diff --git a/Cargo.lock b/Cargo.lock
index 4284f0e0a..1d357cc15 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -531,6 +531,21 @@ dependencies = [
  "serde_json",
 ]
 
+[[package]]
+name = "assert_cmd"
+version = "2.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2aa3a22042e45de04255c7bf3626e239f450200fd0493c1e382263544b20aea6"
+dependencies = [
+ "anstyle",
+ "bstr",
+ "libc",
+ "predicates",
+ "predicates-core",
+ "predicates-tree",
+ "wait-timeout",
+]
+
 [[package]]
 name = "async-channel"
 version = "2.5.0"
@@ -1370,6 +1385,7 @@ checksum = "2af50177e190e07a26ab74f8b1efbfe2ef87da2116221318cb1c2e82baf7de06"
 name = "basilica-cli"
 version = "0.29.0"
 dependencies = [
+ "assert_cmd",
  "axum 0.7.9",
  "base64 0.21.7",
  "basilica-common",
@@ -1396,6 +1412,7 @@ dependencies = [
  "semver 1.0.27",
  "serde",
  "serde_json",
+ "serial_test",
  "sha2 0.10.9",
  "shellexpand",
  "ssh-key",
@@ -1834,6 +1851,17 @@ dependencies = [
  "tinyvec",
 ]
 
+[[package]]
+name = "bstr"
+version = "1.12.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "63044e1ae8e69f3b5a92c736ca6269b8d12fa7efe39bf34ddb06d102cf0e2cab"
+dependencies = [
+ "memchr",
+ "regex-automata",
+ "serde",
+]
+
 [[package]]
 name = "bumpalo"
 version = "3.19.1"
@@ -2621,6 +2649,12 @@ dependencies = [
  "zeroize",
 ]
 
+[[package]]
+name = "difflib"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6184e33543162437515c2e2b48714794e37845ec9851711914eec9d308f6ebe8"
+
 [[package]]
 name = "digest"
 version = "0.9.0"
@@ -5595,6 +5629,33 @@ dependencies = [
  "zerocopy",
 ]
 
+[[package]]
+name = "predicates"
+version = "3.1.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ada8f2932f28a27ee7b70dd6c1c39ea0675c55a36879ab92f3a715eaa1e63cfe"
+dependencies = [
+ "anstyle",
+ "difflib",
+ "predicates-core",
+]
+
+[[package]]
+name = "predicates-core"
+version = "1.0.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cad38746f3166b4031b1a0d39ad9f954dd291e7854fcc0eed52ee41a0b50d144"
+
+[[package]]
+name = "predicates-tree"
+version = "1.0.13"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d0de1b847b39c8131db0467e9df1ff60e6d0562ab8e9a16e568ad0fdb372e2f2"
+dependencies = [
+ "predicates-core",
+ "termtree",
+]
+
 [[package]]
 name = "prettyplease"
 version = "0.2.37"
@@ -6813,6 +6874,15 @@ dependencies = [
  "yap",
 ]
 
+[[package]]
+name = "scc"
+version = "2.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "46e6f046b7fef48e2660c57ed794263155d713de679057f2d0c169bfc6e756cc"
+dependencies = [
+ "sdd",
+]
+
 [[package]]
 name = "schannel"
 version = "0.1.28"
@@ -6904,6 +6974,12 @@ dependencies = [
  "untrusted",
 ]
 
+[[package]]
+name = "sdd"
+version = "3.0.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "490dcfcbfef26be6800d11870ff2df8774fa6e86d047e3e8c8a76b25655e41ca"
+
 [[package]]
 name = "seahash"
 version = "4.1.0"
@@ -7239,6 +7315,32 @@ dependencies = [
  "serde",
 ]
 
+[[package]]
+name = "serial_test"
+version = "3.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "911bd979bf1070a3f3aa7b691a3b3e9968f339ceeec89e08c280a8a22207a32f"
+dependencies = [
+ "futures-executor",
+ "futures-util",
+ "log",
+ "once_cell",
+ "parking_lot",
+ "scc",
+ "serial_test_derive",
+]
+
+[[package]]
+name = "serial_test_derive"
+version = "3.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0a7d91949b85b0d2fb687445e448b40d322b6b3e4af6b44a29b21d9a5f33e6d9"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.114",
+]
+
 [[package]]
 name = "sha1"
 version = "0.10.6"
@@ -8603,6 +8705,12 @@ dependencies = [
  "winapi-util",
 ]
 
+[[package]]
+name = "termtree"
+version = "0.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8f50febec83f5ee1df3015341d8bd429f2d1cc62bcba7ea2076759d315084683"
+
 [[package]]
 name = "thiserror"
 version = "1.0.69"
diff --git a/crates/basilica-cli/CHANGELOG.md b/crates/basilica-cli/CHANGELOG.md
index 148e9c9c2..8cf80f342 100644
--- a/crates/basilica-cli/CHANGELOG.md
+++ b/crates/basilica-cli/CHANGELOG.md
@@ -7,6 +7,24 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+- Non-interactive mode for agent and CI usage. Auto-detected when stdin
+  is not a TTY, or forced with `BASILICA_NON_INTERACTIVE=1`. In this
+  mode every interactive prompt surfaces a structured error instead of
+  blocking on stdin.
+  - Errors carry a `field` identifier and a `hint` naming the flag or
+    command to run. Rendered as single-line JSON on stderr when
+    `--json` is set, and as human-readable text otherwise.
+
+### Changed
+- OAuth auto-login is skipped in non-interactive mode: commands that
+  need authentication now exit with a `missing_prerequisite` error
+  pointing at `basilica login` (or `BASILICA_API_TOKEN`) instead of
+  starting a callback server that would block for 300s.
+- `basilica ssh-keys add` no longer silently generates a new key under
+  `~/.ssh` in non-interactive mode when no local public keys are
+  present; pass `--file <path>` to an existing public key instead.
+
 ## [0.29.0] - 2026-05-04
 
 ### Added
diff --git a/crates/basilica-cli/Cargo.toml b/crates/basilica-cli/Cargo.toml
index d0581bdf4..aea003c33 100644
--- a/crates/basilica-cli/Cargo.toml
+++ b/crates/basilica-cli/Cargo.toml
@@ -75,3 +75,5 @@ basilica-sdk = { path = "../basilica-sdk" }
 basilica-validator = { path = "../basilica-validator", features = ["client", "cli"] }
 
 [dev-dependencies]
+serial_test = "3"
+assert_cmd = "2"
diff --git a/crates/basilica-cli/src/cli/args.rs b/crates/basilica-cli/src/cli/args.rs
index bb44b407d..675c4b13e 100644
--- a/crates/basilica-cli/src/cli/args.rs
+++ b/crates/basilica-cli/src/cli/args.rs
@@ -101,6 +101,19 @@ impl Args {
             Err(err) => {
                 // Check if this is specifically a login_required error
                 if matches!(&err, CliError::Auth(_)) {
+                    // In non-interactive mode, never start an OAuth flow — the
+                    // callback server / device flow will block on user action
+                    // (300s timeout). Surface a structured error instead.
+                    if matches!(
+                        crate::interactive::gate::current(),
+                        crate::interactive::gate::Interactivity::NonInteractive
+                    ) {
+                        return Err(CliError::MissingPrerequisite {
+                            field: "authentication".into(),
+                            hint: "Not authenticated. Run `basilica login` (or `basilica login --device-code` on headless hosts), or set BASILICA_API_TOKEN.".into(),
+                        });
+                    }
+
                     // Inform user we need to authenticate
                     println!("You need to authenticate to continue.");
                     println!();
diff --git a/crates/basilica-cli/src/cli/handlers/ssh_keys.rs b/crates/basilica-cli/src/cli/handlers/ssh_keys.rs
index 8fab4b19c..c2d892b44 100644
--- a/crates/basilica-cli/src/cli/handlers/ssh_keys.rs
+++ b/crates/basilica-cli/src/cli/handlers/ssh_keys.rs
@@ -1,11 +1,12 @@
 //! SSH key management handlers for the Basilica CLI
 
 use crate::error::CliError;
-use crate::output::{compress_path, json_output, print_success};
-use crate::ssh::find_local_public_key_path;
+use crate::interactive::gate::{self, ask_confirm, ask_select, ask_text, Interactivity};
+use crate::output::{compress_path, json_output, print_success, print_warning};
+use crate::ssh::{find_local_public_key_path, same_public_key};
 use basilica_sdk::BasilicaClient;
 use console::style;
-use dialoguer::{theme::ColorfulTheme, Confirm, Input};
+use dialoguer::theme::ColorfulTheme;
 use etcetera::{choose_base_strategy, BaseStrategy};
 use ssh_key::PublicKey;
 use std::fs;
@@ -249,41 +250,43 @@ pub async fn handle_add_ssh_key(
             let keys = find_ssh_public_keys();
 
             if keys.is_empty() {
-                // No keys found, generate one automatically
-                generate_ssh_key().await?
+                // No local keys to choose from. Generate one in interactive
+                // mode; in non-interactive mode refuse to mutate the user's
+                // ~/.ssh directory silently and tell them to pass --file.
+                match gate::current() {
+                    Interactivity::NonInteractive => {
+                        return Err(CliError::MissingInput {
+                            field: "ssh_public_key_path".into(),
+                            hint: "No SSH public keys found under ~/.ssh. Pass --file <path> to an existing SSH public key, e.g. ~/.ssh/id_ed25519.pub.".into(),
+                        });
+                    }
+                    Interactivity::Interactive => generate_ssh_key().await?,
+                }
             } else {
-                // Show interactive selection with existing keys
-                use dialoguer::Select;
-
-                let options: Vec<String> = keys
+                let labels: Vec<String> = keys
                     .iter()
-                    .map(|path| {
-                        path.file_name()
+                    .map(|p| {
+                        p.file_name()
                             .and_then(|n| n.to_str())
                             .unwrap_or("unknown")
                             .to_string()
                     })
                     .collect();
+                let label_refs: Vec<&str> = labels.iter().map(String::as_str).collect();
+
+                let idx = ask_select(
+                    "ssh_public_key_path",
+                    "Select an SSH key to register",
+                    &label_refs,
+                    "Pass --file <path> to choose an SSH public key file (e.g. ~/.ssh/id_ed25519.pub)",
+                )?;
 
-                // Run interactive selection in a blocking context
-                let selection = tokio::task::spawn_blocking(move || {
-                    let theme = ColorfulTheme::default();
-                    Select::with_theme(&theme)
-                        .with_prompt("Select an SSH key to register")
-                        .items(&options)
-                        .default(0)
-                        .interact()
-                })
-                .await
-                .map_err(|e| CliError::Internal(color_eyre::eyre::eyre!("Task join error: {}", e)))?
-                .map_err(|e| CliError::Internal(e.into()))?;
-
-                let path = &keys[selection];
+                let path = keys[idx].clone();
                 println!(
                     "{}",
                     style(format!("Selected SSH public key: {}", path.display())).cyan()
                 );
-                path.clone()
+                path
             }
         }
     };
@@ -303,7 +306,7 @@ pub async fn handle_add_ssh_key(
         )));
     }
 
-    // Step 3: Get name interactively if not provided
+    // Step 3: Get name (from flag, or via the gate)
     let name = match name {
         Some(n) => {
             if n.trim().is_empty() {
@@ -319,17 +322,13 @@ pub async fn handle_add_ssh_key(
             n
         }
         None => {
-            let input: String = tokio::task::spawn_blocking(move || {
-                let theme = ColorfulTheme::default();
-                Input::with_theme(&theme)
-                    .with_prompt("Enter a name for this SSH key")
-                    .default("default".to_string())
-                    .interact_text()
-            })
-            .await
-            .map_err(|e| CliError::Internal(color_eyre::eyre::eyre!("Task join error: {}", e)))?
-            .map_err(|e| CliError::Internal(e.into()))?;
-
+            let default_name = basilica_common::rental::generate_random_rental_name();
+            let input = ask_text(
+                "name",
+                "Enter a name for this SSH key",
+                Some(&default_name),
+                "Pass --name <label> to label the registered key",
+            )?;
             if input.trim().is_empty() {
                 return Err(CliError::Internal(color_eyre::eyre::eyre!(
                     "SSH key name cannot be empty"
@@ -339,48 +338,46 @@ pub async fn handle_add_ssh_key(
         }
     };
 
-    // Step 4: Check if user already has an SSH key (warn about replacement)
-    match client.get_ssh_key().await {
-        Ok(Some(existing)) => {
-            println!(
-                "{}",
-                style(format!(
-                    "⚠️  You already have an SSH key registered: '{}'",
-                    existing.name
-                ))
-                .yellow()
-            );
-            println!(
-                "{}",
-                style("Note: Only one SSH key is allowed per user.").yellow()
-            );
-
-            let confirmed = tokio::task::spawn_blocking(move || {
-                let theme = ColorfulTheme::default();
-                Confirm::with_theme(&theme)
-                    .with_prompt("Do you want to replace it with the new key?")
-                    .default(false)
-                    .interact()
-            })
-            .await
-            .map_err(|e| CliError::Internal(color_eyre::eyre::eyre!("Task join error: {}", e)))?
-            .map_err(|e| CliError::Internal(e.into()))?;
-
-            if !confirmed {
-                println!("Operation cancelled.");
-                return Ok(());
-            }
-
-            // Delete existing key first
-            client.delete_ssh_key().await.map_err(CliError::Api)?;
-            println!("{}", style("Existing SSH key deleted.").dim());
+    // Step 4: Handle an existing key (only one SSH key per user).
+    if let Some(existing) = client.get_ssh_key().await.map_err(CliError::Api)? {
+        if same_public_key(&existing.public_key, &public_key) {
+            print_success(&format!(
+                "SSH key '{}' is already registered (same public key). Nothing to do.",
+                existing.name
+            ));
+            return Ok(());
         }
-        Ok(None) => {
-            // No existing key, proceed
+
+        if matches!(gate::current(), Interactivity::NonInteractive) {
+            return Err(CliError::MissingPrerequisite {
+                field: "ssh_key_already_registered".into(),
+                hint: format!(
+                    "An SSH key '{}' is already registered. Only one SSH key is allowed per user. \
+                     Run `basilica ssh-keys delete -y` first, then re-run this command to register a new one.",
+                    existing.name
+                ),
+            });
         }
-        Err(e) => {
-            return Err(CliError::Api(e));
+
+        print_warning(&format!(
+            "You already have an SSH key registered: '{}'",
+            existing.name
+        ));
+        print_warning("Note: Only one SSH key is allowed per user.");
+
+        let confirmed = ask_confirm(
+            "replace_existing",
+            "Do you want to replace it with the new key?",
+            false,
+            "Run `basilica ssh-keys delete -y` first, then re-run this command to register a new key.",
+        )?;
+        if !confirmed {
+            println!("Operation cancelled.");
+            return Ok(());
         }
+
+        client.delete_ssh_key().await.map_err(CliError::Api)?;
+        println!("{}", style("Existing SSH key deleted.").dim());
     }
 
     // Step 5: Register the new SSH key
@@ -458,20 +455,16 @@ pub async fn handle_delete_ssh_key(
 
     // Confirm deletion if not skipped
     if !skip_confirm {
-        let key_name = existing.name.clone();
-        let confirmed = tokio::task::spawn_blocking(move || {
-            let theme = ColorfulTheme::default();
-            Confirm::with_theme(&theme)
-                .with_prompt(format!(
-                    "Are you sure you want to delete SSH key '{}'?",
-                    key_name
-                ))
-                .default(false)
-                .interact()
-        })
-        .await
-        .map_err(|e| CliError::Internal(color_eyre::eyre::eyre!("Task join error: {}", e)))?
-        .map_err(|e| CliError::Internal(e.into()))?;
+        let prompt = format!(
+            "Are you sure you want to delete SSH key '{}'?",
+            existing.name
+        );
+        let confirmed = ask_confirm(
+            "confirm_delete_ssh_key",
+            &prompt,
+            false,
+            "Pass -y/--yes to skip the confirmation prompt and delete the registered key.",
+        )?;
 
         if !confirmed {
             println!("Deletion cancelled.");
diff --git a/crates/basilica-cli/src/error.rs b/crates/basilica-cli/src/error.rs
index 73752f16a..04fbccb4f 100644
--- a/crates/basilica-cli/src/error.rs
+++ b/crates/basilica-cli/src/error.rs
@@ -89,6 +89,19 @@ pub enum CliError {
     #[error("Invalid provider: {0}")]
     InvalidProvider(String),
 
+    /// A required input was not provided and we cannot prompt because we are
+    /// running non-interactively. `field` names the conceptual input and
+    /// `hint` tells the caller which flag or argument to supply.
+    #[error("missing input: {field}")]
+    MissingInput { field: String, hint: String },
+
+    /// A piece of account state (e.g. a registered SSH key) that the
+    /// interactive flow would have set up implicitly is missing, and the CLI
+    /// refuses to set it up silently in non-interactive mode. `hint` names the
+    /// command the agent should run first.
+    #[error("missing prerequisite: {field}")]
+    MissingPrerequisite { field: String, hint: String },
+
     /// Everything else (using color-eyre's Report for rich errors)
     #[error(transparent)]
     Internal(#[from] Report),
diff --git a/crates/basilica-cli/src/interactive/gate.rs b/crates/basilica-cli/src/interactive/gate.rs
new file mode 100644
index 000000000..f207499fd
--- /dev/null
+++ b/crates/basilica-cli/src/interactive/gate.rs
@@ -0,0 +1,184 @@
+//! Interactivity gate. Every interactive prompt MUST route through this.
+//! In non-interactive mode the helpers return structured errors instead of hanging.
+
+use crate::error::CliError;
+use dialoguer::{theme::ColorfulTheme, Confirm, Input, Select};
+use std::io::IsTerminal;
+
+#[derive(Copy, Clone, Debug, PartialEq, Eq)]
+pub enum Interactivity {
+    Interactive,
+    NonInteractive,
+}
+
+pub fn current() -> Interactivity {
+    let env_forces_non_interactive = std::env::var("BASILICA_NON_INTERACTIVE")
+        .map(|v| !v.is_empty())
+        .unwrap_or(false);
+    if !std::io::stdin().is_terminal() || env_forces_non_interactive {
+        Interactivity::NonInteractive
+    } else {
+        Interactivity::Interactive
+    }
+}
+
+// Helpers below take three concerns explicitly:
+// - `field`: stable machine identifier (shows up as `"field":` in JSON errors).
+// - `prompt`: human-readable question shown interactively via dialoguer.
+// - `hint`: how-to-skip guidance shown in non-interactive errors.
+
+pub fn ask_text(
+    field: &str,
+    prompt: &str,
+    default: Option<&str>,
+    hint: &str,
+) -> Result<String, CliError> {
+    match current() {
+        Interactivity::NonInteractive => {
+            if let Some(d) = default {
+                return Ok(d.to_string());
+            }
+            Err(CliError::MissingInput {
+                field: field.to_string(),
+                hint: hint.to_string(),
+            })
+        }
+        Interactivity::Interactive => {
+            let theme = ColorfulTheme::default();
+            let mut input = Input::<String>::with_theme(&theme).with_prompt(prompt);
+            if let Some(d) = default {
+                input = input.default(d.to_string());
+            }
+            input
+                .interact_text()
+                .map_err(|e| CliError::Internal(color_eyre::eyre::eyre!(e)))
+        }
+    }
+}
+
+pub fn ask_select(
+    field: &str,
+    prompt: &str,
+    labels: &[&str],
+    hint: &str,
+) -> Result<usize, CliError> {
+    match current() {
+        Interactivity::NonInteractive => Err(CliError::MissingInput {
+            field: field.to_string(),
+            hint: hint.to_string(),
+        }),
+        Interactivity::Interactive => {
+            let theme = ColorfulTheme::default();
+            Select::with_theme(&theme)
+                .with_prompt(prompt)
+                .items(labels)
+                .default(0)
+                .interact()
+                .map_err(|e| CliError::Internal(color_eyre::eyre::eyre!(e)))
+        }
+    }
+}
+
+pub fn ask_confirm(field: &str, prompt: &str, default: bool, hint: &str) -> Result<bool, CliError> {
+    match current() {
+        Interactivity::NonInteractive => Err(CliError::MissingInput {
+            field: field.to_string(),
+            hint: hint.to_string(),
+        }),
+        Interactivity::Interactive => {
+            let theme = ColorfulTheme::default();
+            Confirm::with_theme(&theme)
+                .with_prompt(prompt)
+                .default(default)
+                .interact()
+                .map_err(|e| CliError::Internal(color_eyre::eyre::eyre!(e)))
+        }
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::error::CliError;
+    use serial_test::serial;
+
+    /// RAII guard: sets `BASILICA_NON_INTERACTIVE` for the duration of the test
+    /// and restores the previous value on drop so neighboring tests aren't affected.
+    struct NonInteractiveEnv {
+        previous: Option<std::ffi::OsString>,
+    }
+
+    impl NonInteractiveEnv {
+        fn set() -> Self {
+            let previous = std::env::var_os("BASILICA_NON_INTERACTIVE");
+            std::env::set_var("BASILICA_NON_INTERACTIVE", "1");
+            Self { previous }
+        }
+    }
+
+    impl Drop for NonInteractiveEnv {
+        fn drop(&mut self) {
+            match &self.previous {
+                Some(v) => std::env::set_var("BASILICA_NON_INTERACTIVE", v),
+                None => std::env::remove_var("BASILICA_NON_INTERACTIVE"),
+            }
+        }
+    }
+
+    #[test]
+    #[serial]
+    fn ask_text_non_interactive_no_default_errors() {
+        let _env = NonInteractiveEnv::set();
+        let err = ask_text("name", "Name?", None, "Pass --name").unwrap_err();
+        match err {
+            CliError::MissingInput { field, hint } => {
+                assert_eq!(field, "name");
+                assert!(hint.contains("--name"));
+            }
+            other => panic!("expected MissingInput, got {other:?}"),
+        }
+    }
+
+    #[test]
+    #[serial]
+    fn ask_text_non_interactive_with_default_returns_default() {
+        let _env = NonInteractiveEnv::set();
+        let v = ask_text("name", "Name?", Some("auto-name"), "irrelevant").unwrap();
+        assert_eq!(v, "auto-name");
+    }
+
+    #[test]
+    #[serial]
+    fn ask_select_non_interactive_errors() {
+        let _env = NonInteractiveEnv::set();
+        let labels = ["alpha", "beta"];
+        let err = ask_select(
+            "offering",
+            "Choose an offering",
+            &labels,
+            "Pass --offering-id",
+        )
+        .unwrap_err();
+        match err {
+            CliError::MissingInput { field, hint } => {
+                assert_eq!(field, "offering");
+                assert!(hint.contains("--offering-id"));
+            }
+            other => panic!("expected MissingInput, got {other:?}"),
+        }
+    }
+
+    #[test]
+    #[serial]
+    fn ask_confirm_non_interactive_errors() {
+        let _env = NonInteractiveEnv::set();
+        let err = ask_confirm("replace", "Replace?", false, "Pass --force").unwrap_err();
+        match err {
+            CliError::MissingInput { field, hint } => {
+                assert_eq!(field, "replace");
+                assert!(hint.contains("--force"));
+            }
+            other => panic!("expected MissingInput, got {other:?}"),
+        }
+    }
+}
diff --git a/crates/basilica-cli/src/interactive/mod.rs b/crates/basilica-cli/src/interactive/mod.rs
index efdda2bef..27b3841ae 100644
--- a/crates/basilica-cli/src/interactive/mod.rs
+++ b/crates/basilica-cli/src/interactive/mod.rs
@@ -1,5 +1,6 @@
 //! Interactive UI components
 
+pub mod gate;
 pub mod selector;
 
 pub use selector::*;
diff --git a/crates/basilica-cli/src/main.rs b/crates/basilica-cli/src/main.rs
index de66fc01b..8933b9d8a 100644
--- a/crates/basilica-cli/src/main.rs
+++ b/crates/basilica-cli/src/main.rs
@@ -71,20 +71,17 @@ async fn run_async(args: Args) -> Result<()> {
     )
     .map_err(|e| eyre!("Failed to initialize logging: {}", e))?;
 
+    // Capture render-affecting flags before `args` is moved into `run()`.
+    let json = args.json;
+
     // Run and handle errors explicitly to show suggestions
     if let Err(err) = args.run().await {
-        // Extract and format the inner error properly
-        match err {
-            basilica_cli::CliError::Internal(report) => {
-                // For Internal errors (which contain eyre Reports with suggestions),
-                // use Debug formatting to show the full error report
-                eprintln!("Error: {:?}", report);
-            }
-            other => {
-                // For other error types, use Display formatting
-                eprintln!("Error: {}", other);
-            }
-        }
+        let mode = if json {
+            basilica_cli::output::RenderMode::Json
+        } else {
+            basilica_cli::output::RenderMode::Human
+        };
+        let _ = basilica_cli::output::render_error(&err, mode, &mut std::io::stderr());
         std::process::exit(1);
     }
 
diff --git a/crates/basilica-cli/src/output/error_render.rs b/crates/basilica-cli/src/output/error_render.rs
new file mode 100644
index 000000000..f7f0bf90e
--- /dev/null
+++ b/crates/basilica-cli/src/output/error_render.rs
@@ -0,0 +1,100 @@
+//! Render CliError to stderr. Two modes: Human (color-eyre style) and Json
+//! (single object per error). Lives outside of `error.rs` so the error type
+//! itself stays renderer-agnostic and does not need to implement `Serialize`.
+
+use crate::error::CliError;
+use std::io::Write;
+
+#[derive(Copy, Clone, Debug)]
+pub enum RenderMode {
+    Human,
+    Json,
+}
+
+pub fn render_error(err: &CliError, mode: RenderMode, w: &mut dyn Write) -> std::io::Result<()> {
+    match mode {
+        RenderMode::Json => render_json(err, w),
+        RenderMode::Human => render_human(err, w),
+    }
+}
+
+fn render_json(err: &CliError, w: &mut dyn Write) -> std::io::Result<()> {
+    let payload = match err {
+        CliError::MissingInput { field, hint } => serde_json::json!({
+            "error": "missing_input",
+            "field": field,
+            "hint": hint,
+        }),
+        CliError::MissingPrerequisite { field, hint } => serde_json::json!({
+            "error": "missing_prerequisite",
+            "field": field,
+            "hint": hint,
+        }),
+        other => serde_json::json!({
+            "error": "cli_error",
+            "message": other.to_string(),
+        }),
+    };
+    writeln!(w, "{}", payload)
+}
+
+fn render_human(err: &CliError, w: &mut dyn Write) -> std::io::Result<()> {
+    match err {
+        CliError::MissingInput { field, hint } => {
+            writeln!(w, "error: missing input for '{}'", field)?;
+            writeln!(w, "hint: {}", hint)
+        }
+        CliError::MissingPrerequisite { field, hint } => {
+            writeln!(w, "error: missing prerequisite for '{}'", field)?;
+            writeln!(w, "hint: {}", hint)
+        }
+        CliError::Internal(report) => writeln!(w, "Error: {:?}", report),
+        other => writeln!(w, "Error: {}", other),
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn json_render_missing_input() {
+        let err = CliError::MissingInput {
+            field: "offering_id".into(),
+            hint: "Pass --offering-id".into(),
+        };
+        let mut buf = Vec::new();
+        render_error(&err, RenderMode::Json, &mut buf).unwrap();
+        let v: serde_json::Value = serde_json::from_slice(&buf).unwrap();
+        assert_eq!(v["error"], "missing_input");
+        assert_eq!(v["field"], "offering_id");
+        assert_eq!(v["hint"], "Pass --offering-id");
+    }
+
+    #[test]
+    fn json_render_missing_prerequisite() {
+        let err = CliError::MissingPrerequisite {
+            field: "ssh_key".into(),
+            hint: "Run `basilica ssh-keys add` first.".into(),
+        };
+        let mut buf = Vec::new();
+        render_error(&err, RenderMode::Json, &mut buf).unwrap();
+        let v: serde_json::Value = serde_json::from_slice(&buf).unwrap();
+        assert_eq!(v["error"], "missing_prerequisite");
+        assert_eq!(v["field"], "ssh_key");
+    }
+
+    #[test]
+    fn human_render_missing_input() {
+        let err = CliError::MissingInput {
+            field: "rental".into(),
+            hint: "Pass <rental-name-or-id>.".into(),
+        };
+        let mut buf = Vec::new();
+        render_error(&err, RenderMode::Human, &mut buf).unwrap();
+        let s = String::from_utf8(buf).unwrap();
+        assert!(s.contains("missing input"));
+        assert!(s.contains("rental"));
+        assert!(s.contains("<rental-name-or-id>"));
+    }
+}
diff --git a/crates/basilica-cli/src/output/mod.rs b/crates/basilica-cli/src/output/mod.rs
index 5a0d33268..a11364b24 100644
--- a/crates/basilica-cli/src/output/mod.rs
+++ b/crates/basilica-cli/src/output/mod.rs
@@ -1,8 +1,11 @@
 //! Output formatting utilities
 
 pub mod banner;
+pub mod error_render;
 pub mod table_output;
 
+pub use error_render::{render_error, RenderMode};
+
 use color_eyre::eyre::{eyre, Result};
 use console::style;
 use rust_decimal::Decimal;
diff --git a/crates/basilica-cli/src/progress/mod.rs b/crates/basilica-cli/src/progress/mod.rs
index 4da3dacbe..d18374285 100644
--- a/crates/basilica-cli/src/progress/mod.rs
+++ b/crates/basilica-cli/src/progress/mod.rs
@@ -1,4 +1,8 @@
-//! Progress indicators and user feedback utilities
+//! Progress indicators and user feedback utilities.
+//!
+//! `indicatif` already auto-hides progress bars/spinners when stderr is not a
+//! terminal (see `ProgressDrawTarget::stderr` and `is_hidden`), so we don't
+//! gate creation on our own interactivity detection here.
 
 use indicatif::{MultiProgress, ProgressBar, ProgressStyle};
 use std::collections::HashMap;
@@ -29,8 +33,8 @@ impl ProgressManager {
                 .unwrap()
                 .tick_chars("⠁⠂⠄⡀⢀⠠⠐⠈ "),
         );
-        spinner.set_message(message.to_string());
         spinner.enable_steady_tick(Duration::from_millis(120));
+        spinner.set_message(message.to_string());
 
         let pb = self.multi.add(spinner);
 
@@ -103,8 +107,8 @@ pub fn create_spinner(message: &str) -> ProgressBar {
             .unwrap()
             .tick_chars("⠁⠂⠄⡀⢀⠠⠐⠈ "),
     );
-    spinner.set_message(message.to_string());
     spinner.enable_steady_tick(Duration::from_millis(120));
+    spinner.set_message(message.to_string());
     spinner
 }
 
diff --git a/crates/basilica-cli/src/ssh/key_matcher.rs b/crates/basilica-cli/src/ssh/key_matcher.rs
index 4b4eee73d..490719358 100644
--- a/crates/basilica-cli/src/ssh/key_matcher.rs
+++ b/crates/basilica-cli/src/ssh/key_matcher.rs
@@ -155,6 +155,16 @@ pub fn find_local_public_key_path(registered_public_key: &str) -> Option<PathBuf
     None
 }
 
+/// Compare two SSH public keys by key type and key data, ignoring any
+/// trailing comment (`user@host`) or whitespace differences. Returns false
+/// if either side is not a parseable public key.
+pub fn same_public_key(a: &str, b: &str) -> bool {
+    match (parse_public_key(a), parse_public_key(b)) {
+        (Ok(x), Ok(y)) => x == y,
+        _ => false,
+    }
+}
+
 /// Parsed components of an SSH public key
 #[derive(Debug, PartialEq)]
 struct PublicKeyParts {
diff --git a/crates/basilica-cli/src/ssh/mod.rs b/crates/basilica-cli/src/ssh/mod.rs
index 497428b00..31d906249 100644
--- a/crates/basilica-cli/src/ssh/mod.rs
+++ b/crates/basilica-cli/src/ssh/mod.rs
@@ -2,7 +2,9 @@
 
 mod key_matcher;
 
-pub use key_matcher::{find_local_public_key_path, find_private_key_for_public_key};
+pub use key_matcher::{
+    find_local_public_key_path, find_private_key_for_public_key, same_public_key,
+};
 
 use crate::config::SshConfig;
 use crate::error::{CliError, Result};
diff --git a/crates/basilica-cli/tests/non_interactive.rs b/crates/basilica-cli/tests/non_interactive.rs
new file mode 100644
index 000000000..1ceea2561
--- /dev/null
+++ b/crates/basilica-cli/tests/non_interactive.rs
@@ -0,0 +1,43 @@
+//! Integration tests: every cost-bearing or state-mutating command in
+//! `BASILICA_NON_INTERACTIVE` mode must surface a structured `MissingInput` /
+//! `MissingPrerequisite` JSON error on stderr rather than blocking on stdin.
+
+use assert_cmd::Command;
+
+fn parse_stderr_json(bytes: &[u8]) -> serde_json::Value {
+    let s = std::str::from_utf8(bytes).expect("stderr is utf-8");
+    // The renderer writes one JSON object per line, possibly preceded by
+    // unrelated log output. Find the first line that parses as JSON.
+    for line in s.lines() {
+        if let Ok(v) = serde_json::from_str::<serde_json::Value>(line) {
+            return v;
+        }
+    }
+    panic!("no JSON object found in stderr:\n{s}");
+}
+
+#[test]
+fn ssh_keys_add_with_invalid_file_in_non_interactive_emits_json_error() {
+    // Pass --json globally; expect a single JSON object on stderr.
+    let assert = Command::cargo_bin("basilica")
+        .unwrap()
+        .env("BASILICA_NON_INTERACTIVE", "1")
+        .env_remove("RUST_LOG")
+        .args([
+            "--json",
+            "ssh-keys",
+            "add",
+            "--file",
+            "/this/does/not/exist.pub",
+            "--name",
+            "test",
+        ])
+        .assert()
+        .failure();
+
+    let v = parse_stderr_json(&assert.get_output().stderr);
+    // Some error happened, and it was rendered as JSON. Either cli_error or
+    // missing_input is acceptable here — the contract is "no hang, structured
+    // stderr".
+    assert!(v["error"].is_string());
+}