@better-update/cli 0.27.0 → 0.28.1

package/dist/index.mjs

@@ -34,7 +34,7 @@ var __require = /* @__PURE__ */ createRequire(import.meta.url);
 
 //#endregion
 //#region package.json
-var version = "0.27.0";
+var version = "0.28.1";
 
 //#endregion
 //#region src/lib/interactive-mode.ts
@@ -527,6 +527,49 @@ var AndroidUploadKeystoresGroup = class extends HttpApiGroup.make("androidUpload
 	description: "Manage Android signing keystores"
 })) {};
 
+//#endregion
+//#region ../../packages/api/src/domain/api-key.ts
+var ApiKey = class extends Schema.Class("ApiKey")({
+	id: Id,
+	name: Schema.NullOr(Schema.String),
+	start: Schema.NullOr(Schema.String),
+	prefix: Schema.NullOr(Schema.String),
+	enabled: Schema.Boolean,
+	createdAt: DateTimeString,
+	expiresAt: Schema.NullOr(DateTimeString)
+}) {};
+var CreatedApiKey = class extends Schema.Class("CreatedApiKey")({
+	id: Id,
+	name: Schema.NullOr(Schema.String),
+	start: Schema.NullOr(Schema.String),
+	prefix: Schema.NullOr(Schema.String),
+	enabled: Schema.Boolean,
+	createdAt: DateTimeString,
+	expiresAt: Schema.NullOr(DateTimeString),
+	key: Schema.String
+}) {};
+const CreateApiKeyBody = Schema.Struct({
+	name: Name120,
+	expiresInDays: Schema.optional(Schema.Number.pipe(Schema.int(), Schema.positive()))
+});
+const ApiKeyList = Schema.Struct({ items: Schema.Array(ApiKey) });
+
+//#endregion
+//#region ../../packages/api/src/groups/api-keys.ts
+var ApiKeysGroup = class extends HttpApiGroup.make("api-keys").add(HttpApiEndpoint.get("list", "/api/api-keys").addSuccess(ApiKeyList).annotateContext(OpenApi.annotations({
+	title: "List API keys",
+	description: "List the active organization's API keys (hashed secret never exposed; only the `start` prefix for identification)"
+}))).add(HttpApiEndpoint.post("create", "/api/api-keys").setPayload(CreateApiKeyBody).addSuccess(CreatedApiKey, { status: 201 }).annotateContext(OpenApi.annotations({
+	title: "Create API key",
+	description: "Mint a new API key for the active organization. The plaintext key is returned ONCE; only its hash is stored"
+}))).add(HttpApiEndpoint.del("revoke")`/api/api-keys/${idParam}`.addSuccess(DeletedResult).annotateContext(OpenApi.annotations({
+	title: "Revoke API key",
+	description: "Delete an API key by id (org-scoped; no cross-organization deletes)"
+}))).addError(NotFound).addError(Forbidden).annotateContext(OpenApi.annotations({
+	title: "API Keys",
+	description: "IAM-gated organization API key mint / list / revoke"
+})) {};
+
 //#endregion
 //#region ../../packages/api/src/domain/apple-team.ts
 const AppleTeamType = Schema.Literal("IN_HOUSE", "COMPANY_ORGANIZATION", "INDIVIDUAL");
@@ -861,7 +904,7 @@ var AssetsGroup = class extends HttpApiGroup.make("assets").add(HttpApiEndpoint.
 
 //#endregion
 //#region ../../packages/api/src/domain/audit-log.ts
-const AuditLogResourceType = Schema.Literal("project", "branch", "channel", "update", "build", "appleCredential", "androidCredential", "iosBundleConfiguration", "envVar", "device", "webhook", "iosAppMetadata", "submission", "vaultAccess");
+const AuditLogResourceType = Schema.Literal("project", "branch", "channel", "update", "build", "appleCredential", "androidCredential", "iosBundleConfiguration", "envVar", "device", "webhook", "iosAppMetadata", "submission", "vaultAccess", "policy", "group", "policyAttachment", "apiKey", "invitation", "member", "organization");
 const AuditLogSource = Schema.Literal("session", "api-key");
 var AuditLog = class extends Schema.Class("AuditLog")({
 	id: Id,
@@ -1178,44 +1221,6 @@ var BuildsGroup = class extends HttpApiGroup.make("builds").add(HttpApiEndpoint.
 	description: "Build artifact upload, tracking, and download endpoints"
 })) {};
 
-//#endregion
-//#region ../../packages/api/src/domain/channel-grant.ts
-const GrantEffectSchema = Schema.Literal("allow", "deny");
-/** One member's allow/deny set on a channel; `actions` are "resource:action". */
-var ChannelGrant = class extends Schema.Class("ChannelGrant")({
-	id: Id,
-	memberId: Id,
-	scopeKind: Schema.Literal("channel"),
-	scopeId: Id,
-	effect: GrantEffectSchema,
-	actions: Schema.Array(Schema.String),
-	createdAt: DateTimeString
-}) {};
-/** Upsert one (member, channel, effect) grant. effect defaults to "allow". */
-const UpsertChannelGrantBody = Schema.Struct({
-	effect: Schema.optionalWith(GrantEffectSchema, { default: () => "allow" }),
-	actions: Schema.Array(Schema.String).pipe(Schema.minItems(1))
-});
-const ListChannelGrantsParams = Schema.Struct({});
-const DeleteChannelGrantResult = Schema.Struct({ deleted: Schema.Number });
-
-//#endregion
-//#region ../../packages/api/src/groups/channel-grants.ts
-const memberIdParam = HttpApiSchema.param("memberId", Schema.String);
-var ChannelGrantsGroup = class extends HttpApiGroup.make("channelGrants").add(HttpApiEndpoint.get("list")`/api/channels/${idParam}/grants`.setUrlParams(ListChannelGrantsParams).addSuccess(Schema.Array(ChannelGrant)).annotateContext(OpenApi.annotations({
-	title: "List channel grants",
-	description: "List all per-member allow/deny grants on a channel"
-}))).add(HttpApiEndpoint.put("upsert")`/api/channels/${idParam}/grants/${memberIdParam}`.setPayload(UpsertChannelGrantBody).addSuccess(ChannelGrant).annotateContext(OpenApi.annotations({
-	title: "Upsert channel grant",
-	description: "Create or replace a member's allow/deny grant on a channel"
-}))).add(HttpApiEndpoint.del("delete")`/api/channels/${idParam}/grants/${memberIdParam}`.addSuccess(DeleteChannelGrantResult).annotateContext(OpenApi.annotations({
-	title: "Delete channel grant",
-	description: "Revoke a member's grants on a channel"
-}))).addError(NotFound).addError(Forbidden).annotateContext(OpenApi.annotations({
-	title: "Channel grants",
-	description: "Per-channel ABAC permission grants (allow/deny by member)"
-})) {};
-
 //#endregion
 //#region ../../packages/api/src/domain/channel.ts
 var Channel = class extends Schema.Class("Channel")({
@@ -1471,71 +1476,6 @@ const EnvVarRevision = Schema.Struct({
 const EnvVarRevisionsResult = Schema.Struct({ items: Schema.Array(EnvVarRevision) });
 const RollbackEnvVarBody = Schema.Struct({ toRevisionId: Id });
 
-//#endregion
-//#region ../../packages/api/src/domain/env-grant.ts
-/**
-* One member's allow/deny set on a (project × environment) env-var scope.
-* `scopeKind` is fixed to "env_var_environment". `scopeId` is the encoded
-* `<projectId|global>:<environment>` token (server-built). `actions` are
-* "resource:action" tokens (here always envVar:*).
-*/
-var EnvGrant = class extends Schema.Class("EnvGrant")({
-	id: Id,
-	memberId: Id,
-	scopeKind: Schema.Literal("env_var_environment"),
-	scopeId: Schema.String,
-	effect: GrantEffectSchema,
-	actions: Schema.Array(Schema.String),
-	createdAt: DateTimeString
-}) {};
-/** A flattened row for the list UI: one member × environment cell. */
-var EnvGrantRow = class extends Schema.Class("EnvGrantRow")({
-	memberId: Id,
-	environment: EnvVarEnvironment,
-	effect: GrantEffectSchema,
-	actions: Schema.Array(Schema.String)
-}) {};
-/**
-* URL params for listing grants on a project-or-global scope. `projectId` is the
-* sentinel "global" or a real project id (the server resolves null vs the
-* sentinel). Carried as a query param.
-*/
-const ListEnvGrantsParams = Schema.Struct({ projectId: Schema.String });
-/**
-* Upsert one (member, project-or-global, environment) grant. `projectId` null =
-* org-global vault. effect defaults to "allow". actions are envVar:* tokens.
-*/
-const UpsertEnvGrantBody = Schema.Struct({
-	memberId: Id,
-	projectId: Schema.NullOr(Id),
-	environment: EnvVarEnvironment,
-	effect: Schema.optionalWith(GrantEffectSchema, { default: () => "allow" }),
-	actions: Schema.Array(Schema.String).pipe(Schema.minItems(1))
-});
-/** Delete both effects for (member, project-or-global, environment). */
-const DeleteEnvGrantBody = Schema.Struct({
-	memberId: Id,
-	projectId: Schema.NullOr(Id),
-	environment: EnvVarEnvironment
-});
-const DeleteEnvGrantResult = Schema.Struct({ deleted: Schema.Number });
-
-//#endregion
-//#region ../../packages/api/src/groups/env-grants.ts
-var EnvGrantsGroup = class extends HttpApiGroup.make("envGrants").add(HttpApiEndpoint.get("list", "/api/env-grants").setUrlParams(ListEnvGrantsParams).addSuccess(Schema.Array(EnvGrantRow)).annotateContext(OpenApi.annotations({
-	title: "List env-var environment grants",
-	description: "List per-member allow/deny env-var grants on a project-or-global scope across all environments. projectId is a real id or the sentinel 'global'."
-}))).add(HttpApiEndpoint.put("upsert", "/api/env-grants").setPayload(UpsertEnvGrantBody).addSuccess(EnvGrant).annotateContext(OpenApi.annotations({
-	title: "Upsert env-var environment grant",
-	description: "Create or replace a member's allow/deny env-var grant on one (project-or-global × environment) scope. projectId null = org-global."
-}))).add(HttpApiEndpoint.del("delete", "/api/env-grants").setPayload(DeleteEnvGrantBody).addSuccess(DeleteEnvGrantResult).annotateContext(OpenApi.annotations({
-	title: "Delete env-var environment grants",
-	description: "Revoke both allow and deny grants for a member on one (project-or-global × environment) scope."
-}))).addError(NotFound).addError(Forbidden).addError(BadRequest).annotateContext(OpenApi.annotations({
-	title: "Env-var environment grants",
-	description: "Per (project × environment) ABAC permission grants for env vars (allow/deny by member)"
-})) {};
-
 //#endregion
 //#region ../../packages/api/src/groups/env-vars.ts
 var EnvVarsGroup = class extends HttpApiGroup.make("env-vars").add(HttpApiEndpoint.post("create", "/api/env-vars").setPayload(CreateEnvVarBody).addSuccess(EnvVar, { status: 201 }).annotateContext(OpenApi.annotations({
@@ -1760,6 +1700,97 @@ var GoogleServiceAccountKeysGroup = class extends HttpApiGroup.make("googleServi
 	description: "Manage Google Play + FCM service account JSON keys"
 })) {};
 
+//#endregion
+//#region ../../packages/api/src/domain/group.ts
+var Group = class extends Schema.Class("Group")({
+	id: Id,
+	organizationId: Id,
+	name: Schema.NonEmptyString,
+	description: Schema.NullOr(Schema.String),
+	createdAt: DateTimeString,
+	updatedAt: Schema.NullOr(DateTimeString)
+}) {};
+const CreateGroupBody = Schema.Struct({
+	name: Schema.NonEmptyString,
+	description: Schema.optional(Schema.String)
+});
+const UpdateGroupBody = Schema.Struct({
+	name: Schema.optional(Schema.NonEmptyString),
+	description: Schema.optional(Schema.NullOr(Schema.String))
+});
+var GroupMember = class extends Schema.Class("GroupMember")({
+	memberId: Id,
+	createdAt: DateTimeString
+}) {};
+const AddGroupMemberBody = Schema.Struct({ memberId: Id });
+
+//#endregion
+//#region ../../packages/api/src/groups/groups.ts
+/** `:memberId` path parameter — the `member.id` of a group member. */
+const memberIdParam = HttpApiSchema.param("memberId", Id);
+var GroupsGroup = class extends HttpApiGroup.make("groups").add(HttpApiEndpoint.get("list", "/api/groups").addSuccess(Schema.Struct({ items: Schema.Array(Group) })).annotateContext(OpenApi.annotations({
+	title: "List groups",
+	description: "List member groups in the active organization"
+}))).add(HttpApiEndpoint.post("create", "/api/groups").setPayload(CreateGroupBody).addSuccess(Group, { status: 201 }).annotateContext(OpenApi.annotations({
+	title: "Create group",
+	description: "Create a member group for the active organization"
+}))).add(HttpApiEndpoint.get("get")`/api/groups/${idParam}`.addSuccess(Group).annotateContext(OpenApi.annotations({
+	title: "Get group",
+	description: "Fetch a single group by id"
+}))).add(HttpApiEndpoint.patch("update")`/api/groups/${idParam}`.setPayload(UpdateGroupBody).addSuccess(Group).annotateContext(OpenApi.annotations({
+	title: "Update group",
+	description: "Update a group's name or description"
+}))).add(HttpApiEndpoint.del("delete")`/api/groups/${idParam}`.addSuccess(DeletedResult).annotateContext(OpenApi.annotations({
+	title: "Delete group",
+	description: "Delete a group and sweep its memberships and policy attachments"
+}))).add(HttpApiEndpoint.get("listMembers")`/api/groups/${idParam}/members`.addSuccess(Schema.Struct({ items: Schema.Array(GroupMember) })).annotateContext(OpenApi.annotations({
+	title: "List group members",
+	description: "List the members belonging to a group"
+}))).add(HttpApiEndpoint.post("addMember")`/api/groups/${idParam}/members`.setPayload(AddGroupMemberBody).addSuccess(GroupMember, { status: 201 }).annotateContext(OpenApi.annotations({
+	title: "Add group member",
+	description: "Add an organization member to a group"
+}))).add(HttpApiEndpoint.del("removeMember")`/api/groups/${idParam}/members/${memberIdParam}`.addSuccess(DeletedResult).annotateContext(OpenApi.annotations({
+	title: "Remove group member",
+	description: "Remove a member from a group"
+}))).addError(NotFound).addError(Conflict).addError(BadRequest).addError(Forbidden).annotateContext(OpenApi.annotations({
+	title: "Groups",
+	description: "Member groups for collective policy attachment"
+})) {};
+
+//#endregion
+//#region ../../packages/api/src/domain/invitation.ts
+var Invitation = class extends Schema.Class("Invitation")({
+	id: Id,
+	email: Schema.String,
+	role: Schema.NullOr(Schema.String),
+	status: Schema.String,
+	expiresAt: DateTimeString,
+	createdAt: DateTimeString
+}) {};
+const EMAIL_PATTERN = /^[^\s@]+@[^\s@]+\.[^\s@]+$/u;
+const InvitableRole = Schema.Literal("member");
+const CreateInvitationBody = Schema.Struct({
+	email: Schema.String.pipe(Schema.minLength(1), Schema.maxLength(320), Schema.pattern(EMAIL_PATTERN)),
+	role: Schema.optional(InvitableRole)
+});
+const InvitationList = Schema.Struct({ items: Schema.Array(Invitation) });
+
+//#endregion
+//#region ../../packages/api/src/groups/invitations.ts
+var InvitationsGroup = class extends HttpApiGroup.make("invitations").add(HttpApiEndpoint.get("list", "/api/invitations").addSuccess(InvitationList).annotateContext(OpenApi.annotations({
+	title: "List invitations",
+	description: "List the active organization's invitations (all statuses, newest first)"
+}))).add(HttpApiEndpoint.post("create", "/api/invitations").setPayload(CreateInvitationBody).addSuccess(Invitation, { status: 201 }).annotateContext(OpenApi.annotations({
+	title: "Create invitation",
+	description: "Invite a member to the active organization. Writes a pending `invitation` row (better-auth's accept-invitation consumes it) and sends the invite email"
+}))).add(HttpApiEndpoint.del("cancel")`/api/invitations/${idParam}`.addSuccess(DeletedResult).annotateContext(OpenApi.annotations({
+	title: "Cancel invitation",
+	description: "Cancel a pending invitation by id (org-scoped). A canceled invitation can no longer be accepted"
+}))).addError(NotFound).addError(Forbidden).annotateContext(OpenApi.annotations({
+	title: "Invitations",
+	description: "IAM-gated organization invitation create / list / cancel"
+})) {};
+
 //#endregion
 //#region ../../packages/api/src/domain/ios-app-metadata.ts
 const AscAppId = Schema.String.pipe(Schema.pattern(/^[0-9]{1,30}$/u, { message: () => "ASC App ID must be 1-30 digits" }));
@@ -1896,7 +1927,13 @@ const Me = Schema.Struct({
 	/** Authentication source — "session" for browser + CLI sessions, "api-key" for API-key (CI) bearer tokens. */
 	source: Schema.Literal("session", "api-key"),
 	/** Email or descriptor identifying the actor — useful when `user` is null (api-key auth). */
-	actorEmail: Schema.String
+	actorEmail: Schema.String,
+	/** Holds `invitation:create` on `org` — gates the Invite button. */
+	canInviteMembers: Schema.Boolean,
+	/** Holds `member:delete` on `org` — gates the per-member Remove action. */
+	canRemoveMembers: Schema.Boolean,
+	/** Holds `policy:update` on `org` — gates the per-member Manage-policies action. */
+	canManagePolicies: Schema.Boolean
 });
 
 //#endregion
@@ -1910,51 +1947,13 @@ var MeGroup = class extends HttpApiGroup.make("me").add(HttpApiEndpoint.get("get
 })) {};
 
 //#endregion
-//#region ../../packages/api/src/domain/org-role.ts
-/** One resource→actions grant inside a role's permission set. */
-const PermissionGrantSchema = Schema.Struct({
-	resource: Schema.String,
-	actions: Schema.Array(Schema.String)
-});
-var OrgRole = class extends Schema.Class("OrgRole")({
-	id: Id,
-	organizationId: Id,
-	role: Schema.String,
-	permissions: Schema.Array(PermissionGrantSchema),
-	createdAt: DateTimeString,
-	updatedAt: Schema.NullOr(DateTimeString)
-}) {};
-const CreateOrgRoleBody = Schema.Struct({
-	name: Schema.String.pipe(Schema.minLength(1)),
-	permissions: Schema.Array(PermissionGrantSchema)
-});
-const UpdateOrgRoleBody = Schema.Struct({
-	permissions: Schema.optional(Schema.Array(PermissionGrantSchema)),
-	name: Schema.optional(Schema.String.pipe(Schema.minLength(1)))
-});
-const ListOrgRolesParams = Schema.Struct({ organizationId: Id });
-const DeleteOrgRoleResult = Schema.Struct({ deleted: Schema.Number });
-
-//#endregion
-//#region ../../packages/api/src/groups/org-roles.ts
-var OrgRolesGroup = class extends HttpApiGroup.make("roles").add(HttpApiEndpoint.get("list", "/api/roles").setUrlParams(ListOrgRolesParams).addSuccess(Schema.Array(OrgRole)).annotateContext(OpenApi.annotations({
-	title: "List custom roles",
-	description: "List all custom roles defined for an organization"
-}))).add(HttpApiEndpoint.post("create", "/api/roles").setPayload(CreateOrgRoleBody).addSuccess(OrgRole, { status: 201 }).annotateContext(OpenApi.annotations({
-	title: "Create custom role",
-	description: "Create a new custom role with a permission set"
-}))).add(HttpApiEndpoint.get("get")`/api/roles/${idParam}`.addSuccess(OrgRole).annotateContext(OpenApi.annotations({
-	title: "Get custom role",
-	description: "Fetch a single custom role by id"
-}))).add(HttpApiEndpoint.patch("update")`/api/roles/${idParam}`.setPayload(UpdateOrgRoleBody).addSuccess(OrgRole).annotateContext(OpenApi.annotations({
-	title: "Update custom role",
-	description: "Rename a custom role or replace its permission set"
-}))).add(HttpApiEndpoint.del("delete")`/api/roles/${idParam}`.addSuccess(DeleteOrgRoleResult).annotateContext(OpenApi.annotations({
-	title: "Delete custom role",
-	description: "Delete a custom role"
+//#region ../../packages/api/src/groups/members.ts
+var MembersGroup = class extends HttpApiGroup.make("members").add(HttpApiEndpoint.del("remove")`/api/members/${idParam}`.addSuccess(DeletedResult).annotateContext(OpenApi.annotations({
+	title: "Remove member",
+	description: "Remove a member from the active organization by member id (org-scoped; no cross-organization removes). Rejects removing the last owner (409). Membership role is `owner | member`; admin/developer/viewer access comes from policy attachments, not the role"
 }))).addError(NotFound).addError(Conflict).addError(Forbidden).annotateContext(OpenApi.annotations({
-	title: "Roles",
-	description: "Custom organization role management (dynamic access control)"
+	title: "Members",
+	description: "IAM-gated organization member removal"
 })) {};
 
 //#endregion
@@ -1987,6 +1986,134 @@ var OrgVaultGroup = class extends HttpApiGroup.make("orgVault").add(HttpApiEndpo
 	description: "Manage the organization's end-to-end encrypted vault key wraps"
 })) {};
 
+//#endregion
+//#region ../../packages/api/src/domain/organization.ts
+var Organization = class extends Schema.Class("Organization")({
+	id: Id,
+	name: Schema.String,
+	slug: Schema.String
+}) {};
+const UpdateOrganizationBody = Schema.Struct({
+	name: Schema.optional(Schema.String.pipe(Schema.minLength(1), Schema.maxLength(120))),
+	slug: Schema.optional(Schema.String.pipe(Schema.minLength(1), Schema.maxLength(120)))
+});
+
+//#endregion
+//#region ../../packages/api/src/groups/organization.ts
+var OrganizationGroup = class extends HttpApiGroup.make("organization").add(HttpApiEndpoint.patch("update", "/api/organization").setPayload(UpdateOrganizationBody).addSuccess(Organization).annotateContext(OpenApi.annotations({
+	title: "Update organization",
+	description: "Rename / re-slug the active organization (IAM-gated by organization:update)"
+}))).addError(NotFound).addError(Conflict).addError(Forbidden).annotateContext(OpenApi.annotations({
+	title: "Organization",
+	description: "IAM-gated active-organization settings"
+})) {};
+
+//#endregion
+//#region ../../packages/api/src/domain/policy.ts
+/** Whether a statement grants or denies the matched actions. */
+const PolicyEffect = Schema.Literal("allow", "deny");
+const PolicyStatement = Schema.Struct({
+	effect: PolicyEffect,
+	actions: Schema.Array(Schema.String).pipe(Schema.minItems(1)),
+	resources: Schema.Array(Schema.String).pipe(Schema.minItems(1))
+});
+const PolicyDocument = Schema.Struct({ statements: Schema.Array(PolicyStatement) });
+var Policy = class extends Schema.Class("Policy")({
+	id: Id,
+	organizationId: Id,
+	name: Schema.NonEmptyString,
+	description: Schema.NullOr(Schema.String),
+	document: PolicyDocument,
+	createdAt: DateTimeString,
+	updatedAt: Schema.NullOr(DateTimeString)
+}) {};
+const CreatePolicyBody = Schema.Struct({
+	name: Schema.NonEmptyString,
+	description: Schema.optional(Schema.String),
+	document: PolicyDocument
+});
+const UpdatePolicyBody = Schema.Struct({
+	name: Schema.optional(Schema.NonEmptyString),
+	description: Schema.optional(Schema.NullOr(Schema.String)),
+	document: Schema.optional(PolicyDocument)
+});
+
+//#endregion
+//#region ../../packages/api/src/groups/policies.ts
+var PoliciesGroup = class extends HttpApiGroup.make("policies").add(HttpApiEndpoint.get("list", "/api/policies").addSuccess(Schema.Struct({ items: Schema.Array(Policy) })).annotateContext(OpenApi.annotations({
+	title: "List policies",
+	description: "List policies in the active organization, merging the read-only managed presets (admin/developer/viewer) into the list"
+}))).add(HttpApiEndpoint.post("create", "/api/policies").setPayload(CreatePolicyBody).addSuccess(Policy, { status: 201 }).annotateContext(OpenApi.annotations({
+	title: "Create policy",
+	description: "Create a named IAM policy document for the active organization"
+}))).add(HttpApiEndpoint.get("get")`/api/policies/${idParam}`.addSuccess(Policy).annotateContext(OpenApi.annotations({
+	title: "Get policy",
+	description: "Fetch a single policy by id, resolving real ids or managed:* preset ids"
+}))).add(HttpApiEndpoint.patch("update")`/api/policies/${idParam}`.setPayload(UpdatePolicyBody).addSuccess(Policy).annotateContext(OpenApi.annotations({
+	title: "Update policy",
+	description: "Update a policy's name, description, or document; managed:* ids are rejected"
+}))).add(HttpApiEndpoint.del("delete")`/api/policies/${idParam}`.addSuccess(DeletedResult).annotateContext(OpenApi.annotations({
+	title: "Delete policy",
+	description: "Delete a policy and sweep its attachments; managed:* ids are rejected"
+}))).addError(NotFound).addError(Conflict).addError(BadRequest).addError(Forbidden).annotateContext(OpenApi.annotations({
+	title: "Policies",
+	description: "IAM policy documents (named, reusable permission grants)"
+})) {};
+
+//#endregion
+//#region ../../packages/api/src/domain/policy-attachment.ts
+/** Whether an attachment binds a policy to a member, a group, or an api-key. */
+const PrincipalType = Schema.Literal("member", "group", "apikey");
+var PolicyAttachment = class extends Schema.Class("PolicyAttachment")({
+	id: Id,
+	organizationId: Id,
+	policyId: Schema.String,
+	principalType: PrincipalType,
+	principalId: Id,
+	createdAt: DateTimeString
+}) {};
+const AttachPolicyBody = Schema.Struct({ policyId: Schema.String });
+
+//#endregion
+//#region ../../packages/api/src/groups/policy-attachments.ts
+/**
+* `:policyId` path parameter — a real `policy.id` or a managed preset id. Managed
+* ids contain a colon (`managed:admin`); the single path segment matches it as-is,
+* and clients URL-encode the colon when building the path.
+*/
+const policyIdParam = HttpApiSchema.param("policyId", Schema.String);
+var PolicyAttachmentsGroup = class extends HttpApiGroup.make("policy-attachments").add(HttpApiEndpoint.get("listForMember")`/api/members/${idParam}/policies`.addSuccess(Schema.Struct({ items: Schema.Array(PolicyAttachment) })).annotateContext(OpenApi.annotations({
+	title: "List member policy attachments",
+	description: "List policies attached directly to an organization member"
+}))).add(HttpApiEndpoint.post("attachToMember")`/api/members/${idParam}/policies`.setPayload(AttachPolicyBody).addSuccess(PolicyAttachment, { status: 201 }).annotateContext(OpenApi.annotations({
+	title: "Attach policy to member",
+	description: "Attach a policy (real or managed) directly to a member"
+}))).add(HttpApiEndpoint.del("detachFromMember")`/api/members/${idParam}/policies/${policyIdParam}`.addSuccess(DeletedResult).annotateContext(OpenApi.annotations({
+	title: "Detach policy from member",
+	description: "Remove a policy attachment from a member"
+}))).add(HttpApiEndpoint.get("listForGroup")`/api/groups/${idParam}/policies`.addSuccess(Schema.Struct({ items: Schema.Array(PolicyAttachment) })).annotateContext(OpenApi.annotations({
+	title: "List group policy attachments",
+	description: "List policies attached to a group"
+}))).add(HttpApiEndpoint.post("attachToGroup")`/api/groups/${idParam}/policies`.setPayload(AttachPolicyBody).addSuccess(PolicyAttachment, { status: 201 }).annotateContext(OpenApi.annotations({
+	title: "Attach policy to group",
+	description: "Attach a policy (real or managed) to a group; members inherit it"
+}))).add(HttpApiEndpoint.del("detachFromGroup")`/api/groups/${idParam}/policies/${policyIdParam}`.addSuccess(DeletedResult).annotateContext(OpenApi.annotations({
+	title: "Detach policy from group",
+	description: "Remove a policy attachment from a group"
+}))).add(HttpApiEndpoint.get("listForApiKey")`/api/api-keys/${idParam}/policies`.addSuccess(Schema.Struct({ items: Schema.Array(PolicyAttachment) })).annotateContext(OpenApi.annotations({
+	title: "List api-key policy attachments",
+	description: "List policies attached to an api-key principal"
+}))).add(HttpApiEndpoint.post("attachToApiKey")`/api/api-keys/${idParam}/policies`.setPayload(AttachPolicyBody).addSuccess(PolicyAttachment, { status: 201 }).annotateContext(OpenApi.annotations({
+	title: "Attach policy to api-key",
+	description: "Attach a policy (real or managed) to an api-key principal"
+}))).add(HttpApiEndpoint.del("detachFromApiKey")`/api/api-keys/${idParam}/policies/${policyIdParam}`.addSuccess(DeletedResult).annotateContext(OpenApi.annotations({
+	title: "Detach policy from api-key",
+	description: "Remove a policy attachment from an api-key principal"
+}))).addError(NotFound).addError(Conflict).addError(BadRequest).addError(Forbidden).annotateContext(OpenApi.annotations({
+	title: "Policy Attachments",
+	description: "Bindings of policies to member, group, and api-key principals"
+})) {};
+
 //#endregion
 //#region ../../packages/api/src/domain/project.ts
 var Project = class extends Schema.Class("Project")({
@@ -2307,7 +2434,7 @@ var WebhooksGroup = class extends HttpApiGroup.make("webhooks").add(HttpApiEndpo
 
 //#endregion
 //#region ../../packages/api/src/api.ts
-var ManagementApi = class extends HttpApi.make("management-api").add(ProjectsGroup).add(BranchesGroup).add(ChannelsGroup).add(UpdatesGroup).add(AssetsGroup).add(AnalyticsGroup).add(BuildsGroup).add(EnvVarsGroup).add(FingerprintsGroup).add(AuditLogsGroup).add(DevicesGroup).add(AppleTeamsGroup).add(AppleDistributionCertificatesGroup).add(ApplePushKeysGroup).add(AscApiKeysGroup).add(AppleProvisioningProfilesGroup).add(GoogleServiceAccountKeysGroup).add(IosBundleConfigurationsGroup).add(IosAppMetadataGroup).add(SubmissionsGroup).add(AndroidApplicationIdentifiersGroup).add(AndroidUploadKeystoresGroup).add(AndroidBuildCredentialsGroup).add(BuildCredentialsGroup).add(UserEncryptionKeysGroup).add(OrgVaultGroup).add(MeGroup).add(WebhooksGroup).add(AdminGroup).add(OrgRolesGroup).add(ChannelGrantsGroup).add(EnvGrantsGroup).middleware(Authentication).annotateContext(OpenApi.annotations({
+var ManagementApi = class extends HttpApi.make("management-api").add(ProjectsGroup).add(BranchesGroup).add(ChannelsGroup).add(UpdatesGroup).add(AssetsGroup).add(AnalyticsGroup).add(BuildsGroup).add(EnvVarsGroup).add(FingerprintsGroup).add(AuditLogsGroup).add(DevicesGroup).add(AppleTeamsGroup).add(AppleDistributionCertificatesGroup).add(ApplePushKeysGroup).add(AscApiKeysGroup).add(AppleProvisioningProfilesGroup).add(GoogleServiceAccountKeysGroup).add(IosBundleConfigurationsGroup).add(IosAppMetadataGroup).add(SubmissionsGroup).add(AndroidApplicationIdentifiersGroup).add(AndroidUploadKeystoresGroup).add(AndroidBuildCredentialsGroup).add(BuildCredentialsGroup).add(UserEncryptionKeysGroup).add(OrgVaultGroup).add(MeGroup).add(WebhooksGroup).add(PoliciesGroup).add(GroupsGroup).add(PolicyAttachmentsGroup).add(ApiKeysGroup).add(InvitationsGroup).add(MembersGroup).add(OrganizationGroup).add(AdminGroup).middleware(Authentication).annotateContext(OpenApi.annotations({
 	title: "Better Update Management API",
 	version: "1.0.0",
 	description: "Management API for OTA update publishing, deployment, and analytics"
@@ -2337,6 +2464,151 @@ var ProtocolApi = class extends HttpApi.make("protocol-api").add(ManifestGroup).
 	description: "Expo Updates protocol endpoints (unauthenticated)"
 })) {};
 
+//#endregion
+//#region ../../packages/api/src/domain/policy-selector.ts
+/**
+* Pure, framework-agnostic validators for the IAM path-glob SELECTOR GRAMMAR and
+* the action-token shape. Shared by web / CLI / server so all three reject bad
+* input identically. This is INPUT-SHAPE validation only — it is distinct from
+* the server matching algorithm (`selectorMatches`), which is NOT duplicated here.
+*/
+/** A selector segment: `*` or a non-empty token of `[A-Za-z0-9._:-]`. */
+const SEGMENT_PATTERN = /^[A-Za-z0-9._:-]+$/u;
+/**
+* An action token of `"<word>:<word>"` or `"<word>:*"`, where a word is a
+* non-empty run of `[A-Za-z0-9_-]`. The standalone `"*"` token is handled
+* separately in `isValidActionTokenShape`.
+*/
+const ACTION_TOKEN_PATTERN = /^[A-Za-z0-9_-]+:(?:\*|[A-Za-z0-9_-]+)$/u;
+const isValidSegment = (segment) => segment === "*" || SEGMENT_PATTERN.test(segment);
+/**
+* A resource selector is valid when it is `"*"` OR is slash-joined segments where
+* each segment is `"*"` or a non-empty token of `[A-Za-z0-9._:-]`. Empty segments
+* (leading/trailing/double slashes) are rejected.
+*/
+const isValidSelector = (selector) => {
+	if (selector === "*") return true;
+	if (selector.length === 0) return false;
+	return selector.split("/").every(isValidSegment);
+};
+/**
+* An action token is valid in SHAPE when it is `"*"`, `"<word>:<word>"`, or
+* `"<word>:*"`. The server still validates the token against the real
+* resource/action vocabulary — this only guards the grammar.
+*/
+const isValidActionTokenShape = (token) => token === "*" || ACTION_TOKEN_PATTERN.test(token);
+const ID = "@";
+const CANONICAL_TEMPLATES = [
+	["org"],
+	["project", ID],
+	[
+		"project",
+		ID,
+		"build"
+	],
+	[
+		"project",
+		ID,
+		"build",
+		ID
+	],
+	[
+		"project",
+		ID,
+		"credential"
+	],
+	[
+		"project",
+		ID,
+		"credential",
+		ID
+	],
+	[
+		"project",
+		ID,
+		"submission"
+	],
+	[
+		"project",
+		ID,
+		"submission",
+		ID
+	],
+	[
+		"project",
+		ID,
+		"env",
+		ID
+	],
+	[
+		"project",
+		ID,
+		"env",
+		ID,
+		"envVar"
+	],
+	[
+		"project",
+		ID,
+		"env",
+		ID,
+		"envVar",
+		ID
+	],
+	[
+		"project",
+		ID,
+		"channel",
+		ID
+	],
+	[
+		"project",
+		ID,
+		"channel",
+		ID,
+		"update"
+	],
+	[
+		"project",
+		ID,
+		"channel",
+		ID,
+		"update",
+		ID
+	],
+	[
+		"project",
+		ID,
+		"channel",
+		ID,
+		"rollout"
+	],
+	[
+		"project",
+		ID,
+		"channel",
+		ID,
+		"rollout",
+		ID
+	]
+];
+const matchesTemplate = (template, segments) => template.length === segments.length && template.every((slot, index) => {
+	const segment = segments[index];
+	return segment !== void 0 && (slot === ID || segment === slot || segment === "*");
+});
+/**
+* True when a (shape-valid) selector matches one of the canonical resource-path
+* templates the server can actually produce — so a typo'd or pluralised segment
+* (e.g. `"project/A/channels/X"`) is caught at policy-write time instead of being
+* stored as a silently inert policy that can never match. The standalone `"*"`
+* matches everything and is always canonical.
+*/
+const isCanonicalSelector = (selector) => {
+	if (selector === "*") return true;
+	const segments = selector.split("/");
+	return CANONICAL_TEMPLATES.some((template) => matchesTemplate(template, segments));
+};
+
 //#endregion
 //#region src/lib/exit-codes.ts
 var AuthRequiredError = class extends Data.TaggedError("AuthRequiredError") {};
@@ -2373,8 +2645,8 @@ var FingerprintMismatchError = class extends Data.TaggedError("FingerprintMismat
 
 //#endregion
 //#region ../../packages/type-guards/src/index.ts
-const isRecord = (value) => typeof value === "object" && value !== null && !Array.isArray(value);
-const asRecord = (value) => isRecord(value) ? value : void 0;
+const isRecord$1 = (value) => typeof value === "object" && value !== null && !Array.isArray(value);
+const asRecord = (value) => isRecord$1(value) ? value : void 0;
 const toOptional = (value) => value ?? void 0;
 const toDbNull = (value) => value ?? null;
 const compact = (obj) => Object.fromEntries(Object.entries(obj).filter(([, value]) => value !== void 0));
@@ -2432,7 +2704,7 @@ const AuthStoreLive = Layer.effect(AuthStore, Effect.gen(function* () {
 				try: () => JSON.parse(content),
 				catch: () => new AuthRequiredError({ message: "Corrupted auth file. Run `better-update login` to re-authenticate." })
 			});
-			if (!isRecord(parsed)) return yield* new AuthRequiredError({ message: "Invalid auth file. Run `better-update login` to re-authenticate." });
+			if (!isRecord$1(parsed)) return yield* new AuthRequiredError({ message: "Invalid auth file. Run `better-update login` to re-authenticate." });
 			const { token } = parsed;
 			if (typeof token !== "string") return yield* new AuthRequiredError({ message: "Invalid auth file. Run `better-update login` to re-authenticate." });
 			return token;
@@ -2466,7 +2738,7 @@ const ConfigStoreLive = Layer.effect(ConfigStore, Effect.gen(function* () {
 			message: "Config file contains invalid JSON",
 			cause
 		})
-	}).pipe(Effect.map((parsed) => isRecord(parsed) ? parsed : void 0), Effect.orElseSucceed(() => void 0))));
+	}).pipe(Effect.map((parsed) => isRecord$1(parsed) ? parsed : void 0), Effect.orElseSucceed(() => void 0))));
 	return {
 		getBaseUrl: Effect.gen(function* () {
 			const envUrl = yield* runtime.getEnv("BETTER_UPDATE_URL");
@@ -2692,7 +2964,7 @@ const AppleSessionStoreLive = Layer.effect(AppleSessionStore, Effect.gen(functio
 			const content = yield* fs.readFileString(sessionFile).pipe(Effect.orElseSucceed(() => null));
 			if (!content) return null;
 			const parsed = safeJsonParse(content);
-			if (!isRecord(parsed)) return null;
+			if (!isRecord$1(parsed)) return null;
 			if (typeof parsed["username"] !== "string" || !parsed["cookies"]) return null;
 			return {
 				cookies: parsed["cookies"],
@@ -2710,7 +2982,7 @@ const AppleSessionStoreLive = Layer.effect(AppleSessionStore, Effect.gen(functio
 			const content = yield* fs.readFileString(usernameFile).pipe(Effect.orElseSucceed(() => null));
 			if (!content) return null;
 			const parsed = safeJsonParse(content);
-			if (!isRecord(parsed) || typeof parsed["username"] !== "string") return null;
+			if (!isRecord$1(parsed) || typeof parsed["username"] !== "string") return null;
 			return parsed["username"];
 		}),
 		saveLastUsername: (username) => Effect.gen(function* () {
@@ -2893,13 +3165,13 @@ const BsdiffServiceLive = Layer.succeed(BsdiffService, { diff: (input) => Effect
 
 //#endregion
 //#region src/services/identity-store.ts
-const isArgon2Params = (value) => isRecord(value) && typeof value["time"] === "number" && typeof value["memory"] === "number" && typeof value["parallelism"] === "number";
+const isArgon2Params = (value) => isRecord$1(value) && typeof value["time"] === "number" && typeof value["memory"] === "number" && typeof value["parallelism"] === "number";
 /**
 * Structural guard for the on-disk identity envelope. A corrupt or foreign file
 * reads as "absent" so the CLI prompts to (re)create rather than crashing — the
 * AAD-bound `openIdentity` still fails loudly if a well-formed file was tampered.
 */
-const isIdentityFile = (value) => isRecord(value) && value["version"] === 1 && typeof value["publicKey"] === "string" && typeof value["fingerprint"] === "string" && value["kdf"] === "argon2id" && isArgon2Params(value["kdfParams"]) && typeof value["salt"] === "string" && value["cipher"] === "xchacha20poly1305" && typeof value["ct"] === "string";
+const isIdentityFile = (value) => isRecord$1(value) && value["version"] === 1 && typeof value["publicKey"] === "string" && typeof value["fingerprint"] === "string" && value["kdf"] === "argon2id" && isArgon2Params(value["kdfParams"]) && typeof value["salt"] === "string" && value["cipher"] === "xchacha20poly1305" && typeof value["ct"] === "string";
 var IdentityStore = class extends Context.Tag("cli/IdentityStore")() {};
 const IdentityStoreLive = Layer.effect(IdentityStore, Effect.gen(function* () {
 	const fs = yield* FileSystem.FileSystem;
@@ -3100,7 +3372,7 @@ const UpdateAssetUploaderLive = Layer.effect(UpdateAssetUploader, Effect.gen(fun
 const VAULT_CACHE_TTL_MS = 900 * 1e3;
 /** Keychain service name; the account is the recipient's public key. */
 const KEYCHAIN_SERVICE = "better-update-vault";
-const isCachedVaultEntry = (value) => isRecord(value) && typeof value["vaultKey"] === "string" && typeof value["vaultVersion"] === "number" && typeof value["keyId"] === "string" && typeof value["exp"] === "number";
+const isCachedVaultEntry = (value) => isRecord$1(value) && typeof value["vaultKey"] === "string" && typeof value["vaultVersion"] === "number" && typeof value["keyId"] === "string" && typeof value["exp"] === "number";
 /** Serialize an unlocked vault into a keychain blob, stamping a TTL from `now`. */
 const encodeCacheEntry = (vault, now, ttlMs = VAULT_CACHE_TTL_MS) => JSON.stringify({
 	vaultKey: toBase64(vault.vaultKey),
@@ -3176,7 +3448,7 @@ const VersionCheckLive = Layer.effect(VersionCheck, Effect.gen(function* () {
 			try: () => JSON.parse(content),
 			catch: () => "parse-error"
 		}).pipe(Effect.orElseSucceed(() => void 0));
-		if (isRecord(parsed) && typeof parsed["latest"] === "string" && typeof parsed["checkedAt"] === "number") return {
+		if (isRecord$1(parsed) && typeof parsed["latest"] === "string" && typeof parsed["checkedAt"] === "number") return {
 			latest: parsed["latest"],
 			checkedAt: parsed["checkedAt"]
 		};
@@ -3193,7 +3465,7 @@ const VersionCheckLive = Layer.effect(VersionCheck, Effect.gen(function* () {
 			const response = yield* httpClient.execute(request);
 			if (response.status < 200 || response.status >= 300) return;
 			const body = yield* response.json;
-			if (!isRecord(body) || typeof body["version"] !== "string") return;
+			if (!isRecord$1(body) || typeof body["version"] !== "string") return;
 			const latest = body["version"];
 			yield* fs.makeDirectory(cacheDir, { recursive: true });
 			yield* fs.writeFileString(cacheFile, `${JSON.stringify({
@@ -3294,7 +3566,7 @@ const createBrowserLoginSession = (options = {}) => {
 			if (request.method === "GET" && url.pathname === "/callback") return new Response(CALLBACK_PAGE, { headers: { "content-type": "text/html; charset=utf-8" } });
 			if (request.method === "POST" && url.pathname === "/callback/token") try {
 				const body = await request.json();
-				if (!isRecord(body)) return new Response("Invalid callback payload", { status: 400 });
+				if (!isRecord$1(body)) return new Response("Invalid callback payload", { status: 400 });
 				const token = typeof body["token"] === "string" ? body["token"].trim() : "";
 				if (token.length === 0) return new Response("Missing token", { status: 400 });
 				Effect.runSync(Deferred.succeed(tokenDeferred, token));
@@ -3777,7 +4049,7 @@ const configPath = (projectRoot) => path.join(projectRoot, BETTER_UPDATE_CONFIG_
 const readBetterUpdateConfig = (projectRoot) => Effect.gen(function* () {
 	const content = yield* (yield* FileSystem.FileSystem).readFileString(configPath(projectRoot)).pipe(Effect.orElseSucceed(() => ""));
 	if (content.length === 0) return;
-	return yield* Effect.try(() => JSON.parse(content)).pipe(Effect.map((parsed) => isRecord(parsed) ? parsed : void 0), Effect.orElseSucceed(() => void 0));
+	return yield* Effect.try(() => JSON.parse(content)).pipe(Effect.map((parsed) => isRecord$1(parsed) ? parsed : void 0), Effect.orElseSucceed(() => void 0));
 });
 /**
 * Resolve the linked project id from `better-update.json`, or `undefined` when
@@ -4517,7 +4789,7 @@ const parseLimit = (raw, defaultValue) => {
 
 //#endregion
 //#region src/commands/audit-logs/list.ts
-const listCommand$12 = defineCommand({
+const listCommand$9 = defineCommand({
 	meta: {
 		name: "list",
 		description: "List audit log entries"
@@ -4579,7 +4851,7 @@ const auditLogsCommand = defineCommand({
 		name: "audit-logs",
 		description: "View audit logs"
 	},
-	subCommands: { list: listCommand$12 }
+	subCommands: { list: listCommand$9 }
 });
 
 //#endregion
@@ -4683,7 +4955,7 @@ const drainPages = (fetchPage) => {
 
 //#endregion
 //#region src/commands/branches.ts
-const listCommand$11 = defineCommand({
+const listCommand$8 = defineCommand({
 	meta: {
 		name: "list",
 		description: "List branches for the linked project"
@@ -4706,7 +4978,7 @@ const listCommand$11 = defineCommand({
 		]), "No branches found.");
 	}))
 });
-const createCommand$5 = defineCommand({
+const createCommand$4 = defineCommand({
 	meta: {
 		name: "create",
 		description: "Create a branch"
@@ -4729,7 +5001,7 @@ const createCommand$5 = defineCommand({
 		]);
 	}))
 });
-const viewCommand$4 = defineCommand({
+const viewCommand$3 = defineCommand({
 	meta: {
 		name: "view",
 		description: "Show a branch by ID or name"
@@ -4787,7 +5059,7 @@ const renameCommand$1 = defineCommand({
 		return branch;
 	}), { json: "value" })
 });
-const deleteCommand$7 = defineCommand({
+const deleteCommand$6 = defineCommand({
 	meta: {
 		name: "delete",
 		description: "Delete a branch"
@@ -4812,11 +5084,11 @@ const branchesCommand = defineCommand({
 		description: "Manage branches"
 	},
 	subCommands: {
-		list: listCommand$11,
-		view: viewCommand$4,
-		create: createCommand$5,
+		list: listCommand$8,
+		view: viewCommand$3,
+		create: createCommand$4,
 		rename: renameCommand$1,
-		delete: deleteCommand$7
+		delete: deleteCommand$6
 	}
 });
 
@@ -18906,8 +19178,8 @@ var AscApiError = class extends Data.TaggedError("AscApiError") {};
 var AscNetworkError = class extends Data.TaggedError("AscNetworkError") {};
 const API_BASE = "https://api.appstoreconnect.apple.com";
 const extractErrors = (body) => {
-	if (!isRecord(body) || !Array.isArray(body["errors"])) return [];
-	return body["errors"].filter((value) => isRecord(value));
+	if (!isRecord$1(body) || !Array.isArray(body["errors"])) return [];
+	return body["errors"].filter((value) => isRecord$1(value));
 };
 const parseApiError = (response, body, raw) => {
 	const [first] = extractErrors(body);
@@ -18943,9 +19215,9 @@ const fetchRaw = (jwt, path, init) => Effect.gen(function* () {
 	return body;
 });
 const toAscCertificate = (value) => {
-	if (!isRecord(value)) return null;
+	if (!isRecord$1(value)) return null;
 	const { id, attributes } = value;
-	if (typeof id !== "string" || !isRecord(attributes)) return null;
+	if (typeof id !== "string" || !isRecord$1(attributes)) return null;
 	const { serialNumber, certificateType, expirationDate, certificateContent, displayName } = attributes;
 	if (typeof serialNumber !== "string" || typeof certificateType !== "string" || typeof expirationDate !== "string") return null;
 	return {
@@ -18958,9 +19230,9 @@ const toAscCertificate = (value) => {
 	};
 };
 const toAscBundleId = (value) => {
-	if (!isRecord(value)) return null;
+	if (!isRecord$1(value)) return null;
 	const { id, attributes } = value;
-	if (typeof id !== "string" || !isRecord(attributes)) return null;
+	if (typeof id !== "string" || !isRecord$1(attributes)) return null;
 	const { identifier, name } = attributes;
 	if (typeof identifier !== "string" || typeof name !== "string") return null;
 	return {
@@ -18980,9 +19252,9 @@ const asProfileType = (value) => {
 	return match === void 0 ? null : match;
 };
 const toAscProfile = (value) => {
-	if (!isRecord(value)) return null;
+	if (!isRecord$1(value)) return null;
 	const { id, attributes } = value;
-	if (typeof id !== "string" || !isRecord(attributes)) return null;
+	if (typeof id !== "string" || !isRecord$1(attributes)) return null;
 	const { name, uuid, expirationDate, profileContent } = attributes;
 	const profileType = asProfileType(attributes["profileType"]);
 	if (typeof name !== "string" || typeof uuid !== "string" || typeof expirationDate !== "string" || typeof profileContent !== "string" || profileType === null) return null;
@@ -18996,9 +19268,9 @@ const toAscProfile = (value) => {
 	};
 };
 const toAscDevice = (value) => {
-	if (!isRecord(value)) return null;
+	if (!isRecord$1(value)) return null;
 	const { id, attributes } = value;
-	if (typeof id !== "string" || !isRecord(attributes)) return null;
+	if (typeof id !== "string" || !isRecord$1(attributes)) return null;
 	const { udid, name } = attributes;
 	if (typeof udid !== "string" || typeof name !== "string") return null;
 	return {
@@ -19008,11 +19280,11 @@ const toAscDevice = (value) => {
 	};
 };
 const extractList = (body, map) => {
-	if (!isRecord(body) || !Array.isArray(body["data"])) return [];
+	if (!isRecord$1(body) || !Array.isArray(body["data"])) return [];
 	return body["data"].map(map).filter((value) => value !== null);
 };
 const extractSingle = (body, map) => {
-	if (!isRecord(body)) return null;
+	if (!isRecord$1(body)) return null;
 	return map(body["data"]);
 };
 const malformed = (resource) => new AscApiError({
@@ -22647,7 +22919,7 @@ const runFingerprintFull = (projectRoot, options = {}) => Effect.gen(function* (
 		try: () => JSON.parse(stdout),
 		catch: () => new FingerprintError({ message: "Failed to parse @expo/fingerprint output as JSON." })
 	});
-	if (!isRecord(parsed)) return yield* new FingerprintError({ message: "@expo/fingerprint output was not a JSON object." });
+	if (!isRecord$1(parsed)) return yield* new FingerprintError({ message: "@expo/fingerprint output was not a JSON object." });
 	const { hash } = parsed;
 	if (typeof hash !== "string" || hash.length === 0) return yield* new FingerprintError({ message: "@expo/fingerprint output did not contain a \"hash\" string field." });
 	const sourcesRaw = parsed["sources"];
@@ -24264,7 +24536,7 @@ const compatibilityMatrixCommand = defineCommand({
 
 //#endregion
 //#region src/commands/builds/delete.ts
-const deleteCommand$6 = defineCommand({
+const deleteCommand$5 = defineCommand({
 	meta: {
 		name: "delete",
 		description: "Delete a build"
@@ -24410,7 +24682,7 @@ const DISTRIBUTION_OPTIONS$1 = [
 	"play-store",
 	"direct"
 ];
-const listCommand$10 = defineCommand({
+const listCommand$7 = defineCommand({
 	meta: {
 		name: "list",
 		description: "List builds for the linked project"
@@ -25068,9 +25340,9 @@ const buildsCommand = defineCommand({
 		description: "Manage builds"
 	},
 	subCommands: {
-		list: listCommand$10,
+		list: listCommand$7,
 		get: getCommand$2,
-		delete: deleteCommand$6,
+		delete: deleteCommand$5,
 		download: downloadCommand$1,
 		run: runCommand$1,
 		"install-link": installLinkCommand,
@@ -25096,7 +25368,7 @@ const resolveNamedResourceId$1 = (params) => resolveNamedResourceId$2(params, (m
 
 //#endregion
 //#region src/commands/channels/create.ts
-const createCommand$4 = defineCommand({
+const createCommand$3 = defineCommand({
 	meta: {
 		name: "create",
 		description: "Create a channel"
@@ -25141,7 +25413,7 @@ const createCommand$4 = defineCommand({
 
 //#endregion
 //#region src/commands/channels/delete.ts
-const deleteCommand$5 = defineCommand({
+const deleteCommand$4 = defineCommand({
 	meta: {
 		name: "delete",
 		description: "Delete a channel"
@@ -25164,193 +25436,6 @@ const deleteCommand$5 = defineCommand({
 	})
 });
 
-//#endregion
-//#region src/commands/channels/grants/helpers.ts
-var GrantCommandError = class extends Data.TaggedError("GrantCommandError") {};
-const grantErrorExtras = { GrantCommandError: 2 };
-
-//#endregion
-//#region src/commands/channels/grants/list.ts
-const resolveChannel = (channels, target) => Effect.gen(function* () {
-	const channel = channels.find((ch) => ch.id === target) ?? channels.find((ch) => ch.name === target);
-	if (!channel) return yield* new ChannelCommandError({ message: `Channel "${target}" not found by ID or name.` });
-	return channel;
-});
-const listCommand$9 = defineCommand({
-	meta: {
-		name: "list",
-		description: "List per-member grants on a channel"
-	},
-	args: { channel: {
-		type: "positional",
-		required: true,
-		description: "Channel ID or channel name"
-	} },
-	run: async ({ args }) => runEffect(Effect.gen(function* () {
-		const projectId = yield* readProjectId;
-		const api = yield* apiClient;
-		const channel = yield* resolveChannel(yield* drainPages((page) => api.channels.list({ urlParams: {
-			projectId,
-			limit: 100,
-			page
-		} })), args.channel);
-		yield* printList([
-			"ID",
-			"Member ID",
-			"Effect",
-			"Actions",
-			"Created"
-		], (yield* api.channelGrants.list({
-			path: { id: channel.id },
-			urlParams: {}
-		})).map((grant) => [
-			grant.id,
-			grant.memberId,
-			grant.effect,
-			grant.actions.join(", "),
-			grant.createdAt
-		]), "No grants found for this channel.");
-	}), { exits: {
-		...channelErrorExtras,
-		...grantErrorExtras
-	} })
-});
-
-//#endregion
-//#region src/commands/channels/grants/revoke.ts
-const revokeCommand$2 = defineCommand({
-	meta: {
-		name: "revoke",
-		description: "Revoke all grants for a member on a channel"
-	},
-	args: {
-		channel: {
-			type: "positional",
-			required: true,
-			description: "Channel ID or channel name"
-		},
-		member: {
-			type: "string",
-			required: true,
-			description: "Member ID whose grants to revoke"
-		},
-		yes: {
-			type: "boolean",
-			description: "Skip confirmation prompt"
-		}
-	},
-	run: async ({ args }) => runEffect(Effect.gen(function* () {
-		if (!args.yes) {
-			if (!(yield* promptConfirm(`Revoke all grants for member ${args.member} on channel ${args.channel}?`, { initialValue: false }))) {
-				yield* printHuman("Cancelled.");
-				return { deleted: 0 };
-			}
-		}
-		const projectId = yield* readProjectId;
-		const api = yield* apiClient;
-		const channels = yield* drainPages((page) => api.channels.list({ urlParams: {
-			projectId,
-			limit: 100,
-			page
-		} }));
-		const channel = channels.find((ch) => ch.id === args.channel) ?? channels.find((ch) => ch.name === args.channel);
-		if (!channel) return yield* new ChannelCommandError({ message: `Channel "${args.channel}" not found by ID or name.` });
-		const result = yield* api.channelGrants.delete({ path: {
-			id: channel.id,
-			memberId: args.member
-		} });
-		yield* printHuman(`Revoked grants for member ${args.member} on channel "${channel.name}".`);
-		return result;
-	}), {
-		exits: {
-			...channelErrorExtras,
-			...grantErrorExtras
-		},
-		json: "value"
-	})
-});
-
-//#endregion
-//#region src/commands/channels/grants/set.ts
-const setCommand$3 = defineCommand({
-	meta: {
-		name: "set",
-		description: "Create or replace a member's grant on a channel"
-	},
-	args: {
-		channel: {
-			type: "positional",
-			required: true,
-			description: "Channel ID or channel name"
-		},
-		member: {
-			type: "string",
-			required: true,
-			description: "Member ID to grant permissions to"
-		},
-		actions: {
-			type: "string",
-			required: true,
-			description: "Permission action tokens in resource:action format, comma-separated (e.g. update:create,rollout:update)"
-		},
-		effect: {
-			type: "string",
-			description: "Grant effect: allow (default) or deny"
-		}
-	},
-	run: async ({ args }) => runEffect(Effect.gen(function* () {
-		const effectValue = args.effect ?? "allow";
-		if (effectValue !== "allow" && effectValue !== "deny") return yield* new GrantCommandError({ message: `Invalid effect "${effectValue}" — must be "allow" or "deny".` });
-		const actionTokens = args.actions.split(",").map((tok) => tok.trim()).filter((tok) => tok.length > 0);
-		if (actionTokens.length === 0) return yield* new GrantCommandError({ message: "At least one action token is required." });
-		const projectId = yield* readProjectId;
-		const api = yield* apiClient;
-		const channels = yield* drainPages((page) => api.channels.list({ urlParams: {
-			projectId,
-			limit: 100,
-			page
-		} }));
-		const channel = channels.find((ch) => ch.id === args.channel) ?? channels.find((ch) => ch.name === args.channel);
-		if (!channel) return yield* new ChannelCommandError({ message: `Channel "${args.channel}" not found by ID or name.` });
-		const grant = yield* api.channelGrants.upsert({
-			path: {
-				id: channel.id,
-				memberId: args.member
-			},
-			payload: {
-				effect: effectValue,
-				actions: actionTokens
-			}
-		});
-		yield* printHumanKeyValue([
-			["ID", grant.id],
-			["Member ID", grant.memberId],
-			["Channel ID", grant.scopeId],
-			["Effect", grant.effect],
-			["Actions", grant.actions.join(", ")],
-			["Created", grant.createdAt]
-		]);
-		return grant;
-	}), { exits: {
-		...channelErrorExtras,
-		...grantErrorExtras
-	} })
-});
-
-//#endregion
-//#region src/commands/channels/grants/index.ts
-const grantsCommand$1 = defineCommand({
-	meta: {
-		name: "grants",
-		description: "Manage per-member permission grants on a channel"
-	},
-	subCommands: {
-		list: listCommand$9,
-		set: setCommand$3,
-		revoke: revokeCommand$2
-	}
-});
-
 //#endregion
 //#region src/commands/channels/insights.ts
 const insightsCommand$1 = defineCommand({
@@ -25397,7 +25482,7 @@ const insightsCommand$1 = defineCommand({
 
 //#endregion
 //#region src/commands/channels/list.ts
-const listCommand$8 = defineCommand({
+const listCommand$6 = defineCommand({
 	meta: {
 		name: "list",
 		description: "List channels for the linked project"
@@ -25501,7 +25586,7 @@ const completeCommand$1 = defineCommand({
 
 //#endregion
 //#region src/commands/channels/rollout/create.ts
-const createCommand$3 = defineCommand({
+const createCommand$2 = defineCommand({
 	meta: {
 		name: "create",
 		description: "Start a branch rollout on a channel"
@@ -25582,7 +25667,7 @@ const revertCommand$2 = defineCommand({
 
 //#endregion
 //#region src/commands/channels/rollout/update.ts
-const updateCommand$4 = defineCommand({
+const updateCommand$3 = defineCommand({
 	meta: {
 		name: "update",
 		description: "Update the rollout percentage on a channel"
@@ -25621,8 +25706,8 @@ const rolloutCommand$1 = defineCommand({
 		description: "Manage channel branch rollouts"
 	},
 	subCommands: {
-		create: createCommand$3,
-		update: updateCommand$4,
+		create: createCommand$2,
+		update: updateCommand$3,
 		complete: completeCommand$1,
 		revert: revertCommand$2
 	}
@@ -25630,7 +25715,7 @@ const rolloutCommand$1 = defineCommand({
 
 //#endregion
 //#region src/commands/channels/update.ts
-const updateCommand$3 = defineCommand({
+const updateCommand$2 = defineCommand({
 	meta: {
 		name: "update",
 		description: "Relink a channel to a different branch"
@@ -25673,7 +25758,7 @@ const updateCommand$3 = defineCommand({
 
 //#endregion
 //#region src/commands/channels/view.ts
-const viewCommand$3 = defineCommand({
+const viewCommand$2 = defineCommand({
 	meta: {
 		name: "view",
 		description: "Show a channel by ID or name"
@@ -25733,15 +25818,14 @@ const channelsCommand = defineCommand({
 		description: "Manage channels"
 	},
 	subCommands: {
-		list: listCommand$8,
-		view: viewCommand$3,
-		create: createCommand$4,
-		update: updateCommand$3,
+		list: listCommand$6,
+		view: viewCommand$2,
+		create: createCommand$3,
+		update: updateCommand$2,
 		pause: pauseCommand,
 		resume: resumeCommand,
-		delete: deleteCommand$5,
+		delete: deleteCommand$4,
 		rollout: rolloutCommand$1,
-		grants: grantsCommand$1,
 		insights: insightsCommand$1
 	}
 });
@@ -27155,7 +27239,7 @@ const toRecipientView = (userEncryptionKeyId, key) => ({
 		fingerprint: key?.fingerprint
 	})
 });
-const listCommand$7 = defineCommand({
+const listCommand$5 = defineCommand({
 	meta: {
 		name: "list",
 		description: "List recipients that currently hold the org vault key"
@@ -27382,7 +27466,7 @@ const accessCommand = defineCommand({
 		description: "Inspect, grant, rotate, revoke, and recover access to the org credential vault"
 	},
 	subCommands: {
-		list: listCommand$7,
+		list: listCommand$5,
 		grant: grantCommand,
 		rotate: rotateCommand,
 		revoke: revokeCommand$1,
@@ -27591,7 +27675,7 @@ const CREDENTIAL_TYPES$3 = [
 	"keystore",
 	"google-service-account-key"
 ];
-const deleteCommand$4 = defineCommand({
+const deleteCommand$3 = defineCommand({
 	meta: {
 		name: "delete",
 		description: "Delete a credential"
@@ -27633,7 +27717,7 @@ const deleteCommand$4 = defineCommand({
 //#region src/commands/credentials/device.ts
 /** Self-linking is for your own device keys; recovery/machine keys go through `access grant`. */
 const requireDeviceKind = (target) => target.kind === "device" ? Effect.void : new IdentityError({ message: `Key ${target.id} is a ${target.kind} key, not a device. Use \`better-update credentials access grant\` for recovery/machine keys.` });
-const listCommand$6 = defineCommand({
+const listCommand$4 = defineCommand({
 	meta: {
 		name: "list",
 		description: "List your registered device keys (the active one is marked)"
@@ -27691,7 +27775,7 @@ const deviceCommand = defineCommand({
 		description: "Manage your vault device keys"
 	},
 	subCommands: {
-		list: listCommand$6,
+		list: listCommand$4,
 		link: linkCommand
 	},
 	default: "list"
@@ -28346,7 +28430,7 @@ const printRecipient = (key) => printKeyValue([
 	["Recipient (public key)", key.publicKey],
 	["Fingerprint", key.fingerprint]
 ]);
-const createCommand$2 = defineCommand({
+const createCommand$1 = defineCommand({
 	meta: {
 		name: "create",
 		description: "Create this device's encryption identity and register it as a recipient"
@@ -28449,7 +28533,7 @@ const identityCommand = defineCommand({
 		description: "Manage this device's end-to-end encryption identity"
 	},
 	subCommands: {
-		create: createCommand$2,
+		create: createCommand$1,
 		init: initCommand$1,
 		register: registerCommand,
 		show: showCommand
@@ -28459,7 +28543,7 @@ const identityCommand = defineCommand({
 
 //#endregion
 //#region src/commands/credentials/list.ts
-const listCommand$5 = defineCommand({
+const listCommand$3 = defineCommand({
 	meta: {
 		name: "list",
 		description: "List credentials across platforms"
@@ -29614,7 +29698,7 @@ const lookupByType = (api, id, type) => {
 		default: return Effect.fail(new CredentialValidationError({ message: `Unsupported credential type: ${String(type)}` }));
 	}
 };
-const viewCommand$2 = defineCommand({
+const viewCommand$1 = defineCommand({
 	meta: {
 		name: "view",
 		description: "Show details for a single credential (without secrets)"
@@ -29661,14 +29745,14 @@ const credentialsCommand = defineCommand({
 		unlock: unlockCommand,
 		lock: lockCommand,
 		status: statusCommand$1,
-		list: listCommand$5,
-		view: viewCommand$2,
+		list: listCommand$3,
+		view: viewCommand$1,
 		download: downloadCommand,
 		upload: uploadCommand,
 		"upload-asc-key": uploadAscKeyCommand,
 		generate: generateCommand$1,
 		"regenerate-profile": regenerateProfileCommand,
-		delete: deleteCommand$4,
+		delete: deleteCommand$3,
 		remove: removeCommand,
 		revoke: revokeCommand,
 		configure: configureCommand$1,
@@ -30168,19 +30252,19 @@ const envErrorExtras = {
 	SystemError: 6,
 	BadArgument: 6
 };
-const isEnvironmentName$1 = (value) => value === "development" || value === "preview" || value === "production";
+const isEnvironmentName = (value) => value === "development" || value === "preview" || value === "production";
 const parseEnvironmentsArg = (raw) => Effect.gen(function* () {
 	const tokens = raw.split(",").map((token) => token.trim()).filter((token) => token.length > 0);
 	if (tokens.length === 0) return yield* new InvalidArgumentError({ message: "Provide at least one environment (development, preview, production)." });
 	const seen = /* @__PURE__ */ new Set();
 	yield* Effect.forEach(tokens, (token) => Effect.gen(function* () {
-		if (!isEnvironmentName$1(token)) return yield* new InvalidArgumentError({ message: `Invalid environment "${token}". Must be one of: development, preview, production.` });
+		if (!isEnvironmentName(token)) return yield* new InvalidArgumentError({ message: `Invalid environment "${token}". Must be one of: development, preview, production.` });
 		seen.add(token);
 	}), { discard: true });
 	return [...seen];
 });
 const parseSingleEnvironmentArg = (raw) => Effect.gen(function* () {
-	if (!isEnvironmentName$1(raw)) return yield* new InvalidArgumentError({ message: `Invalid environment "${raw}". Must be one of: development, preview, production.` });
+	if (!isEnvironmentName(raw)) return yield* new InvalidArgumentError({ message: `Invalid environment "${raw}". Must be one of: development, preview, production.` });
 	return raw;
 });
 const formatEnvironments = (environments) => [...environments].toSorted((left, right) => left.localeCompare(right)).join(",");
@@ -30219,7 +30303,7 @@ const findProjectEnvVar = (api, projectId, key, environment) => Effect.gen(funct
 
 //#endregion
 //#region src/commands/env/delete.ts
-const deleteCommand$3 = defineCommand({
+const deleteCommand$2 = defineCommand({
 	meta: {
 		name: "delete",
 		description: "Delete a project env var (one environment, or every environment by default)"
@@ -30391,191 +30475,6 @@ const getCommand$1 = defineCommand({
 	}), envErrorExtras)
 });
 
-//#endregion
-//#region src/commands/env/grants/helpers.ts
-var EnvGrantCommandError = class extends Data.TaggedError("EnvGrantCommandError") {};
-const envGrantErrorExtras = { EnvGrantCommandError: 2 };
-/** Sentinel project token for the org-global env-var scope (mirrors server). */
-const ENV_GRANT_GLOBAL = "global";
-const ENVIRONMENTS = [
-	"development",
-	"preview",
-	"production"
-];
-/**
-* Type guard narrowing a raw arg to an {@link EnvironmentName}. Lets set/unset
-* validate `args.environment` AND narrow it without an unsafe `as` assertion.
-*/
-const isEnvironmentName = (value) => ENVIRONMENTS.includes(value);
-
-//#endregion
-//#region src/commands/env/grants/list.ts
-const listCommand$4 = defineCommand({
-	meta: {
-		name: "list",
-		description: "List env-var grants on a (project × environment) scope"
-	},
-	args: {
-		project: {
-			type: "string",
-			description: `Project id, or "${ENV_GRANT_GLOBAL}" for the org-global scope (default: linked project)`
-		},
-		global: {
-			type: "boolean",
-			default: false,
-			description: "Target the org-global env-var scope instead of a project"
-		}
-	},
-	run: async ({ args }) => runEffect(Effect.gen(function* () {
-		const projectId = args.global ? ENV_GRANT_GLOBAL : args.project ?? (yield* readProjectId);
-		yield* printList([
-			"Member ID",
-			"Environment",
-			"Effect",
-			"Actions"
-		], (yield* (yield* apiClient).envGrants.list({ urlParams: { projectId } })).map((row) => [
-			row.memberId,
-			row.environment,
-			row.effect,
-			row.actions.join(", ")
-		]), "No env-var grants found for this scope.");
-	}), { exits: { ...envGrantErrorExtras } })
-});
-
-//#endregion
-//#region src/commands/env/grants/set.ts
-const setCommand$2 = defineCommand({
-	meta: {
-		name: "set",
-		description: "Create or replace a member's env-var grant on a scope"
-	},
-	args: {
-		member: {
-			type: "string",
-			required: true,
-			description: "Member ID to grant"
-		},
-		environment: {
-			type: "string",
-			required: true,
-			description: "Environment: development | preview | production"
-		},
-		actions: {
-			type: "string",
-			description: "Comma-separated envVar:* tokens (default: envVar:read)"
-		},
-		effect: {
-			type: "string",
-			description: "allow (default) or deny"
-		},
-		project: {
-			type: "string",
-			description: `Project id (default: linked project)`
-		},
-		global: {
-			type: "boolean",
-			default: false,
-			description: "Target the org-global env-var scope"
-		}
-	},
-	run: async ({ args }) => runEffect(Effect.gen(function* () {
-		const effectValue = args.effect ?? "allow";
-		if (effectValue !== "allow" && effectValue !== "deny") return yield* new EnvGrantCommandError({ message: `Invalid effect "${effectValue}".` });
-		const { environment } = args;
-		if (!isEnvironmentName(environment)) return yield* new EnvGrantCommandError({ message: `Invalid environment "${environment}". One of: ${ENVIRONMENTS.join(", ")}.` });
-		const actionTokens = (args.actions ?? "envVar:read").split(",").map((tok) => tok.trim()).filter((tok) => tok.length > 0);
-		if (actionTokens.length === 0) return yield* new EnvGrantCommandError({ message: "At least one action token is required." });
-		const projectId = args.global ? null : args.project ?? (yield* readProjectId);
-		const grant = yield* (yield* apiClient).envGrants.upsert({ payload: {
-			memberId: args.member,
-			projectId,
-			environment,
-			effect: effectValue,
-			actions: actionTokens
-		} });
-		yield* printHumanKeyValue([
-			["ID", grant.id],
-			["Member ID", grant.memberId],
-			["Scope", grant.scopeId],
-			["Effect", grant.effect],
-			["Actions", grant.actions.join(", ")],
-			["Created", grant.createdAt]
-		]);
-		return grant;
-	}), { exits: { ...envGrantErrorExtras } })
-});
-
-//#endregion
-//#region src/commands/env/grants/unset.ts
-const unsetCommand = defineCommand({
-	meta: {
-		name: "unset",
-		description: "Revoke a member's env-var grants on a scope"
-	},
-	args: {
-		member: {
-			type: "string",
-			required: true,
-			description: "Member ID whose grants to revoke"
-		},
-		environment: {
-			type: "string",
-			required: true,
-			description: "Environment"
-		},
-		project: {
-			type: "string",
-			description: "Project id (default: linked project)"
-		},
-		global: {
-			type: "boolean",
-			default: false,
-			description: "Target the org-global scope"
-		},
-		yes: {
-			type: "boolean",
-			default: false,
-			description: "Skip confirmation prompt"
-		}
-	},
-	run: async ({ args }) => runEffect(Effect.gen(function* () {
-		const { environment } = args;
-		if (!isEnvironmentName(environment)) return yield* new EnvGrantCommandError({ message: `Invalid environment "${environment}".` });
-		if (!args.yes) {
-			const scopeLabel = args.global ? ENV_GRANT_GLOBAL : args.project ?? "linked project";
-			if (!(yield* promptConfirm(`Revoke env-var grants for member ${args.member} on ${scopeLabel}/${args.environment}?`, { initialValue: false }))) {
-				yield* printHuman("Cancelled.");
-				return { deleted: 0 };
-			}
-		}
-		const projectId = args.global ? null : args.project ?? (yield* readProjectId);
-		const result = yield* (yield* apiClient).envGrants.delete({ payload: {
-			memberId: args.member,
-			projectId,
-			environment
-		} });
-		yield* printHuman(`Revoked env-var grants for member ${args.member}.`);
-		return result;
-	}), {
-		exits: { ...envGrantErrorExtras },
-		json: "value"
-	})
-});
-
-//#endregion
-//#region src/commands/env/grants/index.ts
-const grantsCommand = defineCommand({
-	meta: {
-		name: "grants",
-		description: "Manage per-member env-var access grants on a (project × environment) scope"
-	},
-	subCommands: {
-		list: listCommand$4,
-		set: setCommand$2,
-		unset: unsetCommand
-	}
-});
-
 //#endregion
 //#region src/commands/env/history.ts
 const historyCommand = defineCommand({
@@ -30674,7 +30573,7 @@ const importCommand = defineCommand({
 
 //#endregion
 //#region src/commands/env/list.ts
-const listCommand$3 = defineCommand({
+const listCommand$2 = defineCommand({
 	meta: {
 		name: "list",
 		description: "List environment variable metadata. Values are end-to-end encrypted — read them with `env pull`, `env export`, or `env get`."
@@ -30940,7 +30839,7 @@ const setCommand$1 = defineCommand({
 
 //#endregion
 //#region src/commands/env/update.ts
-const updateCommand$2 = defineCommand({
+const updateCommand$1 = defineCommand({
 	meta: {
 		name: "update",
 		description: "Update a project env var's value or visibility for an environment"
@@ -31021,19 +30920,18 @@ const envCommand = defineCommand({
 		description: "Manage environment variables"
 	},
 	subCommands: {
-		list: listCommand$3,
+		list: listCommand$2,
 		get: getCommand$1,
 		set: setCommand$1,
-		update: updateCommand$2,
-		delete: deleteCommand$3,
+		update: updateCommand$1,
+		delete: deleteCommand$2,
 		history: historyCommand,
 		rollback: rollbackCommand$1,
 		import: importCommand,
 		push: pushCommand,
 		export: exportCommand,
 		pull: pullCommand,
-		exec: execCommand,
-		grants: grantsCommand
+		exec: execCommand
 	}
 });
 
@@ -31299,6 +31197,376 @@ const fingerprintCommand = defineCommand({
 	}
 });
 
+//#endregion
+//#region src/commands/groups/helpers.ts
+const groupErrorExtras = { GroupCommandError: 2 };
+
+//#endregion
+//#region src/commands/groups/attach.ts
+const attachGroupPolicyCommand = defineCommand({
+	meta: {
+		name: "attach",
+		description: "Attach a policy (real or managed:*) to a group; members inherit it"
+	},
+	args: {
+		id: {
+			type: "positional",
+			required: true,
+			description: "Group ID"
+		},
+		"policy-id": {
+			type: "string",
+			required: true,
+			description: "Policy ID to attach (real id or managed preset like managed:admin)"
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const attachment = yield* (yield* apiClient)["policy-attachments"].attachToGroup({
+			path: { id: args.id },
+			payload: { policyId: args["policy-id"] }
+		});
+		yield* printHumanKeyValue([
+			["Attachment ID", attachment.id],
+			["Group ID", attachment.principalId],
+			["Policy ID", attachment.policyId],
+			["Created", attachment.createdAt]
+		]);
+		return attachment;
+	}), {
+		exits: groupErrorExtras,
+		json: "value"
+	})
+});
+
+//#endregion
+//#region src/commands/groups/create.ts
+const createGroupCommand = defineCommand({
+	meta: {
+		name: "create",
+		description: "Create a member group"
+	},
+	args: {
+		name: {
+			type: "string",
+			required: true,
+			description: "Group display name"
+		},
+		description: {
+			type: "string",
+			description: "Optional human description"
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const group = yield* (yield* apiClient).groups.create({ payload: {
+			name: args.name,
+			...compact({ description: args.description })
+		} });
+		yield* printHumanKeyValue([
+			["ID", group.id],
+			["Name", group.name],
+			["Description", group.description ?? "-"],
+			["Created", group.createdAt]
+		]);
+		return group;
+	}), {
+		exits: groupErrorExtras,
+		json: "value"
+	})
+});
+
+//#endregion
+//#region src/commands/groups/delete.ts
+const deleteGroupCommand = defineCommand({
+	meta: {
+		name: "delete",
+		description: "Delete a group and sweep its memberships and policy attachments"
+	},
+	args: {
+		id: {
+			type: "positional",
+			required: true,
+			description: "Group ID"
+		},
+		yes: {
+			type: "boolean",
+			description: "Skip confirmation prompt"
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		if (!args.yes) {
+			if (!(yield* promptConfirm(`Delete group ${args.id}?`, { initialValue: false }))) {
+				yield* printHuman("Cancelled.");
+				return;
+			}
+		}
+		yield* (yield* apiClient).groups.delete({ path: { id: args.id } });
+		yield* printHuman(`Deleted group ${args.id}.`);
+		return {
+			id: args.id,
+			deleted: true
+		};
+	}), {
+		exits: groupErrorExtras,
+		json: "value"
+	})
+});
+
+//#endregion
+//#region src/commands/groups/detach.ts
+const detachGroupPolicyCommand = defineCommand({
+	meta: {
+		name: "detach",
+		description: "Remove a policy attachment from a group"
+	},
+	args: {
+		id: {
+			type: "positional",
+			required: true,
+			description: "Group ID"
+		},
+		"policy-id": {
+			type: "string",
+			required: true,
+			description: "Policy ID to detach (real id or managed preset like managed:admin)"
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		yield* (yield* apiClient)["policy-attachments"].detachFromGroup({ path: {
+			id: args.id,
+			policyId: encodeURIComponent(args["policy-id"])
+		} });
+		yield* printHuman(`Detached policy ${args["policy-id"]} from group ${args.id}.`);
+		return {
+			groupId: args.id,
+			policyId: args["policy-id"],
+			detached: true
+		};
+	}), {
+		exits: groupErrorExtras,
+		json: "value"
+	})
+});
+
+//#endregion
+//#region src/commands/groups/list.ts
+const listGroupsCommand = defineCommand({
+	meta: {
+		name: "list",
+		description: "List member groups in the active organization"
+	},
+	run: async () => runEffect(Effect.gen(function* () {
+		const result = yield* (yield* apiClient).groups.list();
+		yield* printHumanTable([
+			"ID",
+			"Name",
+			"Description",
+			"Created"
+		], result.items.map((group) => [
+			group.id,
+			group.name,
+			group.description ?? "-",
+			group.createdAt
+		]));
+		return result;
+	}), {
+		exits: groupErrorExtras,
+		json: "value"
+	})
+});
+
+//#endregion
+//#region src/commands/groups/members/add.ts
+const addGroupMemberCommand = defineCommand({
+	meta: {
+		name: "add",
+		description: "Add an organization member to a group"
+	},
+	args: {
+		id: {
+			type: "positional",
+			required: true,
+			description: "Group ID"
+		},
+		"member-id": {
+			type: "string",
+			required: true,
+			description: "Organization member ID to add"
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const member = yield* (yield* apiClient).groups.addMember({
+			path: { id: args.id },
+			payload: { memberId: args["member-id"] }
+		});
+		yield* printHumanKeyValue([["Member ID", member.memberId], ["Added", member.createdAt]]);
+		return member;
+	}), {
+		exits: groupErrorExtras,
+		json: "value"
+	})
+});
+
+//#endregion
+//#region src/commands/groups/members/remove.ts
+const removeGroupMemberCommand = defineCommand({
+	meta: {
+		name: "remove",
+		description: "Remove a member from a group"
+	},
+	args: {
+		id: {
+			type: "positional",
+			required: true,
+			description: "Group ID"
+		},
+		"member-id": {
+			type: "string",
+			required: true,
+			description: "Organization member ID to remove"
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		yield* (yield* apiClient).groups.removeMember({ path: {
+			id: args.id,
+			memberId: args["member-id"]
+		} });
+		yield* printHuman(`Removed member ${args["member-id"]} from group ${args.id}.`);
+		return {
+			groupId: args.id,
+			memberId: args["member-id"],
+			removed: true
+		};
+	}), {
+		exits: groupErrorExtras,
+		json: "value"
+	})
+});
+
+//#endregion
+//#region src/commands/groups/members/index.ts
+const listGroupMembersCommand = defineCommand({
+	meta: {
+		name: "list",
+		description: "List the members belonging to a group"
+	},
+	args: { id: {
+		type: "positional",
+		required: true,
+		description: "Group ID"
+	} },
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const result = yield* (yield* apiClient).groups.listMembers({ path: { id: args.id } });
+		yield* printHumanTable(["Member ID", "Added"], result.items.map((member) => [member.memberId, member.createdAt]));
+		return result;
+	}), {
+		exits: groupErrorExtras,
+		json: "value"
+	})
+});
+const membersCommand = defineCommand({
+	meta: {
+		name: "members",
+		description: "Manage the members of a group"
+	},
+	subCommands: {
+		list: listGroupMembersCommand,
+		add: addGroupMemberCommand,
+		remove: removeGroupMemberCommand
+	}
+});
+
+//#endregion
+//#region src/commands/groups/policies.ts
+const listGroupPoliciesCommand = defineCommand({
+	meta: {
+		name: "policies",
+		description: "List policies attached to a group"
+	},
+	args: { id: {
+		type: "positional",
+		required: true,
+		description: "Group ID"
+	} },
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const result = yield* (yield* apiClient)["policy-attachments"].listForGroup({ path: { id: args.id } });
+		yield* printHumanTable([
+			"Attachment ID",
+			"Policy ID",
+			"Created"
+		], result.items.map((attachment) => [
+			attachment.id,
+			attachment.policyId,
+			attachment.createdAt
+		]));
+		return result;
+	}), {
+		exits: groupErrorExtras,
+		json: "value"
+	})
+});
+
+//#endregion
+//#region src/commands/groups/update.ts
+const updateGroupCommand = defineCommand({
+	meta: {
+		name: "update",
+		description: "Update a group's name or description"
+	},
+	args: {
+		id: {
+			type: "positional",
+			required: true,
+			description: "Group ID"
+		},
+		name: {
+			type: "string",
+			description: "New display name"
+		},
+		description: {
+			type: "string",
+			description: "New description"
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const group = yield* (yield* apiClient).groups.update({
+			path: { id: args.id },
+			payload: compact({
+				name: args.name,
+				description: args.description
+			})
+		});
+		yield* printHumanKeyValue([
+			["ID", group.id],
+			["Name", group.name],
+			["Description", group.description ?? "-"],
+			["Updated", group.updatedAt ?? "-"]
+		]);
+		return group;
+	}), {
+		exits: groupErrorExtras,
+		json: "value"
+	})
+});
+
+//#endregion
+//#region src/commands/groups/index.ts
+const groupsCommand = defineCommand({
+	meta: {
+		name: "groups",
+		description: "Manage member groups for collective policy attachment"
+	},
+	subCommands: {
+		list: listGroupsCommand,
+		create: createGroupCommand,
+		update: updateGroupCommand,
+		delete: deleteGroupCommand,
+		members: membersCommand,
+		policies: listGroupPoliciesCommand,
+		attach: attachGroupPolicyCommand,
+		detach: detachGroupPolicyCommand
+	}
+});
+
 //#endregion
 //#region src/commands/init.ts
 const checkExistingLink = (api, config, localSlug) => Effect.gen(function* () {
@@ -31327,7 +31595,7 @@ const readPackageJsonName = (projectRoot) => Effect.gen(function* () {
 	const content = yield* (yield* FileSystem.FileSystem).readFileString(path.join(projectRoot, "package.json")).pipe(Effect.orElseSucceed(() => ""));
 	if (content.length === 0) return;
 	const parsed = yield* Effect.try(() => JSON.parse(content)).pipe(Effect.orElseSucceed(() => void 0));
-	const name = isRecord(parsed) ? parsed["name"] : void 0;
+	const name = isRecord$1(parsed) ? parsed["name"] : void 0;
 	return typeof name === "string" && name.length > 0 ? name : void 0;
 });
 /**
@@ -31568,9 +31836,239 @@ const openCommand = defineCommand({
 	}))
 });
 
+//#endregion
+//#region src/commands/policies/helpers.ts
+var PolicyCommandError = class extends Data.TaggedError("PolicyCommandError") {};
+const policyErrorExtras = { PolicyCommandError: 2 };
+/** A managed preset id is virtual + read-only; its id is prefixed with `managed:`. */
+const isManagedPolicyId = (id) => id.startsWith("managed:");
+const isStringArray = (value) => Array.isArray(value) && value.every((entry) => typeof entry === "string");
+const isRecord = (value) => typeof value === "object" && value !== null && !Array.isArray(value);
+/**
+* Parse + shape-validate a `--document` JSON string client-side so a malformed
+* document fails with a clear local message before any network round-trip. The
+* server still re-validates action tokens against the real vocabulary and the
+* selectors against the shared grammar; this only guards the JSON shape and the
+* action/selector token SHAPE via the contract's pure validators.
+*
+* Expected shape:
+*   { "statements": [ { "effect": "allow"|"deny", "actions": ["project:read"|"*"], "resources": ["*"|"project/A"] } ] }
+*/
+const parsePolicyDocument = (raw) => Effect.gen(function* () {
+	const parsed = yield* Effect.try({
+		try: () => JSON.parse(raw),
+		catch: () => new PolicyCommandError({ message: "The --document value is not valid JSON. Pass a JSON object string." })
+	});
+	if (!isRecord(parsed) || !Array.isArray(parsed["statements"])) return yield* new PolicyCommandError({ message: "The document must be a JSON object with a \"statements\" array. Example: {\"statements\":[{\"effect\":\"allow\",\"actions\":[\"project:read\"],\"resources\":[\"*\"]}]}" });
+	const statements = [];
+	for (const [index, entry] of parsed["statements"].entries()) {
+		const statement = yield* validateStatement(entry, index);
+		statements.push(statement);
+	}
+	if (statements.length === 0) return yield* new PolicyCommandError({ message: "The document must contain at least one statement." });
+	return { statements };
+});
+const validateStatement = (entry, index) => Effect.gen(function* () {
+	const at = `statements[${index}]`;
+	if (!isRecord(entry)) return yield* new PolicyCommandError({ message: `${at} must be a JSON object.` });
+	const { effect } = entry;
+	if (effect !== "allow" && effect !== "deny") return yield* new PolicyCommandError({ message: `${at}.effect must be "allow" or "deny".` });
+	const { actions } = entry;
+	if (!isStringArray(actions) || actions.length === 0) return yield* new PolicyCommandError({ message: `${at}.actions must be a non-empty array of action-token strings.` });
+	const badAction = actions.find((token) => !isValidActionTokenShape(token));
+	if (badAction !== void 0) return yield* new PolicyCommandError({ message: `${at}.actions has an invalid token "${badAction}". Use "*", "<resource>:*", or "<resource>:<action>".` });
+	const { resources } = entry;
+	if (!isStringArray(resources) || resources.length === 0) return yield* new PolicyCommandError({ message: `${at}.resources must be a non-empty array of selector strings.` });
+	const badResource = resources.find((selector) => !isValidSelector(selector));
+	if (badResource !== void 0) return yield* new PolicyCommandError({ message: `${at}.resources has an invalid selector "${badResource}". Use "*" or slash-joined segments like "project/A".` });
+	const inertResource = resources.find((selector) => !isCanonicalSelector(selector));
+	if (inertResource !== void 0) return yield* new PolicyCommandError({ message: `${at}.resources selector "${inertResource}" matches no known resource path. Use segments like "project/{id}/channel/{id}" or "project/{id}/env/{env}".` });
+	return {
+		effect,
+		actions,
+		resources
+	};
+});
+
+//#endregion
+//#region src/commands/policies/create.ts
+const DOCUMENT_HELP = "JSON document string: {\"statements\":[{\"effect\":\"allow\"|\"deny\",\"actions\":[\"<resource>:<action>\"|\"<resource>:*\"|\"*\"],\"resources\":[\"*\"|\"project/A\"|\"project/*/env/production\"]}]}";
+const createPolicyCommand = defineCommand({
+	meta: {
+		name: "create",
+		description: "Create a named IAM policy from a JSON document"
+	},
+	args: {
+		name: {
+			type: "string",
+			required: true,
+			description: "Policy display name"
+		},
+		description: {
+			type: "string",
+			description: "Optional human description"
+		},
+		document: {
+			type: "string",
+			required: true,
+			description: DOCUMENT_HELP
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const document = yield* parsePolicyDocument(args.document);
+		const policy = yield* (yield* apiClient).policies.create({ payload: {
+			name: args.name,
+			document,
+			...compact({ description: args.description })
+		} });
+		yield* printHumanKeyValue([
+			["ID", policy.id],
+			["Name", policy.name],
+			["Description", policy.description ?? "-"],
+			["Statements", String(policy.document.statements.length)],
+			["Created", policy.createdAt]
+		]);
+		return policy;
+	}), {
+		exits: policyErrorExtras,
+		json: "value"
+	})
+});
+
+//#endregion
+//#region src/commands/policies/delete.ts
+const deletePolicyCommand = defineCommand({
+	meta: {
+		name: "delete",
+		description: "Delete a policy and sweep its attachments (managed presets cannot be deleted)"
+	},
+	args: {
+		id: {
+			type: "positional",
+			required: true,
+			description: "Policy ID"
+		},
+		yes: {
+			type: "boolean",
+			description: "Skip confirmation prompt"
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		if (isManagedPolicyId(args.id)) return yield* new PolicyCommandError({ message: `Policy "${args.id}" is a managed preset and cannot be deleted.` });
+		if (!args.yes) {
+			if (!(yield* promptConfirm(`Delete policy ${args.id}?`, { initialValue: false }))) {
+				yield* printHuman("Cancelled.");
+				return;
+			}
+		}
+		yield* (yield* apiClient).policies.delete({ path: { id: args.id } });
+		yield* printHuman(`Deleted policy ${args.id}.`);
+		return {
+			id: args.id,
+			deleted: true
+		};
+	}), {
+		exits: policyErrorExtras,
+		json: "value"
+	})
+});
+
+//#endregion
+//#region src/commands/policies/list.ts
+const listPoliciesCommand = defineCommand({
+	meta: {
+		name: "list",
+		description: "List policies in the active organization (includes read-only managed presets)"
+	},
+	run: async () => runEffect(Effect.gen(function* () {
+		const result = yield* (yield* apiClient).policies.list();
+		yield* printHumanTable([
+			"ID",
+			"Name",
+			"Statements",
+			"Managed"
+		], result.items.map((policy) => [
+			policy.id,
+			policy.name,
+			String(policy.document.statements.length),
+			isManagedPolicyId(policy.id) ? "yes" : "no"
+		]));
+		return result;
+	}), {
+		exits: policyErrorExtras,
+		json: "value"
+	})
+});
+
+//#endregion
+//#region src/commands/policies/update.ts
+const updatePolicyCommand = defineCommand({
+	meta: {
+		name: "update",
+		description: "Update a policy's name, description, or document (managed presets are read-only)"
+	},
+	args: {
+		id: {
+			type: "positional",
+			required: true,
+			description: "Policy ID"
+		},
+		name: {
+			type: "string",
+			description: "New display name"
+		},
+		description: {
+			type: "string",
+			description: "New description"
+		},
+		document: {
+			type: "string",
+			description: "Replacement JSON document string"
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		if (isManagedPolicyId(args.id)) return yield* new PolicyCommandError({ message: `Policy "${args.id}" is a managed preset and is read-only. Create a custom policy instead.` });
+		const document = args.document === void 0 ? void 0 : yield* parsePolicyDocument(args.document);
+		const policy = yield* (yield* apiClient).policies.update({
+			path: { id: args.id },
+			payload: compact({
+				name: args.name,
+				description: args.description,
+				document
+			})
+		});
+		yield* printHumanKeyValue([
+			["ID", policy.id],
+			["Name", policy.name],
+			["Description", policy.description ?? "-"],
+			["Statements", String(policy.document.statements.length)],
+			["Updated", policy.updatedAt ?? "-"]
+		]);
+		return policy;
+	}), {
+		exits: policyErrorExtras,
+		json: "value"
+	})
+});
+
+//#endregion
+//#region src/commands/policies/index.ts
+const policiesCommand = defineCommand({
+	meta: {
+		name: "policies",
+		description: "Manage IAM policies (named, reusable permission grants)"
+	},
+	subCommands: {
+		list: listPoliciesCommand,
+		create: createPolicyCommand,
+		update: updatePolicyCommand,
+		delete: deletePolicyCommand
+	}
+});
+
 //#endregion
 //#region src/commands/projects.ts
-const listCommand$2 = defineCommand({
+const listCommand$1 = defineCommand({
 	meta: {
 		name: "list",
 		description: "List projects (most recently active first)"
@@ -31621,7 +32119,7 @@ const listCommand$2 = defineCommand({
 		yield* printHuman(`Page ${result.page} · ${result.items.length} of ${result.total} project(s)`);
 	}))
 });
-const createCommand$1 = defineCommand({
+const createCommand = defineCommand({
 	meta: {
 		name: "create",
 		description: "Create a new project"
@@ -31699,7 +32197,7 @@ const renameCommand = defineCommand({
 		return project;
 	}), { json: "value" })
 });
-const deleteCommand$2 = defineCommand({
+const deleteCommand$1 = defineCommand({
 	meta: {
 		name: "delete",
 		description: "Delete a project"
@@ -31723,230 +32221,11 @@ const projectsCommand = defineCommand({
 		name: "projects",
 		description: "Manage projects"
 	},
-	subCommands: {
-		list: listCommand$2,
-		create: createCommand$1,
-		get: getCommand,
-		rename: renameCommand,
-		delete: deleteCommand$2
-	}
-});
-
-//#endregion
-//#region src/commands/roles/helpers.ts
-var RoleCommandError = class extends Data.TaggedError("RoleCommandError") {};
-const roleErrorExtras = { RoleCommandError: 2 };
-/**
-* Parse comma-separated "resource:action" tokens into the PermissionGrant array
-* the API expects. Multiple actions for the same resource are grouped.
-*
-* Input examples:
-*   "channel:read,channel:update"
-*   "channel:read, rollout:create, rollout:update"
-*/
-const parsePermissionTokens = (raw) => Effect.gen(function* () {
-	const tokens = raw.split(",").map((tok) => tok.trim()).filter((tok) => tok.length > 0);
-	const grouped = /* @__PURE__ */ new Map();
-	for (const token of tokens) {
-		const colonIdx = token.indexOf(":");
-		if (colonIdx === -1) return yield* new RoleCommandError({ message: `Invalid permission token "${token}" — expected "resource:action" format.` });
-		const resource = token.slice(0, colonIdx).trim();
-		const action = token.slice(colonIdx + 1).trim();
-		if (!resource || !action) return yield* new RoleCommandError({ message: `Invalid permission token "${token}" — resource and action must be non-empty.` });
-		const actions = grouped.get(resource) ?? /* @__PURE__ */ new Set();
-		actions.add(action);
-		grouped.set(resource, actions);
-	}
-	return [...grouped.entries()].map(([resource, actions]) => ({
-		resource,
-		actions: [...actions]
-	}));
-});
-
-//#endregion
-//#region src/commands/roles/create.ts
-const createCommand = defineCommand({
-	meta: {
-		name: "create",
-		description: "Create a custom role"
-	},
-	args: {
-		name: {
-			type: "string",
-			required: true,
-			description: "Role name (unique per organization)"
-		},
-		permission: {
-			type: "string",
-			required: true,
-			description: "Permission tokens in resource:action format, comma-separated (e.g. channel:read,channel:update)"
-		}
-	},
-	run: async ({ args }) => runEffect(Effect.gen(function* () {
-		const permissions = yield* parsePermissionTokens(args.permission);
-		const role = yield* (yield* apiClient).roles.create({ payload: {
-			name: args.name,
-			permissions
-		} });
-		yield* printHumanKeyValue([
-			["ID", role.id],
-			["Name", role.role],
-			["Permissions", role.permissions.map((perm) => `${perm.resource}:[${perm.actions.join(",")}]`).join("; ")],
-			["Created", role.createdAt]
-		]);
-		return role;
-	}), {
-		exits: roleErrorExtras,
-		json: "value"
-	})
-});
-
-//#endregion
-//#region src/commands/roles/delete.ts
-const deleteCommand$1 = defineCommand({
-	meta: {
-		name: "delete",
-		description: "Delete a custom role"
-	},
-	args: {
-		id: {
-			type: "positional",
-			required: true,
-			description: "Role ID"
-		},
-		yes: {
-			type: "boolean",
-			description: "Skip confirmation prompt"
-		}
-	},
-	run: async ({ args }) => runEffect(Effect.gen(function* () {
-		if (!args.yes) {
-			if (!(yield* promptConfirm(`Delete role ${args.id}?`, { initialValue: false }))) {
-				yield* printHuman("Cancelled.");
-				return { deleted: 0 };
-			}
-		}
-		const result = yield* (yield* apiClient).roles.delete({ path: { id: args.id } });
-		yield* printHuman(`Role ${args.id} deleted.`);
-		return result;
-	}), {
-		exits: roleErrorExtras,
-		json: "value"
-	})
-});
-
-//#endregion
-//#region src/commands/roles/list.ts
-const listCommand$1 = defineCommand({
-	meta: {
-		name: "list",
-		description: "List custom roles for the active organization"
-	},
-	args: { "organization-id": {
-		type: "string",
-		required: true,
-		description: "Organization ID to list roles for"
-	} },
-	run: async ({ args }) => runEffect(Effect.gen(function* () {
-		yield* printList([
-			"ID",
-			"Name",
-			"Permissions",
-			"Created"
-		], (yield* (yield* apiClient).roles.list({ urlParams: { organizationId: args["organization-id"] } })).map((role) => [
-			role.id,
-			role.role,
-			role.permissions.map((perm) => `${perm.resource}:[${perm.actions.join(",")}]`).join("; "),
-			role.createdAt
-		]), "No custom roles found.");
-	}), roleErrorExtras)
-});
-
-//#endregion
-//#region src/commands/roles/update.ts
-const updateCommand$1 = defineCommand({
-	meta: {
-		name: "update",
-		description: "Update a custom role's name or permissions"
-	},
-	args: {
-		id: {
-			type: "positional",
-			required: true,
-			description: "Role ID"
-		},
-		name: {
-			type: "string",
-			description: "New role name"
-		},
-		permission: {
-			type: "string",
-			description: "Replacement permission tokens in resource:action format, comma-separated (e.g. channel:read,channel:update)"
-		}
-	},
-	run: async ({ args }) => runEffect(Effect.gen(function* () {
-		const permissions = args.permission === void 0 ? void 0 : yield* parsePermissionTokens(args.permission);
-		const role = yield* (yield* apiClient).roles.update({
-			path: { id: args.id },
-			payload: compact({
-				name: args.name,
-				permissions
-			})
-		});
-		yield* printHumanKeyValue([
-			["ID", role.id],
-			["Name", role.role],
-			["Permissions", role.permissions.map((perm) => `${perm.resource}:[${perm.actions.join(",")}]`).join("; ")],
-			["Updated", role.updatedAt ?? "-"]
-		]);
-		return role;
-	}), {
-		exits: roleErrorExtras,
-		json: "value"
-	})
-});
-
-//#endregion
-//#region src/commands/roles/view.ts
-const viewCommand$1 = defineCommand({
-	meta: {
-		name: "view",
-		description: "Show a custom role by ID"
-	},
-	args: { id: {
-		type: "positional",
-		required: true,
-		description: "Role ID"
-	} },
-	run: async ({ args }) => runEffect(Effect.gen(function* () {
-		const role = yield* (yield* apiClient).roles.get({ path: { id: args.id } });
-		yield* printHumanKeyValue([
-			["ID", role.id],
-			["Name", role.role],
-			["Organization ID", role.organizationId],
-			["Permissions", role.permissions.map((perm) => `${perm.resource}:[${perm.actions.join(",")}]`).join("; ")],
-			["Created", role.createdAt],
-			["Updated", role.updatedAt ?? "-"]
-		]);
-		return role;
-	}), {
-		exits: roleErrorExtras,
-		json: "value"
-	})
-});
-
-//#endregion
-//#region src/commands/roles/index.ts
-const rolesCommand = defineCommand({
-	meta: {
-		name: "roles",
-		description: "Manage custom organization roles"
-	},
 	subCommands: {
 		list: listCommand$1,
-		view: viewCommand$1,
 		create: createCommand,
-		update: updateCommand$1,
+		get: getCommand,
+		rename: renameCommand,
 		delete: deleteCommand$1
 	}
 });
@@ -33423,10 +33702,10 @@ const assertSignedManifestBundleUrl = (params) => Effect.gen(function* () {
 		try: () => JSON.parse(params.manifestBody),
 		catch: () => params.makeError(`Signed ${params.platform} manifestBody is not valid JSON.`)
 	});
-	if (!isRecord(parsed)) return yield* Effect.fail(params.makeError(`Signed ${params.platform} manifestBody must be a JSON object.`));
+	if (!isRecord$1(parsed)) return yield* Effect.fail(params.makeError(`Signed ${params.platform} manifestBody must be a JSON object.`));
 	const { id } = parsed;
 	const { launchAsset } = parsed;
-	if (typeof id !== "string" || !isRecord(launchAsset)) return yield* Effect.fail(params.makeError(`Signed ${params.platform} manifestBody must carry a string "id" and an object "launchAsset".`));
+	if (typeof id !== "string" || !isRecord$1(launchAsset)) return yield* Effect.fail(params.makeError(`Signed ${params.platform} manifestBody must carry a string "id" and an object "launchAsset".`));
 	const { url } = launchAsset;
 	const expectedPrefix = `${params.serverBaseUrl}/manifest/${params.projectId}/bundle/${id}/`;
 	if (typeof url !== "string" || !url.startsWith(expectedPrefix)) return yield* Effect.fail(params.makeError(`Signed ${params.platform} manifestBody launchAsset.url must point at the Worker bundle route (${expectedPrefix}…) so bsdiff patches apply; got ${typeof url === "string" ? url : "a non-string value"}. Re-render the signed manifest with the Worker bundle URL.`));
@@ -34354,10 +34633,10 @@ const extractDirectiveCommitTime = (directiveBody) => Effect.gen(function* () {
 		try: () => JSON.parse(directiveBody),
 		catch: () => new UpdateRollbackError({ message: "directiveBody must be valid JSON." })
 	});
-	if (!isRecord(directive)) return yield* new UpdateRollbackError({ message: "directiveBody must decode to a JSON object." });
+	if (!isRecord$1(directive)) return yield* new UpdateRollbackError({ message: "directiveBody must decode to a JSON object." });
 	if (directive["type"] !== "rollBackToEmbedded") return yield* new UpdateRollbackError({ message: "directiveBody.type must be \"rollBackToEmbedded\"." });
 	const { parameters } = directive;
-	if (!isRecord(parameters)) return yield* new UpdateRollbackError({ message: "directiveBody.parameters must be an object." });
+	if (!isRecord$1(parameters)) return yield* new UpdateRollbackError({ message: "directiveBody.parameters must be an object." });
 	const { commitTime } = parameters;
 	if (typeof commitTime !== "string" || Number.isNaN(Date.parse(commitTime))) return yield* new UpdateRollbackError({ message: "directiveBody.parameters.commitTime must be a valid ISO 8601 timestamp." });
 	if (new Date(Date.parse(commitTime)).toISOString() !== commitTime) return yield* new UpdateRollbackError({ message: "directiveBody.parameters.commitTime must be canonical ISO 8601 with milliseconds and a trailing Z (e.g. 2026-05-06T14:00:00.000Z). The expo-updates client cannot parse other forms (no milliseconds, numeric timezone offsets), so the signed rollback would be rejected on-device." });
@@ -35185,9 +35464,10 @@ const commandRegistry = {
 	init: initCommand,
 	status: statusCommand,
 	projects: projectsCommand,
+	policies: policiesCommand,
+	groups: groupsCommand,
 	branches: branchesCommand,
 	channels: channelsCommand,
-	roles: rolesCommand,
 	build: buildCommand,
 	builds: buildsCommand,
 	credentials: credentialsCommand,