Merge branch 'main' into rgarcia/cua-native-kernel-api

Author: rgarcia

.cursor/commands/qa.md

@@ -58,7 +58,7 @@ Here are all valid language + template combinations:
 | typescript | openai-computer-use    | ts-openai-cua     | ts-openai-cua         | Yes            | OPENAI_API_KEY                 |
 | typescript | gemini-computer-use    | ts-gemini-cua     | ts-gemini-cua         | Yes            | GOOGLE_API_KEY                 |
 | typescript | claude-agent-sdk       | ts-claude-agent-sdk | ts-claude-agent-sdk | Yes            | ANTHROPIC_API_KEY              |
-| typescript | yutori-computer-use    | ts-yutori-cua     | ts-yutori-cua         | Yes            | YUTORI_API_KEY                 |
+| typescript | yutori                 | ts-yutori-cua     | ts-yutori-cua         | Yes            | YUTORI_API_KEY                 |
 
 | python     | sample-app             | py-sample-app     | python-basic          | No             | -                              |
 | python     | gemini-computer-use    | py-gemini-cua     | python-gemini-cua     | Yes            | GOOGLE_API_KEY                 |
@@ -68,7 +68,7 @@ Here are all valid language + template combinations:
 | python     | openai-computer-use    | py-openai-cua     | python-openai-cua     | Yes            | OPENAI_API_KEY                 |
 | python     | openagi-computer-use   | py-openagi-cua    | python-openagi-cua    | Yes            | OAGI_API_KEY                   |
 | python     | claude-agent-sdk       | py-claude-agent-sdk | py-claude-agent-sdk | Yes            | ANTHROPIC_API_KEY              |
-| python     | yutori-computer-use    | py-yutori-cua     | python-yutori-cua     | Yes            | YUTORI_API_KEY                 |
+| python     | yutori                 | py-yutori-cua     | python-yutori-cua     | Yes            | YUTORI_API_KEY                 |
 
 > **Yutori:** Test both default browser and `"kiosk": true` (uses Playwright for goto_url when kiosk is enabled).
 
@@ -86,7 +86,7 @@ Run each of these (they are non-interactive when all flags are provided):
 ../bin/kernel create -n ts-openai-cua -l typescript -t openai-computer-use
 ../bin/kernel create -n ts-gemini-cua -l typescript -t gemini-computer-use
 ../bin/kernel create -n ts-claude-agent-sdk -l typescript -t claude-agent-sdk
-../bin/kernel create -n ts-yutori-cua -l typescript -t yutori-computer-use
+../bin/kernel create -n ts-yutori-cua -l typescript -t yutori
 
 # Python templates
 ../bin/kernel create -n py-sample-app -l python -t sample-app
@@ -97,7 +97,7 @@ Run each of these (they are non-interactive when all flags are provided):
 ../bin/kernel create -n py-openagi-cua -l python -t openagi-computer-use
 ../bin/kernel create -n py-claude-agent-sdk -l python -t claude-agent-sdk
 ../bin/kernel create -n py-gemini-cua -l python -t gemini-computer-use
-../bin/kernel create -n py-yutori-cua -l python -t yutori-computer-use
+../bin/kernel create -n py-yutori-cua -l python -t yutori
 ```
 
 ## Step 5: Deploy Each Template

AGENTS.md

@@ -0,0 +1,28 @@
+# Kernel CLI
+
+## Cursor Cloud specific instructions
+
+This is a Go CLI application (no long-running services). Development commands are in the `Makefile`:
+
+- **Build:** `make build` → produces `./bin/kernel`
+- **Test:** `make test` → runs `go vet` + `go test ./...`
+- **Lint:** `make lint` → runs `golangci-lint run` (requires `golangci-lint` on `PATH`)
+
+### Testing against production
+
+When `KERNEL_API_KEY` is set (provided as a secret), the CLI hits the **production** Kernel API. After `make build`, test with `./bin/kernel`. Useful smoke-test sequence:
+
+1. `./bin/kernel auth status` — verify auth
+2. `./bin/kernel app list` — list deployed apps
+3. `./bin/kernel browsers create` — create a browser session (remember to delete it after)
+4. `./bin/kernel browsers delete <session_id>` — clean up
+
+Be mindful that these operations affect production resources.
+
+### Gotchas
+
+- `golangci-lint` is installed via `go install` to `$(go env GOPATH)/bin`. This directory must be on `PATH` (the update script handles this via `.bashrc`).
+- The Makefile's `lint` target uses `|| true`, so it always exits 0 even when lint issues exist. Pre-existing lint warnings (errcheck, staticcheck) are present in the codebase and expected.
+- The `go-keyring` dependency requires D-Bus and `libsecret` on Linux. These are pre-installed in the Cloud VM.
+- `kernel create` works locally without authentication. Most other commands (`deploy`, `invoke`, `browsers`, etc.) require a `KERNEL_API_KEY` env var or `kernel login` OAuth flow.
+- Go module path is `github.com/kernel/cli`. The project requires Go 1.25.0 (specified in `go.mod`).

cmd/auth_connections.go

@@ -219,12 +219,74 @@ func (c AuthConnectionCmd) Get(ctx context.Context, in AuthConnectionGetInput) e
 	if auth.FlowStep != "" {
 		tableData = append(tableData, []string{"Flow Step", string(auth.FlowStep)})
 	}
+	if len(auth.DiscoveredFields) > 0 {
+		discoveredFields := make([]string, 0, len(auth.DiscoveredFields))
+		for _, field := range auth.DiscoveredFields {
+			fieldName := field.Name
+			if fieldName == "" {
+				fieldName = field.Label
+			} else if field.Label != "" && field.Label != field.Name {
+				fieldName = fmt.Sprintf("%s (%s)", field.Name, field.Label)
+			}
+
+			fieldMeta := make([]string, 0, 2)
+			if field.Type != "" {
+				fieldMeta = append(fieldMeta, field.Type)
+			}
+			if field.Required {
+				fieldMeta = append(fieldMeta, "required")
+			}
+			if len(fieldMeta) > 0 {
+				fieldName = fmt.Sprintf("%s [%s]", fieldName, strings.Join(fieldMeta, ", "))
+			}
+			discoveredFields = append(discoveredFields, fieldName)
+		}
+		tableData = append(tableData, []string{"Discovered Fields", strings.Join(discoveredFields, "; ")})
+	}
+	if len(auth.MfaOptions) > 0 {
+		mfaOptions := make([]string, 0, len(auth.MfaOptions))
+		for _, option := range auth.MfaOptions {
+			optionName := option.Label
+			if optionName == "" {
+				optionName = option.Type
+			} else if option.Type != "" {
+				optionName = fmt.Sprintf("%s (%s)", option.Label, option.Type)
+			}
+			mfaOptions = append(mfaOptions, optionName)
+		}
+		tableData = append(tableData, []string{"MFA Options", strings.Join(mfaOptions, "; ")})
+	}
+	if len(auth.PendingSSOButtons) > 0 {
+		pendingSSOButtons := make([]string, 0, len(auth.PendingSSOButtons))
+		for _, button := range auth.PendingSSOButtons {
+			buttonLabel := button.Label
+			if buttonLabel == "" {
+				buttonLabel = button.Provider
+			} else if button.Provider != "" {
+				buttonLabel = fmt.Sprintf("%s (%s)", button.Label, button.Provider)
+			}
+			pendingSSOButtons = append(pendingSSOButtons, buttonLabel)
+		}
+		tableData = append(tableData, []string{"Pending SSO Buttons", strings.Join(pendingSSOButtons, "; ")})
+	}
+	if auth.ExternalActionMessage != "" {
+		tableData = append(tableData, []string{"External Action", auth.ExternalActionMessage})
+	}
 	if auth.HostedURL != "" {
 		tableData = append(tableData, []string{"Hosted URL", auth.HostedURL})
 	}
 	if auth.LiveViewURL != "" {
 		tableData = append(tableData, []string{"Live View URL", auth.LiveViewURL})
 	}
+	if auth.WebsiteError != "" {
+		tableData = append(tableData, []string{"Website Error", auth.WebsiteError})
+	}
+	if !auth.FlowExpiresAt.IsZero() {
+		tableData = append(tableData, []string{"Flow Expires At", util.FormatLocal(auth.FlowExpiresAt)})
+	}
+	if auth.ErrorCode != "" {
+		tableData = append(tableData, []string{"Error Code", auth.ErrorCode})
+	}
 	if auth.ErrorMessage != "" {
 		tableData = append(tableData, []string{"Error Message", auth.ErrorMessage})
 	}
@@ -272,6 +334,13 @@ func (c AuthConnectionCmd) List(ctx context.Context, in AuthConnectionListInput)
 	}
 
 	if in.Output == "json" {
+		if page == nil {
+			fmt.Println("[]")
+			return nil
+		}
+		if page.RawJSON() != "" {
+			return util.PrintPrettyJSON(page)
+		}
 		if len(auths) == 0 {
 			fmt.Println("[]")
 			return nil
@@ -381,6 +450,37 @@ func (c AuthConnectionCmd) Submit(ctx context.Context, in AuthConnectionSubmitIn
 		return fmt.Errorf("must provide at least one of: --field, --mfa-option-id, or --sso-button-selector")
 	}
 
+	// Resolve MFA option: the user may pass the label (e.g. "Get a text"), the
+	// type (e.g. "sms"), or the display string ("Get a text (sms)"). The API
+	// expects the type, so look up the connection's available options and map
+	// whatever the user provided to the correct type value.
+	if hasMfaOption {
+		conn, err := c.svc.Get(ctx, in.ID)
+		if err != nil {
+			return util.CleanedUpSdkError{Err: fmt.Errorf("failed to fetch connection for MFA option resolution: %w", err)}
+		}
+		if len(conn.MfaOptions) > 0 {
+			resolved := false
+			for _, opt := range conn.MfaOptions {
+				displayName := fmt.Sprintf("%s (%s)", opt.Label, opt.Type)
+				if strings.EqualFold(in.MfaOptionID, opt.Type) ||
+					strings.EqualFold(in.MfaOptionID, opt.Label) ||
+					strings.EqualFold(in.MfaOptionID, displayName) {
+					in.MfaOptionID = opt.Type
+					resolved = true
+					break
+				}
+			}
+			if !resolved {
+				available := make([]string, 0, len(conn.MfaOptions))
+				for _, opt := range conn.MfaOptions {
+					available = append(available, fmt.Sprintf("%s (%s)", opt.Label, opt.Type))
+				}
+				return fmt.Errorf("unknown MFA option %q; available: %s", in.MfaOptionID, strings.Join(available, ", "))
+			}
+		}
+	}
+
 	params := kernel.AuthConnectionSubmitParams{
 		SubmitFieldsRequest: kernel.SubmitFieldsRequestParam{
 			Fields: in.FieldValues,