@appfleet-cli/cli 0.1.1 → 0.1.3

package/dist/appfleet.js

@@ -3370,10 +3370,58 @@ var program = new Command();
 
 // src/appfleet.ts
 import { realpathSync } from "node:fs";
+import { readFile as readFile5 } from "node:fs/promises";
+import { dirname as dirname5, join as join4 } from "node:path";
 import { fileURLToPath } from "node:url";
 
 // src/command-registry.ts
 var cliCommandDocs = [
+  {
+    namespace: "appfleet",
+    name: "login",
+    summary: "Sign in to AppFleet Cloud.",
+    usage: "appfleet login [--workspace <workspace-id>] [--email <email>] [--api-base-url <url>] [--local-test] [--json]",
+    arguments: [],
+    options: [
+      { flags: "--workspace <workspace-id>", description: "Workspace id to sign in to; defaults to workspace_local." },
+      { flags: "--email <email>", description: "Optional non-secret user label for local-test identity metadata." },
+      { flags: "--api-base-url <url>", description: "AppFleet API base URL; overrides APPFLEET_API_BASE_URL and the default https://appfleet.xyz." },
+      { flags: "--local-test", description: "Create local-test session metadata instead of signing in to AppFleet Cloud." },
+      { flags: "--json", description: "Emit machine-readable JSON." }
+    ],
+    examples: [
+      "appfleet login",
+      "appfleet login --workspace workspace_prod",
+      "appfleet login --json"
+    ],
+    reads: [".appfleet/cloud-session.json if it already exists"],
+    writes: [".appfleet/cloud-session.json hosted redacted session metadata with status and expiry", ".appfleet/cloud-auth-token mode-0600 local credential file"],
+    secretSafety: [
+      "Opens the hosted browser auth flow and stores session metadata only.",
+      "The short-lived hosted session token is isolated in a mode-0600 local credential file and is never printed or included in project memory.",
+      "Does not store OAuth refresh material, session cookies, provider credentials, encrypted credential blobs, key wrappers, command output, secret fragments, or secret values."
+    ]
+  },
+  {
+    namespace: "appfleet",
+    name: "logout",
+    summary: "Sign out of AppFleet Cloud.",
+    usage: "appfleet logout [--api-base-url <url>] [--local-test] [--json]",
+    arguments: [],
+    options: [
+      { flags: "--api-base-url <url>", description: "AppFleet API base URL; overrides APPFLEET_API_BASE_URL and the default https://appfleet.xyz." },
+      { flags: "--local-test", description: "Remove local-test session metadata instead of revoking a hosted AppFleet Cloud session." },
+      { flags: "--json", description: "Emit machine-readable JSON." }
+    ],
+    examples: ["appfleet logout", "appfleet logout --json"],
+    reads: [".appfleet/cloud-session.json"],
+    writes: [".appfleet/cloud-session.json and .appfleet/cloud-auth-token are removed when present"],
+    secretSafety: [
+      "Revokes hosted session metadata through AppFleet Cloud when available.",
+      "Removes local hosted session metadata and the local credential file without printing credential material.",
+      "Does not read or print OAuth refresh material, session cookies, provider credentials, encrypted credential blobs, key wrappers, command output, or secret fragments."
+    ]
+  },
   {
     namespace: "appfleet",
     name: "link",
@@ -3389,6 +3437,68 @@ var cliCommandDocs = [
       "Never uploads environment values, credential values, command output, key wrappers, or provider payloads."
     ]
   },
+  {
+    namespace: "appfleet",
+    name: "doctor",
+    summary: "Run safe diagnostics for a remembered project, optionally uploading the report.",
+    usage: "appfleet doctor [project] [--upload] [--json]",
+    arguments: ["project: project id, path, URL, or repo fingerprint; defaults to the current project when resolvable."],
+    options: [
+      { flags: "--upload", description: "Upload the safe doctor report to AppFleet Cloud after the local check." },
+      { flags: "--json", description: "Emit machine-readable JSON." }
+    ],
+    examples: [
+      "appfleet doctor appfleet-demo",
+      "appfleet doctor .",
+      "appfleet doctor appfleet-demo --upload"
+    ],
+    reads: [".appfleet/project-memory.json", ".appfleet/cloud-session.json when --upload is used"],
+    writes: [".appfleet/project-memory.json latest safe doctor evidence", ".appfleet/cloud-metadata-sync.json when --upload is used"],
+    secretSafety: [
+      "Runs safe URL and metadata checks only.",
+      "Uploads safe project metadata and doctor evidence only when --upload is passed.",
+      "Never reads .env files or uploads environment values, credential values, command output, key wrappers, or provider payloads."
+    ]
+  },
+  {
+    namespace: "appfleet",
+    name: "workspaces",
+    summary: "List AppFleet Cloud workspaces available to the signed-in user.",
+    usage: "appfleet workspaces [--api-base-url <url>] [--json]",
+    arguments: [],
+    options: [
+      { flags: "--api-base-url <url>", description: "AppFleet API base URL; overrides APPFLEET_API_BASE_URL and the default https://appfleet.xyz." },
+      { flags: "--json", description: "Emit machine-readable JSON." }
+    ],
+    examples: ["appfleet workspaces", "appfleet workspaces --json"],
+    reads: [".appfleet/cloud-session.json", ".appfleet/cloud-auth-token"],
+    writes: [],
+    secretSafety: [
+      "Uses the active hosted AppFleet session to list workspace metadata.",
+      "Does not print auth tokens, cookies, provider credentials, environment values, or secret fragments."
+    ]
+  },
+  {
+    namespace: "appfleet",
+    name: "workspace",
+    summary: "Show or change the active AppFleet Cloud workspace.",
+    usage: "appfleet workspace current|list|use <workspace-id> [--json]",
+    arguments: [],
+    options: [
+      { flags: "--json", description: "Emit machine-readable JSON." }
+    ],
+    examples: [
+      "appfleet workspace current",
+      "appfleet workspace list",
+      "appfleet workspace use workspace_prod"
+    ],
+    reads: [".appfleet/cloud-session.json", ".appfleet/cloud-auth-token"],
+    writes: [".appfleet/cloud-session.json and .appfleet/cloud-auth-token when using a workspace"],
+    secretSafety: [
+      "Workspace use runs the hosted AppFleet login flow for the selected workspace.",
+      "Stores active workspace session metadata only and never prints auth tokens, cookies, provider credentials, or secret fragments."
+    ]
+  },
   {
     namespace: "appfleet",
     name: "init",
@@ -3421,20 +3531,21 @@ var cliCommandDocs = [
   {
     namespace: "auth",
     name: "login",
-    summary: "Create local-test session metadata by default, or hosted session metadata when production cloud is explicitly enabled.",
-    usage: "appfleet auth login [--workspace <workspace-id>] [--email <email>] [--production-cloud] [--api-base-url <url>] [--json]",
+    summary: "Sign in to AppFleet Cloud; use --local-test for local scaffold sessions.",
+    usage: "appfleet auth login [--workspace <workspace-id>] [--email <email>] [--api-base-url <url>] [--local-test] [--json]",
     arguments: [],
     options: [
       { flags: "--workspace <workspace-id>", description: "Workspace id for local-test or hosted session metadata." },
       { flags: "--email <email>", description: "Optional non-secret user label for local-test identity or hosted login metadata." },
-      { flags: "--production-cloud", description: "Explicitly use hosted auth mode; also requires API/auth env config." },
-      { flags: "--api-base-url <url>", description: "Production AppFleet API base URL; overrides APPFLEET_API_BASE_URL." },
+      { flags: "--local-test", description: "Create local-test session metadata instead of signing in to AppFleet Cloud." },
+      { flags: "--production-cloud", description: "Deprecated compatibility flag; hosted AppFleet Cloud is already the default." },
+      { flags: "--api-base-url <url>", description: "Production AppFleet API base URL; overrides APPFLEET_API_BASE_URL and the default https://appfleet.xyz." },
       { flags: "--json", description: "Emit machine-readable JSON." }
     ],
     examples: [
-      "appfleet auth login --workspace workspace_test",
-      "appfleet auth login --workspace workspace_test --email demo@example.com --json",
-      "APPFLEET_API_BASE_URL=https://appfleet.xyz appfleet auth login --production-cloud --workspace workspace_prod --json"
+      "appfleet login",
+      "appfleet auth login --workspace workspace_prod --json",
+      "appfleet auth login --local-test --workspace workspace_test --email demo@example.com --json"
     ],
     reads: [".appfleet/cloud-session.json if it already exists"],
     writes: [".appfleet/cloud-session.json local-test or hosted redacted session metadata with status and expiry"],
@@ -3447,18 +3558,19 @@ var cliCommandDocs = [
   {
     namespace: "auth",
     name: "logout",
-    summary: "Log out of local-test session metadata by default, or revoke hosted session metadata when production cloud is explicitly enabled.",
-    usage: "appfleet auth logout [--production-cloud] [--api-base-url <url>] [--json]",
+    summary: "Sign out of AppFleet Cloud; use --local-test for local scaffold sessions.",
+    usage: "appfleet auth logout [--api-base-url <url>] [--local-test] [--json]",
     arguments: [],
     options: [
-      { flags: "--production-cloud", description: "Explicitly use hosted logout mode; also requires API/auth env config and hosted session metadata." },
-      { flags: "--api-base-url <url>", description: "Production AppFleet API base URL; overrides APPFLEET_API_BASE_URL." },
+      { flags: "--local-test", description: "Remove local-test session metadata instead of revoking a hosted AppFleet Cloud session." },
+      { flags: "--production-cloud", description: "Deprecated compatibility flag; hosted AppFleet Cloud is already the default." },
+      { flags: "--api-base-url <url>", description: "Production AppFleet API base URL; overrides APPFLEET_API_BASE_URL and the default https://appfleet.xyz." },
       { flags: "--json", description: "Emit machine-readable JSON." }
     ],
     examples: [
-      "appfleet auth logout",
+      "appfleet logout",
       "appfleet auth logout --json",
-      "APPFLEET_API_BASE_URL=https://appfleet.xyz appfleet auth logout --production-cloud --json"
+      "appfleet auth logout --local-test --json"
     ],
     reads: [".appfleet/cloud-session.json"],
     writes: [".appfleet/cloud-session.json is removed when present; JSON output includes a safe logged_out/not_found/missing_hosted_session status"],
@@ -3476,23 +3588,23 @@ var cliCommandDocs = [
     arguments: [],
     options: [
       { flags: "--workspace <workspace-id>", description: "Workspace id for the local-test sync store." },
-      { flags: "--production-cloud", description: "Explicitly use production cloud mode; also requires API/auth env config." },
-      { flags: "--api-base-url <url>", description: "Production AppFleet API base URL; overrides APPFLEET_API_BASE_URL." },
+      { flags: "--production-cloud", description: "Explicitly use production cloud mode against AppFleet Cloud." },
+      { flags: "--api-base-url <url>", description: "Production AppFleet API base URL; overrides APPFLEET_API_BASE_URL and the default https://appfleet.xyz." },
       { flags: "--idempotency-key <key>", description: "Override the production metadata sync idempotency key; retries reuse the same key." },
       { flags: "--json", description: "Emit machine-readable JSON." }
     ],
     examples: [
       "appfleet cloud sync",
       "appfleet cloud sync --workspace workspace_test --json",
-      "APPFLEET_PRODUCTION_CLOUD_ENABLED=true APPFLEET_API_BASE_URL=https://appfleet.xyz APPFLEET_CLOUD_AUTH_TOKEN=<redacted> appfleet cloud sync --workspace <workspace-id> --json",
-      "APPFLEET_API_BASE_URL=https://appfleet.xyz appfleet cloud sync --production-cloud --workspace <workspace-id> --json"
+      "APPFLEET_PRODUCTION_CLOUD_ENABLED=true APPFLEET_CLOUD_AUTH_TOKEN=<redacted> appfleet cloud sync --workspace <workspace-id> --json",
+      "appfleet cloud sync --production-cloud --workspace <workspace-id> --json"
     ],
     reads: [".appfleet/cloud-session.json", ".appfleet/project-memory.json", ".appfleet/cloud-metadata-sync.json"],
     writes: [".appfleet/cloud-metadata-sync.json", ".appfleet/project-memory.json lastSyncedAt for accepted projects"],
     secretSafety: [
       "Chooses local-test mode by default; production mode requires --production-cloud, APPFLEET_PRODUCTION_CLOUD_ENABLED=true, or APPFLEET_CLOUD_MODE=production.",
-      "In production mode, fails closed when APPFLEET_API_BASE_URL/--api-base-url or APPFLEET_CLOUD_AUTH_TOKEN is missing.",
-      "Production metadata sync posts to /api/workspaces/<workspace-id>/metadata-sync on the configured AppFleet web API base URL.",
+      "In production mode, defaults to https://appfleet.xyz and fails closed when APPFLEET_CLOUD_AUTH_TOKEN is missing.",
+      "Production metadata sync posts to /api/workspaces/<workspace-id>/metadata-sync on the configured or default AppFleet web API base URL.",
       "Production metadata sync sends redacted auth reporting plus an idempotency key, workspace id, and project metadata envelopes.",
       "Production metadata sync retries safe transient transport failures with the same idempotency key.",
       "Persists local-test and production sync metadata, project ids, fingerprints, durable queue status, idempotency metadata, and conflict reports only.",
@@ -3508,23 +3620,23 @@ var cliCommandDocs = [
     arguments: [],
     options: [
       { flags: "--workspace <workspace-id>", description: "Workspace id for the local-test sync store." },
-      { flags: "--production-cloud", description: "Explicitly use production cloud mode; also requires API/auth env config." },
-      { flags: "--api-base-url <url>", description: "Production AppFleet API base URL; overrides APPFLEET_API_BASE_URL." },
+      { flags: "--production-cloud", description: "Explicitly use production cloud mode against AppFleet Cloud." },
+      { flags: "--api-base-url <url>", description: "Production AppFleet API base URL; overrides APPFLEET_API_BASE_URL and the default https://appfleet.xyz." },
       { flags: "--idempotency-key <key>", description: "Override the production metadata sync idempotency key; retries reuse the same key." },
       { flags: "--json", description: "Emit machine-readable JSON." }
     ],
     examples: [
       "appfleet cloud metadata-sync",
       "appfleet cloud metadata-sync --workspace workspace_test --json",
-      "APPFLEET_CLOUD_MODE=production APPFLEET_API_BASE_URL=https://appfleet.xyz APPFLEET_CLOUD_AUTH_TOKEN=<redacted> appfleet cloud metadata-sync --workspace <workspace-id> --json",
-      "APPFLEET_API_BASE_URL=https://appfleet.xyz appfleet cloud metadata-sync --production-cloud --workspace <workspace-id> --json"
+      "APPFLEET_CLOUD_MODE=production APPFLEET_CLOUD_AUTH_TOKEN=<redacted> appfleet cloud metadata-sync --workspace <workspace-id> --json",
+      "appfleet cloud metadata-sync --production-cloud --workspace <workspace-id> --json"
     ],
     reads: [".appfleet/cloud-session.json", ".appfleet/project-memory.json", ".appfleet/cloud-metadata-sync.json"],
     writes: [".appfleet/cloud-metadata-sync.json", ".appfleet/project-memory.json lastSyncedAt for accepted projects"],
     secretSafety: [
       "Chooses local-test mode by default; production mode requires --production-cloud, APPFLEET_PRODUCTION_CLOUD_ENABLED=true, or APPFLEET_CLOUD_MODE=production.",
-      "In production mode, fails closed when APPFLEET_API_BASE_URL/--api-base-url or APPFLEET_CLOUD_AUTH_TOKEN is missing.",
-      "Production metadata sync posts to /api/workspaces/<workspace-id>/metadata-sync on the configured AppFleet web API base URL.",
+      "In production mode, defaults to https://appfleet.xyz and fails closed when APPFLEET_CLOUD_AUTH_TOKEN is missing.",
+      "Production metadata sync posts to /api/workspaces/<workspace-id>/metadata-sync on the configured or default AppFleet web API base URL.",
       "Production metadata sync sends redacted auth reporting plus an idempotency key, workspace id, and project metadata envelopes.",
       "Production metadata sync retries safe transient transport failures with the same idempotency key.",
       "Persists local-test and production sync metadata, project ids, fingerprints, durable queue status, idempotency metadata, and conflict reports only.",
@@ -8093,7 +8205,7 @@ function defaultProjectMemoryStorePath(cwd) {
 function errorMessage2(error) {
   return error instanceof Error ? error.message : String(error);
 }
-if (import.meta.url === `file://${process.argv[1]}`) {
+if (import.meta.url.endsWith("/project-memory.ts") && import.meta.url === `file://${process.argv[1]}`) {
   const result = await runProjectMemoryCommand(process.argv.slice(2), {
     storePath: process.env.APPFLEET_PROJECT_MEMORY_STORE_PATH,
     currentGitRemoteFingerprint: process.env.APPFLEET_GIT_REMOTE_FINGERPRINT
@@ -8104,6 +8216,7 @@ if (import.meta.url === `file://${process.argv[1]}`) {
 }
 
 // src/cloud-session.ts
+var DEFAULT_PRODUCTION_API_BASE_URL = "https://appfleet.xyz";
 async function runCloudSessionCommand(argv, options = {}) {
   const now = options.now ?? (() => /* @__PURE__ */ new Date());
   let env = options.env ?? process.env;
@@ -8172,7 +8285,7 @@ async function runCloudSessionCommand(argv, options = {}) {
           createdAt: createdAt3,
           result: authResult
         });
-        const localAuthToken = authResult.authToken ?? authResult.sessionId;
+        const localAuthToken = authResult.sessionId ?? authResult.authToken;
         if (localAuthToken) {
           await writeAuthToken(authTokenPath, localAuthToken);
         }
@@ -8792,7 +8905,7 @@ function parseCloudSessionCommand(argv, env) {
         action,
         workspaceId: readFlag4(normalizedArgv, "--workspace") ?? "workspace_local",
         email: readFlag4(normalizedArgv, "--email"),
-        productionCloud: cloudProductionFlag(normalizedArgv, env),
+        productionCloud: cloudProductionFlag(normalizedArgv, env, true),
         productionCloudSource: cloudProductionSource(normalizedArgv, env),
         apiBaseUrl: readFlag4(normalizedArgv, "--api-base-url"),
         outputFormat
@@ -8802,7 +8915,7 @@ function parseCloudSessionCommand(argv, env) {
       return {
         namespace,
         action,
-        productionCloud: cloudProductionFlag(normalizedArgv, env),
+        productionCloud: cloudProductionFlag(normalizedArgv, env, true),
         productionCloudSource: cloudProductionSource(normalizedArgv, env),
         apiBaseUrl: readFlag4(normalizedArgv, "--api-base-url"),
         outputFormat
@@ -9110,23 +9223,35 @@ function createZeroSecretBoundary() {
     storesSecretFragments: false
   };
 }
-function cloudProductionFlag(argv, env) {
+function cloudProductionFlag(argv, env, defaultProduction = false) {
+  if (hasFlag2(argv, "--local-test")) {
+    return false;
+  }
   if (hasFlag2(argv, "--production-cloud")) {
     return true;
   }
-  return env.APPFLEET_PRODUCTION_CLOUD_ENABLED === "true" || env.APPFLEET_CLOUD_MODE === "production";
+  if (env.APPFLEET_CLOUD_MODE === "local-test") {
+    return false;
+  }
+  return env.APPFLEET_PRODUCTION_CLOUD_ENABLED === "true" || env.APPFLEET_CLOUD_MODE === "production" || defaultProduction;
 }
 function cloudProductionSource(argv, env) {
+  if (hasFlag2(argv, "--local-test")) {
+    return "flag";
+  }
   if (hasFlag2(argv, "--production-cloud")) {
     return "flag";
   }
+  if (env.APPFLEET_CLOUD_MODE === "local-test") {
+    return "env";
+  }
   if (productionEnvEnabled(env)) {
     return "env";
   }
   return "default";
 }
 function resolveProductionCloudConfig(parsed, env) {
-  const apiBaseUrl = parsed.apiBaseUrl ?? env.APPFLEET_API_BASE_URL;
+  const apiBaseUrl = parsed.apiBaseUrl ?? env.APPFLEET_API_BASE_URL ?? DEFAULT_PRODUCTION_API_BASE_URL;
   return {
     enabled: parsed.productionCloud,
     apiBaseUrl,
@@ -9134,7 +9259,7 @@ function resolveProductionCloudConfig(parsed, env) {
     databaseDsn: env.APPFLEET_DATABASE_URL,
     sources: {
       enabled: parsed.productionCloudSource,
-      apiBaseUrl: parsed.apiBaseUrl ? "flag" : env.APPFLEET_API_BASE_URL ? "env" : "missing",
+      apiBaseUrl: parsed.apiBaseUrl ? "flag" : env.APPFLEET_API_BASE_URL ? "env" : "default",
       authToken: env.APPFLEET_CLOUD_AUTH_TOKEN ? env.APPFLEET_CLOUD_AUTH_TOKEN_SOURCE === "device_store" ? "device_store" : "env" : "missing",
       databaseDsn: env.APPFLEET_DATABASE_URL ? "env" : "missing"
     }
@@ -9145,14 +9270,11 @@ function productionEnvEnabled(env) {
 }
 function missingProductionConfig(config) {
   return [
-    config.apiBaseUrl ? void 0 : "APPFLEET_API_BASE_URL or --api-base-url",
     config.authToken ? void 0 : "APPFLEET_CLOUD_AUTH_TOKEN"
   ].filter((value) => value !== void 0);
 }
 function missingProductionAuthConfig(config) {
-  return [
-    config.apiBaseUrl ? void 0 : "APPFLEET_API_BASE_URL or --api-base-url"
-  ].filter((value) => value !== void 0);
+  return [];
 }
 function resolveHostedAuthTimeoutMs(env, override) {
   const raw = override ?? Number.parseInt(env.APPFLEET_HOSTED_AUTH_TIMEOUT_MS ?? "", 10);
@@ -11461,7 +11583,7 @@ function commandError(error) {
     childStarted: false
   };
 }
-if (import.meta.url === `file://${process.argv[1]}`) {
+if (import.meta.url.endsWith("/local-vault.ts") && import.meta.url === `file://${process.argv[1]}`) {
   const result = await runLocalVaultCommand(process.argv.slice(2));
   process.stdout.write(result.stdout);
   process.stderr.write(result.stderr);
@@ -11888,6 +12010,7 @@ var namespaces = [
   "vault",
   "secrets"
 ];
+var DEFAULT_PRODUCTION_API_BASE_URL2 = "https://appfleet.xyz";
 async function runAppFleetCli(argv) {
   const normalizedArgv = argv[0] === "--" ? argv.slice(1) : argv;
   if (shouldShowHelp(normalizedArgv)) {
@@ -11901,6 +12024,61 @@ async function runAppFleetCli(argv) {
     return 0;
   }
   const namespace = normalizedArgv[0];
+  if (namespace === "login" || namespace === "logout") {
+    const result = await runCloudSessionCommand(
+      ["auth", namespace, ...normalizedArgv.slice(1)],
+      cloudCommandOptions()
+    );
+    process.stdout.write(result.stdout);
+    process.stderr.write(result.stderr);
+    return result.exitCode;
+  }
+  if (namespace === "workspaces") {
+    const result = await runWorkspaceListCommand(normalizedArgv.slice(1));
+    process.stdout.write(result.stdout);
+    process.stderr.write(result.stderr);
+    return result.exitCode;
+  }
+  if (namespace === "workspace") {
+    const action = normalizedArgv[1] ?? "current";
+    if (action === "use") {
+      const workspaceId = normalizedArgv[2] ?? readFlag9(normalizedArgv, "--workspace");
+      if (!workspaceId) {
+        process.stderr.write("AppFleet workspace failed: usage: appfleet workspace use <workspace-id> [--json]\n");
+        return 1;
+      }
+      const result = await runCloudSessionCommand(
+        [
+          "auth",
+          "login",
+          "--workspace",
+          workspaceId,
+          ...normalizedArgv.includes("--json") ? ["--json"] : []
+        ],
+        cloudCommandOptions()
+      );
+      process.stdout.write(result.stdout);
+      process.stderr.write(result.stderr);
+      return result.exitCode;
+    }
+    if (action === "current") {
+      const result = await runWorkspaceCurrentCommand(normalizedArgv.slice(2));
+      process.stdout.write(result.stdout);
+      process.stderr.write(result.stderr);
+      return result.exitCode;
+    }
+    if (action === "list") {
+      const result = await runWorkspaceListCommand(normalizedArgv.slice(2));
+      process.stdout.write(result.stdout);
+      process.stderr.write(result.stderr);
+      return result.exitCode;
+    }
+    process.stderr.write(
+      `AppFleet workspace failed: unknown workspace command "${action}"
+`
+    );
+    return 1;
+  }
   if (namespace === "init") {
     const result = await runFirstRunSetup(normalizedArgv.slice(1));
     process.stdout.write(result.stdout);
@@ -11921,6 +12099,20 @@ async function runAppFleetCli(argv) {
     process.stderr.write(result.stderr);
     return result.exitCode;
   }
+  if (namespace === "doctor") {
+    const args = ["projects", "doctor", ...normalizedArgv.slice(1)];
+    if (normalizedArgv.includes("--upload")) {
+      return runDoctorAndUpload(args);
+    }
+    const result = await runProjectMemoryCommand(args, {
+      storePath: process.env.APPFLEET_PROJECT_MEMORY_STORE_PATH,
+      currentGitRemoteFingerprint: process.env.APPFLEET_GIT_REMOTE_FINGERPRINT,
+      projectRoot: process.env.INIT_CWD
+    });
+    process.stdout.write(result.stdout);
+    process.stderr.write(result.stderr);
+    return result.exitCode;
+  }
   if (namespace === "projects") {
     if (normalizedArgv[1] === "doctor" && normalizedArgv.includes("--upload")) {
       return runDoctorAndUpload(normalizedArgv);
@@ -11991,7 +12183,7 @@ async function runAppFleetCli(argv) {
 }
 function createAppFleetProgram() {
   const program2 = new Command();
-  program2.name("appfleet").description("Local AppFleet recovery cockpit and encrypted secret injection CLI.").showHelpAfterError().configureHelp({ sortSubcommands: true, sortOptions: true });
+  program2.name("appfleet").description("AppFleet Cloud CLI for remembering, diagnosing, and recovering projects.").showHelpAfterError().configureHelp({ sortSubcommands: true, sortOptions: true });
   const initDoc = findCliCommandDoc("appfleet", "init");
   if (initDoc) {
     program2.addCommand(commandFromDoc(initDoc));
@@ -12000,6 +12192,26 @@ function createAppFleetProgram() {
   if (linkDoc) {
     program2.addCommand(commandFromDoc(linkDoc));
   }
+  const loginDoc = findCliCommandDoc("appfleet", "login");
+  if (loginDoc) {
+    program2.addCommand(commandFromDoc(loginDoc));
+  }
+  const logoutDoc = findCliCommandDoc("appfleet", "logout");
+  if (logoutDoc) {
+    program2.addCommand(commandFromDoc(logoutDoc));
+  }
+  const doctorDoc = findCliCommandDoc("appfleet", "doctor");
+  if (doctorDoc) {
+    program2.addCommand(commandFromDoc(doctorDoc));
+  }
+  const workspacesDoc = findCliCommandDoc("appfleet", "workspaces");
+  if (workspacesDoc) {
+    program2.addCommand(commandFromDoc(workspacesDoc));
+  }
+  const workspaceDoc = findCliCommandDoc("appfleet", "workspace");
+  if (workspaceDoc) {
+    program2.addCommand(commandFromDoc(workspaceDoc));
+  }
   for (const namespace of namespaces) {
     const namespaceCommand = new Command(namespace).description(
       namespaceDescription(namespace)
@@ -12022,6 +12234,139 @@ function cloudCommandOptions() {
     env: process.env
   };
 }
+async function runWorkspaceCurrentCommand(argv) {
+  const outputFormat = argv.includes("--json") ? "json" : "human";
+  const session = await readHostedSession();
+  if (!session) {
+    const document2 = {
+      type: "appfleet_active_workspace_result",
+      version: 1,
+      status: "not_logged_in",
+      activeWorkspaceId: void 0,
+      next: "Run appfleet login."
+    };
+    return {
+      exitCode: 1,
+      stdout: outputFormat === "json" ? `${JSON.stringify(document2, null, 2)}
+` : "",
+      stderr: outputFormat === "json" ? "" : "AppFleet workspace failed: not logged in. Run appfleet login.\n"
+    };
+  }
+  const document = {
+    type: "appfleet_active_workspace_result",
+    version: 1,
+    status: "ok",
+    activeWorkspaceId: session.workspaceId,
+    user: session.user,
+    expiresAt: session.expiresAt
+  };
+  return {
+    exitCode: 0,
+    stdout: outputFormat === "json" ? `${JSON.stringify(document, null, 2)}
+` : `Active workspace: ${session.workspaceId}
+`,
+    stderr: ""
+  };
+}
+async function runWorkspaceListCommand(argv) {
+  const outputFormat = argv.includes("--json") ? "json" : "human";
+  const session = await readHostedSession();
+  const authToken = await readWorkspaceAuthToken();
+  if (!session || !authToken) {
+    const document2 = {
+      type: "appfleet_workspace_list_result",
+      version: 1,
+      status: "not_logged_in",
+      workspaces: [],
+      next: "Run appfleet login."
+    };
+    return {
+      exitCode: 1,
+      stdout: outputFormat === "json" ? `${JSON.stringify(document2, null, 2)}
+` : "",
+      stderr: outputFormat === "json" ? "" : "AppFleet workspaces failed: not logged in. Run appfleet login.\n"
+    };
+  }
+  const apiBaseUrl = readFlag9(argv, "--api-base-url") ?? process.env.APPFLEET_API_BASE_URL ?? DEFAULT_PRODUCTION_API_BASE_URL2;
+  const url = new URL("/api/workspaces", apiBaseUrl);
+  url.searchParams.set("workspaceId", session.workspaceId);
+  const response = await fetch(url, {
+    headers: {
+      Accept: "application/json",
+      "X-AppFleet-Hosted-Session": authToken,
+      "X-AppFleet-Workspace-Id": session.workspaceId
+    }
+  });
+  if (!response.ok) {
+    const document2 = {
+      type: "appfleet_workspace_list_result",
+      version: 1,
+      status: "request_failed",
+      httpStatusCode: response.status,
+      activeWorkspaceId: session.workspaceId,
+      workspaces: []
+    };
+    return {
+      exitCode: 1,
+      stdout: outputFormat === "json" ? `${JSON.stringify(document2, null, 2)}
+` : "",
+      stderr: outputFormat === "json" ? "" : `AppFleet workspaces failed: cloud request returned HTTP ${response.status}.
+`
+    };
+  }
+  const parsed = await response.json();
+  const workspaces = parsed.data?.workspaces ?? [];
+  const document = {
+    type: "appfleet_workspace_list_result",
+    version: 1,
+    status: "ok",
+    activeWorkspaceId: session.workspaceId,
+    workspaces: workspaces.map((workspace) => ({
+      ...workspace,
+      active: workspace.id === session.workspaceId
+    }))
+  };
+  return {
+    exitCode: 0,
+    stdout: outputFormat === "json" ? `${JSON.stringify(document, null, 2)}
+` : formatWorkspaceList(document),
+    stderr: ""
+  };
+}
+function formatWorkspaceList(document) {
+  if (document.workspaces.length === 0) {
+    return "No workspaces found.\n";
+  }
+  return `${document.workspaces.map(
+    (workspace) => `${workspace.active ? "*" : " "} ${workspace.name} (${workspace.id})`
+  ).join("\n")}
+`;
+}
+async function readHostedSession() {
+  try {
+    const parsed = JSON.parse(await readFile5(defaultCliSessionPath(), "utf8"));
+    if (!parsed.workspaceId) return void 0;
+    return {
+      type: parsed.type,
+      workspaceId: parsed.workspaceId,
+      user: parsed.user,
+      expiresAt: parsed.expiresAt
+    };
+  } catch {
+    return void 0;
+  }
+}
+async function readWorkspaceAuthToken() {
+  try {
+    const token = await readFile5(join4(dirname5(defaultCliSessionPath()), "cloud-auth-token"), "utf8");
+    return token.trim() || void 0;
+  } catch {
+    return void 0;
+  }
+}
+function defaultCliSessionPath() {
+  return process.env.APPFLEET_CLOUD_SESSION_PATH ?? join4(process.env.INIT_CWD ?? process.cwd(), ".appfleet", "cloud-session.json");
+}
 async function runDoctorAndUpload(argv) {
   const doctorArgs = argv.filter((argument) => argument !== "--upload");
   if (!doctorArgs.includes("--json")) doctorArgs.push("--json");
@@ -12198,9 +12543,9 @@ function namespaceDescription(namespace) {
     case "projects":
       return "Remember projects, summarize recovery status, and run safe diagnostics.";
     case "auth":
-      return "Manage local-test hosted auth session metadata.";
+      return "Manage AppFleet Cloud login sessions.";
     case "cloud":
-      return "Prepare cloud-safe metadata sync envelopes for V1 scaffold flows.";
+      return "Sync cloud-safe metadata with AppFleet Cloud.";
     case "providers":
       return "Inspect provider integration contracts and fail-closed discovery scaffolds.";
     case "ops":

package/dist/cloud-session.d.ts

@@ -24,7 +24,7 @@ type ProductionCloudConfig = {
     databaseDsn?: string;
     sources: {
         enabled: "flag" | "env" | "default";
-        apiBaseUrl: "flag" | "env" | "missing";
+        apiBaseUrl: "flag" | "env" | "default" | "missing";
         authToken: "env" | "device_store" | "missing";
         databaseDsn: "env" | "missing";
     };

package/dist/cloud-session.js

@@ -5,6 +5,7 @@ import { dirname, join } from "node:path";
 import { spawn } from "node:child_process";
 import { createAppProjectMemory, createCloudSyncMetadata, createCloudSyncRuntimeConflictState, createLocalMetadataSyncQueueEntry, createProjectMemorySyncRequest, createProjectMemorySyncResult, } from "@appfleet/domain";
 import { readProjectMemories, writeProjectMemories } from "./project-memory.js";
+const DEFAULT_PRODUCTION_API_BASE_URL = "https://appfleet.xyz";
 export async function runCloudSessionCommand(argv, options = {}) {
     const now = options.now ?? (() => new Date());
     let env = options.env ?? process.env;
@@ -72,7 +73,7 @@ export async function runCloudSessionCommand(argv, options = {}) {
                     createdAt,
                     result: authResult,
                 });
-                const localAuthToken = authResult.authToken ?? authResult.sessionId;
+                const localAuthToken = authResult.sessionId ?? authResult.authToken;
                 if (localAuthToken) {
                     await writeAuthToken(authTokenPath, localAuthToken);
                 }
@@ -706,7 +707,7 @@ function parseCloudSessionCommand(argv, env) {
                 action,
                 workspaceId: readFlag(normalizedArgv, "--workspace") ?? "workspace_local",
                 email: readFlag(normalizedArgv, "--email"),
-                productionCloud: cloudProductionFlag(normalizedArgv, env),
+                productionCloud: cloudProductionFlag(normalizedArgv, env, true),
                 productionCloudSource: cloudProductionSource(normalizedArgv, env),
                 apiBaseUrl: readFlag(normalizedArgv, "--api-base-url"),
                 outputFormat,
@@ -716,7 +717,7 @@ function parseCloudSessionCommand(argv, env) {
             return {
                 namespace,
                 action,
-                productionCloud: cloudProductionFlag(normalizedArgv, env),
+                productionCloud: cloudProductionFlag(normalizedArgv, env, true),
                 productionCloudSource: cloudProductionSource(normalizedArgv, env),
                 apiBaseUrl: readFlag(normalizedArgv, "--api-base-url"),
                 outputFormat,
@@ -1014,24 +1015,37 @@ function createZeroSecretBoundary() {
         storesSecretFragments: false,
     };
 }
-function cloudProductionFlag(argv, env) {
+function cloudProductionFlag(argv, env, defaultProduction = false) {
+    if (hasFlag(argv, "--local-test")) {
+        return false;
+    }
     if (hasFlag(argv, "--production-cloud")) {
         return true;
     }
+    if (env.APPFLEET_CLOUD_MODE === "local-test") {
+        return false;
+    }
     return (env.APPFLEET_PRODUCTION_CLOUD_ENABLED === "true" ||
-        env.APPFLEET_CLOUD_MODE === "production");
+        env.APPFLEET_CLOUD_MODE === "production" ||
+        defaultProduction);
 }
 function cloudProductionSource(argv, env) {
+    if (hasFlag(argv, "--local-test")) {
+        return "flag";
+    }
     if (hasFlag(argv, "--production-cloud")) {
         return "flag";
     }
+    if (env.APPFLEET_CLOUD_MODE === "local-test") {
+        return "env";
+    }
     if (productionEnvEnabled(env)) {
         return "env";
     }
     return "default";
 }
 function resolveProductionCloudConfig(parsed, env) {
-    const apiBaseUrl = parsed.apiBaseUrl ?? env.APPFLEET_API_BASE_URL;
+    const apiBaseUrl = parsed.apiBaseUrl ?? env.APPFLEET_API_BASE_URL ?? DEFAULT_PRODUCTION_API_BASE_URL;
     return {
         enabled: parsed.productionCloud,
         apiBaseUrl,
@@ -1043,7 +1057,7 @@ function resolveProductionCloudConfig(parsed, env) {
                 ? "flag"
                 : env.APPFLEET_API_BASE_URL
                     ? "env"
-                    : "missing",
+                    : "default",
             authToken: env.APPFLEET_CLOUD_AUTH_TOKEN
                 ? env.APPFLEET_CLOUD_AUTH_TOKEN_SOURCE === "device_store"
                     ? "device_store"
@@ -1059,14 +1073,11 @@ function productionEnvEnabled(env) {
 }
 function missingProductionConfig(config) {
     return [
-        config.apiBaseUrl ? undefined : "APPFLEET_API_BASE_URL or --api-base-url",
         config.authToken ? undefined : "APPFLEET_CLOUD_AUTH_TOKEN",
     ].filter((value) => value !== undefined);
 }
 function missingProductionAuthConfig(config) {
-    return [
-        config.apiBaseUrl ? undefined : "APPFLEET_API_BASE_URL or --api-base-url",
-    ].filter((value) => value !== undefined);
+    return [];
 }
 function resolveHostedAuthTimeoutMs(env, override) {
     const raw = override ?? Number.parseInt(env.APPFLEET_HOSTED_AUTH_TIMEOUT_MS ?? "", 10);

package/dist/command-registry.js

@@ -1,4 +1,50 @@
 export const cliCommandDocs = [
+    {
+        namespace: "appfleet",
+        name: "login",
+        summary: "Sign in to AppFleet Cloud.",
+        usage: "appfleet login [--workspace <workspace-id>] [--email <email>] [--api-base-url <url>] [--local-test] [--json]",
+        arguments: [],
+        options: [
+            { flags: "--workspace <workspace-id>", description: "Workspace id to sign in to; defaults to workspace_local." },
+            { flags: "--email <email>", description: "Optional non-secret user label for local-test identity metadata." },
+            { flags: "--api-base-url <url>", description: "AppFleet API base URL; overrides APPFLEET_API_BASE_URL and the default https://appfleet.xyz." },
+            { flags: "--local-test", description: "Create local-test session metadata instead of signing in to AppFleet Cloud." },
+            { flags: "--json", description: "Emit machine-readable JSON." },
+        ],
+        examples: [
+            "appfleet login",
+            "appfleet login --workspace workspace_prod",
+            "appfleet login --json",
+        ],
+        reads: [".appfleet/cloud-session.json if it already exists"],
+        writes: [".appfleet/cloud-session.json hosted redacted session metadata with status and expiry", ".appfleet/cloud-auth-token mode-0600 local credential file"],
+        secretSafety: [
+            "Opens the hosted browser auth flow and stores session metadata only.",
+            "The short-lived hosted session token is isolated in a mode-0600 local credential file and is never printed or included in project memory.",
+            "Does not store OAuth refresh material, session cookies, provider credentials, encrypted credential blobs, key wrappers, command output, secret fragments, or secret values.",
+        ],
+    },
+    {
+        namespace: "appfleet",
+        name: "logout",
+        summary: "Sign out of AppFleet Cloud.",
+        usage: "appfleet logout [--api-base-url <url>] [--local-test] [--json]",
+        arguments: [],
+        options: [
+            { flags: "--api-base-url <url>", description: "AppFleet API base URL; overrides APPFLEET_API_BASE_URL and the default https://appfleet.xyz." },
+            { flags: "--local-test", description: "Remove local-test session metadata instead of revoking a hosted AppFleet Cloud session." },
+            { flags: "--json", description: "Emit machine-readable JSON." },
+        ],
+        examples: ["appfleet logout", "appfleet logout --json"],
+        reads: [".appfleet/cloud-session.json"],
+        writes: [".appfleet/cloud-session.json and .appfleet/cloud-auth-token are removed when present"],
+        secretSafety: [
+            "Revokes hosted session metadata through AppFleet Cloud when available.",
+            "Removes local hosted session metadata and the local credential file without printing credential material.",
+            "Does not read or print OAuth refresh material, session cookies, provider credentials, encrypted credential blobs, key wrappers, command output, or secret fragments.",
+        ],
+    },
     {
         namespace: "appfleet",
         name: "link",
@@ -14,6 +60,68 @@ export const cliCommandDocs = [
             "Never uploads environment values, credential values, command output, key wrappers, or provider payloads.",
         ],
     },
+    {
+        namespace: "appfleet",
+        name: "doctor",
+        summary: "Run safe diagnostics for a remembered project, optionally uploading the report.",
+        usage: "appfleet doctor [project] [--upload] [--json]",
+        arguments: ["project: project id, path, URL, or repo fingerprint; defaults to the current project when resolvable."],
+        options: [
+            { flags: "--upload", description: "Upload the safe doctor report to AppFleet Cloud after the local check." },
+            { flags: "--json", description: "Emit machine-readable JSON." },
+        ],
+        examples: [
+            "appfleet doctor appfleet-demo",
+            "appfleet doctor .",
+            "appfleet doctor appfleet-demo --upload",
+        ],
+        reads: [".appfleet/project-memory.json", ".appfleet/cloud-session.json when --upload is used"],
+        writes: [".appfleet/project-memory.json latest safe doctor evidence", ".appfleet/cloud-metadata-sync.json when --upload is used"],
+        secretSafety: [
+            "Runs safe URL and metadata checks only.",
+            "Uploads safe project metadata and doctor evidence only when --upload is passed.",
+            "Never reads .env files or uploads environment values, credential values, command output, key wrappers, or provider payloads.",
+        ],
+    },
+    {
+        namespace: "appfleet",
+        name: "workspaces",
+        summary: "List AppFleet Cloud workspaces available to the signed-in user.",
+        usage: "appfleet workspaces [--api-base-url <url>] [--json]",
+        arguments: [],
+        options: [
+            { flags: "--api-base-url <url>", description: "AppFleet API base URL; overrides APPFLEET_API_BASE_URL and the default https://appfleet.xyz." },
+            { flags: "--json", description: "Emit machine-readable JSON." },
+        ],
+        examples: ["appfleet workspaces", "appfleet workspaces --json"],
+        reads: [".appfleet/cloud-session.json", ".appfleet/cloud-auth-token"],
+        writes: [],
+        secretSafety: [
+            "Uses the active hosted AppFleet session to list workspace metadata.",
+            "Does not print auth tokens, cookies, provider credentials, environment values, or secret fragments.",
+        ],
+    },
+    {
+        namespace: "appfleet",
+        name: "workspace",
+        summary: "Show or change the active AppFleet Cloud workspace.",
+        usage: "appfleet workspace current|list|use <workspace-id> [--json]",
+        arguments: [],
+        options: [
+            { flags: "--json", description: "Emit machine-readable JSON." },
+        ],
+        examples: [
+            "appfleet workspace current",
+            "appfleet workspace list",
+            "appfleet workspace use workspace_prod",
+        ],
+        reads: [".appfleet/cloud-session.json", ".appfleet/cloud-auth-token"],
+        writes: [".appfleet/cloud-session.json and .appfleet/cloud-auth-token when using a workspace"],
+        secretSafety: [
+            "Workspace use runs the hosted AppFleet login flow for the selected workspace.",
+            "Stores active workspace session metadata only and never prints auth tokens, cookies, provider credentials, or secret fragments.",
+        ],
+    },
     {
         namespace: "appfleet",
         name: "init",
@@ -46,20 +154,21 @@ export const cliCommandDocs = [
     {
         namespace: "auth",
         name: "login",
-        summary: "Create local-test session metadata by default, or hosted session metadata when production cloud is explicitly enabled.",
-        usage: "appfleet auth login [--workspace <workspace-id>] [--email <email>] [--production-cloud] [--api-base-url <url>] [--json]",
+        summary: "Sign in to AppFleet Cloud; use --local-test for local scaffold sessions.",
+        usage: "appfleet auth login [--workspace <workspace-id>] [--email <email>] [--api-base-url <url>] [--local-test] [--json]",
         arguments: [],
         options: [
             { flags: "--workspace <workspace-id>", description: "Workspace id for local-test or hosted session metadata." },
             { flags: "--email <email>", description: "Optional non-secret user label for local-test identity or hosted login metadata." },
-            { flags: "--production-cloud", description: "Explicitly use hosted auth mode; also requires API/auth env config." },
-            { flags: "--api-base-url <url>", description: "Production AppFleet API base URL; overrides APPFLEET_API_BASE_URL." },
+            { flags: "--local-test", description: "Create local-test session metadata instead of signing in to AppFleet Cloud." },
+            { flags: "--production-cloud", description: "Deprecated compatibility flag; hosted AppFleet Cloud is already the default." },
+            { flags: "--api-base-url <url>", description: "Production AppFleet API base URL; overrides APPFLEET_API_BASE_URL and the default https://appfleet.xyz." },
             { flags: "--json", description: "Emit machine-readable JSON." },
         ],
         examples: [
-            "appfleet auth login --workspace workspace_test",
-            "appfleet auth login --workspace workspace_test --email demo@example.com --json",
-            "APPFLEET_API_BASE_URL=https://appfleet.xyz appfleet auth login --production-cloud --workspace workspace_prod --json",
+            "appfleet login",
+            "appfleet auth login --workspace workspace_prod --json",
+            "appfleet auth login --local-test --workspace workspace_test --email demo@example.com --json",
         ],
         reads: [".appfleet/cloud-session.json if it already exists"],
         writes: [".appfleet/cloud-session.json local-test or hosted redacted session metadata with status and expiry"],
@@ -72,18 +181,19 @@ export const cliCommandDocs = [
     {
         namespace: "auth",
         name: "logout",
-        summary: "Log out of local-test session metadata by default, or revoke hosted session metadata when production cloud is explicitly enabled.",
-        usage: "appfleet auth logout [--production-cloud] [--api-base-url <url>] [--json]",
+        summary: "Sign out of AppFleet Cloud; use --local-test for local scaffold sessions.",
+        usage: "appfleet auth logout [--api-base-url <url>] [--local-test] [--json]",
         arguments: [],
         options: [
-            { flags: "--production-cloud", description: "Explicitly use hosted logout mode; also requires API/auth env config and hosted session metadata." },
-            { flags: "--api-base-url <url>", description: "Production AppFleet API base URL; overrides APPFLEET_API_BASE_URL." },
+            { flags: "--local-test", description: "Remove local-test session metadata instead of revoking a hosted AppFleet Cloud session." },
+            { flags: "--production-cloud", description: "Deprecated compatibility flag; hosted AppFleet Cloud is already the default." },
+            { flags: "--api-base-url <url>", description: "Production AppFleet API base URL; overrides APPFLEET_API_BASE_URL and the default https://appfleet.xyz." },
             { flags: "--json", description: "Emit machine-readable JSON." },
         ],
         examples: [
-            "appfleet auth logout",
+            "appfleet logout",
             "appfleet auth logout --json",
-            "APPFLEET_API_BASE_URL=https://appfleet.xyz appfleet auth logout --production-cloud --json",
+            "appfleet auth logout --local-test --json",
         ],
         reads: [".appfleet/cloud-session.json"],
         writes: [".appfleet/cloud-session.json is removed when present; JSON output includes a safe logged_out/not_found/missing_hosted_session status"],
@@ -101,23 +211,23 @@ export const cliCommandDocs = [
         arguments: [],
         options: [
             { flags: "--workspace <workspace-id>", description: "Workspace id for the local-test sync store." },
-            { flags: "--production-cloud", description: "Explicitly use production cloud mode; also requires API/auth env config." },
-            { flags: "--api-base-url <url>", description: "Production AppFleet API base URL; overrides APPFLEET_API_BASE_URL." },
+            { flags: "--production-cloud", description: "Explicitly use production cloud mode against AppFleet Cloud." },
+            { flags: "--api-base-url <url>", description: "Production AppFleet API base URL; overrides APPFLEET_API_BASE_URL and the default https://appfleet.xyz." },
             { flags: "--idempotency-key <key>", description: "Override the production metadata sync idempotency key; retries reuse the same key." },
             { flags: "--json", description: "Emit machine-readable JSON." },
         ],
         examples: [
             "appfleet cloud sync",
             "appfleet cloud sync --workspace workspace_test --json",
-            "APPFLEET_PRODUCTION_CLOUD_ENABLED=true APPFLEET_API_BASE_URL=https://appfleet.xyz APPFLEET_CLOUD_AUTH_TOKEN=<redacted> appfleet cloud sync --workspace <workspace-id> --json",
-            "APPFLEET_API_BASE_URL=https://appfleet.xyz appfleet cloud sync --production-cloud --workspace <workspace-id> --json",
+            "APPFLEET_PRODUCTION_CLOUD_ENABLED=true APPFLEET_CLOUD_AUTH_TOKEN=<redacted> appfleet cloud sync --workspace <workspace-id> --json",
+            "appfleet cloud sync --production-cloud --workspace <workspace-id> --json",
         ],
         reads: [".appfleet/cloud-session.json", ".appfleet/project-memory.json", ".appfleet/cloud-metadata-sync.json"],
         writes: [".appfleet/cloud-metadata-sync.json", ".appfleet/project-memory.json lastSyncedAt for accepted projects"],
         secretSafety: [
             "Chooses local-test mode by default; production mode requires --production-cloud, APPFLEET_PRODUCTION_CLOUD_ENABLED=true, or APPFLEET_CLOUD_MODE=production.",
-            "In production mode, fails closed when APPFLEET_API_BASE_URL/--api-base-url or APPFLEET_CLOUD_AUTH_TOKEN is missing.",
-            "Production metadata sync posts to /api/workspaces/<workspace-id>/metadata-sync on the configured AppFleet web API base URL.",
+            "In production mode, defaults to https://appfleet.xyz and fails closed when APPFLEET_CLOUD_AUTH_TOKEN is missing.",
+            "Production metadata sync posts to /api/workspaces/<workspace-id>/metadata-sync on the configured or default AppFleet web API base URL.",
             "Production metadata sync sends redacted auth reporting plus an idempotency key, workspace id, and project metadata envelopes.",
             "Production metadata sync retries safe transient transport failures with the same idempotency key.",
             "Persists local-test and production sync metadata, project ids, fingerprints, durable queue status, idempotency metadata, and conflict reports only.",
@@ -133,23 +243,23 @@ export const cliCommandDocs = [
         arguments: [],
         options: [
             { flags: "--workspace <workspace-id>", description: "Workspace id for the local-test sync store." },
-            { flags: "--production-cloud", description: "Explicitly use production cloud mode; also requires API/auth env config." },
-            { flags: "--api-base-url <url>", description: "Production AppFleet API base URL; overrides APPFLEET_API_BASE_URL." },
+            { flags: "--production-cloud", description: "Explicitly use production cloud mode against AppFleet Cloud." },
+            { flags: "--api-base-url <url>", description: "Production AppFleet API base URL; overrides APPFLEET_API_BASE_URL and the default https://appfleet.xyz." },
             { flags: "--idempotency-key <key>", description: "Override the production metadata sync idempotency key; retries reuse the same key." },
             { flags: "--json", description: "Emit machine-readable JSON." },
         ],
         examples: [
             "appfleet cloud metadata-sync",
             "appfleet cloud metadata-sync --workspace workspace_test --json",
-            "APPFLEET_CLOUD_MODE=production APPFLEET_API_BASE_URL=https://appfleet.xyz APPFLEET_CLOUD_AUTH_TOKEN=<redacted> appfleet cloud metadata-sync --workspace <workspace-id> --json",
-            "APPFLEET_API_BASE_URL=https://appfleet.xyz appfleet cloud metadata-sync --production-cloud --workspace <workspace-id> --json",
+            "APPFLEET_CLOUD_MODE=production APPFLEET_CLOUD_AUTH_TOKEN=<redacted> appfleet cloud metadata-sync --workspace <workspace-id> --json",
+            "appfleet cloud metadata-sync --production-cloud --workspace <workspace-id> --json",
         ],
         reads: [".appfleet/cloud-session.json", ".appfleet/project-memory.json", ".appfleet/cloud-metadata-sync.json"],
         writes: [".appfleet/cloud-metadata-sync.json", ".appfleet/project-memory.json lastSyncedAt for accepted projects"],
         secretSafety: [
             "Chooses local-test mode by default; production mode requires --production-cloud, APPFLEET_PRODUCTION_CLOUD_ENABLED=true, or APPFLEET_CLOUD_MODE=production.",
-            "In production mode, fails closed when APPFLEET_API_BASE_URL/--api-base-url or APPFLEET_CLOUD_AUTH_TOKEN is missing.",
-            "Production metadata sync posts to /api/workspaces/<workspace-id>/metadata-sync on the configured AppFleet web API base URL.",
+            "In production mode, defaults to https://appfleet.xyz and fails closed when APPFLEET_CLOUD_AUTH_TOKEN is missing.",
+            "Production metadata sync posts to /api/workspaces/<workspace-id>/metadata-sync on the configured or default AppFleet web API base URL.",
             "Production metadata sync sends redacted auth reporting plus an idempotency key, workspace id, and project metadata envelopes.",
             "Production metadata sync retries safe transient transport failures with the same idempotency key.",
             "Persists local-test and production sync metadata, project ids, fingerprints, durable queue status, idempotency metadata, and conflict reports only.",

package/dist/local-vault.js

@@ -1161,7 +1161,8 @@ function commandError(error) {
         childStarted: false,
     };
 }
-if (import.meta.url === `file://${process.argv[1]}`) {
+if (import.meta.url.endsWith("/local-vault.ts") &&
+    import.meta.url === `file://${process.argv[1]}`) {
     const result = await runLocalVaultCommand(process.argv.slice(2));
     process.stdout.write(result.stdout);
     process.stderr.write(result.stderr);

package/dist/project-memory.js

@@ -1518,7 +1518,8 @@ function defaultProjectMemoryStorePath(cwd) {
 function errorMessage(error) {
     return error instanceof Error ? error.message : String(error);
 }
-if (import.meta.url === `file://${process.argv[1]}`) {
+if (import.meta.url.endsWith("/project-memory.ts") &&
+    import.meta.url === `file://${process.argv[1]}`) {
     const result = await runProjectMemoryCommand(process.argv.slice(2), {
         storePath: process.env.APPFLEET_PROJECT_MEMORY_STORE_PATH,
         currentGitRemoteFingerprint: process.env.APPFLEET_GIT_REMOTE_FINGERPRINT,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@appfleet-cli/cli",
-  "version": "0.1.1",
+  "version": "0.1.3",
   "private": false,
   "type": "module",
   "bin": {