@better-update/cli 0.26.1 → 0.27.0

package/dist/index.mjs

@@ -34,7 +34,7 @@ var __require = /* @__PURE__ */ createRequire(import.meta.url);
 
 //#endregion
 //#region package.json
-var version = "0.26.1";
+var version = "0.27.0";
 
 //#endregion
 //#region src/lib/interactive-mode.ts
@@ -67,6 +67,7 @@ const cookieSecurity = HttpApiSecurity.apiKey({
 	key: "__Secure-better-auth.session_token",
 	in: "cookie"
 });
+/** @effect-expect-leaking HttpServerRequest | ParsedSearchParams | RouteContext */
 var Authentication = class extends HttpApiMiddleware.Tag()("api/Authentication", {
 	failure: Schema.Union(Unauthorized, Forbidden),
 	provides: AuthContext,
@@ -1177,6 +1178,44 @@ var BuildsGroup = class extends HttpApiGroup.make("builds").add(HttpApiEndpoint.
 	description: "Build artifact upload, tracking, and download endpoints"
 })) {};
 
+//#endregion
+//#region ../../packages/api/src/domain/channel-grant.ts
+const GrantEffectSchema = Schema.Literal("allow", "deny");
+/** One member's allow/deny set on a channel; `actions` are "resource:action". */
+var ChannelGrant = class extends Schema.Class("ChannelGrant")({
+	id: Id,
+	memberId: Id,
+	scopeKind: Schema.Literal("channel"),
+	scopeId: Id,
+	effect: GrantEffectSchema,
+	actions: Schema.Array(Schema.String),
+	createdAt: DateTimeString
+}) {};
+/** Upsert one (member, channel, effect) grant. effect defaults to "allow". */
+const UpsertChannelGrantBody = Schema.Struct({
+	effect: Schema.optionalWith(GrantEffectSchema, { default: () => "allow" }),
+	actions: Schema.Array(Schema.String).pipe(Schema.minItems(1))
+});
+const ListChannelGrantsParams = Schema.Struct({});
+const DeleteChannelGrantResult = Schema.Struct({ deleted: Schema.Number });
+
+//#endregion
+//#region ../../packages/api/src/groups/channel-grants.ts
+const memberIdParam = HttpApiSchema.param("memberId", Schema.String);
+var ChannelGrantsGroup = class extends HttpApiGroup.make("channelGrants").add(HttpApiEndpoint.get("list")`/api/channels/${idParam}/grants`.setUrlParams(ListChannelGrantsParams).addSuccess(Schema.Array(ChannelGrant)).annotateContext(OpenApi.annotations({
+	title: "List channel grants",
+	description: "List all per-member allow/deny grants on a channel"
+}))).add(HttpApiEndpoint.put("upsert")`/api/channels/${idParam}/grants/${memberIdParam}`.setPayload(UpsertChannelGrantBody).addSuccess(ChannelGrant).annotateContext(OpenApi.annotations({
+	title: "Upsert channel grant",
+	description: "Create or replace a member's allow/deny grant on a channel"
+}))).add(HttpApiEndpoint.del("delete")`/api/channels/${idParam}/grants/${memberIdParam}`.addSuccess(DeleteChannelGrantResult).annotateContext(OpenApi.annotations({
+	title: "Delete channel grant",
+	description: "Revoke a member's grants on a channel"
+}))).addError(NotFound).addError(Forbidden).annotateContext(OpenApi.annotations({
+	title: "Channel grants",
+	description: "Per-channel ABAC permission grants (allow/deny by member)"
+})) {};
+
 //#endregion
 //#region ../../packages/api/src/domain/channel.ts
 var Channel = class extends Schema.Class("Channel")({
@@ -1432,6 +1471,71 @@ const EnvVarRevision = Schema.Struct({
 const EnvVarRevisionsResult = Schema.Struct({ items: Schema.Array(EnvVarRevision) });
 const RollbackEnvVarBody = Schema.Struct({ toRevisionId: Id });
 
+//#endregion
+//#region ../../packages/api/src/domain/env-grant.ts
+/**
+* One member's allow/deny set on a (project × environment) env-var scope.
+* `scopeKind` is fixed to "env_var_environment". `scopeId` is the encoded
+* `<projectId|global>:<environment>` token (server-built). `actions` are
+* "resource:action" tokens (here always envVar:*).
+*/
+var EnvGrant = class extends Schema.Class("EnvGrant")({
+	id: Id,
+	memberId: Id,
+	scopeKind: Schema.Literal("env_var_environment"),
+	scopeId: Schema.String,
+	effect: GrantEffectSchema,
+	actions: Schema.Array(Schema.String),
+	createdAt: DateTimeString
+}) {};
+/** A flattened row for the list UI: one member × environment cell. */
+var EnvGrantRow = class extends Schema.Class("EnvGrantRow")({
+	memberId: Id,
+	environment: EnvVarEnvironment,
+	effect: GrantEffectSchema,
+	actions: Schema.Array(Schema.String)
+}) {};
+/**
+* URL params for listing grants on a project-or-global scope. `projectId` is the
+* sentinel "global" or a real project id (the server resolves null vs the
+* sentinel). Carried as a query param.
+*/
+const ListEnvGrantsParams = Schema.Struct({ projectId: Schema.String });
+/**
+* Upsert one (member, project-or-global, environment) grant. `projectId` null =
+* org-global vault. effect defaults to "allow". actions are envVar:* tokens.
+*/
+const UpsertEnvGrantBody = Schema.Struct({
+	memberId: Id,
+	projectId: Schema.NullOr(Id),
+	environment: EnvVarEnvironment,
+	effect: Schema.optionalWith(GrantEffectSchema, { default: () => "allow" }),
+	actions: Schema.Array(Schema.String).pipe(Schema.minItems(1))
+});
+/** Delete both effects for (member, project-or-global, environment). */
+const DeleteEnvGrantBody = Schema.Struct({
+	memberId: Id,
+	projectId: Schema.NullOr(Id),
+	environment: EnvVarEnvironment
+});
+const DeleteEnvGrantResult = Schema.Struct({ deleted: Schema.Number });
+
+//#endregion
+//#region ../../packages/api/src/groups/env-grants.ts
+var EnvGrantsGroup = class extends HttpApiGroup.make("envGrants").add(HttpApiEndpoint.get("list", "/api/env-grants").setUrlParams(ListEnvGrantsParams).addSuccess(Schema.Array(EnvGrantRow)).annotateContext(OpenApi.annotations({
+	title: "List env-var environment grants",
+	description: "List per-member allow/deny env-var grants on a project-or-global scope across all environments. projectId is a real id or the sentinel 'global'."
+}))).add(HttpApiEndpoint.put("upsert", "/api/env-grants").setPayload(UpsertEnvGrantBody).addSuccess(EnvGrant).annotateContext(OpenApi.annotations({
+	title: "Upsert env-var environment grant",
+	description: "Create or replace a member's allow/deny env-var grant on one (project-or-global × environment) scope. projectId null = org-global."
+}))).add(HttpApiEndpoint.del("delete", "/api/env-grants").setPayload(DeleteEnvGrantBody).addSuccess(DeleteEnvGrantResult).annotateContext(OpenApi.annotations({
+	title: "Delete env-var environment grants",
+	description: "Revoke both allow and deny grants for a member on one (project-or-global × environment) scope."
+}))).addError(NotFound).addError(Forbidden).addError(BadRequest).annotateContext(OpenApi.annotations({
+	title: "Env-var environment grants",
+	description: "Per (project × environment) ABAC permission grants for env vars (allow/deny by member)"
+})) {};
+
 //#endregion
 //#region ../../packages/api/src/groups/env-vars.ts
 var EnvVarsGroup = class extends HttpApiGroup.make("env-vars").add(HttpApiEndpoint.post("create", "/api/env-vars").setPayload(CreateEnvVarBody).addSuccess(EnvVar, { status: 201 }).annotateContext(OpenApi.annotations({
@@ -1805,6 +1909,54 @@ var MeGroup = class extends HttpApiGroup.make("me").add(HttpApiEndpoint.get("get
 	description: "Current authenticated actor information"
 })) {};
 
+//#endregion
+//#region ../../packages/api/src/domain/org-role.ts
+/** One resource→actions grant inside a role's permission set. */
+const PermissionGrantSchema = Schema.Struct({
+	resource: Schema.String,
+	actions: Schema.Array(Schema.String)
+});
+var OrgRole = class extends Schema.Class("OrgRole")({
+	id: Id,
+	organizationId: Id,
+	role: Schema.String,
+	permissions: Schema.Array(PermissionGrantSchema),
+	createdAt: DateTimeString,
+	updatedAt: Schema.NullOr(DateTimeString)
+}) {};
+const CreateOrgRoleBody = Schema.Struct({
+	name: Schema.String.pipe(Schema.minLength(1)),
+	permissions: Schema.Array(PermissionGrantSchema)
+});
+const UpdateOrgRoleBody = Schema.Struct({
+	permissions: Schema.optional(Schema.Array(PermissionGrantSchema)),
+	name: Schema.optional(Schema.String.pipe(Schema.minLength(1)))
+});
+const ListOrgRolesParams = Schema.Struct({ organizationId: Id });
+const DeleteOrgRoleResult = Schema.Struct({ deleted: Schema.Number });
+
+//#endregion
+//#region ../../packages/api/src/groups/org-roles.ts
+var OrgRolesGroup = class extends HttpApiGroup.make("roles").add(HttpApiEndpoint.get("list", "/api/roles").setUrlParams(ListOrgRolesParams).addSuccess(Schema.Array(OrgRole)).annotateContext(OpenApi.annotations({
+	title: "List custom roles",
+	description: "List all custom roles defined for an organization"
+}))).add(HttpApiEndpoint.post("create", "/api/roles").setPayload(CreateOrgRoleBody).addSuccess(OrgRole, { status: 201 }).annotateContext(OpenApi.annotations({
+	title: "Create custom role",
+	description: "Create a new custom role with a permission set"
+}))).add(HttpApiEndpoint.get("get")`/api/roles/${idParam}`.addSuccess(OrgRole).annotateContext(OpenApi.annotations({
+	title: "Get custom role",
+	description: "Fetch a single custom role by id"
+}))).add(HttpApiEndpoint.patch("update")`/api/roles/${idParam}`.setPayload(UpdateOrgRoleBody).addSuccess(OrgRole).annotateContext(OpenApi.annotations({
+	title: "Update custom role",
+	description: "Rename a custom role or replace its permission set"
+}))).add(HttpApiEndpoint.del("delete")`/api/roles/${idParam}`.addSuccess(DeleteOrgRoleResult).annotateContext(OpenApi.annotations({
+	title: "Delete custom role",
+	description: "Delete a custom role"
+}))).addError(NotFound).addError(Conflict).addError(Forbidden).annotateContext(OpenApi.annotations({
+	title: "Roles",
+	description: "Custom organization role management (dynamic access control)"
+})) {};
+
 //#endregion
 //#region ../../packages/api/src/groups/org-vault.ts
 /** `:keyId` path parameter — a registered recipient's `user_encryption_keys.id`. */
@@ -2155,7 +2307,7 @@ var WebhooksGroup = class extends HttpApiGroup.make("webhooks").add(HttpApiEndpo
 
 //#endregion
 //#region ../../packages/api/src/api.ts
-var ManagementApi = class extends HttpApi.make("management-api").add(ProjectsGroup).add(BranchesGroup).add(ChannelsGroup).add(UpdatesGroup).add(AssetsGroup).add(AnalyticsGroup).add(BuildsGroup).add(EnvVarsGroup).add(FingerprintsGroup).add(AuditLogsGroup).add(DevicesGroup).add(AppleTeamsGroup).add(AppleDistributionCertificatesGroup).add(ApplePushKeysGroup).add(AscApiKeysGroup).add(AppleProvisioningProfilesGroup).add(GoogleServiceAccountKeysGroup).add(IosBundleConfigurationsGroup).add(IosAppMetadataGroup).add(SubmissionsGroup).add(AndroidApplicationIdentifiersGroup).add(AndroidUploadKeystoresGroup).add(AndroidBuildCredentialsGroup).add(BuildCredentialsGroup).add(UserEncryptionKeysGroup).add(OrgVaultGroup).add(MeGroup).add(WebhooksGroup).add(AdminGroup).middleware(Authentication).annotateContext(OpenApi.annotations({
+var ManagementApi = class extends HttpApi.make("management-api").add(ProjectsGroup).add(BranchesGroup).add(ChannelsGroup).add(UpdatesGroup).add(AssetsGroup).add(AnalyticsGroup).add(BuildsGroup).add(EnvVarsGroup).add(FingerprintsGroup).add(AuditLogsGroup).add(DevicesGroup).add(AppleTeamsGroup).add(AppleDistributionCertificatesGroup).add(ApplePushKeysGroup).add(AscApiKeysGroup).add(AppleProvisioningProfilesGroup).add(GoogleServiceAccountKeysGroup).add(IosBundleConfigurationsGroup).add(IosAppMetadataGroup).add(SubmissionsGroup).add(AndroidApplicationIdentifiersGroup).add(AndroidUploadKeystoresGroup).add(AndroidBuildCredentialsGroup).add(BuildCredentialsGroup).add(UserEncryptionKeysGroup).add(OrgVaultGroup).add(MeGroup).add(WebhooksGroup).add(AdminGroup).add(OrgRolesGroup).add(ChannelGrantsGroup).add(EnvGrantsGroup).middleware(Authentication).annotateContext(OpenApi.annotations({
 	title: "Better Update Management API",
 	version: "1.0.0",
 	description: "Management API for OTA update publishing, deployment, and analytics"
@@ -2308,13 +2460,13 @@ const ConfigStoreLive = Layer.effect(ConfigStore, Effect.gen(function* () {
 	const runtime = yield* CliRuntime;
 	const homeDirectory = yield* runtime.homeDirectory;
 	const configFile = path.join(homeDirectory, ".better-update", "config.json");
-	const readConfig = fs.readFileString(configFile).pipe(Effect.catchAll(() => Effect.succeed("")), Effect.flatMap((content) => content.length === 0 ? Effect.succeed(void 0) : Effect.try({
+	const readConfig = fs.readFileString(configFile).pipe(Effect.orElseSucceed(() => ""), Effect.flatMap((content) => content.length === 0 ? Effect.void : Effect.try({
 		try: () => JSON.parse(content),
 		catch: (cause) => new ConfigStoreParseError({
 			message: "Config file contains invalid JSON",
 			cause
 		})
-	}).pipe(Effect.map((parsed) => isRecord(parsed) ? parsed : void 0), Effect.catchAll(() => Effect.succeed(void 0)))));
+	}).pipe(Effect.map((parsed) => isRecord(parsed) ? parsed : void 0), Effect.orElseSucceed(() => void 0))));
 	return {
 		getBaseUrl: Effect.gen(function* () {
 			const envUrl = yield* runtime.getEnv("BETTER_UPDATE_URL");
@@ -2537,7 +2689,7 @@ const AppleSessionStoreLive = Layer.effect(AppleSessionStore, Effect.gen(functio
 	const usernameFile = path.join(sessionDir, "apple-username.json");
 	return {
 		loadSession: Effect.gen(function* () {
-			const content = yield* fs.readFileString(sessionFile).pipe(Effect.catchAll(() => Effect.succeed(null)));
+			const content = yield* fs.readFileString(sessionFile).pipe(Effect.orElseSucceed(() => null));
 			if (!content) return null;
 			const parsed = safeJsonParse(content);
 			if (!isRecord(parsed)) return null;
@@ -2555,7 +2707,7 @@ const AppleSessionStoreLive = Layer.effect(AppleSessionStore, Effect.gen(functio
 		}).pipe(Effect.mapError((cause) => new AppleAuthError$1({ message: `Failed to save Apple session: ${formatCause(cause)}` }))),
 		clearSession: fs.remove(sessionFile).pipe(Effect.catchAll(() => Effect.void)),
 		loadLastUsername: Effect.gen(function* () {
-			const content = yield* fs.readFileString(usernameFile).pipe(Effect.catchAll(() => Effect.succeed(null)));
+			const content = yield* fs.readFileString(usernameFile).pipe(Effect.orElseSucceed(() => null));
 			if (!content) return null;
 			const parsed = safeJsonParse(content);
 			if (!isRecord(parsed) || typeof parsed["username"] !== "string") return null;
@@ -2651,7 +2803,7 @@ const interactiveLogin = (appleUtils, options, cachedUsername) => Effect.gen(fun
 const tryRestore = (appleUtils, store) => Effect.gen(function* () {
 	const stored = yield* store.loadSession;
 	if (stored === null) return null;
-	const restored = yield* restoreFromCookies(appleUtils, stored.cookies).pipe(Effect.catchAll(() => Effect.succeed(null)));
+	const restored = yield* restoreFromCookies(appleUtils, stored.cookies).pipe(Effect.orElseSucceed(() => null));
 	if (restored === null) return null;
 	return yield* resolveSessionTeam(appleUtils, restored);
 });
@@ -2670,7 +2822,7 @@ const makeAppleAuthLive = (appleUtils = defaultAppleUtils) => Layer.effect(Apple
 		whoami: Effect.gen(function* () {
 			const stored = yield* store.loadSession;
 			if (stored === null) return null;
-			const restored = yield* restoreFromCookies(appleUtils, stored.cookies).pipe(Effect.catchAll(() => Effect.succeed(null)));
+			const restored = yield* restoreFromCookies(appleUtils, stored.cookies).pipe(Effect.orElseSucceed(() => null));
 			if (restored !== null) return sessionFromAuthState(restored);
 			const info = appleUtils.Session.getAnySessionInfo();
 			return info === null ? null : sessionFromInfo(stored.username, info);
@@ -2756,7 +2908,7 @@ const IdentityStoreLive = Layer.effect(IdentityStore, Effect.gen(function* () {
 	const identityFile = path.join(identityDir, "identity.json");
 	return {
 		load: Effect.gen(function* () {
-			const content = yield* fs.readFileString(identityFile).pipe(Effect.catchAll(() => Effect.succeed("")));
+			const content = yield* fs.readFileString(identityFile).pipe(Effect.orElseSucceed(() => ""));
 			if (content.length === 0) return null;
 			const parsed = safeJsonParse(content);
 			return isIdentityFile(parsed) ? parsed : null;
@@ -2980,7 +3132,7 @@ const VaultCacheLive = Layer.effect(VaultCache, Effect.gen(function* () {
 		const flag = yield* runtime.getEnv("BETTER_UPDATE_NO_CACHE");
 		return flag !== void 0 && flag.length > 0 && flag !== "0" && flag !== "false";
 	});
-	const readRaw = (publicKey) => Effect.try(() => new Entry(KEYCHAIN_SERVICE, publicKey).getPassword()).pipe(Effect.catchAll(() => Effect.succeed(null)));
+	const readRaw = (publicKey) => Effect.try(() => new Entry(KEYCHAIN_SERVICE, publicKey).getPassword()).pipe(Effect.orElseSucceed(() => null));
 	const writeRaw = (publicKey, blob) => Effect.try(() => {
 		new Entry(KEYCHAIN_SERVICE, publicKey).setPassword(blob);
 	}).pipe(Effect.ignore);
@@ -3018,12 +3170,12 @@ const VersionCheckLive = Layer.effect(VersionCheck, Effect.gen(function* () {
 	const cacheDir = path.join(homeDirectory, ".better-update");
 	const cacheFile = path.join(cacheDir, "version-check.json");
 	const readCache = Effect.gen(function* () {
-		const content = yield* fs.readFileString(cacheFile).pipe(Effect.catchAll(() => Effect.succeed("")));
+		const content = yield* fs.readFileString(cacheFile).pipe(Effect.orElseSucceed(() => ""));
 		if (content.length === 0) return;
 		const parsed = yield* Effect.try({
 			try: () => JSON.parse(content),
 			catch: () => "parse-error"
-		}).pipe(Effect.catchAll(() => Effect.succeed(void 0)));
+		}).pipe(Effect.orElseSucceed(() => void 0));
 		if (isRecord(parsed) && typeof parsed["latest"] === "string" && typeof parsed["checkedAt"] === "number") return {
 			latest: parsed["latest"],
 			checkedAt: parsed["checkedAt"]
@@ -3224,7 +3376,7 @@ const buildOpenBrowserCommand = (platform, url) => {
 };
 const openBrowser = (url) => Effect.gen(function* () {
 	const command = buildOpenBrowserCommand((yield* CliRuntime).platform, url);
-	if (!(yield* Command.exitCode(command).pipe(Effect.map((code) => code === 0), Effect.catchAll(() => Effect.succeed(false))))) yield* Console.log(`Open this URL manually:\n${url}`);
+	if (!(yield* Command.exitCode(command).pipe(Effect.map((code) => code === 0), Effect.orElseSucceed(() => false)))) yield* Console.log(`Open this URL manually:\n${url}`);
 });
 const browserLogin = Effect.scoped(Effect.gen(function* () {
 	const configStore = yield* ConfigStore;
@@ -3623,9 +3775,9 @@ const configPath = (projectRoot) => path.join(projectRoot, BETTER_UPDATE_CONFIG_
 * graceful `readConfig`.
 */
 const readBetterUpdateConfig = (projectRoot) => Effect.gen(function* () {
-	const content = yield* (yield* FileSystem.FileSystem).readFileString(configPath(projectRoot)).pipe(Effect.catchAll(() => Effect.succeed("")));
+	const content = yield* (yield* FileSystem.FileSystem).readFileString(configPath(projectRoot)).pipe(Effect.orElseSucceed(() => ""));
 	if (content.length === 0) return;
-	return yield* Effect.try(() => JSON.parse(content)).pipe(Effect.map((parsed) => isRecord(parsed) ? parsed : void 0), Effect.catchAll(() => Effect.succeed(void 0)));
+	return yield* Effect.try(() => JSON.parse(content)).pipe(Effect.map((parsed) => isRecord(parsed) ? parsed : void 0), Effect.orElseSucceed(() => void 0));
 });
 /**
 * Resolve the linked project id from `better-update.json`, or `undefined` when
@@ -4354,14 +4506,8 @@ const KeyValueFromString = Schema.transformOrFail(Schema.String, KeyValuePair, {
 	},
 	encode: ({ key, value }) => ParseResult.succeed(`${key}=${value}`)
 });
-const parseRolloutPercentage = (raw, flag) => Effect.try({
-	try: () => Schema.decodeUnknownSync(RolloutPercentage)(Number(raw)),
-	catch: () => new InvalidArgumentError({ message: `--${flag} must be an integer between 1 and 100, got "${raw}".` })
-});
-const parseKeyValue = (raw) => Effect.try({
-	try: () => Schema.decodeUnknownSync(KeyValueFromString)(raw),
-	catch: () => new InvalidArgumentError({ message: "Invalid format. Use KEY=VALUE (e.g. API_KEY=abc123)" })
-});
+const parseRolloutPercentage = (raw, flag) => Schema.decodeUnknown(RolloutPercentage)(Number(raw)).pipe(Effect.mapError(() => new InvalidArgumentError({ message: `--${flag} must be an integer between 1 and 100, got "${raw}".` })));
+const parseKeyValue = (raw) => Schema.decodeUnknown(KeyValueFromString)(raw).pipe(Effect.mapError(() => new InvalidArgumentError({ message: "Invalid format. Use KEY=VALUE (e.g. API_KEY=abc123)" })));
 const parseLimit = (raw, defaultValue) => {
 	if (raw === void 0) return Effect.succeed(defaultValue);
 	const parsed = Number(raw);
@@ -4371,7 +4517,7 @@ const parseLimit = (raw, defaultValue) => {
 
 //#endregion
 //#region src/commands/audit-logs/list.ts
-const listCommand$9 = defineCommand({
+const listCommand$12 = defineCommand({
 	meta: {
 		name: "list",
 		description: "List audit log entries"
@@ -4433,7 +4579,7 @@ const auditLogsCommand = defineCommand({
 		name: "audit-logs",
 		description: "View audit logs"
 	},
-	subCommands: { list: listCommand$9 }
+	subCommands: { list: listCommand$12 }
 });
 
 //#endregion
@@ -4537,7 +4683,7 @@ const drainPages = (fetchPage) => {
 
 //#endregion
 //#region src/commands/branches.ts
-const listCommand$8 = defineCommand({
+const listCommand$11 = defineCommand({
 	meta: {
 		name: "list",
 		description: "List branches for the linked project"
@@ -4560,7 +4706,7 @@ const listCommand$8 = defineCommand({
 		]), "No branches found.");
 	}))
 });
-const createCommand$4 = defineCommand({
+const createCommand$5 = defineCommand({
 	meta: {
 		name: "create",
 		description: "Create a branch"
@@ -4583,7 +4729,7 @@ const createCommand$4 = defineCommand({
 		]);
 	}))
 });
-const viewCommand$3 = defineCommand({
+const viewCommand$4 = defineCommand({
 	meta: {
 		name: "view",
 		description: "Show a branch by ID or name"
@@ -4641,7 +4787,7 @@ const renameCommand$1 = defineCommand({
 		return branch;
 	}), { json: "value" })
 });
-const deleteCommand$6 = defineCommand({
+const deleteCommand$7 = defineCommand({
 	meta: {
 		name: "delete",
 		description: "Delete a branch"
@@ -4666,11 +4812,11 @@ const branchesCommand = defineCommand({
 		description: "Manage branches"
 	},
 	subCommands: {
-		list: listCommand$8,
-		view: viewCommand$3,
-		create: createCommand$4,
+		list: listCommand$11,
+		view: viewCommand$4,
+		create: createCommand$5,
 		rename: renameCommand$1,
-		delete: deleteCommand$6
+		delete: deleteCommand$7
 	}
 });
 
@@ -18709,7 +18855,7 @@ const asArrayBuffer$1 = (bytes) => {
 };
 const signAscJwt = (credentials) => Effect.gen(function* () {
 	const der = pemToPkcs8Der(credentials.p8Pem);
-	if (der === null) return yield* Effect.fail(new AppleAuthError({ cause: /* @__PURE__ */ new Error("Invalid .p8 PEM") }));
+	if (der === null) return yield* new AppleAuthError({ cause: /* @__PURE__ */ new Error("Invalid .p8 PEM") });
 	const header = {
 		alg: "ES256",
 		kid: credentials.keyId,
@@ -18793,7 +18939,7 @@ const fetchRaw = (jwt, path, init) => Effect.gen(function* () {
 		try: () => text.length === 0 ? {} : JSON.parse(text),
 		catch: (cause) => new AscNetworkError({ cause })
 	});
-	if (!response.ok) return yield* Effect.fail(parseApiError(response, body, text));
+	if (!response.ok) return yield* parseApiError(response, body, text);
 	return body;
 });
 const toAscCertificate = (value) => {
@@ -18893,12 +19039,10 @@ const createCertificate = (credentials, params) => withJwt(credentials, (jwt) =>
 			}
 		} })
 	}), toAscCertificate);
-	if (resource === null) return yield* Effect.fail(malformed("certificate"));
+	if (resource === null) return yield* malformed("certificate");
 	return resource;
 }));
-const deleteCertificate = (credentials, id) => withJwt(credentials, (jwt) => Effect.gen(function* () {
-	yield* fetchRaw(jwt, `/v1/certificates/${encodeURIComponent(id)}`, { method: "DELETE" });
-}));
+const deleteCertificate = (credentials, id) => withJwt(credentials, (jwt) => Effect.asVoid(fetchRaw(jwt, `/v1/certificates/${encodeURIComponent(id)}`, { method: "DELETE" })));
 const listBundleIds = (credentials) => withJwt(credentials, (jwt) => Effect.gen(function* () {
 	return extractList(yield* fetchRaw(jwt, "/v1/bundleIds?limit=200"), toAscBundleId);
 }));
@@ -18914,7 +19058,7 @@ const createBundleId = (credentials, params) => withJwt(credentials, (jwt) => Ef
 			}
 		} })
 	}), toAscBundleId);
-	if (resource === null) return yield* Effect.fail(malformed("bundleId"));
+	if (resource === null) return yield* malformed("bundleId");
 	return resource;
 }));
 const listDevices = (credentials) => withJwt(credentials, (jwt) => Effect.gen(function* () {
@@ -18946,7 +19090,7 @@ const createProvisioningProfile = (credentials, params) => withJwt(credentials,
 			relationships
 		} })
 	}), toAscProfile);
-	if (resource === null) return yield* Effect.fail(malformed("profile"));
+	if (resource === null) return yield* malformed("profile");
 	return resource;
 }));
 const isCertificateLimitError = (error) => {
@@ -18982,7 +19126,7 @@ const parseCert = (certDerBytes) => {
 const generatePassword = () => forge.util.encode64(forge.random.getBytesSync(16));
 const extractCertMetadata = (cert) => Effect.gen(function* () {
 	const appleTeamId = extractTeamId$1(cert);
-	if (appleTeamId === null) return yield* Effect.fail(new CertParseError({ message: "Could not extract Apple team identifier from certificate subject" }));
+	if (appleTeamId === null) return yield* new CertParseError({ message: "Could not extract Apple team identifier from certificate subject" });
 	return {
 		serialNumber: cert.serialNumber.toUpperCase(),
 		validFrom: cert.validity.notBefore.toISOString(),
@@ -19000,7 +19144,7 @@ const extractCertMetadata = (cert) => Effect.gen(function* () {
 */
 const extractMetadataFromP12 = (params) => Effect.gen(function* () {
 	const certBagOid = forge.pki.oids["certBag"];
-	if (certBagOid === void 0) return yield* Effect.fail(new CertParseError({ message: "PKCS#12 OID lookup for certBag failed" }));
+	if (certBagOid === void 0) return yield* new CertParseError({ message: "PKCS#12 OID lookup for certBag failed" });
 	const [first] = yield* Effect.try({
 		try: () => {
 			const p12Der = forge.util.decode64(params.p12Base64);
@@ -19009,7 +19153,7 @@ const extractMetadataFromP12 = (params) => Effect.gen(function* () {
 		},
 		catch: (error) => new CertParseError({ message: `Failed to parse PKCS#12 bundle: ${error instanceof Error ? error.message : String(error)}` })
 	});
-	if (first?.cert === void 0) return yield* Effect.fail(new CertParseError({ message: "PKCS#12 bundle does not contain a certificate" }));
+	if (first?.cert === void 0) return yield* new CertParseError({ message: "PKCS#12 bundle does not contain a certificate" });
 	return yield* extractCertMetadata(first.cert);
 });
 const buildDistributionCertP12 = (params) => Effect.gen(function* () {
@@ -19190,10 +19334,10 @@ const generateAndUploadDistributionCertificate = (api, input) => Effect.gen(func
 		csrPem: csrResult.csrPem,
 		certificateType
 	}).pipe(Effect.mapError(wrapAscError("apple-create-certificate")));
-	if (apple.certificateContent === null) return yield* Effect.fail(new GenerateFailedError({
+	if (apple.certificateContent === null) return yield* new GenerateFailedError({
 		step: "apple-create-certificate",
 		message: "Apple response missing certificateContent"
-	}));
+	});
 	const bundle = yield* buildDistributionCertP12({
 		certificateContentBase64: apple.certificateContent,
 		privateKey: csrResult.privateKey
@@ -19243,10 +19387,10 @@ const revokeAppleCertificate = (api, input) => Effect.gen(function* () {
 });
 const revokeLocalDistributionCertificate = (api, input) => Effect.gen(function* () {
 	const local = (yield* api.appleDistributionCertificates.list()).items.find((entry) => entry.id === input.distributionCertificateId);
-	if (local === void 0) return yield* Effect.fail(new GenerateFailedError({
+	if (local === void 0) return yield* new GenerateFailedError({
 		step: "load-distribution-certificate",
 		message: `Distribution certificate ${input.distributionCertificateId} not found on this account`
-	}));
+	});
 	const creds = yield* fetchAscCredentials(api, input.ascApiKeyId);
 	const ascCreds = {
 		keyId: creds.keyId,
@@ -19283,10 +19427,10 @@ const listAppleCertificates = (api, input) => Effect.gen(function* () {
 });
 const resolveCertAscId = (creds, serialNumber, certificateType) => Effect.gen(function* () {
 	const match = (yield* listCertificates(creds, { certificateType }).pipe(Effect.mapError(wrapAscError("apple-list-certificates")))).find((entry) => entry.serialNumber.toUpperCase() === serialNumber);
-	if (match === void 0) return yield* Effect.fail(new GenerateFailedError({
+	if (match === void 0) return yield* new GenerateFailedError({
 		step: "match-apple-certificate",
 		message: `Distribution certificate ${serialNumber} not present on Apple Developer Portal; upload or re-generate it`
-	}));
+	});
 	return match.id;
 });
 const ensureBundleId = (creds, bundleIdentifier) => Effect.gen(function* () {
@@ -19319,10 +19463,10 @@ const generateAndUploadProvisioningProfile = (api, input) => Effect.gen(function
 	const [certAscId, bundleIdAscId] = yield* Effect.all([resolveCertAscId(ascCreds, cert.serialNumber.toUpperCase(), certificateType), ensureBundleId(ascCreds, input.bundleIdentifier)], { concurrency: 2 });
 	const useDevices = input.distributionType === "AD_HOC" || input.distributionType === "DEVELOPMENT";
 	const { ids: deviceAscIds } = useDevices ? yield* collectDeviceAscIds(ascCreds, cert.appleTeamId, input.deviceIds) : { ids: [] };
-	if (useDevices && deviceAscIds.length === 0) return yield* Effect.fail(new GenerateFailedError({
+	if (useDevices && deviceAscIds.length === 0) return yield* new GenerateFailedError({
 		step: "collect-devices",
 		message: "No registered devices to attach to the provisioning profile"
-	}));
+	});
 	const profileBytes = fromBase64((yield* createProvisioningProfile(ascCreds, {
 		profileName: `${input.bundleIdentifier} ${input.distributionType} ${Date.now()}`,
 		profileType: DISTRIBUTION_TO_PROFILE_TYPE$1[input.distributionType],
@@ -19633,10 +19777,10 @@ const downloadAndroidCredentials = (api, options) => Effect.gen(function* () {
 			...compact({ buildProfile: options.buildProfile })
 		}
 	}).pipe(Effect.mapError((cause) => resolveErrorToMissingCredentials(cause, "android")));
-	if (resolved.platform !== "android") return yield* Effect.fail(new MissingCredentialsError({
+	if (resolved.platform !== "android") return yield* new MissingCredentialsError({
 		message: "Server returned non-Android credentials for an Android build request",
 		hint: androidBindHint
-	}));
+	});
 	const secret = yield* decryptResolveSecret({
 		session: yield* openVaultSessionForBuild(api, androidBindHint),
 		credentialType: "keystore",
@@ -19757,7 +19901,7 @@ const credentialsJsonPath = (projectRoot) => path.join(projectRoot, CREDENTIALS_
 const readCredentialsJson = (projectRoot) => Effect.gen(function* () {
 	const fs = yield* FileSystem.FileSystem;
 	const filePath = credentialsJsonPath(projectRoot);
-	if (!(yield* fs.exists(filePath).pipe(Effect.catchAll(() => Effect.succeed(false))))) return yield* new CredentialsJsonError({ message: `credentials.json not found at ${filePath}.` });
+	if (!(yield* fs.exists(filePath).pipe(Effect.orElseSucceed(() => false)))) return yield* new CredentialsJsonError({ message: `credentials.json not found at ${filePath}.` });
 	return yield* parseCredentialsJson(yield* fs.readFileString(filePath).pipe(Effect.mapError((cause) => new CredentialsJsonError({ message: `Failed to read credentials.json: ${String(cause)}` }))));
 });
 const writeCredentialsJson = (projectRoot, data) => Effect.gen(function* () {
@@ -19774,7 +19918,7 @@ const resolveCredentialPath = (projectRoot, candidate) => path.isAbsolute(candid
 
 //#endregion
 //#region src/lib/local-credentials.ts
-const requirePath = (fs, absolutePath, label) => fs.exists(absolutePath).pipe(Effect.catchAll(() => Effect.succeed(false)), Effect.flatMap((exists) => exists ? Effect.void : Effect.fail(new MissingCredentialsError({
+const requirePath = (fs, absolutePath, label) => fs.exists(absolutePath).pipe(Effect.orElseSucceed(() => false), Effect.flatMap((exists) => exists ? Effect.void : Effect.fail(new MissingCredentialsError({
 	message: `Local credentials.json: ${label} not found at ${absolutePath}.`,
 	hint: "Run `better-update credentials sync pull` to materialize files, or fix the path in credentials.json."
 }))));
@@ -20029,7 +20173,7 @@ const runStepFormatted = (cmd, step, formatter) => Effect.gen(function* () {
 	if (code !== 0) {
 		const summary = formatter.getBuildSummary();
 		if (summary.length > 0) process$1.stderr.write(`${summary}\n`);
-		return yield* Effect.fail(buildFailed(step, code, `${step} exited with code ${code}`));
+		return yield* buildFailed(step, code, `${step} exited with code ${code}`);
 	}
 });
 
@@ -20265,10 +20409,10 @@ const findAscCertificateId = (ctx, serialNumber, certificateType) => Effect.gen(
 	const certs = yield* wrap("apple-list-certificates", async () => AppleUtils.Certificate.getAsync(ctx, { query: { filter: { certificateType } } }));
 	const upper = serialNumber.toUpperCase();
 	const match = certs.find((entry) => entry.attributes.serialNumber.toUpperCase() === upper);
-	if (match === void 0) return yield* Effect.fail(new AppleIdGenerateFailedError({
+	if (match === void 0) return yield* new AppleIdGenerateFailedError({
 		step: "match-apple-certificate",
 		message: `Distribution certificate ${serialNumber} not present on Apple Developer Portal; upload or re-generate it`
-	}));
+	});
 	return match.id;
 });
 const collectIosDeviceIds = (ctx, deviceIds) => Effect.gen(function* () {
@@ -20287,10 +20431,10 @@ const generateAndUploadProvisioningProfileViaAppleId = (api, input) => Effect.ge
 	const [certAscId, bundleIdAscId] = yield* Effect.all([findAscCertificateId(ctx, cert.serialNumber, certificateType), findOrCreateBundleId(ctx, input.bundleIdentifier)], { concurrency: 2 });
 	const useDevices = input.distributionType === "AD_HOC" || input.distributionType === "DEVELOPMENT";
 	const deviceIds = useDevices ? yield* collectIosDeviceIds(ctx, input.deviceIds) : [];
-	if (useDevices && deviceIds.length === 0) return yield* Effect.fail(new AppleIdGenerateFailedError({
+	if (useDevices && deviceIds.length === 0) return yield* new AppleIdGenerateFailedError({
 		step: "collect-devices",
 		message: "No registered devices to attach to the provisioning profile"
-	}));
+	});
 	const profileName = `${input.bundleIdentifier} ${input.distributionType} ${Date.now()}`;
 	const { profileContent } = (yield* wrap("apple-create-profile", async () => AppleUtils.Profile.createAsync(ctx, {
 		bundleId: bundleIdAscId,
@@ -20299,10 +20443,10 @@ const generateAndUploadProvisioningProfileViaAppleId = (api, input) => Effect.ge
 		name: profileName,
 		profileType: DISTRIBUTION_TO_PROFILE_TYPE[input.distributionType]
 	}))).attributes;
-	if (profileContent === null) return yield* Effect.fail(new AppleIdGenerateFailedError({
+	if (profileContent === null) return yield* new AppleIdGenerateFailedError({
 		step: "extract-profile-content",
 		message: "Apple returned a profile with no content (likely expired/invalid)"
-	}));
+	});
 	const profileBytes = fromBase64(profileContent);
 	const rosterHash = useDevices ? computeDeviceRosterHashHex(deviceIds) : void 0;
 	const created = yield* api.appleProvisioningProfiles.upload({ payload: {
@@ -20482,10 +20626,10 @@ const interactiveCertLimitRecover = (api, ascApiKeyId) => Effect.gen(function* (
 		ascApiKeyId,
 		certificateType: "IOS_DISTRIBUTION"
 	});
-	if (certs.length === 0) return yield* Effect.fail(new MissingCredentialsError({
+	if (certs.length === 0) return yield* new MissingCredentialsError({
 		message: "Apple says the certificate limit is hit but no existing certificates were returned.",
 		hint: "Try again later or check the Apple Developer portal."
-	}));
+	});
 	const toRevoke = yield* promptMultiSelect("Select one or more certificates to revoke before retrying", certs.map((entry) => ({
 		value: entry.id,
 		label: `${entry.serialNumber.slice(0, 12)}… (${entry.displayName ?? entry.certificateType}, exp ${entry.expirationDate.slice(0, 10)})`
@@ -20498,10 +20642,10 @@ const interactiveCertLimitRecover = (api, ascApiKeyId) => Effect.gen(function* (
 });
 const generateDistributionCertInteractive = (api) => Effect.gen(function* () {
 	const teamAscKeys = (yield* api.ascApiKeys.list()).items.filter((key) => key.appleTeamId !== null);
-	if (teamAscKeys.length === 0) return yield* Effect.fail(new MissingCredentialsError({
+	if (teamAscKeys.length === 0) return yield* new MissingCredentialsError({
 		message: "No ASC API key linked to an Apple team in this organization.",
 		hint: "Upload an ASC API key with a team assignment via the dashboard, then retry."
-	}));
+	});
 	const ascKeyId = yield* promptSelect("Select an ASC API key to issue the certificate against", teamAscKeys.map((key) => ({
 		value: key.id,
 		label: `${key.name} (${key.keyId})`
@@ -20520,10 +20664,10 @@ const chooseIosCertificateId = (api) => Effect.gen(function* () {
 		}, {
 			value: "abort",
 			label: "Abort — I'll upload one manually"
-		}])) === "abort") return yield* Effect.fail(new MissingCredentialsError({
+		}])) === "abort") return yield* new MissingCredentialsError({
 			message: "Build aborted — no distribution certificate available.",
 			hint: "Run `better-update credentials generate distribution-certificate --asc-key-id <id>` or upload via the dashboard."
-		}));
+		});
 		return (yield* generateDistributionCertInteractive(api)).id;
 	}
 	const choice = yield* promptSelect("Select a distribution certificate (or 'generate' for a fresh one)", [{
@@ -20539,10 +20683,10 @@ const chooseIosCertificateId = (api) => Effect.gen(function* () {
 const pickIosCertificate = (api) => Effect.gen(function* () {
 	const chosenId = yield* chooseIosCertificateId(api);
 	const cert = (yield* api.appleDistributionCertificates.list()).items.find((entry) => entry.id === chosenId);
-	if (cert === void 0) return yield* Effect.fail(new MissingCredentialsError({
+	if (cert === void 0) return yield* new MissingCredentialsError({
 		message: "Selected certificate not found after generation.",
 		hint: "Retry."
-	}));
+	});
 	return {
 		certId: chosenId,
 		cert
@@ -20550,10 +20694,10 @@ const pickIosCertificate = (api) => Effect.gen(function* () {
 });
 const pickIosAscKey = (api, appleTeamId) => Effect.gen(function* () {
 	const teamAscKeys = (yield* api.ascApiKeys.list()).items.filter((key) => key.appleTeamId !== null && key.appleTeamId === appleTeamId);
-	if (teamAscKeys.length === 0) return yield* Effect.fail(new MissingCredentialsError({
+	if (teamAscKeys.length === 0) return yield* new MissingCredentialsError({
 		message: `No ASC API key linked to Apple team ${appleTeamId}.`,
 		hint: "Upload an ASC API key for that team via the dashboard, then retry."
-	}));
+	});
 	return yield* promptSelect("Select an ASC API key", teamAscKeys.map((key) => ({
 		value: key.id,
 		label: `${key.name} (${key.keyId})`
@@ -20634,10 +20778,10 @@ const generateKeystoreInteractive = (api) => Effect.gen(function* () {
 });
 const pickExistingKeystore = (api) => Effect.gen(function* () {
 	const keystores = yield* api.androidUploadKeystores.list();
-	if (keystores.items.length === 0) return yield* Effect.fail(new MissingCredentialsError({
+	if (keystores.items.length === 0) return yield* new MissingCredentialsError({
 		message: "No existing keystores in this organization.",
 		hint: "Re-run and choose 'Generate new keystore'."
-	}));
+	});
 	return yield* promptSelect("Select a keystore", keystores.items.map((item) => ({
 		value: item.id,
 		label: item.keyAlias
@@ -20670,10 +20814,10 @@ const setupAndroidInteractive = (api, input) => Effect.gen(function* () {
 			label: "Abort — I'll configure it in the dashboard"
 		}
 	]);
-	if (choice === "abort") return yield* Effect.fail(new MissingCredentialsError({
+	if (choice === "abort") return yield* new MissingCredentialsError({
 		message: `Build aborted — no keystore bound to ${input.applicationIdentifier}.`,
 		hint: "Run `better-update credentials generate keystore` or upload via the dashboard."
-	}));
+	});
 	const keystoreId = yield* choice === "generate" ? generateKeystoreAuto(api, input.applicationIdentifier) : pickExistingKeystore(api);
 	yield* api.androidBuildCredentials.create({
 		path: { applicationIdentifierId: appId },
@@ -20694,10 +20838,10 @@ const ensureAndroidCredentialsAvailable = (api, input) => api.buildCredentials.r
 }).pipe(Effect.asVoid);
 const ensureAndroidCredentials = (api, input, options) => ensureAndroidCredentialsAvailable(api, input).pipe(Effect.catchIf(isMissingResolveError, () => Effect.gen(function* () {
 	const mode = yield* InteractiveMode;
-	if (options.freezeCredentials || !mode.allow) return yield* Effect.fail(new MissingCredentialsError({
+	if (options.freezeCredentials || !mode.allow) return yield* new MissingCredentialsError({
 		message: `No Android build credentials for ${input.applicationIdentifier}.`,
 		hint: options.freezeCredentials ? "Run `better-update credentials generate` first, or remove --freeze-credentials." : "Run `better-update credentials generate` first, or rerun with --interactive to configure now."
-	}));
+	});
 	yield* setupAndroidInteractive(api, input);
 	return yield* ensureAndroidCredentialsAvailable(api, input);
 })));
@@ -20718,10 +20862,10 @@ const resolveIosBuildCredentials = (api, input) => api.buildCredentials.resolve(
 const findBoundIosConfig = (api, input) => Effect.gen(function* () {
 	const distributionType = IOS_DISTRIBUTION_TO_TYPE[input.distribution];
 	const match = (yield* api.iosBundleConfigurations.list({ path: { projectId: input.projectId } })).items.find((config) => config.bundleIdentifier === input.bundleIdentifier && config.distributionType === distributionType);
-	if (match === void 0) return yield* Effect.fail(new MissingCredentialsError({
+	if (match === void 0) return yield* new MissingCredentialsError({
 		message: `iOS bundle configuration vanished while regenerating stale profile for ${input.bundleIdentifier}`,
 		hint: "Retry; the configuration must exist before regeneration"
-	}));
+	});
 	return match;
 });
 const regenerateProvisioningProfile = (api, input) => Effect.gen(function* () {
@@ -20752,19 +20896,19 @@ const regenerateProvisioningProfile = (api, input) => Effect.gen(function* () {
 });
 const ensureIosCredentials = (api, input, options) => resolveIosBuildCredentials(api, input).pipe(Effect.catchIf(isMissingResolveError, () => Effect.gen(function* () {
 	const mode = yield* InteractiveMode;
-	if (options.freezeCredentials || !mode.allow) return yield* Effect.fail(new MissingCredentialsError({
+	if (options.freezeCredentials || !mode.allow) return yield* new MissingCredentialsError({
 		message: `No iOS build credentials for ${input.bundleIdentifier} (${input.distribution}).`,
 		hint: options.freezeCredentials ? "Run `better-update credentials generate` first, or remove --freeze-credentials." : "Run `better-update credentials generate` first, or rerun with --interactive to configure now."
-	}));
+	});
 	yield* setupIosInteractive(api, input);
 	return yield* resolveIosBuildCredentials(api, input);
 })), Effect.flatMap((resolved) => Effect.gen(function* () {
 	if (resolved.platform !== "ios" || !resolved.profileStale) return;
 	const mode = yield* InteractiveMode;
-	if (options.freezeCredentials || !mode.allow) return yield* Effect.fail(new MissingCredentialsError({
+	if (options.freezeCredentials || !mode.allow) return yield* new MissingCredentialsError({
 		message: `Stale provisioning profile for ${input.bundleIdentifier}; cannot regenerate without an interactive session.`,
 		hint: options.freezeCredentials ? "Run a build without --freeze-credentials once to refresh the profile, or run `better-update credentials regenerate-profile`." : "Run `better-update credentials regenerate-profile --bundle <id> --distribution <type>` from an interactive terminal."
-	}));
+	});
 	yield* Console.log(`Stale provisioning profile for ${input.bundleIdentifier} (device roster changed). Regenerating...`);
 	yield* regenerateProvisioningProfile(api, input);
 })));
@@ -20814,7 +20958,7 @@ const applyTargetSigning = (options) => Effect.gen(function* () {
 	const projectDir = yield* findXcodeProjectDir$1(options.iosDir);
 	const pbxprojPath = path.join(projectDir, "project.pbxproj");
 	const project = yield* parseProject$1(pbxprojPath);
-	for (const entry of options.entries) for (const configUuid of entry.buildConfigurationUuids) if (!mutateConfig(project, configUuid, entry.settings)) yield* new XcodeProjectError({ message: `Build configuration ${configUuid} not found for target "${entry.targetName}" in ${pbxprojPath}.` });
+	for (const entry of options.entries) for (const configUuid of entry.buildConfigurationUuids) if (!mutateConfig(project, configUuid, entry.settings)) return yield* new XcodeProjectError({ message: `Build configuration ${configUuid} not found for target "${entry.targetName}" in ${pbxprojPath}.` });
 	const serialized = yield* Effect.try({
 		try: () => project.writeSync(),
 		catch: (cause) => new XcodeProjectError({ message: `Failed to serialize ${pbxprojPath}: ${cause instanceof Error ? cause.message : String(cause)}` })
@@ -21002,7 +21146,7 @@ const installProvisioningProfile = ({ profilePath }) => Effect.acquireRelease(Ef
 //#endregion
 //#region src/lib/post-build-validation.ts
 const validateOneBundle = (bundleDir, expectedByBundleId, expectedTeamId) => Effect.gen(function* () {
-	const bundleId = yield* readBundleId(bundleDir).pipe(Effect.catchAll(() => Effect.succeed(void 0)));
+	const bundleId = yield* readBundleId(bundleDir).pipe(Effect.orElseSucceed(() => void 0));
 	if (!bundleId) return {
 		bundleId: void 0,
 		warnings: [`Missing CFBundleIdentifier in Info.plist at ${bundleDir}`]
@@ -21014,16 +21158,16 @@ const validateOneBundle = (bundleDir, expectedByBundleId, expectedTeamId) => Eff
 	};
 	return {
 		bundleId,
-		warnings: yield* validateEmbeddedProfile(bundleDir, expected.profileUuid, expectedTeamId, bundleId).pipe(Effect.catchAll(() => Effect.succeed([])))
+		warnings: yield* validateEmbeddedProfile(bundleDir, expected.profileUuid, expectedTeamId, bundleId).pipe(Effect.orElseSucceed(() => []))
 	};
 });
 const validateIosBuild = (params) => Effect.gen(function* () {
-	const appDir = yield* findAppDirectory$1(params.archivePath).pipe(Effect.catchAll(() => Effect.succeed(void 0)));
+	const appDir = yield* findAppDirectory$1(params.archivePath).pipe(Effect.orElseSucceed(() => void 0));
 	if (!appDir) return {
 		passed: false,
 		warnings: ["Could not locate .app bundle in archive — skipping post-build validation"]
 	};
-	const bundleDirs = yield* listSignedBundleDirs(appDir).pipe(Effect.catchAll(() => Effect.succeed([appDir])));
+	const bundleDirs = yield* listSignedBundleDirs(appDir).pipe(Effect.orElseSucceed(() => [appDir]));
 	const expectedByBundleId = new Map(params.expectedTargets.map((target) => [target.bundleId, target]));
 	const perBundle = yield* Effect.forEach(bundleDirs, (bundleDir) => validateOneBundle(bundleDir, expectedByBundleId, params.expectedTeamId));
 	const warnings = perBundle.flatMap((entry) => [...entry.warnings]);
@@ -21053,7 +21197,7 @@ const findAppDirectory$1 = (archivePath) => Effect.gen(function* () {
 const listSignedBundleDirs = (appDir) => Effect.gen(function* () {
 	const fs = yield* FileSystem.FileSystem;
 	const plugInsDir = path.join(appDir, "PlugIns");
-	if (!(yield* fs.exists(plugInsDir).pipe(Effect.catchAll(() => Effect.succeed(false))))) return [appDir];
+	if (!(yield* fs.exists(plugInsDir).pipe(Effect.orElseSucceed(() => false)))) return [appDir];
 	return [appDir, ...(yield* fs.readDirectory(plugInsDir)).filter((entry) => entry.endsWith(".appex")).map((entry) => path.join(plugInsDir, entry))];
 });
 const readBundleId = (bundleDir) => Effect.gen(function* () {
@@ -21996,7 +22140,7 @@ const easJsonPath = (projectRoot) => Effect.gen(function* () {
 const readEasJson = (projectRoot) => Effect.gen(function* () {
 	const fs = yield* FileSystem.FileSystem;
 	const filePath = yield* easJsonPath(projectRoot);
-	return yield* parseEasConfig(yield* fs.readFileString(filePath).pipe(Effect.catchAll((cause) => Effect.fail(new BuildProfileError({ message: cause._tag === "SystemError" && cause.reason === "NotFound" ? `No eas.json found at ${filePath}. Create one with a "build" section.` : `Failed to read eas.json: ${cause.message}` })))));
+	return yield* parseEasConfig(yield* fs.readFileString(filePath).pipe(Effect.mapError((cause) => new BuildProfileError({ message: cause._tag === "SystemError" && cause.reason === "NotFound" ? `No eas.json found at ${filePath}. Create one with a "build" section.` : `Failed to read eas.json: ${cause.message}` }))));
 });
 const mergeCustom = (base, overlay) => {
 	const merged = shallowMerge(base, overlay);
@@ -22208,8 +22352,8 @@ const clearBuildCaches = (projectRoot) => Effect.gen(function* () {
 	const removed = [];
 	yield* Effect.forEach(CACHE_DIRS, (rel) => Effect.gen(function* () {
 		const target = path.join(projectRoot, rel);
-		if (!(yield* fs.exists(target).pipe(Effect.catchAll(() => Effect.succeed(false))))) return;
-		yield* fs.remove(target, { recursive: true }).pipe(Effect.catchAll(() => Effect.succeed(void 0)));
+		if (!(yield* fs.exists(target).pipe(Effect.orElseSucceed(() => false)))) return;
+		yield* fs.remove(target, { recursive: true }).pipe(Effect.orElseSucceed(() => void 0));
 		removed.push(rel);
 	}), { concurrency: 4 });
 	if (removed.length > 0) yield* Console.error(`Cleared caches: ${removed.join(", ")}`);
@@ -22538,10 +22682,10 @@ const runString = (cmd, cwd) => Command.string(Command.workingDirectory(cmd, cwd
 */
 const readGitContext = (projectRoot) => Effect.gen(function* () {
 	const [commit, ref, commitMessage, status] = yield* Effect.all([
-		runString(Command.make("git", "rev-parse", "HEAD"), projectRoot).pipe(Effect.map((output) => output.trim()), Effect.catchAll(() => Effect.succeed(""))),
-		runString(Command.make("git", "symbolic-ref", "--short", "HEAD"), projectRoot).pipe(Effect.map((output) => output.trim()), Effect.catchAll(() => Effect.succeed(""))),
-		runString(Command.make("git", "log", "-1", "--format=%s"), projectRoot).pipe(Effect.map((output) => output.trim()), Effect.catchAll(() => Effect.succeed(""))),
-		runString(Command.make("git", "status", "--porcelain"), projectRoot).pipe(Effect.catchAll(() => Effect.succeed("")))
+		runString(Command.make("git", "rev-parse", "HEAD"), projectRoot).pipe(Effect.map((output) => output.trim()), Effect.orElseSucceed(() => "")),
+		runString(Command.make("git", "symbolic-ref", "--short", "HEAD"), projectRoot).pipe(Effect.map((output) => output.trim()), Effect.orElseSucceed(() => "")),
+		runString(Command.make("git", "log", "-1", "--format=%s"), projectRoot).pipe(Effect.map((output) => output.trim()), Effect.orElseSucceed(() => "")),
+		runString(Command.make("git", "status", "--porcelain"), projectRoot).pipe(Effect.orElseSucceed(() => ""))
 	], { concurrency: "unbounded" });
 	return {
 		ref: ref.length > 0 ? ref : void 0,
@@ -22570,14 +22714,14 @@ const readGradleConfig = (androidDir) => Effect.gen(function* () {
 	const hasKts = yield* fs.exists(ktsPath).pipe(Effect.orElseSucceed(() => false));
 	if (!hasGroovy && hasKts) return;
 	if (!hasGroovy) return;
-	const content = yield* fs.readFileString(gradlePath).pipe(Effect.catchAll(() => Effect.succeed(void 0)));
+	const content = yield* fs.readFileString(gradlePath).pipe(Effect.orElseSucceed(() => void 0));
 	if (!content) return;
 	return yield* Effect.tryPromise({
 		try: async () => {
 			return __require("gradle-to-js").parseText(stripGroovyComments(content));
 		},
 		catch: () => void 0
-	}).pipe(Effect.map(extractGradleConfig), Effect.catchAll(() => Effect.succeed(void 0)));
+	}).pipe(Effect.map(extractGradleConfig), Effect.orElseSucceed(() => void 0));
 });
 /**
 * Log a warning if Gradle applicationId differs from app.json package name.
@@ -22697,7 +22841,7 @@ const ALWAYS_IGNORE = [...[
 	"dist"
 ], ...NATIVE_BUILD_OUTPUTS];
 const findLockfile = (fs, dir) => Effect.gen(function* () {
-	for (const [name, pm] of LOCKFILES) if (yield* fs.exists(path.join(dir, name)).pipe(Effect.catchAll(() => Effect.succeed(false)))) return pm;
+	for (const [name, pm] of LOCKFILES) if (yield* fs.exists(path.join(dir, name)).pipe(Effect.orElseSucceed(() => false))) return pm;
 });
 const walkUpForLockfile = (startCwd, dir) => Effect.gen(function* () {
 	const pm = yield* findLockfile(yield* FileSystem.FileSystem, dir);
@@ -22733,13 +22877,13 @@ const buildIgnoreInstance = (workspaceRoot, options = {}) => Effect.gen(function
 	const ig = ignore();
 	ig.add([...ALWAYS_IGNORE]);
 	const easignorePath = path.join(workspaceRoot, ".easignore");
-	if (yield* fs.exists(easignorePath).pipe(Effect.catchAll(() => Effect.succeed(false)))) {
-		const content = yield* fs.readFileString(easignorePath).pipe(Effect.catchAll(() => Effect.succeed("")));
+	if (yield* fs.exists(easignorePath).pipe(Effect.orElseSucceed(() => false))) {
+		const content = yield* fs.readFileString(easignorePath).pipe(Effect.orElseSucceed(() => ""));
 		ig.add(content);
 	} else {
 		const gitignorePath = path.join(workspaceRoot, ".gitignore");
-		if (yield* fs.exists(gitignorePath).pipe(Effect.catchAll(() => Effect.succeed(false)))) {
-			const content = yield* fs.readFileString(gitignorePath).pipe(Effect.catchAll(() => Effect.succeed("")));
+		if (yield* fs.exists(gitignorePath).pipe(Effect.orElseSucceed(() => false))) {
+			const content = yield* fs.readFileString(gitignorePath).pipe(Effect.orElseSucceed(() => ""));
 			ig.add(content);
 		}
 	}
@@ -22810,7 +22954,7 @@ const prepareStagingProject = (input) => Effect.gen(function* () {
 		})
 	});
 	yield* initGitRepo(stagingRoot);
-	if (yield* fs.exists(path.join(workspaceRoot, "package.json")).pipe(Effect.catchAll(() => Effect.succeed(false)))) yield* runInstall({
+	if (yield* fs.exists(path.join(workspaceRoot, "package.json")).pipe(Effect.orElseSucceed(() => false))) yield* runInstall({
 		stagingRoot,
 		packageManager,
 		env: yield* runtime.commandEnvironment(input.envVars)
@@ -22827,7 +22971,7 @@ const prepareStagingProject = (input) => Effect.gen(function* () {
 //#endregion
 //#region src/lib/repo-clean.ts
 const MAX_FILES_SHOWN = 10;
-const readPorcelain = (projectRoot) => Command.make("git", "status", "--porcelain").pipe(Command.workingDirectory(projectRoot), Command.string, Effect.map((output) => output.split(/\r?\n/u).map((line) => line.trim()).filter((line) => line.length > 0)), Effect.catchAll(() => Effect.succeed([])));
+const readPorcelain = (projectRoot) => Command.make("git", "status", "--porcelain").pipe(Command.workingDirectory(projectRoot), Command.string, Effect.map((output) => output.split(/\r?\n/u).map((line) => line.trim()).filter((line) => line.length > 0)), Effect.orElseSucceed(() => []));
 /**
 * Refuse to proceed when the working tree has uncommitted changes. Skipped when
 * `allowDirty` is true. In interactive mode, prompts the user to confirm; in
@@ -22840,11 +22984,8 @@ const ensureRepoClean = ({ projectRoot, allowDirty, label }) => Effect.gen(funct
 	const preview = dirty.slice(0, MAX_FILES_SHOWN).join("\n  ");
 	const overflow = dirty.length > MAX_FILES_SHOWN ? `\n  ... and ${String(dirty.length - MAX_FILES_SHOWN)} more` : "";
 	yield* Console.error(`Uncommitted changes (${String(dirty.length)} file(s)):\n  ${preview}${overflow}`);
-	if (!(yield* InteractiveMode).allow) {
-		yield* new DirtyRepoError({ message: `Refusing to ${label} with a dirty working tree. Commit your changes or pass --allow-dirty.` });
-		return;
-	}
-	if (!(yield* promptConfirm(`Continue ${label} with uncommitted changes?`, { initialValue: false }))) yield* new DirtyRepoError({ message: `${label} cancelled by user.` });
+	if (!(yield* InteractiveMode).allow) return yield* new DirtyRepoError({ message: `Refusing to ${label} with a dirty working tree. Commit your changes or pass --allow-dirty.` });
+	if (!(yield* promptConfirm(`Continue ${label} with uncommitted changes?`, { initialValue: false }))) return yield* new DirtyRepoError({ message: `${label} cancelled by user.` });
 });
 
 //#endregion
@@ -22984,7 +23125,7 @@ const postTokenRequest = (tokenUri, jwt) => Effect.tryPromise({
 });
 const exchangeJwtForAccessToken = (tokenUri, jwt) => Effect.gen(function* () {
 	const result = yield* postTokenRequest(tokenUri, jwt);
-	if (!result.ok) return yield* Effect.fail(new GooglePlayAuthError({ message: `OAuth token exchange failed: ${String(result.status)} ${result.text}` }));
+	if (!result.ok) return yield* new GooglePlayAuthError({ message: `OAuth token exchange failed: ${String(result.status)} ${result.text}` });
 	const json = yield* Effect.try({
 		try: () => JSON.parse(result.text),
 		catch: (cause) => new GooglePlayAuthError({
@@ -23009,7 +23150,7 @@ const acquireGooglePlayAccessToken = (serviceAccountJson) => Effect.gen(function
 		message: "Service account JSON missing required fields (type, client_email, private_key)",
 		cause
 	})));
-	if (parsed.type !== "service_account") return yield* Effect.fail(new GooglePlayAuthError({ message: `Service account JSON has wrong type: ${parsed.type}` }));
+	if (parsed.type !== "service_account") return yield* new GooglePlayAuthError({ message: `Service account JSON has wrong type: ${parsed.type}` });
 	const tokenUri = parsed.token_uri ?? GOOGLE_OAUTH_TOKEN_URL;
 	return {
 		accessToken: yield* exchangeJwtForAccessToken(tokenUri, yield* signJwt(yield* importPrivateKey(parsed.private_key), buildJwtAssertion({
@@ -23049,10 +23190,10 @@ const performFetch = (params) => Effect.tryPromise({
 });
 const callJsonRaw = (params) => Effect.gen(function* () {
 	const result = yield* performFetch(params);
-	if (!result.ok) return yield* Effect.fail(new GooglePlayApiError({
+	if (!result.ok) return yield* new GooglePlayApiError({
 		message: `${params.label} failed: ${String(result.status)} ${result.text}`,
 		httpStatus: result.status
-	}));
+	});
 	return yield* Effect.try({
 		try: () => result.text === "" ? {} : JSON.parse(result.text),
 		catch: (cause) => new GooglePlayApiError({
@@ -23107,10 +23248,10 @@ const performBundleUpload = (params) => Effect.tryPromise({
 });
 const uploadBundle = (params) => Effect.gen(function* () {
 	const result = yield* performBundleUpload(params);
-	if (!result.ok) return yield* Effect.fail(new GooglePlayApiError({
+	if (!result.ok) return yield* new GooglePlayApiError({
 		message: `edits.bundles.upload failed: ${String(result.status)} ${result.text}`,
 		httpStatus: result.status
-	}));
+	});
 	const raw = yield* Effect.try({
 		try: () => JSON.parse(result.text),
 		catch: (cause) => new GooglePlayApiError({
@@ -23301,10 +23442,10 @@ const fetchArchiveOverHttp = (url) => Effect.gen(function* () {
 			message: `Failed to download AAB from ${url}: ${cause instanceof Error ? cause.message : String(cause)}`
 		})
 	});
-	if (!result.ok || result.bytes === null) return yield* Effect.fail(new CliSubmitError({
+	if (!result.ok || result.bytes === null) return yield* new CliSubmitError({
 		code: "SUBMISSION_ARCHIVE_DOWNLOAD_FAILED",
 		message: `HTTP ${String(result.status)} fetching archive at ${url}`
-	}));
+	});
 	return result.bytes;
 });
 const readArchiveBytes = (archive) => archive.source === "path" ? Effect.map(readLocalFile(archive.value, "SUBMISSION_ARCHIVE_READ_FAILED", (cause) => `Failed to read AAB at ${archive.value}: ${cause instanceof Error ? cause.message : String(cause)}`), (buf) => new Uint8Array(buf)) : fetchArchiveOverHttp(archive.value);
@@ -23379,10 +23520,10 @@ const runGooglePlayPipeline = (params) => Effect.gen(function* () {
 });
 const runAndroidGooglePlayUpload = (inputs) => Effect.gen(function* () {
 	const { applicationId } = inputs.androidProfile;
-	if (applicationId === void 0) return yield* Effect.fail(new CliSubmitError({
+	if (applicationId === void 0) return yield* new CliSubmitError({
 		code: "SUBMISSION_ANDROID_APP_ID_MISSING",
 		message: "Android submit profile requires applicationId — set submit.<profile>.android.applicationId in eas.json"
-	}));
+	});
 	const serviceAccountJson = yield* resolveServiceAccountJson({
 		api: inputs.api,
 		serviceAccountKeyId: inputs.serviceAccountKeyId,
@@ -23407,7 +23548,7 @@ const runAndroidGooglePlayUpload = (inputs) => Effect.gen(function* () {
 			errorCode: engineError.code,
 			errorMessage: engineError.message
 		});
-		return yield* Effect.fail(engineError);
+		return yield* engineError;
 	})));
 	yield* patchSubmissionStatus(inputs.api, inputs.submissionId, { status: "FINISHED" });
 	yield* printHuman(`Google Play bundle uploaded (versionCode ${String(result.versionCode)})`);
@@ -23824,7 +23965,7 @@ const runBuildWorkflow = (options) => Effect.scoped(Effect.gen(function* () {
 		commit: rawGitContext.commit,
 		dirty: rawGitContext.dirty
 	});
-	const fingerprintHash = isExpo ? yield* runFingerprintForPlatform(userCwd, platform).pipe(Effect.map((entry) => entry.hash), Effect.catchAll(() => Effect.succeed(void 0))) : void 0;
+	const fingerprintHash = isExpo ? yield* runFingerprintForPlatform(userCwd, platform).pipe(Effect.map((entry) => entry.hash), Effect.orElseSucceed(() => void 0)) : void 0;
 	const result = yield* reserveAndUpload(api, {
 		target,
 		projectId,
@@ -24123,7 +24264,7 @@ const compatibilityMatrixCommand = defineCommand({
 
 //#endregion
 //#region src/commands/builds/delete.ts
-const deleteCommand$5 = defineCommand({
+const deleteCommand$6 = defineCommand({
 	meta: {
 		name: "delete",
 		description: "Delete a build"
@@ -24179,10 +24320,7 @@ const downloadCommand$1 = defineCommand({
 		const fs = yield* FileSystem.FileSystem;
 		const cwd = yield* (yield* CliRuntime).cwd;
 		const { artifact } = yield* api.builds.get({ path: { id: args.id } });
-		if (!artifact) {
-			yield* Effect.fail(new UploadFailedError({ message: `Build ${args.id} has no artifact yet.` }));
-			return;
-		}
+		if (!artifact) return yield* new UploadFailedError({ message: `Build ${args.id} has no artifact yet.` });
 		const link = yield* api.builds.getInstallLink({ path: { id: args.id } });
 		const ext = artifact.format;
 		const outputPath = args.output ?? path.join(cwd, `${args.id}.${ext}`);
@@ -24272,7 +24410,7 @@ const DISTRIBUTION_OPTIONS$1 = [
 	"play-store",
 	"direct"
 ];
-const listCommand$7 = defineCommand({
+const listCommand$10 = defineCommand({
 	meta: {
 		name: "list",
 		description: "List builds for the linked project"
@@ -24455,7 +24593,7 @@ const runInherit = (step, bin, ...args) => Command.exitCode(Command.make(bin, ..
 * Locate a tool on PATH. Returns the absolute path or fails with NativeRunError.
 */
 const which = (bin) => Effect.gen(function* () {
-	const trimmed = (yield* Command.string(Command.make("which", bin)).pipe(Effect.catchAll(() => Effect.fail(new NativeRunError({ message: `${bin} not found in PATH` }))))).trim();
+	const trimmed = (yield* Command.string(Command.make("which", bin)).pipe(Effect.mapError(() => new NativeRunError({ message: `${bin} not found in PATH` })))).trim();
 	if (trimmed === "") return yield* new NativeRunError({ message: `${bin} not found in PATH` });
 	return trimmed;
 });
@@ -24474,7 +24612,7 @@ const findAppBundle = (root) => Effect.gen(function* () {
 	const fs = yield* FileSystem.FileSystem;
 	const candidates = [root, path.join(root, "Payload")];
 	for (const candidate of candidates) {
-		const app = (yield* fs.readDirectory(candidate).pipe(Effect.catchAll(() => Effect.succeed([])))).find((entry) => entry.endsWith(".app"));
+		const app = (yield* fs.readDirectory(candidate).pipe(Effect.orElseSucceed(() => []))).find((entry) => entry.endsWith(".app"));
 		if (app) return path.join(candidate, app);
 	}
 	return yield* new NativeRunError({ message: `No .app bundle found inside ${root} or ${path.join(root, "Payload")}.` });
@@ -24553,8 +24691,8 @@ const installAndLaunchIosDevice = (params) => Effect.gen(function* () {
 * fall back to a CLI flag.
 */
 const tryReadApkPackageWith = (bin, apkPath) => Effect.gen(function* () {
-	if (!(yield* which(bin).pipe(Effect.catchAll(() => Effect.succeed(null))))) return;
-	const raw = yield* execCapture(`${bin} dump`, bin, "dump", "badging", apkPath).pipe(Effect.catchAll(() => Effect.succeed(null)));
+	if (!(yield* which(bin).pipe(Effect.orElseSucceed(() => null)))) return;
+	const raw = yield* execCapture(`${bin} dump`, bin, "dump", "badging", apkPath).pipe(Effect.orElseSucceed(() => null));
 	if (!raw) return;
 	return /package: name='(?<packageName>[^']+)'/u.exec(raw)?.[1];
 });
@@ -24626,10 +24764,7 @@ const runIosSimulator = (params) => Effect.gen(function* () {
 });
 const runIosDevice = (params) => Effect.gen(function* () {
 	const { deviceSelector } = params;
-	if (deviceSelector === void 0) {
-		yield* Effect.fail(new InvalidArgumentError({ message: "Pass --device-id <udid>. Run `xcrun devicectl list devices` to list connected devices." }));
-		return;
-	}
+	if (deviceSelector === void 0) return yield* new InvalidArgumentError({ message: "Pass --device-id <udid>. Run `xcrun devicectl list devices` to list connected devices." });
 	const bundleId = yield* readBundleIdFromApp(yield* findAppBundle(yield* extractIosArtifact({
 		tempDir: params.tempDir,
 		artifactPath: params.artifactPath,
@@ -24654,21 +24789,12 @@ const runIos = (params) => {
 	return Effect.fail(new NativeRunError({ message: `Cannot install ${params.format} on iOS; only tar.gz (simulator) or ipa are supported.` }));
 };
 const runAndroid = (params) => Effect.gen(function* () {
-	if (params.format === "aab") {
-		yield* Effect.fail(new InvalidArgumentError({ message: ".aab artifacts cannot be installed directly. Use bundletool to convert to apks, or download the play-store APK." }));
-		return;
-	}
-	if (params.format !== "apk") {
-		yield* Effect.fail(new NativeRunError({ message: `Cannot install ${params.format} on Android; only apk is supported.` }));
-		return;
-	}
+	if (params.format === "aab") return yield* new InvalidArgumentError({ message: ".aab artifacts cannot be installed directly. Use bundletool to convert to apks, or download the play-store APK." });
+	if (params.format !== "apk") return yield* new NativeRunError({ message: `Cannot install ${params.format} on Android; only apk is supported.` });
 	const device = yield* pickAndroidDevice(params.emulatorSelector);
 	const detected = yield* readApkPackageName(params.artifactPath);
 	const packageName = params.packageOverride ?? detected;
-	if (!packageName) {
-		yield* Effect.fail(new InvalidArgumentError({ message: "Could not detect APK package name (aapt/aapt2 not on PATH). Pass --package <name> explicitly." }));
-		return;
-	}
+	if (!packageName) return yield* new InvalidArgumentError({ message: "Could not detect APK package name (aapt/aapt2 not on PATH). Pass --package <name> explicitly." });
 	yield* printHuman(`Installing on Android device ${device.serial}...`);
 	yield* installAndLaunchAndroid({
 		serial: device.serial,
@@ -24733,7 +24859,7 @@ const runCommand$1 = defineCommand({
 			projectId
 		});
 		const { artifact } = build;
-		if (!artifact) return yield* Effect.fail(new UploadFailedError({ message: `Build ${build.id} has no artifact yet.` }));
+		if (!artifact) return yield* new UploadFailedError({ message: `Build ${build.id} has no artifact yet.` });
 		const link = yield* api.builds.getInstallLink({ path: { id: build.id } });
 		const tempDir = yield* acquireBuildTempDir;
 		const artifactPath = path.join(tempDir, `artifact.${artifact.format}`);
@@ -24828,7 +24954,7 @@ const resolveUploadMeta = (params) => Effect.gen(function* () {
 const runUploadWorkflow = (options) => Effect.gen(function* () {
 	const api = yield* apiClient;
 	const projectRoot = yield* (yield* CliRuntime).cwd;
-	if (!(yield* (yield* FileSystem.FileSystem).exists(options.artifactPath).pipe(Effect.orElseSucceed(() => false)))) yield* new ArtifactNotFoundError({ message: `Artifact not found at ${options.artifactPath}.` });
+	if (!(yield* (yield* FileSystem.FileSystem).exists(options.artifactPath).pipe(Effect.orElseSucceed(() => false)))) return yield* new ArtifactNotFoundError({ message: `Artifact not found at ${options.artifactPath}.` });
 	const projectType = yield* detectProjectType({
 		projectRoot,
 		override: asProjectType((yield* readBetterUpdateConfig(projectRoot))?.["projectType"])
@@ -24858,7 +24984,7 @@ const runUploadWorkflow = (options) => Effect.gen(function* () {
 		commit: rawGitContext.commit,
 		dirty: rawGitContext.dirty
 	});
-	const fingerprintHash = isExpo ? yield* runFingerprintForPlatform(projectRoot, options.platform).pipe(Effect.map((entry) => entry.hash), Effect.catchAll(() => Effect.succeed(void 0))) : void 0;
+	const fingerprintHash = isExpo ? yield* runFingerprintForPlatform(projectRoot, options.platform).pipe(Effect.map((entry) => entry.hash), Effect.orElseSucceed(() => void 0)) : void 0;
 	const result = yield* reserveAndUpload(api, compact({
 		target,
 		projectId,
@@ -24942,9 +25068,9 @@ const buildsCommand = defineCommand({
 		description: "Manage builds"
 	},
 	subCommands: {
-		list: listCommand$7,
+		list: listCommand$10,
 		get: getCommand$2,
-		delete: deleteCommand$5,
+		delete: deleteCommand$6,
 		download: downloadCommand$1,
 		run: runCommand$1,
 		"install-link": installLinkCommand,
@@ -24970,7 +25096,7 @@ const resolveNamedResourceId$1 = (params) => resolveNamedResourceId$2(params, (m
 
 //#endregion
 //#region src/commands/channels/create.ts
-const createCommand$3 = defineCommand({
+const createCommand$4 = defineCommand({
 	meta: {
 		name: "create",
 		description: "Create a channel"
@@ -25015,7 +25141,7 @@ const createCommand$3 = defineCommand({
 
 //#endregion
 //#region src/commands/channels/delete.ts
-const deleteCommand$4 = defineCommand({
+const deleteCommand$5 = defineCommand({
 	meta: {
 		name: "delete",
 		description: "Delete a channel"
@@ -25038,6 +25164,193 @@ const deleteCommand$4 = defineCommand({
 	})
 });
 
+//#endregion
+//#region src/commands/channels/grants/helpers.ts
+var GrantCommandError = class extends Data.TaggedError("GrantCommandError") {};
+const grantErrorExtras = { GrantCommandError: 2 };
+
+//#endregion
+//#region src/commands/channels/grants/list.ts
+const resolveChannel = (channels, target) => Effect.gen(function* () {
+	const channel = channels.find((ch) => ch.id === target) ?? channels.find((ch) => ch.name === target);
+	if (!channel) return yield* new ChannelCommandError({ message: `Channel "${target}" not found by ID or name.` });
+	return channel;
+});
+const listCommand$9 = defineCommand({
+	meta: {
+		name: "list",
+		description: "List per-member grants on a channel"
+	},
+	args: { channel: {
+		type: "positional",
+		required: true,
+		description: "Channel ID or channel name"
+	} },
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const projectId = yield* readProjectId;
+		const api = yield* apiClient;
+		const channel = yield* resolveChannel(yield* drainPages((page) => api.channels.list({ urlParams: {
+			projectId,
+			limit: 100,
+			page
+		} })), args.channel);
+		yield* printList([
+			"ID",
+			"Member ID",
+			"Effect",
+			"Actions",
+			"Created"
+		], (yield* api.channelGrants.list({
+			path: { id: channel.id },
+			urlParams: {}
+		})).map((grant) => [
+			grant.id,
+			grant.memberId,
+			grant.effect,
+			grant.actions.join(", "),
+			grant.createdAt
+		]), "No grants found for this channel.");
+	}), { exits: {
+		...channelErrorExtras,
+		...grantErrorExtras
+	} })
+});
+
+//#endregion
+//#region src/commands/channels/grants/revoke.ts
+const revokeCommand$2 = defineCommand({
+	meta: {
+		name: "revoke",
+		description: "Revoke all grants for a member on a channel"
+	},
+	args: {
+		channel: {
+			type: "positional",
+			required: true,
+			description: "Channel ID or channel name"
+		},
+		member: {
+			type: "string",
+			required: true,
+			description: "Member ID whose grants to revoke"
+		},
+		yes: {
+			type: "boolean",
+			description: "Skip confirmation prompt"
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		if (!args.yes) {
+			if (!(yield* promptConfirm(`Revoke all grants for member ${args.member} on channel ${args.channel}?`, { initialValue: false }))) {
+				yield* printHuman("Cancelled.");
+				return { deleted: 0 };
+			}
+		}
+		const projectId = yield* readProjectId;
+		const api = yield* apiClient;
+		const channels = yield* drainPages((page) => api.channels.list({ urlParams: {
+			projectId,
+			limit: 100,
+			page
+		} }));
+		const channel = channels.find((ch) => ch.id === args.channel) ?? channels.find((ch) => ch.name === args.channel);
+		if (!channel) return yield* new ChannelCommandError({ message: `Channel "${args.channel}" not found by ID or name.` });
+		const result = yield* api.channelGrants.delete({ path: {
+			id: channel.id,
+			memberId: args.member
+		} });
+		yield* printHuman(`Revoked grants for member ${args.member} on channel "${channel.name}".`);
+		return result;
+	}), {
+		exits: {
+			...channelErrorExtras,
+			...grantErrorExtras
+		},
+		json: "value"
+	})
+});
+
+//#endregion
+//#region src/commands/channels/grants/set.ts
+const setCommand$3 = defineCommand({
+	meta: {
+		name: "set",
+		description: "Create or replace a member's grant on a channel"
+	},
+	args: {
+		channel: {
+			type: "positional",
+			required: true,
+			description: "Channel ID or channel name"
+		},
+		member: {
+			type: "string",
+			required: true,
+			description: "Member ID to grant permissions to"
+		},
+		actions: {
+			type: "string",
+			required: true,
+			description: "Permission action tokens in resource:action format, comma-separated (e.g. update:create,rollout:update)"
+		},
+		effect: {
+			type: "string",
+			description: "Grant effect: allow (default) or deny"
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const effectValue = args.effect ?? "allow";
+		if (effectValue !== "allow" && effectValue !== "deny") return yield* new GrantCommandError({ message: `Invalid effect "${effectValue}" — must be "allow" or "deny".` });
+		const actionTokens = args.actions.split(",").map((tok) => tok.trim()).filter((tok) => tok.length > 0);
+		if (actionTokens.length === 0) return yield* new GrantCommandError({ message: "At least one action token is required." });
+		const projectId = yield* readProjectId;
+		const api = yield* apiClient;
+		const channels = yield* drainPages((page) => api.channels.list({ urlParams: {
+			projectId,
+			limit: 100,
+			page
+		} }));
+		const channel = channels.find((ch) => ch.id === args.channel) ?? channels.find((ch) => ch.name === args.channel);
+		if (!channel) return yield* new ChannelCommandError({ message: `Channel "${args.channel}" not found by ID or name.` });
+		const grant = yield* api.channelGrants.upsert({
+			path: {
+				id: channel.id,
+				memberId: args.member
+			},
+			payload: {
+				effect: effectValue,
+				actions: actionTokens
+			}
+		});
+		yield* printHumanKeyValue([
+			["ID", grant.id],
+			["Member ID", grant.memberId],
+			["Channel ID", grant.scopeId],
+			["Effect", grant.effect],
+			["Actions", grant.actions.join(", ")],
+			["Created", grant.createdAt]
+		]);
+		return grant;
+	}), { exits: {
+		...channelErrorExtras,
+		...grantErrorExtras
+	} })
+});
+
+//#endregion
+//#region src/commands/channels/grants/index.ts
+const grantsCommand$1 = defineCommand({
+	meta: {
+		name: "grants",
+		description: "Manage per-member permission grants on a channel"
+	},
+	subCommands: {
+		list: listCommand$9,
+		set: setCommand$3,
+		revoke: revokeCommand$2
+	}
+});
+
 //#endregion
 //#region src/commands/channels/insights.ts
 const insightsCommand$1 = defineCommand({
@@ -25084,7 +25397,7 @@ const insightsCommand$1 = defineCommand({
 
 //#endregion
 //#region src/commands/channels/list.ts
-const listCommand$6 = defineCommand({
+const listCommand$8 = defineCommand({
 	meta: {
 		name: "list",
 		description: "List channels for the linked project"
@@ -25188,7 +25501,7 @@ const completeCommand$1 = defineCommand({
 
 //#endregion
 //#region src/commands/channels/rollout/create.ts
-const createCommand$2 = defineCommand({
+const createCommand$3 = defineCommand({
 	meta: {
 		name: "create",
 		description: "Start a branch rollout on a channel"
@@ -25269,7 +25582,7 @@ const revertCommand$2 = defineCommand({
 
 //#endregion
 //#region src/commands/channels/rollout/update.ts
-const updateCommand$3 = defineCommand({
+const updateCommand$4 = defineCommand({
 	meta: {
 		name: "update",
 		description: "Update the rollout percentage on a channel"
@@ -25308,8 +25621,8 @@ const rolloutCommand$1 = defineCommand({
 		description: "Manage channel branch rollouts"
 	},
 	subCommands: {
-		create: createCommand$2,
-		update: updateCommand$3,
+		create: createCommand$3,
+		update: updateCommand$4,
 		complete: completeCommand$1,
 		revert: revertCommand$2
 	}
@@ -25317,7 +25630,7 @@ const rolloutCommand$1 = defineCommand({
 
 //#endregion
 //#region src/commands/channels/update.ts
-const updateCommand$2 = defineCommand({
+const updateCommand$3 = defineCommand({
 	meta: {
 		name: "update",
 		description: "Relink a channel to a different branch"
@@ -25360,7 +25673,7 @@ const updateCommand$2 = defineCommand({
 
 //#endregion
 //#region src/commands/channels/view.ts
-const viewCommand$2 = defineCommand({
+const viewCommand$3 = defineCommand({
 	meta: {
 		name: "view",
 		description: "Show a channel by ID or name"
@@ -25383,7 +25696,7 @@ const viewCommand$2 = defineCommand({
 			page
 		} }))]);
 		const channel = channels.find((entry) => entry.id === args.target) ?? channels.find((entry) => entry.name === args.target);
-		if (!channel) return yield* Effect.fail(new ChannelCommandError({ message: `Channel "${args.target}" not found by ID or name.` }));
+		if (!channel) return yield* new ChannelCommandError({ message: `Channel "${args.target}" not found by ID or name.` });
 		const branchName = new Map(branches.map((branch) => [branch.id, branch.name])).get(channel.branchId) ?? channel.branchId;
 		yield* printHumanKeyValue([
 			["ID", channel.id],
@@ -25420,14 +25733,15 @@ const channelsCommand = defineCommand({
 		description: "Manage channels"
 	},
 	subCommands: {
-		list: listCommand$6,
-		view: viewCommand$2,
-		create: createCommand$3,
-		update: updateCommand$2,
+		list: listCommand$8,
+		view: viewCommand$3,
+		create: createCommand$4,
+		update: updateCommand$3,
 		pause: pauseCommand,
 		resume: resumeCommand,
-		delete: deleteCommand$4,
+		delete: deleteCommand$5,
 		rollout: rolloutCommand$1,
+		grants: grantsCommand$1,
 		insights: insightsCommand$1
 	}
 });
@@ -25808,7 +26122,7 @@ const announce = (heading) => Effect.gen(function* () {
 });
 const reportError = (label, cause) => Console.log(`✗ ${label}: ${cause instanceof Error ? cause.message : String(cause)}`);
 const safely = (label, effect) => effect.pipe(Effect.catchAll((cause) => reportError(label, cause)), Effect.asVoid);
-const safePrompt = (effect) => effect.pipe(Effect.catchAll(() => Effect.succeed(BACK)));
+const safePrompt = (effect) => effect.pipe(Effect.orElseSucceed(() => BACK));
 const promptForBundleConfig = (ctx) => Effect.gen(function* () {
 	const list = yield* ctx.api.iosBundleConfigurations.list({ path: { projectId: ctx.projectId } });
 	if (list.items.length === 0) return yield* new MissingCredentialsError({
@@ -26841,7 +27155,7 @@ const toRecipientView = (userEncryptionKeyId, key) => ({
 		fingerprint: key?.fingerprint
 	})
 });
-const listCommand$5 = defineCommand({
+const listCommand$7 = defineCommand({
 	meta: {
 		name: "list",
 		description: "List recipients that currently hold the org vault key"
@@ -27068,7 +27382,7 @@ const accessCommand = defineCommand({
 		description: "Inspect, grant, rotate, revoke, and recover access to the org credential vault"
 	},
 	subCommands: {
-		list: listCommand$5,
+		list: listCommand$7,
 		grant: grantCommand,
 		rotate: rotateCommand,
 		revoke: revokeCommand$1,
@@ -27277,7 +27591,7 @@ const CREDENTIAL_TYPES$3 = [
 	"keystore",
 	"google-service-account-key"
 ];
-const deleteCommand$3 = defineCommand({
+const deleteCommand$4 = defineCommand({
 	meta: {
 		name: "delete",
 		description: "Delete a credential"
@@ -27319,7 +27633,7 @@ const deleteCommand$3 = defineCommand({
 //#region src/commands/credentials/device.ts
 /** Self-linking is for your own device keys; recovery/machine keys go through `access grant`. */
 const requireDeviceKind = (target) => target.kind === "device" ? Effect.void : new IdentityError({ message: `Key ${target.id} is a ${target.kind} key, not a device. Use \`better-update credentials access grant\` for recovery/machine keys.` });
-const listCommand$4 = defineCommand({
+const listCommand$6 = defineCommand({
 	meta: {
 		name: "list",
 		description: "List your registered device keys (the active one is marked)"
@@ -27377,7 +27691,7 @@ const deviceCommand = defineCommand({
 		description: "Manage your vault device keys"
 	},
 	subCommands: {
-		list: listCommand$4,
+		list: listCommand$6,
 		link: linkCommand
 	},
 	default: "list"
@@ -27739,7 +28053,7 @@ const handleCertLimitInteractive = (api, ascApiKeyId, certificateType) => Effect
 		ascApiKeyId,
 		certificateType
 	});
-	if (certs.length === 0) return yield* Effect.fail(new CertificateLimitError({ message: "Apple says the certificate limit is hit but no existing certificates were returned — try again later." }));
+	if (certs.length === 0) return yield* new CertificateLimitError({ message: "Apple says the certificate limit is hit but no existing certificates were returned — try again later." });
 	const toRevoke = yield* promptMultiSelect("Select one or more certificates to revoke before retrying", certs.map((entry) => ({
 		value: entry.id,
 		label: `${entry.serialNumber.slice(0, 12)}… (${entry.displayName ?? entry.certificateType}, exp ${entry.expirationDate.slice(0, 10)})`
@@ -28032,7 +28346,7 @@ const printRecipient = (key) => printKeyValue([
 	["Recipient (public key)", key.publicKey],
 	["Fingerprint", key.fingerprint]
 ]);
-const createCommand$1 = defineCommand({
+const createCommand$2 = defineCommand({
 	meta: {
 		name: "create",
 		description: "Create this device's encryption identity and register it as a recipient"
@@ -28135,7 +28449,7 @@ const identityCommand = defineCommand({
 		description: "Manage this device's end-to-end encryption identity"
 	},
 	subCommands: {
-		create: createCommand$1,
+		create: createCommand$2,
 		init: initCommand$1,
 		register: registerCommand,
 		show: showCommand
@@ -28145,7 +28459,7 @@ const identityCommand = defineCommand({
 
 //#endregion
 //#region src/commands/credentials/list.ts
-const listCommand$3 = defineCommand({
+const listCommand$5 = defineCommand({
 	meta: {
 		name: "list",
 		description: "List credentials across platforms"
@@ -28501,7 +28815,7 @@ const writeArtifact = (fs, projectRoot, relPath, bytes) => Effect.gen(function*
 const writeText = (fs, projectRoot, relPath, text) => writeArtifact(fs, projectRoot, relPath, new TextEncoder().encode(text));
 const ensureGitignoreEntries = (fs, projectRoot, paths) => Effect.gen(function* () {
 	const filePath = path.join(projectRoot, ".gitignore");
-	const lines = ((yield* fs.exists(filePath).pipe(Effect.catchAll(() => Effect.succeed(false)))) ? yield* fs.readFileString(filePath).pipe(Effect.catchAll(() => Effect.succeed(""))) : "").split("\n");
+	const lines = ((yield* fs.exists(filePath).pipe(Effect.orElseSucceed(() => false))) ? yield* fs.readFileString(filePath).pipe(Effect.orElseSucceed(() => "")) : "").split("\n");
 	const added = [];
 	const next = [...lines];
 	for (const entry of paths) if (!lines.includes(entry)) {
@@ -29300,7 +29614,7 @@ const lookupByType = (api, id, type) => {
 		default: return Effect.fail(new CredentialValidationError({ message: `Unsupported credential type: ${String(type)}` }));
 	}
 };
-const viewCommand$1 = defineCommand({
+const viewCommand$2 = defineCommand({
 	meta: {
 		name: "view",
 		description: "Show details for a single credential (without secrets)"
@@ -29347,14 +29661,14 @@ const credentialsCommand = defineCommand({
 		unlock: unlockCommand,
 		lock: lockCommand,
 		status: statusCommand$1,
-		list: listCommand$3,
-		view: viewCommand$1,
+		list: listCommand$5,
+		view: viewCommand$2,
 		download: downloadCommand,
 		upload: uploadCommand,
 		"upload-asc-key": uploadAscKeyCommand,
 		generate: generateCommand$1,
 		"regenerate-profile": regenerateProfileCommand,
-		delete: deleteCommand$3,
+		delete: deleteCommand$4,
 		remove: removeCommand,
 		revoke: revokeCommand,
 		configure: configureCommand$1,
@@ -29721,6 +30035,7 @@ const devicesCommand = defineCommand({
 
 //#endregion
 //#region src/commands/doctor.ts
+var HealthCheckError = class extends Data.TaggedError("HealthCheckError") {};
 const pass = (id, name, message) => ({
 	id,
 	name,
@@ -29759,7 +30074,10 @@ const checkServerHealth = Effect.gen(function* () {
 	const url = `${yield* (yield* ConfigStore).getBaseUrl}/api/health`;
 	const response = yield* Effect.tryPromise({
 		try: async () => fetch(url, { signal: AbortSignal.timeout(3e3) }),
-		catch: (cause) => new Error(String(cause))
+		catch: (cause) => new HealthCheckError({
+			message: String(cause),
+			cause
+		})
 	}).pipe(Effect.either);
 	if (response._tag === "Left") return fail("health", "Server reachable", `${url} unreachable: ${response.left.message}`);
 	const res = response.right;
@@ -29850,19 +30168,19 @@ const envErrorExtras = {
 	SystemError: 6,
 	BadArgument: 6
 };
-const isEnvironmentName = (value) => value === "development" || value === "preview" || value === "production";
+const isEnvironmentName$1 = (value) => value === "development" || value === "preview" || value === "production";
 const parseEnvironmentsArg = (raw) => Effect.gen(function* () {
 	const tokens = raw.split(",").map((token) => token.trim()).filter((token) => token.length > 0);
 	if (tokens.length === 0) return yield* new InvalidArgumentError({ message: "Provide at least one environment (development, preview, production)." });
 	const seen = /* @__PURE__ */ new Set();
 	yield* Effect.forEach(tokens, (token) => Effect.gen(function* () {
-		if (!isEnvironmentName(token)) return yield* new InvalidArgumentError({ message: `Invalid environment "${token}". Must be one of: development, preview, production.` });
+		if (!isEnvironmentName$1(token)) return yield* new InvalidArgumentError({ message: `Invalid environment "${token}". Must be one of: development, preview, production.` });
 		seen.add(token);
 	}), { discard: true });
 	return [...seen];
 });
 const parseSingleEnvironmentArg = (raw) => Effect.gen(function* () {
-	if (!isEnvironmentName(raw)) return yield* new InvalidArgumentError({ message: `Invalid environment "${raw}". Must be one of: development, preview, production.` });
+	if (!isEnvironmentName$1(raw)) return yield* new InvalidArgumentError({ message: `Invalid environment "${raw}". Must be one of: development, preview, production.` });
 	return raw;
 });
 const formatEnvironments = (environments) => [...environments].toSorted((left, right) => left.localeCompare(right)).join(",");
@@ -29901,7 +30219,7 @@ const findProjectEnvVar = (api, projectId, key, environment) => Effect.gen(funct
 
 //#endregion
 //#region src/commands/env/delete.ts
-const deleteCommand$2 = defineCommand({
+const deleteCommand$3 = defineCommand({
 	meta: {
 		name: "delete",
 		description: "Delete a project env var (one environment, or every environment by default)"
@@ -29970,7 +30288,7 @@ const getExecTrailingArgv = () => trailing$1;
 const pullForExec = (api, projectId, environment) => pullEnvVars(api, {
 	projectId,
 	environment
-}).pipe(Effect.catchAll(() => Effect.succeed({})));
+}).pipe(Effect.orElseSucceed(() => ({})));
 const splitTrailing = (trailing) => {
 	if (!trailing || trailing.length === 0) return Effect.fail(new InvalidArgumentError({ message: "Pass the command after `--`. Example: `better-update env exec production -- bun run dev`." }));
 	const [bin, ...rest] = trailing;
@@ -30073,6 +30391,191 @@ const getCommand$1 = defineCommand({
 	}), envErrorExtras)
 });
 
+//#endregion
+//#region src/commands/env/grants/helpers.ts
+var EnvGrantCommandError = class extends Data.TaggedError("EnvGrantCommandError") {};
+const envGrantErrorExtras = { EnvGrantCommandError: 2 };
+/** Sentinel project token for the org-global env-var scope (mirrors server). */
+const ENV_GRANT_GLOBAL = "global";
+const ENVIRONMENTS = [
+	"development",
+	"preview",
+	"production"
+];
+/**
+* Type guard narrowing a raw arg to an {@link EnvironmentName}. Lets set/unset
+* validate `args.environment` AND narrow it without an unsafe `as` assertion.
+*/
+const isEnvironmentName = (value) => ENVIRONMENTS.includes(value);
+
+//#endregion
+//#region src/commands/env/grants/list.ts
+const listCommand$4 = defineCommand({
+	meta: {
+		name: "list",
+		description: "List env-var grants on a (project × environment) scope"
+	},
+	args: {
+		project: {
+			type: "string",
+			description: `Project id, or "${ENV_GRANT_GLOBAL}" for the org-global scope (default: linked project)`
+		},
+		global: {
+			type: "boolean",
+			default: false,
+			description: "Target the org-global env-var scope instead of a project"
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const projectId = args.global ? ENV_GRANT_GLOBAL : args.project ?? (yield* readProjectId);
+		yield* printList([
+			"Member ID",
+			"Environment",
+			"Effect",
+			"Actions"
+		], (yield* (yield* apiClient).envGrants.list({ urlParams: { projectId } })).map((row) => [
+			row.memberId,
+			row.environment,
+			row.effect,
+			row.actions.join(", ")
+		]), "No env-var grants found for this scope.");
+	}), { exits: { ...envGrantErrorExtras } })
+});
+
+//#endregion
+//#region src/commands/env/grants/set.ts
+const setCommand$2 = defineCommand({
+	meta: {
+		name: "set",
+		description: "Create or replace a member's env-var grant on a scope"
+	},
+	args: {
+		member: {
+			type: "string",
+			required: true,
+			description: "Member ID to grant"
+		},
+		environment: {
+			type: "string",
+			required: true,
+			description: "Environment: development | preview | production"
+		},
+		actions: {
+			type: "string",
+			description: "Comma-separated envVar:* tokens (default: envVar:read)"
+		},
+		effect: {
+			type: "string",
+			description: "allow (default) or deny"
+		},
+		project: {
+			type: "string",
+			description: `Project id (default: linked project)`
+		},
+		global: {
+			type: "boolean",
+			default: false,
+			description: "Target the org-global env-var scope"
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const effectValue = args.effect ?? "allow";
+		if (effectValue !== "allow" && effectValue !== "deny") return yield* new EnvGrantCommandError({ message: `Invalid effect "${effectValue}".` });
+		const { environment } = args;
+		if (!isEnvironmentName(environment)) return yield* new EnvGrantCommandError({ message: `Invalid environment "${environment}". One of: ${ENVIRONMENTS.join(", ")}.` });
+		const actionTokens = (args.actions ?? "envVar:read").split(",").map((tok) => tok.trim()).filter((tok) => tok.length > 0);
+		if (actionTokens.length === 0) return yield* new EnvGrantCommandError({ message: "At least one action token is required." });
+		const projectId = args.global ? null : args.project ?? (yield* readProjectId);
+		const grant = yield* (yield* apiClient).envGrants.upsert({ payload: {
+			memberId: args.member,
+			projectId,
+			environment,
+			effect: effectValue,
+			actions: actionTokens
+		} });
+		yield* printHumanKeyValue([
+			["ID", grant.id],
+			["Member ID", grant.memberId],
+			["Scope", grant.scopeId],
+			["Effect", grant.effect],
+			["Actions", grant.actions.join(", ")],
+			["Created", grant.createdAt]
+		]);
+		return grant;
+	}), { exits: { ...envGrantErrorExtras } })
+});
+
+//#endregion
+//#region src/commands/env/grants/unset.ts
+const unsetCommand = defineCommand({
+	meta: {
+		name: "unset",
+		description: "Revoke a member's env-var grants on a scope"
+	},
+	args: {
+		member: {
+			type: "string",
+			required: true,
+			description: "Member ID whose grants to revoke"
+		},
+		environment: {
+			type: "string",
+			required: true,
+			description: "Environment"
+		},
+		project: {
+			type: "string",
+			description: "Project id (default: linked project)"
+		},
+		global: {
+			type: "boolean",
+			default: false,
+			description: "Target the org-global scope"
+		},
+		yes: {
+			type: "boolean",
+			default: false,
+			description: "Skip confirmation prompt"
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const { environment } = args;
+		if (!isEnvironmentName(environment)) return yield* new EnvGrantCommandError({ message: `Invalid environment "${environment}".` });
+		if (!args.yes) {
+			const scopeLabel = args.global ? ENV_GRANT_GLOBAL : args.project ?? "linked project";
+			if (!(yield* promptConfirm(`Revoke env-var grants for member ${args.member} on ${scopeLabel}/${args.environment}?`, { initialValue: false }))) {
+				yield* printHuman("Cancelled.");
+				return { deleted: 0 };
+			}
+		}
+		const projectId = args.global ? null : args.project ?? (yield* readProjectId);
+		const result = yield* (yield* apiClient).envGrants.delete({ payload: {
+			memberId: args.member,
+			projectId,
+			environment
+		} });
+		yield* printHuman(`Revoked env-var grants for member ${args.member}.`);
+		return result;
+	}), {
+		exits: { ...envGrantErrorExtras },
+		json: "value"
+	})
+});
+
+//#endregion
+//#region src/commands/env/grants/index.ts
+const grantsCommand = defineCommand({
+	meta: {
+		name: "grants",
+		description: "Manage per-member env-var access grants on a (project × environment) scope"
+	},
+	subCommands: {
+		list: listCommand$4,
+		set: setCommand$2,
+		unset: unsetCommand
+	}
+});
+
 //#endregion
 //#region src/commands/env/history.ts
 const historyCommand = defineCommand({
@@ -30171,7 +30674,7 @@ const importCommand = defineCommand({
 
 //#endregion
 //#region src/commands/env/list.ts
-const listCommand$2 = defineCommand({
+const listCommand$3 = defineCommand({
 	meta: {
 		name: "list",
 		description: "List environment variable metadata. Values are end-to-end encrypted — read them with `env pull`, `env export`, or `env get`."
@@ -30437,7 +30940,7 @@ const setCommand$1 = defineCommand({
 
 //#endregion
 //#region src/commands/env/update.ts
-const updateCommand$1 = defineCommand({
+const updateCommand$2 = defineCommand({
 	meta: {
 		name: "update",
 		description: "Update a project env var's value or visibility for an environment"
@@ -30518,18 +31021,19 @@ const envCommand = defineCommand({
 		description: "Manage environment variables"
 	},
 	subCommands: {
-		list: listCommand$2,
+		list: listCommand$3,
 		get: getCommand$1,
 		set: setCommand$1,
-		update: updateCommand$1,
-		delete: deleteCommand$2,
+		update: updateCommand$2,
+		delete: deleteCommand$3,
 		history: historyCommand,
 		rollback: rollbackCommand$1,
 		import: importCommand,
 		push: pushCommand,
 		export: exportCommand,
 		pull: pullCommand,
-		exec: execCommand
+		exec: execCommand,
+		grants: grantsCommand
 	}
 });
 
@@ -30800,7 +31304,7 @@ const fingerprintCommand = defineCommand({
 const checkExistingLink = (api, config, localSlug) => Effect.gen(function* () {
 	const existingId = config.extra?.betterUpdate?.projectId;
 	if (typeof existingId !== "string" || existingId.length === 0) return "no-link";
-	const project = yield* api.projects.get({ path: { id: existingId } }).pipe(Effect.catchAll(() => Effect.succeed(void 0)));
+	const project = yield* api.projects.get({ path: { id: existingId } }).pipe(Effect.orElseSucceed(() => void 0));
 	if (project === void 0) {
 		yield* printHuman(`Existing projectId "${existingId}" not found on server. Re-linking by local slug "${localSlug}".`);
 		return "stale";
@@ -30820,9 +31324,9 @@ const checkExistingLink = (api, config, localSlug) => Effect.gen(function* () {
 const slugify = (value) => value.toLowerCase().replaceAll(/[^a-z0-9]+/gu, "-").replaceAll(/^-+|-+$/gu, "");
 /** Best-effort `name` from the local package.json, or undefined when absent. */
 const readPackageJsonName = (projectRoot) => Effect.gen(function* () {
-	const content = yield* (yield* FileSystem.FileSystem).readFileString(path.join(projectRoot, "package.json")).pipe(Effect.catchAll(() => Effect.succeed("")));
+	const content = yield* (yield* FileSystem.FileSystem).readFileString(path.join(projectRoot, "package.json")).pipe(Effect.orElseSucceed(() => ""));
 	if (content.length === 0) return;
-	const parsed = yield* Effect.try(() => JSON.parse(content)).pipe(Effect.catchAll(() => Effect.succeed(void 0)));
+	const parsed = yield* Effect.try(() => JSON.parse(content)).pipe(Effect.orElseSucceed(() => void 0));
 	const name = isRecord(parsed) ? parsed["name"] : void 0;
 	return typeof name === "string" && name.length > 0 ? name : void 0;
 });
@@ -31066,7 +31570,7 @@ const openCommand = defineCommand({
 
 //#endregion
 //#region src/commands/projects.ts
-const listCommand$1 = defineCommand({
+const listCommand$2 = defineCommand({
 	meta: {
 		name: "list",
 		description: "List projects (most recently active first)"
@@ -31117,7 +31621,7 @@ const listCommand$1 = defineCommand({
 		yield* printHuman(`Page ${result.page} · ${result.items.length} of ${result.total} project(s)`);
 	}))
 });
-const createCommand = defineCommand({
+const createCommand$1 = defineCommand({
 	meta: {
 		name: "create",
 		description: "Create a new project"
@@ -31195,7 +31699,7 @@ const renameCommand = defineCommand({
 		return project;
 	}), { json: "value" })
 });
-const deleteCommand$1 = defineCommand({
+const deleteCommand$2 = defineCommand({
 	meta: {
 		name: "delete",
 		description: "Delete a project"
@@ -31220,10 +31724,229 @@ const projectsCommand = defineCommand({
 		description: "Manage projects"
 	},
 	subCommands: {
-		list: listCommand$1,
-		create: createCommand,
+		list: listCommand$2,
+		create: createCommand$1,
 		get: getCommand,
 		rename: renameCommand,
+		delete: deleteCommand$2
+	}
+});
+
+//#endregion
+//#region src/commands/roles/helpers.ts
+var RoleCommandError = class extends Data.TaggedError("RoleCommandError") {};
+const roleErrorExtras = { RoleCommandError: 2 };
+/**
+* Parse comma-separated "resource:action" tokens into the PermissionGrant array
+* the API expects. Multiple actions for the same resource are grouped.
+*
+* Input examples:
+*   "channel:read,channel:update"
+*   "channel:read, rollout:create, rollout:update"
+*/
+const parsePermissionTokens = (raw) => Effect.gen(function* () {
+	const tokens = raw.split(",").map((tok) => tok.trim()).filter((tok) => tok.length > 0);
+	const grouped = /* @__PURE__ */ new Map();
+	for (const token of tokens) {
+		const colonIdx = token.indexOf(":");
+		if (colonIdx === -1) return yield* new RoleCommandError({ message: `Invalid permission token "${token}" — expected "resource:action" format.` });
+		const resource = token.slice(0, colonIdx).trim();
+		const action = token.slice(colonIdx + 1).trim();
+		if (!resource || !action) return yield* new RoleCommandError({ message: `Invalid permission token "${token}" — resource and action must be non-empty.` });
+		const actions = grouped.get(resource) ?? /* @__PURE__ */ new Set();
+		actions.add(action);
+		grouped.set(resource, actions);
+	}
+	return [...grouped.entries()].map(([resource, actions]) => ({
+		resource,
+		actions: [...actions]
+	}));
+});
+
+//#endregion
+//#region src/commands/roles/create.ts
+const createCommand = defineCommand({
+	meta: {
+		name: "create",
+		description: "Create a custom role"
+	},
+	args: {
+		name: {
+			type: "string",
+			required: true,
+			description: "Role name (unique per organization)"
+		},
+		permission: {
+			type: "string",
+			required: true,
+			description: "Permission tokens in resource:action format, comma-separated (e.g. channel:read,channel:update)"
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const permissions = yield* parsePermissionTokens(args.permission);
+		const role = yield* (yield* apiClient).roles.create({ payload: {
+			name: args.name,
+			permissions
+		} });
+		yield* printHumanKeyValue([
+			["ID", role.id],
+			["Name", role.role],
+			["Permissions", role.permissions.map((perm) => `${perm.resource}:[${perm.actions.join(",")}]`).join("; ")],
+			["Created", role.createdAt]
+		]);
+		return role;
+	}), {
+		exits: roleErrorExtras,
+		json: "value"
+	})
+});
+
+//#endregion
+//#region src/commands/roles/delete.ts
+const deleteCommand$1 = defineCommand({
+	meta: {
+		name: "delete",
+		description: "Delete a custom role"
+	},
+	args: {
+		id: {
+			type: "positional",
+			required: true,
+			description: "Role ID"
+		},
+		yes: {
+			type: "boolean",
+			description: "Skip confirmation prompt"
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		if (!args.yes) {
+			if (!(yield* promptConfirm(`Delete role ${args.id}?`, { initialValue: false }))) {
+				yield* printHuman("Cancelled.");
+				return { deleted: 0 };
+			}
+		}
+		const result = yield* (yield* apiClient).roles.delete({ path: { id: args.id } });
+		yield* printHuman(`Role ${args.id} deleted.`);
+		return result;
+	}), {
+		exits: roleErrorExtras,
+		json: "value"
+	})
+});
+
+//#endregion
+//#region src/commands/roles/list.ts
+const listCommand$1 = defineCommand({
+	meta: {
+		name: "list",
+		description: "List custom roles for the active organization"
+	},
+	args: { "organization-id": {
+		type: "string",
+		required: true,
+		description: "Organization ID to list roles for"
+	} },
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		yield* printList([
+			"ID",
+			"Name",
+			"Permissions",
+			"Created"
+		], (yield* (yield* apiClient).roles.list({ urlParams: { organizationId: args["organization-id"] } })).map((role) => [
+			role.id,
+			role.role,
+			role.permissions.map((perm) => `${perm.resource}:[${perm.actions.join(",")}]`).join("; "),
+			role.createdAt
+		]), "No custom roles found.");
+	}), roleErrorExtras)
+});
+
+//#endregion
+//#region src/commands/roles/update.ts
+const updateCommand$1 = defineCommand({
+	meta: {
+		name: "update",
+		description: "Update a custom role's name or permissions"
+	},
+	args: {
+		id: {
+			type: "positional",
+			required: true,
+			description: "Role ID"
+		},
+		name: {
+			type: "string",
+			description: "New role name"
+		},
+		permission: {
+			type: "string",
+			description: "Replacement permission tokens in resource:action format, comma-separated (e.g. channel:read,channel:update)"
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const permissions = args.permission === void 0 ? void 0 : yield* parsePermissionTokens(args.permission);
+		const role = yield* (yield* apiClient).roles.update({
+			path: { id: args.id },
+			payload: compact({
+				name: args.name,
+				permissions
+			})
+		});
+		yield* printHumanKeyValue([
+			["ID", role.id],
+			["Name", role.role],
+			["Permissions", role.permissions.map((perm) => `${perm.resource}:[${perm.actions.join(",")}]`).join("; ")],
+			["Updated", role.updatedAt ?? "-"]
+		]);
+		return role;
+	}), {
+		exits: roleErrorExtras,
+		json: "value"
+	})
+});
+
+//#endregion
+//#region src/commands/roles/view.ts
+const viewCommand$1 = defineCommand({
+	meta: {
+		name: "view",
+		description: "Show a custom role by ID"
+	},
+	args: { id: {
+		type: "positional",
+		required: true,
+		description: "Role ID"
+	} },
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const role = yield* (yield* apiClient).roles.get({ path: { id: args.id } });
+		yield* printHumanKeyValue([
+			["ID", role.id],
+			["Name", role.role],
+			["Organization ID", role.organizationId],
+			["Permissions", role.permissions.map((perm) => `${perm.resource}:[${perm.actions.join(",")}]`).join("; ")],
+			["Created", role.createdAt],
+			["Updated", role.updatedAt ?? "-"]
+		]);
+		return role;
+	}), {
+		exits: roleErrorExtras,
+		json: "value"
+	})
+});
+
+//#endregion
+//#region src/commands/roles/index.ts
+const rolesCommand = defineCommand({
+	meta: {
+		name: "roles",
+		description: "Manage custom organization roles"
+	},
+	subCommands: {
+		list: listCommand$1,
+		view: viewCommand$1,
+		create: createCommand,
+		update: updateCommand$1,
 		delete: deleteCommand$1
 	}
 });
@@ -32872,7 +33595,7 @@ const runPatchPhase = (input) => Effect.gen(function* () {
 		runtimeVersion: input.runtimeVersion,
 		platform: input.platform,
 		limit: Math.max(1, input.baseWindow)
-	} }).pipe(Effect.catchAll(() => Effect.succeed([])));
+	} }).pipe(Effect.orElseSucceed(() => []));
 	const bases = selectBaseWindow(candidates, {
 		newUpdateId: input.newUpdateId,
 		maxRecent: input.baseWindow
@@ -32888,7 +33611,7 @@ const runPatchPhase = (input) => Effect.gen(function* () {
 			bestSavingsPct: void 0
 		};
 	}
-	const newBundleBytes = yield* sha256File(input.newLaunchPath).pipe(Effect.map((result) => result.byteSize), Effect.catchAll(() => Effect.succeed(void 0)));
+	const newBundleBytes = yield* sha256File(input.newLaunchPath).pipe(Effect.map((result) => result.byteSize), Effect.orElseSucceed(() => void 0));
 	yield* printHuman(`Diffing against ${bases.length} base(s) (window=${input.baseWindow}; ${candidates.length} candidate(s) available).`);
 	const uploadedOutcomes = (yield* Effect.forEach(bases, (base, index) => Effect.gen(function* () {
 		const basePath = path.join(input.workDir, `base-${index}.bundle`);
@@ -32983,7 +33706,7 @@ const dedupeAssetsByHash = (assets) => uniqBy(assets, (asset) => asset.hash);
 * is informational, so a fingerprint failure resolves to `undefined` rather than
 * failing the publish.
 */
-const resolvePlatformFingerprintHash = (projectRoot, platform) => runFingerprintForPlatform(projectRoot, platform).pipe(Effect.map((result) => result.hash), Effect.catchAll(() => Effect.succeed(void 0)));
+const resolvePlatformFingerprintHash = (projectRoot, platform) => runFingerprintForPlatform(projectRoot, platform).pipe(Effect.map((result) => result.hash), Effect.orElseSucceed(() => void 0));
 const preparePlatformAssets = ({ exportDir, platform }) => Effect.gen(function* () {
 	const exportedAssets = yield* readExpoExportAssets({
 		exportDir,
@@ -33079,7 +33802,7 @@ const publishPlatform = (params) => Effect.gen(function* () {
 	const uploadDetailsByHash = new Map(assetRegistration.uploaded.map((asset) => [asset.hash, asset]));
 	yield* Effect.forEach(uniqueAssets.filter((asset) => uploadDetailsByHash.has(asset.hash)), (asset) => Effect.gen(function* () {
 		const detail = uploadDetailsByHash.get(asset.hash);
-		if (!detail) return yield* Effect.fail(new UpdatePublishError({ message: `Missing upload details for asset ${asset.hash}` }));
+		if (!detail) return yield* new UpdatePublishError({ message: `Missing upload details for asset ${asset.hash}` });
 		return yield* assetUploader.uploadAssetBinary({
 			path: asset.path,
 			hash: asset.hash,
@@ -34464,6 +35187,7 @@ const commandRegistry = {
 	projects: projectsCommand,
 	branches: branchesCommand,
 	channels: channelsCommand,
+	roles: rolesCommand,
 	build: buildCommand,
 	builds: buildsCommand,
 	credentials: credentialsCommand,