@appfleet-cli/cli 0.1.0

package/dist/cloud-session.js

@@ -0,0 +1,1819 @@
+import { createHash, randomUUID } from "node:crypto";
+import { chmod, mkdir, readFile, rm, writeFile } from "node:fs/promises";
+import { createServer } from "node:http";
+import { dirname, join } from "node:path";
+import { spawn } from "node:child_process";
+import { createAppProjectMemory, createCloudSyncMetadata, createCloudSyncRuntimeConflictState, createLocalMetadataSyncQueueEntry, createProjectMemorySyncRequest, createProjectMemorySyncResult, } from "@appfleet/domain";
+import { readProjectMemories, writeProjectMemories } from "./project-memory.js";
+export async function runCloudSessionCommand(argv, options = {}) {
+    const now = options.now ?? (() => new Date());
+    let env = options.env ?? process.env;
+    let parsed;
+    try {
+        parsed = parseCloudSessionCommand(argv, env);
+    }
+    catch (error) {
+        return {
+            exitCode: 1,
+            stdout: "",
+            stderr: `AppFleet cloud scaffold failed: ${errorMessage(error)}\n`,
+        };
+    }
+    const projectRoot = options.projectRoot ?? process.cwd();
+    const sessionPath = options.sessionPath ?? defaultSessionPath(projectRoot);
+    const authTokenPath = defaultAuthTokenPath(sessionPath);
+    const storedAuthToken = await readAuthToken(authTokenPath);
+    if (!env.APPFLEET_CLOUD_AUTH_TOKEN && storedAuthToken) {
+        env = {
+            ...env,
+            APPFLEET_CLOUD_AUTH_TOKEN: storedAuthToken,
+            APPFLEET_CLOUD_AUTH_TOKEN_SOURCE: "device_store",
+        };
+    }
+    const projectMemoryStorePath = options.projectMemoryStorePath ?? defaultProjectMemoryStorePath(projectRoot);
+    const metadataSyncStorePath = options.metadataSyncStorePath ?? defaultMetadataSyncStorePath(projectRoot);
+    try {
+        if (parsed.namespace === "auth" && parsed.action === "login") {
+            const productionConfig = resolveProductionCloudConfig(parsed, env);
+            if (productionConfig.enabled) {
+                const configReport = createRedactedCloudConfigReport("production", productionConfig);
+                const missing = missingProductionAuthConfig(productionConfig);
+                if (missing.length > 0) {
+                    const report = createAuthMisconfiguredReport({
+                        action: "login",
+                        workspaceId: parsed.workspaceId,
+                        configReport,
+                        missing,
+                    });
+                    return {
+                        exitCode: 1,
+                        stdout: parsed.outputFormat === "json"
+                            ? formatJson(report)
+                            : formatAuthMisconfigured(report),
+                        stderr: "",
+                    };
+                }
+                const createdAt = now();
+                const request = buildHostedAuthRequest({
+                    apiBaseUrl: productionConfig.apiBaseUrl,
+                    action: "login",
+                    workspaceId: parsed.workspaceId,
+                    email: parsed.email,
+                });
+                const transport = options.hostedAuthTransport ?? defaultHostedAuthTransport;
+                const authResult = await transport(request, {
+                    configReport,
+                    action: "login",
+                    timeoutMs: resolveHostedAuthTimeoutMs(env, options.hostedAuthTimeoutMs),
+                });
+                const session = createHostedSessionMetadata({
+                    requestedWorkspaceId: parsed.workspaceId,
+                    requestedEmail: parsed.email,
+                    createdAt,
+                    result: authResult,
+                });
+                if (authResult.authToken) {
+                    await writeAuthToken(authTokenPath, authResult.authToken);
+                }
+                await writeJson(sessionPath, session);
+                const document = {
+                    type: "hosted_auth_login_result",
+                    version: 1,
+                    cloudMode: "production",
+                    status: "logged_in",
+                    config: configReport,
+                    request,
+                    session,
+                    trustBoundary: session.trustBoundary,
+                };
+                return {
+                    exitCode: 0,
+                    stdout: parsed.outputFormat === "json"
+                        ? formatJson(document)
+                        : formatHostedLogin(document, sessionPath),
+                    stderr: "",
+                };
+            }
+            const createdAt = now();
+            const session = {
+                type: "local_demo_cloud_session",
+                version: 1,
+                sessionId: `local_${randomUUID()}`,
+                status: "active",
+                workspaceId: parsed.workspaceId,
+                workspace: {
+                    id: parsed.workspaceId,
+                    source: "local_test_override",
+                },
+                user: {
+                    id: localUserId(parsed.workspaceId, parsed.email),
+                    email: parsed.email,
+                    source: "local_test_override",
+                },
+                email: parsed.email,
+                createdAt: createdAt.toISOString(),
+                expiresAt: sessionExpiry(createdAt).toISOString(),
+                hostedAuthImplemented: false,
+                productionCloudPersistenceImplemented: false,
+                localTestPersistenceImplemented: true,
+                secretMaterialStored: false,
+                zeroSecretBoundary: createZeroSecretBoundary(),
+                trustBoundary: [
+                    "This is local-test hosted auth session metadata only.",
+                    "No hosted AppFleet auth session is created.",
+                    "No bearer auth material, OAuth refresh material, session cookie, key material, provider credential, encrypted credential blob, command output, or secret fragment is stored.",
+                ],
+            };
+            await writeJson(sessionPath, session);
+            return {
+                exitCode: 0,
+                stdout: parsed.outputFormat === "json"
+                    ? formatJson({ session })
+                    : formatLogin(session, sessionPath),
+                stderr: "",
+            };
+        }
+        if (parsed.namespace === "auth" && parsed.action === "logout") {
+            const productionConfig = resolveProductionCloudConfig(parsed, env);
+            if (productionConfig.enabled) {
+                const configReport = createRedactedCloudConfigReport("production", productionConfig);
+                const missing = missingProductionAuthConfig(productionConfig);
+                if (missing.length > 0) {
+                    const report = createAuthMisconfiguredReport({
+                        action: "logout",
+                        workspaceId: "workspace_local",
+                        configReport,
+                        missing,
+                    });
+                    return {
+                        exitCode: 1,
+                        stdout: parsed.outputFormat === "json"
+                            ? formatJson(report)
+                            : formatAuthMisconfigured(report),
+                        stderr: "",
+                    };
+                }
+                const existing = await readSession(sessionPath);
+                if (existing?.type !== "hosted_cloud_session_metadata") {
+                    const report = createHostedLogoutMissingSessionReport({
+                        configReport,
+                        loggedOutAt: now().toISOString(),
+                    });
+                    return {
+                        exitCode: 1,
+                        stdout: parsed.outputFormat === "json"
+                            ? formatJson(report)
+                            : formatHostedLogoutMissingSession(report),
+                        stderr: "",
+                    };
+                }
+                const request = buildHostedAuthRequest({
+                    apiBaseUrl: productionConfig.apiBaseUrl,
+                    action: "logout",
+                    workspaceId: existing.workspaceId,
+                    sessionId: existing.sessionId,
+                });
+                const transport = options.hostedAuthTransport ?? defaultHostedAuthTransport;
+                const authResult = await transport(request, {
+                    configReport,
+                    action: "logout",
+                    timeoutMs: resolveHostedAuthTimeoutMs(env, options.hostedAuthTimeoutMs),
+                });
+                await rm(sessionPath, { force: true });
+                await rm(authTokenPath, { force: true });
+                const document = {
+                    type: "hosted_auth_logout_result",
+                    version: 1,
+                    cloudMode: "production",
+                    status: authResult.revoked === false ? "logout_unconfirmed" : "logged_out",
+                    removedLocalSessionMetadata: true,
+                    hostedAuthSessionRevoked: authResult.revoked !== false,
+                    loggedOutAt: now().toISOString(),
+                    config: configReport,
+                    request,
+                    session: {
+                        sessionId: existing.sessionId,
+                        workspaceId: existing.workspaceId,
+                        status: "logged_out",
+                        expiresAt: existing.expiresAt,
+                    },
+                    zeroSecretBoundary: createZeroSecretBoundary(),
+                    trustBoundary: [
+                        "Hosted logout used explicit production mode and redacted auth material.",
+                        "Removed local hosted session metadata after the revocation request completed.",
+                        "No bearer auth material, OAuth refresh material, session cookie, key material, provider credential, encrypted credential blob, command output, or secret fragment was printed or stored.",
+                    ],
+                };
+                return {
+                    exitCode: 0,
+                    stdout: parsed.outputFormat === "json"
+                        ? formatJson(document)
+                        : formatHostedLogout(document),
+                    stderr: "",
+                };
+            }
+            const existing = await readSession(sessionPath);
+            await rm(sessionPath, { force: true });
+            await rm(authTokenPath, { force: true });
+            const loggedOutAt = now().toISOString();
+            const result = {
+                type: "local_demo_logout_result",
+                version: 1,
+                removedLocalSessionMetadata: existing !== undefined,
+                sessionStatus: existing === undefined ? "not_found" : "logged_out",
+                loggedOutAt,
+                session: existing
+                    ? {
+                        sessionId: existing.sessionId,
+                        workspaceId: existing.workspaceId,
+                        userId: existing.user?.id,
+                        status: "logged_out",
+                        expiresAt: existing.expiresAt,
+                    }
+                    : undefined,
+                hostedAuthSessionRevoked: false,
+                productionCloudPersistenceImplemented: false,
+                localTestPersistenceImplemented: true,
+                zeroSecretBoundary: createZeroSecretBoundary(),
+                trustBoundary: [
+                    "Only local-test session metadata was removed.",
+                    "No hosted AppFleet auth session exists to revoke in V1.",
+                    "No bearer auth material, OAuth refresh material, session cookie, key material, provider credential, encrypted credential blob, command output, or secret fragment was read or removed.",
+                ],
+            };
+            return {
+                exitCode: 0,
+                stdout: parsed.outputFormat === "json"
+                    ? formatJson(result)
+                    : formatLogout(result.removedLocalSessionMetadata),
+                stderr: "",
+            };
+        }
+        if (parsed.namespace === "cloud") {
+            if (parsed.action === "resolve-conflict") {
+                const session = await readSession(sessionPath);
+                const workspaceId = parsed.workspaceId ?? safeSessionWorkspaceId(session) ?? "workspace_local";
+                const resolvedAt = now().toISOString();
+                const syncStore = await readMetadataSyncStore(metadataSyncStorePath);
+                const workspaceState = getWorkspaceSyncState(syncStore, workspaceId);
+                const pendingConflicts = workspaceState.conflicts.filter((conflict) => conflict.projectId === parsed.projectId &&
+                    conflict.status === "pending");
+                if (pendingConflicts.length === 0) {
+                    const document = {
+                        type: "cloud_metadata_sync_conflict_resolution_result",
+                        version: 1,
+                        cloudMode: "local-test",
+                        status: "not_found",
+                        workspaceId,
+                        projectId: parsed.projectId,
+                        resolution: parsed.resolution,
+                        metadataSyncStorePath,
+                        syncAttempted: false,
+                        trustBoundary: [
+                            "No pending runtime conflict was found for this project.",
+                            "No cloud transport was called and no project memory payload was stored.",
+                        ],
+                    };
+                    return {
+                        exitCode: 1,
+                        stdout: parsed.outputFormat === "json"
+                            ? formatJson(document)
+                            : formatConflictResolution(document),
+                        stderr: "",
+                    };
+                }
+                const status = parsed.resolution === "local"
+                    ? "resolved_accept_local_metadata"
+                    : "resolved_accept_remote_metadata";
+                workspaceState.conflicts = workspaceState.conflicts.map((conflict) => conflict.projectId === parsed.projectId && conflict.status === "pending"
+                    ? createCloudSyncRuntimeConflictState({
+                        ...conflict,
+                        status,
+                        resolvedAt,
+                        resolution: parsed.resolution === "local"
+                            ? "accept_local_metadata"
+                            : "accept_remote_metadata",
+                    })
+                    : conflict);
+                workspaceState.queue = workspaceState.queue.map((entry) => entry.rejectedProjectIds.includes(parsed.projectId) &&
+                    entry.status === "pending_conflict"
+                    ? createLocalMetadataSyncQueueEntry({
+                        ...entry,
+                        status,
+                        updatedAt: resolvedAt,
+                        retryable: parsed.resolution === "local",
+                    })
+                    : entry);
+                if (parsed.resolution === "local") {
+                    const localMemories = await readProjectMemories(projectMemoryStorePath);
+                    const memory = localMemories.find((candidate) => candidate.id === parsed.projectId);
+                    if (memory) {
+                        workspaceState.projectFingerprints[parsed.projectId] = {
+                            projectId: parsed.projectId,
+                            fingerprint: projectMemoryFingerprint(memory),
+                            lastSyncedAt: memory.cloudSync.lastSyncedAt ?? resolvedAt,
+                        };
+                    }
+                }
+                syncStore.workspaces[workspaceId] = workspaceState;
+                await writeMetadataSyncStore(metadataSyncStorePath, syncStore);
+                const pendingConflictCount = workspaceState.conflicts.filter((conflict) => conflict.status === "pending").length;
+                const document = {
+                    type: "cloud_metadata_sync_conflict_resolution_result",
+                    version: 1,
+                    cloudMode: "local-test",
+                    status: "resolved",
+                    workspaceId,
+                    projectId: parsed.projectId,
+                    resolution: parsed.resolution,
+                    resolvedAt,
+                    pendingConflictCount,
+                    metadataSyncStorePath,
+                    syncAttempted: false,
+                    localProjectMemoryOverwritten: false,
+                    remoteProjectMemoryPayloadStored: false,
+                    trustBoundary: [
+                        "Resolved local/cloud metadata conflict state only.",
+                        "No cloud transport was called during conflict resolution.",
+                        "Did not store remote project payloads, local project payloads, plaintext credential values, encrypted credential blobs, key wrappers, key material, command output, or secret fragments.",
+                    ],
+                };
+                return {
+                    exitCode: 0,
+                    stdout: parsed.outputFormat === "json"
+                        ? formatJson(document)
+                        : formatConflictResolution(document),
+                    stderr: "",
+                };
+            }
+            const productionConfig = resolveProductionCloudConfig(parsed, env);
+            const mode = productionConfig.enabled ? "production" : "local-test";
+            if (mode === "production") {
+                const configReport = createRedactedCloudConfigReport(mode, productionConfig);
+                const missing = missingProductionConfig(productionConfig);
+                if (missing.length > 0) {
+                    const report = createProductionMisconfiguredReport({
+                        action: parsed.action,
+                        workspaceId: parsed.workspaceId ?? "workspace_local",
+                        configReport,
+                        missing,
+                    });
+                    return {
+                        exitCode: 1,
+                        stdout: parsed.outputFormat === "json"
+                            ? formatJson(report)
+                            : formatProductionMisconfigured(report),
+                        stderr: "",
+                    };
+                }
+                const localMemories = await readProjectMemories(projectMemoryStorePath);
+                const memories = localMemories.map(cloudSafeProjectMemory);
+                const session = await readSession(sessionPath);
+                const workspaceId = parsed.workspaceId ?? safeSessionWorkspaceId(session) ?? "workspace_local";
+                const createdAt = now().toISOString();
+                const request = buildProductionCloudMetadataSyncRequest({
+                    apiBaseUrl: productionConfig.apiBaseUrl,
+                    workspaceId,
+                    createdAt,
+                    memories,
+                    idempotencyKey: parsed.idempotencyKey ?? env.APPFLEET_METADATA_SYNC_IDEMPOTENCY_KEY,
+                });
+                const syncStore = await readMetadataSyncStore(metadataSyncStorePath);
+                const workspaceState = getWorkspaceSyncState(syncStore, workspaceId);
+                const pendingEntry = createSyncQueueEntry({
+                    id: `queue_${randomUUID()}`,
+                    workspaceId,
+                    cloudMode: "production",
+                    requestedProjectIds: request.body.envelopes.map((envelope) => envelope.projectId),
+                    acceptedProjectIds: [],
+                    rejectedProjectIds: [],
+                    status: "pending_upload",
+                    idempotencyKey: request.headers.idempotencyKey,
+                    createdAt,
+                    updatedAt: createdAt,
+                    productionCloudRequestCompleted: false,
+                    retryable: true,
+                });
+                workspaceState.queue = [...workspaceState.queue, pendingEntry];
+                syncStore.workspaces[workspaceId] = workspaceState;
+                await writeMetadataSyncStore(metadataSyncStorePath, syncStore);
+                const transport = options.transport ?? defaultProductionCloudTransport;
+                const maxRetries = options.productionSyncMaxRetries ?? 2;
+                const transportResult = await runProductionMetadataSyncWithRetry({
+                    request,
+                    transport,
+                    authToken: productionConfig.authToken,
+                    configReport,
+                    maxRetries,
+                });
+                if (transportResult.status === "failed") {
+                    workspaceState.queue = workspaceState.queue.map((entry) => entry.id === pendingEntry.id
+                        ? createSyncQueueEntry({
+                            ...entry,
+                            status: "failed_retryable",
+                            updatedAt: now().toISOString(),
+                            productionCloudRequestCompleted: false,
+                            retryable: true,
+                        })
+                        : entry);
+                    syncStore.workspaces[workspaceId] = workspaceState;
+                    await writeMetadataSyncStore(metadataSyncStorePath, syncStore);
+                    const document = createProductionTransportFailedReport({
+                        action: parsed.action,
+                        mode,
+                        localDemoSessionPresent: session !== undefined,
+                        hostedSessionMetadataPresent: session?.type === "hosted_cloud_session_metadata",
+                        configReport,
+                        request,
+                        retry: transportResult.retry,
+                    });
+                    return {
+                        exitCode: 1,
+                        stdout: parsed.outputFormat === "json"
+                            ? formatJson(document)
+                            : formatProductionTransportFailed(document),
+                        stderr: "",
+                    };
+                }
+                const result = createProjectMemorySyncResult({
+                    workspaceId,
+                    createdAt,
+                    acceptedProjectIds: transportResult.result.acceptedProjectIds,
+                    rejectedProjectIds: transportResult.result.rejectedProjectIds,
+                });
+                const rejectedProjectIdSet = new Set(result.rejectedProjectIds);
+                for (const envelope of request.body.envelopes) {
+                    if (rejectedProjectIdSet.has(envelope.projectId)) {
+                        workspaceState.conflicts = upsertRuntimeConflict({
+                            conflicts: workspaceState.conflicts,
+                            workspaceId,
+                            projectId: envelope.projectId,
+                            localFingerprint: projectMemoryFingerprint(envelope.memory),
+                            remoteFingerprint: "production_cloud_rejected_metadata",
+                            localLastSyncedAt: envelope.memory.cloudSync.lastSyncedAt,
+                            remoteLastSyncedAt: "unknown",
+                            detectedAt: createdAt,
+                        });
+                        continue;
+                    }
+                    workspaceState.projectFingerprints[envelope.projectId] = {
+                        projectId: envelope.projectId,
+                        fingerprint: projectMemoryFingerprint(envelope.memory),
+                        lastSyncedAt: createdAt,
+                    };
+                }
+                workspaceState.queue = workspaceState.queue.map((entry) => entry.id === pendingEntry.id
+                    ? createSyncQueueEntry({
+                        ...entry,
+                        acceptedProjectIds: result.acceptedProjectIds,
+                        rejectedProjectIds: result.rejectedProjectIds,
+                        status: result.rejectedProjectIds.length > 0
+                            ? "pending_conflict"
+                            : "applied",
+                        updatedAt: createdAt,
+                        productionCloudRequestCompleted: true,
+                        retryable: result.rejectedProjectIds.length > 0,
+                    })
+                    : entry);
+                const syncMetadata = createCloudSyncMetadata({
+                    id: `sync_${randomUUID()}`,
+                    request: createProjectMemorySyncRequest({
+                        workspaceId,
+                        createdAt,
+                        memories,
+                    }),
+                    result,
+                    completedAt: createdAt,
+                });
+                workspaceState.syncMetadata = [...workspaceState.syncMetadata, syncMetadata];
+                syncStore.workspaces[workspaceId] = workspaceState;
+                await writeMetadataSyncStore(metadataSyncStorePath, syncStore);
+                if (result.acceptedProjectIds.length > 0) {
+                    const acceptedProjectIdSet = new Set(result.acceptedProjectIds);
+                    await writeProjectMemories(projectMemoryStorePath, localMemories.map((memory) => acceptedProjectIdSet.has(memory.id)
+                        ? createAppProjectMemory({
+                            ...memory,
+                            cloudSync: {
+                                ...memory.cloudSync,
+                                lastSyncedAt: createdAt,
+                            },
+                        })
+                        : memory));
+                }
+                const document = {
+                    type: "cloud_metadata_sync_result",
+                    version: 1,
+                    mode: parsed.action,
+                    cloudMode: mode,
+                    localDemoSessionPresent: session !== undefined,
+                    hostedSessionMetadataPresent: session?.type === "hosted_cloud_session_metadata",
+                    hostedAuthImplemented: false,
+                    productionCloudPersistenceImplemented: false,
+                    productionCloudRequestCompleted: true,
+                    localTestPersistenceImplemented: false,
+                    config: configReport,
+                    request,
+                    retry: transportResult.retry,
+                    result,
+                    syncMetadata,
+                    queue: {
+                        addedEntryId: pendingEntry.id,
+                        latestStatus: result.rejectedProjectIds.length > 0
+                            ? "pending_conflict"
+                            : "applied",
+                        pendingUploadCount: workspaceState.queue.filter((entry) => entry.status === "pending_upload").length,
+                        pendingConflictCount: workspaceState.queue.filter((entry) => entry.status === "pending_conflict").length,
+                    },
+                    trustBoundary: [
+                        "Production cloud mode was explicitly enabled.",
+                        "The request descriptor contains sanitized project metadata only.",
+                        "Safe transient transport failures are retried with the same idempotency key.",
+                        "Persisted durable local sync queue metadata for production attempts without storing project payloads.",
+                        "Bearer auth material, cookies, DSNs, provider credentials, encrypted credential blob ids, key wrappers, command output, and secret fragments are redacted or omitted from output.",
+                    ],
+                };
+                return {
+                    exitCode: 0,
+                    stdout: parsed.outputFormat === "json"
+                        ? formatJson(document)
+                        : formatProductionCloudSync(document),
+                    stderr: "",
+                };
+            }
+        }
+        const localMemories = await readProjectMemories(projectMemoryStorePath);
+        const memories = localMemories.map(cloudSafeProjectMemory);
+        const session = await readSession(sessionPath);
+        const workspaceId = parsed.workspaceId ?? safeSessionWorkspaceId(session) ?? "workspace_local";
+        const createdAt = now().toISOString();
+        const request = createProjectMemorySyncRequest({
+            workspaceId,
+            createdAt,
+            memories,
+        });
+        const syncStore = await readMetadataSyncStore(metadataSyncStorePath);
+        const workspaceState = getWorkspaceSyncState(syncStore, workspaceId);
+        const conflicts = request.envelopes
+            .map((envelope) => {
+            const incomingFingerprint = projectMemoryFingerprint(envelope.memory);
+            const existing = workspaceState.projectFingerprints[envelope.projectId];
+            const localLastSyncedAt = envelope.memory.cloudSync.lastSyncedAt;
+            const isConflict = existing !== undefined &&
+                existing.fingerprint !== incomingFingerprint &&
+                existing.lastSyncedAt !== localLastSyncedAt;
+            if (!isConflict) {
+                return undefined;
+            }
+            workspaceState.conflicts = upsertRuntimeConflict({
+                conflicts: workspaceState.conflicts,
+                workspaceId,
+                projectId: envelope.projectId,
+                localFingerprint: incomingFingerprint,
+                remoteFingerprint: existing.fingerprint,
+                localLastSyncedAt,
+                remoteLastSyncedAt: existing.lastSyncedAt,
+                detectedAt: createdAt,
+            });
+            return {
+                projectId: envelope.projectId,
+                localLastSyncedAt: localLastSyncedAt ?? "never",
+                storedLastSyncedAt: existing.lastSyncedAt,
+                resolution: "Run cloud resolve-conflict after choosing local or remote metadata; no overwrite was performed.",
+            };
+        })
+            .filter((conflict) => conflict !== undefined);
+        const rejectedProjectIds = conflicts.map((conflict) => conflict.projectId);
+        const rejectedProjectIdSet = new Set(rejectedProjectIds);
+        const acceptedProjectIds = request.envelopes
+            .map((envelope) => envelope.projectId)
+            .filter((projectId) => !rejectedProjectIdSet.has(projectId));
+        const result = createProjectMemorySyncResult({
+            workspaceId,
+            createdAt,
+            acceptedProjectIds,
+            rejectedProjectIds,
+        });
+        const syncMetadata = createCloudSyncMetadata({
+            id: `sync_${randomUUID()}`,
+            request,
+            result,
+            completedAt: createdAt,
+        });
+        for (const envelope of request.envelopes) {
+            if (rejectedProjectIdSet.has(envelope.projectId)) {
+                continue;
+            }
+            workspaceState.projectFingerprints[envelope.projectId] = {
+                projectId: envelope.projectId,
+                fingerprint: projectMemoryFingerprint(envelope.memory),
+                lastSyncedAt: createdAt,
+            };
+        }
+        const queueEntry = createSyncQueueEntry({
+            id: `queue_${randomUUID()}`,
+            workspaceId,
+            cloudMode: "local-test",
+            requestedProjectIds: request.envelopes.map((envelope) => envelope.projectId),
+            acceptedProjectIds,
+            rejectedProjectIds,
+            status: rejectedProjectIds.length > 0 ? "pending_conflict" : "applied",
+            createdAt,
+            updatedAt: createdAt,
+            productionCloudRequestCompleted: false,
+            retryable: rejectedProjectIds.length > 0,
+        });
+        workspaceState.syncMetadata = [...workspaceState.syncMetadata, syncMetadata];
+        workspaceState.queue = [...workspaceState.queue, queueEntry];
+        syncStore.workspaces[workspaceId] = workspaceState;
+        await writeMetadataSyncStore(metadataSyncStorePath, syncStore);
+        if (acceptedProjectIds.length > 0) {
+            const acceptedProjectIdSet = new Set(acceptedProjectIds);
+            await writeProjectMemories(projectMemoryStorePath, localMemories.map((memory) => acceptedProjectIdSet.has(memory.id)
+                ? createAppProjectMemory({
+                    ...memory,
+                    cloudSync: {
+                        ...memory.cloudSync,
+                        lastSyncedAt: createdAt,
+                    },
+                })
+                : memory));
+        }
+        const pendingQueueDepth = workspaceState.queue.filter((entry) => entry.status === "pending_conflict").length;
+        const document = {
+            type: "cloud_metadata_sync_result",
+            version: 1,
+            mode: parsed.action,
+            cloudMode: "local-test",
+            localDemoSessionPresent: session !== undefined,
+            hostedAuthImplemented: false,
+            productionCloudPersistenceImplemented: false,
+            localTestPersistenceImplemented: true,
+            config: createRedactedCloudConfigReport("local-test", {
+                enabled: false,
+                apiBaseUrl: undefined,
+                authToken: undefined,
+                databaseDsn: env.APPFLEET_DATABASE_URL,
+                sources: {
+                    enabled: "default",
+                    apiBaseUrl: "missing",
+                    authToken: "missing",
+                    databaseDsn: env.APPFLEET_DATABASE_URL ? "env" : "missing",
+                },
+            }),
+            metadataSyncStorePath,
+            request,
+            result,
+            syncMetadata,
+            queue: {
+                addedEntryId: queueEntry.id,
+                pendingConflictCount: pendingQueueDepth,
+                latestStatus: queueEntry.status,
+            },
+            conflicts,
+            trustBoundary: [
+                "Persisted local-test sync metadata only.",
+                "Queued local sync attempts by project id and status only.",
+                "Did not upload to hosted AppFleet Cloud.",
+                "Did not persist project memory payloads, plaintext credential values, encrypted credential blobs, key wrappers, key material, command output, or secret fragments.",
+            ],
+        };
+        return {
+            exitCode: 0,
+            stdout: parsed.outputFormat === "json"
+                ? formatJson(document)
+                : formatCloudSync(document),
+            stderr: "",
+        };
+    }
+    catch (error) {
+        return {
+            exitCode: 1,
+            stdout: "",
+            stderr: `AppFleet cloud scaffold failed: ${errorMessage(error)}\n`,
+        };
+    }
+}
+function parseCloudSessionCommand(argv, env) {
+    const normalizedArgv = argv[0] === "--" ? argv.slice(1) : argv;
+    const namespace = normalizedArgv[0];
+    const action = normalizedArgv[1];
+    const outputFormat = hasFlag(normalizedArgv, "--json") ? "json" : "human";
+    if (namespace === "auth") {
+        if (action === "login") {
+            return {
+                namespace,
+                action,
+                workspaceId: readFlag(normalizedArgv, "--workspace") ?? "workspace_local",
+                email: readFlag(normalizedArgv, "--email"),
+                productionCloud: cloudProductionFlag(normalizedArgv, env),
+                productionCloudSource: cloudProductionSource(normalizedArgv, env),
+                apiBaseUrl: readFlag(normalizedArgv, "--api-base-url"),
+                outputFormat,
+            };
+        }
+        if (action === "logout") {
+            return {
+                namespace,
+                action,
+                productionCloud: cloudProductionFlag(normalizedArgv, env),
+                productionCloudSource: cloudProductionSource(normalizedArgv, env),
+                apiBaseUrl: readFlag(normalizedArgv, "--api-base-url"),
+                outputFormat,
+            };
+        }
+        throw new Error("usage: auth <login|logout> [arguments]");
+    }
+    if (namespace === "cloud") {
+        if (action === "sync") {
+            return {
+                namespace,
+                action,
+                workspaceId: readFlag(normalizedArgv, "--workspace"),
+                idempotencyKey: readFlag(normalizedArgv, "--idempotency-key"),
+                productionCloud: cloudProductionFlag(normalizedArgv, env),
+                productionCloudSource: cloudProductionSource(normalizedArgv, env),
+                apiBaseUrl: readFlag(normalizedArgv, "--api-base-url"),
+                outputFormat,
+            };
+        }
+        if (action === "metadata-sync") {
+            return {
+                namespace,
+                action,
+                workspaceId: readFlag(normalizedArgv, "--workspace"),
+                idempotencyKey: readFlag(normalizedArgv, "--idempotency-key"),
+                productionCloud: cloudProductionFlag(normalizedArgv, env),
+                productionCloudSource: cloudProductionSource(normalizedArgv, env),
+                apiBaseUrl: readFlag(normalizedArgv, "--api-base-url"),
+                outputFormat,
+            };
+        }
+        if (action === "resolve-conflict") {
+            const projectId = readFlag(normalizedArgv, "--project");
+            const resolution = readFlag(normalizedArgv, "--accept");
+            if (!projectId || (resolution !== "local" && resolution !== "remote")) {
+                throw new Error("usage: cloud resolve-conflict --project <project-id> --accept <local|remote> [--workspace <workspace-id>] [--json]");
+            }
+            return {
+                namespace,
+                action,
+                workspaceId: readFlag(normalizedArgv, "--workspace"),
+                projectId,
+                resolution,
+                outputFormat,
+            };
+        }
+        throw new Error("usage: cloud <sync|metadata-sync> [arguments]");
+    }
+    throw new Error("usage: auth <login|logout> or cloud <sync|metadata-sync>");
+}
+async function readSession(path) {
+    try {
+        return JSON.parse(await readFile(path, "utf8"));
+    }
+    catch (error) {
+        if (isNotFound(error)) {
+            return undefined;
+        }
+        throw error;
+    }
+}
+function safeSessionWorkspaceId(session) {
+    if (!session) {
+        return undefined;
+    }
+    return session.workspaceId;
+}
+async function writeJson(path, value) {
+    await mkdir(dirname(path), { recursive: true });
+    await writeFile(path, `${JSON.stringify(value, null, 2)}\n`, { mode: 0o600 });
+}
+function formatLogin(session, sessionPath) {
+    return `${[
+        "AppFleet auth scaffold: local-test hosted auth session metadata saved.",
+        `sessionPath=${sessionPath}`,
+        `sessionId=${session.sessionId}`,
+        `status=${session.status}`,
+        `workspaceId=${session.workspaceId}`,
+        `userId=${session.user.id}`,
+        `email=${session.email ?? "not-set"}`,
+        `expiresAt=${session.expiresAt}`,
+        "hostedAuthImplemented=false",
+        "productionCloudPersistence=false",
+        "localTestPersistence=true",
+        "secretMaterialStored=false",
+        "trustBoundary:",
+        ...session.trustBoundary.map((item) => `- ${item}`),
+    ].join("\n")}\n`;
+}
+function formatLogout(removedLocalSessionMetadata) {
+    return `${[
+        "AppFleet auth scaffold: logout complete.",
+        `removedLocalSessionMetadata=${removedLocalSessionMetadata}`,
+        `sessionStatus=${removedLocalSessionMetadata ? "logged_out" : "not_found"}`,
+        "hostedAuthSessionRevoked=false",
+        "productionCloudPersistence=false",
+        "localTestPersistence=true",
+    ].join("\n")}\n`;
+}
+function formatHostedLogin(document, sessionPath) {
+    return `${[
+        "AppFleet auth: hosted login metadata saved.",
+        `cloudMode=${document.cloudMode}`,
+        `status=${document.status}`,
+        `sessionPath=${sessionPath}`,
+        `sessionId=${document.session.sessionId}`,
+        `workspaceId=${document.session.workspaceId}`,
+        `userId=${document.session.user.id ?? "not-returned"}`,
+        `email=${document.session.user.email ?? "not-set"}`,
+        `expiresAt=${document.session.expiresAt ?? "not-returned"}`,
+        `apiBaseUrl=${document.config.api.baseUrl ?? "missing"}`,
+        `apiAuth=${document.config.api.auth.bearerToken}`,
+        "secretMaterialStored=false",
+        "trustBoundary:",
+        ...document.session.trustBoundary.map((item) => `- ${item}`),
+    ].join("\n")}\n`;
+}
+function formatHostedLogout(document) {
+    return `${[
+        "AppFleet auth: hosted logout complete.",
+        `cloudMode=${document.cloudMode}`,
+        `status=${document.status}`,
+        `removedLocalSessionMetadata=${document.removedLocalSessionMetadata}`,
+        `hostedAuthSessionRevoked=${document.hostedAuthSessionRevoked}`,
+        `sessionId=${document.session.sessionId}`,
+        `workspaceId=${document.session.workspaceId}`,
+        "trustBoundary:",
+        ...document.trustBoundary.map((item) => `- ${item}`),
+    ].join("\n")}\n`;
+}
+function formatCloudSync(document) {
+    return `${[
+        "AppFleet cloud sync: metadata persisted to local test store.",
+        `cloudMode=${document.cloudMode ?? "local-test"}`,
+        `workspaceId=${document.request.workspaceId}`,
+        `localDemoSessionPresent=${document.localDemoSessionPresent}`,
+        "hostedAuthImplemented=false",
+        "productionCloudPersistence=false",
+        `localTestPersistence=${document.localTestPersistenceImplemented}`,
+        `metadataSyncStorePath=${document.metadataSyncStorePath}`,
+        `envelopeCount=${document.request.envelopes.length}`,
+        `projectIds=${document.request.envelopes.map((envelope) => envelope.projectId).join(", ")}`,
+        `acceptedProjectIds=${document.result.acceptedProjectIds.join(", ")}`,
+        `rejectedProjectIds=${document.result.rejectedProjectIds.join(", ")}`,
+        `queueStatus=${document.queue.latestStatus}`,
+        `pendingConflictCount=${document.queue.pendingConflictCount}`,
+        ...document.conflicts.map((conflict) => `conflict projectId=${conflict.projectId} resolution=${conflict.resolution}`),
+        "trustBoundary:",
+        ...document.trustBoundary.map((item) => `- ${item}`),
+    ].join("\n")}\n`;
+}
+function formatConflictResolution(document) {
+    return `${[
+        "AppFleet cloud sync: conflict resolution state updated.",
+        `status=${document.status}`,
+        `workspaceId=${document.workspaceId}`,
+        `projectId=${document.projectId}`,
+        `resolution=${document.resolution}`,
+        `pendingConflictCount=${document.pendingConflictCount ?? "unknown"}`,
+        `metadataSyncStorePath=${document.metadataSyncStorePath}`,
+        "trustBoundary:",
+        ...document.trustBoundary.map((item) => `- ${item}`),
+    ].join("\n")}\n`;
+}
+function formatProductionMisconfigured(document) {
+    return `${[
+        "AppFleet cloud sync: production mode misconfigured.",
+        `cloudMode=${document.cloudMode}`,
+        `action=${document.mode}`,
+        `workspaceId=${document.workspaceId}`,
+        `status=${document.status}`,
+        `missing=${document.missing.join(", ")}`,
+        `apiBaseUrl=${document.config.api.baseUrl ?? "missing"}`,
+        `apiAuth=${document.config.api.auth.bearerToken}`,
+        `databaseDsn=${document.config.database.dsn}`,
+        "trustBoundary:",
+        ...document.trustBoundary.map((item) => `- ${item}`),
+    ].join("\n")}\n`;
+}
+function formatAuthMisconfigured(document) {
+    return `${[
+        "AppFleet auth: production mode misconfigured.",
+        `cloudMode=${document.cloudMode}`,
+        `action=${document.mode}`,
+        `workspaceId=${document.workspaceId}`,
+        `status=${document.status}`,
+        `missing=${document.missing.join(", ")}`,
+        `apiBaseUrl=${document.config.api.baseUrl ?? "missing"}`,
+        `apiAuth=${document.config.api.auth.bearerToken}`,
+        "trustBoundary:",
+        ...document.trustBoundary.map((item) => `- ${item}`),
+    ].join("\n")}\n`;
+}
+function formatHostedLogoutMissingSession(document) {
+    return `${[
+        "AppFleet auth: hosted logout failed closed.",
+        `cloudMode=${document.cloudMode}`,
+        `status=${document.status}`,
+        `apiBaseUrl=${document.config.api.baseUrl ?? "missing"}`,
+        `apiAuth=${document.config.api.auth.bearerToken}`,
+        "trustBoundary:",
+        ...document.trustBoundary.map((item) => `- ${item}`),
+    ].join("\n")}\n`;
+}
+function formatProductionCloudSync(document) {
+    return `${[
+        "AppFleet cloud sync: production metadata sync request completed.",
+        `cloudMode=${document.cloudMode}`,
+        `workspaceId=${document.request.body.workspaceId}`,
+        `localDemoSessionPresent=${document.localDemoSessionPresent}`,
+        `productionCloudPersistence=${document.productionCloudPersistenceImplemented}`,
+        `localTestPersistence=${document.localTestPersistenceImplemented}`,
+        `apiBaseUrl=${document.config.api.baseUrl ?? "missing"}`,
+        `apiAuth=${document.config.api.auth.bearerToken}`,
+        `databaseDsn=${document.config.database.dsn}`,
+        `idempotencyKey=${document.request.headers.idempotencyKey}`,
+        `attempts=${document.retry.attempts}`,
+        `transientFailureCount=${document.retry.transientFailureCount}`,
+        `envelopeCount=${document.request.body.envelopes.length}`,
+        `projectIds=${document.request.body.envelopes.map((envelope) => envelope.projectId).join(", ")}`,
+        `acceptedProjectIds=${document.result.acceptedProjectIds.join(", ")}`,
+        `rejectedProjectIds=${document.result.rejectedProjectIds.join(", ")}`,
+        `queueStatus=${document.queue?.latestStatus ?? "unknown"}`,
+        `pendingUploadCount=${document.queue?.pendingUploadCount ?? "unknown"}`,
+        `pendingConflictCount=${document.queue?.pendingConflictCount ?? "unknown"}`,
+        "trustBoundary:",
+        ...document.trustBoundary.map((item) => `- ${item}`),
+    ].join("\n")}\n`;
+}
+function formatProductionTransportFailed(document) {
+    return `${[
+        "AppFleet cloud sync: production metadata sync failed closed.",
+        `cloudMode=${document.cloudMode}`,
+        `status=${document.status}`,
+        `workspaceId=${document.request.body.workspaceId}`,
+        `localDemoSessionPresent=${document.localDemoSessionPresent}`,
+        `productionCloudPersistence=${document.productionCloudPersistenceImplemented}`,
+        `localTestPersistence=${document.localTestPersistenceImplemented}`,
+        `apiBaseUrl=${document.config.api.baseUrl ?? "missing"}`,
+        `apiAuth=${document.config.api.auth.bearerToken}`,
+        `databaseDsn=${document.config.database.dsn}`,
+        `idempotencyKey=${document.request.headers.idempotencyKey}`,
+        `attempts=${document.retry.attempts}`,
+        `maxRetries=${document.retry.maxRetries}`,
+        `transientFailureCount=${document.retry.transientFailureCount}`,
+        `retryExhausted=${document.retry.exhausted}`,
+        `envelopeCount=${document.request.body.envelopes.length}`,
+        `projectIds=${document.request.body.envelopes.map((envelope) => envelope.projectId).join(", ")}`,
+        "trustBoundary:",
+        ...document.trustBoundary.map((item) => `- ${item}`),
+    ].join("\n")}\n`;
+}
+function defaultSessionPath(projectRoot) {
+    return join(projectRoot, ".appfleet", "cloud-session.json");
+}
+function defaultAuthTokenPath(sessionPath) {
+    return join(dirname(sessionPath), "cloud-auth-token");
+}
+async function readAuthToken(path) {
+    try {
+        return stringOrUndefined(await readFile(path, "utf8"));
+    }
+    catch (error) {
+        if (isNotFound(error))
+            return undefined;
+        throw error;
+    }
+}
+async function writeAuthToken(path, token) {
+    await mkdir(dirname(path), { recursive: true });
+    await writeFile(path, token, { mode: 0o600 });
+    await chmod(path, 0o600);
+}
+function sessionExpiry(createdAt) {
+    const expiresAt = new Date(createdAt);
+    expiresAt.setUTCHours(expiresAt.getUTCHours() + 8);
+    return expiresAt;
+}
+function localUserId(workspaceId, email) {
+    return `local_user_${createHash("sha256")
+        .update(`${workspaceId}:${email ?? "anonymous"}`)
+        .digest("hex")
+        .slice(0, 16)}`;
+}
+function createZeroSecretBoundary() {
+    return {
+        storesBearerAuthMaterial: false,
+        storesOAuthRefreshMaterial: false,
+        storesSessionCookies: false,
+        storesProviderCredentials: false,
+        storesEncryptedCredentialBlobs: false,
+        storesKeyManagementMaterial: false,
+        storesCommandOutput: false,
+        storesSecretFragments: false,
+    };
+}
+function cloudProductionFlag(argv, env) {
+    if (hasFlag(argv, "--production-cloud")) {
+        return true;
+    }
+    return (env.APPFLEET_PRODUCTION_CLOUD_ENABLED === "true" ||
+        env.APPFLEET_CLOUD_MODE === "production");
+}
+function cloudProductionSource(argv, env) {
+    if (hasFlag(argv, "--production-cloud")) {
+        return "flag";
+    }
+    if (productionEnvEnabled(env)) {
+        return "env";
+    }
+    return "default";
+}
+function resolveProductionCloudConfig(parsed, env) {
+    const apiBaseUrl = parsed.apiBaseUrl ?? env.APPFLEET_API_BASE_URL;
+    return {
+        enabled: parsed.productionCloud,
+        apiBaseUrl,
+        authToken: env.APPFLEET_CLOUD_AUTH_TOKEN,
+        databaseDsn: env.APPFLEET_DATABASE_URL,
+        sources: {
+            enabled: parsed.productionCloudSource,
+            apiBaseUrl: parsed.apiBaseUrl
+                ? "flag"
+                : env.APPFLEET_API_BASE_URL
+                    ? "env"
+                    : "missing",
+            authToken: env.APPFLEET_CLOUD_AUTH_TOKEN
+                ? env.APPFLEET_CLOUD_AUTH_TOKEN_SOURCE === "device_store"
+                    ? "device_store"
+                    : "env"
+                : "missing",
+            databaseDsn: env.APPFLEET_DATABASE_URL ? "env" : "missing",
+        },
+    };
+}
+function productionEnvEnabled(env) {
+    return (env.APPFLEET_PRODUCTION_CLOUD_ENABLED === "true" ||
+        env.APPFLEET_CLOUD_MODE === "production");
+}
+function missingProductionConfig(config) {
+    return [
+        config.apiBaseUrl ? undefined : "APPFLEET_API_BASE_URL or --api-base-url",
+        config.authToken ? undefined : "APPFLEET_CLOUD_AUTH_TOKEN",
+    ].filter((value) => value !== undefined);
+}
+function missingProductionAuthConfig(config) {
+    return [
+        config.apiBaseUrl ? undefined : "APPFLEET_API_BASE_URL or --api-base-url",
+    ].filter((value) => value !== undefined);
+}
+function resolveHostedAuthTimeoutMs(env, override) {
+    const raw = override ?? Number.parseInt(env.APPFLEET_HOSTED_AUTH_TIMEOUT_MS ?? "", 10);
+    return Number.isFinite(raw) && raw > 0 ? raw : 120_000;
+}
+function createRedactedCloudConfigReport(mode, config) {
+    return {
+        type: "cloud_config_report",
+        mode,
+        productionCloudEnabled: config.enabled,
+        api: {
+            baseUrl: redactUrl(config.apiBaseUrl),
+            source: config.sources.apiBaseUrl,
+            auth: {
+                bearerToken: config.authToken ? "configured_redacted" : "missing",
+                source: config.sources.authToken,
+            },
+        },
+        database: {
+            dsn: config.databaseDsn ? "configured_redacted" : "missing",
+            source: config.sources.databaseDsn,
+        },
+        redaction: {
+            tokens: "redacted",
+            cookies: "redacted",
+            dsns: "redacted",
+            secrets: "redacted",
+            commandOutput: "omitted",
+            encryptedBlobIds: "omitted",
+            keyManagementMaterial: "omitted",
+        },
+    };
+}
+function createProductionMisconfiguredReport(input) {
+    return {
+        type: "cloud_metadata_sync_result",
+        version: 1,
+        mode: input.action,
+        cloudMode: "production",
+        status: "misconfigured",
+        workspaceId: input.workspaceId,
+        productionCloudPersistenceImplemented: false,
+        localTestPersistenceImplemented: false,
+        config: input.configReport,
+        missing: input.missing,
+        requestBuilt: false,
+        syncAttempted: false,
+        trustBoundary: [
+            "Production cloud mode was explicitly enabled, but required API/auth config is missing.",
+            "Failed closed before reading or writing local sync metadata.",
+            "No tokens, cookies, DSNs, secrets, command output, encrypted blob ids, or key wrappers are printed.",
+        ],
+    };
+}
+function createProductionTransportFailedReport(input) {
+    return {
+        type: "cloud_metadata_sync_result",
+        version: 1,
+        mode: input.action,
+        cloudMode: input.mode,
+        status: "transport_failed",
+        localDemoSessionPresent: input.localDemoSessionPresent,
+        hostedSessionMetadataPresent: input.hostedSessionMetadataPresent,
+        hostedAuthImplemented: false,
+        productionCloudPersistenceImplemented: false,
+        productionCloudRequestCompleted: false,
+        localTestPersistenceImplemented: false,
+        localQueuePreserved: true,
+        conflictMetadataPreserved: true,
+        config: input.configReport,
+        request: input.request,
+        retry: input.retry,
+        requestBuilt: true,
+        syncAttempted: true,
+        failure: {
+            category: input.retry.exhausted
+                ? "transient_transport_exhausted"
+                : "transport_failed",
+            message: "Production metadata sync failed closed without printing transport details.",
+        },
+        trustBoundary: [
+            "Production cloud mode was explicitly enabled.",
+            "The request descriptor contains sanitized project metadata only.",
+            "Safe transient transport failures were retried with the same idempotency key.",
+            "Failed closed without mutating the local queue, conflict metadata, project memory sync timestamps, or local-test sync store.",
+            "Bearer auth material, cookies, DSNs, provider credentials, encrypted credential blob ids, key wrappers, command output, transport response bodies, and secret fragments are redacted or omitted from output.",
+        ],
+    };
+}
+function createAuthMisconfiguredReport(input) {
+    return {
+        type: "hosted_auth_result",
+        version: 1,
+        mode: input.action,
+        cloudMode: "production",
+        status: "misconfigured",
+        workspaceId: input.workspaceId,
+        productionCloudPersistenceImplemented: false,
+        localTestPersistenceImplemented: false,
+        config: input.configReport,
+        missing: input.missing,
+        requestBuilt: false,
+        authAttempted: false,
+        trustBoundary: [
+            "Production auth mode was explicitly enabled, but required API/auth config is missing.",
+            "Failed closed before creating, revoking, or storing hosted session metadata.",
+            "No tokens, cookies, DSNs, secrets, command output, encrypted blob ids, or key wrappers are printed.",
+        ],
+    };
+}
+function createHostedLogoutMissingSessionReport(input) {
+    return {
+        type: "hosted_auth_logout_result",
+        version: 1,
+        cloudMode: "production",
+        status: "missing_hosted_session",
+        removedLocalSessionMetadata: false,
+        hostedAuthSessionRevoked: false,
+        loggedOutAt: input.loggedOutAt,
+        config: input.configReport,
+        requestBuilt: false,
+        authAttempted: false,
+        zeroSecretBoundary: createZeroSecretBoundary(),
+        trustBoundary: [
+            "Production hosted logout requires existing hosted session metadata.",
+            "Failed closed before calling the hosted logout endpoint.",
+            "No bearer auth material, OAuth refresh material, session cookie, key material, provider credential, encrypted credential blob, command output, or secret fragment was printed or stored.",
+        ],
+    };
+}
+export function buildProductionCloudMetadataSyncRequest(input) {
+    const baseUrl = new URL(input.apiBaseUrl);
+    const url = new URL(`/api/workspaces/${encodeURIComponent(input.workspaceId)}/metadata-sync`, baseUrl);
+    const safeMemories = input.memories.map(cloudSafeProjectMemory);
+    const idempotencyKey = input.idempotencyKey ??
+        createMetadataSyncIdempotencyKey({
+            workspaceId: input.workspaceId,
+            createdAt: input.createdAt,
+            memories: safeMemories,
+        });
+    return {
+        method: "POST",
+        url: redactUrl(url.toString()) ?? url.toString(),
+        headers: {
+            accept: "application/json",
+            contentType: "application/json",
+            authorization: "bearer_env_redacted",
+            idempotencyKey,
+        },
+        body: {
+            idempotencyKey,
+            workspaceId: input.workspaceId,
+            createdAt: input.createdAt,
+            envelopes: safeMemories.map((memory) => ({
+                type: "project_memory_sync",
+                version: 1,
+                workspaceId: input.workspaceId,
+                projectId: memory.id,
+                createdAt: input.createdAt,
+                memory,
+            })),
+        },
+        redaction: {
+            tokens: "redacted",
+            cookies: "redacted",
+            dsns: "redacted",
+            secrets: "redacted",
+            commandOutput: "omitted",
+            encryptedBlobIds: "omitted",
+            keyManagementMaterial: "omitted",
+        },
+    };
+}
+async function runProductionMetadataSyncWithRetry(input) {
+    const maxRetries = Math.max(0, input.maxRetries);
+    let attempts = 0;
+    let transientFailureCount = 0;
+    while (attempts <= maxRetries) {
+        attempts += 1;
+        try {
+            const result = await input.transport(input.request, {
+                authToken: input.authToken,
+                configReport: input.configReport,
+            });
+            return {
+                status: "completed",
+                result,
+                retry: {
+                    attempts,
+                    maxRetries,
+                    transientFailureCount,
+                    exhausted: false,
+                    idempotencyKey: input.request.headers.idempotencyKey,
+                },
+            };
+        }
+        catch (error) {
+            const isTransient = isTransientTransportFailure(error);
+            if (isTransient) {
+                transientFailureCount += 1;
+            }
+            if (!isTransient || attempts > maxRetries) {
+                return {
+                    status: "failed",
+                    retry: {
+                        attempts,
+                        maxRetries,
+                        transientFailureCount,
+                        exhausted: isTransient,
+                        idempotencyKey: input.request.headers.idempotencyKey,
+                    },
+                };
+            }
+        }
+    }
+    return {
+        status: "failed",
+        retry: {
+            attempts,
+            maxRetries,
+            transientFailureCount,
+            exhausted: true,
+            idempotencyKey: input.request.headers.idempotencyKey,
+        },
+    };
+}
+function isTransientTransportFailure(error) {
+    if (typeof error !== "object" || error === null) {
+        return false;
+    }
+    const record = error;
+    if (record.transient === true) {
+        return true;
+    }
+    const status = typeof record.status === "number"
+        ? record.status
+        : typeof record.statusCode === "number"
+            ? record.statusCode
+            : httpStatusFromMessage(error);
+    if (status !== undefined) {
+        return status === 408 || status === 425 || status === 429 || status >= 500;
+    }
+    const code = typeof record.code === "string" ? record.code : undefined;
+    return (code === "ECONNRESET" ||
+        code === "ETIMEDOUT" ||
+        code === "EAI_AGAIN" ||
+        code === "ENETUNREACH" ||
+        code === "ECONNREFUSED");
+}
+function httpStatusFromMessage(error) {
+    if (!(error instanceof Error)) {
+        return undefined;
+    }
+    const match = error.message.match(/\bHTTP\s+(\d{3})\b/i);
+    if (!match) {
+        return undefined;
+    }
+    return Number.parseInt(match[1], 10);
+}
+function buildHostedAuthRequest(input) {
+    const baseUrl = new URL(input.apiBaseUrl);
+    const url = new URL("/auth/hosted", baseUrl);
+    if (input.workspaceId) {
+        url.searchParams.set("workspaceId", input.workspaceId);
+    }
+    if (input.email) {
+        url.searchParams.set("email", input.email);
+    }
+    if (input.sessionId) {
+        url.searchParams.set("cliLogoutSessionId", input.sessionId);
+    }
+    url.searchParams.set("cliAction", input.action);
+    return {
+        method: "POST",
+        url: redactUrl(url.toString()) ?? url.toString(),
+        headers: {
+            accept: "application/json",
+            contentType: "application/json",
+        },
+        body: {
+            workspaceId: input.workspaceId,
+            email: input.email,
+            sessionId: input.sessionId,
+        },
+        redaction: {
+            tokens: "redacted",
+            cookies: "redacted",
+            dsns: "redacted",
+            secrets: "redacted",
+            commandOutput: "omitted",
+            encryptedBlobIds: "omitted",
+            keyManagementMaterial: "omitted",
+        },
+    };
+}
+function createHostedSessionMetadata(input) {
+    const workspaceId = input.result.workspaceId ?? input.requestedWorkspaceId;
+    return {
+        type: "hosted_cloud_session_metadata",
+        version: 1,
+        sessionId: input.result.sessionId ?? `hosted_${randomUUID()}`,
+        status: "active",
+        workspaceId,
+        workspace: {
+            id: workspaceId,
+            source: input.result.workspaceId ? "hosted_appfleet_api" : "cli_override",
+        },
+        user: {
+            id: input.result.userId,
+            email: input.result.email ?? input.requestedEmail,
+            source: input.result.userId
+                ? "hosted_appfleet_api"
+                : input.requestedEmail
+                    ? "cli_override"
+                    : "not_returned",
+        },
+        createdAt: input.createdAt.toISOString(),
+        expiresAt: input.result.expiresAt,
+        hostedAuthImplemented: true,
+        productionCloudPersistenceImplemented: true,
+        localTestPersistenceImplemented: false,
+        secretMaterialStored: false,
+        auth: {
+            source: "hosted_browser_session",
+            tokensStored: false,
+            cookiesStored: false,
+            localCallbackStored: false,
+        },
+        zeroSecretBoundary: createZeroSecretBoundary(),
+        trustBoundary: [
+            "Hosted auth was explicitly enabled and completed through an authenticated API contract.",
+            "The session metadata file stores only workspace/user labels, status, and expiry metadata.",
+            "The short-lived Clerk session token is isolated in a mode-0600 local credential file and is never printed or included in project memory.",
+            "No OAuth refresh material, session cookie, key material, provider credential, encrypted credential blob, command output, or secret fragment is stored.",
+        ],
+    };
+}
+function createMetadataSyncIdempotencyKey(input) {
+    const projectIds = input.memories.map((memory) => memory.id).sort();
+    const digest = createHash("sha256")
+        .update(JSON.stringify({ workspaceId: input.workspaceId, projectIds }))
+        .digest("hex")
+        .slice(0, 16);
+    return `metadata-sync:${input.workspaceId}:${input.createdAt}:${digest}`;
+}
+async function defaultProductionCloudTransport(request, context) {
+    const response = await fetch(request.url, {
+        method: request.method,
+        headers: {
+            Accept: request.headers.accept,
+            "Content-Type": request.headers.contentType,
+            Authorization: `Bearer ${context.authToken}`,
+            "Idempotency-Key": request.headers.idempotencyKey,
+        },
+        body: JSON.stringify(request.body),
+    });
+    if (!response.ok) {
+        const error = new Error(`production cloud API request failed with HTTP ${response.status}`);
+        error.status = response.status;
+        throw error;
+    }
+    const parsed = (await response.json());
+    return normalizeProductionMetadataSyncResponse(parsed);
+}
+function normalizeProductionMetadataSyncResponse(parsed) {
+    const routeAcceptedProjectIds = parsed.data?.sync?.acceptedProjectIds ??
+        parsed.data?.projects
+            ?.map((project) => project.projectId ?? project.id)
+            .filter((projectId) => projectId !== undefined);
+    return {
+        acceptedProjectIds: parsed.acceptedProjectIds ?? routeAcceptedProjectIds ?? [],
+        rejectedProjectIds: parsed.rejectedProjectIds ?? parsed.data?.sync?.rejectedProjectIds ?? [],
+    };
+}
+async function defaultHostedAuthTransport(request, context) {
+    const state = `cli_${randomUUID()}`;
+    const callback = await createHostedAuthCallbackServer({
+        expectedState: state,
+        timeoutMs: context.timeoutMs,
+    });
+    try {
+        const browserUrl = new URL(request.url);
+        browserUrl.searchParams.set("cliCallback", callback.url);
+        browserUrl.searchParams.set("cliState", state);
+        browserUrl.searchParams.set("cliAction", context.action);
+        if (request.body.workspaceId) {
+            browserUrl.searchParams.set("workspaceId", request.body.workspaceId);
+        }
+        if (request.body.email) {
+            browserUrl.searchParams.set("email", request.body.email);
+        }
+        if (request.body.sessionId) {
+            browserUrl.searchParams.set("cliLogoutSessionId", request.body.sessionId);
+        }
+        openHostedAuthBrowser(browserUrl.toString());
+        const result = await callback.result;
+        if (context.action === "logout") {
+            return {
+                sessionId: result.sessionId,
+                workspaceId: result.workspaceId,
+                revoked: result.revoked === "true",
+            };
+        }
+        return {
+            sessionId: result.sessionId,
+            workspaceId: result.workspaceId,
+            userId: result.userId,
+            email: result.email,
+            expiresAt: result.expiresAt,
+            authToken: result.authToken,
+        };
+    }
+    finally {
+        await closeServer(callback.server);
+    }
+}
+async function createHostedAuthCallbackServer(input) {
+    let settle;
+    let reject;
+    const result = new Promise((resolve, rejectPromise) => {
+        settle = resolve;
+        reject = rejectPromise;
+    });
+    const timeout = setTimeout(() => {
+        reject?.(new Error("hosted auth browser callback timed out before a Clerk-backed session was completed"));
+    }, input.timeoutMs);
+    const server = createServer((request, response) => {
+        try {
+            const url = new URL(request.url ?? "/", "http://127.0.0.1");
+            const state = url.searchParams.get("cliState");
+            if (state !== input.expectedState) {
+                response.writeHead(400, { "Content-Type": "text/plain; charset=utf-8" });
+                response.end("AppFleet hosted auth callback rejected.");
+                return;
+            }
+            const fields = {
+                sessionId: stringOrUndefined(url.searchParams.get("sessionId") ?? undefined),
+                workspaceId: stringOrUndefined(url.searchParams.get("workspaceId") ?? undefined),
+                userId: stringOrUndefined(url.searchParams.get("userId") ?? undefined),
+                email: stringOrUndefined(url.searchParams.get("email") ?? undefined),
+                expiresAt: stringOrUndefined(url.searchParams.get("expiresAt") ?? undefined),
+                revoked: stringOrUndefined(url.searchParams.get("revoked") ?? undefined),
+                authToken: stringOrUndefined(url.searchParams.get("sessionToken") ?? undefined),
+            };
+            clearTimeout(timeout);
+            settle?.(fields);
+            response.writeHead(200, { "Content-Type": "text/plain; charset=utf-8" });
+            response.end("AppFleet hosted auth complete. You can close this tab.");
+        }
+        catch (error) {
+            clearTimeout(timeout);
+            reject?.(error);
+            response.writeHead(500, { "Content-Type": "text/plain; charset=utf-8" });
+            response.end("AppFleet hosted auth callback failed.");
+        }
+    });
+    await new Promise((resolve, rejectListen) => {
+        server.once("error", rejectListen);
+        server.listen(0, "127.0.0.1", () => {
+            server.off("error", rejectListen);
+            resolve();
+        });
+    });
+    const address = server.address();
+    if (!address || typeof address === "string") {
+        await closeServer(server);
+        throw new Error("hosted auth callback server did not bind to a local port");
+    }
+    return {
+        url: `http://127.0.0.1:${address.port}/callback`,
+        server,
+        result,
+    };
+}
+function openHostedAuthBrowser(url) {
+    const command = process.platform === "darwin"
+        ? "open"
+        : process.platform === "win32"
+            ? "cmd"
+            : "xdg-open";
+    const args = process.platform === "win32" ? ["/c", "start", "", url] : [url];
+    const child = spawn(command, args, {
+        detached: true,
+        stdio: "ignore",
+    });
+    child.unref();
+}
+async function closeServer(server) {
+    if (!server.listening) {
+        return;
+    }
+    await new Promise((resolve) => {
+        server.close(() => resolve());
+    });
+}
+function stringOrUndefined(value) {
+    const trimmed = value?.trim();
+    return trimmed ? trimmed : undefined;
+}
+function cloudSafeProjectMemory(memory) {
+    return createAppProjectMemory({
+        ...memory,
+        identity: {
+            id: memory.identity.id,
+            name: memory.identity.name,
+            repoUrl: sanitizeUrl(memory.identity.repoUrl),
+            gitRemoteFingerprint: memory.identity.gitRemoteFingerprint,
+            rememberedLocalPaths: [],
+        },
+        canonicalUrl: sanitizeUrl(memory.canonicalUrl) ?? memory.canonicalUrl,
+        rememberedUrls: memory.rememberedUrls
+            .map((url) => sanitizeUrl(url))
+            .filter((url) => url !== undefined),
+        domain: {
+            canonicalUrl: sanitizeUrl(memory.domain.canonicalUrl) ?? memory.domain.canonicalUrl,
+            rememberedUrls: memory.domain.rememberedUrls
+                .map((url) => sanitizeUrl(url))
+                .filter((url) => url !== undefined),
+            customDomainBought: memory.domain.customDomainBought,
+            notes: "Omitted from metadata sync to preserve the zero-secret boundary.",
+        },
+        providers: memory.providers.map((provider) => ({
+            id: provider.id,
+            name: provider.name,
+            kind: provider.kind,
+            role: "metadata",
+            status: provider.status,
+        })),
+        environmentAliases: memory.environmentAliases.map((alias) => ({
+            name: alias.name,
+            purpose: "Alias name only; purpose omitted from metadata sync.",
+            required: alias.required,
+            valueStored: false,
+        })),
+        credentialReferences: [],
+        troubleshootingNotes: [],
+        latestCheck: memory.latestCheck
+            ? {
+                checkedAt: memory.latestCheck.checkedAt,
+                url: sanitizeUrl(memory.latestCheck.url) ?? memory.latestCheck.url,
+                status: memory.latestCheck.status,
+                latencyMs: memory.latestCheck.latencyMs,
+                responseTimeMs: memory.latestCheck.responseTimeMs,
+                httpStatusCode: memory.latestCheck.httpStatusCode,
+                failureCategory: memory.latestCheck.failureCategory,
+            }
+            : undefined,
+        latestDoctorReport: memory.latestDoctorReport
+            ? {
+                ...memory.latestDoctorReport,
+                gitRemoteFingerprint: memory.latestDoctorReport.gitRemoteFingerprint,
+                latestCheck: memory.latestDoctorReport.latestCheck
+                    ? {
+                        ...memory.latestDoctorReport.latestCheck,
+                        url: sanitizeUrl(memory.latestDoctorReport.latestCheck.url) ??
+                            memory.latestDoctorReport.latestCheck.url,
+                        message: undefined,
+                    }
+                    : undefined,
+                findings: memory.latestDoctorReport.findings.map((finding) => ({
+                    ...finding,
+                    evidence: undefined,
+                })),
+            }
+            : undefined,
+        nextPlaceToLook: [],
+    });
+}
+function defaultProjectMemoryStorePath(projectRoot) {
+    return join(projectRoot, ".appfleet", "project-memory.json");
+}
+function defaultMetadataSyncStorePath(projectRoot) {
+    return join(projectRoot, ".appfleet", "cloud-metadata-sync.json");
+}
+async function readMetadataSyncStore(path) {
+    try {
+        const parsed = JSON.parse(await readFile(path, "utf8"));
+        const workspaces = {};
+        for (const [workspaceId, state] of Object.entries(parsed.workspaces ?? {})) {
+            workspaces[workspaceId] = {
+                projectFingerprints: state.projectFingerprints ?? {},
+                syncMetadata: state.syncMetadata ?? [],
+                queue: (state.queue ?? []).map((entry) => createLocalMetadataSyncQueueEntry({
+                    ...entry,
+                    type: "local_metadata_sync_queue_entry",
+                    version: 1,
+                    cloudMode: entry.cloudMode ?? "local-test",
+                    updatedAt: entry.updatedAt ?? entry.createdAt,
+                    productionCloudRequestCompleted: entry.productionCloudRequestCompleted ?? false,
+                    retryable: entry.retryable ?? entry.status === "pending_conflict",
+                    containsProjectMemoryPayload: false,
+                    containsCredentialValues: false,
+                    containsCommandOutput: false,
+                    containsEncryptedBlobPayload: false,
+                    storesDecryptedMaterial: false,
+                })),
+                conflicts: (state.conflicts ?? []).map(createCloudSyncRuntimeConflictState),
+            };
+        }
+        return {
+            ...createEmptyMetadataSyncStore(),
+            ...parsed,
+            workspaces,
+        };
+    }
+    catch (error) {
+        if (isNotFound(error)) {
+            return createEmptyMetadataSyncStore();
+        }
+        throw error;
+    }
+}
+async function writeMetadataSyncStore(path, store) {
+    await mkdir(dirname(path), { recursive: true });
+    await writeFile(path, `${JSON.stringify(store, null, 2)}\n`, { mode: 0o600 });
+}
+function createEmptyMetadataSyncStore() {
+    return {
+        type: "local_metadata_sync_store",
+        version: 1,
+        workspaces: {},
+        zeroSecretBoundary: {
+            storesProjectMemoryPayload: false,
+            storesPlaintextCredentials: false,
+            storesEncryptedCredentialBlobs: false,
+            storesKeyMaterial: false,
+            storesCommandOutput: false,
+            storesSecretFragments: false,
+        },
+    };
+}
+function getWorkspaceSyncState(store, workspaceId) {
+    return store.workspaces[workspaceId] ?? {
+        projectFingerprints: {},
+        syncMetadata: [],
+        queue: [],
+        conflicts: [],
+    };
+}
+function createSyncQueueEntry(entry) {
+    return createLocalMetadataSyncQueueEntry({
+        type: "local_metadata_sync_queue_entry",
+        version: 1,
+        ...entry,
+        containsProjectMemoryPayload: false,
+        containsCredentialValues: false,
+        containsCommandOutput: false,
+        containsEncryptedBlobPayload: false,
+        storesDecryptedMaterial: false,
+    });
+}
+function upsertRuntimeConflict(input) {
+    const state = createCloudSyncRuntimeConflictState({
+        type: "cloud_sync_runtime_conflict_state",
+        version: 1,
+        id: `conflict_${input.workspaceId}_${input.projectId}`,
+        workspaceId: input.workspaceId,
+        projectId: input.projectId,
+        status: "pending",
+        detectedAt: input.detectedAt,
+        localLastSyncedAt: input.localLastSyncedAt ?? "never",
+        remoteLastSyncedAt: input.remoteLastSyncedAt,
+        localMetadataFingerprint: input.localFingerprint,
+        remoteMetadataFingerprint: input.remoteFingerprint,
+        safeMetadataFields: [
+            "projectId",
+            "name",
+            "repoUrl",
+            "gitRemoteFingerprint",
+            "canonicalUrl",
+            "rememberedUrls",
+            "providerNames",
+            "environmentAliases",
+            "credentialMetadataIds",
+            "cloudSyncStatus",
+        ],
+        resolution: "manual_review_required",
+        productionReady: false,
+        productionReadiness: "local_test_metadata_persistence",
+        containsCredentialValues: false,
+        containsCommandOutput: false,
+        containsEncryptedBlobPayload: false,
+        storesProjectMemoryPayload: false,
+        storesDecryptedMaterial: false,
+    });
+    return [
+        ...input.conflicts.filter((conflict) => !(conflict.workspaceId === input.workspaceId &&
+            conflict.projectId === input.projectId &&
+            conflict.status === "pending")),
+        state,
+    ];
+}
+function projectMemoryFingerprint(memory) {
+    return createHash("sha256")
+        .update(JSON.stringify(cloudSafeProjectMemory(memory)))
+        .digest("hex");
+}
+function sanitizeUrl(value) {
+    if (!value) {
+        return undefined;
+    }
+    try {
+        const parsed = new URL(value);
+        parsed.username = "";
+        parsed.password = "";
+        parsed.search = "";
+        parsed.hash = "";
+        return parsed.toString();
+    }
+    catch {
+        return undefined;
+    }
+}
+function redactUrl(value) {
+    if (!value) {
+        return undefined;
+    }
+    try {
+        const parsed = new URL(value);
+        parsed.username = "";
+        parsed.password = "";
+        parsed.search = "";
+        parsed.hash = "";
+        return parsed.toString();
+    }
+    catch {
+        return "invalid_redacted";
+    }
+}
+function readFlag(argv, flag) {
+    const index = argv.indexOf(flag);
+    if (index === -1) {
+        return undefined;
+    }
+    return argv[index + 1];
+}
+function hasFlag(argv, flag) {
+    return argv.includes(flag);
+}
+function formatJson(value) {
+    return `${JSON.stringify(value, null, 2)}\n`;
+}
+function isNotFound(error) {
+    return (typeof error === "object" &&
+        error !== null &&
+        "code" in error &&
+        error.code === "ENOENT");
+}
+function errorMessage(error) {
+    return error instanceof Error ? error.message : String(error);
+}