@appfleet-cli/cli 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (28) hide show
  1. package/README.md +14 -0
  2. package/dist/appfleet.d.ts +4 -0
  3. package/dist/appfleet.js +12253 -0
  4. package/dist/audit.d.ts +10 -0
  5. package/dist/audit.js +85 -0
  6. package/dist/billing-cost.d.ts +8 -0
  7. package/dist/billing-cost.js +186 -0
  8. package/dist/cloud-session.d.ts +124 -0
  9. package/dist/cloud-session.js +1819 -0
  10. package/dist/command-registry.d.ts +18 -0
  11. package/dist/command-registry.js +1067 -0
  12. package/dist/demo-fixture.d.ts +11 -0
  13. package/dist/demo-fixture.js +39 -0
  14. package/dist/generate-cli-docs.d.ts +1 -0
  15. package/dist/generate-cli-docs.js +94 -0
  16. package/dist/health.d.ts +8 -0
  17. package/dist/health.js +60 -0
  18. package/dist/local-vault.d.ts +75 -0
  19. package/dist/local-vault.js +1169 -0
  20. package/dist/operations.d.ts +8 -0
  21. package/dist/operations.js +220 -0
  22. package/dist/project-memory.d.ts +138 -0
  23. package/dist/project-memory.js +1529 -0
  24. package/dist/prototype-inject.d.ts +21 -0
  25. package/dist/prototype-inject.js +170 -0
  26. package/dist/provider-integrations.d.ts +8 -0
  27. package/dist/provider-integrations.js +197 -0
  28. package/package.json +45 -0
package/dist/command-registry.js ADDED
@@ -0,0 +1,1067 @@
1
+ export const cliCommandDocs = [
2
+ {
3
+ namespace: "appfleet",
4
+ name: "link",
5
+ summary: "Link local project memory to the signed-in hosted AppFleet workspace.",
6
+ usage: "appfleet link [--json]",
7
+ arguments: [],
8
+ options: [{ flags: "--json", description: "Emit machine-readable JSON." }],
9
+ examples: ["appfleet link", "appfleet link --json"],
10
+ reads: [".appfleet/cloud-session.json", ".appfleet/project-memory.json"],
11
+ writes: ["hosted project metadata and local metadata-sync state after authorization"],
12
+ secretSafety: [
13
+ "Uploads safe project metadata and the latest safe doctor report only.",
14
+ "Never uploads environment values, credential values, command output, key wrappers, or provider payloads.",
15
+ ],
16
+ },
17
+ {
18
+ namespace: "appfleet",
19
+ name: "init",
20
+ summary: "Run the first-time local setup flow for the current project.",
21
+ usage: "appfleet init --url <url> [path] [options]",
22
+ arguments: ["path: optional project path; defaults to the caller directory."],
23
+ options: [
24
+ { flags: "--url <url>", description: "Canonical project URL to import." },
25
+ { flags: "--project <project>", description: "Project id to use when importing." },
26
+ { flags: "--name <name>", description: "Human project name." },
27
+ { flags: "--json", description: "Emit machine-readable JSON." },
28
+ ],
29
+ examples: [
30
+ "appfleet init --url https://atlas-notes.example.com",
31
+ "appfleet init /path/to/app --url https://atlas-notes.example.com --project atlas-notes",
32
+ "appfleet init --url https://atlas-notes.example.com --json",
33
+ ],
34
+ reads: [
35
+ "package.json and safe source/config files under the project path",
36
+ "target project git origin remote",
37
+ ],
38
+ writes: [".appfleet/project-memory.json"],
39
+ secretSafety: [
40
+ "Runs safe discovery and import only.",
41
+ "Skips .env files, .appfleet, node_modules, .git, test files, and build output.",
42
+ "Does not ask for or store secret values.",
43
+ "Does not call provider APIs or infer provider health.",
44
+ ],
45
+ },
46
+ {
47
+ namespace: "auth",
48
+ name: "login",
49
+ summary: "Create local-test session metadata by default, or hosted session metadata when production cloud is explicitly enabled.",
50
+ usage: "appfleet auth login [--workspace <workspace-id>] [--email <email>] [--production-cloud] [--api-base-url <url>] [--json]",
51
+ arguments: [],
52
+ options: [
53
+ { flags: "--workspace <workspace-id>", description: "Workspace id for local-test or hosted session metadata." },
54
+ { flags: "--email <email>", description: "Optional non-secret user label for local-test identity or hosted login metadata." },
55
+ { flags: "--production-cloud", description: "Explicitly use hosted auth mode; also requires API/auth env config." },
56
+ { flags: "--api-base-url <url>", description: "Production AppFleet API base URL; overrides APPFLEET_API_BASE_URL." },
57
+ { flags: "--json", description: "Emit machine-readable JSON." },
58
+ ],
59
+ examples: [
60
+ "appfleet auth login --workspace workspace_test",
61
+ "appfleet auth login --workspace workspace_test --email demo@example.com --json",
62
+ "APPFLEET_API_BASE_URL=https://appfleet.xyz appfleet auth login --production-cloud --workspace workspace_prod --json",
63
+ ],
64
+ reads: [".appfleet/cloud-session.json if it already exists"],
65
+ writes: [".appfleet/cloud-session.json local-test or hosted redacted session metadata with status and expiry"],
66
+ secretSafety: [
67
+ "Stores user/workspace identity, session status, expiry metadata, and redacted auth source metadata only.",
68
+ "In production mode, opens the hosted browser auth page and completes through a Clerk-backed local callback; APPFLEET_CLOUD_AUTH_TOKEN is not used for login.",
69
+ "Does not store access tokens, refresh tokens, cookies, provider credentials, encrypted credential blobs, key wrappers, command output, secret fragments, or secret values.",
70
+ ],
71
+ },
72
+ {
73
+ namespace: "auth",
74
+ name: "logout",
75
+ summary: "Log out of local-test session metadata by default, or revoke hosted session metadata when production cloud is explicitly enabled.",
76
+ usage: "appfleet auth logout [--production-cloud] [--api-base-url <url>] [--json]",
77
+ arguments: [],
78
+ options: [
79
+ { flags: "--production-cloud", description: "Explicitly use hosted logout mode; also requires API/auth env config and hosted session metadata." },
80
+ { flags: "--api-base-url <url>", description: "Production AppFleet API base URL; overrides APPFLEET_API_BASE_URL." },
81
+ { flags: "--json", description: "Emit machine-readable JSON." },
82
+ ],
83
+ examples: [
84
+ "appfleet auth logout",
85
+ "appfleet auth logout --json",
86
+ "APPFLEET_API_BASE_URL=https://appfleet.xyz appfleet auth logout --production-cloud --json",
87
+ ],
88
+ reads: [".appfleet/cloud-session.json"],
89
+ writes: [".appfleet/cloud-session.json is removed when present; JSON output includes a safe logged_out/not_found/missing_hosted_session status"],
90
+ secretSafety: [
91
+ "Removes local-test or hosted redacted session metadata and reports a safe logout status.",
92
+ "In production mode, opens the hosted browser auth page to revoke AppFleet hosted session metadata for the signed-in Clerk user.",
93
+ "Does not read or remove access tokens, refresh tokens, cookies, provider credentials, encrypted credential blobs, key wrappers, command output, or secret fragments.",
94
+ ],
95
+ },
96
+ {
97
+ namespace: "cloud",
98
+ name: "sync",
99
+ summary: "Sync cloud-safe project metadata in local-test mode by default, or production mode only when explicitly enabled.",
100
+ usage: "appfleet cloud sync [--workspace <workspace-id>] [--production-cloud] [--api-base-url <url>] [--idempotency-key <key>] [--json]",
101
+ arguments: [],
102
+ options: [
103
+ { flags: "--workspace <workspace-id>", description: "Workspace id for the local-test sync store." },
104
+ { flags: "--production-cloud", description: "Explicitly use production cloud mode; also requires API/auth env config." },
105
+ { flags: "--api-base-url <url>", description: "Production AppFleet API base URL; overrides APPFLEET_API_BASE_URL." },
106
+ { flags: "--idempotency-key <key>", description: "Override the production metadata sync idempotency key; retries reuse the same key." },
107
+ { flags: "--json", description: "Emit machine-readable JSON." },
108
+ ],
109
+ examples: [
110
+ "appfleet cloud sync",
111
+ "appfleet cloud sync --workspace workspace_test --json",
112
+ "APPFLEET_PRODUCTION_CLOUD_ENABLED=true APPFLEET_API_BASE_URL=https://appfleet.xyz APPFLEET_CLOUD_AUTH_TOKEN=<redacted> appfleet cloud sync --workspace <workspace-id> --json",
113
+ "APPFLEET_API_BASE_URL=https://appfleet.xyz appfleet cloud sync --production-cloud --workspace <workspace-id> --json",
114
+ ],
115
+ reads: [".appfleet/cloud-session.json", ".appfleet/project-memory.json", ".appfleet/cloud-metadata-sync.json"],
116
+ writes: [".appfleet/cloud-metadata-sync.json", ".appfleet/project-memory.json lastSyncedAt for accepted projects"],
117
+ secretSafety: [
118
+ "Chooses local-test mode by default; production mode requires --production-cloud, APPFLEET_PRODUCTION_CLOUD_ENABLED=true, or APPFLEET_CLOUD_MODE=production.",
119
+ "In production mode, fails closed when APPFLEET_API_BASE_URL/--api-base-url or APPFLEET_CLOUD_AUTH_TOKEN is missing.",
120
+ "Production metadata sync posts to /api/workspaces/<workspace-id>/metadata-sync on the configured AppFleet web API base URL.",
121
+ "Production metadata sync sends redacted auth reporting plus an idempotency key, workspace id, and project metadata envelopes.",
122
+ "Production metadata sync retries safe transient transport failures with the same idempotency key.",
123
+ "Persists local-test and production sync metadata, project ids, fingerprints, durable queue status, idempotency metadata, and conflict reports only.",
124
+ "Reports API, database, and config state with redacted tokens, cookies, DSNs, secrets, command output, encrypted blob ids, and key wrappers.",
125
+ "Omits project-memory payloads, plaintext credential values, encrypted credential blobs, key wrappers, key material, command output, and secret fragments.",
126
+ ],
127
+ },
128
+ {
129
+ namespace: "cloud",
130
+ name: "metadata-sync",
131
+ summary: "Alias-style command for cloud-safe metadata sync with the same local-test/production boundary as cloud sync.",
132
+ usage: "appfleet cloud metadata-sync [--workspace <workspace-id>] [--production-cloud] [--api-base-url <url>] [--idempotency-key <key>] [--json]",
133
+ arguments: [],
134
+ options: [
135
+ { flags: "--workspace <workspace-id>", description: "Workspace id for the local-test sync store." },
136
+ { flags: "--production-cloud", description: "Explicitly use production cloud mode; also requires API/auth env config." },
137
+ { flags: "--api-base-url <url>", description: "Production AppFleet API base URL; overrides APPFLEET_API_BASE_URL." },
138
+ { flags: "--idempotency-key <key>", description: "Override the production metadata sync idempotency key; retries reuse the same key." },
139
+ { flags: "--json", description: "Emit machine-readable JSON." },
140
+ ],
141
+ examples: [
142
+ "appfleet cloud metadata-sync",
143
+ "appfleet cloud metadata-sync --workspace workspace_test --json",
144
+ "APPFLEET_CLOUD_MODE=production APPFLEET_API_BASE_URL=https://appfleet.xyz APPFLEET_CLOUD_AUTH_TOKEN=<redacted> appfleet cloud metadata-sync --workspace <workspace-id> --json",
145
+ "APPFLEET_API_BASE_URL=https://appfleet.xyz appfleet cloud metadata-sync --production-cloud --workspace <workspace-id> --json",
146
+ ],
147
+ reads: [".appfleet/cloud-session.json", ".appfleet/project-memory.json", ".appfleet/cloud-metadata-sync.json"],
148
+ writes: [".appfleet/cloud-metadata-sync.json", ".appfleet/project-memory.json lastSyncedAt for accepted projects"],
149
+ secretSafety: [
150
+ "Chooses local-test mode by default; production mode requires --production-cloud, APPFLEET_PRODUCTION_CLOUD_ENABLED=true, or APPFLEET_CLOUD_MODE=production.",
151
+ "In production mode, fails closed when APPFLEET_API_BASE_URL/--api-base-url or APPFLEET_CLOUD_AUTH_TOKEN is missing.",
152
+ "Production metadata sync posts to /api/workspaces/<workspace-id>/metadata-sync on the configured AppFleet web API base URL.",
153
+ "Production metadata sync sends redacted auth reporting plus an idempotency key, workspace id, and project metadata envelopes.",
154
+ "Production metadata sync retries safe transient transport failures with the same idempotency key.",
155
+ "Persists local-test and production sync metadata, project ids, fingerprints, durable queue status, idempotency metadata, and conflict reports only.",
156
+ "Reports API, database, and config state with redacted tokens, cookies, DSNs, secrets, command output, encrypted blob ids, and key wrappers.",
157
+ "Omits project-memory payloads, plaintext credential values, encrypted credential blobs, key wrappers, key material, command output, and secret fragments.",
158
+ ],
159
+ },
160
+ {
161
+ namespace: "cloud",
162
+ name: "resolve-conflict",
163
+ summary: "Resolve a pending local/cloud metadata conflict state without syncing secret values or encrypted blobs.",
164
+ usage: "appfleet cloud resolve-conflict --project <project-id> --accept <local|remote> [--workspace <workspace-id>] [--json]",
165
+ arguments: [],
166
+ options: [
167
+ { flags: "--project <project-id>", description: "Project id with a pending metadata conflict." },
168
+ { flags: "--accept <local|remote>", description: "Resolve by accepting local metadata for the next sync or acknowledging remote metadata." },
169
+ { flags: "--workspace <workspace-id>", description: "Workspace id for the local sync store." },
170
+ { flags: "--json", description: "Emit machine-readable JSON." },
171
+ ],
172
+ examples: [
173
+ "appfleet cloud resolve-conflict --workspace workspace_test --project atlas-notes --accept local",
174
+ "appfleet cloud resolve-conflict --project atlas-notes --accept remote --json",
175
+ ],
176
+ reads: [".appfleet/cloud-session.json", ".appfleet/project-memory.json", ".appfleet/cloud-metadata-sync.json"],
177
+ writes: [".appfleet/cloud-metadata-sync.json conflict and queue status metadata only"],
178
+ secretSafety: [
179
+ "Resolves metadata conflict state locally and does not call cloud transport.",
180
+ "Does not overwrite local project memory with remote payloads because remote project payloads are not stored in the sync queue.",
181
+ "Does not store project-memory payloads, plaintext credential values, encrypted credential blobs, key wrappers, key material, command output, or secret fragments.",
182
+ ],
183
+ },
184
+ {
185
+ namespace: "projects",
186
+ name: "seed-demo-fleet",
187
+ summary: "Seed three safe mock projects for local dashboard demos.",
188
+ usage: "appfleet projects seed-demo-fleet",
189
+ arguments: [],
190
+ options: [],
191
+ examples: ["appfleet projects seed-demo-fleet"],
192
+ reads: [],
193
+ writes: [".appfleet/project-memory.json"],
194
+ secretSafety: [
195
+ "Writes safe mock metadata only.",
196
+ "Does not store credential values or encrypted credential internals.",
197
+ ],
198
+ },
199
+ {
200
+ namespace: "projects",
201
+ name: "discover",
202
+ summary: "Discover safe local project metadata and optionally import it into project memory.",
203
+ usage: "appfleet projects discover [path] [--remember] [--url <url>] [options]",
204
+ arguments: ["path: optional project path; defaults to the current directory."],
205
+ options: [
206
+ { flags: "--project <project>", description: "Project id to use when importing." },
207
+ { flags: "--name <name>", description: "Human project name." },
208
+ { flags: "--url <url>", description: "Canonical project URL for import." },
209
+ { flags: "--remember", description: "Write discovered safe facts to project memory." },
210
+ { flags: "--json", description: "Emit machine-readable JSON." },
211
+ ],
212
+ examples: [
213
+ "appfleet projects discover",
214
+ "appfleet projects discover /path/to/app --json",
215
+ "appfleet projects discover --remember --url https://atlas-notes.example.com",
216
+ ],
217
+ reads: [
218
+ "package.json and safe source/config files under the project path",
219
+ "target project git origin remote",
220
+ ],
221
+ writes: [".appfleet/project-memory.json only when --remember is provided"],
222
+ secretSafety: [
223
+ "Skips .env files, .appfleet, node_modules, .git, test files, and build output.",
224
+ "Records env alias names only; it never stores values.",
225
+ "Does not call provider APIs or infer provider health.",
226
+ ],
227
+ },
228
+ {
229
+ namespace: "projects",
230
+ name: "create",
231
+ summary: "Create local project memory from safe public metadata.",
232
+ usage: "appfleet projects create <project> --url <url> [options]",
233
+ arguments: ["project: project id to create."],
234
+ options: [
235
+ { flags: "--url <url>", description: "Canonical project URL." },
236
+ { flags: "--name <name>", description: "Human project name." },
237
+ { flags: "--repo <repo-url>", description: "Repository URL." },
238
+ {
239
+ flags: "--git-remote-fingerprint <fingerprint>",
240
+ description: "Explicit repo fingerprint override.",
241
+ },
242
+ { flags: "--path <path>", description: "Remembered local path." },
243
+ { flags: "--remembered-url <url>", description: "Known old or alternate URL." },
244
+ {
245
+ flags: "--provider <Name:kind:role>",
246
+ description: "Provider alias and safe role metadata.",
247
+ },
248
+ {
249
+ flags: "--env-alias <NAME:purpose>",
250
+ description: "Environment alias name and non-secret purpose.",
251
+ },
252
+ { flags: "--note <note>", description: "Non-secret recovery note." },
253
+ { flags: "--json", description: "Emit machine-readable JSON." },
254
+ ],
255
+ examples: [
256
+ "appfleet projects create atlas-notes --url https://atlas-notes.example.com",
257
+ "appfleet projects create atlas-notes --url https://atlas-notes.example.com --env-alias \"VITE_SUPABASE_URL:Supabase project URL\"",
258
+ ],
259
+ reads: ["current git origin remote unless --git-remote-fingerprint is provided"],
260
+ writes: [".appfleet/project-memory.json"],
261
+ secretSafety: [
262
+ "Thin alias of projects remember for safe metadata only.",
263
+ "Does not read .env files or provider secrets.",
264
+ "Does not store environment values or claim cloud persistence.",
265
+ ],
266
+ },
267
+ {
268
+ namespace: "projects",
269
+ name: "remember",
270
+ summary: "Record safe public recovery facts for a project.",
271
+ usage: "appfleet projects remember <project> --url <url> [options]",
272
+ arguments: ["project: project id to remember."],
273
+ options: [
274
+ { flags: "--url <url>", description: "Canonical project URL." },
275
+ { flags: "--name <name>", description: "Human project name." },
276
+ { flags: "--repo <repo-url>", description: "Repository URL." },
277
+ {
278
+ flags: "--git-remote-fingerprint <fingerprint>",
279
+ description: "Explicit repo fingerprint override.",
280
+ },
281
+ { flags: "--path <path>", description: "Remembered local path." },
282
+ { flags: "--remembered-url <url>", description: "Known old or alternate URL." },
283
+ {
284
+ flags: "--provider <Name:kind:role>",
285
+ description: "Provider alias and safe role metadata.",
286
+ },
287
+ {
288
+ flags: "--env-alias <NAME:purpose>",
289
+ description: "Environment alias name and non-secret purpose.",
290
+ },
291
+ { flags: "--note <note>", description: "Non-secret recovery note." },
292
+ { flags: "--json", description: "Emit machine-readable JSON." },
293
+ ],
294
+ examples: [
295
+ "appfleet projects remember atlas-notes --url https://atlas-notes.example.com",
296
+ "appfleet projects remember atlas-notes --url https://atlas-notes.example.com --provider \"Netlify:deployment:frontend hosting\" --env-alias \"VITE_SUPABASE_URL:Supabase project URL\"",
297
+ ],
298
+ reads: ["current git origin remote unless --git-remote-fingerprint is provided"],
299
+ writes: [".appfleet/project-memory.json"],
300
+ secretSafety: [
301
+ "Stores alias names and public metadata only.",
302
+ "Does not read .env files.",
303
+ "Do not put secret values in notes, provider aliases, or env alias purposes.",
304
+ ],
305
+ },
306
+ {
307
+ namespace: "projects",
308
+ name: "edit",
309
+ summary: "Update safe local project memory fields without reading secrets.",
310
+ usage: "appfleet projects edit <project> [options]",
311
+ arguments: ["project: project id to edit."],
312
+ options: [
313
+ { flags: "--url <url>", description: "Replace the canonical project URL." },
314
+ { flags: "--name <name>", description: "Replace the human project name." },
315
+ { flags: "--repo <repo-url>", description: "Replace the repository URL." },
316
+ {
317
+ flags: "--git-remote-fingerprint <fingerprint>",
318
+ description: "Replace the stored repo fingerprint.",
319
+ },
320
+ { flags: "--remembered-url <url>", description: "Add a known old or alternate URL." },
321
+ {
322
+ flags: "--provider <Name:kind:role>",
323
+ description: "Add or update provider alias and safe role metadata.",
324
+ },
325
+ {
326
+ flags: "--env-alias <NAME:purpose>",
327
+ description: "Add or update an environment alias name and non-secret purpose.",
328
+ },
329
+ { flags: "--note <note>", description: "Add a non-secret recovery note." },
330
+ { flags: "--json", description: "Emit machine-readable JSON." },
331
+ ],
332
+ examples: [
333
+ "appfleet projects edit atlas-notes --name \"Atlas Notes\"",
334
+ "appfleet projects edit atlas-notes --url https://app.example.com --remembered-url https://old.example.com",
335
+ ],
336
+ reads: [".appfleet/project-memory.json"],
337
+ writes: [".appfleet/project-memory.json"],
338
+ secretSafety: [
339
+ "Updates safe names, URLs, provider labels, env alias names, and notes only.",
340
+ "Does not read .env files or store environment values.",
341
+ "Does not call provider APIs or infer provider health.",
342
+ ],
343
+ },
344
+ {
345
+ namespace: "projects",
346
+ name: "env",
347
+ summary: "List, add, or remove local project environment labels and alias metadata.",
348
+ usage: "appfleet projects env <list|add|remove> <project> [environment] [options]",
349
+ arguments: [
350
+ "action: list, add, or remove.",
351
+ "project: project id.",
352
+ "environment: environment label for add or remove.",
353
+ ],
354
+ options: [
355
+ {
356
+ flags: "--env-alias <NAME:purpose>",
357
+ description: "Alias metadata to add; for remove, pass alias names to remove.",
358
+ },
359
+ { flags: "--json", description: "Emit machine-readable JSON." },
360
+ ],
361
+ examples: [
362
+ "appfleet projects env list atlas-notes",
363
+ "appfleet projects env add atlas-notes production --env-alias \"VITE_SUPABASE_URL:Supabase project URL\"",
364
+ "appfleet projects env remove atlas-notes preview --env-alias VITE_PREVIEW_URL",
365
+ ],
366
+ reads: [".appfleet/project-memory.json"],
367
+ writes: [".appfleet/project-memory.json for add and remove"],
368
+ secretSafety: [
369
+ "Stores environment labels and alias names only.",
370
+ "Does not read .env files or store values.",
371
+ "Does not call provider APIs or claim cloud persistence.",
372
+ ],
373
+ },
374
+ {
375
+ namespace: "projects",
376
+ name: "brief",
377
+ summary: "Show the lower-level memory-only project view.",
378
+ usage: "appfleet projects brief [project] [--json]",
379
+ arguments: ["project: optional explicit project id."],
380
+ options: [{ flags: "--json", description: "Emit machine-readable JSON." }],
381
+ examples: ["appfleet projects brief", "appfleet projects brief atlas-notes --json"],
382
+ reads: [".appfleet/project-memory.json", "current git origin remote when project is omitted"],
383
+ writes: [],
384
+ secretSafety: ["Omits credential references and secret material."],
385
+ },
386
+ {
387
+ namespace: "projects",
388
+ name: "status",
389
+ summary: "Show the daily recovery summary for a remembered project.",
390
+ usage: "appfleet projects status [project] [--json]",
391
+ arguments: ["project: optional explicit project id."],
392
+ options: [{ flags: "--json", description: "Emit machine-readable JSON." }],
393
+ examples: ["appfleet projects status", "appfleet projects status atlas-notes --json"],
394
+ reads: [".appfleet/project-memory.json", "current git origin remote when project is omitted"],
395
+ writes: [],
396
+ secretSafety: [
397
+ "Does not read .env files.",
398
+ "Does not call provider APIs.",
399
+ "Does not print credential values.",
400
+ ],
401
+ },
402
+ {
403
+ namespace: "projects",
404
+ name: "doctor",
405
+ summary: "Run conservative safe diagnostics and persist the latest safe report.",
406
+ usage: "appfleet projects doctor [project] [--json] [--upload]",
407
+ arguments: ["project: optional explicit project id."],
408
+ options: [
409
+ { flags: "--json", description: "Emit machine-readable JSON." },
410
+ { flags: "--upload", description: "Upload the safe report through the authenticated production metadata sync path." },
411
+ ],
412
+ examples: ["appfleet projects doctor", "appfleet projects doctor atlas-notes --upload --json"],
413
+ reads: [".appfleet/project-memory.json", "public canonical and remembered URLs"],
414
+ writes: [".appfleet/project-memory.json"],
415
+ secretSafety: [
416
+ "Does not read .env files.",
417
+ "Does not inspect secret contents.",
418
+ "Does not call Supabase, Netlify, Vercel, or other provider APIs.",
419
+ "Reports unknown instead of guessing provider failure.",
420
+ ],
421
+ },
422
+ {
423
+ namespace: "projects",
424
+ name: "dashboard",
425
+ summary: "Print the local dashboard URL, dev command, memory status, and next steps.",
426
+ usage: "appfleet projects dashboard [project] [--json]",
427
+ arguments: ["project: optional explicit project id."],
428
+ options: [{ flags: "--json", description: "Emit machine-readable JSON." }],
429
+ examples: ["appfleet projects dashboard", "appfleet projects dashboard --json"],
430
+ reads: [".appfleet/project-memory.json", "current git origin remote when project is omitted"],
431
+ writes: [],
432
+ secretSafety: ["Does not start the dashboard or read secrets."],
433
+ },
434
+ {
435
+ namespace: "projects",
436
+ name: "check",
437
+ summary: "Refresh stored canonical URL status for an explicit project.",
438
+ usage: "appfleet projects check <project>",
439
+ arguments: ["project: explicit project id."],
440
+ options: [],
441
+ examples: ["appfleet projects check atlas-notes"],
442
+ reads: [".appfleet/project-memory.json", "public canonical and remembered URLs"],
443
+ writes: [".appfleet/project-memory.json"],
444
+ secretSafety: ["Performs URL checks only; it does not use credentials."],
445
+ },
446
+ {
447
+ namespace: "projects",
448
+ name: "sync",
449
+ summary: "Inspect the cloud-safe sync contract scaffold.",
450
+ usage: "appfleet projects sync [--workspace <workspace-id>] [--json]",
451
+ arguments: [],
452
+ options: [
453
+ { flags: "--workspace <workspace-id>", description: "Workspace id for the scaffold envelope." },
454
+ { flags: "--json", description: "Emit machine-readable JSON." },
455
+ ],
456
+ examples: ["appfleet projects sync", "appfleet projects sync --workspace workspace_test --json"],
457
+ reads: [".appfleet/project-memory.json"],
458
+ writes: [],
459
+ secretSafety: ["Omits credential references and does not claim production cloud persistence."],
460
+ },
461
+ {
462
+ namespace: "providers",
463
+ name: "catalog",
464
+ summary: "List provider integration catalog contracts for GitHub, Vercel, Netlify, Supabase, Cloudflare, Stripe, OpenAI, and Anthropic.",
465
+ usage: "appfleet providers catalog [--workspace <workspace-id>] [--json]",
466
+ arguments: [],
467
+ options: [
468
+ { flags: "--workspace <workspace-id>", description: "Workspace id for the metadata-only contract report." },
469
+ { flags: "--json", description: "Emit machine-readable JSON." },
470
+ ],
471
+ examples: ["appfleet providers catalog", "appfleet providers catalog --json"],
472
+ reads: [],
473
+ writes: [],
474
+ secretSafety: [
475
+ "Does not read provider credentials or local secret stores.",
476
+ "Reports connector boundaries, supported discovery surfaces, and credential-location hint kinds only.",
477
+ "Does not call provider APIs or infer live provider health.",
478
+ ],
479
+ },
480
+ {
481
+ namespace: "providers",
482
+ name: "status",
483
+ summary: "Report fail-closed provider connection status without contacting the provider.",
484
+ usage: "appfleet providers status <provider> [--workspace <workspace-id>] [--json]",
485
+ arguments: ["provider: one of github, vercel, netlify, supabase, cloudflare, stripe, openai, anthropic."],
486
+ options: [
487
+ { flags: "--workspace <workspace-id>", description: "Workspace id for the metadata-only status report." },
488
+ { flags: "--json", description: "Emit machine-readable JSON." },
489
+ ],
490
+ examples: [
491
+ "appfleet providers status github",
492
+ "appfleet providers status supabase --workspace workspace_test --json",
493
+ ],
494
+ reads: [],
495
+ writes: [],
496
+ secretSafety: [
497
+ "Returns credentials_required and canSync=false until explicit provider credentials exist.",
498
+ "Does not read tokens, cookies, provider credentials, encrypted blobs, key wrappers, env values, or command output.",
499
+ "Does not call provider APIs or infer live provider health.",
500
+ ],
501
+ },
502
+ {
503
+ namespace: "providers",
504
+ name: "sync",
505
+ summary: "Create a provider sync-run scaffold that is blocked until credentials are configured.",
506
+ usage: "appfleet providers sync <provider> [--workspace <workspace-id>] [--json]",
507
+ arguments: ["provider: one of github, vercel, netlify, supabase, cloudflare, stripe, openai, anthropic."],
508
+ options: [
509
+ { flags: "--workspace <workspace-id>", description: "Workspace id for the metadata-only sync run." },
510
+ { flags: "--json", description: "Emit machine-readable JSON." },
511
+ ],
512
+ examples: ["appfleet providers sync vercel --json"],
513
+ reads: [],
514
+ writes: [],
515
+ secretSafety: [
516
+ "Records no provider payloads and imports zero records.",
517
+ "Reports blocked_missing_credentials instead of attempting a live sync.",
518
+ "Does not call provider APIs.",
519
+ ],
520
+ },
521
+ {
522
+ namespace: "providers",
523
+ name: "discover",
524
+ summary: "Inspect provider-side project, environment, or credential-location discovery contracts.",
525
+ usage: "appfleet providers discover <provider> [--surface <surface>] [--workspace <workspace-id>] [--json]",
526
+ arguments: ["provider: one of github, vercel, netlify, supabase, cloudflare, stripe, openai, anthropic."],
527
+ options: [
528
+ { flags: "--surface <surface>", description: "projects, environments, or credential_locations; defaults to projects." },
529
+ { flags: "--workspace <workspace-id>", description: "Workspace id for the metadata-only discovery contract." },
530
+ { flags: "--json", description: "Emit machine-readable JSON." },
531
+ ],
532
+ examples: [
533
+ "appfleet providers discover netlify --surface projects",
534
+ "appfleet providers discover stripe --surface credential_locations --json",
535
+ ],
536
+ reads: [],
537
+ writes: [],
538
+ secretSafety: [
539
+ "Returns output schema and credential-location hint kinds only.",
540
+ "Does not discover provider-side records until explicit provider credentials exist.",
541
+ "Does not call provider APIs.",
542
+ ],
543
+ },
544
+ {
545
+ namespace: "providers",
546
+ name: "github",
547
+ summary: "GitHub provider subcommands, including metadata-only app inventory import.",
548
+ usage: "appfleet providers github inventory-import --repo <owner/name> [--repo <owner/name>] [--workspace <workspace-id>] [--json]",
549
+ arguments: ["subcommand: inventory-import."],
550
+ options: [
551
+ { flags: "--repo <owner/name>", description: "Repository metadata to include in the import contract; repeatable." },
552
+ { flags: "--workspace <workspace-id>", description: "Workspace id for the import contract." },
553
+ { flags: "--json", description: "Emit machine-readable JSON." },
554
+ ],
555
+ examples: [
556
+ "appfleet providers github inventory-import --repo acme/atlas-notes --json",
557
+ ],
558
+ reads: [],
559
+ writes: [],
560
+ secretSafety: [
561
+ "Accepts caller-supplied repository names only.",
562
+ "Does not call GitHub, read GitHub App private keys, installation tokens, OAuth tokens, cookies, or provider payloads.",
563
+ "Does not persist imported project memory; it emits a metadata-only import contract.",
564
+ ],
565
+ },
566
+ {
567
+ namespace: "ops",
568
+ name: "observability",
569
+ summary: "Plan advanced observability integrations with safe public checks and audit correlation.",
570
+ usage: "appfleet ops observability [--workspace <workspace-id>] [--project <project-id>] [--provider <provider-id>] [--json]",
571
+ arguments: [],
572
+ options: [
573
+ { flags: "--workspace <workspace-id>", description: "Workspace id for the operational workflow." },
574
+ { flags: "--project <project-id>", description: "Optional project id to scope the plan." },
575
+ { flags: "--provider <provider-id>", description: "Optional provider id for credential-gated observability import." },
576
+ { flags: "--json", description: "Emit machine-readable JSON." },
577
+ ],
578
+ examples: ["appfleet ops observability --project atlas-notes --provider vercel --json"],
579
+ reads: [],
580
+ writes: [],
581
+ secretSafety: [
582
+ "Plans public health, TLS, domain, provider-status annotation, and audit-correlation metadata only.",
583
+ "Does not call provider APIs, read env files, or accept plaintext secrets.",
584
+ ],
585
+ },
586
+ {
587
+ namespace: "ops",
588
+ name: "rotate-secret",
589
+ summary: "Generate a fail-closed manual secret rotation plan.",
590
+ usage: "appfleet ops rotate-secret --project <project-id> --alias <NAME> [--workspace <workspace-id>] [--provider <provider-id>] [--json]",
591
+ arguments: [],
592
+ options: [
593
+ { flags: "--project <project-id>", description: "Project id whose alias should rotate." },
594
+ { flags: "--alias <NAME>", description: "Credential alias to rotate; repeat for multiple aliases." },
595
+ { flags: "--workspace <workspace-id>", description: "Workspace id for the operational workflow." },
596
+ { flags: "--provider <provider-id>", description: "Provider id whose external dashboard/tool owns rotation." },
597
+ { flags: "--json", description: "Emit machine-readable JSON." },
598
+ ],
599
+ examples: ["appfleet ops rotate-secret --project atlas-notes --provider supabase --alias SUPABASE_SERVICE_ROLE_KEY --json"],
600
+ reads: [],
601
+ writes: [],
602
+ secretSafety: [
603
+ "Does not rotate provider credentials automatically.",
604
+ "Requires local audit before mutation and local vault update after external provider rotation.",
605
+ "Does not accept or print secret values.",
606
+ ],
607
+ },
608
+ {
609
+ namespace: "ops",
610
+ name: "repair-provider",
611
+ summary: "Generate a provider repair plan that fails closed without explicit provider credentials.",
612
+ usage: "appfleet ops repair-provider --provider <provider-id> [--workspace <workspace-id>] [--project <project-id>] [--json]",
613
+ arguments: [],
614
+ options: [
615
+ { flags: "--provider <provider-id>", description: "Provider id to repair." },
616
+ { flags: "--workspace <workspace-id>", description: "Workspace id for the operational workflow." },
617
+ { flags: "--project <project-id>", description: "Optional project id to scope the repair." },
618
+ { flags: "--json", description: "Emit machine-readable JSON." },
619
+ ],
620
+ examples: ["appfleet ops repair-provider --provider github --project atlas-notes --json"],
621
+ reads: [],
622
+ writes: [],
623
+ secretSafety: [
624
+ "Checks safe metadata contracts only.",
625
+ "Does not mutate provider settings or persist provider payloads.",
626
+ ],
627
+ },
628
+ {
629
+ namespace: "ops",
630
+ name: "incident",
631
+ summary: "Open a safe incident workflow with mitigation and audit-correlation steps.",
632
+ usage: "appfleet ops incident [--workspace <workspace-id>] [--project <project-id>] [--provider <provider-id>] [--severity <sev1|sev2|sev3>] [--json]",
633
+ arguments: [],
634
+ options: [
635
+ { flags: "--workspace <workspace-id>", description: "Workspace id for the incident." },
636
+ { flags: "--project <project-id>", description: "Optional affected project id." },
637
+ { flags: "--provider <provider-id>", description: "Optional affected provider id." },
638
+ { flags: "--severity <sev1|sev2|sev3>", description: "Incident severity; defaults to sev3." },
639
+ { flags: "--json", description: "Emit machine-readable JSON." },
640
+ ],
641
+ examples: ["appfleet ops incident --project atlas-notes --provider vercel --severity sev2 --json"],
642
+ reads: [],
643
+ writes: [],
644
+ secretSafety: [
645
+ "Captures safe evidence fields only.",
646
+ "Does not include logs, command output, provider payloads, or secret values.",
647
+ ],
648
+ },
649
+ {
650
+ namespace: "ops",
651
+ name: "runbook",
652
+ summary: "Generate a production operations runbook checklist.",
653
+ usage: "appfleet ops runbook --kind <deploy|rollback|env_rotation|migration|provider_repair|incident_response> [--workspace <workspace-id>] [--project <project-id>] [--json]",
654
+ arguments: [],
655
+ options: [
656
+ { flags: "--kind <kind>", description: "Runbook kind to generate." },
657
+ { flags: "--workspace <workspace-id>", description: "Workspace id for the runbook." },
658
+ { flags: "--project <project-id>", description: "Optional project id to scope the runbook." },
659
+ { flags: "--json", description: "Emit machine-readable JSON." },
660
+ ],
661
+ examples: ["appfleet ops runbook --kind rollback --project atlas-notes --json"],
662
+ reads: [],
663
+ writes: [],
664
+ secretSafety: [
665
+ "Returns checklist metadata only.",
666
+ "Does not execute deploys, rollbacks, migrations, provider changes, or env rotations.",
667
+ ],
668
+ },
669
+ {
670
+ namespace: "ops",
671
+ name: "audit-verify",
672
+ summary: "Plan tamper-evident audit-chain verification over safe audit ids.",
673
+ usage: "appfleet ops audit-verify [--workspace <workspace-id>] [--project <project-id>] [--audit-id <audit-id>] [--broken-at <audit-id>] [--json]",
674
+ arguments: [],
675
+ options: [
676
+ { flags: "--workspace <workspace-id>", description: "Workspace id for the audit chain." },
677
+ { flags: "--project <project-id>", description: "Optional project id to scope verification." },
678
+ { flags: "--audit-id <audit-id>", description: "Safe audit id to include; repeat for ordered events." },
679
+ { flags: "--broken-at <audit-id>", description: "Optional audit id where a broken chain was detected." },
680
+ { flags: "--json", description: "Emit machine-readable JSON." },
681
+ ],
682
+ examples: ["appfleet ops audit-verify --audit-id audit_1 --audit-id audit_2 --json"],
683
+ reads: [],
684
+ writes: [],
685
+ secretSafety: [
686
+ "Uses audit ids and hash-chain metadata only.",
687
+ "Does not include local command output, encrypted blobs, provider payloads, or secret values.",
688
+ ],
689
+ },
690
+ {
691
+ namespace: "audit",
692
+ name: "sync",
693
+ summary: "Convert local sensitive-audit events into cloud-safe audit shadow metadata.",
694
+ usage: "appfleet audit sync [--workspace <workspace-id>] [--json]",
695
+ arguments: [],
696
+ options: [
697
+ { flags: "--workspace <workspace-id>", description: "Workspace id whose local audit events should be synced." },
698
+ { flags: "--json", description: "Emit machine-readable JSON." },
699
+ ],
700
+ examples: ["appfleet audit sync --workspace workspace_local --json"],
701
+ reads: [".appfleet/vault-audit.jsonl"],
702
+ writes: [".appfleet/cloud-audit-sync.json"],
703
+ secretSafety: [
704
+ "Writes cloud-safe audit metadata only.",
705
+ "Omits command output, plaintext secrets, encrypted credential blob ids, provider payloads, key material, and secret fragments.",
706
+ "Does not call provider APIs.",
707
+ ],
708
+ },
709
+ {
710
+ namespace: "health",
711
+ name: "schedule",
712
+ summary: "Show the safe health-check scheduler and cron heartbeat contract.",
713
+ usage: "appfleet health schedule [--workspace <workspace-id>] [--json]",
714
+ arguments: [],
715
+ options: [
716
+ { flags: "--workspace <workspace-id>", description: "Workspace id for the scheduler contract." },
717
+ { flags: "--json", description: "Emit machine-readable JSON." },
718
+ ],
719
+ examples: ["appfleet health schedule --workspace workspace_local --json"],
720
+ reads: [],
721
+ writes: [],
722
+ secretSafety: [
723
+ "Schedules public URL, TLS, and stored domain metadata checks only.",
724
+ "Does not read .env files.",
725
+ "Does not call provider APIs or use credentials.",
726
+ ],
727
+ },
728
+ {
729
+ namespace: "vault",
730
+ name: "init",
731
+ summary: "Create the encrypted local vault store.",
732
+ usage: "appfleet vault init [--workspace <workspace-id>] [--master-password <password>]",
733
+ arguments: [],
734
+ options: [
735
+ { flags: "--workspace <workspace-id>", description: "Workspace id for the local vault." },
736
+ { flags: "--master-password <password>", description: "Master password; prefer APPFLEET_MASTER_PASSWORD." },
737
+ ],
738
+ examples: ["APPFLEET_MASTER_PASSWORD=demo appfleet vault init"],
739
+ reads: [".appfleet/local-vault.json if it already exists"],
740
+ writes: [".appfleet/local-vault.json"],
741
+ secretSafety: [
742
+ "Does not print the master password or workspace vault key.",
743
+ "Prefer APPFLEET_MASTER_PASSWORD over command-line password values.",
744
+ ],
745
+ },
746
+ {
747
+ namespace: "vault",
748
+ name: "unlock",
749
+ summary: "Verify the local vault can be unlocked by the master password.",
750
+ usage: "appfleet vault unlock [--master-password <password>]",
751
+ arguments: [],
752
+ options: [
753
+ { flags: "--master-password <password>", description: "Master password; prefer APPFLEET_MASTER_PASSWORD." },
754
+ ],
755
+ examples: ["APPFLEET_MASTER_PASSWORD=demo appfleet vault unlock"],
756
+ reads: [".appfleet/local-vault.json"],
757
+ writes: [],
758
+ secretSafety: ["Does not print plaintext key material."],
759
+ },
760
+ {
761
+ namespace: "vault",
762
+ name: "change-password",
763
+ summary: "Replace the active master-password key wrapper.",
764
+ usage: "appfleet vault change-password [--master-password <password>] [--new-master-password <password>]",
765
+ arguments: [],
766
+ options: [
767
+ { flags: "--master-password <password>", description: "Current master password; prefer APPFLEET_MASTER_PASSWORD." },
768
+ { flags: "--new-master-password <password>", description: "New master password; prefer APPFLEET_NEW_MASTER_PASSWORD." },
769
+ ],
770
+ examples: ["APPFLEET_MASTER_PASSWORD=old APPFLEET_NEW_MASTER_PASSWORD=new appfleet vault change-password"],
771
+ reads: [".appfleet/local-vault.json"],
772
+ writes: [".appfleet/local-vault.json"],
773
+ secretSafety: [
774
+ "Revokes the old master-password wrapper after the new wrapper is written.",
775
+ "Does not print passwords, workspace vault keys, salts, ciphertext, or wrapper internals.",
776
+ ],
777
+ },
778
+ {
779
+ namespace: "vault",
780
+ name: "recovery generate",
781
+ summary: "Create recovery-key wrapper and emergency recovery kit metadata.",
782
+ usage: "appfleet vault recovery generate [--master-password <password>] [--recovery-key <key>]",
783
+ arguments: [],
784
+ options: [
785
+ { flags: "--master-password <password>", description: "Master password; prefer APPFLEET_MASTER_PASSWORD." },
786
+ { flags: "--recovery-key <key>", description: "User-held recovery key; prefer APPFLEET_RECOVERY_KEY." },
787
+ ],
788
+ examples: ["APPFLEET_MASTER_PASSWORD=demo APPFLEET_RECOVERY_KEY=... appfleet vault recovery generate"],
789
+ reads: [".appfleet/local-vault.json"],
790
+ writes: [".appfleet/local-vault.json"],
791
+ secretSafety: [
792
+ "Stores only encrypted wrapper data and recovery-kit metadata.",
793
+ "Does not print or persist the recovery key or plaintext vault key.",
794
+ ],
795
+ },
796
+ {
797
+ namespace: "vault",
798
+ name: "recovery unlock",
799
+ summary: "Verify recovery-key unlock metadata can unwrap the local vault.",
800
+ usage: "appfleet vault recovery unlock [--recovery-key <key>]",
801
+ arguments: [],
802
+ options: [
803
+ { flags: "--recovery-key <key>", description: "User-held recovery key; prefer APPFLEET_RECOVERY_KEY." },
804
+ ],
805
+ examples: ["APPFLEET_RECOVERY_KEY=... appfleet vault recovery unlock"],
806
+ reads: [".appfleet/local-vault.json"],
807
+ writes: [],
808
+ secretSafety: ["Does not print the recovery key or plaintext key material."],
809
+ },
810
+ {
811
+ namespace: "vault",
812
+ name: "recovery rotate",
813
+ summary: "Rotate the active recovery-key wrapper metadata.",
814
+ usage: "appfleet vault recovery rotate [--master-password <password>] [--recovery-key <key>]",
815
+ arguments: [],
816
+ options: [
817
+ { flags: "--master-password <password>", description: "Master password; prefer APPFLEET_MASTER_PASSWORD." },
818
+ { flags: "--recovery-key <key>", description: "New user-held recovery key; prefer APPFLEET_RECOVERY_KEY." },
819
+ ],
820
+ examples: ["APPFLEET_MASTER_PASSWORD=demo APPFLEET_RECOVERY_KEY=... appfleet vault recovery rotate"],
821
+ reads: [".appfleet/local-vault.json"],
822
+ writes: [".appfleet/local-vault.json"],
823
+ secretSafety: [
824
+ "Revokes the old active recovery wrapper and records replacement metadata.",
825
+ "Does not print recovery keys, plaintext vault keys, or wrapper internals.",
826
+ ],
827
+ },
828
+ {
829
+ namespace: "vault",
830
+ name: "recovery kit",
831
+ summary: "Show emergency recovery kit metadata without rendering key material.",
832
+ usage: "appfleet vault recovery kit",
833
+ arguments: [],
834
+ options: [],
835
+ examples: ["appfleet vault recovery kit"],
836
+ reads: [".appfleet/local-vault.json"],
837
+ writes: [],
838
+ secretSafety: ["Shows recovery-kit metadata only and never renders recovery-key material."],
839
+ },
840
+ {
841
+ namespace: "vault",
842
+ name: "device-key register",
843
+ summary: "Record metadata for a future device-key unlock path.",
844
+ usage: "appfleet vault device-key register --device <device-id> [--label <label>]",
845
+ arguments: [],
846
+ options: [
847
+ { flags: "--device <device-id>", description: "Stable non-secret device id." },
848
+ { flags: "--label <label>", description: "Non-secret device label." },
849
+ ],
850
+ examples: ["appfleet vault device-key register --device laptop-1 --label work-laptop"],
851
+ reads: [".appfleet/local-vault.json"],
852
+ writes: [".appfleet/local-vault.json"],
853
+ secretSafety: ["Records metadata only; no device private key or plaintext vault key is stored."],
854
+ },
855
+ {
856
+ namespace: "vault",
857
+ name: "keychain status",
858
+ summary: "Record the OS keychain integration boundary.",
859
+ usage: "appfleet vault keychain status [--provider <provider>]",
860
+ arguments: [],
861
+ options: [
862
+ { flags: "--provider <provider>", description: "macos_keychain, windows_credential_manager, or linux_secret_service." },
863
+ ],
864
+ examples: ["appfleet vault keychain status --provider macos_keychain"],
865
+ reads: [".appfleet/local-vault.json"],
866
+ writes: [".appfleet/local-vault.json"],
867
+ secretSafety: ["Records integration status only; AppFleet local JSON never stores OS keychain key material."],
868
+ },
869
+ {
870
+ namespace: "secrets",
871
+ name: "set",
872
+ summary: "Encrypt and store a local secret value by project, environment, and alias.",
873
+ usage: "appfleet secrets set <project> --env <env> --alias <NAME> [options]",
874
+ arguments: ["project: project id."],
875
+ options: [
876
+ { flags: "--env <env>", description: "Environment name." },
877
+ { flags: "--alias <NAME>", description: "Environment variable alias." },
878
+ { flags: "--value <value>", description: "Secret value; prefer APPFLEET_SECRET_VALUE." },
879
+ { flags: "--master-password <password>", description: "Master password; prefer APPFLEET_MASTER_PASSWORD." },
880
+ ],
881
+ examples: [
882
+ "APPFLEET_SECRET_VALUE=... APPFLEET_MASTER_PASSWORD=demo appfleet secrets set atlas-notes --env production --alias SUPABASE_SERVICE_ROLE_KEY",
883
+ ],
884
+ reads: [".appfleet/local-vault.json"],
885
+ writes: [".appfleet/local-vault.json"],
886
+ secretSafety: [
887
+ "Encrypts values before writing the local store.",
888
+ "Does not print secret values or encrypted credential internals.",
889
+ "Prefer APPFLEET_SECRET_VALUE over --value.",
890
+ ],
891
+ },
892
+ {
893
+ namespace: "secrets",
894
+ name: "list",
895
+ summary: "List recorded secret aliases without revealing values.",
896
+ usage: "appfleet secrets list <project> [--env <env>]",
897
+ arguments: ["project: project id."],
898
+ options: [{ flags: "--env <env>", description: "Filter by environment." }],
899
+ examples: ["appfleet secrets list atlas-notes", "appfleet secrets list atlas-notes --env production"],
900
+ reads: [".appfleet/local-vault.json"],
901
+ writes: [],
902
+ secretSafety: ["Shows aliases only; it does not decrypt or print values."],
903
+ },
904
+ {
905
+ namespace: "secrets",
906
+ name: "inject",
907
+ summary: "Decrypt matching local secrets and inject them into one child command.",
908
+ usage: "appfleet secrets inject <project> --env <env> [--master-password <password>] -- <command> [args...]",
909
+ arguments: ["project: project id.", "command: child process to run after --."],
910
+ options: [
911
+ { flags: "--env <env>", description: "Environment name." },
912
+ { flags: "--master-password <password>", description: "Master password; prefer APPFLEET_MASTER_PASSWORD." },
913
+ ],
914
+ examples: [
915
+ "APPFLEET_MASTER_PASSWORD=demo appfleet secrets inject atlas-notes --env production -- node -e \"console.log(process.env.SUPABASE_SERVICE_ROLE_KEY ? 'ok' : 'missing')\"",
916
+ ],
917
+ reads: [".appfleet/local-vault.json"],
918
+ writes: [".appfleet/vault-audit.jsonl"],
919
+ secretSafety: [
920
+ "Writes audit before starting the child process.",
921
+ "Fails closed when unlock, decrypt, or audit writing fails.",
922
+ "Redacts injected secret values from captured child stdout and stderr.",
923
+ "Runs the child with shell:false.",
924
+ ],
925
+ },
926
+ {
927
+ namespace: "secrets",
928
+ name: "upload",
929
+ summary: "Write a zero-knowledge encrypted secret sync package from the local vault.",
930
+ usage: "appfleet secrets upload [--output <path>]",
931
+ arguments: [],
932
+ options: [
933
+ { flags: "--output <path>", description: "Encrypted sync package path; defaults to .appfleet/cloud-secret-sync.json." },
934
+ ],
935
+ examples: [
936
+ "appfleet secrets upload",
937
+ "appfleet secrets upload --output .appfleet/cloud-secret-sync.json",
938
+ ],
939
+ reads: [".appfleet/local-vault.json encrypted credential blobs and encrypted key wrappers"],
940
+ writes: [".appfleet/cloud-secret-sync.json or --output path"],
941
+ secretSafety: [
942
+ "Packages encrypted credential blobs and encrypted key wrappers as opaque base64url payloads with SHA-256 metadata.",
943
+ "Does not decrypt vault contents or print plaintext values.",
944
+ "Does not print encrypted blob ids, key wrapper ids, ciphertext, key material, master passwords, or recovery keys.",
945
+ ],
946
+ },
947
+ {
948
+ namespace: "secrets",
949
+ name: "download",
950
+ summary: "Import a zero-knowledge encrypted secret sync package into the local vault.",
951
+ usage: "appfleet secrets download [--input <path>]",
952
+ arguments: [],
953
+ options: [
954
+ { flags: "--input <path>", description: "Encrypted sync package path; defaults to .appfleet/cloud-secret-sync.json." },
955
+ ],
956
+ examples: [
957
+ "appfleet secrets download",
958
+ "appfleet secrets download --input .appfleet/cloud-secret-sync.json",
959
+ ],
960
+ reads: [".appfleet/local-vault.json", ".appfleet/cloud-secret-sync.json or --input path"],
961
+ writes: [".appfleet/local-vault.json encrypted envelope records only"],
962
+ secretSafety: [
963
+ "Imports encrypted envelopes without decrypting secret values or vault keys.",
964
+ "Fails closed when the package workspace does not match the local vault.",
965
+ "Does not print encrypted blob ids, key wrapper ids, ciphertext, key material, master passwords, recovery keys, or plaintext values.",
966
+ ],
967
+ },
968
+ {
969
+ namespace: "billing",
970
+ name: "plan",
971
+ summary: "Emit a Stripe-ready billing account metadata contract without calling Stripe.",
972
+ usage: "appfleet billing plan [--workspace <workspace-id>] [--plan <free|team|business>] [--json]",
973
+ arguments: [],
974
+ options: [
975
+ { flags: "--workspace <workspace-id>", description: "Workspace id for the metadata contract." },
976
+ { flags: "--plan <plan>", description: "Billing plan metadata to report." },
977
+ { flags: "--json", description: "Emit machine-readable JSON." },
978
+ ],
979
+ examples: [
980
+ "appfleet billing plan --workspace workspace_test --plan team",
981
+ "appfleet billing plan --json",
982
+ ],
983
+ reads: [],
984
+ writes: [],
985
+ secretSafety: [
986
+ "Does not call Stripe or accept payment method details.",
987
+ "Reports safe customer/subscription reference fields only when supplied by future provider wiring.",
988
+ "Fails closed without provider credentials.",
989
+ ],
990
+ },
991
+ {
992
+ namespace: "billing",
993
+ name: "status",
994
+ summary: "Report billing/payment provider readiness without provider calls.",
995
+ usage: "appfleet billing status [--workspace <workspace-id>] [--json]",
996
+ arguments: [],
997
+ options: [
998
+ { flags: "--workspace <workspace-id>", description: "Workspace id for the status report." },
999
+ { flags: "--json", description: "Emit machine-readable JSON." },
1000
+ ],
1001
+ examples: ["appfleet billing status --workspace workspace_test --json"],
1002
+ reads: [],
1003
+ writes: [],
1004
+ secretSafety: [
1005
+ "Does not call Stripe, read credentials, or print provider payloads.",
1006
+ "Does not include payment method details, tokens, card data, or command output.",
1007
+ ],
1008
+ },
1009
+ {
1010
+ namespace: "billing",
1011
+ name: "failures",
1012
+ summary: "Emit fail-closed payment failure detection metadata.",
1013
+ usage: "appfleet billing failures [--workspace <workspace-id>] [--json]",
1014
+ arguments: [],
1015
+ options: [
1016
+ { flags: "--workspace <workspace-id>", description: "Workspace id for the failure detection contract." },
1017
+ { flags: "--json", description: "Emit machine-readable JSON." },
1018
+ ],
1019
+ examples: ["appfleet billing failures --workspace workspace_test --json"],
1020
+ reads: [],
1021
+ writes: [],
1022
+ secretSafety: [
1023
+ "Represents payment failure detection as metadata only.",
1024
+ "Does not store webhook payloads, payment methods, customer secrets, or Stripe credentials.",
1025
+ ],
1026
+ },
1027
+ {
1028
+ namespace: "billing",
1029
+ name: "kms",
1030
+ summary: "Emit customer-managed KMS metadata without key material.",
1031
+ usage: "appfleet billing kms [--workspace <workspace-id>] [--json]",
1032
+ arguments: [],
1033
+ options: [
1034
+ { flags: "--workspace <workspace-id>", description: "Workspace id for the KMS metadata contract." },
1035
+ { flags: "--json", description: "Emit machine-readable JSON." },
1036
+ ],
1037
+ examples: ["appfleet billing kms --workspace workspace_test --json"],
1038
+ reads: [],
1039
+ writes: [],
1040
+ secretSafety: [
1041
+ "Does not ask for or store plaintext key material.",
1042
+ "Does not call customer KMS providers without explicit credentials.",
1043
+ "Stores customer-managed KMS references only.",
1044
+ ],
1045
+ },
1046
+ {
1047
+ namespace: "cost",
1048
+ name: "summary",
1049
+ summary: "Emit cloud-safe cost usage summary metadata.",
1050
+ usage: "appfleet cost summary [--workspace <workspace-id>] [--json]",
1051
+ arguments: [],
1052
+ options: [
1053
+ { flags: "--workspace <workspace-id>", description: "Workspace id for the cost summary." },
1054
+ { flags: "--json", description: "Emit machine-readable JSON." },
1055
+ ],
1056
+ examples: ["appfleet cost summary --workspace workspace_test --json"],
1057
+ reads: [],
1058
+ writes: [],
1059
+ secretSafety: [
1060
+ "Reports usage totals only.",
1061
+ "Does not read provider invoices, payment method data, provider payloads, credentials, or command output.",
1062
+ ],
1063
+ },
1064
+ ];
1065
+ export function findCliCommandDoc(namespace, name) {
1066
+ return cliCommandDocs.find((command) => command.namespace === namespace && command.name === name);
1067
+ }