@better-update/cli 0.26.1 → 0.28.0

package/dist/index.mjs

@@ -34,7 +34,7 @@ var __require = /* @__PURE__ */ createRequire(import.meta.url);
 
 //#endregion
 //#region package.json
-var version = "0.26.1";
+var version = "0.28.0";
 
 //#endregion
 //#region src/lib/interactive-mode.ts
@@ -67,6 +67,7 @@ const cookieSecurity = HttpApiSecurity.apiKey({
 	key: "__Secure-better-auth.session_token",
 	in: "cookie"
 });
+/** @effect-expect-leaking HttpServerRequest | ParsedSearchParams | RouteContext */
 var Authentication = class extends HttpApiMiddleware.Tag()("api/Authentication", {
 	failure: Schema.Union(Unauthorized, Forbidden),
 	provides: AuthContext,
@@ -526,6 +527,49 @@ var AndroidUploadKeystoresGroup = class extends HttpApiGroup.make("androidUpload
 	description: "Manage Android signing keystores"
 })) {};
 
+//#endregion
+//#region ../../packages/api/src/domain/api-key.ts
+var ApiKey = class extends Schema.Class("ApiKey")({
+	id: Id,
+	name: Schema.NullOr(Schema.String),
+	start: Schema.NullOr(Schema.String),
+	prefix: Schema.NullOr(Schema.String),
+	enabled: Schema.Boolean,
+	createdAt: DateTimeString,
+	expiresAt: Schema.NullOr(DateTimeString)
+}) {};
+var CreatedApiKey = class extends Schema.Class("CreatedApiKey")({
+	id: Id,
+	name: Schema.NullOr(Schema.String),
+	start: Schema.NullOr(Schema.String),
+	prefix: Schema.NullOr(Schema.String),
+	enabled: Schema.Boolean,
+	createdAt: DateTimeString,
+	expiresAt: Schema.NullOr(DateTimeString),
+	key: Schema.String
+}) {};
+const CreateApiKeyBody = Schema.Struct({
+	name: Name120,
+	expiresInDays: Schema.optional(Schema.Number.pipe(Schema.int(), Schema.positive()))
+});
+const ApiKeyList = Schema.Struct({ items: Schema.Array(ApiKey) });
+
+//#endregion
+//#region ../../packages/api/src/groups/api-keys.ts
+var ApiKeysGroup = class extends HttpApiGroup.make("api-keys").add(HttpApiEndpoint.get("list", "/api/api-keys").addSuccess(ApiKeyList).annotateContext(OpenApi.annotations({
+	title: "List API keys",
+	description: "List the active organization's API keys (hashed secret never exposed; only the `start` prefix for identification)"
+}))).add(HttpApiEndpoint.post("create", "/api/api-keys").setPayload(CreateApiKeyBody).addSuccess(CreatedApiKey, { status: 201 }).annotateContext(OpenApi.annotations({
+	title: "Create API key",
+	description: "Mint a new API key for the active organization. The plaintext key is returned ONCE; only its hash is stored"
+}))).add(HttpApiEndpoint.del("revoke")`/api/api-keys/${idParam}`.addSuccess(DeletedResult).annotateContext(OpenApi.annotations({
+	title: "Revoke API key",
+	description: "Delete an API key by id (org-scoped; no cross-organization deletes)"
+}))).addError(NotFound).addError(Forbidden).annotateContext(OpenApi.annotations({
+	title: "API Keys",
+	description: "IAM-gated organization API key mint / list / revoke"
+})) {};
+
 //#endregion
 //#region ../../packages/api/src/domain/apple-team.ts
 const AppleTeamType = Schema.Literal("IN_HOUSE", "COMPANY_ORGANIZATION", "INDIVIDUAL");
@@ -860,7 +904,7 @@ var AssetsGroup = class extends HttpApiGroup.make("assets").add(HttpApiEndpoint.
 
 //#endregion
 //#region ../../packages/api/src/domain/audit-log.ts
-const AuditLogResourceType = Schema.Literal("project", "branch", "channel", "update", "build", "appleCredential", "androidCredential", "iosBundleConfiguration", "envVar", "device", "webhook", "iosAppMetadata", "submission", "vaultAccess");
+const AuditLogResourceType = Schema.Literal("project", "branch", "channel", "update", "build", "appleCredential", "androidCredential", "iosBundleConfiguration", "envVar", "device", "webhook", "iosAppMetadata", "submission", "vaultAccess", "policy", "group", "policyAttachment", "apiKey", "invitation", "member", "organization");
 const AuditLogSource = Schema.Literal("session", "api-key");
 var AuditLog = class extends Schema.Class("AuditLog")({
 	id: Id,
@@ -1656,6 +1700,97 @@ var GoogleServiceAccountKeysGroup = class extends HttpApiGroup.make("googleServi
 	description: "Manage Google Play + FCM service account JSON keys"
 })) {};
 
+//#endregion
+//#region ../../packages/api/src/domain/group.ts
+var Group = class extends Schema.Class("Group")({
+	id: Id,
+	organizationId: Id,
+	name: Schema.NonEmptyString,
+	description: Schema.NullOr(Schema.String),
+	createdAt: DateTimeString,
+	updatedAt: Schema.NullOr(DateTimeString)
+}) {};
+const CreateGroupBody = Schema.Struct({
+	name: Schema.NonEmptyString,
+	description: Schema.optional(Schema.String)
+});
+const UpdateGroupBody = Schema.Struct({
+	name: Schema.optional(Schema.NonEmptyString),
+	description: Schema.optional(Schema.NullOr(Schema.String))
+});
+var GroupMember = class extends Schema.Class("GroupMember")({
+	memberId: Id,
+	createdAt: DateTimeString
+}) {};
+const AddGroupMemberBody = Schema.Struct({ memberId: Id });
+
+//#endregion
+//#region ../../packages/api/src/groups/groups.ts
+/** `:memberId` path parameter — the `member.id` of a group member. */
+const memberIdParam = HttpApiSchema.param("memberId", Id);
+var GroupsGroup = class extends HttpApiGroup.make("groups").add(HttpApiEndpoint.get("list", "/api/groups").addSuccess(Schema.Struct({ items: Schema.Array(Group) })).annotateContext(OpenApi.annotations({
+	title: "List groups",
+	description: "List member groups in the active organization"
+}))).add(HttpApiEndpoint.post("create", "/api/groups").setPayload(CreateGroupBody).addSuccess(Group, { status: 201 }).annotateContext(OpenApi.annotations({
+	title: "Create group",
+	description: "Create a member group for the active organization"
+}))).add(HttpApiEndpoint.get("get")`/api/groups/${idParam}`.addSuccess(Group).annotateContext(OpenApi.annotations({
+	title: "Get group",
+	description: "Fetch a single group by id"
+}))).add(HttpApiEndpoint.patch("update")`/api/groups/${idParam}`.setPayload(UpdateGroupBody).addSuccess(Group).annotateContext(OpenApi.annotations({
+	title: "Update group",
+	description: "Update a group's name or description"
+}))).add(HttpApiEndpoint.del("delete")`/api/groups/${idParam}`.addSuccess(DeletedResult).annotateContext(OpenApi.annotations({
+	title: "Delete group",
+	description: "Delete a group and sweep its memberships and policy attachments"
+}))).add(HttpApiEndpoint.get("listMembers")`/api/groups/${idParam}/members`.addSuccess(Schema.Struct({ items: Schema.Array(GroupMember) })).annotateContext(OpenApi.annotations({
+	title: "List group members",
+	description: "List the members belonging to a group"
+}))).add(HttpApiEndpoint.post("addMember")`/api/groups/${idParam}/members`.setPayload(AddGroupMemberBody).addSuccess(GroupMember, { status: 201 }).annotateContext(OpenApi.annotations({
+	title: "Add group member",
+	description: "Add an organization member to a group"
+}))).add(HttpApiEndpoint.del("removeMember")`/api/groups/${idParam}/members/${memberIdParam}`.addSuccess(DeletedResult).annotateContext(OpenApi.annotations({
+	title: "Remove group member",
+	description: "Remove a member from a group"
+}))).addError(NotFound).addError(Conflict).addError(BadRequest).addError(Forbidden).annotateContext(OpenApi.annotations({
+	title: "Groups",
+	description: "Member groups for collective policy attachment"
+})) {};
+
+//#endregion
+//#region ../../packages/api/src/domain/invitation.ts
+var Invitation = class extends Schema.Class("Invitation")({
+	id: Id,
+	email: Schema.String,
+	role: Schema.NullOr(Schema.String),
+	status: Schema.String,
+	expiresAt: DateTimeString,
+	createdAt: DateTimeString
+}) {};
+const EMAIL_PATTERN = /^[^\s@]+@[^\s@]+\.[^\s@]+$/u;
+const InvitableRole = Schema.Literal("member");
+const CreateInvitationBody = Schema.Struct({
+	email: Schema.String.pipe(Schema.minLength(1), Schema.maxLength(320), Schema.pattern(EMAIL_PATTERN)),
+	role: Schema.optional(InvitableRole)
+});
+const InvitationList = Schema.Struct({ items: Schema.Array(Invitation) });
+
+//#endregion
+//#region ../../packages/api/src/groups/invitations.ts
+var InvitationsGroup = class extends HttpApiGroup.make("invitations").add(HttpApiEndpoint.get("list", "/api/invitations").addSuccess(InvitationList).annotateContext(OpenApi.annotations({
+	title: "List invitations",
+	description: "List the active organization's invitations (all statuses, newest first)"
+}))).add(HttpApiEndpoint.post("create", "/api/invitations").setPayload(CreateInvitationBody).addSuccess(Invitation, { status: 201 }).annotateContext(OpenApi.annotations({
+	title: "Create invitation",
+	description: "Invite a member to the active organization. Writes a pending `invitation` row (better-auth's accept-invitation consumes it) and sends the invite email"
+}))).add(HttpApiEndpoint.del("cancel")`/api/invitations/${idParam}`.addSuccess(DeletedResult).annotateContext(OpenApi.annotations({
+	title: "Cancel invitation",
+	description: "Cancel a pending invitation by id (org-scoped). A canceled invitation can no longer be accepted"
+}))).addError(NotFound).addError(Forbidden).annotateContext(OpenApi.annotations({
+	title: "Invitations",
+	description: "IAM-gated organization invitation create / list / cancel"
+})) {};
+
 //#endregion
 //#region ../../packages/api/src/domain/ios-app-metadata.ts
 const AscAppId = Schema.String.pipe(Schema.pattern(/^[0-9]{1,30}$/u, { message: () => "ASC App ID must be 1-30 digits" }));
@@ -1792,7 +1927,13 @@ const Me = Schema.Struct({
 	/** Authentication source — "session" for browser + CLI sessions, "api-key" for API-key (CI) bearer tokens. */
 	source: Schema.Literal("session", "api-key"),
 	/** Email or descriptor identifying the actor — useful when `user` is null (api-key auth). */
-	actorEmail: Schema.String
+	actorEmail: Schema.String,
+	/** Holds `invitation:create` on `org` — gates the Invite button. */
+	canInviteMembers: Schema.Boolean,
+	/** Holds `member:delete` on `org` — gates the per-member Remove action. */
+	canRemoveMembers: Schema.Boolean,
+	/** Holds `policy:update` on `org` — gates the per-member Manage-policies action. */
+	canManagePolicies: Schema.Boolean
 });
 
 //#endregion
@@ -1805,6 +1946,16 @@ var MeGroup = class extends HttpApiGroup.make("me").add(HttpApiEndpoint.get("get
 	description: "Current authenticated actor information"
 })) {};
 
+//#endregion
+//#region ../../packages/api/src/groups/members.ts
+var MembersGroup = class extends HttpApiGroup.make("members").add(HttpApiEndpoint.del("remove")`/api/members/${idParam}`.addSuccess(DeletedResult).annotateContext(OpenApi.annotations({
+	title: "Remove member",
+	description: "Remove a member from the active organization by member id (org-scoped; no cross-organization removes). Rejects removing the last owner (409). Membership role is `owner | member`; admin/developer/viewer access comes from policy attachments, not the role"
+}))).addError(NotFound).addError(Conflict).addError(Forbidden).annotateContext(OpenApi.annotations({
+	title: "Members",
+	description: "IAM-gated organization member removal"
+})) {};
+
 //#endregion
 //#region ../../packages/api/src/groups/org-vault.ts
 /** `:keyId` path parameter — a registered recipient's `user_encryption_keys.id`. */
@@ -1835,6 +1986,134 @@ var OrgVaultGroup = class extends HttpApiGroup.make("orgVault").add(HttpApiEndpo
 	description: "Manage the organization's end-to-end encrypted vault key wraps"
 })) {};
 
+//#endregion
+//#region ../../packages/api/src/domain/organization.ts
+var Organization = class extends Schema.Class("Organization")({
+	id: Id,
+	name: Schema.String,
+	slug: Schema.String
+}) {};
+const UpdateOrganizationBody = Schema.Struct({
+	name: Schema.optional(Schema.String.pipe(Schema.minLength(1), Schema.maxLength(120))),
+	slug: Schema.optional(Schema.String.pipe(Schema.minLength(1), Schema.maxLength(120)))
+});
+
+//#endregion
+//#region ../../packages/api/src/groups/organization.ts
+var OrganizationGroup = class extends HttpApiGroup.make("organization").add(HttpApiEndpoint.patch("update", "/api/organization").setPayload(UpdateOrganizationBody).addSuccess(Organization).annotateContext(OpenApi.annotations({
+	title: "Update organization",
+	description: "Rename / re-slug the active organization (IAM-gated by organization:update)"
+}))).addError(NotFound).addError(Conflict).addError(Forbidden).annotateContext(OpenApi.annotations({
+	title: "Organization",
+	description: "IAM-gated active-organization settings"
+})) {};
+
+//#endregion
+//#region ../../packages/api/src/domain/policy.ts
+/** Whether a statement grants or denies the matched actions. */
+const PolicyEffect = Schema.Literal("allow", "deny");
+const PolicyStatement = Schema.Struct({
+	effect: PolicyEffect,
+	actions: Schema.Array(Schema.String).pipe(Schema.minItems(1)),
+	resources: Schema.Array(Schema.String).pipe(Schema.minItems(1))
+});
+const PolicyDocument = Schema.Struct({ statements: Schema.Array(PolicyStatement) });
+var Policy = class extends Schema.Class("Policy")({
+	id: Id,
+	organizationId: Id,
+	name: Schema.NonEmptyString,
+	description: Schema.NullOr(Schema.String),
+	document: PolicyDocument,
+	createdAt: DateTimeString,
+	updatedAt: Schema.NullOr(DateTimeString)
+}) {};
+const CreatePolicyBody = Schema.Struct({
+	name: Schema.NonEmptyString,
+	description: Schema.optional(Schema.String),
+	document: PolicyDocument
+});
+const UpdatePolicyBody = Schema.Struct({
+	name: Schema.optional(Schema.NonEmptyString),
+	description: Schema.optional(Schema.NullOr(Schema.String)),
+	document: Schema.optional(PolicyDocument)
+});
+
+//#endregion
+//#region ../../packages/api/src/groups/policies.ts
+var PoliciesGroup = class extends HttpApiGroup.make("policies").add(HttpApiEndpoint.get("list", "/api/policies").addSuccess(Schema.Struct({ items: Schema.Array(Policy) })).annotateContext(OpenApi.annotations({
+	title: "List policies",
+	description: "List policies in the active organization, merging the read-only managed presets (admin/developer/viewer) into the list"
+}))).add(HttpApiEndpoint.post("create", "/api/policies").setPayload(CreatePolicyBody).addSuccess(Policy, { status: 201 }).annotateContext(OpenApi.annotations({
+	title: "Create policy",
+	description: "Create a named IAM policy document for the active organization"
+}))).add(HttpApiEndpoint.get("get")`/api/policies/${idParam}`.addSuccess(Policy).annotateContext(OpenApi.annotations({
+	title: "Get policy",
+	description: "Fetch a single policy by id, resolving real ids or managed:* preset ids"
+}))).add(HttpApiEndpoint.patch("update")`/api/policies/${idParam}`.setPayload(UpdatePolicyBody).addSuccess(Policy).annotateContext(OpenApi.annotations({
+	title: "Update policy",
+	description: "Update a policy's name, description, or document; managed:* ids are rejected"
+}))).add(HttpApiEndpoint.del("delete")`/api/policies/${idParam}`.addSuccess(DeletedResult).annotateContext(OpenApi.annotations({
+	title: "Delete policy",
+	description: "Delete a policy and sweep its attachments; managed:* ids are rejected"
+}))).addError(NotFound).addError(Conflict).addError(BadRequest).addError(Forbidden).annotateContext(OpenApi.annotations({
+	title: "Policies",
+	description: "IAM policy documents (named, reusable permission grants)"
+})) {};
+
+//#endregion
+//#region ../../packages/api/src/domain/policy-attachment.ts
+/** Whether an attachment binds a policy to a member, a group, or an api-key. */
+const PrincipalType = Schema.Literal("member", "group", "apikey");
+var PolicyAttachment = class extends Schema.Class("PolicyAttachment")({
+	id: Id,
+	organizationId: Id,
+	policyId: Schema.String,
+	principalType: PrincipalType,
+	principalId: Id,
+	createdAt: DateTimeString
+}) {};
+const AttachPolicyBody = Schema.Struct({ policyId: Schema.String });
+
+//#endregion
+//#region ../../packages/api/src/groups/policy-attachments.ts
+/**
+* `:policyId` path parameter — a real `policy.id` or a managed preset id. Managed
+* ids contain a colon (`managed:admin`); the single path segment matches it as-is,
+* and clients URL-encode the colon when building the path.
+*/
+const policyIdParam = HttpApiSchema.param("policyId", Schema.String);
+var PolicyAttachmentsGroup = class extends HttpApiGroup.make("policy-attachments").add(HttpApiEndpoint.get("listForMember")`/api/members/${idParam}/policies`.addSuccess(Schema.Struct({ items: Schema.Array(PolicyAttachment) })).annotateContext(OpenApi.annotations({
+	title: "List member policy attachments",
+	description: "List policies attached directly to an organization member"
+}))).add(HttpApiEndpoint.post("attachToMember")`/api/members/${idParam}/policies`.setPayload(AttachPolicyBody).addSuccess(PolicyAttachment, { status: 201 }).annotateContext(OpenApi.annotations({
+	title: "Attach policy to member",
+	description: "Attach a policy (real or managed) directly to a member"
+}))).add(HttpApiEndpoint.del("detachFromMember")`/api/members/${idParam}/policies/${policyIdParam}`.addSuccess(DeletedResult).annotateContext(OpenApi.annotations({
+	title: "Detach policy from member",
+	description: "Remove a policy attachment from a member"
+}))).add(HttpApiEndpoint.get("listForGroup")`/api/groups/${idParam}/policies`.addSuccess(Schema.Struct({ items: Schema.Array(PolicyAttachment) })).annotateContext(OpenApi.annotations({
+	title: "List group policy attachments",
+	description: "List policies attached to a group"
+}))).add(HttpApiEndpoint.post("attachToGroup")`/api/groups/${idParam}/policies`.setPayload(AttachPolicyBody).addSuccess(PolicyAttachment, { status: 201 }).annotateContext(OpenApi.annotations({
+	title: "Attach policy to group",
+	description: "Attach a policy (real or managed) to a group; members inherit it"
+}))).add(HttpApiEndpoint.del("detachFromGroup")`/api/groups/${idParam}/policies/${policyIdParam}`.addSuccess(DeletedResult).annotateContext(OpenApi.annotations({
+	title: "Detach policy from group",
+	description: "Remove a policy attachment from a group"
+}))).add(HttpApiEndpoint.get("listForApiKey")`/api/api-keys/${idParam}/policies`.addSuccess(Schema.Struct({ items: Schema.Array(PolicyAttachment) })).annotateContext(OpenApi.annotations({
+	title: "List api-key policy attachments",
+	description: "List policies attached to an api-key principal"
+}))).add(HttpApiEndpoint.post("attachToApiKey")`/api/api-keys/${idParam}/policies`.setPayload(AttachPolicyBody).addSuccess(PolicyAttachment, { status: 201 }).annotateContext(OpenApi.annotations({
+	title: "Attach policy to api-key",
+	description: "Attach a policy (real or managed) to an api-key principal"
+}))).add(HttpApiEndpoint.del("detachFromApiKey")`/api/api-keys/${idParam}/policies/${policyIdParam}`.addSuccess(DeletedResult).annotateContext(OpenApi.annotations({
+	title: "Detach policy from api-key",
+	description: "Remove a policy attachment from an api-key principal"
+}))).addError(NotFound).addError(Conflict).addError(BadRequest).addError(Forbidden).annotateContext(OpenApi.annotations({
+	title: "Policy Attachments",
+	description: "Bindings of policies to member, group, and api-key principals"
+})) {};
+
 //#endregion
 //#region ../../packages/api/src/domain/project.ts
 var Project = class extends Schema.Class("Project")({
@@ -2155,7 +2434,7 @@ var WebhooksGroup = class extends HttpApiGroup.make("webhooks").add(HttpApiEndpo
 
 //#endregion
 //#region ../../packages/api/src/api.ts
-var ManagementApi = class extends HttpApi.make("management-api").add(ProjectsGroup).add(BranchesGroup).add(ChannelsGroup).add(UpdatesGroup).add(AssetsGroup).add(AnalyticsGroup).add(BuildsGroup).add(EnvVarsGroup).add(FingerprintsGroup).add(AuditLogsGroup).add(DevicesGroup).add(AppleTeamsGroup).add(AppleDistributionCertificatesGroup).add(ApplePushKeysGroup).add(AscApiKeysGroup).add(AppleProvisioningProfilesGroup).add(GoogleServiceAccountKeysGroup).add(IosBundleConfigurationsGroup).add(IosAppMetadataGroup).add(SubmissionsGroup).add(AndroidApplicationIdentifiersGroup).add(AndroidUploadKeystoresGroup).add(AndroidBuildCredentialsGroup).add(BuildCredentialsGroup).add(UserEncryptionKeysGroup).add(OrgVaultGroup).add(MeGroup).add(WebhooksGroup).add(AdminGroup).middleware(Authentication).annotateContext(OpenApi.annotations({
+var ManagementApi = class extends HttpApi.make("management-api").add(ProjectsGroup).add(BranchesGroup).add(ChannelsGroup).add(UpdatesGroup).add(AssetsGroup).add(AnalyticsGroup).add(BuildsGroup).add(EnvVarsGroup).add(FingerprintsGroup).add(AuditLogsGroup).add(DevicesGroup).add(AppleTeamsGroup).add(AppleDistributionCertificatesGroup).add(ApplePushKeysGroup).add(AscApiKeysGroup).add(AppleProvisioningProfilesGroup).add(GoogleServiceAccountKeysGroup).add(IosBundleConfigurationsGroup).add(IosAppMetadataGroup).add(SubmissionsGroup).add(AndroidApplicationIdentifiersGroup).add(AndroidUploadKeystoresGroup).add(AndroidBuildCredentialsGroup).add(BuildCredentialsGroup).add(UserEncryptionKeysGroup).add(OrgVaultGroup).add(MeGroup).add(WebhooksGroup).add(PoliciesGroup).add(GroupsGroup).add(PolicyAttachmentsGroup).add(ApiKeysGroup).add(InvitationsGroup).add(MembersGroup).add(OrganizationGroup).add(AdminGroup).middleware(Authentication).annotateContext(OpenApi.annotations({
 	title: "Better Update Management API",
 	version: "1.0.0",
 	description: "Management API for OTA update publishing, deployment, and analytics"
@@ -2185,6 +2464,151 @@ var ProtocolApi = class extends HttpApi.make("protocol-api").add(ManifestGroup).
 	description: "Expo Updates protocol endpoints (unauthenticated)"
 })) {};
 
+//#endregion
+//#region ../../packages/api/src/domain/policy-selector.ts
+/**
+* Pure, framework-agnostic validators for the IAM path-glob SELECTOR GRAMMAR and
+* the action-token shape. Shared by web / CLI / server so all three reject bad
+* input identically. This is INPUT-SHAPE validation only — it is distinct from
+* the server matching algorithm (`selectorMatches`), which is NOT duplicated here.
+*/
+/** A selector segment: `*` or a non-empty token of `[A-Za-z0-9._:-]`. */
+const SEGMENT_PATTERN = /^[A-Za-z0-9._:-]+$/u;
+/**
+* An action token of `"<word>:<word>"` or `"<word>:*"`, where a word is a
+* non-empty run of `[A-Za-z0-9_-]`. The standalone `"*"` token is handled
+* separately in `isValidActionTokenShape`.
+*/
+const ACTION_TOKEN_PATTERN = /^[A-Za-z0-9_-]+:(?:\*|[A-Za-z0-9_-]+)$/u;
+const isValidSegment = (segment) => segment === "*" || SEGMENT_PATTERN.test(segment);
+/**
+* A resource selector is valid when it is `"*"` OR is slash-joined segments where
+* each segment is `"*"` or a non-empty token of `[A-Za-z0-9._:-]`. Empty segments
+* (leading/trailing/double slashes) are rejected.
+*/
+const isValidSelector = (selector) => {
+	if (selector === "*") return true;
+	if (selector.length === 0) return false;
+	return selector.split("/").every(isValidSegment);
+};
+/**
+* An action token is valid in SHAPE when it is `"*"`, `"<word>:<word>"`, or
+* `"<word>:*"`. The server still validates the token against the real
+* resource/action vocabulary — this only guards the grammar.
+*/
+const isValidActionTokenShape = (token) => token === "*" || ACTION_TOKEN_PATTERN.test(token);
+const ID = "@";
+const CANONICAL_TEMPLATES = [
+	["org"],
+	["project", ID],
+	[
+		"project",
+		ID,
+		"build"
+	],
+	[
+		"project",
+		ID,
+		"build",
+		ID
+	],
+	[
+		"project",
+		ID,
+		"credential"
+	],
+	[
+		"project",
+		ID,
+		"credential",
+		ID
+	],
+	[
+		"project",
+		ID,
+		"submission"
+	],
+	[
+		"project",
+		ID,
+		"submission",
+		ID
+	],
+	[
+		"project",
+		ID,
+		"env",
+		ID
+	],
+	[
+		"project",
+		ID,
+		"env",
+		ID,
+		"envVar"
+	],
+	[
+		"project",
+		ID,
+		"env",
+		ID,
+		"envVar",
+		ID
+	],
+	[
+		"project",
+		ID,
+		"channel",
+		ID
+	],
+	[
+		"project",
+		ID,
+		"channel",
+		ID,
+		"update"
+	],
+	[
+		"project",
+		ID,
+		"channel",
+		ID,
+		"update",
+		ID
+	],
+	[
+		"project",
+		ID,
+		"channel",
+		ID,
+		"rollout"
+	],
+	[
+		"project",
+		ID,
+		"channel",
+		ID,
+		"rollout",
+		ID
+	]
+];
+const matchesTemplate = (template, segments) => template.length === segments.length && template.every((slot, index) => {
+	const segment = segments[index];
+	return segment !== void 0 && (slot === ID || segment === slot || segment === "*");
+});
+/**
+* True when a (shape-valid) selector matches one of the canonical resource-path
+* templates the server can actually produce — so a typo'd or pluralised segment
+* (e.g. `"project/A/channels/X"`) is caught at policy-write time instead of being
+* stored as a silently inert policy that can never match. The standalone `"*"`
+* matches everything and is always canonical.
+*/
+const isCanonicalSelector = (selector) => {
+	if (selector === "*") return true;
+	const segments = selector.split("/");
+	return CANONICAL_TEMPLATES.some((template) => matchesTemplate(template, segments));
+};
+
 //#endregion
 //#region src/lib/exit-codes.ts
 var AuthRequiredError = class extends Data.TaggedError("AuthRequiredError") {};
@@ -2221,8 +2645,8 @@ var FingerprintMismatchError = class extends Data.TaggedError("FingerprintMismat
 
 //#endregion
 //#region ../../packages/type-guards/src/index.ts
-const isRecord = (value) => typeof value === "object" && value !== null && !Array.isArray(value);
-const asRecord = (value) => isRecord(value) ? value : void 0;
+const isRecord$1 = (value) => typeof value === "object" && value !== null && !Array.isArray(value);
+const asRecord = (value) => isRecord$1(value) ? value : void 0;
 const toOptional = (value) => value ?? void 0;
 const toDbNull = (value) => value ?? null;
 const compact = (obj) => Object.fromEntries(Object.entries(obj).filter(([, value]) => value !== void 0));
@@ -2280,7 +2704,7 @@ const AuthStoreLive = Layer.effect(AuthStore, Effect.gen(function* () {
 				try: () => JSON.parse(content),
 				catch: () => new AuthRequiredError({ message: "Corrupted auth file. Run `better-update login` to re-authenticate." })
 			});
-			if (!isRecord(parsed)) return yield* new AuthRequiredError({ message: "Invalid auth file. Run `better-update login` to re-authenticate." });
+			if (!isRecord$1(parsed)) return yield* new AuthRequiredError({ message: "Invalid auth file. Run `better-update login` to re-authenticate." });
 			const { token } = parsed;
 			if (typeof token !== "string") return yield* new AuthRequiredError({ message: "Invalid auth file. Run `better-update login` to re-authenticate." });
 			return token;
@@ -2308,13 +2732,13 @@ const ConfigStoreLive = Layer.effect(ConfigStore, Effect.gen(function* () {
 	const runtime = yield* CliRuntime;
 	const homeDirectory = yield* runtime.homeDirectory;
 	const configFile = path.join(homeDirectory, ".better-update", "config.json");
-	const readConfig = fs.readFileString(configFile).pipe(Effect.catchAll(() => Effect.succeed("")), Effect.flatMap((content) => content.length === 0 ? Effect.succeed(void 0) : Effect.try({
+	const readConfig = fs.readFileString(configFile).pipe(Effect.orElseSucceed(() => ""), Effect.flatMap((content) => content.length === 0 ? Effect.void : Effect.try({
 		try: () => JSON.parse(content),
 		catch: (cause) => new ConfigStoreParseError({
 			message: "Config file contains invalid JSON",
 			cause
 		})
-	}).pipe(Effect.map((parsed) => isRecord(parsed) ? parsed : void 0), Effect.catchAll(() => Effect.succeed(void 0)))));
+	}).pipe(Effect.map((parsed) => isRecord$1(parsed) ? parsed : void 0), Effect.orElseSucceed(() => void 0))));
 	return {
 		getBaseUrl: Effect.gen(function* () {
 			const envUrl = yield* runtime.getEnv("BETTER_UPDATE_URL");
@@ -2537,10 +2961,10 @@ const AppleSessionStoreLive = Layer.effect(AppleSessionStore, Effect.gen(functio
 	const usernameFile = path.join(sessionDir, "apple-username.json");
 	return {
 		loadSession: Effect.gen(function* () {
-			const content = yield* fs.readFileString(sessionFile).pipe(Effect.catchAll(() => Effect.succeed(null)));
+			const content = yield* fs.readFileString(sessionFile).pipe(Effect.orElseSucceed(() => null));
 			if (!content) return null;
 			const parsed = safeJsonParse(content);
-			if (!isRecord(parsed)) return null;
+			if (!isRecord$1(parsed)) return null;
 			if (typeof parsed["username"] !== "string" || !parsed["cookies"]) return null;
 			return {
 				cookies: parsed["cookies"],
@@ -2555,10 +2979,10 @@ const AppleSessionStoreLive = Layer.effect(AppleSessionStore, Effect.gen(functio
 		}).pipe(Effect.mapError((cause) => new AppleAuthError$1({ message: `Failed to save Apple session: ${formatCause(cause)}` }))),
 		clearSession: fs.remove(sessionFile).pipe(Effect.catchAll(() => Effect.void)),
 		loadLastUsername: Effect.gen(function* () {
-			const content = yield* fs.readFileString(usernameFile).pipe(Effect.catchAll(() => Effect.succeed(null)));
+			const content = yield* fs.readFileString(usernameFile).pipe(Effect.orElseSucceed(() => null));
 			if (!content) return null;
 			const parsed = safeJsonParse(content);
-			if (!isRecord(parsed) || typeof parsed["username"] !== "string") return null;
+			if (!isRecord$1(parsed) || typeof parsed["username"] !== "string") return null;
 			return parsed["username"];
 		}),
 		saveLastUsername: (username) => Effect.gen(function* () {
@@ -2651,7 +3075,7 @@ const interactiveLogin = (appleUtils, options, cachedUsername) => Effect.gen(fun
 const tryRestore = (appleUtils, store) => Effect.gen(function* () {
 	const stored = yield* store.loadSession;
 	if (stored === null) return null;
-	const restored = yield* restoreFromCookies(appleUtils, stored.cookies).pipe(Effect.catchAll(() => Effect.succeed(null)));
+	const restored = yield* restoreFromCookies(appleUtils, stored.cookies).pipe(Effect.orElseSucceed(() => null));
 	if (restored === null) return null;
 	return yield* resolveSessionTeam(appleUtils, restored);
 });
@@ -2670,7 +3094,7 @@ const makeAppleAuthLive = (appleUtils = defaultAppleUtils) => Layer.effect(Apple
 		whoami: Effect.gen(function* () {
 			const stored = yield* store.loadSession;
 			if (stored === null) return null;
-			const restored = yield* restoreFromCookies(appleUtils, stored.cookies).pipe(Effect.catchAll(() => Effect.succeed(null)));
+			const restored = yield* restoreFromCookies(appleUtils, stored.cookies).pipe(Effect.orElseSucceed(() => null));
 			if (restored !== null) return sessionFromAuthState(restored);
 			const info = appleUtils.Session.getAnySessionInfo();
 			return info === null ? null : sessionFromInfo(stored.username, info);
@@ -2741,13 +3165,13 @@ const BsdiffServiceLive = Layer.succeed(BsdiffService, { diff: (input) => Effect
 
 //#endregion
 //#region src/services/identity-store.ts
-const isArgon2Params = (value) => isRecord(value) && typeof value["time"] === "number" && typeof value["memory"] === "number" && typeof value["parallelism"] === "number";
+const isArgon2Params = (value) => isRecord$1(value) && typeof value["time"] === "number" && typeof value["memory"] === "number" && typeof value["parallelism"] === "number";
 /**
 * Structural guard for the on-disk identity envelope. A corrupt or foreign file
 * reads as "absent" so the CLI prompts to (re)create rather than crashing — the
 * AAD-bound `openIdentity` still fails loudly if a well-formed file was tampered.
 */
-const isIdentityFile = (value) => isRecord(value) && value["version"] === 1 && typeof value["publicKey"] === "string" && typeof value["fingerprint"] === "string" && value["kdf"] === "argon2id" && isArgon2Params(value["kdfParams"]) && typeof value["salt"] === "string" && value["cipher"] === "xchacha20poly1305" && typeof value["ct"] === "string";
+const isIdentityFile = (value) => isRecord$1(value) && value["version"] === 1 && typeof value["publicKey"] === "string" && typeof value["fingerprint"] === "string" && value["kdf"] === "argon2id" && isArgon2Params(value["kdfParams"]) && typeof value["salt"] === "string" && value["cipher"] === "xchacha20poly1305" && typeof value["ct"] === "string";
 var IdentityStore = class extends Context.Tag("cli/IdentityStore")() {};
 const IdentityStoreLive = Layer.effect(IdentityStore, Effect.gen(function* () {
 	const fs = yield* FileSystem.FileSystem;
@@ -2756,7 +3180,7 @@ const IdentityStoreLive = Layer.effect(IdentityStore, Effect.gen(function* () {
 	const identityFile = path.join(identityDir, "identity.json");
 	return {
 		load: Effect.gen(function* () {
-			const content = yield* fs.readFileString(identityFile).pipe(Effect.catchAll(() => Effect.succeed("")));
+			const content = yield* fs.readFileString(identityFile).pipe(Effect.orElseSucceed(() => ""));
 			if (content.length === 0) return null;
 			const parsed = safeJsonParse(content);
 			return isIdentityFile(parsed) ? parsed : null;
@@ -2948,7 +3372,7 @@ const UpdateAssetUploaderLive = Layer.effect(UpdateAssetUploader, Effect.gen(fun
 const VAULT_CACHE_TTL_MS = 900 * 1e3;
 /** Keychain service name; the account is the recipient's public key. */
 const KEYCHAIN_SERVICE = "better-update-vault";
-const isCachedVaultEntry = (value) => isRecord(value) && typeof value["vaultKey"] === "string" && typeof value["vaultVersion"] === "number" && typeof value["keyId"] === "string" && typeof value["exp"] === "number";
+const isCachedVaultEntry = (value) => isRecord$1(value) && typeof value["vaultKey"] === "string" && typeof value["vaultVersion"] === "number" && typeof value["keyId"] === "string" && typeof value["exp"] === "number";
 /** Serialize an unlocked vault into a keychain blob, stamping a TTL from `now`. */
 const encodeCacheEntry = (vault, now, ttlMs = VAULT_CACHE_TTL_MS) => JSON.stringify({
 	vaultKey: toBase64(vault.vaultKey),
@@ -2980,7 +3404,7 @@ const VaultCacheLive = Layer.effect(VaultCache, Effect.gen(function* () {
 		const flag = yield* runtime.getEnv("BETTER_UPDATE_NO_CACHE");
 		return flag !== void 0 && flag.length > 0 && flag !== "0" && flag !== "false";
 	});
-	const readRaw = (publicKey) => Effect.try(() => new Entry(KEYCHAIN_SERVICE, publicKey).getPassword()).pipe(Effect.catchAll(() => Effect.succeed(null)));
+	const readRaw = (publicKey) => Effect.try(() => new Entry(KEYCHAIN_SERVICE, publicKey).getPassword()).pipe(Effect.orElseSucceed(() => null));
 	const writeRaw = (publicKey, blob) => Effect.try(() => {
 		new Entry(KEYCHAIN_SERVICE, publicKey).setPassword(blob);
 	}).pipe(Effect.ignore);
@@ -3018,13 +3442,13 @@ const VersionCheckLive = Layer.effect(VersionCheck, Effect.gen(function* () {
 	const cacheDir = path.join(homeDirectory, ".better-update");
 	const cacheFile = path.join(cacheDir, "version-check.json");
 	const readCache = Effect.gen(function* () {
-		const content = yield* fs.readFileString(cacheFile).pipe(Effect.catchAll(() => Effect.succeed("")));
+		const content = yield* fs.readFileString(cacheFile).pipe(Effect.orElseSucceed(() => ""));
 		if (content.length === 0) return;
 		const parsed = yield* Effect.try({
 			try: () => JSON.parse(content),
 			catch: () => "parse-error"
-		}).pipe(Effect.catchAll(() => Effect.succeed(void 0)));
-		if (isRecord(parsed) && typeof parsed["latest"] === "string" && typeof parsed["checkedAt"] === "number") return {
+		}).pipe(Effect.orElseSucceed(() => void 0));
+		if (isRecord$1(parsed) && typeof parsed["latest"] === "string" && typeof parsed["checkedAt"] === "number") return {
 			latest: parsed["latest"],
 			checkedAt: parsed["checkedAt"]
 		};
@@ -3041,7 +3465,7 @@ const VersionCheckLive = Layer.effect(VersionCheck, Effect.gen(function* () {
 			const response = yield* httpClient.execute(request);
 			if (response.status < 200 || response.status >= 300) return;
 			const body = yield* response.json;
-			if (!isRecord(body) || typeof body["version"] !== "string") return;
+			if (!isRecord$1(body) || typeof body["version"] !== "string") return;
 			const latest = body["version"];
 			yield* fs.makeDirectory(cacheDir, { recursive: true });
 			yield* fs.writeFileString(cacheFile, `${JSON.stringify({
@@ -3142,7 +3566,7 @@ const createBrowserLoginSession = (options = {}) => {
 			if (request.method === "GET" && url.pathname === "/callback") return new Response(CALLBACK_PAGE, { headers: { "content-type": "text/html; charset=utf-8" } });
 			if (request.method === "POST" && url.pathname === "/callback/token") try {
 				const body = await request.json();
-				if (!isRecord(body)) return new Response("Invalid callback payload", { status: 400 });
+				if (!isRecord$1(body)) return new Response("Invalid callback payload", { status: 400 });
 				const token = typeof body["token"] === "string" ? body["token"].trim() : "";
 				if (token.length === 0) return new Response("Missing token", { status: 400 });
 				Effect.runSync(Deferred.succeed(tokenDeferred, token));
@@ -3224,7 +3648,7 @@ const buildOpenBrowserCommand = (platform, url) => {
 };
 const openBrowser = (url) => Effect.gen(function* () {
 	const command = buildOpenBrowserCommand((yield* CliRuntime).platform, url);
-	if (!(yield* Command.exitCode(command).pipe(Effect.map((code) => code === 0), Effect.catchAll(() => Effect.succeed(false))))) yield* Console.log(`Open this URL manually:\n${url}`);
+	if (!(yield* Command.exitCode(command).pipe(Effect.map((code) => code === 0), Effect.orElseSucceed(() => false)))) yield* Console.log(`Open this URL manually:\n${url}`);
 });
 const browserLogin = Effect.scoped(Effect.gen(function* () {
 	const configStore = yield* ConfigStore;
@@ -3623,9 +4047,9 @@ const configPath = (projectRoot) => path.join(projectRoot, BETTER_UPDATE_CONFIG_
 * graceful `readConfig`.
 */
 const readBetterUpdateConfig = (projectRoot) => Effect.gen(function* () {
-	const content = yield* (yield* FileSystem.FileSystem).readFileString(configPath(projectRoot)).pipe(Effect.catchAll(() => Effect.succeed("")));
+	const content = yield* (yield* FileSystem.FileSystem).readFileString(configPath(projectRoot)).pipe(Effect.orElseSucceed(() => ""));
 	if (content.length === 0) return;
-	return yield* Effect.try(() => JSON.parse(content)).pipe(Effect.map((parsed) => isRecord(parsed) ? parsed : void 0), Effect.catchAll(() => Effect.succeed(void 0)));
+	return yield* Effect.try(() => JSON.parse(content)).pipe(Effect.map((parsed) => isRecord$1(parsed) ? parsed : void 0), Effect.orElseSucceed(() => void 0));
 });
 /**
 * Resolve the linked project id from `better-update.json`, or `undefined` when
@@ -4354,14 +4778,8 @@ const KeyValueFromString = Schema.transformOrFail(Schema.String, KeyValuePair, {
 	},
 	encode: ({ key, value }) => ParseResult.succeed(`${key}=${value}`)
 });
-const parseRolloutPercentage = (raw, flag) => Effect.try({
-	try: () => Schema.decodeUnknownSync(RolloutPercentage)(Number(raw)),
-	catch: () => new InvalidArgumentError({ message: `--${flag} must be an integer between 1 and 100, got "${raw}".` })
-});
-const parseKeyValue = (raw) => Effect.try({
-	try: () => Schema.decodeUnknownSync(KeyValueFromString)(raw),
-	catch: () => new InvalidArgumentError({ message: "Invalid format. Use KEY=VALUE (e.g. API_KEY=abc123)" })
-});
+const parseRolloutPercentage = (raw, flag) => Schema.decodeUnknown(RolloutPercentage)(Number(raw)).pipe(Effect.mapError(() => new InvalidArgumentError({ message: `--${flag} must be an integer between 1 and 100, got "${raw}".` })));
+const parseKeyValue = (raw) => Schema.decodeUnknown(KeyValueFromString)(raw).pipe(Effect.mapError(() => new InvalidArgumentError({ message: "Invalid format. Use KEY=VALUE (e.g. API_KEY=abc123)" })));
 const parseLimit = (raw, defaultValue) => {
 	if (raw === void 0) return Effect.succeed(defaultValue);
 	const parsed = Number(raw);
@@ -18709,7 +19127,7 @@ const asArrayBuffer$1 = (bytes) => {
 };
 const signAscJwt = (credentials) => Effect.gen(function* () {
 	const der = pemToPkcs8Der(credentials.p8Pem);
-	if (der === null) return yield* Effect.fail(new AppleAuthError({ cause: /* @__PURE__ */ new Error("Invalid .p8 PEM") }));
+	if (der === null) return yield* new AppleAuthError({ cause: /* @__PURE__ */ new Error("Invalid .p8 PEM") });
 	const header = {
 		alg: "ES256",
 		kid: credentials.keyId,
@@ -18760,8 +19178,8 @@ var AscApiError = class extends Data.TaggedError("AscApiError") {};
 var AscNetworkError = class extends Data.TaggedError("AscNetworkError") {};
 const API_BASE = "https://api.appstoreconnect.apple.com";
 const extractErrors = (body) => {
-	if (!isRecord(body) || !Array.isArray(body["errors"])) return [];
-	return body["errors"].filter((value) => isRecord(value));
+	if (!isRecord$1(body) || !Array.isArray(body["errors"])) return [];
+	return body["errors"].filter((value) => isRecord$1(value));
 };
 const parseApiError = (response, body, raw) => {
 	const [first] = extractErrors(body);
@@ -18793,13 +19211,13 @@ const fetchRaw = (jwt, path, init) => Effect.gen(function* () {
 		try: () => text.length === 0 ? {} : JSON.parse(text),
 		catch: (cause) => new AscNetworkError({ cause })
 	});
-	if (!response.ok) return yield* Effect.fail(parseApiError(response, body, text));
+	if (!response.ok) return yield* parseApiError(response, body, text);
 	return body;
 });
 const toAscCertificate = (value) => {
-	if (!isRecord(value)) return null;
+	if (!isRecord$1(value)) return null;
 	const { id, attributes } = value;
-	if (typeof id !== "string" || !isRecord(attributes)) return null;
+	if (typeof id !== "string" || !isRecord$1(attributes)) return null;
 	const { serialNumber, certificateType, expirationDate, certificateContent, displayName } = attributes;
 	if (typeof serialNumber !== "string" || typeof certificateType !== "string" || typeof expirationDate !== "string") return null;
 	return {
@@ -18812,9 +19230,9 @@ const toAscCertificate = (value) => {
 	};
 };
 const toAscBundleId = (value) => {
-	if (!isRecord(value)) return null;
+	if (!isRecord$1(value)) return null;
 	const { id, attributes } = value;
-	if (typeof id !== "string" || !isRecord(attributes)) return null;
+	if (typeof id !== "string" || !isRecord$1(attributes)) return null;
 	const { identifier, name } = attributes;
 	if (typeof identifier !== "string" || typeof name !== "string") return null;
 	return {
@@ -18834,9 +19252,9 @@ const asProfileType = (value) => {
 	return match === void 0 ? null : match;
 };
 const toAscProfile = (value) => {
-	if (!isRecord(value)) return null;
+	if (!isRecord$1(value)) return null;
 	const { id, attributes } = value;
-	if (typeof id !== "string" || !isRecord(attributes)) return null;
+	if (typeof id !== "string" || !isRecord$1(attributes)) return null;
 	const { name, uuid, expirationDate, profileContent } = attributes;
 	const profileType = asProfileType(attributes["profileType"]);
 	if (typeof name !== "string" || typeof uuid !== "string" || typeof expirationDate !== "string" || typeof profileContent !== "string" || profileType === null) return null;
@@ -18850,9 +19268,9 @@ const toAscProfile = (value) => {
 	};
 };
 const toAscDevice = (value) => {
-	if (!isRecord(value)) return null;
+	if (!isRecord$1(value)) return null;
 	const { id, attributes } = value;
-	if (typeof id !== "string" || !isRecord(attributes)) return null;
+	if (typeof id !== "string" || !isRecord$1(attributes)) return null;
 	const { udid, name } = attributes;
 	if (typeof udid !== "string" || typeof name !== "string") return null;
 	return {
@@ -18862,11 +19280,11 @@ const toAscDevice = (value) => {
 	};
 };
 const extractList = (body, map) => {
-	if (!isRecord(body) || !Array.isArray(body["data"])) return [];
+	if (!isRecord$1(body) || !Array.isArray(body["data"])) return [];
 	return body["data"].map(map).filter((value) => value !== null);
 };
 const extractSingle = (body, map) => {
-	if (!isRecord(body)) return null;
+	if (!isRecord$1(body)) return null;
 	return map(body["data"]);
 };
 const malformed = (resource) => new AscApiError({
@@ -18893,12 +19311,10 @@ const createCertificate = (credentials, params) => withJwt(credentials, (jwt) =>
 			}
 		} })
 	}), toAscCertificate);
-	if (resource === null) return yield* Effect.fail(malformed("certificate"));
+	if (resource === null) return yield* malformed("certificate");
 	return resource;
 }));
-const deleteCertificate = (credentials, id) => withJwt(credentials, (jwt) => Effect.gen(function* () {
-	yield* fetchRaw(jwt, `/v1/certificates/${encodeURIComponent(id)}`, { method: "DELETE" });
-}));
+const deleteCertificate = (credentials, id) => withJwt(credentials, (jwt) => Effect.asVoid(fetchRaw(jwt, `/v1/certificates/${encodeURIComponent(id)}`, { method: "DELETE" })));
 const listBundleIds = (credentials) => withJwt(credentials, (jwt) => Effect.gen(function* () {
 	return extractList(yield* fetchRaw(jwt, "/v1/bundleIds?limit=200"), toAscBundleId);
 }));
@@ -18914,7 +19330,7 @@ const createBundleId = (credentials, params) => withJwt(credentials, (jwt) => Ef
 			}
 		} })
 	}), toAscBundleId);
-	if (resource === null) return yield* Effect.fail(malformed("bundleId"));
+	if (resource === null) return yield* malformed("bundleId");
 	return resource;
 }));
 const listDevices = (credentials) => withJwt(credentials, (jwt) => Effect.gen(function* () {
@@ -18946,7 +19362,7 @@ const createProvisioningProfile = (credentials, params) => withJwt(credentials,
 			relationships
 		} })
 	}), toAscProfile);
-	if (resource === null) return yield* Effect.fail(malformed("profile"));
+	if (resource === null) return yield* malformed("profile");
 	return resource;
 }));
 const isCertificateLimitError = (error) => {
@@ -18982,7 +19398,7 @@ const parseCert = (certDerBytes) => {
 const generatePassword = () => forge.util.encode64(forge.random.getBytesSync(16));
 const extractCertMetadata = (cert) => Effect.gen(function* () {
 	const appleTeamId = extractTeamId$1(cert);
-	if (appleTeamId === null) return yield* Effect.fail(new CertParseError({ message: "Could not extract Apple team identifier from certificate subject" }));
+	if (appleTeamId === null) return yield* new CertParseError({ message: "Could not extract Apple team identifier from certificate subject" });
 	return {
 		serialNumber: cert.serialNumber.toUpperCase(),
 		validFrom: cert.validity.notBefore.toISOString(),
@@ -19000,7 +19416,7 @@ const extractCertMetadata = (cert) => Effect.gen(function* () {
 */
 const extractMetadataFromP12 = (params) => Effect.gen(function* () {
 	const certBagOid = forge.pki.oids["certBag"];
-	if (certBagOid === void 0) return yield* Effect.fail(new CertParseError({ message: "PKCS#12 OID lookup for certBag failed" }));
+	if (certBagOid === void 0) return yield* new CertParseError({ message: "PKCS#12 OID lookup for certBag failed" });
 	const [first] = yield* Effect.try({
 		try: () => {
 			const p12Der = forge.util.decode64(params.p12Base64);
@@ -19009,7 +19425,7 @@ const extractMetadataFromP12 = (params) => Effect.gen(function* () {
 		},
 		catch: (error) => new CertParseError({ message: `Failed to parse PKCS#12 bundle: ${error instanceof Error ? error.message : String(error)}` })
 	});
-	if (first?.cert === void 0) return yield* Effect.fail(new CertParseError({ message: "PKCS#12 bundle does not contain a certificate" }));
+	if (first?.cert === void 0) return yield* new CertParseError({ message: "PKCS#12 bundle does not contain a certificate" });
 	return yield* extractCertMetadata(first.cert);
 });
 const buildDistributionCertP12 = (params) => Effect.gen(function* () {
@@ -19190,10 +19606,10 @@ const generateAndUploadDistributionCertificate = (api, input) => Effect.gen(func
 		csrPem: csrResult.csrPem,
 		certificateType
 	}).pipe(Effect.mapError(wrapAscError("apple-create-certificate")));
-	if (apple.certificateContent === null) return yield* Effect.fail(new GenerateFailedError({
+	if (apple.certificateContent === null) return yield* new GenerateFailedError({
 		step: "apple-create-certificate",
 		message: "Apple response missing certificateContent"
-	}));
+	});
 	const bundle = yield* buildDistributionCertP12({
 		certificateContentBase64: apple.certificateContent,
 		privateKey: csrResult.privateKey
@@ -19243,10 +19659,10 @@ const revokeAppleCertificate = (api, input) => Effect.gen(function* () {
 });
 const revokeLocalDistributionCertificate = (api, input) => Effect.gen(function* () {
 	const local = (yield* api.appleDistributionCertificates.list()).items.find((entry) => entry.id === input.distributionCertificateId);
-	if (local === void 0) return yield* Effect.fail(new GenerateFailedError({
+	if (local === void 0) return yield* new GenerateFailedError({
 		step: "load-distribution-certificate",
 		message: `Distribution certificate ${input.distributionCertificateId} not found on this account`
-	}));
+	});
 	const creds = yield* fetchAscCredentials(api, input.ascApiKeyId);
 	const ascCreds = {
 		keyId: creds.keyId,
@@ -19283,10 +19699,10 @@ const listAppleCertificates = (api, input) => Effect.gen(function* () {
 });
 const resolveCertAscId = (creds, serialNumber, certificateType) => Effect.gen(function* () {
 	const match = (yield* listCertificates(creds, { certificateType }).pipe(Effect.mapError(wrapAscError("apple-list-certificates")))).find((entry) => entry.serialNumber.toUpperCase() === serialNumber);
-	if (match === void 0) return yield* Effect.fail(new GenerateFailedError({
+	if (match === void 0) return yield* new GenerateFailedError({
 		step: "match-apple-certificate",
 		message: `Distribution certificate ${serialNumber} not present on Apple Developer Portal; upload or re-generate it`
-	}));
+	});
 	return match.id;
 });
 const ensureBundleId = (creds, bundleIdentifier) => Effect.gen(function* () {
@@ -19319,10 +19735,10 @@ const generateAndUploadProvisioningProfile = (api, input) => Effect.gen(function
 	const [certAscId, bundleIdAscId] = yield* Effect.all([resolveCertAscId(ascCreds, cert.serialNumber.toUpperCase(), certificateType), ensureBundleId(ascCreds, input.bundleIdentifier)], { concurrency: 2 });
 	const useDevices = input.distributionType === "AD_HOC" || input.distributionType === "DEVELOPMENT";
 	const { ids: deviceAscIds } = useDevices ? yield* collectDeviceAscIds(ascCreds, cert.appleTeamId, input.deviceIds) : { ids: [] };
-	if (useDevices && deviceAscIds.length === 0) return yield* Effect.fail(new GenerateFailedError({
+	if (useDevices && deviceAscIds.length === 0) return yield* new GenerateFailedError({
 		step: "collect-devices",
 		message: "No registered devices to attach to the provisioning profile"
-	}));
+	});
 	const profileBytes = fromBase64((yield* createProvisioningProfile(ascCreds, {
 		profileName: `${input.bundleIdentifier} ${input.distributionType} ${Date.now()}`,
 		profileType: DISTRIBUTION_TO_PROFILE_TYPE$1[input.distributionType],
@@ -19633,10 +20049,10 @@ const downloadAndroidCredentials = (api, options) => Effect.gen(function* () {
 			...compact({ buildProfile: options.buildProfile })
 		}
 	}).pipe(Effect.mapError((cause) => resolveErrorToMissingCredentials(cause, "android")));
-	if (resolved.platform !== "android") return yield* Effect.fail(new MissingCredentialsError({
+	if (resolved.platform !== "android") return yield* new MissingCredentialsError({
 		message: "Server returned non-Android credentials for an Android build request",
 		hint: androidBindHint
-	}));
+	});
 	const secret = yield* decryptResolveSecret({
 		session: yield* openVaultSessionForBuild(api, androidBindHint),
 		credentialType: "keystore",
@@ -19757,7 +20173,7 @@ const credentialsJsonPath = (projectRoot) => path.join(projectRoot, CREDENTIALS_
 const readCredentialsJson = (projectRoot) => Effect.gen(function* () {
 	const fs = yield* FileSystem.FileSystem;
 	const filePath = credentialsJsonPath(projectRoot);
-	if (!(yield* fs.exists(filePath).pipe(Effect.catchAll(() => Effect.succeed(false))))) return yield* new CredentialsJsonError({ message: `credentials.json not found at ${filePath}.` });
+	if (!(yield* fs.exists(filePath).pipe(Effect.orElseSucceed(() => false)))) return yield* new CredentialsJsonError({ message: `credentials.json not found at ${filePath}.` });
 	return yield* parseCredentialsJson(yield* fs.readFileString(filePath).pipe(Effect.mapError((cause) => new CredentialsJsonError({ message: `Failed to read credentials.json: ${String(cause)}` }))));
 });
 const writeCredentialsJson = (projectRoot, data) => Effect.gen(function* () {
@@ -19774,7 +20190,7 @@ const resolveCredentialPath = (projectRoot, candidate) => path.isAbsolute(candid
 
 //#endregion
 //#region src/lib/local-credentials.ts
-const requirePath = (fs, absolutePath, label) => fs.exists(absolutePath).pipe(Effect.catchAll(() => Effect.succeed(false)), Effect.flatMap((exists) => exists ? Effect.void : Effect.fail(new MissingCredentialsError({
+const requirePath = (fs, absolutePath, label) => fs.exists(absolutePath).pipe(Effect.orElseSucceed(() => false), Effect.flatMap((exists) => exists ? Effect.void : Effect.fail(new MissingCredentialsError({
 	message: `Local credentials.json: ${label} not found at ${absolutePath}.`,
 	hint: "Run `better-update credentials sync pull` to materialize files, or fix the path in credentials.json."
 }))));
@@ -20029,7 +20445,7 @@ const runStepFormatted = (cmd, step, formatter) => Effect.gen(function* () {
 	if (code !== 0) {
 		const summary = formatter.getBuildSummary();
 		if (summary.length > 0) process$1.stderr.write(`${summary}\n`);
-		return yield* Effect.fail(buildFailed(step, code, `${step} exited with code ${code}`));
+		return yield* buildFailed(step, code, `${step} exited with code ${code}`);
 	}
 });
 
@@ -20265,10 +20681,10 @@ const findAscCertificateId = (ctx, serialNumber, certificateType) => Effect.gen(
 	const certs = yield* wrap("apple-list-certificates", async () => AppleUtils.Certificate.getAsync(ctx, { query: { filter: { certificateType } } }));
 	const upper = serialNumber.toUpperCase();
 	const match = certs.find((entry) => entry.attributes.serialNumber.toUpperCase() === upper);
-	if (match === void 0) return yield* Effect.fail(new AppleIdGenerateFailedError({
+	if (match === void 0) return yield* new AppleIdGenerateFailedError({
 		step: "match-apple-certificate",
 		message: `Distribution certificate ${serialNumber} not present on Apple Developer Portal; upload or re-generate it`
-	}));
+	});
 	return match.id;
 });
 const collectIosDeviceIds = (ctx, deviceIds) => Effect.gen(function* () {
@@ -20287,10 +20703,10 @@ const generateAndUploadProvisioningProfileViaAppleId = (api, input) => Effect.ge
 	const [certAscId, bundleIdAscId] = yield* Effect.all([findAscCertificateId(ctx, cert.serialNumber, certificateType), findOrCreateBundleId(ctx, input.bundleIdentifier)], { concurrency: 2 });
 	const useDevices = input.distributionType === "AD_HOC" || input.distributionType === "DEVELOPMENT";
 	const deviceIds = useDevices ? yield* collectIosDeviceIds(ctx, input.deviceIds) : [];
-	if (useDevices && deviceIds.length === 0) return yield* Effect.fail(new AppleIdGenerateFailedError({
+	if (useDevices && deviceIds.length === 0) return yield* new AppleIdGenerateFailedError({
 		step: "collect-devices",
 		message: "No registered devices to attach to the provisioning profile"
-	}));
+	});
 	const profileName = `${input.bundleIdentifier} ${input.distributionType} ${Date.now()}`;
 	const { profileContent } = (yield* wrap("apple-create-profile", async () => AppleUtils.Profile.createAsync(ctx, {
 		bundleId: bundleIdAscId,
@@ -20299,10 +20715,10 @@ const generateAndUploadProvisioningProfileViaAppleId = (api, input) => Effect.ge
 		name: profileName,
 		profileType: DISTRIBUTION_TO_PROFILE_TYPE[input.distributionType]
 	}))).attributes;
-	if (profileContent === null) return yield* Effect.fail(new AppleIdGenerateFailedError({
+	if (profileContent === null) return yield* new AppleIdGenerateFailedError({
 		step: "extract-profile-content",
 		message: "Apple returned a profile with no content (likely expired/invalid)"
-	}));
+	});
 	const profileBytes = fromBase64(profileContent);
 	const rosterHash = useDevices ? computeDeviceRosterHashHex(deviceIds) : void 0;
 	const created = yield* api.appleProvisioningProfiles.upload({ payload: {
@@ -20482,10 +20898,10 @@ const interactiveCertLimitRecover = (api, ascApiKeyId) => Effect.gen(function* (
 		ascApiKeyId,
 		certificateType: "IOS_DISTRIBUTION"
 	});
-	if (certs.length === 0) return yield* Effect.fail(new MissingCredentialsError({
+	if (certs.length === 0) return yield* new MissingCredentialsError({
 		message: "Apple says the certificate limit is hit but no existing certificates were returned.",
 		hint: "Try again later or check the Apple Developer portal."
-	}));
+	});
 	const toRevoke = yield* promptMultiSelect("Select one or more certificates to revoke before retrying", certs.map((entry) => ({
 		value: entry.id,
 		label: `${entry.serialNumber.slice(0, 12)}… (${entry.displayName ?? entry.certificateType}, exp ${entry.expirationDate.slice(0, 10)})`
@@ -20498,10 +20914,10 @@ const interactiveCertLimitRecover = (api, ascApiKeyId) => Effect.gen(function* (
 });
 const generateDistributionCertInteractive = (api) => Effect.gen(function* () {
 	const teamAscKeys = (yield* api.ascApiKeys.list()).items.filter((key) => key.appleTeamId !== null);
-	if (teamAscKeys.length === 0) return yield* Effect.fail(new MissingCredentialsError({
+	if (teamAscKeys.length === 0) return yield* new MissingCredentialsError({
 		message: "No ASC API key linked to an Apple team in this organization.",
 		hint: "Upload an ASC API key with a team assignment via the dashboard, then retry."
-	}));
+	});
 	const ascKeyId = yield* promptSelect("Select an ASC API key to issue the certificate against", teamAscKeys.map((key) => ({
 		value: key.id,
 		label: `${key.name} (${key.keyId})`
@@ -20520,10 +20936,10 @@ const chooseIosCertificateId = (api) => Effect.gen(function* () {
 		}, {
 			value: "abort",
 			label: "Abort — I'll upload one manually"
-		}])) === "abort") return yield* Effect.fail(new MissingCredentialsError({
+		}])) === "abort") return yield* new MissingCredentialsError({
 			message: "Build aborted — no distribution certificate available.",
 			hint: "Run `better-update credentials generate distribution-certificate --asc-key-id <id>` or upload via the dashboard."
-		}));
+		});
 		return (yield* generateDistributionCertInteractive(api)).id;
 	}
 	const choice = yield* promptSelect("Select a distribution certificate (or 'generate' for a fresh one)", [{
@@ -20539,10 +20955,10 @@ const chooseIosCertificateId = (api) => Effect.gen(function* () {
 const pickIosCertificate = (api) => Effect.gen(function* () {
 	const chosenId = yield* chooseIosCertificateId(api);
 	const cert = (yield* api.appleDistributionCertificates.list()).items.find((entry) => entry.id === chosenId);
-	if (cert === void 0) return yield* Effect.fail(new MissingCredentialsError({
+	if (cert === void 0) return yield* new MissingCredentialsError({
 		message: "Selected certificate not found after generation.",
 		hint: "Retry."
-	}));
+	});
 	return {
 		certId: chosenId,
 		cert
@@ -20550,10 +20966,10 @@ const pickIosCertificate = (api) => Effect.gen(function* () {
 });
 const pickIosAscKey = (api, appleTeamId) => Effect.gen(function* () {
 	const teamAscKeys = (yield* api.ascApiKeys.list()).items.filter((key) => key.appleTeamId !== null && key.appleTeamId === appleTeamId);
-	if (teamAscKeys.length === 0) return yield* Effect.fail(new MissingCredentialsError({
+	if (teamAscKeys.length === 0) return yield* new MissingCredentialsError({
 		message: `No ASC API key linked to Apple team ${appleTeamId}.`,
 		hint: "Upload an ASC API key for that team via the dashboard, then retry."
-	}));
+	});
 	return yield* promptSelect("Select an ASC API key", teamAscKeys.map((key) => ({
 		value: key.id,
 		label: `${key.name} (${key.keyId})`
@@ -20634,10 +21050,10 @@ const generateKeystoreInteractive = (api) => Effect.gen(function* () {
 });
 const pickExistingKeystore = (api) => Effect.gen(function* () {
 	const keystores = yield* api.androidUploadKeystores.list();
-	if (keystores.items.length === 0) return yield* Effect.fail(new MissingCredentialsError({
+	if (keystores.items.length === 0) return yield* new MissingCredentialsError({
 		message: "No existing keystores in this organization.",
 		hint: "Re-run and choose 'Generate new keystore'."
-	}));
+	});
 	return yield* promptSelect("Select a keystore", keystores.items.map((item) => ({
 		value: item.id,
 		label: item.keyAlias
@@ -20670,10 +21086,10 @@ const setupAndroidInteractive = (api, input) => Effect.gen(function* () {
 			label: "Abort — I'll configure it in the dashboard"
 		}
 	]);
-	if (choice === "abort") return yield* Effect.fail(new MissingCredentialsError({
+	if (choice === "abort") return yield* new MissingCredentialsError({
 		message: `Build aborted — no keystore bound to ${input.applicationIdentifier}.`,
 		hint: "Run `better-update credentials generate keystore` or upload via the dashboard."
-	}));
+	});
 	const keystoreId = yield* choice === "generate" ? generateKeystoreAuto(api, input.applicationIdentifier) : pickExistingKeystore(api);
 	yield* api.androidBuildCredentials.create({
 		path: { applicationIdentifierId: appId },
@@ -20694,10 +21110,10 @@ const ensureAndroidCredentialsAvailable = (api, input) => api.buildCredentials.r
 }).pipe(Effect.asVoid);
 const ensureAndroidCredentials = (api, input, options) => ensureAndroidCredentialsAvailable(api, input).pipe(Effect.catchIf(isMissingResolveError, () => Effect.gen(function* () {
 	const mode = yield* InteractiveMode;
-	if (options.freezeCredentials || !mode.allow) return yield* Effect.fail(new MissingCredentialsError({
+	if (options.freezeCredentials || !mode.allow) return yield* new MissingCredentialsError({
 		message: `No Android build credentials for ${input.applicationIdentifier}.`,
 		hint: options.freezeCredentials ? "Run `better-update credentials generate` first, or remove --freeze-credentials." : "Run `better-update credentials generate` first, or rerun with --interactive to configure now."
-	}));
+	});
 	yield* setupAndroidInteractive(api, input);
 	return yield* ensureAndroidCredentialsAvailable(api, input);
 })));
@@ -20718,10 +21134,10 @@ const resolveIosBuildCredentials = (api, input) => api.buildCredentials.resolve(
 const findBoundIosConfig = (api, input) => Effect.gen(function* () {
 	const distributionType = IOS_DISTRIBUTION_TO_TYPE[input.distribution];
 	const match = (yield* api.iosBundleConfigurations.list({ path: { projectId: input.projectId } })).items.find((config) => config.bundleIdentifier === input.bundleIdentifier && config.distributionType === distributionType);
-	if (match === void 0) return yield* Effect.fail(new MissingCredentialsError({
+	if (match === void 0) return yield* new MissingCredentialsError({
 		message: `iOS bundle configuration vanished while regenerating stale profile for ${input.bundleIdentifier}`,
 		hint: "Retry; the configuration must exist before regeneration"
-	}));
+	});
 	return match;
 });
 const regenerateProvisioningProfile = (api, input) => Effect.gen(function* () {
@@ -20752,19 +21168,19 @@ const regenerateProvisioningProfile = (api, input) => Effect.gen(function* () {
 });
 const ensureIosCredentials = (api, input, options) => resolveIosBuildCredentials(api, input).pipe(Effect.catchIf(isMissingResolveError, () => Effect.gen(function* () {
 	const mode = yield* InteractiveMode;
-	if (options.freezeCredentials || !mode.allow) return yield* Effect.fail(new MissingCredentialsError({
+	if (options.freezeCredentials || !mode.allow) return yield* new MissingCredentialsError({
 		message: `No iOS build credentials for ${input.bundleIdentifier} (${input.distribution}).`,
 		hint: options.freezeCredentials ? "Run `better-update credentials generate` first, or remove --freeze-credentials." : "Run `better-update credentials generate` first, or rerun with --interactive to configure now."
-	}));
+	});
 	yield* setupIosInteractive(api, input);
 	return yield* resolveIosBuildCredentials(api, input);
 })), Effect.flatMap((resolved) => Effect.gen(function* () {
 	if (resolved.platform !== "ios" || !resolved.profileStale) return;
 	const mode = yield* InteractiveMode;
-	if (options.freezeCredentials || !mode.allow) return yield* Effect.fail(new MissingCredentialsError({
+	if (options.freezeCredentials || !mode.allow) return yield* new MissingCredentialsError({
 		message: `Stale provisioning profile for ${input.bundleIdentifier}; cannot regenerate without an interactive session.`,
 		hint: options.freezeCredentials ? "Run a build without --freeze-credentials once to refresh the profile, or run `better-update credentials regenerate-profile`." : "Run `better-update credentials regenerate-profile --bundle <id> --distribution <type>` from an interactive terminal."
-	}));
+	});
 	yield* Console.log(`Stale provisioning profile for ${input.bundleIdentifier} (device roster changed). Regenerating...`);
 	yield* regenerateProvisioningProfile(api, input);
 })));
@@ -20814,7 +21230,7 @@ const applyTargetSigning = (options) => Effect.gen(function* () {
 	const projectDir = yield* findXcodeProjectDir$1(options.iosDir);
 	const pbxprojPath = path.join(projectDir, "project.pbxproj");
 	const project = yield* parseProject$1(pbxprojPath);
-	for (const entry of options.entries) for (const configUuid of entry.buildConfigurationUuids) if (!mutateConfig(project, configUuid, entry.settings)) yield* new XcodeProjectError({ message: `Build configuration ${configUuid} not found for target "${entry.targetName}" in ${pbxprojPath}.` });
+	for (const entry of options.entries) for (const configUuid of entry.buildConfigurationUuids) if (!mutateConfig(project, configUuid, entry.settings)) return yield* new XcodeProjectError({ message: `Build configuration ${configUuid} not found for target "${entry.targetName}" in ${pbxprojPath}.` });
 	const serialized = yield* Effect.try({
 		try: () => project.writeSync(),
 		catch: (cause) => new XcodeProjectError({ message: `Failed to serialize ${pbxprojPath}: ${cause instanceof Error ? cause.message : String(cause)}` })
@@ -21002,7 +21418,7 @@ const installProvisioningProfile = ({ profilePath }) => Effect.acquireRelease(Ef
 //#endregion
 //#region src/lib/post-build-validation.ts
 const validateOneBundle = (bundleDir, expectedByBundleId, expectedTeamId) => Effect.gen(function* () {
-	const bundleId = yield* readBundleId(bundleDir).pipe(Effect.catchAll(() => Effect.succeed(void 0)));
+	const bundleId = yield* readBundleId(bundleDir).pipe(Effect.orElseSucceed(() => void 0));
 	if (!bundleId) return {
 		bundleId: void 0,
 		warnings: [`Missing CFBundleIdentifier in Info.plist at ${bundleDir}`]
@@ -21014,16 +21430,16 @@ const validateOneBundle = (bundleDir, expectedByBundleId, expectedTeamId) => Eff
 	};
 	return {
 		bundleId,
-		warnings: yield* validateEmbeddedProfile(bundleDir, expected.profileUuid, expectedTeamId, bundleId).pipe(Effect.catchAll(() => Effect.succeed([])))
+		warnings: yield* validateEmbeddedProfile(bundleDir, expected.profileUuid, expectedTeamId, bundleId).pipe(Effect.orElseSucceed(() => []))
 	};
 });
 const validateIosBuild = (params) => Effect.gen(function* () {
-	const appDir = yield* findAppDirectory$1(params.archivePath).pipe(Effect.catchAll(() => Effect.succeed(void 0)));
+	const appDir = yield* findAppDirectory$1(params.archivePath).pipe(Effect.orElseSucceed(() => void 0));
 	if (!appDir) return {
 		passed: false,
 		warnings: ["Could not locate .app bundle in archive — skipping post-build validation"]
 	};
-	const bundleDirs = yield* listSignedBundleDirs(appDir).pipe(Effect.catchAll(() => Effect.succeed([appDir])));
+	const bundleDirs = yield* listSignedBundleDirs(appDir).pipe(Effect.orElseSucceed(() => [appDir]));
 	const expectedByBundleId = new Map(params.expectedTargets.map((target) => [target.bundleId, target]));
 	const perBundle = yield* Effect.forEach(bundleDirs, (bundleDir) => validateOneBundle(bundleDir, expectedByBundleId, params.expectedTeamId));
 	const warnings = perBundle.flatMap((entry) => [...entry.warnings]);
@@ -21053,7 +21469,7 @@ const findAppDirectory$1 = (archivePath) => Effect.gen(function* () {
 const listSignedBundleDirs = (appDir) => Effect.gen(function* () {
 	const fs = yield* FileSystem.FileSystem;
 	const plugInsDir = path.join(appDir, "PlugIns");
-	if (!(yield* fs.exists(plugInsDir).pipe(Effect.catchAll(() => Effect.succeed(false))))) return [appDir];
+	if (!(yield* fs.exists(plugInsDir).pipe(Effect.orElseSucceed(() => false)))) return [appDir];
 	return [appDir, ...(yield* fs.readDirectory(plugInsDir)).filter((entry) => entry.endsWith(".appex")).map((entry) => path.join(plugInsDir, entry))];
 });
 const readBundleId = (bundleDir) => Effect.gen(function* () {
@@ -21996,7 +22412,7 @@ const easJsonPath = (projectRoot) => Effect.gen(function* () {
 const readEasJson = (projectRoot) => Effect.gen(function* () {
 	const fs = yield* FileSystem.FileSystem;
 	const filePath = yield* easJsonPath(projectRoot);
-	return yield* parseEasConfig(yield* fs.readFileString(filePath).pipe(Effect.catchAll((cause) => Effect.fail(new BuildProfileError({ message: cause._tag === "SystemError" && cause.reason === "NotFound" ? `No eas.json found at ${filePath}. Create one with a "build" section.` : `Failed to read eas.json: ${cause.message}` })))));
+	return yield* parseEasConfig(yield* fs.readFileString(filePath).pipe(Effect.mapError((cause) => new BuildProfileError({ message: cause._tag === "SystemError" && cause.reason === "NotFound" ? `No eas.json found at ${filePath}. Create one with a "build" section.` : `Failed to read eas.json: ${cause.message}` }))));
 });
 const mergeCustom = (base, overlay) => {
 	const merged = shallowMerge(base, overlay);
@@ -22208,8 +22624,8 @@ const clearBuildCaches = (projectRoot) => Effect.gen(function* () {
 	const removed = [];
 	yield* Effect.forEach(CACHE_DIRS, (rel) => Effect.gen(function* () {
 		const target = path.join(projectRoot, rel);
-		if (!(yield* fs.exists(target).pipe(Effect.catchAll(() => Effect.succeed(false))))) return;
-		yield* fs.remove(target, { recursive: true }).pipe(Effect.catchAll(() => Effect.succeed(void 0)));
+		if (!(yield* fs.exists(target).pipe(Effect.orElseSucceed(() => false)))) return;
+		yield* fs.remove(target, { recursive: true }).pipe(Effect.orElseSucceed(() => void 0));
 		removed.push(rel);
 	}), { concurrency: 4 });
 	if (removed.length > 0) yield* Console.error(`Cleared caches: ${removed.join(", ")}`);
@@ -22503,7 +22919,7 @@ const runFingerprintFull = (projectRoot, options = {}) => Effect.gen(function* (
 		try: () => JSON.parse(stdout),
 		catch: () => new FingerprintError({ message: "Failed to parse @expo/fingerprint output as JSON." })
 	});
-	if (!isRecord(parsed)) return yield* new FingerprintError({ message: "@expo/fingerprint output was not a JSON object." });
+	if (!isRecord$1(parsed)) return yield* new FingerprintError({ message: "@expo/fingerprint output was not a JSON object." });
 	const { hash } = parsed;
 	if (typeof hash !== "string" || hash.length === 0) return yield* new FingerprintError({ message: "@expo/fingerprint output did not contain a \"hash\" string field." });
 	const sourcesRaw = parsed["sources"];
@@ -22538,10 +22954,10 @@ const runString = (cmd, cwd) => Command.string(Command.workingDirectory(cmd, cwd
 */
 const readGitContext = (projectRoot) => Effect.gen(function* () {
 	const [commit, ref, commitMessage, status] = yield* Effect.all([
-		runString(Command.make("git", "rev-parse", "HEAD"), projectRoot).pipe(Effect.map((output) => output.trim()), Effect.catchAll(() => Effect.succeed(""))),
-		runString(Command.make("git", "symbolic-ref", "--short", "HEAD"), projectRoot).pipe(Effect.map((output) => output.trim()), Effect.catchAll(() => Effect.succeed(""))),
-		runString(Command.make("git", "log", "-1", "--format=%s"), projectRoot).pipe(Effect.map((output) => output.trim()), Effect.catchAll(() => Effect.succeed(""))),
-		runString(Command.make("git", "status", "--porcelain"), projectRoot).pipe(Effect.catchAll(() => Effect.succeed("")))
+		runString(Command.make("git", "rev-parse", "HEAD"), projectRoot).pipe(Effect.map((output) => output.trim()), Effect.orElseSucceed(() => "")),
+		runString(Command.make("git", "symbolic-ref", "--short", "HEAD"), projectRoot).pipe(Effect.map((output) => output.trim()), Effect.orElseSucceed(() => "")),
+		runString(Command.make("git", "log", "-1", "--format=%s"), projectRoot).pipe(Effect.map((output) => output.trim()), Effect.orElseSucceed(() => "")),
+		runString(Command.make("git", "status", "--porcelain"), projectRoot).pipe(Effect.orElseSucceed(() => ""))
 	], { concurrency: "unbounded" });
 	return {
 		ref: ref.length > 0 ? ref : void 0,
@@ -22570,14 +22986,14 @@ const readGradleConfig = (androidDir) => Effect.gen(function* () {
 	const hasKts = yield* fs.exists(ktsPath).pipe(Effect.orElseSucceed(() => false));
 	if (!hasGroovy && hasKts) return;
 	if (!hasGroovy) return;
-	const content = yield* fs.readFileString(gradlePath).pipe(Effect.catchAll(() => Effect.succeed(void 0)));
+	const content = yield* fs.readFileString(gradlePath).pipe(Effect.orElseSucceed(() => void 0));
 	if (!content) return;
 	return yield* Effect.tryPromise({
 		try: async () => {
 			return __require("gradle-to-js").parseText(stripGroovyComments(content));
 		},
 		catch: () => void 0
-	}).pipe(Effect.map(extractGradleConfig), Effect.catchAll(() => Effect.succeed(void 0)));
+	}).pipe(Effect.map(extractGradleConfig), Effect.orElseSucceed(() => void 0));
 });
 /**
 * Log a warning if Gradle applicationId differs from app.json package name.
@@ -22697,7 +23113,7 @@ const ALWAYS_IGNORE = [...[
 	"dist"
 ], ...NATIVE_BUILD_OUTPUTS];
 const findLockfile = (fs, dir) => Effect.gen(function* () {
-	for (const [name, pm] of LOCKFILES) if (yield* fs.exists(path.join(dir, name)).pipe(Effect.catchAll(() => Effect.succeed(false)))) return pm;
+	for (const [name, pm] of LOCKFILES) if (yield* fs.exists(path.join(dir, name)).pipe(Effect.orElseSucceed(() => false))) return pm;
 });
 const walkUpForLockfile = (startCwd, dir) => Effect.gen(function* () {
 	const pm = yield* findLockfile(yield* FileSystem.FileSystem, dir);
@@ -22733,13 +23149,13 @@ const buildIgnoreInstance = (workspaceRoot, options = {}) => Effect.gen(function
 	const ig = ignore();
 	ig.add([...ALWAYS_IGNORE]);
 	const easignorePath = path.join(workspaceRoot, ".easignore");
-	if (yield* fs.exists(easignorePath).pipe(Effect.catchAll(() => Effect.succeed(false)))) {
-		const content = yield* fs.readFileString(easignorePath).pipe(Effect.catchAll(() => Effect.succeed("")));
+	if (yield* fs.exists(easignorePath).pipe(Effect.orElseSucceed(() => false))) {
+		const content = yield* fs.readFileString(easignorePath).pipe(Effect.orElseSucceed(() => ""));
 		ig.add(content);
 	} else {
 		const gitignorePath = path.join(workspaceRoot, ".gitignore");
-		if (yield* fs.exists(gitignorePath).pipe(Effect.catchAll(() => Effect.succeed(false)))) {
-			const content = yield* fs.readFileString(gitignorePath).pipe(Effect.catchAll(() => Effect.succeed("")));
+		if (yield* fs.exists(gitignorePath).pipe(Effect.orElseSucceed(() => false))) {
+			const content = yield* fs.readFileString(gitignorePath).pipe(Effect.orElseSucceed(() => ""));
 			ig.add(content);
 		}
 	}
@@ -22810,7 +23226,7 @@ const prepareStagingProject = (input) => Effect.gen(function* () {
 		})
 	});
 	yield* initGitRepo(stagingRoot);
-	if (yield* fs.exists(path.join(workspaceRoot, "package.json")).pipe(Effect.catchAll(() => Effect.succeed(false)))) yield* runInstall({
+	if (yield* fs.exists(path.join(workspaceRoot, "package.json")).pipe(Effect.orElseSucceed(() => false))) yield* runInstall({
 		stagingRoot,
 		packageManager,
 		env: yield* runtime.commandEnvironment(input.envVars)
@@ -22827,7 +23243,7 @@ const prepareStagingProject = (input) => Effect.gen(function* () {
 //#endregion
 //#region src/lib/repo-clean.ts
 const MAX_FILES_SHOWN = 10;
-const readPorcelain = (projectRoot) => Command.make("git", "status", "--porcelain").pipe(Command.workingDirectory(projectRoot), Command.string, Effect.map((output) => output.split(/\r?\n/u).map((line) => line.trim()).filter((line) => line.length > 0)), Effect.catchAll(() => Effect.succeed([])));
+const readPorcelain = (projectRoot) => Command.make("git", "status", "--porcelain").pipe(Command.workingDirectory(projectRoot), Command.string, Effect.map((output) => output.split(/\r?\n/u).map((line) => line.trim()).filter((line) => line.length > 0)), Effect.orElseSucceed(() => []));
 /**
 * Refuse to proceed when the working tree has uncommitted changes. Skipped when
 * `allowDirty` is true. In interactive mode, prompts the user to confirm; in
@@ -22840,11 +23256,8 @@ const ensureRepoClean = ({ projectRoot, allowDirty, label }) => Effect.gen(funct
 	const preview = dirty.slice(0, MAX_FILES_SHOWN).join("\n  ");
 	const overflow = dirty.length > MAX_FILES_SHOWN ? `\n  ... and ${String(dirty.length - MAX_FILES_SHOWN)} more` : "";
 	yield* Console.error(`Uncommitted changes (${String(dirty.length)} file(s)):\n  ${preview}${overflow}`);
-	if (!(yield* InteractiveMode).allow) {
-		yield* new DirtyRepoError({ message: `Refusing to ${label} with a dirty working tree. Commit your changes or pass --allow-dirty.` });
-		return;
-	}
-	if (!(yield* promptConfirm(`Continue ${label} with uncommitted changes?`, { initialValue: false }))) yield* new DirtyRepoError({ message: `${label} cancelled by user.` });
+	if (!(yield* InteractiveMode).allow) return yield* new DirtyRepoError({ message: `Refusing to ${label} with a dirty working tree. Commit your changes or pass --allow-dirty.` });
+	if (!(yield* promptConfirm(`Continue ${label} with uncommitted changes?`, { initialValue: false }))) return yield* new DirtyRepoError({ message: `${label} cancelled by user.` });
 });
 
 //#endregion
@@ -22984,7 +23397,7 @@ const postTokenRequest = (tokenUri, jwt) => Effect.tryPromise({
 });
 const exchangeJwtForAccessToken = (tokenUri, jwt) => Effect.gen(function* () {
 	const result = yield* postTokenRequest(tokenUri, jwt);
-	if (!result.ok) return yield* Effect.fail(new GooglePlayAuthError({ message: `OAuth token exchange failed: ${String(result.status)} ${result.text}` }));
+	if (!result.ok) return yield* new GooglePlayAuthError({ message: `OAuth token exchange failed: ${String(result.status)} ${result.text}` });
 	const json = yield* Effect.try({
 		try: () => JSON.parse(result.text),
 		catch: (cause) => new GooglePlayAuthError({
@@ -23009,7 +23422,7 @@ const acquireGooglePlayAccessToken = (serviceAccountJson) => Effect.gen(function
 		message: "Service account JSON missing required fields (type, client_email, private_key)",
 		cause
 	})));
-	if (parsed.type !== "service_account") return yield* Effect.fail(new GooglePlayAuthError({ message: `Service account JSON has wrong type: ${parsed.type}` }));
+	if (parsed.type !== "service_account") return yield* new GooglePlayAuthError({ message: `Service account JSON has wrong type: ${parsed.type}` });
 	const tokenUri = parsed.token_uri ?? GOOGLE_OAUTH_TOKEN_URL;
 	return {
 		accessToken: yield* exchangeJwtForAccessToken(tokenUri, yield* signJwt(yield* importPrivateKey(parsed.private_key), buildJwtAssertion({
@@ -23049,10 +23462,10 @@ const performFetch = (params) => Effect.tryPromise({
 });
 const callJsonRaw = (params) => Effect.gen(function* () {
 	const result = yield* performFetch(params);
-	if (!result.ok) return yield* Effect.fail(new GooglePlayApiError({
+	if (!result.ok) return yield* new GooglePlayApiError({
 		message: `${params.label} failed: ${String(result.status)} ${result.text}`,
 		httpStatus: result.status
-	}));
+	});
 	return yield* Effect.try({
 		try: () => result.text === "" ? {} : JSON.parse(result.text),
 		catch: (cause) => new GooglePlayApiError({
@@ -23107,10 +23520,10 @@ const performBundleUpload = (params) => Effect.tryPromise({
 });
 const uploadBundle = (params) => Effect.gen(function* () {
 	const result = yield* performBundleUpload(params);
-	if (!result.ok) return yield* Effect.fail(new GooglePlayApiError({
+	if (!result.ok) return yield* new GooglePlayApiError({
 		message: `edits.bundles.upload failed: ${String(result.status)} ${result.text}`,
 		httpStatus: result.status
-	}));
+	});
 	const raw = yield* Effect.try({
 		try: () => JSON.parse(result.text),
 		catch: (cause) => new GooglePlayApiError({
@@ -23301,10 +23714,10 @@ const fetchArchiveOverHttp = (url) => Effect.gen(function* () {
 			message: `Failed to download AAB from ${url}: ${cause instanceof Error ? cause.message : String(cause)}`
 		})
 	});
-	if (!result.ok || result.bytes === null) return yield* Effect.fail(new CliSubmitError({
+	if (!result.ok || result.bytes === null) return yield* new CliSubmitError({
 		code: "SUBMISSION_ARCHIVE_DOWNLOAD_FAILED",
 		message: `HTTP ${String(result.status)} fetching archive at ${url}`
-	}));
+	});
 	return result.bytes;
 });
 const readArchiveBytes = (archive) => archive.source === "path" ? Effect.map(readLocalFile(archive.value, "SUBMISSION_ARCHIVE_READ_FAILED", (cause) => `Failed to read AAB at ${archive.value}: ${cause instanceof Error ? cause.message : String(cause)}`), (buf) => new Uint8Array(buf)) : fetchArchiveOverHttp(archive.value);
@@ -23379,10 +23792,10 @@ const runGooglePlayPipeline = (params) => Effect.gen(function* () {
 });
 const runAndroidGooglePlayUpload = (inputs) => Effect.gen(function* () {
 	const { applicationId } = inputs.androidProfile;
-	if (applicationId === void 0) return yield* Effect.fail(new CliSubmitError({
+	if (applicationId === void 0) return yield* new CliSubmitError({
 		code: "SUBMISSION_ANDROID_APP_ID_MISSING",
 		message: "Android submit profile requires applicationId — set submit.<profile>.android.applicationId in eas.json"
-	}));
+	});
 	const serviceAccountJson = yield* resolveServiceAccountJson({
 		api: inputs.api,
 		serviceAccountKeyId: inputs.serviceAccountKeyId,
@@ -23407,7 +23820,7 @@ const runAndroidGooglePlayUpload = (inputs) => Effect.gen(function* () {
 			errorCode: engineError.code,
 			errorMessage: engineError.message
 		});
-		return yield* Effect.fail(engineError);
+		return yield* engineError;
 	})));
 	yield* patchSubmissionStatus(inputs.api, inputs.submissionId, { status: "FINISHED" });
 	yield* printHuman(`Google Play bundle uploaded (versionCode ${String(result.versionCode)})`);
@@ -23824,7 +24237,7 @@ const runBuildWorkflow = (options) => Effect.scoped(Effect.gen(function* () {
 		commit: rawGitContext.commit,
 		dirty: rawGitContext.dirty
 	});
-	const fingerprintHash = isExpo ? yield* runFingerprintForPlatform(userCwd, platform).pipe(Effect.map((entry) => entry.hash), Effect.catchAll(() => Effect.succeed(void 0))) : void 0;
+	const fingerprintHash = isExpo ? yield* runFingerprintForPlatform(userCwd, platform).pipe(Effect.map((entry) => entry.hash), Effect.orElseSucceed(() => void 0)) : void 0;
 	const result = yield* reserveAndUpload(api, {
 		target,
 		projectId,
@@ -24179,10 +24592,7 @@ const downloadCommand$1 = defineCommand({
 		const fs = yield* FileSystem.FileSystem;
 		const cwd = yield* (yield* CliRuntime).cwd;
 		const { artifact } = yield* api.builds.get({ path: { id: args.id } });
-		if (!artifact) {
-			yield* Effect.fail(new UploadFailedError({ message: `Build ${args.id} has no artifact yet.` }));
-			return;
-		}
+		if (!artifact) return yield* new UploadFailedError({ message: `Build ${args.id} has no artifact yet.` });
 		const link = yield* api.builds.getInstallLink({ path: { id: args.id } });
 		const ext = artifact.format;
 		const outputPath = args.output ?? path.join(cwd, `${args.id}.${ext}`);
@@ -24455,7 +24865,7 @@ const runInherit = (step, bin, ...args) => Command.exitCode(Command.make(bin, ..
 * Locate a tool on PATH. Returns the absolute path or fails with NativeRunError.
 */
 const which = (bin) => Effect.gen(function* () {
-	const trimmed = (yield* Command.string(Command.make("which", bin)).pipe(Effect.catchAll(() => Effect.fail(new NativeRunError({ message: `${bin} not found in PATH` }))))).trim();
+	const trimmed = (yield* Command.string(Command.make("which", bin)).pipe(Effect.mapError(() => new NativeRunError({ message: `${bin} not found in PATH` })))).trim();
 	if (trimmed === "") return yield* new NativeRunError({ message: `${bin} not found in PATH` });
 	return trimmed;
 });
@@ -24474,7 +24884,7 @@ const findAppBundle = (root) => Effect.gen(function* () {
 	const fs = yield* FileSystem.FileSystem;
 	const candidates = [root, path.join(root, "Payload")];
 	for (const candidate of candidates) {
-		const app = (yield* fs.readDirectory(candidate).pipe(Effect.catchAll(() => Effect.succeed([])))).find((entry) => entry.endsWith(".app"));
+		const app = (yield* fs.readDirectory(candidate).pipe(Effect.orElseSucceed(() => []))).find((entry) => entry.endsWith(".app"));
 		if (app) return path.join(candidate, app);
 	}
 	return yield* new NativeRunError({ message: `No .app bundle found inside ${root} or ${path.join(root, "Payload")}.` });
@@ -24553,8 +24963,8 @@ const installAndLaunchIosDevice = (params) => Effect.gen(function* () {
 * fall back to a CLI flag.
 */
 const tryReadApkPackageWith = (bin, apkPath) => Effect.gen(function* () {
-	if (!(yield* which(bin).pipe(Effect.catchAll(() => Effect.succeed(null))))) return;
-	const raw = yield* execCapture(`${bin} dump`, bin, "dump", "badging", apkPath).pipe(Effect.catchAll(() => Effect.succeed(null)));
+	if (!(yield* which(bin).pipe(Effect.orElseSucceed(() => null)))) return;
+	const raw = yield* execCapture(`${bin} dump`, bin, "dump", "badging", apkPath).pipe(Effect.orElseSucceed(() => null));
 	if (!raw) return;
 	return /package: name='(?<packageName>[^']+)'/u.exec(raw)?.[1];
 });
@@ -24626,10 +25036,7 @@ const runIosSimulator = (params) => Effect.gen(function* () {
 });
 const runIosDevice = (params) => Effect.gen(function* () {
 	const { deviceSelector } = params;
-	if (deviceSelector === void 0) {
-		yield* Effect.fail(new InvalidArgumentError({ message: "Pass --device-id <udid>. Run `xcrun devicectl list devices` to list connected devices." }));
-		return;
-	}
+	if (deviceSelector === void 0) return yield* new InvalidArgumentError({ message: "Pass --device-id <udid>. Run `xcrun devicectl list devices` to list connected devices." });
 	const bundleId = yield* readBundleIdFromApp(yield* findAppBundle(yield* extractIosArtifact({
 		tempDir: params.tempDir,
 		artifactPath: params.artifactPath,
@@ -24654,21 +25061,12 @@ const runIos = (params) => {
 	return Effect.fail(new NativeRunError({ message: `Cannot install ${params.format} on iOS; only tar.gz (simulator) or ipa are supported.` }));
 };
 const runAndroid = (params) => Effect.gen(function* () {
-	if (params.format === "aab") {
-		yield* Effect.fail(new InvalidArgumentError({ message: ".aab artifacts cannot be installed directly. Use bundletool to convert to apks, or download the play-store APK." }));
-		return;
-	}
-	if (params.format !== "apk") {
-		yield* Effect.fail(new NativeRunError({ message: `Cannot install ${params.format} on Android; only apk is supported.` }));
-		return;
-	}
+	if (params.format === "aab") return yield* new InvalidArgumentError({ message: ".aab artifacts cannot be installed directly. Use bundletool to convert to apks, or download the play-store APK." });
+	if (params.format !== "apk") return yield* new NativeRunError({ message: `Cannot install ${params.format} on Android; only apk is supported.` });
 	const device = yield* pickAndroidDevice(params.emulatorSelector);
 	const detected = yield* readApkPackageName(params.artifactPath);
 	const packageName = params.packageOverride ?? detected;
-	if (!packageName) {
-		yield* Effect.fail(new InvalidArgumentError({ message: "Could not detect APK package name (aapt/aapt2 not on PATH). Pass --package <name> explicitly." }));
-		return;
-	}
+	if (!packageName) return yield* new InvalidArgumentError({ message: "Could not detect APK package name (aapt/aapt2 not on PATH). Pass --package <name> explicitly." });
 	yield* printHuman(`Installing on Android device ${device.serial}...`);
 	yield* installAndLaunchAndroid({
 		serial: device.serial,
@@ -24733,7 +25131,7 @@ const runCommand$1 = defineCommand({
 			projectId
 		});
 		const { artifact } = build;
-		if (!artifact) return yield* Effect.fail(new UploadFailedError({ message: `Build ${build.id} has no artifact yet.` }));
+		if (!artifact) return yield* new UploadFailedError({ message: `Build ${build.id} has no artifact yet.` });
 		const link = yield* api.builds.getInstallLink({ path: { id: build.id } });
 		const tempDir = yield* acquireBuildTempDir;
 		const artifactPath = path.join(tempDir, `artifact.${artifact.format}`);
@@ -24828,7 +25226,7 @@ const resolveUploadMeta = (params) => Effect.gen(function* () {
 const runUploadWorkflow = (options) => Effect.gen(function* () {
 	const api = yield* apiClient;
 	const projectRoot = yield* (yield* CliRuntime).cwd;
-	if (!(yield* (yield* FileSystem.FileSystem).exists(options.artifactPath).pipe(Effect.orElseSucceed(() => false)))) yield* new ArtifactNotFoundError({ message: `Artifact not found at ${options.artifactPath}.` });
+	if (!(yield* (yield* FileSystem.FileSystem).exists(options.artifactPath).pipe(Effect.orElseSucceed(() => false)))) return yield* new ArtifactNotFoundError({ message: `Artifact not found at ${options.artifactPath}.` });
 	const projectType = yield* detectProjectType({
 		projectRoot,
 		override: asProjectType((yield* readBetterUpdateConfig(projectRoot))?.["projectType"])
@@ -24858,7 +25256,7 @@ const runUploadWorkflow = (options) => Effect.gen(function* () {
 		commit: rawGitContext.commit,
 		dirty: rawGitContext.dirty
 	});
-	const fingerprintHash = isExpo ? yield* runFingerprintForPlatform(projectRoot, options.platform).pipe(Effect.map((entry) => entry.hash), Effect.catchAll(() => Effect.succeed(void 0))) : void 0;
+	const fingerprintHash = isExpo ? yield* runFingerprintForPlatform(projectRoot, options.platform).pipe(Effect.map((entry) => entry.hash), Effect.orElseSucceed(() => void 0)) : void 0;
 	const result = yield* reserveAndUpload(api, compact({
 		target,
 		projectId,
@@ -25383,7 +25781,7 @@ const viewCommand$2 = defineCommand({
 			page
 		} }))]);
 		const channel = channels.find((entry) => entry.id === args.target) ?? channels.find((entry) => entry.name === args.target);
-		if (!channel) return yield* Effect.fail(new ChannelCommandError({ message: `Channel "${args.target}" not found by ID or name.` }));
+		if (!channel) return yield* new ChannelCommandError({ message: `Channel "${args.target}" not found by ID or name.` });
 		const branchName = new Map(branches.map((branch) => [branch.id, branch.name])).get(channel.branchId) ?? channel.branchId;
 		yield* printHumanKeyValue([
 			["ID", channel.id],
@@ -25808,7 +26206,7 @@ const announce = (heading) => Effect.gen(function* () {
 });
 const reportError = (label, cause) => Console.log(`✗ ${label}: ${cause instanceof Error ? cause.message : String(cause)}`);
 const safely = (label, effect) => effect.pipe(Effect.catchAll((cause) => reportError(label, cause)), Effect.asVoid);
-const safePrompt = (effect) => effect.pipe(Effect.catchAll(() => Effect.succeed(BACK)));
+const safePrompt = (effect) => effect.pipe(Effect.orElseSucceed(() => BACK));
 const promptForBundleConfig = (ctx) => Effect.gen(function* () {
 	const list = yield* ctx.api.iosBundleConfigurations.list({ path: { projectId: ctx.projectId } });
 	if (list.items.length === 0) return yield* new MissingCredentialsError({
@@ -27739,7 +28137,7 @@ const handleCertLimitInteractive = (api, ascApiKeyId, certificateType) => Effect
 		ascApiKeyId,
 		certificateType
 	});
-	if (certs.length === 0) return yield* Effect.fail(new CertificateLimitError({ message: "Apple says the certificate limit is hit but no existing certificates were returned — try again later." }));
+	if (certs.length === 0) return yield* new CertificateLimitError({ message: "Apple says the certificate limit is hit but no existing certificates were returned — try again later." });
 	const toRevoke = yield* promptMultiSelect("Select one or more certificates to revoke before retrying", certs.map((entry) => ({
 		value: entry.id,
 		label: `${entry.serialNumber.slice(0, 12)}… (${entry.displayName ?? entry.certificateType}, exp ${entry.expirationDate.slice(0, 10)})`
@@ -28501,7 +28899,7 @@ const writeArtifact = (fs, projectRoot, relPath, bytes) => Effect.gen(function*
 const writeText = (fs, projectRoot, relPath, text) => writeArtifact(fs, projectRoot, relPath, new TextEncoder().encode(text));
 const ensureGitignoreEntries = (fs, projectRoot, paths) => Effect.gen(function* () {
 	const filePath = path.join(projectRoot, ".gitignore");
-	const lines = ((yield* fs.exists(filePath).pipe(Effect.catchAll(() => Effect.succeed(false)))) ? yield* fs.readFileString(filePath).pipe(Effect.catchAll(() => Effect.succeed(""))) : "").split("\n");
+	const lines = ((yield* fs.exists(filePath).pipe(Effect.orElseSucceed(() => false))) ? yield* fs.readFileString(filePath).pipe(Effect.orElseSucceed(() => "")) : "").split("\n");
 	const added = [];
 	const next = [...lines];
 	for (const entry of paths) if (!lines.includes(entry)) {
@@ -29721,6 +30119,7 @@ const devicesCommand = defineCommand({
 
 //#endregion
 //#region src/commands/doctor.ts
+var HealthCheckError = class extends Data.TaggedError("HealthCheckError") {};
 const pass = (id, name, message) => ({
 	id,
 	name,
@@ -29759,7 +30158,10 @@ const checkServerHealth = Effect.gen(function* () {
 	const url = `${yield* (yield* ConfigStore).getBaseUrl}/api/health`;
 	const response = yield* Effect.tryPromise({
 		try: async () => fetch(url, { signal: AbortSignal.timeout(3e3) }),
-		catch: (cause) => new Error(String(cause))
+		catch: (cause) => new HealthCheckError({
+			message: String(cause),
+			cause
+		})
 	}).pipe(Effect.either);
 	if (response._tag === "Left") return fail("health", "Server reachable", `${url} unreachable: ${response.left.message}`);
 	const res = response.right;
@@ -29970,7 +30372,7 @@ const getExecTrailingArgv = () => trailing$1;
 const pullForExec = (api, projectId, environment) => pullEnvVars(api, {
 	projectId,
 	environment
-}).pipe(Effect.catchAll(() => Effect.succeed({})));
+}).pipe(Effect.orElseSucceed(() => ({})));
 const splitTrailing = (trailing) => {
 	if (!trailing || trailing.length === 0) return Effect.fail(new InvalidArgumentError({ message: "Pass the command after `--`. Example: `better-update env exec production -- bun run dev`." }));
 	const [bin, ...rest] = trailing;
@@ -30795,12 +31197,382 @@ const fingerprintCommand = defineCommand({
 	}
 });
 
+//#endregion
+//#region src/commands/groups/helpers.ts
+const groupErrorExtras = { GroupCommandError: 2 };
+
+//#endregion
+//#region src/commands/groups/attach.ts
+const attachGroupPolicyCommand = defineCommand({
+	meta: {
+		name: "attach",
+		description: "Attach a policy (real or managed:*) to a group; members inherit it"
+	},
+	args: {
+		id: {
+			type: "positional",
+			required: true,
+			description: "Group ID"
+		},
+		"policy-id": {
+			type: "string",
+			required: true,
+			description: "Policy ID to attach (real id or managed preset like managed:admin)"
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const attachment = yield* (yield* apiClient)["policy-attachments"].attachToGroup({
+			path: { id: args.id },
+			payload: { policyId: args["policy-id"] }
+		});
+		yield* printHumanKeyValue([
+			["Attachment ID", attachment.id],
+			["Group ID", attachment.principalId],
+			["Policy ID", attachment.policyId],
+			["Created", attachment.createdAt]
+		]);
+		return attachment;
+	}), {
+		exits: groupErrorExtras,
+		json: "value"
+	})
+});
+
+//#endregion
+//#region src/commands/groups/create.ts
+const createGroupCommand = defineCommand({
+	meta: {
+		name: "create",
+		description: "Create a member group"
+	},
+	args: {
+		name: {
+			type: "string",
+			required: true,
+			description: "Group display name"
+		},
+		description: {
+			type: "string",
+			description: "Optional human description"
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const group = yield* (yield* apiClient).groups.create({ payload: {
+			name: args.name,
+			...compact({ description: args.description })
+		} });
+		yield* printHumanKeyValue([
+			["ID", group.id],
+			["Name", group.name],
+			["Description", group.description ?? "-"],
+			["Created", group.createdAt]
+		]);
+		return group;
+	}), {
+		exits: groupErrorExtras,
+		json: "value"
+	})
+});
+
+//#endregion
+//#region src/commands/groups/delete.ts
+const deleteGroupCommand = defineCommand({
+	meta: {
+		name: "delete",
+		description: "Delete a group and sweep its memberships and policy attachments"
+	},
+	args: {
+		id: {
+			type: "positional",
+			required: true,
+			description: "Group ID"
+		},
+		yes: {
+			type: "boolean",
+			description: "Skip confirmation prompt"
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		if (!args.yes) {
+			if (!(yield* promptConfirm(`Delete group ${args.id}?`, { initialValue: false }))) {
+				yield* printHuman("Cancelled.");
+				return;
+			}
+		}
+		yield* (yield* apiClient).groups.delete({ path: { id: args.id } });
+		yield* printHuman(`Deleted group ${args.id}.`);
+		return {
+			id: args.id,
+			deleted: true
+		};
+	}), {
+		exits: groupErrorExtras,
+		json: "value"
+	})
+});
+
+//#endregion
+//#region src/commands/groups/detach.ts
+const detachGroupPolicyCommand = defineCommand({
+	meta: {
+		name: "detach",
+		description: "Remove a policy attachment from a group"
+	},
+	args: {
+		id: {
+			type: "positional",
+			required: true,
+			description: "Group ID"
+		},
+		"policy-id": {
+			type: "string",
+			required: true,
+			description: "Policy ID to detach (real id or managed preset like managed:admin)"
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		yield* (yield* apiClient)["policy-attachments"].detachFromGroup({ path: {
+			id: args.id,
+			policyId: encodeURIComponent(args["policy-id"])
+		} });
+		yield* printHuman(`Detached policy ${args["policy-id"]} from group ${args.id}.`);
+		return {
+			groupId: args.id,
+			policyId: args["policy-id"],
+			detached: true
+		};
+	}), {
+		exits: groupErrorExtras,
+		json: "value"
+	})
+});
+
+//#endregion
+//#region src/commands/groups/list.ts
+const listGroupsCommand = defineCommand({
+	meta: {
+		name: "list",
+		description: "List member groups in the active organization"
+	},
+	run: async () => runEffect(Effect.gen(function* () {
+		const result = yield* (yield* apiClient).groups.list();
+		yield* printHumanTable([
+			"ID",
+			"Name",
+			"Description",
+			"Created"
+		], result.items.map((group) => [
+			group.id,
+			group.name,
+			group.description ?? "-",
+			group.createdAt
+		]));
+		return result;
+	}), {
+		exits: groupErrorExtras,
+		json: "value"
+	})
+});
+
+//#endregion
+//#region src/commands/groups/members/add.ts
+const addGroupMemberCommand = defineCommand({
+	meta: {
+		name: "add",
+		description: "Add an organization member to a group"
+	},
+	args: {
+		id: {
+			type: "positional",
+			required: true,
+			description: "Group ID"
+		},
+		"member-id": {
+			type: "string",
+			required: true,
+			description: "Organization member ID to add"
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const member = yield* (yield* apiClient).groups.addMember({
+			path: { id: args.id },
+			payload: { memberId: args["member-id"] }
+		});
+		yield* printHumanKeyValue([["Member ID", member.memberId], ["Added", member.createdAt]]);
+		return member;
+	}), {
+		exits: groupErrorExtras,
+		json: "value"
+	})
+});
+
+//#endregion
+//#region src/commands/groups/members/remove.ts
+const removeGroupMemberCommand = defineCommand({
+	meta: {
+		name: "remove",
+		description: "Remove a member from a group"
+	},
+	args: {
+		id: {
+			type: "positional",
+			required: true,
+			description: "Group ID"
+		},
+		"member-id": {
+			type: "string",
+			required: true,
+			description: "Organization member ID to remove"
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		yield* (yield* apiClient).groups.removeMember({ path: {
+			id: args.id,
+			memberId: args["member-id"]
+		} });
+		yield* printHuman(`Removed member ${args["member-id"]} from group ${args.id}.`);
+		return {
+			groupId: args.id,
+			memberId: args["member-id"],
+			removed: true
+		};
+	}), {
+		exits: groupErrorExtras,
+		json: "value"
+	})
+});
+
+//#endregion
+//#region src/commands/groups/members/index.ts
+const listGroupMembersCommand = defineCommand({
+	meta: {
+		name: "list",
+		description: "List the members belonging to a group"
+	},
+	args: { id: {
+		type: "positional",
+		required: true,
+		description: "Group ID"
+	} },
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const result = yield* (yield* apiClient).groups.listMembers({ path: { id: args.id } });
+		yield* printHumanTable(["Member ID", "Added"], result.items.map((member) => [member.memberId, member.createdAt]));
+		return result;
+	}), {
+		exits: groupErrorExtras,
+		json: "value"
+	})
+});
+const membersCommand = defineCommand({
+	meta: {
+		name: "members",
+		description: "Manage the members of a group"
+	},
+	subCommands: {
+		list: listGroupMembersCommand,
+		add: addGroupMemberCommand,
+		remove: removeGroupMemberCommand
+	}
+});
+
+//#endregion
+//#region src/commands/groups/policies.ts
+const listGroupPoliciesCommand = defineCommand({
+	meta: {
+		name: "policies",
+		description: "List policies attached to a group"
+	},
+	args: { id: {
+		type: "positional",
+		required: true,
+		description: "Group ID"
+	} },
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const result = yield* (yield* apiClient)["policy-attachments"].listForGroup({ path: { id: args.id } });
+		yield* printHumanTable([
+			"Attachment ID",
+			"Policy ID",
+			"Created"
+		], result.items.map((attachment) => [
+			attachment.id,
+			attachment.policyId,
+			attachment.createdAt
+		]));
+		return result;
+	}), {
+		exits: groupErrorExtras,
+		json: "value"
+	})
+});
+
+//#endregion
+//#region src/commands/groups/update.ts
+const updateGroupCommand = defineCommand({
+	meta: {
+		name: "update",
+		description: "Update a group's name or description"
+	},
+	args: {
+		id: {
+			type: "positional",
+			required: true,
+			description: "Group ID"
+		},
+		name: {
+			type: "string",
+			description: "New display name"
+		},
+		description: {
+			type: "string",
+			description: "New description"
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const group = yield* (yield* apiClient).groups.update({
+			path: { id: args.id },
+			payload: compact({
+				name: args.name,
+				description: args.description
+			})
+		});
+		yield* printHumanKeyValue([
+			["ID", group.id],
+			["Name", group.name],
+			["Description", group.description ?? "-"],
+			["Updated", group.updatedAt ?? "-"]
+		]);
+		return group;
+	}), {
+		exits: groupErrorExtras,
+		json: "value"
+	})
+});
+
+//#endregion
+//#region src/commands/groups/index.ts
+const groupsCommand = defineCommand({
+	meta: {
+		name: "groups",
+		description: "Manage member groups for collective policy attachment"
+	},
+	subCommands: {
+		list: listGroupsCommand,
+		create: createGroupCommand,
+		update: updateGroupCommand,
+		delete: deleteGroupCommand,
+		members: membersCommand,
+		policies: listGroupPoliciesCommand,
+		attach: attachGroupPolicyCommand,
+		detach: detachGroupPolicyCommand
+	}
+});
+
 //#endregion
 //#region src/commands/init.ts
 const checkExistingLink = (api, config, localSlug) => Effect.gen(function* () {
 	const existingId = config.extra?.betterUpdate?.projectId;
 	if (typeof existingId !== "string" || existingId.length === 0) return "no-link";
-	const project = yield* api.projects.get({ path: { id: existingId } }).pipe(Effect.catchAll(() => Effect.succeed(void 0)));
+	const project = yield* api.projects.get({ path: { id: existingId } }).pipe(Effect.orElseSucceed(() => void 0));
 	if (project === void 0) {
 		yield* printHuman(`Existing projectId "${existingId}" not found on server. Re-linking by local slug "${localSlug}".`);
 		return "stale";
@@ -30820,10 +31592,10 @@ const checkExistingLink = (api, config, localSlug) => Effect.gen(function* () {
 const slugify = (value) => value.toLowerCase().replaceAll(/[^a-z0-9]+/gu, "-").replaceAll(/^-+|-+$/gu, "");
 /** Best-effort `name` from the local package.json, or undefined when absent. */
 const readPackageJsonName = (projectRoot) => Effect.gen(function* () {
-	const content = yield* (yield* FileSystem.FileSystem).readFileString(path.join(projectRoot, "package.json")).pipe(Effect.catchAll(() => Effect.succeed("")));
+	const content = yield* (yield* FileSystem.FileSystem).readFileString(path.join(projectRoot, "package.json")).pipe(Effect.orElseSucceed(() => ""));
 	if (content.length === 0) return;
-	const parsed = yield* Effect.try(() => JSON.parse(content)).pipe(Effect.catchAll(() => Effect.succeed(void 0)));
-	const name = isRecord(parsed) ? parsed["name"] : void 0;
+	const parsed = yield* Effect.try(() => JSON.parse(content)).pipe(Effect.orElseSucceed(() => void 0));
+	const name = isRecord$1(parsed) ? parsed["name"] : void 0;
 	return typeof name === "string" && name.length > 0 ? name : void 0;
 });
 /**
@@ -31064,6 +31836,236 @@ const openCommand = defineCommand({
 	}))
 });
 
+//#endregion
+//#region src/commands/policies/helpers.ts
+var PolicyCommandError = class extends Data.TaggedError("PolicyCommandError") {};
+const policyErrorExtras = { PolicyCommandError: 2 };
+/** A managed preset id is virtual + read-only; its id is prefixed with `managed:`. */
+const isManagedPolicyId = (id) => id.startsWith("managed:");
+const isStringArray = (value) => Array.isArray(value) && value.every((entry) => typeof entry === "string");
+const isRecord = (value) => typeof value === "object" && value !== null && !Array.isArray(value);
+/**
+* Parse + shape-validate a `--document` JSON string client-side so a malformed
+* document fails with a clear local message before any network round-trip. The
+* server still re-validates action tokens against the real vocabulary and the
+* selectors against the shared grammar; this only guards the JSON shape and the
+* action/selector token SHAPE via the contract's pure validators.
+*
+* Expected shape:
+*   { "statements": [ { "effect": "allow"|"deny", "actions": ["project:read"|"*"], "resources": ["*"|"project/A"] } ] }
+*/
+const parsePolicyDocument = (raw) => Effect.gen(function* () {
+	const parsed = yield* Effect.try({
+		try: () => JSON.parse(raw),
+		catch: () => new PolicyCommandError({ message: "The --document value is not valid JSON. Pass a JSON object string." })
+	});
+	if (!isRecord(parsed) || !Array.isArray(parsed["statements"])) return yield* new PolicyCommandError({ message: "The document must be a JSON object with a \"statements\" array. Example: {\"statements\":[{\"effect\":\"allow\",\"actions\":[\"project:read\"],\"resources\":[\"*\"]}]}" });
+	const statements = [];
+	for (const [index, entry] of parsed["statements"].entries()) {
+		const statement = yield* validateStatement(entry, index);
+		statements.push(statement);
+	}
+	if (statements.length === 0) return yield* new PolicyCommandError({ message: "The document must contain at least one statement." });
+	return { statements };
+});
+const validateStatement = (entry, index) => Effect.gen(function* () {
+	const at = `statements[${index}]`;
+	if (!isRecord(entry)) return yield* new PolicyCommandError({ message: `${at} must be a JSON object.` });
+	const { effect } = entry;
+	if (effect !== "allow" && effect !== "deny") return yield* new PolicyCommandError({ message: `${at}.effect must be "allow" or "deny".` });
+	const { actions } = entry;
+	if (!isStringArray(actions) || actions.length === 0) return yield* new PolicyCommandError({ message: `${at}.actions must be a non-empty array of action-token strings.` });
+	const badAction = actions.find((token) => !isValidActionTokenShape(token));
+	if (badAction !== void 0) return yield* new PolicyCommandError({ message: `${at}.actions has an invalid token "${badAction}". Use "*", "<resource>:*", or "<resource>:<action>".` });
+	const { resources } = entry;
+	if (!isStringArray(resources) || resources.length === 0) return yield* new PolicyCommandError({ message: `${at}.resources must be a non-empty array of selector strings.` });
+	const badResource = resources.find((selector) => !isValidSelector(selector));
+	if (badResource !== void 0) return yield* new PolicyCommandError({ message: `${at}.resources has an invalid selector "${badResource}". Use "*" or slash-joined segments like "project/A".` });
+	const inertResource = resources.find((selector) => !isCanonicalSelector(selector));
+	if (inertResource !== void 0) return yield* new PolicyCommandError({ message: `${at}.resources selector "${inertResource}" matches no known resource path. Use segments like "project/{id}/channel/{id}" or "project/{id}/env/{env}".` });
+	return {
+		effect,
+		actions,
+		resources
+	};
+});
+
+//#endregion
+//#region src/commands/policies/create.ts
+const DOCUMENT_HELP = "JSON document string: {\"statements\":[{\"effect\":\"allow\"|\"deny\",\"actions\":[\"<resource>:<action>\"|\"<resource>:*\"|\"*\"],\"resources\":[\"*\"|\"project/A\"|\"project/*/env/production\"]}]}";
+const createPolicyCommand = defineCommand({
+	meta: {
+		name: "create",
+		description: "Create a named IAM policy from a JSON document"
+	},
+	args: {
+		name: {
+			type: "string",
+			required: true,
+			description: "Policy display name"
+		},
+		description: {
+			type: "string",
+			description: "Optional human description"
+		},
+		document: {
+			type: "string",
+			required: true,
+			description: DOCUMENT_HELP
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const document = yield* parsePolicyDocument(args.document);
+		const policy = yield* (yield* apiClient).policies.create({ payload: {
+			name: args.name,
+			document,
+			...compact({ description: args.description })
+		} });
+		yield* printHumanKeyValue([
+			["ID", policy.id],
+			["Name", policy.name],
+			["Description", policy.description ?? "-"],
+			["Statements", String(policy.document.statements.length)],
+			["Created", policy.createdAt]
+		]);
+		return policy;
+	}), {
+		exits: policyErrorExtras,
+		json: "value"
+	})
+});
+
+//#endregion
+//#region src/commands/policies/delete.ts
+const deletePolicyCommand = defineCommand({
+	meta: {
+		name: "delete",
+		description: "Delete a policy and sweep its attachments (managed presets cannot be deleted)"
+	},
+	args: {
+		id: {
+			type: "positional",
+			required: true,
+			description: "Policy ID"
+		},
+		yes: {
+			type: "boolean",
+			description: "Skip confirmation prompt"
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		if (isManagedPolicyId(args.id)) return yield* new PolicyCommandError({ message: `Policy "${args.id}" is a managed preset and cannot be deleted.` });
+		if (!args.yes) {
+			if (!(yield* promptConfirm(`Delete policy ${args.id}?`, { initialValue: false }))) {
+				yield* printHuman("Cancelled.");
+				return;
+			}
+		}
+		yield* (yield* apiClient).policies.delete({ path: { id: args.id } });
+		yield* printHuman(`Deleted policy ${args.id}.`);
+		return {
+			id: args.id,
+			deleted: true
+		};
+	}), {
+		exits: policyErrorExtras,
+		json: "value"
+	})
+});
+
+//#endregion
+//#region src/commands/policies/list.ts
+const listPoliciesCommand = defineCommand({
+	meta: {
+		name: "list",
+		description: "List policies in the active organization (includes read-only managed presets)"
+	},
+	run: async () => runEffect(Effect.gen(function* () {
+		const result = yield* (yield* apiClient).policies.list();
+		yield* printHumanTable([
+			"ID",
+			"Name",
+			"Statements",
+			"Managed"
+		], result.items.map((policy) => [
+			policy.id,
+			policy.name,
+			String(policy.document.statements.length),
+			isManagedPolicyId(policy.id) ? "yes" : "no"
+		]));
+		return result;
+	}), {
+		exits: policyErrorExtras,
+		json: "value"
+	})
+});
+
+//#endregion
+//#region src/commands/policies/update.ts
+const updatePolicyCommand = defineCommand({
+	meta: {
+		name: "update",
+		description: "Update a policy's name, description, or document (managed presets are read-only)"
+	},
+	args: {
+		id: {
+			type: "positional",
+			required: true,
+			description: "Policy ID"
+		},
+		name: {
+			type: "string",
+			description: "New display name"
+		},
+		description: {
+			type: "string",
+			description: "New description"
+		},
+		document: {
+			type: "string",
+			description: "Replacement JSON document string"
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		if (isManagedPolicyId(args.id)) return yield* new PolicyCommandError({ message: `Policy "${args.id}" is a managed preset and is read-only. Create a custom policy instead.` });
+		const document = args.document === void 0 ? void 0 : yield* parsePolicyDocument(args.document);
+		const policy = yield* (yield* apiClient).policies.update({
+			path: { id: args.id },
+			payload: compact({
+				name: args.name,
+				description: args.description,
+				document
+			})
+		});
+		yield* printHumanKeyValue([
+			["ID", policy.id],
+			["Name", policy.name],
+			["Description", policy.description ?? "-"],
+			["Statements", String(policy.document.statements.length)],
+			["Updated", policy.updatedAt ?? "-"]
+		]);
+		return policy;
+	}), {
+		exits: policyErrorExtras,
+		json: "value"
+	})
+});
+
+//#endregion
+//#region src/commands/policies/index.ts
+const policiesCommand = defineCommand({
+	meta: {
+		name: "policies",
+		description: "Manage IAM policies (named, reusable permission grants)"
+	},
+	subCommands: {
+		list: listPoliciesCommand,
+		create: createPolicyCommand,
+		update: updatePolicyCommand,
+		delete: deletePolicyCommand
+	}
+});
+
 //#endregion
 //#region src/commands/projects.ts
 const listCommand$1 = defineCommand({
@@ -32700,10 +33702,10 @@ const assertSignedManifestBundleUrl = (params) => Effect.gen(function* () {
 		try: () => JSON.parse(params.manifestBody),
 		catch: () => params.makeError(`Signed ${params.platform} manifestBody is not valid JSON.`)
 	});
-	if (!isRecord(parsed)) return yield* Effect.fail(params.makeError(`Signed ${params.platform} manifestBody must be a JSON object.`));
+	if (!isRecord$1(parsed)) return yield* Effect.fail(params.makeError(`Signed ${params.platform} manifestBody must be a JSON object.`));
 	const { id } = parsed;
 	const { launchAsset } = parsed;
-	if (typeof id !== "string" || !isRecord(launchAsset)) return yield* Effect.fail(params.makeError(`Signed ${params.platform} manifestBody must carry a string "id" and an object "launchAsset".`));
+	if (typeof id !== "string" || !isRecord$1(launchAsset)) return yield* Effect.fail(params.makeError(`Signed ${params.platform} manifestBody must carry a string "id" and an object "launchAsset".`));
 	const { url } = launchAsset;
 	const expectedPrefix = `${params.serverBaseUrl}/manifest/${params.projectId}/bundle/${id}/`;
 	if (typeof url !== "string" || !url.startsWith(expectedPrefix)) return yield* Effect.fail(params.makeError(`Signed ${params.platform} manifestBody launchAsset.url must point at the Worker bundle route (${expectedPrefix}…) so bsdiff patches apply; got ${typeof url === "string" ? url : "a non-string value"}. Re-render the signed manifest with the Worker bundle URL.`));
@@ -32872,7 +33874,7 @@ const runPatchPhase = (input) => Effect.gen(function* () {
 		runtimeVersion: input.runtimeVersion,
 		platform: input.platform,
 		limit: Math.max(1, input.baseWindow)
-	} }).pipe(Effect.catchAll(() => Effect.succeed([])));
+	} }).pipe(Effect.orElseSucceed(() => []));
 	const bases = selectBaseWindow(candidates, {
 		newUpdateId: input.newUpdateId,
 		maxRecent: input.baseWindow
@@ -32888,7 +33890,7 @@ const runPatchPhase = (input) => Effect.gen(function* () {
 			bestSavingsPct: void 0
 		};
 	}
-	const newBundleBytes = yield* sha256File(input.newLaunchPath).pipe(Effect.map((result) => result.byteSize), Effect.catchAll(() => Effect.succeed(void 0)));
+	const newBundleBytes = yield* sha256File(input.newLaunchPath).pipe(Effect.map((result) => result.byteSize), Effect.orElseSucceed(() => void 0));
 	yield* printHuman(`Diffing against ${bases.length} base(s) (window=${input.baseWindow}; ${candidates.length} candidate(s) available).`);
 	const uploadedOutcomes = (yield* Effect.forEach(bases, (base, index) => Effect.gen(function* () {
 		const basePath = path.join(input.workDir, `base-${index}.bundle`);
@@ -32983,7 +33985,7 @@ const dedupeAssetsByHash = (assets) => uniqBy(assets, (asset) => asset.hash);
 * is informational, so a fingerprint failure resolves to `undefined` rather than
 * failing the publish.
 */
-const resolvePlatformFingerprintHash = (projectRoot, platform) => runFingerprintForPlatform(projectRoot, platform).pipe(Effect.map((result) => result.hash), Effect.catchAll(() => Effect.succeed(void 0)));
+const resolvePlatformFingerprintHash = (projectRoot, platform) => runFingerprintForPlatform(projectRoot, platform).pipe(Effect.map((result) => result.hash), Effect.orElseSucceed(() => void 0));
 const preparePlatformAssets = ({ exportDir, platform }) => Effect.gen(function* () {
 	const exportedAssets = yield* readExpoExportAssets({
 		exportDir,
@@ -33079,7 +34081,7 @@ const publishPlatform = (params) => Effect.gen(function* () {
 	const uploadDetailsByHash = new Map(assetRegistration.uploaded.map((asset) => [asset.hash, asset]));
 	yield* Effect.forEach(uniqueAssets.filter((asset) => uploadDetailsByHash.has(asset.hash)), (asset) => Effect.gen(function* () {
 		const detail = uploadDetailsByHash.get(asset.hash);
-		if (!detail) return yield* Effect.fail(new UpdatePublishError({ message: `Missing upload details for asset ${asset.hash}` }));
+		if (!detail) return yield* new UpdatePublishError({ message: `Missing upload details for asset ${asset.hash}` });
 		return yield* assetUploader.uploadAssetBinary({
 			path: asset.path,
 			hash: asset.hash,
@@ -33631,10 +34633,10 @@ const extractDirectiveCommitTime = (directiveBody) => Effect.gen(function* () {
 		try: () => JSON.parse(directiveBody),
 		catch: () => new UpdateRollbackError({ message: "directiveBody must be valid JSON." })
 	});
-	if (!isRecord(directive)) return yield* new UpdateRollbackError({ message: "directiveBody must decode to a JSON object." });
+	if (!isRecord$1(directive)) return yield* new UpdateRollbackError({ message: "directiveBody must decode to a JSON object." });
 	if (directive["type"] !== "rollBackToEmbedded") return yield* new UpdateRollbackError({ message: "directiveBody.type must be \"rollBackToEmbedded\"." });
 	const { parameters } = directive;
-	if (!isRecord(parameters)) return yield* new UpdateRollbackError({ message: "directiveBody.parameters must be an object." });
+	if (!isRecord$1(parameters)) return yield* new UpdateRollbackError({ message: "directiveBody.parameters must be an object." });
 	const { commitTime } = parameters;
 	if (typeof commitTime !== "string" || Number.isNaN(Date.parse(commitTime))) return yield* new UpdateRollbackError({ message: "directiveBody.parameters.commitTime must be a valid ISO 8601 timestamp." });
 	if (new Date(Date.parse(commitTime)).toISOString() !== commitTime) return yield* new UpdateRollbackError({ message: "directiveBody.parameters.commitTime must be canonical ISO 8601 with milliseconds and a trailing Z (e.g. 2026-05-06T14:00:00.000Z). The expo-updates client cannot parse other forms (no milliseconds, numeric timezone offsets), so the signed rollback would be rejected on-device." });
@@ -34462,6 +35464,8 @@ const commandRegistry = {
 	init: initCommand,
 	status: statusCommand,
 	projects: projectsCommand,
+	policies: policiesCommand,
+	groups: groupsCommand,
 	branches: branchesCommand,
 	channels: channelsCommand,
 	build: buildCommand,