@better-update/cli 0.28.1 → 0.29.1

package/dist/index.mjs

@@ -34,7 +34,7 @@ var __require = /* @__PURE__ */ createRequire(import.meta.url);
 
 //#endregion
 //#region package.json
-var version = "0.28.1";
+var version = "0.29.1";
 
 //#endregion
 //#region src/lib/interactive-mode.ts
@@ -904,7 +904,7 @@ var AssetsGroup = class extends HttpApiGroup.make("assets").add(HttpApiEndpoint.
 
 //#endregion
 //#region ../../packages/api/src/domain/audit-log.ts
-const AuditLogResourceType = Schema.Literal("project", "branch", "channel", "update", "build", "appleCredential", "androidCredential", "iosBundleConfiguration", "envVar", "device", "webhook", "iosAppMetadata", "submission", "vaultAccess", "policy", "group", "policyAttachment", "apiKey", "invitation", "member", "organization");
+const AuditLogResourceType = Schema.Literal("project", "branch", "channel", "update", "environment", "build", "appleCredential", "androidCredential", "iosBundleConfiguration", "envVar", "device", "webhook", "iosAppMetadata", "submission", "vaultAccess", "policy", "group", "policyAttachment", "apiKey", "invitation", "member", "organization");
 const AuditLogSource = Schema.Literal("session", "api-key");
 var AuditLog = class extends Schema.Class("AuditLog")({
 	id: Id,
@@ -941,6 +941,7 @@ var Branch = class extends Schema.Class("Branch")({
 	id: Id,
 	projectId: Id,
 	name: Schema.String,
+	isBuiltin: Schema.Boolean,
 	createdAt: DateTimeString,
 	updateCount: Schema.Number
 }) {};
@@ -1231,6 +1232,7 @@ var Channel = class extends Schema.Class("Channel")({
 	branchMappingJson: Schema.NullOr(Schema.String),
 	cacheVersion: Schema.Number,
 	isPaused: Schema.Boolean,
+	isBuiltin: Schema.Boolean,
 	createdAt: DateTimeString
 }) {};
 const ChannelSortColumn = Schema.Literal("name", "createdAt");
@@ -1381,11 +1383,32 @@ var DevicesGroup = class extends HttpApiGroup.make("devices").add(HttpApiEndpoin
 	description: "Apple device management for ad-hoc builds"
 })) {};
 
+//#endregion
+//#region ../../packages/api/src/domain/environment.ts
+/**
+* An environment name: lowercase letters, digits and hyphens, starting with a
+* letter. Shared by the env-var `environment` axis and the environment entity so
+* a custom environment name and an env var's `environment` use one shape.
+*/
+const EnvironmentName = Schema.String.pipe(Schema.pattern(/^[a-z][a-z0-9-]*$/u), Schema.maxLength(64));
+/** An organization environment: a built-in (virtual) or a user-defined row. */
+var Environment = class extends Schema.Class("Environment")({
+	id: Id,
+	organizationId: Id,
+	name: EnvironmentName,
+	isBuiltin: Schema.Boolean,
+	createdAt: DateTimeString
+}) {};
+const EnvironmentListResult = Schema.Struct({ items: Schema.Array(Environment) });
+const CreateEnvironmentBody = Schema.Struct({ name: EnvironmentName });
+const RenameEnvironmentBody = Schema.Struct({ name: EnvironmentName });
+const DeleteEnvironmentResult = Schema.Struct({ deleted: Schema.Number });
+
 //#endregion
 //#region ../../packages/api/src/domain/env-var.ts
 const EnvVarVisibility = Schema.Literal("plaintext", "sensitive");
 const EnvVarScope = Schema.Literal("project", "global");
-const EnvVarEnvironment = Schema.Literal("development", "preview", "production");
+const EnvVarEnvironment = EnvironmentName;
 const EnvVarListScope = Schema.Literal("all", "project", "global");
 /**
 * A client-sealed env var value. `id` is the revision UUID the CLI bound as the
@@ -1519,6 +1542,27 @@ var EnvVarsGroup = class extends HttpApiGroup.make("env-vars").add(HttpApiEndpoi
 	description: "Manage end-to-end encrypted, versioned environment variables for project builds"
 })) {};
 
+//#endregion
+//#region ../../packages/api/src/groups/environments.ts
+/** `:name` path parameter — the environment name (built-in or user-defined). */
+const nameParam = HttpApiSchema.param("name", Schema.String);
+var EnvironmentsGroup = class extends HttpApiGroup.make("environments").add(HttpApiEndpoint.get("list", "/api/environments").addSuccess(EnvironmentListResult).annotateContext(OpenApi.annotations({
+	title: "List environments",
+	description: "List the organization's environments: the three built-ins (development, preview, production) followed by user-defined ones."
+}))).add(HttpApiEndpoint.post("create", "/api/environments").setPayload(CreateEnvironmentBody).addSuccess(Environment, { status: 201 }).addError(Conflict).addError(BadRequest).annotateContext(OpenApi.annotations({
+	title: "Create environment",
+	description: "Create a user-defined environment for the organization. Built-in names are reserved."
+}))).add(HttpApiEndpoint.patch("rename")`/api/environments/${nameParam}`.setPayload(RenameEnvironmentBody).addSuccess(Environment).addError(Conflict).addError(BadRequest).annotateContext(OpenApi.annotations({
+	title: "Rename environment",
+	description: "Rename a user-defined environment. Built-ins cannot be renamed. Env vars referencing the old name are re-pointed at the new name."
+}))).add(HttpApiEndpoint.del("delete")`/api/environments/${nameParam}`.addSuccess(DeleteEnvironmentResult).addError(Conflict).annotateContext(OpenApi.annotations({
+	title: "Delete environment",
+	description: "Delete a user-defined environment. Built-ins cannot be deleted, nor can an environment still referenced by env vars."
+}))).addError(NotFound).addError(Conflict).addError(BadRequest).addError(Forbidden).annotateContext(OpenApi.annotations({
+	title: "Environments",
+	description: "Organization environment management endpoints"
+})) {};
+
 //#endregion
 //#region ../../packages/api/src/domain/update.ts
 var Update = class extends Schema.Class("Update")({
@@ -2434,7 +2478,7 @@ var WebhooksGroup = class extends HttpApiGroup.make("webhooks").add(HttpApiEndpo
 
 //#endregion
 //#region ../../packages/api/src/api.ts
-var ManagementApi = class extends HttpApi.make("management-api").add(ProjectsGroup).add(BranchesGroup).add(ChannelsGroup).add(UpdatesGroup).add(AssetsGroup).add(AnalyticsGroup).add(BuildsGroup).add(EnvVarsGroup).add(FingerprintsGroup).add(AuditLogsGroup).add(DevicesGroup).add(AppleTeamsGroup).add(AppleDistributionCertificatesGroup).add(ApplePushKeysGroup).add(AscApiKeysGroup).add(AppleProvisioningProfilesGroup).add(GoogleServiceAccountKeysGroup).add(IosBundleConfigurationsGroup).add(IosAppMetadataGroup).add(SubmissionsGroup).add(AndroidApplicationIdentifiersGroup).add(AndroidUploadKeystoresGroup).add(AndroidBuildCredentialsGroup).add(BuildCredentialsGroup).add(UserEncryptionKeysGroup).add(OrgVaultGroup).add(MeGroup).add(WebhooksGroup).add(PoliciesGroup).add(GroupsGroup).add(PolicyAttachmentsGroup).add(ApiKeysGroup).add(InvitationsGroup).add(MembersGroup).add(OrganizationGroup).add(AdminGroup).middleware(Authentication).annotateContext(OpenApi.annotations({
+var ManagementApi = class extends HttpApi.make("management-api").add(ProjectsGroup).add(BranchesGroup).add(ChannelsGroup).add(EnvironmentsGroup).add(UpdatesGroup).add(AssetsGroup).add(AnalyticsGroup).add(BuildsGroup).add(EnvVarsGroup).add(FingerprintsGroup).add(AuditLogsGroup).add(DevicesGroup).add(AppleTeamsGroup).add(AppleDistributionCertificatesGroup).add(ApplePushKeysGroup).add(AscApiKeysGroup).add(AppleProvisioningProfilesGroup).add(GoogleServiceAccountKeysGroup).add(IosBundleConfigurationsGroup).add(IosAppMetadataGroup).add(SubmissionsGroup).add(AndroidApplicationIdentifiersGroup).add(AndroidUploadKeystoresGroup).add(AndroidBuildCredentialsGroup).add(BuildCredentialsGroup).add(UserEncryptionKeysGroup).add(OrgVaultGroup).add(MeGroup).add(WebhooksGroup).add(PoliciesGroup).add(GroupsGroup).add(PolicyAttachmentsGroup).add(ApiKeysGroup).add(InvitationsGroup).add(MembersGroup).add(OrganizationGroup).add(AdminGroup).middleware(Authentication).annotateContext(OpenApi.annotations({
 	title: "Better Update Management API",
 	version: "1.0.0",
 	description: "Management API for OTA update publishing, deployment, and analytics"
@@ -4789,7 +4833,7 @@ const parseLimit = (raw, defaultValue) => {
 
 //#endregion
 //#region src/commands/audit-logs/list.ts
-const listCommand$9 = defineCommand({
+const listCommand$10 = defineCommand({
 	meta: {
 		name: "list",
 		description: "List audit log entries"
@@ -4851,7 +4895,7 @@ const auditLogsCommand = defineCommand({
 		name: "audit-logs",
 		description: "View audit logs"
 	},
-	subCommands: { list: listCommand$9 }
+	subCommands: { list: listCommand$10 }
 });
 
 //#endregion
@@ -4955,7 +4999,7 @@ const drainPages = (fetchPage) => {
 
 //#endregion
 //#region src/commands/branches.ts
-const listCommand$8 = defineCommand({
+const listCommand$9 = defineCommand({
 	meta: {
 		name: "list",
 		description: "List branches for the linked project"
@@ -4978,7 +5022,7 @@ const listCommand$8 = defineCommand({
 		]), "No branches found.");
 	}))
 });
-const createCommand$4 = defineCommand({
+const createCommand$5 = defineCommand({
 	meta: {
 		name: "create",
 		description: "Create a branch"
@@ -5033,7 +5077,7 @@ const viewCommand$3 = defineCommand({
 		return branch;
 	}), { json: "value" })
 });
-const renameCommand$1 = defineCommand({
+const renameCommand$2 = defineCommand({
 	meta: {
 		name: "rename",
 		description: "Rename a branch"
@@ -5059,7 +5103,7 @@ const renameCommand$1 = defineCommand({
 		return branch;
 	}), { json: "value" })
 });
-const deleteCommand$6 = defineCommand({
+const deleteCommand$7 = defineCommand({
 	meta: {
 		name: "delete",
 		description: "Delete a branch"
@@ -5084,11 +5128,11 @@ const branchesCommand = defineCommand({
 		description: "Manage branches"
 	},
 	subCommands: {
-		list: listCommand$8,
+		list: listCommand$9,
 		view: viewCommand$3,
-		create: createCommand$4,
-		rename: renameCommand$1,
-		delete: deleteCommand$6
+		create: createCommand$5,
+		rename: renameCommand$2,
+		delete: deleteCommand$7
 	}
 });
 
@@ -18882,15 +18926,6 @@ const grantRecipient = (args) => Effect.gen(function* () {
 	} });
 });
 /**
-* Resolve the passphrase needed to unlock the active identity before a crypto
-* operation: prompt for it when the identity is the on-disk file, or return
-* `undefined` when the raw `BETTER_UPDATE_IDENTITY` env key is in use (CI). The
-* resolved value is threaded into {@link unlockVaultKey} by the cipher helpers.
-*/
-const resolveVaultPassphrase = Effect.gen(function* () {
-	return (yield* activeRecipient).source === "file" ? yield* promptPassword("Passphrase to unlock this device's identity:") : void 0;
-});
-/**
 * Unlock the org vault key for an interactive command, reusing a cached vault key
 * from the OS keychain when one is present and unexpired — so the device
 * passphrase is prompted at most once per cache TTL rather than on every command
@@ -18898,6 +18933,12 @@ const resolveVaultPassphrase = Effect.gen(function* () {
 * The CI `BETTER_UPDATE_IDENTITY` key carries no passphrase and is never cached:
 * it skips straight to the raw unwrap. On a cache miss the full unlock runs —
 * prompt, Argon2id, fetch + unwrap — and the result is cached for next time.
+*
+* The cached key is the unwrapped vault key, which both unwraps (decrypt/read)
+* and wraps (encrypt/write) DEKs — so this single entry point backs every vault
+* operation: download/build-resolve reads, seal-for-upload + generate writes, and
+* rotation. There is no read-only cache: an unlock makes the next write seamless
+* too.
 */
 const unlockVaultKeyInteractive = (api) => Effect.gen(function* () {
 	const recipient = yield* activeRecipient;
@@ -18909,6 +18950,17 @@ const unlockVaultKeyInteractive = (api) => Effect.gen(function* () {
 	yield* cache.set(recipient.publicKey, vault);
 	return vault;
 }).pipe(Effect.provide(VaultCacheLive));
+/**
+* Forget the active recipient's cached vault key. Called after a rotation re-keys
+* the vault: the cached key + version are now stale, so leaving them would make
+* the next seal upload a key/version the server CAS-rejects (and the next decrypt
+* fail integrity). Clearing forces a fresh unlock at the new version next time —
+* which also correctly locks out a device that just revoked its own access.
+*/
+const forgetCachedVaultKey = Effect.gen(function* () {
+	const recipient = yield* activeRecipient;
+	yield* (yield* VaultCache).clear(recipient.publicKey);
+}).pipe(Effect.provide(VaultCacheLive));
 /** Look up a registered recipient by its key id or full `SHA256:` fingerprint. */
 const findRecipient = (api, selector) => Effect.gen(function* () {
 	const { items } = yield* api.userEncryptionKeys.list();
@@ -18948,13 +19000,6 @@ const getActiveOrgId = (api) => Effect.gen(function* () {
 	if (me.activeOrganization === null) return yield* new IdentityError({ message: "No active organization for this token." });
 	return me.activeOrganization.id;
 });
-/** Resolve the active org id and unlock this device's vault key — the once-per-command I/O. */
-const openVaultSession = (api, passphrase) => Effect.gen(function* () {
-	return {
-		orgId: yield* getActiveOrgId(api),
-		vault: yield* unlockVaultKey(api, passphrase)
-	};
-});
 /**
 * {@link openVaultSession} that unlocks the vault key interactively — reusing the
 * OS-keychain-cached key when one is live (no prompt), prompting for the device
@@ -19566,7 +19611,7 @@ const generateAndUploadKeystore = (api, input) => Effect.scoped(Effect.gen(funct
 		...compact({ validityDays: input.validityDays })
 	});
 	const bytes = yield* fs.readFile(keystorePath);
-	const session = yield* openVaultSession(api, input.passphrase ?? (yield* resolveVaultPassphrase));
+	const session = yield* openVaultSessionInteractive(api);
 	const metadata = { keyAlias: input.keyAlias };
 	const envelope = yield* sealForUpload({
 		session,
@@ -19617,7 +19662,7 @@ const generateAndUploadDistributionCertificate = (api, input) => Effect.gen(func
 		step: "p12-build",
 		message: cause.message
 	})));
-	const session = yield* openVaultSession(api, input.passphrase ?? (yield* resolveVaultPassphrase));
+	const session = yield* openVaultSessionInteractive(api);
 	const metadata = {
 		serialNumber: bundle.metadata.serialNumber,
 		appleTeamIdentifier: bundle.metadata.appleTeamId,
@@ -20623,7 +20668,7 @@ const generateAndUploadDistributionCertificateViaAppleId = (api, input) => Effec
 		step: "parse-p12",
 		message: cause.message
 	})));
-	const session = yield* openVaultSession(api, yield* resolveVaultPassphrase);
+	const session = yield* openVaultSessionInteractive(api);
 	const envelopeMetadata = {
 		serialNumber: metadata.serialNumber,
 		appleTeamIdentifier: metadata.appleTeamId,
@@ -21021,14 +21066,12 @@ const isMissingResolveError = (cause) => hasTag(cause) && (cause._tag === "NotFo
 const randomKeystoreSecret = () => randomBytes(24).toString("base64url");
 const generateKeystoreAuto = (api, applicationIdentifier) => Effect.gen(function* () {
 	yield* Console.log("Generating a new Android Keystore...");
-	const passphrase = yield* resolveVaultPassphrase;
 	return (yield* generateAndUploadKeystore(api, {
 		keyAlias: "upload",
 		storePassword: randomKeystoreSecret(),
 		keyPassword: randomKeystoreSecret(),
 		commonName: applicationIdentifier,
-		organization: "better-update",
-		...compact({ passphrase })
+		organization: "better-update"
 	})).id;
 });
 const generateKeystoreInteractive = (api) => Effect.gen(function* () {
@@ -21037,15 +21080,13 @@ const generateKeystoreInteractive = (api) => Effect.gen(function* () {
 	const keyPassword = yield* promptPassword("Key password");
 	const commonName = yield* promptText("Common name (CN)", { placeholder: "Your App" });
 	const organization = yield* promptText("Organization (O)", { placeholder: "Your Company" });
-	const passphrase = yield* resolveVaultPassphrase;
 	yield* Console.log("Generating keystore with keytool...");
 	return (yield* generateAndUploadKeystore(api, {
 		keyAlias: alias,
 		storePassword,
 		keyPassword,
 		commonName,
-		organization,
-		...compact({ passphrase })
+		organization
 	})).id;
 });
 const pickExistingKeystore = (api) => Effect.gen(function* () {
@@ -21068,6 +21109,25 @@ const resolveAndroidAppId = (api, input) => Effect.gen(function* () {
 	})).id;
 });
 const resolveAndroidKeystoreId = (api, choice) => choice === "generate" ? generateKeystoreInteractive(api) : pickExistingKeystore(api);
+const bindAndroidKeystore = (api, appId, keystoreId) => Effect.gen(function* () {
+	const existing = yield* api.androidBuildCredentials.list({ path: { applicationIdentifierId: appId } });
+	const target = existing.items.find((group) => group.isDefault) ?? existing.items.at(0);
+	if (target === void 0) {
+		yield* api.androidBuildCredentials.create({
+			path: { applicationIdentifierId: appId },
+			payload: {
+				name: "Default",
+				isDefault: true,
+				androidUploadKeystoreId: keystoreId
+			}
+		});
+		return;
+	}
+	yield* api.androidBuildCredentials.update({
+		path: { id: target.id },
+		payload: { androidUploadKeystoreId: keystoreId }
+	});
+});
 const setupAndroidInteractive = (api, input) => Effect.gen(function* () {
 	yield* Console.log("");
 	yield* Console.log(`No Android build credentials configured for ${input.applicationIdentifier}.`);
@@ -21090,15 +21150,7 @@ const setupAndroidInteractive = (api, input) => Effect.gen(function* () {
 		message: `Build aborted — no keystore bound to ${input.applicationIdentifier}.`,
 		hint: "Run `better-update credentials generate keystore` or upload via the dashboard."
 	});
-	const keystoreId = yield* choice === "generate" ? generateKeystoreAuto(api, input.applicationIdentifier) : pickExistingKeystore(api);
-	yield* api.androidBuildCredentials.create({
-		path: { applicationIdentifierId: appId },
-		payload: {
-			name: "Default",
-			isDefault: true,
-			androidUploadKeystoreId: keystoreId
-		}
-	});
+	yield* bindAndroidKeystore(api, appId, yield* choice === "generate" ? generateKeystoreAuto(api, input.applicationIdentifier) : pickExistingKeystore(api));
 	yield* Console.log("Android build credentials configured.");
 });
 const ensureAndroidCredentialsAvailable = (api, input) => api.buildCredentials.resolve({
@@ -22734,7 +22786,8 @@ const warnIfDevClientMissing = (projectRoot) => Effect.gen(function* () {
 
 //#endregion
 //#region src/lib/env-exporter.ts
-const coerceEnvironment = (raw) => raw === "development" || raw === "preview" || raw === "production" ? raw : void 0;
+const ENVIRONMENT_NAME_PATTERN$1 = /^[a-z][a-z0-9-]*$/u;
+const coerceEnvironment = (raw) => ENVIRONMENT_NAME_PATTERN$1.test(raw) && raw.length <= 64 ? raw : void 0;
 /** Decrypt one sealed env var value, re-checking the sealed metadata against the row. */
 const decryptEnvVarValue = (session, item) => openFromDownload({
 	session,
@@ -22766,7 +22819,7 @@ const exportDecryptedEnvVars = (api, projectId, environment) => Effect.gen(funct
 */
 const pullEnvVars = (api, { projectId, environment }) => Effect.gen(function* () {
 	const validated = coerceEnvironment(environment);
-	if (!validated) return yield* new EnvExportError({ message: `Invalid environment "${environment}". Must be one of: development, preview, production.` });
+	if (!validated) return yield* new EnvExportError({ message: `Invalid environment "${environment}": must be lowercase letters, digits, and hyphens, starting with a letter.` });
 	const items = yield* exportDecryptedEnvVars(api, projectId, validated);
 	return Object.fromEntries(items.map((item) => [item.key, item.value]));
 });
@@ -24536,7 +24589,7 @@ const compatibilityMatrixCommand = defineCommand({
 
 //#endregion
 //#region src/commands/builds/delete.ts
-const deleteCommand$5 = defineCommand({
+const deleteCommand$6 = defineCommand({
 	meta: {
 		name: "delete",
 		description: "Delete a build"
@@ -24682,7 +24735,7 @@ const DISTRIBUTION_OPTIONS$1 = [
 	"play-store",
 	"direct"
 ];
-const listCommand$7 = defineCommand({
+const listCommand$8 = defineCommand({
 	meta: {
 		name: "list",
 		description: "List builds for the linked project"
@@ -25340,9 +25393,9 @@ const buildsCommand = defineCommand({
 		description: "Manage builds"
 	},
 	subCommands: {
-		list: listCommand$7,
+		list: listCommand$8,
 		get: getCommand$2,
-		delete: deleteCommand$5,
+		delete: deleteCommand$6,
 		download: downloadCommand$1,
 		run: runCommand$1,
 		"install-link": installLinkCommand,
@@ -25368,7 +25421,7 @@ const resolveNamedResourceId$1 = (params) => resolveNamedResourceId$2(params, (m
 
 //#endregion
 //#region src/commands/channels/create.ts
-const createCommand$3 = defineCommand({
+const createCommand$4 = defineCommand({
 	meta: {
 		name: "create",
 		description: "Create a channel"
@@ -25413,7 +25466,7 @@ const createCommand$3 = defineCommand({
 
 //#endregion
 //#region src/commands/channels/delete.ts
-const deleteCommand$4 = defineCommand({
+const deleteCommand$5 = defineCommand({
 	meta: {
 		name: "delete",
 		description: "Delete a channel"
@@ -25482,7 +25535,7 @@ const insightsCommand$1 = defineCommand({
 
 //#endregion
 //#region src/commands/channels/list.ts
-const listCommand$6 = defineCommand({
+const listCommand$7 = defineCommand({
 	meta: {
 		name: "list",
 		description: "List channels for the linked project"
@@ -25586,7 +25639,7 @@ const completeCommand$1 = defineCommand({
 
 //#endregion
 //#region src/commands/channels/rollout/create.ts
-const createCommand$2 = defineCommand({
+const createCommand$3 = defineCommand({
 	meta: {
 		name: "create",
 		description: "Start a branch rollout on a channel"
@@ -25706,7 +25759,7 @@ const rolloutCommand$1 = defineCommand({
 		description: "Manage channel branch rollouts"
 	},
 	subCommands: {
-		create: createCommand$2,
+		create: createCommand$3,
 		update: updateCommand$3,
 		complete: completeCommand$1,
 		revert: revertCommand$2
@@ -25818,13 +25871,13 @@ const channelsCommand = defineCommand({
 		description: "Manage channels"
 	},
 	subCommands: {
-		list: listCommand$6,
+		list: listCommand$7,
 		view: viewCommand$2,
-		create: createCommand$3,
+		create: createCommand$4,
 		update: updateCommand$2,
 		pause: pauseCommand,
 		resume: resumeCommand,
-		delete: deleteCommand$4,
+		delete: deleteCommand$5,
 		rollout: rolloutCommand$1,
 		insights: insightsCommand$1
 	}
@@ -26004,7 +26057,7 @@ const uploadIosDistributionCertificate = (api, input, bytes) => Effect.gen(funct
 		validUntil: info.expiresAt.toISOString()
 	};
 	const envelope = yield* sealForUpload({
-		session: yield* openVaultSession(api, input.passphrase),
+		session: yield* openVaultSessionInteractive(api),
 		credentialType: "distribution-certificate",
 		metadata,
 		secret: {
@@ -26030,7 +26083,7 @@ const uploadIosPushKey = (api, input, bytes) => Effect.gen(function* () {
 		appleTeamIdentifier: input.appleTeamIdentifier
 	};
 	const envelope = yield* sealForUpload({
-		session: yield* openVaultSession(api, input.passphrase),
+		session: yield* openVaultSessionInteractive(api),
 		credentialType: "push-key",
 		metadata,
 		secret: { p8Pem: toUtf8(bytes) }
@@ -26055,7 +26108,7 @@ const uploadIosAscApiKey = (api, input, bytes) => Effect.gen(function* () {
 		appleTeamIdentifier: input.appleTeamIdentifier
 	});
 	const envelope = yield* sealForUpload({
-		session: yield* openVaultSession(api, input.passphrase),
+		session: yield* openVaultSessionInteractive(api),
 		credentialType: "asc-api-key",
 		metadata,
 		secret: { p8Pem: toUtf8(bytes) }
@@ -26089,7 +26142,7 @@ const uploadAndroidKeystore = (api, input, bytes) => Effect.gen(function* () {
 		keyPassword: input.keyPassword
 	})).keyAlias };
 	const envelope = yield* sealForUpload({
-		session: yield* openVaultSession(api, input.passphrase),
+		session: yield* openVaultSessionInteractive(api),
 		credentialType: "keystore",
 		metadata,
 		secret: {
@@ -26117,7 +26170,7 @@ const uploadAndroidGoogleServiceAccountKey = (api, input, bytes) => Effect.gen(f
 		googleProjectId: parsed.googleProjectId
 	};
 	const envelope = yield* sealForUpload({
-		session: yield* openVaultSession(api, input.passphrase),
+		session: yield* openVaultSessionInteractive(api),
 		credentialType: "google-service-account-key",
 		metadata,
 		secret: { json }
@@ -26146,10 +26199,7 @@ const uploadCredential = (api, input) => Effect.gen(function* () {
 	const hasKey = (candidate) => Object.hasOwn(uploadHandlers, candidate);
 	const handler = hasKey(key) ? uploadHandlers[key] : void 0;
 	if (!handler) return yield* new CredentialValidationError({ message: `Unsupported credential combination: platform=${input.platform} type=${input.type}` });
-	return yield* handler(api, input.type === "provisioning-profile" || input.passphrase !== void 0 ? input : {
-		...input,
-		...compact({ passphrase: yield* resolveVaultPassphrase })
-	}, bytes);
+	return yield* handler(api, input, bytes);
 });
 const deleteCredential = (api, input) => {
 	const path = { id: input.id };
@@ -27140,10 +27190,14 @@ const runCredentialsManager = Effect.gen(function* () {
 * one, re-wrap the new vault key to each recipient, then submit the rotation
 * atomically (the server CAS-guards on the current version and requires a
 * recovery recipient in the set). Drops every recipient not in `recipients`.
+*
+* Unlocks via the cache-aware path (reusing a live `credentials unlock` session),
+* then drops that cached key once the re-key lands — it is now stale, so the next
+* operation must re-unlock at the new version.
 */
 const rotateVaultTo = (args) => Effect.gen(function* () {
 	const orgId = yield* getActiveOrgId(args.api);
-	const current = yield* unlockVaultKey(args.api, args.passphrase);
+	const current = yield* unlockVaultKeyInteractive(args.api);
 	const newVaultKey = generateVaultKey();
 	const newVersion = current.vaultVersion + 1;
 	const { deks } = yield* args.api.orgVault.listCredentialDeks();
@@ -27181,11 +27235,13 @@ const rotateVaultTo = (args) => Effect.gen(function* () {
 			recipient: recipient.publicKey
 		}))
 	})), { concurrency: "unbounded" });
-	return yield* args.api.orgVault.rotate({ payload: {
+	const rotated = yield* args.api.orgVault.rotate({ payload: {
 		fromVersion: current.vaultVersion,
 		recipientWraps,
 		credentialDeks
 	} });
+	yield* forgetCachedVaultKey;
+	return rotated;
 });
 /** The encryption keys currently holding the vault key, joined with their public keys. */
 const currentRecipients = (api) => Effect.gen(function* () {
@@ -27239,7 +27295,7 @@ const toRecipientView = (userEncryptionKeyId, key) => ({
 		fingerprint: key?.fingerprint
 	})
 });
-const listCommand$5 = defineCommand({
+const listCommand$6 = defineCommand({
 	meta: {
 		name: "list",
 		description: "List recipients that currently hold the org vault key"
@@ -27320,7 +27376,6 @@ const rotateCommand = defineCommand({
 		yield* confirmRecipients(recipients, args.yes === true);
 		const rotated = yield* rotateVaultTo({
 			api,
-			passphrase: yield* resolveVaultPassphrase,
 			recipients: recipients.map(toRotationRecipient)
 		});
 		yield* printHuman(`Rotated the vault to version ${String(rotated.vaultVersion)} (${String(recipients.length)} recipients).`);
@@ -27356,7 +27411,6 @@ const revokeCommand$1 = defineCommand({
 		yield* confirmRecipients(surviving, args.yes === true);
 		const rotated = yield* rotateVaultTo({
 			api,
-			passphrase: yield* resolveVaultPassphrase,
 			recipients: surviving.map(toRotationRecipient)
 		});
 		yield* printHuman(`Revoked ${target.label} and rotated the vault to version ${String(rotated.vaultVersion)}.`);
@@ -27442,7 +27496,6 @@ const recoveryCommand = defineCommand({
 			yield* confirmRecipients(surviving, args.yes === true);
 			const rotated = yield* rotateVaultTo({
 				api,
-				passphrase: yield* resolveVaultPassphrase,
 				recipients: [...surviving.map(toRotationRecipient), {
 					userEncryptionKeyId: registered.id,
 					publicKey: newRecovery.publicKey
@@ -27466,7 +27519,7 @@ const accessCommand = defineCommand({
 		description: "Inspect, grant, rotate, revoke, and recover access to the org credential vault"
 	},
 	subCommands: {
-		list: listCommand$5,
+		list: listCommand$6,
 		grant: grantCommand,
 		rotate: rotateCommand,
 		revoke: revokeCommand$1,
@@ -27675,7 +27728,7 @@ const CREDENTIAL_TYPES$3 = [
 	"keystore",
 	"google-service-account-key"
 ];
-const deleteCommand$3 = defineCommand({
+const deleteCommand$4 = defineCommand({
 	meta: {
 		name: "delete",
 		description: "Delete a credential"
@@ -27717,7 +27770,7 @@ const deleteCommand$3 = defineCommand({
 //#region src/commands/credentials/device.ts
 /** Self-linking is for your own device keys; recovery/machine keys go through `access grant`. */
 const requireDeviceKind = (target) => target.kind === "device" ? Effect.void : new IdentityError({ message: `Key ${target.id} is a ${target.kind} key, not a device. Use \`better-update credentials access grant\` for recovery/machine keys.` });
-const listCommand$4 = defineCommand({
+const listCommand$5 = defineCommand({
 	meta: {
 		name: "list",
 		description: "List your registered device keys (the active one is marked)"
@@ -27775,7 +27828,7 @@ const deviceCommand = defineCommand({
 		description: "Manage your vault device keys"
 	},
 	subCommands: {
-		list: listCommand$4,
+		list: listCommand$5,
 		link: linkCommand
 	},
 	default: "list"
@@ -28430,7 +28483,7 @@ const printRecipient = (key) => printKeyValue([
 	["Recipient (public key)", key.publicKey],
 	["Fingerprint", key.fingerprint]
 ]);
-const createCommand$1 = defineCommand({
+const createCommand$2 = defineCommand({
 	meta: {
 		name: "create",
 		description: "Create this device's encryption identity and register it as a recipient"
@@ -28533,7 +28586,7 @@ const identityCommand = defineCommand({
 		description: "Manage this device's end-to-end encryption identity"
 	},
 	subCommands: {
-		create: createCommand$1,
+		create: createCommand$2,
 		init: initCommand$1,
 		register: registerCommand,
 		show: showCommand
@@ -28543,7 +28596,7 @@ const identityCommand = defineCommand({
 
 //#endregion
 //#region src/commands/credentials/list.ts
-const listCommand$3 = defineCommand({
+const listCommand$4 = defineCommand({
 	meta: {
 		name: "list",
 		description: "List credentials across platforms"
@@ -29745,14 +29798,14 @@ const credentialsCommand = defineCommand({
 		unlock: unlockCommand,
 		lock: lockCommand,
 		status: statusCommand$1,
-		list: listCommand$3,
+		list: listCommand$4,
 		view: viewCommand$1,
 		download: downloadCommand,
 		upload: uploadCommand,
 		"upload-asc-key": uploadAscKeyCommand,
 		generate: generateCommand$1,
 		"regenerate-profile": regenerateProfileCommand,
-		delete: deleteCommand$3,
+		delete: deleteCommand$4,
 		remove: removeCommand,
 		revoke: revokeCommand,
 		configure: configureCommand$1,
@@ -30252,19 +30305,20 @@ const envErrorExtras = {
 	SystemError: 6,
 	BadArgument: 6
 };
-const isEnvironmentName = (value) => value === "development" || value === "preview" || value === "production";
+const ENVIRONMENT_NAME_PATTERN = /^[a-z][a-z0-9-]*$/u;
+const isEnvironmentName = (value) => ENVIRONMENT_NAME_PATTERN.test(value) && value.length <= 64;
 const parseEnvironmentsArg = (raw) => Effect.gen(function* () {
 	const tokens = raw.split(",").map((token) => token.trim()).filter((token) => token.length > 0);
-	if (tokens.length === 0) return yield* new InvalidArgumentError({ message: "Provide at least one environment (development, preview, production)." });
+	if (tokens.length === 0) return yield* new InvalidArgumentError({ message: "Provide at least one environment (e.g. development, preview, production)." });
 	const seen = /* @__PURE__ */ new Set();
 	yield* Effect.forEach(tokens, (token) => Effect.gen(function* () {
-		if (!isEnvironmentName(token)) return yield* new InvalidArgumentError({ message: `Invalid environment "${token}". Must be one of: development, preview, production.` });
+		if (!isEnvironmentName(token)) return yield* new InvalidArgumentError({ message: `Invalid environment "${token}": must be lowercase letters, digits, and hyphens, starting with a letter.` });
 		seen.add(token);
 	}), { discard: true });
 	return [...seen];
 });
 const parseSingleEnvironmentArg = (raw) => Effect.gen(function* () {
-	if (!isEnvironmentName(raw)) return yield* new InvalidArgumentError({ message: `Invalid environment "${raw}". Must be one of: development, preview, production.` });
+	if (!isEnvironmentName(raw)) return yield* new InvalidArgumentError({ message: `Invalid environment "${raw}": must be lowercase letters, digits, and hyphens, starting with a letter.` });
 	return raw;
 });
 const formatEnvironments = (environments) => [...environments].toSorted((left, right) => left.localeCompare(right)).join(",");
@@ -30303,7 +30357,7 @@ const findProjectEnvVar = (api, projectId, key, environment) => Effect.gen(funct
 
 //#endregion
 //#region src/commands/env/delete.ts
-const deleteCommand$2 = defineCommand({
+const deleteCommand$3 = defineCommand({
 	meta: {
 		name: "delete",
 		description: "Delete a project env var (one environment, or every environment by default)"
@@ -30573,7 +30627,7 @@ const importCommand = defineCommand({
 
 //#endregion
 //#region src/commands/env/list.ts
-const listCommand$2 = defineCommand({
+const listCommand$3 = defineCommand({
 	meta: {
 		name: "list",
 		description: "List environment variable metadata. Values are end-to-end encrypted — read them with `env pull`, `env export`, or `env get`."
@@ -30920,11 +30974,11 @@ const envCommand = defineCommand({
 		description: "Manage environment variables"
 	},
 	subCommands: {
-		list: listCommand$2,
+		list: listCommand$3,
 		get: getCommand$1,
 		set: setCommand$1,
 		update: updateCommand$1,
-		delete: deleteCommand$2,
+		delete: deleteCommand$3,
 		history: historyCommand,
 		rollback: rollbackCommand$1,
 		import: importCommand,
@@ -30935,6 +30989,93 @@ const envCommand = defineCommand({
 	}
 });
 
+//#endregion
+//#region src/commands/environments.ts
+const listCommand$2 = defineCommand({
+	meta: {
+		name: "list",
+		description: "List the organization's environments"
+	},
+	run: async () => runEffect(Effect.gen(function* () {
+		const { items } = yield* (yield* apiClient).environments.list();
+		yield* printList(["Name", "Built-in"], items.map((environment) => [environment.name, environment.isBuiltin ? "yes" : "no"]), "No environments found.");
+		return items;
+	}), { json: "value" })
+});
+const createCommand$1 = defineCommand({
+	meta: {
+		name: "create",
+		description: "Create a user-defined environment"
+	},
+	args: { name: {
+		type: "positional",
+		required: true,
+		description: "Environment name (lowercase letters, digits, hyphens)"
+	} },
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const environment = yield* (yield* apiClient).environments.create({ payload: { name: args.name } });
+		yield* printKeyValue([["Name", environment.name], ["Created", environment.createdAt]]);
+		return environment;
+	}), { json: "value" })
+});
+const renameCommand$1 = defineCommand({
+	meta: {
+		name: "rename",
+		description: "Rename a user-defined environment"
+	},
+	args: {
+		name: {
+			type: "positional",
+			required: true,
+			description: "Current environment name"
+		},
+		to: {
+			type: "string",
+			required: true,
+			description: "New environment name"
+		}
+	},
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		const environment = yield* (yield* apiClient).environments.rename({
+			path: { name: args.name },
+			payload: { name: args.to }
+		});
+		yield* printHuman(`Environment renamed to "${environment.name}".`);
+		return environment;
+	}), { json: "value" })
+});
+const deleteCommand$2 = defineCommand({
+	meta: {
+		name: "delete",
+		description: "Delete a user-defined environment"
+	},
+	args: { name: {
+		type: "positional",
+		required: true,
+		description: "Environment name"
+	} },
+	run: async ({ args }) => runEffect(Effect.gen(function* () {
+		yield* (yield* apiClient).environments.delete({ path: { name: args.name } });
+		yield* printHuman(`Environment "${args.name}" deleted.`);
+		return {
+			name: args.name,
+			deleted: true
+		};
+	}), { json: "value" })
+});
+const environmentsCommand = defineCommand({
+	meta: {
+		name: "environments",
+		description: "Manage organization environments"
+	},
+	subCommands: {
+		list: listCommand$2,
+		create: createCommand$1,
+		rename: renameCommand$1,
+		delete: deleteCommand$2
+	}
+});
+
 //#endregion
 //#region src/commands/fingerprint/compare.ts
 /**
@@ -35468,6 +35609,7 @@ const commandRegistry = {
 	groups: groupsCommand,
 	branches: branchesCommand,
 	channels: channelsCommand,
+	environments: environmentsCommand,
 	build: buildCommand,
 	builds: buildsCommand,
 	credentials: credentialsCommand,