npm - @better-update/cli - Versions diffs - 0.22.0 → 0.23.0 - Mend

@better-update/cli 0.22.0 → 0.23.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.mjs CHANGED Viewed

@@ -33,7 +33,7 @@ var __require = /* @__PURE__ */ createRequire(import.meta.url);
 //#endregion
 //#region package.json
-var version = "0.22.0";
+var version = "0.23.0";
 //#endregion
 //#region src/lib/interactive-mode.ts
@@ -356,11 +356,12 @@ const Ciphertext = Schema.String.pipe(Schema.minLength(1)).annotations({ descrip
 /** Base64 of the per-credential DEK wrapped under the org vault key (AAD-bound). */
 const WrappedDek = Schema.String.pipe(Schema.minLength(1)).annotations({ description: "Base64 of the DEK wrapped under the org vault key" });
 /**
-* The secret-credential kinds whose DEK is wrapped under the org vault key — the
-* five tables a rotation must re-wrap. Provisioning profiles are plaintext and
-* are deliberately absent.
+* The secret kinds whose DEK is wrapped under the org vault key — the rows a
+* rotation must re-wrap. Five signing-credential tables plus `envVarValue` (one
+* row per environment variable value revision). Provisioning profiles are
+* plaintext and are deliberately absent.
 */
-const CredentialType = Schema.Literal("appleDistributionCertificate", "applePushKey", "ascApiKey", "googleServiceAccountKey", "androidUploadKeystore").annotations({ description: "Which encrypted-credential table a vault-key DEK re-wrap targets" });
+const CredentialType = Schema.Literal("appleDistributionCertificate", "applePushKey", "ascApiKey", "googleServiceAccountKey", "androidUploadKeystore", "envVarValue").annotations({ description: "Which encrypted-secret table a vault-key DEK re-wrap targets" });
 /**
 * The client-encrypted envelope. Spread into each secret credential's upload
 * body and download result alongside that credential's public metadata. The
@@ -383,6 +384,23 @@ const CredentialDekUpdate = Schema.Struct({
 	wrappedDek: WrappedDek
 });
 /**
+* One credential's currently-stored wrapped DEK — what the client fetches before
+* a rotation so it can unwrap each DEK with the old vault key and re-wrap it. The
+* wrapped DEK is opaque (decryptable only with the vault key), so the server may
+* serve it to any vault reader.
+*/
+const CredentialDekRef = Schema.Struct({
+	credentialType: CredentialType,
+	credentialId: Id,
+	wrappedDek: WrappedDek,
+	vaultVersion: VaultVersion
+});
+/** Every wrapped DEK in the org + the current vault version (the rotation source set). */
+const VaultCredentialDeks = Schema.Struct({
+	vaultVersion: VaultVersion,
+	deks: Schema.Array(CredentialDekRef)
+});
+/**
 * Rotate (or revoke) the org vault key. The client generates a new vault key at
 * version `fromVersion + 1`, re-wraps every credential DEK under it, and
 * re-wraps the new key to each surviving recipient (a revoke just omits the
@@ -1245,47 +1263,64 @@ const EnvVarVisibility = Schema.Literal("plaintext", "sensitive");
 const EnvVarScope = Schema.Literal("project", "global");
 const EnvVarEnvironment = Schema.Literal("development", "preview", "production");
 const EnvVarListScope = Schema.Literal("all", "project", "global");
+/**
+* A client-sealed env var value. `id` is the revision UUID the CLI bound as the
+* AAD `credentialId` when sealing; the envelope fields are the opaque ciphertext,
+* wrapped DEK, and vault version. The server stores these and never decrypts —
+* env var values are end-to-end encrypted, like credentials.
+*/
+const EnvVarValueEnvelope = Schema.Struct({
+	id: Id,
+	...encryptedEnvelopeFields
+});
+/**
+* Env var metadata. The value is **not** here — it lives encrypted in the
+* revision pointed at by `currentRevisionId` and is only ever readable by the
+* CLI (which holds the org vault key). One entity per (scope, key, environment).
+*/
 var EnvVar = class extends Schema.Class("EnvVar")({
 	id: Id,
 	organizationId: Id,
 	projectId: Schema.NullOr(Id),
 	scope: EnvVarScope,
+	environment: EnvVarEnvironment,
 	key: Schema.String,
 	visibility: EnvVarVisibility,
-	value: Schema.NullOr(Schema.String),
-	environments: Schema.Array(EnvVarEnvironment),
+	currentRevisionId: Schema.NullOr(Id),
+	revisionNumber: Schema.NullOr(Schema.Number),
+	revisionCount: Schema.Number,
 	overridesGlobal: Schema.optional(Schema.Boolean),
 	createdAt: DateTimeString,
 	updatedAt: DateTimeString
 }) {};
 const EnvVarKey = Schema.String.pipe(Schema.pattern(/^[A-Z][A-Z0-9_]*$/u), Schema.maxLength(256));
-const EnvVarValue = Schema.String.pipe(Schema.maxLength(32768));
-const EnvVarEnvironmentArray = Schema.Array(EnvVarEnvironment).pipe(Schema.minItems(1));
 const CreateEnvVarBody = Schema.Struct({
 	scope: EnvVarScope,
 	projectId: Schema.optional(Id),
-	environments: EnvVarEnvironmentArray,
+	environment: EnvVarEnvironment,
 	key: EnvVarKey,
-	value: EnvVarValue,
-	visibility: EnvVarVisibility
+	visibility: EnvVarVisibility,
+	value: EnvVarValueEnvelope
 });
 const UpdateEnvVarBody = Schema.Struct({
-	value: Schema.optional(EnvVarValue),
-	visibility: Schema.optional(EnvVarVisibility),
-	environments: Schema.optional(EnvVarEnvironmentArray)
+	value: Schema.optional(EnvVarValueEnvelope),
+	visibility: Schema.optional(EnvVarVisibility)
 });
 const BulkImportEntry = Schema.Struct({
 	key: EnvVarKey,
-	value: EnvVarValue,
-	visibility: Schema.optional(EnvVarVisibility)
+	environment: EnvVarEnvironment,
+	visibility: EnvVarVisibility,
+	value: EnvVarValueEnvelope
 });
+/**
+* Bulk import already-sealed entries. The CLI parses the dotenv file, seals each
+* value per (key, environment) locally, and sends the envelopes — the server
+* cannot parse or encrypt plaintext itself.
+*/
 const BulkImportEnvVarsBody = Schema.Struct({
 	scope: EnvVarScope,
 	projectId: Schema.optional(Id),
-	environments: EnvVarEnvironmentArray,
-	content: Schema.optional(Schema.String.pipe(Schema.maxLength(4e6))),
-	entries: Schema.optional(Schema.Array(BulkImportEntry).pipe(Schema.maxItems(100))),
-	visibility: Schema.optional(EnvVarVisibility)
+	entries: Schema.Array(BulkImportEntry).pipe(Schema.minItems(1), Schema.maxItems(300))
 });
 const BulkImportResult = Schema.Struct({
 	created: Schema.Number,
@@ -1293,51 +1328,71 @@ const BulkImportResult = Schema.Struct({
 	skipped: Schema.Number
 });
 const DeleteEnvVarResult = Schema.Struct({ id: Id });
+/** One exported variable's sealed value envelope; the CLI decrypts it locally. */
 const EnvVarExportItem = Schema.Struct({
 	key: Schema.String,
-	value: Schema.String,
-	visibility: EnvVarVisibility
+	environment: EnvVarEnvironment,
+	visibility: EnvVarVisibility,
+	id: Id,
+	...encryptedEnvelopeFields
 });
 const EnvVarExportResult = Schema.Struct({
 	items: Schema.Array(EnvVarExportItem),
 	environment: EnvVarEnvironment
 });
+/** One entry in a variable's value history (metadata only — no ciphertext). */
+const EnvVarRevision = Schema.Struct({
+	id: Id,
+	revisionNumber: Schema.Number,
+	vaultVersion: VaultVersion,
+	isCurrent: Schema.Boolean,
+	createdBy: Schema.NullOr(Id),
+	createdAt: DateTimeString
+});
+const EnvVarRevisionsResult = Schema.Struct({ items: Schema.Array(EnvVarRevision) });
+const RollbackEnvVarBody = Schema.Struct({ toRevisionId: Id });
 //#endregion
 //#region ../../packages/api/src/groups/env-vars.ts
-var EnvVarsGroup = class extends HttpApiGroup.make("env-vars").add(HttpApiEndpoint.post("create", "/api/env-vars").setPayload(CreateEnvVarBody).addSuccess(EnvVar, { status: 201 }).addError(BadRequest).addError(Conflict).annotateContext(OpenApi.annotations({
+var EnvVarsGroup = class extends HttpApiGroup.make("env-vars").add(HttpApiEndpoint.post("create", "/api/env-vars").setPayload(CreateEnvVarBody).addSuccess(EnvVar, { status: 201 }).annotateContext(OpenApi.annotations({
 	title: "Create environment variable",
-	description: "Create a new environment variable. Scope can be 'project' (requires projectId) or 'global' (organization-wide)."
+	description: "Create a new environment variable for one environment. The body carries the client-sealed value envelope; the server never sees plaintext. Scope can be 'project' (requires projectId) or 'global'."
 }))).add(HttpApiEndpoint.get("list", "/api/env-vars").setUrlParams(Schema.Struct({
 	scope: Schema.optional(EnvVarListScope),
 	projectId: Schema.optional(Id),
 	environments: Schema.optional(Schema.String),
 	search: Schema.optional(Schema.String),
 	...PaginationParams.fields
-})).addSuccess(Schema.Struct({ items: Schema.Array(EnvVar) })).addError(BadRequest).annotateContext(OpenApi.annotations({
+})).addSuccess(Schema.Struct({ items: Schema.Array(EnvVar) })).annotateContext(OpenApi.annotations({
 	title: "List environment variables",
-	description: "List environment variables. scope=all merges project + global vars with project overrides. environments is a comma-separated list. search matches key substring."
+	description: "List environment variable metadata (no values — those are encrypted). scope=all merges project + global vars with project overrides. environments is a comma-separated list. search matches key substring."
 }))).add(HttpApiEndpoint.get("get")`/api/env-vars/${idParam}`.addSuccess(EnvVar).annotateContext(OpenApi.annotations({
 	title: "Get environment variable",
-	description: "Get an environment variable by ID"
-}))).add(HttpApiEndpoint.patch("update")`/api/env-vars/${idParam}`.setPayload(UpdateEnvVarBody).addSuccess(EnvVar).addError(BadRequest).annotateContext(OpenApi.annotations({
+	description: "Get an environment variable's metadata by ID (no value)"
+}))).add(HttpApiEndpoint.patch("update")`/api/env-vars/${idParam}`.setPayload(UpdateEnvVarBody).addSuccess(EnvVar).annotateContext(OpenApi.annotations({
 	title: "Update environment variable",
-	description: "Update value, visibility, or assigned environments"
+	description: "Change the value (a new sealed revision) and/or the visibility tier. The environment is immutable."
 }))).add(HttpApiEndpoint.del("delete")`/api/env-vars/${idParam}`.addSuccess(DeleteEnvVarResult).annotateContext(OpenApi.annotations({
 	title: "Delete environment variable",
-	description: "Delete an environment variable"
-}))).add(HttpApiEndpoint.post("bulkImport", "/api/env-vars/bulk-import").setPayload(BulkImportEnvVarsBody).addSuccess(BulkImportResult).addError(BadRequest).annotateContext(OpenApi.annotations({
+	description: "Delete an environment variable and all of its value revisions"
+}))).add(HttpApiEndpoint.get("revisions")`/api/env-vars/${idParam}/revisions`.addSuccess(EnvVarRevisionsResult).annotateContext(OpenApi.annotations({
+	title: "List value revisions",
+	description: "List a variable's value history (metadata only, newest first)"
+}))).add(HttpApiEndpoint.post("rollback")`/api/env-vars/${idParam}/rollback`.setPayload(RollbackEnvVarBody).addSuccess(EnvVar).annotateContext(OpenApi.annotations({
+	title: "Roll back to a revision",
+	description: "Re-point the active value at an earlier revision of this variable"
+}))).add(HttpApiEndpoint.post("bulkImport", "/api/env-vars/bulk-import").setPayload(BulkImportEnvVarsBody).addSuccess(BulkImportResult).annotateContext(OpenApi.annotations({
 	title: "Bulk import environment variables",
-	description: "Import variables from a dotenv-formatted string. Applies to all selected environments. Supports KEY=VALUE format with # comments. Quoted values (single/double) are unquoted. Multiline values are not supported."
+	description: "Upsert pre-sealed entries (one per key+environment). The CLI parses the dotenv file and seals each value locally before sending."
 }))).add(HttpApiEndpoint.get("export", "/api/env-vars/export").setUrlParams(Schema.Struct({
 	projectId: Id,
 	environment: EnvVarEnvironment
 })).addSuccess(EnvVarExportResult).addError(Forbidden).annotateContext(OpenApi.annotations({
 	title: "Export environment variables",
-	description: "Export environment variables for a project environment. Global org-scoped vars are merged in; project values override globals on key collision."
-}))).addError(NotFound).addError(Forbidden).addError(BadRequest).annotateContext(OpenApi.annotations({
+	description: "Export sealed value envelopes for a project environment (CLI decrypts locally). Global org-scoped vars are merged in; project values override globals on key collision. Bearer (CLI/API-key) auth only."
+}))).addError(NotFound).addError(Forbidden).addError(BadRequest).addError(Conflict).annotateContext(OpenApi.annotations({
 	title: "Environment Variables",
-	description: "Manage environment variables for project builds and deployments"
+	description: "Manage end-to-end encrypted, versioned environment variables for project builds"
 })) {};
 //#endregion
@@ -1656,6 +1711,9 @@ var OrgVaultGroup = class extends HttpApiGroup.make("orgVault").add(HttpApiEndpo
 }))).add(HttpApiEndpoint.get("getWrap")`/api/vault/wraps/${keyIdParam}`.addSuccess(RecipientVaultKey).annotateContext(OpenApi.annotations({
 	title: "Get vault wrap",
 	description: "Fetch the wrapped vault key for a recipient to unwrap locally"
+}))).add(HttpApiEndpoint.get("listCredentialDeks", "/api/vault/credential-deks").addSuccess(VaultCredentialDeks).annotateContext(OpenApi.annotations({
+	title: "List wrapped credential DEKs",
+	description: "Every wrapped DEK in the org + the current vault version — the client fetches these to re-wrap under a new vault key during a rotation (the DEKs are opaque)"
 }))).add(HttpApiEndpoint.post("rotate", "/api/vault/rotate").setPayload(RotateVaultBody).addSuccess(OrgVault).annotateContext(OpenApi.annotations({
 	title: "Rotate vault key",
 	description: "Revoke or rotate (admin): bump the vault version, re-wrap every credential DEK, and re-wrap the new key to the surviving recipients — applied atomically with compare-and-swap"
@@ -2683,7 +2741,6 @@ const CALLBACK_PAGE = `<!doctype html>
             }
             window.history.replaceState({}, document.title, window.location.pathname);
             render("CLI login complete. You can close this tab.");
-            setTimeout(() => window.close(), 300);
           })
           .catch((error) => {
             render(error instanceof Error ? error.message : "Callback failed.");
@@ -2776,6 +2833,7 @@ const createBrowserLoginServer = async (options = {}) => {
 		waitForToken: session.waitForToken,
 		stop: () => {
 			session.dispose();
+			server.closeAllConnections();
 			server.close();
 		}
 	};
@@ -20713,14 +20771,19 @@ const unlockActivePrivateKey = (passphrase) => Effect.gen(function* () {
 	})).privateKey;
 });
 /**
-* Turn a missing-wrap `NotFound` into actionable guidance by asking the server
-* whether the org vault exists at all. A fresh org has no vault yet — the first
-* member must run `credentials identity init` (which also mints the offline
-* recovery key); an existing vault means this device simply isn't a recipient,
-* so it needs an admin grant or a self-link from a device that already has it.
+* Actionable guidance for a device that can't reach the vault, branched on
+* whether the org vault exists yet. A fresh org has no vault — the first member
+* runs `credentials identity init` (which also mints the offline recovery key);
+* an existing vault means this device simply isn't a recipient, so it needs an
+* admin grant or a self-link from a device that already has it. Exported so the
+* post-`identity create` hint stays in sync with this error path.
 */
+const VAULT_NOT_RECIPIENT_GUIDANCE = "This device isn't a vault recipient yet. Ask an org admin to run `better-update credentials access grant`, or self-link from a device that already has access with `better-update credentials device link`.";
+const VAULT_NOT_SET_UP_GUIDANCE = "This organization's credential vault isn't set up yet. Run `better-update credentials identity init` to bootstrap it — you'll get a one-time offline recovery key to store safely.";
+/** `true` if the org vault has been bootstrapped; `false` on `NotFound` (a fresh org). */
+const orgVaultExists = (api) => api.orgVault.get().pipe(Effect.as(true), Effect.catchTag("NotFound", () => Effect.succeed(false)));
 const vaultAccessError = (api) => Effect.gen(function* () {
-	return yield* new IdentityError({ message: (yield* api.orgVault.get().pipe(Effect.as(true), Effect.catchTag("NotFound", () => Effect.succeed(false)))) ? "This device isn't a vault recipient yet. Ask an org admin to run `better-update credentials access grant`, or self-link from a device that already has access with `better-update credentials device link`." : "This organization's credential vault isn't set up yet. Run `better-update credentials identity init` to bootstrap it — you'll get a one-time offline recovery key to store safely." });
+	return yield* new IdentityError({ message: (yield* orgVaultExists(api)) ? VAULT_NOT_RECIPIENT_GUIDANCE : VAULT_NOT_SET_UP_GUIDANCE });
 });
 /**
 * Unlock the org vault key for this device: find this device's recipient row,
@@ -24314,18 +24377,76 @@ const warnIfDevClientMissing = (projectRoot) => Effect.gen(function* () {
 //#endregion
 //#region src/lib/env-exporter.ts
 const coerceEnvironment = (raw) => raw === "development" || raw === "preview" || raw === "production" ? raw : void 0;
+/** Decrypt one sealed env var value, re-checking the sealed metadata against the row. */
+const decryptEnvVarValue = (session, item) => openFromDownload({
+	session,
+	credentialType: "envVarValue",
+	downloaded: item
+}).pipe(Effect.mapError((cause) => new EnvExportError({ message: `Failed to decrypt env var "${item.key}": ${cause.message}` })), Effect.flatMap((secret) => requireSecretString(secret, "value", () => new EnvExportError({ message: `Decrypted env var "${item.key}" is missing its value.` }))));
+/** Decrypt a batch of sealed env vars into plaintext key/value/visibility entries. */
+const decryptEnvVars = (session, items) => Effect.forEach(items, (item) => Effect.map(decryptEnvVarValue(session, item), (value) => ({
+	key: item.key,
+	value,
+	visibility: item.visibility
+})), { concurrency: 8 });
+/**
+* Export and decrypt every env var for a project + environment, in key order.
+* Skips unlocking the vault when the project has no variables; otherwise unlocks
+* once and decrypts every value locally (the server never sees plaintext).
+*/
+const exportDecryptedEnvVars = (api, projectId, environment) => Effect.gen(function* () {
+	const result = yield* api["env-vars"].export({ urlParams: {
+		projectId,
+		environment
+	} }).pipe(Effect.mapError((cause) => new EnvExportError({ message: `Failed to export environment variables for "${environment}": ${String(cause)}` })));
+	if (result.items.length === 0) return [];
+	return yield* decryptEnvVars(yield* openVaultSessionInteractive(api).pipe(Effect.mapError((cause) => new EnvExportError({ message: `Could not unlock the credential vault to decrypt environment variables: ${cause.message}` }))), result.items);
+});
 /**
-* Pull environment variables for a project + environment and flatten them into
-* a key/value map. Returns an empty map when the project has no variables.
+* Pull + decrypt environment variables flattened into a key/value map for
+* injection into a build/subprocess.
 */
-const pullEnvVars = (api, { projectId, environment }) => {
+const pullEnvVars = (api, { projectId, environment }) => Effect.gen(function* () {
 	const validated = coerceEnvironment(environment);
-	if (!validated) return Effect.fail(new EnvExportError({ message: `Invalid environment "${environment}". Must be one of: development, preview, production.` }));
-	return api["env-vars"].export({ urlParams: {
-		projectId,
-		environment: validated
-	} }).pipe(Effect.map((result) => Object.fromEntries(result.items.map((item) => [item.key, item.value]))), Effect.mapError((cause) => new EnvExportError({ message: `Failed to export environment variables for "${environment}": ${String(cause)}` })));
-};
+	if (!validated) return yield* new EnvExportError({ message: `Invalid environment "${environment}". Must be one of: development, preview, production.` });
+	const items = yield* exportDecryptedEnvVars(api, projectId, validated);
+	return Object.fromEntries(items.map((item) => [item.key, item.value]));
+});
+/**
+* Seal each entry for every target environment and bulk-upsert them. Unlocks the
+* vault once; the server stores only the sealed envelopes (never the plaintext).
+*/
+const uploadEnvVars = (api, params) => Effect.gen(function* () {
+	const session = yield* openVaultSessionInteractive(api);
+	const pairs = params.environments.flatMap((environment) => params.entries.map((entry) => ({
+		...entry,
+		environment
+	})));
+	const sealed = yield* Effect.forEach(pairs, (pair) => Effect.map(sealForUpload({
+		session,
+		credentialType: "envVarValue",
+		metadata: {
+			key: pair.key,
+			environment: pair.environment
+		},
+		secret: { value: pair.value }
+	}), (envelope) => ({
+		key: pair.key,
+		environment: pair.environment,
+		visibility: pair.visibility,
+		value: {
+			id: envelope.id,
+			ciphertext: envelope.ciphertext,
+			wrappedDek: envelope.wrappedDek,
+			vaultVersion: envelope.vaultVersion
+		}
+	})), { concurrency: 8 });
+	return yield* api["env-vars"].bulkImport({ payload: {
+		scope: params.scope,
+		...params.projectId === void 0 ? {} : { projectId: params.projectId },
+		entries: sealed
+	} });
+});
 //#endregion
 //#region src/lib/fingerprint.ts
@@ -28211,6 +28332,68 @@ const runCredentialsManager = Effect.gen(function* () {
 	yield* Console.log("Bye.");
 });
+//#endregion
+//#region src/application/vault-rotation.ts
+/**
+* Re-key the org vault to `recipients`: generate a new vault key (v+1), unwrap
+* every credential + env-var DEK with the old key and re-wrap it under the new
+* one, re-wrap the new vault key to each recipient, then submit the rotation
+* atomically (the server CAS-guards on the current version and requires a
+* recovery recipient in the set). Drops every recipient not in `recipients`.
+*/
+const rotateVaultTo = (args) => Effect.gen(function* () {
+	const orgId = yield* getActiveOrgId(args.api);
+	const current = yield* unlockVaultKey(args.api, args.passphrase);
+	const newVaultKey = generateVaultKey();
+	const newVersion = current.vaultVersion + 1;
+	const { deks } = yield* args.api.orgVault.listCredentialDeks();
+	const credentialDeks = yield* Effect.forEach(deks, (dek) => Effect.try({
+		try: () => {
+			const raw = unwrapDek({
+				wrappedDek: fromBase64(dek.wrappedDek),
+				vaultKey: current.vaultKey,
+				binding: {
+					orgId,
+					credentialId: dek.credentialId,
+					vaultVersion: dek.vaultVersion
+				}
+			});
+			return {
+				credentialType: dek.credentialType,
+				credentialId: dek.credentialId,
+				wrappedDek: toBase64(wrapDek({
+					dek: raw,
+					vaultKey: newVaultKey,
+					binding: {
+						orgId,
+						credentialId: dek.credentialId,
+						vaultVersion: newVersion
+					}
+				}))
+			};
+		},
+		catch: () => new IdentityError({ message: `Failed to re-wrap a ${dek.credentialType} DEK during rotation — re-unlock the vault and retry.` })
+	}), { concurrency: "unbounded" });
+	const recipientWraps = yield* Effect.forEach(args.recipients, (recipient) => Effect.promise(async () => ({
+		userEncryptionKeyId: recipient.userEncryptionKeyId,
+		wrappedKey: toBase64(await wrapVaultKey({
+			vaultKey: newVaultKey,
+			recipient: recipient.publicKey
+		}))
+	})), { concurrency: "unbounded" });
+	return yield* args.api.orgVault.rotate({ payload: {
+		fromVersion: current.vaultVersion,
+		recipientWraps,
+		credentialDeks
+	} });
+});
+/** The encryption keys currently holding the vault key, joined with their public keys. */
+const currentRecipients = (api) => Effect.gen(function* () {
+	const [wraps, keys] = yield* Effect.all([api.orgVault.listWraps(), api.userEncryptionKeys.list()]);
+	const byId = new Map(keys.items.map((key) => [key.id, key]));
+	return wraps.recipients.map((recipient) => byId.get(recipient.userEncryptionKeyId)).filter((key) => key !== void 0);
+});
 //#endregion
 //#region src/commands/credentials/vault-session.ts
 /**
@@ -28245,6 +28428,11 @@ const confirmFingerprint = (target, skip) => Effect.gen(function* () {
 //#endregion
 //#region src/commands/credentials/access.ts
+const RECOVERY_LABEL$1 = "Offline recovery key";
+const toRotationRecipient = (key) => ({
+	userEncryptionKeyId: key.id,
+	publicKey: key.publicKey
+});
 const listCommand$5 = defineCommand({
 	meta: {
 		name: "list",
@@ -28299,14 +28487,153 @@ const grantCommand = defineCommand({
 		yield* printHuman(`Granted vault access to ${target.label} (${target.fingerprint}).`);
 	}))
 });
+const confirmRecipients = (recipients, skip) => Effect.forEach(recipients, (recipient) => confirmFingerprint(recipient, skip), { discard: true });
+const rotateCommand = defineCommand({
+	meta: {
+		name: "rotate",
+		description: "Rotate the vault key, re-wrapping every credential to the same recipients (admin)"
+	},
+	args: { yes: {
+		type: "boolean",
+		description: "Skip the out-of-band fingerprint confirmation prompt"
+	} },
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const api = yield* apiClient;
+		const recipients = yield* currentRecipients(api);
+		yield* confirmRecipients(recipients, args.yes === true);
+		const rotated = yield* rotateVaultTo({
+			api,
+			passphrase: yield* resolveVaultPassphrase,
+			recipients: recipients.map(toRotationRecipient)
+		});
+		yield* printHuman(`Rotated the vault to version ${String(rotated.vaultVersion)} (${String(recipients.length)} recipients).`);
+	}))
+});
+const revokeCommand$1 = defineCommand({
+	meta: {
+		name: "revoke",
+		description: "Revoke a recipient and rotate the vault key so they can no longer decrypt (admin)"
+	},
+	args: {
+		recipient: {
+			type: "positional",
+			required: false,
+			description: "Key id or fingerprint of the recipient to revoke"
+		},
+		yes: {
+			type: "boolean",
+			description: "Skip the out-of-band fingerprint confirmation prompt"
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const api = yield* apiClient;
+		const target = yield* findRecipient(api, yield* resolveSelector(args.recipient, "Recipient key id or fingerprint to revoke:"));
+		const recipients = yield* currentRecipients(api);
+		const surviving = recipients.filter((recipient) => recipient.id !== target.id);
+		if (surviving.length === recipients.length) return yield* new IdentityError({ message: `${target.label} (${target.fingerprint}) is not a current vault recipient.` });
+		if (!surviving.some((recipient) => recipient.kind === "recovery")) return yield* new IdentityError({ message: "Refusing to revoke the offline recovery recipient — rotate it with `credentials access recovery rotate` instead." });
+		yield* confirmRecipients(surviving, args.yes === true);
+		const rotated = yield* rotateVaultTo({
+			api,
+			passphrase: yield* resolveVaultPassphrase,
+			recipients: surviving.map(toRotationRecipient)
+		});
+		yield* printHuman(`Revoked ${target.label} and rotated the vault to version ${String(rotated.vaultVersion)}.`);
+	}))
+});
+const recoverCommand = defineCommand({
+	meta: {
+		name: "recover",
+		description: "Restore this device's vault access with the offline recovery private key"
+	},
+	args: { key: {
+		type: "string",
+		description: "The offline recovery private key (AGE-SECRET-KEY-1...); prompted if omitted"
+	} },
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const api = yield* apiClient;
+		const recoveryPrivateKey = yield* resolveSelector(args.key, "Paste the offline recovery private key (AGE-SECRET-KEY-1...):");
+		const { items } = yield* api.userEncryptionKeys.list();
+		const recovery = items.find((key) => key.kind === "recovery" && key.revokedAt === null);
+		if (!recovery) return yield* new IdentityError({ message: "This organization has no active recovery recipient to recover from." });
+		const recipient = yield* activeRecipient;
+		const own = items.find((key) => key.publicKey === recipient.publicKey);
+		if (!own) return yield* new IdentityError({ message: "This device's encryption key is not registered. Run `better-update credentials identity register` first." });
+		const wrap = yield* api.orgVault.getWrap({ path: { keyId: recovery.id } });
+		const vaultKey = yield* Effect.tryPromise({
+			try: async () => unwrapVaultKey({
+				wrapped: fromBase64(wrap.wrappedKey),
+				privateKey: recoveryPrivateKey
+			}),
+			catch: () => new IdentityError({ message: "Could not unwrap the vault key — the recovery private key is wrong." })
+		});
+		const wrapped = yield* Effect.promise(async () => wrapVaultKey({
+			vaultKey,
+			recipient: own.publicKey
+		}));
+		yield* api.orgVault.addWrap({ payload: {
+			vaultVersion: wrap.vaultVersion,
+			wrap: {
+				userEncryptionKeyId: own.id,
+				wrappedKey: toBase64(wrapped)
+			}
+		} });
+		yield* printHuman(`Recovered vault access for this device (${own.label}).`);
+	}))
+});
+const recoveryCommand = defineCommand({
+	meta: {
+		name: "recovery",
+		description: "Manage the offline recovery recipient"
+	},
+	subCommands: { rotate: defineCommand({
+		meta: {
+			name: "rotate",
+			description: "Mint a new offline recovery key and rotate the vault, revoking the old one (admin)"
+		},
+		args: { yes: {
+			type: "boolean",
+			description: "Skip the out-of-band fingerprint confirmation prompt"
+		} },
+		run: async ({ args }) => runEffect(Effect.gen(function* () {
+			const api = yield* apiClient;
+			const recipients = yield* currentRecipients(api);
+			const newRecovery = yield* Effect.promise(async () => generateIdentity());
+			const registered = yield* api.userEncryptionKeys.register({ payload: {
+				kind: "recovery",
+				publicKey: newRecovery.publicKey,
+				label: RECOVERY_LABEL$1,
+				fingerprint: newRecovery.fingerprint
+			} });
+			const surviving = recipients.filter((recipient) => recipient.kind !== "recovery");
+			yield* confirmRecipients(surviving, args.yes === true);
+			const rotated = yield* rotateVaultTo({
+				api,
+				passphrase: yield* resolveVaultPassphrase,
+				recipients: [...surviving.map(toRotationRecipient), {
+					userEncryptionKeyId: registered.id,
+					publicKey: newRecovery.publicKey
+				}]
+			});
+			yield* printKeyValue([["New recovery fingerprint", newRecovery.fingerprint], ["Vault version", String(rotated.vaultVersion)]]);
+			yield* printHuman("Store this offline recovery private key safely — it is shown once and never again:");
+			yield* Console.log(newRecovery.privateKey);
+		}))
+	}) },
+	default: "rotate"
+});
 const accessCommand = defineCommand({
 	meta: {
 		name: "access",
-		description: "Inspect and grant access to the org credential vault"
+		description: "Inspect, grant, rotate, revoke, and recover access to the org credential vault"
 	},
 	subCommands: {
 		list: listCommand$5,
-		grant: grantCommand
+		grant: grantCommand,
+		rotate: rotateCommand,
+		revoke: revokeCommand$1,
+		recover: recoverCommand,
+		recovery: recoveryCommand
 	},
 	default: "list"
 });
@@ -29242,7 +29569,8 @@ const createCommand$1 = defineCommand({
 	run: async ({ args }) => runEffect(Effect.gen(function* () {
 		const label = yield* resolveLabel(args.label);
 		const identity = yield* createLocalIdentity(yield* promptNewPassphrase);
-		yield* printRecipient(yield* registerRecipient(yield* apiClient, {
+		const api = yield* apiClient;
+		yield* printRecipient(yield* registerRecipient(api, {
 			kind: "device",
 			publicKey: identity.publicKey,
 			fingerprint: identity.fingerprint,
@@ -29250,7 +29578,7 @@ const createCommand$1 = defineCommand({
 		}));
 		yield* printHuman("");
 		yield* printHuman("Sealed at ~/.better-update/identity.json — the private key never leaves this machine.");
-		yield* printHuman("Before you can read or upload credentials, this device needs vault access — granted by an org admin, or self-linked from another device that already has it.");
+		yield* printHuman(yield* orgVaultExists(api).pipe(Effect.map((exists) => exists ? VAULT_NOT_RECIPIENT_GUIDANCE : VAULT_NOT_SET_UP_GUIDANCE), Effect.orElseSucceed(() => VAULT_NOT_RECIPIENT_GUIDANCE)));
 	}))
 });
 const registerCommand = defineCommand({
@@ -30969,29 +31297,70 @@ const parseSingleEnvironmentArg = (raw) => Effect.gen(function* () {
 	return raw;
 });
 const formatEnvironments = (environments) => [...environments].toSorted((left, right) => left.localeCompare(right)).join(",");
+const DOTENV_LINE = /^\s*(?:export\s+)?([A-Z][A-Z0-9_]*)\s*=\s*(.*?)\s*$/u;
+const stripQuotes = (raw) => {
+	if (raw.length < 2) return raw;
+	const [first] = raw;
+	const last = raw.at(-1);
+	return first === "\"" && last === "\"" || first === "'" && last === "'" ? raw.slice(1, -1) : raw;
+};
+const parseDotenvLine = (rawLine) => {
+	const line = rawLine.trim();
+	if (line === "" || line.startsWith("#")) return;
+	const match = DOTENV_LINE.exec(line);
+	if (!match) return;
+	const [, key, rawValue] = match;
+	if (key === void 0 || rawValue === void 0) return;
+	return {
+		key,
+		value: stripQuotes(rawValue)
+	};
+};
+/** Parse a dotenv file's `KEY=VALUE` lines (comments + blanks skipped, quotes stripped). */
+const parseDotenv = (content) => content.split(/\r?\n/u).map(parseDotenvLine).filter((entry) => entry !== void 0);
+/** Resolve a single project env var by (key, environment), or fail NotFound. */
+const findProjectEnvVar = (api, projectId, key, environment) => Effect.gen(function* () {
+	const { items } = yield* api["env-vars"].list({ urlParams: {
+		projectId,
+		scope: "project",
+		environments: environment
+	} });
+	const match = items.find((item) => item.key === key && item.environment === environment);
+	if (!match) return yield* new EnvResourceNotFoundError({ message: `Env var "${key}" not found for environment "${environment}".` });
+	return match;
+});
 //#endregion
 //#region src/commands/env/delete.ts
 const deleteCommand$2 = defineCommand({
 	meta: {
 		name: "delete",
-		description: "Delete a project env var by key"
+		description: "Delete a project env var (one environment, or every environment by default)"
+	},
+	args: {
+		key: {
+			type: "positional",
+			required: true,
+			description: "Env var key"
+		},
+		environment: {
+			type: "string",
+			description: "Only delete this environment (default: every environment for the key)"
+		}
 	},
-	args: { key: {
-		type: "positional",
-		required: true,
-		description: "Env var key"
-	} },
 	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const environment = args.environment === void 0 ? void 0 : yield* parseSingleEnvironmentArg(args.environment);
 		const projectId = yield* readProjectId;
 		const api = yield* apiClient;
-		const match = (yield* api["env-vars"].list({ urlParams: {
+		const { items } = yield* api["env-vars"].list({ urlParams: {
 			projectId,
-			scope: "project"
-		} })).items.find((item) => item.key === args.key);
-		if (!match) return yield* new EnvResourceNotFoundError({ message: `Project env var "${args.key}" not found.` });
-		yield* api["env-vars"].delete({ path: { id: match.id } });
-		yield* Console.log(`Deleted ${args.key}`);
+			scope: "project",
+			...environment ? { environments: environment } : {}
+		} });
+		const matches = items.filter((item) => item.key === args.key && (environment === void 0 || item.environment === environment));
+		if (matches.length === 0) return yield* new EnvResourceNotFoundError({ message: `Project env var "${args.key}" not found${environment ? ` for environment "${environment}"` : ""}.` });
+		yield* Effect.forEach(matches, (match) => api["env-vars"].delete({ path: { id: match.id } }), { concurrency: 4 });
+		yield* Console.log(`Deleted ${args.key} (${String(matches.length)} environment${matches.length === 1 ? "" : "s"})`);
 	}), envErrorExtras)
 });
@@ -31021,10 +31390,10 @@ const getExecTrailingArgv = () => trailing$1;
 //#endregion
 //#region src/commands/env/exec.ts
-const pullForExec = (api, projectId, environment) => api["env-vars"].export({ urlParams: {
+const pullForExec = (api, projectId, environment) => pullEnvVars(api, {
 	projectId,
 	environment
-} }).pipe(Effect.map((result) => Object.fromEntries(result.items.map((item) => [item.key, item.value]))), Effect.catchAll(() => Effect.succeed({})));
+}).pipe(Effect.catchAll(() => Effect.succeed({})));
 const splitTrailing = (trailing) => {
 	if (!trailing || trailing.length === 0) return Effect.fail(new InvalidArgumentError({ message: "Pass the command after `--`. Example: `better-update env exec production -- bun run dev`." }));
 	const [bin, ...rest] = trailing;
@@ -31073,11 +31442,8 @@ const exportCommand = defineCommand({
 	run: async ({ args }) => runEffect(Effect.gen(function* () {
 		const environment = yield* parseSingleEnvironmentArg(args.environment);
 		const projectId = yield* readProjectId;
-		const result = yield* (yield* apiClient)["env-vars"].export({ urlParams: {
-			projectId,
-			environment
-		} });
-		for (const item of result.items) {
+		const items = yield* exportDecryptedEnvVars(yield* apiClient, projectId, environment);
+		for (const item of items) {
 			const escaped = item.value.replaceAll("'", String.raw`'\''`);
 			yield* Console.log(`${item.key}='${escaped}'`);
 		}
@@ -31086,43 +31452,21 @@ const exportCommand = defineCommand({
 //#endregion
 //#region src/commands/env/get.ts
-const resolveByKey = (api, key, environment) => Effect.gen(function* () {
-	const env = environment === void 0 ? void 0 : yield* parseSingleEnvironmentArg(environment);
-	const urlParams = {
-		projectId: yield* readProjectId,
-		scope: "all",
-		search: key,
-		...compact({ environments: env })
-	};
-	const { items } = yield* api["env-vars"].list({ urlParams });
-	const matches = items.filter((item) => item.key === key);
-	if (matches.length === 0) return yield* new EnvResourceNotFoundError({ message: `No env var with key "${key}" found${env === void 0 ? "" : ` for environment "${env}"`}.` });
-	if (matches.length > 1) return yield* new EnvResourceNotFoundError({ message: `Multiple env vars match key "${key}". Disambiguate with --environment <${[...new Set(matches.flatMap((entry) => entry.environments))].join(", ")}>.` });
-	return matches[0];
-});
-const renderValue$1 = (envVar, includeSensitive) => {
-	if (envVar.visibility === "plaintext") return envVar.value ?? "";
-	if (includeSensitive) return envVar.value ?? "";
-	return "******";
-};
 const getCommand$1 = defineCommand({
 	meta: {
 		name: "get",
-		description: "Show an environment variable by KEY (or --by-id)"
+		description: "Show an environment variable's effective value for an environment (decrypted locally)"
 	},
 	args: {
 		key: {
 			type: "positional",
 			required: true,
-			description: "Env var KEY (uppercase) — or ID when used with --by-id"
+			description: "Env var KEY (uppercase)"
 		},
 		environment: {
 			type: "string",
-			description: "Filter by environment when looking up by KEY"
-		},
-		"by-id": {
-			type: "boolean",
-			description: "Treat the argument as an ID instead of KEY"
+			default: "production",
+			description: "Target environment (development, preview, production)"
 		},
 		"include-sensitive": {
 			type: "boolean",
@@ -31130,21 +31474,62 @@ const getCommand$1 = defineCommand({
 		}
 	},
 	run: async ({ args }) => runEffect(Effect.gen(function* () {
-		const api = yield* apiClient;
-		const envVar = args["by-id"] ? yield* api["env-vars"].get({ path: { id: args.key } }) : yield* resolveByKey(api, args.key, args.environment);
+		const environment = yield* parseSingleEnvironmentArg(args.environment);
+		const projectId = yield* readProjectId;
+		const match = (yield* exportDecryptedEnvVars(yield* apiClient, projectId, environment)).find((item) => item.key === args.key);
+		if (!match) return yield* new EnvResourceNotFoundError({ message: `No env var "${args.key}" found for environment "${environment}".` });
+		const includeSensitive = args["include-sensitive"] ?? false;
+		const value = match.visibility === "sensitive" && !includeSensitive ? "******" : match.value;
 		yield* printKeyValue([
-			["ID", envVar.id],
-			["Key", envVar.key],
-			["Scope", envVar.scope],
-			["Environments", formatEnvironments(envVar.environments)],
-			["Visibility", envVar.visibility],
-			["Value", renderValue$1(envVar, args["include-sensitive"] ?? false)],
-			["Created", envVar.createdAt],
-			["Updated", envVar.updatedAt]
+			["Key", match.key],
+			["Environment", environment],
+			["Visibility", match.visibility],
+			["Value", value]
 		]);
 	}), envErrorExtras)
 });
+//#endregion
+//#region src/commands/env/history.ts
+const historyCommand = defineCommand({
+	meta: {
+		name: "history",
+		description: "Show a project env var's value revision history (metadata only)"
+	},
+	args: {
+		key: {
+			type: "positional",
+			required: true,
+			description: "Env var key"
+		},
+		environment: {
+			type: "string",
+			default: "production",
+			description: "Target environment (development, preview, production)"
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const environment = yield* parseSingleEnvironmentArg(args.environment);
+		const projectId = yield* readProjectId;
+		const api = yield* apiClient;
+		const match = yield* findProjectEnvVar(api, projectId, args.key, environment);
+		const { items } = yield* api["env-vars"].revisions({ path: { id: match.id } });
+		yield* printList([
+			"Revision",
+			"Active",
+			"Vault",
+			"Created",
+			"By"
+		], items.map((revision) => [
+			String(revision.revisionNumber),
+			revision.isCurrent ? "current" : "",
+			String(revision.vaultVersion),
+			revision.createdAt,
+			revision.createdBy ?? "-"
+		]), "No revisions found.");
+	}), envErrorExtras)
+});
 //#endregion
 //#region src/commands/env/import.ts
 const importCommand = defineCommand({
@@ -31171,31 +31556,33 @@ const importCommand = defineCommand({
 		}
 	},
 	run: async ({ args }) => runEffect(Effect.gen(function* () {
-		const content = yield* (yield* FileSystem.FileSystem).readFileString(args.file);
+		const entries = parseDotenv(yield* (yield* FileSystem.FileSystem).readFileString(args.file)).map((entry) => ({
+			key: entry.key,
+			value: entry.value,
+			visibility: args.visibility
+		}));
+		if (entries.length === 0) {
+			yield* Console.log(`No valid KEY=VALUE entries found in ${args.file}.`);
+			return;
+		}
 		const environments = yield* parseEnvironmentsArg(args.environment);
 		const projectId = yield* readProjectId;
-		const result = yield* (yield* apiClient)["env-vars"].bulkImport({ payload: {
+		const result = yield* uploadEnvVars(yield* apiClient, {
 			scope: "project",
 			projectId,
 			environments,
-			content,
-			visibility: args.visibility
-		} });
+			entries
+		});
 		yield* Console.log(`Imported: ${String(result.created)} created, ${String(result.updated)} updated, ${String(result.skipped)} skipped`);
 	}), envErrorExtras)
 });
 //#endregion
 //#region src/commands/env/list.ts
-const renderValue = (item, includeSensitive) => {
-	if (item.visibility === "plaintext") return item.value ?? "";
-	if (includeSensitive) return item.value ?? "";
-	return "••••••";
-};
 const listCommand$2 = defineCommand({
 	meta: {
 		name: "list",
-		description: "List environment variables"
+		description: "List environment variable metadata. Values are end-to-end encrypted — read them with `env pull`, `env export`, or `env get`."
 	},
 	args: {
 		environments: {
@@ -31214,10 +31601,6 @@ const listCommand$2 = defineCommand({
 		search: {
 			type: "string",
 			description: "Filter by key substring (case-insensitive)"
-		},
-		"include-sensitive": {
-			type: "boolean",
-			description: "Reveal masked sensitive values (default: masked)"
 		}
 	},
 	run: async ({ args }) => runEffect(Effect.gen(function* () {
@@ -31229,20 +31612,18 @@ const listCommand$2 = defineCommand({
 			...args.environments ? { environments: args.environments } : {},
 			...args.search ? { search: args.search } : {}
 		};
-		const result = yield* api["env-vars"].list({ urlParams });
-		const includeSensitive = args["include-sensitive"] ?? false;
 		yield* printList([
 			"Key",
-			"Environments",
+			"Environment",
 			"Scope",
 			"Visibility",
-			"Value"
-		], result.items.map((item) => [
+			"Revisions"
+		], (yield* api["env-vars"].list({ urlParams })).items.map((item) => [
 			item.key,
-			formatEnvironments(item.environments),
+			item.environment,
 			item.overridesGlobal ? `${item.scope} (overrides global)` : item.scope,
 			item.visibility,
-			renderValue(item, includeSensitive)
+			String(item.revisionCount)
 		]), "No environment variables found.");
 	}), envErrorExtras)
 });
@@ -31293,18 +31674,15 @@ const pullCommand = defineCommand({
 	run: async ({ args }) => runEffect(Effect.gen(function* () {
 		const environment = yield* parseSingleEnvironmentArg(args.environment);
 		const projectId = yield* readProjectId;
-		const result = yield* (yield* apiClient)["env-vars"].export({ urlParams: {
-			projectId,
-			environment
-		} });
+		const items = yield* exportDecryptedEnvVars(yield* apiClient, projectId, environment);
 		if (args.stdout) {
-			yield* printStdout(result.items);
+			yield* printStdout(items);
 			return;
 		}
 		const cwd = yield* (yield* CliRuntime).cwd;
 		yield* writeDotenvFile({
 			targetPath: path.resolve(cwd, args.path ?? DEFAULT_PATH),
-			items: result.items,
+			items,
 			force: args.force ?? false
 		});
 	}), envErrorExtras)
@@ -31312,32 +31690,11 @@ const pullCommand = defineCommand({
 //#endregion
 //#region src/commands/env/push.ts
-const LINE_PATTERN = /^\s*(?:export\s+)?([A-Z][A-Z0-9_]*)\s*=\s*(.*?)\s*$/u;
-const stripQuotes = (raw) => {
-	if (raw.length < 2) return raw;
-	const [first] = raw;
-	const last = raw.at(-1);
-	return first === "\"" && last === "\"" || first === "'" && last === "'" ? raw.slice(1, -1) : raw;
-};
 const classifyVisibility = (key) => key.startsWith("EXPO_PUBLIC_") ? "plaintext" : "sensitive";
-const parseLine = (rawLine) => {
-	const line = rawLine.trim();
-	if (line === "" || line.startsWith("#")) return;
-	const match = LINE_PATTERN.exec(line);
-	if (!match) return;
-	const [, key, rawValue] = match;
-	if (key === void 0 || rawValue === void 0) return;
-	return {
-		key,
-		value: stripQuotes(rawValue),
-		visibility: classifyVisibility(key)
-	};
-};
-const parseDotenv = (content) => content.split(/\r?\n/u).map(parseLine).filter((entry) => entry !== void 0);
 const pushCommand = defineCommand({
 	meta: {
 		name: "push",
-		description: "Push env vars from a dotenv file. Auto-classifies EXPO_PUBLIC_* as plaintext, others as sensitive."
+		description: "Push (encrypt + upsert) env vars from a dotenv file. Auto-classifies EXPO_PUBLIC_* as plaintext, others as sensitive."
 	},
 	args: {
 		file: {
@@ -31350,10 +31707,6 @@ const pushCommand = defineCommand({
 			type: "string",
 			default: "production",
 			description: "Target environments (comma-separated, e.g. development,production). Default: production"
-		},
-		force: {
-			type: "boolean",
-			description: "Overwrite existing vars without prompting"
 		}
 	},
 	run: async ({ args }) => runEffect(Effect.gen(function* () {
@@ -31364,49 +31717,57 @@ const pushCommand = defineCommand({
 		}
 		const environments = yield* parseEnvironmentsArg(args.environment);
 		const projectId = yield* readProjectId;
-		const api = yield* apiClient;
-		const existingResp = yield* api["env-vars"].list({ urlParams: {
-			projectId,
-			scope: "project"
-		} });
-		const existingByKey = new Map(existingResp.items.map((item) => [item.key, item]));
-		const conflicts = parsed.filter((entry) => existingByKey.has(entry.key));
-		const newEntries = parsed.filter((entry) => !existingByKey.has(entry.key));
-		const entriesToOverwrite = yield* Effect.gen(function* () {
-			if (conflicts.length === 0 || args.force) return conflicts;
-			if (!(yield* InteractiveMode).allow) {
-				const conflictKeys = conflicts.map((conflict) => conflict.key).join(", ");
-				return yield* new InvalidArgumentError({ message: `${String(conflicts.length)} conflict(s): ${conflictKeys}. Pass --force to overwrite or run interactively.` });
-			}
-			const picked = yield* promptMultiSelect("Overwrite which existing vars?", conflicts.map((entry) => ({
-				value: entry.key,
-				label: `${entry.key} (${existingByKey.get(entry.key)?.visibility ?? "?"} → ${entry.visibility})`
-			})));
-			const pickedSet = new Set(picked);
-			return conflicts.filter((entry) => pickedSet.has(entry.key));
-		});
-		const skipped = conflicts.length - entriesToOverwrite.length;
-		yield* Effect.forEach(newEntries, (entry) => api["env-vars"].create({ payload: {
+		const result = yield* uploadEnvVars(yield* apiClient, {
 			scope: "project",
 			projectId,
 			environments,
-			key: entry.key,
-			value: entry.value,
-			visibility: entry.visibility
-		} }), { concurrency: 4 });
-		yield* Effect.forEach(entriesToOverwrite, (entry) => {
-			const existing = existingByKey.get(entry.key);
-			if (!existing) return Effect.succeed(void 0);
-			return api["env-vars"].update({
-				path: { id: existing.id },
-				payload: {
-					value: entry.value,
-					visibility: entry.visibility,
-					environments
-				}
-			});
-		}, { concurrency: 4 });
-		yield* printHuman(`Pushed to ${formatEnvironments(environments)}: ${String(newEntries.length)} created, ${String(entriesToOverwrite.length)} updated${skipped > 0 ? `, ${String(skipped)} skipped` : ""}.`);
+			entries: parsed.map((entry) => ({
+				key: entry.key,
+				value: entry.value,
+				visibility: classifyVisibility(entry.key)
+			}))
+		});
+		yield* printHuman(`Pushed to ${formatEnvironments(environments)}: ${String(result.created)} created, ${String(result.updated)} updated${result.skipped > 0 ? `, ${String(result.skipped)} skipped` : ""}.`);
+	}), envErrorExtras)
+});
+//#endregion
+//#region src/commands/env/rollback.ts
+const rollbackCommand$1 = defineCommand({
+	meta: {
+		name: "rollback",
+		description: "Roll a project env var back to an earlier value revision"
+	},
+	args: {
+		key: {
+			type: "positional",
+			required: true,
+			description: "Env var key"
+		},
+		to: {
+			type: "string",
+			required: true,
+			description: "Target revision number (from `env history`) or revision id"
+		},
+		environment: {
+			type: "string",
+			default: "production",
+			description: "Target environment (development, preview, production)"
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const environment = yield* parseSingleEnvironmentArg(args.environment);
+		const projectId = yield* readProjectId;
+		const api = yield* apiClient;
+		const match = yield* findProjectEnvVar(api, projectId, args.key, environment);
+		const { items } = yield* api["env-vars"].revisions({ path: { id: match.id } });
+		const target = items.find((revision) => revision.id === args.to || String(revision.revisionNumber) === args.to);
+		if (!target) return yield* new InvalidArgumentError({ message: `Revision "${args.to}" not found for ${args.key} (${environment}). See \`env history\`.` });
+		yield* api["env-vars"].rollback({
+			path: { id: match.id },
+			payload: { toRevisionId: target.id }
+		});
+		yield* Console.log(`Rolled back ${args.key} (${environment}) to revision ${String(target.revisionNumber)}.`);
 	}), envErrorExtras)
 });
@@ -31432,7 +31793,7 @@ const setCommand$1 = defineCommand({
 			type: "enum",
 			options: ["plaintext", "sensitive"],
 			default: "plaintext",
-			description: "Value visibility"
+			description: "Value visibility (build-log redaction hint)"
 		}
 	},
 	run: async ({ args }) => runEffect(Effect.gen(function* () {
@@ -31440,33 +31801,18 @@ const setCommand$1 = defineCommand({
 		const environments = yield* parseEnvironmentsArg(args.environment);
 		const { visibility } = args;
 		const projectId = yield* readProjectId;
-		const api = yield* apiClient;
-		const match = (yield* api["env-vars"].list({ urlParams: {
+		const result = yield* uploadEnvVars(yield* apiClient, {
+			scope: "project",
 			projectId,
-			scope: "project"
-		} })).items.find((item) => item.key === key);
-		const label = formatEnvironments(environments);
-		if (match) {
-			yield* api["env-vars"].update({
-				path: { id: match.id },
-				payload: {
-					value,
-					visibility,
-					environments
-				}
-			});
-			yield* Console.log(`Updated ${key} (environments: ${label})`);
-		} else {
-			yield* api["env-vars"].create({ payload: {
-				scope: "project",
-				projectId,
-				environments,
+			environments,
+			entries: [{
 				key,
 				value,
 				visibility
-			} });
-			yield* Console.log(`Created ${key} (environments: ${label})`);
-		}
+			}]
+		});
+		const label = formatEnvironments(environments);
+		yield* Console.log(`Set ${key} (environments: ${label}; ${result.created} created, ${result.updated} updated)`);
 	}), envErrorExtras)
 });
@@ -31475,7 +31821,7 @@ const setCommand$1 = defineCommand({
 const updateCommand$1 = defineCommand({
 	meta: {
 		name: "update",
-		description: "Update a project env var's value, visibility, or environments"
+		description: "Update a project env var's value or visibility for an environment"
 	},
 	args: {
 		key: {
@@ -31483,6 +31829,11 @@ const updateCommand$1 = defineCommand({
 			required: true,
 			description: "Env var key (e.g. API_KEY)"
 		},
+		environment: {
+			type: "string",
+			default: "production",
+			description: "Target environment (development, preview, production)"
+		},
 		value: {
 			type: "string",
 			description: "New value (leave unset to keep current)"
@@ -31491,37 +31842,52 @@ const updateCommand$1 = defineCommand({
 			type: "enum",
 			options: ["plaintext", "sensitive"],
 			description: "New visibility (leave unset to keep current)"
-		},
-		environments: {
-			type: "string",
-			description: "New environments assignment (comma-separated, e.g. development,production). Leave unset to keep current."
 		}
 	},
 	run: async ({ args }) => runEffect(Effect.gen(function* () {
-		const { key, value, visibility, environments } = args;
-		if (value === void 0 && visibility === void 0 && environments === void 0) return yield* new InvalidArgumentError({ message: "Pass --value, --visibility, --environments (or any combination). Nothing to update otherwise." });
+		const { key, value, visibility } = args;
+		if (value === void 0 && visibility === void 0) return yield* new InvalidArgumentError({ message: "Pass --value and/or --visibility. Nothing to update otherwise." });
+		const environment = yield* parseSingleEnvironmentArg(args.environment);
 		const projectId = yield* readProjectId;
 		const api = yield* apiClient;
-		const match = (yield* api["env-vars"].list({ urlParams: {
+		const { items } = yield* api["env-vars"].list({ urlParams: {
 			projectId,
-			scope: "project"
-		} })).items.find((item) => item.key === key);
-		if (!match) return yield* new EnvResourceNotFoundError({ message: `Env var "${key}" not found in project.` });
-		const envList = environments ? yield* parseEnvironmentsArg(environments) : void 0;
-		const payload = compact({
-			value,
-			visibility,
-			environments: envList
-		});
-		yield* api["env-vars"].update({
+			scope: "project",
+			environments: environment
+		} });
+		const match = items.find((item) => item.key === key && item.environment === environment);
+		if (!match) return yield* new EnvResourceNotFoundError({ message: `Env var "${key}" not found for environment "${environment}".` });
+		if (value === void 0) yield* api["env-vars"].update({
 			path: { id: match.id },
-			payload
+			payload: compact({ visibility })
 		});
+		else {
+			const envelope = yield* sealForUpload({
+				session: yield* openVaultSessionInteractive(api),
+				credentialType: "envVarValue",
+				metadata: {
+					key,
+					environment
+				},
+				secret: { value }
+			});
+			yield* api["env-vars"].update({
+				path: { id: match.id },
+				payload: {
+					value: {
+						id: envelope.id,
+						ciphertext: envelope.ciphertext,
+						wrappedDek: envelope.wrappedDek,
+						vaultVersion: envelope.vaultVersion
+					},
+					...compact({ visibility })
+				}
+			});
+		}
 		const changed = [];
 		if (value !== void 0) changed.push("value");
 		if (visibility !== void 0) changed.push("visibility");
-		if (envList) changed.push("environments");
-		yield* printHuman(`Updated ${changed.join(" + ")} for ${key}.`);
+		yield* printHuman(`Updated ${changed.join(" + ")} for ${key} (${environment}).`);
 	}), envErrorExtras)
 });
@@ -31538,6 +31904,8 @@ const envCommand = defineCommand({
 		set: setCommand$1,
 		update: updateCommand$1,
 		delete: deleteCommand$2,
+		history: historyCommand,
+		rollback: rollbackCommand$1,
 		import: importCommand,
 		push: pushCommand,
 		export: exportCommand,