@better-update/cli 0.25.0 → 0.27.0

package/dist/index.mjs

@@ -11,7 +11,7 @@ import AppleUtils from "@expo/apple-utils";
 import { autocomplete, cancel, confirm, isCancel, multiselect, password, select, text } from "@clack/prompts";
 import { open, readFile, writeFile } from "node:fs/promises";
 import { X509Certificate, createHash, createSign, createVerify, randomBytes, randomUUID } from "node:crypto";
-import { accessSync, chmodSync, constants, createReadStream, existsSync, promises, readFileSync, writeFileSync } from "node:fs";
+import { accessSync, chmodSync, constants, createReadStream, promises } from "node:fs";
 import { Entry } from "@napi-rs/keyring";
 import { once } from "node:events";
 import { createServer } from "node:http";
@@ -34,7 +34,7 @@ var __require = /* @__PURE__ */ createRequire(import.meta.url);
 
 //#endregion
 //#region package.json
-var version = "0.25.0";
+var version = "0.27.0";
 
 //#endregion
 //#region src/lib/interactive-mode.ts
@@ -67,6 +67,7 @@ const cookieSecurity = HttpApiSecurity.apiKey({
 	key: "__Secure-better-auth.session_token",
 	in: "cookie"
 });
+/** @effect-expect-leaking HttpServerRequest | ParsedSearchParams | RouteContext */
 var Authentication = class extends HttpApiMiddleware.Tag()("api/Authentication", {
 	failure: Schema.Union(Unauthorized, Forbidden),
 	provides: AuthContext,
@@ -256,7 +257,7 @@ var AnalyticsGroup = class extends HttpApiGroup.make("analytics").add(HttpApiEnd
 
 //#endregion
 //#region ../../packages/api/src/domain/android-application-identifier.ts
-const AndroidPackageName = Schema.String.pipe(Schema.pattern(/^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$/u, { message: () => "Package name must be reverse-domain style (e.g., com.acme.app)" }));
+const AndroidPackageName = Schema.String.pipe(Schema.pattern(/^[A-Za-z][A-Za-z0-9_]*(?:\.[A-Za-z][A-Za-z0-9_]*)+$/u, { message: () => "Package name must be reverse-domain style (e.g., com.acme.app)" }));
 var AndroidApplicationIdentifier = class extends Schema.Class("AndroidApplicationIdentifier")({
 	id: Id,
 	organizationId: Id,
@@ -1177,6 +1178,44 @@ var BuildsGroup = class extends HttpApiGroup.make("builds").add(HttpApiEndpoint.
 	description: "Build artifact upload, tracking, and download endpoints"
 })) {};
 
+//#endregion
+//#region ../../packages/api/src/domain/channel-grant.ts
+const GrantEffectSchema = Schema.Literal("allow", "deny");
+/** One member's allow/deny set on a channel; `actions` are "resource:action". */
+var ChannelGrant = class extends Schema.Class("ChannelGrant")({
+	id: Id,
+	memberId: Id,
+	scopeKind: Schema.Literal("channel"),
+	scopeId: Id,
+	effect: GrantEffectSchema,
+	actions: Schema.Array(Schema.String),
+	createdAt: DateTimeString
+}) {};
+/** Upsert one (member, channel, effect) grant. effect defaults to "allow". */
+const UpsertChannelGrantBody = Schema.Struct({
+	effect: Schema.optionalWith(GrantEffectSchema, { default: () => "allow" }),
+	actions: Schema.Array(Schema.String).pipe(Schema.minItems(1))
+});
+const ListChannelGrantsParams = Schema.Struct({});
+const DeleteChannelGrantResult = Schema.Struct({ deleted: Schema.Number });
+
+//#endregion
+//#region ../../packages/api/src/groups/channel-grants.ts
+const memberIdParam = HttpApiSchema.param("memberId", Schema.String);
+var ChannelGrantsGroup = class extends HttpApiGroup.make("channelGrants").add(HttpApiEndpoint.get("list")`/api/channels/${idParam}/grants`.setUrlParams(ListChannelGrantsParams).addSuccess(Schema.Array(ChannelGrant)).annotateContext(OpenApi.annotations({
+	title: "List channel grants",
+	description: "List all per-member allow/deny grants on a channel"
+}))).add(HttpApiEndpoint.put("upsert")`/api/channels/${idParam}/grants/${memberIdParam}`.setPayload(UpsertChannelGrantBody).addSuccess(ChannelGrant).annotateContext(OpenApi.annotations({
+	title: "Upsert channel grant",
+	description: "Create or replace a member's allow/deny grant on a channel"
+}))).add(HttpApiEndpoint.del("delete")`/api/channels/${idParam}/grants/${memberIdParam}`.addSuccess(DeleteChannelGrantResult).annotateContext(OpenApi.annotations({
+	title: "Delete channel grant",
+	description: "Revoke a member's grants on a channel"
+}))).addError(NotFound).addError(Forbidden).annotateContext(OpenApi.annotations({
+	title: "Channel grants",
+	description: "Per-channel ABAC permission grants (allow/deny by member)"
+})) {};
+
 //#endregion
 //#region ../../packages/api/src/domain/channel.ts
 var Channel = class extends Schema.Class("Channel")({
@@ -1432,6 +1471,71 @@ const EnvVarRevision = Schema.Struct({
 const EnvVarRevisionsResult = Schema.Struct({ items: Schema.Array(EnvVarRevision) });
 const RollbackEnvVarBody = Schema.Struct({ toRevisionId: Id });
 
+//#endregion
+//#region ../../packages/api/src/domain/env-grant.ts
+/**
+* One member's allow/deny set on a (project × environment) env-var scope.
+* `scopeKind` is fixed to "env_var_environment". `scopeId` is the encoded
+* `<projectId|global>:<environment>` token (server-built). `actions` are
+* "resource:action" tokens (here always envVar:*).
+*/
+var EnvGrant = class extends Schema.Class("EnvGrant")({
+	id: Id,
+	memberId: Id,
+	scopeKind: Schema.Literal("env_var_environment"),
+	scopeId: Schema.String,
+	effect: GrantEffectSchema,
+	actions: Schema.Array(Schema.String),
+	createdAt: DateTimeString
+}) {};
+/** A flattened row for the list UI: one member × environment cell. */
+var EnvGrantRow = class extends Schema.Class("EnvGrantRow")({
+	memberId: Id,
+	environment: EnvVarEnvironment,
+	effect: GrantEffectSchema,
+	actions: Schema.Array(Schema.String)
+}) {};
+/**
+* URL params for listing grants on a project-or-global scope. `projectId` is the
+* sentinel "global" or a real project id (the server resolves null vs the
+* sentinel). Carried as a query param.
+*/
+const ListEnvGrantsParams = Schema.Struct({ projectId: Schema.String });
+/**
+* Upsert one (member, project-or-global, environment) grant. `projectId` null =
+* org-global vault. effect defaults to "allow". actions are envVar:* tokens.
+*/
+const UpsertEnvGrantBody = Schema.Struct({
+	memberId: Id,
+	projectId: Schema.NullOr(Id),
+	environment: EnvVarEnvironment,
+	effect: Schema.optionalWith(GrantEffectSchema, { default: () => "allow" }),
+	actions: Schema.Array(Schema.String).pipe(Schema.minItems(1))
+});
+/** Delete both effects for (member, project-or-global, environment). */
+const DeleteEnvGrantBody = Schema.Struct({
+	memberId: Id,
+	projectId: Schema.NullOr(Id),
+	environment: EnvVarEnvironment
+});
+const DeleteEnvGrantResult = Schema.Struct({ deleted: Schema.Number });
+
+//#endregion
+//#region ../../packages/api/src/groups/env-grants.ts
+var EnvGrantsGroup = class extends HttpApiGroup.make("envGrants").add(HttpApiEndpoint.get("list", "/api/env-grants").setUrlParams(ListEnvGrantsParams).addSuccess(Schema.Array(EnvGrantRow)).annotateContext(OpenApi.annotations({
+	title: "List env-var environment grants",
+	description: "List per-member allow/deny env-var grants on a project-or-global scope across all environments. projectId is a real id or the sentinel 'global'."
+}))).add(HttpApiEndpoint.put("upsert", "/api/env-grants").setPayload(UpsertEnvGrantBody).addSuccess(EnvGrant).annotateContext(OpenApi.annotations({
+	title: "Upsert env-var environment grant",
+	description: "Create or replace a member's allow/deny env-var grant on one (project-or-global × environment) scope. projectId null = org-global."
+}))).add(HttpApiEndpoint.del("delete", "/api/env-grants").setPayload(DeleteEnvGrantBody).addSuccess(DeleteEnvGrantResult).annotateContext(OpenApi.annotations({
+	title: "Delete env-var environment grants",
+	description: "Revoke both allow and deny grants for a member on one (project-or-global × environment) scope."
+}))).addError(NotFound).addError(Forbidden).addError(BadRequest).annotateContext(OpenApi.annotations({
+	title: "Env-var environment grants",
+	description: "Per (project × environment) ABAC permission grants for env vars (allow/deny by member)"
+})) {};
+
 //#endregion
 //#region ../../packages/api/src/groups/env-vars.ts
 var EnvVarsGroup = class extends HttpApiGroup.make("env-vars").add(HttpApiEndpoint.post("create", "/api/env-vars").setPayload(CreateEnvVarBody).addSuccess(EnvVar, { status: 201 }).annotateContext(OpenApi.annotations({
@@ -1805,6 +1909,54 @@ var MeGroup = class extends HttpApiGroup.make("me").add(HttpApiEndpoint.get("get
 	description: "Current authenticated actor information"
 })) {};
 
+//#endregion
+//#region ../../packages/api/src/domain/org-role.ts
+/** One resource→actions grant inside a role's permission set. */
+const PermissionGrantSchema = Schema.Struct({
+	resource: Schema.String,
+	actions: Schema.Array(Schema.String)
+});
+var OrgRole = class extends Schema.Class("OrgRole")({
+	id: Id,
+	organizationId: Id,
+	role: Schema.String,
+	permissions: Schema.Array(PermissionGrantSchema),
+	createdAt: DateTimeString,
+	updatedAt: Schema.NullOr(DateTimeString)
+}) {};
+const CreateOrgRoleBody = Schema.Struct({
+	name: Schema.String.pipe(Schema.minLength(1)),
+	permissions: Schema.Array(PermissionGrantSchema)
+});
+const UpdateOrgRoleBody = Schema.Struct({
+	permissions: Schema.optional(Schema.Array(PermissionGrantSchema)),
+	name: Schema.optional(Schema.String.pipe(Schema.minLength(1)))
+});
+const ListOrgRolesParams = Schema.Struct({ organizationId: Id });
+const DeleteOrgRoleResult = Schema.Struct({ deleted: Schema.Number });
+
+//#endregion
+//#region ../../packages/api/src/groups/org-roles.ts
+var OrgRolesGroup = class extends HttpApiGroup.make("roles").add(HttpApiEndpoint.get("list", "/api/roles").setUrlParams(ListOrgRolesParams).addSuccess(Schema.Array(OrgRole)).annotateContext(OpenApi.annotations({
+	title: "List custom roles",
+	description: "List all custom roles defined for an organization"
+}))).add(HttpApiEndpoint.post("create", "/api/roles").setPayload(CreateOrgRoleBody).addSuccess(OrgRole, { status: 201 }).annotateContext(OpenApi.annotations({
+	title: "Create custom role",
+	description: "Create a new custom role with a permission set"
+}))).add(HttpApiEndpoint.get("get")`/api/roles/${idParam}`.addSuccess(OrgRole).annotateContext(OpenApi.annotations({
+	title: "Get custom role",
+	description: "Fetch a single custom role by id"
+}))).add(HttpApiEndpoint.patch("update")`/api/roles/${idParam}`.setPayload(UpdateOrgRoleBody).addSuccess(OrgRole).annotateContext(OpenApi.annotations({
+	title: "Update custom role",
+	description: "Rename a custom role or replace its permission set"
+}))).add(HttpApiEndpoint.del("delete")`/api/roles/${idParam}`.addSuccess(DeleteOrgRoleResult).annotateContext(OpenApi.annotations({
+	title: "Delete custom role",
+	description: "Delete a custom role"
+}))).addError(NotFound).addError(Conflict).addError(Forbidden).annotateContext(OpenApi.annotations({
+	title: "Roles",
+	description: "Custom organization role management (dynamic access control)"
+})) {};
+
 //#endregion
 //#region ../../packages/api/src/groups/org-vault.ts
 /** `:keyId` path parameter — a registered recipient's `user_encryption_keys.id`. */
@@ -2155,7 +2307,7 @@ var WebhooksGroup = class extends HttpApiGroup.make("webhooks").add(HttpApiEndpo
 
 //#endregion
 //#region ../../packages/api/src/api.ts
-var ManagementApi = class extends HttpApi.make("management-api").add(ProjectsGroup).add(BranchesGroup).add(ChannelsGroup).add(UpdatesGroup).add(AssetsGroup).add(AnalyticsGroup).add(BuildsGroup).add(EnvVarsGroup).add(FingerprintsGroup).add(AuditLogsGroup).add(DevicesGroup).add(AppleTeamsGroup).add(AppleDistributionCertificatesGroup).add(ApplePushKeysGroup).add(AscApiKeysGroup).add(AppleProvisioningProfilesGroup).add(GoogleServiceAccountKeysGroup).add(IosBundleConfigurationsGroup).add(IosAppMetadataGroup).add(SubmissionsGroup).add(AndroidApplicationIdentifiersGroup).add(AndroidUploadKeystoresGroup).add(AndroidBuildCredentialsGroup).add(BuildCredentialsGroup).add(UserEncryptionKeysGroup).add(OrgVaultGroup).add(MeGroup).add(WebhooksGroup).add(AdminGroup).middleware(Authentication).annotateContext(OpenApi.annotations({
+var ManagementApi = class extends HttpApi.make("management-api").add(ProjectsGroup).add(BranchesGroup).add(ChannelsGroup).add(UpdatesGroup).add(AssetsGroup).add(AnalyticsGroup).add(BuildsGroup).add(EnvVarsGroup).add(FingerprintsGroup).add(AuditLogsGroup).add(DevicesGroup).add(AppleTeamsGroup).add(AppleDistributionCertificatesGroup).add(ApplePushKeysGroup).add(AscApiKeysGroup).add(AppleProvisioningProfilesGroup).add(GoogleServiceAccountKeysGroup).add(IosBundleConfigurationsGroup).add(IosAppMetadataGroup).add(SubmissionsGroup).add(AndroidApplicationIdentifiersGroup).add(AndroidUploadKeystoresGroup).add(AndroidBuildCredentialsGroup).add(BuildCredentialsGroup).add(UserEncryptionKeysGroup).add(OrgVaultGroup).add(MeGroup).add(WebhooksGroup).add(AdminGroup).add(OrgRolesGroup).add(ChannelGrantsGroup).add(EnvGrantsGroup).middleware(Authentication).annotateContext(OpenApi.annotations({
 	title: "Better Update Management API",
 	version: "1.0.0",
 	description: "Management API for OTA update publishing, deployment, and analytics"
@@ -2308,13 +2460,13 @@ const ConfigStoreLive = Layer.effect(ConfigStore, Effect.gen(function* () {
 	const runtime = yield* CliRuntime;
 	const homeDirectory = yield* runtime.homeDirectory;
 	const configFile = path.join(homeDirectory, ".better-update", "config.json");
-	const readConfig = fs.readFileString(configFile).pipe(Effect.catchAll(() => Effect.succeed("")), Effect.flatMap((content) => content.length === 0 ? Effect.succeed(void 0) : Effect.try({
+	const readConfig = fs.readFileString(configFile).pipe(Effect.orElseSucceed(() => ""), Effect.flatMap((content) => content.length === 0 ? Effect.void : Effect.try({
 		try: () => JSON.parse(content),
 		catch: (cause) => new ConfigStoreParseError({
 			message: "Config file contains invalid JSON",
 			cause
 		})
-	}).pipe(Effect.map((parsed) => isRecord(parsed) ? parsed : void 0), Effect.catchAll(() => Effect.succeed(void 0)))));
+	}).pipe(Effect.map((parsed) => isRecord(parsed) ? parsed : void 0), Effect.orElseSucceed(() => void 0))));
 	return {
 		getBaseUrl: Effect.gen(function* () {
 			const envUrl = yield* runtime.getEnv("BETTER_UPDATE_URL");
@@ -2537,7 +2689,7 @@ const AppleSessionStoreLive = Layer.effect(AppleSessionStore, Effect.gen(functio
 	const usernameFile = path.join(sessionDir, "apple-username.json");
 	return {
 		loadSession: Effect.gen(function* () {
-			const content = yield* fs.readFileString(sessionFile).pipe(Effect.catchAll(() => Effect.succeed(null)));
+			const content = yield* fs.readFileString(sessionFile).pipe(Effect.orElseSucceed(() => null));
 			if (!content) return null;
 			const parsed = safeJsonParse(content);
 			if (!isRecord(parsed)) return null;
@@ -2555,7 +2707,7 @@ const AppleSessionStoreLive = Layer.effect(AppleSessionStore, Effect.gen(functio
 		}).pipe(Effect.mapError((cause) => new AppleAuthError$1({ message: `Failed to save Apple session: ${formatCause(cause)}` }))),
 		clearSession: fs.remove(sessionFile).pipe(Effect.catchAll(() => Effect.void)),
 		loadLastUsername: Effect.gen(function* () {
-			const content = yield* fs.readFileString(usernameFile).pipe(Effect.catchAll(() => Effect.succeed(null)));
+			const content = yield* fs.readFileString(usernameFile).pipe(Effect.orElseSucceed(() => null));
 			if (!content) return null;
 			const parsed = safeJsonParse(content);
 			if (!isRecord(parsed) || typeof parsed["username"] !== "string") return null;
@@ -2651,7 +2803,7 @@ const interactiveLogin = (appleUtils, options, cachedUsername) => Effect.gen(fun
 const tryRestore = (appleUtils, store) => Effect.gen(function* () {
 	const stored = yield* store.loadSession;
 	if (stored === null) return null;
-	const restored = yield* restoreFromCookies(appleUtils, stored.cookies).pipe(Effect.catchAll(() => Effect.succeed(null)));
+	const restored = yield* restoreFromCookies(appleUtils, stored.cookies).pipe(Effect.orElseSucceed(() => null));
 	if (restored === null) return null;
 	return yield* resolveSessionTeam(appleUtils, restored);
 });
@@ -2670,7 +2822,7 @@ const makeAppleAuthLive = (appleUtils = defaultAppleUtils) => Layer.effect(Apple
 		whoami: Effect.gen(function* () {
 			const stored = yield* store.loadSession;
 			if (stored === null) return null;
-			const restored = yield* restoreFromCookies(appleUtils, stored.cookies).pipe(Effect.catchAll(() => Effect.succeed(null)));
+			const restored = yield* restoreFromCookies(appleUtils, stored.cookies).pipe(Effect.orElseSucceed(() => null));
 			if (restored !== null) return sessionFromAuthState(restored);
 			const info = appleUtils.Session.getAnySessionInfo();
 			return info === null ? null : sessionFromInfo(stored.username, info);
@@ -2756,7 +2908,7 @@ const IdentityStoreLive = Layer.effect(IdentityStore, Effect.gen(function* () {
 	const identityFile = path.join(identityDir, "identity.json");
 	return {
 		load: Effect.gen(function* () {
-			const content = yield* fs.readFileString(identityFile).pipe(Effect.catchAll(() => Effect.succeed("")));
+			const content = yield* fs.readFileString(identityFile).pipe(Effect.orElseSucceed(() => ""));
 			if (content.length === 0) return null;
 			const parsed = safeJsonParse(content);
 			return isIdentityFile(parsed) ? parsed : null;
@@ -2980,7 +3132,7 @@ const VaultCacheLive = Layer.effect(VaultCache, Effect.gen(function* () {
 		const flag = yield* runtime.getEnv("BETTER_UPDATE_NO_CACHE");
 		return flag !== void 0 && flag.length > 0 && flag !== "0" && flag !== "false";
 	});
-	const readRaw = (publicKey) => Effect.try(() => new Entry(KEYCHAIN_SERVICE, publicKey).getPassword()).pipe(Effect.catchAll(() => Effect.succeed(null)));
+	const readRaw = (publicKey) => Effect.try(() => new Entry(KEYCHAIN_SERVICE, publicKey).getPassword()).pipe(Effect.orElseSucceed(() => null));
 	const writeRaw = (publicKey, blob) => Effect.try(() => {
 		new Entry(KEYCHAIN_SERVICE, publicKey).setPassword(blob);
 	}).pipe(Effect.ignore);
@@ -3018,12 +3170,12 @@ const VersionCheckLive = Layer.effect(VersionCheck, Effect.gen(function* () {
 	const cacheDir = path.join(homeDirectory, ".better-update");
 	const cacheFile = path.join(cacheDir, "version-check.json");
 	const readCache = Effect.gen(function* () {
-		const content = yield* fs.readFileString(cacheFile).pipe(Effect.catchAll(() => Effect.succeed("")));
+		const content = yield* fs.readFileString(cacheFile).pipe(Effect.orElseSucceed(() => ""));
 		if (content.length === 0) return;
 		const parsed = yield* Effect.try({
 			try: () => JSON.parse(content),
 			catch: () => "parse-error"
-		}).pipe(Effect.catchAll(() => Effect.succeed(void 0)));
+		}).pipe(Effect.orElseSucceed(() => void 0));
 		if (isRecord(parsed) && typeof parsed["latest"] === "string" && typeof parsed["checkedAt"] === "number") return {
 			latest: parsed["latest"],
 			checkedAt: parsed["checkedAt"]
@@ -3224,7 +3376,7 @@ const buildOpenBrowserCommand = (platform, url) => {
 };
 const openBrowser = (url) => Effect.gen(function* () {
 	const command = buildOpenBrowserCommand((yield* CliRuntime).platform, url);
-	if (!(yield* Command.exitCode(command).pipe(Effect.map((code) => code === 0), Effect.catchAll(() => Effect.succeed(false))))) yield* Console.log(`Open this URL manually:\n${url}`);
+	if (!(yield* Command.exitCode(command).pipe(Effect.map((code) => code === 0), Effect.orElseSucceed(() => false)))) yield* Console.log(`Open this URL manually:\n${url}`);
 });
 const browserLogin = Effect.scoped(Effect.gen(function* () {
 	const configStore = yield* ConfigStore;
@@ -3623,9 +3775,9 @@ const configPath = (projectRoot) => path.join(projectRoot, BETTER_UPDATE_CONFIG_
 * graceful `readConfig`.
 */
 const readBetterUpdateConfig = (projectRoot) => Effect.gen(function* () {
-	const content = yield* (yield* FileSystem.FileSystem).readFileString(configPath(projectRoot)).pipe(Effect.catchAll(() => Effect.succeed("")));
+	const content = yield* (yield* FileSystem.FileSystem).readFileString(configPath(projectRoot)).pipe(Effect.orElseSucceed(() => ""));
 	if (content.length === 0) return;
-	return yield* Effect.try(() => JSON.parse(content)).pipe(Effect.map((parsed) => isRecord(parsed) ? parsed : void 0), Effect.catchAll(() => Effect.succeed(void 0)));
+	return yield* Effect.try(() => JSON.parse(content)).pipe(Effect.map((parsed) => isRecord(parsed) ? parsed : void 0), Effect.orElseSucceed(() => void 0));
 });
 /**
 * Resolve the linked project id from `better-update.json`, or `undefined` when
@@ -4354,14 +4506,8 @@ const KeyValueFromString = Schema.transformOrFail(Schema.String, KeyValuePair, {
 	},
 	encode: ({ key, value }) => ParseResult.succeed(`${key}=${value}`)
 });
-const parseRolloutPercentage = (raw, flag) => Effect.try({
-	try: () => Schema.decodeUnknownSync(RolloutPercentage)(Number(raw)),
-	catch: () => new InvalidArgumentError({ message: `--${flag} must be an integer between 1 and 100, got "${raw}".` })
-});
-const parseKeyValue = (raw) => Effect.try({
-	try: () => Schema.decodeUnknownSync(KeyValueFromString)(raw),
-	catch: () => new InvalidArgumentError({ message: "Invalid format. Use KEY=VALUE (e.g. API_KEY=abc123)" })
-});
+const parseRolloutPercentage = (raw, flag) => Schema.decodeUnknown(RolloutPercentage)(Number(raw)).pipe(Effect.mapError(() => new InvalidArgumentError({ message: `--${flag} must be an integer between 1 and 100, got "${raw}".` })));
+const parseKeyValue = (raw) => Schema.decodeUnknown(KeyValueFromString)(raw).pipe(Effect.mapError(() => new InvalidArgumentError({ message: "Invalid format. Use KEY=VALUE (e.g. API_KEY=abc123)" })));
 const parseLimit = (raw, defaultValue) => {
 	if (raw === void 0) return Effect.succeed(defaultValue);
 	const parsed = Number(raw);
@@ -4371,7 +4517,7 @@ const parseLimit = (raw, defaultValue) => {
 
 //#endregion
 //#region src/commands/audit-logs/list.ts
-const listCommand$9 = defineCommand({
+const listCommand$12 = defineCommand({
 	meta: {
 		name: "list",
 		description: "List audit log entries"
@@ -4433,7 +4579,7 @@ const auditLogsCommand = defineCommand({
 		name: "audit-logs",
 		description: "View audit logs"
 	},
-	subCommands: { list: listCommand$9 }
+	subCommands: { list: listCommand$12 }
 });
 
 //#endregion
@@ -4537,7 +4683,7 @@ const drainPages = (fetchPage) => {
 
 //#endregion
 //#region src/commands/branches.ts
-const listCommand$8 = defineCommand({
+const listCommand$11 = defineCommand({
 	meta: {
 		name: "list",
 		description: "List branches for the linked project"
@@ -4560,7 +4706,7 @@ const listCommand$8 = defineCommand({
 		]), "No branches found.");
 	}))
 });
-const createCommand$4 = defineCommand({
+const createCommand$5 = defineCommand({
 	meta: {
 		name: "create",
 		description: "Create a branch"
@@ -4583,7 +4729,7 @@ const createCommand$4 = defineCommand({
 		]);
 	}))
 });
-const viewCommand$3 = defineCommand({
+const viewCommand$4 = defineCommand({
 	meta: {
 		name: "view",
 		description: "Show a branch by ID or name"
@@ -4641,7 +4787,7 @@ const renameCommand$1 = defineCommand({
 		return branch;
 	}), { json: "value" })
 });
-const deleteCommand$6 = defineCommand({
+const deleteCommand$7 = defineCommand({
 	meta: {
 		name: "delete",
 		description: "Delete a branch"
@@ -4666,11 +4812,11 @@ const branchesCommand = defineCommand({
 		description: "Manage branches"
 	},
 	subCommands: {
-		list: listCommand$8,
-		view: viewCommand$3,
-		create: createCommand$4,
+		list: listCommand$11,
+		view: viewCommand$4,
+		create: createCommand$5,
 		rename: renameCommand$1,
-		delete: deleteCommand$6
+		delete: deleteCommand$7
 	}
 });
 
@@ -4751,8 +4897,31 @@ const findIosArtifact = ({ exportPath }) => Effect.gen(function* () {
 	if (!picked) return yield* new ArtifactNotFoundError({ message: `No .ipa file found under "${exportPath}".` });
 	return picked.path;
 });
-const findAndroidArtifact = ({ projectRoot, format, flavor, buildType, minMtimeMs }) => Effect.gen(function* () {
-	const outputsRoot = path.join(projectRoot, "android", "app", "build", "outputs");
+/**
+* Resolve a custom-command build artifact from a user-supplied path. A pattern
+* without wildcards is treated as a literal path (relative to `baseDir`);
+* otherwise the fixed leading directory + file extension are extracted and the
+* newest matching file under that directory is returned.
+*/
+const findArtifactByGlob = ({ baseDir, pattern, minMtimeMs }) => Effect.gen(function* () {
+	const fs = yield* FileSystem.FileSystem;
+	if (!/[*?[]/u.test(pattern)) {
+		const full = path.isAbsolute(pattern) ? pattern : path.join(baseDir, pattern);
+		if (yield* fs.exists(full).pipe(Effect.orElseSucceed(() => false))) return full;
+		return yield* new ArtifactNotFoundError({ message: `No artifact found at "${full}".` });
+	}
+	const extension = path.extname(pattern).toLowerCase();
+	if (extension === "") return yield* new ArtifactNotFoundError({ message: `artifactPath "${pattern}" must end in a file extension (e.g. **/*.aab).` });
+	const wildcardIndex = pattern.search(/[*?[]/u);
+	const fixedPrefix = pattern.slice(0, wildcardIndex);
+	const prefixDir = fixedPrefix.includes("/") ? fixedPrefix.slice(0, fixedPrefix.lastIndexOf("/")) : "";
+	const searchRoot = prefixDir === "" ? baseDir : path.join(baseDir, prefixDir);
+	const picked = newest(yield* walkAndFind(searchRoot, extension), minMtimeMs);
+	if (!picked) return yield* new ArtifactNotFoundError({ message: `No file matching "${pattern}" found under "${searchRoot}".` });
+	return picked.path;
+});
+const findAndroidArtifact = ({ projectRoot, format, flavor, buildType, minMtimeMs, module: gradleModule = "app" }) => Effect.gen(function* () {
+	const outputsRoot = path.join(projectRoot, "android", gradleModule, "build", "outputs");
 	const subdir = format === "aab" ? "bundle" : "apk";
 	const variantDir = flavor ? `${flavor}${capitalize(buildType)}` : buildType;
 	const pickedDirect = newest(yield* walkAndFind(path.join(outputsRoot, subdir, variantDir), `.${format}`), minMtimeMs);
@@ -18686,7 +18855,7 @@ const asArrayBuffer$1 = (bytes) => {
 };
 const signAscJwt = (credentials) => Effect.gen(function* () {
 	const der = pemToPkcs8Der(credentials.p8Pem);
-	if (der === null) return yield* Effect.fail(new AppleAuthError({ cause: /* @__PURE__ */ new Error("Invalid .p8 PEM") }));
+	if (der === null) return yield* new AppleAuthError({ cause: /* @__PURE__ */ new Error("Invalid .p8 PEM") });
 	const header = {
 		alg: "ES256",
 		kid: credentials.keyId,
@@ -18770,7 +18939,7 @@ const fetchRaw = (jwt, path, init) => Effect.gen(function* () {
 		try: () => text.length === 0 ? {} : JSON.parse(text),
 		catch: (cause) => new AscNetworkError({ cause })
 	});
-	if (!response.ok) return yield* Effect.fail(parseApiError(response, body, text));
+	if (!response.ok) return yield* parseApiError(response, body, text);
 	return body;
 });
 const toAscCertificate = (value) => {
@@ -18870,12 +19039,10 @@ const createCertificate = (credentials, params) => withJwt(credentials, (jwt) =>
 			}
 		} })
 	}), toAscCertificate);
-	if (resource === null) return yield* Effect.fail(malformed("certificate"));
+	if (resource === null) return yield* malformed("certificate");
 	return resource;
 }));
-const deleteCertificate = (credentials, id) => withJwt(credentials, (jwt) => Effect.gen(function* () {
-	yield* fetchRaw(jwt, `/v1/certificates/${encodeURIComponent(id)}`, { method: "DELETE" });
-}));
+const deleteCertificate = (credentials, id) => withJwt(credentials, (jwt) => Effect.asVoid(fetchRaw(jwt, `/v1/certificates/${encodeURIComponent(id)}`, { method: "DELETE" })));
 const listBundleIds = (credentials) => withJwt(credentials, (jwt) => Effect.gen(function* () {
 	return extractList(yield* fetchRaw(jwt, "/v1/bundleIds?limit=200"), toAscBundleId);
 }));
@@ -18891,7 +19058,7 @@ const createBundleId = (credentials, params) => withJwt(credentials, (jwt) => Ef
 			}
 		} })
 	}), toAscBundleId);
-	if (resource === null) return yield* Effect.fail(malformed("bundleId"));
+	if (resource === null) return yield* malformed("bundleId");
 	return resource;
 }));
 const listDevices = (credentials) => withJwt(credentials, (jwt) => Effect.gen(function* () {
@@ -18923,7 +19090,7 @@ const createProvisioningProfile = (credentials, params) => withJwt(credentials,
 			relationships
 		} })
 	}), toAscProfile);
-	if (resource === null) return yield* Effect.fail(malformed("profile"));
+	if (resource === null) return yield* malformed("profile");
 	return resource;
 }));
 const isCertificateLimitError = (error) => {
@@ -18940,7 +19107,7 @@ const stringField = (cert, name) => {
 	return typeof value === "string" ? value : null;
 };
 const matchTeamFromCommonName = (cn) => {
-	const match = /\(([A-Z0-9]{10})\)/u.exec(cn);
+	const match = /\((?<team>[A-Z0-9]{10})\)/u.exec(cn);
 	if (match === null) return null;
 	const [, captured] = match;
 	return captured === void 0 ? null : captured;
@@ -18959,7 +19126,7 @@ const parseCert = (certDerBytes) => {
 const generatePassword = () => forge.util.encode64(forge.random.getBytesSync(16));
 const extractCertMetadata = (cert) => Effect.gen(function* () {
 	const appleTeamId = extractTeamId$1(cert);
-	if (appleTeamId === null) return yield* Effect.fail(new CertParseError({ message: "Could not extract Apple team identifier from certificate subject" }));
+	if (appleTeamId === null) return yield* new CertParseError({ message: "Could not extract Apple team identifier from certificate subject" });
 	return {
 		serialNumber: cert.serialNumber.toUpperCase(),
 		validFrom: cert.validity.notBefore.toISOString(),
@@ -18977,7 +19144,7 @@ const extractCertMetadata = (cert) => Effect.gen(function* () {
 */
 const extractMetadataFromP12 = (params) => Effect.gen(function* () {
 	const certBagOid = forge.pki.oids["certBag"];
-	if (certBagOid === void 0) return yield* Effect.fail(new CertParseError({ message: "PKCS#12 OID lookup for certBag failed" }));
+	if (certBagOid === void 0) return yield* new CertParseError({ message: "PKCS#12 OID lookup for certBag failed" });
 	const [first] = yield* Effect.try({
 		try: () => {
 			const p12Der = forge.util.decode64(params.p12Base64);
@@ -18986,7 +19153,7 @@ const extractMetadataFromP12 = (params) => Effect.gen(function* () {
 		},
 		catch: (error) => new CertParseError({ message: `Failed to parse PKCS#12 bundle: ${error instanceof Error ? error.message : String(error)}` })
 	});
-	if (first?.cert === void 0) return yield* Effect.fail(new CertParseError({ message: "PKCS#12 bundle does not contain a certificate" }));
+	if (first?.cert === void 0) return yield* new CertParseError({ message: "PKCS#12 bundle does not contain a certificate" });
 	return yield* extractCertMetadata(first.cert);
 });
 const buildDistributionCertP12 = (params) => Effect.gen(function* () {
@@ -19167,10 +19334,10 @@ const generateAndUploadDistributionCertificate = (api, input) => Effect.gen(func
 		csrPem: csrResult.csrPem,
 		certificateType
 	}).pipe(Effect.mapError(wrapAscError("apple-create-certificate")));
-	if (apple.certificateContent === null) return yield* Effect.fail(new GenerateFailedError({
+	if (apple.certificateContent === null) return yield* new GenerateFailedError({
 		step: "apple-create-certificate",
 		message: "Apple response missing certificateContent"
-	}));
+	});
 	const bundle = yield* buildDistributionCertP12({
 		certificateContentBase64: apple.certificateContent,
 		privateKey: csrResult.privateKey
@@ -19220,10 +19387,10 @@ const revokeAppleCertificate = (api, input) => Effect.gen(function* () {
 });
 const revokeLocalDistributionCertificate = (api, input) => Effect.gen(function* () {
 	const local = (yield* api.appleDistributionCertificates.list()).items.find((entry) => entry.id === input.distributionCertificateId);
-	if (local === void 0) return yield* Effect.fail(new GenerateFailedError({
+	if (local === void 0) return yield* new GenerateFailedError({
 		step: "load-distribution-certificate",
 		message: `Distribution certificate ${input.distributionCertificateId} not found on this account`
-	}));
+	});
 	const creds = yield* fetchAscCredentials(api, input.ascApiKeyId);
 	const ascCreds = {
 		keyId: creds.keyId,
@@ -19260,10 +19427,10 @@ const listAppleCertificates = (api, input) => Effect.gen(function* () {
 });
 const resolveCertAscId = (creds, serialNumber, certificateType) => Effect.gen(function* () {
 	const match = (yield* listCertificates(creds, { certificateType }).pipe(Effect.mapError(wrapAscError("apple-list-certificates")))).find((entry) => entry.serialNumber.toUpperCase() === serialNumber);
-	if (match === void 0) return yield* Effect.fail(new GenerateFailedError({
+	if (match === void 0) return yield* new GenerateFailedError({
 		step: "match-apple-certificate",
 		message: `Distribution certificate ${serialNumber} not present on Apple Developer Portal; upload or re-generate it`
-	}));
+	});
 	return match.id;
 });
 const ensureBundleId = (creds, bundleIdentifier) => Effect.gen(function* () {
@@ -19296,10 +19463,10 @@ const generateAndUploadProvisioningProfile = (api, input) => Effect.gen(function
 	const [certAscId, bundleIdAscId] = yield* Effect.all([resolveCertAscId(ascCreds, cert.serialNumber.toUpperCase(), certificateType), ensureBundleId(ascCreds, input.bundleIdentifier)], { concurrency: 2 });
 	const useDevices = input.distributionType === "AD_HOC" || input.distributionType === "DEVELOPMENT";
 	const { ids: deviceAscIds } = useDevices ? yield* collectDeviceAscIds(ascCreds, cert.appleTeamId, input.deviceIds) : { ids: [] };
-	if (useDevices && deviceAscIds.length === 0) return yield* Effect.fail(new GenerateFailedError({
+	if (useDevices && deviceAscIds.length === 0) return yield* new GenerateFailedError({
 		step: "collect-devices",
 		message: "No registered devices to attach to the provisioning profile"
-	}));
+	});
 	const profileBytes = fromBase64((yield* createProvisioningProfile(ascCreds, {
 		profileName: `${input.bundleIdentifier} ${input.distributionType} ${Date.now()}`,
 		profileType: DISTRIBUTION_TO_PROFILE_TYPE$1[input.distributionType],
@@ -19610,10 +19777,10 @@ const downloadAndroidCredentials = (api, options) => Effect.gen(function* () {
 			...compact({ buildProfile: options.buildProfile })
 		}
 	}).pipe(Effect.mapError((cause) => resolveErrorToMissingCredentials(cause, "android")));
-	if (resolved.platform !== "android") return yield* Effect.fail(new MissingCredentialsError({
+	if (resolved.platform !== "android") return yield* new MissingCredentialsError({
 		message: "Server returned non-Android credentials for an Android build request",
 		hint: androidBindHint
-	}));
+	});
 	const secret = yield* decryptResolveSecret({
 		session: yield* openVaultSessionForBuild(api, androidBindHint),
 		credentialType: "keystore",
@@ -19734,7 +19901,7 @@ const credentialsJsonPath = (projectRoot) => path.join(projectRoot, CREDENTIALS_
 const readCredentialsJson = (projectRoot) => Effect.gen(function* () {
 	const fs = yield* FileSystem.FileSystem;
 	const filePath = credentialsJsonPath(projectRoot);
-	if (!(yield* fs.exists(filePath).pipe(Effect.catchAll(() => Effect.succeed(false))))) return yield* new CredentialsJsonError({ message: `credentials.json not found at ${filePath}.` });
+	if (!(yield* fs.exists(filePath).pipe(Effect.orElseSucceed(() => false)))) return yield* new CredentialsJsonError({ message: `credentials.json not found at ${filePath}.` });
 	return yield* parseCredentialsJson(yield* fs.readFileString(filePath).pipe(Effect.mapError((cause) => new CredentialsJsonError({ message: `Failed to read credentials.json: ${String(cause)}` }))));
 });
 const writeCredentialsJson = (projectRoot, data) => Effect.gen(function* () {
@@ -19751,7 +19918,7 @@ const resolveCredentialPath = (projectRoot, candidate) => path.isAbsolute(candid
 
 //#endregion
 //#region src/lib/local-credentials.ts
-const requirePath = (fs, absolutePath, label) => fs.exists(absolutePath).pipe(Effect.catchAll(() => Effect.succeed(false)), Effect.flatMap((exists) => exists ? Effect.void : Effect.fail(new MissingCredentialsError({
+const requirePath = (fs, absolutePath, label) => fs.exists(absolutePath).pipe(Effect.orElseSucceed(() => false), Effect.flatMap((exists) => exists ? Effect.void : Effect.fail(new MissingCredentialsError({
 	message: `Local credentials.json: ${label} not found at ${absolutePath}.`,
 	hint: "Run `better-update credentials sync pull` to materialize files, or fix the path in credentials.json."
 }))));
@@ -20006,7 +20173,7 @@ const runStepFormatted = (cmd, step, formatter) => Effect.gen(function* () {
 	if (code !== 0) {
 		const summary = formatter.getBuildSummary();
 		if (summary.length > 0) process$1.stderr.write(`${summary}\n`);
-		return yield* Effect.fail(buildFailed(step, code, `${step} exited with code ${code}`));
+		return yield* buildFailed(step, code, `${step} exited with code ${code}`);
 	}
 });
 
@@ -20025,56 +20192,44 @@ const gradleTaskName = (format, flavor, buildType) => {
 	const verb = format === "aab" ? "bundle" : "assemble";
 	return flavor ? `${verb}${capitalize(flavor)}${capitalize(buildType)}` : `${verb}${capitalize(buildType)}`;
 };
-const runAndroidBuild = (input) => Effect.gen(function* () {
-	const { api, tempDir, projectRoot, androidProfile, applicationIdentifier, envVars, projectId } = input;
-	const runtime = yield* CliRuntime;
+/** Resolve the signing keystore (remote or local), or `undefined` when skipped. */
+const resolveAndroidCredentials = (input) => {
+	if (input.skipCredentials) return Effect.succeed(void 0);
+	return input.credentialsSource === "local" ? loadLocalAndroidCredentials({ projectRoot: input.projectRoot }) : downloadAndroidCredentials(input.api, {
+		projectId: input.projectId,
+		applicationIdentifier: input.applicationIdentifier,
+		tempDir: input.tempDir,
+		buildProfile: input.profileName
+	});
+};
+/** Gradle build against the (already-prepared) `android/` dir. */
+const runGradleBuild = (input, commandEnv) => Effect.gen(function* () {
 	const buildStartMs = Date.now();
-	const { format } = androidProfile;
-	const { flavor } = androidProfile;
-	const buildType = androidProfile.buildType ?? "release";
-	const androidDir = path.join(projectRoot, "android");
-	const commandEnv = yield* runtime.commandEnvironment(envVars);
-	yield* runStep({
-		command: "bunx",
-		args: [
-			"expo",
-			"prebuild",
-			"--platform",
-			"android",
-			"--clean"
-		],
-		cwd: projectRoot,
-		env: commandEnv
-	}, "expo prebuild android");
-	const gradleArgs = yield* input.skipCredentials ? Effect.succeed([]) : Effect.gen(function* () {
-		const credentials = input.credentialsSource === "local" ? yield* loadLocalAndroidCredentials({ projectRoot }) : yield* downloadAndroidCredentials(api, {
-			projectId,
-			applicationIdentifier,
-			tempDir,
-			buildProfile: input.profileName
-		});
+	const { format, flavor } = input.androidProfile;
+	const buildType = input.androidProfile.buildType ?? "release";
+	const moduleName = input.androidProfile.module ?? "app";
+	const androidDir = path.join(input.projectRoot, "android");
+	const credentials = yield* resolveAndroidCredentials(input);
+	const gradleArgs = credentials === void 0 ? [] : yield* Effect.gen(function* () {
 		const fs = yield* FileSystem.FileSystem;
-		const signingGradlePath = path.join(tempDir, "signing.gradle");
-		yield* fs.writeFileString(signingGradlePath, renderSigningGradle({
-			keystorePath: credentials.keystorePath,
-			storePassword: credentials.storePassword,
-			keyAlias: credentials.keyAlias,
-			keyPassword: credentials.keyPassword
-		}));
+		const signingGradlePath = path.join(input.tempDir, "signing.gradle");
+		yield* fs.writeFileString(signingGradlePath, renderSigningGradle(credentials));
 		return ["--init-script", signingGradlePath];
 	});
-	const taskName = gradleTaskName(format, flavor, buildType);
+	const taskName = input.androidProfile.gradleTask ?? gradleTaskName(format, flavor, buildType);
+	const taskArg = taskName.startsWith(":") ? taskName : `:${moduleName}:${taskName}`;
 	yield* runStep({
 		command: "./gradlew",
-		args: [...gradleArgs, `:app:${taskName}`],
+		args: [...gradleArgs, taskArg],
 		cwd: androidDir,
 		env: commandEnv
 	}, "gradlew");
 	const artifactPath = yield* findAndroidArtifact({
-		projectRoot,
+		projectRoot: input.projectRoot,
 		format,
 		buildType,
 		minMtimeMs: buildStartMs,
+		module: moduleName,
 		...compact({ flavor })
 	});
 	const { sha256, byteSize } = yield* sha256File(artifactPath);
@@ -20084,6 +20239,71 @@ const runAndroidBuild = (input) => Effect.gen(function* () {
 		sha256
 	};
 });
+/**
+* Custom-command build. We can't inject signing into an arbitrary build, so the
+* resolved keystore + passwords are exposed to the command as `BETTER_UPDATE_*`
+* env vars; the user's script consumes them. The artifact is located via the
+* profile's `artifactPath` glob.
+*/
+const runAndroidCustom = (input, commandEnv) => Effect.gen(function* () {
+	const buildStartMs = Date.now();
+	const custom = input.customCommand;
+	if (custom === void 0) return yield* new BuildFailedError({
+		step: "custom android build",
+		exitCode: 1,
+		message: "Internal: custom Android strategy selected without a custom command."
+	});
+	if (custom.artifactPath === void 0) return yield* new BuildFailedError({
+		step: "custom android build",
+		exitCode: 1,
+		message: "Custom Android build requires \"artifactPath\" (e.g. \"**/*.aab\") in better-update.json."
+	});
+	const credentials = yield* resolveAndroidCredentials(input);
+	const credEnv = credentials === void 0 ? {} : {
+		BETTER_UPDATE_ANDROID_KEYSTORE_PATH: credentials.keystorePath,
+		BETTER_UPDATE_ANDROID_KEYSTORE_PASSWORD: credentials.storePassword,
+		BETTER_UPDATE_ANDROID_KEY_ALIAS: credentials.keyAlias,
+		BETTER_UPDATE_ANDROID_KEY_PASSWORD: credentials.keyPassword
+	};
+	const cwd = custom.cwd === void 0 ? input.projectRoot : path.join(input.projectRoot, custom.cwd);
+	yield* runStep({
+		command: "sh",
+		args: ["-c", custom.command],
+		cwd,
+		env: {
+			...commandEnv,
+			...credEnv,
+			...custom.env
+		}
+	}, "custom android build");
+	const artifactPath = yield* findArtifactByGlob({
+		baseDir: cwd,
+		pattern: custom.artifactPath,
+		minMtimeMs: buildStartMs
+	});
+	const { sha256, byteSize } = yield* sha256File(artifactPath);
+	return {
+		artifactPath,
+		byteSize,
+		sha256
+	};
+});
+const runAndroidBuild = (input) => Effect.gen(function* () {
+	const commandEnv = yield* (yield* CliRuntime).commandEnvironment(input.envVars);
+	if (input.strategy === "expo") yield* runStep({
+		command: "bunx",
+		args: [
+			"expo",
+			"prebuild",
+			"--platform",
+			"android",
+			"--clean"
+		],
+		cwd: input.projectRoot,
+		env: commandEnv
+	}, "expo prebuild android");
+	return input.strategy === "custom" ? yield* runAndroidCustom(input, commandEnv) : yield* runGradleBuild(input, commandEnv);
+});
 
 //#endregion
 //#region src/lib/credentials-generator-apple-id.ts
@@ -20189,10 +20409,10 @@ const findAscCertificateId = (ctx, serialNumber, certificateType) => Effect.gen(
 	const certs = yield* wrap("apple-list-certificates", async () => AppleUtils.Certificate.getAsync(ctx, { query: { filter: { certificateType } } }));
 	const upper = serialNumber.toUpperCase();
 	const match = certs.find((entry) => entry.attributes.serialNumber.toUpperCase() === upper);
-	if (match === void 0) return yield* Effect.fail(new AppleIdGenerateFailedError({
+	if (match === void 0) return yield* new AppleIdGenerateFailedError({
 		step: "match-apple-certificate",
 		message: `Distribution certificate ${serialNumber} not present on Apple Developer Portal; upload or re-generate it`
-	}));
+	});
 	return match.id;
 });
 const collectIosDeviceIds = (ctx, deviceIds) => Effect.gen(function* () {
@@ -20211,10 +20431,10 @@ const generateAndUploadProvisioningProfileViaAppleId = (api, input) => Effect.ge
 	const [certAscId, bundleIdAscId] = yield* Effect.all([findAscCertificateId(ctx, cert.serialNumber, certificateType), findOrCreateBundleId(ctx, input.bundleIdentifier)], { concurrency: 2 });
 	const useDevices = input.distributionType === "AD_HOC" || input.distributionType === "DEVELOPMENT";
 	const deviceIds = useDevices ? yield* collectIosDeviceIds(ctx, input.deviceIds) : [];
-	if (useDevices && deviceIds.length === 0) return yield* Effect.fail(new AppleIdGenerateFailedError({
+	if (useDevices && deviceIds.length === 0) return yield* new AppleIdGenerateFailedError({
 		step: "collect-devices",
 		message: "No registered devices to attach to the provisioning profile"
-	}));
+	});
 	const profileName = `${input.bundleIdentifier} ${input.distributionType} ${Date.now()}`;
 	const { profileContent } = (yield* wrap("apple-create-profile", async () => AppleUtils.Profile.createAsync(ctx, {
 		bundleId: bundleIdAscId,
@@ -20223,10 +20443,10 @@ const generateAndUploadProvisioningProfileViaAppleId = (api, input) => Effect.ge
 		name: profileName,
 		profileType: DISTRIBUTION_TO_PROFILE_TYPE[input.distributionType]
 	}))).attributes;
-	if (profileContent === null) return yield* Effect.fail(new AppleIdGenerateFailedError({
+	if (profileContent === null) return yield* new AppleIdGenerateFailedError({
 		step: "extract-profile-content",
 		message: "Apple returned a profile with no content (likely expired/invalid)"
-	}));
+	});
 	const profileBytes = fromBase64(profileContent);
 	const rosterHash = useDevices ? computeDeviceRosterHashHex(deviceIds) : void 0;
 	const created = yield* api.appleProvisioningProfiles.upload({ payload: {
@@ -20406,10 +20626,10 @@ const interactiveCertLimitRecover = (api, ascApiKeyId) => Effect.gen(function* (
 		ascApiKeyId,
 		certificateType: "IOS_DISTRIBUTION"
 	});
-	if (certs.length === 0) return yield* Effect.fail(new MissingCredentialsError({
+	if (certs.length === 0) return yield* new MissingCredentialsError({
 		message: "Apple says the certificate limit is hit but no existing certificates were returned.",
 		hint: "Try again later or check the Apple Developer portal."
-	}));
+	});
 	const toRevoke = yield* promptMultiSelect("Select one or more certificates to revoke before retrying", certs.map((entry) => ({
 		value: entry.id,
 		label: `${entry.serialNumber.slice(0, 12)}… (${entry.displayName ?? entry.certificateType}, exp ${entry.expirationDate.slice(0, 10)})`
@@ -20422,10 +20642,10 @@ const interactiveCertLimitRecover = (api, ascApiKeyId) => Effect.gen(function* (
 });
 const generateDistributionCertInteractive = (api) => Effect.gen(function* () {
 	const teamAscKeys = (yield* api.ascApiKeys.list()).items.filter((key) => key.appleTeamId !== null);
-	if (teamAscKeys.length === 0) return yield* Effect.fail(new MissingCredentialsError({
+	if (teamAscKeys.length === 0) return yield* new MissingCredentialsError({
 		message: "No ASC API key linked to an Apple team in this organization.",
 		hint: "Upload an ASC API key with a team assignment via the dashboard, then retry."
-	}));
+	});
 	const ascKeyId = yield* promptSelect("Select an ASC API key to issue the certificate against", teamAscKeys.map((key) => ({
 		value: key.id,
 		label: `${key.name} (${key.keyId})`
@@ -20444,10 +20664,10 @@ const chooseIosCertificateId = (api) => Effect.gen(function* () {
 		}, {
 			value: "abort",
 			label: "Abort — I'll upload one manually"
-		}])) === "abort") return yield* Effect.fail(new MissingCredentialsError({
+		}])) === "abort") return yield* new MissingCredentialsError({
 			message: "Build aborted — no distribution certificate available.",
 			hint: "Run `better-update credentials generate distribution-certificate --asc-key-id <id>` or upload via the dashboard."
-		}));
+		});
 		return (yield* generateDistributionCertInteractive(api)).id;
 	}
 	const choice = yield* promptSelect("Select a distribution certificate (or 'generate' for a fresh one)", [{
@@ -20463,10 +20683,10 @@ const chooseIosCertificateId = (api) => Effect.gen(function* () {
 const pickIosCertificate = (api) => Effect.gen(function* () {
 	const chosenId = yield* chooseIosCertificateId(api);
 	const cert = (yield* api.appleDistributionCertificates.list()).items.find((entry) => entry.id === chosenId);
-	if (cert === void 0) return yield* Effect.fail(new MissingCredentialsError({
+	if (cert === void 0) return yield* new MissingCredentialsError({
 		message: "Selected certificate not found after generation.",
 		hint: "Retry."
-	}));
+	});
 	return {
 		certId: chosenId,
 		cert
@@ -20474,10 +20694,10 @@ const pickIosCertificate = (api) => Effect.gen(function* () {
 });
 const pickIosAscKey = (api, appleTeamId) => Effect.gen(function* () {
 	const teamAscKeys = (yield* api.ascApiKeys.list()).items.filter((key) => key.appleTeamId !== null && key.appleTeamId === appleTeamId);
-	if (teamAscKeys.length === 0) return yield* Effect.fail(new MissingCredentialsError({
+	if (teamAscKeys.length === 0) return yield* new MissingCredentialsError({
 		message: `No ASC API key linked to Apple team ${appleTeamId}.`,
 		hint: "Upload an ASC API key for that team via the dashboard, then retry."
-	}));
+	});
 	return yield* promptSelect("Select an ASC API key", teamAscKeys.map((key) => ({
 		value: key.id,
 		label: `${key.name} (${key.keyId})`
@@ -20558,10 +20778,10 @@ const generateKeystoreInteractive = (api) => Effect.gen(function* () {
 });
 const pickExistingKeystore = (api) => Effect.gen(function* () {
 	const keystores = yield* api.androidUploadKeystores.list();
-	if (keystores.items.length === 0) return yield* Effect.fail(new MissingCredentialsError({
+	if (keystores.items.length === 0) return yield* new MissingCredentialsError({
 		message: "No existing keystores in this organization.",
 		hint: "Re-run and choose 'Generate new keystore'."
-	}));
+	});
 	return yield* promptSelect("Select a keystore", keystores.items.map((item) => ({
 		value: item.id,
 		label: item.keyAlias
@@ -20594,10 +20814,10 @@ const setupAndroidInteractive = (api, input) => Effect.gen(function* () {
 			label: "Abort — I'll configure it in the dashboard"
 		}
 	]);
-	if (choice === "abort") return yield* Effect.fail(new MissingCredentialsError({
+	if (choice === "abort") return yield* new MissingCredentialsError({
 		message: `Build aborted — no keystore bound to ${input.applicationIdentifier}.`,
 		hint: "Run `better-update credentials generate keystore` or upload via the dashboard."
-	}));
+	});
 	const keystoreId = yield* choice === "generate" ? generateKeystoreAuto(api, input.applicationIdentifier) : pickExistingKeystore(api);
 	yield* api.androidBuildCredentials.create({
 		path: { applicationIdentifierId: appId },
@@ -20618,10 +20838,10 @@ const ensureAndroidCredentialsAvailable = (api, input) => api.buildCredentials.r
 }).pipe(Effect.asVoid);
 const ensureAndroidCredentials = (api, input, options) => ensureAndroidCredentialsAvailable(api, input).pipe(Effect.catchIf(isMissingResolveError, () => Effect.gen(function* () {
 	const mode = yield* InteractiveMode;
-	if (options.freezeCredentials || !mode.allow) return yield* Effect.fail(new MissingCredentialsError({
+	if (options.freezeCredentials || !mode.allow) return yield* new MissingCredentialsError({
 		message: `No Android build credentials for ${input.applicationIdentifier}.`,
 		hint: options.freezeCredentials ? "Run `better-update credentials generate` first, or remove --freeze-credentials." : "Run `better-update credentials generate` first, or rerun with --interactive to configure now."
-	}));
+	});
 	yield* setupAndroidInteractive(api, input);
 	return yield* ensureAndroidCredentialsAvailable(api, input);
 })));
@@ -20642,10 +20862,10 @@ const resolveIosBuildCredentials = (api, input) => api.buildCredentials.resolve(
 const findBoundIosConfig = (api, input) => Effect.gen(function* () {
 	const distributionType = IOS_DISTRIBUTION_TO_TYPE[input.distribution];
 	const match = (yield* api.iosBundleConfigurations.list({ path: { projectId: input.projectId } })).items.find((config) => config.bundleIdentifier === input.bundleIdentifier && config.distributionType === distributionType);
-	if (match === void 0) return yield* Effect.fail(new MissingCredentialsError({
+	if (match === void 0) return yield* new MissingCredentialsError({
 		message: `iOS bundle configuration vanished while regenerating stale profile for ${input.bundleIdentifier}`,
 		hint: "Retry; the configuration must exist before regeneration"
-	}));
+	});
 	return match;
 });
 const regenerateProvisioningProfile = (api, input) => Effect.gen(function* () {
@@ -20676,19 +20896,19 @@ const regenerateProvisioningProfile = (api, input) => Effect.gen(function* () {
 });
 const ensureIosCredentials = (api, input, options) => resolveIosBuildCredentials(api, input).pipe(Effect.catchIf(isMissingResolveError, () => Effect.gen(function* () {
 	const mode = yield* InteractiveMode;
-	if (options.freezeCredentials || !mode.allow) return yield* Effect.fail(new MissingCredentialsError({
+	if (options.freezeCredentials || !mode.allow) return yield* new MissingCredentialsError({
 		message: `No iOS build credentials for ${input.bundleIdentifier} (${input.distribution}).`,
 		hint: options.freezeCredentials ? "Run `better-update credentials generate` first, or remove --freeze-credentials." : "Run `better-update credentials generate` first, or rerun with --interactive to configure now."
-	}));
+	});
 	yield* setupIosInteractive(api, input);
 	return yield* resolveIosBuildCredentials(api, input);
 })), Effect.flatMap((resolved) => Effect.gen(function* () {
 	if (resolved.platform !== "ios" || !resolved.profileStale) return;
 	const mode = yield* InteractiveMode;
-	if (options.freezeCredentials || !mode.allow) return yield* Effect.fail(new MissingCredentialsError({
+	if (options.freezeCredentials || !mode.allow) return yield* new MissingCredentialsError({
 		message: `Stale provisioning profile for ${input.bundleIdentifier}; cannot regenerate without an interactive session.`,
 		hint: options.freezeCredentials ? "Run a build without --freeze-credentials once to refresh the profile, or run `better-update credentials regenerate-profile`." : "Run `better-update credentials regenerate-profile --bundle <id> --distribution <type>` from an interactive terminal."
-	}));
+	});
 	yield* Console.log(`Stale provisioning profile for ${input.bundleIdentifier} (device roster changed). Regenerating...`);
 	yield* regenerateProvisioningProfile(api, input);
 })));
@@ -20738,7 +20958,7 @@ const applyTargetSigning = (options) => Effect.gen(function* () {
 	const projectDir = yield* findXcodeProjectDir$1(options.iosDir);
 	const pbxprojPath = path.join(projectDir, "project.pbxproj");
 	const project = yield* parseProject$1(pbxprojPath);
-	for (const entry of options.entries) for (const configUuid of entry.buildConfigurationUuids) if (!mutateConfig(project, configUuid, entry.settings)) yield* new XcodeProjectError({ message: `Build configuration ${configUuid} not found for target "${entry.targetName}" in ${pbxprojPath}.` });
+	for (const entry of options.entries) for (const configUuid of entry.buildConfigurationUuids) if (!mutateConfig(project, configUuid, entry.settings)) return yield* new XcodeProjectError({ message: `Build configuration ${configUuid} not found for target "${entry.targetName}" in ${pbxprojPath}.` });
 	const serialized = yield* Effect.try({
 		try: () => project.writeSync(),
 		catch: (cause) => new XcodeProjectError({ message: `Failed to serialize ${pbxprojPath}: ${cause instanceof Error ? cause.message : String(cause)}` })
@@ -20798,7 +21018,7 @@ const listCurrentKeychains = Effect.gen(function* () {
 const parseSigningIdentity = (output) => {
 	const lines = output.split("\n");
 	for (const line of lines) {
-		const match = /"([^"]+)"/u.exec(line);
+		const match = /"(?<identity>[^"]+)"/u.exec(line);
 		if (match?.[1]) return match[1];
 	}
 };
@@ -20926,7 +21146,7 @@ const installProvisioningProfile = ({ profilePath }) => Effect.acquireRelease(Ef
 //#endregion
 //#region src/lib/post-build-validation.ts
 const validateOneBundle = (bundleDir, expectedByBundleId, expectedTeamId) => Effect.gen(function* () {
-	const bundleId = yield* readBundleId(bundleDir).pipe(Effect.catchAll(() => Effect.succeed(void 0)));
+	const bundleId = yield* readBundleId(bundleDir).pipe(Effect.orElseSucceed(() => void 0));
 	if (!bundleId) return {
 		bundleId: void 0,
 		warnings: [`Missing CFBundleIdentifier in Info.plist at ${bundleDir}`]
@@ -20938,16 +21158,16 @@ const validateOneBundle = (bundleDir, expectedByBundleId, expectedTeamId) => Eff
 	};
 	return {
 		bundleId,
-		warnings: yield* validateEmbeddedProfile(bundleDir, expected.profileUuid, expectedTeamId, bundleId).pipe(Effect.catchAll(() => Effect.succeed([])))
+		warnings: yield* validateEmbeddedProfile(bundleDir, expected.profileUuid, expectedTeamId, bundleId).pipe(Effect.orElseSucceed(() => []))
 	};
 });
 const validateIosBuild = (params) => Effect.gen(function* () {
-	const appDir = yield* findAppDirectory$1(params.archivePath).pipe(Effect.catchAll(() => Effect.succeed(void 0)));
+	const appDir = yield* findAppDirectory$1(params.archivePath).pipe(Effect.orElseSucceed(() => void 0));
 	if (!appDir) return {
 		passed: false,
 		warnings: ["Could not locate .app bundle in archive — skipping post-build validation"]
 	};
-	const bundleDirs = yield* listSignedBundleDirs(appDir).pipe(Effect.catchAll(() => Effect.succeed([appDir])));
+	const bundleDirs = yield* listSignedBundleDirs(appDir).pipe(Effect.orElseSucceed(() => [appDir]));
 	const expectedByBundleId = new Map(params.expectedTargets.map((target) => [target.bundleId, target]));
 	const perBundle = yield* Effect.forEach(bundleDirs, (bundleDir) => validateOneBundle(bundleDir, expectedByBundleId, params.expectedTeamId));
 	const warnings = perBundle.flatMap((entry) => [...entry.warnings]);
@@ -20977,7 +21197,7 @@ const findAppDirectory$1 = (archivePath) => Effect.gen(function* () {
 const listSignedBundleDirs = (appDir) => Effect.gen(function* () {
 	const fs = yield* FileSystem.FileSystem;
 	const plugInsDir = path.join(appDir, "PlugIns");
-	if (!(yield* fs.exists(plugInsDir).pipe(Effect.catchAll(() => Effect.succeed(false))))) return [appDir];
+	if (!(yield* fs.exists(plugInsDir).pipe(Effect.orElseSucceed(() => false)))) return [appDir];
 	return [appDir, ...(yield* fs.readDirectory(plugInsDir)).filter((entry) => entry.endsWith(".appex")).map((entry) => path.join(plugInsDir, entry))];
 });
 const readBundleId = (bundleDir) => Effect.gen(function* () {
@@ -21101,36 +21321,85 @@ const createXcodebuildFormatter = (projectRoot) => {
 };
 
 //#endregion
-//#region src/commands/build/ios.ts
-const findXcworkspace = (iosDir) => Effect.gen(function* () {
-	const workspace = (yield* (yield* FileSystem.FileSystem).readDirectory(iosDir)).find((entry) => entry.endsWith(".xcworkspace"));
-	if (!workspace) return yield* new BuildFailedError({
-		step: "detect xcworkspace",
+//#region src/commands/build/ios-prepare.ts
+const baseName = (entry) => entry.replace(/\.(?<ext>xcworkspace|xcodeproj)$/u, "");
+/**
+* Resolve the Xcode container to build: an explicit `workspace`/`project` from
+* the profile, else an auto-discovered `.xcworkspace` (CocoaPods), else the
+* `.xcodeproj` (pure-native apps without Pods).
+*/
+const resolveXcodeContainer = (projectRoot, iosDir, iosProfile) => Effect.gen(function* () {
+	if (iosProfile.workspace !== void 0) {
+		const containerPath = path.resolve(projectRoot, iosProfile.workspace);
+		return {
+			flag: "-workspace",
+			containerPath,
+			schemeBase: baseName(path.basename(containerPath))
+		};
+	}
+	if (iosProfile.project !== void 0) {
+		const containerPath = path.resolve(projectRoot, iosProfile.project);
+		return {
+			flag: "-project",
+			containerPath,
+			schemeBase: baseName(path.basename(containerPath))
+		};
+	}
+	const entries = yield* (yield* FileSystem.FileSystem).readDirectory(iosDir).pipe(Effect.orElseSucceed(() => []));
+	const workspace = entries.find((entry) => entry.endsWith(".xcworkspace"));
+	if (workspace !== void 0) return {
+		flag: "-workspace",
+		containerPath: path.join(iosDir, workspace),
+		schemeBase: baseName(workspace)
+	};
+	const project = entries.find((entry) => entry.endsWith(".xcodeproj"));
+	if (project !== void 0) return {
+		flag: "-project",
+		containerPath: path.join(iosDir, project),
+		schemeBase: baseName(project)
+	};
+	return yield* new BuildFailedError({
+		step: "resolve Xcode container",
 		exitCode: 1,
-		message: `No .xcworkspace found under ${iosDir}. Did "pod install" run?`
+		message: `No .xcworkspace or .xcodeproj found under ${iosDir}. Set ios.workspace / ios.project in better-update.json.`
 	});
-	return workspace;
 });
-const prebuildAndPods = (params) => Effect.gen(function* () {
-	yield* runStep({
-		command: "bunx",
-		args: [
-			"expo",
-			"prebuild",
-			"--platform",
-			"ios",
-			"--clean"
-		],
-		cwd: params.projectRoot,
-		env: params.commandEnv
-	}, "expo prebuild ios");
-	yield* runStep({
+/**
+* Prepare the `ios/` dir for an xcodebuild. Expo regenerates it from app.json
+* via prebuild then runs `pod install`; bare/KMP/native build the committed dir
+* and only run `pod install` when a Podfile is present (unless disabled).
+*/
+const prepareIosNative = (params) => Effect.gen(function* () {
+	if (params.strategy === "expo") {
+		yield* runStep({
+			command: "bunx",
+			args: [
+				"expo",
+				"prebuild",
+				"--platform",
+				"ios",
+				"--clean"
+			],
+			cwd: params.projectRoot,
+			env: params.commandEnv
+		}, "expo prebuild ios");
+		yield* runStep({
+			command: "pod",
+			args: ["install"],
+			cwd: params.iosDir,
+			env: params.commandEnv
+		}, "pod install");
+		return;
+	}
+	if (params.iosProfile.podInstall === false) return;
+	if (yield* (yield* FileSystem.FileSystem).exists(path.join(params.iosDir, "Podfile")).pipe(Effect.orElseSucceed(() => false))) yield* runStep({
 		command: "pod",
 		args: ["install"],
 		cwd: params.iosDir,
 		env: params.commandEnv
 	}, "pod install");
 });
+/** Recursively locate the first `.app` bundle under `root` (simulator output). */
 const findAppDirectory = (root) => Effect.gen(function* () {
 	const fs = yield* FileSystem.FileSystem;
 	const stack = [root];
@@ -21150,25 +21419,30 @@ const findAppDirectory = (root) => Effect.gen(function* () {
 	}
 	return yield* new ArtifactNotFoundError({ message: `No .app bundle found under "${root}".` });
 });
+
+//#endregion
+//#region src/commands/build/ios.ts
 const runIosSimulatorBuild = (input) => Effect.gen(function* () {
 	const { projectRoot, iosProfile, envVars, tempDir } = input;
 	const runtime = yield* CliRuntime;
 	const iosDir = path.join(projectRoot, "ios");
 	const commandEnv = yield* runtime.commandEnvironment(envVars);
-	yield* prebuildAndPods({
+	yield* prepareIosNative({
+		strategy: input.strategy,
 		projectRoot,
 		iosDir,
+		iosProfile,
 		commandEnv
 	});
-	const workspaceFilename = yield* findXcworkspace(iosDir);
-	const scheme = iosProfile.scheme ?? workspaceFilename.replace(/\.xcworkspace$/u, "");
+	const container = yield* resolveXcodeContainer(projectRoot, iosDir, iosProfile);
+	const scheme = iosProfile.scheme ?? container.schemeBase;
 	const configuration = iosProfile.buildConfiguration ?? "Release";
 	const derivedDataPath = path.join(tempDir, "derived-data");
 	const buildCmd = {
 		command: "xcodebuild",
 		args: [
-			"-workspace",
-			workspaceFilename,
+			container.flag,
+			container.containerPath,
 			"-scheme",
 			scheme,
 			"-configuration",
@@ -21256,13 +21530,15 @@ const runIosDeviceBuild = (input) => Effect.gen(function* () {
 	const iosDir = path.join(projectRoot, "ios");
 	const { distribution } = iosProfile;
 	const commandEnv = yield* runtime.commandEnvironment(envVars);
-	yield* prebuildAndPods({
+	yield* prepareIosNative({
+		strategy: input.strategy,
 		projectRoot,
 		iosDir,
+		iosProfile,
 		commandEnv
 	});
-	const workspaceFilename = yield* findXcworkspace(iosDir);
-	const scheme = iosProfile.scheme ?? workspaceFilename.replace(/\.xcworkspace$/u, "");
+	const container = yield* resolveXcodeContainer(projectRoot, iosDir, iosProfile);
+	const scheme = iosProfile.scheme ?? container.schemeBase;
 	const configuration = iosProfile.buildConfiguration ?? "Release";
 	const signedTargets = yield* discoverSignedTargets({
 		iosDir,
@@ -21309,8 +21585,8 @@ const runIosDeviceBuild = (input) => Effect.gen(function* () {
 	const archiveCmd = {
 		command: "xcodebuild",
 		args: [
-			"-workspace",
-			workspaceFilename,
+			container.flag,
+			container.containerPath,
 			"-scheme",
 			scheme,
 			"-configuration",
@@ -21374,19 +21650,76 @@ const runIosDeviceBuild = (input) => Effect.gen(function* () {
 		sha256
 	};
 });
-const runIosBuild = (input) => input.iosProfile.simulator === true ? runIosSimulatorBuild(input) : runIosDeviceBuild(input);
+/**
+* Custom-command iOS build. The resolved p12 + provisioning profiles are written
+* to `tempDir` and their paths exposed via `BETTER_UPDATE_IOS_*` env vars; the
+* user's command performs the actual signing/archive. The artifact is located
+* via the profile's `artifactPath` glob.
+*/
+const runIosCustom = (input) => Effect.gen(function* () {
+	const commandEnv = yield* (yield* CliRuntime).commandEnvironment(input.envVars);
+	const custom = input.customCommand;
+	if (custom === void 0) return yield* new BuildFailedError({
+		step: "custom ios build",
+		exitCode: 1,
+		message: "Internal: custom iOS strategy selected without a custom command."
+	});
+	if (custom.artifactPath === void 0) return yield* new BuildFailedError({
+		step: "custom ios build",
+		exitCode: 1,
+		message: "Custom iOS build requires \"artifactPath\" (e.g. \"build/*.ipa\") in better-update.json."
+	});
+	const credentials = yield* fetchAllCredentials({
+		api: input.api,
+		input,
+		mainBundleIdentifier: input.bundleId,
+		allBundleIdentifiers: [input.bundleId]
+	});
+	const credEnv = {
+		BETTER_UPDATE_IOS_P12_PATH: credentials.p12Path,
+		BETTER_UPDATE_IOS_P12_PASSWORD: credentials.p12Password,
+		BETTER_UPDATE_IOS_PROVISIONING_PROFILES: credentials.profiles.map((profile) => profile.profilePath).join(":")
+	};
+	const cwd = custom.cwd === void 0 ? input.projectRoot : path.join(input.projectRoot, custom.cwd);
+	const buildStartMs = Date.now();
+	yield* runStep({
+		command: "sh",
+		args: ["-c", custom.command],
+		cwd,
+		env: {
+			...commandEnv,
+			...credEnv,
+			...custom.env
+		}
+	}, "custom ios build");
+	const artifactPath = yield* findArtifactByGlob({
+		baseDir: cwd,
+		pattern: custom.artifactPath,
+		minMtimeMs: buildStartMs
+	});
+	const { sha256, byteSize } = yield* sha256File(artifactPath);
+	return {
+		artifactPath,
+		byteSize,
+		sha256
+	};
+});
+const runIosBuild = (input) => {
+	if (input.strategy === "custom") return runIosCustom(input);
+	return input.iosProfile.simulator === true ? runIosSimulatorBuild(input) : runIosDeviceBuild(input);
+};
 
 //#endregion
 //#region src/commands/build/reserve-and-upload.ts
 const buildReserveCommon = (input) => ({
 	projectId: input.projectId,
 	profile: input.profileName,
-	runtimeVersion: input.runtimeVersion,
 	bundleId: input.bundleId,
 	sha256: input.sha256,
 	byteSize: input.byteSize,
 	gitDirty: input.gitContext.dirty,
 	...compact({
+		runtimeVersion: input.runtimeVersion,
 		appVersion: input.appVersion,
 		buildNumber: input.buildNumber,
 		gitRef: input.gitContext.ref,
@@ -21462,7 +21795,7 @@ const bumpVersionCode = (current) => Effect.gen(function* () {
 	if (!Number.isInteger(value) || value < 0) return yield* new BuildProfileError({ message: `Cannot autoIncrement android.versionCode: current value ${String(value)} is not a non-negative integer.` });
 	return value + 1;
 });
-const SEMVER_PATCH = /^(\d+)\.(\d+)\.(\d+)(.*)$/u;
+const SEMVER_PATCH = /^(?<major>\d+)\.(?<minor>\d+)\.(?<patch>\d+)(?<suffix>.*)$/u;
 const bumpVersion = (current) => Effect.gen(function* () {
 	if (current === void 0) return yield* new BuildProfileError({ message: "Cannot autoIncrement version: no `version` field set in Expo config." });
 	const match = SEMVER_PATCH.exec(current);
@@ -21543,20 +21876,21 @@ const stripExtends = (profile) => {
 };
 const resolveExtendsChain = (params) => Effect.gen(function* () {
 	const { profiles, profileName, label, maxDepth, makeError } = params;
+	const sourceLabel = params.sourceLabel ?? "eas.json";
 	const noun = label === "build" ? "Build" : "Submit";
 	const chain = [];
 	const visited = /* @__PURE__ */ new Set();
 	let current = profileName;
 	let depth = 0;
 	while (current !== void 0) {
-		if (visited.has(current)) return yield* Effect.fail(makeError(`Cycle detected in eas.json ${label}.${profileName} extends chain at "${current}".`));
+		if (visited.has(current)) return yield* Effect.fail(makeError(`Cycle detected in ${sourceLabel} ${label}.${profileName} extends chain at "${current}".`));
 		visited.add(current);
 		const profile = profiles[current];
-		if (!profile) return yield* Effect.fail(makeError(current === profileName ? `${noun} profile "${profileName}" not found in eas.json.` : `${noun} profile "${profileName}" extends missing profile "${current}".`));
+		if (!profile) return yield* Effect.fail(makeError(current === profileName ? `${noun} profile "${profileName}" not found in ${sourceLabel}.` : `${noun} profile "${profileName}" extends missing profile "${current}".`));
 		chain.unshift(profile);
 		current = profile.extends;
 		depth += 1;
-		if (depth > maxDepth) return yield* Effect.fail(makeError(`Too many "extends" levels (max ${String(maxDepth)}) in eas.json ${label}.${profileName}.`));
+		if (depth > maxDepth) return yield* Effect.fail(makeError(`Too many "extends" levels (max ${String(maxDepth)}) in ${sourceLabel} ${label}.${profileName}.`));
 	}
 	return chain;
 });
@@ -21623,13 +21957,14 @@ const mergeSubmitProfile = (base, overlay) => {
 		android
 	});
 };
-const resolveEasSubmitProfile = (profiles, profileName) => Effect.gen(function* () {
-	if (!profiles) return yield* new BuildProfileError({ message: "eas.json has no \"submit\" section. Add at least one submit profile." });
+const resolveEasSubmitProfile = (profiles, profileName, sourceLabel = "eas.json") => Effect.gen(function* () {
+	if (!profiles) return yield* new BuildProfileError({ message: `${sourceLabel} has no "submit" section. Add at least one submit profile.` });
 	return stripExtends((yield* resolveExtendsChain({
 		profiles,
 		profileName,
 		label: "submit",
 		maxDepth: MAX_SUBMIT_EXTENDS_DEPTH,
+		sourceLabel,
 		makeError: (message) => new BuildProfileError({ message })
 	})).reduce((acc, next, index) => index === 0 ? next : mergeSubmitProfile(acc, next), {}));
 });
@@ -21696,7 +22031,13 @@ const parseIosProfile = (raw) => {
 		scheme: asStringValue(record["scheme"]),
 		simulator: asBooleanValue(record["simulator"]),
 		enterpriseProvisioning: asEnterpriseProvisioning(record["enterpriseProvisioning"]),
-		autoIncrement: asIosAutoIncrement(record["autoIncrement"])
+		autoIncrement: asIosAutoIncrement(record["autoIncrement"]),
+		workspace: asStringValue(record["workspace"]),
+		project: asStringValue(record["project"]),
+		podInstall: asBooleanValue(record["podInstall"]),
+		bundleIdentifier: asStringValue(record["bundleIdentifier"]),
+		version: asStringValue(record["version"]),
+		buildNumber: asStringValue(record["buildNumber"])
 	});
 };
 const parseAndroidProfile = (raw) => {
@@ -21708,9 +22049,35 @@ const parseAndroidProfile = (raw) => {
 		gradleCommand: asStringValue(record["gradleCommand"]),
 		format: asAndroidFormat(record["format"]),
 		distribution: asAndroidDistribution(record["distribution"]),
-		autoIncrement: asAndroidAutoIncrement(record["autoIncrement"])
+		autoIncrement: asAndroidAutoIncrement(record["autoIncrement"]),
+		module: asStringValue(record["module"]),
+		gradleTask: asStringValue(record["gradleTask"]),
+		applicationId: asStringValue(record["applicationId"]),
+		version: asStringValue(record["version"]),
+		versionCode: asStringValue(record["versionCode"])
 	});
 };
+const parseCustomCommandSpec = (raw) => {
+	const record = asRecord(raw);
+	if (!record) return;
+	const command = asStringValue(record["command"]);
+	if (command === void 0) return;
+	return compact({
+		command,
+		cwd: asStringValue(record["cwd"]),
+		env: asEnv(record["env"]),
+		artifactPath: asStringValue(record["artifactPath"])
+	});
+};
+const parseCustomCommandProfile = (raw) => {
+	const record = asRecord(raw);
+	if (!record) return;
+	const result = compact({
+		ios: parseCustomCommandSpec(record["ios"]),
+		android: parseCustomCommandSpec(record["android"])
+	});
+	return Object.keys(result).length === 0 ? void 0 : result;
+};
 const parseBuildProfile = (raw) => {
 	const record = asRecord(raw);
 	if (!record) return;
@@ -21725,15 +22092,16 @@ const parseBuildProfile = (raw) => {
 		android: parseAndroidProfile(record["android"]),
 		credentialsSource: asCredentialsSource(record["credentialsSource"]),
 		autoIncrement: asAutoIncrement(record["autoIncrement"]),
-		withoutCredentials: asBooleanValue(record["withoutCredentials"])
+		withoutCredentials: asBooleanValue(record["withoutCredentials"]),
+		custom: parseCustomCommandProfile(record["custom"])
 	});
 };
-const parseEasConfig = (text) => Effect.gen(function* () {
-	const root = asRecord(yield* Effect.try({
-		try: () => JSON.parse(text),
-		catch: (cause) => new BuildProfileError({ message: `eas.json is not valid JSON: ${formatCause(cause)}` })
-	}));
-	if (!root) return yield* new BuildProfileError({ message: "eas.json must be a JSON object at the top level." });
+/**
+* Parse an already-decoded JSON object into an {@link EasConfig}. Shared by the
+* `eas.json` reader and the `better-update.json` build-config reader — both hold
+* the same `build`/`submit`/`cli` shape, only the source file differs.
+*/
+const parseConfigFromRecord = (root) => {
 	const buildRecord = asRecord(root["build"]);
 	if (!buildRecord) return asRecord(root["cli"]) ? { cli: parseCli(root["cli"]) } : {};
 	const profiles = {};
@@ -21752,6 +22120,14 @@ const parseEasConfig = (text) => Effect.gen(function* () {
 		build: profiles,
 		...Object.keys(submit).length === 0 ? {} : { submit }
 	};
+};
+const parseEasConfig = (text) => Effect.gen(function* () {
+	const root = asRecord(yield* Effect.try({
+		try: () => JSON.parse(text),
+		catch: (cause) => new BuildProfileError({ message: `eas.json is not valid JSON: ${formatCause(cause)}` })
+	}));
+	if (!root) return yield* new BuildProfileError({ message: "eas.json must be a JSON object at the top level." });
+	return parseConfigFromRecord(root);
 });
 const parseCli = (raw) => {
 	const record = asRecord(raw);
@@ -21764,12 +22140,17 @@ const easJsonPath = (projectRoot) => Effect.gen(function* () {
 const readEasJson = (projectRoot) => Effect.gen(function* () {
 	const fs = yield* FileSystem.FileSystem;
 	const filePath = yield* easJsonPath(projectRoot);
-	return yield* parseEasConfig(yield* fs.readFileString(filePath).pipe(Effect.catchAll((cause) => Effect.fail(new BuildProfileError({ message: cause._tag === "SystemError" && cause.reason === "NotFound" ? `No eas.json found at ${filePath}. Create one with a "build" section.` : `Failed to read eas.json: ${cause.message}` })))));
+	return yield* parseEasConfig(yield* fs.readFileString(filePath).pipe(Effect.mapError((cause) => new BuildProfileError({ message: cause._tag === "SystemError" && cause.reason === "NotFound" ? `No eas.json found at ${filePath}. Create one with a "build" section.` : `Failed to read eas.json: ${cause.message}` }))));
 });
+const mergeCustom = (base, overlay) => {
+	const merged = shallowMerge(base, overlay);
+	return merged === void 0 || Object.keys(merged).length === 0 ? void 0 : merged;
+};
 const mergeProfile = (base, overlay) => {
 	const ios = shallowMerge(base.ios, overlay.ios);
 	const android = shallowMerge(base.android, overlay.android);
 	const env = shallowMerge(base.env, overlay.env);
+	const custom = mergeCustom(base.custom, overlay.custom);
 	const developmentClient = overlay.developmentClient ?? base.developmentClient;
 	const distribution = overlay.distribution ?? base.distribution;
 	const channel = overlay.channel ?? base.channel;
@@ -21788,21 +22169,41 @@ const mergeProfile = (base, overlay) => {
 		android,
 		credentialsSource,
 		autoIncrement,
-		withoutCredentials
+		withoutCredentials,
+		custom
 	});
 };
-const resolveEasBuildProfile = (config, profileName) => Effect.gen(function* () {
+const resolveEasBuildProfile = (config, profileName, sourceLabel = "eas.json") => Effect.gen(function* () {
 	const profiles = config.build;
-	if (!profiles) return yield* new BuildProfileError({ message: "eas.json has no \"build\" section. Add at least one profile." });
+	if (!profiles) return yield* new BuildProfileError({ message: `${sourceLabel} has no "build" section. Add at least one profile.` });
 	return stripExtends((yield* resolveExtendsChain({
 		profiles,
 		profileName,
 		label: "build",
 		maxDepth: MAX_EXTENDS_DEPTH,
+		sourceLabel,
 		makeError: (message) => new BuildProfileError({ message })
 	})).reduce((acc, next, index) => index === 0 ? next : mergeProfile(acc, next), {}));
 });
 
+//#endregion
+//#region src/lib/better-update-build-config.ts
+/** Label used in profile-resolution error copy when config comes from this file. */
+const BETTER_UPDATE_SOURCE_LABEL = "better-update.json";
+/**
+* Read the `build`/`submit`/`cli` config from `better-update.json`. Returns an
+* empty config (no `build` key) when the file is absent or carries no build
+* section. Shares the parser with {@link file://./eas-config.ts}; only the
+* source file and the error `sourceLabel` differ.
+*/
+const readBuildConfig = (projectRoot) => readBetterUpdateConfig(projectRoot).pipe(Effect.map((config) => config === void 0 ? {} : parseConfigFromRecord(config)));
+/** List available build-profile names declared in `better-update.json`. */
+const listBuildProfileNames = (projectRoot) => readBuildConfig(projectRoot).pipe(Effect.map((config) => Object.keys(config.build ?? {})));
+/** Resolve a submit profile from `better-update.json`'s `submit` section. */
+const readSubmitProfile = (projectRoot, profileName) => Effect.gen(function* () {
+	return yield* resolveEasSubmitProfile((yield* readBuildConfig(projectRoot)).submit, profileName, BETTER_UPDATE_SOURCE_LABEL);
+});
+
 //#endregion
 //#region src/lib/build-profile.ts
 const deriveIosDistribution = (eas) => {
@@ -21849,12 +22250,22 @@ const toIosProfile = (eas) => {
 	if (!distribution) return;
 	const ios = eas.ios ?? {};
 	const autoIncrement = resolveIosAutoIncrement(eas);
+	const buildConfiguration = ios.buildConfiguration ?? (eas.developmentClient === true ? "Debug" : void 0);
+	const metaOverride = compact({
+		bundleIdentifier: ios.bundleIdentifier,
+		version: ios.version,
+		buildNumber: ios.buildNumber
+	});
 	return compact({
 		distribution,
-		buildConfiguration: ios.buildConfiguration ?? (eas.developmentClient === true ? "Debug" : void 0),
+		buildConfiguration,
 		scheme: ios.scheme,
 		simulator: ios.simulator,
-		autoIncrement
+		autoIncrement,
+		workspace: ios.workspace,
+		project: ios.project,
+		podInstall: ios.podInstall,
+		metaOverride: Object.keys(metaOverride).length === 0 ? void 0 : metaOverride
 	});
 };
 const toAndroidProfile = (eas) => {
@@ -21864,16 +22275,25 @@ const toAndroidProfile = (eas) => {
 	const android = eas.android ?? {};
 	const distribution = deriveAndroidDistribution(eas, format);
 	const autoIncrement = resolveAndroidAutoIncrement(eas);
+	const buildType = android.buildType ?? (eas.developmentClient === true ? "debug" : void 0);
+	const metaOverride = compact({
+		applicationId: android.applicationId,
+		version: android.version,
+		versionCode: android.versionCode
+	});
 	return compact({
 		format,
 		distribution,
-		buildType: android.buildType ?? (eas.developmentClient === true ? "debug" : void 0),
+		buildType,
 		flavor: android.flavor,
 		gradleCommand: android.gradleCommand,
-		autoIncrement
+		autoIncrement,
+		module: android.module,
+		gradleTask: android.gradleTask,
+		metaOverride: Object.keys(metaOverride).length === 0 ? void 0 : metaOverride
 	});
 };
-const fromEasProfile = (eas, profileName) => {
+const fromGenericProfile = (eas, profileName) => {
 	const ios = toIosProfile(eas);
 	const android = toAndroidProfile(eas);
 	return compact({
@@ -21885,11 +22305,13 @@ const fromEasProfile = (eas, profileName) => {
 		android,
 		credentialsSource: eas.credentialsSource,
 		developmentClient: eas.developmentClient,
-		withoutCredentials: eas.withoutCredentials
+		withoutCredentials: eas.withoutCredentials,
+		customCommand: eas.custom
 	});
 };
+/** Resolve a build profile from `better-update.json`'s `build` section. */
 const readBuildProfile = (projectRoot, profileName) => Effect.gen(function* () {
-	return fromEasProfile(yield* resolveEasBuildProfile(yield* readEasJson(projectRoot), profileName), profileName);
+	return fromGenericProfile(yield* resolveEasBuildProfile(yield* readBuildConfig(projectRoot), profileName, "better-update.json"), profileName);
 });
 const readRuntimeVersionMeta = (config, platform) => ({
 	platform,
@@ -21899,6 +22321,17 @@ const readRuntimeVersionMeta = (config, platform) => ({
 	rawRuntimeVersion: extractRawRuntimeVersion(config, platform)
 });
 
+//#endregion
+//#region src/lib/build-strategy.ts
+const resolveAndroidStrategy = (profile, projectType) => {
+	if (profile.customCommand?.android !== void 0) return "custom";
+	return projectType === "expo" ? "expo" : "gradle";
+};
+const resolveIosStrategy = (profile, projectType) => {
+	if (profile.customCommand?.ios !== void 0) return "custom";
+	return projectType === "expo" ? "expo" : "xcode";
+};
+
 //#endregion
 //#region src/lib/clear-cache.ts
 /**
@@ -21919,13 +22352,71 @@ const clearBuildCaches = (projectRoot) => Effect.gen(function* () {
 	const removed = [];
 	yield* Effect.forEach(CACHE_DIRS, (rel) => Effect.gen(function* () {
 		const target = path.join(projectRoot, rel);
-		if (!(yield* fs.exists(target).pipe(Effect.catchAll(() => Effect.succeed(false))))) return;
-		yield* fs.remove(target, { recursive: true }).pipe(Effect.catchAll(() => Effect.succeed(void 0)));
+		if (!(yield* fs.exists(target).pipe(Effect.orElseSucceed(() => false)))) return;
+		yield* fs.remove(target, { recursive: true }).pipe(Effect.orElseSucceed(() => void 0));
 		removed.push(rel);
 	}), { concurrency: 4 });
 	if (removed.length > 0) yield* Console.error(`Cleared caches: ${removed.join(", ")}`);
 });
 
+//#endregion
+//#region src/lib/detect-project-type.ts
+const PROJECT_TYPES = [
+	"expo",
+	"bare",
+	"kmp",
+	"native",
+	"custom"
+];
+/** Narrow an arbitrary `projectType` override (e.g. from better-update.json) to a valid value. */
+const asProjectType = (raw) => PROJECT_TYPES.find((type) => type === raw);
+const exists = (filePath) => Effect.gen(function* () {
+	return yield* (yield* FileSystem.FileSystem).exists(filePath).pipe(Effect.orElseSucceed(() => false));
+});
+const readText = (filePath) => Effect.gen(function* () {
+	return yield* (yield* FileSystem.FileSystem).readFileString(filePath).pipe(Effect.orElseSucceed(() => ""));
+});
+const hasExpoDependency = (projectRoot) => Effect.gen(function* () {
+	const text = yield* readText(path.join(projectRoot, "package.json"));
+	if (text.length === 0) return false;
+	const pkg = asRecord(yield* Effect.try(() => JSON.parse(text)).pipe(Effect.orElseSucceed(() => void 0)));
+	const deps = asRecord(pkg?.["dependencies"]);
+	const devDeps = asRecord(pkg?.["devDependencies"]);
+	return deps?.["expo"] !== void 0 || devDeps?.["expo"] !== void 0;
+});
+const hasAnyExpoConfigFile = (projectRoot) => Effect.gen(function* () {
+	for (const name of [
+		"app.json",
+		"app.config.js",
+		"app.config.ts"
+	]) if (yield* exists(path.join(projectRoot, name))) return true;
+	return false;
+});
+const looksKmp = (projectRoot) => Effect.gen(function* () {
+	if (yield* exists(path.join(projectRoot, "composeApp"))) return true;
+	for (const name of ["settings.gradle.kts", "settings.gradle"]) {
+		const text = yield* readText(path.join(projectRoot, name));
+		if (text.includes("composeApp") || text.includes(":shared")) return true;
+	}
+	return yield* exists(path.join(projectRoot, "android", "app", "build.gradle.kts"));
+});
+/**
+* Resolve a project's build-system family. An explicit override always wins;
+* otherwise the filesystem shape is inspected. `custom` is never auto-detected —
+* it is intent expressed via override or a profile `custom` block.
+*/
+const detectProjectType = (params) => Effect.gen(function* () {
+	if (params.override !== void 0) return params.override;
+	const { projectRoot } = params;
+	if (isExpoConfigInstalled() && ((yield* hasExpoDependency(projectRoot)) || (yield* hasAnyExpoConfigFile(projectRoot)))) return "expo";
+	if (yield* looksKmp(projectRoot)) return "kmp";
+	const hasAndroid = yield* exists(path.join(projectRoot, "android"));
+	const hasIos = yield* exists(path.join(projectRoot, "ios"));
+	const hasPackageJson = yield* exists(path.join(projectRoot, "package.json"));
+	if (hasAndroid && hasIos && hasPackageJson) return "bare";
+	return "native";
+});
+
 //#endregion
 //#region src/lib/dev-client-check.ts
 const readDeps = (filePath) => Effect.gen(function* () {
@@ -22191,10 +22682,10 @@ const runString = (cmd, cwd) => Command.string(Command.workingDirectory(cmd, cwd
 */
 const readGitContext = (projectRoot) => Effect.gen(function* () {
 	const [commit, ref, commitMessage, status] = yield* Effect.all([
-		runString(Command.make("git", "rev-parse", "HEAD"), projectRoot).pipe(Effect.map((output) => output.trim()), Effect.catchAll(() => Effect.succeed(""))),
-		runString(Command.make("git", "symbolic-ref", "--short", "HEAD"), projectRoot).pipe(Effect.map((output) => output.trim()), Effect.catchAll(() => Effect.succeed(""))),
-		runString(Command.make("git", "log", "-1", "--format=%s"), projectRoot).pipe(Effect.map((output) => output.trim()), Effect.catchAll(() => Effect.succeed(""))),
-		runString(Command.make("git", "status", "--porcelain"), projectRoot).pipe(Effect.catchAll(() => Effect.succeed("")))
+		runString(Command.make("git", "rev-parse", "HEAD"), projectRoot).pipe(Effect.map((output) => output.trim()), Effect.orElseSucceed(() => "")),
+		runString(Command.make("git", "symbolic-ref", "--short", "HEAD"), projectRoot).pipe(Effect.map((output) => output.trim()), Effect.orElseSucceed(() => "")),
+		runString(Command.make("git", "log", "-1", "--format=%s"), projectRoot).pipe(Effect.map((output) => output.trim()), Effect.orElseSucceed(() => "")),
+		runString(Command.make("git", "status", "--porcelain"), projectRoot).pipe(Effect.orElseSucceed(() => ""))
 	], { concurrency: "unbounded" });
 	return {
 		ref: ref.length > 0 ? ref : void 0,
@@ -22223,14 +22714,14 @@ const readGradleConfig = (androidDir) => Effect.gen(function* () {
 	const hasKts = yield* fs.exists(ktsPath).pipe(Effect.orElseSucceed(() => false));
 	if (!hasGroovy && hasKts) return;
 	if (!hasGroovy) return;
-	const content = yield* fs.readFileString(gradlePath).pipe(Effect.catchAll(() => Effect.succeed(void 0)));
+	const content = yield* fs.readFileString(gradlePath).pipe(Effect.orElseSucceed(() => void 0));
 	if (!content) return;
 	return yield* Effect.tryPromise({
 		try: async () => {
 			return __require("gradle-to-js").parseText(stripGroovyComments(content));
 		},
 		catch: () => void 0
-	}).pipe(Effect.map(extractGradleConfig), Effect.catchAll(() => Effect.succeed(void 0)));
+	}).pipe(Effect.map(extractGradleConfig), Effect.orElseSucceed(() => void 0));
 });
 /**
 * Log a warning if Gradle applicationId differs from app.json package name.
@@ -22291,6 +22782,28 @@ const detectPlatform = (explicit, config) => Effect.gen(function* () {
 		label: entry
 	})));
 });
+/**
+* Resolve a build platform for non-Expo projects from an explicit flag, or by
+* intersecting the profile's declared platform sections with the native dirs
+* present on disk. Prompts when both remain; fails when ambiguous and prompts
+* are disallowed.
+*/
+const detectPlatformGeneric = (explicit, context) => Effect.gen(function* () {
+	if (explicit !== void 0) return explicit;
+	const candidates = [];
+	const wantsIos = context.profile.ios !== void 0 || context.profile.customCommand?.ios !== void 0;
+	const wantsAndroid = context.profile.android !== void 0 || context.profile.customCommand?.android !== void 0;
+	if (wantsIos && (context.hasIosDir || context.profile.customCommand?.ios !== void 0)) candidates.push("ios");
+	if (wantsAndroid && (context.hasAndroidDir || context.profile.customCommand?.android !== void 0)) candidates.push("android");
+	if (candidates.length === 0) return yield* new BuildProfileError({ message: "Cannot infer build platform. Add an `ios` or `android` section to the build profile in better-update.json, or pass --platform." });
+	const [only] = candidates;
+	if (candidates.length === 1 && only !== void 0) return only;
+	if (!(yield* InteractiveMode).allow) return yield* new BuildProfileError({ message: `Multiple platforms available (${candidates.join(", ")}). Pass --platform explicitly when running non-interactively.` });
+	return yield* promptSelect("Which platform to build?", candidates.map((entry) => ({
+		value: entry,
+		label: entry
+	})));
+});
 
 //#endregion
 //#region src/lib/project-staging.ts
@@ -22303,26 +22816,32 @@ const LOCKFILES = [
 	["package-lock.json", "npm"]
 ];
 /**
-* Paths never copied into staging — covers generated native build outputs and
-* dependency dirs that must be reinstalled fresh in staging.
+* Generated native build outputs / dependency dirs that must never be copied —
+* they are regenerated in staging (Pods via `pod install`, build/ via gradle).
 */
-const ALWAYS_IGNORE = [
-	"node_modules",
-	".git",
+const NATIVE_BUILD_OUTPUTS = [
 	"ios/build",
 	"ios/Pods",
 	"ios/DerivedData",
 	"android/build",
 	"android/app/build",
 	"android/.gradle",
-	"android/.kotlin",
+	"android/.kotlin"
+];
+/**
+* Paths never copied into staging — covers generated native build outputs and
+* dependency dirs that must be reinstalled fresh in staging.
+*/
+const ALWAYS_IGNORE = [...[
+	"node_modules",
+	".git",
 	".expo",
 	".gradle",
 	".turbo",
 	"dist"
-];
+], ...NATIVE_BUILD_OUTPUTS];
 const findLockfile = (fs, dir) => Effect.gen(function* () {
-	for (const [name, pm] of LOCKFILES) if (yield* fs.exists(path.join(dir, name)).pipe(Effect.catchAll(() => Effect.succeed(false)))) return pm;
+	for (const [name, pm] of LOCKFILES) if (yield* fs.exists(path.join(dir, name)).pipe(Effect.orElseSucceed(() => false))) return pm;
 });
 const walkUpForLockfile = (startCwd, dir) => Effect.gen(function* () {
 	const pm = yield* findLockfile(yield* FileSystem.FileSystem, dir);
@@ -22348,21 +22867,30 @@ const detectWorkspaceRoot = (cwd) => walkUpForLockfile(cwd, cwd);
 * Build an `Ignore` matcher for the workspace root. `.easignore` REPLACES
 * `.gitignore` when present (matches EAS semantics); otherwise `.gitignore`
 * is layered on top of the always-ignore baseline.
+*
+* When `includeNativeSource` is set, the native source dirs are re-included
+* after the ignore files are applied, then their build outputs re-excluded, so
+* a committed `ios/`/`android/` reaches staging intact.
 */
-const buildIgnoreInstance = (workspaceRoot) => Effect.gen(function* () {
+const buildIgnoreInstance = (workspaceRoot, options = {}) => Effect.gen(function* () {
 	const fs = yield* FileSystem.FileSystem;
 	const ig = ignore();
 	ig.add([...ALWAYS_IGNORE]);
 	const easignorePath = path.join(workspaceRoot, ".easignore");
-	if (yield* fs.exists(easignorePath).pipe(Effect.catchAll(() => Effect.succeed(false)))) {
-		const content = yield* fs.readFileString(easignorePath).pipe(Effect.catchAll(() => Effect.succeed("")));
+	if (yield* fs.exists(easignorePath).pipe(Effect.orElseSucceed(() => false))) {
+		const content = yield* fs.readFileString(easignorePath).pipe(Effect.orElseSucceed(() => ""));
 		ig.add(content);
-		return ig;
+	} else {
+		const gitignorePath = path.join(workspaceRoot, ".gitignore");
+		if (yield* fs.exists(gitignorePath).pipe(Effect.orElseSucceed(() => false))) {
+			const content = yield* fs.readFileString(gitignorePath).pipe(Effect.orElseSucceed(() => ""));
+			ig.add(content);
+		}
 	}
-	const gitignorePath = path.join(workspaceRoot, ".gitignore");
-	if (yield* fs.exists(gitignorePath).pipe(Effect.catchAll(() => Effect.succeed(false)))) {
-		const content = yield* fs.readFileString(gitignorePath).pipe(Effect.catchAll(() => Effect.succeed("")));
-		ig.add(content);
+	if (options.includeNativeSource === true) {
+		const base = options.appRelPath === void 0 || options.appRelPath === "" ? "" : `${options.appRelPath}/`;
+		ig.add([`!${base}android`, `!${base}ios`]);
+		ig.add(NATIVE_BUILD_OUTPUTS.map((entry) => `${base}${entry}`));
 	}
 	return ig;
 });
@@ -22410,6 +22938,7 @@ const runInstall = (params) => runStep({
 * regardless of what `expo prebuild`, `pod install`, or `gradlew` write.
 */
 const prepareStagingProject = (input) => Effect.gen(function* () {
+	const fs = yield* FileSystem.FileSystem;
 	const runtime = yield* CliRuntime;
 	const { workspaceRoot, packageManager } = yield* detectWorkspaceRoot(input.userCwd);
 	const relAppPath = path.relative(workspaceRoot, input.userCwd);
@@ -22419,14 +22948,18 @@ const prepareStagingProject = (input) => Effect.gen(function* () {
 	yield* copyProjectTree({
 		source: workspaceRoot,
 		dest: stagingRoot,
-		ig: yield* buildIgnoreInstance(workspaceRoot)
+		ig: yield* buildIgnoreInstance(workspaceRoot, {
+			includeNativeSource: input.projectType !== void 0 && input.projectType !== "expo",
+			appRelPath: relAppPath
+		})
 	});
 	yield* initGitRepo(stagingRoot);
-	yield* runInstall({
+	if (yield* fs.exists(path.join(workspaceRoot, "package.json")).pipe(Effect.orElseSucceed(() => false))) yield* runInstall({
 		stagingRoot,
 		packageManager,
 		env: yield* runtime.commandEnvironment(input.envVars)
 	});
+	else yield* printHuman("No package.json at the staging root — skipping dependency install.");
 	return {
 		stagingRoot,
 		projectRoot,
@@ -22438,7 +22971,7 @@ const prepareStagingProject = (input) => Effect.gen(function* () {
 //#endregion
 //#region src/lib/repo-clean.ts
 const MAX_FILES_SHOWN = 10;
-const readPorcelain = (projectRoot) => Command.make("git", "status", "--porcelain").pipe(Command.workingDirectory(projectRoot), Command.string, Effect.map((output) => output.split(/\r?\n/u).map((line) => line.trim()).filter((line) => line.length > 0)), Effect.catchAll(() => Effect.succeed([])));
+const readPorcelain = (projectRoot) => Command.make("git", "status", "--porcelain").pipe(Command.workingDirectory(projectRoot), Command.string, Effect.map((output) => output.split(/\r?\n/u).map((line) => line.trim()).filter((line) => line.length > 0)), Effect.orElseSucceed(() => []));
 /**
 * Refuse to proceed when the working tree has uncommitted changes. Skipped when
 * `allowDirty` is true. In interactive mode, prompts the user to confirm; in
@@ -22451,11 +22984,8 @@ const ensureRepoClean = ({ projectRoot, allowDirty, label }) => Effect.gen(funct
 	const preview = dirty.slice(0, MAX_FILES_SHOWN).join("\n  ");
 	const overflow = dirty.length > MAX_FILES_SHOWN ? `\n  ... and ${String(dirty.length - MAX_FILES_SHOWN)} more` : "";
 	yield* Console.error(`Uncommitted changes (${String(dirty.length)} file(s)):\n  ${preview}${overflow}`);
-	if (!(yield* InteractiveMode).allow) {
-		yield* new DirtyRepoError({ message: `Refusing to ${label} with a dirty working tree. Commit your changes or pass --allow-dirty.` });
-		return;
-	}
-	if (!(yield* promptConfirm(`Continue ${label} with uncommitted changes?`, { initialValue: false }))) yield* new DirtyRepoError({ message: `${label} cancelled by user.` });
+	if (!(yield* InteractiveMode).allow) return yield* new DirtyRepoError({ message: `Refusing to ${label} with a dirty working tree. Commit your changes or pass --allow-dirty.` });
+	if (!(yield* promptConfirm(`Continue ${label} with uncommitted changes?`, { initialValue: false }))) return yield* new DirtyRepoError({ message: `${label} cancelled by user.` });
 });
 
 //#endregion
@@ -22595,7 +23125,7 @@ const postTokenRequest = (tokenUri, jwt) => Effect.tryPromise({
 });
 const exchangeJwtForAccessToken = (tokenUri, jwt) => Effect.gen(function* () {
 	const result = yield* postTokenRequest(tokenUri, jwt);
-	if (!result.ok) return yield* Effect.fail(new GooglePlayAuthError({ message: `OAuth token exchange failed: ${String(result.status)} ${result.text}` }));
+	if (!result.ok) return yield* new GooglePlayAuthError({ message: `OAuth token exchange failed: ${String(result.status)} ${result.text}` });
 	const json = yield* Effect.try({
 		try: () => JSON.parse(result.text),
 		catch: (cause) => new GooglePlayAuthError({
@@ -22620,7 +23150,7 @@ const acquireGooglePlayAccessToken = (serviceAccountJson) => Effect.gen(function
 		message: "Service account JSON missing required fields (type, client_email, private_key)",
 		cause
 	})));
-	if (parsed.type !== "service_account") return yield* Effect.fail(new GooglePlayAuthError({ message: `Service account JSON has wrong type: ${parsed.type}` }));
+	if (parsed.type !== "service_account") return yield* new GooglePlayAuthError({ message: `Service account JSON has wrong type: ${parsed.type}` });
 	const tokenUri = parsed.token_uri ?? GOOGLE_OAUTH_TOKEN_URL;
 	return {
 		accessToken: yield* exchangeJwtForAccessToken(tokenUri, yield* signJwt(yield* importPrivateKey(parsed.private_key), buildJwtAssertion({
@@ -22660,10 +23190,10 @@ const performFetch = (params) => Effect.tryPromise({
 });
 const callJsonRaw = (params) => Effect.gen(function* () {
 	const result = yield* performFetch(params);
-	if (!result.ok) return yield* Effect.fail(new GooglePlayApiError({
+	if (!result.ok) return yield* new GooglePlayApiError({
 		message: `${params.label} failed: ${String(result.status)} ${result.text}`,
 		httpStatus: result.status
-	}));
+	});
 	return yield* Effect.try({
 		try: () => result.text === "" ? {} : JSON.parse(result.text),
 		catch: (cause) => new GooglePlayApiError({
@@ -22718,10 +23248,10 @@ const performBundleUpload = (params) => Effect.tryPromise({
 });
 const uploadBundle = (params) => Effect.gen(function* () {
 	const result = yield* performBundleUpload(params);
-	if (!result.ok) return yield* Effect.fail(new GooglePlayApiError({
+	if (!result.ok) return yield* new GooglePlayApiError({
 		message: `edits.bundles.upload failed: ${String(result.status)} ${result.text}`,
 		httpStatus: result.status
-	}));
+	});
 	const raw = yield* Effect.try({
 		try: () => JSON.parse(result.text),
 		catch: (cause) => new GooglePlayApiError({
@@ -22912,10 +23442,10 @@ const fetchArchiveOverHttp = (url) => Effect.gen(function* () {
 			message: `Failed to download AAB from ${url}: ${cause instanceof Error ? cause.message : String(cause)}`
 		})
 	});
-	if (!result.ok || result.bytes === null) return yield* Effect.fail(new CliSubmitError({
+	if (!result.ok || result.bytes === null) return yield* new CliSubmitError({
 		code: "SUBMISSION_ARCHIVE_DOWNLOAD_FAILED",
 		message: `HTTP ${String(result.status)} fetching archive at ${url}`
-	}));
+	});
 	return result.bytes;
 });
 const readArchiveBytes = (archive) => archive.source === "path" ? Effect.map(readLocalFile(archive.value, "SUBMISSION_ARCHIVE_READ_FAILED", (cause) => `Failed to read AAB at ${archive.value}: ${cause instanceof Error ? cause.message : String(cause)}`), (buf) => new Uint8Array(buf)) : fetchArchiveOverHttp(archive.value);
@@ -22990,10 +23520,10 @@ const runGooglePlayPipeline = (params) => Effect.gen(function* () {
 });
 const runAndroidGooglePlayUpload = (inputs) => Effect.gen(function* () {
 	const { applicationId } = inputs.androidProfile;
-	if (applicationId === void 0) return yield* Effect.fail(new CliSubmitError({
+	if (applicationId === void 0) return yield* new CliSubmitError({
 		code: "SUBMISSION_ANDROID_APP_ID_MISSING",
 		message: "Android submit profile requires applicationId — set submit.<profile>.android.applicationId in eas.json"
-	}));
+	});
 	const serviceAccountJson = yield* resolveServiceAccountJson({
 		api: inputs.api,
 		serviceAccountKeyId: inputs.serviceAccountKeyId,
@@ -23018,7 +23548,7 @@ const runAndroidGooglePlayUpload = (inputs) => Effect.gen(function* () {
 			errorCode: engineError.code,
 			errorMessage: engineError.message
 		});
-		return yield* Effect.fail(engineError);
+		return yield* engineError;
 	})));
 	yield* patchSubmissionStatus(inputs.api, inputs.submissionId, { status: "FINISHED" });
 	yield* printHuman(`Google Play bundle uploaded (versionCode ${String(result.versionCode)})`);
@@ -23026,7 +23556,7 @@ const runAndroidGooglePlayUpload = (inputs) => Effect.gen(function* () {
 });
 
 //#endregion
-//#region src/application/build-workflow.ts
+//#region src/application/build-auto-submit.ts
 const buildAutoSubmitIosConfig = (iosProfile, whatToTest) => {
 	if (iosProfile?.bundleIdentifier === void 0) return;
 	return compact({
@@ -23052,9 +23582,10 @@ const buildAutoSubmitAndroidConfig = (androidProfile) => {
 		rollout: androidProfile.rollout
 	});
 };
+/** Submit a freshly-built artifact to the store using the profile's submit config. */
 const runAutoSubmit = (input) => Effect.gen(function* () {
 	yield* printHuman(`\nAuto-submitting build ${input.buildId} (profile ${input.profileName})...`);
-	const easProfile = yield* resolveEasSubmitProfile((yield* readEasJson(process.cwd())).submit, input.profileName);
+	const easProfile = yield* readSubmitProfile(yield* (yield* CliRuntime).cwd, input.profileName);
 	const archiveUrl = (yield* input.api.builds.getInstallLink({ path: { id: input.buildId } })).artifactUrl;
 	const iosConfig = input.platform === "ios" ? buildAutoSubmitIosConfig(easProfile.ios, input.whatToTest) : void 0;
 	const androidConfig = input.platform === "android" ? buildAutoSubmitAndroidConfig(easProfile.android) : void 0;
@@ -23082,15 +23613,146 @@ const runAutoSubmit = (input) => Effect.gen(function* () {
 	}
 	yield* printHuman(`Submission final status: ${(yield* pollSubmissionUntilTerminal(input.api, submission.id)).status}`);
 });
+
+//#endregion
+//#region src/lib/ios-native-meta.ts
+const APPLICATION_PRODUCT_TYPE = "com.apple.product-type.application";
+/**
+* A build setting that is an unresolved reference (`$(MARKETING_VERSION)`) or a
+* variable interpolation tells us nothing concrete — treat it as absent so the
+* profile `metaOverride` can supply a real value.
+*/
+const concreteSetting = (raw) => {
+	if (typeof raw === "number") return String(raw);
+	if (typeof raw !== "string") return;
+	const value = unquote$1(raw);
+	return value.length === 0 || value.includes("$(") ? void 0 : value;
+};
+const findApplicationTarget = (project) => {
+	const nativeTargets = project.pbxNativeTargetSection();
+	for (const [uuid, entry] of Object.entries(nativeTargets)) {
+		if (uuid.endsWith("_comment") || typeof entry === "string") continue;
+		if (unquote$1(entry.productType) === APPLICATION_PRODUCT_TYPE) return entry;
+	}
+};
+const configUuidForName = (project, target, configurationName) => {
+	const configList = project.pbxXCConfigurationList()[target.buildConfigurationList];
+	if (!configList || typeof configList === "string") return;
+	const buildConfigSection = project.pbxXCBuildConfigurationSection();
+	return configList.buildConfigurations.map((entry) => entry.value).find((uuid) => {
+		const cfg = buildConfigSection[uuid];
+		return cfg !== void 0 && typeof cfg !== "string" && unquote$1(cfg.name) === configurationName;
+	});
+};
+/**
+* Read app metadata (bundle id, marketing version, build number) for the main
+* application target of the single `.xcodeproj` under `iosDir`, for a given build
+* configuration. Used for non-Expo (bare/native) projects where there is no
+* `app.json`. Missing or unresolved settings come back `undefined` so the caller
+* can fall back to profile `metaOverride`.
+*/
+const readIosNativeMeta = (params) => Effect.gen(function* () {
+	const projectDir = yield* findXcodeProjectDir(params.iosDir);
+	const project = yield* parseProject(path.join(projectDir, "project.pbxproj"));
+	const target = findApplicationTarget(project);
+	if (target === void 0) return {};
+	const configUuid = configUuidForName(project, target, params.configurationName);
+	if (configUuid === void 0) return {};
+	const cfg = project.pbxXCBuildConfigurationSection()[configUuid];
+	if (cfg === void 0 || typeof cfg === "string") return {};
+	const settings = cfg.buildSettings;
+	return compact({
+		bundleId: concreteSetting(settings["PRODUCT_BUNDLE_IDENTIFIER"]),
+		marketingVersion: concreteSetting(settings["MARKETING_VERSION"]),
+		currentProjectVersion: concreteSetting(settings["CURRENT_PROJECT_VERSION"])
+	});
+});
+
+//#endregion
+//#region src/application/resolve-app-meta.ts
+const EMPTY = {
+	bundleId: void 0,
+	androidPackage: void 0,
+	appVersion: void 0,
+	buildNumber: void 0,
+	rawRuntimeVersion: void 0
+};
+const warnIfMismatch = (label, override, native) => override !== void 0 && native !== void 0 && override !== native ? printWarn(`${label} override "${override}" differs from the native value "${native}". The better-update.json value will be used for build metadata.`) : Effect.void;
+const resolveAndroidMeta = (projectRoot, profile) => Effect.gen(function* () {
+	const gradle = yield* readGradleConfig(path.join(projectRoot, "android"));
+	const override = profile.android?.metaOverride;
+	yield* warnIfMismatch("android.applicationId", override?.applicationId, gradle?.applicationId);
+	const androidPackage = override?.applicationId ?? gradle?.applicationId;
+	if (androidPackage === void 0) return yield* new BuildProfileError({ message: "Could not determine the Android applicationId. Set android.applicationId under this build profile in better-update.json, or ensure android/app/build.gradle defines it." });
+	const versionCode = override?.versionCode ?? (gradle?.versionCode === void 0 ? void 0 : String(gradle.versionCode));
+	return {
+		...EMPTY,
+		androidPackage,
+		appVersion: override?.version ?? gradle?.versionName,
+		buildNumber: versionCode
+	};
+});
+const resolveIosMeta = (projectRoot, profile) => Effect.gen(function* () {
+	const configurationName = profile.ios?.buildConfiguration ?? "Release";
+	const native = yield* readIosNativeMeta({
+		iosDir: path.join(projectRoot, "ios"),
+		configurationName
+	}).pipe(Effect.orElseSucceed(() => ({})));
+	const override = profile.ios?.metaOverride;
+	yield* warnIfMismatch("ios.bundleIdentifier", override?.bundleIdentifier, native.bundleId);
+	const bundleId = override?.bundleIdentifier ?? native.bundleId;
+	if (bundleId === void 0) return yield* new BuildProfileError({ message: "Could not determine the iOS bundle identifier. Set ios.bundleIdentifier under this build profile in better-update.json, or ensure the Xcode project defines PRODUCT_BUNDLE_IDENTIFIER for the build configuration." });
+	return {
+		...EMPTY,
+		bundleId,
+		appVersion: override?.version ?? native.marketingVersion,
+		buildNumber: override?.buildNumber ?? native.currentProjectVersion
+	};
+});
+const overlayExpoOverride = (meta, platform, profile) => {
+	if (platform === "ios") {
+		const override = profile.ios?.metaOverride;
+		return {
+			...meta,
+			bundleId: override?.bundleIdentifier ?? meta.bundleId,
+			appVersion: override?.version ?? meta.appVersion,
+			buildNumber: override?.buildNumber ?? meta.buildNumber
+		};
+	}
+	const override = profile.android?.metaOverride;
+	return {
+		...meta,
+		androidPackage: override?.applicationId ?? meta.androidPackage,
+		appVersion: override?.version ?? meta.appVersion,
+		buildNumber: override?.versionCode ?? meta.buildNumber
+	};
+};
+/**
+* Resolve app metadata (bundle id / package, version, build number) in a
+* project-type-aware way. Expo reads from app.json; bare/native read from native
+* files (build.gradle / pbxproj); KMP/custom rely on profile `metaOverride`,
+* which also overrides native values when both are present.
+*/
+const resolveAppMeta = (params) => {
+	if (params.projectType === "expo") {
+		if (params.expoAppMeta === void 0) return Effect.fail(new BuildProfileError({ message: "Internal: missing Expo app metadata for expo project." }));
+		return Effect.succeed(overlayExpoOverride(params.expoAppMeta, params.platform, params.profile));
+	}
+	return params.platform === "ios" ? resolveIosMeta(params.projectRoot, params.profile) : resolveAndroidMeta(params.projectRoot, params.profile);
+};
+
+//#endregion
+//#region src/application/build-workflow.ts
 const runIosPlatformBuild = (input) => Effect.gen(function* () {
 	const { api, appMeta, envVars, options, profile, projectId, projectRoot, tempDir } = input;
 	if (!profile.ios) return yield* new BuildProfileError({ message: `Profile "${profile.name}" has no ios section.` });
 	const iosProfile = profile.ios;
 	const iosBundleId = appMeta.bundleId;
-	if (!iosBundleId) return yield* new BuildProfileError({ message: "Missing ios.bundleIdentifier in your Expo config." });
+	if (!iosBundleId) return yield* new BuildProfileError({ message: "Missing iOS bundle identifier (set ios.bundleIdentifier or your Expo config)." });
+	const strategy = resolveIosStrategy(profile, input.projectType);
 	const isSimulator = iosProfile.simulator === true;
 	const credentialsSource = profile.credentialsSource ?? "remote";
-	if (!isSimulator && credentialsSource === "remote") yield* ensureIosCredentials(api, {
+	if (strategy !== "custom" && !isSimulator && credentialsSource === "remote") yield* ensureIosCredentials(api, {
 		projectId,
 		bundleIdentifier: iosBundleId,
 		distribution: iosProfile.distribution
@@ -23105,8 +23767,10 @@ const runIosPlatformBuild = (input) => Effect.gen(function* () {
 			envVars,
 			projectId,
 			credentialsSource,
+			strategy,
 			rawOutput: options.rawOutput,
-			freezeCredentials: options.freezeCredentials ?? false
+			freezeCredentials: options.freezeCredentials ?? false,
+			...compact({ customCommand: profile.customCommand?.ios })
 		}),
 		target: isSimulator ? {
 			platform: "ios",
@@ -23125,7 +23789,8 @@ const runAndroidPlatformBuild = (input) => Effect.gen(function* () {
 	if (!profile.android) return yield* new BuildProfileError({ message: `Profile "${profile.name}" has no android section.` });
 	const androidProfile = profile.android;
 	const androidBundleId = appMeta.androidPackage;
-	if (!androidBundleId) return yield* new BuildProfileError({ message: "Missing android.package in your Expo config." });
+	if (!androidBundleId) return yield* new BuildProfileError({ message: "Missing Android applicationId (set android.applicationId or your Expo config)." });
+	const strategy = resolveAndroidStrategy(profile, input.projectType);
 	const gradleConfig = yield* readGradleConfig(`${projectRoot}/android`);
 	yield* warnOnGradleMismatch(gradleConfig, androidBundleId);
 	const applicationIdentifier = gradleConfig?.applicationId ?? androidBundleId;
@@ -23146,7 +23811,9 @@ const runAndroidPlatformBuild = (input) => Effect.gen(function* () {
 			projectId,
 			credentialsSource,
 			profileName: profile.name,
-			skipCredentials
+			skipCredentials,
+			strategy,
+			...compact({ customCommand: profile.customCommand?.android })
 		}),
 		target: androidProfile.format === "aab" ? {
 			platform: "android",
@@ -23161,12 +23828,48 @@ const runAndroidPlatformBuild = (input) => Effect.gen(function* () {
 	};
 });
 const runPlatformBuild = (input) => input.platform === "ios" ? runIosPlatformBuild(input) : runAndroidPlatformBuild(input);
+const dirExists = (root, name) => Effect.gen(function* () {
+	return yield* (yield* FileSystem.FileSystem).exists(path.join(root, name)).pipe(Effect.orElseSucceed(() => false));
+});
+/**
+* Expo metadata path: read app.json (with the env overlay so dynamic configs
+* resolve), apply autoIncrement to the user's tree, re-read, then derive the OTA
+* runtimeVersion. Mirrors the original managed flow.
+*/
+const resolveExpoBuildMeta = (params) => Effect.gen(function* () {
+	const { userCwd, platform, profile, envVars } = params;
+	yield* applyAutoIncrement({
+		projectRoot: userCwd,
+		platform,
+		config: yield* readExpoConfig(userCwd, envVars),
+		...platform === "ios" && profile.ios?.autoIncrement !== void 0 ? { iosMode: profile.ios.autoIncrement } : {},
+		...platform === "android" && profile.android?.autoIncrement !== void 0 ? { androidMode: profile.android.autoIncrement } : {}
+	});
+	const bumpedConfig = yield* readExpoConfig(userCwd, envVars);
+	const appMeta = yield* resolveAppMeta({
+		projectType: "expo",
+		platform,
+		projectRoot: userCwd,
+		profile,
+		expoAppMeta: yield* readAppMeta(bumpedConfig, platform)
+	});
+	return {
+		appMeta,
+		runtimeVersion: yield* resolveRuntimeVersion({
+			raw: appMeta.rawRuntimeVersion,
+			appVersion: appMeta.appVersion,
+			projectRoot: userCwd,
+			platform,
+			buildNumber: appMeta.buildNumber,
+			sdkVersion: bumpedConfig.sdkVersion
+		})
+	};
+});
 const resolveProfileName = (projectRoot, requested) => Effect.gen(function* () {
-	const easConfig = yield* readEasJson(projectRoot);
-	const available = Object.keys(easConfig.build ?? {});
+	const available = yield* listBuildProfileNames(projectRoot);
 	if (available.includes(requested)) return requested;
 	if (!(yield* InteractiveMode).allow || available.length === 0) return requested;
-	yield* printHuman(`Build profile "${requested}" not found in eas.json.`);
+	yield* printHuman(`Build profile "${requested}" not found in better-update.json.`);
 	return yield* promptSelect("Pick a build profile:", available.map((name) => ({
 		value: name,
 		label: name
@@ -23180,11 +23883,19 @@ const runBuildWorkflow = (options) => Effect.scoped(Effect.gen(function* () {
 		allowDirty: options.allowDirty ?? false,
 		label: "build"
 	});
-	const baseConfig = yield* readExpoConfig(userCwd);
-	const projectId = yield* extractProjectId(baseConfig);
-	const platform = yield* detectPlatform(options.platform, baseConfig);
+	const projectType = yield* detectProjectType({
+		projectRoot: userCwd,
+		override: asProjectType((yield* readBetterUpdateConfig(userCwd))?.["projectType"])
+	});
+	const isExpo = projectType === "expo";
+	const projectId = yield* readProjectId;
 	const profile = yield* readBuildProfile(userCwd, yield* resolveProfileName(userCwd, options.profileName));
 	if (profile.developmentClient === true) yield* warnIfDevClientMissing(userCwd);
+	const platform = isExpo ? yield* detectPlatform(options.platform, yield* readExpoConfig(userCwd)) : yield* detectPlatformGeneric(options.platform, {
+		profile,
+		hasAndroidDir: yield* dirExists(userCwd, "android"),
+		hasIosDir: yield* dirExists(userCwd, "ios")
+	});
 	const envVars = {
 		...yield* pullEnvVars(api, {
 			projectId,
@@ -23192,36 +23903,35 @@ const runBuildWorkflow = (options) => Effect.scoped(Effect.gen(function* () {
 		}),
 		...profile.env
 	};
-	yield* applyAutoIncrement({
-		projectRoot: userCwd,
-		platform,
-		config: yield* readExpoConfig(userCwd, envVars),
-		...platform === "ios" && profile.ios?.autoIncrement !== void 0 ? { iosMode: profile.ios.autoIncrement } : {},
-		...platform === "android" && profile.android?.autoIncrement !== void 0 ? { androidMode: profile.android.autoIncrement } : {}
-	});
-	const bumpedConfig = yield* readExpoConfig(userCwd, envVars);
-	const appMeta = yield* readAppMeta(bumpedConfig, platform);
-	const runtimeVersion = yield* resolveRuntimeVersion({
-		raw: appMeta.rawRuntimeVersion,
-		appVersion: appMeta.appVersion,
-		projectRoot: userCwd,
+	const { appMeta, runtimeVersion } = isExpo ? yield* resolveExpoBuildMeta({
+		userCwd,
 		platform,
-		buildNumber: appMeta.buildNumber,
-		sdkVersion: bumpedConfig.sdkVersion
-	});
+		profile,
+		envVars
+	}) : {
+		appMeta: yield* resolveAppMeta({
+			projectType,
+			platform,
+			projectRoot: userCwd,
+			profile
+		}),
+		runtimeVersion: void 0
+	};
 	if (options.clearCache) yield* clearBuildCaches(userCwd);
 	const tempDir = yield* acquireBuildTempDir;
 	const staging = yield* prepareStagingProject({
 		userCwd,
 		tempDir,
-		envVars
+		envVars,
+		projectType
 	});
-	yield* printHuman(`Building ${platform} artifact for profile "${profile.name}" (runtimeVersion=${runtimeVersion})`);
+	yield* printHuman(`Building ${platform} artifact for profile "${profile.name}"${runtimeVersion === void 0 ? "" : ` (runtimeVersion=${runtimeVersion})`}`);
 	const { build, target, bundleId } = yield* runPlatformBuild({
 		api,
 		options,
 		platform,
 		profile,
+		projectType,
 		appMeta,
 		envVars,
 		projectId,
@@ -23255,18 +23965,18 @@ const runBuildWorkflow = (options) => Effect.scoped(Effect.gen(function* () {
 		commit: rawGitContext.commit,
 		dirty: rawGitContext.dirty
 	});
-	const fingerprintHash = yield* runFingerprintForPlatform(userCwd, platform).pipe(Effect.map((entry) => entry.hash), Effect.catchAll(() => Effect.succeed(void 0)));
+	const fingerprintHash = isExpo ? yield* runFingerprintForPlatform(userCwd, platform).pipe(Effect.map((entry) => entry.hash), Effect.orElseSucceed(() => void 0)) : void 0;
 	const result = yield* reserveAndUpload(api, {
 		target,
 		projectId,
 		profileName: profile.name,
-		runtimeVersion,
 		bundleId,
 		gitContext,
 		artifactPath: build.artifactPath,
 		sha256: build.sha256,
 		byteSize: build.byteSize,
 		...compact({
+			runtimeVersion,
 			appVersion: appMeta.appVersion,
 			buildNumber: appMeta.buildNumber,
 			message: options.message,
@@ -23279,7 +23989,7 @@ const runBuildWorkflow = (options) => Effect.scoped(Effect.gen(function* () {
 		["Status", result.status],
 		["Platform", platform],
 		["Profile", profile.name],
-		["Runtime version", runtimeVersion],
+		...runtimeVersion === void 0 ? [] : [["Runtime version", runtimeVersion]],
 		["Artifact", build.artifactPath],
 		["SHA-256", build.sha256],
 		["Bytes", String(build.byteSize)]
@@ -23324,7 +24034,7 @@ const DEFAULT_PROFILES = [
 	"preview",
 	"production"
 ];
-const writeEasJson$1 = (filePath, value) => Effect.gen(function* () {
+const writeEasJson = (filePath, value) => Effect.gen(function* () {
 	yield* (yield* FileSystem.FileSystem).writeFileString(filePath, `${JSON.stringify(value, null, 2)}\n`).pipe(Effect.mapError((cause) => new BuildProfileError({ message: `Failed to write eas.json: ${cause.message}` })));
 });
 const configureBuildCommand = defineCommand({
@@ -23342,7 +24052,7 @@ const configureBuildCommand = defineCommand({
 		const easJsonPath = path.join(projectRoot, "eas.json");
 		const fs = yield* FileSystem.FileSystem;
 		if (!(yield* fs.exists(easJsonPath))) {
-			yield* writeEasJson$1(easJsonPath, DEFAULT_EAS_JSON);
+			yield* writeEasJson(easJsonPath, DEFAULT_EAS_JSON);
 			yield* printHuman(`Wrote eas.json with default profiles to ${easJsonPath}.`);
 			yield* printHumanKeyValue([["Profiles", DEFAULT_PROFILES.join(", ")], ["Path", easJsonPath]]);
 			return {
@@ -23359,7 +24069,7 @@ const configureBuildCommand = defineCommand({
 					path: easJsonPath
 				};
 			}
-			yield* writeEasJson$1(easJsonPath, DEFAULT_EAS_JSON);
+			yield* writeEasJson(easJsonPath, DEFAULT_EAS_JSON);
 			yield* printHuman(`Overwrote eas.json with default profiles.`);
 			return {
 				action: "overwritten",
@@ -23387,7 +24097,7 @@ const configureBuildCommand = defineCommand({
 			};
 		}
 		const additions = Object.fromEntries(missing.map((name) => [name, DEFAULT_EAS_JSON.build[name]]));
-		yield* writeEasJson$1(easJsonPath, {
+		yield* writeEasJson(easJsonPath, {
 			build: {
 				...config.build,
 				...additions
@@ -23554,7 +24264,7 @@ const compatibilityMatrixCommand = defineCommand({
 
 //#endregion
 //#region src/commands/builds/delete.ts
-const deleteCommand$5 = defineCommand({
+const deleteCommand$6 = defineCommand({
 	meta: {
 		name: "delete",
 		description: "Delete a build"
@@ -23610,10 +24320,7 @@ const downloadCommand$1 = defineCommand({
 		const fs = yield* FileSystem.FileSystem;
 		const cwd = yield* (yield* CliRuntime).cwd;
 		const { artifact } = yield* api.builds.get({ path: { id: args.id } });
-		if (!artifact) {
-			yield* Effect.fail(new UploadFailedError({ message: `Build ${args.id} has no artifact yet.` }));
-			return;
-		}
+		if (!artifact) return yield* new UploadFailedError({ message: `Build ${args.id} has no artifact yet.` });
 		const link = yield* api.builds.getInstallLink({ path: { id: args.id } });
 		const ext = artifact.format;
 		const outputPath = args.output ?? path.join(cwd, `${args.id}.${ext}`);
@@ -23703,7 +24410,7 @@ const DISTRIBUTION_OPTIONS$1 = [
 	"play-store",
 	"direct"
 ];
-const listCommand$7 = defineCommand({
+const listCommand$10 = defineCommand({
 	meta: {
 		name: "list",
 		description: "List builds for the linked project"
@@ -23886,7 +24593,7 @@ const runInherit = (step, bin, ...args) => Command.exitCode(Command.make(bin, ..
 * Locate a tool on PATH. Returns the absolute path or fails with NativeRunError.
 */
 const which = (bin) => Effect.gen(function* () {
-	const trimmed = (yield* Command.string(Command.make("which", bin)).pipe(Effect.catchAll(() => Effect.fail(new NativeRunError({ message: `${bin} not found in PATH` }))))).trim();
+	const trimmed = (yield* Command.string(Command.make("which", bin)).pipe(Effect.mapError(() => new NativeRunError({ message: `${bin} not found in PATH` })))).trim();
 	if (trimmed === "") return yield* new NativeRunError({ message: `${bin} not found in PATH` });
 	return trimmed;
 });
@@ -23905,7 +24612,7 @@ const findAppBundle = (root) => Effect.gen(function* () {
 	const fs = yield* FileSystem.FileSystem;
 	const candidates = [root, path.join(root, "Payload")];
 	for (const candidate of candidates) {
-		const app = (yield* fs.readDirectory(candidate).pipe(Effect.catchAll(() => Effect.succeed([])))).find((entry) => entry.endsWith(".app"));
+		const app = (yield* fs.readDirectory(candidate).pipe(Effect.orElseSucceed(() => []))).find((entry) => entry.endsWith(".app"));
 		if (app) return path.join(candidate, app);
 	}
 	return yield* new NativeRunError({ message: `No .app bundle found inside ${root} or ${path.join(root, "Payload")}.` });
@@ -23984,10 +24691,10 @@ const installAndLaunchIosDevice = (params) => Effect.gen(function* () {
 * fall back to a CLI flag.
 */
 const tryReadApkPackageWith = (bin, apkPath) => Effect.gen(function* () {
-	if (!(yield* which(bin).pipe(Effect.catchAll(() => Effect.succeed(null))))) return;
-	const raw = yield* execCapture(`${bin} dump`, bin, "dump", "badging", apkPath).pipe(Effect.catchAll(() => Effect.succeed(null)));
+	if (!(yield* which(bin).pipe(Effect.orElseSucceed(() => null)))) return;
+	const raw = yield* execCapture(`${bin} dump`, bin, "dump", "badging", apkPath).pipe(Effect.orElseSucceed(() => null));
 	if (!raw) return;
-	return /package: name='([^']+)'/u.exec(raw)?.[1];
+	return /package: name='(?<packageName>[^']+)'/u.exec(raw)?.[1];
 });
 const readApkPackageName = (apkPath) => Effect.gen(function* () {
 	return yield* Effect.reduce(["aapt2", "aapt"], void 0, (acc, bin) => acc === void 0 ? tryReadApkPackageWith(bin, apkPath) : Effect.succeed(acc));
@@ -24057,10 +24764,7 @@ const runIosSimulator = (params) => Effect.gen(function* () {
 });
 const runIosDevice = (params) => Effect.gen(function* () {
 	const { deviceSelector } = params;
-	if (deviceSelector === void 0) {
-		yield* Effect.fail(new InvalidArgumentError({ message: "Pass --device-id <udid>. Run `xcrun devicectl list devices` to list connected devices." }));
-		return;
-	}
+	if (deviceSelector === void 0) return yield* new InvalidArgumentError({ message: "Pass --device-id <udid>. Run `xcrun devicectl list devices` to list connected devices." });
 	const bundleId = yield* readBundleIdFromApp(yield* findAppBundle(yield* extractIosArtifact({
 		tempDir: params.tempDir,
 		artifactPath: params.artifactPath,
@@ -24085,21 +24789,12 @@ const runIos = (params) => {
 	return Effect.fail(new NativeRunError({ message: `Cannot install ${params.format} on iOS; only tar.gz (simulator) or ipa are supported.` }));
 };
 const runAndroid = (params) => Effect.gen(function* () {
-	if (params.format === "aab") {
-		yield* Effect.fail(new InvalidArgumentError({ message: ".aab artifacts cannot be installed directly. Use bundletool to convert to apks, or download the play-store APK." }));
-		return;
-	}
-	if (params.format !== "apk") {
-		yield* Effect.fail(new NativeRunError({ message: `Cannot install ${params.format} on Android; only apk is supported.` }));
-		return;
-	}
+	if (params.format === "aab") return yield* new InvalidArgumentError({ message: ".aab artifacts cannot be installed directly. Use bundletool to convert to apks, or download the play-store APK." });
+	if (params.format !== "apk") return yield* new NativeRunError({ message: `Cannot install ${params.format} on Android; only apk is supported.` });
 	const device = yield* pickAndroidDevice(params.emulatorSelector);
 	const detected = yield* readApkPackageName(params.artifactPath);
 	const packageName = params.packageOverride ?? detected;
-	if (!packageName) {
-		yield* Effect.fail(new InvalidArgumentError({ message: "Could not detect APK package name (aapt/aapt2 not on PATH). Pass --package <name> explicitly." }));
-		return;
-	}
+	if (!packageName) return yield* new InvalidArgumentError({ message: "Could not detect APK package name (aapt/aapt2 not on PATH). Pass --package <name> explicitly." });
 	yield* printHuman(`Installing on Android device ${device.serial}...`);
 	yield* installAndLaunchAndroid({
 		serial: device.serial,
@@ -24164,7 +24859,7 @@ const runCommand$1 = defineCommand({
 			projectId
 		});
 		const { artifact } = build;
-		if (!artifact) return yield* Effect.fail(new UploadFailedError({ message: `Build ${build.id} has no artifact yet.` }));
+		if (!artifact) return yield* new UploadFailedError({ message: `Build ${build.id} has no artifact yet.` });
 		const link = yield* api.builds.getInstallLink({ path: { id: build.id } });
 		const tempDir = yield* acquireBuildTempDir;
 		const artifactPath = path.join(tempDir, `artifact.${artifact.format}`);
@@ -24200,7 +24895,7 @@ const runCommand$1 = defineCommand({
 //#region src/application/upload-workflow.ts
 const resolveIosTarget = (profile, appMeta) => Effect.gen(function* () {
 	if (!profile.ios) return yield* new BuildProfileError({ message: `Profile "${profile.name}" has no ios section.` });
-	if (!appMeta.bundleId) return yield* new BuildProfileError({ message: "Missing ios.bundleIdentifier in your Expo config." });
+	if (!appMeta.bundleId) return yield* new BuildProfileError({ message: "Missing iOS bundle identifier (set ios.bundleIdentifier or your Expo config)." });
 	return {
 		target: {
 			platform: "ios",
@@ -24212,7 +24907,7 @@ const resolveIosTarget = (profile, appMeta) => Effect.gen(function* () {
 });
 const resolveAndroidTarget = (profile, appMeta, projectRoot) => Effect.gen(function* () {
 	if (!profile.android) return yield* new BuildProfileError({ message: `Profile "${profile.name}" has no android section.` });
-	if (!appMeta.androidPackage) return yield* new BuildProfileError({ message: "Missing android.package in your Expo config." });
+	if (!appMeta.androidPackage) return yield* new BuildProfileError({ message: "Missing Android applicationId (set android.applicationId or your Expo config)." });
 	const gradleConfig = yield* readGradleConfig(`${projectRoot}/android`);
 	yield* warnOnGradleMismatch(gradleConfig, appMeta.androidPackage);
 	const bundleId = gradleConfig?.applicationId ?? appMeta.androidPackage;
@@ -24229,27 +24924,56 @@ const resolveAndroidTarget = (profile, appMeta, projectRoot) => Effect.gen(funct
 		bundleId
 	};
 });
+/** Resolve app metadata + OTA runtimeVersion for an upload (project-type aware). */
+const resolveUploadMeta = (params) => Effect.gen(function* () {
+	const { projectType, platform, projectRoot, profile, envVars } = params;
+	const expoConfig = projectType === "expo" ? yield* readExpoConfig(projectRoot, envVars) : void 0;
+	const appMeta = yield* resolveAppMeta({
+		projectType,
+		platform,
+		projectRoot,
+		profile,
+		...compact({
+			expoConfig,
+			expoAppMeta: expoConfig === void 0 ? void 0 : yield* readAppMeta(expoConfig, platform)
+		})
+	});
+	return {
+		appMeta,
+		runtimeVersion: expoConfig === void 0 ? void 0 : yield* resolveRuntimeVersion({
+			raw: appMeta.rawRuntimeVersion,
+			appVersion: appMeta.appVersion,
+			projectRoot,
+			platform,
+			buildNumber: appMeta.buildNumber,
+			sdkVersion: expoConfig.sdkVersion
+		}),
+		isExpo: expoConfig !== void 0
+	};
+});
 const runUploadWorkflow = (options) => Effect.gen(function* () {
 	const api = yield* apiClient;
 	const projectRoot = yield* (yield* CliRuntime).cwd;
-	if (!(yield* (yield* FileSystem.FileSystem).exists(options.artifactPath).pipe(Effect.orElseSucceed(() => false)))) yield* new ArtifactNotFoundError({ message: `Artifact not found at ${options.artifactPath}.` });
-	const projectId = yield* extractProjectId(yield* readExpoConfig(projectRoot));
+	if (!(yield* (yield* FileSystem.FileSystem).exists(options.artifactPath).pipe(Effect.orElseSucceed(() => false)))) return yield* new ArtifactNotFoundError({ message: `Artifact not found at ${options.artifactPath}.` });
+	const projectType = yield* detectProjectType({
+		projectRoot,
+		override: asProjectType((yield* readBetterUpdateConfig(projectRoot))?.["projectType"])
+	});
+	const projectId = yield* readProjectId;
 	const profile = yield* readBuildProfile(projectRoot, options.profileName);
-	const expoConfig = yield* readExpoConfig(projectRoot, {
+	const envVars = {
 		...yield* pullEnvVars(api, {
 			projectId,
 			environment: profile.environment
 		}),
 		...profile.env
-	});
-	const appMeta = yield* readAppMeta(expoConfig, options.platform);
-	const runtimeVersion = yield* resolveRuntimeVersion({
-		raw: appMeta.rawRuntimeVersion,
-		appVersion: appMeta.appVersion,
-		projectRoot,
+	};
+	const { appMeta, runtimeVersion, isExpo } = yield* resolveUploadMeta({
+		projectType,
 		platform: options.platform,
-		buildNumber: appMeta.buildNumber,
-		sdkVersion: expoConfig.sdkVersion
+		projectRoot,
+		profile,
+		envVars
 	});
 	const { target, bundleId } = options.platform === "ios" ? yield* resolveIosTarget(profile, appMeta) : yield* resolveAndroidTarget(profile, appMeta, projectRoot);
 	yield* printHuman(`Hashing ${options.artifactPath}...`);
@@ -24260,7 +24984,7 @@ const runUploadWorkflow = (options) => Effect.gen(function* () {
 		commit: rawGitContext.commit,
 		dirty: rawGitContext.dirty
 	});
-	const fingerprintHash = yield* runFingerprintForPlatform(projectRoot, options.platform).pipe(Effect.map((entry) => entry.hash), Effect.catchAll(() => Effect.succeed(void 0)));
+	const fingerprintHash = isExpo ? yield* runFingerprintForPlatform(projectRoot, options.platform).pipe(Effect.map((entry) => entry.hash), Effect.orElseSucceed(() => void 0)) : void 0;
 	const result = yield* reserveAndUpload(api, compact({
 		target,
 		projectId,
@@ -24282,7 +25006,7 @@ const runUploadWorkflow = (options) => Effect.gen(function* () {
 		["Status", result.status],
 		["Platform", options.platform],
 		["Profile", profile.name],
-		["Runtime version", runtimeVersion],
+		...runtimeVersion === void 0 ? [] : [["Runtime version", runtimeVersion]],
 		["Artifact", options.artifactPath],
 		["SHA-256", sha256],
 		["Bytes", String(byteSize)]
@@ -24344,9 +25068,9 @@ const buildsCommand = defineCommand({
 		description: "Manage builds"
 	},
 	subCommands: {
-		list: listCommand$7,
+		list: listCommand$10,
 		get: getCommand$2,
-		delete: deleteCommand$5,
+		delete: deleteCommand$6,
 		download: downloadCommand$1,
 		run: runCommand$1,
 		"install-link": installLinkCommand,
@@ -24372,7 +25096,7 @@ const resolveNamedResourceId$1 = (params) => resolveNamedResourceId$2(params, (m
 
 //#endregion
 //#region src/commands/channels/create.ts
-const createCommand$3 = defineCommand({
+const createCommand$4 = defineCommand({
 	meta: {
 		name: "create",
 		description: "Create a channel"
@@ -24417,7 +25141,7 @@ const createCommand$3 = defineCommand({
 
 //#endregion
 //#region src/commands/channels/delete.ts
-const deleteCommand$4 = defineCommand({
+const deleteCommand$5 = defineCommand({
 	meta: {
 		name: "delete",
 		description: "Delete a channel"
@@ -24440,6 +25164,193 @@ const deleteCommand$4 = defineCommand({
 	})
 });
 
+//#endregion
+//#region src/commands/channels/grants/helpers.ts
+var GrantCommandError = class extends Data.TaggedError("GrantCommandError") {};
+const grantErrorExtras = { GrantCommandError: 2 };
+
+//#endregion
+//#region src/commands/channels/grants/list.ts
+const resolveChannel = (channels, target) => Effect.gen(function* () {
+	const channel = channels.find((ch) => ch.id === target) ?? channels.find((ch) => ch.name === target);
+	if (!channel) return yield* new ChannelCommandError({ message: `Channel "${target}" not found by ID or name.` });
+	return channel;
+});
+const listCommand$9 = defineCommand({
+	meta: {
+		name: "list",
+		description: "List per-member grants on a channel"
+	},
+	args: { channel: {
+		type: "positional",
+		required: true,
+		description: "Channel ID or channel name"
+	} },
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const projectId = yield* readProjectId;
+		const api = yield* apiClient;
+		const channel = yield* resolveChannel(yield* drainPages((page) => api.channels.list({ urlParams: {
+			projectId,
+			limit: 100,
+			page
+		} })), args.channel);
+		yield* printList([
+			"ID",
+			"Member ID",
+			"Effect",
+			"Actions",
+			"Created"
+		], (yield* api.channelGrants.list({
+			path: { id: channel.id },
+			urlParams: {}
+		})).map((grant) => [
+			grant.id,
+			grant.memberId,
+			grant.effect,
+			grant.actions.join(", "),
+			grant.createdAt
+		]), "No grants found for this channel.");
+	}), { exits: {
+		...channelErrorExtras,
+		...grantErrorExtras
+	} })
+});
+
+//#endregion
+//#region src/commands/channels/grants/revoke.ts
+const revokeCommand$2 = defineCommand({
+	meta: {
+		name: "revoke",
+		description: "Revoke all grants for a member on a channel"
+	},
+	args: {
+		channel: {
+			type: "positional",
+			required: true,
+			description: "Channel ID or channel name"
+		},
+		member: {
+			type: "string",
+			required: true,
+			description: "Member ID whose grants to revoke"
+		},
+		yes: {
+			type: "boolean",
+			description: "Skip confirmation prompt"
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		if (!args.yes) {
+			if (!(yield* promptConfirm(`Revoke all grants for member ${args.member} on channel ${args.channel}?`, { initialValue: false }))) {
+				yield* printHuman("Cancelled.");
+				return { deleted: 0 };
+			}
+		}
+		const projectId = yield* readProjectId;
+		const api = yield* apiClient;
+		const channels = yield* drainPages((page) => api.channels.list({ urlParams: {
+			projectId,
+			limit: 100,
+			page
+		} }));
+		const channel = channels.find((ch) => ch.id === args.channel) ?? channels.find((ch) => ch.name === args.channel);
+		if (!channel) return yield* new ChannelCommandError({ message: `Channel "${args.channel}" not found by ID or name.` });
+		const result = yield* api.channelGrants.delete({ path: {
+			id: channel.id,
+			memberId: args.member
+		} });
+		yield* printHuman(`Revoked grants for member ${args.member} on channel "${channel.name}".`);
+		return result;
+	}), {
+		exits: {
+			...channelErrorExtras,
+			...grantErrorExtras
+		},
+		json: "value"
+	})
+});
+
+//#endregion
+//#region src/commands/channels/grants/set.ts
+const setCommand$3 = defineCommand({
+	meta: {
+		name: "set",
+		description: "Create or replace a member's grant on a channel"
+	},
+	args: {
+		channel: {
+			type: "positional",
+			required: true,
+			description: "Channel ID or channel name"
+		},
+		member: {
+			type: "string",
+			required: true,
+			description: "Member ID to grant permissions to"
+		},
+		actions: {
+			type: "string",
+			required: true,
+			description: "Permission action tokens in resource:action format, comma-separated (e.g. update:create,rollout:update)"
+		},
+		effect: {
+			type: "string",
+			description: "Grant effect: allow (default) or deny"
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const effectValue = args.effect ?? "allow";
+		if (effectValue !== "allow" && effectValue !== "deny") return yield* new GrantCommandError({ message: `Invalid effect "${effectValue}" — must be "allow" or "deny".` });
+		const actionTokens = args.actions.split(",").map((tok) => tok.trim()).filter((tok) => tok.length > 0);
+		if (actionTokens.length === 0) return yield* new GrantCommandError({ message: "At least one action token is required." });
+		const projectId = yield* readProjectId;
+		const api = yield* apiClient;
+		const channels = yield* drainPages((page) => api.channels.list({ urlParams: {
+			projectId,
+			limit: 100,
+			page
+		} }));
+		const channel = channels.find((ch) => ch.id === args.channel) ?? channels.find((ch) => ch.name === args.channel);
+		if (!channel) return yield* new ChannelCommandError({ message: `Channel "${args.channel}" not found by ID or name.` });
+		const grant = yield* api.channelGrants.upsert({
+			path: {
+				id: channel.id,
+				memberId: args.member
+			},
+			payload: {
+				effect: effectValue,
+				actions: actionTokens
+			}
+		});
+		yield* printHumanKeyValue([
+			["ID", grant.id],
+			["Member ID", grant.memberId],
+			["Channel ID", grant.scopeId],
+			["Effect", grant.effect],
+			["Actions", grant.actions.join(", ")],
+			["Created", grant.createdAt]
+		]);
+		return grant;
+	}), { exits: {
+		...channelErrorExtras,
+		...grantErrorExtras
+	} })
+});
+
+//#endregion
+//#region src/commands/channels/grants/index.ts
+const grantsCommand$1 = defineCommand({
+	meta: {
+		name: "grants",
+		description: "Manage per-member permission grants on a channel"
+	},
+	subCommands: {
+		list: listCommand$9,
+		set: setCommand$3,
+		revoke: revokeCommand$2
+	}
+});
+
 //#endregion
 //#region src/commands/channels/insights.ts
 const insightsCommand$1 = defineCommand({
@@ -24486,7 +25397,7 @@ const insightsCommand$1 = defineCommand({
 
 //#endregion
 //#region src/commands/channels/list.ts
-const listCommand$6 = defineCommand({
+const listCommand$8 = defineCommand({
 	meta: {
 		name: "list",
 		description: "List channels for the linked project"
@@ -24590,7 +25501,7 @@ const completeCommand$1 = defineCommand({
 
 //#endregion
 //#region src/commands/channels/rollout/create.ts
-const createCommand$2 = defineCommand({
+const createCommand$3 = defineCommand({
 	meta: {
 		name: "create",
 		description: "Start a branch rollout on a channel"
@@ -24671,7 +25582,7 @@ const revertCommand$2 = defineCommand({
 
 //#endregion
 //#region src/commands/channels/rollout/update.ts
-const updateCommand$3 = defineCommand({
+const updateCommand$4 = defineCommand({
 	meta: {
 		name: "update",
 		description: "Update the rollout percentage on a channel"
@@ -24710,8 +25621,8 @@ const rolloutCommand$1 = defineCommand({
 		description: "Manage channel branch rollouts"
 	},
 	subCommands: {
-		create: createCommand$2,
-		update: updateCommand$3,
+		create: createCommand$3,
+		update: updateCommand$4,
 		complete: completeCommand$1,
 		revert: revertCommand$2
 	}
@@ -24719,7 +25630,7 @@ const rolloutCommand$1 = defineCommand({
 
 //#endregion
 //#region src/commands/channels/update.ts
-const updateCommand$2 = defineCommand({
+const updateCommand$3 = defineCommand({
 	meta: {
 		name: "update",
 		description: "Relink a channel to a different branch"
@@ -24762,7 +25673,7 @@ const updateCommand$2 = defineCommand({
 
 //#endregion
 //#region src/commands/channels/view.ts
-const viewCommand$2 = defineCommand({
+const viewCommand$3 = defineCommand({
 	meta: {
 		name: "view",
 		description: "Show a channel by ID or name"
@@ -24785,7 +25696,7 @@ const viewCommand$2 = defineCommand({
 			page
 		} }))]);
 		const channel = channels.find((entry) => entry.id === args.target) ?? channels.find((entry) => entry.name === args.target);
-		if (!channel) return yield* Effect.fail(new ChannelCommandError({ message: `Channel "${args.target}" not found by ID or name.` }));
+		if (!channel) return yield* new ChannelCommandError({ message: `Channel "${args.target}" not found by ID or name.` });
 		const branchName = new Map(branches.map((branch) => [branch.id, branch.name])).get(channel.branchId) ?? channel.branchId;
 		yield* printHumanKeyValue([
 			["ID", channel.id],
@@ -24822,14 +25733,15 @@ const channelsCommand = defineCommand({
 		description: "Manage channels"
 	},
 	subCommands: {
-		list: listCommand$6,
-		view: viewCommand$2,
-		create: createCommand$3,
-		update: updateCommand$2,
+		list: listCommand$8,
+		view: viewCommand$3,
+		create: createCommand$4,
+		update: updateCommand$3,
 		pause: pauseCommand,
 		resume: resumeCommand,
-		delete: deleteCommand$4,
+		delete: deleteCommand$5,
 		rollout: rolloutCommand$1,
+		grants: grantsCommand$1,
 		insights: insightsCommand$1
 	}
 });
@@ -24891,7 +25803,7 @@ const parseGoogleServiceAccountKey = (jsonText) => Effect.gen(function* () {
 const APPLE_TEAM_ID_RE = /^[A-Z0-9]{10}$/u;
 const extractTeamId = (params) => {
 	if (params.orgUnit && APPLE_TEAM_ID_RE.test(params.orgUnit)) return params.orgUnit;
-	return /\(([A-Z0-9]{10})\)\s*$/u.exec(params.signingIdentity)?.[1];
+	return /\((?<team>[A-Z0-9]{10})\)\s*$/u.exec(params.signingIdentity)?.[1];
 };
 /**
 * Parse a PKCS#12 (.p12) buffer and extract certificate metadata.
@@ -25210,7 +26122,7 @@ const announce = (heading) => Effect.gen(function* () {
 });
 const reportError = (label, cause) => Console.log(`✗ ${label}: ${cause instanceof Error ? cause.message : String(cause)}`);
 const safely = (label, effect) => effect.pipe(Effect.catchAll((cause) => reportError(label, cause)), Effect.asVoid);
-const safePrompt = (effect) => effect.pipe(Effect.catchAll(() => Effect.succeed(BACK)));
+const safePrompt = (effect) => effect.pipe(Effect.orElseSucceed(() => BACK));
 const promptForBundleConfig = (ctx) => Effect.gen(function* () {
 	const list = yield* ctx.api.iosBundleConfigurations.list({ path: { projectId: ctx.projectId } });
 	if (list.items.length === 0) return yield* new MissingCredentialsError({
@@ -26243,7 +27155,7 @@ const toRecipientView = (userEncryptionKeyId, key) => ({
 		fingerprint: key?.fingerprint
 	})
 });
-const listCommand$5 = defineCommand({
+const listCommand$7 = defineCommand({
 	meta: {
 		name: "list",
 		description: "List recipients that currently hold the org vault key"
@@ -26470,7 +27382,7 @@ const accessCommand = defineCommand({
 		description: "Inspect, grant, rotate, revoke, and recover access to the org credential vault"
 	},
 	subCommands: {
-		list: listCommand$5,
+		list: listCommand$7,
 		grant: grantCommand,
 		rotate: rotateCommand,
 		revoke: revokeCommand$1,
@@ -26679,7 +27591,7 @@ const CREDENTIAL_TYPES$3 = [
 	"keystore",
 	"google-service-account-key"
 ];
-const deleteCommand$3 = defineCommand({
+const deleteCommand$4 = defineCommand({
 	meta: {
 		name: "delete",
 		description: "Delete a credential"
@@ -26721,7 +27633,7 @@ const deleteCommand$3 = defineCommand({
 //#region src/commands/credentials/device.ts
 /** Self-linking is for your own device keys; recovery/machine keys go through `access grant`. */
 const requireDeviceKind = (target) => target.kind === "device" ? Effect.void : new IdentityError({ message: `Key ${target.id} is a ${target.kind} key, not a device. Use \`better-update credentials access grant\` for recovery/machine keys.` });
-const listCommand$4 = defineCommand({
+const listCommand$6 = defineCommand({
 	meta: {
 		name: "list",
 		description: "List your registered device keys (the active one is marked)"
@@ -26779,7 +27691,7 @@ const deviceCommand = defineCommand({
 		description: "Manage your vault device keys"
 	},
 	subCommands: {
-		list: listCommand$4,
+		list: listCommand$6,
 		link: linkCommand
 	},
 	default: "list"
@@ -27141,7 +28053,7 @@ const handleCertLimitInteractive = (api, ascApiKeyId, certificateType) => Effect
 		ascApiKeyId,
 		certificateType
 	});
-	if (certs.length === 0) return yield* Effect.fail(new CertificateLimitError({ message: "Apple says the certificate limit is hit but no existing certificates were returned — try again later." }));
+	if (certs.length === 0) return yield* new CertificateLimitError({ message: "Apple says the certificate limit is hit but no existing certificates were returned — try again later." });
 	const toRevoke = yield* promptMultiSelect("Select one or more certificates to revoke before retrying", certs.map((entry) => ({
 		value: entry.id,
 		label: `${entry.serialNumber.slice(0, 12)}… (${entry.displayName ?? entry.certificateType}, exp ${entry.expirationDate.slice(0, 10)})`
@@ -27434,7 +28346,7 @@ const printRecipient = (key) => printKeyValue([
 	["Recipient (public key)", key.publicKey],
 	["Fingerprint", key.fingerprint]
 ]);
-const createCommand$1 = defineCommand({
+const createCommand$2 = defineCommand({
 	meta: {
 		name: "create",
 		description: "Create this device's encryption identity and register it as a recipient"
@@ -27537,7 +28449,7 @@ const identityCommand = defineCommand({
 		description: "Manage this device's end-to-end encryption identity"
 	},
 	subCommands: {
-		create: createCommand$1,
+		create: createCommand$2,
 		init: initCommand$1,
 		register: registerCommand,
 		show: showCommand
@@ -27547,7 +28459,7 @@ const identityCommand = defineCommand({
 
 //#endregion
 //#region src/commands/credentials/list.ts
-const listCommand$3 = defineCommand({
+const listCommand$5 = defineCommand({
 	meta: {
 		name: "list",
 		description: "List credentials across platforms"
@@ -27903,7 +28815,7 @@ const writeArtifact = (fs, projectRoot, relPath, bytes) => Effect.gen(function*
 const writeText = (fs, projectRoot, relPath, text) => writeArtifact(fs, projectRoot, relPath, new TextEncoder().encode(text));
 const ensureGitignoreEntries = (fs, projectRoot, paths) => Effect.gen(function* () {
 	const filePath = path.join(projectRoot, ".gitignore");
-	const lines = ((yield* fs.exists(filePath).pipe(Effect.catchAll(() => Effect.succeed(false)))) ? yield* fs.readFileString(filePath).pipe(Effect.catchAll(() => Effect.succeed(""))) : "").split("\n");
+	const lines = ((yield* fs.exists(filePath).pipe(Effect.orElseSucceed(() => false))) ? yield* fs.readFileString(filePath).pipe(Effect.orElseSucceed(() => "")) : "").split("\n");
 	const added = [];
 	const next = [...lines];
 	for (const entry of paths) if (!lines.includes(entry)) {
@@ -28702,7 +29614,7 @@ const lookupByType = (api, id, type) => {
 		default: return Effect.fail(new CredentialValidationError({ message: `Unsupported credential type: ${String(type)}` }));
 	}
 };
-const viewCommand$1 = defineCommand({
+const viewCommand$2 = defineCommand({
 	meta: {
 		name: "view",
 		description: "Show details for a single credential (without secrets)"
@@ -28749,14 +29661,14 @@ const credentialsCommand = defineCommand({
 		unlock: unlockCommand,
 		lock: lockCommand,
 		status: statusCommand$1,
-		list: listCommand$3,
-		view: viewCommand$1,
+		list: listCommand$5,
+		view: viewCommand$2,
 		download: downloadCommand,
 		upload: uploadCommand,
 		"upload-asc-key": uploadAscKeyCommand,
 		generate: generateCommand$1,
 		"regenerate-profile": regenerateProfileCommand,
-		delete: deleteCommand$3,
+		delete: deleteCommand$4,
 		remove: removeCommand,
 		revoke: revokeCommand,
 		configure: configureCommand$1,
@@ -28776,7 +29688,7 @@ const DEVICE_CLASS_VALUES = [
 const isDeviceClass = (value) => DEVICE_CLASS_VALUES.includes(value);
 const ttlHours = (value) => {
 	if (value === void 0) return;
-	const match = /^([0-9]+)([hd])?$/u.exec(value);
+	const match = /^(?<value>[0-9]+)(?<unit>[hd])?$/u.exec(value);
 	if (!match?.[1]) return;
 	const num = Number.parseInt(match[1], 10);
 	return match[2] === "d" ? num * 24 : num;
@@ -29123,6 +30035,7 @@ const devicesCommand = defineCommand({
 
 //#endregion
 //#region src/commands/doctor.ts
+var HealthCheckError = class extends Data.TaggedError("HealthCheckError") {};
 const pass = (id, name, message) => ({
 	id,
 	name,
@@ -29161,7 +30074,10 @@ const checkServerHealth = Effect.gen(function* () {
 	const url = `${yield* (yield* ConfigStore).getBaseUrl}/api/health`;
 	const response = yield* Effect.tryPromise({
 		try: async () => fetch(url, { signal: AbortSignal.timeout(3e3) }),
-		catch: (cause) => new Error(String(cause))
+		catch: (cause) => new HealthCheckError({
+			message: String(cause),
+			cause
+		})
 	}).pipe(Effect.either);
 	if (response._tag === "Left") return fail("health", "Server reachable", `${url} unreachable: ${response.left.message}`);
 	const res = response.right;
@@ -29186,11 +30102,18 @@ const checkProjectLink = Effect.gen(function* () {
 	const source = (yield* readLinkedProjectId(root)) === void 0 ? "Expo config" : "better-update.json";
 	return pass("project-linked", "Project linked", `projectId=${resolved.right} (via ${source})`);
 });
-const checkEasJson = Effect.gen(function* () {
-	const result = yield* readEasJson(yield* (yield* CliRuntime).cwd).pipe(Effect.either);
-	if (result._tag === "Left") return warn("eas-json", "eas.json", result.left.message);
-	const count = Object.keys(result.right.build ?? {}).length;
-	return pass("eas-json", "eas.json", `${count} profile(s) defined`);
+const checkProjectType = Effect.gen(function* () {
+	const root = yield* (yield* CliRuntime).cwd;
+	const override = asProjectType((yield* readBetterUpdateConfig(root))?.["projectType"]);
+	return pass("project-type", "Project type", `${yield* detectProjectType({
+		projectRoot: root,
+		override
+	})} (${override === void 0 ? "auto-detected" : "better-update.json override"})`);
+});
+const checkBuildConfig = Effect.gen(function* () {
+	const names = yield* listBuildProfileNames(yield* (yield* CliRuntime).cwd);
+	if (names.length === 0) return warn("build-config", "Build config", "No build profiles found. Add a \"build\" section to better-update.json.");
+	return pass("build-config", "Build config", `${names.length} profile(s) defined`);
 });
 const runChecks = Effect.gen(function* () {
 	const xcode = (yield* CliRuntime).platform === "darwin" ? [yield* checkCommand("xcode", "Xcode CLI tools", "xcode-select", ["-p"])] : [];
@@ -29201,7 +30124,8 @@ const runChecks = Effect.gen(function* () {
 		yield* checkServerHealth,
 		yield* checkAuth,
 		yield* checkProjectLink,
-		yield* checkEasJson
+		yield* checkProjectType,
+		yield* checkBuildConfig
 	];
 });
 const statusIcon = (status) => {
@@ -29244,23 +30168,23 @@ const envErrorExtras = {
 	SystemError: 6,
 	BadArgument: 6
 };
-const isEnvironmentName = (value) => value === "development" || value === "preview" || value === "production";
+const isEnvironmentName$1 = (value) => value === "development" || value === "preview" || value === "production";
 const parseEnvironmentsArg = (raw) => Effect.gen(function* () {
 	const tokens = raw.split(",").map((token) => token.trim()).filter((token) => token.length > 0);
 	if (tokens.length === 0) return yield* new InvalidArgumentError({ message: "Provide at least one environment (development, preview, production)." });
 	const seen = /* @__PURE__ */ new Set();
 	yield* Effect.forEach(tokens, (token) => Effect.gen(function* () {
-		if (!isEnvironmentName(token)) return yield* new InvalidArgumentError({ message: `Invalid environment "${token}". Must be one of: development, preview, production.` });
+		if (!isEnvironmentName$1(token)) return yield* new InvalidArgumentError({ message: `Invalid environment "${token}". Must be one of: development, preview, production.` });
 		seen.add(token);
 	}), { discard: true });
 	return [...seen];
 });
 const parseSingleEnvironmentArg = (raw) => Effect.gen(function* () {
-	if (!isEnvironmentName(raw)) return yield* new InvalidArgumentError({ message: `Invalid environment "${raw}". Must be one of: development, preview, production.` });
+	if (!isEnvironmentName$1(raw)) return yield* new InvalidArgumentError({ message: `Invalid environment "${raw}". Must be one of: development, preview, production.` });
 	return raw;
 });
 const formatEnvironments = (environments) => [...environments].toSorted((left, right) => left.localeCompare(right)).join(",");
-const DOTENV_LINE = /^\s*(?:export\s+)?([A-Z][A-Z0-9_]*)\s*=\s*(.*?)\s*$/u;
+const DOTENV_LINE = /^\s*(?:export\s+)?(?<key>[A-Z][A-Z0-9_]*)\s*=\s*(?<value>.*?)\s*$/u;
 const stripQuotes = (raw) => {
 	if (raw.length < 2) return raw;
 	const [first] = raw;
@@ -29295,7 +30219,7 @@ const findProjectEnvVar = (api, projectId, key, environment) => Effect.gen(funct
 
 //#endregion
 //#region src/commands/env/delete.ts
-const deleteCommand$2 = defineCommand({
+const deleteCommand$3 = defineCommand({
 	meta: {
 		name: "delete",
 		description: "Delete a project env var (one environment, or every environment by default)"
@@ -29364,7 +30288,7 @@ const getExecTrailingArgv = () => trailing$1;
 const pullForExec = (api, projectId, environment) => pullEnvVars(api, {
 	projectId,
 	environment
-}).pipe(Effect.catchAll(() => Effect.succeed({})));
+}).pipe(Effect.orElseSucceed(() => ({})));
 const splitTrailing = (trailing) => {
 	if (!trailing || trailing.length === 0) return Effect.fail(new InvalidArgumentError({ message: "Pass the command after `--`. Example: `better-update env exec production -- bun run dev`." }));
 	const [bin, ...rest] = trailing;
@@ -29467,6 +30391,191 @@ const getCommand$1 = defineCommand({
 	}), envErrorExtras)
 });
 
+//#endregion
+//#region src/commands/env/grants/helpers.ts
+var EnvGrantCommandError = class extends Data.TaggedError("EnvGrantCommandError") {};
+const envGrantErrorExtras = { EnvGrantCommandError: 2 };
+/** Sentinel project token for the org-global env-var scope (mirrors server). */
+const ENV_GRANT_GLOBAL = "global";
+const ENVIRONMENTS = [
+	"development",
+	"preview",
+	"production"
+];
+/**
+* Type guard narrowing a raw arg to an {@link EnvironmentName}. Lets set/unset
+* validate `args.environment` AND narrow it without an unsafe `as` assertion.
+*/
+const isEnvironmentName = (value) => ENVIRONMENTS.includes(value);
+
+//#endregion
+//#region src/commands/env/grants/list.ts
+const listCommand$4 = defineCommand({
+	meta: {
+		name: "list",
+		description: "List env-var grants on a (project × environment) scope"
+	},
+	args: {
+		project: {
+			type: "string",
+			description: `Project id, or "${ENV_GRANT_GLOBAL}" for the org-global scope (default: linked project)`
+		},
+		global: {
+			type: "boolean",
+			default: false,
+			description: "Target the org-global env-var scope instead of a project"
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const projectId = args.global ? ENV_GRANT_GLOBAL : args.project ?? (yield* readProjectId);
+		yield* printList([
+			"Member ID",
+			"Environment",
+			"Effect",
+			"Actions"
+		], (yield* (yield* apiClient).envGrants.list({ urlParams: { projectId } })).map((row) => [
+			row.memberId,
+			row.environment,
+			row.effect,
+			row.actions.join(", ")
+		]), "No env-var grants found for this scope.");
+	}), { exits: { ...envGrantErrorExtras } })
+});
+
+//#endregion
+//#region src/commands/env/grants/set.ts
+const setCommand$2 = defineCommand({
+	meta: {
+		name: "set",
+		description: "Create or replace a member's env-var grant on a scope"
+	},
+	args: {
+		member: {
+			type: "string",
+			required: true,
+			description: "Member ID to grant"
+		},
+		environment: {
+			type: "string",
+			required: true,
+			description: "Environment: development | preview | production"
+		},
+		actions: {
+			type: "string",
+			description: "Comma-separated envVar:* tokens (default: envVar:read)"
+		},
+		effect: {
+			type: "string",
+			description: "allow (default) or deny"
+		},
+		project: {
+			type: "string",
+			description: `Project id (default: linked project)`
+		},
+		global: {
+			type: "boolean",
+			default: false,
+			description: "Target the org-global env-var scope"
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const effectValue = args.effect ?? "allow";
+		if (effectValue !== "allow" && effectValue !== "deny") return yield* new EnvGrantCommandError({ message: `Invalid effect "${effectValue}".` });
+		const { environment } = args;
+		if (!isEnvironmentName(environment)) return yield* new EnvGrantCommandError({ message: `Invalid environment "${environment}". One of: ${ENVIRONMENTS.join(", ")}.` });
+		const actionTokens = (args.actions ?? "envVar:read").split(",").map((tok) => tok.trim()).filter((tok) => tok.length > 0);
+		if (actionTokens.length === 0) return yield* new EnvGrantCommandError({ message: "At least one action token is required." });
+		const projectId = args.global ? null : args.project ?? (yield* readProjectId);
+		const grant = yield* (yield* apiClient).envGrants.upsert({ payload: {
+			memberId: args.member,
+			projectId,
+			environment,
+			effect: effectValue,
+			actions: actionTokens
+		} });
+		yield* printHumanKeyValue([
+			["ID", grant.id],
+			["Member ID", grant.memberId],
+			["Scope", grant.scopeId],
+			["Effect", grant.effect],
+			["Actions", grant.actions.join(", ")],
+			["Created", grant.createdAt]
+		]);
+		return grant;
+	}), { exits: { ...envGrantErrorExtras } })
+});
+
+//#endregion
+//#region src/commands/env/grants/unset.ts
+const unsetCommand = defineCommand({
+	meta: {
+		name: "unset",
+		description: "Revoke a member's env-var grants on a scope"
+	},
+	args: {
+		member: {
+			type: "string",
+			required: true,
+			description: "Member ID whose grants to revoke"
+		},
+		environment: {
+			type: "string",
+			required: true,
+			description: "Environment"
+		},
+		project: {
+			type: "string",
+			description: "Project id (default: linked project)"
+		},
+		global: {
+			type: "boolean",
+			default: false,
+			description: "Target the org-global scope"
+		},
+		yes: {
+			type: "boolean",
+			default: false,
+			description: "Skip confirmation prompt"
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const { environment } = args;
+		if (!isEnvironmentName(environment)) return yield* new EnvGrantCommandError({ message: `Invalid environment "${environment}".` });
+		if (!args.yes) {
+			const scopeLabel = args.global ? ENV_GRANT_GLOBAL : args.project ?? "linked project";
+			if (!(yield* promptConfirm(`Revoke env-var grants for member ${args.member} on ${scopeLabel}/${args.environment}?`, { initialValue: false }))) {
+				yield* printHuman("Cancelled.");
+				return { deleted: 0 };
+			}
+		}
+		const projectId = args.global ? null : args.project ?? (yield* readProjectId);
+		const result = yield* (yield* apiClient).envGrants.delete({ payload: {
+			memberId: args.member,
+			projectId,
+			environment
+		} });
+		yield* printHuman(`Revoked env-var grants for member ${args.member}.`);
+		return result;
+	}), {
+		exits: { ...envGrantErrorExtras },
+		json: "value"
+	})
+});
+
+//#endregion
+//#region src/commands/env/grants/index.ts
+const grantsCommand = defineCommand({
+	meta: {
+		name: "grants",
+		description: "Manage per-member env-var access grants on a (project × environment) scope"
+	},
+	subCommands: {
+		list: listCommand$4,
+		set: setCommand$2,
+		unset: unsetCommand
+	}
+});
+
 //#endregion
 //#region src/commands/env/history.ts
 const historyCommand = defineCommand({
@@ -29565,7 +30674,7 @@ const importCommand = defineCommand({
 
 //#endregion
 //#region src/commands/env/list.ts
-const listCommand$2 = defineCommand({
+const listCommand$3 = defineCommand({
 	meta: {
 		name: "list",
 		description: "List environment variable metadata. Values are end-to-end encrypted — read them with `env pull`, `env export`, or `env get`."
@@ -29831,7 +30940,7 @@ const setCommand$1 = defineCommand({
 
 //#endregion
 //#region src/commands/env/update.ts
-const updateCommand$1 = defineCommand({
+const updateCommand$2 = defineCommand({
 	meta: {
 		name: "update",
 		description: "Update a project env var's value or visibility for an environment"
@@ -29912,18 +31021,19 @@ const envCommand = defineCommand({
 		description: "Manage environment variables"
 	},
 	subCommands: {
-		list: listCommand$2,
+		list: listCommand$3,
 		get: getCommand$1,
 		set: setCommand$1,
-		update: updateCommand$1,
-		delete: deleteCommand$2,
+		update: updateCommand$2,
+		delete: deleteCommand$3,
 		history: historyCommand,
 		rollback: rollbackCommand$1,
 		import: importCommand,
 		push: pushCommand,
 		export: exportCommand,
 		pull: pullCommand,
-		exec: execCommand
+		exec: execCommand,
+		grants: grantsCommand
 	}
 });
 
@@ -30194,7 +31304,7 @@ const fingerprintCommand = defineCommand({
 const checkExistingLink = (api, config, localSlug) => Effect.gen(function* () {
 	const existingId = config.extra?.betterUpdate?.projectId;
 	if (typeof existingId !== "string" || existingId.length === 0) return "no-link";
-	const project = yield* api.projects.get({ path: { id: existingId } }).pipe(Effect.catchAll(() => Effect.succeed(void 0)));
+	const project = yield* api.projects.get({ path: { id: existingId } }).pipe(Effect.orElseSucceed(() => void 0));
 	if (project === void 0) {
 		yield* printHuman(`Existing projectId "${existingId}" not found on server. Re-linking by local slug "${localSlug}".`);
 		return "stale";
@@ -30214,9 +31324,9 @@ const checkExistingLink = (api, config, localSlug) => Effect.gen(function* () {
 const slugify = (value) => value.toLowerCase().replaceAll(/[^a-z0-9]+/gu, "-").replaceAll(/^-+|-+$/gu, "");
 /** Best-effort `name` from the local package.json, or undefined when absent. */
 const readPackageJsonName = (projectRoot) => Effect.gen(function* () {
-	const content = yield* (yield* FileSystem.FileSystem).readFileString(path.join(projectRoot, "package.json")).pipe(Effect.catchAll(() => Effect.succeed("")));
+	const content = yield* (yield* FileSystem.FileSystem).readFileString(path.join(projectRoot, "package.json")).pipe(Effect.orElseSucceed(() => ""));
 	if (content.length === 0) return;
-	const parsed = yield* Effect.try(() => JSON.parse(content)).pipe(Effect.catchAll(() => Effect.succeed(void 0)));
+	const parsed = yield* Effect.try(() => JSON.parse(content)).pipe(Effect.orElseSucceed(() => void 0));
 	const name = isRecord(parsed) ? parsed["name"] : void 0;
 	return typeof name === "string" && name.length > 0 ? name : void 0;
 });
@@ -30369,49 +31479,40 @@ const logoutCommand = defineCommand({
 
 //#endregion
 //#region src/commands/migrate-config.ts
-const readAppJson = (projectRoot) => {
-	const path$1 = path.join(projectRoot, "app.json");
-	if (!existsSync(path$1)) return null;
-	const raw = readFileSync(path$1, "utf8");
-	return JSON.parse(raw);
-};
-const writeAppJson = (projectRoot, content) => {
-	writeFileSync(path.join(projectRoot, "app.json"), `${JSON.stringify(content, null, 2)}\n`);
-};
-const writeEasJson = (projectRoot, profiles) => {
-	writeFileSync(path.join(projectRoot, "eas.json"), `${JSON.stringify({ build: profiles }, null, 2)}\n`);
-};
 const migrateConfigCommand = defineCommand({
 	meta: {
 		name: "migrate-config",
-		description: "Migrate legacy `extra.betterUpdate.profiles` (in app.json) to a sibling `eas.json` file"
+		description: "Migrate `build`/`submit` profiles from a legacy eas.json into better-update.json"
 	},
 	args: { yes: {
 		type: "boolean",
 		description: "Skip the confirmation prompt"
 	} },
 	run: async ({ args }) => runEffect(Effect.gen(function* () {
-		const root = yield* (yield* CliRuntime).cwd;
-		const appJson = readAppJson(root);
-		if (!appJson) return yield* new InvalidArgumentError({ message: `No app.json found at ${root}.` });
-		const profiles = appJson.expo?.extra?.betterUpdate?.profiles;
-		if (profiles === void 0) {
-			yield* printHuman("No legacy `extra.betterUpdate.profiles` found in app.json — nothing to migrate.");
+		const runtime = yield* CliRuntime;
+		const fs = yield* FileSystem.FileSystem;
+		const root = yield* runtime.cwd;
+		const easPath = path.join(root, "eas.json");
+		if (!(yield* fs.exists(easPath).pipe(Effect.orElseSucceed(() => false)))) return yield* new InvalidArgumentError({ message: `No eas.json found at ${root}.` });
+		const config = yield* readEasJson(root);
+		const patch = compact({
+			build: config.build,
+			submit: config.submit,
+			cli: config.cli
+		});
+		if (Object.keys(patch).length === 0) {
+			yield* printHuman("eas.json has no build/submit/cli sections — nothing to migrate.");
 			return;
 		}
-		if (existsSync(path.join(root, "eas.json"))) return yield* new InvalidArgumentError({ message: "eas.json already exists. Manual review required — refusing to overwrite. Remove eas.json first if you want to regenerate." });
-		if (!args.yes) {
-			if (!(yield* promptConfirm(`Move profiles to eas.json and strip from app.json?`, { initialValue: true }))) {
+		const existingBuild = (yield* readBetterUpdateConfig(root))?.["build"];
+		if (typeof existingBuild === "object" && existingBuild !== null && config.build !== void 0 && !args.yes) {
+			if (!(yield* promptConfirm("better-update.json already has a build section — overwrite it from eas.json?", { initialValue: false }))) {
 				yield* printHuman("Cancelled.");
 				return;
 			}
 		}
-		writeEasJson(root, profiles);
-		const clone = structuredClone(appJson);
-		const betterUpdate = (clone.expo?.extra)?.betterUpdate;
-		if (betterUpdate) delete betterUpdate["profiles"];
-		writeAppJson(root, clone);
-		yield* printHuman("Migrated profiles into eas.json. Legacy field removed from app.json.");
+		yield* writeBetterUpdateConfig(root, patch);
+		yield* printHuman("Merged eas.json build/submit into better-update.json. You can now delete eas.json.");
 	}))
 });
 
@@ -30469,7 +31570,7 @@ const openCommand = defineCommand({
 
 //#endregion
 //#region src/commands/projects.ts
-const listCommand$1 = defineCommand({
+const listCommand$2 = defineCommand({
 	meta: {
 		name: "list",
 		description: "List projects (most recently active first)"
@@ -30520,7 +31621,7 @@ const listCommand$1 = defineCommand({
 		yield* printHuman(`Page ${result.page} · ${result.items.length} of ${result.total} project(s)`);
 	}))
 });
-const createCommand = defineCommand({
+const createCommand$1 = defineCommand({
 	meta: {
 		name: "create",
 		description: "Create a new project"
@@ -30598,7 +31699,7 @@ const renameCommand = defineCommand({
 		return project;
 	}), { json: "value" })
 });
-const deleteCommand$1 = defineCommand({
+const deleteCommand$2 = defineCommand({
 	meta: {
 		name: "delete",
 		description: "Delete a project"
@@ -30623,10 +31724,229 @@ const projectsCommand = defineCommand({
 		description: "Manage projects"
 	},
 	subCommands: {
-		list: listCommand$1,
-		create: createCommand,
+		list: listCommand$2,
+		create: createCommand$1,
 		get: getCommand,
 		rename: renameCommand,
+		delete: deleteCommand$2
+	}
+});
+
+//#endregion
+//#region src/commands/roles/helpers.ts
+var RoleCommandError = class extends Data.TaggedError("RoleCommandError") {};
+const roleErrorExtras = { RoleCommandError: 2 };
+/**
+* Parse comma-separated "resource:action" tokens into the PermissionGrant array
+* the API expects. Multiple actions for the same resource are grouped.
+*
+* Input examples:
+*   "channel:read,channel:update"
+*   "channel:read, rollout:create, rollout:update"
+*/
+const parsePermissionTokens = (raw) => Effect.gen(function* () {
+	const tokens = raw.split(",").map((tok) => tok.trim()).filter((tok) => tok.length > 0);
+	const grouped = /* @__PURE__ */ new Map();
+	for (const token of tokens) {
+		const colonIdx = token.indexOf(":");
+		if (colonIdx === -1) return yield* new RoleCommandError({ message: `Invalid permission token "${token}" — expected "resource:action" format.` });
+		const resource = token.slice(0, colonIdx).trim();
+		const action = token.slice(colonIdx + 1).trim();
+		if (!resource || !action) return yield* new RoleCommandError({ message: `Invalid permission token "${token}" — resource and action must be non-empty.` });
+		const actions = grouped.get(resource) ?? /* @__PURE__ */ new Set();
+		actions.add(action);
+		grouped.set(resource, actions);
+	}
+	return [...grouped.entries()].map(([resource, actions]) => ({
+		resource,
+		actions: [...actions]
+	}));
+});
+
+//#endregion
+//#region src/commands/roles/create.ts
+const createCommand = defineCommand({
+	meta: {
+		name: "create",
+		description: "Create a custom role"
+	},
+	args: {
+		name: {
+			type: "string",
+			required: true,
+			description: "Role name (unique per organization)"
+		},
+		permission: {
+			type: "string",
+			required: true,
+			description: "Permission tokens in resource:action format, comma-separated (e.g. channel:read,channel:update)"
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const permissions = yield* parsePermissionTokens(args.permission);
+		const role = yield* (yield* apiClient).roles.create({ payload: {
+			name: args.name,
+			permissions
+		} });
+		yield* printHumanKeyValue([
+			["ID", role.id],
+			["Name", role.role],
+			["Permissions", role.permissions.map((perm) => `${perm.resource}:[${perm.actions.join(",")}]`).join("; ")],
+			["Created", role.createdAt]
+		]);
+		return role;
+	}), {
+		exits: roleErrorExtras,
+		json: "value"
+	})
+});
+
+//#endregion
+//#region src/commands/roles/delete.ts
+const deleteCommand$1 = defineCommand({
+	meta: {
+		name: "delete",
+		description: "Delete a custom role"
+	},
+	args: {
+		id: {
+			type: "positional",
+			required: true,
+			description: "Role ID"
+		},
+		yes: {
+			type: "boolean",
+			description: "Skip confirmation prompt"
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		if (!args.yes) {
+			if (!(yield* promptConfirm(`Delete role ${args.id}?`, { initialValue: false }))) {
+				yield* printHuman("Cancelled.");
+				return { deleted: 0 };
+			}
+		}
+		const result = yield* (yield* apiClient).roles.delete({ path: { id: args.id } });
+		yield* printHuman(`Role ${args.id} deleted.`);
+		return result;
+	}), {
+		exits: roleErrorExtras,
+		json: "value"
+	})
+});
+
+//#endregion
+//#region src/commands/roles/list.ts
+const listCommand$1 = defineCommand({
+	meta: {
+		name: "list",
+		description: "List custom roles for the active organization"
+	},
+	args: { "organization-id": {
+		type: "string",
+		required: true,
+		description: "Organization ID to list roles for"
+	} },
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		yield* printList([
+			"ID",
+			"Name",
+			"Permissions",
+			"Created"
+		], (yield* (yield* apiClient).roles.list({ urlParams: { organizationId: args["organization-id"] } })).map((role) => [
+			role.id,
+			role.role,
+			role.permissions.map((perm) => `${perm.resource}:[${perm.actions.join(",")}]`).join("; "),
+			role.createdAt
+		]), "No custom roles found.");
+	}), roleErrorExtras)
+});
+
+//#endregion
+//#region src/commands/roles/update.ts
+const updateCommand$1 = defineCommand({
+	meta: {
+		name: "update",
+		description: "Update a custom role's name or permissions"
+	},
+	args: {
+		id: {
+			type: "positional",
+			required: true,
+			description: "Role ID"
+		},
+		name: {
+			type: "string",
+			description: "New role name"
+		},
+		permission: {
+			type: "string",
+			description: "Replacement permission tokens in resource:action format, comma-separated (e.g. channel:read,channel:update)"
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const permissions = args.permission === void 0 ? void 0 : yield* parsePermissionTokens(args.permission);
+		const role = yield* (yield* apiClient).roles.update({
+			path: { id: args.id },
+			payload: compact({
+				name: args.name,
+				permissions
+			})
+		});
+		yield* printHumanKeyValue([
+			["ID", role.id],
+			["Name", role.role],
+			["Permissions", role.permissions.map((perm) => `${perm.resource}:[${perm.actions.join(",")}]`).join("; ")],
+			["Updated", role.updatedAt ?? "-"]
+		]);
+		return role;
+	}), {
+		exits: roleErrorExtras,
+		json: "value"
+	})
+});
+
+//#endregion
+//#region src/commands/roles/view.ts
+const viewCommand$1 = defineCommand({
+	meta: {
+		name: "view",
+		description: "Show a custom role by ID"
+	},
+	args: { id: {
+		type: "positional",
+		required: true,
+		description: "Role ID"
+	} },
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const role = yield* (yield* apiClient).roles.get({ path: { id: args.id } });
+		yield* printHumanKeyValue([
+			["ID", role.id],
+			["Name", role.role],
+			["Organization ID", role.organizationId],
+			["Permissions", role.permissions.map((perm) => `${perm.resource}:[${perm.actions.join(",")}]`).join("; ")],
+			["Created", role.createdAt],
+			["Updated", role.updatedAt ?? "-"]
+		]);
+		return role;
+	}), {
+		exits: roleErrorExtras,
+		json: "value"
+	})
+});
+
+//#endregion
+//#region src/commands/roles/index.ts
+const rolesCommand = defineCommand({
+	meta: {
+		name: "roles",
+		description: "Manage custom organization roles"
+	},
+	subCommands: {
+		list: listCommand$1,
+		view: viewCommand$1,
+		create: createCommand,
+		update: updateCommand$1,
 		delete: deleteCommand$1
 	}
 });
@@ -30856,7 +32176,7 @@ const submitCommand = defineCommand({
 		}
 		const projectId = yield* readProjectId;
 		const api = yield* apiClient;
-		const easProfile = yield* resolveEasSubmitProfile((yield* readEasJson(process.cwd())).submit, args.profile);
+		const easProfile = yield* readSubmitProfile(yield* (yield* CliRuntime).cwd, args.profile);
 		const archive = yield* resolveArchive(api, projectId, platform, {
 			id: args.id,
 			path: args.path,
@@ -32275,7 +33595,7 @@ const runPatchPhase = (input) => Effect.gen(function* () {
 		runtimeVersion: input.runtimeVersion,
 		platform: input.platform,
 		limit: Math.max(1, input.baseWindow)
-	} }).pipe(Effect.catchAll(() => Effect.succeed([])));
+	} }).pipe(Effect.orElseSucceed(() => []));
 	const bases = selectBaseWindow(candidates, {
 		newUpdateId: input.newUpdateId,
 		maxRecent: input.baseWindow
@@ -32291,7 +33611,7 @@ const runPatchPhase = (input) => Effect.gen(function* () {
 			bestSavingsPct: void 0
 		};
 	}
-	const newBundleBytes = yield* sha256File(input.newLaunchPath).pipe(Effect.map((result) => result.byteSize), Effect.catchAll(() => Effect.succeed(void 0)));
+	const newBundleBytes = yield* sha256File(input.newLaunchPath).pipe(Effect.map((result) => result.byteSize), Effect.orElseSucceed(() => void 0));
 	yield* printHuman(`Diffing against ${bases.length} base(s) (window=${input.baseWindow}; ${candidates.length} candidate(s) available).`);
 	const uploadedOutcomes = (yield* Effect.forEach(bases, (base, index) => Effect.gen(function* () {
 		const basePath = path.join(input.workDir, `base-${index}.bundle`);
@@ -32386,7 +33706,7 @@ const dedupeAssetsByHash = (assets) => uniqBy(assets, (asset) => asset.hash);
 * is informational, so a fingerprint failure resolves to `undefined` rather than
 * failing the publish.
 */
-const resolvePlatformFingerprintHash = (projectRoot, platform) => runFingerprintForPlatform(projectRoot, platform).pipe(Effect.map((result) => result.hash), Effect.catchAll(() => Effect.succeed(void 0)));
+const resolvePlatformFingerprintHash = (projectRoot, platform) => runFingerprintForPlatform(projectRoot, platform).pipe(Effect.map((result) => result.hash), Effect.orElseSucceed(() => void 0));
 const preparePlatformAssets = ({ exportDir, platform }) => Effect.gen(function* () {
 	const exportedAssets = yield* readExpoExportAssets({
 		exportDir,
@@ -32482,7 +33802,7 @@ const publishPlatform = (params) => Effect.gen(function* () {
 	const uploadDetailsByHash = new Map(assetRegistration.uploaded.map((asset) => [asset.hash, asset]));
 	yield* Effect.forEach(uniqueAssets.filter((asset) => uploadDetailsByHash.has(asset.hash)), (asset) => Effect.gen(function* () {
 		const detail = uploadDetailsByHash.get(asset.hash);
-		if (!detail) return yield* Effect.fail(new UpdatePublishError({ message: `Missing upload details for asset ${asset.hash}` }));
+		if (!detail) return yield* new UpdatePublishError({ message: `Missing upload details for asset ${asset.hash}` });
 		return yield* assetUploader.uploadAssetBinary({
 			path: asset.path,
 			hash: asset.hash,
@@ -33867,6 +35187,7 @@ const commandRegistry = {
 	projects: projectsCommand,
 	branches: branchesCommand,
 	channels: channelsCommand,
+	roles: rolesCommand,
 	build: buildCommand,
 	builds: buildsCommand,
 	credentials: credentialsCommand,