diff --git a/README.md b/README.md
index 5eb32d2..3d6a61e 100644
--- a/README.md
+++ b/README.md
@@ -13,7 +13,7 @@ agents that you configure declaratively without writing or deploying any runtime
 
 - **One-command super agent** — `ar super-agent run` creates a hosted agent and drops you into a chat REPL in seconds.
 - **Declarative deployment** — Kubernetes-style YAML (`ar sa apply -f superagent.yaml`) for reproducible, version-controlled agents.
-- **Runtime declarative deploy** — `ar runtime apply -f runtime.yaml` builds an Agent Runtime from a container image and waits for it to reach `READY`.
+- **Runtime declarative deploy** — `ar runtime apply -f runtime.yaml` deploys an Agent Runtime from an image, or invokes a cloud build first when the YAML defines `cloudBuild`.
 - **Seven resource groups** — `config`, `model`, `sandbox`, `tool`, `skill`, `super-agent`, `runtime`, all following the same `ar <group> <action>` pattern.
 - **Multi-profile config** — store multiple sets of credentials in `~/.agentrun/config.json` and switch with `--profile`.
 - **Multiple output formats** — `json` (default), `table`, `yaml`, and `quiet` for shell piping.
@@ -191,6 +191,29 @@ EOF
 ar runtime apply -f runtime.yaml
 ```
 
+To cloud-build the image before deploy, add `cloudBuild`. The target image is
+the same `spec.container.image`; docker-image-builder skips existing tags by
+default.
+
+```bash
+cat > runtime-build.yaml <<EOF
+apiVersion: agentrun/v1
+kind: AgentRuntime
+metadata: {name: my-agent}
+spec:
+  container:
+    image: registry.cn-hangzhou.aliyuncs.com/my-ns/my-agent:v1
+    cloudBuild:
+      dir: .
+      setupScript: scripts/setup.sh
+      baseContainerConfig:
+        image: serverless-registry.cn-hangzhou.cr.aliyuncs.com/functionai/docker-image-builder-worker:20260514-111141-2d80effe
+EOF
+ar runtime apply -f runtime-build.yaml
+# or build without deploying:
+# ar runtime cloud-build -f runtime-build.yaml
+```
+
 ## Command groups
 
 | Group | Alias | Purpose | Docs |
@@ -201,7 +224,7 @@ ar runtime apply -f runtime.yaml
 | `tool` |  | MCP and FunctionCall tools | [en](./docs/en/tool.md) · [zh](./docs/zh/tool.md) |
 | `skill` |  | Platform skill packages + local execution | [en](./docs/en/skill.md) · [zh](./docs/zh/skill.md) |
 | `super-agent` | `sa` | Quickstart / CRUD / declarative / conversation | [en](./docs/en/super-agent.md) · [zh](./docs/zh/super-agent.md) |
-| `runtime` | `rt` | Declarative Agent Runtime deploy (container mode) | [en](./docs/en/runtime.md) · [zh](./docs/zh/runtime.md) |
+| `runtime` | `rt` | Declarative Agent Runtime deploy and optional cloud image build | [en](./docs/en/runtime.md) · [zh](./docs/zh/runtime.md) |
 
 ## Documentation
 
diff --git a/README_zh.md b/README_zh.md
index 80e242c..ef69537 100644
--- a/README_zh.md
+++ b/README_zh.md
@@ -12,7 +12,7 @@ Agent）**：一种由平台托管、用户只需声明配置、无需编写或
 
 - **一键拉起超级 Agent** — `ar super-agent run` 一条命令创建托管 Agent 并进入 REPL 对话。
 - **声明式部署** — Kubernetes 风格 YAML（`ar sa apply -f superagent.yaml`），可版本化、可重复部署。
-- **Runtime 声明式部署** — `ar runtime apply -f runtime.yaml` 从容器镜像创建 Agent Runtime 并等待 `READY`。
+- **Runtime 声明式部署** — `ar runtime apply -f runtime.yaml` 从镜像部署 Agent Runtime；YAML 写了 `cloudBuild` 时，会先调用云上构建。
 - **七大资源组** — `config`、`model`、`sandbox`、`tool`、`skill`、`super-agent`、`runtime`，统一 `ar <group> <action>` 模式。
 - **多 Profile 配置** — `~/.agentrun/config.json` 支持多套凭证，通过 `--profile` 切换。
 - **多种输出格式** — 默认 `json`，支持 `table` / `yaml` / `quiet`（适合 shell 管道）。
@@ -187,6 +187,28 @@ EOF
 ar runtime apply -f runtime.yaml
 ```
 
+如需部署前云上构建镜像，可增加 `cloudBuild`。目标镜像就是同一个
+`spec.container.image`；docker-image-builder 默认会跳过已存在 tag。
+
+```bash
+cat > runtime-build.yaml <<EOF
+apiVersion: agentrun/v1
+kind: AgentRuntime
+metadata: {name: my-agent}
+spec:
+  container:
+    image: registry.cn-hangzhou.aliyuncs.com/my-ns/my-agent:v1
+    cloudBuild:
+      dir: .
+      setupScript: scripts/setup.sh
+      baseContainerConfig:
+        image: serverless-registry.cn-hangzhou.cr.aliyuncs.com/functionai/docker-image-builder-worker:20260514-111141-2d80effe
+EOF
+ar runtime apply -f runtime-build.yaml
+# 或者只构建不部署：
+# ar runtime cloud-build -f runtime-build.yaml
+```
+
 ## 命令组总览
 
 | 命令组 | 别名 | 用途 | 文档 |
@@ -197,7 +219,7 @@ ar runtime apply -f runtime.yaml
 | `tool` |  | MCP 与 FunctionCall 工具 | [en](./docs/en/tool.md) · [zh](./docs/zh/tool.md) |
 | `skill` |  | 平台技能包 + 本地执行 | [en](./docs/en/skill.md) · [zh](./docs/zh/skill.md) |
 | `super-agent` | `sa` | 一键拉起 / CRUD / 声明式 / 会话管理 | [en](./docs/en/super-agent.md) · [zh](./docs/zh/super-agent.md) |
-| `runtime` | `rt` | 声明式 Agent Runtime 部署（容器模式） | [en](./docs/en/runtime.md) · [zh](./docs/zh/runtime.md) |
+| `runtime` | `rt` | 声明式 Agent Runtime 部署，可选云上镜像构建 | [en](./docs/en/runtime.md) · [zh](./docs/zh/runtime.md) |
 
 ## 文档
 
diff --git a/agentruntime.yaml b/agentruntime.yaml
index 6ea0e1b..de19e6d 100644
--- a/agentruntime.yaml
+++ b/agentruntime.yaml
@@ -20,6 +20,9 @@ metadata:
 spec:
   container:
     image: registry.cn-hangzhou.aliyuncs.com/my-ns/my-agent:v1
+    # cloudBuild:                         # optional; build only if image tag is missing
+    #   dir: .                            # source directory uploaded to builder
+    #   setupScript: scripts/setup.sh     # empty string skips setup
     # command: ["python", "app.py"]       # optional, overrides image CMD/ENTRYPOINT
     # port: 9000                          # optional; spec.port below also works
 
diff --git a/docs/en/runtime-yaml.md b/docs/en/runtime-yaml.md
index 91f9a7f..eeeb05f 100644
--- a/docs/en/runtime-yaml.md
+++ b/docs/en/runtime-yaml.md
@@ -15,6 +15,7 @@ rejected (see [Validation rules](#validation-rules)).
 - [CLI auto-injection](#cli-auto-injection)
 - [`metadata`](#metadata)
 - [`spec.container`](#speccontainer)
+- [`spec.container.cloudBuild`](#speccontainercloudbuild)
 - [`spec` resource & runtime knobs](#spec-resource--runtime-knobs)
 - [`spec.protocol`](#specprotocol)
 - [`spec.network`](#specnetwork)
@@ -77,7 +78,8 @@ Required block. Defines the container image and registry credentials.
 
 | Key | Type | Required | Notes |
 |---|---|---|---|
-| `image` | string | ✓ | OCI image reference. |
+| `image` | string | ✓ | OCI image reference. When `cloudBuild` is set, this is also the target image passed to the builder. |
+| `cloudBuild` | mapping |  | Build the image in the cloud. docker-image-builder skips existing target tags by default. |
 | `command` | list&lt;string&gt; |  | Overrides image `ENTRYPOINT`/`CMD`. |
 | `port` | int |  | Container listen port. If set, wins over `spec.port`. |
 | `imageRegistryType` | enum |  | One of `ACR`, `ACREE`, `CUSTOM`. |
@@ -103,6 +105,45 @@ registryConfig:
 All three sub-blocks (`auth`, `cert`, `network`) are individually optional, but
 `registryConfig` itself is mandatory under `CUSTOM`.
 
+
+## `spec.container.cloudBuild`
+
+Optional block. It asks `ar runtime apply` or `ar runtime cloud-build` to build
+`spec.container.image` with docker-image-builder. The target image is always
+`spec.container.image`; existing-tag checks are delegated to docker-image-builder.
+
+| Key | Type | Default | Notes |
+|---|---|---|---|
+| `dir` | string | `.` | Local source directory to upload. Relative paths are resolved from the current working directory. |
+| `setupScript` | string | `scripts/setup.sh` | Script executed in the builder before packaging. Empty string skips setup. |
+| `timeoutMinutes` | string/number | `20` | Setup script timeout in minutes. Worker creation, upload and push are not counted. |
+| `cpu` | string/number | `4` | Builder worker CPU, for example `4` or `4c`. |
+| `memory` | string/number | `8192` | Builder worker memory in MB. |
+| `region` | string | AgentRun region / `cn-hangzhou` | FC region for the builder worker. |
+| `registry` | mapping | env vars | Optional target registry auth; see below. |
+| `baseContainerConfig.image` | string | docker-image-builder default | Build environment image used by the cloud worker. |
+
+Only standard OCI registry mode is supported. Do not write `registryMode`,
+`baseImage`, `baseAcrInstanceId`, or `baseRegistry` in this block.
+
+```yaml
+cloudBuild:
+  dir: .
+  setupScript: scripts/setup.sh
+  timeoutMinutes: 20
+  cpu: 4
+  memory: 8192
+  baseContainerConfig:
+    image: serverless-registry.cn-hangzhou.cr.aliyuncs.com/functionai/docker-image-builder-worker:20260514-111141-2d80effe
+```
+
+`registry.username` and `registry.password` are optional. If omitted, the CLI
+reads `DOCKER_IMAGE_BUILDER_USERNAME` and `DOCKER_IMAGE_BUILDER_PASSWORD` from
+the environment or `.env`. Aliyun UID/AK/SK are resolved from the active
+AgentRun profile and passed to docker-image-builder through environment
+variables. The CLI does not interpolate `${...}` in YAML values; use environment
+variables by omitting `registry`, or put literal values in YAML.
+
 ## `spec` resource & runtime knobs
 
 | Key | Type | Default | Notes |
@@ -274,6 +315,7 @@ for the parser (`src/agentrun_cli/_utils/agentruntime_yaml.py`).
 | `metadata.name` missing or fails `[a-z0-9-]{1,63}` |  |
 | `spec.container` missing or not a mapping |  |
 | `spec.container.image` missing or empty |  |
+| `spec.container.cloudBuild` has unsupported fields | Only OCI mode is supported; ACREE/base-registry builder fields are rejected. |
 | `spec.container.imageRegistryType` not in `ACR|ACREE|CUSTOM` |  |
 | `imageRegistryType=CUSTOM` but `registryConfig` missing |  |
 | `metadata.tags` present | SDK 0.0.200 removed the field. |
@@ -320,6 +362,28 @@ spec:
 # system_tags=["x-agentrun-cli"], artifact_type=Container
 ```
 
+
+### Cloud build before deploy
+
+```yaml
+apiVersion: agentrun/v1
+kind: AgentRuntime
+metadata:
+  name: my-agent
+spec:
+  container:
+    image: registry.cn-hangzhou.aliyuncs.com/my-ns/my-agent:v1
+    cloudBuild:
+      dir: .
+      setupScript: scripts/setup.sh
+  env:
+    LOG_LEVEL: info
+```
+
+`ar runtime apply -f runtime.yaml` invokes docker-image-builder and then deploys
+the same `image` value. docker-image-builder skips existing target tags by
+default.
+
 ### Production — ACREE + private network + NAS + canary endpoint
 
 ```yaml
@@ -406,6 +470,7 @@ For users who need to cross-reference the SDK
 | `spec.container.imageRegistryType` | `container_configuration.image_registry_type` |
 | `spec.container.acrInstanceId` | `container_configuration.acr_instance_id` |
 | `spec.container.registryConfig.*` | `container_configuration.registry_config.*` |
+| `spec.container.cloudBuild.*` | CLI-only build plan; not sent to AgentRun SDK. |
 | `spec.cpu / memory / port / diskSize` | `cpu / memory / port / disk_size` |
 | `spec.enableSessionIsolation` | `enable_session_isolation` |
 | `spec.protocol.type` | `protocol_configuration.type` |
diff --git a/docs/en/runtime.md b/docs/en/runtime.md
index 1862232..9e31f16 100644
--- a/docs/en/runtime.md
+++ b/docs/en/runtime.md
@@ -2,10 +2,11 @@
 
 # ar runtime
 
-Manage **Agent Runtimes** declaratively from a YAML file. The CLI only supports
-container-mode runtimes (you supply an OCI image; building the image is out of
-scope for this command group). Endpoints are embedded in the same YAML; the
-default behaviour is to inject one named `default` (`targetVersion=LATEST`).
+Manage **Agent Runtimes** declaratively from a YAML file. The CLI supports
+container-mode runtimes from an existing OCI image, and can optionally invoke a
+cloud image build before deployment through `spec.container.cloudBuild`.
+Endpoints are embedded in the same YAML; the default behaviour is to inject one
+named `default` (`targetVersion=LATEST`).
 
 Also available as the alias `ar rt`.
 
@@ -15,7 +16,8 @@ Also available as the alias `ar rt`.
 
 ## Commands
 
-- [apply](#apply) — create-or-update from YAML, with status polling.
+- [apply](#apply) — cloud-build when configured, then create-or-update from YAML.
+- [cloud-build](#cloud-build) — build images from YAML without deploying.
 - [render](#render) — dry-run validate + render to SDK input.
 - [get](#get) — fetch one runtime by name.
 - [list](#list) — list runtimes; filter by `--created-by-cli` or `--workspace`.
@@ -49,7 +51,10 @@ ar runtime apply -f FILE [--wait/--no-wait] [--timeout DURATION]
 
 The CLI injects sensible defaults for `cpu` (2 cores), `memory` (4096 MB) and
 `port` (9000) when the YAML omits them — the backend rejects null values for
-these three fields with HTTP 400.
+these three fields with HTTP 400. If `spec.container.cloudBuild` is present,
+`apply` invokes docker-image-builder before submitting the runtime, then deploys
+the same image reference. docker-image-builder skips existing target tags by
+default.
 
 ### Examples
 
@@ -65,6 +70,22 @@ spec:
 EOF
 ar runtime apply -f runtime.yaml
 
+# Build in the cloud, then deploy.
+cat > runtime-build.yaml <<EOF
+apiVersion: agentrun/v1
+kind: AgentRuntime
+metadata: {name: my-agent}
+spec:
+  container:
+    image: registry.cn-hangzhou.aliyuncs.com/my-ns/my-agent:v1
+    cloudBuild:
+      dir: .
+      setupScript: scripts/setup.sh
+      baseContainerConfig:
+        image: serverless-registry.cn-hangzhou.cr.aliyuncs.com/functionai/docker-image-builder-worker:20260514-111141-2d80effe
+EOF
+ar runtime apply -f runtime-build.yaml
+
 # Non-blocking submit (CI-friendly):
 ar runtime apply -f runtime.yaml --no-wait
 
@@ -75,6 +96,44 @@ ar runtime apply -f runtime.yaml --timeout 20m
 ar runtime apply -f runtime.yaml --no-prune-endpoints
 ```
 
+
+---
+
+## cloud-build
+
+```
+ar runtime cloud-build -f FILE
+```
+
+### Options
+
+| Flag | Type | Required | Default | Description |
+|------|------|----------|---------|-------------|
+| `-f`, `--file` | path | yes |  | YAML file path (supports multi-document). |
+
+Runs only the `spec.container.cloudBuild` step and does not create or update the
+runtime. For each document, the command invokes docker-image-builder and reports
+`completed` when the builder exits successfully. The builder skips existing
+target tags by default. For multi-document YAML (`---` separated), every
+document must define `spec.container.cloudBuild`; otherwise the command fails
+before invoking any builder process.
+
+`cloud-build` uses the same credentials as `apply`: AgentRun profile values for
+Aliyun UID/AK/SK, and `DOCKER_IMAGE_BUILDER_USERNAME` /
+`DOCKER_IMAGE_BUILDER_PASSWORD` for registry auth unless the YAML overrides them
+under `cloudBuild.registry`.
+
+When the CLI downloads docker-image-builder automatically, it verifies the
+sibling `.sha256` file before caching or running the binary. Set
+`DOCKER_IMAGE_BUILDER_BINPATH` to use an explicit local builder binary.
+
+### Examples
+
+```bash
+# Build only; do not deploy the runtime.
+ar runtime cloud-build -f runtime-build.yaml
+```
+
 ---
 
 ## render
@@ -91,8 +150,10 @@ ar runtime render -f FILE
 
 Validates the YAML, applies CLI auto-injection (`system_tags=["x-agentrun-cli"]`,
 `artifact_type=Container`, default endpoint when `spec.endpoints` is omitted),
-and prints the SDK create-input as JSON without calling the server. Use this to
-preview changes before `apply`.
+and prints the SDK create-input as JSON without calling the server. When the
+YAML includes `cloudBuild`, `render` also prints a `cloudBuildPlan` preview but
+does not check the registry or build anything. Use this to preview changes
+before `apply`.
 
 ---
 
diff --git a/docs/zh/runtime-yaml.md b/docs/zh/runtime-yaml.md
index d707b32..efc0c78 100644
--- a/docs/zh/runtime-yaml.md
+++ b/docs/zh/runtime-yaml.md
@@ -13,6 +13,7 @@
 - [CLI 自动注入](#cli-自动注入)
 - [`metadata`](#metadata)
 - [`spec.container`](#speccontainer)
+- [`spec.container.cloudBuild`](#speccontainercloudbuild)
 - [`spec` 资源与运行时开关](#spec-资源与运行时开关)
 - [`spec.protocol`](#specprotocol)
 - [`spec.network`](#specnetwork)
@@ -74,7 +75,8 @@ endpoints:
 
 | 字段 | 类型 | 必填 | 说明 |
 |---|---|---|---|
-| `image` | string | ✓ | OCI 镜像引用。 |
+| `image` | string | ✓ | OCI 镜像引用。写了 `cloudBuild` 时，它也是传给 builder 的目标镜像。 |
+| `cloudBuild` | 映射 |  | 在云上构建镜像。docker-image-builder 默认会跳过已存在的目标 tag。 |
 | `command` | list&lt;string&gt; |  | 覆盖镜像的 `ENTRYPOINT`/`CMD`。 |
 | `port` | int |  | 容器监听端口。若设置，则覆盖 `spec.port`。 |
 | `imageRegistryType` | 枚举 |  | `ACR`、`ACREE`、`CUSTOM` 之一。 |
@@ -100,6 +102,44 @@ registryConfig:
 三个子块（`auth`、`cert`、`network`）各自可选；但 `registryConfig` 本身在
 `CUSTOM` 下必填。
 
+
+## `spec.container.cloudBuild`
+
+可选块。它让 `ar runtime apply` 或 `ar runtime cloud-build` 在
+云上调用 docker-image-builder 构建 `spec.container.image`。目标镜像永远就是
+`spec.container.image`；目标 tag 是否存在由 docker-image-builder 判断。
+
+| 字段 | 类型 | 默认 | 说明 |
+|---|---|---|---|
+| `dir` | string | `.` | 要上传的本地源码目录。相对路径按当前工作目录解析。 |
+| `setupScript` | string | `scripts/setup.sh` | 构建前在 builder 内执行的脚本。空字符串表示跳过 setup。 |
+| `timeoutMinutes` | string/number | `20` | setup 脚本超时，单位分钟；不包含创建 worker、上传代码和推送镜像。 |
+| `cpu` | string/number | `4` | Builder worker CPU，例如 `4` 或 `4c`。 |
+| `memory` | string/number | `8192` | Builder worker 内存，单位 MB。 |
+| `region` | string | AgentRun region / `cn-hangzhou` | Builder worker 所在 FC 地域。 |
+| `registry` | 映射 | 环境变量 | 可选的目标镜像仓库鉴权，见下文。 |
+| `baseContainerConfig.image` | string | docker-image-builder 默认值 | 云端 worker 使用的构建环境镜像。 |
+
+仅支持标准 OCI registry 模式。不要在该块中写 `registryMode`、`baseImage`、
+`baseAcrInstanceId` 或 `baseRegistry`。
+
+```yaml
+cloudBuild:
+  dir: .
+  setupScript: scripts/setup.sh
+  timeoutMinutes: 20
+  cpu: 4
+  memory: 8192
+  baseContainerConfig:
+    image: serverless-registry.cn-hangzhou.cr.aliyuncs.com/functionai/docker-image-builder-worker:20260514-111141-2d80effe
+```
+
+`registry.username` 和 `registry.password` 可省略。省略时 CLI 会从环境变量或 `.env`
+读取 `DOCKER_IMAGE_BUILDER_USERNAME` 和 `DOCKER_IMAGE_BUILDER_PASSWORD`。阿里云
+UID/AK/SK 从当前 AgentRun profile 解析，并通过环境变量传给 docker-image-builder。
+CLI 不会对 YAML 值做 `${...}` 插值；需要使用环境变量时不要写 `registry`，或者
+在 YAML 中写入字面值。
+
 ## `spec` 资源与运行时开关
 
 | 字段 | 类型 | 默认 | 说明 |
@@ -270,6 +310,7 @@ routing:
 | `metadata.name` 缺失或不符合 `[a-z0-9-]{1,63}` |  |
 | `spec.container` 缺失或不是映射 |  |
 | `spec.container.image` 缺失或为空 |  |
+| `spec.container.cloudBuild` 出现不支持字段 | 只支持 OCI 模式；ACREE/base-registry builder 字段会被拒绝。 |
 | `spec.container.imageRegistryType` 不在 `ACR|ACREE|CUSTOM` 中 |  |
 | `imageRegistryType=CUSTOM` 但 `registryConfig` 缺失 |  |
 | 出现 `metadata.tags` | SDK 0.0.200 已移除该字段。 |
@@ -316,6 +357,27 @@ spec:
 # system_tags=["x-agentrun-cli"], artifact_type=Container
 ```
 
+
+### 部署前云上构建
+
+```yaml
+apiVersion: agentrun/v1
+kind: AgentRuntime
+metadata:
+  name: my-agent
+spec:
+  container:
+    image: registry.cn-hangzhou.aliyuncs.com/my-ns/my-agent:v1
+    cloudBuild:
+      dir: .
+      setupScript: scripts/setup.sh
+  env:
+    LOG_LEVEL: info
+```
+
+`ar runtime apply -f runtime.yaml` 会调用 docker-image-builder 构建并推送镜像，然后部署
+同一个 `image` 值。docker-image-builder 默认会跳过已存在的目标 tag。
+
 ### 生产示例 —— ACREE + 私网 + NAS + 金丝雀
 
 ```yaml
@@ -401,6 +463,7 @@ spec:
 | `spec.container.imageRegistryType` | `container_configuration.image_registry_type` |
 | `spec.container.acrInstanceId` | `container_configuration.acr_instance_id` |
 | `spec.container.registryConfig.*` | `container_configuration.registry_config.*` |
+| `spec.container.cloudBuild.*` | CLI-only 构建计划，不发送给 AgentRun SDK。 |
 | `spec.cpu / memory / port / diskSize` | `cpu / memory / port / disk_size` |
 | `spec.enableSessionIsolation` | `enable_session_isolation` |
 | `spec.protocol.type` | `protocol_configuration.type` |
diff --git a/docs/zh/runtime.md b/docs/zh/runtime.md
index 0f0fcaf..f3f0768 100644
--- a/docs/zh/runtime.md
+++ b/docs/zh/runtime.md
@@ -2,9 +2,9 @@
 
 # ar runtime
 
-通过 YAML 声明式管理 **Agent Runtime**。本命令组只支持容器模式（用户提供 OCI 镜像；
-代码 → 镜像构建不在本命令组范围）。Endpoint 嵌入同一份 YAML；用户不写时 CLI 会自动
-注入一个名为 `default` 的 endpoint（`targetVersion=LATEST`）。
+通过 YAML 声明式管理 **Agent Runtime**。本命令组支持基于已有 OCI 镜像部署，也支持
+通过 `spec.container.cloudBuild` 在部署前调用云上构建。Endpoint 嵌入同一份
+YAML；用户不写时 CLI 会自动注入一个名为 `default` 的 endpoint（`targetVersion=LATEST`）。
 
 别名：`ar rt`。
 
@@ -13,7 +13,8 @@
 
 ## 命令
 
-- [apply](#apply) — 从 YAML create-or-update，附带状态轮询。
+- [apply](#apply) — 配置后先云上构建，再从 YAML create-or-update。
+- [cloud-build](#cloud-build) — 只按 YAML 构建镜像，不部署 runtime。
 - [render](#render) — 校验 + 渲染为 SDK 输入（不调用服务端）。
 - [get](#get) — 按名字获取单个 runtime。
 - [list](#list) — 列出 runtime；可用 `--created-by-cli` 或 `--workspace` 过滤。
@@ -46,7 +47,10 @@ ar runtime apply -f FILE [--wait/--no-wait] [--timeout DURATION]
 | `--prune-endpoints/--no-prune-endpoints` | flag | no | `--prune-endpoints` | 删除远端存在但 YAML 缺失的 endpoint。 |
 
 YAML 中省略 `cpu` / `memory` / `port` 时，CLI 会自动注入合理默认值（2 核 /
-4096 MB / 9000）—— 后端对这三个字段的 null 会回复 HTTP 400。
+4096 MB / 9000）—— 后端对这三个字段的 null 会回复 HTTP 400。若 YAML 写了
+`spec.container.cloudBuild`，`apply` 会先调用 docker-image-builder，再提交
+runtime，最终仍部署同一个 image 引用。docker-image-builder 默认会跳过已存在的目标
+tag。
 
 ### Examples
 
@@ -62,6 +66,22 @@ spec:
 EOF
 ar runtime apply -f runtime.yaml
 
+# 先云上构建，再部署 runtime
+cat > runtime-build.yaml <<EOF
+apiVersion: agentrun/v1
+kind: AgentRuntime
+metadata: {name: my-agent}
+spec:
+  container:
+    image: registry.cn-hangzhou.aliyuncs.com/my-ns/my-agent:v1
+    cloudBuild:
+      dir: .
+      setupScript: scripts/setup.sh
+      baseContainerConfig:
+        image: serverless-registry.cn-hangzhou.cr.aliyuncs.com/functionai/docker-image-builder-worker:20260514-111141-2d80effe
+EOF
+ar runtime apply -f runtime-build.yaml
+
 # CI 场景：异步提交不等待
 ar runtime apply -f runtime.yaml --no-wait
 
@@ -72,6 +92,40 @@ ar runtime apply -f runtime.yaml --timeout 20m
 ar runtime apply -f runtime.yaml --no-prune-endpoints
 ```
 
+
+---
+
+## cloud-build
+
+```
+ar runtime cloud-build -f FILE
+```
+
+### Options
+
+| Flag | Type | Required | Default | Description |
+|------|------|----------|---------|-------------|
+| `-f`, `--file` | path | yes |  | YAML 文件路径（支持多文档）。 |
+
+只执行 `spec.container.cloudBuild` 构建步骤，不创建或更新 runtime。每篇文档都会调用
+docker-image-builder；builder 成功退出时输出 `completed`。docker-image-builder
+默认会跳过已存在的目标 tag。对于用 `---` 分隔的多文档 YAML，每篇都必须声明
+`spec.container.cloudBuild`；否则命令会在启动任何 builder 进程前失败。
+
+`cloud-build` 使用与 `apply` 相同的凭据来源：阿里云 UID/AK/SK 读取 AgentRun profile；
+镜像仓库用户名和密码优先读 YAML 的 `cloudBuild.registry`，否则读取
+`DOCKER_IMAGE_BUILDER_USERNAME` / `DOCKER_IMAGE_BUILDER_PASSWORD`。
+
+CLI 自动下载 docker-image-builder 时，会先校验同名 `.sha256` 文件，再缓存或执行该
+二进制。设置 `DOCKER_IMAGE_BUILDER_BINPATH` 可以使用显式指定的本地 builder。
+
+### Examples
+
+```bash
+# 只构建，不部署 runtime
+ar runtime cloud-build -f runtime-build.yaml
+```
+
 ---
 
 ## render
@@ -88,7 +142,9 @@ ar runtime render -f FILE
 
 校验 YAML 并应用 CLI 自动注入（`system_tags=["x-agentrun-cli"]`、
 `artifact_type=Container`、`spec.endpoints` 缺省时注入默认 endpoint），
-以 JSON 形式打印 SDK create-input，不调用服务端。可在 `apply` 之前用于预览。
+以 JSON 形式打印 SDK create-input，不调用服务端。YAML 包含 `cloudBuild` 时，`render`
+还会输出 `cloudBuildPlan` 预览，但不会检查 registry，也不会构建镜像。可在 `apply`
+之前用于预览。
 
 ---
 
diff --git a/src/agentrun_cli/_utils/agentruntime_yaml.py b/src/agentrun_cli/_utils/agentruntime_yaml.py
index 5fe2271..4d21866 100644
--- a/src/agentrun_cli/_utils/agentruntime_yaml.py
+++ b/src/agentrun_cli/_utils/agentruntime_yaml.py
@@ -12,6 +12,8 @@
     spec:
       container:            # required (Container mode only)
         image: <str>        # required
+        cloudBuild: ...      # optional, build image in cloud before apply
+        cloudBuild.baseContainerConfig.image: <str>
         command: [<str>, ...]
         port: <int>
         imageRegistryType: <ACR|ACREE|CUSTOM>
@@ -75,6 +77,24 @@ class ParsedRegistryConfig:
     network: ParsedRegistryNetwork | None = None
 
 
+@dataclass
+class ParsedCloudBuildRegistry:
+    username: str | None = None
+    password: str | None = field(default=None, repr=False)
+
+
+@dataclass
+class ParsedCloudBuild:
+    dir: str = "."
+    setup_script: str = "scripts/setup.sh"
+    timeout_minutes: str = "20"
+    cpu: str = "4"
+    memory: str = "8192"
+    region: str | None = None
+    registry: ParsedCloudBuildRegistry | None = None
+    base_container_image: str | None = None
+
+
 @dataclass
 class ParsedContainer:
     image: str
@@ -83,6 +103,7 @@ class ParsedContainer:
     image_registry_type: str | None = None
     acr_instance_id: str | None = None
     registry_config: ParsedRegistryConfig | None = None
+    cloud_build: ParsedCloudBuild | None = None
 
 
 @dataclass
@@ -240,10 +261,137 @@ def _require_mapping(value: Any, where: str) -> dict:
     return value
 
 
+def _require_known_keys(raw: dict, allowed: set[str], where: str) -> None:
+    """Validate that a config mapping only contains supported fields.
+
+    Args:
+        raw: YAML mapping to validate.
+        allowed: Allowed field names.
+        where: Path used in error messages.
+    """
+    unknown = sorted(set(raw) - allowed)
+    if unknown:
+        raise YamlSchemaError(
+            f"{where} has unsupported field(s): {', '.join(unknown)}."
+        )
+
+
+def _as_string(value: Any, where: str) -> str:
+    """Convert a YAML scalar to a string.
+
+    Args:
+        value: Field value.
+        where: Path used in error messages.
+    """
+    if isinstance(value, bool):
+        raise YamlSchemaError(f"{where} must be a string or number.")
+    if isinstance(value, (str, int, float)):
+        return str(value)
+    raise YamlSchemaError(f"{where} must be a string or number.")
+
+
+def _parse_cloud_build_registry(raw: Any) -> ParsedCloudBuildRegistry | None:
+    """Parse `cloudBuild.registry`.
+
+    Args:
+        raw: Registry mapping, or None when omitted.
+    """
+    if raw is None:
+        return None
+    if not isinstance(raw, dict):
+        raise YamlSchemaError("spec.container.cloudBuild.registry must be a mapping.")
+    _require_known_keys(
+        raw,
+        {"username", "password"},
+        "spec.container.cloudBuild.registry",
+    )
+    username = raw.get("username")
+    password = raw.get("password")
+    if username is not None and not isinstance(username, str):
+        raise YamlSchemaError(
+            "spec.container.cloudBuild.registry.username must be a string."
+        )
+    if password is not None and not isinstance(password, str):
+        raise YamlSchemaError(
+            "spec.container.cloudBuild.registry.password must be a string."
+        )
+    return ParsedCloudBuildRegistry(username=username, password=password)
+
+
+def _parse_cloud_build_base_container_config(raw: Any) -> str | None:
+    """Parse `cloudBuild.baseContainerConfig.image`.
+
+    Args:
+        raw: Base container config mapping, or None when omitted.
+    """
+    if raw is None:
+        return None
+    if not isinstance(raw, dict):
+        raise YamlSchemaError(
+            "spec.container.cloudBuild.baseContainerConfig must be a mapping."
+        )
+    _require_known_keys(
+        raw,
+        {"image"},
+        "spec.container.cloudBuild.baseContainerConfig",
+    )
+    image = raw.get("image")
+    if image is None:
+        return None
+    return _as_string(image, "spec.container.cloudBuild.baseContainerConfig.image")
+
+
+def _parse_cloud_build(raw: Any) -> ParsedCloudBuild | None:
+    """Parse `cloudBuild` configuration.
+
+    Args:
+        raw: `cloudBuild` mapping.
+    """
+    if raw is None:
+        return None
+    if not isinstance(raw, dict):
+        raise YamlSchemaError("spec.container.cloudBuild must be a mapping.")
+    _require_known_keys(
+        raw,
+        {
+            "dir",
+            "setupScript",
+            "timeoutMinutes",
+            "cpu",
+            "memory",
+            "region",
+            "registry",
+            "baseContainerConfig",
+        },
+        "spec.container.cloudBuild",
+    )
+
+    def field(name: str, default: str | None = None) -> str | None:
+        value = raw.get(name)
+        if value is None:
+            return default
+        return _as_string(value, f"spec.container.cloudBuild.{name}")
+
+    region = field("region")
+    return ParsedCloudBuild(
+        dir=field("dir", ".") or ".",
+        setup_script=field("setupScript", "scripts/setup.sh") or "",
+        timeout_minutes=field("timeoutMinutes", "20") or "20",
+        cpu=field("cpu", "4") or "4",
+        memory=field("memory", "8192") or "8192",
+        region=region,
+        registry=_parse_cloud_build_registry(raw.get("registry")),
+        base_container_image=_parse_cloud_build_base_container_config(
+            raw.get("baseContainerConfig")
+        ),
+    )
+
+
 def _parse_container(raw: dict) -> ParsedContainer:
     image = raw.get("image")
     if not isinstance(image, str) or not image:
         raise YamlSchemaError("spec.container.image is required and must be a string.")
+    cloud_build = _parse_cloud_build(raw.get("cloudBuild"))
     image_registry_type = raw.get("imageRegistryType")
     if image_registry_type is not None and image_registry_type not in (
         "ACR",
@@ -273,6 +421,7 @@ def _parse_container(raw: dict) -> ParsedContainer:
         image_registry_type=image_registry_type,
         acr_instance_id=raw.get("acrInstanceId"),
         registry_config=registry_config,
+        cloud_build=cloud_build,
     )
 
 
diff --git a/src/agentrun_cli/_utils/cloud_build.py b/src/agentrun_cli/_utils/cloud_build.py
new file mode 100644
index 0000000..723adc7
--- /dev/null
+++ b/src/agentrun_cli/_utils/cloud_build.py
@@ -0,0 +1,373 @@
+"""Agent Runtime cloud image build helpers."""
+
+from __future__ import annotations
+
+import os
+import platform
+import stat
+import subprocess
+import sys
+import time
+import urllib.request
+from dataclasses import dataclass
+from hashlib import sha256
+from pathlib import Path
+from typing import Any
+
+from agentrun_cli._utils.agentruntime_yaml import ParsedAgentRuntime, ParsedCloudBuild
+
+BUILDER_RELEASE_TAG = "latest"
+BUILDER_BASE_URL = "https://images.devsapp.cn/docker-image-builder"
+
+
+class CloudBuildError(RuntimeError):
+    """Raised when cloud build fails."""
+
+
+@dataclass
+class CloudBuildResult:
+    """Cloud build result for one runtime."""
+
+    name: str
+    image: str
+    build_status: str
+    elapsed_seconds: float
+
+
+def load_dotenv(path: Path | None = None) -> None:
+    """Load dotenv values into process environment.
+
+    Args:
+        path: Dotenv path. Defaults to `.env` under the current working directory.
+    """
+    env_path = path or Path.cwd() / ".env"
+    if not env_path.exists():
+        return
+    for raw_line in env_path.read_text(encoding="utf-8").splitlines():
+        line = raw_line.strip()
+        if not line or line.startswith("#") or "=" not in line:
+            continue
+        key, value = line.split("=", 1)
+        key = key.strip()
+        value = value.strip().strip('"').strip("'")
+        if key and key not in os.environ:
+            os.environ[key] = value
+
+
+def build_runtime_image(
+    parsed: ParsedAgentRuntime,
+    cfg: Any,
+) -> CloudBuildResult | None:
+    """Build the runtime image according to `cloudBuild`.
+
+    Args:
+        parsed: Parsed runtime document.
+        cfg: AgentRun SDK config or a test double.
+    """
+    cloud_build = parsed.container.cloud_build
+    if cloud_build is None:
+        return None
+
+    started = time.monotonic()
+    image = parsed.container.image
+    binary_path = ensure_builder_binary()
+    env = build_builder_env(cfg, cloud_build)
+    args = build_builder_args(binary_path, image, cloud_build)
+    completed = subprocess.run(  # noqa: S603
+        args,
+        env=env,
+        stdout=sys.stderr,
+        stderr=sys.stderr,
+        check=False,
+    )
+    if completed.returncode != 0:
+        raise CloudBuildError(
+            f"docker-image-builder exited with code {completed.returncode}"
+        )
+
+    return CloudBuildResult(
+        name=parsed.name,
+        image=image,
+        build_status="completed",
+        elapsed_seconds=round(time.monotonic() - started, 3),
+    )
+
+
+def build_builder_env(
+    cfg: Any,
+    cloud_build: ParsedCloudBuild,
+) -> dict[str, str]:
+    """Build docker-image-builder subprocess environment variables.
+
+    Args:
+        cfg: AgentRun SDK config or a test double.
+        cloud_build: Parsed build configuration.
+    """
+    env = os.environ.copy()
+    _set_env_if_present(env, "DOCKER_IMAGE_BUILDER_UID", _cfg_value(cfg, "account_id"))
+    _set_env_if_present(
+        env,
+        "DOCKER_IMAGE_BUILDER_AK",
+        _cfg_value(cfg, "access_key_id"),
+    )
+    _set_env_if_present(
+        env,
+        "DOCKER_IMAGE_BUILDER_SK",
+        _cfg_value(cfg, "access_key_secret"),
+    )
+    _set_env_if_present(
+        env,
+        "DOCKER_IMAGE_BUILDER_REGION",
+        cloud_build.region or _cfg_value(cfg, "region_id"),
+    )
+    if cloud_build.registry and cloud_build.registry.username:
+        env["DOCKER_IMAGE_BUILDER_USERNAME"] = cloud_build.registry.username
+    if cloud_build.registry and cloud_build.registry.password:
+        env["DOCKER_IMAGE_BUILDER_PASSWORD"] = cloud_build.registry.password
+    return env
+
+
+def build_builder_args(
+    binary_path: str,
+    image: str,
+    cloud_build: ParsedCloudBuild,
+) -> list[str]:
+    """Build docker-image-builder CLI arguments.
+
+    Args:
+        binary_path: Path to the builder executable.
+        image: Target image.
+        cloud_build: Parsed build configuration.
+    """
+    args = [
+        binary_path,
+        "build",
+        f"--image={image}",
+        f"--dir={cloud_build.dir}",
+        f"--setup-script={cloud_build.setup_script}",
+        f"--timeout-minutes={cloud_build.timeout_minutes}",
+        f"--cpu={cloud_build.cpu}",
+        f"--memory={cloud_build.memory}",
+    ]
+    if cloud_build.region:
+        args.append(f"--region={cloud_build.region}")
+    if cloud_build.base_container_image:
+        args.append(f"--base-image={cloud_build.base_container_image}")
+    return args
+
+
+def serialize_cloud_build_plan(parsed: ParsedAgentRuntime) -> dict | None:
+    """Serialize `cloudBuild` configuration for render output.
+
+    Args:
+        parsed: Parsed runtime document.
+    """
+    cloud_build = parsed.container.cloud_build
+    if cloud_build is None:
+        return None
+    plan: dict[str, Any] = {
+        "image": parsed.container.image,
+        "dir": cloud_build.dir,
+        "setupScript": cloud_build.setup_script,
+        "timeoutMinutes": cloud_build.timeout_minutes,
+        "cpu": cloud_build.cpu,
+        "memory": cloud_build.memory,
+        "region": cloud_build.region,
+    }
+    if cloud_build.base_container_image:
+        plan["baseContainerConfig"] = {"image": cloud_build.base_container_image}
+    return plan
+
+
+def serialize_cloud_build_result(result: CloudBuildResult) -> dict:
+    """Serialize a build result for CLI output.
+
+    Args:
+        result: Cloud build result for one runtime.
+    """
+    return {
+        "name": result.name,
+        "image": result.image,
+        "buildStatus": result.build_status,
+        "elapsedSeconds": result.elapsed_seconds,
+    }
+
+
+def ensure_builder_binary() -> str:
+    """Return an executable docker-image-builder path."""
+    configured = os.getenv("DOCKER_IMAGE_BUILDER_BINPATH", "").strip()
+    if configured:
+        if _is_executable(Path(configured)):
+            return configured
+        raise CloudBuildError(
+            "DOCKER_IMAGE_BUILDER_BINPATH does not exist or is not executable: "
+            f"{configured}"
+        )
+
+    tag = os.getenv("DOCKER_IMAGE_BUILDER_BINTAG", "").strip() or BUILDER_RELEASE_TAG
+    install_dir = Path.home() / ".docker-image-builder" / tag
+    target = install_dir / _executable_name()
+
+    install_dir.mkdir(parents=True, exist_ok=True)
+    tmp = install_dir / f"{_executable_name()}.tmp-{os.getpid()}"
+    artifact = _artifact_name()
+    url = f"{BUILDER_BASE_URL}/{tag}/{artifact}"
+    try:
+        expected_sha256 = _download_sha256(f"{url}.sha256", artifact)
+        if _is_executable(target) and _sha256_file(target) == expected_sha256:
+            return str(target)
+        _download_binary(url, tmp)
+        _verify_sha256(tmp, expected_sha256)
+        tmp.chmod(tmp.stat().st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
+        tmp.replace(target)
+    except Exception as exc:
+        tmp.unlink(missing_ok=True)
+        raise CloudBuildError(f"download docker-image-builder failed: {exc}") from exc
+    return str(target)
+
+
+def _download_binary(url: str, target: Path) -> None:
+    """Download a binary to a temporary local path.
+
+    Args:
+        url: Download URL.
+        target: Target file path.
+    """
+    with urllib.request.urlopen(url, timeout=120) as resp:  # noqa: S310
+        target.write_bytes(resp.read())
+
+
+def _download_sha256(url: str, artifact_name: str) -> str:
+    """Download and parse a SHA256 checksum file.
+
+    Args:
+        url: Checksum URL.
+        artifact_name: Expected release artifact name.
+    """
+    with urllib.request.urlopen(url, timeout=30) as resp:  # noqa: S310
+        text = resp.read().decode("utf-8")
+    return _parse_sha256(text, artifact_name)
+
+
+def _parse_sha256(text: str, artifact_name: str) -> str:
+    """Parse a SHA256 checksum file.
+
+    Args:
+        text: Checksum file content.
+        artifact_name: Expected release artifact name.
+    """
+    for raw_line in text.splitlines():
+        line = raw_line.strip()
+        if not line or line.startswith("#"):
+            continue
+        parts = line.split()
+        digest = parts[0].lower()
+        if len(digest) != 64 or any(ch not in "0123456789abcdef" for ch in digest):
+            continue
+        if len(parts) == 1 or parts[-1].lstrip("*") == artifact_name:
+            return digest
+    raise CloudBuildError(f"invalid sha256 checksum file for {artifact_name}")
+
+
+def _verify_sha256(path: Path, expected_sha256: str) -> None:
+    """Verify a local file against an expected SHA256 digest.
+
+    Args:
+        path: File path to verify.
+        expected_sha256: Expected SHA256 digest.
+    """
+    actual_sha256 = _sha256_file(path)
+    if actual_sha256 != expected_sha256:
+        raise CloudBuildError(
+            "checksum mismatch for docker-image-builder: "
+            f"expected {expected_sha256}, got {actual_sha256}"
+        )
+
+
+def _sha256_file(path: Path) -> str:
+    """Compute the SHA256 digest of a local file.
+
+    Args:
+        path: File path to hash.
+    """
+    digest = sha256()
+    with path.open("rb") as f:
+        for chunk in iter(lambda: f.read(1024 * 1024), b""):
+            digest.update(chunk)
+    return digest.hexdigest()
+
+
+def _is_executable(path: Path) -> bool:
+    """Return whether the path is an executable file.
+
+    Args:
+        path: Path to inspect.
+    """
+    return path.is_file() and os.access(path, os.X_OK)
+
+
+def _executable_name() -> str:
+    """Return the executable filename for the current platform."""
+    if sys.platform == "win32":
+        return "docker-image-builder.exe"
+    return "docker-image-builder"
+
+
+def _artifact_name() -> str:
+    """Return the release artifact name on OSS."""
+    os_name = _go_platform()
+    arch = _go_arch()
+    suffix = ".exe" if os_name == "windows" else ""
+    return f"docker-image-builder-{os_name}-{arch}{suffix}"
+
+
+def _go_platform() -> str:
+    """Convert a Python platform name to a Go release platform name."""
+    if sys.platform == "win32":
+        return "windows"
+    if sys.platform == "darwin":
+        return "darwin"
+    if sys.platform.startswith("linux"):
+        return "linux"
+    raise CloudBuildError(f"unsupported platform: {sys.platform}")
+
+
+def _go_arch() -> str:
+    """Convert a Python architecture name to a Go release architecture name."""
+    machine = platform.machine().lower()
+    if machine in ("x86_64", "amd64"):
+        return "amd64"
+    if machine in ("aarch64", "arm64"):
+        return "arm64"
+    raise CloudBuildError(f"unsupported arch: {platform.machine()}")
+
+
+def _cfg_value(cfg: Any, name: str) -> str | None:
+    """Read a field value from an SDK Config object.
+
+    Args:
+        cfg: SDK Config object or test double.
+        name: Field name without the `get_` prefix.
+    """
+    method_name = f"get_{name}"
+    for candidate in (method_name, name):
+        if not hasattr(cfg, candidate):
+            continue
+        value = getattr(cfg, candidate)
+        if callable(value):
+            value = value()
+        if value:
+            return str(value)
+    return None
+
+
+def _set_env_if_present(env: dict[str, str], key: str, value: str | None) -> None:
+    """Set a non-empty environment value when the key is missing.
+
+    Args:
+        env: Child process environment mapping.
+        key: Environment variable name.
+        value: Candidate value.
+    """
+    if value and not env.get(key):
+        env[key] = value
diff --git a/src/agentrun_cli/commands/runtime/__init__.py b/src/agentrun_cli/commands/runtime/__init__.py
index e117ad2..5503a49 100644
--- a/src/agentrun_cli/commands/runtime/__init__.py
+++ b/src/agentrun_cli/commands/runtime/__init__.py
@@ -15,6 +15,9 @@
 import click  # noqa: E402
 
 from agentrun_cli.commands.runtime import apply_cmd as _apply_mod  # noqa: E402
+from agentrun_cli.commands.runtime import (
+    cloud_build_cmd as _cloud_build_mod,  # noqa: E402
+)
 from agentrun_cli.commands.runtime import crud_cmd as _crud_mod  # noqa: E402
 from agentrun_cli.commands.runtime import delete_cmd as _delete_mod  # noqa: E402
 from agentrun_cli.commands.runtime import render_cmd as _render_mod  # noqa: E402
@@ -30,6 +33,7 @@ def runtime_group():
 
 
 runtime_group.add_command(_apply_mod.apply_cmd)
+runtime_group.add_command(_cloud_build_mod.cloud_build_cmd)
 runtime_group.add_command(_render_mod.render_cmd)
 runtime_group.add_command(_crud_mod.get_cmd)
 runtime_group.add_command(_crud_mod.list_cmd)
diff --git a/src/agentrun_cli/commands/runtime/apply_cmd.py b/src/agentrun_cli/commands/runtime/apply_cmd.py
index b4fc30b..4f05fc6 100644
--- a/src/agentrun_cli/commands/runtime/apply_cmd.py
+++ b/src/agentrun_cli/commands/runtime/apply_cmd.py
@@ -11,6 +11,11 @@
     YamlSchemaError,
     parse_yaml_file,
 )
+from agentrun_cli._utils.cloud_build import (
+    build_runtime_image,
+    load_dotenv,
+    serialize_cloud_build_result,
+)
 from agentrun_cli._utils.config import build_sdk_config
 from agentrun_cli._utils.error import EXIT_BAD_INPUT, handle_errors
 from agentrun_cli._utils.output import echo_error, format_output
@@ -103,8 +108,9 @@ def _progress(stream, parsed, runtime, elapsed):
 @handle_errors
 def apply_cmd(ctx, file_path, wait, timeout, prune_endpoints):
     runtime_cls = _lazy_sdk()
+    load_dotenv()
     profile, region = ctx_cfg(ctx)
-    build_sdk_config(profile_name=profile, region=region)
+    cfg = build_sdk_config(profile_name=profile, region=region)
 
     docs = _parse(file_path)
     timeout_seconds = parse_duration(timeout) or DEFAULT_APPLY_TIMEOUT_SECONDS
@@ -113,6 +119,7 @@ def apply_cmd(ctx, file_path, wait, timeout, prune_endpoints):
     results = []
     for parsed in docs:
         started = time.monotonic()
+        build_result = build_runtime_image(parsed, cfg)
         rt_res = reconcile_runtime(parsed, client=runtime_cls)
         runtime = rt_res.runtime
 
@@ -160,6 +167,11 @@ def apply_cmd(ctx, file_path, wait, timeout, prune_endpoints):
             {
                 "action": rt_res.action,
                 "runtime": serialize_runtime(runtime),
+                "cloudBuild": (
+                    serialize_cloud_build_result(build_result)
+                    if build_result is not None
+                    else None
+                ),
                 "endpoints": [
                     {
                         **serialize_endpoint(a.endpoint or _empty_ep(a.name)),
diff --git a/src/agentrun_cli/commands/runtime/cloud_build_cmd.py b/src/agentrun_cli/commands/runtime/cloud_build_cmd.py
new file mode 100644
index 0000000..8f200fa
--- /dev/null
+++ b/src/agentrun_cli/commands/runtime/cloud_build_cmd.py
@@ -0,0 +1,100 @@
+"""Build Agent Runtime images in the cloud from YAML."""
+
+from __future__ import annotations
+
+import sys
+
+import click
+
+from agentrun_cli._utils.agentruntime_yaml import (
+    ParsedAgentRuntime,
+    YamlSchemaError,
+    parse_yaml_file,
+)
+from agentrun_cli._utils.cloud_build import (
+    build_runtime_image,
+    load_dotenv,
+    serialize_cloud_build_result,
+)
+from agentrun_cli._utils.config import build_sdk_config
+from agentrun_cli._utils.error import EXIT_BAD_INPUT, handle_errors
+from agentrun_cli._utils.output import echo_error, format_output
+from agentrun_cli.commands.runtime._helpers import ctx_cfg
+
+
+def _parse_file(path: str):
+    """Parse a runtime YAML file.
+
+    Args:
+        path: YAML file path.
+    """
+    try:
+        return parse_yaml_file(path)
+    except YamlSchemaError as exc:
+        echo_error("InvalidYaml", str(exc))
+        raise SystemExit(EXIT_BAD_INPUT) from exc
+
+
+def _require_cloud_build_blocks(docs: list[ParsedAgentRuntime]) -> None:
+    """Validate that all runtime documents declare cloud build config.
+
+    Args:
+        docs: Parsed runtime documents.
+    """
+    missing = [
+        f"Document #{idx + 1} runtime {parsed.name!r}"
+        for idx, parsed in enumerate(docs)
+        if parsed.container.cloud_build is None
+    ]
+    if not missing:
+        return
+    echo_error(
+        "InvalidYaml",
+        "All runtime documents must define spec.container.cloudBuild before "
+        f"cloud-build starts; missing: {'; '.join(missing)}.",
+    )
+    raise SystemExit(EXIT_BAD_INPUT)
+
+
+@click.command(
+    "cloud-build",
+    help="Build Agent Runtime images in the cloud from YAML.",
+)
+@click.option(
+    "-f",
+    "--file",
+    "file_path",
+    required=True,
+    help="YAML file path (supports multi-document).",
+)
+@click.pass_context
+@handle_errors
+def cloud_build_cmd(ctx, file_path):
+    load_dotenv()
+    docs = _parse_file(file_path)
+    _require_cloud_build_blocks(docs)
+
+    profile, region = ctx_cfg(ctx)
+    cfg = build_sdk_config(profile_name=profile, region=region)
+
+    results = []
+    for parsed in docs:
+        result = build_runtime_image(parsed, cfg)
+        if result is None:
+            continue
+        results.append(serialize_cloud_build_result(result))
+
+    if not results:
+        echo_error("InvalidYaml", "No spec.container.cloudBuild blocks found.")
+        raise SystemExit(EXIT_BAD_INPUT)
+
+    if sys.stderr.isatty():
+        for item in results:
+            sys.stderr.write(
+                f"[runtime {item['name']}] cloudBuild={item['buildStatus']} "
+                f"image={item['image']}\n"
+            )
+    format_output(ctx, results, quiet_field="image")
+
+
+__all__ = ["cloud_build_cmd"]
diff --git a/src/agentrun_cli/commands/runtime/render_cmd.py b/src/agentrun_cli/commands/runtime/render_cmd.py
index 215a31c..98e5532 100644
--- a/src/agentrun_cli/commands/runtime/render_cmd.py
+++ b/src/agentrun_cli/commands/runtime/render_cmd.py
@@ -6,6 +6,7 @@
     YamlSchemaError,
     parse_yaml_file,
 )
+from agentrun_cli._utils.cloud_build import serialize_cloud_build_plan
 from agentrun_cli._utils.error import EXIT_BAD_INPUT, handle_errors
 from agentrun_cli._utils.output import echo_error, format_output
 
@@ -61,6 +62,7 @@ def render_cmd(ctx, file_path):
                     ei.model_dump() if hasattr(ei, "model_dump") else ei
                     for ei in ep_inputs
                 ],
+                "cloudBuildPlan": serialize_cloud_build_plan(parsed),
             }
         )
     format_output(ctx, results)
diff --git a/tests/integration/test_runtime_cmd.py b/tests/integration/test_runtime_cmd.py
index 595ecf1..f01c49d 100644
--- a/tests/integration/test_runtime_cmd.py
+++ b/tests/integration/test_runtime_cmd.py
@@ -14,6 +14,7 @@
 import click
 from click.testing import CliRunner
 
+from agentrun_cli._utils.cloud_build import CloudBuildError, CloudBuildResult
 from agentrun_cli.commands.runtime import runtime_group
 
 
@@ -40,6 +41,7 @@ def test_runtime_group_registered():
     result = CliRunner().invoke(_root(), ["runtime", "--help"])
     assert result.exit_code == 0
     assert "apply" in result.output
+    assert "cloud-build" in result.output
     assert "render" in result.output
 
 
@@ -53,6 +55,35 @@ def test_runtime_group_registered():
     image: img:v1
 """
 
+CLOUD_BUILD_YAML = """
+apiVersion: agentrun/v1
+kind: AgentRuntime
+metadata:
+  name: my-agent
+spec:
+  container:
+    image: registry.example.com/ns/app:v1
+    cloudBuild:
+      dir: .
+      setupScript: ""
+      baseContainerConfig:
+        image: registry.example.com/ns/worker:tag
+"""
+
+MULTI_DOC_PARTIAL_CLOUD_BUILD_YAML = (
+    CLOUD_BUILD_YAML
+    + """
+---
+apiVersion: agentrun/v1
+kind: AgentRuntime
+metadata:
+  name: plain-agent
+spec:
+  container:
+    image: registry.example.com/ns/plain:v1
+"""
+)
+
 
 def test_render_outputs_rendered_input():
     fake_input = MagicMock()
@@ -87,6 +118,131 @@ def test_render_outputs_rendered_input():
     assert out[0]["name"] == "my-agent"
     assert out[0]["renderedCreateInput"]["systemTags"] == ["x-agentrun-cli"]
     assert out[0]["renderedEndpoints"][0]["agentRuntimeEndpointName"] == "default"
+    assert out[0]["cloudBuildPlan"] is None
+
+
+def test_render_outputs_cloud_build_plan():
+    fake_input = MagicMock()
+    fake_input.model_dump.return_value = {"agentRuntimeName": "my-agent"}
+    with (
+        patch(
+            "agentrun_cli.commands.runtime.render_cmd.to_runtime_create_input",
+            return_value=fake_input,
+        ),
+        patch(
+            "agentrun_cli.commands.runtime.render_cmd.to_endpoint_create_inputs",
+            return_value=[],
+        ),
+    ):
+        runner = CliRunner()
+        with runner.isolated_filesystem():
+            with open("rt.yaml", "w") as f:
+                f.write(CLOUD_BUILD_YAML)
+            result = runner.invoke(_root(), ["runtime", "render", "-f", "rt.yaml"])
+    assert result.exit_code == 0, result.output
+    out = json.loads(result.output)
+    assert out[0]["cloudBuildPlan"]["image"] == "registry.example.com/ns/app:v1"
+    assert out[0]["cloudBuildPlan"]["setupScript"] == ""
+    assert (
+        out[0]["cloudBuildPlan"]["baseContainerConfig"]["image"]
+        == "registry.example.com/ns/worker:tag"
+    )
+
+
+def test_cloud_build_command_success():
+    result_obj = CloudBuildResult(
+        name="my-agent",
+        image="registry.example.com/ns/app:v1",
+        build_status="completed",
+        elapsed_seconds=0.1,
+    )
+    with (
+        patch(
+            "agentrun_cli.commands.runtime.cloud_build_cmd.build_sdk_config",
+            return_value=MagicMock(),
+        ),
+        patch(
+            "agentrun_cli.commands.runtime.cloud_build_cmd.build_runtime_image",
+            return_value=result_obj,
+        ) as build_mock,
+    ):
+        runner = CliRunner()
+        with runner.isolated_filesystem():
+            with open("rt.yaml", "w") as f:
+                f.write(CLOUD_BUILD_YAML)
+            result = runner.invoke(_root(), ["runtime", "cloud-build", "-f", "rt.yaml"])
+    assert result.exit_code == 0, result.output
+    out = json.loads(result.output)
+    assert out[0]["buildStatus"] == "completed"
+    build_mock.assert_called_once()
+
+
+def test_cloud_build_command_requires_cloud_build_block():
+    runner = CliRunner()
+    with runner.isolated_filesystem():
+        with open("rt.yaml", "w") as f:
+            f.write(VALID_YAML)
+        result = runner.invoke(_root(), ["runtime", "cloud-build", "-f", "rt.yaml"])
+    assert result.exit_code == 2
+
+
+def test_cloud_build_command_prescans_all_docs_before_building():
+    result_obj = CloudBuildResult(
+        name="my-agent",
+        image="registry.example.com/ns/app:v1",
+        build_status="completed",
+        elapsed_seconds=0.1,
+    )
+    with (
+        patch(
+            "agentrun_cli.commands.runtime.cloud_build_cmd.build_sdk_config",
+            return_value=MagicMock(),
+        ) as cfg_mock,
+        patch(
+            "agentrun_cli.commands.runtime.cloud_build_cmd.build_runtime_image",
+            return_value=result_obj,
+        ) as build_mock,
+    ):
+        runner = CliRunner()
+        with runner.isolated_filesystem():
+            with open("rt.yaml", "w") as f:
+                f.write(MULTI_DOC_PARTIAL_CLOUD_BUILD_YAML)
+            result = runner.invoke(_root(), ["runtime", "cloud-build", "-f", "rt.yaml"])
+    assert result.exit_code == 2
+    assert "plain-agent" in result.output
+    cfg_mock.assert_not_called()
+    build_mock.assert_not_called()
+
+
+def test_cloud_build_command_no_results_exit_code_2():
+    with (
+        patch(
+            "agentrun_cli.commands.runtime.cloud_build_cmd.build_sdk_config",
+            return_value=MagicMock(),
+        ),
+        patch(
+            "agentrun_cli.commands.runtime.cloud_build_cmd.build_runtime_image",
+            return_value=None,
+        ),
+    ):
+        runner = CliRunner()
+        with runner.isolated_filesystem():
+            with open("rt.yaml", "w") as f:
+                f.write(CLOUD_BUILD_YAML)
+            result = runner.invoke(_root(), ["runtime", "cloud-build", "-f", "rt.yaml"])
+    assert result.exit_code == 2
+
+
+def test_cloud_build_invalid_yaml_exit_code_2():
+    runner = CliRunner()
+    with runner.isolated_filesystem():
+        with open("bad.yaml", "w") as f:
+            f.write(
+                "apiVersion: wrong/v1\nkind: AgentRuntime\nmetadata: {name: x}\n"
+                "spec: {container: {image: i}}\n"
+            )
+        result = runner.invoke(_root(), ["runtime", "cloud-build", "-f", "bad.yaml"])
+    assert result.exit_code == 2
 
 
 def test_render_invalid_yaml_exit_code_2():
@@ -180,6 +336,84 @@ def _refresh(self=None, *a, **k):
     assert out[0]["endpoints"] == []
 
 
+def test_apply_cloud_build_before_runtime_submit(monkeypatch):
+    monkeypatch.setattr("time.sleep", lambda *_: None)
+    events = []
+    fake_runtime_cls = MagicMock()
+    created = _make_runtime(status="CREATING")
+    created.refresh = lambda *a, **k: created
+    created.list_endpoints = MagicMock(return_value=[])
+    created.create_endpoint = MagicMock(return_value=_make_endpoint())
+
+    def fake_create(*_args, **_kwargs):
+        events.append("runtime")
+        return created
+
+    def fake_build(*_args, **_kwargs):
+        events.append("build")
+        return CloudBuildResult(
+            name="my-agent",
+            image="registry.example.com/ns/app:v1",
+            build_status="completed",
+            elapsed_seconds=0.1,
+        )
+
+    fake_runtime_cls.list_all.return_value = []
+    fake_runtime_cls.create.side_effect = fake_create
+
+    with (
+        patch(
+            "agentrun_cli.commands.runtime.apply_cmd.build_sdk_config",
+            return_value=MagicMock(),
+        ),
+        patch(
+            "agentrun_cli.commands.runtime.apply_cmd.build_runtime_image",
+            fake_build,
+        ),
+        patch(
+            "agentrun_cli.commands.runtime.apply_cmd.AgentRuntime",
+            fake_runtime_cls,
+        ),
+    ):
+        runner = CliRunner()
+        with runner.isolated_filesystem():
+            with open("rt.yaml", "w") as f:
+                f.write(CLOUD_BUILD_YAML)
+            result = runner.invoke(
+                _root(),
+                ["runtime", "apply", "-f", "rt.yaml", "--no-wait"],
+            )
+    assert result.exit_code == 0, result.output
+    assert events == ["build", "runtime"]
+    out = json.loads(result.output)
+    assert out[0]["cloudBuild"]["buildStatus"] == "completed"
+
+
+def test_apply_cloud_build_failure_skips_runtime():
+    fake_runtime_cls = MagicMock()
+    fake_runtime_cls.list_all.return_value = []
+
+    with (
+        patch(
+            "agentrun_cli.commands.runtime.apply_cmd.build_sdk_config",
+            return_value=MagicMock(),
+        ),
+        patch(
+            "agentrun_cli.commands.runtime.apply_cmd.build_runtime_image",
+            side_effect=CloudBuildError("build failed"),
+        ),
+        patch("agentrun_cli.commands.runtime.apply_cmd.AgentRuntime", fake_runtime_cls),
+    ):
+        runner = CliRunner()
+        with runner.isolated_filesystem():
+            with open("rt.yaml", "w") as f:
+                f.write(CLOUD_BUILD_YAML)
+            result = runner.invoke(_root(), ["runtime", "apply", "-f", "rt.yaml"])
+    assert result.exit_code == 4
+    fake_runtime_cls.list_all.assert_not_called()
+    fake_runtime_cls.create.assert_not_called()
+
+
 def test_apply_update_path(monkeypatch):
     monkeypatch.setattr("time.sleep", lambda *_: None)
     existing = _make_runtime(status="UPDATING")
@@ -447,6 +681,7 @@ def test_real_cli_exposes_runtime_group():
     result = CliRunner().invoke(real_cli, ["runtime", "--help"])
     assert result.exit_code == 0
     assert "apply" in result.output
+    assert "cloud-build" in result.output
 
 
 def test_real_cli_exposes_rt_alias():
diff --git a/tests/unit/test_cloud_build.py b/tests/unit/test_cloud_build.py
new file mode 100644
index 0000000..7d059e4
--- /dev/null
+++ b/tests/unit/test_cloud_build.py
@@ -0,0 +1,412 @@
+"""Tests for Agent Runtime cloud build helpers."""
+
+from __future__ import annotations
+
+import os
+import stat
+import sys
+from hashlib import sha256
+from types import SimpleNamespace
+
+import pytest
+
+from agentrun_cli._utils import cloud_build as cloud_build_mod
+from agentrun_cli._utils.agentruntime_yaml import (
+    ParsedAgentRuntime,
+    ParsedCloudBuild,
+    ParsedCloudBuildRegistry,
+    ParsedContainer,
+)
+from agentrun_cli._utils.cloud_build import (
+    BUILDER_RELEASE_TAG,
+    CloudBuildError,
+    build_builder_args,
+    build_builder_env,
+    build_runtime_image,
+    ensure_builder_binary,
+    load_dotenv,
+    serialize_cloud_build_plan,
+    serialize_cloud_build_result,
+)
+
+
+def _runtime(cloud_build: ParsedCloudBuild | None = None):
+    return ParsedAgentRuntime(
+        name="my-agent",
+        container=ParsedContainer(
+            image="registry.example.com/ns/app:v1",
+            cloud_build=cloud_build,
+        ),
+    )
+
+
+def test_build_builder_env_uses_cfg_and_yaml_registry(monkeypatch):
+    monkeypatch.delenv("DOCKER_IMAGE_BUILDER_UID", raising=False)
+    cfg = SimpleNamespace(
+        get_account_id=lambda: "123",
+        get_access_key_id=lambda: "ak",
+        get_access_key_secret=lambda: "sk",
+        get_region_id=lambda: "cn-hangzhou",
+    )
+    cloud_build = ParsedCloudBuild(
+        registry=ParsedCloudBuildRegistry("yaml-u", "yaml-p")
+    )
+    env = build_builder_env(
+        cfg,
+        cloud_build,
+    )
+    assert env["DOCKER_IMAGE_BUILDER_UID"] == "123"
+    assert env["DOCKER_IMAGE_BUILDER_AK"] == "ak"
+    assert env["DOCKER_IMAGE_BUILDER_SK"] == "sk"
+    assert env["DOCKER_IMAGE_BUILDER_REGION"] == "cn-hangzhou"
+    assert env["DOCKER_IMAGE_BUILDER_USERNAME"] == "yaml-u"
+    assert env["DOCKER_IMAGE_BUILDER_PASSWORD"] == "yaml-p"
+
+
+def test_load_dotenv_sets_missing_values(monkeypatch, tmp_path):
+    env_file = tmp_path / ".env"
+    env_file.write_text(
+        "\n".join(
+            [
+                "DOCKER_IMAGE_BUILDER_UID=123",
+                "QUOTED='value'",
+                "EXISTING=from-file",
+                "# ignored",
+                "invalid-line",
+            ]
+        ),
+        encoding="utf-8",
+    )
+    monkeypatch.delenv("DOCKER_IMAGE_BUILDER_UID", raising=False)
+    monkeypatch.delenv("QUOTED", raising=False)
+    monkeypatch.setenv("EXISTING", "from-env")
+
+    load_dotenv(env_file)
+
+    assert os.environ["DOCKER_IMAGE_BUILDER_UID"] == "123"
+    assert os.environ["QUOTED"] == "value"
+    assert os.environ["EXISTING"] == "from-env"
+
+
+def test_build_builder_args_do_not_include_secrets_or_registry_mode():
+    cloud_build = ParsedCloudBuild(
+        dir=".",
+        setup_script="",
+        timeout_minutes="30",
+        cpu="8c",
+        memory="16384",
+        registry=ParsedCloudBuildRegistry("u", "secret"),
+    )
+    args = build_builder_args("/bin/docker-image-builder", "reg/ns/app:v1", cloud_build)
+    joined = " ".join(args)
+    assert "--image=reg/ns/app:v1" in args
+    assert "--setup-script=" in args
+    assert "secret" not in joined
+    assert "registry-mode" not in joined
+
+
+def test_build_builder_args_include_base_container_image():
+    cloud_build = ParsedCloudBuild(
+        base_container_image="registry.example.com/ns/worker:tag"
+    )
+    args = build_builder_args("/bin/docker-image-builder", "reg/ns/app:v1", cloud_build)
+    assert "--base-image=registry.example.com/ns/worker:tag" in args
+
+
+def test_build_builder_args_include_region():
+    cloud_build = ParsedCloudBuild(region="cn-shanghai")
+    args = build_builder_args("/bin/docker-image-builder", "reg/ns/app:v1", cloud_build)
+    assert "--region=cn-shanghai" in args
+
+
+def test_serialize_cloud_build_plan_and_result():
+    cloud_build = ParsedCloudBuild(
+        base_container_image="registry.example.com/ns/worker:tag"
+    )
+    plan = serialize_cloud_build_plan(_runtime(cloud_build))
+    assert plan and plan["baseContainerConfig"]["image"] == (
+        "registry.example.com/ns/worker:tag"
+    )
+    result = serialize_cloud_build_result(
+        cloud_build_mod.CloudBuildResult(
+            name="my-agent",
+            image="registry.example.com/ns/app:v1",
+            build_status="completed",
+            elapsed_seconds=0.1,
+        )
+    )
+    assert result == {
+        "name": "my-agent",
+        "image": "registry.example.com/ns/app:v1",
+        "buildStatus": "completed",
+        "elapsedSeconds": 0.1,
+    }
+    assert serialize_cloud_build_plan(_runtime(None)) is None
+
+
+def test_ensure_builder_binary_uses_binpath(monkeypatch, tmp_path):
+    binary = tmp_path / "docker-image-builder"
+    binary.write_text("#!/bin/sh\n", encoding="utf-8")
+    binary.chmod(binary.stat().st_mode | stat.S_IXUSR)
+    monkeypatch.setenv("DOCKER_IMAGE_BUILDER_BINPATH", str(binary))
+    assert ensure_builder_binary() == str(binary)
+
+
+def test_ensure_builder_binary_rejects_bad_binpath(monkeypatch, tmp_path):
+    bad_path = tmp_path / "missing"
+    monkeypatch.setenv("DOCKER_IMAGE_BUILDER_BINPATH", str(bad_path))
+    with pytest.raises(CloudBuildError, match="BINPATH"):
+        ensure_builder_binary()
+
+
+def test_ensure_builder_binary_downloads_latest_with_checksum(monkeypatch, tmp_path):
+    monkeypatch.delenv("DOCKER_IMAGE_BUILDER_BINPATH", raising=False)
+    monkeypatch.delenv("DOCKER_IMAGE_BUILDER_BINTAG", raising=False)
+    monkeypatch.setenv("HOME", str(tmp_path))
+    monkeypatch.setattr(
+        "agentrun_cli._utils.cloud_build._artifact_name",
+        lambda: "docker-image-builder-linux-amd64",
+    )
+    content = b"#!/bin/sh\n"
+
+    def fake_download(url, target):
+        assert f"/{BUILDER_RELEASE_TAG}/" in url
+        target.write_bytes(content)
+
+    def fake_download_sha256(url, artifact_name):
+        assert url.endswith("/docker-image-builder-linux-amd64.sha256")
+        assert artifact_name == "docker-image-builder-linux-amd64"
+        return sha256(content).hexdigest()
+
+    monkeypatch.setattr(
+        "agentrun_cli._utils.cloud_build._download_binary",
+        fake_download,
+    )
+    monkeypatch.setattr(
+        "agentrun_cli._utils.cloud_build._download_sha256",
+        fake_download_sha256,
+    )
+    binary = ensure_builder_binary()
+    expected_suffix = (
+        f".docker-image-builder/{BUILDER_RELEASE_TAG}/docker-image-builder"
+    )
+    assert binary.endswith(expected_suffix)
+    assert os.access(binary, os.X_OK)
+
+
+def test_ensure_builder_binary_uses_cached_bintag(monkeypatch, tmp_path):
+    monkeypatch.delenv("DOCKER_IMAGE_BUILDER_BINPATH", raising=False)
+    monkeypatch.setenv("DOCKER_IMAGE_BUILDER_BINTAG", "custom-tag")
+    monkeypatch.setenv("HOME", str(tmp_path))
+    cached = tmp_path / ".docker-image-builder" / "custom-tag" / "docker-image-builder"
+    cached.parent.mkdir(parents=True)
+    content = b"#!/bin/sh\n"
+    cached.write_bytes(content)
+    cached.chmod(cached.stat().st_mode | stat.S_IXUSR)
+    monkeypatch.setattr(
+        "agentrun_cli._utils.cloud_build._download_sha256",
+        lambda *_args: sha256(content).hexdigest(),
+    )
+    monkeypatch.setattr(
+        "agentrun_cli._utils.cloud_build._download_binary",
+        lambda *_args: pytest.fail("cached binary should not be downloaded"),
+    )
+    assert ensure_builder_binary() == str(cached)
+
+
+def test_ensure_builder_binary_replaces_stale_cached_latest(monkeypatch, tmp_path):
+    monkeypatch.delenv("DOCKER_IMAGE_BUILDER_BINPATH", raising=False)
+    monkeypatch.delenv("DOCKER_IMAGE_BUILDER_BINTAG", raising=False)
+    monkeypatch.setenv("HOME", str(tmp_path))
+    monkeypatch.setattr(
+        "agentrun_cli._utils.cloud_build._artifact_name",
+        lambda: "docker-image-builder-linux-amd64",
+    )
+    cached = (
+        tmp_path
+        / ".docker-image-builder"
+        / BUILDER_RELEASE_TAG
+        / "docker-image-builder"
+    )
+    cached.parent.mkdir(parents=True)
+    cached.write_bytes(b"old")
+    cached.chmod(cached.stat().st_mode | stat.S_IXUSR)
+    new_content = b"new"
+    monkeypatch.setattr(
+        "agentrun_cli._utils.cloud_build._download_sha256",
+        lambda *_args: sha256(new_content).hexdigest(),
+    )
+
+    def fake_download(_url, target):
+        target.write_bytes(new_content)
+
+    monkeypatch.setattr(
+        "agentrun_cli._utils.cloud_build._download_binary",
+        fake_download,
+    )
+    assert ensure_builder_binary() == str(cached)
+    assert cached.read_bytes() == new_content
+
+
+def test_ensure_builder_binary_rejects_checksum_mismatch(monkeypatch, tmp_path):
+    monkeypatch.delenv("DOCKER_IMAGE_BUILDER_BINPATH", raising=False)
+    monkeypatch.delenv("DOCKER_IMAGE_BUILDER_BINTAG", raising=False)
+    monkeypatch.setenv("HOME", str(tmp_path))
+    monkeypatch.setattr(
+        "agentrun_cli._utils.cloud_build._artifact_name",
+        lambda: "docker-image-builder-linux-amd64",
+    )
+    monkeypatch.setattr(
+        "agentrun_cli._utils.cloud_build._download_sha256",
+        lambda *_args: sha256(b"expected").hexdigest(),
+    )
+    monkeypatch.setattr(
+        "agentrun_cli._utils.cloud_build._download_binary",
+        lambda _url, target: target.write_bytes(b"actual"),
+    )
+    with pytest.raises(CloudBuildError, match="checksum mismatch"):
+        ensure_builder_binary()
+
+
+def test_ensure_builder_binary_download_failure(monkeypatch, tmp_path):
+    monkeypatch.delenv("DOCKER_IMAGE_BUILDER_BINPATH", raising=False)
+    monkeypatch.delenv("DOCKER_IMAGE_BUILDER_BINTAG", raising=False)
+    monkeypatch.setenv("HOME", str(tmp_path))
+    monkeypatch.setattr(
+        "agentrun_cli._utils.cloud_build._artifact_name",
+        lambda: "docker-image-builder-linux-amd64",
+    )
+    monkeypatch.setattr(
+        "agentrun_cli._utils.cloud_build._download_sha256",
+        lambda *_args: sha256(b"bin").hexdigest(),
+    )
+    monkeypatch.setattr(
+        "agentrun_cli._utils.cloud_build._download_binary",
+        lambda *_args: (_ for _ in ()).throw(RuntimeError("boom")),
+    )
+    with pytest.raises(CloudBuildError, match="download docker-image-builder failed"):
+        ensure_builder_binary()
+
+
+def test_download_binary(monkeypatch, tmp_path):
+    class Resp:
+        def __enter__(self):
+            return self
+
+        def __exit__(self, *_args):
+            return False
+
+        def read(self):
+            return b"bin"
+
+    target = tmp_path / "docker-image-builder"
+    monkeypatch.setattr("urllib.request.urlopen", lambda *_a, **_k: Resp())
+    cloud_build_mod._download_binary("https://example.com/bin", target)
+    assert target.read_bytes() == b"bin"
+
+
+def test_download_sha256(monkeypatch):
+    class Resp:
+        def __enter__(self):
+            return self
+
+        def __exit__(self, *_args):
+            return False
+
+        def read(self):
+            return (
+                b"619ab54b0f5dd2208ce04c910b6b6800daf591adb6c3873e3cd9eecdedac341f"
+                b"  docker-image-builder-linux-amd64\n"
+            )
+
+    monkeypatch.setattr("urllib.request.urlopen", lambda *_a, **_k: Resp())
+    assert (
+        cloud_build_mod._download_sha256(
+            "https://example.com/bin.sha256",
+            "docker-image-builder-linux-amd64",
+        )
+        == "619ab54b0f5dd2208ce04c910b6b6800daf591adb6c3873e3cd9eecdedac341f"
+    )
+
+
+def test_parse_sha256_accepts_raw_digest():
+    digest = "a" * 64
+    assert cloud_build_mod._parse_sha256(digest, "artifact") == digest
+
+
+def test_parse_sha256_rejects_missing_artifact():
+    with pytest.raises(CloudBuildError, match="invalid sha256"):
+        cloud_build_mod._parse_sha256("a" * 64 + " other-artifact", "artifact")
+
+
+def test_build_runtime_image_runs_builder(monkeypatch):
+    calls = {}
+    cloud_build = ParsedCloudBuild()
+    monkeypatch.setattr(
+        "agentrun_cli._utils.cloud_build.ensure_builder_binary",
+        lambda: "/bin/dib",
+    )
+
+    def fake_run(args, env, stdout, stderr, check):
+        calls["args"] = args
+        calls["env"] = env
+        calls["stdout"] = stdout
+        calls["stderr"] = stderr
+        calls["check"] = check
+        return SimpleNamespace(returncode=0)
+
+    monkeypatch.setattr("subprocess.run", fake_run)
+    result = build_runtime_image(_runtime(cloud_build), SimpleNamespace())
+    assert result and result.build_status == "completed"
+    assert calls["args"][0] == "/bin/dib"
+    assert calls["args"][1] == "build"
+    assert calls["stdout"] is sys.stderr
+    assert calls["stderr"] is sys.stderr
+    assert calls["check"] is False
+
+
+def test_build_runtime_image_without_cloud_build_returns_none():
+    assert build_runtime_image(_runtime(None), SimpleNamespace()) is None
+
+
+def test_build_runtime_image_failure_raises(monkeypatch):
+    cloud_build = ParsedCloudBuild()
+    monkeypatch.setattr(
+        "agentrun_cli._utils.cloud_build.ensure_builder_binary",
+        lambda: "/bin/dib",
+    )
+    monkeypatch.setattr(
+        "subprocess.run",
+        lambda *_a, **_k: SimpleNamespace(returncode=7),
+    )
+    with pytest.raises(CloudBuildError, match="code 7"):
+        build_runtime_image(_runtime(cloud_build), SimpleNamespace())
+
+
+def test_platform_and_arch_helpers(monkeypatch):
+    monkeypatch.setattr(cloud_build_mod.sys, "platform", "darwin")
+    assert cloud_build_mod._go_platform() == "darwin"
+    monkeypatch.setattr(cloud_build_mod.sys, "platform", "win32")
+    assert cloud_build_mod._go_platform() == "windows"
+    assert cloud_build_mod._executable_name() == "docker-image-builder.exe"
+    assert cloud_build_mod._artifact_name().endswith(".exe")
+    monkeypatch.setattr(cloud_build_mod.sys, "platform", "plan9")
+    with pytest.raises(CloudBuildError, match="unsupported platform"):
+        cloud_build_mod._go_platform()
+
+    monkeypatch.setattr(cloud_build_mod.platform, "machine", lambda: "arm64")
+    assert cloud_build_mod._go_arch() == "arm64"
+    monkeypatch.setattr(cloud_build_mod.platform, "machine", lambda: "sparc")
+    with pytest.raises(CloudBuildError, match="unsupported arch"):
+        cloud_build_mod._go_arch()
+
+
+def test_cfg_value_and_set_env_helpers():
+    assert cloud_build_mod._cfg_value(SimpleNamespace(account_id="123"), "account_id")
+    assert (
+        cloud_build_mod._cfg_value(SimpleNamespace(account_id=""), "account_id") is None
+    )
+    env = {"KEY": "old"}
+    cloud_build_mod._set_env_if_present(env, "KEY", "new")
+    cloud_build_mod._set_env_if_present(env, "EMPTY", None)
+    assert env == {"KEY": "old"}
diff --git a/tests/unit/test_runtime_yaml.py b/tests/unit/test_runtime_yaml.py
index 6826b26..39af3e0 100644
--- a/tests/unit/test_runtime_yaml.py
+++ b/tests/unit/test_runtime_yaml.py
@@ -151,6 +151,95 @@ def test_container_full_fields():
     assert rt.container.acr_instance_id == "cri-xxx"
 
 
+def test_cloud_build_defaults_parsed():
+    text = _doc_with(
+        spec={
+            "container": {
+                "image": "registry.example.com/ns/app:v1",
+                "cloudBuild": {},
+            }
+        }
+    )
+    cloud_build = parse_yaml_text(text)[0].container.cloud_build
+    assert cloud_build is not None
+    assert cloud_build.dir == "."
+    assert cloud_build.setup_script == "scripts/setup.sh"
+    assert cloud_build.timeout_minutes == "20"
+    assert cloud_build.cpu == "4"
+    assert cloud_build.memory == "8192"
+
+
+def test_cloud_build_registry_parsed():
+    text = _doc_with(
+        spec={
+            "container": {
+                "image": "registry.example.com/ns/app:v1",
+                "cloudBuild": {
+                    "dir": "src",
+                    "setupScript": "",
+                    "timeoutMinutes": 30,
+                    "cpu": "8c",
+                    "memory": "16384",
+                    "region": "cn-shanghai",
+                    "registry": {"username": "u", "password": "p"},
+                    "baseContainerConfig": {
+                        "image": "registry.example.com/ns/worker:tag"
+                    },
+                },
+            }
+        }
+    )
+    cloud_build = parse_yaml_text(text)[0].container.cloud_build
+    assert cloud_build is not None
+    assert cloud_build.dir == "src"
+    assert cloud_build.setup_script == ""
+    assert cloud_build.timeout_minutes == "30"
+    assert cloud_build.cpu == "8c"
+    assert cloud_build.memory == "16384"
+    assert cloud_build.region == "cn-shanghai"
+    assert cloud_build.registry and cloud_build.registry.username == "u"
+    assert cloud_build.base_container_image == "registry.example.com/ns/worker:tag"
+
+
+def test_cloud_build_allows_image_without_prevalidation():
+    text = _doc_with(
+        spec={
+            "container": {
+                "image": "registry.example.com/ns/app",
+                "cloudBuild": {},
+            }
+        }
+    )
+    cloud_build = parse_yaml_text(text)[0].container.cloud_build
+    assert cloud_build is not None
+
+
+def test_cloud_build_rejects_registry_mode_field():
+    text = _doc_with(
+        spec={
+            "container": {
+                "image": "registry.example.com/ns/app:v1",
+                "cloudBuild": {"registryMode": "fc-registry"},
+            }
+        }
+    )
+    with pytest.raises(YamlSchemaError, match="unsupported field"):
+        parse_yaml_text(text)
+
+
+def test_cloud_build_rejects_acree_base_fields():
+    text = _doc_with(
+        spec={
+            "container": {
+                "image": "registry.example.com/ns/app:v1",
+                "cloudBuild": {"baseAcrInstanceId": "cri-xxx"},
+            }
+        }
+    )
+    with pytest.raises(YamlSchemaError, match="unsupported field"):
+        parse_yaml_text(text)
+
+
 def test_custom_registry_requires_config():
     text = _doc_with(
         spec={"container": {"image": "img", "imageRegistryType": "CUSTOM"}}