("comfy_cli.command.run.request.urlopen", side_effect=OSError("network unreachable")),
             patch("comfy_cli.command.run.WebSocket"),
         ):
-            events = _run_execute_capture(workflow_file, capsys)
-        assert events[-1]["error"]["kind"] == "connection_error"
+            lines, exit_code = _run_execute_capture(workflow_file, capsys)
+        assert _envelope(lines)["error"]["code"] == "connection_error"
 
     def test_on_executed_none_node_id_does_not_emit(self, capsys):
         """If server emits `executed` without `node`, skip rather than emit
-        a malformed event with node_id=null."""
+        a malformed event with node=null."""
         wf = self._make_workflow()
         ex = self._make_exec(wf)
         ex.prompt_id = "p"
@@ -1487,11 +1407,25 @@ def test_on_progress_none_node_id_does_not_emit(self, capsys):
         out, _ = capsys.readouterr()
         assert out.strip() == ""
 
+    def test_on_progress_emits_progress_event(self, capsys):
+        wf = self._make_workflow()
+        ex = self._make_exec(wf)
+        ex.prompt_id = "p"
+        ex.on_progress({"node": "1", "value": 5, "max": 10})
+        events = _parse_lines(capsys.readouterr().out)
+        assert len(events) == 1
+        ev = events[0]
+        assert ev["type"] == "progress"
+        assert ev["node"] == "1"
+        assert ev["completed"] == 5
+        assert ev["total"] == 10
+        assert ev["prompt_id"] == "p"
+
     @pytest.mark.parametrize("malformed", [None, 42, "string", [1, 2, 3], True])
     def test_on_message_skips_non_dict_payloads(self, capsys, malformed):
         # A bad JSON frame (scalar, array, etc.) must not raise out of the
         # recv loop — that would tear down the run without a terminal
-        # `failed` event and break the stream contract.
+        # envelope and break the stream contract.
         wf = self._make_workflow()
         ex = self._make_exec(wf)
         ex.prompt_id = "p"
@@ -1523,13 +1457,13 @@ def test_on_cached_skips_none_entries(self, capsys):
         ex = self._make_exec(wf)
         ex.prompt_id = "p"
         ex.on_cached({"nodes": ["1", None, "2"]})
-        events = [json.loads(line) for line in capsys.readouterr().out.splitlines() if line.strip()]
+        events = _parse_lines(capsys.readouterr().out)
         assert len(events) == 2
-        assert {ev["node_id"] for ev in events} == {"1", "2"}
+        assert {ev["node"] for ev in events} == {"1", "2"}
 
-    def test_two_consecutive_node_executing_includes_intermediate(self, workflow_file, capsys):
-        """`executed_node_ids` is the union of nodes that emitted `node_executing`
-        OR `node_executed` — intermediate compute nodes that only fire `executing`
+    def test_two_consecutive_executing_includes_intermediate(self, workflow_file, capsys):
+        """`executed_node_ids` is the union of nodes that emitted `executing`
+        OR `executed` — intermediate compute nodes that only fire `executing`
         are still included so consumers see the complete 'what ran' picture."""
         with (
             patch("comfy_cli.command.run.check_comfy_server_running", return_value=True),
@@ -1541,7 +1475,7 @@ def test_two_consecutive_node_executing_includes_intermediate(self, workflow_fil
             MockWs.return_value = ws_instance
             ws_instance.recv.side_effect = [
                 json.dumps({"type": "executing", "data": {"prompt_id": "p", "node": "1"}}),
-                # node 2 starts without a node_executed for 1 — intermediate compute node
+                # node 2 starts without an executed for 1 — intermediate compute node
                 json.dumps({"type": "executing", "data": {"prompt_id": "p", "node": "2"}}),
                 json.dumps(
                     {
@@ -1555,19 +1489,19 @@ def test_two_consecutive_node_executing_includes_intermediate(self, workflow_fil
                 ),
                 json.dumps({"type": "executing", "data": {"prompt_id": "p", "node": None}}),
             ]
-            events = _run_execute_capture(workflow_file, capsys)
-        completed = events[-1]
-        assert completed["event"] == "completed"
+            lines, exit_code = _run_execute_capture(workflow_file, capsys)
+        env = _envelope(lines)
+        assert env["ok"] is True
         # Both nodes ran; both should appear in executed_node_ids
-        # (1 via node_executing only, 2 via both events with dedup)
-        assert set(completed["executed_node_ids"]) == {"1", "2"}
+        # (1 via executing only, 2 via both events with dedup)
+        assert set(env["data"]["executed_node_ids"]) == {"1", "2"}
         # And node 2 should only appear once (dedup verified)
-        assert completed["executed_node_ids"].count("2") == 1
+        assert env["data"]["executed_node_ids"].count("2") == 1
 
 
 class TestTimeoutAppliesToConnectAndPost:
     """`--timeout` must bound every blocking network call (ws.connect, /prompt
-    POST, ws.recv) so the terminal-event guarantee holds under server hangs."""
+    POST, ws.recv) so the terminal-envelope guarantee holds under server hangs."""
 
     def test_queue_passes_timeout_to_urlopen(self, workflow_file, capsys):
         with (
@@ -1590,7 +1524,6 @@ def test_queue_passes_timeout_to_urlopen(self, workflow_file, capsys):
                     wait=True,
                     verbose=False,
                     timeout=42,
-                    json_mode=True,
                 )
             except typer.Exit:
                 pass
@@ -1614,7 +1547,6 @@ def test_preflight_probe_passes_timeout(self, workflow_file, capsys):
                     host="127.0.0.1",
                     port=8188,
                     timeout=55,
-                    json_mode=True,
                 )
             except typer.Exit:
                 pass
@@ -1646,7 +1578,6 @@ def test_connect_passes_timeout_to_ws_connect(self, workflow_file, capsys):
                     wait=True,
                     verbose=False,
                     timeout=37,
-                    json_mode=True,
                 )
             except typer.Exit:
                 pass
@@ -1664,7 +1595,7 @@ class TestNoWaitQueueErrorRegression:
     """--no-wait + queue HTTPError must not crash on the progress-stop path
     (progress is None in --no-wait mode)."""
 
-    def test_no_wait_with_400_emits_validation_error(self, workflow_file, capsys):
+    def test_no_wait_with_400_emits_prompt_rejected(self, workflow_file, capsys):
         with (
             patch("comfy_cli.command.run.check_comfy_server_running", return_value=True),
             patch("comfy_cli.command.run.request.urlopen") as mock_open,
@@ -1676,7 +1607,80 @@ def test_no_wait_with_400_emits_validation_error(self, workflow_file, capsys):
                 }
             ).encode()
             mock_open.side_effect = _make_http_error(400, body)
-            events = _run_execute_capture(workflow_file, capsys, wait=False)
-        terminal = events[-1]
-        assert terminal["error"]["kind"] == "validation_error"
+            lines, exit_code = _run_execute_capture(workflow_file, capsys, wait=False)
+        assert _envelope(lines)["error"]["code"] == "prompt_rejected"
         # The big invariant: it didn't crash with AttributeError on `progress.stop()`
+
+
+def test_on_executed_emits_output_event():
+    from comfy_cli.command.run.execution import WorkflowExecution
+
+    ex = WorkflowExecution(
+        workflow={"9": {}},
+        host="127.0.0.1",
+        port=8188,
+        verbose=False,
+        progress=None,
+        local_paths=None,
+        timeout=5,
+    )
+    events = []
+    ex.renderer = MagicMock()
+    ex.renderer.event.side_effect = lambda typ, **kw: events.append((typ, kw))
+    ex.prompt_id = "p1"
+
+    ex.on_executed({"node": "9", "output": {"images": [{"filename": "a.png", "subfolder": "", "type": "output"}]}})
+
+    output_events = [e for e in events if e[0] == "output"]
+    assert len(output_events) == 1, events
+    assert "a.png" in output_events[0][1]["url"]
+    # And outputs are still recorded exactly once for the state file.
+    assert sum(1 for u in ex.outputs if "a.png" in u) == 1
+
+
+def test_on_executed_records_node_keyed_output_entries():
+    """Local parity with the cloud history record: the execution keeps a
+    node-keyed `output_entries` list alongside the flat `outputs` URLs so
+    `run --wait` can group local outputs by node / foreach item."""
+    from comfy_cli.command.run.execution import WorkflowExecution
+
+    ex = WorkflowExecution(
+        workflow={"9": {}, "12": {}},
+        host="127.0.0.1",
+        port=8188,
+        verbose=False,
+        progress=None,
+        local_paths=None,
+        timeout=5,
+    )
+    ex.renderer = MagicMock()
+    ex.prompt_id = "p1"
+
+    ex.on_executed({"node": "9", "output": {"images": [{"filename": "a.png", "subfolder": "", "type": "output"}]}})
+    ex.on_executed({"node": "12", "output": {"videos": [{"filename": "v.mp4", "subfolder": "", "type": "output"}]}})
+    # Duplicate frame: outputs and entries both stay deduped.
+    ex.on_executed({"node": "9", "output": {"images": [{"filename": "a.png", "subfolder": "", "type": "output"}]}})
+
+    assert [e["node_id"] for e in ex.output_entries] == ["9", "12"]
+    assert ex.output_entries[0]["filename"] == "a.png"
+    assert ex.output_entries[0]["type"] == "output"
+    # Entry URLs are the same values recorded in the flat list (1:1, in order).
+    assert [e["url"] for e in ex.output_entries] == ex.outputs
+
+
+def test_cloud_route_load_failure_emits_envelope(tmp_path, capsys):
+    """execute_cloud must emit a workflow_not_found envelope, not crash on e.code."""
+    import json
+
+    import pytest
+    import typer
+
+    from comfy_cli.command.run import execute_cloud
+
+    with pytest.raises(typer.Exit) as exc:
+        execute_cloud(str(tmp_path / "missing.json"), wait=True, timeout=5)
+    assert exc.value.exit_code == 1
+    out, _ = capsys.readouterr()
+    lines = [ln for ln in out.splitlines() if ln.strip()]
+    env = json.loads(lines[-1])
+    assert env["ok"] is False and env["error"]["code"] == "workflow_not_found"
diff --git a/tests/comfy_cli/command/test_setup_consent.py b/tests/comfy_cli/command/test_setup_consent.py
new file mode 100644
index 00000000..2efb21d1
--- /dev/null
+++ b/tests/comfy_cli/command/test_setup_consent.py
@@ -0,0 +1,77 @@
+"""Tests for the telemetry-consent step of ``comfy setup``.
+
+The consent *logic* (env opt-out, init_tracking, the global lazy prompt) is
+covered in test_tracking.py. Here we pin the wizard step's branching:
+env opt-out and an already-recorded choice never re-ask or re-write, a
+non-interactive run leaves the flag UNSET, and an interactive answer is
+forwarded verbatim to init_tracking.
+"""
+
+from __future__ import annotations
+
+import types
+from unittest.mock import MagicMock
+
+import pytest
+import questionary
+
+from comfy_cli import tracking
+from comfy_cli.command import setup as setup_inner
+from comfy_cli.config_manager import ConfigManager
+
+
+@pytest.fixture
+def consent_spies(monkeypatch):
+    """init_tracking spy + a recorded-consent value controller."""
+    init_spy = MagicMock()
+    monkeypatch.setattr(tracking, "init_tracking", init_spy)
+
+    confirm_spy = MagicMock()
+    monkeypatch.setattr(questionary, "confirm", confirm_spy)
+
+    def set_recorded(value):
+        monkeypatch.setattr(ConfigManager(), "get_bool", lambda _k: value)
+
+    def set_answer(value):
+        confirm_spy.return_value = types.SimpleNamespace(ask=lambda: value)
+
+    return types.SimpleNamespace(init=init_spy, confirm=confirm_spy, set_recorded=set_recorded, set_answer=set_answer)
+
+
+def test_env_optout_never_writes_or_asks(monkeypatch, consent_spies):
+    monkeypatch.setattr(tracking, "_telemetry_disabled_by_env", lambda: True)
+    setup_inner._do_consent(None, non_interactive=False)
+    consent_spies.init.assert_not_called()
+    consent_spies.confirm.assert_not_called()
+
+
+def test_already_recorded_is_reported_not_reasked(monkeypatch, consent_spies):
+    monkeypatch.setattr(tracking, "_telemetry_disabled_by_env", lambda: False)
+    consent_spies.set_recorded(True)
+    setup_inner._do_consent(None, non_interactive=False)
+    consent_spies.init.assert_not_called()
+    consent_spies.confirm.assert_not_called()
+
+
+def test_non_interactive_leaves_flag_unset(monkeypatch, consent_spies):
+    monkeypatch.setattr(tracking, "_telemetry_disabled_by_env", lambda: False)
+    consent_spies.set_recorded(None)
+    setup_inner._do_consent(None, non_interactive=True)
+    consent_spies.init.assert_not_called()
+    consent_spies.confirm.assert_not_called()
+
+
+def test_interactive_yes_enables(monkeypatch, consent_spies):
+    monkeypatch.setattr(tracking, "_telemetry_disabled_by_env", lambda: False)
+    consent_spies.set_recorded(None)
+    consent_spies.set_answer(True)
+    setup_inner._do_consent(None, non_interactive=False)
+    consent_spies.init.assert_called_once_with(True)
+
+
+def test_interactive_no_disables(monkeypatch, consent_spies):
+    monkeypatch.setattr(tracking, "_telemetry_disabled_by_env", lambda: False)
+    consent_spies.set_recorded(None)
+    consent_spies.set_answer(False)
+    setup_inner._do_consent(None, non_interactive=False)
+    consent_spies.init.assert_called_once_with(False)
diff --git a/tests/comfy_cli/command/test_templates.py b/tests/comfy_cli/command/test_templates.py
new file mode 100644
index 00000000..faa5fe8d
--- /dev/null
+++ b/tests/comfy_cli/command/test_templates.py
@@ -0,0 +1,276 @@
+"""Tests for ``comfy templates`` — gallery introspection.
+
+Uses a small in-repo fixture index.json (mirroring the real schema) so
+the tests don't hit GitHub. Covers filter precedence, the JSON envelope
+shape, and the not-found error code.
+"""
+
+from __future__ import annotations
+
+import json
+from pathlib import Path
+
+import pytest
+from typer.testing import CliRunner
+
+from comfy_cli.caller import Caller
+from comfy_cli.command import templates as templates_cmd
+from comfy_cli.output.renderer import (
+    OutputMode,
+    Renderer,
+    reset_renderer_for_testing,
+    set_renderer,
+)
+
+FIXTURE = [
+    {
+        "moduleName": "default",
+        "category": "GENERATION TYPE",
+        "title": "Image",
+        "type": "image",
+        "templates": [
+            {
+                "name": "image_flux2",
+                "title": "Flux 2 Image",
+                "description": "Text-to-image using Flux 2 via the BFL API.",
+                "mediaType": "image",
+                "mediaSubtype": "webp",
+                "tags": ["API", "Text to Image"],
+                "models": ["Flux 2"],
+                "logos": [{"provider": ["Black Forest Labs"]}],
+                "openSource": False,
+                "usage": 100,
+            },
+            {
+                "name": "image_z_image",
+                "title": "Z Image",
+                "description": "Local SDXL-style text-to-image.",
+                "mediaType": "image",
+                "mediaSubtype": "webp",
+                "tags": ["Local", "Text to Image"],
+                "models": ["Z Image"],
+                "logos": [{"provider": "Z"}],
+                "openSource": True,
+                "usage": 50,
+            },
+        ],
+    },
+    {
+        "moduleName": "default",
+        "category": "GENERATION TYPE",
+        "title": "Video",
+        "type": "video",
+        "templates": [
+            {
+                "name": "gsc_starter_1",
+                "title": "Genesis Starter",
+                "description": "Image-to-video starter using Kling.",
+                "mediaType": "video",
+                "mediaSubtype": "mp4",
+                "tags": ["API", "Image to Video"],
+                "models": ["Kling 2.5"],
+                "logos": [{"provider": ["Kling"]}],
+                "openSource": False,
+                "usage": 75,
+            }
+        ],
+    },
+]
+
+
+@pytest.fixture
+def gallery_file(tmp_path: Path) -> str:
+    path = tmp_path / "index.json"
+    path.write_text(json.dumps(FIXTURE))
+    return str(path)
+
+
+@pytest.fixture(autouse=True)
+def reset_singleton():
+    reset_renderer_for_testing()
+    yield
+    reset_renderer_for_testing()
+
+
+def _force_json_renderer():
+    """Pin the renderer to JSON so tests can read envelopes off stdout."""
+    r = Renderer.resolve(
+        is_stdout_tty=False,
+        env={},
+        caller=Caller(kind="user", agentic=False, source_env=None),
+        json_flag=True,
+    )
+    r.mode = OutputMode.JSON
+    set_renderer(r)
+    return r
+
+
+def _envelope(stdout: str) -> dict:
+    """Parse the last JSON line of stdout as the envelope."""
+    for line in reversed(stdout.strip().splitlines()):
+        try:
+            return json.loads(line)
+        except json.JSONDecodeError:
+            continue
+    raise AssertionError(f"no JSON envelope in stdout:\n{stdout}")
+
+
+def test_ls_default_returns_all_three(gallery_file):
+    _force_json_renderer()
+    runner = CliRunner()
+    result = runner.invoke(templates_cmd.app, ["ls", "--gallery", gallery_file])
+    assert result.exit_code == 0, result.output
+    env = _envelope(result.output)
+    assert env["ok"] is True
+    assert env["data"]["total_in_gallery"] == 3
+    assert env["data"]["matched"] == 3
+
+
+def test_ls_type_filter(gallery_file):
+    _force_json_renderer()
+    runner = CliRunner()
+    result = runner.invoke(templates_cmd.app, ["ls", "--gallery", gallery_file, "--type", "video"])
+    assert result.exit_code == 0, result.output
+    env = _envelope(result.output)
+    names = [r["name"] for r in env["data"]["rows"]]
+    assert names == ["gsc_starter_1"]
+
+
+def test_ls_provider_filter_handles_both_scalar_and_array_logos(gallery_file):
+    _force_json_renderer()
+    runner = CliRunner()
+    # 'Z' provider was set as a scalar string in the fixture
+    result = runner.invoke(templates_cmd.app, ["ls", "--gallery", gallery_file, "--provider", "Z"])
+    assert result.exit_code == 0
+    env = _envelope(result.output)
+    names = [r["name"] for r in env["data"]["rows"]]
+    assert "image_z_image" in names
+
+
+def test_ls_limit_applies_after_filter(gallery_file):
+    _force_json_renderer()
+    runner = CliRunner()
+    result = runner.invoke(
+        templates_cmd.app,
+        ["ls", "--gallery", gallery_file, "--tag", "API", "--limit", "1"],
+    )
+    assert result.exit_code == 0
+    env = _envelope(result.output)
+    assert env["data"]["matched"] == 2  # API tag in both image_flux2 and gsc_starter_1
+    assert env["data"]["shown"] == 1
+
+
+def test_show_returns_full_template(gallery_file):
+    _force_json_renderer()
+    runner = CliRunner()
+    result = runner.invoke(templates_cmd.app, ["show", "--gallery", gallery_file, "image_flux2"])
+    assert result.exit_code == 0, result.output
+    env = _envelope(result.output)
+    tpl = env["data"]["template"]
+    assert tpl["name"] == "image_flux2"
+    assert tpl["title"] == "Flux 2 Image"
+    assert "Black Forest Labs" in tpl["providers"]
+    assert tpl["output_type"] == "image"
+
+
+def test_show_unknown_template_returns_error_code(gallery_file):
+    _force_json_renderer()
+    runner = CliRunner()
+    result = runner.invoke(templates_cmd.app, ["show", "--gallery", gallery_file, "no_such_template"])
+    assert result.exit_code != 0
+    env = _envelope(result.output)
+    assert env["ok"] is False
+    assert env["error"]["code"] == "template_not_found"
+
+
+# ---------------------------------------------------------------------------
+# templates fetch
+# ---------------------------------------------------------------------------
+
+
+def _stub_template_workflow_fetch(monkeypatch, body_or_exc):
+    """Patch the GitHub workflow-JSON fetch to return a canned body (or raise)."""
+
+    def _impl(name, timeout=15.0):
+        if isinstance(body_or_exc, Exception):
+            raise body_or_exc
+        return body_or_exc
+
+    monkeypatch.setattr(templates_cmd, "_fetch_template_workflow", _impl)
+
+
+def test_fetch_writes_to_stdout_in_pretty_mode(gallery_file, monkeypatch, capsys):
+    # Pretty mode (default); workflow JSON streams to stdout.
+    reset_renderer_for_testing()
+    workflow_body = json.dumps({"1": {"class_type": "KSampler", "inputs": {}}}).encode()
+    _stub_template_workflow_fetch(monkeypatch, workflow_body)
+
+    runner = CliRunner()
+    result = runner.invoke(templates_cmd.app, ["fetch", "--gallery", gallery_file, "image_flux2"])
+    assert result.exit_code == 0, result.output
+    # The workflow JSON itself was written to stdout (the user can pipe it).
+    assert '"class_type": "KSampler"' in result.output
+
+
+def test_fetch_with_out_writes_to_file(gallery_file, tmp_path: Path, monkeypatch, capsys):
+    _force_json_renderer()
+    workflow_body = json.dumps({"1": {"class_type": "KSampler", "inputs": {}}}).encode()
+    _stub_template_workflow_fetch(monkeypatch, workflow_body)
+
+    out_path = tmp_path / "out" / "wf.json"  # nested to verify parent mkdir
+    runner = CliRunner()
+    result = runner.invoke(
+        templates_cmd.app, ["fetch", "--gallery", gallery_file, "image_flux2", "--out", str(out_path)]
+    )
+    assert result.exit_code == 0, result.output
+    env = _envelope(result.output)
+    assert env["ok"] is True
+    assert env["data"]["name"] == "image_flux2"
+    assert env["data"]["node_count"] == 1
+    assert out_path.exists()
+    assert out_path.read_bytes() == workflow_body
+
+
+def test_fetch_unknown_template_surfaces_template_not_found(gallery_file, monkeypatch, capsys):
+    _force_json_renderer()
+    # The fetch helper should never be called because the gallery check fails first.
+    sentinel_called = {"fired": False}
+
+    def _should_not_fire(name, timeout=15.0):
+        sentinel_called["fired"] = True
+        raise AssertionError("fetch was called for an unknown template")
+
+    monkeypatch.setattr(templates_cmd, "_fetch_template_workflow", _should_not_fire)
+
+    runner = CliRunner()
+    result = runner.invoke(templates_cmd.app, ["fetch", "--gallery", gallery_file, "no_such_template"])
+    assert result.exit_code != 0
+    env = _envelope(result.output)
+    assert env["ok"] is False
+    assert env["error"]["code"] == "template_not_found"
+    assert sentinel_called["fired"] is False
+
+
+def test_fetch_upstream_404_surfaces_template_fetch_failed(gallery_file, monkeypatch, capsys):
+    import urllib.error
+
+    _force_json_renderer()
+    err = urllib.error.HTTPError("https://github/templates/x.json", 404, "Not Found", {}, None)
+    _stub_template_workflow_fetch(monkeypatch, err)
+
+    runner = CliRunner()
+    result = runner.invoke(templates_cmd.app, ["fetch", "--gallery", gallery_file, "image_flux2"])
+    assert result.exit_code != 0
+    env = _envelope(result.output)
+    assert env["error"]["code"] == "template_fetch_failed"
+
+
+def test_fetch_non_json_upstream_surfaces_workflow_invalid(gallery_file, monkeypatch, capsys):
+    _force_json_renderer()
+    _stub_template_workflow_fetch(monkeypatch, b"<html>not json</html>")
+
+    runner = CliRunner()
+    result = runner.invoke(templates_cmd.app, ["fetch", "--gallery", gallery_file, "image_flux2"])
+    assert result.exit_code != 0
+    env = _envelope(result.output)
+    assert env["error"]["code"] == "template_workflow_invalid_json"
diff --git a/tests/comfy_cli/command/test_transfer_download.py b/tests/comfy_cli/command/test_transfer_download.py
new file mode 100644
index 00000000..8798d09d
--- /dev/null
+++ b/tests/comfy_cli/command/test_transfer_download.py
@@ -0,0 +1,423 @@
+"""Tests for `comfy download` item-aware naming and output provenance.
+
+When the job state file carries BOTH the final history record and a compose
+item_map (stashed by `comfy run` from the workflow's `_meta`), downloads are
+named `<item>_<nnn>.<ext>` with a per-item counter and `files[]` entries gain
+`node_id`/`item`. Without the map, naming stays `<prompt8>_<idx>` and the new
+keys are omitted.
+"""
+
+from __future__ import annotations
+
+import json
+from pathlib import Path
+from unittest.mock import patch
+
+import pytest
+
+from comfy_cli import comfy_client, jobs_state
+from comfy_cli.comfy_client import extract_output_entries
+from comfy_cli.command import transfer
+from comfy_cli.output import Renderer, set_renderer
+from comfy_cli.output.renderer import OutputMode, reset_renderer_for_testing
+from comfy_cli.target import Target
+
+
+@pytest.fixture(autouse=True)
+def reset_renderer():
+    reset_renderer_for_testing()
+    yield
+    reset_renderer_for_testing()
+
+
+@pytest.fixture
+def fake_target():
+    return Target(
+        kind="cloud",
+        base_url="https://cloud.example.com",
+        path_prefix="/api",
+        history_path="history_v2",
+        jobs_path="jobs",
+        api_key="test-api-key",
+    )
+
+
+PROMPT_ID = "prompt-dl-12345"
+SHORT_ID = PROMPT_ID[:8]
+
+RECORD = {
+    "status": {"completed": True, "status_str": "success"},
+    "outputs": {
+        "5": {
+            "images": [
+                {"filename": "ComfyUI_a.png", "subfolder": "", "type": "output"},
+                {"filename": "ComfyUI_b.png", "subfolder": "", "type": "output"},
+            ]
+        },
+        "9": {"images": [{"filename": "ComfyUI_c.png", "subfolder": "", "type": "output"}]},
+        # Node 12 produced an output but belongs to no foreach item.
+        "12": {"images": [{"filename": "stray.png", "subfolder": "", "type": "output"}]},
+    },
+}
+
+ITEM_MAP = {
+    "s1": {"nodes": ["3", "5"], "save_node": "5", "prefix": "o/s1"},
+    # save_node listed outside `nodes` — membership must include it anyway.
+    "s2": {"nodes": ["8"], "save_node": "9", "prefix": "o/s2"},
+}
+
+
+def _urls(target: Target) -> list[str]:
+    return comfy_client.Client(target).extract_output_urls(RECORD)
+
+
+def _write_state(target: Target, *, record=None, item_map=None) -> list[str]:
+    urls = _urls(target)
+    state = jobs_state.JobState(
+        prompt_id=PROMPT_ID,
+        client_id=None,
+        workflow="/abs/composed.json",
+        where="cloud",
+        base_url=target.base_url,
+        status="completed",
+        outputs=urls,
+        record=record,
+        item_map=item_map,
+    )
+    assert jobs_state.write(state) is not None
+    return urls
+
+
+class _FakeResp:
+    """Context-manager response yielding one chunk then EOF."""
+
+    def __init__(self, data: bytes = b"\x89PNG-fake"):
+        self._chunks = [data]
+
+    def read(self, n: int) -> bytes:
+        return self._chunks.pop(0) if self._chunks else b""
+
+    def __enter__(self):
+        return self
+
+    def __exit__(self, *exc):
+        return False
+
+
+def _run_download(fake_target, tmp_path, capsys) -> tuple[list[str], dict]:
+    """Run execute_download with mocked target + HTTP; return (paths, envelope data)."""
+    set_renderer(Renderer(mode=OutputMode.NDJSON, command="download"))
+    with (
+        patch("comfy_cli.command.transfer.resolve_target", return_value=fake_target),
+        patch.object(transfer._DOWNLOAD_OPENER, "open", side_effect=lambda req: _FakeResp()),
+    ):
+        paths = transfer.execute_download(PROMPT_ID, out_dir=str(tmp_path / "out"))
+    lines = [ln for ln in capsys.readouterr().out.splitlines() if ln.strip()]
+    envelope = json.loads(lines[-1])
+    assert envelope["type"] == "envelope"
+    return paths, envelope["data"]
+
+
+class TestItemNamedDownloads:
+    def test_files_named_by_item_with_per_item_counter(self, fake_target, tmp_path, capsys):
+        _write_state(fake_target, record=RECORD, item_map=ITEM_MAP)
+        paths, data = _run_download(fake_target, tmp_path, capsys)
+
+        names = [Path(p).name for p in paths]
+        # Per-item counters restart at 000; the unmapped node 12 output keeps
+        # the legacy <prompt8>_<global idx> name.
+        assert names == ["s1_000.png", "s1_001.png", "s2_000.png", f"{SHORT_ID}_003.png"]
+        for p in paths:
+            assert Path(p).is_file()
+        assert data["out_dir"] == str((tmp_path / "out").resolve())
+
+    def test_files_entries_carry_node_id_and_item(self, fake_target, tmp_path, capsys):
+        _write_state(fake_target, record=RECORD, item_map=ITEM_MAP)
+        _, data = _run_download(fake_target, tmp_path, capsys)
+
+        files = data["files"]
+        assert [(f.get("node_id"), f.get("item")) for f in files] == [
+            ("5", "s1"),
+            ("5", "s1"),
+            ("9", "s2"),
+            ("12", None),
+        ]
+        # The unmapped entry has a node_id but NO item key (omitted, not null).
+        assert "item" not in files[3]
+
+    def test_legacy_names_without_record_or_map(self, fake_target, tmp_path, capsys):
+        _write_state(fake_target, record=None, item_map=None)
+        paths, data = _run_download(fake_target, tmp_path, capsys)
+
+        names = [Path(p).name for p in paths]
+        assert names == [f"{SHORT_ID}_{i:03d}.png" for i in range(4)]
+        for f in data["files"]:
+            assert "node_id" not in f
+            assert "item" not in f
+
+    def test_record_without_item_map_still_carries_node_id(self, fake_target, tmp_path, capsys):
+        _write_state(fake_target, record=RECORD, item_map=None)
+        paths, data = _run_download(fake_target, tmp_path, capsys)
+
+        # No map → legacy names throughout, but node provenance is known.
+        names = [Path(p).name for p in paths]
+        assert names == [f"{SHORT_ID}_{i:03d}.png" for i in range(4)]
+        assert [f["node_id"] for f in data["files"]] == ["5", "5", "9", "12"]
+        assert all("item" not in f for f in data["files"])
+
+    def test_download_data_validates_against_transfer_schema(self, fake_target, tmp_path, capsys):
+        import jsonschema
+
+        _write_state(fake_target, record=RECORD, item_map=ITEM_MAP)
+        _, data = _run_download(fake_target, tmp_path, capsys)
+
+        schema_path = Path(__file__).parents[3] / "comfy_cli" / "schemas" / "transfer.json"
+        schema = json.loads(schema_path.read_text())
+        jsonschema.Draft202012Validator.check_schema(schema)
+        jsonschema.Draft202012Validator(schema).validate(data)
+        # The new keys are part of the documented contract, not just tolerated.
+        download_files = schema["oneOf"][1]["properties"]["files"]["items"]["properties"]
+        assert "node_id" in download_files
+        assert "item" in download_files
+
+
+class TestExtractOutputEntries:
+    """Module-level pure flatten — the record half of Client.extract_outputs,
+    usable without a Target (download joins URLs to it by query params)."""
+
+    def test_flattens_record_with_node_ids(self):
+        entries = extract_output_entries(RECORD)
+        assert [(e["node_id"], e["filename"]) for e in entries] == [
+            ("5", "ComfyUI_a.png"),
+            ("5", "ComfyUI_b.png"),
+            ("9", "ComfyUI_c.png"),
+            ("12", "stray.png"),
+        ]
+        for e in entries:
+            assert e["subfolder"] == ""
+            assert e["type"] == "output"
+
+    def test_tolerates_malformed_records(self):
+        assert extract_output_entries({}) == []
+        assert extract_output_entries({"outputs": "garbage"}) == []
+        assert extract_output_entries({"outputs": {"1": "garbage", "2": {"images": "nope"}}}) == []
+        # Items without a filename are skipped.
+        assert extract_output_entries({"outputs": {"1": {"images": [{"type": "output"}]}}}) == []
+
+    def test_client_extract_outputs_delegates(self, fake_target):
+        client = comfy_client.Client(fake_target)
+        outputs = client.extract_outputs(RECORD)
+        entries = extract_output_entries(RECORD)
+        assert [o["node_id"] for o in outputs] == [e["node_id"] for e in entries]
+        assert [o["filename"] for o in outputs] == [e["filename"] for e in entries]
+        # URLs are the view_url of each entry — same triple, same encoding.
+        assert outputs[0]["url"] == "https://cloud.example.com/api/view?filename=ComfyUI_a.png&subfolder=&type=output"
+
+
+class TestCollisionSafeNaming:
+    """A retry fan-out reusing the same item ids re-downloads into the same
+    out-dir; attempt 1 must never be silently clobbered (fennec friction #3,
+    P1 — lost the rejected frames). Existing destinations get a deterministic
+    numeric suffix: s1_000.png → s1_000.1.png → s1_000.2.png …"""
+
+    def test_item_named_existing_file_gets_numeric_suffix(self, fake_target, tmp_path, capsys):
+        _write_state(fake_target, record=RECORD, item_map=ITEM_MAP)
+        out = tmp_path / "out"
+        out.mkdir(parents=True)
+        (out / "s1_000.png").write_bytes(b"attempt-1-keep-me")
+
+        paths, data = _run_download(fake_target, tmp_path, capsys)
+
+        names = [Path(p).name for p in paths]
+        assert names == ["s1_000.1.png", "s1_001.png", "s2_000.png", f"{SHORT_ID}_003.png"]
+        # The prior attempt is untouched; the new download lives beside it.
+        assert (out / "s1_000.png").read_bytes() == b"attempt-1-keep-me"
+        assert (out / "s1_000.1.png").is_file()
+        # files[] reports the path that was ACTUALLY written.
+        assert data["files"][0]["path"] == str((out / "s1_000.1.png").resolve())
+
+    def test_suffix_increments_past_prior_retries(self, fake_target, tmp_path, capsys):
+        _write_state(fake_target, record=RECORD, item_map=ITEM_MAP)
+        out = tmp_path / "out"
+        out.mkdir(parents=True)
+        (out / "s1_000.png").write_bytes(b"attempt-1")
+        (out / "s1_000.1.png").write_bytes(b"attempt-2")
+
+        paths, _ = _run_download(fake_target, tmp_path, capsys)
+
+        assert Path(paths[0]).name == "s1_000.2.png"
+        assert (out / "s1_000.png").read_bytes() == b"attempt-1"
+        assert (out / "s1_000.1.png").read_bytes() == b"attempt-2"
+
+    def test_legacy_prompt8_naming_also_never_overwrites(self, fake_target, tmp_path, capsys):
+        _write_state(fake_target, record=None, item_map=None)
+        out = tmp_path / "out"
+        out.mkdir(parents=True)
+        (out / f"{SHORT_ID}_000.png").write_bytes(b"attempt-1")
+
+        paths, _ = _run_download(fake_target, tmp_path, capsys)
+
+        names = [Path(p).name for p in paths]
+        assert names == [f"{SHORT_ID}_000.1.png"] + [f"{SHORT_ID}_{i:03d}.png" for i in range(1, 4)]
+        assert (out / f"{SHORT_ID}_000.png").read_bytes() == b"attempt-1"
+
+
+class TestPipedErrorEnvelope:
+    """`comfy --json run --wait | comfy download` is the SKILL.md-recommended
+    pattern, so download must survive a failed upstream: an error envelope
+    (`"data": null`) used to crash with a raw AttributeError (fennec friction
+    #1). Bad stdin of any shape → structured error envelope + exit 1."""
+
+    def _download_with_stdin(self, stdin_text: str, monkeypatch, capsys) -> dict:
+        import io
+
+        import typer
+
+        set_renderer(Renderer(mode=OutputMode.JSON, command="download"))
+        monkeypatch.setattr("sys.stdin", io.StringIO(stdin_text))
+        with pytest.raises(typer.Exit) as excinfo:
+            transfer.execute_download(None)
+        assert excinfo.value.exit_code == 1
+        out_lines = [ln for ln in capsys.readouterr().out.splitlines() if ln.strip()]
+        envelope = json.loads(out_lines[-1])
+        assert envelope["type"] == "envelope"
+        assert envelope["ok"] is False
+        return envelope
+
+    def test_error_envelope_with_null_data_no_traceback(self, monkeypatch, capsys):
+        upstream = {
+            "schema": "envelope/1",
+            "type": "envelope",
+            "ok": False,
+            "command": "run",
+            "version": "1.0.0",
+            "where": "cloud",
+            "data": None,
+            "error": {
+                "code": "cloud_http_error",
+                "message": "Cloud server error while polling (HTTP 429): Too Many Requests",
+                "hint": None,
+                "details": {"status": 429, "prompt_id": "d4f68191-de90-49e1-ba0f-2668b9c5b30f"},
+            },
+        }
+        envelope = self._download_with_stdin(json.dumps(upstream), monkeypatch, capsys)
+
+        err = envelope["error"]
+        assert err["code"] == "download_no_prompt"  # registered code, not a crash
+        assert "ok=false" in err["message"]
+        # The upstream failure and its prompt_id surface for recovery.
+        assert err["details"]["upstream_error"]["code"] == "cloud_http_error"
+        assert err["details"]["prompt_id"] == "d4f68191-de90-49e1-ba0f-2668b9c5b30f"
+
+    def test_ok_envelope_without_prompt_id_errors_cleanly(self, monkeypatch, capsys):
+        upstream = {"schema": "envelope/1", "type": "envelope", "ok": True, "data": {}, "error": None}
+        envelope = self._download_with_stdin(json.dumps(upstream), monkeypatch, capsys)
+        assert envelope["error"]["code"] == "download_no_prompt"
+
+    def test_non_envelope_stdin_errors_cleanly(self, monkeypatch, capsys):
+        envelope = self._download_with_stdin("this is not json {", monkeypatch, capsys)
+        assert envelope["error"]["code"] == "download_no_prompt"
+
+    def test_json_scalar_stdin_errors_cleanly(self, monkeypatch, capsys):
+        # Valid JSON but not an envelope object (e.g. a bare list of URLs).
+        envelope = self._download_with_stdin('["https://x/view?filename=a.png"]', monkeypatch, capsys)
+        assert envelope["error"]["code"] == "download_no_prompt"
+
+
+class TestMachineModeStdoutPurity:
+    """`comfy --json download` consumers pipe stdout into jq/json.load: stdout
+    must carry NOTHING but JSON (envelope last), and the human "✓ downloaded"
+    progress line is pretty-mode-only — it must not appear at all in machine
+    modes (fennec friction #4/#5)."""
+
+    def _download(self, fake_target, tmp_path):
+        with (
+            patch("comfy_cli.command.transfer.resolve_target", return_value=fake_target),
+            patch.object(transfer._DOWNLOAD_OPENER, "open", side_effect=lambda req: _FakeResp()),
+        ):
+            transfer.execute_download(PROMPT_ID, out_dir=str(tmp_path / "out"))
+
+    def test_json_mode_stdout_is_pure_json_envelope_last(self, fake_target, tmp_path, capsys):
+        from comfy_cli.caller import Caller
+
+        _write_state(fake_target, record=RECORD, item_map=ITEM_MAP)
+        # Resolve the mode the way the entrypoint does, from COMFY_OUTPUT=json.
+        renderer = Renderer.resolve(
+            env={"COMFY_OUTPUT": "json"},
+            is_stdout_tty=False,
+            caller=Caller(kind="user", agentic=False, source_env=None),
+            command="download",
+        )
+        assert renderer.mode is OutputMode.JSON
+        set_renderer(renderer)
+
+        self._download(fake_target, tmp_path)
+
+        captured = capsys.readouterr()
+        out_lines = [ln for ln in captured.out.splitlines() if ln.strip()]
+        assert out_lines, "the envelope must land on stdout"
+        parsed = [json.loads(ln) for ln in out_lines]  # every line is JSON
+        assert parsed[-1]["type"] == "envelope"
+        assert parsed[-1]["ok"] is True
+        # The human progress line is pretty-mode-only: not on stdout, and not
+        # duplicated to stderr either — the envelope already says everything.
+        assert "downloaded" not in captured.out
+        assert "downloaded" not in captured.err
+
+    def test_ndjson_mode_emits_no_human_progress_line(self, fake_target, tmp_path, capsys):
+        _write_state(fake_target, record=RECORD, item_map=ITEM_MAP)
+        set_renderer(Renderer(mode=OutputMode.NDJSON, command="download"))
+
+        self._download(fake_target, tmp_path)
+
+        captured = capsys.readouterr()
+        for ln in captured.out.splitlines():
+            if ln.strip():
+                json.loads(ln)
+        assert "downloaded" not in captured.out
+        assert "downloaded" not in captured.err
+
+
+# ---------------------------------------------------------------------------
+# _default_out_dir — project/1 root wins over the legacy config key
+# ---------------------------------------------------------------------------
+
+
+class TestDefaultOutDir:
+    def test_prefers_governing_project_outputs(self, tmp_path, monkeypatch):
+        proj = tmp_path / "proj"
+        proj.mkdir()
+        (proj / "comfy.yaml").write_text("schema: project/1\ndefaults:\n  where: cloud\n")
+        monkeypatch.chdir(proj)
+
+        assert transfer._default_out_dir() == str(proj.resolve() / "outputs")
+
+    def test_falls_back_to_config_key_outside_project(self, tmp_path, monkeypatch):
+        plain = tmp_path / "plain"
+        plain.mkdir()
+        monkeypatch.chdir(plain)
+        legacy = tmp_path / "legacy"
+        (legacy / "outputs").mkdir(parents=True)
+
+        class _FakeCM:
+            def get(self, key):
+                return str(legacy)
+
+        import comfy_cli.config_manager as config_manager
+
+        monkeypatch.setattr(config_manager, "ConfigManager", _FakeCM)
+        assert transfer._default_out_dir() == str(legacy / "outputs")
+
+    def test_defaults_to_relative_outputs(self, tmp_path, monkeypatch):
+        plain = tmp_path / "plain"
+        plain.mkdir()
+        monkeypatch.chdir(plain)
+
+        class _FakeCM:
+            def get(self, key):
+                return None
+
+        import comfy_cli.config_manager as config_manager
+
+        monkeypatch.setattr(config_manager, "ConfigManager", _FakeCM)
+        assert transfer._default_out_dir() == "./outputs"
diff --git a/tests/comfy_cli/command/test_transfer_redirect.py b/tests/comfy_cli/command/test_transfer_redirect.py
new file mode 100644
index 00000000..4efc8311
--- /dev/null
+++ b/tests/comfy_cli/command/test_transfer_redirect.py
@@ -0,0 +1,170 @@
+"""Tests for the download redirect handler.
+
+Cloud's ``/api/view`` returns 302 to a short-lived signed GCS URL. The
+download path follows the redirect but **must** strip auth headers
+(X-API-Key, Authorization, Cookie) before the follow-up request — the
+signed URL's signature is the auth, and dragging our credential along
+would leak it to storage.
+"""
+
+from __future__ import annotations
+
+import io
+import threading
+import urllib.error
+import urllib.request
+from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
+
+import pytest
+
+from comfy_cli.command.transfer import (
+    _AUTH_HEADERS_TO_STRIP,
+    _DOWNLOAD_OPENER,
+    _DownloadRedirectHandler,
+)
+
+
+def _make_request(url: str, **headers) -> urllib.request.Request:
+    req = urllib.request.Request(url)
+    for k, v in headers.items():
+        req.add_header(k.replace("_", "-"), v)
+    return req
+
+
+class TestRedirectStripping:
+    """Unit tests against the handler's redirect_request() method directly."""
+
+    def test_strips_api_key_on_redirect(self):
+        handler = _DownloadRedirectHandler()
+        req = _make_request("https://cloud.example.com/api/view?filename=x.png", X_API_Key="secret")
+        new_req = handler.redirect_request(
+            req,
+            fp=io.BytesIO(),
+            code=302,
+            msg="Found",
+            headers={"Location": "https://storage.googleapis.com/signed?sig=abc"},
+            newurl="https://storage.googleapis.com/signed?sig=abc",
+        )
+        # The follow-up request must NOT carry the X-API-Key.
+        all_headers = {**new_req.headers, **new_req.unredirected_hdrs}
+        for k in all_headers:
+            assert k.lower() not in _AUTH_HEADERS_TO_STRIP, f"leaked header: {k}"
+
+    def test_strips_authorization_on_redirect(self):
+        handler = _DownloadRedirectHandler()
+        req = _make_request("https://cloud.example.com/api/view", Authorization="Bearer eyJhbG…")
+        new_req = handler.redirect_request(
+            req,
+            fp=io.BytesIO(),
+            code=302,
+            msg="Found",
+            headers={"Location": "https://storage.googleapis.com/signed"},
+            newurl="https://storage.googleapis.com/signed",
+        )
+        all_headers = {**new_req.headers, **new_req.unredirected_hdrs}
+        assert "Authorization" not in all_headers
+        assert "authorization" not in {k.lower() for k in all_headers}
+
+    def test_preserves_non_auth_headers(self):
+        handler = _DownloadRedirectHandler()
+        req = _make_request("https://cloud.example.com/api/view", X_API_Key="secret", User_Agent="comfy-cli")
+        new_req = handler.redirect_request(
+            req,
+            fp=io.BytesIO(),
+            code=302,
+            msg="Found",
+            headers={"Location": "https://storage.googleapis.com/signed"},
+            newurl="https://storage.googleapis.com/signed",
+        )
+        # User-Agent should survive; X-API-Key should not.
+        all_headers = {k.lower(): v for k, v in {**new_req.headers, **new_req.unredirected_hdrs}.items()}
+        assert all_headers.get("user-agent") == "comfy-cli"
+        assert "x-api-key" not in all_headers
+
+    def test_rejects_non_http_redirect_target(self):
+        handler = _DownloadRedirectHandler()
+        req = _make_request("https://cloud.example.com/api/view", X_API_Key="secret")
+        with pytest.raises(urllib.error.HTTPError) as exc:
+            handler.redirect_request(
+                req,
+                fp=io.BytesIO(),
+                code=302,
+                msg="Found",
+                headers={"Location": "file:///etc/passwd"},
+                newurl="file:///etc/passwd",
+            )
+        assert "non-HTTP" in str(exc.value) or "scheme" in str(exc.value)
+
+
+# ---------------------------------------------------------------------------
+# Integration test against a real HTTP server.
+#
+# Spin up a thread-local server that 302s /api/view -> /signed.png and serves
+# a tiny PNG at /signed. The test asserts the follow-up request carries no
+# auth header.
+# ---------------------------------------------------------------------------
+
+
+_PNG_BODY = b"\x89PNG\r\n\x1a\nfake-png-body-for-test"
+
+
+class _RedirectServer(BaseHTTPRequestHandler):
+    received_headers: list[dict[str, str]] = []
+
+    def log_message(self, format, *args):  # noqa: A002 — silence stderr
+        pass
+
+    def do_GET(self):
+        type(self).received_headers.append(dict(self.headers))
+        if self.path.startswith("/api/view"):
+            # 302 redirect to the "signed" URL on the same host (avoids needing
+            # a second port; the signing fiction is just for the test).
+            self.send_response(302)
+            self.send_header("Location", "/signed")
+            self.end_headers()
+        elif self.path == "/signed":
+            self.send_response(200)
+            self.send_header("Content-Type", "image/png")
+            self.send_header("Content-Length", str(len(_PNG_BODY)))
+            self.end_headers()
+            self.wfile.write(_PNG_BODY)
+        else:
+            self.send_response(404)
+            self.end_headers()
+
+
+@pytest.fixture
+def redirect_server():
+    _RedirectServer.received_headers = []
+    srv = ThreadingHTTPServer(("127.0.0.1", 0), _RedirectServer)
+    port = srv.server_address[1]
+    thread = threading.Thread(target=srv.serve_forever, daemon=True)
+    thread.start()
+    try:
+        yield port
+    finally:
+        srv.shutdown()
+        srv.server_close()
+
+
+def test_download_opener_follows_redirect_and_strips_auth(redirect_server):
+    """End-to-end: the opener follows the 302 but the auth header doesn't go with it."""
+    port = redirect_server
+    req = urllib.request.Request(f"http://127.0.0.1:{port}/api/view?filename=x.png")
+    req.add_header("X-API-Key", "super-secret-key")
+
+    with _DOWNLOAD_OPENER.open(req, timeout=5) as resp:
+        body = resp.read()
+
+    assert body == _PNG_BODY
+
+    # Two requests reached the server: the initial /api/view (with auth) and
+    # the follow-up /signed (without auth).
+    headers = _RedirectServer.received_headers
+    assert len(headers) == 2
+    # First request keeps the credential.
+    assert headers[0].get("X-Api-Key") == "super-secret-key" or headers[0].get("X-API-Key") == "super-secret-key"
+    # Second request DOES NOT carry it.
+    h2_lower = {k.lower(): v for k, v in headers[1].items()}
+    assert "x-api-key" not in h2_lower, f"auth leaked to redirect target: {headers[1]}"
+    assert "authorization" not in h2_lower
diff --git a/tests/comfy_cli/command/test_transfer_upload.py b/tests/comfy_cli/command/test_transfer_upload.py
new file mode 100644
index 00000000..3852dfa1
--- /dev/null
+++ b/tests/comfy_cli/command/test_transfer_upload.py
@@ -0,0 +1,147 @@
+"""Tests for the per-file upload helper ``transfer._upload_file``.
+
+The helper is the single place the CLI speaks the server's ``/upload/image``
+multipart API — both ``comfy upload`` and ``comfy assets push`` go through
+it. The CLI must NEVER touch a ComfyUI install's folders directly; this HTTP
+endpoint is the only ingestion path.
+"""
+
+from __future__ import annotations
+
+import io
+import json
+import urllib.error
+from pathlib import Path
+
+import pytest
+
+from comfy_cli.command import transfer
+from comfy_cli.target import Target
+
+
+class _FakeResponse(io.BytesIO):
+    def __enter__(self):
+        return self
+
+    def __exit__(self, *exc):
+        return False
+
+
+class _FakeOpener:
+    """Captures the request and returns a canned JSON response."""
+
+    def __init__(self, payload: dict | None = None, error: Exception | None = None):
+        self.payload = payload or {"name": "ab12.png", "subfolder": "", "type": "input"}
+        self.error = error
+        self.requests: list = []
+
+    def open(self, req):
+        self.requests.append(req)
+        if self.error is not None:
+            raise self.error
+        return _FakeResponse(json.dumps(self.payload).encode())
+
+
+def _local_target() -> Target:
+    return Target(kind="local", base_url="http://127.0.0.1:8188")
+
+
+def _cloud_target(**kw) -> Target:
+    return Target(kind="cloud", base_url="https://cloud.example.com", path_prefix="/api", **kw)
+
+
+@pytest.fixture
+def asset(tmp_path: Path) -> Path:
+    p = tmp_path / "frame.png"
+    p.write_bytes(b"fake-png-bytes")
+    return p
+
+
+def test_upload_file_posts_multipart_and_returns_response_dict(asset, monkeypatch):
+    opener = _FakeOpener(payload={"name": "deadbeef.png", "subfolder": "sub", "type": "input"})
+    monkeypatch.setattr(transfer, "_TRANSFER_OPENER", opener)
+
+    result = transfer._upload_file(asset, _local_target(), overwrite=False)
+
+    assert result == {"name": "deadbeef.png", "subfolder": "sub", "type": "input"}
+    assert len(opener.requests) == 1
+    req = opener.requests[0]
+    assert req.full_url == "http://127.0.0.1:8188/upload/image"
+    assert req.get_method() == "POST"
+    body = req.data
+    assert b'name="image"; filename="frame.png"' in body
+    assert b"fake-png-bytes" in body
+    assert b'name="overwrite"\r\n\r\nfalse\r\n' in body
+    assert "multipart/form-data; boundary=" in req.get_header("Content-type")
+
+
+def test_upload_file_overwrite_true_in_body(asset, monkeypatch):
+    opener = _FakeOpener()
+    monkeypatch.setattr(transfer, "_TRANSFER_OPENER", opener)
+
+    transfer._upload_file(asset, _local_target(), overwrite=True)
+
+    assert b'name="overwrite"\r\n\r\ntrue\r\n' in opener.requests[0].data
+
+
+def test_upload_file_cloud_target_attaches_auth_and_prefix(asset, monkeypatch):
+    opener = _FakeOpener()
+    monkeypatch.setattr(transfer, "_TRANSFER_OPENER", opener)
+
+    transfer._upload_file(asset, _cloud_target(auth_token="tok123"), overwrite=False)
+
+    req = opener.requests[0]
+    assert req.full_url == "https://cloud.example.com/api/upload/image"
+    assert req.get_header("Authorization") == "Bearer tok123"
+
+
+def test_upload_file_http_error_propagates(asset, monkeypatch):
+    err = urllib.error.HTTPError("http://x/upload/image", 500, "boom", {}, io.BytesIO())
+    monkeypatch.setattr(transfer, "_TRANSFER_OPENER", _FakeOpener(error=err))
+
+    with pytest.raises(urllib.error.HTTPError):
+        transfer._upload_file(asset, _local_target(), overwrite=False)
+
+
+def test_upload_file_sanitizes_hostile_filename(tmp_path, monkeypatch):
+    hostile = tmp_path / 'a"b.png'
+    hostile.write_bytes(b"x")
+    opener = _FakeOpener()
+    monkeypatch.setattr(transfer, "_TRANSFER_OPENER", opener)
+
+    transfer._upload_file(hostile, _local_target(), overwrite=False)
+
+    assert b'filename="a_b.png"' in opener.requests[0].data
+
+
+class TestUploadMachineModeStdoutPurity:
+    """Same contract as download: in machine modes stdout carries only JSON
+    (envelope last) and the human "✓ uploaded" line is pretty-mode-only."""
+
+    @pytest.fixture(autouse=True)
+    def reset_renderer(self):
+        from comfy_cli.output.renderer import reset_renderer_for_testing
+
+        reset_renderer_for_testing()
+        yield
+        reset_renderer_for_testing()
+
+    def test_json_mode_stdout_is_pure_json_no_human_line(self, asset, monkeypatch, capsys):
+        from comfy_cli.output import Renderer, set_renderer
+        from comfy_cli.output.renderer import OutputMode
+
+        opener = _FakeOpener()
+        monkeypatch.setattr(transfer, "_TRANSFER_OPENER", opener)
+        monkeypatch.setattr(transfer, "resolve_target", lambda where=None: _local_target())
+        set_renderer(Renderer(mode=OutputMode.JSON, command="upload"))
+
+        transfer.execute_upload([str(asset)], where="local")
+
+        captured = capsys.readouterr()
+        out_lines = [ln for ln in captured.out.splitlines() if ln.strip()]
+        assert out_lines, "the envelope must land on stdout"
+        parsed = [json.loads(ln) for ln in out_lines]
+        assert parsed[-1]["type"] == "envelope"
+        assert parsed[-1]["data"]["uploads"][0]["cloud_name"] == "ab12.png"
+        assert "uploaded" not in captured.out
+        assert "uploaded" not in captured.err
diff --git a/tests/comfy_cli/command/test_var_refs.py b/tests/comfy_cli/command/test_var_refs.py
new file mode 100644
index 00000000..7da50b5a
--- /dev/null
+++ b/tests/comfy_cli/command/test_var_refs.py
@@ -0,0 +1,353 @@
+"""`$var.<name>` references — project constants from comfy.yaml `vars:`.
+
+Mirror of test_asset_refs.py, same three layers, no network anywhere:
+
+- pure fragments: `$var` with an injected resolver resolves wherever a
+  whole-value string can appear (params, foreach item fields, inputs) and
+  returns the RAW scalar so non-STRING params keep their types; resolver
+  absent is a clear BlueprintError; foreach namespacing must not mangle the
+  prefix.
+- pure project: resolver behavior is covered in tests/comfy_cli/test_project.py.
+- CLI: `comfy workflow compose` inside a project wires the resolver, maps
+  VarError onto `var_not_defined`, and snapshots referenced vars into
+  `_meta.vars` for provenance.
+"""
+
+from __future__ import annotations
+
+import json
+from pathlib import Path
+
+import pytest
+from typer.testing import CliRunner
+
+from comfy_cli.caller import Caller
+from comfy_cli.command import workflow as workflow_cmd
+from comfy_cli.fragments import (
+    BlueprintError,
+    VarError,
+    _substitute_item,
+    compose_blueprint,
+    compose_blueprints,
+)
+from comfy_cli.output.renderer import (
+    OutputMode,
+    Renderer,
+    reset_renderer_for_testing,
+    set_renderer,
+)
+
+
+@pytest.fixture(autouse=True)
+def reset_singleton():
+    reset_renderer_for_testing()
+    yield
+    reset_renderer_for_testing()
+
+
+def _text_overlay_fragment() -> dict:
+    """STRING + INT params and an IMAGE input — exercises every $var site."""
+    return {
+        "_fragment": {
+            "name": "text_overlay",
+            "version": "1",
+            "inputs": {"image": {"type": "IMAGE", "binds": "10.image"}},
+            "outputs": {"image": {"type": "IMAGE", "from": "10", "port": 0}},
+            "params": {
+                "label": {"type": "STRING", "binds": "10.label", "default": "x"},
+                "size": {"type": "INT", "binds": "10.size", "default": 12},
+            },
+        },
+        "10": {"class_type": "TextOverlay", "inputs": {"image": "P", "label": "x", "size": 12}},
+    }
+
+
+@pytest.fixture
+def lib_dir(tmp_path: Path) -> Path:
+    d = tmp_path / "fragments"
+    d.mkdir()
+    (d / "text_overlay.json").write_text(json.dumps(_text_overlay_fragment()))
+    return d
+
+
+def _overlay_blueprint(*, inputs: dict | None = None, params: dict | None = None) -> dict:
+    return {
+        "pipeline": [
+            {
+                "fragment": "text_overlay",
+                "alias": "t",
+                "inputs": inputs or {"image": "base.png"},
+                "params": params or {},
+            }
+        ]
+    }
+
+
+def _overlay_node(workflow: dict) -> dict:
+    nodes = [n for n in workflow.values() if n.get("class_type") == "TextOverlay"]
+    assert len(nodes) == 1
+    return nodes[0]
+
+
+_VARS = {"style": "cinematic, golden hour", "steps": 28, "base": "shared_bg.png"}
+
+
+# ---------------------------------------------------------------------------
+# pure fragments: $var resolution in params, inputs, foreach item fields
+# ---------------------------------------------------------------------------
+
+
+class TestVarResolution:
+    def test_string_param_var_ref_resolves(self, lib_dir):
+        wf, _ = compose_blueprint(
+            _overlay_blueprint(params={"label": "$var.style"}),
+            lib_dir=lib_dir,
+            var_resolver=_VARS.__getitem__,
+        )
+        assert _overlay_node(wf)["inputs"]["label"] == "cinematic, golden hour"
+
+    def test_int_param_var_ref_keeps_int_type(self, lib_dir):
+        """$var returns the raw scalar, not str()'d — INT widgets stay ints."""
+        wf, _ = compose_blueprint(
+            _overlay_blueprint(params={"size": "$var.steps"}),
+            lib_dir=lib_dir,
+            var_resolver=_VARS.__getitem__,
+        )
+        size = _overlay_node(wf)["inputs"]["size"]
+        assert size == 28 and isinstance(size, int) and not isinstance(size, bool)
+
+    def test_var_ref_resolves_in_inputs_too(self, lib_dir):
+        """Same shared helper as $asset: an IMAGE input fed `$var.base` gets
+        the loader materialization of the resolved filename."""
+        wf, _ = compose_blueprint(
+            _overlay_blueprint(inputs={"image": "$var.base"}),
+            lib_dir=lib_dir,
+            var_resolver=_VARS.__getitem__,
+        )
+        loads = [n for n in wf.values() if n["class_type"] == "LoadImage"]
+        assert len(loads) == 1 and loads[0]["inputs"]["image"] == "shared_bg.png"
+
+    def test_embedded_var_ref_mid_string_is_not_a_reference(self, lib_dir):
+        """Whole-value only: `$var.` mid-string is plain text, no resolver
+        consulted (must not raise even with no resolver)."""
+        wf, _ = compose_blueprint(
+            _overlay_blueprint(params={"label": "in the $var.style style"}),
+            lib_dir=lib_dir,
+        )
+        assert _overlay_node(wf)["inputs"]["label"] == "in the $var.style style"
+
+    def test_var_ref_without_resolver_is_blueprint_error(self, lib_dir):
+        with pytest.raises(BlueprintError) as exc:
+            compose_blueprint(_overlay_blueprint(params={"label": "$var.style"}), lib_dir=lib_dir)
+        assert "$var.style" in str(exc.value)
+        assert "comfy.yaml" in (exc.value.hint or "")
+        assert "project" in (exc.value.hint or "")
+
+    def test_resolver_var_error_propagates(self, lib_dir):
+        def undefined(name: str):
+            raise VarError(f"var {name!r} is not defined", code="var_not_defined", hint="add it under `vars:`")
+
+        with pytest.raises(VarError) as exc:
+            compose_blueprint(
+                _overlay_blueprint(params={"label": "$var.style"}), lib_dir=lib_dir, var_resolver=undefined
+            )
+        assert exc.value.code == "var_not_defined"
+
+
+# ---------------------------------------------------------------------------
+# foreach: namespacing guard + per-item resolution through $item fields
+# ---------------------------------------------------------------------------
+
+
+class TestForeachVar:
+    def test_substitute_item_leaves_var_refs_unmangled(self):
+        """REGRESSION GUARD: without the prefix guard, alias namespacing would
+        rewrite `$var.style` into `$i0_s1__var.style` and the ref is lost."""
+        assert _substitute_item("$var.style", {"id": "s1"}, ns="i0_s1") == "$var.style"
+
+    def test_foreach_item_field_var_ref_resolves_per_item(self, lib_dir):
+        """$item substitution first, then $var resolution on the result."""
+        blueprint = {
+            "foreach": [
+                {"id": "s1", "look": "$var.style"},
+                {"id": "s2", "look": "plain"},
+            ],
+            "pipeline": [
+                {
+                    "fragment": "text_overlay",
+                    "alias": "t",
+                    "inputs": {"image": "base.png"},
+                    "params": {"label": "$item.look"},
+                }
+            ],
+        }
+        graphs = compose_blueprints(blueprint, lib_dir=lib_dir, var_resolver=_VARS.__getitem__)
+        assert len(graphs) == 1
+        workflow = graphs[0][0]
+        labels = {n["inputs"]["label"] for n in workflow.values() if n.get("class_type") == "TextOverlay"}
+        assert labels == {"cinematic, golden hour", "plain"}
+        assert "__var" not in json.dumps(workflow)
+
+    def test_shared_var_across_branches(self, lib_dir):
+        blueprint = {
+            "foreach": [{"id": "s1"}, {"id": "s2"}],
+            "pipeline": [
+                {
+                    "fragment": "text_overlay",
+                    "alias": "t",
+                    "inputs": {"image": "base.png"},
+                    "params": {"label": "$var.style"},
+                }
+            ],
+        }
+        graphs = compose_blueprints(blueprint, lib_dir=lib_dir, var_resolver=_VARS.__getitem__)
+        labels = [n["inputs"]["label"] for n in graphs[0][0].values() if n.get("class_type") == "TextOverlay"]
+        assert labels == ["cinematic, golden hour"] * 2
+
+
+# ---------------------------------------------------------------------------
+# CLI: compose inside a project with a comfy.yaml `vars:` block
+# ---------------------------------------------------------------------------
+
+
+def _force_json_renderer():
+    r = Renderer.resolve(
+        is_stdout_tty=False,
+        env={},
+        caller=Caller(kind="user", agentic=False, source_env=None),
+        json_flag=True,
+    )
+    r.mode = OutputMode.JSON
+    set_renderer(r)
+    return r
+
+
+def _invoke(args: list[str], capsys) -> tuple[int, dict]:
+    _force_json_renderer()
+    runner = CliRunner()
+    result = runner.invoke(workflow_cmd.app, args, standalone_mode=False)
+    if result.exception is not None and not isinstance(result.exception, SystemExit):
+        raise result.exception
+    exit_code = result.return_value if isinstance(result.return_value, int) else result.exit_code
+    captured = capsys.readouterr().out
+    if not captured.strip():
+        captured = result.stdout or ""
+    for line in reversed(captured.strip().splitlines()):
+        line = line.strip()
+        if not line:
+            continue
+        try:
+            return exit_code, json.loads(line)
+        except json.JSONDecodeError:
+            continue
+    raise AssertionError(f"no JSON envelope (rc={result.exit_code}, out={captured[:500]!r})")
+
+
+@pytest.fixture
+def project_tree(tmp_path: Path) -> Path:
+    """A project/1 tree whose comfy.yaml carries a `vars:` block."""
+    root = tmp_path / "proj"
+    root.mkdir()
+    (root / "comfy.yaml").write_text(
+        "schema: project/1\n"
+        "defaults:\n"
+        "  where: cloud\n"
+        "vars:\n"
+        "  style: cinematic, golden hour\n"
+        "  steps: 28\n"
+        "  unused: never referenced\n"
+    )
+    for d in ("assets", "fragments", "blueprints", "outputs", ".comfy"):
+        (root / d).mkdir()
+    (root / "fragments" / "text_overlay.json").write_text(json.dumps(_text_overlay_fragment()))
+    (root / "blueprints" / "story.yaml").write_text(
+        "pipeline:\n"
+        "  - fragment: text_overlay\n"
+        "    alias: t\n"
+        "    inputs:\n"
+        "      image: base.png\n"
+        "    params:\n"
+        "      label: $var.style\n"
+        "      size: $var.steps\n"
+    )
+    return root
+
+
+class TestComposeCli:
+    def test_compose_resolves_vars_from_comfy_yaml(self, project_tree, capsys):
+        bp = project_tree / "blueprints" / "story.yaml"
+        rc, env = _invoke(["compose", str(bp), "--lib", str(project_tree / "fragments")], capsys)
+        assert rc == 0, env
+        assert env["ok"] is True
+        compiled = json.loads(Path(env["data"]["out"]).read_text())
+        node = _overlay_node({k: v for k, v in compiled.items() if isinstance(v, dict) and "class_type" in v})
+        assert node["inputs"]["label"] == "cinematic, golden hour"
+        assert node["inputs"]["size"] == 28 and isinstance(node["inputs"]["size"], int)
+
+    def test_meta_vars_records_only_referenced_vars(self, project_tree, capsys):
+        """Provenance: `_meta.vars` snapshots the values this compilation
+        used — referenced names only, `unused` stays out."""
+        bp = project_tree / "blueprints" / "story.yaml"
+        rc, env = _invoke(["compose", str(bp), "--lib", str(project_tree / "fragments")], capsys)
+        assert rc == 0, env
+        compiled = json.loads(Path(env["data"]["out"]).read_text())
+        assert compiled["_meta"]["vars"] == {"style": "cinematic, golden hour", "steps": 28}
+
+    def test_no_vars_referenced_no_meta_vars_key(self, project_tree, capsys):
+        bp = project_tree / "blueprints" / "plain.yaml"
+        bp.write_text(
+            "pipeline:\n  - fragment: text_overlay\n    alias: t\n    inputs:\n      image: base.png\n",
+        )
+        rc, env = _invoke(["compose", str(bp), "--lib", str(project_tree / "fragments")], capsys)
+        assert rc == 0, env
+        compiled = json.loads(Path(env["data"]["out"]).read_text())
+        assert "vars" not in compiled["_meta"]
+
+    def test_undefined_var_exits_1_with_var_not_defined(self, project_tree, capsys):
+        bp = project_tree / "blueprints" / "bad.yaml"
+        bp.write_text(
+            "pipeline:\n"
+            "  - fragment: text_overlay\n"
+            "    alias: t\n"
+            "    inputs:\n"
+            "      image: base.png\n"
+            "    params:\n"
+            "      label: $var.missing\n"
+        )
+        rc, env = _invoke(["compose", str(bp), "--lib", str(project_tree / "fragments")], capsys)
+        assert rc == 1
+        assert env["ok"] is False
+        assert env["error"]["code"] == "var_not_defined"
+        assert "vars:" in env["error"]["hint"]
+
+    def test_compose_outside_project_keeps_blueprint_invalid(self, tmp_path, capsys):
+        """No governing project → no resolver → BlueprintError with the
+        comfy.yaml-requires-a-project hint."""
+        lib = tmp_path / "fragments"
+        lib.mkdir()
+        (lib / "text_overlay.json").write_text(json.dumps(_text_overlay_fragment()))
+        bp = tmp_path / "story.yaml"
+        bp.write_text(
+            "pipeline:\n"
+            "  - fragment: text_overlay\n"
+            "    alias: t\n"
+            "    inputs:\n"
+            "      image: base.png\n"
+            "    params:\n"
+            "      label: $var.style\n"
+        )
+        rc, env = _invoke(["compose", str(bp), "--lib", str(lib)], capsys)
+        assert rc == 1
+        assert env["error"]["code"] == "blueprint_invalid"
+        assert "comfy.yaml" in env["error"]["hint"]
+
+
+# ---------------------------------------------------------------------------
+# ratchets
+# ---------------------------------------------------------------------------
+
+
+def test_var_error_code_registered():
+    from comfy_cli import error_codes
+
+    assert error_codes.is_registered("var_not_defined")
diff --git a/tests/comfy_cli/command/test_workflow_fragments.py b/tests/comfy_cli/command/test_workflow_fragments.py
new file mode 100644
index 00000000..f4009436
--- /dev/null
+++ b/tests/comfy_cli/command/test_workflow_fragments.py
@@ -0,0 +1,1210 @@
+"""Tests for `comfy workflow compose / fragment {ls,show,validate}`."""
+
+from __future__ import annotations
+
+import json
+import textwrap
+from pathlib import Path
+
+import pytest
+from typer.testing import CliRunner
+
+from comfy_cli.caller import Caller
+from comfy_cli.command import workflow as workflow_cmd
+from comfy_cli.fragments import (
+    BlueprintError,
+    Fragment,
+    FragmentError,
+    compose_blueprint,
+    compose_blueprints,
+    load_fragment,
+    parse_fragment,
+)
+from comfy_cli.output.renderer import (
+    OutputMode,
+    Renderer,
+    reset_renderer_for_testing,
+    set_renderer,
+)
+
+
+@pytest.fixture(autouse=True)
+def reset_singleton():
+    reset_renderer_for_testing()
+    yield
+    reset_renderer_for_testing()
+
+
+def _force_json_renderer():
+    r = Renderer.resolve(
+        is_stdout_tty=False,
+        env={},
+        caller=Caller(kind="user", agentic=False, source_env=None),
+        json_flag=True,
+    )
+    r.mode = OutputMode.JSON
+    set_renderer(r)
+    return r
+
+
+def _run(args: list[str], capsys) -> dict:
+    """Invoke `comfy workflow ...` and parse the trailing JSON envelope.
+
+    Mirrors the helper in ``test_workflow_slots.py``: capsys catches the
+    renderer's emit; CliRunner's stdout is the fallback. We parse the last
+    JSON line of the combined output.
+    """
+    _force_json_renderer()
+    runner = CliRunner()
+    result = runner.invoke(workflow_cmd.app, args, standalone_mode=False)
+    captured = capsys.readouterr().out
+    if not captured.strip():
+        captured = result.stdout or ""
+    for line in reversed(captured.strip().splitlines()):
+        line = line.strip()
+        if not line:
+            continue
+        try:
+            return json.loads(line)
+        except json.JSONDecodeError:
+            continue
+    raise AssertionError(f"no JSON envelope (rc={result.exit_code}, exc={result.exception}, out={captured[:500]!r})")
+
+
+# ---------------------------------------------------------------------------
+# Fixtures: well-formed and malformed fragments
+# ---------------------------------------------------------------------------
+
+
+def _text_encode_fragment() -> dict:
+    """Minimal STRING-typed fragment for unit tests."""
+    return {
+        "_fragment": {
+            "name": "text_encode",
+            "version": "1",
+            "description": "Encode a prompt.",
+            "inputs": {"clip": {"type": "STRING", "binds": "10.clip"}},
+            "outputs": {"conditioning": {"type": "STRING", "from": "10", "port": 0}},
+            "params": {"text": {"type": "STRING", "binds": "10.text", "default": "default prompt"}},
+        },
+        "10": {"class_type": "CLIPTextEncode", "inputs": {"text": "PLACEHOLDER", "clip": "PLACEHOLDER"}},
+    }
+
+
+def _save_still_fragment() -> dict:
+    """Terminal fragment (self-saves)."""
+    return {
+        "_fragment": {
+            "name": "save_still",
+            "version": "1",
+            "terminal": True,
+            "inputs": {"images": {"type": "IMAGE", "binds": "10.images"}},
+            "outputs": {},
+            "params": {"prefix": {"type": "STRING", "binds": "10.filename_prefix", "default": "out"}},
+        },
+        "10": {"class_type": "SaveImage", "inputs": {"images": "PLACEHOLDER", "filename_prefix": "out"}},
+    }
+
+
+def _image_blend_fragment() -> dict:
+    """Two-IMAGE-input fragment with a FLOAT param."""
+    return {
+        "_fragment": {
+            "name": "image_blend",
+            "version": "1",
+            "inputs": {
+                "image1": {"type": "IMAGE", "binds": "10.image1"},
+                "image2": {"type": "IMAGE", "binds": "10.image2"},
+            },
+            "outputs": {"image": {"type": "IMAGE", "from": "10", "port": 0}},
+            "params": {
+                "blend_factor": {"type": "FLOAT", "binds": "10.blend_factor", "default": 0.5},
+            },
+        },
+        "10": {"class_type": "ImageBlend", "inputs": {"image1": "P", "image2": "P", "blend_factor": 0.5}},
+    }
+
+
+def _av_mux_fragment() -> dict:
+    """VIDEO + AUDIO path inputs — literal/$asset values must materialize the
+    loaders with their REAL input keys (LoadVideo.file, LoadAudio.audio per
+    the server's object_info), not invented ones."""
+    return {
+        "_fragment": {
+            "name": "av_mux",
+            "version": "1",
+            "terminal": True,
+            "inputs": {
+                "clip": {"type": "VIDEO", "binds": "10.video"},
+                "track": {"type": "AUDIO", "binds": "10.audio"},
+            },
+            "outputs": {},
+            "params": {},
+        },
+        "10": {"class_type": "SaveVideo", "inputs": {"video": "P", "audio": "P"}},
+    }
+
+
+def _model_producer_fragment() -> dict:
+    """Produces graph-typed outputs (MODEL/LATENT) — like a checkpoint loader."""
+    return {
+        "_fragment": {
+            "name": "model_producer",
+            "version": "1",
+            "inputs": {},
+            "outputs": {
+                "model": {"type": "MODEL", "from": "10", "port": 0},
+                "latent": {"type": "LATENT", "from": "11", "port": 0},
+            },
+            "params": {"ckpt": {"type": "STRING", "binds": "10.ckpt_name", "default": "x.safetensors"}},
+        },
+        "10": {"class_type": "CheckpointLoaderSimple", "inputs": {"ckpt_name": "x.safetensors"}},
+        "11": {"class_type": "EmptyLatentImage", "inputs": {"width": 512, "height": 512}},
+    }
+
+
+def _model_consumer_fragment() -> dict:
+    """Consumes graph-typed inputs (MODEL/LATENT) via cross-step refs — like a sampler."""
+    return {
+        "_fragment": {
+            "name": "model_consumer",
+            "version": "1",
+            "inputs": {
+                "model": {"type": "MODEL", "binds": "20.model"},
+                "latent": {"type": "LATENT", "binds": "20.latent_image"},
+            },
+            "outputs": {"latent": {"type": "LATENT", "from": "20", "port": 0}},
+            "params": {},
+        },
+        "20": {"class_type": "KSampler", "inputs": {"model": "PLACEHOLDER", "latent_image": "PLACEHOLDER"}},
+    }
+
+
+@pytest.fixture
+def lib_dir(tmp_path: Path) -> Path:
+    """A `fragments/` library directory pre-populated with fragments."""
+    d = tmp_path / "fragments"
+    d.mkdir()
+    (d / "text_encode.json").write_text(json.dumps(_text_encode_fragment()))
+    (d / "save_still.json").write_text(json.dumps(_save_still_fragment()))
+    (d / "image_blend.json").write_text(json.dumps(_image_blend_fragment()))
+    (d / "model_producer.json").write_text(json.dumps(_model_producer_fragment()))
+    (d / "model_consumer.json").write_text(json.dumps(_model_consumer_fragment()))
+    (d / "av_mux.json").write_text(json.dumps(_av_mux_fragment()))
+    return d
+
+
+# ---------------------------------------------------------------------------
+# parse_fragment / load_fragment
+# ---------------------------------------------------------------------------
+
+
+class TestParseFragment:
+    def test_minimal_well_formed(self):
+        frag = parse_fragment(_text_encode_fragment())
+        assert isinstance(frag, Fragment)
+        assert frag.name == "text_encode"
+        assert frag.version == "1"
+        assert "clip" in frag.inputs
+        assert "conditioning" in frag.outputs
+        assert "text" in frag.params
+        assert frag.params["text"].has_default
+        assert frag.params["text"].default == "default prompt"
+        assert frag.nodes["10"]["class_type"] == "CLIPTextEncode"
+
+    def test_terminal_flag_parsed(self):
+        frag = parse_fragment(_save_still_fragment())
+        assert frag.terminal is True
+
+    def test_default_terminal_is_false(self):
+        frag = parse_fragment(_text_encode_fragment())
+        assert frag.terminal is False
+
+    def test_missing_metadata_header_rejected(self):
+        with pytest.raises(FragmentError, match="missing `_fragment` metadata header"):
+            parse_fragment({"10": {"class_type": "Foo", "inputs": {}}})
+
+    def test_missing_name_rejected(self):
+        data = _text_encode_fragment()
+        del data["_fragment"]["name"]
+        with pytest.raises(FragmentError, match="name"):
+            parse_fragment(data)
+
+    def test_graph_socket_input_types_accepted(self):
+        """Graph-only socket types (MODEL/CONDITIONING/LATENT/VAE, custom) are valid inputs."""
+        for t in ("MODEL", "CONDITIONING", "LATENT", "VAE", "CLIP", "CONTROL_NET"):
+            data = _text_encode_fragment()
+            data["_fragment"]["inputs"]["clip"]["type"] = t
+            frag = parse_fragment(data)
+            assert frag.inputs["clip"].type == t
+
+    def test_malformed_input_type_rejected(self):
+        data = _text_encode_fragment()
+        data["_fragment"]["inputs"]["clip"]["type"] = "conditioning"  # lowercase = not a socket type
+        with pytest.raises(FragmentError, match="socket type"):
+            parse_fragment(data)
+
+    def test_unknown_param_type_rejected(self):
+        data = _text_encode_fragment()
+        data["_fragment"]["params"]["text"]["type"] = "TENSOR"
+        with pytest.raises(FragmentError, match="TENSOR"):
+            parse_fragment(data)
+
+    def test_boolean_param_type_accepted(self):
+        """Node schemas print BOOLEAN; fragments copied from `nodes show` must parse."""
+        data = _text_encode_fragment()
+        data["_fragment"]["params"]["text"]["type"] = "BOOLEAN"
+        data["_fragment"]["params"]["text"]["default"] = True
+        frag = parse_fragment(data)
+        assert frag.params["text"].type == "BOOLEAN"
+
+    def test_legacy_bool_param_type_rejected(self):
+        """One name per concept: node schemas print BOOLEAN, so the fragment
+        grammar speaks BOOLEAN only — the BOOL alias is gone, and the error
+        lists the accepted set."""
+        data = _text_encode_fragment()
+        data["_fragment"]["params"]["text"]["type"] = "BOOL"
+        with pytest.raises(FragmentError, match=r"'BOOL' not in .*BOOLEAN"):
+            parse_fragment(data)
+
+    def test_junk_param_type_still_rejected(self):
+        data = _text_encode_fragment()
+        data["_fragment"]["params"]["text"]["type"] = "WIBBLE"
+        with pytest.raises(FragmentError, match="WIBBLE"):
+            parse_fragment(data)
+
+    def test_binds_without_dot_rejected(self):
+        data = _text_encode_fragment()
+        data["_fragment"]["inputs"]["clip"]["binds"] = "10"
+        with pytest.raises(FragmentError, match="must be '<node_id>.<input_name>'"):
+            parse_fragment(data)
+
+    def test_dangling_binds_rejected(self):
+        data = _text_encode_fragment()
+        data["_fragment"]["inputs"]["clip"]["binds"] = "999.clip"
+        with pytest.raises(FragmentError, match="missing interior node '999'"):
+            parse_fragment(data)
+
+    def test_dangling_from_rejected(self):
+        data = _text_encode_fragment()
+        data["_fragment"]["outputs"]["conditioning"]["from"] = "999"
+        with pytest.raises(FragmentError, match="from"):
+            parse_fragment(data)
+
+    def test_no_interior_nodes_rejected(self):
+        data = {
+            "_fragment": {
+                "name": "empty",
+                "inputs": {},
+                "outputs": {},
+                "params": {},
+            }
+        }
+        with pytest.raises(FragmentError, match="no interior nodes"):
+            parse_fragment(data)
+
+    def test_interior_node_without_class_type_rejected(self):
+        data = _text_encode_fragment()
+        data["10"] = {"inputs": {}}  # no class_type
+        with pytest.raises(FragmentError, match="class_type"):
+            parse_fragment(data)
+
+
+class TestLoadFragment:
+    def test_load_from_disk(self, tmp_path: Path):
+        p = tmp_path / "f.json"
+        p.write_text(json.dumps(_text_encode_fragment()))
+        frag = load_fragment(p)
+        assert frag.name == "text_encode"
+        assert frag.source_path == str(p)
+
+    def test_missing_file(self, tmp_path: Path):
+        with pytest.raises(FragmentError, match="not found"):
+            load_fragment(tmp_path / "nope.json")
+
+    def test_invalid_json(self, tmp_path: Path):
+        p = tmp_path / "bad.json"
+        p.write_text("{ this isnt valid")
+        with pytest.raises(FragmentError, match="not valid JSON"):
+            load_fragment(p)
+
+
+# ---------------------------------------------------------------------------
+# Pipeline / compose_blueprint — composition behavior
+# ---------------------------------------------------------------------------
+
+
+class TestCompose:
+    def test_single_step_with_terminal_saves_nothing_extra(self, lib_dir: Path):
+        blueprint = {
+            "pipeline": [
+                {
+                    "fragment": "save_still",
+                    "alias": "save",
+                    "inputs": {"images": "inputs/photo.png"},
+                    "params": {"prefix": "demo"},
+                }
+            ]
+        }
+        wf, summary = compose_blueprint(blueprint, lib_dir=lib_dir)
+        # Terminal fragment → no auto-save appended
+        save_image_nodes = [n for n in wf.values() if n["class_type"] == "SaveImage"]
+        assert len(save_image_nodes) == 1  # the one inside save_still
+        assert save_image_nodes[0]["inputs"]["filename_prefix"] == "demo"
+        # LoadImage was injected for the IMAGE input
+        load_nodes = [n for n in wf.values() if n["class_type"] == "LoadImage"]
+        assert len(load_nodes) == 1
+        assert load_nodes[0]["inputs"]["image"] == "inputs/photo.png"
+        # save_action is None because the step was terminal
+        assert summary["save_action"] is None
+        assert summary["steps"] == 1
+        assert summary["fragments_used"] == ["save_still"]
+
+    def test_default_param_applied_when_omitted(self, lib_dir: Path):
+        blueprint = {"pipeline": [{"fragment": "text_encode", "alias": "p", "inputs": {"clip": "fake_clip"}}]}
+        wf, _ = compose_blueprint(blueprint, lib_dir=lib_dir)
+        encode = [n for n in wf.values() if n["class_type"] == "CLIPTextEncode"][0]
+        assert encode["inputs"]["text"] == "default prompt"
+
+    def test_param_override(self, lib_dir: Path):
+        blueprint = {
+            "pipeline": [
+                {
+                    "fragment": "text_encode",
+                    "alias": "p",
+                    "inputs": {"clip": "fake_clip"},
+                    "params": {"text": "OVERRIDE"},
+                }
+            ]
+        }
+        wf, _ = compose_blueprint(blueprint, lib_dir=lib_dir)
+        encode = [n for n in wf.values() if n["class_type"] == "CLIPTextEncode"][0]
+        assert encode["inputs"]["text"] == "OVERRIDE"
+
+    def test_cross_step_ref_wires_to_prior_output(self, lib_dir: Path):
+        blueprint = {
+            "pipeline": [
+                {"fragment": "text_encode", "alias": "p1", "inputs": {"clip": "clip_a"}, "params": {"text": "first"}},
+                {
+                    "fragment": "text_encode",
+                    "alias": "p2",
+                    "inputs": {"clip": "$p1.conditioning"},
+                    "params": {"text": "second"},
+                },
+            ]
+        }
+        wf, summary = compose_blueprint(blueprint, lib_dir=lib_dir)
+        # The second CLIPTextEncode's `clip` input must be a node reference to the first
+        encodes = sorted(
+            [(nid, n) for nid, n in wf.items() if n["class_type"] == "CLIPTextEncode"],
+            key=lambda x: int(x[0]),
+        )
+        assert len(encodes) == 2
+        p1_nid, _ = encodes[0]
+        _, p2_node = encodes[1]
+        assert p2_node["inputs"]["clip"] == [p1_nid, 0]
+
+    def test_image_input_injects_loadimage(self, lib_dir: Path):
+        blueprint = {
+            "pipeline": [
+                {
+                    "fragment": "image_blend",
+                    "alias": "b",
+                    "inputs": {"image1": "a.png", "image2": "b.png"},
+                }
+            ]
+        }
+        wf, _ = compose_blueprint(blueprint, lib_dir=lib_dir)
+        load_nodes = [n for n in wf.values() if n["class_type"] == "LoadImage"]
+        assert len(load_nodes) == 2
+        loaded_paths = {n["inputs"]["image"] for n in load_nodes}
+        assert loaded_paths == {"a.png", "b.png"}
+
+    def test_video_input_injects_loadvideo_with_file_key(self, lib_dir: Path):
+        """LoadVideo's only input is `file` (COMBO, per cloud object_info).
+        Wiring `video` validates client-side then burns the cloud run
+        server-side (ImageDownloadError) — fennec friction #7."""
+        blueprint = {
+            "pipeline": [
+                {
+                    "fragment": "av_mux",
+                    "alias": "m",
+                    "inputs": {"clip": "s1.mp4", "track": "score.flac"},
+                }
+            ]
+        }
+        wf, _ = compose_blueprint(blueprint, lib_dir=lib_dir)
+        load_videos = [n for n in wf.values() if n["class_type"] == "LoadVideo"]
+        assert len(load_videos) == 1
+        assert load_videos[0]["inputs"] == {"file": "s1.mp4"}
+
+    def test_audio_input_injects_loadaudio_with_audio_key(self, lib_dir: Path):
+        """LoadAudio's real input key is `audio` (COMBO, per cloud object_info)."""
+        blueprint = {
+            "pipeline": [
+                {
+                    "fragment": "av_mux",
+                    "alias": "m",
+                    "inputs": {"clip": "s1.mp4", "track": "score.flac"},
+                }
+            ]
+        }
+        wf, _ = compose_blueprint(blueprint, lib_dir=lib_dir)
+        load_audios = [n for n in wf.values() if n["class_type"] == "LoadAudio"]
+        assert len(load_audios) == 1
+        assert load_audios[0]["inputs"] == {"audio": "score.flac"}
+
+    def test_asset_resolved_video_and_audio_use_real_loader_keys(self, lib_dir: Path):
+        """$asset values fall through to the SAME loader materialization a
+        literal filename gets — same real input keys."""
+        blueprint = {
+            "pipeline": [
+                {
+                    "fragment": "av_mux",
+                    "alias": "m",
+                    "inputs": {"clip": "$asset.clips/s1.mp4", "track": "$asset.score.flac"},
+                }
+            ]
+        }
+        wf, _ = compose_blueprint(
+            blueprint,
+            lib_dir=lib_dir,
+            asset_resolver=lambda name: f"cloud-{Path(name).name}",
+        )
+        load_videos = [n for n in wf.values() if n["class_type"] == "LoadVideo"]
+        load_audios = [n for n in wf.values() if n["class_type"] == "LoadAudio"]
+        assert load_videos[0]["inputs"] == {"file": "cloud-s1.mp4"}
+        assert load_audios[0]["inputs"] == {"audio": "cloud-score.flac"}
+
+    def test_node_ids_remapped_no_collision(self, lib_dir: Path):
+        """Two instances of the same fragment must not collide on interior node IDs."""
+        blueprint = {
+            "pipeline": [
+                {"fragment": "text_encode", "alias": "a", "inputs": {"clip": "ca"}, "params": {"text": "x"}},
+                {"fragment": "text_encode", "alias": "b", "inputs": {"clip": "cb"}, "params": {"text": "y"}},
+            ]
+        }
+        wf, _ = compose_blueprint(blueprint, lib_dir=lib_dir)
+        # Both fragments use interior id "10"; the merged workflow must have two
+        # distinct CLIPTextEncode nodes with distinct IDs.
+        encode_ids = [nid for nid, n in wf.items() if n["class_type"] == "CLIPTextEncode"]
+        assert len(encode_ids) == 2
+        assert len(set(encode_ids)) == 2
+
+    def test_non_terminal_final_auto_appends_save(self, lib_dir: Path):
+        blueprint = {
+            "pipeline": [
+                {
+                    "fragment": "image_blend",
+                    "alias": "b",
+                    "inputs": {"image1": "a.png", "image2": "b.png"},
+                }
+            ],
+            "output_prefix": "myprefix",
+        }
+        wf, summary = compose_blueprint(blueprint, lib_dir=lib_dir)
+        saves = [n for n in wf.values() if n["class_type"] == "SaveImage"]
+        assert len(saves) == 1
+        assert saves[0]["inputs"]["filename_prefix"] == "myprefix"
+        assert summary["save_action"] == {"type": "IMAGE", "prefix": "myprefix"}
+
+    def test_missing_input_errors_with_step_alias(self, lib_dir: Path):
+        blueprint = {"pipeline": [{"fragment": "text_encode", "alias": "only", "params": {"text": "x"}}]}
+        with pytest.raises(BlueprintError) as exc:
+            compose_blueprint(blueprint, lib_dir=lib_dir)
+        assert exc.value.step_alias == "only"
+        assert "missing required input" in str(exc.value)
+
+    def test_unknown_input_key_errors(self, lib_dir: Path):
+        blueprint = {"pipeline": [{"fragment": "text_encode", "alias": "x", "inputs": {"clip": "a", "typo": "b"}}]}
+        with pytest.raises(BlueprintError, match="unknown inputs"):
+            compose_blueprint(blueprint, lib_dir=lib_dir)
+
+    def test_unknown_param_key_errors(self, lib_dir: Path):
+        blueprint = {
+            "pipeline": [{"fragment": "text_encode", "alias": "x", "inputs": {"clip": "a"}, "params": {"typo": 1}}]
+        }
+        with pytest.raises(BlueprintError, match="unknown params"):
+            compose_blueprint(blueprint, lib_dir=lib_dir)
+
+    def test_duplicate_alias_errors(self, lib_dir: Path):
+        blueprint = {
+            "pipeline": [
+                {"fragment": "text_encode", "alias": "dup", "inputs": {"clip": "a"}},
+                {"fragment": "text_encode", "alias": "dup", "inputs": {"clip": "b"}},
+            ]
+        }
+        with pytest.raises(BlueprintError, match="dup"):
+            compose_blueprint(blueprint, lib_dir=lib_dir)
+
+    def test_unknown_alias_in_cross_ref(self, lib_dir: Path):
+        blueprint = {"pipeline": [{"fragment": "text_encode", "alias": "p2", "inputs": {"clip": "$nope.conditioning"}}]}
+        with pytest.raises(BlueprintError, match="unknown alias"):
+            compose_blueprint(blueprint, lib_dir=lib_dir)
+
+    def test_unknown_output_name_in_cross_ref(self, lib_dir: Path):
+        blueprint = {
+            "pipeline": [
+                {"fragment": "text_encode", "alias": "p1", "inputs": {"clip": "x"}},
+                {"fragment": "text_encode", "alias": "p2", "inputs": {"clip": "$p1.no_such_output"}},
+            ]
+        }
+        with pytest.raises(BlueprintError, match="no output"):
+            compose_blueprint(blueprint, lib_dir=lib_dir)
+
+    def test_empty_pipeline_errors(self, lib_dir: Path):
+        with pytest.raises(BlueprintError, match="blueprint"):
+            compose_blueprint({}, lib_dir=lib_dir)
+        with pytest.raises(BlueprintError, match="blueprint"):
+            compose_blueprint({"pipeline": []}, lib_dir=lib_dir)
+
+    def test_graph_typed_inputs_wire_via_cross_ref(self, lib_dir: Path):
+        """MODEL/LATENT inputs fed by `$alias.output` wire to the producer's nodes."""
+        blueprint = {
+            "pipeline": [
+                {"fragment": "model_producer", "alias": "base", "params": {"ckpt": "m.safetensors"}},
+                {
+                    "fragment": "model_consumer",
+                    "alias": "samp",
+                    "inputs": {"model": "$base.model", "latent": "$base.latent"},
+                },
+            ]
+        }
+        wf, _ = compose_blueprint(blueprint, lib_dir=lib_dir)
+        ckpt = next(nid for nid, n in wf.items() if n["class_type"] == "CheckpointLoaderSimple")
+        empty = next(nid for nid, n in wf.items() if n["class_type"] == "EmptyLatentImage")
+        ksampler = next(n for n in wf.values() if n["class_type"] == "KSampler")
+        assert ksampler["inputs"]["model"] == [ckpt, 0]
+        assert ksampler["inputs"]["latent_image"] == [empty, 0]
+
+    def test_graph_typed_input_with_path_literal_errors(self, lib_dir: Path):
+        """A graph-only type can't be loaded from a path — must use a cross-step ref."""
+        blueprint = {
+            "pipeline": [
+                {
+                    "fragment": "model_consumer",
+                    "alias": "samp",
+                    "inputs": {"model": "some/model.safetensors", "latent": "$samp.latent"},
+                },
+            ]
+        }
+        with pytest.raises(BlueprintError, match="can't be loaded from a path"):
+            compose_blueprint(blueprint, lib_dir=lib_dir)
+
+    def test_malformed_cross_step_ref_errors_clearly(self, lib_dir: Path):
+        """A bad ref like `$ref:p1.x` reports a malformed ref, not a cryptic unknown alias."""
+        blueprint = {
+            "pipeline": [
+                {"fragment": "text_encode", "alias": "p1", "inputs": {"clip": "x"}},
+                {"fragment": "text_encode", "alias": "p2", "inputs": {"clip": "$ref:p1.conditioning"}},
+            ]
+        }
+        with pytest.raises(BlueprintError, match="malformed cross-step ref"):
+            compose_blueprint(blueprint, lib_dir=lib_dir)
+
+    def test_invalid_alias_rejected(self, lib_dir: Path):
+        blueprint = {
+            "pipeline": [
+                {"fragment": "text_encode", "alias": "bad:alias", "inputs": {"clip": "x"}},
+            ]
+        }
+        with pytest.raises(BlueprintError, match="valid identifier"):
+            compose_blueprint(blueprint, lib_dir=lib_dir)
+
+
+# ---------------------------------------------------------------------------
+# CLI integration tests via Typer's CliRunner
+# ---------------------------------------------------------------------------
+
+
+class TestComposeCmd:
+    def test_compose_writes_compiled_json(self, lib_dir: Path, tmp_path: Path, capsys):
+        blueprint = tmp_path / "demo.yaml"
+        blueprint.write_text(
+            textwrap.dedent("""\
+            pipeline:
+              - fragment: text_encode
+                alias: p
+                inputs: {clip: clip_a}
+                params: {text: hello}
+        """)
+        )
+        out = tmp_path / "built.json"
+        envelope = _run(["compose", str(blueprint), "-o", str(out), "--lib", str(lib_dir)], capsys)
+        assert envelope["ok"] is True
+        assert envelope["data"]["nodes"] >= 1
+        assert out.exists()
+        wf = json.loads(out.read_text())
+        encodes = [n for n in wf.values() if isinstance(n, dict) and n.get("class_type") == "CLIPTextEncode"]
+        assert encodes[0]["inputs"]["text"] == "hello"
+
+    def test_compose_missing_blueprint(self, tmp_path: Path, capsys):
+        envelope = _run(["compose", str(tmp_path / "nope.yaml")], capsys)
+        assert envelope["ok"] is False
+        assert envelope["error"]["code"] == "blueprint_not_found"
+
+    def test_compose_invalid_yaml(self, tmp_path: Path, capsys):
+        blueprint = tmp_path / "bad.yaml"
+        blueprint.write_text("pipeline: [ this is not balanced")
+        envelope = _run(["compose", str(blueprint)], capsys)
+        assert envelope["ok"] is False
+        assert envelope["error"]["code"] == "blueprint_invalid_yaml"
+
+    def test_compose_missing_input_returns_blueprint_invalid(self, lib_dir: Path, tmp_path: Path, capsys):
+        blueprint = tmp_path / "r.yaml"
+        blueprint.write_text("pipeline:\n  - fragment: text_encode\n    alias: x\n    params: {text: y}\n")
+        envelope = _run(["compose", str(blueprint), "--lib", str(lib_dir)], capsys)
+        assert envelope["ok"] is False
+        assert envelope["error"]["code"] == "blueprint_invalid"
+        assert "missing required input" in envelope["error"]["message"]
+
+    def test_compose_foreach_single_graph(self, lib_dir: Path, tmp_path: Path, capsys):
+        blueprint = tmp_path / "fan.yaml"
+        blueprint.write_text(
+            textwrap.dedent("""\
+            foreach:
+              - {id: a, prompt: alpha}
+              - {id: b, prompt: beta}
+              - {id: c, prompt: gamma}
+            pipeline:
+              - fragment: text_encode
+                alias: enc
+                inputs: {clip: clip_a}
+                params: {text: $item.prompt}
+        """)
+        )
+        out = tmp_path / "fan.json"
+        envelope = _run(["compose", str(blueprint), "-o", str(out), "--lib", str(lib_dir)], capsys)
+        assert envelope["ok"] is True
+        assert envelope["data"]["graphs"] == 1
+        assert envelope["data"]["items"] == 3
+        wf = json.loads(out.read_text())
+        texts = {
+            n["inputs"]["text"] for n in wf.values() if isinstance(n, dict) and n.get("class_type") == "CLIPTextEncode"
+        }
+        assert texts == {"alpha", "beta", "gamma"}
+
+    def test_compose_chunk_writes_multiple_files(self, lib_dir: Path, tmp_path: Path, capsys):
+        blueprint = tmp_path / "fan.yaml"
+        blueprint.write_text(
+            textwrap.dedent("""\
+            chunk: 2
+            foreach:
+              - {id: a, prompt: alpha}
+              - {id: b, prompt: beta}
+              - {id: c, prompt: gamma}
+            pipeline:
+              - fragment: text_encode
+                alias: enc
+                inputs: {clip: clip_a}
+                params: {text: $item.prompt}
+        """)
+        )
+        out = tmp_path / "fan.json"
+        envelope = _run(["compose", str(blueprint), "-o", str(out), "--lib", str(lib_dir)], capsys)
+        assert envelope["ok"] is True
+        assert envelope["data"]["graphs"] == 2
+        assert len(envelope["data"]["written"]) == 2
+        for path in envelope["data"]["written"]:
+            assert Path(path).exists()
+
+    def test_compose_chunk_clears_stale_unnumbered_file(self, lib_dir: Path, tmp_path: Path, capsys):
+        """chunked compose must unlink any stale unnumbered base_out and set out=None."""
+        blueprint = tmp_path / "fan.yaml"
+        blueprint.write_text(
+            textwrap.dedent("""\
+            chunk: 2
+            foreach:
+              - {id: a, prompt: alpha}
+              - {id: b, prompt: beta}
+              - {id: c, prompt: gamma}
+            pipeline:
+              - fragment: text_encode
+                alias: enc
+                inputs: {clip: clip_a}
+                params: {text: $item.prompt}
+        """)
+        )
+        out = tmp_path / "fan.json"
+        # Pre-write a stale unnumbered file (simulates a prior single-graph compose).
+        out.write_text('{"stale": true}', encoding="utf-8")
+        assert out.exists()  # confirm setup
+
+        envelope = _run(["compose", str(blueprint), "-o", str(out), "--lib", str(lib_dir)], capsys)
+        assert envelope["ok"] is True
+        # The stale unnumbered file must have been removed.
+        assert not out.exists(), "stale unnumbered base_out must be deleted on chunked compose"
+        # out must be None for multi-graph (no single runnable file).
+        assert envelope["data"]["out"] is None, "envelope.data.out must be None for chunked compose"
+        # written must list both chunk files.
+        assert len(envelope["data"]["written"]) == 2
+
+    def test_compose_foreach_ref_resolves_relative_to_blueprint(self, lib_dir: Path, tmp_path: Path, capsys):
+        (tmp_path / "items.yaml").write_text(
+            textwrap.dedent("""\
+            - {id: a, prompt: one}
+            - {id: b, prompt: two}
+        """)
+        )
+        blueprint = tmp_path / "fan.yaml"
+        blueprint.write_text(
+            textwrap.dedent("""\
+            foreach: {$ref: items.yaml}
+            pipeline:
+              - fragment: text_encode
+                alias: enc
+                inputs: {clip: clip_a}
+                params: {text: $item.prompt}
+        """)
+        )
+        out = tmp_path / "fan.json"
+        envelope = _run(["compose", str(blueprint), "-o", str(out), "--lib", str(lib_dir)], capsys)
+        assert envelope["ok"] is True
+        assert envelope["data"]["items"] == 2
+        wf = json.loads(out.read_text())
+        texts = {
+            n["inputs"]["text"] for n in wf.values() if isinstance(n, dict) and n.get("class_type") == "CLIPTextEncode"
+        }
+        assert texts == {"one", "two"}
+
+
+class TestFragmentCmds:
+    def test_ls_lists_library(self, lib_dir: Path, capsys):
+        envelope = _run(["fragment", "ls", "--lib", str(lib_dir)], capsys)
+        assert envelope["ok"] is True
+        names = {f["name"] for f in envelope["data"]["fragments"]}
+        assert names == {
+            "text_encode",
+            "save_still",
+            "image_blend",
+            "model_producer",
+            "model_consumer",
+            "av_mux",
+        }
+
+    def test_ls_missing_lib(self, tmp_path: Path, capsys):
+        envelope = _run(["fragment", "ls", "--lib", str(tmp_path / "nope")], capsys)
+        assert envelope["ok"] is False
+        assert envelope["error"]["code"] == "fragment_lib_not_found"
+
+    def test_show_returns_full_schema(self, lib_dir: Path, capsys):
+        envelope = _run(["fragment", "show", "text_encode", "--lib", str(lib_dir)], capsys)
+        assert envelope["ok"] is True
+        d = envelope["data"]
+        assert d["name"] == "text_encode"
+        assert "clip" in d["inputs"]
+        assert "conditioning" in d["outputs"]
+        assert d["params"]["text"]["default"] == "default prompt"
+        assert d["node_count"] == 1
+
+    def test_validate_well_formed(self, lib_dir: Path, capsys):
+        envelope = _run(["fragment", "validate", "text_encode", "--lib", str(lib_dir)], capsys)
+        assert envelope["ok"] is True
+        assert envelope["data"]["valid"] is True
+
+
+# ---------------------------------------------------------------------------
+# foreach — fan-out a pipeline template over N items into ONE multi-branch graph
+# ---------------------------------------------------------------------------
+
+
+class TestForeach:
+    def test_inline_list_compiles_to_one_graph_with_n_branches(self, lib_dir: Path):
+        """A 3-item foreach instantiates the pipeline 3× as independent branches."""
+        blueprint = {
+            "foreach": [
+                {"id": "a", "prompt": "alpha"},
+                {"id": "b", "prompt": "beta"},
+                {"id": "c", "prompt": "gamma"},
+            ],
+            "pipeline": [
+                {
+                    "fragment": "text_encode",
+                    "alias": "enc",
+                    "inputs": {"clip": "fake_clip"},
+                    "params": {"text": "$item.prompt"},
+                }
+            ],
+        }
+        graphs = compose_blueprints(blueprint, lib_dir=lib_dir)
+        assert len(graphs) == 1
+        wf, summary = graphs[0]
+        encodes = [n for n in wf.values() if n["class_type"] == "CLIPTextEncode"]
+        # 3 independent branches, one per item, each bound to its own prompt.
+        assert len(encodes) == 3
+        assert {n["inputs"]["text"] for n in encodes} == {"alpha", "beta", "gamma"}
+        assert summary["items"] == 3
+        assert summary["graphs"] == 1
+
+    def test_per_item_alias_namespacing_no_collision(self, lib_dir: Path):
+        """The N copies must not collide on interior node IDs."""
+        blueprint = {
+            "foreach": [{"id": "x", "prompt": "p1"}, {"id": "y", "prompt": "p2"}],
+            "pipeline": [
+                {"fragment": "text_encode", "alias": "enc", "inputs": {"clip": "c"}, "params": {"text": "$item.prompt"}}
+            ],
+        }
+        wf, _ = compose_blueprints(blueprint, lib_dir=lib_dir)[0]
+        encode_ids = [nid for nid, n in wf.items() if n["class_type"] == "CLIPTextEncode"]
+        assert len(encode_ids) == len(set(encode_ids)) == 2
+
+    def test_cross_step_ref_stays_within_item_branch(self, lib_dir: Path):
+        """A `$alias.output` ref must resolve to the SAME item's branch, not another item's."""
+        blueprint = {
+            "foreach": [{"id": "a", "prompt": "first"}, {"id": "b", "prompt": "second"}],
+            "pipeline": [
+                {"fragment": "text_encode", "alias": "p1", "inputs": {"clip": "c"}, "params": {"text": "$item.prompt"}},
+                {
+                    "fragment": "text_encode",
+                    "alias": "p2",
+                    "inputs": {"clip": "$p1.conditioning"},
+                    "params": {"text": "x"},
+                },
+            ],
+        }
+        wf, _ = compose_blueprints(blueprint, lib_dir=lib_dir)[0]
+        # Group the p1 encode (has the item prompt) and p2 encode (text "x") per branch.
+        # Each p2 must wire to a p1 in the same branch — i.e. exactly 2 distinct p1 targets.
+        p2_targets = {
+            tuple(n["inputs"]["clip"])
+            for n in wf.values()
+            if n["class_type"] == "CLIPTextEncode" and n["inputs"]["text"] == "x"
+        }
+        assert len(p2_targets) == 2  # each p2 wires to a distinct p1 in its own branch
+
+    def test_item_whole_value_substitution(self, lib_dir: Path):
+        """`$item` (no field) substitutes the whole item value."""
+        blueprint = {
+            "foreach": ["red", "green"],
+            "pipeline": [
+                {"fragment": "text_encode", "alias": "enc", "inputs": {"clip": "c"}, "params": {"text": "$item"}}
+            ],
+        }
+        wf, _ = compose_blueprints(blueprint, lib_dir=lib_dir)[0]
+        texts = {n["inputs"]["text"] for n in wf.values() if n["class_type"] == "CLIPTextEncode"}
+        assert texts == {"red", "green"}
+
+    def test_per_item_output_prefix_uses_item_id(self, lib_dir: Path):
+        """Auto-saved terminal output prefix incorporates the item id."""
+        blueprint = {
+            "output_prefix": "outputs",
+            "foreach": [{"id": "shotA"}, {"id": "shotB"}],
+            "pipeline": [{"fragment": "image_blend", "alias": "b", "inputs": {"image1": "a.png", "image2": "b.png"}}],
+        }
+        wf, _ = compose_blueprints(blueprint, lib_dir=lib_dir)[0]
+        prefixes = {n["inputs"]["filename_prefix"] for n in wf.values() if n["class_type"] == "SaveImage"}
+        assert prefixes == {"outputs/shotA", "outputs/shotB"}
+
+    def test_ref_loads_items_from_external_yaml(self, lib_dir: Path, tmp_path: Path):
+        """foreach: {$ref: items.yaml} resolves relative to the blueprint dir."""
+        import yaml
+
+        items_file = tmp_path / "items.yaml"
+        items_file.write_text(yaml.safe_dump([{"id": "a", "prompt": "one"}, {"id": "b", "prompt": "two"}]))
+        blueprint = {
+            "foreach": {"$ref": "items.yaml"},
+            "pipeline": [
+                {"fragment": "text_encode", "alias": "enc", "inputs": {"clip": "c"}, "params": {"text": "$item.prompt"}}
+            ],
+        }
+        wf, summary = compose_blueprints(blueprint, lib_dir=lib_dir, blueprint_dir=tmp_path)[0]
+        texts = {n["inputs"]["text"] for n in wf.values() if n["class_type"] == "CLIPTextEncode"}
+        assert texts == {"one", "two"}
+        assert summary["items"] == 2
+
+    def test_chunk_splits_into_multiple_graphs(self, lib_dir: Path):
+        """chunk: 2 over 3 items → ceil(3/2) = 2 graphs (2 items, then 1 item)."""
+        blueprint = {
+            "chunk": 2,
+            "foreach": [
+                {"id": "a", "prompt": "alpha"},
+                {"id": "b", "prompt": "beta"},
+                {"id": "c", "prompt": "gamma"},
+            ],
+            "pipeline": [
+                {"fragment": "text_encode", "alias": "enc", "inputs": {"clip": "c"}, "params": {"text": "$item.prompt"}}
+            ],
+        }
+        graphs = compose_blueprints(blueprint, lib_dir=lib_dir)
+        assert len(graphs) == 2
+        counts = [len([n for n in wf.values() if n["class_type"] == "CLIPTextEncode"]) for wf, _ in graphs]
+        assert counts == [2, 1]
+        # Every item's prompt appears exactly once across all graphs.
+        all_texts = set()
+        for wf, _ in graphs:
+            all_texts |= {n["inputs"]["text"] for n in wf.values() if n["class_type"] == "CLIPTextEncode"}
+        assert all_texts == {"alpha", "beta", "gamma"}
+        for _, summary in graphs:
+            assert summary["graphs"] == 2
+
+    def test_no_foreach_returns_single_graph(self, lib_dir: Path):
+        """compose_blueprints without foreach behaves like a single linear graph."""
+        blueprint = {
+            "pipeline": [{"fragment": "text_encode", "alias": "p", "inputs": {"clip": "c"}, "params": {"text": "hi"}}]
+        }
+        graphs = compose_blueprints(blueprint, lib_dir=lib_dir)
+        assert len(graphs) == 1
+        wf, summary = graphs[0]
+        assert [n for n in wf.values() if n["class_type"] == "CLIPTextEncode"][0]["inputs"]["text"] == "hi"
+        assert summary.get("items") is None or summary["items"] == 1
+
+    def test_empty_foreach_errors(self, lib_dir: Path):
+        blueprint = {
+            "foreach": [],
+            "pipeline": [{"fragment": "text_encode", "alias": "p", "inputs": {"clip": "c"}}],
+        }
+        with pytest.raises(BlueprintError, match="foreach"):
+            compose_blueprints(blueprint, lib_dir=lib_dir)
+
+    def test_missing_item_field_errors(self, lib_dir: Path):
+        blueprint = {
+            "foreach": [{"id": "a"}],
+            "pipeline": [
+                {"fragment": "text_encode", "alias": "p", "inputs": {"clip": "c"}, "params": {"text": "$item.prompt"}}
+            ],
+        }
+        with pytest.raises(BlueprintError, match="prompt"):
+            compose_blueprints(blueprint, lib_dir=lib_dir)
+
+    def test_ref_without_blueprint_dir_errors(self, lib_dir: Path):
+        blueprint = {
+            "foreach": {"$ref": "items.yaml"},
+            "pipeline": [{"fragment": "text_encode", "alias": "p", "inputs": {"clip": "c"}}],
+        }
+        with pytest.raises(BlueprintError, match="\\$ref"):
+            compose_blueprints(blueprint, lib_dir=lib_dir)
+
+
+# ---------------------------------------------------------------------------
+# item_map — per-item provenance in compose summaries and _meta embedding
+# ---------------------------------------------------------------------------
+
+
+class TestItemMap:
+    def _foreach_blend_blueprint(self) -> dict:
+        return {
+            "output_prefix": "story",
+            "foreach": [{"id": "s1"}, {"id": "s2"}],
+            "pipeline": [{"fragment": "image_blend", "alias": "b", "inputs": {"image1": "a.png", "image2": "b.png"}}],
+        }
+
+    def test_item_map_disjoint_nodes_with_save_inside(self, lib_dir: Path):
+        wf, summary = compose_blueprints(self._foreach_blend_blueprint(), lib_dir=lib_dir)[0]
+        im = summary["item_map"]
+        assert set(im) == {"s1", "s2"}
+        s1, s2 = set(im["s1"]["nodes"]), set(im["s2"]["nodes"])
+        # Node sets are disjoint and together cover the whole graph.
+        assert s1.isdisjoint(s2)
+        assert s1 | s2 == set(wf)
+        for key in ("s1", "s2"):
+            entry = im[key]
+            # Node lists are sorted numerically.
+            assert entry["nodes"] == sorted(entry["nodes"], key=int)
+            # The auto-appended save node belongs to its item's node set.
+            assert entry["save_node"] in entry["nodes"]
+            assert wf[entry["save_node"]]["class_type"] == "SaveImage"
+            # The per-item prefix follows the `_item_prefix` rule (base/id).
+            assert entry["prefix"] == f"story/{key}"
+            assert wf[entry["save_node"]]["inputs"]["filename_prefix"] == entry["prefix"]
+
+    def test_item_map_keys_fall_back_to_index_for_scalar_items(self, lib_dir: Path):
+        blueprint = {
+            "foreach": ["red", "green"],
+            "pipeline": [
+                {"fragment": "text_encode", "alias": "enc", "inputs": {"clip": "c"}, "params": {"text": "$item"}}
+            ],
+        }
+        _, summary = compose_blueprints(blueprint, lib_dir=lib_dir)[0]
+        assert set(summary["item_map"]) == {"0", "1"}
+
+    def test_item_map_terminal_branch_has_no_save_node(self, lib_dir: Path):
+        blueprint = {
+            "foreach": [{"id": "s1"}],
+            "pipeline": [{"fragment": "save_still", "alias": "save", "inputs": {"images": "inputs/p.png"}}],
+        }
+        wf, summary = compose_blueprints(blueprint, lib_dir=lib_dir)[0]
+        entry = summary["item_map"]["s1"]
+        assert entry["save_node"] is None
+        assert set(entry["nodes"]) == set(wf)
+
+    def test_chunked_item_map_covers_only_its_batch(self, lib_dir: Path):
+        blueprint = {
+            "chunk": 2,
+            "foreach": [{"id": "a", "prompt": "x"}, {"id": "b", "prompt": "y"}, {"id": "c", "prompt": "z"}],
+            "pipeline": [
+                {"fragment": "text_encode", "alias": "enc", "inputs": {"clip": "c"}, "params": {"text": "$item.prompt"}}
+            ],
+        }
+        graphs = compose_blueprints(blueprint, lib_dir=lib_dir)
+        assert len(graphs) == 2
+        assert set(graphs[0][1]["item_map"]) == {"a", "b"}
+        assert set(graphs[1][1]["item_map"]) == {"c"}
+
+    def test_non_foreach_summary_has_no_item_map(self, lib_dir: Path):
+        blueprint = {
+            "pipeline": [{"fragment": "text_encode", "alias": "p", "inputs": {"clip": "c"}, "params": {"text": "hi"}}]
+        }
+        _, summary = compose_blueprints(blueprint, lib_dir=lib_dir)[0]
+        assert not summary.get("item_map")
+
+
+class TestComposeCmdMeta:
+    """compose_cmd embeds a `_meta` provenance block in every written workflow."""
+
+    def test_written_workflow_carries_meta_with_items(self, lib_dir: Path, tmp_path: Path, capsys):
+        blueprint = tmp_path / "fan.yaml"
+        blueprint.write_text(
+            textwrap.dedent("""\
+            output_prefix: story
+            foreach:
+              - {id: s1}
+              - {id: s2}
+            pipeline:
+              - fragment: image_blend
+                alias: b
+                inputs: {image1: a.png, image2: b.png}
+        """)
+        )
+        out = tmp_path / "fan.json"
+        envelope = _run(["compose", str(blueprint), "-o", str(out), "--lib", str(lib_dir)], capsys)
+        assert envelope["ok"] is True
+        wf = json.loads(out.read_text())
+        meta = wf["_meta"]
+        assert meta["schema"] == "compose/1"
+        assert meta["blueprint"] == str(blueprint.resolve())
+        assert set(meta["items"]) == {"s1", "s2"}
+        for key, entry in meta["items"].items():
+            assert entry["save_node"] in entry["nodes"]
+            assert entry["prefix"] == f"story/{key}"
+        # The same map rides the envelope payload.
+        assert set(envelope["data"]["item_map"]) == {"s1", "s2"}
+
+    def test_non_foreach_blueprint_still_gets_meta(self, lib_dir: Path, tmp_path: Path, capsys):
+        blueprint = tmp_path / "single.yaml"
+        blueprint.write_text(
+            textwrap.dedent("""\
+            pipeline:
+              - fragment: text_encode
+                alias: p
+                inputs: {clip: clip_a}
+                params: {text: hello}
+        """)
+        )
+        out = tmp_path / "single.json"
+        envelope = _run(["compose", str(blueprint), "-o", str(out), "--lib", str(lib_dir)], capsys)
+        assert envelope["ok"] is True
+        wf = json.loads(out.read_text())
+        meta = wf["_meta"]
+        assert meta["schema"] == "compose/1"
+        assert meta["blueprint"] == str(blueprint.resolve())
+        assert "items" not in meta
+        assert "item_map" not in envelope["data"]
+
+    def test_chunked_files_carry_only_their_batch_items(self, lib_dir: Path, tmp_path: Path, capsys):
+        blueprint = tmp_path / "fan.yaml"
+        blueprint.write_text(
+            textwrap.dedent("""\
+            chunk: 2
+            foreach:
+              - {id: a, prompt: alpha}
+              - {id: b, prompt: beta}
+              - {id: c, prompt: gamma}
+            pipeline:
+              - fragment: text_encode
+                alias: enc
+                inputs: {clip: clip_a}
+                params: {text: $item.prompt}
+        """)
+        )
+        out = tmp_path / "fan.json"
+        envelope = _run(["compose", str(blueprint), "-o", str(out), "--lib", str(lib_dir)], capsys)
+        assert envelope["ok"] is True
+        written = envelope["data"]["written"]
+        assert len(written) == 2
+        items_per_file = [set(json.loads(Path(p).read_text())["_meta"]["items"]) for p in written]
+        assert items_per_file == [{"a", "b"}, {"c"}]
+        # Envelope-level map is the union across batches.
+        assert set(envelope["data"]["item_map"]) == {"a", "b", "c"}
+
+
+# ---------------------------------------------------------------------------
+# _substitute_item — alias_refs flag prevents namespacing literal string params
+# ---------------------------------------------------------------------------
+
+
+def test_foreach_literal_string_param_not_namespaced():
+    from comfy_cli.fragments import _substitute_item
+
+    # params path: alias-looking literals must NOT be rewritten
+    assert _substitute_item("$brand.tagline", {"x": 1}, ns="i0", alias_refs=False) == "$brand.tagline"
+    # inputs path: $alias.output cross-step refs ARE namespaced (unchanged behavior)
+    assert _substitute_item("$brand.tagline", {"x": 1}, ns="i0", alias_refs=True) == "$i0__brand.tagline"
+    # $item substitution still works on both paths
+    assert _substitute_item("$item.x", {"x": 42}, ns="i0", alias_refs=False) == 42
+    assert _substitute_item("$item.x", {"x": 42}, ns="i0", alias_refs=True) == 42
+
+
+# ---------------------------------------------------------------------------
+# compose journals into the governing project (best-effort)
+# ---------------------------------------------------------------------------
+
+
+class TestComposeJournal:
+    """Inside a project/1 tree, compose appends one runs.jsonl line; outside,
+    nothing is written; a journaling failure never fails the command."""
+
+    BLUEPRINT = textwrap.dedent("""\
+        pipeline:
+          - fragment: text_encode
+            alias: p
+            inputs: {clip: clip_a}
+            params: {text: hello}
+    """)
+
+    def _project(self, tmp_path: Path) -> Path:
+        proj = tmp_path / "proj"
+        (proj / "blueprints").mkdir(parents=True)
+        (proj / "comfy.yaml").write_text("schema: project/1\ndefaults:\n  where: cloud\n")
+        return proj
+
+    def test_compose_inside_project_appends_journal_line(self, lib_dir: Path, tmp_path: Path, capsys):
+        proj = self._project(tmp_path)
+        blueprint = proj / "blueprints" / "demo.yaml"
+        blueprint.write_text(self.BLUEPRINT)
+        out = proj / "built.json"
+
+        envelope = _run(["compose", str(blueprint), "-o", str(out), "--lib", str(lib_dir)], capsys)
+        assert envelope["ok"] is True
+
+        lines = (proj / ".comfy" / "runs.jsonl").read_text().splitlines()
+        assert len(lines) == 1
+        ev = json.loads(lines[0])
+        assert ev["cmd"] == "compose"
+        assert ev["blueprint"] == str(blueprint)
+        assert ev["written"] == [str(out)]
+        assert "ts" in ev
+
+    def test_compose_outside_project_writes_no_journal(self, lib_dir: Path, tmp_path: Path, capsys):
+        blueprint = tmp_path / "demo.yaml"
+        blueprint.write_text(self.BLUEPRINT)
+        out = tmp_path / "built.json"
+
+        envelope = _run(["compose", str(blueprint), "-o", str(out), "--lib", str(lib_dir)], capsys)
+        assert envelope["ok"] is True
+        assert not (tmp_path / ".comfy").exists()
+
+    def test_journal_failure_does_not_fail_compose(self, lib_dir: Path, tmp_path: Path, capsys, monkeypatch):
+        import comfy_cli.project as project_mod
+
+        def _boom(*a, **kw):
+            raise RuntimeError("journal exploded")
+
+        monkeypatch.setattr(project_mod, "journal", _boom)
+        proj = self._project(tmp_path)
+        blueprint = proj / "blueprints" / "demo.yaml"
+        blueprint.write_text(self.BLUEPRINT)
+        out = proj / "built.json"
+
+        envelope = _run(["compose", str(blueprint), "-o", str(out), "--lib", str(lib_dir)], capsys)
+        assert envelope["ok"] is True
+        assert out.exists()
diff --git a/tests/comfy_cli/command/test_workflow_saved.py b/tests/comfy_cli/command/test_workflow_saved.py
new file mode 100644
index 00000000..6a146b36
--- /dev/null
+++ b/tests/comfy_cli/command/test_workflow_saved.py
@@ -0,0 +1,307 @@
+"""Tests for `comfy workflow list/get/save/delete` — cloud-saved workflows.
+
+These commands wrap the `/api/workflows` surface documented at
+docs.comfy.org/api-reference/cloud/workflow. All HTTP is mocked; the
+live round-trip is verified manually.
+"""
+
+from __future__ import annotations
+
+import io
+import json
+import urllib.error
+from typing import Any
+
+import pytest
+from typer.testing import CliRunner
+
+from comfy_cli.caller import Caller
+from comfy_cli.command import workflow as workflow_cmd
+from comfy_cli.output.renderer import (
+    OutputMode,
+    Renderer,
+    reset_renderer_for_testing,
+    set_renderer,
+)
+
+
+@pytest.fixture(autouse=True)
+def reset_singleton():
+    reset_renderer_for_testing()
+    yield
+    reset_renderer_for_testing()
+
+
+def _force_json_renderer():
+    r = Renderer.resolve(
+        is_stdout_tty=False,
+        env={},
+        caller=Caller(kind="user", agentic=False, source_env=None),
+        json_flag=True,
+    )
+    r.mode = OutputMode.JSON
+    set_renderer(r)
+    return r
+
+
+def _run(args: list[str], capsys: pytest.CaptureFixture[str]) -> dict[str, Any]:
+    _force_json_renderer()
+    runner = CliRunner()
+    result = runner.invoke(workflow_cmd.app, args, standalone_mode=False)
+    captured = capsys.readouterr().out
+    if not captured.strip():
+        captured = result.stdout or ""
+    assert captured.strip(), f"no envelope on stdout (rc={result.exit_code}, exc={result.exception})"
+    return json.loads(captured.strip().splitlines()[-1])
+
+
+@pytest.fixture
+def cloud_target(monkeypatch: pytest.MonkeyPatch):
+    """Pin resolve_target to a known cloud Target — same shape used by `models search` tests."""
+    from comfy_cli.target import Target
+
+    fake = Target(
+        kind="cloud",
+        base_url="https://cloud.example.com",
+        path_prefix="/api",
+        history_path="history_v2",
+        jobs_path="jobs",
+        api_key="test-key",
+    )
+    monkeypatch.setattr("comfy_cli.target.resolve_target", lambda **kw: fake)
+    return fake
+
+
+@pytest.fixture
+def local_target(monkeypatch: pytest.MonkeyPatch):
+    from comfy_cli.target import Target
+
+    fake = Target(
+        kind="local",
+        base_url="http://127.0.0.1:8188",
+        path_prefix="",
+        history_path="history",
+        host="127.0.0.1",
+        port=8188,
+    )
+    monkeypatch.setattr("comfy_cli.target.resolve_target", lambda **kw: fake)
+    return fake
+
+
+def _fake_resp(body: bytes, status: int = 200):
+    class _R:
+        def __init__(self):
+            self.status = status
+
+        def __enter__(self):
+            return self
+
+        def __exit__(self, *a):
+            return False
+
+        def read(self, n: int | None = None):
+            return body if n is None else body[:n]
+
+    return _R()
+
+
+def _patch_urlopen(monkeypatch: pytest.MonkeyPatch, routes: dict):
+    calls: list[dict] = []
+
+    def _fake(req, timeout=None):
+        url = req.full_url
+        method = req.get_method()
+        body = req.data
+        calls.append({"url": url, "method": method, "body": body, "headers": dict(req.headers)})
+        for needle, payload in routes.items():
+            if needle in url:
+                if isinstance(payload, Exception):
+                    raise payload
+                if isinstance(payload, tuple):
+                    body_bytes, status = payload
+                    return _fake_resp(body_bytes, status)
+                return _fake_resp(json.dumps(payload).encode())
+        raise AssertionError(f"unexpected URL: {url}")
+
+    monkeypatch.setattr("urllib.request.urlopen", _fake)
+    return calls
+
+
+_WORKFLOW_LIST_RESPONSE = {
+    "data": [
+        {
+            "id": "11111111-1111-1111-1111-111111111111",
+            "name": "Hello flux",
+            "description": "first test",
+            "default_view": "workflow",
+            "latest_version": 1,
+            "created_at": "2026-05-23T01:00:00Z",
+            "updated_at": "2026-05-23T01:00:00Z",
+        },
+        {
+            "id": "22222222-2222-2222-2222-222222222222",
+            "name": "Wan i2v",
+            "default_view": "workflow",
+            "latest_version": 3,
+            "created_at": "2026-05-23T02:00:00Z",
+            "updated_at": "2026-05-23T03:00:00Z",
+        },
+    ],
+    "pagination": {"total": 2, "limit": 20, "offset": 0},
+}
+
+
+_WORKFLOW_CONTENT_RESPONSE = {
+    "id": "version-uuid",
+    "version": 3,
+    "workflow_json": {
+        "1": {"class_type": "KSampler", "inputs": {}},
+        "2": {"class_type": "VAEDecode", "inputs": {}},
+    },
+    "created_by": "user-uuid",
+    "created_at": "2026-05-23T02:00:00Z",
+}
+
+
+# ---------------------------------------------------------------------------
+# Local route — all four subcommands must reject with workflow_saved_local_unsupported
+# ---------------------------------------------------------------------------
+
+
+class TestLocalIsRejectedCleanly:
+    def test_list_local_unsupported(self, local_target, capsys):
+        env = _run(["list", "--where", "local"], capsys)
+        assert env["ok"] is False
+        assert env["error"]["code"] == "workflow_saved_local_unsupported"
+
+    def test_get_local_unsupported(self, local_target, capsys):
+        env = _run(["get", "any-id", "--where", "local"], capsys)
+        assert env["ok"] is False
+        assert env["error"]["code"] == "workflow_saved_local_unsupported"
+
+    def test_delete_local_unsupported(self, local_target, capsys):
+        env = _run(["delete", "any-id", "--where", "local"], capsys)
+        assert env["ok"] is False
+        assert env["error"]["code"] == "workflow_saved_local_unsupported"
+
+    def test_save_local_unsupported(self, local_target, tmp_path, capsys):
+        wf = tmp_path / "wf.json"
+        wf.write_text(json.dumps({"1": {"class_type": "X"}}))
+        env = _run(["save", str(wf), "--name", "test", "--where", "local"], capsys)
+        assert env["ok"] is False
+        assert env["error"]["code"] == "workflow_saved_local_unsupported"
+
+
+# ---------------------------------------------------------------------------
+# list
+# ---------------------------------------------------------------------------
+
+
+class TestList:
+    def test_returns_paginated_rows(self, cloud_target, monkeypatch, capsys):
+        calls = _patch_urlopen(monkeypatch, {"/api/workflows": _WORKFLOW_LIST_RESPONSE})
+        env = _run(["list", "--where", "cloud", "--limit", "5"], capsys)
+        assert env["ok"] is True
+        assert env["data"]["count"] == 2
+        names = [r["name"] for r in env["data"]["workflows"]]
+        assert names == ["Hello flux", "Wan i2v"]
+        # Auth header present.
+        h = {k.lower(): v for k, v in calls[0]["headers"].items()}
+        assert h.get("x-api-key") == "test-key"
+
+    def test_passes_name_filter_through(self, cloud_target, monkeypatch, capsys):
+        calls = _patch_urlopen(monkeypatch, {"/api/workflows": _WORKFLOW_LIST_RESPONSE})
+        _run(["list", "--name", "wan", "--where", "cloud"], capsys)
+        assert "name=wan" in calls[0]["url"]
+
+
+# ---------------------------------------------------------------------------
+# get
+# ---------------------------------------------------------------------------
+
+
+class TestGet:
+    def test_writes_to_stdout_or_file(self, cloud_target, tmp_path, monkeypatch, capsys):
+        _patch_urlopen(monkeypatch, {"/api/workflows/wf-uuid/content": _WORKFLOW_CONTENT_RESPONSE})
+        out = tmp_path / "out.json"
+        env = _run(["get", "wf-uuid", "--out", str(out), "--where", "cloud"], capsys)
+        assert env["ok"] is True
+        assert env["data"]["workflow_id"] == "wf-uuid"
+        assert env["data"]["version"] == 3
+        assert env["data"]["node_count"] == 2
+        assert out.exists()
+        on_disk = json.loads(out.read_text())
+        assert on_disk["1"]["class_type"] == "KSampler"
+
+    def test_404_surfaces_workflow_not_found(self, cloud_target, monkeypatch, capsys):
+        err = urllib.error.HTTPError("https://x/content", 404, "Not Found", {}, io.BytesIO(b"{}"))
+        _patch_urlopen(monkeypatch, {"/api/workflows/ghost/content": err})
+        env = _run(["get", "ghost", "--where", "cloud"], capsys)
+        assert env["ok"] is False
+        assert env["error"]["code"] == "workflow_not_found"
+
+
+# ---------------------------------------------------------------------------
+# save
+# ---------------------------------------------------------------------------
+
+
+class TestSave:
+    def test_posts_workflow_payload(self, cloud_target, tmp_path, monkeypatch, capsys):
+        wf_path = tmp_path / "wf.json"
+        wf_data = {"1": {"class_type": "KSampler", "inputs": {"steps": 20}}}
+        wf_path.write_text(json.dumps(wf_data))
+
+        created = {
+            "id": "new-uuid",
+            "name": "my workflow",
+            "latest_version": 1,
+            "created_by": "user",
+            "created_at": "2026-05-23T00:00:00Z",
+            "updated_at": "2026-05-23T00:00:00Z",
+        }
+        calls = _patch_urlopen(monkeypatch, {"/api/workflows": created})
+        env = _run(["save", str(wf_path), "--name", "my workflow", "--where", "cloud"], capsys)
+        assert env["ok"] is True
+        assert env["data"]["workflow_id"] == "new-uuid"
+        # POSTed JSON carries the workflow_json + name.
+        assert calls[0]["method"] == "POST"
+        sent = json.loads(calls[0]["body"])
+        assert sent["name"] == "my workflow"
+        assert sent["workflow_json"] == wf_data
+
+    def test_invalid_json_file_surfaces_workflow_invalid_json(self, cloud_target, tmp_path, monkeypatch, capsys):
+        wf_path = tmp_path / "bad.json"
+        wf_path.write_text("not valid json")
+        # urlopen should never fire since we fail before HTTP.
+        _patch_urlopen(monkeypatch, {})
+        env = _run(["save", str(wf_path), "--name", "x", "--where", "cloud"], capsys)
+        assert env["ok"] is False
+        assert env["error"]["code"] == "workflow_invalid_json"
+
+    def test_missing_file_surfaces_workflow_not_found(self, cloud_target, tmp_path, monkeypatch, capsys):
+        _patch_urlopen(monkeypatch, {})
+        env = _run(["save", str(tmp_path / "missing.json"), "--name", "x", "--where", "cloud"], capsys)
+        assert env["ok"] is False
+        assert env["error"]["code"] == "workflow_not_found"
+
+
+# ---------------------------------------------------------------------------
+# delete
+# ---------------------------------------------------------------------------
+
+
+class TestDelete:
+    def test_sends_delete_request(self, cloud_target, monkeypatch, capsys):
+        calls = _patch_urlopen(monkeypatch, {"/api/workflows/wf-uuid": (b"", 204)})
+        env = _run(["delete", "wf-uuid", "--where", "cloud"], capsys)
+        assert env["ok"] is True
+        assert env["data"]["deleted"] is True
+        assert calls[0]["method"] == "DELETE"
+
+    def test_404_surfaces_workflow_not_found(self, cloud_target, monkeypatch, capsys):
+        err = urllib.error.HTTPError("https://x/workflows/g", 404, "Not Found", {}, io.BytesIO(b"{}"))
+        _patch_urlopen(monkeypatch, {"/api/workflows/ghost": err})
+        env = _run(["delete", "ghost", "--where", "cloud"], capsys)
+        assert env["ok"] is False
+        assert env["error"]["code"] == "workflow_not_found"
diff --git a/tests/comfy_cli/command/test_workflow_slots.py b/tests/comfy_cli/command/test_workflow_slots.py
new file mode 100644
index 00000000..56e7566a
--- /dev/null
+++ b/tests/comfy_cli/command/test_workflow_slots.py
@@ -0,0 +1,704 @@
+"""Tests for `comfy workflow slots/set-slot/vary` — slot editing on frontend-format workflows.
+
+Tests both template/subgraph mode and direct mode (regular workflows).
+"""
+
+from __future__ import annotations
+
+import json
+from pathlib import Path
+from typing import Any
+
+import pytest
+from typer.testing import CliRunner
+
+from comfy_cli.caller import Caller
+from comfy_cli.command import workflow as workflow_cmd
+from comfy_cli.cql.engine import Graph
+from comfy_cli.output.renderer import (
+    OutputMode,
+    Renderer,
+    reset_renderer_for_testing,
+    set_renderer,
+)
+
+
+@pytest.fixture(autouse=True)
+def reset_singleton():
+    reset_renderer_for_testing()
+    yield
+    reset_renderer_for_testing()
+
+
+def _force_json_renderer():
+    r = Renderer.resolve(
+        is_stdout_tty=False,
+        env={},
+        caller=Caller(kind="user", agentic=False, source_env=None),
+        json_flag=True,
+    )
+    r.mode = OutputMode.JSON
+    set_renderer(r)
+    return r
+
+
+def _object_info():
+    return {
+        "KSampler": {
+            "input": {
+                "required": {
+                    "model": "MODEL",
+                    "positive": "CONDITIONING",
+                    "negative": "CONDITIONING",
+                    "latent_image": "LATENT",
+                    "seed": ["INT", {"default": 0, "min": 0, "max": 2**32, "control_after_generate": True}],
+                    "steps": ["INT", {"default": 20, "min": 1, "max": 10000}],
+                    "cfg": ["FLOAT", {"default": 8.0}],
+                    "sampler_name": [["euler", "euler_ancestral", "dpmpp_2m"]],
+                    "scheduler": [["normal", "karras"]],
+                    "denoise": ["FLOAT", {"default": 1.0}],
+                },
+            },
+            "input_order": {
+                "required": [
+                    "model",
+                    "positive",
+                    "negative",
+                    "latent_image",
+                    "seed",
+                    "steps",
+                    "cfg",
+                    "sampler_name",
+                    "scheduler",
+                    "denoise",
+                ]
+            },
+            "output": ["LATENT"],
+            "output_name": ["LATENT"],
+            "category": "sampling",
+            "display_name": "KSampler",
+            "python_module": "nodes",
+        },
+        "CLIPTextEncode": {
+            "input": {
+                "required": {
+                    "text": ["STRING", {"multiline": True}],
+                    "clip": "CLIP",
+                },
+            },
+            "input_order": {"required": ["clip", "text"]},
+            "output": ["CONDITIONING"],
+            "output_name": ["CONDITIONING"],
+            "category": "conditioning",
+            "display_name": "CLIP Text Encode",
+            "python_module": "nodes",
+        },
+        "EmptyLatentImage": {
+            "input": {
+                "required": {
+                    "width": ["INT", {"default": 512}],
+                    "height": ["INT", {"default": 512}],
+                    "batch_size": ["INT", {"default": 1}],
+                },
+            },
+            "input_order": {"required": ["width", "height", "batch_size"]},
+            "output": ["LATENT"],
+            "output_name": ["LATENT"],
+            "category": "latent",
+            "display_name": "Empty Latent Image",
+            "python_module": "nodes",
+        },
+        "GeminiImage2Node": {
+            "input": {
+                "required": {
+                    "prompt": ["STRING", {"default": ""}],
+                    "model": "COMBO",
+                    "seed": ["INT", {"default": 42, "control_after_generate": True}],
+                    "aspect_ratio": "COMBO",
+                    "resolution": "COMBO",
+                    "response_modalities": "COMBO",
+                },
+                "optional": {
+                    "images": "IMAGE",
+                    "files": "GEMINI_INPUT_FILES",
+                    "system_prompt": ["STRING", {"default": ""}],
+                },
+            },
+            "input_order": {
+                "required": ["prompt", "model", "seed", "aspect_ratio", "resolution", "response_modalities"],
+                "optional": ["images", "files", "system_prompt"],
+            },
+            "output": ["IMAGE", "STRING"],
+            "output_name": ["IMAGE", "STRING"],
+            "category": "api node/image/Gemini",
+            "display_name": "Nano Banana Pro",
+            "python_module": "nodes",
+        },
+    }
+
+
+def _fake_graph():
+    return Graph.from_object_info(_object_info())
+
+
+_FIXTURES = Path(__file__).resolve().parents[1] / "fixtures"
+
+
+def _subgraph_graph():
+    """Graph built from committed object_info covering the fetched-template inner nodes."""
+    oi = json.loads((_FIXTURES / "subgraph_object_info.json").read_text(encoding="utf-8"))
+    return Graph.from_object_info(oi)
+
+
+def _subgraph_workflow() -> dict:
+    """The committed minimal fetched-gallery template with UUID subgraph instances."""
+    return json.loads((_FIXTURES / "subgraph_template_ui.json").read_text(encoding="utf-8"))
+
+
+@pytest.fixture
+def patched_graph(monkeypatch):
+    monkeypatch.setattr(workflow_cmd, "_get_graph", lambda *a, **kw: _fake_graph())
+
+
+@pytest.fixture
+def patched_subgraph_graph(monkeypatch):
+    monkeypatch.setattr(workflow_cmd, "_get_graph", lambda *a, **kw: _subgraph_graph())
+
+
+# ---------------------------------------------------------------------------
+# Helpers
+# ---------------------------------------------------------------------------
+
+
+def _write_workflow(tmp_path: Path, data: dict, name: str = "test.json") -> Path:
+    p = tmp_path / name
+    p.write_text(json.dumps(data, indent=2), encoding="utf-8")
+    return p
+
+
+def _direct_workflow():
+    return {
+        "nodes": [
+            {
+                "id": 3,
+                "type": "KSampler",
+                "widgets_values": [42, "fixed", 20, 8.0, "euler", "normal", 1.0],
+            },
+            {
+                "id": 6,
+                "type": "CLIPTextEncode",
+                "widgets_values": ["a cat in space"],
+            },
+            {
+                "id": 7,
+                "type": "EmptyLatentImage",
+                "widgets_values": [512, 512, 1],
+            },
+        ],
+        "links": [],
+    }
+
+
+def _api_node_workflow():
+    return {
+        "nodes": [
+            {
+                "id": 263,
+                "type": "GeminiImage2Node",
+                "inputs": [
+                    {"name": "images", "type": "IMAGE", "link": None},
+                    {"name": "files", "type": "GEMINI_INPUT_FILES", "link": None},
+                ],
+                "widgets_values": [
+                    "fill the masked region",
+                    "gemini-3-pro-image-preview",
+                    41439150623705,
+                    "randomize",
+                    "auto",
+                    "4K",
+                    "IMAGE+TEXT",
+                    "always produce an image",
+                ],
+            }
+        ],
+        "links": [],
+    }
+
+
+def _template_workflow():
+    return {
+        "nodes": [
+            {
+                "id": 1,
+                "type": "MyTemplate",
+                "properties": {
+                    "proxyWidgets": [
+                        [10, "text"],
+                        [11, "seed"],
+                    ],
+                },
+            },
+        ],
+        "links": [],
+        "definitions": {
+            "subgraphs": [
+                {
+                    "name": "MyTemplate",
+                    "inputs": [
+                        {"name": "text", "type": "STRING"},
+                        {"name": "seed", "type": "INT"},
+                    ],
+                    "nodes": [
+                        {
+                            "id": 10,
+                            "type": "CLIPTextEncode",
+                            "widgets_values": ["hello world"],
+                        },
+                        {
+                            "id": 11,
+                            "type": "KSampler",
+                            "widgets_values": [42, "fixed", 20, 8.0, "euler", "normal", 1.0],
+                        },
+                    ],
+                },
+            ],
+        },
+    }
+
+
+def _run(args: list[str], capsys) -> dict[str, Any]:
+    _force_json_renderer()
+    runner = CliRunner()
+    result = runner.invoke(workflow_cmd.app, args, standalone_mode=False)
+    captured = capsys.readouterr().out
+    if not captured.strip():
+        captured = result.stdout or ""
+    lines = [ln for ln in captured.strip().splitlines() if ln.strip()]
+    for line in reversed(lines):
+        try:
+            return json.loads(line)
+        except json.JSONDecodeError:
+            continue
+    raise AssertionError(f"no JSON envelope (rc={result.exit_code}, exc={result.exception}, out={captured[:500]})")
+
+
+# ---------------------------------------------------------------------------
+# slots — direct mode
+# ---------------------------------------------------------------------------
+
+
+class TestSlotsDirectMode:
+    def test_slots_shows_widget_inputs(self, patched_graph, tmp_path, capsys):
+        path = _write_workflow(tmp_path, _direct_workflow())
+        env = _run(["slots", str(path)], capsys)
+        assert env["ok"] is True
+        assert env["data"]["count"] > 0, "expected at least one slot"
+
+    def test_slots_includes_address_and_current_value(self, patched_graph, tmp_path, capsys):
+        path = _write_workflow(tmp_path, _direct_workflow())
+        env = _run(["slots", str(path)], capsys)
+        slots = env["data"]["slots"]
+        by_addr = {s["address"]: s for s in slots}
+        assert "6.text" in by_addr
+        assert by_addr["6.text"]["current_value"] == "a cat in space"
+
+    def test_slots_rejects_api_format(self, patched_graph, tmp_path, capsys):
+        api_wf = {"3": {"class_type": "KSampler", "inputs": {}}}
+        path = _write_workflow(tmp_path, api_wf)
+        env = _run(["slots", str(path)], capsys)
+        assert env["ok"] is False
+        assert env["error"]["code"] == "workflow_not_frontend_format"
+
+    def test_slots_rejects_missing_file(self, patched_graph, capsys):
+        env = _run(["slots", "/nonexistent/path.json"], capsys)
+        assert env["ok"] is False
+        assert env["error"]["code"] == "workflow_not_found"
+
+    def test_slots_keeps_api_node_dynamic_combo_values_aligned(self, patched_graph, tmp_path, capsys):
+        path = _write_workflow(tmp_path, _api_node_workflow())
+        env = _run(["slots", str(path)], capsys)
+        assert env["ok"] is True
+        slots = {s["address"]: s["current_value"] for s in env["data"]["slots"]}
+        assert slots["263.model"] == "gemini-3-pro-image-preview"
+        assert slots["263.seed"] == 41439150623705
+        assert slots["263.aspect_ratio"] == "auto"
+        assert slots["263.resolution"] == "4K"
+        assert slots["263.response_modalities"] == "IMAGE+TEXT"
+        assert slots["263.system_prompt"] == "always produce an image"
+
+
+# ---------------------------------------------------------------------------
+# set-slot — direct mode
+# ---------------------------------------------------------------------------
+
+
+class TestSetSlotDirectMode:
+    def test_set_slot_modifies_in_place(self, patched_graph, tmp_path, capsys):
+        path = _write_workflow(tmp_path, _direct_workflow())
+        env = _run(["set-slot", str(path), '6.text="a dog"'], capsys)
+        assert env["ok"] is True
+        on_disk = json.loads(path.read_text())
+        clip_node = next(n for n in on_disk["nodes"] if n["id"] == 6)
+        assert clip_node["widgets_values"][0] == "a dog"
+
+    def test_set_slot_stdout_mode(self, patched_graph, tmp_path, capsys):
+        wf = _direct_workflow()
+        path = _write_workflow(tmp_path, wf)
+        original_text = path.read_text()
+        # --stdout prints to stdout instead of modifying file
+        _force_json_renderer()
+        runner = CliRunner()
+        runner.invoke(
+            workflow_cmd.app,
+            ["set-slot", str(path), '6.text="a dog"', "--stdout"],
+            standalone_mode=False,
+        )
+        # File should be unchanged
+        assert path.read_text() == original_text
+
+    def test_set_slot_invalid_format(self, patched_graph, tmp_path, capsys):
+        path = _write_workflow(tmp_path, _direct_workflow())
+        env = _run(["set-slot", str(path), "bad_no_equals"], capsys)
+        assert env["ok"] is False
+        assert env["error"]["code"] == "workflow_slot_invalid"
+
+    def test_set_slot_unknown_node(self, patched_graph, tmp_path, capsys):
+        path = _write_workflow(tmp_path, _direct_workflow())
+        env = _run(["set-slot", str(path), "99.text=foo"], capsys)
+        assert env["ok"] is False
+        assert "not found" in env["error"]["message"].lower()
+
+
+# ---------------------------------------------------------------------------
+# vary — direct mode
+# ---------------------------------------------------------------------------
+
+
+class TestVaryDirectMode:
+    def test_vary_produces_files(self, patched_graph, tmp_path, capsys):
+        path = _write_workflow(tmp_path, _direct_workflow())
+        out_dir = tmp_path / "out"
+        env = _run(
+            [
+                "vary",
+                str(path),
+                "--slot",
+                "3.seed=[1,2,3]",
+                "--out-dir",
+                str(out_dir),
+            ],
+            capsys,
+        )
+        assert env["ok"] is True
+        assert env["data"]["count"] == 3
+        files = sorted(out_dir.glob("*.json"))
+        assert len(files) == 3
+
+    def test_vary_mismatched_lengths_rejected(self, patched_graph, tmp_path, capsys):
+        path = _write_workflow(tmp_path, _direct_workflow())
+        env = _run(
+            [
+                "vary",
+                str(path),
+                "--slot",
+                "3.seed=[1,2,3]",
+                "--slot",
+                "3.steps=[10,20]",
+                "--out-dir",
+                str(tmp_path / "out"),
+            ],
+            capsys,
+        )
+        assert env["ok"] is False
+        assert "same length" in env["error"]["message"].lower()
+
+    def test_vary_non_list_rejected(self, patched_graph, tmp_path, capsys):
+        path = _write_workflow(tmp_path, _direct_workflow())
+        env = _run(
+            [
+                "vary",
+                str(path),
+                "--slot",
+                "3.seed=42",
+                "--out-dir",
+                str(tmp_path / "out"),
+            ],
+            capsys,
+        )
+        assert env["ok"] is False
+        assert "array" in env["error"]["message"].lower()
+
+
+# ---------------------------------------------------------------------------
+# slots — template mode
+# ---------------------------------------------------------------------------
+
+
+class TestSlotsTemplateMode:
+    def test_slots_template_shows_declared_inputs_only(self, patched_graph, tmp_path, capsys):
+        path = _write_workflow(tmp_path, _template_workflow())
+        env = _run(["slots", str(path)], capsys)
+        assert env["ok"] is True
+        slots = env["data"]["slots"]
+        names = {s["name"] for s in slots}
+        assert names == {"text", "seed"}, f"expected only template-declared inputs, got {names}"
+        assert env["data"]["count"] == 2
+
+
+# ---------------------------------------------------------------------------
+# Agent scenario: seed sweep end-to-end
+# ---------------------------------------------------------------------------
+
+
+class TestAgentSeedSweepScenario:
+    def test_seed_sweep_e2e(self, patched_graph, tmp_path, capsys):
+        """Simulates what an agent actually does:
+        1. Write workflow
+        2. Run `slots` to discover addresses
+        3. Run `vary` with seed list
+        4. Read back variants and verify each has the right seed
+        """
+        # Step 1: write workflow
+        path = _write_workflow(tmp_path, _direct_workflow())
+
+        # Step 2: discover slots
+        env = _run(["slots", str(path)], capsys)
+        assert env["ok"] is True
+        slots = env["data"]["slots"]
+        seed_slot = next((s for s in slots if s["name"] == "seed"), None)
+        assert seed_slot is not None, "agent must find a 'seed' slot"
+        seed_addr = seed_slot["address"]
+        assert seed_addr == "3.seed"
+
+        # Step 3: produce variants
+        out_dir = tmp_path / "variants"
+        env = _run(
+            [
+                "vary",
+                str(path),
+                "--slot",
+                f"{seed_addr}=[10,20,30]",
+                "--out-dir",
+                str(out_dir),
+            ],
+            capsys,
+        )
+        assert env["ok"] is True
+        assert env["data"]["count"] == 3
+
+        # Step 4: verify each variant
+        files = sorted(out_dir.glob("*.json"))
+        assert len(files) == 3
+        seeds = []
+        for f in files:
+            wf = json.loads(f.read_text())
+            ks = next(n for n in wf["nodes"] if n["type"] == "KSampler")
+            # seed is the first widget in input_order
+            seeds.append(ks["widgets_values"][0])
+        assert seeds == [10, 20, 30]
+
+    def test_prompt_and_seed_sweep_e2e(self, patched_graph, tmp_path, capsys):
+        """Multi-slot sweep: vary both prompt and seed."""
+        path = _write_workflow(tmp_path, _direct_workflow())
+        out_dir = tmp_path / "variants"
+        env = _run(
+            [
+                "vary",
+                str(path),
+                "--slot",
+                '6.text=["cat","dog","fox"]',
+                "--slot",
+                "3.seed=[1,2,3]",
+                "--out-dir",
+                str(out_dir),
+            ],
+            capsys,
+        )
+        assert env["ok"] is True
+        assert env["data"]["count"] == 3
+
+        files = sorted(out_dir.glob("*.json"))
+        prompts = []
+        seeds = []
+        for f in files:
+            wf = json.loads(f.read_text())
+            clip = next(n for n in wf["nodes"] if n["type"] == "CLIPTextEncode")
+            ks = next(n for n in wf["nodes"] if n["type"] == "KSampler")
+            prompts.append(clip["widgets_values"][0])
+            seeds.append(ks["widgets_values"][0])
+        assert prompts == ["cat", "dog", "fox"]
+        assert seeds == [1, 2, 3]
+
+
+# ---------------------------------------------------------------------------
+# slots — nested subgraph (fetched gallery templates)
+# ---------------------------------------------------------------------------
+#
+# Fetched templates wrap their logic in subgraph instances whose class_type is
+# a UUID. Multiple defs collide on the cosmetic name "New Subgraph", and the
+# curated proxyWidgets reference deleted interior ids (e.g. "-1"), so the real
+# editable inner inputs (prompt / seed / image inside GeminiImage2Node) stay
+# hidden. `slots` must recurse INTO subgraphs and surface them with stable
+# nested addresses: ``<instanceId>/<innerNodeId>.<input>`` (and deeper for
+# nested subgraphs). set-slot / vary must accept those addresses.
+
+
+def _interior_node(workflow: dict, sg_id: str, inner_id) -> dict:
+    sg = next(s for s in workflow["definitions"]["subgraphs"] if s["id"] == sg_id)
+    return next(n for n in sg["nodes"] if str(n.get("id")) == str(inner_id))
+
+
+D33 = "d33c1791-dfd2-4102-8540-aa63e4434cd2"  # instance 10's subgraph def
+F22 = "f2228dc9-64e8-43b1-a4ca-b8a57eed8f64"  # instance 19's subgraph def (same name, diff def)
+BATCH = "da09b826-d678-40e0-a4e4-5f2178043ab6"  # nested subgraph (Batch Prompt Iterator)
+
+
+class TestSlotsNestedSubgraph:
+    def test_slots_recurses_into_subgraph_inner_inputs(self, patched_subgraph_graph, tmp_path, capsys):
+        path = _write_workflow(tmp_path, _subgraph_workflow())
+        env = _run(["slots", str(path)], capsys)
+        assert env["ok"] is True
+        by_addr = {s["address"]: s for s in env["data"]["slots"]}
+        # The editable inner prompt + seed of the Gemini node inside instance 10.
+        assert "10/9.prompt" in by_addr, f"missing nested prompt slot; got {sorted(by_addr)[:20]}"
+        assert "10/9.seed" in by_addr
+        assert by_addr["10/9.seed"]["current_value"] == 1
+
+    def test_nested_addresses_are_instance_scoped(self, patched_subgraph_graph, tmp_path, capsys):
+        """Two instances of same-named ('New Subgraph') but DIFFERENT defs must
+        not collide — each surfaces its own inner values under its own id."""
+        path = _write_workflow(tmp_path, _subgraph_workflow())
+        env = _run(["slots", str(path)], capsys)
+        by_addr = {s["address"]: s for s in env["data"]["slots"]}
+        assert by_addr["10/9.seed"]["current_value"] == 1
+        assert by_addr["19/9.seed"]["current_value"] == 2
+
+    def test_slots_recurses_into_doubly_nested_subgraph(self, patched_subgraph_graph, tmp_path, capsys):
+        path = _write_workflow(tmp_path, _subgraph_workflow())
+        env = _run(["slots", str(path)], capsys)
+        addrs = {s["address"] for s in env["data"]["slots"]}
+        # instance 10 -> inner node 3 (Batch Prompt Iterator subgraph) -> inner
+        # node 7 (PrimitiveStringMultiline) widget "value".
+        assert "10/3/7.value" in addrs, f"missing doubly-nested slot; got {sorted(addrs)[:30]}"
+
+
+class TestSetSlotNestedSubgraph:
+    def test_set_slot_writes_into_subgraph_inner_node(self, patched_subgraph_graph, tmp_path, capsys):
+        path = _write_workflow(tmp_path, _subgraph_workflow())
+        env = _run(["set-slot", str(path), '10/9.prompt="a red fox in snow"'], capsys)
+        assert env["ok"] is True, env
+        wf = json.loads(path.read_text())
+        gemini = _interior_node(wf, D33, 9)
+        # prompt is widget index 0 for GeminiImage2Node.
+        assert gemini["widgets_values"][0] == "a red fox in snow"
+
+    def test_set_slot_nested_does_not_touch_sibling_instance(self, patched_subgraph_graph, tmp_path, capsys):
+        path = _write_workflow(tmp_path, _subgraph_workflow())
+        _run(["set-slot", str(path), "10/9.seed=777"], capsys)
+        wf = json.loads(path.read_text())
+        # seed is widget index 2 (index 3 is control_after_generate).
+        assert _interior_node(wf, D33, 9)["widgets_values"][2] == 777
+        # The other instance's def must be untouched.
+        assert _interior_node(wf, F22, 9)["widgets_values"][2] == 2
+
+    def test_set_slot_doubly_nested(self, patched_subgraph_graph, tmp_path, capsys):
+        path = _write_workflow(tmp_path, _subgraph_workflow())
+        env = _run(["set-slot", str(path), '10/3/7.value="iterated prompt"'], capsys)
+        assert env["ok"] is True, env
+        wf = json.loads(path.read_text())
+        prim = _interior_node(wf, BATCH, 7)
+        assert prim["widgets_values"][0] == "iterated prompt"
+
+    def test_set_slot_unknown_nested_inner_node(self, patched_subgraph_graph, tmp_path, capsys):
+        path = _write_workflow(tmp_path, _subgraph_workflow())
+        env = _run(["set-slot", str(path), "10/999.prompt=foo"], capsys)
+        assert env["ok"] is False
+        assert "not found" in env["error"]["message"].lower()
+
+
+def test_cli_hints_use_id_based_slot_addresses():
+    """Slot addresses resolve by node id; hints must not teach title-style addresses."""
+    from pathlib import Path
+
+    src = (Path(__file__).resolve().parents[3] / "comfy_cli/command/workflow.py").read_text(encoding="utf-8")
+    assert "positive_prompt.text" not in src
+
+
+class TestVaryNestedSubgraph:
+    def test_vary_over_nested_prompt(self, patched_subgraph_graph, tmp_path, capsys):
+        path = _write_workflow(tmp_path, _subgraph_workflow())
+        out_dir = tmp_path / "out"
+        env = _run(
+            ["vary", str(path), "--slot", '10/9.prompt=["cat","dog","fox"]', "--out-dir", str(out_dir)],
+            capsys,
+        )
+        assert env["ok"] is True
+        assert env["data"]["count"] == 3
+        prompts = []
+        for f in sorted(out_dir.glob("*.json")):
+            wf = json.loads(f.read_text())
+            prompts.append(_interior_node(wf, D33, 9)["widgets_values"][0])
+        assert prompts == ["cat", "dog", "fox"]
+
+
+# ---------------------------------------------------------------------------
+# stale cache envelope — workflow slots/set-slot/vary surface stale flag
+# ---------------------------------------------------------------------------
+#
+# When resilient_load_object_info falls back to a cached copy it fires
+# on_stale(host_key, reason). The three slot commands must inject
+# stale=True and warnings=[{code:"object_info_stale", ...}] into the
+# emitted payload so agents can detect cache staleness.
+
+
+def _stale_get_graph(on_stale_key: str, on_stale_reason: str):
+    """Return a _get_graph replacement that fires on_stale and returns a usable Graph."""
+
+    def _patched(input_path, host, port, on_stale=None):
+        if on_stale is not None:
+            on_stale(on_stale_key, on_stale_reason)
+        return _fake_graph()
+
+    return _patched
+
+
+class TestStaleEnvelope:
+    def test_slots_surfaces_stale_in_envelope(self, monkeypatch, tmp_path, capsys):
+        """workflow slots must inject stale=True + warnings when graph came from stale cache."""
+        monkeypatch.setattr(workflow_cmd, "_get_graph", _stale_get_graph("cloud:127.0.0.1:8188", "connection refused"))
+        path = _write_workflow(tmp_path, _direct_workflow())
+        env = _run(["slots", str(path)], capsys)
+        assert env["ok"] is True
+        assert env["data"].get("stale") is True, "stale flag must be set in data payload"
+        warnings = env["data"].get("warnings") or []
+        assert any(w.get("code") == "object_info_stale" for w in warnings), (
+            f"expected a warning with code='object_info_stale', got {warnings}"
+        )
+
+    def test_set_slot_surfaces_stale_in_envelope(self, monkeypatch, tmp_path, capsys):
+        """workflow set-slot must inject stale=True + warnings when graph came from stale cache."""
+        monkeypatch.setattr(workflow_cmd, "_get_graph", _stale_get_graph("local:127.0.0.1:8188", "timeout"))
+        path = _write_workflow(tmp_path, _direct_workflow())
+        env = _run(["set-slot", str(path), '6.text="new prompt"'], capsys)
+        assert env["ok"] is True
+        assert env["data"].get("stale") is True, "stale flag must be set in data payload"
+        warnings = env["data"].get("warnings") or []
+        assert any(w.get("code") == "object_info_stale" for w in warnings), (
+            f"expected a warning with code='object_info_stale', got {warnings}"
+        )
+
+    def test_vary_surfaces_stale_in_envelope(self, monkeypatch, tmp_path, capsys):
+        """workflow vary must inject stale=True + warnings when graph came from stale cache."""
+        monkeypatch.setattr(workflow_cmd, "_get_graph", _stale_get_graph("local:127.0.0.1:8188", "boom"))
+        path = _write_workflow(tmp_path, _direct_workflow())
+        out_dir = tmp_path / "out"
+        env = _run(
+            ["vary", str(path), "--slot", "3.seed=[1,2,3]", "--out-dir", str(out_dir)],
+            capsys,
+        )
+        assert env["ok"] is True
+        assert env["data"].get("stale") is True, "stale flag must be set in data payload"
+        warnings = env["data"].get("warnings") or []
+        assert any(w.get("code") == "object_info_stale" for w in warnings), (
+            f"expected a warning with code='object_info_stale', got {warnings}"
+        )
diff --git a/tests/comfy_cli/conftest.py b/tests/comfy_cli/conftest.py
index 0f6ae7c4..ba177eb9 100644
--- a/tests/comfy_cli/conftest.py
+++ b/tests/comfy_cli/conftest.py
@@ -15,3 +15,86 @@ def _preserve_cwd():
     original = os.getcwd()
     yield
     os.chdir(original)
+
+
+@pytest.fixture(autouse=True)
+def _reset_renderer_singleton():
+    """The Renderer is a process-wide singleton (output.set_renderer).
+
+    A CliRunner test that invokes the app installs a renderer keyed to the
+    runner's piped streams; a later direct-call test would otherwise inherit
+    that JSON-mode renderer and have its capsys captures come up empty.
+
+    Reset before AND after every test so we always start from a clean default
+    (pretty mode, looking up current sys.stdout / sys.stderr).
+    """
+    from comfy_cli.output.renderer import reset_renderer_for_testing
+
+    reset_renderer_for_testing()
+    yield
+    reset_renderer_for_testing()
+
+
+@pytest.fixture(autouse=True)
+def _isolate_config_path(tmp_path, monkeypatch):
+    """Redirect the CLI's config dir to a per-test tmp path.
+
+    Without this, tests that exercise ``comfy set-default``, ``comfy auth
+    set-base-url``, ``comfy auth set-cloud-key``, etc. write to the user's
+    real ``~/Library/Application Support/comfy-cli/`` (or platform
+    equivalent) — wiping persisted state between runs. We saw this in
+    practice: ``where_default`` and ``cloud_base_url`` kept disappearing
+    mid-session because tests were clobbering them.
+    """
+    from comfy_cli import constants
+
+    fake_root = tmp_path / "comfy-cli-config"
+    fake_root.mkdir(mode=0o700, parents=True, exist_ok=True)
+    # constants.DEFAULT_CONFIG is a dict keyed by OS; patch all entries so
+    # whichever ``get_os()`` resolves to lands in our tmp dir.
+    for k in list(constants.DEFAULT_CONFIG.keys()):
+        monkeypatch.setitem(constants.DEFAULT_CONFIG, k, str(fake_root))
+    yield fake_root
+
+
+@pytest.fixture(autouse=True)
+def _isolate_jobs_state_dir(tmp_path, monkeypatch):
+    """Redirect ``jobs_state.state_dir`` to a per-test tmp dir.
+
+    Without this, tests that exercise ``comfy run`` mock-write state files
+    against a ``MagicMock`` prompt_id, polluting the user's real state dir
+    with garbage files. The defensive check in ``jobs_state.write`` now
+    also raises on non-string prompt_ids, but pinning the dir keeps the
+    real one untouched even when a future test forgets.
+    """
+    from comfy_cli import jobs_state
+
+    fake = tmp_path / "jobs"
+    fake.mkdir(mode=0o700, parents=True, exist_ok=True)
+    monkeypatch.setattr(jobs_state, "state_dir", lambda: fake)
+    yield fake
+
+
+@pytest.fixture
+def pretty_no_stdout(capsys):
+    """Assert pretty-mode commands write nothing to stdout.
+
+    Opt-in. Use in tests that exercise pretty-mode rendering to pin the
+    envelope contract: pretty mode is supposed to send all output to stderr
+    so the one-JSON-on-stdout invariant for JSON consumers can't be
+    silently violated by a stray ``print()`` or ``rich.print()`` call.
+
+    Usage:
+
+        def test_my_pretty_thing(pretty_no_stdout):
+            my_command(...)
+            # fixture asserts on teardown
+    """
+    yield
+    captured = capsys.readouterr()
+    if captured.out.strip():
+        raise AssertionError(
+            "Pretty mode wrote to stdout — the envelope contract requires "
+            "that to be empty (all output goes to stderr in pretty mode):\n"
+            f"  stdout = {captured.out!r}\n"
+        )
diff --git a/tests/comfy_cli/cql/__init__.py b/tests/comfy_cli/cql/__init__.py
new file mode 100644
index 00000000..e69de29b
diff --git a/tests/comfy_cli/cql/test_engine.py b/tests/comfy_cli/cql/test_engine.py
new file mode 100644
index 00000000..cc083e7a
--- /dev/null
+++ b/tests/comfy_cli/cql/test_engine.py
@@ -0,0 +1,1175 @@
+"""Tests for comfy_cli.cql.engine — the pure-Python CQL graph engine.
+
+Layer 1: unit tests for Graph methods and slot-editing helpers.
+No I/O, no CLI invocation — just the engine in isolation.
+"""
+
+from __future__ import annotations
+
+from typing import Any
+
+import pytest
+
+from comfy_cli.command.run.loader import _classify_api_workflow
+from comfy_cli.cql.engine import (
+    Graph,
+    _apply_one_slot,
+    _extract_frontend_slots,
+)
+
+# ---------------------------------------------------------------------------
+# Shared fixture: a small but realistic object_info
+# ---------------------------------------------------------------------------
+
+
+def _object_info() -> dict[str, Any]:
+    """Covers: link inputs, widget inputs, COMBO/ENUM, control_after_generate,
+    force_input, output_node, api_node, multiple output types."""
+    return {
+        "CheckpointLoaderSimple": {
+            "input": {
+                "required": {
+                    "ckpt_name": [["sd_xl_base.safetensors", "v1-5-pruned.safetensors"]],
+                },
+            },
+            "input_order": {"required": ["ckpt_name"]},
+            "output": ["MODEL", "CLIP", "VAE"],
+            "output_name": ["MODEL", "CLIP", "VAE"],
+            "category": "loaders",
+            "display_name": "Load Checkpoint",
+            "description": "Loads a checkpoint.",
+            "output_node": False,
+            "python_module": "nodes",
+        },
+        "KSampler": {
+            "input": {
+                "required": {
+                    "model": "MODEL",
+                    "positive": "CONDITIONING",
+                    "negative": "CONDITIONING",
+                    "latent_image": "LATENT",
+                    "seed": ["INT", {"default": 0, "min": 0, "max": 2**32, "control_after_generate": True}],
+                    "steps": ["INT", {"default": 20, "min": 1, "max": 10000}],
+                    "cfg": ["FLOAT", {"default": 8.0, "min": 0.0, "max": 100.0}],
+                    "sampler_name": [["euler", "euler_ancestral", "dpmpp_2m"]],
+                    "scheduler": [["normal", "karras", "simple"]],
+                    "denoise": ["FLOAT", {"default": 1.0, "min": 0.0, "max": 1.0}],
+                },
+            },
+            "input_order": {
+                "required": [
+                    "model",
+                    "positive",
+                    "negative",
+                    "latent_image",
+                    "seed",
+                    "steps",
+                    "cfg",
+                    "sampler_name",
+                    "scheduler",
+                    "denoise",
+                ]
+            },
+            "output": ["LATENT"],
+            "output_name": ["LATENT"],
+            "category": "sampling",
+            "display_name": "KSampler",
+            "description": "Denoise latent via model.",
+            "output_node": False,
+            "python_module": "nodes",
+        },
+        "CLIPTextEncode": {
+            "input": {
+                "required": {
+                    "text": ["STRING", {"multiline": True}],
+                    "clip": "CLIP",
+                },
+            },
+            "input_order": {"required": ["clip", "text"]},
+            "output": ["CONDITIONING"],
+            "output_name": ["CONDITIONING"],
+            "category": "conditioning",
+            "display_name": "CLIP Text Encode",
+            "description": "Encode prompt text.",
+            "output_node": False,
+            "python_module": "nodes",
+        },
+        "VAEDecode": {
+            "input": {
+                "required": {
+                    "samples": "LATENT",
+                    "vae": "VAE",
+                },
+            },
+            "output": ["IMAGE"],
+            "output_name": ["IMAGE"],
+            "category": "latent",
+            "display_name": "VAE Decode",
+            "output_node": False,
+            "python_module": "nodes",
+        },
+        "SaveImage": {
+            "input": {
+                "required": {
+                    "images": "IMAGE",
+                    "filename_prefix": ["STRING", {"default": "ComfyUI"}],
+                },
+            },
+            "input_order": {"required": ["images", "filename_prefix"]},
+            "output": [],
+            "output_name": [],
+            "category": "image",
+            "display_name": "Save Image",
+            "output_node": True,
+            "python_module": "nodes",
+        },
+        "EmptyLatentImage": {
+            "input": {
+                "required": {
+                    "width": ["INT", {"default": 512, "min": 16, "max": 8192}],
+                    "height": ["INT", {"default": 512, "min": 16, "max": 8192}],
+                    "batch_size": ["INT", {"default": 1, "min": 1, "max": 64}],
+                },
+            },
+            "input_order": {"required": ["width", "height", "batch_size"]},
+            "output": ["LATENT"],
+            "output_name": ["LATENT"],
+            "category": "latent",
+            "display_name": "Empty Latent Image",
+            "output_node": False,
+            "python_module": "nodes",
+        },
+        # V3 autogrow node mirroring the live cloud BatchImagesNode shape:
+        # one declared input `images` (COMFY_AUTOGROW_V3), but the server
+        # expects autogrown slot keys `images.image0`, `images.image1`, …
+        "BatchImagesNode": {
+            "input": {
+                "required": {
+                    "images": ["COMFY_AUTOGROW_V3", {}],
+                },
+            },
+            "input_order": {"required": ["images"]},
+            "output": ["IMAGE"],
+            "output_name": ["IMAGE"],
+            "category": "image",
+            "display_name": "Batch Images",
+            "output_node": False,
+            "python_module": "nodes",
+        },
+        # Partner-API video node mirroring the live cloud shape:
+        #  - int-valued combos (`duration`, `fps`) — list-of-ints form
+        #  - dict-form combos (`resolution`) — ["COMBO", {"options": [...]}]
+        "LtxvApiTextToVideo": {
+            "input": {
+                "required": {
+                    "prompt": ["STRING", {"default": ""}],
+                    "duration": [[6, 8, 10, 12], {"default": 8}],
+                    "fps": [[25, 50], {"default": 25}],
+                    "resolution": ["COMBO", {"options": ["1920x1080", "2560x1440"], "default": "1920x1080"}],
+                },
+            },
+            "input_order": {"required": ["prompt", "duration", "fps", "resolution"]},
+            "output": ["VIDEO"],
+            "output_name": ["VIDEO"],
+            "category": "partner/video/LTXV",
+            "display_name": "LTXV Text To Video",
+            "output_node": False,
+            "api_node": True,
+            "python_module": "nodes",
+        },
+    }
+
+
+@pytest.fixture
+def graph() -> Graph:
+    return Graph.from_object_info(_object_info())
+
+
+# ---------------------------------------------------------------------------
+# Direct-mode workflow fixture
+# ---------------------------------------------------------------------------
+
+
+def _direct_workflow():
+    """A regular frontend-format workflow — no subgraphs."""
+    return {
+        "nodes": [
+            {
+                "id": 3,
+                "type": "KSampler",
+                "widgets_values": [42, "fixed", 20, 8.0, "euler", "normal", 1.0],
+            },
+            {
+                "id": 6,
+                "type": "CLIPTextEncode",
+                "widgets_values": ["a cat in space"],
+            },
+            {
+                "id": 7,
+                "type": "EmptyLatentImage",
+                "widgets_values": [512, 512, 1],
+            },
+        ],
+        "links": [],
+    }
+
+
+# ---------------------------------------------------------------------------
+# Template-mode workflow fixture
+# ---------------------------------------------------------------------------
+
+
+def _template_workflow():
+    """A frontend-format workflow with a subgraph instance."""
+    return {
+        "nodes": [
+            {
+                "id": 1,
+                "type": "MyTemplate",
+                "properties": {
+                    "proxyWidgets": [
+                        [10, "text"],
+                        [11, "seed"],
+                    ],
+                },
+            },
+        ],
+        "links": [],
+        "definitions": {
+            "subgraphs": [
+                {
+                    "name": "MyTemplate",
+                    "inputs": [
+                        {"name": "text", "type": "STRING"},
+                        {"name": "seed", "type": "INT"},
+                    ],
+                    "nodes": [
+                        {
+                            "id": 10,
+                            "type": "CLIPTextEncode",
+                            "widgets_values": ["hello world"],
+                        },
+                        {
+                            "id": 11,
+                            "type": "KSampler",
+                            "widgets_values": [42, "fixed", 20, 8.0, "euler", "normal", 1.0],
+                        },
+                    ],
+                },
+            ],
+        },
+    }
+
+
+# ===========================================================================
+# TestWidgetOrder
+# ===========================================================================
+
+
+class TestWidgetOrder:
+    """Tests graph.widget_order(class_name)."""
+
+    def test_ksampler_order(self, graph: Graph):
+        order = graph.widget_order("KSampler")
+        assert order == [
+            "seed",
+            "control_after_generate",
+            "steps",
+            "cfg",
+            "sampler_name",
+            "scheduler",
+            "denoise",
+        ]
+
+    def test_clip_text_encode_order(self, graph: Graph):
+        order = graph.widget_order("CLIPTextEncode")
+        assert order == ["text"]
+
+    def test_no_widgets_returns_empty(self, graph: Graph):
+        order = graph.widget_order("VAEDecode")
+        assert order == []
+
+    def test_unknown_node_returns_empty(self, graph: Graph):
+        order = graph.widget_order("Nonexistent")
+        assert order == []
+
+
+# ===========================================================================
+# TestTraversal
+# ===========================================================================
+
+
+class TestTraversal:
+    """Tests upstream, downstream, find_paths, exact_paths."""
+
+    def test_upstream_ksampler(self, graph: Graph):
+        ups = graph.upstream("KSampler")
+        ids = {m.id for m in ups}
+        assert "CheckpointLoaderSimple" in ids  # produces MODEL
+        assert "CLIPTextEncode" in ids  # produces CONDITIONING
+        assert "EmptyLatentImage" in ids  # produces LATENT
+
+    def test_downstream_checkpoint(self, graph: Graph):
+        downs = graph.downstream("CheckpointLoaderSimple")
+        ids = {m.id for m in downs}
+        assert "KSampler" in ids  # accepts MODEL
+        assert "CLIPTextEncode" in ids  # accepts CLIP
+        assert "VAEDecode" in ids  # accepts VAE
+
+    def test_upstream_unknown_returns_empty(self, graph: Graph):
+        assert graph.upstream("Ghost") == []
+
+    def test_downstream_unknown_returns_empty(self, graph: Graph):
+        assert graph.downstream("Ghost") == []
+
+    def test_find_paths_model_to_image(self, graph: Graph):
+        paths = graph.find_paths("MODEL", "IMAGE")
+        assert len(paths) >= 1
+        # Every path should go from MODEL to IMAGE
+        for p in paths:
+            assert p["from"] == "MODEL"
+            assert p["to"] == "IMAGE"
+
+    def test_exact_paths_model_to_image(self, graph: Graph):
+        paths = graph.exact_paths("MODEL", "IMAGE")
+        assert len(paths) >= 1
+        for p in paths:
+            assert p["from"] == "MODEL"
+            assert p["to"] == "IMAGE"
+            # Each step's node should exist in the graph
+            for step in p["steps"]:
+                assert graph.node(step["node"]) is not None
+
+    def test_find_paths_same_type_returns_empty(self, graph: Graph):
+        assert graph.find_paths("MODEL", "MODEL") == []
+
+    def test_find_paths_unreachable_returns_empty(self, graph: Graph):
+        # No node consumes IMAGE and produces MODEL in this fixture
+        assert graph.find_paths("IMAGE", "MODEL") == []
+
+
+# ===========================================================================
+# TestValidateWorkflow
+# ===========================================================================
+
+
+class TestValidateWorkflow:
+    """Tests graph.validate_workflow(api_workflow)."""
+
+    def _valid_workflow(self) -> dict:
+        return {
+            "1": {
+                "class_type": "CheckpointLoaderSimple",
+                "inputs": {"ckpt_name": "sd_xl_base.safetensors"},
+            },
+            "3": {
+                "class_type": "CLIPTextEncode",
+                "inputs": {"clip": ["1", 1], "text": "positive prompt"},
+            },
+            "4": {
+                "class_type": "CLIPTextEncode",
+                "inputs": {"clip": ["1", 1], "text": "negative prompt"},
+            },
+            "5": {
+                "class_type": "EmptyLatentImage",
+                "inputs": {"width": 512, "height": 512, "batch_size": 1},
+            },
+            "2": {
+                "class_type": "KSampler",
+                "inputs": {
+                    "model": ["1", 0],
+                    "positive": ["3", 0],
+                    "negative": ["4", 0],
+                    "latent_image": ["5", 0],
+                    "seed": 42,
+                    "steps": 20,
+                    "cfg": 8.0,
+                    "sampler_name": "euler",
+                    "scheduler": "normal",
+                    "denoise": 1.0,
+                },
+            },
+        }
+
+    def test_valid_workflow(self, graph: Graph):
+        result = graph.validate_workflow(self._valid_workflow())
+        assert result["valid"] is True
+        assert result["errors"] == []
+
+    def test_non_node_key_warns(self, graph: Graph):
+        """Non-node keys like _meta should produce a warning, not an error."""
+        wf = {
+            "_meta": {"title": "My Workflow"},
+            "1": {
+                "class_type": "CheckpointLoaderSimple",
+                "inputs": {"ckpt_name": "sd_xl_base.safetensors"},
+            },
+        }
+        result = graph.validate_workflow(wf)
+        assert result["valid"] is True
+        non_node = [w for w in result["warnings"] if w["code"] == "non_node_key"]
+        assert len(non_node) == 1
+        assert non_node[0]["node_id"] == "_meta"
+        assert non_node[0]["field"] == "_meta"
+
+    def test_non_dict_node_value_warns(self, graph: Graph):
+        """A string value for a key should warn, not crash."""
+        wf = {
+            "_comment": "this is a comment",
+            "1": {
+                "class_type": "CheckpointLoaderSimple",
+                "inputs": {"ckpt_name": "sd_xl_base.safetensors"},
+            },
+        }
+        result = graph.validate_workflow(wf)
+        assert result["valid"] is True
+        non_node = [w for w in result["warnings"] if w["code"] == "non_node_key"]
+        assert len(non_node) == 1
+        assert non_node[0]["node_id"] == "_comment"
+
+    def test_unknown_class_type(self, graph: Graph):
+        wf = {"1": {"class_type": "KSamper", "inputs": {}}}
+        result = graph.validate_workflow(wf)
+        assert result["valid"] is False
+        err = result["errors"][0]
+        assert err["code"] == "unknown_class_type"
+        assert "KSampler" in err["suggestions"]
+
+    def test_shape_mismatch_string_for_int(self, graph: Graph):
+        wf = {
+            "1": {
+                "class_type": "KSampler",
+                "inputs": {"seed": "hello"},
+            },
+        }
+        result = graph.validate_workflow(wf)
+        assert result["valid"] is False
+        errs = [e for e in result["errors"] if e["code"] == "shape_mismatch"]
+        assert len(errs) == 1
+        assert errs[0]["field"] == "seed"
+
+    def test_shape_mismatch_bool_for_int(self, graph: Graph):
+        wf = {
+            "1": {
+                "class_type": "KSampler",
+                "inputs": {"seed": True},
+            },
+        }
+        result = graph.validate_workflow(wf)
+        assert result["valid"] is False
+        errs = [e for e in result["errors"] if e["code"] == "shape_mismatch"]
+        assert len(errs) == 1
+        assert errs[0]["field"] == "seed"
+
+    def test_unknown_enum_value(self, graph: Graph):
+        wf = {
+            "1": {
+                "class_type": "KSampler",
+                "inputs": {"sampler_name": "nonexistent_sampler"},
+            },
+        }
+        result = graph.validate_workflow(wf)
+        assert result["valid"] is False
+        errs = [e for e in result["errors"] if e["code"] == "unknown_enum_value"]
+        assert len(errs) == 1
+        assert isinstance(errs[0]["suggestions"], list)
+        assert "euler" in errs[0]["suggestions"]
+
+    def test_valid_edges_pass(self, graph: Graph):
+        """Well-wired edges don't produce errors."""
+        wf = {
+            "1": {
+                "class_type": "CheckpointLoaderSimple",
+                "inputs": {"ckpt_name": "sd_xl_base.safetensors"},
+            },
+            "2": {
+                "class_type": "KSampler",
+                "inputs": {
+                    "model": ["1", 0],  # MODEL from CheckpointLoaderSimple[0]
+                    "seed": 42,
+                    "steps": 20,
+                    "cfg": 8.0,
+                    "sampler_name": "euler",
+                    "scheduler": "normal",
+                    "denoise": 1.0,
+                },
+            },
+        }
+        result = graph.validate_workflow(wf)
+        assert result["valid"] is True
+        assert result["errors"] == []
+
+    def test_dangling_edge(self, graph: Graph):
+        """Edge to a node that doesn't exist in the workflow."""
+        wf = {
+            "1": {
+                "class_type": "KSampler",
+                "inputs": {"model": ["99", 0]},
+            },
+        }
+        result = graph.validate_workflow(wf)
+        assert result["valid"] is False
+        errs = [e for e in result["errors"] if e["code"] == "dangling_edge"]
+        assert len(errs) == 1
+        assert "99" in errs[0]["message"]
+
+    def test_output_index_out_of_range(self, graph: Graph):
+        """Edge references an output index that doesn't exist."""
+        wf = {
+            "1": {
+                "class_type": "CheckpointLoaderSimple",
+                "inputs": {"ckpt_name": "sd_xl_base.safetensors"},
+            },
+            "2": {
+                "class_type": "KSampler",
+                # CheckpointLoaderSimple has 3 outputs (0=MODEL, 1=CLIP, 2=VAE)
+                # Index 5 is out of range
+                "inputs": {"model": ["1", 5]},
+            },
+        }
+        result = graph.validate_workflow(wf)
+        assert result["valid"] is False
+        errs = [e for e in result["errors"] if e["code"] == "output_index_out_of_range"]
+        assert len(errs) == 1
+        assert "3 output" in errs[0]["message"]
+
+    def test_edge_type_mismatch(self, graph: Graph):
+        """Edge connects wrong type: CLIP fed into a MODEL input.
+
+        This is advisory (warning, not error) — ComfyUI allows cross-type
+        wiring via reroutes and converters; the server is the authority."""
+        wf = {
+            "1": {
+                "class_type": "CheckpointLoaderSimple",
+                "inputs": {"ckpt_name": "sd_xl_base.safetensors"},
+            },
+            "2": {
+                "class_type": "KSampler",
+                # Output index 1 is CLIP, but model input expects MODEL
+                "inputs": {"model": ["1", 1]},
+            },
+        }
+        result = graph.validate_workflow(wf)
+        # edge_type_mismatch is a warning, not a hard error
+        assert result["valid"] is True
+        warns = [w for w in result["warnings"] if w["code"] == "edge_type_mismatch"]
+        assert len(warns) == 1
+        assert "CLIP" in warns[0]["message"]
+        assert "MODEL" in warns[0]["message"]
+
+    def test_int_valued_combo_accepts_int(self, graph: Graph):
+        """Server combos can be int-valued (LTXV duration/fps). An int value
+        must not be rejected as a shape mismatch."""
+        wf = {
+            "1": {
+                "class_type": "LtxvApiTextToVideo",
+                "inputs": {"prompt": "a boat", "duration": 8, "fps": 25, "resolution": "1920x1080"},
+            },
+        }
+        result = graph.validate_workflow(wf)
+        assert result["valid"] is True
+        assert result["errors"] == []
+
+    def test_int_valued_combo_unknown_option_is_enum_error(self, graph: Graph):
+        """An int outside the combo's options is an unknown_enum_value (same as
+        a bad string combo) — caught by membership, not mislabeled as a shape
+        mismatch."""
+        wf = {
+            "1": {
+                "class_type": "LtxvApiTextToVideo",
+                "inputs": {"prompt": "a boat", "duration": 7, "fps": 25, "resolution": "1920x1080"},
+            },
+        }
+        result = graph.validate_workflow(wf)
+        assert result["valid"] is False
+        # 7 is not in [6, 8, 10, 12]; it's an enum error, not a shape error.
+        errs = [e for e in result["errors"] if e["field"] == "duration"]
+        assert len(errs) == 1
+        assert errs[0]["code"] == "unknown_enum_value"
+
+    def test_combo_rejects_wrong_shape(self, graph: Graph):
+        """A list/dict for a COMBO is still a hard shape mismatch."""
+        wf = {
+            "1": {
+                "class_type": "LtxvApiTextToVideo",
+                "inputs": {"prompt": "x", "duration": {"bad": 1}, "fps": 25, "resolution": "1920x1080"},
+            },
+        }
+        result = graph.validate_workflow(wf)
+        assert result["valid"] is False
+        errs = [e for e in result["errors"] if e["code"] == "shape_mismatch"]
+        assert any(e["field"] == "duration" for e in errs)
+
+    def test_dict_form_combo_keeps_options(self, graph: Graph):
+        """Dict-form COMBO specs (["COMBO", {"options": [...]}]) must retain
+        their enum so unknown values are caught — the partner-node case."""
+        m = graph._nodes["LtxvApiTextToVideo"]
+        resolution = next(p for p in m.inputs if p.name == "resolution")
+        assert resolution.enum_values == ["1920x1080", "2560x1440"]
+
+        wf = {
+            "1": {
+                "class_type": "LtxvApiTextToVideo",
+                "inputs": {"prompt": "x", "duration": 8, "fps": 25, "resolution": "640x480"},
+            },
+        }
+        result = graph.validate_workflow(wf)
+        errs = [e for e in result["errors"] if e["code"] == "unknown_enum_value"]
+        assert any(e["field"] == "resolution" for e in errs)
+
+    def test_wildcard_type_compatible(self, graph: Graph):
+        """'*' type on either side should not trigger a mismatch."""
+        # Add a wildcard node to the graph for this test
+        from comfy_cli.cql.engine import Graph as G
+
+        oi = _object_info()
+        oi["Reroute"] = {
+            "input": {"required": {"input": "*"}},
+            "input_order": {"required": ["input"]},
+            "output": ["*"],
+            "output_name": ["output"],
+            "category": "utils",
+        }
+        g = G.from_object_info(oi)
+        wf = {
+            "1": {
+                "class_type": "CheckpointLoaderSimple",
+                "inputs": {"ckpt_name": "sd_xl_base.safetensors"},
+            },
+            "2": {
+                "class_type": "Reroute",
+                "inputs": {"input": ["1", 0]},  # MODEL into *
+            },
+            "3": {
+                "class_type": "KSampler",
+                "inputs": {"model": ["2", 0]},  # * into MODEL
+            },
+        }
+        result = g.validate_workflow(wf)
+        edge_errs = [e for e in result["errors"] if e["code"] == "edge_type_mismatch"]
+        assert edge_errs == []
+
+    def test_multiple_edge_errors_reported(self, graph: Graph):
+        """All edge errors are reported, not just the first."""
+        wf = {
+            "1": {
+                "class_type": "KSampler",
+                "inputs": {
+                    "model": ["99", 0],  # dangling
+                    "positive": ["98", 0],  # dangling
+                    "latent_image": ["97", 0],  # dangling
+                },
+            },
+        }
+        result = graph.validate_workflow(wf)
+        assert result["valid"] is False
+        dangling = [e for e in result["errors"] if e["code"] == "dangling_edge"]
+        assert len(dangling) == 3
+
+    def test_below_min_warning(self, graph: Graph):
+        wf = {
+            "1": {
+                "class_type": "KSampler",
+                "inputs": {"steps": 0},
+            },
+        }
+        result = graph.validate_workflow(wf)
+        # below_min is a warning, not an error
+        codes = [w["code"] for w in result["warnings"]]
+        assert "below_min" in codes
+
+    def test_above_max_warning(self, graph: Graph):
+        wf = {
+            "1": {
+                "class_type": "KSampler",
+                "inputs": {"steps": 99999},
+            },
+        }
+        result = graph.validate_workflow(wf)
+        codes = [w["code"] for w in result["warnings"]]
+        assert "above_max" in codes
+
+
+class TestAutogrowInputs:
+    """COMFY_AUTOGROW_V3 inputs (e.g. BatchImagesNode.images): the schema
+    declares ONE input, the server expects autogrown slot keys
+    `images.image0`, `images.image1`, … — one per connection."""
+
+    def _loaders(self) -> dict:
+        # Two IMAGE producers from the fixture catalog (VAEDecode → IMAGE).
+        return {
+            "10": {"class_type": "VAEDecode", "inputs": {}},
+            "11": {"class_type": "VAEDecode", "inputs": {}},
+        }
+
+    def test_dotted_slots_validate_clean(self, graph: Graph):
+        wf = {
+            **self._loaders(),
+            "20": {
+                "class_type": "BatchImagesNode",
+                "inputs": {"images.image0": ["10", 0], "images.image1": ["11", 0]},
+            },
+        }
+        result = graph.validate_workflow(wf)
+        assert result["valid"] is True, result["errors"]
+        # The dotted slots must not trip type-mismatch or unknown-input noise.
+        assert result["warnings"] == []
+
+    def test_bare_link_wiring_errors_with_slot_hint(self, graph: Graph):
+        wf = {
+            **self._loaders(),
+            "20": {
+                "class_type": "BatchImagesNode",
+                "inputs": {"images": ["10", 0]},
+            },
+        }
+        result = graph.validate_workflow(wf)
+        assert result["valid"] is False
+        err = next(e for e in result["errors"] if e["code"] == "autogrow_bare_input")
+        assert err["node_id"] == "20"
+        assert "images.image0" in err["hint"]
+
+    def test_required_autogrow_with_no_slots_errors(self, graph: Graph):
+        wf = {
+            "20": {"class_type": "BatchImagesNode", "inputs": {}},
+        }
+        result = graph.validate_workflow(wf)
+        assert result["valid"] is False
+        err = next(e for e in result["errors"] if e["code"] == "autogrow_no_slots")
+        assert err["node_id"] == "20"
+        assert "images.image0" in err["hint"]
+
+    def test_dangling_dotted_slot_still_checked(self, graph: Graph):
+        wf = {
+            "20": {
+                "class_type": "BatchImagesNode",
+                "inputs": {"images.image0": ["99", 0]},
+            },
+        }
+        result = graph.validate_workflow(wf)
+        codes = [e["code"] for e in result["errors"]]
+        assert "dangling_edge" in codes
+
+    def test_describe_marks_autogrow(self, graph: Graph):
+        desc = graph.morphism_to_dict(graph.node("BatchImagesNode"))
+        images = next(i for i in desc["inputs"] if i["name"] == "images")
+        assert images["autogrow"] is True
+        assert "images.image0" in images["wire_as"]
+        # Non-autogrow inputs don't carry the keys.
+        ks = graph.morphism_to_dict(graph.node("KSampler"))
+        assert all("autogrow" not in i for i in ks["inputs"])
+
+
+# ===========================================================================
+# TestDirectModeSlots
+# ===========================================================================
+
+
+class TestDirectModeSlots:
+    """Tests _extract_frontend_slots and _apply_one_slot in direct mode."""
+
+    def test_extract_finds_all_widget_inputs(self, graph: Graph):
+        wf = _direct_workflow()
+        slots = _extract_frontend_slots(wf, graph)
+        # KSampler: seed, steps, cfg, sampler_name, scheduler, denoise (6)
+        # CLIPTextEncode: text (1)
+        # EmptyLatentImage: width, height, batch_size (3)
+        # Total: 10
+        assert len(slots) == 10
+        names = {s["name"] for s in slots}
+        # No link inputs should appear
+        assert "model" not in names
+        assert "positive" not in names
+        assert "negative" not in names
+        assert "latent_image" not in names
+        assert "clip" not in names
+        assert "samples" not in names
+        assert "vae" not in names
+
+    def test_extract_addresses_are_node_id_dot_name(self, graph: Graph):
+        wf = _direct_workflow()
+        slots = _extract_frontend_slots(wf, graph)
+        for slot in slots:
+            assert slot["address"] == f"{slot['instance_id']}.{slot['name']}"
+
+    def test_extract_current_values(self, graph: Graph):
+        wf = _direct_workflow()
+        slots = _extract_frontend_slots(wf, graph)
+        by_addr = {s["address"]: s for s in slots}
+        assert by_addr["6.text"]["current_value"] == "a cat in space"
+        assert by_addr["3.seed"]["current_value"] == 42
+
+    def test_apply_slot_updates_value(self, graph: Graph):
+        wf = _direct_workflow()
+        _apply_one_slot(wf, "3.seed", 999, graph)
+        assert wf["nodes"][0]["widgets_values"][0] == 999
+
+    def test_apply_slot_text(self, graph: Graph):
+        wf = _direct_workflow()
+        _apply_one_slot(wf, "6.text", "a dog", graph)
+        assert wf["nodes"][1]["widgets_values"][0] == "a dog"
+
+    def test_apply_slot_shape_rejection(self, graph: Graph):
+        wf = _direct_workflow()
+        with pytest.raises(ValueError):
+            _apply_one_slot(wf, "3.seed", "not_an_int", graph)
+
+    def test_apply_slot_unknown_node(self, graph: Graph):
+        wf = _direct_workflow()
+        with pytest.raises(ValueError, match="not found"):
+            _apply_one_slot(wf, "99.seed", 1, graph)
+
+    def test_apply_slot_unknown_widget(self, graph: Graph):
+        wf = _direct_workflow()
+        with pytest.raises(ValueError, match="not found on KSampler"):
+            _apply_one_slot(wf, "3.nonexistent", 1, graph)
+
+    def test_apply_returns_catalog_warnings(self, graph: Graph):
+        wf = _direct_workflow()
+        warnings = _apply_one_slot(wf, "3.steps", 99999, graph)
+        codes = [w["code"] for w in warnings]
+        assert "above_max" in codes
+
+
+# ===========================================================================
+# TestTemplateModeSlots
+# ===========================================================================
+
+
+class TestTemplateModeSlots:
+    """Tests _extract_frontend_slots and _apply_one_slot in template/subgraph mode."""
+
+    def test_extract_template_slots(self, graph: Graph):
+        wf = _template_workflow()
+        slots = _extract_frontend_slots(wf, graph)
+        assert len(slots) == 2
+        by_addr = {s["address"]: s for s in slots}
+        assert "1.text" in by_addr
+        assert "1.seed" in by_addr
+        assert by_addr["1.text"]["current_value"] == "hello world"
+        assert by_addr["1.seed"]["current_value"] == 42
+
+    def test_template_mode_takes_priority(self, graph: Graph):
+        wf = _template_workflow()
+        slots = _extract_frontend_slots(wf, graph)
+        # Only the 2 template-declared inputs, not direct widget slots
+        assert len(slots) == 2
+        assert all(s["node_type"] == "MyTemplate" for s in slots)
+
+    def test_apply_template_slot_text(self, graph: Graph):
+        wf = _template_workflow()
+        _apply_one_slot(wf, "1.text", "new prompt", graph)
+        interior_nodes = wf["definitions"]["subgraphs"][0]["nodes"]
+        clip_node = next(n for n in interior_nodes if n["id"] == 10)
+        assert clip_node["widgets_values"][0] == "new prompt"
+
+    def test_apply_template_slot_seed(self, graph: Graph):
+        wf = _template_workflow()
+        _apply_one_slot(wf, "1.seed", 999, graph)
+        interior_nodes = wf["definitions"]["subgraphs"][0]["nodes"]
+        ks_node = next(n for n in interior_nodes if n["id"] == 11)
+        assert ks_node["widgets_values"][0] == 999
+
+
+# ===========================================================================
+# TestSubgraphIsolation
+# ===========================================================================
+
+
+class TestSubgraphIsolation:
+    """Two instances of one subgraph definition must not alias on interior write."""
+
+    def test_nested_slot_write_isolates_instances(self, graph: Graph):
+        """Writing 10/9.text must not affect instance 12's interior node."""
+        from comfy_cli.cql.engine import _apply_one_slot
+
+        wf = {
+            "nodes": [
+                {"id": 10, "type": "uuid-def-1"},
+                {"id": 12, "type": "uuid-def-1"},
+            ],
+            "definitions": {
+                "subgraphs": [
+                    {
+                        "id": "uuid-def-1",
+                        "name": "Sub",
+                        "nodes": [
+                            {"id": 9, "type": "CLIPTextEncode", "widgets_values": ["orig"]},
+                        ],
+                    },
+                ]
+            },
+        }
+        _apply_one_slot(wf, "10/9.text", "VALUE-FOR-10", graph)
+
+        # Rebuild the definitions index from the (potentially mutated) workflow
+        defs = {d["id"]: d for d in wf["definitions"]["subgraphs"]}
+
+        # Instance 12 must still read 'orig'
+        inst12 = next(n for n in wf["nodes"] if n["id"] == 12)
+        inst12_def = defs[inst12["type"]]
+        assert inst12_def["nodes"][0]["widgets_values"][0] == "orig"
+
+        # Instance 10 got the new value
+        inst10 = next(n for n in wf["nodes"] if n["id"] == 10)
+        inst10_def = defs[inst10["type"]]
+        assert inst10_def["nodes"][0]["widgets_values"][0] == "VALUE-FOR-10"
+
+    def test_second_write_to_same_instance_no_extra_fork(self, graph: Graph):
+        """A second write to the same instance must not create yet another fork."""
+        from comfy_cli.cql.engine import _apply_one_slot
+
+        wf = {
+            "nodes": [
+                {"id": 10, "type": "uuid-def-1"},
+                {"id": 12, "type": "uuid-def-1"},
+            ],
+            "definitions": {
+                "subgraphs": [
+                    {
+                        "id": "uuid-def-1",
+                        "name": "Sub",
+                        "nodes": [
+                            {"id": 9, "type": "CLIPTextEncode", "widgets_values": ["orig"]},
+                        ],
+                    },
+                ]
+            },
+        }
+        _apply_one_slot(wf, "10/9.text", "FIRST", graph)
+        _apply_one_slot(wf, "10/9.text", "SECOND", graph)
+
+        # Should still be exactly 2 definitions total (one fork + one original)
+        assert len(wf["definitions"]["subgraphs"]) == 2
+
+        # Instance 10 has the latest value
+        defs = {d["id"]: d for d in wf["definitions"]["subgraphs"]}
+        inst10 = next(n for n in wf["nodes"] if n["id"] == 10)
+        inst10_def = defs[inst10["type"]]
+        assert inst10_def["nodes"][0]["widgets_values"][0] == "SECOND"
+
+        # Instance 12 still has the original value
+        inst12 = next(n for n in wf["nodes"] if n["id"] == 12)
+        inst12_def = defs[inst12["type"]]
+        assert inst12_def["nodes"][0]["widgets_values"][0] == "orig"
+
+    def test_single_instance_no_fork(self, graph: Graph):
+        """When only one instance of a def exists, no fork is created."""
+        from comfy_cli.cql.engine import _apply_one_slot
+
+        wf = {
+            "nodes": [
+                {"id": 10, "type": "uuid-def-1"},
+            ],
+            "definitions": {
+                "subgraphs": [
+                    {
+                        "id": "uuid-def-1",
+                        "name": "Sub",
+                        "nodes": [
+                            {"id": 9, "type": "CLIPTextEncode", "widgets_values": ["orig"]},
+                        ],
+                    },
+                ]
+            },
+        }
+        _apply_one_slot(wf, "10/9.text", "NEW", graph)
+
+        # No extra definition was appended
+        assert len(wf["definitions"]["subgraphs"]) == 1
+        # The single def got the new value directly
+        assert wf["definitions"]["subgraphs"][0]["nodes"][0]["widgets_values"][0] == "NEW"
+
+
+# ===========================================================================
+# TestExpandVariations
+# ===========================================================================
+
+
+class TestExpandVariations:
+    """Tests graph.expand_variations."""
+
+    def test_produces_n_independent_copies(self, graph: Graph):
+        wf = _direct_workflow()
+        variations = [
+            {"3.seed": 100},
+            {"3.seed": 200},
+            {"3.seed": 300},
+        ]
+        results, _ = graph.expand_variations(wf, variations)
+        assert len(results) == 3
+        # Each has its own seed
+        assert results[0]["nodes"][0]["widgets_values"][0] == 100
+        assert results[1]["nodes"][0]["widgets_values"][0] == 200
+        assert results[2]["nodes"][0]["widgets_values"][0] == 300
+        # Mutating one doesn't affect others
+        results[0]["nodes"][0]["widgets_values"][0] = -1
+        assert results[1]["nodes"][0]["widgets_values"][0] == 200
+
+    def test_original_unchanged(self, graph: Graph):
+        wf = _direct_workflow()
+        original_seed = wf["nodes"][0]["widgets_values"][0]
+        graph.expand_variations(wf, [{"3.seed": 999}])
+        assert wf["nodes"][0]["widgets_values"][0] == original_seed
+
+    def test_multi_slot_sweep(self, graph: Graph):
+        wf = _direct_workflow()
+        variations = [
+            {"3.seed": 10, "6.text": "cat"},
+            {"3.seed": 20, "6.text": "dog"},
+            {"3.seed": 30, "6.text": "fox"},
+        ]
+        results, _ = graph.expand_variations(wf, variations)
+        assert len(results) == 3
+        for i, (seed, text) in enumerate([(10, "cat"), (20, "dog"), (30, "fox")]):
+            assert results[i]["nodes"][0]["widgets_values"][0] == seed
+            assert results[i]["nodes"][1]["widgets_values"][0] == text
+
+
+# ===========================================================================
+# TestBrowse
+# ===========================================================================
+
+
+class TestBrowse:
+    """Quick tests for list_types, category_tree, node_count, all_nodes."""
+
+    def test_list_types(self, graph: Graph):
+        types = graph.list_types()
+        for t in ["CLIP", "CONDITIONING", "IMAGE", "LATENT", "MODEL", "VAE"]:
+            assert t in types
+        # Should be sorted
+        assert types == sorted(types)
+
+    def test_category_tree_has_root(self, graph: Graph):
+        tree = graph.category_tree()
+        assert "Root" in tree
+
+    def test_node_count(self, graph: Graph):
+        assert graph.node_count() == 8
+
+    def test_all_nodes_sorted(self, graph: Graph):
+        nodes = graph.all_nodes()
+        ids = [m.id for m in nodes]
+        assert ids == sorted(ids)
+
+
+# ===========================================================================
+# TestClassifyApiWorkflow
+# ===========================================================================
+
+
+class TestClassifyApiWorkflow:
+    def test_meta_key_first_still_ok(self):
+        wf = {
+            "_meta": {"title": "test"},
+            "1": {"class_type": "KSampler", "inputs": {}},
+        }
+        kind, _ = _classify_api_workflow(wf)
+        assert kind == "ok"
+
+    def test_no_nodes_invalid(self):
+        wf = {"_meta": {"title": "test"}}
+        kind, _ = _classify_api_workflow(wf)
+        assert kind == "invalid"
+
+    def test_empty_dict_is_empty(self):
+        kind, _ = _classify_api_workflow({})
+        assert kind == "empty"
+
+    def test_meta_with_class_type_is_ok(self):
+        """A metadata key that happens to have class_type passes shape check.
+        Downstream validate_workflow catches unknown class_types."""
+        wf = {"_meta": {"class_type": "NotARealNode"}}
+        kind, _ = _classify_api_workflow(wf)
+        assert kind == "ok"
+
+
+# ===========================================================================
+# TestNullValuedProxy
+# ===========================================================================
+
+
+class TestNullValuedProxy:
+    """A proxy that resolves to a legitimately-null widget value must keep the
+    curated address and must NOT explode into interior-node slots."""
+
+    def test_null_valued_proxy_stays_curated(self, graph: Graph):
+        """CLIPTextEncode.text at index 0 is resolvable; widgets_values=[None]
+        means the widget exists but its value is null — the slot must remain
+        curated with address '10.text' and current_value None."""
+        wf = {
+            "nodes": [
+                {
+                    "id": 10,
+                    "type": "uuid-def-2",
+                    "properties": {"proxyWidgets": [["9", "text"]]},
+                }
+            ],
+            "definitions": {
+                "subgraphs": [
+                    {
+                        "id": "uuid-def-2",
+                        "name": "Sub",
+                        "inputs": [{"name": "text", "type": "STRING"}],
+                        "nodes": [
+                            {
+                                "id": 9,
+                                "type": "CLIPTextEncode",
+                                "widgets_values": [None],
+                            }
+                        ],
+                    }
+                ]
+            },
+        }
+        slots = _extract_frontend_slots(wf, graph)
+        addrs = [s["address"] for s in slots]
+        # Curated address preserved despite null value
+        assert "10.text" in addrs
+        # Value is explicitly None (not missing)
+        by_addr = {s["address"]: s for s in slots}
+        assert by_addr["10.text"]["current_value"] is None
+        # Did NOT explode into interior slots
+        assert not any(a.startswith("10/") for a in addrs)
+
+
+# ===========================================================================
+# TestDottedInputName
+# ===========================================================================
+
+
+def test_slot_address_with_dotted_input_name(graph, monkeypatch):
+    """Input names may contain dots; the node path never does, so parse on the
+    FIRST dot: 10/9.images.image0 -> node_path '10/9', input 'images.image0'."""
+    from comfy_cli.cql import engine
+
+    class _FakeMeta:
+        inputs = []  # no declared inputs -> _write_widget skips shape/catalog validation
+
+    real_node = graph.node
+    real_order = graph.widget_order
+    monkeypatch.setattr(graph, "node", lambda nt: _FakeMeta() if nt == "DottedWidgetNode" else real_node(nt))
+    monkeypatch.setattr(
+        graph,
+        "widget_order",
+        lambda nt: ["images.image0"] if nt == "DottedWidgetNode" else real_order(nt),
+    )
+
+    wf = {
+        "nodes": [{"id": 10, "type": "uuid-dot"}],
+        "definitions": {
+            "subgraphs": [
+                {
+                    "id": "uuid-dot",
+                    "name": "Sub",
+                    "nodes": [
+                        {"id": 9, "type": "DottedWidgetNode", "widgets_values": [None]},
+                    ],
+                },
+            ]
+        },
+    }
+    # Must NOT raise "interior node images not found"; value lands on node 9's dotted widget.
+    engine._apply_one_slot(wf, "10/9.images.image0", "X", graph)
+    assert wf["definitions"]["subgraphs"][0]["nodes"][0]["widgets_values"][0] == "X"
diff --git a/tests/comfy_cli/cql/test_loader.py b/tests/comfy_cli/cql/test_loader.py
new file mode 100644
index 00000000..6aecd084
--- /dev/null
+++ b/tests/comfy_cli/cql/test_loader.py
@@ -0,0 +1,120 @@
+"""Loader tests: object_info, API workflow, and pre-shaped graph inputs."""
+
+from __future__ import annotations
+
+import json
+
+import pytest
+
+from comfy_cli.cql.errors import CQLRuntimeError
+from comfy_cli.cql.loader import load_graph, normalize
+
+OBJECT_INFO = {
+    "KSampler": {
+        "input": {
+            "required": {
+                "seed": ["INT", {"default": 0}],
+                "model": ["MODEL"],
+                "scheduler": [["normal", "karras"]],
+            },
+            "optional": {
+                "denoise": ["FLOAT", {"default": 1.0}],
+            },
+        },
+        "output": ["LATENT"],
+        "category": "sampling",
+        "display_name": "K Sampler",
+        "description": "samples",
+    },
+    "CheckpointLoaderSimple": {
+        "input": {"required": {"ckpt_name": ["STRING"]}},
+        "output": ["MODEL", "CLIP", "VAE"],
+        "category": "loaders",
+    },
+}
+
+
+API_WORKFLOW = {
+    "3": {
+        "class_type": "KSampler",
+        "inputs": {"seed": 42, "model": ["4", 0]},
+        "_meta": {"title": "Sampler"},
+    },
+    "4": {
+        "class_type": "CheckpointLoaderSimple",
+        "inputs": {"ckpt_name": "sd_xl_base.safetensors"},
+    },
+}
+
+
+def test_normalize_object_info_extracts_nodes_and_inputs():
+    g = normalize(OBJECT_INFO)
+    names = {n["name"] for n in g["nodes"]}
+    assert names == {"KSampler", "CheckpointLoaderSimple"}
+    ks = next(n for n in g["nodes"] if n["name"] == "KSampler")
+    assert ks["category"] == "sampling"
+    assert ks["display_name"] == "K Sampler"
+    assert ks["output_types"] == ["LATENT"]
+    # Inputs were flattened with section labels.
+    seed = next(i for i in g["inputs"] if i["node"] == "KSampler" and i["name"] == "seed")
+    assert seed["type"] == "INT"
+    assert seed["section"] == "required"
+    assert seed["options"]["default"] == 0
+    # Choices captured for combo inputs.
+    sch = next(i for i in g["inputs"] if i["name"] == "scheduler")
+    assert sch["type"] == "ENUM"
+    assert sch["choices"] == ["normal", "karras"]
+
+
+def test_normalize_object_info_aggregates_categories():
+    g = normalize(OBJECT_INFO)
+    by_name = {c["name"]: c["node_count"] for c in g["categories"]}
+    assert by_name == {"sampling": 1, "loaders": 1}
+
+
+def test_normalize_api_workflow_marks_references():
+    g = normalize(API_WORKFLOW)
+    nodes_by_id = {n["id"]: n for n in g["nodes"]}
+    assert nodes_by_id["3"]["class_type"] == "KSampler"
+    assert nodes_by_id["3"]["title"] == "Sampler"
+    seed = next(i for i in g["inputs"] if i["node_id"] == "3" and i["name"] == "seed")
+    assert seed["is_reference"] is False
+    assert seed["value"] == 42
+    model = next(i for i in g["inputs"] if i["node_id"] == "3" and i["name"] == "model")
+    assert model["is_reference"] is True
+    assert model["ref_node"] == "4"
+    assert model["ref_slot"] == 0
+
+
+def test_normalize_preshaped_graph_pass_through():
+    pre = {
+        "nodes": [{"name": "Foo"}],
+        "inputs": [],
+        "categories": [{"name": "x", "node_count": 1}],
+    }
+    g = normalize(pre)
+    assert g["nodes"][0]["name"] == "Foo"
+
+
+def test_load_graph_from_file(tmp_path):
+    p = tmp_path / "object_info.json"
+    p.write_text(json.dumps(OBJECT_INFO))
+    g = load_graph(input_path=str(p))
+    assert {n["name"] for n in g["nodes"]} == {"KSampler", "CheckpointLoaderSimple"}
+
+
+def test_load_graph_missing_source_raises():
+    with pytest.raises(CQLRuntimeError):
+        load_graph()
+
+
+def test_load_graph_bad_json(tmp_path):
+    p = tmp_path / "broken.json"
+    p.write_text("{ not json")
+    with pytest.raises(CQLRuntimeError):
+        load_graph(input_path=str(p))
+
+
+def test_normalize_rejects_garbage():
+    with pytest.raises(CQLRuntimeError):
+        normalize({"foo": 1, "bar": "baz"})
diff --git a/tests/comfy_cli/cql/test_loader_resilient.py b/tests/comfy_cli/cql/test_loader_resilient.py
new file mode 100644
index 00000000..1bfce55c
--- /dev/null
+++ b/tests/comfy_cli/cql/test_loader_resilient.py
@@ -0,0 +1,312 @@
+"""Resilience tests for ``resilient_load_object_info``.
+
+Covers the four behaviours A3 promises:
+
+  (a) successful fetch populates the per-host cache,
+  (b) a failed fetch triggers ``ensure_fresh_session`` + a single retry that
+      then succeeds (and caches),
+  (c) a persistently-failing fetch falls back to the cached dump with a warning,
+  (d) a persistently-failing fetch with no cache re-raises the original error.
+
+The network fetch (``engine._load_from_target``) and the session refresh
+(``oauth.ensure_fresh_session``) are always mocked — no sockets are opened.
+"""
+
+from __future__ import annotations
+
+import json
+
+import pytest
+
+from comfy_cli.cql import loader
+from comfy_cli.cql.engine import LoadError
+
+OBJECT_INFO = {
+    "KSampler": {
+        "input": {"required": {"seed": ["INT", {"default": 0}]}},
+        "output": ["LATENT"],
+        "category": "sampling",
+    }
+}
+
+STALE_OBJECT_INFO = {
+    "OldNode": {
+        "input": {"required": {}},
+        "output": [],
+        "category": "legacy",
+    }
+}
+
+
+@pytest.fixture(autouse=True)
+def _isolated_cache(tmp_path, monkeypatch):
+    """Point the cache dir at a throwaway tmp dir for every test."""
+    cache_root = tmp_path / "cache"
+    monkeypatch.setenv("XDG_CACHE_HOME", str(cache_root))
+    # Make the host-key resolution deterministic and I/O-free.
+    monkeypatch.setattr(loader, "_resolve_host_key", lambda mode, host, port: "https://test.comfy.org")
+    return cache_root
+
+
+def _fake_refresh(monkeypatch):
+    """Install a no-op ``ensure_fresh_session`` and count its calls."""
+    calls = {"n": 0}
+
+    def _refresh(**_kw):
+        calls["n"] += 1
+        return None
+
+    import comfy_cli.cloud.oauth as oauth
+
+    monkeypatch.setattr(oauth, "ensure_fresh_session", _refresh)
+    return calls
+
+
+# ---------------------------------------------------------------------------
+# (a) success → cache populated
+# ---------------------------------------------------------------------------
+
+
+def test_success_populates_cache(monkeypatch):
+    import comfy_cli.cql.engine as engine
+
+    monkeypatch.setattr(engine, "_load_from_target", lambda **kw: OBJECT_INFO)
+
+    result = loader.resilient_load_object_info(mode="cloud", host="h", port=1)
+    assert result == OBJECT_INFO
+
+    # Cache file written for this host key.
+    path = loader.object_info_cache_path("https://test.comfy.org")
+    assert path.is_file()
+    assert json.loads(path.read_text()) == OBJECT_INFO
+
+
+# ---------------------------------------------------------------------------
+# (b) 401 → refresh + retry → success
+# ---------------------------------------------------------------------------
+
+
+def test_failure_then_refresh_retry_succeeds(monkeypatch):
+    import comfy_cli.cql.engine as engine
+
+    refresh = _fake_refresh(monkeypatch)
+    attempts = {"n": 0}
+
+    def _flaky(**kw):
+        attempts["n"] += 1
+        if attempts["n"] == 1:
+            raise LoadError("HTTP 401 from /object_info", details={"status": 401})
+        return OBJECT_INFO
+
+    monkeypatch.setattr(engine, "_load_from_target", _flaky)
+
+    result = loader.resilient_load_object_info(mode="cloud", host="h", port=1)
+
+    assert result == OBJECT_INFO
+    assert attempts["n"] == 2  # original + exactly one retry
+    assert refresh["n"] == 1  # refresh attempted between the two
+    # Retry success also caches.
+    assert loader.object_info_cache_path("https://test.comfy.org").is_file()
+
+
+def test_401_retry_forces_refresh(monkeypatch):
+    """The reactive retry must FORCE the refresh (force=True): a server 401 is
+    authoritative, so the token must be spent even if the local expiry check
+    still thinks the access token is valid."""
+    import comfy_cli.cloud.oauth as oauth
+    import comfy_cli.cql.engine as engine
+
+    seen_kwargs: list[dict] = []
+
+    def _refresh(**kw):
+        seen_kwargs.append(kw)
+        return None
+
+    monkeypatch.setattr(oauth, "ensure_fresh_session", _refresh)
+
+    attempts = {"n": 0}
+
+    def _flaky(**kw):
+        attempts["n"] += 1
+        if attempts["n"] == 1:
+            raise LoadError("HTTP 401 from /object_info", details={"status": 401})
+        return OBJECT_INFO
+
+    monkeypatch.setattr(engine, "_load_from_target", _flaky)
+
+    result = loader.resilient_load_object_info(mode="cloud", host="h", port=1)
+    assert result == OBJECT_INFO
+    # Forced, exactly once. The loader is a foreground command, so it keeps the
+    # default allow_clear=True (a genuine token-endpoint invalid_grant should
+    # still clear the dead session).
+    assert seen_kwargs == [{"force": True, "allow_clear": True}]
+
+
+def test_persistent_401_no_cache_retries_once_then_raises(monkeypatch):
+    """Graceful failure: a refresh token that can't rescue the session must
+    surface the original error exactly once — no infinite refresh/retry loop."""
+    import comfy_cli.cloud.oauth as oauth
+    import comfy_cli.cql.engine as engine
+
+    refresh = {"n": 0}
+
+    def _refresh(**kw):
+        refresh["n"] += 1
+        return None
+
+    monkeypatch.setattr(oauth, "ensure_fresh_session", _refresh)
+
+    attempts = {"n": 0}
+    original = LoadError("HTTP 401 from /object_info", details={"status": 401, "hint": "run `comfy cloud login`"})
+
+    def _always_401(**kw):
+        attempts["n"] += 1
+        raise original
+
+    monkeypatch.setattr(engine, "_load_from_target", _always_401)
+
+    with pytest.raises(LoadError) as excinfo:
+        loader.resilient_load_object_info(mode="cloud", host="h", port=1, _warn=lambda m: None)
+
+    assert excinfo.value is original  # the cloud_unauthorized-style hint survives
+    assert attempts["n"] == 2  # original + exactly one retry — no loop
+    assert refresh["n"] == 1  # refreshed exactly once
+
+
+# ---------------------------------------------------------------------------
+# (c) persistent failure + cache present → stale fallback with warning
+# ---------------------------------------------------------------------------
+
+
+def test_persistent_failure_falls_back_to_cache_with_warning(monkeypatch):
+    import comfy_cli.cql.engine as engine
+
+    _fake_refresh(monkeypatch)
+
+    # Seed the cache with a (stale) dump.
+    loader.write_object_info_cache("https://test.comfy.org", STALE_OBJECT_INFO)
+
+    def _always_fail(**kw):
+        raise LoadError("HTTP 401 from /object_info", details={"status": 401})
+
+    monkeypatch.setattr(engine, "_load_from_target", _always_fail)
+
+    warnings: list[str] = []
+    result = loader.resilient_load_object_info(mode="cloud", host="h", port=1, _warn=warnings.append)
+
+    assert result == STALE_OBJECT_INFO
+    assert len(warnings) == 1
+    assert "cached" in warnings[0].lower()
+    assert "stale" in warnings[0].lower()
+
+
+def test_connection_error_also_falls_back_to_cache(monkeypatch):
+    import comfy_cli.cql.engine as engine
+
+    _fake_refresh(monkeypatch)
+    loader.write_object_info_cache("https://test.comfy.org", STALE_OBJECT_INFO)
+
+    def _offline(**kw):
+        raise LoadError("cannot reach https://test.comfy.org/object_info: offline")
+
+    monkeypatch.setattr(engine, "_load_from_target", _offline)
+
+    warnings: list[str] = []
+    result = loader.resilient_load_object_info(mode="cloud", host="h", port=1, _warn=warnings.append)
+    assert result == STALE_OBJECT_INFO
+    assert warnings
+
+
+# ---------------------------------------------------------------------------
+# (d) persistent failure + no cache → original error re-raised
+# ---------------------------------------------------------------------------
+
+
+def test_persistent_failure_no_cache_raises_original(monkeypatch):
+    import comfy_cli.cql.engine as engine
+
+    _fake_refresh(monkeypatch)
+
+    original = LoadError("HTTP 401 from /object_info", details={"status": 401, "hint": "run `comfy cloud login`"})
+
+    def _always_fail(**kw):
+        raise original
+
+    monkeypatch.setattr(engine, "_load_from_target", _always_fail)
+
+    warnings: list[str] = []
+    with pytest.raises(LoadError) as excinfo:
+        loader.resilient_load_object_info(mode="cloud", host="h", port=1, _warn=warnings.append)
+
+    # The *original* error (with its hint) is what propagates.
+    assert excinfo.value is original
+    assert excinfo.value.details.get("hint") == "run `comfy cloud login`"
+    assert warnings == []  # no stale-cache warning when there's nothing to fall back to
+
+
+# ---------------------------------------------------------------------------
+# explicit --input always wins and is never cached
+# ---------------------------------------------------------------------------
+
+
+def test_input_path_wins_and_is_not_cached(monkeypatch, tmp_path):
+    import comfy_cli.cql.engine as engine
+
+    # If the live fetch were consulted it would blow up — assert it isn't.
+    def _boom(**kw):
+        raise AssertionError("network fetch must not run when --input is given")
+
+    monkeypatch.setattr(engine, "_load_from_target", _boom)
+
+    dump = tmp_path / "object_info.json"
+    dump.write_text(json.dumps(OBJECT_INFO), encoding="utf-8")
+
+    result = loader.resilient_load_object_info(mode="cloud", input_path=str(dump))
+    assert result == OBJECT_INFO
+    # Explicit input is not auto-cached.
+    assert not loader.object_info_cache_path("https://test.comfy.org").exists()
+
+
+# ---------------------------------------------------------------------------
+# cache helpers: corrupt / missing handled gracefully
+# ---------------------------------------------------------------------------
+
+
+def test_read_cache_missing_returns_none():
+    assert loader.read_object_info_cache("https://nope.example") is None
+
+
+def test_read_cache_corrupt_returns_none():
+    path = loader.object_info_cache_path("https://test.comfy.org")
+    path.parent.mkdir(parents=True, exist_ok=True)
+    path.write_text("{not json", encoding="utf-8")
+    assert loader.read_object_info_cache("https://test.comfy.org") is None
+
+
+def test_per_host_cache_keys_do_not_collide(monkeypatch):
+    a = loader.object_info_cache_path("https://a.comfy.org")
+    b = loader.object_info_cache_path("http://127.0.0.1:8188")
+    assert a != b
+
+
+# ---------------------------------------------------------------------------
+# (e) stale-cache fallback fires the on_stale callback
+# ---------------------------------------------------------------------------
+
+
+def test_resilient_load_reports_stale_via_callback(monkeypatch):
+    from comfy_cli.cql import loader
+    from comfy_cli.cql.engine import LoadError
+
+    def boom(**kw):
+        raise LoadError("server down")
+
+    monkeypatch.setattr("comfy_cli.cql.engine._load_from_target", boom)
+    monkeypatch.setattr(loader, "read_object_info_cache", lambda key: {"NodeA": {}})
+    # Suppress the stderr warning during the test.
+    monkeypatch.setattr(loader, "_default_warn", lambda msg: None)
+
+    stale = {}
+    data = loader.resilient_load_object_info(mode="cloud", on_stale=lambda key, err: stale.update(host=key, error=err))
+    assert data == {"NodeA": {}}
+    assert stale.get("host")  # callback fired with the host key
diff --git a/tests/comfy_cli/fixtures/subgraph_object_info.json b/tests/comfy_cli/fixtures/subgraph_object_info.json
new file mode 100644
index 00000000..451c96f2
--- /dev/null
+++ b/tests/comfy_cli/fixtures/subgraph_object_info.json
@@ -0,0 +1,799 @@
+{
+  "BatchImagesNode": {
+    "input": {
+      "required": {
+        "images": [
+          "COMFY_AUTOGROW_V3",
+          {
+            "template": {
+              "input": {
+                "required": {
+                  "image": [
+                    "IMAGE",
+                    {}
+                  ]
+                }
+              },
+              "prefix": "image",
+              "min": 1,
+              "max": 50
+            }
+          }
+        ]
+      }
+    },
+    "input_order": {
+      "required": [
+        "images"
+      ]
+    },
+    "is_input_list": false,
+    "output": [
+      "IMAGE"
+    ],
+    "output_is_list": [
+      false
+    ],
+    "output_name": [
+      "IMAGE"
+    ],
+    "output_tooltips": [
+      null
+    ],
+    "output_matchtypes": null,
+    "name": "BatchImagesNode",
+    "display_name": "Batch Images",
+    "description": "",
+    "python_module": "comfy_extras.nodes_post_processing",
+    "category": "image/batch",
+    "output_node": false,
+    "deprecated": false,
+    "experimental": false,
+    "dev_only": false,
+    "api_node": false,
+    "price_badge": null,
+    "search_aliases": [
+      "batch",
+      "image batch",
+      "batch images",
+      "combine images",
+      "merge images",
+      "stack images"
+    ],
+    "essentials_category": "Image Tools",
+    "has_intermediate_output": false
+  },
+  "GeminiImage2Node": {
+    "input": {
+      "required": {
+        "prompt": [
+          "STRING",
+          {
+            "tooltip": "Text prompt describing the image to generate or the edits to apply. Include any constraints, styles, or details the model should follow.",
+            "default": "",
+            "multiline": true
+          }
+        ],
+        "model": [
+          "COMBO",
+          {
+            "multiselect": false,
+            "options": [
+              "gemini-3-pro-image-preview",
+              "Nano Banana 2 (Gemini 3.1 Flash Image)"
+            ]
+          }
+        ],
+        "seed": [
+          "INT",
+          {
+            "tooltip": "When the seed is fixed to a specific value, the model makes a best effort to provide the same response for repeated requests. Deterministic output isn't guaranteed. Also, changing the model or parameter settings, such as the temperature, can cause variations in the response even when you use the same seed value. By default, a random seed value is used.",
+            "default": 42,
+            "min": 0,
+            "max": 18446744073709551615,
+            "control_after_generate": true
+          }
+        ],
+        "aspect_ratio": [
+          "COMBO",
+          {
+            "tooltip": "If set to 'auto', matches your input image's aspect ratio; if no image is provided, a 16:9 square is usually generated.",
+            "default": "auto",
+            "multiselect": false,
+            "options": [
+              "auto",
+              "1:1",
+              "2:3",
+              "3:2",
+              "3:4",
+              "4:3",
+              "4:5",
+              "5:4",
+              "9:16",
+              "16:9",
+              "21:9"
+            ]
+          }
+        ],
+        "resolution": [
+          "COMBO",
+          {
+            "tooltip": "Target output resolution. For 2K/4K the native Gemini upscaler is used.",
+            "multiselect": false,
+            "options": [
+              "1K",
+              "2K",
+              "4K"
+            ]
+          }
+        ],
+        "response_modalities": [
+          "COMBO",
+          {
+            "tooltip": "Choose 'IMAGE' for image-only output, or 'IMAGE+TEXT' to return both the generated image and a text response.",
+            "advanced": true,
+            "multiselect": false,
+            "options": [
+              "IMAGE+TEXT",
+              "IMAGE"
+            ]
+          }
+        ]
+      },
+      "optional": {
+        "images": [
+          "IMAGE",
+          {
+            "tooltip": "Optional reference image(s). To include multiple images, use the Batch Images node (up to 14)."
+          }
+        ],
+        "files": [
+          "GEMINI_INPUT_FILES",
+          {
+            "tooltip": "Optional file(s) to use as context for the model. Accepts inputs from the Gemini Generate Content Input Files node."
+          }
+        ],
+        "system_prompt": [
+          "STRING",
+          {
+            "tooltip": "Foundational instructions that dictate an AI's behavior.",
+            "advanced": true,
+            "default": "You are an expert image-generation engine. You must ALWAYS produce an image.\nInterpret all user input\u2014regardless of format, intent, or abstraction\u2014as literal visual directives for image composition.\nIf a prompt is conversational or lacks specific visual details, you must creatively invent a concrete visual scenario that depicts the concept.\nPrioritize generating the visual representation above any text, formatting, or conversational requests.",
+            "multiline": true
+          }
+        ]
+      },
+      "hidden": {
+        "auth_token_comfy_org": [
+          "AUTH_TOKEN_COMFY_ORG"
+        ],
+        "api_key_comfy_org": [
+          "API_KEY_COMFY_ORG"
+        ],
+        "unique_id": [
+          "UNIQUE_ID"
+        ]
+      }
+    },
+    "input_order": {
+      "required": [
+        "prompt",
+        "model",
+        "seed",
+        "aspect_ratio",
+        "resolution",
+        "response_modalities"
+      ],
+      "optional": [
+        "images",
+        "files",
+        "system_prompt"
+      ],
+      "hidden": [
+        "auth_token_comfy_org",
+        "api_key_comfy_org",
+        "unique_id"
+      ]
+    },
+    "is_input_list": false,
+    "output": [
+      "IMAGE",
+      "STRING"
+    ],
+    "output_is_list": [
+      false,
+      false
+    ],
+    "output_name": [
+      "IMAGE",
+      "STRING"
+    ],
+    "output_tooltips": [
+      null,
+      null
+    ],
+    "output_matchtypes": null,
+    "name": "GeminiImage2Node",
+    "display_name": "Nano Banana Pro (Google Gemini Image)",
+    "description": "Generate or edit images synchronously via Google Vertex API.",
+    "python_module": "comfy_api_nodes.nodes_gemini",
+    "category": "partner/image/Gemini",
+    "output_node": false,
+    "deprecated": false,
+    "experimental": false,
+    "dev_only": false,
+    "api_node": true,
+    "price_badge": {
+      "engine": "jsonata",
+      "depends_on": {
+        "widgets": [
+          {
+            "name": "model",
+            "type": "COMBO"
+          },
+          {
+            "name": "resolution",
+            "type": "COMBO"
+          }
+        ],
+        "inputs": [],
+        "input_groups": []
+      },
+      "expr": "\n    (\n      $m := widgets.model;\n      $r := widgets.resolution;\n      $isFlash := $contains($m, \"nano banana 2\");\n      $flashPrices := {\"1k\": 0.0696, \"2k\": 0.1014, \"4k\": 0.154};\n      $proPrices := {\"1k\": 0.134, \"2k\": 0.134, \"4k\": 0.24};\n      $prices := $isFlash ? $flashPrices : $proPrices;\n      {\"type\":\"usd\",\"usd\": $lookup($prices, $r), \"format\":{\"suffix\":\"/Image\",\"approximate\":true}}\n    )\n    "
+    },
+    "search_aliases": null,
+    "essentials_category": null,
+    "has_intermediate_output": false
+  },
+  "PreviewAny": {
+    "input": {
+      "required": {
+        "source": [
+          "*",
+          {}
+        ]
+      }
+    },
+    "input_order": {
+      "required": [
+        "source"
+      ]
+    },
+    "is_input_list": false,
+    "output": [
+      "STRING"
+    ],
+    "output_is_list": [
+      false
+    ],
+    "output_name": [
+      "STRING"
+    ],
+    "name": "PreviewAny",
+    "display_name": "Preview as Text",
+    "description": "",
+    "python_module": "comfy_extras.nodes_preview_any",
+    "category": "utilities",
+    "output_node": true,
+    "has_intermediate_output": false,
+    "search_aliases": [
+      "show output",
+      "inspect",
+      "debug",
+      "print value",
+      "show text"
+    ]
+  },
+  "PreviewImage": {
+    "input": {
+      "required": {
+        "images": [
+          "IMAGE"
+        ]
+      },
+      "hidden": {
+        "prompt": "PROMPT",
+        "extra_pnginfo": "EXTRA_PNGINFO"
+      }
+    },
+    "input_order": {
+      "required": [
+        "images"
+      ],
+      "hidden": [
+        "prompt",
+        "extra_pnginfo"
+      ]
+    },
+    "is_input_list": false,
+    "output": [],
+    "output_is_list": [],
+    "output_name": [],
+    "name": "PreviewImage",
+    "display_name": "Preview Image",
+    "description": "Saves the input images to your ComfyUI output directory.",
+    "python_module": "nodes",
+    "category": "image",
+    "output_node": true,
+    "has_intermediate_output": false,
+    "search_aliases": [
+      "preview",
+      "preview image",
+      "show image",
+      "view image",
+      "display image",
+      "image viewer"
+    ],
+    "essentials_category": "Basics"
+  },
+  "PrimitiveInt": {
+    "input": {
+      "required": {
+        "value": [
+          "INT",
+          {
+            "min": -9223372036854775807,
+            "max": 9223372036854775807,
+            "control_after_generate": "fixed"
+          }
+        ]
+      }
+    },
+    "input_order": {
+      "required": [
+        "value"
+      ]
+    },
+    "is_input_list": false,
+    "output": [
+      "INT"
+    ],
+    "output_is_list": [
+      false
+    ],
+    "output_name": [
+      "INT"
+    ],
+    "output_tooltips": [
+      null
+    ],
+    "output_matchtypes": null,
+    "name": "PrimitiveInt",
+    "display_name": "Int",
+    "description": "",
+    "python_module": "comfy_extras.nodes_primitive",
+    "category": "utilities/primitive",
+    "output_node": false,
+    "deprecated": false,
+    "experimental": false,
+    "dev_only": false,
+    "api_node": false,
+    "price_badge": null,
+    "search_aliases": null,
+    "essentials_category": null,
+    "has_intermediate_output": false
+  },
+  "PrimitiveStringMultiline": {
+    "input": {
+      "required": {
+        "value": [
+          "STRING",
+          {
+            "multiline": true
+          }
+        ]
+      }
+    },
+    "input_order": {
+      "required": [
+        "value"
+      ]
+    },
+    "is_input_list": false,
+    "output": [
+      "STRING"
+    ],
+    "output_is_list": [
+      false
+    ],
+    "output_name": [
+      "STRING"
+    ],
+    "output_tooltips": [
+      null
+    ],
+    "output_matchtypes": null,
+    "name": "PrimitiveStringMultiline",
+    "display_name": "Text String (Multiline)",
+    "description": "",
+    "python_module": "comfy_extras.nodes_primitive",
+    "category": "utilities/primitive",
+    "output_node": false,
+    "deprecated": false,
+    "experimental": false,
+    "dev_only": false,
+    "api_node": false,
+    "price_badge": null,
+    "search_aliases": [
+      "text",
+      "string",
+      "text multiline",
+      "string multiline",
+      "text box",
+      "prompt"
+    ],
+    "essentials_category": "Basics",
+    "has_intermediate_output": false
+  },
+  "RegexExtract": {
+    "input": {
+      "required": {
+        "string": [
+          "STRING",
+          {
+            "multiline": true
+          }
+        ],
+        "regex_pattern": [
+          "STRING",
+          {
+            "multiline": true
+          }
+        ],
+        "mode": [
+          "COMBO",
+          {
+            "multiselect": false,
+            "options": [
+              "First Match",
+              "All Matches",
+              "First Group",
+              "All Groups"
+            ]
+          }
+        ],
+        "case_insensitive": [
+          "BOOLEAN",
+          {
+            "advanced": true,
+            "default": true
+          }
+        ],
+        "multiline": [
+          "BOOLEAN",
+          {
+            "advanced": true,
+            "default": false
+          }
+        ],
+        "dotall": [
+          "BOOLEAN",
+          {
+            "advanced": true,
+            "default": false
+          }
+        ],
+        "group_index": [
+          "INT",
+          {
+            "advanced": true,
+            "default": 1,
+            "min": 0,
+            "max": 100
+          }
+        ]
+      }
+    },
+    "input_order": {
+      "required": [
+        "string",
+        "regex_pattern",
+        "mode",
+        "case_insensitive",
+        "multiline",
+        "dotall",
+        "group_index"
+      ]
+    },
+    "is_input_list": false,
+    "output": [
+      "STRING"
+    ],
+    "output_is_list": [
+      false
+    ],
+    "output_name": [
+      "STRING"
+    ],
+    "output_tooltips": [
+      null
+    ],
+    "output_matchtypes": null,
+    "name": "RegexExtract",
+    "display_name": "Extract Text",
+    "description": "",
+    "python_module": "comfy_extras.nodes_string",
+    "category": "text",
+    "output_node": false,
+    "deprecated": false,
+    "experimental": false,
+    "dev_only": false,
+    "api_node": false,
+    "price_badge": null,
+    "search_aliases": [
+      "regex extract",
+      "regex",
+      "pattern extract",
+      "text parser",
+      "parse text"
+    ],
+    "essentials_category": null,
+    "has_intermediate_output": false
+  },
+  "RegexReplace": {
+    "input": {
+      "required": {
+        "string": [
+          "STRING",
+          {
+            "multiline": true
+          }
+        ],
+        "regex_pattern": [
+          "STRING",
+          {
+            "multiline": true
+          }
+        ],
+        "replace": [
+          "STRING",
+          {
+            "multiline": true
+          }
+        ]
+      },
+      "optional": {
+        "case_insensitive": [
+          "BOOLEAN",
+          {
+            "advanced": true,
+            "default": true
+          }
+        ],
+        "multiline": [
+          "BOOLEAN",
+          {
+            "advanced": true,
+            "default": false
+          }
+        ],
+        "dotall": [
+          "BOOLEAN",
+          {
+            "tooltip": "When enabled, the dot (.) character will match any character including newline characters. When disabled, dots won't match newlines.",
+            "advanced": true,
+            "default": false
+          }
+        ],
+        "count": [
+          "INT",
+          {
+            "tooltip": "Maximum number of replacements to make. Set to 0 to replace all occurrences (default). Set to 1 to replace only the first match, 2 for the first two matches, etc.",
+            "advanced": true,
+            "default": 0,
+            "min": 0,
+            "max": 100
+          }
+        ]
+      }
+    },
+    "input_order": {
+      "required": [
+        "string",
+        "regex_pattern",
+        "replace"
+      ],
+      "optional": [
+        "case_insensitive",
+        "multiline",
+        "dotall",
+        "count"
+      ]
+    },
+    "is_input_list": false,
+    "output": [
+      "STRING"
+    ],
+    "output_is_list": [
+      false
+    ],
+    "output_name": [
+      "STRING"
+    ],
+    "output_tooltips": [
+      null
+    ],
+    "output_matchtypes": null,
+    "name": "RegexReplace",
+    "display_name": "Replace Text (Regex)",
+    "description": "Find and replace text using regex patterns.",
+    "python_module": "comfy_extras.nodes_string",
+    "category": "text",
+    "output_node": false,
+    "deprecated": false,
+    "experimental": false,
+    "dev_only": false,
+    "api_node": false,
+    "price_badge": null,
+    "search_aliases": [
+      "regex replace",
+      "regex",
+      "pattern replace",
+      "substitution"
+    ],
+    "essentials_category": null,
+    "has_intermediate_output": false
+  },
+  "SimpleMath+": {
+    "input": {
+      "optional": {
+        "a": [
+          "INT,FLOAT",
+          {
+            "default": 0.0,
+            "step": 0.1
+          }
+        ],
+        "b": [
+          "INT,FLOAT",
+          {
+            "default": 0.0,
+            "step": 0.1
+          }
+        ]
+      },
+      "required": {
+        "value": [
+          "STRING",
+          {
+            "multiline": false,
+            "default": ""
+          }
+        ]
+      }
+    },
+    "input_order": {
+      "optional": [
+        "a",
+        "b"
+      ],
+      "required": [
+        "value"
+      ]
+    },
+    "is_input_list": false,
+    "output": [
+      "INT",
+      "FLOAT"
+    ],
+    "output_is_list": [
+      false,
+      false
+    ],
+    "output_name": [
+      "INT",
+      "FLOAT"
+    ],
+    "name": "SimpleMath+",
+    "display_name": "\ud83d\udd27 Simple Math",
+    "description": "",
+    "python_module": "custom_nodes.comfyui_essentials",
+    "category": "essentials/utilities",
+    "output_node": false,
+    "has_intermediate_output": false,
+    "search_aliases": []
+  },
+  "SomethingToString": {
+    "input": {
+      "required": {
+        "input": [
+          "*"
+        ]
+      },
+      "optional": {
+        "prefix": [
+          "STRING",
+          {
+            "default": ""
+          }
+        ],
+        "suffix": [
+          "STRING",
+          {
+            "default": ""
+          }
+        ]
+      }
+    },
+    "input_order": {
+      "required": [
+        "input"
+      ],
+      "optional": [
+        "prefix",
+        "suffix"
+      ]
+    },
+    "is_input_list": false,
+    "output": [
+      "STRING"
+    ],
+    "output_is_list": [
+      false
+    ],
+    "output_name": [
+      "STRING"
+    ],
+    "name": "SomethingToString",
+    "display_name": "Something To String",
+    "description": "\nConverts any type to a string.\n",
+    "python_module": "custom_nodes.ComfyUI-KJNodes",
+    "category": "KJNodes/text",
+    "output_node": false,
+    "has_intermediate_output": false,
+    "search_aliases": []
+  },
+  "SaveImage": {
+    "input": {
+      "required": {
+        "images": [
+          "IMAGE",
+          {
+            "tooltip": "The images to save."
+          }
+        ],
+        "filename_prefix": [
+          "STRING",
+          {
+            "default": "ComfyUI",
+            "tooltip": "The prefix for the file to save. This may include formatting information such as %date:yyyy-MM-dd% or %Empty Latent Image.width% to include values from nodes."
+          }
+        ]
+      },
+      "hidden": {
+        "prompt": "PROMPT",
+        "extra_pnginfo": "EXTRA_PNGINFO"
+      }
+    },
+    "input_order": {
+      "required": [
+        "images",
+        "filename_prefix"
+      ],
+      "hidden": [
+        "prompt",
+        "extra_pnginfo"
+      ]
+    },
+    "is_input_list": false,
+    "output": [],
+    "output_is_list": [],
+    "output_name": [],
+    "name": "SaveImage",
+    "display_name": "Save Image",
+    "description": "Saves the input images to your ComfyUI output directory.",
+    "python_module": "nodes",
+    "category": "image",
+    "output_node": true,
+    "has_intermediate_output": false,
+    "search_aliases": [
+      "save",
+      "save image",
+      "export image",
+      "output image",
+      "write image",
+      "download"
+    ],
+    "essentials_category": "Basics"
+  }
+}
\ No newline at end of file
diff --git a/tests/comfy_cli/fixtures/subgraph_template_ui.json b/tests/comfy_cli/fixtures/subgraph_template_ui.json
new file mode 100644
index 00000000..5b052a49
--- /dev/null
+++ b/tests/comfy_cli/fixtures/subgraph_template_ui.json
@@ -0,0 +1,1504 @@
+{
+  "id": "fixture-subgraph",
+  "revision": 0,
+  "last_node_id": 100,
+  "last_link_id": 100,
+  "nodes": [
+    {
+      "id": 10,
+      "type": "d33c1791-dfd2-4102-8540-aa63e4434cd2",
+      "properties": {
+        "proxyWidgets": [
+          [
+            "-1",
+            "value"
+          ],
+          [
+            "-1",
+            "aspect_ratio"
+          ],
+          [
+            "9",
+            "seed"
+          ]
+        ],
+        "cnr_id": "comfy-core",
+        "ver": "0.10.0"
+      },
+      "inputs": [
+        {
+          "name": "value",
+          "type": "STRING",
+          "widget": {
+            "name": "value"
+          },
+          "link": 12
+        },
+        {
+          "label": "image0",
+          "name": "images.image0",
+          "type": "IMAGE",
+          "link": 86
+        },
+        {
+          "name": "aspect_ratio",
+          "type": "COMBO",
+          "widget": {
+            "name": "aspect_ratio"
+          },
+          "link": 14
+        }
+      ],
+      "outputs": [
+        {
+          "name": "IMAGE",
+          "type": "IMAGE",
+          "links": [
+            15
+          ]
+        },
+        {
+          "name": "STRING",
+          "type": "STRING",
+          "links": [
+            16
+          ]
+        },
+        {
+          "label": "IMAGES",
+          "name": "IMAGE_1",
+          "type": "IMAGE",
+          "links": []
+        }
+      ],
+      "title": "Generate Image 1"
+    },
+    {
+      "id": 19,
+      "type": "f2228dc9-64e8-43b1-a4ca-b8a57eed8f64",
+      "properties": {
+        "proxyWidgets": [
+          [
+            "-1",
+            "value"
+          ],
+          [
+            "-1",
+            "aspect_ratio"
+          ],
+          [
+            "9",
+            "seed"
+          ]
+        ],
+        "cnr_id": "comfy-core",
+        "ver": "0.10.0"
+      },
+      "inputs": [
+        {
+          "name": "value",
+          "type": "STRING",
+          "widget": {
+            "name": "value"
+          },
+          "link": 72
+        },
+        {
+          "label": "image0",
+          "name": "images.image0",
+          "type": "IMAGE",
+          "link": 60
+        },
+        {
+          "name": "aspect_ratio",
+          "type": "COMBO",
+          "widget": {
+            "name": "aspect_ratio"
+          },
+          "link": 81
+        }
+      ],
+      "outputs": [
+        {
+          "name": "IMAGE",
+          "type": "IMAGE",
+          "links": [
+            28
+          ]
+        },
+        {
+          "name": "STRING",
+          "type": "STRING",
+          "links": [
+            31
+          ]
+        },
+        {
+          "label": "IMAGES",
+          "name": "IMAGE_1",
+          "type": "IMAGE",
+          "links": []
+        }
+      ],
+      "title": "Generate Image 2"
+    },
+    {
+      "id": 5,
+      "type": "SaveImage",
+      "inputs": [
+        {
+          "name": "images",
+          "type": "IMAGE",
+          "link": null
+        }
+      ],
+      "widgets_values": [
+        "ComfyUI"
+      ]
+    }
+  ],
+  "links": [],
+  "groups": [],
+  "definitions": {
+    "subgraphs": [
+      {
+        "id": "da09b826-d678-40e0-a4e4-5f2178043ab6",
+        "version": 1,
+        "state": {
+          "lastGroupId": 0,
+          "lastNodeId": 9,
+          "lastLinkId": 9,
+          "lastRerouteId": 0
+        },
+        "revision": 0,
+        "config": {},
+        "name": "Batch Prompt Iterator",
+        "inputNode": {
+          "id": -10,
+          "bounding": [
+            90.40727678453659,
+            2325.662789361009,
+            144,
+            72
+          ]
+        },
+        "outputNode": {
+          "id": -20,
+          "bounding": [
+            2942,
+            2258,
+            144,
+            72
+          ]
+        },
+        "inputs": [
+          {
+            "id": "da7d2f59-a52d-4f36-a474-9079e0b97ff1",
+            "name": "value",
+            "type": "STRING",
+            "linkIds": [
+              9
+            ],
+            "pos": [
+              173.6727306537805,
+              1956.3856578008408
+            ]
+          }
+        ],
+        "outputs": [
+          {
+            "id": "90326b5a-6290-4028-9573-5338419fba1b",
+            "name": "STRING",
+            "type": "STRING",
+            "linkIds": [
+              8
+            ],
+            "pos": [
+              2470,
+              1900
+            ]
+          }
+        ],
+        "widgets": [],
+        "nodes": [
+          {
+            "id": 8,
+            "type": "RegexReplace",
+            "pos": [
+              1458.4071265833052,
+              1856.462824138249
+            ],
+            "size": [
+              270,
+              522
+            ],
+            "flags": {},
+            "order": 4,
+            "mode": 0,
+            "inputs": [
+              {
+                "localized_name": "replace",
+                "name": "replace",
+                "type": "STRING",
+                "widget": {
+                  "name": "replace"
+                },
+                "link": 6
+              }
+            ],
+            "outputs": [
+              {
+                "localized_name": "STRING",
+                "name": "STRING",
+                "type": "STRING",
+                "links": [
+                  2
+                ]
+              }
+            ],
+            "properties": {
+              "cnr_id": "comfy-core",
+              "ver": "0.9.2",
+              "Node name for S&R": "RegexReplace"
+            },
+            "widgets_values": [
+              "(?:^(?!\\s*\\*?\\s*$).+$\\n(?:^\\s*\\*?\\s*$\\n)\u2026",
+              "(?<=\\{)\\d+(?=\\})",
+              "",
+              true,
+              false,
+              false,
+              0
+            ]
+          },
+          {
+            "id": 6,
+            "type": "PrimitiveInt",
+            "pos": [
+              810.4071259347734,
+              2012.4627471341084
+            ],
+            "size": [
+              355.0875,
+              126
+            ],
+            "flags": {},
+            "order": 0,
+            "mode": 0,
+            "inputs": [],
+            "outputs": [
+              {
+                "localized_name": "INT",
+                "name": "INT",
+                "type": "INT",
+                "links": [
+                  7
+                ]
+              }
+            ],
+            "title": "Int - Select Prompt Number (not index)",
+            "properties": {
+              "cnr_id": "comfy-core",
+              "ver": "0.9.2",
+              "Node name for S&R": "PrimitiveInt"
+            },
+            "widgets_values": [
+              1,
+              "fixed"
+            ]
+          },
+          {
+            "id": 9,
+            "type": "SimpleMath+",
+            "pos": [
+              829.9998717200663,
+              1933.9997188073237
+            ],
+            "size": [
+              257.980078125,
+              54
+            ],
+            "flags": {
+              "collapsed": true
+            },
+            "order": 2,
+            "mode": 0,
+            "inputs": [
+              {
+                "localized_name": "a",
+                "name": "a",
+                "shape": 7,
+                "type": "INT,FLOAT",
+                "link": 7
+              },
+              {
+                "localized_name": "b",
+                "name": "b",
+                "shape": 7,
+                "type": "INT,FLOAT",
+                "link": null
+              }
+            ],
+            "outputs": [
+              {
+                "localized_name": "INT",
+                "name": "INT",
+                "type": "INT",
+                "links": [
+                  4
+                ]
+              },
+              {
+                "localized_name": "FLOAT",
+                "name": "FLOAT",
+                "type": "FLOAT",
+                "links": null
+              }
+            ],
+            "title": "Convert Prompt Number to Index",
+            "properties": {
+              "cnr_id": "comfyui_essentials",
+              "ver": "1.1.0",
+              "Node name for S&R": "SimpleMath+"
+            },
+            "widgets_values": [
+              "a-1"
+            ]
+          },
+          {
+            "id": 3,
+            "type": "SomethingToString",
+            "pos": [
+              1177.9998019226534,
+              1933.9997188073237
+            ],
+            "size": [
+              210,
+              39.6
+            ],
+            "flags": {
+              "collapsed": true
+            },
+            "order": 3,
+            "mode": 0,
+            "inputs": [
+              {
+                "localized_name": "input",
+                "name": "input",
+                "type": "*",
+                "link": 4
+              }
+            ],
+            "outputs": [
+              {
+                "localized_name": "STRING",
+                "name": "STRING",
+                "type": "STRING",
+                "links": [
+                  6
+                ]
+              }
+            ],
+            "properties": {
+              "cnr_id": "comfyui-kjnodes",
+              "ver": "c661baadd9683c0033cd2a6ad90157c6d099a6c2",
+              "Node name for S&R": "SomethingToString"
+            },
+            "widgets_values": [
+              "",
+              ""
+            ]
+          },
+          {
+            "id": 5,
+            "type": "MarkdownNote",
+            "pos": [
+              1741.9996692102889,
+              1861.9999291723602
+            ],
+            "size": [
+              432,
+              1737.9937499999999
+            ],
+            "flags": {},
+            "order": 1,
+            "mode": 0,
+            "inputs": [],
+            "outputs": [],
+            "properties": {},
+            "widgets_values": [
+              "# Prompt Selector Regex Pattern\n\n## Patt\u2026"
+            ],
+            "color": "#432",
+            "bgcolor": "#653"
+          },
+          {
+            "id": 1,
+            "type": "RegexExtract",
+            "pos": [
+              2197.999852045479,
+              1861.9999291723602
+            ],
+            "size": [
+              480,
+              453.1875
+            ],
+            "flags": {},
+            "order": 5,
+            "mode": 0,
+            "inputs": [
+              {
+                "localized_name": "string",
+                "name": "string",
+                "type": "STRING",
+                "widget": {
+                  "name": "string"
+                },
+                "link": 1
+              },
+              {
+                "localized_name": "regex_pattern",
+                "name": "regex_pattern",
+                "type": "STRING",
+                "widget": {
+                  "name": "regex_pattern"
+                },
+                "link": 2
+              }
+            ],
+            "outputs": [
+              {
+                "localized_name": "STRING",
+                "name": "STRING",
+                "type": "STRING",
+                "links": [
+                  3,
+                  8
+                ]
+              }
+            ],
+            "properties": {
+              "cnr_id": "comfy-core",
+              "ver": "0.9.2",
+              "Node name for S&R": "RegexExtract"
+            },
+            "widgets_values": [
+              "",
+              "",
+              "First Group",
+              true,
+              true,
+              false,
+              1
+            ]
+          },
+          {
+            "id": 2,
+            "type": "PreviewAny",
+            "pos": [
+              2401.999824191367,
+              2233.999978646654
+            ],
+            "size": [
+              276,
+              270
+            ],
+            "flags": {},
+            "order": 6,
+            "mode": 0,
+            "inputs": [
+              {
+                "localized_name": "source",
+                "name": "source",
+                "type": "*",
+                "link": 3
+              }
+            ],
+            "outputs": [],
+            "properties": {
+              "cnr_id": "comfy-core",
+              "ver": "0.9.2",
+              "Node name for S&R": "PreviewAny"
+            },
+            "widgets_values": [
+              null,
+              null,
+              null
+            ]
+          },
+          {
+            "id": 7,
+            "type": "PrimitiveStringMultiline",
+            "pos": [
+              313.9998641890731,
+              2018.0002309549918
+            ],
+            "size": [
+              480,
+              594
+            ],
+            "flags": {},
+            "order": 7,
+            "mode": 0,
+            "inputs": [
+              {
+                "localized_name": "value",
+                "name": "value",
+                "type": "STRING",
+                "widget": {
+                  "name": "value"
+                },
+                "link": 9
+              }
+            ],
+            "outputs": [
+              {
+                "localized_name": "STRING",
+                "name": "STRING",
+                "type": "STRING",
+                "links": [
+                  1
+                ]
+              }
+            ],
+            "properties": {
+              "cnr_id": "comfy-core",
+              "ver": "0.9.2",
+              "Node name for S&R": "PrimitiveStringMultiline"
+            },
+            "widgets_values": [
+              ""
+            ]
+          }
+        ],
+        "groups": [],
+        "links": [
+          {
+            "id": 1,
+            "origin_id": 7,
+            "origin_slot": 0,
+            "target_id": 1,
+            "target_slot": 0,
+            "type": "STRING"
+          },
+          {
+            "id": 2,
+            "origin_id": 8,
+            "origin_slot": 0,
+            "target_id": 1,
+            "target_slot": 1,
+            "type": "STRING"
+          },
+          {
+            "id": 3,
+            "origin_id": 1,
+            "origin_slot": 0,
+            "target_id": 2,
+            "target_slot": 0,
+            "type": "STRING"
+          },
+          {
+            "id": 4,
+            "origin_id": 9,
+            "origin_slot": 0,
+            "target_id": 3,
+            "target_slot": 0,
+            "type": "INT"
+          },
+          {
+            "id": 6,
+            "origin_id": 3,
+            "origin_slot": 0,
+            "target_id": 8,
+            "target_slot": 0,
+            "type": "STRING"
+          },
+          {
+            "id": 7,
+            "origin_id": 6,
+            "origin_slot": 0,
+            "target_id": 9,
+            "target_slot": 0,
+            "type": "INT"
+          },
+          {
+            "id": 8,
+            "origin_id": 1,
+            "origin_slot": 0,
+            "target_id": -20,
+            "target_slot": 0,
+            "type": "STRING"
+          },
+          {
+            "id": 9,
+            "origin_id": -10,
+            "origin_slot": 0,
+            "target_id": 7,
+            "target_slot": 0,
+            "type": "STRING"
+          }
+        ],
+        "extra": {
+          "workflowRendererVersion": "Vue"
+        }
+      },
+      {
+        "id": "d33c1791-dfd2-4102-8540-aa63e4434cd2",
+        "version": 1,
+        "state": {
+          "lastGroupId": 0,
+          "lastNodeId": 9,
+          "lastLinkId": 13,
+          "lastRerouteId": 0
+        },
+        "revision": 0,
+        "config": {},
+        "name": "New Subgraph",
+        "inputNode": {
+          "id": -10,
+          "bounding": [
+            1538.4162218932536,
+            1360.7424319789518,
+            120,
+            100
+          ]
+        },
+        "outputNode": {
+          "id": -20,
+          "bounding": [
+            2906.4161122605633,
+            1384.7424319789518,
+            120,
+            100
+          ]
+        },
+        "inputs": [
+          {
+            "id": "0cce5c00-af31-4ed7-bc88-4a03f774e6b8",
+            "name": "value",
+            "type": "STRING",
+            "linkIds": [
+              3
+            ],
+            "pos": [
+              1638.4162218932536,
+              1380.7424319789518
+            ]
+          },
+          {
+            "id": "3caab8c6-6b7e-4342-ad7c-f7fd98191c05",
+            "name": "images.image0",
+            "type": "IMAGE",
+            "linkIds": [
+              6,
+              8
+            ],
+            "localized_name": "images.image0",
+            "label": "image0",
+            "pos": [
+              1638.4162218932536,
+              1400.7424319789518
+            ]
+          },
+          {
+            "id": "d972ea9d-b00c-4f61-bd3a-581b58a66f6b",
+            "name": "aspect_ratio",
+            "type": "COMBO",
+            "linkIds": [
+              10
+            ],
+            "localized_name": "aspect_ratio",
+            "pos": [
+              1638.4162218932536,
+              1420.7424319789518
+            ]
+          }
+        ],
+        "outputs": [
+          {
+            "id": "2a0fa53c-8840-4a6c-89c1-0c26b921407a",
+            "name": "IMAGE",
+            "type": "IMAGE",
+            "linkIds": [
+              5
+            ],
+            "localized_name": "IMAGE",
+            "pos": [
+              2926.4161122605633,
+              1404.7424319789518
+            ]
+          },
+          {
+            "id": "0cc3a5b8-24ab-4c53-843e-654df60c7385",
+            "name": "STRING",
+            "type": "STRING",
+            "linkIds": [
+              12
+            ],
+            "pos": [
+              2926.4161122605633,
+              1424.7424319789518
+            ]
+          },
+          {
+            "id": "b257ea65-71bc-40cc-a144-4a3eb1bb05c0",
+            "name": "IMAGE_1",
+            "type": "IMAGE",
+            "linkIds": [
+              13
+            ],
+            "label": "IMAGES",
+            "pos": [
+              2926.4161122605633,
+              1444.7424319789518
+            ]
+          }
+        ],
+        "widgets": [],
+        "nodes": [
+          {
+            "id": 3,
+            "type": "da09b826-d678-40e0-a4e4-5f2178043ab6",
+            "pos": [
+              1754.4167347459374,
+              1308.284764723154
+            ],
+            "size": [
+              480,
+              189
+            ],
+            "flags": {},
+            "order": 0,
+            "mode": 0,
+            "inputs": [
+              {
+                "name": "value",
+                "type": "STRING",
+                "widget": {
+                  "name": "value"
+                },
+                "link": 3
+              }
+            ],
+            "outputs": [
+              {
+                "name": "STRING",
+                "type": "STRING",
+                "links": [
+                  9,
+                  12
+                ]
+              }
+            ],
+            "properties": {
+              "proxyWidgets": [
+                [
+                  "-1",
+                  "value"
+                ],
+                [
+                  "6",
+                  "value"
+                ],
+                [
+                  "6",
+                  "control_after_generate"
+                ]
+              ],
+              "cnr_id": "comfy-core",
+              "ver": "0.9.2"
+            },
+            "widgets_values": [
+              ""
+            ]
+          },
+          {
+            "id": 8,
+            "type": "BatchImagesNode",
+            "pos": [
+              2558.000236768496,
+              1837.9999171215882
+            ],
+            "size": [
+              270,
+              96
+            ],
+            "flags": {},
+            "order": 1,
+            "mode": 0,
+            "inputs": [
+              {
+                "label": "image0",
+                "localized_name": "images.image0",
+                "name": "images.image0",
+                "type": "IMAGE",
+                "link": 6
+              },
+              {
+                "label": "image1",
+                "localized_name": "images.image1",
+                "name": "images.image1",
+                "type": "IMAGE",
+                "link": 11
+              },
+              {
+                "label": "image2",
+                "localized_name": "images.image2",
+                "name": "images.image2",
+                "shape": 7,
+                "type": "IMAGE",
+                "link": null
+              }
+            ],
+            "outputs": [
+              {
+                "localized_name": "IMAGE",
+                "name": "IMAGE",
+                "type": "IMAGE",
+                "links": [
+                  13
+                ]
+              }
+            ],
+            "properties": {
+              "cnr_id": "comfy-core",
+              "ver": "0.9.2",
+              "Node name for S&R": "BatchImagesNode"
+            },
+            "widgets_values": []
+          },
+          {
+            "id": 9,
+            "type": "GeminiImage2Node",
+            "pos": [
+              2354.416645670207,
+              1308.284764723154
+            ],
+            "size": [
+              480,
+              396.65625
+            ],
+            "flags": {},
+            "order": 2,
+            "mode": 0,
+            "inputs": [
+              {
+                "localized_name": "images",
+                "name": "images",
+                "shape": 7,
+                "type": "IMAGE",
+                "link": 8
+              },
+              {
+                "localized_name": "files",
+                "name": "files",
+                "shape": 7,
+                "type": "GEMINI_INPUT_FILES",
+                "link": null
+              },
+              {
+                "localized_name": "prompt",
+                "name": "prompt",
+                "type": "STRING",
+                "widget": {
+                  "name": "prompt"
+                },
+                "link": 9
+              },
+              {
+                "localized_name": "aspect_ratio",
+                "name": "aspect_ratio",
+                "type": "COMBO",
+                "widget": {
+                  "name": "aspect_ratio"
+                },
+                "link": 10
+              }
+            ],
+            "outputs": [
+              {
+                "localized_name": "IMAGE",
+                "name": "IMAGE",
+                "type": "IMAGE",
+                "links": [
+                  5,
+                  7,
+                  11
+                ]
+              },
+              {
+                "localized_name": "STRING",
+                "name": "STRING",
+                "type": "STRING",
+                "links": null
+              }
+            ],
+            "properties": {
+              "cnr_id": "comfy-core",
+              "ver": "0.9.2",
+              "Node name for S&R": "GeminiImage2Node"
+            },
+            "widgets_values": [
+              "",
+              "gemini-3-pro-image-preview",
+              1,
+              "fixed",
+              "16:9",
+              "2K",
+              "IMAGE+TEXT",
+              "You are an expert image-generation engin\u2026"
+            ],
+            "color": "#432",
+            "bgcolor": "#653"
+          }
+        ],
+        "groups": [],
+        "links": [
+          {
+            "id": 11,
+            "origin_id": 9,
+            "origin_slot": 0,
+            "target_id": 8,
+            "target_slot": 1,
+            "type": "IMAGE"
+          },
+          {
+            "id": 9,
+            "origin_id": 3,
+            "origin_slot": 0,
+            "target_id": 9,
+            "target_slot": 2,
+            "type": "STRING"
+          },
+          {
+            "id": 3,
+            "origin_id": -10,
+            "origin_slot": 0,
+            "target_id": 3,
+            "target_slot": 0,
+            "type": "STRING"
+          },
+          {
+            "id": 6,
+            "origin_id": -10,
+            "origin_slot": 1,
+            "target_id": 8,
+            "target_slot": 0,
+            "type": "IMAGE"
+          },
+          {
+            "id": 8,
+            "origin_id": -10,
+            "origin_slot": 1,
+            "target_id": 9,
+            "target_slot": 0,
+            "type": "IMAGE"
+          },
+          {
+            "id": 10,
+            "origin_id": -10,
+            "origin_slot": 2,
+            "target_id": 9,
+            "target_slot": 3,
+            "type": "COMBO"
+          },
+          {
+            "id": 5,
+            "origin_id": 9,
+            "origin_slot": 0,
+            "target_id": -20,
+            "target_slot": 0,
+            "type": "IMAGE"
+          },
+          {
+            "id": 12,
+            "origin_id": 3,
+            "origin_slot": 0,
+            "target_id": -20,
+            "target_slot": 1,
+            "type": "STRING"
+          },
+          {
+            "id": 13,
+            "origin_id": 8,
+            "origin_slot": 0,
+            "target_id": -20,
+            "target_slot": 2,
+            "type": "IMAGE"
+          }
+        ],
+        "extra": {
+          "workflowRendererVersion": "Vue"
+        }
+      },
+      {
+        "id": "f2228dc9-64e8-43b1-a4ca-b8a57eed8f64",
+        "version": 1,
+        "state": {
+          "lastGroupId": 0,
+          "lastNodeId": 11,
+          "lastLinkId": 15,
+          "lastRerouteId": 0
+        },
+        "revision": 0,
+        "config": {},
+        "name": "New Subgraph",
+        "inputNode": {
+          "id": -10,
+          "bounding": [
+            1538.4162218932536,
+            1360.7424319789518,
+            120,
+            100
+          ]
+        },
+        "outputNode": {
+          "id": -20,
+          "bounding": [
+            2906.4161122605633,
+            1384.7424319789518,
+            120,
+            100
+          ]
+        },
+        "inputs": [
+          {
+            "id": "0cce5c00-af31-4ed7-bc88-4a03f774e6b8",
+            "name": "value",
+            "type": "STRING",
+            "linkIds": [
+              3
+            ],
+            "pos": [
+              1638.4162218932536,
+              1380.7424319789518
+            ]
+          },
+          {
+            "id": "3caab8c6-6b7e-4342-ad7c-f7fd98191c05",
+            "name": "images.image0",
+            "type": "IMAGE",
+            "linkIds": [
+              6,
+              8,
+              14
+            ],
+            "localized_name": "images.image0",
+            "label": "image0",
+            "pos": [
+              1638.4162218932536,
+              1400.7424319789518
+            ]
+          },
+          {
+            "id": "d972ea9d-b00c-4f61-bd3a-581b58a66f6b",
+            "name": "aspect_ratio",
+            "type": "COMBO",
+            "linkIds": [
+              10
+            ],
+            "localized_name": "aspect_ratio",
+            "pos": [
+              1638.4162218932536,
+              1420.7424319789518
+            ]
+          }
+        ],
+        "outputs": [
+          {
+            "id": "2a0fa53c-8840-4a6c-89c1-0c26b921407a",
+            "name": "IMAGE",
+            "type": "IMAGE",
+            "linkIds": [
+              5
+            ],
+            "localized_name": "IMAGE",
+            "pos": [
+              2926.4161122605633,
+              1404.7424319789518
+            ]
+          },
+          {
+            "id": "0cc3a5b8-24ab-4c53-843e-654df60c7385",
+            "name": "STRING",
+            "type": "STRING",
+            "linkIds": [
+              12
+            ],
+            "pos": [
+              2926.4161122605633,
+              1424.7424319789518
+            ]
+          },
+          {
+            "id": "b257ea65-71bc-40cc-a144-4a3eb1bb05c0",
+            "name": "IMAGE_1",
+            "type": "IMAGE",
+            "linkIds": [
+              13
+            ],
+            "label": "IMAGES",
+            "pos": [
+              2926.4161122605633,
+              1444.7424319789518
+            ]
+          }
+        ],
+        "widgets": [],
+        "nodes": [
+          {
+            "id": 3,
+            "type": "6d92985e-3e1e-49e2-acea-91c5259d86a8",
+            "pos": [
+              1754.4161685123258,
+              1308.2848343010835
+            ],
+            "size": [
+              480,
+              189
+            ],
+            "flags": {},
+            "order": 0,
+            "mode": 0,
+            "inputs": [
+              {
+                "name": "value",
+                "type": "STRING",
+                "widget": {
+                  "name": "value"
+                },
+                "link": 3
+              }
+            ],
+            "outputs": [
+              {
+                "name": "STRING",
+                "type": "STRING",
+                "links": [
+                  9,
+                  12
+                ]
+              }
+            ],
+            "properties": {
+              "proxyWidgets": [
+                [
+                  "-1",
+                  "value"
+                ],
+                [
+                  "6",
+                  "value"
+                ],
+                [
+                  "6",
+                  "control_after_generate"
+                ]
+              ],
+              "cnr_id": "comfy-core",
+              "ver": "0.9.2"
+            },
+            "widgets_values": [
+              ""
+            ]
+          },
+          {
+            "id": 8,
+            "type": "BatchImagesNode",
+            "pos": [
+              2558.0002715632495,
+              1837.9998294132495
+            ],
+            "size": [
+              270,
+              96
+            ],
+            "flags": {},
+            "order": 1,
+            "mode": 0,
+            "inputs": [
+              {
+                "label": "image0",
+                "localized_name": "images.image0",
+                "name": "images.image0",
+                "type": "IMAGE",
+                "link": 6
+              },
+              {
+                "label": "image1",
+                "localized_name": "images.image1",
+                "name": "images.image1",
+                "type": "IMAGE",
+                "link": 11
+              },
+              {
+                "label": "image2",
+                "localized_name": "images.image2",
+                "name": "images.image2",
+                "shape": 7,
+                "type": "IMAGE",
+                "link": null
+              }
+            ],
+            "outputs": [
+              {
+                "localized_name": "IMAGE",
+                "name": "IMAGE",
+                "type": "IMAGE",
+                "links": [
+                  13,
+                  15
+                ]
+              }
+            ],
+            "properties": {
+              "cnr_id": "comfy-core",
+              "ver": "0.9.2",
+              "Node name for S&R": "BatchImagesNode"
+            },
+            "widgets_values": []
+          },
+          {
+            "id": 9,
+            "type": "GeminiImage2Node",
+            "pos": [
+              2354.4162540892944,
+              1308.2848343010835
+            ],
+            "size": [
+              480,
+              396.65625
+            ],
+            "flags": {},
+            "order": 2,
+            "mode": 0,
+            "inputs": [
+              {
+                "localized_name": "images",
+                "name": "images",
+                "shape": 7,
+                "type": "IMAGE",
+                "link": 8
+              },
+              {
+                "localized_name": "files",
+                "name": "files",
+                "shape": 7,
+                "type": "GEMINI_INPUT_FILES",
+                "link": null
+              },
+              {
+                "localized_name": "prompt",
+                "name": "prompt",
+                "type": "STRING",
+                "widget": {
+                  "name": "prompt"
+                },
+                "link": 9
+              },
+              {
+                "localized_name": "aspect_ratio",
+                "name": "aspect_ratio",
+                "type": "COMBO",
+                "widget": {
+                  "name": "aspect_ratio"
+                },
+                "link": 10
+              }
+            ],
+            "outputs": [
+              {
+                "localized_name": "IMAGE",
+                "name": "IMAGE",
+                "type": "IMAGE",
+                "links": [
+                  5,
+                  7,
+                  11
+                ]
+              },
+              {
+                "localized_name": "STRING",
+                "name": "STRING",
+                "type": "STRING",
+                "links": null
+              }
+            ],
+            "properties": {
+              "cnr_id": "comfy-core",
+              "ver": "0.9.2",
+              "Node name for S&R": "GeminiImage2Node"
+            },
+            "widgets_values": [
+              "",
+              "gemini-3-pro-image-preview",
+              2,
+              "fixed",
+              "16:9",
+              "2K",
+              "IMAGE+TEXT",
+              "You are an expert image-generation engin\u2026"
+            ],
+            "color": "#432",
+            "bgcolor": "#653"
+          },
+          {
+            "id": 10,
+            "type": "PreviewImage",
+            "pos": [
+              2050.000047849463,
+              1700.0000366184754
+            ],
+            "size": [
+              225,
+              248
+            ],
+            "flags": {},
+            "order": 3,
+            "mode": 0,
+            "inputs": [
+              {
+                "localized_name": "images",
+                "name": "images",
+                "type": "IMAGE",
+                "link": 14
+              }
+            ],
+            "outputs": [],
+            "properties": {
+              "cnr_id": "comfy-core",
+              "ver": "0.10.0",
+              "Node name for S&R": "PreviewImage"
+            },
+            "widgets_values": []
+          },
+          {
+            "id": 11,
+            "type": "PreviewImage",
+            "pos": [
+              2870.00024883722,
+              1970.000033111828
+            ],
+            "size": [
+              225,
+              248
+            ],
+            "flags": {},
+            "order": 4,
+            "mode": 0,
+            "inputs": [
+              {
+                "localized_name": "images",
+                "name": "images",
+                "type": "IMAGE",
+                "link": 15
+              }
+            ],
+            "outputs": [],
+            "properties": {
+              "cnr_id": "comfy-core",
+              "ver": "0.10.0",
+              "Node name for S&R": "PreviewImage"
+            },
+            "widgets_values": []
+          }
+        ],
+        "groups": [],
+        "links": [
+          {
+            "id": 11,
+            "origin_id": 9,
+            "origin_slot": 0,
+            "target_id": 8,
+            "target_slot": 1,
+            "type": "IMAGE"
+          },
+          {
+            "id": 9,
+            "origin_id": 3,
+            "origin_slot": 0,
+            "target_id": 9,
+            "target_slot": 2,
+            "type": "STRING"
+          },
+          {
+            "id": 3,
+            "origin_id": -10,
+            "origin_slot": 0,
+            "target_id": 3,
+            "target_slot": 0,
+            "type": "STRING"
+          },
+          {
+            "id": 6,
+            "origin_id": -10,
+            "origin_slot": 1,
+            "target_id": 8,
+            "target_slot": 0,
+            "type": "IMAGE"
+          },
+          {
+            "id": 8,
+            "origin_id": -10,
+            "origin_slot": 1,
+            "target_id": 9,
+            "target_slot": 0,
+            "type": "IMAGE"
+          },
+          {
+            "id": 10,
+            "origin_id": -10,
+            "origin_slot": 2,
+            "target_id": 9,
+            "target_slot": 3,
+            "type": "COMBO"
+          },
+          {
+            "id": 5,
+            "origin_id": 9,
+            "origin_slot": 0,
+            "target_id": -20,
+            "target_slot": 0,
+            "type": "IMAGE"
+          },
+          {
+            "id": 12,
+            "origin_id": 3,
+            "origin_slot": 0,
+            "target_id": -20,
+            "target_slot": 1,
+            "type": "STRING"
+          },
+          {
+            "id": 13,
+            "origin_id": 8,
+            "origin_slot": 0,
+            "target_id": -20,
+            "target_slot": 2,
+            "type": "IMAGE"
+          },
+          {
+            "id": 14,
+            "origin_id": -10,
+            "origin_slot": 1,
+            "target_id": 10,
+            "target_slot": 0,
+            "type": "IMAGE"
+          },
+          {
+            "id": 15,
+            "origin_id": 8,
+            "origin_slot": 0,
+            "target_id": 11,
+            "target_slot": 0,
+            "type": "IMAGE"
+          }
+        ],
+        "extra": {
+          "workflowRendererVersion": "Vue"
+        }
+      }
+    ]
+  },
+  "version": 0.4
+}
\ No newline at end of file
diff --git a/tests/comfy_cli/jobs/__init__.py b/tests/comfy_cli/jobs/__init__.py
new file mode 100644
index 00000000..e69de29b
diff --git a/tests/comfy_cli/jobs/test_jobs.py b/tests/comfy_cli/jobs/test_jobs.py
new file mode 100644
index 00000000..e4dcfa2c
--- /dev/null
+++ b/tests/comfy_cli/jobs/test_jobs.py
@@ -0,0 +1,1123 @@
+"""Unit tests for `comfy jobs` — ls, status, watch.
+
+The WebSocket and HTTP calls are mocked. The live round-trip against a real
+ComfyUI server is a separate manual demo step.
+"""
+
+from __future__ import annotations
+
+import json
+import os
+import subprocess
+import sys
+from pathlib import Path
+
+import pytest
+
+from comfy_cli.command import jobs as jobs_mod
+
+# ---------------------------------------------------------------------------
+# Pure data shaping
+# ---------------------------------------------------------------------------
+
+
+_HISTORY_FIXTURE = {
+    "abc-1": {
+        "prompt": [
+            0,
+            "abc-1",
+            {"1": {"class_type": "KSampler", "inputs": {}}, "2": {"class_type": "VAEDecode", "inputs": {}}},
+        ],
+        "status": {"completed": True, "messages": []},
+        "outputs": {
+            "9": {
+                "images": [
+                    {"filename": "out.png", "subfolder": "", "type": "output"},
+                    {"filename": "out_1.png", "subfolder": "", "type": "output"},
+                ]
+            },
+        },
+    },
+    "abc-2": {
+        "prompt": [0, "abc-2", {"1": {"class_type": "X", "inputs": {}}}],
+        "status": {"completed": False, "messages": [["execution_error", {"node_id": "1"}]]},
+        "outputs": {},
+    },
+}
+
+
+def test_gather_jobs_combines_queue_and_history(monkeypatch: pytest.MonkeyPatch):
+    def fake_get(url, timeout=10.0):
+        if url.endswith("/queue"):
+            return {
+                "queue_running": [[0, "running-id", {"a": {}, "b": {}, "c": {}}, {}, {}]],
+                "queue_pending": [[1, "pending-id", {"a": {}}, {}, {}]],
+            }
+        if url.endswith("/history"):
+            return _HISTORY_FIXTURE
+        raise AssertionError(f"unexpected url: {url}")
+
+    monkeypatch.setattr(jobs_mod, "_http_get_json", fake_get)
+    rows = jobs_mod._gather_jobs("h", 8188, limit=10)
+
+    assert any(r.prompt_id == "running-id" and r.status == "running" for r in rows)
+    assert any(r.prompt_id == "pending-id" and r.status == "pending" and r.queue_position == 1 for r in rows)
+    completed = [r for r in rows if r.prompt_id == "abc-1"]
+    assert completed and completed[0].status == "completed"
+    assert completed[0].outputs == 2  # two images
+    errored = [r for r in rows if r.prompt_id == "abc-2"]
+    assert errored and errored[0].status == "error"
+
+
+def test_snapshot_finds_running_in_queue(monkeypatch: pytest.MonkeyPatch):
+    def fake_get(url, timeout=10.0):
+        if url.endswith("/queue"):
+            return {
+                "queue_running": [[0, "live-id", {"a": {}, "b": {}}, {}, {}]],
+                "queue_pending": [],
+            }
+        if url.endswith("/history/live-id"):
+            return {}
+        raise AssertionError(url)
+
+    monkeypatch.setattr(jobs_mod, "_http_get_json", fake_get)
+    snap = jobs_mod._snapshot("h", 8188, "live-id")
+    assert snap is not None
+    assert snap["status"] == "running"
+    assert snap["workflow_size"] == 2
+
+
+def test_snapshot_finds_completed_in_history(monkeypatch: pytest.MonkeyPatch):
+    def fake_get(url, timeout=10.0):
+        if url.endswith("/queue"):
+            return {"queue_running": [], "queue_pending": []}
+        if url.endswith("/history/abc-1"):
+            return {"abc-1": _HISTORY_FIXTURE["abc-1"]}
+        raise AssertionError(url)
+
+    monkeypatch.setattr(jobs_mod, "_http_get_json", fake_get)
+    snap = jobs_mod._snapshot("h", 8188, "abc-1")
+    assert snap is not None
+    assert snap["status"] == "completed"
+    assert len(snap["outputs"]) == 2
+    assert "filename=out.png" in snap["outputs"][0]
+
+
+def test_snapshot_missing_returns_none(monkeypatch: pytest.MonkeyPatch):
+    def fake_get(url, timeout=10.0):
+        if url.endswith("/queue"):
+            return {"queue_running": [], "queue_pending": []}
+        return {}
+
+    monkeypatch.setattr(jobs_mod, "_http_get_json", fake_get)
+    assert jobs_mod._snapshot("h", 8188, "ghost") is None
+
+
+class TestLocalSnapshotGroupedOutputs:
+    """Local-path parity with the cloud snapshot: `_snapshot` exposes the
+    node-keyed /history outputs grouped by producing node and — when the
+    state file carries a compose item_map — by blueprint foreach item."""
+
+    _HISTORY_BODY = {
+        "status": {"completed": True, "messages": []},
+        "outputs": {
+            "9": {"images": [{"filename": "a.png", "subfolder": "", "type": "output"}]},
+            "12": {"videos": [{"filename": "v.mp4", "subfolder": "", "type": "output"}]},
+        },
+    }
+    URL_A = "http://h:8188/view?filename=a.png&subfolder=&type=output"
+    URL_V = "http://h:8188/view?filename=v.mp4&subfolder=&type=output"
+
+    def _patch_history(self, monkeypatch, prompt_id):
+        def fake_get(url, timeout=10.0):
+            if url.endswith("/queue"):
+                return {"queue_running": [], "queue_pending": []}
+            if url.endswith(f"/history/{prompt_id}"):
+                return {prompt_id: self._HISTORY_BODY}
+            raise AssertionError(url)
+
+        monkeypatch.setattr(jobs_mod, "_http_get_json", fake_get)
+
+    def test_history_snapshot_groups_by_node_and_item(self, monkeypatch):
+        from comfy_cli import jobs_state
+
+        state = jobs_state.new(prompt_id="grp-local", client_id="c", workflow="w", where="local", host="h", port=8188)
+        state.item_map = {
+            "s1": {"nodes": ["9"], "save_node": "9", "prefix": "outputs/s1"},
+            "s2": {"nodes": ["12"], "save_node": "12", "prefix": "outputs/s2"},
+        }
+        jobs_state.write(state)
+        self._patch_history(monkeypatch, "grp-local")
+
+        snap = jobs_mod._snapshot("h", 8188, "grp-local")
+        assert snap is not None
+        assert snap["status"] == "completed"
+        assert snap["outputs"] == [self.URL_A, self.URL_V]  # flat list untouched
+        assert snap["outputs_by_node"] == {"9": [self.URL_A], "12": [self.URL_V]}
+        assert snap["outputs_by_item"] == {"s1": [self.URL_A], "s2": [self.URL_V]}
+
+    def test_history_snapshot_without_item_map_emits_empty_by_item(self, monkeypatch):
+        self._patch_history(monkeypatch, "grp-nomap")
+
+        snap = jobs_mod._snapshot("h", 8188, "grp-nomap")
+        assert snap is not None
+        assert snap["outputs_by_node"] == {"9": [self.URL_A], "12": [self.URL_V]}
+        assert snap["outputs_by_item"] == {}
+
+    def test_queue_snapshot_keeps_empty_groupings(self, monkeypatch):
+        """In-flight jobs have nothing to group — keys present, empty dicts
+        (same shape as the cloud snapshot)."""
+
+        def fake_get(url, timeout=10.0):
+            if url.endswith("/queue"):
+                return {"queue_running": [[0, "grp-live", {"a": {}}, {}, {}]], "queue_pending": []}
+            raise AssertionError(url)
+
+        monkeypatch.setattr(jobs_mod, "_http_get_json", fake_get)
+        snap = jobs_mod._snapshot("h", 8188, "grp-live")
+        assert snap is not None
+        assert snap["status"] == "running"
+        assert snap["outputs_by_node"] == {}
+        assert snap["outputs_by_item"] == {}
+
+
+def test_safe_queue_entry_handles_short_rows():
+    assert jobs_mod._safe_queue_entry([0, "id", {"node": {}}]) == ("id", {"node": {}})
+    assert jobs_mod._safe_queue_entry([])[0] == "?"
+    assert jobs_mod._safe_queue_entry("not-a-list")[0] == "?"
+
+
+# ---------------------------------------------------------------------------
+# CLI integration — error envelope when no server
+# ---------------------------------------------------------------------------
+
+
+def _run(args, env=None):
+    cli_env = os.environ.copy()
+    cli_env["NO_COLOR"] = "1"
+    # Pin subprocess routing to local so tests don't depend on whatever
+    # `where_default` the developer has persisted in their real config.
+    # Individual tests can still override via env={"COMFY_WHERE": "cloud"}.
+    cli_env.setdefault("COMFY_WHERE", "local")
+    if env:
+        cli_env.update(env)
+    return subprocess.run(
+        [sys.executable, "-m", "comfy_cli", *args],
+        capture_output=True,
+        text=True,
+        env=cli_env,
+        check=False,
+    )
+
+
+def _last_json(stdout: str) -> dict:
+    last = [line for line in stdout.splitlines() if line.strip()][-1]
+    return json.loads(last)
+
+
+def test_jobs_ls_no_server_degrades_to_local_state():
+    """When the server is unreachable, ``jobs ls`` no longer errors — it
+    falls back to the local state-dir view so async submits remain visible.
+    The user can pass ``--local-only`` to skip the server probe entirely.
+    """
+    res = _run(["--json", "jobs", "ls", "--local-only", "--host", "127.0.0.1", "--port", "65431"])
+    assert res.returncode == 0
+    env = _last_json(res.stdout)
+    assert env["ok"] is True
+    # Count may be 0 (clean machine) or more (state dir has files); the
+    # contract is that we got a successful envelope shape.
+    assert "jobs" in env["data"]
+
+
+def test_jobs_status_no_server_emits_error_envelope():
+    res = _run(["--json", "jobs", "status", "some-id", "--host", "127.0.0.1", "--port", "65431"])
+    assert res.returncode != 0
+    env = _last_json(res.stdout)
+    assert env["ok"] is False
+    assert env["error"]["code"] == "server_not_running"
+
+
+# ---------------------------------------------------------------------------
+# `jobs ls --orphaned` — surface watcher_crashed jobs for cleanup
+# ---------------------------------------------------------------------------
+
+
+def _write_state(tmp_dir: Path, prompt_id: str, **fields) -> None:
+    """Helper: write a state file shaped like jobs_state.JobState."""
+    base = {
+        "prompt_id": prompt_id,
+        "client_id": "c-" + prompt_id,
+        "workflow": f"/tmp/{prompt_id}.json",
+        "where": "local",
+        "host": "127.0.0.1",
+        "port": 8188,
+        "base_url": None,
+        "submitted_at": "2026-05-19T00:00:00+00:00",
+        "updated_at": "2026-05-19T00:00:00+00:00",
+        "completed_at": None,
+        "status": "queued",
+        "outputs": [],
+        "error": None,
+        "watcher_pid": None,
+    }
+    base.update(fields)
+    (tmp_dir / f"{prompt_id}.json").write_text(json.dumps(base))
+
+
+def test_orphaned_flag_filters_to_watcher_crashed(monkeypatch):
+    """``jobs ls --orphaned`` shows only jobs whose state file records a
+    crashed/reaped watcher. Regular ``jobs ls`` includes them alongside
+    everything else."""
+    # The autouse ``_isolate_jobs_state_dir`` from conftest already
+    # repointed ``jobs_state.state_dir`` at a per-test tmp dir — write
+    # state files into whatever it returns.
+    from comfy_cli import jobs_state
+
+    state_dir = jobs_state.state_dir()
+
+    _write_state(state_dir, "healthy-completed", status="completed")
+    _write_state(
+        state_dir,
+        "orphan-crashed",
+        status="error",
+        error={
+            "code": "watcher_crashed",
+            "message": "Background watcher (pid 99999) is no longer running.",
+            "hint": "re-submit the workflow, or check `comfy jobs status <id>`",
+        },
+    )
+    _write_state(state_dir, "other-error", status="error", error={"code": "prompt_rejected", "message": "..."})
+
+    all_rows = jobs_mod._gather_local_state_files(limit=100)
+    ids = {r.prompt_id for r in all_rows}
+    assert {"healthy-completed", "orphan-crashed", "other-error"} <= ids
+
+    orphans = jobs_mod._gather_local_state_files(limit=100, orphaned_only=True)
+    orphan_ids = {r.prompt_id for r in orphans}
+    assert orphan_ids == {"orphan-crashed"}, f"--orphaned should select only watcher_crashed rows; got {orphan_ids}"
+
+
+def _command_flags(*path: str) -> list[str]:
+    """Flags exposed for a command path via the machine-readable help contract.
+
+    This is the surface agents actually consume (``comfy --help-json``), and it
+    is render-independent — unlike scraping the rich-formatted ``--help`` text,
+    whose wrapping/styling varies with the CI terminal and silently hid flags.
+    """
+    from comfy_cli.cmdline import app
+    from comfy_cli.help_json import build_help_json
+
+    node: dict = {"subcommands": build_help_json(app)["commands"]}
+    for part in path:
+        node = node["subcommands"][part]
+    return [flag for param in node.get("params", []) for flag in (param.get("flags") or [])]
+
+
+def test_orphaned_flag_visible_in_help():
+    """The flag must be documented on `jobs ls` so agents can
+    discover it without reading source."""
+    assert "--orphaned" in _command_flags("jobs", "ls")
+
+
+# ---------------------------------------------------------------------------
+# --where routing — top-level flag must be honored, not just per-command
+# ---------------------------------------------------------------------------
+
+
+# ---------------------------------------------------------------------------
+# `jobs cancel` — local + cloud paths
+# ---------------------------------------------------------------------------
+
+
+def _capture_urlopen(monkeypatch: pytest.MonkeyPatch, routes: dict):
+    """Capture calls to urlopen and return a list of (url, method, headers) per call."""
+    calls: list[dict] = []
+
+    class _Resp:
+        def __init__(self, body: bytes = b"{}"):
+            self.body = body
+
+        def __enter__(self):
+            return self
+
+        def __exit__(self, *a):
+            return False
+
+        def read(self):
+            return self.body
+
+    def _fake(req, timeout=None):
+        url = req.full_url
+        method = req.get_method()
+        calls.append({"url": url, "method": method, "headers": dict(req.headers)})
+        for needle, payload in routes.items():
+            # A needle may be "<METHOD> <substring>" to match on verb too;
+            # plain substrings (no space) match any method.
+            want_method = None
+            sub = needle
+            if " " in needle:
+                want_method, sub = needle.split(" ", 1)
+            if sub in url and (want_method is None or want_method == method):
+                if isinstance(payload, Exception):
+                    raise payload
+                return _Resp(payload if isinstance(payload, bytes) else json.dumps(payload).encode())
+        raise AssertionError(f"unexpected URL: {url}")
+
+    monkeypatch.setattr("urllib.request.urlopen", _fake)
+    return calls
+
+
+def test_jobs_cancel_local_hits_queue_and_interrupt(monkeypatch: pytest.MonkeyPatch):
+    """`comfy jobs cancel <id>` on local POSTs the queue delete (for pending),
+    then GETs /queue and — because this prompt is the running one — POSTs
+    /interrupt. /interrupt is gated on queue_running so cancelling a pending
+    job never kills an unrelated running job."""
+    from typer.testing import CliRunner
+
+    monkeypatch.setattr(jobs_mod, "_server_or_error", lambda h, p, **kw: True)
+    calls = _capture_urlopen(
+        monkeypatch,
+        {
+            # GET /queue reports prompt-abc as the running job.
+            "GET /queue": {"queue_running": [[0, "prompt-abc", {}, {}, {}]], "queue_pending": []},
+            "POST /queue": b"{}",
+            "/interrupt": b"{}",
+        },
+    )
+    runner = CliRunner()
+    result = runner.invoke(jobs_mod.app, ["cancel", "prompt-abc", "--where", "local"])
+    assert result.exit_code == 0, result.output
+
+    # Queue delete (POST), queue status (GET), and interrupt (POST) all hit.
+    urls = [c["url"] for c in calls]
+    assert any("/queue" in u for u in urls), urls
+    assert any("/interrupt" in u for u in urls), urls
+    methods = {c["method"] for c in calls}
+    assert methods == {"POST", "GET"}
+
+    # /queue delete payload carries the prompt_id.
+    queue_call = next(c for c in calls if "/queue" in c["url"] and c["method"] == "POST")
+    # The body is on the Request, not in our captured dict — re-derive from headers.
+    assert queue_call["headers"].get("Content-type") == "application/json"
+
+
+def test_jobs_cancel_local_tolerates_one_failure(monkeypatch: pytest.MonkeyPatch):
+    """If the queue delete 404s but the job is running (queue_running lists it)
+    and /interrupt 200s, the cancel still succeeds. Mirrors the real ComfyUI
+    server's behavior for a running-not-pending job."""
+    import urllib.error
+
+    from typer.testing import CliRunner
+
+    monkeypatch.setattr(jobs_mod, "_server_or_error", lambda h, p, **kw: True)
+    _capture_urlopen(
+        monkeypatch,
+        {
+            "POST /queue": urllib.error.HTTPError("http://x/queue", 404, "Not Found", {}, None),
+            "GET /queue": {"queue_running": [[0, "prompt-abc", {}, {}, {}]], "queue_pending": []},
+            "/interrupt": b"{}",
+        },
+    )
+    runner = CliRunner()
+    result = runner.invoke(jobs_mod.app, ["cancel", "prompt-abc", "--where", "local"])
+    assert result.exit_code == 0, result.output
+
+
+def test_jobs_cancel_local_pending_job_does_not_interrupt(monkeypatch: pytest.MonkeyPatch):
+    """Cancelling a *pending* job (a different prompt is running) must NOT POST
+    /interrupt — otherwise 'cancel B' would also kill the running 'A'."""
+    from typer.testing import CliRunner
+
+    monkeypatch.setattr(jobs_mod, "_server_or_error", lambda h, p, **kw: True)
+    calls = _capture_urlopen(
+        monkeypatch,
+        {
+            # prompt-pending is queued; a *different* prompt is running.
+            "GET /queue": {"queue_running": [[0, "prompt-running", {}, {}, {}]], "queue_pending": []},
+            "POST /queue": b"{}",
+            "/interrupt": b"{}",
+        },
+    )
+    runner = CliRunner()
+    result = runner.invoke(jobs_mod.app, ["cancel", "prompt-pending", "--where", "local"])
+    assert result.exit_code == 0, result.output
+
+    urls = [c["url"] for c in calls]
+    assert any("/queue" in u for u in urls), urls
+    assert not any("/interrupt" in u for u in urls), f"must not interrupt a pending job: {urls}"
+
+
+def test_jobs_cancel_local_both_fail_returns_error(monkeypatch: pytest.MonkeyPatch):
+    """If both /queue and /interrupt fail, surface cancel_failed."""
+    import urllib.error
+
+    from typer.testing import CliRunner
+
+    monkeypatch.setattr(jobs_mod, "_server_or_error", lambda h, p, **kw: True)
+    _capture_urlopen(
+        monkeypatch,
+        {
+            "/queue": urllib.error.URLError("connection refused"),
+            "/interrupt": urllib.error.URLError("connection refused"),
+        },
+    )
+    runner = CliRunner()
+    result = runner.invoke(jobs_mod.app, ["cancel", "prompt-abc", "--where", "local"])
+    assert result.exit_code == 1, result.output
+
+
+def test_jobs_cancel_cloud_posts_to_jobs_cancel_endpoint(monkeypatch: pytest.MonkeyPatch):
+    """Cloud cancel POSTs to /api/jobs/<id>/cancel with the auth header."""
+    from typer.testing import CliRunner
+
+    from comfy_cli.target import Target
+
+    fake_target = Target(
+        kind="cloud",
+        base_url="https://cloud.example.com",
+        path_prefix="/api",
+        history_path="history_v2",
+        jobs_path="jobs",
+        api_key="test-key",
+    )
+    monkeypatch.setattr("comfy_cli.target.resolve_target", lambda **kw: fake_target)
+    monkeypatch.setattr(jobs_mod, "_is_cloud", lambda w: True)
+    monkeypatch.setattr(jobs_mod, "_cloud_preflight_or_exit", lambda: None)
+
+    calls = _capture_urlopen(
+        monkeypatch,
+        {"/api/jobs/prompt-abc/cancel": b'{"status":"cancelling"}'},
+    )
+
+    runner = CliRunner()
+    result = runner.invoke(jobs_mod.app, ["cancel", "prompt-abc", "--where", "cloud"])
+    assert result.exit_code == 0, result.output
+
+    assert len(calls) == 1
+    assert calls[0]["method"] == "POST"
+    assert "/api/jobs/prompt-abc/cancel" in calls[0]["url"]
+    # Auth header (urllib title-cases X-API-Key → X-api-key).
+    h = {k.lower(): v for k, v in calls[0]["headers"].items()}
+    assert h.get("x-api-key") == "test-key"
+
+
+def test_jobs_cancel_cloud_404_surfaces_prompt_not_found(monkeypatch: pytest.MonkeyPatch):
+    """404 on cloud cancel is the 'unknown prompt_id' signal — surface it as prompt_not_found."""
+    import io
+    import urllib.error
+
+    from typer.testing import CliRunner
+
+    from comfy_cli.target import Target
+
+    fake_target = Target(
+        kind="cloud",
+        base_url="https://cloud.example.com",
+        path_prefix="/api",
+        history_path="history_v2",
+        jobs_path="jobs",
+        api_key="test-key",
+    )
+    monkeypatch.setattr("comfy_cli.target.resolve_target", lambda **kw: fake_target)
+    monkeypatch.setattr(jobs_mod, "_is_cloud", lambda w: True)
+    monkeypatch.setattr(jobs_mod, "_cloud_preflight_or_exit", lambda: None)
+
+    err = urllib.error.HTTPError("https://x/cancel", 404, "Not Found", {}, io.BytesIO(b'{"error":"no such job"}'))
+    _capture_urlopen(monkeypatch, {"/api/jobs/missing/cancel": err})
+
+    runner = CliRunner()
+    result = runner.invoke(jobs_mod.app, ["cancel", "missing", "--where", "cloud"])
+    assert result.exit_code == 1
+    # Output contains the error code marker.
+    assert "prompt_not_found" in result.output
+
+
+def test_is_cloud_honors_env_var(monkeypatch: pytest.MonkeyPatch):
+    """``comfy --where cloud jobs status X`` sets COMFY_WHERE in the env.
+    ``_is_cloud(None)`` must return True so the cloud path is taken.
+
+    Without this, the top-level ``--where cloud`` flag is silently dropped
+    by every ``jobs`` subcommand and the call falls through to local
+    routing — the bug observed during the Veo3 video run.
+    """
+    monkeypatch.setenv("COMFY_WHERE", "cloud")
+    assert jobs_mod._is_cloud(None) is True
+
+
+def test_is_cloud_per_command_flag_still_wins(monkeypatch: pytest.MonkeyPatch):
+    """An explicit ``jobs status X --where local`` must override
+    ``COMFY_WHERE=cloud`` (flag > env > config > default precedence)."""
+    monkeypatch.setenv("COMFY_WHERE", "cloud")
+    assert jobs_mod._is_cloud("local") is False
+    assert jobs_mod._is_cloud("cloud") is True
+
+
+def test_is_cloud_default_local(monkeypatch: pytest.MonkeyPatch):
+    monkeypatch.delenv("COMFY_WHERE", raising=False)
+    # Ensure no persisted config interferes with the default-local assumption.
+    from comfy_cli.config_manager import ConfigManager
+
+    monkeypatch.setattr(ConfigManager(), "get", lambda key: None)
+    assert jobs_mod._is_cloud(None) is False
+
+
+def test_top_level_where_cloud_reaches_preflight(monkeypatch: pytest.MonkeyPatch):
+    """Integration: with COMFY_WHERE=cloud and no auth, ``jobs status``
+    must surface ``cloud_not_configured`` (the preflight error), not
+    ``server_not_running`` (which would mean it routed to local)."""
+    import typer.testing
+
+    monkeypatch.setenv("COMFY_WHERE", "cloud")
+    monkeypatch.delenv("COMFY_CLOUD_API_KEY", raising=False)
+
+    # Force-empty the auth store so preflight reports not-configured even
+    # if the developer running the suite is signed in.
+    from comfy_cli.auth import store as auth_store
+
+    monkeypatch.setattr(auth_store, "get", lambda _: None)
+    monkeypatch.setattr(auth_store, "get_cloud_session", lambda: None)
+
+    from comfy_cli.cmdline import app
+
+    runner = typer.testing.CliRunner()
+    result = runner.invoke(app, ["--json", "jobs", "status", "some-id"])
+
+    # The last non-empty line is the envelope (intermediate messages → stderr).
+    lines = [ln for ln in result.stdout.splitlines() if ln.strip()]
+    assert lines, f"no stdout: stderr={result.stderr!r}"
+    env = json.loads(lines[-1])
+    assert env["ok"] is False
+    assert env["error"]["code"] == "cloud_not_configured", (
+        f"top-level --where cloud was dropped — got {env['error']['code']!r}; this is the routing-flag-position bug"
+    )
+
+
+# ---------------------------------------------------------------------------
+# Discover surface — make sure jobs commands are advertised
+# ---------------------------------------------------------------------------
+
+
+def test_jobs_commands_in_discover():
+    res = _run(["--json", "discover"])
+    env = _last_json(res.stdout)
+    cs = env["data"]["command_schemas"]
+    for k in ("comfy jobs ls", "comfy jobs status", "comfy jobs watch"):
+        assert k in cs, f"{k!r} missing from command_schemas"
+    # Stream event schema for watch
+    assert "comfy jobs watch" in env["data"]["stream_event_schemas"]
+
+
+# ---------------------------------------------------------------------------
+# Run async-by-default
+# ---------------------------------------------------------------------------
+
+
+def test_run_wait_flag_visible_in_help():
+    """Async is the default; --wait is the documented opt-in for blocking."""
+    assert "--wait" in _command_flags("run")
+
+
+def test_run_default_async_emits_clean_server_not_running(tmp_path):
+    """The default (no --wait) still validates the server before submitting,
+    so a missing server emits the structured envelope. Confirms the path
+    is wired through whether async or wait."""
+    wf = tmp_path / "wf.json"
+    wf.write_text(json.dumps({"1": {"class_type": "Anything", "inputs": {}}}))
+    res = _run(
+        [
+            "--json",
+            "run",
+            "--workflow",
+            str(wf),
+            "--host",
+            "127.0.0.1",
+            "--port",
+            "65431",
+        ]
+    )
+    assert res.returncode != 0
+    env = _last_json(res.stdout)
+    assert env["error"]["code"] == "server_not_running"
+
+
+# ---------------------------------------------------------------------------
+# Cancelled / interrupted job terminal-state fixes
+# ---------------------------------------------------------------------------
+
+
+def test_snapshot_maps_interrupted_to_cancelled(monkeypatch):
+    """_snapshot must return status='cancelled' when the history record has
+    completed=False and an execution_interrupted message (not execution_error)."""
+    body = {
+        "pid": {
+            "status": {
+                "completed": False,
+                "messages": [["execution_interrupted", {}]],
+            },
+            "outputs": {},
+        }
+    }
+    monkeypatch.setattr(
+        jobs_mod,
+        "_http_get_json",
+        lambda url, **kw: {} if "/queue" in url else body,
+    )
+    snap = jobs_mod._snapshot("127.0.0.1", 8188, "pid")
+    assert snap is not None
+    assert snap["status"] == "cancelled"
+
+
+def test_poll_local_once_treats_cancelled_as_terminal(monkeypatch):
+    """_poll_local_once must return True (terminal) and set state.status='cancelled'
+    when _snapshot reports status='cancelled'."""
+    from comfy_cli import jobs_state
+    from comfy_cli.command import job_watcher
+
+    monkeypatch.setattr(
+        "comfy_cli.command.jobs._snapshot",
+        lambda h, p, pid: {"prompt_id": pid, "status": "cancelled", "outputs": []},
+    )
+    state = jobs_state.new(prompt_id="pid", client_id="c", workflow="w", where="local")
+    assert job_watcher._poll_local_once(state, host=None, port=None) is True
+    assert state.status == "cancelled"
+
+
+def test_watcher_timeout_preserves_prior_status(monkeypatch):
+    from comfy_cli import jobs_state
+    from comfy_cli.command import job_watcher
+
+    state = jobs_state.new(prompt_id="pid", client_id="c", workflow="w", where="local")
+    state.status = "running"
+    # First time() call (start) = 0.0, second (loop check) is past the ceiling.
+    times = iter([0.0, job_watcher._MAX_RUNTIME_S + 1])
+    monkeypatch.setattr(job_watcher.time, "time", lambda: next(times))
+    monkeypatch.setattr(jobs_state, "write", lambda s: None)
+    monkeypatch.setattr(job_watcher, "_notify", lambda s: None)
+    monkeypatch.setattr(jobs_state, "read", lambda pid: state)
+    job_watcher.watch_job("pid", where="local")
+    assert state.error["details"]["last_status"] == "running"
+
+
+class _FakeCloudClient:
+    """Minimal stand-in for comfy_client.Client used by cloud status paths."""
+
+    def __init__(self, status_payload):
+        self._status_payload = status_payload
+        self.target = type("T", (), {"base_url": "https://cloud.example"})()
+
+    def get_job_status(self, prompt_id):
+        return dict(self._status_payload)
+
+    def get_history(self, prompt_id):  # pragma: no cover — error paths never fetch
+        raise AssertionError("get_history must not be called for failed jobs")
+
+    def extract_output_urls(self, record):  # pragma: no cover
+        return []
+
+
+@pytest.mark.parametrize("raw_status", ["non_retryable_error", "lost"])
+def test_cloud_status_snapshot_maps_fatal_statuses_to_error(monkeypatch, raw_status):
+    """Cloud statuses like non_retryable_error/lost must snapshot to 'error',
+    not leak through raw (which makes `jobs watch` poll forever)."""
+    payload = {"status": raw_status, "error_message": "RIP to the server"}
+    monkeypatch.setattr(jobs_mod, "_cloud_client", lambda: _FakeCloudClient(payload))
+    snap = jobs_mod._cloud_status_snapshot("pid-1")
+    assert snap is not None
+    assert snap["status"] == "error"
+    assert snap["error_message"] == "RIP to the server"
+
+
+@pytest.mark.parametrize("raw_status", ["non_retryable_error", "lost"])
+def test_poll_cloud_once_treats_fatal_statuses_as_terminal(raw_status):
+    """The watcher must treat non_retryable_error/lost as terminal errors and
+    stop polling, recording state.error."""
+    from comfy_cli import jobs_state
+    from comfy_cli.command import job_watcher
+
+    client = _FakeCloudClient({"status": raw_status, "error_message": "RIP to the server"})
+    state = jobs_state.new(prompt_id="pid", client_id="c", workflow="w", where="cloud")
+    assert job_watcher._poll_cloud_once(state, client=client) is True
+    assert state.status == "error"
+    assert state.error is not None
+    assert state.error["message"] == "RIP to the server"
+
+
+_CLOUD_RECORD = {
+    "status": {"completed": True, "status_str": "success"},
+    "outputs": {
+        "9": {"images": [{"filename": "a.png", "subfolder": "", "type": "output"}]},
+        "12": {"videos": [{"filename": "v.mp4", "subfolder": "", "type": "output"}]},
+    },
+}
+
+
+class _CompletedCloudClient:
+    """Fake cloud client for a job that finished successfully."""
+
+    target = type("T", (), {"base_url": "https://cloud.example"})()
+
+    def __init__(self, record=None):
+        self._record = record if record is not None else _CLOUD_RECORD
+
+    def get_job_status(self, prompt_id):
+        return {"status": "success"}
+
+    def get_history(self, prompt_id):
+        return dict(self._record)
+
+    def extract_outputs(self, record):
+        # Mirrors Client.extract_outputs' shape; URL plumbing is the real
+        # client's concern (covered in tests/comfy_cli/cloud/test_client.py).
+        out = []
+        for node_id, node_output in (record.get("outputs") or {}).items():
+            for key in ("images", "gifs", "videos", "audio", "files"):
+                for item in node_output.get(key) or []:
+                    out.append(
+                        {
+                            "node_id": str(node_id),
+                            "url": f"https://cloud.example/view/{item['filename']}",
+                            "filename": item["filename"],
+                            "type": item.get("type", "output"),
+                        }
+                    )
+        return out
+
+
+def test_cloud_status_snapshot_groups_outputs_by_node_and_item(monkeypatch):
+    """With a state file carrying an item_map, the cloud snapshot exposes
+    outputs grouped by producing node and by blueprint foreach item."""
+    from comfy_cli import jobs_state
+
+    monkeypatch.setattr(jobs_mod, "_cloud_client", lambda: _CompletedCloudClient())
+    state = jobs_state.new(prompt_id="pid-grouped", client_id="c", workflow="w", where="cloud")
+    state.item_map = {
+        "s1": {"nodes": ["9"], "save_node": "9", "prefix": "outputs/s1"},
+        "s2": {"nodes": ["12"], "save_node": "12", "prefix": "outputs/s2"},
+    }
+    jobs_state.write(state)
+
+    snap = jobs_mod._cloud_status_snapshot("pid-grouped")
+    assert snap is not None
+    assert snap["status"] == "completed"
+    assert snap["outputs"] == ["https://cloud.example/view/a.png", "https://cloud.example/view/v.mp4"]
+    assert snap["outputs_by_node"] == {
+        "9": ["https://cloud.example/view/a.png"],
+        "12": ["https://cloud.example/view/v.mp4"],
+    }
+    assert snap["outputs_by_item"] == {
+        "s1": ["https://cloud.example/view/a.png"],
+        "s2": ["https://cloud.example/view/v.mp4"],
+    }
+
+
+def test_cloud_status_snapshot_without_item_map_emits_empty_by_item(monkeypatch):
+    """No state file (or no item_map) → outputs_by_item stays {} while
+    outputs_by_node is still grouped from the history record."""
+    monkeypatch.setattr(jobs_mod, "_cloud_client", lambda: _CompletedCloudClient())
+
+    snap = jobs_mod._cloud_status_snapshot("pid-no-map")
+    assert snap is not None
+    assert snap["outputs_by_node"] == {
+        "9": ["https://cloud.example/view/a.png"],
+        "12": ["https://cloud.example/view/v.mp4"],
+    }
+    assert snap["outputs_by_item"] == {}
+
+
+def test_cloud_status_snapshot_non_terminal_keeps_empty_groupings(monkeypatch):
+    """In-flight jobs have no record to group — keys present, empty dicts."""
+
+    class _RunningClient(_CompletedCloudClient):
+        def get_job_status(self, prompt_id):
+            return {"status": "running"}
+
+        def get_history(self, prompt_id):  # pragma: no cover — must not be called
+            raise AssertionError("history must not be fetched for in-flight jobs")
+
+    monkeypatch.setattr(jobs_mod, "_cloud_client", lambda: _RunningClient())
+    snap = jobs_mod._cloud_status_snapshot("pid-running")
+    assert snap is not None
+    assert snap["outputs_by_node"] == {}
+    assert snap["outputs_by_item"] == {}
+
+
+def test_jobs_status_cloud_envelope_carries_grouped_outputs(monkeypatch, capsys):
+    """End-to-end through `jobs status --where cloud`: the envelope data
+    carries outputs_by_node / outputs_by_item."""
+    from comfy_cli import jobs_state
+    from comfy_cli.output import Renderer, set_renderer
+    from comfy_cli.output.renderer import OutputMode
+
+    monkeypatch.setattr(jobs_mod, "_cloud_preflight_or_exit", lambda: None)
+    monkeypatch.setattr(jobs_mod, "_cloud_client", lambda: _CompletedCloudClient())
+    state = jobs_state.new(prompt_id="pid-env", client_id="c", workflow="w", where="cloud")
+    state.item_map = {"s1": {"nodes": ["9", "12"], "save_node": "12", "prefix": "outputs/s1"}}
+    jobs_state.write(state)
+
+    set_renderer(Renderer(mode=OutputMode.NDJSON, command="jobs status"))
+    jobs_mod._cloud_status("pid-env")
+    lines = [ln for ln in capsys.readouterr().out.splitlines() if ln.strip()]
+    env = json.loads(lines[-1])
+    assert env["type"] == "envelope" and env["ok"] is True
+    assert env["data"]["outputs_by_node"]["9"] == ["https://cloud.example/view/a.png"]
+    assert env["data"]["outputs_by_item"]["s1"] == [
+        "https://cloud.example/view/a.png",
+        "https://cloud.example/view/v.mp4",
+    ]
+
+
+def test_jobs_watch_cloud_terminal_envelope_carries_grouped_outputs(monkeypatch, capsys):
+    """`jobs watch --where cloud` reaches terminal via the same snapshot —
+    the grouped keys must flow through to the terminal envelope."""
+    from comfy_cli import jobs_state
+    from comfy_cli.output import Renderer, set_renderer
+    from comfy_cli.output.renderer import OutputMode
+
+    monkeypatch.setattr(jobs_mod, "_cloud_preflight_or_exit", lambda: None)
+    monkeypatch.setattr(jobs_mod, "_cloud_client", lambda: _CompletedCloudClient())
+    state = jobs_state.new(prompt_id="pid-watch", client_id="c", workflow="w", where="cloud")
+    state.item_map = {"s1": {"nodes": ["9"], "save_node": "9", "prefix": "outputs/s1"}}
+    jobs_state.write(state)
+
+    set_renderer(Renderer(mode=OutputMode.NDJSON, command="jobs watch"))
+    jobs_mod._cloud_watch("pid-watch", poll_interval=0.01, max_wait=5)
+    lines = [ln for ln in capsys.readouterr().out.splitlines() if ln.strip()]
+    env = json.loads(lines[-1])
+    assert env["type"] == "envelope" and env["ok"] is True
+    assert env["data"]["status"] == "completed"
+    assert env["data"]["outputs_by_node"] == {
+        "9": ["https://cloud.example/view/a.png"],
+        "12": ["https://cloud.example/view/v.mp4"],
+    }
+    assert env["data"]["outputs_by_item"] == {"s1": ["https://cloud.example/view/a.png"]}
+
+
+def test_jobs_schema_documents_grouped_outputs():
+    """schemas/jobs.json carries the additive grouped-output keys."""
+    schema_path = Path(__file__).parents[3] / "comfy_cli" / "schemas" / "jobs.json"
+    schema = json.loads(schema_path.read_text())
+    for key in ("outputs_by_node", "outputs_by_item"):
+        prop = schema["properties"][key]
+        assert prop["type"] == "object"
+        assert prop["additionalProperties"] == {"type": "array", "items": {"type": "string"}}
+
+
+def test_poll_cloud_once_stashes_history_record_on_completion():
+    """When the watcher fetches history at terminal, the full node-keyed
+    record must be stashed on state.record so later consumers (grouped
+    outputs, item-named downloads) don't need a second API call."""
+    from comfy_cli import jobs_state
+    from comfy_cli.command import job_watcher
+
+    history = {
+        "status": {"completed": True, "status_str": "success"},
+        "outputs": {"9": {"images": [{"filename": "a.png", "subfolder": "", "type": "output"}]}},
+    }
+
+    class _DoneClient:
+        target = type("T", (), {"base_url": "https://cloud.example"})()
+
+        def get_job_status(self, prompt_id):
+            return {"status": "success"}  # no inline outputs → history fetch
+
+        def get_history(self, prompt_id):
+            return dict(history)
+
+        def extract_output_urls(self, record):
+            return ["https://cloud.example/api/view?filename=a.png&subfolder=&type=output"]
+
+    state = jobs_state.new(prompt_id="pid", client_id="c", workflow="w", where="cloud")
+    assert job_watcher._poll_cloud_once(state, client=_DoneClient()) is True
+    assert state.status == "completed"
+    assert state.record == history
+    assert state.outputs == ["https://cloud.example/api/view?filename=a.png&subfolder=&type=output"]
+
+
+def test_watcher_unknown_status_stall_writes_error(monkeypatch):
+    """A cloud status the CLI does not recognize (and that never changes) must
+    not hang the watcher for the full 6h ceiling — after _UNKNOWN_STALL_S it
+    writes terminal status='error' with code 'unknown_status_stall'."""
+    from comfy_cli import jobs_state
+    from comfy_cli.command import job_watcher
+
+    class _WeirdClient:
+        target = type("T", (), {"base_url": "https://cloud.example"})()
+
+        def get_job_status(self, prompt_id):
+            return {"status": "weird_new_state"}
+
+    state = jobs_state.new(prompt_id="pid", client_id="c", workflow="w", where="cloud")
+    monkeypatch.setattr(jobs_state, "read", lambda pid: state)
+    monkeypatch.setattr(jobs_state, "write", lambda s: None)
+    monkeypatch.setattr(job_watcher, "_notify", lambda s: None)
+    monkeypatch.setattr("comfy_cli.target.resolve_target", lambda where: object())
+    monkeypatch.setattr("comfy_cli.comfy_client.Client", lambda target, **kw: _WeirdClient())
+    # Fake clock: each time() call advances 150s; sleep is a no-op. The guard
+    # window (300s) elapses after a couple of polls instead of for real.
+    clock = {"t": 0.0}
+
+    def fake_time():
+        clock["t"] += 150.0
+        return clock["t"]
+
+    monkeypatch.setattr(job_watcher.time, "time", fake_time)
+    monkeypatch.setattr(job_watcher.time, "sleep", lambda s: None)
+
+    job_watcher.watch_job("pid", where="cloud")
+
+    assert state.status == "error"
+    assert state.error is not None
+    assert state.error["code"] == "unknown_status_stall"
+    assert "weird_new_state" in state.error["message"]
+
+
+def test_watcher_known_inflight_status_never_stalls(monkeypatch):
+    """Known in-flight statuses (queued/running/...) must not trip the
+    unknown-status stall guard even when unchanged past the window."""
+    from comfy_cli import jobs_state
+    from comfy_cli.command import job_watcher
+
+    statuses = iter(["running"] * 5 + ["success"])
+
+    class _SlowClient:
+        target = type("T", (), {"base_url": "https://cloud.example"})()
+
+        def get_job_status(self, prompt_id):
+            return {"status": next(statuses)}
+
+        def get_history(self, prompt_id):
+            return None
+
+    state = jobs_state.new(prompt_id="pid", client_id="c", workflow="w", where="cloud")
+    monkeypatch.setattr(jobs_state, "read", lambda pid: state)
+    monkeypatch.setattr(jobs_state, "write", lambda s: None)
+    monkeypatch.setattr(job_watcher, "_notify", lambda s: None)
+    monkeypatch.setattr("comfy_cli.target.resolve_target", lambda where: object())
+    monkeypatch.setattr("comfy_cli.comfy_client.Client", lambda target, **kw: _SlowClient())
+    clock = {"t": 0.0}
+
+    def fake_time():
+        clock["t"] += 150.0
+        return clock["t"]
+
+    monkeypatch.setattr(job_watcher.time, "time", fake_time)
+    monkeypatch.setattr(job_watcher.time, "sleep", lambda s: None)
+
+    job_watcher.watch_job("pid", where="cloud")
+
+    assert state.status == "completed"
+    assert state.error is None
+
+
+def test_emit_terminal_verdicts():
+    import typer
+
+    from comfy_cli.command import jobs
+    from comfy_cli.output.renderer import get_renderer, reset_renderer_for_testing
+
+    def verdict(payload):
+        reset_renderer_for_testing()
+        r = get_renderer()
+        try:
+            jobs._emit_terminal(r, dict(payload), command="jobs watch")
+        except typer.Exit as e:
+            return e.exit_code
+        return 0
+
+    assert verdict({"prompt_id": "p", "status": "error"}) == 1
+    assert verdict({"prompt_id": "p", "status": "cancelled"}) == 130
+    assert verdict({"prompt_id": "p", "status": "completed", "outputs": []}) == 0
+
+
+def test_emit_terminal_falls_back_to_top_level_error_message(capsys):
+    """Cloud snapshots carry failure text at top-level `error_message`, not in
+    an `error` dict — _emit_terminal must surface it in the error envelope."""
+    import typer
+
+    from comfy_cli.command import jobs
+    from comfy_cli.output.renderer import OutputMode, Renderer
+
+    renderer = Renderer(mode=OutputMode.JSON)
+    payload = {"prompt_id": "p", "status": "error", "error_message": "OOM on worker"}
+    with pytest.raises(typer.Exit) as exc_info:
+        jobs._emit_terminal(renderer, payload, command="jobs watch")
+    assert exc_info.value.exit_code == 1
+    env = json.loads(capsys.readouterr().out.strip().splitlines()[-1])
+    assert env["ok"] is False
+    assert "OOM on worker" in env["error"]["message"]
+
+
+def test_emit_terminal_prefers_error_dict_message(capsys):
+    """When both are present, the structured error dict's message wins."""
+    import typer
+
+    from comfy_cli.command import jobs
+    from comfy_cli.output.renderer import OutputMode, Renderer
+
+    renderer = Renderer(mode=OutputMode.JSON)
+    payload = {
+        "prompt_id": "p",
+        "status": "error",
+        "error": {"code": "execution_error", "message": "node 5 exploded"},
+        "error_message": "OOM on worker",
+    }
+    with pytest.raises(typer.Exit):
+        jobs._emit_terminal(renderer, payload, command="jobs watch")
+    env = json.loads(capsys.readouterr().out.strip().splitlines()[-1])
+    assert env["error"]["message"] == "node 5 exploded"
+
+
+def test_local_cancel_writes_cancelled_state(monkeypatch: pytest.MonkeyPatch):
+    """_local_cancel must persist status='cancelled' to the on-disk state file
+    after successfully POSTing to /queue and /interrupt."""
+    from typer.testing import CliRunner
+
+    from comfy_cli import jobs_state
+
+    # Pre-write a state file so _local_cancel has something to update.
+    st = jobs_state.new(prompt_id="pidX", client_id="c", workflow="w", where="local")
+    jobs_state.write(st)
+    assert jobs_state.read("pidX") is not None
+
+    monkeypatch.setattr(jobs_mod, "_server_or_error", lambda h, p, **kw: True)
+    _capture_urlopen(
+        monkeypatch,
+        {
+            "/queue": b"{}",
+            "/interrupt": b"{}",
+        },
+    )
+
+    runner = CliRunner()
+    result = runner.invoke(jobs_mod.app, ["cancel", "pidX", "--where", "local"])
+    assert result.exit_code == 0, result.output
+
+    # The on-disk state file must now carry status='cancelled'.
+    persisted = jobs_state.read("pidX")
+    assert persisted is not None, "state file was deleted instead of updated"
+    assert persisted.status == "cancelled", f"expected 'cancelled', got {persisted.status!r}"
+
+
+def test_watch_already_cancelled_job_exits_130(monkeypatch):
+    """An already-cancelled local job must short-circuit to exit 130, not hang
+    in the WS loop. Regression for the watch gate omitting 'cancelled'."""
+    import typer  # noqa: F401 — ensures typer.Exit is raised, not SystemExit
+    from typer.testing import CliRunner
+
+    monkeypatch.setattr(jobs_mod, "_server_or_error", lambda h, p, **kw: True)
+    monkeypatch.setattr(
+        jobs_mod,
+        "_snapshot",
+        lambda h, p, pid: {"prompt_id": pid, "status": "cancelled", "outputs": []},
+    )
+
+    # If the gate is broken, watch would try to open a WebSocket. Make
+    # WebSocket construction explode so a fall-through is unmistakable (not a hang).
+    def _boom(*a, **k):
+        raise AssertionError("watch fell through to WebSocket instead of short-circuiting on 'cancelled'")
+
+    monkeypatch.setattr(jobs_mod, "WebSocket", _boom)
+
+    runner = CliRunner()
+    result = runner.invoke(jobs_mod.app, ["watch", "pidX", "--where", "local"])
+    assert result.exit_code == 130, (result.exit_code, result.output)
diff --git a/tests/comfy_cli/output/__init__.py b/tests/comfy_cli/output/__init__.py
new file mode 100644
index 00000000..e69de29b
diff --git a/tests/comfy_cli/output/test_branding.py b/tests/comfy_cli/output/test_branding.py
new file mode 100644
index 00000000..b3650936
--- /dev/null
+++ b/tests/comfy_cli/output/test_branding.py
@@ -0,0 +1,219 @@
+"""Tests for the branded welcome / whoami banners."""
+
+from __future__ import annotations
+
+import io
+import re
+import time
+
+from rich.console import Console
+from rich.panel import Panel
+
+from comfy_cli.output.branding import (
+    TAGLINE,
+    branded_panel,
+    gradient_block,
+    gradient_text,
+    intro_banner,
+    signed_out_banner,
+    welcome_banner,
+    whoami_banner,
+)
+
+# ---------------------------------------------------------------------------
+# Task 1 — branded_panel + TAGLINE (the screen-wide chrome contract)
+# ---------------------------------------------------------------------------
+
+
+def test_tagline_constant():
+    assert TAGLINE == "the agent-aware ComfyUI CLI"
+
+
+def test_branded_panel_minimal_subtitle():
+    panel = branded_panel("body", title="env", version="0.0.0")
+    assert isinstance(panel, Panel)
+    assert str(panel.title) == "env"
+    assert str(panel.subtitle) == "comfy CLI v0.0.0"
+    assert panel.title_align == "left"
+    assert panel.subtitle_align == "right"
+
+
+def test_branded_panel_with_where():
+    panel = branded_panel("body", title="jobs", version="0.0.0", where="local")
+    assert str(panel.subtitle) == "comfy CLI v0.0.0  ·  local"
+
+
+def test_branded_panel_with_where_and_host():
+    panel = branded_panel("body", title="jobs", version="0.0.0", where="local", host="127.0.0.1:8188")
+    assert str(panel.subtitle) == "comfy CLI v0.0.0  ·  local · 127.0.0.1:8188"
+
+
+def test_branded_panel_with_host_no_where():
+    """host alone (no where) — used by cloud whoami screen."""
+    panel = branded_panel("body", title="comfy cloud", version="0.0.0", host="cloud.comfy.org")
+    assert str(panel.subtitle) == "comfy CLI v0.0.0 · cloud.comfy.org"
+
+
+_ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")
+
+
+def _render(renderable, *, width: int = 100) -> str:
+    buf = io.StringIO()
+    Console(file=buf, force_terminal=True, width=width, no_color=True).print(renderable)
+    return _ANSI_RE.sub("", buf.getvalue())
+
+
+# ---------------------------------------------------------------------------
+# gradient helpers
+# ---------------------------------------------------------------------------
+
+
+def test_gradient_text_preserves_input_characters():
+    text = gradient_text("comfy cloud")
+    assert text.plain == "comfy cloud"
+
+
+def test_gradient_block_preserves_row_content():
+    rows = [" ████   ████ ", "██     ██  ██", "██     ██  ██"]
+    block = gradient_block(rows)
+    # plain (un-styled) text should be the rows joined by newlines.
+    assert block.plain == "\n".join(rows)
+
+
+def test_gradient_block_handles_single_row():
+    block = gradient_block(["one row only"])
+    assert block.plain == "one row only"
+
+
+# ---------------------------------------------------------------------------
+# welcome_banner
+# ---------------------------------------------------------------------------
+
+
+def test_welcome_banner_includes_wordmark_and_info():
+    out = _render(
+        welcome_banner(
+            base_url="https://testcloud.comfy.org",
+            scope="mcp:tools:read mcp:tools:call",
+            client_id="comfy-cli",
+            expires_at=int(time.time()) + 3600,
+            cta="comfy run --workflow X.json",
+        )
+    )
+    # Wordmark glyph rows: at least one row of block characters present.
+    assert "████" in out
+    # Subtitle below the wordmark.
+    assert "C  L  O  U  D" in out
+    assert "Signed in to Comfy Cloud" in out
+    assert "mcp:tools:read" in out
+    assert "comfy-cli" in out
+    # CTA arrow.
+    assert "→" in out
+    assert "comfy run --workflow X.json" in out
+    # Host shown in the subtitle.
+    assert "testcloud.comfy.org" in out
+
+
+def test_welcome_banner_renders_in_narrow_terminal():
+    # 60 cols is the lower bound we care about — must not raise / wrap badly.
+    out = _render(
+        welcome_banner(
+            base_url="https://testcloud.comfy.org",
+            scope="mcp:tools:read",
+            client_id="comfy-cli",
+            expires_at=int(time.time()) + 600,
+            cta=None,
+        ),
+        width=60,
+    )
+    assert "Signed in" in out
+    assert "comfy-cli" in out
+
+
+def test_welcome_banner_humanizes_expiry():
+    out = _render(
+        welcome_banner(
+            base_url="https://testcloud.comfy.org",
+            scope="x",
+            client_id="c",
+            expires_at=int(time.time()) + 3597,
+            cta=None,
+        )
+    )
+    # "in 59m 57s" (or close — exact seconds may drift in CI)
+    assert re.search(r"in \d+m \d+s", out), out
+
+
+# ---------------------------------------------------------------------------
+# whoami_banner / signed_out_banner
+# ---------------------------------------------------------------------------
+
+
+def test_whoami_banner_active_shows_check():
+    out = _render(
+        whoami_banner(
+            base_url="https://testcloud.comfy.org",
+            scope="mcp:tools:read",
+            client_id="comfy-cli",
+            expires_at=int(time.time()) + 600,
+            expired=False,
+        )
+    )
+    assert "active" in out
+    assert "✓" in out
+    assert "comfy-cli" in out
+
+
+def test_whoami_banner_expired_shows_warning():
+    out = _render(
+        whoami_banner(
+            base_url="https://testcloud.comfy.org",
+            scope="mcp:tools:read",
+            client_id="comfy-cli",
+            expires_at=int(time.time()) - 60,
+            expired=True,
+        )
+    )
+    assert "expired" in out
+    assert "⚠" in out
+
+
+def test_intro_banner_signed_out_includes_wordmark_and_login_hint():
+    out = _render(
+        intro_banner(
+            version="0.0.0",
+            signed_in=False,
+            base_url="https://testcloud.comfy.org",
+        )
+    )
+    assert "████" in out  # wordmark glyph present
+    assert "the agent-aware ComfyUI CLI" in out
+    assert "Quick start" in out
+    assert "comfy install" in out
+    assert "comfy launch" in out
+    assert "comfy auth login" in out or "comfy cloud login" in out
+    assert "comfy discover" in out
+    assert "comfy --help" in out
+    assert "not signed in" in out
+    assert "comfy CLI v0.0.0" in out or "comfy-cli v0.0.0" in out
+
+
+def test_intro_banner_signed_in_shows_check_and_host():
+    out = _render(
+        intro_banner(
+            version="1.2.3",
+            signed_in=True,
+            base_url="https://testcloud.comfy.org",
+        )
+    )
+    assert "signed in" in out
+    assert "✓" in out
+    assert "testcloud.comfy.org" in out
+    assert "comfy CLI v1.2.3" in out or "comfy-cli v1.2.3" in out
+
+
+def test_signed_out_banner_points_at_login():
+    out = _render(signed_out_banner(base_url="https://testcloud.comfy.org"))
+    assert "not signed in" in out
+    assert "comfy auth login" in out or "comfy cloud login" in out
+    assert "testcloud.comfy.org" in out
diff --git a/tests/comfy_cli/output/test_caller.py b/tests/comfy_cli/output/test_caller.py
new file mode 100644
index 00000000..79df1e75
--- /dev/null
+++ b/tests/comfy_cli/output/test_caller.py
@@ -0,0 +1,72 @@
+"""Caller detection: env vars + TTY → agentic mode.
+
+Priority: COMFY_USER_AGENT > AI_AGENT > CLAUDECODE > non-TTY > user.
+All agentic callers flip the same three defaults (JSON, skip prompts,
+no banner). The ``kind`` field is for analytics/logging only.
+"""
+
+from comfy_cli.caller import detect_caller
+
+
+def test_tty_no_env_is_user():
+    c = detect_caller(env={}, is_tty=True)
+    assert c.kind == "user"
+    assert c.agentic is False
+    assert c.source_env is None
+
+
+def test_no_tty_is_pipe():
+    """Piped into another process or backgrounded → agentic, kind="pipe"."""
+    c = detect_caller(env={}, is_tty=False)
+    assert c.agentic is True
+    assert c.kind == "pipe"
+    assert c.source_env is None
+
+
+def test_ai_agent_env_var_forces_agentic_even_on_tty():
+    c = detect_caller(env={"AI_AGENT": "1"}, is_tty=True)
+    assert c.agentic is True
+    assert c.kind == "agent"
+    assert c.source_env == "AI_AGENT"
+
+
+def test_ai_agent_explicit_off_falls_through():
+    """A user who set AI_AGENT=0 doesn't want the agentic path."""
+    c = detect_caller(env={"AI_AGENT": "0"}, is_tty=True)
+    assert c.agentic is False
+    assert c.kind == "user"
+
+
+def test_claude_code_detected_on_tty():
+    """CLAUDECODE=1 is set in every shell Claude Code spawns."""
+    c = detect_caller(env={"CLAUDECODE": "1"}, is_tty=True)
+    assert c.agentic is True
+    assert c.kind == "claude-code"
+    assert c.source_env == "CLAUDECODE"
+
+
+def test_claude_code_off_falls_through():
+    c = detect_caller(env={"CLAUDECODE": "0"}, is_tty=True)
+    assert c.agentic is False
+    assert c.kind == "user"
+
+
+def test_ai_agent_wins_over_claudecode():
+    """AI_AGENT is more specific (explicitly set by agent frameworks)."""
+    c = detect_caller(env={"AI_AGENT": "1", "CLAUDECODE": "1"}, is_tty=True)
+    assert c.kind == "agent"
+    assert c.source_env == "AI_AGENT"
+
+
+def test_user_agent_override_carries_label():
+    """COMFY_USER_AGENT lets a wrapper self-attribute with a specific label."""
+    c = detect_caller(env={"COMFY_USER_AGENT": "my-bot"}, is_tty=True)
+    assert c.agentic is True
+    assert c.kind == "my-bot"
+    assert c.source_env == "COMFY_USER_AGENT"
+
+
+def test_user_agent_override_wins_over_everything():
+    c = detect_caller(env={"COMFY_USER_AGENT": "harness", "AI_AGENT": "1", "CLAUDECODE": "1"}, is_tty=True)
+    assert c.kind == "harness"
+    assert c.source_env == "COMFY_USER_AGENT"
diff --git a/tests/comfy_cli/output/test_cancellation.py b/tests/comfy_cli/output/test_cancellation.py
new file mode 100644
index 00000000..dcbed2de
--- /dev/null
+++ b/tests/comfy_cli/output/test_cancellation.py
@@ -0,0 +1,93 @@
+"""Cancellation token + SIGINT integration."""
+
+import os
+import signal
+import threading
+import time
+
+import pytest
+
+from comfy_cli import cancellation
+
+
+@pytest.fixture(autouse=True)
+def reset_token():
+    cancellation.reset_for_testing()
+    yield
+    cancellation.reset_for_testing()
+
+
+def test_token_starts_unset():
+    t = cancellation.get_token()
+    assert t.is_set() is False
+
+
+def test_cancel_sets_event():
+    t = cancellation.get_token()
+    t.cancel()
+    assert t.is_set() is True
+
+
+def test_callbacks_fire_on_cancel():
+    t = cancellation.get_token()
+    seen = []
+    t.on_cancel(lambda: seen.append("a"))
+    t.on_cancel(lambda: seen.append("b"))
+    t.cancel()
+    assert seen == ["a", "b"]
+
+
+def test_callback_registered_after_cancel_fires_immediately():
+    t = cancellation.get_token()
+    t.cancel()
+    seen = []
+    t.on_cancel(lambda: seen.append("late"))
+    assert seen == ["late"]
+
+
+def test_cancel_is_idempotent():
+    t = cancellation.get_token()
+    seen = []
+    t.on_cancel(lambda: seen.append("x"))
+    t.cancel()
+    t.cancel()
+    assert seen == ["x"]
+
+
+def test_callback_exception_does_not_propagate():
+    t = cancellation.get_token()
+
+    def boom():
+        raise RuntimeError("nope")
+
+    t.on_cancel(boom)
+    # Must not raise.
+    t.cancel()
+    assert t.is_set()
+
+
+def test_wait_releases_on_cancel():
+    t = cancellation.get_token()
+    threading.Timer(0.05, t.cancel).start()
+    got = t.wait(timeout=1.0)
+    assert got is True
+
+
+def test_sigint_handler_cancels_token():
+    # Install the handler then send SIGINT to this process.
+    t = cancellation.install_sigint_handler()
+    raised = []
+    try:
+        os.kill(os.getpid(), signal.SIGINT)
+        # Give the handler a moment to run.
+        time.sleep(0.05)
+    except KeyboardInterrupt:
+        raised.append(True)
+    assert t.is_set()
+    assert raised == [True], "default chained handler should still raise"
+
+
+def test_install_is_idempotent():
+    t1 = cancellation.install_sigint_handler()
+    t2 = cancellation.install_sigint_handler()
+    assert t1 is t2
diff --git a/tests/comfy_cli/output/test_discovery.py b/tests/comfy_cli/output/test_discovery.py
new file mode 100644
index 00000000..07a71136
--- /dev/null
+++ b/tests/comfy_cli/output/test_discovery.py
@@ -0,0 +1,242 @@
+"""Phase 2: ``comfy discover`` produces a complete self-describing document.
+
+These are the contract tests: an agent should be able to call ``comfy
+--json discover`` once and get everything it needs without consulting source.
+"""
+
+from __future__ import annotations
+
+import ast
+import json
+import os
+import subprocess
+import sys
+from pathlib import Path
+
+import jsonschema
+import pytest
+
+SCHEMAS_DIR = Path(__file__).parent.parent.parent.parent / "comfy_cli" / "schemas"
+SRC_ROOT = Path(__file__).resolve().parents[3] / "comfy_cli"
+
+
+def _validator_for(schema_name: str) -> jsonschema.Validator:
+    schema = json.loads((SCHEMAS_DIR / schema_name).read_text())
+    store: dict[str, dict] = {}
+    for path in SCHEMAS_DIR.glob("*.json"):
+        s = json.loads(path.read_text())
+        if s.get("$id"):
+            store[s["$id"]] = s
+        store[path.name] = s
+    base = SCHEMAS_DIR.absolute().as_uri() + "/"
+    resolver = jsonschema.RefResolver(base_uri=base, referrer=schema, store=store)
+    return jsonschema.Draft202012Validator(schema, resolver=resolver)
+
+
+def _run_cli(args: list[str], env: dict | None = None) -> dict:
+    proc_env = os.environ.copy()
+    proc_env.setdefault("NO_COLOR", "1")
+    if env:
+        proc_env.update(env)
+    result = subprocess.run(
+        [sys.executable, "-m", "comfy_cli", *args],
+        capture_output=True,
+        text=True,
+        env=proc_env,
+        check=False,
+    )
+    assert result.stdout.strip(), f"empty stdout. stderr={result.stderr!r}"
+    last = [line for line in result.stdout.splitlines() if line.strip()][-1]
+    return json.loads(last)
+
+
+def test_discover_envelope_validates():
+    envelope = _run_cli(["--json", "discover"])
+    _validator_for("envelope.json").validate(envelope)
+    assert envelope["ok"] is True
+    assert envelope["command"] == "discover"
+
+
+def test_discover_payload_validates():
+    envelope = _run_cli(["--json", "discover"])
+    _validator_for("discover.json").validate(envelope["data"])
+
+
+def test_discover_includes_all_shipped_schemas():
+    envelope = _run_cli(["--json", "discover"])
+    data = envelope["data"]
+    shipped = {p.stem for p in SCHEMAS_DIR.glob("*.json")}
+    declared = set(data["schemas"].keys())
+    assert shipped == declared
+
+
+def test_discover_annotates_commands_with_schema():
+    envelope = _run_cli(["--json", "discover"])
+    cmds = envelope["data"]["commands"]
+    assert cmds["env"]["output_schema"] == "env.json"
+    assert cmds["which"]["output_schema"] == "which.json"
+    assert cmds["run"]["output_schema"] == "run.json"
+    assert cmds["run"]["stream_event_schema"] == "run_event.json"
+    assert cmds["discover"]["output_schema"] == "discover.json"
+
+
+def test_discover_includes_error_codes_from_markdown():
+    envelope = _run_cli(["--json", "discover"])
+    codes = {row["code"] for row in envelope["data"]["error_codes"]}
+    # Spot-check a representative set across phases.
+    assert "cancelled" in codes
+    assert "workflow_not_found" in codes
+    assert "cloud_not_configured" in codes
+    # `cql_unavailable` was removed when the Python grammar layer was deleted.
+    assert "cql_no_graph" in codes  # the loader's "no source available" survives
+
+
+def test_discover_capabilities_flags():
+    envelope = _run_cli(["--json", "discover"])
+    caps = envelope["data"]["capabilities"]
+    assert caps["json_envelope"] is True
+    assert caps["json_stream"] is True
+    assert caps["cancellation"] is True
+    assert caps["cql"] is True
+    assert caps["where_routing"] is True
+    assert "local" in caps["where_targets"]
+    assert "cloud" in caps["where_targets"]
+
+
+def test_discover_schemas_only_strips_command_tree():
+    envelope = _run_cli(["--json", "discover", "--schemas-only"])
+    data = envelope["data"]
+    assert "schemas" in data
+    assert "commands" not in data
+    assert "error_codes" not in data
+
+
+def test_models_and_templates_registered():
+    from comfy_cli.discovery import COMMAND_SCHEMAS
+
+    for cmd in (
+        "comfy models search",
+        "comfy models show",
+        "comfy models list-folders",
+        "comfy models list-folder",
+        "comfy templates ls",
+        "comfy templates show",
+        "comfy templates fetch",
+    ):
+        assert cmd in COMMAND_SCHEMAS, cmd
+
+
+def test_discover_exposes_output_contract_versions():
+    """Agents negotiate shape on `output_contract`, not the CLI version."""
+    from comfy_cli.output.renderer import ENVELOPE_SCHEMA, EVENT_SCHEMA
+
+    envelope = _run_cli(["--json", "discover"])
+    contract = envelope["data"]["output_contract"]
+    assert contract == {"envelope": ENVELOPE_SCHEMA, "event": EVENT_SCHEMA}
+    assert contract == {"envelope": "envelope/1", "event": "event/1"}
+    # The envelope itself carries the discriminator + version.
+    assert envelope["schema"] == "envelope/1"
+    assert envelope["type"] == "envelope"
+
+
+# ---------------------------------------------------------------------------
+# Registration ratchet: every `renderer.emit(..., command="X")` call site must
+# either be registered in COMMAND_SCHEMAS or sit in the frozen allowlist
+# below. The allowlist may only shrink — new commands must register a schema.
+# (Scan style mirrors tests/comfy_cli/output/test_error_code_registry.py.)
+# ---------------------------------------------------------------------------
+
+# Commands that emitted envelopes before schema registration was enforced.
+# Do NOT add to this set: register the command in COMMAND_SCHEMAS instead.
+LEGACY_UNREGISTERED: frozenset[str] = frozenset(
+    {
+        "agent-review",
+        "cloud set-base-url",
+        "cloud set-key",
+        "feedback",
+        "generate emit-workflow",
+        "jobs cancel",
+        "setup",
+        "welcome",
+    }
+)
+
+
+def _iter_python_files(root: Path):
+    for p in root.rglob("*.py"):
+        if "__pycache__" in p.parts:
+            continue
+        yield p
+
+
+def _collect_emitted_commands() -> dict[str, list[Path]]:
+    """AST-scan comfy_cli for ``.emit(..., command="X")`` literal call sites."""
+    found: dict[str, list[Path]] = {}
+    for path in _iter_python_files(SRC_ROOT):
+        try:
+            tree = ast.parse(path.read_text(encoding="utf-8"))
+        except (OSError, SyntaxError):
+            continue
+        for node in ast.walk(tree):
+            if not isinstance(node, ast.Call):
+                continue
+            func = node.func
+            if not (isinstance(func, ast.Attribute) and func.attr == "emit"):
+                continue
+            for kw in node.keywords:
+                if kw.arg == "command" and isinstance(kw.value, ast.Constant) and isinstance(kw.value.value, str):
+                    found.setdefault(kw.value.value, []).append(path)
+    return found
+
+
+@pytest.fixture(scope="module")
+def emitted_commands() -> dict[str, list[Path]]:
+    return _collect_emitted_commands()
+
+
+def test_every_emitted_command_registers_a_schema(emitted_commands):
+    """If this fails: you added a `renderer.emit(command="X")` call without
+    registering X in COMMAND_SCHEMAS. Register it (comfy_cli/discovery.py),
+    don't grow LEGACY_UNREGISTERED."""
+    from comfy_cli.discovery import COMMAND_SCHEMAS
+
+    assert emitted_commands, "AST scan found no emit(command=...) call sites — scanner broken?"
+    unregistered = {
+        cmd: [str(p.relative_to(SRC_ROOT.parent)) for p in paths]
+        for cmd, paths in sorted(emitted_commands.items())
+        if f"comfy {cmd}" not in COMMAND_SCHEMAS and cmd not in LEGACY_UNREGISTERED
+    }
+    assert not unregistered, (
+        f"Commands emitting envelopes without a registered schema:\n{unregistered}\n"
+        "Add each to COMMAND_SCHEMAS in comfy_cli/discovery.py."
+    )
+
+
+def test_legacy_unregistered_only_shrinks(emitted_commands):
+    """Every allowlisted command must still exist in source. If this fails the
+    command was removed or registered — delete it from LEGACY_UNREGISTERED so
+    the allowlist ratchets down."""
+    from comfy_cli.discovery import COMMAND_SCHEMAS
+
+    stale = sorted(
+        cmd for cmd in LEGACY_UNREGISTERED if cmd not in emitted_commands or f"comfy {cmd}" in COMMAND_SCHEMAS
+    )
+    assert not stale, f"Stale LEGACY_UNREGISTERED entries (no longer emitted, or now registered): {stale}"
+
+
+def test_discover_pretty_mode_shows_counts():
+    proc_env = os.environ.copy()
+    proc_env.setdefault("NO_COLOR", "1")
+    result = subprocess.run(
+        [sys.executable, "-m", "comfy_cli", "--no-json", "discover"],
+        capture_output=True,
+        text=True,
+        env=proc_env,
+        check=False,
+    )
+    # Panel-rendered pretty output: section headers + counts.
+    assert "Commands" in result.stdout
+    assert "Schemas" in result.stdout
+    assert "Capabilities" in result.stdout
+    with pytest.raises(json.JSONDecodeError):
+        json.loads(result.stdout)
diff --git a/tests/comfy_cli/output/test_envelope_schemas.py b/tests/comfy_cli/output/test_envelope_schemas.py
new file mode 100644
index 00000000..3db7e2b6
--- /dev/null
+++ b/tests/comfy_cli/output/test_envelope_schemas.py
@@ -0,0 +1,160 @@
+"""Validate that envelope / error / help schemas are well-formed and that
+real output from migrated commands validates against the appropriate schema.
+
+This is the regression gate the plan calls out: every --json-capable command
+ships a schema and its output must pass.
+"""
+
+from __future__ import annotations
+
+import json
+import os
+import subprocess
+import sys
+from pathlib import Path
+
+import jsonschema
+import pytest
+
+SCHEMAS_DIR = Path(__file__).parent.parent.parent.parent / "comfy_cli" / "schemas"
+
+
+def _load_schema(name: str) -> dict:
+    return json.loads((SCHEMAS_DIR / name).read_text())
+
+
+def _validator_for(name: str) -> jsonschema.Validator:
+    schema = _load_schema(name)
+    # Build a local store keyed by $id AND by filename so refs like
+    # "error.json" resolve without hitting the network.
+    store = {}
+    for path in SCHEMAS_DIR.glob("*.json"):
+        s = json.loads(path.read_text())
+        sid = s.get("$id")
+        if sid:
+            store[sid] = s
+        store[path.name] = s
+    base = SCHEMAS_DIR.absolute().as_uri() + "/"
+    resolver = jsonschema.RefResolver(base_uri=base, referrer=schema, store=store)
+    return jsonschema.Draft202012Validator(schema, resolver=resolver)
+
+
+@pytest.mark.parametrize(
+    "schema_name",
+    [
+        "envelope.json",
+        "error.json",
+        "help.json",
+        "env.json",
+        "which.json",
+        "run.json",
+        "run_event.json",
+    ],
+)
+def test_schemas_are_well_formed(schema_name):
+    schema = _load_schema(schema_name)
+    # Will raise if the schema itself is invalid.
+    jsonschema.Draft202012Validator.check_schema(schema)
+
+
+def test_envelope_schema_declares_contract_version():
+    """envelope.json pins the discriminator + version the renderer emits."""
+    from comfy_cli.output.renderer import ENVELOPE_SCHEMA
+
+    props = _load_schema("envelope.json")["properties"]
+    assert props["schema"]["const"] == ENVELOPE_SCHEMA == "envelope/1"
+    assert props["type"]["const"] == "envelope"
+
+
+def test_run_event_schema_declares_contract_version():
+    from comfy_cli.output.renderer import EVENT_SCHEMA
+
+    props = _load_schema("run_event.json")["properties"]
+    assert props["schema"]["const"] == EVENT_SCHEMA == "event/1"
+
+
+def _run_cli(args: list[str], env: dict | None = None) -> dict:
+    proc_env = os.environ.copy()
+    proc_env.setdefault("NO_COLOR", "1")
+    if env:
+        proc_env.update(env)
+    result = subprocess.run(
+        [sys.executable, "-m", "comfy_cli", *args],
+        capture_output=True,
+        text=True,
+        env=proc_env,
+        check=False,
+    )
+    assert result.stdout.strip(), f"expected JSON on stdout, got nothing.\nstderr: {result.stderr}"
+    # Last non-empty line is the envelope (handles --json-stream).
+    last = [line for line in result.stdout.splitlines() if line.strip()][-1]
+    return json.loads(last)
+
+
+def test_env_json_validates():
+    envelope = _run_cli(["--json", "env"])
+    env_validator = _validator_for("envelope.json")
+    env_validator.validate(envelope)
+    # And the data sub-document validates against env.json.
+    data_validator = _validator_for("env.json")
+    data_validator.validate(envelope["data"])
+    assert envelope["command"] == "env"
+    assert envelope["ok"] is True
+
+
+def test_which_json_validates():
+    envelope = _run_cli(["--json", "which"])
+    _validator_for("envelope.json").validate(envelope)
+    _validator_for("which.json").validate(envelope["data"])
+
+
+def test_help_json_validates():
+    proc_env = os.environ.copy()
+    proc_env.setdefault("NO_COLOR", "1")
+    result = subprocess.run(
+        [sys.executable, "-m", "comfy_cli", "--help-json"],
+        capture_output=True,
+        text=True,
+        env=proc_env,
+        check=False,
+    )
+    doc = json.loads(result.stdout)
+    # --help-json now wraps in the standard envelope when running in JSON mode
+    # (which is the default for non-TTY subprocesses). The bare help doc lives
+    # under `data` — validate both layers so we lock the new contract.
+    if isinstance(doc, dict) and {"ok", "command", "data"} <= doc.keys():
+        _validator_for("envelope.json").validate(doc)
+        _validator_for("help.json").validate(doc["data"])
+    else:
+        # Pretty-mode emits the bare doc directly to stdout.
+        _validator_for("help.json").validate(doc)
+
+
+def test_non_tty_auto_selects_json():
+    """A subprocess (no TTY) defaults to JSON without --json being passed.
+
+    This is the agent-out-of-the-box case: Claude Code / Cursor / etc. shell
+    out and read stdout; they never see a TTY, so the renderer flips to
+    JSON without the agent having to opt in.
+    """
+    envelope = _run_cli(["which"])
+    _validator_for("envelope.json").validate(envelope)
+
+
+def test_no_json_forces_pretty():
+    """When stdout is not a TTY but --no-json is set, we should NOT get JSON."""
+    proc_env = os.environ.copy()
+    proc_env.setdefault("NO_COLOR", "1")
+    result = subprocess.run(
+        [sys.executable, "-m", "comfy_cli", "--no-json", "which"],
+        capture_output=True,
+        text=True,
+        env=proc_env,
+        check=False,
+    )
+    # Panel-rendered pretty output: workspace section header is enough to
+    # confirm we're not emitting JSON.
+    assert "workspace" in result.stdout.lower()
+    # And it must not be valid JSON.
+    with pytest.raises(json.JSONDecodeError):
+        json.loads(result.stdout)
diff --git a/tests/comfy_cli/output/test_error_code_registry.py b/tests/comfy_cli/output/test_error_code_registry.py
new file mode 100644
index 00000000..1b3d28f5
--- /dev/null
+++ b/tests/comfy_cli/output/test_error_code_registry.py
@@ -0,0 +1,204 @@
+"""Pin the error-code registry against actual call sites.
+
+These tests are deliberately blunt: they scan the source tree for
+``renderer.error(code="X")`` (and the equivalent self-method form),
+extract every literal code string, and cross-check against
+:mod:`comfy_cli.error_codes`.
+
+Two directions are enforced:
+
+1. Every code raised in source is in the registry. A typo or a fresh code
+   added without registry update fails the test and surfaces the typo.
+2. Every code in the registry is raised somewhere. A code that's
+   deprecated or removed but left in the registry fails the test, forcing
+   the dead entry to be deleted.
+
+The shape of the AST scan is conservative (literal strings only). Dynamic
+codes (e.g. constructed from variables) are excluded — there are none in
+the tree today.
+"""
+
+from __future__ import annotations
+
+import ast
+from pathlib import Path
+
+import pytest
+
+from comfy_cli import error_codes
+
+SRC_ROOT = Path(__file__).resolve().parents[3] / "comfy_cli"
+
+
+def _iter_python_files(root: Path):
+    for p in root.rglob("*.py"):
+        # Don't grade the registry against itself.
+        if p.name == "error_codes.py":
+            continue
+        if "__pycache__" in p.parts:
+            continue
+        # engine.py uses internal validation result codes ("unknown_class_type",
+        # "shape_mismatch", etc.) in return-value dicts, not CLI error codes.
+        if p.name == "engine.py" and "cql" in p.parts:
+            continue
+        yield p
+
+
+def _extract_codes_from_call(call: ast.Call) -> list[str]:
+    """Return any string literal passed as ``code=...`` whose shape matches a code.
+
+    Conservative on what counts as a code (must match the snake_case pattern)
+    so we don't accept random ``code=1`` ints (e.g. ``typer.Exit(code=1)``) or
+    arbitrary string kwargs.
+    """
+    out: list[str] = []
+    for kw in call.keywords:
+        if kw.arg != "code":
+            continue
+        if isinstance(kw.value, ast.Constant) and isinstance(kw.value.value, str):
+            value = kw.value.value
+            if error_codes.CODE_PATTERN.match(value):
+                out.append(value)
+    # Positional first arg on ``.error("code", "msg")`` — keep the heuristic
+    # for the small set of callers that use the positional form.
+    func = call.func
+    if (
+        isinstance(func, ast.Attribute)
+        and func.attr == "error"
+        and call.args
+        and isinstance(call.args[0], ast.Constant)
+        and isinstance(call.args[0].value, str)
+        and error_codes.CODE_PATTERN.match(call.args[0].value)
+    ):
+        out.append(call.args[0].value)
+    return out
+
+
+def _extract_class_code_attrs(tree: ast.Module) -> list[str]:
+    """Find ``code = "some_code"`` class-attribute assignments.
+
+    OAuth error subclasses (e.g. ``class OAuthTokenError(OAuthError): code =
+    "oauth_token_failed"``) define their codes as class attributes, not as
+    call-site string literals.  These are passed dynamically to
+    ``renderer.error(code=e.code, ...)`` so the call-site extractor can't see
+    them.  This function picks them up from the class body.
+    """
+    codes: list[str] = []
+    for node in ast.walk(tree):
+        if not isinstance(node, ast.ClassDef):
+            continue
+        for item in node.body:
+            if not isinstance(item, ast.Assign):
+                continue
+            for target in item.targets:
+                if isinstance(target, ast.Name) and target.id == "code":
+                    if isinstance(item.value, ast.Constant) and isinstance(item.value.value, str):
+                        value = item.value.value
+                        if error_codes.CODE_PATTERN.match(value):
+                            codes.append(value)
+    return codes
+
+
+def _extract_dict_code_values(tree: ast.Module) -> list[str]:
+    """Find ``"code": "some_code"`` in dict literals.
+
+    The watcher and state-file paths build error dicts inline (e.g.
+    ``{"code": "watcher_crashed", ...}``), not via ``renderer.error()``.
+    This picks up those codes so the registry stays honest.
+    """
+    codes: list[str] = []
+    for node in ast.walk(tree):
+        if not isinstance(node, ast.Dict):
+            continue
+        for key, value in zip(node.keys, node.values):
+            if (
+                isinstance(key, ast.Constant)
+                and key.value == "code"
+                and isinstance(value, ast.Constant)
+                and isinstance(value.value, str)
+                and error_codes.CODE_PATTERN.match(value.value)
+            ):
+                codes.append(value.value)
+    return codes
+
+
+def _collect_raised_codes() -> dict[str, list[Path]]:
+    """Walk every .py under comfy_cli and collect distinct error codes raised."""
+    raised: dict[str, list[Path]] = {}
+    for path in _iter_python_files(SRC_ROOT):
+        try:
+            tree = ast.parse(path.read_text(encoding="utf-8"))
+        except (OSError, SyntaxError):
+            continue
+        for node in ast.walk(tree):
+            if not isinstance(node, ast.Call):
+                continue
+            for code in _extract_codes_from_call(node):
+                raised.setdefault(code, []).append(path)
+        # Also pick up class-level ``code = "..."`` (e.g. OAuthError subclasses).
+        for code in _extract_class_code_attrs(tree):
+            raised.setdefault(code, []).append(path)
+        # Also pick up ``"code": "..."`` in dict literals (inline error dicts).
+        for code in _extract_dict_code_values(tree):
+            raised.setdefault(code, []).append(path)
+    return raised
+
+
+@pytest.fixture(scope="module")
+def raised_codes() -> dict[str, list[Path]]:
+    return _collect_raised_codes()
+
+
+def test_every_raised_code_is_registered(raised_codes):
+    """If this fails: you raised a code that isn't in ``error_codes.REGISTRY``.
+
+    Fix: add the code to the registry first, then re-run.
+    """
+    unregistered = {
+        code: [str(p.relative_to(SRC_ROOT.parent)) for p in paths]
+        for code, paths in raised_codes.items()
+        if not error_codes.is_registered(code)
+    }
+    assert not unregistered, (
+        f"Unregistered error codes raised in source:\n{unregistered}\nAdd each to comfy_cli/error_codes.REGISTRY."
+    )
+
+
+def test_every_registered_code_is_raised(raised_codes):
+    """If this fails: a code in the registry is no longer raised anywhere.
+
+    Fix: delete the dead entry from the registry, or wire the code up.
+    """
+    dead = [c for c in error_codes.all_codes() if c not in raised_codes]
+    assert not dead, (
+        f"Registered but never raised:\n{dead}\nEither delete these from comfy_cli/error_codes.REGISTRY or use them."
+    )
+
+
+def test_codes_match_pattern():
+    """Every registered code is snake_case matching the documented pattern."""
+    bad = [ec.code for ec in error_codes.REGISTRY if not error_codes.CODE_PATTERN.match(ec.code)]
+    assert not bad, f"Codes that don't match {error_codes.CODE_PATTERN.pattern}: {bad}"
+
+
+def test_no_duplicate_codes():
+    """Each entry in the registry is unique by code."""
+    seen: set[str] = set()
+    dupes: list[str] = []
+    for ec in error_codes.REGISTRY:
+        if ec.code in seen:
+            dupes.append(ec.code)
+        seen.add(ec.code)
+    assert not dupes, f"Duplicate codes in registry: {dupes}"
+
+
+def test_discover_includes_all_registered_codes():
+    """The discover envelope must surface every registered code so an agent
+    that calls `comfy --json discover` sees the full contract.
+    """
+    from comfy_cli.discovery import load_error_codes
+
+    discovered = {row["code"] for row in load_error_codes()}
+    expected = set(error_codes.all_codes())
+    missing = expected - discovered
+    assert not missing, f"Codes registered but not emitted by discover: {missing}"
diff --git a/tests/comfy_cli/output/test_glyphs.py b/tests/comfy_cli/output/test_glyphs.py
new file mode 100644
index 00000000..065b926a
--- /dev/null
+++ b/tests/comfy_cli/output/test_glyphs.py
@@ -0,0 +1,37 @@
+"""Tests for the shared status-glyph vocabulary.
+
+Cloud (``executing``, ``success``, ``failed``, ``non_retryable_error``)
+and local (``running``, ``completed``, ``error``) use different status
+strings; the pretty surface canonicalizes everything onto the small
+local-style set so users see one stable vocabulary across ``comfy
+jobs ls`` regardless of routing.
+"""
+
+from __future__ import annotations
+
+from comfy_cli.output.glyphs import status_glyph
+
+
+def test_cloud_executing_renders_as_running():
+    assert "◐" in status_glyph("executing")
+    assert "running" in status_glyph("executing")  # canonical label
+
+
+def test_cloud_failed_renders_as_error():
+    assert "✗" in status_glyph("failed")
+    assert "error" in status_glyph("failed")
+
+
+def test_cloud_non_retryable_error_renders_as_error():
+    assert "✗" in status_glyph("non_retryable_error")
+    assert "error" in status_glyph("non_retryable_error")
+
+
+def test_cloud_success_renders_as_completed():
+    assert "✓" in status_glyph("success")
+    assert "completed" in status_glyph("success")
+
+
+def test_unknown_status_falls_through_to_default():
+    out = status_glyph("definitely_not_a_status")
+    assert "·" in out  # default glyph
diff --git a/tests/comfy_cli/output/test_help_json.py b/tests/comfy_cli/output/test_help_json.py
new file mode 100644
index 00000000..bff81eae
--- /dev/null
+++ b/tests/comfy_cli/output/test_help_json.py
@@ -0,0 +1,65 @@
+"""Help JSON coverage: every visible Typer command appears."""
+
+import json
+
+import pytest
+
+from comfy_cli.cmdline import app
+from comfy_cli.help_json import build_help_json, iter_command_paths
+
+
+def test_help_json_includes_top_level_commands():
+    doc = build_help_json(app)
+    cmds = doc["commands"]
+    # A representative subset that must always be there.
+    for expected in ("env", "which", "install", "run", "launch", "model", "node"):
+        assert expected in cmds, f"missing top-level command: {expected}"
+
+
+def test_help_json_has_examples_for_well_known_commands():
+    doc = build_help_json(app)
+    assert doc["commands"]["env"]["examples"], "expected examples for `comfy env`"
+    assert doc["commands"]["run"]["examples"], "expected examples for `comfy run`"
+
+
+def test_help_json_run_has_workflow_param():
+    doc = build_help_json(app)
+    params = doc["commands"]["run"]["params"]
+    assert any(p["name"] == "workflow" for p in params), "comfy run should expose --workflow"
+
+
+def test_help_json_is_json_serializable():
+    doc = build_help_json(app)
+    s = json.dumps(doc, default=str)
+    # Round-trip
+    again = json.loads(s)
+    assert sorted(again["commands"]) == sorted(doc["commands"])
+
+
+def test_iter_command_paths_includes_subcommands():
+    paths = iter_command_paths(app)
+    # `comfy model download` is a known nested command via add_typer.
+    assert any(p.endswith("model download") for p in paths), paths
+
+
+def test_global_options_present_on_root():
+    doc = build_help_json(app)
+    root_params = {p["name"]: p for p in doc["root"]["params"]}
+    for expected in ("workspace", "json_output", "json_stream", "no_json", "help_json"):
+        assert expected in root_params, f"missing global option: {expected}"
+
+
+@pytest.mark.parametrize(
+    "cmd_path",
+    [
+        "env",
+        "which",
+        "install",
+        "run",
+        "launch",
+    ],
+)
+def test_visible_command_has_help_text(cmd_path):
+    doc = build_help_json(app)
+    cmd = doc["commands"][cmd_path]
+    assert cmd["help"], f"`comfy {cmd_path}` should have a help string"
diff --git a/tests/comfy_cli/output/test_locking.py b/tests/comfy_cli/output/test_locking.py
new file mode 100644
index 00000000..2a3be00f
--- /dev/null
+++ b/tests/comfy_cli/output/test_locking.py
@@ -0,0 +1,96 @@
+"""File-lock primitive: serialization and timeout."""
+
+import threading
+import time
+from pathlib import Path
+
+from comfy_cli.locking import file_lock
+
+
+def test_serializes_concurrent_acquires(tmp_path: Path):
+    lock_file = tmp_path / "test.lock"
+    order: list[str] = []
+    barrier = threading.Barrier(2)
+
+    def worker(name: str, hold_s: float) -> None:
+        barrier.wait()
+        with file_lock(lock_file):
+            order.append(f"{name}-enter")
+            time.sleep(hold_s)
+            order.append(f"{name}-exit")
+
+    t1 = threading.Thread(target=worker, args=("a", 0.10))
+    t2 = threading.Thread(target=worker, args=("b", 0.05))
+    t1.start()
+    t2.start()
+    t1.join()
+    t2.join()
+
+    # Each worker's enter and exit must be contiguous — no interleaving.
+    assert len(order) == 4
+    assert order[0].endswith("-enter")
+    assert order[1].endswith("-exit")
+    assert order[2].endswith("-enter")
+    assert order[3].endswith("-exit")
+    assert order[0][0] == order[1][0]
+    assert order[2][0] == order[3][0]
+
+
+def test_creates_parent_dir(tmp_path: Path):
+    lock_file = tmp_path / "nested" / "subdir" / "thing.lock"
+    with file_lock(lock_file):
+        pass
+    assert lock_file.exists()
+
+
+def test_reentrant_in_same_process_is_ok(tmp_path: Path):
+    # flock is per-fd, not per-process; entering twice from the same process
+    # should still work as long as we use a fresh fd each time.
+    lock_file = tmp_path / "rt.lock"
+    with file_lock(lock_file):
+        pass
+    with file_lock(lock_file):
+        pass
+
+
+def test_nested_same_path_does_not_self_deadlock(tmp_path: Path):
+    # The OAuth refresh path holds the secrets lock and then calls store
+    # helpers that lock the SAME file. With per-fd flock that would block on
+    # itself; the lock is reentrant within a thread, so this must not hang.
+    lock_file = tmp_path / "nested.lock"
+    reached_inner = False
+    with file_lock(lock_file):
+        with file_lock(lock_file):  # nested — different fd, same path
+            reached_inner = True
+    assert reached_inner
+
+
+def test_nested_different_spelling_same_file_is_reentrant(tmp_path: Path):
+    # Two spellings of the same file (".." in the path) must share one
+    # reentrancy counter so the inner acquire is recognized as nested.
+    target = tmp_path / "sub" / "x.lock"
+    target.parent.mkdir(parents=True, exist_ok=True)
+    alias = tmp_path / "sub" / ".." / "sub" / "x.lock"
+    with file_lock(target):
+        with file_lock(alias):
+            pass
+
+
+def test_lock_released_after_nested_block_exits(tmp_path: Path):
+    # After a nested acquire fully unwinds, the OS lock must be free again so a
+    # second thread can take it (i.e. reentrancy didn't leak the held state).
+    lock_file = tmp_path / "release.lock"
+    with file_lock(lock_file):
+        with file_lock(lock_file):
+            pass
+
+    acquired = threading.Event()
+
+    def worker():
+        with file_lock(lock_file, timeout=2.0):
+            acquired.set()
+
+    t = threading.Thread(target=worker)
+    t.start()
+    t.join(timeout=3.0)
+    assert acquired.is_set()
diff --git a/tests/comfy_cli/output/test_panels.py b/tests/comfy_cli/output/test_panels.py
new file mode 100644
index 00000000..1c34f28d
--- /dev/null
+++ b/tests/comfy_cli/output/test_panels.py
@@ -0,0 +1,230 @@
+"""Snapshot/fragment tests for the new pretty-mode panels."""
+
+from __future__ import annotations
+
+import io
+import re
+
+from rich.console import Console
+
+from comfy_cli.output.panels import (
+    auth_empty_panel,
+    auth_list_table,
+    discover_panel,
+    error_panel,
+    which_panel,
+)
+
+_ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")
+
+
+def _render(renderable) -> str:
+    """Render to a string with ANSI escapes stripped, so fragment asserts work."""
+    buf = io.StringIO()
+    console = Console(file=buf, force_terminal=True, width=100, no_color=True)
+    console.print(renderable)
+    return _ANSI_RE.sub("", buf.getvalue())
+
+
+# ---------------------------------------------------------------------------
+# error_panel
+# ---------------------------------------------------------------------------
+
+
+def test_error_panel_includes_code_and_message():
+    out = _render(
+        error_panel(
+            code="cql_no_graph",
+            message="failed to reach http://127.0.0.1:8188/object_info",
+            hint="pass --input <path>",
+        )
+    )
+    assert "error" in out
+    assert "cql_no_graph" in out
+    assert "failed to reach" in out
+    assert "pass --input" in out
+    assert "→" in out  # hint arrow
+
+
+def test_error_panel_renders_without_hint_or_details():
+    out = _render(error_panel(code="boom", message="something broke"))
+    assert "boom" in out
+    assert "something broke" in out
+    # No hint line, no details section.
+    assert "→" not in out
+    assert "details" not in out.lower()
+
+
+def test_error_panel_renders_details():
+    out = _render(
+        error_panel(
+            code="server_not_running",
+            message="not running",
+            hint="run: comfy launch",
+            details={"host": "127.0.0.1", "port": 8188},
+        )
+    )
+    assert "details" in out
+    assert "127.0.0.1" in out
+    assert "8188" in out
+
+
+# ---------------------------------------------------------------------------
+# discover_panel
+# ---------------------------------------------------------------------------
+
+
+def test_discover_panel_shows_surface_counts_and_caps():
+    doc = {
+        "version": "0.0.0",
+        "commands": {
+            "run": {"name": "run", "help": "Run an API workflow.", "hidden": False},
+            "nodes": {
+                "name": "nodes",
+                "help": "Introspect ComfyUI node classes.",
+                "hidden": False,
+                "subcommands": {
+                    "ls": {"name": "ls", "help": "List node classes.", "hidden": False},
+                    "show": {"name": "show", "help": "Show full schema.", "hidden": False},
+                },
+            },
+            "_secret": {"name": "_secret", "hidden": True},
+        },
+        "schemas": {"a": {}, "b": {}, "c": {}},
+        "error_codes": [{}, {}],
+        "capabilities": {
+            "json_envelope": True,
+            "cql": True,
+            "where_routing": True,
+            "where_targets": ["local", "cloud"],
+            "auth_providers": ["comfy-cloud", "civitai"],
+        },
+    }
+    out = _render(discover_panel(doc, command_count=42))
+    assert "comfy CLI" in out or "comfy-cli" in out
+    assert "v0.0.0" in out
+    assert "Commands" in out
+    assert "run" in out  # visible command listed
+    assert "nodes (2)" in out  # subcommand count shown
+    assert "_secret" not in out  # hidden command excluded
+    assert "Run an API workflow." in out  # description shown
+    assert "Capabilities" in out
+    assert "✓ cql" in out
+    assert "✓ json_envelope" in out
+    assert "Routing" in out
+    assert "local · cloud" in out
+    assert "comfy-cloud · civitai" in out
+    assert "Summary" in out
+    assert "42 total" in out
+    assert "discover" in out
+    assert "comfy CLI v0.0.0" in out
+
+
+def test_discover_panel_handles_empty_capabilities():
+    doc = {"version": "0.0.0", "commands": {}, "schemas": {}, "error_codes": [], "capabilities": {}}
+    out = _render(discover_panel(doc, command_count=0))
+    assert "Commands" in out
+    assert "(none advertised)" in out
+
+
+def test_discover_panel_uses_canonical_branded_subtitle():
+    """The chrome (title + subtitle) goes through ``branded_panel`` so
+    ``discover`` looks identical to ``env``, ``jobs ls``, etc."""
+    doc = {"version": "0.0.0", "commands": {}, "schemas": {}, "error_codes": [], "capabilities": {}}
+    panel = discover_panel(doc, command_count=42)
+    assert "discover" in str(panel.title)
+    assert "comfy CLI v0.0.0" in str(panel.subtitle)
+    # The old "agent-aware CLI" subtitle is the welcome banner's job now.
+    assert "agent-aware CLI" not in str(panel.subtitle)
+
+
+# ---------------------------------------------------------------------------
+# which_panel
+# ---------------------------------------------------------------------------
+
+
+def test_which_panel_running_server():
+    out = _render(
+        which_panel(
+            workspace_path="/Users/k/comfyui",
+            workspace_type="recent",
+            python_executable="/usr/bin/python3",
+            python_version="3.12.8",
+            server_running=True,
+            server_url="http://127.0.0.1:8188",
+        )
+    )
+    assert "/Users/k/comfyui" in out
+    assert "recent" in out
+    assert "/usr/bin/python3" in out
+    assert "3.12.8" in out
+    assert "running" in out
+    assert "127.0.0.1:8188" in out
+
+
+def test_which_panel_stopped_server():
+    out = _render(
+        which_panel(
+            workspace_path="/x",
+            workspace_type="here",
+            python_executable=None,
+            python_version=None,
+            server_running=False,
+            server_url=None,
+        )
+    )
+    assert "/x" in out
+    assert "here" in out
+    assert "stopped" in out
+
+
+def test_which_panel_subtitle_carries_brand():
+    """When ``version`` is passed, ``which_panel`` emits the canonical
+    title/subtitle via ``branded_panel`` — no separate ``cli_footer``
+    needed below."""
+    panel = which_panel(
+        workspace_path="/x",
+        workspace_type="recent",
+        python_executable="/usr/bin/python",
+        python_version="3.12",
+        server_running=False,
+        server_url="http://127.0.0.1:8188",
+        version="0.0.0",
+    )
+    assert "workspace" in str(panel.title)
+    assert "comfy CLI v0.0.0" in str(panel.subtitle)
+
+
+# ---------------------------------------------------------------------------
+# auth panels
+# ---------------------------------------------------------------------------
+
+
+def test_auth_list_table_renders_rows():
+    records = [
+        {"provider": "comfy-cloud", "key": "sk-t…7890", "updated_at": "2026-05-15T09:48:24+00:00"},
+        {"provider": "huggingface", "key": "hf-f…-baz", "updated_at": "2026-05-15T09:48:24+00:00"},
+    ]
+    out = _render(
+        auth_list_table(
+            records,
+            supported=["comfy-cloud", "civitai", "huggingface"],
+            path="/tmp/secrets.json",
+        )
+    )
+    assert "Auth providers" in out
+    assert "2 configured" in out
+    assert "comfy-cloud" in out
+    assert "huggingface" in out
+    assert "sk-t…7890" in out
+    assert "supported:" in out
+    assert "/tmp/secrets.json" in out
+
+
+def test_auth_empty_panel_shows_supported_and_hint():
+    out = _render(auth_empty_panel(supported=["comfy-cloud", "civitai"], path="/tmp/x.json"))
+    assert "No providers configured" in out
+    assert "comfy auth set" in out
+    assert "Supported:" in out
+    assert "comfy-cloud · civitai" in out
+    assert "/tmp/x.json" in out
diff --git a/tests/comfy_cli/output/test_renderer.py b/tests/comfy_cli/output/test_renderer.py
new file mode 100644
index 00000000..296c5050
--- /dev/null
+++ b/tests/comfy_cli/output/test_renderer.py
@@ -0,0 +1,211 @@
+"""Renderer mode resolution + envelope shape."""
+
+from __future__ import annotations
+
+import io
+import json
+
+import pytest
+
+from comfy_cli.caller import Caller
+from comfy_cli.output.renderer import OutputMode, Renderer, get_renderer, reset_renderer_for_testing, set_renderer
+
+
+@pytest.fixture(autouse=True)
+def reset_singleton():
+    reset_renderer_for_testing()
+    yield
+    reset_renderer_for_testing()
+
+
+def _resolve(**kwargs):
+    return Renderer.resolve(
+        is_stdout_tty=kwargs.pop("is_stdout_tty", True),
+        env=kwargs.pop("env", {}),
+        caller=kwargs.pop("caller", Caller(kind="user", agentic=False, source_env=None)),
+        **kwargs,
+    )
+
+
+def test_default_is_pretty_when_tty():
+    r = _resolve()
+    assert r.mode is OutputMode.PRETTY
+
+
+def test_no_tty_defaults_to_json():
+    r = _resolve(is_stdout_tty=False)
+    assert r.mode is OutputMode.JSON
+
+
+def test_agentic_caller_defaults_to_json_even_when_tty():
+    r = _resolve(caller=Caller(kind="claude", agentic=True, source_env="CLAUDECODE"))
+    assert r.mode is OutputMode.JSON
+
+
+def test_explicit_no_json_beats_agentic():
+    r = _resolve(no_json_flag=True, caller=Caller(kind="claude", agentic=True, source_env="X"))
+    assert r.mode is OutputMode.PRETTY
+
+
+def test_json_stream_beats_json_flag():
+    r = _resolve(json_flag=True, json_stream_flag=True)
+    assert r.mode is OutputMode.NDJSON
+
+
+def test_comfy_output_env_picks_mode():
+    r = _resolve(env={"COMFY_OUTPUT": "ndjson"}, is_stdout_tty=True)
+    assert r.mode is OutputMode.NDJSON
+
+
+def test_flag_beats_env():
+    r = _resolve(no_json_flag=True, env={"COMFY_OUTPUT": "json"})
+    assert r.mode is OutputMode.PRETTY
+
+
+def test_envelope_shape_on_success():
+    stream = io.StringIO()
+    r = _resolve()
+    r.mode = OutputMode.JSON  # bypass pretty branch
+    r.machine_stream = stream
+    r.command = "env"
+    r.version = "1.2.3"
+    r.emit({"foo": "bar"})
+    line = stream.getvalue().strip()
+    env = json.loads(line)
+    # Contract versioning: the discriminator + schema version lead the
+    # envelope so NDJSON consumers can pick out the final line by `type`.
+    assert list(env)[:2] == ["schema", "type"]
+    assert env["schema"] == "envelope/1"
+    assert env["type"] == "envelope"
+    assert env["ok"] is True
+    assert env["command"] == "env"
+    assert env["version"] == "1.2.3"
+    assert env["data"] == {"foo": "bar"}
+    assert env["error"] is None
+    assert env["where"] is None
+
+
+def test_emit_ok_false_carries_data():
+    """`validate` on an invalid workflow emits its structured payload as data
+    but with ok=False, so the envelope agrees with the exit code."""
+    stream = io.StringIO()
+    r = _resolve()
+    r.mode = OutputMode.JSON
+    r.machine_stream = stream
+    r.command = "validate"
+    r.emit({"valid": False, "error_count": 2}, ok=False)
+    env = json.loads(stream.getvalue().strip())
+    assert env["ok"] is False
+    assert env["data"] == {"valid": False, "error_count": 2}
+    assert env["error"] is None  # the verdict rides in data, not error
+
+
+def test_envelope_shape_on_error():
+    stream = io.StringIO()
+    r = _resolve()
+    r.mode = OutputMode.JSON
+    r.machine_stream = stream
+    r.command = "which"
+    r.error("not_in_workspace", "no workspace", hint="run: comfy install")
+    env = json.loads(stream.getvalue().strip())
+    assert env["schema"] == "envelope/1"
+    assert env["type"] == "envelope"
+    assert env["ok"] is False
+    assert env["error"]["code"] == "not_in_workspace"
+    assert env["error"]["message"] == "no workspace"
+    assert env["error"]["hint"] == "run: comfy install"
+    assert env["error"]["details"] is None
+    assert r.exit_code == 1
+
+
+def test_error_exit_code_is_observable_after_call():
+    """main() reads renderer.exit_code as a backstop so call sites that
+    forgot to also `raise typer.Exit(1)` still produce a non-zero process
+    exit. Pin the public surface so that backstop keeps working."""
+    r = _resolve()
+    r.mode = OutputMode.JSON
+    r.machine_stream = io.StringIO()
+    assert r.exit_code == 0
+    r.error("boom", "something broke")
+    assert r.exit_code == 1
+    # Custom exit codes (e.g. 130 for SIGINT) flow through too.
+    r2 = _resolve()
+    r2.mode = OutputMode.JSON
+    r2.machine_stream = io.StringIO()
+    r2.error("cancelled", "user cancelled", exit_code=130)
+    assert r2.exit_code == 130
+
+
+def test_emit_is_noop_in_pretty():
+    stream = io.StringIO()
+    r = _resolve()
+    assert r.is_pretty()
+    r.machine_stream = stream
+    r.emit({"foo": "bar"})
+    assert stream.getvalue() == ""
+
+
+def test_pretty_emit_writes_nothing_to_stdout(pretty_no_stdout):
+    """Regression: in pretty mode, ``renderer.emit`` is a no-op for stdout.
+
+    Uses the conftest fixture that pins the contract — if a future change
+    makes pretty mode print the envelope to stdout, this test fails.
+    """
+    r = _resolve()
+    assert r.is_pretty()
+    r.emit({"hello": "world"}, command="test")
+    # Fixture asserts no stdout after the test body finishes.
+
+
+def test_emit_is_idempotent():
+    stream = io.StringIO()
+    r = _resolve()
+    r.mode = OutputMode.JSON
+    r.machine_stream = stream
+    r.emit({"a": 1})
+    r.emit({"a": 2})  # second call ignored
+    lines = [line for line in stream.getvalue().splitlines() if line.strip()]
+    assert len(lines) == 1
+    assert json.loads(lines[0])["data"] == {"a": 1}
+
+
+def test_event_only_in_ndjson():
+    stream = io.StringIO()
+    r = _resolve()
+    r.mode = OutputMode.JSON  # not ndjson
+    r.machine_stream = stream
+    r.event("progress", node="K", completed=1, total=2)
+    assert stream.getvalue() == ""
+
+    r.mode = OutputMode.NDJSON
+    r.event("progress", node="K", completed=1, total=2)
+    line = json.loads(stream.getvalue().strip())
+    assert line == {"schema": "event/1", "type": "progress", "node": "K", "completed": 1, "total": 2}
+
+
+def test_throttled_event_drops_within_window():
+    import time as _time
+
+    stream = io.StringIO()
+    r = _resolve()
+    r.mode = OutputMode.NDJSON
+    r.machine_stream = stream
+    # First emits, immediate second drops, then sleep > 1/max_hz emits again.
+    assert r.throttled_event("k1", "progress", max_hz=20, v=1) is True
+    assert r.throttled_event("k1", "progress", max_hz=20, v=2) is False
+    _time.sleep(0.08)  # 1/20 = 0.05
+    assert r.throttled_event("k1", "progress", max_hz=20, v=3) is True
+    emitted = [json.loads(line) for line in stream.getvalue().splitlines()]
+    assert [e["v"] for e in emitted] == [1, 3]
+
+
+def test_singleton_set_and_get():
+    r = _resolve()
+    set_renderer(r)
+    assert get_renderer() is r
+
+
+def test_get_renderer_default_is_pretty():
+    # No prior set; default is pretty so unsuspecting callers don't crash.
+    r = get_renderer()
+    assert r.is_pretty()
diff --git a/tests/comfy_cli/skills/__init__.py b/tests/comfy_cli/skills/__init__.py
new file mode 100644
index 00000000..e69de29b
diff --git a/tests/comfy_cli/skills/test_installer.py b/tests/comfy_cli/skills/test_installer.py
new file mode 100644
index 00000000..09297223
--- /dev/null
+++ b/tests/comfy_cli/skills/test_installer.py
@@ -0,0 +1,567 @@
+"""Tests for the multi-skill installer (no MCP needed)."""
+
+from __future__ import annotations
+
+from pathlib import Path
+
+import pytest
+from typer.testing import CliRunner
+
+from comfy_cli.caller import Caller
+from comfy_cli.output.renderer import OutputMode, Renderer, reset_renderer_for_testing, set_renderer
+from comfy_cli.skills import (
+    RETIRED_SKILLS,
+    bundled_skill_names,
+    install,
+    plan_install,
+    prune_retired,
+    skill_content,
+    uninstall,
+)
+from comfy_cli.skills.command import app
+
+
+def _force_json_renderer():
+    """Pin the renderer to JSON so tests can read envelopes off stdout."""
+    r = Renderer.resolve(
+        is_stdout_tty=False,
+        env={},
+        caller=Caller(kind="user", agentic=False, source_env=None),
+        json_flag=True,
+    )
+    r.mode = OutputMode.JSON
+    set_renderer(r)
+    return r
+
+
+# ---------------------------------------------------------------------------
+# Bundled skill inventory
+# ---------------------------------------------------------------------------
+
+
+def test_bundles_expected_skills():
+    names = bundled_skill_names()
+    assert "comfy" in names
+    assert "comfy-fragments" in names
+    assert "comfy-debug" in names
+    assert "comfy-relay" in names
+
+
+def test_bundled_skills_have_required_frontmatter():
+    for name in bundled_skill_names():
+        text = skill_content(name)
+        assert text.startswith("---\n"), f"{name}: missing frontmatter"
+        assert f"name: {name}" in text, f"{name}: frontmatter name doesn't match"
+        assert "description:" in text, f"{name}: frontmatter missing description"
+
+
+def test_comfy_skill_content_has_required_sections():
+    text = skill_content("comfy").lower()
+    assert "comfy --json discover" in text
+    assert "routing" in text or "--where" in text
+    assert "nodes ls" in text  # the node introspection surface
+    assert "envelope" in text  # the section that documents the output contract
+
+
+def test_comfy_debug_skill_covers_common_error_codes():
+    text = skill_content("comfy-debug")
+    for code in ("server_not_running", "cloud_not_configured", "workflow_not_api_format", "prompt_rejected"):
+        assert code in text, f"comfy-debug skill should mention {code}"
+
+
+def test_comfy_skill_covers_cloud_setup_and_routing():
+    # Cloud guidance was folded into the consolidated `comfy` skill's
+    # "Cloud" gotchas section when the standalone comfy-cloud skill was retired.
+    text = skill_content("comfy")
+    for needle in ("comfy cloud login", "cloud set-base-url", "--where cloud"):
+        assert needle in text, f"comfy skill should mention {needle}"
+
+
+def test_comfy_fragments_skill_covers_composition():
+    text = skill_content("comfy-fragments")
+    for needle in ("workflow compose", "_fragment", "blueprint"):
+        assert needle in text, f"comfy-fragments skill should mention {needle}"
+
+
+def test_skill_content_rejects_unknown_name():
+    with pytest.raises(ValueError) as exc:
+        skill_content("not-a-real-skill")
+    assert "not-a-real-skill" in str(exc.value)
+
+
+# ---------------------------------------------------------------------------
+# Planning
+# ---------------------------------------------------------------------------
+
+
+def test_plan_install_default_covers_every_skill_and_target(tmp_path: Path, monkeypatch: pytest.MonkeyPatch):
+    monkeypatch.setenv("HOME", str(tmp_path))
+    plans = plan_install(scope="user", project_root=tmp_path / "anywhere")
+    skill_target_pairs = {(p.skill, p.kind) for p in plans}
+    expected = {(name, kind) for name in bundled_skill_names() for kind in ("claude-code", "cursor", "agents-md")}
+    assert skill_target_pairs == expected
+
+
+def test_plan_install_project_scope_paths(tmp_path: Path):
+    plans = plan_install(scope="project", project_root=tmp_path, skills=["comfy-debug"])
+    paths = {p.kind: p.path for p in plans}
+    assert paths["claude-code"] == tmp_path / ".claude" / "skills" / "comfy-debug" / "SKILL.md"
+    assert paths["cursor"] == tmp_path / ".cursor" / "rules" / "comfy-debug.mdc"
+    assert paths["agents-md"] == tmp_path / "AGENTS.md"
+
+
+def test_plan_install_filters_by_skill(tmp_path: Path):
+    plans = plan_install(scope="project", project_root=tmp_path, skills=["comfy", "comfy-fragments"])
+    assert {p.skill for p in plans} == {"comfy", "comfy-fragments"}
+
+
+# ---------------------------------------------------------------------------
+# Install
+# ---------------------------------------------------------------------------
+
+
+def test_install_writes_every_skill_to_every_target(tmp_path: Path):
+    results = install(scope="project", project_root=tmp_path)
+    for r in results:
+        assert r.action == "wrote", f"unexpected action for {r.skill}/{r.kind}: {r.action}"
+        assert r.path.exists()
+
+    for name in bundled_skill_names():
+        claude = (tmp_path / f".claude/skills/{name}/SKILL.md").read_text(encoding="utf-8")
+        assert claude.startswith("---\n")
+        assert f"name: {name}" in claude
+
+        cursor = (tmp_path / f".cursor/rules/{name}.mdc").read_text(encoding="utf-8")
+        assert "alwaysApply: false" in cursor
+
+    agents_md = (tmp_path / "AGENTS.md").read_text(encoding="utf-8")
+    for name in bundled_skill_names():
+        assert f"<!-- {name}:start -->" in agents_md
+        assert f"<!-- {name}:end -->" in agents_md
+
+
+def test_install_one_skill_only(tmp_path: Path):
+    install(scope="project", project_root=tmp_path, skills=["comfy-debug"])
+    assert (tmp_path / ".claude/skills/comfy-debug/SKILL.md").exists()
+    assert not (tmp_path / ".claude/skills/comfy/SKILL.md").exists()
+    assert not (tmp_path / ".claude/skills/comfy-fragments/SKILL.md").exists()
+    agents = (tmp_path / "AGENTS.md").read_text(encoding="utf-8")
+    assert "<!-- comfy-debug:start -->" in agents
+    assert "<!-- comfy:start -->" not in agents
+    assert "<!-- comfy-fragments:start -->" not in agents
+
+
+def test_install_is_idempotent_across_skills(tmp_path: Path):
+    install(scope="project", project_root=tmp_path)
+    install(scope="project", project_root=tmp_path)
+    agents_md = (tmp_path / "AGENTS.md").read_text(encoding="utf-8")
+    for name in bundled_skill_names():
+        assert agents_md.count(f"<!-- {name}:start -->") == 1
+        assert agents_md.count(f"<!-- {name}:end -->") == 1
+
+
+def test_install_preserves_existing_agents_md_content(tmp_path: Path):
+    (tmp_path / "AGENTS.md").write_text("# My project agent notes\n\nKeep this.\n", encoding="utf-8")
+    install(scope="project", project_root=tmp_path, targets=["agents-md"])
+    text = (tmp_path / "AGENTS.md").read_text(encoding="utf-8")
+    assert "# My project agent notes" in text
+    assert "Keep this." in text
+
+
+def test_dry_run_does_not_touch_disk(tmp_path: Path):
+    results = install(scope="project", project_root=tmp_path, dry_run=True)
+    for r in results:
+        assert r.action == "would_write"
+        assert not r.path.exists()
+
+
+# ---------------------------------------------------------------------------
+# Uninstall
+# ---------------------------------------------------------------------------
+
+
+def test_uninstall_removes_all_skills_and_keeps_other_agents_md(tmp_path: Path):
+    (tmp_path / "AGENTS.md").write_text("# keep me\n\n", encoding="utf-8")
+    install(scope="project", project_root=tmp_path)
+    for name in bundled_skill_names():
+        assert (tmp_path / f".claude/skills/{name}/SKILL.md").exists()
+
+    uninstall(scope="project", project_root=tmp_path)
+    for name in bundled_skill_names():
+        assert not (tmp_path / f".claude/skills/{name}/SKILL.md").exists()
+        assert not (tmp_path / f".cursor/rules/{name}.mdc").exists()
+
+    agents_md = (tmp_path / "AGENTS.md").read_text(encoding="utf-8")
+    assert "# keep me" in agents_md
+    for name in bundled_skill_names():
+        assert f"<!-- {name}:start -->" not in agents_md
+
+
+def test_uninstall_can_target_one_skill(tmp_path: Path):
+    install(scope="project", project_root=tmp_path)
+    uninstall(scope="project", project_root=tmp_path, skills=["comfy-debug"])
+    assert not (tmp_path / ".claude/skills/comfy-debug/SKILL.md").exists()
+    assert (tmp_path / ".claude/skills/comfy/SKILL.md").exists()
+    assert (tmp_path / ".claude/skills/comfy-relay/SKILL.md").exists()
+
+
+def test_uninstall_is_safe_on_clean_tree(tmp_path: Path):
+    results = uninstall(scope="project", project_root=tmp_path)
+    for r in results:
+        assert r.action in {"absent", "removed"}
+
+
+# ---------------------------------------------------------------------------
+# Backup / atomic-write contracts (kept from the original)
+# ---------------------------------------------------------------------------
+
+
+def test_install_backs_up_user_edited_skill_md(tmp_path: Path):
+    skill_path = tmp_path / ".claude/skills/comfy/SKILL.md"
+    skill_path.parent.mkdir(parents=True)
+    skill_path.write_text("# my custom edits, please preserve me\n", encoding="utf-8")
+
+    install(scope="project", project_root=tmp_path, skills=["comfy"], targets=["claude-code"])
+
+    backups = list(skill_path.parent.glob("SKILL.md.*.bak"))
+    assert len(backups) == 1, f"expected exactly one backup, got {backups}"
+    assert "my custom edits" in backups[0].read_text(encoding="utf-8")
+    assert "my custom edits" not in skill_path.read_text(encoding="utf-8")
+
+
+def test_install_does_not_back_up_identical_content(tmp_path: Path):
+    install(scope="project", project_root=tmp_path, skills=["comfy"], targets=["claude-code"])
+    skill_path = tmp_path / ".claude/skills/comfy/SKILL.md"
+    install(scope="project", project_root=tmp_path, skills=["comfy"], targets=["claude-code"])
+    assert list(skill_path.parent.glob("SKILL.md.*.bak")) == []
+
+
+def test_install_atomic_write_does_not_leave_partial_file(tmp_path: Path, monkeypatch: pytest.MonkeyPatch):
+    skill_path = tmp_path / ".claude/skills/comfy/SKILL.md"
+    skill_path.parent.mkdir(parents=True)
+    skill_path.write_text("original\n", encoding="utf-8")
+
+    import os as real_os
+
+    real_replace = real_os.replace
+
+    def boom(src, dst):
+        raise OSError("simulated kill -9 between write and rename")
+
+    monkeypatch.setattr("comfy_cli.skills.os.replace", boom)
+
+    results = install(scope="project", project_root=tmp_path, skills=["comfy"], targets=["claude-code"])
+
+    assert results[0].action == "skipped"
+    assert skill_path.read_text(encoding="utf-8") == "original\n"
+    leftover = list(skill_path.parent.glob("*.tmp"))
+    assert leftover == [], f"tmp not cleaned: {leftover}"
+    monkeypatch.setattr("comfy_cli.skills.os.replace", real_replace)
+
+
+# ---------------------------------------------------------------------------
+# Retired-skill pruning (10 → 4 convergence)
+# ---------------------------------------------------------------------------
+
+
+def test_retired_and_bundled_are_disjoint():
+    assert set(RETIRED_SKILLS).isdisjoint(set(bundled_skill_names()))
+
+
+def _seed_retired_orphan(root: Path, name: str) -> tuple[Path, Path, Path]:
+    """Write a stale orphan for `name` across all three targets."""
+    claude = root / ".claude" / "skills" / name / "SKILL.md"
+    cursor = root / ".cursor" / "rules" / f"{name}.mdc"
+    agents = root / "AGENTS.md"
+    claude.parent.mkdir(parents=True, exist_ok=True)
+    cursor.parent.mkdir(parents=True, exist_ok=True)
+    claude.write_text("stale\n", encoding="utf-8")
+    cursor.write_text("stale\n", encoding="utf-8")
+    agents.write_text(f"# keep me\n\n<!-- {name}:start -->\nstale\n<!-- {name}:end -->\n", encoding="utf-8")
+    return claude, cursor, agents
+
+
+def test_prune_retired_removes_orphans(tmp_path: Path):
+    name = RETIRED_SKILLS[0]
+    claude, cursor, agents = _seed_retired_orphan(tmp_path, name)
+
+    results = prune_retired(scope="project", project_root=tmp_path)
+
+    assert not claude.exists()
+    assert not claude.parent.exists()  # empty <name>/ dir cleaned up too
+    assert not cursor.exists()
+    agents_text = agents.read_text(encoding="utf-8")
+    assert f"<!-- {name}:start -->" not in agents_text
+    assert "# keep me" in agents_text  # unrelated content preserved
+    removed = {(r.skill, r.kind) for r in results if r.action == "removed"}
+    assert (name, "claude-code") in removed
+    assert (name, "cursor") in removed
+    assert (name, "agents-md") in removed
+
+
+def test_prune_retired_is_absent_on_clean_tree(tmp_path: Path):
+    results = prune_retired(scope="project", project_root=tmp_path)
+    assert results, "should still report a plan per retired skill/target"
+    assert all(r.action == "absent" for r in results)
+
+
+def test_prune_retired_dry_run_does_not_delete(tmp_path: Path):
+    name = RETIRED_SKILLS[0]
+    claude, _cursor, _agents = _seed_retired_orphan(tmp_path, name)
+
+    results = prune_retired(scope="project", project_root=tmp_path, dry_run=True)
+
+    assert claude.exists(), "dry-run must not delete"
+    assert any(r.action == "would_remove" for r in results)
+
+
+def test_install_converges_old_machine(tmp_path: Path):
+    # Simulate a machine that installed a now-retired skill, then reinstall the
+    # current bundle and prune in one pass (as the install command does).
+    name = RETIRED_SKILLS[0]
+    claude, cursor, _agents = _seed_retired_orphan(tmp_path, name)
+
+    prune_retired(scope="project", project_root=tmp_path)
+    install(scope="project", project_root=tmp_path)
+
+    assert not claude.exists()
+    assert not cursor.exists()
+    for current in bundled_skill_names():
+        assert (tmp_path / ".claude" / "skills" / current / "SKILL.md").exists()
+
+
+# ---------------------------------------------------------------------------
+# Path-based (third-party) skill install
+# ---------------------------------------------------------------------------
+
+
+def test_install_accepts_directory_path(tmp_path: Path):
+    """--skill ./my-skill/ (dir containing SKILL.md) installs a third-party skill."""
+    skill_dir = tmp_path / "my-skill"
+    skill_dir.mkdir()
+    skill_content_text = "---\nname: my-skill\ndescription: Test skill.\n---\n\n# My Skill\nBody.\n"
+    (skill_dir / "SKILL.md").write_text(skill_content_text, encoding="utf-8")
+
+    target_root = tmp_path / "target"
+    target_root.mkdir()
+
+    results = install(
+        scope="project",
+        project_root=target_root,
+        skills=[str(skill_dir)],
+        targets=["claude-code"],
+    )
+    assert results, "expected at least one result"
+    assert results[0].action == "wrote"
+
+    installed_path = target_root / ".claude" / "skills" / "my-skill" / "SKILL.md"
+    assert installed_path.exists(), f"expected SKILL.md at {installed_path}"
+    assert installed_path.read_text(encoding="utf-8") == skill_content_text
+
+
+def test_install_rejects_path_with_mismatched_name(tmp_path: Path):
+    """frontmatter name must match the directory name."""
+    skill_dir = tmp_path / "my-skill"
+    skill_dir.mkdir()
+    (skill_dir / "SKILL.md").write_text("---\nname: other-name\ndescription: d.\n---\nBody.\n", encoding="utf-8")
+    from comfy_cli.skills import load_skill_source
+
+    with pytest.raises(ValueError, match="other-name"):
+        load_skill_source(str(skill_dir))
+
+
+def test_skills_validate_command(tmp_path: Path):
+    """comfy skills validate <path> returns ok:true for a well-formed skill."""
+    import json
+
+    skill_dir = tmp_path / "my-skill"
+    skill_dir.mkdir()
+    (skill_dir / "SKILL.md").write_text(
+        "---\nname: my-skill\ndescription: Test skill.\n---\n\n# My Skill\nBody.\n",
+        encoding="utf-8",
+    )
+
+    _force_json_renderer()
+    try:
+        runner = CliRunner()
+        result = runner.invoke(app, ["validate", str(skill_dir)])
+        assert result.exit_code == 0, f"expected exit 0, got {result.exit_code}\noutput: {result.output}"
+
+        # Last non-empty line is the envelope.
+        lines = [line for line in result.output.splitlines() if line.strip()]
+        envelope = json.loads(lines[-1])
+        assert envelope["ok"] is True
+        assert envelope["data"]["valid"] is True
+        assert envelope["data"]["name"] == "my-skill"
+    finally:
+        reset_renderer_for_testing()
+
+
+# ---------------------------------------------------------------------------
+# Security: slug guard — name must be a simple slug, no path traversal
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.parametrize("bad_name", ["../../evil", "/tmp/evil", "a/b", "a\\b", ".hidden", ".."])
+def test_load_skill_source_rejects_non_slug_names(tmp_path, bad_name):
+    """Frontmatter name must be a simple slug — traversal/absolute names are rejected
+    even when the token is a direct SKILL.md file path (no dir-match check applies)."""
+    from comfy_cli.skills import load_skill_source
+
+    md = tmp_path / "SKILL.md"
+    md.write_text(f"---\nname: {bad_name}\ndescription: d.\n---\nBody.\n", encoding="utf-8")
+    with pytest.raises(ValueError, match="simple slug"):
+        load_skill_source(str(md))
+
+
+def test_load_skill_source_accepts_slug_names(tmp_path):
+    from comfy_cli.skills import load_skill_source
+
+    md = tmp_path / "SKILL.md"
+    md.write_text("---\nname: anime-video_v2\ndescription: d.\n---\nBody.\n", encoding="utf-8")
+    assert load_skill_source(str(md)).name == "anime-video_v2"
+
+
+def test_validate_command_rejects_evil_name(tmp_path: Path):
+    """comfy skills validate must exit 1 and emit skill_invalid for a traversal name."""
+    import json
+
+    md = tmp_path / "SKILL.md"
+    md.write_text("---\nname: ../../evil\ndescription: d.\n---\nBody.\n", encoding="utf-8")
+
+    _force_json_renderer()
+    try:
+        runner = CliRunner()
+        result = runner.invoke(app, ["validate", str(md)])
+        assert result.exit_code == 1, f"expected exit 1, got {result.exit_code}\noutput: {result.output}"
+
+        lines = [line for line in result.output.splitlines() if line.strip()]
+        envelope = json.loads(lines[-1])
+        assert envelope["ok"] is False
+        assert envelope["error"]["code"] == "skill_invalid"
+    finally:
+        reset_renderer_for_testing()
+
+
+# ---------------------------------------------------------------------------
+# Manifest (provenance + staleness) — Task 9
+# ---------------------------------------------------------------------------
+
+
+def test_install_records_manifest(tmp_path: Path):
+    """Installing writes a manifest entry: target path -> {skill, sha256, cli_version}."""
+    import hashlib
+
+    from comfy_cli.skills import manifest_path, read_manifest, skill_content
+
+    results = install(scope="project", project_root=tmp_path, skills=["comfy-debug"], targets=["claude-code"])
+    assert results[0].action == "wrote"
+
+    mpath = manifest_path()
+    assert mpath.exists(), f"manifest file not created at {mpath}"
+    manifest = read_manifest()
+
+    installed_path = str(tmp_path / ".claude" / "skills" / "comfy-debug" / "SKILL.md")
+    assert installed_path in manifest, f"manifest missing entry for {installed_path}"
+    entry = manifest[installed_path]
+    assert entry["skill"] == "comfy-debug"
+    assert "sha256" in entry
+    assert "cli_version" in entry
+
+    expected_sha = hashlib.sha256(skill_content("comfy-debug").encode("utf-8")).hexdigest()
+    assert entry["sha256"] == expected_sha
+
+
+def test_prune_skips_unmanaged_files(tmp_path: Path):
+    """A user-authored skill at a retired-name path is NOT deleted by prune when manifest exists."""
+    from comfy_cli.skills import manifest_path, write_manifest
+
+    # Seed a file at a retired-skill path but do NOT put it in the manifest.
+    retired_name = RETIRED_SKILLS[0]
+    claude_path = tmp_path / ".claude" / "skills" / retired_name / "SKILL.md"
+    claude_path.parent.mkdir(parents=True, exist_ok=True)
+    claude_path.write_text("# user-authored content — must survive\n", encoding="utf-8")
+
+    # Write a manifest that exists but does NOT contain this path.
+    mpath = manifest_path()
+    mpath.parent.mkdir(parents=True, exist_ok=True)
+    write_manifest({"some/other/path": {"skill": "comfy", "sha256": "abc", "cli_version": "0.0.0"}})
+
+    # Run prune — manifest exists but doesn't record this file as comfy-managed.
+    results = prune_retired(scope="project", project_root=tmp_path, targets=["claude-code"])
+
+    assert claude_path.exists(), "prune must NOT delete unmanaged files when manifest exists"
+    result_for_name = [r for r in results if r.skill == retired_name and r.kind == "claude-code"]
+    assert result_for_name, "should still report a result for the retired skill"
+    assert result_for_name[0].action == "absent"
+
+
+def test_status_reports_stale_and_modified(tmp_path: Path, monkeypatch: pytest.MonkeyPatch):
+    """status distinguishes current / stale (bundled content moved on) / modified (user edited)."""
+    import hashlib
+    import json as _json
+
+    from comfy_cli.skills import read_manifest, write_manifest
+    from comfy_cli.skills.command import app
+
+    # status_cmd resolves project_root from Path.cwd() — point it at tmp_path.
+    monkeypatch.chdir(tmp_path)
+
+    runner = CliRunner()
+
+    def _invoke_status():
+        """Re-arm the JSON renderer for each CliRunner invocation (each creates a new stdout)."""
+        _force_json_renderer()
+        try:
+            result = runner.invoke(app, ["status", "--scope", "project"])
+        finally:
+            reset_renderer_for_testing()
+        return result
+
+    try:
+        # Step 1: install comfy-debug into claude-code only, then check status.
+        install(scope="project", project_root=tmp_path, skills=["comfy-debug"], targets=["claude-code"])
+        result = _invoke_status()
+        assert result.exit_code == 0, result.output
+        lines = [ln for ln in result.output.splitlines() if ln.strip()]
+        envelope = _json.loads(lines[-1])
+        rows = envelope["data"]["targets"]
+        debug_row = next((r for r in rows if r["skill"] == "comfy-debug" and r["kind"] == "claude-code"), None)
+        assert debug_row is not None
+        assert debug_row["state"] == "current"
+
+        # Step 2: edit the installed file — state should become 'modified'.
+        installed_path = tmp_path / ".claude" / "skills" / "comfy-debug" / "SKILL.md"
+        installed_path.write_text(installed_path.read_text(encoding="utf-8") + "\n# user edit\n", encoding="utf-8")
+
+        result2 = _invoke_status()
+        assert result2.exit_code == 0, result2.output
+        lines2 = [ln for ln in result2.output.splitlines() if ln.strip()]
+        envelope2 = _json.loads(lines2[-1])
+        rows2 = envelope2["data"]["targets"]
+        debug_row2 = next((r for r in rows2 if r["skill"] == "comfy-debug" and r["kind"] == "claude-code"), None)
+        assert debug_row2 is not None
+        assert debug_row2["state"] == "modified"
+
+        # Step 3: restore the file to bundled content but with an old (stale) manifest hash.
+        # file sha == manifest sha != bundled sha  →  state == 'stale'
+        stale_content = "# stale version of the skill\n"
+        installed_path.write_text(stale_content, encoding="utf-8")
+        manifest = read_manifest()
+        manifest[str(installed_path)] = {
+            "skill": "comfy-debug",
+            "sha256": hashlib.sha256(stale_content.encode("utf-8")).hexdigest(),
+            "cli_version": "0.0.0",
+        }
+        write_manifest(manifest)
+
+        result3 = _invoke_status()
+        assert result3.exit_code == 0, result3.output
+        lines3 = [ln for ln in result3.output.splitlines() if ln.strip()]
+        envelope3 = _json.loads(lines3[-1])
+        rows3 = envelope3["data"]["targets"]
+        debug_row3 = next((r for r in rows3 if r["skill"] == "comfy-debug" and r["kind"] == "claude-code"), None)
+        assert debug_row3 is not None
+        assert debug_row3["state"] == "stale"
+    finally:
+        reset_renderer_for_testing()
diff --git a/tests/comfy_cli/test_credentials.py b/tests/comfy_cli/test_credentials.py
new file mode 100644
index 00000000..2b0d5b5c
--- /dev/null
+++ b/tests/comfy_cli/test_credentials.py
@@ -0,0 +1,331 @@
+"""Tests for the single shared credential resolver (`comfy_cli.credentials`).
+
+Two test groups:
+
+1. A behavior matrix over (explicit flag, OAuth session state, env var,
+   stored key) × purpose, pinning the precedence order and the per-purpose
+   differences (env var name, value stripping) that previously lived in four
+   hand-rolled chains.
+
+2. A "no direct reads" ratchet: an AST scan asserting that no module under
+   ``comfy_cli/`` (outside the resolver itself and the auth/oauth internals)
+   reads ``COMFY_API_KEY``/``COMFY_CLOUD_API_KEY`` from the environment or
+   calls ``get_cloud_session``/``ensure_fresh_session`` directly — so the
+   chains can never drift apart again.
+"""
+
+from __future__ import annotations
+
+import ast
+from pathlib import Path
+from unittest.mock import MagicMock
+
+import pytest
+
+from comfy_cli import credentials
+from comfy_cli.auth import store as auth_store
+from comfy_cli.cloud import oauth
+from comfy_cli.credentials import (
+    CLOUD_API_KEY_PROVIDER,
+    Credential,
+    find_api_key,
+    get_session,
+    resolve_cloud_credential,
+)
+
+# ---------------------------------------------------------------------------
+# helpers
+# ---------------------------------------------------------------------------
+
+
+def _session(*, expired: bool = False, base_url: str = "https://cloud.comfy.org", token: str = "oauth-token-123"):
+    s = MagicMock()
+    s.is_expired.return_value = expired
+    s.access_token = token
+    s.base_url = base_url
+    return s
+
+
+@pytest.fixture
+def clean_env(monkeypatch: pytest.MonkeyPatch):
+    """No ambient credentials: no env vars, no stored key, no session."""
+    monkeypatch.delenv("COMFY_CLOUD_API_KEY", raising=False)
+    monkeypatch.delenv("COMFY_API_KEY", raising=False)
+    monkeypatch.setattr(auth_store, "get", lambda _provider: None)
+    monkeypatch.setattr(auth_store, "get_cloud_session", lambda: None)
+    monkeypatch.setattr(oauth, "ensure_fresh_session", lambda **kw: None)
+    return monkeypatch
+
+
+def _stored(key: str):
+    record = MagicMock()
+    record.key = key
+    return lambda name: record if name == CLOUD_API_KEY_PROVIDER else None
+
+
+ENV_VAR = {"cloud": "COMFY_CLOUD_API_KEY", "partner": "COMFY_API_KEY"}
+OTHER_ENV_VAR = {"cloud": "COMFY_API_KEY", "partner": "COMFY_CLOUD_API_KEY"}
+
+
+# ---------------------------------------------------------------------------
+# 1. behavior matrix
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.parametrize("purpose", ["cloud", "partner"])
+class TestPrecedence:
+    def test_nothing_configured_returns_none(self, purpose, clean_env):
+        assert resolve_cloud_credential(purpose=purpose) is None
+
+    def test_explicit_flag_wins_over_everything(self, purpose, clean_env):
+        clean_env.setenv(ENV_VAR[purpose], "env-key")
+        clean_env.setattr(auth_store, "get", _stored("stored-key"))
+        clean_env.setattr(oauth, "ensure_fresh_session", lambda **kw: _session())
+        cred = resolve_cloud_credential(purpose=purpose, explicit="flag-key")
+        assert cred == Credential(kind="api_key", value="flag-key", source="flag")
+
+    def test_explicit_flag_is_stripped(self, purpose, clean_env):
+        cred = resolve_cloud_credential(purpose=purpose, explicit="  flag-key \n")
+        assert cred is not None
+        assert cred.value == "flag-key"
+
+    def test_whitespace_only_explicit_is_ignored(self, purpose, clean_env):
+        clean_env.setenv(ENV_VAR[purpose], "env-key")
+        cred = resolve_cloud_credential(purpose=purpose, explicit="   \n\t")
+        assert cred is not None
+        assert cred.source == f"env:{ENV_VAR[purpose]}"
+
+    def test_live_session_outranks_env_and_stored(self, purpose, clean_env):
+        clean_env.setenv(ENV_VAR[purpose], "env-key")
+        clean_env.setattr(auth_store, "get", _stored("stored-key"))
+        clean_env.setattr(oauth, "ensure_fresh_session", lambda **kw: _session(token="live-token"))
+        cred = resolve_cloud_credential(purpose=purpose)
+        assert cred == Credential(kind="oauth", value="live-token", source="session")
+
+    def test_expired_session_falls_through_to_env(self, purpose, clean_env):
+        clean_env.setenv(ENV_VAR[purpose], "env-key")
+        clean_env.setattr(oauth, "ensure_fresh_session", lambda **kw: _session(expired=True))
+        cred = resolve_cloud_credential(purpose=purpose)
+        assert cred == Credential(kind="api_key", value="env-key", source=f"env:{ENV_VAR[purpose]}")
+
+    def test_env_outranks_stored(self, purpose, clean_env):
+        clean_env.setenv(ENV_VAR[purpose], "env-key")
+        clean_env.setattr(auth_store, "get", _stored("stored-key"))
+        cred = resolve_cloud_credential(purpose=purpose)
+        assert cred is not None
+        assert cred.value == "env-key"
+        assert cred.kind == "api_key"
+
+    def test_stored_key_is_last_resort(self, purpose, clean_env):
+        clean_env.setattr(auth_store, "get", _stored("stored-key"))
+        cred = resolve_cloud_credential(purpose=purpose)
+        assert cred == Credential(kind="api_key", value="stored-key", source=f"stored:{CLOUD_API_KEY_PROVIDER}")
+
+    def test_other_purposes_env_var_is_ignored(self, purpose, clean_env):
+        clean_env.setenv(OTHER_ENV_VAR[purpose], "wrong-key")
+        assert resolve_cloud_credential(purpose=purpose) is None
+
+    def test_refresh_true_uses_ensure_fresh_session(self, purpose, clean_env):
+        calls = []
+
+        def fake_refresh(**kw):
+            calls.append(1)
+            return _session(token="refreshed-token")
+
+        clean_env.setattr(oauth, "ensure_fresh_session", fake_refresh)
+        clean_env.setattr(
+            auth_store, "get_cloud_session", lambda: pytest.fail("refresh=True must not use get_cloud_session")
+        )
+        cred = resolve_cloud_credential(purpose=purpose, refresh=True)
+        assert calls == [1]
+        assert cred is not None
+        assert cred.value == "refreshed-token"
+
+    def test_refresh_false_uses_get_cloud_session_without_refresh(self, purpose, clean_env):
+        clean_env.setattr(auth_store, "get_cloud_session", lambda: _session(token="stored-session-token"))
+        clean_env.setattr(oauth, "ensure_fresh_session", lambda **kw: pytest.fail("refresh=False must not refresh"))
+        cred = resolve_cloud_credential(purpose=purpose, refresh=False)
+        assert cred == Credential(kind="oauth", value="stored-session-token", source="session")
+
+    def test_session_with_empty_token_falls_through(self, purpose, clean_env):
+        clean_env.setattr(oauth, "ensure_fresh_session", lambda **kw: _session(token=""))
+        clean_env.setattr(auth_store, "get", _stored("stored-key"))
+        cred = resolve_cloud_credential(purpose=purpose)
+        assert cred is not None
+        assert cred.kind == "api_key"
+
+    def test_base_url_mismatch_skips_session(self, purpose, clean_env):
+        """The replay-guard: a session minted for another host is never sent."""
+        clean_env.setattr(oauth, "ensure_fresh_session", lambda **kw: _session(base_url="https://other.comfy.org"))
+        clean_env.setenv(ENV_VAR[purpose], "env-key")
+        cred = resolve_cloud_credential(purpose=purpose, base_url="https://cloud.comfy.org")
+        assert cred is not None
+        assert cred.kind == "api_key"
+        assert cred.value == "env-key"
+
+    def test_base_url_match_uses_session(self, purpose, clean_env):
+        clean_env.setattr(oauth, "ensure_fresh_session", lambda **kw: _session(base_url="https://cloud.comfy.org"))
+        cred = resolve_cloud_credential(purpose=purpose, base_url="https://cloud.comfy.org")
+        assert cred is not None
+        assert cred.kind == "oauth"
+
+    def test_no_base_url_means_no_replay_guard(self, purpose, clean_env):
+        clean_env.setattr(oauth, "ensure_fresh_session", lambda **kw: _session(base_url="https://other.comfy.org"))
+        cred = resolve_cloud_credential(purpose=purpose)
+        assert cred is not None
+        assert cred.kind == "oauth"
+
+
+class TestPurposeSpecificStripping:
+    """`partner` (the generate proxy) historically strips ambient keys and
+    treats whitespace-only values as absent; `cloud` passes them verbatim.
+    Encoded per-purpose to preserve each site's exact behavior."""
+
+    def test_partner_strips_env_value(self, clean_env):
+        clean_env.setenv("COMFY_API_KEY", "  sk-abc  ")
+        cred = resolve_cloud_credential(purpose="partner")
+        assert cred is not None
+        assert cred.value == "sk-abc"
+
+    def test_partner_whitespace_only_env_is_absent(self, clean_env):
+        clean_env.setenv("COMFY_API_KEY", "   \n\t")
+        assert resolve_cloud_credential(purpose="partner") is None
+
+    def test_partner_strips_stored_value(self, clean_env):
+        clean_env.setattr(auth_store, "get", _stored("  stored-key \n"))
+        cred = resolve_cloud_credential(purpose="partner")
+        assert cred is not None
+        assert cred.value == "stored-key"
+
+    def test_cloud_env_value_passed_verbatim(self, clean_env):
+        clean_env.setenv("COMFY_CLOUD_API_KEY", "  sk-abc  ")
+        cred = resolve_cloud_credential(purpose="cloud")
+        assert cred is not None
+        assert cred.value == "  sk-abc  "
+
+
+class TestFindApiKey:
+    """`find_api_key` checks only the ambient key sources (env → stored),
+    ignoring any OAuth session — whoami uses it to report an API key that is
+    present-but-outranked."""
+
+    def test_ignores_live_session(self, clean_env):
+        clean_env.setattr(oauth, "ensure_fresh_session", lambda **kw: _session())
+        clean_env.setattr(auth_store, "get_cloud_session", lambda: _session())
+        clean_env.setenv("COMFY_CLOUD_API_KEY", "env-key")
+        cred = find_api_key(purpose="cloud")
+        assert cred == Credential(kind="api_key", value="env-key", source="env:COMFY_CLOUD_API_KEY")
+
+    def test_stored_fallback(self, clean_env):
+        clean_env.setattr(auth_store, "get", _stored("stored-key"))
+        cred = find_api_key(purpose="cloud")
+        assert cred is not None
+        assert cred.source == f"stored:{CLOUD_API_KEY_PROVIDER}"
+
+    def test_none_when_absent(self, clean_env):
+        assert find_api_key(purpose="cloud") is None
+
+
+class TestGetSession:
+    """`get_session` is the single read gateway to the stored OAuth session."""
+
+    def test_refresh_true_delegates_to_ensure_fresh_session(self, clean_env):
+        marker = _session()
+        clean_env.setattr(oauth, "ensure_fresh_session", lambda **kw: marker)
+        assert get_session(refresh=True) is marker
+
+    def test_refresh_false_delegates_to_get_cloud_session(self, clean_env):
+        marker = _session()
+        clean_env.setattr(auth_store, "get_cloud_session", lambda: marker)
+        clean_env.setattr(oauth, "ensure_fresh_session", lambda **kw: pytest.fail("refresh=False must not refresh"))
+        assert get_session(refresh=False) is marker
+
+    def test_force_threads_through_to_ensure_fresh_session(self, clean_env):
+        """The reactive 401 path passes force=True; it must reach the refresher
+        even when refresh defaults are otherwise off."""
+        seen = {}
+
+        def _refresh(**kw):
+            seen.update(kw)
+            return _session(token="forced")
+
+        clean_env.setattr(oauth, "ensure_fresh_session", _refresh)
+        cred = get_session(refresh=False, force=True)
+        assert seen.get("force") is True
+        assert cred is not None and cred.access_token == "forced"
+
+
+# ---------------------------------------------------------------------------
+# 2. no-direct-reads ratchet
+# ---------------------------------------------------------------------------
+
+PACKAGE_ROOT = Path(credentials.__file__).resolve().parent
+
+# Files allowed to touch the raw credential sources:
+#   - credentials.py is the resolver itself.
+#   - auth/ holds the secret store (defines get_cloud_session).
+#   - cloud/oauth.py defines ensure_fresh_session and the refresh flow.
+ALLOWED = {
+    "credentials.py",
+    "cloud/oauth.py",
+}
+ALLOWED_DIRS = {"auth"}
+
+# FROZEN allowlist for call sites that could not be migrated yet. Adding to
+# this list is a ratchet violation — migrate the new code to
+# `comfy_cli.credentials` instead. (Currently empty: all known readers were
+# migrated when the resolver was introduced.)
+FROZEN_ALLOWLIST: set[str] = set()
+
+ENV_VARS = {"COMFY_API_KEY", "COMFY_CLOUD_API_KEY"}
+SESSION_FUNCS = {"get_cloud_session", "ensure_fresh_session"}
+
+
+def _is_environ_node(node: ast.expr) -> bool:
+    """True for `os.environ` / bare `environ` references."""
+    if isinstance(node, ast.Attribute) and node.attr == "environ":
+        return True
+    return isinstance(node, ast.Name) and node.id == "environ"
+
+
+def _literal(node: ast.expr) -> str | None:
+    return node.value if isinstance(node, ast.Constant) and isinstance(node.value, str) else None
+
+
+def _violations_in(path: Path) -> list[str]:
+    tree = ast.parse(path.read_text(encoding="utf-8"), filename=str(path))
+    found: list[str] = []
+    for node in ast.walk(tree):
+        # os.environ.get("COMFY_..."), os.getenv("COMFY_...")
+        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
+            func = node.func
+            if func.attr == "get" and _is_environ_node(func.value) and node.args:
+                if _literal(node.args[0]) in ENV_VARS:
+                    found.append(f"{path}:{node.lineno}: os.environ.get({_literal(node.args[0])!r})")
+            if func.attr == "getenv" and node.args and _literal(node.args[0]) in ENV_VARS:
+                found.append(f"{path}:{node.lineno}: os.getenv({_literal(node.args[0])!r})")
+            if func.attr in SESSION_FUNCS:
+                found.append(f"{path}:{node.lineno}: call to {func.attr}()")
+        # bare get_cloud_session(...) / ensure_fresh_session(...)
+        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and node.func.id in SESSION_FUNCS:
+            found.append(f"{path}:{node.lineno}: call to {node.func.id}()")
+        # os.environ["COMFY_..."]
+        if isinstance(node, ast.Subscript) and _is_environ_node(node.value):
+            if _literal(node.slice) in ENV_VARS:
+                found.append(f"{path}:{node.lineno}: os.environ[{_literal(node.slice)!r}]")
+    return found
+
+
+def test_no_direct_credential_reads_outside_resolver():
+    violations: list[str] = []
+    for path in sorted(PACKAGE_ROOT.rglob("*.py")):
+        rel = path.relative_to(PACKAGE_ROOT).as_posix()
+        if rel in ALLOWED or rel in FROZEN_ALLOWLIST:
+            continue
+        if rel.split("/", 1)[0] in ALLOWED_DIRS:
+            continue
+        violations.extend(_violations_in(path))
+    assert not violations, (
+        "Direct credential reads found outside comfy_cli/credentials.py — "
+        "use resolve_cloud_credential / find_api_key / get_session instead:\n" + "\n".join(violations)
+    )
diff --git a/tests/comfy_cli/test_execution_errors.py b/tests/comfy_cli/test_execution_errors.py
new file mode 100644
index 00000000..520f2fab
--- /dev/null
+++ b/tests/comfy_cli/test_execution_errors.py
@@ -0,0 +1,115 @@
+"""Tests for execution-failure parsing/classification (comfy_cli.execution_errors).
+
+Pins the two contracts the June 2026 agent field test surfaced:
+
+1. The cloud API-node session-token expiry ("Unauthorized: Please login first
+   to use this node") classifies as ``transient_auth`` with a resubmit hint —
+   not as a generic ``execution_error``, and never as advice to re-login.
+2. Envelope verdicts carry the one-line cause + a short traceback tail, never
+   the full raw server traceback (which used to land in the envelope twice).
+"""
+
+from __future__ import annotations
+
+import json
+
+from comfy_cli import error_codes, execution_errors
+
+_TRACEBACK = [
+    '  File "/app/comfyui/execution.py", line 455, in execute\n    raise ex\n',
+    '  File "/app/comfyui/comfy_api_nodes/util/client.py", line 163, in poll_op\n    raw = await poll_op_raw(\n',
+    '  File "/app/comfyui/comfy_api_nodes/util/client.py", line 436, in poll_op_raw\n    raise Exception(...)\n',
+]
+
+
+def _cloud_error_message(exception_message: str) -> str:
+    """Build the JSON-encoded error_message string the cloud status API returns."""
+    return json.dumps(
+        {
+            "exception_message": exception_message,
+            "exception_type": "Exception",
+            "node_id": "1",
+            "node_type": "KlingImage2VideoNode",
+            "traceback": _TRACEBACK,
+        }
+    )
+
+
+# --- parse_error_message ----------------------------------------------------
+
+
+def test_parse_json_encoded_string():
+    parsed = execution_errors.parse_error_message(_cloud_error_message("boom"))
+    assert parsed["exception_message"] == "boom"
+    assert parsed["node_type"] == "KlingImage2VideoNode"
+    assert parsed["node_id"] == "1"
+    assert parsed["exception_type"] == "Exception"
+
+
+def test_parse_truncates_traceback_to_tail():
+    parsed = execution_errors.parse_error_message(_cloud_error_message("boom"))
+    assert parsed["traceback_tail"] == _TRACEBACK[-2:]
+
+
+def test_parse_accepts_decoded_dict():
+    parsed = execution_errors.parse_error_message({"exception_message": "x", "node_type": "T"})
+    assert parsed["exception_message"] == "x"
+    assert parsed["node_type"] == "T"
+
+
+def test_parse_plain_text_and_none():
+    assert execution_errors.parse_error_message("plain failure\n") == {"exception_message": "plain failure"}
+    assert execution_errors.parse_error_message(None) == {"exception_message": ""}
+
+
+def test_parse_non_dict_json_falls_back_to_text():
+    assert execution_errors.parse_error_message('["a", "b"]') == {"exception_message": '["a", "b"]'}
+
+
+# --- classify ---------------------------------------------------------------
+
+
+def test_transient_auth_direct():
+    raw = _cloud_error_message("Unauthorized: Please login first to use this node.\n")
+    verdict = execution_errors.classify(raw)
+    assert verdict["code"] == "transient_auth"
+    assert "resubmit" in verdict["hint"]
+    assert "cloud login" in verdict["hint"]
+
+
+def test_transient_auth_wrapped_in_polling_abort():
+    raw = _cloud_error_message("Polling aborted due to error: Unauthorized: Please login first to use this node.\n")
+    verdict = execution_errors.classify(raw)
+    assert verdict["code"] == "transient_auth"
+
+
+def test_ordinary_failure_stays_execution_error():
+    raw = _cloud_error_message("The 'grok-imagine-video-1.5' model requires an input image.")
+    verdict = execution_errors.classify(raw)
+    assert verdict["code"] == "execution_error"
+
+
+def test_message_is_one_line_with_node_prefix():
+    raw = _cloud_error_message("boom")
+    verdict = execution_errors.classify(raw)
+    assert verdict["message"] == "KlingImage2VideoNode (node 1): boom"
+
+
+def test_verdict_never_carries_full_traceback():
+    raw = _cloud_error_message("boom")
+    verdict = execution_errors.classify(raw)
+    assert "traceback" not in verdict["details"]
+    assert verdict["details"]["traceback_tail"] == _TRACEBACK[-2:]
+    # The frames above the tail are gone from the verdict entirely.
+    assert _TRACEBACK[0] not in json.dumps(verdict)
+
+
+def test_classify_handles_empty_input():
+    verdict = execution_errors.classify(None)
+    assert verdict["code"] == "execution_error"
+    assert verdict["message"] == "ComfyUI reported an execution error."
+
+
+def test_verdict_codes_are_registered():
+    for raw in (None, _cloud_error_message("Unauthorized: Please login first to use this node.")):
+        assert error_codes.is_registered(execution_errors.classify(raw)["code"])
diff --git a/tests/comfy_cli/test_feedback_commands.py b/tests/comfy_cli/test_feedback_commands.py
new file mode 100644
index 00000000..588b2c41
--- /dev/null
+++ b/tests/comfy_cli/test_feedback_commands.py
@@ -0,0 +1,119 @@
+"""CLI envelope tests for ``comfy feedback`` and ``comfy agent-review``.
+
+These pin the agent-facing contract: JSON mode emits a single ``{sent, ...}``
+envelope, a missing inline message in JSON mode is a structured error, and the
+underlying ``tracking`` helpers receive exactly what the user typed. The
+delivery/consent logic itself lives in test_tracking.py — here we only assert
+the command layer wires through correctly.
+"""
+
+from __future__ import annotations
+
+import json
+
+import pytest
+import typer
+
+from comfy_cli import cmdline, tracking
+from comfy_cli.caller import Caller
+from comfy_cli.output.renderer import OutputMode, Renderer, set_renderer
+
+
+def _force_renderer(mode: OutputMode) -> Renderer:
+    r = Renderer.resolve(
+        is_stdout_tty=False,
+        env={},
+        caller=Caller(kind="user", agentic=False, source_env=None),
+        json_flag=(mode is OutputMode.JSON),
+    )
+    r.mode = mode
+    set_renderer(r)
+    return r
+
+
+def _last_envelope(capsys) -> dict:
+    out = capsys.readouterr().out.strip()
+    assert out, "expected an envelope on stdout"
+    return json.loads(out.splitlines()[-1])
+
+
+class TestFeedbackJson:
+    def test_oneshot_emits_sent_true(self, monkeypatch, capsys):
+        monkeypatch.setattr(tracking, "submit_feedback", lambda *a, **k: True)
+        _force_renderer(OutputMode.JSON)
+        cmdline.feedback(message="run is great")
+        env = _last_envelope(capsys)
+        assert env["ok"] is True
+        assert env["command"] == "feedback"
+        assert env["data"] == {"sent": True, "message": "run is great"}
+
+    def test_oneshot_relays_message_verbatim(self, monkeypatch, capsys):
+        captured: dict = {}
+        monkeypatch.setattr(tracking, "submit_feedback", lambda msg, **k: captured.update(msg=msg) or True)
+        _force_renderer(OutputMode.JSON)
+        cmdline.feedback(message="jobs watch needs an ETA")
+        assert captured["msg"] == "jobs watch needs an ETA"
+
+    def test_oneshot_sent_false_when_opted_out(self, monkeypatch, capsys):
+        monkeypatch.setattr(tracking, "submit_feedback", lambda *a, **k: False)
+        _force_renderer(OutputMode.JSON)
+        cmdline.feedback(message="anything")
+        env = _last_envelope(capsys)
+        assert env["data"]["sent"] is False
+
+    def test_missing_message_in_json_is_structured_error(self, monkeypatch, capsys):
+        monkeypatch.setattr(tracking, "submit_feedback", _fail_if_called("submit_feedback"))
+        _force_renderer(OutputMode.JSON)
+        with pytest.raises(typer.Exit):
+            cmdline.feedback(message=None)
+        env = _last_envelope(capsys)
+        assert env["ok"] is False
+        assert env["error"]["code"] == "feedback_message_required"
+
+
+class TestFeedbackPretty:
+    def test_oneshot_pretty_thanks(self, monkeypatch, capsys):
+        monkeypatch.setattr(tracking, "submit_feedback", lambda *a, **k: True)
+        _force_renderer(OutputMode.PRETTY)
+        cmdline.feedback(message="great tool")
+        captured = capsys.readouterr()
+        assert "Thank you" in (captured.out + captured.err)
+
+    def test_oneshot_pretty_disabled_notice(self, monkeypatch, capsys):
+        monkeypatch.setattr(tracking, "submit_feedback", lambda *a, **k: False)
+        _force_renderer(OutputMode.PRETTY)
+        cmdline.feedback(message="great tool")
+        captured = capsys.readouterr()
+        assert "not sent" in (captured.out + captured.err).lower()
+
+
+class TestAgentReviewJson:
+    def test_emits_sent_true(self, monkeypatch, capsys):
+        monkeypatch.setattr(tracking, "submit_agent_review", lambda *a, **k: True)
+        _force_renderer(OutputMode.JSON)
+        cmdline.agent_review(summary="user shipped a clip after one retry")
+        env = _last_envelope(capsys)
+        assert env["ok"] is True
+        assert env["command"] == "agent-review"
+        assert env["data"] == {"sent": True, "summary": "user shipped a clip after one retry"}
+
+    def test_relays_summary_verbatim(self, monkeypatch, capsys):
+        captured: dict = {}
+        monkeypatch.setattr(tracking, "submit_agent_review", lambda s, **k: captured.update(s=s) or True)
+        _force_renderer(OutputMode.JSON)
+        cmdline.agent_review(summary="hit a missing-model error then succeeded")
+        assert captured["s"] == "hit a missing-model error then succeeded"
+
+    def test_sent_false_when_consent_gated_off(self, monkeypatch, capsys):
+        monkeypatch.setattr(tracking, "submit_agent_review", lambda *a, **k: False)
+        _force_renderer(OutputMode.JSON)
+        cmdline.agent_review(summary="anything")
+        env = _last_envelope(capsys)
+        assert env["data"]["sent"] is False
+
+
+def _fail_if_called(name: str):
+    def _boom(*_a, **_k):
+        raise AssertionError(f"{name} must not be called on the error path")
+
+    return _boom
diff --git a/tests/comfy_cli/test_jobs_state.py b/tests/comfy_cli/test_jobs_state.py
new file mode 100644
index 00000000..fee603b6
--- /dev/null
+++ b/tests/comfy_cli/test_jobs_state.py
@@ -0,0 +1,129 @@
+"""On-disk job state: round-trips + terminal handling."""
+
+from __future__ import annotations
+
+import json
+
+from comfy_cli import jobs_state
+
+# The autouse ``_isolate_jobs_state_dir`` fixture in ``tests/comfy_cli/conftest.py``
+# pins ``jobs_state.state_dir`` to a per-test tmp path. No local fixture needed.
+
+
+class TestRoundTrip:
+    def test_new_and_read_returns_equal_state(self):
+        s = jobs_state.new(
+            prompt_id="abc-123",
+            client_id="cid",
+            workflow="/tmp/x.json",
+            where="local",
+            host="127.0.0.1",
+            port=8188,
+        )
+        jobs_state.write(s)
+        loaded = jobs_state.read("abc-123")
+        assert loaded is not None
+        assert loaded.prompt_id == "abc-123"
+        assert loaded.workflow == "/tmp/x.json"
+        assert loaded.status == "queued"
+        assert loaded.host == "127.0.0.1"
+
+    def test_read_missing_returns_none(self):
+        assert jobs_state.read("nonexistent") is None
+
+    def test_read_tolerates_unknown_keys(self):
+        s = jobs_state.new(prompt_id="x", client_id=None, workflow="/w.json", where="local")
+        jobs_state.write(s)
+        path = jobs_state.state_path("x")
+        data = json.loads(path.read_text())
+        data["future_field_we_dont_know_about"] = "ignored"
+        path.write_text(json.dumps(data))
+        loaded = jobs_state.read("x")
+        assert loaded is not None
+        assert loaded.prompt_id == "x"
+
+    def test_read_tolerates_corrupt_json(self):
+        path = jobs_state.state_path("garbage")
+        path.parent.mkdir(parents=True, exist_ok=True)
+        path.write_text("{ not valid json")
+        assert jobs_state.read("garbage") is None
+
+    def test_record_and_item_map_round_trip(self):
+        record = {
+            "status": {"completed": True, "status_str": "success"},
+            "outputs": {"9": {"images": [{"filename": "a.png", "subfolder": "", "type": "output"}]}},
+        }
+        item_map = {"s1": {"nodes": ["7", "9"], "save_node": "9", "prefix": "outputs/story/s1"}}
+        s = jobs_state.new(prompt_id="rt", client_id=None, workflow="/w.json", where="cloud")
+        s.status = "completed"
+        s.record = record
+        s.item_map = item_map
+        jobs_state.write(s)
+        loaded = jobs_state.read("rt")
+        assert loaded is not None
+        assert loaded.record == record
+        assert loaded.item_map == item_map
+
+    def test_legacy_file_without_record_fields_reads_none(self):
+        # State files written before record/item_map existed must load with
+        # both defaulting to None — not crash, not KeyError.
+        s = jobs_state.new(prompt_id="legacy", client_id=None, workflow="/w.json", where="cloud")
+        jobs_state.write(s)
+        path = jobs_state.state_path("legacy")
+        data = json.loads(path.read_text())
+        data.pop("record", None)
+        data.pop("item_map", None)
+        path.write_text(json.dumps(data))
+        loaded = jobs_state.read("legacy")
+        assert loaded is not None
+        assert loaded.record is None
+        assert loaded.item_map is None
+
+
+class TestTerminal:
+    def test_completed_marks_completed_at(self):
+        s = jobs_state.new(prompt_id="x", client_id=None, workflow="/w.json", where="local")
+        s.status = "completed"
+        s.outputs = ["https://example/img.png"]
+        jobs_state.write(s)
+        loaded = jobs_state.read("x")
+        assert loaded.completed_at is not None
+        assert loaded.is_terminal is True
+
+    def test_running_does_not_mark_completed_at(self):
+        s = jobs_state.new(prompt_id="x", client_id=None, workflow="/w.json", where="local")
+        s.status = "running"
+        jobs_state.write(s)
+        loaded = jobs_state.read("x")
+        assert loaded.completed_at is None
+        assert loaded.is_terminal is False
+
+    def test_terminal_statuses_enum(self):
+        # Pin the closed set so a typo in any caller is caught.
+        assert jobs_state.TERMINAL_STATUSES == frozenset({"completed", "error", "cancelled"})
+
+
+class TestPath:
+    def test_prompt_id_with_slashes_is_safe(self):
+        # If a backend ever returns a slashy id, we shouldn't escape the dir.
+        s = jobs_state.new(prompt_id="weird/id", client_id=None, workflow="/w.json", where="local")
+        jobs_state.write(s)
+        loaded = jobs_state.read("weird/id")
+        assert loaded is not None
+        # File lives inside state_dir, no traversal.
+        path = jobs_state.state_path("weird/id")
+        assert path.parent == jobs_state.state_dir()
+
+
+class TestAtomicity:
+    def test_repeated_writes_replace_not_append(self):
+        s = jobs_state.new(prompt_id="x", client_id=None, workflow="/w.json", where="local")
+        jobs_state.write(s)
+        s.status = "running"
+        jobs_state.write(s)
+        s.status = "completed"
+        s.outputs = ["a", "b"]
+        jobs_state.write(s)
+        loaded = jobs_state.read("x")
+        assert loaded.status == "completed"
+        assert loaded.outputs == ["a", "b"]
diff --git a/tests/comfy_cli/test_launch_python_resolution.py b/tests/comfy_cli/test_launch_python_resolution.py
index 418cafb6..911c0193 100644
--- a/tests/comfy_cli/test_launch_python_resolution.py
+++ b/tests/comfy_cli/test_launch_python_resolution.py
@@ -46,7 +46,6 @@ def test_resolves_and_passes_python(self):
             patch.object(launch.workspace_manager, "workspace_type", launch.WorkspaceType.DEFAULT),
             patch.object(launch.workspace_manager, "config_manager", MagicMock()),
             patch.object(launch.workspace_manager, "set_recent_workspace"),
-            patch("comfy_cli.command.launch.check_for_updates"),
             patch("comfy_cli.command.launch.os.chdir"),
             patch("comfy_cli.command.launch.launch_comfyui") as mock_launch_comfyui,
         ):
diff --git a/tests/comfy_cli/test_project.py b/tests/comfy_cli/test_project.py
new file mode 100644
index 00000000..7aacc737
--- /dev/null
+++ b/tests/comfy_cli/test_project.py
@@ -0,0 +1,385 @@
+"""Unit tests for ``comfy_cli.project`` — the pure project/1 convention module.
+
+Everything runs against tmp_path. The module must never raise out of
+discovery or journaling: a stray/malformed ``comfy.yaml`` anywhere up the
+tree must not crash a non-project command, and a journaling failure must
+never fail a run.
+"""
+
+from __future__ import annotations
+
+import json
+import os
+
+import pytest
+
+from comfy_cli import project as project_mod
+from comfy_cli.project import (
+    CONVENTIONAL_DIRS,
+    Project,
+    find_project,
+    journal,
+    read_journal,
+    unknown_dirs,
+)
+
+MARKER = "schema: project/1\ndefaults:\n  where: cloud\n"
+
+
+def _make_project(tmp_path) -> Project:
+    # A dedicated subdir: the autouse conftest fixtures plant their own
+    # dirs (comfy-cli-config/, jobs/) directly in tmp_path.
+    root = tmp_path / "proj"
+    root.mkdir(exist_ok=True)
+    (root / "comfy.yaml").write_text(MARKER)
+    p = find_project(root)
+    assert p is not None
+    return p
+
+
+# ---------------------------------------------------------------------------
+# find_project — walk-up discovery
+# ---------------------------------------------------------------------------
+
+
+class TestFindProject:
+    def test_finds_marker_in_start_dir(self, tmp_path):
+        (tmp_path / "comfy.yaml").write_text(MARKER)
+        p = find_project(tmp_path)
+        assert p is not None
+        assert p.root == tmp_path.resolve()
+        assert p.config["schema"] == "project/1"
+        assert p.config["defaults"] == {"where": "cloud"}
+
+    def test_walks_up_from_nested_dir(self, tmp_path):
+        (tmp_path / "comfy.yaml").write_text(MARKER)
+        nested = tmp_path / "blueprints" / "deep" / "deeper"
+        nested.mkdir(parents=True)
+        p = find_project(nested)
+        assert p is not None
+        assert p.root == tmp_path.resolve()
+
+    def test_stops_at_first_valid_marker(self, tmp_path):
+        # Inner project shadows the outer one when starting inside it.
+        (tmp_path / "comfy.yaml").write_text(MARKER)
+        inner = tmp_path / "sub"
+        inner.mkdir()
+        (inner / "comfy.yaml").write_text(MARKER)
+        p = find_project(inner)
+        assert p is not None
+        assert p.root == inner.resolve()
+
+    def test_no_marker_returns_none(self, tmp_path):
+        nested = tmp_path / "a" / "b"
+        nested.mkdir(parents=True)
+        assert find_project(nested) is None
+
+    def test_malformed_yaml_skipped_and_walk_continues(self, tmp_path):
+        (tmp_path / "comfy.yaml").write_text(MARKER)
+        mid = tmp_path / "mid"
+        mid.mkdir()
+        (mid / "comfy.yaml").write_text("{::: not yaml :::")
+        p = find_project(mid)
+        assert p is not None
+        assert p.root == tmp_path.resolve()  # malformed level skipped, kept walking
+
+    def test_wrong_schema_skipped_and_walk_continues(self, tmp_path):
+        (tmp_path / "comfy.yaml").write_text(MARKER)
+        mid = tmp_path / "mid"
+        mid.mkdir()
+        (mid / "comfy.yaml").write_text("schema: project/999\n")
+        p = find_project(mid)
+        assert p is not None
+        assert p.root == tmp_path.resolve()
+
+    def test_non_dict_yaml_skipped(self, tmp_path):
+        (tmp_path / "comfy.yaml").write_text("- just\n- a\n- list\n")
+        assert find_project(tmp_path) is None
+
+    def test_missing_schema_key_skipped(self, tmp_path):
+        # A stray comfy.yaml that isn't a project marker (e.g. some other
+        # tool's config) must be ignored, never crash.
+        (tmp_path / "comfy.yaml").write_text("foo: bar\n")
+        assert find_project(tmp_path) is None
+
+    @pytest.mark.skipif(os.geteuid() == 0, reason="root ignores file modes")
+    def test_unreadable_marker_skipped_and_walk_continues(self, tmp_path):
+        (tmp_path / "comfy.yaml").write_text(MARKER)
+        mid = tmp_path / "mid"
+        mid.mkdir()
+        unreadable = mid / "comfy.yaml"
+        unreadable.write_text(MARKER)
+        unreadable.chmod(0o000)
+        try:
+            p = find_project(mid)
+        finally:
+            unreadable.chmod(0o644)
+        assert p is not None
+        assert p.root == tmp_path.resolve()
+
+    def test_defaults_to_cwd(self, tmp_path, monkeypatch):
+        (tmp_path / "comfy.yaml").write_text(MARKER)
+        monkeypatch.chdir(tmp_path)
+        p = find_project()
+        assert p is not None
+        assert p.root == tmp_path.resolve()
+
+
+# ---------------------------------------------------------------------------
+# unknown_dirs — warnings-only convention check
+# ---------------------------------------------------------------------------
+
+
+class TestUnknownDirs:
+    def test_conventional_dirs_are_known(self, tmp_path):
+        p = _make_project(tmp_path)
+        for d in CONVENTIONAL_DIRS:
+            (p.root / d).mkdir()
+        assert unknown_dirs(p) == []
+
+    def test_flags_unconventional_top_level_dirs(self, tmp_path):
+        p = _make_project(tmp_path)
+        (p.root / "assets").mkdir()
+        (p.root / "scratch").mkdir()
+        (p.root / "renders").mkdir()
+        assert unknown_dirs(p) == ["renders", "scratch"]
+
+    def test_hidden_dirs_and_files_are_ignored(self, tmp_path):
+        p = _make_project(tmp_path)
+        (p.root / ".git").mkdir()
+        (p.root / ".comfy").mkdir()
+        (p.root / "notes.md").write_text("files are fine anywhere")
+        assert unknown_dirs(p) == []
+
+
+# ---------------------------------------------------------------------------
+# journal / read_journal — best-effort run provenance
+# ---------------------------------------------------------------------------
+
+
+class TestJournal:
+    def test_append_read_round_trip(self, tmp_path):
+        p = _make_project(tmp_path)
+        journal(p, cmd="run", prompt_id="abc", where="cloud")
+
+        events = read_journal(p)
+        assert len(events) == 1
+        ev = events[0]
+        assert ev["cmd"] == "run"
+        assert ev["prompt_id"] == "abc"
+        assert ev["where"] == "cloud"
+        # ts auto-added: UTC ISO-8601 at seconds precision.
+        assert "ts" in ev
+        assert "T" in ev["ts"]
+        assert "." not in ev["ts"]  # timespec="seconds"
+
+    def test_journal_creates_comfy_dir(self, tmp_path):
+        p = _make_project(tmp_path)
+        assert not (p.root / ".comfy").exists()
+        journal(p, cmd="compose")
+        assert (p.root / ".comfy" / "runs.jsonl").is_file()
+
+    def test_newest_last_and_limit(self, tmp_path):
+        p = _make_project(tmp_path)
+        for i in range(25):
+            journal(p, cmd="run", seq=i)
+        events = read_journal(p, limit=20)
+        assert len(events) == 20
+        assert events[-1]["seq"] == 24  # newest last
+        assert events[0]["seq"] == 5
+
+    def test_corrupt_journal_line_skipped(self, tmp_path):
+        p = _make_project(tmp_path)
+        journal(p, cmd="run", seq=0)
+        path = p.root / ".comfy" / "runs.jsonl"
+        with path.open("a", encoding="utf-8") as fh:
+            fh.write("{not json\n")
+            fh.write('"a bare string"\n')
+        journal(p, cmd="run", seq=1)
+
+        events = read_journal(p)
+        assert [e["seq"] for e in events] == [0, 1]
+
+    def test_read_journal_missing_file_returns_empty(self, tmp_path):
+        p = _make_project(tmp_path)
+        assert read_journal(p) == []
+
+    @pytest.mark.skipif(os.geteuid() == 0, reason="root ignores file modes")
+    def test_journal_never_raises_on_readonly_dir(self, tmp_path):
+        p = _make_project(tmp_path)
+        comfy_dir = p.root / ".comfy"
+        comfy_dir.mkdir()
+        comfy_dir.chmod(0o500)
+        try:
+            journal(p, cmd="run")  # must swallow the OSError
+        finally:
+            comfy_dir.chmod(0o755)
+        assert read_journal(p) == []
+
+    def test_journal_never_raises_on_unserializable_event(self, tmp_path):
+        p = _make_project(tmp_path)
+        journal(p, cmd="run", weird=object())  # default=str or swallowed — never raises
+
+    def test_journal_module_is_pure(self):
+        # Mirror fragments.py's purity: no typer/renderer imports at module level.
+        import sys
+
+        src = (project_mod.__file__ and open(project_mod.__file__).read()) or ""
+        assert "import typer" not in src
+        assert "comfy_cli.output" not in src
+        assert project_mod.__name__ in sys.modules
+
+
+# ---------------------------------------------------------------------------
+# make_asset_resolver — `$asset.<name>` → cloud_name via the push lock
+# ---------------------------------------------------------------------------
+
+
+def _write_lock(root, assets: dict) -> None:
+    (root / ".comfy").mkdir(exist_ok=True)
+    (root / ".comfy" / "assets.lock.json").write_text(json.dumps({"schema": "assets-lock/1", "assets": assets}))
+
+
+def _add_asset(root, name: str, data: bytes) -> str:
+    path = root / "assets" / name
+    path.parent.mkdir(parents=True, exist_ok=True)
+    path.write_bytes(data)
+    import hashlib
+
+    return hashlib.sha256(data).hexdigest()
+
+
+class TestMakeAssetResolver:
+    def test_asset_error_is_a_blueprint_error(self):
+        from comfy_cli.fragments import AssetError, BlueprintError
+
+        assert issubclass(AssetError, BlueprintError)
+
+    def test_resolves_pushed_asset_to_cloud_name(self, tmp_path):
+        p = _make_project(tmp_path)
+        sha = _add_asset(p.root, "keyframes/s1.png", b"png-bytes")
+        _write_lock(p.root, {"keyframes/s1.png": {"sha256": sha, "cloud_name": "ab12.png"}})
+
+        resolve = project_mod.make_asset_resolver(p)
+        assert resolve("keyframes/s1.png") == "ab12.png"
+
+    def test_missing_lock_file_raises_not_pushed(self, tmp_path):
+        from comfy_cli.fragments import AssetError
+
+        p = _make_project(tmp_path)
+        _add_asset(p.root, "a.png", b"x")
+
+        resolve = project_mod.make_asset_resolver(p)
+        with pytest.raises(AssetError) as exc:
+            resolve("a.png")
+        assert exc.value.code == "asset_not_pushed"
+        assert exc.value.hint == "run: comfy assets push"
+
+    def test_name_missing_from_lock_raises_not_pushed(self, tmp_path):
+        from comfy_cli.fragments import AssetError
+
+        p = _make_project(tmp_path)
+        sha = _add_asset(p.root, "a.png", b"x")
+        _write_lock(p.root, {"other.png": {"sha256": sha, "cloud_name": "zz.png"}})
+
+        with pytest.raises(AssetError) as exc:
+            project_mod.make_asset_resolver(p)("a.png")
+        assert exc.value.code == "asset_not_pushed"
+        assert exc.value.hint == "run: comfy assets push"
+
+    def test_file_missing_on_disk_raises_not_pushed(self, tmp_path):
+        from comfy_cli.fragments import AssetError
+
+        p = _make_project(tmp_path)
+        _write_lock(p.root, {"ghost.png": {"sha256": "0" * 64, "cloud_name": "gh.png"}})
+
+        with pytest.raises(AssetError) as exc:
+            project_mod.make_asset_resolver(p)("ghost.png")
+        assert exc.value.code == "asset_not_pushed"
+        assert exc.value.hint == "run: comfy assets push"
+
+    def test_sha_mismatch_raises_stale(self, tmp_path):
+        from comfy_cli.fragments import AssetError
+
+        p = _make_project(tmp_path)
+        _add_asset(p.root, "a.png", b"new-content")
+        _write_lock(p.root, {"a.png": {"sha256": "0" * 64, "cloud_name": "old.png"}})
+
+        with pytest.raises(AssetError) as exc:
+            project_mod.make_asset_resolver(p)("a.png")
+        assert exc.value.code == "asset_stale"
+        assert exc.value.hint == "run: comfy assets push"
+
+    def test_hashing_is_lazy_per_referenced_name(self, tmp_path):
+        """A broken lock entry for an UNREFERENCED name must not matter."""
+        p = _make_project(tmp_path)
+        sha = _add_asset(p.root, "good.png", b"good")
+        _write_lock(
+            p.root,
+            {
+                "good.png": {"sha256": sha, "cloud_name": "good-srv.png"},
+                "ghost.png": {"sha256": "0" * 64, "cloud_name": "gh.png"},  # no file on disk
+            },
+        )
+
+        assert project_mod.make_asset_resolver(p)("good.png") == "good-srv.png"
+
+
+# ---------------------------------------------------------------------------
+# make_var_resolver — `$var.<name>` → scalar from comfy.yaml `vars:`
+# ---------------------------------------------------------------------------
+
+
+def _make_project_with_vars(tmp_path, vars_yaml: str) -> Project:
+    root = tmp_path / "proj"
+    root.mkdir(exist_ok=True)
+    (root / "comfy.yaml").write_text(MARKER + vars_yaml)
+    p = find_project(root)
+    assert p is not None
+    return p
+
+
+class TestMakeVarResolver:
+    def test_var_error_is_a_blueprint_error_with_code(self):
+        from comfy_cli.fragments import BlueprintError, VarError
+
+        assert issubclass(VarError, BlueprintError)
+
+    def test_resolves_scalars_with_raw_types(self, tmp_path):
+        """$var returns the raw YAML scalar — int stays int, bool stays bool —
+        so non-STRING params keep their widget types."""
+        p = _make_project_with_vars(
+            tmp_path,
+            "vars:\n  style: cinematic, golden hour\n  steps: 28\n  cfg: 4.5\n  hires: true\n",
+        )
+        resolve = project_mod.make_var_resolver(p)
+        assert resolve("style") == "cinematic, golden hour"
+        assert resolve("steps") == 28 and isinstance(resolve("steps"), int)
+        assert resolve("cfg") == 4.5
+        assert resolve("hires") is True
+
+    def test_missing_name_raises_var_not_defined(self, tmp_path):
+        from comfy_cli.fragments import VarError
+
+        p = _make_project_with_vars(tmp_path, "vars:\n  style: x\n")
+        with pytest.raises(VarError) as exc:
+            project_mod.make_var_resolver(p)("nope")
+        assert exc.value.code == "var_not_defined"
+        assert "vars:" in (exc.value.hint or "")
+        assert str(p.root / "comfy.yaml") in (exc.value.hint or "")
+
+    def test_no_vars_block_treated_as_empty(self, tmp_path):
+        from comfy_cli.fragments import VarError
+
+        p = _make_project(tmp_path)
+        with pytest.raises(VarError) as exc:
+            project_mod.make_var_resolver(p)("style")
+        assert exc.value.code == "var_not_defined"
+
+    def test_non_mapping_vars_block_treated_as_empty(self, tmp_path):
+        from comfy_cli.fragments import VarError
+
+        p = _make_project_with_vars(tmp_path, "vars: [a, b]\n")
+        with pytest.raises(VarError) as exc:
+            project_mod.make_var_resolver(p)("a")
+        assert exc.value.code == "var_not_defined"
diff --git a/tests/comfy_cli/test_run_execution_lifecycle.py b/tests/comfy_cli/test_run_execution_lifecycle.py
index e2fe5ff1..fb5779cf 100644
--- a/tests/comfy_cli/test_run_execution_lifecycle.py
+++ b/tests/comfy_cli/test_run_execution_lifecycle.py
@@ -52,16 +52,16 @@ def test_emits_execution_start_then_success(self, runner, tracked_run):
 
         with patch("comfy_cli.cmdline.run_inner.execute") as mock_execute:
             mock_execute.return_value = None
-            result = runner.invoke(app, ["run", "--workflow", "wf.json"])
+            result = runner.invoke(app, ["run", "--workflow", "wf.json", "--where", "local", "--where", "local"])
 
-        assert result.exit_code == 0, f"stderr={result.stderr!r} exc={result.exception!r}"
+        assert result.exit_code == 0, f"stdout={result.output!r} exc={result.exception!r}"
         assert _event_names(tracked_run) == ["execution_start", "execution_success"]
 
     def test_execution_start_uses_mixpanel_name_run_alias(self, runner, tracked_run):
         from comfy_cli.cmdline import app
 
         with patch("comfy_cli.cmdline.run_inner.execute"):
-            runner.invoke(app, ["run", "--workflow", "wf.json"])
+            runner.invoke(app, ["run", "--workflow", "wf.json", "--where", "local"])
 
         # Only execution_start carries the alias; success/error do not.
         start_kwargs = next(kw for name, _, kw in tracked_run if name == "execution_start")
@@ -75,7 +75,19 @@ def test_properties_carry_workflow_and_other_kwargs(self, runner, tracked_run):
         with patch("comfy_cli.cmdline.run_inner.execute"):
             runner.invoke(
                 app,
-                ["run", "--workflow", "wf.json", "--timeout", "60", "--host", "1.2.3.4", "--port", "9000"],
+                [
+                    "run",
+                    "--workflow",
+                    "wf.json",
+                    "--where",
+                    "local",
+                    "--timeout",
+                    "60",
+                    "--host",
+                    "1.2.3.4",
+                    "--port",
+                    "9000",
+                ],
             )
 
         for name, props in _events(tracked_run):
@@ -94,7 +106,7 @@ def test_api_key_is_redacted_in_lifecycle_properties(self, runner, tracked_run,
         # Avoid env var leakage masking the redaction check.
         monkeypatch.delenv("COMFY_API_KEY", raising=False)
         with patch("comfy_cli.cmdline.run_inner.execute"):
-            runner.invoke(app, ["run", "--workflow", "wf.json", "--api-key", "sk-supersecret"])
+            runner.invoke(app, ["run", "--workflow", "wf.json", "--where", "local", "--api-key", "sk-supersecret"])
 
         for name, props in _events(tracked_run):
             assert props.get("api_key") == "<redacted>", f"{name} leaked api_key={props.get('api_key')!r}"
@@ -107,7 +119,7 @@ def test_typer_exit_1_emits_execution_error_with_exit_code(self, runner, tracked
 
         with patch("comfy_cli.cmdline.run_inner.execute") as mock_execute:
             mock_execute.side_effect = typer.Exit(code=1)
-            result = runner.invoke(app, ["run", "--workflow", "wf.json"])
+            result = runner.invoke(app, ["run", "--workflow", "wf.json", "--where", "local"])
 
         assert result.exit_code == 1
         names = _event_names(tracked_run)
@@ -124,7 +136,7 @@ def test_unexpected_exception_emits_execution_error(self, runner, tracked_run):
 
         with patch("comfy_cli.cmdline.run_inner.execute") as mock_execute:
             mock_execute.side_effect = ValueError("oops")
-            result = runner.invoke(app, ["run", "--workflow", "wf.json"])
+            result = runner.invoke(app, ["run", "--workflow", "wf.json", "--where", "local"])
 
         # The exception propagates; CliRunner surfaces it as a nonzero exit.
         assert result.exit_code != 0
@@ -141,7 +153,7 @@ def test_typer_exit_0_is_treated_as_success(self, runner, tracked_run):
 
         with patch("comfy_cli.cmdline.run_inner.execute") as mock_execute:
             mock_execute.side_effect = typer.Exit(code=0)
-            result = runner.invoke(app, ["run", "--workflow", "wf.json"])
+            result = runner.invoke(app, ["run", "--workflow", "wf.json", "--where", "local"])
 
         assert result.exit_code == 0
         assert _event_names(tracked_run) == ["execution_start", "execution_success"]
diff --git a/tests/comfy_cli/test_tracking.py b/tests/comfy_cli/test_tracking.py
index f642ee32..e1123f52 100644
--- a/tests/comfy_cli/test_tracking.py
+++ b/tests/comfy_cli/test_tracking.py
@@ -89,6 +89,138 @@ def test_swallows_provider_errors(self, tracking_module):
         tracking_module.provider.track.assert_called_once()
 
 
+class TestSubmitFeedback:
+    def test_sends_even_when_passive_consent_disabled(self, tracking_module):
+        # Feedback is explicit/user-initiated: it ignores the passive-telemetry
+        # consent flag (only the hard env opt-out can block it).
+        tracking_module.config_manager.set(constants.CONFIG_KEY_ENABLE_TRACKING, "False")
+        assert tracking_module.submit_feedback("great tool") is True
+        event_name, distinct_id, properties = _last_track_call(tracking_module.provider)
+        assert event_name == "feedback_submitted"
+        assert properties["message"] == "great tool"
+        assert distinct_id, "feedback must attach a stable distinct_id"
+
+    def test_sends_when_consent_unset(self, tracking_module):
+        # Default state (no consent recorded) — still sends.
+        assert tracking_module.submit_feedback("the run command is great") is True
+        event_name, _, properties = _last_track_call(tracking_module.provider)
+        assert event_name == "feedback_submitted"
+        assert properties["message"] == "the run command is great"
+
+    def test_uses_ephemeral_id_without_consent(self, tracking_module):
+        # When no consent is recorded (get_bool returns None → falsy), feedback
+        # must still send (user-initiated), but must NOT persist a user_id to disk.
+        # Previously this test encoded the old always-persist bug — updated to the
+        # correct privacy contract.
+        assert tracking_module.user_id is None
+        assert tracking_module.config_manager.get(constants.CONFIG_KEY_USER_ID) is None
+        tracking_module.submit_feedback("hi")
+        _, distinct_id, _ = _last_track_call(tracking_module.provider)
+        assert distinct_id  # an id is attached
+        assert tracking_module.config_manager.get(constants.CONFIG_KEY_USER_ID) is None  # NOT persisted
+
+    def test_generates_and_persists_user_id_when_absent_with_consent(self, tracking_module):
+        # With explicit consent on, feedback should persist a stable user_id.
+        tracking_module.config_manager.set(constants.CONFIG_KEY_ENABLE_TRACKING, "True")
+        assert tracking_module.user_id is None
+        assert tracking_module.config_manager.get(constants.CONFIG_KEY_USER_ID) is None
+        tracking_module.submit_feedback("hi")
+        persisted = tracking_module.config_manager.get(constants.CONFIG_KEY_USER_ID)
+        assert persisted is not None
+        _, distinct_id, _ = _last_track_call(tracking_module.provider)
+        assert distinct_id == persisted
+
+    def test_sends_scores_and_drops_none(self, tracking_module):
+        assert tracking_module.submit_feedback("", scores={"general_satisfaction": "5", "usability_satisfaction": None})
+        _, _, properties = _last_track_call(tracking_module.provider)
+        assert properties["general_satisfaction"] == "5"
+        assert "usability_satisfaction" not in properties
+        assert "message" not in properties
+
+    def test_returns_false_when_nothing_to_send(self, tracking_module):
+        assert tracking_module.submit_feedback("") is False
+        tracking_module.provider.track.assert_not_called()
+
+    @pytest.mark.parametrize("env_var", ["DO_NOT_TRACK", "COMFY_NO_TELEMETRY"])
+    def test_env_opt_out_blocks_feedback(self, tracking_module, monkeypatch, env_var):
+        tracking_module.config_manager.set(constants.CONFIG_KEY_ENABLE_TRACKING, "True")
+        monkeypatch.setenv(env_var, "1")
+        assert tracking_module.submit_feedback("hi") is False
+        tracking_module.provider.track.assert_not_called()
+
+
+class TestSubmitAgentReview:
+    def test_sends_when_consent_enabled(self, tracking_module):
+        tracking_module.config_manager.set(constants.CONFIG_KEY_ENABLE_TRACKING, "True")
+        assert tracking_module.submit_agent_review("user shipped a video after one retry") is True
+        event_name, _, properties = _last_track_call(tracking_module.provider)
+        assert event_name == "agent_review_submitted"
+        assert properties["summary"] == "user shipped a video after one retry"
+
+    def test_blocked_when_consent_disabled(self, tracking_module):
+        # Unlike feedback, an agent review is suppressed when passive consent is off.
+        tracking_module.config_manager.set(constants.CONFIG_KEY_ENABLE_TRACKING, "False")
+        assert tracking_module.submit_agent_review("anything") is False
+        tracking_module.provider.track.assert_not_called()
+
+    def test_blocked_when_consent_unset(self, tracking_module):
+        assert tracking_module.submit_agent_review("anything") is False
+        tracking_module.provider.track.assert_not_called()
+
+    def test_sends_under_session_only_consent(self, tracking_module):
+        tracking_module._session_only_tracking = True
+        assert tracking_module.submit_agent_review("ran fine") is True
+        event_name, _, _ = _last_track_call(tracking_module.provider)
+        assert event_name == "agent_review_submitted"
+
+    def test_returns_false_when_nothing_to_send(self, tracking_module):
+        tracking_module.config_manager.set(constants.CONFIG_KEY_ENABLE_TRACKING, "True")
+        assert tracking_module.submit_agent_review("") is False
+        tracking_module.provider.track.assert_not_called()
+
+    @pytest.mark.parametrize("env_var", ["DO_NOT_TRACK", "COMFY_NO_TELEMETRY"])
+    def test_env_opt_out_blocks_review(self, tracking_module, monkeypatch, env_var):
+        tracking_module.config_manager.set(constants.CONFIG_KEY_ENABLE_TRACKING, "True")
+        monkeypatch.setenv(env_var, "1")
+        assert tracking_module.submit_agent_review("hi") is False
+        tracking_module.provider.track.assert_not_called()
+
+
+def test_feedback_does_not_persist_user_id_without_consent(monkeypatch):
+    from comfy_cli import constants, tracking
+
+    sent = {}
+    monkeypatch.setattr(tracking, "_telemetry_disabled_by_env", lambda: False)
+    monkeypatch.setattr(tracking, "_dispatch", lambda name, props, *, distinct_id: sent.update(id=distinct_id))
+    # Consent declined; no persisted user_id; in-memory user_id empty.
+    monkeypatch.setattr(tracking.config_manager, "get_bool", lambda k: False)
+    persisted = {}
+    monkeypatch.setattr(tracking.config_manager, "set", lambda k, v: persisted.update({k: v}))
+    monkeypatch.setattr(tracking.config_manager, "get", lambda k: None)
+    monkeypatch.setattr(tracking, "user_id", "", raising=False)
+
+    assert tracking.submit_feedback("hello") is True
+    assert sent.get("id")  # an id was attached (ephemeral is fine)
+    assert constants.CONFIG_KEY_USER_ID not in persisted  # but NOT persisted to disk
+
+
+def test_feedback_persists_user_id_with_consent(monkeypatch):
+    from comfy_cli import constants, tracking
+
+    sent = {}
+    monkeypatch.setattr(tracking, "_telemetry_disabled_by_env", lambda: False)
+    monkeypatch.setattr(tracking, "_dispatch", lambda name, props, *, distinct_id: sent.update(id=distinct_id))
+    monkeypatch.setattr(tracking.config_manager, "get_bool", lambda k: True)  # consent ON
+    persisted = {}
+    monkeypatch.setattr(tracking.config_manager, "set", lambda k, v: persisted.update({k: v}))
+    monkeypatch.setattr(tracking.config_manager, "get", lambda k: None)
+    monkeypatch.setattr(tracking, "user_id", "", raising=False)
+
+    assert tracking.submit_feedback("hello") is True
+    assert sent.get("id")
+    assert persisted.get(constants.CONFIG_KEY_USER_ID)  # consent on -> identity persisted
+
+
 class TestTrackCommandRedaction:
     """track_command must redact secret-bearing kwargs before they reach the tracking system."""
 
@@ -389,7 +521,7 @@ def test_install_event_fires_once_across_calls(self, tracking_module):
 
 
 class TestPromptTrackingConsent:
-    def test_enables_session_only_when_stdin_not_tty(self, tracking_module):
+    def test_no_tracking_when_stdin_not_tty(self, tracking_module):
         with (
             patch.object(tracking_module.sys.stdin, "isatty", return_value=False),
             patch.object(tracking_module.sys.stdout, "isatty", return_value=True),
@@ -398,10 +530,10 @@ def test_enables_session_only_when_stdin_not_tty(self, tracking_module):
             tracking_module.prompt_tracking_consent()
         mock_prompt.assert_not_called()
         assert tracking_module.config_manager.get_bool(constants.CONFIG_KEY_ENABLE_TRACKING) is None
-        assert tracking_module._session_only_tracking is True
+        assert tracking_module._session_only_tracking is False
         assert tracking_module.user_id is not None
 
-    def test_enables_session_only_when_stdout_not_tty(self, tracking_module):
+    def test_no_tracking_when_stdout_not_tty(self, tracking_module):
         with (
             patch.object(tracking_module.sys.stdin, "isatty", return_value=True),
             patch.object(tracking_module.sys.stdout, "isatty", return_value=False),
@@ -410,19 +542,16 @@ def test_enables_session_only_when_stdout_not_tty(self, tracking_module):
             tracking_module.prompt_tracking_consent()
         mock_prompt.assert_not_called()
         assert tracking_module.config_manager.get_bool(constants.CONFIG_KEY_ENABLE_TRACKING) is None
-        assert tracking_module._session_only_tracking is True
+        assert tracking_module._session_only_tracking is False
 
-    def test_session_only_tracking_fires_track_event(self, tracking_module):
+    def test_non_tty_does_not_fire_track_event(self, tracking_module):
         with (
             patch.object(tracking_module.sys.stdin, "isatty", return_value=False),
             patch.object(tracking_module.sys.stdout, "isatty", return_value=False),
         ):
             tracking_module.prompt_tracking_consent()
         tracking_module.track_event("some_event", {"k": "v"})
-        tracking_module.provider.track.assert_called_once()
-        event_name, distinct_id, _ = _last_track_call(tracking_module.provider)
-        assert event_name == "some_event"
-        assert distinct_id is not None
+        tracking_module.provider.track.assert_not_called()
 
     def test_session_only_persists_user_id(self, tracking_module):
         with (
@@ -444,8 +573,8 @@ def test_session_only_survives_unwritable_config(self, tracking_module):
             patch.object(tracking_module.config_manager, "set", side_effect=PermissionError("read-only fs")),
         ):
             tracking_module.prompt_tracking_consent()
-        # In-memory state is still correct so this process tracks normally.
-        assert tracking_module._session_only_tracking is True
+        # Non-TTY sessions do not auto-enable tracking.
+        assert tracking_module._session_only_tracking is False
         assert tracking_module.user_id is not None
 
     def test_session_only_reuses_existing_user_id(self, tracking_module):
diff --git a/tests/comfy_cli/test_update.py b/tests/comfy_cli/test_update.py
index 7b275c96..11010b1b 100644
--- a/tests/comfy_cli/test_update.py
+++ b/tests/comfy_cli/test_update.py
@@ -1,8 +1,17 @@
+import json
+import time
 from unittest.mock import MagicMock, patch
 
+import pytest
 import requests
 
-from comfy_cli.update import check_for_newer_pypi_version, check_for_updates
+from comfy_cli import update
+from comfy_cli.update import (
+    UPDATE_CHECK_DISABLE_ENV,
+    check_for_newer_pypi_version,
+    latest_upgrade_version,
+    upgrade_cli,
+)
 
 
 def _mock_pypi_response(latest_version):
@@ -41,19 +50,79 @@ def test_timeout_value_is_passed(self, mock_get):
         mock_get.assert_called_once_with("https://pypi.org/pypi/comfy-cli/json", timeout=5)
 
 
-class TestCheckForUpdates:
-    @patch("comfy_cli.update.notify_update")
-    @patch("comfy_cli.update.get_version_from_pyproject", return_value="1.0.0")
-    @patch("comfy_cli.update.requests.get")
-    def test_notifies_when_update_available(self, mock_get, _mock_ver, mock_notify):
-        mock_get.return_value = _mock_pypi_response("2.0.0")
-        check_for_updates()
-        mock_notify.assert_called_once_with("1.0.0", "2.0.0")
+# TestCheckForUpdates was removed alongside the bright-blue
+# "🔔 Update Available!" panel (Task 5 of the CLI UX consistency pass).
+# ``check_for_newer_pypi_version`` is still tested directly above; the
+# welcome banner consumes ``latest_upgrade_version`` (below) inline.
 
-    @patch("comfy_cli.update.notify_update")
-    @patch("comfy_cli.update.get_version_from_pyproject", return_value="1.0.0")
-    @patch("comfy_cli.update.requests.get")
-    def test_no_notification_on_network_error(self, mock_get, _mock_ver, mock_notify):
-        mock_get.side_effect = requests.ConnectionError("offline")
-        check_for_updates()
-        mock_notify.assert_not_called()
+
+class TestLatestUpgradeVersion:
+    @patch("comfy_cli.update.check_for_newer_pypi_version")
+    def test_returns_newer_version_and_writes_cache(self, mock_check, tmp_path):
+        mock_check.return_value = (True, "99.0.0")
+        result = latest_upgrade_version("1.0.0", tmp_path)
+        assert result == "99.0.0"
+        cache = tmp_path / "update-check.json"
+        assert json.loads(cache.read_text())["latest"] == "99.0.0"
+
+    @patch("comfy_cli.update.check_for_newer_pypi_version")
+    def test_returns_none_when_current(self, mock_check, tmp_path):
+        mock_check.return_value = (False, "1.0.0")
+        assert latest_upgrade_version("1.0.0", tmp_path) is None
+
+    @patch("comfy_cli.update.check_for_newer_pypi_version")
+    def test_fresh_cache_skips_network(self, mock_check, tmp_path):
+        cache = tmp_path / "update-check.json"
+        cache.write_text(json.dumps({"checked_at": time.time(), "latest": "99.0.0"}))
+        assert latest_upgrade_version("1.0.0", tmp_path) == "99.0.0"
+        mock_check.assert_not_called()
+
+    @patch("comfy_cli.update.check_for_newer_pypi_version")
+    def test_stale_cache_refreshes(self, mock_check, tmp_path):
+        mock_check.return_value = (True, "99.0.0")
+        cache = tmp_path / "update-check.json"
+        cache.write_text(json.dumps({"checked_at": 0, "latest": "2.0.0"}))
+        assert latest_upgrade_version("1.0.0", tmp_path) == "99.0.0"
+        mock_check.assert_called_once()
+
+    @patch("comfy_cli.update.check_for_newer_pypi_version")
+    def test_disabled_via_env(self, mock_check, tmp_path, monkeypatch):
+        monkeypatch.setenv(UPDATE_CHECK_DISABLE_ENV, "1")
+        assert latest_upgrade_version("1.0.0", tmp_path) is None
+        mock_check.assert_not_called()
+
+    @patch("comfy_cli.update.check_for_newer_pypi_version")
+    def test_corrupt_cache_does_not_raise(self, mock_check, tmp_path):
+        mock_check.return_value = (True, "99.0.0")
+        cache = tmp_path / "update-check.json"
+        cache.write_text("not json")
+        assert latest_upgrade_version("1.0.0", tmp_path) is None
+
+
+class TestUpgradeCli:
+    @patch("comfy_cli.update.subprocess.run")
+    def test_runs_pip_install_upgrade(self, mock_run):
+        upgrade_cli()
+        args = mock_run.call_args[0][0]
+        assert args[1:] == ["-m", "pip", "install", "-U", "comfy-cli"]
+        assert mock_run.call_args[1]["check"] is True
+
+
+@pytest.mark.parametrize("payload", ["[]", '"x"', '{"checked_at": "abc"}'])
+def test_latest_upgrade_version_survives_malformed_cache(tmp_path, payload):
+    (tmp_path / "update-check.json").write_text(payload)
+    assert update.latest_upgrade_version("1.0.0", str(tmp_path)) is None
+
+
+@patch("comfy_cli.update.check_for_newer_pypi_version")
+def test_latest_upgrade_version_survives_missing_latest_key(mock_check, tmp_path):
+    # {"checked_at": 0} is stale — triggers refresh; the payload itself lacks "latest"
+    # but refresh returns a valid current_version, so we just confirm no crash.
+    mock_check.return_value = (False, "1.0.0")
+    (tmp_path / "update-check.json").write_text('{"checked_at": 0}')
+    assert update.latest_upgrade_version("1.0.0", str(tmp_path)) is None
+
+
+def test_latest_upgrade_version_survives_unparseable_latest(tmp_path):
+    (tmp_path / "update-check.json").write_text(json.dumps({"checked_at": time.time(), "latest": "unknown"}))
+    assert update.latest_upgrade_version("1.0.0", str(tmp_path)) is None
diff --git a/tests/e2e/test_e2e.py b/tests/e2e/test_e2e.py
index 143c1aa5..e0083def 100644
--- a/tests/e2e/test_e2e.py
+++ b/tests/e2e/test_e2e.py
@@ -19,6 +19,14 @@ def exec(cmd: str, **kwargs) -> subprocess.CompletedProcess[str]:
     cmd = dedent(cmd).strip()
     print(f"cmd: {cmd}")
 
+    # These e2e tests assert on the human-readable (pretty) output. The CLI now
+    # auto-selects JSON mode when stdout isn't a TTY (and subprocess pipes never
+    # are), which would route human messages to stderr and emit envelopes on
+    # stdout. Pin COMFY_OUTPUT=pretty so the assertions keep matching; the JSON
+    # auto-selection path is covered by the unit tests in tests/comfy_cli/output.
+    run_env = dict(kwargs.pop("env", None) or os.environ)
+    run_env.setdefault("COMFY_OUTPUT", "pretty")
+
     proc = subprocess.run(
         args=cmd,
         capture_output=True,
@@ -26,6 +34,7 @@ def exec(cmd: str, **kwargs) -> subprocess.CompletedProcess[str]:
         shell=True,
         encoding="utf-8",
         check=False,
+        env=run_env,
         **kwargs,
     )
     print(proc.stdout, proc.stderr)
diff --git a/uv.lock b/uv.lock
index 1f442ba9..ffd02f50 100644
--- a/uv.lock
+++ b/uv.lock
@@ -1,6 +1,10 @@
 version = 1
 revision = 3
 requires-python = ">=3.10"
+resolution-markers = [
+    "python_full_version >= '3.11'",
+    "python_full_version < '3.11'",
+]
 
 [[package]]
 name = "anyio"
@@ -30,6 +34,15 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/f8/ed/e97229a566617f2ae958a6b13e7cc0f585470eac730a73e9e82c32a3cdd2/arrow-1.3.0-py3-none-any.whl", hash = "sha256:c728b120ebc00eb84e01882a6f5e7927a53960aa990ce7dd2b10f39005a67f80", size = 66419, upload-time = "2023-09-30T22:11:16.072Z" },
 ]
 
+[[package]]
+name = "attrs"
+version = "26.1.0"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/9a/8e/82a0fe20a541c03148528be8cac2408564a6c9a0cc7e9171802bc1d26985/attrs-26.1.0.tar.gz", hash = "sha256:d03ceb89cb322a8fd706d4fb91940737b6642aa36998fe130a9bc96c985eff32", size = 952055, upload-time = "2026-03-19T14:22:25.026Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/64/b4/17d4b0b2a2dc85a6df63d1157e028ed19f90d4cd97c36717afef2bc2f395/attrs-26.1.0-py3-none-any.whl", hash = "sha256:c647aa4a12dfbad9333ca4e71fe62ddc36f4e63b2d260a37a8b83d2f043ac309", size = 67548, upload-time = "2026-03-19T14:22:23.645Z" },
+]
+
 [[package]]
 name = "backoff"
 version = "2.2.1"
@@ -189,18 +202,23 @@ dependencies = [
 
 [package.optional-dependencies]
 dev = [
+    { name = "jsonschema" },
     { name = "pre-commit" },
     { name = "pytest" },
     { name = "pytest-cov" },
     { name = "ruff" },
 ]
+preview = [
+    { name = "term-image" },
+]
 
 [package.metadata]
 requires-dist = [
     { name = "charset-normalizer", specifier = ">=3" },
     { name = "cookiecutter" },
-    { name = "gitpython" },
+    { name = "gitpython", specifier = ">=3.1.50" },
     { name = "httpx" },
+    { name = "jsonschema", marker = "extra == 'dev'" },
     { name = "mixpanel" },
     { name = "packaging" },
     { name = "pathspec" },
@@ -216,13 +234,14 @@ requires-dist = [
     { name = "ruff" },
     { name = "ruff", marker = "extra == 'dev'" },
     { name = "semver", specifier = "~=3.0.2" },
+    { name = "term-image", marker = "extra == 'preview'", specifier = ">=0.7,<0.8" },
     { name = "tomlkit" },
     { name = "typer", specifier = ">=0.12.5" },
     { name = "typing-extensions", specifier = ">=4.7" },
-    { name = "uv", specifier = ">=0.6.9" },
+    { name = "uv", specifier = ">=0.11.15" },
     { name = "websocket-client" },
 ]
-provides-extras = ["dev"]
+provides-extras = ["dev", "preview"]
 
 [[package]]
 name = "cookiecutter"
@@ -386,14 +405,14 @@ wheels = [
 
 [[package]]
 name = "gitpython"
-version = "3.1.45"
+version = "3.1.50"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "gitdb" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/9a/c8/dd58967d119baab745caec2f9d853297cec1989ec1d63f677d3880632b88/gitpython-3.1.45.tar.gz", hash = "sha256:85b0ee964ceddf211c41b9f27a49086010a190fd8132a24e21f362a4b36a791c", size = 215076, upload-time = "2025-07-24T03:45:54.871Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/33/f6/354ae6491228b5eb40e10d89c4d13c651fe1cf7556e35ebdded50cff57ce/gitpython-3.1.50.tar.gz", hash = "sha256:80da2d12504d52e1f998772dc5baf6e553f8d2fcfe1fcc226c9d9a2ee3372dcc", size = 219798, upload-time = "2026-05-06T04:01:26.571Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/01/61/d4b89fec821f72385526e1b9d9a3a0385dda4a72b206d28049e2c7cd39b8/gitpython-3.1.45-py3-none-any.whl", hash = "sha256:8908cb2e02fb3b93b7eb0f2827125cb699869470432cc885f019b8fd0fccff77", size = 208168, upload-time = "2025-07-24T03:45:52.517Z" },
+    { url = "https://files.pythonhosted.org/packages/20/7a/1c6e3562dfd8950adbb11ffbc65d21e7c89d01a6e4f137fa981056de25c5/gitpython-3.1.50-py3-none-any.whl", hash = "sha256:d352abe2908d07355014abdd21ddf798c2a961469239afec4962e9da884858f9", size = 212507, upload-time = "2026-05-06T04:01:23.799Z" },
 ]
 
 [[package]]
@@ -472,6 +491,34 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/62/a1/3d680cbfd5f4b8f15abc1d571870c5fc3e594bb582bc3b64ea099db13e56/jinja2-3.1.6-py3-none-any.whl", hash = "sha256:85ece4451f492d0c13c5dd7c13a64681a86afae63a5f347908daf103ce6d2f67", size = 134899, upload-time = "2025-03-05T20:05:00.369Z" },
 ]
 
+[[package]]
+name = "jsonschema"
+version = "4.26.0"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+    { name = "attrs" },
+    { name = "jsonschema-specifications" },
+    { name = "referencing" },
+    { name = "rpds-py", version = "0.30.0", source = { registry = "https://pypi.org/simple" }, marker = "python_full_version < '3.11'" },
+    { name = "rpds-py", version = "2026.5.1", source = { registry = "https://pypi.org/simple" }, marker = "python_full_version >= '3.11'" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/b3/fc/e067678238fa451312d4c62bf6e6cf5ec56375422aee02f9cb5f909b3047/jsonschema-4.26.0.tar.gz", hash = "sha256:0c26707e2efad8aa1bfc5b7ce170f3fccc2e4918ff85989ba9ffa9facb2be326", size = 366583, upload-time = "2026-01-07T13:41:07.246Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/69/90/f63fb5873511e014207a475e2bb4e8b2e570d655b00ac19a9a0ca0a385ee/jsonschema-4.26.0-py3-none-any.whl", hash = "sha256:d489f15263b8d200f8387e64b4c3a75f06629559fb73deb8fdfb525f2dab50ce", size = 90630, upload-time = "2026-01-07T13:41:05.306Z" },
+]
+
+[[package]]
+name = "jsonschema-specifications"
+version = "2025.9.1"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+    { name = "referencing" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/19/74/a633ee74eb36c44aa6d1095e7cc5569bebf04342ee146178e2d36600708b/jsonschema_specifications-2025.9.1.tar.gz", hash = "sha256:b540987f239e745613c7a9176f3edb72b832a4ac465cf02712288397832b5e8d", size = 32855, upload-time = "2025-09-08T01:34:59.186Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/41/45/1a4ed80516f02155c51f51e8cedb3c1902296743db0bbc66608a0db2814f/jsonschema_specifications-2025.9.1-py3-none-any.whl", hash = "sha256:98802fee3a11ee76ecaca44429fda8a41bff98b00a0f2838151b113f210cc6fe", size = 18437, upload-time = "2025-09-08T01:34:57.871Z" },
+]
+
 [[package]]
 name = "markdown-it-py"
 version = "3.0.0"
@@ -592,6 +639,65 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/cc/20/ff623b09d963f88bfde16306a54e12ee5ea43e9b597108672ff3a408aad6/pathspec-0.12.1-py3-none-any.whl", hash = "sha256:a0d503e138a4c123b27490a4f7beda6a01c6f288df0e4a8b79c7eb0dc7b4cc08", size = 31191, upload-time = "2023-12-10T22:30:43.14Z" },
 ]
 
+[[package]]
+name = "pillow"
+version = "10.4.0"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/cd/74/ad3d526f3bf7b6d3f408b73fde271ec69dfac8b81341a318ce825f2b3812/pillow-10.4.0.tar.gz", hash = "sha256:166c1cd4d24309b30d61f79f4a9114b7b2313d7450912277855ff5dfd7cd4a06", size = 46555059, upload-time = "2024-07-01T09:48:43.583Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/0e/69/a31cccd538ca0b5272be2a38347f8839b97a14be104ea08b0db92f749c74/pillow-10.4.0-cp310-cp310-macosx_10_10_x86_64.whl", hash = "sha256:4d9667937cfa347525b319ae34375c37b9ee6b525440f3ef48542fcf66f2731e", size = 3509271, upload-time = "2024-07-01T09:45:22.07Z" },
+    { url = "https://files.pythonhosted.org/packages/9a/9e/4143b907be8ea0bce215f2ae4f7480027473f8b61fcedfda9d851082a5d2/pillow-10.4.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:543f3dc61c18dafb755773efc89aae60d06b6596a63914107f75459cf984164d", size = 3375658, upload-time = "2024-07-01T09:45:25.292Z" },
+    { url = "https://files.pythonhosted.org/packages/8a/25/1fc45761955f9359b1169aa75e241551e74ac01a09f487adaaf4c3472d11/pillow-10.4.0-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:7928ecbf1ece13956b95d9cbcfc77137652b02763ba384d9ab508099a2eca856", size = 4332075, upload-time = "2024-07-01T09:45:27.94Z" },
+    { url = "https://files.pythonhosted.org/packages/5e/dd/425b95d0151e1d6c951f45051112394f130df3da67363b6bc75dc4c27aba/pillow-10.4.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:e4d49b85c4348ea0b31ea63bc75a9f3857869174e2bf17e7aba02945cd218e6f", size = 4444808, upload-time = "2024-07-01T09:45:30.305Z" },
+    { url = "https://files.pythonhosted.org/packages/b1/84/9a15cc5726cbbfe7f9f90bfb11f5d028586595907cd093815ca6644932e3/pillow-10.4.0-cp310-cp310-manylinux_2_28_aarch64.whl", hash = "sha256:6c762a5b0997f5659a5ef2266abc1d8851ad7749ad9a6a5506eb23d314e4f46b", size = 4356290, upload-time = "2024-07-01T09:45:32.868Z" },
+    { url = "https://files.pythonhosted.org/packages/b5/5b/6651c288b08df3b8c1e2f8c1152201e0b25d240e22ddade0f1e242fc9fa0/pillow-10.4.0-cp310-cp310-manylinux_2_28_x86_64.whl", hash = "sha256:a985e028fc183bf12a77a8bbf36318db4238a3ded7fa9df1b9a133f1cb79f8fc", size = 4525163, upload-time = "2024-07-01T09:45:35.279Z" },
+    { url = "https://files.pythonhosted.org/packages/07/8b/34854bf11a83c248505c8cb0fcf8d3d0b459a2246c8809b967963b6b12ae/pillow-10.4.0-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:812f7342b0eee081eaec84d91423d1b4650bb9828eb53d8511bcef8ce5aecf1e", size = 4463100, upload-time = "2024-07-01T09:45:37.74Z" },
+    { url = "https://files.pythonhosted.org/packages/78/63/0632aee4e82476d9cbe5200c0cdf9ba41ee04ed77887432845264d81116d/pillow-10.4.0-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:ac1452d2fbe4978c2eec89fb5a23b8387aba707ac72810d9490118817d9c0b46", size = 4592880, upload-time = "2024-07-01T09:45:39.89Z" },
+    { url = "https://files.pythonhosted.org/packages/df/56/b8663d7520671b4398b9d97e1ed9f583d4afcbefbda3c6188325e8c297bd/pillow-10.4.0-cp310-cp310-win32.whl", hash = "sha256:bcd5e41a859bf2e84fdc42f4edb7d9aba0a13d29a2abadccafad99de3feff984", size = 2235218, upload-time = "2024-07-01T09:45:42.771Z" },
+    { url = "https://files.pythonhosted.org/packages/f4/72/0203e94a91ddb4a9d5238434ae6c1ca10e610e8487036132ea9bf806ca2a/pillow-10.4.0-cp310-cp310-win_amd64.whl", hash = "sha256:ecd85a8d3e79cd7158dec1c9e5808e821feea088e2f69a974db5edf84dc53141", size = 2554487, upload-time = "2024-07-01T09:45:45.176Z" },
+    { url = "https://files.pythonhosted.org/packages/bd/52/7e7e93d7a6e4290543f17dc6f7d3af4bd0b3dd9926e2e8a35ac2282bc5f4/pillow-10.4.0-cp310-cp310-win_arm64.whl", hash = "sha256:ff337c552345e95702c5fde3158acb0625111017d0e5f24bf3acdb9cc16b90d1", size = 2243219, upload-time = "2024-07-01T09:45:47.274Z" },
+    { url = "https://files.pythonhosted.org/packages/a7/62/c9449f9c3043c37f73e7487ec4ef0c03eb9c9afc91a92b977a67b3c0bbc5/pillow-10.4.0-cp311-cp311-macosx_10_10_x86_64.whl", hash = "sha256:0a9ec697746f268507404647e531e92889890a087e03681a3606d9b920fbee3c", size = 3509265, upload-time = "2024-07-01T09:45:49.812Z" },
+    { url = "https://files.pythonhosted.org/packages/f4/5f/491dafc7bbf5a3cc1845dc0430872e8096eb9e2b6f8161509d124594ec2d/pillow-10.4.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:dfe91cb65544a1321e631e696759491ae04a2ea11d36715eca01ce07284738be", size = 3375655, upload-time = "2024-07-01T09:45:52.462Z" },
+    { url = "https://files.pythonhosted.org/packages/73/d5/c4011a76f4207a3c151134cd22a1415741e42fa5ddecec7c0182887deb3d/pillow-10.4.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:5dc6761a6efc781e6a1544206f22c80c3af4c8cf461206d46a1e6006e4429ff3", size = 4340304, upload-time = "2024-07-01T09:45:55.006Z" },
+    { url = "https://files.pythonhosted.org/packages/ac/10/c67e20445a707f7a610699bba4fe050583b688d8cd2d202572b257f46600/pillow-10.4.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:5e84b6cc6a4a3d76c153a6b19270b3526a5a8ed6b09501d3af891daa2a9de7d6", size = 4452804, upload-time = "2024-07-01T09:45:58.437Z" },
+    { url = "https://files.pythonhosted.org/packages/a9/83/6523837906d1da2b269dee787e31df3b0acb12e3d08f024965a3e7f64665/pillow-10.4.0-cp311-cp311-manylinux_2_28_aarch64.whl", hash = "sha256:bbc527b519bd3aa9d7f429d152fea69f9ad37c95f0b02aebddff592688998abe", size = 4365126, upload-time = "2024-07-01T09:46:00.713Z" },
+    { url = "https://files.pythonhosted.org/packages/ba/e5/8c68ff608a4203085158cff5cc2a3c534ec384536d9438c405ed6370d080/pillow-10.4.0-cp311-cp311-manylinux_2_28_x86_64.whl", hash = "sha256:76a911dfe51a36041f2e756b00f96ed84677cdeb75d25c767f296c1c1eda1319", size = 4533541, upload-time = "2024-07-01T09:46:03.235Z" },
+    { url = "https://files.pythonhosted.org/packages/f4/7c/01b8dbdca5bc6785573f4cee96e2358b0918b7b2c7b60d8b6f3abf87a070/pillow-10.4.0-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:59291fb29317122398786c2d44427bbd1a6d7ff54017075b22be9d21aa59bd8d", size = 4471616, upload-time = "2024-07-01T09:46:05.356Z" },
+    { url = "https://files.pythonhosted.org/packages/c8/57/2899b82394a35a0fbfd352e290945440e3b3785655a03365c0ca8279f351/pillow-10.4.0-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:416d3a5d0e8cfe4f27f574362435bc9bae57f679a7158e0096ad2beb427b8696", size = 4600802, upload-time = "2024-07-01T09:46:08.145Z" },
+    { url = "https://files.pythonhosted.org/packages/4d/d7/a44f193d4c26e58ee5d2d9db3d4854b2cfb5b5e08d360a5e03fe987c0086/pillow-10.4.0-cp311-cp311-win32.whl", hash = "sha256:7086cc1d5eebb91ad24ded9f58bec6c688e9f0ed7eb3dbbf1e4800280a896496", size = 2235213, upload-time = "2024-07-01T09:46:10.211Z" },
+    { url = "https://files.pythonhosted.org/packages/c1/d0/5866318eec2b801cdb8c82abf190c8343d8a1cd8bf5a0c17444a6f268291/pillow-10.4.0-cp311-cp311-win_amd64.whl", hash = "sha256:cbed61494057c0f83b83eb3a310f0bf774b09513307c434d4366ed64f4128a91", size = 2554498, upload-time = "2024-07-01T09:46:12.685Z" },
+    { url = "https://files.pythonhosted.org/packages/d4/c8/310ac16ac2b97e902d9eb438688de0d961660a87703ad1561fd3dfbd2aa0/pillow-10.4.0-cp311-cp311-win_arm64.whl", hash = "sha256:f5f0c3e969c8f12dd2bb7e0b15d5c468b51e5017e01e2e867335c81903046a22", size = 2243219, upload-time = "2024-07-01T09:46:14.83Z" },
+    { url = "https://files.pythonhosted.org/packages/05/cb/0353013dc30c02a8be34eb91d25e4e4cf594b59e5a55ea1128fde1e5f8ea/pillow-10.4.0-cp312-cp312-macosx_10_10_x86_64.whl", hash = "sha256:673655af3eadf4df6b5457033f086e90299fdd7a47983a13827acf7459c15d94", size = 3509350, upload-time = "2024-07-01T09:46:17.177Z" },
+    { url = "https://files.pythonhosted.org/packages/e7/cf/5c558a0f247e0bf9cec92bff9b46ae6474dd736f6d906315e60e4075f737/pillow-10.4.0-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:866b6942a92f56300012f5fbac71f2d610312ee65e22f1aa2609e491284e5597", size = 3374980, upload-time = "2024-07-01T09:46:19.169Z" },
+    { url = "https://files.pythonhosted.org/packages/84/48/6e394b86369a4eb68b8a1382c78dc092245af517385c086c5094e3b34428/pillow-10.4.0-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:29dbdc4207642ea6aad70fbde1a9338753d33fb23ed6956e706936706f52dd80", size = 4343799, upload-time = "2024-07-01T09:46:21.883Z" },
+    { url = "https://files.pythonhosted.org/packages/3b/f3/a8c6c11fa84b59b9df0cd5694492da8c039a24cd159f0f6918690105c3be/pillow-10.4.0-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:bf2342ac639c4cf38799a44950bbc2dfcb685f052b9e262f446482afaf4bffca", size = 4459973, upload-time = "2024-07-01T09:46:24.321Z" },
+    { url = "https://files.pythonhosted.org/packages/7d/1b/c14b4197b80150fb64453585247e6fb2e1d93761fa0fa9cf63b102fde822/pillow-10.4.0-cp312-cp312-manylinux_2_28_aarch64.whl", hash = "sha256:f5b92f4d70791b4a67157321c4e8225d60b119c5cc9aee8ecf153aace4aad4ef", size = 4370054, upload-time = "2024-07-01T09:46:26.825Z" },
+    { url = "https://files.pythonhosted.org/packages/55/77/40daddf677897a923d5d33329acd52a2144d54a9644f2a5422c028c6bf2d/pillow-10.4.0-cp312-cp312-manylinux_2_28_x86_64.whl", hash = "sha256:86dcb5a1eb778d8b25659d5e4341269e8590ad6b4e8b44d9f4b07f8d136c414a", size = 4539484, upload-time = "2024-07-01T09:46:29.355Z" },
+    { url = "https://files.pythonhosted.org/packages/40/54/90de3e4256b1207300fb2b1d7168dd912a2fb4b2401e439ba23c2b2cabde/pillow-10.4.0-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:780c072c2e11c9b2c7ca37f9a2ee8ba66f44367ac3e5c7832afcfe5104fd6d1b", size = 4477375, upload-time = "2024-07-01T09:46:31.756Z" },
+    { url = "https://files.pythonhosted.org/packages/13/24/1bfba52f44193860918ff7c93d03d95e3f8748ca1de3ceaf11157a14cf16/pillow-10.4.0-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:37fb69d905be665f68f28a8bba3c6d3223c8efe1edf14cc4cfa06c241f8c81d9", size = 4608773, upload-time = "2024-07-01T09:46:33.73Z" },
+    { url = "https://files.pythonhosted.org/packages/55/04/5e6de6e6120451ec0c24516c41dbaf80cce1b6451f96561235ef2429da2e/pillow-10.4.0-cp312-cp312-win32.whl", hash = "sha256:7dfecdbad5c301d7b5bde160150b4db4c659cee2b69589705b6f8a0c509d9f42", size = 2235690, upload-time = "2024-07-01T09:46:36.587Z" },
+    { url = "https://files.pythonhosted.org/packages/74/0a/d4ce3c44bca8635bd29a2eab5aa181b654a734a29b263ca8efe013beea98/pillow-10.4.0-cp312-cp312-win_amd64.whl", hash = "sha256:1d846aea995ad352d4bdcc847535bd56e0fd88d36829d2c90be880ef1ee4668a", size = 2554951, upload-time = "2024-07-01T09:46:38.777Z" },
+    { url = "https://files.pythonhosted.org/packages/b5/ca/184349ee40f2e92439be9b3502ae6cfc43ac4b50bc4fc6b3de7957563894/pillow-10.4.0-cp312-cp312-win_arm64.whl", hash = "sha256:e553cad5179a66ba15bb18b353a19020e73a7921296a7979c4a2b7f6a5cd57f9", size = 2243427, upload-time = "2024-07-01T09:46:43.15Z" },
+    { url = "https://files.pythonhosted.org/packages/c3/00/706cebe7c2c12a6318aabe5d354836f54adff7156fd9e1bd6c89f4ba0e98/pillow-10.4.0-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:8bc1a764ed8c957a2e9cacf97c8b2b053b70307cf2996aafd70e91a082e70df3", size = 3525685, upload-time = "2024-07-01T09:46:45.194Z" },
+    { url = "https://files.pythonhosted.org/packages/cf/76/f658cbfa49405e5ecbfb9ba42d07074ad9792031267e782d409fd8fe7c69/pillow-10.4.0-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:6209bb41dc692ddfee4942517c19ee81b86c864b626dbfca272ec0f7cff5d9fb", size = 3374883, upload-time = "2024-07-01T09:46:47.331Z" },
+    { url = "https://files.pythonhosted.org/packages/46/2b/99c28c4379a85e65378211971c0b430d9c7234b1ec4d59b2668f6299e011/pillow-10.4.0-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:bee197b30783295d2eb680b311af15a20a8b24024a19c3a26431ff83eb8d1f70", size = 4339837, upload-time = "2024-07-01T09:46:49.647Z" },
+    { url = "https://files.pythonhosted.org/packages/f1/74/b1ec314f624c0c43711fdf0d8076f82d9d802afd58f1d62c2a86878e8615/pillow-10.4.0-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:1ef61f5dd14c300786318482456481463b9d6b91ebe5ef12f405afbba77ed0be", size = 4455562, upload-time = "2024-07-01T09:46:51.811Z" },
+    { url = "https://files.pythonhosted.org/packages/4a/2a/4b04157cb7b9c74372fa867096a1607e6fedad93a44deeff553ccd307868/pillow-10.4.0-cp313-cp313-manylinux_2_28_aarch64.whl", hash = "sha256:297e388da6e248c98bc4a02e018966af0c5f92dfacf5a5ca22fa01cb3179bca0", size = 4366761, upload-time = "2024-07-01T09:46:53.961Z" },
+    { url = "https://files.pythonhosted.org/packages/ac/7b/8f1d815c1a6a268fe90481232c98dd0e5fa8c75e341a75f060037bd5ceae/pillow-10.4.0-cp313-cp313-manylinux_2_28_x86_64.whl", hash = "sha256:e4db64794ccdf6cb83a59d73405f63adbe2a1887012e308828596100a0b2f6cc", size = 4536767, upload-time = "2024-07-01T09:46:56.664Z" },
+    { url = "https://files.pythonhosted.org/packages/e5/77/05fa64d1f45d12c22c314e7b97398ffb28ef2813a485465017b7978b3ce7/pillow-10.4.0-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:bd2880a07482090a3bcb01f4265f1936a903d70bc740bfcb1fd4e8a2ffe5cf5a", size = 4477989, upload-time = "2024-07-01T09:46:58.977Z" },
+    { url = "https://files.pythonhosted.org/packages/12/63/b0397cfc2caae05c3fb2f4ed1b4fc4fc878f0243510a7a6034ca59726494/pillow-10.4.0-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:4b35b21b819ac1dbd1233317adeecd63495f6babf21b7b2512d244ff6c6ce309", size = 4610255, upload-time = "2024-07-01T09:47:01.189Z" },
+    { url = "https://files.pythonhosted.org/packages/7b/f9/cfaa5082ca9bc4a6de66ffe1c12c2d90bf09c309a5f52b27759a596900e7/pillow-10.4.0-cp313-cp313-win32.whl", hash = "sha256:551d3fd6e9dc15e4c1eb6fc4ba2b39c0c7933fa113b220057a34f4bb3268a060", size = 2235603, upload-time = "2024-07-01T09:47:03.918Z" },
+    { url = "https://files.pythonhosted.org/packages/01/6a/30ff0eef6e0c0e71e55ded56a38d4859bf9d3634a94a88743897b5f96936/pillow-10.4.0-cp313-cp313-win_amd64.whl", hash = "sha256:030abdbe43ee02e0de642aee345efa443740aa4d828bfe8e2eb11922ea6a21ea", size = 2554972, upload-time = "2024-07-01T09:47:06.152Z" },
+    { url = "https://files.pythonhosted.org/packages/48/2c/2e0a52890f269435eee38b21c8218e102c621fe8d8df8b9dd06fabf879ba/pillow-10.4.0-cp313-cp313-win_arm64.whl", hash = "sha256:5b001114dd152cfd6b23befeb28d7aee43553e2402c9f159807bf55f33af8a8d", size = 2243375, upload-time = "2024-07-01T09:47:09.065Z" },
+    { url = "https://files.pythonhosted.org/packages/38/30/095d4f55f3a053392f75e2eae45eba3228452783bab3d9a920b951ac495c/pillow-10.4.0-pp310-pypy310_pp73-macosx_10_15_x86_64.whl", hash = "sha256:5b4815f2e65b30f5fbae9dfffa8636d992d49705723fe86a3661806e069352d4", size = 3493889, upload-time = "2024-07-01T09:48:04.815Z" },
+    { url = "https://files.pythonhosted.org/packages/f3/e8/4ff79788803a5fcd5dc35efdc9386af153569853767bff74540725b45863/pillow-10.4.0-pp310-pypy310_pp73-macosx_11_0_arm64.whl", hash = "sha256:8f0aef4ef59694b12cadee839e2ba6afeab89c0f39a3adc02ed51d109117b8da", size = 3346160, upload-time = "2024-07-01T09:48:07.206Z" },
+    { url = "https://files.pythonhosted.org/packages/d7/ac/4184edd511b14f760c73f5bb8a5d6fd85c591c8aff7c2229677a355c4179/pillow-10.4.0-pp310-pypy310_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:9f4727572e2918acaa9077c919cbbeb73bd2b3ebcfe033b72f858fc9fbef0026", size = 3435020, upload-time = "2024-07-01T09:48:09.66Z" },
+    { url = "https://files.pythonhosted.org/packages/da/21/1749cd09160149c0a246a81d646e05f35041619ce76f6493d6a96e8d1103/pillow-10.4.0-pp310-pypy310_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:ff25afb18123cea58a591ea0244b92eb1e61a1fd497bf6d6384f09bc3262ec3e", size = 3490539, upload-time = "2024-07-01T09:48:12.529Z" },
+    { url = "https://files.pythonhosted.org/packages/b6/f5/f71fe1888b96083b3f6dfa0709101f61fc9e972c0c8d04e9d93ccef2a045/pillow-10.4.0-pp310-pypy310_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:dc3e2db6ba09ffd7d02ae9141cfa0ae23393ee7687248d46a7507b75d610f4f5", size = 3476125, upload-time = "2024-07-01T09:48:14.891Z" },
+    { url = "https://files.pythonhosted.org/packages/96/b9/c0362c54290a31866c3526848583a2f45a535aa9d725fd31e25d318c805f/pillow-10.4.0-pp310-pypy310_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:02a2be69f9c9b8c1e97cf2713e789d4e398c751ecfd9967c18d0ce304efbf885", size = 3579373, upload-time = "2024-07-01T09:48:17.601Z" },
+    { url = "https://files.pythonhosted.org/packages/52/3b/ce7a01026a7cf46e5452afa86f97a5e88ca97f562cafa76570178ab56d8d/pillow-10.4.0-pp310-pypy310_pp73-win_amd64.whl", hash = "sha256:0755ffd4a0c6f267cccbae2e9903d95477ca2f77c4fcf3a3a09570001856c8a5", size = 2554661, upload-time = "2024-07-01T09:48:20.293Z" },
+]
+
 [[package]]
 name = "platformdirs"
 version = "4.3.8"
@@ -789,6 +895,21 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/ad/3f/11dd4cd4f39e05128bfd20138faea57bec56f9ffba6185d276e3107ba5b2/questionary-2.1.0-py3-none-any.whl", hash = "sha256:44174d237b68bc828e4878c763a9ad6790ee61990e0ae72927694ead57bab8ec", size = 36747, upload-time = "2024-12-29T11:49:16.734Z" },
 ]
 
+[[package]]
+name = "referencing"
+version = "0.37.0"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+    { name = "attrs" },
+    { name = "rpds-py", version = "0.30.0", source = { registry = "https://pypi.org/simple" }, marker = "python_full_version < '3.11'" },
+    { name = "rpds-py", version = "2026.5.1", source = { registry = "https://pypi.org/simple" }, marker = "python_full_version >= '3.11'" },
+    { name = "typing-extensions", marker = "python_full_version < '3.13'" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/22/f5/df4e9027acead3ecc63e50fe1e36aca1523e1719559c499951bb4b53188f/referencing-0.37.0.tar.gz", hash = "sha256:44aefc3142c5b842538163acb373e24cce6632bd54bdb01b21ad5863489f50d8", size = 78036, upload-time = "2025-10-13T15:30:48.871Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/2c/58/ca301544e1fa93ed4f80d724bf5b194f6e4b945841c5bfd555878eea9fcb/referencing-0.37.0-py3-none-any.whl", hash = "sha256:381329a9f99628c9069361716891d34ad94af76e461dcb0335825aecc7692231", size = 26766, upload-time = "2025-10-13T15:30:47.625Z" },
+]
+
 [[package]]
 name = "requests"
 version = "2.33.0"
@@ -817,6 +938,271 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/e3/30/3c4d035596d3cf444529e0b2953ad0466f6049528a879d27534700580395/rich-14.1.0-py3-none-any.whl", hash = "sha256:536f5f1785986d6dbdea3c75205c473f970777b4a0d6c6dd1b696aa05a3fa04f", size = 243368, upload-time = "2025-07-25T07:32:56.73Z" },
 ]
 
+[[package]]
+name = "rpds-py"
+version = "0.30.0"
+source = { registry = "https://pypi.org/simple" }
+resolution-markers = [
+    "python_full_version < '3.11'",
+]
+sdist = { url = "https://files.pythonhosted.org/packages/20/af/3f2f423103f1113b36230496629986e0ef7e199d2aa8392452b484b38ced/rpds_py-0.30.0.tar.gz", hash = "sha256:dd8ff7cf90014af0c0f787eea34794ebf6415242ee1d6fa91eaba725cc441e84", size = 69469, upload-time = "2025-11-30T20:24:38.837Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/06/0c/0c411a0ec64ccb6d104dcabe0e713e05e153a9a2c3c2bd2b32ce412166fe/rpds_py-0.30.0-cp310-cp310-macosx_10_12_x86_64.whl", hash = "sha256:679ae98e00c0e8d68a7fda324e16b90fd5260945b45d3b824c892cec9eea3288", size = 370490, upload-time = "2025-11-30T20:21:33.256Z" },
+    { url = "https://files.pythonhosted.org/packages/19/6a/4ba3d0fb7297ebae71171822554abe48d7cab29c28b8f9f2c04b79988c05/rpds_py-0.30.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:4cc2206b76b4f576934f0ed374b10d7ca5f457858b157ca52064bdfc26b9fc00", size = 359751, upload-time = "2025-11-30T20:21:34.591Z" },
+    { url = "https://files.pythonhosted.org/packages/cd/7c/e4933565ef7f7a0818985d87c15d9d273f1a649afa6a52ea35ad011195ea/rpds_py-0.30.0-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:389a2d49eded1896c3d48b0136ead37c48e221b391c052fba3f4055c367f60a6", size = 389696, upload-time = "2025-11-30T20:21:36.122Z" },
+    { url = "https://files.pythonhosted.org/packages/5e/01/6271a2511ad0815f00f7ed4390cf2567bec1d4b1da39e2c27a41e6e3b4de/rpds_py-0.30.0-cp310-cp310-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:32c8528634e1bf7121f3de08fa85b138f4e0dc47657866630611b03967f041d7", size = 403136, upload-time = "2025-11-30T20:21:37.728Z" },
+    { url = "https://files.pythonhosted.org/packages/55/64/c857eb7cd7541e9b4eee9d49c196e833128a55b89a9850a9c9ac33ccf897/rpds_py-0.30.0-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:f207f69853edd6f6700b86efb84999651baf3789e78a466431df1331608e5324", size = 524699, upload-time = "2025-11-30T20:21:38.92Z" },
+    { url = "https://files.pythonhosted.org/packages/9c/ed/94816543404078af9ab26159c44f9e98e20fe47e2126d5d32c9d9948d10a/rpds_py-0.30.0-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:67b02ec25ba7a9e8fa74c63b6ca44cf5707f2fbfadae3ee8e7494297d56aa9df", size = 412022, upload-time = "2025-11-30T20:21:40.407Z" },
+    { url = "https://files.pythonhosted.org/packages/61/b5/707f6cf0066a6412aacc11d17920ea2e19e5b2f04081c64526eb35b5c6e7/rpds_py-0.30.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:0c0e95f6819a19965ff420f65578bacb0b00f251fefe2c8b23347c37174271f3", size = 390522, upload-time = "2025-11-30T20:21:42.17Z" },
+    { url = "https://files.pythonhosted.org/packages/13/4e/57a85fda37a229ff4226f8cbcf09f2a455d1ed20e802ce5b2b4a7f5ed053/rpds_py-0.30.0-cp310-cp310-manylinux_2_31_riscv64.whl", hash = "sha256:a452763cc5198f2f98898eb98f7569649fe5da666c2dc6b5ddb10fde5a574221", size = 404579, upload-time = "2025-11-30T20:21:43.769Z" },
+    { url = "https://files.pythonhosted.org/packages/f9/da/c9339293513ec680a721e0e16bf2bac3db6e5d7e922488de471308349bba/rpds_py-0.30.0-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:e0b65193a413ccc930671c55153a03ee57cecb49e6227204b04fae512eb657a7", size = 421305, upload-time = "2025-11-30T20:21:44.994Z" },
+    { url = "https://files.pythonhosted.org/packages/f9/be/522cb84751114f4ad9d822ff5a1aa3c98006341895d5f084779b99596e5c/rpds_py-0.30.0-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:858738e9c32147f78b3ac24dc0edb6610000e56dc0f700fd5f651d0a0f0eb9ff", size = 572503, upload-time = "2025-11-30T20:21:46.91Z" },
+    { url = "https://files.pythonhosted.org/packages/a2/9b/de879f7e7ceddc973ea6e4629e9b380213a6938a249e94b0cdbcc325bb66/rpds_py-0.30.0-cp310-cp310-musllinux_1_2_i686.whl", hash = "sha256:da279aa314f00acbb803da1e76fa18666778e8a8f83484fba94526da5de2cba7", size = 598322, upload-time = "2025-11-30T20:21:48.709Z" },
+    { url = "https://files.pythonhosted.org/packages/48/ac/f01fc22efec3f37d8a914fc1b2fb9bcafd56a299edbe96406f3053edea5a/rpds_py-0.30.0-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:7c64d38fb49b6cdeda16ab49e35fe0da2e1e9b34bc38bd78386530f218b37139", size = 560792, upload-time = "2025-11-30T20:21:50.024Z" },
+    { url = "https://files.pythonhosted.org/packages/e2/da/4e2b19d0f131f35b6146425f846563d0ce036763e38913d917187307a671/rpds_py-0.30.0-cp310-cp310-win32.whl", hash = "sha256:6de2a32a1665b93233cde140ff8b3467bdb9e2af2b91079f0333a0974d12d464", size = 221901, upload-time = "2025-11-30T20:21:51.32Z" },
+    { url = "https://files.pythonhosted.org/packages/96/cb/156d7a5cf4f78a7cc571465d8aec7a3c447c94f6749c5123f08438bcf7bc/rpds_py-0.30.0-cp310-cp310-win_amd64.whl", hash = "sha256:1726859cd0de969f88dc8673bdd954185b9104e05806be64bcd87badbe313169", size = 235823, upload-time = "2025-11-30T20:21:52.505Z" },
+    { url = "https://files.pythonhosted.org/packages/4d/6e/f964e88b3d2abee2a82c1ac8366da848fce1c6d834dc2132c3fda3970290/rpds_py-0.30.0-cp311-cp311-macosx_10_12_x86_64.whl", hash = "sha256:a2bffea6a4ca9f01b3f8e548302470306689684e61602aa3d141e34da06cf425", size = 370157, upload-time = "2025-11-30T20:21:53.789Z" },
+    { url = "https://files.pythonhosted.org/packages/94/ba/24e5ebb7c1c82e74c4e4f33b2112a5573ddc703915b13a073737b59b86e0/rpds_py-0.30.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:dc4f992dfe1e2bc3ebc7444f6c7051b4bc13cd8e33e43511e8ffd13bf407010d", size = 359676, upload-time = "2025-11-30T20:21:55.475Z" },
+    { url = "https://files.pythonhosted.org/packages/84/86/04dbba1b087227747d64d80c3b74df946b986c57af0a9f0c98726d4d7a3b/rpds_py-0.30.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:422c3cb9856d80b09d30d2eb255d0754b23e090034e1deb4083f8004bd0761e4", size = 389938, upload-time = "2025-11-30T20:21:57.079Z" },
+    { url = "https://files.pythonhosted.org/packages/42/bb/1463f0b1722b7f45431bdd468301991d1328b16cffe0b1c2918eba2c4eee/rpds_py-0.30.0-cp311-cp311-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:07ae8a593e1c3c6b82ca3292efbe73c30b61332fd612e05abee07c79359f292f", size = 402932, upload-time = "2025-11-30T20:21:58.47Z" },
+    { url = "https://files.pythonhosted.org/packages/99/ee/2520700a5c1f2d76631f948b0736cdf9b0acb25abd0ca8e889b5c62ac2e3/rpds_py-0.30.0-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:12f90dd7557b6bd57f40abe7747e81e0c0b119bef015ea7726e69fe550e394a4", size = 525830, upload-time = "2025-11-30T20:21:59.699Z" },
+    { url = "https://files.pythonhosted.org/packages/e0/ad/bd0331f740f5705cc555a5e17fdf334671262160270962e69a2bdef3bf76/rpds_py-0.30.0-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:99b47d6ad9a6da00bec6aabe5a6279ecd3c06a329d4aa4771034a21e335c3a97", size = 412033, upload-time = "2025-11-30T20:22:00.991Z" },
+    { url = "https://files.pythonhosted.org/packages/f8/1e/372195d326549bb51f0ba0f2ecb9874579906b97e08880e7a65c3bef1a99/rpds_py-0.30.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:33f559f3104504506a44bb666b93a33f5d33133765b0c216a5bf2f1e1503af89", size = 390828, upload-time = "2025-11-30T20:22:02.723Z" },
+    { url = "https://files.pythonhosted.org/packages/ab/2b/d88bb33294e3e0c76bc8f351a3721212713629ffca1700fa94979cb3eae8/rpds_py-0.30.0-cp311-cp311-manylinux_2_31_riscv64.whl", hash = "sha256:946fe926af6e44f3697abbc305ea168c2c31d3e3ef1058cf68f379bf0335a78d", size = 404683, upload-time = "2025-11-30T20:22:04.367Z" },
+    { url = "https://files.pythonhosted.org/packages/50/32/c759a8d42bcb5289c1fac697cd92f6fe01a018dd937e62ae77e0e7f15702/rpds_py-0.30.0-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:495aeca4b93d465efde585977365187149e75383ad2684f81519f504f5c13038", size = 421583, upload-time = "2025-11-30T20:22:05.814Z" },
+    { url = "https://files.pythonhosted.org/packages/2b/81/e729761dbd55ddf5d84ec4ff1f47857f4374b0f19bdabfcf929164da3e24/rpds_py-0.30.0-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:d9a0ca5da0386dee0655b4ccdf46119df60e0f10da268d04fe7cc87886872ba7", size = 572496, upload-time = "2025-11-30T20:22:07.713Z" },
+    { url = "https://files.pythonhosted.org/packages/14/f6/69066a924c3557c9c30baa6ec3a0aa07526305684c6f86c696b08860726c/rpds_py-0.30.0-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:8d6d1cc13664ec13c1b84241204ff3b12f9bb82464b8ad6e7a5d3486975c2eed", size = 598669, upload-time = "2025-11-30T20:22:09.312Z" },
+    { url = "https://files.pythonhosted.org/packages/5f/48/905896b1eb8a05630d20333d1d8ffd162394127b74ce0b0784ae04498d32/rpds_py-0.30.0-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:3896fa1be39912cf0757753826bc8bdc8ca331a28a7c4ae46b7a21280b06bb85", size = 561011, upload-time = "2025-11-30T20:22:11.309Z" },
+    { url = "https://files.pythonhosted.org/packages/22/16/cd3027c7e279d22e5eb431dd3c0fbc677bed58797fe7581e148f3f68818b/rpds_py-0.30.0-cp311-cp311-win32.whl", hash = "sha256:55f66022632205940f1827effeff17c4fa7ae1953d2b74a8581baaefb7d16f8c", size = 221406, upload-time = "2025-11-30T20:22:13.101Z" },
+    { url = "https://files.pythonhosted.org/packages/fa/5b/e7b7aa136f28462b344e652ee010d4de26ee9fd16f1bfd5811f5153ccf89/rpds_py-0.30.0-cp311-cp311-win_amd64.whl", hash = "sha256:a51033ff701fca756439d641c0ad09a41d9242fa69121c7d8769604a0a629825", size = 236024, upload-time = "2025-11-30T20:22:14.853Z" },
+    { url = "https://files.pythonhosted.org/packages/14/a6/364bba985e4c13658edb156640608f2c9e1d3ea3c81b27aa9d889fff0e31/rpds_py-0.30.0-cp311-cp311-win_arm64.whl", hash = "sha256:47b0ef6231c58f506ef0b74d44e330405caa8428e770fec25329ed2cb971a229", size = 229069, upload-time = "2025-11-30T20:22:16.577Z" },
+    { url = "https://files.pythonhosted.org/packages/03/e7/98a2f4ac921d82f33e03f3835f5bf3a4a40aa1bfdc57975e74a97b2b4bdd/rpds_py-0.30.0-cp312-cp312-macosx_10_12_x86_64.whl", hash = "sha256:a161f20d9a43006833cd7068375a94d035714d73a172b681d8881820600abfad", size = 375086, upload-time = "2025-11-30T20:22:17.93Z" },
+    { url = "https://files.pythonhosted.org/packages/4d/a1/bca7fd3d452b272e13335db8d6b0b3ecde0f90ad6f16f3328c6fb150c889/rpds_py-0.30.0-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:6abc8880d9d036ecaafe709079969f56e876fcf107f7a8e9920ba6d5a3878d05", size = 359053, upload-time = "2025-11-30T20:22:19.297Z" },
+    { url = "https://files.pythonhosted.org/packages/65/1c/ae157e83a6357eceff62ba7e52113e3ec4834a84cfe07fa4b0757a7d105f/rpds_py-0.30.0-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ca28829ae5f5d569bb62a79512c842a03a12576375d5ece7d2cadf8abe96ec28", size = 390763, upload-time = "2025-11-30T20:22:21.661Z" },
+    { url = "https://files.pythonhosted.org/packages/d4/36/eb2eb8515e2ad24c0bd43c3ee9cd74c33f7ca6430755ccdb240fd3144c44/rpds_py-0.30.0-cp312-cp312-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:a1010ed9524c73b94d15919ca4d41d8780980e1765babf85f9a2f90d247153dd", size = 408951, upload-time = "2025-11-30T20:22:23.408Z" },
+    { url = "https://files.pythonhosted.org/packages/d6/65/ad8dc1784a331fabbd740ef6f71ce2198c7ed0890dab595adb9ea2d775a1/rpds_py-0.30.0-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:f8d1736cfb49381ba528cd5baa46f82fdc65c06e843dab24dd70b63d09121b3f", size = 514622, upload-time = "2025-11-30T20:22:25.16Z" },
+    { url = "https://files.pythonhosted.org/packages/63/8e/0cfa7ae158e15e143fe03993b5bcd743a59f541f5952e1546b1ac1b5fd45/rpds_py-0.30.0-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:d948b135c4693daff7bc2dcfc4ec57237a29bd37e60c2fabf5aff2bbacf3e2f1", size = 414492, upload-time = "2025-11-30T20:22:26.505Z" },
+    { url = "https://files.pythonhosted.org/packages/60/1b/6f8f29f3f995c7ffdde46a626ddccd7c63aefc0efae881dc13b6e5d5bb16/rpds_py-0.30.0-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:47f236970bccb2233267d89173d3ad2703cd36a0e2a6e92d0560d333871a3d23", size = 394080, upload-time = "2025-11-30T20:22:27.934Z" },
+    { url = "https://files.pythonhosted.org/packages/6d/d5/a266341051a7a3ca2f4b750a3aa4abc986378431fc2da508c5034d081b70/rpds_py-0.30.0-cp312-cp312-manylinux_2_31_riscv64.whl", hash = "sha256:2e6ecb5a5bcacf59c3f912155044479af1d0b6681280048b338b28e364aca1f6", size = 408680, upload-time = "2025-11-30T20:22:29.341Z" },
+    { url = "https://files.pythonhosted.org/packages/10/3b/71b725851df9ab7a7a4e33cf36d241933da66040d195a84781f49c50490c/rpds_py-0.30.0-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:a8fa71a2e078c527c3e9dc9fc5a98c9db40bcc8a92b4e8858e36d329f8684b51", size = 423589, upload-time = "2025-11-30T20:22:31.469Z" },
+    { url = "https://files.pythonhosted.org/packages/00/2b/e59e58c544dc9bd8bd8384ecdb8ea91f6727f0e37a7131baeff8d6f51661/rpds_py-0.30.0-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:73c67f2db7bc334e518d097c6d1e6fed021bbc9b7d678d6cc433478365d1d5f5", size = 573289, upload-time = "2025-11-30T20:22:32.997Z" },
+    { url = "https://files.pythonhosted.org/packages/da/3e/a18e6f5b460893172a7d6a680e86d3b6bc87a54c1f0b03446a3c8c7b588f/rpds_py-0.30.0-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:5ba103fb455be00f3b1c2076c9d4264bfcb037c976167a6047ed82f23153f02e", size = 599737, upload-time = "2025-11-30T20:22:34.419Z" },
+    { url = "https://files.pythonhosted.org/packages/5c/e2/714694e4b87b85a18e2c243614974413c60aa107fd815b8cbc42b873d1d7/rpds_py-0.30.0-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:7cee9c752c0364588353e627da8a7e808a66873672bcb5f52890c33fd965b394", size = 563120, upload-time = "2025-11-30T20:22:35.903Z" },
+    { url = "https://files.pythonhosted.org/packages/6f/ab/d5d5e3bcedb0a77f4f613706b750e50a5a3ba1c15ccd3665ecc636c968fd/rpds_py-0.30.0-cp312-cp312-win32.whl", hash = "sha256:1ab5b83dbcf55acc8b08fc62b796ef672c457b17dbd7820a11d6c52c06839bdf", size = 223782, upload-time = "2025-11-30T20:22:37.271Z" },
+    { url = "https://files.pythonhosted.org/packages/39/3b/f786af9957306fdc38a74cef405b7b93180f481fb48453a114bb6465744a/rpds_py-0.30.0-cp312-cp312-win_amd64.whl", hash = "sha256:a090322ca841abd453d43456ac34db46e8b05fd9b3b4ac0c78bcde8b089f959b", size = 240463, upload-time = "2025-11-30T20:22:39.021Z" },
+    { url = "https://files.pythonhosted.org/packages/f3/d2/b91dc748126c1559042cfe41990deb92c4ee3e2b415f6b5234969ffaf0cc/rpds_py-0.30.0-cp312-cp312-win_arm64.whl", hash = "sha256:669b1805bd639dd2989b281be2cfd951c6121b65e729d9b843e9639ef1fd555e", size = 230868, upload-time = "2025-11-30T20:22:40.493Z" },
+    { url = "https://files.pythonhosted.org/packages/ed/dc/d61221eb88ff410de3c49143407f6f3147acf2538c86f2ab7ce65ae7d5f9/rpds_py-0.30.0-cp313-cp313-macosx_10_12_x86_64.whl", hash = "sha256:f83424d738204d9770830d35290ff3273fbb02b41f919870479fab14b9d303b2", size = 374887, upload-time = "2025-11-30T20:22:41.812Z" },
+    { url = "https://files.pythonhosted.org/packages/fd/32/55fb50ae104061dbc564ef15cc43c013dc4a9f4527a1f4d99baddf56fe5f/rpds_py-0.30.0-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:e7536cd91353c5273434b4e003cbda89034d67e7710eab8761fd918ec6c69cf8", size = 358904, upload-time = "2025-11-30T20:22:43.479Z" },
+    { url = "https://files.pythonhosted.org/packages/58/70/faed8186300e3b9bdd138d0273109784eea2396c68458ed580f885dfe7ad/rpds_py-0.30.0-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:2771c6c15973347f50fece41fc447c054b7ac2ae0502388ce3b6738cd366e3d4", size = 389945, upload-time = "2025-11-30T20:22:44.819Z" },
+    { url = "https://files.pythonhosted.org/packages/bd/a8/073cac3ed2c6387df38f71296d002ab43496a96b92c823e76f46b8af0543/rpds_py-0.30.0-cp313-cp313-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:0a59119fc6e3f460315fe9d08149f8102aa322299deaa5cab5b40092345c2136", size = 407783, upload-time = "2025-11-30T20:22:46.103Z" },
+    { url = "https://files.pythonhosted.org/packages/77/57/5999eb8c58671f1c11eba084115e77a8899d6e694d2a18f69f0ba471ec8b/rpds_py-0.30.0-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:76fec018282b4ead0364022e3c54b60bf368b9d926877957a8624b58419169b7", size = 515021, upload-time = "2025-11-30T20:22:47.458Z" },
+    { url = "https://files.pythonhosted.org/packages/e0/af/5ab4833eadc36c0a8ed2bc5c0de0493c04f6c06de223170bd0798ff98ced/rpds_py-0.30.0-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:692bef75a5525db97318e8cd061542b5a79812d711ea03dbc1f6f8dbb0c5f0d2", size = 414589, upload-time = "2025-11-30T20:22:48.872Z" },
+    { url = "https://files.pythonhosted.org/packages/b7/de/f7192e12b21b9e9a68a6d0f249b4af3fdcdff8418be0767a627564afa1f1/rpds_py-0.30.0-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9027da1ce107104c50c81383cae773ef5c24d296dd11c99e2629dbd7967a20c6", size = 394025, upload-time = "2025-11-30T20:22:50.196Z" },
+    { url = "https://files.pythonhosted.org/packages/91/c4/fc70cd0249496493500e7cc2de87504f5aa6509de1e88623431fec76d4b6/rpds_py-0.30.0-cp313-cp313-manylinux_2_31_riscv64.whl", hash = "sha256:9cf69cdda1f5968a30a359aba2f7f9aa648a9ce4b580d6826437f2b291cfc86e", size = 408895, upload-time = "2025-11-30T20:22:51.87Z" },
+    { url = "https://files.pythonhosted.org/packages/58/95/d9275b05ab96556fefff73a385813eb66032e4c99f411d0795372d9abcea/rpds_py-0.30.0-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:a4796a717bf12b9da9d3ad002519a86063dcac8988b030e405704ef7d74d2d9d", size = 422799, upload-time = "2025-11-30T20:22:53.341Z" },
+    { url = "https://files.pythonhosted.org/packages/06/c1/3088fc04b6624eb12a57eb814f0d4997a44b0d208d6cace713033ff1a6ba/rpds_py-0.30.0-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:5d4c2aa7c50ad4728a094ebd5eb46c452e9cb7edbfdb18f9e1221f597a73e1e7", size = 572731, upload-time = "2025-11-30T20:22:54.778Z" },
+    { url = "https://files.pythonhosted.org/packages/d8/42/c612a833183b39774e8ac8fecae81263a68b9583ee343db33ab571a7ce55/rpds_py-0.30.0-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:ba81a9203d07805435eb06f536d95a266c21e5b2dfbf6517748ca40c98d19e31", size = 599027, upload-time = "2025-11-30T20:22:56.212Z" },
+    { url = "https://files.pythonhosted.org/packages/5f/60/525a50f45b01d70005403ae0e25f43c0384369ad24ffe46e8d9068b50086/rpds_py-0.30.0-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:945dccface01af02675628334f7cf49c2af4c1c904748efc5cf7bbdf0b579f95", size = 563020, upload-time = "2025-11-30T20:22:58.2Z" },
+    { url = "https://files.pythonhosted.org/packages/0b/5d/47c4655e9bcd5ca907148535c10e7d489044243cc9941c16ed7cd53be91d/rpds_py-0.30.0-cp313-cp313-win32.whl", hash = "sha256:b40fb160a2db369a194cb27943582b38f79fc4887291417685f3ad693c5a1d5d", size = 223139, upload-time = "2025-11-30T20:23:00.209Z" },
+    { url = "https://files.pythonhosted.org/packages/f2/e1/485132437d20aa4d3e1d8b3fb5a5e65aa8139f1e097080c2a8443201742c/rpds_py-0.30.0-cp313-cp313-win_amd64.whl", hash = "sha256:806f36b1b605e2d6a72716f321f20036b9489d29c51c91f4dd29a3e3afb73b15", size = 240224, upload-time = "2025-11-30T20:23:02.008Z" },
+    { url = "https://files.pythonhosted.org/packages/24/95/ffd128ed1146a153d928617b0ef673960130be0009c77d8fbf0abe306713/rpds_py-0.30.0-cp313-cp313-win_arm64.whl", hash = "sha256:d96c2086587c7c30d44f31f42eae4eac89b60dabbac18c7669be3700f13c3ce1", size = 230645, upload-time = "2025-11-30T20:23:03.43Z" },
+    { url = "https://files.pythonhosted.org/packages/ff/1b/b10de890a0def2a319a2626334a7f0ae388215eb60914dbac8a3bae54435/rpds_py-0.30.0-cp313-cp313t-macosx_10_12_x86_64.whl", hash = "sha256:eb0b93f2e5c2189ee831ee43f156ed34e2a89a78a66b98cadad955972548be5a", size = 364443, upload-time = "2025-11-30T20:23:04.878Z" },
+    { url = "https://files.pythonhosted.org/packages/0d/bf/27e39f5971dc4f305a4fb9c672ca06f290f7c4e261c568f3dea16a410d47/rpds_py-0.30.0-cp313-cp313t-macosx_11_0_arm64.whl", hash = "sha256:922e10f31f303c7c920da8981051ff6d8c1a56207dbdf330d9047f6d30b70e5e", size = 353375, upload-time = "2025-11-30T20:23:06.342Z" },
+    { url = "https://files.pythonhosted.org/packages/40/58/442ada3bba6e8e6615fc00483135c14a7538d2ffac30e2d933ccf6852232/rpds_py-0.30.0-cp313-cp313t-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:cdc62c8286ba9bf7f47befdcea13ea0e26bf294bda99758fd90535cbaf408000", size = 383850, upload-time = "2025-11-30T20:23:07.825Z" },
+    { url = "https://files.pythonhosted.org/packages/14/14/f59b0127409a33c6ef6f5c1ebd5ad8e32d7861c9c7adfa9a624fc3889f6c/rpds_py-0.30.0-cp313-cp313t-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:47f9a91efc418b54fb8190a6b4aa7813a23fb79c51f4bb84e418f5476c38b8db", size = 392812, upload-time = "2025-11-30T20:23:09.228Z" },
+    { url = "https://files.pythonhosted.org/packages/b3/66/e0be3e162ac299b3a22527e8913767d869e6cc75c46bd844aa43fb81ab62/rpds_py-0.30.0-cp313-cp313t-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:1f3587eb9b17f3789ad50824084fa6f81921bbf9a795826570bda82cb3ed91f2", size = 517841, upload-time = "2025-11-30T20:23:11.186Z" },
+    { url = "https://files.pythonhosted.org/packages/3d/55/fa3b9cf31d0c963ecf1ba777f7cf4b2a2c976795ac430d24a1f43d25a6ba/rpds_py-0.30.0-cp313-cp313t-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:39c02563fc592411c2c61d26b6c5fe1e51eaa44a75aa2c8735ca88b0d9599daa", size = 408149, upload-time = "2025-11-30T20:23:12.864Z" },
+    { url = "https://files.pythonhosted.org/packages/60/ca/780cf3b1a32b18c0f05c441958d3758f02544f1d613abf9488cd78876378/rpds_py-0.30.0-cp313-cp313t-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:51a1234d8febafdfd33a42d97da7a43f5dcb120c1060e352a3fbc0c6d36e2083", size = 383843, upload-time = "2025-11-30T20:23:14.638Z" },
+    { url = "https://files.pythonhosted.org/packages/82/86/d5f2e04f2aa6247c613da0c1dd87fcd08fa17107e858193566048a1e2f0a/rpds_py-0.30.0-cp313-cp313t-manylinux_2_31_riscv64.whl", hash = "sha256:eb2c4071ab598733724c08221091e8d80e89064cd472819285a9ab0f24bcedb9", size = 396507, upload-time = "2025-11-30T20:23:16.105Z" },
+    { url = "https://files.pythonhosted.org/packages/4b/9a/453255d2f769fe44e07ea9785c8347edaf867f7026872e76c1ad9f7bed92/rpds_py-0.30.0-cp313-cp313t-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:6bdfdb946967d816e6adf9a3d8201bfad269c67efe6cefd7093ef959683c8de0", size = 414949, upload-time = "2025-11-30T20:23:17.539Z" },
+    { url = "https://files.pythonhosted.org/packages/a3/31/622a86cdc0c45d6df0e9ccb6becdba5074735e7033c20e401a6d9d0e2ca0/rpds_py-0.30.0-cp313-cp313t-musllinux_1_2_aarch64.whl", hash = "sha256:c77afbd5f5250bf27bf516c7c4a016813eb2d3e116139aed0096940c5982da94", size = 565790, upload-time = "2025-11-30T20:23:19.029Z" },
+    { url = "https://files.pythonhosted.org/packages/1c/5d/15bbf0fb4a3f58a3b1c67855ec1efcc4ceaef4e86644665fff03e1b66d8d/rpds_py-0.30.0-cp313-cp313t-musllinux_1_2_i686.whl", hash = "sha256:61046904275472a76c8c90c9ccee9013d70a6d0f73eecefd38c1ae7c39045a08", size = 590217, upload-time = "2025-11-30T20:23:20.885Z" },
+    { url = "https://files.pythonhosted.org/packages/6d/61/21b8c41f68e60c8cc3b2e25644f0e3681926020f11d06ab0b78e3c6bbff1/rpds_py-0.30.0-cp313-cp313t-musllinux_1_2_x86_64.whl", hash = "sha256:4c5f36a861bc4b7da6516dbdf302c55313afa09b81931e8280361a4f6c9a2d27", size = 555806, upload-time = "2025-11-30T20:23:22.488Z" },
+    { url = "https://files.pythonhosted.org/packages/f9/39/7e067bb06c31de48de3eb200f9fc7c58982a4d3db44b07e73963e10d3be9/rpds_py-0.30.0-cp313-cp313t-win32.whl", hash = "sha256:3d4a69de7a3e50ffc214ae16d79d8fbb0922972da0356dcf4d0fdca2878559c6", size = 211341, upload-time = "2025-11-30T20:23:24.449Z" },
+    { url = "https://files.pythonhosted.org/packages/0a/4d/222ef0b46443cf4cf46764d9c630f3fe4abaa7245be9417e56e9f52b8f65/rpds_py-0.30.0-cp313-cp313t-win_amd64.whl", hash = "sha256:f14fc5df50a716f7ece6a80b6c78bb35ea2ca47c499e422aa4463455dd96d56d", size = 225768, upload-time = "2025-11-30T20:23:25.908Z" },
+    { url = "https://files.pythonhosted.org/packages/86/81/dad16382ebbd3d0e0328776d8fd7ca94220e4fa0798d1dc5e7da48cb3201/rpds_py-0.30.0-cp314-cp314-macosx_10_12_x86_64.whl", hash = "sha256:68f19c879420aa08f61203801423f6cd5ac5f0ac4ac82a2368a9fcd6a9a075e0", size = 362099, upload-time = "2025-11-30T20:23:27.316Z" },
+    { url = "https://files.pythonhosted.org/packages/2b/60/19f7884db5d5603edf3c6bce35408f45ad3e97e10007df0e17dd57af18f8/rpds_py-0.30.0-cp314-cp314-macosx_11_0_arm64.whl", hash = "sha256:ec7c4490c672c1a0389d319b3a9cfcd098dcdc4783991553c332a15acf7249be", size = 353192, upload-time = "2025-11-30T20:23:29.151Z" },
+    { url = "https://files.pythonhosted.org/packages/bf/c4/76eb0e1e72d1a9c4703c69607cec123c29028bff28ce41588792417098ac/rpds_py-0.30.0-cp314-cp314-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:f251c812357a3fed308d684a5079ddfb9d933860fc6de89f2b7ab00da481e65f", size = 384080, upload-time = "2025-11-30T20:23:30.785Z" },
+    { url = "https://files.pythonhosted.org/packages/72/87/87ea665e92f3298d1b26d78814721dc39ed8d2c74b86e83348d6b48a6f31/rpds_py-0.30.0-cp314-cp314-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:ac98b175585ecf4c0348fd7b29c3864bda53b805c773cbf7bfdaffc8070c976f", size = 394841, upload-time = "2025-11-30T20:23:32.209Z" },
+    { url = "https://files.pythonhosted.org/packages/77/ad/7783a89ca0587c15dcbf139b4a8364a872a25f861bdb88ed99f9b0dec985/rpds_py-0.30.0-cp314-cp314-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:3e62880792319dbeb7eb866547f2e35973289e7d5696c6e295476448f5b63c87", size = 516670, upload-time = "2025-11-30T20:23:33.742Z" },
+    { url = "https://files.pythonhosted.org/packages/5b/3c/2882bdac942bd2172f3da574eab16f309ae10a3925644e969536553cb4ee/rpds_py-0.30.0-cp314-cp314-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:4e7fc54e0900ab35d041b0601431b0a0eb495f0851a0639b6ef90f7741b39a18", size = 408005, upload-time = "2025-11-30T20:23:35.253Z" },
+    { url = "https://files.pythonhosted.org/packages/ce/81/9a91c0111ce1758c92516a3e44776920b579d9a7c09b2b06b642d4de3f0f/rpds_py-0.30.0-cp314-cp314-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:47e77dc9822d3ad616c3d5759ea5631a75e5809d5a28707744ef79d7a1bcfcad", size = 382112, upload-time = "2025-11-30T20:23:36.842Z" },
+    { url = "https://files.pythonhosted.org/packages/cf/8e/1da49d4a107027e5fbc64daeab96a0706361a2918da10cb41769244b805d/rpds_py-0.30.0-cp314-cp314-manylinux_2_31_riscv64.whl", hash = "sha256:b4dc1a6ff022ff85ecafef7979a2c6eb423430e05f1165d6688234e62ba99a07", size = 399049, upload-time = "2025-11-30T20:23:38.343Z" },
+    { url = "https://files.pythonhosted.org/packages/df/5a/7ee239b1aa48a127570ec03becbb29c9d5a9eb092febbd1699d567cae859/rpds_py-0.30.0-cp314-cp314-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:4559c972db3a360808309e06a74628b95eaccbf961c335c8fe0d590cf587456f", size = 415661, upload-time = "2025-11-30T20:23:40.263Z" },
+    { url = "https://files.pythonhosted.org/packages/70/ea/caa143cf6b772f823bc7929a45da1fa83569ee49b11d18d0ada7f5ee6fd6/rpds_py-0.30.0-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:0ed177ed9bded28f8deb6ab40c183cd1192aa0de40c12f38be4d59cd33cb5c65", size = 565606, upload-time = "2025-11-30T20:23:42.186Z" },
+    { url = "https://files.pythonhosted.org/packages/64/91/ac20ba2d69303f961ad8cf55bf7dbdb4763f627291ba3d0d7d67333cced9/rpds_py-0.30.0-cp314-cp314-musllinux_1_2_i686.whl", hash = "sha256:ad1fa8db769b76ea911cb4e10f049d80bf518c104f15b3edb2371cc65375c46f", size = 591126, upload-time = "2025-11-30T20:23:44.086Z" },
+    { url = "https://files.pythonhosted.org/packages/21/20/7ff5f3c8b00c8a95f75985128c26ba44503fb35b8e0259d812766ea966c7/rpds_py-0.30.0-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:46e83c697b1f1c72b50e5ee5adb4353eef7406fb3f2043d64c33f20ad1c2fc53", size = 553371, upload-time = "2025-11-30T20:23:46.004Z" },
+    { url = "https://files.pythonhosted.org/packages/72/c7/81dadd7b27c8ee391c132a6b192111ca58d866577ce2d9b0ca157552cce0/rpds_py-0.30.0-cp314-cp314-win32.whl", hash = "sha256:ee454b2a007d57363c2dfd5b6ca4a5d7e2c518938f8ed3b706e37e5d470801ed", size = 215298, upload-time = "2025-11-30T20:23:47.696Z" },
+    { url = "https://files.pythonhosted.org/packages/3e/d2/1aaac33287e8cfb07aab2e6b8ac1deca62f6f65411344f1433c55e6f3eb8/rpds_py-0.30.0-cp314-cp314-win_amd64.whl", hash = "sha256:95f0802447ac2d10bcc69f6dc28fe95fdf17940367b21d34e34c737870758950", size = 228604, upload-time = "2025-11-30T20:23:49.501Z" },
+    { url = "https://files.pythonhosted.org/packages/e8/95/ab005315818cc519ad074cb7784dae60d939163108bd2b394e60dc7b5461/rpds_py-0.30.0-cp314-cp314-win_arm64.whl", hash = "sha256:613aa4771c99f03346e54c3f038e4cc574ac09a3ddfb0e8878487335e96dead6", size = 222391, upload-time = "2025-11-30T20:23:50.96Z" },
+    { url = "https://files.pythonhosted.org/packages/9e/68/154fe0194d83b973cdedcdcc88947a2752411165930182ae41d983dcefa6/rpds_py-0.30.0-cp314-cp314t-macosx_10_12_x86_64.whl", hash = "sha256:7e6ecfcb62edfd632e56983964e6884851786443739dbfe3582947e87274f7cb", size = 364868, upload-time = "2025-11-30T20:23:52.494Z" },
+    { url = "https://files.pythonhosted.org/packages/83/69/8bbc8b07ec854d92a8b75668c24d2abcb1719ebf890f5604c61c9369a16f/rpds_py-0.30.0-cp314-cp314t-macosx_11_0_arm64.whl", hash = "sha256:a1d0bc22a7cdc173fedebb73ef81e07faef93692b8c1ad3733b67e31e1b6e1b8", size = 353747, upload-time = "2025-11-30T20:23:54.036Z" },
+    { url = "https://files.pythonhosted.org/packages/ab/00/ba2e50183dbd9abcce9497fa5149c62b4ff3e22d338a30d690f9af970561/rpds_py-0.30.0-cp314-cp314t-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:0d08f00679177226c4cb8c5265012eea897c8ca3b93f429e546600c971bcbae7", size = 383795, upload-time = "2025-11-30T20:23:55.556Z" },
+    { url = "https://files.pythonhosted.org/packages/05/6f/86f0272b84926bcb0e4c972262f54223e8ecc556b3224d281e6598fc9268/rpds_py-0.30.0-cp314-cp314t-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:5965af57d5848192c13534f90f9dd16464f3c37aaf166cc1da1cae1fd5a34898", size = 393330, upload-time = "2025-11-30T20:23:57.033Z" },
+    { url = "https://files.pythonhosted.org/packages/cb/e9/0e02bb2e6dc63d212641da45df2b0bf29699d01715913e0d0f017ee29438/rpds_py-0.30.0-cp314-cp314t-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:9a4e86e34e9ab6b667c27f3211ca48f73dba7cd3d90f8d5b11be56e5dbc3fb4e", size = 518194, upload-time = "2025-11-30T20:23:58.637Z" },
+    { url = "https://files.pythonhosted.org/packages/ee/ca/be7bca14cf21513bdf9c0606aba17d1f389ea2b6987035eb4f62bd923f25/rpds_py-0.30.0-cp314-cp314t-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:e5d3e6b26f2c785d65cc25ef1e5267ccbe1b069c5c21b8cc724efee290554419", size = 408340, upload-time = "2025-11-30T20:24:00.2Z" },
+    { url = "https://files.pythonhosted.org/packages/c2/c7/736e00ebf39ed81d75544c0da6ef7b0998f8201b369acf842f9a90dc8fce/rpds_py-0.30.0-cp314-cp314t-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:626a7433c34566535b6e56a1b39a7b17ba961e97ce3b80ec62e6f1312c025551", size = 383765, upload-time = "2025-11-30T20:24:01.759Z" },
+    { url = "https://files.pythonhosted.org/packages/4a/3f/da50dfde9956aaf365c4adc9533b100008ed31aea635f2b8d7b627e25b49/rpds_py-0.30.0-cp314-cp314t-manylinux_2_31_riscv64.whl", hash = "sha256:acd7eb3f4471577b9b5a41baf02a978e8bdeb08b4b355273994f8b87032000a8", size = 396834, upload-time = "2025-11-30T20:24:03.687Z" },
+    { url = "https://files.pythonhosted.org/packages/4e/00/34bcc2565b6020eab2623349efbdec810676ad571995911f1abdae62a3a0/rpds_py-0.30.0-cp314-cp314t-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:fe5fa731a1fa8a0a56b0977413f8cacac1768dad38d16b3a296712709476fbd5", size = 415470, upload-time = "2025-11-30T20:24:05.232Z" },
+    { url = "https://files.pythonhosted.org/packages/8c/28/882e72b5b3e6f718d5453bd4d0d9cf8df36fddeb4ddbbab17869d5868616/rpds_py-0.30.0-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:74a3243a411126362712ee1524dfc90c650a503502f135d54d1b352bd01f2404", size = 565630, upload-time = "2025-11-30T20:24:06.878Z" },
+    { url = "https://files.pythonhosted.org/packages/3b/97/04a65539c17692de5b85c6e293520fd01317fd878ea1995f0367d4532fb1/rpds_py-0.30.0-cp314-cp314t-musllinux_1_2_i686.whl", hash = "sha256:3e8eeb0544f2eb0d2581774be4c3410356eba189529a6b3e36bbbf9696175856", size = 591148, upload-time = "2025-11-30T20:24:08.445Z" },
+    { url = "https://files.pythonhosted.org/packages/85/70/92482ccffb96f5441aab93e26c4d66489eb599efdcf96fad90c14bbfb976/rpds_py-0.30.0-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:dbd936cde57abfee19ab3213cf9c26be06d60750e60a8e4dd85d1ab12c8b1f40", size = 556030, upload-time = "2025-11-30T20:24:10.956Z" },
+    { url = "https://files.pythonhosted.org/packages/20/53/7c7e784abfa500a2b6b583b147ee4bb5a2b3747a9166bab52fec4b5b5e7d/rpds_py-0.30.0-cp314-cp314t-win32.whl", hash = "sha256:dc824125c72246d924f7f796b4f63c1e9dc810c7d9e2355864b3c3a73d59ade0", size = 211570, upload-time = "2025-11-30T20:24:12.735Z" },
+    { url = "https://files.pythonhosted.org/packages/d0/02/fa464cdfbe6b26e0600b62c528b72d8608f5cc49f96b8d6e38c95d60c676/rpds_py-0.30.0-cp314-cp314t-win_amd64.whl", hash = "sha256:27f4b0e92de5bfbc6f86e43959e6edd1425c33b5e69aab0984a72047f2bcf1e3", size = 226532, upload-time = "2025-11-30T20:24:14.634Z" },
+    { url = "https://files.pythonhosted.org/packages/69/71/3f34339ee70521864411f8b6992e7ab13ac30d8e4e3309e07c7361767d91/rpds_py-0.30.0-pp311-pypy311_pp73-macosx_10_12_x86_64.whl", hash = "sha256:c2262bdba0ad4fc6fb5545660673925c2d2a5d9e2e0fb603aad545427be0fc58", size = 372292, upload-time = "2025-11-30T20:24:16.537Z" },
+    { url = "https://files.pythonhosted.org/packages/57/09/f183df9b8f2d66720d2ef71075c59f7e1b336bec7ee4c48f0a2b06857653/rpds_py-0.30.0-pp311-pypy311_pp73-macosx_11_0_arm64.whl", hash = "sha256:ee6af14263f25eedc3bb918a3c04245106a42dfd4f5c2285ea6f997b1fc3f89a", size = 362128, upload-time = "2025-11-30T20:24:18.086Z" },
+    { url = "https://files.pythonhosted.org/packages/7a/68/5c2594e937253457342e078f0cc1ded3dd7b2ad59afdbf2d354869110a02/rpds_py-0.30.0-pp311-pypy311_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:3adbb8179ce342d235c31ab8ec511e66c73faa27a47e076ccc92421add53e2bb", size = 391542, upload-time = "2025-11-30T20:24:20.092Z" },
+    { url = "https://files.pythonhosted.org/packages/49/5c/31ef1afd70b4b4fbdb2800249f34c57c64beb687495b10aec0365f53dfc4/rpds_py-0.30.0-pp311-pypy311_pp73-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:250fa00e9543ac9b97ac258bd37367ff5256666122c2d0f2bc97577c60a1818c", size = 404004, upload-time = "2025-11-30T20:24:22.231Z" },
+    { url = "https://files.pythonhosted.org/packages/e3/63/0cfbea38d05756f3440ce6534d51a491d26176ac045e2707adc99bb6e60a/rpds_py-0.30.0-pp311-pypy311_pp73-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:9854cf4f488b3d57b9aaeb105f06d78e5529d3145b1e4a41750167e8c213c6d3", size = 527063, upload-time = "2025-11-30T20:24:24.302Z" },
+    { url = "https://files.pythonhosted.org/packages/42/e6/01e1f72a2456678b0f618fc9a1a13f882061690893c192fcad9f2926553a/rpds_py-0.30.0-pp311-pypy311_pp73-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:993914b8e560023bc0a8bf742c5f303551992dcb85e247b1e5c7f4a7d145bda5", size = 413099, upload-time = "2025-11-30T20:24:25.916Z" },
+    { url = "https://files.pythonhosted.org/packages/b8/25/8df56677f209003dcbb180765520c544525e3ef21ea72279c98b9aa7c7fb/rpds_py-0.30.0-pp311-pypy311_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:58edca431fb9b29950807e301826586e5bbf24163677732429770a697ffe6738", size = 392177, upload-time = "2025-11-30T20:24:27.834Z" },
+    { url = "https://files.pythonhosted.org/packages/4a/b4/0a771378c5f16f8115f796d1f437950158679bcd2a7c68cf251cfb00ed5b/rpds_py-0.30.0-pp311-pypy311_pp73-manylinux_2_31_riscv64.whl", hash = "sha256:dea5b552272a944763b34394d04577cf0f9bd013207bc32323b5a89a53cf9c2f", size = 406015, upload-time = "2025-11-30T20:24:29.457Z" },
+    { url = "https://files.pythonhosted.org/packages/36/d8/456dbba0af75049dc6f63ff295a2f92766b9d521fa00de67a2bd6427d57a/rpds_py-0.30.0-pp311-pypy311_pp73-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:ba3af48635eb83d03f6c9735dfb21785303e73d22ad03d489e88adae6eab8877", size = 423736, upload-time = "2025-11-30T20:24:31.22Z" },
+    { url = "https://files.pythonhosted.org/packages/13/64/b4d76f227d5c45a7e0b796c674fd81b0a6c4fbd48dc29271857d8219571c/rpds_py-0.30.0-pp311-pypy311_pp73-musllinux_1_2_aarch64.whl", hash = "sha256:dff13836529b921e22f15cb099751209a60009731a68519630a24d61f0b1b30a", size = 573981, upload-time = "2025-11-30T20:24:32.934Z" },
+    { url = "https://files.pythonhosted.org/packages/20/91/092bacadeda3edf92bf743cc96a7be133e13a39cdbfd7b5082e7ab638406/rpds_py-0.30.0-pp311-pypy311_pp73-musllinux_1_2_i686.whl", hash = "sha256:1b151685b23929ab7beec71080a8889d4d6d9fa9a983d213f07121205d48e2c4", size = 599782, upload-time = "2025-11-30T20:24:35.169Z" },
+    { url = "https://files.pythonhosted.org/packages/d1/b7/b95708304cd49b7b6f82fdd039f1748b66ec2b21d6a45180910802f1abf1/rpds_py-0.30.0-pp311-pypy311_pp73-musllinux_1_2_x86_64.whl", hash = "sha256:ac37f9f516c51e5753f27dfdef11a88330f04de2d564be3991384b2f3535d02e", size = 562191, upload-time = "2025-11-30T20:24:36.853Z" },
+]
+
+[[package]]
+name = "rpds-py"
+version = "2026.5.1"
+source = { registry = "https://pypi.org/simple" }
+resolution-markers = [
+    "python_full_version >= '3.11'",
+]
+sdist = { url = "https://files.pythonhosted.org/packages/2e/43/25a8dcd3feedd735039a8f0b5b7e3b118232b5eae288c4fd9ab200d41094/rpds_py-2026.5.1.tar.gz", hash = "sha256:07b24fea40541e28570e5b795a4a38fbdcd12550c06bd0748005ecc8116ca256", size = 64459, upload-time = "2026-05-28T12:02:13.232Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/4f/a0/acf8b6fc20bfdcd3a45bd3f57680fb198e157b7e997b9123b10763798bd2/rpds_py-2026.5.1-cp311-cp311-macosx_10_12_x86_64.whl", hash = "sha256:3397a5ed7174dc2786bb214030232fc36fe8e5584fec43a9952cc542b1a12036", size = 355609, upload-time = "2026-05-28T11:58:50.78Z" },
+    { url = "https://files.pythonhosted.org/packages/b6/95/f8203fd997484b1690a6869cd0e503b6c3c6be55b0ecc36d1a491fe742f0/rpds_py-2026.5.1-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:99ab6ba7bfa2cb0f96a04e3652355bf04e3f51aceb1e943b8541dab7ba4828cc", size = 348460, upload-time = "2026-05-28T11:58:52.374Z" },
+    { url = "https://files.pythonhosted.org/packages/33/8c/b47326ad2f0be545a5e5c1a55937a12afaea7d392ba2837bb9680f57e6c9/rpds_py-2026.5.1-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d0efbe45632665e53e3db8fe1e5692db58fc5cb9bab4459d570b83efefe11164", size = 381031, upload-time = "2026-05-28T11:58:53.775Z" },
+    { url = "https://files.pythonhosted.org/packages/22/0b/e83bbd97ffac6f6389b605cd4e1c8ac5761dc7e977769c9255d8c5adb7bd/rpds_py-2026.5.1-cp311-cp311-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:01d17b29c0c23d82b1f4751147ec49cf451f1fc2554eb9ef5f957e55d2656ead", size = 387121, upload-time = "2026-05-28T11:58:55.243Z" },
+    { url = "https://files.pythonhosted.org/packages/fd/0e/d285d1bc8864245919c61e1ca82263e4a66d337759c3a4cef72766ff9afc/rpds_py-2026.5.1-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:7559f72b94ae52659086c595dfa017cde03155f7832071d30959049052cb3ece", size = 501026, upload-time = "2026-05-28T11:58:56.788Z" },
+    { url = "https://files.pythonhosted.org/packages/86/06/ccb2109a1e543437b5e43816f2b43b9554cc6783145528a4e3711e05c011/rpds_py-2026.5.1-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:9e25b7088f9ccbfc0dfcaa52bf969300ca229e10ecf758974ebcbb080a4b37bb", size = 391865, upload-time = "2026-05-28T11:58:58.298Z" },
+    { url = "https://files.pythonhosted.org/packages/3d/33/237173db1cfef10105b3839a24de00eb8d2a523711add4632447cdf0aedd/rpds_py-2026.5.1-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:613fc4ee9eaef26dc5840666214dd6fbcebcf32f46e76f4abc473059f4e13dda", size = 378012, upload-time = "2026-05-28T11:58:59.589Z" },
+    { url = "https://files.pythonhosted.org/packages/97/64/1eae54e34d5161f9969295e80bd6b62a55f2b6ac5f2a5b60d02c2140e758/rpds_py-2026.5.1-cp311-cp311-manylinux_2_31_riscv64.whl", hash = "sha256:85264a90ff4c05c1568dd65f5921c837614b67c60358fb4c17df3b7f2e90690a", size = 391111, upload-time = "2026-05-28T11:59:01.104Z" },
+    { url = "https://files.pythonhosted.org/packages/d8/34/5bb334a5a0f65d77869217c4654f34c78a7d11b93938a3c076a2edeafc52/rpds_py-2026.5.1-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:fe71bca7d547acb17027c7fd1624ff8aae623499c498d3e7011182c4de5c25e0", size = 409225, upload-time = "2026-05-28T11:59:02.433Z" },
+    { url = "https://files.pythonhosted.org/packages/16/0f/007ec21283b5b040b4ec3bd95e0402591e22bfa7d5c93dfe01c465c2d2d7/rpds_py-2026.5.1-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:a05fa4f41f37ec97c9c260441a940450a192f78d774d2b097eee1379f1e1246a", size = 556487, upload-time = "2026-05-28T11:59:04.012Z" },
+    { url = "https://files.pythonhosted.org/packages/ff/10/5437c94508169b6b22d8418fef7a66e9ffb5f3b9e9c94460f2eedafe06ff/rpds_py-2026.5.1-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:df1d2a1996755b24b9ecee92cb4d36c28f86f464a6a173349c26bab41e94b8c2", size = 620798, upload-time = "2026-05-28T11:59:05.485Z" },
+    { url = "https://files.pythonhosted.org/packages/e0/d5/9937dce4d6bda74157b954e7d1460db05a22f5929dccfeeba1ed27a93df0/rpds_py-2026.5.1-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:8895840ac4809e5f60c88fd07617cd71326e73d6e5a8aa783c5c0f7c24985de2", size = 584053, upload-time = "2026-05-28T11:59:06.837Z" },
+    { url = "https://files.pythonhosted.org/packages/6c/31/750617dd0ae1752471bf43f9e41d263398fae7cde7849d23b8574a70e617/rpds_py-2026.5.1-cp311-cp311-win32.whl", hash = "sha256:3684a59b158a7683aaeb8e25352e9a9dd2122cec78f2d8530266e4f91b4c7b3f", size = 214390, upload-time = "2026-05-28T11:59:08.402Z" },
+    { url = "https://files.pythonhosted.org/packages/3c/bb/3dcab0e1d9516303f2eb672a5d6f62eca5a69e2886301e9c8c54b520c39b/rpds_py-2026.5.1-cp311-cp311-win_amd64.whl", hash = "sha256:7bd530e6a530bb3ea892f194fafa455f3516ac25ecf7143fd33c09be62b0470a", size = 231097, upload-time = "2026-05-28T11:59:09.786Z" },
+    { url = "https://files.pythonhosted.org/packages/49/d6/c6bbf5cb1cf12b9732df8074b57f6ef8341ba884c95d40632ae8bddb44e4/rpds_py-2026.5.1-cp311-cp311-win_arm64.whl", hash = "sha256:0a5ae4dbe43c1076983b72616496919872ae7bbe7a1e21cc48336bc3154d130b", size = 226361, upload-time = "2026-05-28T11:59:11.079Z" },
+    { url = "https://files.pythonhosted.org/packages/d4/e7/a78582dc57caa592dcc7d4fb69b61390561e908eb3d2f5df5928a8e354c0/rpds_py-2026.5.1-cp312-cp312-macosx_10_12_x86_64.whl", hash = "sha256:3abe24a66e57adcfa645d718063a5fa5103ecc71ddbf26d78af8f9368018ff1d", size = 353040, upload-time = "2026-05-28T11:59:12.531Z" },
+    { url = "https://files.pythonhosted.org/packages/a3/43/35e3f136343aef451e545ce8c38d36c2f93c0ed88703db8b64ba2b205c68/rpds_py-2026.5.1-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:58b1d94308ddf0b1982f61f2eb54bf92997c9ece8a8093ef014250f4a517906c", size = 345775, upload-time = "2026-05-28T11:59:13.827Z" },
+    { url = "https://files.pythonhosted.org/packages/20/e1/0f2160c5982d3157734d5cb3ed63d8b2d583a73c9864f77b666449f32cf8/rpds_py-2026.5.1-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:0fa92420128dadce7f54bd73ba1825a273e9268fe9e35dbf7e6362890efa4e08", size = 376329, upload-time = "2026-05-28T11:59:15.271Z" },
+    { url = "https://files.pythonhosted.org/packages/d0/11/ee0ba42aff83bf4effdbc576673c6be64c5e173978c3f6d537e94482f77d/rpds_py-2026.5.1-cp312-cp312-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:ca653c6546386227cd9800d1bef6a348099acf8db4250341da6d90f663d6dfcb", size = 383539, upload-time = "2026-05-28T11:59:16.665Z" },
+    { url = "https://files.pythonhosted.org/packages/11/df/d94aa6a499d4ac40afe2d7620f2c597fd3c0f182e854ad7cf3f596a81cb6/rpds_py-2026.5.1-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:66c93681c4729e4e3ecba31b8179fae083ff3118841672835140338b4b9867c1", size = 494674, upload-time = "2026-05-28T11:59:17.991Z" },
+    { url = "https://files.pythonhosted.org/packages/1f/75/33d30f43bb2f458de11979486a591b1bf6e5651765ed1704c6197c2dc773/rpds_py-2026.5.1-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:40ff257542e04796880e011e15cd4dc21c2599975df2aaa8f2c8495ca574e1a5", size = 389268, upload-time = "2026-05-28T11:59:19.434Z" },
+    { url = "https://files.pythonhosted.org/packages/f4/1e/2c9096fc19d5fd084b0184ca2b651e659aa0a37e6fdbecf6ece47f147fe1/rpds_py-2026.5.1-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:b6825cc329b290e93c5f6a9be2393118a763f6ccf6abd83704e0c102ca583644", size = 376280, upload-time = "2026-05-28T11:59:21Z" },
+    { url = "https://files.pythonhosted.org/packages/b9/e5/61ec9f8be8211ea7f48448195549e4aaf02004083475493b0e137702ecb2/rpds_py-2026.5.1-cp312-cp312-manylinux_2_31_riscv64.whl", hash = "sha256:de42116e69cb53b911cc34aee5ab98f36c597b822545045d49e938818b99e5e4", size = 387233, upload-time = "2026-05-28T11:59:22.454Z" },
+    { url = "https://files.pythonhosted.org/packages/0d/ca/bcec1005c4f4a234f92a29078631fee49206c7265ccae966f18fd332e80e/rpds_py-2026.5.1-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:c0f920015df2a504bebaba6d4c31ccf3fcf942f92655c086da30b671aad19aa6", size = 405009, upload-time = "2026-05-28T11:59:23.845Z" },
+    { url = "https://files.pythonhosted.org/packages/72/e6/4d5718c5cf26c522dc7c9999e238da1e77380b81d0c5d1df11e271ddfeb1/rpds_py-2026.5.1-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:0408a24e44feb919423dc6d9da677cb5cddb894d2ca9e763967d156d9c60fab4", size = 553113, upload-time = "2026-05-28T11:59:25.184Z" },
+    { url = "https://files.pythonhosted.org/packages/d4/25/2ee807bdb3e1f0b7eddf7782acd5665a8b5205a331a7d7244a52c4812fd9/rpds_py-2026.5.1-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:cea68bcd53467561ae2f96a6bdad1544299ba97b5b0ddcd5ac3d376e5c781c24", size = 618838, upload-time = "2026-05-28T11:59:26.749Z" },
+    { url = "https://files.pythonhosted.org/packages/6a/c1/7d4c26f167f8c41501cc073d30ee22082b16ce358cf5b00ec97cbc7804ea/rpds_py-2026.5.1-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:4be8b1d2a705cc37d08256004e1d07de143fa0075c8e85a3df020b776f62b732", size = 582436, upload-time = "2026-05-28T11:59:28.11Z" },
+    { url = "https://files.pythonhosted.org/packages/04/1d/9d12b0a337bab46f4769f8857f4007e3b2d639e14f9a44a0efe157696e64/rpds_py-2026.5.1-cp312-cp312-win32.whl", hash = "sha256:6736718bd4fc49cbcb538ba30516fdbef161522acefb739657d48b97bd864fed", size = 212734, upload-time = "2026-05-28T11:59:29.689Z" },
+    { url = "https://files.pythonhosted.org/packages/c5/93/e4116f2de7f56bc7406a76033dc501811ddeb22b7f056b92d632871ebb0c/rpds_py-2026.5.1-cp312-cp312-win_amd64.whl", hash = "sha256:0a7d1eec967df0e9b22614a5e177622e0c89611d03727fa0cb48e45028907870", size = 229045, upload-time = "2026-05-28T11:59:31.033Z" },
+    { url = "https://files.pythonhosted.org/packages/cb/53/6c3419d85eb2ec5938a37627c585b42d76a63bb731d6e42ed4b079ebf486/rpds_py-2026.5.1-cp312-cp312-win_arm64.whl", hash = "sha256:1841d067089e117142d79b98aa0df2f08b52f2ecc1819dd2700636c0db74a473", size = 223967, upload-time = "2026-05-28T11:59:32.318Z" },
+    { url = "https://files.pythonhosted.org/packages/6c/32/14c961ad295f490eb0849ada8b79683e93a59b9de3afdd983eaf55fa6867/rpds_py-2026.5.1-cp313-cp313-macosx_10_12_x86_64.whl", hash = "sha256:efef4ac29c6ff495531eb17ee705b62841ecaa291b7c7077e848ea03e237164d", size = 352787, upload-time = "2026-05-28T11:59:33.655Z" },
+    { url = "https://files.pythonhosted.org/packages/ca/bb/d1b85117967c11191441a7274ae616c65d93901d082c588f89a50a8da5ae/rpds_py-2026.5.1-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:c39f5b67a8a2e67179ada2a954227d670fe65fa9098457f698f56ddf248709b3", size = 345179, upload-time = "2026-05-28T11:59:35Z" },
+    { url = "https://files.pythonhosted.org/packages/7c/46/d84105f062e626a1b233f863907288a4708c2d833b8b4c6fb2764bc080c0/rpds_py-2026.5.1-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:b5c30f3f04eef4fbd362226a6f31d7c8895ca4fbb6e0b790f6890a98d8da8559", size = 376173, upload-time = "2026-05-28T11:59:36.43Z" },
+    { url = "https://files.pythonhosted.org/packages/e2/ae/469d7959ce5b1201e1de135dc735b86db3b35dd0d1734f6a44246d5f061c/rpds_py-2026.5.1-cp313-cp313-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:277f6c82f0580848796c7ecc8a7173aa3bfb928e4ff831261c2f60a81dc270db", size = 383162, upload-time = "2026-05-28T11:59:37.995Z" },
+    { url = "https://files.pythonhosted.org/packages/dc/a2/57853d31a1116a561aa072794602ad3f6341e18d70a8523f1bd5b9fc1e5a/rpds_py-2026.5.1-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:63c2c4c213f1a4e3f3de28ecab029dbdee976324e729c0d7a55211be72576b02", size = 495093, upload-time = "2026-05-28T11:59:39.453Z" },
+    { url = "https://files.pythonhosted.org/packages/99/63/3a8eabcad9314b7daf5c65f451d2c33d989235cd8a5762186cf2c3f5a4f8/rpds_py-2026.5.1-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:3350ec808fb538fe71a1f94dfaa0e29c598dfad805ce49f0caec5ae3183c652b", size = 389829, upload-time = "2026-05-28T11:59:40.896Z" },
+    { url = "https://files.pythonhosted.org/packages/4b/25/05678d97fc25e2622df14dc530fb82023174ecfff6733991ed0d78f167bd/rpds_py-2026.5.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:b1b964e3ab599e718dc46c018d104b1ebc007cbc6567d827c94a687fca56d77e", size = 374786, upload-time = "2026-05-28T11:59:42.626Z" },
+    { url = "https://files.pythonhosted.org/packages/88/d1/8c90b6431e80a3b91b284a5c7c8c0c4f9c006444d90477a740d6e0f9c694/rpds_py-2026.5.1-cp313-cp313-manylinux_2_31_riscv64.whl", hash = "sha256:19cb09fab7b7fc96b2a6e28f2e34b72a3705ff27b37edb77455316e5d3f3dc9b", size = 386920, upload-time = "2026-05-28T11:59:44.124Z" },
+    { url = "https://files.pythonhosted.org/packages/ff/99/4638f672ab356682d633ee0da9255f5b67ce6efd0b85eb94ad3e255e65a5/rpds_py-2026.5.1-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:abe76bcdba31e576cb83eeb8797aa0d882b738fef6dc65d0601fc753806a5b46", size = 405059, upload-time = "2026-05-28T11:59:47.177Z" },
+    { url = "https://files.pythonhosted.org/packages/66/3f/3546524b6eb4cc2e1f363a3d638fa52f6c24faae3500c25fb488b02f1740/rpds_py-2026.5.1-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:8bff7073db3899158fff55ebf57b113a67030af26f80a18978f9f0aa60250ddf", size = 553030, upload-time = "2026-05-28T11:59:48.603Z" },
+    { url = "https://files.pythonhosted.org/packages/c6/c3/7b3388c796fcf471bd17194242d4dc1a7608567c0fa422bcc1c5e79f9c1e/rpds_py-2026.5.1-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:8ba264fa49be666cd9cc56bf34ec7002fb3d27a4aee5bcb4d43d0d18feb1bb6f", size = 618975, upload-time = "2026-05-28T11:59:50.314Z" },
+    { url = "https://files.pythonhosted.org/packages/61/1e/a3cb07f2795075d1d88efddae2f541359fde5f08c81ee114c29c2949c90a/rpds_py-2026.5.1-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:4860b603ddda0475a8885499b3729e90229d480105b42651962a5397d995fa89", size = 581178, upload-time = "2026-05-28T11:59:51.673Z" },
+    { url = "https://files.pythonhosted.org/packages/a1/74/e758c03a5ef46f04c37f2651a2893db846d569ba8a7bca469d4b58939bcd/rpds_py-2026.5.1-cp313-cp313-win32.whl", hash = "sha256:7944270ae71383f6e2657dd7d5ce4eeb4ac2d0059a6738f0510583d462ab4842", size = 212481, upload-time = "2026-05-28T11:59:53.148Z" },
+    { url = "https://files.pythonhosted.org/packages/70/ec/a2aca432db9c7359b40fa393eeeaa0d166c2f70175be956e75fa24197c44/rpds_py-2026.5.1-cp313-cp313-win_amd64.whl", hash = "sha256:88647f43a73c4e01be19b04ceef0c8d3a1958153604d13c773becd8016f2a0cf", size = 228519, upload-time = "2026-05-28T11:59:54.505Z" },
+    { url = "https://files.pythonhosted.org/packages/29/60/a73bfdd45b096574556acf303bbd9fa9eed36ca8a818b514e2a5d5fe2b9d/rpds_py-2026.5.1-cp313-cp313-win_arm64.whl", hash = "sha256:453895624ecf7db7063b1004e44037522bbaef9ff6a945e59bc71662d7a03abd", size = 223446, upload-time = "2026-05-28T11:59:56.081Z" },
+    { url = "https://files.pythonhosted.org/packages/18/e2/408105fd611823f00882aea810f3989a30d26b1bab8b6beb20f98c724e0e/rpds_py-2026.5.1-cp313-cp313t-macosx_10_12_x86_64.whl", hash = "sha256:b4e4bc98639ec915f512fde3aa7a95e0041d95d9c3cc86eea841fa63cb1e8600", size = 355287, upload-time = "2026-05-28T11:59:57.448Z" },
+    { url = "https://files.pythonhosted.org/packages/8d/58/5c4a43436843c90d0f6d19f82c200c80e3843ca9fa07b237623327f6d384/rpds_py-2026.5.1-cp313-cp313t-macosx_11_0_arm64.whl", hash = "sha256:cacedb7a6e167680acba45ad5716e89067d225dc80da0d7040cae8c81d4572fa", size = 347033, upload-time = "2026-05-28T11:59:58.881Z" },
+    { url = "https://files.pythonhosted.org/packages/fb/c2/1a71acdacaf4e259b10278fb87b039ded3cf80041bcd89dd8a3ea702ded6/rpds_py-2026.5.1-cp313-cp313t-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:68700371c5d7ae1412862ddfa719090925c93ecf351c566d66f09d04b136ea00", size = 376891, upload-time = "2026-05-28T12:00:00.516Z" },
+    { url = "https://files.pythonhosted.org/packages/c2/c8/535f3d9b65addd8e28aa87b83c6e526799c3717a88273db8ea795beeef7a/rpds_py-2026.5.1-cp313-cp313t-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:296c799becfa849c779c8725494fe9ed94959ed886787df4364b058465bad7f0", size = 385646, upload-time = "2026-05-28T12:00:02.394Z" },
+    { url = "https://files.pythonhosted.org/packages/1c/91/dc033f313345c354ade914dbe73cdb90b615a4409ea02430d5356794f3d8/rpds_py-2026.5.1-cp313-cp313t-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:d3858b908218ee108d0bbfb2095ccc237648053c9bf98affad7cb079acaf1d97", size = 498830, upload-time = "2026-05-28T12:00:04.189Z" },
+    { url = "https://files.pythonhosted.org/packages/27/fc/90fcbea459dbb8ddc18a2e0fd1de9412b48bc84ffff2db771cf714bacfd6/rpds_py-2026.5.1-cp313-cp313t-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:4fb8d2e7cb2f850b169806d61d1b991738acec96500a75c30f49caf064ce7cef", size = 392830, upload-time = "2026-05-28T12:00:05.797Z" },
+    { url = "https://files.pythonhosted.org/packages/b2/1d/46cd11a228c9750684a798d98f878be6f614aa762438da7378f035e79e35/rpds_py-2026.5.1-cp313-cp313t-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:27b74c10ed6a8f190f4287f53bcfea348b92a84a9c9f70d30183d1e6172d580d", size = 379613, upload-time = "2026-05-28T12:00:07.433Z" },
+    { url = "https://files.pythonhosted.org/packages/24/4a/d9b0c6af3a1de03eb93741bbe8be2bdce84d8fda8224f3005451d86df389/rpds_py-2026.5.1-cp313-cp313t-manylinux_2_31_riscv64.whl", hash = "sha256:b9a6528956191c48c52294a592dbd4a8386d7048bdb25c0efcb6b966466c6d83", size = 388183, upload-time = "2026-05-28T12:00:09.227Z" },
+    { url = "https://files.pythonhosted.org/packages/c5/b4/db7aaabdda6d020afc87d981bcc2f57a434c7dec60ecfc2ab3dd50b20351/rpds_py-2026.5.1-cp313-cp313t-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:af03e34e860047bc7a352b842856fcf78798fbb81132cc98bd2f907ab4eb9cd2", size = 408578, upload-time = "2026-05-28T12:00:10.779Z" },
+    { url = "https://files.pythonhosted.org/packages/08/d6/070f6a41cbb343e2ac4171859bf3f3623e0ab002f72619d6d505313ec2de/rpds_py-2026.5.1-cp313-cp313t-musllinux_1_2_aarch64.whl", hash = "sha256:fea6e836d10abbe191d557d33bd58bd5987725fe63aa1eefe557d230209855bd", size = 553573, upload-time = "2026-05-28T12:00:12.443Z" },
+    { url = "https://files.pythonhosted.org/packages/75/ab/1a71ea3589c4345dac0a0518f0e6a031cb42689277851b683c46d27463a5/rpds_py-2026.5.1-cp313-cp313t-musllinux_1_2_i686.whl", hash = "sha256:fc0c0f878ea770a0a8a462456c5ad36fc9fe6358e6b76fdadc7f17575e0b8bf1", size = 620861, upload-time = "2026-05-28T12:00:14.09Z" },
+    { url = "https://files.pythonhosted.org/packages/8a/22/9bf80a56069c0c443fcfefac639a86a744550a2898817a6dfd3e26654924/rpds_py-2026.5.1-cp313-cp313t-musllinux_1_2_x86_64.whl", hash = "sha256:e0b360f316d966b048b085857630b3cc51f3db2f07b06f440eac8f695374d1e3", size = 585633, upload-time = "2026-05-28T12:00:15.66Z" },
+    { url = "https://files.pythonhosted.org/packages/da/68/3b2c0a75c9e04125696f84ebdbbf304acf5a40b58ba4481cdb98a922c3ba/rpds_py-2026.5.1-cp313-cp313t-win32.whl", hash = "sha256:a2999883eedf72fdfb7520b92c7d4ec2572a71ff40239377aa604cc529eecafc", size = 210074, upload-time = "2026-05-28T12:00:17.291Z" },
+    { url = "https://files.pythonhosted.org/packages/e7/8b/609157d5a25d37d4f29f92840ba531f416907c34ae5c5739dd21fc2bef98/rpds_py-2026.5.1-cp313-cp313t-win_amd64.whl", hash = "sha256:e07be2a9d7122bd6e82dea89814ef8dc893feb1aae97fec1630f3263bbb30e55", size = 228635, upload-time = "2026-05-28T12:00:18.73Z" },
+    { url = "https://files.pythonhosted.org/packages/d4/6f/19c1918a4b590d8de87e712e4abe4b3875771eff60216fb6153cf6665c68/rpds_py-2026.5.1-cp314-cp314-macosx_10_12_x86_64.whl", hash = "sha256:1f2c391c3059798093b65df23aca2cac150460ae9c630d99dec83d703d9485b9", size = 349756, upload-time = "2026-05-28T12:00:20.217Z" },
+    { url = "https://files.pythonhosted.org/packages/e5/60/a06fe7da34eca79dacbf958a2ba0c6eea85bc2b29de20080bf40f72f66fa/rpds_py-2026.5.1-cp314-cp314-macosx_11_0_arm64.whl", hash = "sha256:413b424f7c4ee65ab5e5be91f5731be0f8b41a1ee2b12dfe810d716312e95a78", size = 343831, upload-time = "2026-05-28T12:00:21.711Z" },
+    { url = "https://files.pythonhosted.org/packages/bf/ec/b2333b97b90e2a6ef6ca8ad386ee284968e74bcfe113b3f1a8d9036429a9/rpds_py-2026.5.1-cp314-cp314-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:2c595a1d9255dce0599e13130d1440ab2506654f2b50294226ee06402f8fef63", size = 375127, upload-time = "2026-05-28T12:00:23.326Z" },
+    { url = "https://files.pythonhosted.org/packages/14/7f/e00aae54067f2b488c4637961d5f58204d470795fc791085fa3f15060d2e/rpds_py-2026.5.1-cp314-cp314-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:1c27c5f6102eac8c03e7595a00827a53b271ba40a53b59ff8709170e0855ea4a", size = 379034, upload-time = "2026-05-28T12:00:24.89Z" },
+    { url = "https://files.pythonhosted.org/packages/be/cc/423999bbb8ae8dc93c77fc1d5e984ade5eb89d237d3bb884ccfa72ae2890/rpds_py-2026.5.1-cp314-cp314-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:6c7fcf61d44cacecaf3aea542b0e053db77972a4573e7ceda16fb2b399161195", size = 490823, upload-time = "2026-05-28T12:00:26.676Z" },
+    { url = "https://files.pythonhosted.org/packages/0f/aa/c671bf660f12e68d3c52ff86c7066ed1372df5a0f4f2ff584e419b8207e7/rpds_py-2026.5.1-cp314-cp314-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:2c817a189d4ee14290420e5ff051e4dd6baa13f3edf84685071dee07a6d538ee", size = 388144, upload-time = "2026-05-28T12:00:28.577Z" },
+    { url = "https://files.pythonhosted.org/packages/19/c8/d63bb75b68afe77b229e3021c6031bcaf01da5db5b0e69d0d10f9ba679a7/rpds_py-2026.5.1-cp314-cp314-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:21846aac0ed2e0589f38c12dc44e77bb64e494b771eadbcf169cba00566ba7ba", size = 371959, upload-time = "2026-05-28T12:00:30.304Z" },
+    { url = "https://files.pythonhosted.org/packages/82/35/c51122014d8274ff37dc606d60049c3db7d83da02b5b282511e5a906a9a6/rpds_py-2026.5.1-cp314-cp314-manylinux_2_31_riscv64.whl", hash = "sha256:b317c87a13f769a4e787819bd508aaa5d69aa09b0880de9af6d3a8a54571cdec", size = 383558, upload-time = "2026-05-28T12:00:31.764Z" },
+    { url = "https://files.pythonhosted.org/packages/e3/f9/2790cb99c136a5363acdeacf5c27c56f3de0d4118a1f48fca83404c99c89/rpds_py-2026.5.1-cp314-cp314-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:ce87129d9f2c14fa6c4a8601fb80eb4488c80d38a20cd13758ef11123e14995d", size = 402789, upload-time = "2026-05-28T12:00:33.247Z" },
+    { url = "https://files.pythonhosted.org/packages/e5/1b/e4fb584f8c75d35c38150ff6a332cda949e6f97acba1f4fd123b14ab56fe/rpds_py-2026.5.1-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:9cdddb6c1207d284d94fd1530adf57fbd797fe7c4b8704ba85f49414f2557e7d", size = 551405, upload-time = "2026-05-28T12:00:34.819Z" },
+    { url = "https://files.pythonhosted.org/packages/d8/f7/a6731b4216cb3793ea1af5391da240f5683dacc0d13e034fe5fc3503f240/rpds_py-2026.5.1-cp314-cp314-musllinux_1_2_i686.whl", hash = "sha256:4e237e139f94d3c036fd28eb9f564c99055476ff4ff05cd42be55ce349b5aa02", size = 616975, upload-time = "2026-05-28T12:00:36.268Z" },
+    { url = "https://files.pythonhosted.org/packages/2c/ea/2e051a81d95d8e63f4b35a1c463a87e8766bc3d083c067c5dfb6bf220747/rpds_py-2026.5.1-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:ed0954b524873214369184a9c82b0eaa45a3fbb9a798cd95b17e0d98499e7ea0", size = 578701, upload-time = "2026-05-28T12:00:37.82Z" },
+    { url = "https://files.pythonhosted.org/packages/65/56/b5f6fdb2083e32bca8a8993d89e70db114b4756c9e2c38421328126689d2/rpds_py-2026.5.1-cp314-cp314-win32.whl", hash = "sha256:2d88621d6a7d4dfa633d21abe90f280bb205274e16b1d1e61c6ad4640b2453b7", size = 209806, upload-time = "2026-05-28T12:00:39.492Z" },
+    { url = "https://files.pythonhosted.org/packages/fb/80/65a5aa96c155e611d1ed844e4e1f57f3e36b021f396d9f8585d756e6b90d/rpds_py-2026.5.1-cp314-cp314-win_amd64.whl", hash = "sha256:cef8ac28d26f4dda3533060c20fbf80a325458fa9fd23ea72a73cdfa8e978838", size = 225985, upload-time = "2026-05-28T12:00:40.94Z" },
+    { url = "https://files.pythonhosted.org/packages/27/7c/ad185212e87b05f196daef92bc5f3caf07298eb47c295b5585c3dd3093ac/rpds_py-2026.5.1-cp314-cp314-win_arm64.whl", hash = "sha256:eaaea962c68cdc68d4a533ba985ab8e9484277910bbfaa2ab3ef7732667bfed8", size = 221219, upload-time = "2026-05-28T12:00:43.15Z" },
+    { url = "https://files.pythonhosted.org/packages/23/58/e14ae18759020334646b031e708ab4158d653a938822bfb7b95ef2e93aa3/rpds_py-2026.5.1-cp314-cp314t-macosx_10_12_x86_64.whl", hash = "sha256:21942f52dbbd5f8758bf021213d28bd45c39e873e65e2407faf5f1846f5761ad", size = 352148, upload-time = "2026-05-28T12:00:44.638Z" },
+    { url = "https://files.pythonhosted.org/packages/31/9b/5f4a1e2f960bca3ac5d052b139dd31eed97b259f9d909173821760d542e8/rpds_py-2026.5.1-cp314-cp314t-macosx_11_0_arm64.whl", hash = "sha256:f414556f6e3958300ff941e40c9f97e3dc9774ddd1b3434c475d73dd354bbed3", size = 345196, upload-time = "2026-05-28T12:00:46.14Z" },
+    { url = "https://files.pythonhosted.org/packages/1a/71/1d9574d6a2fa20ab60eaa55c7467f5aa20cbc770f341a05f09c0876f59e2/rpds_py-2026.5.1-cp314-cp314t-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ef1013a8625c74043210190b246f5b1551e09757c1f356c6e4160ef96c5bc081", size = 374981, upload-time = "2026-05-28T12:00:47.531Z" },
+    { url = "https://files.pythonhosted.org/packages/0c/9a/37e99f4915a80aa71670263c1267f7ae0af95f53a3f61e6c3bdc016d4515/rpds_py-2026.5.1-cp314-cp314t-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:cc68e231a77a5f0d774ae278a1f8e55c0456501820847c1e4efb3829f3441df6", size = 379961, upload-time = "2026-05-28T12:00:49.216Z" },
+    { url = "https://files.pythonhosted.org/packages/a8/ff/6e73f74b89d2e0715e0fc86b7dde893f9a61ae2f9b256ff3bdfe41ac4e94/rpds_py-2026.5.1-cp314-cp314t-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:9baffb505aff33acc69b422a19f77806680f3c8632227d79f48de8a810d1c2c5", size = 495965, upload-time = "2026-05-28T12:00:51.111Z" },
+    { url = "https://files.pythonhosted.org/packages/ea/e0/425faba25f59d74d4638b267f7c7a80e8649d2ef4db10a19b0c4a71e6e6f/rpds_py-2026.5.1-cp314-cp314t-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:b8d2f912928d426e8cfa396f7f3f8d29a59e6689c86dcca3c420730c1096322b", size = 389526, upload-time = "2026-05-28T12:00:52.77Z" },
+    { url = "https://files.pythonhosted.org/packages/c6/76/7a41960e3fddae47fab43a28684d5da981401dffd88253de0944148654cb/rpds_py-2026.5.1-cp314-cp314t-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:90f628283be835db980c941767d41c9a27b5239e54ba0a9c1335247e82406964", size = 376190, upload-time = "2026-05-28T12:00:54.215Z" },
+    { url = "https://files.pythonhosted.org/packages/27/60/5f38dc70824fc6951b51d35377e577a3a3a4c81a6769cc5a2de25ebe0ad1/rpds_py-2026.5.1-cp314-cp314t-manylinux_2_31_riscv64.whl", hash = "sha256:1ebb2f0ab7e16132995a72de805170e0203df0c3dd22e1ef1cd1fdd90bd7a131", size = 383921, upload-time = "2026-05-28T12:00:55.673Z" },
+    { url = "https://files.pythonhosted.org/packages/60/1a/d60a38caa1505f4b9483c3fbbde12c94e1079154f4f401a6da96f7e77621/rpds_py-2026.5.1-cp314-cp314t-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:f3df3d16ded76f1f8c9cdebd0e1ea55fdf4c23b812de189814da7cf229c22a81", size = 404766, upload-time = "2026-05-28T12:00:57.518Z" },
+    { url = "https://files.pythonhosted.org/packages/87/ff/602fd3f174d6425f0bce05ad0dfbec0e96b38d0f7d08a79af5aa20083885/rpds_py-2026.5.1-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:9af8905b8f854990e40d5206aa5ac58d9b0fe0b7f351ff2bb086c20f6c8c6a47", size = 551343, upload-time = "2026-05-28T12:00:58.978Z" },
+    { url = "https://files.pythonhosted.org/packages/b8/c1/1be13327acdbead3eca1fde03b6a34dbb011f1e864e217f0d32cc1779a7f/rpds_py-2026.5.1-cp314-cp314t-musllinux_1_2_i686.whl", hash = "sha256:036a36a87fb1cd3b214d11c4b3c4f7d2ddad933625dca1c900b56a057c07740a", size = 618502, upload-time = "2026-05-28T12:01:00.656Z" },
+    { url = "https://files.pythonhosted.org/packages/f3/d7/afb49b49d7f2be8b7ba1a9f0977fa5168003437b93086726f066544e8351/rpds_py-2026.5.1-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:62ae3853454fe9ef283a03c96c2d835d39e84b14643a9d62c82ef0fb87d702ca", size = 581916, upload-time = "2026-05-28T12:01:02.22Z" },
+    { url = "https://files.pythonhosted.org/packages/25/d1/dbef8c1f8a10f07beb62b5f054e20099fd9924b3ec001b8f0b6ac7813a85/rpds_py-2026.5.1-cp314-cp314t-win32.whl", hash = "sha256:6c3d771a46ec18b12af06ce36243a9a80b07a5d0515236332d90863ca8bb326a", size = 207855, upload-time = "2026-05-28T12:01:03.821Z" },
+    { url = "https://files.pythonhosted.org/packages/2a/72/bfa4e61ab8e7dc1c8adf397e05e6cbdd4239357bd72b248d3de662f23915/rpds_py-2026.5.1-cp314-cp314t-win_amd64.whl", hash = "sha256:c93c629be4636cf54337bd5f06c104d55e42ced54d681f6fe21ae510a65116f6", size = 225422, upload-time = "2026-05-28T12:01:05.194Z" },
+    { url = "https://files.pythonhosted.org/packages/27/3a/7b5da92b640f67b6717ccafc83cdd06bfa7ff2395c3685c68922bb54d703/rpds_py-2026.5.1-cp315-cp315-macosx_10_12_x86_64.whl", hash = "sha256:3574b55c604b8f75dacb007136508bbc0db406e626301778096a133327e7f2fb", size = 349576, upload-time = "2026-05-28T12:01:06.722Z" },
+    { url = "https://files.pythonhosted.org/packages/d7/8a/2aafd7ad355a1bd48ca76e2262b74b15e6432b5a1efe150efd4d779cd55d/rpds_py-2026.5.1-cp315-cp315-macosx_11_0_arm64.whl", hash = "sha256:94068eb3ae6d43f5a786b7db96a406a34e6d5c24489feef32fd6e8946ea7b291", size = 343640, upload-time = "2026-05-28T12:01:08.441Z" },
+    { url = "https://files.pythonhosted.org/packages/f7/7d/6c9523c1abbe840a1b7fba3c516d48e1d3487cc80fea4366c4071cf56784/rpds_py-2026.5.1-cp315-cp315-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:f3a5b10e8ce894825f380a8f1b6444cf73c294dfea62afbb2d13e3a9e630cec1", size = 375322, upload-time = "2026-05-28T12:01:09.934Z" },
+    { url = "https://files.pythonhosted.org/packages/5a/5d/0b7b03fb1dc509321f01de3149784ab773e34c8573022029af8076afcb9c/rpds_py-2026.5.1-cp315-cp315-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:fc09f82e63d4bcd58149572f857a431bae851dc747e313c3b5bdf7abb907fda8", size = 379066, upload-time = "2026-05-28T12:01:11.48Z" },
+    { url = "https://files.pythonhosted.org/packages/d7/e2/8ef6012999ebf1cb1c22f876d9ce5e63d960fd4631d2af3202d3f480aa25/rpds_py-2026.5.1-cp315-cp315-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:e10464d17df3b582745c25cec695cb9558bca2cb6ddb631aee1787fc72c767b2", size = 494586, upload-time = "2026-05-28T12:01:13.051Z" },
+    { url = "https://files.pythonhosted.org/packages/80/af/1eeb029bec67582c226b7809172207cd005073af4ebd906e65ff494f4983/rpds_py-2026.5.1-cp315-cp315-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:ba05adbf15d994c38ec0b7ab32e858e5110c21e9009a00a86545fd220f84e038", size = 388415, upload-time = "2026-05-28T12:01:14.631Z" },
+    { url = "https://files.pythonhosted.org/packages/18/23/ffbe10711c4d766c1cab0557d6906c074f795814863c67b351355d29354a/rpds_py-2026.5.1-cp315-cp315-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:77c004fdc7b891967106f78ddfd7b076bfe6813c6139c6fff6aed3bcaa960b26", size = 372427, upload-time = "2026-05-28T12:01:16.153Z" },
+    { url = "https://files.pythonhosted.org/packages/bd/3a/30ba4a6ad457e5b070c18d742a33fb77d8d922b565cc881f8a5313d63bfe/rpds_py-2026.5.1-cp315-cp315-manylinux_2_31_riscv64.whl", hash = "sha256:83bcf894486c9d78dd290d3c0124ff6dd8875d3025e2090a8ec49fcc37c55fdd", size = 383615, upload-time = "2026-05-28T12:01:17.809Z" },
+    { url = "https://files.pythonhosted.org/packages/d3/69/62e242b53ce39c0814bd24e1a6e6eba6c92be716277745f317f9540a2e7b/rpds_py-2026.5.1-cp315-cp315-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:c3df104083952a0e0c6f10de33e440eabe98fb6317d23e1a58c68f6df08d01b9", size = 402786, upload-time = "2026-05-28T12:01:19.419Z" },
+    { url = "https://files.pythonhosted.org/packages/38/c1/a770b9c186928a1ed0f7e6d7ae50e7f3950ed23e3f9e366dbc8e38cb55de/rpds_py-2026.5.1-cp315-cp315-musllinux_1_2_aarch64.whl", hash = "sha256:980450826cf22e133c57e0835070bdd0dd3f73b9b708c3ce223def2cb9469e14", size = 551583, upload-time = "2026-05-28T12:01:21.013Z" },
+    { url = "https://files.pythonhosted.org/packages/21/7c/68e8579b95375b70d2a963103c42e705856cdb98569258bd807f4423891c/rpds_py-2026.5.1-cp315-cp315-musllinux_1_2_i686.whl", hash = "sha256:205dde846f24332ab0c1188699a043b8d165b79bb84529ce272c45048ff6be01", size = 616941, upload-time = "2026-05-28T12:01:22.548Z" },
+    { url = "https://files.pythonhosted.org/packages/70/a1/a6135aed5730ff03ab957182259987ac11e55fb392a28dc6f0592048a280/rpds_py-2026.5.1-cp315-cp315-musllinux_1_2_x86_64.whl", hash = "sha256:3966b82dd563176396df030f3dd52a6e54cb69b718e95e78bd555ed3d1e0185d", size = 578349, upload-time = "2026-05-28T12:01:24.118Z" },
+    { url = "https://files.pythonhosted.org/packages/09/6e/f24201a76a84e6c49d0bdfdfcb735210e21701e9b21c5bfc0ba497dd62f6/rpds_py-2026.5.1-cp315-cp315-win32.whl", hash = "sha256:7818f8d0a415be74d2be3590b0a1c1f463a642f4d0217e7d10602dceef5b79aa", size = 209922, upload-time = "2026-05-28T12:01:25.522Z" },
+    { url = "https://files.pythonhosted.org/packages/9e/e4/966bc240bb0485fc265278f6de44d05834bf0b3618886e0b22e33d54c49a/rpds_py-2026.5.1-cp315-cp315-win_amd64.whl", hash = "sha256:b3cc20c0d800af78fd0fac68086e28c1856cec51ea528bb81ea851aa40d39325", size = 226003, upload-time = "2026-05-28T12:01:27.062Z" },
+    { url = "https://files.pythonhosted.org/packages/5c/5c/a15a59269cd5e74472734516c73795c15eccfc841b3d4b0228c3f53f19d0/rpds_py-2026.5.1-cp315-cp315-win_arm64.whl", hash = "sha256:3609e9939a8a76cd904cf98a3f1f13b5dc7e150adeaee89e0ea09652ea213e16", size = 221245, upload-time = "2026-05-28T12:01:28.51Z" },
+    { url = "https://files.pythonhosted.org/packages/e0/22/135ce03804e179a71ceb13be095deda4a279bc88f7a6b8fa161c5ad44e12/rpds_py-2026.5.1-cp315-cp315t-macosx_10_12_x86_64.whl", hash = "sha256:5d333a7127d4b307601ac37792bee01bb95c867cbfacf21b6375b804d6bbd723", size = 352015, upload-time = "2026-05-28T12:01:30.214Z" },
+    { url = "https://files.pythonhosted.org/packages/3b/5f/f1f6d2652eb9d848f6eb369d8db83a2da6249bb49ad2c2a48f45d54538d3/rpds_py-2026.5.1-cp315-cp315t-macosx_11_0_arm64.whl", hash = "sha256:b5f077b44a4f7808520f66dae234988d867deb9aed9be5da057ce9ba831b2a41", size = 345016, upload-time = "2026-05-28T12:01:31.656Z" },
+    { url = "https://files.pythonhosted.org/packages/88/66/b74182775691ea2290c99e52ac8d5db844e56fbec90ce421f107658c8314/rpds_py-2026.5.1-cp315-cp315t-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:55d8f9b7b78c9538fc9e04e82ec0e888ff0c3cffcfad152c77e57cd09351a98a", size = 374775, upload-time = "2026-05-28T12:01:33.136Z" },
+    { url = "https://files.pythonhosted.org/packages/ff/8f/15e5a61d9f0a43902d36561d4f07cae6ae9f4716be825159fd72717f33af/rpds_py-2026.5.1-cp315-cp315t-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:e3a8ae58895ac107ed934a6bf51e5846f95c53b9b940c2c6d310838fd5846358", size = 380270, upload-time = "2026-05-28T12:01:34.574Z" },
+    { url = "https://files.pythonhosted.org/packages/02/c3/f859b12763a80540cdf2af0f15b19904cf756a71d7bdd3f82ff3e5b1bbf9/rpds_py-2026.5.1-cp315-cp315t-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:0957cf3c2b8632ec7aaebffebea8005b353cc2a237b6e2ae3c2cac0820704cfb", size = 495285, upload-time = "2026-05-28T12:01:36.127Z" },
+    { url = "https://files.pythonhosted.org/packages/1c/c7/ff27c2ac8411d30b03b1829fd88cae8dad1a4d0da48dd25e57c4038042e6/rpds_py-2026.5.1-cp315-cp315t-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:c396c1304de421050b3681ea70f371874b54d41b0151e96109758144c231e30b", size = 389581, upload-time = "2026-05-28T12:01:37.635Z" },
+    { url = "https://files.pythonhosted.org/packages/6e/67/fe92ee32a6cc05c77228a2f8b1762e7124f386ec20ff83d0757b762d58d0/rpds_py-2026.5.1-cp315-cp315t-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:aad1bff7f666b9598e573815affd666aac6a13a585dde336f843e33350c7fadc", size = 376041, upload-time = "2026-05-28T12:01:39.307Z" },
+    { url = "https://files.pythonhosted.org/packages/f8/91/b4d6685c27aba55bd82f25b278be8237038117d05f9659a6213ad3408130/rpds_py-2026.5.1-cp315-cp315t-manylinux_2_31_riscv64.whl", hash = "sha256:656a042550878f12d45752452d47094b7cfe5ad1e9d7b87b5a22ad3ae5ff8015", size = 383946, upload-time = "2026-05-28T12:01:41.043Z" },
+    { url = "https://files.pythonhosted.org/packages/bd/79/2c1d832a53c8e0f8e98fc970ec257b950fecd4f62be2ab7182b500a0cbc8/rpds_py-2026.5.1-cp315-cp315t-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:73c4bd4f70294737b5206a3e8e30ccadbf8a60301831c8ea23eec5dbeea1ecfa", size = 405526, upload-time = "2026-05-28T12:01:43.032Z" },
+    { url = "https://files.pythonhosted.org/packages/78/c4/c98117b03c6a8581ab2c2dfccfe9a5ad82bd8128a3c28b46a6ad2d97c393/rpds_py-2026.5.1-cp315-cp315t-musllinux_1_2_aarch64.whl", hash = "sha256:43bca78665423cabae77146f2fe7ce55272b6c8d55d82cca83effd42c7e13972", size = 551165, upload-time = "2026-05-28T12:01:44.648Z" },
+    { url = "https://files.pythonhosted.org/packages/3b/c1/bc479ca069200af730881b1bd525e3114b2b391a351509fcb1b772f28086/rpds_py-2026.5.1-cp315-cp315t-musllinux_1_2_i686.whl", hash = "sha256:42d0f20e85e549c870749d0e247f0c10d318a45b7e9676d575d2dcb04a1b2e66", size = 618778, upload-time = "2026-05-28T12:01:46.337Z" },
+    { url = "https://files.pythonhosted.org/packages/77/65/38ab2f90df44c2febfb63cc10ced40763d9b4bc94d173e734528663fe7f5/rpds_py-2026.5.1-cp315-cp315t-musllinux_1_2_x86_64.whl", hash = "sha256:b1be5c35683684d5331b93600c210e8367c254683d8a6df6bd21bd2da3a334fb", size = 581839, upload-time = "2026-05-28T12:01:48.109Z" },
+    { url = "https://files.pythonhosted.org/packages/15/2d/ce1f605fe036aadd460e5822e578c6c7ec3a860936cca37d6e0f299daa77/rpds_py-2026.5.1-cp315-cp315t-win32.whl", hash = "sha256:75808f6c38ce7749bb68cc2770161aae5045e6c6f6781a9782e74b93304399df", size = 207866, upload-time = "2026-05-28T12:01:49.648Z" },
+    { url = "https://files.pythonhosted.org/packages/79/cb/966040123eb102371559746908ef2c9471f4d43e17ec9a645a2258dab64b/rpds_py-2026.5.1-cp315-cp315t-win_amd64.whl", hash = "sha256:90bd6630002a1c7f09e7843dd79f0d24f3d2897cc25a753480917865d14f15b3", size = 225441, upload-time = "2026-05-28T12:01:51.408Z" },
+    { url = "https://files.pythonhosted.org/packages/42/56/3fe0fb34820ff667be791b3a3c22b85e8bcba54e9c832f47438c191fa7be/rpds_py-2026.5.1-pp311-pypy311_pp73-macosx_10_12_x86_64.whl", hash = "sha256:edf2765d84e42447f112ad877af8fe1db0089aaec5b28e88d6eab45e7fe99cea", size = 357151, upload-time = "2026-05-28T12:01:53.43Z" },
+    { url = "https://files.pythonhosted.org/packages/8b/f2/3eb9ccdb9f143b8c9b003978898cb497f942a324c077401e6b8834238e63/rpds_py-2026.5.1-pp311-pypy311_pp73-macosx_11_0_arm64.whl", hash = "sha256:ad3773236e95f7f33991eb125224b7da66f206504d032a253a02da7e134519fb", size = 350195, upload-time = "2026-05-28T12:01:54.901Z" },
+    { url = "https://files.pythonhosted.org/packages/a7/24/dbda232bc4f3ed732120692ab0d2c8402cb020516556d8bee622dcef2413/rpds_py-2026.5.1-pp311-pypy311_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a04df86b3f0fade39ec8fd0e0aab089b1da9fbd2b48df778a57ef96f5e7d38df", size = 381850, upload-time = "2026-05-28T12:01:56.601Z" },
+    { url = "https://files.pythonhosted.org/packages/40/30/32e769839a358f78810c234f160f2cc21d1e4e47e1c0e0e0d535be5a0219/rpds_py-2026.5.1-pp311-pypy311_pp73-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:6142dbd80c4df62a5d899f0d616d417f84e0bc8d32526c8e5589019d75d028a7", size = 387899, upload-time = "2026-05-28T12:01:58.212Z" },
+    { url = "https://files.pythonhosted.org/packages/ab/86/ec84d243aadb3b34b71dd26a010d0930b2d284ff5fc9a69fec53810ee6fd/rpds_py-2026.5.1-pp311-pypy311_pp73-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:0b35217adefe87f2fe4db7e9766cabe84744bfe9616d9667be18988928c7f2dc", size = 501618, upload-time = "2026-05-28T12:01:59.888Z" },
+    { url = "https://files.pythonhosted.org/packages/74/25/b60e52686bbff777a64f9e4f4d3dd57980dc846913777177a2c92e4937aa/rpds_py-2026.5.1-pp311-pypy311_pp73-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:b95d5e11fc712b752081183a55a244c03cd00570489edd7014d8899f8ceb8162", size = 394003, upload-time = "2026-05-28T12:02:01.482Z" },
+    { url = "https://files.pythonhosted.org/packages/9b/c7/b3a6a588cc2219510ef3f42e207483a93950bedd1e3a0fd4015c95cff9e5/rpds_py-2026.5.1-pp311-pypy311_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:141c9498daf2ace9eda35d2b0e376f9ea8b058d84f2aef4f96fccfd449a2f251", size = 379778, upload-time = "2026-05-28T12:02:03.197Z" },
+    { url = "https://files.pythonhosted.org/packages/31/00/c7dba3fc8a3da8cb3f6db1eb3386be4d79c2e97c6890d20eb9ac66ae8c43/rpds_py-2026.5.1-pp311-pypy311_pp73-manylinux_2_31_riscv64.whl", hash = "sha256:6f249f8b860a200ad35193af961183ebe9132710484e6f6ce0cf89fd83c63a9a", size = 392359, upload-time = "2026-05-28T12:02:04.817Z" },
+    { url = "https://files.pythonhosted.org/packages/93/dd/472ba494c70753f93745992c99855bee0636daf74e6984e5e003f150316f/rpds_py-2026.5.1-pp311-pypy311_pp73-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:e4abbf391a70be864920858bf360f4fb380577c9a0f732438a1996726e2c195b", size = 412820, upload-time = "2026-05-28T12:02:06.401Z" },
+    { url = "https://files.pythonhosted.org/packages/1d/6f/93831a3bfe789542ed0c1d0d74b78b440f055d6dc3ea4640eba2d95e6e23/rpds_py-2026.5.1-pp311-pypy311_pp73-musllinux_1_2_aarch64.whl", hash = "sha256:c74005a7bb87752acf351c93897ec63ad77a07a0da7ecad9c050e32e7286ba34", size = 557243, upload-time = "2026-05-28T12:02:08.013Z" },
+    { url = "https://files.pythonhosted.org/packages/1f/ff/0b3d604614ffc77522c6b288fdbce68957eb583da1002aa65ba38ac0ee40/rpds_py-2026.5.1-pp311-pypy311_pp73-musllinux_1_2_i686.whl", hash = "sha256:8213afbe8a3a906fb9acb2014423fe3359ee783d0bf90995f70623a3217bfa6c", size = 623541, upload-time = "2026-05-28T12:02:09.661Z" },
+    { url = "https://files.pythonhosted.org/packages/ea/ea/e7b0251441da9adfeaebcf29601d10f2a1455fcf0772fae9e7e19032bd96/rpds_py-2026.5.1-pp311-pypy311_pp73-musllinux_1_2_x86_64.whl", hash = "sha256:8c43a8a973270fd173bf48cdf80bbe66312421cba68d40845034f174f2389049", size = 586326, upload-time = "2026-05-28T12:02:11.47Z" },
+]
+
 [[package]]
 name = "ruff"
 version = "0.12.7"
@@ -887,6 +1273,19 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/e9/44/75a9c9421471a6c4805dbf2356f7c181a29c1879239abab1ea2cc8f38b40/sniffio-1.3.1-py3-none-any.whl", hash = "sha256:2f6da418d1f1e0fddd844478f41680e794e6051915791a034ff65e5f100525a2", size = 10235, upload-time = "2024-02-25T23:20:01.196Z" },
 ]
 
+[[package]]
+name = "term-image"
+version = "0.7.2"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+    { name = "pillow" },
+    { name = "requests" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/39/87/7e8ba20702294ee8b750427c2600308c20f39ddf3b0f73250dc43ef13038/term_image-0.7.2.tar.gz", hash = "sha256:07320573baa667dcde145d55e94769cbaafeea43b61245245153ff5075b55ffb", size = 63946, upload-time = "2024-06-06T22:17:06.237Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/8f/51/986c06467bb274f7c8d5bdb7a60bfb628b2cdf20ee30bc28ce6c4190f0ba/term_image-0.7.2-py3-none-any.whl", hash = "sha256:97d9dba5afcf3989a23b1868adc5b2de3126d1ef915df2a7859f67fbdd613e15", size = 64712, upload-time = "2024-06-06T22:17:03.71Z" },
+]
+
 [[package]]
 name = "text-unidecode"
 version = "1.3"
@@ -988,28 +1387,28 @@ wheels = [
 
 [[package]]
 name = "uv"
-version = "0.11.6"
-source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/dd/f3/8aceeab67ea69805293ab290e7ca8cc1b61a064d28b8a35c76d8eba063dd/uv-0.11.6.tar.gz", hash = "sha256:e3b21b7e80024c95ff339fcd147ac6fc3dd98d3613c9d45d3a1f4fd1057f127b", size = 4073298, upload-time = "2026-04-09T12:09:01.738Z" }
-wheels = [
-    { url = "https://files.pythonhosted.org/packages/1f/fe/4b61a3d5ad9d02e8a4405026ccd43593d7044598e0fa47d892d4dafe44c9/uv-0.11.6-py3-none-linux_armv6l.whl", hash = "sha256:ada04dcf89ddea5b69d27ac9cdc5ef575a82f90a209a1392e930de504b2321d6", size = 23780079, upload-time = "2026-04-09T12:08:56.609Z" },
-    { url = "https://files.pythonhosted.org/packages/52/db/d27519a9e1a5ffee9d71af1a811ad0e19ce7ab9ae815453bef39dd479389/uv-0.11.6-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:5be013888420f96879c6e0d3081e7bcf51b539b034a01777041934457dfbedf3", size = 23214721, upload-time = "2026-04-09T12:09:32.228Z" },
-    { url = "https://files.pythonhosted.org/packages/a6/8f/4399fa8b882bd7e0efffc829f73ab24d117d490a93e6bc7104a50282b854/uv-0.11.6-py3-none-macosx_11_0_arm64.whl", hash = "sha256:ffa5dc1cbb52bdce3b8447e83d1601a57ad4da6b523d77d4b47366db8b1ceb18", size = 21750109, upload-time = "2026-04-09T12:09:24.357Z" },
-    { url = "https://files.pythonhosted.org/packages/32/07/5a12944c31c3dda253632da7a363edddb869ed47839d4d92a2dc5f546c93/uv-0.11.6-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.musllinux_1_1_aarch64.whl", hash = "sha256:bfb107b4dade1d2c9e572992b06992d51dd5f2136eb8ceee9e62dd124289e825", size = 23551146, upload-time = "2026-04-09T12:09:10.439Z" },
-    { url = "https://files.pythonhosted.org/packages/79/5b/2ec8b0af80acd1016ed596baf205ddc77b19ece288473b01926c4a9cf6db/uv-0.11.6-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.musllinux_1_1_armv7l.whl", hash = "sha256:9e2fe7ce12161d8016b7deb1eaad7905a76ff7afec13383333ca75e0c4b5425d", size = 23331192, upload-time = "2026-04-09T12:09:34.792Z" },
-    { url = "https://files.pythonhosted.org/packages/62/7d/eea35935f2112b21c296a3e42645f3e4b1aa8bcd34dcf13345fbd55134b7/uv-0.11.6-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:7ed9c6f70c25e8dfeedddf4eddaf14d353f5e6b0eb43da9a14d3a1033d51d915", size = 23337686, upload-time = "2026-04-09T12:09:18.522Z" },
-    { url = "https://files.pythonhosted.org/packages/21/47/2584f5ab618f6ebe9bdefb2f765f2ca8540e9d739667606a916b35449eec/uv-0.11.6-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:d68a013e609cebf82077cbeeb0809ed5e205257814273bfd31e02fc0353bbfc2", size = 25008139, upload-time = "2026-04-09T12:09:03.983Z" },
-    { url = "https://files.pythonhosted.org/packages/95/81/497ae5c1d36355b56b97dc59f550c7e89d0291c163a3f203c6f341dff195/uv-0.11.6-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:93f736dddca03dae732c6fdea177328d3bc4bf137c75248f3d433c57416a4311", size = 25712458, upload-time = "2026-04-09T12:09:07.598Z" },
-    { url = "https://files.pythonhosted.org/packages/3c/1c/74083238e4fab2672b63575b9008f1ea418b02a714bcfcf017f4f6a309b6/uv-0.11.6-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:e96a66abe53fced0e3389008b8d2eff8278cfa8bb545d75631ae8ceb9c929aba", size = 24915507, upload-time = "2026-04-09T12:08:50.892Z" },
-    { url = "https://files.pythonhosted.org/packages/5a/ee/e14fe10ba455a823ed18233f12de6699a601890905420b5c504abf115116/uv-0.11.6-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:0b096311b2743b228df911a19532b3f18fa420bf9530547aecd6a8e04bbfaccd", size = 24971011, upload-time = "2026-04-09T12:08:54.016Z" },
-    { url = "https://files.pythonhosted.org/packages/3c/a1/7b9c83eaadf98e343317ff6384a7227a4855afd02cdaf9696bcc71ee6155/uv-0.11.6-py3-none-manylinux_2_28_aarch64.whl", hash = "sha256:904d537b4a6e798015b4a64ff5622023bd4601b43b6cd1e5f423d63471f5e948", size = 23640234, upload-time = "2026-04-09T12:09:15.735Z" },
-    { url = "https://files.pythonhosted.org/packages/d6/51/75ccdd23e76ff1703b70eb82881cd5b4d2a954c9679f8ef7e0136ef2cfab/uv-0.11.6-py3-none-manylinux_2_31_riscv64.musllinux_1_1_riscv64.whl", hash = "sha256:4ed8150c26b5e319381d75ae2ce6aba1e9c65888f4850f4e3b3fa839953c90a5", size = 24452664, upload-time = "2026-04-09T12:09:26.875Z" },
-    { url = "https://files.pythonhosted.org/packages/4d/86/ace80fe47d8d48b5e3b5aee0b6eb1a49deaacc2313782870250b3faa36f5/uv-0.11.6-py3-none-manylinux_2_31_riscv64.whl", hash = "sha256:1c9218c8d4ac35ca6e617fb0951cc0ab2d907c91a6aea2617de0a5494cf162c0", size = 24494599, upload-time = "2026-04-09T12:09:37.368Z" },
-    { url = "https://files.pythonhosted.org/packages/05/2d/4b642669b56648194f026de79bc992cbfc3ac2318b0a8d435f3c284934e8/uv-0.11.6-py3-none-musllinux_1_1_i686.whl", hash = "sha256:9e211c83cc890c569b86a4183fcf5f8b6f0c7adc33a839b699a98d30f1310d3a", size = 24159150, upload-time = "2026-04-09T12:09:13.17Z" },
-    { url = "https://files.pythonhosted.org/packages/ae/24/7eecd76fe983a74fed1fc700a14882e70c4e857f1d562a9f2303d4286c12/uv-0.11.6-py3-none-musllinux_1_1_x86_64.whl", hash = "sha256:d2a1d2089afdf117ad19a4c1dd36b8189c00ae1ad4135d3bfbfced82342595cf", size = 25164324, upload-time = "2026-04-09T12:08:59.56Z" },
-    { url = "https://files.pythonhosted.org/packages/27/e0/bbd4ba7c2e5067bbba617d87d306ec146889edaeeaa2081d3e122178ca08/uv-0.11.6-py3-none-win32.whl", hash = "sha256:6e8344f38fa29f85dcfd3e62dc35a700d2448f8e90381077ef393438dcd5012e", size = 22865693, upload-time = "2026-04-09T12:09:21.415Z" },
-    { url = "https://files.pythonhosted.org/packages/a5/33/1983ce113c538a856f2d620d16e39691962ecceef091a84086c5785e32e5/uv-0.11.6-py3-none-win_amd64.whl", hash = "sha256:a28bea69c1186303d1200f155c7a28c449f8a4431e458fcf89360cc7ef546e40", size = 25371258, upload-time = "2026-04-09T12:09:40.52Z" },
-    { url = "https://files.pythonhosted.org/packages/35/01/be0873f44b9c9bc250fcbf263367fcfc1f59feab996355bcb6b52fff080d/uv-0.11.6-py3-none-win_arm64.whl", hash = "sha256:a78f6d64b9950e24061bc7ec7f15ff8089ad7f5a976e7b65fcadce58fe02f613", size = 23869585, upload-time = "2026-04-09T12:09:29.425Z" },
+version = "0.11.20"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/80/09/c29c0b90bc9308cfa6f5d77ce9b38ce97852210fda17d79019c7bcf9c3a1/uv-0.11.20.tar.gz", hash = "sha256:a246f30931cbc93d0a39d0cfc75be045fddd45773a734ddf8afa869aabc46c63", size = 4237464, upload-time = "2026-06-10T17:20:05.905Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/6b/8a/25fc4d94ad3896e636466ee1fb03c4077f7a151c19cb25c1e6a731fa9cbf/uv-0.11.20-py3-none-linux_armv6l.whl", hash = "sha256:f867fd0807e39653fd101e16f2292ff488de14b5ffbb86a5678a87a27aa58ea0", size = 23713010, upload-time = "2026-06-10T17:19:32.058Z" },
+    { url = "https://files.pythonhosted.org/packages/02/7d/bbaad5f0c616f7824149a4ac0271db14107b859b36bd75d16db1486c495f/uv-0.11.20-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:f3bacc52778775cef671867ddab744b50c4183bc3cd6419a5fb4eb01a02f9526", size = 22918378, upload-time = "2026-06-10T17:19:20.828Z" },
+    { url = "https://files.pythonhosted.org/packages/39/3e/e3d39361b95c262b43ccfe260f41184da71c536a08f39d4ad59ab962e459/uv-0.11.20-py3-none-macosx_11_0_arm64.whl", hash = "sha256:c9f2062096e146b351fd5da3cd43e15a5c43bfa37166c509d884dab3dbb72f03", size = 21716975, upload-time = "2026-06-10T17:19:51.552Z" },
+    { url = "https://files.pythonhosted.org/packages/24/30/9031204d7b592d1595322d7506944793728a74795a8c4a3c38bc4a8985f0/uv-0.11.20-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.musllinux_1_1_aarch64.whl", hash = "sha256:8fe143572a1f02d536c4e9c6994f0c89d9fa58ff6e5d91de55f61660658c694b", size = 23571826, upload-time = "2026-06-10T17:19:46.206Z" },
+    { url = "https://files.pythonhosted.org/packages/98/c3/7f9f00c7a152e67d59ae5f25635d19ac4252929dd6ac454cdb1dee3119fa/uv-0.11.20-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.musllinux_1_1_armv7l.whl", hash = "sha256:3d00754be09a381030829526f7ff47c06d0e28ca90760c4439be48e71c1bf13a", size = 23249218, upload-time = "2026-06-10T17:19:26.603Z" },
+    { url = "https://files.pythonhosted.org/packages/35/a9/1ce58670a89c25d4a8b84532207183b5a97b3623d9b9151afe641499fbc8/uv-0.11.20-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:edb59d33e602fc462b6ed8fde66d404445294de41ad4de31039f7a2c41153601", size = 23302149, upload-time = "2026-06-10T17:20:01.111Z" },
+    { url = "https://files.pythonhosted.org/packages/61/cf/3a498a315364f906bd655a94fa6b5f74f5240dc90875d6ab67ef28c081ec/uv-0.11.20-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:14026b64ccbe0174e4fcf107f585f5d23f0f5b9f5b3e8b28394fe63fff3e60ff", size = 24652804, upload-time = "2026-06-10T17:19:16.692Z" },
+    { url = "https://files.pythonhosted.org/packages/ff/8c/68e4a805e3b49d834e95b3838e53a623d2e0ad956bb44e681ece54b3308b/uv-0.11.20-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:73dcaf5543d1b24e4c6fa4c19af033ed015304171c132670ebe9ef01ddec3d17", size = 25660209, upload-time = "2026-06-10T17:20:08.156Z" },
+    { url = "https://files.pythonhosted.org/packages/a6/de/e8e205a79b9a39454c5da5c2695e4911a42860a4404739e32802e599af0c/uv-0.11.20-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:cac8ca5d187dc5040b1c22c83f6ed789195c3fc06b6a5a2b32c747c603f07820", size = 24866467, upload-time = "2026-06-10T17:19:37.981Z" },
+    { url = "https://files.pythonhosted.org/packages/7e/38/f844d125db277d8ce0c921f0219078d292d0ee72d314d0c12f4cf510aa40/uv-0.11.20-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:61588768f04a24b0b4d87b43f03b4521ba66d5eec3ab1aca37cb59b1d52337db", size = 24957448, upload-time = "2026-06-10T17:19:40.979Z" },
+    { url = "https://files.pythonhosted.org/packages/ab/7d/b0e28abfa41c424d2a3df83be2b00b2fbe3ad5795baf7361262c6d800a62/uv-0.11.20-py3-none-manylinux_2_28_aarch64.whl", hash = "sha256:2d307d47b1a0cf8f76aa69bde850be407bca9482c13cff066142e586a5c57e77", size = 23671087, upload-time = "2026-06-10T17:19:54.595Z" },
+    { url = "https://files.pythonhosted.org/packages/80/ff/92bce88101ce61d708e888db6ab7f5ebf4ccd61f54d3316e7e48a4be56a5/uv-0.11.20-py3-none-manylinux_2_31_riscv64.musllinux_1_1_riscv64.whl", hash = "sha256:bb5839cbb68d7469925fe1599dacd16cefdb7698a7adeaf9c8e4d8a7cd4122bf", size = 24324677, upload-time = "2026-06-10T17:19:43.534Z" },
+    { url = "https://files.pythonhosted.org/packages/0f/90/d308bd88c7a53cae93f7fe13ce5c621895b8fb94e37911660a3de7283b67/uv-0.11.20-py3-none-manylinux_2_31_riscv64.whl", hash = "sha256:efefbd491ba443b326fdd344d7efc89c1de8a006cab5bc639a4d5ce9d1dd1ab9", size = 24429959, upload-time = "2026-06-10T17:19:29.352Z" },
+    { url = "https://files.pythonhosted.org/packages/e5/e6/b87c941b93b61dceaa11f4f8d02760de7aa7d1c58ea24a2298e7c5aafb4f/uv-0.11.20-py3-none-musllinux_1_1_i686.whl", hash = "sha256:daa41b97386699212b2266a80c178140c5396e3c444ff5553f68f79812334e41", size = 23880515, upload-time = "2026-06-10T17:19:23.733Z" },
+    { url = "https://files.pythonhosted.org/packages/53/ab/11b07641f8387177889f4341a36318561208c18703837bc47163244aa11b/uv-0.11.20-py3-none-musllinux_1_1_x86_64.whl", hash = "sha256:37ca61eddb940d1c698fce46d63789adfda3033344dabab0e18e2958e1a69771", size = 25171603, upload-time = "2026-06-10T17:19:34.848Z" },
+    { url = "https://files.pythonhosted.org/packages/b4/7d/62af57509c7007600ce11cd5222b2cb84d5cd8f80f427a499d1b44ef3601/uv-0.11.20-py3-none-win32.whl", hash = "sha256:32893ee9f94657fbf89e22638ac88850db4529d454f102bfa7ceea5fc9fe8d77", size = 22570328, upload-time = "2026-06-10T17:19:48.808Z" },
+    { url = "https://files.pythonhosted.org/packages/66/35/c9ee48cdce11f5cdac9e2be41a5446bae7382cde18d2ce1050bcd81dc05a/uv-0.11.20-py3-none-win_amd64.whl", hash = "sha256:4836044213bb23a3be1f5550db340d3a19babe1dfc3ca1313544e8b614085ce9", size = 25228859, upload-time = "2026-06-10T17:19:57.824Z" },
+    { url = "https://files.pythonhosted.org/packages/8b/8d/00a382c2f8f44b328cf98f734a3fcd72957698c30bed2392bd241b573384/uv-0.11.20-py3-none-win_arm64.whl", hash = "sha256:442ae26f47bf6e58b072e99dbfd6d5296ab90308574b2c02adff1dace051008d", size = 23664943, upload-time = "2026-06-10T17:20:03.774Z" },
 ]
 
 [[package]]